Puppet Class: wildfly::secure_mgmt_api
- Defined in:
- manifests/secure_mgmt_api.pp
Overview
Manages the secure (HTTPS) management API
# File 'manifests/secure_mgmt_api.pp', line 4
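# Switches the WildFly management interface to HTTPS.
#
# When `wildfly::mgmt_create_keystores` is set, the management keystore is
# built from an operator-supplied certificate/key pair, or from a self-signed
# certificate generated for the host FQDN, and two CLI truststores (root and
# the WildFly user) are populated with that certificate. Afterwards the
# http-interface is bound to the `management-https` socket binding, the
# keystore is attached to ManagementRealm, the server is reloaded and
# jboss-cli.xml is pointed at the HTTPS port.
#
# All inputs are read from the `wildfly` base class (dirname, mode, config,
# java_home, user/group, properties, mgmt_* parameters).
class wildfly::secure_mgmt_api {
  require wildfly::service

  # Paths reused by several resources below.
  $config_dir  = "${wildfly::dirname}/${wildfly::mode}/configuration"
  $config_file = "${config_dir}/${wildfly::config}"
  $cli_path    = ['/bin', '/usr/bin', '/sbin', "${wildfly::dirname}/bin", "${wildfly::java_home}/bin"]

  # NOTE(review): nothing here checks that the property exists; if it is unset
  # the augeas change below writes an empty port element — confirm the base
  # class always defines it.
  $mgmt_port = $wildfly::properties['jboss.management.https.port']

  if $wildfly::mgmt_create_keystores {
    if ($wildfly::mgmt_ssl_cert) and ($wildfly::mgmt_ssl_key) {
      # Operator-supplied certificate and private key.
      $ks_key  = $wildfly::mgmt_ssl_key
      $ks_cert = $wildfly::mgmt_ssl_cert
    }
    else {
      # No certificate supplied: generate a self-signed one for the host FQDN
      # in the configuration directory. Clients trust it only through the
      # truststores created further down.
      $ks_key  = "${config_dir}/mgmt.key"
      $ks_cert = "${config_dir}/mgmt.crt"
      openssl::certificate::x509 { 'mgmt':
        country      => 'WF',
        organization => 'WFMgmt self signed',
        commonname   => $facts['networking']['fqdn'],
        base_dir     => $config_dir,
        owner        => $wildfly::user,
        group        => $wildfly::group,
        notify       => Java_ks["${wildfly::mgmt_keystore_alias}:mgmtks"],
      }
    }

    # Server-side keystore holding the management certificate and key.
    # `latest` re-imports the entry whenever the certificate changes.
    java_ks { "${wildfly::mgmt_keystore_alias}:mgmtks":
      ensure      => latest,
      certificate => $ks_cert,
      private_key => $ks_key,
      target      => $wildfly::mgmt_keystore,
      password    => $wildfly::mgmt_keystore_pass,
      path        => ["${wildfly::java_home}/bin"],
      before      => Exec['Set https management interface'],
    }

    # java_ks writes the keystore as the user running Puppet; hand it to the
    # service user so WildFly can read it.
    file { $wildfly::mgmt_keystore:
      owner   => $wildfly::user,
      group   => $wildfly::group,
      require => Java_ks["${wildfly::mgmt_keystore_alias}:mgmtks"],
    }

    # CLI truststores for root and the WildFly user. They contain only the
    # public certificate, so the fixed password guards integrity rather than
    # confidentiality; it is kept unchanged because truststores already
    # created with it on managed hosts would otherwise fail to open.
    java_ks { 'cli:truststore':
      ensure      => latest,
      certificate => $ks_cert,
      password    => 'cli_truststore',
      target      => '/root/.jboss-cli.truststore',
      path        => ["${wildfly::java_home}/bin"],
      before      => Exec['Set https management interface'],
    }

    java_ks { 'wfcli:truststore':
      ensure      => latest,
      certificate => $ks_cert,
      password    => 'cli_truststore',
      target      => "/home/${wildfly::user}/.jboss-cli.truststore",
      path        => ["${wildfly::java_home}/bin"],
      before      => Exec['Set https management interface'],
    }

    file { "/home/${wildfly::user}/.jboss-cli.truststore":
      owner   => $wildfly::user,
      group   => $wildfly::group,
      require => Java_ks['wfcli:truststore'],
    }
  }

  # Reload the server so the realm/interface changes take effect. Only runs
  # when notified. Exit status 1 is tolerated — presumably because :reload
  # drops the CLI connection before the command returns; TODO confirm.
  exec { 'secure mgmt reload':
    command     => "jboss-cli.sh -c ':reload'; sleep 5",
    refreshonly => true,
    returns     => ['0', '1'],
    path        => $cli_path,
  }

  # Bind the management http-interface to the HTTPS socket binding. The
  # `unless` grep against the server configuration file is the idempotence
  # check; the path is quoted so a directory with whitespace cannot break it.
  exec { 'Set https management interface':
    command => "sleep 5; jboss-cli.sh -c '/core-service=management/management-interface=http-interface:write-attribute(name=secure-socket-binding, value=management-https)'", # lint:ignore:140chars
    unless  => "grep -c \'https=\"management-https\"\' \'${config_file}\'",
    path    => $cli_path,
    before  => Augeas['set_jboss_cli_xml_https'],
  }

  # Attach the keystore to ManagementRealm.
  #
  # NOTE(review): the keystore password is interpolated into the command
  # string. Puppet prints exec command text in debug output and in the failure
  # message when the command exits non-zero, and the argument list is visible
  # to other local users in the process table while the command runs.
  # Wrapping `command` in Sensitive() would let Puppet redact it where the
  # Puppet version in use supports that for exec — verify before relying on it.
  # Both `unless` arguments are quoted so a keystore path with whitespace
  # cannot turn the idempotence check into a permanent re-run.
  exec { 'Set Realm to use SSL':
    command     => "jboss-cli.sh -c \'/core-service=management/security-realm=ManagementRealm/server-identity=ssl:add(keystore-path=${wildfly::mgmt_keystore},keystore-password=${wildfly::mgmt_keystore_pass},alias=${wildfly::mgmt_keystore_alias}\'", # lint:ignore:140chars
    unless      => "grep -c \'${wildfly::mgmt_keystore}\' \'${config_file}\'",
    path        => $cli_path,
    environment => "JAVA_HOME=${wildfly::java_home}",
    before      => Augeas['set_jboss_cli_xml_https'],
    subscribe   => Exec['Set https management interface'],
    notify      => Exec['secure mgmt reload'],
  }

  # Point the CLI's default controller at the HTTPS management port so
  # jboss-cli.sh -c keeps working once the interface is switched.
  augeas { 'set_jboss_cli_xml_https':
    lens      => 'Xml.lns',
    incl      => "${wildfly::dirname}/bin/jboss-cli.xml",
    changes   => ['set jboss-cli/default-controller/protocol/#text https-remoting',
      "set jboss-cli/default-controller/port/#text ${mgmt_port}"],
    subscribe => Exec['secure mgmt reload'],
  }
}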