Merge branch 'develop' into 11198-list-file-versions-api

Author: stevenwinship

doc/release-notes/ds27-samesite-attr.md

@@ -0,0 +1,35 @@
+### SameSite Cookie Attribute
+
+The SameSite cookie attribute is defined in an upcoming revision to [RFC 6265](https://datatracker.ietf.org/doc/html/rfc6265) (HTTP State Management Mechanism) called [6265bis](https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-rfc6265bis-19>) ("bis" meaning "repeated"). The possible values are "None", "Lax", and "Strict".
+
+"If no SameSite attribute is set, the cookie is treated as Lax by default" by browsers according to [MDN](https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies#controlling_third-party_cookies_with_samesite). This was the previous behavior of Dataverse, to not set the SameSite attribute.
+
+New Dataverse installations now explicitly set to the SameSite cookie attribute to "Lax" out of the box through the installer (in the case of a "classic" installation) or through an updated base image (in the case of a Docker installation). Classic installations should follow the upgrade instructions below to bring their installation up to date with the behavior for new installations. Docker installations will automatically get the updated base image.
+
+While you are welcome to experiment with "Strict", which is intended to help prevent Cross-Site Request Forgery (CSRF) attacks, as described in the RFC proposal and an OWASP [cheetsheet](https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html#samesite-cookie-attribute), our testing so far indicates that some functionality, such as OIDC login, seems to be incompatible with "Strict".
+
+You should avoid the use of "None" as it is less secure that "Lax". See also [the guides](https://dataverse-guide--11210.org.readthedocs.build/en/11210/installation/config.html#samesite-cookie-attribute), https://github.com/IQSS/dataverse-security/issues/27, #11210, and the upgrade instructions below.
+
+## Upgrade instructions
+
+To bring your Dataverse installation in line with new installations, as described in [the guides](https://dataverse-guide--11210.org.readthedocs.build/en/11210/installation/config.html#samesite-cookie-attribute), we recommend running the following commands:
+
+```
+./asadmin set server-config.network-config.protocols.protocol.http-listener-1.http.cookie-same-site-value=Lax
+
+./asadmin set server-config.network-config.protocols.protocol.http-listener-1.http.cookie-same-site-enabled=true
+```
+
+Please note that "None" is less secure than "Lax" and should be avoided. You can test the setting by inspecting headers with curl, looking at the JSESSIONID cookie for "SameSite=Lax" (yes, it's expected to be repeated, probably due to a bug in Payara) like this:
+
+```
+% curl -s -I http://localhost:8080 | grep JSESSIONID
+Set-Cookie: JSESSIONID=6574324d75aebeb86dc96ecb3bb0; Path=/;SameSite=Lax;SameSite=Lax
+```
+
+Before making the changes above, SameSite attribute should be absent, like this:
+
+```
+% curl -s -I http://localhost:8080 | grep JSESSIONID
+Set-Cookie: JSESSIONID=6574324d75aebeb86dc96ecb3bb0; Path=/
+```

doc/sphinx-guides/source/installation/config.rst

@@ -151,6 +151,18 @@ Password complexity rules for "builtin" accounts can be adjusted with a variety
 - :ref:`:PVGoodStrength`
 - :ref:`:PVCustomPasswordResetAlertMessage`
 
