Enable OCSP, minor improvements

scripts/disable_admin.sh

@@ -0,0 +1,5 @@
+#!/usr/bin/env -S /bin/bash
+set -e
+# There does not seem to be any sensible flag for this so delete and re-add is the way
+/opt/scripts/delete_user.sh
+/opt/scripts/enable_user.sh

scripts/enable_admin.sh

@@ -2,14 +2,11 @@
 set -e
 TR=/opt/tak
 CONFIG=${TR}/data/CoreConfig.xml
+cd ${TR}
+. ./setenv.sh
 
-# Wait for server start
-echo "enable_admin: Waiting for db"
-WAITFORIT_TIMEOUT=30 /usr/bin/wait-for-it.sh ${POSTGRES_ADDRESS}:5432 -- true
 echo "enable_admin: Waiting for TAK server"
-WAITFORIT_TIMEOUT=60 /usr/bin/wait-for-it.sh localhost:8089 -- true
+WAITFORIT_TIMEOUT=2 /usr/bin/wait-for-it.sh localhost:8089 -- true
 
 echo "enable_admin: Making sure ${ADMIN_CERT_NAME} user is in place"
-cd ${TR}
-. ./setenv.sh
 TAKCL_CORECONFIG_PATH="${CONFIG}" java -jar /opt/tak/utils/UserManager.jar certmod -A "/opt/tak/data/certs/files/${ADMIN_CERT_NAME}.pem"

scripts/firstrun_rm.sh

@@ -1,10 +1,4 @@
 #!/usr/bin/env -S /bin/bash
-if [ -f /opt/tak/data/firstrun.done ]
-then
-  echo "First run already done"
-  exit 0
-fi
-
 TR=/opt/tak
 CR=${TR}/certs
 
@@ -35,8 +29,6 @@ if [[ ! -L "${TR}/certs"  ]];then
   ln -f -s "${TR}/data/certs/" "${TR}/certs"
 fi
 
-set -x
-
 TAK_SERVER_HOSTNAME="$(cat /pvarki/kraftwerk-init.json | jq -r  .product.dns)"
 
 
@@ -49,9 +41,8 @@ if [ $? -ne 0 ] ; then
   LEGACY_PROVIDER="-legacy"
 fi
 
-# FIXME: We need to update these when the LE cert gets updated so these can't be inside of the firstrun.done -check
-#        But they also seem get hissy if you try to add the same cert multiple times
 
+echo "(re)Add TLS keys to keystore"
 # We have to do this pkcs12 song and dance because keytool can't import private keys directly
 # Create takserver.p12 using certificates from RM
 openssl pkcs12 ${LEGACY_PROVIDER} -export -out takserver.p12 \
@@ -60,6 +51,11 @@ openssl pkcs12 ${LEGACY_PROVIDER} -export -out takserver.p12 \
   -name "${TAK_SERVER_HOSTNAME}" \
   -passout pass:${TAKSERVER_KEYSTORE_PASS}
 
+# Remove the old key (if exists)
+keytool -delete \
+  -alias "${TAK_SERVER_HOSTNAME}" \
+  -keystore takserver.jks \
+  -storepass "${TAKSERVER_KEYSTORE_PASS}"
 # Create the Java keystore and import takserver.p12
 keytool -importkeystore -srcstoretype PKCS12 \
   -destkeystore takserver.jks \
@@ -70,20 +66,36 @@ keytool -importkeystore -srcstoretype PKCS12 \
   -destkeypass "${TAKSERVER_KEYSTORE_PASS}"
 
 # Put the CA certs one-by-one (can't import full chains in one go) to the truststore
+# Remove the old root key (if exists)
+keytool -delete \
+  -alias "RM_Root" \
+  -keystore takserver-truststore.jks \
+  -storepass ${KEYSTORE_PASS}
+# Add root key
 keytool -noprompt -import -trustcacerts \
   -file "/ca_public/root_ca.pem" \
   -alias "RM_Root" \
   -keystore takserver-truststore.jks \
   -storepass ${KEYSTORE_PASS}
 
