diff --git a/HIRS_AttestationCA/build.gradle b/HIRS_AttestationCA/build.gradle
index c6f20171..c0245393 100644
--- a/HIRS_AttestationCA/build.gradle
+++ b/HIRS_AttestationCA/build.gradle
@@ -41,7 +41,7 @@ dependencies {
implementation libs.minimal.json
implementation 'org.apache.logging.log4j:log4j-core:2.19.0'
implementation 'org.apache.logging.log4j:log4j-api:2.19.0'
-
+
// spring management
compileOnly libs.lombok
implementation libs.lombok
diff --git a/HIRS_AttestationCAPortal/build.gradle b/HIRS_AttestationCAPortal/build.gradle
index 49746e8c..13b1a08f 100644
--- a/HIRS_AttestationCAPortal/build.gradle
+++ b/HIRS_AttestationCAPortal/build.gradle
@@ -52,7 +52,7 @@ dependencies {
implementation 'org.apache.tomcat.embed:tomcat-embed-jasper:10.1.5'
compileOnly 'org.projectlombok:lombok'
- runtimeOnly 'org.mariadb.jdbc:mariadb-java-client'
+ implementation 'org.mariadb.jdbc:mariadb-java-client:3.1.4'
annotationProcessor 'org.projectlombok:lombok'
providedRuntime 'org.springframework.boot:spring-boot-starter-tomcat'
@@ -149,7 +149,7 @@ ospackage {
postInstall 'cp /tmp/aca/default-properties/* /opt/hirs/default-properties/.'
postInstall 'rm -rf /tmp/aca/'
// postInstall file('../package/scripts/install_tomcat.sh')
-
+
postInstall 'sh /opt/tomcat/bin/catalina.sh start'
// Post Uninstall
@@ -165,4 +165,5 @@ ospackage {
buildDeb {
arch = 'amd64'
}
+
}
diff --git a/HIRS_AttestationCAPortal/src/main/resources/application.properties b/HIRS_AttestationCAPortal/src/main/resources/application.properties
index 8cdec2dc..49540c3c 100644
--- a/HIRS_AttestationCAPortal/src/main/resources/application.properties
+++ b/HIRS_AttestationCAPortal/src/main/resources/application.properties
@@ -1,16 +1,13 @@
-#server.error.path=/error
-#spring.mvc.view.prefix=/WEB-INF/jsp/
-#spring.mvc.view.suffix=.jsp
-
# Logging Config (tomcat may have further config)
-logging.level.org.springframework=INFO
-logging.level.org.apache.catalina=DEBUG
-
+logging.level.org.springframework=TRACE
+logging.level.org.apache.catalina=TRACE
+logging.level.org.springframework.web: TRACE
+logging.level.org.hibernate: ERROR
+logging.file.path=/var/log/hirs
+logging.file.name=hirs.spring.log
# Database Config
spring.jpa.hibernate.ddl-auto=update
-spring.datasource.url=jdbc:mariadb://localhost:3306/hirs_db?autoReconnect=true&useSSL=false
-spring.datasource.username=hirs_db
jakarta.persistence.sharedCache.mode = UNSPECIFIED
spring.datasource.driver-class-name=org.mariadb.jdbc.Driver
#spring.datasource.driver-class-name=com.mysql.cj.jdbc.Driver
@@ -30,6 +27,19 @@ server.tomcat.accesslog.prefix=Tomcat_accesslog_
server.tomcat.accesslog.suffix=.log
server.tomcat.accesslog.rotate=true
+# Tomcat TLS support
+server.port=8443
+server.ssl.enabled=true
+server.ssl.trust-store-type=JKS
+server.ssl.trust-store=/etc/hirs/certificates/HIRS/TrustStore.jks
+server.ssl.trust-alias=hirs_aca_tls_rsa_3k_sha384
+server.ssl.key-store-type=JKS
+server.ssl.key-store=/etc/hirs/certificates/HIRS/KeyStore.jks
+server.ssl.key-alias=hirs_aca_tls_rsa_3k_sha384
+
+#--server.ssl.key-store-password=123456
+#--server.ssl.trust-store-password=123456
+
#jdbc.driverClassName = com.mysql.cj.jdbc.Driver
#jdbc.url = jdbc:mysql://localhost:3306/hirs_db?autoReconnect=true&useSSL=false
#jdbc.username = root
@@ -39,4 +49,4 @@ server.tomcat.accesslog.rotate=true
#spring.jpa.show-sql=true
# DB dfault password.
-spring.datasource.password=hirs_db
+#spring.datasource.password=hirs_db
diff --git a/HIRS_AttestationCAPortal/src/main/resources/hibernate.properties b/HIRS_AttestationCAPortal/src/main/resources/hibernate.properties
index c7c47c97..6cca0a71 100644
--- a/HIRS_AttestationCAPortal/src/main/resources/hibernate.properties
+++ b/HIRS_AttestationCAPortal/src/main/resources/hibernate.properties
@@ -1,6 +1,6 @@
-hibernate.connection.url=jdbc:mariadb://localhost:3306/hirs_db?autoReconnect=true&useSSL=false
-hibernate.connection.username=hirs_db
-hibernate.connection.password=hirs_db
+#hibernate.connection.url=jdbc:mariadb://localhost:3306/hirs_db?autoReconnect=true&useSSL=false
+#hibernate.connection.username=hirs_db
+#hibernate.connection.password=hirs_db
hibernate.connection.driver_class=org.mariadb.jdbc.Driver
hibernate.dialect = org.hibernate.dialect.MariaDBDialect
hibernate.show_sql = false
diff --git a/HIRS_AttestationCAPortal/src/main/resources/log4j2-spring.xml b/HIRS_AttestationCAPortal/src/main/resources/log4j2-spring.xml
index bbc5413c..4b0c4e8a 100644
--- a/HIRS_AttestationCAPortal/src/main/resources/log4j2-spring.xml
+++ b/HIRS_AttestationCAPortal/src/main/resources/log4j2-spring.xml
@@ -26,7 +26,7 @@
-
+
diff --git a/package/extras/aca/tomcat-mysql-hirs.pp b/package/extras/aca/tomcat-mysql-hirs.pp
deleted file mode 100755
index 601ca53e..00000000
Binary files a/package/extras/aca/tomcat-mysql-hirs.pp and /dev/null differ
diff --git a/package/extras/aca/tomcat-mysql-hirs.te b/package/extras/aca/tomcat-mysql-hirs.te
deleted file mode 100644
index 0b611f44..00000000
--- a/package/extras/aca/tomcat-mysql-hirs.te
+++ /dev/null
@@ -1,13 +0,0 @@
-
-module tomcat-mysql-hirs 1.0;
-
-require {
- type mysqld_port_t;
- type tomcat_t;
- class tcp_socket name_connect;
-}
-
-#============= tomcat_t ==============
-
-#!!!! This avc is allowed in the current policy
-allow tomcat_t mysqld_port_t:tcp_socket name_connect;
diff --git a/package/scripts/aca/aca_bootRun.sh b/package/scripts/aca/aca_bootRun.sh
old mode 100644
new mode 100755
index a77d10af..f98b85aa
--- a/package/scripts/aca/aca_bootRun.sh
+++ b/package/scripts/aca/aca_bootRun.sh
@@ -1,13 +1,80 @@
#!/bin/bash
#####################################################################################
#
-# Script to run ACA using the gradle spring pluing bootRun command with password set
+# Script to run ACA using the gradle spring pluing bootRun command with parameters
+# parameters include setting up the DB with TLS and embedded Tomcat with TLS.
#
-#
-####################################################################################
+#####################################################################################
+USE_WAR=$1
CONFIG_FILE="/etc/hirs/aca/application.properties"
+ALG=RSA
+RSA_PATH=rsa_3k_sha384_certs
+ECC_PATH=ecc_512_sha384_certs
+SCRIPT_DIR=$( dirname -- "$( readlink -f -- "$0"; )"; )
+LOG_FILE=/dev/null
+GRADLE_WRAPPER="./gradlew"
+
+# Check for sudo or root user
+if [ "$EUID" -ne 0 ]
+ then echo "This script requires root. Please run as root"
+ exit 1
+fi
+
+source $SCRIPT_DIR/../db/start_mysqld.sh
+
+if [ $ALG = "RSA" ]; then
+ CERT_PATH="/etc/hirs/certificates/HIRS/$RSA_PATH"
+ CERT_CHAIN="$CERT_PATH/HIRS_rsa_3k_sha384_Cert_Chain.pem"
+ CLIENT_DB_P12=$CERT_PATH/HIRS_db_client_rsa_3k_sha384.p12
+ ALIAS="hirs_aca_tls_rsa_3k_sha384"
+ else
+ CERT_PATH="/etc/hirs/certificates/HIRS/$ECC_PATH"
+ CERT_CHAIN="$CERT_PATH/HIRS_ecc_512_sha384_Cert_Chain.pem"
+ CLIENT_DB_P12=$CERT_PATH/HIRS_db_client_ecc_512_sha384.p12
+ ALIAS="hirs_aca_tls_ecc_512_sha384"
+fi
+
+check_for_container
+start_mysqlsd
+
+if [ ! -d "$CERT_PATH" ]; then
+ echo "$CERT_PATH directory does not exist. Please run aca_setup.sh and try again."
+ exit 1;
+fi
+
+if [ ! -f "$GRADLE_WRAPPER" ]; then
+ echo "This script needs to be run from the HIRS top level project directory. Exiting."
+ exit 1;
+fi
echo "Starting HIRS ACA on https://localhost:8443/HIRS_AttestationCAPortal/portal/index"
-./gradlew bootRun --args="--spring.config.location=$CONFIG_FILE"
\ No newline at end of file
+source /etc/hirs/aca/aca.properties;
+
+# Run the embedded tomcat server with Web TLS enabled and database client TLS enabled by overrding critical parameters
+# Note "&" is a sub parameter continuation, space represents a new parameter. Spaces and quotes matter.
+# hibernate.connection.url is used for the DB connector which established DB TLS connectivity
+# server.ssl arguments support the embeded tomcats use of TLS for the ACA Portal
+CONNECTOR_PARAMS="--hibernate.connection.url=jdbc:mariadb://localhost:3306/hirs_db?autoReconnect=true&\
+user=$hirs_db_username&\
+password=$hirs_db_password&\
+sslMode=VERIFY_CA&\
+serverSslCert=$CERT_CHAIN&\
+keyStoreType=PKCS12&\
+keyStorePassword=$hirs_pki_password&\
+keyStore="$CLIENT_DB_P12" "
+
+WEB_TLS_PARAMS="--server.ssl.key-store-password=$hirs_pki_password \
+--server.ssl.trust-store-password=$hirs_pki_password"
+
+# uncomment to show spring boot and hibernate properties used as gradle argumanets
+#echo "--args=\"$CONNECTOR_PARAMS $WEB_TLS_PARAMS\""
+
+if [ "$USE_WAR" == "war" ]; then
+ echo "Booting the ACA from a $USE_WAR file..."
+ java -jar HIRS_AttestationCAPortal/build/libs/HIRS_AttestationCAPortal.war $CONNECTOR_PARAMS$WEB_TLS_PARAMS
+else
+ echo "Booting the ACA from local build..."
