Story #15211: Cleaning truststore and configuration.

Author: GiooDev

deployment/roles/vitamui/defaults/main.yml

@@ -10,6 +10,7 @@ jvm_opts:
 start_timeout: "{{ vitamui_defaults.services.start_timeout | default(300) }}"
 at_boot: "{{ vitamui_defaults.services.at_boot | default(false) }}"
 secure: "{{ vitamui_defaults.services.secure | default(true) | bool }}"
+ssl_hostname_verification: "{{ vitamui_defaults.services.ssl_hostname_verification | default(true) | bool }}"
 jvm_log: "{{ vitamui_defaults.services.jvm_log | default(false) | bool }}"
 accesslogs: "{{ vitamui_defaults.services.accesslogs | default('true') | lower }}"
 access_retention_days: "{{ vitamui_defaults.services.access_retention_days | default(365) }}"

deployment/roles/vitamui/tasks/main.yml

@@ -48,9 +48,9 @@
   file:
     path: "{{ vitamui_defaults.folder.root_path | default('/vitamui') }}/{{ item }}/{{ vitamui_struct.vitamui_component }}"
     state: directory
-    owner: "{{ vitamui_defaults.users.vitamui | default('vitamui') }}"
-    group: "{{ vitamui_defaults.users.group | default('vitamui') }}"
-    mode: "{{ vitamui_defaults.folder.folder_permission | default('0750') }}"
+    owner: "{{ vitamui_defaults.users.vitamui }}"
+    group: "{{ vitamui_defaults.users.group }}"
+    mode: "{{ vitamui_defaults.folder.folder_permission }}"
   with_items:
     - app
     - bin
@@ -66,9 +66,9 @@
   file:
     path: "{{ vitamui_folder_conf }}/sysconfig"
     state: directory
-    owner: "{{ vitamui_defaults.users.vitamui | default('vitamui') }}"
-    group: "{{ vitamui_defaults.users.group | default('vitamui') }}"
-    mode: "{{ vitamui_defaults.folder.folder_permission | default('0750') }}"
+    owner: "{{ vitamui_defaults.users.vitamui }}"
+    group: "{{ vitamui_defaults.users.group }}"
+    mode: "{{ vitamui_defaults.folder.folder_permission }}"
   notify: restart service
   when: install_mode != "container"
 
@@ -83,9 +83,9 @@
   template:
     src: java_opts.j2
     dest: "{{ vitamui_folder_conf }}/sysconfig/java_opts"
-    owner: "{{ vitamui_defaults.users.vitamui | default('vitamui') }}"
-    group: "{{ vitamui_defaults.users.group | default('vitamui') }}"
-    mode: "{{ vitamui_defaults.folder.conf_permission | default('0440') }}"
+    owner: "{{ vitamui_defaults.users.vitamui }}"
+    group: "{{ vitamui_defaults.users.group }}"
+    mode: "{{ vitamui_defaults.folder.conf_permission }}"
   tags:
     - update_vitamui_jvmopts
     - update_vitamui_configuration
@@ -95,7 +95,7 @@
 - name: get passwd for vitamui
   getent:
     database: passwd
-    key: "{{ vitamui_defaults.users.vitamui | default('vitamui') }}"
+    key: "{{ vitamui_defaults.users.vitamui }}"
 
 - name: Deploy systemd service file
   template:
@@ -112,19 +112,19 @@
   template:
     src: logback.xml.j2
     dest: "{{ vitamui_folder_conf }}/logback.xml"
-    owner: "{{ vitamui_defaults.users.vitamui | default('vitamui') }}"
-    group: "{{ vitamui_defaults.users.group | default('vitamui') }}"
-    mode: "{{ vitamui_defaults.folder.conf_permission | default('0440') }}"
+    owner: "{{ vitamui_defaults.users.vitamui }}"
+    group: "{{ vitamui_defaults.users.group }}"
+    mode: "{{ vitamui_defaults.folder.conf_permission }}"
   tags: update_vitamui_configuration
   notify: restart service
 
 - name: Deploy specific configuration files
   template:
     src: "{{ item }}"
     dest: "{{ vitamui_folder_conf }}/{{ item | basename | regex_replace('\\.j2$') }}"
-    owner: "{{ vitamui_defaults.users.vitamui | default('vitamui') }}"
-    group: "{{ vitamui_defaults.users.group | default('vitamui') }}"
-    mode: "{{ vitamui_defaults.folder.conf_permission | default('0440') }}"
+    owner: "{{ vitamui_defaults.users.vitamui }}"
+    group: "{{ vitamui_defaults.users.group }}"
+    mode: "{{ vitamui_defaults.folder.conf_permission }}"
   with_fileglob:
     - "{{ role_path }}/templates/{{ vitamui_struct.vitamui_component }}/*"
   #no_log: "{{ hide_passwords_during_deploy }}"
@@ -133,61 +133,56 @@
     - update_vitamui_certificates # Mandatory to update configuration file containing keystore password
   notify: restart service
 
