Commit 1a7a9992 authored by Joze RIHTARSIC

Pull request #191: [EDELIVERY-14203] Configure mTLS for tomcat and integration tests

Merge in EDELIVERY/smp from feature/EDELIVERY-14203-docker-configure-tomcat-image-to-use-https to development

* commit '76d547da':
  [EDELIVERY-14203] Configure mTLS for tomcat and integration tests
parents 1dd8cfea 76d547da
......@@ -6,6 +6,7 @@ services:
ports:
- "3908:3306"
- "8982:8080"
- "8943:8443"
# - "6902:6901"
# - "8953:53"
- "5005:5005"
......
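Review bot: the new `- "8943:8443"` mapping sits next to a still-active `- "5005:5005"` JDPA/JDWP debug mapping, and this compose file is what the README tells readers to run to reach the mTLS endpoint; since JDWP carries no authentication of its own, consider commenting out 5005 the way 6901 and 53 already are, or state in the README that this compose file is for local development only.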
......@@ -10,7 +10,8 @@ ENV SMP_HOME=/opt/smp \
MYSQL_DRV_SHA1=41ec3f8cdaccf6c46a47d7cd628eeb59a926d9d4 \
TOMCAT_MAJOR=9 \
TOMCAT_VERSION=9.0.73 \
TOMCAT_NAVITVE_VERSION=1.2.36 \
TOMCAT_NATIVE_VERSION=1.2.36 \
TOMCAT_TLS_KEY_ALIAS=eulogin.protected.smp.local \
TOMCAT_SHA512=4deac84d6f8ff147d0060605e85fd2c0bf92b9eb622e426d4acc19d0cd4fc0d46a394e01e5664076a5e4f1c39ae14fc2238ebee53a7779bf086540f6dc4967c8 \
JAVA_8_VERSION="jdk8u402-b06" \
JAVA_8_URL_FILENAME="OpenJDK8U-jdk_x64_linux_hotspot_8u402b06.tar.gz" \
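Review bot: `TOMCAT_TLS_KEY_ALIAS=eulogin.protected.smp.local` must name a key entry that actually exists in the server keystore wired in by the init script; Tomcat refuses to start a connector whose keyAlias is not found, so a startup check such as `keytool -list -storetype PKCS12 -keystore <keystore> -alias "$TOMCAT_TLS_KEY_ALIAS" -storepass <pass>` (or at least documenting the alias in the README) would make that failure obvious. The NAVITVE -> NATIVE fix is correct. Unrelated but visible here: MYSQL_DRV_SHA1 pins the MySQL driver with SHA-1 while TOMCAT_SHA512 pins Tomcat with SHA-512; moving the driver pin to SHA-256/512 would make the download integrity checks consistent.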
......@@ -52,7 +53,7 @@ ENV TOMCAT_HOME=/opt/apache-tomcat-$TOMCAT_VERSION \
# - 8080 Tomcat port
# - 53 dns port
# - JDPA debug port
EXPOSE 3306 8080 6901 53 5005
EXPOSE 3306 8080 8443 6901 53 5005
VOLUME ["/data"]
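Review bot: the comment block above `EXPOSE` lists 8080, 53 and the JDPA debug port but not the newly exposed 8443; add a line such as `# - 8443 Tomcat HTTPS (mTLS) port` so the comment stays in step with the EXPOSE list.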
......@@ -124,7 +125,7 @@ RUN echo "smp.jdbc.driver=com.mysql.cj.jdbc.Driver" > $SMP_HOME/apache-tomcat-
RUN cd $SMP_HOME/apache-tomcat-$TOMCAT_VERSION/bin \
&& tar xfz tomcat-native.tar.gz \
&& cd tomcat-native-${TOMCAT_NAVITVE_VERSION}-src/native \
&& cd tomcat-native-${TOMCAT_NATIVE_VERSION}-src/native \
&& ./configure && make && make install
# download and deploy sml
......
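Review bot: the `cd tomcat-native-${TOMCAT_NATIVE_VERSION}-src/native` change matches the ENV rename; this and the ENV line are the only two sites the diff shows, so a `grep -rn NAVITVE` over the repository before merging would confirm no stale reference survives elsewhere (e.g. in compose files or docs).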
......@@ -89,8 +89,30 @@ init_tomcat() {
# sleep a little to avoid mv issues
sleep 5s
configureServerHttps
}
function configureServerHttps() {
echo "Create Tomcat HTTPS..."
cp /tmp/artefacts/shared-artefacts/server* ${TOMCAT_HOME}/
# Because tomcat-native.tar.gz is installed we can use APR connector
sed -i.bak -e "s#</Service>#<Connector port=\"8443\" protocol=\"org.apache.coyote.http11.Http11AprProtocol\" \
maxThreads=\"200\" maxParameterCount=\"1000\" \
scheme=\"https\" secure=\"true\" SSLEnabled=\"true\" \
clientAuth=\"true\" sslProtocol=\"TLS\" \
keystoreType=\"PKCS12\" \
keystoreFile=\"/tmp/artefacts/shared-artefacts/server-keystore.p12\" \
keyAlias=\"${TOMCAT_TLS_KEY_ALIAS}\" \
keystorePass=\"test123\" \
keyPass=\"test123\" \
truststoreType=\"PKCS12\" \
truststoreFile=\"/tmp/artefacts/shared-artefacts/server-truststore.p12\" \
truststorePass=\"test123\" \
/> \
</Service>#g" "${TOMCAT_HOME}/conf/server.xml"
}
init_mysql() {
echo "[INFO] init database:"
if [ ! -d "/run/mysqld" ]; then
......
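Review bot: `cp /tmp/artefacts/shared-artefacts/server* ${TOMCAT_HOME}/` copies the keystore and truststore into the Tomcat home, but the generated Connector still sets `keystoreFile="/tmp/artefacts/shared-artefacts/server-keystore.p12"` and `truststoreFile="/tmp/artefacts/shared-artefacts/server-truststore.p12"`, so the copy is dead and the connector silently depends on the artefacts directory surviving at runtime; either point both attributes at `${TOMCAT_HOME}/server-keystore.p12` and `${TOMCAT_HOME}/server-truststore.p12` or drop the cp. The three `test123` values for keystorePass, keyPass and truststorePass are baked into server.xml in clear text by the sed; reading them from an environment variable with test123 as the default keeps the demo working without locking every image built from this script to that secret. Also note for readers of the script that `clientAuth="true"` only authenticates the transport: any certificate chaining to server-truststore.p12 gets a TLS session, and binding a certificate to an SMP user is a separate step.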
The SMP keystore and SML truststore are needed for SMP/SML integration.
- [sml-truststore.p12](sml-truststore.p12)
- [smp-keystore-docker.p12](smp-keystore-docker.p12)
# Test keystores and truststores
The folder contains the keystore and truststore files needed for the SMP/SML integration and the Tomcat HTTPS endpoint.
## The SMP keystore and SML truststore are needed for SMP/SML integration.
- [sml-truststore-docker-demo.p12](sml-truststore-docker-demo.p12)
- [smp-keystore-docker-demo.p12](smp-keystore-docker-demo.p12)
(Keystore and key password: test123)
The smp certificates
- CN=smp_domain_01,OU=edelivery,O=digit,C=eu
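Review bot: the links changed from sml-truststore.p12 / smp-keystore-docker.p12 to the `-docker-demo` names; check that the files in the folder, and anything that loads them (init script, compose file), were renamed in this same commit, otherwise the README now points at files that do not exist. The `##` heading is a full sentence (`## The SMP keystore and SML truststore are needed for SMP/SML integration.`); a short heading such as `## SMP/SML integration keystores` with that sentence as body text reads better.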
......@@ -8,4 +13,40 @@ The smp certificates
are registered in SML as trusted certificates for domains
- domain-01.test.edelivery.local
- domain-02.test.edelivery.local
For detailed DomiSML configuration see the SML init script:[sml-mysql5innodb-data.sql](sml-mysql5innodb-data.sql)
# Tomcate HTTPS endpoint
The Tomcat instance is configured with a mutual TLS endpoint. To access the HTTPS endpoint, start the Docker container with the following port mapping:
example snipped for docker-compose.yml:
ports:
- "8943:8443"
Then you can access the TLS endpoint via:
https://localhost:8943/smp/
Or (if the domain is correctly configured)
https://eulogin.protected.smp.local:8943/smp/
Important: Tomcat is configured for mutual authentication, therefore users must have a client TLS certificate.
To access the HTTPS endpoint via a browser, install the client certificate in your browser.
The pre-configured client certificate/key is provided in the keystore:
[client-tls-keystore.p12](client-tls-keystore.p12)
(Keystore and key password: test123)
# Test TLS client certificate for REST API (using SOAPUI) with mutual HTTPS authentication
To register new participants using the REST API with mutual HTTPS authentication, first register the certificate located at:
[client_test.cer](client_test.cer)
This can be done via the DomiSMP UI.
1. Log in as user: “user”
2. Upload the certificate on the "user settings" page under “Certificate”.
If you are using SOAPUI, add the SSL configuration using the keystore:
[client-tls-keystore.p12](client-tls-keystore.p12)
Then target the HTTPS endpoint:
https://localhost:8943/smp/
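Review bot: two typos in the added text: `# Tomcate HTTPS endpoint` should be `# Tomcat HTTPS endpoint`, and `example snipped for docker-compose.yml` should be `example snippet for docker-compose.yml`. On content, the section says users "must have a client TLS certificate" but not which CA it has to chain to; the connector in the init script validates clients against server-truststore.p12, so saying so here, and confirming that the bundled client-tls-keystore.p12 is issued under a CA present in that truststore, spares readers a failed handshake. The remark "if the domain is correctly configured" for https://eulogin.protected.smp.local:8943/smp/ would be clearer as the concrete step it stands for, i.e. a hosts-file entry mapping that name to 127.0.0.1. Finally, it is worth stating explicitly that the truststore and the certificate uploaded under "user settings" are two different checks: the first admits the TLS session, the second ties the certificate to the SMP user that the REST call acts as.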
File added
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
File added
File added