Alex Lourie has uploaded a new change for review. Change subject: packaging: Creating keystore for jboss use ......................................................................
packaging: Creating keystore for jboss use
Currently jboss uses apache.p12 keystore file. In cases where apache is not used for proxying, jboss tries to use this file directly and fails on permissions. This patch tries to resolve the issue by adding an additional keystore jboss.p12 during setup/upgrade for the use by the jboss.
Change-Id: I22d71d9de011e8af4bde26d9e2a048a6387ce70f
Signed-off-by: Alex Lourie <alou...@redhat.com>
---
M backend/manager/conf/ca/installCA.sh
M packaging/fedora/engine-service.xml.in
M packaging/fedora/setup/basedefs.py
M packaging/fedora/setup/engine-cleanup.py
M packaging/fedora/setup/engine-upgrade.py
5 files changed, 19 insertions(+), 1 deletion(-)
git pull ssh://gerrit.ovirt.org:29418/ovirt-engine refs/changes/74/12374/1
diff --git a/backend/manager/conf/ca/installCA.sh b/backend/manager/conf/ca/installCA.sh
index ff8dd6e..2af9f34 100755
--- a/backend/manager/conf/ca/installCA.sh
+++ b/backend/manager/conf/ca/installCA.sh
@@ -77,6 +77,7 @@
 echo "} Creating client certificates for oVirt..."
 enroll_certificate engine "$PASS" "/C=${COUNTRY}/O=${ORG}/CN=${SUBJECT}"
 enroll_certificate apache "$PASS" "/C=${COUNTRY}/O=${ORG}/CN=${SUBJECT}"
+enroll_certificate jboss "$PASS" "/C=${COUNTRY}/O=${ORG}/CN=${SUBJECT}"
 exit 0
diff --git a/packaging/fedora/engine-service.xml.in b/packaging/fedora/engine-service.xml.in
index eedf03d..4f820f4 100644
--- a/packaging/fedora/engine-service.xml.in
+++ b/packaging/fedora/engine-service.xml.in
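Review bot: The new `enroll_certificate jboss` call produces a third private key for the same `CN=${SUBJECT}`, but nothing in this hunk sets who owns or can read the resulting `keys/jboss.p12` on a fresh install, and the commit message says the whole failure is JBoss lacking read permission on `apache.p12`. Unless `enroll_certificate` (defined outside the hunk) or the setup code chowns the new file to the engine service account, a fresh install presumably hits the same failure that the upgrade path fixes with `filemod=0640` plus `chownToEngine`; please confirm where that happens, or add the equivalent step after this line. A why-comment above the call would also help the next reader: `# jboss.p12 is a separate keystore so JBoss can open it without sharing apache's key file/permissions when Apache is not proxying`. The enclosing script continues outside this hunk.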
@@ -252,7 +252,7 @@
 #end if
 #if $getBoolean('ENGINE_HTTPS_ENABLED')
 <connector name="https" protocol="HTTP/1.1" scheme="https" socket-binding="https" secure="true">
- <ssl name="ssl" password="mypass" certificate-key-file="$getString('ENGINE_PKI')/keys/apache.p12" keystore-type="PKCS12" key-alias="1" protocol="$getString('ENGINE_HTTPS_PROTOCOLS')" verify-client="false"/>
+ <ssl name="ssl" password="mypass" certificate-key-file="$getString('ENGINE_PKI')/keys/jboss.p12" keystore-type="PKCS12" key-alias="1" protocol="$getString('ENGINE_HTTPS_PROTOCOLS')" verify-client="false"/>
 </connector>
 #end if
 #if $getBoolean('ENGINE_AJP_ENABLED')
diff --git a/packaging/fedora/setup/basedefs.py b/packaging/fedora/setup/basedefs.py
index 4074022..255c67e 100644
--- a/packaging/fedora/setup/basedefs.py
+++ b/packaging/fedora/setup/basedefs.py
@@ -93,6 +93,7 @@
 FILE_TRUSTSTORE="%s/.truststore"%(DIR_OVIRT_PKI)
 FILE_ENGINE_KEYSTORE="%s/keys/engine.p12"%(DIR_OVIRT_PKI)
 FILE_APACHE_KEYSTORE="%s/keys/apache.p12"%(DIR_OVIRT_PKI)
+FILE_JBOSS_KEYSTORE="%s/keys/jboss.p12"%(DIR_OVIRT_PKI)
 FILE_APACHE_PRIVATE_KEY="%s/keys/apache.key.nopass"%(DIR_OVIRT_PKI)
 FILE_SSH_PRIVATE_KEY="%s/keys/engine_id_rsa"%(DIR_OVIRT_PKI)
 FILE_YUM_VERSION_LOCK="/etc/yum/pluginconf.d/versionlock.list"
diff --git a/packaging/fedora/setup/engine-cleanup.py b/packaging/fedora/setup/engine-cleanup.py
index 432836d..d63a4b7 100755
--- a/packaging/fedora/setup/engine-cleanup.py
+++ b/packaging/fedora/setup/engine-cleanup.py
@@ -282,6 +282,7 @@
 basedefs.FILE_TRUSTSTORE,
 basedefs.FILE_ENGINE_KEYSTORE,
 basedefs.FILE_APACHE_KEYSTORE,
+ basedefs.FILE_JBOSS_KEYSTORE,
 basedefs.FILE_APACHE_PRIVATE_KEY,
 basedefs.FILE_SSH_PRIVATE_KEY
 ):
diff --git a/packaging/fedora/setup/engine-upgrade.py b/packaging/fedora/setup/engine-upgrade.py
index 6cd55a2..4be6649 100755
--- a/packaging/fedora/setup/engine-upgrade.py
+++ b/packaging/fedora/setup/engine-upgrade.py
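Review bot: The rewritten `<ssl>` line keeps the keystore password as the literal `password="mypass"`, so `jboss.p12` only opens if the PKCS12 written by `enroll_certificate jboss "$PASS"` (or the upgrade-time copy of `apache.p12`) was created with exactly that string — the template and installCA.sh are coupled by a magic value that nothing here checks. Since the line is being touched anyway, consider sourcing the password through the same `$getString(...)` configuration mechanism the template already uses for `ENGINE_PKI` and `ENGINE_HTTPS_PROTOCOLS`, or JBoss's vault, instead of a hard-coded secret in a config template. At minimum, add a template comment above it: `## password must equal the PKCS12 password installCA.sh uses ($PASS)`.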
@@ -509,6 +509,20 @@
 logging.error("PKI: Cannot dup ca for apache")
 raise
+ # If jboss keystore file does not exist, copy one from apache
+ if not os.path.exists(basedefs.FILE_JBOSS_KEYSTORE):
+ logging.debug("PKI: dup cert for jboss")
+ try:
+ utils.copyFile(
+ filename=basedefs.FILE_APACHE_KEYSTORE,
+ destination=basedefs.FILE_JBOSS_KEYSTORE,
+ filemod=0640,
+ )
+ utils.chownToEngine(basedefs.FILE_JBOSS_KEYSTORE)
+ except OSError:
+ logging.error("PKI: Cannot dup ca for jboss")
+ raise
+
 shutil.copyfile(
 basedefs.FILE_HTTPD_SSL_CONFIG,
 self.TMPAPACHECONF
@@ -544,6 +558,7 @@
 self.TMPAPACHECONF,
 basedefs.FILE_ENGINE_KEYSTORE,
 basedefs.FILE_APACHE_KEYSTORE,
+ basedefs.FILE_JBOSS_KEYSTORE,
 basedefs.FILE_APACHE_CA_CRT_SRC,
 basedefs.FILE_APACHE_CERT,
 basedefs.FILE_APACHE_PRIVATE_KEY
--
To view, visit http://gerrit.ovirt.org/12374
To unsubscribe, visit http://gerrit.ovirt.org/settings
Gerrit-MessageType: newchange
Gerrit-Change-Id: I22d71d9de011e8af4bde26d9e2a048a6387ce70f
Gerrit-PatchSet: 1
Gerrit-Project: ovirt-engine
Gerrit-Branch: master
Gerrit-Owner: Alex Lourie <alou...@redhat.com>
_______________________________________________
Engine-patches mailing list
Engine-patches@ovirt.org
http://lists.ovirt.org/mailman/listinfo/engine-patches
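Review bot: The whole new block is skipped whenever `jboss.p12` already exists, so a pre-existing file with the wrong owner or mode is never corrected — and an unreadable keystore is exactly the failure this commit sets out to fix, so the owner/mode step should run unconditionally and only the copy should be guarded. The copy also duplicates the apache private key and applies `chownToEngine` only after the file is written; whether `utils.copyFile` creates the file with `filemod=0640` before writing or chmods afterwards cannot be seen here, so please confirm there is no window where the key is created with the process umask. The error text `"PKI: Cannot dup ca for jboss"` mirrors the apache branch but this is a keystore, not a CA; `"PKI: Cannot dup keystore for jboss"` is more accurate. Catching only `OSError` matches the apache branch above and is fine as long as `utils.copyFile` raises nothing else. The enclosing method starts and ends outside this hunk.
```python
# Copy apache's PKCS12 for jboss only when missing, but always (re)apply
# owner and mode so a stale jboss.p12 cannot keep the old permission failure.
try:
    if not os.path.exists(basedefs.FILE_JBOSS_KEYSTORE):
        logging.debug("PKI: dup cert for jboss")
        utils.copyFile(
            filename=basedefs.FILE_APACHE_KEYSTORE,
            destination=basedefs.FILE_JBOSS_KEYSTORE,
            filemod=0640,
        )
    utils.chownToEngine(basedefs.FILE_JBOSS_KEYSTORE)
    os.chmod(basedefs.FILE_JBOSS_KEYSTORE, 0640)
except OSError:
    logging.error("PKI: Cannot dup keystore for jboss")
    raise
# … unchanged: shutil.copyfile of FILE_HTTPD_SSL_CONFIG …
```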