+# Remove the old intermediate key (if exists)
+keytool -delete \
+  -alias "RM_Intermediate" \
+  -keystore takserver-truststore.jks \
+  -storepass ${KEYSTORE_PASS}
+# Add intermediate key
 keytool -noprompt -import -trustcacerts \
   -file "/ca_public/intermediate_ca.pem" \
   -alias "RM_Intermediate" \
   -keystore takserver-truststore.jks \
   -storepass ${KEYSTORE_PASS}
 
 if [[ -f "/ca_public/miniwerk_ca.pem" ]];then
-  ALIAS=$(openssl x509 -noout -subject -in "/ca_public/miniwerk_ca.pem" |md5sum | cut -d" " -f1)
+  # Remove the old key (if exists)
+  keytool -delete \
+    -alias "MW_Root" \
+    -keystore takserver-truststore.jks \
+    -storepass ${KEYSTORE_PASS}
   keytool -noprompt -import -trustcacerts \
     -file /ca_public/miniwerk_ca.pem \
     -alias "MW_Root" \
@@ -98,7 +110,11 @@ cp -v /opt/tak/data/certs/files/takserver-truststore.jks /opt/tak/data/certs/fil
 
 popd >> /dev/null
 
-
+if [ -f /opt/tak/data/firstrun.done ]
+then
+  echo "First run already done, not importing database"
+  exit 0
+fi
 
 
 set -e

scripts/start-tak.sh

@@ -2,21 +2,29 @@
 set -e
 
 TR=/opt/tak
-CONFIG=${TR}/data/CoreConfig.xml
+export TAKCL_CORECONFIG_PATH=${TR}/data/CoreConfig_${1}.xml # use process specific copy
+COMMON_CONFIG_PATH=${TR}/data/CoreConfig.xml  # common path used by various scripts
+sleep 2
 
 # (re-)Create config
 echo "(Re-)Creating config"
-cat /opt/templates/CoreConfig.tpl | gomplate >${CONFIG}
+set -x
+export TAK_OCSP_UPSTREAM_IP=$(getent hosts ${TAK_OCSP_UPSTREAM} | awk '{ print $1 }')
+gomplate -f /opt/templates/CoreConfig.tpl -o ${COMMON_CONFIG_PATH}  # used by various scripts
+# Process specific config
+gomplate -f /opt/templates/CoreConfig.tpl -o ${TAKCL_CORECONFIG_PATH}
 # make sure it's in tak root too
-cp ${CONFIG} ${TR}
+ln -sf ${TAKCL_CORECONFIG_PATH} ${TR}/CoreConfig.xml
+ls -lah ${TR}/CoreConfig.xml
+cat ${TR}/CoreConfig.xml
+set +x
 
-# Symlink the certs coming from Volumes
+# Ensure anything not having the correct config loads certs and saves logs to the volume
+# (yes, we do need to re-check at every start)
 if [[ ! -L "${TR}/certs"  ]];then
   mv ${TR}/certs ${TR}/certs.orig
   ln -s "${TR}/data/certs/" "${TR}/certs"
 fi
-
-# Symlink the log directory coming from Volumes
 if [[ ! -L "${TR}/logs"  ]];then
   mv ${TR}/logs ${TR}/logs.orig
   ln -s "${TR}/data/logs/" "${TR}/logs"
@@ -31,7 +39,7 @@ cd ${TR}
 # Start the right process
 if [ $1 = "messaging" ]; then
     echo "Starting TAK Messaging"
-    java -jar -Xmx${MESSAGING_MAX_HEAP}m -Dspring.profiles.active=messaging,consolelog takserver.war
+    java -jar -Xmx${MESSAGING_MAX_HEAP}m -Dspring.profiles.active=messaging,consolelog -Dkeystore.pkcs12.legacy takserver.war
 elif [ $1 = "api" ]; then
     echo "Starting TAK API"
     java -jar -Xmx${API_MAX_HEAP}m -Dspring.profiles.active=api,consolelog -Dkeystore.pkcs12.legacy takserver.war

