[2.x] Enable security for bwc tests

.github/actions/create-bwc-build/action.yaml

@@ -36,7 +36,7 @@ runs:
       uses: gradle/gradle-build-action@v2
       with:
         cache-disabled: true
-        arguments: assemble -Dbuild.snapshot=false
+        arguments: assemble
         build-root-directory: ${{ inputs.plugin-branch }}
 
     - id: get-opensearch-version
@@ -47,5 +47,5 @@ runs:
     - name: Copy current distro into the expected folder
       run: |
         mkdir -p ./bwc-test/src/test/resources/${{ steps.get-opensearch-version.outputs.version }}
-        cp ${{ inputs.plugin-branch }}/build/distributions/opensearch-security-${{ steps.get-opensearch-version.outputs.version }}.zip ./bwc-test/src/test/resources/${{ steps.get-opensearch-version.outputs.version }}
+        cp ${{ inputs.plugin-branch }}/build/distributions/opensearch-security-${{ steps.get-opensearch-version.outputs.version }}-SNAPSHOT.zip ./bwc-test/src/test/resources/${{ steps.get-opensearch-version.outputs.version }}
       shell: bash

.github/actions/run-bwc-suite/action.yaml

@@ -35,6 +35,9 @@ runs:
         arguments: |
           bwcTestSuite
           -Dtests.security.manager=false
+          -Dtests.opensearch.secure=true
+          -Dtests.opensearch.username=admin
+          -Dtests.opensearch.password=admin
           -Dbwc.version.previous=${{ steps.build-previous.outputs.built-version }}
           -Dbwc.version.next=${{ steps.build-next.outputs.built-version }} -i
         build-root-directory: bwc-test

bwc-test/build.gradle

@@ -44,8 +44,9 @@ ext {
 
 buildscript {
     ext {
-        opensearch_version = System.getProperty("opensearch.version", "2.9.0-SNAPSHOT")
+        opensearch_version = System.getProperty("opensearch.version", "2.10.0-SNAPSHOT")
         opensearch_group = "org.opensearch"
+        common_utils_version = System.getProperty("common_utils.version", '2.9.0.0-SNAPSHOT')
     }
     repositories {
         mavenLocal()
@@ -70,22 +71,23 @@ dependencies {
     testImplementation "com.google.guava:guava:${versions.guava}"
     testImplementation "org.opensearch.test:framework:${opensearch_version}"
     testImplementation "org.apache.logging.log4j:log4j-core:${versions.log4j}"
+    testImplementation "org.opensearch:common-utils:${common_utils_version}"
 }
 
 loggerUsageCheck.enabled = false
 testingConventions.enabled = false
 validateNebulaPom.enabled = false
 
-String previousVersion = System.getProperty("bwc.version.previous", "2.9.0.0")
+String previousVersion = System.getProperty("bwc.version.previous", "2.10.0.0")
 String nextVersion = System.getProperty("bwc.version.next", "2.10.0.0")
 
 String bwcVersion = previousVersion
 String baseName = "securityBwcCluster"
 String bwcFilePath = "src/test/resources/"
 String projectVersion = nextVersion
 
-String previousOpenSearch  = extractVersion(previousVersion);
-String nextOpenSearch  = extractVersion(nextVersion);
+String previousOpenSearch  = extractVersion(previousVersion) + "-SNAPSHOT";
+String nextOpenSearch  = extractVersion(nextVersion) + "-SNAPSHOT";
 
