Tomcat SSL/TLS and Java Keystore and TrustStore Configuration for Linux and Windows Hosts

Learn how to efficiently manage and set up SSL/TLS certificates, Java KeyStores, and Java Truststores using Ansible. This guide includes steps for incorporating both automatically generated and externally obtained certificates.

Projects: c2platform/rws/ansible-gis, c2platform.core, c2platform.mw, c2platform.gis


Overview

This tutorial demonstrates the setup of two Tomcat nodes – one on Ubuntu 22 and another on Windows Server 2022 – for SSL and Java TrustStore configuration. This how-to basically can be used to validate the RWS approach for a simple Ansible based CA server approach as documented in Implementing PKI for RWS GIS with Ansible

Using Vagrant and Ansible the following will be performed:

  1. Vagrant creates two nodes: an LXD box running Ubuntu 22 and a VirtualBox VM with Windows Server 2022.
  2. Vagrant initiates the Ansible provisioner.
  3. Ansible installs Tomcat on both nodes using different roles.
    1. For Linux, the role c2platform.mw.tomcat is used to download and extract apache-tomcat-9.0.87.tar.gz  and then configure Tomcat.
    2. For Windows c2platform.gis.tomcat is used which downloads apache-tomcat-9.0.78.exe  and uses that to install Tomcat on MS Windows.
    3. Both roles include the c2platform.core.cacerts role for SSL/TLS certificate generation, Java KeyStore creation, and Java TrustStore updates with the CA Root CA certificate.
NodeOSDistributionProvider
gsd-tomcat1LinuxUbuntu 22LXD
gsd-tomcat2WindowsWindows Server 2022VirtualBox

Prerequisites

Before proceeding, make sure you have completed the steps to Setup the RWS Development Environment on Ubuntu 22 and have the reverse proxy running

vagrant up gsd-rproxy1

In the RWS Development Environment, the Reverse Proxy gsd-rproxy1 also serves a secondary purpose by functioning as the CA Server. This setup plays a crucial role in managing and distributing certificates and Java Keystores / TrustStores.

Setup

To initialize the Tomcat nodes gsd-tomcat1 and gsd-tomcat2, execute the command below. The provisioning process is expected to take approximately 11 minutes to complete.

vagrant up gsd-tomcat1 gsd-tomcat2

Verify

If Vagrant was able to succesfully provision the two nodes, without errors, you can verify if everything is working correclty with the following steps.

SSL/TLS Configuration

Start FireFox using your FireFox profile ( see Configure a FireFox Profile ) and you should be able to navigate to the links below and see the “Hello World” application. You should not see any SSL/TLS certificate error messages.

  1. https://gsd-tomcat1.internal.c2platform.org:8443/helloworld/ 
  2. https://gsd-tomcat2.internal.c2platform.org:8443/helloworld/ 

With this, you have verified that Tomcat SSL/TLS configuration was performed by Ansible on gsd-tomcat1 and gsd-tomcat2 and is correctly working.

Navigate to the links below. You should see the same messages.

  1. https://helloworld.c2platform.org/ 
  2. https://helloworld2.c2platform.org/ 

This confirms that you are also able to access the Tomcat services running on gsd-tomcat1 and gsd-tomcat2 via the reverse proxy server gsd-rproxy1.

TrustStore

Ansible also updates the Java TrustStore on gsd-tomcat1 and gsd-tomcat2 with CA root certificate. Wich you can verify is working correctly by using a custom Java test class HttpsConnectionTest. Run

Execute the commands below to verify the Java TrustStore on gsd-tomcat1:

  1. Enter the node using SSH:

    vagrant ssh gds-tomcat1
    
  2. From directory /vagrant/scripts/gsd-tomcat run the HttpsConnectionTest:

    cd /vagrant/scripts/gsd-tomcat
    bash test-https.sh
    
    Show me
    vagrant@gsd-tomcat1:/vagrant/scripts/gsd-tomcat$ bash test-https.sh
    google, Dec 14, 2023, trustedCertEntry,
    Certificate fingerprint (SHA-256): 98:2D:C0:52:3D:84:7D:B5:89:AE:22:3E:DD:D8:37:86:72:79:D7:32:40:D6:03:55:D8:A6:F1:70:53:DF:48:95
    c2-ca, Dec 14, 2023, trustedCertEntry,
    Certificate fingerprint (SHA-256): 64:1B:BC:79:EE:0A:37:EA:3D:AC:B9:E3:E5:7F:02:71:3E:7D:C8:82:89:62:C5:E8:11:75:45:37:58:18:71:6F
    Response Code: 200
    Response Message: OK
    Response Code: 200
    Response Message: OK
    Response Code: 200
    Response Message: null
    vagrant@gsd-tomcat1:/vagrant/scripts/gsd-tomcat$
    

To verify the same on gsd-tomcat2 run the following commands:

  1. Enter the node using SSH:

    vagrant ssh gds-tomcat2
    
  2. From directory C:/vagrant/scripts/gsd-tomcat run the HttpsConnectionTest:

    cd /vagrant/scripts/gsd-tomcat
    test-https.bat
    
    Show me
    vagrant@GSD-TOMCAT2 C:\vagrant\scripts\gsd-tomcat>test-https.bat
    
    vagrant@GSD-TOMCAT2 C:\vagrant\scripts\gsd-tomcat>set JAVA_HOME=D:\Apps\jdk-17.0.5\jdk-17.0.5+8
    
    vagrant@GSD-TOMCAT2 C:\vagrant\scripts\gsd-tomcat>set PATH=C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\ProgramData\chocolatey\bin;C:\Program Files\PowerShell\7\;C:\Program Files\OpenSSH;C:\Program Files\Git\cmd;C:\Users\vagrant\AppData\Local\Microsoft\WindowsApps;;D:\Apps\jdk-17.0.5\jdk-17.0.5+8\bin;D:\Apps\jdk-17.0.5\jdk-17.0.5+8\bin
    
    vagrant@GSD-TOMCAT2 C:\vagrant\scripts\gsd-tomcat>keytool -list -cacerts -storepass changeit -alias google
    google, Mar 20, 2024, trustedCertEntry,
    Certificate fingerprint (SHA-256): 47:19:35:3D:CE:E0:3D:17:BD:60:C2:28:71:84:03:CD:2F:9F:81:EE:06:C8:A6:63:23:4E:56:95:15:8C:19:C6
    
    vagrant@GSD-TOMCAT2 C:\vagrant\scripts\gsd-tomcat>keytool -list -cacerts -storepass changeit -alias c2-ca
    c2-ca, Dec 14, 2023, trustedCertEntry,
    Certificate fingerprint (SHA-256): 64:1B:BC:79:EE:0A:37:EA:3D:AC:B9:E3:E5:7F:02:71:3E:7D:C8:82:89:62:C5:E8:11:75:45:37:58:18:71:6F
    
    vagrant@GSD-TOMCAT2 C:\vagrant\scripts\gsd-tomcat>javac HttpsConnectionTest.java
    
    vagrant@GSD-TOMCAT2 C:\vagrant\scripts\gsd-tomcat>java HttpsConnectionTest https://www.google.nl
    Response Code: 200
    Response Message: OK
    
    vagrant@GSD-TOMCAT2 C:\vagrant\scripts\gsd-tomcat>java HttpsConnectionTest https://c2platform.org
    Response Code: 200
    Response Message: OK
    
    vagrant@GSD-TOMCAT2 C:\vagrant\scripts\gsd-tomcat>java HttpsConnectionTest https://gsd-tomcat2.internal.c2platform.org:8443/helloworld/
    Response Code: 200
    Response Message: null
    

Alternatively, for gsd-tomcat2, as this is a Windows node, you can also use an RDP connection:

  1. Start RDP connection to 1.1.8.207 login as vagrant with password vagrant

  2. Use the WIndow Commant Prompt shortcut on the desktop named Scripts and run the script test-https.bat. This will compile a simple Java test class that is then used to verify that Java TrustStore was updated correctly with the CA certificate. Running this script should not show any error messages and only a response code of 200 indicating succes.

