
AMBARI-5040 2-way auth fails when using jdk7 (dsen)

Dmitry Sen 11 years ago
parent
commit
aad6fdb94d

+ 6 - 1
ambari-server/conf/unix/ca.config

@@ -19,6 +19,11 @@ countryName            = optional
 stateOrProvinceName    = optional 
 localityName           = optional
 organizationName       = optional
-organizationalUnitName = supplied 
+organizationalUnitName = optional
 commonName             = optional   
 emailAddress           = optional       
+
+[ jdk7_ca ]
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer:always
+basicConstraints = CA:true
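Review bot: The new `[ jdk7_ca ]` section at the end of the hunk sets `basicConstraints = CA:true` without marking it critical and without a `keyUsage` line, so nothing in the resulting root certificate restricts what the key may sign; RFC 5280 requires basicConstraints to be critical in CA certificates. Because CertificateManager selects this section with `-extensions jdk7_ca -selfsign`, it defines the root itself, so the two lines should read `basicConstraints = critical,CA:true` and `keyUsage = critical,keyCertSign,cRLSign`. Loosening `organizationalUnitName` to `optional` leaves the policy with no required subject field at all, which is acceptable for the self-signed root but worth checking if the same policy section also governs agent requests (the `[ ca ]` and policy header of this file sit above the hunk). If `default_md` in this file still carries the `md5` setting seen in the deleted src/main/resources copy, that is the more urgent change to make alongside this one.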

+ 0 - 1
ambari-server/pom.xml

@@ -116,7 +116,6 @@
             <exclude>src/test/resources/gsInstaller-hosts.txt</exclude>
             <exclude>src/test/resources/temporal_ganglia_data.txt</exclude>
             <exclude>src/test/resources/users.ldif</exclude>
-            <exclude>src/main/resources/ca.config</exclude>
             <exclude>src/main/resources/hive-schema-0.10.0.oracle.sql</exclude>
             <exclude>src/main/resources/hive-schema-0.12.0.oracle.sql</exclude>
             <exclude>src/main/resources/db/serial</exclude>

+ 5 - 1
ambari-server/src/main/java/org/apache/ambari/server/configuration/Configuration.java

@@ -66,6 +66,7 @@ public class Configuration {
   public static final String SRVR_ONE_WAY_SSL_PORT_KEY = "security.server.one_way_ssl.port";
   public static final String SRVR_KSTR_DIR_KEY = "security.server.keys_dir";
   public static final String SRVR_CRT_NAME_KEY = "security.server.cert_name";
+  public static final String SRVR_CSR_NAME_KEY = "security.server.csr_name";
   public static final String SRVR_KEY_NAME_KEY = "security.server.key_name";
   public static final String KSTR_NAME_KEY =
       "security.server.keystore_name";
@@ -176,6 +177,7 @@ public class Configuration {
   public static final String SRVR_ONE_WAY_SSL_PORT_DEFAULT = "8440";
   public static final String SRVR_CRT_NAME_DEFAULT = "ca.crt";
   public static final String SRVR_KEY_NAME_DEFAULT = "ca.key";
+  public static final String SRVR_CSR_NAME_DEFAULT = "ca.csr";
   public static final String KSTR_NAME_DEFAULT = "keystore.p12";
   public static final String CLIENT_API_SSL_KSTR_NAME_DEFAULT = "https.keystore.p12";
   public static final String CLIENT_API_SSL_CRT_PASS_FILE_NAME_DEFAULT = "https.pass.txt";
@@ -299,7 +301,9 @@ public class Configuration {
     configsMap.put(SRVR_CRT_NAME_KEY, properties.getProperty(
         SRVR_CRT_NAME_KEY, SRVR_CRT_NAME_DEFAULT));
     configsMap.put(SRVR_KEY_NAME_KEY, properties.getProperty(
-        SRVR_KEY_NAME_KEY, SRVR_KEY_NAME_DEFAULT));
+      SRVR_KEY_NAME_KEY, SRVR_KEY_NAME_DEFAULT));
+    configsMap.put(SRVR_CSR_NAME_KEY, properties.getProperty(
+      SRVR_CSR_NAME_KEY, SRVR_CSR_NAME_DEFAULT));
     configsMap.put(KSTR_NAME_KEY, properties.getProperty(
         KSTR_NAME_KEY, KSTR_NAME_DEFAULT));
     configsMap.put(SRVR_CRT_PASS_FILE_KEY, properties.getProperty(
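Review bot: The continuation lines of the new `SRVR_CSR_NAME_KEY` entry in the third hunk, together with the re-indented `SRVR_KEY_NAME_KEY` line just above it, use a 6-space indent while the neighbouring `SRVR_CRT_NAME_KEY` and `KSTR_NAME_KEY` entries use 8, so the hunk introduces a mixed style inside one statement run; keep the 8-space continuation, `        SRVR_CSR_NAME_KEY, SRVR_CSR_NAME_DEFAULT));`, and drop the whitespace-only edit to the key-name line. The enclosing method of that hunk starts outside it. The two new constants in the first hunks would also benefit from a one-line comment such as `// File name of the server's certificate signing request, stored under the keys directory` — that it lives under the keys directory is inferred from how CertificateManager formats `{1}/{5}`, so confirm before committing the wording.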

+ 7 - 5
ambari-server/src/main/java/org/apache/ambari/server/security/CertificateManager.java

@@ -49,10 +49,11 @@ public class CertificateManager {
   private static final String GEN_SRVR_KEY = "openssl genrsa -des3 " +
       "-passout pass:{0} -out {1}/{2} 4096 ";
   private static final String GEN_SRVR_REQ = "openssl req -passin pass:{0} " +
-      "-new -key {1}/{2} -out {1}/{3} -batch";
-  private static final String SIGN_SRVR_CRT = "openssl x509 " +
-      "-passin pass:{0} -req -days 365 -in {1}/{3} -signkey {1}/{2} " +
-      "-out {1}/{3} \n";
+      "-new -key {1}/{2} -out {1}/{5} -batch";
+  private static final String SIGN_SRVR_CRT = "openssl ca -create_serial " +
+    "-out {1}/{3} -days 365 -keyfile {1}/{2} -key {0} -selfsign " +
+    "-extensions jdk7_ca -config {1}/ca.config -batch " +
+    "-infiles {1}/{5}";
   private static final String EXPRT_KSTR = "openssl pkcs12 -export" +
       " -in {1}/{3} -inkey {1}/{2} -certfile {1}/{3} -out {1}/{4} " +
       "-password pass:{0} -passin pass:{0} \n";
@@ -139,12 +140,13 @@ public class CertificateManager {
     Map<String, String> configsMap = configs.getConfigsMap();
     String srvrKstrDir = configsMap.get(Configuration.SRVR_KSTR_DIR_KEY);
     String srvrCrtName = configsMap.get(Configuration.SRVR_CRT_NAME_KEY);
+    String srvrCsrName = configsMap.get(Configuration.SRVR_CSR_NAME_KEY);;
     String srvrKeyName = configsMap.get(Configuration.SRVR_KEY_NAME_KEY);
     String kstrName = configsMap.get(Configuration.KSTR_NAME_KEY);
     String srvrCrtPass = configsMap.get(Configuration.SRVR_CRT_PASS_KEY);
 
     Object[] scriptArgs = {srvrCrtPass, srvrKstrDir, srvrKeyName,
-        srvrCrtName, kstrName};
+        srvrCrtName, kstrName, srvrCsrName};
 
     String command = MessageFormat.format(GEN_SRVR_KEY,scriptArgs);
     runCommand(command);
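Review bot: The new `SIGN_SRVR_CRT` passes the CA key passphrase as a plain argument via `-key {0}`, so it is readable by any local user through the process list for the lifetime of the `openssl ca` run; the `-passin pass:{0}` forms in `GEN_SRVR_REQ` and `EXPRT_KSTR` carry the same exposure, but this hunk adds a new instance rather than narrowing it. `openssl ca` accepts `-passin`, so a file- or environment-based source such as `-passin env:VAR` would keep the secret off the command line, provided `runCommand` (outside the hunk) can supply it. `openssl ca` also expects the `database` and `new_certs_dir` paths named in ca.config to exist before the first run; the test in this commit creates `index.txt` and `newcerts` by hand, which suggests `initRootCert` does not, so a fresh keys directory may fail at this command — confirm against the part of CertificateManager that prepares the directory. Finally, the new `srvrCsrName` line ends with a stray empty statement (`;;`); it should read `String srvrCsrName = configsMap.get(Configuration.SRVR_CSR_NAME_KEY);`.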

+ 0 - 24
ambari-server/src/main/resources/ca.config

@@ -1,24 +0,0 @@
-[ ca ]
-default_ca             = CA_CLIENT
-[ CA_CLIENT ]
-dir		                 = keystore/db
-certs                  = $dir/certs
-new_certs_dir          = $dir/newcerts
-
-database               = $dir/index.txt
-serial                 = $dir/serial
-default_days           = 365    
-
-default_crl_days       = 7  
-default_md             = md5 
-
-policy                 = policy_anything 
-
-[ policy_anything ]
-countryName            = optional
-stateOrProvinceName    = optional 
-localityName           = optional
-organizationName       = optional
-organizationalUnitName = supplied 
-commonName             = optional   
-emailAddress           = optional       

+ 29 - 12
ambari-server/src/test/java/org/apache/ambari/server/security/CertGenerationTest.java

@@ -23,7 +23,9 @@ import java.lang.reflect.Constructor;
 import java.util.Map;
 import java.util.Properties;
 
+import com.google.common.io.Files;
 import org.apache.ambari.server.configuration.Configuration;
+import org.apache.commons.io.IOUtils;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 import org.junit.After;
@@ -64,17 +66,16 @@ public class CertGenerationTest extends TestCase {
   
   protected Properties buildTestProperties() {
     try {
-		temp.create();
-	} catch (IOException e) {
-		e.printStackTrace();
-	}
-	Properties properties = new Properties();
-	properties.setProperty(Configuration.SRVR_KSTR_DIR_KEY, temp.getRoot().getAbsolutePath());
-	
-	
-	System.out.println(properties.get(Configuration.SRVR_CRT_PASS_KEY));
+      temp.create();
+    } catch (IOException e) {
+      e.printStackTrace();
+    }
+	  Properties properties = new Properties();
+	  properties.setProperty(Configuration.SRVR_KSTR_DIR_KEY,
+      temp.getRoot().getAbsolutePath());
+    System.out.println(properties.get(Configuration.SRVR_CRT_PASS_KEY));
 	
-	return properties;
+	  return properties;
   }
  
   protected Constructor<Configuration> getConfigurationConstructor() {
@@ -92,6 +93,24 @@ public class CertGenerationTest extends TestCase {
     injector = Guice.createInjector(new SecurityModule());
     certMan = injector.getInstance(CertificateManager.class);
 
+    //Test using actual ca.config.
+    try {
+      File caConfig = new File("conf/unix/ca.config");
+      File caConfigTest  =
+        new File(temp.getRoot().getAbsolutePath(), "ca.config");
+      File newCertsDir = new File(temp.getRoot().getAbsolutePath(), "newcerts");
+      newCertsDir.mkdirs();
+      File indexTxt = new File(temp.getRoot().getAbsolutePath(), "index.txt");
+      indexTxt.createNewFile();
+
+      String content = IOUtils.toString(new FileInputStream(caConfig));
+      content = content.replaceAll("/var/lib/ambari-server/keys/db", temp.getRoot().getAbsolutePath());
+      IOUtils.write(content, new FileOutputStream(caConfigTest));
+    } catch (IOException e) {
+      e.printStackTrace();
+      fail();
+    }
+
     certMan.initRootCert();
   }
 	
@@ -139,8 +158,6 @@ public class CertGenerationTest extends TestCase {
     //Emulate existing agent certificate
     File fakeAgentCertFile = new File(temp.getRoot().getAbsoluteFile() +
       File.separator + agentHostname + ".crt");
-    assertFalse(fakeAgentCertFile.exists());
-    fakeAgentCertFile.createNewFile();
     assertTrue(fakeAgentCertFile.exists());
 
     //Revoke command was executed
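Review bot: In the setup hunk the `FileInputStream` and `FileOutputStream` handed to `IOUtils.toString` and `IOUtils.write` are never closed and both use the platform default charset, while the `com.google.common.io.Files` import added in the first hunk is not used in any visible hunk even though its `Files.toString(File, Charset)` and `Files.write(CharSequence, File, Charset)` would close the streams for you. `content.replaceAll(...)` also treats `temp.getRoot().getAbsolutePath()` as a regex replacement string, so a temp path containing `$` or `\` is mangled — the literal `content.replace(...)` is what is meant. Suggested lines: `String content = Files.toString(caConfig, Charset.forName("UTF-8"));`, `content = content.replace("/var/lib/ambari-server/keys/db", temp.getRoot().getAbsolutePath());`, `Files.write(content, caConfigTest, Charset.forName("UTF-8"));` (with `java.nio.charset.Charset` imported). The `e.printStackTrace(); fail();` in the catch drops the cause from the test report; `fail(e.toString())` or letting `setUp` declare the exception keeps it. In the last hunk, removing `createNewFile()` while keeping `assertTrue(fakeAgentCertFile.exists())` means the "Emulate existing agent certificate" comment no longer describes what happens — the file must now be produced by an earlier step outside the hunk, which is worth confirming.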