initial setup for DB TLS

HIRS_AttestationCAPortal/build.gradle

@@ -149,7 +149,7 @@ ospackage {
     postInstall 'cp /tmp/aca/default-properties/* /opt/hirs/default-properties/.'
     postInstall 'rm -rf /tmp/aca/'
  //  postInstall file('../package/scripts/install_tomcat.sh')
-     
+
     postInstall 'sh /opt/tomcat/bin/catalina.sh start'
 
     // Post Uninstall
@@ -165,4 +165,11 @@ ospackage {
     buildDeb {
         arch = 'amd64'
     }
+
+bootRun {
+    if ( project.hasProperty('jvmArgs') ) {
+        jvmArgs = (project.jvmArgs.split("\\s+") as List)
+
+    }
+}
 }

HIRS_AttestationCAPortal/src/main/resources/application.properties

@@ -4,12 +4,25 @@
 #spring.mvc.view.suffix=.jsp
 
 # Logging Config (tomcat may have further config)
-logging.level.org.springframework=INFO
+logging.level.org.springframework=DEBUG
 logging.level.org.apache.catalina=DEBUG
-
+logging.level.org.springframework.web: DEBUG
+logging.level.org.hibernate: ERROR
+logging.file.path=/var/log/hirs
+logging.file.name=hirs.spring.log
 # Database Config
 spring.jpa.hibernate.ddl-auto=update
-spring.datasource.url=jdbc:mariadb://localhost:3306/hirs_db?autoReconnect=true&useSSL=false
+#spring.datasource.url=jdbc:mariadb://localhost:3306/hirs_db?autoReconnect=true&useSSL=false
+spring.datasource.url=jdbc:mariadb://localhost:3306/hirs_db?autoReconnect=true&sslMode=PREFERRED
+#spring.datasource.url=jdbc:mariadb://localhost:3306/hirs_db?autoReconnect=true&useSSL=true&clientCertificateKeyStoreType=JKS&clientCertificateKeyStorePassword="123456"&clientCertificateKeyStoreUrl=file:/etc/hirs/certificates/HIRS/rsa_3k_sha384_certs/HIRS_db_client_rsa_3k_sha384.jks
+#spring.datasource.hikari.data-source-properties.clientCertificateKeyStoreType=JKS
+#spring.datasource.hikari.data-source-properties.clientCertificateKeyStorePassword="123456"
+#spring.datasource.hikari.data-source-properties.clientCertificateKeyStoreUrl=file:/etc/hirs/certificates/HIRS/rsa_3k_sha384_certs/HIRS_db_client_rsa_3k_sha384.jks
+
+#spring.datasource.hikari.data-source-properties.autoReconnect=true$useSSL=true
+#spring.datasource.hikari.data-source-properties.clientCertificateKeyStoreType=PCKS12
+#spring.datasource.hikari.data-source-properties.clientCertificateKeyStorePassword="1234"
+#spring.datasource.hikari.data-source-properties.clientCertificateKeyStoreUrl=file:/etc/hirs/certificates/HIRS/rsa_3k_sha384_certs/HIRS_db_client_rsa_3k_sha384.p12
 spring.datasource.username=hirs_db
 jakarta.persistence.sharedCache.mode = UNSPECIFIED
 spring.datasource.driver-class-name=org.mariadb.jdbc.Driver

HIRS_AttestationCAPortal/src/main/resources/log4j2-spring.xml

@@ -26,7 +26,7 @@
         <SpringProfile name="!development, !production">
             <Logger name="hirs.attestationca" level="trace" />
         </SpringProfile>
-        <Logger name="org.hibernate" level="WARN" />
+        <Logger name="org.hibernate" level="DEBUG" />
     </Loggers>
     <!-- prevents an out-of-memory exception caused by  the debug logging of very large inserts -->
     <category name="org.hibernate.event.def.AbstractFlushingEventListener">

package/scripts/aca/aca_setup.sh

@@ -22,6 +22,15 @@ echo "HIRS ACA Setup initiated on $(date +%Y-%m-%d)" > "$LOG_FILE"
 
 pushd $SCRIPT_DIR &>/dev/null
 
+# Set HIRS PKI  password
+if [ -z $HIRS_PKI_PWD ]; then
+   # Create a 32 character random password
+   PKI_PASS=$(head -c 64 /dev/urandom | md5sum | tr -dc 'a-zA-Z0-9')
+   echo "Using randomly generated password for the PKI key password" | tee -a "$LOG_FILE"
+  else
+   PKI_PASS=$HIRS_PKI_PWD
+   echo "Using system supplied password for the PKI key password" | tee -a "$LOG_FILE"
+fi
 