    Show me
    c:\vagrant\scripts\gsd-tomcat>test-https.bat
    
    c:\vagrant\scripts\gsd-tomcat>set JAVA_HOME=D:\Apps\jdk-17.0.5\jdk-17.0.5+8
    
    c:\vagrant\scripts\gsd-tomcat>set PATH=C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\ProgramData\chocolatey\bin;C:\Program Files\PowerShell\7\;C:\Program Files\OpenSSH;C:\Program Files\Git\cmd;%USERPROFILE%\AppData\Local\Microsoft\WindowsApps;%JAVA_HOME%\bin;D:\Apps\jdk-17.0.5\jdk-17.0.5+8\bin;D:\Apps\jdk-17.0.5\jdk-17.0.5+8\bin;D:\Apps\jdk-17.0.5\jdk-17.0.5+8\bin
    
    c:\vagrant\scripts\gsd-tomcat>keytool -list -cacerts -storepass changeit -alias google
    google, Dec 14, 2023, trustedCertEntry,
    Certificate fingerprint (SHA-256): 98:2D:C0:52:3D:84:7D:B5:89:AE:22:3E:DD:D8:37:86:72:79:D7:32:40:D6:03:55:D8:A6:F1:70:53:DF:48:95
    
    c:\vagrant\scripts\gsd-tomcat>keytool -list -cacerts -storepass changeit -alias c2-ca
    c2-ca, Dec 14, 2023, trustedCertEntry,
    Certificate fingerprint (SHA-256): 64:1B:BC:79:EE:0A:37:EA:3D:AC:B9:E3:E5:7F:02:71:3E:7D:C8:82:89:62:C5:E8:11:75:45:37:58:18:71:6F
    
    c:\vagrant\scripts\gsd-tomcat>javac HttpsConnectionTest.java
    
    c:\vagrant\scripts\gsd-tomcat>java HttpsConnectionTest https://www.google.nl
    Response Code: 200
    Response Message: OK
    
    c:\vagrant\scripts\gsd-tomcat>java HttpsConnectionTest https://c2platform.org
    Response Code: 200
    Response Message: OK
    
    c:\vagrant\scripts\gsd-tomcat>java HttpsConnectionTest https://gsd-tomcat2.internal.c2platform.org:8443/helloworld/
    Response Code: 200
    Response Message: null
    
    c:\vagrant\scripts\gsd-tomcat>
    

Review

With regards to the Tomcat Nodes gsd-tomcat1,gsd-tomcat2 and the CA Server gsd-rproxy1 take note of the following files.

NodeProjectPlayFile
gsd-rproxy1GIS Platformplays/mgmt/cacerts_server.ymlgroup_vars/all/certs.yml
gsd-tomcat1GIS Platformplays/mw/tomcat.ymlgroup_vars/tomcat_linux/certs.yml
gsd-tomcat2GIS Platformplays/mw/tomcat.ymlgroup_vars/tomcat_win/certs.yml

Node gsd-tomcat1

For node gsd-tomcat1 the configuration is group_vars/tomcat_linux/certs.yml

---
tomcat_cacerts2_certificates:
  - common_name: "{{ inventory_hostname }}"  # alias
    country_name: NL
    locality_name: Den Haag
    organization_name: C2
    organizational_unit_name: C2 GIS Platform Team
    state_or_province_name: Zuid-Holland
    subject_alt_name:
      - "DNS:{{ inventory_hostname }}"
      - "DNS:{{ inventory_hostname }}.internal.c2platform.org"
      - "IP:{{ ansible_eth1.ipv4.address }}"
    ansible_group: tomcat
    deploy:
      keystore:
        dir: "{{ tomcat_home_version }}/conf"
        password: secret
        owner: "{{ tomcat_user }}"
        group: "{{ tomcat_group }}"
        notify: restart tomcat instance
      truststore:
        dest: "{{ java_version | c2platform.core.java_home }}/lib/security/cacerts"
        sites:
          - name: www.google.com
            port: 443
            alias: google

This configuration results in the creation of a file named gsd-tomcat1-gsd-tomcat1.keystore on the CA Server gsd-rproxy1.

vagrant@gsd-rproxy1:~$ ls /vagrant/.ca/c2/tomcat/ | grep tomcat1
gsd-tomcat1-gsd-tomcat1.crt
gsd-tomcat1-gsd-tomcat1.csr
gsd-tomcat1-gsd-tomcat1.key
gsd-tomcat1-gsd-tomcat1.keystore
gsd-tomcat1-gsd-tomcat1.p12
gsd-tomcat1-gsd-tomcat1.pem
gsd-tomcat1-gsd-tomcat1.truststore

This file is subsequently distributed to the gsd-tomcat1 node, as shown in the following directory listing:

root@gsd-tomcat1:~# ls /opt/tomcat/tomcat/conf/
Catalina             gsd-tomcat1-gsd-tomcat1.keystore  jmxremote.password  tomcat-users.xsd
catalina.policy      jaspic-providers.xml              logging.properties  web.xml
catalina.properties  jaspic-providers.xsd              server.xml
context.xml          jmxremote.access                  tomcat-users.xml
root@gsd-tomcat1:~#

This configuration also updates / manages the Java TrustStore. Using keytool you can verify that the certificate of ttps://www.google.com:443  and the C2 Root CA Certificate were imported into the Java Truststore.

keytool -list -cacerts -storepass changeit -alias google
keytool -list -cacerts -storepass changeit -alias c2-ca
Show me
root@gsd-tomcat1:~# keytool -list -cacerts -storepass changeit -alias google
google, Dec 14, 2023, trustedCertEntry,
Certificate fingerprint (SHA-256): 98:2D:C0:52:3D:84:7D:B5:89:AE:22:3E:DD:D8:37:86:72:79:D7:32:40:D6:03:55:D8:A6:F1:70:53:DF:48:95
root@gsd-tomcat1:~# keytool -list -cacerts -storepass changeit -alias c2-ca
c2-ca, Dec 14, 2023, trustedCertEntry,
Certificate fingerprint (SHA-256): 64:1B:BC:79:EE:0A:37:EA:3D:AC:B9:E3:E5:7F:02:71:3E:7D:C8:82:89:62:C5:E8:11:75:45:37:58:18:71:6F
root@gsd-tomcat1:~#

Node gsd-tomcat2

For node gsd-tomcat2 the configuration is group_vars/tomcat_win/certs.yml

tomcat_cacerts2_certificates:
  - common_name: "{{ inventory_hostname }}"  # alias
    country_name: NL
    locality_name: Den Haag
    organization_name: C2
    organizational_unit_name: C2 GIS Platform Team
    state_or_province_name: Zuid-Holland
    subject_alt_name:
      - "DNS:{{ inventory_hostname }}"
      - "DNS:{{ inventory_hostname }}.internal.c2platform.org"
      - "DNS:{{ inventory_hostname }}.ad.c2platform.org"
      - "IP:{{ ansible_host }}"
    ansible_group: tomcat
    deploy:
      keystore:
        dir: "{{ tomcat_home }}/conf"
        password: secret
        notify: Restart Tomcat service
      truststore:
        dest: "{{ java_install_dir }}/jdk-17.0.5+8/lib/security/cacerts"
        sites:
          - name: www.google.com
            port: 443
            alias: google

This configuration results in the creation of a file named gsd-tomcat2-GSD-TOMCAT2.keystore on the CA Server gsd-rproxy1.

