Commit: [PLAT-11176][PLAT-11170] Pass Java PKCS TrustStore for play.ws.ssl connections

Summary:
This diff fixes two issues -
  - **PLAT-11176**: Previously, we were only passing YBA's PEM trust store from the custom CA trust store for `play.ws.ssl` TLS handshakes. Consequently, when we attempted to upload multiple CA certificates to YBA's trust store, it resulted in SSL handshake failures for the previously uploaded certificates. With this update, we have included YBA's Java trust store as well.

  - **PLAT-11170**: There was an issue with deletion of CA cert from YBA's trust store. Specifically, when we had uploaded one certificate chain and another certificate that only contained the root of the previously uploaded certificate chain, the deletion of the latter was failing. This issue has been resolved in this diff.

Test Plan:
**PLAT-11170**
  - Uploaded the root cert to YBA's trust store.
  - Created a certificate chain using the root certificate mentioned above and also uploaded it.
  - Verified that deletion of cert uploaded in #1 was successful.

**PLAT-11176**
  - Created HA setup with two standby portals.
  - Each portal is using its own custom CA certs.
  - Uploaded both the cert chains to YBA's trust store.
  - Verified that the backup is successful on both the standby setups configured.

Reviewers: amalyshev

Reviewed By: amalyshev

Subscribers: yugaware

Differential Revision: https://phorge.dev.yugabyte.com/D29985
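The chain-aware deletion described under PLAT-11170, replayed as an added example written for this page (not YugabyteDB's code, which is Java): a trust store keyed by uploaded file (alias), where deleting a file keeps any certificate that another uploaded chain still contains or was signed by, and where "nothing removed because everything is still needed" is reported differently from "no such alias". The store layout, that definition of "used in another chain", and the names `Example Root CA` and `yba.example.test` are assumptions; the certificates are generated at run time as constructed test data.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// ErrNotFound keeps "alias never uploaded" apart from "all kept because another chain needs them".
var ErrNotFound = errors.New("certificate alias does not exist")

// TrustStore: one flat set of trusted certificates plus which uploaded file (alias) contributed them.
type TrustStore struct {
	certs   []*x509.Certificate
	aliases map[string][]*x509.Certificate
}

func NewTrustStore() *TrustStore { return &TrustStore{aliases: map[string][]*x509.Certificate{}} }

// indexOf returns the position of cert in the trusted set, or -1.
func (ts *TrustStore) indexOf(cert *x509.Certificate) int {
	for i, c := range ts.certs {
		if c.Equal(cert) {
			return i
		}
	}
	return -1
}

func (ts *TrustStore) Contains(cert *x509.Certificate) bool { return ts.indexOf(cert) >= 0 }

// Upload records one file's certificates under alias; a certificate seen twice is trusted once.
func (ts *TrustStore) Upload(alias string, chain ...*x509.Certificate) {
	ts.aliases[alias] = chain
	for _, c := range chain {
		if !ts.Contains(c) {
			ts.certs = append(ts.certs, c)
		}
	}
}

// usedInOtherChain: cert is in, or signed a member of, a chain uploaded under another alias
// (assumed meaning; the commit's own isCertificateUsedInOtherChain is not shown on the page).
func (ts *TrustStore) usedInOtherChain(alias string, cert *x509.Certificate) bool {
	for other, chain := range ts.aliases {
		for _, c := range chain {
			if other != alias && (c.Equal(cert) || c.CheckSignatureFrom(cert) == nil) {
				return true
			}
		}
	}
	return false
}

// Remove deletes alias and those of its certificates no other alias depends on. (0, nil) means
// the file existed but everything was kept; an unknown alias is an error, not a silent no-op.
func (ts *TrustStore) Remove(alias string) (int, error) {
	chain, ok := ts.aliases[alias]
	if !ok {
		return 0, ErrNotFound
	}
	removed := 0
	for _, c := range chain {
		if i := ts.indexOf(c); i >= 0 && !ts.usedInOtherChain(alias, c) {
			ts.certs = append(ts.certs[:i], ts.certs[i+1:]...)
			removed++
		}
	}
	delete(ts.aliases, alias)
	return removed, nil
}

// newCert mints a throwaway P-256 certificate (constructed test data); parent == nil means self-signed.
func newCert(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, BasicConstraintsValid: true, IsCA: isCA,
	}
	if isCA {
		tmpl.KeyUsage = x509.KeyUsageCertSign
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// Scenario replays the PLAT-11170 test plan: upload the root alone, then a chain issued by it,
// then delete the root alias. Returns the count removed, whether the root is still trusted, error.
func Scenario() (int, bool, error) {
	root, rootKey := newCert("Example Root CA", true, nil, nil)
	leaf, _ := newCert("yba.example.test", false, root, rootKey)
	ts := NewTrustStore()
	ts.Upload("root-only", root)
	ts.Upload("server-chain", leaf, root)
	removed, err := ts.Remove("root-only")
	return removed, ts.Contains(root), err
}

func main() { fmt.Println(Scenario()) }
```

`Remove` answers the test-plan delete with `(0, nil)`: the call succeeds, and the root stays trusted because the uploaded chain still carries it. Deleting the chain afterwards drops only the leaf, and only a final delete of the root alias removes the root itself; an alias that was never uploaded comes back as `ErrNotFound` rather than as another silent zero.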
Vars-07 committed Nov 7, 2023
1 parent e52ade1 commit 4c8978b
Showing 3 changed files with 31 additions and 1 deletion.
Original file line number Diff line number Diff line change
@@ -79,6 +79,7 @@ private WSClient newClient(String ybWsConfigPath) {
if (!ybaStoreConfig.isEmpty() && customCAStoreManager.isEnabled()) {
// Add JRE default cert paths as well in this case.
ybaStoreConfig.add(customCAStoreManager.getJavaDefaultConfig());
ybaStoreConfig.addAll(customCAStoreManager.getYBAJavaKeyStoreConfig());

Config customWsConfig =
ConfigFactory.empty()
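Review bot: the comment on the line above the new call still reads `// Add JRE default cert paths as well in this case.`, so nothing tells a reader that YBA's own Java trust store is now attached too; extend it, e.g. `// Add the JRE default trust store and YBA's own Java trust store as well.` Note also that the whole block stays gated on `!ybaStoreConfig.isEmpty()`, i.e. on the PEM list being non-empty: if the PKCS12 store can hold certificates while the PEM list is empty, `getYBAJavaKeyStoreConfig()` is never consulted, so gate on the combined list unless the two stores are always populated together.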
@@ -89,7 +90,7 @@ private WSClient newClient(String ybWsConfigPath) {
ybWsOverrides = customWsConfig.getValue("play.ws");
}

log.info(
log.debug(
"Creating ws client with config override: {}",
ybWsOverrides.render(ConfigRenderOptions.concise()));

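Review bot: dropping the level to debug does not fix what this log line can now leak. `getYBAJavaKeyStoreConfig()` puts the trust-store `password` into the map that `ybaStoreConfig` carries, and if `ybaStoreConfig` is what fills `customWsConfig` in the elided lines, `ybWsOverrides.render(ConfigRenderOptions.concise())` prints that password whenever debug logging is enabled. Log the store paths and types only, or strip the password entry from the config before rendering, so the secret never reaches the log at any level.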
Original file line number Diff line number Diff line change
@@ -344,6 +344,27 @@ public List<Map<String, String>> getPemStoreConfig() {

// -------------- PKCS12 CA trust-store specific methods ------------

public List<Map<String, String>> getYBAJavaKeyStoreConfig() {
String storagePath = AppConfigHelper.getStoragePath();
String trustStoreHome = getTruststoreHome(storagePath);
List ybaJavaKeyStoreConfig = new ArrayList<>();

if (Files.exists(Paths.get(trustStoreHome))) {
String javaTrustStorePathStr = pkcs12TrustStoreManager.getYbaTrustStorePath(trustStoreHome);
Path javaTrustStorePath = Paths.get(javaTrustStorePathStr);
if (Files.exists(javaTrustStorePath)) {
Map<String, String> trustStoreMap = new HashMap<>();
trustStoreMap.put("path", javaTrustStorePathStr);
trustStoreMap.put("type", pkcs12TrustStoreManager.getYbaTrustStoreType());
trustStoreMap.put("password", new String(getTruststorePassword()));
ybaJavaKeyStoreConfig.add(trustStoreMap);
}
}

log.debug("YBA's custom java trust store config is {}", ybaJavaKeyStoreConfig);
return ybaJavaKeyStoreConfig;
}

private KeyStore getYbaKeyStore() {
String storagePath = AppConfigHelper.getStoragePath();
String trustStoreHome = getTruststoreHome(storagePath);
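Review bot: `List ybaJavaKeyStoreConfig = new ArrayList<>();` is a raw type that the return statement has to unchecked-convert to the declared `List<Map<String, String>>`; declare it as `List<Map<String, String>> ybaJavaKeyStoreConfig = new ArrayList<>();`. Two secret-handling points in the same hunk: `new String(getTruststorePassword())` turns a clearable `char[]` into an immutable `String` (unavoidable if the config map needs a String, but then the char[] convention buys nothing here), and `log.debug("YBA's custom java trust store config is {}", ybaJavaKeyStoreConfig)` prints the whole map, password included. Log only the `path` and `type` entries.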
Original file line number Diff line number Diff line change
@@ -171,6 +171,7 @@ public void remove(
List<Certificate> trustCerts = getCertificates(trustStorePath);
// Check if such an alias already exists.
List<Certificate> certToRemove = getX509Certificate(certPath);
int certToRemoveCount = certToRemove.size();
// Iterate through each certificate in certToRemove and check if it's used in any chain
boolean exists = false;
Iterator<Certificate> certIterator = certToRemove.iterator();
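Review bot: `int certToRemoveCount = certToRemove.size();` duplicates state the list already tracks, since every `certIterator.remove()` shrinks `certToRemove` itself; `certToRemove.isEmpty()` after the loop gives the same answer without a second variable to keep in step. While here, the comment `// Check if such an alias already exists.` above `getX509Certificate(certPath)` does not describe that line, which reads the certificates of the file being deleted.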
@@ -179,13 +180,20 @@ public void remove(
if (isCertificateUsedInOtherChain(cert)) {
// Certificate is part of a chain, do not remove it
log.debug("Certificate {} is part of a chain, skipping removal.", certAlias);
certToRemoveCount -= 1;
certIterator.remove();
} else {
// Certificate is not part of a chain
exists = true;
}
}

if (certToRemoveCount == 0) {
log.debug(
"Skipping removal of cert from PEM truststore, as the cert is part of other trust chain");
return;
}

if (!exists && !suppressErrors) {
String msg = String.format("Certificate '%s' does not exist to delete", certAlias);
log.error(msg);
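Review bot: the new `if (certToRemoveCount == 0) return;` covers two different situations and reports both as success: every certificate in the file was kept because another chain uses it (the PLAT-11170 case), and `getX509Certificate(certPath)` returned an empty list, where the count is already 0 before the loop runs. In the second case the method now returns before `if (!exists && !suppressErrors)`, so a request to delete a certificate that is not in the store gets a debug line about a trust chain instead of the "does not exist to delete" error, if that helper can return an empty list. Take the early return only when at least one certificate was actually skipped (for instance, remember `certToRemove.size()` before the loop and return only when it was non-zero and the remaining count is zero), include `certAlias` in the message, and fix its grammar ("as the certificate is part of another trust chain").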
