Google Git
Sign in
third-party-mirror / glassfish / ff472358046c28af2e77898e0d6250b4f3f0bca4 / . / appserver / tests / v2-tests / appserv-tests / sqetests / security / sec-common.xml
blob: 0a6056119500286af2dd4f086d7ae8e0fd32b897 [file] [log] [blame]
<!--
Copyright (c) 2018 Oracle and/or its affiliates. All rights reserved.
This program and the accompanying materials are made available under the
terms of the Eclipse Public License v. 2.0, which is available at
http://www.eclipse.org/legal/epl-2.0.
This Source Code may also be made available under the following Secondary
Licenses when the conditions for such availability set forth in the
Eclipse Public License v. 2.0 are satisfied: GNU General Public License,
version 2 with the GNU Classpath Exception, which is available at
https://www.gnu.org/software/classpath/license.html.
SPDX-License-Identifier: EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0
-->
<!--
Security tests - common targets used across all the appserver editions.
author: jagadesh munta
-->
<!-- WSS related targets -->
<target name="create-server-message-security-provider" depends="init-common">
<exec executable="${ASADMIN}">
<arg line="create-message-security-provider"/>
<arg line="${as.props} --target ${appserver.instance.name}"/>
<arg line="--classname com.sun.xml.wss.provider.ServerSecurityAuthModule"/>
<arg line="--requestauthsource ${wss.request.auth.source}"/>
<arg line="--isdefaultprovider"/>
<arg line="--providertype ${wss.server.provider.type}"/>
<arg line="--property security.config=${admin.domain.dir}/${admin.domain}/config/wss-server-config-2.0.xml"/>
<arg line="${wss.server.provider.name}"/>
</exec>
</target>
<target name="create-client-message-security-provider" depends="init-common">
<exec executable="${ASADMIN}">
<arg line="create-message-security-provider"/>
<arg line="${as.props} --target ${appserver.instance.name}"/>
<arg line="--classname com.sun.xml.wss.provider.ClientSecurityAuthModule"/>
<arg line="--requestauthsource ${wss.request.auth.source}"/>
<arg line="--responseauthsource ${wss.response.auth.source}"/>
<arg line="--isdefaultprovider"/>
<arg line="--providertype ${wss.client.provider.type}"/>
<arg line="--property security.config=${admin.domain.dir}/${admin.domain}/config/wss-client-config-2.0.xml"/>
<arg line="${wss.client.provider.name}"/>
</exec>
</target>
<target name="create-message-security-provider">
<antcall target="create-server-message-security-provider"/>
<antcall target="create-client-message-security-provider"/>
</target>
<target name="enable-wss-message-security-provider" depends="init-common">
<exec executable="${ASADMIN}">
<arg line="set"/>
<arg line="${as.props}"/>
<arg line="${appserver.instance.name}.security-service.message-security-config.SOAP.default_provider=${wss.server.provider.name}"/>
</exec>
<exec executable="${ASADMIN}">
<arg line="set"/>
<arg line="${as.props}"/>
<arg line="${appserver.instance.name}.security-service.message-security-config.SOAP.default_client_provider=${wss.client.provider.name}"/>
</exec>
</target>
<target name="disable-wss-message-security-provider" depends="init-common">
<exec executable="${ASADMIN}">
<arg line="set"/>
<arg line="${as.props}"/>
<arg line="${appserver.instance.name}.security-service.message-security-config.SOAP.default_provider="/>
</exec>
<exec executable="${ASADMIN}">
<arg line="set"/>
<arg line="${as.props}"/>
<arg line="${appserver.instance.name}.security-service.message-security-config.SOAP.default_client_provider="/>
</exec>
</target>
<target name="delete-message-security-provider">
