added a -h|--help and -u|--unattended option for aca_setup.sh

2025-02-20 17:52:47 +00:00 · 2023-08-31 16:29:40 -04:00 · 2023-08-31 16:29:40 -04:00 · 2ce4264f6e
commit 2ce4264f6e
parent 410dbc8444
8 changed files with 158 additions and 165 deletions
--- a/package/scripts/aca/aca_bootRun.sh
+++ b/package/scripts/aca/aca_bootRun.sh
@ -38,8 +38,6 @@ fi
 check_for_container
 start_mysqlsd

-
-
 if [ ! -d "$CERT_PATH" ]; then
     echo "$CERT_PATH directory does not exist. Please run aca_setup.sh and try again."
     exit 1;
--- a/package/scripts/aca/aca_check_setup.sh
+++ b/package/scripts/aca/aca_check_setup.sh
@ -1,7 +1,7 @@
 #!/bin/bash
 ############################################################################################
 # Checks the setup for the ACA:
-# 
+#  takes a -v option to provide verbose output
 ############################################################################################

 SCRIPT_DIR=$( dirname -- "$( readlink -f -- "$0"; )"; )
@ -71,13 +71,14 @@ while [[ $# -gt 0 ]]; do
 done

 source /etc/hirs/aca/aca.properties;
+source $SCRIPT_DIR/../db/start_mysqld.sh

 check_pwds () {

 PRESENT=true
-echo "Checking if ACA passwords are in aca.properties"
+echo "Checking if ACA passwords are present..."
 if [ -z $hirs_pki_password ]; then
-   echo "hirs pki password not set" 
+   echo "ACA pki password not set" 
   PRESENT=false 
 fi
 if [ -z $hirs_db_username ]; then
@ -85,34 +86,20 @@ echo "Checking if ACA passwords are in aca.properties"
   PRESENT=false 
 fi
 if [ -z $hirs_db_password ]; then
-   echo "hirs db password not set"
+   echo "hirs db user password not set"
   PRESENT=false  
 fi
 if [ $PRESENT ]; then
-   echo "   HIRS passwords were created"
+   echo "   ACA passwords were found"
  else
-   echo "   ERROR finding HIRS passwords"
+   echo "   ERROR finding ACA passwords"
   ALL_CHECKS_PASSED=false
 fi
 }

-check_mysql () {
-  echo "Checking mysqld status..."
-  if [[ $(pgrep -c -u mysql mysqld) -ne 0 ]]; then
-      echo "   mysql process exists..."
-    else
-      echo "   mysqld process does NOT exist, attempting to restart mysql..."
-    /usr/bin/mysqld_safe &
-  fi
-
- # Wait for mysql to start before continuing.
-
-  while ! mysqladmin ping -h "$localhost" --silent; do
-     sleep 1;
-  done
-
-  echo "   mysqld is running."
-
+check_mysql_setup () {
+  # make sure mysql is running and restart if its not...
+  check_mysql
  # Check DB server/client TLS setup.
  if [[ $(cat "$DB_SRV_CONF" | grep -c "ssl") < 1 ]]; then
     echo "   Mysql server ($DB_SRV_CONF) is NOT configured for Server Side TLS"
@ -153,7 +140,7 @@ fi
 }

 check_pki () {
- echo "Checking HIRS PKI certificates"
+ echo "Checking ACA PKI certificates..."
  if [ ! -d "/etc/hirs/certificates" ]; then
     echo "/etc/hirs/certificates doesn't exists, was aca_setup.sh run ? /
           Skipping PKI Checks." 
@ -205,7 +192,7 @@ check_pki () {
 }

