TLS Ciphers Config (#45)

* feat: added recommended ciphers. TLSv1.3 ciphers are not being added yet * feat: add support for TLSv1.3 * feat: add env variables for TLS ciphers * fix: add env variable for keystore * fix: add SSL contexts * Update ci-master.yml * fix: remove creation of keystores dir * fix: removed commented code Co-authored-by: Julien Hagestedt <julien.hagestedt@gmail.com> Co-authored-by: ascheibal <andreas.scheibal@t-systems.com>
corona-warn-app · Jul 1, 2020 · d043f96 · d043f96
1 parent ceb602b
commit d043f96
Show file tree

Hide file tree

Showing 5 changed files with 37 additions and 9 deletions.
diff --git a/Dockerfile b/Dockerfile
@@ -10,6 +10,8 @@ RUN cp -r /opt/jboss/keycloak/themes/base/* /opt/jboss/keycloak/themes/cwa/
 RUN cp -r ${WORK_DIR}/src/themes/cwa/login /opt/jboss/keycloak/themes/cwa/
 RUN cp -r ${WORK_DIR}/src/themes/cwa/account /opt/jboss/keycloak/themes/cwa/
 RUN cp ${WORK_DIR}/src/standalone/configuration/standalone-ha.xml /opt/jboss/keycloak/standalone/configuration/
+RUN cp ${WORK_DIR}/src/standalone/configuration/keystores/test-only-https-keystore.jks /opt/jboss/keycloak/standalone/configuration/
+RUN cp ${WORK_DIR}/src/opt/jboss/tools/cli/x509-keystore.cli /opt/jboss/tools/cli/
 
 EXPOSE 8080
 EXPOSE 8443

diff --git a/README.md b/README.md
@@ -40,7 +40,7 @@ In the world of the Corona Warn App the Verification Identity and Access Managem
  So be sure to have [docker](https://docker.com) installed on your machine.
 ````bash
 docker build --pull --rm -f "Dockerfile" -t cwa-verification-iam "."
-docker run -p "8080:8080"  -p "8443:8443" -e KEYCLOAK_USER=admin -e KEYCLOAK_PASSWORD=admin -e SSL_KEY_STORE=/opt/jboss/keycloak/standalone/configuration/ONLY_FOR_TEST_keystore.jks -e SSL_KEY_STORE_PASSWORD=secret cwa-verification-iam
+docker run -p "8080:8080"  -p "8443:8443" -p "7443:7443" -e KEYCLOAK_USER=admin -e KEYCLOAK_PASSWORD=admin  cwa-verification-iam
  ````
 After that you will have run a Keykloak IAM Solution on you machine. The landing page of the Keykloak system will provide you with further information on how to setup the system and add new users.  
 For a detailed view on all the features please refer to the manual pages, also linked on the landing page.

diff --git a/src/opt/jboss/tools/cli/x509-keystore.cli b/src/opt/jboss/tools/cli/x509-keystore.cli
@@ -0,0 +1,11 @@
+embed-server --server-config=$configuration_file --std-out=discard
+/subsystem=elytron/key-store=cwa-keystore:add(path=$keycloak_tls_keystore_file,type=JKS,credential-reference={clear-text=$keycloak_tls_keystore_password})
+/subsystem=elytron/key-manager=cwa-key-manager:add(key-store=cwa-keystore,credential-reference={clear-text=$keycloak_tls_keystore_password})
+/subsystem=elytron/server-ssl-context=cwa-ssl-context:add(key-manager=cwa-key-manager,protocols=["TLSv1.2","TLSv1.3"],cipher-suite-names="${env.TLSv1_3_CIPHERS:TLS_AES_128_CCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256}",cipher-suite-filter="${env.TLSv1_2_CIPHERS:TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,TLS_DHE_DSS_WITH_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_256_GCM_SHA384}")
+batch
+/subsystem=undertow/server=default-server/https-listener=https:undefine-attribute(name=security-realm)
+/subsystem=undertow/server=default-server/https-listener=https:write-attribute(name=ssl-context,value=cwa-ssl-context)
+/subsystem=undertow/server=default-server/https-listener=https-admin:undefine-attribute(name=security-realm)
+/subsystem=undertow/server=default-server/https-listener=https-admin:write-attribute(name=ssl-context,value=cwa-ssl-context)
+run-batch
+stop-embedded-server
diff --git a/src/standalone/configuration/keystores/test-only-https-keystore.jks b/src/standalone/configuration/keystores/test-only-https-keystore.jks
diff --git a/src/standalone/configuration/standalone-ha.xml b/src/standalone/configuration/standalone-ha.xml
@@ -43,12 +43,6 @@
         </authorization>
       </security-realm>
       <security-realm name="ApplicationRealm">
-        <server-identities>
-          <ssl>
-            <keystore path="application.keystore" relative-to="jboss.server.config.dir" keystore-password="password"
-                      alias="server" key-password="password" generate-self-signed-certificate-host="localhost"/>
-          </ssl>
-        </server-identities>
         <authentication>
           <local default-user="$local" allowed-users="*" skip-group-loading="true"/>
           <properties path="application-users.properties" relative-to="jboss.server.config.dir"/>
@@ -249,6 +243,25 @@
     </subsystem>
     <subsystem xmlns="urn:wildfly:elytron:9.0" final-providers="combined-providers"
                disallowed-providers="OracleUcrypto">
+      <tls>
+        <key-stores>
+          <key-store name="cwa-keystore-test">
+            <credential-reference clear-text="changeit"/>
+            <implementation type="JKS"/>
+            <file path="test-only-https-keystore.jks"
+                  relative-to="jboss.server.config.dir"/>
+          </key-store>
+        </key-stores>
+        <key-managers>
+          <key-manager name="cwa-key-manager-test" key-store="cwa-keystore-test">
+            <credential-reference clear-text="changeit"/>
+          </key-manager>
+        </key-managers>
+        <server-ssl-contexts>
+          <server-ssl-context name="cwa-ssl-context-test"
+                              key-manager="cwa-key-manager-test" />
+        </server-ssl-contexts>
+      </tls>
       <providers>
         <aggregate-providers name="combined-providers">
           <providers name="elytron"/>
@@ -670,12 +683,14 @@
                        proxy-address-forwarding="${env.PROXY_ADDRESS_FORWARDING:false}" enable-http2="true"/>
         <https-listener name="https" socket-binding="https"
                         proxy-address-forwarding="${env.PROXY_ADDRESS_FORWARDING:false}"
-                        security-realm="ApplicationRealm" enable-http2="true"/>
+                        enable-http2="true"
+                        ssl-context="cwa-ssl-context-test"/>
         <http-listener name="http-admin" socket-binding="http-admin" redirect-socket="https"
                        proxy-address-forwarding="${env.PROXY_ADDRESS_FORWARDING:false}" enable-http2="true"/>
         <https-listener name="https-admin" socket-binding="https-admin"
                         proxy-address-forwarding="${env.PROXY_ADDRESS_FORWARDING:false}"
-                        security-realm="ApplicationRealm" enable-http2="true"/>
+                        enable-http2="true"
+                        ssl-context="cwa-ssl-context-test"/>
         <host name="default-host" alias="localhost">
           <location name="/" handler="welcome-content"/>
           <http-invoker security-realm="ApplicationRealm"/>