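#!/bin/bash
############################################################################################
# Creates 2 Certificate Chains for the ACA:
# 1 RSA 3K SHA 384
# 2 ECC 512 SHA 384
#
# Usage: pki_setup.sh [LOG_FILE] [PKI_PASS] [UNATTENDED]
#   LOG_FILE   - log file to append to (default: /var/log/hirs/hirs_aca_install_<date>.log)
#   PKI_PASS   - password protecting the generated PKI keys. When empty, the value of
#                hirs_pki_password in aca.properties is used; when that is absent too,
#                a random password is generated.
#   UNATTENDED - accepted for interface compatibility; not read by this script.
# Must be run as root. The chains are only generated when /etc/hirs/certificates does
# not exist yet; an existing directory is left untouched.
############################################################################################
#PROP_FILE=/etc/hirs/aca/application.properties
ACA_PROP=/etc/hirs/aca/aca.properties
SPRING_PROP_FILE="/etc/hirs/aca/application.properties"
LOG_FILE=${1:-}
PKI_PASS=${2:-}
# shellcheck disable=SC2034 — part of the script's argument interface, currently unused
UNATTENDED=${3:-}
LOG_FILE_NAME="hirs_aca_install_$(date +%Y-%m-%d).log"
LOG_DIR="/var/log/hirs/"
HIRS_DIR=/etc/hirs
HIRS_CONF_DIR=/etc/hirs/aca
HIRS_CERT_DIR=/etc/hirs/certificates
# Capture location of the script to allow from invocation from any location
SCRIPT_DIR=$( dirname -- "$( readlink -f -- "$0"; )"; )

# Write a message to stdout and append it to the log file.
log() {
  echo "$*" | tee -a "$LOG_FILE"
}

# Resolve the log file before anything is logged.
if [ -z "$LOG_FILE" ]; then
  LOG_FILE="$LOG_DIR$LOG_FILE_NAME"
  log_file_defaulted=1
else
  log_file_defaulted=0
fi

# Check for sudo or root user before creating anything under /etc or /var/log,
# so a non-root run fails with one clear message instead of a cascade of errors.
if [ "$EUID" -ne 0 ]; then
  echo "This script requires root. Please run as root" | tee -a "$LOG_FILE"
  exit 1
fi

mkdir -p "$HIRS_CONF_DIR" "$LOG_DIR" || exit 1
log "SCRIPT_DIR is $SCRIPT_DIR"
if [ "$log_file_defaulted" -eq 1 ]; then
  log "using log file $LOG_FILE"
fi

# Fall back to the password already recorded in aca.properties. The file is parsed with
# grep instead of being 'source'd, so its contents are never executed as shell by root.
# Like 'source', the last hirs_pki_password line wins; the value is taken verbatim.
if [ -z "$PKI_PASS" ] && [ -f "$ACA_PROP" ]; then
  PKI_PASS=$(grep -E '^hirs_pki_password=' -- "$ACA_PROP" | tail -n 1 | cut -d '=' -f 2-)
fi
if [ -z "$PKI_PASS" ]; then
  PKI_PASS=$(head -c 64 /dev/urandom | md5sum | tr -dc 'a-zA-Z0-9')
  log "Using randomly generated password for the PKI key password"
  # Shown on the console only; deliberately not written to the log file.
  echo "Using pki password=$PKI_PASS"
fi

# Create Cert Chains
if [ ! -d "$HIRS_CERT_DIR" ]; then
  if [ -d "/opt/hirs/scripts/pki" ]; then
    PKI_SETUP_DIR="/opt/hirs/scripts/pki"
  else
    PKI_SETUP_DIR="$SCRIPT_DIR"
  fi
  log "PKI_SETUP_DIR is $PKI_SETUP_DIR"
  # Close the directory to others before any private key is written into it, and
  # stop if it cannot be created (a pipe into tee would hide the mkdir status).
  if ! mkdir -p "$HIRS_CERT_DIR" || ! chmod 750 "$HIRS_CERT_DIR"; then
    log "Failed to create $HIRS_CERT_DIR"
    exit 1
  fi
  # Every following step assumes the cwd is the certificate directory.
  pushd "$HIRS_CERT_DIR" &> /dev/null || exit 1
  if ! cp -- "$PKI_SETUP_DIR/ca.conf" .; then
    log "ca.conf not found in $PKI_SETUP_DIR"
    exit 1
  fi
  if ! "$PKI_SETUP_DIR/pki_chain_gen.sh" "HIRS" "rsa" "3072" "sha384" "$PKI_PASS" "$LOG_FILE"; then
    log "RSA certificate chain generation failed"
    exit 1
  fi
  if ! "$PKI_SETUP_DIR/pki_chain_gen.sh" "HIRS" "ecc" "512" "sha384" "$PKI_PASS" "$LOG_FILE"; then
    log "ECC certificate chain generation failed"
    exit 1
  fi
  popd &> /dev/null

  log "Setting MYSQL permissions for DB TLS Certs..."
  # Keys, keystores and certificates: owner-only by default.
  find "$HIRS_CERT_DIR" -type f \( -iname '*.pem' -o -iname '*.jks' -o -iname '*.key' \) \
    -exec chmod 600 {} +
  cert_dirs=(
    "$HIRS_CERT_DIR"
    "$HIRS_CERT_DIR/HIRS"
    "$HIRS_CERT_DIR/HIRS/rsa_3k_sha384_certs"
    "$HIRS_CERT_DIR/HIRS/ecc_512_sha384_certs"
  )
  chown root:mysql "${cert_dirs[@]}"
  chmod 750 "${cert_dirs[@]}"
  chmod 755 "$HIRS_DIR"
  chmod 750 "$HIRS_CONF_DIR"
  # The public chain files are read by the services; they need no execute bit.
  chmod 644 "$HIRS_CERT_DIR/HIRS/ecc_512_sha384_certs/HIRS_ecc_512_sha384_Cert_Chain.pem"
  chmod 644 "$HIRS_CERT_DIR/HIRS/rsa_3k_sha384_certs/HIRS_rsa_3k_sha384_Cert_Chain.pem"

  # Record the password for the ACA and for Spring. The files hold a secret, so when
  # they have to be created here they are created owner-only instead of with the
  # default umask. Values are appended; a re-run after removing the certificate
  # directory will add a second copy of each key.
  # NOTE(review): the mode of application.properties is not tightened by this script
  # (only aca.properties is chmod'd below) — confirm the packaging sets it.
  (
    umask 077
    echo "hirs_pki_password=$PKI_PASS" >> "$ACA_PROP"
    echo "server.ssl.key-store-password=$PKI_PASS" >> "$SPRING_PROP_FILE"
    echo "server.ssl.trust-store-password=$PKI_PASS" >> "$SPRING_PROP_FILE"
  )
else
  log "$HIRS_CERT_DIR exists, skipping"
fi

# aca.properties carries the PKI password: owner-only regardless of how it was created.
if [ -f "$ACA_PROP" ]; then
  chmod 600 "$ACA_PROP"
fi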