From f5912f91fc9ac1b8d17af41bc15b209b8dcde6d1 Mon Sep 17 00:00:00 2001 
From: Robert Butora <robert.butora@inaf.it> Date: Sun, 31 Mar 2024 11:20:07 +0200 Subject: [PATCH] docker: refactors security config in Dockerfile/entrypoint.sh --- docker/Dockerfile | 19 +++--- docker/config/authpolicy.properties | 6 -- docker/config/context-cutout.xml | 15 ----- docker/config/formatresponsefilter.properties | 7 --- docker/config/iamtoken.properties | 10 --- docker/config/neatoken.properties | 7 --- docker/config/tomcat-users.xml | 48 --------------- docker/config/vlkb-obscore.datasets.conf | 15 ----- docker/config/vlkbd.datasets.conf | 10 --- docker/{ => deps}/ast-9.2.9.tar.gz | Bin docker/{ => deps}/ast_9.2.9-1_amd64.deb | Bin docker/{ => deps}/postgresql-42.2.5.jar | Bin docker/{ => deps}/vlkbd_exec.sh | 0 docker/entrypoint.sh | 57 +++--------------- ...oda.yaml => example-compose-ska-soda.yaml} | 0 ...le-vlkb.yaml => example-compose-vlkb.yaml} | 0 docker/example-security/README.tex | 31 ++++++++++ .../garrtoken}/keystore.jks | Bin .../garrtoken/neatoken.properties | 10 +++ ...onnector-8443.xml-self-signed-keystore-jks | 0 .../ia2token}/auth.properties | 0 .../ia2token/authpolicy.properties | 7 +++ ...onnector-8443.xml-SECTIGO-vlkb.ia2.inaf.it | 0 .../iamtoken/iamtoken.properties | 13 ++++ docker/example-security/iamtoken/keystore.jks | Bin 0 -> 2696 bytes ...nnector-8443.xml-self-signed-keystore-jks} | 2 +- ...ificate using OpenSSL - Stack Overflow.pdf | Bin ...t PKI on Linux systems Enable Sysadmin.pdf | Bin docker/{ => example-security}/ssl/Makefile | 0 docker/ssl/server-connector-8080.xml | 3 - docker/ssl/server-connector-8443.xml | 11 ---- docker/ssl/server-connector.xml | 11 ---- docker/ssl/server.xml | 39 ------------ 33 files changed, 81 insertions(+), 240 deletions(-) delete mode 100644 docker/config/authpolicy.properties delete mode 100644 docker/config/context-cutout.xml delete mode 100644 docker/config/formatresponsefilter.properties delete mode 100644 docker/config/iamtoken.properties delete mode 100644 
docker/config/neatoken.properties delete mode 100644 docker/config/tomcat-users.xml delete mode 100644 docker/config/vlkb-obscore.datasets.conf delete mode 100644 docker/config/vlkbd.datasets.conf rename docker/{ => deps}/ast-9.2.9.tar.gz (100%) rename docker/{ => deps}/ast_9.2.9-1_amd64.deb (100%) rename docker/{ => deps}/postgresql-42.2.5.jar (100%) rename docker/{ => deps}/vlkbd_exec.sh (100%) rename docker/{compose-example-ska-soda.yaml => example-compose-ska-soda.yaml} (100%) rename docker/{compose-example-vlkb.yaml => example-compose-vlkb.yaml} (100%) create mode 100644 docker/example-security/README.tex rename docker/{ssl => example-security/garrtoken}/keystore.jks (100%) create mode 100644 docker/example-security/garrtoken/neatoken.properties rename docker/{ssl => example-security/garrtoken}/server-connector-8443.xml-self-signed-keystore-jks (100%) rename docker/{config => example-security/ia2token}/auth.properties (100%) create mode 100644 docker/example-security/ia2token/authpolicy.properties rename docker/{ssl => example-security/ia2token}/server-connector-8443.xml-SECTIGO-vlkb.ia2.inaf.it (100%) create mode 100644 docker/example-security/iamtoken/iamtoken.properties create mode 100644 docker/example-security/iamtoken/keystore.jks rename docker/{ssl/server-connector-8443.xml-self-signed-keystore-jks-ORIG => example-security/iamtoken/server-connector-8443.xml-self-signed-keystore-jks} (85%) rename docker/{ => example-security}/ssl/How to generate a self-signed SSL certificate using OpenSSL - Stack Overflow.pdf (100%) rename docker/{ => example-security}/ssl/How to use OpenSSL and the Internet PKI on Linux systems Enable Sysadmin.pdf (100%) rename docker/{ => example-security}/ssl/Makefile (100%) delete mode 100644 docker/ssl/server-connector-8080.xml delete mode 100644 docker/ssl/server-connector-8443.xml delete mode 100644 docker/ssl/server-connector.xml delete mode 100644 docker/ssl/server.xml 
diff --git a/docker/Dockerfile b/docker/Dockerfile index e3c3652..6d4f46f 100644 --- a/docker/Dockerfile +++ b/docker/Dockerfile @@ -19,10 +19,11 @@ ENV CATALINA_TMPDIR=/tmp ENV WEBAPP_DIR=/webapps/vlkb-cutout -COPY ast_9.2.9-1_amd64.deb ./ +COPY deps/ast_9.2.9-1_amd64.deb ./ RUN dpkg -i /root/ast_9.2.9-1_amd64.deb && ldconfig \ && mkdir -p ${WEBAPP_DIR} \ - && mkdir -p /srv/surveys && mkdir -p /srv/cutouts + && mkdir -p /srv/surveys && mkdir -p /srv/cutouts \ + && mkdir -p /etc/pki/tls ARG VLKB_VERSION @@ -33,7 +34,7 @@ RUN dpkg -i vlkb-${VLKB_VERSION}.deb vlkb-obscore-${VLKB_VERSION}.deb vlkbd-${VL && cd ${WEBAPP_DIR} && jar -xf vlkb-cutout-${VLKB_VERSION}.war # Tomcat must load DB-driver (postgresql_*.jar), vlkb-cutout does not explicitely load DB-drivers -COPY postgresql-*.jar /var/lib/tomcat9/lib +COPY deps/postgresql-*.jar /var/lib/tomcat9/lib @@ -41,7 +42,7 @@ COPY postgresql-*.jar /var/lib/tomcat9/lib ENV INST_DIR=/usr/local -COPY vlkbd_exec.sh ${INST_DIR}/bin +COPY deps/vlkbd_exec.sh ${INST_DIR}/bin RUN mkdir -p ${INST_DIR}/etc/vlkb-obscore \ && mkdir -p ${INST_DIR}/etc/vlkbd \ @@ -50,13 +51,11 @@ RUN mkdir -p ${INST_DIR}/etc/vlkb-obscore \ # configure during docker build-time -COPY config/vlkb-obscore.datasets.conf ${INST_DIR}/etc/vlkb-obscore/datasets.conf -COPY config/vlkbd.datasets.conf ${INST_DIR}/etc/vlkbd/datasets.conf +COPY deps/vlkb-obscore.datasets.conf ${INST_DIR}/etc/vlkb-obscore/datasets.conf +COPY deps/vlkbd.datasets.conf ${INST_DIR}/etc/vlkbd/datasets.conf -COPY config/auth.properties config/neatoken.properties config/iamtoken.properties ${WEBAPP_DIR}/WEB-INF/classes/ - -#COPY ssl/keystore.jks /root/ -COPY ssl/server.xml ssl/server-connector-8080.xml ssl/server-connector-8443.xml /etc/tomcat9/ +# precofigure port 8080 (no SSL) +COPY deps/server.xml deps/server-connector.xml /etc/tomcat9/ # configure during docker run-time 
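Review bot: The last hunk copies `deps/vlkb-obscore.datasets.conf`, `deps/vlkbd.datasets.conf`, `deps/server.xml` and `deps/server-connector.xml`, but this patch only renames the ast/postgresql/vlkbd_exec files into deps/ and deletes `docker/config/vlkb-obscore.datasets.conf`, `docker/config/vlkbd.datasets.conf`, `docker/ssl/server.xml` and `docker/ssl/server-connector.xml` outright, so unless those four files are untracked or arrive in another commit the build fails at these COPY lines. The new comment cannot be checked against the file it describes either: the deleted `ssl/server-connector.xml` was the 8443/TLS connector, so please confirm `deps/server-connector.xml` is really the plain 8080 one, and fix the typo: `# preconfigure port 8080 (no SSL)`. Dropping `COPY config/auth.properties config/neatoken.properties config/iamtoken.properties` also stops baking credential files into image layers, but the values those files carried (`client_password` in config/iamtoken.properties, `db_password` in config/authpolicy.properties, the admin password in config/tomcat-users.xml) remain in git history and in previously built images, so rotating them is advisable.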
diff --git a/docker/config/authpolicy.properties b/docker/config/authpolicy.properties deleted file mode 100644 index 1c59ef6..0000000 --- a/docker/config/authpolicy.properties +++ /dev/null @@ -1,6 +0,0 @@ -db_uri=jdbc:postgresql://127.0.0.1:5432/vialactea -db_schema=datasets -db_user_name=vialactea -db_password=ia2vlkb - - diff --git a/docker/config/context-cutout.xml b/docker/config/context-cutout.xml deleted file mode 100644 index 4f5f504..0000000 --- a/docker/config/context-cutout.xml +++ /dev/null @@ -1,15 +0,0 @@ -<Context docBase="/webapps/vlkb-cutout"> - - <Resources allowLinking="true"> - <PostResources readOnly="false" - className="org.apache.catalina.webresources.DirResourceSet" - base="/srv/cutouts" - webAppMount="/cutouts"/> - <PostResources readOnly="true" - className="org.apache.catalina.webresources.DirResourceSet" - base="/srv/surveys" - webAppMount="/surveys"/> - </Resources> - -</Context> - diff --git a/docker/config/formatresponsefilter.properties b/docker/config/formatresponsefilter.properties deleted file mode 100644 index b8acc01..0000000 --- a/docker/config/formatresponsefilter.properties +++ /dev/null @@ -1,7 +0,0 @@ - -# used to retrieve extraCards to add to FITS_header (VLKB-only) -surveys_metadata_abs_pathname=/srv/surveys/survey_populate.csv - -# these URL's are used to construct cutout merge requests strings in response.xml -cutout_url=http://vlkb-devel.ia2.inaf.it:8080/vlkb/datasets/vlkb_cutout -merge_url=http://vlkb-devel.ia2.inaf.it:8080/vlkb/datasets/vlkb_merge diff --git a/docker/config/iamtoken.properties b/docker/config/iamtoken.properties deleted file mode 100644 index e0935bb..0000000 --- a/docker/config/iamtoken.properties +++ /dev/null 
@@ -1,10 +0,0 @@ - -#jwks_url=https://iam-escape.cloud.cnaf.infn.it/jwk -introspect=https://iam-escape.cloud.cnaf.infn.it/introspect -client_name=02cc260f-9837-4907-b2cb-a1a2d764fb15 -client_password=AJMi3qrB6AHRp_6y55tEwU-IpJ8uZ6X4QXeQ3W4la6dc-BlkzAY1OQpAE9hb1W7-VfYl4208FUtjE2Cl3hUYLkQ - -resource_id=vlkb - -non_authn_username=anonymous - diff --git a/docker/config/neatoken.properties b/docker/config/neatoken.properties deleted file mode 100644 index 21793e2..0000000 --- a/docker/config/neatoken.properties +++ /dev/null @@ -1,7 +0,0 @@ - -jwks_url=https://sso.neanias.eu/auth/realms/neanias-production/protocol/openid-connect/certs - -resource_id=vlkb - -non_authn_username=anonymous - diff --git a/docker/config/tomcat-users.xml b/docker/config/tomcat-users.xml deleted file mode 100644 index 6587e75..0000000 --- a/docker/config/tomcat-users.xml +++ /dev/null 
@@ -1,48 +0,0 @@ -<?xml version="1.0" encoding="UTF-8"?> -<!-- - Licensed to the Apache Software Foundation (ASF) under one or more - contributor license agreements. See the NOTICE file distributed with - this work for additional information regarding copyright ownership. - The ASF licenses this file to You under the Apache License, Version 2.0 - (the "License"); you may not use this file except in compliance with - the License. You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - - Unless required by applicable law or agreed to in writing, software - distributed under the License is distributed on an "AS IS" BASIS, - WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - See the License for the specific language governing permissions and - limitations under the License. ---> -<tomcat-users xmlns="http://tomcat.apache.org/xml" - xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" - xsi:schemaLocation="http://tomcat.apache.org/xml tomcat-users.xsd" - version="1.0"> -<!-- - NOTE: By default, no user is included in the "manager-gui" role required - to operate the "/manager/html" web application. If you wish to use this app, - you must define such a user - the username and password are arbitrary. It is - strongly recommended that you do NOT use one of the users in the commented out - section below since they are intended for use with the examples web - application. ---> -<!-- - NOTE: The sample user and role entries below are intended for use with the - examples web application. They are wrapped in a comment and thus are ignored - when reading this file. If you wish to configure these users for use with the - examples web application, do not forget to remove the <!.. ..> that surrounds - them. You will also need to set the passwords to something appropriate. 
---> -<!-- - <role rolename="tomcat"/> - <role rolename="role1"/> - <user username="tomcat" password="<must-be-changed>" roles="tomcat"/> - <user username="both" password="<must-be-changed>" roles="tomcat,role1"/> - <user username="role1" password="<must-be-changed>" roles="role1"/> ---> - - <role rolename="manager-script"/> - <user username="admin" password="IA2lbt09" roles="manager-script"/> -</tomcat-users> - diff --git a/docker/config/vlkb-obscore.datasets.conf b/docker/config/vlkb-obscore.datasets.conf deleted file mode 100644 index 9572cd4..0000000 --- a/docker/config/vlkb-obscore.datasets.conf +++ /dev/null @@ -1,15 +0,0 @@ - -# root of path for local access -fits_path_surveys=/srv/surveys - -# obs_publisher_did = <obscore publisher> ? <generated-pubdid> -obscore_publisher=ivo://ia2.inaf.it/vlkb/datasets - -# full access URL: <obscore_access_url>/<storage-path>/<file-name> -obscore_access_url=https://vlkb-devel.ia2.inaf.it:8443/vlkb/datasets/surveys -obscore_access_format=application/fits - -# logging (holds last exec only) -# log_dir=/tmp -# log_filename=vlkb-obscore.log - diff --git a/docker/config/vlkbd.datasets.conf b/docker/config/vlkbd.datasets.conf deleted file mode 100644 index bccc418..0000000 --- a/docker/config/vlkbd.datasets.conf +++ /dev/null @@ -1,10 +0,0 @@ - -# path to original files -fits_path_surveys=/srv/surveys -# path to generated cutouts -fits_path_cutouts=/srv/cutouts - -# logging records last request only -# log_dir=/tmp -# log_filename=vlkbd.log - diff --git a/docker/ast-9.2.9.tar.gz b/docker/deps/ast-9.2.9.tar.gz similarity index 100% rename from docker/ast-9.2.9.tar.gz rename to docker/deps/ast-9.2.9.tar.gz diff --git a/docker/ast_9.2.9-1_amd64.deb b/docker/deps/ast_9.2.9-1_amd64.deb similarity index 100% rename from docker/ast_9.2.9-1_amd64.deb rename to docker/deps/ast_9.2.9-1_amd64.deb 
diff --git a/docker/postgresql-42.2.5.jar b/docker/deps/postgresql-42.2.5.jar similarity index 100% rename from docker/postgresql-42.2.5.jar rename to docker/deps/postgresql-42.2.5.jar diff --git a/docker/vlkbd_exec.sh b/docker/deps/vlkbd_exec.sh similarity index 100% rename from docker/vlkbd_exec.sh rename to docker/deps/vlkbd_exec.sh diff --git a/docker/entrypoint.sh b/docker/entrypoint.sh index 8550095..f15a97a 100755 --- a/docker/entrypoint.sh +++ b/docker/entrypoint.sh @@ -30,13 +30,13 @@ echo "CATALINA_TMPDIR : "$CATALINA_TMPDIR ######################################################################### ## configure vlkb-tools + if test -n "$VLKBOBSCORE_PG_URI" then echo "pg_uri=$VLKBOBSCORE_PG_URI" >> $INST_DIR/etc/vlkb-obscore/datasets.conf echo "pg_schema=datasets" >> $INST_DIR/etc/vlkb-obscore/datasets.conf fi - ## configure VLKB access cp $WEBAPP_DIR/META-INF/context.xml $CATALINA_BASE/conf/Catalina/localhost/$ACCESS_CONTEXT_ROOT.xml 
@@ -90,62 +90,25 @@ then fi +#### Security -if test -n "$SECURITY" -then - cd $WEBAPP_DIR/WEB-INF/ && rm -f web.xml && cp web-cutout-$SECURITY.xml web.xml && cd - - echo "db_uri=$AUTH_DB_URI" > $WEBAPP_DIR/WEB-INF/classes/authpolicy.properties - echo "db_schema=$AUTH_DB_SCHEMA" >> $WEBAPP_DIR/WEB-INF/classes/authpolicy.properties - echo "db_user_name=$AUTH_DB_USERNAME" >> $WEBAPP_DIR/WEB-INF/classes/authpolicy.properties - echo "db_password=$AUTH_DB_PASSWORD" >> $WEBAPP_DIR/WEB-INF/classes/authpolicy.properties -fi - -# configure access-token validation -if test -f /srv/surveys/iamtoken.properties -then - cp /srv/surveys/iamtoken.properties $WEBAPP_DIR/WEB-INF/classes/ -fi - -# configure port/SSL connector: (path is relative to the dir where compose.yaml is -# - web.xml to run filters set above -# * ssl: set tomcat connector with certificates (ia2 needs SECTIGO, iam needs self-signed keystore.jks) -# * keep right jjwt*.jar libs (ia2 authlib needs v0.11, iam needs v0.12) -# assume all files in ssl sub-dir relative to where compose.yaml is -# set volume mapping in compose.yaml: ssl/ -> /etc/pki/tls/ case $SECURITY in ia2token) - #cp ssl/server-connector-8443.xml-SECTIGO-vlkb_ia2_inaf_it /etc/tomcat9/server-connector-8443.xml - cp /root/ssl/server-connector-8443.xml /etc/tomcat9/server-connector-8443.xml - # map volume instead of this: cp -r ssl/SECTIGO /etc/pki/tls/ - rm /webapps/vlkb-cutout/WEB-INF/lib/jjwt-*0.12*.jar + cd $WEBAPP_DIR/WEB-INF/ && rm -f web.xml && cp web-cutout-$SECURITY.xml web.xml && cd - + cp /etc/pki/tls/server-connector.xml /etc/tomcat9/ + cp /etc/pki/tls/auth*.properties $WEBAPP_DIR/WEB-INF/classes/ + rm -f /webapps/vlkb-cutout/WEB-INF/lib/jjwt-*0.12*.jar ;; iamtoken) - #cp ssl/server-connector-8443.xml-keystore-self-signed /etc/tomcat9/server-connector-8443.xml - cp /root/ssl/server-connector-8443.xml /etc/tomcat9/server-connector-8443.xml - # map volume somedir:/etc/pki/tls with somedir/{keystore.jks,SECTIGO/*} XXX cp ssl/keystore.jks 
/etc/pki/tls/ - rm /webapps/vlkb-cutout/WEB-INF/lib/jjwt-*0.11*.jar + cd $WEBAPP_DIR/WEB-INF/ && rm -f web.xml && cp web-cutout-$SECURITY.xml web.xml && cd - + cp /etc/pki/tls/server-connector.xml /etc/tomcat9/ + cp /etc/pki/tls/iamtoken.properties $WEBAPP_DIR/WEB-INF/classes/ + rm -f /webapps/vlkb-cutout/WEB-INF/lib/jjwt-*0.11*.jar ;; *) echo "Security not configured, runs open." ;; esac -# -#if test -f /srv/surveys/keystore.jks -#then -# cp /srv/surveys/keystore.jks /root/ -#fi -#if test -f /srv/surveys/server-connector-8443.xml /etc/tomcat9/ -#then -# cp /srv/surveys/server-connector-8443.xml /etc/tomcat9/ -#fi -# -if test -n "$SECURITY" -then - cd /etc/tomcat9/ && ln -s server-connector-8443.xml server-connector.xml && cd - -else - cd /etc/tomcat9/ && ln -s server-connector-8080.xml server-connector.xml && cd - -fi - ######################################################################### diff --git a/docker/compose-example-ska-soda.yaml b/docker/example-compose-ska-soda.yaml similarity index 100% rename from docker/compose-example-ska-soda.yaml rename to docker/example-compose-ska-soda.yaml diff --git a/docker/compose-example-vlkb.yaml b/docker/example-compose-vlkb.yaml similarity index 100% rename from docker/compose-example-vlkb.yaml rename to docker/example-compose-vlkb.yaml diff --git a/docker/example-security/README.tex b/docker/example-security/README.tex new file mode 100644 index 0000000..8352fe1 --- /dev/null +++ b/docker/example-security/README.tex 
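Review bot: Neither case branch verifies that the volume-provided files exist before use, so when the `/etc/pki/tls` mount is missing or incomplete `cp /etc/pki/tls/server-connector.xml /etc/tomcat9/` fails after `web.xml` has already been swapped for the token filter, and Tomcat starts on the plain-HTTP connector preinstalled by the Dockerfile's `COPY deps/server.xml deps/server-connector.xml /etc/tomcat9/` while accepting bearer tokens in clear — unless the script runs under `set -e`, which would be in the header outside this hunk. A fail-closed check before each branch touches web.xml avoids that and gives a clear error instead of a half-configured container. The `cd $WEBAPP_DIR/WEB-INF/ && rm -f web.xml && cp web-cutout-$SECURITY.xml web.xml && cd -` and connector-copy lines are duplicated verbatim across both branches and could be shared. The case statement is complete inside the hunk.
```shell
#### Security
# Fail closed: the token filter (web.xml) must not be enabled while Tomcat
# still listens on the image's preconfigured plain-HTTP connector.
require_tls_file() {
   test -f "/etc/pki/tls/$1" || { echo "SECURITY=$SECURITY: /etc/pki/tls/$1 missing (check the volume mapping)" >&2; exit 1; }
}
case $SECURITY in
   ia2token)
      require_tls_file server-connector.xml
      require_tls_file authpolicy.properties
      # … unchanged: web.xml swap, connector copy, auth*.properties copy, jjwt-*0.12* removal …
      ;;
   iamtoken)
      require_tls_file server-connector.xml
      require_tls_file iamtoken.properties
      # … unchanged: web.xml swap, connector copy, iamtoken.properties copy, jjwt-*0.11* removal …
      ;;
   # … unchanged: default branch …
esac
```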
@@ -0,0 +1,31 @@
+
+# notes on security:
+# set volume mapping in compose.yaml: security/ -> /etc/pki/tls/
+# configure port/SSL connector: (path is relative to the dir where compose.yaml is
+# * server-connector.xml : set tomcat connector with certificates
+# -- ia2 needs SECTIGO
+# -- iam needs self-signed keystore.jks
+# * keep right jjwt*.jar libs (ia2 authlib needs v0.11, iam needs v0.12)
+# FIXME implement *.properties and server-connector.xml by paramters
+
+
+
+#### Security
+# SSL-certificates are site-dependent and must be regularly updated:
+# vlkb-cutout expects them in /etc/pki/tls
+#
+# map volume: ./security:/etc/pki/tls:z,ro
+#
+# ia2token:
+# auth.propeties
+# authpolicy.properties
+# server-connector.xml
+# SECTIGO/*
+#
+# iamtoken:
+# iamtoken.properties
+# server-connector.xml
+# keystore.jks
+#
+
+
diff --git a/docker/ssl/keystore.jks b/docker/example-security/garrtoken/keystore.jks
similarity index 100%
rename from docker/ssl/keystore.jks
rename to docker/example-security/garrtoken/keystore.jks
diff --git a/docker/example-security/garrtoken/neatoken.properties b/docker/example-security/garrtoken/neatoken.properties
new file mode 100644
index 0000000..839e15d
--- /dev/null
+++ b/docker/example-security/garrtoken/neatoken.properties
@@ -0,0 +1,10 @@
+
+# certificates endpoint
+jwks_url=
+
+# account created for the service
+resource_id=
+
+# username for non-authenticated requests
+non_authn_username=anonymous
+
diff --git a/docker/ssl/server-connector-8443.xml-self-signed-keystore-jks b/docker/example-security/garrtoken/server-connector-8443.xml-self-signed-keystore-jks
similarity index 100%
rename from docker/ssl/server-connector-8443.xml-self-signed-keystore-jks
rename to docker/example-security/garrtoken/server-connector-8443.xml-self-signed-keystore-jks
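Review bot: `garrtoken/neatoken.properties` has no consumer: the entrypoint's `case $SECURITY` in this commit handles only `ia2token` and `iamtoken`, and the new README.tex documents the same two layouts, so a deployment using this directory falls into the default branch and runs without the token filter (`Security not configured, runs open.`). Either add a branch that installs `neatoken.properties` together with the matching connector file, or mark the directory as unsupported in README.tex. A header line in the template would also make the intended use visible, e.g. `# used with SECURITY=<value> -- see ../README.tex` with the value filled in once the entrypoint supports it.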
diff --git a/docker/config/auth.properties b/docker/example-security/ia2token/auth.properties
similarity index 100%
rename from docker/config/auth.properties
rename to docker/example-security/ia2token/auth.properties
diff --git a/docker/example-security/ia2token/authpolicy.properties b/docker/example-security/ia2token/authpolicy.properties
new file mode 100644
index 0000000..d1d5756
--- /dev/null
+++ b/docker/example-security/ia2token/authpolicy.properties
@@ -0,0 +1,7 @@
+# database for table with permissions
+db_uri=
+db_schema=
+db_user_name=
+db_password=
+
+
diff --git a/docker/ssl/server-connector-8443.xml-SECTIGO-vlkb.ia2.inaf.it b/docker/example-security/ia2token/server-connector-8443.xml-SECTIGO-vlkb.ia2.inaf.it
similarity index 100%
rename from docker/ssl/server-connector-8443.xml-SECTIGO-vlkb.ia2.inaf.it
rename to docker/example-security/ia2token/server-connector-8443.xml-SECTIGO-vlkb.ia2.inaf.it
diff --git a/docker/example-security/iamtoken/iamtoken.properties b/docker/example-security/iamtoken/iamtoken.properties
new file mode 100644
index 0000000..d275d68
--- /dev/null
+++ b/docker/example-security/iamtoken/iamtoken.properties
@@ -0,0 +1,13 @@
+
+# certificates endpoint
+#jwks_url=
+introspect=
+client_name=
+client_password=
+
+# account created for the service
+resource_id=
+
+# username for non-authenticated requests
+non_authn_username=anonymous
+
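Review bot: These two templates (`ia2token/authpolicy.properties` here and `iamtoken/iamtoken.properties` in the following hunk) are meant to be copied and filled with real credentials (`db_password=`, `client_password=`), and the `config/` files this commit deletes show that filled-in copies previously ended up committed. A header comment telling the operator where the filled copy belongs would reduce that risk, e.g. `# template: copy outside the repository, fill in, and mount read-only under /etc/pki/tls (see README.tex)`. In iamtoken.properties `#jwks_url=` is left commented while `introspect=` is active; a comment saying which of the two the filter expects, or whether both may be set, would save a misconfiguration.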
diff --git a/docker/example-security/iamtoken/keystore.jks b/docker/example-security/iamtoken/keystore.jks new file mode 100644 index 0000000000000000000000000000000000000000..57c469584925bdc3de5f6919123d67c5a3189560 GIT binary patch literal 2696 zcmXqL;%Z@HWHxBx(qrS)YV&CO&dbQoxS)wko~4OP+MtO`+@Ohd9f}m|e3mBG*#=Fl z(+!$fC$n)wb@6a9GA(FgbuegRwJ}J8>tN+Ih%~T3aCr>0Swwoy-!5T2an-bV!Exr7 z`d^OPRCARwF{ukMF)A4FuyH_4Wa4CHFpy>AOlb39Ol4+a)M62s`ut~rMp<C0t-bE! zt@o5ISejTa1ahn>+!lHH;AKVoV_{B{oEG^p);+iq(aRZHZx^xcJ^NOZ`*S~i@MaRd zmnO)+=3@COojI@V<jk%FrS3gG|J>%e6CeK7o^e8hKcU&Gx5W4VH%<eepX=-|ShC;P zCG)Sxk5ME;b?1U`1EbaNMLxB2uuRS4t9s1hn44`Se9U?E0psFRF-5-bmhIjqF`e=C zPs7|5@gFT_8yu~k7_n}uC*PdnlwJE*{rR^1>z6LiMSdZtxGz`CiMPM1t=-o6$N0gw zuKm_+FDg$xo)K97Ead-(6LY-lp3b#itj}{<tVH7YTa!Oo+s_%Vu-MMq|MSy6NB>`G zp*}W?_|Gt`O^M8@v0!cRxwKiN+#smnBhTA=r?gV6jRelm*md#zjR}4K?;hEdeyTK$ zBbQ<K+g+|xuPNm@S>z{I&FAP6WU+Uc#`5aTGryaWs#*G31xm%IRO|PvS4S+cxy!Dw zCC>28ZOsbZSz8ly#eVfXdY9R3rx(o`CU)oFVlnp87y573+>J@QnJy6jA(ipb+Wc&Z zr@mX2^_I<v$y&5F!T)i?sT;zFrp1b`{mD9G<)#h!O4A>`Ia%Pt7=K&S^tLsB<^uWF zDPracLLQj`e6=~b_WFxwst8tBUCX~N-x_mOCoe#K%`^8;6Y|+Fzk0~Df2rN8Bac=^ zgqA<f@hvz~bEa5do;%XftLv7EzHQwc)~!5uF1=0Rcr{^L=0~~avOAI=d`*=^w@E!X z!FITUJM824uV-soJmusHzAwDDI6S7N)6R6=Q?6Mpzck{C;zLaQ0(cxu-5xKPDbqIN z_=hX=w%&cYPGHm7-hRQIg&w~HcK(03?75dC$AxtHFRR4P%9p4WtEH9fl74%U<x`S( zOHNyyadbkZsGGtGRuLV?s7veTC_6Wl%szW}`tRwnQR$-3lEkwgU5@e-RJ_?-H2LSF zlbN&ryWTdeI6ccmAbic#4GH?yhwe|fJvES<x30A68RurL<#&P%ryqVadr#Z>=xZ?( z7Q1e{92<G}+2bh*N)1*r#j`ec8ZpK?g&J_)bC@E?|3|1sH0V8xl?d<V|9biiZ3(k- zO%57=j;Iz7+VMtAyLH_=@f*T|ueiTmm2`R&@#(gFjQ*0QPw|(Pw|9Fiy5AA-{O_g* zt$EkxGJMvG4cKuqqd#Wr`j!8E3y;+sg@698mgDSnS0?L@_?v&S!NRNODVknTGTZCE z;=wA-=?ND?=UZ;i_M5!l<>B9w2eLbPf6a6WbBNhlZ1ksi|2e(2ytf1-Ht#UDFs%9& z)DdGP;Wy`A-l<I{{j2|3iHdQiMxByg)>`(h@VDTFWBk7=?i$Uy<Xs(I(&v4o;a@H@ z@0w-VicBS*i&SH+&ous8aD4LwQ$;nQSx0$~++#`Zf0o%@bmCdb7wNuZCmeYetQCt* z5n(sdQO{jr{a|ihc4FaL=gV9QJx?ZX+{aV%dUr_#=aplbHN4_sZ<RD2T@~|KJ+JIQ zU_ZBM#r0qJ=I$2Q6lL7*W$4Q*Tk8?Hh^uMg_f6N$72f+j+r3mjAobVIhe6G9)~2k= 
zx0g&jD)oHQvs<Et!aap+?Y2(b%TxTG<9D}X-jDUOIUg8Hr$6t~3$HAf+W*I;B1@ZP zR(ST#P0<V7V)o2ToFw$>fT*GU?G3hfr>VDGJ@(}B%#f;JON(_c4ILZYT)6uFnK<2@ zzU_Lwx1oc9G`zUv6fxwJ<6$Ua$Y;o9NM=Z6C^1k(NQxSYun2`@=B6qbnj4rKnHZXz zTNoOf88opZ!WFTzEofp1GH7D)V`5}5Xku|k$S@KrrVUNR8tg8{Oq{+WtjVU~!q$BE z+)u<5(`;rl9Pc)=mIU<jGW}Q~pwiI9e1UnEwfv`uDSC>twrbC?{wmYp<o)i9i;4fi z636pr?%egtn%EW7tjAx_qszf@_~wg$Rdpv01)pxwIJfWjniKU|JVE!>3rqGl1swfl zz!Tn>y>yxJj0vlHCfNEPJCkM;buLNqYFPU}%Ps%hF7*p-;B=dH@pf;?N29XLoQ5ll z)=s&){hP#+Ni*H0{oCyo#HQalcqq>xtbX-DKB1M{lKNC_mwaCkrMt$~Id4^pZQ--H z7l$}QZ_RIuR{Xb3oFP=yoo739fw-T9`xgHnZc|saE0{4}czRHD$L*c(U4PluT>6pR z<9H>{$H>^yWY1>Rv)+nx4;|9foG_y>`@&h<<b9$a{|j6Hm3yaiI;r8<6{fBn*R}OG zpK9(4o*J04l6%drnd*_Myh)~U!c%wb{C4kE%Blc0&!k;G_x6~%XLAYPTw!c9i*s*h z{+pw1QvKV%uijngy?SZn^gh|pXI{GZ4+*@HdZ`-T(DB?n?Du)L%T=D1s$Un}P@M2Y z-Se@)d95|~m*mCOYTe*2Zri&{l}AFy#OD>mixvqVk7ueU)~vmmbjGDG!NJy1VAuAw zUu=s$E-9}%%EGg4wbIl}QU~;&uDO0|(lh4oZ0xKB0oD6bIa~iV|8bw{WbByaRFln= zB=hO@!IjHcm;yUnt2_Jl_OymDcOTK8Q>UP`KVQ6HN8SG2oDP#Gvi_|u+4N9$vY(;> zNB+IzoSi2>J+hF0pRwclQ;Xa*0k1<2{d>-D4r{u1%#!u}2Iqs8C9f)0AIs@$y!m>j zw1zT2&j+9W!fz>4JVi^dTZPAZ-*K3fp&2Z4@YKa}qw^WAQ{+6g<@^t>c2MJ0ekI7? zz~<d>G=p{4t<aJ$O9KwK1ov5QIVBUe_YBY0_Lhmp!ZFLHyc4$gzFPU;T_y47CuS); zb18c2z}Vp*_>-$__3t&M;$6J*Np>2Ol7g09ne$=k2X@!2PvxlsFHKheUl#DaNBzOf zRJCWf4Ekr?Rr~ru!|%qIz5fnX?)_C_6&YRCT*r1nLjQa7;(yHIMYkTS`=^z!H+fX| zA>s5SIW4~D=PXiodanNXeNkI{z|wBki?!G0+Ff|Sf9314_YYTpT&VnCIXIj@(D%&B zYqtVFC1f15tI~XU_0YMSS>4g~49?-24l!@uDC_E*ecDvV+}WU+%O4#P=rL)zX>$W- z!o9c&m;SClxa7!Eo+;d-5%<KiKHgiD@#Ds1gHsF>G#mX-H;CQo5f7<~PxI+!_mt32 zzZupvf9Lr-;??z%o0k1kulw2j>wQmEV8Ap{#kZ@U_<uSlY<K)Z{-f*fy_+RcV$@#l zinWRgcpLqF$E^Jqd<}dJ3=MeUturP@Rt6S@-?FC)u3bHt@gO}({=|PNzm*J2?+du{ o78dPcduDHt`kY0i{>&}rGm2)c6BLvDcHaLmsW$e|9#D}20F5WYiU0rr literal 0 HcmV?d00001 
diff --git a/docker/ssl/server-connector-8443.xml-self-signed-keystore-jks-ORIG b/docker/example-security/iamtoken/server-connector-8443.xml-self-signed-keystore-jks similarity index 85% rename from docker/ssl/server-connector-8443.xml-self-signed-keystore-jks-ORIG rename to docker/example-security/iamtoken/server-connector-8443.xml-self-signed-keystore-jks index 323456a..02ca450 100644 --- a/docker/ssl/server-connector-8443.xml-self-signed-keystore-jks-ORIG +++ b/docker/example-security/iamtoken/server-connector-8443.xml-self-signed-keystore-jks @@ -3,7 +3,7 @@ <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" /> <SSLHostConfig> <Certificate certificateKeyAlias="tomcat" - certificateKeystoreFile="/root/keystore.jks" + certificateKeystoreFile="/etc/pki/tls/keystore.jks" certificateKeystorePassword="tomcatskassl" type="RSA" /> </SSLHostConfig> diff --git a/docker/ssl/How to generate a self-signed SSL certificate using OpenSSL - Stack Overflow.pdf b/docker/example-security/ssl/How to generate a self-signed SSL certificate using OpenSSL - Stack Overflow.pdf similarity index 100% rename from docker/ssl/How to generate a self-signed SSL certificate using OpenSSL - Stack Overflow.pdf rename to docker/example-security/ssl/How to generate a self-signed SSL certificate using OpenSSL - Stack Overflow.pdf diff --git a/docker/ssl/How to use OpenSSL and the Internet PKI on Linux systems Enable Sysadmin.pdf b/docker/example-security/ssl/How to use OpenSSL and the Internet PKI on Linux systems Enable Sysadmin.pdf similarity index 100% rename from docker/ssl/How to use OpenSSL and the Internet PKI on Linux systems Enable Sysadmin.pdf rename to docker/example-security/ssl/How to use OpenSSL and the Internet PKI on Linux systems Enable Sysadmin.pdf diff --git a/docker/ssl/Makefile b/docker/example-security/ssl/Makefile similarity index 100% rename from docker/ssl/Makefile rename to docker/example-security/ssl/Makefile 
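Review bot: The keystore password stays hard-coded as context on this hunk (`certificateKeystorePassword="tomcatskassl"`), and this commit adds the matching `docker/example-security/iamtoken/keystore.jks` beside it, so anyone with repository access holds both the key material and its password. For an example file, replace the value with an obvious placeholder such as `certificateKeystorePassword="<keystore-password>"`, or use Tomcat's `${property}` substitution with the value passed at run time, so the real password lives only in the mounted copy; if the committed keystore is a throwaway self-signed key, say so in README.tex. The sibling `garrtoken/server-connector-8443.xml-self-signed-keystore-jks` is renamed with 100% similarity, so whether it already points at `/etc/pki/tls/keystore.jks` rather than `/root/keystore.jks` is worth checking, since the new entrypoint copies nothing to /root.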
diff --git a/docker/ssl/server-connector-8080.xml b/docker/ssl/server-connector-8080.xml deleted file mode 100644 index 2917f61..0000000 --- a/docker/ssl/server-connector-8080.xml +++ /dev/null @@ -1,3 +0,0 @@ - <Connector port="8080" protocol="HTTP/1.1" - connectionTimeout="20000" /> - diff --git a/docker/ssl/server-connector-8443.xml b/docker/ssl/server-connector-8443.xml deleted file mode 100644 index 1ad6147..0000000 --- a/docker/ssl/server-connector-8443.xml +++ /dev/null @@ -1,11 +0,0 @@ - <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol" - sslImplementationName="org.apache.tomcat.util.net.jsse.JSSEImplementation" - maxThreads="150" SSLEnabled="true"> - <SSLHostConfig> - <Certificate certificateKeyFile="/etc/pki/tls/SECTIGO/vlkb_ia2_inaf_it.key" - certificateFile="/etc/pki/tls/SECTIGO/vlkb_ia2_inaf_it.crt" - certificateChainFile="/etc/pki/tls/SECTIGO/CA.crt" - type="RSA" /> - </SSLHostConfig> - </Connector> - diff --git a/docker/ssl/server-connector.xml b/docker/ssl/server-connector.xml deleted file mode 100644 index 1ad6147..0000000 --- a/docker/ssl/server-connector.xml +++ /dev/null @@ -1,11 +0,0 @@ - <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol" - sslImplementationName="org.apache.tomcat.util.net.jsse.JSSEImplementation" - maxThreads="150" SSLEnabled="true"> - <SSLHostConfig> - <Certificate certificateKeyFile="/etc/pki/tls/SECTIGO/vlkb_ia2_inaf_it.key" - certificateFile="/etc/pki/tls/SECTIGO/vlkb_ia2_inaf_it.crt" - certificateChainFile="/etc/pki/tls/SECTIGO/CA.crt" - type="RSA" /> - </SSLHostConfig> - </Connector> - diff --git a/docker/ssl/server.xml b/docker/ssl/server.xml deleted file mode 100644 index 3ea1423..0000000 --- a/docker/ssl/server.xml +++ /dev/null 
@@ -1,39 +0,0 @@ -<?xml version="1.0" encoding="UTF-8"?> - -<!DOCTYPE server-xml [ - <!ENTITY connector-config SYSTEM "server-connector.xml"> -]> - -<Server port="-1" shutdown="SHUTDOWN"> - <Listener className="org.apache.catalina.startup.VersionLoggerListener" /> - <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" /> - <Listener className="org.apache.catalina.core.JreMemoryLeakPreventionListener" /> - <Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener" /> - <Listener className="org.apache.catalina.core.ThreadLocalLeakPreventionListener" /> - - <GlobalNamingResources> - <Resource name="UserDatabase" auth="Container" - type="org.apache.catalina.UserDatabase" - description="User database that can be updated and saved" - factory="org.apache.catalina.users.MemoryUserDatabaseFactory" - pathname="conf/tomcat-users.xml" /> - </GlobalNamingResources> - - <Service name="Catalina"> - - &connector-config; - - <Engine name="Catalina" defaultHost="localhost"> - <Realm className="org.apache.catalina.realm.LockOutRealm"> - <Realm className="org.apache.catalina.realm.UserDatabaseRealm" - resourceName="UserDatabase"/> - </Realm> - <Host name="localhost" appBase="webapps" - unpackWARs="true" autoDeploy="true"> - <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs" - prefix="localhost_access_log" suffix=".txt" - pattern="%h %l %u %t "%r" %s %b" /> - </Host> - </Engine> - </Service> -</Server> -- GitLab