Story #15211: Cleaning PKI.

deployment/ansible-vitamui/app_api_gateway.yml

@@ -7,7 +7,7 @@
   vars:
     vitamui_struct: "{{ vitamui.api_gateway }}"
     vitamui_certificate_type: external
-    password_keystore_server: "{{ keystores_server_vitamui_services_api_gateway }}"
-    password_keystore_client: "{{ keystores_client_vitamui_services_api_gateway }}"
-    password_truststore: "{{ truststores_client_external }}"
+    password_keystore_server: "{{ keystore_server_vitamui_services_api_gateway }}"
+    password_keystore_client: "{{ keystore_client_vitamui_services_api_gateway }}"
+    password_truststore: "{{ truststore_client_external }}"
     vitam_cert: "{{ vitam_certs.vitamui }}"

deployment/ansible-vitamui/app_archive_search.yml

@@ -7,7 +7,7 @@
   vars:
     vitamui_struct: "{{ vitamui.archive_search }}"
     vitamui_certificate_type: external
-    password_keystore_server: "{{ keystores_server_vitamui_services_archive_search }}"
-    password_keystore_client: "{{ keystores_client_vitamui_services_archive_search }}"
-    password_truststore: "{{ truststores_client_external }}"
+    password_keystore_server: "{{ keystore_server_vitamui_services_archive_search }}"
+    password_keystore_client: "{{ keystore_client_vitamui_services_archive_search }}"
+    password_truststore: "{{ truststore_client_external }}"
     vitam_cert: "{{ vitam_certs.vitamui }}"

deployment/ansible-vitamui/app_collect.yml

@@ -7,7 +7,7 @@
   vars:
     vitamui_struct: "{{ vitamui.collect }}"
     vitamui_certificate_type: external
-    password_keystore_server: "{{ keystores_server_vitamui_services_collect }}"
-    password_keystore_client: "{{ keystores_client_vitamui_services_collect }}"
-    password_truststore: "{{ truststores_client_external }}"
+    password_keystore_server: "{{ keystore_server_vitamui_services_collect }}"
+    password_keystore_client: "{{ keystore_client_vitamui_services_collect }}"
+    password_truststore: "{{ truststore_client_external }}"
     vitam_cert: "{{ vitam_certs.vitamui }}"

deployment/ansible-vitamui/app_ingest.yml

@@ -7,7 +7,7 @@
   vars:
     vitamui_struct: "{{ vitamui.ingest }}"
     vitamui_certificate_type: external
-    password_keystore_server: "{{ keystores_server_vitamui_services_ingest }}"
-    password_keystore_client: "{{ keystores_client_vitamui_services_ingest }}"
-    password_truststore: "{{ truststores_client_external }}"
+    password_keystore_server: "{{ keystore_server_vitamui_services_ingest }}"
+    password_keystore_client: "{{ keystore_client_vitamui_services_ingest }}"
+    password_truststore: "{{ truststore_client_external }}"
     vitam_cert: "{{ vitam_certs.vitamui }}"

deployment/ansible-vitamui/app_pastis.yml

@@ -7,7 +7,7 @@
   vars:
     vitamui_struct: "{{ vitamui.pastis }}"
     vitamui_certificate_type: external
-    password_keystore_server: "{{ keystores_server_vitamui_services_pastis }}"
-    password_keystore_client: "{{ keystores_client_vitamui_services_pastis }}"
-    password_truststore: "{{ truststores_client_external }}"
+    password_keystore_server: "{{ keystore_server_vitamui_services_pastis }}"
+    password_keystore_client: "{{ keystore_client_vitamui_services_pastis }}"
+    password_truststore: "{{ truststore_client_external }}"
     vitam_cert: "{{ vitam_certs.vitamui }}"

deployment/ansible-vitamui/app_referential.yml

@@ -7,7 +7,7 @@
   vars:
     vitamui_struct: "{{ vitamui.referential }}"
     vitamui_certificate_type: external
-    password_keystore_server: "{{ keystores_server_vitamui_services_referential }}"
-    password_keystore_client: "{{ keystores_client_vitamui_services_referential }}"
-    password_truststore: "{{ truststores_client_external }}"
+    password_keystore_server: "{{ keystore_server_vitamui_services_referential }}"
+    password_keystore_client: "{{ keystore_client_vitamui_services_referential }}"
+    password_truststore: "{{ truststore_client_external }}"
     vitam_cert: "{{ vitam_certs.vitamui }}"

deployment/ansible-vitamui/vitamui_apps.yml

@@ -9,8 +9,8 @@
   vars:
     vitamui_struct: "{{ vitamui.security }}"
     vitamui_certificate_type: server
-    password_keystore_server: "{{ keystores_server_vitamui_services_security }}"
-    password_truststore: "{{ truststores_vitamui }}"
+    password_keystore_server: "{{ keystore_server_vitamui_services_security }}"
+    password_truststore: "{{ truststore_vitamui }}"
   tags: security
 