Show me
root@gsd-rproxy1:~# ls /vagrant/.ca/c2/tomcat/ | grep tomcat2
gsd-tomcat2-GSD-TOMCAT2.crt
gsd-tomcat2-GSD-TOMCAT2.csr
gsd-tomcat2-GSD-TOMCAT2.key
gsd-tomcat2-GSD-TOMCAT2.keystore
gsd-tomcat2-GSD-TOMCAT2.p12
gsd-tomcat2-GSD-TOMCAT2.pem
gsd-tomcat2-GSD-TOMCAT2.truststore
root@gsd-rproxy1:~#

Which is deployed to directory d:\Apps\tomcat\conf on gsd-tomcat2.

Show me
Microsoft Windows [Version 10.0.20348.707]
(c) Microsoft Corporation. All rights reserved.

vagrant@GSD-TOMCAT2 C:\Users\vagrant>dir d:\Apps\tomcat\conf
 Volume in drive D is Data
 Volume Serial Number is DCAD-2354

 Directory of d:\Apps\tomcat\conf

12/15/2023  03:15 AM    <DIR>          .
12/15/2023  03:14 AM    <DIR>          ..
12/15/2023  03:15 AM    <DIR>          Catalina
07/04/2023  01:15 PM            13,216 catalina.policy
07/04/2023  01:15 PM             7,849 catalina.properties
07/04/2023  01:15 PM             1,431 context.xml
12/15/2023  03:15 AM             4,530 gsd-tomcat2-GSD-TOMCAT2.keystore
07/04/2023  01:15 PM             1,172 jaspic-providers.xml
07/04/2023  01:15 PM             2,365 jaspic-providers.xsd
07/04/2023  01:15 PM             4,223 logging.properties
12/15/2023  03:15 AM             2,508 server.xml
12/15/2023  03:14 AM             8,034 server.xml.3200.20231215-031501.bak
12/15/2023  03:14 AM             2,813 tomcat-users.xml
07/04/2023  01:15 PM             2,617 tomcat-users.xsd
07/04/2023  01:15 PM           177,316 web.xml
              12 File(s)        228,074 bytes
               3 Dir(s)  321,481,920,512 bytes free

vagrant@GSD-TOMCAT2 C:\Users\vagrant>

Deploy RWS Certificate

In this section we are going to deploy simulate deployment of an official / external RWS certificate.

  1. Lookup and save the thumbprint of the current certificate:

    vagrant ssh gsd-tomcat1
    
    echo -n | openssl s_client -connect gsd-tomcat1.internal.c2platform.org:8443 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > /tmp/gsd-tomcat1.pem
    openssl x509 -noout -fingerprint -sha256 -inform pem -in /tmp/gsd-tomcat1.pem
    
    Show me
    vagrant@gsd-tomcat1:~$ echo -n | openssl s_client -connect gsd-tomcat1.internal.c2platform.org:8443 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > /tmp/gsd-tomcat1.pem
    depth=1 CN = c2
    verify return:1
    depth=0 C = NL, ST = Zuid-Holland, L = Den Haag, O = C2, OU = C2 GIS Platform Team, CN = gsd-tomcat1
    verify return:1
    DONE
    vagrant@gsd-tomcat1:~$ openssl x509 -noout -fingerprint -sha256 -inform pem -in /tmp/gsd-tomcat1.pem
    sha256 Fingerprint=7B:63:B1:A0:F8:DC:CA:6F:14:92:A8:F5:A1:43:92:DD:1D:44:8F:90:BE:77:E4:96:08:D4:A7:84:F9:3D:23:05
    vagrant@gsd-tomcat1:~$
    
  2. We are going the remove the self-signed certificate gsd-tomcat1-gsd-tomcat1.crt by renaming it to gsd-tomcat1-gsd-tomcat1.crt.saved. In subsequent tests we are going to treat as if it is a certificate from an external CSP. On the host in the root of the project run:

    sudo chown $USER:$USER .ca/c2/tomcat/*
    sudo mv .ca/c2/tomcat/gsd-tomcat1-gsd-tomcat1.crt .ca/c2/tomcat/gsd-tomcat1-gsd-tomcat1.crt.saved
    

    Provision gsd-tomcat1

    vagrant provision gsd-tomcat1 | tee provision.log
    

    Check the provision.log file where you should see that a new SSL / TLS certificate, a new Java KeyStore were created and deployed and that these changes triggered a restart of the Tomcat services. If you run the commands to check the thumbprint you should see a different value now. Indicating that the Tomcat service is indeed using a different certificate.

    Show me
    ==> gsd-tomcat1: Running provisioner: shell...
        gsd-tomcat1: Running: inline script
    ==> gsd-tomcat1: Running provisioner: ansible...
        gsd-tomcat1: Running ansible-playbook...
    [DEPRECATION WARNING]: "include" is deprecated, use include_tasks/import_tasks
    instead. See https://docs.ansible.com/ansible-
    core/2.15/user_guide/playbooks_reuse_includes.html for details. This feature
    will be removed in version 2.16. Deprecation warnings can be disabled by
    setting deprecation_warnings=False in ansible.cfg.
    
    PLAY [Tomcat] ******************************************************************
    
    TASK [Gathering Facts] *********************************************************
    ok: [gsd-tomcat1]
    
    TASK [c2platform.core.server_update : include_tasks] ***************************
    included: /home/ostraaten/git/gitlab/c2/ansible-dev-collections/ansible_collections/c2platform/core/roles/server_update/tasks/update_cache.yml for gsd-tomcat1
    
    TASK [c2platform.core.server_update : Apt update cache] ************************
    ok: [gsd-tomcat1]
    
    TASK [c2platform.core.bootstrap : include_tasks] *******************************
    included: /home/ostraaten/git/gitlab/c2/ansible-dev-collections/ansible_collections/c2platform/core/roles/bootstrap/tasks/package.yml for gsd-tomcat1 => (item=python3-pip)
    included: /home/ostraaten/git/gitlab/c2/ansible-dev-collections/ansible_collections/c2platform/core/roles/bootstrap/tasks/package.yml for gsd-tomcat1 => (item=upgrade pip and setuptools)
    included: /home/ostraaten/git/gitlab/c2/ansible-dev-collections/ansible_collections/c2platform/core/roles/bootstrap/tasks/package.yml for gsd-tomcat1 => (item=['setuptools', 'pyOpenSSL==22.0.0', 'psycopg2-binary', 'lxml', 'cryptography==38.0.4'])
    included: /home/ostraaten/git/gitlab/c2/ansible-dev-collections/ansible_collections/c2platform/core/roles/bootstrap/tasks/package.yml for gsd-tomcat1 => (item=['nano', 'wget', 'tree', 'unzip', 'zip', 'jq', 'build-essential', 'python3-dev', 'python3-wheel', 'libsasl2-dev', 'libldap2-dev', 'libssl-dev', 'git', 'nfs-common', 'net-tools', 'telnet', 'curl', 'dnsutils', 'python2'])
    
