Skip to content

Handling expired certificate and AAD script space based arguments #187

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 4 commits into from
Aug 4, 2022
Merged

Handling expired certificate and AAD script space based arguments #187

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
f03a1c2
Handled expired certificate with appropriate error message
Jul 27, 2022
813b3c3
Handled expired certificate and AAD space included arguments
Jul 27, 2022
cd28130
Updated storeCustomSSLCerts execution flow
Jul 28, 2022
4876a95
Formatted the error message on expired certificate
Jul 28, 2022
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion ...ic-azure-vm/arm-oraclelinux-wls-admin/src/main/arm/nestedtemplates/aadNestedTemplate.json
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -136,7 +136,7 @@
}
},
"variables": {
"const_aadParameters": "[concat(parameters('wlsUserName'),' ',parameters('wlsPassword'),' ',parameters('wlsDomainName'),' ',parameters('wlsLDAPProviderName'), ' ', parameters('aadsServerHost'), ' ', parameters('aadsPortNumber'), ' ', concat('\"',parameters('wlsLDAPPrincipal'),'\"'), ' ', parameters('wlsLDAPPrincipalPassword'), ' ', concat('\"',parameters('wlsLDAPUserBaseDN'),'\"'), ' ', concat('\"',parameters('wlsLDAPGroupBaseDN'),'\"'), ' ', variables('const_wlsHome'),' ',parameters('adminVMName'),' ',variables('const_wlsAdminPort'),' ',parameters('wlsLDAPSSLCertificate'), ' ', parameters('aadsPublicIP'), ' ', variables('const_adminServerName'), ' ', variables('const_wlsDomainPath'),' ',parameters('enableCustomSSL'),' ',base64(parameters('keyVaultCustomTrustKeyStorePassPhrase')),' ',base64(parameters('keyVaultCustomTrustKeyStoreType')))]",
"const_aadParameters": "[concat(parameters('wlsUserName'),' ',parameters('wlsPassword'),' ',parameters('wlsDomainName'),' ',parameters('wlsLDAPProviderName'), ' ', parameters('aadsServerHost'), ' ', parameters('aadsPortNumber'), ' ', base64(parameters('wlsLDAPPrincipal')), ' ', parameters('wlsLDAPPrincipalPassword'),' ', base64(parameters('wlsLDAPUserBaseDN')),' ', base64(parameters('wlsLDAPGroupBaseDN')),' ', variables('const_wlsHome'),' ',parameters('adminVMName'),' ',variables('const_wlsAdminPort'),' ',parameters('wlsLDAPSSLCertificate'),' ', parameters('aadsPublicIP'),' ',variables('const_adminServerName'),' ', variables('const_wlsDomainPath'),' ',parameters('enableCustomSSL'),' ',base64(parameters('keyVaultCustomTrustKeyStorePassPhrase')),' ',base64(parameters('keyVaultCustomTrustKeyStoreType')))]",
"const_adminServerName": "admin",
"const_wlsAdminPort": "7005",
"const_wlsDomainPath": "[concat('/u01/domains/', parameters('wlsDomainName'))]",
Expand Down
63 changes: 61 additions & 2 deletions weblogic-azure-vm/arm-oraclelinux-wls-admin/src/main/scripts/aadIntegration.sh
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -199,6 +199,48 @@ function mapLDAPHostWithPublicIP()
sudo echo "${wlsLDAPPublicIP} ${adServerHost}" >> /etc/hosts
}

# This function verifies whether certificate is valid and not expired
function verifyCertValidity()
{

CERT_FILE=$1
CURRENT_DATE=$2
MIN_CERT_VALIDITY=$3
VALIDITY=$(($CURRENT_DATE + ($MIN_CERT_VALIDITY*24*60*60)))

. $oracleHome/oracle_common/common/bin/setWlstEnv.sh

echo "Verifying $CERT_FILE is valid at least $MIN_CERT_VALIDITY day from the deployment time"
if [ $VALIDITY -le $CURRENT_DATE ];
then
echo_stderr "Error : Invalid minimum validity days supplied"
exit 1
fi

