Revision cbc1fac8
Added by Eric Helms about 4 years ago
manifests/candlepin.pp | ||
$pki_dir = $certs::pki_dir,
|
||
$keystore = $certs::candlepin_keystore,
|
||
$keystore_password_file = $certs::keystore_password_file,
|
||
$amqp_truststore = $certs::candlepin_amqp_truststore,
|
||
$amqp_keystore = $certs::candlepin_amqp_keystore,
|
||
$amqp_store_dir = $certs::candlepin_amqp_store_dir,
|
||
$country = $certs::country,
|
||
$state = $certs::state,
|
||
$city = $certs::city,
|
||
... | ... | |
}
|
||
|
||
$java_client_cert_name = 'java-client'
|
||
$artemis_alias = 'artemis-client'
|
||
$artemis_client_dn = "CN=${hostname}, OU=${org_unit}, O=candlepin, ST=${state}, C=${country}"
|
||
|
||
cert { $java_client_cert_name:
|
||
ensure => present,
|
||
... | ... | |
mode => '0640',
|
||
} ~>
|
||
certs::keypair { 'candlepin':
|
||
key_pair => Cert[$java_client_cert_name],
|
||
key_file => $client_key,
|
||
cert_file => $client_cert,
|
||
} ~>
|
||
file { $amqp_store_dir:
|
||
ensure => directory,
|
||
owner => 'tomcat',
|
||
group => $group,
|
||
mode => '0750',
|
||
key_pair => Cert[$java_client_cert_name],
|
||
key_file => $client_key,
|
||
cert_file => $client_cert,
|
||
manage_cert => true,
|
||
cert_owner => $user,
|
||
cert_group => $group,
|
||
cert_mode => '0440',
|
||
manage_key => true,
|
||
key_owner => $user,
|
||
key_group => $group,
|
||
key_mode => '0440',
|
||
} ~>
|
||
exec { 'import CA into Candlepin truststore':
|
||
command => "keytool -import -trustcacerts -v -keystore ${keystore} -storepass ${keystore_password} -alias ${alias} -file ${ca_cert} -noprompt",
|
||
unless => "keytool -list -keystore ${keystore} -storepass ${keystore_password} -alias ${alias}",
|
||
} ~>
|
||
exec { 'import CA into Candlepin AMQP truststore':
|
||
command => "keytool -import -v -keystore ${amqp_truststore} -storepass ${keystore_password} -alias ${alias} -file ${ca_cert} -trustcacerts -noprompt",
|
||
unless => "keytool -list -keystore ${amqp_truststore} -storepass ${keystore_password} -alias ${alias}",
|
||
} ~>
|
||
exec { 'import client certificate into Candlepin keystore':
|
||
# Stupid keytool doesn't allow you to import a keypair. You can only import a cert. Hence, we have to
|
||
# create the store as an PKCS12 and convert to JKS. See http://stackoverflow.com/a/8224863
|
||
command => "openssl pkcs12 -export -name amqp-client -in ${client_cert} -inkey ${client_key} -out /tmp/keystore.p12 -passout file:${password_file} && keytool -importkeystore -destkeystore ${amqp_keystore} -srckeystore /tmp/keystore.p12 -srcstoretype pkcs12 -alias amqp-client -storepass ${keystore_password} -srcstorepass ${keystore_password} -noprompt && rm /tmp/keystore.p12",
|
||
unless => "keytool -list -keystore ${amqp_keystore} -storepass ${keystore_password} -alias amqp-client",
|
||
} ~>
|
||
file { $amqp_keystore:
|
||
ensure => file,
|
||
owner => 'tomcat',
|
||
group => $group,
|
||
mode => '0640',
|
||
command => "openssl pkcs12 -export -name ${artemis_alias} -in ${client_cert} -inkey ${client_key} -out /tmp/keystore.p12 -passout file:${password_file} && keytool -importkeystore -destkeystore ${keystore} -srckeystore /tmp/keystore.p12 -srcstoretype pkcs12 -alias ${artemis_alias} -storepass ${keystore_password} -srcstorepass ${keystore_password} -noprompt && rm /tmp/keystore.p12",
|
||
unless => "keytool -list -keystore ${keystore} -storepass ${keystore_password} -alias ${artemis_alias} | grep $(openssl x509 -noout -fingerprint -in ${client_cert} | cut -d '=' -f 2)",
|
||
}
|
||
}
|
||
}
|
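Review bot: The `unless` guard on the new `import client certificate into Candlepin keystore` exec pipes `keytool -list` into `grep $(openssl x509 -noout -fingerprint -in ${client_cert} | cut -d '=' -f 2)`; if the openssl step fails or prints nothing, the substitution is empty and `grep ''` matches every line, so the guard succeeds and the import silently never happens. The digest also has to agree on both sides: `openssl x509 -fingerprint` defaults to SHA-1 while the fingerprint `keytool -list` prints depends on the Java version, and a mismatch means the guard never matches and the exec re-runs on every agent run. I would pin the digest and fail closed, along the lines of `fp=$(openssl x509 -noout -sha256 -fingerprint -in ${client_cert} | cut -d '=' -f 2) && test -n "$fp" && keytool -list -v -keystore ${keystore} -storepass ${keystore_password} -alias ${artemis_alias} | grep -F "$fp"`. The new command also carries over two pre-existing weaknesses worth a follow-up: the store password is passed as a command-line argument (visible in the process list; keytool's `-storepass:file` form avoids that) and the intermediate PKCS12 is written to the fixed, world-visible path `/tmp/keystore.p12` rather than a `mktemp`-created file or a path inside the keystore directory. The enclosing class body starts and ends outside the hunk.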
manifests/params.pp | ||
$candlepin_keystore = "${candlepin_certs_dir}/keystore"
|
||
$candlepin_ca_cert = "${candlepin_certs_dir}/candlepin-ca.crt"
|
||
$candlepin_ca_key = "${candlepin_certs_dir}/candlepin-ca.key"
|
||
$candlepin_amqp_store_dir = "${candlepin_certs_dir}/amqp"
|
||
$candlepin_amqp_truststore = "${candlepin_amqp_store_dir}/candlepin.truststore"
|
||
$candlepin_amqp_keystore = "${candlepin_amqp_store_dir}/candlepin.jks"
|
||
|
||
# Settings for uploading packages to Katello
|
||
$katello_user = undef
|
spec/acceptance/candlepin_spec.rb | ||
ensure => present,
|
||
}
|
||
|
||
['/usr/share/tomcat/conf', '/etc/candlepin/certs/amqp'].each |$dir| {
|
||
['/usr/share/tomcat/conf', '/etc/candlepin/certs'].each |$dir| {
|
||
exec { "mkdir -p ${dir}":
|
||
creates => $dir,
|
||
path => ['/bin', '/usr/bin'],
|
||
... | ... | |
describe command("keytool -list -keystore /etc/candlepin/certs/keystore -storepass $(cat #{keystore_password_file})") do
|
||
its(:exit_status) { should eq 0 }
|
||
its(:stdout) { should match(/^Keystore type: PKCS12$/i) }
|
||
its(:stdout) { should match(/^Your keystore contains 2 entries$/) }
|
||
its(:stdout) { should match(/^Your keystore contains 3 entries$/) }
|
||
its(:stdout) { should match(/^tomcat, .+, PrivateKeyEntry, $/) }
|
||
its(:stdout) { should match(/^candlepin-ca, .+, trustedCertEntry, $/) }
|
||
end
|
||
... | ... | |
its(:stdout) { should match(/^Owner: CN=#{host_inventory['fqdn']}, OU=SomeOrgUnit, O=Katello, L=Raleigh, ST=North Carolina, C=US$/) }
|
||
its(:stdout) { should match(/^Issuer: CN=#{host_inventory['fqdn']}, OU=SomeOrgUnit, O=Katello, L=Raleigh, ST=North Carolina, C=US$/) }
|
||
end
|
||
|
||
describe command("keytool -list -keystore /etc/candlepin/certs/amqp/candlepin.truststore -storepass $(cat #{keystore_password_file})") do
|
||
its(:exit_status) { should eq 0 }
|
||
its(:stdout) { should match(/^Keystore type: JKS$/i) }
|
||
its(:stdout) { should match(/^Your keystore contains 1 entry$/) }
|
||
its(:stdout) { should match(/^candlepin-ca, .+, trustedCertEntry, $/) }
|
||
end
|
||
|
||
describe command("keytool -list -keystore /etc/candlepin/certs/amqp/candlepin.jks -storepass $(cat #{keystore_password_file})") do
|
||
its(:exit_status) { should eq 0 }
|
||
its(:stdout) { should match(/^Keystore type: JKS$/i) }
|
||
its(:stdout) { should match(/^Your keystore contains 1 entry$/) }
|
||
its(:stdout) { should match(/^amqp-client, .+, PrivateKeyEntry, $/) }
|
||
end
|
||
end
|
||
|
||
describe 'with localhost' do
|
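Review bot: The new expectation `its(:stdout) { should match(/^Your keystore contains 3 entries$/) }` in the `describe command("keytool -list -keystore /etc/candlepin/certs/keystore ...")` block counts the extra entry the manifest now imports, but no assertion in that block names it; only `tomcat` and `candlepin-ca` are matched by alias, so any third entry (for example a stale import under a different alias) would still pass. If the third entry is the `artemis-client` key as the manifest change suggests, add `its(:stdout) { should match(/^artemis-client, .+, PrivateKeyEntry, $/) }` next to the existing alias assertions so the test pins what was actually imported.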
Refs #28924: Drop amqp key and truststore