+ ./gradlew bootRun --args="$CONNECTOR_PARAMS$WEB_TLS_PARAMS"
+fi
diff --git a/package/scripts/aca/aca_check_setup.sh b/package/scripts/aca/aca_check_setup.sh
new file mode 100755
index 00000000..0ce26ab9
--- /dev/null
+++ b/package/scripts/aca/aca_check_setup.sh
@@ -0,0 +1,266 @@
+#!/bin/bash
+############################################################################################
+# Checks the setup for the ACA:
+# takes a -v option to provide verbose output
+############################################################################################
+
+SCRIPT_DIR=$( dirname -- "$( readlink -f -- "$0"; )"; )
+LOG_FILE=/dev/null
+CERT_PATH="/etc/hirs/certificates/HIRS/"
+RSA_PATH=rsa_3k_sha384_certs
+ECC_PATH=ecc_512_sha384_certs
+
+RSA_HIRS_ROOT="HIRS_root_ca_rsa_3k_sha384.pem"
+RSA_HIRS_INTERMEDIATE="HIRS_intermediate_ca_rsa_3k_sha384.pem"
+RSA_HIRS_CA1="HIRS_leaf_ca1_rsa_3k_sha384.pem"
+RSA_HIRS_CA2="HIRS_leaf_ca2_rsa_3k_sha384.pem"
+RSA_HIRS_CA3="HIRS_leaf_ca3_rsa_3k_sha384.pem"
+RSA_TRUST_STORE="HIRS_rsa_3k_sha384_Cert_Chain.pem"
+RSA_RIM_SIGNER="HIRS_rim_signer_rsa_3k_sha384.pem"
+RSA_DB_CLIENT_CERT="HIRS_db_client_rsa_3k_sha384.pem"
+RSA_DN_SRV_CERT="HIRS_db_srv_rsa_3k_sha384.pem"
+RSA_WEB_TLS_CERT="HIRS_aca_tls_rsa_3k_sha384.pem"
+
+ECC_HIRS_ROOT="HIRS_root_ca_ecc_512_sha384.pem"
+ECC_HIRS_INTERMEDIATE="HIRS_intermediate_ca_ecc_512_sha384.pem"
+ECC_HIRS_CA1="HIRS_leaf_ca1_ecc_512_sha384.pem"
+ECC_HIRS_CA2="HIRS_leaf_ca2_ecc_512_sha384.pem"
+ECC_HIRS_CA3="HIRS_leaf_ca3_ecc_512_sha384.pem"
+
+ECC_TRUST_STORE="HIRS_ecc_512_sha384_Cert_Chain.pem"
+ECC_RIM_SIGNER="HIRS_rim_signer_ecc_512_sha384.pem"
+ECC_DB_CLIENT_CERT="HIRS_db_client_ecc_512_sha384.pem"
+ECC_DN_SRV_CERT="HIRS_db_srv_ecc_512_sha384.pem"
+ECC_WEB_TLS_CERT="HIRS_aca_tls_ecc_512_sha384.pem"
+
+DB_SRV_CONF="/etc/my.cnf.d/mariadb-server.cnf"
+DB_CLIENT_CONF="/etc/my.cnf.d/client.cnf"
+ALL_CHECKS_PASSED=true
+ALL_CERTS_PASSED=true
+
+# Check for Admin privileges
+if [ "$EUID" -ne 0 ]; then
+ echo "This script requires root. Please run as root"
+ exit 1
+fi
+# Check install setup pki files
+if [ ! -d $CERT_PATH ]; then
+ echo "$CERT_PATH directory does not exist. Please run aca_setup.sh and try again."
+ exit 1;
+fi
+
+# Argument handling
+
+while [[ $# -gt 0 ]]; do
+ case $1 in
+ -v|--verbose)
+ ARG_VERBOSE=YES
+ echo "verbose parameters"
+ shift # past argument
+ ;;
+ -*|--*)
+ echo "Unknown option $1"
+ exit 1
+ ;;
+ *)
+ echo "Unknown argument $1"
+ exit 1
+ shift # past argument
+ ;;
+ esac
+done
+
+source /etc/hirs/aca/aca.properties;
+source $SCRIPT_DIR/../db/start_mysqld.sh
+
+check_pwds () {
+
+PRESENT=true
+echo "Checking if ACA passwords are present..."
+ if [ -z $hirs_pki_password ]; then
+ echo "ACA pki password not set"
+ PRESENT=false
+ fi
+ if [ -z $hirs_db_username ]; then
+ echo "hirs db username not set"
+ PRESENT=false
+ fi
+ if [ -z $hirs_db_password ]; then
+ echo "hirs db user password not set"
+ PRESENT=false
+ fi
+ if [ $PRESENT ]; then
+ echo " ACA passwords were found"
+ else
+ echo " ERROR finding ACA passwords"
+ ALL_CHECKS_PASSED=false
+ fi
+}
+
+check_mysql_setup () {
+ # make sure mysql is running and restart if its not...
+ check_mysql
+ # Check DB server/client TLS setup.
+ if [[ $(cat "$DB_SRV_CONF" | grep -c "ssl") < 1 ]]; then
+ echo " Mysql server ($DB_SRV_CONF) is NOT configured for Server Side TLS"
+ ALL_CHECKS_PASSED=false
+ else
+ echo " Mysql server ($DB_SRV_CONF) is configured for Server Side TLS"
+ fi
+ if [[ $(cat "$DB_CLIENT_CONF" | grep -c "ssl") < 1 ]]; then
+ echo " Mysql client ($DB_CLIENT_CONF)is NOT configured for command line use of TLS without provding key/cert ino the commandline"
+ ALL_CHECKS_PASSED=false
+ else
+ echo " Mysql client ($DB_CLIENT_CONF) is configured for command line use of TLS"
+ fi
+
+ if [ ! -z $mysql_admin_password ]; then
+ if [ ! -z "${ARG_VERBOSE}" ]; then
+ echo "Mysql status:"
+ mysql -u root --password=$mysql_admin_password -e "STATUS;"
+ echo "Listing mysql users:"
+ mysql -u root --password=$mysql_admin_password -e "Select user from mysql.user;"
+ echo "Listing all databses:"
+ mysql -u root --password=$mysql_admin_password -e "show databases;"
+ fi
+ fi
+}
+
+check_cert () {
+TRUST_STORE=$1
+CERT=$2
+RESULT=$(openssl verify -CAfile "$TRUST_STORE" $CERT)
+if [ $? -ne 0 ]; then
+ ALL_CHECKS_PASSED=false
+ ALL_CERTS_PASSED=false
+fi
+if [ ! -z "${ARG_VERBOSE}" ]; then
+ echo " "$RESULT
+fi
+}
+
+check_pki () {
+ echo "Checking ACA PKI certificates..."
+ if [ ! -d "/etc/hirs/certificates" ]; then
+ echo "/etc/hirs/certificates doesn't exists, was aca_setup.sh run ? /
+ Skipping PKI Checks."
+ fi
+
+ pushd $CERT_PATH$RSA_PATH > /dev/null
+ check_cert $RSA_TRUST_STORE $RSA_HIRS_ROOT
+ check_cert $RSA_TRUST_STORE $RSA_HIRS_INTERMEDIATE
+ check_cert $RSA_TRUST_STORE $RSA_HIRS_CA1
+ check_cert $RSA_TRUST_STORE $RSA_HIRS_CA2
+ check_cert $RSA_TRUST_STORE $RSA_HIRS_CA3
+ check_cert $RSA_TRUST_STORE $RSA_RIM_SIGNER
+ check_cert $RSA_TRUST_STORE $RSA_DN_SRV_CERT
+ check_cert $RSA_TRUST_STORE $RSA_DB_CLIENT_CERT
+ check_cert $RSA_TRUST_STORE $RSA_WEB_TLS_CERT
+
+ popd > /dev/null
+ pushd $CERT_PATH$ECC_PATH > /dev/null
+ check_cert $ECC_TRUST_STORE $ECC_HIRS_ROOT
+ check_cert $ECC_TRUST_STORE $ECC_HIRS_INTERMEDIATE
+ check_cert $ECC_TRUST_STORE $ECC_HIRS_CA1
+ check_cert $ECC_TRUST_STORE $ECC_HIRS_CA2
+ check_cert $ECC_TRUST_STORE $ECC_HIRS_CA3
+ check_cert $ECC_TRUST_STORE $ECC_RIM_SIGNER
+ check_cert $ECC_TRUST_STORE $ECC_DN_SRV_CERT
+ check_cert $ECC_TRUST_STORE $ECC_DB_CLIENT_CERT
+ check_cert $ECC_TRUST_STORE $ECC_WEB_TLS_CERT
+ popd > /dev/null
+
+ if [ -z "${ARG_VERBOSE}" ]; then
+ if [ $ALL_CERTS_PASSED == true ]; then
+ echo " All RSA and ECC certificates under $CERT_PATH are valid"
+ else
+ echo " There were error in the certificates under $CERT_PATH"
+ fi
+ keytool -list -keystore /etc/hirs/certificates/HIRS/TrustStore.jks -storepass $hirs_pki_password | grep hirs | sed -e 's/^/ /' > /dev/null
+ else #verbose
+ echo " Checking KeyStore, Keystore aliases, and pki password"
+ echo " Keystore alias list:"
+ keytool -list -keystore /etc/hirs/certificates/HIRS/TrustStore.jks -storepass $hirs_pki_password | grep hirs | sed -e 's/^/ /'
+ fi
+
+ if [ $? -eq 0 ]; then
+ echo " JKS Trust Store File (/etc/hirs/certificates/HIRS/TrustStore.jks) is correct: HIRS pki password is correct"
+ else
+ echo " Error with JKS Trust Store: HIRS pki password is NOT correct"
+ ALL_CHECKS_PASSED=false
+ fi
+}
+
+check_db () {
+ echo "Checking DB server TLS configuration..."
+ RESULT=$(mysql -u root --password=$mysql_admin_password -e "SHOW VARIABLES LIKE '%have_ssl%'" | grep -o YES )
+ if [ "$RESULT" == "YES" ]; then
+ echo " Mysql Server side TLS is enabled:"
+ else
+ echo " Mysql Sever side TLS is NOT enabled:"
+ ALL_CHECKS_PASSED=false
+ fi
+
+ RESULT=$(mysqlshow --user=hirs_db --password=$hirs_db_password hirs_db| grep -o hirs_db)
+ if [ "$RESULT" == "hirs_db" ]; then
+ echo " The hirs_db database is visable by the hirs_db user"
+ else
+ echo " The hirs_db database is NOT visable by the hirs_db user"
+ ALL_CHECKS_PASSED=false
+ fi
+ if [ ! -z "${ARG_VERBOSE}" ]; then
+ echo " Show hirs_db user config using hirs_db password"
+ mysql -u hirs_db --password=$hirs_db_password -e "SHOW CREATE USER 'hirs_db'@'localhost';" \
+ --ssl-ca=/etc/hirs/certificates/HIRS/rsa_3k_sha384_certs/HIRS_rsa_3k_sha384_Cert_Chain.pem \
+ --ssl-cert=/etc/hirs/certificates/HIRS/rsa_3k_sha384_certs/HIRS_db_client_rsa_3k_sha384.pem \
+ --ssl-key=/etc/hirs/certificates/HIRS/rsa_3k_sha384_certs/HIRS_db_client_rsa_3k_sha384.key
+ echo "Mysql TLS configuration"
+ mysql -u root --password=$mysql_admin_password -e "SHOW VARIABLES LIKE '%ssl%'"
+ echo "hirs_db user database access:"
+ mysql -u hirs_db --password=$hirs_db_password -e "SHOW DATABASES;";
+ echo "Privileges for the hirs_db user:"
+ mysql -u hirs_db --password=$hirs_db_password -e "SHOW GRANTS FOR 'hirs_db'@'localhost'"
+ fi
+
+}
+
+# Check selinux status and files that require specific contexts
+check_selinux () {
+ SELINUXSTATUS=$(getenforce)
+ DB_SRV_CONTEXT=$(ls -Z $DB_SRV_CONF)
+ DB_CLIENT_CONTEXT=$(ls -Z $DB_CLIENT_CONF)
+ echo "Checking device selinux status..."