<antcall target="delete-message-security-provider-common">
<param name="wss.provider.name" value="${wss.server.provider.name}"/>
</antcall>
<antcall target="delete-message-security-provider-common">
<param name="wss.provider.name" value="${wss.client.provider.name}"/>
</antcall>
</target>
<target name="delete-message-security-provider-common" depends="init-common">
<exec executable="${ASADMIN}">
<arg line="delete-message-security-provider"/>
<arg line="${as.props} --target ${appserver.instance.name}"/>
<arg line="--layer SOAP"/>
<arg line="${wss.provider.name}"/>
</exec>
</target>
<target name="set-wss-provider-request-auth-source" depends="init-common">
<exec executable="${ASADMIN}">
<arg line="set"/>
<arg line="${as.props}"/>
<arg line="${appserver.instance.name}.security-service.message-security-config.SOAP.provider-config.${wss.provider.name}.request-policy.auth_source=${request.auth.source}"/>
</exec>
</target>
<target name="set-wss-provider-request-auth-recipient" depends="init-common">
<exec executable="${ASADMIN}">
<arg line="set"/>
<arg line="${as.props}"/>
<arg line="${appserver.instance.name}.security-service.message-security-config.SOAP.provider-config.${wss.provider.name}.request-policy.auth_recipient=${request.auth.recipient}"/>
</exec>
</target>
<target name="set-wss-provider-response-auth-source" depends="init-common">
<exec executable="${ASADMIN}">
<arg line="set"/>
<arg line="${as.props}"/>
<arg line="${appserver.instance.name}.security-service.message-security-config.SOAP.provider-config.${wss.provider.name}.response-policy.auth_source=${response.auth.source}"/>
</exec>
</target>
<target name="set-wss-provider-response-auth-recipient" depends="init-common">
<exec executable="${ASADMIN}">
<arg line="set"/>
<arg line="${as.props}"/>
<arg line="${appserver.instance.name}.security-service.message-security-config.SOAP.provider-config.${wss.provider.name}.response-policy.auth_recipient=${response.auth.recipient}"/>
</exec>
</target>
<target name="set-wss-provider-security-config" depends="init-common">
<exec executable="${ASADMIN}">
<arg line="set"/>
<arg line="${as.props}"/>
<arg line="${appserver.instance.name}.security-service.message-security-config.SOAP.provider-config.${wss.provider.name}.security_config=${security.config.file}"/>
</exec>
</target>
<!-- Configure NSS for IIOP -->
<target name="config-nss-iiop" depends="init-common">
<antcall target="set-jvm-option">
<param name="jvm.option" value="-DNSS_USE_FOR_IIOP=true"/>
</antcall>
</target>
<!-- Remove NSS config for IIOP -->
<target name="remove-nss-iiop" depends="init-common">
<antcall target="unset-jvm-option">
<param name="jvm.option" value="-DNSS_USE_FOR_IIOP=true"/>
</antcall>
</target>
<!-- Get certificate from NSS db to JKS format -->
<target name="get-certdb-to-jks" depends="init-common">
<exec executable="${env.S1AS_HOME}/lib/certutil" output="${admin.domain.dir}/${admin.domain}/config/certdb.rfc">
<env key="LD_LIBRARY_PATH" path="${env.S1AS_HOME}/lib:${os.nss.path}"/>
<arg line="-L -n ${cert.nickname}"/>
<arg line="-d ${admin.domain.dir}/${admin.domain}/config -a"/>
</exec>
<concat>
<filelist dir="${admin.domain.dir}/${admin.domain}/config" files="certdb.rfc"/>
</concat>
<antcall target="import-cert-jks">
<param name="cert.alias" value="${cert.nickname}"/>
<param name="keystore.file" value="${admin.domain.dir}/${admin.domain}/config/certdb_cacerts.jks"/>
<param name="cert.file" value="${admin.domain.dir}/${admin.domain}/config/certdb.rfc"/>
</antcall>
</target>
<target name="get-certdb-to-jks-token" depends="init-common">