-- name: "Copy {{ vitamui_struct.service_name | default(service_name) }} jks keystore (server)"
-  copy:
-    src: "{{ inventory_dir }}/keystores/vitamui-services/server/{{ vitamui_struct.vitamui_component }}/keystore_{{ vitamui_struct.vitamui_component }}.jks"
-    dest: "{{ vitamui_folder_conf }}/keystore_{{ vitamui_struct.service_name | default(service_name) }}.jks"
-    owner: "{{ vitamui_defaults.users.vitamui | default('vitamui') }}"
-    group: "{{ vitamui_defaults.users.group | default('vitamui') }}"
-    mode: "{{ vitamui_defaults.folder.folder_permission | default('0750') }}"
-  when:
-    - vitamui_struct.secure | default(secure) | lower == 'true'
-    - lookup('pipe', 'test -f {{ inventory_dir }}/keystores/vitamui-services/server/{{ vitamui_struct.vitamui_component }}/keystore_{{ vitamui_struct.vitamui_component }}.jks || echo nofile') == ''
-  tags: update_vitamui_certificates
-  notify: restart service
+- block: # when secure is true
 
-- name: "Copy {{ vitamui_struct.service_name | default(service_name) }} jks keystore (client)"
-  copy:
-    src: "{{ inventory_dir }}/keystores/vitamui-services/clients/{{ vitamui_struct.vitamui_component }}/keystore_{{ vitamui_struct.vitamui_component }}.jks"
-    dest: "{{ vitamui_folder_conf }}/keystore_client_{{ vitamui_struct.service_name | default(service_name) }}.jks"
-    owner: "{{ vitamui_defaults.users.vitamui | default('vitamui') }}"
-    group: "{{ vitamui_defaults.users.group | default('vitamui') }}"
-    mode: "{{ vitamui_defaults.folder.folder_permission | default('0750') }}"
-  when:
-    - vitamui_struct.secure | default(secure) | lower == 'true'
-    - lookup('pipe', 'test -f {{ inventory_dir }}/keystores/vitamui-services/clients/{{ vitamui_struct.vitamui_component }}/keystore_{{ vitamui_struct.vitamui_component }}.jks || echo nofile') == ''
-  tags: update_vitamui_certificates
-  notify: restart service
+    - name: "Copy {{ vitamui_struct.service_name | default(service_name) }} jks keystore (server)"
+      copy:
+        src: "{{ inventory_dir }}/keystores/vitamui-services/server/{{ vitamui_struct.vitamui_component }}/keystore_{{ vitamui_struct.vitamui_component }}.jks"
+        dest: "{{ vitamui_folder_conf }}/keystore_{{ vitamui_struct.service_name | default(service_name) }}.jks"
+        owner: "{{ vitamui_defaults.users.vitamui }}"
+        group: "{{ vitamui_defaults.users.group }}"
+        mode: "{{ vitamui_defaults.folder.folder_permission }}"
+      tags: update_vitamui_certificates
+      notify: restart service
 
-# Copy the trustore for all vitamui components in order to communicate between them.
-- name: Copy vitamui-services truststore
-  copy:
-    src: "{{ inventory_dir }}/keystores/vitamui-services/truststore_vitamui.jks"
-    dest: "{{ vitamui_folder_conf }}/truststore_vitamui.jks"
-    owner: "{{ vitamui_defaults.users.vitamui | default('vitamui') }}"
-    group: "{{ vitamui_defaults.users.group | default('vitamui') }}"
-    mode: "{{ vitamui_defaults.folder.folder_permission | default('0750') }}"
-  when:
-    - vitamui_struct.secure | default(secure) | lower == 'true'
-    - vitamui_certificate_type | default('none') | lower == 'vitamui-services'
-    - lookup('pipe', 'test -f {{ inventory_dir }}/keystores/vitamui-services/truststore_vitamui.jks || echo nofile') == ''
-  tags: update_vitamui_certificates
-  notify: restart service
+    - name: "Copy {{ vitamui_struct.service_name | default(service_name) }} jks keystore (client)"
+      copy:
+        src: "{{ inventory_dir }}/keystores/vitamui-services/clients/{{ vitamui_struct.vitamui_component }}/keystore_{{ vitamui_struct.vitamui_component }}.jks"
+        dest: "{{ vitamui_folder_conf }}/keystore_client_{{ vitamui_struct.service_name | default(service_name) }}.jks"
+        owner: "{{ vitamui_defaults.users.vitamui }}"
+        group: "{{ vitamui_defaults.users.group }}"
+        mode: "{{ vitamui_defaults.folder.folder_permission }}"
+      when:
+        - lookup('pipe', 'test -f {{ inventory_dir }}/keystores/vitamui-services/clients/{{ vitamui_struct.vitamui_component }}/keystore_{{ vitamui_struct.vitamui_component }}.jks || echo nofile') == ''
+      tags: update_vitamui_certificates
+      notify: restart service
 
