Re: Making your landscape trust a certain certificate authority


Daniel Mikusa
 

Eric,

Some comments inline...

On Fri, Oct 2, 2015 at 5:02 AM, Eric Westenberger <
eric.westenberger(a)gmail.com> wrote:

> Hello,
>
> I am trying to implement option 1 above but I am struggling from where to
> pick up the certificate files which I have packaged with my application
> (for experimentation I put the certificates both in the .profile.d
> directory and a ssl folder in my webapp).
This is a little tricky with Java apps because of how they get packaged
up. You need to make sure that `.profile.d` is included at the root of
your WAR file. If you run `jar tf file.war` it should list `.profile.d/`
and nothing in the path before that.

When your app gets uploaded to CF, the files are extracted from the WAR and
you end up with an exploded WAR directory at `/home/vcap/app`. Since
`.profile.d` is at the root of your WAR, that means
`/home/vcap/app/.profile.d` is where you should be able to find your script
and anything else you put in that directory.


> I tried the following variants
>
> keytool -keystore ... -storepass ... -importcert -alias MyCert -file
> MyCert.crt
> keytool -keystore ... -storepass ... -importcert -alias MyCert -file
> /home/vcap/app/.java-buildpack/tomcat/webapps/ROOT/ssl/MyCert.crt
> keytool -keystore ... -storepass ... -importcert -alias MyCert -file
> /home/vcap/app/ssl/MyCert.crt
If I understand your comment above, I'd have expected the last one to
work. You said that you put an `ssl` directory at the root of your WAR file
and that it contained the certs. I'd also expect the path
`/home/vcap/app/.profile.d/MyCert.crt` to work since you said you put the
certs into the `.profile.d` folder too.



> In all cases I am getting
> (No such file or directory)[App/0] OUT keytool error:
> java.io.FileNotFoundException: ...MyCert.crt (or similar)
> (I checked using cf files myapp app/.profile.d that the files are
> deployed)
A few tips for debugging `.profile.d` scripts.

1.) Put `sleep 2` as the first line of the script, right after the
`#!/bin/bash`. This works around a known issue with logging, which can
sometimes cause log entries to be lost.

2.) Add copious echo statements to your script. You can also do things
like run `ls` and `pwd` to inspect the environment. Anything that writes
to STDOUT should show up when the script runs.

3.) You can use environment variables like `$PWD` and `$HOME` so you don't
have to deal with full paths. `$HOME` points to `/home/vcap/app` and
`$PWD` points to the working directory, which should also be
`/home/vcap/app`.



> Does someone have an idea how to address, within the profile.d script, files
> from the deployed application?
You're close. Try adding some `ls` statements if you need to confirm
exactly where things are at. The output should show up when you run your
script.



> Best,
> Eric
>
> PS: I had to put the profile.d folder into the web app root folder in
> order to be picked up, which makes it a public resource. The documentation
> is also not very clear where to put it. Any ideas in this direction would
> also be appreciated.
The `.profile.d` folder has to be in the root of what you push to CF.
That's the only place it will get picked up.

It depends on your app and how it's configured to serve up public files,
but you can generally put anything that you need to protect under `WEB-INF`
since that shouldn't be publicly accessible. For example if you want to
keep someone from seeing your script you could put `.profile.d/wrapper.sh`
which will get called by CF and have it call `WEB-INF/secret-script.sh`,
which is your actual script.
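The following is an added example and not part of either message in the thread. It shows the pattern Daniel describes in working form: a `.profile.d` script that resolves the certificate relative to `$HOME`, prints a directory listing when the file is missing (the `FileNotFoundException` case above), keeps the certificate under `WEB-INF` so it is not served to clients, and only then calls `keytool`. The cert location `WEB-INF/ssl/MyCA.crt`, the JRE path `$HOME/.java-buildpack/open_jdk_jre`, the alias, and the default `changeit` store password are assumptions for illustration, not something the thread states; adjust them to your buildpack and app.

```bash
#!/bin/bash
# Added example (not from the thread): .profile.d/import-ca.sh
# Imports a CA certificate packaged inside the WAR into the JRE trust store so
# outbound TLS connections from the app trust that CA. Runs on every container
# start, which is fine because the container filesystem is rebuilt each time.
#
# Assumptions (hypothetical, adjust for your deployment):
#   - the cert is at WEB-INF/ssl/MyCA.crt inside the WAR, so it is not served
#     to browsers; .profile.d only holds this short script
#   - the Java buildpack's JRE lives at $HOME/.java-buildpack/open_jdk_jre
#   - the cacerts password is the JDK default, "changeit"
# Deliberately avoids `set -e` and `exit`: the launcher sources this file at
# start-up, so a hard exit here could take the application down with it.

sleep 2   # the logging workaround from the thread

APP_ROOT="${HOME:-/home/vcap/app}"
JRE_HOME="${JRE_HOME:-$APP_ROOT/.java-buildpack/open_jdk_jre}"   # assumed path
CERT_REL="WEB-INF/ssl/MyCA.crt"                                 # assumed location
CERT_ALIAS="my-internal-ca"                                     # assumed alias

# Resolve a path relative to the app root and print it. When the file is
# missing, return 1 and dump the app root to stderr so the log shows what
# actually got deployed instead of a bare FileNotFoundException.
find_cert() {
  cert="$APP_ROOT/$1"
  if [ -f "$cert" ]; then
    printf '%s\n' "$cert"
    return 0
  fi
  echo "import-ca: $cert not found; app root ($APP_ROOT) contains:" >&2
  ls -la "$APP_ROOT" >&2
  return 1
}

# Import one PEM/DER cert into the JRE's cacerts under the given alias.
# Returns 0 on success, 1 if the cert or keytool is missing, otherwise
# keytool's own exit status.
import_cacert() {
  cert="$(find_cert "$1")" || return 1
  keystore="$JRE_HOME/lib/security/cacerts"
  keytool="$JRE_HOME/bin/keytool"
  if [ ! -x "$keytool" ]; then
    echo "import-ca: no keytool at $keytool" >&2
    return 1
  fi
  echo "import-ca: importing $cert as '$2' into $keystore"
  "$keytool" -importcert -noprompt -trustcacerts \
    -keystore "$keystore" -storepass changeit \
    -alias "$2" -file "$cert"
}

# Only act when the assumed JRE is present, i.e. inside the CF container.
if [ -d "$JRE_HOME" ]; then
  import_cacert "$CERT_REL" "$CERT_ALIAS" \
    || echo "import-ca: import failed, continuing start-up" >&2
fi
```

Run `jar tf app.war` before pushing and confirm both `.profile.d/import-ca.sh` and `WEB-INF/ssl/MyCA.crt` appear at the expected paths; the `ls -la` on the failure path then tells you within one push whether the cert really landed where the script expects it.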