 # External apps
@@ -22,9 +22,9 @@
   vars:
     vitamui_struct: "{{ vitamui.iam }}"
     vitamui_certificate_type: external
-    password_keystore_server: "{{ keystores_server_vitamui_services_iam }}"
-    password_keystore_client: "{{ keystores_client_vitamui_services_iam }}"
-    password_truststore: "{{ truststores_client_external }}"
+    password_keystore_server: "{{ keystore_server_vitamui_services_iam }}"
+    password_keystore_client: "{{ keystore_client_vitamui_services_iam }}"
+    password_truststore: "{{ truststore_client_external }}"
     vitam_cert: "{{ vitam_certs.vitamui }}"
   tags: iam
 
@@ -37,7 +37,7 @@
   vars:
     vitamui_struct: "{{ vitamui.cas_server }}"
     vitamui_certificate_type: external
-    password_keystore_server: "{{ keystores_server_vitamui_services_cas_server }}"
-    password_keystore_client: "{{ keystores_client_vitamui_services_cas_server }}"
-    password_truststore: "{{ truststores_client_external }}"
+    password_keystore_server: "{{ keystore_server_vitamui_services_cas_server }}"
+    password_keystore_client: "{{ keystore_client_vitamui_services_cas_server }}"
+    password_truststore: "{{ truststore_client_external }}"
   tags: cas-server

deployment/environments/group_vars/all/vitam_vars.yml

@@ -45,18 +45,18 @@ vitam_vars:
 vitam_certs:
   vitamui:
     filename: keystore_vitamui.p12
-    password: "{{ keystores_client_vitam_vitamui }}"
-    truststore_filename: truststore_vitam.jks
-    password_truststore: "{{ truststores_client_vitam }}"
+    password: "{{ keystore_client_vitam_vitamui }}"
+    truststore_filename: truststore_vitam.p12
+    password_truststore: "{{ truststore_client_vitam }}"
 
 
 # Define connection settings for external / third-party Vitam instances (for COLLECT)
 external_archiving_systems:
 
   ## Every external archiving system must have a unique id (only used alphanumeric chars, "_" or "-").
   ## Please ensure corresponding keystore/truststore files are provided :
-  ##  > environments/external_archiving_systems_keystores/keystore_<archiving_system_id>.jks
-  ##  > environments/external_archiving_systems_keystores/truststore_<archiving_system_id>.jks
+  ##  > environments/external_archiving_systems_keystores/keystore_<archiving_system_id>.p12
+  ##  > environments/external_archiving_systems_keystores/truststore_<archiving_system_id>.p12
   ## Please ensure keystore/truststore passwords are defined (in an ansible vault file):
   ##  > external_archiving_systems.keystore_password.<archiving_system_id>: <changeme>
   ##  > external_archiving_systems.truststore_password.<archiving_system_id>: <changeme>

deployment/environments/group_vars/all/vitamui_vars.yml

@@ -66,37 +66,46 @@ vitamui:
   ui_identity:
     vitamui_component: ui-identity
     port_service: 8002
+    secure: false
   ui_identity_admin:
     vitamui_component: ui-identity-admin
     port_service: 8401
+    secure: false
     package_name: vitamui-ui-identity-rsc
   ui_referential:
     vitamui_component: ui-referential
     port_service: 8005
+    secure: false
   ui_portal:
     vitamui_component: ui-portal
     port_service: 8003
+    secure: false
     has_tenant_list: true
     has_lang_selection: true
     has_site_selection: false
   ui_ingest:
     vitamui_component: ui-ingest
     port_service: 8008
+    secure: false
   ui_archive_search:
     vitamui_component: ui-archive-search
     port_service: 8009
+    secure: false
   ui_collect:
     vitamui_component: ui-collect
     port_service: 8010
+    secure: false
 #    offline_services: # Disables online search engines in collect
 #      - agencies
 #      - archive-unit-profiles
   ui_pastis:
     vitamui_component: ui-pastis
     port_service: 9015
+    secure: false
   ui_design_system:
     vitamui_component: ui-design-system
     port_service: 9016
+    secure: false
 
   # Applications
   api_gateway:

deployment/pki/config/ca-config

@@ -7,7 +7,7 @@ default_ca      = ca_root
 
 [ ca_root ]
 dir             = ./pki
-certs           = $dir/ca/client-external
+certs           = $dir/ca/${ENV::OPENSSL_CA_DIR}
 new_certs_dir   = $dir/tempcerts
 database        = $dir/config/${ENV::OPENSSL_CA_DIR}/index.txt
 certificate     = $dir/ca/${ENV::OPENSSL_CA_DIR}/ca-root.crt
@@ -44,7 +44,6 @@ O = vitamui
 OU = authorities
 CN = ${ENV::OPENSSL_CN}
 
