!WIP Implement alternatve method to load a JavaKeystore with host key

[nathanlcarlson]

This issue is documented in #647 on the esgf-installer Github repo. Look there for details.

[nathanlcarlson]

This has gone through a fair amount of manual testing and I am confident in the new functionality. I would like to clean up everything around the old functionality, but truststore/keystore creation is not isolated to their respective files. Specifically I see truststore/keystore creation occuring in esg_tomcat_manager. I don't know if that is required and would like to clean it out, but fear that it will cause unforeseen problems with dependencies. It may be worth it even if errors arise, that way the code will become clearer about what actually needs to happen and when.

[nathanlcarlson]

@pchengi2 How is https://github.com/ESGF/esgf-installer/commit/aeb31218e5287e974b75780a0a3402c8673bfbb8 related to the intent of this PR, which is to implement an alternative method for generating the Java keystores used by the node? Is there some issue you encountered with this branch with bzip2 missing?

[nathanlcarlson]

@pchengi2 Also, please note the "Contributing" section https://github.com/ESGF/esgf-installer/tree/python_devel#contributing of the README.

[pchengi2]

Duly noted.

/Prashanth

On Mon, 22 Oct 2018, nathanlcarlson wrote:

@pchengi2 Also, please note the "Contributing" section https://github.com/ESGF/esgf-installer/tree/python_devel#contributing of the README.

— You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub, or mute the thread.[AdaGc5kG-NibWJRpRtFFXvZ7p4dtUflyks5uneqygaJpZM4XxhcP.gif]

[pchengi2]

Hi Nathan,

Sorry! The bzip2 issue wasn't related to this particular commit. I noted that installations of 2.8 failed on Centos 7 due to the fact that bzip2 isn't installed by default, and I knew that the same issue would affect the pythonized installer too, so thought of fixing it myself, instead of sending in a PR. I'll send in a PR against python-devel, in the future.

/Prashanth

On Mon, 22 Oct 2018, nathanlcarlson wrote:

@pchengi2 How is aeb3121 related to the intent of this PR, which is to implement an alternative method for generating the Java keystores used by the node? Is there some issue you encountered with this branch with bzip2 missing?

— You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub, or mute the thread.[AdaGc9jsCrFEyLJg8PuMh8qRfOCTxPR-ks5uneBigaJpZM4XxhcP.gif]

[nathanlcarlson]

With the latest commit, most, ideally all, the required functionality is implemented. The next step is to have installer use it. There are several use cases of this so-called "trust" module. Case 1

• The user did not provide any certificates and would like to perform a fresh install. In which case the two primary functions web_services and globus_services are invoked without any arguments near the end of the installation process, but before services are started. The user will need to obtain a key/certificate signed by a known, trusted, CA as well as use the generated certificate signing requests to obtain key/certificates for the gridFTP identity and the myproxy CA. That brings us to Case 2.

Case 2

• The user has done an install without providing any key/certificate pairs. They have now obtained an official signed key/certificate from a known, trusted, CA for web services and fulfilled both of the generated CSR's for globus services. They can now invoke some command line directives with these new files specified correctly. Note this will likely be two separate invocations at the command line. The two primary functions web_services and globus_services will be invoked with these files appropriately specified. This case also applies if new certificates are obtained by the user and they would like to install them.

Case 3

• The user obtained an official signed key/certificate from a known, trusted, CA for web services prior to installation. These files can be specified in the properties file and properly passed to web_services in the "trust" module.