 check_db () {
-  echo "Check DB server TLS config..."
+  echo "Checking DB server TLS configuration..."
  RESULT=$(mysql -u root --password=$mysql_admin_password -e "SHOW VARIABLES LIKE '%have_ssl%'" |  grep -o YES )
  if [ "$RESULT" == "YES" ]; then
      echo "   Mysql Server side TLS is enabled:"
@ -242,25 +229,35 @@ check_selinux () {
   SELINUXSTATUS=$(getenforce)
   DB_SRV_CONTEXT=$(ls -Z $DB_SRV_CONF)
   DB_CLIENT_CONTEXT=$(ls -Z $DB_CLIENT_CONF)
-   
+   echo "Checking device selinux status..."
   if [[ "$SELINUXSTATUS" == *"Enforcing"* ]]; then
+     echo "   Selinux is in Enforcing mode."
     if [[ "$DB_SRV_CONTEXT" == *"mysqld_etc_t"* &&  "$DB_CLIENT_CONTEXT" == *"mysqld_etc_t"* ]]; then
-         echo "Selinux status is $SELINUXSTATUS and both $DB_SRV_CONF and $DB_SRV_CONF contexts are correct"
+         echo "   Selinux status is $SELINUXSTATUS and both $DB_SRV_CONF and $DB_CLIENT_CONF contexts are correct"
     elif [[ "$DB_CLIENT_CONTEXT" == *"mysqld_etc_t"* ]]; then
-        echo "Selinux status is $SELINUXSTATUS and $DB_SRV_CONF context is incorrect: $DB_SRV_CONTEXT"
+        echo "   Selinux status is $SELINUXSTATUS and $DB_CLIENT_CONF context is incorrect: $DB_CLIENT_CONTEXT"
        ALL_CHECKS_PASSED=false
     else
-        echo "Selinux status is $SELINUXSTATUS and $DB_CLIENT_CONF context is incorrect: $DB_CLIENT_CONTEXT"
+        echo "   Selinux status is $SELINUXSTATUS and $DB_SRV_CONF context is incorrect: $DB_SRV_CONTEXT"
        ALL_CHECKS_PASSED=false
     fi
+     else
+     echo "   Selinux is in NOT in Enforcing mode."
   fi
 }

+check_fips () {
+   echo "Checking FIPS mode on this device..."
+   echo "   "$(sysctl -a | grep crypto.fips_enabled)
+}
+
+check_for_container
 check_pwds
 check_pki
-check_mysql
+check_mysql_setup
 check_db
 check_selinux
+check_fips

 if [ $ALL_CHECKS_PASSED = true  ]; then
  echo "ACA setup checks passed!"
--- a/package/scripts/aca/aca_setup.sh
+++ b/package/scripts/aca/aca_setup.sh
@ -1,52 +1,78 @@
 #!/bin/bash
 # Capture location of the script to allow from invocation from any location
 SCRIPT_DIR=$( dirname -- "$( readlink -f -- "$0"; )"; )
-SPRING_PROP_FILE='../../../HIRS_AttestationCAPortal/src/main/resources/application.properties'
+#SPRING_PROP_FILE='../../../HIRS_AttestationCAPortal/src/main/resources/application.properties'
 HIRS_CONF_DIR=/etc/hirs/aca
 LOG_FILE_NAME="hirs_aca_install_"$(date +%Y-%m-%d).log 
 LOG_DIR="/var/log/hirs/"
 LOG_FILE="$LOG_DIR$LOG_FILE_NAME"
 HIRS_PROP_DIR="/opt/hirs/default-properties"
-COMP_JSON='../../../HIRS_AttestationCA/src/main/resources/component-class.json'
-VENDOR_TABLE='../../../HIRS_AttestationCA/src/main/resources/vendor-table.json'
+#COMP_JSON='../../../HIRS_AttestationCA/src/main/resources/component-class.json'
+#VENDOR_TABLE='../../../HIRS_AttestationCA/src/main/resources/vendor-table.json'

-echo "LOG_FILE is $LOG_FILE"
+help () {
+  echo "  Setup script for the HIRS ACA"
+  echo "  Syntax: sh aca_setup.sh [-u|h|sb|sp|--skip-db|--skip-pki]"
+  echo "  options:"
+  echo "     -u  | --unattended   Run unattended"
+  echo "     -h  | --help   Print this Help."
+  echo "     -sp | --skip-pki run the setup without pki setup."
+  echo "     -sb | --skip-db run the setup without databse setup."
+  echo
+}