+.. _samesite-cookie-attribute:
+
+SameSite Cookie Attribute
+^^^^^^^^^^^^^^^^^^^^^^^^^
+
+The SameSite cookie attribute is defined in an upcoming revision to `RFC 6265 <https://datatracker.ietf.org/doc/html/rfc6265>`_ (HTTP State Management Mechanism) called `6265bis <https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-rfc6265bis-19>`_ ("bis" meaning "repeated"). The possible values are "None", "Lax", and "Strict". "Strict" is intended to help prevent Cross-Site Request Forgery (CSRF) attacks, as described in the RFC proposal and an OWASP `cheetsheet <https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html#samesite-cookie-attribute>`_. We don't recommend "None" for security reasons.
+
+By default, Payara doesn't send the SameSite cookie attribute, which browsers should interpret as "Lax" according to `MDN <https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies#controlling_third-party_cookies_with_samesite>`_.
+Dataverse installations are explicity set to "Lax" out of the box by the installer (in the case of a "classic" installation) or through the base image (in the case of a Docker installation). For classic, see :ref:`http.cookie-same-site-value` and :ref:`http.cookie-same-site-enabled` for how to change the values. For Docker, you must rebuild the :doc:`base image </container/base-image>`. See also Payara's `documentation <https://docs.payara.fish/community/docs/6.2024.6/Technical%20Documentation/Payara%20Server%20Documentation/General%20Administration/Administering%20HTTP%20Connectivity.html>`_ for the settings above.
+
+To inspect cookie attributes like SameSite, you can use ``curl -s -I http://localhost:8080 | grep JSESSIONID``, for example, looking for the "Set-Cookie" header.
+
 .. _ongoing-security:
 
 Ongoing Security of Your Installation
@@ -3529,6 +3541,32 @@ To facilitate large file upload and download, the Dataverse Software installer b
 
 and restart Payara to apply your change.
 
+.. _http.cookie-same-site-value:
+
+http.cookie-same-site-value
+++++++++++++++++++++++++++++
+
+See :ref:`samesite-cookie-attribute` for context.
+
+The Dataverse installer configures the Payara **server-config.network-config.protocols.protocol.http-listener-1.http.cookie-same-site-value** setting to "Lax". From `Payara's documentation <https://docs.payara.fish/community/docs/6.2024.6/Technical%20Documentation/Payara%20Server%20Documentation/General%20Administration/Administering%20HTTP%20Connectivity.html>`_, the other possible values are "Strict" or "None". To change this to "Strict", for example, you could run the following command...
+
+``./asadmin set server-config.network-config.protocols.protocol.http-listener-1.http.cookie-same-site-value=Strict``
+
+... and restart Payara to apply your change.
+
+.. _http.cookie-same-site-enabled:
+
+http.cookie-same-site-enabled
++++++++++++++++++++++++++++++
+
+See :ref:`samesite-cookie-attribute` for context.
+
+The Dataverse installer configures the Payara **server-config.network-config.protocols.protocol.http-listener-1.http.cookie-same-site-enabled** setting to true. To change this to false, you could run the following command...
+
+``./asadmin set server-config.network-config.protocols.protocol.http-listener-1.http.cookie-same-site-enabled=true``
+
+... and restart Payara to apply your change.
+
 mp.config.profile
 +++++++++++++++++
 

modules/container-base/src/main/docker/Dockerfile

@@ -199,6 +199,13 @@ RUN <<EOF
     ${ASADMIN} set server-config.network-config.protocols.protocol.http-listener-2.http.file-cache.enabled="true"
     ${ASADMIN} set default-config.network-config.protocols.protocol.http-listener-1.http.file-cache.enabled="true"
     ${ASADMIN} set default-config.network-config.protocols.protocol.http-listener-2.http.file-cache.enabled="true"
+    # Set SameSite cookie value: https://docs.payara.fish/community/docs/6.2024.6/Technical%20Documentation/Payara%20Server%20Documentation/General%20Administration/Administering%20HTTP%20Connectivity.html
+    # The following dynamic version is what we want, modeled off "${MPCONFIG=dataverse.http.timeout:900}"
+    # but it's not working so it's commented out. Instead, we hard code the value to "Lax". This means you have
+    # to build your own base image if you'd like to change it.
+    #${ASADMIN} set server-config.network-config.protocols.protocol.http-listener-1.http.cookie-same-site-value=${MPCONFIG=dataverse.cookie-same-site-value:Lax}'
+    ${ASADMIN} set server-config.network-config.protocols.protocol.http-listener-1.http.cookie-same-site-value="Lax"
+    ${ASADMIN} set server-config.network-config.protocols.protocol.http-listener-1.http.cookie-same-site-enabled="true"
     # Disable the HTTPS listener (we are always fronting our appservers with a reverse proxy handling SSL)
     ${ASADMIN} set configs.config.server-config.network-config.network-listeners.network-listener.http-listener-2.enabled="false"
     # Enlarge and tune EJB pools (cannot do this for server-config as set does not create new entries)

