| <!-- |
| |
| Copyright (c) 2017, 2018 Oracle and/or its affiliates. All rights reserved. |
| |
| This program and the accompanying materials are made available under the |
| terms of the Eclipse Public License v. 2.0, which is available at |
| http://www.eclipse.org/legal/epl-2.0. |
| |
| This Source Code may also be made available under the following Secondary |
| Licenses when the conditions for such availability set forth in the |
| Eclipse Public License v. 2.0 are satisfied: GNU General Public License, |
| version 2 with the GNU Classpath Exception, which is available at |
| https://www.gnu.org/software/classpath/license.html. |
| |
| SPDX-License-Identifier: EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0 |
| |
| --> |
| |
| <!-- common security tasks --> |
| <property name="webtest.classname" value="org.apache.tomcat.task.GTest"/> |
| <property name="webtest.classpath" value="${env.APS_HOME}/lib/testdriversecurity.jar:${env.APS_HOME}/lib/commons-logging.jar"/> |
| <property name="webtest.report.dir" value="${env.APS_HOME}/"/> |
| <!-- this is for referencing generate key/trust stores in client --> |
| <property name="mykeystore.db.file" value="${env.APS_HOME}/build/__keystore.jks"/> |
| <property name="mytruststore.db.file" value="${env.APS_HOME}/build/__cacerts.jks"/> |
| <property name="appserver.config.name" value="server-config"/> |
| |
| <condition property="wsimport.VMARGS" value="${env.WSIMPORT_OPTS}" else=""> |
| <isset property="env.WSIMPORT_OPTS" /> |
| </condition> |
| |
| <target name="init-security-util" depends="gethostname"> |
| <!-- <ant dir="${env.APS_HOME}/devtests/security/util" target="all"/> |
| <taskdef name="s1asCN" classname="devtests.security.util.S1ASCN" classpath="${env.APS_HOME}/devtests/security/util/build:${env.S1AS_HOME}/lib/appserv-rt.jar"/> |
| <s1asCN/> |
| <echo message="s1as CN = ${s1asCN}"/> --> |
| </target> |
| <target name="gethostname"> |
| <exec executable="hostname" osfamily="unix" failifexecutionfails="false" outputproperty="env.COMPUTERNAME"/> |
| <property name="s1asCN" value="${env.COMPUTERNAME}" /> |
| <echo message="s1as CN = ${s1asCN}"/> |
| </target> |
| <!-- Create auth realm --> |
| <target name="create-auth-realm" depends="init-common"> |
| <echo message="Creating auth realm ${realmname} ..."/> |
| <exec executable="${ASADMIN}"> |
| <arg line="create-auth-realm"/> |
| <arg line="${as.props} --target=${appserver.instance.name}"/> |
| <arg line="--classname ${realmclass}"/> |
| <arg line="${realmproperties}"/> |
| <arg line="${realmname}"/> |
| </exec> |
| </target> |
| |
| <!-- Create file auth realm --> |
| <target name="create-auth-filerealm"> |
| <!-- workaround for handling the special character : in the admin command --> |
| <echo message="file=${keyfile.path}" file="temp.txt"/> |
| <replace file="temp.txt" token="\" value="/"/> |
| <replace file="temp.txt" token=":" value="\\:"/> |
| <loadproperties srcFile="temp.txt"/> |
| <echo message="${file}"/> |
| <delete file="temp.txt"/> |
| |
| <antcall target="create-auth-realm"> |
| <param name="realmname" value="${file.realm.name}"/> |
| <param name="realmclass" value="com.sun.enterprise.security.auth.realm.file.FileRealm"/> |
| <param name="realmproperties" value="--property file=${file}:jaas-context=fileRealm"/> |
| </antcall> |
| </target> |
| |
| <target name="create-user"> |
| <antcall target="create-user-common"> |
| <param name="user" value="harpreet"/> |
| <param name="password" value="harpreet"/> |
| <param name="groups" value="employee"/> |
| </antcall> |
| </target> |
| |