- echo "HIRS_MYSQL_ROOT_PWD is $HIRS_MYSQL_ROOT_PWD"
- 
-if [ "$EUID" -ne 0 ]
-      then echo "This script requires root.  Please run as root"
-      exit 1
-fi
-
-mkdir -p $HIRS_CONF_DIR $LOG_DIR $HIRS_PROP_DIR
-
-# Process parameters
-# Argument handling 
+# Process parameters Argument handling 
 POSITIONAL_ARGS=()

 while [[ $# -gt 0 ]]; do
  case $1 in
-    --skip-db)
+    -sd|--skip-db)
      ARG_SKIP_DB=YES
      shift # past argument
      ;;
-    --skip-pki)
+    -sp|--skip-pki)
      ARG_SKIP_PKI=YES
      shift # past argument
      ;;
+    -u|--unattended)
+      ARG_UNATTEND=YES
+      shift # past argument
+      ;;
+    -h|--help)
+      help     
+      exit 0
+      shift # past argument
+      ;; 
    -*|--*)
      echo "aca_setup.sh: Unknown option $1"
+      help
+      exit 1
      ;;
    *)
-      POSITIONAL_ARGS+=("$1") # save positional arg
-      shift # past argument
+     POSITIONAL_ARGS+=("$1") # save positional arg
+     # shift # past argument
+     break
      ;;
  esac
 done

 set -- "${POSITIONAL_ARGS[@]}" # restore positional parameters
- 
+
+mkdir -p $HIRS_CONF_DIR $LOG_DIR $HIRS_PROP_DIR
+
+echo "ACA setup log file is $LOG_FILE"
+
+if [ -z $HIRS_MYSQL_ROOT_PWD ]; then 
+    echo "HIRS_MYSQL_ROOT_PWD is not set, using locally generated mysql root password"
+  else 
+    echo "HIRS_MYSQL_ROOT_PWD is set, using previously set mysql root password"
+fi
+
+if [ "$EUID" -ne 0 ]
+      then echo "This script requires root.  Please run as root"
+      exit 1
+fi
+
 echo "HIRS ACA Setup initiated on $(date +%Y-%m-%d)" > "$LOG_FILE"

 pushd $SCRIPT_DIR &>/dev/null
@ -62,14 +88,14 @@ if [ -z $HIRS_PKI_PWD ]; then
 fi

 # Copy HIRS configuration and data files if not a package install
-if [ -f $SPRING_PROP_FILE ]; then
-   cp -n $SPRING_PROP_FILE $HIRS_CONF_DIR/.
-   cp -n $COMP_JSON $HIRS_PROP_DIR/.
-   cp -n $VENDOR_TABLE $HIRS_PROP_DIR/.
-fi
+#if [ -f $SPRING_PROP_FILE ]; then
+#   cp -n $SPRING_PROP_FILE $HIRS_CONF_DIR/.
+#   cp -n $COMP_JSON $HIRS_PROP_DIR/.
+#   cp -n $VENDOR_TABLE $HIRS_PROP_DIR/.
+#fi

 if [ -z "${ARG_SKIP_PKI}" ]; then
-   sh ../pki/pki_setup.sh $LOG_FILE $PKI_PASS
+   sh ../pki/pki_setup.sh $LOG_FILE $PKI_PASS $ARG_UNATTEND
   if [ $? -eq 0 ]; then 
        echo "ACA PKI  setup complete" | tee -a "$LOG_FILE"
      else
@ -81,7 +107,7 @@ if [ -z "${ARG_SKIP_PKI}" ]; then
 fi

 if [ -z "${ARG_SKIP_DB}" ]; then
-   sh ../db/db_create.sh $LOG_FILE
+   sh ../db/db_create.sh $LOG_FILE $ARG_UNATTEND
   if [ $? -eq 0 ]; then
      echo "ACA database setup complete" | tee -a "$LOG_FILE"
    else
@ -92,6 +118,6 @@ if [ -z "${ARG_SKIP_DB}" ]; then
      echo "Warning: Database setup not run due to command line argument: $@" | tee -a "$LOG_FILE"
 fi

- echo "ACA setup complete" | tee -a "$LOG_FILE"
+echo "ACA setup complete" | tee -a "$LOG_FILE"

 popd &>/dev/null
--- a/package/scripts/db/db_create.sh
+++ b/package/scripts/db/db_create.sh
@ -8,13 +8,13 @@
 ################################################################################

