initial setup for DB TLS

2024-12-18 20:47:58 +00:00 · 2023-08-11 09:47:30 -04:00 · 2023-08-11 09:47:30 -04:00 · 4766903aad
commit 4766903aad
parent 1dd3a2fea9
9 changed files with 266 additions and 104 deletions
--- a/HIRS_AttestationCAPortal/build.gradle
+++ b/HIRS_AttestationCAPortal/build.gradle
@ -149,7 +149,7 @@ ospackage {
    postInstall 'cp /tmp/aca/default-properties/* /opt/hirs/default-properties/.'
    postInstall 'rm -rf /tmp/aca/'
 //  postInstall file('../package/scripts/install_tomcat.sh')
-     
+
    postInstall 'sh /opt/tomcat/bin/catalina.sh start'
    // Post Uninstall
@ -165,4 +165,11 @@ ospackage {
    buildDeb {
        arch = 'amd64'
    }
 bootRun {
    if ( project.hasProperty('jvmArgs') ) {
        jvmArgs = (project.jvmArgs.split("\\s+") as List)
    }
 }
 }
--- a/HIRS_AttestationCAPortal/src/main/resources/application.properties
+++ b/HIRS_AttestationCAPortal/src/main/resources/application.properties
@ -4,12 +4,25 @@
 #spring.mvc.view.suffix=.jsp
 # Logging Config (tomcat may have further config)
-logging.level.org.springframework=INFO
+logging.level.org.springframework=DEBUG
 logging.level.org.apache.catalina=DEBUG
-
+logging.level.org.springframework.web: DEBUG
 logging.level.org.hibernate: ERROR
 logging.file.path=/var/log/hirs
 logging.file.name=hirs.spring.log
 # Database Config
 spring.jpa.hibernate.ddl-auto=update
-spring.datasource.url=jdbc:mariadb://localhost:3306/hirs_db?autoReconnect=true&useSSL=false
+#spring.datasource.url=jdbc:mariadb://localhost:3306/hirs_db?autoReconnect=true&useSSL=false
 spring.datasource.url=jdbc:mariadb://localhost:3306/hirs_db?autoReconnect=true&sslMode=PREFERRED
 #spring.datasource.url=jdbc:mariadb://localhost:3306/hirs_db?autoReconnect=true&useSSL=true&clientCertificateKeyStoreType=JKS&clientCertificateKeyStorePassword="123456"&clientCertificateKeyStoreUrl=file:/etc/hirs/certificates/HIRS/rsa_3k_sha384_certs/HIRS_db_client_rsa_3k_sha384.jks
 #spring.datasource.hikari.data-source-properties.clientCertificateKeyStoreType=JKS
 #spring.datasource.hikari.data-source-properties.clientCertificateKeyStorePassword="123456"
 #spring.datasource.hikari.data-source-properties.clientCertificateKeyStoreUrl=file:/etc/hirs/certificates/HIRS/rsa_3k_sha384_certs/HIRS_db_client_rsa_3k_sha384.jks
 #spring.datasource.hikari.data-source-properties.autoReconnect=true$useSSL=true
 #spring.datasource.hikari.data-source-properties.clientCertificateKeyStoreType=PCKS12
 #spring.datasource.hikari.data-source-properties.clientCertificateKeyStorePassword="1234"
 #spring.datasource.hikari.data-source-properties.clientCertificateKeyStoreUrl=file:/etc/hirs/certificates/HIRS/rsa_3k_sha384_certs/HIRS_db_client_rsa_3k_sha384.p12
 spring.datasource.username=hirs_db
 jakarta.persistence.sharedCache.mode = UNSPECIFIED
 spring.datasource.driver-class-name=org.mariadb.jdbc.Driver
--- a/HIRS_AttestationCAPortal/src/main/resources/log4j2-spring.xml
+++ b/HIRS_AttestationCAPortal/src/main/resources/log4j2-spring.xml
@ -26,7 +26,7 @@
        <SpringProfile name="!development, !production">
            <Logger name="hirs.attestationca" level="trace" />
        </SpringProfile>
-        <Logger name="org.hibernate" level="WARN" />
+        <Logger name="org.hibernate" level="DEBUG" />
    </Loggers>
    <!-- prevents an out-of-memory exception caused by  the debug logging of very large inserts -->
    <category name="org.hibernate.event.def.AbstractFlushingEventListener">
--- a/package/scripts/aca/aca_setup.sh
+++ b/package/scripts/aca/aca_setup.sh
@ -22,6 +22,15 @@ echo "HIRS ACA Setup initiated on $(date +%Y-%m-%d)" > "$LOG_FILE"
 pushd $SCRIPT_DIR &>/dev/null
 # Set HIRS PKI  password
 if [ -z $HIRS_PKI_PWD ]; then
   # Create a 32 character random password
   PKI_PASS=$(head -c 64 /dev/urandom | md5sum | tr -dc 'a-zA-Z0-9')
   echo "Using randomly generated password for the PKI key password" | tee -a "$LOG_FILE"
  else
   PKI_PASS=$HIRS_PKI_PWD
   echo "Using system supplied password for the PKI key password" | tee -a "$LOG_FILE"
 fi
 # Copy HIRS configuration and data files if not a package install
 if [ -f $SPRING_PROP_FILE ]; then
@ -30,6 +39,14 @@ if [ -f $SPRING_PROP_FILE ]; then
   cp -n $VENDOR_TABLE $HIRS_PROP_DIR/.