scripts/installer/as-setup.sh

@@ -124,6 +124,10 @@ function preliminary_setup()
   # bump the http-listener timeout from 900 to 3600
   ./asadmin $ASADMIN_OPTS set server-config.network-config.protocols.protocol.http-listener-1.http.request-timeout-seconds="${GLASSFISH_REQUEST_TIMEOUT}"
 
+  # Set SameSite cookie value: https://docs.payara.fish/community/docs/6.2024.6/Technical%20Documentation/Payara%20Server%20Documentation/General%20Administration/Administering%20HTTP%20Connectivity.html
+  ./asadmin $ASADMIN_OPTS set server-config.network-config.protocols.protocol.http-listener-1.http.cookie-same-site-value="Lax"
+  ./asadmin $ASADMIN_OPTS set server-config.network-config.protocols.protocol.http-listener-1.http.cookie-same-site-enabled="true"
+
   # so we can front with apache httpd ( ProxyPass / ajp://localhost:8009/ )
   ./asadmin $ASADMIN_OPTS create-network-listener --protocol http-listener-1 --listenerport 8009 --jkenabled true jk-connector
 }

src/test/java/edu/harvard/iq/dataverse/util/MailSessionProducerIT.java

@@ -77,7 +77,7 @@ class WithoutAuthentication {
         @Container
         static GenericContainer<?> maildev = new GenericContainer<>("maildev/maildev:2.1.0")
             .withExposedPorts(PORT_HTTP, PORT_SMTP)
-            .waitingFor(Wait.forHttp("/"));
+            .waitingFor(Wait.forHttp("/").forPort(PORT_HTTP));
 
         static String tcSmtpHost() {
             return maildev.getHost();
@@ -119,6 +119,13 @@ void createSession() {
 
     }
 
+    /*
+     * Self-signed certificate and key can be created using OpenSSL on the terminal:
+     * $ cd src/test/resources/mail
+     * $ openssl req -batch -x509 -new -days 3650 -config openssl.cnf -keyout key.pem -out cert.pem
+     *
+     * Note that you can edit the openssl.cnf file to adjust details of the certificate and key (or use CLI args).
+     */
     @Nested
     @LocalJvmSettings
     @JvmSetting(key = JvmSettings.MAIL_MTA_SETTING, method = "tcSmtpHost", varArgs = "host")
@@ -136,7 +143,7 @@ class WithSSLWithoutAuthentication {
                 "MAILDEV_INCOMING_CERT", "/cert.pem",
                 "MAILDEV_INCOMING_KEY", "/key.pem"
             ))
-            .waitingFor(Wait.forHttp("/"));
+            .waitingFor(Wait.forHttp("/").forPort(PORT_HTTP));
 
         static String tcSmtpHost() {
             return maildev.getHost();
@@ -196,7 +203,7 @@ class WithAuthentication {
                 "MAILDEV_INCOMING_USER", username,
                 "MAILDEV_INCOMING_PASS", password
             ))
-            .waitingFor(Wait.forHttp("/"));
+            .waitingFor(Wait.forHttp("/").forPort(PORT_HTTP));
 
         static String tcSmtpHost() {
             return maildev.getHost();