 // Extracts the OpenSearch version from a plugin version string, 2.4.0.0 -> 2.4.0.
 def String extractVersion(versionStr) {
@@ -122,7 +124,19 @@ def String extractVersion(versionStr) {
                 node.extraConfigFile("esnode.pem", file("src/test/resources/security/esnode.pem"))
                 node.extraConfigFile("esnode-key.pem", file("src/test/resources/security/esnode-key.pem"))
                 node.extraConfigFile("root-ca.pem", file("src/test/resources/security/root-ca.pem"))
-                node.setting("plugins.security.disabled", "true")
+                node.extraConfigFile("kirk-keystore.jks", file("src/test/resources/security/kirk-keystore.jks"))
+                node.extraConfigFile("opensearch-security/action_groups.yml", file("src/test/resources/security/securityconfig/action_groups.yml"))
+                node.extraConfigFile("opensearch-security/allowlist.yml", file("src/test/resources/security/securityconfig/allowlist.yml"))
+                node.extraConfigFile("opensearch-security/audit.yml", file("src/test/resources/security/securityconfig/audit.yml"))
+                node.extraConfigFile("opensearch-security/config.yml", file("src/test/resources/security/securityconfig/config.yml"))
+                node.extraConfigFile("opensearch-security/internal_users.yml", file("src/test/resources/security/securityconfig/internal_users.yml"))
+                node.extraConfigFile("opensearch-security/nodes_dn.yml", file("src/test/resources/security/securityconfig/nodes_dn.yml"))
+                node.extraConfigFile("opensearch-security/roles.yml", file("src/test/resources/security/securityconfig/roles.yml"))
+                node.extraConfigFile("opensearch-security/roles_mapping.yml", file("src/test/resources/security/securityconfig/roles_mapping.yml"))
+                node.extraConfigFile("opensearch-security/tenants.yml", file("src/test/resources/security/securityconfig/tenants.yml"))
+                node.extraConfigFile("opensearch-security/whitelist.yml", file("src/test/resources/security/securityconfig/whitelist.yml"))
+                node.setting("network.bind_host", "127.0.0.1")
+                node.setting("network.publish_host", "127.0.0.1")
                 node.setting("plugins.security.ssl.transport.pemcert_filepath", "esnode.pem")
                 node.setting("plugins.security.ssl.transport.pemkey_filepath", "esnode-key.pem")
                 node.setting("plugins.security.ssl.transport.pemtrustedcas_filepath", "root-ca.pem")
@@ -131,14 +145,17 @@ def String extractVersion(versionStr) {
                 node.setting("plugins.security.ssl.http.pemcert_filepath", "esnode.pem")
                 node.setting("plugins.security.ssl.http.pemkey_filepath", "esnode-key.pem")
                 node.setting("plugins.security.ssl.http.pemtrustedcas_filepath", "root-ca.pem")
+                // node.setting("plugins.security.ssl.http.truststore_filepath", "truststore.jks")
+                // node.setting("plugins.security.ssl.http.truststore_password", "password")
                 node.setting("plugins.security.allow_unsafe_democertificates", "true")
                 node.setting("plugins.security.allow_default_init_securityindex", "true")
-                node.setting("plugins.security.authcz.admin_dn", "CN=kirk,OU=client,O=client,L=test,C=de")
-                node.setting("plugins.security.audit.type", "internal_elasticsearch")
+                node.setting("plugins.security.authcz.admin_dn", "\"CN=kirk,OU=client,O=client,L=test,C=de\"")
+                node.setting("plugins.security.audit.type", "internal_opensearch")
                 node.setting("plugins.security.enable_snapshot_restore_privilege", "true")
                 node.setting("plugins.security.check_snapshot_restore_write_privileges", "true")
                 node.setting("plugins.security.restapi.roles_enabled", "[\"all_access\", \"security_rest_api_access\"]")
                 node.setting("plugins.security.system_indices.enabled", "true")
+                node.setting("logger.org.opensearch.gradle.testclusters", "debug")
             }
 
             setting 'path.repo', "${buildDir}/cluster/shared/repo/${baseName}"

bwc-test/src/test/java/SecurityBackwardsCompatibilityIT.java

@@ -7,21 +7,36 @@
  */
 package org.opensearch.security.bwc;
 