    TASK [c2platform.core.bootstrap : OS package] **********************************
    ok: [gsd-tomcat1]
    
    TASK [c2platform.core.bootstrap : Custom command upgrade pip and setuptools] ***
    ok: [gsd-tomcat1]
    
    TASK [c2platform.core.bootstrap : PIP package] *********************************
    ok: [gsd-tomcat1]
    
    TASK [c2platform.core.bootstrap : OS package] **********************************
    ok: [gsd-tomcat1]
    
    TASK [c2platform.core.os_trusts : CA distribute ( Debian )] ********************
    ok: [gsd-tomcat1] => (item=https://letsencrypt.org/certs/isrgrootx1.pem)
    ok: [gsd-tomcat1] => (item=file:///vagrant/.ca/c2/c2.crt)
    
    TASK [c2platform.core.secrets : Stat secret dir] *******************************
    ok: [gsd-tomcat1 -> localhost] => (item=/home/ostraaten/git/gitlab/c2/ansible-gis/secret_vars/development)
    ok: [gsd-tomcat1 -> localhost] => (item=/runner/project/secret_vars/development)
    
    TASK [c2platform.core.secrets : Include secrets] *******************************
    ok: [gsd-tomcat1] => (item=/home/ostraaten/git/gitlab/c2/ansible-gis/secret_vars/development)
    
    TASK [c2platform.core.files : include_tasks] ***********************************
    included: /home/ostraaten/git/gitlab/c2/ansible-dev-collections/ansible_collections/c2platform/core/roles/files/tasks/files.yml for gsd-tomcat1 => (item=marker)
    
    TASK [c2platform.core.files : include_tasks] ***********************************
    included: /home/ostraaten/git/gitlab/c2/ansible-dev-collections/ansible_collections/c2platform/core/roles/files/tasks/files_src.yml for gsd-tomcat1
    
    TASK [c2platform.core.files : Link] ********************************************
    ok: [gsd-tomcat1] => (item=/usr/bin/python → /usr/bin/python2)
    
    TASK [c2platform.core.files : Lineinfile] **************************************
    ok: [gsd-tomcat1] => (item=/home/vagrant/.bashrc)
    ok: [gsd-tomcat1] => (item=/root/.bashrc)
    
    TASK [c2platform.core.lcm : Ansible roles names without prefix] ****************
    ok: [gsd-tomcat1]
    
    TASK [c2platform.core.lcm : lcm_roles_node] ************************************
    ok: [gsd-tomcat1]
    
    TASK [c2platform.core.lvm : Get disks] *****************************************
    ok: [gsd-tomcat1]
    
    TASK [c2platform.core.lvm : Get usable devices] ********************************
    ok: [gsd-tomcat1]
    
    TASK [c2platform.core.lvm : Get nodes lvm roles] *******************************
    ok: [gsd-tomcat1]
    
    TASK [c2platform.core.hosts : Set up /etc/hostname.] ***************************
    ok: [gsd-tomcat1] => (item=/home/ostraaten/git/gitlab/c2/ansible-dev-collections/ansible_collections/c2platform/core/roles/hosts/templates/../templates/hostname.j2)
    
    TASK [c2platform.core.hosts : Set up /etc/hosts.] ******************************
    ok: [gsd-tomcat1] => (item=/home/ostraaten/git/gitlab/c2/ansible-dev-collections/ansible_collections/c2platform/core/roles/hosts/templates/../templates/hosts.j2)
    
    TASK [c2platform.core.alias : Set fact node roles] *****************************
    ok: [gsd-tomcat1]
    
    TASK [c2platform.core.common : Remove custom prompt] ***************************
    ok: [gsd-tomcat1]
    
    TASK [Include role(s)] *********************************************************
    
    TASK [c2platform.core.java : Set additional java facts] ************************
    ok: [gsd-tomcat1]
    
    TASK [c2platform.core.java : Install Java] *************************************
    included: /home/ostraaten/git/gitlab/c2/ansible-dev-collections/ansible_collections/c2platform/core/roles/java/tasks/install.yml for gsd-tomcat1 => (item=jdk17)
    
    TASK [c2platform.core.java : Check installed] **********************************
    ok: [gsd-tomcat1]
    
    TASK [c2platform.core.java : Create etc profile] *******************************
    ok: [gsd-tomcat1]
    
    TASK [c2platform.mw.tomcat : test if tomcat_versions is set correctly] *********
    ok: [gsd-tomcat1 -> localhost]
    
    TASK [c2platform.mw.tomcat : test if tomcat_home is set correctly] *************
    ok: [gsd-tomcat1 -> localhost]
    
    TASK [c2platform.mw.tomcat : test if tomcat_version is set correctly] **********
    ok: [gsd-tomcat1 -> localhost]
    
    TASK [c2platform.mw.tomcat : test if tomcat_user is set correctly] *************
    ok: [gsd-tomcat1 -> localhost]
    
    TASK [c2platform.mw.tomcat : test if tomcat_group is set correctly] ************
    ok: [gsd-tomcat1 -> localhost]
    
    TASK [c2platform.mw.tomcat : test if tomcat_catalina_opts is set correctly] ****
    ok: [gsd-tomcat1 -> localhost]
    
    TASK [c2platform.mw.tomcat : test if tomcat_non_ssl_connector_port is set correctly] ***
    ok: [gsd-tomcat1 -> localhost]
    
    TASK [c2platform.mw.tomcat : test if tomcat_ssl_connector_port is set correctly] ***
    ok: [gsd-tomcat1 -> localhost]
    
    TASK [c2platform.mw.tomcat : test if tomcat_shutdown_port is set correctly] ****
    ok: [gsd-tomcat1 -> localhost]
    
    TASK [c2platform.mw.tomcat : test if tomcat_ajp_port is set correctly] *********
    ok: [gsd-tomcat1 -> localhost]
    
    TASK [c2platform.mw.tomcat : test if port collisions occur is set correctly] ***
    ok: [gsd-tomcat1 -> localhost]
    
    TASK [c2platform.mw.tomcat : test if tomcat_jre_home is set correctly] *********
    ok: [gsd-tomcat1 -> localhost]
    
    TASK [c2platform.mw.tomcat : test if tomcat_service_state is set correctly] ****
    ok: [gsd-tomcat1 -> localhost]
    
    TASK [c2platform.mw.tomcat : test if tomcat_service_enabled is set correctly] ***
    ok: [gsd-tomcat1 -> localhost]
    
    TASK [c2platform.mw.tomcat : test if tomcat_address is set correctly] **********
    ok: [gsd-tomcat1 -> localhost]
    