+ if [[ "$SELINUXSTATUS" == *"Enforcing"* ]]; then
+ echo " Selinux is in Enforcing mode."
+ if [[ "$DB_SRV_CONTEXT" == *"mysqld_etc_t"* && "$DB_CLIENT_CONTEXT" == *"mysqld_etc_t"* ]]; then
+ echo " Selinux status is $SELINUXSTATUS and both $DB_SRV_CONF and $DB_CLIENT_CONF contexts are correct"
+ elif [[ "$DB_CLIENT_CONTEXT" == *"mysqld_etc_t"* ]]; then
+ echo " Selinux status is $SELINUXSTATUS and $DB_CLIENT_CONF context is incorrect: $DB_CLIENT_CONTEXT"
+ ALL_CHECKS_PASSED=false
+ else
+ echo " Selinux status is $SELINUXSTATUS and $DB_SRV_CONF context is incorrect: $DB_SRV_CONTEXT"
+ ALL_CHECKS_PASSED=false
+ fi
+ else
+ echo " Selinux is in NOT in Enforcing mode."
+ fi
+}
+
+check_fips () {
+ echo "Checking FIPS mode on this device..."
+ echo " "$(sysctl -a | grep crypto.fips_enabled)
+}
+
+check_for_container
+check_pwds
+check_pki
+check_mysql_setup
+check_db
+check_selinux
+check_fips
+
+if [ $ALL_CHECKS_PASSED = true ]; then
+ echo "ACA setup checks passed!"
+else
+ echo "ACA setup checks failed."
+fi
\ No newline at end of file
diff --git a/package/scripts/aca/aca_remove_setup.sh b/package/scripts/aca/aca_remove_setup.sh
new file mode 100755
index 00000000..dfe800a9
--- /dev/null
+++ b/package/scripts/aca/aca_remove_setup.sh
@@ -0,0 +1,31 @@
+#!/bin/bash
+#####################################################################################
+#
+# Script to remove ACA setup files and database items.
+#
+#
+#####################################################################################
+
+SCRIPT_DIR=$( dirname -- "$( readlink -f -- "$0"; )"; )
+LOG_FILE=/dev/null
+
+# Check for Admin privileges
+if [ "$EUID" -ne 0 ]; then
+ echo "This script requires root. ACA setup not removed. Please run as root."
+ exit 1
+fi
+if [ ! -f /etc/hirs/aca/aca.properties ]; then
+ echo "aca.properties does not exist, aborting."
+ exit 1
+fi
+
+# remove the hrs-db and hirs_db user
+pushd $SCRIPT_DIR/../db/
+sh db_drop.sh
+popd
+
+# remove pki files and config files
+echo "Removing certificates and config files..."
+rm -rf /etc/hirs
+
+echo "ACA setup removal complete."
\ No newline at end of file
diff --git a/package/scripts/aca/aca_setup.sh b/package/scripts/aca/aca_setup.sh
old mode 100644
new mode 100755
index 93edfa3d..9cb7483b
--- a/package/scripts/aca/aca_setup.sh
+++ b/package/scripts/aca/aca_setup.sh
@@ -1,50 +1,108 @@
#!/bin/bash
# Capture location of the script to allow from invocation from any location
SCRIPT_DIR=$( dirname -- "$( readlink -f -- "$0"; )"; )
-SPRING_PROP_FILE='../../../HIRS_AttestationCAPortal/src/main/resources/application.properties'
HIRS_CONF_DIR=/etc/hirs/aca
LOG_FILE_NAME="hirs_aca_install_"$(date +%Y-%m-%d).log
LOG_DIR="/var/log/hirs/"
-HIRS_PROP_DIR="/opt/hirs/default-properties"
-COMP_JSON='../../../HIRS_AttestationCA/src/main/resources/component-class.json'
-VENDOR_TABLE='../../../HIRS_AttestationCA/src/main/resources/vendor-table.json'
LOG_FILE="$LOG_DIR$LOG_FILE_NAME"
-echo "LOG_FILE is $LOG_FILE"
+HIRS_PROP_DIR="/opt/hirs/default-properties"
-if [ "$EUID" -ne 0 ]
- then echo "The first time this script is run, this script requires root. Please run as root"
+help () {
+ echo " Setup script for the HIRS ACA"
+ echo " Syntax: sh aca_setup.sh [-u|h|sb|sp|--skip-db|--skip-pki]"
+ echo " options:"
+ echo " -u | --unattended Run unattended"
+ echo " -h | --help Print this Help."
+ echo " -sp | --skip-pki run the setup without pki setup."
+ echo " -sb | --skip-db run the setup without databse setup."
+ echo
+}
+
+# Process parameters Argument handling
+POSITIONAL_ARGS=()
+ORIGINAL_ARGS=("$@")
+while [[ $# -gt 0 ]]; do
+ case $1 in
+ -sd|--skip-db)
+ ARG_SKIP_DB=YES
+ shift # past argument
+ ;;
+ -sp|--skip-pki)
+ ARG_SKIP_PKI=YES
+ shift # past argument
+ ;;
+ -u|--unattended)
+ ARG_UNATTEND=YES
+ shift # past argument
+ ;;
+ -h|--help)
+ help
+ exit 0
+ shift # past argument
+ ;;
+ -*|--*)
+ echo "aca_setup.sh: Unknown option $1"
+ help
exit 1
-fi
+ ;;
+ *)
+ POSITIONAL_ARGS+=("$1") # save positional arg
+ # shift # past argument
+ break
+ ;;
+ esac
+done
+
+set -- "${POSITIONAL_ARGS[@]}" # restore positional parameters
mkdir -p $HIRS_CONF_DIR $LOG_DIR $HIRS_PROP_DIR
-echo "HIRS ACA Setup initiated on $(date +%Y-%m-%d)" > "$LOG_FILE"
+echo "ACA setup log file is $LOG_FILE"
+
+if [ "$EUID" -ne 0 ]
+ then echo "This script requires root. Please run as root"
+ exit 1
+fi
+
+touch "$LOG_FILE"
+echo "HIRS ACA Setup initiated on $(date +%Y-%m-%d)" >> "$LOG_FILE"
pushd $SCRIPT_DIR &>/dev/null
-
-# Copy HIRS configuration and data files if not a package install
-if [ -f $SPRING_PROP_FILE ]; then
- cp -n $SPRING_PROP_FILE $HIRS_CONF_DIR/.
- cp -n $COMP_JSON $HIRS_PROP_DIR/.
- cp -n $VENDOR_TABLE $HIRS_PROP_DIR/.
-fi
-
-sh ../db/db_create.sh $LOG_FILE
-if [ $? -eq 0 ]; then
- echo "ACA database setup complete" | tee -a "$LOG_FILE"
+# Set HIRS PKI password
+if [ -z $HIRS_PKI_PWD ]; then
+ # Create a 32 character random password
+ PKI_PASS=$(head -c 64 /dev/urandom | md5sum | tr -dc 'a-zA-Z0-9')
+ echo "Using randomly generated password for the PKI key password" | tee -a "$LOG_FILE"
else
- echo "Error setting up ACA DB" | tee -a "$LOG_FILE"
- exit 1
-fi
-sh ../pki/pki_setup.sh $LOG_FILE
-if [ $? -eq 0 ]; then
- echo "ACA PKI setup complete" | tee -a "$LOG_FILE"
- else
- echo "Error setting up ACA PKI" | tee -a "$LOG_FILE"
- exit 1
+ PKI_PASS=$HIRS_PKI_PWD
+ echo "Using system supplied password for the PKI key password" | tee -a "$LOG_FILE"
fi
- echo "ACA setup complete" | tee -a "$LOG_FILE"
+if [ -z "${ARG_SKIP_PKI}" ]; then
+ sh ../pki/pki_setup.sh $LOG_FILE $PKI_PASS $ARG_UNATTEND
+ if [ $? -eq 0 ]; then
+ echo "ACA PKI setup complete" | tee -a "$LOG_FILE"
+ else
+ echo "Error setting up ACA PKI" | tee -a "$LOG_FILE"
+ exit 1
+ fi
+ else
+ echo "ACA PKI setup not run due to command line argument: $ORIGINAL_ARGS" | tee -a "$LOG_FILE"
+fi
+
+if [ -z "${ARG_SKIP_DB}" ]; then
+ sh ../db/db_create.sh $LOG_FILE $ARG_UNATTEND
+ if [ $? -eq 0 ]; then
+ echo "ACA database setup complete" | tee -a "$LOG_FILE"
+ else
+ echo "Error setting up ACA DB" | tee -a "$LOG_FILE"
+ exit 1
+ fi
+ else
+ echo "ACA Database setup not run due to command line argument: $ORIGINAL_ARGS" | tee -a "$LOG_FILE"
+fi
+
+echo "ACA setup complete" | tee -a "$LOG_FILE"
popd &>/dev/null
\ No newline at end of file
diff --git a/package/scripts/aca/certificate_generate.sh b/package/scripts/aca/certificate_generate.sh
deleted file mode 100644
index 17f35bf6..00000000
--- a/package/scripts/aca/certificate_generate.sh
+++ /dev/null
@@ -1,90 +0,0 @@
-#!/usr/bin/env bash
-
-# Check if we're in a Docker container
-if [ -f /.dockerenv ]; then
- DOCKER_CONTAINER=true
-else
- DOCKER_CONTAINER=false
-fi
-
-# variables for the CA certificates
-CA_PATH=/etc/hirs/certificates
-CA_KEYSTORE=${CA_PATH}/TrustStore.jks
-
-# variables for the ACA certificates
-ACA_CERTS=/etc/hirs/aca/certificates
-ACA_KEY=${ACA_CERTS}/aca.key
-ACA_CRT=${ACA_CERTS}/aca.crt
-ACA_P12=${ACA_CERTS}/aca.p12
-ACA_JKS=${ACA_CERTS}/keyStore.jks
-ACA_CONF=${ACA_CERTS}/aca.conf
-
-# generate the OpenSSL conf file
-echo "[req]" >> ${ACA_CONF}
-echo "req_extensions=aca" >> ${ACA_CONF}
-echo "distinguished_name=distname" >> ${ACA_CONF}
-echo "" >> ${ACA_CONF}
-echo "[aca]" >> ${ACA_CONF}
-echo "keyUsage=critical,keyCertSign" >> ${ACA_CONF}
-echo "basicConstraints=critical,CA:true" >> ${ACA_CONF}
-echo "subjectKeyIdentifier=hash" >> ${ACA_CONF}
-echo "" >> ${ACA_CONF}
-echo "[distname]" >> ${ACA_CONF}
-echo "# empty" >> ${ACA_CONF}
-
-# generate the ACA signing key and self-signed certificate
-openssl req -x509 -config ${ACA_CONF} -extensions aca -days 3652 -set_serial 01 -subj "/C=US/O=HIRS/OU=Attestation CA/CN=$HOSTNAME" -newkey rsa:2048 -nodes -keyout ${ACA_KEY} -out ${ACA_CRT}
-
-# if the trust store already has an older HIRS_ACA_KEY in it, remove it
-keytool -list -keystore ${CA_KEYSTORE} -storepass password -alias HIRS_ACA_KEY
-rc=$?