# Check whether CERT_FILE supplied can be opened for reading
# Redirecting as no need to display the contents
sudo ${JAVA_HOME}/bin/keytool -printcert -file $CERT_FILE > /dev/null 2>&1

if [ $? != 0 ];
then
echo_stderr "Error opening the certificate : $CERT_FILE"
exit 1
fi

VALIDITY_PERIOD=`sudo ${JAVA_HOME}/bin/keytool -printcert -file $CERT_FILE | grep Valid`
echo "Certificate $CERT_FILE is \"$VALIDITY_PERIOD\""
CERT_UNTIL_DATE=`echo $VALIDITY_PERIOD | awk -F'until:|\r' '{print $2}'`
CERT_UNTIL_SECONDS=`date -d "$CERT_UNTIL_DATE" +%s`
VALIDITY_REMIANS_SECONDS=`expr $CERT_UNTIL_SECONDS - $VALIDITY`
if [[ $VALIDITY_REMIANS_SECONDS -le 0 ]];
then
echo_stderr "$CERT_FILE is \"$VALIDITY_PERIOD\""
echo_stderr "Error : Supplied certificate $CERT_FILE is either expired or expiring soon within $MIN_CERT_VALIDITY day"
exit 1
fi
echo "$CERT_FILE validation is successful"
}

function parseLDAPCertificate()
{
echo "create key store"
Expand All @@ -216,6 +258,9 @@ function parseLDAPCertificate()

openssl base64 -d -in ${SCRIPT_PWD}/security/AzureADLDAPCerBase64String.txt -out ${SCRIPT_PWD}/security/AzureADTrust.cer
addsCertificate=${SCRIPT_PWD}/security/AzureADTrust.cer

# Verify certificate validity period more than MIN_CERT_VALIDITY
verifyCertValidity $addsCertificate $CURRENT_DATE $MIN_CERT_VALIDITY
}

function importAADCertificate()
Expand Down Expand Up @@ -369,7 +414,12 @@ function createTempFolder()

#main

read wlsUserName wlsPassword wlsDomainName adProviderName adServerHost adServerPort adPrincipal adPassword adGroupBaseDN adUserBaseDN oracleHome wlsAdminHost wlsAdminPort wlsADSSLCer wlsLDAPPublicIP wlsAdminServerName wlsDomainPath isCustomSSLEnabled customTrustKeyStorePassPhrase customTrustKeyStoreType
read wlsUserName wlsPassword wlsDomainName adProviderName adServerHost adServerPort adPrincipal adPassword adUserBaseDN adGroupBaseDN oracleHome wlsAdminHost wlsAdminPort wlsADSSLCer wlsLDAPPublicIP wlsAdminServerName wlsDomainPath isCustomSSLEnabled customTrustKeyStorePassPhrase customTrustKeyStoreType

# Passing these values as base64 as values has space embedded
adPrincipal=$(echo "$adPrincipal" | base64 --decode)
adUserBaseDN=$(echo "$adUserBaseDN" | base64 --decode)
adGroupBaseDN=$(echo "$adGroupBaseDN" | base64 --decode)

isCustomSSLEnabled="${isCustomSSLEnabled,,}"

Expand All @@ -390,7 +440,17 @@ USER_ORACLE="oracle"
GROUP_ORACLE="oracle"
DOMAIN_PATH="/u01/domains"

# Used for certificate expiry validation
CURRENT_DATE=`date +%s`
# Supplied certificate to have minimum days validity for the deployment
MIN_CERT_VALIDITY="1"

validateInput

# Executing parse and validate certificates to ensure there are no certificates issues
# If any certificates issues then it will be cuaght earlier
parseLDAPCertificate

createTempFolder
echo "check status of admin server"
wait_for_admin
Expand All @@ -400,7 +460,6 @@ enableTLSv12onJDK8
createAADProvider_model
createSSL_model
mapLDAPHostWithPublicIP
parseLDAPCertificate
importAADCertificate
importAADCertificateIntoWLSCustomTrustKeyStore
configureSSL
Expand Down
63 changes: 63 additions & 0 deletions weblogic-azure-vm/arm-oraclelinux-wls-admin/src/main/scripts/setupAdminDomain.sh
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -75,6 +75,57 @@ function cleanup()
echo "Cleanup completed."
}

