From 856087983ebddada71f50b837c47e75981b1be32 Mon Sep 17 00:00:00 2001 From: Eduardo Martins Date: Mon, 25 Mar 2024 14:23:13 +0000 Subject: [PATCH] [WFLY-18475] moves README.adoc to README-source.adoc; syncs versions properties; simplifies basic testing --- ...start_helloworld-mutual-ssl-secured_ci.yml | 1 + .../README-source.adoc | 133 +++++------------- helloworld-mutual-ssl-secured/pom.xml | 13 +- .../helloworld_mutual_ssl/BasicRuntimeIT.java | 14 +- 4 files changed, 45 insertions(+), 116 deletions(-)
diff --git a/.github/workflows/quickstart_helloworld-mutual-ssl-secured_ci.yml b/.github/workflows/quickstart_helloworld-mutual-ssl-secured_ci.yml
index bf0c1a6769..c04c4f947c 100644
--- a/.github/workflows/quickstart_helloworld-mutual-ssl-secured_ci.yml
+++ b/.github/workflows/quickstart_helloworld-mutual-ssl-secured_ci.yml
@@ -12,5 +12,6 @@ jobs:
 uses: ./.github/workflows/quickstart_ci.yml
 with:
 QUICKSTART_PATH: helloworld-mutual-ssl-secured
+ SERVER_PROVISIONING_SERVER_HOST: https://localhost:8443/
 TEST_PROVISIONED_SERVER: true
 TEST_OPENSHIFT: false
\ No newline at end of file
diff --git a/helloworld-mutual-ssl-secured/README-source.adoc b/helloworld-mutual-ssl-secured/README-source.adoc
index 61fd319432..9ae0189e6c 100644
--- a/helloworld-mutual-ssl-secured/README-source.adoc
+++ b/helloworld-mutual-ssl-secured/README-source.adoc
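Review bot: The new `SERVER_PROVISIONING_SERVER_HOST: https://localhost:8443/` carries a trailing slash, while the same value introduced in README-source.adoc in this commit (`:server_provisioning_server_host: https://localhost:8443`) does not, and BasicRuntimeIT's `DEFAULT_SERVER_HOST` includes the application context path. How quickstart_ci.yml consumes this input is not visible here; if it reaches the test as `serverHost`, the request built from `serverHost+"/"` would target `https://localhost:8443//`, i.e. the server root rather than the mutual-TLS-secured application, and a 200 there would not prove the secured endpoint works. Pick one form for both places and confirm the value that actually reaches the test, e.g. `SERVER_PROVISIONING_SERVER_HOST: https://localhost:8443`.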
@@ -32,88 +32,24 @@ include::../shared-doc/add-application-user.adoc[leveloffset=+1] IMPORTANT: For the purpose of this quickstart the password can contain any valid value because the `ApplicationRealm` will be used for authorization only, for example, to obtain the security roles. -[[set_up_client_keystore_using_java_keytool]] -== Set Up the Client Keystore Using Java Keytool +// Back Up the {productName} Standalone Server Configuration +include::../shared-doc/back-up-server-standalone-configuration.adoc[leveloffset=+1] +// Start the {productName} Standalone Server +include::../shared-doc/start-the-standalone-server.adoc[leveloffset=+1] -. Open a terminal and navigate to the {productName} server `configuration` directory: -+ -[source,subs="+quotes,attributes+",options="nowrap"] ----- -$ cd __{jbossHomeName}__/standalone/configuration/ ----- +[[set_up_client_keystore_using_java_keytool]] +== Set Up the Client Keystore . Create the client certificate, which is used to authenticate against the server when accessing a resource through TLS. + -[source,options="nowrap"] ----- -$>keytool -genkey -keystore client.keystore -storepass secret -validity 365 -keyalg RSA -keysize 2048 -storetype pkcs12 - -What is your first and last name? - [Unknown]: quickstartUser -What is the name of your organizational unit? - [Unknown]: Sales -What is the name of your organization? - [Unknown]: My Company -What is the name of your City or Locality? - [Unknown]: Sao Paulo -What is the name of your State or Province? - [Unknown]: Sao Paulo -What is the two-letter country code for this unit? - [Unknown]: BR -Is CN=quickstartUser, OU=Sales, O=My Company, L=Sao Paulo, ST=Sao Paulo, C=BR correct? - [no]: yes ----- - -+ -Notice that it sets the `first and last name` to `quickstartUser` and that this matches the user that was added to the `ApplicationRealm`. 
When authorizing access to a resource, the CN (common name) of the client's certificate is extracted by a principal decoder and this name is then used by the `ApplicationRealm` to obtain the client's roles. - -. Export the client certificate and create a truststore by importing this certificate. -+ -[source,options="nowrap"] +[source,subs="+quotes,attributes+", options="nowrap"] ---- -$>keytool -exportcert -keystore client.keystore -storetype pkcs12 -storepass secret -keypass secret -file client.crt -$>keytool -import -file client.crt -alias quickstartUser -keystore client.truststore -storepass secret - -Owner: CN=quickstartUser, OU=Sales, O=My Company, L=Sao Paulo, ST=Sao Paulo, C=BR -Issuer: CN=quickstartUser, OU=Sales, O=My Company, L=Sao Paulo, ST=Sao Paulo, C=BR -Serial number: 7fd95ce4 -Valid from: Mon Jul 24 16:14:03 BRT 2017 until: Tue Jul 24 16:14:03 BRT 2018 -Certificate fingerprints: - MD5: 87:41:C5:CC:E6:79:91:F0:9D:90:AD:9E:DD:57:81:80 - SHA1: 55:35:CA:B0:DC:DD:4F:E6:B8:9F:45:4B:4B:98:93:B5:3B:7C:55:84 - SHA256: 0A:FC:93:B6:25:5A:74:42:B8:A1:C6:5F:69:88:72:7F:27:A9:81:B0:17:0C:F1:AF:3D:DE:B7:E5:F1:69:66:4B - Signature algorithm name: SHA256withRSA - Version: 3 - -Extensions: - -#1: ObjectId: 2.5.29.14 Criticality=false -SubjectKeyIdentifier [ -KeyIdentifier [ -0000: 95 84 BE C6 32 BB 2B 13 4C 7F 5D D4 C4 C8 22 12 ....2.+.L.]...". -0010: CB 09 39 09 ..9. -] -] - -Trust this certificate? [no]: yes -Certificate was added to keystore +$ __{jbossHomeName}__/bin/jboss-cli.sh --connect --file=configure-client-cert.cli ---- + -It is worth noticing that the client certificate was imported under the `quickstartUser` alias. When authenticating a client in a `CLIENT_CERT` configuration, the CN (common name) of the client's certificate is extracted by a principal decoder and this name is then used by the `KeyStoreRealm` to match an alias in the trust store. If a trusted certificate is found under this alas, the client is considered authenticated. - -. 
Export client certificate to pkcs12 format. -+ -[source,options="nowrap"] ----- -$>keytool -importkeystore -srckeystore client.keystore -srcstorepass secret -destkeystore clientCert.p12 -srcstoretype PKCS12 -deststoretype PKCS12 -deststorepass secret ----- +NOTE: For Windows, use the `__{jbossHomeName}__\bin\jboss-cli.bat` script. -. The certificate and keystore are now properly configured. - -// Back Up the {productName} Standalone Server Configuration -include::../shared-doc/back-up-server-standalone-configuration.adoc[leveloffset=+1] -// Start the {productName} Standalone Server -include::../shared-doc/start-the-standalone-server.adoc[leveloffset=+1] +The certificate and keystore are now properly configured. [[configure_the_server]] == Configure the Server @@ -157,7 +93,7 @@ After stopping the server, open the `__{jbossHomeName}__/standalone/configuratio - + ---- @@ -233,14 +169,14 @@ It maps the `client_cert_domain` from the quickstart application to the `http-au [[test_the_server_ssl_configuration]] == Test the Server TLS Configuration -To test the TLS configuration, access: https://localhost:8443 +To test the TLS configuration, start {productName} and access: https://localhost:8443 If it is configured correctly, you should be asked to trust the server certificate. [[import_the_client_certificate_into_your_browser]] == Import the Certificate into Your Browser -Before you access the application, you must import the _clientCert.p12_, which holds the client certificate, into your browser. +Before you access the application, you must import the _client.keystore.P12_, which holds the client certificate, into your browser. [[import_the_client_certificate_into_google_chrome]] === Import the Certificate into Google Chrome 
@@ -248,7 +184,7 @@ Before you access the application, you must import the _clientCert.p12_, which h . Click the Chrome menu icon (3 dots) in the upper right on the browser toolbar and choose *Settings*. This takes you to `link:`chrome://settings/`. . Click on *Privacy and security* and then on *Security*. . Scroll down to the *Advanced* section and on the *Manage certificates* screen, select the *Your Certificates* tab and click on the *Import* button. -. Select the *clientCert.p12* file. You will be prompted to enter the password: `secret`. +. Select the *client.keystore.p12* file. You will be prompted to enter the password: `secret`. . The client certificate is now installed in the Google Chrome browser. [[import_the_client_certificate_into_mozilla_firefox]] 
@@ -258,14 +194,14 @@ Before you access the application, you must import the _clientCert.p12_, which h . A new window will open. Click on *Privacy & Security* and scroll down to the *Certificates* section. . Click the *View Certificates* button. . A new window will open. Select the *Your Certificates* tab and click the *Import* button. -. Select the *clientCert.p12* file. You will be prompted to enter the password: `secret`. +. Select the *client.keystore.p12* file. You will be prompted to enter the password: `secret`. . The certificate is now installed in the Mozilla Firefox browser. // Build and Deploy the Quickstart include::../shared-doc/build-and-deploy-the-quickstart.adoc[leveloffset=+1] // Additional deployment information -If mutual TLS is configured properly and the WAR application is secured, you will be able to access the application only if the DN of client certificate, for example `clientCert.p12`, is same as the one defined in `app-roles.properties` file. Otherwise, it will result in an HTTP error status code of `403 Access Denied/Forbidden`. +If mutual TLS is configured properly and the WAR application is secured, you will be able to access the application only if the DN of client certificate, for example `client.keystore.p12`, is same as the one defined in `app-roles.properties` file. Otherwise, it will result in an HTTP error status code of `403 Access Denied/Forbidden`. == Access the Application @@ -292,6 +228,9 @@ dzXZz0EjjWCPJk+LVEhEvH0GcWAp3x3irpNU4hRZLd0XomY0Z4NnUt7VMBNYDOxVxgT9qcLnEaEpIfYU ynfnMaOxI67FC2QzhfzERyKqHj47WuwN0xWbS/1gBypS2nUwvItyxaEQG2X5uQY8j8QoY9wcMzIIkP2Mk14gJGHUnA8= ---- +// Server Distribution Testing +:extraStandardDistTestParams: -Dserver.dir=__{jbossHomeName}__ +include::../shared-doc/run-integration-tests-with-server-distribution.adoc[leveloffset=+2] // Undeploy the Quickstart include::../shared-doc/undeploy-the-quickstart.adoc[leveloffset=+1] 
@@ -313,6 +252,13 @@ include::../shared-doc/restore-standalone-server-configuration-manual.adoc[level == Remove the keystores and certificates created for this quickstart +. Run the CLI script to restore client cert configuration: ++ +[source,subs="+quotes,attributes+",options="nowrap"] +---- +$ __{jbossHomeName}__/bin/jboss-cli.sh --connect --file=restore-client-cert.cli +---- ++ . Open a terminal and navigate to the {productName} server `configuration` directory: + [source,subs="+quotes,attributes+",options="nowrap"] @@ -322,7 +268,7 @@ $ cd __{jbossHomeName}__/standalone/configuration/ + NOTE: For Windows, use the `__{jbossHomeName}__\bin\standalone.bat` script. -. Remove the `clientCert.p12`, `client.crt`, and `client.truststore` files that were generated for this quickstart. +. Remove the `client.keystore.P12`, `clientCert.crt`, and `server.truststore` files that were generated for this quickstart. [[remove_the_client_certificate_from_your_browser]] == Remove the Client Certificate from Your Browser 
@@ -346,26 +292,11 @@ After you are done with this quickstart, remember to remove the certificate that . Select the *quickstartUser* certificate and click the *Delete* button. . The certificate has now been removed from the Mozilla Firefox browser. -// Run the Quickstart in Red Hat CodeReady Studio or Eclipse -include::../shared-doc/run-the-quickstart-in-jboss-developer-studio.adoc[leveloffset=+1] - -// Additional Red Hat CodeReady Studio instructions -* Make sure you configure the keystores and client certificates as described under xref:set_up_client_keystore_using_java_keytool[Set Up the Client Keystore Using Java Keytool]. -* Depending on the browser you choose, make sure you either xref:import_the_client_certificate_into_google_chrome[import the certificate into Google Chrome] or xref:import_the_client_certificate_into_mozilla_firefox[import the certificate into Mozilla Firefox]. -* Make sure you configure the server by running the JBoss CLI commands as described above under xref:configure_the_server[Configure the Server]. Stop the server at the end of that step. -* In {JBDSProductName}, choose *Window* –> *Web Browser*, then select the browser you chose to import the certificate. -* To deploy the application, right-click on the *{artifactId}* project and choose *Run As* –> *Run on Server*. -* Make sure you xref:restore_the_server_configuration[restore the {productName} server configuration] when you have completed testing this quickstart. 
- -// Debug the Application -include::../shared-doc/debug-the-application.adoc[leveloffset=+1] - -//************************************************* -// Product Release content only -//************************************************* -ifdef::ProductRelease[] +// Build and run sections for other environments/builds +ifndef::ProductRelease,EAPXPRelease[] +:server_provisioning_server_host: https://localhost:8443 +include::../shared-doc/build-and-run-the-quickstart-with-provisioned-server.adoc[leveloffset=+1] +endif::[] // Quickstart not compatible with OpenShift include::../shared-doc/openshift-incompatibility.adoc[leveloffset=+1] - -endif::[] diff --git a/helloworld-mutual-ssl-secured/pom.xml b/helloworld-mutual-ssl-secured/pom.xml index 6270729f3e..232724e557 100644 --- a/helloworld-mutual-ssl-secured/pom.xml +++ b/helloworld-mutual-ssl-secured/pom.xml @@ -44,12 +44,12 @@ - - 31.0.0.Beta1 - + + 31.0.0.Final + ${version.server} - 5.0.0.Final - 4.2.1.Final + 6.0.0.Final + 5.0.0.Beta3 @@ -151,11 +151,10 @@ test - org.apache.httpcomponents httpclient - 4.5.13 + test diff --git a/helloworld-mutual-ssl-secured/src/test/java/org/jboss/as/quickstarts/helloworld_mutual_ssl/BasicRuntimeIT.java b/helloworld-mutual-ssl-secured/src/test/java/org/jboss/as/quickstarts/helloworld_mutual_ssl/BasicRuntimeIT.java index 199c745047..693061a98d 100644 --- a/helloworld-mutual-ssl-secured/src/test/java/org/jboss/as/quickstarts/helloworld_mutual_ssl/BasicRuntimeIT.java +++ b/helloworld-mutual-ssl-secured/src/test/java/org/jboss/as/quickstarts/helloworld_mutual_ssl/BasicRuntimeIT.java @@ -53,6 +53,7 @@ public class BasicRuntimeIT { private static final String DEFAULT_SERVER_HOST = "https://localhost:8443/helloworld-mutual-ssl-secured"; + private static final String DEFAULT_SERVER_DIR = System.getProperty("user.dir") + "/target/server"; @Test public void testHTTPEndpointIsAvailable() throws IOException, URISyntaxException, KeyStoreException { 
@@ -63,17 +64,14 @@ public void testHTTPEndpointIsAvailable() throws IOException, URISyntaxException
 if (serverHost == null) {
 serverHost = DEFAULT_SERVER_HOST;
 }
- String serverDir = System.getenv("SERVER_HOME");
+ String serverDir = System.getProperty("server.dir");
 if (serverDir == null) {
- if (System.getProperty("jboss.server.config.dir").contains("target/server")) {
- serverDir = System.getProperty("user.dir") + "/" + System.getProperty("jboss.server.config.dir");
- } else {
- serverDir = System.getProperty("jboss.server.config.dir");
- }
+ serverDir = DEFAULT_SERVER_DIR;
 }
+ String serverConfigDir = serverDir + "/standalone/configuration";
 HttpGet request = new HttpGet(new URI(serverHost+"/"));
- KeyStore trustStore = createTrustStore(serverDir, "application.keystore", "password", "server", "PKCS12");
- final HttpClient client = getHttpClientWithSSL(new File(serverDir + "/client.keystore.P12"), "secret", "PKCS12", new File(serverDir + "/client.truststore"), "password", "PKCS12");
+ KeyStore trustStore = createTrustStore(serverConfigDir, "application.keystore", "password", "server", "PKCS12");
+ final HttpClient client = getHttpClientWithSSL(new File(serverConfigDir + "/client.keystore.P12"), "secret", "PKCS12", new File(serverConfigDir + "/client.truststore"), "password", "PKCS12");
 HttpResponse response = client.execute(request);
 assertEquals(200, response.getStatusLine().getStatusCode());
 }
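Review bot: `trustStore` is assigned on the new `KeyStore trustStore = createTrustStore(serverConfigDir, "application.keystore", ...)` line but never read again before the method's closing brace — the client is built solely from the `client.keystore.P12` and `client.truststore` files handed to `getHttpClientWithSSL` — so either delete that line or pass the loaded store into the client, because as written a broken `application.keystore` only surfaces as an unrelated exception rather than as the trust failure the test is meant to catch. The `DEFAULT_SERVER_DIR` fallback silently points at `target/server`, so a run without `-Dserver.dir` against a non-provisioned server fails deep inside the keystore load with a FileNotFoundException; a guard such as `if (!new File(serverConfigDir).isDirectory()) throw new IllegalStateException("server configuration directory not found: " + serverConfigDir + " (set -Dserver.dir)");` placed before the keystore loads would name the real cause. The truststore filename also diverges from the README in this same commit, whose new cleanup step lists `server.truststore` while this hunk loads `client.truststore` from the same directory; one of them presumably does not match what configure-client-cert.cli produces, which is not visible here. testHTTPEndpointIsAvailable begins before the hunk; the lines that populate `serverHost` are outside it.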