 LOG_FILE=$1
+UNATTENDED=$2
 # LOG_FILE="/var/log/hirs/hirs_aca_install_$(date +%Y-%m-%d).log"
 # Capture location of the script to allow from invocation from any location
 SCRIPT_DIR=$( dirname -- "$( readlink -f -- "$0"; )"; )
 SPRING_PROP_FILE="/etc/hirs/aca/application.properties"
 ACA_PROP_FILE="/etc/hirs/aca/aca.properties"
 DB_ADMIN_PWD=""
-#DB_USER="hirs_db"
 # Db Configuration files
 DB_SRV_CONF="/etc/my.cnf.d/mariadb-server.cnf"
 DB_CLIENT_CONF="/etc/my.cnf.d/client.cnf"
@ -40,18 +40,24 @@ source $ACA_PROP_FILE

 check_mysql_root_pwd () {
  # Check if DB root password needs to be obtained
-  echo "HIRS_MYSQL_ROOT_PWD is $HIRS_MYSQL_ROOT_PWD"
+ 
  if [ -z $HIRS_MYSQL_ROOT_PWD ]; then
 	 # Create a 32 character random password
 	 echo "Using randomly generated password for the DB admin" | tee -a "$LOG_FILE"
 	 DB_ADMIN_PWD=$(head -c 64 /dev/urandom | md5sum | tr -dc 'a-zA-Z0-9')
 	 echo "DB Admin will be set to $DB_ADMIN_PWD , please make note for next mysql use."
-	 read -p "Do you wish to save this password to the aca.properties file? " confirm
-	 if [[ $confirm == [yY] || $confirm == [yY][eE][sS] ]]; then
-	    echo "mysql_admin_password=$DB_ADMIN_PWD" >> $ACA_PROP_FILE
-	    echo "Password saved."
-	   else
-	    echo "Password not saved."
+     # Check i UNATTENDED flag set m if not then prompt user for permission ot store mysql root password
+	 if [ -z $UNATTENDED ]; then
+	   read -p "Do you wish to save this password to the aca.properties file? " confirm
+	   if [[ $confirm == [yY] || $confirm == [yY][eE][sS] ]]; then
+	      echo "mysql_admin_password=$DB_ADMIN_PWD" >> $ACA_PROP_FILE
+	      echo "Mysql root password saved locally"
+	    else
+	      echo "Mysql root password not saved locally"
+	   fi
+	 else
+	   echo "mysql_admin_password=$DB_ADMIN_PWD" >> $ACA_PROP_FILE
+	   echo "Mysql root password has been saved locally."
 	 fi
 	 mysqladmin --user=root password "$DB_ADMIN_PWD"
  else
@ -84,7 +90,7 @@ set_mysql_server_tls () {
    selinuxenabled
    if [ $? -eq 0 ]; then
       semanage fcontext -a -t mysqld_etc_t $DB_SRV_CONF  > /dev/null #adds the context type to file
-       restorecon -v -F $DB_SRV_CONF                           # changes the file's context type
+       restorecon -v -F $DB_SRV_CONF      > /dev/null                 # changes the file's context type
    fi
  else
       echo "mysql.cnf contians existing entry for ssl, skipping..." | tee -a "$LOG_FILE"
@ -103,7 +109,7 @@ if [[ $(cat "$DB_CLIENT_CONF" | grep -c "ssl") < 1 ]]; then
  selinuxenabled
  if [ $? -eq 0 ]; then
      semanage fcontext -a -t mysqld_etc_t $DB_CLIENT_CONFf > /dev/null  #adds the context type to file
-      restorecon -F $DB_CLIENT_CONF                                     #changes the file's context type
+      restorecon -F $DB_CLIENT_CONF                         > /dev/null #changes the file's context type
  fi                           
 fi
 }
@ -140,7 +146,6 @@ create_hirs_db_with_tls () {
  fi
 }