    TASK [c2platform.mw.tomcat : test if tomcat_access_log_enabled is set correctly] ***
    ok: [gsd-tomcat1 -> localhost]
    
    TASK [c2platform.mw.tomcat : test if tomcat_access_log_directory is set correctly] ***
    ok: [gsd-tomcat1 -> localhost]
    
    TASK [c2platform.mw.tomcat : test if tomcat_access_log_prefix is set correctly] ***
    ok: [gsd-tomcat1 -> localhost]
    
    TASK [c2platform.mw.tomcat : test if tomcat_access_log_suffix is set correctly] ***
    ok: [gsd-tomcat1 -> localhost]
    
    TASK [c2platform.mw.tomcat : test if tomcat_access_log_pattern is set correctly] ***
    ok: [gsd-tomcat1 -> localhost]
    
    TASK [c2platform.mw.tomcat : Group] ********************************************
    ok: [gsd-tomcat1]
    
    TASK [c2platform.mw.tomcat : User] *********************************************
    ok: [gsd-tomcat1]
    
    TASK [c2platform.mw.tomcat : Home directory] ***********************************
    ok: [gsd-tomcat1]
    
    TASK [c2platform.mw.tomcat : Create home link] *********************************
    ok: [gsd-tomcat1]
    
    TASK [c2platform.mw.tomcat : Stat bin dir] *************************************
    ok: [gsd-tomcat1]
    
    TASK [Include certs tasks] *****************************************************
    
    TASK [c2platform.core.cacerts2 : Set fact cacerts2_certificates] ***************
    ok: [gsd-tomcat1]
    
    TASK [c2platform.core.cacerts2 : cacerts2_certificates] ************************
    ok: [gsd-tomcat1]
    
    TASK [c2platform.core.cacerts2 : Set various certificate facts] ****************
    ok: [gsd-tomcat1]
    
    TASK [c2platform.core.cacerts2 : Set fact cacerts2_certificates] ***************
    ok: [gsd-tomcat1]
    
    TASK [c2platform.core.cacerts2 : include_tasks] ********************************
    included: /home/ostraaten/git/gitlab/c2/ansible-dev-collections/ansible_collections/c2platform/core/roles/cacerts2/tasks/certs/certs_group.yml for gsd-tomcat1
    
    TASK [c2platform.core.cacerts2 : include_tasks] ********************************
    included: /home/ostraaten/git/gitlab/c2/ansible-dev-collections/ansible_collections/c2platform/core/roles/cacerts2/tasks/certs/cert.yml for gsd-tomcat1 => (item=gsd-tomcat1)
    
    TASK [c2platform.core.cacerts2 : Stat key] *************************************
    ok: [gsd-tomcat1 -> gsd-rproxy1(1.1.5.205)]
    
    TASK [c2platform.core.cacerts2 : Stat crt] *************************************
    ok: [gsd-tomcat1 -> gsd-rproxy1(1.1.5.205)]
    
    TASK [c2platform.core.cacerts2 : Stat dir] *************************************
    ok: [gsd-tomcat1 -> gsd-rproxy1(1.1.5.205)]
    
    TASK [c2platform.core.cacerts2 : Generate an OpenSSL private key] **************
    ok: [gsd-tomcat1 -> gsd-rproxy1(1.1.5.205)]
    
    TASK [c2platform.core.cacerts2 : Generate an OpenSSL Certificate Signing Request] ***
    ok: [gsd-tomcat1 -> gsd-rproxy1(1.1.5.205)]
    
    TASK [c2platform.core.cacerts2 : Generate an OpenSSL certificate] **************
    changed: [gsd-tomcat1 -> gsd-rproxy1(1.1.5.205)]
    
    TASK [c2platform.core.cacerts2 : Generate pkcs12 file] *************************
    changed: [gsd-tomcat1 -> gsd-rproxy1(1.1.5.205)]
    
    TASK [c2platform.core.cacerts2 : Include Java KeyStore tasks] ******************
    included: /home/ostraaten/git/gitlab/c2/ansible-dev-collections/ansible_collections/c2platform/core/roles/cacerts2/tasks/certs/java_keystore.yml for gsd-tomcat1
    
    TASK [c2platform.core.cacerts2 : Stat KeyStore] ********************************
    ok: [gsd-tomcat1 -> gsd-rproxy1(1.1.5.205)]
    
    TASK [c2platform.core.cacerts2 : Manage Java KeyStore] *************************
    changed: [gsd-tomcat1 -> gsd-rproxy1(1.1.5.205)]
    
    TASK [c2platform.core.cacerts2 : Create PEM file] ******************************
    changed: [gsd-tomcat1 -> gsd-rproxy1(1.1.5.205)]
    
    TASK [c2platform.core.cacerts2 : include_tasks] ********************************
    included: /home/ostraaten/git/gitlab/c2/ansible-dev-collections/ansible_collections/c2platform/core/roles/cacerts2/tasks/certs/cert_deploy.yml for gsd-tomcat1 => (item=gsd-tomcat1)
    
    TASK [c2platform.core.cacerts2 : Copy to control node ( fetch )] ***************
    ok: [gsd-tomcat1 -> gsd-rproxy1(1.1.5.205)] => (item=key)
    changed: [gsd-tomcat1 -> gsd-rproxy1(1.1.5.205)] => (item=crt)
    changed: [gsd-tomcat1 -> gsd-rproxy1(1.1.5.205)] => (item=keystore)
    
    TASK [c2platform.core.cacerts2 : Stat parent dir] ******************************
    ok: [gsd-tomcat1] => (item=key)
    ok: [gsd-tomcat1] => (item=crt)
    ok: [gsd-tomcat1] => (item=keystore)
    
    TASK [c2platform.core.cacerts2 : Copy file] ************************************
    ok: [gsd-tomcat1] => (item=key)
    changed: [gsd-tomcat1] => (item=crt)
    changed: [gsd-tomcat1] => (item=keystore)
    
    TASK [c2platform.mw.tomcat : Configure conf/server.xml] ************************
    ok: [gsd-tomcat1]
    
    TASK [c2platform.mw.tomcat : Configure conf/tomcat-users.xml] ******************
    ok: [gsd-tomcat1]
    
    TASK [c2platform.mw.tomcat : Configure bin/setenv.sh] **************************
    ok: [gsd-tomcat1]
    
    TASK [c2platform.mw.tomcat : Stat manager] *************************************
    ok: [gsd-tomcat1]
    
    TASK [c2platform.mw.tomcat : Configure webapps/manager/META-INF/context.xml] ***
    ok: [gsd-tomcat1]
    
    TASK [c2platform.mw.tomcat : Properties folder] ********************************
    ok: [gsd-tomcat1] => (item=/opt/tomcat/tomcat/conf)
    
    TASK [c2platform.mw.tomcat : Deploy WAR] ***************************************
    ok: [gsd-tomcat1] => (item=https://github.com/aeimer/java-example-helloworld-war/raw/master/dist/helloworld.war → helloworld.war)
    
    TASK [Files] *******************************************************************
    
    TASK [c2platform.core.files : include_tasks] ***********************************
    included: /home/ostraaten/git/gitlab/c2/ansible-dev-collections/ansible_collections/c2platform/core/roles/files/tasks/files.yml for gsd-tomcat1 => (item=jmx)
    
