diff --git a/integration-tests/docker/environment-configs/common b/integration-tests/docker/environment-configs/common
index 592246bc948..11853adf733 100644
--- a/integration-tests/docker/environment-configs/common
+++ b/integration-tests/docker/environment-configs/common
@@ -39,7 +39,7 @@ druid_auth_authorizers=["basic"]
 druid_client_https_certAlias=druid
 druid_client_https_keyManagerPassword=druid123
 druid_client_https_keyStorePassword=druid123
-druid_client_https_keyStorePath=/tls/server.jks
+druid_client_https_keyStorePath=/tls/server.p12
 druid_client_https_protocol=TLSv1.2
 druid_client_https_trustStoreAlgorithm=PKIX
 druid_client_https_trustStorePassword=druid123
@@ -56,8 +56,8 @@ druid_server_http_allowedHttpMethods=["OPTIONS"]
 druid_server_https_certAlias=druid
 druid_server_https_keyManagerPassword=druid123
 druid_server_https_keyStorePassword=druid123
-druid_server_https_keyStorePath=/tls/server.jks
-druid_server_https_keyStoreType=jks
+druid_server_https_keyStorePath=/tls/server.p12
+druid_server_https_keyStoreType=PKCS12
 druid_server_https_requireClientCertificate=true
 druid_server_https_trustStoreAlgorithm=PKIX
 druid_server_https_trustStorePassword=druid123
diff --git a/integration-tests/docker/environment-configs/common-ldap b/integration-tests/docker/environment-configs/common-ldap
index 418ae108660..425627be260 100644
--- a/integration-tests/docker/environment-configs/common-ldap
+++ b/integration-tests/docker/environment-configs/common-ldap
@@ -49,7 +49,7 @@ druid_auth_authorizers=["ldapauth"]
 druid_client_https_certAlias=druid
 druid_client_https_keyManagerPassword=druid123
 druid_client_https_keyStorePassword=druid123
-druid_client_https_keyStorePath=/tls/server.jks
+druid_client_https_keyStorePath=/tls/server.p12
 druid_client_https_protocol=TLSv1.2
 druid_client_https_trustStoreAlgorithm=PKIX
 druid_client_https_trustStorePassword=druid123
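Review bot: The client keystore now points at `/tls/server.p12` in both `common` and `common-ldap`, but only `druid_client_https_keyStorePath` changes; unlike the server block, which explicitly sets `druid_server_https_keyStoreType=PKCS12`, no `druid_client_https_keyStoreType` appears in the client hunks. Unless it is set on a line outside these hunks, the client-side store type is left to whatever Druid or the JVM defaults to, and that default is exactly the thing that differs between JDK releases. Adding `druid_client_https_keyStoreType=PKCS12` directly under the keyStorePath line in both files makes the client configuration explicit and symmetric with the server side. The `trustStorePath`/`trustStoreType` settings that pair with these are not in the visible hunks, so I cannot tell whether the truststore was migrated the same way.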
@@ -66,8 +66,8 @@ druid_server_http_allowedHttpMethods=["OPTIONS"]
 druid_server_https_certAlias=druid
 druid_server_https_keyManagerPassword=druid123
 druid_server_https_keyStorePassword=druid123
-druid_server_https_keyStorePath=/tls/server.jks
-druid_server_https_keyStoreType=jks
+druid_server_https_keyStorePath=/tls/server.p12
+druid_server_https_keyStoreType=PKCS12
 druid_server_https_requireClientCertificate=true
 druid_server_https_trustStoreAlgorithm=PKIX
 druid_server_https_trustStorePassword=druid123
diff --git a/integration-tests/docker/tls/generate-expired-client-cert.sh b/integration-tests/docker/tls/generate-expired-client-cert.sh
index 9519dd34d01..6d3291ef76f 100755
--- a/integration-tests/docker/tls/generate-expired-client-cert.sh
+++ b/integration-tests/docker/tls/generate-expired-client-cert.sh
@@ -60,7 +60,7 @@ name_opt = ca_default
 cert_opt = ca_default
 default_days = 365
 default_crl_days= 30
-default_md = default
+default_md = sha256
 preserve = no
 policy = policy_match
 serial = certs.seq
@@ -118,10 +118,10 @@ rm -rf certs.seq echo 11111115 > certs.seq # Generate a client certificate for this machine -openssl genrsa -out expired_client.key 1024 +openssl genrsa -out expired_client.key 4096 openssl req -new -out expired_client.csr -key expired_client.key -reqexts req_ext -config expired_csr.conf openssl ca -batch -config root_for_expired_client.cnf -policy policy_loose -out expired_client.pem -outdir . -startdate 101010000000Z -enddate 101011000000Z -extensions v3_ca -cert root.pem -keyfile root.key -infiles expired_client.csr # Create a Java keystore containing the generated certificate openssl pkcs12 -export -in expired_client.pem -inkey expired_client.key -out expired_client.p12 -name expired_client -CAfile root.pem -caname druid-it-root -password pass:druid123 -keytool -importkeystore -srckeystore expired_client.p12 -srcstoretype PKCS12 -destkeystore expired_client.jks -deststoretype JKS -srcstorepass druid123 -deststorepass druid123 +keytool -importkeystore -srckeystore expired_client.p12 -srcstoretype PKCS12 -destkeystore expired_client.jks -deststoretype pkcs12 -srcstorepass druid123 -deststorepass druid123 diff --git a/integration-tests/docker/tls/generate-good-client-cert.sh b/integration-tests/docker/tls/generate-good-client-cert.sh index 63d3175bf6e..e8293529214 100755 --- a/integration-tests/docker/tls/generate-good-client-cert.sh +++ b/integration-tests/docker/tls/generate-good-client-cert.sh 
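Review bot: The changed `keytool -importkeystore` line now reads `expired_client.p12` and writes a PKCS12 store to `expired_client.jks`, so the output is a duplicate of its input under an extension that no longer describes its format. `generate-server-certs-and-keystores.sh` in this same change simply drops the conversion step and keeps only the `.p12`; doing the same here and pointing whatever test loads `expired_client.jks` (not in this diff) at `expired_client.p12` avoids a misleadingly named file. Separately, the `openssl ca` invocation two lines above gets its signature digest from the `default_md = sha256` set earlier in this script's heredoc rather than from the command line; passing `-md sha256` on the `openssl ca` line as well would make the digest choice visible where the certificate is actually issued.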
@@ -50,13 +50,13 @@ DNS.2 = localhost EOT # Generate a client certificate for this machine -openssl genrsa -out client.key 1024 +openssl genrsa -out client.key 4096 openssl req -new -out client.csr -key client.key -reqexts req_ext -config csr.conf openssl x509 -req -days 3650 -in client.csr -CA root.pem -CAkey root.key -set_serial 0x11111111 -out client.pem -sha256 -extfile csr.conf -extensions req_ext # Create a Java keystore containing the generated certificate openssl pkcs12 -export -in client.pem -inkey client.key -out client.p12 -name druid -CAfile root.pem -caname druid-it-root -password pass:druid123 -keytool -importkeystore -srckeystore client.p12 -srcstoretype PKCS12 -destkeystore client.jks -deststoretype JKS -srcstorepass druid123 -deststorepass druid123 +keytool -importkeystore -srckeystore client.p12 -srcstoretype PKCS12 -destkeystore client.jks -deststoretype pkcs12 -srcstorepass druid123 -deststorepass druid123 # Create a Java truststore with the druid test cluster root CA keytool -import -alias druid-it-root -keystore truststore.jks -file root.pem -storepass druid123 -noprompt diff --git a/integration-tests/docker/tls/generate-incorrect-hostname-client-cert.sh b/integration-tests/docker/tls/generate-incorrect-hostname-client-cert.sh index 2d224dcea85..996aab19560 100755 --- a/integration-tests/docker/tls/generate-incorrect-hostname-client-cert.sh +++ b/integration-tests/docker/tls/generate-incorrect-hostname-client-cert.sh 
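Review bot: The truststore command two lines below the changed keytool line is untouched, `keytool -import -alias druid-it-root -keystore truststore.jks -file root.pem -storepass druid123 -noprompt`, and it passes no `-storetype`, so the real format of `truststore.jks` is the running JDK's default keystore type rather than what the `.jks` name implies. Since this change standardises the keystores on PKCS12, adding `-storetype PKCS12` there (and ideally naming the file `truststore.p12`) keeps the truststore in the same explicitly chosen format; the `druid_*_https_trustStorePath`/`trustStoreType` settings that consume it are outside this diff and would need the matching update. The changed `-destkeystore client.jks -deststoretype pkcs12` line has the same extension/type mismatch, and since `client.p12` already exists the conversion could be dropped as it was for the server keystore.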
@@ -46,11 +46,11 @@ DNS.1 = thisisprobablywrongtoo EOT -openssl genrsa -out invalid_hostname_client.key 1024 +openssl genrsa -out invalid_hostname_client.key 4096 openssl req -new -out invalid_hostname_client.csr -key invalid_hostname_client.key -reqexts req_ext -config invalid_hostname_csr.conf openssl x509 -req -days 3650 -in invalid_hostname_client.csr -CA root.pem -CAkey root.key -set_serial 0x11111112 -out invalid_hostname_client.pem -sha256 -extfile invalid_hostname_csr.conf -extensions req_ext # Create a Java keystore containing the generated certificate openssl pkcs12 -export -in invalid_hostname_client.pem -inkey invalid_hostname_client.key -out invalid_hostname_client.p12 -name invalid_hostname_client -CAfile root.pem -caname druid-it-root -password pass:druid123 -keytool -importkeystore -srckeystore invalid_hostname_client.p12 -srcstoretype PKCS12 -destkeystore invalid_hostname_client.jks -deststoretype JKS -srcstorepass druid123 -deststorepass druid123 +keytool -importkeystore -srckeystore invalid_hostname_client.p12 -srcstoretype PKCS12 -destkeystore invalid_hostname_client.jks -deststoretype pkcs12 -srcstorepass druid123 -deststorepass druid123 diff --git a/integration-tests/docker/tls/generate-invalid-intermediate-client-cert.sh b/integration-tests/docker/tls/generate-invalid-intermediate-client-cert.sh index 2016b810c5e..ea65e786f98 100755 --- a/integration-tests/docker/tls/generate-invalid-intermediate-client-cert.sh +++ b/integration-tests/docker/tls/generate-invalid-intermediate-client-cert.sh 
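Review bot: `-destkeystore invalid_hostname_client.jks -deststoretype pkcs12` writes a PKCS12 file with a `.jks` name, as in the other client scripts; because `invalid_hostname_client.p12` is produced one line earlier with the same contents, the keytool step can be removed and the consumer (outside this diff) switched to the `.p12`. If the `.jks` name must stay for now, a one-line comment such as `# NOTE: PKCS12 despite the .jks extension; consumers must load it with storetype PKCS12` above the keytool line will save the next reader from assuming the extension is the format.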
@@ -45,7 +45,7 @@ IP.1 = 9.9.9.9 EOT # Generate a bad intermediate certificate -openssl genrsa -out invalid_ca_intermediate.key 1024 +openssl genrsa -out invalid_ca_intermediate.key 4096 openssl req -new -out invalid_ca_intermediate.csr -key invalid_ca_intermediate.key -reqexts req_ext -config invalid_ca_intermediate.conf openssl x509 -req -days 3650 -in invalid_ca_intermediate.csr -CA root.pem -CAkey root.key -set_serial 0x33333331 -out invalid_ca_intermediate.pem -sha256 -extfile invalid_ca_intermediate.conf -extensions req_ext @@ -81,7 +81,7 @@ DNS.2 = localhost EOT # Generate a client certificate for this machine -openssl genrsa -out invalid_ca_client.key 1024 +openssl genrsa -out invalid_ca_client.key 4096 openssl req -new -out invalid_ca_client.csr -key invalid_ca_client.key -reqexts req_ext -config invalid_ca_client.conf openssl x509 -req -days 3650 -in invalid_ca_client.csr -CA invalid_ca_intermediate.pem -CAkey invalid_ca_intermediate.key -set_serial 0x33333333 -out invalid_ca_client.pem -sha256 -extfile invalid_ca_client.conf -extensions req_ext @@ -91,4 +91,4 @@ cat invalid_ca_intermediate.pem >> invalid_ca_client.pem # Create a Java keystore containing the generated certificate openssl pkcs12 -export -in invalid_ca_client.pem -inkey invalid_ca_client.key -out invalid_ca_client.p12 -name invalid_ca_client -CAfile invalid_ca_intermediate.pem -caname druid-it-root -password pass:druid123 -keytool -importkeystore -srckeystore invalid_ca_client.p12 -srcstoretype PKCS12 -destkeystore invalid_ca_client.jks -deststoretype JKS -srcstorepass druid123 -deststorepass druid123 +keytool -importkeystore -srckeystore invalid_ca_client.p12 -srcstoretype PKCS12 -destkeystore invalid_ca_client.jks -deststoretype pkcs12 -srcstorepass druid123 -deststorepass druid123 diff --git a/integration-tests/docker/tls/generate-server-certs-and-keystores.sh b/integration-tests/docker/tls/generate-server-certs-and-keystores.sh index 931b6e4752c..635079149cb 100755 
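Review bot: Both `invalid_ca_intermediate.key` and `invalid_ca_client.key` are bumped to 4096 bits, but the intermediate is still signed with `root.key` on the unchanged `openssl x509 -req ... -CAkey root.key` line, and `root.key` is generated outside this diff. If the root key was not upgraded in the same change, the chain is still only as strong as that root key, so it is worth confirming the root-generation script was touched too. The final `keytool -importkeystore ... -destkeystore invalid_ca_client.jks -deststoretype pkcs12` line repeats the `.jks`-named PKCS12 pattern; since `invalid_ca_client.p12` is written one line earlier, the conversion is redundant and can be dropped once its consumer is pointed at the `.p12`.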
--- a/integration-tests/docker/tls/generate-server-certs-and-keystores.sh +++ b/integration-tests/docker/tls/generate-server-certs-and-keystores.sh @@ -61,13 +61,12 @@ DNS.2 = localhost EOT # Generate a server certificate for this machine -openssl genrsa -out server.key 1024 +openssl genrsa -out server.key 4096 openssl req -new -out server.csr -key server.key -reqexts req_ext -config csr.conf openssl x509 -req -days 3650 -in server.csr -CA root.pem -CAkey root.key -set_serial 0x22222222 -out server.pem -sha256 -extfile csr.conf -extensions req_ext -# Create a Java keystore containing the generated certificate +# Create a Java keystore containing the generated certificate in PKCS12 format openssl pkcs12 -export -in server.pem -inkey server.key -out server.p12 -name druid -CAfile root.pem -caname druid-it-root -password pass:druid123 -keytool -importkeystore -srckeystore server.p12 -srcstoretype PKCS12 -destkeystore server.jks -deststoretype JKS -srcstorepass druid123 -deststorepass druid123 # Create a Java truststore with the druid test cluster root CA keytool -import -alias druid-it-root -keystore truststore.jks -file root.pem -storepass druid123 -noprompt diff --git a/integration-tests/docker/tls/generate-to-be-revoked-client-cert.sh b/integration-tests/docker/tls/generate-to-be-revoked-client-cert.sh index 40588201cb8..d863248d9c9 100755 --- a/integration-tests/docker/tls/generate-to-be-revoked-client-cert.sh +++ b/integration-tests/docker/tls/generate-to-be-revoked-client-cert.sh 
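Review bot: The new comment says the keystore is created `in PKCS12 format`, which is accurate for `server.p12`, but the truststore line right below, `keytool -import -alias druid-it-root -keystore truststore.jks -file root.pem -storepass druid123 -noprompt`, still carries no `-storetype`, so the truststore's format is the JDK default under a `.jks` name. Adding `-storetype PKCS12` there keeps the server's keystore and truststore in one explicitly chosen format. Dropping the `server.jks` conversion also means any config or compose file still mounting `/tls/server.jks` (only `common` and `common-ldap` are updated in this diff) will fail at startup; a grep for `server.jks` across the integration-test tree would confirm nothing else references it. `root.key`, which signs `server.pem` on the unchanged `openssl x509 -req` line, is generated elsewhere, so confirm it was also moved off 1024-bit RSA.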
@@ -52,10 +52,10 @@ DNS.2 = localhost EOT # Generate a client certificate for this machine -openssl genrsa -out revoked_client.key 1024 +openssl genrsa -out revoked_client.key 4096 openssl req -new -out revoked_client.csr -key revoked_client.key -reqexts req_ext -config revoked_csr.conf openssl x509 -req -days 3650 -in revoked_client.csr -CA root.pem -CAkey root.key -set_serial 0x11111113 -out revoked_client.pem -sha256 -extfile revoked_csr.conf -extensions req_ext # Create a Java keystore containing the generated certificate openssl pkcs12 -export -in revoked_client.pem -inkey revoked_client.key -out revoked_client.p12 -name revoked_druid -CAfile root.pem -caname druid-it-root -password pass:druid123 -keytool -importkeystore -srckeystore revoked_client.p12 -srcstoretype PKCS12 -destkeystore revoked_client.jks -deststoretype JKS -srcstorepass druid123 -deststorepass druid123 +keytool -importkeystore -srckeystore revoked_client.p12 -srcstoretype PKCS12 -destkeystore revoked_client.jks -deststoretype pkcs12 -srcstorepass druid123 -deststorepass druid123 diff --git a/integration-tests/docker/tls/generate-untrusted-root-client-cert.sh b/integration-tests/docker/tls/generate-untrusted-root-client-cert.sh index 3773209360d..188617414e4 100755 --- a/integration-tests/docker/tls/generate-untrusted-root-client-cert.sh +++ b/integration-tests/docker/tls/generate-untrusted-root-client-cert.sh 
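Review bot: `-destkeystore revoked_client.jks -deststoretype pkcs12` produces a PKCS12 store under a `.jks` name, and the identical content already exists as `revoked_client.p12` from the line above, so this keytool step is now a redundant copy with a misleading extension. Removing it and pointing the revocation test (outside this diff) at `revoked_client.p12` mirrors what the server-keystore script does in this change; if the file name must be kept for the moment, add `# PKCS12 content despite the .jks name` above the line so nobody loads it as JKS on a runtime that does not sniff the format.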
@@ -50,11 +50,11 @@ DNS.2 = localhost EOT # Generate a client certificate for this machine -openssl genrsa -out client_another_root.key 1024 +openssl genrsa -out client_another_root.key 4096 openssl req -new -out client_another_root.csr -key client_another_root.key -reqexts req_ext -config csr_another_root.conf openssl x509 -req -days 3650 -in client_another_root.csr -CA untrusted_root.pem -CAkey untrusted_root.key -set_serial 0x11111114 -out client_another_root.pem -sha256 -extfile csr_another_root.conf -extensions req_ext # Create a Java keystore containing the generated certificate openssl pkcs12 -export -in client_another_root.pem -inkey client_another_root.key -out client_another_root.p12 -name druid_another_root -CAfile untrusted_root.pem -caname druid-it-untrusted-root -password pass:druid123 -keytool -importkeystore -srckeystore client_another_root.p12 -srcstoretype PKCS12 -destkeystore client_another_root.jks -deststoretype JKS -srcstorepass druid123 -deststorepass druid123 +keytool -importkeystore -srckeystore client_another_root.p12 -srcstoretype PKCS12 -destkeystore client_another_root.jks -deststoretype pkcs12 -srcstorepass druid123 -deststorepass druid123 diff --git a/integration-tests/docker/tls/generate-valid-intermediate-client-cert.sh b/integration-tests/docker/tls/generate-valid-intermediate-client-cert.sh index 5d26f01f793..ef754d322ff 100755 --- a/integration-tests/docker/tls/generate-valid-intermediate-client-cert.sh +++ b/integration-tests/docker/tls/generate-valid-intermediate-client-cert.sh 
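Review bot: `client_another_root.key` is now 4096 bits, but it is signed by `untrusted_root.key` on the unchanged `openssl x509 -req ... -CAkey untrusted_root.key` line, and that root key is generated outside this hunk. For a certificate whose purpose is to be rejected for chaining to an unknown root, the root key size does not change the test's outcome, but if that root is still 1024-bit it would be worth upgrading it in the same pass so the fixture set is uniformly generated. The `-destkeystore client_another_root.jks -deststoretype pkcs12` line again writes PKCS12 under a `.jks` name while `client_another_root.p12` already holds the same data; drop the conversion and point its consumer at the `.p12`.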
@@ -45,7 +45,7 @@ IP.1 = 9.9.9.9 EOT # Generate an intermediate certificate -openssl genrsa -out ca_intermediate.key 1024 +openssl genrsa -out ca_intermediate.key 4096 openssl req -new -out ca_intermediate.csr -key ca_intermediate.key -reqexts req_ext -config ca_intermediate.conf openssl x509 -req -days 3650 -in ca_intermediate.csr -CA root.pem -CAkey root.key -set_serial 0x33333332 -out ca_intermediate.pem -sha256 -extfile ca_intermediate.conf -extensions req_ext @@ -81,7 +81,7 @@ DNS.2 = localhost EOT # Generate a client certificate for this machine -openssl genrsa -out intermediate_ca_client.key 1024 +openssl genrsa -out intermediate_ca_client.key 4096 openssl req -new -out intermediate_ca_client.csr -key intermediate_ca_client.key -reqexts req_ext -config intermediate_ca_client.conf openssl x509 -req -days 3650 -in intermediate_ca_client.csr -CA ca_intermediate.pem -CAkey ca_intermediate.key -set_serial 0x33333333 -out intermediate_ca_client.pem -sha256 -extfile intermediate_ca_client.conf -extensions req_ext @@ -91,4 +91,4 @@ cat ca_intermediate.pem >> intermediate_ca_client.pem # Create a Java keystore containing the generated certificate openssl pkcs12 -export -in intermediate_ca_client.pem -inkey intermediate_ca_client.key -out intermediate_ca_client.p12 -name intermediate_ca_client -CAfile ca_intermediate.pem -caname druid-it-root -password pass:druid123 -keytool -importkeystore -srckeystore intermediate_ca_client.p12 -srcstoretype PKCS12 -destkeystore intermediate_ca_client.jks -deststoretype JKS -srcstorepass druid123 -deststorepass druid123 +keytool -importkeystore -srckeystore intermediate_ca_client.p12 -srcstoretype PKCS12 -destkeystore intermediate_ca_client.jks -deststoretype pkcs12 -srcstorepass druid123 -deststorepass druid123
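Review bot: The valid intermediate `ca_intermediate.key` moves to 4096 bits but is still signed by `root.key` on the unchanged `openssl x509 -req ... -CAkey root.key` line, so this chain's strength depends on a root key that is not touched here; confirm the root-generation script was updated alongside. The `-destkeystore intermediate_ca_client.jks -deststoretype pkcs12` line writes a PKCS12 store under a `.jks` name while `intermediate_ca_client.p12`, built one line earlier with the concatenated leaf-plus-intermediate chain, already contains the same material, so the conversion can go once its consumer (outside this diff) loads the `.p12`.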