<exec executable="${env.S1AS_HOME}/lib/certutil" output="${admin.domain.dir}/${admin.domain}/config/certdb.rfc">
<arg line="-L -n ${token.name}:${cert.nickname}"/>
<arg line="-d ${admin.domain.dir}/${admin.domain}/config -a"/>
</exec>
<concat>
<filelist dir="${admin.domain.dir}/${admin.domain}/config" files="certdb.rfc"/>
</concat>
<antcall target="import-cert-jks">
<param name="cert.alias" value="${token.name}:${cert.nickname}"/>
<param name="keystore.file" value="${admin.domain.dir}/${admin.domain}/config/certdb_cacerts.jks"/>
<param name="cert.file" value="${admin.domain.dir}/${admin.domain}/config/certdb.rfc"/>
</antcall>
</target>
<!-- get the appserver edition -->
<target name="set-appserver-version" depends="init-common">
<!--
<exec executable="${ASADMIN}" output="as_version.txt">
<arg line="version"/>
<arg line="${as.props}"/>
</exec>
<loadfile property="Version" srcFile="as_version.txt" failonerror="false"/>
<echo message="Got the version=${Version}"/>
-->
<!-- use the following workaround to find the appserver edition until I figureout the above parse method -->
<available file="${admin.domain.dir}/${admin.domain}/config/cert8.db" type="file" property="isEE"/>
</target>
<target name="import-cert-nss" depends="init-common">
<echo message="${certdb.pwd}" file="passfile"/>
<exec executable="${env.S1AS_HOME}/lib/certutil">
<env key="LD_LIBRARY_PATH" path="${env.S1AS_HOME}/lib:${os.nss.path}"/>
<arg line="-A"/>
<arg line="-a"/>
<arg line="-n ${cert.nickname}"/>
<arg line="-t '${cert.trust.options}'"/>
<arg line="-d ${cert.dir}"/>
<arg line="-f passfile"/>
<arg line="-i ${cert.file}"/>
</exec>
</target>
<target name="import-cert-p12-nss" depends="init-common">
<echo message="${certdb.pwd}" file="passfile"/>
<echo message="${cert.pwd}" file="certpassfile"/>
<exec executable="${env.S1AS_HOME}/lib/pk12util">
<env key="LD_LIBRARY_PATH" path="${env.S1AS_HOME}/lib:${os.nss.path}"/>
<arg line="-i ${cert.file}"/>
<arg line="-d ${cert.dir}"/>
<arg line="-k passfile"/>
<arg line="-w certpassfile"/>
</exec>
</target>
<target name="import-cert-p12-nss-token" depends="init-common">
<echo message="Importing certificate ${cert.nickname} in ${cert.file} into token ${token.name} under ${cert.dir} ..."/>
<echo message="${certdb.pwd}" file="passfile"/>
<echo message="${cert.pwd}" file="certpassfile"/>
<echo message="${token.pwd}" file="tokenpassfile"/>
<exec executable="${env.S1AS_HOME}/lib/pk12util">
<env key="LD_LIBRARY_PATH" path="${env.S1AS_HOME}/lib:${os.nss.path}"/>
<arg line="-i ${cert.file}"/>
<arg line="-d ${cert.dir}"/>
<arg line="-k passfile"/>
<arg line="-w certpassfile"/>
<arg line="-h ${token.name}"/>
<arg line="-k tokenpassfile"/>
</exec>
</target>
<target name="export-cert-p12-nss" depends="init-common">
<echo message="${certdb.pwd}" file="passfile"/>
<echo message="${cert.pwd}" file="certpassfile"/>
<exec executable="${env.S1AS_HOME}/lib/pk12util">
<env key="LD_LIBRARY_PATH" path="${env.S1AS_HOME}/lib:${os.nss.path}"/>
<arg line="-o ${cert.file}"/>
<arg line="-d ${cert.dir}"/>
<arg line="-n ${cert.nickname}"/>
<arg line="-k passfile"/>
<arg line="-w certpassfile"/>
</exec>
</target>
<target name="export-cert-p12-nss-token" depends="init-common">
<echo message="Exporting certificate ${cert.nickname} to ${cert.file} from token ${token.name} under ${cert.dir} ..."/>
<echo message="${certdb.pwd}" file="passfile"/>
<echo message="${cert.pwd}" file="certpassfile"/>
<echo message="${token.pwd}" file="tokenpassfile"/>
<exec executable="${env.S1AS_HOME}/lib/pk12util">