    TASK [c2platform.core.files : Stat no update files] ****************************
    ok: [gsd-tomcat1] => (item=/opt/tomcat/tomcat/conf/jmxremote.password)
    
    TASK [c2platform.core.files : Content file] ************************************
    ok: [gsd-tomcat1] => (item=/opt/tomcat/tomcat/conf/jmxremote.access)
    
    TASK [c2platform.core.files : include_tasks] ***********************************
    included: /home/ostraaten/git/gitlab/c2/ansible-dev-collections/ansible_collections/c2platform/core/roles/files/tasks/files_src.yml for gsd-tomcat1
    
    TASK [Service] *****************************************************************
    
    TASK [c2platform.core.service : Fact _services] ********************************
    ok: [gsd-tomcat1]
    
    TASK [c2platform.core.service : Configure systemd service] *********************
    ok: [gsd-tomcat1] => (item=tomcat)
    
    TASK [c2platform.mw.tomcat : Manage service] ***********************************
    ok: [gsd-tomcat1]
    
    TASK [copy] ********************************************************************
    ok: [gsd-tomcat1]
    
    RUNNING HANDLER [c2platform.mw.tomcat : restart tomcat instance] ***************
    changed: [gsd-tomcat1]
    
    PLAY RECAP *********************************************************************
    gsd-tomcat1                : ok=93   changed=7    unreachable=0    failed=0    skipped=86   rescued=0    ignored=0
    
  3. Deploy the external certificate

    Simulate the manual download

    sudo mv .ca/c2/tomcat/gsd-tomcat1-gsd-tomcat1.crt.saved .ca/c2/tomcat/gsd-tomcat1-gsd-tomcat1.rws-csp.crt
    
    vagrant provision gsd-tomcat1 | tee provision.log
    

    Note the changes in the file provision.log

    1. Generate pkcs12 file
    2. Manage Java KeyStore
    3. Copy to control node ( fetch )
    Show me
    ==> gsd-tomcat1: Running provisioner: shell...
        gsd-tomcat1: Running: inline script
    ==> gsd-tomcat1: Running provisioner: ansible...
        gsd-tomcat1: Running ansible-playbook...
    [DEPRECATION WARNING]: "include" is deprecated, use include_tasks/import_tasks
    instead. See https://docs.ansible.com/ansible-
    core/2.15/user_guide/playbooks_reuse_includes.html for details. This feature
    will be removed in version 2.16. Deprecation warnings can be disabled by
    setting deprecation_warnings=False in ansible.cfg.
    
    PLAY [Tomcat] ******************************************************************
    
    TASK [Gathering Facts] *********************************************************
    ok: [gsd-tomcat1]
    
    TASK [c2platform.core.server_update : include_tasks] ***************************
    included: /home/ostraaten/git/gitlab/c2/ansible-dev-collections/ansible_collections/c2platform/core/roles/server_update/tasks/update_cache.yml for gsd-tomcat1
    
    TASK [c2platform.core.server_update : Apt update cache] ************************
    changed: [gsd-tomcat1]
    
    TASK [c2platform.core.bootstrap : include_tasks] *******************************
    included: /home/ostraaten/git/gitlab/c2/ansible-dev-collections/ansible_collections/c2platform/core/roles/bootstrap/tasks/package.yml for gsd-tomcat1 => (item=python3-pip)
    included: /home/ostraaten/git/gitlab/c2/ansible-dev-collections/ansible_collections/c2platform/core/roles/bootstrap/tasks/package.yml for gsd-tomcat1 => (item=upgrade pip and setuptools)
    included: /home/ostraaten/git/gitlab/c2/ansible-dev-collections/ansible_collections/c2platform/core/roles/bootstrap/tasks/package.yml for gsd-tomcat1 => (item=['setuptools', 'pyOpenSSL==22.0.0', 'psycopg2-binary', 'lxml', 'cryptography==38.0.4'])
    included: /home/ostraaten/git/gitlab/c2/ansible-dev-collections/ansible_collections/c2platform/core/roles/bootstrap/tasks/package.yml for gsd-tomcat1 => (item=['nano', 'wget', 'tree', 'unzip', 'zip', 'jq', 'build-essential', 'python3-dev', 'python3-wheel', 'libsasl2-dev', 'libldap2-dev', 'libssl-dev', 'git', 'nfs-common', 'net-tools', 'telnet', 'curl', 'dnsutils', 'python2'])
    
    TASK [c2platform.core.bootstrap : OS package] **********************************
    ok: [gsd-tomcat1]
    
    TASK [c2platform.core.bootstrap : Custom command upgrade pip and setuptools] ***
    ok: [gsd-tomcat1]
    
    TASK [c2platform.core.bootstrap : PIP package] *********************************
    ok: [gsd-tomcat1]
    
    TASK [c2platform.core.bootstrap : OS package] **********************************
    ok: [gsd-tomcat1]
    
    TASK [c2platform.core.os_trusts : CA distribute ( Debian )] ********************
    ok: [gsd-tomcat1] => (item=https://letsencrypt.org/certs/isrgrootx1.pem)
    ok: [gsd-tomcat1] => (item=file:///vagrant/.ca/c2/c2.crt)
    
    TASK [c2platform.core.secrets : Stat secret dir] *******************************
    ok: [gsd-tomcat1 -> localhost] => (item=/home/ostraaten/git/gitlab/c2/ansible-gis/secret_vars/development)
    ok: [gsd-tomcat1 -> localhost] => (item=/runner/project/secret_vars/development)
    
    TASK [c2platform.core.secrets : Include secrets] *******************************
    ok: [gsd-tomcat1] => (item=/home/ostraaten/git/gitlab/c2/ansible-gis/secret_vars/development)
    
    TASK [c2platform.core.files : include_tasks] ***********************************
    included: /home/ostraaten/git/gitlab/c2/ansible-dev-collections/ansible_collections/c2platform/core/roles/files/tasks/files.yml for gsd-tomcat1 => (item=marker)
    
    TASK [c2platform.core.files : include_tasks] ***********************************
    included: /home/ostraaten/git/gitlab/c2/ansible-dev-collections/ansible_collections/c2platform/core/roles/files/tasks/files_src.yml for gsd-tomcat1
    
    TASK [c2platform.core.files : Link] ********************************************
    ok: [gsd-tomcat1] => (item=/usr/bin/python → /usr/bin/python2)
    
    TASK [c2platform.core.files : Lineinfile] **************************************
    ok: [gsd-tomcat1] => (item=/home/vagrant/.bashrc)
    ok: [gsd-tomcat1] => (item=/root/.bashrc)
    
    TASK [c2platform.core.lcm : Ansible roles names without prefix] ****************
    ok: [gsd-tomcat1]
    
    TASK [c2platform.core.lcm : lcm_roles_node] ************************************
    ok: [gsd-tomcat1]
    
    TASK [c2platform.core.lvm : Get disks] *****************************************
    ok: [gsd-tomcat1]
    
    TASK [c2platform.core.lvm : Get usable devices] ********************************
    ok: [gsd-tomcat1]
    
    TASK [c2platform.core.lvm : Get nodes lvm roles] *******************************
    ok: [gsd-tomcat1]
    