| <target name="delete-user"> |
| <antcall target="delete-user-common"> |
| <param name="user" value="harpreet"/> |
| </antcall> |
| </target> |
| |
| <target name="env-check" depends="init-common"> |
| <!-- |
| Determine if we need to use the certutil or the keytool command to |
| access the certificate truststore |
| --> |
| <property name="nss.db.dir" location="${admin.domain.dir}/${admin.domain}/config"/> |
| <condition property="isNSS"> |
| <and> |
| <available file="${nss.db.dir}/cert8.db"/> |
| <available file="${nss.db.dir}/key3.db"/> |
| <available file="${nss.db.dir}/secmod.db"/> |
| </and> |
| </condition> |
| </target> |
| |
| <!-- this target parpare stores with client and server have different keys --> |
| <target name="prepare-store-common" depends="env-check"> |
| <property name="cert.rfc.file" location="${build.base.dir}/${cert.nickname}.rfc"/> |
| <property name="keycert.rfc.file" location="${build.base.dir}/ssltest.rfc"/> |
| <delete quiet="true" file="${mytruststore.db.file}"/> |
| <delete quiet="true" file="${mykeystore.db.file}"/> |
| <delete quiet="true" file="${cert.rfc.file}"/> |
| <delete quiet="true" file="${keycert.rfc.file}"/> |
| |
| <mkdir dir="${build.base.dir}"/> |
| <antcall target="prepare-store-certutil-common"/> |
| <antcall target="prepare-store-keytool-common"/> |
| </target> |
| |
| <target name="prepare-store-certutil-common" depends="init-common" if="isNSS"> |
| <exec executable="${env.S1AS_HOME}/lib/certutil" failonerror="true" output="${cert.rfc.file}"> |
| <!-- |
| LD_LIBRARY_PATH is needed on Unix platforms and should have no |
| effect on Windows |
| --> |
| <env key="LD_LIBRARY_PATH" path="${env.S1AS_HOME}/lib"/> |
| <arg line="-L -n '${cert.nickname}' -a"/> |
| <arg value="-d"/> |
| <arg file="${nss.db.dir}"/> |
| </exec> |
| <antcall target="import-cert-jks"> |
| <param name="cert.alias" value="${cert.nickname}"/> |
| <param name="keystore.file" value="${mytruststore.db.file}"/> |
| <param name="cert.file" value="${cert.rfc.file}"/> |
| </antcall> |
| |
| <antcall target="generate-jks-key"/> |
| <exec executable="${java.home}/bin/keytool" failonerror="true"> |
| <arg line="-export -rfc -alias ssltest -file ${keycert.rfc.file} -keystore ${mykeystore.db.file} -storepass ${ssl.password}"/> |
| </exec> |
| |
| <exec executable="${env.S1AS_HOME}/lib/certutil" failonerror="true"> |
| <!-- |
| LD_LIBRARY_PATH is needed on Unix platforms and should have no |
| effect on Windows |
| --> |
| <env key="LD_LIBRARY_PATH" path="${env.S1AS_HOME}/lib"/> |
| <arg line="-A -n ssltest -i ${keycert.rfc.file} -a"/> |
| <arg value="-t"/> |
| <arg value="P,p,p"/> |
| <arg value="-d"/> |
| <arg file="${nss.db.dir}"/> |
| </exec> |
| </target> |
| |
| <target name="prepare-store-keytool-common" depends="init-common" unless="isNSS"> |
| <copy file="${admin.domain.dir}/${admin.domain}/config/cacerts.jks" tofile="${mytruststore.db.file}"/> |
| <antcall target="generate-jks-key"/> |
| |
| <exec executable="${java.home}/bin/keytool" failonerror="true"> |
| <arg line="-export -rfc -alias ssltest -file ${keycert.rfc.file} -keystore ${mykeystore.db.file} -storepass ${ssl.password}"/> |
| </exec> |
| <exec executable="${java.home}/bin/keytool" failonerror="true"> |
| <arg line="-import -trustcacerts -alias ssltest -storepass '${ssl.password}' -noprompt "/> |
| <arg value="-file"/> |
| <arg file="${keycert.rfc.file}"/> |
| <arg value="-keystore"/> |
| <arg file="${admin.domain.dir}/${admin.domain}/config/cacerts.jks"/> |
| </exec> |
| </target> |
| |
| <target name="generate-jks-key" depends="init-common"> |