 # Copy HIRS configuration and data files if not a package install
 if [ -f $SPRING_PROP_FILE ]; then
@@ -30,6 +39,14 @@ if [ -f $SPRING_PROP_FILE ]; then
    cp -n $VENDOR_TABLE $HIRS_PROP_DIR/.
 fi
 
+sh ../pki/pki_setup.sh $LOG_FILE $PKI_PASS
+if [ $? -eq 0 ]; then 
+      echo "ACA PKI  setup complete" | tee -a "$LOG_FILE"
+  else
+    echo "Error setting up ACA PKI" | tee -a "$LOG_FILE"
+    exit 1
+fi
+
 sh ../db/db_create.sh $LOG_FILE
 if [ $? -eq 0 ]; then
     echo "ACA database setup complete" | tee -a "$LOG_FILE"
@@ -37,13 +54,7 @@ if [ $? -eq 0 ]; then
     echo "Error setting up ACA DB" | tee -a "$LOG_FILE"
     exit 1
 fi
-sh ../pki/pki_setup.sh $LOG_FILE
-if [ $? -eq 0 ]; then 
-      echo "ACA PKI  setup complete" | tee -a "$LOG_FILE"
-  else
-    echo "Error setting up ACA PKI" | tee -a "$LOG_FILE"
-    exit 1
-fi
+
 
  echo "ACA setup complete" | tee -a "$LOG_FILE"
 

package/scripts/db/db_create.sh

@@ -5,88 +5,173 @@
 # Environment variables used:
 # a. HIRS_MYSQL_ROOT_PWD: Set this variable if mysql root password is already set
 # b. HIRS_DB_PWD: Set the pwd if default password to hirs_db user needs to be changed
-# HIRS_MYSQL_ROOT_NEW_PWD wil be ignored if HIRS_MYSQL_ROOT_EXSITING_PWD is set.
 ################################################################################
 
+LOG_FILE=$1
+# LOG_FILE="/var/log/hirs/hirs_aca_install_$(date +%Y-%m-%d).log"
 # Capture location of the script to allow from invocation from any location
 SCRIPT_DIR=$( dirname -- "$( readlink -f -- "$0"; )"; )
-# Set Mysql HIRS DB  password
-if [ -z $HIRS_DB_PWD ]; then
-   HIRS_DB_PWD="hirs_db"
-fi
-# Save hirs_db mysql user password to the properties file
-mkdir -p /etc/hirs
-echo "hibernate.connection.username="hirs_db"" > /etc/hirs/hibernate.properties
-echo "hibernate.connection.password=$HIRS_DB_PWD" >> /etc/hirs/hibernate.properties
+SPRING_PROP_FILE="/etc/hirs/aca/application.properties"
+ACA_PROP_FILE="/etc/hirs/aca/aca.properties"
+DB_ADMIN_PWD=""
+DB_USER="hirs_db"
+# Db Configuration files
+DB_SRV_CONF="/etc/my.cnf.d/mariadb-server.cnf"
+DB_CLIENT_CONF="/etc/my.cnf.d/client.cnf"
+# Default Server Side Certificates
+SSL_DB_SRV_CHAIN="/etc/hirs/certificates/HIRS/rsa_3k_sha384_certs/HIRS_rsa_3k_sha384_Cert_Chain.pem";
+SSL_DB_SRV_CERT="/etc/hirs/certificates/HIRS/rsa_3k_sha384_certs/HIRS_db_srv_rsa_3k_sha384.pem"; 
+SSL_DB_SRV_KEY="/etc/hirs/certificates/HIRS/rsa_3k_sha384_certs/HIRS_db_srv_rsa_3k_sha384.key";
+# Default Client Side Certificates
+SSL_DB_CLIENT_CHAIN="/etc/hirs/certificates/HIRS/rsa_3k_sha384_certs/HIRS_rsa_3k_sha384_Cert_Chain.pem";
+SSL_DB_CLIENT_CERT="/etc/hirs/certificates/HIRS/rsa_3k_sha384_certs/HIRS_db_client_rsa_3k_sha384.pem"; 
+SSL_DB_CLIENT_KEY="/etc/hirs/certificates/HIRS/rsa_3k_sha384_certs/HIRS_db_client_rsa_3k_sha384.key";
 
