1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
|
# File 'manifests/secure_mgmt_api.pp', line 1
class wildfly::secure_mgmt_api {
require wildfly::service
$mgmt_port = $wildfly::properties['jboss.management.https.port']
if $wildfly::mgmt_create_keystores {
if ($wildfly::mgmt_ssl_cert) and ($wildfly::mgmt_ssl_key) {
$ks_key = $wildfly::mgmt_ssl_key
$ks_cert = $wildfly::mgmt_ssl_cert
}
else {
$ks_key = "${wildfly::dirname}/${wildfly::mode}/configuration/mgmt.key"
$ks_cert = "${wildfly::dirname}/${wildfly::mode}/configuration/mgmt.crt"
openssl::certificate::x509 { 'mgmt':
country => 'WF',
organization => 'WFMgmt self signed',
commonname => $fqdn,
base_dir => "${wildfly::dirname}/${wildfly::mode}/configuration",
owner => $wildfly::user,
group => $wildfly::group,
notify => Java_ks["${wildfly::mgmt_keystore_alias}:mgmtks"],
}
}
java_ks { "${wildfly::mgmt_keystore_alias}:mgmtks":
ensure => latest,
certificate => $ks_cert,
private_key => $ks_key,
target => $wildfly::mgmt_keystore,
password => $wildfly::mgmt_keystore_pass,
path => ["${wildfly::java_home}/bin"],
before => Exec['Set https management interface'],
}
file { $wildfly::mgmt_keystore:
owner => $wildfly::user,
group => $wildfly::group,
require => Java_ks["${wildfly::mgmt_keystore_alias}:mgmtks"],
}
java_ks { 'cli:truststore':
ensure => latest,
certificate => $ks_cert,
password => 'cli_truststore',
target => '/root/.jboss-cli.truststore',
path => ["${wildfly::java_home}/bin"],
before => Exec['Set https management interface'],
}
java_ks { 'wfcli:truststore':
ensure => latest,
certificate => $ks_cert,
password => 'cli_truststore',
target => "/home/${wildfly::user}/.jboss-cli.truststore",
path => ["${wildfly::java_home}/bin"],
before => Exec['Set https management interface'],
}
file { "/home/${wildfly::user}/.jboss-cli.truststore":
owner => $wildfly::user,
group => $wildfly::group,
require => Java_ks['wfcli:truststore'],
}
}
exec { 'secure mgmt reload':
command => "jboss-cli.sh -c ':reload'; sleep 5",
refreshonly => true,
returns => ['0', '1'],
path => ['/bin', '/usr/bin', '/sbin', "${wildfly::dirname}/bin", "${wildfly::java_home}/bin"],
}
exec { 'Set https management interface':
command => "sleep 5; jboss-cli.sh -c '/core-service=management/management-interface=http-interface:write-attribute(name=secure-socket-binding, value=management-https)'",
unless => "grep -c \'https=\"management-https\"\' ${wildfly::dirname}/${wildfly::mode}/configuration/${wildfly::config}",
path => ['/bin', '/usr/bin', '/sbin', "${wildfly::dirname}/bin", "${wildfly::java_home}/bin"],
before => Augeas['set_jboss_cli_xml_https'],
}
exec { 'Set Realm to use SSL':
command => "jboss-cli.sh -c \'/core-service=management/security-realm=ManagementRealm/server-identity=ssl:add(keystore-path=${wildfly::mgmt_keystore},keystore-password=${wildfly::mgmt_keystore_pass},alias=${wildfly::mgmt_keystore_alias}\'",
unless => "grep -c ${wildfly::mgmt_keystore} ${wildfly::dirname}/${wildfly::mode}/configuration/${wildfly::config}",
path => ['/bin', '/usr/bin', '/sbin', "${wildfly::dirname}/bin", "${wildfly::java_home}/bin"],
environment => "JAVA_HOME=${wildfly::java_home}",
before => Augeas['set_jboss_cli_xml_https'],
subscribe => Exec['Set https management interface'],
notify => Exec['secure mgmt reload'],
}
augeas { 'set_jboss_cli_xml_https':
lens => 'Xml.lns',
incl => "${wildfly::dirname}/bin/jboss-cli.xml",
changes => ['set jboss-cli/default-controller/protocol/#text https-remoting',
"set jboss-cli/default-controller/port/#text ${mgmt_port}" ],
subscribe => Exec['secure mgmt reload'],
}
}
|