Wdt 609 ssl db connection (#1109)

* handle SSL db in rcu

* jps changes for type of trust

* add code into jps

* SSL DB connection for opss

* fix for local variable

* fix for local variable

* fix for local variable

* fix for local variable

* fix sonar bug

* between

* duplicate code reduction

* documentation change

* documentation change

* fix build problem

Author: CarolynRountree

core/src/main/java/oracle/weblogic/deploy/create/RCURunner.java

@@ -69,6 +69,8 @@ public class RCURunner {
     private final String rcuVariables;
 
     private boolean atpDB = false;
+    private boolean sslDB = false;
+ 
     private String atpSSlArgs = null;
     private String atpAdminUser = null;
     private String rcuAdminUser = DB_USER;
@@ -165,7 +167,7 @@ public static RCURunner createAtpRunner(String domainType, String oracleHome, St
         sslArgs.append(",javax.net.ssl.keyStorePassword=");
         sslArgs.append(keyStorePassword);
         sslArgs.append(",oracle.jdbc.fanEnabled=false");
-        sslArgs.append(",oracle.net.ssl_server_dn_match=true");
+        sslArgs.append(",oracle.net.ssl_server_dn_match=false");
 
         runner.atpDB = true;
         runner.atpSSlArgs = sslArgs.toString();
@@ -174,6 +176,61 @@ public static RCURunner createAtpRunner(String domainType, String oracleHome, St
         runner.atpTemporaryTablespace = get(rcuProperties, "atp.temp.tablespace");
         return runner;
     }
+    /**
+     * Build an RCU runner for an SSL database.
+     *
+     * @param domainType the domain type
+     * @param oracleHome the ORACLE_HOME location
+     * @param javaHome   the JAVA_HOME location
+     * @param rcuDb The URL of the database
+     * @param rcuPrefix The prefix used for the tablespaces
+     * @param rcuSchemas the list of RCU schemas to create (this list should not include STB)
+     * @param rcuVariables a comma separated list of key=value variables
+     * @param rcuProperties dictionary of SSL specific arguments
+     * @throws CreateException if a parameter validation error occurs
+     */
+    public static RCURunner createSslRunner(String domainType, String oracleHome, String javaHome, String rcuDb,
+                                            String rcuPrefix, List<String> rcuSchemas, String rcuVariables,
+                                            PyDictionary rcuProperties) throws CreateException {
+
+        String tnsAdmin = get(rcuProperties, "oracle.net.tns_admin");
+
+        RCURunner runner = new RCURunner(domainType, oracleHome, javaHome, rcuDb, rcuPrefix, rcuSchemas, rcuVariables);
+        String trustStorePassword = get(rcuProperties, "javax.net.ssl.trustStorePassword");
+        String trustStore = get(rcuProperties, "javax.net.ssl.keyStore");
+        String trustStoreType = get(rcuProperties, "javax.net.ssl.keyStoreType");
+        String keyStorePassword = get(rcuProperties, "javax.net.ssl.keyStorePassword");
+        String keyStore = get(rcuProperties, "javax.net.ssl.keyStore");
+        String keyStoreType = get(rcuProperties, "javax.net.ssl.keyStoreType");
+        String matchType = get(rcuProperties, "oracle.net.ssl_server_dn_match");
+        if (matchType == null || matchType.equals("None"))  {
+            matchType = Boolean.FALSE.toString();
+        }
+
+
+        StringBuilder sslArgs = new StringBuilder();
+        sslArgs.append("oracle.net.tns_admin=");
+        sslArgs.append(tnsAdmin);
+
+        sslArgs.append(",javax.net.ssl.trustStore=");
+        sslArgs.append(tnsAdmin + "/" + trustStore);
+        sslArgs.append(",javax.net.ssl.trustStoreType=" + trustStoreType);
+        // If wallet type is SSO, no password present
+        if (trustStorePassword != null && !trustStorePassword.equals("None")) {
+            sslArgs.append(",javax.net.ssl.trustStorePassword="+ trustStorePassword);
+        }
+        sslArgs.append(",javax.net.ssl.keyStore=");
+        sslArgs.append(tnsAdmin + "/" + keyStore);
+        sslArgs.append(",javax.net.ssl.keyStoreType=" + keyStoreType);
+        if (keyStorePassword != null && !keyStorePassword.equals("None")) {
+            sslArgs.append(",javax.net.ssl.keyStorePassword="+ keyStorePassword);
+        }
+        sslArgs.append(",oracle.net.ssl_server_dn_match="+ matchType);
+
+        runner.sslDB = true;
+        runner.atpSSlArgs = sslArgs.toString();
+        return runner;
+    }
 
