update to use store file

.gitignore

@@ -14,6 +14,7 @@ cws-service/src/main/resources/camunda/bpmn/*.bpmn
 
 .keystore
 cws_truststore.jks
+.storepass
 cws.crt
 
 cookies.txt

README.md

@@ -34,16 +34,19 @@ See the [wiki](https://github.com/NASA-AMMOS/common-workflow-service/wiki) for m
 - **Logstash 8.8.0+**: Download Logstash for your platform. Uncompress it (only if it is a .tar.gz) and then ZIP back it up with the filename 'logstash-8.8.0.zip' and place in `install/logging/`. This is a temporary workaround while we clean up our installation process. You can find the zip download [here](https://www.elastic.co/downloads/logstash).
 - **Elasticsearch 8.8.0+**: CWS requires an externally-configured elasticsearch cluster to be set up. You can use an SSL Secure Elasticsearch with or without authentication, or an Insecure HTTP Elasticsearch.
   - The "Elasticsearch Setup" instruction below provides a contained Dockerized way of running Elasticsearch. This serves as an alternative to installing Elasticsearch.
-- Tomcat **keystore and truststore files** (needed for CWS web console to work properly):
+- Tomcat **keystore, truststore, storepass files** (needed for CWS web console to work properly):
     - You will need to add your own Tomcat keystore file to this path: `install/.keystore`
     - You will need to add your own truststore file to this path: `install/tomcat_lib/cws_truststore.jks`
+    - You will need to add your own .storepass file, which carries the keystore password, to this path: `install/tomcat_lib/.storepass`
+      - The **.storepass** file must have the read/write permission set to Owner-Only, *'600'* or *'-rw-------'* at maximum
+        - `chmod 600 .storepass`
     - See: https://tomcat.apache.org/tomcat-9.0-doc/ssl-howto.html
-  - **Java 11 JDK**: CWS only runs on JDK 11 now, but planning for JDK 17 soon.
-    - For Homebrew users:
-      - Install OpenJDK 11 using: `brew install openjdk@11`
-      - Check the exact version installed using `/usr/libexec/java_home -V`
-      - Add to your Shell startup (e.g. .zprofile): `export JAVA_HOME=$(/usr/libexec/java_home -v X.X.X)`
-        - Replace the X.X.X version above with the OpenJDK 11 output from the `/usr/libexec/java_home -V` command.
+    - **Java 11 JDK**: CWS only runs on JDK 11 now, but planning for JDK 17 soon.
+      - For Homebrew users:
+        - Install OpenJDK 11 using: `brew install openjdk@11`
+        - Check the exact version installed using `/usr/libexec/java_home -V`
+        - Add to your Shell startup (e.g. .zprofile): `export JAVA_HOME=$(/usr/libexec/java_home -v X.X.X)`
+          - Replace the X.X.X version above with the OpenJDK 11 output from the `/usr/libexec/java_home -V` command.
 
 
 ### **Development Environment Configuration**

create_server_dist.sh

@@ -96,6 +96,7 @@ TOMCAT_CONF_DIR=${CWS_TOMCAT_ROOT}/conf
 print 'Installing key and trust store to Tomcat...'
 cp ${INSTALL_DIR}/.keystore ${CWS_TOMCAT_ROOT}/conf/.keystore
 cp ${INSTALL_DIR}/tomcat_lib/cws_truststore.jks ${TOMCAT_LIB_DIR}
+cp ${INSTALL_DIR}/tomcat_lib/.storepass ${TOMCAT_LIB_DIR}
 
 # ___________________________________________________________________
 # MAKE TOMCAT ROOT POINT TO cws-ui AND REMOVE DEFAULT TOMCAT ROOT APP

cws-installer/src/main/java/jpl/cws/task/CwsInstaller.java

@@ -267,7 +267,7 @@ public static void main(String args[]) {
 			setupNotificationEmails();
 			setupTokenExpirationHours();
 			setupPorts();
-			setupKeystorePassword();
+			getKeystorePassword();
 			setupTaskAssigmentEmails();
 			setupSMTP();
 			setupElasticsearch();
@@ -1063,21 +1063,33 @@ private static void setupLimitToRemoveAbandonedWorkersByDays() {
 	}
 
 
-	private static void setupKeystorePassword() {
-		cws_keystore_storepass = getPreset("default_cws_keytool_keystore_storepass");
-
-		if (cws_installer_mode.equals("interactive")) {
-			if (cws_keystore_storepass == null) {
-				cws_keystore_storepass = readRequiredLine("Enter the Keystore password of .keystore. ",
-					"Must specify a Keystore password!");
-			} else {
-				cws_keystore_storepass = readLine("Enter the Keystore password of .keystore. " +
-					"Default is " + cws_keystore_storepass + ": ", cws_keystore_storepass);
+	private static void getKeystorePassword() {
+		Path filePath;
+		filePath = Paths.get(cws_tomcat_lib + SEP + ".storepass");
+		String storepassFilePath = filePath.toString();
+		File storepassReadFile = new File(storepassFilePath);
+
+		boolean fileExists = storepassReadFile.exists();
+		if (fileExists == true) {
+			if (!storepassReadFile.canRead()) {
+				print("ERROR: .storepass in path '" + cws_tomcat_lib + SEP + "' is NOT readable by system user.");
+				print("     ");
+				print("WARNING:  Read and fulfill the Keystore/Truststore prerequisites before continuing installation: ");
+				print("          https://github.com/NASA-AMMOS/common-workflow-service?tab=readme-ov-file#prerequisites");
+				exit(1);
 			}
 		} else {
-			if (cws_keystore_storepass == null) {
-				bailOutMissingOption("default_cws_keytool_keystore_storepass");
-			}
+			print("ERROR: .storepass does NOT exist in path '" + cws_tomcat_lib + SEP + "' ");
+			print("     ");
+			print("WARNING:  Make sure to place .storepass in the correct path and satisfy the following Keystore/Truststore prerequisites: ");
+			print("          https://github.com/NASA-AMMOS/common-workflow-service?tab=readme-ov-file#prerequisites");
+			exit(1);
+		}
+
+		try {
+			cws_keystore_storepass = Files.readString(Paths.get(storepassFilePath)).trim();
+		} catch (IOException e) {
+			e.printStackTrace();
 		}
 	}
 

install/installerPresets.properties

@@ -10,7 +10,6 @@ default_amq_port=31616
 default_amq_jmx_port=37099
 default_cws_jmx_port=31099
 default_cws_auth_scheme=LDAP
-default_cws_keytool_keystore_storepass=changeit
 default_startup_autoregister_process_defs=false
 default_cws_token_expiration_hours=24
 default_smtp_hostname=smtp.localhost