This commit is contained in:
anhefti 2019-08-28 14:43:14 +02:00
parent 104fe6512d
commit 431063ab32
8 changed files with 85 additions and 39 deletions


@ -3,27 +3,19 @@ FROM openjdk:11-jre-stretch
RUN apt-get update && apt-get install -y openssl RUN apt-get update && apt-get install -y openssl
ENV KEYSTORE_PWD= ENV KEYSTORE_PWD=
ENV SERVER_CN="localhost"
ENV CLIENT_CN="localhost"
ENV OPENSSL_SUBJ="/C=CH/ST=Zuerich/L=Zuerich" ENV OPENSSL_SUBJ="/C=CH/ST=Zuerich/L=Zuerich"
ENV OPENSSL_CA="${OPENSSL_SUBJ}/CN=demo-CA" ENV OPENSSL_CA="${OPENSSL_SUBJ}/CN=demo-CA"
ENV OPENSSL_SERVER="${OPENSSL_SUBJ}/CN=${SERVER_CN}"
ENV OPENSSL_CLIENT="${OPENSSL_SUBJ}/CN=${CLIENT_CN}"
COPY gencerts.sh /
RUN chmod +x /gencerts.sh
VOLUME /certs VOLUME /certs
WORKDIR /certs WORKDIR /certs
# This works on windows # This works on windows
CMD openssl genrsa -out ca-key.pem 2048 \ CMD openssl genrsa -out ca-key.pem 2048 \
&& openssl req -new -x509 -key ca-key.pem -nodes -days 3600 -subj "${OPENSSL_CA}" -out ca.pem \ && openssl req -new -x509 -key ca-key.pem -nodes -days 3600 -subj "${OPENSSL_CA}" -out ca.pem \
&& openssl req -newkey rsa:2048 -days 3600 -nodes -subj "${OPENSSL_SERVER}" -keyout server-key.pem -out server-req.pem \ && openssl req -newkey rsa:2048 -days 3600 -nodes -config certs.cnf -keyout server-key.pem -out server-req.pem \
&& openssl rsa -in server-key.pem -out server-key.pem \ && openssl rsa -in server-key.pem -out server-key.pem \
&& openssl x509 -req -in server-req.pem -days 3600 -CA ca.pem -CAkey ca-key.pem -set_serial 01 -out server-cert.pem \ && openssl x509 -req -in server-req.pem -days 3600 -CA ca.pem -CAkey ca-key.pem -set_serial 01 -out server-cert.pem \
&& openssl req -newkey rsa:2048 -days 3600 -nodes -subj "${OPENSSL_CLIENT}" -keyout client-key.pem -out client-req.pem \ && openssl req -newkey rsa:2048 -days 3600 -nodes -config certs.cnf -keyout client-key.pem -out client-req.pem \
&& openssl rsa -in client-key.pem -out client-key.pem \ && openssl rsa -in client-key.pem -out client-key.pem \
&& openssl x509 -req -in client-req.pem -days 3600 -CA ca.pem -CAkey ca-key.pem -set_serial 01 -out client-cert.pem \ && openssl x509 -req -in client-req.pem -days 3600 -CA ca.pem -CAkey ca-key.pem -set_serial 01 -out client-cert.pem \
&& openssl verify -CAfile ca.pem server-cert.pem client-cert.pem \ && openssl verify -CAfile ca.pem server-cert.pem client-cert.pem \
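Review bot: The two `openssl x509 -req` lines that sign server-req.pem and client-req.pem do not carry any extension from the CSR into the issued certificate, so the subjectAltName that the new `-config certs.cnf` option is meant to supply never reaches server-cert.pem or client-cert.pem; add `-extfile certs.cnf -extensions v3_req` to both signing lines (and note that certs.cnf declares its section as `x509_extensions`, which `openssl req` ignores when producing a CSR, so it also needs `req_extensions = v3_req`). Both leaf certificates are issued by the same CA with `-set_serial 01`; serial numbers must be unique per issuer and some TLS stacks reject a second certificate with a reused serial, so use `-set_serial 01` for the server and `-set_serial 02` for the client. The same two points apply to the matching lines in certs.Dockerfile in this commit. The CMD continues past the end of this hunk.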

23
docker/gencerts/certs.cnf Normal file

@ -0,0 +1,23 @@
[req]
distinguished_name = req_distinguished_name
x509_extensions = v3_req
prompt = no
[req_distinguished_name]
C = CH
ST = Zuerich
L = Zuerich
O = ETH
CN = localhost
[v3_req]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
basicConstraints = CA:TRUE
subjectAltName = @alt_names
[alt_names]
DNS.1 = localhost
DNS.2 = 127.0.0.1
DNS.3 = seb-server-mariadb
DNS.4 = seb-server
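Review bot: `x509_extensions = v3_req` is only consulted when `openssl req` is run with `-x509`; the CSRs the Dockerfiles build with `openssl req -newkey ... -config certs.cnf` take their extensions from `req_extensions`, so the SAN list in this file is currently not emitted at all — add `req_extensions = v3_req` to the `[req]` section. `basicConstraints = CA:TRUE` is wrong for the server and client end-entity certificates this profile is used for and should be `basicConstraints = CA:FALSE`, otherwise every leaf would be accepted as an issuing CA once the extensions do get copied. `DNS.2 = 127.0.0.1` places an IP literal in a DNS-type SAN, which hostname verifiers (including Java's) do not match against a connection to 127.0.0.1; use `IP.1 = 127.0.0.1`. The same three points apply to the second certs.cnf added in this commit (the copy with `O = ETHZ`).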


@ -1,5 +1,13 @@
spring.profiles.include=prod-ws,prod-gui spring.profiles.include=prod-ws,prod-gui
file.encoding=UTF-8
logging.level.org.apache.tomcat.util.net.NioEndpoint=DEBUG
logging.level.ch=DEBUG
sebserver.certs.password=[SET_PWD]
sebserver.mariadb.password=[SET_PWD]
sebserver.password=[SET_PWD]
server.address=0.0.0.0 server.address=0.0.0.0
server.port=443 server.port=443
server.servlet.context-path=/ server.servlet.context-path=/
@ -7,21 +15,20 @@ server.servlet.context-path=/
security.require-ssl=true security.require-ssl=true
server.ssl.key-store-type=PKCS12 server.ssl.key-store-type=PKCS12
server.ssl.key-store=file:/certs/seb-server-keystore.pkcs12 server.ssl.key-store=file:/certs/seb-server-keystore.pkcs12
server.ssl.key-store-password=[SET_PWD] server.ssl.key-store-password=${sebserver.certs.password}
server.ssl.key-alias=1 server.ssl.key-alias=sebserver
server.ssl.key-password=${sebserver.certs.password}
server.ssl.trust-store=file:/certs/seb-server-truststore.pkcs12
file.encoding=UTF-8 server.ssl.trust-store-password=${sebserver.certs.password}
server.ssl.enabled-protocols=SSLv3,TLSv1,TLSv1.1,TLSv1.2
javax.net.ssl.keyStore=/certs/seb-server-keystore.pkcs12 javax.net.ssl.keyStore=/certs/seb-server-keystore.pkcs12
javax.net.ssl.keyStorePassword=[SET_PWD] javax.net.ssl.keyStorePassword=${sebserver.certs.password}
javax.net.ssl.trustStore=/certs/seb-server-truststore.pkcs12 javax.net.ssl.trustStore=/certs/seb-server-truststore.pkcs12
javax.net.ssl.trustStorePassword=[SET_PWD] javax.net.ssl.trustStorePassword=${sebserver.certs.password}
sebserver.webservice.api.admin.clientSecret=${sebserver.password}
spring.datasource.password=[SET_PWD] sebserver.webservice.internalSecret=${sebserver.password}
sebserver.webservice.api.admin.clientSecret=[SET_PWD]
sebserver.webservice.internalSecret=[SET_PWD]
########################################################## ##########################################################
### SEB Server Webservice configuration ### SEB Server Webservice configuration
@ -43,11 +50,12 @@ spring.datasource.hikari.initializationFailTimeout=1
spring.datasource.hikari.connectionTimeout=30000 spring.datasource.hikari.connectionTimeout=30000
spring.datasource.hikari.idleTimeout=600000 spring.datasource.hikari.idleTimeout=600000
spring.datasource.hikari.maxLifetime=1800000 spring.datasource.hikari.maxLifetime=1800000
spring.datasource.password=${sebserver.mariadb.password}
# webservice configuration # webservice configuration
sebserver.webservice.distributed=false sebserver.webservice.distributed=false
sebserver.webservice.http.scheme=https sebserver.webservice.http.scheme=https
sebserver.webservice.http.server.name=${server.address} sebserver.webservice.http.server.name=0.0.0.0
sebserver.webservice.http.redirect.gui=/gui sebserver.webservice.http.redirect.gui=/gui
sebserver.webservice.api.admin.clientId=guiClient sebserver.webservice.api.admin.clientId=guiClient
sebserver.webservice.api.admin.endpoint=/admin-api/v1 sebserver.webservice.api.admin.endpoint=/admin-api/v1
@ -76,8 +84,8 @@ server.servlet.session.tracking-modes=cookie
sebserver.gui.entrypoint=/gui sebserver.gui.entrypoint=/gui
sebserver.gui.webservice.protocol=https sebserver.gui.webservice.protocol=https
sebserver.gui.webservice.address=${server.address} sebserver.gui.webservice.address=0.0.0.0
sebserver.gui.webservice.port=80 sebserver.gui.webservice.port=443
sebserver.gui.webservice.apipath=/admin-api/v1 sebserver.gui.webservice.apipath=/admin-api/v1
# defines the polling interval that is used to poll the webservice for client connection data on a monitored exam page # defines the polling interval that is used to poll the webservice for client connection data on a monitored exam page
sebserver.gui.webservice.poll-interval=500 sebserver.gui.webservice.poll-interval=500
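Review bot: `server.ssl.enabled-protocols=SSLv3,TLSv1,TLSv1.1,TLSv1.2` in the second hunk re-enables SSLv3 and TLS 1.0/1.1, all of which are deprecated and disabled by default in current JDKs; restrict it to `server.ssl.enabled-protocols=TLSv1.2,TLSv1.3` (JDK 11 supports TLS 1.3). The first hunk also sets `logging.level.org.apache.tomcat.util.net.NioEndpoint=DEBUG` and `logging.level.ch=DEBUG` in what is the prod profile file; debug logging of the endpoint and of the whole application package is high-volume and can carry request contents into the container log, so these should default to INFO here and be raised per deployment. `sebserver.webservice.http.server.name=0.0.0.0` and `sebserver.gui.webservice.address=0.0.0.0` replace `${server.address}` with the wildcard bind address; if either value ends up in a generated URL or as a connect target, 0.0.0.0 is not a reachable host on every platform, so a comment stating why the wildcard is intended here would help the next reader.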


@ -3,28 +3,25 @@ FROM openjdk:11-jre-stretch
RUN apt-get update && apt-get install -y openssl RUN apt-get update && apt-get install -y openssl
ENV KEYSTORE_PWD= ENV KEYSTORE_PWD=
ENV SERVER_CN="seb-server-mariadb"
ENV CLIENT_CN="seb-server-mariadb"
ENV OPENSSL_SUBJ="/C=CH/ST=Zuerich/L=Zuerich" ENV OPENSSL_SUBJ="/C=CH/ST=Zuerich/L=Zuerich"
ENV OPENSSL_CA="${OPENSSL_SUBJ}/CN=demo-CA" ENV OPENSSL_CA="${OPENSSL_SUBJ}/CN=SEB_SEVER_CN"
ENV OPENSSL_SERVER="${OPENSSL_SUBJ}/CN=${SERVER_CN}"
ENV OPENSSL_CLIENT="${OPENSSL_SUBJ}/CN=${CLIENT_CN}"
VOLUME /certs VOLUME /certs
WORKDIR /certs WORKDIR /certs
# This works on windows
CMD openssl genrsa -out ca-key.pem 2048 \ CMD openssl genrsa -out ca-key.pem 2048 \
&& openssl req -new -x509 -key ca-key.pem -nodes -days 3600 -subj "${OPENSSL_CA}" -out ca.pem \ && openssl req -new -x509 -key ca-key.pem -nodes -days 3600 -subj "${OPENSSL_CA}" -out ca.pem \
&& openssl req -newkey rsa:2048 -days 3600 -nodes -subj "${OPENSSL_SERVER}" -keyout server-key.pem -out server-req.pem \ && openssl req -newkey rsa:2048 -days 3600 -nodes -config /certs/config/certs.cnf -keyout server-key.pem -out server-req.pem \
&& openssl rsa -in server-key.pem -out server-key.pem \ && openssl rsa -in server-key.pem -out server-key.pem \
&& openssl x509 -req -in server-req.pem -days 3600 -CA ca.pem -CAkey ca-key.pem -set_serial 01 -out server-cert.pem \ && openssl x509 -req -in server-req.pem -days 3600 -CA ca.pem -CAkey ca-key.pem -set_serial 01 -out server-cert.pem \
&& openssl req -newkey rsa:2048 -days 3600 -nodes -subj "${OPENSSL_CLIENT}" -keyout client-key.pem -out client-req.pem \ && openssl req -newkey rsa:2048 -days 3600 -nodes -config /certs/config/certs.cnf -keyout client-key.pem -out client-req.pem \
&& openssl rsa -in client-key.pem -out client-key.pem \ && openssl rsa -in client-key.pem -out client-key.pem \
&& openssl x509 -req -in client-req.pem -days 3600 -CA ca.pem -CAkey ca-key.pem -set_serial 01 -out client-cert.pem \ && openssl x509 -req -in client-req.pem -days 3600 -CA ca.pem -CAkey ca-key.pem -set_serial 01 -out client-cert.pem \
&& openssl verify -CAfile ca.pem server-cert.pem client-cert.pem \ && openssl verify -CAfile ca.pem server-cert.pem client-cert.pem \
&& openssl x509 -in ca.pem -inform pem -out ca.der -outform der \ && openssl x509 -in ca.pem -inform pem -out ca.der -outform der \
&& openssl pkcs12 -export -out client-cert.pkcs12 -in client-cert.pem -inkey client-key.pem -passout pass:"${KEYSTORE_PWD}" \ && openssl pkcs12 -export -out client-cert.pkcs12 -in client-cert.pem -inkey client-key.pem -passout pass:"${KEYSTORE_PWD}" \
&& keytool -importkeystore -destkeystore seb-server-keystore.pkcs12 -deststorepass "${KEYSTORE_PWD}" -srckeystore client-cert.pkcs12 -srcstoretype PKCS12 -srcstorepass "${KEYSTORE_PWD}" \ && keytool -importkeystore -destkeystore seb-server-keystore.pkcs12 -deststorepass "${KEYSTORE_PWD}" -srckeystore client-cert.pkcs12 -srcstoretype PKCS12 -srcstorepass "${KEYSTORE_PWD}" \
&& keytool -import -file ca.pem -keystore seb-server-truststore.pkcs12 -storepass "${KEYSTORE_PWD}" -srcstoretype PKCS12 -noprompt && keytool -import -file ca.pem -keystore seb-server-truststore.pkcs12 -storepass "${KEYSTORE_PWD}" -srcstoretype PKCS12 -noprompt \
&& keytool -genkeypair -alias sebserver -dname "CN=localhost, OU=ETHZ, O=ETHZ, L=Zuerich, S=Zuerich, C=CH" -keyalg RSA -storetype PKCS12 -keyalg RSA -keysize 2048 -keystore seb-server-keystore.pkcs12 -storepass "${KEYSTORE_PWD}" -validity 3650 \
&& keytool -export -alias sebserver -keystore seb-server-keystore.pkcs12 -rfc -file sebserver.cert -storetype PKCS12 -storepass "${KEYSTORE_PWD}" -noprompt \
&& keytool -importcert -trustcacerts -alias sebserver -file sebserver.cert -keystore seb-server-truststore.pkcs12 -storetype PKCS12 -storepass "${KEYSTORE_PWD}" -noprompt
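Review bot: The added `keytool -genkeypair -alias sebserver ...` creates a new self-signed key with only `CN=localhost` and no subjectAltName, and because the server configuration in this commit selects `server.ssl.key-alias=sebserver`, that is the certificate the service will present — the CA-signed server-cert.pem produced by the openssl chain above is never imported under that alias, so the SAN entries in certs.cnf (seb-server, seb-server-mariadb) do not reach the served certificate. Either import server-cert.pem/server-key.pem through `openssl pkcs12 -export` under the sebserver alias, or add `-ext "SAN=dns:localhost,dns:seb-server,dns:seb-server-mariadb,ip:127.0.0.1"` to the genkeypair call. The same line passes `-keyalg RSA` twice, and `-validity 3650` differs from the 3600 days used by every other command in this CMD; pick one value. `CN=SEB_SEVER_CN` on the OPENSSL_CA line looks like a misspelling of SERVER, presumably. KEYSTORE_PWD defaults to empty, so a run without the compose environment silently produces keystores protected by an empty password; consider failing fast with `test -n "${KEYSTORE_PWD}"` as the first step of the CMD.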


@ -0,0 +1,23 @@
[req]
distinguished_name = req_distinguished_name
x509_extensions = v3_req
prompt = no
[req_distinguished_name]
C = CH
ST = Zuerich
L = Zuerich
O = ETHZ
CN = localhost
[v3_req]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
basicConstraints = CA:TRUE
subjectAltName = @alt_names
[alt_names]
DNS.1 = localhost
DNS.2 = 127.0.0.1
DNS.3 = seb-server-mariadb
DNS.4 = seb-server
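Review bot: This file is a copy of the certs.cnf added under docker/gencerts in the same commit, differing only in `O = ETHZ` versus `O = ETH`; two copies of the same certificate profile that already diverge on the first commit will keep drifting. Keep a single file (the compose change mounts this directory into the cert container as /certs/config, so both Dockerfiles can read one copy) or put a comment at the top of each explaining why they differ. The `x509_extensions`-only declaration, `basicConstraints = CA:TRUE` and `DNS.2 = 127.0.0.1` in this copy have the same problems as in the other one.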


@ -2,11 +2,12 @@ version: '3'
services: services:
selfsigned: selfsigned:
build: build:
context: ./gencerts context: .
dockerfile: Dockerfile dockerfile: certs.Dockerfile
container_name: gencerts container_name: gencerts
volumes: volumes:
- ./certs:/certs - ./certs:/certs
- .:/certs/config
environment: environment:
- SERVER_CN=seb-server-mariadb - SERVER_CN=seb-server-mariadb
- CLIENT_CN=seb-server-mariadb - CLIENT_CN=seb-server-mariadb
@ -31,6 +32,7 @@ services:
seb-server: seb-server:
build: build:
context: . context: .
dockerfile: sebserver.Dockerfile
args: args:
- GIT_TAG= - GIT_TAG=
- SEBSERVER_VERSION=0.4.1-beta-SNAPSHOT - SEBSERVER_VERSION=0.4.1-beta-SNAPSHOT
@ -39,7 +41,7 @@ services:
- .:/config - .:/config
- ./certs:/certs - ./certs:/certs
ports: ports:
- 80:80 - 443:443
networks: networks:
- seb-server-network - seb-server-network
depends_on: depends_on:
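Review bot: `- .:/certs/config` mounts the entire compose directory into the gencerts container, although certs.Dockerfile reads only /certs/config/certs.cnf; that directory also holds the application properties (with the `[SET_PWD]` placeholders, i.e. real passwords once filled in) and the ./certs output directory itself. Mount just the one file, read-only: `- ./certs.cnf:/certs/config/certs.cnf:ro`. The `SERVER_CN` and `CLIENT_CN` environment entries look left over, since the rendered diff suggests the corresponding ENV lines were dropped from certs.Dockerfile in this commit; if so they can go as well. The enclosing `services:` mapping continues outside these hunks.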


@ -25,6 +25,6 @@ ENV SEBSERVER_VERSION=${SEBSERVER_VERSION}
WORKDIR /sebserver WORKDIR /sebserver
COPY --from=1 /sebserver/target/seb-server-"$SEBSERVER_VERSION".jar /sebserver COPY --from=1 /sebserver/target/seb-server-"$SEBSERVER_VERSION".jar /sebserver
ENTRYPOINT exec java -jar seb-server-"${SEBSERVER_VERSION}".jar --spring.profiles.active=prod --spring.config.location=file:/config/,classpath:/config/ ENTRYPOINT exec java -Djavax.net.debug=SSL -jar seb-server-"${SEBSERVER_VERSION}".jar --spring.profiles.active=prod --spring.config.location=file:/config/,classpath:/config/
EXPOSE 80 EXPOSE 443
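Review bot: `-Djavax.net.debug=SSL` on the ENTRYPOINT line switches on JSSE handshake tracing for every connection in the production image; it is very verbose, costs throughput, and writes certificate chains and session details to the container log. Remove it from the baked-in command and let operators opt in at run time, e.g. `ENTRYPOINT exec java ${JAVA_OPTS} -jar seb-server-"${SEBSERVER_VERSION}".jar --spring.profiles.active=prod --spring.config.location=file:/config/,classpath:/config/` with the variable unset by default. `EXPOSE 443` is documentation only; whether the process can actually bind 443 depends on whether a USER is set earlier in this file, which is outside the hunk — if it runs as a non-root user the port needs cap_net_bind_service or an unprivileged port behind the compose mapping.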


@ -174,6 +174,7 @@ public class WebSecurityConfig extends WebSecurityConfigurerAdapter implements E
final SSLContext sslContext = SSLContextBuilder final SSLContext sslContext = SSLContextBuilder
.create() .create()
.loadTrustMaterial(trustStoreFile, password) .loadTrustMaterial(trustStoreFile, password)
.setKeyStoreType("pkcs12")
.build(); .build();
final HttpClient client = HttpClients.custom() final HttpClient client = HttpClients.custom()
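Review bot: `.setKeyStoreType("pkcs12")` is chained after `.loadTrustMaterial(trustStoreFile, password)`, but in Apache HttpClient's SSLContextBuilder (httpcore 4.4; verify against the version in use) the configured store type is read at the moment loadTrustMaterial opens the store, so the trust store on the line above is still opened with the default type and the new call changes nothing in this builder chain. Move it above the load: `.create()` / `.setKeyStoreType("pkcs12")` / `.loadTrustMaterial(trustStoreFile, password)`. A one-line comment at the call would prevent the next reordering, such as `// must precede loadTrustMaterial: the builder reads the store type when it opens the store`. The enclosing method starts and ends outside this hunk.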