| <exec executable="${java.home}/bin/keytool" failonerror="true"> |
| <arg line="-genkey -alias ssltest"/> |
| <arg value="-keyalg" /> |
| <arg value="RSA" /> |
| <arg value="-dname" /> |
| <arg value="CN=SSLTest, OU=Sun Java System Application Server, O=Sun Microsystems, L=Santa Clara, ST=California, C=US"/> |
| <arg value="-validity"/> |
| <arg value="3650"/> |
| <arg value="-keypass"/> |
| <arg value="${ssl.password}"/> |
| <arg value="-keystore"/> |
| <arg value="${mykeystore.db.file}"/> |
| <arg value="-storepass"/> |
| <arg value="${ssl.password}"/> |
| </exec> |
| </target> |
| |
| <target name="remove-store-common" depends="env-check"> |
| <property name="keycert.rfc.file" location="${build.base.dir}/ssltest.rfc"/> |
| |
| <delete quiet="true" file="${mykeystore.db.file}"/> |
| <delete quiet="true" file="${keycert.rfc.file}"/> |
| |
| <antcall target="remove-store-certutil-common"/> |
| <antcall target="remove-store-keytool-common"/> |
| </target> |
| |
| <target name="remove-store-certutil-common" depends="init-common" if="isNSS"> |
| <exec executable="${env.S1AS_HOME}/lib/certutil" failonerror="true"> |
| <!-- |
| LD_LIBRARY_PATH is needed on Unix platforms and should have no |
| effect on Windows |
| --> |
| <env key="LD_LIBRARY_PATH" path="${env.S1AS_HOME}/lib"/> |
| <arg line="-D -n ssltest "/> |
| <arg value="-d"/> |
| <arg file="${nss.db.dir}"/> |
| </exec> |
| </target> |
| |
| <target name="remove-store-keytool-common" depends="init-common" unless="isNSS"> |
| <exec executable="${java.home}/bin/keytool" failonerror="true"> |
| <arg line="-delete -alias ssltest -storepass '${ssl.password}'"/> |
| <arg value="-keystore"/> |
| <arg file="${admin.domain.dir}/${admin.domain}/config/cacerts.jks"/> |
| </exec> |
| </target> |
| |
| <!-- this target parpare stores with client and server have the same key --> |
| <target name="prepare-store-nickname-common" depends="env-check"> |
| <property name="cert.rfc.file" location="${build.base.dir}/${cert.nickname}.rfc"/> |
| <property name="keycert.rfc.file" location="${build.base.dir}/ssltest.rfc"/> |
| <delete quiet="true" file="${mytruststore.db.file}"/> |
| <delete quiet="true" file="${mykeystore.db.file}"/> |
| <delete quiet="true" file="${cert.rfc.file}"/> |
| <delete quiet="true" file="${keycert.rfc.file}"/> |
| |
| <mkdir dir="${build.base.dir}"/> |
| <antcall target="prepare-store-nickname-certutil-common"/> |
| <antcall target="prepare-store-nickname-keytool-common"/> |
| </target> |
| |
| <target name="prepare-store-nickname-keytool-common" depends="init-common" unless="isNSS"> |
| <copy file="${admin.domain.dir}/${admin.domain}/config/keystore.jks" tofile="${mykeystore.db.file}"/> |
| <copy file="${admin.domain.dir}/${admin.domain}/config/cacerts.jks" tofile="${mytruststore.db.file}"/> |
| </target> |
| |
| <target name="prepare-store-nickname-certutil-common" depends="init-common" if="isNSS"> |
| <antcall target="export-cert-p12-nss"> |
| <param name="cert.file" value="${build.base.dir}/s1as.p12"/> |
| <param name="cert.dir" value="${nss.db.dir}"/> |
| <param name="certdb.pwd" value="${ssl.password}"/> |
| <param name="cert.pwd" value="${ssl.password}"/> |
| <param name="cert.nickname" value="${cert.nickname}"/> |
| </antcall> |
| <antcall target="convert-pkcs12-to-jks"> |
| <param name="pkcs12.file" value="${build.base.dir}/s1as.p12"/> |
| <param name="pkcs12.pass" value="${ssl.password}"/> |
| <param name="jks.file" value="${mykeystore.db.file}"/> |
| <param name="jks.pass" value="${ssl.password}"/> |
| </antcall> |