src/test/resources/mail/cert.pem

@@ -1,24 +1,24 @@
 -----BEGIN CERTIFICATE-----
-MIIEFTCCAv0CFAIjr/AvBVg4EX5/rk5+eFdfsquOMA0GCSqGSIb3DQEBCwUAMIHG
-MQswCQYDVQQGEwJEVjEaMBgGA1UECAwRRGF0YXZlcnNlIENvdW50cnkxFzAVBgNV
-BAcMDkRhdGF2ZXJzZSBDaXR5MS4wLAYDVQQKDCVHbG9iYWwgRGF0YXZlcnNlIENv
-bW11bml0eSBDb25zb3J0aXVtMRswGQYDVQQLDBJUZXN0aW5nIERlcGFydG1lbnQx
-FDASBgNVBAMMC2V4YW1wbGUub3JnMR8wHQYJKoZIhvcNAQkBFhB0ZXN0QGV4YW1w
-bGUub3JnMB4XDTI0MDIyMDA3MTkxOVoXDTM0MDIxNzA3MTkxOVowgcYxCzAJBgNV
-BAYTAkRWMRowGAYDVQQIDBFEYXRhdmVyc2UgQ291bnRyeTEXMBUGA1UEBwwORGF0
-YXZlcnNlIENpdHkxLjAsBgNVBAoMJUdsb2JhbCBEYXRhdmVyc2UgQ29tbXVuaXR5
-IENvbnNvcnRpdW0xGzAZBgNVBAsMElRlc3RpbmcgRGVwYXJ0bWVudDEUMBIGA1UE
-AwwLZXhhbXBsZS5vcmcxHzAdBgkqhkiG9w0BCQEWEHRlc3RAZXhhbXBsZS5vcmcw
-ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCzQ55QKM/sVJMb9c5MKtc/
-YW3+MlCrCnGlo42DCjl6noZg8Gji4dOEMo29UcRtYqhOsx7HOXZ5ulj3YKiBfzht
-+QV/ZofhMIN9F/N5XCi4MRPorFz+mPck5NDzH1SqYn5zGm5APPqFJlwBWxDKEfqe
-6ir5gG91MzHHuJJSQq3nrSDq+/DXRwg/7L2O7da6pBqti7nYU0T5ql88nddkRhR8
-7NdeZndI+UVmkcnal/3ZpybW8ZNzpiP8nCJO3ASz9kXRC3cITS0zgKxl6USDZs+8
-NAM6R0r8icB89L+i8bOfbyU7nkN9T+xUTTOmalSmsYrMIedIBmcB7NuqbXPLEpeJ
-AgMBAAEwDQYJKoZIhvcNAQELBQADggEBAA4U/uhswbeJB0gX4vfVqYf30A131Rvu
-J4eaVrVLzuByP1R0MvbBCMMYZBlDVDhiFqRh4KdoVWBvTfxf/4McYZ1FhXkgRlOb
-mv/mxVBqnXEu5msviApYmoLzMqgd91F3T4CWs66QIWVTJYh2McRKLG0+IfGp3aox
-YKC/W2RPsUO2fKFnUDkYetXMuWg1KJYKuqE6u2lcoV3uHFphXplClnlwN+IwtWWY
-cgfNBBRpwx6RXTk2XXgpCKYRBthBu1rowp7qiAwX7R5am6wDx0EIbevfR32bDReX