-# Check if we're in a Docker container
-if [ -f /.dockerenv ]; then
+touch $ACA_PROP_FILE
+touch $LOG_FILE
+#touch /.dockerenv
+
+# Make sure required paths exist
+mkdir -p /etc/hirs/aca/
+mkdir -p /var/log/hirs/
+
+check_for_container () {
+  # Check if we're in a Docker container
+  if [[ $(cat /proc/1/sched | head -n 1) == *"bash"* ]]; then  
+  #if [ -f /.dockerenv ]; then
     DOCKER_CONTAINER=true
-else
+    echo "ACA is running in a container..." | tee -a "$LOG_FILE"
+  else
     DOCKER_CONTAINER=false
-fi
+    echo "ACA is not running in a container..." | tee -a "$LOG_FILE"
+  fi
+  if [ -d /opt/hirs/scripts/db ]; then
+    MYSQL_DIR="/opt/hirs/scripts/db"
+  else
+   MYSQL_DIR="$SCRIPT_DIR/../db"
+  fi
+  echo "Mysql script directory is $MYSQL_DIR"
+}
 
-# Check if mysql is already running, if not initialize
-if [[ $(pgrep -c -u mysql mysqld) -eq 0 ]]; then
-# Check if running in a container
-   if [ $DOCKER_CONTAINER  = true ]; then
-   # if in Docker container, avoid services that invoke the D-Bus
-       echo "ACA is running in a container..."
-       # Check if mariadb is setup
-       if [ ! -d "/var/lib/mysql/mysql/" ]; then
+start_mysqlsd () {
+   # Check if mysql is already running, if not initialize
+   if [[ $(pgrep -c -u mysql mysqld) -eq 0 ]]; then
+   # Check if running in a container
+      if [ $DOCKER_CONTAINER  = true ]; then
+      # if in Docker container, avoid services that invoke the D-Bus
+      echo "ACA is running in a container..."
+         # Check if mariadb is setup
+         if [ ! -d "/var/lib/mysql/mysql/" ]; then
            echo "Installing mariadb"
-           /usr/bin/mysql_install_db
+           /usr/bin/mysql_install_db > "$LOG_FILE"
            chown -R mysql:mysql /var/lib/mysql/
-       fi
+         fi
        echo "Starting mysql...."
        chown -R mysql:mysql /var/log/mariadb
        /usr/bin/mysqld_safe &
-   else
+     else
        SQL_SERVICE="mariadb"
        systemctl $SQL_SERVICE enable
        systemctl $SQL_SERVICE start
-   fi
-fi
+     fi
+   fi  # mysql not running 
 