-
 # HIRS ACA Mysqld processing ...
 check_mariadb_install
 check_for_container
@ -150,8 +155,4 @@ start_mysqlsd
 check_mysql_root_pwd
 set_hirs_db_pwd
 create_hirs_db_with_tls
-# reboot mysql server
-mysql -u root --password=$DB_ADMIN_PWD -e "SHUTDOWN"
-sleep 2
-check_for_container
-start_mysqlsd
+mysqld_reboot
--- a/package/scripts/db/reset_hirs_db_user.sh
+++ b/package/scripts/db/reset_hirs_db_user.sh
@ -1,60 +0,0 @@
-#!/bin/bash
-
-SCRIPT_DIR=$( dirname -- "$( readlink -f -- "$0"; )"; )
-
-source /etc/hirs/aca/aca.properties;
-
-if [ -z $mysql_admin_password ]; then
-  read -p "Enter mysql root password" DB_ADMIN_PWD
-  else 
-      DB_ADMIN_PWD=$mysql_admin_password
-fi
-
-if [ -z $hirs_db_password ]; then
-  read -p "Enter mysql root password" hirs_db_password
-  else 
-      HIRS_DB_PWD=$hirs_db_password
-fi
-
-echo "HIRS_DB_PWD is $HIRS_DB_PWD"
-echo "DB_ADMIN_PWD is $DB_ADMIN_PWD"
-
-# check if hirs_db user exists
-RESULT="$(mysql -u root --password=$DB_ADMIN_PWD -sse "SELECT EXISTS(SELECT 1 FROM mysql.user WHERE user = 'hirs_db')")"
-if [ "$RESULT" = 1 ]; then
-  echo "hirs_db user found, dropping hirs-db user"
-  mysql -u root --password=$DB_ADMIN_PWD -e "SET PASSWORD FOR "hirs_db@localhost" = PASSWORD('');"
-  mysql -u root --password=$DB_ADMIN_PWD -e "DROP USER 'hirs_db'@'localhost';"
-
-  if [ $? -ne 0 ]; then
-     echo "Removing the existing hirs_db user failed"
-     else
-     echo "Removing the existing hirs_db was successful"
-  fi
-  else
-  echo "no hirs_db user found, creating one..."
-fi
-
-mysql -u root --password=$mysql_admin_password -e "Select user from mysql.user;"
-echo "Creating hirs_db user"
-#mysql -u root --password=$DB_ADMIN_PWD < $SCRIPT_DIR/db_create.sql
-#mysql -u root --password=$mysql_admin_password -e "FLUSH PRIVILEGES;"
-
-mysql -u root --password=$DB_ADMIN_PWD -e "CREATE USER 'hirs_db'@'localhost' IDENTIFIED BY 'hirs_db';" 
-mysql -u root --password=$DB_ADMIN_PWD -e "ALTER USER 'hirs_db'@'localhost' IDENTIFIED BY '$HIRS_DB_PWD'; FLUSH PRIVILEGES;"
-mysql -u root --password=$DB_ADMIN_PWD -e "GRANT ALL ON hirs_db.* TO 'hirs_db'@'localhost' REQUIRE X509;"
-mysql -u root --password=$DB_ADMIN_PWD -e "FLUSH PRIVILEGES;"
-
-mysql -u root --password=$mysql_admin_password -e "show databases;"
-
-mysql -u root --password=$mysql_admin_password -e  "CHECK TABLE mysql.user;"
-
-mysql -u root --password=$mysql_admin_password -e "Select user from mysql.user;"
-#mysql -u root --password=$mysql_admin_password -e "SHOW CREATE USER 'hirs_db'@'localhost';"
-mysql -u root --password=$mysql_admin_password -e "SHOW GRANTS FOR 'hirs_db'@'localhost'" 
-
-
-echo "HIRS_DB_PWD is $HIRS_DB_PWD"
-echo "Checking hirs_db user..."
-# check user
-mysql -u hirs_db --password=$HIRS_DB_PWD -e "SHOW DATABASES;";
--- a/package/scripts/db/start_mysqld.sh
+++ b/package/scripts/db/start_mysqld.sh
@ -1,10 +1,11 @@
 #!/bin/bash
 #####################################################################################
 #
-# Function to check mysql and start if not running.
+# Functions to check mysql and start if not running.
 #    Also a function for checking if running in a container
 #
 #####################################################################################
+SQL_SERVICE="mariadb"

 check_for_container () {
  # Check if we're in a Docker container
@ -21,9 +22,9 @@ check_for_container () {
  else
   MYSQL_DIR="$SCRIPT_DIR/../db"
  fi
-  echo "Mysql script directory is $MYSQL_DIR"
 }