 fi
 sh ../pki/pki_setup.sh $LOG_FILE $PKI_PASS
 if [ $? -eq 0 ]; then 
      echo "ACA PKI  setup complete" | tee -a "$LOG_FILE"
  else
    echo "Error setting up ACA PKI" | tee -a "$LOG_FILE"
    exit 1
 fi
 sh ../db/db_create.sh $LOG_FILE
 if [ $? -eq 0 ]; then
    echo "ACA database setup complete" | tee -a "$LOG_FILE"
@ -37,13 +54,7 @@ if [ $? -eq 0 ]; then
    echo "Error setting up ACA DB" | tee -a "$LOG_FILE"
    exit 1
 fi
-sh ../pki/pki_setup.sh $LOG_FILE
+
 if [ $? -eq 0 ]; then 
      echo "ACA PKI  setup complete" | tee -a "$LOG_FILE"
  else
    echo "Error setting up ACA PKI" | tee -a "$LOG_FILE"
    exit 1
 fi
 echo "ACA setup complete" | tee -a "$LOG_FILE"
--- a/package/scripts/db/db_create.sh
+++ b/package/scripts/db/db_create.sh
@ -5,88 +5,173 @@
 # Environment variables used:
 # a. HIRS_MYSQL_ROOT_PWD: Set this variable if mysql root password is already set
 # b. HIRS_DB_PWD: Set the pwd if default password to hirs_db user needs to be changed
 # HIRS_MYSQL_ROOT_NEW_PWD wil be ignored if HIRS_MYSQL_ROOT_EXSITING_PWD is set.
 ################################################################################
 LOG_FILE=$1
 # LOG_FILE="/var/log/hirs/hirs_aca_install_$(date +%Y-%m-%d).log"
 # Capture location of the script to allow from invocation from any location
 SCRIPT_DIR=$( dirname -- "$( readlink -f -- "$0"; )"; )
-# Set Mysql HIRS DB  password
+SPRING_PROP_FILE="/etc/hirs/aca/application.properties"
-if [ -z $HIRS_DB_PWD ]; then
+ACA_PROP_FILE="/etc/hirs/aca/aca.properties"
-   HIRS_DB_PWD="hirs_db"
+DB_ADMIN_PWD=""
-fi
+DB_USER="hirs_db"
-# Save hirs_db mysql user password to the properties file
+# Db Configuration files
-mkdir -p /etc/hirs
+DB_SRV_CONF="/etc/my.cnf.d/mariadb-server.cnf"
-echo "hibernate.connection.username="hirs_db"" > /etc/hirs/hibernate.properties
+DB_CLIENT_CONF="/etc/my.cnf.d/client.cnf"
-echo "hibernate.connection.password=$HIRS_DB_PWD" >> /etc/hirs/hibernate.properties
+# Default Server Side Certificates
 SSL_DB_SRV_CHAIN="/etc/hirs/certificates/HIRS/rsa_3k_sha384_certs/HIRS_rsa_3k_sha384_Cert_Chain.pem";
 SSL_DB_SRV_CERT="/etc/hirs/certificates/HIRS/rsa_3k_sha384_certs/HIRS_db_srv_rsa_3k_sha384.pem"; 
 SSL_DB_SRV_KEY="/etc/hirs/certificates/HIRS/rsa_3k_sha384_certs/HIRS_db_srv_rsa_3k_sha384.key";
 # Default Client Side Certificates
 SSL_DB_CLIENT_CHAIN="/etc/hirs/certificates/HIRS/rsa_3k_sha384_certs/HIRS_rsa_3k_sha384_Cert_Chain.pem";
 SSL_DB_CLIENT_CERT="/etc/hirs/certificates/HIRS/rsa_3k_sha384_certs/HIRS_db_client_rsa_3k_sha384.pem"; 
 SSL_DB_CLIENT_KEY="/etc/hirs/certificates/HIRS/rsa_3k_sha384_certs/HIRS_db_client_rsa_3k_sha384.key";
-# Check if we're in a Docker container
+touch $ACA_PROP_FILE
-if [ -f /.dockerenv ]; then
+touch $LOG_FILE
 #touch /.dockerenv
 # Make sure required paths exist
 mkdir -p /etc/hirs/aca/
 mkdir -p /var/log/hirs/
 check_for_container () {
  # Check if we're in a Docker container
  if [[ $(cat /proc/1/sched | head -n 1) == *"bash"* ]]; then  
