1 change: 1 addition & 0 deletions deployment/ansible-vitamui/vitamui_apps.yml
Expand Up @@ -55,6 +55,7 @@
vitamui_struct: "{{ vitamui.cas_server }}"
vitamui_certificate_type: "external"
password_keystore: "{{ keystores_server_cas_server }}"
password_keystore_client: "{{ keystores_client_external_cas_server }}"
password_truststore: "{{ truststores_client_external }}"
consul_tags: "cas-server, cas, external"
tags:
9 changes: 9 additions & 0 deletions deployment/environments/group_vars/all/vitamui_vars.yml
Expand Up @@ -71,34 +71,43 @@ vitamui:
identity:
vitamui_component: ui-identity
port_service: 8002
secure: false
identity_admin:
vitamui_component: ui-identity-admin
port_service: 8401
package_name: vitamui-ui-identity-rsc
secure: false
referential:
vitamui_component: ui-referential
port_service: 8005
secure: false
portal:
vitamui_component: ui-portal
port_service: 8003
has_tenant_list: true
has_lang_selection: true
has_site_selection: false
secure: false
ingest:
vitamui_component: ui-ingest
port_service: 8008
secure: false
archive_search:
vitamui_component: ui-archive-search
port_service: 8009
secure: false
collect:
vitamui_component: ui-collect
port_service: 8010
secure: false
pastis:
vitamui_component: ui-pastis
port_service: 9015
secure: false
design_system:
vitamui_component: ui-design-system
port_service: 9016
secure: false

# Applications
api_gateway:
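Review bot: Every UI component now carries an explicit `secure: false`, which pins the value instead of inheriting the global `secure` that the proxy templates in this PR resolve with `| default(secure)`; if the UI vhosts are resolved the same way, an operator who enables `secure: true` globally still gets plain-HTTP UI listeners unless each entry is edited by hand. Nothing in the hunk explains why the UI tier, unlike api_gateway and cas_server, is hard-wired to insecure. If the intent is that TLS for the UI tier is terminated at the reverse proxy and the per-service client certificate only protects the upstream hop, say so once above the list, e.g. `# UI vhosts are served over HTTP behind the reverse proxy; only the upstream connection uses TLS`, and consider leaving the keys unset so the global default applies.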
4 changes: 2 additions & 2 deletions deployment/pki/config/crt-config
Expand Up @@ -54,8 +54,8 @@ issuerAltName = issuer:copy
subjectAltName = ${ENV::OPENSSL_SAN}
basicConstraints = critical,CA:FALSE
keyUsage = digitalSignature, keyEncipherment
nsCertType = server, client
extendedKeyUsage = serverAuth, clientAuth
nsCertType = server
extendedKeyUsage = serverAuth

[ extension_client ]
nsComment = "Certificat Client SSL"
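Review bot: Removing `clientAuth` from the server extension section (its header is above the hunk) is the right least-privilege split, but it breaks any component that still presents its host certificate as a TLS client. Both populate_certificates scripts in this PR still register `server/hosts/%host%/iam-internal.pem` under `iam_internal_context`, so if the receiving side checks extended key usage, iam-internal is now rejected while every other client was migrated to a `client-external` certificate. Either issue iam-internal a client certificate too, or make the contract explicit in the config: `# server certs are serverAuth only; any mTLS client must use a cert from [ extension_client ]`.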
21 changes: 12 additions & 9 deletions deployment/pki/scripts/generate_certs.sh
Expand Up @@ -39,16 +39,19 @@ function generateCerts {
generateHostCertAndStorePassphrase collect-external hosts_vitamui_collect_external
generateHostCertAndStorePassphrase pastis-external hosts_vitamui_pastis_external

pki_logger "Génération des certificats clients"
generateClientCertAndStorePassphrase cas-server client-external

#Zone UI
generateHostCertAndStorePassphrase ui-portal hosts_ui_portal
generateHostCertAndStorePassphrase ui-identity hosts_ui_identity
generateHostCertAndStorePassphrase ui-identity-admin hosts_ui_identity_admin
generateHostCertAndStorePassphrase ui-referential hosts_ui_referential
generateHostCertAndStorePassphrase ui-ingest hosts_ui_ingest
generateHostCertAndStorePassphrase ui-archive-search hosts_ui_archive_search
generateHostCertAndStorePassphrase ui-collect hosts_ui_collect
generateHostCertAndStorePassphrase ui-pastis hosts_ui_pastis
generateHostCertAndStorePassphrase ui-design-system hosts_ui_design_system
generateClientCertAndStorePassphrase ui-portal client-external
generateClientCertAndStorePassphrase ui-identity client-external
generateClientCertAndStorePassphrase ui-identity-admin client-external
generateClientCertAndStorePassphrase ui-referential client-external
generateClientCertAndStorePassphrase ui-ingest client-external
generateClientCertAndStorePassphrase ui-archive-search client-external
generateClientCertAndStorePassphrase ui-collect client-external
generateClientCertAndStorePassphrase ui-pastis client-external
generateClientCertAndStorePassphrase ui-design-system client-external

#Reverse
generateHostCertAndStorePassphrase reverse hosts_vitamui_reverseproxy
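Review bot: The new `generateClientCertAndStorePassphrase` list under `#Zone UI` repeats the host-certificate list entry by entry, and the two are already out of step with the rest of the PR: `ui-design-system` gets a client certificate here but is never registered in either populate_certificates script. Driving both calls from one list removes that class of drift, e.g. `for ui in ui-portal ui-identity ui-identity-admin ui-referential ui-ingest ui-archive-search ui-collect ui-pastis ui-design-system; do generateHostCertAndStorePassphrase "$ui" "hosts_${ui//-/_}"; generateClientCertAndStorePassphrase "$ui" client-external; done` (the `hosts_` names visible here all follow that dash-to-underscore mapping). `generateCerts` starts above the hunk and continues below it.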
15 changes: 8 additions & 7 deletions deployment/pki/scripts/lib/certs.sh
Expand Up @@ -20,15 +20,14 @@ function getHostCertificatePath {

# Génération du SubjectAlternate Name pour les certificats serveur.
function getHostCertificateSan {
local HOSTNAME="${1}"
local SERVICE_HOSTNAME="${2}"
local SERVICE_DC_HOSTNAME="${3}"
local REVERSE_SAN="${4}"
local SERVICE_HOSTNAME="${1}"
local SERVICE_DC_HOSTNAME="${2}"
local REVERSE_SAN="${3}"

if [ -n "${REVERSE_SAN}" ]; then
echo "DNS:${SERVICE_HOSTNAME},DNS:${HOSTNAME},DNS:${SERVICE_DC_HOSTNAME},DNS:${REVERSE_SAN}"
echo "DNS:${SERVICE_HOSTNAME},DNS:${SERVICE_DC_HOSTNAME},DNS:${REVERSE_SAN}"
else
echo "DNS:${SERVICE_HOSTNAME},DNS:${HOSTNAME},DNS:${SERVICE_DC_HOSTNAME}"
echo "DNS:${SERVICE_HOSTNAME},DNS:${SERVICE_DC_HOSTNAME}"
fi
}

Expand All @@ -50,7 +49,7 @@ function generateHostCertificate {
local REVERSE_SAN="${8}"

# Correctly set Subject Alternate Name (env var is read inside the openssl configuration file)
export OPENSSL_SAN="$(getHostCertificateSan $HOSTNAME $SERVICE_HOSTNAME $SERVICE_DC_HOSTNAME $REVERSE_SAN)"
export OPENSSL_SAN="$(getHostCertificateSan $SERVICE_HOSTNAME $SERVICE_DC_HOSTNAME $REVERSE_SAN)"
# Correctly set certificate CN (env var is read inside the openssl configuration file)
export OPENSSL_CN="$(getHostCertificateCn $SERVICE_HOSTNAME)"
# Correctly set certificate DIRECTORY (env var is read inside the openssl configuration file)
Expand Down Expand Up @@ -151,8 +150,10 @@ function generateClientCertificate {
local CLIENT_CERTIFICATE_PATH=$(getClientCertificatePath ${CLIENT_TYPE} ${CLIENT_NAME})
mkdir -p "${CLIENT_CERTIFICATE_PATH}"
pki_logger "Generation de la clé..."
# Workaround to avoid passphrase with -nodes option problem while loading passphrase to nginx
openssl req -newkey "${PARAM_KEY_CHIFFREMENT}" \
-passout pass:"${MDP_KEY}" \
-nodes \
-keyout "${CLIENT_CERTIFICATE_PATH}/${CLIENT_NAME}.key" \
-out "${CLIENT_CERTIFICATE_PATH}/${CLIENT_NAME}.req" \
-config "${REPERTOIRE_CONFIG}/crt-config" \
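Review bot: `-nodes` and `-passout pass:"${MDP_KEY}"` contradict each other in `generateClientCertificate`: `-nodes` writes the private key unencrypted, so the passphrase is never applied to the key, yet it is still passed here and, per the caller's name, stored as if it protected something. The change also applies to every client certificate including `cas-server`, although the comment only motivates it for nginx. Drop the `-passout` line and document the consequence, e.g. `# -nodes: key is written in clear so nginx can load it without a passphrase; the .key file itself must be kept 0600`. Whether the output directory created by the `mkdir -p` just above gets restrictive permissions is not visible; the function continues below the hunk.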
4 changes: 2 additions & 2 deletions deployment/pki/scripts/lib/stores.sh
Expand Up @@ -259,8 +259,8 @@ function main() {
# rm -f ${JKS_GRANTED_STORE}
# fi
mkdir -p ${REPERTOIRE_KEYSTORES}/client-${CLIENT_TYPE}
# # client-${CLIENT_TYPE} keystores generation
for COMPONENT in $( ls ${REPERTOIRE_CERTIFICAT}/client-${CLIENT_TYPE}/clients 2>/dev/null | grep -vF -e "README" -e "external" ); do
# Do not generate keystores for ui- components, we don't need them
for COMPONENT in $( ls ${REPERTOIRE_CERTIFICAT}/client-${CLIENT_TYPE}/clients 2>/dev/null | grep -vF -e "README" -e "external" -e "^ui-"); do

# Generate the p12 keystore
pki_logger "-------------------------------------------"
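Review bot: The added `-e "^ui-"` pattern never matches, because `grep -vF` treats every pattern as a fixed string and the `^` is a literal caret, so keystores (and their stored passwords) are still generated for every ui- component despite the comment. Use a regex grep for the anchor, e.g. `grep -vF -e "README" -e "external" | grep -v "^ui-" ); do`, or drop `-F` entirely since the other two patterns contain no metacharacters. Iterating over `ls` output is pre-existing but fragile; a glob such as `for dir in "${REPERTOIRE_CERTIFICAT}/client-${CLIENT_TYPE}/clients"/*/` with `COMPONENT=$(basename "$dir")` would avoid both problems. `main` starts and ends outside the hunk.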
4 changes: 2 additions & 2 deletions deployment/roles/nginx_webapp/tasks/install.yml
Expand Up @@ -60,8 +60,8 @@
owner: "{{ frontend_user }}"
mode: "{{ vitam_defaults.folder.conf_permission }}"
with_fileglob:
- "{{ inventory_dir }}/certs/server/hosts/{{ inventory_hostname }}/{{ vitamui_struct.vitamui_component }}.crt"
- "{{ inventory_dir }}/certs/server/hosts/{{ inventory_hostname }}/{{ vitamui_struct.vitamui_component }}.key"
- "{{ inventory_dir }}/certs/client-external/clients/{{ vitamui_struct.vitamui_component }}/{{ vitamui_struct.vitamui_component }}.crt"
- "{{ inventory_dir }}/certs/client-external/clients/{{ vitamui_struct.vitamui_component }}/{{ vitamui_struct.vitamui_component }}.key"
notify: reload nginx

- name: Put ssl configuration when secure is enabled
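Review bot: The private key `{{ vitamui_struct.vitamui_component }}.key` is installed with the same `mode: "{{ vitam_defaults.folder.conf_permission }}"` as the certificate, and after this PR's `-nodes` change in certs.sh that key is stored in clear, so the mode must be owner-only; the value of `conf_permission` is not visible here, so confirm it is not group- or world-readable, or add a follow-up `file:` task with `mode: "0600"` on the `.key`. Note also that `with_fileglob` yields nothing, silently, when the client certificate was not generated, leaving the vhost's `proxy_ssl_certificate` pointing at a missing file; a `stat`/`assert` on the source before the copy would fail early with a clear message. The task name and module are above the hunk.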
Expand Up @@ -36,7 +36,12 @@ server {
{% endfor %}
deny all; # Deny access to all other IP addresses

proxy_pass {{ 'https' if vitamui.api_gateway.secure | default(secure) | bool else 'http' }}://API-GATEWAY;
{% if vitamui.api_gateway.secure | default(secure) | bool %}
set $api_gateway_dns "vitamui-{{ vitamui.api_gateway.vitamui_component }}.service.{{ consul_domain }}";
proxy_pass https://$api_gateway_dns:{{ vitamui.api_gateway.port_service }};
{% else %}
proxy_pass http://API-GATEWAY;
{% endif %}
proxy_ssl_certificate {{ nginx_ssl_dir }}/{{ vitamui_struct.vitamui_component }}.crt;
proxy_ssl_certificate_key {{ nginx_ssl_dir }}/{{ vitamui_struct.vitamui_component }}.key;
proxy_ssl_session_reuse off;
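Review bot: In the secure branch nginx now proxies over TLS to `$api_gateway_dns`, but nothing in the hunk enables upstream verification; nginx defaults to `proxy_ssl_verify off`, so the gateway's server certificate is never checked and any host answering for that consul name can impersonate it. Add `proxy_ssl_verify on;`, `proxy_ssl_trusted_certificate <truststore pem>;` and `proxy_ssl_server_name on;` next to the `proxy_ssl_certificate` lines unless they are already set below the hunk. A `proxy_pass` with a variable also needs a `resolver` directive in this server block, otherwise nginx cannot resolve the name at request time; that directive is not visible here. The `server {` block starts above the hunk and continues below it.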
Expand Up @@ -25,16 +25,16 @@ db.certificates.insertOne({
{% endif %}
{%- endmacro %}

{{ process('{{ pki_dir }}/server/hosts/%host%/cas-server.pem', 'cas_context', 'hosts_cas_server') }}
{{ process('{{ pki_dir }}/server/hosts/%host%/iam-internal.pem', 'iam_internal_context', 'hosts_vitamui_iam_internal') }}

{{ process('{{ pki_dir }}/server/hosts/%host%/ui-portal.pem', 'ui_portal_context', 'hosts_ui_portal') }}
{{ process('{{ pki_dir }}/server/hosts/%host%/ui-identity.pem', 'ui_identity_context', 'hosts_ui_identity') }}
{{ process('{{ pki_dir }}/server/hosts/%host%/ui-identity-admin.pem', 'ui_admin_identity_context', 'hosts_ui_identity_admin') }}
{{ process('{{ pki_dir }}/server/hosts/%host%/ui-referential.pem', 'ui_referential_context', 'hosts_ui_referential') }}
{{ process('{{ pki_dir }}/server/hosts/%host%/ui-archive-search.pem', 'ui_archive_search_context', 'hosts_ui_archive_search') }}
{{ process('{{ pki_dir }}/server/hosts/%host%/ui-ingest.pem', 'ui_ingest_context', 'hosts_ui_ingest') }}
{{ process('{{ pki_dir }}/server/hosts/%host%/ui-pastis.pem', 'ui_pastis_context', 'hosts_ui_pastis') }}
{{ process('{{ pki_dir }}/server/hosts/%host%/ui-collect.pem', 'ui_collect_context', 'hosts_ui_collect') }}
{{ insertCertificate('{{ pki_dir }}/client-external/clients/cas-server/cas-server.pem', 'cas_context') }}
{{ insertCertificate('{{ pki_dir }}/client-external/clients/ui-portal/ui-portal.pem', 'ui_portal_context') }}
{{ insertCertificate('{{ pki_dir }}/client-external/clients/ui-identity/ui-identity.pem', 'ui_identity_context') }}
{{ insertCertificate('{{ pki_dir }}/client-external/clients/ui-identity-admin/ui-identity-admin.pem', 'ui_admin_identity_context') }}
{{ insertCertificate('{{ pki_dir }}/client-external/clients/ui-referential/ui-referential.pem', 'ui_referential_context') }}
{{ insertCertificate('{{ pki_dir }}/client-external/clients/ui-archive-search/ui-archive-search.pem', 'ui_archive_search_context') }}
{{ insertCertificate('{{ pki_dir }}/client-external/clients/ui-ingest/ui-ingest.pem', 'ui_ingest_context') }}
{{ insertCertificate('{{ pki_dir }}/client-external/clients/ui-pastis/ui-pastis.pem', 'ui_pastis_context') }}
{{ insertCertificate('{{ pki_dir }}/client-external/clients/ui-collect/ui-collect.pem', 'ui_collect_context') }}

print("END security.populate_certificates.js");
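Review bot: `ui-design-system` is issued a `client-external` certificate by generate_certs.sh in this PR and the nginx role copies it, but no `insertCertificate(...)` line registers it here, so if that UI ever calls the gateway with its certificate it will not be trusted. Either add `{{ insertCertificate('{{ pki_dir }}/client-external/clients/ui-design-system/ui-design-system.pem', 'ui_design_system_context') }}` (context name is a guess; check the contexts collection) or leave a comment stating that design-system deliberately has no API context. The iam-internal entry still points at the server host certificate while the server extension in crt-config no longer carries clientAuth; confirm the receiving side does not enforce extended key usage.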
Expand Up @@ -120,7 +120,12 @@ server {
}

location ~ ^/cas/(login|logout|extras|webjars|css|icons|favicon|images|js|serviceValidate|oauth2.0|clientredirect|oidc) {
proxy_pass {{ 'https' if vitamui.cas_server.secure | default(secure) | bool else 'http' }}://CAS;
{% if vitamui.cas_server.secure | default(secure) | bool %}
set $cas_server_dns "vitamui-{{ vitamui.cas_server.vitamui_component }}.service.{{ consul_domain }}";
proxy_pass https://$cas_server_dns:{{ vitamui.cas_server.port_service }};
{% else %}
proxy_pass http://CAS;
{% endif %}
include {{ nginx_conf_dir }}/proxy_params;
}

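Review bot: The CAS login, logout and `serviceValidate` paths now go to `$cas_server_dns` over TLS with no `proxy_ssl_verify on` in the hunk, so credentials and service tickets are sent to whatever answers for that consul name; nginx does not verify upstream certificates by default. Add `proxy_ssl_verify on; proxy_ssl_trusted_certificate …; proxy_ssl_server_name on;` in this location (or in the `proxy_params` include, which is not visible), and make sure a `resolver` is declared because the variable form of `proxy_pass` resolves at request time. Dropping the `CAS` upstream in the secure branch also drops any upstream-level failover; if that is intended, note it in a comment. The `server {` block starts above and continues below the hunk.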
13 changes: 13 additions & 0 deletions deployment/roles/vitamui/tasks/main.yml
Expand Up @@ -133,6 +133,19 @@
- update_vitamui_certificates # Mandatory to update configuration file containing keystore password
notify: restart service

- name: "Copy {{ vitamui_struct.vitamui_component }} jks keystore (client-external)"
copy:
src: "{{ inventory_dir }}/keystores/client-external/keystore_{{ vitamui_struct.vitamui_component }}.p12"
dest: "{{ vitamui_folder_conf }}/keystore_client_{{ vitamui_struct.vitamui_component }}.p12"
owner: "{{ vitamui_defaults.users.vitamui }}"
group: "{{ vitamui_defaults.users.group }}"
mode: "{{ vitamui_defaults.folder.conf_permission }}"
when:
- vitamui_struct.vitamui_component == 'cas-server'
- lookup('pipe', 'test -f {{ inventory_dir }}/keystores/client-external/keystore_{{ vitamui_struct.vitamui_component }}.p12 || echo nofile') == ''
tags: update_vitamui_certificates
notify: restart service

- name: "Copy {{ vitamui_struct.service_name | default(service_name) }} jks keystore (server)"
copy:
src: "{{ inventory_dir }}/keystores/server/{{ inventory_hostname }}/keystore_{{ vitamui_struct.vitamui_component }}.jks"
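Review bot: The `when` clause uses `lookup('pipe', 'test -f … || echo nofile')`, which spawns a shell on the controller with `inventory_dir` interpolated unquoted and breaks on paths containing spaces or shell metacharacters; Ansible's `is file` test does the same check in-process: `- (inventory_dir ~ '/keystores/client-external/keystore_' ~ vitamui_struct.vitamui_component ~ '.p12') is file`. The task name says "jks keystore" but the file is a PKCS12 `.p12`; rename it to avoid confusion with the JKS task that follows. The keystore holds the CAS client private key and is installed with `conf_permission`; confirm that mode is owner-only.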
Expand Up @@ -57,9 +57,8 @@ iam-client:
secure: {{ vitamui.iam_external.secure | default(secure) | lower }}
ssl-configuration:
keystore:
key-path: {{ vitamui_folder_conf }}/keystore_{{ vitamui_struct.service_name | default(service_name) }}.jks
key-password: {{ password_keystore }}
type: JKS
key-path: {{ vitamui_folder_conf }}/keystore_client_{{ vitamui_struct.vitamui_component }}.p12
key-password: {{ password_keystore_client }}
truststore:
key-path: {{ vitamui_folder_conf }}/truststore_{{ vitamui_certificate_type }}.jks
key-password: {{ password_truststore }}
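Review bot: The keystore now points at a `.p12` file but the `type: JKS` line was removed without a replacement, so the loader falls back to its default type; unless the iam-client code is known to auto-detect PKCS12, add `type: PKCS12` under `keystore:` to make the format explicit. `password_keystore_client` is only defined for the cas_server entry in vitamui_apps.yml in this PR, so if this template is rendered for any other component the variable is undefined and templating fails; either give it a default or assert it. The `iam-client` block starts above the hunk.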
Expand Up @@ -25,16 +25,16 @@ db.certificates.insertOne({
{% endif %}
{%- endmacro %}

{{ process('{{ pki_dir }}/server/hosts/%host%/cas-server.pem', 'cas_context', 'hosts_cas_server') }}
{{ process('{{ pki_dir }}/server/hosts/%host%/iam-internal.pem', 'iam_internal_context', 'hosts_vitamui_iam_internal') }}

{{ process('{{ pki_dir }}/server/hosts/%host%/ui-portal.pem', 'ui_portal_context', 'hosts_ui_portal') }}
{{ process('{{ pki_dir }}/server/hosts/%host%/ui-identity.pem', 'ui_identity_context', 'hosts_ui_identity') }}
{{ process('{{ pki_dir }}/server/hosts/%host%/ui-identity-admin.pem', 'ui_admin_identity_context', 'hosts_ui_identity_admin') }}
{{ process('{{ pki_dir }}/server/hosts/%host%/ui-referential.pem', 'ui_referential_context', 'hosts_ui_referential') }}
{{ process('{{ pki_dir }}/server/hosts/%host%/ui-archive-search.pem', 'ui_archive_search_context', 'hosts_ui_archive_search') }}
{{ process('{{ pki_dir }}/server/hosts/%host%/ui-ingest.pem', 'ui_ingest_context', 'hosts_ui_ingest') }}
{{ process('{{ pki_dir }}/server/hosts/%host%/ui-pastis.pem', 'ui_pastis_context', 'hosts_ui_pastis') }}
{{ process('{{ pki_dir }}/server/hosts/%host%/ui-collect.pem', 'ui_collect_context', 'hosts_ui_collect') }}
{{ insertCertificate('{{ pki_dir }}/client-external/clients/cas-server/cas-server.pem', 'cas_context') }}
{{ insertCertificate('{{ pki_dir }}/client-external/clients/ui-portal/ui-portal.pem', 'ui_portal_context') }}
{{ insertCertificate('{{ pki_dir }}/client-external/clients/ui-identity/ui-identity.pem', 'ui_identity_context') }}
{{ insertCertificate('{{ pki_dir }}/client-external/clients/ui-identity-admin/ui-identity-admin.pem', 'ui_admin_identity_context') }}
{{ insertCertificate('{{ pki_dir }}/client-external/clients/ui-referential/ui-referential.pem', 'ui_referential_context') }}
{{ insertCertificate('{{ pki_dir }}/client-external/clients/ui-archive-search/ui-archive-search.pem', 'ui_archive_search_context') }}
{{ insertCertificate('{{ pki_dir }}/client-external/clients/ui-ingest/ui-ingest.pem', 'ui_ingest_context') }}
{{ insertCertificate('{{ pki_dir }}/client-external/clients/ui-pastis/ui-pastis.pem', 'ui_pastis_context') }}
{{ insertCertificate('{{ pki_dir }}/client-external/clients/ui-collect/ui-collect.pem', 'ui_collect_context') }}

print("END security.populate_certificates.js");
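Review bot: Same gap as the other populate_certificates script in this PR: `ui-design-system` receives a client-external certificate from generate_certs.sh but has no `insertCertificate` entry here, so the set of registered clients and the set of issued certificates disagree. If this file is meant to mirror the other copy, generate both from one list so they cannot drift, or add the missing line with a context name confirmed against the contexts collection: `{{ insertCertificate('{{ pki_dir }}/client-external/clients/ui-design-system/ui-design-system.pem', 'ui_design_system_context') }}`.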