| <antcall target="get-certdb-to-jks"> |
| <param name="cert.nickname" value="${cert.nickname}"/> |
| </antcall> |
| </target> |
| |
| <target name="export-cert-p12-nss" depends="init-common"> |
| <exec executable="${env.S1AS_HOME}/lib/pk12util"> |
| <env key="LD_LIBRARY_PATH" path="${env.S1AS_HOME}/lib:${os.nss.path}"/> |
| <arg line="-o ${cert.file}"/> |
| <arg line="-d ${cert.dir}"/> |
| <arg line="-n ${cert.nickname}"/> |
| <arg line="-K ${certdb.pwd}"/> |
| <arg line="-W ${cert.pwd}"/> |
| </exec> |
| </target> |
| |
| |
| <target name="convert-pkcs12-to-jks" depends="init-common"> |
| <delete file="${jks.file}" failonerror="false"/> |
| <java classname="com.sun.enterprise.security.KeyTool"> |
| <arg line="-pkcs12"/> |
| <arg line="-pkcsFile ${pkcs12.file}"/> |
| <arg line="-pkcsKeyStorePass ${pkcs12.pass}"/> |
| <arg line="-pkcsKeyPass ${pkcs12.pass}"/> |
| <arg line="-jksFile ${jks.file}"/> |
| <arg line="-jksKeyStorePass ${jks.pass}"/> |
| <classpath> |
| <pathelement path="${s1as.classpath}"/> |
| <pathelement path="${env.JAVA_HOME}/jre/lib/jsse.jar"/> |
| <pathelement path="${env.JAVA_HOME}/bundle/Classes/jsse.jar"/> |
| </classpath> |
| </java> |
| </target> |
| |
| |
| <!-- Get certificate from NSS db to JKS format --> |
| <target name="get-certdb-to-jks" depends="init-common"> |
| <exec executable="${env.S1AS_HOME}/lib/certutil" output="${admin.domain.dir}/${admin.domain}/config/certdb.rfc"> |
| <env key="LD_LIBRARY_PATH" path="${env.S1AS_HOME}/lib"/> |
| <arg line="-L -n ${cert.nickname}"/> |
| <arg line="-d ${nss.db.dir} -a"/> |
| </exec> |
| <antcall target="import-cert-jks"> |
| <param name="cert.alias" value="${cert.nickname}"/> |
| <param name="keystore.file" value="${mytruststore.db.file}"/> |
| <param name="cert.file" value="${admin.domain.dir}/${admin.domain}/config/certdb.rfc"/> |
| </antcall> |
| </target> |
| |
| <target name="import-cert-jks"> |
| <exec executable="${java.home}/bin/keytool" failonerror="true"> |
| <arg line="-import -trustcacerts -alias ${cert.alias} -storepass '${ssl.password}' -noprompt "/> |
| <arg value="-file"/> |
| <arg file="${cert.file}"/> |
| <arg value="-keystore"/> |
| <arg file="${keystore.file}"/> |
| </exec> |
| </target> |
| |
| <!-- for WSS --> |
| <target name="enable-wss-message-security-provider" depends="init-common"> |
| <exec executable="${ASADMIN}"> |
| <arg line="set"/> |
| <arg line="${as.props}"/> |
| <arg line="${appserver.config.name}.security-service.message-security-config.SOAP.default_provider=${wss.server.provider.name}"/> |
| </exec> |
| <exec executable="${ASADMIN}"> |
| <arg line="set"/> |
| <arg line="${as.props}"/> |
| <arg line="${appserver.config.name}.security-service.message-security-config.SOAP.default_client_provider=${wss.client.provider.name}"/> |
| </exec> |
| </target> |
| |
| <target name="disable-wss-message-security-provider" depends="init-common"> |
| <exec executable="${ASADMIN}"> |
| <arg line="set"/> |
| <arg line="${as.props}"/> |
| <arg line="${appserver.config.name}.security-service.message-security-config.SOAP.default_provider="/> |
| </exec> |
| <exec executable="${ASADMIN}"> |
| <arg line="set"/> |
| <arg line="${as.props}"/> |
| <arg line="${appserver.config.name}.security-service.message-security-config.SOAP.default_client_provider="/> |
| </exec> |
| </target> |
| |
| <target name="set-wss-provider-request-auth-recipient" depends="init-common"> |
| <exec executable="${ASADMIN}"> |
| <arg line="set"/> |
| <arg line="${as.props}"/> |