  #if [ -f /.dockerenv ]; then
    DOCKER_CONTAINER=true
-else
+    echo "ACA is running in a container..." | tee -a "$LOG_FILE"
  else
    DOCKER_CONTAINER=false
-fi
+    echo "ACA is not running in a container..." | tee -a "$LOG_FILE"
  fi
  if [ -d /opt/hirs/scripts/db ]; then
    MYSQL_DIR="/opt/hirs/scripts/db"
  else
   MYSQL_DIR="$SCRIPT_DIR/../db"
  fi
  echo "Mysql script directory is $MYSQL_DIR"
 }
-# Check if mysql is already running, if not initialize
+start_mysqlsd () {
-if [[ $(pgrep -c -u mysql mysqld) -eq 0 ]]; then
+   # Check if mysql is already running, if not initialize
-# Check if running in a container
+   if [[ $(pgrep -c -u mysql mysqld) -eq 0 ]]; then
-   if [ $DOCKER_CONTAINER  = true ]; then
+   # Check if running in a container
-   # if in Docker container, avoid services that invoke the D-Bus
+      if [ $DOCKER_CONTAINER  = true ]; then
-       echo "ACA is running in a container..."
+      # if in Docker container, avoid services that invoke the D-Bus
-       # Check if mariadb is setup
+      echo "ACA is running in a container..."
-       if [ ! -d "/var/lib/mysql/mysql/" ]; then
+         # Check if mariadb is setup
         if [ ! -d "/var/lib/mysql/mysql/" ]; then
           echo "Installing mariadb"
-           /usr/bin/mysql_install_db
+           /usr/bin/mysql_install_db > "$LOG_FILE"
           chown -R mysql:mysql /var/lib/mysql/
-       fi
+         fi
       echo "Starting mysql...."
       chown -R mysql:mysql /var/log/mariadb
       /usr/bin/mysqld_safe &
-   else
+     else
       SQL_SERVICE="mariadb"
       systemctl $SQL_SERVICE enable
       systemctl $SQL_SERVICE start
-   fi
+     fi
-fi
+   fi  # mysql not running 
-# Wait for mysql to start before continuing.
+  # Wait for mysql to start before continuing.
-echo "Checking mysqld status..."
+  echo "Checking mysqld status..."| tee -a "$LOG_FILE"
-while ! mysqladmin ping -h "$localhost" --silent; do
+  while ! mysqladmin ping -h "$localhost" --silent; do
  sleep 1;
-done
+  done
-if [ -z ${HIRS_MYSQL_ROOT_PWD} ]; then
+
-    echo "HIRS_MYSQL_ROOT_PWD environment variable not set"
+  echo "mysqld is running."| tee -a "$LOG_FILE"
-    mysql -fu root  -e 'quit'  &> /dev/null;
+}
-else
+
-   echo "Using $HIRS_MYSQL_ROOT_PWD as the mysql root password"
+check_mysql_root_pwd () {
-   $(mysql -u root -p$HIRS_MYSQL_ROOT_PWD -e 'quit'  &> /dev/null);
+  # Check if DB root password needs to be obtained
-fi
+  if [ -z $HIRS_MYSQL_ROOT_PWD ]; then
-if [ $? -eq 0 ]; then
+	 # Create a 32 character random password
- echo "root password verified"
+	 echo "Using randomly generated password for the DB admin" | tee -a "$LOG_FILE"
-else
+	 DB_ADMIN_PWD=$(head -c 64 /dev/urandom | md5sum | tr -dc 'a-zA-Z0-9')
- echo "MYSQL root password was not the default, not supplied,  or was incorrect"
+	 echo "DB Admin will be set to $DB_ADMIN_PWD, please make note for next mysql use."
