Use hostname verification for SecurityAdmin (opensearch-project#2541)

* Use hostname verification for SecurityAdmin

Signed-off-by: Craig Perkins <[email protected]>

src/main/java/org/opensearch/security/tools/SecurityAdmin.java

@@ -1410,6 +1410,7 @@ private static RestHighLevelClient getRestHighLevelClient(SSLContext sslContext,
                                     .setSslContext(sslContext)
                                     .setTlsVersions(supportedProtocols)
                                     .setCiphers(supportedCipherSuites)
+                                    .setHostnameVerifier(hnv)
                                     // See please https://issues.apache.org/jira/browse/HTTPCLIENT-2219
                                     .setTlsDetailsFactory(new Factory<SSLEngine, TlsDetails>() {
                                         @Override

src/test/java/org/opensearch/security/SecurityAdminTests.java

@@ -19,6 +19,7 @@
 
 import java.io.ByteArrayOutputStream;
 import java.io.File;
+import java.io.IOException;
 import java.io.PrintStream;
 import java.util.ArrayList;
 import java.util.List;
@@ -37,6 +38,10 @@
 import org.opensearch.security.test.helper.rest.RestHelper.HttpResponse;
 import org.opensearch.security.tools.SecurityAdmin;
 
+import static org.hamcrest.MatcherAssert.assertThat;
+import static org.hamcrest.Matchers.matchesPattern;
+import static org.junit.Assert.assertThrows;
+
 public class SecurityAdminTests extends SingleClusterTest {
 
     @Test
@@ -71,6 +76,66 @@ public void testSecurityAdmin() throws Exception {
         Assert.assertEquals(HttpStatus.SC_OK, (rh.executeGetRequest("_opendistro/_security/health?pretty")).getStatusCode());
     }
 
+    @Test
+    public void testSecurityAdminHostnameVerificationEnforced() throws Exception {
+        final Settings settings = Settings.builder()
+                .put("plugins.security.ssl.http.enabled",true)
+                .put("plugins.security.ssl.http.pemtrustedcas_filepath", FileHelper.getAbsoluteFilePathFromClassPath("securityadmin/root-ca.pem"))
+                .put("plugins.security.ssl.http.pemcert_filepath", FileHelper.getAbsoluteFilePathFromClassPath("securityadmin/node.crt.pem"))
+                .put("plugins.security.ssl.http.pemkey_filepath", FileHelper.getAbsoluteFilePathFromClassPath("securityadmin/node.key.pem"))
+                .putList("plugins.security.authcz.admin_dn", List.of("CN=kirk,OU=client,O=client,L=test,C=de"))
+                .build();
+        setup(Settings.EMPTY, null, settings, false);
+
+        final String prefix = getResourceFolder()==null?"securityadmin/":getResourceFolder()+"/securityadmin/";
+
+        List<String> argsAsList = new ArrayList<>();
+        argsAsList.add("-cacert");
+        argsAsList.add(FileHelper.getAbsoluteFilePathFromClassPath(prefix+"root-ca.pem").toFile().getAbsolutePath());
+        argsAsList.add("-cert");
+        argsAsList.add(FileHelper.getAbsoluteFilePathFromClassPath(prefix+"kirk.crt.pem").toFile().getAbsolutePath());
+        argsAsList.add("-key");
+        argsAsList.add(FileHelper.getAbsoluteFilePathFromClassPath(prefix+"kirk.key.pem").toFile().getAbsolutePath());
+        argsAsList.add("-p");
+        argsAsList.add(String.valueOf(clusterInfo.httpPort));
+        argsAsList.add("-icl");
+        addDirectoryPath(argsAsList, TEST_RESOURCE_ABSOLUTE_PATH);
+
+        final IOException expectedException = assertThrows(IOException.class, () -> SecurityAdmin.execute(argsAsList.toArray(new String[0])));
+        final String expectedMessagePattern = "Certificate for <.+> doesn't match any of the subject alternative names: \\[node-.\\.example\\.com\\]";
+        assertThat(expectedException.getMessage(), matchesPattern(expectedMessagePattern));
+    }
+
+    @Test
+    public void testSecurityAdminHostnameVerificationNotEnforced() throws Exception {
+        final Settings settings = Settings.builder()
+                .put("plugins.security.ssl.http.enabled",true)
+                .put("plugins.security.ssl.http.pemtrustedcas_filepath", FileHelper.getAbsoluteFilePathFromClassPath("securityadmin/root-ca.pem"))
+                .put("plugins.security.ssl.http.pemcert_filepath", FileHelper.getAbsoluteFilePathFromClassPath("securityadmin/node.crt.pem"))
+                .put("plugins.security.ssl.http.pemkey_filepath", FileHelper.getAbsoluteFilePathFromClassPath("securityadmin/node.key.pem"))
+                .putList("plugins.security.authcz.admin_dn", List.of("CN=kirk,OU=client,O=client,L=test,C=de"))
+                .build();
+        setup(Settings.EMPTY, null, settings, false);
+
+        final String prefix = getResourceFolder()==null?"securityadmin/":getResourceFolder()+"/securityadmin/";
+
+        List<String> argsAsList = new ArrayList<>();
+        argsAsList.add("-cacert");
+        argsAsList.add(FileHelper.getAbsoluteFilePathFromClassPath(prefix+"root-ca.pem").toFile().getAbsolutePath());
+        argsAsList.add("-cert");
+        argsAsList.add(FileHelper.getAbsoluteFilePathFromClassPath(prefix+"kirk.crt.pem").toFile().getAbsolutePath());
+        argsAsList.add("-key");
+        argsAsList.add(FileHelper.getAbsoluteFilePathFromClassPath(prefix+"kirk.key.pem").toFile().getAbsolutePath());
+        argsAsList.add("-p");
+        argsAsList.add(String.valueOf(clusterInfo.httpPort));
+        argsAsList.add("-icl");
+        addDirectoryPath(argsAsList, TEST_RESOURCE_ABSOLUTE_PATH);
+        argsAsList.add("-nhnv");
+
+        int returnCode  = SecurityAdmin.execute(argsAsList.toArray(new String[0]));
+        Assert.assertEquals(0, returnCode);
+    }
+
     @Test
     public void testSecurityAdminInvalidCert() throws Exception {
         final Settings settings = Settings.builder()