| <arg line="${appserver.config.name}.security-service.message-security-config.SOAP.provider-config.${wss.provider.name}.request-policy.auth_recipient=${request.auth.recipient}"/> |
| </exec> |
| </target> |
| |
| <target name="set-wss-provider-response-auth-recipient" depends="init-common"> |
| <exec executable="${ASADMIN}"> |
| <arg line="set"/> |
| <arg line="${as.props}"/> |
| <arg line="${appserver.config.name}.security-service.message-security-config.SOAP.provider-config.${wss.provider.name}.response-policy.auth_recipient=${response.auth.recipient}"/> |
| </exec> |
| </target> |
| |
| <target name="backup-glassfish-acc.xml" depends="init-common"> |
| <copy overwrite="true" failonerror="false" file="${admin.domain.dir}/${admin.domain}/config/glassfish-acc.xml" tofile="${admin.domain.dir}/${admin.domain}/config/glassfish-acc.xml.SAVE"/> |
| </target> |
| |
| <target name="enable-wss-appclient-message-security-provider" depends="init-common"> |
| <replace file="${admin.domain.dir}/${admin.domain}/config/glassfish-acc.xml" token=""SOAP">" value=""SOAP" default-client-provider="${wss.client.provider.name}">"/> |
| </target> |
| |
| <target name="set-wss-appclient-request-recipient"> |
| <replace file="${admin.domain.dir}/${admin.domain}/config/glassfish-acc.xml" token="request-policy auth-source" value="request-policy auth-recipient="${request.auth.recipient}" auth-source"/> |
| </target> |
| |
| <target name="set-wss-appclient-response-recipient"> |
| <replace file="${admin.domain.dir}/${admin.domain}/config/glassfish-acc.xml" token="response-policy auth-source" value="response-policy auth-recipient="${response.auth.recipient}" auth-source"/> |
| </target> |
| |
| <target name="disable-wss-appclient-message-security-provider" depends="init-common"> |
| <replace file="${admin.domain.dir}/${admin.domain}/config/glassfish-acc.xml" token=""SOAP" default-client-provider="${wss.client.provider.name}">" value=""SOAP">"/> |
| </target> |
| |
| <target name="unset-wss-appclient-request-recipient"> |
| <replace file="${admin.domain.dir}/${admin.domain}/config/glassfish-acc.xml" token="request-policy auth-recipient="${request.auth.recipient}" auth-source" value="request-policy auth-source"/> |
| </target> |
| |
| <target name="unset-wss-appclient-response-recipient"> |
| <replace file="${admin.domain.dir}/${admin.domain}/config/glassfish-acc.xml" token="response-policy auth-recipient="${response.auth.recipient}" auth-source" value="response-policy auth-source"/> |
| </target> |
| |
| <target name="setJAXWSToolsForWin" if="isWindows"> |
| <property name="WSGEN" value="${env.S1AS_HOME}/bin/wsgen.bat"/> |
| <property name="WSIMPORT" value="${env.S1AS_HOME}/bin/wsimport.bat"/> |
| <property name="ASAPT" value="${env.S1AS_HOME}/bin/asapt.bat"/> |
| </target> |
| |
| <target name="setJAXWSToolsForUnix" if="isUnix"> |
| <property name="WSGEN" value="${env.S1AS_HOME}/bin/wsgen"/> |
| <property name="WSIMPORT" value="${env.S1AS_HOME}/bin/wsimport"/> |
| <property name="ASAPT" value="${env.S1AS_HOME}/bin/asapt"/> |
| </target> |
| |
| <target name="wsgen" depends="init-common,setJAXWSToolsForWin,setJAXWSToolsForUnix"> |
| <exec executable="${WSGEN}" failonerror="true" > |
| <env key="AS_JAVA" value="${env.JAVA_HOME}" /> |
| <arg line="${wsgen.args}" /> |
| </exec> |
| </target> |
| |
| <target name="wsimport" depends="init-common,setJAXWSToolsForWin,setJAXWSToolsForUnix"> |
| <exec executable="${WSIMPORT}" failonerror="true" > |
| <env key="AS_JAVA" value="${env.JAVA_HOME}" /> |
| <env key="WSIMPORT_OPTS" value="${wsimport.VMARGS}"/> |
| <arg line="${wsimport.args}" /> |
| </exec> |
| </target> |