+import java.io.IOException;
 import java.util.List;
 import java.util.Map;
+import java.util.Optional;
 import java.util.Set;
 import java.util.stream.Collectors;
 
+import org.apache.http.Header;
+import org.apache.http.HttpHost;
+import org.apache.http.auth.AuthScope;
+import org.apache.http.auth.UsernamePasswordCredentials;
+import org.apache.http.client.CredentialsProvider;
+import org.apache.http.conn.ssl.NoopHostnameVerifier;
+import org.apache.http.impl.client.BasicCredentialsProvider;
+import org.apache.http.message.BasicHeader;
+import org.apache.http.ssl.SSLContextBuilder;
 import org.junit.Assume;
 import org.junit.Before;
 import org.opensearch.common.settings.Settings;
+import org.opensearch.common.util.concurrent.ThreadContext;
 import org.opensearch.test.rest.OpenSearchRestTestCase;
 
 import org.opensearch.Version;
 
 import static org.hamcrest.MatcherAssert.assertThat;
 import static org.hamcrest.Matchers.hasItem;
 
+import org.opensearch.client.RestClient;
+import org.opensearch.client.RestClientBuilder;
+
 public class SecurityBackwardsCompatibilityIT extends OpenSearchRestTestCase {
 
     private ClusterType CLUSTER_TYPE;
@@ -35,6 +50,11 @@ private void testSetup() {
         CLUSTER_NAME = System.getProperty("tests.clustername");
     }
 
+    @Override
+    protected final boolean preserveClusterUponCompletion() {
+        return true;
+    }
+
     @Override
     protected final boolean preserveIndicesUponCompletion() {
         return true;
@@ -50,6 +70,11 @@ protected boolean preserveTemplatesUponCompletion() {
         return true;
     }
 
+    @Override
+    protected String getProtocol() {
+        return "https";
+    }
+
     @Override
     protected final Settings restClientSettings() {
         return Settings.builder()
@@ -61,6 +86,44 @@ protected final Settings restClientSettings() {
             .build();
     }
 
+    @Override
+    protected RestClient buildClient(Settings settings, HttpHost[] hosts) throws IOException {
+        RestClientBuilder builder = RestClient.builder(hosts);
+        configureHttpsClient(builder, settings);
+        boolean strictDeprecationMode = settings.getAsBoolean("strictDeprecationMode", true);
+        builder.setStrictDeprecationMode(strictDeprecationMode);
+        return builder.build();
+    }
+
+    protected static void configureHttpsClient(RestClientBuilder builder, Settings settings) throws IOException {
+        Map<String, String> headers = ThreadContext.buildDefaultHeaders(settings);
+        Header[] defaultHeaders = new Header[headers.size()];
+        int i = 0;
+        for (Map.Entry<String, String> entry : headers.entrySet()) {
+            defaultHeaders[i++] = new BasicHeader(entry.getKey(), entry.getValue());
+        }
+        builder.setDefaultHeaders(defaultHeaders);
+        builder.setHttpClientConfigCallback(httpClientBuilder -> {
+            String userName = Optional.ofNullable(System.getProperty("tests.opensearch.username"))
+                .orElseThrow(() -> new RuntimeException("user name is missing"));
+            String password = Optional.ofNullable(System.getProperty("tests.opensearch.password"))
+                .orElseThrow(() -> new RuntimeException("password is missing"));
+            CredentialsProvider credentialsProvider = new BasicCredentialsProvider();
+            credentialsProvider.setCredentials(AuthScope.ANY, new UsernamePasswordCredentials(userName, password));
+            try {
+                return httpClientBuilder.setDefaultCredentialsProvider(credentialsProvider)
+                    // disable the certificate since our testing cluster just uses the default security configuration
+                    .setSSLHostnameVerifier(NoopHostnameVerifier.INSTANCE)
+                    .setSSLContext(SSLContextBuilder.create().loadTrustMaterial(null, (chains, authType) -> true).build());
+            } catch (Exception e) {
+                throw new RuntimeException(e);
+            }
+        });
+
+        // final TimeValue socketTimeout = TimeValue.parseTimeValue("60s");
+        // builder.setRequestConfigCallback(conf -> conf.setSocketTimeout(Math.toIntExact(socketTimeout.getMillis())));
+    }
+
     public void testBasicBackwardsCompatibility() throws Exception {
         String round = System.getProperty("tests.rest.bwcsuite_round");
 