src/test/resources/securityadmin/certificate_generation.md

@@ -0,0 +1,23 @@
+# Script to generate certificates for SecurityAdmin Tests
+
+```
+openssl genrsa -out root-ca-key.pem 2048
+openssl req -x509 -sha256 -new -nodes -key root-ca-key.pem -subj "/DC=com/DC=example/O=Example Com Inc./OU=Example Com Inc. Root CA/CN=Example Com Inc. Root CA" -days 3650 -out root-ca.pem
+openssl genrsa -out signing-key.pem 2048
+openssl req -x509 -sha256 -new -nodes -CA root-ca.pem -CAkey root-ca-key.pem -key signing-key.pem -subj "/DC=com/DC=example/O=Example Com Inc./OU=Example Com Inc. Signing CA/CN=Example Com Inc. Signing CA" -days 3650 -out signing.pem
+
+openssl genrsa -out node-key-temp.pem 2048
+openssl pkcs8 -inform PEM -outform PEM -in node-key-temp.pem -topk8 -nocrypt -v1 PBE-SHA1-3DES -out node.key.pem
+openssl req -new -key node.key.pem -subj "/C=DE/L=Test/O=Test/OU=SSL/CN=node-1.example.com" -out node.csr
+openssl x509 -req -days 3650 -extfile <(printf "subjectAltName=DNS:node-1.example.com,IP:127.0.0.1") -in node.csr -out node.crt.pem -CA signing.pem -CAkey signing-key.pem
+
+# CN=kirk,OU=client,O=client,L=Test,C=DE
+openssl genrsa -out kirk-key-temp.pem 2048
+openssl pkcs8 -inform PEM -outform PEM -in kirk-key-temp.pem -topk8 -nocrypt -v1 PBE-SHA1-3DES -out kirk.key.pem
+openssl req -new -key kirk.key.pem -subj "/C=DE/L=Test/O=client/OU=client/CN=kirk" -out kirk.csr
+openssl x509 -req -days 3650 -in kirk.csr -out kirk.crt.pem -CA signing.pem -CAkey signing-key.pem
+```
+
+For `kirk.crt.pem` and `node.crt.pem` all certificates in the chain including `root-ca.pem` and `signing.pem` need to be included in the file.
+
+When bundling the certificates together in the same file the root certificate is placed at the bottom and the lowest level certificate (the node certificate) on the top.

