diff --git a/.github/workflows/camunda.yml b/.github/workflows/camunda.yml
index b86a8dd7..8e33a46d 100644
--- a/.github/workflows/camunda.yml
+++ b/.github/workflows/camunda.yml
@@ -46,6 +46,12 @@ jobs:
 chmod +x generate-certs.sh
 ./generate-certs.sh
+ - name: Set up Keystore storepass
+ run: |
+ mkdir ~/.cws/
+ echo ${{ secrets.KEYSTORE_PASSWORD }} > ~/.cws/creds
+ chmod 700 ~/.cws/creds
+
 - name: Download Logstash
 uses: carlosperate/download-file-action@v1
 with:
diff --git a/.github/workflows/ldap.yml b/.github/workflows/ldap.yml
index 75e7e5ae..697e3f32 100644
--- a/.github/workflows/ldap.yml
+++ b/.github/workflows/ldap.yml
@@ -46,6 +46,12 @@ jobs:
 chmod +x generate-certs.sh
 ./generate-certs.sh
+ - name: Set up Keystore storepass
+ run: |
+ mkdir ~/.cws/
+ echo ${{ secrets.KEYSTORE_PASSWORD }} > ~/.cws/creds
+ chmod 700 ~/.cws/creds
+
 - name: Download Logstash
 uses: carlosperate/download-file-action@v1
 with:
diff --git a/.gitignore b/.gitignore
index 162dfba1..e866a95a 100644
--- a/.gitignore
+++ b/.gitignore
@@ -14,7 +14,6 @@ cws-service/src/main/resources/camunda/bpmn/*.bpmn
 .keystore
 cws_truststore.jks
-.storepass
 cws.crt
 cookies.txt
@@ -35,4 +34,4 @@ install/logging/logstash-*.zip
 /jacoco-reports
 /test-screenshots
-*.cnf
\ No newline at end of file
+*.cnf
diff --git a/README.md b/README.md
index 9bfe6735..ce3b085d 100644
--- a/README.md
+++ b/README.md
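Review bot: In the new "Set up Keystore storepass" step, `mkdir ~/.cws/` has no `-p`, so the step fails if the directory already exists (a reused or self-hosted runner), and the directory itself is never restricted even though the README in this same commit requires owner-only permissions on `~/.cws/` as well as on `creds`. Interpolating `${{ secrets.KEYSTORE_PASSWORD }}` straight into the `run:` script also splices the secret into the shell source, so a password containing whitespace, quotes or `$` is word-split or misparsed by the shell; exporting it through `env:` and writing it with `printf '%s'` avoids that and also drops the trailing newline that `echo` adds. The same step appears in the ldap.yml hunk of this commit. For a plain file, 600 is sufficient and still within the README's "700 at maximum".
```yaml
      - name: Set up Keystore storepass
        env:
          KEYSTORE_PASSWORD: ${{ secrets.KEYSTORE_PASSWORD }}
        run: |
          mkdir -p ~/.cws && chmod 700 ~/.cws
          printf '%s' "$KEYSTORE_PASSWORD" > ~/.cws/creds
          chmod 600 ~/.cws/creds
```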
@@ -37,9 +37,9 @@ See the [wiki](https://github.com/NASA-AMMOS/common-workflow-service/wiki) for m
 - Tomcat **keystore, truststore, storepass files** (needed for CWS web console to work properly):
 - You will need to add your own Tomcat keystore file to this path: `install/.keystore`
 - You will need to add your own truststore file to this path: `install/tomcat_lib/cws_truststore.jks`
- - You will need to add your own .storepass file, which carries the keystore password, to this path: `install/tomcat_lib/.storepass`
- - The **.storepass** file must have the read/write permission set to Owner-Only, *'600'* or *'-rw-------'* at maximum
- - `chmod 600 .storepass`
+ - You will need to add your own creds file, which carries the keystore password, to this path: `~/.cws/creds`
+ - The **~/.cws/** directory and **creds** file must have the read/write/execute permission set to Owner-Only, *'700'* or *'-rwx------'* at maximum
+ - `chmod 700 creds`
 - See: https://tomcat.apache.org/tomcat-9.0-doc/ssl-howto.html
 - **Java 11 JDK**: CWS only runs on JDK 11 now, but planning for JDK 17 soon.
 - For Homebrew users:
diff --git a/create_server_dist.sh b/create_server_dist.sh
index 8103b720..7d03d6c2 100755
--- a/create_server_dist.sh
+++ b/create_server_dist.sh
@@ -96,7 +96,6 @@ TOMCAT_CONF_DIR=${CWS_TOMCAT_ROOT}/conf
 print 'Installing key and trust store to Tomcat...'
 cp ${INSTALL_DIR}/.keystore ${CWS_TOMCAT_ROOT}/conf/.keystore
 cp ${INSTALL_DIR}/tomcat_lib/cws_truststore.jks ${TOMCAT_LIB_DIR}
-cp ${INSTALL_DIR}/tomcat_lib/.storepass ${TOMCAT_LIB_DIR}
 # ___________________________________________________________________
 # MAKE TOMCAT ROOT POINT TO cws-ui AND REMOVE DEFAULT TOMCAT ROOT APP
diff --git a/cws-installer/src/main/java/jpl/cws/task/CwsInstaller.java b/cws-installer/src/main/java/jpl/cws/task/CwsInstaller.java
index c6a27bf7..56831601 100644
--- a/cws-installer/src/main/java/jpl/cws/task/CwsInstaller.java
+++ b/cws-installer/src/main/java/jpl/cws/task/CwsInstaller.java
@@ -1064,32 +1064,37 @@ private static void setupLimitToRemoveAbandonedWorkersByDays() {
 private static void getKeystorePassword() {
- Path filePath;
- filePath = Paths.get(cws_tomcat_lib + SEP + ".storepass");
- String storepassFilePath = filePath.toString();
- File storepassReadFile = new File(storepassFilePath);
-
- boolean fileExists = storepassReadFile.exists();
- if (fileExists == true) {
- if (!storepassReadFile.canRead()) {
- print("ERROR: .storepass in path '" + cws_tomcat_lib + SEP + "' is NOT readable by system user.");
- print(" ");
- print("WARNING: Read and fulfill the Keystore/Truststore prerequisites before continuing installation: ");
- print(" https://github.com/NASA-AMMOS/common-workflow-service?tab=readme-ov-file#prerequisites");
- exit(1);
- }
- } else {
- print("ERROR: .storepass does NOT exist in path '" + cws_tomcat_lib + SEP + "' ");
- print(" ");
- print("WARNING: Make sure to place .storepass in the correct path and satisfy the following Keystore/Truststore prerequisites: ");
- print(" https://github.com/NASA-AMMOS/common-workflow-service?tab=readme-ov-file#prerequisites");
- exit(1);
- }
-
- try {
- cws_keystore_storepass = Files.readString(Paths.get(storepassFilePath)).trim();
- } catch (IOException e) {
- e.printStackTrace();
+ cws_keystore_storepass = getPreset("default_cws_keystore_storepass");
+
+ if (cws_keystore_storepass == null) {
+ Path filePath;
+ filePath = Paths.get("~/.cws/creds");
+ String storepassFilePath = filePath.toString();
+ storepassFilePath = storepassFilePath.replaceFirst("^~", System.getProperty("user.home"));
+ File storepassReadFile = new File(storepassFilePath);
+ boolean fileExists = storepassReadFile.exists();
+
+ if (fileExists == true) {
+ if (!storepassReadFile.canRead()) {
+ print("ERROR: creds in path '" + "~/.cws/creds" + "' is NOT readable by system user.");
+ print(" ");
+ print("WARNING: Read and fulfill the Keystore/Truststore prerequisites before continuing installation: ");
+ print(" https://github.com/NASA-AMMOS/common-workflow-service?tab=readme-ov-file#prerequisites");
+ exit(1);
+ }
+ } else {
+ print("ERROR: creds does NOT exist in path '" + "~/.cws/creds" + "' ");
+ print(" ");
+ print("WARNING: Make sure to place creds in the correct path and satisfy the following Keystore/Truststore prerequisites: ");
+ print(" https://github.com/NASA-AMMOS/common-workflow-service?tab=readme-ov-file#prerequisites");
+ exit(1);
+ }
+
+ try {
+ cws_keystore_storepass = Files.readString(Paths.get(storepassFilePath)).trim();
+ } catch (IOException e) {
+ e.printStackTrace();
+ }
 }
 }
@@ -3345,4 +3350,4 @@ private static void setPreset(String key, String value) {
 }
 }
-}
\ No newline at end of file
+}
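Review bot: The `catch (IOException e)` at the end of the new block still only calls `e.printStackTrace()`, so a read failure leaves `cws_keystore_storepass` null and the installer carries on with no keystore password, while the missing-file and unreadable-file branches just above it call `exit(1)`; the catch should fail the same way, e.g. `print("ERROR: could not read creds file '" + storepassFilePath + "': " + e.getMessage());` followed by `exit(1);`. The tilde handling is also fragile: `replaceFirst("^~", System.getProperty("user.home"))` treats the home directory as a regex replacement string, so a value containing `$` or `\` is mangled, and the `Paths.get("~/.cws/creds")` round trip adds nothing — building the path as `Paths.get(System.getProperty("user.home"), ".cws", "creds")` removes both issues and gives the error messages a concrete path to print instead of the literal `~/.cws/creds`. Since this file holds a secret and the README now requires owner-only permissions on it, it may also be worth verifying the file's mode before reading (for example via `Files.getPosixFilePermissions`); the existing `canRead()` check only confirms the installer can read it, not that other users cannot.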