# This function verifies whether certificate is valid and not expired
function verifyCertValidity()
{
KEYSTORE=$1
PASSWORD=$2
CURRENT_DATE=$3
MIN_CERT_VALIDITY=$4
KEY_STORE_TYPE=$5
VALIDITY=$(($CURRENT_DATE + ($MIN_CERT_VALIDITY*24*60*60)))

echo "Verifying $KEYSTORE is valid at least $MIN_CERT_VALIDITY day from the deployment time"

if [ $VALIDITY -le $CURRENT_DATE ];
then
echo_stderr "Error : Invalid minimum validity days supplied"
exit 1
fi

# Check whether KEYSTORE supplied can be opened for reading
# Redirecting as no need to display the contents
runuser -l oracle -c ". $oracleHome/oracle_common/common/bin/setWlstEnv.sh; keytool -list -v -keystore $KEYSTORE -storepass $PASSWORD -storetype $KEY_STORE_TYPE > /dev/null 2>&1"
if [ $? != 0 ];
then
echo_stderr "Error opening the keystore : $KEYSTORE"
exit 1
fi

aliasList=`runuser -l oracle -c ". $oracleHome/oracle_common/common/bin/setWlstEnv.sh; keytool -list -v -keystore $KEYSTORE -storepass $PASSWORD -storetype $KEY_STORE_TYPE | grep Alias" |awk '{print $3}'`
if [[ -z $aliasList ]];
then
echo_stderr "Error : No alias found in supplied certificate $KEYSTORE"
exit 1
fi

for alias in $aliasList
do
VALIDITY_PERIOD=`runuser -l oracle -c ". $oracleHome/oracle_common/common/bin/setWlstEnv.sh; keytool -list -v -keystore $KEYSTORE -storepass $PASSWORD -storetype $KEY_STORE_TYPE -alias $alias | grep Valid"`
echo "$KEYSTORE is \"$VALIDITY_PERIOD\""
CERT_UNTIL_DATE=`echo $VALIDITY_PERIOD | awk -F'until:|\r' '{print $2}'`
CERT_UNTIL_SECONDS=`date -d "$CERT_UNTIL_DATE" +%s`
VALIDITY_REMIANS_SECONDS=`expr $CERT_UNTIL_SECONDS - $VALIDITY`
if [[ $VALIDITY_REMIANS_SECONDS -le 0 ]];
then
echo_stderr "$KEYSTORE is \"$VALIDITY_PERIOD\""
echo_stderr "Error : Supplied certificate $KEYSTORE is either expired or expiring soon within $MIN_CERT_VALIDITY day"
exit 1
fi
done
echo "$KEYSTORE validation is successful"
}

#Creates weblogic deployment model for admin domain
function create_admin_model()
{
Expand Down Expand Up @@ -378,6 +429,9 @@ function validateSSLKeyStores()
exit 1
fi

# Verify Identity keystore validity period more than MIN_CERT_VALIDITY
verifyCertValidity $customIdentityKeyStoreFileName $customIdentityKeyStorePassPhrase $CURRENT_DATE $MIN_CERT_VALIDITY $customIdentityKeyStoreType

#validate Trust keystore
runuser -l oracle -c ". $oracleHome/oracle_common/common/bin/setWlstEnv.sh; keytool -list -v -keystore $customTrustKeyStoreFileName -storepass $customTrustKeyStorePassPhrase -storetype $customTrustKeyStoreType | grep 'Entry type:' | grep 'trustedCertEntry'"

Expand All @@ -386,6 +440,9 @@ function validateSSLKeyStores()
exit 1
fi

# Verify Identity keystore validity period more than MIN_CERT_VALIDITY
verifyCertValidity $customTrustKeyStoreFileName $customTrustKeyStorePassPhrase $CURRENT_DATE $MIN_CERT_VALIDITY $customTrustKeyStoreType

echo "ValidateSSLKeyStores Successfull !!"
}

Expand Down Expand Up @@ -571,6 +628,12 @@ SCRIPT_PWD=`pwd`
CURR_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
BASE_DIR="$(readlink -f ${CURR_DIR})"

# Used for certificate expiry validation
CURRENT_DATE=`date +%s`
# Supplied certificate to have minimum days validity for the deployment
MIN_CERT_VALIDITY="1"