    TASK [c2platform.core.hosts : Set up /etc/hostname.] ***************************
    ok: [gsd-tomcat1] => (item=/home/ostraaten/git/gitlab/c2/ansible-dev-collections/ansible_collections/c2platform/core/roles/hosts/templates/../templates/hostname.j2)
    
    TASK [c2platform.core.hosts : Set up /etc/hosts.] ******************************
    ok: [gsd-tomcat1] => (item=/home/ostraaten/git/gitlab/c2/ansible-dev-collections/ansible_collections/c2platform/core/roles/hosts/templates/../templates/hosts.j2)
    
    TASK [c2platform.core.alias : Set fact node roles] *****************************
    ok: [gsd-tomcat1]
    
    TASK [c2platform.core.common : Remove custom prompt] ***************************
    ok: [gsd-tomcat1]
    
    TASK [Include role(s)] *********************************************************
    
    TASK [c2platform.core.java : Set additional java facts] ************************
    ok: [gsd-tomcat1]
    
    TASK [c2platform.core.java : Install Java] *************************************
    included: /home/ostraaten/git/gitlab/c2/ansible-dev-collections/ansible_collections/c2platform/core/roles/java/tasks/install.yml for gsd-tomcat1 => (item=jdk17)
    
    TASK [c2platform.core.java : Check installed] **********************************
    ok: [gsd-tomcat1]
    
    TASK [c2platform.core.java : Create etc profile] *******************************
    ok: [gsd-tomcat1]
    
    TASK [c2platform.mw.tomcat : test if tomcat_versions is set correctly] *********
    ok: [gsd-tomcat1 -> localhost]
    
    TASK [c2platform.mw.tomcat : test if tomcat_home is set correctly] *************
    ok: [gsd-tomcat1 -> localhost]
    
    TASK [c2platform.mw.tomcat : test if tomcat_version is set correctly] **********
    ok: [gsd-tomcat1 -> localhost]
    
    TASK [c2platform.mw.tomcat : test if tomcat_user is set correctly] *************
    ok: [gsd-tomcat1 -> localhost]
    
    TASK [c2platform.mw.tomcat : test if tomcat_group is set correctly] ************
    ok: [gsd-tomcat1 -> localhost]
    
    TASK [c2platform.mw.tomcat : test if tomcat_catalina_opts is set correctly] ****
    ok: [gsd-tomcat1 -> localhost]
    
    TASK [c2platform.mw.tomcat : test if tomcat_non_ssl_connector_port is set correctly] ***
    ok: [gsd-tomcat1 -> localhost]
    
    TASK [c2platform.mw.tomcat : test if tomcat_ssl_connector_port is set correctly] ***
    ok: [gsd-tomcat1 -> localhost]
    
    TASK [c2platform.mw.tomcat : test if tomcat_shutdown_port is set correctly] ****
    ok: [gsd-tomcat1 -> localhost]
    
    TASK [c2platform.mw.tomcat : test if tomcat_ajp_port is set correctly] *********
    ok: [gsd-tomcat1 -> localhost]
    
    TASK [c2platform.mw.tomcat : test if port collisions occur is set correctly] ***
    ok: [gsd-tomcat1 -> localhost]
    
    TASK [c2platform.mw.tomcat : test if tomcat_jre_home is set correctly] *********
    ok: [gsd-tomcat1 -> localhost]
    
    TASK [c2platform.mw.tomcat : test if tomcat_service_state is set correctly] ****
    ok: [gsd-tomcat1 -> localhost]
    
    TASK [c2platform.mw.tomcat : test if tomcat_service_enabled is set correctly] ***
    ok: [gsd-tomcat1 -> localhost]
    
    TASK [c2platform.mw.tomcat : test if tomcat_address is set correctly] **********
    ok: [gsd-tomcat1 -> localhost]
    
    TASK [c2platform.mw.tomcat : test if tomcat_access_log_enabled is set correctly] ***
    ok: [gsd-tomcat1 -> localhost]
    
    TASK [c2platform.mw.tomcat : test if tomcat_access_log_directory is set correctly] ***
    ok: [gsd-tomcat1 -> localhost]
    
    TASK [c2platform.mw.tomcat : test if tomcat_access_log_prefix is set correctly] ***
    ok: [gsd-tomcat1 -> localhost]
    
    TASK [c2platform.mw.tomcat : test if tomcat_access_log_suffix is set correctly] ***
    ok: [gsd-tomcat1 -> localhost]
    
    TASK [c2platform.mw.tomcat : test if tomcat_access_log_pattern is set correctly] ***
    ok: [gsd-tomcat1 -> localhost]
    
    TASK [c2platform.mw.tomcat : Group] ********************************************
    ok: [gsd-tomcat1]
    
    TASK [c2platform.mw.tomcat : User] *********************************************
    ok: [gsd-tomcat1]
    
    TASK [c2platform.mw.tomcat : Home directory] ***********************************
    ok: [gsd-tomcat1]
    
    TASK [c2platform.mw.tomcat : Create home link] *********************************
    ok: [gsd-tomcat1]
    
    TASK [c2platform.mw.tomcat : Stat bin dir] *************************************
    ok: [gsd-tomcat1]
    
    TASK [Include certs tasks] *****************************************************
    
    TASK [c2platform.core.cacerts2 : Set fact cacerts2_certificates] ***************
    ok: [gsd-tomcat1]
    
    TASK [c2platform.core.cacerts2 : cacerts2_certificates] ************************
    ok: [gsd-tomcat1]
    
    TASK [c2platform.core.cacerts2 : Set various certificate facts] ****************
    ok: [gsd-tomcat1]
    
    TASK [c2platform.core.cacerts2 : Set fact cacerts2_certificates] ***************
    ok: [gsd-tomcat1]
    
    TASK [c2platform.core.cacerts2 : include_tasks] ********************************
    included: /home/ostraaten/git/gitlab/c2/ansible-dev-collections/ansible_collections/c2platform/core/roles/cacerts2/tasks/certs/certs_group.yml for gsd-tomcat1
    
    TASK [c2platform.core.cacerts2 : include_tasks] ********************************
    included: /home/ostraaten/git/gitlab/c2/ansible-dev-collections/ansible_collections/c2platform/core/roles/cacerts2/tasks/certs/cert.yml for gsd-tomcat1 => (item=gsd-tomcat1)
    
    TASK [c2platform.core.cacerts2 : Stat key] *************************************
    ok: [gsd-tomcat1 -> gsd-rproxy1(1.1.5.205)]
    
    TASK [c2platform.core.cacerts2 : Stat crt] *************************************
    ok: [gsd-tomcat1 -> gsd-rproxy1(1.1.5.205)]
    
    TASK [c2platform.core.cacerts2 : Stat dir] *************************************
    ok: [gsd-tomcat1 -> gsd-rproxy1(1.1.5.205)]
    
    TASK [c2platform.core.cacerts2 : Generate an OpenSSL private key] **************
    ok: [gsd-tomcat1 -> gsd-rproxy1(1.1.5.205)]
    
    TASK [c2platform.core.cacerts2 : Generate an OpenSSL Certificate Signing Request] ***
    ok: [gsd-tomcat1 -> gsd-rproxy1(1.1.5.205)]
    
    TASK [c2platform.core.cacerts2 : Generate an OpenSSL certificate] **************
    ok: [gsd-tomcat1 -> gsd-rproxy1(1.1.5.205)]
    
