diff --git a/HIRS_AttestationCAPortal/build.gradle b/HIRS_AttestationCAPortal/build.gradle
index 45259c42..dcadd19d 100644
--- a/HIRS_AttestationCAPortal/build.gradle
+++ b/HIRS_AttestationCAPortal/build.gradle
@@ -51,11 +51,11 @@ dependencies {
     implementation 'org.junit.jupiter:junit-jupiter:5.4.2'
     implementation 'org.apache.tomcat.embed:tomcat-embed-jasper:10.1.5'
 
-    implementation 'org.glassfish.web:jakarta.servlet.jsp.jstl:3.0.0'
-    implementation 'jakarta.servlet:jakarta.servlet-api:6.0.0'
-    implementation 'jakarta.servlet.jsp.jstl:jakarta.servlet.jsp.jstl-api:3.0.0'
-    implementation 'jakarta.servlet.jsp:jakarta.servlet.jsp-api:3.0.0'    
-    implementation 'jakarta.el:jakarta.el-api:5.0.0'
+//    implementation 'org.glassfish.web:jakarta.servlet.jsp.jstl:3.0.0'
+//    implementation 'jakarta.servlet:jakarta.servlet-api:6.0.0'
+//    implementation 'jakarta.servlet.jsp.jstl:jakarta.servlet.jsp.jstl-api:3.0.0'
+//    implementation 'jakarta.servlet.jsp:jakarta.servlet.jsp-api:3.0.0'    
+//    implementation 'jakarta.el:jakarta.el-api:5.0.0'
 
 
     compileOnly 'org.projectlombok:lombok'
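Review bot: The five Jakarta servlet/JSTL/EL dependencies are commented out rather than deleted, and nothing in the `dependencies` block says why. If they are now supplied transitively (presumably by `tomcat-embed-jasper` or a Spring Boot starter, which this hunk does not show), delete the lines or replace them with one comment such as `// servlet/JSP/JSTL/EL APIs come in transitively via <source>; do not redeclare`. Commented-out dependency lines tend to be re-enabled later with stale versions. The `dependencies` block starts and ends outside this hunk.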
diff --git a/HIRS_AttestationCAPortal/src/main/resources/application.properties b/HIRS_AttestationCAPortal/src/main/resources/application.properties
index 288f48c4..8b856317 100644
--- a/HIRS_AttestationCAPortal/src/main/resources/application.properties
+++ b/HIRS_AttestationCAPortal/src/main/resources/application.properties
@@ -17,7 +17,7 @@ spring.datasource.driver-class-name=org.mariadb.jdbc.Driver
 #spring.datasource.driverClassName=com.mysql.cj.jdbc.Driver
 
 # Tomcat Config
-server.tomcat.additional-tld-skip-patterns=*jakarta*.jar, txw2*.jar, *commons*.jar,  *annotations*.jar, *checker*.jar, *lombok*.jar, *jsr*.jar, *guava*.jar, *access*.jar, *activation*.jar, *bcprov*.jar, *bcmail*.jar, *bcutil*.jar, *bcpkix*.jar, *json*.jar 
+server.tomcat.additional-tld-skip-patterns=jakarta.persistence-api*.jar, jakarta.xml.bind-api*.jar, txw2*.jar, *commons*.jar,  *annotations*.jar, *checker*.jar, *lombok*.jar, *jsr*.jar, *guava*.jar, *access*.jar, *activation*.jar, *bcprov*.jar, *bcmail*.jar, *bcutil*.jar, *bcpkix*.jar, *json*.jar 
 server.tomcat.basedir=/opt/embeddedtomcat
 server.servlet.register-default-servlet=true
 server.servlet.context-path=/HIRS_AttestationCAPortal
@@ -30,16 +30,6 @@ server.tomcat.accesslog.prefix=access_log
 server.tomcat.accesslog.suffix=.log
 server.tomcat.accesslog.rotate=true
 
-# Tomcat TLS support
-server.port=8443
-server.ssl.enabled=true
-server.ssl.trust-store-type=JKS
-server.ssl.trust-store=/etc/hirs/certificates/HIRS/TrustStore.jks
-server.ssl.trust-alias=hirs_aca_tls_rsa_3k_sha384
-server.ssl.key-store-type=JKS
-server.ssl.key-store=/etc/hirs/certificates/HIRS/KeyStore.jks
-server.ssl.key-alias=hirs_aca_tls_rsa_3k_sha384
-
 #jdbc.driverClassName = com.mysql.cj.jdbc.Driver
 #jdbc.url = jdbc:mysql://localhost:3306/hirs_db?autoReconnect=true&useSSL=false
 #jdbc.username = root
@@ -48,5 +38,5 @@ server.ssl.key-alias=hirs_aca_tls_rsa_3k_sha384
 #spring.jpa.hibernate.ddl-auto=update
 #spring.jpa.show-sql=true
 
-# Passwords get appended here ...
+# DB dfault password.
 spring.datasource.password=hirs_db
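Review bot: The new comment has a typo (`dfault`) and drops the hint that passwords are appended to this file, which still happens: `pki_setup.sh` in this commit appends `server.ssl.key-store-password` and `server.ssl.trust-store-password` to the deployed copy. Suggest `# Default DB password (development setup). TLS store passwords are appended to the deployed copy by pki_setup.sh.` Since `hirs_db` is a committed default, the comment should also say that it has to be changed for anything other than a development install.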
diff --git a/package/scripts/aca/aca_bootRun.sh b/package/scripts/aca/aca_bootRun.sh
index 2118ba92..a77d10af 100644
--- a/package/scripts/aca/aca_bootRun.sh
+++ b/package/scripts/aca/aca_bootRun.sh
@@ -6,25 +6,8 @@
 #
 ####################################################################################
 
-PASS_FILE="/etc/hirs/aca/application.properties"
-
-declare -A props
-
-if [ -f $PASS_FILE ]; then
-  while IFS="=" read -r key value; do
-    #echo "key is $key, value is $value"
-    if [ ! -z "$key" ]; then
-        props["$key"]="$value"
-    fi
-  done < "$PASS_FILE"
-else
-  echo "error reading $PASS_FILE"
-  exit 1
-fi
-
-#echo "server_ssl_trust-store-password = " ${props["server.ssl.trust-store-password"]}
-#echo "server_ssl_key-store-password = " ${props["server.ssl.key-store-password"]}
+CONFIG_FILE="/etc/hirs/aca/application.properties"
 
 echo "Starting HIRS ACA on https://localhost:8443/HIRS_AttestationCAPortal/portal/index"
 
-./gradlew bootRun --args="--server.ssl.trust-store-password=${props["server.ssl.trust-store-password"]} --server.ssl.key-store-password=${props["server.ssl.key-store-password"]}"
+./gradlew bootRun --args="--spring.config.location=$CONFIG_FILE"
\ No newline at end of file
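Review bot: The readable-file check the old script had was dropped along with the password parsing, so a missing or unreadable `/etc/hirs/aca/application.properties` now surfaces only as a Spring startup failure from inside Gradle. Keep a guard before the `./gradlew` line, e.g. `[ -r "$CONFIG_FILE" ] || { echo "error reading $CONFIG_FILE"; exit 1; }`. Note also that `--spring.config.location` replaces the default config search locations rather than adding to them, so every property the portal needs must be in that one file; a one-line comment above `CONFIG_FILE` saying so would help the next maintainer.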
diff --git a/package/scripts/aca/aca_setup.sh b/package/scripts/aca/aca_setup.sh
index d89cd894..e714fba4 100644
--- a/package/scripts/aca/aca_setup.sh
+++ b/package/scripts/aca/aca_setup.sh
@@ -2,36 +2,43 @@
 # Capture location of the script to allow from invocation from any location
 SCRIPT_DIR=$( dirname -- "$( readlink -f -- "$0"; )"; )
 PROP_FILE='../../../HIRS_AttestationCAPortal/src/main/resources/application.properties'
+CONF_DIR=/etc/hirs/aca
+LOG_FILE_NAME="hirs_aca_install_"$(date +%Y-%m-%d).log 
+LOG_DIR="/opt/embeddedtomcat/logs/"
+LOG_FILE="$LOG_DIR$LOG_FILE_NAME"
+echo "LOG_FILE is $LOG_FILE"
 
 if [ "$EUID" -ne 0 ]
       then echo "The first time this script is run, this script requires root.  Please run as root"
       exit 1
 fi
 
-mkdir -p /etc/hirs/aca/
+echo "HIRS ACA Setup initiated on $(date +%Y-%m-%d)" > "$LOG_FILE"
+
+mkdir -p $CONF_DIR  $LOG_DIR
 
 pushd $SCRIPT_DIR
 
 # If setup for development start with basic spring config
 if [ -f  $PROP_FILE ]; then
-   cp $PROP_FILE /etc/hirs/aca/.
+   cp $PROP_FILE $CONF_DIR/.
 fi
 
-sh ../db/db_create.sh
+sh ../db/db_create.sh $LOG_FILE
 if [ $? -eq 0 ]; then
-    echo "ACA database setup complete"
+    echo "ACA database setup complete" | tee -a "$LOG_FILE"
   else
-    echo "Error setting up ACA DB"
+    echo "Error setting up ACA DB" | tee -a "$LOG_FILE"
     exit 1
 fi
-sh ../pki/pki_setup.sh
+sh ../pki/pki_setup.sh $LOG_FILE
 if [ $? -eq 0 ]; then 
-      echo "ACA PKI  setup complete"
+      echo "ACA PKI  setup complete" | tee -a "$LOG_FILE"
   else
-    echo "Error setting up ACA PKI"
+    echo "Error setting up ACA PKI" | tee -a "$LOG_FILE"
     exit 1
 fi
 
- echo "ACA setup complete"
+ echo "ACA setup complete" | tee -a "$LOG_FILE"
 
 popd
\ No newline at end of file
diff --git a/package/scripts/pki/ca.conf b/package/scripts/pki/ca.conf
index eed05dab..cc1b92bc 100644
--- a/package/scripts/pki/ca.conf
+++ b/package/scripts/pki/ca.conf
@@ -23,6 +23,11 @@ organizationalUnitName = optional
 commonName = optional
 emailAddress = optional
 
+[ alternate_names ]
+DNS.1       = localhost
+DNS.2       = localhost.localdomain
+DNS.3       = 127.0.0.1
+
 [ ca_extensions ]
 keyUsage = critical,digitalSignature,nonRepudiation,keyEncipherment,keyCertSign
 basicConstraints = critical,CA:true,pathlen:1
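Review bot: `DNS.3 = 127.0.0.1` puts an IP address into a dNSName entry; TLS clients that verify an IP literal compare it against iPAddress SAN entries, so a connection to the portal by `127.0.0.1` would likely still fail hostname verification. Use `IP.1 = 127.0.0.1` in `[ alternate_names ]` instead. The section is pulled in by `subjectAltName = @alternate_names` in the next hunk and lists only loopback names, so a portal reached under any other host name would need that name added here as well.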
@@ -38,8 +43,9 @@ keyUsage                = critical,digitalSignature,keyEncipherment
 extendedKeyUsage        = serverAuth,clientAuth
 subjectKeyIdentifier    = hash
 authorityKeyIdentifier  = keyid:always
-authorityInfoAccess = caIssuers;URI:https://example.com/certs
+authorityInfoAccess     = caIssuers;URI:https://example.com/certs
 crlDistributionPoints   = URI:https://example.com/crl
+subjectAltName          = @alternate_names
 
 [ signer_extensions ]
 keyUsage = critical,digitalSignature,nonRepudiation,keyEncipherment
@@ -47,5 +53,4 @@ subjectKeyIdentifier = hash
 authorityKeyIdentifier = keyid:always,issuer
 keyUsage = critical, digitalSignature
 authorityInfoAccess = caIssuers;URI:https://example.com/certs/
-crlDistributionPoints   = URI:https://example.com/crl
-
+crlDistributionPoints   = URI:https://example.com/crl
\ No newline at end of file
diff --git a/package/scripts/pki/pki_chain_gen.sh b/package/scripts/pki/pki_chain_gen.sh
index f4dae1ed..0b3b114b 100644
--- a/package/scripts/pki/pki_chain_gen.sh
+++ b/package/scripts/pki/pki_chain_gen.sh
@@ -20,6 +20,7 @@ ASYM_ALG=$2
 ASYM_SIZE=$3
 HASH_ALG=$4
 PASS=$5
+LOG_FILE=$6
 ROOT_DN="/C=US/ST=MD/L=Columbia/O="$ACTOR"/CN="$ACTOR" test root ca"
 INT_DN="/C=US/ST=MD/L=Columbia/O="$ACTOR"/CN="$ACTOR" test intermediate ca"
 LEAF_DN="/C=US/ST=MD/L=Columbia/O="$ACTOR"/CN="$ACTOR" test ca"
@@ -32,13 +33,17 @@ KEYSTORE=KeyStore.jks
 
 # Parameter check 
 if [ -z "${ACTOR}" ] || [ -z "${ASYM_ALG}" ] || [ -z "${ASYM_SIZE}" ] || [ -z "${HASH_ALG}" ] || [ "${ACTOR}" == "-h" ] || [ "${ACTOR}" == "--help" ]; then
-   echo "parameter missing to pki_chain_gen.sh, exiting pki setup"
+   echo "parameter missing to pki_chain_gen.sh, exiting pki setup" | tee -a "$LOG_FILE"
    exit 1;
 fi
 
 if ! { [ $ASYM_ALG == "rsa" ] || [ $ASYM_ALG == "ecc" ]; }; then
-       echo "$ASYM_ALG is an unsupported assymetric algorithm, exiting pki setup"
-       exit 1
+       echo "$ASYM_ALG is an unsupported assymetric algorithm, exiting pki setup" | tee -a "$LOG_FILE"
+       exit 1;
+fi
+
+if [ -z ${LOG_FILE} ]; then
+       LOG_FILE="/dev/null"
 fi
 
 case $ASYM_SIZE in
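Review bot: `LOG_FILE` is defaulted to `/dev/null` only after the two parameter checks have already piped through `tee -a "$LOG_FILE"`, so when the sixth argument is omitted those error paths run `tee -a ""` and print a spurious tee error alongside the real message. Set the default where the variable is assigned, `LOG_FILE=${6:-/dev/null}`, and drop the later `if [ -z ${LOG_FILE} ]` block, whose test is also unquoted. `pki_setup.sh` has the same gap: its `LOG_FILE=$1` has no default at all, so `LOG_FILE=${1:-/dev/null}` applies there too.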
@@ -52,7 +57,7 @@ case $ASYM_SIZE in
      3072) KSIZE=3k;;
      4096) KSIZE=4k;;
      *) 
-       echo "$ASYM_SIZE is an unsupported key size, exiting pki setup"
+       echo "$ASYM_SIZE is an unsupported key size, exiting pki setup" | tee -a "$LOG_FILE"
        exit 1;;
 esac
 
@@ -72,25 +77,41 @@ ROOT_DN="/C=US/ST=MD/L=Columbia/O="$ACTOR"/CN="$NAME" test root ca"
 INT_DN="/C=US/ST=MD/L=Columbia/O="$ACTOR"/CN="$NAME" test intermediate ca"
 LEAF_DN="/C=US/ST=MD/L=Columbia/O="$ACTOR"/CN="$NAME" test ca"
 SIGNER_DN="/C=US/ST=MD/L=Columbia/O="$ACTOR"/CN="$NAME" test signer"
-TLS_DN="/C=US/ST=MD/L=Columbia/O="$ACTOR"/CN=localhost"
+TLS_DN="/C=US/ST=MD/L=Columbia/O="$ACTOR"/CN="$NAME" portal"
 
 # Add check for existing folder and halt if it exists
 if [ -d "$ACTOR_ALT"/"$CERT_FOLDER" ]; then
-   echo "Folder for $CERT_FOLDER exists, exiting..."
+   echo "Folder for $CERT_FOLDER exists, exiting..." | tee -a "$LOG_FILE"
    exit 1;
 fi
 
 # Intialize sub folders
-echo "Creating PKI for $ACTOR_ALT using $KSIZE $ASYM_ALG and $HASH_ALG..."
+echo "Creating PKI for $ACTOR_ALT using $KSIZE $ASYM_ALG and $HASH_ALG..." | tee -a "$LOG_FILE"
 
 mkdir -p "$ACTOR_ALT" "$ACTOR_ALT"/"$CERT_FOLDER" "$ACTOR_ALT"/ca/certs
 cp ca.conf "$ACTOR_ALT"/.
 pushd "$ACTOR_ALT" &> /dev/null
 touch ca/db
+touch openssl-san.cnf
 if [ ! -f "ca/serial.txt" ]; then
-     echo "01" > ca/serial.txt
+     echo "01" > ca/serial.txt | tee -a "$LOG_FILE"
 fi
 
+# Function to add Cert to Truststore and key to Keystore
+add_to_stores () {
+   CERT_PATH=$1
+   ALIAS=${CERT_PATH#*/}    # Use filename without path as an alias
+   echo "Addding $ALIAS to the $TRUSTSTORE and $KEYSTORE" | tee -a "$LOG_FILE" 
+   # Add the cert and key to the key store. make a p12 file to import into te keystore
+   openssl pkcs12 -export -in "$CERT_PATH".pem -inkey "$CERT_PATH".key -out tmpkey.p12 -passin pass:"$PASS" -aes256 -passout pass:$PASS  >> "$LOG_FILE" 2>&1
+   # Use the p12 file to import into a java keystore via keytool
+   keytool -importkeystore -srckeystore tmpkey.p12 -destkeystore $KEYSTORE -srcstoretype pkcs12 -srcstorepass $PASS -deststoretype jks -deststorepass $PASS -noprompt -alias 1 -destalias -J-Dcom.redhat.fips=false "$ALIAS" >> "$LOG_FILE" 2>&1 
+   # Import the cert into a java trust store via keytool
+   keytool -import -keystore $TRUSTSTORE -storepass $PASS -file "$CERT_PATH".pem  -noprompt -alias "$ALIAS" -J-Dcom.redhat.fips=false >> "$LOG_FILE" 2>&1
+   # Remove the temp p1 file.
+   rm tmpkey.p12
+} 
+
 # Function to create an Intermediate Key, CSR, and Certificate
 # PARMS: 
 # 1. Cert Type String
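Review bot: In `add_to_stores` the `keytool -importkeystore` line places `-J-Dcom.redhat.fips=false` between `-destalias` and its value `"$ALIAS"`; this appears to work only because the Java launcher strips `-J` options before keytool parses its arguments, and it reads as if the JVM flag were the alias. Put the flag at the end, as the `keytool -import` line does: `-alias 1 -destalias "$ALIAS" -J-Dcom.redhat.fips=false`; the same line is repeated in `create_cert`. The function body is a copy of the tail of `create_cert`, so `create_cert` could call `add_to_stores "$CERT_PATH"` instead of carrying a second copy, and `$PASS`, `$KEYSTORE` and `$TRUSTSTORE` should be quoted in it. Two smaller points: `echo "01" > ca/serial.txt | tee -a "$LOG_FILE"` logs nothing because the redirect already consumed the output, and `touch openssl-san.cnf` creates a file that no visible line uses.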
@@ -106,16 +127,16 @@ create_cert () {
    ISSUER_CERT="$ISSUER".pem
    ALIAS=${CERT_PATH#*/}    # Use filename without path as an alias    
 
-   echo "Creating cert using "$ISSUER_KEY" with a DN="$SUBJ_DN"..."
+   echo "Creating cert using "$ISSUER_KEY" with a DN="$SUBJ_DN"..." | tee -a "$LOG_FILE"
 
    if [ "$ASYM_ALG" == "rsa" ]; then 
        openssl req -newkey rsa:"$ASYM_SIZE" \
             -keyout "$CERT_PATH".key \
             -out "$CERT_PATH".csr  -subj "$SUBJ_DN" \
-            -passout pass:"$PASS" &> /dev/null
+            -passout pass:"$PASS"  >> "$LOG_FILE" 2>&1
    else
-       openssl ecparam -genkey -name "$ECC_NAME" -out "$CERT_PATH".key &> /dev/null
-       openssl req -new -key "$CERT_PATH".key -out "$CERT_PATH".csr -$HASH_ALG  -subj "$SUBJ_DN" &> /dev/null    
+       openssl ecparam -genkey -name "$ECC_NAME" -out "$CERT_PATH".key  >> "$LOG_FILE" 2>&1
+       openssl req -new -key "$CERT_PATH".key -out "$CERT_PATH".csr -$HASH_ALG  -subj "$SUBJ_DN" >> "$LOG_FILE" 2>&1
    fi
 
    openssl ca -config ca.conf \
@@ -127,17 +148,18 @@ create_cert () {
            -in "$CERT_PATH".csr \
            -passin pass:"$PASS" \
            -batch \
-           -notext                          &> /dev/null
+           -notext                       >> "$LOG_FILE" 2>&1
    # Increment the cert serial number
-   awk -F',' '{printf("%s\t%d\n",$1,$2+1)}' ./ca/serial.txt &> /dev/null
+   SERIAL=$(awk -F',' '{printf("%s\t%d\n",$1,$2+1)}' ./ca/serial.txt)
+   echo "Cert Serial Number = $SERIAL" >> "$LOG_FILE";
    # remove csr file
    rm -f "$CERT_PATH".csr
    # Add the cert and key to the key store. make a p12 file to import into te keystore
-   openssl pkcs12 -export -in "$CERT_PATH".pem -inkey "$CERT_PATH".key -out tmpkey.p12 -passin pass:"$PASS" -passout pass:$PASS
+   openssl pkcs12 -export -in "$CERT_PATH".pem -inkey "$CERT_PATH".key -out tmpkey.p12 -passin pass:"$PASS" -aes256 -passout pass:$PASS  >> "$LOG_FILE" 2>&1
    # Use the p12 file to import into a java keystore via keytool
-   keytool -importkeystore -srckeystore tmpkey.p12 -destkeystore $KEYSTORE -srcstoretype pkcs12 -srcstorepass $PASS -deststoretype jks -deststorepass $PASS -noprompt -alias 1 -destalias "$ALIAS" &> /dev/null
+   keytool -importkeystore -srckeystore tmpkey.p12 -destkeystore $KEYSTORE -srcstoretype pkcs12 -srcstorepass $PASS -deststoretype jks -deststorepass $PASS -noprompt -alias 1 -destalias -J-Dcom.redhat.fips=false "$ALIAS" >> "$LOG_FILE" 2>&1 
    # Import the cert into a java trust store via keytool
-   keytool -import -keystore $TRUSTSTORE -storepass $PASS -file "$CERT_PATH".pem  -noprompt -alias "$ALIAS" &> /dev/null
+   keytool -import -keystore $TRUSTSTORE -storepass $PASS -file "$CERT_PATH".pem  -noprompt -alias "$ALIAS" -J-Dcom.redhat.fips=false >> "$LOG_FILE" 2>&1
    # Remove the temp p1 file.
    rm tmpkey.p12
 }
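Review bot: The value logged as `Cert Serial Number` is not the serial of the certificate just issued: the awk command only prints and never writes back to `ca/serial.txt` (despite the `Increment the cert serial number` comment), and with `-F','` on a file that holds a single hex field `$2` is empty, so it prints the file's current content followed by a tab and `1`. If the intent is an audit trail of issued serials, read it from the certificate, e.g. `SERIAL=$(openssl x509 -in "$CERT_PATH".pem -noout -serial)`, and correct the comment. `create_cert` starts above this hunk, so this assumes `openssl ca` itself is what maintains `serial.txt`.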
@@ -168,30 +190,35 @@ create_cert_chain () {
    cat "$PKI_CA1.pem" "$PKI_CA2.pem" "$PKI_CA3.pem" "$PKI_INT.pem" "$PKI_ROOT.pem" >  "$TRUST_STORE_FILE"
 
  # echo "Checking signer cert using tust store..." 
-   openssl verify -CAfile "$TRUST_STORE_FILE" $RIM_SIGNER.pem
+   openssl verify -CAfile "$TRUST_STORE_FILE" $RIM_SIGNER.pem | tee -a "$LOG_FILE"
 }
 
-if [ "$ASYM_ALG" == "rsa" ]; then 
+if [ "$ASYM_ALG" == "rsa" ]; then
    # Create Root CA key pair and self signed cert
-   openssl genrsa -out "$PKI_ROOT".key -passout pass:"$PASS" "$ASYM_SIZE" &> /dev/null
-
+   echo "Generating RSA Root CA ...." | tee -a "$LOG_FILE"
+   openssl genrsa -out "$PKI_ROOT".key -passout pass:"$PASS" "$ASYM_SIZE" >> "$LOG_FILE" 2>&1
+   
    # Create a self signed CA certificate
    openssl req -new -config ca.conf -x509 -days 3650 -key "$PKI_ROOT".key -subj "$ROOT_DN" \
           -extensions ca_extensions -out "$PKI_ROOT".pem \
-          -passout pass:"$PASS"   &> /dev/null
+          -passout pass:"$PASS" >> "$LOG_FILE" 2>&1
+   # Add the CA root cert to the Trust and Key stores
+   add_to_stores $PKI_ROOT
    # Create an intermediate CA, 2 Leaf CAs, and Signer Certs 
-   create_cert_chain
+   create_cert_chain 
 fi
 
 if [ "$ASYM_ALG" == "ecc" ]; then
     # Create Root CA key pair and self signed cert
-    openssl ecparam -genkey -name "$ECC_NAME" -out "$PKI_ROOT".key
+    echo "Generating Ecc Root CA ...." | tee -a "$LOG_FILE"
+    openssl ecparam -genkey -name "$ECC_NAME" -out "$PKI_ROOT".key >> "$LOG_FILE" 2>&1
 
     # Create a self signed CA certificate
     openssl req -new -config ca.conf -x509 -days 3650 -key "$PKI_ROOT".key -subj "$ROOT_DN" \
           -extensions ca_extensions -out "$PKI_ROOT".pem \
-          -passout pass:"$PASS"
+          -passout pass:"$PASS" >> "$LOG_FILE" 2>&1
+    # Add the CA root cert to the Trust and Key stores
+    add_to_stores $PKI_ROOT
     # Create an intermediate CA, 2 Leaf CAs, and Signer Certs 
    create_cert_chain
-fi
-
+fi
\ No newline at end of file
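Review bot: `add_to_stores $PKI_ROOT` imports the root CA private key into `KeyStore.jks`, which appears to be the same store the portal's Tomcat opens through `server.ssl.key-store`, protected by a password that `pki_setup.sh` writes into `application.properties`. Unless the ACA signs with the root key at runtime, the online keystore should hold only the keys the running service needs, with the root key kept out of it. Consider importing only the root certificate into the trust store here (the `keytool -import -keystore $TRUSTSTORE ...` step without the PKCS#12 key import), and quote the argument: `add_to_stores "$PKI_ROOT"`. The RSA and ECC branches are identical after key generation and could share that tail.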
diff --git a/package/scripts/pki/pki_setup.sh b/package/scripts/pki/pki_setup.sh
index cf2c2a52..a6492ae2 100644
--- a/package/scripts/pki/pki_setup.sh
+++ b/package/scripts/pki/pki_setup.sh
@@ -7,14 +7,15 @@
 ############################################################################################
 
 PROP_FILE=/etc/hirs/aca/application.properties
+LOG_FILE=$1
 
 # Capture location of the script to allow from invocation from any location 
 SCRIPT_DIR=$( dirname -- "$( readlink -f -- "$0"; )"; )
-echo "SCRIPT_DIR is $SCRIPT_DIR"
+echo "SCRIPT_DIR is $SCRIPT_DIR" | tee -a "$LOG_FILE"
 
 # Check for sudo or root user 
 if [ "$EUID" -ne 0 ]
-        then echo "The first time this script is run, this script requires root.  Please run as root"
+        then echo "The first time this script is run, this script requires root.  Please run as root" | tee -a "$LOG_FILE"
         exit 1
 fi
 
@@ -22,24 +23,12 @@ fi
 if [ -z $HIRS_PKI_PWD ]; then
    # Create a 32 character random password
    PKI_PASS=$(head -c 64 /dev/urandom | md5sum | tr -dc 'a-zA-Z0-9')
+   echo "Using randomly generated password" | tee -a "$LOG_FILE"
+  else
+   PKI_PASS=$HIRS_PKI_PWD
+   echo "Using system supplied password" | tee -a "$LOG_FILE"
 fi
 
-# Create an ACA properties file using the new password
-#pushd $SCRIPT_DIR &> /dev/null
-#  if [ ! -f "/etc/hirs/aca/aca.properties" ]; then
-#      if [ -d /opt/hirs/scripts/aca ]; then
-#            ACA_SETUP_DIR="/opt/hirs/scripts/aca"
-#         else
-#            ACA_SETUP_DIR="$SCRIPT_DIR/../aca"
-#      fi
-#      echo "ACA_SETUP_DIR is $ACA_SETUP_DIR"
-#   sh $ACA_SETUP_DIR/aca_property_setup.sh $PKI_PASS
-#  else
-#     echo  "aca property file exists, skipping"
-#  fi
-
-popd &> /dev/null
-
 # Create Cert Chains
 if [ ! -d "/etc/hirs/certificates" ]; then
   
@@ -48,24 +37,28 @@ if [ ! -d "/etc/hirs/certificates" ]; then
          else
             PKI_SETUP_DIR="$SCRIPT_DIR"
       fi
-      echo "PKI_SETUP_DIR is $PKI_SETUP_DIR"
+      echo "PKI_SETUP_DIR is $PKI_SETUP_DIR" | tee -a "$LOG_FILE"
+
+  mkdir -p /etc/hirs/certificates/ | tee -a "$LOG_FILE"
 
-  mkdir -p /etc/hirs/certificates/
-   
   pushd  /etc/hirs/certificates/ &> /dev/null
   cp $PKI_SETUP_DIR/ca.conf .
-  sh $PKI_SETUP_DIR/pki_chain_gen.sh "HIRS" "rsa" "3072" "sha384" "$PKI_PASS"
-  sh $PKI_SETUP_DIR/pki_chain_gen.sh "HIRS" "ecc" "512" "sha384" "$PKI_PASS" 
+  sh $PKI_SETUP_DIR/pki_chain_gen.sh "HIRS" "rsa" "3072" "sha384" "$PKI_PASS" "$LOG_FILE"
+  sh $PKI_SETUP_DIR/pki_chain_gen.sh "HIRS" "ecc" "512" "sha384" "$PKI_PASS" "$LOG_FILE"
   popd &> /dev/null
 
-  # Add/Replace password to properties file
-  if [ -f $PROP_FILE ]; then
-     sed -i '/server.ssl.key-store-password/d' $PROP_FILE
-     sed -i '/server.ssl.trust-store-password/d' $PROP_FILE
-  fi
+  # Add tomcat TLS support to the application.properties file 
+  echo "# Tomcat TLS support">> $PROP_FILE
+  echo "server.port=8443">> $PROP_FILE
+  echo "server.ssl.enabled=true">> $PROP_FILE
+  echo "server.ssl.trust-store-type=JKS">> $PROP_FILE
+  echo "server.ssl.trust-store=/etc/hirs/certificates/HIRS/TrustStore.jks">> $PROP_FILE
+  echo "server.ssl.trust-alias=hirs_aca_tls_rsa_3k_sha384">> $PROP_FILE
+  echo "server.ssl.key-store-type=JKS">> $PROP_FILE
+  echo "server.ssl.key-store=/etc/hirs/certificates/HIRS/KeyStore.jks">> $PROP_FILE
+  echo "server.ssl.key-alias=hirs_aca_tls_rsa_3k_sha384">> $PROP_FILE
   echo "server.ssl.key-store-password="$PKI_PASS >> $PROP_FILE
   echo "server.ssl.trust-store-password="$PKI_PASS >> $PROP_FILE
-
 else 
-  echo "/etc/hirs/certificates exists, skipping"
+  echo "/etc/hirs/certificates exists, skipping" | tee -a "$LOG_FILE"
 fi
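Review bot: The block that appends the TLS settings writes both store passwords in clear text to `$PROP_FILE`, but nothing in this hunk restricts the file's permissions, and the file was created by a plain `cp` in `aca_setup.sh`. Add `chmod 600 "$PROP_FILE"` after the last `echo`, with ownership set to the account that runs the ACA. The appends also run whether or not either `pki_chain_gen.sh` call succeeded, so a failed generation still leaves TLS enabled against stores that may not exist; check `$?` after each call, as `aca_setup.sh` does for its sub-scripts. `mkdir -p /etc/hirs/certificates/ | tee -a "$LOG_FILE"` logs nothing, since mkdir reports errors on stderr. The enclosing `if [ ! -d "/etc/hirs/certificates" ]` starts in the previous hunk.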