blob: cd59de0955d96a051031f4eaea993c32dd81a5d1 [file] [log] [blame]
<!--
Copyright (c) 2017, 2018 Oracle and/or its affiliates. All rights reserved.
This program and the accompanying materials are made available under the
terms of the Eclipse Public License v. 2.0, which is available at
http://www.eclipse.org/legal/epl-2.0.
This Source Code may also be made available under the following Secondary
Licenses when the conditions for such availability set forth in the
Eclipse Public License v. 2.0 are satisfied: GNU General Public License,
version 2 with the GNU Classpath Exception, which is available at
https://www.gnu.org/software/classpath/license.html.
SPDX-License-Identifier: EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0
-->
<!-- common security tasks -->
<property name="webtest.classname" value="org.apache.tomcat.task.GTest"/>
<property name="webtest.classpath" value="${env.APS_HOME}/lib/testdriversecurity.jar:${env.APS_HOME}/lib/commons-logging.jar"/>
<property name="webtest.report.dir" value="${env.APS_HOME}/"/>
<!-- this is for referencing generate key/trust stores in client -->
<property name="mykeystore.db.file" value="${env.APS_HOME}/build/__keystore.jks"/>
<property name="mytruststore.db.file" value="${env.APS_HOME}/build/__cacerts.jks"/>
<property name="appserver.config.name" value="server-config"/>
<condition property="wsimport.VMARGS" value="${env.WSIMPORT_OPTS}" else="">
<isset property="env.WSIMPORT_OPTS" />
</condition>
<target name="init-security-util" depends="gethostname">
<!-- <ant dir="${env.APS_HOME}/devtests/security/util" target="all"/>
<taskdef name="s1asCN" classname="devtests.security.util.S1ASCN" classpath="${env.APS_HOME}/devtests/security/util/build:${env.S1AS_HOME}/lib/appserv-rt.jar"/>
<s1asCN/>
<echo message="s1as CN = ${s1asCN}"/> -->
</target>
<target name="gethostname">
<exec executable="hostname" osfamily="unix" failifexecutionfails="false" outputproperty="env.COMPUTERNAME"/>
<property name="s1asCN" value="${env.COMPUTERNAME}" />
<echo message="s1as CN = ${s1asCN}"/>
</target>
<!-- Create auth realm -->
<target name="create-auth-realm" depends="init-common">
<echo message="Creating auth realm ${realmname} ..."/>
<exec executable="${ASADMIN}">
<arg line="create-auth-realm"/>
<arg line="${as.props} --target=${appserver.instance.name}"/>
<arg line="--classname ${realmclass}"/>
<arg line="${realmproperties}"/>
<arg line="${realmname}"/>
</exec>
</target>
<!-- Create file auth realm -->
<target name="create-auth-filerealm">
<!-- workaround for handling the special character : in the admin command -->
<echo message="file=${keyfile.path}" file="temp.txt"/>
<replace file="temp.txt" token="\" value="/"/>
<replace file="temp.txt" token=":" value="\\:"/>
<loadproperties srcFile="temp.txt"/>
<echo message="${file}"/>
<delete file="temp.txt"/>
<antcall target="create-auth-realm">
<param name="realmname" value="${file.realm.name}"/>
<param name="realmclass" value="com.sun.enterprise.security.auth.realm.file.FileRealm"/>
<param name="realmproperties" value="--property file=${file}:jaas-context=fileRealm"/>
</antcall>
</target>
<target name="create-user">
<antcall target="create-user-common">
<param name="user" value="harpreet"/>
<param name="password" value="harpreet"/>
<param name="groups" value="employee"/>
</antcall>
</target>
<target name="delete-user">
<antcall target="delete-user-common">
<param name="user" value="harpreet"/>
</antcall>
</target>
<target name="env-check" depends="init-common">
<!--
Determine if we need to use the certutil or the keytool command to
access the certificate truststore
-->
<property name="nss.db.dir" location="${admin.domain.dir}/${admin.domain}/config"/>
<condition property="isNSS">
<and>
<available file="${nss.db.dir}/cert8.db"/>
<available file="${nss.db.dir}/key3.db"/>
<available file="${nss.db.dir}/secmod.db"/>
</and>
</condition>
</target>
<!-- this target parpare stores with client and server have different keys -->
<target name="prepare-store-common" depends="env-check">
<property name="cert.rfc.file" location="${build.base.dir}/${cert.nickname}.rfc"/>
