Merge pull request #3 from MaastrichtUniversity/DHS-1044

Dhs 1044

Dockerfile

@@ -48,6 +48,18 @@ RUN ( yum clean all && rm -rf *.rpm )
 ADD config/davrods-vhost.conf /config/davrods-vhost.conf
 ADD config/irods_environment.json /config/irods_environment.json
 
+# Conditionally trust the custom DataHub Certificate Authority (CA) for iRODS-SSL-connections
+ADD config/test_only_dev_irods_dh_ca_cert.pem /tmp/test_only_dev_irods_dh_ca_cert.pem
+ARG SSL_ENV
+RUN if [[ $SSL_ENV != "acc" ]] && [[ $SSL_ENV != "prod" ]]; then \
+ echo "Adding custom DataHub iRODS-CA-certificate to the CA-rootstore (FOR DEV & TEST ONLY!)..." ; \
+ cp /tmp/test_only_dev_irods_dh_ca_cert.pem /etc/pki/ca-trust/source/anchors/test_only_dev_irods_dh_ca_cert.pem ; \
+ update-ca-trust ; \
+ echo "done!" ; \
+ else \
+ echo "Skipping update of the CA-rootstore" ; \
+ fi
+
 # start httpd
 COPY run-httpd.sh /opt/run-httpd.sh
 RUN ( chmod +x /opt/run-httpd.sh )

README.md

@@ -6,8 +6,8 @@ This is the Research IT version of Davrods. It is based on:
 ### Run instructions for docker-compose
 First, create an `.env` file in the root of your workdir, based on this example:
 ```
-ENV_DAVRODS_IRODS_VERSION=4.2.5
-ENV_DAVRODS_VERSION=4.2.5_1.4.2
+ENV_DAVRODS_IRODS_VERSION=4.2.6
+ENV_DAVRODS_VERSION=4.2.6_1.4.2
 ```
 
