This is the function that modifies the keystores.
The last ruby_block replaces the original keystores only if they differ in size.
This is the simplest way I've found so far.
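# Rebuilds the WSO2 Carbon keystores for +resource+ from the key material it carries.
#
# Every mutation is applied to temporary copies (prefixed +cheftmp_+) inside the
# Carbon security folder, so a failed openssl/keytool step never leaves the live
# keystores half-written. The last ruby_block promotes a copy only when its
# content differs from the live file (the live file is kept as +*.jks.old+) and
# then removes every temporary file, including the private key written to disk.
#
# @param resource [Chef::Resource] provides +owner+, +group+, +java_home+,
#   +private_key+ and +public_cert+ (PEM strings, may be nil) and +cacerts+
#   (array of hashes with 'alias' and 'cert' keys, may be nil)
# @return [void] declares Chef resources; the return value is not meaningful
def update_keystores(resource)
  # Aliases are spliced into a generated shell script, so they are escaped;
  # loaded here because this helper has no module-level require block.
  require 'shellwords'

  carbon_home = wso2_home(resource)
  keystore_folder = "#{carbon_home}/repository/resources/security"
  keytool = "#{resource.java_home}/bin/keytool"

  # WSO2 ships its keystores protected by this default password. It ends up
  # on the command line of every keytool/openssl process below (visible in
  # the process list); source it from a resource attribute once one exists.
  store_pass = "wso2carbon"

  # cacerts may legitimately be nil (the not_if guards below allow it), so the
  # compile-time loop that builds the import script must not dereference it.
  cacerts = resource.cacerts || []

  # Writes +contents+ to +path+ readable only by the keystore owner. The chmod
  # covers a leftover cheftmp_ file, which File.open would reuse with its
  # existing mode instead of 0600.
  write_secret_file = lambda do |path, contents|
    ::File.open(path, ::File::CREAT | ::File::TRUNC | ::File::RDWR, 0600) do |file|
      file.write(contents)
    end
    ::FileUtils.chmod 0600, path
    ::FileUtils.chown resource.owner, resource.group, path
  end

  # Working copies of both keystores; all mutations below target these.
  bash "keystore_working_copy" do
    cwd keystore_folder
    user resource.owner
    group resource.group
    code <<-EOH
      cp wso2carbon.jks cheftmp_wso2carbon.jks
      cp client-truststore.jks cheftmp_client-truststore.jks
    EOH
  end

  # Server private key and public certificate as files for openssl/keytool.
  ruby_block "create_key_files" do
    block do
      write_secret_file.call("#{keystore_folder}/cheftmp_server.key", resource.private_key)
      write_secret_file.call("#{keystore_folder}/cheftmp_server.pem", resource.public_cert)
    end
    not_if { resource.private_key.nil? }
  end

  # One PEM file per CA certificate, named after its alias.
  ruby_block "create_ca_files" do
    block do
      cacerts.each do |ca|
        write_secret_file.call("#{keystore_folder}/cheftmp_#{ca['alias']}.pem", ca['cert'])
      end
    end
    not_if { resource.cacerts.nil? }
  end

  # Delete-then-import per CA so a re-run replaces a stale certificate instead
  # of failing on a duplicate alias. The generated script has no `set -e`, so
  # a -delete of an alias that does not exist yet does not abort the import.
  ca_replace_cmds = String.new
  cacerts.each do |ca|
    alias_arg = Shellwords.escape(ca['alias'])
    cert_file = "cheftmp_#{alias_arg}.pem"
    %w[cheftmp_wso2carbon.jks cheftmp_client-truststore.jks].each do |store|
      ca_replace_cmds << "#{keytool} -delete -v -alias #{alias_arg} -keystore #{store} -storepass #{store_pass}\n"
      ca_replace_cmds << "#{keytool} -importcert -v -alias #{alias_arg} -trustcacerts -file #{cert_file} -keystore #{store} -storepass #{store_pass} -noprompt\n"
    end
  end

  # Replace the default server key pair: bundle key + cert into PKCS12, import
  # it (openssl names the single entry "1"), rename it to the alias Carbon
  # expects, and refresh the matching public certificate in the truststore.
  bash "add_server_keys" do
    cwd keystore_folder
    user resource.owner
    group resource.group
    code <<-EOH
      openssl pkcs12 -export -in cheftmp_server.pem -inkey cheftmp_server.key -out cheftmp_server.pkcs12 -password pass:#{store_pass}
      #{keytool} -delete -v -alias wso2carbon -keystore cheftmp_wso2carbon.jks -storepass #{store_pass}
      #{keytool} -delete -v -alias localhost -keystore cheftmp_wso2carbon.jks -storepass #{store_pass}
      #{keytool} -importkeystore -deststorepass #{store_pass} -destkeypass #{store_pass} -destkeystore cheftmp_wso2carbon.jks -srckeystore cheftmp_server.pkcs12 -srcstoretype PKCS12 -srcstorepass #{store_pass} -alias 1
      #{keytool} -changealias -keystore cheftmp_wso2carbon.jks -alias 1 -destalias wso2carbon -storepass #{store_pass}
      #{keytool} -delete -v -alias localhost -keystore cheftmp_client-truststore.jks -storepass #{store_pass}
      #{keytool} -delete -v -alias wso2carbon -keystore cheftmp_client-truststore.jks -storepass #{store_pass}
      #{keytool} -importcert -alias wso2carbon -trustcacerts -file cheftmp_server.pem -keystore cheftmp_client-truststore.jks -storepass #{store_pass} -noprompt
    EOH
    not_if { resource.private_key.nil? }
  end

  # Import the CA certificates into both working copies.
  bash "add_ca_certs" do
    cwd keystore_folder
    user resource.owner
    group resource.group
    code <<-EOH
      #{ca_replace_cmds}
    EOH
    not_if { resource.cacerts.nil? }
  end

  # Promote each working copy whose content differs from the live keystore (a
  # size comparison misses same-size edits such as a renewed certificate),
  # keep the previous file as .old, then drop every temporary file so the PEM
  # private key and the PKCS12 bundle do not linger on disk.
  ruby_block "replace_and_clean" do
    block do
      %w[wso2carbon.jks client-truststore.jks].each do |name|
        live = "#{keystore_folder}/#{name}"
        candidate = "#{keystore_folder}/cheftmp_#{name}"
        next if ::FileUtils.compare_file(live, candidate)
        ::FileUtils.mv live, "#{live}.old"
        ::FileUtils.mv candidate, live
      end
      ::FileUtils.rm(Dir.glob("#{keystore_folder}/cheftmp_*"), :force => true)
    end
  end
end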