<property name="keycert.rfc.file" location="${build.base.dir}/ssltest.rfc"/>
<delete quiet="true" file="${mytruststore.db.file}"/>
<delete quiet="true" file="${mykeystore.db.file}"/>
<delete quiet="true" file="${cert.rfc.file}"/>
<delete quiet="true" file="${keycert.rfc.file}"/>
<mkdir dir="${build.base.dir}"/>
<antcall target="prepare-store-certutil-common"/>
<antcall target="prepare-store-keytool-common"/>
</target>
<target name="prepare-store-certutil-common" depends="init-common" if="isNSS">
<exec executable="${env.S1AS_HOME}/lib/certutil" failonerror="true" output="${cert.rfc.file}">
<!--
LD_LIBRARY_PATH is needed on Unix platforms and should have no
effect on Windows
-->
<env key="LD_LIBRARY_PATH" path="${env.S1AS_HOME}/lib"/>
<arg line="-L -n '${cert.nickname}' -a"/>
<arg value="-d"/>
<arg file="${nss.db.dir}"/>
</exec>
<antcall target="import-cert-jks">
<param name="cert.alias" value="${cert.nickname}"/>
<param name="keystore.file" value="${mytruststore.db.file}"/>
<param name="cert.file" value="${cert.rfc.file}"/>
</antcall>
<antcall target="generate-jks-key"/>
<exec executable="${java.home}/bin/keytool" failonerror="true">
<arg line="-export -rfc -alias ssltest -file ${keycert.rfc.file} -keystore ${mykeystore.db.file} -storepass ${ssl.password}"/>
</exec>
<exec executable="${env.S1AS_HOME}/lib/certutil" failonerror="true">
<!--
LD_LIBRARY_PATH is needed on Unix platforms and should have no
effect on Windows
-->
<env key="LD_LIBRARY_PATH" path="${env.S1AS_HOME}/lib"/>
<arg line="-A -n ssltest -i ${keycert.rfc.file} -a"/>
<arg value="-t"/>
<arg value="P,p,p"/>
<arg value="-d"/>
<arg file="${nss.db.dir}"/>
</exec>
</target>
<target name="prepare-store-keytool-common" depends="init-common" unless="isNSS">
<copy file="${admin.domain.dir}/${admin.domain}/config/cacerts.jks" tofile="${mytruststore.db.file}"/>
<antcall target="generate-jks-key"/>
<exec executable="${java.home}/bin/keytool" failonerror="true">
<arg line="-export -rfc -alias ssltest -file ${keycert.rfc.file} -keystore ${mykeystore.db.file} -storepass ${ssl.password}"/>
</exec>
<exec executable="${java.home}/bin/keytool" failonerror="true">
<arg line="-import -trustcacerts -alias ssltest -storepass '${ssl.password}' -noprompt "/>
<arg value="-file"/>
<arg file="${keycert.rfc.file}"/>
<arg value="-keystore"/>
<arg file="${admin.domain.dir}/${admin.domain}/config/cacerts.jks"/>
</exec>
</target>
<target name="generate-jks-key" depends="init-common">
<exec executable="${java.home}/bin/keytool" failonerror="true">
<arg line="-genkey -alias ssltest -dname"/>
<arg value="CN=SSLTest, OU=Sun Java System Application Server, O=Sun Microsystems, L=Santa Clara, ST=California, C=US"/>
<arg value="-validity"/>
<arg value="3650"/>
<arg value="-keypass"/>
<arg value="${ssl.password}"/>
<arg value="-keystore"/>
<arg value="${mykeystore.db.file}"/>
<arg value="-storepass"/>
<arg value="${ssl.password}"/>
</exec>
</target>
<target name="remove-store-common" depends="env-check">
<property name="keycert.rfc.file" location="${build.base.dir}/ssltest.rfc"/>
<delete quiet="true" file="${mykeystore.db.file}"/>
<delete quiet="true" file="${keycert.rfc.file}"/>
<antcall target="remove-store-certutil-common"/>
<antcall target="remove-store-keytool-common"/>
</target>
<target name="remove-store-certutil-common" depends="init-common" if="isNSS">
<exec executable="${env.S1AS_HOME}/lib/certutil" failonerror="true">
<!--
LD_LIBRARY_PATH is needed on Unix platforms and should have no
effect on Windows
-->
<env key="LD_LIBRARY_PATH" path="${env.S1AS_HOME}/lib"/>
<arg line="-D -n ssltest "/>
<arg value="-d"/>
<arg file="${nss.db.dir}"/>
</exec>
</target>
<target name="remove-store-keytool-common" depends="init-common" unless="isNSS">
<exec executable="${java.home}/bin/keytool" failonerror="true">
<arg line="-delete -alias ssltest -storepass '${ssl.password}'"/>
<arg value="-keystore"/>
<arg file="${admin.domain.dir}/${admin.domain}/config/cacerts.jks"/>
</exec>
</target>
<!-- this target parpare stores with client and server have the same key -->