-oAV8c9soJWwAUwH63jqq7KTO8Dg1oGHveZMk4HHGkCqZeGCjbDPaak4=
+MIID/TCCAuWgAwIBAgIUC7cfckUO6xQIPkK7nahzmjfOvhIwDQYJKoZIhvcNAQEN
+BQAwgaYxCzAJBgNVBAYTAkRWMRowGAYDVQQIExFEYXRhdmVyc2UgQ291bnRyeTEX
+MBUGA1UEBxMORGF0YXZlcnNlIENpdHkxDTALBgNVBAoTBEdEQ0MxGzAZBgNVBAsT
+ElRlc3RpbmcgRGVwYXJ0bWVudDESMBAGA1UEAxMJbG9jYWxob3N0MSIwIAYJKoZI
+hvcNAQkBFhN0ZXN0aW5nQGV4YW1wbGUub3JnMB4XDTI1MDMwNzIzMDE0NFoXDTM1
+MDMwNTIzMDE0NFowgaYxCzAJBgNVBAYTAkRWMRowGAYDVQQIExFEYXRhdmVyc2Ug
+Q291bnRyeTEXMBUGA1UEBxMORGF0YXZlcnNlIENpdHkxDTALBgNVBAoTBEdEQ0Mx
+GzAZBgNVBAsTElRlc3RpbmcgRGVwYXJ0bWVudDESMBAGA1UEAxMJbG9jYWxob3N0
+MSIwIAYJKoZIhvcNAQkBFhN0ZXN0aW5nQGV4YW1wbGUub3JnMIIBIjANBgkqhkiG
+9w0BAQEFAAOCAQ8AMIIBCgKCAQEAw46TVGACGtJYbj9r8v4hpLc+mqWM70uKqi7F
+Stzj1lUFFw5efFM4Vam4doN8dWzaocAyL3tfHZKnOxFRKd5hGf23y26sRdylYeLq
+gMa6yj+M8luHQb7Jp9KoPQJZQJnRy+X0TCECya9YiWrlAMhL3pGkbzOmPCb9/FuX
+C2Iq6UCt9vAoAqyUEyreXhwkE2Kf9vZXp9OX1dZlLoWoIg0VUYP8Lnk5Td6QMThE
+wTPIrx5d1Q/BxtaJZA5qVXfmPFD/Agdx/GeXXR3wv4zhwQuK5/ChGroCUY/A7jEG
+ht8QaF2TG7SESGy3GDTxLSJRTBwdWvcQu+VlyqUDvFg9X5i9DwIDAQABoyEwHzAd
+BgNVHQ4EFgQUlv9ozFLc+NCrK4bgh2tyx2+cu9MwDQYJKoZIhvcNAQENBQADggEB
+AJUmJ1yQjISnqwqGfHWAQMsfZZ1KWKvR7wVe3Qlr2s8EY/G7CqmvljEPw6j0CjhN
+JfG0l27qqvfNnVjRNNIc4h68DcfM+qP2WbYmFF5RUT+qSoKTCbUEUzWBd/2DhwBD
+SrKPTmA5MpSvJLsOE4aw7hy5HkJZNNWYUph2ifs+yT7LicPqM1i0Y+nEVVccD+76
+l4D3z74X1C6mzr9u/c1HjlvOTBQYPz/edKQ+BcUfhU2GlSbr0kH8qqmMrXtA5ohO
+RN0TaFIYcqxPJdvwYyDa/p9Gf5VNAE3WCgkrAH5/QbL3qQ3E2+v9N0Ljdte1gkv7
+XrneaADE2d10oFFdozRO3fY=
 -----END CERTIFICATE-----

