From 0e267d2c6b4bca3d1bec1be4c7c06f051431e5d9 Mon Sep 17 00:00:00 2001
From: Joze RIHTARSIC <joze.rihtarsic@ext.ec.europa.eu>
Date: Fri, 18 Oct 2019 13:59:06 +0200
Subject: [PATCH] - add smp+sml+bind mysql-tomcat image - fix sml integration
 if over http then no TLS parameters are configured

---
 .../tomcat-mysql-smp-sml/docker-compose.yml   |  14 ++
 .../db-scripts/sml-mysql5innodb-data.sql      |  52 +++++
 .../tomcat-mysql-smp-sml/runCompose.sh        |  69 +++++++
 .../tomcat-mysql-smp-sml/stopClearCompose.sh  |  18 ++
 smp-docker/images/build-docker-images.sh      |   7 +
 .../images/tomcat-mysql-smp-sml/Dockerfile    | 136 +++++++++++++
 .../images/tomcat-mysql-smp-sml/README.md     |  28 +++
 .../images/tomcat-mysql-smp-sml/bind/db.192   |  17 ++
 .../bind/db.test.edelivery.local              |  15 ++
 .../tomcat-mysql-smp-sml/bind/named.conf      |  16 ++
 .../bind/named.conf.local                     |  30 +++
 .../bind/named.conf.options                   |  51 +++++
 .../images/tomcat-mysql-smp-sml/entrypoint.sh | 186 ++++++++++++++++++
 .../smp/config/PropertyInitialization.java    |   2 +-
 .../ec/edelivery/smp/sml/SmlConnector.java    |  24 ++-
 .../smp/utils/X509CertificateUtils.java       |   6 +-
 ...nticationByClientCertFromKeystoreTest.java |  10 +-
 .../mysql-4.1_integration_test_data.sql       |   4 +-
 18 files changed, 663 insertions(+), 22 deletions(-)
 create mode 100644 smp-docker/compose/tomcat-mysql-smp-sml/docker-compose.yml
 create mode 100644 smp-docker/compose/tomcat-mysql-smp-sml/properties/db-scripts/sml-mysql5innodb-data.sql
 create mode 100755 smp-docker/compose/tomcat-mysql-smp-sml/runCompose.sh
 create mode 100755 smp-docker/compose/tomcat-mysql-smp-sml/stopClearCompose.sh
 create mode 100755 smp-docker/images/tomcat-mysql-smp-sml/Dockerfile
 create mode 100755 smp-docker/images/tomcat-mysql-smp-sml/README.md
 create mode 100755 smp-docker/images/tomcat-mysql-smp-sml/bind/db.192
 create mode 100755 smp-docker/images/tomcat-mysql-smp-sml/bind/db.test.edelivery.local
 create mode 100755 smp-docker/images/tomcat-mysql-smp-sml/bind/named.conf
 create mode 100755 smp-docker/images/tomcat-mysql-smp-sml/bind/named.conf.local
 create mode 100755 smp-docker/images/tomcat-mysql-smp-sml/bind/named.conf.options
 create mode 100755 smp-docker/images/tomcat-mysql-smp-sml/entrypoint.sh

diff --git a/smp-docker/compose/tomcat-mysql-smp-sml/docker-compose.yml b/smp-docker/compose/tomcat-mysql-smp-sml/docker-compose.yml
new file mode 100644
index 000000000..a9375cf23
--- /dev/null
+++ b/smp-docker/compose/tomcat-mysql-smp-sml/docker-compose.yml
@@ -0,0 +1,14 @@
+version: "3.0"
+services:
+  tomcat-mysql:
+    image: smp-sml-tomcat-mysql:${SMP_VERSION}
+    container_name: smp-sml-tomcat-mysql
+    volumes:
+      - ./properties/db-scripts:/tmp/custom-database-scripts/  # init script.
+    ports:
+      - 3908:3306
+      - 8982:8080
+      - 6902:6901
+      - 53:53
+
+
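Review bot: The `ports:` entries publish MySQL, Tomcat, the JaCoCo agent and DNS on every host interface, while the image in this commit ships fixed database credentials and zones that accept updates from any address, so anyone who can reach the host can reach those services. For a local development stack, bind the mappings to loopback, e.g. `- "127.0.0.1:3908:3306"`, and likewise for 8982, 6902 and 53. `53:53` maps TCP only, so a `"53:53/udp"` entry is needed if lookups from the host are meant to work. The mappings should also be quoted, because YAML can read an unquoted `xx:yy` pair with values below 60 as a base-60 number.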
diff --git a/smp-docker/compose/tomcat-mysql-smp-sml/properties/db-scripts/sml-mysql5innodb-data.sql b/smp-docker/compose/tomcat-mysql-smp-sml/properties/db-scripts/sml-mysql5innodb-data.sql
new file mode 100644
index 000000000..fe8a92272
--- /dev/null
+++ b/smp-docker/compose/tomcat-mysql-smp-sml/properties/db-scripts/sml-mysql5innodb-data.sql
@@ -0,0 +1,52 @@
+insert into bdmsl_configuration(property, value, description, created_on, last_updated_on) values
+('useProxy','false','true if a proxy is required to connect to the internet. Possible values: true/false', NOW(), NOW()),
+('unsecureLoginAllowed','true','true if the use of HTTPS is not required. If the value is set to true, then the user unsecure-http-client is automatically created. Possible values: true/false', NOW(), NOW()),
+('signResponse','false','true if the responses must be signed. Possible values: true/false', NOW(), NOW()),
+('paginationListRequest','100','Number of participants per page for the list operation of ManageParticipantIdentifier service. This property is used for pagination purposes.', NOW(), NOW()),
+('keystorePassword','vXA7JjCy0iDQmX1UEN1Qwg==','Base64 encrypted password for Keystore.', NOW(), NOW()),
+('keystoreFileName','keystore.jks','The JKS keystore file. Should be just the filename if the file is in the classpath or in the configurationDir', NOW(), NOW()),
+('keystoreAlias','sendercn','The alias in the keystore.', NOW(), NOW()),
+('httpProxyUser','user','The proxy user', NOW(), NOW()),
+('httpProxyPort','80','The http proxy port', NOW(), NOW()),
+('httpProxyPassword','setencPasswd','Base64 encrypted password for Proxy.', NOW(), NOW()),
+('httpProxyHost','127.0.0.1','The http proxy host', NOW(), NOW()),
+('encriptionPrivateKey','encriptionPrivateKey.private','Name of the 256 bit AES secret key to encrypt or decrypt passwords.', NOW(), NOW()),
+('dnsClient.server','127.0.0.1','The DNS server', NOW(), NOW()),
+('dnsClient.publisherPrefix','publisher','This is the prefix for the publishers (SMP). This is to be concatenated with the associated DNS domain in the table bdmsl_certificate_domain', NOW(), NOW()),
+('dnsClient.enabled','true','true if registration of DNS records is required. Must be true in production. Possible values: true/false', NOW(), NOW()),
+('dnsClient.SIG0PublicKeyName','sig0.acc.edelivery.tech.ec.europa.eu.','The public key name of the SIG0 key', NOW(), NOW()),
+('dnsClient.SIG0KeyFileName','SIG0.private','The actual SIG0 key file. Should be just the filename if the file is in the classpath or in the configurationDir', NOW(), NOW()),
+('dnsClient.SIG0Enabled','false','true if the SIG0 signing is enabled. Required fr DNSSEC. Possible values: true/false', NOW(), NOW()),
+('dataInconsistencyAnalyzer.senderEmail','automated-notifications@nomail.ec.europa.eu','Sender email address for reporting Data Inconsistency Analyzer.', NOW(), NOW()),
+('dataInconsistencyAnalyzer.recipientEmail','email@domain.com','Email address to receive Data Inconsistency Checker results', NOW(), NOW()),
+('dataInconsistencyAnalyzer.cronJobExpression','0 0 3 ? * *','Cron expression for dataInconsistencyChecker job. Example: 0 0 3 ? * * (everyday at 3:00 am)', NOW(), NOW()),
+('configurationDir','/opt/smlconf/','The absolute path to the folder containing all the configuration files (keystore and sig0 key)', NOW(), NOW()),
+('certificateChangeCronExpression','0 0 2 ? * *','Cron expression for the changeCertificate job. Example: 0 0 2 ? * * (everyday at 2:00 am)', NOW(), NOW()),
+('authorization.smp.certSubjectRegex','^.*(CN=SMP_|OU=PEPPOL TEST SMP).*$','User with ROOT-CA is granted SMP_ROLE only if its certificates Subject matches configured regexp', NOW(), NOW()),
+('authentication.bluecoat.enabled','true','Enables reverse proxy authentication.', NOW(), NOW()),
+('adminPassword','$2a$10$9RzbkquhBYRkHUoKMTNZhOPJmevTbUKWf549MEiCWUd.1LdblMhBi','BCrypt Hashed password to access admin services', NOW(), NOW()),
+('mail.smtp.host','smtp.localhost','BCrypt Hashed password to access admin services', NOW(), NOW()),
+('mail.smtp.port','25','BCrypt Hashed password to access admin services', NOW(), NOW()),
+('sml.property.refresh.cronJobExpression','5 */1 * * * *','Properies update', NOW(), NOW());   
+
+
+
+insert into bdmsl_subdomain(subdomain_id, subdomain_name,dns_zone, description, participant_id_regexp, dns_record_types, smp_url_schemas, created_on, last_updated_on) values
+(1, 'test.edelivery.local', 'test.edelivery.local','Test domain', '^.*$','all','all', NOW(), NOW()),
+(2, 'ehealth.test.edelivery.local','test.edelivery.local','Domain for eHealth ','^.*$','all','all',NOW(), NOW()),
+(3, 'isaitb.test.edelivery.local','test.edelivery.local','Domain for isaitb ','^.*$','all','all',NOW(), NOW()),
+(4, 'peppol.test.edelivery.local', 'test.edelivery.local','Domain for OpenPeppol ', '^((((0002|0007|0009|0037|0060|0088|0096|0097|0106|0135|0142|9901|9902|9904|9905|9906|9907|9908|9909|9910|9912|9913|9914|9915|9916|9917|9918|9919|9920|9921|9922|9923|9924|9925|9926|9927|9928|9929|9930|9931|9932|9933|9934|9935|9936|9937|9938|9939|9940|9941|9942|9943|9944|9945|9946|9947|9948|9949|9950|9951|9952|9953|9954|9955|9956|9957|0184):).*)|(\\*))$','all','all', NOW(), NOW());
+
+
+INSERT INTO bdmsl_certificate_domain(certificate, crl_url,  is_root_ca, fk_subdomain_id, created_on, last_updated_on, is_admin) VALUES
+('CN=unsecure_root,O=delete_in_production,C=only_for_testing','',1, 2, NOW(), NOW(),1),
+('CN=unsecure_root_testTeam,O=delete_in_production,C=only_for_testing','',1, 2, NOW(), NOW(),1),
+('CN=rootCNTest,OU=B4,O=DIGIT,L=Brussels,ST=BE,C=BE','',1, 1, NOW(), NOW(),0),
+('CN=rootCNIsa,OU=B4,O=DIGIT,L=Brussels,ST=BE,C=BE','',1, 3, NOW(), NOW(),1),
+('CN=AdministratorSML,OU=B4,O=DIGIT,C=BE','',0, 2, NOW(), NOW(),1);
+
+
+
+
+
+
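Review bot: The `description` values for `mail.smtp.host` and `mail.smtp.port` repeat the `adminPassword` text ('BCrypt Hashed password to access admin services') and should describe the SMTP host and port instead. The seed also commits a `keystorePassword` value and an `adminPassword` hash, and sets `unsecureLoginAllowed` to `true` next to `CN=unsecure_root...` rows with `is_admin` = 1, which is reasonable only for a throwaway test container. A header comment such as `-- TEST DATA ONLY: fixed credentials and unsecure admin certificates, never load into a shared or production SML` would make that explicit. The statements mix `insert into` and `INSERT INTO`; one keyword case per file reads better.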
diff --git a/smp-docker/compose/tomcat-mysql-smp-sml/runCompose.sh b/smp-docker/compose/tomcat-mysql-smp-sml/runCompose.sh
new file mode 100755
index 000000000..32a6b77e2
--- /dev/null
+++ b/smp-docker/compose/tomcat-mysql-smp-sml/runCompose.sh
@@ -0,0 +1,69 @@
+#!/bin/bash
+
+WORKING_DIR="$(dirname $0)"
+SML_INIT_DATABASE="../../../smp-webapp/src/main/smp-setup/database-scripts/mysql5innodb.ddl"
+SML_INIT_DATABASE_DATA="../../../smp-webapp/src/main/smp-setup/database-scripts/mysql5innodb-data.sql"
+# soap ui data
+PREFIX="smp-sml-tomcat-mysql"
+SMP_VERSION=
+
+# clear volume and containers - to run  restart from strach 
+
+
+# READ argumnets 
+while getopts i:v: option
+do
+  case "${option}"
+  in
+    i) SML_INIT_DATABASE_DATA=${OPTARG};;
+    v) SMP_VERSION=${OPTARG};;
+  esac
+done
+
+
+if [  -z "${SMP_VERSION}" ]
+then
+  # get version from POM file 
+  SMP_VERSION="$(mvn org.apache.maven.plugins:maven-help-plugin:3.1.0:evaluate -Dexpression=project.version -q -DforceStdout)"
+  
+fi
+
+echo "SMP version: $SMP_VERSION"
+echo "Working Directory: ${WORKING_DIR}"
+cd "$WORKING_DIR"
+
+
+
+# check if property folder exists if not create it
+if  [ ! -d "./properties/db-scripts/" ]
+then
+    mkdir -p "./properties/db-scripts/"
+fi
+
+# create  database init script from l
+cp   "${SML_INIT_DATABASE}" ./properties/db-scripts/mysql5innodb.ddl
+cp   "${SML_INIT_DATABASE_DATA}" ./properties/db-scripts/mysql5innodb-data.sql
+
+
+
+function clearOldContainers {
+  echo "Clear containers and volumes"
+  docker-compose -p "${PREFIX}" rm -s -f -v 
+  echo "Clear containers and volumes"
+}
+
+
+#
+# Always delete shared-status-folder else weblogic will start to quick!
+# because statuses are sync over shared-status-folder folders and it could contain status from previous run.
+
+export SMP_VERSION="${SMP_VERSION}"
+echo "Clear old containser"
+clearOldContainers
+# start " 
+echo "Start compose"
+docker-compose -p ${PREFIX} up -d --force-recreate 
+
+# wait until service is up
+for i in `seq 100`; do timeout 1  bash -c ' curl --head --silent --fail http://localhost:8982/smp/'; if [ $? -eq 0  ] ; then break;fi; echo "$i. Wait for tomcat to start!";  sleep 5;  done;
+
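Review bot: The wait loop at the end of the script falls through after 100 attempts without reporting failure, so the script exits 0 even when Tomcat never answers on port 8982. Track whether the probe succeeded and exit non-zero otherwise; `curl --max-time 1` also replaces the `timeout 1 bash -c` wrapper. Separately, the `mvn ... evaluate` call runs before `cd "$WORKING_DIR"`, so the version is read from whatever directory the caller is in, and `$(dirname $0)` and `-p ${PREFIX}` are unquoted.

```shell
# ... unchanged: option parsing, script copy, clearOldContainers, docker-compose up ...

# wait until service is up; fail the script if it never answers
started=false
for i in $(seq 100); do
  if curl --head --silent --fail --max-time 1 http://localhost:8982/smp/; then
    started=true
    break
  fi
  echo "$i. Wait for tomcat to start!"
  sleep 5
done

if [ "$started" != "true" ]; then
  echo "Tomcat did not start in time" >&2
  exit 1
fi
```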
diff --git a/smp-docker/compose/tomcat-mysql-smp-sml/stopClearCompose.sh b/smp-docker/compose/tomcat-mysql-smp-sml/stopClearCompose.sh
new file mode 100755
index 000000000..ab8907f1f
--- /dev/null
+++ b/smp-docker/compose/tomcat-mysql-smp-sml/stopClearCompose.sh
@@ -0,0 +1,18 @@
+#!/bin/bash
+
+WORKING_DIR="$(dirname $0)"
+echo "Working Directory: ${WORKING_DIR}"
+cd "$WORKING_DIR"
+
+PREFIX="smp-sml-tomcat-mysql"
+
+# clear volume and containers - to run  restart from scratch
+function clearOldContainers {
+  echo "Clear containers and volumes"
+  docker-compose -p "${PREFIX}" rm -s -f -v
+}
+
+
+# stop and clear  
+clearOldContainers
+
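Review bot: `cd "$WORKING_DIR"` is not checked, so if it fails the `docker-compose -p "${PREFIX}" rm -s -f -v` call runs from the caller's directory; `cd "$WORKING_DIR" || exit 1` stops that. `$(dirname $0)` should be written `"$(dirname "$0")"` so a path containing spaces works. runCompose.sh in this commit has the same two lines.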
diff --git a/smp-docker/images/build-docker-images.sh b/smp-docker/images/build-docker-images.sh
index f5cbefc6a..b72140be0 100755
--- a/smp-docker/images/build-docker-images.sh
+++ b/smp-docker/images/build-docker-images.sh
@@ -117,6 +117,7 @@ echo ""
     cp "${SMP_ARTEFACTS}/smp.war" ./weblogic-12.2.1.3-smp/smp.war
     # for mysql tomcat
     cp "${SMP_ARTEFACTS}/smp.war" ./tomcat-mysql/artefacts/smp.war
+    cp "${SMP_ARTEFACTS}/smp.war" ./tomcat-mysql-smp-sml/artefacts/smp.war
   fi
 
  # SMP setup zip   
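Review bot: The added `cp` targets `./tomcat-mysql-smp-sml/artefacts/`, but nothing in this commit's file list creates that directory, so on a clean checkout the copy may fail unless the directory is created in a part of the script outside this hunk. A `mkdir -p ./tomcat-mysql-smp-sml/artefacts` before the copy would make it independent of checkout state. The same applies to the `smp-setup.zip` copy added in the next hunk.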
@@ -128,6 +129,7 @@ echo ""
     # copy artefact to docker build folder
     cp "${SMP_ARTEFACTS}/smp-${SMP_VERSION}-setup.zip" ./weblogic-12.2.1.3-smp/smp-setup.zip
     cp "${SMP_ARTEFACTS}/smp-${SMP_VERSION}-setup.zip" ./tomcat-mysql/artefacts/smp-setup.zip
+    cp "${SMP_ARTEFACTS}/smp-${SMP_VERSION}-setup.zip" ./tomcat-mysql-smp-sml/artefacts/smp-setup.zip
   fi
 
 
@@ -167,6 +169,9 @@ echo ""
     # build tomcat mysql image  deployment.
     docker build -t "smp-tomcat-mysql:${SMP_VERSION}" ./tomcat-mysql/  --build-arg SMP_VERSION=${SMP_VERSION}
 
+ # build tomcat mysql image  deployment.
+    docker build -t "smp-sml-tomcat-mysql:${SMP_VERSION}" ./tomcat-mysql-smp-sml/  --build-arg SMP_VERSION=${SMP_VERSION}
+
 }
 
 function pushImageToDockerhub {
@@ -177,6 +182,7 @@ function pushImageToDockerhub {
        docker login --username="${DOCKER_USER}" --password="${DOCKER_PASSWORD}"
        # push images
        pushImageIfExisting "smp-tomcat-mysql:${SMP_VERSION}"
+       pushImageIfExisting "smp-sml-tomcat-mysql:${SMP_VERSION}"
        pushImageIfExisting "smp-weblogic-122:${SMP_VERSION}"
        pushImageIfExisting "smp-oradb-11.2.0.2-xe:${SMP_VERSION}"
    fi
@@ -206,6 +212,7 @@ function pushImageIfExisting {
 
   # clear also the tomcat/mysql image  
   rm -rf "./tomcat-mysql/artefacts/*.*"
+  rm -rf "./tomcat-mysql-smp-sml/artefacts/*.*"
 
   if [[ "V$SMP_ARTEFACTS_CLEAR" == "Vtrue" ]]
   then
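Review bot: The added `rm -rf "./tomcat-mysql-smp-sml/artefacts/*.*"` removes nothing, because the glob is inside double quotes and reaches `rm` as a literal file name. Move the pattern outside the quotes, `rm -rf ./tomcat-mysql-smp-sml/artefacts/*`, so the copied `smp.war` and `smp-setup.zip` are actually cleaned up. The existing `./tomcat-mysql/artefacts/*.*` line just above has the same problem. The enclosing function starts and ends outside the hunk.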
diff --git a/smp-docker/images/tomcat-mysql-smp-sml/Dockerfile b/smp-docker/images/tomcat-mysql-smp-sml/Dockerfile
new file mode 100755
index 000000000..5f7c845a8
--- /dev/null
+++ b/smp-docker/images/tomcat-mysql-smp-sml/Dockerfile
@@ -0,0 +1,136 @@
+FROM ubuntu:18.04
+MAINTAINER Joze Rihtarsic
+
+ARG SMP_VERSION
+# Set the SMP_VERSION env variable  \
+ENV SMP_HOME=/opt/smp  \
+    MYSQL_DRV_VERSION=5.1.46  \
+    MYSQL_DRV_SHA1=9a3e63b387e376364211e96827bc27db8d7a92e9	  \
+    TOMCAT_MAJOR=8    \
+    TOMCAT_VERSION=8.5.31   \
+    TOMCAT_SHA512=51d8877782bc975b8c566263df7e55f383e617aa3c81ea2c219fed18e1f5d9e8233a92100de95b9a8df69ce5c0ad89a195d5b7e5647fcf9df26231870073a9cb   \
+    SMP_DB_SCHEMA=smp  \
+    SMP_DB_USER=smp \
+    SMP_DB_USER_PASSWORD=smp  \
+    MYSQL_ROOT_PASSWORD=root \
+# sml environment variables
+    SML_VERSION=4.0.1 \
+    SML_DISTRIBUTION_URL=https://ec.europa.eu/cefdigital/artifact/repository/public/eu/europa/ec/bdmsl/bdmsl-webapp/ \
+    SML_SHA1=ba1f70eba030095ccc23b1653cbf1a1cc2c2fa7b  \
+    SML_SETUP_SHA1=d47852efa419e67111ad850b477e127e02cb83f8  \
+    SML_DB_SCHEMA=sml  \
+    SML_DB_USER=sml \
+    SML_DB_USER_PASSWORD=sml  \
+    BIND_USER=bind   \
+# misc variables
+   JACOCO_VERSION=0.8.4 \
+   LANG=en_US.utf8  \
+   LD_LIBRARY_PATH=/usr/local/apr/lib
+
+
+# Exposing ports used in entrypoint.sh ..
+# - 3306 Mysql port
+# - 6400 JaCoCo port
+# - 8080 Tomcat port
+# - 53 dns port
+EXPOSE 3306 8080 6400 53
+
+
+
+VOLUME ["/data"]
+
+# install utils, java, mysql   \
+RUN apt-get update \
+    && DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends \
+        mysql-server \
+        openjdk-8-jdk \
+        locales\
+	    curl \
+        unzip   \
+        bind9 \
+        bind9utils  \
+        dnsutils \
+        libapr1 \
+	    libapr1-dev \
+	    libssl-dev \
+	    gcc \
+	    make \
+    && rm -rf /var/lib/apt/lists/*  \
+    && localedef -i en_US -c -f UTF-8 -A /usr/share/locale/locale.alias en_US.UTF-8 \
+# set user 
+    && addgroup mysql mysql   \
+# download SMP, SMP setup, tomcat mysql driver
+    && mkdir -p $SMP_HOME   \
+    && cd $SMP_HOME    \
+    && curl -O  https://repo1.maven.org/maven2/mysql/mysql-connector-java/$MYSQL_DRV_VERSION/mysql-connector-java-$MYSQL_DRV_VERSION.jar    \
+    && sha1sum mysql-connector-java-$MYSQL_DRV_VERSION.jar  | grep $MYSQL_DRV_SHA1    \
+    && curl -o tomcat.zip "https://archive.apache.org/dist/tomcat/tomcat-$TOMCAT_MAJOR/v$TOMCAT_VERSION/bin/apache-tomcat-$TOMCAT_VERSION.zip"    \
+    && sha512sum tomcat.zip | grep $TOMCAT_SHA512    \
+    && unzip tomcat.zip   \
+    && mv mysql-connector-java-$MYSQL_DRV_VERSION.jar $SMP_HOME/apache-tomcat-$TOMCAT_VERSION/lib/    \
+    && rm tomcat.zip   \
+    && mkdir -p $SMP_HOME/apache-tomcat-$TOMCAT_VERSION/classes/  \
+    && echo "export CLASSPATH=$SMP_HOME/apache-tomcat-$TOMCAT_VERSION/classes" >   $SMP_HOME/apache-tomcat-$TOMCAT_VERSION/bin/setenv.sh  \
+# add sml and smp datasource 
+    && sed -i -e "s/<\/Context>/<Resource name=\"jdbc\/eDeliverySmpDs\" auth=\"Container\" type=\"javax.sql.DataSource\" maxTotal=\"100\" maxIdle=\"30\" maxWaitMillis=\"10000\" username=\"$SMP_DB_USER\" password=\"$SMP_DB_USER_PASSWORD\" driverClassName=\"com.mysql.jdbc.Driver\" url=\"jdbc:mysql:\/\/localhost:3306\/$SMP_DB_SCHEMA?useSSL=false\&amp;characterEncoding=UTF-8\&amp;useUnicode=true\"\/>\\n<Resource name=\"jdbc\/eDeliverySmlDs\" auth=\"Container\" type=\"javax.sql.DataSource\" maxTotal=\"100\" maxIdle=\"30\" maxWaitMillis=\"10000\" username=\"$SML_DB_USER\" password=\"$SML_DB_USER_PASSWORD\" driverClassName=\"com.mysql.jdbc.Driver\" url=\"jdbc:mysql:\/\/localhost:3306\/$SML_DB_SCHEMA?useSSL=false\&amp;characterEncoding=UTF-8\&amp;useUnicode=true\"\/><\/Context>/g" "$SMP_HOME/apache-tomcat-$TOMCAT_VERSION/conf/context.xml"  \
+    && sed -i -e "s/<Connector /<Connector URIEncoding=\"UTF-8\" /g" "$SMP_HOME/apache-tomcat-$TOMCAT_VERSION/conf/server.xml"  \
+# add SMP init configuration
+    && echo "datasource.jndi=java:comp/env/jdbc/eDeliverySmpDs" >  $SMP_HOME/apache-tomcat-$TOMCAT_VERSION/classes/smp.config.properties   \
+    && echo "hibernate.dialect=org.hibernate.dialect.MySQL5InnoDBDialect" >>  $SMP_HOME/apache-tomcat-$TOMCAT_VERSION/classes/smp.config.properties   \
+    && echo "# SMP init parameters" >>  $SMP_HOME/apache-tomcat-$TOMCAT_VERSION/classes/smp.config.properties   \
+    && echo "authentication.blueCoat.enabled=true" >>  $SMP_HOME/apache-tomcat-$TOMCAT_VERSION/classes/smp.config.properties  \
+    && echo "bdmsl.integration.enabled=true" >>  $SMP_HOME/apache-tomcat-$TOMCAT_VERSION/classes/smp.config.properties  \
+    && echo "bdmsl.integration.url=http://localhost:8080/edelivery-sml/" >>  $SMP_HOME/apache-tomcat-$TOMCAT_VERSION/classes/smp.config.properties  \
+    && echo "bdmsl.integration.logical.address=http://localhost:8080/smp/" >>  $SMP_HOME/apache-tomcat-$TOMCAT_VERSION/classes/smp.config.properties  \
+    && echo "bdmsl.integration.physical.address=0.0.0.0" >>  $SMP_HOME/apache-tomcat-$TOMCAT_VERSION/classes/smp.config.properties  \
+    && echo "bdmsl.participant.multidomain.enabled=false" >>  $SMP_HOME/apache-tomcat-$TOMCAT_VERSION/classes/smp.config.properties  \
+# add SML init configuration
+   && echo "sml.datasource.jndi=java:comp/env/jdbc/eDeliverySmlDs" >  $SMP_HOME/apache-tomcat-$TOMCAT_VERSION/classes/sml.config.properties  \
+   && echo "sml.hibernate.dialect=org.hibernate.dialect.MySQLDialect" >>  $SMP_HOME/apache-tomcat-$TOMCAT_VERSION/classes/sml.config.properties  \
+   && echo "sml.jsp.servlet.class=org.apache.jasper.servlet.JspServlet" >>  $SMP_HOME/apache-tomcat-$TOMCAT_VERSION/classes/sml.config.properties  \
+# mysql configuration
+   && sed -i -e "s/127.0.0.1/0.0.0.0/g" /etc/mysql/mysql.conf.d/mysqld.cnf   \
+# image is also used for code coverage report
+    && mkdir /opt/jacoco  \
+    && curl -o /opt/jacoco/jacoco-agent.jar http://central.maven.org/maven2/org/jacoco/org.jacoco.agent/$JACOCO_VERSION/org.jacoco.agent-$JACOCO_VERSION-runtime.jar \
+    && mkdir /opt/smlconf \
+    && mkdir /opt/smlconf/bind 
+# enable native TLS on tomcat  
+    
+RUN export JAVA_HOME=$(readlink -f /usr/bin/javac | sed "s:/bin/javac::") \
+    && cd $SMP_HOME/apache-tomcat-$TOMCAT_VERSION/bin \
+    && tar xfz tomcat-native.tar.gz \
+    && cd tomcat-native-1.2.16-src/native \
+    && ./configure && make && make install 
+
+# dowload and deploy sml
+RUN  curl -o $SMP_HOME/edelivery-sml.war "$SML_DISTRIBUTION_URL/$SML_VERSION/bdmsl-webapp-$SML_VERSION.war"
+RUN sha1sum $SMP_HOME/edelivery-sml.war  | grep $SML_SHA1
+RUN curl -o /tmp/sml-setup.zip "$SML_DISTRIBUTION_URL/$SML_VERSION/bdmsl-webapp-$SML_VERSION-setup.zip"     
+RUN sha1sum /tmp/sml-setup.zip  | grep $SML_SETUP_SHA1  
+RUN mv $SMP_HOME/edelivery-sml.war $SMP_HOME/apache-tomcat-$TOMCAT_VERSION/webapps/
+
+ENV BIND_USER=bind
+    
+ADD ./artefacts /tmp/artefacts
+COPY ./entrypoint.sh /sbin/entrypoint.sh
+
+
+COPY bind/db.test.edelivery.local /opt/smlconf/bind/db.test.edelivery.local
+COPY bind/db.192 /opt/smlconf/bind/db.192
+COPY bind/named.conf /opt/smlconf/bind/named.conf
+COPY bind/named.conf.local /opt/smlconf/bind/named.conf.local
+
+
+RUN unzip /tmp/artefacts/smp-setup.zip -d /tmp/    \
+    && mv /tmp/smp-$SMP_VERSION /tmp/smp-setup \
+    && mv /tmp/artefacts/smp.war $SMP_HOME/apache-tomcat-$TOMCAT_VERSION/webapps/     \
+    && unzip /tmp/sml-setup.zip -d /tmp/    \
+    && mv /tmp/bdmsl-webapp-$SML_VERSION /tmp/sml-setup \
+    && cp /tmp/sml-setup/encriptionPrivateKey.private  /opt/smlconf/encriptionPrivateKey.private \
+    && cp /tmp/sml-setup/keystore.jks /opt/smlconf/keystore.jk \
+    && chmod u+x /sbin/entrypoint.sh
+
+
+ENTRYPOINT ["/sbin/entrypoint.sh"]
+
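Review bot: The JaCoCo agent is fetched over plain `http://central.maven.org/...` with no checksum, while the other downloads in this file use HTTPS and are hash-checked, so the jar that entrypoint.sh loads into Tomcat as a `-javaagent` is the one unauthenticated artifact in the image. Fetch it from `https://repo1.maven.org/maven2/org/jacoco/org.jacoco.agent/$JACOCO_VERSION/org.jacoco.agent-$JACOCO_VERSION-runtime.jar` and add `&& sha1sum /opt/jacoco/jacoco-agent.jar | grep $JACOCO_SHA1`, where `JACOCO_SHA1` is a placeholder name for the published checksum (the value is not on this page). Two smaller mismatches: `keystore.jks` is copied to `/opt/smlconf/keystore.jk` although the seeded `keystoreFileName` is `keystore.jks`, and `EXPOSE` lists 6400 while entrypoint.sh starts the JaCoCo agent on port 6901.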
diff --git a/smp-docker/images/tomcat-mysql-smp-sml/README.md b/smp-docker/images/tomcat-mysql-smp-sml/README.md
new file mode 100755
index 000000000..8ee723797
--- /dev/null
+++ b/smp-docker/images/tomcat-mysql-smp-sml/README.md
@@ -0,0 +1,28 @@
+# Experiamental SMP docker image
+Purpose of image is to help SMP and AP sofware developers to create development environment for localy testing Dynamic Discovery using SML and SMP.
+Image uses latest version of eDelivery SMP setup on tomcat, mysql ubuntu
+
+# Image build
+
+docker build -t smp .
+
+# Run container based on smp image
+docker run --name smp -it --rm -p [http-port]:8080 -v [local volume]:/data smp
+example:
+docker run --name smp --rm -it -p 8080:8080 -v  /opt/dockerdata/smp:/data smp smp
+
+## SMP (param: -p 8080:8080 )
+url: http://localhost:8080/smp
+
+## MYSQL (param: -p 3306:3306)
+Database client connection (for testing and debugging )
+url: jdbc:mysql://localhost:3306/smp
+Username: smp
+Password:  smp
+
+## Volume (-v /opt/dockerdata/sml:/data)
+Mysql database files and tomcat configuration (and logs) can be externalized for experimenting with different SMP settings.
+
+
+
+
diff --git a/smp-docker/images/tomcat-mysql-smp-sml/bind/db.192 b/smp-docker/images/tomcat-mysql-smp-sml/bind/db.192
new file mode 100755
index 000000000..2d6d62e28
--- /dev/null
+++ b/smp-docker/images/tomcat-mysql-smp-sml/bind/db.192
@@ -0,0 +1,17 @@
+	;
+; BIND reverse data file for local loopback interface
+;
+$TTL	604800
+@	IN	SOA	 ns.test.edelivery.local. root.test.edelivery.local. (
+			      3		; Serial
+			 604800		; Refresh
+			  86400		; Retry
+			2419200		; Expire
+			 604800 )	; Negative Cache TTL
+;
+@       IN      NS      ns.
+102      IN      PTR     ns.test.edelivery.local.
+
+; also list other computers
+101      IN      PTR    ns2.test.edelivery.local.
+
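Review bot: `@ IN NS ns.` names the root-level host `ns.` as the zone's name server; it probably should be `ns.test.edelivery.local.` to match the SOA line above. The header comment still says 'local loopback interface' although named.conf.local loads this file for `168.192.in-addr.arpa`. In that zone the owners `102` and `101` expand to `102.168.192.in-addr.arpa.` and `101.168.192.in-addr.arpa.`, which lack the two host octets a PTR for a 192.168.x.y address needs (for example `201.56` for the `ac` record in db.test.edelivery.local).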
diff --git a/smp-docker/images/tomcat-mysql-smp-sml/bind/db.test.edelivery.local b/smp-docker/images/tomcat-mysql-smp-sml/bind/db.test.edelivery.local
new file mode 100755
index 000000000..255540496
--- /dev/null
+++ b/smp-docker/images/tomcat-mysql-smp-sml/bind/db.test.edelivery.local
@@ -0,0 +1,15 @@
+$ORIGIN .
+$TTL 604800	; 1 week
+test.edelivery.local	IN SOA	ns.test.edelivery.local. root.test.edelivery.local. (
+				1          ; serial
+				604800     ; refresh (1 week)
+				86400      ; retry (1 day)
+				2419200    ; expire (4 weeks)
+				604800     ; minimum (1 week)
+				)
+			NS	ns.test.edelivery.local.
+
+$ORIGIN test.edelivery.local.
+$TTL 60	; 1 minute
+ac			A	192.168.56.201
+ns			A	127.0.0.1
diff --git a/smp-docker/images/tomcat-mysql-smp-sml/bind/named.conf b/smp-docker/images/tomcat-mysql-smp-sml/bind/named.conf
new file mode 100755
index 000000000..4a70c5ac8
--- /dev/null
+++ b/smp-docker/images/tomcat-mysql-smp-sml/bind/named.conf
@@ -0,0 +1,16 @@
+// This is the primary configuration file for the BIND DNS server named.
+//
+// Please read /usr/share/doc/bind9/README.Debian.gz for information on the 
+// structure of BIND configuration files in Debian, *BEFORE* you customize 
+// this configuration file.
+//
+// If you are just adding zones, please do that in /etc/bind/named.conf.local
+
+// key sig0.acc.edelivery.tech.ec.europa.eu. { 
+//    algorithm hmac-md5; 
+//    secret "U4u/rkxSgL2QjNcwn+EwLA=="; 
+//};
+
+include "/etc/bind/named.conf.options";
+include "/etc/bind/named.conf.local";
+include "/etc/bind/named.conf.default-zones";
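Review bot: The commented-out `key sig0.acc.edelivery.tech.ec.europa.eu.` block carries a base64 `secret` value, and commenting it out does not keep it out of the repository or the built image. If that value was ever used on a real server it should be rotated; in this file, replace it with a placeholder such as `secret "<generated-per-environment>";` or drop the block. Should the key be enabled later, `hmac-md5` is a weak choice and `hmac-sha256` is the usual replacement.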
diff --git a/smp-docker/images/tomcat-mysql-smp-sml/bind/named.conf.local b/smp-docker/images/tomcat-mysql-smp-sml/bind/named.conf.local
new file mode 100755
index 000000000..90fcf979c
--- /dev/null
+++ b/smp-docker/images/tomcat-mysql-smp-sml/bind/named.conf.local
@@ -0,0 +1,30 @@
+//
+// Do any local configuration here
+//
+
+// Consider adding the 1918 zones here, if they are not used in your
+// organization
+//include "/etc/bind/zones.rfc1918";
+
+
+zone "test.edelivery.local" {
+       type master;
+       file "/etc/bind/db.test.edelivery.local";
+        //allow-update { 127.0.0.1;172/8; } ;
+        allow-update { any; };        
+        allow-query     { any; };
+        allow-transfer {127.0.0.1; 172/8;};
+//       allow-update { key sig0.acc.edelivery.tech.ec.europa.eu. ; } ;
+};
+
+
+zone "168.192.in-addr.arpa" {
+        type master;
+        notify no;
+        file "/etc/bind/db.192";
+//        allow-update { 127.0.0.1;172/8; } ;
+        allow-update { any; } ;
+        allow-query     { any; };
+        allow-transfer {127.0.0.1; 172/8;};
+//        allow-update { key sig0.acc.edelivery.tech.ec.europa.eu. ; } ;
+};
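Review bot: Both zones set `allow-update { any; };`, so any client that can reach port 53 can rewrite their records, and docker-compose.yml in this commit publishes that port on the host. The seeded SML configuration points `dnsClient.server` at `127.0.0.1`, so `allow-update { 127.0.0.1; };` looks sufficient for the in-container SML, as the commented-out line already sketches. `allow-transfer {127.0.0.1; 172/8;};` covers all of 172.0.0.0/8, which is wider than the private 172.16.0.0/12 range Docker networks normally use.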
diff --git a/smp-docker/images/tomcat-mysql-smp-sml/bind/named.conf.options b/smp-docker/images/tomcat-mysql-smp-sml/bind/named.conf.options
new file mode 100755
index 000000000..ef6c69e5e
--- /dev/null
+++ b/smp-docker/images/tomcat-mysql-smp-sml/bind/named.conf.options
@@ -0,0 +1,51 @@
+options {
+	directory "/var/cache/bind";
+
+	// If there is a firewall between you and nameservers you want
+	// to talk to, you may need to fix the firewall to allow multiple
+	// ports to talk.  See http://www.kb.cert.org/vuls/id/800113
+
+	// If your ISP provided one or more IP addresses for stable 
+	// nameservers, you probably want to use them as forwarders.  
+	// Uncomment the following block, and insert the addresses replacing 
+	// the all-0's placeholder.
+
+	// forwarders {
+	// 	0.0.0.0;
+	// };
+
+        //========================================================================
+	// JRC: disable recursion search (this is Authoritative-Only dns server)
+	//========================================================================
+
+
+        recursion no;
+	fetch-glue no;
+        //========================================================================
+	// JRC: allow-transfer defines a match list e.g. IP address(es) that are
+        // allowed to transfer (copy) the zone information from the server (master 
+        // or slave for the zone).
+	//========================================================================
+        allow-transfer { none; };
+
+	//========================================================================
+	// If BIND logs error messages about the root key being expired,
+	// you will need to update your keys.  See https://www.isc.org/bind-keys
+	//========================================================================
+
+ 	dnssec-enable false;
+	dnssec-validation auto;
+
+        //========================================================================
+	// JRC: dnssec-lookaside auto; makes that named reads the DLV key from bind.keys the first time it executes. 
+        //========================================================================
+        dnssec-lookaside auto;
+        //========================================================================
+	// JRC:The bindkeys-file line is needed only if your bind.keys file is in a location other than /etc/bind/bind.keys - if it's /etc/bind/bind.keys, it's loaded by default. 
+        //========================================================================
+        // bindkeys-file "/etc/bind/bind.keys";
+
+	auth-nxdomain no;    # conform to RFC1035
+	listen-on-v6 { any; };
+};
+
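Review bot: This file does not appear to reach the image: the Dockerfile in this commit copies `db.test.edelivery.local`, `db.192`, `named.conf` and `named.conf.local` into `/opt/smlconf/bind/` but not `named.conf.options`, so the package's default options stay in effect rather than `recursion no;`. Adding `COPY bind/named.conf.options /opt/smlconf/bind/named.conf.options` next to the other four would fix that. Once the file is loaded, note that `fetch-glue` and `dnssec-lookaside` are obsolete options that BIND warns about or rejects depending on the release. The per-zone `allow-transfer` lists in named.conf.local also override the `allow-transfer { none; };` set here.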
diff --git a/smp-docker/images/tomcat-mysql-smp-sml/entrypoint.sh b/smp-docker/images/tomcat-mysql-smp-sml/entrypoint.sh
new file mode 100755
index 000000000..bbe6ddd72
--- /dev/null
+++ b/smp-docker/images/tomcat-mysql-smp-sml/entrypoint.sh
@@ -0,0 +1,186 @@
+#!/bin/sh
+
+#set -e
+
+# parameters
+MYSQL_ROOT_PASSWORD=${MYSQL_ROOT_PASSWORD:-"root"}
+SMP_DB_USER=${SMP_DB_USER:-"smp"}
+SMP_DB_USER_PASSWORD=${SMP_DB_USER_PASSWORD:-"secret123"}
+SMP_DB_SCHEMA=${SMP_DB_SCHEMA:-"smp"}
+
+SML_DB_USER=${SML_DB_USER:-"sml"}
+SML_DB_USER_PASSWORD=${SML_DB_USER_PASSWORD:-"secret123"}
+SML_DB_SCHEMA=${SML_DB_SCHEMA:-"sml"}
+
+DATA_DIR=/data
+MYSQL_DATA_DIR=${DATA_DIR}/mysql
+TOMCAT_DIR=${DATA_DIR}/tomcat
+TOMCAT_HOME=${SMP_HOME}/apache-tomcat-$TOMCAT_VERSION/
+BIND_DATA_DIR=${DATA_DIR}/bind
+
+
+if [ ! -d ${DATA_DIR} ]; then
+   mkdir -p ${DATA_DIR}
+fi
+
+init_tomcat() {
+  # add java code coverage angent to image
+  JAVA_OPTS="-javaagent:/opt/jacoco/jacoco-agent.jar=output=tcpserver,address=*,port=6901 $JAVA_OPTS"
+  # add allow encoded slashes and disable scheme for proxy
+  JAVA_OPTS="$JAVA_OPTS -Dorg.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH=true -Djdk.http.auth.tunneling.disabledSchemes="
+  export  JAVA_OPTS
+
+  echo "[INFO] init tomcat folders: $tfile"
+  if [ ! -d ${TOMCAT_DIR} ]; then
+    mkdir -p ${TOMCAT_DIR}
+  fi
+
+  # move tomcat log folder to data folder
+  if [ ! -d ${TOMCAT_DIR}/logs ]; then
+    if [ ! -d  ${TOMCAT_HOME}/logs  ]; then
+      mkdir -p ${TOMCAT_DIR}/logs
+    else 
+      mv ${TOMCAT_HOME}/logs ${TOMCAT_DIR}/
+      rm -rf ${TOMCAT_HOME}/logs 
+    fi
+  fi
+  rm -rf ${TOMCAT_HOME}/logs 
+  ln -sf ${TOMCAT_DIR}/logs ${TOMCAT_HOME}/logs
+
+  # move tomcat conf folder to data folder
+  if [ ! -d ${TOMCAT_DIR}/conf ]; then
+    mv ${TOMCAT_HOME}/conf ${TOMCAT_DIR}/ 
+  fi
+  rm -rf ${TOMCAT_HOME}/conf 
+  ln -sf ${TOMCAT_DIR}/conf ${TOMCAT_HOME}/conf
+
+  # move smp conf folder to data folder
+  if [ ! -d ${TOMCAT_DIR}/classes ]; then
+    mv ${TOMCAT_HOME}/classes ${TOMCAT_DIR}/
+  fi
+  rm -rf ${TOMCAT_HOME}/classes
+  ln -sf ${TOMCAT_DIR}/classes ${TOMCAT_HOME}/
+
+   # sleep a little to avoid mv issues
+   sleep 5s
+}
+
+
+init_mysql() {
+  echo "[INFO] init database:"
+  if [ ! -d "/run/mysqld" ]; then
+    mkdir -p /run/mysqld
+    chown -R mysql:mysql /run/mysqld
+  fi
+
+  if [ ! -d ${MYSQL_DATA_DIR} ]; then
+    # sleep a little to avoid mv issues
+    sleep 3s
+    mv /var/lib/mysql ${DATA_DIR}
+  fi
+  
+  rm -rf /var/lib/mysql
+  ln -sf ${MYSQL_DATA_DIR} /var/lib/mysql
+  chmod -R 0777 ${MYSQL_DATA_DIR}
+  chown -R mysql:mysql ${MYSQL_DATA_DIR}
+  echo '[INFO] start MySQL'
+  sleep 5s
+  service mysql start
+ 
+  echo "[INFO] create SMP database: ${SMP_DB_SCHEMA}"
+  if [ -d ${MYSQL_DATA_DIR}/${SMP_DB_SCHEMA} ]; then
+    echo "[INFO] MySQL ${SMP_DB_SCHEMA} already present, skipping creation"
+  else 
+    echo "[INFO] MySQL ${SMP_DB_SCHEMA}  not found, creating initial DBs"
+
+    echo 'Create smp database'
+    mysql -h localhost -u root -e "ALTER USER 'root'@'localhost' IDENTIFIED BY '$MYSQL_ROOT_PASSWORD';drop schema if exists $SMP_DB_SCHEMA;DROP USER IF EXISTS $SMP_DB_USER;  create schema $SMP_DB_SCHEMA;alter database $SMP_DB_SCHEMA charset=utf8; create user $SMP_DB_USER identified by '$SMP_DB_USER_PASSWORD';grant all on $SMP_DB_SCHEMA.* to $SMP_DB_USER;"
+
+    if [ -f "/tmp/custom-database-scripts/mysql5innodb-data.sql" ]
+    then
+        echo "Use custom database script! "
+        mysql -h localhost -u root --password=$MYSQL_ROOT_PASSWORD $SMP_DB_SCHEMA < "tmp/custom-database-scripts/mysql5innodb.ddl"
+    else
+          echo "Use default database ddl script!"
+           mysql -h localhost -u root --password=$MYSQL_ROOT_PASSWORD $SMP_DB_SCHEMA < "/tmp/smp-setup/database-scripts/mysql5innodb.ddl"
+    fi
+
+    if [ -f "/tmp/custom-database-scripts/mysql5innodb-data.sql" ]
+    then
+         echo "Use custom init script! "
+         mysql -h localhost -u root --password=$MYSQL_ROOT_PASSWORD $SMP_DB_SCHEMA < "/tmp/custom-database-scripts/mysql5innodb-data.sql"
+     else
+        echo "Use default init script!"
+         mysql -h localhost -u root --password=$MYSQL_ROOT_PASSWORD $SMP_DB_SCHEMA < "/tmp/smp-setup/database-scripts/mysql5innodb-data.sql"
+    fi
+  fi
+
+
+  echo "[INFO] create SML database: ${SML_DB_SCHEMA}"
+  if [ -d ${MYSQL_DATA_DIR}/${SML_DB_SCHEMA} ]; then
+    echo "[INFO] MySQL $SML_DB_SCHEMA already present, skipping creation"
+  else
+    echo "[INFO] MySQL ${SML_DB_SCHEMA}  not found, creating initial DBs"
+
+    echo 'Create sml database'
+        mysql -h localhost -u root -e "ALTER USER 'root'@'localhost' IDENTIFIED BY '$MYSQL_ROOT_PASSWORD';drop schema if exists $SML_DB_SCHEMA;DROP USER IF EXISTS $SML_DB_USER;  create schema $SML_DB_SCHEMA;alter database $SML_DB_SCHEMA charset=utf8; create user $SML_DB_USER identified by '$SML_DB_USER_PASSWORD';grant all on $SML_DB_SCHEMA.* to $SML_DB_USER;"
+
+    if [ -f "/tmp/custom-database-scripts/sml-mysql5innodb.sql" ]
+    then
+        echo "Use custom database script! "
+        mysql -h localhost -u root --password=$MYSQL_ROOT_PASSWORD $SML_DB_SCHEMA < "/tmp/custom-database-scripts/sml-mysql5innodb.ddl"
+    else
+          echo "Use default database ddl script!"
+           mysql -h localhost -u root --password=$MYSQL_ROOT_PASSWORD $SML_DB_SCHEMA < "/tmp/sml-setup/database-scripts/mysql5innodb.ddl"
+    fi
+
+    if [ -f "/tmp/custom-database-scripts/sml-mysql5innodb-data.sql" ]
+    then
+         echo "Use custom init script! "
+         mysql -h localhost -u root --password=$MYSQL_ROOT_PASSWORD $SML_DB_SCHEMA < "/tmp/custom-database-scripts/sml-mysql5innodb-data.sql"
+     else
+        echo "Use default init script!"
+         mysql -h localhost -u root --password=$MYSQL_ROOT_PASSWORD $SML_DB_SCHEMA < "/tmp/sml-setup/database-scripts/mysql5innodb-data.sql"
+    fi
+  fi
+
+
+  sleep 5s
+  # start mysql 
+ 
+}
+
+init_bind() {
+
+  # move configuration if it does not exist
+  if [ ! -d ${BIND_DATA_DIR} ]; then
+    mv /etc/bind ${BIND_DATA_DIR}
+    ## add custom configuration
+    cp /opt/smlconf/bind/*.* ${BIND_DATA_DIR}/
+  fi
+  rm -rf /etc/bind
+  ln -sf ${BIND_DATA_DIR} /etc/bind
+  chmod -R 0775 ${BIND_DATA_DIR}
+  chown -R ${BIND_USER}:${BIND_USER} ${BIND_DATA_DIR}
+
+}
+
+init_bind
+init_mysql
+init_tomcat
+
+
+echo "Starting named..."
+$(which named) -u ${BIND_USER} &> $BIND_DATA_DIR/bind-console.out &  disown
+
+
+
+echo '[INFO] start running SMP'
+chmod u+x $SMP_HOME/apache-tomcat-$TOMCAT_VERSION/bin/*.sh
+cd $SMP_HOME/apache-tomcat-$TOMCAT_VERSION/
+# run from this folder in order to be smp log in logs folder
+exec ./bin/catalina.sh run
+
+
+
+
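Review bot: In `init_mysql` the guards for the custom DDL test the wrong files: the SMP branch checks for `mysql5innodb-data.sql` and then reads the relative path `tmp/custom-database-scripts/mysql5innodb.ddl`, and the SML branch checks for `sml-mysql5innodb.sql` but reads `sml-mysql5innodb.ddl`. Test the file that is read and use the absolute path: `if [ -f "/tmp/custom-database-scripts/mysql5innodb.ddl" ]`, `< "/tmp/custom-database-scripts/mysql5innodb.ddl"`, and `if [ -f "/tmp/custom-database-scripts/sml-mysql5innodb.ddl" ]`. `chmod -R 0777 ${MYSQL_DATA_DIR}` leaves the database files world-writable on the mounted `/data` volume; the `chown -R mysql:mysql` that follows, with a mode such as `0750`, would be enough. The script is `#!/bin/sh` but uses `&>` and `disown`, which are bash features, so the `named` start line may not redirect output as intended under dash.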
diff --git a/smp-server-library/src/main/java/eu/europa/ec/edelivery/smp/config/PropertyInitialization.java b/smp-server-library/src/main/java/eu/europa/ec/edelivery/smp/config/PropertyInitialization.java
index ba002f235..3bcab5dd6 100644
--- a/smp-server-library/src/main/java/eu/europa/ec/edelivery/smp/config/PropertyInitialization.java
+++ b/smp-server-library/src/main/java/eu/europa/ec/edelivery/smp/config/PropertyInitialization.java
@@ -312,7 +312,7 @@ public class PropertyInitialization {
             }
             // check if keystore is empty then generate cert for user
             if (newKeystore.size() == 0) {
-                X509CertificateUtils.createAndAddTextCertificate("CN=SMP_TEST-" + UUID.randomUUID().toString() + ", OU=eDelivery, O=DIGITAL, C=BE", newKeystore, newKeyPassword);
+                X509CertificateUtils.createAndAddTextCertificate("CN=SMP_TEST-PRE-SET-EXAMPLE, OU=eDelivery, O=DIGITAL, C=BE", newKeystore, newKeyPassword);
             }
             newKeystore.store(out, newKeyPassword.toCharArray());
         } catch (IOException e) {
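Review bot: The certificate generated for an empty keystore now carries the constant subject `CN=SMP_TEST-PRE-SET-EXAMPLE, OU=eDelivery, O=DIGITAL, C=BE`, so every installation that starts without a keystore gets the same subject DN. Where the peer identifies the SMP by DN, as the Client-Cert header value in this commit's SQL fixture appears to, two such installations can no longer be told apart by that value. If the fixed name is only needed for the docker and integration setup, keep the UUID suffix as the default. A comment on the call would also help, for example `// placeholder test certificate: replace before connecting to a real SML`. The enclosing method starts and ends outside this hunk.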
diff --git a/smp-server-library/src/main/java/eu/europa/ec/edelivery/smp/sml/SmlConnector.java b/smp-server-library/src/main/java/eu/europa/ec/edelivery/smp/sml/SmlConnector.java
index 19c6008e7..a3c241be5 100644
--- a/smp-server-library/src/main/java/eu/europa/ec/edelivery/smp/sml/SmlConnector.java
+++ b/smp-server-library/src/main/java/eu/europa/ec/edelivery/smp/sml/SmlConnector.java
@@ -322,6 +322,7 @@ public class SmlConnector implements ApplicationContextAware {
         } catch (MalformedURLException e) {
             throw new IllegalArgumentException("Malformed SML URL: " + url, e);
         }
+        boolean useTLS = urlSMPManagment.getProtocol().equalsIgnoreCase("https");
         Map<String, Object> requestContext = ((BindingProvider) smlPort).getRequestContext();
         requestContext.put(BindingProvider.ENDPOINT_ADDRESS_PROPERTY, urlSMPManagment.toString());
 
@@ -338,38 +339,34 @@ public class SmlConnector implements ApplicationContextAware {
             }
         }
 
+        if (!blueCoatAuthentication && !useTLS) {
+           LOG.warn("SML integration is wrongly configured. Uses 2-way-SSL HTTPS but URL is not HTTPS! Url: {}." ,urlSMPManagment.toString());
+        }
+
         HTTPConduit httpConduit = (HTTPConduit) client.getConduit();
 
         configureClientAuthentication(httpConduit, requestContext,
                 blueCoatAuthentication ? clientCertHttpHeader : clientKeyAlias,
-                blueCoatAuthentication);
+                blueCoatAuthentication, useTLS);
         configureFaultHandling(requestContext);
         configureProxy(httpConduit, urlSMPManagment);
         configurePayloadLogging(client);
-
-
-
-        LOG.info("Get key managers {}", httpConduit.getTlsClientParameters().getKeyManagers() + " aa");
-        LOG.info("Get isUseHttpsURLConnectionDefaultSslSocketFactory {}", httpConduit.getTlsClientParameters().isUseHttpsURLConnectionDefaultSslSocketFactory());
-        LOG.info("Get isUseHttpsURLConnectionDefaultHostnameVerifier {}", httpConduit.getTlsClientParameters().isUseHttpsURLConnectionDefaultHostnameVerifier());
-
     }
 
 
-    public void configureClientAuthentication(HTTPConduit httpConduit, Map<String, Object> requestContext, String smlClientAuthentication, boolean blueCoatAuthentication) {
+    public void configureClientAuthentication(HTTPConduit httpConduit, Map<String, Object> requestContext, String smlClientAuthentication, boolean blueCoatAuthentication, boolean useTLS) {
         LOG.info("Connect to SML (smlClientAuthentication: {} use Client-CertHeader: {})", smlClientAuthentication, blueCoatAuthentication);
         if (StringUtils.isBlank(smlClientAuthentication)) {
             throw new IllegalStateException("SML integration is wrongly configured, at least one authentication option is required: 2-way-SSL or Client-Cert header");
         }
+
         // set truststore...
         TLSClientParameters tlsParams = new TLSClientParameters();
-
         tlsParams.setUseHttpsURLConnectionDefaultSslSocketFactory(false);
         tlsParams.setUseHttpsURLConnectionDefaultHostnameVerifier(false);
         tlsParams.setCertConstraints(createCertConstraint(configurationService.getSMLIntegrationServerCertSubjectRegExp()));
         tlsParams.setDisableCNCheck(configurationService.smlDisableCNCheck());
 
-
         if (!blueCoatAuthentication) {
             LOG.info("SML X509 certificate authentication with alias  {}.", smlClientAuthentication);
             tlsParams.setCertAlias(smlClientAuthentication);
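Review bot: When certificate authentication is selected (`!blueCoatAuthentication`) and the URL is not HTTPS, the added check only logs a warning and the call goes ahead. Combined with the `if (useTLS)` guard in the next hunk of this file, the request is then sent without a client certificate, and the server certificate constraints and CN check are never applied, so neither side is authenticated. Failing fast is safer than a warning: `throw new IllegalStateException("SML integration is wrongly configured: 2-way-SSL authentication requires an HTTPS URL: " + urlSMPManagment);`. Separately, adding the `useTLS` parameter to the public `configureClientAuthentication` breaks any caller outside this class; keeping the old four-argument overload that delegates would avoid that.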
@@ -380,9 +377,10 @@ public class SmlConnector implements ApplicationContextAware {
             customHeaders.put(CLIENT_CERT_HEADER_KEY, Arrays.asList(smlClientAuthentication));
             requestContext.put(MessageContext.HTTP_REQUEST_HEADERS, customHeaders);
         }
+        if (useTLS) {
 
-        httpConduit.setTlsClientParameters(tlsParams);
-
+            httpConduit.setTlsClientParameters(tlsParams);
+        }
     }
 
 
diff --git a/smp-server-library/src/main/java/eu/europa/ec/edelivery/smp/utils/X509CertificateUtils.java b/smp-server-library/src/main/java/eu/europa/ec/edelivery/smp/utils/X509CertificateUtils.java
index 00a82b894..6771e1194 100644
--- a/smp-server-library/src/main/java/eu/europa/ec/edelivery/smp/utils/X509CertificateUtils.java
+++ b/smp-server-library/src/main/java/eu/europa/ec/edelivery/smp/utils/X509CertificateUtils.java
@@ -32,6 +32,8 @@ import java.util.List;
 
 public class X509CertificateUtils {
 
+    public static String testCertIssuerDN = "CN=rootCNTest,OU=B4,O=DIGIT,L=Brussels,ST=BE,C=BE";
+
     public static void setupJCEProvider() {
         Provider[] providerList = Security.getProviders();
         if (providerList == null || providerList.length <= 0 || !(providerList[0] instanceof BouncyCastleProvider)) {
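Review bot: `testCertIssuerDN` is declared `public static String` without `final`, so any code on the classpath can reassign the issuer name that `createAndAddTextCertificate` puts into generated certificates. Declare it as a constant, `public static final String testCertIssuerDN = "CN=rootCNTest,OU=B4,O=DIGIT,L=Brussels,ST=BE,C=BE";`, and add a one-line comment that it is a test-only issuer name with no matching CA key. Renaming it to `TEST_CERT_ISSUER_DN` would follow the usual Java constant convention, but the use in the later hunk would then need the same rename.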
@@ -39,7 +41,7 @@ public class X509CertificateUtils {
         }
     }
 
-    public static void createAndAddTextCertificate(String subject, KeyStore keystore, String secToken) throws Exception {
+    public static void createAndAddTextCertificate(String subject,  KeyStore keystore, String secToken) throws Exception {
         setupJCEProvider();
         Calendar from = Calendar.getInstance();
         from.add(Calendar.DAY_OF_MONTH, -1);
@@ -49,7 +51,7 @@ public class X509CertificateUtils {
         KeyPairGenerator keyGen = KeyPairGenerator.getInstance("RSA");
         keyGen.initialize(2048);
         KeyPair key = keyGen.generateKeyPair();
-        X509v3CertificateBuilder certBuilder = new X509v3CertificateBuilder(new X500Name(subject),BigInteger.ONE, from.getTime(), to.getTime(), new X500Name(subject), SubjectPublicKeyInfo.getInstance(key.getPublic().getEncoded()));
+        X509v3CertificateBuilder certBuilder = new X509v3CertificateBuilder(new X500Name(testCertIssuerDN),BigInteger.ONE, from.getTime(), to.getTime(), new X500Name(subject), SubjectPublicKeyInfo.getInstance(key.getPublic().getEncoded()));
 
         ContentSigner sigGen = new JcaContentSignerBuilder("SHA1WithRSAEncryption").setProvider("BC").build(key.getPrivate());
         X509Certificate cert =  new JcaX509CertificateConverter().setProvider("BC").getCertificate(certBuilder.build(sigGen));
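Review bot: The builder now sets the issuer to the fixed `testCertIssuerDN`, while the serial number stays `BigInteger.ONE` and the certificate is still signed with its own freshly generated key. Every certificate produced here therefore shares the same issuer and serial number, a pair that is expected to be unique. The named issuer is also not the key that signed the certificate, so path validation against a real `rootCNTest` certificate would fail. Use a random serial, `new BigInteger(64, new SecureRandom())`, and state in the method's Javadoc that the result is a test certificate whose issuer cannot be verified. The unchanged context line signs with `SHA1WithRSAEncryption`; `SHA256WithRSAEncryption` would be the better choice while this method is being touched. The method body continues outside the hunk.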
diff --git a/smp-server-library/src/test/java/eu/europa/ec/edelivery/smp/sml/SmlClientFactoryAuthenticationByClientCertFromKeystoreTest.java b/smp-server-library/src/test/java/eu/europa/ec/edelivery/smp/sml/SmlClientFactoryAuthenticationByClientCertFromKeystoreTest.java
index 7fffece9d..d4cec96b1 100644
--- a/smp-server-library/src/test/java/eu/europa/ec/edelivery/smp/sml/SmlClientFactoryAuthenticationByClientCertFromKeystoreTest.java
+++ b/smp-server-library/src/test/java/eu/europa/ec/edelivery/smp/sml/SmlClientFactoryAuthenticationByClientCertFromKeystoreTest.java
@@ -85,7 +85,7 @@ public class SmlClientFactoryAuthenticationByClientCertFromKeystoreTest extends
         Mockito.doReturn(keystoreFile).when(configurationService).getKeystoreFile();
         Mockito.doReturn(resourceDirectory.toFile()).when(configurationService).getConfigurationFolder();
         Mockito.doReturn("test123").when(configurationService).getKeystoreCredentialToken();
-        Mockito.doReturn(new URL("http://localhost/edelivery-sml")).when(configurationService).getSMLIntegrationUrl();
+        Mockito.doReturn(new URL("https://localhost/edelivery-sml")).when(configurationService).getSMLIntegrationUrl();
         keystoreService.refreshData();
 
     }
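Review bot: The fixture URL is switched to `https://` here and in the four assertions of the later hunks in this file. That keeps the existing tests on the TLS path but leaves the new non-HTTPS branch in `SmlConnector` untested in the visible changes. Unless such a test already exists elsewhere in the class, add one that configures an `http://` URL and asserts what the connector is expected to do there: whether `httpConduit.getTlsClientParameters()` stays unset, and whether certificate authentication over plain HTTP is rejected or merely logged. The set-up method starts outside this hunk.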
@@ -111,7 +111,7 @@ public class SmlClientFactoryAuthenticationByClientCertFromKeystoreTest extends
         assertTrue(httpHeaders == null || httpHeaders.isEmpty());
 
         assertEquals("C=BE,O=CEF Digital,OU=SMP,CN=Secodn domain", clientCert.getSubjectDN().getName());
-        assertEquals("http://localhost/edelivery-sml/manageparticipantidentifier", requestContext.get(Message.ENDPOINT_ADDRESS));
+        assertEquals("https://localhost/edelivery-sml/manageparticipantidentifier", requestContext.get(Message.ENDPOINT_ADDRESS));
     }
 
 
@@ -136,7 +136,7 @@ public class SmlClientFactoryAuthenticationByClientCertFromKeystoreTest extends
         assertTrue(httpHeaders == null || httpHeaders.isEmpty());
 
         assertEquals("C=BE,O=CEF Digital,OU=SMP,CN=Secodn domain", clientCert.getSubjectDN().getName());
-        assertEquals("http://localhost/edelivery-sml/manageservicemetadata", requestContext.get(Message.ENDPOINT_ADDRESS));
+        assertEquals("https://localhost/edelivery-sml/manageservicemetadata", requestContext.get(Message.ENDPOINT_ADDRESS));
     }
 
     @Test
@@ -156,7 +156,7 @@ public class SmlClientFactoryAuthenticationByClientCertFromKeystoreTest extends
         X509Certificate clientCert = getClientCertFromKeystore(cxfClient);
 
         assertEquals("C=BE,O=European Commision,OU=DIGIT,CN=SMP Mock Services", clientCert.getSubjectDN().getName());
-        assertEquals("http://localhost/edelivery-sml/changedEndpoint", requestContext.get(Message.ENDPOINT_ADDRESS));
+        assertEquals("https://localhost/edelivery-sml/changedEndpoint", requestContext.get(Message.ENDPOINT_ADDRESS));
     }
 
     @Test
@@ -177,7 +177,7 @@ public class SmlClientFactoryAuthenticationByClientCertFromKeystoreTest extends
         X509Certificate clientCert = getClientCertFromKeystore(cxfClient);
 
         assertEquals("C=BE,O=European Commision,OU=DIGIT,CN=SMP Mock Services", clientCert.getSubjectDN().getName());
-        assertEquals("http://localhost/edelivery-sml/changedEndpoint", requestContext.get(Message.ENDPOINT_ADDRESS));
+        assertEquals("https://localhost/edelivery-sml/changedEndpoint", requestContext.get(Message.ENDPOINT_ADDRESS));
     }
 
     @Test
diff --git a/smp-soapui-tests/groovy/mysql-4.1_integration_test_data.sql b/smp-soapui-tests/groovy/mysql-4.1_integration_test_data.sql
index d54bf92c6..d1b7d4db9 100644
--- a/smp-soapui-tests/groovy/mysql-4.1_integration_test_data.sql
+++ b/smp-soapui-tests/groovy/mysql-4.1_integration_test_data.sql
@@ -47,7 +47,9 @@ update SMP_USER_SEQ set next_val=100 where next_val=1;
 
 
 -- insert domain
-insert into SMP_DOMAIN (ID, DOMAIN_CODE, SML_SUBDOMAIN, SML_SMP_ID, SIGNATURE_KEY_ALIAS, SML_BLUE_COAT_AUTH,SML_REGISTERED, CREATED_ON, LAST_UPDATED_ON) values (1, 'domain','','CEF-SMP-002', 'sample_key', 1,0, NOW(), NOW());
+insert into SMP_DOMAIN (ID, DOMAIN_CODE, SML_SUBDOMAIN, SML_SMP_ID, SIGNATURE_KEY_ALIAS, SML_CLIENT_KEY_ALIAS, SML_BLUE_COAT_AUTH,SML_REGISTERED, CREATED_ON, LAST_UPDATED_ON, SML_CLIENT_CERT_HEADER)
+values (1, 'domain','','CEF-SMP-002', 'sample_key','sample_key', 1,0, NOW(), NOW(),'sno=1&subject=CN=SMP_TEST-PRE-SET-EXAMPLE, OU=eDelivery, O=DIGITAL, C=BE&validfrom=Dec 6 17:41:42 2016 GMT&validto=Jul 9 23:59:00 2050 GMT&issuer=CN=rootCNTest,OU=B4,O=DIGIT,L=Brussels,ST=BE,C=BE');
+
 insert into SMP_DOMAIN (ID, DOMAIN_CODE, SML_SUBDOMAIN, SML_SMP_ID, SIGNATURE_KEY_ALIAS, SML_BLUE_COAT_AUTH,SML_REGISTERED, CREATED_ON, LAST_UPDATED_ON) values (2, 'domainB','subdomain002', 'CEF-SMP-002','sample_key',1,0, CURRENT_TIMESTAMP(),CURRENT_TIMESTAMP());
 insert into SMP_DOMAIN (ID, DOMAIN_CODE, SML_SUBDOMAIN, SML_SMP_ID, SIGNATURE_KEY_ALIAS, SML_BLUE_COAT_AUTH,SML_REGISTERED, CREATED_ON, LAST_UPDATED_ON) values (3, 'domainC','subdomain003', 'CEF-SMP-003','sample_key',1,0, CURRENT_TIMESTAMP(),CURRENT_TIMESTAMP());
 insert into SMP_DOMAIN (ID, DOMAIN_CODE, SML_SUBDOMAIN, SML_SMP_ID, SIGNATURE_KEY_ALIAS, SML_BLUE_COAT_AUTH,SML_REGISTERED, CREATED_ON, LAST_UPDATED_ON) values (4, 'domainD','subdomain004', 'CEF-SMP-004','sample_key',1,0, CURRENT_TIMESTAMP(),CURRENT_TIMESTAMP());
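Review bot: The `SML_CLIENT_CERT_HEADER` literal repeats the subject hard-coded in `PropertyInitialization` and the issuer in `X509CertificateUtils.testCertIssuerDN`, and nothing records that the three must change together. Add a comment above the insert, for example `-- SML_CLIENT_CERT_HEADER must match the subject/issuer of the generated test certificate (PropertyInitialization, X509CertificateUtils)`. The `validfrom`/`validto` values are fixed dates, while the generated certificate computes its validity at creation time, so they presumably do not describe the real certificate. If that is intentional, say so in the comment. Rows 2 to 4 keep the old column list and leave `SML_CLIENT_KEY_ALIAS` and `SML_CLIENT_CERT_HEADER` unset, which is worth confirming as deliberate.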
-- 
GitLab