- echo "      please set the HIRS_MYSQL_ROOT_PWD system variable and retry."
+	 mysqladmin --user=root password "$DB_ADMIN_PWD"
- echo "      ********** ACA Mysql setup aborted ********" ;
+  else
- exit 1;
+    DB_ADMIN_PWD=$HIRS_MYSQL_ROOT_PWD
    echo "Using system variable supplied password" | tee -a "$LOG_FILE"
  fi
  # Make sure root password is correct
  $(mysql -u root -p$DB_ADMIN_PWD -e 'quit'  &> /dev/null);
  if [ $? -eq 0 ]; then
     echo "root password verified"  | tee -a "$LOG_FILE"
  else
     echo "MYSQL root password was not the default, not supplied,  or was incorrect"
     echo "      please set the HIRS_MYSQL_ROOT_PWD system variable and retry."
     echo "      ********** ACA Mysql setup aborted ********" ;
     exit 1;
  fi
 }
 set_mysql_server_tls () {
  # Check DB server setup. If ssl params dont exist then we need to add them.
  if [[ $(cat "$DB_SRV_CONF" | grep -c "ssl") < 1 ]]; then 
    # Add TLS files to my.cnf
    echo "Updating $DB_SRV_CONF with ssl parameters..." | tee -a "$LOG_FILE"
    echo "ssl_ca=$SSL_DB_SRV_CHAIN" >> "$DB_SRV_CONF"
    echo "ssl_cert=$SSL_DB_SRV_CERT" >> "$DB_SRV_CONF"
    echo "ssl_key=$SSL_DB_SRV_KEY" >> "$DB_SRV_CONF"
    # Make sure mysql can access them 
    chown mysql $SSL_DB_SRV_CHAIN $SSL_DB_SRV_CERT $SSL_DB_SRV_KEY
  else
       echo "mysql.cnf contians existing entry for ssl, skipping..." | tee -a "$LOG_FILE"
  fi   
 }
 set_mysql_client_tls () {
 # Update ACA property file with client cert info, if not there already
 if [[ $(cat "$DB_CLIENT_CONF" | grep -c "ssl") < 1 ]]; then 
  echo "Updating $DB_CLIENT_CONF with ssl parameters..." | tee -a "$LOG_FILE"
  echo "ssl_ca=$SSL_DB_CLIENT_CHAIN" >> $DB_CLIENT_CONF
  echo "ssl_cert=$SSL_DB_CLIENT_CERT" >> $DB_CLIENT_CONF
  echo "ssl_key=$SSL_DB_CLIENT_KEY" >> $DB_CLIENT_CONF
 fi
 }
-echo "HIRS_DB_PWD is $HIRS_DB_PWD"
+# Process HIRS DB USER ...