 Then add a `docker-compose.yml` file based on this example:
@@ -20,6 +20,7 @@ services:
  args:
  - ENV_DAVRODS_IRODS_VERSION
  - ENV_DAVRODS_VERSION
+ - SSL_ENV=prod # Whether to add our own CA-certificate to the CA-rootstore
 ```
 
 Edit the `config/davrods-vhost.conf` file and enter values that correspond to your iRODS environment. Especially look for these variables
@@ -35,4 +36,22 @@ Finally, build and run the container
 ```
 docker-compose build davrods
 docker-compose up -d davrods
+```
+
+### iRODS SSL/TLS
+Configure the client-side SSL setting by editing the `config/irods_environment.json` file.
+
+When connecting to iRODS servers that have SSL **disabled**:
+```
+ "irods_client_server_policy": "CS_NEG_REFUSE",
+```
+
+When connecting to iRODS servers that have SSL **enabled**:
+```
+ "irods_client_server_policy": "CS_NEG_REQUIRE",
+```
+
+Or, when you don't want to enforce this on the client side and just connect to whatever the server is offering, use:
+```
+ "irods_client_server_policy": "CS_NEG_DONT_CARE",
 ```

config/irods_environment.json

@@ -7,7 +7,7 @@
  "irods_user_name": "will_be_overwritten",
  "irods_zone_name": "will_be_overwritten",
  "irods_client_server_negotiation": "request_server_negotiation",
- "irods_client_server_policy": "CS_NEG_REFUSE",
+ "irods_client_server_policy": "CS_NEG_REQUIRE",
  "irods_encryption_key_size": 32,
  "irods_encryption_salt_size": 8,
  "irods_encryption_num_hash_rounds": 16,
@@ -21,5 +21,5 @@
  "irods_maximum_size_for_single_buffer_in_megabytes": 32,
  "irods_default_number_of_transfer_threads": 4,
  "irods_transfer_buffer_size_for_parallel_transfer_in_megabytes": 4,
- "irods_ssl_verify_server": "hostname"
-}
+ "irods_ssl_verify_server": "cert"
+}

config/test_only_dev_irods_dh_ca_cert.pem

@@ -0,0 +1,35 @@
+-----BEGIN CERTIFICATE-----
+MIIGGzCCBAMCFDGCc8JuG6jP6vpbhPlZ8EjymP6rMA0GCSqGSIb3DQEBCwUAMIHJ
+MQswCQYDVQQGEwJOTDEQMA4GA1UECAwHTGltYnVyZzETMBEGA1UEBwwKTWFhc3Ry
+aWNodDEeMBwGA1UECgwVTWFhc3RyaWNodCBVbml2ZXJzaXR5MSkwJwYDVQQLDCBU
+ZXN0aW5nIE9OTFkgRGV2ZWxvcG1lbnQgRGF0YUh1YjFIMEYGA1UEAww/VGVzdGlu
+ZyBPbmx5IERldmVsb3BtZW50IGlST0RTIERhdGFIdWIgTWFhc3RyaWNodCBVbml2
+ZXJzaXR5IENBMB4XDTIxMDkyNzIyMDczMFoXDTI1MDkyNjIyMDczMFowgckxCzAJ
+BgNVBAYTAk5MMRAwDgYDVQQIDAdMaW1idXJnMRMwEQYDVQQHDApNYWFzdHJpY2h0
+MR4wHAYDVQQKDBVNYWFzdHJpY2h0IFVuaXZlcnNpdHkxKTAnBgNVBAsMIFRlc3Rp
+bmcgT05MWSBEZXZlbG9wbWVudCBEYXRhSHViMUgwRgYDVQQDDD9UZXN0aW5nIE9u
+bHkgRGV2ZWxvcG1lbnQgaVJPRFMgRGF0YUh1YiBNYWFzdHJpY2h0IFVuaXZlcnNp
+dHkgQ0EwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQDEYmVB0Cr+Cm6w
+SKDMVLGkOUzhoPhZF5Kv9ToJTuq7zpTImULRurFndJuTrl2d24RW3vqvu0AHG03g
+O7ihxPF5Oxfl8fWJ+3IC4nD69fKd94QLdZyZtIk2fCeR1ygPNpK/K6wfFpkkKpH3
+DyOsCzuUuNvxVH4TsNnBX9QtoEtlbzG6vWOF8RzyIfPkbN9sBnhG5lQ/bnzeO9BZ
+k3E7LH3dkcNMc0h21OAP+mw/HzqP0T+B8s9AAFlwzvDLNLGHs4YXIIYIayF3c9kz
+9s0ep/G/2J8eIbXVaMvUTjdsqvkNA37KMzC4CbztjJ/+exAN3FS3ZyP3o+wWTNJN
+FV2zJWzOu0czIOzkLo9GHWBh8A7mb8OxRSzcDidZ9wUMI2zQrgiS9AP5oZAwKPT5
+nXlo+nF16WmbymwZChIMuygazY6dQGFJqPeNA+c8juvraH8hZKHcZ/pe6mods45M
+81f1PQddg3Lac38vmwD1rm1E1HC5Zmwibjpe+Nu5qpL7gg0hvp/pdQ9DUAdneDST
+e3M7/nSwZOtpcAqNS71MlwmzC966US5McdLCglEpH+ifIWM+p7ensIBCDLsQlCrI
+nAngdGFgzYeOU1ivuGkWowfhz4P4IImlahgZudL9S1D7F3SF3CJj0XyckxLLs6QL
+Vi/jcM2PNaUYm62MieEFE5sPzOukvQIDAQABMA0GCSqGSIb3DQEBCwUAA4ICAQA1
+cc34RDwSP22g4UVQRySXQWT578lPmUXbkcy68gv0GDn8Ljvehgl5VXY3A1Bp395k
+TjSL23YZFmrLIayhCbej5UG3+CMf4jfiZQ+kcQpeRljlDbamLOf4ZaI4XGIAlrzW
+pQQ2bSKWB/S0e1f1B3gV7mjtJ4LAJrIQIdn8704fV5vjkubf5X7mflPRq55n4X7Q
+aCs70heuACWqGrqgZbNkz21Jlvov8BOw3aqlWL2z3jhIXJns8SLCATzj20MtPrzr
+2A1kG+j1OYdTeqhlyMqPEah3KOGRqv6EJKpV+qBmbQHPXL1wzmHUlmd23HRM1/D+
+3glx2eZ1H6dH2dUELsXfa+FcR30wPKdlYwVQG1kFEuoEF47as7lIlPTs9VtoOlUg
+9ouRFtDopYMTODGndte4OtMARuW8cXiVmCWNAMNEvtbvo3KFgj5xMw1GboyLH+wb
+eD//PnyM914Ut/r3z0nm9bjhj/VH1vxH3VVGzuDJoRZb0AIiCbFu8urpK/6W6hMM
+f7byAvhKxqrmrNZxooCeJXCFuGtd5AxwNTJ4RghIdGY16P1pYdmpYl24xZqCYL5o
+syahAFMSKl7pyJ6O47aEVYtKPaNGqoaQeQLfsW0NgxO8IuGaZeKnwxGVx6s5tQ1U
+JL/uyObGbYmbvaFDQpEZy7Nhg+Do9B8J1iwzYCtaBA==
+-----END CERTIFICATE-----