#!/bin/sh
################################################################################
# This program and the accompanying materials are made available under the terms of the
# Eclipse Public License v2.0 which accompanies this distribution, and is available at
# https://www.eclipse.org/legal/epl-v20.html
#
# SPDX-License-Identifier: EPL-2.0
#
# Copyright IBM Corporation 2021
################################################################################
# Variables required on shell:
# - JAVA_HOME
# - ZWE_STATIC_DEFINITIONS_DIR
# - ZWE_zowe_certificate_keystore_alias - The default alias of the key within the keystore
# - ZWE_zowe_certificate_keystore_file - The default keystore to use for SSL certificates
# - ZWE_zowe_certificate_keystore_password - The default password to access the keystore supplied by KEYSTORE
# - ZWE_zowe_certificate_truststore_file
# - ZWE_zowe_job_prefix
# - ZWE_zowe_logDirectory
# Optional variables:
# - CMMN_LB
# - LIBPATH
# - LIBRARY_PATH
# - ZWE_components_discovery_port - the port the discovery service will use
# - ZWE_components_gateway_apiml_security_authorization_endpoint_enabled
# - ZWE_components_gateway_apiml_security_authorization_endpoint_url
# - ZWE_components_gateway_apiml_security_authorization_provider
# - ZWE_components_gateway_apiml_security_authorization_resourceClass
# - ZWE_components_gateway_port - the port the api gateway service will use
# - ZWE_configs_server_ssl_enabled
# - ZWE_configs_heap_max
# - ZWE_configs_heap_init
# - ZWE_configs_certificate_keystore_alias - The alias of the key within the keystore
# - ZWE_configs_certificate_keystore_file - The keystore to use for SSL certificates
# - ZWE_configs_certificate_keystore_password - The password to access the keystore supplied by KEYSTORE
# - ZWE_configs_certificate_keystore_type - The keystore type to use for SSL certificates
# - ZWE_configs_certificate_truststore_file
# - ZWE_configs_certificate_truststore_type
# - ZWE_configs_debug
# - ZWE_configs_port - the port the api catalog service will use
# - ZWE_configs_spring_profiles_active
# - ZWE_DISCOVERY_SERVICES_LIST
# - ZWE_GATEWAY_HOST
# - ZWE_zowe_network_server_tls_attls
# - ZWE_haInstance_hostname
# - ZWE_zowe_certificate_keystore_type - The default keystore type to use for SSL certificates
# - ZWE_zowe_verifyCertificates - if we accept only verified certificates
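# Locate the API Catalog jar: under ${LAUNCH_COMPONENT} when the launcher
# provides it, otherwise under ./bin of the current working directory.
if [ -n "${LAUNCH_COMPONENT}" ]; then
  JAR_FILE="${LAUNCH_COMPONENT}/api-catalog-services-lite.jar"
else
  JAR_FILE="$(pwd)/bin/api-catalog-services-lite.jar"
fi
# The expansion stays inside the quotes so that a path containing whitespace
# or glob characters is logged exactly as it is later passed to java.
echo "jar file: ${JAR_FILE}"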
# Both defaults are relative paths, so the script assumes its working
# directory is the catalog component directory.
# CMMN_LB, when non-empty, replaces the default common library jar (the value
# ends up in -Dloader.path).
COMMON_LIB=${CMMN_LB:-"../apiml-common-lib/bin/api-layer-lite-lib-all.jar"}
# A LIBRARY_PATH supplied by the caller is kept unchanged.
LIBRARY_PATH=${LIBRARY_PATH:-"../common-java-lib/bin/"}
# Debug mode adds the "debug" Spring profile to the profiles that are already
# configured; a comma is inserted only when the list is not empty.
if [ "${ZWE_configs_debug}" = "true" ]; then
  ZWE_configs_spring_profiles_active="${ZWE_configs_spring_profiles_active:+${ZWE_configs_spring_profiles_active},}debug"
fi
# FIXME: APIML_DIAG_MODE_ENABLED is not officially mentioned. We can still use it behind the scene,
# or we can define configs.diagMode in manifest, then use "$ZWE_configs_diagMode".
# if [[ ! -z "${APIML_DIAG_MODE_ENABLED}" ]]
# then
# if [ -n "${ZWE_configs_spring_profiles_active}" ];
# then
# ZWE_configs_spring_profiles_active="${ZWE_configs_spring_profiles_active},"
# fi
# ZWE_configs_spring_profiles_active="${ZWE_configs_spring_profiles_active}diag"
# fi
# NOTE: ZWEAD_EXTERNAL_STATIC_DEF_DIRECTORIES is not defined in Zowe level any more, never heard anyone use it.
# will just use $ZWE_STATIC_DEFINITIONS_DIR directly.
# If set append $ZWEAD_EXTERNAL_STATIC_DEF_DIRECTORIES to $ZWE_STATIC_DEFINITIONS_DIR
# export APIML_STATIC_DEF=${ZWE_STATIC_DEFINITIONS_DIR}
# if [[ ! -z "$ZWEAD_EXTERNAL_STATIC_DEF_DIRECTORIES" ]]
# then
# export APIML_STATIC_DEF="${APIML_STATIC_DEF};${ZWEAD_EXTERNAL_STATIC_DEF_DIRECTORIES}"
# fi
# With uniqueCookie enabled the authentication cookie name is suffixed with
# ZWE_zowe_cookieIdentifier, so each instance uses its own cookie. In every
# other case cookieName is left untouched and the launch command applies its
# own default name.
case "${ZWE_components_gateway_apiml_security_auth_uniqueCookie}" in
  true)
    cookieName="apimlAuthenticationToken.${ZWE_zowe_cookieIdentifier}"
    ;;
esac
# Translate ZWE_zowe_verifyCertificates (compared case-insensitively) into the
# two flags handed to the service:
#   DISABLED  -> verification off, non-strict flag on
#   NONSTRICT -> verification on,  non-strict flag on
#   otherwise -> STRICT (also used when the variable is unset or misspelled):
#                verification on, non-strict flag off
verify_certificates_config=$(echo "${ZWE_zowe_verifyCertificates}" | tr '[:lower:]' '[:upper:]')
case "${verify_certificates_config}" in
  DISABLED)
    # With verification off the certificate a service presents is not
    # checked, so the peer's identity is not authenticated.
    verifySslCertificatesOfServices=false
    nonStrictVerifySslCertificatesOfServices=true
    ;;
  NONSTRICT)
    # NOTE(review): presumably relaxes part of the certificate check (such as
    # host name matching) - confirm against the API ML documentation.
    verifySslCertificatesOfServices=true
    nonStrictVerifySslCertificatesOfServices=true
    ;;
  *)
    verifySslCertificatesOfServices=true
    nonStrictVerifySslCertificatesOfServices=false
    ;;
esac
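# Console log charset: UTF-8, except on z/OS with Java 21 or newer, where
# IBM-1047 is used instead.
ZOWE_CONSOLE_LOG_CHARSET=UTF-8
if [ "$(uname)" = "OS/390" ]; then
  QUICK_START=-Xquickstart
  # The class-file major version of java.lang.String tells which Java release
  # is installed under JAVA_HOME. The path is quoted so a JAVA_HOME containing
  # whitespace still resolves to one command word.
  JAVA_VERSION=$("${JAVA_HOME}/bin/javap" -verbose java.lang.String \
    | grep "major version" \
    | cut -d " " -f5)
  # Compare only when javap produced a plain number: an empty or non-numeric
  # value (javap missing, unexpected output) would otherwise make the numeric
  # test abort with a shell error. In that case UTF-8 is kept.
  case "${JAVA_VERSION}" in
    "" | *[!0-9]*) ;;
    *)
      if [ "${JAVA_VERSION}" -ge 65 ]; then # major version 65 = Java 21
        ZOWE_CONSOLE_LOG_CHARSET=IBM-1047
      fi
      ;;
  esac
fi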
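# Extend LIBPATH (later passed as -Djava.library.path) with the system library
# directories, the JVM directories under JAVA_HOME and LIBRARY_PATH.
#
# Entries are joined so that no empty element is produced: appending with a
# bare ':' to an unset LIBPATH yields a leading ':', and an empty path element
# is commonly resolved by library loaders as the current working directory,
# which would let a library placed there be picked up first.
for libpath_entry in \
  "/lib" \
  "/usr/lib" \
  "${JAVA_HOME}/bin" \
  "${JAVA_HOME}/bin/classic" \
  "${JAVA_HOME}/bin/j9vm" \
  "${JAVA_HOME}/lib/s390x/classic" \
  "${JAVA_HOME}/lib/s390x/default" \
  "${JAVA_HOME}/lib/s390x/j9vm" \
  "${LIBRARY_PATH}"; do
  # Only LIBRARY_PATH can be empty here; skipping it avoids a trailing ':'.
  [ -n "${libpath_entry}" ] || continue
  LIBPATH="${LIBPATH:+${LIBPATH}:}${libpath_entry}"
done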
# JVM --add-opens options, one per line. The variable is expanded unquoted on
# the java command line so that every line becomes a separate argument.
# Each option opens the named java.base package to all code on the class path
# (ALL-UNNAMED), which relaxes the module system's encapsulation for it.
ADD_OPENS=$(printf '%s=ALL-UNNAMED\n' \
  --add-opens=java.base/java.lang \
  --add-opens=java.base/java.lang.invoke \
  --add-opens=java.base/java.nio.channels.spi \
  --add-opens=java.base/java.util \
  --add-opens=java.base/java.util.concurrent \
  --add-opens=java.base/javax.net.ssl \
  --add-opens=java.base/sun.nio.ch \
  --add-opens=java.base/java.io)
# AT-TLS switches: each flag is "true" only when the matching Zowe network
# setting is exactly "true", otherwise "false".
if [ "${ZWE_zowe_network_server_tls_attls}" = "true" ]; then
  ATTLS_ENABLED="true"
else
  ATTLS_ENABLED="false"
fi
if [ "${ZWE_zowe_network_client_tls_attls}" = "true" ]; then
  ATTLS_CLIENT_ENABLED="true"
else
  ATTLS_CLIENT_ENABLED="false"
fi

# With server-side AT-TLS the service's own TLS is switched off and the
# "attls" Spring profile is appended to the active profiles.
# NOTE(review): encryption of inbound traffic then depends entirely on the
# AT-TLS policy covering this port - confirm the policy before enabling.
if [ "${ATTLS_ENABLED}" = "true" ]; then
  ZWE_configs_server_ssl_enabled="false"
  ZWE_configs_spring_profiles_active="${ZWE_configs_spring_profiles_active:+${ZWE_configs_spring_profiles_active},}attls"
fi
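# Scheme of the externally advertised URL: https when the service terminates
# TLS itself (the default) or when server-side AT-TLS is on, http otherwise.
# Two separate tests joined with || replace the obsolescent "-o" operator,
# whose parsing is not well defined for unusual operand values.
if [ "${ZWE_configs_server_ssl_enabled:-true}" = "true" ] || [ "${ATTLS_ENABLED}" = "true" ]; then
  externalProtocol="https"
else
  externalProtocol="http"
fi

# Scheme used for calls to other API ML services and the discovery URL list,
# which defaults to the local discovery service over https.
internalProtocol="https"
ZWE_DISCOVERY_SERVICES_LIST=${ZWE_DISCOVERY_SERVICES_LIST:-"https://${ZWE_haInstance_hostname:-localhost}:${ZWE_components_discovery_port:-7553}/eureka/"}

# With client-side AT-TLS the application speaks plain http and every https://
# discovery URL is rewritten accordingly.
# NOTE(review): these connections are only encrypted if the AT-TLS policy
# covers them; without a matching outbound rule the traffic is cleartext.
if [ "${ATTLS_CLIENT_ENABLED}" = "true" ]; then
  # The stray "=" inside the original expansion (${VAR=}) had no effect because
  # the variable is always set at this point; it is dropped.
  ZWE_DISCOVERY_SERVICES_LIST=$(echo "${ZWE_DISCOVERY_SERVICES_LIST}" | sed -e 's|https://|http://|g')
  internalProtocol="http"
fi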
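#######################################
# Resolve the configured minimum or maximum TLS version for one side.
# The component-level variable ZWE_configs_zowe_network_<target>_tls_<type>Tls
# wins over the Zowe-level ZWE_zowe_network_<target>_tls_<type>Tls, which wins
# over the supplied default.
# Globals:   enabled_protocol_limit (written); target, type, default,
#            key_component, key_zowe, value_component, value_zowe (written,
#            as POSIX sh has no local variables)
# Arguments: $1 - target, e.g. "server" or "client"
#            $2 - type, "min" or "max"
#            $3 - value to use when neither variable is set
# Returns:   0 normally; 1 when $1/$2 do not form a valid variable name, in
#            which case enabled_protocol_limit is set to the default
#######################################
get_enabled_protocol_limit() {
  target=$1
  type=$2
  default=$3
  key_component="ZWE_configs_zowe_network_${target}_tls_${type}Tls"
  key_zowe="ZWE_zowe_network_${target}_tls_${type}Tls"

  # The names are handed to eval below, so they must consist of identifier
  # characters only. Anything else cannot name a variable anyway and would
  # otherwise be parsed by eval as shell syntax.
  case "${key_component}${key_zowe}" in
    *[!A-Za-z0-9_]*)
      echo "get_enabled_protocol_limit: invalid variable name for target '${target}', type '${type}'" >&2
      value_component=
      value_zowe=
      enabled_protocol_limit=${default}
      return 1
      ;;
  esac

  # Indirect lookup by assignment inside eval: the value is copied verbatim,
  # without the word splitting and globbing that "eval echo \$name" applies.
  eval "value_component=\${${key_component}:-}"
  eval "value_zowe=\${${key_zowe}:-}"
  enabled_protocol_limit=${value_component:-${value_zowe:-${default}}}
}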
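#######################################
# Print the part of a string that lies between two markers.
# Everything up to and including the last "<start>," is dropped, then
# everything from the first "<end>" onwards. A marker that does not occur
# leaves that side of the string untouched.
# The markers are matched literally: they are not interpolated into a sed
# expression, so characters such as "." in "TLSv1.2" cannot act as regex
# wildcards and "/" or "*" cannot break or alter the expression.
# Globals:   extract_between_rest, extract_between_result (written)
# Arguments: $1 - string to cut, $2 - start marker, $3 - end marker
# Outputs:   the remaining text on stdout, followed by a newline
#######################################
extract_between() {
  # Quoting the marker inside the expansion makes the shell treat it as a
  # literal string rather than a glob pattern.
  extract_between_rest=${1##*"$2",}
  extract_between_result=${extract_between_rest%%"$3"*}
  printf '%s\n' "${extract_between_result}"
}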
#######################################
# Build the comma-separated list of enabled TLS versions for one side.
# The minimum defaults to TLSv1.2 and the maximum to TLSv1.3; the list runs
# from the minimum to the maximum, both included.
# Globals:   result (written); enabled_protocols_min, enabled_protocols_max,
#            enabled_protocols, target (written)
# Arguments: $1 - target, e.g. "server" or "client"
# NOTE(review): nothing here checks that the minimum comes before the maximum
# in the known list, or that either value is in the list at all - confirm
# that callers only supply supported, correctly ordered versions.
#######################################
get_enabled_protocol() {
  target=$1

  get_enabled_protocol_limit "${target}" "min" "TLSv1.2"
  enabled_protocols_min=${enabled_protocol_limit}
  get_enabled_protocol_limit "${target}" "max" "TLSv1.3"
  enabled_protocols_max=${enabled_protocol_limit}

  if [ -z "${enabled_protocols_min:-}" ] || [ "${enabled_protocols_min:-}" = "${enabled_protocols_max:-}" ]; then
    # No lower bound, or both bounds identical: the maximum alone is the list.
    result="${enabled_protocols_max:-}"
  else
    enabled_protocols_max=${enabled_protocols_max:-"TLSv1.3"}
    # Known versions in ascending order; the surrounding commas let every
    # entry be matched together with its separator.
    enabled_protocols=,TLSv1,TLSv1.1,TLSv1.2,TLSv1.3,TLSv1.4,
    # Versions strictly between the two bounds, each followed by a comma.
    result=$(extract_between "$enabled_protocols" "$enabled_protocols_min" "$enabled_protocols_max")
    result="$enabled_protocols_min,$result$enabled_protocols_max"
  fi
}
# --- Server side -------------------------------------------------------------
server_protocol="TLS"
# Cipher suites: component setting, then the gateway's, then the Zowe-wide
# one, then the built-in list below.
# NOTE(review): the built-in list still contains TLS_RSA_* and TLS_ECDH_*
# suites (static key exchange, no forward secrecy) and CBC-mode suites,
# including two with a SHA-1 MAC. Deployments that do not need them can
# narrow the list through the *_tls_ciphers variables.
server_ciphers=${ZWE_configs_zowe_network_server_tls_ciphers:-${ZWE_components_gateway_zowe_network_server_tls_ciphers:-${ZWE_zowe_network_server_tls_ciphers:-TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,TLS_DHE_DSS_WITH_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_EMPTY_RENEGOTIATION_INFO_SCSV}}}
# get_enabled_protocol leaves its answer in the global "result", which has to
# be read before the next call overwrites it.
get_enabled_protocol "server"
server_enabled_protocols=${result:-"TLSv1.3"}

# --- Client side -------------------------------------------------------------
# An explicit gateway httpclient setting wins, then the computed client range,
# then whatever the server side uses.
get_enabled_protocol "client"
client_enabled_protocols=${ZWE_components_gateway_apiml_httpclient_ssl_enabled_protocols:-${result:-${server_enabled_protocols}}}
# Client cipher suites fall back to the server list.
client_ciphers=${ZWE_configs_zowe_network_client_tls_ciphers:-${ZWE_components_gateway_zowe_network_client_tls_ciphers:-${ZWE_zowe_network_client_tls_ciphers:-${server_ciphers}}}}
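# Certificate settings. A component-level ZWE_configs_certificate_* value wins
# over the Zowe-level ZWE_zowe_certificate_* value; both store types default
# to PKCS12 and the key password defaults to the keystore password.
keystore_type="${ZWE_configs_certificate_keystore_type:-${ZWE_zowe_certificate_keystore_type:-PKCS12}}"
keystore_pass="${ZWE_configs_certificate_keystore_password:-${ZWE_zowe_certificate_keystore_password}}"
key_alias="${ZWE_configs_certificate_keystore_alias:-${ZWE_zowe_certificate_keystore_alias}}"
key_pass="${ZWE_configs_certificate_key_password:-${ZWE_zowe_certificate_key_password:-${keystore_pass}}}"
truststore_type="${ZWE_configs_certificate_truststore_type:-${ZWE_zowe_certificate_truststore_type:-PKCS12}}"
truststore_pass="${ZWE_configs_certificate_truststore_password:-${ZWE_zowe_certificate_truststore_password}}"
keystore_location="${ZWE_configs_certificate_keystore_file:-${ZWE_zowe_certificate_keystore_file}}"
truststore_location="${ZWE_configs_certificate_truststore_file:-${ZWE_zowe_certificate_truststore_file}}"

# Keyring-backed keystore types need their own URL scheme in place of the
# generic safkeyring:// prefix.
# NOTE(review): the truststore location is rewritten according to
# keystore_type, not truststore_type - confirm that the two are always meant
# to be the same type.
case "${keystore_type}" in
  JCERACFKS) keyring_scheme="safkeyringjce" ;;
  JCECCARACFKS) keyring_scheme="safkeyringjcecca" ;;
  JCEHYBRIDRACFKS) keyring_scheme="safkeyringjcehybrid" ;;
  *) keyring_scheme="" ;;
esac
if [ -n "${keyring_scheme}" ]; then
  keystore_location=$(echo "${keystore_location}" | sed "s_safkeyring://_${keyring_scheme}://_")
  truststore_location=$(echo "${truststore_location}" | sed "s_safkeyring://_${keyring_scheme}://_")
fi

# With server-side AT-TLS and APIML_ATTLS_LOAD_KEYRING=true the keystore
# settings are blanked; the truststore settings are kept.
# Two tests joined with && replace the obsolescent "-a" operator, whose
# parsing is not well defined for unusual operand values.
if [ "${ATTLS_ENABLED}" = "true" ] && [ "${APIML_ATTLS_LOAD_KEYRING:-false}" = "true" ]; then
  keystore_type=
  keystore_pass=
  key_pass=
  key_alias=
  keystore_location=
fi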
# NOTE: these are moved from below
# -Dapiml.service.ipAddress=${ZOWE_IP_ADDRESS:-127.0.0.1} \
# -Dapiml.service.preferIpAddress=false \
# Take the java binary from ZWE_java_home when that is set. Otherwise
# JAVA_BIN_DIR is left as it is; if it is empty, the launch command resolves
# "java" through PATH.
case "${ZWE_java_home}" in
  "") ;;
  *) JAVA_BIN_DIR=${ZWE_java_home}/bin/ ;;
esac
# Launch the API Catalog JVM in the background, print its pid, then block
# until it exits.
#
# NOTE(review): the keystore, key and truststore passwords are passed as
# -Dserver.ssl.*Password options, so they are part of the java process's
# argument list. Whether other users on the host can read that list depends
# on the platform - confirm, and prefer a channel that does not show up in
# process listings if they can.
# NOTE(review): most expansions below are unquoted. ${QUICK_START} and
# ${ADD_OPENS} rely on that (an empty value must vanish, each line must become
# its own argument), but any other value containing whitespace or glob
# characters would be split or expanded as well.
# NOTE(review): server.address falls back to 0.0.0.0, i.e. all interfaces,
# when no listen address is configured.
# NOTE(review): both verifySslCertificatesOfServices options fall back to
# false here. Earlier in this script the two variables are always assigned, so
# the fallback only matters if that assignment is ever removed.

# Component code appended to the job prefix to form the job name.
CATALOG_CODE=AC
# Plain assignment without export. NOTE(review): it reaches the JVM only if
# _BPXK_AUTOCVT is already exported by the caller - confirm.
_BPXK_AUTOCVT=OFF
# _BPX_JOBNAME is placed in the environment of this one command only.
_BPX_JOBNAME=${ZWE_zowe_job_prefix}${CATALOG_CODE} ${JAVA_BIN_DIR}java \
-Xms${ZWE_configs_heap_init:-32}m -Xmx${ZWE_configs_heap_max:-512}m \
-XX:+ExitOnOutOfMemoryError \
${QUICK_START} \
${ADD_OPENS} \
-Dibm.serversocket.recover=true \
-Dfile.encoding=UTF-8 \
-Dlogging.charset.console=${ZOWE_CONSOLE_LOG_CHARSET} \
-Djava.io.tmpdir=${TMPDIR:-/tmp} \
-Dspring.profiles.active=${ZWE_configs_spring_profiles_active:-} \
-Dapiml.service.hostname=${ZWE_haInstance_hostname:-localhost} \
-Dapiml.service.port=${ZWE_configs_port:-7552} \
-Dapiml.service.discoveryServiceUrls=${ZWE_DISCOVERY_SERVICES_LIST} \
-Dapiml.service.gatewayHostname=${ZWE_GATEWAY_HOST:-${ZWE_haInstance_hostname:-localhost}} \
-Dapiml.logs.location=${ZWE_zowe_logDirectory} \
-Dapiml.health.protected=${ZWE_configs_apiml_health_protected:-true} \
-Dapiml.service.externalUrl="${externalProtocol}://${ZWE_zowe_externalDomains_0}:${ZWE_zowe_externalPort}" \
-Dapiml.discovery.staticApiDefinitionsDirectories=${ZWE_STATIC_DEFINITIONS_DIR} \
-Dapiml.security.ssl.verifySslCertificatesOfServices=${verifySslCertificatesOfServices:-false} \
-Dapiml.security.ssl.nonStrictVerifySslCertificatesOfServices=${nonStrictVerifySslCertificatesOfServices:-false} \
-Dapiml.security.authorization.provider=${ZWE_configs_apiml_security_authorization_provider:-${ZWE_components_gateway_apiml_security_authorization_provider:-"native"}} \
-Dapiml.security.authorization.endpoint.enabled=${ZWE_components_gateway_apiml_security_authorization_endpoint_enabled:-false} \
-Dapiml.security.authorization.endpoint.url=${ZWE_components_gateway_apiml_security_authorization_endpoint_url:-"${internalProtocol:-https}://${ZWE_haInstance_hostname:-localhost}:${ZWE_components_gateway_port}/zss/api/v1/saf-auth"} \
-Dapiml.security.authorization.resourceClass=${ZWE_components_gateway_apiml_security_authorization_resourceClass:-ZOWE} \
-Dapiml.security.auth.cookieProperties.cookieName=${cookieName:-apimlAuthenticationToken} \
-Dapiml.catalog.hide.serviceInfo=${ZWE_configs_apiml_catalog_hide_serviceInfo:-false} \
-Dapiml.catalog.customStyle.logo=${ZWE_configs_apiml_catalog_customStyle_logo:-} \
-Dapiml.catalog.customStyle.fontFamily=${ZWE_configs_apiml_catalog_customStyle_fontFamily:-} \
-Dapiml.catalog.customStyle.backgroundColor=${ZWE_configs_apiml_catalog_customStyle_backgroundColor:-} \
-Dapiml.catalog.customStyle.titlesColor=${ZWE_configs_apiml_catalog_customStyle_titlesColor:-} \
-Dapiml.catalog.customStyle.headerColor=${ZWE_configs_apiml_catalog_customStyle_headerColor:-} \
-Dapiml.catalog.customStyle.textColor=${ZWE_configs_apiml_catalog_customStyle_textColor:-} \
-Dapiml.catalog.customStyle.docLink=${ZWE_configs_apiml_catalog_customStyle_docLink:-} \
-Dapiml.httpclient.ssl.enabled-protocols=${client_enabled_protocols} \
-Djdk.tls.client.cipherSuites=${client_ciphers} \
-Dserver.ssl.ciphers=${server_ciphers} \
-Dserver.ssl.protocol=${server_protocol} \
-Dserver.ssl.enabled-protocols=${server_enabled_protocols} \
-Dserver.address=${ZWE_configs_zowe_network_server_listenAddresses_0:-${ZWE_zowe_network_server_listenAddresses_0:-"0.0.0.0"}} \
-Dserver.ssl.enabled=${ZWE_configs_server_ssl_enabled:-true} \
-Dserver.ssl.keyStore="${keystore_location}" \
-Dserver.ssl.keyStoreType="${keystore_type}" \
-Dserver.ssl.keyStorePassword="${keystore_pass}" \
-Dserver.ssl.keyAlias="${key_alias}" \
-Dserver.ssl.keyPassword="${key_pass}" \
-Dserver.ssl.trustStore="${truststore_location}" \
-Dserver.ssl.trustStoreType="${truststore_type}" \
-Dserver.ssl.trustStorePassword="${truststore_pass}" \
-Djava.protocol.handler.pkgs=com.ibm.crypto.provider \
-Dloader.path=${COMMON_LIB} \
-Djava.library.path=${LIBPATH} \
-Djavax.net.debug=${ZWE_configs_sslDebug:-""} \
-jar "${JAR_FILE}" &
# $! is the pid of the background java process started above.
pid=$!
echo "pid=${pid}"
# Block on job %1, the only background job this script starts.
wait %1