-# Copy the truststore for all external API in order to communicate with vitamui components (ui, external APIs, cas) and externals apps.
-- name: Copy external truststore
-  copy:
-    src: "{{ inventory_dir }}/keystores/client-{{ vitamui_certificate_type }}/truststore_{{ vitamui_certificate_type }}.jks"
-    dest: "{{ vitamui_folder_conf }}/truststore_{{ vitamui_certificate_type }}.jks"
-    owner: "{{ vitamui_defaults.users.vitamui | default('vitamui') }}"
-    group: "{{ vitamui_defaults.users.group | default('vitamui') }}"
-    mode: "{{ vitamui_defaults.folder.folder_permission | default('0750') }}"
-  when:
-    - vitamui_struct.secure | default(secure) | lower == 'true'
-    - vitamui_certificate_type | default('none') | lower == 'external'
-    - lookup('pipe', 'test -f {{ inventory_dir }}/keystores/client-{{ vitamui_certificate_type }}/truststore_{{ vitamui_certificate_type }}.jks || echo nofile') == ''
-  tags: update_vitamui_certificates
-  notify: restart service
+    # Copy the trustore for all vitamui components in order to communicate between them.
+    - name: Copy vitamui-services truststore
+      copy:
+        src: "{{ inventory_dir }}/keystores/vitamui-services/truststore_vitamui.jks"
+        dest: "{{ vitamui_folder_conf }}/truststore_vitamui.jks"
+        owner: "{{ vitamui_defaults.users.vitamui }}"
+        group: "{{ vitamui_defaults.users.group }}"
+        mode: "{{ vitamui_defaults.folder.folder_permission }}"
+      tags: update_vitamui_certificates
+      notify: restart service
+
+    # Copy the truststore for all external API in order to communicate with vitamui components (ui, external APIs, cas) and externals apps.
+    - name: Copy external truststore
+      copy:
+        src: "{{ inventory_dir }}/keystores/client-external/truststore_external.jks"
+        dest: "{{ vitamui_folder_conf }}/truststore_external.jks"
+        owner: "{{ vitamui_defaults.users.vitamui }}"
+        group: "{{ vitamui_defaults.users.group }}"
+        mode: "{{ vitamui_defaults.folder.folder_permission }}"
+      when:
+        - vitamui_certificate_type | default('none') | lower == 'external'
+        - lookup('pipe', 'test -f {{ inventory_dir }}/keystores/client-external/truststore_external.jks || echo nofile') == ''
+      tags: update_vitamui_certificates
+      notify: restart service
+
+  when: vitamui_struct.secure | default(secure) | bool
 
 - name: "Execute sub-tasks for the component: {{ vitamui_struct.vitamui_component }}"
   include_tasks: "{{ vitamui_struct.vitamui_component }}.yml"

deployment/roles/vitamui/templates/api-gateway/application.yml.j2

@@ -7,8 +7,8 @@ server:
     key-store: {{ vitamui_folder_conf }}/keystore_{{ vitamui_struct.service_name | default(service_name) }}.jks
     key-store-password: {{ password_keystore_server }}
     key-password: {{ password_keystore_server }}
-    trust-store: {{ vitamui_folder_conf }}/truststore_{{ vitamui_certificate_type }}.jks
-    trust-store-password: {{ password_truststore }}
+    trust-store: {{ vitamui_folder_conf }}/truststore_vitamui.jks
+    trust-store-password: {{ truststores_vitamui }}
     client-auth: need
 {% endif %}
   max-http-request-header-size: {{ vitamui_struct.server_max_http_header_size | default('10KB') }}