-if [[ $rc = 0 ]]; then
- keytool -delete -alias HIRS_ACA_KEY -storepass password -keystore ${CA_KEYSTORE}
-fi
-
-# load the generated certificate into the CA trust store
-keytool -import -keystore ${CA_KEYSTORE} -storepass password -file ${ACA_CRT} -noprompt -alias HIRS_ACA_KEY
-
-# export the cert and key to a p12 file
-openssl pkcs12 -export -in ${ACA_CRT} -inkey ${ACA_KEY} -out ${ACA_P12} -passout pass:password
-
-# create a key store using the p12 file
-keytool -importkeystore -srckeystore ${ACA_P12} -destkeystore ${ACA_JKS} -srcstoretype pkcs12 -srcstorepass password -deststoretype jks -deststorepass password -noprompt -alias 1 -destalias HIRS_ACA_KEY
-
-# set the password in the aca properties file
-sed -i "s/aca\.keyStore\.password\s*=/aca.keyStore.password=password/" /etc/hirs/aca/aca.properties
-
-# copy the trust store to the ACA
-cp ${CA_KEYSTORE} /etc/hirs/aca/client-files/
-
-# start up the tomcat service
-
-# Guess where Tomcat is installed and what it's called:
-if [ -d /usr/share/tomcat6 ] ; then
- TOMCAT_SERVICE=tomcat6
-elif [ -d /usr/share/tomcat ] ; then
- TOMCAT_SERVICE=tomcat
-else
- echo "Can't find Tomcat installation"
- exit 1
-fi
-
-# restart tomcat after updating the trust store.
-if [ $DOCKER_CONTAINER = true ]; then
- # If in Docker container, avoid services that invoke the D-Bus
- if [[ $(ss -t -l -n | grep -q LISTEN.*:::8009) -eq 0 ]]; then
- echo "Tomcat is running, so we restart it."
- /usr/libexec/tomcat/server stop
- # Wait for Tomcat to stop completely and prevent port bind collisions
- while [ -z "$(tail -n 1 /var/log/tomcat/catalina.$(date +"%Y-%m-%d").log | grep "Destroying ProtocolHandler \[\"http-bio-8443\"\]")" ]; do
- :
- done
- (/usr/libexec/tomcat/server start) &
- # Wait for Tomcat to boot completely
- until [ "`curl --silent --connect-timeout 1 -I http://localhost:8080 | grep 'Coyote'`" != "" ]; do
- :
- done
- fi
-else
- /sbin/service ${TOMCAT_SERVICE} restart;
-fi
diff --git a/package/scripts/common/firewall_configure_tomcat.sh b/package/scripts/common/firewall_configure_tomcat.sh
deleted file mode 100644
index 69064592..00000000
--- a/package/scripts/common/firewall_configure_tomcat.sh
+++ /dev/null
@@ -1,26 +0,0 @@
-if ! [ $(id -u) = 0 ]; then
- echo "Please run this script as root."
- exit 1
-fi
-
-if [[ -f /etc/redhat-release ]] ; then
-CENTOS_VER=`/opt/hirs/scripts/common/get_centos_major_version.sh`
-elif [[ -f /etc/os-release ]] ; then
-AMAZON_VER=`/opt/hirs/scripts/common/get_amazon_linux_major_version.sh`
-fi
-
-if [ $CENTOS_VER -eq "6" ] ; then
- checkHTTPS=`iptables-save | grep -- "--dport 8443 -j ACCEPT"`
- if [[ $checkHTTPS == "" ]]; then
- echo "Tomcat HTTPS firewall rule doesn't exist, adding now"
- iptables -I INPUT 1 -p tcp -m tcp --dport 8443 -j ACCEPT
- service iptables save
- fi
-elif [ $CENTOS_VER -eq "7" ] || [ $AMAZON_VER -eq "2" ] ; then
- firewall-cmd --direct --permanent --add-rule ipv4 filter INPUT 0 -p tcp --dport 8443 -j ACCEPT
- firewall-cmd --reload
-else
- echo "Unsupported Linux detected"
- exit 1
-fi
-
diff --git a/package/scripts/common/get_centos_major_version.sh b/package/scripts/common/get_centos_major_version.sh
deleted file mode 100644
index 83475610..00000000
--- a/package/scripts/common/get_centos_major_version.sh
+++ /dev/null
@@ -1 +0,0 @@
-cat /etc/redhat-release | grep -Eo "release [0-9]" | tail -c 2
\ No newline at end of file
diff --git a/package/scripts/common/get_db_service.sh b/package/scripts/common/get_db_service.sh
deleted file mode 100644
index 76be3c03..00000000
--- a/package/scripts/common/get_db_service.sh
+++ /dev/null
@@ -1,8 +0,0 @@
-if [[ $(rpm -qa mariadb*) ]]; then
- echo "mariadb"
-elif [[ $(rpm -qa mysql-server*) ]]; then
- echo "mysqld"
-else
- echo "Could not determine installed database"
- exit 1
-fi
\ No newline at end of file
diff --git a/package/scripts/common/jvm_version_check.sh b/package/scripts/common/jvm_version_check.sh
deleted file mode 100755
index 3292bd10..00000000
--- a/package/scripts/common/jvm_version_check.sh
+++ /dev/null
@@ -1,6 +0,0 @@
-# only argument to this script is the java command to use in this version check
-JAVA_SPEC_VER=`$1 -XshowSettings:properties -version 2>&1 | grep java.specification.version | grep -Eo "[0-9]\.[0-9]+"`
-case "$JAVA_SPEC_VER" in
- "1.8"|"1.9"|"1.10"|"1.11"|"1.12" ) ;;
- * ) echo "HIRS needs to be run with a JVM supporting at least specification 1.8. Found $JAVA_SPEC_VER." && exit 1 ;;
-esac
diff --git a/package/scripts/common/my.cnf.el7 b/package/scripts/common/my.cnf.el7
deleted file mode 100644
index c96f1996..00000000
--- a/package/scripts/common/my.cnf.el7
+++ /dev/null
@@ -1,8 +0,0 @@
-#begin-hirs-cfg
-ssl-ca=/etc/hirs/certificates/mysql/hirs.ca.cert
-ssl-cert=/etc/hirs/certificates/mysql/hirs-cert.pem
-ssl-key=/etc/hirs/certificates/mysql/hirs-key.pem
-innodb_large_prefix=1
-innodb_file_format=BARRACUDA
-innodb_file_per_table=1
-#end-hirs-cfg
diff --git a/package/scripts/common/secure_mysql.sql b/package/scripts/common/secure_mysql.sql
deleted file mode 100644
index 8589affe..00000000
--- a/package/scripts/common/secure_mysql.sql
+++ /dev/null
@@ -1,5 +0,0 @@
-DELETE FROM mysql.user WHERE User='';
-DELETE FROM mysql.user WHERE User='root' AND Host NOT IN ('localhost', '127.0.0.1', '::1');
-DROP DATABASE IF EXISTS test;
-DELETE FROM mysql.db WHERE Db='test' OR Db='test\\_%';
-FLUSH PRIVILEGES
diff --git a/package/scripts/common/ssl_configure.sh b/package/scripts/common/ssl_configure.sh
deleted file mode 100755
index 3dc49c55..00000000
--- a/package/scripts/common/ssl_configure.sh
+++ /dev/null
@@ -1,253 +0,0 @@
-#!/usr/bin/env bash
-
-# certificates and key stores generated by this script
-CERTIFICATES="/etc/hirs/certificates"
-CA_CERT=${CERTIFICATES}/hirs.ca.cert
-INTERNAL_P12=${CERTIFICATES}/hirs.p12
-KEYSTORE_JKS=${CERTIFICATES}/keyStore.jks
-TRUSTSTORE_JKS=${CERTIFICATES}/TrustStore.jks
-CA_CERT_DIR_ESCAPED=\\/etc\\/hirs\\/certificates
-
-# 'private' data generated by this script
-CA_PEM=${CERTIFICATES}/private/hirs.ca.pem
-P12_DATA=${CERTIFICATES}/private/p12.data
-
-echo 'Checking SSL configuration for HIRS'
-
-# Check if we're in a Docker container
-if [ -f /.dockerenv ]; then
- DOCKER_CONTAINER=true
-else
- DOCKER_CONTAINER=false
-fi
-
-#################
-# Key Generation
-#################
-
-# if the CA PEM file does not exist, generate the HIRS CA file and associated keystore and truststores
-if ! [ -f $CA_PEM ]; then
- echo 'Generating certificates'
- # create directory structure
- mkdir -p ${CERTIFICATES}/private
-
- # Generate our random key store password. We need to do this before configuring Tomcat, as we'll
- # need to add it to Tomcat's configuration file. Read a block of raw data bytes from /dev/urandom
- # and convert it to text characters. Not the greatest, but hey:
- echo 'Creating random key material'
- P12_PASSWORD=$(head -c 64 /dev/urandom | md5sum | tr -dc 'a-zA-Z0-9')
-
- # generate a key and certificate. The key is the private key used to sign the well known CA cert.
- echo 'Creating 2048 bit key'
- openssl req -x509 -nodes -days 3652 -newkey rsa:2048 -keyout ${CA_PEM} -out ${CA_CERT} -subj "/C=US/O=HIRS/OU=Common/CN=$(hostname)"
-
- # export the certificate and key as a p12 file
- echo 'Exporting key'
- openssl pkcs12 -export -in ${CA_CERT} -inkey ${CA_PEM} -out ${INTERNAL_P12} -passout pass:${P12_PASSWORD}
-
- # create a key store using the pk12 file.
- echo 'Configuring keystore'
- keytool -importkeystore -srckeystore ${INTERNAL_P12} -destkeystore ${KEYSTORE_JKS} -srcstoretype pkcs12 -srcstorepass ${P12_PASSWORD} -deststoretype jks -deststorepass ${P12_PASSWORD} -noprompt
-
- # import the root CA certificate into the trust store.
- echo 'Configuring truststore'
- keytool -import -keystore ${TRUSTSTORE_JKS} -storepass password -file ${CA_CERT} -noprompt
-
- # write P12 password to file
- echo $P12_PASSWORD > $P12_DATA
-
- # set appropriate permissions on certificates
- chmod 775 /etc/hirs/certificates/
- chmod -R 664 /etc/hirs/certificates/*
- chmod 700 /etc/hirs/certificates/private
- chmod -R 600 /etc/hirs/certificates/private/*
-else
- # if the certificate was previously generated, grab the P12 password out of the file
- P12_PASSWORD=`cat $P12_DATA`
-fi
-
-#################
-# ActiveMQ
-#################
-
-if [[ $1 = "server" ]]; then
- if [ -f "/srv/activemq/current/conf/activemq.xml" ] ; then
- if [[ -n `grep -o "keyStorePassword=\"\"" /srv/activemq/current/conf/activemq.xml` ]]; then
- echo "Configuring ActiveMQ SSL"
-
- # set the key store password for the messaging service
- sed -i -r "s/keyStorePassword=\"\w*\"/keyStorePassword=\"${P12_PASSWORD}\"/g" /srv/activemq/current/conf/activemq.xml
- fi
- fi
-fi
-
-#################
-# Tomcat
-#################
-
-if [[ $1 = "server" ]]; then
- # determine which version of tomcat is installed
- rpm -q tomcat6
- if [[ $? -eq 0 ]]; then
- TOMCAT_VERSION=`rpm -q --qf="%{VERSION}" tomcat6`
- else
- TOMCAT_VERSION=`rpm -q --qf="%{VERSION}" tomcat`
- fi
-
- TOMCAT_MAJOR_VERSION=`echo $TOMCAT_VERSION | head -c 1`
-
- if [[ $TOMCAT_MAJOR_VERSION = '6' ]]; then
- CATALINA_HOME=/usr/share/tomcat6
- TOMCAT_SERVICE=tomcat6
- TOMCAT_CONF=${CATALINA_HOME}/conf/tomcat6.conf
- elif [[ $TOMCAT_MAJOR_VERSION = '7' ]] ; then
- CATALINA_HOME=/usr/share/tomcat
- TOMCAT_SERVICE=tomcat
- TOMCAT_CONF=${CATALINA_HOME}/conf/tomcat.conf
- else
- echo "Unsupported Tomcat version: ${TOMCAT_MAJOR_VERSION}"
- exit 1
- fi
-
- if [[ -z `grep -o "keystoreFile=\"${CA_CERT_DIR_ESCAPED}\/keyStore.jks\"" $CATALINA_HOME/conf/server.xml` ]]; then
- echo "Configuring Tomcat SSL"
-
- chown -R root:tomcat /etc/hirs/certificates/
-
- # create an alias in the keystore for tomcat
- alias=$(keytool -list -v -keystore ${KEYSTORE_JKS} -storepass ${P12_PASSWORD} | grep -B2 'PrivateKeyEntry' | grep 'Alias name:')
- keytool -changealias -alias ${alias#*:} -destalias tomcat -v -keystore ${KEYSTORE_JKS} -storepass ${P12_PASSWORD}
-
- # Set up Tomcat. We need to ensure that Tomcat is running as a service
- chkconfig ${TOMCAT_SERVICE} on
-
- # Configure the server.xml file such that it uses our key store and trust store
- if [ $DOCKER_CONTAINER = true ]; then
- # If in Docker container, avoid services that invoke the D-Bus
- if [[ $(pgrep -c -f /usr/share/tomcat) -ne 0 ]]; then
- echo "Tomcat is running, so we stop it."