<env key="LD_LIBRARY_PATH" path="${env.S1AS_HOME}/lib:${os.nss.path}"/>
<arg line="-o ${cert.file}"/>
<arg line="-d ${cert.dir}"/>
<arg line="-n ${cert.nickname}"/>
<arg line="-k passfile"/>
<arg line="-w certpassfile"/>
<arg line="-h ${token.name}"/>
<arg line="-k tokenpassfile"/>
</exec>
</target>
<target name="convert-pkcs12-to-jks" depends="init-common">
<delete file="${jks.file}" failonerror="false"/>
<java classname="com.sun.appserver.sqe.security.ssl.util.KeyTool">
<arg line="-pkcs12"/>
<arg line="-pkcsFile ${pkcs12.file}"/>
<arg line="-pkcsKeyStorePass ${pkcs12.pass}"/>
<arg line="-pkcsKeyPass ${pkcs12.pass}"/>
<arg line="-jksFile ${jks.file}"/>
<arg line="-jksKeyStorePass ${jks.pass}"/>
<classpath>
<pathelement path="${s1as.classpath}"/>
<pathelement path="${env.APS_HOME}/lib/sslutil.jar"/>
<pathelement path="${env.JAVA_HOME}/jre/lib/jsse.jar"/>
</classpath>
</java>
</target>
<target name="export-cert-nss" depends="init-common">
<echo message="${certdb.pwd}" file="passfile"/>
<exec executable="${env.S1AS_HOME}/lib/certutil" output="${cert.file}">
<env key="LD_LIBRARY_PATH" path="${env.S1AS_HOME}/lib:${os.nss.path}"/>
<arg line="-L"/>
<arg line="-a"/>
<arg line="-n ${cert.nickname}"/>
<arg line="-d ${cert.dir}"/>
<arg line="-f passfile"/>
</exec>
</target>
<target name="delete-cert-nss" depends="init-common">
<echo message="${certdb.pwd}" file="passfile"/>
<exec executable="${env.S1AS_HOME}/lib/certutil">
<env key="LD_LIBRARY_PATH" path="${env.S1AS_HOME}/lib:${os.nss.path}"/>
<arg line="-D"/>
<arg line="-n ${cert.nickname}"/>
<arg line="-d ${cert.dir}"/>
<arg line="-f passfile"/>
</exec>
</target>
<!-- ============================================================================= -->
<!-- SSL over http related targets -->
<!-- ============================================================================= -->
<target name="set-default-https-port" depends="init-common">
<echo message="Set default ssl port 443 for http-listener ..."/>
<exec executable="${ASADMIN}">
<arg line="set"/>
<arg line="${as.props}"/>
<arg line="${appserver.instance.name}.http-service.http-listener.http-listener-2.port=443"/>
</exec>
</target>
<target name="enable-https-protocol" depends="init-common">
<echo message="Enable https protocol for http-listener ..."/>
<exec executable="${ASADMIN}">
<arg line="set"/>
<arg line="${as.props}"/>
<arg line="${appserver.instance.name}.http-service.http-protocol.ssl_enabled=true"/>
</exec>
</target>
<!-- setup the SSL element for mutual auth in http listener2 -->
<target name="create-http-ssl-mutualauth-ee" depends="init-common">
<exec executable="${ASADMIN}">
<arg line="create-ssl"/>
<arg line="${as.props} --target ${appserver.instance.name}"/>
<arg line="--type http-listener"/>
<arg line="--certname ${server.cert.nickname}"/>
<arg line="--clientauthenabled=true"/>
<arg line="${https.listener}"/>
</exec>
<exec executable="${ASADMIN}">
<arg line="set"/>
<arg line="${as.props}"/>
<arg line="${appserver.instance.name}.http-service.http-listener.http-listener-2.ssl.ssl3_tls_ciphers=${https.ssl3ciphers}"/>
</exec>
</target>
<!-- Enable the client authentication for a given listener -->
<target name="set-iiop-ssl-cert" depends="init-common">
<echo message="set cert alias, ${cert.nickname} in iiop-service ..."/>
<exec executable="${ASADMIN}">
<arg line="set"/>
<arg line="${as.props}"/>
<arg line="${appserver.instance.name}.iiop-service.iiop-listener.SSL.ssl.cert_nickname=${cert.nickname}"/>
</exec>
<exec executable="${ASADMIN}">
<arg line="set"/>
<arg line="${as.props}"/>
