diff --git a/Dockerfile b/Dockerfile
index b7804388..95ca50ba 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -206,16 +206,34 @@ RUN mkdir -p /opt/pega/kafkadata && \
 chmod -R g+rw /opt/pega/kafkadata && \
 chown -R pegauser /opt/pega/kafkadata
-# Set up dir for prometheus lib
+# download necessary jars
 RUN apt-get update && \
 apt-get install -y gpg && \
 rm -rf /var/lib/apt/lists/* && \
 mkdir -p /opt/pega/prometheus && \
+ mkdir -p /opt/pega/bcfips && \
 curl -sL -o /opt/pega/prometheus/jmx_prometheus_javaagent.jar https://repo1.maven.org/maven2/io/prometheus/jmx/jmx_prometheus_javaagent/0.18.0/jmx_prometheus_javaagent-0.18.0.jar && \
 curl -sL -o /tmp/jmx_prometheus_javaagent-0.18.0.jar.asc https://repo1.maven.org/maven2/io/prometheus/jmx/jmx_prometheus_javaagent/0.18.0/jmx_prometheus_javaagent-0.18.0.jar.asc && \
 gpg --import /keys/prometheus.asc && \
 gpg --verify /tmp/jmx_prometheus_javaagent-0.18.0.jar.asc /opt/pega/prometheus/jmx_prometheus_javaagent.jar && \
 rm /tmp/jmx_prometheus_javaagent-0.18.0.jar.asc && \
+ curl -sL -o /opt/pega/bcfips/bc-fips-2.0.0.jar https://repo1.maven.org/maven2/org/bouncycastle/bc-fips/2.0.0/bc-fips-2.0.0.jar && \
+ curl -sL -o /tmp/bc-fips-2.0.0.jar.asc https://repo1.maven.org/maven2/org/bouncycastle/bc-fips/2.0.0/bc-fips-2.0.0.jar.asc && \
+ curl -sL -o /opt/pega/bcfips/bctls-fips-2.0.19.jar https://repo1.maven.org/maven2/org/bouncycastle/bctls-fips/2.0.19/bctls-fips-2.0.19.jar && \
+ curl -sL -o /tmp/bctls-fips-2.0.19.jar.asc https://repo1.maven.org/maven2/org/bouncycastle/bctls-fips/2.0.19/bctls-fips-2.0.19.jar.asc && \
+ curl -sL -o /opt/pega/bcfips/bcpkix-fips-2.0.7.jar https://repo1.maven.org/maven2/org/bouncycastle/bcpkix-fips/2.0.7/bcpkix-fips-2.0.7.jar && \
+ curl -sL -o /tmp/bcpkix-fips-2.0.7.jar.asc https://repo1.maven.org/maven2/org/bouncycastle/bcpkix-fips/2.0.7/bcpkix-fips-2.0.7.jar.asc && \
+ curl -sL -o /opt/pega/bcfips/bcutil-fips-2.0.3.jar https://repo1.maven.org/maven2/org/bouncycastle/bcutil-fips/2.0.3/bcutil-fips-2.0.3.jar && \
+ curl -sL -o /tmp/bcutil-fips-2.0.3.jar.asc https://repo1.maven.org/maven2/org/bouncycastle/bcutil-fips/2.0.3/bcutil-fips-2.0.3.jar.asc && \
+ gpg --import /keys/bc_maven_public_key.asc && \
+ gpg --verify /tmp/bc-fips-2.0.0.jar.asc /opt/pega/bcfips/bc-fips-2.0.0.jar && \
+ rm /tmp/bc-fips-2.0.0.jar.asc && \
+ gpg --verify /tmp/bctls-fips-2.0.19.jar.asc /opt/pega/bcfips/bctls-fips-2.0.19.jar && \
+ rm /tmp/bctls-fips-2.0.19.jar.asc && \
+ gpg --verify /tmp/bcpkix-fips-2.0.7.jar.asc /opt/pega/bcfips/bcpkix-fips-2.0.7.jar && \
+ rm /tmp/bcpkix-fips-2.0.7.jar.asc && \
+ gpg --verify /tmp/bcutil-fips-2.0.3.jar.asc /opt/pega/bcfips/bcutil-fips-2.0.3.jar && \
+ rm /tmp/bcutil-fips-2.0.3.jar.asc && \
 apt-get autoremove --purge -y gpg && \
 chgrp -R 0 /opt/pega/prometheus && \
 chmod -R g+rw /opt/pega/prometheus && \
diff --git a/keys/bc_maven_public_key.asc b/keys/bc_maven_public_key.asc
new file mode 100644
index 00000000..a3514093
--- /dev/null
+++ b/keys/bc_maven_public_key.asc
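Review bot: The four new `gpg --verify` calls accept a signature from any key in the default keyring, and gpg exits 0 for a good signature regardless of the key's trust level, so importing /keys/bc_maven_public_key.asc into the same keyring as /keys/prometheus.asc ties none of the jars to the BouncyCastle signing key in particular, and nothing pins that key's fingerprint (not on this page) at import time. Importing into a dedicated keyring and verifying against only that keyring closes the first gap; checking `--status-fd 1` output for a `VALIDSIG` line carrying the expected fingerprint would close the second. The RUN continues past the hunk; if the `chgrp -R 0`/`chmod -R g+rw` applied to /opt/pega/prometheus is also applied to /opt/pega/bcfips further down, consider leaving the provider jars read-only, since setenv.sh puts that whole directory on the CLASSPATH. The keyring path in the fence is illustrative.
```dockerfile
# … unchanged: prometheus agent download and verification …
    gpg --no-default-keyring --keyring /tmp/bc.gpg --import /keys/bc_maven_public_key.asc && \
    gpg --no-default-keyring --keyring /tmp/bc.gpg --verify /tmp/bc-fips-2.0.0.jar.asc /opt/pega/bcfips/bc-fips-2.0.0.jar && \
    rm /tmp/bc-fips-2.0.0.jar.asc && \
    gpg --no-default-keyring --keyring /tmp/bc.gpg --verify /tmp/bctls-fips-2.0.19.jar.asc /opt/pega/bcfips/bctls-fips-2.0.19.jar && \
    rm /tmp/bctls-fips-2.0.19.jar.asc && \
    gpg --no-default-keyring --keyring /tmp/bc.gpg --verify /tmp/bcpkix-fips-2.0.7.jar.asc /opt/pega/bcfips/bcpkix-fips-2.0.7.jar && \
    rm /tmp/bcpkix-fips-2.0.7.jar.asc && \
    gpg --no-default-keyring --keyring /tmp/bc.gpg --verify /tmp/bcutil-fips-2.0.3.jar.asc /opt/pega/bcfips/bcutil-fips-2.0.3.jar && \
    rm /tmp/bcutil-fips-2.0.3.jar.asc /tmp/bc.gpg* && \
# … unchanged: apt-get autoremove and directory permissions …
```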
@@ -0,0 +1,25 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+
+mQGNBGR/8HUBDADJ+V5VgTXFG4xVI/1r07a/pTXoAQhHyJMkVdFScGARsps07VXI
+IsYgPsifOFU55E7uRMZPTLAx5F1uxoZAWGtXIz0d4ISKhobFquH8jZe7TnsJBJNV
+eo3u7G54iSfLifiJ4q17NvaESBNSirPaAPfEni93+gQvdn3zVnDPfO+mhO00l/fE
+5GnqHt/Q2z2WKVQt3Vg0R66phe2XaFnycY/d+an73FiXqhuhm4sXlcA++gfSt1H1
+K7+ApqJsX9yw79A1FlGTPOeimqZqE75+OyQ9Kz0XTvN/GmHeEygTrNEnMDTr1BWz
+P0/ut0UXmktJtJXgLi5wUCncwwi+UpCSwwou7/3r+eBh5aykxSo9OtYe4xPNKWSo
+EiPZXpCH5Wjq9TpXOuhnZvRFqbR24mWz5+J/DoaVP3pwEhGXxr5VjVc1f8gJ8A34
+YYPlxUGcl8f3kykzvl4X5HDIbHb9MAl+9qtwQo1tFA9umD2Da/8bSsxrnZdkkzEA
+OpJYwT1EkQRZRcUAEQEAAbRmVGhlIExlZ2lvbiBvZiB0aGUgQm91bmN5IENhc3Rs
+ZSBJbmMuIChNYXZlbiBSZXBvc2l0b3J5IEFydGlmYWN0IFNpZ25lcikgPGJjbWF2
+ZW5zeW5jQGJvdW5jeWNhc3RsZS5vcmc+iQHUBBMBCgA+FiEEexIbdqftbObmCtUX
+hOkTqOOnSMAFAmR/8HUCGwMFCQlmAYAFCwkIBwIGFQoJCAsCBBYCAwECHgECF4AA
+CgkQhOkTqOOnSMCTYgv/c9RSHcO056c7G3mH94eTqCMNSzhaiVIMKPgRwro10vpu
+hOLdRfwkxe9nsa9tDGiv64sqUZADfnPxNP6mSE4la+fucwn5j1KxIicQt11zRO/e
+Ep2vqBZoq60D9p23foDi4/XGuKtnwYQxyaLrvkFaAUpKYzCr7aU1ftqFfE+lKyYB
+poQtib1PNqltKs/dX0IHACOeYbZ+j4YZnd6Qsl1XhDtVAYzIW60A3nDwDjOWTNaQ
+2W0qX4xrG5XetqnhQj+nwGtkJFXJj7FF1QkIcWiwkAQZTxZk3F0hxlNrZY2rq9BE
+nbmwMMCk8S/nn9gBeGriom2StkZC+1Bv/w7BS5fWUW9YzJ5803RVkOd+8Taeu2yn
+XUvPNfvijmRO1doTXl7uE5fXAxFmG0+09W5sLVf0KBtdrQ1jzFUZas5iPQiXDNTF
+aD3d7kQH7divX3PoZIbq1aaiI2yVI8k5MCYjQPQJbDiBGZumxgkm8J5ooOYVkR9F
+dETovzOLJ8QqCzo41kBp
+=gIeQ
+-----END PGP PUBLIC KEY BLOCK-----
diff --git a/scripts/docker-entrypoint.sh b/scripts/docker-entrypoint.sh
index 97d33d6d..3a640ae0 100644
--- a/scripts/docker-entrypoint.sh
+++ b/scripts/docker-entrypoint.sh
@@ -42,7 +42,7 @@ final_config_root=$config_root
 if [ "$IS_PEGA_CONFIG_COMPRESSED" == true ]; then
 final_config_root=$decompressed_root
-file_list=("prlog4j2.xml" "prconfig.xml" "context.xml" "server.xml" "web.xml" "tomcat-users.xml" "catalina.properties" "prbootstrap.properties" "java.security.overwrite" "tomcat-web.xml" "server.xml.tmpl" "context.xml.tmpl")
+file_list=("prlog4j2.xml" "prconfig.xml" "context.xml" "server.xml" "web.xml" "tomcat-users.xml" "catalina.properties" "prbootstrap.properties" "java.security.overwrite" "tomcat-web.xml" "server.xml.tmpl" "context.xml.tmpl" "java.security.overwrite.tmpl")
 # decompressing the files if exists
 for filename in "${file_list[@]}"; do
 if [ -e "${config_root}/$(unknown)" ]; then
@@ -342,6 +342,10 @@ fi
 if [ -e "${java_security_overwrite}" ]; then
 echo "Loading java.security.overwrite from ${java_security_overwrite}...";
 cp "${java_security_overwrite}" "${CATALINA_HOME}/conf/"
+elif [ -e "${final_config_root}/java.security.overwrite.tmpl" ]; then
+ echo "No java.security.overwrite was specified in ${java_security_overwrite}. Generating from templates"
+ cp ${final_config_root}/java.security.overwrite.tmpl "${CATALINA_HOME}"/conf/java.security.overwrite.tmpl
+ /bin/detemplatize -template "${CATALINA_HOME}"/conf/java.security.overwrite.tmpl:"${CATALINA_HOME}"/conf/java.security.overwrite
 else
 echo "No java.security.overwrite was specified in ${java_security_overwrite}. Using defaults."
 fi
diff --git a/tomcat-bin/setenv.sh b/tomcat-bin/setenv.sh
index 5adb2934..03c80047 100644
--- a/tomcat-bin/setenv.sh
+++ b/tomcat-bin/setenv.sh
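Review bot: In the new `elif` branch of the second hunk the source path in `cp ${final_config_root}/java.security.overwrite.tmpl ...` is unquoted, while the `[ -e "${final_config_root}/java.security.overwrite.tmpl" ]` test directly above it and the existing `cp "${java_security_overwrite}" ...` branch both quote theirs, so a config root containing spaces or glob characters passes the test and then fails or copies the wrong files: `cp "${final_config_root}/java.security.overwrite.tmpl" "${CATALINA_HOME}/conf/java.security.overwrite.tmpl"`. The rendered file overrides JVM security properties, so a failed `/bin/detemplatize` should not fall through silently; if the script does not run under `set -e` (not visible here), append `|| exit 1` to that line. The `.tmpl` copy is left behind in `${CATALINA_HOME}/conf/` after rendering; removing it after detemplatize keeps conf/ to the files Tomcat actually reads. The first hunk's `if [ "$IS_PEGA_CONFIG_COMPRESSED" ...` block continues past the hunk.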
@@ -41,6 +41,12 @@ else
 echo "No krb5.conf was specified in ${krb5_conf}."
 fi
+if [ "${FIPS_140_3_MODE}" == "true" ]; then
+ JAVA_OPTS="${JAVA_OPTS} -Dorg.bouncycastle.fips.approved_only=true"
+ export CLASSPATH="/opt/pega/bcfips/*"
+ HIGHLY_SECURE_CRYPTO_MODE_ENABLED=true
+fi
+
 if [ "${HIGHLY_SECURE_CRYPTO_MODE_ENABLED}" == "true" ]; then
 JAVA_OPTS="${JAVA_OPTS} -DHighSecureCryptoModeEnabled=true "
 fi
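Review bot: `export CLASSPATH="/opt/pega/bcfips/*"` replaces any CLASSPATH already present in the environment rather than extending it, so an operator-supplied classpath is silently dropped whenever FIPS_140_3_MODE is true; if that is intended, a comment saying so would help, otherwise `export CLASSPATH="${CLASSPATH:+${CLASSPATH}:}/opt/pega/bcfips/*"` keeps both. The new block also logs nothing, unlike the krb5 branch above it that echoes its decision, so the container log carries no evidence that approved-only mode was requested; an `echo "FIPS 140-3 mode enabled: BC FIPS jars on CLASSPATH, approved_only=true"` inside the `if` gives operators something to check. Putting the jars on the classpath and setting approved_only presumably relies on the provider being registered through the java.security.overwrite template that docker-entrypoint.sh now renders; that dependency is worth a one-line comment here, since the system property alone does not register a provider.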