From 2e468b8c985e8c9aff562fa3a2f637a381c97575 Mon Sep 17 00:00:00 2001 From: Anjum Fatima Date: Fri, 17 Jan 2025 10:42:53 -0600 Subject: [PATCH 1/2] Test wsSecurity with updated config between checkpoint and restore --- .../fat/cxf/sample/CxfSampleTests.java | 54 ++++++++++++++++--- .../server.env | 5 ++ .../server_asym.xml | 12 ++--- .../server_asym_wss4j.xml | 12 ++--- 4 files changed, 63 insertions(+), 20 deletions(-) create mode 100644 dev/com.ibm.ws.wssecurity_fat.wsscxf.1/publish/servers/com.ibm.ws.wssecurity_fat.sample/server.env diff --git a/dev/com.ibm.ws.wssecurity_fat.wsscxf.1/fat/src/com/ibm/ws/wssecurity/fat/cxf/sample/CxfSampleTests.java b/dev/com.ibm.ws.wssecurity_fat.wsscxf.1/fat/src/com/ibm/ws/wssecurity/fat/cxf/sample/CxfSampleTests.java index 164fcd401ec2..a075780df1c1 100644 --- a/dev/com.ibm.ws.wssecurity_fat.wsscxf.1/fat/src/com/ibm/ws/wssecurity/fat/cxf/sample/CxfSampleTests.java +++ b/dev/com.ibm.ws.wssecurity_fat.wsscxf.1/fat/src/com/ibm/ws/wssecurity/fat/cxf/sample/CxfSampleTests.java @@ -1,5 +1,5 @@ /******************************************************************************* - * Copyright (c) 2020, 2024 IBM Corporation and others. + * Copyright (c) 2020, 2025 IBM Corporation and others. * All rights reserved. This program and the accompanying materials * are made available under the terms of the Eclipse Public License 2.0 * which accompanies this distribution, and is available at @@ -13,13 +13,18 @@ package com.ibm.ws.wssecurity.fat.cxf.sample; -import static componenttest.annotation.SkipForRepeat.CHECKPOINT_RULE; +import static java.util.Collections.emptyMap; import static org.junit.Assert.assertNotNull; import static org.junit.Assert.assertTrue; import java.io.File; +import java.io.FileOutputStream; +import java.io.OutputStream; import java.nio.file.Path; import java.nio.file.Paths; +import java.util.HashMap; +import java.util.Map; +import java.util.Properties; import java.util.Set; import org.junit.ClassRule; 
@@ -71,12 +76,20 @@ public class CxfSampleTests {
 @ClassRule
 public static CheckpointRule checkpointRule = new CheckpointRule()
- .setConsoleLogName(CxfSampleTests.class.getSimpleName()+ ".log")
- .setServerSetup(CxfSampleTests::serverSetUp)
- .setServerStart(CxfSampleTests::serverStart)
- .setServerTearDown(CxfSampleTests::serverTearDown)
- .addUnsupportedRepeatIDs(EmptyAction.ID, RepeatWithEE7cbh20.ID)
- .addCheckpointRegexIgnoreMessages("CWWKG0101W", "SRVE0274W");
+ .setConsoleLogName(CxfSampleTests.class.getSimpleName()+ ".log")
+ .setServerSetup(CxfSampleTests::serverSetUp)
+ .setServerStart(CxfSampleTests::serverStart)
+ .setServerTearDown(CxfSampleTests::serverTearDown)
+ .addUnsupportedRepeatIDs(EmptyAction.ID, RepeatWithEE7cbh20.ID)
+ .addCheckpointRegexIgnoreMessages("CWWKG0101W", "SRVE0274W")
+ .setPostCheckpointLambda(server -> {
+ try {
+ configureBeforeRestore();
+ } catch (Exception e) {
+ // TODO Auto-generated catch block
+ e.printStackTrace();
+ }
+ });
 public static LibertyServer serverSetUp(ServerMode mode) throws Exception {
 //issue 23060
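Review bot: The `catch (Exception e)` inside the `setPostCheckpointLambda` callback only prints the stack trace, so a failure in `configureBeforeRestore()` lets the restore continue with the empty server.env that `serverSetUp` wrote in checkpoint mode. The keystore and password variables then stay unresolved and the run fails later with a keystore or WS-Security error that hides the real cause. Replace the generated body with `throw new IllegalStateException("could not write server.env before restore", e);` so the failure surfaces at the restore step.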
@@ -109,9 +122,32 @@ public static LibertyServer serverSetUp(ServerMode mode) throws Exception { JakartaEEAction.transformApp(WSSampleSei_archive); } + //Environment variable values are not set before checkpoint. + if (CheckpointRule.isActive()) { + configureEnvVariable(server, emptyMap()); + } return server; } + private static void configureBeforeRestore() throws Exception { + Map config = new HashMap<>(); + config.put("WS_SECURITY_PWD", "security"); + config.put("CLIENT_SIGNATURE_PWD", "LibertyX509Client"); + config.put("CLIENT_SIGNATURE_KEYSTORE", "x509ClientDefault.jks"); + config.put("PROVIDER_ENCRYPTION_KEYSTORE", "x509ServerDefault.jks"); + config.put("PROVIDER_ENCRYPTION_PWD", "LibertyX509Server"); + configureEnvVariable(server, config); + } + + private static void configureEnvVariable(LibertyServer server, Map newEnv) throws Exception { + Properties serverEnvProperties = new Properties(); + serverEnvProperties.putAll(newEnv); + File serverEnvFile = new File(server.getFileFromLibertyServerRoot("server.env").getAbsolutePath()); + try (OutputStream out = new FileOutputStream(serverEnvFile)) { + serverEnvProperties.store(out, ""); + } + } + public static void serverStart(ServerMode mode, LibertyServer server) throws Exception { String thisMethod = "serverStart"; String defaultPort = "8010"; @@ -127,6 +163,8 @@ public static void serverStart(ServerMode mode, LibertyServer server) throws Exc server.addInstalledAppForValidation("webcontent"); } + //LibertyX509Client + server.startServer(); // check CWWKS0008I: The security service is ready. SharedTools.waitForMessageInLog(server, "CWWKS0008I"); diff --git a/dev/com.ibm.ws.wssecurity_fat.wsscxf.1/publish/servers/com.ibm.ws.wssecurity_fat.sample/server.env b/dev/com.ibm.ws.wssecurity_fat.wsscxf.1/publish/servers/com.ibm.ws.wssecurity_fat.sample/server.env new file mode 100644 index 000000000000..1cd36859a1cc --- /dev/null 
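Review bot: `configureEnvVariable` writes server.env with `Properties.store`, which emits a `#` timestamp header and backslash-escapes characters such as `:`, `=`, `#` and `!`, so a keystore password containing one of them could reach the server altered if server.env is read as plain `KEY=value` lines rather than as a Java properties file (worth confirming). The five values in `configureBeforeRestore` contain none of those characters, so the problem is latent today. Writing the lines directly, for example `Files.write(serverEnvFile.toPath(), lines, StandardCharsets.UTF_8)`, avoids the escaping. The same five values are also committed in the new server.env, so a comment such as `// keep in sync with publish/servers/com.ibm.ws.wssecurity_fat.sample/server.env` would stop the two copies drifting.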
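Review bot: The added `//LibertyX509Client` line above `server.startServer()` says nothing about the start sequence and is just the client keystore password literal from `configureBeforeRestore`, which looks like a debugging leftover. Drop it, or replace it with a comment that states what it is meant to record. The body of `serverStart` continues outside this hunk.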
+++ b/dev/com.ibm.ws.wssecurity_fat.wsscxf.1/publish/servers/com.ibm.ws.wssecurity_fat.sample/server.env @@ -0,0 +1,5 @@ +WS_SECURITY_PWD=security +CLIENT_SIGNATURE_KEYSTORE=x509ClientDefault.jks +CLIENT_SIGNATURE_PWD=LibertyX509Client +PROVIDER_ENCRYPTION_KEYSTORE=x509ServerDefault.jks +PROVIDER_ENCRYPTION_PWD=LibertyX509Server diff --git a/dev/com.ibm.ws.wssecurity_fat.wsscxf.1/publish/servers/com.ibm.ws.wssecurity_fat.sample/server_asym.xml b/dev/com.ibm.ws.wssecurity_fat.wsscxf.1/publish/servers/com.ibm.ws.wssecurity_fat.sample/server_asym.xml index dc3dc6882c58..d7f2f02d05dd 100644 --- a/dev/com.ibm.ws.wssecurity_fat.wsscxf.1/publish/servers/com.ibm.ws.wssecurity_fat.sample/server_asym.xml +++ b/dev/com.ibm.ws.wssecurity_fat.wsscxf.1/publish/servers/com.ibm.ws.wssecurity_fat.sample/server_asym.xml @@ -1,5 +1,5 @@ @@ -98,9 +98,9 @@ + org.apache.ws.security.crypto.merlin.file="${server.config.dir}/${client_signature_keystore}" /> + org.apache.ws.security.crypto.merlin.file="${server.config.dir}/${provider_encryption_keystore}" /> diff --git a/dev/com.ibm.ws.wssecurity_fat.wsscxf.1/publish/servers/com.ibm.ws.wssecurity_fat.sample/server_asym_wss4j.xml b/dev/com.ibm.ws.wssecurity_fat.wsscxf.1/publish/servers/com.ibm.ws.wssecurity_fat.sample/server_asym_wss4j.xml index 778ad0ec4b91..e3e409c16496 100644 --- a/dev/com.ibm.ws.wssecurity_fat.wsscxf.1/publish/servers/com.ibm.ws.wssecurity_fat.sample/server_asym_wss4j.xml +++ b/dev/com.ibm.ws.wssecurity_fat.wsscxf.1/publish/servers/com.ibm.ws.wssecurity_fat.sample/server_asym_wss4j.xml @@ -1,5 +1,5 @@ @@ -98,9 +98,9 @@ + org.apache.ws.security.crypto.merlin.file="${server.config.dir}/${client_signature_keystore}" /> + org.apache.ws.security.crypto.merlin.file="${server.config.dir}/${provider_encryption_keystore}" /> From fb91a065ceb2309c153a508b5f424a7e79efe50a Mon Sep 17 00:00:00 2001 
From: Anjum Fatima Date: Fri, 17 Jan 2025 10:58:16 -0600 Subject: [PATCH 2/2] Temporarily disabling CRIU security provider until CRIU security provider in OpenJ9 is enhanced to support wsSecurity --- .../ibm/ws/wssecurity/fat/cxf/sample/CxfSampleTests.java | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/dev/com.ibm.ws.wssecurity_fat.wsscxf.1/fat/src/com/ibm/ws/wssecurity/fat/cxf/sample/CxfSampleTests.java b/dev/com.ibm.ws.wssecurity_fat.wsscxf.1/fat/src/com/ibm/ws/wssecurity/fat/cxf/sample/CxfSampleTests.java index a075780df1c1..b049437a8da0 100644 --- a/dev/com.ibm.ws.wssecurity_fat.wsscxf.1/fat/src/com/ibm/ws/wssecurity/fat/cxf/sample/CxfSampleTests.java +++ b/dev/com.ibm.ws.wssecurity_fat.wsscxf.1/fat/src/com/ibm/ws/wssecurity/fat/cxf/sample/CxfSampleTests.java @@ -22,7 +22,9 @@ import java.io.OutputStream; import java.nio.file.Path; import java.nio.file.Paths; +import java.util.ArrayList; import java.util.HashMap; +import java.util.List; import java.util.Map; import java.util.Properties; import java.util.Set; @@ -44,7 +46,6 @@ import componenttest.annotation.CheckpointTest; import componenttest.annotation.Server; -import componenttest.annotation.SkipForRepeat; import componenttest.custom.junit.runner.FATRunner; import componenttest.rules.repeater.CheckpointRule; import componenttest.rules.repeater.CheckpointRule.ServerMode; @@ -125,6 +126,10 @@ public static LibertyServer serverSetUp(ServerMode mode) throws Exception { //Environment variable values are not set before checkpoint. if (CheckpointRule.isActive()) { configureEnvVariable(server, emptyMap()); + //Temporarily disabling CRIU security provider until CRIU security provider in OpenJ9 is enhanced to support wsSecurity + List options = new ArrayList<>(); + options.add("-XX:-CRIUSecProvider"); + server.setJvmOptions(options); } return server; } 
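Review bot: The `-XX:-CRIUSecProvider` option added in `serverSetUp` makes every checkpoint run of this class execute without the CRIU security provider, so the wsSecurity tests pass in a configuration that differs from the checkpoint default, and the comment names no issue that tracks removing the workaround. As far as I know that provider exists to restrict which crypto providers are active while the checkpoint image is taken, so the comment should also mark the setting as test-only. Suggested comment: `// TODO(<tracking-issue>): test-only workaround; remove -XX:-CRIUSecProvider once the OpenJ9 CRIU security provider supports wsSecurity`. `setJvmOptions` appears to set the whole option list, so confirm it does not discard JVM options the server already had. `serverSetUp` starts outside this hunk.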
@@ -282,7 +287,6 @@ public void testEchoService() throws Exception {
 }
 @Test
- @SkipForRepeat({ CHECKPOINT_RULE })
 public void testEcho4Service() throws Exception {
 String thisMethod = "testEcho4Service";