    TASK [c2platform.core.cacerts2 : Generate pkcs12 file] *************************
    changed: [gsd-tomcat1 -> gsd-rproxy1(1.1.5.205)]
    
    TASK [c2platform.core.cacerts2 : Include Java KeyStore tasks] ******************
    included: /home/ostraaten/git/gitlab/c2/ansible-dev-collections/ansible_collections/c2platform/core/roles/cacerts2/tasks/certs/java_keystore.yml for gsd-tomcat1
    
    TASK [c2platform.core.cacerts2 : Stat KeyStore] ********************************
    ok: [gsd-tomcat1 -> gsd-rproxy1(1.1.5.205)]
    
    TASK [c2platform.core.cacerts2 : Manage Java KeyStore] *************************
    changed: [gsd-tomcat1 -> gsd-rproxy1(1.1.5.205)]
    
    TASK [c2platform.core.cacerts2 : Create PEM file] ******************************
    ok: [gsd-tomcat1 -> gsd-rproxy1(1.1.5.205)]
    
    TASK [c2platform.core.cacerts2 : include_tasks] ********************************
    included: /home/ostraaten/git/gitlab/c2/ansible-dev-collections/ansible_collections/c2platform/core/roles/cacerts2/tasks/certs/cert_deploy.yml for gsd-tomcat1 => (item=gsd-tomcat1)
    
    TASK [c2platform.core.cacerts2 : Copy to control node ( fetch )] ***************
    ok: [gsd-tomcat1 -> gsd-rproxy1(1.1.5.205)] => (item=key)
    changed: [gsd-tomcat1 -> gsd-rproxy1(1.1.5.205)] => (item=crt)
    changed: [gsd-tomcat1 -> gsd-rproxy1(1.1.5.205)] => (item=keystore)
    
    TASK [c2platform.core.cacerts2 : Stat parent dir] ******************************
    ok: [gsd-tomcat1] => (item=key)
    ok: [gsd-tomcat1] => (item=crt)
    ok: [gsd-tomcat1] => (item=keystore)
    
    TASK [c2platform.core.cacerts2 : Copy file] ************************************
    ok: [gsd-tomcat1] => (item=key)
    changed: [gsd-tomcat1] => (item=crt)
    changed: [gsd-tomcat1] => (item=keystore)
    
    TASK [c2platform.mw.tomcat : Configure conf/server.xml] ************************
    ok: [gsd-tomcat1]
    
    TASK [c2platform.mw.tomcat : Configure conf/tomcat-users.xml] ******************
    ok: [gsd-tomcat1]
    
    TASK [c2platform.mw.tomcat : Configure bin/setenv.sh] **************************
    ok: [gsd-tomcat1]
    
    TASK [c2platform.mw.tomcat : Stat manager] *************************************
    ok: [gsd-tomcat1]
    
    TASK [c2platform.mw.tomcat : Configure webapps/manager/META-INF/context.xml] ***
    ok: [gsd-tomcat1]
    
    TASK [c2platform.mw.tomcat : Properties folder] ********************************
    ok: [gsd-tomcat1] => (item=/opt/tomcat/tomcat/conf)
    
    TASK [c2platform.mw.tomcat : Deploy WAR] ***************************************
    ok: [gsd-tomcat1] => (item=https://github.com/aeimer/java-example-helloworld-war/raw/master/dist/helloworld.war → helloworld.war)
    
    TASK [Files] *******************************************************************
    
    TASK [c2platform.core.files : include_tasks] ***********************************
    included: /home/ostraaten/git/gitlab/c2/ansible-dev-collections/ansible_collections/c2platform/core/roles/files/tasks/files.yml for gsd-tomcat1 => (item=jmx)
    
    TASK [c2platform.core.files : Stat no update files] ****************************
    ok: [gsd-tomcat1] => (item=/opt/tomcat/tomcat/conf/jmxremote.password)
    
    TASK [c2platform.core.files : Content file] ************************************
    ok: [gsd-tomcat1] => (item=/opt/tomcat/tomcat/conf/jmxremote.access)
    
    TASK [c2platform.core.files : include_tasks] ***********************************
    included: /home/ostraaten/git/gitlab/c2/ansible-dev-collections/ansible_collections/c2platform/core/roles/files/tasks/files_src.yml for gsd-tomcat1
    
    TASK [Service] *****************************************************************
    
    TASK [c2platform.core.service : Fact _services] ********************************
    ok: [gsd-tomcat1]
    
    TASK [c2platform.core.service : Configure systemd service] *********************
    ok: [gsd-tomcat1] => (item=tomcat)
    
    TASK [c2platform.mw.tomcat : Manage service] ***********************************
    ok: [gsd-tomcat1]
    
    TASK [copy] ********************************************************************
    changed: [gsd-tomcat1]
    
    RUNNING HANDLER [c2platform.mw.tomcat : restart tomcat instance] ***************
    changed: [gsd-tomcat1]
    
    PLAY RECAP *********************************************************************
    gsd-tomcat1                : ok=93   changed=7    unreachable=0    failed=0    skipped=86   rescued=0    ignored=0
        ```
    
    </details>
    
  4. Verify that the deployed certificate is the correct / new certificate.

    Show me
    vagrant@gsd-tomcat1:~$     echo -n | openssl s_client -connect gsd-tomcat1.internal.c2platform.org:8443 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > /tmp/gsd-tomcat1.pem
        openssl x509 -noout -fingerprint -sha256 -inform pem -in /tmp/gsd-tomcat1.pem
    depth=1 CN = c2
    verify return:1
    depth=0 C = NL, ST = Zuid-Holland, L = Den Haag, O = C2, OU = C2 GIS Platform Team, CN = gsd-tomcat1
    verify return:1
    DONE
    sha256 Fingerprint=B8:65:69:8B:8B:DF:94:5F:37:5C:CA:0F:04:EE:32:D2:2E:67:4D:04:D0:DF:38:1F:4F:DB:B6:54:02:78:63:B3
    vagrant@gsd-tomcat1:~$ openssl x509 -noout -fingerprint -sha256 -inform pem -in /vagrant/.ca/c2/tomcat/gsd-tomcat1-gsd-tomcat1.
    gsd-tomcat1-gsd-tomcat1.crt          gsd-tomcat1-gsd-tomcat1.keystore     gsd-tomcat1-gsd-tomcat1.rws-csp.crt
    gsd-tomcat1-gsd-tomcat1.csr          gsd-tomcat1-gsd-tomcat1.p12
    gsd-tomcat1-gsd-tomcat1.key          gsd-tomcat1-gsd-tomcat1.pem
    vagrant@gsd-tomcat1:~$ openssl x509 -noout -fingerprint -sha256 -inform pem -in /vagrant/.ca/c2/tomcat/gsd-tomcat1-gsd-tomcat1.rws-csp.crt
    sha256 Fingerprint=B8:65:69:8B:8B:DF:94:5F:37:5C:CA:0F:04:EE:32:D2:2E:67:4D:04:D0:DF:38:1F:4F:DB:B6:54:02:78:63:B3
    vagrant@gsd-tomcat1:~$
    

Additional Information

For additional insights and guidance:



Last modified November 20, 2024: ansibe concept C2-572 (dd7007e)