- /usr/libexec/tomcat/server stop
- fi
- else
- service ${TOMCAT_SERVICE} stop
- fi
-
- # Configure Tomcat SSL properly. The method for doing this changes from 6.0.38 onward.
- rpmdev-vercmp 6.0.38 $TOMCAT_VERSION
- VERCMP_STATUS=$?
- if [[ $VERCMP_STATUS -eq 0 ]] || [[ $VERCMP_STATUS -eq 12 ]]; then
- # Tomcat v 6.0.38 or newer
- sed -i "s/.*<\/Service>/<\/Service>/" $CATALINA_HOME/conf/server.xml
- elif [[ $VERCMP_STATUS -eq 11 ]]; then
- # Older than Tomcat 6.0.38
- sed -i "s/.*<\/Service>/<\/Service>/" $CATALINA_HOME/conf/server.xml
- else
- echo "Unknown rpmdev-vercmp exit code: ${VERCMP_STATUS}"
- exit 1
- fi
-
- sed -i 's/.*<\/tomcat-users>/ <\/tomcat-users>/' $CATALINA_HOME/conf/tomcat-users.xml
-
- # ensure tomcat is using the trust store and key store for all other SSL operations.
- cat << EOF >> ${TOMCAT_CONF}
-#begin-hirs-conf
-JAVA_OPTS="-Djavax.sql.DataSource.Factory=org.apache.commons.dbcp.BasicDataSourceFactory -Xmx1536m -Djavax.net.ssl.keyStore=${KEYSTORE_JKS} -Djavax.net.ssl.keyStorePassword=${P12_PASSWORD} -Djavax.net.ssl.trustStore=${TRUSTSTORE_JKS} -Djavax.net.ssl.trustStorePassword=password"
-#end-hirs-conf
-EOF
-
- # (3) set tomcat user as owner of tomcat installation
- chgrp -R tomcat ${CATALINA_HOME}
-
- if [ $DOCKER_CONTAINER = true ]; then
- # If in Docker container, avoid services that invoke the D-Bus
- (/usr/libexec/tomcat/server start) &
- # Wait for Tomcat to boot completely
- until [ "`curl --silent --connect-timeout 1 -I http://localhost:8080 | grep 'Coyote'`" != "" ]; do
- :
- done
- else
- service ${TOMCAT_SERVICE} start
- fi
- fi
-fi
-
-#################
-# Appraiser
-#################
-
-if [[ $1 = "appraiser" ]]; then
- APPRAISER_SCRIPT="/opt/hirs/appraiser/bin/HIRS_Appraiser"
-
- if [[ -z `grep -o "\-Djavax.net.ssl.keyStorePassword" $APPRAISER_SCRIPT` ]]; then
- echo "Configuring Appraiser SSL"
-
- # grab the line number of the JVM options for the client script
- VM_OPTS=$(awk '/DEFAULT_JVM_OPTS/{print NR; exit }' ${APPRAISER_SCRIPT})
-
- # append the key store password to the client startup script
- sed -i "${VM_OPTS}s/'$/ \"-Djavax.net.ssl.keyStorePassword=${P12_PASSWORD}\"\'/" ${APPRAISER_SCRIPT}
- fi
-fi
-
-#################
-# MySQL/MariaDB
-#################
-
-if [[ $1 = "server" ]]; then
- MYSQL_CERT_DIR=/etc/hirs/certificates/mysql/
-
- if ! [[ -d $MYSQL_CERT_DIR ]]; then
- echo "Configuring MySQL SSL"
-
- # apply MySQL SSL configuration:
- mkdir -p $MYSQL_CERT_DIR
-
- # copy CA cert over
- cp $CA_CERT $MYSQL_CERT_DIR/
-
- # convert p12 key to pem
- openssl pkcs12 -in $INTERNAL_P12 -out $MYSQL_CERT_DIR/hirs.pem -nodes -passin pass:${P12_PASSWORD} -passout pass:
-
- # extract cert from pem into its own file
- openssl x509 -in $MYSQL_CERT_DIR/hirs.pem -outform PEM -out $MYSQL_CERT_DIR/hirs-cert.pem
-
- # extract key from pem into its own file
- openssl pkey -in $MYSQL_CERT_DIR/hirs.pem -outform PEM -out $MYSQL_CERT_DIR/hirs-key.pem
-
- # make readable to user named 'mysql'
- chgrp -R mysql $MYSQL_CERT_DIR
- chmod -R 770 $MYSQL_CERT_DIR
-
- # update MySQL/MariaDB SSL and index configuration
- if [[ -f /etc/redhat-release ]] ; then
- CENTOS_VER=`/opt/hirs/scripts/common/get_centos_major_version.sh`
- elif [[ -f /etc/os-release ]] ; then
- AMAZON_VER=`/opt/hirs/scripts/common/get_amazon_linux_major_version.sh`
- fi
- if [ $CENTOS_VER -eq "6" ] ; then
- MYSQL_ADDITIONS_FILE=/opt/hirs/scripts/common/my.cnf.el6
- elif [ $CENTOS_VER -eq "7" ] || [ $AMAZON_VER -eq "2" ] ; then
- MYSQL_ADDITIONS_FILE=/opt/hirs/scripts/common/my.cnf.el7
- else
- echo "Unsupported Linux detected"
- exit 1
- fi
-
- sed -i "/\[mysqld\]/r $MYSQL_ADDITIONS_FILE" /etc/my.cnf
-
- if [ $DOCKER_CONTAINER = true ]; then
- # If in Docker container, avoid services that invoke the D-Bus
- if [[ $(pgrep -c -u mysql mysqld) -ne 0 ]]; then
- echo "MariaDB is running, so we'll need to restart it."
- mysqladmin shutdown
- /usr/libexec/mariadb-prepare-db-dir
- nohup /usr/bin/mysqld_safe --basedir=/usr &>/dev/null &
- MYSQLD_PID=$(pgrep -u mysql mysqld)
- /usr/libexec/mariadb-wait-ready $MYSQLD_PID
- fi
- else
- SQL_SERVICE=`/opt/hirs/scripts/common/get_db_service.sh`
- service $SQL_SERVICE restart
- fi
- fi
-fi
diff --git a/package/scripts/common/ssl_deconfigure.sh b/package/scripts/common/ssl_deconfigure.sh
deleted file mode 100644
index 815ef7f3..00000000
--- a/package/scripts/common/ssl_deconfigure.sh
+++ /dev/null
@@ -1,92 +0,0 @@
-#!/usr/bin/env bash
-
-# certificates and key stores generated by this script
-CERTIFICATES="/etc/hirs/certificates"
-
-#################
-# Key Generation
-#################
-
-# leave certificate directory intact on uninstall
-
-#################
-# ActiveMQ
-#################
-
-# no need to deconfigure, as it will be completely removed during uninstall
-
-#################
-# Tomcat
-#################
-
-if [[ $1 = "server" ]]; then
- # determine which version of tomcat is installed
- rpm -q tomcat6
- if [[ $? -eq 0 ]]; then
- TOMCAT_VERSION=`rpm -q --qf="%{VERSION}" tomcat6`
- else
- TOMCAT_VERSION=`rpm -q --qf="%{VERSION}" tomcat`
- fi
-
- TOMCAT_MAJOR_VERSION=`echo $TOMCAT_VERSION | head -c 1`
-
- if [[ $TOMCAT_MAJOR_VERSION = '6' ]]; then
- CATALINA_HOME=/usr/share/tomcat6
- TOMCAT_SERVICE=tomcat6
- TOMCAT_CONF=${CATALINA_HOME}/conf/tomcat6.conf
- elif [[ $TOMCAT_MAJOR_VERSION = '7' ]] ; then
- CATALINA_HOME=/usr/share/tomcat
- TOMCAT_SERVICE=tomcat
- TOMCAT_CONF=${CATALINA_HOME}/conf/tomcat.conf
- else
- echo "Unsupported Tomcat version: ${TOMCAT_MAJOR_VERSION}"
- exit 1
- fi
-
- if [[ -n `grep -o keystorePass $CATALINA_HOME/conf/server.xml` ]]; then
- SERVER_CONF=${CATALINA_HOME}/conf/server.xml
- TOMCAT_USERS=${CATALINA_HOME}/conf/tomcat-users.xml
-
- echo "Restoring $TOMCAT_CONF"
- sed -i "/^#begin-hirs-conf/,/^#end-hirs-conf/d" "$TOMCAT_CONF"
-
- echo "Restoring $SERVER_CONF"
- sed -i "s^^^" "$SERVER_CONF"
-
- echo "Restoring $TOMCAT_USERS"
- sed -i "s//<\/tomcat-users>/" "$TOMCAT_USERS"
- fi
-fi
-
-#################
-# Appraiser
-#################
-
-# no need to deconfigure, as it will be completely removed during uninstall
-
-#################
-# MySQL/MariaDB
-#################
-
-if [[ $1 = "server" ]]; then
- MYSQL_CERT_DIR=${CERTIFICATES}/mysql/
-
- if [[ -d $MYSQL_CERT_DIR ]]; then
- # stop the database
- if [[ $(rpm -qa mariadb*) ]]; then
- service mariadb stop
- else
- service mysqld stop
- fi
-
- rm -rf $MYSQL_CERT_DIR
- sed -i "/^#begin-hirs-conf/,/^#end-hirs-conf/d" /etc/my.cnf
-
- # start the database
- if [[ $(rpm -qa mariadb*) ]]; then
- service mariadb start
- else
- service mysqld start
- fi
- fi
-fi
\ No newline at end of file
diff --git a/package/scripts/db/db_create.sh b/package/scripts/db/db_create.sh
index 6dada853..8cee8db8 100644
--- a/package/scripts/db/db_create.sh
+++ b/package/scripts/db/db_create.sh
@@ -5,88 +5,153 @@
# Environment variables used:
# a. HIRS_MYSQL_ROOT_PWD: Set this variable if mysql root password is already set
# b. HIRS_DB_PWD: Set the pwd if default password to hirs_db user needs to be changed
-# HIRS_MYSQL_ROOT_NEW_PWD wil be ignored if HIRS_MYSQL_ROOT_EXSITING_PWD is set.
