Replace Self-Signed Certs for TCPS with ACM Certs (#526)

* Revised version to use ACM

* Go to the new client wallet directory

* Put the wallet into /tmp

* Missing trailing slash

* Find files locally

* Fix typo

* Debug skip standby

* Add verbose option

* Match variable name

* Only put the intermediate certificate in the client wallet

* Tidy up at end

* Commit changes made by code formatters

---------

Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>

Author: bill-buchan

.github/workflows/oracle-db-ssl-wallet.yml

@@ -24,6 +24,15 @@ on:
         type: choice
         options: 
           - "delius_dbs"
+      Verbose: 
+        description: "Verbose Output level"
+        type: choice
+        options:
+          - ""
+          - "-v"
+          - "-vv"
+          - "-vvv"
+          - "-vvvv"
       SourceCodeVersion:
         description: "Source version for the  hmpps-delius-operation-automation. Enter a pull request, branch, commit ID, tag, or reference."
         type: string
@@ -106,4 +115,4 @@ jobs:
         run: |
           export ANSIBLE_CONFIG=$ansible_config
           $command -i $inventory -e ansible_aws_ssm_bucket_name=${{ vars.ANSIBLE_AWS_SSM_BUCKET_NAME }} \
-          -e target_hosts=${{ steps.prepareinventorynames.outputs.hosts }}
+          -e target_hosts=${{ steps.prepareinventorynames.outputs.hosts }} ${{ github.event.inputs.Verbose }}

playbooks/oracle_ssl_wallet/oracle_ssl_wallet/tasks/configure_client_wallet.yml

@@ -0,0 +1,27 @@
+# We only need to create the Client Wallet once - we then upload it to the DMS instance.
+# It only needs to contain the Subordinate CA Certificate.
+# We perform the creation on the primary host.
+- name: Create Client Wallet
+  when: database_primary_sid is defined
+  block:
+    # Ensure we are starting fresh by removing any existing client wallet
+    - name: Remove SSL Wallet Directory
+      file:
+        path: "{{ client_wallet_directory }}"
+        state: absent
+
+    # The Client Wallet should NOT contain the Private Key
+    - name: Create Client SSL Wallet Directory
+      file:
+        path: "{{ client_wallet_directory }}"
+        state: directory
+
+    - name: Create Oracle Wallet
+      shell: |
+        . ~/.bash_profile
+        orapki wallet create -wallet {{ client_wallet_directory }}  -auto_login_only
+
+    - name: Import Subordinate CA Certificate into Oracle Wallet as Trusted Certificate
+      shell: |
+        . ~/.bash_profile
+        orapki wallet add -wallet {{ client_wallet_directory }} -trusted_cert -cert {{ wallet_working_directory }}/certificatechain.pem -auto_login_only

playbooks/oracle_ssl_wallet/oracle_ssl_wallet/tasks/configure_listener.yml

@@ -69,7 +69,7 @@
          (SOURCE =
             (METHOD = FILE)
             (METHOD_DATA =
-                 (DIRECTORY = {{ wallet_directory }})
+                 (DIRECTORY = {{ listener_wallet_directory }})
             )
           )
       SSL_CLIENT_AUTHENTICATION = FALSE

playbooks/oracle_ssl_wallet/oracle_ssl_wallet/tasks/configure_listener_wallet.yml

@@ -0,0 +1,31 @@
+- name: Create Listener SSL Wallet Parent Directory
+  file:
+    path: "{{ listener_wallet_directory | dirname }}"
+    state: directory
+
+- name: Create Listener SSL Wallet Directory
+  file:
+    path: "{{ listener_wallet_directory }}"
+    state: directory
+
+# We remove any existing wallet as we will be importing a new certificate and if it has the same DN value
+# as one already in the wallet this may result in a failure for the correct certificate to be used
+- name: Remove Any Existing Wallet and Lock File
+  file:
+    path: "{{ listener_wallet_directory }}/{{ item }}"
+    state: absent
+  loop:
+    - cwallet.sso
+    - cwallet.sso.lck
+
+- name: Create Oracle Wallet
+  shell: |
+    . ~/.bash_profile
+    orapki wallet create -wallet {{ listener_wallet_directory }}  -auto_login_only
+
+- name: Import PKCS12 File into Oracle Wallet
+  shell: |
+    . ~/.bash_profile
+    orapki wallet import_pkcs12 -wallet {{ listener_wallet_directory }} -pkcs12file {{ wallet_working_directory }}/listener.p12 -auto_login_only -pkcs12pwd ${PKCS12PASSWORD}
+  environment:
+    PKCS12PASSWORD: "{{ pkcs12password }}"

