From 67545cc748f64f5239ce2f86747f6562e3d85f8d Mon Sep 17 00:00:00 2001
From: Chris Hyzer
Date: Sat, 7 May 2022 01:25:10 -0400
Subject: [PATCH] GRP-4028: ability for container to add ssl client cert for java
---
 Dockerfile | 6 ++-
 .../usr-local-bin/librarySetupFilesTomcat.sh | 46 +++++++++++++++++++
 2 files changed, 50 insertions(+), 2 deletions(-)
diff --git a/Dockerfile b/Dockerfile
index 4cd81305..3d084135 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -105,8 +105,10 @@ COPY container_files/tier-support/log4j_fix/webinfLib/* /opt/grouper/grouperWeba
 # this is to improve openshift
 RUN touch /opt/grouper/grouperEnv.sh \
 && mkdir -p /opt/tomee/work/Catalina/localhost/ \
- && chown -R tomcat:root /opt/grouper/ /etc/httpd/conf/ /home/tomcat/ /opt/tomee/ /usr/local/bin /etc/httpd/conf.d/ /opt/tier-support/ \
- && chmod -R g+rwx /opt/grouper/ /etc/httpd/conf/ /home/tomcat/ /opt/tomee/ /usr/local/bin /etc/httpd/conf.d/ /opt/tier-support/
+ && mkdir -p /opt/grouper/certs/client \
+ && mkdir -p /opt/grouper/certs/anchors \
+ && chown -R tomcat:root /opt/grouper/ /etc/httpd/conf/ /home/tomcat/ /opt/tomee/ /usr/local/bin /etc/httpd/conf.d/ /opt/tier-support/ /usr/lib/jvm/java/jre/lib/security/cacerts \
+ && chmod -R g+rwx /opt/grouper/ /etc/httpd/conf/ /home/tomcat/ /opt/tomee/ /usr/local/bin /etc/httpd/conf.d/ /opt/tier-support/ /usr/lib/jvm/java/jre/lib/security/cacerts
 # keep backup of files
 RUN mkdir -p /opt/tier-support/originalFiles ; \
diff --git a/container_files/usr-local-bin/librarySetupFilesTomcat.sh b/container_files/usr-local-bin/librarySetupFilesTomcat.sh
index d79edade..548b4ae3 100644
--- a/container_files/usr-local-bin/librarySetupFilesTomcat.sh
+++ b/container_files/usr-local-bin/librarySetupFilesTomcat.sh
@@ -10,6 +10,7 @@ setupFilesTomcat() {
 setupFilesTomcat_sessionTimeout
 setupFilesTomcat_ssl
 setupFilesTomcat_sslCertsAnchors
+ setupFilesTomcat_sslCertsClient
 }
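Review bot: The new `chown -R tomcat:root` / `chmod -R g+rwx` on `/usr/lib/jvm/java/jre/lib/security/cacerts` leaves the JVM's system truststore writable by the application user (and by GID 0) for the life of the image, so the `chmod -w` that the startup script applies after importing is not a safeguard — a compromised webapp running as that user can flip it back and plant a trust anchor that every outbound TLS connection from the JVM then accepts. If certificates must be added at container start, consider leaving the packaged `cacerts` root-owned and read-only, copying it at startup into a tomcat-owned location such as `/opt/grouper/certs/` and pointing the JVM at the copy with `-Djavax.net.ssl.trustStore=…`, which keeps the system path immutable. Also confirm on this base image whether that `cacerts` path is a symlink (RHEL-family JDK packages commonly link it into `/etc/pki/`); `chown`/`chmod` and the later `keytool` write would then act on the link target, which is not listed here. A one-line comment on the `chown` line explaining why the truststore has to be writable at runtime would help the next reader.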
@@ -267,6 +268,49 @@ setupFilesTomcat_sslCertsAnchors() {
 fi
 }
+setupFilesTomcat_sslCertsClient() {
+
+ if [ -n "$(ls -A /opt/grouper/certs/client/*.pem 2>/dev/null)" ]; then
+
+ chmod +w /usr/lib/jvm/java/jre/lib/security/cacerts
+ returnCode=$?
+ echo "grouperContainer; INFO: (librarySetupFilesTomcat.sh-setupFilesTomcat_sslCertsAnchors) chmod +w /usr/lib/jvm/java/jre/lib/security/cacerts , result=$returnCode"
+ if [ $returnCode != 0 ]
+ then
+ exit $returnCode
+ fi
+
+ for fileName in /opt/grouper/certs/client/*.pem; do
+ [ -f "$fileName" ] || break
+
+ fileNameNoExtension=$(basename -- "$fileName")
+ fileNameNoExtension="${fileNameNoExtension%.*}"
+ /usr/lib/jvm/java/bin/keytool -import -noprompt -keystore /usr/lib/jvm/java/jre/lib/security/cacerts -storepass changeit -alias "$fileNameNoExtension" -file "$fileName"
+
+ returnCode=$?
+ echo "grouperContainer; INFO: (librarySetupFilesTomcat.sh-setupFilesTomcat_sslCertsAnchors) /usr/lib/jvm/java/bin/keytool -import -noprompt -keystore /usr/lib/jvm/java/jre/lib/security/cacerts -storepass changeit -alias \"$fileNameNoExtension\" -file \"$fileName\" , result=$returnCode"
+ if [ $returnCode != 0 ]
+ then
+ exit $returnCode
+ fi
+
+ done
+
+ chmod -w /usr/lib/jvm/java/jre/lib/security/cacerts
+ returnCode=$?
+ echo "grouperContainer; INFO: (librarySetupFilesTomcat.sh-setupFilesTomcat_sslCertsAnchors) chmod -w /usr/lib/jvm/java/jre/lib/security/cacerts , result=$returnCode"
+ if [ $returnCode != 0 ]
+ then
+ exit $returnCode
+ fi
+
+ else
+ echo "grouperContainer; INFO: (librarySetupFilesTomcat.sh-setupFilesTomcat_sslCertsClient) There are no client certs in /opt/grouper/certs/client/*.pem to process"
+ fi
+
+ fi
+}
+
 setupFilesTomcat_unsetAll() {
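Review bot: As the hunk reads, `setupFilesTomcat_sslCertsClient` closes its one outer `if` twice — `fi` after the `else` branch and a second `fi` just before `}` — which is a syntax error that will make the whole library fail to source (the +43 added-line count matches this reading, so it does not look like a collapsed-listing artifact); drop the second `fi`. The three status lines copied from the anchors function still identify themselves as `(librarySetupFilesTomcat.sh-setupFilesTomcat_sslCertsAnchors)`; they should say `(librarySetupFilesTomcat.sh-setupFilesTomcat_sslCertsClient)` so an operator can tell which step failed. It is worth a comment above the function stating that `keytool -import -file` adds each `/opt/grouper/certs/client/*.pem` to `cacerts` as a trusted-certificate entry, so whatever is dropped in that directory becomes a trust anchor for every TLS connection this JVM makes; if the intent is a client certificate for mutual TLS, that needs the private key in a keystore referenced from the connector or HTTP-client configuration, and `cacerts` is the wrong place for it. Logging the full keytool command line also logs `-storepass changeit`; it is the JRE default rather than a secret, but logging only the alias and file name would be cleaner.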
@@ -276,6 +320,7 @@ setupFilesTomcat_unsetAll() {
 unset -f setupFilesTomcat_ports
 unset -f setupFilesTomcat_ssl
 unset -f setupFilesTomcat_sslCertsAnchors
+ unset -f setupFilesTomcat_sslCertsClient
 unset -f setupFilesTomcat_supervisor
 unset -f setupFilesTomcat_unsetAll
 unset -f setupFilesTomcat_accessLogs
@@ -292,6 +337,7 @@ setupFilesTomcat_exportAll() {
 export -f setupFilesTomcat_ports
 export -f setupFilesTomcat_ssl
 export -f setupFilesTomcat_sslCertsAnchors
+ export -f setupFilesTomcat_sslCertsClient
 export -f setupFilesTomcat_supervisor
 export -f setupFilesTomcat_unsetAll
 export -f setupFilesTomcat_accessLogs