-echo "HIRS_MYSQL_ROOT_PWD is $HIRS_MYSQL_ROOT_PWD"
+set_hirs_db_pwd () {
 # Check if Mysql HIRS DB  password set by system variable or set to random number
  if [ -z $HIRS_DB_PWD ]; then
     HIRS_DB_PWD=$(head -c 64 /dev/urandom | md5sum | tr -dc 'a-zA-Z0-9')
  fi
-if [ -d /opt/hirs/scripts/db ]; then
+  # Remove any existing password for hirs db
-   MYSQL_DIR="/opt/hirs/scripts/db"
+  if [ -f $ACA_PROP_FILE ];then
-else
+     sed -i '/hirs_db_username/d' $ACA_PROP_FILE &>/dev/null
     sed -i '/hirs_db_password/d' $ACA_PROP_FILE &>/dev/null
  fi
-   MYSQL_DIR="$SCRIPT_DIR/../db"
+  echo "hirs_db_username=hirs_db" >> $ACA_PROP_FILE
-fi
+  echo "hirs_db_password=$HIRS_DB_PWD" >> $ACA_PROP_FILE
-echo "MYSQL_DIR is $MYSQL_DIR"
+  echo "hir_db user password is $HIRS_DB_PWD"
  echo "mysql root password is $DB_ADMIN_PWD"
 }
-# Check if hirs_db not created and create it if it wasn't
+# Create a hirs_db user with client side TLS enabled
-mysqlshow --user=root --password="$HIRS_MYSQL_ROOT_PWD" | grep "hirs_db" > /dev/null 2>&1
+create_hirs_db_with_tls () {
-if [ $? -eq 0 ]; then
+  # Check if hirs_db not created and create it if it wasn't
-   echo "hirs_db exists, skipping hirs_db create"
+  mysqlshow --user=root --password="$DB_ADMIN_PWD" | grep "hirs_db" > /dev/null 2>&1
-else
+  if [ $? -eq 0 ]; then
-   mysql -u root --password=$HIRS_MYSQL_ROOT_PWD < $MYSQL_DIR/db_create.sql
+     echo "hirs_db exists, skipping hirs_db create"
-   mysql -u root --password=$HIRS_MYSQL_ROOT_PWD < $MYSQL_DIR/secure_mysql.sql
+  else
-   mysql -u root --password=$HIRS_MYSQL_ROOT_PWD -e "ALTER USER 'hirs_db'@'localhost' IDENTIFIED BY '"$HIRS_DB_PWD"'; FLUSH PRIVILEGES;";
+     mysql -u root --password=$DB_ADMIN_PWD < $MYSQL_DIR/db_create.sql
-fi
+     mysql -u root --password=$DB_ADMIN_PWD < $MYSQL_DIR/secure_mysql.sql
     mysql -u root --password=$DB_ADMIN_PWD -e "ALTER USER 'hirs_db'@'localhost' IDENTIFIED BY '"$HIRS_DB_PWD"'; FLUSH PRIVILEGES;";
  fi
 }
 # HIRS ACA Mysqld processing ...
 check_for_container
 set_mysql_server_tls
 set_mysql_client_tls
 set_hirs_db_pwd
 start_mysqlsd
 check_mysql_root_pwd
 create_hirs_db_with_tls
--- a/package/scripts/db/db_create.sql
+++ b/package/scripts/db/db_create.sql
@ -1,2 +1,2 @@
 CREATE DATABASE IF NOT EXISTS `hirs_db` CHARACTER SET = 'utf8mb4' COLLATE = 'utf8mb4_general_ci';
-GRANT ALL  ON hirs_db.* TO "hirs_db"@"localhost" IDENTIFIED BY "$HIRS_DB_PWD";
+GRANT ALL  ON hirs_db.* TO "hirs_db"@"localhost" IDENTIFIED BY "$HIRS_DB_PWD" REQUIRE SSL;
--- a/package/scripts/db/db_drop.sh
+++ b/package/scripts/db/db_drop.sh
@ -1,11 +1,21 @@
 #!/bin/bash
 PASS=$1
 SCRIPT_DIR=$( dirname -- "$( readlink -f -- "$0"; )";)
 if [ -d /opt/hirs/scripts/db ]; then
    MYSQL_DIR="/opt/hirs/scripts/db"
  else
   MYSQL_DIR="$SCRIPT_DIR"
 fi
 echo "dropping hirs database"
 if pgrep  mysqld >/dev/null 2>&1; then
-  if [ -z ${HIRS_MYSQL_ROOT_PWD} ]; then
+  if [ -z ${PASS} ]; then