templates/CoreConfig.tpl

@@ -1,74 +1,21 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <Configuration xmlns="http://bbn.com/marti/xml/config"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-        xsi:schemaLocation="CoreConfig.xsd">
+        xsi:schemaLocation="/opt/tak/CoreConfig.xsd">
     <network multicastTTL="5">
         <input _name="stdssl" protocol="tls" port="8089"/>
-        <!--
-        <input _name="stdtcp" protocol="tcp" port="8087" auth="anonymous"/>
-        <input _name="stdudp" protocol="udp" port="8087" auth="anonymous"/>
-        <input _name="streamtcp" protocol="stcp" port="8088" auth="anonymous"/>
-        -->
-        <!-- <input _name="SAproxy" protocol="mcast" group="239.2.3.1" port="6969" proxy="true" auth="anonymous" /> -->
-        <!-- <input _name="GeoChatproxy" protocol="mcast" group="224.10.10.1" port="17012" proxy="true" auth="anonymous" /> -->
-        <!--<announce enable="true" uid="Marti1" group="239.2.3.1" port="6969" interval="1" ip="192.168.1.137" />-->
-         <!--<input _name="stdssl" protocol="tls" port="8089"/>-->
-         <!--<input _name="sslauth" protocol="tls" port="8090" auth="ldap"/> -->
-        <!--<input _name="stdtcpwithgroups" protocol="tcp" port="8087" auth="anonymous">-->
-            <!--<filtergroup>group one</filtergroup>-->
-            <!--<filtergroup>group two</filtergroup>-->
-        <!--</input>-->
-        <!--<input _name="stdtcpwithfilters" protocol="tcp" port="8087" auth="anonymous">-->
-            <!--<filter>-->
-                <!--<geospatialFilter>-->
-                    <!--<boundingBox minLongitude="-80" minLatitude="34" maxLongitude="-70" maxLatitude="36" />-->
-                    <!--<boundingBox minLongitude="-100" minLatitude="34" maxLongitude="-90" maxLatitude="36" />-->
-                <!--</geospatialFilter>-->
-            <!--</filter>-->
-        <!--</input>-->
 
         <!-- web connectors -->
         <connector port="8443" _name="https"/>
         <connector port="8444" useFederationTruststore="true" _name="fed_https"/>
         <connector port="8446" clientAuth="false" _name="cert_https"/>
-        <connector port="8080" tls="false" _name="http_plaintext"/>
     </network>
     <auth>
-                <!-- Example OpenLDAP -->
-        <!--
-        <ldap
-            url="ldap://hostname.bbn.com/"
-            userstring="uid={username},ou=People,dc=XXX,dc=bbn,dc=com"
-            updateinterval="60"
-            style="DS"
-        />
-        -->
-
-        <!-- Example ActiveDirectory -->
-
-        <!--NOTE!! In the example below, GroupBaseDN should be specified relative to the naming context provided in the url attribute below -->
-        <!--
-        <ldap
-            url="ldap://hostname.bbn.com/dc=XXX,dc=bbn,dc=com"
-            userstring="DOMAIN\{username}"
-            updateinterval="60"
-            groupprefix=""
-            style="AD"
-            ldapSecurityType="simple"
-            serviceAccountDN="cn=fred001,cn=Users,cn=Partition1,dc=XYZ,dc=COM"
-            serviceAccountCredential="XXXXXX"
-            groupObjectClass="group"
-            groupBaseRDN="CN=Groups"/>
-        />
-
-        -->
-            <File location="UserAuthenticationFile.xml"/>
+        <File location="/opt/tak/data/UserAuthenticationFile.xml"/>
     </auth>
     <submission ignoreStaleMessages="false" validateXml="false"/>
 
     <subscription reloadPersistent="false">
-        <!-- example static subscription that publishes messages to a UDP multicast address and port -->
-        <!-- <static _name="MulticastProxy" protocol="udp" address="239.2.3.1" port="6969" /> -->
     </subscription>
 
     <repository enable="true" numDbConnections="50" primaryKeyBatchSize="500" insertionBatchSize="500">
@@ -88,12 +35,6 @@
     <filter>
         <flowtag enable="false" text=""/>
         <streamingbroker enable="true"/>
-        <!--
-        <dropfilter>
-            <typefilter type="u-d-p" />
-            <typefilter type="u-d-c" />
-        </dropfilter>
-        -->
         <scrubber enable="false" action="overwrite"/>
     </filter>
 
@@ -102,68 +43,41 @@
         <queue/>
     </buffer>
 
+<!-- With  "Authority Information Access" included in certs this works for both 8089 and 8443 but I see no OCSP query for 8443 -->
     <security>
-        <tls context="TLSv1.2"
-            keymanager="SunX509"
-            keystore="JKS" keystoreFile="/opt/tak/certs/files/takserver.jks" keystorePass="{{.Env.TAKSERVER_CERT_PASS}}"
-            truststore="JKS" truststoreFile="/opt/tak/certs/files/truststore-root.jks" truststorePass="{{.Env.CA_PASS}}">
-         <!-- <crl _name="TAKServer CA" crlFile="certs/files/ca.crl"/>  -->
-
-        </tls>
-
-         <!-- previous locations of keystore and truststore -->
-         <!--
-         <tls context="TLSv1.2"
-            keymanager="SunX509"
-            keystore="JKS" keystoreFile="certs/TAKServer.jks" keystorePass="{{.Env.TAKSERVER_CERT_PASS}}"
-            truststore="JKS" truststoreFile="certs/truststore.jks" truststorePass="{{.Env.CA_PASS}}">
-        </tls>
-        -->
-
+        <tls keymanager="SunX509"
+            keystore="JKS" keystoreFile="/opt/tak/data/certs/files/takserver.jks" keystorePass="{{.Env.TAKSERVER_CERT_PASS}}"
+            truststore="JKS" truststoreFile="/opt/tak/data/certs/files/truststore-root.jks" truststorePass="{{.Env.CA_PASS}}"
+            enableOCSP="true" responderUrl="http://{{.Env.TAK_OCSP_UPSTREAM_IP}}:{{.Env.TAK_OCSP_PORT}}"
+            />
     </security>
 