-
 # Certificates creation parameters : extensions
 
 [ extension_ca_root ]

deployment/pki/config/crt-config

@@ -22,7 +22,7 @@ unique_subject  = no
 [ policy_match ]
 countryName             = match
 stateOrProvinceName     = match
-localityName		    = match
+localityName            = match
 organizationName        = match
 organizationalUnitName  = optional
 commonName              = supplied
@@ -43,7 +43,6 @@ L = paris
 O = vitamui
 CN = ${ENV::OPENSSL_CN}
 
-
 # Certificates creation parameters : extensions
 
 [ extension_server ]
@@ -66,13 +65,3 @@ basicConstraints                = critical,CA:FALSE
 keyUsage                        = digitalSignature
 nsCertType                      = client
 extendedKeyUsage                = clientAuth
-
-[ extension_timestamping ]
-nsComment                       = "Certificat Serveur SSL"
-subjectKeyIdentifier            = hash
-authorityKeyIdentifier          = keyid,issuer:always
-issuerAltName                   = issuer:copy
-basicConstraints                = critical,CA:FALSE
-keyUsage                        = digitalSignature, nonRepudiation
-nsCertType                      = server
-extendedKeyUsage                = critical,timeStamping

deployment/pki/scripts/generate_certs.sh

@@ -23,7 +23,6 @@ function generateCerts {
     pki_logger "Génération des certificats serveurs"
     # Zone interne
     generateServerCertAndStorePassphrase            security            vitamui-services
-    generateServerAndClientCertAndStorePassphrase   api-gateway         vitamui-services
 
     #Zone externe
     generateServerAndClientCertAndStorePassphrase   iam                 vitamui-services
@@ -33,6 +32,7 @@ function generateCerts {
     generateServerAndClientCertAndStorePassphrase   archive-search      vitamui-services
     generateServerAndClientCertAndStorePassphrase   collect             vitamui-services
     generateServerAndClientCertAndStorePassphrase   pastis              vitamui-services
+    generateServerAndClientCertAndStorePassphrase   api-gateway         vitamui-services
 
     #Zone UI
     generateServerAndClientCertAndStorePassphrase   ui-portal           vitamui-services
@@ -43,10 +43,9 @@ function generateCerts {
     generateServerAndClientCertAndStorePassphrase   ui-archive-search   vitamui-services
     generateServerAndClientCertAndStorePassphrase   ui-collect          vitamui-services
     generateServerAndClientCertAndStorePassphrase   ui-pastis           vitamui-services
-    generateServerCertAndStorePassphrase            ui-design-system    vitamui-services
 
     #Reverse
-    generateServerCertAndStorePassphrase            reverse             hosts_vitamui_reverseproxy    vitamui-services
+    generateServerCertAndStorePassphrase            reverse             vitamui-services
 
     # Example of generated client cert for a customer allowing to perform request on external APIs
     # generateClientCertAndStorePassphrase customer_x              client-external

deployment/pki/scripts/generate_certs_dev.sh

@@ -13,11 +13,11 @@ set -e
 
 REPERTOIRE_ROOT="$( cd "$( readlink -f $(dirname ${BASH_SOURCE[0]}) )/../../../dev-deployment" ; pwd )"
 
-function getHostCertificateCn {
+function getComponentCertificateCn {
     echo "dev.vitamui.com"
 }
 
-function getHostCertificateSan {
+function getComponentCertificateSan {
     echo "DNS:dev.vitamui.com,DNS:localhost"
 }
 
@@ -33,6 +33,7 @@ function generateCerts {
     pki_logger "Génération des certificats serveurs"
     # Zone interne
     generateServerCertAndStorePassphrase            security            vitamui-services
+
     #Zone externe
     generateServerAndClientCertAndStorePassphrase   iam                 vitamui-services
     generateServerAndClientCertAndStorePassphrase   cas-server          vitamui-services
@@ -42,6 +43,7 @@ function generateCerts {
     generateServerAndClientCertAndStorePassphrase   collect             vitamui-services
     generateServerAndClientCertAndStorePassphrase   pastis              vitamui-services
     generateServerAndClientCertAndStorePassphrase   api-gateway         vitamui-services
+
     #Zone UI
     generateServerAndClientCertAndStorePassphrase   ui-portal           vitamui-services
     generateServerAndClientCertAndStorePassphrase   ui-identity         vitamui-services
@@ -51,10 +53,9 @@ function generateCerts {
     generateServerAndClientCertAndStorePassphrase   ui-archive-search   vitamui-services
     generateServerAndClientCertAndStorePassphrase   ui-pastis           vitamui-services
     generateServerAndClientCertAndStorePassphrase   ui-collect          vitamui-services
-    generateServerCertAndStorePassphrase            ui-design-system    vitamui-services
 
     #Reverse
-    generateServerCertAndStorePassphrase            reverse             hosts_vitamui_reverseproxy     vitamui-services
+    generateServerCertAndStorePassphrase            reverse             vitamui-services
 
     # Example of generated client cert for a customer allowing to perform request on external APIs
     generateClientCertAndStorePassphrase            customer_x          client-external