+# Check for mysql command line
 check_mariadb_install () {
   type mysql >/dev/null 2>&1 && installed=true || installed=false
   if [ $installed = true ]; then
@ -33,7 +34,7 @@ check_mariadb_install () {
      exit 1;
   fi 
 }
-
+# Starts mariadb during intial install 
 start_mysqlsd () {
   # Check if mysql is already running, if not initialize
   if [[ $(pgrep -c -u mysql mysqld) -eq 0 ]]; then
@ -47,16 +48,22 @@ start_mysqlsd () {
           /usr/bin/mysql_install_db > "$LOG_FILE"
           chown -R mysql:mysql /var/lib/mysql/
         fi
-       echo "Starting mysql...."
-       chown -R mysql:mysql /var/log/mariadb
-       /usr/bin/mysqld_safe &
-     else #not a container
-       SQL_SERVICE="mariadb"
-       systemctl enable $SQL_SERVICE 
-       systemctl start $SQL_SERVICE 
+         echo "Starting mysql...."
+         chown -R mysql:mysql /var/log/mariadb
+         /usr/bin/mysqld_safe &
+       else #not a container
+         systemctl enable $SQL_SERVICE 
+         systemctl start $SQL_SERVICE 
+       fi
+     else # mysql process is running
+     # check if mysql service is running 
+     if [ ! $DOCKER_CONTAINER  = true ]; then
+     DB_STATUS=$(systemctl status mysql |grep 'running' | wc -l )
+       if [ $DB_STATUS -eq 0 ]; then 
+         echo "mariadb not running , attempting to restart"
+         systemctl start mariadb
+       fi
     fi
-     else # mysql running
-     echo "mysql process running.."
   fi   

  # Wait for mysql to start before continuing.
@ -68,3 +75,37 @@ start_mysqlsd () {
  echo "mysqld is running."| tee -a "$LOG_FILE"
 }

+# Basic check for marai db status, attempts restart if not running
+check_mysql () {
+ echo "Checking mysqld status..."
+  if [ $DOCKER_CONTAINER  = true ]; then
+       if [[ $(pgrep -c -u mysql mysqld) -eq 0 ]]; then
+          echo "mariadb not running , attempting to restart"
+          /usr/bin/mysqld_safe &
+       fi
+  else  # not in a contianer
+    DB_STATUS=$(systemctl status mysql |grep 'running' | wc -l )
+    if [ $DB_STATUS -eq 0 ]; then 
+       echo "mariadb not running , attempting to restart"
+       systemctl start mariadb
+    fi
+  fi 
+
+ # Wait for mysql to start before continuing.
+
+  while ! mysqladmin ping -h "$localhost" --silent; do
+     sleep 1;
+  done
+
+  echo "   Mariadb is running."
+
+}
+
+# restart maraidb
+mysqld_reboot () {
+  # reboot mysql server
+  mysql -u root --password=$DB_ADMIN_PWD -e "SHUTDOWN"
+  sleep 2
+  check_for_container
+  start_mysqlsd
+}
--- a/package/scripts/pki/pki_chain_gen.sh
+++ b/package/scripts/pki/pki_chain_gen.sh
@ -110,9 +110,9 @@ add_to_stores () {
   # Add the cert and key to the key store. make a p12 file to import into te keystore
   openssl pkcs12 -export -in "$CERT_PATH".pem -inkey "$CERT_PATH".key -out tmpkey.p12 -passin pass:"$PASS" -aes256 -passout pass:$PASS  >> "$LOG_FILE" 2>&1
   # Use the p12 file to import into a java keystore via keytool
-   keytool -importkeystore -srckeystore tmpkey.p12 -destkeystore $KEYSTORE -srcstoretype pkcs12 -srcstorepass $PASS -deststoretype jks -deststorepass $PASS -noprompt -alias 1 -destalias -J-Dcom.redhat.fips=false "$ALIAS" >> "$LOG_FILE" 2>&1 
+   keytool -importkeystore -srckeystore tmpkey.p12 -destkeystore $KEYSTORE -srcstoretype pkcs12 -srcstorepass $PASS -deststoretype jks -deststorepass $PASS -noprompt -alias 1 -destalias "$ALIAS" >> "$LOG_FILE" 2>&1 
   # Import the cert into a java trust store via keytool
-   keytool -import -keystore $TRUSTSTORE -storepass $PASS -file "$CERT_PATH".pem  -noprompt -alias "$ALIAS" -J-Dcom.redhat.fips=false >> "$LOG_FILE" 2>&1
+   keytool -import -keystore $TRUSTSTORE -storepass $PASS -file "$CERT_PATH".pem  -noprompt -alias "$ALIAS" >> "$LOG_FILE" 2>&1
   # Remove the temp p1 file.
   rm tmpkey.p12
 } 
@ -174,9 +174,9 @@ create_cert () {
   # Add the cert and key to the key store. make a p12 file to import into te keystore
   openssl pkcs12 -export -in "$CERT_PATH".pem -inkey "$CERT_PATH".key -out tmpkey.p12 -passin pass:$PASS -aes256 -passout pass:$PASS  >> "$LOG_FILE" 2>&1
   # Use the p12 file to import into a java keystore via keytool
-   keytool -importkeystore -srckeystore tmpkey.p12 -destkeystore $KEYSTORE -srcstoretype pkcs12 -srcstorepass $PASS -deststoretype jks -deststorepass $PASS -noprompt -alias 1 -destalias -J-Dcom.redhat.fips=false "$ALIAS" >> "$LOG_FILE" 2>&1 
+   keytool -importkeystore -srckeystore tmpkey.p12 -destkeystore $KEYSTORE -srcstoretype pkcs12 -srcstorepass $PASS -deststoretype jks -deststorepass $PASS -noprompt -alias 1 -destalias "$ALIAS" >> "$LOG_FILE" 2>&1 
   # Import the cert into a java trust store via keytool
-   keytool -import -keystore $TRUSTSTORE -storepass $PASS -file "$CERT_PATH".pem  -noprompt -alias "$ALIAS" -J-Dcom.redhat.fips=false >> "$LOG_FILE" 2>&1
+   keytool -import -keystore $TRUSTSTORE -storepass $PASS -file "$CERT_PATH".pem  -noprompt -alias "$ALIAS" >> "$LOG_FILE" 2>&1
   # Remove the temp p1 file.
   rm -f tmpkey.p12 &>/dev/null
 }
--- a/package/scripts/pki/pki_setup.sh
+++ b/package/scripts/pki/pki_setup.sh
@ -3,13 +3,14 @@
 # Creates 2 Certificate Chains for the ACA:
 # 1 RSA 3K SHA 384
 # 2 ECC 512 SHA 384
-#
+# 
 ############################################################################################