bwc-test/src/test/resources/security/esnode-key.pem

@@ -1,28 +1,28 @@
 -----BEGIN PRIVATE KEY-----
-MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQCWvn+O+rywfgMC
-ud24mAclMDfuNA/IzCKLxl5usIE/PvUm7PPfXQ14LfQhNQXqOuaD9fiVM+HO1BzK
-wmN3j4g7eHInR1cxENoNGKFa0Fr9EXnUv8sfwyobPD8NTu9eaH7T+d6f9oow+Q4n
-xb9Xin5IRR/pcJ8v7zEjcXpZaZejcSU4iVZ0PR2Di4H9rfe9SEyR5wLrsVBePB3L
-jaL1uK4bZF3n/JGgDe3BNy1PgPU+O+FCzQipBBTyJWQCjd4iTRXVbMa01PglAR85
-O9w6NXApBLyWdGRY6dGd8vMC2P4KlhnxlcgPZdglKniGTX+eTzT7Rszq77zjYrou
-PLwSh9S7AgMBAAECggEABwiohxFoEIwws8XcdKqTWsbfNTw0qFfuHLuK2Htf7IWR
-htlzn66F3F+4jnwc5IsPCoVFriCXnsEC/usHHSMTZkL+gJqxlNaGdin6DXS/aiOQ
-nb69SaQfqNmsz4ApZyxVDqsQGkK0vAhDAtQVU45gyhp/nLLmmqP8lPzMirOEodmp
-U9bA8t/ttrzng7SVAER42f6IVpW0iTKTLyFii0WZbq+ObViyqib9hVFrI6NJuQS+
-IelcZB0KsSi6rqIjXg1XXyMiIUcSlhq+GfEa18AYgmsbPwMbExate7/8Ci7ZtCbh
-lx9bves2+eeqq5EMm3sMHyhdcg61yzd5UYXeZhwJkQKBgQDS9YqrAtztvLY2gMgv
-d+wOjb9awWxYbQTBjx33kf66W+pJ+2j8bI/XX2CpZ98w/oq8VhMqbr9j5b8MfsrF
-EoQvedA4joUo8sXd4j1mR2qKF4/KLmkgy6YYusNP2UrVSw7sh77bzce+YaVVoO/e
-0wIVTHuD/QZ6fG6MasOqcbl6hwKBgQC27cQruaHFEXR/16LrMVAX+HyEEv44KOCZ
-ij5OE4P7F0twb+okngG26+OJV3BtqXf0ULlXJ+YGwXCRf6zUZkld3NMy3bbKPgH6
-H/nf3BxqS2tudj7+DV52jKtisBghdvtlKs56oc9AAuwOs37DvhptBKUPdzDDqfys
-Qchv5JQdLQKBgERev+pcqy2Bk6xmYHrB6wdseS/4sByYeIoi0BuEfYH4eB4yFPx6
-UsQCbVl6CKPgWyZe3ydJbU37D8gE78KfFagtWoZ56j4zMF2RDUUwsB7BNCDamce/
-OL2bCeG/Erm98cBG3lxufOX+z47I8fTNfkdY2k8UmhzoZwurLm73HJ3RAoGBAKsp
-6yamuXF2FbYRhUXgjHsBbTD/vJO72/yO2CGiLRpi/5mjfkjo99269trp0C8sJSub
-5PBiSuADXFsoRgUv+HI1UAEGaCTwxFTQWrRWdtgW3d0sE2EQDVWL5kmfT9TwSeat
-mSoyAYR5t3tCBNkPJhbgA7pm4mASzHQ50VyxWs25AoGBAKPFx9X2oKhYQa+mW541
-bbqRuGFMoXIIcr/aeM3LayfLETi48o5NDr2NDP11j4yYuz26YLH0Dj8aKpWuehuH
-uB27n6j6qu0SVhQi6mMJBe1JrKbzhqMKQjYOoy8VsC2gdj5pCUP/kLQPW7zm9diX
