Puppet Class: wildfly::secure_mgmt_api

Defined in:
manifests/secure_mgmt_api.pp

Overview



1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
# File 'manifests/secure_mgmt_api.pp', line 1

class wildfly::secure_mgmt_api {

require wildfly::service

$mgmt_port = $wildfly::properties['jboss.management.https.port']

  if $wildfly::mgmt_create_keystores {

    if ($wildfly::mgmt_ssl_cert) and ($wildfly::mgmt_ssl_key) {

      $ks_key = $wildfly::mgmt_ssl_key
      $ks_cert  = $wildfly::mgmt_ssl_cert
    }

    else {

      $ks_key = "${wildfly::dirname}/${wildfly::mode}/configuration/mgmt.key"
      $ks_cert = "${wildfly::dirname}/${wildfly::mode}/configuration/mgmt.crt"

      openssl::certificate::x509 { 'mgmt':
        country      => 'WF',
        organization => 'WFMgmt self signed',
        commonname   => $fqdn,
        base_dir     => "${wildfly::dirname}/${wildfly::mode}/configuration",
        owner        => $wildfly::user,
        group        => $wildfly::group,
        notify       => Java_ks["${wildfly::mgmt_keystore_alias}:mgmtks"],
      }
    }

    java_ks { "${wildfly::mgmt_keystore_alias}:mgmtks":
      ensure      => latest,
      certificate => $ks_cert,
      private_key => $ks_key,
      target      => $wildfly::mgmt_keystore,
      password    => $wildfly::mgmt_keystore_pass,
      path        => ["${wildfly::java_home}/bin"],
      before      => Exec['Set https management interface'],
    }

    file { $wildfly::mgmt_keystore:
      owner   => $wildfly::user,
      group   => $wildfly::group,
      require =>  Java_ks["${wildfly::mgmt_keystore_alias}:mgmtks"],
    }

    java_ks { 'cli:truststore':
      ensure      => latest,
      certificate => $ks_cert,
      password    => 'cli_truststore',
      target      => '/root/.jboss-cli.truststore',
      path        => ["${wildfly::java_home}/bin"],
      before      => Exec['Set https management interface'],
    }

    java_ks { 'wfcli:truststore':
      ensure      => latest,
      certificate => $ks_cert,
      password    => 'cli_truststore',
      target      => "/home/${wildfly::user}/.jboss-cli.truststore",
      path        => ["${wildfly::java_home}/bin"],
      before      => Exec['Set https management interface'],
    }

    file { "/home/${wildfly::user}/.jboss-cli.truststore":
      owner   => $wildfly::user,
      group   => $wildfly::group,
      require => Java_ks['wfcli:truststore'],
    }

  }

  exec { 'secure mgmt reload':
    command     => "jboss-cli.sh -c ':reload'; sleep 5",
    refreshonly => true,
    returns     => ['0', '1'],
    path        => ['/bin', '/usr/bin', '/sbin', "${wildfly::dirname}/bin", "${wildfly::java_home}/bin"],
  }

  exec { 'Set https management interface':
    command => "sleep 5; jboss-cli.sh -c '/core-service=management/management-interface=http-interface:write-attribute(name=secure-socket-binding, value=management-https)'",
    unless  => "grep -c \'https=\"management-https\"\' ${wildfly::dirname}/${wildfly::mode}/configuration/${wildfly::config}",
    path    => ['/bin', '/usr/bin', '/sbin', "${wildfly::dirname}/bin", "${wildfly::java_home}/bin"],
    before  => Augeas['set_jboss_cli_xml_https'],
  }

  exec { 'Set Realm to use SSL':
    command     => "jboss-cli.sh -c \'/core-service=management/security-realm=ManagementRealm/server-identity=ssl:add(keystore-path=${wildfly::mgmt_keystore},keystore-password=${wildfly::mgmt_keystore_pass},alias=${wildfly::mgmt_keystore_alias}\'",
    unless      => "grep -c ${wildfly::mgmt_keystore} ${wildfly::dirname}/${wildfly::mode}/configuration/${wildfly::config}",
    path        => ['/bin', '/usr/bin', '/sbin', "${wildfly::dirname}/bin", "${wildfly::java_home}/bin"],
    environment => "JAVA_HOME=${wildfly::java_home}",
    before      => Augeas['set_jboss_cli_xml_https'],
    subscribe   => Exec['Set https management interface'],
    notify      => Exec['secure mgmt reload'],
  }

  augeas { 'set_jboss_cli_xml_https':
    lens      => 'Xml.lns',
    incl      => "${wildfly::dirname}/bin/jboss-cli.xml",
    changes   => ['set jboss-cli/default-controller/protocol/#text https-remoting',
                "set jboss-cli/default-controller/port/#text ${mgmt_port}" ],
    subscribe => Exec['secure mgmt reload'],
  }
}