     public void setRCUAdminUser(String rcuDBUser) {
         rcuAdminUser = rcuDBUser;
@@ -251,7 +308,7 @@ public void runRcu(String rcuSysPass, String rcuSchemaPass) throws CreateExcepti
     ///////////////////////////////////////////////////////////////////////////
 
     private void addATPEnv(Map<String, String> env) {
-        if (atpDB) {
+        if (atpDB || sslDB) {
             env.put("RCU_SSL_MODE", "true");
             env.put("SKIP_CONNECTSTRING_VALIDATION", "true");
             env.put("RCU_SKIP_PRE_REQS", "ALL");
@@ -312,6 +369,14 @@ private String[] getCommandLineArgs(String operationSwitch) {
             arguments.add("CN=ignored");
             arguments.add(SSLARGS);
             arguments.add(atpSSlArgs);
+        } else if (sslDB) {
+            arguments.add(USE_SSL_SWITCH);
+            arguments.add(SSLARGS);
+            arguments.add(atpSSlArgs);
+            arguments.add(DB_ROLE_SWITCH);
+            arguments.add(DB_ROLE);
+            arguments.add(DB_USER_SWITCH);
+            arguments.add(getRCUAdminUser());
         } else {
             arguments.add(DB_USER_SWITCH);
             arguments.add(getRCUAdminUser());

core/src/main/python/create.py

@@ -43,6 +43,7 @@
 from wlsdeploy.util.cla_utils import TOOL_TYPE_CREATE
 from wlsdeploy.util.weblogic_helper import WebLogicHelper
 from wlsdeploy.tool.create import atp_helper
+from wlsdeploy.tool.create import ssl_helper
 
 wlst_helper.wlst_functions = globals()
 
@@ -231,13 +232,15 @@ def validate_rcu_args_and_model(model_context, model, archive_helper, aliases):
     _method_name = 'validate_rcu_args_and_model'
 
     has_atpdbinfo = 0
+    has_ssldbinfo = 0
     domain_info = model[model_constants.DOMAIN_INFO]
     if domain_info is not None:
         if model_constants.RCU_DB_INFO in domain_info:
             rcu_db_info = RcuDbInfo(model_context, aliases, domain_info[model_constants.RCU_DB_INFO])
             has_tns_admin = rcu_db_info.has_tns_admin()
             has_regular_db = rcu_db_info.is_regular_db()
             has_atpdbinfo = rcu_db_info.has_atpdbinfo()
+            has_ssldbinfo = rcu_db_info.has_ssldbinfo()
 
             if archive_helper and not has_regular_db:
                 System.setProperty('oracle.jdbc.fanEnabled', 'false')
@@ -264,7 +267,7 @@ def validate_rcu_args_and_model(model_context, model, archive_helper, aliases):
                     cla_helper.clean_up_temp_files()
                     tool_exit.end(model_context, CommandLineArgUtil.PROG_ERROR_EXIT_CODE)
 
-    return has_atpdbinfo
+    return has_atpdbinfo, has_ssldbinfo
 
 
 def _get_domain_path(model_context, model):
@@ -324,7 +327,7 @@ def main(args):
             domain_path = _get_domain_path(model_context, model_dictionary)
             archive_helper = ArchiveHelper(archive_file_name, domain_path, __logger, ExceptionType.CREATE)
 
-        has_atp = validate_rcu_args_and_model(model_context, model_dictionary, archive_helper, aliases)
+        has_atp, has_ssl = validate_rcu_args_and_model(model_context, model_dictionary, archive_helper, aliases)
 