-# Wait for mysql to start before continuing.
-echo "Checking mysqld status..."
-while ! mysqladmin ping -h "$localhost" --silent; do
+  # Wait for mysql to start before continuing.
+  echo "Checking mysqld status..."| tee -a "$LOG_FILE"
+  while ! mysqladmin ping -h "$localhost" --silent; do
   sleep 1;
-done
-if [ -z ${HIRS_MYSQL_ROOT_PWD} ]; then
-    echo "HIRS_MYSQL_ROOT_PWD environment variable not set"
-    mysql -fu root  -e 'quit'  &> /dev/null;
-else
-   echo "Using $HIRS_MYSQL_ROOT_PWD as the mysql root password"
-   $(mysql -u root -p$HIRS_MYSQL_ROOT_PWD -e 'quit'  &> /dev/null);
-fi
-if [ $? -eq 0 ]; then
- echo "root password verified"
-else
- echo "MYSQL root password was not the default, not supplied,  or was incorrect"
- echo "      please set the HIRS_MYSQL_ROOT_PWD system variable and retry."
- echo "      ********** ACA Mysql setup aborted ********" ;
- exit 1;
+  done
+
+  echo "mysqld is running."| tee -a "$LOG_FILE"
+}
+
+check_mysql_root_pwd () {
+  # Check if DB root password needs to be obtained
+  if [ -z $HIRS_MYSQL_ROOT_PWD ]; then
+	 # Create a 32 character random password
+	 echo "Using randomly generated password for the DB admin" | tee -a "$LOG_FILE"
+	 DB_ADMIN_PWD=$(head -c 64 /dev/urandom | md5sum | tr -dc 'a-zA-Z0-9')
+	 echo "DB Admin will be set to $DB_ADMIN_PWD, please make note for next mysql use."
+	 mysqladmin --user=root password "$DB_ADMIN_PWD"
+  else
+    DB_ADMIN_PWD=$HIRS_MYSQL_ROOT_PWD
+    echo "Using system variable supplied password" | tee -a "$LOG_FILE"
+  fi
+  # Make sure root password is correct
+  $(mysql -u root -p$DB_ADMIN_PWD -e 'quit'  &> /dev/null);
+  if [ $? -eq 0 ]; then
+     echo "root password verified"  | tee -a "$LOG_FILE"
+  else
+     echo "MYSQL root password was not the default, not supplied,  or was incorrect"
+     echo "      please set the HIRS_MYSQL_ROOT_PWD system variable and retry."
+     echo "      ********** ACA Mysql setup aborted ********" ;
+     exit 1;
+  fi
+}
+
+set_mysql_server_tls () {
+  # Check DB server setup. If ssl params dont exist then we need to add them.
+  if [[ $(cat "$DB_SRV_CONF" | grep -c "ssl") < 1 ]]; then 
+    # Add TLS files to my.cnf
+    echo "Updating $DB_SRV_CONF with ssl parameters..." | tee -a "$LOG_FILE"
+    echo "ssl_ca=$SSL_DB_SRV_CHAIN" >> "$DB_SRV_CONF"
+    echo "ssl_cert=$SSL_DB_SRV_CERT" >> "$DB_SRV_CONF"
+    echo "ssl_key=$SSL_DB_SRV_KEY" >> "$DB_SRV_CONF"
+    # Make sure mysql can access them 
+    chown mysql $SSL_DB_SRV_CHAIN $SSL_DB_SRV_CERT $SSL_DB_SRV_KEY
+  else
+       echo "mysql.cnf contians existing entry for ssl, skipping..." | tee -a "$LOG_FILE"
+  fi   
+}
+
+set_mysql_client_tls () {
+# Update ACA property file with client cert info, if not there already
+if [[ $(cat "$DB_CLIENT_CONF" | grep -c "ssl") < 1 ]]; then 
+  echo "Updating $DB_CLIENT_CONF with ssl parameters..." | tee -a "$LOG_FILE"
+  echo "ssl_ca=$SSL_DB_CLIENT_CHAIN" >> $DB_CLIENT_CONF
+  echo "ssl_cert=$SSL_DB_CLIENT_CERT" >> $DB_CLIENT_CONF
+  echo "ssl_key=$SSL_DB_CLIENT_KEY" >> $DB_CLIENT_CONF
 fi
+}
 
-echo "HIRS_DB_PWD is $HIRS_DB_PWD"
-echo "HIRS_MYSQL_ROOT_PWD is $HIRS_MYSQL_ROOT_PWD"
+# Process HIRS DB USER ...
+set_hirs_db_pwd () {
+# Check if Mysql HIRS DB  password set by system variable or set to random number
+  if [ -z $HIRS_DB_PWD ]; then
+     HIRS_DB_PWD=$(head -c 64 /dev/urandom | md5sum | tr -dc 'a-zA-Z0-9')
+  fi
 
-if [ -d /opt/hirs/scripts/db ]; then
-   MYSQL_DIR="/opt/hirs/scripts/db"
-else
+  # Remove any existing password for hirs db
+  if [ -f $ACA_PROP_FILE ];then
+     sed -i '/hirs_db_username/d' $ACA_PROP_FILE &>/dev/null
+     sed -i '/hirs_db_password/d' $ACA_PROP_FILE &>/dev/null
+  fi
 
