From 431063ab32843eb8b8904e0f0d7d450932e99f38 Mon Sep 17 00:00:00 2001
From: anhefti
Date: Wed, 28 Aug 2019 14:43:14 +0200
Subject: [PATCH] prod
---
 docker/gencerts/Dockerfile | 12 ++-----
 docker/gencerts/certs.cnf | 23 ++++++++++++
 .../selfsigned/application-prod.properties | 36 +++++++++++--------
 .../{gencerts/Dockerfile => certs.Dockerfile} | 17 ++++-----
 docker/prod/standalone/selfsigned/certs.cnf | 23 ++++++++++++
 .../standalone/selfsigned/docker-compose.yml | 8 +++--
 .../{Dockerfile => sebserver.Dockerfile} | 4 +--
 .../ethz/seb/sebserver/WebSecurityConfig.java | 1 +
 8 files changed, 85 insertions(+), 39 deletions(-)
 create mode 100644 docker/gencerts/certs.cnf
 rename docker/prod/standalone/selfsigned/{gencerts/Dockerfile => certs.Dockerfile} (57%)
 create mode 100644 docker/prod/standalone/selfsigned/certs.cnf
 rename docker/prod/standalone/selfsigned/{Dockerfile => sebserver.Dockerfile} (76%)
diff --git a/docker/gencerts/Dockerfile b/docker/gencerts/Dockerfile
index 2a900f91..5dfb9366 100644
--- a/docker/gencerts/Dockerfile
+++ b/docker/gencerts/Dockerfile
@@ -3,27 +3,19 @@ FROM openjdk:11-jre-stretch
 RUN apt-get update && apt-get install -y openssl
 ENV KEYSTORE_PWD=
-ENV SERVER_CN="localhost"
-ENV CLIENT_CN="localhost"
 ENV OPENSSL_SUBJ="/C=CH/ST=Zuerich/L=Zuerich"
 ENV OPENSSL_CA="${OPENSSL_SUBJ}/CN=demo-CA"
-ENV OPENSSL_SERVER="${OPENSSL_SUBJ}/CN=${SERVER_CN}"
-ENV OPENSSL_CLIENT="${OPENSSL_SUBJ}/CN=${CLIENT_CN}"
-
-COPY gencerts.sh /
-RUN chmod +x /gencerts.sh
 VOLUME /certs
-
 WORKDIR /certs
 # This works on windows
 CMD openssl genrsa -out ca-key.pem 2048 \
 && openssl req -new -x509 -key ca-key.pem -nodes -days 3600 -subj "${OPENSSL_CA}" -out ca.pem \
- && openssl req -newkey rsa:2048 -days 3600 -nodes -subj "${OPENSSL_SERVER}" -keyout server-key.pem -out server-req.pem \
+ && openssl req -newkey rsa:2048 -days 3600 -nodes -config certs.cnf -keyout server-key.pem -out server-req.pem \
 && openssl rsa -in server-key.pem -out server-key.pem \
 && openssl x509 -req -in server-req.pem -days 3600 -CA ca.pem -CAkey ca-key.pem -set_serial 01 -out server-cert.pem \
- && openssl req -newkey rsa:2048 -days 3600 -nodes -subj "${OPENSSL_CLIENT}" -keyout client-key.pem -out client-req.pem \
+ && openssl req -newkey rsa:2048 -days 3600 -nodes -config certs.cnf -keyout client-key.pem -out client-req.pem \
 && openssl rsa -in client-key.pem -out client-key.pem \
 && openssl x509 -req -in client-req.pem -days 3600 -CA ca.pem -CAkey ca-key.pem -set_serial 01 -out client-cert.pem \
 && openssl verify -CAfile ca.pem server-cert.pem client-cert.pem \
diff --git a/docker/gencerts/certs.cnf b/docker/gencerts/certs.cnf
new file mode 100644
index 00000000..38e3a964
--- /dev/null
+++ b/docker/gencerts/certs.cnf
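Review bot: `-config certs.cnf` on the two new `openssl req` lines is resolved relative to `WORKDIR /certs`, but nothing in this Dockerfile copies the new docker/gencerts/certs.cnf into the image (the only `COPY` is being removed), so both requests fail unless the file happens to be placed in the mounted `/certs` volume by hand. Add `COPY certs.cnf /certs.cnf` and reference `-config /certs.cnf` so a bind mount on `/certs` cannot shadow it. Separately, the unchanged `openssl x509 -req` lines do not carry CSR extensions into the signed certificate, so even with the config found the `subjectAltName` entries never reach server-cert.pem or client-cert.pem; they need `-extfile /certs.cnf -extensions v3_req` (with `req_extensions` set in the config). The certs.Dockerfile hunk below has the same signing gap.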
@@ -0,0 +1,23 @@
+[req]
+distinguished_name = req_distinguished_name
+x509_extensions = v3_req
+prompt = no
+
+[req_distinguished_name]
+C = CH
+ST = Zuerich
+L = Zuerich
+O = ETH
+CN = localhost
+
+[v3_req]
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid,issuer
+basicConstraints = CA:TRUE
+subjectAltName = @alt_names
+
+[alt_names]
+DNS.1 = localhost
+DNS.2 = 127.0.0.1
+DNS.3 = seb-server-mariadb
+DNS.4 = seb-server
diff --git a/docker/prod/standalone/selfsigned/application-prod.properties b/docker/prod/standalone/selfsigned/application-prod.properties
index 0bee56e7..f9ed5f1c 100644
--- a/docker/prod/standalone/selfsigned/application-prod.properties
+++ b/docker/prod/standalone/selfsigned/application-prod.properties
@@ -1,5 +1,13 @@
 spring.profiles.include=prod-ws,prod-gui
+file.encoding=UTF-8
+logging.level.org.apache.tomcat.util.net.NioEndpoint=DEBUG
+logging.level.ch=DEBUG
+
+sebserver.certs.password=[SET_PWD]
+sebserver.mariadb.password=[SET_PWD]
+sebserver.password=[SET_PWD]
+
 server.address=0.0.0.0
 server.port=443
 server.servlet.context-path=/
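Review bot: `x509_extensions = v3_req` only takes effect for `openssl req -x509`; the two `openssl req -newkey` calls in the Dockerfiles produce plain CSRs, which read `req_extensions`, so the key should be `req_extensions = v3_req` (and the signing step must copy the extensions, see the Dockerfile hunk) or the `subjectAltName` never ends up in any certificate. Once it does, `basicConstraints = CA:TRUE` would mark the server and client leaf certificates as CAs; end-entity certificates should carry `basicConstraints = CA:FALSE`. `DNS.2 = 127.0.0.1` puts an IP address into a DNS slot, which does not match a client connecting to 127.0.0.1; use `IP.1 = 127.0.0.1`. The near-identical docker/prod/standalone/selfsigned/certs.cnf further down has the same three issues.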
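Review bot: `logging.level.ch=DEBUG` and `logging.level.org.apache.tomcat.util.net.NioEndpoint=DEBUG` switch the whole application package and the TLS endpoint to DEBUG in the prod profile; that output is voluminous and tends to include request details and connection metadata that should not end up in production logs. Keep them at INFO here (or put them into a separate debugging profile) and, if they must stay for the 443 rollout, add a comment such as `# TEMPORARY: TLS debugging for the 443 rollout, remove before release` so the next reader knows when to drop them. The consolidation of the three `[SET_PWD]` placeholders is a good change; a short comment stating that this file is expected to be edited with real values before deployment would make that contract explicit.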
@@ -7,21 +15,20 @@ server.servlet.context-path=/
 security.require-ssl=true
 server.ssl.key-store-type=PKCS12
 server.ssl.key-store=file:/certs/seb-server-keystore.pkcs12
-server.ssl.key-store-password=[SET_PWD]
-server.ssl.key-alias=1
-
-
-file.encoding=UTF-8
+server.ssl.key-store-password=${sebserver.certs.password}
+server.ssl.key-alias=sebserver
+server.ssl.key-password=${sebserver.certs.password}
+server.ssl.trust-store=file:/certs/seb-server-truststore.pkcs12
+server.ssl.trust-store-password=${sebserver.certs.password}
+server.ssl.enabled-protocols=SSLv3,TLSv1,TLSv1.1,TLSv1.2
 javax.net.ssl.keyStore=/certs/seb-server-keystore.pkcs12
-javax.net.ssl.keyStorePassword=[SET_PWD]
+javax.net.ssl.keyStorePassword=${sebserver.certs.password}
 javax.net.ssl.trustStore=/certs/seb-server-truststore.pkcs12
-javax.net.ssl.trustStorePassword=[SET_PWD]
+javax.net.ssl.trustStorePassword=${sebserver.certs.password}
-
-spring.datasource.password=[SET_PWD]
-sebserver.webservice.api.admin.clientSecret=[SET_PWD]
-sebserver.webservice.internalSecret=[SET_PWD]
+sebserver.webservice.api.admin.clientSecret=${sebserver.password}
+sebserver.webservice.internalSecret=${sebserver.password}
 ##########################################################
 ### SEB Server Webservice configuration
@@ -43,11 +50,12 @@ spring.datasource.hikari.initializationFailTimeout=1
 spring.datasource.hikari.connectionTimeout=30000
 spring.datasource.hikari.idleTimeout=600000
 spring.datasource.hikari.maxLifetime=1800000
+spring.datasource.password=${sebserver.mariadb.password}
 # webservice configuration
 sebserver.webservice.distributed=false
 sebserver.webservice.http.scheme=https
-sebserver.webservice.http.server.name=${server.address}
+sebserver.webservice.http.server.name=0.0.0.0
 sebserver.webservice.http.redirect.gui=/gui
 sebserver.webservice.api.admin.clientId=guiClient
 sebserver.webservice.api.admin.endpoint=/admin-api/v1
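Review bot: `server.ssl.enabled-protocols=SSLv3,TLSv1,TLSv1.1,TLSv1.2` asks the connector to offer SSLv3, TLS 1.0 and TLS 1.1, all of which are deprecated (SSLv3 is additionally blocked by the JDK's disabled-algorithms list, so listing it only adds confusion); a production profile should offer only what is needed, e.g. `server.ssl.enabled-protocols=TLSv1.2,TLSv1.3`, which the openjdk:11 base image supports. If the line exists to work around a handshake failure with a particular client, a comment naming that client would tell the next reader when it can be tightened. The same value `sebserver.password` now backs both `sebserver.webservice.api.admin.clientSecret` and `sebserver.webservice.internalSecret`; keeping these as two separate properties limits what a single leaked GUI client secret exposes.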
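Review bot: `sebserver.webservice.http.server.name=0.0.0.0` replaces the `${server.address}` reference with the wildcard bind address, and the `@@ -76,8 +84,8 @@` hunk does the same for `sebserver.gui.webservice.address`; if these values are used to build the URLs the GUI or SEB clients connect to (the names suggest so, but I cannot see the consumer here), 0.0.0.0 is not a routable host name, is not covered by the certificate's CN or SAN entries, and is rejected outright by some client stacks. Point them at the name the certificate is issued for instead, e.g. `sebserver.webservice.http.server.name=seb-server` and `sebserver.gui.webservice.address=seb-server`, or keep the property reference and set `server.address` appropriately. `spring.datasource.password=${sebserver.mariadb.password}` is placed under the Hikari block rather than with the other secrets at the top; fine, but a one-line comment there would avoid a future duplicate definition.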
@@ -76,8 +84,8 @@ server.servlet.session.tracking-modes=cookie
 sebserver.gui.entrypoint=/gui
 sebserver.gui.webservice.protocol=https
-sebserver.gui.webservice.address=${server.address}
-sebserver.gui.webservice.port=80
+sebserver.gui.webservice.address=0.0.0.0
+sebserver.gui.webservice.port=443
 sebserver.gui.webservice.apipath=/admin-api/v1
 # defines the polling interval that is used to poll the webservice for client connection data on a monitored exam page
 sebserver.gui.webservice.poll-interval=500
diff --git a/docker/prod/standalone/selfsigned/gencerts/Dockerfile b/docker/prod/standalone/selfsigned/certs.Dockerfile
similarity index 57%
rename from docker/prod/standalone/selfsigned/gencerts/Dockerfile
rename to docker/prod/standalone/selfsigned/certs.Dockerfile
index 8de7584f..243a6618 100644
--- a/docker/prod/standalone/selfsigned/gencerts/Dockerfile
+++ b/docker/prod/standalone/selfsigned/certs.Dockerfile
@@ -3,28 +3,25 @@ FROM openjdk:11-jre-stretch
 RUN apt-get update && apt-get install -y openssl
 ENV KEYSTORE_PWD=
-ENV SERVER_CN="seb-server-mariadb"
-ENV CLIENT_CN="seb-server-mariadb"
 ENV OPENSSL_SUBJ="/C=CH/ST=Zuerich/L=Zuerich"
-ENV OPENSSL_CA="${OPENSSL_SUBJ}/CN=demo-CA"
-ENV OPENSSL_SERVER="${OPENSSL_SUBJ}/CN=${SERVER_CN}"
-ENV OPENSSL_CLIENT="${OPENSSL_SUBJ}/CN=${CLIENT_CN}"
+ENV OPENSSL_CA="${OPENSSL_SUBJ}/CN=SEB_SEVER_CN"
 VOLUME /certs
-
 WORKDIR /certs
-# This works on windows
 CMD openssl genrsa -out ca-key.pem 2048 \
 && openssl req -new -x509 -key ca-key.pem -nodes -days 3600 -subj "${OPENSSL_CA}" -out ca.pem \
- && openssl req -newkey rsa:2048 -days 3600 -nodes -subj "${OPENSSL_SERVER}" -keyout server-key.pem -out server-req.pem \
+ && openssl req -newkey rsa:2048 -days 3600 -nodes -config /certs/config/certs.cnf -keyout server-key.pem -out server-req.pem \
 && openssl rsa -in server-key.pem -out server-key.pem \
 && openssl x509 -req -in server-req.pem -days 3600 -CA ca.pem -CAkey ca-key.pem -set_serial 01 -out server-cert.pem \
- && openssl req -newkey rsa:2048 -days 3600 -nodes -subj "${OPENSSL_CLIENT}" -keyout client-key.pem -out client-req.pem \
+ && openssl req -newkey rsa:2048 -days 3600 -nodes -config /certs/config/certs.cnf -keyout client-key.pem -out client-req.pem \
 && openssl rsa -in client-key.pem -out client-key.pem \
 && openssl x509 -req -in client-req.pem -days 3600 -CA ca.pem -CAkey ca-key.pem -set_serial 01 -out client-cert.pem \
 && openssl verify -CAfile ca.pem server-cert.pem client-cert.pem \
 && openssl x509 -in ca.pem -inform pem -out ca.der -outform der \
 && openssl pkcs12 -export -out client-cert.pkcs12 -in client-cert.pem -inkey client-key.pem -passout pass:"${KEYSTORE_PWD}" \
 && keytool -importkeystore -destkeystore seb-server-keystore.pkcs12 -deststorepass "${KEYSTORE_PWD}" -srckeystore client-cert.pkcs12 -srcstoretype PKCS12 -srcstorepass "${KEYSTORE_PWD}" \
- && keytool -import -file ca.pem -keystore seb-server-truststore.pkcs12 -storepass "${KEYSTORE_PWD}" -srcstoretype PKCS12 -noprompt
\ No newline at end of file
+ && keytool -import -file ca.pem -keystore seb-server-truststore.pkcs12 -storepass "${KEYSTORE_PWD}" -srcstoretype PKCS12 -noprompt \
+ && keytool -genkeypair -alias sebserver -dname "CN=localhost, OU=ETHZ, O=ETHZ, L=Zuerich, S=Zuerich, C=CH" -keyalg RSA -storetype PKCS12 -keyalg RSA -keysize 2048 -keystore seb-server-keystore.pkcs12 -storepass "${KEYSTORE_PWD}" -validity 3650 \
+ && keytool -export -alias sebserver -keystore seb-server-keystore.pkcs12 -rfc -file sebserver.cert -storetype PKCS12 -storepass "${KEYSTORE_PWD}" -noprompt \
+ && keytool -importcert -trustcacerts -alias sebserver -file sebserver.cert -keystore seb-server-truststore.pkcs12 -storetype PKCS12 -storepass "${KEYSTORE_PWD}" -noprompt
\ No newline at end of file
diff --git a/docker/prod/standalone/selfsigned/certs.cnf b/docker/prod/standalone/selfsigned/certs.cnf
new file mode 100644
index 00000000..9e6e418c
--- /dev/null
+++ b/docker/prod/standalone/selfsigned/certs.cnf
@@ -0,0 +1,23 @@
+[req]
+distinguished_name = req_distinguished_name
+x509_extensions = v3_req
+prompt = no
+
+[req_distinguished_name]
+C = CH
+ST = Zuerich
+L = Zuerich
+O = ETHZ
+CN = localhost
+
+[v3_req]
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid,issuer
+basicConstraints = CA:TRUE
+subjectAltName = @alt_names
+
+[alt_names]
+DNS.1 = localhost
+DNS.2 = 127.0.0.1
+DNS.3 = seb-server-mariadb
+DNS.4 = seb-server
diff --git a/docker/prod/standalone/selfsigned/docker-compose.yml b/docker/prod/standalone/selfsigned/docker-compose.yml
index 6d5bbffb..83584cc5 100644
--- a/docker/prod/standalone/selfsigned/docker-compose.yml
+++ b/docker/prod/standalone/selfsigned/docker-compose.yml
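Review bot: the new `keytool -genkeypair -alias sebserver -dname "CN=localhost, ..."` line creates a second, self-signed key pair with no `subjectAltName` in the same keystore, and `server.ssl.key-alias=sebserver` in application-prod.properties selects exactly this entry, so the certificate the server actually presents is neither issued by the demo CA nor carries the seb-server / seb-server-mariadb names from certs.cnf; a client that verifies the host name against `seb-server` will reject it, and the `-config /certs/config/certs.cnf` work in the openssl block above is effectively unused for the server side. Either have the CA sign the keytool key (a `keytool -certreq`, an `openssl x509 -req ... -extfile /certs/config/certs.cnf -extensions v3_req` and a `keytool -importcert` under the same alias) or import server-key.pem and server-cert.pem through `openssl pkcs12 -export -name sebserver ...` and drop the genkeypair/export/importcert triple; whichever is chosen, a comment above the CMD stating which entry the server is meant to use would prevent this drifting again. Smaller points on the same lines: `-keyalg RSA` is passed twice, and the new CA subject `CN=SEB_SEVER_CN` looks like a typo for SERVER. The same certs.cnf issues noted at the docker/gencerts copy apply to the copy added right below.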
@@ -2,11 +2,12 @@ version: '3'
 services:
 selfsigned:
 build:
- context: ./gencerts
- dockerfile: Dockerfile
+ context: .
+ dockerfile: certs.Dockerfile
 container_name: gencerts
 volumes:
 - ./certs:/certs
+ - .:/certs/config
 environment:
 - SERVER_CN=seb-server-mariadb
 - CLIENT_CN=seb-server-mariadb
@@ -31,6 +32,7 @@ services:
 seb-server:
 build:
 context: .
+ dockerfile: sebserver.Dockerfile
 args:
 - GIT_TAG=
 - SEBSERVER_VERSION=0.4.1-beta-SNAPSHOT
@@ -39,7 +41,7 @@ services:
 - .:/config
 - ./certs:/certs
 ports:
- - 80:80
+ - 443:443
 networks:
 - seb-server-network
 depends_on:
diff --git a/docker/prod/standalone/selfsigned/Dockerfile b/docker/prod/standalone/selfsigned/sebserver.Dockerfile
similarity index 76%
rename from docker/prod/standalone/selfsigned/Dockerfile
rename to docker/prod/standalone/selfsigned/sebserver.Dockerfile
index a603946e..a8a56c38 100644
--- a/docker/prod/standalone/selfsigned/Dockerfile
+++ b/docker/prod/standalone/selfsigned/sebserver.Dockerfile
@@ -25,6 +25,6 @@ ENV SEBSERVER_VERSION=${SEBSERVER_VERSION}
 WORKDIR /sebserver
 COPY --from=1 /sebserver/target/seb-server-"$SEBSERVER_VERSION".jar /sebserver
-ENTRYPOINT exec java -jar seb-server-"${SEBSERVER_VERSION}".jar --spring.profiles.active=prod --spring.config.location=file:/config/,classpath:/config/
+ENTRYPOINT exec java -Djavax.net.debug=SSL -jar seb-server-"${SEBSERVER_VERSION}".jar --spring.profiles.active=prod --spring.config.location=file:/config/,classpath:/config/
-EXPOSE 80
\ No newline at end of file
+EXPOSE 443
\ No newline at end of file
diff --git a/src/main/java/ch/ethz/seb/sebserver/WebSecurityConfig.java b/src/main/java/ch/ethz/seb/sebserver/WebSecurityConfig.java
index 7bf87fe1..6728854d 100644
--- a/src/main/java/ch/ethz/seb/sebserver/WebSecurityConfig.java
+++ b/src/main/java/ch/ethz/seb/sebserver/WebSecurityConfig.java
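Review bot: `- .:/certs/config` mounts the whole compose directory into the certificate generator although it only needs certs.cnf; that directory also holds application-prod.properties, which is expected to contain the real values in place of `[SET_PWD]`, so mount just the file, `- ./certs.cnf:/certs/config/certs.cnf:ro`. The `SERVER_CN` / `CLIENT_CN` environment entries two lines further down are now dead: certs.Dockerfile drops the `ENV SERVER_CN` / `ENV CLIENT_CN` lines and certs.cnf hard-codes `CN = localhost`, so the intent of naming the certificate after seb-server-mariadb is silently lost; remove the entries or template the config from them. `context: .` likewise turns the whole directory into the build context of the cert image, so a .dockerignore (not visible here) excluding the properties file is worth confirming.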
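Review bot: `-Djavax.net.debug=SSL` in the ENTRYPOINT bakes JSSE debug output into the production image; it logs every handshake with certificate chains and session details, is extremely verbose, and cannot be turned off without overriding the entrypoint. Leave it out of the image and supply it only when a TLS problem is being investigated, e.g. through `environment: - JAVA_TOOL_OPTIONS=-Djavax.net.debug=ssl` in a debugging override of the compose file, so the default deployment stays quiet. The `EXPOSE 443` change matches the new `server.port=443`; a short comment tying the two together would help whoever changes the port next.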
@@ -174,6 +174,7 @@ public class WebSecurityConfig extends WebSecurityConfigurerAdapter implements E
 final SSLContext sslContext = SSLContextBuilder
 .create()
 .loadTrustMaterial(trustStoreFile, password)
+ .setKeyStoreType("pkcs12")
 .build();
 final HttpClient client = HttpClients.custom()
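Review bot: `.setKeyStoreType("pkcs12")` is chained after `.loadTrustMaterial(trustStoreFile, password)`, and as far as I recall httpclient's SSLContextBuilder instantiates the KeyStore with whatever type is set at the moment loadTrustMaterial runs, so this setter does not affect the trust store that was just loaded (it appears to work only because PKCS12 is already the default store type on JDK 9+). Move it ahead of the load: `.create()` / `.setKeyStoreType("pkcs12")` / `.loadTrustMaterial(trustStoreFile, password)`, and add a one-line comment that the truststore is the PKCS12 file produced by certs.Dockerfile. The enclosing method starts and ends outside the hunk, so I cannot see whether `password` is also used for a key-material load that would need the same ordering.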