Add TLS config

Signed-off-by: Kevin Grigorenko <[email protected]>
IBM · Dec 11, 2024 · 978ea53 · 978ea53
1 parent 8f9c7f6
commit 978ea53
Show file tree

Hide file tree

Showing 6 changed files with 43 additions and 4 deletions.
diff --git a/pom.xml b/pom.xml
@@ -38,6 +38,11 @@
         <liberty.runtime.groupId>io.openliberty</liberty.runtime.groupId>
         <liberty.runtime.artifactId>openliberty-kernel</liberty.runtime.artifactId>
 
+        <!--
+          liberty.var.* properties generate configDropins/overrides/liberty-plugin-variable-config.xml
+          https://github.com/OpenLiberty/ci.maven/blob/main/docs/common-server-parameters.md
+        -->
+
         <!-- Test dependencies -->
         <version.junit-jupiter-engine>5.10.2</version.junit-jupiter-engine>
         <version.httpclient5>5.3.1</version.httpclient5>

diff --git a/src/main/liberty/config/bootstrap.properties b/src/main/liberty/config/bootstrap.properties
diff --git a/src/main/liberty/config/configDropins/defaults/tls.xml b/src/main/liberty/config/configDropins/defaults/tls.xml
@@ -0,0 +1,34 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!-- 
+ (C) Copyright IBM Corporation 2024.
+
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+-->
+<server>
+    <featureManager>
+        <feature>transportSecurity-1.0</feature>
+    </featureManager>
+
+    <!--
+      To enable TLS, in addition to the transportSecurity-1.0 feature,
+      either specify keystore_password in server.env or as an
+      environment variable, or specify a keystore element with an explicit
+      password (optionally encrypted):
+      https://openliberty.io/docs/latest/reference/feature/transportSecurity.html
+
+      We choose the latter route so that we can pick up the password from non-envar
+      sources which makes it easy to run without needing to git commit a password in server.env.
+    -->
+    <variable name="self.signed.certificate.password" defaultValue="overrideme" />
+    <keyStore id="defaultKeyStore" password="${self.signed.certificate.password}" />
+</server>
diff --git a/src/main/liberty/config/jvm.options b/src/main/liberty/config/jvm.options
diff --git a/src/main/liberty/config/server.env b/src/main/liberty/config/server.env
diff --git a/src/main/liberty/config/server.xml b/src/main/liberty/config/server.xml
@@ -17,11 +17,11 @@
 <server>
     <featureManager>
         <feature>jsp-2.2</feature>
-        <!-- So that Liberty exposes a TLS port. -->
-        <feature>transportSecurity-1.0</feature>
     </featureManager>
 
     <httpEndpoint host="*" httpPort="9080" httpsPort="9443" id="defaultHttpEndpoint" />
-
-    <webApplication id="helloworldjsp" location="helloworldjsp.war" name="helloworldjsp" contextRoot="/" />
+
+    <webApplication location="helloworldjsp.war" contextRoot="/" />
+
+    <!-- See configDropins/*/*.xml for other configuration -->
 </server>