         # check if there is an atpwallet and extract in the domain dir
         # it is to support non JRF domain but user wants to use ATP database
@@ -338,7 +341,10 @@ def main(args):
             rcu_properties_map = model_dictionary[model_constants.DOMAIN_INFO][model_constants.RCU_DB_INFO]
             rcu_db_info = RcuDbInfo(model_context, aliases, rcu_properties_map)
             atp_helper.fix_jps_config(rcu_db_info, model_context)
-
+        elif has_ssl:
+            rcu_properties_map = model_dictionary[model_constants.DOMAIN_INFO][model_constants.RCU_DB_INFO]
+            rcu_db_info = RcuDbInfo(model_context, aliases, rcu_properties_map)
+            ssl_helper.fix_jps_config(rcu_db_info, model_context)
     except WLSDeployArchiveIOException, ex:
         __logger.severe('WLSDPLY-12409', _program_name, ex.getLocalizedMessage(), error=ex,
                         class_name=_class_name, method_name=_method_name)

core/src/main/python/wlsdeploy/aliases/model_constants.py

@@ -276,6 +276,8 @@
 SOURCE_DESTINATION = 'SourceDestination'
 SQL_AUTHENTICATOR = 'SQLAuthenticator'
 SSL = 'SSL'
+SSL_ADMIN_USER = 'ssl.admin.user'
+SSL_TNS_ENTRY = 'tns.alias'
 STARTUP_CLASS = 'StartupClass'
 STORE = 'Store'
 SUB_DEPLOYMENT = 'SubDeployment'
@@ -300,6 +302,7 @@
 USER = 'User'
 USER_ATTRIBUTES = 'UserAttribute'
 USE_SAMPLE_DATABASE = 'UseSampleDatabase'
+USE_SSL = "useSSL"
 VIRTUAL_HOST = 'VirtualHost'
 VIRTUAL_TARGET = 'VirtualTarget'
 VIRTUAL_USER_AUTHENTICATOR = 'VirtualUserAuthenticator'

core/src/main/python/wlsdeploy/tool/create/domain_creator.py

@@ -65,6 +65,7 @@
 from wlsdeploy.aliases.model_constants import SET_OPTION_DOMAIN_NAME
 from wlsdeploy.aliases.model_constants import SET_OPTION_JAVA_HOME
 from wlsdeploy.aliases.model_constants import SET_OPTION_SERVER_START_MODE
+from wlsdeploy.aliases.model_constants import SSL_ADMIN_USER
 from wlsdeploy.aliases.model_constants import UNIX_MACHINE
 from wlsdeploy.aliases.model_constants import URL
 from wlsdeploy.aliases.model_constants import USER
@@ -78,6 +79,7 @@
 from wlsdeploy.exception import exception_helper
 from wlsdeploy.exception.expection_types import ExceptionType
 from wlsdeploy.tool.create import atp_helper
+from wlsdeploy.tool.create import ssl_helper
 from wlsdeploy.tool.create import rcudbinfo_helper
 from wlsdeploy.tool.create.creator import Creator
 from wlsdeploy.tool.create.security_provider_creator import SecurityProviderCreator
@@ -306,6 +308,13 @@ def __run_rcu(self):
             runner = RCURunner.createAtpRunner(domain_type, oracle_home, java_home, rcu_prefix, rcu_schemas,
                                                rcu_db_info.get_rcu_variables(), rcu_runner_map)
 
+        elif rcu_db_info.is_use_ssl():
+            rcu_db = rcu_db_info.get_preferred_db()
+            rcu_properties_map = self.model.get_model_domain_info()[RCU_DB_INFO]
+            rcu_runner_map =dict(rcu_properties_map)
+            rcu_runner_map[SSL_ADMIN_USER] = rcu_db_info.get_ssl_tns_admin()
+            runner = RCURunner.createSslRunner(domain_type, oracle_home, java_home, rcu_db, rcu_prefix, rcu_schemas,
+                                               rcu_db_info.get_rcu_variables(), rcu_runner_map)
         else:
             # Non-ATP database, use DB config from the command line or RCUDbInfo in the model.
             rcu_db = rcu_db_info.get_preferred_db()
@@ -958,7 +967,7 @@ def __set_atp_connection_property(self, root_location, property_name, property_v
 
         root_location.remove_name_token(property_name)
 