<target name="prepare-store-nickname-common" depends="env-check">
<property name="cert.rfc.file" location="${build.base.dir}/${cert.nickname}.rfc"/>
<property name="keycert.rfc.file" location="${build.base.dir}/ssltest.rfc"/>
<delete quiet="true" file="${mytruststore.db.file}"/>
<delete quiet="true" file="${mykeystore.db.file}"/>
<delete quiet="true" file="${cert.rfc.file}"/>
<delete quiet="true" file="${keycert.rfc.file}"/>
<mkdir dir="${build.base.dir}"/>
<antcall target="prepare-store-nickname-certutil-common"/>
<antcall target="prepare-store-nickname-keytool-common"/>
</target>
<target name="prepare-store-nickname-keytool-common" depends="init-common" unless="isNSS">
<copy file="${admin.domain.dir}/${admin.domain}/config/keystore.jks" tofile="${mykeystore.db.file}"/>
<copy file="${admin.domain.dir}/${admin.domain}/config/cacerts.jks" tofile="${mytruststore.db.file}"/>
</target>
<target name="prepare-store-nickname-certutil-common" depends="init-common" if="isNSS">
<antcall target="export-cert-p12-nss">
<param name="cert.file" value="${build.base.dir}/s1as.p12"/>
<param name="cert.dir" value="${nss.db.dir}"/>
<param name="certdb.pwd" value="${ssl.password}"/>
<param name="cert.pwd" value="${ssl.password}"/>
<param name="cert.nickname" value="${cert.nickname}"/>
</antcall>
<antcall target="convert-pkcs12-to-jks">
<param name="pkcs12.file" value="${build.base.dir}/s1as.p12"/>
<param name="pkcs12.pass" value="${ssl.password}"/>
<param name="jks.file" value="${mykeystore.db.file}"/>
<param name="jks.pass" value="${ssl.password}"/>
</antcall>
<antcall target="get-certdb-to-jks">
<param name="cert.nickname" value="${cert.nickname}"/>
</antcall>
</target>
<target name="export-cert-p12-nss" depends="init-common">
<exec executable="${env.S1AS_HOME}/lib/pk12util">
<env key="LD_LIBRARY_PATH" path="${env.S1AS_HOME}/lib:${os.nss.path}"/>
<arg line="-o ${cert.file}"/>
<arg line="-d ${cert.dir}"/>
<arg line="-n ${cert.nickname}"/>
<arg line="-K ${certdb.pwd}"/>
<arg line="-W ${cert.pwd}"/>
</exec>
</target>
<target name="convert-pkcs12-to-jks" depends="init-common">
<delete file="${jks.file}" failonerror="false"/>
<java classname="com.sun.enterprise.security.KeyTool">
<arg line="-pkcs12"/>
<arg line="-pkcsFile ${pkcs12.file}"/>
<arg line="-pkcsKeyStorePass ${pkcs12.pass}"/>
<arg line="-pkcsKeyPass ${pkcs12.pass}"/>
<arg line="-jksFile ${jks.file}"/>
<arg line="-jksKeyStorePass ${jks.pass}"/>
<classpath>
<pathelement path="${s1as.classpath}"/>
<pathelement path="${env.JAVA_HOME}/jre/lib/jsse.jar"/>
<pathelement path="${env.JAVA_HOME}/bundle/Classes/jsse.jar"/>
</classpath>
</java>
</target>
<!-- Get certificate from NSS db to JKS format -->
<target name="get-certdb-to-jks" depends="init-common">
<exec executable="${env.S1AS_HOME}/lib/certutil" output="${admin.domain.dir}/${admin.domain}/config/certdb.rfc">
<env key="LD_LIBRARY_PATH" path="${env.S1AS_HOME}/lib"/>
<arg line="-L -n ${cert.nickname}"/>
<arg line="-d ${nss.db.dir} -a"/>
</exec>
<antcall target="import-cert-jks">
<param name="cert.alias" value="${cert.nickname}"/>
<param name="keystore.file" value="${mytruststore.db.file}"/>
<param name="cert.file" value="${admin.domain.dir}/${admin.domain}/config/certdb.rfc"/>
</antcall>
</target>
<target name="import-cert-jks">
<exec executable="${java.home}/bin/keytool" failonerror="true">
<arg line="-import -trustcacerts -alias ${cert.alias} -storepass '${ssl.password}' -noprompt "/>
<arg value="-file"/>
<arg file="${cert.file}"/>
<arg value="-keystore"/>
<arg file="${keystore.file}"/>
</exec>
</target>
<!-- for WSS -->
<target name="enable-wss-message-security-provider" depends="init-common">
<exec executable="${ASADMIN}">
<arg line="set"/>
<arg line="${as.props}"/>
<arg line="${appserver.config.name}.security-service.message-security-config.SOAP.default_provider=${wss.server.provider.name}"/>
</exec>
<exec executable="${ASADMIN}">
<arg line="set"/>
<arg line="${as.props}"/>
<arg line="${appserver.config.name}.security-service.message-security-config.SOAP.default_client_provider=${wss.client.provider.name}"/>