src/test/resources/mail/key.pem

@@ -1,28 +1,28 @@
 -----BEGIN PRIVATE KEY-----
-MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCzQ55QKM/sVJMb
-9c5MKtc/YW3+MlCrCnGlo42DCjl6noZg8Gji4dOEMo29UcRtYqhOsx7HOXZ5ulj3
-YKiBfzht+QV/ZofhMIN9F/N5XCi4MRPorFz+mPck5NDzH1SqYn5zGm5APPqFJlwB
-WxDKEfqe6ir5gG91MzHHuJJSQq3nrSDq+/DXRwg/7L2O7da6pBqti7nYU0T5ql88
-nddkRhR87NdeZndI+UVmkcnal/3ZpybW8ZNzpiP8nCJO3ASz9kXRC3cITS0zgKxl
-6USDZs+8NAM6R0r8icB89L+i8bOfbyU7nkN9T+xUTTOmalSmsYrMIedIBmcB7Nuq
-bXPLEpeJAgMBAAECggEAQ3h3TQ9XVslsRxFIsLVNJ49JoWuZng7DwIai3AfMo4Cn
-7jN+HqrFfBO08mUkq9D+rQRQ2MYhd+Zx1sXcFkVmXUnlTlKuYMzsKHiLzIkp0E20
-gxXguHilSI8Qr/kCWlDQ7AyuI2JwHg5WgbIfSxbiP86+FwNGsBNxMI0hEXIEV1ZY
-OFXO6AWO63D4zwbwMT30k8cjfyjGvjEtoGmjnBJcrJLSADCIWLcFCw+Cm8vcRkCd
-BEpfRzeEos/NVdOqCpi1ea3OkGAY94mXxz6gaFRbeJFj9b6st7oVZLBOiMx1eafH
-hgB9JkfVtDogl9B13MkqRN8WAiOgAjIo2Ukq8x1ZkwKBgQD88sdh8k1eldO9UXG1
-BjEsB2mEnzp1hvjuRlMQtnvOjDakbqozzbNQlq9YJxocphLyUPM/BKTsIGp0SPpd
-vo0lgspDJ5eLnHd/Xf/guYvKg90NsHZR6V7hf9Z4JcrwrwvXpf7Lp/m95Jwd930j
-/kPXw25gRFmpJ8Q9ciIk0PF0NwKBgQC1bUTK8iarZHhDGnR+/AhjkfSnb0z725Qb
-w7MYRvicRNWT0wnk3njMMfXYS0rbxw7O5LlSoyCf+n6dGtHqJWCS1+lYuCjCz1vr
-hMVFbpcEhob0OAhg8YMgzQRsmeJcBm8slVEOrmmVhQQZPRBjAaQw2f6cjW/ZhzZd
-JHSiDw3yPwKBgQDLSleB2Zni3al56v3mzh4w05gzVUFHeX2RCoXx1ad1He1AhAxY
-bAakSyaLQ4nR4osxomuMhzAA8iB8araFJwMLVa03AZfjRZIolCR0uMqnrQi42syN
-EnEF7JcyorUScKyk2S0JAmxN+HCcCO7TQaPGwbNwvR4OO/6Un6jfS+nySwKBgH6n
-4bashkJwyWRPO7TKzjB03I9nLB9Hk4YugQEZysWNaGzij62vgjVLS43MQl5cAQJ+
-usHuEACfJ3UWHCWSInFhOg4twob9q/YnonBuXA9UuzITTAYhlKF5fvUyGMyV0VcW
-hpfxOtSfH9Vew+naY32XMiCovMTnmBQ+Nw5L5DiRAoGAV5/JT4z57Y+8npBCRr1m
-NJZBXjQ8rmjYBCs+jOQ48wK2mEgcgARIgVGgi9MZZ2BUFHPThGS1o4OYE+fdqD95
-bvg1XInVpNwebLP6UZa9xZ8oGd3Auxfsav1WJB+CZo2tOX5Qt+GnwiumEr3Dlf1d
-UVXDNM5A/sl1IDL3T3IEdSw=
+MIIEugIBADANBgkqhkiG9w0BAQEFAASCBKQwggSgAgEAAoIBAQDDjpNUYAIa0lhu
+P2vy/iGktz6apYzvS4qqLsVK3OPWVQUXDl58UzhVqbh2g3x1bNqhwDIve18dkqc7
+EVEp3mEZ/bfLbqxF3KVh4uqAxrrKP4zyW4dBvsmn0qg9AllAmdHL5fRMIQLJr1iJ
+auUAyEvekaRvM6Y8Jv38W5cLYirpQK328CgCrJQTKt5eHCQTYp/29len05fV1mUu
+hagiDRVRg/wueTlN3pAxOETBM8ivHl3VD8HG1olkDmpVd+Y8UP8CB3H8Z5ddHfC/
+jOHBC4rn8KEaugJRj8DuMQaG3xBoXZMbtIRIbLcYNPEtIlFMHB1a9xC75WXKpQO8