################################################################################
+LOG_FILE=$1
+UNATTENDED=$2
# Capture location of the script to allow from invocation from any location
SCRIPT_DIR=$( dirname -- "$( readlink -f -- "$0"; )"; )
-# Set Mysql HIRS DB password
-if [ -z $HIRS_DB_PWD ]; then
- HIRS_DB_PWD="hirs_db"
+SPRING_PROP_FILE="/etc/hirs/aca/application.properties"
+ACA_PROP_FILE="/etc/hirs/aca/aca.properties"
+DB_ADMIN_PWD=""
+# Db Configuration files
+DB_SRV_CONF="/etc/my.cnf.d/mariadb-server.cnf"
+DB_CLIENT_CONF="/etc/my.cnf.d/client.cnf"
+# Default Server Side Certificates
+SSL_DB_SRV_CHAIN="/etc/hirs/certificates/HIRS/rsa_3k_sha384_certs/HIRS_rsa_3k_sha384_Cert_Chain.pem";
+SSL_DB_SRV_CERT="/etc/hirs/certificates/HIRS/rsa_3k_sha384_certs/HIRS_db_srv_rsa_3k_sha384.pem";
+SSL_DB_SRV_KEY="/etc/hirs/certificates/HIRS/rsa_3k_sha384_certs/HIRS_db_srv_rsa_3k_sha384.key";
+# Default Client Side Certificates
+SSL_DB_CLIENT_CHAIN="/etc/hirs/certificates/HIRS/rsa_3k_sha384_certs/HIRS_rsa_3k_sha384_Cert_Chain.pem";
+SSL_DB_CLIENT_CERT="/etc/hirs/certificates/HIRS/rsa_3k_sha384_certs/HIRS_db_client_rsa_3k_sha384.pem";
+SSL_DB_CLIENT_KEY="/etc/hirs/certificates/HIRS/rsa_3k_sha384_certs/HIRS_db_client_rsa_3k_sha384.key";
+
+touch $ACA_PROP_FILE
+touch $LOG_FILE
+touch $DB_SRV_CONF
+
+# Make sure required paths exist
+mkdir -p /etc/hirs/aca/
+mkdir -p /var/log/hirs/
+
+source $SCRIPT_DIR/start_mysqld.sh
+source $ACA_PROP_FILE
+
+check_mysql_root_pwd () {
+ # Check if DB root password needs to be obtained
+
+ if [ -z $HIRS_MYSQL_ROOT_PWD ]; then
+ # Create a 32 character random password
+ echo "Using randomly generated password for the DB admin" | tee -a "$LOG_FILE"
+ DB_ADMIN_PWD=$(head -c 64 /dev/urandom | md5sum | tr -dc 'a-zA-Z0-9')
+ echo "DB Admin will be set to $DB_ADMIN_PWD , please make note for next mysql use."
+ # Check UNATTENDED flag set m if not then prompt user for permission ot store mysql root password
+ if [ -z $UNATTENDED ]; then
+ read -p "Do you wish to save this password to the aca.properties file? " confirm
+ if [[ $confirm == [yY] || $confirm == [yY][eE][sS] ]]; then
+ echo "mysql_admin_password=$DB_ADMIN_PWD" >> $ACA_PROP_FILE
+ echo "Mysql root password saved locally"
+ else
+ echo "Mysql root password not saved locally"
+ fi
+ else
+ echo "mysql_admin_password=$DB_ADMIN_PWD" >> $ACA_PROP_FILE
+ echo "Mysql root password has been saved locally."
+ fi
+ mysqladmin --user=root password "$DB_ADMIN_PWD"
+ else
+ DB_ADMIN_PWD=$HIRS_MYSQL_ROOT_PWD
+ echo "Using system variable supplied password" | tee -a "$LOG_FILE"
+ fi
+ # Make sure root password is correct
+ $(mysql -u root -p$DB_ADMIN_PWD -e 'quit' &> /dev/null);
+ if [ $? -eq 0 ]; then
+ echo "root password verified" | tee -a "$LOG_FILE"
+ else
+ echo "MYSQL root password was not the default, not supplied, or was incorrect"
+ echo " please set the HIRS_MYSQL_ROOT_PWD system variable and retry."
+ echo " ********** ACA Mysql setup aborted ********" ;
+ exit 1;
+ fi
+}
+
+set_mysql_server_tls () {
+ # Check DB server setup. If ssl params dont exist then we need to add them.
+ if [[ $(cat "$DB_SRV_CONF" | grep -c "ssl") < 1 ]]; then
+ # Add TLS files to my.cnf
+ echo "Updating $DB_SRV_CONF with ssl parameters..." | tee -a "$LOG_FILE"
+ echo "ssl_ca=$SSL_DB_SRV_CHAIN" >> "$DB_SRV_CONF"
+ echo "ssl_cert=$SSL_DB_SRV_CERT" >> "$DB_SRV_CONF"
+ echo "ssl_key=$SSL_DB_SRV_KEY" >> "$DB_SRV_CONF"
+ # Make sure mysql can access them
+ chown mysql:mysql $SSL_DB_SRV_CHAIN $SSL_DB_SRV_CERT $SSL_DB_SRV_KEY
+ # Make selinux contexts for config files, if selinux is enabled
+ selinuxenabled
+ if [ $? -eq 0 ]; then
+ semanage fcontext -a -t mysqld_etc_t $DB_SRV_CONF > /dev/null #adds the context type to file
+ restorecon -v -F $DB_SRV_CONF > /dev/null # changes the file's context type
+ fi
+ else
+ echo "mysql.cnf contians existing entry for ssl, skipping..." | tee -a "$LOG_FILE"
+ fi
+}
+
+set_mysql_client_tls () {
+# Update ACA property file with client cert info, if not there already
+if [[ $(cat "$DB_CLIENT_CONF" | grep -c "ssl") < 1 ]]; then
+ echo "Updating $DB_CLIENT_CONF with ssl parameters..." | tee -a "$LOG_FILE"
+ echo "ssl_ca=$SSL_DB_CLIENT_CHAIN" >> $DB_CLIENT_CONF
+ echo "ssl_cert=$SSL_DB_CLIENT_CERT" >> $DB_CLIENT_CONF
+ echo "ssl_key=$SSL_DB_CLIENT_KEY" >> $DB_CLIENT_CONF
+ chown mysql:mysql $SSL_DB_CLIENT_CHAIN $SSL_DB_CLIENT_CERT $SSL_DB_CLIENT_KEY
+ # Make selinux contexts for config files, if selinux is enabled
+ selinuxenabled
+ if [ $? -eq 0 ]; then
+ semanage fcontext -a -t mysqld_etc_t $DB_CLIENT_CONFf > /dev/null #adds the context type to file
+ restorecon -F $DB_CLIENT_CONF > /dev/null #changes the file's context type
+ fi
fi
-# Save hirs_db mysql user password to the properties file
-mkdir -p /etc/hirs
-echo "hibernate.connection.username="hirs_db"" > /etc/hirs/hibernate.properties
-echo "hibernate.connection.password=$HIRS_DB_PWD" >> /etc/hirs/hibernate.properties
+}
-# Check if we're in a Docker container
-if [ -f /.dockerenv ]; then
- DOCKER_CONTAINER=true
-else
- DOCKER_CONTAINER=false
-fi
+# Process HIRS DB USER
+set_hirs_db_pwd () {
-# Check if mysql is already running, if not initialize
-if [[ $(pgrep -c -u mysql mysqld) -eq 0 ]]; then
-# Check if running in a container
- if [ $DOCKER_CONTAINER = true ]; then
- # if in Docker container, avoid services that invoke the D-Bus
- echo "ACA is running in a container..."
- # Check if mariadb is setup
- if [ ! -d "/var/lib/mysql/mysql/" ]; then
- echo "Installing mariadb"
- /usr/bin/mysql_install_db
- chown -R mysql:mysql /var/lib/mysql/
- fi
- echo "Starting mysql...."
- chown -R mysql:mysql /var/log/mariadb
- /usr/bin/mysqld_safe &
- else
- SQL_SERVICE="mariadb"
- systemctl $SQL_SERVICE enable
- systemctl $SQL_SERVICE start
- fi
-fi
+ RESULT="$(mysql -u root --password=$DB_ADMIN_PWD -e "SELECT EXISTS(SELECT 1 FROM mysql.user WHERE user = 'hirs_db')")"
+ if [ "$RESULT" = 1 ]; then
+ echo "hirs-db user exists"
+ HIRS_DB_PWD=$hirs_db_password
+ else
+ # Check if Mysql HIRS DB password set by system variable or set to random number
+ if [ -z $HIRS_DB_PWD ]; then
+ HIRS_DB_PWD=$(head -c 64 /dev/urandom | md5sum | tr -dc 'a-zA-Z0-9')
+ fi
-# Wait for mysql to start before continuing.
-echo "Checking mysqld status..."
-while ! mysqladmin ping -h "$localhost" --silent; do
- sleep 1;
-done
-if [ -z ${HIRS_MYSQL_ROOT_PWD} ]; then
- echo "HIRS_MYSQL_ROOT_PWD environment variable not set"
- mysql -fu root -e 'quit' &> /dev/null;
-else
- echo "Using $HIRS_MYSQL_ROOT_PWD as the mysql root password"
- $(mysql -u root -p$HIRS_MYSQL_ROOT_PWD -e 'quit' &> /dev/null);
-fi
-if [ $? -eq 0 ]; then
- echo "root password verified"
-else
- echo "MYSQL root password was not the default, not supplied, or was incorrect"
- echo " please set the HIRS_MYSQL_ROOT_PWD system variable and retry."
- echo " ********** ACA Mysql setup aborted ********" ;
- exit 1;
-fi
+ echo "hirs_db_username=hirs_db" >> $ACA_PROP_FILE
+ echo "hirs_db_password=$HIRS_DB_PWD" >> $ACA_PROP_FILE
+ fi
-echo "HIRS_DB_PWD is $HIRS_DB_PWD"
-echo "HIRS_MYSQL_ROOT_PWD is $HIRS_MYSQL_ROOT_PWD"
+}
-if [ -d /opt/hirs/scripts/db ]; then
- MYSQL_DIR="/opt/hirs/scripts/db"
-else
+# Create a hirs_db with client side TLS enabled
+create_hirs_db_with_tls () {
+ # Check if hirs_db not created and create it if it wasn't
+ mysqlshow --user=root --password="$DB_ADMIN_PWD" | grep "hirs_db" > /dev/null 2>&1
+ if [ $? -eq 0 ]; then
+ echo "hirs_db exists, skipping hirs_db create"
+ else
+ mysql -u root --password=$DB_ADMIN_PWD < $MYSQL_DIR/db_create.sql
+ mysql -u root --password=$DB_ADMIN_PWD < $MYSQL_DIR/secure_mysql.sql
+ mysql -u root --password=$DB_ADMIN_PWD -e "ALTER USER 'hirs_db'@'localhost' IDENTIFIED BY '"$HIRS_DB_PWD"'; FLUSH PRIVILEGES;";
+ fi
+}
- MYSQL_DIR="$SCRIPT_DIR/../db"
-fi
-
-echo "MYSQL_DIR is $MYSQL_DIR"
-
-# Check if hirs_db not created and create it if it wasn't
-mysqlshow --user=root --password="$HIRS_MYSQL_ROOT_PWD" | grep "hirs_db" > /dev/null 2>&1
-if [ $? -eq 0 ]; then
- echo "hirs_db exists, skipping hirs_db create"
-else
- mysql -u root --password=$HIRS_MYSQL_ROOT_PWD < $MYSQL_DIR/db_create.sql
- mysql -u root --password=$HIRS_MYSQL_ROOT_PWD < $MYSQL_DIR/secure_mysql.sql
- mysql -u root --password=$HIRS_MYSQL_ROOT_PWD -e "ALTER USER 'hirs_db'@'localhost' IDENTIFIED BY '"$HIRS_DB_PWD"'; FLUSH PRIVILEGES;";
-fi
+# HIRS ACA Mysqld processing ...