</exec>
</target>
<target name="disable-wss-message-security-provider" depends="init-common">
<exec executable="${ASADMIN}">
<arg line="set"/>
<arg line="${as.props}"/>
<arg line="${appserver.config.name}.security-service.message-security-config.SOAP.default_provider="/>
</exec>
<exec executable="${ASADMIN}">
<arg line="set"/>
<arg line="${as.props}"/>
<arg line="${appserver.config.name}.security-service.message-security-config.SOAP.default_client_provider="/>
</exec>
</target>
<target name="set-wss-provider-request-auth-recipient" depends="init-common">
<exec executable="${ASADMIN}">
<arg line="set"/>
<arg line="${as.props}"/>
<arg line="${appserver.config.name}.security-service.message-security-config.SOAP.provider-config.${wss.provider.name}.request-policy.auth_recipient=${request.auth.recipient}"/>
</exec>
</target>
<target name="set-wss-provider-response-auth-recipient" depends="init-common">
<exec executable="${ASADMIN}">
<arg line="set"/>
<arg line="${as.props}"/>
<arg line="${appserver.config.name}.security-service.message-security-config.SOAP.provider-config.${wss.provider.name}.response-policy.auth_recipient=${response.auth.recipient}"/>
</exec>
</target>
<target name="backup-glassfish-acc.xml" depends="init-common">
<copy overwrite="true" failonerror="false" file="${admin.domain.dir}/${admin.domain}/config/glassfish-acc.xml" tofile="${admin.domain.dir}/${admin.domain}/config/glassfish-acc.xml.SAVE"/>
</target>
<target name="enable-wss-appclient-message-security-provider" depends="init-common">
<replace file="${admin.domain.dir}/${admin.domain}/config/glassfish-acc.xml" token="&quot;SOAP&quot;>" value="&quot;SOAP&quot; default-client-provider=&quot;${wss.client.provider.name}&quot;>"/>
</target>
<target name="set-wss-appclient-request-recipient">
<replace file="${admin.domain.dir}/${admin.domain}/config/glassfish-acc.xml" token="request-policy auth-source" value="request-policy auth-recipient=&quot;${request.auth.recipient}&quot; auth-source"/>
</target>
<target name="set-wss-appclient-response-recipient">
<replace file="${admin.domain.dir}/${admin.domain}/config/glassfish-acc.xml" token="response-policy auth-source" value="response-policy auth-recipient=&quot;${response.auth.recipient}&quot; auth-source"/>
</target>
<target name="disable-wss-appclient-message-security-provider" depends="init-common">
<replace file="${admin.domain.dir}/${admin.domain}/config/glassfish-acc.xml" token="&quot;SOAP&quot; default-client-provider=&quot;${wss.client.provider.name}&quot;>" value="&quot;SOAP&quot;>"/>
</target>
<target name="unset-wss-appclient-request-recipient">
<replace file="${admin.domain.dir}/${admin.domain}/config/glassfish-acc.xml" token="request-policy auth-recipient=&quot;${request.auth.recipient}&quot; auth-source" value="request-policy auth-source"/>
</target>
<target name="unset-wss-appclient-response-recipient">
<replace file="${admin.domain.dir}/${admin.domain}/config/glassfish-acc.xml" token="response-policy auth-recipient=&quot;${response.auth.recipient}&quot; auth-source" value="response-policy auth-source"/>
</target>
<target name="setJAXWSToolsForWin" if="isWindows">
<property name="WSGEN" value="${env.S1AS_HOME}/bin/wsgen.bat"/>
<property name="WSIMPORT" value="${env.S1AS_HOME}/bin/wsimport.bat"/>
<property name="ASAPT" value="${env.S1AS_HOME}/bin/asapt.bat"/>
</target>
<target name="setJAXWSToolsForUnix" if="isUnix">
<property name="WSGEN" value="${env.S1AS_HOME}/bin/wsgen"/>
<property name="WSIMPORT" value="${env.S1AS_HOME}/bin/wsimport"/>
<property name="ASAPT" value="${env.S1AS_HOME}/bin/asapt"/>
</target>
<target name="wsgen" depends="init-common,setJAXWSToolsForWin,setJAXWSToolsForUnix">
<exec executable="${WSGEN}" failonerror="true" >
<arg line="${wsgen.args}" />
</exec>
</target>
<target name="wsimport" depends="init-common,setJAXWSToolsForWin,setJAXWSToolsForUnix">
<exec executable="${WSIMPORT}" failonerror="true" >
<env key="WSIMPORT_OPTS" value="${wsimport.VMARGS}"/>
<arg line="${wsimport.args}" />
</exec>
</target>