#read arguments from stdin
read wlsDomainName wlsUserName wlsPassword wlsAdminHost oracleHome storageAccountName storageAccountKey mountpointPath isHTTPAdminListenPortEnabled adminPublicHostName dnsLabelPrefix location virtualNetworkNewOrExisting storageAccountPrivateIp isCustomSSLEnabled customIdentityKeyStoreData customIdentityKeyStorePassPhrase customIdentityKeyStoreType customTrustKeyStoreData customTrustKeyStorePassPhrase customTrustKeyStoreType serverPrivateKeyAlias serverPrivateKeyPassPhrase

Expand Down
2 changes: 1 addition & 1 deletion ...s-cluster/arm-oraclelinux-wls-cluster/src/main/arm/nestedtemplates/aadNestedTemplate.json
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -154,7 +154,7 @@
}
},
"variables": {
"const_aadParameters": "[concat(parameters('wlsUserName'),' ',parameters('wlsPassword'),' ',parameters('wlsDomainName'),' ',parameters('wlsLDAPProviderName'), ' ', parameters('aadsServerHost'), ' ', parameters('aadsPortNumber'), ' ', concat('\"',parameters('wlsLDAPPrincipal'),'\"'), ' ', parameters('wlsLDAPPrincipalPassword'), ' ', concat('\"',parameters('wlsLDAPUserBaseDN'),'\"'), ' ', concat('\"',parameters('wlsLDAPGroupBaseDN'),'\"'), ' ', variables('const_wlsHome'),' ',parameters('adminVMName'),' ',variables('const_wlsAdminPort'),' ',parameters('wlsLDAPSSLCertificate'), ' ', parameters('aadsPublicIP'), ' ',variables('const_adminServerName'), ' ', variables('const_wlsDomainPath'),' ',parameters('enableCustomSSL'),' ',base64(parameters('keyVaultCustomTrustKeyStorePassPhrase')),' ',base64(parameters('keyVaultCustomTrustKeyStoreType')))]",
"const_aadParameters": "[concat(parameters('wlsUserName'),' ',parameters('wlsPassword'),' ',parameters('wlsDomainName'),' ',parameters('wlsLDAPProviderName'), ' ', parameters('aadsServerHost'), ' ', parameters('aadsPortNumber'), ' ', base64(parameters('wlsLDAPPrincipal')), ' ', parameters('wlsLDAPPrincipalPassword'), ' ', base64(parameters('wlsLDAPUserBaseDN')), ' ', base64(parameters('wlsLDAPGroupBaseDN')), ' ', variables('const_wlsHome'),' ',parameters('adminVMName'),' ',variables('const_wlsAdminPort'),' ',parameters('wlsLDAPSSLCertificate'), ' ', parameters('aadsPublicIP'), ' ',variables('const_adminServerName'), ' ', variables('const_wlsDomainPath'),' ',parameters('enableCustomSSL'),' ',base64(parameters('keyVaultCustomTrustKeyStorePassPhrase')),' ',base64(parameters('keyVaultCustomTrustKeyStoreType')))]",
"const_adminServerName": "admin",
"const_managedVMPrefix": "[concat(parameters('managedServerPrefix'),'VM')]",
"const_wlsAdminPort": "7005",
Expand Down
64 changes: 61 additions & 3 deletions ...rm-oraclelinux-wls-cluster/arm-oraclelinux-wls-cluster/src/main/scripts/aadIntegration.sh
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -236,6 +236,48 @@ function mapLDAPHostWithPublicIP()
sudo echo "${wlsLDAPPublicIP} ${adServerHost}" >> /etc/hosts
}

# This function verifies whether certificate is valid and not expired
function verifyCertValidity()
{

CERT_FILE=$1
CURRENT_DATE=$2
MIN_CERT_VALIDITY=$3
VALIDITY=$(($CURRENT_DATE + ($MIN_CERT_VALIDITY*24*60*60)))

. $oracleHome/oracle_common/common/bin/setWlstEnv.sh

echo "Verifying $CERT_FILE is valid at least $MIN_CERT_VALIDITY day from the deployment time"
if [ $VALIDITY -le $CURRENT_DATE ];
then
echo_stderr "Error : Invalid minimum validity days supplied"
exit 1
fi