<arg line="${appserver.instance.name}.iiop-service.iiop-listener.SSL_MUTUALAUTH.ssl.cert_nickname=${cert.nickname}"/>
</exec>
</target>
<target name="create-ssl-client-config" depends="init-common">
<exec executable="${ASADMIN}">
<arg line="create-ssl"/>
<arg line="${as.props} --target ${appserver.instance.name}"/>
<arg line="--type iiop-service"/>
<arg line="--certname ${outbound.cert.nickname}"/>
</exec>
</target>
<target name="delete-ssl-client-config" depends="init-common">
<exec executable="${ASADMIN}">
<arg line="delete-ssl"/>
<arg line="${as.props} --target ${appserver.instance.name}"/>
<arg line="--type iiop-service"/>
</exec>
</target>
<target name="enable-ssl-mutual-auth-over-iiop" depends="init-common">
<exec executable="${ASADMIN}">
<arg line="set"/>
<arg line="${as.props}"/>
<arg line="${appserver.instance.name}.iiop-service.iiop-listener.SSL_MUTUALAUTH.ssl.client_auth_enabled=true"/>
</exec>
</target>
<target name="create-sample-self-jks-cert" depends="init-common">
<antcall target="create-cert-jks">
<param name="keystore.file" value="s1as.jks"/>
<param name="keystore.pass" value="changeit"/>
<param name="key.pass" value="changeit"/>
<param name="key.alias" value="s1as"/>
<param name="dname" value="CN=S1AS, OU=Sun Java System, O=Sun Microsystems, L=Santa Clara, ST=California, C=US"/>
</antcall>
<antcall target="list-cert-jks">
<param name="keystore.file" value="s1as.jks"/>
<param name="keystore.pass" value="changeit"/>
</antcall>
</target>
<target name="create-cert-jks-rsa" depends="init-common">
<echo message="Create certificate in ${keystore.file} ..."/>
<exec executable="${env.JAVA_HOME}/bin/keytool">
<arg value="-genkey"/>
<arg value="-keyalg"/>
<arg value="RSA"/>
<arg value="-trustcacerts"/>
<arg value="-keystore"/>
<arg value="${keystore.file}"/>
<arg value="-storepass"/>
<arg value="${keystore.pass}"/>
<arg value="-alias"/>
<arg value="${key.alias}"/>
<arg value="-dname"/>
<arg value="${dname}"/>
<arg value="-keypass"/>
<arg value="${key.pass}"/>
</exec>
</target>
<!--
<arg value="-noprompt"/>
<param name="dname" value="EMAILADDRESS=jagadesh.munta@sun.com, CN=Jagadesh Munta, UID=munta, OU=Java Software, O=Sun Microsystems Inc, C=US"/>
-->
<!-- Password Encryption related targets-->
<!-- alias.name=username -->
<target name="create-password-alias" depends="init-common">
<exec executable="${ASADMIN}">
<arg line="create-password-alias"/>
<arg line="${as.props}"/>
<arg line="--aliaspassword ${alias.password}"/>
<arg line="${alias.name}"/>
</exec>
</target>
<target name="delete-password-alias" depends="init-common">
<exec executable="${ASADMIN}">
<arg line="delete-password-alias"/>
<arg line="${as.props}"/>
<arg line="${alias.name}"/>
</exec>
</target>
<target name="get-java-version">
<echo message="Ant java version=${ant.java.version}"/>
<echo message="Java version=${java.version}"/>
<condition property="jdk14" value="true">
<contains string="${java.version}" substring="1.4" casesensitive="no"/>
</condition>
<condition property="jdk15" value="true">
<contains string="${java.version}" substring="1.5" casesensitive="no"/>
</condition>
<echo message="Using java version: jdk1.5.x=${jdk15} ; jdk1.4.x=${jdk14}"/>
</target>
<!--
Hardware Accelerator setup related targets
-->
<target name="add-pkcs11-module-token" depends="init-common">
<echo message="Adding PKCS11 Module or token to NSS Certdb..."/>
<exec executable="${env.S1AS_HOME}/lib/modutil">
<env key="LD_LIBRARY_PATH" path="${env.S1AS_HOME}/lib:${os.nss.path}"/>
<arg line="-add &quot;${token.module.name}&quot;"/>
<arg line="-nocertdb -force "/>
