Related PMR #00359687
As a DevOps Engineer, I am looking for the Product's signatures to verify the authenticity of all the binaries (JARs) present in the Curam out-of-the-box source code, so that their validity can be ascertained during the Build & Deployment process and tampering prevented.
OR
As a DevOps Engineer, I am looking for silent installation options for installing/upgrading Curam SPM OOTB in a Linux environment, so that there is no opportunity for manual intervention in, or manipulation of, the generated OOTB source code during the installation process.
In the ESDC OAS Project, as part of ongoing efforts to strengthen DevOps security, the Infrastructure team is aiming to ensure full traceability of all the software binaries used by the pipelines. The Infra team has already established an approach to sign and verify the Curam Docker container images created during the Build process. It is now trying to establish the same traceability for the other binaries involved in the Curam codebase.
Below is the current process followed in ESDC (OAS) to install/upgrade Curam packages. It includes unavoidable manual steps, which is why the authenticity of the binaries in the Curam OOTB source code needs to be verifiable:
ESDC Authorized Rep downloads the Software bundle from Merative Customer Portal and uploads it to a Shared Drive.
One of the SI developers manually picks the package up from the shared drive, runs the installer on his/her developer machine (Windows), and delivers the upgraded OOTB zip file into ADO Artifacts.
DevOps Pipelines automatically pick the upgraded OOTB zip file from the ADO Artifacts storage and proceed with the Build & Deployment.
Since the OOTB source code zip file is manually installed/upgraded by a developer, the DevOps team wants to make sure that the binaries within the source are "verifiable", or that there is an option to avoid manual intervention during Curam installations/upgrades altogether.
We can think of the following two solution options:
1) If Merative can provide a "signature" for every JAR file present in the OOTB source, ESDC can "verify" the signatures after downloading the OOTB zip file during the Build stage. Today the Curam Product ships with only a limited number of signed JARs. Examples:
CuramCDEJ/lib/curam/jar/signed/sha-2/WordIntegrationApplet
CuramCDEJ/lib/ext/jar/signed/sha-2/commons-codec-1.16.0
CuramCDEJ/lib/ext/jar/signed/sha-2/jacob-1.20
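To show what the Build-stage check in option 1 would look like in practice, below is an added example gate script (not Merative/Curam code, and not something the product ships). It assumes two things: that the ESDC authorized rep records a SHA-256 manifest of every JAR in the bundle at download time and stores it where the developer step cannot alter it, and that the pipeline unpacks the OOTB zip it will build from and runs the gate against it. The manifest check catches a JAR that was altered, removed or injected between download and build; for the subset that is already vendor-signed (the */jar/signed/sha-2/ directories quoted above) it additionally runs jarsigner -verify -strict. The TRUST_STORE variable name is an assumption for this example.

```shell
#!/bin/sh
# Added example (not Merative/Curam code): a build-stage integrity gate for an unpacked
# OOTB tree. Assumed workflow: the authorized rep runs write_manifest on the bundle as
# downloaded from the Merative portal and stores SHA256SUMS where the developer step cannot
# modify it; the pipeline later runs main against the tree it actually builds from.
# The */jar/signed/sha-2/ layout is the one quoted in this ticket; TRUST_STORE is a
# hypothetical variable name chosen for this example.

sha256_cmd() {
    # GNU coreutils on Linux build agents; shasum on macOS/BSD.
    if command -v sha256sum >/dev/null 2>&1; then echo sha256sum; else echo "shasum -a 256"; fi
}

# Emit "<sha256>  ./relative/path.jar" for every JAR under $1, sorted by path.
# (Paths are assumed not to contain whitespace, which holds for the Curam layout.)
write_manifest() {
    tool=$(sha256_cmd)
    (cd "$1" && find . -type f -name '*.jar' -exec $tool {} + | sort -k2)
}

# Verify every listed JAR and refuse the tree if any JAR is missing, altered, or not in
# the manifest. The second comparison matters: "sha256sum -c" alone is silent about an
# extra JAR that was dropped into the tree after the manifest was written.
check_checksums() {
    root=$1
    manifest=$(cd "$(dirname "$2")" && pwd)/$(basename "$2")
    tool=$(sha256_cmd)
    (cd "$root" && $tool --quiet -c "$manifest") || return 1
    listed=$(awk '{print $2}' "$manifest" | sort)
    found=$(cd "$root" && find . -type f -name '*.jar' | sort)
    if [ "$listed" != "$found" ]; then
        printf 'FAIL: JAR set under %s differs from manifest (injected or removed JAR)\n' "$root" >&2
        return 1
    fi
}

# Cryptographic check for the vendor-signed subset. -strict makes jarsigner's exit code
# reflect severe warnings (expired or untrusted signer certificate, etc.). Treat anything
# other than an explicit "jar verified" report as failure rather than trusting exit 0.
verify_jar_signature() {
    jar=$1
    set -- -verify -strict
    # Optional: point TRUST_STORE at a keystore holding the expected signer certificate so
    # the report is checked against that keystore instead of the JDK default trust store.
    [ -n "${TRUST_STORE:-}" ] && set -- "$@" -keystore "$TRUST_STORE"
    if ! out=$(jarsigner "$@" "$jar" 2>&1); then
        printf 'FAIL: %s\n%s\n' "$jar" "$out" >&2
        return 1
    fi
    case $out in
        *"jar verified"*) return 0 ;;
        *) printf 'FAIL: %s is unsigned or did not verify:\n%s\n' "$jar" "$out" >&2; return 1 ;;
    esac
}

main() {
    root=$1
    manifest=$2
    check_checksums "$root" "$manifest" || { echo 'FAIL: checksum gate' >&2; return 1; }
    # Only the vendor-signed JARs can be checked cryptographically today.
    find "$root" -path '*/jar/signed/*' -type f -name '*.jar' | while read -r jar; do
        verify_jar_signature "$jar" || exit 1
    done || return 1
    echo 'OK: OOTB JAR set matches the pinned manifest; signed JARs verified'
}

# Usage:
#   write_manifest /path/to/unpacked/ootb > SHA256SUMS      # once, by the authorized rep
#   sh jar_gate.sh /path/to/unpacked/ootb SHA256SUMS        # in the Build stage
if [ $# -ge 2 ]; then main "$@"; fi
```

Note the limits of this gate: the manifest proves only that the pipeline builds the same JARs the authorized rep downloaded, not that those JARs are authentic Merative builds. Authenticity of the whole set still requires the vendor-provided signatures (or a signed manifest from Merative) that this request asks for; the jarsigner step covers only the JARs that are already signed.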
2) Silent installation of Curam packages in Linux environments: the software packages from Merative are installable in Windows-based GUI environments. If there is a way to do this automatically in Linux environments, ESDC could explore automating this step through a pipeline, which might eliminate the need for signing individual JARs. We tested the current behavior, and below are the observations:
When we run the Curam Installer JAR file, the GUI-based Curam installation works on Linux just as on Windows.
When we run the Curam Installer JAR file in non-GUI mode (with -console), the installation does not work as expected. We observe inconsistencies and odd behaviors which are preventing the installation process from completing.
Please let us know PD's viewpoint on this problem statement and which solution option is viable.
Is it feasible to sign all the Curam OOTB JARs? Or is it better to request PD to make the silent Curam installation work? Or is there another option?
Note: This request is mainly about the SPM code base and does not intend to cover UA.