Skip to content

Commit aee4465

Browse files
breskebybreskeby
authored
Ensure BCFKS based cacert truststore is used for cloud ess fips (elastic#127716)
* Ensure we use BCFKS based cacert truststore for cloud ess fips * Make truststore default password 14 characters
1 parent 1588d54 commit aee4465

File tree

1 file changed

+26
-14
lines changed

1 file changed

+26
-14
lines changed

distribution/docker/src/docker/Dockerfile.ess-fips

Lines changed: 26 additions & 14 deletions
Original file line numberDiff line numberDiff line change
@@ -96,15 +96,6 @@ COPY fips/resources/fips_java.policy /usr/share/elasticsearch/config/fips_java.p
9696

9797
WORKDIR /usr/share/elasticsearch/config
9898

99-
## Add fips specific JVM options
100-
RUN cat <<EOF > /usr/share/elasticsearch/config/jvm.options.d/fips.options
101-
-Djavax.net.ssl.keyStoreType=BCFKS
102-
-Dorg.bouncycastle.fips.approved_only=true
103-
-Djava.security.properties=config/fips_java.security
104-
-Djava.security.policy=config/fips_java.policy
105-
EOF
106-
107-
10899
################################################################################
109100
# Build stage 2 (the actual Elasticsearch image):
110101
#
@@ -136,6 +127,10 @@ ENV ELASTIC_CONTAINER=true
136127
WORKDIR /usr/share/elasticsearch
137128

138129
COPY --from=builder --chown=0:0 /usr/share/elasticsearch /usr/share/elasticsearch
130+
COPY --from=builder --chown=0:0 /fips/libs/*.jar /usr/share/elasticsearch/lib/
131+
COPY --from=builder --chown=0:0 /opt /opt
132+
133+
ENV ES_PLUGIN_ARCHIVE_DIR=/opt/plugins/archive
139134
ENV PATH=/usr/share/elasticsearch/bin:\$PATH
140135
ENV SHELL=/bin/bash
141136
COPY ${bin_dir}/docker-entrypoint.sh /usr/local/bin/docker-entrypoint.sh
@@ -159,6 +154,28 @@ RUN chmod g=u /etc/passwd && \\
159154

160155
RUN ln -sf /etc/ssl/certs/java/cacerts /usr/share/elasticsearch/jdk/lib/security/cacerts
161156

157+
# Convert cacerts (PKCS12) to BCFKS format using POSIX-compatible shell syntax
158+
RUN printf "\\n" | jdk/bin/keytool -importkeystore \
159+
-srckeystore /usr/share/elasticsearch/jdk/lib/security/cacerts \
160+
-srcstoretype PKCS12 \
161+
-destkeystore config/cacerts.bcfks \
162+
-deststorepass passwordcacert \
163+
-deststoretype BCFKS \
164+
-providerclass org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider \
165+
-providerpath lib/bc-fips-1.0.2.5.jar \
166+
-destprovidername BCFIPS
167+
168+
169+
## Add fips specific JVM options
170+
RUN cat <<EOF > /usr/share/elasticsearch/config/jvm.options.d/fips.options
171+
-Djavax.net.ssl.keyStoreType=BCFKS
172+
-Dorg.bouncycastle.fips.approved_only=true
173+
-Djava.security.properties=config/fips_java.security
174+
-Djava.security.policy=config/fips_java.policy
175+
-Djavax.net.ssl.trustStore=config/cacerts.bcfks
176+
-Djavax.net.ssl.trustStorePassword=passwordcacert
177+
EOF
178+
162179
EXPOSE 9200 9300
163180

164181
LABEL org.label-schema.build-date="${build_date}" \\
@@ -196,11 +213,6 @@ CMD ["/app/elasticsearch.sh"]
196213

197214
USER 1000:0
198215

199-
COPY --from=builder --chown=0:0 /opt /opt
200-
ENV ES_PLUGIN_ARCHIVE_DIR=/opt/plugins/archive
201-
WORKDIR /usr/share/elasticsearch
202-
COPY --from=builder --chown=0:0 /fips/libs/*.jar /usr/share/elasticsearch/lib/
203-
204216
################################################################################
205217
# End of multi-stage Dockerfile
206218
################################################################################

0 commit comments

Comments
 (0)