 #PROP_FILE=/etc/hirs/aca/application.properties
 ACA_PROP=/etc/hirs/aca/aca.properties
 LOG_FILE=$1
 PKI_PASS=$2
+UNATTENDED=$3
 LOG_FILE_NAME="hirs_aca_install_"$(date +%Y-%m-%d).log
 LOG_DIR="/var/log/hirs/"
 HIRS_CONF_DIR=/etc/hirs/aca
@ -23,6 +24,7 @@ if [ -z "$1" ]; then
   LOG_FILE="$LOG_DIR$LOG_FILE_NAME"
   echo "using log file $LOG_FILE" | tee -a "$LOG_FILE"
 fi
+
 if [ -z "$2" ]; then
   PKI_PASS=$(head -c 64 /dev/urandom | md5sum | tr -dc 'a-zA-Z0-9')
   echo "Using randomly generated password for the PKI key password" | tee -a "$LOG_FILE"
@ -53,18 +55,6 @@ if [ ! -d "/etc/hirs/certificates" ]; then
  sh $PKI_SETUP_DIR/pki_chain_gen.sh "HIRS" "ecc" "512" "sha384" "$PKI_PASS" "$LOG_FILE"
  popd &> /dev/null

-  # Add tomcat TLS support to the application.properties file 
-  #echo "# Tomcat TLS support">> $PROP_FILE
-  #echo "server.port=8443">> $PROP_FILE
-  #echo "server.ssl.enabled=true">> $PROP_FILE
-  #echo "server.ssl.trust-store-type=JKS">> $PROP_FILE
-  #echo "server.ssl.trust-store=/etc/hirs/certificates/HIRS/TrustStore.jks">> $PROP_FILE
-  #echo "server.ssl.trust-alias=hirs_aca_tls_rsa_3k_sha384">> $PROP_FILE
-  #echo "server.ssl.key-store-type=JKS">> $PROP_FILE
-  #echo "server.ssl.key-store=/etc/hirs/certificates/HIRS/KeyStore.jks">> $PROP_FILE
-  #echo "server.ssl.key-alias=hirs_aca_tls_rsa_3k_sha384">> $PROP_FILE
-  #echo "server.ssl.key-store-password="$PKI_PASS >> $PROP_FILE
-  #echo "server.ssl.trust-store-password="$PKI_PASS >> $PROP_FILE
  echo "hirs_pki_password="$PKI_PASS >>  $ACA_PROP
 else 
  echo "/etc/hirs/certificates exists, skipping" | tee -a "$LOG_FILE"