src/test/resources/securityadmin/kirk.crt.pem

@@ -0,0 +1,69 @@
+-----BEGIN CERTIFICATE-----
+MIIDajCCAlICFCVxBZmleOHXHqoyn6dQlHVWZ/t8MA0GCSqGSIb3DQEBCwUAMIGV
+MRMwEQYKCZImiZPyLGQBGRYDY29tMRcwFQYKCZImiZPyLGQBGRYHZXhhbXBsZTEZ
+MBcGA1UECgwQRXhhbXBsZSBDb20gSW5jLjEkMCIGA1UECwwbRXhhbXBsZSBDb20g
+SW5jLiBTaWduaW5nIENBMSQwIgYDVQQDDBtFeGFtcGxlIENvbSBJbmMuIFNpZ25p
+bmcgQ0EwHhcNMjMwNTAyMTc1NzA2WhcNMzMwNDI5MTc1NzA2WjBNMQswCQYDVQQG
+EwJERTENMAsGA1UEBwwEVGVzdDEPMA0GA1UECgwGY2xpZW50MQ8wDQYDVQQLDAZj
+bGllbnQxDTALBgNVBAMMBGtpcmswggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
+AoIBAQDFYEoC+qyqLKhNpSAj3qUfhGRNmoHlpDRG2Zq+wAx6e24pODNGtyrtswF7
+7Nf3HgODMrFMCg/gJC6U78VbI4hPO63E+nQr3Q2h7kdn7E4t1VJOUY4YFROyvayD
+epDWmIGwer0H+Wd+7t6TrQod/Hj5do3og5IgBaK1AS4OExanmuJ10WrfzctS9dg4
+xY2RT7pmNWVeOA1IdkPRu5T7jr72n66jSuwqbTiS+vQHdqgZsXUC+DtvMtRmRYo0
+QT4nndNYA72FFKH9bmKiLvNyeTMAn45fE+ebiZGFTcK7e5hZ+l6YTWvUlGoS54t+
+2kNxTaHl3NXr9KCwF7lT/HoS42RnAgMBAAEwDQYJKoZIhvcNAQELBQADggEBAFNe
+E2ClU0OxVk5nWmQUnr3MmsFDaBe/0CfGBHLcixqRenaGlwGcrUB4B2mYF3xkGRhF
+xrd2lJy3bMxYxl5Zp63atdK5s7JnHSatPFGxwJJ/9BRDeZtx0X42mCspb1ho+0yV
+bUVYOiy3G/Nt7erfRb8a6ZlWk3Ri2HZ/OG3jQnQCLPstNZ5DeRlM33ltiHj3EDlz
+PyRgp+n89FLKZjImY4zJdjBKdfky2PKKZGJJ+57L+fIu/2TR17Qeaxf4cRa6DWtX
+8fwRHkrj9MVLvdASLwFKfdEefw/uTPLigwdrydjy+AFogfpmBvJ9CXqCq81lSROr
+Pzbo7NaChtZ6Mxgd3fU=
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIEBzCCAu+gAwIBAgIUC1KT/DcaMNL7fjY7g361424pyWowDQYJKoZIhvcNAQEL
+BQAwgY8xEzARBgoJkiaJk/IsZAEZFgNjb20xFzAVBgoJkiaJk/IsZAEZFgdleGFt
+cGxlMRkwFwYDVQQKDBBFeGFtcGxlIENvbSBJbmMuMSEwHwYDVQQLDBhFeGFtcGxl
+IENvbSBJbmMuIFJvb3QgQ0ExITAfBgNVBAMMGEV4YW1wbGUgQ29tIEluYy4gUm9v
+dCBDQTAeFw0yMzA1MDIxNzU3MDVaFw0zMzA0MjkxNzU3MDVaMIGVMRMwEQYKCZIm
+iZPyLGQBGRYDY29tMRcwFQYKCZImiZPyLGQBGRYHZXhhbXBsZTEZMBcGA1UECgwQ
+RXhhbXBsZSBDb20gSW5jLjEkMCIGA1UECwwbRXhhbXBsZSBDb20gSW5jLiBTaWdu
+aW5nIENBMSQwIgYDVQQDDBtFeGFtcGxlIENvbSBJbmMuIFNpZ25pbmcgQ0EwggEi
+MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCxgE4w07GMwoHzxYlXSmNYv3Lx
+iPvftzWrFfA15dyHcCrYnoTN+re5uTi8L40Obzr7BzL41mFHED85EfvGYl02MCai
+jA2MHE7vh1JxKJ4oLMI0jtXYaBPXDb96qcfCMC+Vce0RH+I815nip1Amf/M/jMov
+KlGGYSipa4otfj8ZrinMItFucpY/mEsFgzO+yQ+Go2gzyJlNeJXIuhsfdvkq76X8
