diff --git a/src/certificate/create-leaf-bsm-lab-postgres.md b/src/certificate/create-leaf-bsm-lab-postgres.md
index 92363ed..7d58214 100644
--- a/src/certificate/create-leaf-bsm-lab-postgres.md
+++ b/src/certificate/create-leaf-bsm-lab-postgres.md
@@ -116,3 +116,66 @@ openssl pkcs12 -export -inkey dfxagent-bsm-lab-postgres.key -in dfxagent-bsm-lab Enter Export Password: 백세민1! --- + +# TLS 적용시 실행환경에 옵션 추가 필요 + +## 1) java 옵션 설정 + +### 필수 옵션 +``` + -Djavax.net.ssl.trustStore="D:\projects\bsm-lab\dfx\dfxagent\src\docs\agent-bsm-lab-postgres\cert\truststore-merged.jks" + -Djavax.net.ssl.trustStorePassword=changeit + -Djavax.net.ssl.keyStore="D:\projects\bsm-lab\dfx\dfxagent\src\docs\agent-bsm-lab-postgres\cert\dfxagent-bsm-lab-postgres.p12" + -Djavax.net.ssl.keyStorePassword=qortpals1! + -Djavax.net.ssl.keyStoreType=PKCS12 +``` + +### 메모리 설정, 디버그 등 선택 옵션 +``` + -Dfile.encoding=UTF-8 -Xms2048m -Xmx8192m -XshowSettings:properties + -Djavax.net.debug=ssl,handshake,trustmanager +``` + +> 주의할 점 : -jar 옵션 앞에 위치하여야 함 + +## 2) 실행 스크립트 + +### 2-1) linux 환경 +```bash +#!/bin/sh +AGENT_HOME=/home/dfxagent/agent +JAVA_OPTS="-Xms2048m -Xmx8192m" +TLS_OPTS="-Djavax.net.ssl.trustStore=$AGENT_HOME/cert/truststore-merged.jks -Djavax.net.ssl.trustStorePassword=changeit -Djavax.net.ssl.keyStore=$AGENT_HOME/cert/dfxagent-tuf-a15-defree-oracle.p12 -Djavax.net.ssl.keyStorePassword=qortpals1! -Djavax.net.ssl.keyStoreType=PKCS12" +TODAY=$(date "+%Y%m%d") +#java -jar $AGENT_HOME/lib/dfxagent.jar -Xms2048m -Xmx8192m --setting.file=$AGENT_HOME/conf/settings.json & +java -XX:TieredStopAtLevel=1 $JAVA_OPTS $TLS_OPTS -jar $AGENT_HOME/lib/dfxagent.jar -Xms2048m -Xmx8192m --setting.file=$AGENT_HOME/conf/settings.json & +#JDK: Red Hat OpenJDK 17.0.11+9 (LTS), OS: Rocky Linux 8.10 사용 중 하기의 오류 발생 -> -XX:TieredStopAtLevel=1 추가 (C1만 사용하여 C2 비활성화) +#크래시 시그널: SIGSEGV +#문제 프레임: PhaseOutput::BuildOopMaps() (HotSpot C2 JIT 내부) +#크래시 스레드: "C2 CompilerThread2" (JIT 컴파일러 스레드) +#크래시 직전 컴파일 중이던 메서드: C2: ... org.springframework.boot.loader.net.protocol.jar.Handler::openConnection (5 bytes) +``` + +### 2-2) windows 환경 +```cmd +@echo off +setlocal + +REM Update this path for your Windows environment. 
+set "JAVA_HOME=C:\Program Files\Java\jdk-17" +set "AGENT_HOME=D:\projects\bsm-lab\dfx\dfxagent\src\docs\agent-bsm-lab-postgres" +set "JAVA_OPTS= -Dfile.encoding=UTF-8 -Xms2048m -Xmx8192m -XshowSettings:properties" +set "TLS_OPTS= -Djavax.net.debug=ssl,handshake,trustmanager -Djavax.net.ssl.trustStore="%AGENT_HOME%\cert\truststore-merged.jks" -Djavax.net.ssl.trustStorePassword=changeit -Djavax.net.ssl.keyStore="%AGENT_HOME%\cert\dfxagent-bsm-lab-postgres.p12" -Djavax.net.ssl.keyStorePassword=qortpals1! -Djavax.net.ssl.keyStoreType=PKCS12" + +for /f %%i in ('powershell -NoProfile -Command "Get-Date -Format yyyyMMdd"') do set "TODAY=%%i" + +chcp 65001 +REM 콘솔 출력이 필요한 경우 아래의 명령으로 실행 +REM start "" cmd /c ""%JAVA_HOME%\bin\java.exe" %JAVA_OPTS% %TLS_OPTS% -jar "%AGENT_HOME%\..\..\..\build\libs\dfxagent-1.0.9.jar" --setting.file="%AGENT_HOME%\conf\dfxagent-bsm-lab-postgres.json" 1>>"dfxagent-bsm-lab-postgres-console-debug-%TODAY%.log" 2>&1" +REM 일반적으로 실행할 경우 아래의 명령으로 실행 +start "" "%JAVA_HOME%\bin\java.exe" %JAVA_OPTS% %TLS_OPTS% -jar "%AGENT_HOME%\..\..\..\build\libs\dfxagent-1.0.9.jar" --setting.file="%AGENT_HOME%\conf\dfxagent-bsm-lab-postgres.json" 2>&1 + +endlocal +``` + +--- \ No newline at end of file diff --git a/src/certificate/create-leaf-tuf-a15-defree-oracle.md b/src/certificate/create-leaf-tuf-a15-defree-oracle.md index eaee84b..8da0362 100644 --- a/src/certificate/create-leaf-tuf-a15-defree-oracle.md +++ b/src/certificate/create-leaf-tuf-a15-defree-oracle.md 
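Review bot: The Linux script in section 2-1 points the keystore at `$AGENT_HOME/cert/dfxagent-tuf-a15-defree-oracle.p12`, while the java-option block and the Windows script in the same file use `dfxagent-bsm-lab-postgres.p12`; this looks copied from the oracle document and would present the wrong client certificate, so the line should read `-Djavax.net.ssl.keyStore=$AGENT_HOME/cert/dfxagent-bsm-lab-postgres.p12`. The active `java` line in that script also repeats `-Xms2048m -Xmx8192m` after `-jar`, where they are handed to the application as arguments rather than to the JVM, contradicting the file's own note that options must precede `-jar`; drop the duplicate after the jar path. Passing `javax.net.ssl.keyStorePassword`/`trustStorePassword` as `-D` properties makes them visible in the process list, and the optional `-XshowSettings:properties` flag in section 1 prints every system property to stderr, which the Windows script redirects into the log, so a remark that `-XshowSettings:properties` must not be combined with the password properties (or that the passwords be supplied from a file or environment instead) would help. The same duplicated memory flags and password-exposure points apply to the hunk in create-leaf-tuf-a15-defree-oracle.md.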
@@ -117,3 +117,65 @@ Enter Export Password: 백세민1! --- +# TLS 적용시 실행환경에 옵션 추가 필요 + +## 1) java 옵션 설정 + +### 필수 옵션 +``` + -Djavax.net.ssl.trustStore="D:\projects\bsm-lab\dfx\dfxagent\src\docs\agent-tuf-a15-defree-oracle\cert\truststore-merged.jks" + -Djavax.net.ssl.trustStorePassword=changeit + -Djavax.net.ssl.keyStore="D:\projects\bsm-lab\dfx\dfxagent\src\docs\agent-tuf-a15-defree-oracle\cert\dfxagent-tuf-a15-defree-oracle.p12" + -Djavax.net.ssl.keyStorePassword=qortpals1! + -Djavax.net.ssl.keyStoreType=PKCS12 +``` + +### 메모리 설정, 디버그 등 선택 옵션 +``` + -Dfile.encoding=UTF-8 -Xms2048m -Xmx8192m -XshowSettings:properties + -Djavax.net.debug=ssl,handshake,trustmanager +``` + +> 주의할 점 : -jar 옵션 앞에 위치하여야 함 + +## 2) 실행 스크립트 + +### 2-1) linux 환경 +```bash +#!/bin/sh +AGENT_HOME=/home/dfxagent/agent +JAVA_OPTS="-Xms2048m -Xmx8192m" +TLS_OPTS="-Djavax.net.ssl.trustStore=$AGENT_HOME/cert/truststore-merged.jks -Djavax.net.ssl.trustStorePassword=changeit -Djavax.net.ssl.keyStore=$AGENT_HOME/cert/dfxagent-tuf-a15-defree-oracle.p12 -Djavax.net.ssl.keyStorePassword=qortpals1! -Djavax.net.ssl.keyStoreType=PKCS12" +TODAY=$(date "+%Y%m%d") +#java -jar $AGENT_HOME/lib/dfxagent.jar -Xms2048m -Xmx8192m --setting.file=$AGENT_HOME/conf/settings.json & +java -XX:TieredStopAtLevel=1 $JAVA_OPTS $TLS_OPTS -jar $AGENT_HOME/lib/dfxagent.jar -Xms2048m -Xmx8192m --setting.file=$AGENT_HOME/conf/settings.json & +#JDK: Red Hat OpenJDK 17.0.11+9 (LTS), OS: Rocky Linux 8.10 사용 중 하기의 오류 발생 -> -XX:TieredStopAtLevel=1 추가 (C1만 사용하여 C2 비활성화) +#크래시 시그널: SIGSEGV +#문제 프레임: PhaseOutput::BuildOopMaps() (HotSpot C2 JIT 내부) +#크래시 스레드: "C2 CompilerThread2" (JIT 컴파일러 스레드) +#크래시 직전 컴파일 중이던 메서드: C2: ... org.springframework.boot.loader.net.protocol.jar.Handler::openConnection (5 bytes) +``` + +### 2-2) windows 환경 +```cmd +@echo off +setlocal + +REM Update this path for your Windows environment. 
+set "JAVA_HOME=C:\Program Files\Java\jdk-17" +set "AGENT_HOME=D:\projects\bsm-lab\dfx\dfxagent\src\docs\agent-tuf-a15-defree-oracle" +set "JAVA_OPTS= -Dfile.encoding=UTF-8 -Xms2048m -Xmx8192m -XshowSettings:properties" +set "TLS_OPTS= -Djavax.net.debug=ssl,handshake,trustmanager -Djavax.net.ssl.trustStore="%AGENT_HOME%\cert\truststore-merged.jks" -Djavax.net.ssl.trustStorePassword=changeit -Djavax.net.ssl.keyStore="%AGENT_HOME%\cert\dfxagent-tuf-a15-defree-oracle.p12" -Djavax.net.ssl.keyStorePassword=qortpals1! -Djavax.net.ssl.keyStoreType=PKCS12" + +for /f %%i in ('powershell -NoProfile -Command "Get-Date -Format yyyyMMdd"') do set "TODAY=%%i" + +chcp 65001 +REM 콘솔 출력이 필요한 경우 아래의 명령으로 실행 +REM start "" cmd /c ""%JAVA_HOME%\bin\java.exe" %JAVA_OPTS% %TLS_OPTS% -jar "%AGENT_HOME%\..\..\..\build\libs\dfxagent-1.0.9.jar" --setting.file="%AGENT_HOME%\conf\dfxagent-bsm-lab-postgres.json" 1>>"dfxagent-bsm-lab-postgres-console-debug-%TODAY%.log" 2>&1" +REM 일반적으로 실행할 경우 아래의 명령으로 실행 +start "" "%JAVA_HOME%\bin\java.exe" %JAVA_OPTS% %TLS_OPTS% -jar "%AGENT_HOME%\..\..\..\build\libs\dfxagent-1.0.9.jar" --setting.file="%AGENT_HOME%\conf\dfxagent-bsm-lab-postgres.json" 2>&1 + +endlocal +``` + +--- \ No newline at end of file diff --git a/src/certificate/create-rootca.md b/src/certificate/create-rootca.md index fac5518..c55fb76 100644 --- a/src/certificate/create-rootca.md +++ b/src/certificate/create-rootca.md 
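Review bot: The Windows script in section 2-2 of this oracle document starts the agent with `--setting.file="%AGENT_HOME%\conf\dfxagent-bsm-lab-postgres.json"` and, in the commented debug variant, logs to `dfxagent-bsm-lab-postgres-console-debug-%TODAY%.log`, while `AGENT_HOME` and the keystore in the same block are the `agent-tuf-a15-defree-oracle` ones; the settings file and log name appear copied from the postgres document and would load the wrong agent configuration. The two lines should reference the oracle settings file, e.g. `--setting.file="%AGENT_HOME%\conf\dfxagent-tuf-a15-defree-oracle.json"` (exact file name to be confirmed against the conf directory).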
@@ -110,13 +110,17 @@ type ..\intermediate\intermediate-kdn.crt rootca-kdn.crt > ..\intermediate\ca-ch --- -## 3) (클라이언트 검증용) truststore 만들기 - JKS truststore +## 3) 공인 CA + (클라이언트 검증용) truststore 만들기 - JKS truststore ```bash cd ../intermediate -keytool -importcert -alias dfxagent-kdn -file ca-chain-kdn.crt -keystore truststore-dfxagent-kdn.jks -storepass qortpals1! -noprompt +cp $JAVA_HOME/lib/security/cacerts truststore-public.jks +cp truststore-public.jks truststore-merged.jks +keytool -importcert -alias dfxagent-kdn -file ca-chain-kdn.crt -keystore truststore-merged.jks -storepass changeit -noprompt ``` +console 등 공인 CA를 사용할 수도 있기 때문에 jdk에 포함된 CA truststore에 생성한 keystore 추가함(cacerts + --- ## 4) 다음 단계(참고): leaf(에이전트/웹서버) 발급은 Intermediate로 diff --git a/src/main/java/com/bsmlab/dfx/agent/config/AgentConfigDto.java b/src/main/java/com/bsmlab/dfx/agent/config/AgentConfigDto.java index 3a579f7..11769c1 100644 --- a/src/main/java/com/bsmlab/dfx/agent/config/AgentConfigDto.java +++ b/src/main/java/com/bsmlab/dfx/agent/config/AgentConfigDto.java @@ -12,11 +12,6 @@ public class AgentConfigDto { private String myHostName; private int myListenPort; private boolean sslEnabled; - private String keyStorePath; - private String keyStorePassword; - private String keyStoreAlias; - private String trustStorePath; - private String trustStorePassword; private List knownAgentList; private StatusChecker statusChecker; private List dataSourceConfig;
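Review bot: The explanatory sentence added after the code block in section 3 ends mid-parenthesis (`...생성한 keystore 추가함(cacerts`) and is also imprecise, since the `keytool -importcert` line imports the CA chain certificate, not a keystore; it should be completed and reworded to say the intermediate/root chain is added to a copy of the JDK's `cacerts`. The `cp $JAVA_HOME/lib/security/cacerts truststore-public.jks` step snapshots the JDK's public CA bundle at copy time, so `truststore-merged.jks` will no longer follow JDK CA updates and needs regenerating after JDK upgrades; a one-line note to that effect would help, and `"$JAVA_HOME"` should be quoted in the snippet. On recent JDKs `cacerts` is presumably not in JKS format even though keytool reads it transparently, so the `.jks` suffix and the "JKS truststore" heading may be misleading — worth confirming.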