-CiKTtKgPIeYdigor7V3AHcVT
+MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQD1uCtmgJW3zlvo
+6VM6dpGHH/vnj73x6Xi19I3FzVMSok6Bd3ZaUZ09jqy1xz58uUc4QJcPW79CdqjN
+zEWRUkCyNBtgi21LGV0FY6tUtcm7Dh82Y0Jpk8DPzw6WgUIDqfp2Zr4ric88asaI
+R7dzjr7NTlIKKjcC+zuo1NqgYg0ElYtOof2wdxZ/17akOQmLAKrdDwtYfBgbBkYD
+PDvAYNYVM7+DhWhtLbjizskc20u1En4UikWWwq+1mWR2DyvDoRuRtem//JYmK7+B
+YzXV6aTm7Erw8KAWpUL5F7HcgmGWHOIPEPNfskB1egdKoTdDRosKOOVxHVAr7+fj
+Wj8610BJAgMBAAECggEACJy44LHXDYctD3/GDAGF3j+Pu7D9DlKJiY8VvP4SUE/i
+AoWmX0oHAdZTVVezZ/mydlVFNiOYE4NHLVdghNRmMhjDcOHSJdSwvvScV667cFPx
+Yh2egUbNdjsinsHPB4PYpHe7aJk+6zYu2S3yTxmMtHNvSq3qGa+miqdTNlXZcPSf
+RWh9iXrk+XDkq8iFknI7U8NNoVXkk0UyNpw0o0CG/Vh6k6HnIR6CwOy3asxdaKug
+Jqndm5MyvCy/NOknsjA6eJwwJDEZg4ARzalyEpT5jxoQHngFRI6+9hRUPZC8tD+6
+osg5IB0iLp7JR4TYe+CVOups/a3J2jLqbPbSm5j3UQKBgQD8mcw+JY2VwVXx1dQr
+BixMuuT7fIX0H0yb9sAKq4/LQlAfWT6DBgbLy2r+Z09SQ5m69H6aqn/gqhUI/7Jk
+DpZfIZz8OXgj8E/+1I/dCdVdxPFoywTViUgzsJNC6G3Oxc3xC8AUqObzVyJRhIWw
+Mel5nfo3WsK7BnDNWjA5noOMNQKBgQD5Bqpmf2J8lUkHRCzFOS1UcBvdMJrfiPUf
+32mp14A23E9n+2okCQRkEjXyqYjUqTFXxFIS2zsVjRROy5TFjSa/dwuU4W74Gygs
+XY6cqsAeHFaU9zVEFFPc7W44Icb5dd/Ww+quTqvW5ddUx1HNpXkHq889n3YptdmH
+/iie6yteRQKBgQDPjySncD4N7sZLKBPlonXmOrALAYAkX0+Y3EFiwyQttXiWucNG
+8D3HWYe6MXOZOhjo6RvaxPy8w6TzNwADfYUL+FfBXQueJEnnMAxiaUEcgsaHAEMh
+n2NnrdDjao9IF3sodSpJD5xuGYwGhalAZVLebvP6ZiaafSlVY6U6w0h+fQKBgQDR
+4XdOacBU5fElyaS+GIGG7/HcC3IMQj7uPPquJa2vDyFxruj3NA5aVSrYuWBUc8Dd
+it3tfI4gjMX33wclNODab/f348QGIcVLFxLyIctH1XR3mp5vIX7I7ed+MaGkcF9W
+f8rUXAPiW9aPYmokm3kVKQ3Cjxok71pGjsQnpGbpzQKBgAqd1RwnhotvkcldmLEq
+AB3Ayb0XhsJLl0ubyf37DodPsIdMlSPKyg4YnYRpnrATeGVweS9rxdmDDnsvtEEv
+8E+/RhSn9temcZV7J8M4uQlZBDHbyL8Q5g3Bg/mq2fAMS0szaAcAqS+CXJ1UnDYd
+UaMFpGE7ajMoVZOg8ItfEAGn
 -----END PRIVATE KEY-----

