Adding a new keystore to artifactory breaks existing https connection - docker

We have a docker container running artifactory at my job and we need to add a custom keystore with the self-signed certificates to use Crowd authentication mechanism.
What we did was remove the old docker container and run a new one with the following launching argument :
-e EXTRA_JAVA_OPTIONS="-Djavax.net.ssl.trustStore=/var/opt/jfrog/artifactory/keystore/selfsignedcerts.jks -Djavax.net.ssl.trustStorePassword=selfsignedpassword"
This worked and we could use the crowd auth mechanism but it broke the npm-remote repository (https://registry.npmjs.org) (and other https repos too)
We get the following error when the launch argument is used trying to test the npm-remote repo :
Connection to remote repository failed: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
My hypothesis is that using the argument overwrites the default keystore, but I am unsure. Instead of replacing it, is there any way to use two keystores at once or append the self-signed certificates to the existing one? (I can't even locate the keystore.)

We managed to find a solution with the following :
https://jfrog.com/knowledge-base/how-to-resolve-unable-to-find-valid-certification-path-to-requested-target-error/
Quick explanation: We had to add our intermediate and root certificates to the regular cacerts file that comes with artifactory. We realized the best way to do this was through making a custom docker image based on artifactory :
Dockerfile :
FROM docker.bintray.io/jfrog/artifactory-pro:<your version or latest>
COPY cacerts_with_your_intermediatesAndRoots /etc/ssl/certs/java/cacerts
Then run this new image instead of the barebone artifactory and it'll work.
Note that if you currently have a custom image you should simply add the COPY line to your existing Dockerfile. Also, if you're not running artifactory using Docker, then just add your certificates to the file and restart.
You may also notice I'm using a different path than the one used in the link above. That's because their path is a symbolic link and not the actual file.
In case you have a question feel free to contact me.
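The merge step described in the answer above, as an added example (not code from the original post or from JFrog): it appends CA certificates to a copy of the default cacerts and checks that no existing entry was lost. It assumes keytool is on PATH and the JDK default store password changeit; the function names and file names are illustrative.

```shell
#!/bin/sh
# Added example: append private CA certificates to a COPY of the JVM's default
# truststore, so public CAs and the internal CA are both trusted.
# Assumptions: keytool is on PATH; the password is the JDK default "changeit";
# every file name passed in is a placeholder chosen by the caller.
STOREPASS="${STOREPASS:-changeit}"

# has_alias STORE ALIAS: succeeds if ALIAS already exists in STORE.
has_alias() {
    keytool -list -keystore "$1" -storepass "$STOREPASS" -alias "$2" \
        >/dev/null 2>&1 </dev/null
}

# count_certs STORE: prints the number of certificates in STORE.
# Counting PEM headers avoids parsing keytool's localized summary line.
count_certs() {
    keytool -list -rfc -keystore "$1" -storepass "$STOREPASS" 2>/dev/null \
        </dev/null | grep -c 'BEGIN CERTIFICATE' || true
}

# merge_truststore DEFAULT_STORE OUT_STORE CERT...: prints how many certs were
# added. DEFAULT_STORE is never modified; re-running adds nothing new.
merge_truststore() {
    src=$1; out=$2; shift 2
    cp "$src" "$out" || return 1
    before=$(count_certs "$out")
    added=0
    for cert in "$@"; do
        # Alias = file name without extension, lowercased (aliases are
        # case-insensitive in Java keystores).
        name=$(basename "$cert" | sed 's/\.[^.]*$//' | tr '[:upper:]' '[:lower:]')
        if has_alias "$out" "$name"; then continue; fi
        keytool -importcert -noprompt -alias "$name" -file "$cert" \
            -keystore "$out" -storepass "$STOREPASS" >/dev/null 2>&1 </dev/null \
            || return 1
        added=$((added + 1))
    done
    # Every pre-existing entry must survive: the count may only grow by $added.
    after=$(count_certs "$out")
    [ "$after" -eq $((before + added)) ] || return 1
    echo "$added"
}

# Usage: sh merge-truststore.sh DEFAULT_CACERTS OUT_FILE CA.crt [CA.crt ...]
if [ "$#" -ge 3 ]; then merge_truststore "$@"; fi
```

The output file is what the Dockerfile's COPY line expects as cacerts_with_your_intermediatesAndRoots.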

Related

Retrieve file from keyvault instead of secure files in InstallAppleCertificate task on azure pipeline

According to the documentation of the InstallAppleCertificate task, there is a certSecureFile parameter that looks for the certificate in the "Secure Files":
https://learn.microsoft.com/en-us/azure/devops/pipelines/tasks/utility/install-apple-certificate?view=azure-devops
However in my organization I don't have the permission to upload secure files:
Any other way to select a certificate that isn't uploaded to "Secure Files" for this task?
They did give me a separate keyvault which I can perfectly link to the pipeline build and get files/secrets from in bash scripts. Yet this InstallAppleCertificate task doesn't allow me to use those instead. I wouldn't even mind putting the certificate in my source repo (I know I shouldn't do this).
The certSecureFile field in InstallAppleCertificate task needs to use the .p12 file in secure file.
I am afraid that files that are not in the secure file cannot be used.
Based on my test, when I use the file from local machine, it will show the following error:
This means that before running the build, it will retrieve the files in the secure file. And the file needs to exist in secure file.
Since you can get the files/secrets, you could try to install the Apple Certificate (.p12 file) via script.
security import ./xxx.p12 -P secretPassword
Here is a thread about install .p12 or .cer in console macos.

Selenium Hub - create a reusable profile

I need to execute integration testing using Python code and Selenium HUB driver.
I'm planning to use remote driver (I'm using Selenium HUB docker image on https://github.com/SeleniumHQ/docker-selenium).
I am unable to figure out how to create a persistent profile in the Selenium HUB image and recall from remote webdriver.
I guess I need to first create the profile on Selenium HUB, then recall it in the python code:
from selenium import webdriver
chrome_options = webdriver.ChromeOptions()
# Chrome profile directory on the remote node (placeholder path from the question)
chrome_options.add_argument('user-data-dir=##remotepath')
# Connect to the Selenium Hub and start a session with these options
browser = webdriver.Remote(command_executor='http://127.0.0.1:4444/wd/hub', desired_capabilities=chrome_options.to_capabilities())
browser.get('http://www.google.it')
session_id = browser.session_id
How can I create the "user data dir" profile on docker selenium hub image?
Thx
UPDATE
I run "chrome:\version" and I was able to identify the profile
I was able to specify it in the 'user-data-dir' param but, after committing on docker, when re-launching the image, the path changes.
Is there any way to make it persistent?
UPDATE 2
I've created a folder "/etc/opt/chrome/profile/maya"
I've created a test_policy.json file:
{
"UserDataDir": "/etc/opt/chrome/profile/maya"
}
placed in this directory:
/etc/opt/chrome/policies/managed
When I try to execute the "chrome://policy/" I see this:
Indicating something is wrong:
You can add custom path to chrome using chrome://policy and later add that policy files to docker images.
1. Try the policy setup manually to assert if this approach works for you. While trying, make sure you created a valid policy file. Detailed steps are here.
2. Available policy list
3. Adding steps in the Dockerfile.
3.1. Creating folder as mentioned in step-1
3.2. Copying the policy file tested in step-1
4. Build the docker image and use it.
PS: This approach works for me as I did some customization in chrome. Let me know in case you need more information.

ADD command with network path in Windows Containers Dockerfiles

I'm creating some Windows Container images that I need but the source file I want to ADD are in a network share \\myserver\myshare\here.
I've tried in any possible way but I always get the message error The system cannot find the path specified.
Is it because I have not yet found the right way to set it or is it that it is just not possible?
From the Docker site:
Multiple resource may be specified but if they are files or directories then they must be relative to the source directory that is being built (the context of the build).
Is that why I can't accomplish what I need?
Full error message: GetFileAttributesEx \\myserver\myshare\here\: The system cannot find the path specified.
Whatever you ADD or COPY must be in the docker build context.
When you do this:
docker build .
That directory param (the . in the example) is the context that is copied and sent to the Docker daemon. Then the docker daemon uses those files to COPY or ADD. It won't use any file that is not in that context.
That is the issue that you are experiencing. I'm not sure how you can solve it other than by copying the files from \\myserver to your build directory.
ADD is capable of downloading files when given a URL (should investigate if it supports Windows' shares)

iOS Google Tag Manager Integration: How to add multiple containers per App environment?

I completed the integration of the latest Google Tag Manager (v5) for iOS together with Firebase (https://developers.google.com/tag-manager/ios/v5/).
The big change here is that the default container file is not binary anymore, it is plain JSON.
The integration requires that you have a folder (not group!) with the name "container" inside your app workspace. Within this folder the container file should be located. This raises my issue: We have two different GTM Containers, one for the testing/development app and one for production.
By using a folder it is not possible for me to add a different container file and set target references.
I can not create an additional folder since GTM requires the folder on root level and with the exact name "container"
Does anybody have an idea how this can be solved?
Thanks,
Fahim
You should be able to configure an Xcode "run script" build step that clears the container directory and copies the correct container into place.
Sample Run Script (if somebody has the same issue):
rm -vf "${SRCROOT}/root_folder/container/"*
cp "${SRCROOT}/root_folder/target/test/GTM-XXXXX.json" "${SRCROOT}/root_folder/container/"
It is important that this copy job is done first within Build Phases, otherwise some other precompiling stuff of GTM does not recognize the container.

How to run Grails Wrapper (grailsw) behind a proxy?

I tried to run grailsw, but the wrapper cannot connect to download grails-2.2.1-download.zip (creates a 0 byte file instead).
I need to use a proxy server to connect to the internet, where do I configure proxy settings for the Grails Wrapper?
After running grails wrapper, your project directory has a new subdirectory called wrapper, with a file grails-wrapper.properties. You can configure your proxy settings in there, with the following properties:
systemProp.http.proxyHost=
systemProp.http.proxyPort=
systemProp.http.proxyUser=
systemProp.http.proxyPassword=
systemProp.http.nonProxyHosts=
I solved this problem for myself.
It is a two step process
1.a) Back up your JRE_HOME\lib\security folder. This is essential because the below steps might corrupt cacerts file under jre.
1.b) You need to install the ssl public key of Github.com to your local file system. To do that you have to use the InstallCert.java program( Link to InstallCert.java )
It is supposed to be run as java InstallCert github.com
and when it asks to enter cert number you need to enter 1
It will create a file with name "jssecacerts" in the current directory
1.c) But this program will not work because it does not know about how to authenticate with proxy. For this you need the code from SSLSocketClientWithTunneling page
Use the above two and create a program that tunnels through the proxy, retrieves the ssl key and writes a file called jssecacerts
2) Update your grails.bat with additional options. Add these options to the %JAVA_EXE% command line. Paste them after %DEFAULT_JVM_OPTS%
-Dhttp.proxyHost=YourproxyURL -Dhttp.proxyPort=YourproxyPort -Dhttps.proxyHost=YourproxyURL -Dhttps.proxyPort=YourproxyPort -Dhttp.proxyUser=YourProxyUserID -Dhttp.proxyPassword=YourProxyPassword -Dhttps.proxyUser=YourProxyUserID -Dhttps.proxyPassword=YourProxyPassword -Djavax.net.ssl.trustStore=path-to-your-jssecacerts-created-in-step-1
