diff --git a/weblogic-azure-vm/arm-oraclelinux-wls-admin/src/main/arm/nestedtemplates/aadNestedTemplate.json b/weblogic-azure-vm/arm-oraclelinux-wls-admin/src/main/arm/nestedtemplates/aadNestedTemplate.json index e24356192..c028a4409 100644 --- a/weblogic-azure-vm/arm-oraclelinux-wls-admin/src/main/arm/nestedtemplates/aadNestedTemplate.json +++ b/weblogic-azure-vm/arm-oraclelinux-wls-admin/src/main/arm/nestedtemplates/aadNestedTemplate.json 
@@ -136,7 +136,7 @@ } }, "variables": { - "const_aadParameters": "[concat(parameters('wlsUserName'),' ',parameters('wlsPassword'),' ',parameters('wlsDomainName'),' ',parameters('wlsLDAPProviderName'), ' ', parameters('aadsServerHost'), ' ', parameters('aadsPortNumber'), ' ', concat('\"',parameters('wlsLDAPPrincipal'),'\"'), ' ', parameters('wlsLDAPPrincipalPassword'), ' ', concat('\"',parameters('wlsLDAPUserBaseDN'),'\"'), ' ', concat('\"',parameters('wlsLDAPGroupBaseDN'),'\"'), ' ', variables('const_wlsHome'),' ',parameters('adminVMName'),' ',variables('const_wlsAdminPort'),' ',parameters('wlsLDAPSSLCertificate'), ' ', parameters('aadsPublicIP'), ' ', variables('const_adminServerName'), ' ', variables('const_wlsDomainPath'),' ',parameters('enableCustomSSL'),' ',base64(parameters('keyVaultCustomTrustKeyStorePassPhrase')),' ',base64(parameters('keyVaultCustomTrustKeyStoreType')))]", + "const_aadParameters": "[concat(parameters('wlsUserName'),' ',parameters('wlsPassword'),' ',parameters('wlsDomainName'),' ',parameters('wlsLDAPProviderName'), ' ', parameters('aadsServerHost'), ' ', parameters('aadsPortNumber'), ' ', base64(parameters('wlsLDAPPrincipal')), ' ', parameters('wlsLDAPPrincipalPassword'),' ', base64(parameters('wlsLDAPUserBaseDN')),' ', base64(parameters('wlsLDAPGroupBaseDN')),' ', variables('const_wlsHome'),' ',parameters('adminVMName'),' ',variables('const_wlsAdminPort'),' ',parameters('wlsLDAPSSLCertificate'),' ', parameters('aadsPublicIP'),' ',variables('const_adminServerName'),' ', variables('const_wlsDomainPath'),' ',parameters('enableCustomSSL'),' ',base64(parameters('keyVaultCustomTrustKeyStorePassPhrase')),' ',base64(parameters('keyVaultCustomTrustKeyStoreType')))]", "const_adminServerName": "admin", "const_wlsAdminPort": "7005", "const_wlsDomainPath": "[concat('/u01/domains/', parameters('wlsDomainName'))]", 
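Review bot: `wlsPassword` and `wlsLDAPPrincipalPassword` are still concatenated raw into this whitespace-delimited string, so a password containing a space shifts every field after it when aadIntegration.sh splits the line with `read`, and only the principal and the two base DNs received the base64 treatment. The script's `read` also has no `-r`, so a backslash in either password is consumed as an escape before the value reaches WebLogic. Encode the passwords the same way, `base64(parameters('wlsPassword'))` and `base64(parameters('wlsLDAPPrincipalPassword'))`, with matching `base64 --decode` lines in the script's main section, and ship template and script together since the encoding is now a wire contract between them.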
diff --git a/weblogic-azure-vm/arm-oraclelinux-wls-admin/src/main/scripts/aadIntegration.sh b/weblogic-azure-vm/arm-oraclelinux-wls-admin/src/main/scripts/aadIntegration.sh index 730b5fa8f..aadd4131e 100644 --- a/weblogic-azure-vm/arm-oraclelinux-wls-admin/src/main/scripts/aadIntegration.sh +++ b/weblogic-azure-vm/arm-oraclelinux-wls-admin/src/main/scripts/aadIntegration.sh @@ -199,6 +199,48 @@ function mapLDAPHostWithPublicIP() sudo echo "${wlsLDAPPublicIP} ${adServerHost}" >> /etc/hosts } +# This function verifies whether certificate is valid and not expired +function verifyCertValidity() +{ + + CERT_FILE=$1 + CURRENT_DATE=$2 + MIN_CERT_VALIDITY=$3 + VALIDITY=$(($CURRENT_DATE + ($MIN_CERT_VALIDITY*24*60*60))) + + . $oracleHome/oracle_common/common/bin/setWlstEnv.sh + + echo "Verifying $CERT_FILE is valid at least $MIN_CERT_VALIDITY day from the deployment time" + if [ $VALIDITY -le $CURRENT_DATE ]; + then + echo_stderr "Error : Invalid minimum validity days supplied" + exit 1 + fi + + # Check whether CERT_FILE supplied can be opened for reading + # Redirecting as no need to display the contents + sudo ${JAVA_HOME}/bin/keytool -printcert -file $CERT_FILE > /dev/null 2>&1 + + if [ $? != 0 ]; + then + echo_stderr "Error opening the certificate : $CERT_FILE" + exit 1 + fi + + VALIDITY_PERIOD=`sudo ${JAVA_HOME}/bin/keytool -printcert -file $CERT_FILE | grep Valid` + echo "Certificate $CERT_FILE is \"$VALIDITY_PERIOD\"" + CERT_UNTIL_DATE=`echo $VALIDITY_PERIOD | awk -F'until:|\r' '{print $2}'` + CERT_UNTIL_SECONDS=`date -d "$CERT_UNTIL_DATE" +%s` + VALIDITY_REMIANS_SECONDS=`expr $CERT_UNTIL_SECONDS - $VALIDITY` + if [[ $VALIDITY_REMIANS_SECONDS -le 0 ]]; + then + echo_stderr "$CERT_FILE is \"$VALIDITY_PERIOD\"" + echo_stderr "Error : Supplied certificate $CERT_FILE is either expired or expiring soon within $MIN_CERT_VALIDITY day" + exit 1 + fi + echo "$CERT_FILE validation is successful" +} + function parseLDAPCertificate() { echo "create key store" 
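Review bot: The expiry extraction in the new verifyCertValidity assumes `keytool -printcert` emits exactly one `Valid from … until:` line, but if `$CERT_FILE` holds a chain keytool prints one per certificate, the unquoted `echo $VALIDITY_PERIOD` joins them, `awk` field 2 then runs into the next certificate's `Valid from:` text, `date -d` fails, `expr` gets an empty operand, and `[[ "" -le 0 ]]` rejects a good certificate as "expired" with a misleading message. The same path is taken when the JVM locale prints dates in a form `date -d` cannot parse. At minimum make the parse explicit: `CERT_UNTIL_SECONDS=$(date -d "$CERT_UNTIL_DATE" +%s) || { echo_stderr "Error : Could not parse expiry '$CERT_UNTIL_DATE' from $CERT_FILE"; exit 1; }`. A locale-independent alternative that parseLDAPCertificate already depends on is `openssl x509 -noout -checkend $((MIN_CERT_VALIDITY*24*60*60)) -in "$CERT_FILE"` (add `-inform DER` if AzureADTrust.cer is DER), which performs the whole check in one command.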
@@ -216,6 +258,9 @@ function parseLDAPCertificate() openssl base64 -d -in ${SCRIPT_PWD}/security/AzureADLDAPCerBase64String.txt -out ${SCRIPT_PWD}/security/AzureADTrust.cer addsCertificate=${SCRIPT_PWD}/security/AzureADTrust.cer + + # Verify certificate validity period more than MIN_CERT_VALIDITY + verifyCertValidity $addsCertificate $CURRENT_DATE $MIN_CERT_VALIDITY } function importAADCertificate() @@ -369,7 +414,12 @@ function createTempFolder() #main -read wlsUserName wlsPassword wlsDomainName adProviderName adServerHost adServerPort adPrincipal adPassword adGroupBaseDN adUserBaseDN oracleHome wlsAdminHost wlsAdminPort wlsADSSLCer wlsLDAPPublicIP wlsAdminServerName wlsDomainPath isCustomSSLEnabled customTrustKeyStorePassPhrase customTrustKeyStoreType +read wlsUserName wlsPassword wlsDomainName adProviderName adServerHost adServerPort adPrincipal adPassword adUserBaseDN adGroupBaseDN oracleHome wlsAdminHost wlsAdminPort wlsADSSLCer wlsLDAPPublicIP wlsAdminServerName wlsDomainPath isCustomSSLEnabled customTrustKeyStorePassPhrase customTrustKeyStoreType + +# Passing these values as base64 as values has space embedded +adPrincipal=$(echo "$adPrincipal" | base64 --decode) +adUserBaseDN=$(echo "$adUserBaseDN" | base64 --decode) +adGroupBaseDN=$(echo "$adGroupBaseDN" | base64 --decode) isCustomSSLEnabled="${isCustomSSLEnabled,,}" @@ -390,7 +440,17 @@ USER_ORACLE="oracle" GROUP_ORACLE="oracle" DOMAIN_PATH="/u01/domains" +# Used for certificate expiry validation +CURRENT_DATE=`date +%s` +# Supplied certificate to have minimum days validity for the deployment +MIN_CERT_VALIDITY="1" + validateInput + +# Executing parse and validate certificates to ensure there are no certificates issues +# If any certificates issues then it will be cuaght earlier +parseLDAPCertificate + createTempFolder echo "check status of admin server" wait_for_admin 
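Review bot: In the reordered main section (top-level statements that begin outside the hunk) `parseLDAPCertificate` now runs before `createTempFolder`, whereas the old order in this script ran `createTempFolder` well before it; if createTempFolder is what creates `${SCRIPT_PWD}/security`, the `openssl base64 -d … -out ${SCRIPT_PWD}/security/AzureADTrust.cer` write inside parseLDAPCertificate now fails before the directory exists. The body of createTempFolder is not in the diff, so this is an inference to confirm. If the early validation is wanted, keep the dependency order, `validateInput`, `createTempFolder`, `parseLDAPCertificate`, then `wait_for_admin`, or have parseLDAPCertificate `mkdir -p "${SCRIPT_PWD}/security"` itself.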
@@ -400,7 +460,6 @@ enableTLSv12onJDK8 createAADProvider_model createSSL_model mapLDAPHostWithPublicIP -parseLDAPCertificate importAADCertificate importAADCertificateIntoWLSCustomTrustKeyStore configureSSL diff --git a/weblogic-azure-vm/arm-oraclelinux-wls-admin/src/main/scripts/setupAdminDomain.sh b/weblogic-azure-vm/arm-oraclelinux-wls-admin/src/main/scripts/setupAdminDomain.sh index 5437f72e1..94075c0e3 100644 --- a/weblogic-azure-vm/arm-oraclelinux-wls-admin/src/main/scripts/setupAdminDomain.sh +++ b/weblogic-azure-vm/arm-oraclelinux-wls-admin/src/main/scripts/setupAdminDomain.sh 
@@ -75,6 +75,57 @@ function cleanup() echo "Cleanup completed." } +# This function verifies whether certificate is valid and not expired +function verifyCertValidity() +{ + KEYSTORE=$1 + PASSWORD=$2 + CURRENT_DATE=$3 + MIN_CERT_VALIDITY=$4 + KEY_STORE_TYPE=$5 + VALIDITY=$(($CURRENT_DATE + ($MIN_CERT_VALIDITY*24*60*60))) + + echo "Verifying $KEYSTORE is valid at least $MIN_CERT_VALIDITY day from the deployment time" + + if [ $VALIDITY -le $CURRENT_DATE ]; + then + echo_stderr "Error : Invalid minimum validity days supplied" + exit 1 + fi + + # Check whether KEYSTORE supplied can be opened for reading + # Redirecting as no need to display the contents + runuser -l oracle -c ". $oracleHome/oracle_common/common/bin/setWlstEnv.sh; keytool -list -v -keystore $KEYSTORE -storepass $PASSWORD -storetype $KEY_STORE_TYPE > /dev/null 2>&1" + if [ $? != 0 ]; + then + echo_stderr "Error opening the keystore : $KEYSTORE" + exit 1 + fi + + aliasList=`runuser -l oracle -c ". $oracleHome/oracle_common/common/bin/setWlstEnv.sh; keytool -list -v -keystore $KEYSTORE -storepass $PASSWORD -storetype $KEY_STORE_TYPE | grep Alias" |awk '{print $3}'` + if [[ -z $aliasList ]]; + then + echo_stderr "Error : No alias found in supplied certificate $KEYSTORE" + exit 1 + fi + + for alias in $aliasList + do + VALIDITY_PERIOD=`runuser -l oracle -c ". 
$oracleHome/oracle_common/common/bin/setWlstEnv.sh; keytool -list -v -keystore $KEYSTORE -storepass $PASSWORD -storetype $KEY_STORE_TYPE -alias $alias | grep Valid"` + echo "$KEYSTORE is \"$VALIDITY_PERIOD\"" + CERT_UNTIL_DATE=`echo $VALIDITY_PERIOD | awk -F'until:|\r' '{print $2}'` + CERT_UNTIL_SECONDS=`date -d "$CERT_UNTIL_DATE" +%s` + VALIDITY_REMIANS_SECONDS=`expr $CERT_UNTIL_SECONDS - $VALIDITY` + if [[ $VALIDITY_REMIANS_SECONDS -le 0 ]]; + then + echo_stderr "$KEYSTORE is \"$VALIDITY_PERIOD\"" + echo_stderr "Error : Supplied certificate $KEYSTORE is either expired or expiring soon within $MIN_CERT_VALIDITY day" + exit 1 + fi + done + echo "$KEYSTORE validation is successful" +} + #Creates weblogic deployment model for admin domain function create_admin_model() { @@ -378,6 +429,9 @@ function validateSSLKeyStores() exit 1 fi + # Verify Identity keystore validity period more than MIN_CERT_VALIDITY + verifyCertValidity $customIdentityKeyStoreFileName $customIdentityKeyStorePassPhrase $CURRENT_DATE $MIN_CERT_VALIDITY $customIdentityKeyStoreType + #validate Trust keystore runuser -l oracle -c ". $oracleHome/oracle_common/common/bin/setWlstEnv.sh; keytool -list -v -keystore $customTrustKeyStoreFileName -storepass $customTrustKeyStorePassPhrase -storetype $customTrustKeyStoreType | grep 'Entry type:' | grep 'trustedCertEntry'" @@ -386,6 +440,9 @@ function validateSSLKeyStores() exit 1 fi + # Verify Identity keystore validity period more than MIN_CERT_VALIDITY + verifyCertValidity $customTrustKeyStoreFileName $customTrustKeyStorePassPhrase $CURRENT_DATE $MIN_CERT_VALIDITY $customTrustKeyStoreType + echo "ValidateSSLKeyStores Successfull !!" } 
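Review bot: In the new verifyCertValidity the keystore passphrase is interpolated into the double-quoted string handed to `runuser -l oracle -c`, so the oracle login shell parses it a second time: a Key Vault passphrase containing `$`, a backquote, `"` or `;` either breaks the `keytool -list` call or is executed, and the value is visible to any local user via `ps` for each of the three keytool runs. The existing validateSSLKeyStores (whose start lies outside the hunk) has the same shape, but this function triples the exposure. keytool accepts `-storepass:file <path>`, so write the passphrase once to an oracle-readable temp file and reference it, leaving no secret on any command line; the sketch below shows the shape (drop the `trap` if the script already installs an EXIT trap and remove the file before each `exit` instead). The second `# Verify Identity keystore …` comment sits above the trust-store call and should say Trust.
```shell
function verifyCertValidity()
{
    KEYSTORE=$1
    PASSWORD=$2
    # … unchanged: CURRENT_DATE / MIN_CERT_VALIDITY / VALIDITY setup and range check …

    # Keep the passphrase off every command line: keytool reads it from a file
    # that only the oracle user can open; the file is removed when the script exits.
    PASS_FILE=$(mktemp /tmp/ks-pass.XXXXXX) || { echo_stderr "Error : mktemp failed"; exit 1; }
    trap 'rm -f -- "$PASS_FILE"' EXIT
    printf '%s' "$PASSWORD" > "$PASS_FILE"
    chown oracle:oracle "$PASS_FILE"
    chmod 600 "$PASS_FILE"
    KEYTOOL_ARGS="-keystore $KEYSTORE -storepass:file $PASS_FILE -storetype $KEY_STORE_TYPE"

    runuser -l oracle -c ". $oracleHome/oracle_common/common/bin/setWlstEnv.sh; keytool -list -v $KEYTOOL_ARGS > /dev/null 2>&1"
    # … unchanged: open-check, alias loop and expiry comparison, each using $KEYTOOL_ARGS …
}
```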
@@ -571,6 +628,12 @@ SCRIPT_PWD=`pwd` CURR_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )" BASE_DIR="$(readlink -f ${CURR_DIR})" +# Used for certificate expiry validation +CURRENT_DATE=`date +%s` +# Supplied certificate to have minimum days validity for the deployment +MIN_CERT_VALIDITY="1" + + #read arguments from stdin read wlsDomainName wlsUserName wlsPassword wlsAdminHost oracleHome storageAccountName storageAccountKey mountpointPath isHTTPAdminListenPortEnabled adminPublicHostName dnsLabelPrefix location virtualNetworkNewOrExisting storageAccountPrivateIp isCustomSSLEnabled customIdentityKeyStoreData customIdentityKeyStorePassPhrase customIdentityKeyStoreType customTrustKeyStoreData customTrustKeyStorePassPhrase customTrustKeyStoreType serverPrivateKeyAlias serverPrivateKeyPassPhrase diff --git a/weblogic-azure-vm/arm-oraclelinux-wls-cluster/arm-oraclelinux-wls-cluster/src/main/arm/nestedtemplates/aadNestedTemplate.json b/weblogic-azure-vm/arm-oraclelinux-wls-cluster/arm-oraclelinux-wls-cluster/src/main/arm/nestedtemplates/aadNestedTemplate.json index 1d6062a23..02b6813ae 100644 --- a/weblogic-azure-vm/arm-oraclelinux-wls-cluster/arm-oraclelinux-wls-cluster/src/main/arm/nestedtemplates/aadNestedTemplate.json +++ b/weblogic-azure-vm/arm-oraclelinux-wls-cluster/arm-oraclelinux-wls-cluster/src/main/arm/nestedtemplates/aadNestedTemplate.json 
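Review bot: A hard-coded `MIN_CERT_VALIDITY="1"` means a keystore whose certificate expires the day after deployment is accepted, and the admin server then starts failing TLS handshakes with no further warning; one day is a thin margin for a check whose purpose is to catch this early. Consider making the threshold a template parameter with a more defensive default, or at least document the choice above the assignment, e.g. `# Minimum remaining certificate lifetime in days accepted at deploy time; 1 only rejects certificates already expired or expiring today`. The same literal is repeated in each script touched by this change, so a future adjustment has to be made in every copy.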
@@ -154,7 +154,7 @@ } }, "variables": { - "const_aadParameters": "[concat(parameters('wlsUserName'),' ',parameters('wlsPassword'),' ',parameters('wlsDomainName'),' ',parameters('wlsLDAPProviderName'), ' ', parameters('aadsServerHost'), ' ', parameters('aadsPortNumber'), ' ', concat('\"',parameters('wlsLDAPPrincipal'),'\"'), ' ', parameters('wlsLDAPPrincipalPassword'), ' ', concat('\"',parameters('wlsLDAPUserBaseDN'),'\"'), ' ', concat('\"',parameters('wlsLDAPGroupBaseDN'),'\"'), ' ', variables('const_wlsHome'),' ',parameters('adminVMName'),' ',variables('const_wlsAdminPort'),' ',parameters('wlsLDAPSSLCertificate'), ' ', parameters('aadsPublicIP'), ' ',variables('const_adminServerName'), ' ', variables('const_wlsDomainPath'),' ',parameters('enableCustomSSL'),' ',base64(parameters('keyVaultCustomTrustKeyStorePassPhrase')),' ',base64(parameters('keyVaultCustomTrustKeyStoreType')))]", + "const_aadParameters": "[concat(parameters('wlsUserName'),' ',parameters('wlsPassword'),' ',parameters('wlsDomainName'),' ',parameters('wlsLDAPProviderName'), ' ', parameters('aadsServerHost'), ' ', parameters('aadsPortNumber'), ' ', base64(parameters('wlsLDAPPrincipal')), ' ', parameters('wlsLDAPPrincipalPassword'), ' ', base64(parameters('wlsLDAPUserBaseDN')), ' ', base64(parameters('wlsLDAPGroupBaseDN')), ' ', variables('const_wlsHome'),' ',parameters('adminVMName'),' ',variables('const_wlsAdminPort'),' ',parameters('wlsLDAPSSLCertificate'), ' ', parameters('aadsPublicIP'), ' ',variables('const_adminServerName'), ' ', variables('const_wlsDomainPath'),' ',parameters('enableCustomSSL'),' ',base64(parameters('keyVaultCustomTrustKeyStorePassPhrase')),' ',base64(parameters('keyVaultCustomTrustKeyStoreType')))]", "const_adminServerName": "admin", "const_managedVMPrefix": "[concat(parameters('managedServerPrefix'),'VM')]", "const_wlsAdminPort": "7005", 
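Review bot: Only the principal and the two base DNs are base64-encoded here; `wlsPassword` and `wlsLDAPPrincipalPassword` still travel raw in the whitespace-delimited string that the cluster aadIntegration.sh splits with a bare `read`, so whitespace or a backslash in either password silently misaligns every later field, including the base64 fields this change introduces. Apply the same encoding, `base64(parameters('wlsLDAPPrincipalPassword'))` and `base64(parameters('wlsPassword'))`, and decode them in the script alongside the DN decodes.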
diff --git a/weblogic-azure-vm/arm-oraclelinux-wls-cluster/arm-oraclelinux-wls-cluster/src/main/scripts/aadIntegration.sh b/weblogic-azure-vm/arm-oraclelinux-wls-cluster/arm-oraclelinux-wls-cluster/src/main/scripts/aadIntegration.sh index 0795e454f..ce645079a 100644 --- a/weblogic-azure-vm/arm-oraclelinux-wls-cluster/arm-oraclelinux-wls-cluster/src/main/scripts/aadIntegration.sh +++ b/weblogic-azure-vm/arm-oraclelinux-wls-cluster/arm-oraclelinux-wls-cluster/src/main/scripts/aadIntegration.sh 
@@ -236,6 +236,48 @@ function mapLDAPHostWithPublicIP() sudo echo "${wlsLDAPPublicIP} ${adServerHost}" >> /etc/hosts } +# This function verifies whether certificate is valid and not expired +function verifyCertValidity() +{ + + CERT_FILE=$1 + CURRENT_DATE=$2 + MIN_CERT_VALIDITY=$3 + VALIDITY=$(($CURRENT_DATE + ($MIN_CERT_VALIDITY*24*60*60))) + + . $oracleHome/oracle_common/common/bin/setWlstEnv.sh + + echo "Verifying $CERT_FILE is valid at least $MIN_CERT_VALIDITY day from the deployment time" + if [ $VALIDITY -le $CURRENT_DATE ]; + then + echo_stderr "Error : Invalid minimum validity days supplied" + exit 1 + fi + + # Check whether CERT_FILE supplied can be opened for reading + # Redirecting as no need to display the contents + sudo ${JAVA_HOME}/bin/keytool -printcert -file $CERT_FILE > /dev/null 2>&1 + + if [ $? != 0 ]; + then + echo_stderr "Error opening the certificate : $CERT_FILE" + exit 1 + fi + + VALIDITY_PERIOD=`sudo ${JAVA_HOME}/bin/keytool -printcert -file $CERT_FILE | grep Valid` + echo "Certificate $CERT_FILE is \"$VALIDITY_PERIOD\"" + CERT_UNTIL_DATE=`echo $VALIDITY_PERIOD | awk -F'until:|\r' '{print $2}'` + CERT_UNTIL_SECONDS=`date -d "$CERT_UNTIL_DATE" +%s` + VALIDITY_REMIANS_SECONDS=`expr $CERT_UNTIL_SECONDS - $VALIDITY` + if [[ $VALIDITY_REMIANS_SECONDS -le 0 ]]; + then + echo_stderr "$CERT_FILE is \"$VALIDITY_PERIOD\"" + echo_stderr "Error : Supplied certificate $CERT_FILE is either expired or expiring soon within $MIN_CERT_VALIDITY day" + exit 1 + fi + echo "$CERT_FILE validation is successful" +} + function parseLDAPCertificate() { echo "create key store" 
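Review bot: `sudo ${JAVA_HOME}/bin/keytool -printcert` is run twice on the same file, once with output discarded to test readability and once to grep it, and `. $oracleHome/oracle_common/common/bin/setWlstEnv.sh` is sourced into the caller's environment on every call. Run it once and check both status and content: `VALIDITY_PERIOD=$(sudo "${JAVA_HOME}/bin/keytool" -printcert -file "$CERT_FILE" 2>/dev/null | grep Valid) || { echo_stderr "Error opening the certificate : $CERT_FILE"; exit 1; }`, where the status is grep's, so an unreadable file and a readable file with no `Valid` line are both rejected, which is the fail-closed outcome wanted here. The comparison also only looks at the `until:` bound; a certificate whose `from:` date is still in the future passes validation and then fails the LDAPS handshake, so a second `date -d` on the `from:` field compared against `$CURRENT_DATE` is worth adding.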
@@ -253,6 +295,9 @@ function parseLDAPCertificate() openssl base64 -d -in ${SCRIPT_PWD}/security/AzureADLDAPCerBase64String.txt -out ${SCRIPT_PWD}/security/AzureADTrust.cer addsCertificate=${SCRIPT_PWD}/security/AzureADTrust.cer + + # Verify certificate validity period more than MIN_CERT_VALIDITY + verifyCertValidity $addsCertificate $CURRENT_DATE $MIN_CERT_VALIDITY } function importAADCertificate() @@ -438,7 +483,12 @@ function createTempFolder() #main #read arguments from stdin -read wlsUserName wlsPassword wlsDomainName adProviderName adServerHost adServerPort adPrincipal adPassword adGroupBaseDN adUserBaseDN oracleHome wlsAdminHost wlsAdminPort wlsADSSLCer wlsLDAPPublicIP wlsAdminServerName wlsDomainPath isCustomSSLEnabled customTrustKeyStorePassPhrase customTrustKeyStoreType vmIndex +read wlsUserName wlsPassword wlsDomainName adProviderName adServerHost adServerPort adPrincipal adPassword adUserBaseDN adGroupBaseDN oracleHome wlsAdminHost wlsAdminPort wlsADSSLCer wlsLDAPPublicIP wlsAdminServerName wlsDomainPath isCustomSSLEnabled customTrustKeyStorePassPhrase customTrustKeyStoreType vmIndex + +# Passing these values as base64 as values has space embedded +adPrincipal=$(echo "$adPrincipal" | base64 --decode) +adUserBaseDN=$(echo "$adUserBaseDN" | base64 --decode) +adGroupBaseDN=$(echo "$adGroupBaseDN" | base64 --decode) isCustomSSLEnabled="${isCustomSSLEnabled,,}" @@ -459,6 +509,16 @@ USER_ORACLE="oracle" GROUP_ORACLE="oracle" DOMAIN_PATH="/u01/domains" +# Used for certificate expiry validation +CURRENT_DATE=`date +%s` +# Supplied certificate to have minimum days validity for the deployment +MIN_CERT_VALIDITY="1" + +validateInput + +# Executing parse and validate certificates to ensure there are no certificates issues +# If any certificates issues then it will be cuaght earlier +parseLDAPCertificate if [ $vmIndex -eq 0 ]; then 
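Review bot: The new `read` line still has no `-r`, so a backslash in any of the whitespace-separated values (most plausibly `wlsPassword` or `adPassword`) is consumed as an escape before the value is used, and the three `base64 --decode` calls that follow never check their exit status, so a value that is not valid base64 (for instance a caller still on the old template that quoted the DN instead of encoding it) yields an empty or truncated DN and the script carries on to configure the provider with it. Use `read -r …` and fail on a bad decode: `adPrincipal=$(echo "$adPrincipal" | base64 --decode) || { echo_stderr "Error : adPrincipal is not valid base64"; exit 1; }`, and likewise for `adUserBaseDN` and `adGroupBaseDN`. The template and this script must be deployed together, since the encoding is now part of their contract.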
@@ -471,7 +531,6 @@ then createAADProvider_model createSSL_model mapLDAPHostWithPublicIP - parseLDAPCertificate importAADCertificate importAADCertificateIntoWLSCustomTrustKeyStore configureSSL @@ -487,7 +546,6 @@ then else cleanup mapLDAPHostWithPublicIP - parseLDAPCertificate importAADCertificate importAADCertificateIntoWLSCustomTrustKeyStore cleanup diff --git a/weblogic-azure-vm/arm-oraclelinux-wls-cluster/arm-oraclelinux-wls-cluster/src/main/scripts/setupClusterDomain.sh b/weblogic-azure-vm/arm-oraclelinux-wls-cluster/arm-oraclelinux-wls-cluster/src/main/scripts/setupClusterDomain.sh index 06f2ba922..a441b39a3 100644 --- a/weblogic-azure-vm/arm-oraclelinux-wls-cluster/arm-oraclelinux-wls-cluster/src/main/scripts/setupClusterDomain.sh +++ b/weblogic-azure-vm/arm-oraclelinux-wls-cluster/arm-oraclelinux-wls-cluster/src/main/scripts/setupClusterDomain.sh 
@@ -129,6 +129,57 @@ function cleanup() echo "Cleanup completed." } +# This function verifies whether certificate is valid and not expired +function verifyCertValidity() +{ + KEYSTORE=$1 + PASSWORD=$2 + CURRENT_DATE=$3 + MIN_CERT_VALIDITY=$4 + KEY_STORE_TYPE=$5 + VALIDITY=$(($CURRENT_DATE + ($MIN_CERT_VALIDITY*24*60*60))) + + echo "Verifying $KEYSTORE is valid at least $MIN_CERT_VALIDITY day from the deployment time" + + if [ $VALIDITY -le $CURRENT_DATE ]; + then + echo "Error : Invalid minimum validity days supplied" + exit 1 + fi + + # Check whether KEYSTORE supplied can be opened for reading + # Redirecting as no need to display the contents + runuser -l oracle -c ". $oracleHome/oracle_common/common/bin/setWlstEnv.sh; keytool -list -v -keystore $KEYSTORE -storepass $PASSWORD -storetype $KEY_STORE_TYPE > /dev/null 2>&1" + if [ $? != 0 ]; + then + echo "Error opening the keystore : $KEYSTORE" + exit 1 + fi + + aliasList=`runuser -l oracle -c ". $oracleHome/oracle_common/common/bin/setWlstEnv.sh; keytool -list -v -keystore $KEYSTORE -storepass $PASSWORD -storetype $KEY_STORE_TYPE | grep Alias" |awk '{print $3}'` + if [[ -z $aliasList ]]; + then + echo "Error : No alias found in supplied certificate" + exit 1 + fi + + for alias in $aliasList + do + VALIDITY_PERIOD=`runuser -l oracle -c ". 
$oracleHome/oracle_common/common/bin/setWlstEnv.sh; keytool -list -v -keystore $KEYSTORE -storepass $PASSWORD -storetype $KEY_STORE_TYPE -alias $alias | grep Valid"` + echo "$KEYSTORE is \"$VALIDITY_PERIOD\"" + CERT_UNTIL_DATE=`echo $VALIDITY_PERIOD | awk -F'until:|\r' '{print $2}'` + CERT_UNTIL_SECONDS=`date -d "$CERT_UNTIL_DATE" +%s` + VALIDITY_REMIANS_SECONDS=`expr $CERT_UNTIL_SECONDS - $VALIDITY` + if [[ $VALIDITY_REMIANS_SECONDS -le 0 ]]; + then + echo_stderr "$KEYSTORE is \"$VALIDITY_PERIOD\"" + echo_stderr "Error : Supplied certificate $KEYSTORE is either expired or expiring soon within $MIN_CERT_VALIDITY day" + exit 1 + fi + done + echo "$KEYSTORE validation is successful" +} + #Creates weblogic deployment model for cluster domain admin setup function create_admin_model() { @@ -350,7 +401,6 @@ function create_adminSetup() exit 1 fi - storeCustomSSLCerts create_admin_model sudo chown -R $username:$groupname $DOMAIN_PATH runuser -l oracle -c ". $oracleHome/oracle_common/common/bin/setWlstEnv.sh; $DOMAIN_PATH/weblogic-deploy/bin/createDomain.sh -oracle_home $oracleHome -domain_parent $DOMAIN_PATH -domain_type WLS -model_file $DOMAIN_PATH/admin-domain.yaml" @@ -521,8 +571,6 @@ function create_managedSetup(){ exit 1 fi - storeCustomSSLCerts - echo "Creating managed server model files" create_managed_model create_machine_model @@ -659,6 +707,9 @@ function validateSSLKeyStores() exit 1 fi + # Verify Identity keystore validity period more than MIN_CERT_VALIDITY + verifyCertValidity $customIdentityKeyStoreFileName $customIdentityKeyStorePassPhrase $CURRENT_DATE $MIN_CERT_VALIDITY $customIdentityKeyStoreType + #validate Trust keystore runuser -l oracle -c ". $oracleHome/oracle_common/common/bin/setWlstEnv.sh; keytool -list -v -keystore $customTrustKeyStoreFileName -storepass $customTrustKeyStorePassPhrase -storetype $customTrustKeyStoreType | grep 'Entry type:' | grep 'trustedCertEntry'" 
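Review bot: `awk '{print $3}'` on the `Alias name:` lines keeps only the first word of each alias, so an entry whose alias contains a space produces a `-alias` lookup that matches nothing, `VALIDITY_PERIOD` ends up empty, `date -d ""` resolves to the start of today, and the keystore is rejected as "expired" with a message pointing at the wrong cause. Strip the label instead of splitting on whitespace, `… | sed -n 's/^Alias name: //p'`, and iterate with `while IFS= read -r alias; do … done <<< "$aliasList"` rather than an unquoted `for`. For a PrivateKeyEntry that carries a chain, `keytool -list -v -alias` presumably prints one `Valid from` line per certificate, which the single `awk -F'until:|\r' '{print $2}'` does not handle; checking the status of `date -d` would at least turn that into an explicit parse error. The early `echo` errors in this copy should be `echo_stderr`, as in the setupAdminDomain.sh copy.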
@@ -667,6 +718,9 @@ function validateSSLKeyStores() exit 1 fi + # Verify Identity keystore validity period more than MIN_CERT_VALIDITY + verifyCertValidity $customTrustKeyStoreFileName $customTrustKeyStorePassPhrase $CURRENT_DATE $MIN_CERT_VALIDITY $customTrustKeyStoreType + echo "ValidateSSLKeyStores Successfull !!" } @@ -874,6 +928,12 @@ function restartAdminServer() CURR_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )" BASE_DIR="$(readlink -f ${CURR_DIR})" +# Used for certificate expiry validation +CURRENT_DATE=`date +%s` +# Supplied certificate to have minimum days validity for the deployment +# In this case set for 1 day +MIN_CERT_VALIDITY="1" + #read arguments from stdin read wlsDomainName wlsUserName wlsPassword wlsServerName wlsAdminHost oracleHome storageAccountName storageAccountKey mountpointPath isHTTPAdminListenPortEnabled isCustomSSLEnabled customDNSNameForAdminServer dnsLabelPrefix location virtualNetworkNewOrExisting storageAccountPrivateIp customIdentityKeyStoreData customIdentityKeyStorePassPhrase customIdentityKeyStoreType customTrustKeyStoreData customTrustKeyStorePassPhrase customTrustKeyStoreType serverPrivateKeyAlias serverPrivateKeyPassPhrase @@ -924,6 +984,9 @@ groupname="oracle" cleanup +# Executing this function first just to make sure certificate errors are first caught +storeCustomSSLCerts + installUtilities mountFileShare diff --git a/weblogic-azure-vm/arm-oraclelinux-wls-cluster/arm-oraclelinux-wls-cluster/src/main/scripts/setupCoherence.sh b/weblogic-azure-vm/arm-oraclelinux-wls-cluster/arm-oraclelinux-wls-cluster/src/main/scripts/setupCoherence.sh index 8b68ec910..fb0c68756 100644 --- a/weblogic-azure-vm/arm-oraclelinux-wls-cluster/arm-oraclelinux-wls-cluster/src/main/scripts/setupCoherence.sh +++ b/weblogic-azure-vm/arm-oraclelinux-wls-cluster/arm-oraclelinux-wls-cluster/src/main/scripts/setupCoherence.sh 
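Review bot: `storeCustomSSLCerts` is now called unconditionally at top level, before `installUtilities` and `mountFileShare`, whereas it previously ran inside create_adminSetup and create_managedSetup after a check whose condition lies outside the hunk; if that check was the `isCustomSSLEnabled` gate, every deployment with custom SSL disabled now executes keystore handling it never did before, and if the function writes under `$mountpointPath` or needs something installUtilities installs, it now runs too early. The function body is not in this diff, so this is an inference to confirm before merging. Gate it at the call site to preserve the old behaviour, `if [ "$isCustomSSLEnabled" == "true" ]; then storeCustomSSLCerts; fi`, and keep it after `mountFileShare` unless storeCustomSSLCerts is known to be self-contained.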
@@ -127,6 +127,56 @@ function validateInput() { fi } +# This function verifies whether certificate is valid and not expired +function verifyCertValidity() +{ + KEYSTORE=$1 + PASSWORD=$2 + CURRENT_DATE=$3 + MIN_CERT_VALIDITY=$4 + KEY_STORE_TYPE=$5 + VALIDITY=$(($CURRENT_DATE + ($MIN_CERT_VALIDITY*24*60*60))) + + echo "Verifying $KEYSTORE is valid at least $MIN_CERT_VALIDITY day from the deployment time" + + if [ $VALIDITY -le $CURRENT_DATE ]; + then + echo "Error : Invalid minimum validity days supplied" + exit 1 + fi + + # Check whether KEYSTORE supplied can be opened for reading + # Redirecting as no need to display the contents + runuser -l oracle -c ". $oracleHome/oracle_common/common/bin/setWlstEnv.sh; keytool -list -v -keystore $KEYSTORE -storepass $PASSWORD -storetype $KEY_STORE_TYPE > /dev/null 2>&1" + if [ $? != 0 ]; + then + echo "Error opening the keystore : $KEYSTORE" + exit 1 + fi + + aliasList=`runuser -l oracle -c ". $oracleHome/oracle_common/common/bin/setWlstEnv.sh; keytool -list -v -keystore $KEYSTORE -storepass $PASSWORD -storetype $KEY_STORE_TYPE | grep Alias" |awk '{print $3}'` + if [[ -z $aliasList ]]; + then + echo "Error : No alias found in supplied certificate" + exit 1 + fi + + for alias in $aliasList + do + VALIDITY_PERIOD=`runuser -l oracle -c ". 
$oracleHome/oracle_common/common/bin/setWlstEnv.sh; keytool -list -v -keystore $KEYSTORE -storepass $PASSWORD -storetype $KEY_STORE_TYPE -alias $alias | grep Valid"` + echo "$KEYSTORE is \"$VALIDITY_PERIOD\"" + CERT_UNTIL_DATE=`echo $VALIDITY_PERIOD | awk -F'until:|\r' '{print $2}'` + CERT_UNTIL_SECONDS=`date -d "$CERT_UNTIL_DATE" +%s` + VALIDITY_REMIANS_SECONDS=`expr $CERT_UNTIL_SECONDS - $VALIDITY` + if [[ $VALIDITY_REMIANS_SECONDS -le 0 ]]; + then + echo "Error : Supplied certificate is either expired or expiring soon within $MIN_CERT_VALIDITY day" + exit 1 + fi + done + echo "$KEYSTORE validation is successful" +} + #run on admin server #create coherence cluster #associate cluster1 with the coherence cluster @@ -608,6 +658,9 @@ function validateSSLKeyStores() exit 1 fi + # Verify Identity keystore validity period more than MIN_CERT_VALIDITY + verifyCertValidity $customIdentityKeyStoreFileName $customIdentityKeyStorePassPhrase $CURRENT_DATE $MIN_CERT_VALIDITY $customIdentityKeyStoreType + #validate Trust keystore runuser -l oracle -c ". $oracleHome/oracle_common/common/bin/setWlstEnv.sh; keytool -list -v -keystore $customTrustKeyStoreFileName -storepass $customTrustKeyStorePassPhrase -storetype $customTrustKeyStoreType | grep 'Entry type:' | grep 'trustedCertEntry'" @@ -615,7 +668,10 @@ function validateSSLKeyStores() echo "Error : Trust Keystore Validation Failed !!" exit 1 fi - + + # Verify Identity keystore validity period more than MIN_CERT_VALIDITY + verifyCertValidity $customTrustKeyStoreFileName $customTrustKeyStorePassPhrase $CURRENT_DATE $MIN_CERT_VALIDITY $customTrustKeyStoreType + echo "ValidateSSLKeyStores Successfull !!" } 
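Review bot: The expiry branch in this copy of verifyCertValidity drops the keystore name and validity period that the setupAdminDomain.sh and setupClusterDomain.sh copies print, and the "Invalid minimum validity", "Error opening the keystore" and "No alias" messages go to stdout via `echo` while the expiry error uses `echo_stderr`, so a failing Coherence node is harder to diagnose from the extension log than its siblings. Align it with the other copies: `echo_stderr "$KEYSTORE is \"$VALIDITY_PERIOD\""` before the expiry error, and `echo_stderr` for the three earlier errors. This is the fourth near-identical verifyCertValidity introduced by one change; the keystore variants at least could live in a sourced helper so that fixes land once. The second `# Verify Identity keystore …` comment is above the trust-store call and should say Trust.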
@@ -718,6 +774,11 @@ SCRIPT_PWD=$(pwd) CURR_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )" BASE_DIR="$(readlink -f ${CURR_DIR})" +# Used for certificate expiry validation +CURRENT_DATE=`date +%s` +# Supplied certificate to have minimum days validity for the deployment +MIN_CERT_VALIDITY="1" + read wlsDomainName wlsUserName wlsPassword adminVMName oracleHome wlsDomainPath storageAccountName storageAccountKey mountpointPath enableWebLocalStorage enableELK elasticURI elasticUserName elasticPassword logsToIntegrate logIndex managedServerPrefix serverIndex customDNSNameForAdminServer dnsLabelPrefix location addnodeFlag isCustomSSLEnabled customIdentityKeyStoreData customIdentityKeyStorePassPhrase customIdentityKeyStoreType customTrustKeyStoreData customTrustKeyStorePassPhrase customTrustKeyStoreType serverPrivateKeyAlias serverPrivateKeyPassPhrase echo "$wlsDomainName $wlsUserName $wlsPassword $adminVMName $oracleHome $wlsDomainPath $storageAccountName $storageAccountKey $mountpointPath $enableWebLocalStorage $enableELK $elasticURI $elasticUserName $elasticPassword $logsToIntegrate $logIndex $managedServerPrefix $serverIndex $customDNSNameForAdminServer $dnsLabelPrefix $location $addnodeFlag $isCustomSSLEnabled $customIdentityKeyStoreData $customIdentityKeyStorePassPhrase $customIdentityKeyStoreType $customTrustKeyStoreData $customTrustKeyStorePassPhrase $customTrustKeyStoreType $serverPrivateKeyAlias $serverPrivateKeyPassPhrase" @@ -765,6 +826,9 @@ fi validateInput cleanup +# Executing this function first just to make sure certificate errors are first caught +storeCustomSSLCerts + if [ "$wlsServerName" == "${wlsAdminServerName}" ]; then createCoherenceCluster restartManagedServers @@ -772,7 +836,6 @@ else installUtilities mountFileShare openManagedServerPorts - storeCustomSSLCerts createManagedSetup generateCustomHostNameVerifier copyCustomHostNameVerifierJarsToWebLogicClasspath 
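Review bot: Hoisting `storeCustomSSLCerts` above the `if [ "$wlsServerName" == "${wlsAdminServerName}" ]` branch is a behaviour change beyond early validation: the old code only ran it in the `else` (managed-server) arm after `openManagedServerPorts`, so it now executes on the admin server too, and on managed nodes it runs before `installUtilities` and `mountFileShare`. Its body is outside this diff, so whether it is safe to run on the admin server or before the share is mounted cannot be confirmed from the hunk, nor whether it gates itself on `isCustomSSLEnabled`. If only the validation was meant to move, keep the call in the `else` arm and hoist just the check; otherwise at least guard the hoisted call, `if [ "$isCustomSSLEnabled" == "true" ]; then storeCustomSSLCerts; fi`.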
diff --git a/weblogic-azure-vm/arm-oraclelinux-wls-dynamic-cluster/arm-oraclelinux-wls-dynamic-cluster/src/main/arm/nestedtemplates/aadNestedTemplate.json b/weblogic-azure-vm/arm-oraclelinux-wls-dynamic-cluster/arm-oraclelinux-wls-dynamic-cluster/src/main/arm/nestedtemplates/aadNestedTemplate.json index 4db95bcfc..a3973e9d1 100644 --- a/weblogic-azure-vm/arm-oraclelinux-wls-dynamic-cluster/arm-oraclelinux-wls-dynamic-cluster/src/main/arm/nestedtemplates/aadNestedTemplate.json +++ b/weblogic-azure-vm/arm-oraclelinux-wls-dynamic-cluster/arm-oraclelinux-wls-dynamic-cluster/src/main/arm/nestedtemplates/aadNestedTemplate.json 
@@ -154,7 +154,7 @@ } }, "variables": { - "const_aadParameters": "[concat(parameters('wlsUserName'),' ',parameters('wlsPassword'),' ',parameters('wlsDomainName'),' ',parameters('wlsLDAPProviderName'), ' ', parameters('aadsServerHost'), ' ', parameters('aadsPortNumber'), ' ', concat('\"',parameters('wlsLDAPPrincipal'),'\"'), ' ', parameters('wlsLDAPPrincipalPassword'), ' ', concat('\"',parameters('wlsLDAPUserBaseDN'),'\"'), ' ', concat('\"',parameters('wlsLDAPGroupBaseDN'),'\"'), ' ', variables('const_wlsHome'),' ',parameters('adminVMName'),' ',variables('const_wlsAdminPort'),' ',parameters('wlsLDAPSSLCertificate'), ' ', parameters('aadsPublicIP'), ' ', variables('const_adminServerName'),' ', variables('const_wlsDomainPath'),' ',parameters('enableCustomSSL'),' ',base64(parameters('keyVaultCustomTrustKeyStorePassPhrase')),' ',base64(parameters('keyVaultCustomTrustKeyStoreType')))]", + "const_aadParameters": "[concat(parameters('wlsUserName'),' ',parameters('wlsPassword'),' ',parameters('wlsDomainName'),' ',parameters('wlsLDAPProviderName'), ' ', parameters('aadsServerHost'), ' ', parameters('aadsPortNumber'), ' ', base64(parameters('wlsLDAPPrincipal')), ' ', parameters('wlsLDAPPrincipalPassword'), ' ', base64(parameters('wlsLDAPUserBaseDN')), ' ', base64(parameters('wlsLDAPGroupBaseDN')), ' ', variables('const_wlsHome'),' ',parameters('adminVMName'),' ',variables('const_wlsAdminPort'),' ',parameters('wlsLDAPSSLCertificate'), ' ', parameters('aadsPublicIP'), ' ', variables('const_adminServerName'),' ', variables('const_wlsDomainPath'),' ',parameters('enableCustomSSL'),' ',base64(parameters('keyVaultCustomTrustKeyStorePassPhrase')),' ',base64(parameters('keyVaultCustomTrustKeyStoreType')))]", "const_adminServerName": "admin", "const_managedVMPrefix": "[concat(parameters('managedServerPrefix'),'VM')]", "const_wlsAdminPort": "7005", 
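Review bot: The two passwords in this string, `wlsPassword` and `wlsLDAPPrincipalPassword`, are still passed unencoded while the fields around them are now base64, so a space or backslash in either one shifts or corrupts every later field when the dynamic-cluster aadIntegration.sh splits the line with `read`. Encoding them too, `base64(parameters('wlsLDAPPrincipalPassword'))` and `base64(parameters('wlsPassword'))`, with the matching decodes in the script, removes the last fields in this contract that depend on their content.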
diff --git a/weblogic-azure-vm/arm-oraclelinux-wls-dynamic-cluster/arm-oraclelinux-wls-dynamic-cluster/src/main/scripts/aadIntegration.sh b/weblogic-azure-vm/arm-oraclelinux-wls-dynamic-cluster/arm-oraclelinux-wls-dynamic-cluster/src/main/scripts/aadIntegration.sh index 84c36709e..2831cca5a 100644 --- a/weblogic-azure-vm/arm-oraclelinux-wls-dynamic-cluster/arm-oraclelinux-wls-dynamic-cluster/src/main/scripts/aadIntegration.sh +++ b/weblogic-azure-vm/arm-oraclelinux-wls-dynamic-cluster/arm-oraclelinux-wls-dynamic-cluster/src/main/scripts/aadIntegration.sh 
@@ -240,6 +240,48 @@ function mapLDAPHostWithPublicIP() sudo echo "${wlsLDAPPublicIP} ${adServerHost}" >> /etc/hosts } +# This function verifies whether certificate is valid and not expired +function verifyCertValidity() +{ + + CERT_FILE=$1 + CURRENT_DATE=$2 + MIN_CERT_VALIDITY=$3 + VALIDITY=$(($CURRENT_DATE + ($MIN_CERT_VALIDITY*24*60*60))) + + . $oracleHome/oracle_common/common/bin/setWlstEnv.sh + + echo "Verifying $CERT_FILE is valid at least $MIN_CERT_VALIDITY day from the deployment time" + if [ $VALIDITY -le $CURRENT_DATE ]; + then + echo_stderr "Error : Invalid minimum validity days supplied" + exit 1 + fi + + # Check whether CERT_FILE supplied can be opened for reading + # Redirecting as no need to display the contents + sudo ${JAVA_HOME}/bin/keytool -printcert -file $CERT_FILE > /dev/null 2>&1 + + if [ $? != 0 ]; + then + echo_stderr "Error opening the certificate : $CERT_FILE" + exit 1 + fi + + VALIDITY_PERIOD=`sudo ${JAVA_HOME}/bin/keytool -printcert -file $CERT_FILE | grep Valid` + echo "Certificate $CERT_FILE is \"$VALIDITY_PERIOD\"" + CERT_UNTIL_DATE=`echo $VALIDITY_PERIOD | awk -F'until:|\r' '{print $2}'` + CERT_UNTIL_SECONDS=`date -d "$CERT_UNTIL_DATE" +%s` + VALIDITY_REMIANS_SECONDS=`expr $CERT_UNTIL_SECONDS - $VALIDITY` + if [[ $VALIDITY_REMIANS_SECONDS -le 0 ]]; + then + echo_stderr "$CERT_FILE is \"$VALIDITY_PERIOD\"" + echo_stderr "Error : Supplied certificate $CERT_FILE is either expired or expiring soon within $MIN_CERT_VALIDITY day" + exit 1 + fi + echo "$CERT_FILE validation is successful" +} + function parseLDAPCertificate() { echo "create key store" 
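Review bot: This verifyCertValidity compares only the `until:` bound, so a certificate whose `from:` date is in the future (clock skew at the issuer, or a pre-issued renewal uploaded early) passes deployment-time validation and then fails the LDAPS handshake at runtime. Extract the start the same way, `awk -F'from:|until:' '{print $2}'`, convert it with `date -d "$CERT_FROM_DATE" +%s`, and reject when it is greater than `$CURRENT_DATE`; that is a three-line addition next to the existing expiry comparison. Quote `"$CERT_FILE"` in the two keytool invocations, since the path is built from `${SCRIPT_PWD}`, the caller's working directory.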
@@ -257,6 +299,9 @@ function parseLDAPCertificate() openssl base64 -d -in ${SCRIPT_PWD}/security/AzureADLDAPCerBase64String.txt -out ${SCRIPT_PWD}/security/AzureADTrust.cer addsCertificate=${SCRIPT_PWD}/security/AzureADTrust.cer + + # Verify certificate validity period more than MIN_CERT_VALIDITY + verifyCertValidity $addsCertificate $CURRENT_DATE $MIN_CERT_VALIDITY } function importAADCertificate() @@ -445,7 +490,18 @@ USER_ORACLE="oracle" GROUP_ORACLE="oracle" DOMAIN_PATH="/u01/domains" -read wlsUserName wlsPassword wlsDomainName adProviderName adServerHost adServerPort adPrincipal adPassword adGroupBaseDN adUserBaseDN oracleHome wlsAdminHost wlsAdminPort wlsADSSLCer wlsLDAPPublicIP wlsAdminServerName wlsDomainPath isCustomSSLEnabled customTrustKeyStorePassPhrase customTrustKeyStoreType vmIndex +# Used for certificate expiry validation +CURRENT_DATE=`date +%s` +# Supplied certificate to have minimum days validity for the deployment +MIN_CERT_VALIDITY="1" + + +read wlsUserName wlsPassword wlsDomainName adProviderName adServerHost adServerPort adPrincipal adPassword adUserBaseDN adGroupBaseDN oracleHome wlsAdminHost wlsAdminPort wlsADSSLCer wlsLDAPPublicIP wlsAdminServerName wlsDomainPath isCustomSSLEnabled customTrustKeyStorePassPhrase customTrustKeyStoreType vmIndex + +# Passing these values as base64 as values has space embedded +adPrincipal=$(echo "$adPrincipal" | base64 --decode) +adUserBaseDN=$(echo "$adUserBaseDN" | base64 --decode) +adGroupBaseDN=$(echo "$adGroupBaseDN" | base64 --decode) isCustomSSLEnabled="${isCustomSSLEnabled,,}" @@ -455,6 +511,12 @@ then customTrustKeyStoreType=$(echo "$customTrustKeyStoreType" | base64 --decode) fi +validateInput + +# Executing parse and validate certificates to ensure there are no certificates issues +# If any certificates issues then it will be cuaght earlier +parseLDAPCertificate + wlsAdminURL=$wlsAdminHost:$wlsAdminPort if [ $vmIndex -eq 0 ]; 
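Review bot: The three `base64 --decode` assignments added after the `read` line ignore the decoder's exit status, so a value that is not valid base64 (for example a caller that still passes the quoted plain DN the old template sent) is silently replaced by whatever partial output base64 produced, and the LDAP provider is then configured with a corrupted principal or base DN. Each decode should abort the deployment instead, e.g. `adPrincipal=$(echo "$adPrincipal" | base64 --decode) || { echo_stderr "adPrincipal is not valid base64"; exit 1; }`, and likewise for adUserBaseDN and adGroupBaseDN. The exit status of an `x=$(pipeline)` assignment is that of the last command in the pipeline, so this form works without `pipefail`.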
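Review bot: parseLDAPCertificate is now invoked at top level right after validateInput, before the `vmIndex` branch in which it previously ran after createTempFolder, yet it still writes into `${SCRIPT_PWD}/security/` (the `openssl base64 -d ... -out ${SCRIPT_PWD}/security/AzureADTrust.cer` line in the first hunk). If createTempFolder is what creates that directory — its body is outside this diff — the moved call fails on a fresh VM before the directory exists; either make parseLDAPCertificate self-sufficient with `mkdir -p ${SCRIPT_PWD}/security` before the openssl call, or keep the early call but run createTempFolder ahead of it. Whichever step owns that directory should be named in a comment at the new call site so the ordering constraint is not lost again.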
@@ -468,7 +530,6 @@ then createAADProvider_model createSSL_model mapLDAPHostWithPublicIP - parseLDAPCertificate importAADCertificate importAADCertificateIntoWLSCustomTrustKeyStore configureSSL @@ -483,7 +544,6 @@ then else createTempFolder mapLDAPHostWithPublicIP - parseLDAPCertificate importAADCertificate importAADCertificateIntoWLSCustomTrustKeyStore cleanup diff --git a/weblogic-azure-vm/arm-oraclelinux-wls-dynamic-cluster/arm-oraclelinux-wls-dynamic-cluster/src/main/scripts/setupCoherence.sh b/weblogic-azure-vm/arm-oraclelinux-wls-dynamic-cluster/arm-oraclelinux-wls-dynamic-cluster/src/main/scripts/setupCoherence.sh index 2b0c1297e..56d7b7269 100644 --- a/weblogic-azure-vm/arm-oraclelinux-wls-dynamic-cluster/arm-oraclelinux-wls-dynamic-cluster/src/main/scripts/setupCoherence.sh +++ b/weblogic-azure-vm/arm-oraclelinux-wls-dynamic-cluster/arm-oraclelinux-wls-dynamic-cluster/src/main/scripts/setupCoherence.sh 
@@ -123,6 +123,57 @@ function validateInput() { fi } + +# This function verifies whether certificate is valid and not expired +function verifyCertValidity() +{ + KEYSTORE=$1 + PASSWORD=$2 + CURRENT_DATE=$3 + MIN_CERT_VALIDITY=$4 + KEY_STORE_TYPE=$5 + VALIDITY=$(($CURRENT_DATE + ($MIN_CERT_VALIDITY*24*60*60))) + + echo "Verifying $KEYSTORE is valid at least $MIN_CERT_VALIDITY day from the deployment time" + + if [ $VALIDITY -le $CURRENT_DATE ]; + then + echo "Error : Invalid minimum validity days supplied" + exit 1 + fi + + # Check whether KEYSTORE supplied can be opened for reading + # Redirecting as no need to display the contents + runuser -l oracle -c ". $oracleHome/oracle_common/common/bin/setWlstEnv.sh; keytool -list -v -keystore $KEYSTORE -storepass $PASSWORD -storetype $KEY_STORE_TYPE > /dev/null 2>&1" + if [ $? != 0 ]; + then + echo "Error opening the keystore : $KEYSTORE" + exit 1 + fi + + aliasList=`runuser -l oracle -c ". $oracleHome/oracle_common/common/bin/setWlstEnv.sh; keytool -list -v -keystore $KEYSTORE -storepass $PASSWORD -storetype $KEY_STORE_TYPE | grep Alias" |awk '{print $3}'` + if [[ -z $aliasList ]]; + then + echo "Error : No alias found in supplied certificate" + exit 1 + fi + + for alias in $aliasList + do + VALIDITY_PERIOD=`runuser -l oracle -c ". 
$oracleHome/oracle_common/common/bin/setWlstEnv.sh; keytool -list -v -keystore $KEYSTORE -storepass $PASSWORD -storetype $KEY_STORE_TYPE -alias $alias | grep Valid"` + echo "$KEYSTORE is \"$VALIDITY_PERIOD\"" + CERT_UNTIL_DATE=`echo $VALIDITY_PERIOD | awk -F'until:|\r' '{print $2}'` + CERT_UNTIL_SECONDS=`date -d "$CERT_UNTIL_DATE" +%s` + VALIDITY_REMIANS_SECONDS=`expr $CERT_UNTIL_SECONDS - $VALIDITY` + if [[ $VALIDITY_REMIANS_SECONDS -le 0 ]]; + then + echo "Error : Supplied certificate is either expired or expiring soon within $MIN_CERT_VALIDITY day" + exit 1 + fi + done + echo "$KEYSTORE validation is successful" +} + #run on admin server #create coherence cluster #associate cluster1 with the coherence cluster @@ -568,6 +619,9 @@ function validateSSLKeyStores() echo "Error : Identity Keystore Validation Failed !!" exit 1 fi + + # Verify Identity keystore validity period more than MIN_CERT_VALIDITY + verifyCertValidity $customIdentityKeyStoreFileName $customIdentityKeyStorePassPhrase $CURRENT_DATE $MIN_CERT_VALIDITY $customIdentityKeyStoreType #validate Trust keystore runuser -l oracle -c ". $oracleHome/oracle_common/common/bin/setWlstEnv.sh; keytool -list -v -keystore $customTrustKeyStoreFileName -storepass $customTrustKeyStorePassPhrase -storetype $customTrustKeyStoreType | grep 'Entry type:' | grep 'trustedCertEntry'" @@ -577,6 +631,9 @@ function validateSSLKeyStores() exit 1 fi + # Verify Identity keystore validity period more than MIN_CERT_VALIDITY + verifyCertValidity $customTrustKeyStoreFileName $customTrustKeyStorePassPhrase $CURRENT_DATE $MIN_CERT_VALIDITY $customTrustKeyStoreType + echo "ValidateSSLKeyStores Successfull !!" } 
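Review bot: The per-alias `grep Valid` in the new verifyCertValidity returns one `Valid from ... until ...` line per certificate in the entry's chain, and the unquoted `echo $VALIDITY_PERIOD` joins them into a single line, so for a PrivateKeyEntry that carries its issuer chain `awk -F'until:|\r' '{print $2}'` yields the first until-date followed by the next certificate's "Valid from:" text, which `date -d` cannot parse. CERT_UNTIL_SECONDS is then empty, `expr` fails, and the empty value appears to satisfy `-le 0`, so a perfectly valid identity keystore with a chain is likely rejected as "expired or expiring soon". Iterate over the `Valid` lines individually and fail explicitly when a date does not parse, as below. Separately, this copy reports every error with `echo` while the copy in setupDynamicClusterDomain.sh uses `echo_stderr` for the expiry failure; the scripts should agree, and `VALIDITY_REMIANS_SECONDS` is misspelled in all copies.
```shell
# … unchanged: argument assignment, VALIDITY sanity check, keystore open check, aliasList …
for alias in $aliasList
do
    # keytool prints one "Valid from ... until ..." line per certificate in the
    # entry's chain; check each line on its own instead of joining them
    while IFS= read -r VALIDITY_PERIOD
    do
        echo "$KEYSTORE ($alias) is \"$VALIDITY_PERIOD\""
        CERT_UNTIL_DATE=$(echo "$VALIDITY_PERIOD" | awk -F'until:|\r' '{print $2}')
        if ! CERT_UNTIL_SECONDS=$(date -d "$CERT_UNTIL_DATE" +%s)
        then
            echo "Error : Unable to parse expiry date \"$CERT_UNTIL_DATE\" for alias $alias in $KEYSTORE"
            exit 1
        fi
        if [[ $((CERT_UNTIL_SECONDS - VALIDITY)) -le 0 ]]
        then
            echo "Error : Supplied certificate (alias $alias) is either expired or expiring soon within $MIN_CERT_VALIDITY day"
            exit 1
        fi
    done < <(runuser -l oracle -c ". $oracleHome/oracle_common/common/bin/setWlstEnv.sh; keytool -list -v -keystore $KEYSTORE -storepass $PASSWORD -storetype $KEY_STORE_TYPE -alias $alias | grep Valid")
done
echo "$KEYSTORE validation is successful"
```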
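Review bot: The comment above the second new verifyCertValidity call in validateSSLKeyStores reads `# Verify Identity keystore validity period more than MIN_CERT_VALIDITY`, but that call checks `$customTrustKeyStoreFileName` with `$customTrustKeyStorePassPhrase`; it should read `# Verify Trust keystore validity period more than MIN_CERT_VALIDITY`. validateSSLKeyStores begins outside this hunk.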
@@ -675,6 +732,12 @@ SCRIPT_PWD=$(pwd) CURR_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )" BASE_DIR="$(readlink -f ${CURR_DIR})" +# Used for certificate expiry validation +CURRENT_DATE=`date +%s` +# Supplied certificate to have minimum days validity for the deployment +MIN_CERT_VALIDITY="1" + + # store arguments in a special array #args=("$@") # get number of elements @@ -718,6 +781,9 @@ fi validateInput cleanup +# Executing this function first just to make sure certificate errors are first caught +storeCustomSSLCerts + if [ $wlsServerName == "admin" ]; then createCoherenceClusterModel cleanup @@ -725,7 +791,6 @@ else installUtilities mountFileShare openPortsForCoherence - storeCustomSSLCerts createManagedSetup generateCustomHostNameVerifier copyCustomHostNameVerifierJarsToWebLogicClasspath diff --git a/weblogic-azure-vm/arm-oraclelinux-wls-dynamic-cluster/arm-oraclelinux-wls-dynamic-cluster/src/main/scripts/setupDynamicClusterDomain.sh b/weblogic-azure-vm/arm-oraclelinux-wls-dynamic-cluster/arm-oraclelinux-wls-dynamic-cluster/src/main/scripts/setupDynamicClusterDomain.sh index 61df1402e..b5c957792 100644 --- a/weblogic-azure-vm/arm-oraclelinux-wls-dynamic-cluster/arm-oraclelinux-wls-dynamic-cluster/src/main/scripts/setupDynamicClusterDomain.sh +++ b/weblogic-azure-vm/arm-oraclelinux-wls-dynamic-cluster/arm-oraclelinux-wls-dynamic-cluster/src/main/scripts/setupDynamicClusterDomain.sh 
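Review bot: storeCustomSSLCerts is now called unconditionally ahead of the `if [ $wlsServerName == "admin" ]` branch, which means it also runs on the admin node, where the removed line shows it was previously not called at all, and it now runs before installUtilities and mountFileShare. Its body is outside this diff, so please confirm it is a no-op when isCustomSSLEnabled is false and that it needs nothing those two later steps provide (a mounted share path or a tool they install); otherwise the "catch certificate errors first" intent becomes a new failure on the admin path. Once verified, a one-line comment at the call site stating those preconditions would document why the call must sit before the admin/managed split.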
@@ -134,6 +134,58 @@ function cleanup() echo "Cleanup completed." } +# This function verifies whether certificate is valid and not expired +function verifyCertValidity() +{ + KEYSTORE=$1 + PASSWORD=$2 + CURRENT_DATE=$3 + MIN_CERT_VALIDITY=$4 + KEY_STORE_TYPE=$5 + VALIDITY=$(($CURRENT_DATE + ($MIN_CERT_VALIDITY*24*60*60))) + + echo "Verifying $KEYSTORE is valid at least $MIN_CERT_VALIDITY day from the deployment time" + + if [ $VALIDITY -le $CURRENT_DATE ]; + then + echo "Error : Invalid minimum validity days supplied" + exit 1 + fi + + # Check whether KEYSTORE supplied can be opened for reading + # Redirecting as no need to display the contents + runuser -l oracle -c ". $oracleHome/oracle_common/common/bin/setWlstEnv.sh; keytool -list -v -keystore $KEYSTORE -storepass $PASSWORD -storetype $KEY_STORE_TYPE > /dev/null 2>&1" + if [ $? != 0 ]; + then + echo "Error opening the keystore : $KEYSTORE" + exit 1 + fi + + aliasList=`runuser -l oracle -c ". $oracleHome/oracle_common/common/bin/setWlstEnv.sh; keytool -list -v -keystore $KEYSTORE -storepass $PASSWORD -storetype $KEY_STORE_TYPE | grep Alias" |awk '{print $3}'` + if [[ -z $aliasList ]]; + then + echo "Error : No alias found in supplied certificate" + exit 1 + fi + + for alias in $aliasList + do + VALIDITY_PERIOD=`runuser -l oracle -c ". 
$oracleHome/oracle_common/common/bin/setWlstEnv.sh; keytool -list -v -keystore $KEYSTORE -storepass $PASSWORD -storetype $KEY_STORE_TYPE -alias $alias | grep Valid"` + echo "$KEYSTORE is \"$VALIDITY_PERIOD\"" + CERT_UNTIL_DATE=`echo $VALIDITY_PERIOD | awk -F'until:|\r' '{print $2}'` + CERT_UNTIL_SECONDS=`date -d "$CERT_UNTIL_DATE" +%s` + VALIDITY_REMIANS_SECONDS=`expr $CERT_UNTIL_SECONDS - $VALIDITY` + if [[ $VALIDITY_REMIANS_SECONDS -le 0 ]]; + then + echo_stderr "$KEYSTORE is \"$VALIDITY_PERIOD\"" + echo_stderr "Error : Supplied certificate $KEYSTORE is either expired or expiring soon within $MIN_CERT_VALIDITY day" + exit 1 + fi + done + echo "$KEYSTORE validation is successful" +} + + #Creates weblogic deployment model for admin domain function create_admin_model() { @@ -376,8 +428,6 @@ function create_adminSetup() exit 1 fi - storeCustomSSLCerts - create_admin_model sudo chown -R $username:$groupname $DOMAIN_PATH runuser -l oracle -c ". $oracleHome/oracle_common/common/bin/setWlstEnv.sh; $DOMAIN_PATH/weblogic-deploy/bin/createDomain.sh -oracle_home $oracleHome -domain_parent $DOMAIN_PATH -domain_type WLS -model_file $DOMAIN_PATH/admin-domain.yaml" @@ -482,8 +532,6 @@ function create_managedSetup(){ exit 1 fi - storeCustomSSLCerts - echo "Creating managed server model files" create_managed_model createServerStartArgumentPyScript @@ -764,6 +812,9 @@ function validateSSLKeyStores() exit 1 fi + # Verify Identity keystore validity period more than MIN_CERT_VALIDITY + verifyCertValidity $customIdentityKeyStoreFileName $customIdentityKeyStorePassPhrase $CURRENT_DATE $MIN_CERT_VALIDITY $customIdentityKeyStoreType + #validate Trust keystore runuser -l oracle -c ". $oracleHome/oracle_common/common/bin/setWlstEnv.sh; keytool -list -v -keystore $customTrustKeyStoreFileName -storepass $customTrustKeyStorePassPhrase -storetype $customTrustKeyStoreType | grep 'Entry type:' | grep 'trustedCertEntry'" 
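Review bot: The new verifyCertValidity expands `$PASSWORD` and `$alias` directly inside the double-quoted string handed to `runuser -l oracle -c`, so the keystore passphrase is re-parsed by the inner shell and lands on keytool's command line: a passphrase containing `"`, `$`, a backtick or `;` breaks (or is executed as part of) that command, and every passphrase is visible in `ps` output while keytool runs. keytool accepts `-storepass:file <path>`; writing the passphrase to a `mktemp` file owned by oracle with mode 600 and deleting it afterwards removes both issues, and the pre-existing `keytool -list -v ... -storepass $customTrustKeyStorePassPhrase` lines in validateSSLKeyStores would benefit from the same helper. Within this function the first three errors use `echo` while the expiry failure uses `echo_stderr`; they should all go to stderr via `echo_stderr`.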
@@ -771,6 +822,9 @@ function validateSSLKeyStores() echo "Error : Trust Keystore Validation Failed !!" exit 1 fi + + # Verify Identity keystore validity period more than MIN_CERT_VALIDITY + verifyCertValidity $customTrustKeyStoreFileName $customTrustKeyStorePassPhrase $CURRENT_DATE $MIN_CERT_VALIDITY $customTrustKeyStoreType echo "ValidateSSLKeyStores Successfull !!" } @@ -962,6 +1016,12 @@ SCRIPT_PWD=`pwd` CURR_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )" BASE_DIR="$(readlink -f ${CURR_DIR})" +# Used for certificate expiry validation +CURRENT_DATE=`date +%s` +# Supplied certificate to have minimum days validity for the deployment +# In this case set for 1 day +MIN_CERT_VALIDITY="1" + read wlsDomainName wlsUserName wlsPassword managedServerPrefix indexValue vmNamePrefix maxDynamicClusterSize dynamicClusterSize adminVMName oracleHome storageAccountName storageAccountKey mountpointPath isHTTPAdminListenPortEnabled customDNSNameForAdminServer dnsLabelPrefix location virtualNetworkNewOrExisting storageAccountPrivateIp isCustomSSLEnabled customIdentityKeyStoreData customIdentityKeyStorePassPhrase customIdentityKeyStoreType customTrustKeyStoreData customTrustKeyStorePassPhrase customTrustKeyStoreType serverPrivateKeyAlias serverPrivateKeyPassPhrase @@ -1021,6 +1081,9 @@ fi cleanup +# Executing this function first just to make sure certificate errors are first caught +storeCustomSSLCerts + installUtilities mountFileShare diff --git a/weblogic-azure-vm/arm-oraclelinux-wls-dynamic-cluster/arm-oraclelinux-wls-dynamic-cluster/src/main/scripts/setupOHS.sh b/weblogic-azure-vm/arm-oraclelinux-wls-dynamic-cluster/arm-oraclelinux-wls-dynamic-cluster/src/main/scripts/setupOHS.sh index cd47013ae..71070943d 100644 --- a/weblogic-azure-vm/arm-oraclelinux-wls-dynamic-cluster/arm-oraclelinux-wls-dynamic-cluster/src/main/scripts/setupOHS.sh +++ b/weblogic-azure-vm/arm-oraclelinux-wls-dynamic-cluster/arm-oraclelinux-wls-dynamic-cluster/src/main/scripts/setupOHS.sh 
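Review bot: The comment added above the trust-keystore call in validateSSLKeyStores says `# Verify Identity keystore validity period more than MIN_CERT_VALIDITY` although the call passes `$customTrustKeyStoreFileName`; it should read `# Verify Trust keystore validity period more than MIN_CERT_VALIDITY`. validateSSLKeyStores begins outside this hunk.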
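Review bot: storeCustomSSLCerts moves from inside create_adminSetup and create_managedSetup, where the removed lines show it ran after a guard ending in `exit 1 fi`, to an unconditional top-level call before installUtilities and mountFileShare. The guard it used to sit behind and its own body are outside this diff, so please confirm the function still behaves correctly when isCustomSSLEnabled is false and that it does not depend on the file share or on anything installUtilities installs; if it does, the early call will fail on every VM rather than surface certificate errors sooner. A comment at the call site that names the precondition it relies on (e.g. only `oracleHome`) would make the new ordering deliberate rather than incidental.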
@@ -90,6 +90,57 @@ function validateInput() fi } +# This function verifies whether certificate is valid and not expired +function verifyCertValidity() +{ + KEYSTORE=$1 + PASSWORD=$2 + CURRENT_DATE=$3 + MIN_CERT_VALIDITY=$4 + KEY_STORE_TYPE=$5 + VALIDITY=$(($CURRENT_DATE + ($MIN_CERT_VALIDITY*24*60*60))) + + echo "Verifying $KEYSTORE is valid at least $MIN_CERT_VALIDITY day from the OHS deployment time" + + if [ $VALIDITY -le $CURRENT_DATE ]; + then + echo_stderr "Error : Invalid minimum validity days supplied" + exit 1 + fi + + # Check whether KEYSTORE supplied can be opened for reading + # Redirecting as no need to display the contents + runuser -l oracle -c "keytool -list -v -keystore $KEYSTORE -storepass $PASSWORD -storetype $KEY_STORE_TYPE > /dev/null 2>&1" + if [ $? != 0 ]; + then + echo_stderr "Error opening the keystore : $KEYSTORE" + exit 1 + fi + + aliasList=`runuser -l oracle -c "keytool -list -v -keystore $KEYSTORE -storepass $PASSWORD -storetype $KEY_STORE_TYPE | grep Alias" |awk '{print $3}'` + if [[ -z $aliasList ]]; + then + echo_stderr "Error : No alias found in supplied certificate $KEYSTORE" + exit 1 + fi + + for alias in $aliasList + do + VALIDITY_PERIOD=`runuser -l oracle -c "keytool -list -v -keystore $KEYSTORE -storepass $PASSWORD -storetype $KEY_STORE_TYPE -alias $alias | grep Valid"` + echo "$KEYSTORE is \"$VALIDITY_PERIOD\"" + CERT_UNTIL_DATE=`echo $VALIDITY_PERIOD | awk -F'until:|\r' '{print $2}'` + CERT_UNTIL_SECONDS=`date -d "$CERT_UNTIL_DATE" +%s` + VALIDITY_REMIANS_SECONDS=`expr $CERT_UNTIL_SECONDS - $VALIDITY` + if [[ $VALIDITY_REMIANS_SECONDS -le 0 ]]; + then + echo_stderr "$KEYSTORE is \"$VALIDITY_PERIOD\"" + echo_stderr "Error : Supplied certificate $KEYSTORE is either expired or expiring soon within $MIN_CERT_VALIDITY day" + exit 1 + fi + done + echo "$KEYSTORE validation is successful" +} + # Setup Domain path function setupDomainPath() { 
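Review bot: `aliasList` is built with `grep Alias | awk '{print $3}'`, which keeps only the third whitespace-separated word of keytool's `Alias name: <alias>` line, so an alias containing spaces is truncated, the later `-alias $alias` lookup fails, `grep Valid` returns nothing, and the deployment appears to abort with the unrelated "expired or expiring soon" message. Extract the whole alias with `sed -n 's/^Alias name: //p'` and iterate with `while IFS= read -r alias; do ...; done <<< "$aliasList"` instead of the unquoted `for alias in $aliasList`. This copy also calls bare `keytool` inside `runuser -l oracle -c`, relying on oracle's login PATH where the WebLogic scripts source setWlstEnv.sh first; because stderr is discarded in the open check, a missing keytool would surface only as "Error opening the keystore". Pointing at `${JDK_PATH}/bin/keytool` (JDK_PATH is set later in this file) would make that dependency explicit.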
@@ -413,6 +464,8 @@ function addCertficateToOracleVault() echo "$ohsKeyStoreData" | base64 --decode > ${OHS_VAULT_PATH}/ohsKeystore.jks sudo chown -R $username:$groupname ${OHS_VAULT_PATH}/ohsKeystore.jks # Validate JKS file + verifyCertValidity ${OHS_VAULT_PATH}/ohsKeystore.jks $ohsKeyStorePassPhrase $CURRENT_DATE $MIN_CERT_VALIDITY "JKS" + KEY_TYPE=`keytool -list -v -keystore ${OHS_VAULT_PATH}/ohsKeystore.jks -storepass ${ohsKeyStorePassPhrase} | grep 'Keystore type:'` if [[ $KEY_TYPE == *"jks"* ]]; then runuser -l oracle -c "${INSTALL_PATH}/oracle/middleware/oracle_home/oracle_common/bin/orapki wallet jks_to_pkcs12 -wallet ${OHS_VAULT_PATH} -pwd ${ORACLE_VAULT_PASSWORD} -keystore ${OHS_VAULT_PATH}/ohsKeystore.jks -jkspwd ${ohsKeyStorePassPhrase}" @@ -431,6 +484,9 @@ function addCertficateToOracleVault() "PKCS12") echo "$ohsKeyStoreData" | base64 --decode > ${OHS_VAULT_PATH}/ohsCert.p12 sudo chown -R $username:$groupname ${OHS_VAULT_PATH}/ohsCert.p12 + # Validate PKCS12 file + verifyCertValidity ${OHS_VAULT_PATH}/ohsCert.p12 $ohsKeyStorePassPhrase $CURRENT_DATE $MIN_CERT_VALIDITY "PKCS12" + runuser -l oracle -c "${INSTALL_PATH}/oracle/middleware/oracle_home/oracle_common/bin/orapki wallet import_pkcs12 -wallet ${OHS_VAULT_PATH} -pwd ${ORACLE_VAULT_PASSWORD} -pkcs12file ${OHS_VAULT_PATH}/ohsCert.p12 -pkcs12pwd ${ohsKeyStorePassPhrase}" if [[ $? == 0 ]]; then echo "Successfully added certificate to Oracle Wallet" 
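Review bot: Both new verifyCertValidity calls hand `$ohsKeyStorePassPhrase` to a function that places it as `-storepass` inside a `runuser -l oracle -c` string, so the OHS keystore passphrase is shell-interpreted and visible in the process list for each keytool run; the pre-existing orapki lines with `-jkspwd`/`-pkcs12pwd` already have that exposure, so this change widens it rather than introducing it. Consider keytool's `-storepass:file` with a mode-600 `mktemp` file owned by oracle, removed afterwards. addCertficateToOracleVault begins outside this hunk.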
@@ -472,6 +528,12 @@ function verifyService() CURR_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )" BASE_DIR="$(readlink -f ${CURR_DIR})" +# Used for certificate expiry validation +CURRENT_DATE=`date +%s` +# Supplied certificate to have minimum days validity for the deployment +# In this case set for 1 day +MIN_CERT_VALIDITY="1" + read OHS_DOMAIN_NAME OHS_COMPONENT_NAME OHS_NM_USER OHS_NM_PSWD OHS_HTTP_PORT OHS_HTTPS_PORT WLS_REST_URL WLS_USER WLS_PASSWORD OHS_KEY_STORE_DATA OHS_KEY_STORE_PASSPHRASE ORACLE_VAULT_PASSWORD OHS_KEY_TYPE JDK_PATH="/u01/app/jdk"
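Review bot: `MIN_CERT_VALIDITY="1"` makes the new gate reject only certificates already within a day of expiry, so a certificate that lapses two days after deployment passes and the OHS listener stops working shortly after go-live with no warning; a single day is a very low floor for a deploy-time check. Consider raising it (e.g. 30) or accepting it as an input, and state the policy in the comment, e.g. `# Minimum remaining validity, in days, required of supplied certificates at deployment time (1 = fail only when expiring within 24h)`. Prefer `CURRENT_DATE=$(date +%s)` over backticks, matching the `$(...)` form used for CURR_DIR and BASE_DIR just above.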