-   MYSQL_DIR="$SCRIPT_DIR/../db"
-fi
+  echo "hirs_db_username=hirs_db" >> $ACA_PROP_FILE
+  echo "hirs_db_password=$HIRS_DB_PWD" >> $ACA_PROP_FILE
 
-echo "MYSQL_DIR is $MYSQL_DIR"
+  echo "hir_db user password is $HIRS_DB_PWD"
+  echo "mysql root password is $DB_ADMIN_PWD"
+}
 
-# Check if hirs_db not created and create it if it wasn't
-mysqlshow --user=root --password="$HIRS_MYSQL_ROOT_PWD" | grep "hirs_db" > /dev/null 2>&1
-if [ $? -eq 0 ]; then
-   echo "hirs_db exists, skipping hirs_db create"
-else
-   mysql -u root --password=$HIRS_MYSQL_ROOT_PWD < $MYSQL_DIR/db_create.sql
-   mysql -u root --password=$HIRS_MYSQL_ROOT_PWD < $MYSQL_DIR/secure_mysql.sql
-   mysql -u root --password=$HIRS_MYSQL_ROOT_PWD -e "ALTER USER 'hirs_db'@'localhost' IDENTIFIED BY '"$HIRS_DB_PWD"'; FLUSH PRIVILEGES;";
-fi
+# Create a hirs_db user with client side TLS enabled
+create_hirs_db_with_tls () {
+  # Check if hirs_db not created and create it if it wasn't
+  mysqlshow --user=root --password="$DB_ADMIN_PWD" | grep "hirs_db" > /dev/null 2>&1
+  if [ $? -eq 0 ]; then
+     echo "hirs_db exists, skipping hirs_db create"
+  else
+     mysql -u root --password=$DB_ADMIN_PWD < $MYSQL_DIR/db_create.sql
+     mysql -u root --password=$DB_ADMIN_PWD < $MYSQL_DIR/secure_mysql.sql
+     mysql -u root --password=$DB_ADMIN_PWD -e "ALTER USER 'hirs_db'@'localhost' IDENTIFIED BY '"$HIRS_DB_PWD"'; FLUSH PRIVILEGES;";
+  fi
+}
+
+# HIRS ACA Mysqld processing ...
+check_for_container
+set_mysql_server_tls
+set_mysql_client_tls
+set_hirs_db_pwd
+start_mysqlsd
+check_mysql_root_pwd
+create_hirs_db_with_tls

package/scripts/db/db_create.sql

@@ -1,2 +1,2 @@
 CREATE DATABASE IF NOT EXISTS `hirs_db` CHARACTER SET = 'utf8mb4' COLLATE = 'utf8mb4_general_ci';
-GRANT ALL  ON hirs_db.* TO "hirs_db"@"localhost" IDENTIFIED BY "$HIRS_DB_PWD";
+GRANT ALL  ON hirs_db.* TO "hirs_db"@"localhost" IDENTIFIED BY "$HIRS_DB_PWD" REQUIRE SSL;

package/scripts/db/db_drop.sh

@@ -1,11 +1,21 @@
 #!/bin/bash
 
+PASS=$1
+SCRIPT_DIR=$( dirname -- "$( readlink -f -- "$0"; )";)
+
+ if [ -d /opt/hirs/scripts/db ]; then
+    MYSQL_DIR="/opt/hirs/scripts/db"
+  else
+   MYSQL_DIR="$SCRIPT_DIR"
+fi
+
 echo "dropping hirs database"
 
