updated application.settings to use tls
This commit is contained in:
parent
210c48dada
commit
146d05961d
@ -3,18 +3,26 @@
|
|||||||
#spring.mvc.view.prefix=/WEB-INF/jsp/
|
#spring.mvc.view.prefix=/WEB-INF/jsp/
|
||||||
#spring.mvc.view.suffix=.jsp
|
#spring.mvc.view.suffix=.jsp
|
||||||
|
|
||||||
|
# Logging Config (tomcat may have further config)
|
||||||
logging.level.org.springframework=INFO
|
logging.level.org.springframework=INFO
|
||||||
logging.level.org.apache.catalina=DEBUG
|
logging.level.org.apache.catalina=DEBUG
|
||||||
|
|
||||||
|
# Database Config
|
||||||
spring.jpa.hibernate.ddl-auto=update
|
spring.jpa.hibernate.ddl-auto=update
|
||||||
spring.datasource.url=jdbc:mariadb://localhost:3306/hirs_db?autoReconnect=true&useSSL=false
|
spring.datasource.url=jdbc:mariadb://localhost:3306/hirs_db?autoReconnect=true&useSSL=false
|
||||||
spring.datasource.username=hirs_db
|
spring.datasource.username=hirs_db
|
||||||
spring.datasource.password=hirs_db
|
|
||||||
jakarta.persistence.sharedCache.mode = UNSPECIFIED
|
jakarta.persistence.sharedCache.mode = UNSPECIFIED
|
||||||
|
|
||||||
spring.datasource.driver-class-name=org.mariadb.jdbc.Driver
|
spring.datasource.driver-class-name=org.mariadb.jdbc.Driver
|
||||||
#spring.datasource.driver-class-name=com.mysql.cj.jdbc.Driver
|
#spring.datasource.driver-class-name=com.mysql.cj.jdbc.Driver
|
||||||
#spring.datasource.driverClassName=com.mysql.cj.jdbc.Driver
|
#spring.datasource.driverClassName=com.mysql.cj.jdbc.Driver
|
||||||
|
|
||||||
|
# Tomcat Config
|
||||||
|
server.tomcat.additional-tld-skip-patterns=*.jar
|
||||||
|
server.tomcat.basedir=/opt/embeddedtomcat
|
||||||
|
server.servlet.register-default-servlet=true
|
||||||
|
server.servlet.context-path=/HIRS_AttestationCAPortal
|
||||||
|
spring.mvc.servlet.path=/portal
|
||||||
|
|
||||||
server.tomcat.accesslog.enabled=true
|
server.tomcat.accesslog.enabled=true
|
||||||
server.tomcat.accesslog.directory=logs
|
server.tomcat.accesslog.directory=logs
|
||||||
server.tomcat.accesslog.file-date-format=yyyy-MM-dd
|
server.tomcat.accesslog.file-date-format=yyyy-MM-dd
|
||||||
@ -22,10 +30,15 @@ server.tomcat.accesslog.prefix=access_log
|
|||||||
server.tomcat.accesslog.suffix=.log
|
server.tomcat.accesslog.suffix=.log
|
||||||
server.tomcat.accesslog.rotate=true
|
server.tomcat.accesslog.rotate=true
|
||||||
|
|
||||||
server.tomcat.basedir=/opt/embeddedtomcat
|
# Tomcat TLS support
|
||||||
server.servlet.register-default-servlet=true
|
server.port=8443
|
||||||
server.servlet.context-path=/HIRS_AttestationCAPortal
|
server.ssl.enabled=true
|
||||||
spring.mvc.servlet.path=/portal
|
server.ssl.trust-store-type=JKS
|
||||||
|
server.ssl.trust-store=/etc/hirs/certificates/HIRS/TrustStore.jks
|
||||||
|
server.ssl.trust-store-password=53d035ff814c1dd5c7e303f5fa080c18
|
||||||
|
server.ssl.key-store-type=JKS
|
||||||
|
server.ssl.key-store=/etc/hirs/certificates/HIRS/KeyStore.jks
|
||||||
|
server.ssl.key-alias=hirs_aca_tls_rsa_3k_sha384
|
||||||
|
|
||||||
#jdbc.driverClassName = com.mysql.cj.jdbc.Driver
|
#jdbc.driverClassName = com.mysql.cj.jdbc.Driver
|
||||||
#jdbc.url = jdbc:mysql://localhost:3306/hirs_db?autoReconnect=true&useSSL=false
|
#jdbc.url = jdbc:mysql://localhost:3306/hirs_db?autoReconnect=true&useSSL=false
|
||||||
@ -34,3 +47,9 @@ spring.mvc.servlet.path=/portal
|
|||||||
#entitymanager.packagesToScan: hirs.attestationca.portal.page.controllers
|
#entitymanager.packagesToScan: hirs.attestationca.portal.page.controllers
|
||||||
#spring.jpa.hibernate.ddl-auto=update
|
#spring.jpa.hibernate.ddl-auto=update
|
||||||
#spring.jpa.show-sql=true
|
#spring.jpa.show-sql=true
|
||||||
|
|
||||||
|
# Passwords get appended here ...
|
||||||
|
spring.datasource.password=hirs_db
|
||||||
|
server.ssl.trust-store-password=53d035ff814c1dd5c7e303f5fa080c18
|
||||||
|
server.ssl.key-store-password=53d035ff814c1dd5c7e303f5fa080c18
|
||||||
|
|
||||||
|
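--- a/package/scripts/aca/aca_bootRun.sh
+++ b/package/scripts/aca/aca_bootRun.sh
@@ -0,0 +1,30 @@
+#!/bin/bash
+#####################################################################################
+#
+# Script to run ACA using the gradle spring pluing bootRun command with password set
+#
+#
+####################################################################################
+
+PASS_FILE="/etc/hirs/aca/application.properties"
+
+declare -A props
+
+if [ -f $PASS_FILE ]; then
+while IFS="=" read -r key value; do
+echo "key is $key, value is $value"
+if [ ! -z "$key" ]; then
+props["$key"]="$value"
+fi
+done < "$PASS_FILE"
+else
+echo "error reading $PASS_FILE"
+exit 1
+fi
+
+echo "server_ssl_trust-store-password = " ${props["server.ssl.trust-store-password"]}
+echo "server_ssl_key-store-password = " ${props["server.ssl.key-store-password"]}
+
+#./gradlew bootRun --args=--server.ssl.trust-store-password=${props["server.ssl.trust-store-password"]},--server.ssl.key-store-password=${props["server.ssl.key-store-password"]}
+
+./gradlew bootRun --args="--server.ssl.trust-store-password=53d035ff814c1dd5c7e303f5fa080c18 --server.ssl.key-store-password=53d035ff814c1dd5c7e303f5fa080c18"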
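Review bot: The final `./gradlew bootRun` line hardcodes the key-store/trust-store password `53d035ff814c1dd5c7e303f5fa080c18` as a literal, so the whole `props` parsing above it is dead code and the secret is baked into a committed script (the same literal is also being committed into `application.properties` earlier in this change). The three `echo` lines additionally print every parsed property, both passwords included, to stdout, where it ends up in terminal scrollback and CI logs. Use the parsed values and drop the echoes: `./gradlew bootRun --args="--server.ssl.trust-store-password=${props["server.ssl.trust-store-password"]} --server.ssl.key-store-password=${props["server.ssl.key-store-password"]}"`. Even then the secret is visible in `ps` for the life of the JVM; exporting `SERVER_SSL_KEY_STORE_PASSWORD` / `SERVER_SSL_TRUST_STORE_PASSWORD` before a bare `./gradlew bootRun` should let Spring Boot's relaxed binding pick them up without putting them on argv — worth confirming against the ACA's config loading. Minor: quote the file test, `if [ -f "$PASS_FILE" ]; then`.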
@ -35,7 +35,7 @@ crlDistributionPoints = URI:https://example.com/crl
|
|||||||
|
|
||||||
[ server_extensions ]
|
[ server_extensions ]
|
||||||
keyUsage = critical,digitalSignature,keyEncipherment
|
keyUsage = critical,digitalSignature,keyEncipherment
|
||||||
basicConstraints = CA:false
|
basicConstraints = critical
|
||||||
extendedKeyUsage = serverAuth,clientAuth
|
extendedKeyUsage = serverAuth,clientAuth
|
||||||
subjectKeyIdentifier = hash
|
subjectKeyIdentifier = hash
|
||||||
authorityKeyIdentifier = keyid:always
|
authorityKeyIdentifier = keyid:always
|
||||||
@ -46,7 +46,7 @@ crlDistributionPoints = URI:https://example.com/crl
|
|||||||
keyUsage = critical,digitalSignature,nonRepudiation,keyEncipherment
|
keyUsage = critical,digitalSignature,nonRepudiation,keyEncipherment
|
||||||
subjectKeyIdentifier = hash
|
subjectKeyIdentifier = hash
|
||||||
authorityKeyIdentifier = keyid:always,issuer
|
authorityKeyIdentifier = keyid:always,issuer
|
||||||
basicConstraints = critical,CA:false
|
basicConstraints = critical
|
||||||
keyUsage = critical, digitalSignature
|
keyUsage = critical, digitalSignature
|
||||||
authorityInfoAccess = caIssuers;URI:https://example.com/certs/
|
authorityInfoAccess = caIssuers;URI:https://example.com/certs/
|
||||||
crlDistributionPoints = URI:https://example.com/crl
|
crlDistributionPoints = URI:https://example.com/crl
|
||||||
|
@ -72,7 +72,7 @@ ROOT_DN="/C=US/ST=MD/L=Columbia/O="$ACTOR"/CN="$NAME" test root ca"
|
|||||||
INT_DN="/C=US/ST=MD/L=Columbia/O="$ACTOR"/CN="$NAME" test intermediate ca"
|
INT_DN="/C=US/ST=MD/L=Columbia/O="$ACTOR"/CN="$NAME" test intermediate ca"
|
||||||
LEAF_DN="/C=US/ST=MD/L=Columbia/O="$ACTOR"/CN="$NAME" test ca"
|
LEAF_DN="/C=US/ST=MD/L=Columbia/O="$ACTOR"/CN="$NAME" test ca"
|
||||||
SIGNER_DN="/C=US/ST=MD/L=Columbia/O="$ACTOR"/CN="$NAME" test signer"
|
SIGNER_DN="/C=US/ST=MD/L=Columbia/O="$ACTOR"/CN="$NAME" test signer"
|
||||||
TLS_DN="/C=US/ST=MD/L=Columbia/O="$ACTOR"/CN="$NAME" portal"
|
TLS_DN="/C=US/ST=MD/L=Columbia/O="$ACTOR"/CN="localhost"
|
||||||
|
|
||||||
# Add check for existing folder and halt if it exists
|
# Add check for existing folder and halt if it exists
|
||||||
if [ -d "$ACTOR_ALT"/"$CERT_FOLDER" ]; then
|
if [ -d "$ACTOR_ALT"/"$CERT_FOLDER" ]; then
|
||||||
|
@ -6,28 +6,35 @@
|
|||||||
#
|
#
|
||||||
############################################################################################
|
############################################################################################
|
||||||
|
|
||||||
|
PROP_FILE=/etc/hirs/aca/apllication.properties
|
||||||
|
|
||||||
# Capture location of the script to allow from invocation from any location
|
# Capture location of the script to allow from invocation from any location
|
||||||
SCRIPT_DIR=$( dirname -- "$( readlink -f -- "$0"; )"; )
|
SCRIPT_DIR=$( dirname -- "$( readlink -f -- "$0"; )"; )
|
||||||
# Set HIRS PKI password
|
# Set HIRS PKI password
|
||||||
if [ -z $HIRS_PKI_PWD ]; then
|
if [ -z $HIRS_PKI_PWD ]; then
|
||||||
# Create a 32 character random password
|
# Create a 32 character random password
|
||||||
PKI_PASS=$(head -c 64 /dev/urandom | md5sum | tr -dc 'a-zA-Z0-9')
|
PKI_PASS=$(head -c 64 /dev/urandom | md5sum | tr -dc 'a-zA-Z0-9')
|
||||||
#PKI_PASS="xrb204k"
|
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# Create an ACA properties file using the new password
|
# Create an ACA properties file using the new password
|
||||||
pushd $SCRIPT_DIR &> /dev/null
|
#pushd $SCRIPT_DIR &> /dev/null
|
||||||
if [ ! -f "/etc/hirs/aca/aca.properties" ]; then
|
# if [ ! -f "/etc/hirs/aca/aca.properties" ]; then
|
||||||
if [ -d /opt/hirs/scripts/aca ]; then
|
# if [ -d /opt/hirs/scripts/aca ]; then
|
||||||
ACA_SETUP_DIR="/opt/hirs/scripts/aca"
|
# ACA_SETUP_DIR="/opt/hirs/scripts/aca"
|
||||||
else
|
# else
|
||||||
ACA_SETUP_DIR=="$SCRIPT_DIR/../aca"
|
# ACA_SETUP_DIR="$SCRIPT_DIR/../aca"
|
||||||
fi
|
# fi
|
||||||
echo "ACA_SETUP_DIR is $ACA_SETUP_DIR"
|
# echo "ACA_SETUP_DIR is $ACA_SETUP_DIR"
|
||||||
sh $ACA_SETUP_DIR/aca_property_setup.sh $PKI_PASS
|
# sh $ACA_SETUP_DIR/aca_property_setup.sh $PKI_PASS
|
||||||
else
|
# else
|
||||||
echo "aca property file exists, skipping"
|
# echo "aca property file exists, skipping"
|
||||||
fi
|
# fi
|
||||||
|
|
||||||
|
# Add password to properties file
|
||||||
|
echo "server.ssl.key-store-password="$PKI_PASS >> $PROP_FILE
|
||||||
|
echo "server.ssl.trust-store-password="$PKI_PASS >> $PROP_FILE
|
||||||
|
|
||||||
|
# Clear out previous pki password and set new password in the application.properties file for embedded tomcat
|
||||||
|
|
||||||
popd &> /dev/null
|
popd &> /dev/null
|
||||||
|
|
||||||
|
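--- a/package/scripts/pki/pki_update_tls_cert.sh
+++ b/package/scripts/pki/pki_update_tls_cert.sh
@@ -0,0 +1,81 @@
+#!/bin/bash
+
+CN=$1
+PASS=$2
+ACTOR="HIRS"
+ACTOR_ALT=${ACTOR// /_}
+ASYM_ALG="rsa"
+ASYM_SIZE=3072
+KSIZE="3k"
+HASH_ALG="sha384"
+CERT_FOLDER="/etc/hirs/certificates/HIRS/$ASYM_ALG"_"$KSIZE"_"$HASH_ALG"_certs
+#CERT_FOLDER="."
+EXTENSION="server_extensions"
+TRUSTSTORE="/etc/hirs/certificates/HIRS/TrustStore.jks"
+
+echo "CERT_FOLDER is $CERT_FOLDER"
+
+
+if [ -z "${CN}" ] || [ -z "${PASS}" ] || [ "${CN}" == "-h" ] || [ "${CN}" == "--help" ]; then
+echo "parameter missing to pki_tls_update.sh, exiting"
+exit 1;
+fi
+
+TLS_DN="/C=US/ST=MD/L=Columbia/O="$ACTOR"/CN=$CN"
+
+TLS_SERVER="$CERT_FOLDER"/"$ACTOR_ALT"_aca_tls_"$ASYM_ALG"_"$KSIZE"_"$HASH_ALG"
+PKI_CA3="$CERT_FOLDER"/"$ACTOR_ALT"_leaf_ca3_"$ASYM_ALG"_"$KSIZE"_"$HASH_ALG"
+
+echo "TLS_SERVER is $TLS_SERVER"
+create_cert () {
+CERT_PATH="$1"
+ISSUER="$2"
+SUBJ_DN="$3"
+ISSUER_KEY="$ISSUER".key
+ISSUER_CERT="$ISSUER".pem
+ALIAS=${CERT_PATH#*/} # Use filename without path as an alias
+
+pushd /etc/hirs/certificates/HIRS
+
+# if [ "$CERT_TYPE" == "rim_signer" ]; then
+# EXTENSION="signer_extensions"
+# else
+# EXTENSION="ca_extensions"
+# fi
+
+echo "Updating cert for "$CERT_PATH".pem using $ISSUER_KEY with a DN="$SUBJ_DN" using $EXTENSION."
+
+if [ "$ASYM_ALG" == "rsa" ]; then
+openssl req -newkey rsa:"$ASYM_SIZE" \
+-keyout "$CERT_PATH".key \
+-out "$CERT_PATH".csr -subj "$SUBJ_DN" \
+-passout pass:"$PASS"
+#&> /dev/null
+else
+openssl ecparam -genkey -name "$ECC_NAME" -out "$CERT_PATH".key &> /dev/null
+openssl req -new -key "$CERT_PATH".key -out "$CERT_PATH".csr -$HASH_ALG -subj "$SUBJ_DN" &> /dev/null
+fi
+openssl ca -config ca.conf \
+-keyfile "$ISSUER_KEY" \
+-md $HASH_ALG \
+-cert "$ISSUER_CERT" \
+-extensions "$EXTENSION" \
+-out "$CERT_PATH".pem \
+-in "$CERT_PATH".csr \
+-passin pass:"$PASS" \
+-batch \
+-notext
+popd
+
+#&> /dev/null
+# Increment the cert serial number
+awk -F',' '{printf("%s\t%d\n",$1,$2+1)}' ./ca/serial.txt &> /dev/null
+# remove csr file
+rm -f "$CERT_PATH".csr
+# remove all cert from TrustStore.jks
+keytool -delete -noprompt -alias hirs_aca_tls_rsa_3k_sha384 -keystore $TRUSTSTORE -storepass $PASS
+# insert new cert into TrustStore.jks with same alias
+keytool -import -file ""$CERT_PATH".pem" -alias hirs_aca_tls_rsa_3k_sha384 -keystore $TRUSTSTORE -storepass $PASS
+}
+
+create_cert "$TLS_SERVER" "$PKI_CA3" "$TLS_DN"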
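Review bot: In `create_cert`, the `keytool -delete` / `keytool -import` pair at the end rewrites TrustStore.jks unconditionally — there is no `set -e` and the exit status of `openssl ca` is never checked — so a failed signing (wrong `$PASS`, missing `ca.conf`) still removes the current `hirs_aca_tls_rsa_3k_sha384` entry and then imports a stale or nonexistent `.pem`, leaving the trust store without the TLS cert. Gate the store update on success: `openssl ca ... -notext || { popd; echo "signing $CERT_PATH failed" >&2; return 1; }`. Nothing here writes the new `.key`/`.pem` into `KeyStore.jks`, which this same commit configures as `server.ssl.key-store` under that alias, so unless another step repackages them the portal keeps presenting the old certificate while the trust store now holds the new one — confirm. `$PASS` is also handed to openssl and keytool on argv (`pass:"$PASS"`, `-storepass $PASS`) where any local user can read it via `ps`; `-passin env:PASS` / `-passout env:PASS` and `-storepass:env PASS` keep it off the command line. Smaller issues: `ALIAS=${CERT_PATH#*/}` strips only the leading `/` (shortest match; `##*/` yields the basename the comment promises) and is then unused in favour of the hardcoded alias, and the `awk` on `./ca/serial.txt` runs after `popd` with its output sent to `/dev/null`, so the serial file is never actually updated.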