Story #15211: separate client and server certificate

Author: GiooDev

deployment/ansible-vitamui/app_api_gateway.yml

@@ -8,7 +8,8 @@
   vars:
     vitamui_struct: "{{ vitamui.api_gateway }}"
     vitamui_certificate_type: external
-    password_keystore: "{{ keystores_server_api_gateway }}"
+    password_keystore_server: "{{ keystores_server_vitamui_services_api_gateway }}"
+    password_keystore_client: "{{ keystores_client_vitamui_services_api_gateway }}"
     password_truststore: "{{ truststores_client_external }}"
     vitam_cert: "{{ vitam_certs.vitamui }}"
     consul_tags: "api-gateway, api, internal"

deployment/ansible-vitamui/app_archive_search.yml

@@ -7,8 +7,8 @@
   vars:
     vitamui_struct: "{{ vitamui.archive_search_internal }}"
     vitamui_certificate_type: server
-    password_keystore: "{{ keystores_server_archive_search_internal }}"
-    password_truststore: "{{ truststores_server }}"
+    password_keystore_server: "{{ keystores_server_vitamui_services_archive_search_internal }}"
+    password_truststore: "{{ truststores_vitamui }}"
     vitam_cert: "{{ vitam_certs.vitamui }}"
     consul_tags: "archive-search-internal, api, internal"
 
@@ -21,6 +21,7 @@
   vars:
     vitamui_struct: "{{ vitamui.archive_search_external }}"
     vitamui_certificate_type: external
-    password_keystore: "{{ keystores_server_archive_search_external }}"
+    password_keystore_client: "{{ keystores_client_vitamui_services_archive_search_external }}"
+    password_keystore_server: "{{ keystores_server_vitamui_services_archive_search_external }}"
     password_truststore: "{{ truststores_client_external }}"
     consul_tags: "archive-search-external, api, external"

deployment/ansible-vitamui/app_collect.yml

@@ -7,8 +7,8 @@
   vars:
     vitamui_struct: "{{ vitamui.collect_internal }}"
     vitamui_certificate_type: server
-    password_keystore: "{{ keystores_server_collect_internal }}"
-    password_truststore: "{{ truststores_server }}"
+    password_keystore_server: "{{ keystores_server_vitamui_services_collect }}"
+    password_truststore: "{{ truststores_vitamui }}"
     vitam_cert: "{{ vitam_certs.vitamui }}"
     consul_tags: "collect-internal, api, internal"
 
@@ -21,6 +21,7 @@
   vars:
     vitamui_struct: "{{ vitamui.collect_external }}"
     vitamui_certificate_type: external
-    password_keystore: "{{ keystores_server_collect_external }}"
+    password_keystore_server: "{{ keystores_server_vitamui_services_collect }}"
+    password_keystore_client: "{{ keystores_client_vitamui_services_collect }}"
     password_truststore: "{{ truststores_client_external }}"
     consul_tags: "collect-external, api, external"

deployment/ansible-vitamui/app_ingest.yml

@@ -7,8 +7,8 @@
   vars:
     vitamui_struct: "{{ vitamui.ingest_internal }}"
     vitamui_certificate_type: server
-    password_keystore: "{{ keystores_server_ingest_internal }}"
-    password_truststore: "{{ truststores_server }}"
+    password_keystore_server: "{{ keystores_server_vitamui_services_ingest_internal }}"
+    password_truststore: "{{ truststores_vitamui }}"
     vitam_cert: "{{ vitam_certs.vitamui }}"
     consul_tags: "ingest-internal, api, internal"
 
@@ -21,6 +21,7 @@
   vars:
     vitamui_struct: "{{ vitamui.ingest_external }}"
     vitamui_certificate_type: external
-    password_keystore: "{{ keystores_server_ingest_external }}"
+    password_keystore_server: "{{ keystores_server_vitamui_services_ingest_external }}"
+    password_keystore_client: "{{ keystores_client_vitamui_services_ingest_external }}"
     password_truststore: "{{ truststores_client_external }}"
     consul_tags: "ingest-external, api, external"

deployment/ansible-vitamui/app_pastis.yml

@@ -7,7 +7,8 @@
   vars:
     vitamui_struct: "{{ vitamui.pastis_external }}"
     vitamui_certificate_type: external
-    password_keystore: "{{ keystores_server_pastis_external }}"
+    password_keystore_server: "{{ keystores_server_vitamui_services_pastis_external }}"
+    password_keystore_client: "{{ keystores_client_vitamui_services_pastis_external }}"
     password_truststore: "{{ truststores_client_external }}"
     consul_tags: "pastis-external, api, external"
     vitam_cert: "{{ vitam_certs.vitamui }}"

deployment/ansible-vitamui/app_referential.yml

@@ -7,8 +7,8 @@
   vars:
     vitamui_struct: "{{ vitamui.referential_internal }}"
     vitamui_certificate_type: server
-    password_keystore: "{{ keystores_server_referential_internal }}"
-    password_truststore: "{{ truststores_server }}"
+    password_keystore_server: "{{ keystores_server_vitamui_services_referential_internal }}"
+    password_truststore: "{{ truststores_vitamui }}"
     vitam_cert: "{{ vitam_certs.vitamui }}"
     consul_tags: "referential-internal, api, internal"
 
