HIRS/HIRS_Provisioner/hirs-provisioner-config.sh

74 lines
3.2 KiB
Bash
Raw Permalink Normal View History

2018-09-06 13:47:33 +00:00
#!/bin/bash
PROVISIONER_DIR="/etc/hirs/provisioner"
CERTIFICATES="/etc/hirs/certificates/provisioner"
SITE_CONFIG_FILE="/etc/hirs/hirs-site.config"
PROVISIONER_PROPERTIES="$PROVISIONER_DIR/provisioner.properties"
TMP_PROPERTIES="$PROVISIONER_DIR/tmp.properties"
PROVISIONER_LOG_DIR="/var/log/hirs/provisioner"
PROVISIONER_LOG_FILE="$PROVISIONER_LOG_DIR/HIRS_Provisioner.log"
# ensure log file exists
mkdir -p $PROVISIONER_LOG_DIR
touch $PROVISIONER_LOG_FILE
mkdir -p ${CERTIFICATES}/private
# certificates and key stores generated by this script.
CLIENT_PEM=${CERTIFICATES}/private/hirs.client.pem
CLIENT_CERT=${CERTIFICATES}/hirs.client.cert
INTERNAL_P12=${CERTIFICATES}/hirs.p12
KEYSTORE_JKS=${CERTIFICATES}/keyStoreClient.jks
# delete the key store if it exists
if [ -f ${KEYSTORE_JKS} ]; then
echo "----> Deleting existing key store" | tee -a $PROVISIONER_LOG_FILE
rm -f ${KEYSTORE_JKS}
fi
# Read site config
source ${SITE_CONFIG_FILE}
# Read a block of raw data bytes from /dev/urandom and convert it to text characters.
P12_PASSWORD=$(head -c 64 /dev/urandom | md5sum | tr -dc 'a-zA-Z0-9')
# generate a key and certificate. The key is the private key used to sign the well known CA cert.
echo 'Creating 2048 bit key' >> $PROVISIONER_LOG_FILE 2>&1
openssl req -x509 -nodes -days 3652 -newkey rsa:2048 -keyout ${CLIENT_PEM} -out ${CLIENT_CERT} -subj "/C=US/O=HIRS/OU=Provisioner/CN=$CLIENT_HOSTNAME" >> $PROVISIONER_LOG_FILE 2>&1
# export the certificate and key as a p12 file
echo 'Exporting key' >> $PROVISIONER_LOG_FILE 2>&1
openssl pkcs12 -export -in ${CLIENT_CERT} -inkey ${CLIENT_PEM} -out ${INTERNAL_P12} -passout pass:${P12_PASSWORD} >> $PROVISIONER_LOG_FILE 2>&1
# create a key store using the pk12 file.
echo 'Configuring key store' >> $PROVISIONER_LOG_FILE 2>&1
keytool -importkeystore -srckeystore ${INTERNAL_P12} -destkeystore ${KEYSTORE_JKS} -srcstoretype pkcs12 -srcstorepass ${P12_PASSWORD} -deststoretype jks -deststorepass ${P12_PASSWORD} -noprompt >> $PROVISIONER_LOG_FILE 2>&1
if [ ! -f ${KEYSTORE_JKS} ]; then
echo "${KEYSTORE_JKS} was not created" | tee -a $PROVISIONER_LOG_FILE
exit 1;
fi
grep -v "javax.net.ssl" ${PROVISIONER_PROPERTIES} > ${TMP_PROPERTIES}
mv ${TMP_PROPERTIES} ${PROVISIONER_PROPERTIES}
echo "javax.net.ssl.keyStore=$KEYSTORE_JKS" >> ${PROVISIONER_PROPERTIES}
echo "javax.net.ssl.trustStore=${CERTIFICATES}/TrustStore.jks" >> ${PROVISIONER_PROPERTIES}
echo "javax.net.ssl.keyStorePassword=$P12_PASSWORD" >> ${PROVISIONER_PROPERTIES}
# Checking for existing HIRS TrustStore
if [ -f "${CERTIFICATES}/TrustStore.jks" ]; then
rm -f ${CERTIFICATES}/TrustStore.jks
fi
echo "----> Downloading truststore" | tee -a $PROVISIONER_LOG_FILE
wget https://"$ATTESTATION_CA_FQDN":"$ATTESTATION_CA_PORT"/HIRS_AttestationCA/client-files/TrustStore.jks --no-check-certificate -P ${CERTIFICATES} >/dev/null 2>/dev/null
if [ ! -f "${CERTIFICATES}/TrustStore.jks" ]; then
echo "----> ERROR: Truststore could not be downloaded from $ATTESTATION_CA_FQDN" | tee -a $PROVISIONER_LOG_FILE
exit 1
fi
sed -i "s/provisioner\.aca\.host\s*=\s*.*/provisioner.aca.host = $ATTESTATION_CA_FQDN/" $PROVISIONER_PROPERTIES
sed -i "s/provisioner\.aca\.port\s*=\s*.*/provisioner.aca.port = $ATTESTATION_CA_PORT/" $PROVISIONER_PROPERTIES