# Check whether CERT_FILE supplied can be opened for reading
# Redirecting as no need to display the contents
sudo ${JAVA_HOME}/bin/keytool -printcert -file $CERT_FILE > /dev/null 2>&1

if [ $? != 0 ];
then
echo_stderr "Error opening the certificate : $CERT_FILE"
exit 1
fi

VALIDITY_PERIOD=`sudo ${JAVA_HOME}/bin/keytool -printcert -file $CERT_FILE | grep Valid`
echo "Certificate $CERT_FILE is \"$VALIDITY_PERIOD\""
CERT_UNTIL_DATE=`echo $VALIDITY_PERIOD | awk -F'until:|\r' '{print $2}'`
CERT_UNTIL_SECONDS=`date -d "$CERT_UNTIL_DATE" +%s`
VALIDITY_REMIANS_SECONDS=`expr $CERT_UNTIL_SECONDS - $VALIDITY`
if [[ $VALIDITY_REMIANS_SECONDS -le 0 ]];
then
echo_stderr "$CERT_FILE is \"$VALIDITY_PERIOD\""
echo_stderr "Error : Supplied certificate $CERT_FILE is either expired or expiring soon within $MIN_CERT_VALIDITY day"
exit 1
fi
echo "$CERT_FILE validation is successful"
}

function parseLDAPCertificate()
{
echo "create key store"
Expand All @@ -253,6 +295,9 @@ function parseLDAPCertificate()

openssl base64 -d -in ${SCRIPT_PWD}/security/AzureADLDAPCerBase64String.txt -out ${SCRIPT_PWD}/security/AzureADTrust.cer
addsCertificate=${SCRIPT_PWD}/security/AzureADTrust.cer

# Verify certificate validity period more than MIN_CERT_VALIDITY
verifyCertValidity $addsCertificate $CURRENT_DATE $MIN_CERT_VALIDITY
}

function importAADCertificate()
Expand Down Expand Up @@ -438,7 +483,12 @@ function createTempFolder()
#main

#read arguments from stdin
read wlsUserName wlsPassword wlsDomainName adProviderName adServerHost adServerPort adPrincipal adPassword adGroupBaseDN adUserBaseDN oracleHome wlsAdminHost wlsAdminPort wlsADSSLCer wlsLDAPPublicIP wlsAdminServerName wlsDomainPath isCustomSSLEnabled customTrustKeyStorePassPhrase customTrustKeyStoreType vmIndex
read wlsUserName wlsPassword wlsDomainName adProviderName adServerHost adServerPort adPrincipal adPassword adUserBaseDN adGroupBaseDN oracleHome wlsAdminHost wlsAdminPort wlsADSSLCer wlsLDAPPublicIP wlsAdminServerName wlsDomainPath isCustomSSLEnabled customTrustKeyStorePassPhrase customTrustKeyStoreType vmIndex

# Passing these values as base64 as values has space embedded
adPrincipal=$(echo "$adPrincipal" | base64 --decode)
adUserBaseDN=$(echo "$adUserBaseDN" | base64 --decode)
adGroupBaseDN=$(echo "$adGroupBaseDN" | base64 --decode)

isCustomSSLEnabled="${isCustomSSLEnabled,,}"

Expand All @@ -459,6 +509,16 @@ USER_ORACLE="oracle"
GROUP_ORACLE="oracle"
DOMAIN_PATH="/u01/domains"

# Used for certificate expiry validation
CURRENT_DATE=`date +%s`
# Supplied certificate to have minimum days validity for the deployment
MIN_CERT_VALIDITY="1"

validateInput

# Executing parse and validate certificates to ensure there are no certificates issues
# If any certificates issues then it will be cuaght earlier
parseLDAPCertificate

if [ $vmIndex -eq 0 ];
then
Expand All @@ -471,7 +531,6 @@ then
createAADProvider_model
createSSL_model
mapLDAPHostWithPublicIP
parseLDAPCertificate
importAADCertificate
importAADCertificateIntoWLSCustomTrustKeyStore
configureSSL
Expand All @@ -487,7 +546,6 @@ then
else
cleanup
mapLDAPHostWithPublicIP
parseLDAPCertificate
importAADCertificate
importAADCertificateIntoWLSCustomTrustKeyStore
cleanup
Expand Down
Loading