-    def __retrieve_atp_rcudbinfo(self, rcu_db_info, checkAdminPwd=False):
+    def __retrieve_atp_rcudbinfo(self, rcu_db_info, check_admin_pwd=False):
         """
         Check and return atp connection info and make sure atp rcudb info is complete
         :raises: CreateException: if an error occurs
@@ -998,7 +1007,7 @@ def __retrieve_atp_rcudbinfo(self, rcu_db_info, checkAdminPwd=False):
                                                           "'javax.net.ssl.trustStorePassword']")
             raise ex
 
-        if checkAdminPwd:
+        if check_admin_pwd:
             admin_pwd = rcu_db_info.get_admin_password()
             if admin_pwd is None:
                 ex = exception_helper.create_create_exception('WLSDPLY-12413','rcu_admin_password',
@@ -1008,6 +1017,44 @@ def __retrieve_atp_rcudbinfo(self, rcu_db_info, checkAdminPwd=False):
 
         return tns_admin, rcu_database, keystore_pwd, truststore_pwd
 
+    def __retrieve_ssl_rcudbinfo(self, rcu_db_info, check_admin_pwd=False):
+        """
+        Check and return ssl connection info and make sure ssl rcudb info is complete
+        :raises: CreateException: if an error occurs
+        """
+        _method_name = '__retrieve_ssl_rcudbinfo'
+
+        tns_admin = rcu_db_info.get_ssl_tns_admin()
+        truststore = rcu_db_info.get_truststore()
+        if tns_admin is None or not os.path.exists(tns_admin + os.sep + "tnsnames.ora") \
+         or not os.path.exists(tns_admin + os.sep + truststore):
+            ex = exception_helper.create_create_exception('WLSDPLY-12562')
+            self.logger.throwing(ex, class_name=self.__class_name, method_name=_method_name)
+            raise ex
+
+        if rcu_db_info.get_ssl_entry() is None:
+            ex = exception_helper.create_create_exception('WLSDPLY-12413','tns.alias',
+                                                          "['tns.alias','javax.net.ssl.keyStorePassword',"
+                                                          "'javax.net.ssl.trustStorePassword']")
+            self.logger.throwing(ex, class_name=self.__class_name, method_name=_method_name)
+            raise ex
+
+        rcu_database, error = ssl_helper.get_ssl_connect_string(tns_admin + os.sep + 'tnsnames.ora',
+                                                         rcu_db_info.get_ssl_entry())
+        truststore = rcu_db_info.get_truststore()
+        truststore_type = rcu_db_info.get_truststore_type()
+        truststore_pwd = rcu_db_info.get_truststore_password()
+
+        if check_admin_pwd:
+            admin_pwd = rcu_db_info.get_admin_password()
+            if admin_pwd is None:
+                ex = exception_helper.create_create_exception('WLSDPLY-12413','rcu_admin_password',
+                                                              "['rcu_prefix','rcu_schema_password',"
+                                                              "'rcu_admin_password']")
+                raise ex
+
+        return tns_admin, rcu_database, truststore_pwd, truststore_type, truststore
+
     def __configure_fmw_infra_database(self):
         """
         Configure the FMW Infrastructure DataSources.
@@ -1042,14 +1089,19 @@ def __configure_fmw_infra_database(self):
         # load atp connection properties from properties file
         # HANDLE ATP case
 
-        if rcu_db_info.has_atpdbinfo():
-            has_atp = 1
+        if rcu_db_info.has_atpdbinfo() or rcu_db_info.is_use_ssl():
+            has_atp = rcu_db_info.has_atpdbinfo()
             # parse the tnsnames.ora file and retrieve the connection string
             # tns_admin is the wallet path either the path to $DOMAIN_HOME/atpwallet or
             # specified in RCUDbinfo.oracle.net.tns_admin
 