deployment/roles/vitamui/templates/archive-search/application.yml.j2

@@ -27,8 +27,8 @@ server:
     key-store: {{ vitamui_folder_conf }}/keystore_{{ vitamui_struct.service_name | default(service_name) }}.jks
     key-store-password: {{ password_keystore_server }}
     key-password: {{ password_keystore_server }}
-    trust-store: {{ vitamui_folder_conf }}/truststore_{{ vitamui_certificate_type }}.jks
-    trust-store-password: {{ password_truststore }}
+    trust-store: {{ vitamui_folder_conf }}/truststore_vitamui.jks
+    trust-store-password: {{ truststores_vitamui }}
     client-auth: want
     client-certificate-header-name: {{ vitamui.api_gateway.client_certificate_header_name | default('x-ssl-cert') }}
 {% endif %}
@@ -67,28 +67,30 @@ archive-search:
   security-client:
     server-host: {{ vitamui.security.host }}
     server-port: {{ vitamui.security.port_service }}
-{% if vitamui.security.secure | default(secure) | bool == true %}
-    secure: {{ vitamui.security.secure | default(secure) | lower }}
+{% if vitamui.security.secure | default(secure) | bool %}
+    secure: true
     ssl-configuration:
+      keystore:
+        key-path: {{ vitamui_folder_conf }}/keystore_client_{{ vitamui_struct.service_name | default(service_name) }}.jks
+        key-password: {{ password_keystore_client }}
       truststore:
         key-path: {{ vitamui_folder_conf }}/truststore_{{ vitamui_certificate_type }}.jks
         key-password: {{ password_truststore }}
-      hostname-verification: true
+      hostname-verification: {{ vitamui_struct.ssl_hostname_verification | default(ssl_hostname_verification) | lower }}
 {% endif %}
   iam-client:
     server-host: {{ vitamui.iam.host }}
     server-port: {{ vitamui.iam.port_service }}
-{% if vitamui.iam.secure | default(secure) | bool == true %}
-    secure: {{ vitamui.iam.secure | default(secure) | lower }}
+{% if vitamui.iam.secure | default(secure) | bool %}
+    secure: true
     ssl-configuration:
       keystore:
         key-path: {{ vitamui_folder_conf }}/keystore_client_{{ vitamui_struct.service_name | default(service_name) }}.jks
         key-password: {{ password_keystore_client }}
-        type: JKS
       truststore:
         key-path: {{ vitamui_folder_conf }}/truststore_{{ vitamui_certificate_type }}.jks
         key-password: {{ password_truststore }}
-      hostname-verification: true
+      hostname-verification: {{ vitamui_struct.ssl_hostname_verification | default(ssl_hostname_verification) | lower }}
 {% endif %}
 
 {% if opentracing.jaeger.enabled | default(false) | bool %}

deployment/roles/vitamui/templates/cas-server/application.yml.j2

@@ -69,11 +69,10 @@ iam-client:
     keystore:
       key-path: {{ vitamui_folder_conf }}/keystore_client_{{ vitamui_struct.service_name | default(service_name) }}.jks
       key-password: {{ password_keystore_client }}
-      type: JKS
     truststore:
       key-path: {{ vitamui_folder_conf }}/truststore_{{ vitamui_certificate_type }}.jks
       key-password: {{ password_truststore }}
-    hostname-verification: true
+    hostname-verification: {{ vitamui_struct.ssl_hostname_verification | default(ssl_hostname_verification) | lower }}
 {% endif %}
 
 cas.authn.accept.users:

deployment/roles/vitamui/templates/collect/application.yml.j2

@@ -36,8 +36,8 @@ server:
     key-store: {{ vitamui_folder_conf }}/keystore_{{ vitamui_struct.service_name | default(service_name) }}.jks
     key-store-password: {{ password_keystore_server }}
     key-password: {{ password_keystore_server }}
-    trust-store: {{ vitamui_folder_conf }}/truststore_{{ vitamui_certificate_type }}.jks
-    trust-store-password: {{ password_truststore }}
+    trust-store: {{ vitamui_folder_conf }}/truststore_vitamui.jks
+    trust-store-password: {{ truststores_vitamui }}
     client-auth: want
     client-certificate-header-name: {{ vitamui.api_gateway.client_certificate_header_name | default('x-ssl-cert') }}
 {% endif %}
@@ -76,28 +76,30 @@ collect:
   security-client:
     server-host: {{ vitamui.security.host }}
     server-port: {{ vitamui.security.port_service }}
-{% if vitamui.security.secure | default(secure) | bool == true %}
-    secure: {{ vitamui.security.secure | default(secure) | lower }}
+{% if vitamui.security.secure | default(secure) | bool %}
+    secure: true
     ssl-configuration:
+      keystore:
+        key-path: {{ vitamui_folder_conf }}/keystore_client_{{ vitamui_struct.service_name | default(service_name) }}.jks
+        key-password: {{ password_keystore_client }}
       truststore:
         key-path: {{ vitamui_folder_conf }}/truststore_{{ vitamui_certificate_type }}.jks
         key-password: {{ password_truststore }}
-      hostname-verification: true
+      hostname-verification: {{ vitamui_struct.ssl_hostname_verification | default(ssl_hostname_verification) | lower }}
 {% endif %}
   iam-client:
     server-host: {{ vitamui.iam.host }}
     server-port: {{ vitamui.iam.port_service }}
-{% if vitamui.iam.secure | default(secure) | bool == true %}
-    secure: {{ vitamui.iam.secure | default(secure) | lower }}
+{% if vitamui.iam.secure | default(secure) | bool %}
+    secure: true
     ssl-configuration:
       keystore:
         key-path: {{ vitamui_folder_conf }}/keystore_client_{{ vitamui_struct.service_name | default(service_name) }}.jks
         key-password: {{ password_keystore_client }}
-        type: JKS
       truststore:
         key-path: {{ vitamui_folder_conf }}/truststore_{{ vitamui_certificate_type }}.jks
         key-password: {{ password_truststore }}
-      hostname-verification: true
+      hostname-verification: {{ vitamui_struct.ssl_hostname_verification | default(ssl_hostname_verification) | lower }}
 {% endif %}
 
 ontologies_file_path: {{ vitamui_folder_data }}/external_ontology_fields.json

deployment/roles/vitamui/templates/iam/application.yml.j2

@@ -30,8 +30,8 @@ server:
     key-store: {{ vitamui_folder_conf }}/keystore_{{ vitamui_struct.service_name | default(service_name) }}.jks
     key-store-password: {{ password_keystore_server }}
     key-password: {{ password_keystore_server }}
-    trust-store: {{ vitamui_folder_conf }}/truststore_{{ vitamui_certificate_type }}.jks
-    trust-store-password: {{ password_truststore }}
+    trust-store: {{ vitamui_folder_conf }}/truststore_vitamui.jks
+    trust-store-password: {{ truststores_vitamui }}
     client-auth: want
     client-certificate-header-name: {{ vitamui.api_gateway.client_certificate_header_name | default('x-ssl-cert') }}
 {% endif %}
@@ -72,13 +72,16 @@ iam:
   security-client:
     server-host: {{ vitamui.security.host }}
     server-port: {{ vitamui.security.port_service }}
-{% if vitamui.security.secure | default(secure) | bool == true %}
+{% if vitamui.security.secure | default(secure) | bool %}
     secure: true
     ssl-configuration:
+      keystore:
+        key-path: {{ vitamui_folder_conf }}/keystore_client_{{ vitamui_struct.service_name | default(service_name) }}.jks
+        key-password: {{ password_keystore_client }}
       truststore:
         key-path: {{ vitamui_folder_conf }}/truststore_{{ vitamui_certificate_type }}.jks
         key-password: {{ password_truststore }}
-      hostname-verification: true
+      hostname-verification: {{ vitamui_struct.ssl_hostname_verification | default(ssl_hostname_verification) | lower }}
 {% endif %}
 
 list-enable-external-identifiers:
@@ -104,17 +107,16 @@ login:
 cas-client:
   server-host: {{ vitamui.cas_server.host }}
   server-port: {{ vitamui.cas_server.port_service }}
-{% if vitamui.cas_server.secure | default(secure) | bool == true %}
+{% if vitamui.cas_server.secure | default(secure) | bool %}
   secure: true
   ssl-configuration:
     keystore:
       key-path: {{ vitamui_folder_conf }}/keystore_client_{{ vitamui_struct.service_name | default(service_name) }}.jks
       key-password: {{ password_keystore_client }}
-      type: JKS
     truststore:
       key-path: {{ vitamui_folder_conf }}/truststore_{{ vitamui_certificate_type }}.jks
       key-password: {{ password_truststore }}
-    hostname-verification: true
+    hostname-verification: {{ vitamui_struct.ssl_hostname_verification | default(ssl_hostname_verification) | lower }}
 {% endif %}
 
 cas.reset.password.url: {{ vitamui.cas_server.base_url | default('/cas') }}{{ vitamui.cas_server.reset_password_url | default('/extras/resetPassword?username={username}&firstname={firstname}&lastname={lastname}&language={language}&customerId={customerId}&ttl=1day') }}