-    mysql -u "root" < /opt/hirs/scripts/db/db_drop.sql
+    mysql -u "root" < $MYSQL_DIR/db_drop.sql
  else
-    mysql -u "root" -p$HIRS_MYSQL_ROOT_PWD  < /opt/hirs/scripts/db/db_drop.sq1
+    mysql -u "root" -p$PASS  < $MYSQL_DIR/db_drop.sql
  fi
 fi
--- a/package/scripts/pki/pki_chain_gen.sh
+++ b/package/scripts/pki/pki_chain_gen.sh
@ -71,6 +71,8 @@ PKI_CA2="$CERT_FOLDER"/"$ACTOR_ALT"_leaf_ca2_"$ASYM_ALG"_"$KSIZE"_"$HASH_ALG"
 PKI_CA3="$CERT_FOLDER"/"$ACTOR_ALT"_leaf_ca3_"$ASYM_ALG"_"$KSIZE"_"$HASH_ALG"
 RIM_SIGNER="$CERT_FOLDER"/"$ACTOR_ALT"_rim_signer_"$ASYM_ALG"_"$KSIZE"_"$HASH_ALG"
 TLS_SERVER="$CERT_FOLDER"/"$ACTOR_ALT"_aca_tls_"$ASYM_ALG"_"$KSIZE"_"$HASH_ALG"
 DB_SERVER="$CERT_FOLDER"/"$ACTOR_ALT"_db_srv_"$ASYM_ALG"_"$KSIZE"_"$HASH_ALG"
 DB_CLIENT="$CERT_FOLDER"/"$ACTOR_ALT"_db_client_"$ASYM_ALG"_"$KSIZE"_"$HASH_ALG"
 TRUST_STORE_FILE="$CERT_FOLDER"/"$ACTOR_ALT"_"$ASYM_ALG"_"$KSIZE"_"$HASH_ALG"_Cert_Chain.pem
 ROOT_DN="/C=US/ST=MD/L=Columbia/O="$ACTOR"/CN="$NAME" test root ca"
@ -78,6 +80,8 @@ INT_DN="/C=US/ST=MD/L=Columbia/O="$ACTOR"/CN="$NAME" test intermediate ca"
 LEAF_DN="/C=US/ST=MD/L=Columbia/O="$ACTOR"/CN="$NAME" test ca"
 SIGNER_DN="/C=US/ST=MD/L=Columbia/O="$ACTOR"/CN="$NAME" test signer"
 TLS_DN="/C=US/ST=MD/L=Columbia/O="$ACTOR"/CN="$NAME" portal"
 DB_SRV_DN="/C=US/ST=MD/L=Columbia/O="$ACTOR"/CN="$NAME" DB Server"
 DB_CLIENT_DN="/C=US/ST=MD/L=Columbia/O="$ACTOR"/CN="$NAME" DB Client"
 # Add check for existing folder and halt if it exists
 if [ -d "$ACTOR_ALT"/"$CERT_FOLDER" ]; then
@ -129,17 +133,29 @@ create_cert () {
   echo "Creating cert using "$ISSUER_KEY" with a DN="$SUBJ_DN"..." | tee -a "$LOG_FILE"
-   if [ "$ASYM_ALG" == "rsa" ]; then 
+   # Database doesnt support encypted key so create DB without passwords 
-       openssl req -newkey rsa:"$ASYM_SIZE" \
+   if [[ "$SUBJ_DN" = *"DB"* ]]; then
-            -keyout "$CERT_PATH".key \
+       if [ "$ASYM_ALG" == "rsa" ]; then 
-            -out "$CERT_PATH".csr  -subj "$SUBJ_DN" \
+           openssl genrsa -out "$CERT_PATH".key "$ASYM_SIZE" >> "$LOG_FILE" 2>&1
-            -passout pass:"$PASS"  >> "$LOG_FILE" 2>&1
+           openssl req -new -key "$CERT_PATH".key \
                -out "$CERT_PATH".csr  -subj "$SUBJ_DN" >> "$LOG_FILE" 2>&1
 	   else
 	       openssl ecparam -genkey -name "$ECC_NAME" -out "$CERT_PATH".key  >> "$LOG_FILE" 2>&1
 	       openssl req -new -key "$CERT_PATH".key -out "$CERT_PATH".csr -$HASH_ALG  -subj "$SUBJ_DN" >> "$LOG_FILE" 2>&1
 	   fi
   else
-       openssl ecparam -genkey -name "$ECC_NAME" -out "$CERT_PATH".key  >> "$LOG_FILE" 2>&1
+       if [ "$ASYM_ALG" == "rsa" ]; then 
-       openssl req -new -key "$CERT_PATH".key -out "$CERT_PATH".csr -$HASH_ALG  -subj "$SUBJ_DN" >> "$LOG_FILE" 2>&1
+           openssl req -newkey rsa:"$ASYM_SIZE" \
                -keyout "$CERT_PATH".key \
                -out "$CERT_PATH".csr  -subj "$SUBJ_DN" \
                -passout pass:"$PASS"  >> "$LOG_FILE" 2>&1
