Skip to content

Commit 2151efa

Browse files
Docker SSI: Fix websphere weblog (#7218)
1 parent 7c08584 commit 2151efa

2 files changed

Lines changed: 45 additions & 1 deletion

File tree

Lines changed: 42 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,42 @@
1+
#!/bin/bash
2+
# Re-issue the WebSphere SOAP/SSL personal certificate during the image build.
3+
#
4+
# The base image ships a self-signed "default" certificate with a 1-year
5+
# validity. Once it expires, the wsadmin SOAP-over-SSL handshake fails with
6+
# "PKIX path building failed: unable to find valid certification path to
7+
# requested target" and the application deployment cannot run. We re-issue the
8+
# certificate signed by the existing (long-lived, ~2040) root CA so the client
9+
# truststore keeps trusting it without any further changes.
10+
set -euo pipefail
11+
12+
WAS=/opt/IBM/WebSphere/AppServer
13+
KT="${WAS}/java/8.0/bin/keytool"
14+
CFG="${WAS}/profiles/AppSrv01/config/cells/DefaultCell01/nodes/DefaultNode01"
15+
PW=WebAS
16+
# keytool requires new key passwords to be at least 6 chars, but the WebSphere
17+
# keystore password is 5 chars, so we mint the key in a temp store first.
18+
TMP=changeit
19+
DN="CN=localhost,OU=DefaultCell01,OU=DefaultNode01,O=IBM,C=US"
20+
NEW=/tmp/new_default.p12
21+
22+
"${KT}" -genkeypair -alias default -dname "${DN}" -keyalg RSA -keysize 2048 \
23+
-sigalg SHA256withRSA -validity 7300 -keystore "${NEW}" -storepass "${TMP}" \
24+
-keypass "${TMP}" -storetype PKCS12
25+
"${KT}" -certreq -alias default -keystore "${NEW}" -storepass "${TMP}" \
26+
-file /tmp/default.csr
27+
"${KT}" -gencert -alias root -keystore "${CFG}/root-key.p12" -storepass "${PW}" \
28+
-storetype PKCS12 -infile /tmp/default.csr -outfile /tmp/default.cer \
29+
-validity 7300 -sigalg SHA256withRSA -rfc
30+
"${KT}" -exportcert -alias root -keystore "${CFG}/root-key.p12" -storepass "${PW}" \
31+
-storetype PKCS12 -rfc -file /tmp/root.cer
32+
"${KT}" -importcert -noprompt -alias root -file /tmp/root.cer -keystore "${NEW}" \
33+
-storepass "${TMP}" -storetype PKCS12
34+
"${KT}" -importcert -noprompt -alias default -file /tmp/default.cer -keystore "${NEW}" \
35+
-storepass "${TMP}" -storetype PKCS12
36+
"${KT}" -delete -alias default -keystore "${CFG}/key.p12" -storepass "${PW}" \
37+
-storetype PKCS12 || true
38+
"${KT}" -importkeystore -noprompt -srckeystore "${NEW}" -srcstorepass "${TMP}" \
39+
-srcstoretype PKCS12 -srcalias default -destkeystore "${CFG}/key.p12" \
40+
-deststorepass "${PW}" -destkeypass "${PW}" -deststoretype PKCS12 -destalias default
41+
42+
echo "WebSphere SOAP/SSL certificate re-issued (signed by existing root CA)."

utils/build/ssi/java/websphere-app.Dockerfile

Lines changed: 3 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -11,7 +11,9 @@ RUN ln -s /opt/IBM/WebSphere/AppServer/java/8.0/bin/java /usr/bin/java
1111
COPY --from=build app/ee-app-ear/target/ee-app.ear /tmp/
1212
COPY utils/build/ssi/java/resources/common/netstat.sh /tmp/
1313
COPY utils/build/ssi/java/resources/websphere-app/ws_deploy.jacl /tmp/
14-
RUN /bin/bash -c '/work/start_server.sh &' && \
14+
COPY utils/build/ssi/java/resources/websphere-app/renew_cert.sh /tmp/
15+
RUN /bin/bash /tmp/renew_cert.sh && \
16+
/bin/bash -c '/work/start_server.sh &' && \
1517
/bin/bash -c 'while ! /tmp/netstat.sh | grep ":9043"; do sleep 1; done' && \
1618
/bin/bash -c 'yes | /opt/IBM/WebSphere/AppServer/bin/wsadmin.sh -f /tmp/ws_deploy.jacl -user wsadmin -password $(cat /tmp/PASSWORD) -lang jacl' && \
1719
/bin/bash -c '/opt/IBM/WebSphere/AppServer/bin/stopServer.sh server1 -user wsadmin -password $(cat /tmp/PASSWORD)'

0 commit comments

Comments
 (0)