@@ -21,6 +21,7 @@
   vars:
     vitamui_struct: "{{ vitamui.referential_external }}"
     vitamui_certificate_type: external
-    password_keystore: "{{ keystores_server_referential_external }}"
+    password_keystore_server: "{{ keystores_server_vitamui_services_referential_external }}"
+    password_keystore_client: "{{ keystores_client_vitamui_services_referential_external }}"
     password_truststore: "{{ truststores_client_external }}"
     consul_tags: "referential-external, api, external"

deployment/ansible-vitamui/vitamui_apps.yml

@@ -8,9 +8,9 @@
     - vitamui
   vars:
     vitamui_struct: "{{ vitamui.iam_internal }}"
-    vitamui_certificate_type: "server"
-    password_keystore: "{{ keystores_server_iam_internal }}"
-    password_truststore: "{{ truststores_server }}"
+    vitamui_certificate_type: server
+    password_keystore_server: "{{ keystores_server_vitamui_services_iam_internal }}"
+    password_truststore: "{{ truststores_vitamui }}"
     vitam_cert: "{{ vitam_certs.vitamui }}"
     consul_tags: "iam-internal, api, internal"
   tags:
@@ -23,9 +23,9 @@
     - vitamui
   vars:
     vitamui_struct: "{{ vitamui.security_internal }}"
-    vitamui_certificate_type: "server"
-    password_keystore: "{{ keystores_server_security_internal }}"
-    password_truststore: "{{ truststores_server }}"
+    vitamui_certificate_type: server
+    password_keystore_server: "{{ keystores_server_vitamui_services_security_internal }}"
+    password_truststore: "{{ truststores_vitamui }}"
     consul_tags: "security-internal, api, internal"
   tags:
     - security-internal
@@ -38,8 +38,9 @@
     - vitamui
   vars:
     vitamui_struct: "{{ vitamui.iam_external }}"
-    vitamui_certificate_type: "external"
-    password_keystore: "{{ keystores_server_iam_external }}"
+    vitamui_certificate_type: external
+    password_keystore_server: "{{ keystores_server_vitamui_services_iam_external }}"
+    password_keystore_client: "{{ keystores_client_vitamui_services_iam_external }}"
     password_truststore: "{{ truststores_client_external }}"
     consul_tags: "iam-external, api, external"
   tags:
@@ -53,8 +54,9 @@
     - vitamui
   vars:
     vitamui_struct: "{{ vitamui.cas_server }}"
-    vitamui_certificate_type: "external"
-    password_keystore: "{{ keystores_server_cas_server }}"
+    vitamui_certificate_type: external
+    password_keystore_server: "{{ keystores_server_vitamui_services_cas_server }}"
+    password_keystore_client: "{{ keystores_client_vitamui_services_cas_server }}"
     password_truststore: "{{ truststores_client_external }}"
     consul_tags: "cas-server, cas, external"
   tags:

deployment/pki/config/crt-config

@@ -54,8 +54,8 @@ issuerAltName                   = issuer:copy
 subjectAltName                  = ${ENV::OPENSSL_SAN}
 basicConstraints                = critical,CA:FALSE
 keyUsage                        = digitalSignature, keyEncipherment
-nsCertType                      = server, client
-extendedKeyUsage                = serverAuth, clientAuth
+nsCertType                      = server
+extendedKeyUsage                = serverAuth
 
 [ extension_client ]
 nsComment                       = "Certificat Client SSL"

deployment/pki/scripts/generate_ca.sh

@@ -12,7 +12,7 @@ set -e
 ######################################################################
 
 function get_autorities() {
-    echo "server client-external client-vitam"
+    echo "vitamui-services client-external client-vitam"
 }
 
 ######################################################################

deployment/pki/scripts/generate_ca_dev.sh

@@ -14,7 +14,7 @@ set -e
 REPERTOIRE_ROOT="$( cd "$( readlink -f $(dirname ${BASH_SOURCE[0]}) )/../../../dev-deployment" ; pwd )"
 
 function get_autorities() {
-    echo "server client-external client-vitam"
+    echo "vitamui-services client-external client-vitam"
 }
 
 ######################################################################