 	   else
 	       openssl genpkey -algorithm "EC" -pkeyopt ec_paramgen_curve:P-521 -aes256 --pass "pass:$PASS" -out "$CERT_PATH".key 
 	       openssl req -new -key "$CERT_PATH".key -passin "pass:$PASS" -out "$CERT_PATH".csr -$HASH_ALG  -subj "$SUBJ_DN" 
 	   fi
   fi
-
+     openssl ca -config ca.conf \
   openssl ca -config ca.conf \
           -keyfile "$ISSUER_KEY" \
           -md $HASH_ALG \
           -cert "$ISSUER_CERT" \
@ -148,7 +164,7 @@ create_cert () {
           -in "$CERT_PATH".csr \
           -passin pass:"$PASS" \
           -batch \
-           -notext                       >> "$LOG_FILE" 2>&1
+           -notext       >> "$LOG_FILE" 2>&1       
   # Increment the cert serial number
   SERIAL=$(awk -F',' '{printf("%s\t%d\n",$1,$2+1)}' ./ca/serial.txt)
   echo "Cert Serial Number = $SERIAL" >> "$LOG_FILE";
@ -161,7 +177,7 @@ create_cert () {
   # Import the cert into a java trust store via keytool
   keytool -import -keystore $TRUSTSTORE -storepass $PASS -file "$CERT_PATH".pem  -noprompt -alias "$ALIAS" -J-Dcom.redhat.fips=false >> "$LOG_FILE" 2>&1
   # Remove the temp p1 file.
-   rm tmpkey.p12
+   rm -f tmpkey.p12 &>/dev/null
 }
 create_cert_chain () {
@ -186,22 +202,36 @@ create_cert_chain () {
   # Create a ACA Sever Cert for TLS use
   create_cert "$TLS_SERVER" "$PKI_CA3" "$TLS_DN" "server_extensions"
   # Create a DB Sever Cert for TLS use
   create_cert "$DB_SERVER" "$PKI_CA3" "$DB_SRV_DN" "server_extensions"
   # Create a ACA Sever Cert for TLS use
   create_cert "$DB_CLIENT" "$PKI_CA3" "$DB_CLIENT_DN" "server_extensions"
   # Create Cert trust store by adding the Intermediate and root certs 
   cat "$PKI_CA1.pem" "$PKI_CA2.pem" "$PKI_CA3.pem" "$PKI_INT.pem" "$PKI_ROOT.pem" >  "$TRUST_STORE_FILE"
 # echo "Checking signer cert using tust store..." 
   openssl verify -CAfile "$TRUST_STORE_FILE" $RIM_SIGNER.pem | tee -a "$LOG_FILE"
   # Make JKS files for the mysql DB connector. P12 first then JKS...
   openssl pkcs12 -export -in $DB_CLIENT.pem -inkey $DB_CLIENT.key -aes256 \
        -passin pass:"$PASS" -aes256 -passout pass:$PASS \
        -name "mysqlclientkey" -out $DB_CLIENT.p12
   keytool -importkeystore -srckeystore $DB_CLIENT.p12 -srcstoretype pkcs12 \
         -srcstorepass $PASS -destkeystore $DB_CLIENT.jks -deststoretype JKS -deststorepass $PASS
 }
 if [ "$ASYM_ALG" == "rsa" ]; then
   # Create Root CA key pair and self signed cert
   echo "Generating RSA Root CA ...." | tee -a "$LOG_FILE"
-   openssl genrsa -out "$PKI_ROOT".key -passout pass:"$PASS" "$ASYM_SIZE" >> "$LOG_FILE" 2>&1
+   openssl genrsa -out "$PKI_ROOT".key -aes256 -passout pass:"$PASS" "$ASYM_SIZE" >> "$LOG_FILE" 2>&1
   # Create a self signed CA certificate
   openssl req -new -config ca.conf -x509 -days 3650 -key "$PKI_ROOT".key -subj "$ROOT_DN" \
          -extensions ca_extensions -out "$PKI_ROOT".pem \
-          -passout pass:"$PASS" >> "$LOG_FILE" 2>&1