playbooks/oracle_ssl_wallet/oracle_ssl_wallet/tasks/configure_wallet.yml

@@ -0,0 +1,64 @@
+---
+- name: Create a working directory for the certificate
+  ansible.builtin.file:
+    path: "{{ wallet_working_directory }}"
+    state: directory
+    mode: "0755"
+
+# We always clear out the working directory before we begin
+# to ensure that we create a fresh private key and certificates
+# which are consistent with it.
+- name: Find all files in the working directory
+  find:
+    paths: "{{ wallet_working_directory }}"
+    file_type: file
+  register: files_to_delete
+
+- name: Delete files found in the working directory
+  file:
+    path: "{{ item.path }}"
+    state: absent
+  loop: "{{ files_to_delete.files }}"
+
+# We use a different certificate for each instance which we download from
+# AWS Certificate Manager (ACM).
+
+# Download the Certificate (Note that there is an Ansible ACM module but
+# it does not currently support downloading certificates so we need
+# to use the AWS CLI).
+
+- name: Get ARN of Certificate for this Host
+  shell: |
+    aws acm list-certificates --query "CertificateSummaryList" --output json | \
+    jq -r --arg hostname "$(hostname)" ' map(select(.SubjectAlternativeNameSummaries[]? | contains($hostname))) | .[].CertificateArn'
+  register: get_certificate_arn
+  changed_when: false
+
+# Ensure the passphrase file does not contain a line terminator.
+# See: https://docs.aws.amazon.com/acm/latest/userguide/export-private.html
+- name: Create a Random Passphrase
+  shell: |
+    openssl rand -base64 32  | tr -d '\n' > {{ wallet_working_directory }}/passphrase.txt
+
+- name: Download Certificate from ACM
+  shell: |
+    aws acm export-certificate \
+    --certificate-arn {{ get_certificate_arn.stdout | trim }} \
+    --passphrase fileb://{{ wallet_working_directory }}/passphrase.txt > {{ wallet_working_directory }}/certificate.json
+
+- name: Extract PEM Files from Downloaded Certificate
+  shell: |
+    jq -r '.Certificate' {{ wallet_working_directory }}/certificate.json > {{ wallet_working_directory }}/certificate.pem
+    jq -r '.CertificateChain' {{ wallet_working_directory }}/certificate.json > {{ wallet_working_directory }}/certificatechain.pem
+    jq -r '.PrivateKey' {{ wallet_working_directory }}/certificate.json > {{ wallet_working_directory }}/privatekey.pem
+
+- name: Create PKCS12 File for Use with Listener
+  shell: |
+    openssl pkcs12 -export -in {{ wallet_working_directory }}/certificate.pem \
+    -certfile {{ wallet_working_directory }}/certificatechain.pem \
+    -inkey {{ wallet_working_directory }}/privatekey.pem \
+    -out {{ wallet_working_directory }}/listener.p12 \
+    -passout env:PKCS12PASSWORD \
+    -passin file:{{ wallet_working_directory }}/passphrase.txt
+  environment:
+    PKCS12PASSWORD: "{{ pkcs12password }}"

playbooks/oracle_ssl_wallet/oracle_ssl_wallet/tasks/create_certificates.yml

@@ -1,15 +1,33 @@
-- name: Create CA Certificate
-  include_tasks: create_certificates.yml
-  tags: create
+- name: Generate Random Password for PKCS12 File
+  set_fact:
+    pkcs12password: "{{ lookup('password', '/dev/null', length=16) }}"
 
-- name: Configure Wallet
-  include_tasks: configure_wallet.yml
-  tags: wallet
+- block:
+    - name: Download CA Certificate from ACM
+      include_tasks: download_certificates.yml
+      tags: create
 
-- name: Configure Listener
-  include_tasks: configure_listener.yml
-  tags: listener
+    - name: Configure Listener Wallet
+      include_tasks: configure_listener_wallet.yml
+      tags: wallet
 
-- name: Upload Certificate
-  include_tasks: upload_certificate.yml
-  tags: upload
+    - name: Configure Listener
+      include_tasks: configure_listener.yml
+      tags: listener
+
+    - name: Configure Client Wallet
+      include_tasks: configure_client_wallet.yml
+      tags: wallet
+
+    # The Client Wallet is prepared on the primary database host so
+    # we only need to upload it from there
+    - name: Upload Certificate to DMS
+      include_tasks: upload_certificate.yml
+      when: database_primary_sid is defined
+      tags: upload
+
+  always:
+    - name: Clean Up Working Directory
+      file:
+        path: "{{ wallet_working_directory }}"
+        state: absent