++oNrltHL1f/Y1HP7qV5eZn6uODSesHGK1VCLg7UIRk3aZRmAo5ZwTV5xb3rKhxDJ
+mvBtK77TcG9CA3MXOM204G7n85aYN+Xrb+c5xQjzsR6bo1O4I37fn8sSP9/hAgMB
+AAGjUzBRMB0GA1UdDgQWBBTotToiEVpUwaXfM1lPhT4Cf+wxpzAfBgNVHSMEGDAW
+gBTeMJiA4CPf0XcafDPDTzO+iylLfzAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3
+DQEBCwUAA4IBAQAfiHlJtB+NWDS68BRnpil500PPQzB0edqhO3h/2tnXmxtXKbH/
+0sKgCvPn3tEK8y5WrzC2UDB2F594TlGUWHiMwy1SwMkrP8gUpDS2syisaORyQ7/1
+aOktoD0eBZEWFJtGLCPR7uz/KtbZo6QsAZYhxqdE9Dn2Dw2d0YcIFogCG9ohAIWm
+6Hss2CTs2z1YKXJqYb+o0jwFDRF0H7cd5HeFaMQIkz9hLURInUU3JYemONzaxc26
+peelfPOmDySzaQjqn4lQRXXze79fMs3G5hD+f8WvQqtJkSGS1CXnLvZ8PBf12jxZ
+0SkzxLWyKOSz6M3tXonaxsLMXF+4dM48+NOm
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIEATCCAumgAwIBAgIUUe5xSfjzHNOkaqCRf5AIYXQQM3cwDQYJKoZIhvcNAQEL
+BQAwgY8xEzARBgoJkiaJk/IsZAEZFgNjb20xFzAVBgoJkiaJk/IsZAEZFgdleGFt
+cGxlMRkwFwYDVQQKDBBFeGFtcGxlIENvbSBJbmMuMSEwHwYDVQQLDBhFeGFtcGxl
+IENvbSBJbmMuIFJvb3QgQ0ExITAfBgNVBAMMGEV4YW1wbGUgQ29tIEluYy4gUm9v
+dCBDQTAeFw0yMzA1MDIxNzU3MDVaFw0zMzA0MjkxNzU3MDVaMIGPMRMwEQYKCZIm
+iZPyLGQBGRYDY29tMRcwFQYKCZImiZPyLGQBGRYHZXhhbXBsZTEZMBcGA1UECgwQ
+RXhhbXBsZSBDb20gSW5jLjEhMB8GA1UECwwYRXhhbXBsZSBDb20gSW5jLiBSb290
+IENBMSEwHwYDVQQDDBhFeGFtcGxlIENvbSBJbmMuIFJvb3QgQ0EwggEiMA0GCSqG
+SIb3DQEBAQUAA4IBDwAwggEKAoIBAQDTQTojW8vphvADeNvMhFyfV0p7EA77bxQf
+XBzbwGXqjeS4X1WeisbOi+HvBvrmg3olzzA2vVH+5gT+5S6Q62BX4oyCyyqoK/3n
+gc+8JBLGpACEeLQotLE238L8wzM+L4WblZretvAi85JZ09ur0yZ7C6QE3QeGMRrL
+9OjHuCtzSAJO3t8uuf+IwDMM/8k822reski+iVsNxHVsBkTDFbHbVKFuHadqaMRp
+G2wFINnSi4L/hMAQtIvJasjiW26kZKLd8WckDYGgZaFc1l46RR7Pj/lULBCdc86X
+INuL1M411RjB08tqMTTjqvQhMWlv+qVkoVlyx97iFKWo5gNz2FbRAgMBAAGjUzBR
+MB0GA1UdDgQWBBTeMJiA4CPf0XcafDPDTzO+iylLfzAfBgNVHSMEGDAWgBTeMJiA
+4CPf0XcafDPDTzO+iylLfzAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUA
+A4IBAQAz7tZirV9htIc3bNE0IxJ1F1oMfQChH4kgZiw8coLZ6dElzUzBhF3JZEyL
+CDxnI0Q94l+Wg6KGUNSAqlYcXbcWYhgml0B6oCGp30GlyhbK16OrapKcHitjYoKB
+rNtf5H4Ks0/I9YK9NKCLrFPsp9Qt5qStQuhZcumJbct8irXLPmrVTLKrIqCkBmP5
+7P7v9Vud5/TxWTjLUZo+eS/AkJurOdDZDf+lVmpcbsez6HsSusNu5E7BDwLcPIFQ
+MukDp/SRLInq8I8cA5t5U+tiQgsUCdLMIaLQ72EJuCId9XB8oyhP/rOJy+xwNnLW
+ZngkAWtN8JWNoaA8FkLYbJOGLikP
+-----END CERTIFICATE-----