+ 
 if pgrep  mysqld >/dev/null 2>&1; then
-  if [ -z ${HIRS_MYSQL_ROOT_PWD} ]; then
-    mysql -u "root" < /opt/hirs/scripts/db/db_drop.sql
+  if [ -z ${PASS} ]; then
+    mysql -u "root" < $MYSQL_DIR/db_drop.sql
   else
-    mysql -u "root" -p$HIRS_MYSQL_ROOT_PWD  < /opt/hirs/scripts/db/db_drop.sq1
+    mysql -u "root" -p$PASS  < $MYSQL_DIR/db_drop.sql
   fi
 fi

package/scripts/pki/pki_chain_gen.sh

@@ -71,6 +71,8 @@ PKI_CA2="$CERT_FOLDER"/"$ACTOR_ALT"_leaf_ca2_"$ASYM_ALG"_"$KSIZE"_"$HASH_ALG"
 PKI_CA3="$CERT_FOLDER"/"$ACTOR_ALT"_leaf_ca3_"$ASYM_ALG"_"$KSIZE"_"$HASH_ALG"
 RIM_SIGNER="$CERT_FOLDER"/"$ACTOR_ALT"_rim_signer_"$ASYM_ALG"_"$KSIZE"_"$HASH_ALG"
 TLS_SERVER="$CERT_FOLDER"/"$ACTOR_ALT"_aca_tls_"$ASYM_ALG"_"$KSIZE"_"$HASH_ALG"
+DB_SERVER="$CERT_FOLDER"/"$ACTOR_ALT"_db_srv_"$ASYM_ALG"_"$KSIZE"_"$HASH_ALG"
+DB_CLIENT="$CERT_FOLDER"/"$ACTOR_ALT"_db_client_"$ASYM_ALG"_"$KSIZE"_"$HASH_ALG"
 TRUST_STORE_FILE="$CERT_FOLDER"/"$ACTOR_ALT"_"$ASYM_ALG"_"$KSIZE"_"$HASH_ALG"_Cert_Chain.pem
 
 ROOT_DN="/C=US/ST=MD/L=Columbia/O="$ACTOR"/CN="$NAME" test root ca"
@@ -78,6 +80,8 @@ INT_DN="/C=US/ST=MD/L=Columbia/O="$ACTOR"/CN="$NAME" test intermediate ca"
 LEAF_DN="/C=US/ST=MD/L=Columbia/O="$ACTOR"/CN="$NAME" test ca"
 SIGNER_DN="/C=US/ST=MD/L=Columbia/O="$ACTOR"/CN="$NAME" test signer"
 TLS_DN="/C=US/ST=MD/L=Columbia/O="$ACTOR"/CN="$NAME" portal"
+DB_SRV_DN="/C=US/ST=MD/L=Columbia/O="$ACTOR"/CN="$NAME" DB Server"
+DB_CLIENT_DN="/C=US/ST=MD/L=Columbia/O="$ACTOR"/CN="$NAME" DB Client"
 
 # Add check for existing folder and halt if it exists
 if [ -d "$ACTOR_ALT"/"$CERT_FOLDER" ]; then
@@ -129,17 +133,29 @@ create_cert () {
 
    echo "Creating cert using "$ISSUER_KEY" with a DN="$SUBJ_DN"..." | tee -a "$LOG_FILE"
 