-            tns_admin, rcu_database, keystore_pwd, truststore_pwd = self.__retrieve_atp_rcudbinfo(rcu_db_info)
-
+            keystore_pwd = None
+            truststore_type = None
+            truststore = None
+            if has_atp:
+                tns_admin, rcu_database, keystore_pwd, truststore_pwd = self.__retrieve_atp_rcudbinfo(rcu_db_info)
+            else:
+                tns_admin, rcu_database, truststore_pwd, truststore_type, truststore = self.__retrieve_ssl_rcudbinfo(rcu_db_info)
             # Need to set for the connection property for each datasource
 
             fmw_database = self.wls_helper.get_jdbc_url_from_rcu_connect_string(rcu_database)
@@ -1094,23 +1146,30 @@ def __configure_fmw_infra_database(self):
 
                 location.remove_name_token(DRIVER_PARAMS_USER_PROPERTY)
 
-                self.__set_atp_connection_property(location, DRIVER_PARAMS_kEYSTORE_PROPERTY, tns_admin + os.sep
-                                                   + 'keystore.jks')
-                self.__set_atp_connection_property(location, DRIVER_PARAMS_KEYSTORETYPE_PROPERTY,
-                                                   'JKS')
-                self.__set_atp_connection_property(location, DRIVER_PARAMS_KEYSTOREPWD_PROPERTY, keystore_pwd)
-                self.__set_atp_connection_property(location, DRIVER_PARAMS_TRUSTSTORE_PROPERTY, tns_admin + os.sep
-                                                   + 'truststore.jks')
-                self.__set_atp_connection_property(location, DRIVER_PARAMS_TRUSTSTORETYPE_PROPERTY,
-                                                   'JKS')
-                self.__set_atp_connection_property(location, DRIVER_PARAMS_TRUSTSTOREPWD_PROPERTY, truststore_pwd)
-
-                self.__set_atp_connection_property(location, DRIVER_PARAMS_NET_SSL_VERSION, '1.2')
-                self.__set_atp_connection_property(location, DRIVER_PARAMS_NET_SERVER_DN_MATCH_PROPERTY, 'true')
-                self.__set_atp_connection_property(location, DRIVER_PARAMS_NET_TNS_ADMIN, tns_admin)
-                self.__set_atp_connection_property(location, DRIVER_PARAMS_NET_FAN_ENABLED, 'false')
-
-        if not has_atp:
+                if has_atp:
+                    self.__set_atp_connection_property(location, DRIVER_PARAMS_kEYSTORE_PROPERTY, tns_admin + os.sep
+                                                       + 'keystore.jks')
+                    self.__set_atp_connection_property(location, DRIVER_PARAMS_KEYSTORETYPE_PROPERTY,
+                                                       'JKS')
+                    self.__set_atp_connection_property(location, DRIVER_PARAMS_KEYSTOREPWD_PROPERTY, keystore_pwd)
+                    self.__set_atp_connection_property(location, DRIVER_PARAMS_TRUSTSTORE_PROPERTY, tns_admin + os.sep
+                                                       + 'truststore.jks')
+                    self.__set_atp_connection_property(location, DRIVER_PARAMS_TRUSTSTORETYPE_PROPERTY,
+                                                       'JKS')
+                    self.__set_atp_connection_property(location, DRIVER_PARAMS_TRUSTSTOREPWD_PROPERTY, truststore_pwd)
+
+                    self.__set_atp_connection_property(location, DRIVER_PARAMS_NET_SSL_VERSION, '1.2')
+                    self.__set_atp_connection_property(location, DRIVER_PARAMS_NET_SERVER_DN_MATCH_PROPERTY, 'true')
+                    self.__set_atp_connection_property(location, DRIVER_PARAMS_NET_TNS_ADMIN, tns_admin)
+                    self.__set_atp_connection_property(location, DRIVER_PARAMS_NET_FAN_ENABLED, 'false')
+                else:
+                    self.__set_atp_connection_property(location, DRIVER_PARAMS_TRUSTSTORE_PROPERTY, tns_admin + os.sep
+                                                       + truststore)
+                    self.__set_atp_connection_property(location, DRIVER_PARAMS_TRUSTSTORETYPE_PROPERTY,
+                                                         truststore_type)
+                    if truststore_pwd is not None and truststore_pwd != 'None':
+                        self.__set_atp_connection_property(location, DRIVER_PARAMS_TRUSTSTOREPWD_PROPERTY, truststore_pwd)
+        else:
             rcu_database = rcu_db_info.get_preferred_db()
             if rcu_database is None:
                 ex = exception_helper.create_create_exception('WLSDPLY-12564')