src/test/resources/securityadmin/kirk.key.pem

@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQDFYEoC+qyqLKhN
+pSAj3qUfhGRNmoHlpDRG2Zq+wAx6e24pODNGtyrtswF77Nf3HgODMrFMCg/gJC6U
+78VbI4hPO63E+nQr3Q2h7kdn7E4t1VJOUY4YFROyvayDepDWmIGwer0H+Wd+7t6T
+rQod/Hj5do3og5IgBaK1AS4OExanmuJ10WrfzctS9dg4xY2RT7pmNWVeOA1IdkPR
+u5T7jr72n66jSuwqbTiS+vQHdqgZsXUC+DtvMtRmRYo0QT4nndNYA72FFKH9bmKi
+LvNyeTMAn45fE+ebiZGFTcK7e5hZ+l6YTWvUlGoS54t+2kNxTaHl3NXr9KCwF7lT
+/HoS42RnAgMBAAECggEADtRZOzgSWQbZ7luFuqwzw9ZyotIFCHf55Yjb85ECXwF/
+GWG7mIiSlSFp7yGwaES9BtJ8N7ZZ0wFk7pPFRD+7MhjNyYr3x4PoTk5U1x4OEauB
+b5j5EB4lSLyvhYFj+Huk4tmV8k9u0z6nQnkx1Wbuv++EYf/grr89plPcXfpZLWZ3
+0y84mR/ENYXtbtPSwLgMR6OY+q36hqc2a9+si4j/P0jf37jfyE8AlTGWEGdKQaN8
+iLLfyXpKxHn8zweZ3kWzOS2mZhya15S9F5YUS+d3TOt1J/3EcxMu/UJMxWBN/Tea
+JvMZUgMTVyg4RN/MOzvjOUDKOUdgGIdPI6G9/nfs4QKBgQDzQPqxJBgy5BUVXOAO
+/lT4QvMFnKiPxedDkSHHwPXwx+dqL6Bk/1mco3P6VDX5OfB4xp0NWkjekfyU01Ab
+jvULO2MaH3MEiQuDuYs3NDY+lT/YGdlB7Asd8AMr8Clu5DHTjyz6KefS+stOfbrn
+smAmpk/TdTM/lQfhZPiU4FVhSwKBgQDPt+dfqw2zm+T5g3KeJ/Ej5UsThiNJseIh
+KF5NlPrRfsdIybkcbDtIiHlJ3qVn6Tq8zEvEANdwYd3/7orFilUahc9zlA7z9O2L
+tRu8I9zjI3vjArzO0Wkh1NxDoGzQX6giTHDpL7+m/bjc3pj1RXjlP8IRHx7j6w3H
++ciKuTaz1QKBgG1UBBg/f7zHtA4g6vbyKiBWfsFD8qKDsPg2L3eG60KnpgOcmjsq
+ZQ04jXSyCnwUJVcy9P0+Wcfm1x3Qh42LR+kfbOAdyGT+bzVp2/8YsVSZYdNvcqzl
+OO3gpJxH2WdkmlxaWj2pPe8eFugVLD7cdciJMRF5+GmYQq1z4yGOXfFXAoGAV2yA
+fhxhPOntGjL/x57p+ACmc4YuTfMHSItT/XUph4jDWVhFh7fpz6JY4gVKOozIAvQ9
+IzZzdkJKjFAaqf+JyArvgCadkIHShM1p6epyKksh9i6NxsIObIXJWtEnWyAXhLAF
+ia9mC2OYLaWmXPyrYFlQVaJyftzMRRFVHUXMxy0CgYBT2+xAwAMxj4HVtwBthQXH
+0Akawz9Gvw7/BJOGBRzJMM6H5qqejWbA/FKmvySdK2IrQ6dISjrVMr7VtjMrwumM
+JO3T54O4iuFpNck1z+d4BZjvWpsxpPRg4RktwhMtJ2BZYh43aI4pFfxs6YFga+ZK
+vMm+70bHS8AskkmaxAFzHw==
+-----END PRIVATE KEY-----