-   if [ "$ASYM_ALG" == "rsa" ]; then 
-       openssl req -newkey rsa:"$ASYM_SIZE" \
-            -keyout "$CERT_PATH".key \
-            -out "$CERT_PATH".csr  -subj "$SUBJ_DN" \
-            -passout pass:"$PASS"  >> "$LOG_FILE" 2>&1
+   # Database doesnt support encypted key so create DB without passwords 
+   if [[ "$SUBJ_DN" = *"DB"* ]]; then
+       if [ "$ASYM_ALG" == "rsa" ]; then 
+           openssl genrsa -out "$CERT_PATH".key "$ASYM_SIZE" >> "$LOG_FILE" 2>&1
+           openssl req -new -key "$CERT_PATH".key \
+                -out "$CERT_PATH".csr  -subj "$SUBJ_DN" >> "$LOG_FILE" 2>&1
+	   else
+	       openssl ecparam -genkey -name "$ECC_NAME" -out "$CERT_PATH".key  >> "$LOG_FILE" 2>&1
+	       openssl req -new -key "$CERT_PATH".key -out "$CERT_PATH".csr -$HASH_ALG  -subj "$SUBJ_DN" >> "$LOG_FILE" 2>&1
+	   fi
    else
-       openssl ecparam -genkey -name "$ECC_NAME" -out "$CERT_PATH".key  >> "$LOG_FILE" 2>&1
-       openssl req -new -key "$CERT_PATH".key -out "$CERT_PATH".csr -$HASH_ALG  -subj "$SUBJ_DN" >> "$LOG_FILE" 2>&1
+       if [ "$ASYM_ALG" == "rsa" ]; then 
+           openssl req -newkey rsa:"$ASYM_SIZE" \
+                -keyout "$CERT_PATH".key \
+                -out "$CERT_PATH".csr  -subj "$SUBJ_DN" \
+                -passout pass:"$PASS"  >> "$LOG_FILE" 2>&1
+	   else
+	       openssl genpkey -algorithm "EC" -pkeyopt ec_paramgen_curve:P-521 -aes256 --pass "pass:$PASS" -out "$CERT_PATH".key 
+	       openssl req -new -key "$CERT_PATH".key -passin "pass:$PASS" -out "$CERT_PATH".csr -$HASH_ALG  -subj "$SUBJ_DN" 
+	   fi
+	 
    fi
-
-   openssl ca -config ca.conf \
+     openssl ca -config ca.conf \
            -keyfile "$ISSUER_KEY" \
            -md $HASH_ALG \
            -cert "$ISSUER_CERT" \
@@ -148,7 +164,7 @@ create_cert () {
            -in "$CERT_PATH".csr \
            -passin pass:"$PASS" \
            -batch \
-           -notext                       >> "$LOG_FILE" 2>&1
+           -notext       >> "$LOG_FILE" 2>&1       
    # Increment the cert serial number
    SERIAL=$(awk -F',' '{printf("%s\t%d\n",$1,$2+1)}' ./ca/serial.txt)
    echo "Cert Serial Number = $SERIAL" >> "$LOG_FILE";
@@ -161,7 +177,7 @@ create_cert () {
    # Import the cert into a java trust store via keytool
    keytool -import -keystore $TRUSTSTORE -storepass $PASS -file "$CERT_PATH".pem  -noprompt -alias "$ALIAS" -J-Dcom.redhat.fips=false >> "$LOG_FILE" 2>&1
    # Remove the temp p1 file.
-   rm tmpkey.p12
+   rm -f tmpkey.p12 &>/dev/null
 }
 
 create_cert_chain () {
@@ -186,22 +202,36 @@ create_cert_chain () {
    # Create a ACA Sever Cert for TLS use
    create_cert "$TLS_SERVER" "$PKI_CA3" "$TLS_DN" "server_extensions"
 
+   # Create a DB Sever Cert for TLS use
+   create_cert "$DB_SERVER" "$PKI_CA3" "$DB_SRV_DN" "server_extensions"
+   
+   # Create a ACA Sever Cert for TLS use
+   create_cert "$DB_CLIENT" "$PKI_CA3" "$DB_CLIENT_DN" "server_extensions"
+   
    # Create Cert trust store by adding the Intermediate and root certs 
    cat "$PKI_CA1.pem" "$PKI_CA2.pem" "$PKI_CA3.pem" "$PKI_INT.pem" "$PKI_ROOT.pem" >  "$TRUST_STORE_FILE"
 
  # echo "Checking signer cert using tust store..." 
    openssl verify -CAfile "$TRUST_STORE_FILE" $RIM_SIGNER.pem | tee -a "$LOG_FILE"
+   
+   # Make JKS files for the mysql DB connector. P12 first then JKS...
+   openssl pkcs12 -export -in $DB_CLIENT.pem -inkey $DB_CLIENT.key -aes256 \
+        -passin pass:"$PASS" -aes256 -passout pass:$PASS \
+        -name "mysqlclientkey" -out $DB_CLIENT.p12
+
+   keytool -importkeystore -srckeystore $DB_CLIENT.p12 -srcstoretype pkcs12 \
+         -srcstorepass $PASS -destkeystore $DB_CLIENT.jks -deststoretype JKS -deststorepass $PASS
 }
 
 if [ "$ASYM_ALG" == "rsa" ]; then
    # Create Root CA key pair and self signed cert
    echo "Generating RSA Root CA ...." | tee -a "$LOG_FILE"
-   openssl genrsa -out "$PKI_ROOT".key -passout pass:"$PASS" "$ASYM_SIZE" >> "$LOG_FILE" 2>&1
+   openssl genrsa -out "$PKI_ROOT".key -aes256 -passout pass:"$PASS" "$ASYM_SIZE" >> "$LOG_FILE" 2>&1
    