+          -passin pass:"$PASS" >> "$LOG_FILE" 2>&1
   # Add the CA root cert to the Trust and Key stores
   add_to_stores $PKI_ROOT
   # Create an intermediate CA, 2 Leaf CAs, and Signer Certs 
@ -211,12 +241,13 @@ fi
 if [ "$ASYM_ALG" == "ecc" ]; then
    # Create Root CA key pair and self signed cert
    echo "Generating Ecc Root CA ...." | tee -a "$LOG_FILE"
-    openssl ecparam -genkey -name "$ECC_NAME" -out "$PKI_ROOT".key >> "$LOG_FILE" 2>&1
+    #openssl ecparam -genkey -name "$ECC_NAME" -out "$PKI_ROOT".key >> "$LOG_FILE" 2>&1
-
+    openssl genpkey -algorithm "EC" -pkeyopt ec_paramgen_curve:P-521 -aes256 --pass "pass:$PASS" -out "$PKI_ROOT".key 
    # Create a self signed CA certificate
    openssl req -new -config ca.conf -x509 -days 3650 -key "$PKI_ROOT".key -subj "$ROOT_DN" \
          -extensions ca_extensions -out "$PKI_ROOT".pem \
-          -passout pass:"$PASS" >> "$LOG_FILE" 2>&1
+          -passin pass:"$PASS" >> "$LOG_FILE" 2>&1
    # Add the CA root cert to the Trust and Key stores
    add_to_stores $PKI_ROOT
    # Create an intermediate CA, 2 Leaf CAs, and Signer Certs 
--- a/package/scripts/pki/pki_setup.sh
+++ b/package/scripts/pki/pki_setup.sh
@ -8,27 +8,32 @@
 PROP_FILE=/etc/hirs/aca/application.properties
 LOG_FILE=$1
-
+PKI_PASS=$2
 LOG_FILE_NAME="hirs_aca_install_"$(date +%Y-%m-%d).log
 LOG_DIR="/var/log/hirs/"
 HIRS_CONF_DIR=/etc/hirs/aca
 # Capture location of the script to allow from invocation from any location 
 SCRIPT_DIR=$( dirname -- "$( readlink -f -- "$0"; )"; )
 mkdir -p $HIRS_CONF_DIR $LOG_DIR
 echo "SCRIPT_DIR is $SCRIPT_DIR" | tee -a "$LOG_FILE"
 if [ -z "$1" ]; then
   LOG_FILE="$LOG_DIR$LOG_FILE_NAME"
   echo "using log file $LOG_FILE" | tee -a "$LOG_FILE"
 fi
 if [ -z "$2" ]; then
   PKI_PASS=$(head -c 64 /dev/urandom | md5sum | tr -dc 'a-zA-Z0-9')
   echo "Using randomly generated password for the PKI key password" | tee -a "$LOG_FILE"
   echo "Using pki password=$PKI_PASS"
 fi
 # Check for sudo or root user 
 if [ "$EUID" -ne 0 ]
        then echo "The first time this script is run, this script requires root.  Please run as root" | tee -a "$LOG_FILE"
        exit 1
 fi
 # Set HIRS PKI  password
 if [ -z $HIRS_PKI_PWD ]; then
   # Create a 32 character random password
   PKI_PASS=$(head -c 64 /dev/urandom | md5sum | tr -dc 'a-zA-Z0-9')
   echo "Using randomly generated password" | tee -a "$LOG_FILE"
  else
   PKI_PASS=$HIRS_PKI_PWD
   echo "Using system supplied password" | tee -a "$LOG_FILE"
 fi
 # Create Cert Chains
 if [ ! -d "/etc/hirs/certificates" ]; then
`@ -1,2 +1,2 @@`
	CREATE DATABASE IF NOT EXISTS `hirs_db` CHARACTER SET = 'utf8mb4' COLLATE = 'utf8mb4_general_ci';	CREATE DATABASE IF NOT EXISTS `hirs_db` CHARACTER SET = 'utf8mb4' COLLATE = 'utf8mb4_general_ci';
	`GRANT ALL ON hirs_db.* TO "hirs_db"@"localhost" IDENTIFIED BY "$HIRS_DB_PWD";`	`GRANT ALL ON hirs_db.* TO "hirs_db"@"localhost" IDENTIFIED BY "$HIRS_DB_PWD" REQUIRE SSL;`