src/test/resources/securityadmin/node.crt.pem

@@ -0,0 +1,71 @@
+-----BEGIN CERTIFICATE-----
+MIID4TCCAsmgAwIBAgIUKmE8oZm3QVdGZWbKLY8S4F05UugwDQYJKoZIhvcNAQEL
+BQAwgZUxEzARBgoJkiaJk/IsZAEZFgNjb20xFzAVBgoJkiaJk/IsZAEZFgdleGFt
+cGxlMRkwFwYDVQQKDBBFeGFtcGxlIENvbSBJbmMuMSQwIgYDVQQLDBtFeGFtcGxl
+IENvbSBJbmMuIFNpZ25pbmcgQ0ExJDAiBgNVBAMMG0V4YW1wbGUgQ29tIEluYy4g
+U2lnbmluZyBDQTAeFw0yMzA1MDIxODI0MzFaFw0zMzA0MjkxODI0MzFaMFYxCzAJ
+BgNVBAYTAkRFMQ0wCwYDVQQHDARUZXN0MQ0wCwYDVQQKDARUZXN0MQwwCgYDVQQL
+DANTU0wxGzAZBgNVBAMMEm5vZGUtMS5leGFtcGxlLmNvbTCCASIwDQYJKoZIhvcN
+AQEBBQADggEPADCCAQoCggEBAKfvsczlQQAPg0iivG6O5kazZjS8z3dM6b/hmtw7
+NSlihZeXgPOoyd1BttCNB1fo/TsnikHggWRVHj8v01kNJtKmvgdtTYJIUJEZJdEH
+NHFXmxR+3YhmZr1qKdkihB0Z7rv+oYrHe2MOg8jtt3VPZuOIZZXfIJWw93CajXaO
+zNv/sNdPdaPI8tTJIzihYNVcMtx5koPS66xB2Rwp06MfvJ568BAXxl2QSRjWFX4v
+CFOzKL8nZtr779HemWFABzCllzff7xLcjWbkaoTk7gPrgh6vzW0hE2pLAbNnlre3
+rommG/zzKgmytZ+PTvbEyhiuNjVgcCG2vhGu8myRYgoGZw8CAwEAAaNnMGUwIwYD
+VR0RBBwwGoISbm9kZS0xLmV4YW1wbGUuY29thwR/AAABMB0GA1UdDgQWBBQ04XN1
+I1bs3kMQrOhNfL/rxZpeUzAfBgNVHSMEGDAWgBTotToiEVpUwaXfM1lPhT4Cf+wx
+pzANBgkqhkiG9w0BAQsFAAOCAQEADAaqiuJBzK8/PYN30Xx6QnKnwj4GlzzSVY/O
+AzNgfUL7QH1k6tBNlgyFom2UozIZvFuCdfJg6X5+BFWXSh4LuvODzudWUQM3bjh4
+JZJYOTTOmT6lBi+KAPbwpirj+XUVvqNlAew81b0n63uWh8yeGBa/5G0G28Dyu6Ma
+E1jZDmKVLZqGByhM46IUxov7aDFk4elM2nH0JVZpFPbTjjN5bLefqwIW8Y7NjU9s
+8Zvv4fFtsoKqPhFhPAMTjlg7bMOqtWIw95w0L1fRz9yCuN0LAjlqCFKDGLmaWqFK
+GaQKbw86KKrPfl8y9yqBgfUN69NmE5qhgmobu0so5Yy5V69BwQ==
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIEBzCCAu+gAwIBAgIUC1KT/DcaMNL7fjY7g361424pyWowDQYJKoZIhvcNAQEL
+BQAwgY8xEzARBgoJkiaJk/IsZAEZFgNjb20xFzAVBgoJkiaJk/IsZAEZFgdleGFt
+cGxlMRkwFwYDVQQKDBBFeGFtcGxlIENvbSBJbmMuMSEwHwYDVQQLDBhFeGFtcGxl
+IENvbSBJbmMuIFJvb3QgQ0ExITAfBgNVBAMMGEV4YW1wbGUgQ29tIEluYy4gUm9v
+dCBDQTAeFw0yMzA1MDIxNzU3MDVaFw0zMzA0MjkxNzU3MDVaMIGVMRMwEQYKCZIm
+iZPyLGQBGRYDY29tMRcwFQYKCZImiZPyLGQBGRYHZXhhbXBsZTEZMBcGA1UECgwQ
+RXhhbXBsZSBDb20gSW5jLjEkMCIGA1UECwwbRXhhbXBsZSBDb20gSW5jLiBTaWdu
+aW5nIENBMSQwIgYDVQQDDBtFeGFtcGxlIENvbSBJbmMuIFNpZ25pbmcgQ0EwggEi
+MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCxgE4w07GMwoHzxYlXSmNYv3Lx
+iPvftzWrFfA15dyHcCrYnoTN+re5uTi8L40Obzr7BzL41mFHED85EfvGYl02MCai
+jA2MHE7vh1JxKJ4oLMI0jtXYaBPXDb96qcfCMC+Vce0RH+I815nip1Amf/M/jMov