    # Create a self signed CA certificate
    openssl req -new -config ca.conf -x509 -days 3650 -key "$PKI_ROOT".key -subj "$ROOT_DN" \
           -extensions ca_extensions -out "$PKI_ROOT".pem \
-          -passout pass:"$PASS" >> "$LOG_FILE" 2>&1
+          -passin pass:"$PASS" >> "$LOG_FILE" 2>&1
    # Add the CA root cert to the Trust and Key stores
    add_to_stores $PKI_ROOT
    # Create an intermediate CA, 2 Leaf CAs, and Signer Certs 
@@ -211,12 +241,13 @@ fi
 if [ "$ASYM_ALG" == "ecc" ]; then
     # Create Root CA key pair and self signed cert
     echo "Generating Ecc Root CA ...." | tee -a "$LOG_FILE"
-    openssl ecparam -genkey -name "$ECC_NAME" -out "$PKI_ROOT".key >> "$LOG_FILE" 2>&1
-
+    #openssl ecparam -genkey -name "$ECC_NAME" -out "$PKI_ROOT".key >> "$LOG_FILE" 2>&1
+    openssl genpkey -algorithm "EC" -pkeyopt ec_paramgen_curve:P-521 -aes256 --pass "pass:$PASS" -out "$PKI_ROOT".key 
+    
     # Create a self signed CA certificate
     openssl req -new -config ca.conf -x509 -days 3650 -key "$PKI_ROOT".key -subj "$ROOT_DN" \
           -extensions ca_extensions -out "$PKI_ROOT".pem \
-          -passout pass:"$PASS" >> "$LOG_FILE" 2>&1
+          -passin pass:"$PASS" >> "$LOG_FILE" 2>&1
     # Add the CA root cert to the Trust and Key stores
     add_to_stores $PKI_ROOT
     # Create an intermediate CA, 2 Leaf CAs, and Signer Certs 

package/scripts/pki/pki_setup.sh

@@ -8,27 +8,32 @@
 
 PROP_FILE=/etc/hirs/aca/application.properties
 LOG_FILE=$1
-
+PKI_PASS=$2
+LOG_FILE_NAME="hirs_aca_install_"$(date +%Y-%m-%d).log
+LOG_DIR="/var/log/hirs/"
+HIRS_CONF_DIR=/etc/hirs/aca
 # Capture location of the script to allow from invocation from any location 
 SCRIPT_DIR=$( dirname -- "$( readlink -f -- "$0"; )"; )
+
+mkdir -p $HIRS_CONF_DIR $LOG_DIR
 echo "SCRIPT_DIR is $SCRIPT_DIR" | tee -a "$LOG_FILE"
 
+if [ -z "$1" ]; then
+   LOG_FILE="$LOG_DIR$LOG_FILE_NAME"
+   echo "using log file $LOG_FILE" | tee -a "$LOG_FILE"
+fi
+if [ -z "$2" ]; then
+   PKI_PASS=$(head -c 64 /dev/urandom | md5sum | tr -dc 'a-zA-Z0-9')
+   echo "Using randomly generated password for the PKI key password" | tee -a "$LOG_FILE"
+   echo "Using pki password=$PKI_PASS"
+fi
+
 # Check for sudo or root user 
 if [ "$EUID" -ne 0 ]
         then echo "The first time this script is run, this script requires root.  Please run as root" | tee -a "$LOG_FILE"
         exit 1
 fi
 
-# Set HIRS PKI  password
-if [ -z $HIRS_PKI_PWD ]; then
-   # Create a 32 character random password
-   PKI_PASS=$(head -c 64 /dev/urandom | md5sum | tr -dc 'a-zA-Z0-9')
-   echo "Using randomly generated password" | tee -a "$LOG_FILE"
-  else
-   PKI_PASS=$HIRS_PKI_PWD
-   echo "Using system supplied password" | tee -a "$LOG_FILE"
-fi
-
 # Create Cert Chains
 if [ ! -d "/etc/hirs/certificates" ]; then