bwc-test/src/test/resources/security/esnode.pem

@@ -1,28 +1,50 @@
 -----BEGIN CERTIFICATE-----
-MIIEyTCCA7GgAwIBAgIGAWLrc1O2MA0GCSqGSIb3DQEBCwUAMIGPMRMwEQYKCZIm
-iZPyLGQBGRYDY29tMRcwFQYKCZImiZPyLGQBGRYHZXhhbXBsZTEZMBcGA1UECgwQ
-RXhhbXBsZSBDb20gSW5jLjEhMB8GA1UECwwYRXhhbXBsZSBDb20gSW5jLiBSb290
-IENBMSEwHwYDVQQDDBhFeGFtcGxlIENvbSBJbmMuIFJvb3QgQ0EwHhcNMTgwNDIy
-MDM0MzQ3WhcNMjgwNDE5MDM0MzQ3WjBeMRIwEAYKCZImiZPyLGQBGRYCZGUxDTAL
-BgNVBAcMBHRlc3QxDTALBgNVBAoMBG5vZGUxDTALBgNVBAsMBG5vZGUxGzAZBgNV
-BAMMEm5vZGUtMC5leGFtcGxlLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC
-AQoCggEBAJa+f476vLB+AwK53biYByUwN+40D8jMIovGXm6wgT8+9Sbs899dDXgt
-9CE1Beo65oP1+JUz4c7UHMrCY3ePiDt4cidHVzEQ2g0YoVrQWv0RedS/yx/DKhs8
-Pw1O715oftP53p/2ijD5DifFv1eKfkhFH+lwny/vMSNxellpl6NxJTiJVnQ9HYOL
-gf2t971ITJHnAuuxUF48HcuNovW4rhtkXef8kaAN7cE3LU+A9T474ULNCKkEFPIl
-ZAKN3iJNFdVsxrTU+CUBHzk73Do1cCkEvJZ0ZFjp0Z3y8wLY/gqWGfGVyA9l2CUq
-eIZNf55PNPtGzOrvvONiui48vBKH1LsCAwEAAaOCAVkwggFVMIG8BgNVHSMEgbQw
-gbGAFJI1DOAPHitF9k0583tfouYSl0BzoYGVpIGSMIGPMRMwEQYKCZImiZPyLGQB
-GRYDY29tMRcwFQYKCZImiZPyLGQBGRYHZXhhbXBsZTEZMBcGA1UECgwQRXhhbXBs
-ZSBDb20gSW5jLjEhMB8GA1UECwwYRXhhbXBsZSBDb20gSW5jLiBSb290IENBMSEw
-HwYDVQQDDBhFeGFtcGxlIENvbSBJbmMuIFJvb3QgQ0GCAQEwHQYDVR0OBBYEFKyv
-78ZmFjVKM9g7pMConYH7FVBHMAwGA1UdEwEB/wQCMAAwDgYDVR0PAQH/BAQDAgXg
-MCAGA1UdJQEB/wQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjA1BgNVHREELjAsiAUq
-AwQFBYISbm9kZS0wLmV4YW1wbGUuY29tgglsb2NhbGhvc3SHBH8AAAEwDQYJKoZI
-hvcNAQELBQADggEBAIOKuyXsFfGv1hI/Lkpd/73QNqjqJdxQclX57GOMWNbOM5H0
-5/9AOIZ5JQsWULNKN77aHjLRr4owq2jGbpc/Z6kAd+eiatkcpnbtbGrhKpOtoEZy
-8KuslwkeixpzLDNISSbkeLpXz4xJI1ETMN/VG8ZZP1bjzlHziHHDu0JNZ6TnNzKr