+<!-- 8089 works (until CRL expires) but 8443 doesn't, there is no sane way to refresh the CRL (process restart is way too slow)
+     and I see *no* queries to OCSP server -->
 <!--
-    <federation>
-      <federation-server port="9000">
-        <tls context="TLSv1.2"
-         keymanager="SunX509"
-         keystore="JKS" keystoreFile="certs/files/takserver.jks" keystorePass="{{.Env.TAKSERVER_CERT_PASS}}"
-         truststore="JKS" truststoreFile="certs/files/fed-truststore.jks" truststorePass="{{.Env.CA_PASS}}"/>
-      </federation-server>
-    </federation>
+    <security>
+        <tls keymanager="SunX509"
+            keystore="JKS" keystoreFile="/opt/tak/data/certs/files/takserver.jks" keystorePass="{{.Env.TAKSERVER_CERT_PASS}}"
+            truststore="JKS" truststoreFile="/opt/tak/data/certs/files/truststore-root.jks" truststorePass="{{.Env.CA_PASS}}"
+            enableOCSP="true" responderUrl="http://{{.Env.TAK_OCSP_UPSTREAM_IP}}:{{.Env.TAK_OCSP_PORT}}"
+            >
+            <crl _name="ROOT CA" crlFile="/ca_public/crl_root.pem"/>
+            <crl _name="RASENMAEHER CA" crlFile="/ca_public/crl_intermediate.pem"/>
+        </tls>
+    </security>
 -->
- <!-- previous locations of federate keystore and truststore -->
- <!--
- <tls context="TLSv1.2"
-         keymanager="SunX509"
-         keystore="JKS" keystoreFile="certs/TAKServer.jks" keystorePass="{{.Env.TAKSERVER_CERT_PASS}}"
-         truststore="JKS" truststoreFile="certs/fed-truststore.jks" truststorePass="{{.Env.CA_PASS}}"/>
- -->
-
-<!--
 
-<certificateSigning CA="{TAKServer | MicrosoftCA}">
-    <certificateConfig>
-        <nameEntries>
-            <nameEntry name="O" value="Test Org Name"/>
-            <nameEntry name="OU" value="Test Org Unit Name"/>
-        </nameEntries>
-    </certificateConfig>
-    <TAKServerCAConfig
-        keystore="JKS"
-        keystoreFile="certs/files/intermediate-ca-signing.jks"
-        keystorePass="atakatak"
-        validityDays="30"
-        signatureAlg="SHA256WithRSA" />
-    <MicrosoftCAConfig
-        username="{MS CA Username}"
-        password="{MS CA Password}"
-        truststore="/opt/tak/certs/files/keystore.jks"
-        truststorePass="atakatak"
-        svcUrl="https://{server}/{CA name}_CES_UsernamePassword/service.svc"
-        templateName="Copy of User"/>
-</certificateSigning>
+<!-- in both of the above cases we get: [services-deployment-worker-#57%ignite-takserver%] WARN com.bbn.marti.service.SSLConfig - TLS enabled, but no certificate revocation lists, and OSCP is not enabled in Core Config!
+     however in the below case we get similar complaint a *second* time when the 8089 port actually starts serving -->
 
+<!-- 8089 and 8443 work but obviously revocation checks do not work -->
+<!--
+    <security>
+        <tls keymanager="SunX509"
+            keystore="JKS" keystoreFile="/opt/tak/data/certs/files/takserver.jks" keystorePass="{{.Env.TAKSERVER_CERT_PASS}}"
+            truststore="JKS" truststoreFile="/opt/tak/data/certs/files/truststore-root.jks" truststorePass="{{.Env.CA_PASS}}"
+            />
+    </security>
 -->
 
 </Configuration>