<arg line="-dbdir ${admin.domain.dir}/${admin.domain}/config"/>
<arg line="-libfile ${SCA.lib.path}"/>
<arg line="-mechanisms RSA:DSA:RC4:DES"/>
</exec>
</target>
<target name="delete-pkcs11-module-token" depends="init-common">
<echo message="Deleting PKCS11 module or token ${token.name} from NSS Certdb..."/>
<exec executable="${env.S1AS_HOME}/lib/modutil">
<env key="LD_LIBRARY_PATH" path="${env.S1AS_HOME}/lib:${os.nss.path}"/>
<arg line="-delete &quot;${token.module.name}&quot;"/>
<arg line="-nocertdb -force "/>
<arg line="-dbdir ${admin.domain.dir}/${admin.domain}/config"/>
<arg line="-libfile ${SCA.lib.path}"/>
<arg line="-mechanisms RSA:DSA:RC4:DES"/>
</exec>
</target>
<target name="list-module-token" depends="init-common">
<echo message="Listing PKCS11 Modules or tokens from NSS Certdb..."/>
<exec executable="${env.S1AS_HOME}/lib/modutil">
<env key="LD_LIBRARY_PATH" path="${env.S1AS_HOME}/lib:${os.nss.path}"/>
<arg line="-list"/>
<arg line="-dbdir ${admin.domain.dir}/${admin.domain}/config"/>
</exec>
</target>
<target name="list-cert-token" depends="init-common">
<echo message="Listing Certs from PKCS11 Module or Token..."/>
<echo message="${token.pwd}" file="passfile"/>
<exec executable="${env.S1AS_HOME}/lib/certutil">
<env key="LD_LIBRARY_PATH" path="${env.S1AS_HOME}/lib:${os.nss.path}"/>
<arg line="-L"/>
<arg line="-d ${admin.domain.dir}/${admin.domain}/config"/>
<arg line="-h ${token.name}"/>
<arg line="-f passfile"/>
</exec>
</target>
<!-- Log related -->
<target name="set-client-log-level" depends="init-common">
<echo message="Setting client default log level WARNING to ${log.level}"/>
<replace
token="WARNING"
value="${log.level}"
file="${admin.domain.dir}/${admin.domain}/config/glassfish-acc.xml"/>
</target>
<target name="set-client-default-log-level" depends="init-common">
<echo message="Setting client default log level WARNING from ${log.level}"/>
<replace
token="${log.level}"
value="WARNING"
file="${admin.domain.dir}/${admin.domain}/config/glassfish-acc.xml"/>
</target>
<target name="set-server-security-log-level" depends="init-common">
<echo message="Setting server security module log level to ${log.level}"/>
<exec executable="${ASADMIN}">
<arg line="set"/>
<arg line="${as.props}"/>
<arg line="${appserver.instance.name}.log-service.module-log-levels.security=${log.level}"/>
</exec>
</target>
<target name="set-server-security-fine-log-level">
<echo message="Setting server security module log level to FINE"/>
<antcall target="set-server-security-log-level">
<param name="log.level" value="FINE"/>
</antcall>
</target>
<target name="set-server-security-default-log-level">
<echo message="Setting server security module log level to INFO"/>
<antcall target="set-server-security-log-level">
<param name="log.level" value="INFO"/>
</antcall>
</target>
<target name="set-Props-MacOS" if="isMac" depends="init-common">
<property name="java.lib.path" value="${env.JAVA_HOME}/lib"/>
</target>
<target name="set-Props-nonMacOS" unless="isMac" depends="init-common">
<property name="java.lib.path" value="${env.JAVA_HOME}/jre/lib"/>
</target>
<target name="import-cert-jks" depends="init-common">
<echo message="Installing certificate in ${keystore.file} ..."/>
<exec executable="${env.JAVA_HOME}/bin/keytool">
<arg value="-import"/>
<arg value="-noprompt"/>
<arg value="-trustcacerts"/>
<arg value="-keystore"/>
<arg value="${keystore.file}"/>
<arg value="-storepass"/>
<arg value="changeit"/>
<arg value="-alias"/>
<arg value="${cert.alias}"/>
<arg value="-file"/>
<arg value="${cert.file}"/>
</exec>
</target>