-XzCGMCohFfem8vnKNnKUneMQMvXd3rzUaAgvtf7Hc2LTBlf4fZzZF1EkwdSXhaMA
-1lkfHiqOBxtgeDLxCHESZ2fqgVqsWX+t3qHQfivcPW6txtDyrFPRdJOGhiMGzT/t
-e/9kkAtQRgpTb3skYdIOOUOV0WGQ60kJlFhAzIs=
+MIIEITCCAwmgAwIBAgIUGPqmZdMIOqjgbQ0nRdJ2F/VUkPgwDQYJKoZIhvcNAQEL
+BQAwga4xEzARBgoJkiaJk/IsZAEZFgNjb20xFzAVBgoJkiaJk/IsZAEZFgdleGFt
+cGxlMRkwFwYDVQQKDBBFeGFtcGxlIENvbSBJbmMuMSEwHwYDVQQLDBhFeGFtcGxl
+IENvbSBJbmMuIFJvb3QgQ0ExQDA+BgNVBAMMN0V4YW1wbGUgQ29tIEluYy4gUm9v
+dCBDQSwgQ04gPSBFeGFtcGxlIENvbSBJbmMuIFJvb3QgQ0EwHhcNMjMwODEwMjEx
+NTA3WhcNMzMwODA3MjExNTA3WjBXMQswCQYDVQQGEwJkZTENMAsGA1UEBwwEdGVz
+dDENMAsGA1UECgwEbm9kZTENMAsGA1UECwwEbm9kZTEbMBkGA1UEAwwSbm9kZS0w
+LmV4YW1wbGUuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA9bgr
+ZoCVt85b6OlTOnaRhx/754+98el4tfSNxc1TEqJOgXd2WlGdPY6stcc+fLlHOECX
+D1u/QnaozcxFkVJAsjQbYIttSxldBWOrVLXJuw4fNmNCaZPAz88OloFCA6n6dma+
+K4nPPGrGiEe3c46+zU5SCio3Avs7qNTaoGINBJWLTqH9sHcWf9e2pDkJiwCq3Q8L
+WHwYGwZGAzw7wGDWFTO/g4VobS244s7JHNtLtRJ+FIpFlsKvtZlkdg8rw6EbkbXp
+v/yWJiu/gWM11emk5uxK8PCgFqVC+Rex3IJhlhziDxDzX7JAdXoHSqE3Q0aLCjjl
+cR1QK+/n41o/OtdASQIDAQABo4GMMIGJMEcGA1UdEQRAMD6CEm5vZGUtMC5leGFt
+cGxlLmNvbYIJbG9jYWxob3N0hxAAAAAAAAAAAAAAAAAAAAABhwR/AAABiAUqAwQF
+BTAdBgNVHQ4EFgQUwEDN1zWWQ4ULvKofWCRi+a/uTt8wHwYDVR0jBBgwFoAU6bJR
+I4km9IzZNac3Yt+Jyn9KkskwDQYJKoZIhvcNAQELBQADggEBAJd/5+cVSmsL2Gx4
+Dq36U4XOHfUSIVJUuOuu19ZxQ5a9ObUfNX0gSLXbcWnLcdOCUgN4OutjxUw16FeL
+G9t2tT/dKbJZiCkF0QPorugNGeeMt0fExRQ3D0a8OisGdqYurcHxVDjViyWurh1B
+ETFU6Gm2E1Rya3zCrW5wEll2GSNe1Xdc+1ANh1mW8E8TbzX3vhY6gXu9o8uNCXLU
+N0JE0ggugkOBLSSP9MbFvQDWWAY7nMaQxuXwULyiXMSm2QQOOlNqcGMASWo7sWij
+ELDpYc5XPVplpQObdTkEFrooHe7oBl91WZ9oY9iu/H2Yx6HS/zJs6knZvwNxz3uY