+KlGGYSipa4otfj8ZrinMItFucpY/mEsFgzO+yQ+Go2gzyJlNeJXIuhsfdvkq76X8
++oNrltHL1f/Y1HP7qV5eZn6uODSesHGK1VCLg7UIRk3aZRmAo5ZwTV5xb3rKhxDJ
+mvBtK77TcG9CA3MXOM204G7n85aYN+Xrb+c5xQjzsR6bo1O4I37fn8sSP9/hAgMB
+AAGjUzBRMB0GA1UdDgQWBBTotToiEVpUwaXfM1lPhT4Cf+wxpzAfBgNVHSMEGDAW
+gBTeMJiA4CPf0XcafDPDTzO+iylLfzAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3
+DQEBCwUAA4IBAQAfiHlJtB+NWDS68BRnpil500PPQzB0edqhO3h/2tnXmxtXKbH/
+0sKgCvPn3tEK8y5WrzC2UDB2F594TlGUWHiMwy1SwMkrP8gUpDS2syisaORyQ7/1
+aOktoD0eBZEWFJtGLCPR7uz/KtbZo6QsAZYhxqdE9Dn2Dw2d0YcIFogCG9ohAIWm
+6Hss2CTs2z1YKXJqYb+o0jwFDRF0H7cd5HeFaMQIkz9hLURInUU3JYemONzaxc26
+peelfPOmDySzaQjqn4lQRXXze79fMs3G5hD+f8WvQqtJkSGS1CXnLvZ8PBf12jxZ
+0SkzxLWyKOSz6M3tXonaxsLMXF+4dM48+NOm
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIEATCCAumgAwIBAgIUUe5xSfjzHNOkaqCRf5AIYXQQM3cwDQYJKoZIhvcNAQEL
+BQAwgY8xEzARBgoJkiaJk/IsZAEZFgNjb20xFzAVBgoJkiaJk/IsZAEZFgdleGFt
+cGxlMRkwFwYDVQQKDBBFeGFtcGxlIENvbSBJbmMuMSEwHwYDVQQLDBhFeGFtcGxl
+IENvbSBJbmMuIFJvb3QgQ0ExITAfBgNVBAMMGEV4YW1wbGUgQ29tIEluYy4gUm9v
+dCBDQTAeFw0yMzA1MDIxNzU3MDVaFw0zMzA0MjkxNzU3MDVaMIGPMRMwEQYKCZIm
+iZPyLGQBGRYDY29tMRcwFQYKCZImiZPyLGQBGRYHZXhhbXBsZTEZMBcGA1UECgwQ
+RXhhbXBsZSBDb20gSW5jLjEhMB8GA1UECwwYRXhhbXBsZSBDb20gSW5jLiBSb290
+IENBMSEwHwYDVQQDDBhFeGFtcGxlIENvbSBJbmMuIFJvb3QgQ0EwggEiMA0GCSqG
+SIb3DQEBAQUAA4IBDwAwggEKAoIBAQDTQTojW8vphvADeNvMhFyfV0p7EA77bxQf
+XBzbwGXqjeS4X1WeisbOi+HvBvrmg3olzzA2vVH+5gT+5S6Q62BX4oyCyyqoK/3n
+gc+8JBLGpACEeLQotLE238L8wzM+L4WblZretvAi85JZ09ur0yZ7C6QE3QeGMRrL
+9OjHuCtzSAJO3t8uuf+IwDMM/8k822reski+iVsNxHVsBkTDFbHbVKFuHadqaMRp
+G2wFINnSi4L/hMAQtIvJasjiW26kZKLd8WckDYGgZaFc1l46RR7Pj/lULBCdc86X
+INuL1M411RjB08tqMTTjqvQhMWlv+qVkoVlyx97iFKWo5gNz2FbRAgMBAAGjUzBR
+MB0GA1UdDgQWBBTeMJiA4CPf0XcafDPDTzO+iylLfzAfBgNVHSMEGDAWgBTeMJiA
+4CPf0XcafDPDTzO+iylLfzAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUA
+A4IBAQAz7tZirV9htIc3bNE0IxJ1F1oMfQChH4kgZiw8coLZ6dElzUzBhF3JZEyL
+CDxnI0Q94l+Wg6KGUNSAqlYcXbcWYhgml0B6oCGp30GlyhbK16OrapKcHitjYoKB
+rNtf5H4Ks0/I9YK9NKCLrFPsp9Qt5qStQuhZcumJbct8irXLPmrVTLKrIqCkBmP5
+7P7v9Vud5/TxWTjLUZo+eS/AkJurOdDZDf+lVmpcbsez6HsSusNu5E7BDwLcPIFQ
+MukDp/SRLInq8I8cA5t5U+tiQgsUCdLMIaLQ72EJuCId9XB8oyhP/rOJy+xwNnLW
+ZngkAWtN8JWNoaA8FkLYbJOGLikP
+-----END CERTIFICATE-----

