
Revision cbc1fac8

Added by Eric Helms about 4 years ago

Refs #28924: Drop amqp key and truststore


manifests/candlepin.pp
$pki_dir = $certs::pki_dir,
$keystore = $certs::candlepin_keystore,
$keystore_password_file = $certs::keystore_password_file,
$amqp_truststore = $certs::candlepin_amqp_truststore,
$amqp_keystore = $certs::candlepin_amqp_keystore,
$amqp_store_dir = $certs::candlepin_amqp_store_dir,
$country = $certs::country,
$state = $certs::state,
$city = $certs::city,
......
}
$java_client_cert_name = 'java-client'
$artemis_alias = 'artemis-client'
$artemis_client_dn = "CN=${hostname}, OU=${org_unit}, O=candlepin, ST=${state}, C=${country}"
cert { $java_client_cert_name:
ensure => present,
......
mode => '0640',
} ~>
certs::keypair { 'candlepin':
key_pair => Cert[$java_client_cert_name],
key_file => $client_key,
cert_file => $client_cert,
} ~>
file { $amqp_store_dir:
ensure => directory,
owner => 'tomcat',
group => $group,
mode => '0750',
key_pair => Cert[$java_client_cert_name],
key_file => $client_key,
cert_file => $client_cert,
manage_cert => true,
cert_owner => $user,
cert_group => $group,
cert_mode => '0440',
manage_key => true,
key_owner => $user,
key_group => $group,
key_mode => '0440',
} ~>
exec { 'import CA into Candlepin truststore':
command => "keytool -import -trustcacerts -v -keystore ${keystore} -storepass ${keystore_password} -alias ${alias} -file ${ca_cert} -noprompt",
unless => "keytool -list -keystore ${keystore} -storepass ${keystore_password} -alias ${alias}",
} ~>
exec { 'import CA into Candlepin AMQP truststore':
command => "keytool -import -v -keystore ${amqp_truststore} -storepass ${keystore_password} -alias ${alias} -file ${ca_cert} -trustcacerts -noprompt",
unless => "keytool -list -keystore ${amqp_truststore} -storepass ${keystore_password} -alias ${alias}",
} ~>
exec { 'import client certificate into Candlepin keystore':
# Stupid keytool doesn't allow you to import a keypair. You can only import a cert. Hence, we have to
# create the store as an PKCS12 and convert to JKS. See http://stackoverflow.com/a/8224863
command => "openssl pkcs12 -export -name amqp-client -in ${client_cert} -inkey ${client_key} -out /tmp/keystore.p12 -passout file:${password_file} && keytool -importkeystore -destkeystore ${amqp_keystore} -srckeystore /tmp/keystore.p12 -srcstoretype pkcs12 -alias amqp-client -storepass ${keystore_password} -srcstorepass ${keystore_password} -noprompt && rm /tmp/keystore.p12",
unless => "keytool -list -keystore ${amqp_keystore} -storepass ${keystore_password} -alias amqp-client",
} ~>
file { $amqp_keystore:
ensure => file,
owner => 'tomcat',
group => $group,
mode => '0640',
command => "openssl pkcs12 -export -name ${artemis_alias} -in ${client_cert} -inkey ${client_key} -out /tmp/keystore.p12 -passout file:${password_file} && keytool -importkeystore -destkeystore ${keystore} -srckeystore /tmp/keystore.p12 -srcstoretype pkcs12 -alias ${artemis_alias} -storepass ${keystore_password} -srcstorepass ${keystore_password} -noprompt && rm /tmp/keystore.p12",
unless => "keytool -list -keystore ${keystore} -storepass ${keystore_password} -alias ${artemis_alias} | grep $(openssl x509 -noout -fingerprint -in ${client_cert} | cut -d '=' -f 2)",
}
}
}
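Review bot: The rewritten import exec, `command => "openssl pkcs12 -export -name ${artemis_alias} ... -out /tmp/keystore.p12 ..."`, writes the exported Candlepin client key pair to a fixed, predictable path in a world-writable directory and only removes it when every chained step succeeds, so a failed keytool step leaves the password-protected PKCS12 behind and a pre-existing file or symlink at that path is followed. A safer target is a file created with `mktemp` or a path inside a directory the module already owns (such as the Candlepin certs directory) with mode 0600, removed whether or not the import succeeds. The `unless` on the following line compares `keytool -list` output against `openssl x509 -fingerprint`; the two tools' default digests differ across versions (SHA-1 vs SHA-256), so pinning one explicitly, e.g. `openssl x509 -noout -sha256 -fingerprint`, avoids the check never matching and the import re-running on every agent run. Both lines also pass `-storepass ${keystore_password}` on the command line, where it is visible in the process list for the duration of the command; this predates the commit but is worth noting since the lines were rewritten. The enclosing class body starts outside this section.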
manifests/params.pp
$candlepin_keystore = "${candlepin_certs_dir}/keystore"
$candlepin_ca_cert = "${candlepin_certs_dir}/candlepin-ca.crt"
$candlepin_ca_key = "${candlepin_certs_dir}/candlepin-ca.key"
$candlepin_amqp_store_dir = "${candlepin_certs_dir}/amqp"
$candlepin_amqp_truststore = "${candlepin_amqp_store_dir}/candlepin.truststore"
$candlepin_amqp_keystore = "${candlepin_amqp_store_dir}/candlepin.jks"
# Settings for uploading packages to Katello
$katello_user = undef
spec/acceptance/candlepin_spec.rb
ensure => present,
}
['/usr/share/tomcat/conf', '/etc/candlepin/certs/amqp'].each |$dir| {
['/usr/share/tomcat/conf', '/etc/candlepin/certs'].each |$dir| {
exec { "mkdir -p ${dir}":
creates => $dir,
path => ['/bin', '/usr/bin'],
......
describe command("keytool -list -keystore /etc/candlepin/certs/keystore -storepass $(cat #{keystore_password_file})") do
its(:exit_status) { should eq 0 }
its(:stdout) { should match(/^Keystore type: PKCS12$/i) }
its(:stdout) { should match(/^Your keystore contains 2 entries$/) }
its(:stdout) { should match(/^Your keystore contains 3 entries$/) }
its(:stdout) { should match(/^tomcat, .+, PrivateKeyEntry, $/) }
its(:stdout) { should match(/^candlepin-ca, .+, trustedCertEntry, $/) }
end
......
its(:stdout) { should match(/^Owner: CN=#{host_inventory['fqdn']}, OU=SomeOrgUnit, O=Katello, L=Raleigh, ST=North Carolina, C=US$/) }
its(:stdout) { should match(/^Issuer: CN=#{host_inventory['fqdn']}, OU=SomeOrgUnit, O=Katello, L=Raleigh, ST=North Carolina, C=US$/) }
end
describe command("keytool -list -keystore /etc/candlepin/certs/amqp/candlepin.truststore -storepass $(cat #{keystore_password_file})") do
its(:exit_status) { should eq 0 }
its(:stdout) { should match(/^Keystore type: JKS$/i) }
its(:stdout) { should match(/^Your keystore contains 1 entry$/) }
its(:stdout) { should match(/^candlepin-ca, .+, trustedCertEntry, $/) }
end
describe command("keytool -list -keystore /etc/candlepin/certs/amqp/candlepin.jks -storepass $(cat #{keystore_password_file})") do
its(:exit_status) { should eq 0 }
its(:stdout) { should match(/^Keystore type: JKS$/i) }
its(:stdout) { should match(/^Your keystore contains 1 entry$/) }
its(:stdout) { should match(/^amqp-client, .+, PrivateKeyEntry, $/) }
end
end
describe 'with localhost' do
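Review bot: The keystore assertions enumerate only two entries, `tomcat` and `candlepin-ca`, while the count line expects three (`Your keystore contains 3 entries`), so the third entry, which candlepin.pp names `artemis-client`, is never checked for alias or entry type. Add `its(:stdout) { should match(/^artemis-client, .+, PrivateKeyEntry, $/) }` next to the `tomcat` line so the spec fails if the client key pair import regresses, not only if the count changes. Which of the 2- and 3-entry lines is the new side cannot be read from this rendering, so this assumes the 3-entry expectation is the one kept. The removed amqp truststore and jks blocks need no replacement since those stores are dropped by the commit.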