+ZcvdYXw=
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIEQjCCAyqgAwIBAgIUFhF0GAuR4yaen/L/JyIXdSxFstcwDQYJKoZIhvcNAQEL
+BQAwga4xEzARBgoJkiaJk/IsZAEZFgNjb20xFzAVBgoJkiaJk/IsZAEZFgdleGFt
+cGxlMRkwFwYDVQQKDBBFeGFtcGxlIENvbSBJbmMuMSEwHwYDVQQLDBhFeGFtcGxl
+IENvbSBJbmMuIFJvb3QgQ0ExQDA+BgNVBAMMN0V4YW1wbGUgQ29tIEluYy4gUm9v
+dCBDQSwgQ04gPSBFeGFtcGxlIENvbSBJbmMuIFJvb3QgQ0EwHhcNMjMwODEwMjEx
+NDUxWhcNMjUwODA5MjExNDUxWjCBrjETMBEGCgmSJomT8ixkARkWA2NvbTEXMBUG
+CgmSJomT8ixkARkWB2V4YW1wbGUxGTAXBgNVBAoMEEV4YW1wbGUgQ29tIEluYy4x
+ITAfBgNVBAsMGEV4YW1wbGUgQ29tIEluYy4gUm9vdCBDQTFAMD4GA1UEAww3RXhh
+bXBsZSBDb20gSW5jLiBSb290IENBLCBDTiA9IEV4YW1wbGUgQ29tIEluYy4gUm9v
+dCBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKrZtvfOZimo0YWw
+CWqLeujnEITxQyFM+LKpw7vhcvu2xwFYUsT9lx3OaZKjivT5icKoKRXB95aKAwUE
+vvqvP8Mg7/ZRIG6zH90oMoRjADUMx1eHTm6/y5R7YqETfFj1jvRwIkVH+XUmPN2f
+OkTtsYGnfI2qrf99rmgd5OB0KZhrgn4NaTG/UbX3HlzOWhqdL1q5iJFOTJwXDUQ5
+uw/OG2t8zngxxrO2hXCc8WA/uM6PrgXhkZq3s03C91/0wFscAJygYGPAPMzeL78P
+UqFiuPy3XaKnEVfjxVaruVaEpG+q5lm4a6/KgI2OlR/KExCr+XOQzvwPdHrSSQQm
+ZshOxd0CAwEAAaNWMFQwHQYDVR0OBBYEFOmyUSOJJvSM2TWnN2Lficp/SpLJMB8G
+A1UdIwQYMBaAFOmyUSOJJvSM2TWnN2Lficp/SpLJMBIGA1UdEwEB/wQIMAYBAf8C
+AQEwDQYJKoZIhvcNAQELBQADggEBAGd8tl2b04fbb5ACYZNtYC4LFyj8D9CMuy+G
+XBXx4KdXevduEoXlz8EZUrvL6KyCtYN4EW1I65JY60eJ74Ugntbl9lxHdscKfz4n
+Yy5PRAxqS+9BQQxJJ4fxn0rKh7oR2qrf7rhRRl/BI3JLbk8c7nuMquVlTvBqAhto
+KpGEF0YIw/lP4LF73ew8UCVk/AnH1cyso7QWZZj/EmJiwi3TtntviRJwezQMEkkQ
+FMxwO9E85H3eyP53hOjg99EV7JZhtMlMmQB3Jw6lXq1jZEdsMlagalI/jYjsGU7x
+p82p85JT+Z7s3VQnSC1w+r17lYQxjHJzjRRUdT1Dip65bGsq4GA=
 -----END CERTIFICATE-----