diff --git a/deployment/ansible-vitamui/app_api_gateway.yml b/deployment/ansible-vitamui/app_api_gateway.yml
index b9b47cdd3d7..ebf95a97015 100644
--- a/deployment/ansible-vitamui/app_api_gateway.yml
+++ b/deployment/ansible-vitamui/app_api_gateway.yml
@@ -7,7 +7,7 @@
 vars:
 vitamui_struct: "{{ vitamui.api_gateway }}"
 vitamui_certificate_type: external
- password_keystore_server: "{{ keystores_server_vitamui_services_api_gateway }}"
- password_keystore_client: "{{ keystores_client_vitamui_services_api_gateway }}"
- password_truststore: "{{ truststores_client_external }}"
+ password_keystore_server: "{{ keystore_server_vitamui_services_api_gateway }}"
+ password_keystore_client: "{{ keystore_client_vitamui_services_api_gateway }}"
+ password_truststore: "{{ truststore_client_external }}"
 vitam_cert: "{{ vitam_certs.vitamui }}"
diff --git a/deployment/ansible-vitamui/app_archive_search.yml b/deployment/ansible-vitamui/app_archive_search.yml
index 6849629d0fc..f54fb09ea3d 100644
--- a/deployment/ansible-vitamui/app_archive_search.yml
+++ b/deployment/ansible-vitamui/app_archive_search.yml
@@ -7,7 +7,7 @@
 vars:
 vitamui_struct: "{{ vitamui.archive_search }}"
 vitamui_certificate_type: external
- password_keystore_server: "{{ keystores_server_vitamui_services_archive_search }}"
- password_keystore_client: "{{ keystores_client_vitamui_services_archive_search }}"
- password_truststore: "{{ truststores_client_external }}"
+ password_keystore_server: "{{ keystore_server_vitamui_services_archive_search }}"
+ password_keystore_client: "{{ keystore_client_vitamui_services_archive_search }}"
+ password_truststore: "{{ truststore_client_external }}"
 vitam_cert: "{{ vitam_certs.vitamui }}"
diff --git a/deployment/ansible-vitamui/app_collect.yml b/deployment/ansible-vitamui/app_collect.yml
index cbddfae8088..50f6593a9bd 100644
--- a/deployment/ansible-vitamui/app_collect.yml
+++ b/deployment/ansible-vitamui/app_collect.yml
@@ -7,7 +7,7 @@
 vars:
 vitamui_struct: "{{ vitamui.collect }}"
 vitamui_certificate_type: external
- password_keystore_server: "{{ keystores_server_vitamui_services_collect }}"
- password_keystore_client: "{{ keystores_client_vitamui_services_collect }}"
- password_truststore: "{{ truststores_client_external }}"
+ password_keystore_server: "{{ keystore_server_vitamui_services_collect }}"
+ password_keystore_client: "{{ keystore_client_vitamui_services_collect }}"
+ password_truststore: "{{ truststore_client_external }}"
 vitam_cert: "{{ vitam_certs.vitamui }}"
diff --git a/deployment/ansible-vitamui/app_ingest.yml b/deployment/ansible-vitamui/app_ingest.yml
index 00461cf6a64..e11da075b33 100644
--- a/deployment/ansible-vitamui/app_ingest.yml
+++ b/deployment/ansible-vitamui/app_ingest.yml
@@ -7,7 +7,7 @@
 vars:
 vitamui_struct: "{{ vitamui.ingest }}"
 vitamui_certificate_type: external
- password_keystore_server: "{{ keystores_server_vitamui_services_ingest }}"
- password_keystore_client: "{{ keystores_client_vitamui_services_ingest }}"
- password_truststore: "{{ truststores_client_external }}"
+ password_keystore_server: "{{ keystore_server_vitamui_services_ingest }}"
+ password_keystore_client: "{{ keystore_client_vitamui_services_ingest }}"
+ password_truststore: "{{ truststore_client_external }}"
 vitam_cert: "{{ vitam_certs.vitamui }}"
diff --git a/deployment/ansible-vitamui/app_pastis.yml b/deployment/ansible-vitamui/app_pastis.yml
index cfc8fcc663f..5acf6df2f02 100644
--- a/deployment/ansible-vitamui/app_pastis.yml
+++ b/deployment/ansible-vitamui/app_pastis.yml
@@ -7,7 +7,7 @@
 vars:
 vitamui_struct: "{{ vitamui.pastis }}"
 vitamui_certificate_type: external
- password_keystore_server: "{{ keystores_server_vitamui_services_pastis }}"
- password_keystore_client: "{{ keystores_client_vitamui_services_pastis }}"
- password_truststore: "{{ truststores_client_external }}"
+ password_keystore_server: "{{ keystore_server_vitamui_services_pastis }}"
+ password_keystore_client: "{{ keystore_client_vitamui_services_pastis }}"
+ password_truststore: "{{ truststore_client_external }}"
 vitam_cert: "{{ vitam_certs.vitamui }}"
diff --git a/deployment/ansible-vitamui/app_referential.yml b/deployment/ansible-vitamui/app_referential.yml
index 16f48b99bc6..7bf70ec64c0 100644
--- a/deployment/ansible-vitamui/app_referential.yml
+++ b/deployment/ansible-vitamui/app_referential.yml
@@ -7,7 +7,7 @@
 vars:
 vitamui_struct: "{{ vitamui.referential }}"
 vitamui_certificate_type: external
- password_keystore_server: "{{ keystores_server_vitamui_services_referential }}"
- password_keystore_client: "{{ keystores_client_vitamui_services_referential }}"
- password_truststore: "{{ truststores_client_external }}"
+ password_keystore_server: "{{ keystore_server_vitamui_services_referential }}"
+ password_keystore_client: "{{ keystore_client_vitamui_services_referential }}"
+ password_truststore: "{{ truststore_client_external }}"
 vitam_cert: "{{ vitam_certs.vitamui }}"
diff --git a/deployment/ansible-vitamui/vitamui_apps.yml b/deployment/ansible-vitamui/vitamui_apps.yml
index c92df1de50e..10faaa1afec 100644
--- a/deployment/ansible-vitamui/vitamui_apps.yml
+++ b/deployment/ansible-vitamui/vitamui_apps.yml
@@ -9,8 +9,8 @@
 vars:
 vitamui_struct: "{{ vitamui.security }}"
 vitamui_certificate_type: server
- password_keystore_server: "{{ keystores_server_vitamui_services_security }}"
- password_truststore: "{{ truststores_vitamui }}"
+ password_keystore_server: "{{ keystore_server_vitamui_services_security }}"
+ password_truststore: "{{ truststore_vitamui }}"
 tags: security
 
 # External apps
@@ -22,9 +22,9 @@
 vars:
 vitamui_struct: "{{ vitamui.iam }}"
 vitamui_certificate_type: external
- password_keystore_server: "{{ keystores_server_vitamui_services_iam }}"
- password_keystore_client: "{{ keystores_client_vitamui_services_iam }}"
- password_truststore: "{{ truststores_client_external }}"
+ password_keystore_server: "{{ keystore_server_vitamui_services_iam }}"
+ password_keystore_client: "{{ keystore_client_vitamui_services_iam }}"
+ password_truststore: "{{ truststore_client_external }}"
 vitam_cert: "{{ vitam_certs.vitamui }}"
 tags: iam
 
@@ -37,7 +37,7 @@
 vars:
 vitamui_struct: "{{ vitamui.cas_server }}"
 vitamui_certificate_type: external
- password_keystore_server: "{{ keystores_server_vitamui_services_cas_server }}"
- password_keystore_client: "{{ keystores_client_vitamui_services_cas_server }}"
- password_truststore: "{{ truststores_client_external }}"
+ password_keystore_server: "{{ keystore_server_vitamui_services_cas_server }}"
+ password_keystore_client: "{{ keystore_client_vitamui_services_cas_server }}"
+ password_truststore: "{{ truststore_client_external }}"
 tags: cas-server
diff --git a/deployment/environments/group_vars/all/vitam_vars.yml b/deployment/environments/group_vars/all/vitam_vars.yml
index d9e6d6136fd..c23ca36fd63 100755
--- a/deployment/environments/group_vars/all/vitam_vars.yml
+++ b/deployment/environments/group_vars/all/vitam_vars.yml
@@ -45,9 +45,9 @@ vitam_vars: vitam_certs: vitamui: filename: keystore_vitamui.p12 - password: "{{ keystores_client_vitam_vitamui }}" - truststore_filename: truststore_vitam.jks - password_truststore: "{{ truststores_client_vitam }}" + password: "{{ keystore_client_vitam_vitamui }}" + truststore_filename: truststore_vitam.p12 + password_truststore: "{{ truststore_client_vitam }}" # Define connection settings for external / third-party Vitam instances (for COLLECT) @@ -55,8 +55,8 @@ external_archiving_systems: ## Every external archiving system must have a unique id (only used alphanumeric chars, "_" or "-"). ## Please ensure corresponding keystore/truststore files are provided : - ## > environments/external_archiving_systems_keystores/keystore_.jks - ## > environments/external_archiving_systems_keystores/truststore_.jks + ## > environments/external_archiving_systems_keystores/keystore_.p12 + ## > environments/external_archiving_systems_keystores/truststore_.p12 ## Please ensure keystore/truststore passwords are defined (in an ansible vault file): ## > external_archiving_systems.keystore_password.: ## > external_archiving_systems.truststore_password.: diff --git a/deployment/environments/group_vars/all/vitamui_vars.yml b/deployment/environments/group_vars/all/vitamui_vars.yml index f39932b260b..97bd71a84a4 100755 --- a/deployment/environments/group_vars/all/vitamui_vars.yml +++ b/deployment/environments/group_vars/all/vitamui_vars.yml 
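Review bot: `truststore_filename` moves from `truststore_vitam.jks` to `truststore_vitam.p12`, but only the file name changes; whatever loads `vitam_certs.vitamui.truststore_filename` (templates, trust-store settings on the Java side) is outside this diff and will reject the file if it still assumes a JKS store type. Please check those consumers, and record the expectation next to the key so the next reader does not have to: `# PKCS12 (.p12) store — consumers must load it with store type PKCS12`. The documentation hunk below already moves the external-archiving-system examples to `keystore_.p12` / `truststore_.p12`, so the same caveat applies to the `external_archiving_systems` consumers.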
@@ -66,37 +66,46 @@ vitamui: ui_identity: vitamui_component: ui-identity port_service: 8002 + secure: false ui_identity_admin: vitamui_component: ui-identity-admin port_service: 8401 + secure: false package_name: vitamui-ui-identity-rsc ui_referential: vitamui_component: ui-referential port_service: 8005 + secure: false ui_portal: vitamui_component: ui-portal port_service: 8003 + secure: false has_tenant_list: true has_lang_selection: true has_site_selection: false ui_ingest: vitamui_component: ui-ingest port_service: 8008 + secure: false ui_archive_search: vitamui_component: ui-archive-search port_service: 8009 + secure: false ui_collect: vitamui_component: ui-collect port_service: 8010 + secure: false # offline_services: # Disables online search engines in collect # - agencies # - archive-unit-profiles ui_pastis: vitamui_component: ui-pastis port_service: 9015 + secure: false ui_design_system: vitamui_component: ui-design-system port_service: 9016 + secure: false # Applications api_gateway: diff --git a/deployment/pki/config/ca-config b/deployment/pki/config/ca-config index 98f79f9fce7..fbbbca76e5d 100644 --- a/deployment/pki/config/ca-config +++ b/deployment/pki/config/ca-config @@ -7,7 +7,7 @@ default_ca = ca_root [ ca_root ] dir = ./pki -certs = $dir/ca/client-external +certs = $dir/ca/${ENV::OPENSSL_CA_DIR} new_certs_dir = $dir/tempcerts database = $dir/config/${ENV::OPENSSL_CA_DIR}/index.txt certificate = $dir/ca/${ENV::OPENSSL_CA_DIR}/ca-root.crt @@ -44,7 +44,6 @@ O = vitamui OU = authorities CN = ${ENV::OPENSSL_CN} - # Certificates creation parameters : extensions [ extension_ca_root ] diff --git a/deployment/pki/config/crt-config b/deployment/pki/config/crt-config index a3f5e3f06c6..3ba56fa0827 100644 --- a/deployment/pki/config/crt-config +++ b/deployment/pki/config/crt-config 
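Review bot: `secure: false` is added to all nine UI components without any comment saying what the flag switches off or why `false` is the right default; from the hunk alone a reader cannot tell whether this means the UI is served without TLS behind the reverse proxy, or something else entirely. Since the same value is repeated nine times, a single comment at the first occurrence (`ui_identity`) is enough, e.g. `# secure: <what this toggles — TODO author> ; false on every UI component because <reason — TODO author>`, with the placeholders replaced before merge. If the flag does control TLS on `port_service`, that default deserves an explicit justification rather than being implied by the deletion of the `ui-design-system` server certificate in `generate_certs.sh`.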
@@ -22,7 +22,7 @@ unique_subject = no [ policy_match ] countryName = match stateOrProvinceName = match -localityName = match +localityName = match organizationName = match organizationalUnitName = optional commonName = supplied @@ -43,7 +43,6 @@ L = paris O = vitamui CN = ${ENV::OPENSSL_CN} - # Certificates creation parameters : extensions [ extension_server ] @@ -66,13 +65,3 @@ basicConstraints = critical,CA:FALSE keyUsage = digitalSignature nsCertType = client extendedKeyUsage = clientAuth - -[ extension_timestamping ] -nsComment = "Certificat Serveur SSL" -subjectKeyIdentifier = hash -authorityKeyIdentifier = keyid,issuer:always -issuerAltName = issuer:copy -basicConstraints = critical,CA:FALSE -keyUsage = digitalSignature, nonRepudiation -nsCertType = server -extendedKeyUsage = critical,timeStamping diff --git a/deployment/pki/scripts/generate_certs.sh b/deployment/pki/scripts/generate_certs.sh index f5df84f0fd8..98eb704d3ce 100755 --- a/deployment/pki/scripts/generate_certs.sh +++ b/deployment/pki/scripts/generate_certs.sh @@ -23,7 +23,6 @@ function generateCerts { pki_logger "Génération des certificats serveurs" # Zone interne generateServerCertAndStorePassphrase security vitamui-services - generateServerAndClientCertAndStorePassphrase api-gateway vitamui-services #Zone externe generateServerAndClientCertAndStorePassphrase iam vitamui-services @@ -33,6 +32,7 @@ function generateCerts { generateServerAndClientCertAndStorePassphrase archive-search vitamui-services generateServerAndClientCertAndStorePassphrase collect vitamui-services generateServerAndClientCertAndStorePassphrase pastis vitamui-services + generateServerAndClientCertAndStorePassphrase api-gateway vitamui-services #Zone UI generateServerAndClientCertAndStorePassphrase ui-portal vitamui-services 
@@ -43,10 +43,9 @@ function generateCerts { generateServerAndClientCertAndStorePassphrase ui-archive-search vitamui-services generateServerAndClientCertAndStorePassphrase ui-collect vitamui-services generateServerAndClientCertAndStorePassphrase ui-pastis vitamui-services - generateServerCertAndStorePassphrase ui-design-system vitamui-services #Reverse - generateServerCertAndStorePassphrase reverse hosts_vitamui_reverseproxy vitamui-services + generateServerCertAndStorePassphrase reverse vitamui-services # Example of generated client cert for a customer allowing to perform request on external APIs # generateClientCertAndStorePassphrase customer_x client-external diff --git a/deployment/pki/scripts/generate_certs_dev.sh b/deployment/pki/scripts/generate_certs_dev.sh index 356d2e8e9e0..44c52747334 100755 --- a/deployment/pki/scripts/generate_certs_dev.sh +++ b/deployment/pki/scripts/generate_certs_dev.sh @@ -13,11 +13,11 @@ set -e REPERTOIRE_ROOT="$( cd "$( readlink -f $(dirname ${BASH_SOURCE[0]}) )/../../../dev-deployment" ; pwd )" -function getHostCertificateCn { +function getComponentCertificateCn { echo "dev.vitamui.com" } -function getHostCertificateSan { +function getComponentCertificateSan { echo "DNS:dev.vitamui.com,DNS:localhost" } @@ -33,6 +33,7 @@ function generateCerts { pki_logger "Génération des certificats serveurs" # Zone interne generateServerCertAndStorePassphrase security vitamui-services + #Zone externe generateServerAndClientCertAndStorePassphrase iam vitamui-services generateServerAndClientCertAndStorePassphrase cas-server vitamui-services 
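Review bot: The reverse-proxy call drops `hosts_vitamui_reverseproxy` and becomes `generateServerCertAndStorePassphrase reverse vitamui-services`, the same two-argument shape as every other component; `generateServerCertAndStorePassphrase` is defined outside this diff, so please confirm it no longer takes a host-group argument in position two — otherwise `vitamui-services` would now be consumed as the host group and the zone argument would be empty. If that host group was what bound the reverse certificate's CN/SAN to the reverse-proxy hosts, that binding now has to come from elsewhere. The identical change is made in `generate_certs_dev.sh` in the next hunk. `ui-design-system` no longer receives a server certificate here, which appears consistent with the `secure: false` added for it in `vitamui_vars.yml`; a one-line comment at the removal site such as `# ui-design-system is served without its own server certificate` would make that intent explicit.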
@@ -42,6 +43,7 @@ function generateCerts { generateServerAndClientCertAndStorePassphrase collect vitamui-services generateServerAndClientCertAndStorePassphrase pastis vitamui-services generateServerAndClientCertAndStorePassphrase api-gateway vitamui-services + #Zone UI generateServerAndClientCertAndStorePassphrase ui-portal vitamui-services generateServerAndClientCertAndStorePassphrase ui-identity vitamui-services @@ -51,10 +53,9 @@ function generateCerts { generateServerAndClientCertAndStorePassphrase ui-archive-search vitamui-services generateServerAndClientCertAndStorePassphrase ui-pastis vitamui-services generateServerAndClientCertAndStorePassphrase ui-collect vitamui-services - generateServerCertAndStorePassphrase ui-design-system vitamui-services #Reverse - generateServerCertAndStorePassphrase reverse hosts_vitamui_reverseproxy vitamui-services + generateServerCertAndStorePassphrase reverse vitamui-services # Example of generated client cert for a customer allowing to perform request on external APIs generateClientCertAndStorePassphrase customer_x client-external diff --git a/deployment/pki/scripts/lib/ca.sh b/deployment/pki/scripts/lib/ca.sh index f78f0432fe7..67e445c72bb 100755 --- a/deployment/pki/scripts/lib/ca.sh +++ b/deployment/pki/scripts/lib/ca.sh 
@@ -1,99 +1,115 @@ #!/usr/bin/env bash set -e -###################################################################### -############################# Includes ############################## -###################################################################### +################################################################################ +################################## Includes ################################### +################################################################################ . "$(dirname $0)/lib/commons.sh" -###################################################################### -############################# Functions ############################## -###################################################################### +################################################################################ +################################## Functions ################################### +################################################################################ -# Génération de la CA root +# Generate root CA function generate_ca_root { - local MDP_CAROOT_KEY="${1}" - local REPERTOIRE_SORTIE="${2}" - local CONFIG_DIR="${3}" + local CA_ROOT_PASS="${1}" + local AUTHORITY="${2}" # Correctly set certificate CN (env var is read inside the openssl configuration file) - export OPENSSL_CN=ca_root_${REPERTOIRE_SORTIE} + export OPENSSL_CN=ca_root_${AUTHORITY} + pki_logger "OPENSSL_CN : ${OPENSSL_CN}" # Correctly set certificate DIRECTORY (env var is read inside the openssl configuration file) - export OPENSSL_CA_DIR=${REPERTOIRE_SORTIE} + export OPENSSL_CA_DIR="${AUTHORITY}" + pki_logger "OPENSSL_CA_DIR : ${OPENSSL_CA_DIR}" - if [ ! -d ${REPERTOIRE_CA}/${REPERTOIRE_SORTIE} ]; then - pki_logger "Création du sous-répertoire ${REPERTOIRE_SORTIE}" - mkdir -p ${REPERTOIRE_CA}/${REPERTOIRE_SORTIE}; + local CA_DIR=${CA_DIR}/${OPENSSL_CA_DIR} + if [ ! 
-d ${CA_DIR} ]; then + pki_logger "Create directory ${CA_DIR}" + mkdir -p ${CA_DIR}; fi - pki_logger "Create CA request..." + pki_logger "Create CA-root request..." openssl req \ - -config ${REPERTOIRE_CONFIG}/ca-config \ + -config ${CONFIG_DIR}/ca-config \ -new \ - -out ${REPERTOIRE_CA}/${REPERTOIRE_SORTIE}/ca-root.req \ - -keyout ${REPERTOIRE_CA}/${REPERTOIRE_SORTIE}/ca-root.key \ - -passout pass:${MDP_CAROOT_KEY} \ + -out ${CA_DIR}/ca-root.req \ + -keyout ${CA_DIR}/ca-root.key \ + -passout pass:${CA_ROOT_PASS} \ -batch - pki_logger "Create CA certificate... $(pwd)" + pki_logger "Sign CA-root certificate..." openssl ca \ - -config ${REPERTOIRE_CONFIG}/ca-config \ + -config ${CONFIG_DIR}/ca-config \ -selfsign \ -extensions extension_ca_root \ - -in ${REPERTOIRE_CA}/${REPERTOIRE_SORTIE}/ca-root.req \ - -passin pass:${MDP_CAROOT_KEY} \ - -out ${REPERTOIRE_CA}/${REPERTOIRE_SORTIE}/ca-root.crt \ + -in ${CA_DIR}/ca-root.req \ + -passin pass:${CA_ROOT_PASS} \ + -out ${CA_DIR}/ca-root.crt \ -batch + + pki_logger "Convert CA-root certificate to PEM format..." + openssl x509 \ + -in ${CA_DIR}/ca-root.crt \ + -out ${CA_DIR}/ca-root.pem \ + -outform PEM } -# Génération de la CA intermédiaire -function generate_ca_interm { - local MDP_CAINTERMEDIATE_KEY="${1}" - local MDP_CAROOT_KEY="${2}" - local REPERTOIRE_SORTIE="${3}" - local TYPE_CA="${4}" +# Generate intermediate CA +function generate_ca_intermediate { + local CA_INTERMEDIATE_PASS="${1}" + local CA_ROOT_PASS="${2}" + local AUTHORITY="${3}" # Correctly set certificate CN (env var is read inside the openssl configuration file) - export OPENSSL_CN=ca_intermediate_${REPERTOIRE_SORTIE} + export OPENSSL_CN=ca_intermediate_${AUTHORITY} + pki_logger "OPENSSL_CN : ${OPENSSL_CN}" # Correctly set certificate DIRECTORY (env var is read inside the openssl configuration file) - export OPENSSL_CA_DIR=${REPERTOIRE_SORTIE} - pki_logger "OPENSSL_CA_DIR : ${CAROOT_DIR}" - if [ ! 
-d ${REPERTOIRE_CA}/${REPERTOIRE_SORTIE} ]; then - pki_logger "Création du sous-répertoire ${REPERTOIRE_SORTIE}" - mkdir -p ${REPERTOIRE_CA}/${REPERTOIRE_SORTIE}; + export OPENSSL_CA_DIR=${AUTHORITY} + pki_logger "OPENSSL_CA_DIR : ${OPENSSL_CA_DIR}" + + local CA_DIR=${CA_DIR}/${OPENSSL_CA_DIR} + if [ ! -d ${CA_DIR} ]; then + pki_logger "Create directory ${OPENSSL_CA_DIR}" + mkdir -p ${CA_DIR}; fi - pki_logger "Generate intermediate request..." + pki_logger "Create CA-intermediate request..." openssl req \ - -config ${REPERTOIRE_CONFIG}/ca-config \ - -new \ - -newkey ${PARAM_KEY_CHIFFREMENT} \ - -out ${REPERTOIRE_CA}/${REPERTOIRE_SORTIE}/ca-intermediate.req \ - -keyout ${REPERTOIRE_CA}/${REPERTOIRE_SORTIE}/ca-intermediate.key \ - -passout pass:${MDP_CAINTERMEDIATE_KEY} \ - -batch - - pki_logger "Sign..." + -config ${CONFIG_DIR}/ca-config \ + -new \ + -newkey ${CRYPTO_SPEC} \ + -out ${CA_DIR}/ca-intermediate.req \ + -keyout ${CA_DIR}/ca-intermediate.key \ + -passout pass:${CA_INTERMEDIATE_PASS} \ + -batch + + pki_logger "Sign CA-intermediate certificate..." openssl ca \ - -config ${REPERTOIRE_CONFIG}/ca-config \ - -extensions extension_ca_intermediate \ - -in ${REPERTOIRE_CA}/${REPERTOIRE_SORTIE}/ca-intermediate.req \ - -passin pass:${MDP_CAROOT_KEY} \ - -out ${REPERTOIRE_CA}/${REPERTOIRE_SORTIE}/ca-intermediate.crt \ - -batch + -config ${CONFIG_DIR}/ca-config \ + -extensions extension_ca_intermediate \ + -in ${CA_DIR}/ca-intermediate.req \ + -passin pass:${CA_ROOT_PASS} \ + -out ${CA_DIR}/ca-intermediate.crt \ + -batch + + pki_logger "Convert CA-intermediate certificate to PEM format..." + openssl x509 \ + -in ${CA_DIR}/ca-intermediate.crt \ + -out ${CA_DIR}/ca-intermediate.pem \ + -outform PEM } -# Génération de la CA intermédiaire +# Initialize CA configuration function init_config_ca { local CA_DIR="${1}" # Suppression de la configuration existante. 
- rm -Rf "${REPERTOIRE_CONFIG}/${CA_DIR}" - mkdir -p "${REPERTOIRE_CONFIG}/${CA_DIR}" - touch "${REPERTOIRE_CONFIG}/${CA_DIR}/index.txt" - echo '01' > "${REPERTOIRE_CONFIG}/${CA_DIR}/serial" - touch "${REPERTOIRE_CONFIG}/${CA_DIR}/crlnumber" + rm -Rf "${CONFIG_DIR}/${CA_DIR}" + mkdir -p "${CONFIG_DIR}/${CA_DIR}" + touch "${CONFIG_DIR}/${CA_DIR}/index.txt" + echo '01' > "${CONFIG_DIR}/${CA_DIR}/serial" + touch "${CONFIG_DIR}/${CA_DIR}/crlnumber" } function get_autorities() { @@ -101,6 +117,10 @@ function get_autorities() { echo "" } +################################################################################ +################################## Main ################################## +################################################################################ + function main() { # FIXME Why ? it seems to be related to the variable 'dir' set in the configuration of certificates. 
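Review bot: `init_config_ca` runs `rm -Rf "${CONFIG_DIR}/${CA_DIR}"` with `CA_DIR` a local copied unchecked from `$1`, so a call with a missing or empty argument removes `${CONFIG_DIR}/` wholesale (the script uses `set -e` but not `set -u`, so an empty positional is not caught). That local also reuses the name of the global `CA_DIR` directory variable, and `generate_ca_root` and `generate_ca_intermediate` declare `local CA_DIR=${CA_DIR}/${OPENSSL_CA_DIR}` on top of it — this works only because the right-hand side is expanded before `local` creates the variable, which is easy to break in a later edit. Suggest naming the local `AUTHORITY` in all three functions and rejecting an empty one before any `rm`; the untranslated `# Suppression de la configuration existante.` comment can be put into English at the same time. The unquoted `${CA_DIR}` in the `[ ! -d … ]` tests and `mkdir -p` calls would also be safer quoted, as `init_config_ca` already does.
```shell
function init_config_ca {
    local AUTHORITY="${1}"
    if [ -z "${AUTHORITY}" ]; then
        pki_logger "init_config_ca: missing authority name, refusing to touch ${CONFIG_DIR}"
        return 1
    fi
    # Remove any existing configuration for this authority.
    rm -Rf "${CONFIG_DIR}/${AUTHORITY}"
    mkdir -p "${CONFIG_DIR}/${AUTHORITY}"
    touch "${CONFIG_DIR}/${AUTHORITY}/index.txt"
    echo '01' > "${CONFIG_DIR}/${AUTHORITY}/serial"
    touch "${CONFIG_DIR}/${AUTHORITY}/crlnumber"
}
```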
@@ -115,69 +135,69 @@ function main() { fi fi - pki_logger "Paramètres d'entrée:" - pki_logger " -> Ecraser les CA existants: ${ERASE}" + pki_logger "Input parameters:" + pki_logger " -> Erase existing CAs: ${ERASE}" # Cleaning or creating vault file for CA initVault ca ${ERASE} if [ "${ERASE}" == "true" ]; then - if [ -d ${REPERTOIRE_CA} ]; then + if [ -d ${CA_DIR} ]; then # We remove all generated CA - find "${REPERTOIRE_CA}/" -mindepth 1 -maxdepth 1 -type d -exec rm -Rf {} \; + find "${CA_DIR}/" -mindepth 1 -maxdepth 1 -type d -exec rm -Rf {} \; fi - if [ -d ${REPERTOIRE_CONFIG} ]; then + if [ -d ${CONFIG_DIR} ]; then # We remove all configurations linked to CA (except main config files) - find "${REPERTOIRE_CONFIG}/" -mindepth 1 -maxdepth 1 -type d -exec rm -Rf {} \; + find "${CONFIG_DIR}/" -mindepth 1 -maxdepth 1 -type d -exec rm -Rf {} \; fi fi - pki_logger "Lancement de la procédure de création des CA" + pki_logger "Starting CA creation process" pki_logger "==============================================" - if [ ! -d ${REPERTOIRE_CA} ]; then - pki_logger "Répertoire ${REPERTOIRE_CA} absent ; création..." - mkdir -p ${REPERTOIRE_CA}; + if [ ! -d ${CA_DIR} ]; then + pki_logger "Directory ${CA_DIR} does not exist, creating it..." + mkdir -p ${CA_DIR}; fi if [ ! -d ${TEMP_CERTS} ]; then - pki_logger "Création du répertoire de travail temporaire tempcerts sous ${TEMP_CERTS}..." + pki_logger "Directory ${TEMP_CERTS} does not exist, creating it..." mkdir -p ${TEMP_CERTS} fi - # Création des CA par autorités - autorities="$(get_autorities)" - for ITEM in ${autorities[@]} + # Create CA per authorities + AUTHORITIES="$(get_autorities)" + for AUTHORITY in ${AUTHORITIES[@]} do - mkdir -p ${REPERTOIRE_CA}/${ITEM} - init_config_ca ${ITEM} - - if [ ! -f ${REPERTOIRE_CA}/${ITEM}/ca-root.crt ]; then - pki_logger "Création de CA-root pour ${ITEM}..." 
- # Génération du CA_ROOT_PASSWORD & stockage dans le vault-ca - CA_ROOT_PASSWORD=$(generatePassphrase) - setComponentPassphrase ca "ca_root_${ITEM}" "${CA_ROOT_PASSWORD}" - generate_ca_root ${CA_ROOT_PASSWORD} ${ITEM} ${ITEM} + mkdir -p ${CA_DIR}/${AUTHORITY} + init_config_ca ${AUTHORITY} + + if [ ! -f ${CA_DIR}/${AUTHORITY}/ca-root.crt ]; then + pki_logger "Creation of CA-root for ${AUTHORITY}..." + # Generate CA_ROOT_PASS & store it in the vault-ca + CA_ROOT_PASS=$(generatePassphrase) + setComponentPassphrase ca "ca_root_${AUTHORITY}" "${CA_ROOT_PASS}" + generate_ca_root ${CA_ROOT_PASS} ${AUTHORITY} else - pki_logger "Le CA-root ${ITEM} existe déjà, il ne sera pas recréé..." + pki_logger "CA-root for ${AUTHORITY} already exists, it will not be recreated..." fi - if [ ! -f ${REPERTOIRE_CA}/${ITEM}/ca-intermediate.crt ]; then - pki_logger "Création du CA-intermediate pour ${ITEM}..." - # Génération du CA_INTERMEDIATE_PASSWORD & stockage dans le vault-ca - CA_INTERMEDIATE_PASSWORD=$(generatePassphrase) - setComponentPassphrase ca "ca_intermediate_${ITEM}" "${CA_INTERMEDIATE_PASSWORD}" - generate_ca_interm ${CA_INTERMEDIATE_PASSWORD} ${CA_ROOT_PASSWORD} ${ITEM} ${ITEM} - - purge_directory "${REPERTOIRE_CONFIG}/${ITEM}" - purge_directory "${REPERTOIRE_CA}/${ITEM}" + if [ ! -f ${CA_DIR}/${AUTHORITY}/ca-intermediate.crt ]; then + pki_logger "Creation of CA-intermediate for ${AUTHORITY}..." + # Generate CA_INTERMEDIATE_PASS & store it in the vault-ca + CA_INTERMEDIATE_PASS=$(generatePassphrase) + setComponentPassphrase ca "ca_intermediate_${AUTHORITY}" "${CA_INTERMEDIATE_PASS}" + generate_ca_intermediate ${CA_INTERMEDIATE_PASS} ${CA_ROOT_PASS} ${AUTHORITY} + + purge_directory "${CONFIG_DIR}/${AUTHORITY}" + purge_directory "${CA_DIR}/${AUTHORITY}" else - pki_logger "Le CA-intermediate ${ITEM} existe déjà, il ne sera pas recréé..." + pki_logger "CA-intermediate for ${AUTHORITY} already exists, it will not be recreated..." 
fi pki_logger "----------------------------------------------" done if [ -d ${TEMP_CERTS} ]; then pki_logger "==============================================" - pki_logger "Nettoyage du répertoire de travail temporaire tempcerts" + pki_logger "Cleaning of temporary tempcerts directories" rm -Rf ${TEMP_CERTS} fi pki_logger "==============================================" - pki_logger "Fin de la procédure de création des CA" + pki_logger "End of CA creation procedure" } diff --git a/deployment/pki/scripts/lib/certs.sh b/deployment/pki/scripts/lib/certs.sh index 0797a01d4b3..94805e0c502 100755 --- a/deployment/pki/scripts/lib/certs.sh +++ b/deployment/pki/scripts/lib/certs.sh 
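Review bot: When the CA-root for an authority already exists but its intermediate does not, `CA_ROOT_PASS` is never assigned (it is only set inside the `if [ ! -f …/ca-root.crt ]` branch), so the unquoted `${CA_ROOT_PASS}` in `generate_ca_intermediate ${CA_INTERMEDIATE_PASS} ${CA_ROOT_PASS} ${AUTHORITY}` expands to nothing and `${AUTHORITY}` shifts into the root-password position, leaving the function's `$3` empty — it then exports `OPENSSL_CN=ca_intermediate_` and writes into `${CA_DIR}/` itself. The old code had the same gap but passed `${ITEM}` twice, so `$3` still held the authority; the new two-argument call makes the failure mode worse. Quote the arguments and refuse to continue without a root passphrase, e.g. `[ -n "${CA_ROOT_PASS}" ] || { pki_logger "No CA-root passphrase available for ${AUTHORITY}"; exit 1; }` followed by `generate_ca_intermediate "${CA_INTERMEDIATE_PASS}" "${CA_ROOT_PASS}" "${AUTHORITY}"`. If the vault helpers expose a getter counterpart to `setComponentPassphrase` (not visible in this diff), reading the stored passphrase back in the else branch would be the better fix.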
@@ -1,25 +1,25 @@ #!/usr/bin/env bash set -e -###################################################################### -############################# Includes ############################## -###################################################################### +################################################################################ +################################## Includes ################################### +################################################################################ . "$(dirname $0)/lib/commons.sh" -###################################################################### -############################# Functions ############################## -###################################################################### +################################################################################ +################################## Functions ################################### +################################################################################ -# Génération du chemin d'un certificat serveur -function getHostCertificatePath { +# Generate the path of a server certificate +function getServerCertificatePath { local TYPE_CERTIFICAT="${1}" local COMPONENT="${2}" - echo "${REPERTOIRE_CERTIFICAT}/${TYPE_CERTIFICAT}/server/${COMPONENT}" + echo "${CERTIFICATE_DIR}/${TYPE_CERTIFICAT}/server/${COMPONENT}" } -# Génération du SubjectAlternate Name pour les certificats serveur. -function getHostCertificateSan { +# Generate the Subject Alternate Name for a server certificate +function getComponentCertificateSan { local SERVICE_HOSTNAME="${1}" local SERVICE_DC_HOSTNAME="${2}" local REVERSE_SAN="${3}" 
@@ -31,274 +31,192 @@ function getHostCertificateSan { fi } -# Génération du CN Name pour les certificats serveur. -function getHostCertificateCn { +# Generate the CN Name for a server certificate +function getComponentCertificateCn { local SERVICE_HOSTNAME="${1}" echo "${SERVICE_HOSTNAME}" } -# Génération d'un certificat serveur +# Generate a server certificate function generateServerCertificate { local COMPOSANT="${1}" - local CERT_KEY="${2}" + local KEY_PASS="${2}" local INTERMEDIATE_CA_KEY="${3}" local TYPE_CERTIFICAT="${4}" - local SERVER_TYPE="${5}" + local PKI_CONTEXT="${5}" local SERVICE_HOSTNAME="${6}" local SERVICE_DC_HOSTNAME="${7}" local REVERSE_SAN="${8}" # Correctly set Subject Alternate Name (env var is read inside the openssl configuration file) - export OPENSSL_SAN="$(getHostCertificateSan $SERVICE_HOSTNAME $SERVICE_DC_HOSTNAME $REVERSE_SAN)" + export OPENSSL_SAN="$(getComponentCertificateSan $SERVICE_HOSTNAME $SERVICE_DC_HOSTNAME $REVERSE_SAN)" # Correctly set certificate CN (env var is read inside the openssl configuration file) - export OPENSSL_CN="$(getHostCertificateCn $SERVICE_HOSTNAME)" + export OPENSSL_CN="$(getComponentCertificateCn $SERVICE_HOSTNAME)" # Correctly set certificate DIRECTORY (env var is read inside the openssl configuration file) - export OPENSSL_CRT_DIR=${SERVER_TYPE} - - pki_logger "Création du certificat ${SERVER_TYPE} pour ${COMPOSANT}..." - local HOST_CERTIFICATE_PATH=$(getHostCertificatePath ${SERVER_TYPE} ${COMPOSANT}) - mkdir -p "${HOST_CERTIFICATE_PATH}" - pki_logger "Generation de la clé..." - openssl req -newkey "${PARAM_KEY_CHIFFREMENT}" \ - -passout pass:"${CERT_KEY}" \ - -keyout "${HOST_CERTIFICATE_PATH}/${COMPOSANT}.key" \ - -out "${HOST_CERTIFICATE_PATH}/${COMPOSANT}.req" \ + export OPENSSL_CRT_DIR=${PKI_CONTEXT} + + pki_logger "Starting process to generate ${TYPE_CERTIFICAT} certificate signed with CA ${PKI_CONTEXT} for ${COMPOSANT}..." 
+ local SERVER_CERTIFICATE_PATH=$(getServerCertificatePath ${PKI_CONTEXT} ${COMPOSANT}) + mkdir -p "${SERVER_CERTIFICATE_PATH}" + pki_logger "Generating ${TYPE_CERTIFICAT} key for ${COMPOSANT}..." + openssl req -newkey "${CRYPTO_SPEC}" \ + -passout pass:"${KEY_PASS}" \ + -keyout "${SERVER_CERTIFICATE_PATH}/${COMPOSANT}.key" \ + -out "${SERVER_CERTIFICATE_PATH}/${COMPOSANT}.req" \ -nodes \ - -config "${REPERTOIRE_CONFIG}/crt-config" \ + -config "${CONFIG_DIR}/crt-config" \ -batch - pki_logger "Generation du certificat signé avec CA ${SERVER_TYPE}..." - openssl ca -config "${REPERTOIRE_CONFIG}/crt-config" \ + pki_logger "Generating ${TYPE_CERTIFICAT} crt for ${COMPOSANT}..." + openssl ca -config "${CONFIG_DIR}/crt-config" \ -passin pass:"${INTERMEDIATE_CA_KEY}" \ - -out "${HOST_CERTIFICATE_PATH}/${COMPOSANT}.crt" \ - -in "${HOST_CERTIFICATE_PATH}/${COMPOSANT}.req" \ + -out "${SERVER_CERTIFICATE_PATH}/${COMPOSANT}.crt" \ + -in "${SERVER_CERTIFICATE_PATH}/${COMPOSANT}.req" \ -extensions extension_${TYPE_CERTIFICAT} -batch - openssl x509 \ - -in "${HOST_CERTIFICATE_PATH}/${COMPOSANT}.crt" \ - -out "${HOST_CERTIFICATE_PATH}/${COMPOSANT}.pem" - - purge_directory "${HOST_CERTIFICATE_PATH}" - purge_directory "${REPERTOIRE_CONFIG}/${SERVER_TYPE}" -} - -# Génération du chemin d'un certificat de timestamping -function getTimestampCertificatePath { - local TYPE_CERTIFICAT="${1}" - local HOSTNAME="${2}" - echo "${REPERTOIRE_CERTIFICAT}/${TYPE_CERTIFICAT}/vitam" -} - -# Génération d'un certificat de timestamping ; le nom du certificat est dérivé de son usage -function generateTimestampCertificate { - local USAGE="${1}" - local CERT_KEY="${2}" - local INTERMEDIATE_CA_KEY="${3}" - local TYPE_CERTIFICAT="${4}" - local CN_VALEUR="${USAGE}" - - # Correctly set certificate CN (env var is read inside the openssl configuration file) - export OPENSSL_CN="${CN_VALEUR}" - # Correctly set certificate DIRECTORY (env var is read inside the openssl configuration file) - export 
OPENSSL_CRT_DIR=${TYPE_CERTIFICAT} - - pki_logger "Création du certificat ${TYPE_CERTIFICAT} pour usage ${USAGE}" - local TIMESTAMP_CERTIFICATE_PATH=$(getTimestampCertificatePath ${TYPE_CERTIFICAT}) - mkdir -p "${TIMESTAMP_CERTIFICATE_PATH}" - pki_logger "Generation de la clé..." - openssl req -newkey "${PARAM_KEY_CHIFFREMENT}" \ - -passout pass:"${CERT_KEY}" \ - -keyout "${TIMESTAMP_CERTIFICATE_PATH}/${USAGE}.key" \ - -out "${TIMESTAMP_CERTIFICATE_PATH}/${USAGE}.req" \ - -nodes \ - -config "${REPERTOIRE_CONFIG}/crt-config" \ - -batch - - pki_logger "Generation du certificat signé avec CA ${TYPE_CERTIFICAT}..." - openssl ca -config "${REPERTOIRE_CONFIG}/crt-config" \ - -passin pass:"${INTERMEDIATE_CA_KEY}" \ - -out "${TIMESTAMP_CERTIFICATE_PATH}/${USAGE}.crt" \ - -in "${TIMESTAMP_CERTIFICATE_PATH}/${USAGE}.req" \ - -extensions extension_${TYPE_CERTIFICAT} -batch - - purge_directory "${TIMESTAMP_CERTIFICATE_PATH}" - purge_directory "${REPERTOIRE_CONFIG}/${TYPE_CERTIFICAT}" + purge_directory "${SERVER_CERTIFICATE_PATH}" + purge_directory "${CONFIG_DIR}/${PKI_CONTEXT}" } - -# Génération du chemin d'un certificat client +# Generate the path of a client certificate function getClientCertificatePath { - local CLIENT_TYPE="${1}" - local CLIENT_NAME="${2}" - echo "${REPERTOIRE_CERTIFICAT}/${CLIENT_TYPE}/clients/${CLIENT_NAME}" + local PKI_CONTEXT="${1}" + local COMPOSANT="${2}" + echo "${CERTIFICATE_DIR}/${PKI_CONTEXT}/clients/${COMPOSANT}" } -# Génération d'un certificat client +# Generate a client certificate function generateClientCertificate { - local CLIENT_NAME="${1}" - local MDP_KEY="${2}" - local MDP_CAINTERMEDIATE_KEY="${3}" - local CLIENT_TYPE="${4}" - local TYPE_CERTIFICAT="client" + local COMPOSANT="${1}" + local KEY_PASS="${2}" + local CA_INTERMEDIATE_PASS="${3}" + local TYPE_CERTIFICAT="${4}" + local PKI_CONTEXT="${5}" # Correctly set certificate CN (env var is read inside the openssl configuration file) - export OPENSSL_CN="${CLIENT_NAME}" + export 
OPENSSL_CN="${COMPOSANT}" # Correctly set certificate DIRECTORY (env var is read inside the openssl configuration file) - export OPENSSL_CRT_DIR=${CLIENT_TYPE} + export OPENSSL_CRT_DIR=${PKI_CONTEXT} - pki_logger "Création du certificat ${TYPE_CERTIFICAT} pour ${CLIENT_NAME}" - local CLIENT_CERTIFICATE_PATH=$(getClientCertificatePath ${CLIENT_TYPE} ${CLIENT_NAME}) + pki_logger "Starting process to generate ${TYPE_CERTIFICAT} certificate for ${COMPOSANT}..." + local CLIENT_CERTIFICATE_PATH=$(getClientCertificatePath ${PKI_CONTEXT} ${COMPOSANT}) mkdir -p "${CLIENT_CERTIFICATE_PATH}" - pki_logger "Generation de la clé..." - openssl req -newkey "${PARAM_KEY_CHIFFREMENT}" \ - -passout pass:"${MDP_KEY}" \ - -keyout "${CLIENT_CERTIFICATE_PATH}/${CLIENT_NAME}.key" \ - -out "${CLIENT_CERTIFICATE_PATH}/${CLIENT_NAME}.req" \ - -config "${REPERTOIRE_CONFIG}/crt-config" \ + pki_logger "Generating ${TYPE_CERTIFICAT} key for ${COMPOSANT}..." + # TODO: Workaround with -nodes parameter to avoid passphrase. + # Remove this parameter when we have a solution for providing the passphrase to ansible during deployment. + openssl req -newkey "${CRYPTO_SPEC}" \ + -passout pass:"${KEY_PASS}" \ + -nodes \ + -keyout "${CLIENT_CERTIFICATE_PATH}/${COMPOSANT}.key" \ + -out "${CLIENT_CERTIFICATE_PATH}/${COMPOSANT}.req" \ + -config "${CONFIG_DIR}/crt-config" \ -batch - pki_logger "Generation du certificat signé avec ${CLIENT_TYPE}..." - openssl ca -config "${REPERTOIRE_CONFIG}/crt-config" \ - -passin pass:"${MDP_CAINTERMEDIATE_KEY}" \ - -out "${CLIENT_CERTIFICATE_PATH}/${CLIENT_NAME}.crt" \ - -in "${CLIENT_CERTIFICATE_PATH}/${CLIENT_NAME}.req" \ + pki_logger "Generating ${TYPE_CERTIFICAT} crt signed with ${PKI_CONTEXT} for ${COMPOSANT}..." 
+ openssl ca -config "${CONFIG_DIR}/crt-config" \ + -passin pass:"${CA_INTERMEDIATE_PASS}" \ + -out "${CLIENT_CERTIFICATE_PATH}/${COMPOSANT}.crt" \ + -in "${CLIENT_CERTIFICATE_PATH}/${COMPOSANT}.req" \ -extensions extension_${TYPE_CERTIFICAT} -batch - pki_logger "Generation du certificat pem pour client " - openssl x509 \ - -in "${CLIENT_CERTIFICATE_PATH}/${CLIENT_NAME}.crt" \ - -out "${CLIENT_CERTIFICATE_PATH}/${CLIENT_NAME}.pem" - + pki_logger "Generating ${TYPE_CERTIFICAT} pem only for cas-server and ui-* components..." + # Mandatory for loading the certificates in database 'security -> certificates' for authentification purposes + if [ "${COMPOSANT}" == "cas-server" ] || [[ "${COMPOSANT}" == ui-* ]]; then + pki_logger "Generating ${TYPE_CERTIFICAT} pem for ${COMPOSANT}..." + openssl x509 \ + -in "${CLIENT_CERTIFICATE_PATH}/${COMPOSANT}.crt" \ + -out "${CLIENT_CERTIFICATE_PATH}/${COMPOSANT}.pem" + fi purge_directory "${CLIENT_CERTIFICATE_PATH}" - purge_directory "${REPERTOIRE_CONFIG}/${CLIENT_TYPE}" + purge_directory "${CONFIG_DIR}/${PKI_CONTEXT}" } -# Génération des certificats serveur et client pour un composant donné +# Generate a server and a client certificate and store passphrase function generateServerAndClientCertAndStorePassphrase { local COMPONENT="${1}" - if [ "$#" -eq 2 ]; then - local PKI_CONTEXT="${2}" - generateServerCertAndStorePassphrase "${COMPONENT}" "${PKI_CONTEXT}" - generateClientCertAndStorePassphrase "${COMPONENT}" "${PKI_CONTEXT}" - else - local HOSTS_GROUP="${2}" - local PKI_CONTEXT="${3}" - generateServerCertAndStorePassphrase "${COMPONENT}" "${HOSTS_GROUP}" "${PKI_CONTEXT}" - generateClientCertAndStorePassphrase "${COMPONENT}" "${PKI_CONTEXT}" - fi + local PKI_CONTEXT="${2}" + generateServerCertAndStorePassphrase "${COMPONENT}" "${PKI_CONTEXT}" + generateClientCertAndStorePassphrase "${COMPONENT}" "${PKI_CONTEXT}" } -# Génération des certificats serveur et stockage de la passphrase pour tous les hosts d'un host group donné +# Generate 
a server certificate and store passphrase function generateServerCertAndStorePassphrase { local COMPONENT="${1}" - local HOSTS_GROUP="" - local SERVER_TYPE="" - - pki_logger "DEBUG" "generateServerCertAndStorePassphrase called with $# args: 1=$1, 2=$2, 3=$3" - if [ "$#" -eq 3 ]; then - HOSTS_GROUP="${2}" - SERVER_TYPE="${3}" - elif [ "$#" -eq 2 ]; then - SERVER_TYPE="${2}" - fi - pki_logger "DEBUG" "Component: ${COMPONENT}, Group: ${HOSTS_GROUP}, Type: ${SERVER_TYPE}" + local PKI_CONTEXT="${2}" + + pki_logger "DEBUG" "generateServerCertAndStorePassphrase called with $# args: COMPONENT=$1, PKI_CONTEXT=$2" local TYPE_CERTIFICAT="server" local REVERSE_SAN="" - local SERVER="" - # Récupération du password de la CA_INTERMEDIATE dans le vault-ca - CA_INTERMEDIATE_PASSWORD=$(getComponentPassphrase ca "ca_intermediate_${SERVER_TYPE}") + # Retrieve the passphrase of the CA_INTERMEDIATE from the vault-ca + CA_INTERMEDIATE_PASS=$(getComponentPassphrase ca "ca_intermediate_${PKI_CONTEXT}") DC_NAME=$(getDcName) - if [ -n "${HOSTS_GROUP}" ]; then - SERVER=$(ansible -i ${ENVIRONNEMENT_FILE} --list-hosts ${HOSTS_GROUP} ${ANSIBLE_VAULT_PASSWD} | sed "1 d" | head -n 1 | xargs) - fi - if [ "${COMPONENT}" == "reverse" ]; then - if [ -n "${SERVER}" ]; then - REVERSE_SAN=$(read_ansible_var "vitamui_reverse_external_dns" ${SERVER}) - fi + REVERSE_SAN=$(read_ansible_var "vitamui_reverse_external_dns" hosts_vitamui_reverseproxy[0]) + pki_logger "DEBUG" "REVERSE_SAN=${REVERSE_SAN}" fi - local SERVER_CERTIFICATE_PATH=$(getHostCertificatePath ${SERVER_TYPE} ${COMPONENT}) + pki_logger "DEBUG" "DC_NAME=${DC_NAME}, CONSUL_DOMAIN=${CONSUL_DOMAIN}" + + local SERVER_CERTIFICATE_PATH=$(getServerCertificatePath ${PKI_CONTEXT} ${COMPONENT}) if [ ! 
-f "${SERVER_CERTIFICATE_PATH}/${COMPONENT}.crt" ]; then - # Generate the key - local CERT_KEY=$(generatePassphrase) + # Generate the passphrase + local KEY_PASS=$(generatePassphrase) # Create the certificate generateServerCertificate ${COMPONENT} \ - ${CERT_KEY} \ - ${CA_INTERMEDIATE_PASSWORD} \ - ${TYPE_CERTIFICAT} \ - ${SERVER_TYPE} \ - "vitamui-${COMPONENT}.service.${CONSUL_DOMAIN}" \ - "vitamui-${COMPONENT}.service.${DC_NAME}.${CONSUL_DOMAIN}" \ - "${REVERSE_SAN}" + ${KEY_PASS} \ + ${CA_INTERMEDIATE_PASS} \ + ${TYPE_CERTIFICAT} \ + ${PKI_CONTEXT} \ + "vitamui-${COMPONENT}.service.${CONSUL_DOMAIN}" \ + "vitamui-${COMPONENT}.service.${DC_NAME}.${CONSUL_DOMAIN}" \ + "${REVERSE_SAN}" # Store the key to the vault - setComponentPassphrase certs "server_vitamui_services_${COMPONENT}_key" \ - "${CERT_KEY}" + setComponentPassphrase certs "server_${PKI_CONTEXT}_${COMPONENT}_key" "${KEY_PASS}" else - pki_logger "Le certificat SERVER - ${SERVER_TYPE} - ${COMPONENT}.crt existe déjà, il ne sera pas recréé..." + pki_logger "Le certificat SERVER - ${PKI_CONTEXT} - ${COMPONENT}.crt existe déjà, il ne sera pas recréé..." fi } -# Génération d'un certificat timestamp (utilise la fonction de génération de certificats serveur) -function generateTimestampCertAndStorePassphrase { - local USAGE="${1}" - - # Récupération du password de la CA_INTERMEDIATE dans le vault-ca - CA_INTERMEDIATE_PASSWORD=$(getComponentPassphrase ca "ca_intermediate_timestamping") - local TIMESTAMP_CERTIFICAT_TYPE="timestamping" - local TIMESTAMP_CERTIFICATE_PATH=$(getTimestampCertificatePath ${TIMESTAMP_CERTIFICAT_TYPE}) - if [ ! 
-f "${SERVER_CERTIFICATE_PATH}/${USAGE}.crt" ]; then - # Generate the key - local CERT_KEY=$(generatePassphrase) - # Create the certificate - generateTimestampCertificate ${USAGE} \ - ${CERT_KEY} \ - ${CA_INTERMEDIATE_PASSWORD} - ${TIMESTAMP_CERTIFICAT_TYPE} - # Store the key to the vault - setComponentPassphrase certs "timestamping_${USAGE}_key" \ - "${CERT_KEY}" - else - pki_logger "Le certificat ${TIMESTAMP_CERTIFICAT_TYPE} - ${USAGE}.crt existe déjà, il ne sera pas recréé..." - fi -} - -# Génération du certificat client et stockage de la passphrase +# Generate client certificate and store the passphrase function generateClientCertAndStorePassphrase { local COMPONENT="${1}" - local CLIENT_TYPE="${2}" + local PKI_CONTEXT="${2}" + + pki_logger "DEBUG" "generateClientCertAndStorePassphrase called with $# args: COMPONENT=$1, PKI_CONTEXT=$2" + + local TYPE_CERTIFICAT="client" - local CLIENT_CERTIFICATE_PATH=$(getClientCertificatePath ${CLIENT_TYPE} ${COMPONENT}) + local CLIENT_CERTIFICATE_PATH=$(getClientCertificatePath ${PKI_CONTEXT} ${COMPONENT}) if [ ! 
-f "${CLIENT_CERTIFICATE_PATH}/${COMPONENT}.crt" ]; then - # Récupération du password de la CA_INTERMEDIATE dans le vault-ca - CA_INTERMEDIATE_PASSWORD=$(getComponentPassphrase ca "ca_intermediate_${CLIENT_TYPE}") + # Get the CA_INTERMEDIATE passphrase from the vault-ca + local CA_INTERMEDIATE_PASS=$(getComponentPassphrase ca "ca_intermediate_${PKI_CONTEXT}") # Generate the key - local CERT_KEY=$(generatePassphrase) + local KEY_PASS=$(generatePassphrase) # Create the certificate generateClientCertificate ${COMPONENT} \ - ${CERT_KEY} \ - ${CA_INTERMEDIATE_PASSWORD} \ - ${CLIENT_TYPE} + ${KEY_PASS} \ + ${CA_INTERMEDIATE_PASS} \ + ${TYPE_CERTIFICAT} \ + ${PKI_CONTEXT} # Store the key to the vault - setComponentPassphrase certs "client_${CLIENT_TYPE}_${COMPONENT}_key" \ - "${CERT_KEY}" + setComponentPassphrase certs "client_${PKI_CONTEXT}_${COMPONENT}_key" "${KEY_PASS}" else - pki_logger "Le certificat CLIENT - ${CLIENT_TYPE} - ${COMPONENT} existe déjà, il ne sera pas recréé..." + pki_logger "Le certificat CLIENT - ${PKI_CONTEXT} - ${COMPONENT} existe déjà, il ne sera pas recréé..." fi } -# Recopie de la CA de pki/CA vers environments/cert/cert-type/CA +# Copy the CA from pki//ca to environments/certs//ca function copyCAFromPki { - local CERT_TYPE="${1}" + local PKI_CONTEXT="${1}" - mkdir -p "${REPERTOIRE_CERTIFICAT}/${CERT_TYPE}/ca" - pki_logger "Copie des CA de ${CERT_TYPE}" - for CA in $(ls ${REPERTOIRE_CA}/${CERT_TYPE}/*.crt); do - cp -f "${CA}" "${REPERTOIRE_CERTIFICAT}/${CERT_TYPE}/ca/$(basename ${CA})" + mkdir -p "${CERTIFICATE_DIR}/${PKI_CONTEXT}/ca" + pki_logger "Copying CA of ${PKI_CONTEXT}" + for CA in $(ls ${CA_DIR}/${PKI_CONTEXT}/*.crt ${CA_DIR}/${PKI_CONTEXT}/*.pem); do + cp -vf "${CA}" "${CERTIFICATE_DIR}/${PKI_CONTEXT}/ca/$(basename ${CA})" done } 
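Review bot: In generateClientCertificate the newly added `-nodes` makes the `-passout pass:"${KEY_PASS}"` on the same `openssl req` call a no-op, so the client private key is written to `${CLIENT_CERTIFICATE_PATH}/${COMPOSANT}.key` unencrypted, while generateClientCertAndStorePassphrase still stores KEY_PASS in the vault under `client_${PKI_CONTEXT}_${COMPONENT}_key` as if it protected that key; the TODO should say so, e.g. `# NOTE: with -nodes the .key file is NOT encrypted; the passphrase stored in the vault is not applied to it.` Separately, `local KEY_PASS=$(generatePassphrase)` and `local CA_INTERMEDIATE_PASS=$(getComponentPassphrase ca ...)` hide the substitution's exit status from `set -e`, so a failed vault lookup or passphrase generation carries on with an empty string that then lands in the vault and in `-passin pass:`; declare and assign separately, `local KEY_PASS; KEY_PASS=$(generatePassphrase)`. In copyCAFromPki the new `$(ls ${CA_DIR}/${PKI_CONTEXT}/*.crt ${CA_DIR}/${PKI_CONTEXT}/*.pem)` prints an error whenever one of the two patterns has no match, and its output is word-split; iterating the globs directly under `shopt -s nullglob` avoids both. The `-nodes` on the server key and the `pass:` arguments on the openssl command lines are pre-existing and not changed by this hunk.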
@@ -322,9 +240,9 @@ function generateCerts { pki_logger "Generation of certificates" } -###################################################################### -############################# Main ############################# -###################################################################### +################################################################################ +################################## Main ################################## +################################################################################ function main { @@ -352,9 +270,9 @@ function main { exit 1 fi - pki_logger "Paramètres d'entrée:" + pki_logger "Input parameters:" pki_logger " -> Environnement: ${ENVIRONNEMENT}" - pki_logger " -> Ecraser les certificats existants: ${ERASE}" + pki_logger " -> Erase existing certificates: ${ERASE}" # Get consul_domain CONSUL_DOMAIN=$(getConsulDomain) 
@@ -363,20 +281,20 @@ function main { initVault certs ${ERASE} if [ "${ERASE}" == "true" ]; then - if [ -d ${REPERTOIRE_CERTIFICAT} ]; then + if [ -d ${CERTIFICATE_DIR} ]; then # We remove all generated certs - find ${REPERTOIRE_CERTIFICAT} -type f -name *.crt -exec rm -f {} \; - find ${REPERTOIRE_CERTIFICAT} -type f -name *.key -exec rm -f {} \; - find ${REPERTOIRE_CERTIFICAT} -type f -name *.pem -exec rm -f {} \; - find ${REPERTOIRE_CERTIFICAT} -type d -empty -delete + find ${CERTIFICATE_DIR} -type f -name *.crt -exec rm -f {} \; + find ${CERTIFICATE_DIR} -type f -name *.key -exec rm -f {} \; + find ${CERTIFICATE_DIR} -type f -name *.pem -exec rm -f {} \; + find ${CERTIFICATE_DIR} -type d -empty -delete fi fi - if [ ! -d ${REPERTOIRE_CERTIFICAT} ]; then - pki_logger "Création du répertoire des certicats sous ${REPERTOIRE_CERTIFICAT}..." - mkdir -p ${REPERTOIRE_CERTIFICAT} + if [ ! -d ${CERTIFICATE_DIR} ]; then + pki_logger "Directory ${CERTIFICATE_DIR} does not exist, creating it..." + mkdir -p ${CERTIFICATE_DIR} fi if [ ! -d ${TEMP_CERTS} ]; then - pki_logger "Création du répertoire de travail temporaire tempcerts sous ${TEMP_CERTS}..." + pki_logger "Directory ${TEMP_CERTS} does not exist, creating it..." mkdir -p ${TEMP_CERTS} fi @@ -384,9 +302,9 @@ function main { if [ -d ${TEMP_CERTS} ]; then pki_logger "==============================================" - pki_logger "Nettoyage du répertoire de travail temporaire tempcerts" + pki_logger "Cleaning of temporary tempcerts directories" rm -Rf ${TEMP_CERTS} fi pki_logger "==============================================" - pki_logger "Fin de la procédure de création des certificats" + pki_logger "End of certificates creation procedure" } diff --git a/deployment/pki/scripts/lib/commons.sh b/deployment/pki/scripts/lib/commons.sh index 6523d84cb6d..f7ff16b05b0 100755 --- a/deployment/pki/scripts/lib/commons.sh +++ b/deployment/pki/scripts/lib/commons.sh 
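Review bot: The renamed `find ${CERTIFICATE_DIR} -type f -name *.crt -exec rm -f {} \;` lines in the ERASE branch leave the `-name` pattern unquoted, so a matching file in the current directory is expanded by the shell before find runs and the pattern silently becomes that file name; quote it, `-name '*.crt'` (likewise for `*.key` and `*.pem`). With `${CERTIFICATE_DIR}` also unquoted, an empty value would make `[ -d ${CERTIFICATE_DIR} ]` a true single-argument test and the `find` would delete every .crt/.key/.pem under the current directory; `"${CERTIFICATE_DIR:?}"` fails fast instead. CERTIFICATE_DIR is assigned in commons.sh init(), so this is a guard against main being entered without init rather than a defect on the normal path.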
@@ -4,13 +4,12 @@ set -e
REPERTOIRE_ROOT="$( cd "$( readlink -f $(dirname ${BASH_SOURCE[0]}) )/../../.." ; pwd )"
function init () {
-
- REPERTOIRE_CERTIFICAT="${REPERTOIRE_ROOT}/environments/certs"
- REPERTOIRE_CA="${REPERTOIRE_ROOT}/pki/ca"
+ CERTIFICATE_DIR="${REPERTOIRE_ROOT}/environments/certs"
+ CA_DIR="${REPERTOIRE_ROOT}/pki/ca"
CA_ROOT_TYPE="all"
- REPERTOIRE_CONFIG="${REPERTOIRE_ROOT}/pki/config"
+ CONFIG_DIR="${REPERTOIRE_ROOT}/pki/config"
TEMP_CERTS="${REPERTOIRE_ROOT}/pki/tempcerts"
- PARAM_KEY_CHIFFREMENT="rsa:4096"
+ CRYPTO_SPEC="rsa:4096"
ENVIRONMENT_VARIABLES="${REPERTOIRE_ROOT}/environments/group_vars/all"
if [ -f "${REPERTOIRE_ROOT}/vault_pass.txt" ]; then
@@ -26,7 +25,6 @@ function init () {
# Check if gawk is present
hash gawk
-
}
function read_ansible_var {
@@ -99,7 +97,7 @@ function getVaultFile() {
case $TYPE in "ca" | "certs")
- echo -n "${REPERTOIRE_CERTIFICAT}/vault-${TYPE}.yml"
+ echo -n "${CERTIFICATE_DIR}/vault-${TYPE}.yml"
;;
"keystores")
echo -n "${ENVIRONMENT_VARIABLES}/vault-${TYPE}.yml"
@@ -199,7 +197,6 @@ function getComponentPassphrase {
}
}
-
# Method allowing to check if a key is declared in a vault file (ONLY a single level of tree structure).
# @param TYPE Type of vault.
# @param KEY Key linked to the data to retrieve.
@@ -247,7 +244,6 @@ function hasComponentPassphrase {
}
}
-
# Method allowing to save a key/value in a vault file (ONLY a single level of tree structure).
# @param TYPE Type of vault.
# @param KEY Key of the data.
diff --git a/deployment/pki/scripts/lib/stores.sh b/deployment/pki/scripts/lib/stores.sh
index 62465eb48f8..a3d72c3e6da 100755
--- a/deployment/pki/scripts/lib/stores.sh
+++ b/deployment/pki/scripts/lib/stores.sh
@@ -1,24 +1,25 @@ #!/usr/bin/env bash set -e -###################################################################### -############################# Includes ############################## -###################################################################### +################################################################################ +################################## Includes ################################### +################################################################################ . "$(dirname $0)/pki/scripts/lib/commons.sh" -###################################################################### -############################# Functions ############################## -###################################################################### +################################################################################ +################################## Functions ################################### +################################################################################ -# Pour incorporer un certificat dans un store -function addCrtInJks { +# Import a certificate into a keystore +function addCrtInKeystore { local STORE="${1}" local MDP_STORE="${2}" local CERTIFICAT="${3}" local ALIAS="${4}" keytool -import -keystore ${STORE} \ + -storetype PKCS12 \ -file ${CERTIFICAT} \ -storepass ${MDP_STORE} \ -keypass ${MDP_STORE} \ @@ -26,14 +27,15 @@ function addCrtInJks { -alias ${ALIAS} } -# Pour incorporer une CA dans un store -function addCaInJks { +# Import a CA certificate into a keystore +function addCaInKeystore { local STORE="${1}" local MDP_STORE="${2}" local CERTIFICAT="${3}" local ALIAS="${4}" keytool -import -trustcacerts -keystore ${STORE} \ + -storetype PKCS12 \ -file ${CERTIFICAT} \ -storepass ${MDP_STORE} \ -keypass ${MDP_STORE} \ 
@@ -41,10 +43,10 @@ function addCaInJks { -alias ${ALIAS} } -# Génération d'un p12 et d'un pem depuis un certificat +# Generate a p12 and a pem from a certificate function crtKeyToP12 { local BASEFILE="${1}" - local MDP_KEY="${2}" + local KEY_PASS="${2}" local KEYPAIR_NAME="${3}" local MDP_P12="${4}" local TARGET_FILE="${5}" @@ -53,33 +55,33 @@ function crtKeyToP12 { -inkey "${BASEFILE}/${KEYPAIR_NAME}.key" \ -in "${BASEFILE}/${KEYPAIR_NAME}.crt" \ -name "${KEYPAIR_NAME}" \ - -passin pass:"${MDP_KEY}" \ + -passin pass:"${KEY_PASS}" \ -out "${BASEFILE}/${KEYPAIR_NAME}.p12" \ -passout pass:"${MDP_P12}" if [ "${BASEFILE}/${KEYPAIR_NAME}.p12" != "${TARGET_FILE}" ]; then mkdir -p $(dirname ${TARGET_FILE}) - mv "${BASEFILE}/${KEYPAIR_NAME}.p12" "${TARGET_FILE}" + mv -v "${BASEFILE}/${KEYPAIR_NAME}.p12" "${TARGET_FILE}" fi } -# Pour incorporer un certificat p12 dans un keystore jks -function addP12InJks { - local JKS_KEYSTORE="${1}" - local JKS_KEYSTORE_PASSWORD="${2}" +# Import a p12 certificate into a keystore +function addP12InKeystore { + local KEYSTORE="${1}" + local KEYSTORE_PASSWORD="${2}" local P12_KEYSTORE="${3}" local P12_STORE_PASSWORD="${4}" - mkdir -p "$(dirname ${JKS_KEYSTORE})" + mkdir -p "$(dirname ${KEYSTORE})" keytool -importkeystore \ -srckeystore ${P12_KEYSTORE} -srcstorepass ${P12_STORE_PASSWORD} -srcstoretype PKCS12 \ - -destkeystore ${JKS_KEYSTORE} -storepass ${JKS_KEYSTORE_PASSWORD} \ - -keypass ${JKS_KEYSTORE_PASSWORD} -deststorepass ${JKS_KEYSTORE_PASSWORD} \ - -destkeypass ${JKS_KEYSTORE_PASSWORD} -deststoretype JKS + -destkeystore ${KEYSTORE} -storepass ${KEYSTORE_PASSWORD} \ + -keypass ${KEYSTORE_PASSWORD} -deststorepass ${KEYSTORE_PASSWORD} \ + -destkeypass ${KEYSTORE_PASSWORD} -deststoretype PKCS12 } -# Renvoie la clé du keystore pour un composant donné +# Get the keystore passphrase for a given component function getKeystorePassphrase { local KEY="${1}" local RETURN_CODE=0 
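Review bot: addP12InKeystore now writes a PKCS12 store but passes KEYSTORE_PASSWORD four times (`-storepass`, `-keypass`, `-deststorepass`, `-destkeypass`) without saying why; keytool does not support a key password that differs from the store password for PKCS12 stores and silently ignores the `-keypass` value, so the equality is a requirement, not an accident. A comment above the keytool call would keep a later edit from splitting them, e.g. `# PKCS12 stores require store and key passwords to be identical; keytool ignores a differing -keypass.` The password on the command line is visible to other local users via the process list; keytool's `-deststorepass:env` / `:file` forms exist for that, but this is pre-existing and out of scope for the rename.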
@@ -95,7 +97,7 @@ function getKeystorePassphrase {
fi
}
-# Generate a trustore
+# Generate a truststore
function generateTrustStore {
local TRUSTORE_TYPE=${1}
local CLIENT_TYPE=${2}
@@ -107,70 +109,70 @@ function generateTrustStore { # Set truststore path and delete the store if already exists if [ "${TRUSTORE_TYPE}" == "client" ]; then - JKS_TRUST_STORE=${REPERTOIRE_KEYSTORES}/client-${CLIENT_TYPE}/truststore_${CLIENT_TYPE}.jks - TRUST_STORE_PASSWORD=$(getKeystorePassphrase "truststores_client_${CLIENT_TYPE}") + TRUST_STORE=${REPERTOIRE_KEYSTORES}/client-${CLIENT_TYPE}/truststore_${CLIENT_TYPE}.p12 + TRUST_STORE_PASSWORD=$(getKeystorePassphrase "truststore_client_${CLIENT_TYPE}") elif [ "${TRUSTORE_TYPE}" == "vitamui-services" ]; then - JKS_TRUST_STORE=${REPERTOIRE_KEYSTORES}/vitamui-services/truststore_vitamui.jks - TRUST_STORE_PASSWORD=$(getKeystorePassphrase "truststores_vitamui") + TRUST_STORE=${REPERTOIRE_KEYSTORES}/vitamui-services/truststore_vitamui.p12 + TRUST_STORE_PASSWORD=$(getKeystorePassphrase "truststore_vitamui") else pki_logger "ERROR" "Invalid trustore type: ${TRUSTORE_TYPE}" return 1 fi - if [ -f "${JKS_TRUST_STORE}" ]; then - rm -f "${JKS_TRUST_STORE}" + if [ -f "${TRUST_STORE}" ]; then + rm -vf "${TRUST_STORE}" fi # Add the public client ca certificates to the truststore - pki_logger "Ajout des certificats client dans le truststore" + pki_logger "Add client certificates to the truststore" if [ "${TRUSTORE_TYPE}" == "client" ]; then if [ "${CLIENT_TYPE}" == "vitamui-services" ]; then - CLIENT_CA_DIR="${REPERTOIRE_CERTIFICAT}/${CLIENT_TYPE}/ca" + CLIENT_CA_DIR="${CERTIFICATE_DIR}/${CLIENT_TYPE}/ca" else - CLIENT_CA_DIR="${REPERTOIRE_CERTIFICAT}/client-${CLIENT_TYPE}/ca" + CLIENT_CA_DIR="${CERTIFICATE_DIR}/client-${CLIENT_TYPE}/ca" fi for CRT_FILE in $(ls ${CLIENT_CA_DIR}/*.crt); do - pki_logger "Ajout de ${CRT_FILE} dans le truststore ${CLIENT_TYPE}" + pki_logger "Add ${CRT_FILE} to the truststore ${CLIENT_TYPE}" ALIAS="client-${CLIENT_TYPE}-$(basename ${CRT_FILE})" - addCrtInJks ${JKS_TRUST_STORE} \ - ${TRUST_STORE_PASSWORD} \ - ${CRT_FILE} \ - ${ALIAS} + addCrtInKeystore ${TRUST_STORE} \ + ${TRUST_STORE_PASSWORD} \ + 
${CRT_FILE} \ + ${ALIAS} done fi # Add the server certificates to the truststore - pki_logger "Ajout des certificats serveur dans le truststore" - for CRT_FILE in $(ls ${REPERTOIRE_CERTIFICAT}/vitamui-services/ca/*.crt); do - pki_logger "Ajout de ${CRT_FILE} dans le truststore ${CLIENT_TYPE}" + pki_logger "Add server certificates to the truststore" + for CRT_FILE in $(ls ${CERTIFICATE_DIR}/vitamui-services/ca/*.crt); do + pki_logger "Add ${CRT_FILE} to the truststore ${CLIENT_TYPE}" ALIAS="server-$(basename ${CRT_FILE})" - addCrtInJks ${JKS_TRUST_STORE} \ - ${TRUST_STORE_PASSWORD} \ - ${CRT_FILE} \ - ${ALIAS} + addCrtInKeystore ${TRUST_STORE} \ + ${TRUST_STORE_PASSWORD} \ + ${CRT_FILE} \ + ${ALIAS} done # Add the client CA certificates to the server truststore (to trust incoming client certs) if [ "${TRUSTORE_TYPE}" == "vitamui-services" ]; then - pki_logger "Ajout des CA clients dans le truststore serveur" + pki_logger "Add client CA certificates to the server truststore" for CLIENT_CA_TYPE in vitam vitamui-services external; do if [ "${CLIENT_CA_TYPE}" == "vitamui-services" ]; then - CA_DIR="${REPERTOIRE_CERTIFICAT}/${CLIENT_CA_TYPE}/ca" + CA_DIR="${CERTIFICATE_DIR}/${CLIENT_CA_TYPE}/ca" else - CA_DIR="${REPERTOIRE_CERTIFICAT}/client-${CLIENT_CA_TYPE}/ca" + CA_DIR="${CERTIFICATE_DIR}/client-${CLIENT_CA_TYPE}/ca" fi if [ -d "${CA_DIR}" ]; then for CRT_FILE in $(ls ${CA_DIR}/*.crt 2>/dev/null); do - pki_logger "Ajout de ${CRT_FILE} dans le truststore server" + pki_logger "Add ${CRT_FILE} to the server truststore" ALIAS="client-${CLIENT_CA_TYPE}-$(basename ${CRT_FILE})" - addCrtInJks ${JKS_TRUST_STORE} \ - ${TRUST_STORE_PASSWORD} \ - ${CRT_FILE} \ - ${ALIAS} + addCrtInKeystore ${TRUST_STORE} \ + ${TRUST_STORE_PASSWORD} \ + ${CRT_FILE} \ + ${ALIAS} done fi done 
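Review bot: generateTrustStore still imports only `$(ls ${CLIENT_CA_DIR}/*.crt)` and `$(ls ${CERTIFICATE_DIR}/vitamui-services/ca/*.crt)`, while copyCAFromPki in certs.sh (same commit) now also copies `*.pem` CA files into those `ca` directories, so a CA shipped as .pem would be copied but never end up in any truststore; either extend these loops to `*.crt *.pem` or document in copyCAFromPki that only .crt files feed the truststores. The loops also keep `ls` in a `for` word list, which word-splits on spaces in paths, and the unquoted `${TRUST_STORE}` and `${CRT_FILE}` arguments to addCrtInKeystore carry the same exposure; a direct glob under `shopt -s nullglob` with quoted arguments is safer. generateTrustStore begins in the previous hunk and continues into the next one.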
@@ -179,53 +181,53 @@ function generateTrustStore { if [ "${DEV_MODE}" == "true" ]; then pki_logger "DEV_MODE is true" # Add the server certificates to the truststore - for CRT_FILE in $(find ${REPERTOIRE_CERTIFICAT}/vitamui-services/server -name "*.crt"); do - pki_logger "Ajout de ${CRT_FILE} dans le truststore ${CLIENT_TYPE}" + for CRT_FILE in $(find ${CERTIFICATE_DIR}/vitamui-services/server -name "*.crt"); do + pki_logger "Add ${CRT_FILE} to the truststore ${CLIENT_TYPE}" ALIAS="server-$(basename ${CRT_FILE})" - addCrtInJks ${JKS_TRUST_STORE} \ - ${TRUST_STORE_PASSWORD} \ - ${CRT_FILE} \ - ${ALIAS} + addCrtInKeystore ${TRUST_STORE} \ + ${TRUST_STORE_PASSWORD} \ + ${CRT_FILE} \ + ${ALIAS} done fi } function generateHostKeystore { local COMPONENT="${1}" - local JKS_KEYSTORE="${2}" + local KEYSTORE="${2}" local P12_KEYSTORE="${3}" local CRT_KEY_PASSWORD="${4}" - local JKS_PASSWORD="${5}" + local KEYSTORE_PASSWORD="${5}" local TMP_P12_PASSWORD="${6}" - if [ -f ${JKS_KEYSTORE} ]; then - rm -f ${JKS_KEYSTORE} + if [ -f ${KEYSTORE} ]; then + rm -f ${KEYSTORE} fi - pki_logger "Génération du p12" + pki_logger "Generate p12" crtKeyToP12 $(dirname ${P12_KEYSTORE}) \ ${CRT_KEY_PASSWORD} \ ${COMPONENT} \ ${TMP_P12_PASSWORD} \ ${P12_KEYSTORE} - pki_logger "Génération du jks" - addP12InJks ${JKS_KEYSTORE} \ - ${JKS_PASSWORD} \ + pki_logger "Generate keystore" + addP12InKeystore ${KEYSTORE} \ + ${KEYSTORE_PASSWORD} \ ${P12_KEYSTORE} \ ${TMP_P12_PASSWORD} if [ "${DEV_MODE}" != "true" ]; then if [ -f ${P12_KEYSTORE} ]; then - pki_logger " /!\ Suppression du p12: ${P12_KEYSTORE}" - rm -f ${P12_KEYSTORE} + pki_logger " /!\ Delete p12: ${P12_KEYSTORE}" + rm -vf ${P12_KEYSTORE} fi fi } -###################################################################### -############################# Main ############################# -###################################################################### +################################################################################ 
+################################## Main ################################## +################################################################################ function main() { cd $(dirname $0) @@ -238,14 +240,14 @@ function main() { fi fi - pki_logger "Paramètres d'entrée:" - pki_logger " -> Ecraser la configuration des keystores/PKI: ${ERASE}" + pki_logger "Input parameters:" + pki_logger " -> Overwrite keystores: ${ERASE}" TMP_P12_PASSWORD="$(generatePassphrase)" REPERTOIRE_KEYSTORES="${REPERTOIRE_ROOT}/environments/keystores" if [ ! -d ${REPERTOIRE_KEYSTORES} ]; then - pki_logger "Création du répertoire des keystores ..." + pki_logger "Directory ${REPERTOIRE_KEYSTORES} does not exist, creating it..." mkdir -p ${REPERTOIRE_KEYSTORES}; fi 
@@ -253,57 +255,47 @@ function main() { initVault keystores ${ERASE} # Remove old keystores & servers directories - find ${REPERTOIRE_KEYSTORES} -mindepth 1 -maxdepth 1 -type d -exec rm -rf {} \; - - # Generate the server keystores - for COMPONENT in $(ls ${REPERTOIRE_CERTIFICAT}/vitamui-services/server/); do - - mkdir -p ${REPERTOIRE_KEYSTORES}/vitamui-services/server/${COMPONENT} - - pki_logger "-------------------------------------------" - pki_logger "Creation du keystore de ${COMPONENT}" - JKS_KEYSTORE=${REPERTOIRE_KEYSTORES}/vitamui-services/server/${COMPONENT}/keystore_${COMPONENT}.jks - P12_KEYSTORE=${REPERTOIRE_CERTIFICAT}/vitamui-services/server/${COMPONENT}/${COMPONENT}.p12 - CRT_KEY_PASSWORD=$(getComponentPassphrase certs "server_vitamui_services_${COMPONENT}_key") - JKS_PASSWORD=$(getKeystorePassphrase "keystores_server_vitamui_services_${COMPONENT}") - - generateHostKeystore ${COMPONENT} \ - ${JKS_KEYSTORE} \ - ${P12_KEYSTORE} \ - ${CRT_KEY_PASSWORD} \ - ${JKS_PASSWORD} \ - ${TMP_P12_PASSWORD} + find ${REPERTOIRE_KEYSTORES} -mindepth 1 -maxdepth 1 -type d -exec rm -vrf {} \; + + # Generate the server keystores for vitamui-services except ui- components + for COMPONENT in $( ls ${CERTIFICATE_DIR}/vitamui-services/server/ | grep -v -e "README" -e "^ui-" ); do + mkdir -p ${REPERTOIRE_KEYSTORES}/vitamui-services/server/${COMPONENT} + + pki_logger "-------------------------------------------" + pki_logger "Create keystore for ${COMPONENT}" + KEYSTORE=${REPERTOIRE_KEYSTORES}/vitamui-services/server/${COMPONENT}/keystore_${COMPONENT}.p12 + P12_KEYSTORE=${CERTIFICATE_DIR}/vitamui-services/server/${COMPONENT}/${COMPONENT}.p12 + CRT_KEY_PASSWORD=$(getComponentPassphrase certs "server_vitamui_services_${COMPONENT}_key") + KEYSTORE_PASSWORD=$(getKeystorePassphrase "keystore_server_vitamui_services_${COMPONENT}") + + generateHostKeystore ${COMPONENT} \ + ${KEYSTORE} \ + ${P12_KEYSTORE} \ + ${CRT_KEY_PASSWORD} \ + ${KEYSTORE_PASSWORD} \ + ${TMP_P12_PASSWORD} done - 
# Keystores generation foreach client type (storage, external) - # for CLIENT_TYPE in external storage; do + # Generate client keystores foreach client type for CLIENT_TYPE in external vitam vitamui-services; do - # # Set grantedstore path and delete the store if already exists - # JKS_GRANTED_STORE=${REPERTOIRE_KEYSTORES}/client-${CLIENT_TYPE}/grantedstore_${CLIENT_TYPE}.jks - # GRANTED_STORE_PASSWORD=$(getKeystorePassphrase "grantedstores_client_${CLIENT_TYPE}") - - # # Delete the old granted store if already exists - # if [ -f ${JKS_GRANTED_STORE} ]; then - # rm -f ${JKS_GRANTED_STORE} - # fi if [ "${CLIENT_TYPE}" == "vitamui-services" ]; then STORE_DIR="${REPERTOIRE_KEYSTORES}/${CLIENT_TYPE}/clients" - CERT_SRC_DIR="${REPERTOIRE_CERTIFICAT}/${CLIENT_TYPE}/clients" + CERT_SRC_DIR="${CERTIFICATE_DIR}/${CLIENT_TYPE}/clients" KEY_PREFIX="client_${CLIENT_TYPE}" else STORE_DIR="${REPERTOIRE_KEYSTORES}/client-${CLIENT_TYPE}" - CERT_SRC_DIR="${REPERTOIRE_CERTIFICAT}/client-${CLIENT_TYPE}/clients" + CERT_SRC_DIR="${CERTIFICATE_DIR}/client-${CLIENT_TYPE}/clients" KEY_PREFIX="client_client-${CLIENT_TYPE}" fi mkdir -p ${STORE_DIR} - # # client-${CLIENT_TYPE} keystores generation - for COMPONENT in $( ls ${CERT_SRC_DIR} 2>/dev/null | grep -vF -e "README" -e "external" ); do + # Do not generate keystores for ui- components, we don't need them + for COMPONENT in $( ls ${CERT_SRC_DIR} 2>/dev/null | grep -v -e "README" -e "external" -e "^ui-" ); do # Generate the p12 keystore pki_logger "-------------------------------------------" - pki_logger "Creation du keystore client de ${COMPONENT}" + pki_logger "Generate client keystore for ${COMPONENT}" CERT_DIRECTORY=${CERT_SRC_DIR}/${COMPONENT} CRT_KEY_PASSWORD=$(getComponentPassphrase certs "${KEY_PREFIX}_${COMPONENT}_key") if [ "${CLIENT_TYPE}" == "vitamui-services" ]; then 
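Review bot: The server loop at the top of this hunk still derives COMPONENT from `ls ... | grep -v -e "README" -e "^ui-"`, and the client loop at the end drops the previous `-F`, so `README` and `external` are now regex substrings rather than fixed names and any future component whose directory name merely contains `external` is silently skipped. A directory glob avoids both the `ls` parsing and the substring match: `for COMPONENT_DIR in "${CERTIFICATE_DIR}"/vitamui-services/server/*/; do COMPONENT=$(basename "${COMPONENT_DIR}")` with `case "${COMPONENT}" in ui-*) continue ;; esac` (the trailing slash restricts the glob to directories, which drops a README file without a name match). The vault key prefix also changes from `keystores_*` to `keystore_*` in the `getKeystorePassphrase` calls; if that helper creates a fresh passphrase when a key is absent (its body is not in the diff), existing vaults will gain new entries while the old `keystores_*` ones linger, so a one-line migration note in the script header would help operators. main() continues beyond this hunk on both sides.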
@@ -311,31 +303,31 @@ function main() { else P12_KEYSTORE=${STORE_DIR}/keystore_${COMPONENT}.p12 fi - P12_PASSWORD=$(getKeystorePassphrase "keystores_client_${CLIENT_TYPE}_${COMPONENT}") + P12_PASSWORD=$(getKeystorePassphrase "keystore_client_${CLIENT_TYPE}_${COMPONENT}") if [ "${DEV_MODE}" != "true" ]; then if [ -f ${P12_KEYSTORE} ]; then - pki_logger " /!\ Suppression du p12: ${P12_KEYSTORE}" - rm -f ${P12_KEYSTORE} + pki_logger " /!\ Delete p12: ${P12_KEYSTORE}" + rm -vf ${P12_KEYSTORE} fi fi - pki_logger "Génération du p12" + pki_logger "Generate p12" crtKeyToP12 ${CERT_DIRECTORY} \ ${CRT_KEY_PASSWORD} \ ${COMPONENT} \ ${P12_PASSWORD} \ ${P12_KEYSTORE} - pki_logger "Génération du jks" + pki_logger "Generate keystore for ${COMPONENT}" if [ "${CLIENT_TYPE}" == "vitamui-services" ]; then - JKS_KEYSTORE=${STORE_DIR}/${COMPONENT}/keystore_${COMPONENT}.jks + KEYSTORE=${STORE_DIR}/${COMPONENT}/keystore_${COMPONENT}.p12 else - JKS_KEYSTORE=${STORE_DIR}/keystore_${COMPONENT}.jks + KEYSTORE=${STORE_DIR}/keystore_${COMPONENT}.p12 fi - JKS_PASSWORD=$(getKeystorePassphrase "keystores_client_${CLIENT_TYPE}_${COMPONENT}") - addP12InJks ${JKS_KEYSTORE} \ - ${JKS_PASSWORD} \ + KEYSTORE_PASSWORD=$(getKeystorePassphrase "keystore_client_${CLIENT_TYPE}_${COMPONENT}") + addP12InKeystore ${KEYSTORE} \ + ${KEYSTORE_PASSWORD} \ ${P12_KEYSTORE} \ ${P12_PASSWORD} done diff --git a/deployment/roles/nginx/templates/nginx.conf.j2 b/deployment/roles/nginx/templates/nginx.conf.j2 index 5ad4bd13678..17e5028d2b2 100644 --- a/deployment/roles/nginx/templates/nginx.conf.j2 +++ b/deployment/roles/nginx/templates/nginx.conf.j2 @@ -23,7 +23,8 @@ http { error_log {{ nginx_log_dir }}/error.log; # Force consul agent resolution - resolver 127.0.0.1; + resolver 127.0.0.1 valid=10s ipv6=off; + resolver_timeout 5s; sendfile on; tcp_nopush on; diff --git a/deployment/roles/nginx_webapp/defaults/main.yml b/deployment/roles/nginx_webapp/defaults/main.yml index b362274a8aa..320c98aff03 100644 
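Review bot: In the non-`vitamui-services` branch of this hunk, `KEYSTORE=${STORE_DIR}/keystore_${COMPONENT}.p12` is byte-for-byte the same path as the unchanged `P12_KEYSTORE=${STORE_DIR}/keystore_${COMPONENT}.p12` a few lines above, and `KEYSTORE_PASSWORD` and `P12_PASSWORD` are fetched with the same vault key, so `addP12InKeystore` is asked to import a PKCS12 into itself; before the rename the destination was a distinct `.jks`, so this is new. Either give the intermediate store a different name (e.g. `P12_KEYSTORE=${STORE_DIR}/${COMPONENT}_tmp.p12`) or, if the p12 produced by crtKeyToP12 is meant to be the final keystore for the external/vitam client types, skip the addP12InKeystore call in that branch and say so in a comment. The `if` branch's P12_KEYSTORE is outside the hunk, so it is worth checking that it does not collide with `${STORE_DIR}/${COMPONENT}/keystore_${COMPONENT}.p12` the same way. The enclosing loop and main() extend beyond the hunk.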
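Review bot: `resolver 127.0.0.1 valid=10s ipv6=off;` names no port, so nginx queries port 53 on loopback, while the comment above it says this forces resolution through the consul agent, whose DNS interface listens on 8600 by default; either a local forwarder is assumed or the port is missing. If the former, make the comment say it (`# Force consul agent resolution (via the local DNS forwarder on :53)`); if the latter, use `resolver 127.0.0.1:8600 valid=10s ipv6=off;`. Because the resolver is only consulted when `proxy_pass` targets a variable, a wrong port surfaces at request time rather than at `nginx -t`.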
--- a/deployment/roles/nginx_webapp/defaults/main.yml +++ b/deployment/roles/nginx_webapp/defaults/main.yml @@ -14,3 +14,5 @@ nginx_ssl_dir: /etc/nginx/conf.d/ssl secure: "{{ vitamui_defaults.services.secure | default(true) | bool }}" package_name: "vitamui-{{ vitamui_struct.vitamui_component }}-rsc" + +consul_folder_conf: "{{ vitam_defaults.folder.root_path }}/conf/consul" diff --git a/deployment/roles/nginx_webapp/handlers/main.yml b/deployment/roles/nginx_webapp/handlers/main.yml index edde81c50be..ace2c102dd7 100644 --- a/deployment/roles/nginx_webapp/handlers/main.yml +++ b/deployment/roles/nginx_webapp/handlers/main.yml @@ -1,5 +1,10 @@ --- +- name: nginx_webapp - reload consul configuration + service: + name: "{{ consul.service_name | default('vitam-consul') }}" + state: reloaded + - name: reload nginx service: name: nginx diff --git a/deployment/roles/nginx_webapp/tasks/install.yml b/deployment/roles/nginx_webapp/tasks/install.yml index 2b3d89709ec..ccf929cacda 100644 --- a/deployment/roles/nginx_webapp/tasks/install.yml +++ b/deployment/roles/nginx_webapp/tasks/install.yml @@ -25,7 +25,7 @@ set_fact: frontend_application_version: "{{ package_facts_result.ansible_facts.packages[ vitamui_struct.package_name | default(package_name) ][0].version }}" -- name: Configure upsteam for API GW +- name: Configure upstream for API GW template: src: frontend/upstream_gw.j2 dest: "{{ nginx_conf_dir }}/upstream_gw" 
@@ -52,27 +52,59 @@ mode: "{{ vitam_defaults.folder.conf_permission }}" notify: reload nginx -- name: "Add UI certificates for {{ vitamui_struct.vitamui_component }}" +- name: "Add client certificates for {{ vitamui_struct.vitamui_component }}" copy: - src: "{{ item }}" - dest: "{{ nginx_ssl_dir }}" + src: "{{ inventory_dir }}/certs/vitamui-services/clients/{{ vitamui_struct.vitamui_component }}/{{ vitamui_struct.vitamui_component }}.{{ item }}" + dest: "{{ nginx_ssl_dir }}/{{ vitamui_struct.vitamui_component }}_client.{{ item }}" group: "{{ frontend_group }}" owner: "{{ frontend_user }}" mode: "{{ vitam_defaults.folder.conf_permission }}" - with_fileglob: - - "{{ inventory_dir }}/certs/vitamui-services/server/{{ vitamui_struct.vitamui_component }}/{{ vitamui_struct.vitamui_component }}.crt" - - "{{ inventory_dir }}/certs/vitamui-services/server/{{ vitamui_struct.vitamui_component }}/{{ vitamui_struct.vitamui_component }}.key" + loop: + - crt + - key + when: vitamui_struct.vitamui_component != "ui-design-system" + tags: update_vitamui_certificates notify: reload nginx -- name: Put ssl configuration when secure is enabled - template: - src: ssl-ui.conf.j2 - dest: "{{ nginx_ssl_dir }}/{{ vitamui_struct.vitamui_component }}-ssl.conf" - group: "{{ frontend_group }}" - owner: "{{ frontend_user }}" - mode: "{{ vitamui_defaults.folder.conf_permission }}" - when: vitamui_struct.secure | default(secure) | bool - notify: reload nginx +- block: + + - name: "Add server certificates for {{ vitamui_struct.vitamui_component }} when secure is enabled" + copy: + src: "{{ inventory_dir }}/certs/vitamui-services/server/{{ vitamui_struct.vitamui_component }}/{{ vitamui_struct.vitamui_component }}.{{ item }}" + dest: "{{ nginx_ssl_dir }}/{{ vitamui_struct.vitamui_component }}_server.{{ item }}" + group: "{{ frontend_group }}" + owner: "{{ frontend_user }}" + mode: "{{ vitam_defaults.folder.conf_permission }}" + loop: + - crt + - key + tags: update_vitamui_certificates + notify: reload 
nginx + + - name: "Put ssl configuration for {{ vitamui_struct.vitamui_component }} when secure is enabled" + template: + src: ssl-ui.conf.j2 + dest: "{{ nginx_ssl_dir }}/{{ vitamui_struct.vitamui_component }}-ssl.conf" + group: "{{ frontend_group }}" + owner: "{{ frontend_user }}" + mode: "{{ vitamui_defaults.folder.conf_permission }}" + notify: reload nginx + + #### Consul configuration #### + # Ensures the service can be resolved via a DNS name that matches the certificate's SAN. + - name: "Deploy consul agent service declaration for {{ vitamui_struct.vitamui_component }} service" + template: + src: service-componentid.json.j2 + dest: "{{ consul.conf_folder | default(consul_folder_conf) }}/service-{{ vitamui_struct.vitamui_component }}.json" + owner: "{{ vitam_defaults.users.vitam }}" + group: "{{ vitam_defaults.users.group }}" + mode: "{{ '0644' if install_mode == 'container' else vitam_defaults.folder.conf_permission }}" + tags: consul_conf + notify: nginx_webapp - reload consul configuration + + when: + - vitamui_struct.secure | default(secure) | bool + - vitamui_struct.vitamui_component != "ui-design-system" - name: Ensure nginx is started systemd: diff --git a/deployment/roles/nginx_webapp/tasks/uninstall.yml b/deployment/roles/nginx_webapp/tasks/uninstall.yml index 246c55f4887..37324a01963 100644 --- a/deployment/roles/nginx_webapp/tasks/uninstall.yml +++ b/deployment/roles/nginx_webapp/tasks/uninstall.yml @@ -21,4 +21,7 @@ - "{{ nginx_ssl_dir }}/{{ vitamui_struct.vitamui_component }}-ssl.conf" - "{{ nginx_conf_dir }}/{{ vitamui_struct.vitamui_component }}.conf" - "{{ frontend_data_dir }}/{{ vitamui_struct.vitamui_component }}/assets/config.json" - notify: reload nginx + - "{{ consul.conf_folder | default(consul_folder_conf) }}/service-{{ vitamui_struct.vitamui_component }}.json" + notify: + - reload nginx + - nginx_webapp - reload consul configuration 
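Review bot: The consul service declaration task sits inside the block guarded by `vitamui_struct.secure | default(secure) | bool`, so a component deployed with secure=false is never registered, yet the reverse-proxy templates in this same commit (httpd_config, vhost.conf.j2) address every backend as `vitamui-<component>.service.<consul_domain>` regardless of `secure`. Unless those services are registered elsewhere, a non-TLS deployment fails DNS resolution at the proxy; moving the consul task out of the block (keeping only the `ui-design-system` exclusion) would match the proxies, and the `# Ensures the service can be resolved ...` comment would then describe the SAN match as a benefit rather than the condition. Separately, both the client and server `.key` files are copied with the same `vitam_defaults.folder.conf_permission` as the `.crt`; if that default is group- or world-readable, `mode: "{{ '0600' if item == 'key' else vitam_defaults.folder.conf_permission }}"` keeps the private keys owner-only (nginx loads them in the master process, not as the worker user). The file continues after this hunk.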
diff --git a/deployment/roles/nginx_webapp/templates/frontend/vhost.conf.j2 b/deployment/roles/nginx_webapp/templates/frontend/vhost.conf.j2 index ccb1ba29592..eb31e96599e 100644 --- a/deployment/roles/nginx_webapp/templates/frontend/vhost.conf.j2 +++ b/deployment/roles/nginx_webapp/templates/frontend/vhost.conf.j2 @@ -36,10 +36,15 @@ server { {% endfor %} deny all; # Deny access to all other IP addresses - proxy_pass {{ 'https' if vitamui.api_gateway.secure | default(secure) | bool else 'http' }}://API-GATEWAY; - proxy_ssl_certificate {{ nginx_ssl_dir }}/{{ vitamui_struct.vitamui_component }}.crt; - proxy_ssl_certificate_key {{ nginx_ssl_dir }}/{{ vitamui_struct.vitamui_component }}.key; + set $api_gateway_dns "vitamui-{{ vitamui.api_gateway.vitamui_component }}.service.{{ consul_domain }}"; + proxy_pass {{ 'https' if vitamui.api_gateway.secure | default(secure) | bool else 'http' }}://$api_gateway_dns:{{ vitamui.api_gateway.port_service }}; + # proxy_pass {{ 'https' if vitamui.api_gateway.secure | default(secure) | bool else 'http' }}://API-GATEWAY; + {% if vitamui_struct.vitamui_component != 'ui-design-system' %} + proxy_ssl_certificate {{ nginx_ssl_dir }}/{{ vitamui_struct.vitamui_component }}_client.crt; + proxy_ssl_certificate_key {{ nginx_ssl_dir }}/{{ vitamui_struct.vitamui_component }}_client.key; proxy_ssl_session_reuse off; + # proxy_ssl_password_file {{ nginx_ssl_dir }}/{{ vitamui_struct.vitamui_component }}_client.key_pass; + {% endif %} {% if vitamui_struct.vitamui_component in [ 'ui-ingest', 'ui-collect' ] %} # http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_request_buffering diff --git a/deployment/roles/nginx_webapp/templates/service-componentid.json.j2 b/deployment/roles/nginx_webapp/templates/service-componentid.json.j2 new file mode 100644 index 00000000000..667d2afa2eb --- /dev/null +++ b/deployment/roles/nginx_webapp/templates/service-componentid.json.j2 
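Review bot: The switch to `proxy_pass ...://$api_gateway_dns:...` with a client certificate adds nothing on the server-verification side: no `proxy_ssl_verify on;`, `proxy_ssl_trusted_certificate` or `proxy_ssl_name $api_gateway_dns;` appears in the hunk, so nginx still accepts any certificate presented by whatever the consul name resolves to (if these are set elsewhere in the template, ignore this). The stated goal of a DNS name matching the gateway's SAN only pays off once those directives are present. Also, the commented-out old `# proxy_pass ...://API-GATEWAY;` and `# proxy_ssl_password_file ...` lines are rendered into the live config on every host; drop them or turn them into Jinja comments (`{# ... #}`) so they do not ship.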
@@ -0,0 +1,17 @@ +{ + "service": { + "name": "vitamui-{{ vitamui_struct.vitamui_component }}", + "address": "{{ ip_service }}", + "port": {{ vitamui_struct.port_service }}, + "enable_tag_override": false, + "tags": ["vitamui", "{{ vitamui_struct.vitamui_component }}"], + "checks": [ + { + "name": "Service 'vitamui-{{ vitamui_struct.vitamui_component }}' check", + "notes": "HTTP port opened", + "tcp": "{{ ip_service }}:{{ vitamui_struct.port_service }}", + "interval": "10s" + } + ] + } +} diff --git a/deployment/roles/nginx_webapp/templates/ssl-ui.conf.j2 b/deployment/roles/nginx_webapp/templates/ssl-ui.conf.j2 index 9ed2269484b..577ee4d2b3a 100644 --- a/deployment/roles/nginx_webapp/templates/ssl-ui.conf.j2 +++ b/deployment/roles/nginx_webapp/templates/ssl-ui.conf.j2 @@ -1,5 +1,6 @@ -ssl_certificate {{ nginx_ssl_dir }}/{{ vitamui_struct.vitamui_component }}.crt; -ssl_certificate_key {{ nginx_ssl_dir }}/{{ vitamui_struct.vitamui_component }}.key; +ssl_certificate {{ nginx_ssl_dir }}/{{ vitamui_struct.vitamui_component }}_server.crt; +ssl_certificate_key {{ nginx_ssl_dir }}/{{ vitamui_struct.vitamui_component }}_server.key; +# ssl_password_file {{ nginx_ssl_dir }}/{{ vitamui_struct.vitamui_component }}_server.key_pass; ssl_prefer_server_ciphers on; ssl_session_cache shared:SSL:10m; diff --git a/deployment/roles/reinit_security_certificates/templates/security.populate_certificates.js.j2 b/deployment/roles/reinit_security_certificates/templates/security.populate_certificates.js.j2 index 6b490390cfe..56a90002797 100644 --- a/deployment/roles/reinit_security_certificates/templates/security.populate_certificates.js.j2 +++ b/deployment/roles/reinit_security_certificates/templates/security.populate_certificates.js.j2 
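Review bot: `"port": {{ vitamui_struct.port_service }},` and the `"tcp"` check emit the variable verbatim, so a port that an inventory defines as a quoted string renders as unquoted, non-numeric JSON that consul rejects; `"port": {{ vitamui_struct.port_service | int }},` makes the type explicit. The check's `"notes": "HTTP port opened"` describes a plain TCP connect probe; `"notes": "TCP port reachable"` avoids operators reading it as an HTTP health check, or use an `http` check if the component exposes a health endpoint.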
@@ -1,39 +1,31 @@ -db = db.getSiblingDB('{{ mongodb.security.db }}') +dbSecurity = db.getSiblingDB('{{ mongodb.security.db | default('security') }}') print("START security.populate_certificates.js"); -db.certificates.deleteMany({}); +dbSecurity.certificates.deleteMany({}); -{% macro insertCertificate(pemFile, contextId, host) -%} -db.certificates.insertOne({ - "_id": "{{ host+'_' if (host is defined and host != '') else '' }}{{ pemFile | basename | replace('.pem','_cert') }}", - "contextId": "{{ contextId }}", - "subjectDN": "subjectDN", - "issuerDN": "issuerDN", - "serialNumber": "serialNumberAdmin", - "data": "{{ lookup('file', pemFile) | cert_to_str() }}" -}) +{% macro insertCertificate(pemFile, contextId, groupName) -%} + {% if groups[groupName] | default([]) | length > 0 %} + dbSecurity.certificates.insertOne({ + "_id": "{{ pemFile | basename | replace('.pem','_cert') }}", + "contextId": "{{ contextId }}", + "subjectDN": "subjectDN", + "issuerDN": "issuerDN", + "serialNumber": "serialNumberAdmin", + "data": "{{ lookup('file', pemFile) | cert_to_str() }}" + }) + {% endif %} {%- endmacro %} -{% macro process(keyPath, contextId, groupName) -%} - {% if groupName is defined and groupName != '' %} - {% for host in groups[groupName] %} - {{ insertCertificate(keyPath | replace('%host%', host), contextId, host) }} - {% endfor %} - {% else %} - {{ insertCertificate(keyPath, contextId) }} - {% endif %} -{%- endmacro %} - -{{ process('{{ pki_dir }}/vitamui-services/clients/cas-server/cas-server.pem', 'cas_context') }} +{{ insertCertificate(pki_dir + '/vitamui-services/clients/cas-server/cas-server.pem', 'cas_context', 'hosts_cas_server') }} -{{ process('{{ pki_dir }}/vitamui-services/clients/ui-portal/ui-portal.pem', 'ui_portal_context') }} -{{ process('{{ pki_dir }}/vitamui-services/clients/ui-identity/ui-identity.pem', 'ui_identity_context') }} -{{ process('{{ pki_dir }}/vitamui-services/clients/ui-identity-admin/ui-identity-admin.pem', 'ui_admin_identity_context') }} 
-{{ process('{{ pki_dir }}/vitamui-services/clients/ui-referential/ui-referential.pem', 'ui_referential_context') }} -{{ process('{{ pki_dir }}/vitamui-services/clients/ui-archive-search/ui-archive-search.pem', 'ui_archive_search_context') }} -{{ process('{{ pki_dir }}/vitamui-services/clients/ui-ingest/ui-ingest.pem', 'ui_ingest_context') }} -{{ process('{{ pki_dir }}/vitamui-services/clients/ui-pastis/ui-pastis.pem', 'ui_pastis_context') }} -{{ process('{{ pki_dir }}/vitamui-services/clients/ui-collect/ui-collect.pem', 'ui_collect_context') }} +{{ insertCertificate(pki_dir + '/vitamui-services/clients/ui-portal/ui-portal.pem', 'ui_portal_context', 'hosts_ui_portal') }} +{{ insertCertificate(pki_dir + '/vitamui-services/clients/ui-identity/ui-identity.pem', 'ui_identity_context', 'hosts_ui_identity') }} +{{ insertCertificate(pki_dir + '/vitamui-services/clients/ui-identity-admin/ui-identity-admin.pem', 'ui_admin_identity_context', 'hosts_ui_identity_admin') }} +{{ insertCertificate(pki_dir + '/vitamui-services/clients/ui-referential/ui-referential.pem', 'ui_referential_context', 'hosts_ui_referential') }} +{{ insertCertificate(pki_dir + '/vitamui-services/clients/ui-archive-search/ui-archive-search.pem', 'ui_archive_search_context', 'hosts_ui_archive_search') }} +{{ insertCertificate(pki_dir + '/vitamui-services/clients/ui-ingest/ui-ingest.pem', 'ui_ingest_context', 'hosts_ui_ingest') }} +{{ insertCertificate(pki_dir + '/vitamui-services/clients/ui-pastis/ui-pastis.pem', 'ui_pastis_context', 'hosts_ui_pastis') }} +{{ insertCertificate(pki_dir + '/vitamui-services/clients/ui-collect/ui-collect.pem', 'ui_collect_context', 'hosts_ui_collect') }} print("END security.populate_certificates.js"); diff --git a/deployment/roles/reverse/tasks/apache/apache.yml b/deployment/roles/reverse/tasks/apache/apache.yml index 72dd666a0b0..0621a81a99f 100644 --- a/deployment/roles/reverse/tasks/apache/apache.yml +++ b/deployment/roles/reverse/tasks/apache/apache.yml 
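Review bot: The guard `{% if groups[groupName] | default([]) | length > 0 %}` in the new `insertCertificate` macro subscripts `groups` directly, whereas httpd_config and upstream.j2 in this same commit use `groups.get('...', [])`; `default` does rescue an undefined subscript, but two idioms in one change read as if they differ. `{% if groups.get(groupName, []) | length > 0 %}` keeps them consistent. The `_id` also no longer carries a host prefix, so one document per component is inserted instead of one per host; that matches the per-component client certificates under `clients/<component>/`, but a one-line comment above the macro stating it would spare the next reader the diff archaeology.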
@@ -92,7 +92,7 @@ - name: copy server certificate files when protocole https copy: - src: "{{ inventory_dir }}/certs/vitamui-services/server/hosts/{{ inventory_hostname }}/reverse.{{ item }}" + src: "{{ inventory_dir }}/certs/vitamui-services/server/reverse/reverse.{{ item }}" dest: "/etc/{{ apache_service }}/certs/reverse.{{ item }}" owner: "{{ apache_user }}" group: "{{ apache_group }}" diff --git a/deployment/roles/reverse/tasks/nginx/nginx.yml b/deployment/roles/reverse/tasks/nginx/nginx.yml index d6da5844735..0d31297f504 100644 --- a/deployment/roles/reverse/tasks/nginx/nginx.yml +++ b/deployment/roles/reverse/tasks/nginx/nginx.yml @@ -28,6 +28,7 @@ - reverse.crt - reverse.key - dhparam.pem + - vitamui-services-ca-bundle.pem notify: reload nginx - name: Ensure nginx is started diff --git a/deployment/roles/reverse/templates/apache/httpd_config b/deployment/roles/reverse/templates/apache/httpd_config index d40da1ff322..a7718f7c8bb 100644 --- a/deployment/roles/reverse/templates/apache/httpd_config +++ b/deployment/roles/reverse/templates/apache/httpd_config @@ -1,14 +1,11 @@ +ServerName {{ vitamui_reverse_external_dns }} {% if vitamui_reverse_external_protocol | default('https') | lower == 'https' %} + ServerAlias reverse.service.{{ consul_domain }} SSLEngine on SSLCertificateFile /etc/{{ apache_service }}/certs/reverse.crt SSLCertificateKeyFile /etc/{{ apache_service }}/certs/reverse.key - ServerName {{ vitamui_reverse_external_dns }} - ServerAlias reverse.service.{{ consul_domain }} - ServerAlias {{ ip_service }} -{% else %} - ServerName {{ vitamui_reverse_external_dns }} {% endif %} {% if authorization_header_name is defined and authorization_header_name | length %} 
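Review bot: Changing `src` from `.../server/hosts/{{ inventory_hostname }}/reverse.{{ item }}` to `.../server/reverse/reverse.{{ item }}` means every reverse host now receives the same certificate and private key. That works only if `reverse.crt` carries every name the hosts answer to (the new `ServerAlias reverse.service.{{ consul_domain }}` in httpd_config plus `vitamui_reverse_external_dns`), and it widens the blast radius of one host's key compromise to all of them; a comment above the task such as `# One shared reverse key pair for all reverse hosts; its SAN must cover every alias` records the trade-off. I cannot see whether the PKI script stops generating the per-host `hosts/<name>/reverse.*` files; if it does not, the stale copies will confuse operators.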
@@ -44,68 +41,65 @@ SubstituteMaxLineLength 12M # UI IDENTITY ADMIN -{% for host in groups['hosts_ui_identity_admin'] %} - ProxyPassMatch ^/identity-admin/(.*)$ {{ 'https' if vitamui.ui_identity_admin.secure | default(secure) | bool else 'http' }}://{{ hostvars[host]['ip_service'] }}:{{ vitamui.ui_identity_admin.port_service }}/$1 {{ reverse_connection_params }} - ProxyPassReverse /identity-admin {{ 'https' if vitamui.ui_identity_admin.secure | default(secure) | bool else 'http' }}://{{ hostvars[host]['ip_service'] }}:{{ vitamui.ui_identity_admin.port_service }} + ProxyPassMatch ^/identity-admin/(.*)$ {{ 'https' if vitamui.ui_identity_admin.secure | default(secure) | bool else 'http' }}://vitamui-{{ vitamui.ui_identity_admin.vitamui_component }}.service.{{ consul_domain }}:{{ vitamui.ui_identity_admin.port_service }}/$1 {{ reverse_connection_params }} + ProxyPassReverse /identity-admin {{ 'https' if vitamui.ui_identity_admin.secure | default(secure) | bool else 'http' }}://vitamui-{{ vitamui.ui_identity_admin.vitamui_component }}.service.{{ consul_domain }}:{{ vitamui.ui_identity_admin.port_service }} SetOutputFilter proxy-html ProxyHTMLURLMap /identity/ /identity-admin/ RequestHeader unset Accept-Encoding -{% endfor %} # UI IDENTITY -{% for host in groups['hosts_ui_identity'] %} - ProxyPassMatch ^/identity/(.*)$ {{ 'https' if vitamui.ui_identity.secure | default(secure) | bool else 'http' }}://{{ hostvars[host]['ip_service'] }}:{{ vitamui.ui_identity.port_service }}/$1 - ProxyPassReverse /identity {{ 'https' if vitamui.ui_identity.secure | default(secure) | bool else 'http' }}://{{ hostvars[host]['ip_service'] }}:{{ vitamui.ui_identity.port_service }} -{% endfor %} + ProxyPassMatch ^/identity/(.*)$ {{ 'https' if vitamui.ui_identity.secure | default(secure) | bool else 'http' }}://vitamui-{{ vitamui.ui_identity.vitamui_component }}.service.{{ consul_domain }}:{{ vitamui.ui_identity.port_service }}/$1 + ProxyPassReverse /identity {{ 'https' if 
vitamui.ui_identity.secure | default(secure) | bool else 'http' }}://vitamui-{{ vitamui.ui_identity.vitamui_component }}.service.{{ consul_domain }}:{{ vitamui.ui_identity.port_service }} +{% if groups.get('hosts_ui_referential', []) | length > 0 %} # UI REFERENTIAL -{% for host in groups['hosts_ui_referential'] %} - ProxyPassMatch ^/referential/(.*)$ {{ 'https' if vitamui.ui_referential.secure | default(secure) | bool else 'http' }}://{{ hostvars[host]['ip_service'] }}:{{ vitamui.ui_referential.port_service }}/$1 - ProxyPassReverse /referential {{ 'https' if vitamui.ui_referential.secure | default(secure) | bool else 'http' }}://{{ hostvars[host]['ip_service'] }}:{{ vitamui.ui_referential.port_service }} -{% endfor %} + ProxyPassMatch ^/referential/(.*)$ {{ 'https' if vitamui.ui_referential.secure | default(secure) | bool else 'http' }}://vitamui-{{ vitamui.ui_referential.vitamui_component }}.service.{{ consul_domain }}:{{ vitamui.ui_referential.port_service }}/$1 + ProxyPassReverse /referential {{ 'https' if vitamui.ui_referential.secure | default(secure) | bool else 'http' }}://vitamui-{{ vitamui.ui_referential.vitamui_component }}.service.{{ consul_domain }}:{{ vitamui.ui_referential.port_service }} +{% endif %} +{% if groups.get('hosts_ui_ingest', []) | length > 0 %} # UI INGEST -{% for host in groups['hosts_ui_ingest'] %} - ProxyPassMatch ^/ingest/(.*)$ {{ 'https' if vitamui.ui_ingest.secure | default(secure) | bool else 'http' }}://{{ hostvars[host]['ip_service'] }}:{{ vitamui.ui_ingest.port_service }}/$1 - ProxyPassReverse /ingest {{ 'https' if vitamui.ui_ingest.secure | default(secure) | bool else 'http' }}://{{ hostvars[host]['ip_service'] }}:{{ vitamui.ui_ingest.port_service }} -{% endfor %} + ProxyPassMatch ^/ingest/(.*)$ {{ 'https' if vitamui.ui_ingest.secure | default(secure) | bool else 'http' }}://vitamui-{{ vitamui.ui_ingest.vitamui_component }}.service.{{ consul_domain }}:{{ vitamui.ui_ingest.port_service }}/$1 + ProxyPassReverse /ingest {{ 
'https' if vitamui.ui_ingest.secure | default(secure) | bool else 'http' }}://vitamui-{{ vitamui.ui_ingest.vitamui_component }}.service.{{ consul_domain }}:{{ vitamui.ui_ingest.port_service }} +{% endif %} +{% if groups.get('hosts_ui_pastis', []) | length > 0 %} # UI PASTIS -{% for host in groups['hosts_ui_pastis'] %} - ProxyPassMatch ^/pastis/(.*)$ {{ 'https' if vitamui.ui_pastis.secure | default(secure) | bool else 'http' }}://{{ hostvars[host]['ip_service'] }}:{{ vitamui.ui_pastis.port_service }}/$1 - ProxyPassReverse /pastis {{ 'https' if vitamui.ui_pastis.secure | default(secure) | bool else 'http' }}://{{ hostvars[host]['ip_service'] }}:{{ vitamui.ui_pastis.port_service }} -{% endfor %} + ProxyPassMatch ^/pastis/(.*)$ {{ 'https' if vitamui.ui_pastis.secure | default(secure) | bool else 'http' }}://vitamui-{{ vitamui.ui_pastis.vitamui_component }}.service.{{ consul_domain }}:{{ vitamui.ui_pastis.port_service }}/$1 + ProxyPassReverse /pastis {{ 'https' if vitamui.ui_pastis.secure | default(secure) | bool else 'http' }}://vitamui-{{ vitamui.ui_pastis.vitamui_component }}.service.{{ consul_domain }}:{{ vitamui.ui_pastis.port_service }} +{% endif %} +{% if groups.get('hosts_ui_archive_search', []) | length > 0 %} # UI ARCHIVE SEARCH -{% for host in groups['hosts_ui_archive_search'] %} - ProxyPassMatch ^/archive-search/(.*)$ {{ 'https' if vitamui.ui_archive_search.secure | default(secure) | bool else 'http' }}://{{ hostvars[host]['ip_service'] }}:{{ vitamui.ui_archive_search.port_service }}/$1 - ProxyPassReverse /archive-search {{ 'https' if vitamui.ui_archive_search.secure | default(secure) | bool else 'http' }}://{{ hostvars[host]['ip_service'] }}:{{ vitamui.ui_archive_search.port_service }} -{% endfor %} + ProxyPassMatch ^/archive-search/(.*)$ {{ 'https' if vitamui.ui_archive_search.secure | default(secure) | bool else 'http' }}://vitamui-{{ vitamui.ui_archive_search.vitamui_component }}.service.{{ consul_domain }}:{{ vitamui.ui_archive_search.port_service }}/$1 
+ ProxyPassReverse /archive-search {{ 'https' if vitamui.ui_archive_search.secure | default(secure) | bool else 'http' }}://vitamui-{{ vitamui.ui_archive_search.vitamui_component }}.service.{{ consul_domain }}:{{ vitamui.ui_archive_search.port_service }} +{% endif %} +{% if groups.get('hosts_ui_collect', []) | length > 0 %} # UI COLLECT -{% for host in groups['hosts_ui_collect'] %} - ProxyPassMatch ^/collect/(.*)$ {{ 'https' if vitamui.ui_collect.secure | default(secure) | bool else 'http' }}://{{ hostvars[host]['ip_service'] }}:{{ vitamui.ui_collect.port_service }}/$1 - ProxyPassReverse /collect {{ 'https' if vitamui.ui_collect.secure | default(secure) | bool else 'http' }}://{{ hostvars[host]['ip_service'] }}:{{ vitamui.ui_collect.port_service }} -{% endfor %} + ProxyPassMatch ^/collect/(.*)$ {{ 'https' if vitamui.ui_collect.secure | default(secure) | bool else 'http' }}://vitamui-{{ vitamui.ui_collect.vitamui_component }}.service.{{ consul_domain }}:{{ vitamui.ui_collect.port_service }}/$1 + ProxyPassReverse /collect {{ 'https' if vitamui.ui_collect.secure | default(secure) | bool else 'http' }}://vitamui-{{ vitamui.ui_collect.vitamui_component }}.service.{{ consul_domain }}:{{ vitamui.ui_collect.port_service }} +{% endif %} +{% if groups.get('hosts_cas_server', []) | length > 0 %} # CAS SERVER -{% for host in groups['hosts_cas_server'] %} - ProxyPassMatch ^/cas/((login|logout|extras|webjars|css|icons|favicon|images|js|serviceValidate|oauth2.0|clientredirect|oidc).*)$ {{ 'https' if vitamui.cas_server.secure | default(secure) | bool else 'http' }}://{{ hostvars[host]['ip_service'] }}:{{ vitamui.cas_server.port_service }}/cas/$1 {{ reverse_connection_params }} - ProxyPassReverse /cas {{ 'https' if vitamui.cas_server.secure | default(secure) | bool else 'http' }}://{{ hostvars[host]['ip_service'] }}:{{ vitamui.cas_server.port_service }} -{% endfor %} + ProxyPassMatch 
^/cas/((login|logout|extras|webjars|css|icons|favicon|images|js|serviceValidate|oauth2.0|clientredirect|oidc).*)$ {{ 'https' if vitamui.cas_server.secure | default(secure) | bool else 'http' }}://{{ vitamui.cas_server.host }}:{{ vitamui.cas_server.port_service }}/cas/$1 {{ reverse_connection_params }} + ProxyPassReverse /cas {{ 'https' if vitamui.cas_server.secure | default(secure) | bool else 'http' }}://{{ vitamui.cas_server.host }}:{{ vitamui.cas_server.port_service }} +{% endif %} +{% if groups.get('hosts_ui_portal', []) | length > 0 %} # PORTAL -{% for host in groups['hosts_ui_portal'] %} - ProxyPass / {{ 'https' if vitamui.ui_portal.secure | default(secure) | bool else 'http' }}://{{ hostvars[host]['ip_service'] }}:{{ vitamui.ui_portal.port_service }}/ {{ reverse_connection_params }} - ProxyPassReverse / {{ 'https' if vitamui.ui_portal.secure | default(secure) | bool else 'http' }}://{{ hostvars[host]['ip_service'] }}:{{ vitamui.ui_portal.port_service }}/ -{% endfor %} - -{% for host in groups.get('hosts_ui_design_system', []) %} - ProxyPass / {{ 'https' if vitamui.ui_design_system.secure | default(secure) | bool else 'http' }}://{{ hostvars[host]['ip_service'] }}:{{ vitamui.ui_design_system.port_service }}/ {{ reverse_connection_params }} - ProxyPassReverse / {{ 'https' if vitamui.ui_design_system.secure | default(secure) | bool else 'http' }}://{{ hostvars[host]['ip_service'] }}:{{ vitamui.ui_design_system.port_service }}/ -{% endfor %} + ProxyPass / {{ 'https' if vitamui.ui_portal.secure | default(secure) | bool else 'http' }}://vitamui-{{ vitamui.ui_portal.vitamui_component }}.service.{{ consul_domain }}:{{ vitamui.ui_portal.port_service }}/ {{ reverse_connection_params }} + ProxyPassReverse / {{ 'https' if vitamui.ui_portal.secure | default(secure) | bool else 'http' }}://vitamui-{{ vitamui.ui_portal.vitamui_component }}.service.{{ consul_domain }}:{{ vitamui.ui_portal.port_service }}/ +{% endif %} + +{% if groups.get('hosts_ui_design_system', []) | 
length > 0 %} + # UI DESIGN SYSTEM + ProxyPass / {{ 'https' if vitamui.ui_design_system.secure | default(secure) | bool else 'http' }}://vitamui-{{ vitamui.ui_design_system.vitamui_component }}.service.{{ consul_domain }}:{{ vitamui.ui_design_system.port_service }}/ {{ reverse_connection_params }} + ProxyPassReverse / {{ 'https' if vitamui.ui_design_system.secure | default(secure) | bool else 'http' }}://vitamui-{{ vitamui.ui_design_system.vitamui_component }}.service.{{ consul_domain }}:{{ vitamui.ui_design_system.port_service }}/ +{% endif %} diff --git a/deployment/roles/reverse/templates/nginx/conf.d/upstream.j2 b/deployment/roles/reverse/templates/nginx/conf.d/upstream.j2 index f958cd3ce4c..cb0e0a1f678 100644 --- a/deployment/roles/reverse/templates/nginx/conf.d/upstream.j2 +++ b/deployment/roles/reverse/templates/nginx/conf.d/upstream.j2 @@ -7,6 +7,7 @@ upstream IDENTITY { ip_hash; + # server vitamui-{{ vitamui.ui_identity.vitamui_component }}.service.{{ consul_domain }}:{{ vitamui.ui_identity.port_service }}; {% for h in groups['hosts_ui_identity'] %} server {{ hostvars[h].ip_service }}:{{ vitamui.ui_identity.port_service }}; {% endfor %} @@ -14,6 +15,7 @@ upstream IDENTITY { upstream IDENTITY_ADMIN { ip_hash; + # server vitamui-{{ vitamui.ui_identity_admin.vitamui_component }}.service.{{ consul_domain }}:{{ vitamui.ui_identity_admin.port_service }}; {% for h in groups['hosts_ui_identity_admin'] %} server {{ hostvars[h].ip_service }}:{{ vitamui.ui_identity_admin.port_service }}; {% endfor %} @@ -21,6 +23,7 @@ upstream IDENTITY_ADMIN { upstream CAS { ip_hash; + # server vitamui-{{ vitamui.cas_server.vitamui_component }}.service.{{ consul_domain }}:{{ vitamui.cas_server.port_service }}; {% for h in groups['hosts_cas_server'] %} server {{ hostvars[h].ip_service }}:{{ vitamui.cas_server.port_service }}; {% endfor %} 
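Review bot: Every backend in this hunk is now addressed by its consul name except CAS, which uses `{{ vitamui.cas_server.host }}`; if that is intentional, a comment above `# CAS SERVER` should say why, otherwise `vitamui-{{ vitamui.cas_server.vitamui_component }}.service.{{ consul_domain }}` would match the rest. A DNS name that matches the backend's SAN only hardens the `https` paths if `SSLProxyEngine on`, `SSLProxyVerify require`, `SSLProxyCheckPeerName on` and `SSLProxyCACertificateFile` are set; none appears in this hunk, so unless they live in `reverse_connection_params` or elsewhere in the template, the name change has no verification effect. UI IDENTITY ADMIN and UI IDENTITY lost their `{% for host in groups[...] %}` loops but, unlike the other sections, gained no `{% if groups.get(...) | length > 0 %}` guard; if they are mandatory, a short comment would make that explicit. The template continues after this hunk.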
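Review bot: The `# server vitamui-...service...` lines added to IDENTITY, IDENTITY_ADMIN and CAS here, and to the remaining upstreams in the `@@ -28,61 +31,67 @@` hunk, are rendered into the live nginx config as commented-out directives on every reverse host. If they document a planned move from per-host `ip_service` entries to consul DNS, put that in one Jinja comment that is not emitted (`{# TODO: switch upstreams to consul DNS names once the agents register every component #}`), bearing in mind that open-source nginx resolves an upstream `server` hostname once at load time, unlike the variable `proxy_pass` form used in vhost.conf.j2. The re-indented `{% for %}` lines in the later hunk also emit leading whitespace into the config unless `lstrip_blocks` is on, which is harmless but inconsistent with the unindented `{% if %}` lines beside them.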
@@ -28,61 +31,67 @@ upstream CAS { upstream PORTAL { ip_hash; + # server vitamui-{{ vitamui.ui_portal.vitamui_component }}.service.{{ consul_domain }}:{{ vitamui.ui_portal.port_service }}; {% for h in groups['hosts_ui_portal'] %} server {{ hostvars[h].ip_service }}:{{ vitamui.ui_portal.port_service }}; {% endfor %} } +{% if groups.get('hosts_ui_referential', []) | length > 0 %} -{% if groups['hosts_ui_referential']|length > 0 %} upstream REFERENTIAL { ip_hash; -{% for h in groups['hosts_ui_referential'] %} + # server vitamui-{{ vitamui.ui_referential.vitamui_component }}.service.{{ consul_domain }}:{{ vitamui.ui_referential.port_service }}; + {% for h in groups['hosts_ui_referential'] %} server {{ hostvars[h].ip_service }}:{{ vitamui.ui_referential.port_service }}; -{% endfor %} + {% endfor %} } {% endif %} +{% if groups.get('hosts_ui_ingest', []) | length > 0 %} -{% if groups['hosts_ui_ingest']|length > 0 %} upstream INGEST { ip_hash; -{% for h in groups['hosts_ui_ingest'] %} + # server vitamui-{{ vitamui.ui_ingest.vitamui_component }}.service.{{ consul_domain }}:{{ vitamui.ui_ingest.port_service }}; + {% for h in groups['hosts_ui_ingest'] %} server {{ hostvars[h].ip_service }}:{{ vitamui.ui_ingest.port_service }}; -{% endfor %} + {% endfor %} } {% endif %} +{% if groups.get('hosts_ui_archive_search', []) | length > 0 %} -{% if groups['hosts_ui_archive_search']|length > 0 %} upstream ARCHIVE_SEARCH { ip_hash; -{% for h in groups['hosts_ui_archive_search'] %} + # server vitamui-{{ vitamui.ui_archive_search.vitamui_component }}.service.{{ consul_domain }}:{{ vitamui.ui_archive_search.port_service }}; + {% for h in groups['hosts_ui_archive_search'] %} server {{ hostvars[h].ip_service }}:{{ vitamui.ui_archive_search.port_service }}; -{% endfor %} + {% endfor %} } {% endif %} +{% if groups.get('hosts_ui_collect', []) | length > 0 %} -{% if groups['hosts_ui_collect']|length > 0 %} upstream COLLECT { ip_hash; -{% for h in groups['hosts_ui_collect'] %} + # server 
vitamui-{{ vitamui.ui_collect.vitamui_component }}.service.{{ consul_domain }}:{{ vitamui.ui_collect.port_service }}; + {% for h in groups['hosts_ui_collect'] %} server {{ hostvars[h].ip_service }}:{{ vitamui.ui_collect.port_service }}; -{% endfor %} + {% endfor %} } {% endif %} +{% if groups.get('hosts_ui_pastis', []) | length > 0 %} -{% if groups['hosts_ui_pastis']|length > 0 %} upstream PASTIS { ip_hash; -{% for h in groups['hosts_ui_pastis'] %} + # server vitamui-{{ vitamui.ui_pastis.vitamui_component }}.service.{{ consul_domain }}:{{ vitamui.ui_pastis.port_service }}; + {% for h in groups['hosts_ui_pastis'] %} server {{ hostvars[h].ip_service }}:{{ vitamui.ui_pastis.port_service }}; -{% endfor %} + {% endfor %} } {% endif %} +{% if groups.get('hosts_ui_design_system', []) | length > 0 %} -{% if groups.get('hosts_ui_design_system', [])|length > 0 %} upstream DESIGN_SYSTEM { ip_hash; -{% for h in groups.get('hosts_ui_design_system', []) %} + {% for h in groups['hosts_ui_design_system'] %} server {{ hostvars[h].ip_service }}:{{ vitamui.ui_design_system.port_service }}; -{% endfor %} + {% endfor %} } {% endif %} diff --git a/deployment/roles/reverse/templates/nginx/conf.d/vhosts.conf.j2 b/deployment/roles/reverse/templates/nginx/conf.d/vhosts.conf.j2 index e993f31278c..e6fd0d8da70 100644 --- a/deployment/roles/reverse/templates/nginx/conf.d/vhosts.conf.j2 +++ b/deployment/roles/reverse/templates/nginx/conf.d/vhosts.conf.j2 
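Review bot: Each rebuilt upstream block now carries a commented-out `# server vitamui-{{ … }}.service.{{ consul_domain }}:…;` line, so the rendered nginx config ships dead configuration for seven upstreams (the `@@ -7`, `@@ -14` and `@@ -21` hunks above add the same). If the Consul-DNS variant is a planned migration, a single Jinja comment such as `{# TODO: switch upstreams to Consul service names once proxy_ssl_name is settled #}` states it once and is dropped at render time; otherwise remove the lines. The `{% for %}` tags are now indented inside the blocks while the `{% if %}` guards stay at column 0; harmless for nginx, but the file should pick one convention.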
@@ -13,37 +13,47 @@ server { # UI IDENTITY_ADMIN location /identity-admin { rewrite /identity-admin/(.*) /$1 break; - proxy_pass {{ 'https' if vitamui.ui_identity_admin.secure | default(secure) | bool else 'http' }}://IDENTITY_ADMIN; sub_filter '/identity/' '{{ url_prefix }}/identity-admin/'; sub_filter_types text/html text/css; sub_filter_once off; proxy_set_header Accept-Encoding ""; + + # set $ui_identity_admin_dns "vitamui-{{ vitamui.ui_identity_admin.vitamui_component }}.service.{{ consul_domain }}"; + # proxy_pass {{ 'https' if vitamui.ui_identity_admin.secure | default(secure) | bool else 'http' }}://$ui_identity_admin_dns:{{ vitamui.ui_identity_admin.port_service }}; + proxy_pass {{ 'https' if vitamui.ui_identity_admin.secure | default(secure) | bool else 'http' }}://IDENTITY_ADMIN; include {{ nginx_conf_dir }}/proxy_params; } # UI IDENTITY location /identity { rewrite /identity/(.*) /$1 break; + + # set $ui_identity_dns "vitamui-{{ vitamui.ui_identity.vitamui_component }}.service.{{ consul_domain }}"; + # proxy_pass {{ 'https' if vitamui.ui_identity.secure | default(secure) | bool else 'http' }}://$ui_identity_dns:{{ vitamui.ui_identity.port_service }}; proxy_pass {{ 'https' if vitamui.ui_identity.secure | default(secure) | bool else 'http' }}://IDENTITY; include {{ nginx_conf_dir }}/proxy_params; } +{% if groups.get('hosts_ui_referential', []) | length > 0 %} -{% if groups['hosts_ui_referential']|length > 0 %} # UI REFERENTIAL location /referential { rewrite /referential/(.*) /$1 break; - proxy_pass {{ 'https' if vitamui.ui_referential.secure | default(secure) | bool else 'http' }}://REFERENTIAL; + # set $ui_referential_dns "vitamui-{{ vitamui.ui_referential.vitamui_component }}.service.{{ consul_domain }}"; + # proxy_pass {{ 'https' if vitamui.ui_referential.secure | default(secure) | bool else 'http' }}://$ui_referential_dns:{{ vitamui.ui_referential.port_service }}; + proxy_pass {{ 'https' if vitamui.ui_referential.secure | default(secure) | bool else 
'http' }}://REFERENTIAL; include {{ nginx_conf_dir }}/proxy_params; } {% endif %} +{% if groups.get('hosts_ui_ingest', []) | length > 0 %} -{% if groups['hosts_ui_ingest']|length > 0 %} # UI INGEST location /ingest { rewrite /ingest/(.*) /$1 break; - proxy_pass {{ 'https' if vitamui.ui_ingest.secure | default(secure) | bool else 'http' }}://INGEST; + # set $ui_ingest_dns "vitamui-{{ vitamui.ui_ingest.vitamui_component }}.service.{{ consul_domain }}"; + # proxy_pass {{ 'https' if vitamui.ui_ingest.secure | default(secure) | bool else 'http' }}://$ui_ingest_dns:{{ vitamui.ui_ingest.port_service }}; + proxy_pass {{ 'https' if vitamui.ui_ingest.secure | default(secure) | bool else 'http' }}://INGEST; include {{ nginx_conf_dir }}/proxy_params; # http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_request_buffering 
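Review bot: Every `location` in this hunk gains a pair of commented-out `# set $…_dns …;` / `# proxy_pass …://$…_dns:…;` lines that duplicate the live `proxy_pass` one line below, and the same pattern repeats in the `@@ -58`, `@@ -99` and `@@ -116` hunks of this file. Commented-out alternatives in a deployed config are easy to uncomment piecemeal and hard to keep in sync with the upstream blocks, so either drop them or keep one Jinja comment (`{# alternative: Consul service names, see the /cas location #}`) that does not reach the rendered file. If the per-location variant is meant to be selectable, a template variable guarding the two forms would be the more maintainable shape. The enclosing `server` block starts outside the hunk.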
@@ -58,33 +68,39 @@ server { client_max_body_size 0; } {% endif %} +{% if groups.get('hosts_ui_archive_search', []) | length > 0 %} -{% if groups['hosts_ui_archive_search']|length > 0 %} # UI ARCHIVE_SEARCH location /archive-search { rewrite /archive-search/(.*) /$1 break; - proxy_pass {{ 'https' if vitamui.ui_archive_search.secure | default(secure) | bool else 'http' }}://ARCHIVE_SEARCH; + # set $ui_archive_search_dns "vitamui-{{ vitamui.ui_archive_search.vitamui_component }}.service.{{ consul_domain }}"; + # proxy_pass {{ 'https' if vitamui.ui_archive_search.secure | default(secure) | bool else 'http' }}://$ui_archive_search_dns:{{ vitamui.ui_archive_search.port_service }}; + proxy_pass {{ 'https' if vitamui.ui_archive_search.secure | default(secure) | bool else 'http' }}://ARCHIVE_SEARCH; include {{ nginx_conf_dir }}/proxy_params; } {% endif %} +{% if groups.get('hosts_ui_pastis', []) | length > 0 %} -{% if groups['hosts_ui_pastis']|length > 0 %} # UI PASTIS location /pastis { rewrite /pastis/(.*) /$1 break; - proxy_pass {{ 'https' if vitamui.ui_pastis.secure | default(secure) | bool else 'http' }}://PASTIS; + # set $ui_pastis_dns "vitamui-{{ vitamui.ui_pastis.vitamui_component }}.service.{{ consul_domain }}"; + # proxy_pass {{ 'https' if vitamui.ui_pastis.secure | default(secure) | bool else 'http' }}://$ui_pastis_dns:{{ vitamui.ui_pastis.port_service }}; + proxy_pass {{ 'https' if vitamui.ui_pastis.secure | default(secure) | bool else 'http' }}://PASTIS; include {{ nginx_conf_dir }}/proxy_params; } {% endif %} +{% if groups.get('hosts_ui_collect', []) | length > 0 %} -{% if groups['hosts_ui_collect']|length > 0 %} # UI COLLECT location /collect { rewrite /collect/(.*) /$1 break; - proxy_pass {{ 'https' if vitamui.ui_collect.secure | default(secure) | bool else 'http' }}://COLLECT; + # set $ui_collect_dns "vitamui-{{ vitamui.ui_collect.vitamui_component }}.service.{{ consul_domain }}"; + # proxy_pass {{ 'https' if vitamui.ui_collect.secure | default(secure) | 
bool else 'http' }}://$ui_collect_dns:{{ vitamui.ui_collect.port_service }}; + proxy_pass {{ 'https' if vitamui.ui_collect.secure | default(secure) | bool else 'http' }}://COLLECT; include {{ nginx_conf_dir }}/proxy_params; # http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_request_buffering @@ -99,13 +115,15 @@ server { client_max_body_size 0; } {% endif %} +{% if groups.get('hosts_ui_design_system', []) | length > 0 %} -{% if groups.get('hosts_ui_design_system', [])|length > 0 %} # DESIGN SYSTEM location /design-system { rewrite /design-system/(.*) /$1 break; - proxy_pass {{ 'https' if vitamui.ui_design_system.secure | default(secure) | bool else 'http' }}://DESIGN_SYSTEM; + # set $ui_design_system_dns "vitamui-{{ vitamui.ui_design_system.vitamui_component }}.service.{{ consul_domain }}"; + # proxy_pass http://$ui_design_system_dns:{{ vitamui.ui_design_system.port_service }}; + proxy_pass http://DESIGN_SYSTEM; include {{ nginx_conf_dir }}/proxy_params; } {% endif %} 
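Review bot: The design-system location now hardcodes `proxy_pass http://DESIGN_SYSTEM;`, dropping the `'https' if vitamui.ui_design_system.secure | default(secure) | bool else 'http'` scheme selection that the removed line had and that every other location in this file and the Apache template keep. With `secure` defaulting to true in roles/vitamui/defaults/main.yml, nginx would send plaintext to a TLS listener; if the backend really is plain HTTP, this location silently becomes the one unencrypted hop. Restore `proxy_pass {{ 'https' if vitamui.ui_design_system.secure | default(secure) | bool else 'http' }}://DESIGN_SYSTEM;`; the commented `# proxy_pass http://$ui_design_system_dns:…` line above it has the same issue if it is ever enabled.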
@@ -116,12 +134,16 @@ server { } location ~ ^/cas/(login|logout|extras|webjars|css|icons|favicon|images|js|serviceValidate|oauth2.0|clientredirect|oidc) { - proxy_pass {{ 'https' if vitamui.cas_server.secure | default(secure) | bool else 'http' }}://CAS; + set $cas_server_dns "vitamui-{{ vitamui.cas_server.vitamui_component }}.service.{{ consul_domain }}"; + proxy_pass {{ 'https' if vitamui.cas_server.secure | default(secure) | bool else 'http' }}://$cas_server_dns:{{ vitamui.cas_server.port_service }}; + # proxy_pass {{ 'https' if vitamui.cas_server.secure | default(secure) | bool else 'http' }}://CAS; # error: upstream SSL certificate does not match "CAS" while SSL handshaking to upstream include {{ nginx_conf_dir }}/proxy_params; } # PORTAL location / { + # set $ui_portal_dns "vitamui-{{ vitamui.ui_portal.vitamui_component }}.service.{{ consul_domain }}"; + # proxy_pass {{ 'https' if vitamui.ui_portal.secure | default(secure) | bool else 'http' }}://$ui_portal_dns:{{ vitamui.ui_portal.port_service }}; proxy_pass {{ 'https' if vitamui.ui_portal.secure | default(secure) | bool else 'http' }}://PORTAL; include {{ nginx_conf_dir }}/proxy_params; } diff --git a/deployment/roles/reverse/templates/nginx/ssl/reverse.crt.j2 b/deployment/roles/reverse/templates/nginx/ssl/reverse.crt.j2 index eeace708ede..6bcf86749f8 100644 --- a/deployment/roles/reverse/templates/nginx/ssl/reverse.crt.j2 +++ b/deployment/roles/reverse/templates/nginx/ssl/reverse.crt.j2 @@ -1 +1 @@ -{{ lookup('file', "{{ inventory_dir }}/certs/server/hosts/{{ inventory_hostname }}/reverse.crt" ) }} +{{ lookup('file', "{{ inventory_dir }}/certs/vitamui-services/server/reverse/reverse.crt" ) }} diff --git a/deployment/roles/reverse/templates/nginx/ssl/reverse.key.j2 b/deployment/roles/reverse/templates/nginx/ssl/reverse.key.j2 index 8d436312c37..5645274f788 100644 --- a/deployment/roles/reverse/templates/nginx/ssl/reverse.key.j2 +++ b/deployment/roles/reverse/templates/nginx/ssl/reverse.key.j2 
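Review bot: `proxy_pass …://$cas_server_dns:{{ … }}` with a variable makes nginx resolve `vitamui-….service.{{ consul_domain }}` at request time, which needs a `resolver` directive (pointing at the Consul DNS) in scope; none is visible in this hunk, so unless one exists elsewhere CAS requests would likely fail with a "no resolver defined" error. The trailing comment says the upstream block was abandoned because the backend certificate did not match the name `CAS`; the usual fix is to keep `proxy_pass …://CAS;` and add `proxy_ssl_name vitamui-{{ vitamui.cas_server.vitamui_component }}.service.{{ consul_domain }};` (plus `proxy_ssl_server_name on;`), which also keeps the `ip_hash` behaviour the CAS upstream defines. That mismatch only surfaces with `proxy_ssl_verify on`, which ssl.conf.j2 in this same commit leaves commented out, so as written the CAS hop is neither load-balanced through the upstream nor verified.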
@@ -1,2 +1,2 @@ -{{ lookup('file', "{{ inventory_dir }}/certs/server/hosts/{{ inventory_hostname }}/reverse.key" ) }} +{{ lookup('file', "{{ inventory_dir }}/certs/vitamui-services/server/reverse/reverse.key" ) }} diff --git a/deployment/roles/reverse/templates/nginx/ssl/ssl.conf.j2 b/deployment/roles/reverse/templates/nginx/ssl/ssl.conf.j2 index 6a4b8b24228..f5ac0e4234e 100644 --- a/deployment/roles/reverse/templates/nginx/ssl/ssl.conf.j2 +++ b/deployment/roles/reverse/templates/nginx/ssl/ssl.conf.j2 @@ -3,6 +3,10 @@ ssl_certificate_key {{ nginx_ssl_dir }}/reverse.key; # Password file for ssl cert ssl_password_file {{ nginx_ssl_dir }}/reverse.key_pass; +# proxy_ssl_verify on; +# proxy_ssl_verify_depth 2; +# proxy_ssl_trusted_certificate {{ nginx_ssl_dir }}/vitamui-services-ca-bundle.pem; + ssl_prefer_server_ciphers on; ssl_session_cache shared:SSL:10m; diff --git a/deployment/roles/reverse/templates/nginx/ssl/vitamui-services-ca-bundle.pem.j2 b/deployment/roles/reverse/templates/nginx/ssl/vitamui-services-ca-bundle.pem.j2 new file mode 100644 index 00000000000..3c63ccaf519 --- /dev/null +++ b/deployment/roles/reverse/templates/nginx/ssl/vitamui-services-ca-bundle.pem.j2 @@ -0,0 +1,2 @@ +{{ lookup('file', "{{ inventory_dir }}/certs/vitamui-services/ca/ca-root.pem" ) }} +{{ lookup('file', "{{ inventory_dir }}/certs/vitamui-services/ca/ca-intermediate.pem" ) }} diff --git a/deployment/roles/vitamui/defaults/main.yml b/deployment/roles/vitamui/defaults/main.yml index ef4ea2e50ef..3183b164fc0 100644 --- a/deployment/roles/vitamui/defaults/main.yml +++ b/deployment/roles/vitamui/defaults/main.yml 
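Review bot: Upstream certificate verification stays disabled in ssl.conf.j2: the three new `proxy_ssl_verify` / `proxy_ssl_verify_depth` / `proxy_ssl_trusted_certificate` lines are commented out, so nginx still accepts any certificate from the backends, and the `vitamui-services-ca-bundle.pem.j2` added in the following hunk is deployed but referenced only from a comment. If the directives are parked because the upstream names did not match the backend certificates (see the /cas location in vhosts.conf.j2), the fix belongs in `proxy_ssl_name` per location, after which these lines can be enabled as written; `proxy_ssl_verify_depth 2` is consistent with a root-plus-intermediate bundle. Either way the parked lines should carry a comment stating why verification is off and what unblocks it, e.g. `# disabled until proxy_ssl_name matches the backend SANs; see vhosts.conf.j2 /cas`.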
@@ -10,6 +10,7 @@ jvm_opts: start_timeout: "{{ vitamui_defaults.services.start_timeout | default(300) }}" at_boot: "{{ vitamui_defaults.services.at_boot | default(false) }}" secure: "{{ vitamui_defaults.services.secure | default(true) | bool }}" +ssl_hostname_verification: "{{ vitamui_defaults.services.ssl_hostname_verification | default(true) | bool }}" jvm_log: "{{ vitamui_defaults.services.jvm_log | default(false) | bool }}" accesslogs: "{{ vitamui_defaults.services.accesslogs | default('true') | lower }}" access_retention_days: "{{ vitamui_defaults.services.access_retention_days | default(365) }}" diff --git a/deployment/roles/vitamui/tasks/main.yml b/deployment/roles/vitamui/tasks/main.yml index 1fc6dd8c25d..e0d9613b1a7 100644 --- a/deployment/roles/vitamui/tasks/main.yml +++ b/deployment/roles/vitamui/tasks/main.yml @@ -48,9 +48,9 @@ file: path: "{{ vitamui_defaults.folder.root_path | default('/vitamui') }}/{{ item }}/{{ vitamui_struct.vitamui_component }}" state: directory - owner: "{{ vitamui_defaults.users.vitamui | default('vitamui') }}" - group: "{{ vitamui_defaults.users.group | default('vitamui') }}" - mode: "{{ vitamui_defaults.folder.folder_permission | default('0750') }}" + owner: "{{ vitamui_defaults.users.vitamui }}" + group: "{{ vitamui_defaults.users.group }}" + mode: "{{ vitamui_defaults.folder.folder_permission }}" with_items: - app - bin @@ -66,9 +66,9 @@ file: path: "{{ vitamui_folder_conf }}/sysconfig" state: directory - owner: "{{ vitamui_defaults.users.vitamui | default('vitamui') }}" - group: "{{ vitamui_defaults.users.group | default('vitamui') }}" - mode: "{{ vitamui_defaults.folder.folder_permission | default('0750') }}" + owner: "{{ vitamui_defaults.users.vitamui }}" + group: "{{ vitamui_defaults.users.group }}" + mode: "{{ vitamui_defaults.folder.folder_permission }}" notify: restart service when: install_mode != "container" 
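Review bot: The new `ssl_hostname_verification` default is a TLS-weakening switch (it feeds `hostname-verification:` in every `*-client` block of the application templates) and lands without a comment saying what it controls or when flipping it is acceptable. Keeping the default `true` is right; add above the line something like `# Per-service override: vitamui.<svc>.ssl_hostname_verification. Set false only for a backend whose certificate lacks the service name; disables hostname checking (MITM protection) on that client connection.` so an operator does not turn it off just to silence a certificate error. The templates render it with `| lower`, so a quoted `"false"` from inventory is accepted as well, which the comment could mention.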
@@ -83,9 +83,9 @@ template: src: java_opts.j2 dest: "{{ vitamui_folder_conf }}/sysconfig/java_opts" - owner: "{{ vitamui_defaults.users.vitamui | default('vitamui') }}" - group: "{{ vitamui_defaults.users.group | default('vitamui') }}" - mode: "{{ vitamui_defaults.folder.conf_permission | default('0440') }}" + owner: "{{ vitamui_defaults.users.vitamui }}" + group: "{{ vitamui_defaults.users.group }}" + mode: "{{ vitamui_defaults.folder.conf_permission }}" tags: - update_vitamui_jvmopts - update_vitamui_configuration @@ -95,7 +95,7 @@ - name: get passwd for vitamui getent: database: passwd - key: "{{ vitamui_defaults.users.vitamui | default('vitamui') }}" + key: "{{ vitamui_defaults.users.vitamui }}" - name: Deploy systemd service file template: @@ -112,9 +112,9 @@ template: src: logback.xml.j2 dest: "{{ vitamui_folder_conf }}/logback.xml" - owner: "{{ vitamui_defaults.users.vitamui | default('vitamui') }}" - group: "{{ vitamui_defaults.users.group | default('vitamui') }}" - mode: "{{ vitamui_defaults.folder.conf_permission | default('0440') }}" + owner: "{{ vitamui_defaults.users.vitamui }}" + group: "{{ vitamui_defaults.users.group }}" + mode: "{{ vitamui_defaults.folder.conf_permission }}" tags: update_vitamui_configuration notify: restart service @@ -122,9 +122,9 @@ template: src: "{{ item }}" dest: "{{ vitamui_folder_conf }}/{{ item | basename | regex_replace('\\.j2$') }}" - owner: "{{ vitamui_defaults.users.vitamui | default('vitamui') }}" - group: "{{ vitamui_defaults.users.group | default('vitamui') }}" - mode: "{{ vitamui_defaults.folder.conf_permission | default('0440') }}" + owner: "{{ vitamui_defaults.users.vitamui }}" + group: "{{ vitamui_defaults.users.group }}" + mode: "{{ vitamui_defaults.folder.conf_permission }}" with_fileglob: - "{{ role_path }}/templates/{{ vitamui_struct.vitamui_component }}/*" #no_log: "{{ hide_passwords_during_deploy }}" 
@@ -133,61 +133,56 @@ - update_vitamui_certificates # Mandatory to update configuration file containing keystore password notify: restart service -- name: "Copy {{ vitamui_struct.service_name | default(service_name) }} jks keystore (server)" - copy: - src: "{{ inventory_dir }}/keystores/vitamui-services/server/{{ vitamui_struct.vitamui_component }}/keystore_{{ vitamui_struct.vitamui_component }}.jks" - dest: "{{ vitamui_folder_conf }}/keystore_{{ vitamui_struct.service_name | default(service_name) }}.jks" - owner: "{{ vitamui_defaults.users.vitamui | default('vitamui') }}" - group: "{{ vitamui_defaults.users.group | default('vitamui') }}" - mode: "{{ vitamui_defaults.folder.folder_permission | default('0750') }}" - when: - - vitamui_struct.secure | default(secure) | lower == 'true' - - lookup('pipe', 'test -f {{ inventory_dir }}/keystores/vitamui-services/server/{{ vitamui_struct.vitamui_component }}/keystore_{{ vitamui_struct.vitamui_component }}.jks || echo nofile') == '' - tags: update_vitamui_certificates - notify: restart service +- block: # when secure is true -- name: "Copy {{ vitamui_struct.service_name | default(service_name) }} jks keystore (client)" - copy: - src: "{{ inventory_dir }}/keystores/vitamui-services/clients/{{ vitamui_struct.vitamui_component }}/keystore_{{ vitamui_struct.vitamui_component }}.jks" - dest: "{{ vitamui_folder_conf }}/keystore_client_{{ vitamui_struct.service_name | default(service_name) }}.jks" - owner: "{{ vitamui_defaults.users.vitamui | default('vitamui') }}" - group: "{{ vitamui_defaults.users.group | default('vitamui') }}" - mode: "{{ vitamui_defaults.folder.folder_permission | default('0750') }}" - when: - - vitamui_struct.secure | default(secure) | lower == 'true' - - lookup('pipe', 'test -f {{ inventory_dir }}/keystores/vitamui-services/clients/{{ vitamui_struct.vitamui_component }}/keystore_{{ vitamui_struct.vitamui_component }}.jks || echo nofile') == '' - tags: update_vitamui_certificates - notify: restart service + 
- name: "Copy {{ vitamui_struct.vitamui_component }} jks keystore (server)" + copy: + src: "{{ inventory_dir }}/keystores/vitamui-services/server/{{ vitamui_struct.vitamui_component }}/keystore_{{ vitamui_struct.vitamui_component }}.p12" + dest: "{{ vitamui_folder_conf }}/keystore_server_{{ vitamui_struct.vitamui_component }}.p12" + owner: "{{ vitamui_defaults.users.vitamui }}" + group: "{{ vitamui_defaults.users.group }}" + mode: "{{ vitamui_defaults.folder.folder_permission }}" + tags: update_vitamui_certificates + notify: restart service -# Copy the trustore for all vitamui components in order to communicate between them. -- name: Copy vitamui-services truststore - copy: - src: "{{ inventory_dir }}/keystores/vitamui-services/truststore_vitamui.jks" - dest: "{{ vitamui_folder_conf }}/truststore_vitamui.jks" - owner: "{{ vitamui_defaults.users.vitamui | default('vitamui') }}" - group: "{{ vitamui_defaults.users.group | default('vitamui') }}" - mode: "{{ vitamui_defaults.folder.folder_permission | default('0750') }}" - when: - - vitamui_struct.secure | default(secure) | lower == 'true' - - vitamui_certificate_type | default('none') | lower == 'vitamui-services' - - lookup('pipe', 'test -f {{ inventory_dir }}/keystores/vitamui-services/truststore_vitamui.jks || echo nofile') == '' - tags: update_vitamui_certificates - notify: restart service + - name: "Copy {{ vitamui_struct.vitamui_component }} jks keystore (client)" + copy: + src: "{{ inventory_dir }}/keystores/vitamui-services/clients/{{ vitamui_struct.vitamui_component }}/keystore_{{ vitamui_struct.vitamui_component }}.p12" + dest: "{{ vitamui_folder_conf }}/keystore_client_{{ vitamui_struct.vitamui_component }}.p12" + owner: "{{ vitamui_defaults.users.vitamui }}" + group: "{{ vitamui_defaults.users.group }}" + mode: "{{ vitamui_defaults.folder.folder_permission }}" + when: + - lookup('pipe', 'test -f {{ inventory_dir }}/keystores/vitamui-services/clients/{{ vitamui_struct.vitamui_component }}/keystore_{{ 
vitamui_struct.vitamui_component }}.p12 || echo nofile') == '' + tags: update_vitamui_certificates + notify: restart service -# Copy the truststore for all external API in order to communicate with vitamui components (ui, external APIs, cas) and externals apps. -- name: Copy external truststore - copy: - src: "{{ inventory_dir }}/keystores/client-{{ vitamui_certificate_type }}/truststore_{{ vitamui_certificate_type }}.jks" - dest: "{{ vitamui_folder_conf }}/truststore_{{ vitamui_certificate_type }}.jks" - owner: "{{ vitamui_defaults.users.vitamui | default('vitamui') }}" - group: "{{ vitamui_defaults.users.group | default('vitamui') }}" - mode: "{{ vitamui_defaults.folder.folder_permission | default('0750') }}" - when: - - vitamui_struct.secure | default(secure) | lower == 'true' - - vitamui_certificate_type | default('none') | lower == 'external' - - lookup('pipe', 'test -f {{ inventory_dir }}/keystores/client-{{ vitamui_certificate_type }}/truststore_{{ vitamui_certificate_type }}.jks || echo nofile') == '' - tags: update_vitamui_certificates - notify: restart service + # Copy the trustore for all vitamui components in order to communicate between them. + - name: Copy vitamui-services truststore + copy: + src: "{{ inventory_dir }}/keystores/vitamui-services/truststore_vitamui.p12" + dest: "{{ vitamui_folder_conf }}/truststore_vitamui.p12" + owner: "{{ vitamui_defaults.users.vitamui }}" + group: "{{ vitamui_defaults.users.group }}" + mode: "{{ vitamui_defaults.folder.folder_permission }}" + tags: update_vitamui_certificates + notify: restart service + + # Copy the truststore for all external API in order to communicate with vitamui components (ui, external APIs, cas) and externals apps. 
+ - name: Copy external truststore + copy: + src: "{{ inventory_dir }}/keystores/client-external/truststore_external.p12" + dest: "{{ vitamui_folder_conf }}/truststore_external.p12" + owner: "{{ vitamui_defaults.users.vitamui }}" + group: "{{ vitamui_defaults.users.group }}" + mode: "{{ vitamui_defaults.folder.folder_permission }}" + when: + - vitamui_certificate_type | default('none') | lower == 'external' + - lookup('pipe', 'test -f {{ inventory_dir }}/keystores/client-external/truststore_external.p12 || echo nofile') == '' + tags: update_vitamui_certificates + notify: restart service + + when: vitamui_struct.secure | default(secure) | bool - name: "Execute sub-tasks for the component: {{ vitamui_struct.vitamui_component }}" include_tasks: "{{ vitamui_struct.vitamui_component }}.yml" diff --git a/deployment/roles/vitamui/tasks/referential.yml b/deployment/roles/vitamui/tasks/referential.yml index be3a15b75a2..c5e9d372cc7 100644 --- a/deployment/roles/vitamui/tasks/referential.yml +++ b/deployment/roles/vitamui/tasks/referential.yml @@ -33,7 +33,7 @@ - name: List existing external archiving system truststores find: paths: "{{ vitamui_folder_conf }}" - patterns: "truststore_external_archiving_system_*.jks" + patterns: "truststore_external_archiving_system_*.p12" file_type: file register: found_external_truststores tags: @@ -55,8 +55,8 @@ - name: Copy external archiving system truststores copy: - src: "{{ inventory_dir }}/keystores_external_archiving_systems/truststore_{{ item }}.jks" - dest: "{{ vitamui_folder_conf }}/truststore_external_archiving_system_{{ item }}.jks" + src: "{{ inventory_dir }}/keystores_external_archiving_systems/truststore_{{ item }}.p12" + dest: "{{ vitamui_folder_conf }}/truststore_external_archiving_system_{{ item }}.p12" owner: "{{ vitamui_defaults.users.vitamui | default('vitamui') }}" group: "{{ vitamui_defaults.users.group | default('vitamui') }}" mode: "{{ vitamui_defaults.folder.folder_permission | default('0750') }}" 
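Review bot: Inside the new `block`, the server-keystore copy lost the `lookup('pipe', 'test -f …')` existence guard that the client-keystore and external-truststore tasks keep, and the vitamui-services truststore copy has none either; if that is deliberate (these files are mandatory once `secure` is true) a one-line comment saying so would stop the next reader from "fixing" the asymmetry. The `.p12` files hold private keys but are still installed with `mode: "{{ vitamui_defaults.folder.folder_permission }}"` (formerly defaulting to 0750, a directory-style mode with execute bits) while config files get `conf_permission`; key material should use `conf_permission` or an explicit `"0440"`. The remaining `lookup('pipe', 'test -f …')` guards shell out on the controller with templated paths; Ansible's `is file` test does the same without a subprocess, e.g. `when: (inventory_dir ~ '/keystores/client-external/truststore_external.p12') is file`. The task names still say "jks keystore" although the files are now PKCS#12.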
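Review bot: With `patterns:` switched to `truststore_external_archiving_system_*.p12`, any `.jks` truststores left by a previous deployment are no longer found, so the "Delete obsolete" task in the `@@ -77` hunk never removes them and both formats stay on disk; the renamed keystores and truststores in tasks/main.yml have the same gap (old `keystore_*.jks` / `truststore_*.jks` are not deleted). A one-off migration task — `file: state: absent` over a `find` with `patterns: "*.jks"` in `{{ vitamui_folder_conf }}`, tagged `update_vitamui_certificates` — would keep stale key material from lingering in the config directory.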
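Review bot: `owner`, `group` and `mode` here keep their `| default('vitamui')` / `| default('0750')` fallbacks while the same commit strips them from every task in tasks/main.yml, so the two files now disagree on whether `vitamui_defaults.users.*` and `vitamui_defaults.folder.*` are mandatory. If they are guaranteed by the role or group vars, drop the fallbacks here too (`owner: "{{ vitamui_defaults.users.vitamui }}"`, `group: "{{ vitamui_defaults.users.group }}"`, `mode: "{{ vitamui_defaults.folder.folder_permission }}"`); if not, main.yml will now fail with an undefined variable on inventories that relied on them.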
@@ -77,9 +77,9 @@ - name: Delete obsolete external archiving system truststores file: - path: "{{ vitamui_folder_conf }}/truststore_external_archiving_system_{{ item }}.jks" + path: "{{ vitamui_folder_conf }}/truststore_external_archiving_system_{{ item }}.p12" state: absent - loop: "{{ found_external_truststores.files | map(attribute='path') | map('basename') | map('regex_replace', '^truststore_fexternal_archiving_system_(.*)\\.jks$', '\\1') | list | difference(external_system_ids) }}" + loop: "{{ found_external_truststores.files | map(attribute='path') | map('basename') | map('regex_replace', '^truststore_external_archiving_system_(.*)\\.p12$', '\\1') | list | difference(external_system_ids) }}" tags: - update_vitamui_configuration - update_vitamui_certificates diff --git a/deployment/roles/vitamui/templates/api-gateway/application.yml.j2 b/deployment/roles/vitamui/templates/api-gateway/application.yml.j2 index 09a0e0b97e2..79caac7b9d8 100644 --- a/deployment/roles/vitamui/templates/api-gateway/application.yml.j2 +++ b/deployment/roles/vitamui/templates/api-gateway/application.yml.j2 @@ -4,11 +4,11 @@ server: port: {{ vitamui_struct.server_port | default('8090') }} {% if vitamui_struct.secure | default(secure) | bool == true %} ssl: - key-store: {{ vitamui_folder_conf }}/keystore_{{ vitamui_struct.service_name | default(service_name) }}.jks + key-store: {{ vitamui_folder_conf }}/keystore_server_{{ vitamui_struct.vitamui_component }}.p12 key-store-password: {{ password_keystore_server }} key-password: {{ password_keystore_server }} - trust-store: {{ vitamui_folder_conf }}/truststore_{{ vitamui_certificate_type }}.jks - trust-store-password: {{ password_truststore }} + trust-store: {{ vitamui_folder_conf }}/truststore_vitamui.p12 + trust-store-password: {{ truststore_vitamui }} client-auth: need {% endif %} max-http-request-header-size: {{ vitamui_struct.server_max_http_header_size | default('10KB') }} 
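Review bot: The gateway's server trust store changes from `truststore_{{ vitamui_certificate_type }}.jks` (external, per the playbook's `vitamui_certificate_type: external`) to `truststore_vitamui.p12` while `client-auth: need` stays, so the set of client certificates the API gateway accepts is now whatever the vitamui-services truststore contains. Unless that store also carries the external client CAs, external callers whose certificates chain to the old external truststore will be rejected, and if it is a superset the change quietly widens who may authenticate; the same swap is made in archive-search, collect and iam (`client-auth: want`). Please state in the commit or a template comment which CAs `truststore_vitamui.p12` is expected to hold, and note that `password_truststore` (still set from `truststore_client_external` in the app_*.yml playbooks) no longer appears in this block.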
@@ -63,8 +63,7 @@ spring: corsConfigurations: '[/**]': allowedOrigins: - - "{{ url_prefix }}" - - "http://localhost" + - "{{ url_prefix }}" allowedMethods: "*" allowedHeaders: "*" routes: diff --git a/deployment/roles/vitamui/templates/archive-search/application.yml.j2 b/deployment/roles/vitamui/templates/archive-search/application.yml.j2 index 7a90492f7d9..b028defda15 100644 --- a/deployment/roles/vitamui/templates/archive-search/application.yml.j2 +++ b/deployment/roles/vitamui/templates/archive-search/application.yml.j2 @@ -22,13 +22,13 @@ cas.tenant.identifier: {{ vitamui_platform_informations.cas_tenant }} server: address: {{ ip_service }} port: {{ vitamui_struct.port_service }} -{% if vitamui_struct.secure | default(secure) | bool == true %} +{% if vitamui_struct.secure | default(secure) | bool %} ssl: - key-store: {{ vitamui_folder_conf }}/keystore_{{ vitamui_struct.service_name | default(service_name) }}.jks + key-store: {{ vitamui_folder_conf }}/keystore_server_{{ vitamui_struct.vitamui_component }}.p12 key-store-password: {{ password_keystore_server }} key-password: {{ password_keystore_server }} - trust-store: {{ vitamui_folder_conf }}/truststore_{{ vitamui_certificate_type }}.jks - trust-store-password: {{ password_truststore }} + trust-store: {{ vitamui_folder_conf }}/truststore_vitamui.p12 + trust-store-password: {{ truststore_vitamui }} client-auth: want client-certificate-header-name: {{ vitamui.api_gateway.client_certificate_header_name | default('x-ssl-cert') }} {% endif %} 
@@ -67,28 +67,30 @@ archive-search: security-client: server-host: {{ vitamui.security.host }} server-port: {{ vitamui.security.port_service }} -{% if vitamui.security.secure | default(secure) | bool == true %} - secure: {{ vitamui.security.secure | default(secure) | lower }} +{% if vitamui.security.secure | default(secure) | bool %} + secure: true ssl-configuration: + keystore: + key-path: {{ vitamui_folder_conf }}/keystore_client_{{ vitamui_struct.vitamui_component }}.p12 + key-password: {{ password_keystore_client }} truststore: - key-path: {{ vitamui_folder_conf }}/truststore_{{ vitamui_certificate_type }}.jks - key-password: {{ password_truststore }} - hostname-verification: true + key-path: {{ vitamui_folder_conf }}/truststore_vitamui.p12 + key-password: {{ truststore_vitamui }} + hostname-verification: {{ vitamui.security.ssl_hostname_verification | default(ssl_hostname_verification) | lower }} {% endif %} iam-client: server-host: {{ vitamui.iam.host }} server-port: {{ vitamui.iam.port_service }} -{% if vitamui.iam.secure | default(secure) | bool == true %} - secure: {{ vitamui.iam.secure | default(secure) | lower }} +{% if vitamui.iam.secure | default(secure) | bool %} + secure: true ssl-configuration: keystore: - key-path: {{ vitamui_folder_conf }}/keystore_client_{{ vitamui_struct.service_name | default(service_name) }}.jks + key-path: {{ vitamui_folder_conf }}/keystore_client_{{ vitamui_struct.vitamui_component }}.p12 key-password: {{ password_keystore_client }} - type: JKS truststore: - key-path: {{ vitamui_folder_conf }}/truststore_{{ vitamui_certificate_type }}.jks - key-password: {{ password_truststore }} - hostname-verification: true + key-path: {{ vitamui_folder_conf }}/truststore_vitamui.p12 + key-password: {{ truststore_vitamui }} + hostname-verification: {{ vitamui.iam.ssl_hostname_verification | default(ssl_hostname_verification) | lower }} {% endif %} {% if opentracing.jaeger.enabled | default(false) | bool %} 
diff --git a/deployment/roles/vitamui/templates/cas-server/application.yml.j2 b/deployment/roles/vitamui/templates/cas-server/application.yml.j2 index 41c58ec2b0b..52ff6528abd 100644 --- a/deployment/roles/vitamui/templates/cas-server/application.yml.j2 +++ b/deployment/roles/vitamui/templates/cas-server/application.yml.j2 @@ -17,7 +17,7 @@ spring: server: {% if vitamui_struct.secure | default(secure) | bool == true %} ssl: - key-store: {{ vitamui_folder_conf }}/keystore_{{ vitamui_struct.service_name | default(service_name) }}.jks + key-store: {{ vitamui_folder_conf }}/keystore_server_{{ vitamui_struct.vitamui_component }}.p12 key-store-password: {{ password_keystore_server }} key-password: {{ password_keystore_server }} enabled-protocols: {{ssl_setting.enabled_protocols}} @@ -63,17 +63,16 @@ vitamui.cas.identity: cas iam-client: server-host: {{ vitamui.iam.host }} server-port: {{ vitamui.iam.port_service }} -{% if vitamui.iam.secure | default(secure) | bool == true %} - secure: {{ vitamui.iam.secure | default(secure) | lower }} +{% if vitamui.iam.secure | default(secure) | bool %} + secure: true ssl-configuration: keystore: - key-path: {{ vitamui_folder_conf }}/keystore_client_{{ vitamui_struct.service_name | default(service_name) }}.jks + key-path: {{ vitamui_folder_conf }}/keystore_client_{{ vitamui_struct.vitamui_component }}.p12 key-password: {{ password_keystore_client }} - type: JKS truststore: - key-path: {{ vitamui_folder_conf }}/truststore_{{ vitamui_certificate_type }}.jks - key-password: {{ password_truststore }} - hostname-verification: true + key-path: {{ vitamui_folder_conf }}/truststore_vitamui.p12 + key-password: {{ truststore_vitamui }} + hostname-verification: {{ vitamui.iam.ssl_hostname_verification | default(ssl_hostname_verification) | lower }} {% endif %} cas.authn.accept.users: 
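Review bot: The iam-client guard here becomes `{% if vitamui.iam.secure | default(secure) | bool %}` while the `server.ssl` guard in the `@@ -17,7` hunk of this file (and the api-gateway template's) is left as `| bool == true`; both forms work, but the cleanup is only half-applied, so the file mixes the two idioms. Change the remaining guard to `{% if vitamui_struct.secure | default(secure) | bool %}` for consistency with archive-search, collect and iam. Removing `type: JKS` is correct for the new PKCS#12 store only if the client library detects the store type by default — worth confirming, since a wrong assumption fails at service startup rather than at render time.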
diff --git a/deployment/roles/vitamui/templates/collect/application.yml.j2 b/deployment/roles/vitamui/templates/collect/application.yml.j2 index fcf1b5ec078..f6ddc5c7729 100644 --- a/deployment/roles/vitamui/templates/collect/application.yml.j2 +++ b/deployment/roles/vitamui/templates/collect/application.yml.j2 @@ -31,13 +31,13 @@ cas.tenant.identifier: {{ vitamui_platform_informations.cas_tenant }} server: address: {{ ip_service }} port: {{ vitamui_struct.port_service }} -{% if vitamui_struct.secure | default(secure) | bool == true %} +{% if vitamui_struct.secure | default(secure) | bool %} ssl: - key-store: {{ vitamui_folder_conf }}/keystore_{{ vitamui_struct.service_name | default(service_name) }}.jks + key-store: {{ vitamui_folder_conf }}/keystore_server_{{ vitamui_struct.vitamui_component }}.p12 key-store-password: {{ password_keystore_server }} key-password: {{ password_keystore_server }} - trust-store: {{ vitamui_folder_conf }}/truststore_{{ vitamui_certificate_type }}.jks - trust-store-password: {{ password_truststore }} + trust-store: {{ vitamui_folder_conf }}/truststore_vitamui.p12 + trust-store-password: {{ truststore_vitamui }} client-auth: want client-certificate-header-name: {{ vitamui.api_gateway.client_certificate_header_name | default('x-ssl-cert') }} {% endif %} 
@@ -76,28 +76,30 @@ collect:
 security-client:
 server-host: {{ vitamui.security.host }}
 server-port: {{ vitamui.security.port_service }}
-{% if vitamui.security.secure | default(secure) | bool == true %}
- secure: {{ vitamui.security.secure | default(secure) | lower }}
+{% if vitamui.security.secure | default(secure) | bool %}
+ secure: true
 ssl-configuration:
+ keystore:
+ key-path: {{ vitamui_folder_conf }}/keystore_client_{{ vitamui_struct.vitamui_component }}.p12
+ key-password: {{ password_keystore_client }}
 truststore:
- key-path: {{ vitamui_folder_conf }}/truststore_{{ vitamui_certificate_type }}.jks
- key-password: {{ password_truststore }}
- hostname-verification: true
+ key-path: {{ vitamui_folder_conf }}/truststore_vitamui.p12
+ key-password: {{ truststore_vitamui }}
+ hostname-verification: {{ vitamui.security.ssl_hostname_verification | default(ssl_hostname_verification) | lower }}
 {% endif %}
 iam-client:
 server-host: {{ vitamui.iam.host }}
 server-port: {{ vitamui.iam.port_service }}
-{% if vitamui.iam.secure | default(secure) | bool == true %}
- secure: {{ vitamui.iam.secure | default(secure) | lower }}
+{% if vitamui.iam.secure | default(secure) | bool %}
+ secure: true
 ssl-configuration:
 keystore:
- key-path: {{ vitamui_folder_conf }}/keystore_client_{{ vitamui_struct.service_name | default(service_name) }}.jks
+ key-path: {{ vitamui_folder_conf }}/keystore_client_{{ vitamui_struct.vitamui_component }}.p12
 key-password: {{ password_keystore_client }}
- type: JKS
 truststore:
- key-path: {{ vitamui_folder_conf }}/truststore_{{ vitamui_certificate_type }}.jks
- key-password: {{ password_truststore }}
- hostname-verification: true
+ key-path: {{ vitamui_folder_conf }}/truststore_vitamui.p12
+ key-password: {{ truststore_vitamui }}
+ hostname-verification: {{ vitamui.iam.ssl_hostname_verification | default(ssl_hostname_verification) | lower }}
 {% endif %}
 ontologies_file_path: {{ vitamui_folder_data }}/external_ontology_fields.json
diff --git a/deployment/roles/vitamui/templates/iam/application.yml.j2 b/deployment/roles/vitamui/templates/iam/application.yml.j2
index b0db02c2990..2b052dd77ac 100644
--- a/deployment/roles/vitamui/templates/iam/application.yml.j2
+++ b/deployment/roles/vitamui/templates/iam/application.yml.j2
@@ -25,13 +25,13 @@ logging:
 server:
 address: {{ ip_service }}
 port: {{ vitamui_struct.port_service }}
-{% if vitamui_struct.secure | default(secure) | bool == true %}
+{% if vitamui_struct.secure | default(secure) | bool %}
 ssl:
- key-store: {{ vitamui_folder_conf }}/keystore_{{ vitamui_struct.service_name | default(service_name) }}.jks
+ key-store: {{ vitamui_folder_conf }}/keystore_server_{{ vitamui_struct.vitamui_component }}.p12
 key-store-password: {{ password_keystore_server }}
 key-password: {{ password_keystore_server }}
- trust-store: {{ vitamui_folder_conf }}/truststore_{{ vitamui_certificate_type }}.jks
- trust-store-password: {{ password_truststore }}
+ trust-store: {{ vitamui_folder_conf }}/truststore_vitamui.p12
+ trust-store-password: {{ truststore_vitamui }}
 client-auth: want
 client-certificate-header-name: {{ vitamui.api_gateway.client_certificate_header_name | default('x-ssl-cert') }}
 {% endif %}
@@ -72,13 +72,16 @@ iam:
 security-client:
 server-host: {{ vitamui.security.host }}
 server-port: {{ vitamui.security.port_service }}
-{% if vitamui.security.secure | default(secure) | bool == true %}
+{% if vitamui.security.secure | default(secure) | bool %}
 secure: true
 ssl-configuration:
+ keystore:
+ key-path: {{ vitamui_folder_conf }}/keystore_client_{{ vitamui_struct.vitamui_component }}.p12
+ key-password: {{ password_keystore_client }}
 truststore:
- key-path: {{ vitamui_folder_conf }}/truststore_{{ vitamui_certificate_type }}.jks
- key-password: {{ password_truststore }}
- hostname-verification: true
+ key-path: {{ vitamui_folder_conf }}/truststore_vitamui.p12
+ key-password: {{ truststore_vitamui }}
+ hostname-verification: {{ vitamui.security.ssl_hostname_verification | default(ssl_hostname_verification) | lower }}
 {% endif %}
 list-enable-external-identifiers:
@@ -104,17 +107,16 @@ login:
 cas-client:
 server-host: {{ vitamui.cas_server.host }}
 server-port: {{ vitamui.cas_server.port_service }}
-{% if vitamui.cas_server.secure | default(secure) | bool == true %}
+{% if vitamui.cas_server.secure | default(secure) | bool %}
 secure: true
 ssl-configuration:
 keystore:
- key-path: {{ vitamui_folder_conf }}/keystore_client_{{ vitamui_struct.service_name | default(service_name) }}.jks
+ key-path: {{ vitamui_folder_conf }}/keystore_client_{{ vitamui_struct.vitamui_component }}.p12
 key-password: {{ password_keystore_client }}
- type: JKS
 truststore:
- key-path: {{ vitamui_folder_conf }}/truststore_{{ vitamui_certificate_type }}.jks
- key-password: {{ password_truststore }}
- hostname-verification: true
+ key-path: {{ vitamui_folder_conf }}/truststore_vitamui.p12
+ key-password: {{ truststore_vitamui }}
+ hostname-verification: {{ vitamui.cas_server.ssl_hostname_verification | default(ssl_hostname_verification) | lower }}
 {% endif %}
 cas.reset.password.url: {{ vitamui.cas_server.base_url | default('/cas') }}{{ vitamui.cas_server.reset_password_url | default('/extras/resetPassword?username={username}&firstname={firstname}&lastname={lastname}&language={language}&customerId={customerId}&ttl=1day') }}
diff --git a/deployment/roles/vitamui/templates/ingest/application.yml.j2 b/deployment/roles/vitamui/templates/ingest/application.yml.j2
index 9d31f3101e2..ccb9ce7a6bf 100644
--- a/deployment/roles/vitamui/templates/ingest/application.yml.j2
+++ b/deployment/roles/vitamui/templates/ingest/application.yml.j2
@@ -17,13 +17,13 @@ spring:
 server:
 address: {{ ip_service }}
 port: {{ vitamui_struct.port_service }}
-{% if vitamui_struct.secure | default(secure) | bool == true %}
+{% if vitamui_struct.secure | default(secure) | bool %}
 ssl:
- key-store: {{ vitamui_folder_conf }}/keystore_{{ vitamui_struct.service_name | default(service_name) }}.jks
+ key-store: {{ vitamui_folder_conf }}/keystore_server_{{ vitamui_struct.vitamui_component }}.p12
 key-store-password: {{ password_keystore_server }}
 key-password: {{ password_keystore_server }}
- trust-store: {{ vitamui_folder_conf }}/truststore_{{ vitamui_certificate_type }}.jks
- trust-store-password: {{ password_truststore }}
+ trust-store: {{ vitamui_folder_conf }}/truststore_vitamui.p12
+ trust-store-password: {{ truststore_vitamui }}
 client-auth: want
 client-certificate-header-name: {{ vitamui.api_gateway.client_certificate_header_name | default('x-ssl-cert') }}
 {% endif %}
@@ -64,28 +64,30 @@ ingest:
 security-client:
 server-host: {{ vitamui.security.host }}
 server-port: {{ vitamui.security.port_service }}
-{% if vitamui.security.secure | default(secure) | bool == true %}
- secure: {{ vitamui.security.secure | default(secure) | lower }}
+{% if vitamui.security.secure | default(secure) | bool %}
+ secure: true
 ssl-configuration:
+ keystore:
+ key-path: {{ vitamui_folder_conf }}/keystore_client_{{ vitamui_struct.vitamui_component }}.p12
+ key-password: {{ password_keystore_client }}
 truststore:
- key-path: {{ vitamui_folder_conf }}/truststore_{{ vitamui_certificate_type }}.jks
- key-password: {{ password_truststore }}
- hostname-verification: true
+ key-path: {{ vitamui_folder_conf }}/truststore_vitamui.p12
+ key-password: {{ truststore_vitamui }}
+ hostname-verification: {{ vitamui.security.ssl_hostname_verification | default(ssl_hostname_verification) | lower }}
 {% endif %}
 iam-client:
 server-host: {{ vitamui.iam.host }}
 server-port: {{ vitamui.iam.port_service }}
-{% if vitamui.iam.secure | default(secure) | bool == true %}
- secure: {{ vitamui.iam.secure | default(secure) | lower }}
+{% if vitamui.iam.secure | default(secure) | bool %}
+ secure: true
 ssl-configuration:
 keystore:
- key-path: {{ vitamui_folder_conf }}/keystore_client_{{ vitamui_struct.service_name | default(service_name) }}.jks
+ key-path: {{ vitamui_folder_conf }}/keystore_client_{{ vitamui_struct.vitamui_component }}.p12
 key-password: {{ password_keystore_client }}
- type: JKS
 truststore:
- key-path: {{ vitamui_folder_conf }}/truststore_{{ vitamui_certificate_type }}.jks
- key-password: {{ password_truststore }}
- hostname-verification: true
+ key-path: {{ vitamui_folder_conf }}/truststore_vitamui.p12
+ key-password: {{ truststore_vitamui }}
+ hostname-verification: {{ vitamui.iam.ssl_hostname_verification | default(ssl_hostname_verification) | lower }}
 {% endif %}
 {% if opentracing.jaeger.enabled | default(false) | bool %}
diff --git a/deployment/roles/vitamui/templates/pastis/application.yml.j2 b/deployment/roles/vitamui/templates/pastis/application.yml.j2
index 3d21f47094a..9d31937d909 100644
--- a/deployment/roles/vitamui/templates/pastis/application.yml.j2
+++ b/deployment/roles/vitamui/templates/pastis/application.yml.j2
@@ -40,13 +40,13 @@ logging:
 server:
 address: {{ ip_service }}
 port: {{ vitamui_struct.port_service }}
-{% if vitamui_struct.secure | default(secure) | bool == true %}
+{% if vitamui_struct.secure | default(secure) | bool %}
 ssl:
- key-store: {{ vitamui_folder_conf }}/keystore_{{ vitamui_struct.service_name | default(service_name) }}.jks
+ key-store: {{ vitamui_folder_conf }}/keystore_server_{{ vitamui_struct.vitamui_component }}.p12
 key-store-password: {{ password_keystore_server }}
 key-password: {{ password_keystore_server }}
- trust-store: {{ vitamui_folder_conf }}/truststore_{{ vitamui_certificate_type }}.jks
- trust-store-password: {{ password_truststore }}
+ trust-store: {{ vitamui_folder_conf }}/truststore_vitamui.p12
+ trust-store-password: {{ truststore_vitamui }}
 client-auth: want
 client-certificate-header-name: {{ vitamui.api_gateway.client_certificate_header_name | default('x-ssl-cert') }}
 {% endif %}
@@ -86,28 +86,30 @@ pastis:
 security-client:
 server-host: {{ vitamui.security.host }}
 server-port: {{ vitamui.security.port_service }}
-{% if vitamui.security.secure | default(secure) | bool == true %}
- secure: {{ vitamui.security.secure | default(secure) | lower }}
+{% if vitamui.security.secure | default(secure) | bool %}
+ secure: true
 ssl-configuration:
+ keystore:
+ key-path: {{ vitamui_folder_conf }}/keystore_client_{{ vitamui_struct.vitamui_component }}.p12
+ key-password: {{ password_keystore_client }}
 truststore:
- key-path: {{ vitamui_folder_conf }}/truststore_{{ vitamui_certificate_type }}.jks
- key-password: {{ password_truststore }}
- hostname-verification: true
+ key-path: {{ vitamui_folder_conf }}/truststore_vitamui.p12
+ key-password: {{ truststore_vitamui }}
+ hostname-verification: {{ vitamui.security.ssl_hostname_verification | default(ssl_hostname_verification) | lower }}
 {% endif %}
 iam-client:
 server-host: {{ vitamui.iam.host }}
 server-port: {{ vitamui.iam.port_service }}
-{% if vitamui.iam.secure | default(secure) | bool == true %}
- secure: {{ vitamui.iam.secure | default(secure) | lower }}
+{% if vitamui.iam.secure | default(secure) | bool %}
+ secure: true
 ssl-configuration:
 keystore:
- key-path: {{ vitamui_folder_conf }}/keystore_client_{{ vitamui_struct.service_name | default(service_name) }}.jks
+ key-path: {{ vitamui_folder_conf }}/keystore_client_{{ vitamui_struct.vitamui_component }}.p12
 key-password: {{ password_keystore_client }}
- type: JKS
 truststore:
- key-path: {{ vitamui_folder_conf }}/truststore_{{ vitamui_certificate_type }}.jks
- key-password: {{ password_truststore }}
- hostname-verification: true
+ key-path: {{ vitamui_folder_conf }}/truststore_vitamui.p12
+ key-password: {{ truststore_vitamui }}
+ hostname-verification: {{ vitamui.iam.ssl_hostname_verification | default(ssl_hostname_verification) | lower }}
 {% endif %}
 {% if opentracing.jaeger.enabled | default(false) | bool %}
diff --git a/deployment/roles/vitamui/templates/referential/application.yml.j2 b/deployment/roles/vitamui/templates/referential/application.yml.j2
index 40e3415b03b..7492b875c3e 100644
--- a/deployment/roles/vitamui/templates/referential/application.yml.j2
+++ b/deployment/roles/vitamui/templates/referential/application.yml.j2
@@ -28,11 +28,11 @@ server:
 port: {{ vitamui_struct.port_service }}
 {% if vitamui_struct.secure | default(secure) | bool == true %}
 ssl:
- key-store: {{ vitamui_folder_conf }}/keystore_{{ vitamui_struct.service_name | default(service_name) }}.jks
+ key-store: {{ vitamui_folder_conf }}/keystore_server_{{ vitamui_struct.vitamui_component }}.p12
 key-store-password: {{ password_keystore_server }}
 key-password: {{ password_keystore_server }}
- trust-store: {{ vitamui_folder_conf }}/truststore_{{ vitamui_certificate_type }}.jks
- trust-store-password: {{ password_truststore }}
+ trust-store: {{ vitamui_folder_conf }}/truststore_vitamui.p12
+ trust-store-password: {{ truststore_vitamui }}
 client-auth: want
 client-certificate-header-name: {{ vitamui.api_gateway.client_certificate_header_name | default('x-ssl-cert') }}
 {% endif %}
@@ -72,28 +72,30 @@ referential:
 security-client:
 server-host: {{ vitamui.security.host }}
 server-port: {{ vitamui.security.port_service }}
-{% if vitamui.security.secure | default(secure) | bool == true %}
- secure: {{ vitamui.security.secure | default(secure) | lower }}
+{% if vitamui.security.secure | default(secure) | bool %}
+ secure: true
 ssl-configuration:
+ keystore:
+ key-path: {{ vitamui_folder_conf }}/keystore_client_{{ vitamui_struct.vitamui_component }}.p12
+ key-password: {{ password_keystore_client }}
 truststore:
- key-path: {{ vitamui_folder_conf }}/truststore_{{ vitamui_certificate_type }}.jks
- key-password: {{ password_truststore }}
- hostname-verification: true
+ key-path: {{ vitamui_folder_conf }}/truststore_vitamui.p12
+ key-password: {{ truststore_vitamui }}
+ hostname-verification: {{ vitamui.security.ssl_hostname_verification | default(ssl_hostname_verification) | lower }}
 {% endif %}
 iam-client:
 server-host: {{ vitamui.iam.host }}
 server-port: {{ vitamui.iam.port_service }}
-{% if vitamui.iam.secure | default(secure) | bool == true %}
- secure: {{ vitamui.iam.secure | default(secure) | lower }}
+{% if vitamui.iam.secure | default(secure) | bool %}
+ secure: true
 ssl-configuration:
 keystore:
- key-path: {{ vitamui_folder_conf }}/keystore_client_{{ vitamui_struct.service_name | default(service_name) }}.jks
+ key-path: {{ vitamui_folder_conf }}/keystore_client_{{ vitamui_struct.vitamui_component }}.p12
 key-password: {{ password_keystore_client }}
- type: JKS
 truststore:
- key-path: {{ vitamui_folder_conf }}/truststore_{{ vitamui_certificate_type }}.jks
- key-password: {{ password_truststore }}
- hostname-verification: true
+ key-path: {{ vitamui_folder_conf }}/truststore_vitamui.p12
+ key-password: {{ truststore_vitamui }}
+ hostname-verification: {{ vitamui.iam.ssl_hostname_verification | default(ssl_hostname_verification) | lower }}
 {% endif %}
 {% if external_archiving_systems is defined %}
@@ -112,7 +114,7 @@ referential:
 key-path: {{ vitamui_folder_conf }}/keystore_external_archiving_system_{{ clientConfig.archiving_system_id }}.p12
 key-password: {{ external_archiving_systems.keystore_password[clientConfig.archiving_system_id] }}
 truststore:
- key-path: {{ vitamui_folder_conf }}/truststore_external_archiving_system_{{ clientConfig.archiving_system_id }}.jks
+ key-path: {{ vitamui_folder_conf }}/truststore_external_archiving_system_{{ clientConfig.archiving_system_id }}.p12
 key-password: {{ external_archiving_systems.truststore_password[clientConfig.archiving_system_id] }}
 {% endfor %}
 {% endif %}
diff --git a/deployment/roles/vitamui/templates/security/application.yml.j2 b/deployment/roles/vitamui/templates/security/application.yml.j2
index bd5940c9b0a..cec7c729fe4 100644
--- a/deployment/roles/vitamui/templates/security/application.yml.j2
+++ b/deployment/roles/vitamui/templates/security/application.yml.j2
@@ -25,11 +25,11 @@ server:
 port: {{ vitamui_struct.port_service }}
 {% if vitamui_struct.secure | default(secure) | bool == true %}
 ssl:
- key-store: {{ vitamui_folder_conf }}/keystore_{{ vitamui_struct.service_name | default(service_name) }}.jks
+ key-store: {{ vitamui_folder_conf }}/keystore_server_{{ vitamui_struct.vitamui_component }}.p12
 key-store-password: {{ password_keystore_server }}
 key-password: {{ password_keystore_server }}
- trust-store: {{ vitamui_folder_conf }}/truststore_{{ vitamui_certificate_type }}.jks
- trust-store-password: {{ password_truststore }}
+ trust-store: {{ vitamui_folder_conf }}/truststore_vitamui.p12
+ trust-store-password: {{ truststore_vitamui }}
 {% endif %}
 max-http-request-header-size: {{ vitamui_struct.server_max_http_header_size | default('10KB') }}
 tomcat:
diff --git a/deployment/scripts/mongod/v9.1/0-00_security.populate_certificates.js.j2 b/deployment/scripts/mongod/v9.1/0-00_security.populate_certificates.js.j2
index 885bccf9887..2254451d549 100644
--- a/deployment/scripts/mongod/v9.1/0-00_security.populate_certificates.js.j2
+++ b/deployment/scripts/mongod/v9.1/0-00_security.populate_certificates.js.j2
@@ -4,36 +4,28 @@
 print("START v9.1.0-00_security.populate_certificates.js");
 dbSecurity.certificates.deleteMany({});
-{% macro insertCertificate(pemFile, contextId, host) -%}
-dbSecurity.certificates.insertOne({
- "_id": "{{ host+'_' if (host is defined and host != '') else '' }}{{ pemFile | basename | replace('.pem','_cert') }}",
- "contextId": "{{ contextId }}",
- "subjectDN": "subjectDN",
- "issuerDN": "issuerDN",
- "serialNumber": "serialNumberAdmin",
- "data": "{{ lookup('file', pemFile) | cert_to_str() }}"
-})
+{% macro insertCertificate(pemFile, contextId, groupName) -%}
+ {% if groups[groupName] | default([]) | length > 0 %}
+ dbSecurity.certificates.insertOne({
+ "_id": "{{ pemFile | basename | replace('.pem','_cert') }}",
+ "contextId": "{{ contextId }}",
+ "subjectDN": "subjectDN",
+ "issuerDN": "issuerDN",
+ "serialNumber": "serialNumberAdmin",
+ "data": "{{ lookup('file', pemFile) | cert_to_str() }}"
+ })
+ {% endif %}
 {%- endmacro %}
-{% macro process(keyPath, contextId, groupName) -%}
- {% if groupName is defined and groupName != '' %}
- {% for host in groups[groupName] %}
- {{ insertCertificate(keyPath | replace('%host%', host), contextId, host) }}
- {% endfor %}
- {% else %}
- {{ insertCertificate(keyPath, contextId) }}
- {% endif %}
-{%- endmacro %}
-
-{{ process(pki_dir + '/vitamui-services/clients/cas-server/cas-server.pem', 'cas_context') }}
+{{ insertCertificate(pki_dir + '/vitamui-services/clients/cas-server/cas-server.pem', 'cas_context', 'hosts_cas_server') }}
-{{ process(pki_dir + '/vitamui-services/clients/ui-portal/ui-portal.pem', 'ui_portal_context') }}
-{{ process(pki_dir + '/vitamui-services/clients/ui-identity/ui-identity.pem', 'ui_identity_context') }}
-{{ process(pki_dir + '/vitamui-services/clients/ui-identity-admin/ui-identity-admin.pem', 'ui_admin_identity_context') }}
-{{ process(pki_dir + '/vitamui-services/clients/ui-referential/ui-referential.pem', 'ui_referential_context') }}
-{{ process(pki_dir + '/vitamui-services/clients/ui-archive-search/ui-archive-search.pem', 'ui_archive_search_context') }}
-{{ process(pki_dir + '/vitamui-services/clients/ui-ingest/ui-ingest.pem', 'ui_ingest_context') }}
-{{ process(pki_dir + '/vitamui-services/clients/ui-pastis/ui-pastis.pem', 'ui_pastis_context') }}
-{{ process(pki_dir + '/vitamui-services/clients/ui-collect/ui-collect.pem', 'ui_collect_context') }}
+{{ insertCertificate(pki_dir + '/vitamui-services/clients/ui-portal/ui-portal.pem', 'ui_portal_context', 'hosts_ui_portal') }}
+{{ insertCertificate(pki_dir + '/vitamui-services/clients/ui-identity/ui-identity.pem', 'ui_identity_context', 'hosts_ui_identity') }}
+{{ insertCertificate(pki_dir + '/vitamui-services/clients/ui-identity-admin/ui-identity-admin.pem', 'ui_admin_identity_context', 'hosts_ui_identity_admin') }}
+{{ insertCertificate(pki_dir + '/vitamui-services/clients/ui-referential/ui-referential.pem', 'ui_referential_context', 'hosts_ui_referential') }}
+{{ insertCertificate(pki_dir + '/vitamui-services/clients/ui-archive-search/ui-archive-search.pem', 'ui_archive_search_context', 'hosts_ui_archive_search') }}
+{{ insertCertificate(pki_dir + '/vitamui-services/clients/ui-ingest/ui-ingest.pem', 'ui_ingest_context', 'hosts_ui_ingest') }}
+{{ insertCertificate(pki_dir + '/vitamui-services/clients/ui-pastis/ui-pastis.pem', 'ui_pastis_context', 'hosts_ui_pastis') }}
+{{ insertCertificate(pki_dir + '/vitamui-services/clients/ui-collect/ui-collect.pem', 'ui_collect_context', 'hosts_ui_collect') }}
 print("END v9.1.0-00_security.populate_certificates.js");
diff --git a/dev-deployment/environments/group_vars/all/vault-keystores.yml b/dev-deployment/environments/group_vars/all/vault-keystores.yml
index 26285b361b4..b517d4e844a 100644
--- a/dev-deployment/environments/group_vars/all/vault-keystores.yml
+++ b/dev-deployment/environments/group_vars/all/vault-keystores.yml
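Review bot: `insertCertificate` now renders nothing at all when `groups[groupName]` is empty or absent, so a typo in one of the hard-coded group names (`'hosts_ui_portal'` and the others) silently yields a security database with no certificate for that context, which only surfaces later as a client-authentication failure against that service. An `{% else %}` branch that leaves a trace in the script output makes the skip visible in the mongo log, e.g. `{% else %}` / `print("SKIP {{ contextId }}: no hosts in group {{ groupName }}, certificate not inserted");` / `{% endif %}`. The `_id` also drops the former host prefix, so one document per component is inserted however many hosts the group has; that matches the one-keystore-per-component layout elsewhere in this commit but deserves a one-line comment on the macro so nobody reintroduces per-host ids by accident.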
@@ -1,112 +1,62 @@ $ANSIBLE_VAULT;1.1;AES256 -30396239396664383239366233316565613635636564346364613963646261386365363766336339 -6264333930336432346535313939383566313164666437330a323366613032383565353865633732 -31623264356436656331393033613937306234306238373261363530326461643831663366616465 -3838393065316264610a306135343137313531373361323661356238656463363565653766653634 -30633133633364646464623436323038393663303431663834373733323866656535363238396230 -30333066373136303334316536383861623136383532613738303364663031626265383838643432 -32333031376362326434323765383736623664633333633465303837383434326561343664356231 -36343966356139386335353932313838643030353533383164363261653734396139306264303762 -65663361643163616130646163383534336239653733363363356130343533326262333332396632 -36623664333765396231356664303563363638303333633535316334346165333362633230376661 -35306165396666383733323037303639393831363036306665336333623531393334663737376633 -63363331356437383963633862333134623666363534316265353435303732386538373239646135 -32646666353564306531643730303233613236326639653632333564663865636532353335323736 -65373662303539353939336363626330346264626564656536313730316237363161326430623039 -39613033363531326539636463353464336665386633643432393130636530633134326330613266 -38316137656462363632326664376339643834666631356530376666643837356338326462366530 -64653063653632346364313536333130383032663861656365663638373139373532303861666330 -63346332373138393533646139376237313462626466353135373836373834383932303937343262 -65646230646531333735656430353437366235333864643163306366363638663636393231393962 -32383333353835316339643465393631633237363432343535316439323861366364356535363135 -61303161333362616133643962626234653630356636303863353538636135636638643334396139 -61393665343232386334643765323462376333636463613363393534393963643064393036313232 -38663934303039313264386531356132376430613234616235383234363336323239616637643961 
-32383963396130393964303135383435653331613462336135326535353133396435663139626338 -37393366393563393935663937316434613939663830326434366634633435663634333261306331 -62646235313437663433333538363766613465666234396465393537346565336465383863633139 -34633862363864613839343037386566303239326162333435346136323661643363353765363762 -35366563653166646665313834663530386666316462653761386530653961363562363034616333 -33386633666237336533663861623933643638346166353965646338626163356237383433646236 -63343265313733393565613164366562653766343237326366656462303439633836333231386365 -65373961663564383334373938666334356430353033366636636462373764323065333061373934 -66333064373238366438623164633861656135393634393365323237303230643632323635373061 -33613461656531616330356232373764656561656133313334333665636162383666653064316664 -38376564663130383133643633653336323064366536346465366162376633326537376462653130 -62633663396162383534353861646630663339663365626134336333653963383739623466313336 -61656538333833393264313536613466323536656434326634343334646434336335656233316633 -35616235343436653339313865666535393262666131656233336466323335623335306162373062 -61393738623437346162346634323331396439623036633737643532656236623036623430666564 -31316135613132333063313737653464313766373334343036393161346237356434643130633939 -33383361383533343238373061323731653763653463613766383264636239643365353366653065 -39313233303734663937636239643437313135353439313761663562376234623739326665626139 -66306363306132636233353431643266626630306631663536623632623564306132323166373732 -36343435353537663538636138616364326636653036633733373830643433653463646530366433 -64396638613330316235343338353435303862666536616536323761346430633166616434336165 -33663535303936653730313439336161323736646364333834323965666332613365313738613636 -63343864616331633833386132393034343538303835646333353930386435386533386137393138 -61353763316238383366616337376365376666366632393264633231666532633266323766373464 
-64383636306239333531343532616133396562303235343535396566313233613265643634326539 -34333862326263663264346139323031346533336430616566333130373935303831336661353234 -37326466333534393864303061323833343761333830303333343737373937363164373765613939 -66326261333561343262666533373037663266653439313664376330376261663932363037303738 -38323761316661373238323662613634356161336563616364353036303736316539303138633763 -66663561656331306337353633396334613566393132623635313365653962366636376237346538 -65663838383730633931343266613030336263316461373835646234313266646664616463383239 -37343230313661333836326466306236633136623865383936346364306635333433656263373035 -31323433653331383563323761316637343163323532326439653463366131666336386636316265 -31333437636538363937303236326138653464626332666462343062303837313132323533616632 -61316461306265333434386533336233333765666335653663373439623130336164646561393166 -31376339666631313938656566323638613063613139653335383766316431633731656665373461 -36323265333234316664353061353265353861666335623663306530306632366363646662353363 -62613965643932623839383937326566366333396365303864396239343830316134366531653831 -63333632633661356537366563393635373833613561656562633730363832306138363166353131 -32336366663233306462323337346139393162313036366533343335646537343334653333646666 -65383932306463333364373134333836663663303663336337343638346233656461616636643934 -63633138316135646265643233373131623766633666373662653237343764303961316335613836 -61346435313239333964313862393065616339393236663661633338613536336634393131376430 -66626664636262633831613734386262313532333838386362636338633935326435393037626137 -30323636643863376639356530363432333435316264633536386661396235333232646632313465 -62333032636663313061373834343734663765663631393936343536346235346561363166313533 -34313637663961383361356538383739613832343232323363626162333461323131633663393665 -64633064373134633766386536346633393534346439663537343862336232343136373038313830 
-31336662303631383238663962663435356565363730343030623534353739653363353736383861 -35326632613836396534313737656565336234396331333461353135303865383535373938623635 -63663839613630303731393764653738336338636461663761393837663966333235613432306137 -66353934346235643164356335316630396361326366393862386431636562393830666437666130 -38336463643866383036653537653835656637376130393063336636343536633630373365376130 -39623835333263666334353038353331646538356138356666386536323735396436353339656133 -62646361626365633438366461333463316431383664616463336637333565323935393364656234 -65383336313062326135643135653333653238646438626533306330646334363836393234396561 -65373964373932363230333536636331396166646635376465626436616437353965626434666632 -36623637653864383939626466633862376336666462393134656363636262663332343233653064 -62376536636461666437653335366166636563386132373162393634366137613166363533343138 -32373361666436376238323766646637323364313762643939306534623230396539613162613432 -33633931386437323365656438333062376339626631333933366364366439623734373034316661 -65333638306266373236633238376661326231616133353062363134613739656233333131656336 -65353430373361353831633165303363316366333864653333616331323366396261363732343930 -63313037323331666330656633663165356163663735616563626537313834373531323637623739 -65333834636335316630613238373335653562323139656336343461653236663236626431323166 -63323164323436643362363439353363306431613661346262353239656239363761306564643730 -38623933363030613335633064323365363638323964333833376237636161346438643136656332 -34653433346435626633363936623162303566383061323632313436356362303931383739333661 -32376336303264396537346265326536363537633630656366613234373963323834393333333661 -63343364303836616464386264326266656633666230353264663930326338623137313338623561 -38346561343461633534656634633263306636636633313535393139353565356631383263383037 -30626235343832383234396462333435356234373630353931643936316339383432323835306165 
-63646234653339643137336562373931346439376234613964393238386662383030343235656261 -37323434323230386636383661396338323033333430336264663130343364343837643433663139 -36343732323932386631343066383334346439623637346464326633383337653435393638613831 -36646166343364316435663234306233613061396434666536646132626330643262323566633635 -63383731386635643836303461323138396533393634373836333261623337636236383262663639 -63326432666330666334646539353561633065303338633266383265343830636532656632306334 -63656439633138623334616662653434373130633437663366633637303437383430663935303835 -38376131353662643335333766323138343430366664303761633038623963373433366238343739 -66323865383062353030393163663137663465393032383439336130386230303631633235313864 -36383233643432636165376535643637623133623938626639613130623163353963383337396265 -61343433326163373633633266383230343636633436663964643434383530623437336266376235 -36333366393131326335346166333463303339626638643432313061313566623862393638353863 -31633434363634343335613334356335313865643162353137363933383930643436616237383064 -35356138343366326164363839306361323739346463323236663331386438643066363961616632 -35386638316466666631636233613962653335663732666661666264623936333861643531366231 -383230613232396537323835653635373532 +38653438626234393863333436313833643630343538386163376430633131396561643362643161 +3766363862326436646163396162633630336130333331620a633336353165393932616539633765 +38333363313633633661343432333635393536303363643831343937333463623265303663666435 +6334613331356339610a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diff --git a/dev-deployment/environments/group_vars/all/vault-keystores.yml.example b/dev-deployment/environments/group_vars/all/vault-keystores.yml.example index e4d1e835f9b..ecaea3c6700 100644 --- a/dev-deployment/environments/group_vars/all/vault-keystores.yml.example +++ b/dev-deployment/environments/group_vars/all/vault-keystores.yml.example 
@@ -1,41 +1,24 @@
 ---
-keystores_server_vitamui_services_api_gateway: changeme
-keystores_server_vitamui_services_archive_search: changeme
-keystores_server_vitamui_services_cas_server: changeme
-keystores_server_vitamui_services_collect: changeme
-keystores_server_vitamui_services_iam: changeme
-keystores_server_vitamui_services_ingest: changeme
-keystores_server_vitamui_services_pastis: changeme
-keystores_server_vitamui_services_referential: changeme
-keystores_server_vitamui_services_reverse: changeme
-keystores_server_vitamui_services_security: changeme
-keystores_server_vitamui_services_ui_archive_search: changeme
-keystores_server_vitamui_services_ui_collect: changeme
-keystores_server_vitamui_services_ui_design_system: changeme
-keystores_server_vitamui_services_ui_identity: changeme
-keystores_server_vitamui_services_ui_identity_admin: changeme
-keystores_server_vitamui_services_ui_ingest: changeme
-keystores_server_vitamui_services_ui_pastis: changeme
-keystores_server_vitamui_services_ui_portal: changeme
-keystores_server_vitamui_services_ui_referential: changeme
-keystores_client_external_customer_x: changeme
-truststores_client_external: changeme
-keystores_client_vitam_vitamui: changeme
-truststores_client_vitam: changeme
-keystores_client_vitamui_services_api_gateway: changeme
-keystores_client_vitamui_services_archive_search: changeme
-keystores_client_vitamui_services_cas_server: changeme
-keystores_client_vitamui_services_collect: changeme
-keystores_client_vitamui_services_iam: changeme
-keystores_client_vitamui_services_ingest: changeme
-keystores_client_vitamui_services_pastis: changeme
-keystores_client_vitamui_services_referential: changeme
-keystores_client_vitamui_services_ui_archive_search: changeme
-keystores_client_vitamui_services_ui_collect: changeme
-keystores_client_vitamui_services_ui_identity: changeme
-keystores_client_vitamui_services_ui_identity_admin: changeme
-keystores_client_vitamui_services_ui_ingest: changeme
-keystores_client_vitamui_services_ui_pastis: changeme
-keystores_client_vitamui_services_ui_portal: changeme
-keystores_client_vitamui_services_ui_referential: changeme
-truststores_vitamui: changeme
+keystore_server_vitamui_services_api_gateway: changeme
+keystore_server_vitamui_services_archive_search: changeme
+keystore_server_vitamui_services_cas_server: changeme
+keystore_server_vitamui_services_collect: changeme
+keystore_server_vitamui_services_iam: changeme
+keystore_server_vitamui_services_ingest: changeme
+keystore_server_vitamui_services_pastis: changeme
+keystore_server_vitamui_services_referential: changeme
+keystore_server_vitamui_services_reverse: changeme
+keystore_server_vitamui_services_security: changeme
+keystore_client_external_customer_x: changeme
+truststore_client_external: changeme
+keystore_client_vitam_vitamui: changeme
+truststore_client_vitam: changeme
+keystore_client_vitamui_services_api_gateway: changeme
+keystore_client_vitamui_services_archive_search: changeme
+keystore_client_vitamui_services_cas_server: changeme
+keystore_client_vitamui_services_collect: changeme
+keystore_client_vitamui_services_iam: changeme
+keystore_client_vitamui_services_ingest: changeme
+keystore_client_vitamui_services_pastis: changeme
+keystore_client_vitamui_services_referential: changeme
+truststore_vitamui: changeme
diff --git a/dev-deployment/environments/keystores/vitamui-services/clients/ui-archive-search/keystore_ui-archive-search.jks b/dev-deployment/environments/keystores/vitamui-services/clients/ui-archive-search/keystore_ui-archive-search.jks
deleted file mode 100644
index 111159abe8c..00000000000
Binary files a/dev-deployment/environments/keystores/vitamui-services/clients/ui-archive-search/keystore_ui-archive-search.jks and /dev/null differ
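Review bot: Every vault variable in this example is renamed (`keystores_*`/`truststores_*` become `keystore_*`/`truststore_*`) and the 17 `*_ui_*` entries are dropped, but nothing in the file tells an operator that an existing `vault-keystores.yml` must be migrated in step. Because the real vault is ansible-vault encrypted, a stale variable name cannot be spotted in review and only surfaces as an undefined-variable failure when a playbook that reads these variables runs. I'd add a header comment under the `---`, e.g. `# Variable names changed: keystores_* -> keystore_*, truststores_* -> truststore_*; re-key existing vaults and drop the ui_* entries, which are no longer used here`, and state on the same comment that the `changeme` placeholders are for the example only and must be replaced before the vault is encrypted for a real environment. Whether the ui_* services now take their passwords from another variable is not visible in this hunk; if they do, the comment should name it.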
diff --git a/dev-deployment/environments/keystores/vitamui-services/clients/ui-archive-search/keystore_ui-archive-search.p12 b/dev-deployment/environments/keystores/vitamui-services/clients/ui-archive-search/keystore_ui-archive-search.p12
deleted file mode 100644
index bb3242281a3..00000000000
Binary files a/dev-deployment/environments/keystores/vitamui-services/clients/ui-archive-search/keystore_ui-archive-search.p12 and /dev/null differ
diff --git a/dev-deployment/environments/keystores/vitamui-services/clients/ui-collect/keystore_ui-collect.jks b/dev-deployment/environments/keystores/vitamui-services/clients/ui-collect/keystore_ui-collect.jks
deleted file mode 100644
index 0d973686705..00000000000
Binary files a/dev-deployment/environments/keystores/vitamui-services/clients/ui-collect/keystore_ui-collect.jks and /dev/null differ
diff --git a/dev-deployment/environments/keystores/vitamui-services/clients/ui-collect/keystore_ui-collect.p12 b/dev-deployment/environments/keystores/vitamui-services/clients/ui-collect/keystore_ui-collect.p12
deleted file mode 100644
index 62439ee3567..00000000000
Binary files a/dev-deployment/environments/keystores/vitamui-services/clients/ui-collect/keystore_ui-collect.p12 and /dev/null differ
diff --git a/dev-deployment/environments/keystores/vitamui-services/clients/ui-identity-admin/keystore_ui-identity-admin.jks b/dev-deployment/environments/keystores/vitamui-services/clients/ui-identity-admin/keystore_ui-identity-admin.jks
deleted file mode 100644
index 6e908d43179..00000000000
Binary files a/dev-deployment/environments/keystores/vitamui-services/clients/ui-identity-admin/keystore_ui-identity-admin.jks and /dev/null differ
diff --git a/dev-deployment/environments/keystores/vitamui-services/clients/ui-identity-admin/keystore_ui-identity-admin.p12 b/dev-deployment/environments/keystores/vitamui-services/clients/ui-identity-admin/keystore_ui-identity-admin.p12
deleted file mode 100644
index c824d54b0e2..00000000000
Binary files a/dev-deployment/environments/keystores/vitamui-services/clients/ui-identity-admin/keystore_ui-identity-admin.p12 and /dev/null differ
diff --git a/dev-deployment/environments/keystores/vitamui-services/clients/ui-identity/keystore_ui-identity.jks b/dev-deployment/environments/keystores/vitamui-services/clients/ui-identity/keystore_ui-identity.jks
deleted file mode 100644
index 2e7fdbdeddd..00000000000
Binary files a/dev-deployment/environments/keystores/vitamui-services/clients/ui-identity/keystore_ui-identity.jks and /dev/null differ
diff --git a/dev-deployment/environments/keystores/vitamui-services/clients/ui-identity/keystore_ui-identity.p12 b/dev-deployment/environments/keystores/vitamui-services/clients/ui-identity/keystore_ui-identity.p12
deleted file mode 100644
index 7503f95a620..00000000000
Binary files a/dev-deployment/environments/keystores/vitamui-services/clients/ui-identity/keystore_ui-identity.p12 and /dev/null differ
diff --git a/dev-deployment/environments/keystores/vitamui-services/clients/ui-ingest/keystore_ui-ingest.jks b/dev-deployment/environments/keystores/vitamui-services/clients/ui-ingest/keystore_ui-ingest.jks
deleted file mode 100644
index fcdfaed0630..00000000000
Binary files a/dev-deployment/environments/keystores/vitamui-services/clients/ui-ingest/keystore_ui-ingest.jks and /dev/null differ
diff --git a/dev-deployment/environments/keystores/vitamui-services/clients/ui-ingest/keystore_ui-ingest.p12 b/dev-deployment/environments/keystores/vitamui-services/clients/ui-ingest/keystore_ui-ingest.p12
deleted file mode 100644
index d14c42349c9..00000000000
Binary files a/dev-deployment/environments/keystores/vitamui-services/clients/ui-ingest/keystore_ui-ingest.p12 and /dev/null differ
diff --git a/dev-deployment/environments/keystores/vitamui-services/clients/ui-pastis/keystore_ui-pastis.jks b/dev-deployment/environments/keystores/vitamui-services/clients/ui-pastis/keystore_ui-pastis.jks
deleted file mode 100644
index fcc5c3b50d7..00000000000
Binary files a/dev-deployment/environments/keystores/vitamui-services/clients/ui-pastis/keystore_ui-pastis.jks and /dev/null differ
diff --git a/dev-deployment/environments/keystores/vitamui-services/clients/ui-pastis/keystore_ui-pastis.p12 b/dev-deployment/environments/keystores/vitamui-services/clients/ui-pastis/keystore_ui-pastis.p12
deleted file mode 100644
index bc430efe4e5..00000000000
Binary files a/dev-deployment/environments/keystores/vitamui-services/clients/ui-pastis/keystore_ui-pastis.p12 and /dev/null differ
diff --git a/dev-deployment/environments/keystores/vitamui-services/clients/ui-portal/keystore_ui-portal.jks b/dev-deployment/environments/keystores/vitamui-services/clients/ui-portal/keystore_ui-portal.jks
deleted file mode 100644
index 05fbcdc3805..00000000000
Binary files a/dev-deployment/environments/keystores/vitamui-services/clients/ui-portal/keystore_ui-portal.jks and /dev/null differ
diff --git a/dev-deployment/environments/keystores/vitamui-services/clients/ui-portal/keystore_ui-portal.p12 b/dev-deployment/environments/keystores/vitamui-services/clients/ui-portal/keystore_ui-portal.p12
deleted file mode 100644
index 9d6770d0aa9..00000000000
Binary files a/dev-deployment/environments/keystores/vitamui-services/clients/ui-portal/keystore_ui-portal.p12 and /dev/null differ
diff --git a/dev-deployment/environments/keystores/vitamui-services/clients/ui-referential/keystore_ui-referential.jks b/dev-deployment/environments/keystores/vitamui-services/clients/ui-referential/keystore_ui-referential.jks
deleted file mode 100644
index bda7f542684..00000000000
Binary files a/dev-deployment/environments/keystores/vitamui-services/clients/ui-referential/keystore_ui-referential.jks and /dev/null differ
diff --git a/dev-deployment/environments/keystores/vitamui-services/clients/ui-referential/keystore_ui-referential.p12 b/dev-deployment/environments/keystores/vitamui-services/clients/ui-referential/keystore_ui-referential.p12
deleted file mode 100644
index 929427be2fb..00000000000
Binary files a/dev-deployment/environments/keystores/vitamui-services/clients/ui-referential/keystore_ui-referential.p12 and /dev/null differ
diff --git a/dev-deployment/environments/keystores/vitamui-services/server/ui-archive-search/keystore_ui-archive-search.jks b/dev-deployment/environments/keystores/vitamui-services/server/ui-archive-search/keystore_ui-archive-search.jks
deleted file mode 100644
index 69fc974de36..00000000000
Binary files a/dev-deployment/environments/keystores/vitamui-services/server/ui-archive-search/keystore_ui-archive-search.jks and /dev/null differ
diff --git a/dev-deployment/environments/keystores/vitamui-services/server/ui-collect/keystore_ui-collect.jks b/dev-deployment/environments/keystores/vitamui-services/server/ui-collect/keystore_ui-collect.jks
deleted file mode 100644
index aea444bc296..00000000000
Binary files a/dev-deployment/environments/keystores/vitamui-services/server/ui-collect/keystore_ui-collect.jks and /dev/null differ
diff --git a/dev-deployment/environments/keystores/vitamui-services/server/ui-design-system/keystore_ui-design-system.jks b/dev-deployment/environments/keystores/vitamui-services/server/ui-design-system/keystore_ui-design-system.jks
deleted file mode 100644
index 6dba6995225..00000000000
Binary files a/dev-deployment/environments/keystores/vitamui-services/server/ui-design-system/keystore_ui-design-system.jks and /dev/null differ
diff --git a/dev-deployment/environments/keystores/vitamui-services/server/ui-identity-admin/keystore_ui-identity-admin.jks b/dev-deployment/environments/keystores/vitamui-services/server/ui-identity-admin/keystore_ui-identity-admin.jks
deleted file mode 100644
index 33b7d88053a..00000000000
Binary files a/dev-deployment/environments/keystores/vitamui-services/server/ui-identity-admin/keystore_ui-identity-admin.jks and /dev/null differ
diff --git a/dev-deployment/environments/keystores/vitamui-services/server/ui-identity/keystore_ui-identity.jks b/dev-deployment/environments/keystores/vitamui-services/server/ui-identity/keystore_ui-identity.jks
deleted file mode 100644
index 95467c0f60b..00000000000
Binary files a/dev-deployment/environments/keystores/vitamui-services/server/ui-identity/keystore_ui-identity.jks and /dev/null differ
diff --git a/dev-deployment/environments/keystores/vitamui-services/server/ui-ingest/keystore_ui-ingest.jks b/dev-deployment/environments/keystores/vitamui-services/server/ui-ingest/keystore_ui-ingest.jks
deleted file mode 100644
index 454f0f83843..00000000000
Binary files a/dev-deployment/environments/keystores/vitamui-services/server/ui-ingest/keystore_ui-ingest.jks and /dev/null differ
diff --git a/dev-deployment/environments/keystores/vitamui-services/server/ui-pastis/keystore_ui-pastis.jks b/dev-deployment/environments/keystores/vitamui-services/server/ui-pastis/keystore_ui-pastis.jks
deleted file mode 100644
index 6c13fe1b363..00000000000
Binary files a/dev-deployment/environments/keystores/vitamui-services/server/ui-pastis/keystore_ui-pastis.jks and /dev/null differ
diff --git a/dev-deployment/environments/keystores/vitamui-services/server/ui-portal/keystore_ui-portal.jks b/dev-deployment/environments/keystores/vitamui-services/server/ui-portal/keystore_ui-portal.jks
deleted file mode 100644
index 48b01f8fa1a..00000000000
Binary files a/dev-deployment/environments/keystores/vitamui-services/server/ui-portal/keystore_ui-portal.jks and /dev/null differ
diff --git a/dev-deployment/environments/keystores/vitamui-services/server/ui-referential/keystore_ui-referential.jks b/dev-deployment/environments/keystores/vitamui-services/server/ui-referential/keystore_ui-referential.jks
deleted file mode 100644
index b651fd39779..00000000000
Binary files a/dev-deployment/environments/keystores/vitamui-services/server/ui-referential/keystore_ui-referential.jks and /dev/null differ
diff --git a/docs/fr/exploitation/sections/external_archiving_systems.md b/docs/fr/exploitation/sections/external_archiving_systems.md
index 9aba7ee0107..83a75444ada 100644
--- a/docs/fr/exploitation/sections/external_archiving_systems.md
+++ b/docs/fr/exploitation/sections/external_archiving_systems.md
@@ -4,9 +4,9 @@ Il est possible de mettre en place des connexions vers des SAE (Systèmes d'Arch Il convient alors de configurer les keystores et truststores des instances cibles dans le dossier `environments/keystores_external_archiving_systems/` dans le dossier de déploiement de l'installation de Vitam-UI. -- `/environments/keystores_external_archiving_systems/keystore_.p12` -- `/environments/keystores_external_archiving_systems/trustore_.jks` -- ... +* `/environments/keystores_external_archiving_systems/keystore_.p12` +* `/environments/keystores_external_archiving_systems/truststore_.p12` +* ... Les mots de passe des keystores et truststores doivent être définis un fichier vault (exemple: `vault_keystores_external_archiving_systems.yml`) à éditer via l'outil ``ansible-vault`` : 
@@ -20,36 +20,34 @@ external_archiving_systems: : truststore_external_system_2_changeit ``` -Les URLs d'accès aux SAE tiers, et les autorisations d'accès par tenant sont à définir dans la configuration ansible : +Les URLs d'accès aux SAE tiers et les autorisations d'accès par tenant sont à définir dans la configuration ansible : ```yml external_archiving_systems: client_configuration: - - archiving_system_id: - name: "EXTERNAL ENV NAME 1" - access_external: - host: - port: - - archiving_system_id: - name: "EXTERNAL ENV NAME 2" - access_external: + - archiving_system_id: + name: "EXTERNAL ENV NAME 1" + access_external: host: port: - - ... + - archiving_system_id: + name: "EXTERNAL ENV NAME 2" + access_external: + host: + port: + - ... tenant_configuration: - - tenant: 2 - external_archiving_system_references: - - archiving_system_id: local # Use "local" as archiving_system_id to reference the current Vitam instance with other tenants - tenantIds: [1, 2, 3] # Target tenants - - archiving_system_id: - tenantIds: [0, 2] - - tenant: 3 - external_archiving_system_references: - - archiving_system_id: - tenantIds: [10] - - ... -``` - ---- + - tenant: 2 + external_archiving_system_references: + - archiving_system_id: local # Use "local" as archiving_system_id to reference the current Vitam instance with other tenants + tenantIds: [1, 2, 3] # Target tenants + - archiving_system_id: + tenantIds: [0, 2] + - tenant: 3 + external_archiving_system_references: + - archiving_system_id: + tenantIds: [10] + - ... +```