src/test/resources/securityadmin/node.key.pem

@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQCn77HM5UEAD4NI
+orxujuZGs2Y0vM93TOm/4ZrcOzUpYoWXl4DzqMndQbbQjQdX6P07J4pB4IFkVR4/
+L9NZDSbSpr4HbU2CSFCRGSXRBzRxV5sUft2IZma9ainZIoQdGe67/qGKx3tjDoPI
+7bd1T2bjiGWV3yCVsPdwmo12jszb/7DXT3WjyPLUySM4oWDVXDLceZKD0uusQdkc
+KdOjH7yeevAQF8ZdkEkY1hV+LwhTsyi/J2ba++/R3plhQAcwpZc33+8S3I1m5GqE
+5O4D64Ier81tIRNqSwGzZ5a3t66Jphv88yoJsrWfj072xMoYrjY1YHAhtr4RrvJs
+kWIKBmcPAgMBAAECggEAMkXkISVkHwOF1qG47RPkRbgA2brIFLu2ohWEiXdEA96V
+hXr6RHb77ztz4dzGHQAHhsTgc7YkpgeBJYNIrrjsLVVzP7/t2xmQ3M79biTNAz0p
+lKoh4WpeSUfVvUXC7P9NY4PnkicDffTjaKwZJoodj/HOD16bX5R5joEF5j77fsQA
+3DkCD9JxNKxRXz0lH5ICExItQEFweDDT749LunEBC2BDHQ6UDO1JGC7Js9D/ri9C
+sNB/1OMO0AV/g7V0pMD6GlkO48UVYK9kxBZQAgI9YiRtlkVyD4Uy/CxzptJepkRW
+uqx4lD5F98bKpwleqsPNkFCj1ifXd8WAFAD4wkC8mQKBgQC8+JLgFVSmBzzbQSmM
+3iaqcm2wkhWIESV/rEtHvgJCtBZYT1NBekWdZmODfyU0Q2E/lPAYH2LgT+jgoMZ/
+JkvkrMAv8Cgh4J3Jklku29R8YyTYdouje62a69p6u02rbZFDQEeVfVVEHApnngpd
+YVmOm9eSBTBya+1lpO3H394UwwKBgQDjgRNhLoO8ce1V+Txmad1/rwfst364adXf
+UsfxTIP6wJTQXdm1ZVeqswKaGsVAaq6fX83XLT1H47c5newoll3V8KPLjAiAy/VR
+MDMKj2Rr4ojOshdiN+5wiPOVAgmrGg8eTH0wdNchtUAbI31fzzC9n8uYl146bax3
+I4NwyOMPxQKBgQCOdhtMQeh57lTrullXsJaXwwJ8rfT7immpsbtjD5Tmsptx4gOT
+Bln7CpiVJsJmfzGOXHsQxICnOLcIuUxLyRRIBhAxU6z9tTdfIiyHzgSH7bp2UhB9
+pBzCAXLJOfGY/lYXzBrrUPx6B2W0rgmEUoLQpx5CIBVg/YqQKWF1YIktPwKBgQDF
+7nSn5koi15O/atoL2CsnfWaNoo+TbjDu3RyraQCiVo6iQiS5VvRQxPGMlaHri2Vl
+r3psrSVVuF6euDDQlxIIohY/bxOuysQh4Kdnlp2t5ydTfUou366JJf2WNHGo9UEW
+AUIhuGW7I/AkLFpV0vL6513A4mDOwMB93t3qcDxsaQKBgAyXuK+6SpVkGj0HgGBH
+PyAzkoAoTcnv5gBDs/p4MiAigkAl3WqhoouWYUP2nCiQZmA4rbXcNVdClebHBD64
+jmgfXo8E2i+MHhbAWyNSWrHL7punrcdOFETw1JrvFxhPORnDLwpyfSL9DC3JfNmD
+RBM+Z8nCKBWcmxtCpMqmdbdR
+-----END PRIVATE KEY-----