+WD1fmL0PAgMBAAECgf97qOIaOZ81s9r4Z+n5KNUGMm+coOSpSJn5K6DcgPnAklKB
+Gf9mdtW3wA+Boq26pA2wsrdZQd+1LWfsMUz2fKj3vJODUzzpTaQ2WTbm5LAiMR4y
+RKSm5Gwh3seA1tN4YBWM6sIzxYeQDx+aXuoaX1xbcmp4HGmRLwmvdtRZL+W22AMv
+9XKg2/xbzd2qa2orTSCE5Fi6Md0yo00om+g7nmyMS2bugGD2GhKsN257H+B8KW/F
+1zHSEQTztvYf7gYUoTXYOzymZiRgyk/sHtWfyYxZTsv6eeRSlrAr3JZ773Bh1vHT
+ir6GtaONAUI5YoiDnk5BXT7e/ZfTkkGI9lKT5WkCgYEA8kpC6EFHPn9NJfU96kpz
+Ic1+mCbyvAMfaGYfkok56b3+SR7sY7sBTAhRJ6KQc0gqqfRW7sg108maWY1woo1I
+dfwtJD4dfOQt0BFSAws2TXSsibSVaPpcczq+e/TXjdJghOX7cNtJEcUK/Of4UQAY
+OUsBJ3FDVkwapWfFoeUQwyUCgYEAzp9aMoZmG9nnDx2EL3KdGbBjwGSay1OoDDMc
+C5lJdE17jPnEwor6UE4HViNIgV/TZdtAfB9xzvVcumM3rtUAKxLPyGAgL8CuA6np
+IAM9ynNpV46vBYBWSEn6+62a/QAy+81xxWDw8dN9swep0esqvsf28m2lSlDE+bFY
+PTMgIyMCgYAF7hNdI9veh7cXqrztMw1GUoU6rBlcyKbII1e6emlUczX6DCu09Sq+
+9aUm1y+54pZIupY2GehXWqPQdUnAcLzJRnbEYFDQcbU9Vm8va+LUWnqulCDkBNym
+ZVWsKv3rlq6OEiLpTDSpnqz6K6NEOEBfhppsoLUJM6ujSLrpj3WtkQKBgCc/q+GH
+GCRYOwTrBW4B5oe3susb8S+IX5aZqs0lPAfEpCB+XXra7XuNpuUc5Kv2qPBjOpeZ
+XYQDpa6eJDioq1SDSUb1w4duoV9+yhLTqswnKi6Aowx3eWxX6T4flx5SCF0+hEsL
+BBnbo7f7T63ZbxA4addZLpm0SAZqQqm1aXhjAoGAGv0HkRqxznz4RVnNbOJO1jMl
+zYsKbXJVLsz9z4AdBcr0gagibFXHBRNL80M9JXZl+DUiz9s8weOysVqkl7Xs6qgc
+EPJCwZqWMe2pV6Z60e3wGJWbc5TEZaE/T7ARjmjjVWQDfwoxpqhOKMkXuMWKkBw/
+dHpyiIU4c3eal6b11mo=
 -----END PRIVATE KEY-----

src/test/resources/mail/openssl.cnf

@@ -0,0 +1,25 @@
+[ req ]
+default_bits       = 2048
+default_md         = sha512
+prompt             = no
+encrypt_key        = no
+
+distinguished_name = req_distinguished_name
+string_mask = nombstr
+
+# The extensions to add to a certificate request
+req_extensions = v3_req
+
+# FZJ (+IEK-4) default options for certificate request
+[ req_distinguished_name ]
+countryName            = DV
+stateOrProvinceName    = Dataverse Country
+localityName           = Dataverse City
+organizationName       = GDCC
+organizationalUnitName = Testing Department
+commonName             = localhost
+emailAddress           = [email protected]
+
+[ v3_req ]
+# You can add more names by adding (repetitive) ", DNS:<name>" entries to this config key
+subjectAltName = DNS:localhost