+check_mariadb_install
+check_for_container
+set_mysql_server_tls
+set_mysql_client_tls
+start_mysqlsd
+check_mysql_root_pwd
+set_hirs_db_pwd
+create_hirs_db_with_tls
+mysqld_reboot
diff --git a/package/scripts/db/db_create.sql b/package/scripts/db/db_create.sql
index 63ee7a95..a803ebcb 100644
--- a/package/scripts/db/db_create.sql
+++ b/package/scripts/db/db_create.sql
@@ -1,2 +1,2 @@
CREATE DATABASE IF NOT EXISTS `hirs_db` CHARACTER SET = 'utf8mb4' COLLATE = 'utf8mb4_general_ci';
-GRANT ALL ON hirs_db.* TO "hirs_db"@"localhost" IDENTIFIED BY "$HIRS_DB_PWD";
+GRANT ALL ON hirs_db.* TO "hirs_db"@"localhost" IDENTIFIED BY "$HIRS_DB_PWD" REQUIRE X509;
\ No newline at end of file
diff --git a/package/scripts/db/db_drop.sh b/package/scripts/db/db_drop.sh
index cb477ff8..a994d505 100644
--- a/package/scripts/db/db_drop.sh
+++ b/package/scripts/db/db_drop.sh
@@ -1,11 +1,66 @@
#!/bin/bash
-echo "dropping hirs database"
+SRV_CNF=/etc/my.cnf.d/mariadb-server.cnf
+CLIENT_CNF=/etc/my.cnf.d/client.cnf
+SCRIPT_DIR=$( dirname -- "$( readlink -f -- "$0"; )";)
+LOG_FILE=/dev/null
+
+source /etc/hirs/aca/aca.properties;
+source $SCRIPT_DIR/start_mysqld.sh
+
+# Check for sudo or root user, not actually needed but a good idea
+if [ "$EUID" -ne 0 ]
+ then echo "This script requires root. Please run as root"
+ exit 1
+fi
+
+if [ -z $mysql_admin_password ]; then
+ read -p "Enter mysql root password" DB_ADMIN_PWD
+ else
+ DB_ADMIN_PWD=$mysql_admin_password
+fi
+
+if [ -d /opt/hirs/scripts/db ]; then
+ MYSQL_DIR="/opt/hirs/scripts/db"
+ else
+ MYSQL_DIR="$SCRIPT_DIR"
+fi
+
+echo "dropping hirs_db database"
if pgrep mysqld >/dev/null 2>&1; then
- if [ -z ${HIRS_MYSQL_ROOT_PWD} ]; then
- mysql -u "root" < /opt/hirs/scripts/db/db_drop.sql
- else
- mysql -u "root" -p$HIRS_MYSQL_ROOT_PWD < /opt/hirs/scripts/db/db_drop.sq1
- fi
+ mysql -u root --password=$DB_ADMIN_PWD -e "FLUSH HOSTS; FLUSH LOGS; FLUSH STATUS; FLUSH PRIVILEGES; FLUSH USER_RESOURCES"
+ mysql -u root --password=$DB_ADMIN_PWD -e "DROP USER 'hirs_db'@'localhost';"
+ mysql -u root --password=$DB_ADMIN_PWD -e "DROP DATABASE IF EXISTS hirs_db;"
+ echo "hirs_db database and hirs_db user removed"
+ else
+ echo "mysql is not running. DB was not removed."
fi
+
+# reset the mysql root if the password was left in the properties fiel
+if [ ! -z $mysql_admin_password ]; then
+ echo "Resetting mysql root password to empty"
+ mysql -u root --password=$mysql_admin_password -e "SET PASSWORD FOR "root@localhost" = PASSWORD('');"
+ echo "Current list of databases:"
+ mysql -u "root" -e "FLUSH LOGS;"
+ mysql -u "root" -e "SHOW DATABASES;"
+ echo "Current list of users:"
+ mysql -u root -e "Select user from mysql.user;"
+ else
+ echo "Note root password was NOT reset"
+fi
+
+# Remove key , cert and truststore entries from client.cnf andf mariadb.cnf
+
+echo "Removing hirs cert references from mariadb configuration files"
+grep -v "hirs" $SRV_CNF > tmpfile && mv tmpfile $SRV_CNF
+grep -v "hirs" $CLIENT_CNF > tmpfile && mv tmpfile $CLIENT_CNF
+
+echo "restarting mariadb"
+
+mysql -u root -e "SHUTDOWN"
+sleep 2
+check_for_container
+start_mysqlsd
+
+mysql -u root -e "SHOW VARIABLES LIKE '%ssl%'"
diff --git a/package/scripts/db/db_drop.sql b/package/scripts/db/db_drop.sql
index 4f0fbe18..6ff66ab5 100644
--- a/package/scripts/db/db_drop.sql
+++ b/package/scripts/db/db_drop.sql
@@ -1,2 +1,2 @@
-DROP SCHEMA IF EXISTS hirs_db;
DROP USER "hirs_db"@"localhost";
+DROP DATABASE IF EXISTS hirs_db;
\ No newline at end of file
diff --git a/package/scripts/db/start_mysqld.sh b/package/scripts/db/start_mysqld.sh
new file mode 100644
index 00000000..7d39fa79
--- /dev/null
+++ b/package/scripts/db/start_mysqld.sh
@@ -0,0 +1,111 @@
+#!/bin/bash
+#####################################################################################
+#
+# Functions to check mysql and start if not running.
+# Also a function for checking if running in a container
+#
+#####################################################################################
+SQL_SERVICE="mariadb"
+
+check_for_container () {
+ # Check if we're in a Docker container
+ if [[ $(cat /proc/1/sched | head -n 1) == *"bash"* ]]; then
+ #if [ -f /.dockerenv ]; then
+ DOCKER_CONTAINER=true
+ echo "ACA is running in a container..." | tee -a "$LOG_FILE"
+ else
+ DOCKER_CONTAINER=false
+ echo "ACA is not running in a container..." | tee -a "$LOG_FILE"
+ fi
+ if [ -d /opt/hirs/scripts/db ]; then
+ MYSQL_DIR="/opt/hirs/scripts/db"
+ else
+ MYSQL_DIR="$SCRIPT_DIR/../db"
+ fi
+}
+
+# Check for mysql command line
+check_mariadb_install () {
+ type mysql >/dev/null 2>&1 && installed=true || installed=false
+ if [ $installed = true ]; then
+ echo "mysql has been installed"
+ else
+ echo "mysql has NOT been installed, aborting install"
+ exit 1;
+ fi
+}
+# Starts mariadb during intial install
+start_mysqlsd () {
+ # Check if mysql is already running, if not initialize
+ if [[ $(pgrep -c -u mysql mysqld) -eq 0 ]]; then
+ # Check if running in a container
+ if [ $DOCKER_CONTAINER = true ]; then
+ # if in Docker container, avoid services that invoke the D-Bus
+ echo "ACA is running in a container..."
+ # Check if mariadb is setup
+ if [ ! -d "/var/lib/mysql/mysql/" ]; then
+ echo "Installing mariadb"
+ /usr/bin/mysql_install_db > "$LOG_FILE"
+ chown -R mysql:mysql /var/lib/mysql/
+ fi
+ echo "Starting mysql...."
+ chown -R mysql:mysql /var/log/mariadb
+ /usr/bin/mysqld_safe &
+ else #not a container
+ systemctl enable $SQL_SERVICE
+ systemctl start $SQL_SERVICE
+ fi
+ else # mysql process is running
+ # check if mysql service is running
+ if [ ! $DOCKER_CONTAINER = true ]; then
+ DB_STATUS=$(systemctl status mysql |grep 'running' | wc -l )
+ if [ $DB_STATUS -eq 0 ]; then
+ echo "mariadb not running , attempting to restart"
+ systemctl start mariadb
+ fi
+ fi
+ fi
+
+ # Wait for mysql to start before continuing.
+ echo "Checking mysqld status..."| tee -a "$LOG_FILE"
+ while ! mysqladmin ping -h "$localhost" --silent; do
+ sleep 1;
+ done
+
+ echo "mysqld is running."| tee -a "$LOG_FILE"
+}
+
+# Basic check for marai db status, attempts restart if not running
+check_mysql () {
+ echo "Checking mysqld status..."
+ if [ $DOCKER_CONTAINER = true ]; then
+ if [[ $(pgrep -c -u mysql mysqld) -eq 0 ]]; then
+ echo "mariadb not running , attempting to restart"
+ /usr/bin/mysqld_safe &
+ fi
+ else # not in a contianer
+ DB_STATUS=$(systemctl status mysql |grep 'running' | wc -l )
+ if [ $DB_STATUS -eq 0 ]; then
+ echo "mariadb not running , attempting to restart"
+ systemctl start mariadb
+ fi
+ fi
+
+ # Wait for mysql to start before continuing.
+
+ while ! mysqladmin ping -h "$localhost" --silent; do
+ sleep 1;
+ done
+
+ echo " Mariadb is running."
