@favila
Created February 2, 2015 21:15
Generate a datomic transactor property file for google cloud mysql storage engine with SSL and client authentication
#!/bin/sh
# Generate a Datomic transactor properties file (and, optionally, a file of
# transactor command-line arguments).
# Specific scenario: Google Cloud MySQL storage with SSL and client
# certificate authentication.
OUTFILE='transactor.properties'
# The arguments file is NOT generated at the moment (see the commented-out
# code at the bottom). Just run: bin/transactor -Xms4g -Xmx4g $OUTFILE
#TRANSACTOR_ARGS_FILE='transactor-arguments.txt'
# If the arguments file is generated, invoke the transactor like so instead:
# bin/transactor $(cat $TRANSACTOR_ARGS_FILE) $OUTFILE
# Internal network IP transactor should bind to.
IP='127.0.0.1'
# External network IP transactor should bind to.
EXIP='127.0.0.1'
# Address of the storage server (e.g. MySQL) transactor should use.
STORAGE_ADDRESS=
# Certificate Stores
# Instead of encrypted keystores, it is also possible to use the PEM files
# directly with mysql using
# sslca=server-ca.pem;sslcert=client-cert.pem;sslkey=client-key.pem
# Client certificates (private+public key) to present to the server.
## NOTE ON GETTING KEYSTORE AND TRUSTSTORE FILES.
## They should *not* be stored in any VM images. I recommend putting them in
## a GS bucket made accessible to the current VM via the right service account
## identities. https://cloud.google.com/compute/docs/authentication#whatis
## Unfortunately you need to add some headers to the https request to get these
## files, so you cannot use a simple "https://" url for the keystore because
## java won't grab it correctly. Use gsutil or curl to download to disk first.
# Create PKCS12 from signed client cert and its private key:
#
# openssl pkcs12 -export -in client-cert.pem -inkey client-key.pem -out tx-keystore.p12 -CAfile server-ca.pem
#
# It can then be converted to JKS using keytool, but this is not necessary
# (if you do, point KEYSTORE at the .jks file and set KEYSTORE_TYPE='JKS'):
#
# keytool -importkeystore -deststorepass ${KEYSTORE_PW} \
#   -destkeystore tx-keystore.jks -srckeystore tx-keystore.p12 \
#   -srcstoretype PKCS12 -srcstorepass ${KEYSTORE_PW}
# The JDBC driver loads the store from a URL, which must be an absolute
# file:///path URL: in "file://tx-keystore.p12" Java treats the file name as
# a host name and does not open a local file.
KEYSTORE="file://${PWD}/tx-keystore.p12"
KEYSTORE_PW=
KEYSTORE_TYPE='PKCS12'
# Server CA certificate (public key) the client verifies the server against.
# Created with:
#
# keytool -importcert -keystore tx-truststore.jks -storepass ${TRUSTSTORE_PW} -trustcacerts -file server-ca.pem
# Same absolute file:/// URL rule as KEYSTORE above.
TRUSTSTORE="file://${PWD}/tx-truststore.jks"
TRUSTSTORE_PW=
TRUSTSTORE_TYPE='JKS'
# Should be a user specific to the transactor which only has SELECT, INSERT,
# UPDATE and DELETE permissions on the datomic_kvs table.
DB_USER=
DB_PASS=
LOG_DIR='/var/log/datomic'
# The properties file holds the database and keystore passwords, so create it
# readable by the owner only.
umask 077
cat << EOT > "$OUTFILE"
################################################################
protocol=sql
host=${IP}
alt-host=${EXIP}
port=4334
license-key=
################################################################
# See http://docs.datomic.com/storage.html
sql-url=jdbc:mysql://${STORAGE_ADDRESS}:3306/datomic
sql-user=${DB_USER}
sql-password=${DB_PASS}
sql-driver-class=com.mysql.jdbc.Driver
# Driver-specific params, as semicolon-separated pairs.
# NOTE: Normal JDBC connection strings use '&' as the separator; that is what
# you need for datomic.api/connect URIs.
# Optional MySQL-specific optimizations:
# elideSetAutoCommits=true;cachePrepStmts=true;useLocalSessionState=true
sql-driver-params=elideSetAutoCommits=true;cachePrepStmts=true;useLocalSessionState=true;useSSL=true;requireSSL=true;verifyServerCertificate=true;clientCertificateKeyStoreUrl=${KEYSTORE};clientCertificateKeyStorePassword=${KEYSTORE_PW};clientCertificateKeyStoreType=${KEYSTORE_TYPE};trustCertificateKeyStoreUrl=${TRUSTSTORE};trustCertificateKeyStorePassword=${TRUSTSTORE_PW};trustCertificateKeyStoreType=${TRUSTSTORE_TYPE}
################################################################
# See http://docs.datomic.com/capacity.html
# Recommended settings for -Xmx4g production usage.
memory-index-threshold=32m
memory-index-max=512m
object-cache-max=1g
# Recommended settings for -Xmx1g usage, e.g. dev laptops.
# memory-index-threshold=32m
# memory-index-max=256m
# object-cache-max=128m
log-dir=${LOG_DIR}
EOT
# Alternative: pass the key/trust store settings as JVM system properties
# instead of JDBC driver params. Equivalences:
#
# System property                    JDBC driver param
# ---------------------------------  ---------------------------------
# javax.net.ssl.keyStore             clientCertificateKeyStoreUrl
# javax.net.ssl.keyStorePassword     clientCertificateKeyStorePassword
# javax.net.ssl.keyStoreType         clientCertificateKeyStoreType
# javax.net.ssl.trustStore           trustCertificateKeyStoreUrl
# javax.net.ssl.trustStorePassword   trustCertificateKeyStorePassword
# javax.net.ssl.trustStoreType       trustCertificateKeyStoreType
#
# Note that the system properties take a plain file path, the driver params a URL.
# This turns on SSL logging:
#-Djavax.net.debug=ssl
# Keeping this info out of the connection string so it doesn't show up in logs.
# However now it's on a command line, so I'm not sure what is better!
# Datomic docs mention this method for cassandra and use passwords-in-command-line
# in their examples. I guess they have no better way?
# Equivalent to this in the JDBC driver params:
#clientCertificateKeyStoreUrl=${KEYSTORE};clientCertificateKeyStorePassword=${KEYSTORE_PW};clientCertificateKeyStoreType=${KEYSTORE_TYPE};trustCertificateKeyStoreUrl=${TRUSTSTORE};trustCertificateKeyStorePassword=${TRUSTSTORE_PW};trustCertificateKeyStoreType=${TRUSTSTORE_TYPE}
# ${VAR#file://} strips the URL scheme: the javax.net.ssl.* properties take
# plain file paths, not URLs.
# cat << EOT > "$TRANSACTOR_ARGS_FILE"
# -Xms4g -Xmx4g -XX:+UseG1GC -XX:MaxGCPauseMillis=50 \
# -Djavax.net.ssl.keyStore=${KEYSTORE#file://} \
# -Djavax.net.ssl.keyStorePassword=${KEYSTORE_PW} \
# -Djavax.net.ssl.keyStoreType=${KEYSTORE_TYPE} \
# -Djavax.net.ssl.trustStore=${TRUSTSTORE#file://} \
# -Djavax.net.ssl.trustStorePassword=${TRUSTSTORE_PW} \
# -Djavax.net.ssl.trustStoreType=${TRUSTSTORE_TYPE}
# EOT
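As an added check (not part of the gist), this Python lint parses the transactor.properties the script writes, splitting sql-driver-params on ';' the way the script builds it, and flags driver params that would weaken TLS, store URLs in the file://name form that Java does not read as a local path, and secrets left empty; the sample file and its values are constructed.

```python
from urllib.parse import urlsplit

# Constructed sample of the file the script writes, with the secrets left
# blank and the client keystore URL in the host-name form (file://name).
SAMPLE = """\
protocol=sql
host=127.0.0.1
port=4334
license-key=
sql-url=jdbc:mysql://10.0.0.5:3306/datomic
sql-user=datomic_tx
sql-password=
sql-driver-params=useSSL=true;requireSSL=true;verifyServerCertificate=true;clientCertificateKeyStoreUrl=file://tx-keystore.p12;clientCertificateKeyStorePassword=;trustCertificateKeyStoreUrl=file:///etc/datomic/tx-truststore.jks;trustCertificateKeyStorePassword=changeit
"""

REQUIRED_TLS = {"useSSL": "true", "requireSSL": "true", "verifyServerCertificate": "true"}
STORE_URL_KEYS = ("clientCertificateKeyStoreUrl", "trustCertificateKeyStoreUrl")

def parse_properties(text):
    """Parse key=value lines; blank lines and '#' comments are skipped."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def parse_driver_params(value):
    """sql-driver-params separates pairs with ';' (a JDBC URL would use '&')."""
    return dict(pair.partition("=")[::2] for pair in value.split(";") if pair)

def lint(text):
    """Return findings for a transactor.properties text; empty means it passes."""
    props = parse_properties(text)
    params = parse_driver_params(props.get("sql-driver-params", ""))
    findings = []
    for key, want in REQUIRED_TLS.items():
        if params.get(key) != want:
            findings.append(f"{key} must be {want}")
    for key in STORE_URL_KEYS:
        url = urlsplit(params.get(key, ""))
        # file://name parses the name as a host; a local file needs file:///abs/path
        if url.scheme != "file" or url.netloc or not url.path:
            findings.append(f"{key} must be an absolute file:/// URL")
    for key in ("license-key", "sql-password"):
        if not props.get(key):
            findings.append(f"{key} is empty")
    if not params.get("clientCertificateKeyStorePassword"):
        findings.append("clientCertificateKeyStorePassword is empty")
    return findings
```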