+
+}
+
+# restart maraidb
+mysqld_reboot () {
+ # reboot mysql server
+ mysql -u root --password=$DB_ADMIN_PWD -e "SHUTDOWN"
+ sleep 2
+ check_for_container
+ start_mysqlsd
+}
\ No newline at end of file
diff --git a/package/scripts/pki/pki_chain_gen.sh b/package/scripts/pki/pki_chain_gen.sh
index 0b3b114b..c2e08893 100644
--- a/package/scripts/pki/pki_chain_gen.sh
+++ b/package/scripts/pki/pki_chain_gen.sh
@@ -29,6 +29,7 @@ SERVER_DN="/C=US/ST=MD/L=Columbia/O="$ACTOR"/CN="$ACTOR" aca"
# Capture location of the script to allow from invocation from any location
SCRIPT_DIR=$( dirname -- "$( readlink -f -- "$0"; )"; )
TRUSTSTORE=TrustStore.jks
+TRUSTSTORE_P12=TrustStore.p12
KEYSTORE=KeyStore.jks
# Parameter check
@@ -71,6 +72,8 @@ PKI_CA2="$CERT_FOLDER"/"$ACTOR_ALT"_leaf_ca2_"$ASYM_ALG"_"$KSIZE"_"$HASH_ALG"
PKI_CA3="$CERT_FOLDER"/"$ACTOR_ALT"_leaf_ca3_"$ASYM_ALG"_"$KSIZE"_"$HASH_ALG"
RIM_SIGNER="$CERT_FOLDER"/"$ACTOR_ALT"_rim_signer_"$ASYM_ALG"_"$KSIZE"_"$HASH_ALG"
TLS_SERVER="$CERT_FOLDER"/"$ACTOR_ALT"_aca_tls_"$ASYM_ALG"_"$KSIZE"_"$HASH_ALG"
+DB_SERVER="$CERT_FOLDER"/"$ACTOR_ALT"_db_srv_"$ASYM_ALG"_"$KSIZE"_"$HASH_ALG"
+DB_CLIENT="$CERT_FOLDER"/"$ACTOR_ALT"_db_client_"$ASYM_ALG"_"$KSIZE"_"$HASH_ALG"
TRUST_STORE_FILE="$CERT_FOLDER"/"$ACTOR_ALT"_"$ASYM_ALG"_"$KSIZE"_"$HASH_ALG"_Cert_Chain.pem
ROOT_DN="/C=US/ST=MD/L=Columbia/O="$ACTOR"/CN="$NAME" test root ca"
@@ -78,6 +81,8 @@ INT_DN="/C=US/ST=MD/L=Columbia/O="$ACTOR"/CN="$NAME" test intermediate ca"
LEAF_DN="/C=US/ST=MD/L=Columbia/O="$ACTOR"/CN="$NAME" test ca"
SIGNER_DN="/C=US/ST=MD/L=Columbia/O="$ACTOR"/CN="$NAME" test signer"
TLS_DN="/C=US/ST=MD/L=Columbia/O="$ACTOR"/CN="$NAME" portal"
+DB_SRV_DN="/C=US/ST=MD/L=Columbia/O="$ACTOR"/CN="$NAME" DB Server"
+DB_CLIENT_DN="/C=US/ST=MD/L=Columbia/O="$ACTOR"/CN="$NAME" DB Client"
# Add check for existing folder and halt if it exists
if [ -d "$ACTOR_ALT"/"$CERT_FOLDER" ]; then
@@ -101,13 +106,13 @@ fi
add_to_stores () {
CERT_PATH=$1
ALIAS=${CERT_PATH#*/} # Use filename without path as an alias
- echo "Addding $ALIAS to the $TRUSTSTORE and $KEYSTORE" | tee -a "$LOG_FILE"
+ echo "Adding $ALIAS to the $TRUSTSTORE and $KEYSTORE" | tee -a "$LOG_FILE"
# Add the cert and key to the key store. make a p12 file to import into te keystore
- openssl pkcs12 -export -in "$CERT_PATH".pem -inkey "$CERT_PATH".key -out tmpkey.p12 -passin pass:"$PASS" -aes256 -passout pass:$PASS >> "$LOG_FILE" 2>&1
+ openssl pkcs12 -export -in "$CERT_PATH".pem -inkey "$CERT_PATH".key -out tmpkey.p12 -passin pass:"$PASS" -aes256 -macalg SHA256 -keypbe AES-256-CBC -certpbe AES-256-CBC -passout pass:$PASS >> "$LOG_FILE" 2>&1
# Use the p12 file to import into a java keystore via keytool
- keytool -importkeystore -srckeystore tmpkey.p12 -destkeystore $KEYSTORE -srcstoretype pkcs12 -srcstorepass $PASS -deststoretype jks -deststorepass $PASS -noprompt -alias 1 -destalias -J-Dcom.redhat.fips=false "$ALIAS" >> "$LOG_FILE" 2>&1
+ keytool -importkeystore -srckeystore tmpkey.p12 -destkeystore $KEYSTORE -srcstoretype pkcs12 -srcstorepass $PASS -deststoretype jks -deststorepass $PASS -noprompt -alias 1 -destalias "$ALIAS" >> "$LOG_FILE" 2>&1
# Import the cert into a java trust store via keytool
- keytool -import -keystore $TRUSTSTORE -storepass $PASS -file "$CERT_PATH".pem -noprompt -alias "$ALIAS" -J-Dcom.redhat.fips=false >> "$LOG_FILE" 2>&1
+ keytool -import -keystore $TRUSTSTORE -storepass $PASS -file "$CERT_PATH".pem -noprompt -alias "$ALIAS" >> "$LOG_FILE" 2>&1
# Remove the temp p1 file.
rm tmpkey.p12
}
@@ -129,17 +134,29 @@ create_cert () {
echo "Creating cert using "$ISSUER_KEY" with a DN="$SUBJ_DN"..." | tee -a "$LOG_FILE"
- if [ "$ASYM_ALG" == "rsa" ]; then
- openssl req -newkey rsa:"$ASYM_SIZE" \
- -keyout "$CERT_PATH".key \
- -out "$CERT_PATH".csr -subj "$SUBJ_DN" \
- -passout pass:"$PASS" >> "$LOG_FILE" 2>&1
+ # Database doesnt support encypted key so create DB without passwords
+ if [[ "$SUBJ_DN" = *"DB"* ]]; then
+ if [ "$ASYM_ALG" == "rsa" ]; then
+ openssl genrsa -out "$CERT_PATH".key "$ASYM_SIZE" >> "$LOG_FILE" 2>&1
+ openssl req -new -key "$CERT_PATH".key \
+ -out "$CERT_PATH".csr -subj "$SUBJ_DN" >> "$LOG_FILE" 2>&1
+ else
+ openssl ecparam -genkey -name "$ECC_NAME" -out "$CERT_PATH".key >> "$LOG_FILE" 2>&1
+ openssl req -new -key "$CERT_PATH".key -out "$CERT_PATH".csr -$HASH_ALG -subj "$SUBJ_DN" >> "$LOG_FILE" 2>&1
+ fi
else
- openssl ecparam -genkey -name "$ECC_NAME" -out "$CERT_PATH".key >> "$LOG_FILE" 2>&1
- openssl req -new -key "$CERT_PATH".key -out "$CERT_PATH".csr -$HASH_ALG -subj "$SUBJ_DN" >> "$LOG_FILE" 2>&1
+ if [ "$ASYM_ALG" == "rsa" ]; then
+ openssl req -newkey rsa:"$ASYM_SIZE" \
+ -keyout "$CERT_PATH".key \
+ -out "$CERT_PATH".csr -subj "$SUBJ_DN" \
+ -passout pass:"$PASS" >> "$LOG_FILE" 2>&1
+ else
+ openssl genpkey -algorithm "EC" -pkeyopt ec_paramgen_curve:P-521 -aes256 --pass "pass:$PASS" -out "$CERT_PATH".key
+ openssl req -new -key "$CERT_PATH".key -passin "pass:$PASS" -out "$CERT_PATH".csr -$HASH_ALG -subj "$SUBJ_DN"
+ fi
+
fi
-
- openssl ca -config ca.conf \
+ openssl ca -config ca.conf \
-keyfile "$ISSUER_KEY" \
-md $HASH_ALG \
-cert "$ISSUER_CERT" \
@@ -148,20 +165,20 @@ create_cert () {
-in "$CERT_PATH".csr \
-passin pass:"$PASS" \
-batch \
- -notext >> "$LOG_FILE" 2>&1
+ -notext >> "$LOG_FILE" 2>&1
# Increment the cert serial number
SERIAL=$(awk -F',' '{printf("%s\t%d\n",$1,$2+1)}' ./ca/serial.txt)
echo "Cert Serial Number = $SERIAL" >> "$LOG_FILE";
# remove csr file
rm -f "$CERT_PATH".csr
# Add the cert and key to the key store. make a p12 file to import into te keystore
- openssl pkcs12 -export -in "$CERT_PATH".pem -inkey "$CERT_PATH".key -out tmpkey.p12 -passin pass:"$PASS" -aes256 -passout pass:$PASS >> "$LOG_FILE" 2>&1
+ openssl pkcs12 -export -in "$CERT_PATH".pem -inkey "$CERT_PATH".key -out tmpkey.p12 -passin pass:$PASS -aes256 -macalg SHA256 -keypbe AES-256-CBC -certpbe AES-256-CBC -passout pass:$PASS >> "$LOG_FILE" 2>&1
# Use the p12 file to import into a java keystore via keytool
- keytool -importkeystore -srckeystore tmpkey.p12 -destkeystore $KEYSTORE -srcstoretype pkcs12 -srcstorepass $PASS -deststoretype jks -deststorepass $PASS -noprompt -alias 1 -destalias -J-Dcom.redhat.fips=false "$ALIAS" >> "$LOG_FILE" 2>&1
+ keytool -importkeystore -srckeystore tmpkey.p12 -destkeystore $KEYSTORE -srcstoretype pkcs12 -srcstorepass $PASS -deststoretype jks -deststorepass $PASS -noprompt -alias 1 -destalias "$ALIAS" >> "$LOG_FILE" 2>&1
# Import the cert into a java trust store via keytool
- keytool -import -keystore $TRUSTSTORE -storepass $PASS -file "$CERT_PATH".pem -noprompt -alias "$ALIAS" -J-Dcom.redhat.fips=false >> "$LOG_FILE" 2>&1
+ keytool -import -keystore $TRUSTSTORE -storepass $PASS -file "$CERT_PATH".pem -noprompt -alias "$ALIAS" >> "$LOG_FILE" 2>&1
# Remove the temp p1 file.
- rm tmpkey.p12
+ rm -f tmpkey.p12 &>/dev/null
}
create_cert_chain () {
@@ -186,22 +203,38 @@ create_cert_chain () {
# Create a ACA Sever Cert for TLS use
create_cert "$TLS_SERVER" "$PKI_CA3" "$TLS_DN" "server_extensions"
+ # Create a DB Sever Cert for TLS use
+ create_cert "$DB_SERVER" "$PKI_CA3" "$DB_SRV_DN" "server_extensions"
+
+ # Create a ACA Sever Cert for TLS use
+ create_cert "$DB_CLIENT" "$PKI_CA3" "$DB_CLIENT_DN" "server_extensions"
+
# Create Cert trust store by adding the Intermediate and root certs
cat "$PKI_CA1.pem" "$PKI_CA2.pem" "$PKI_CA3.pem" "$PKI_INT.pem" "$PKI_ROOT.pem" > "$TRUST_STORE_FILE"
- # echo "Checking signer cert using tust store..."
+ # echo "Checking signer cert using tust store..."
openssl verify -CAfile "$TRUST_STORE_FILE" $RIM_SIGNER.pem | tee -a "$LOG_FILE"
+
+ # Make JKS files for the mysql DB connector. P12 first then JKS...
+ openssl pkcs12 -export -in $DB_CLIENT.pem -inkey $DB_CLIENT.key \
+ -aes256 -macalg SHA256 -keypbe AES-256-CBC -certpbe AES-256-CBC \
+ -passin pass:$PASS -passout pass:$PASS \
+ -name "mysqlclientkey" -out $DB_CLIENT.p12 >> "$LOG_FILE" 2>&1
+
+ keytool -importkeystore -srckeystore $DB_CLIENT.p12 -srcstoretype PKCS12 \
+ -srcstorepass $PASS -destkeystore $DB_CLIENT.jks -deststoretype JKS -deststorepass $PASS >> "$LOG_FILE" 2>&1
}
if [ "$ASYM_ALG" == "rsa" ]; then
# Create Root CA key pair and self signed cert
echo "Generating RSA Root CA ...." | tee -a "$LOG_FILE"
- openssl genrsa -out "$PKI_ROOT".key -passout pass:"$PASS" "$ASYM_SIZE" >> "$LOG_FILE" 2>&1
-
+ #openssl genrsa -out "$PKI_ROOT".key -aes256 -passout pass:"$PASS" "$ASYM_SIZE" >> "$LOG_FILE" 2>&1
+ openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:3072 -aes256 --pass "pass:$PASS" -out "$PKI_ROOT".key >> "$LOG_FILE" 2>&1
+
# Create a self signed CA certificate
openssl req -new -config ca.conf -x509 -days 3650 -key "$PKI_ROOT".key -subj "$ROOT_DN" \
-extensions ca_extensions -out "$PKI_ROOT".pem \
- -passout pass:"$PASS" >> "$LOG_FILE" 2>&1
+ -passin pass:"$PASS" >> "$LOG_FILE" 2>&1
# Add the CA root cert to the Trust and Key stores
add_to_stores $PKI_ROOT
# Create an intermediate CA, 2 Leaf CAs, and Signer Certs
@@ -211,12 +244,13 @@ fi
if [ "$ASYM_ALG" == "ecc" ]; then
# Create Root CA key pair and self signed cert
echo "Generating Ecc Root CA ...." | tee -a "$LOG_FILE"
- openssl ecparam -genkey -name "$ECC_NAME" -out "$PKI_ROOT".key >> "$LOG_FILE" 2>&1
-
+ #openssl ecparam -genkey -name "$ECC_NAME" -out "$PKI_ROOT".key >> "$LOG_FILE" 2>&1
+ openssl genpkey -algorithm "EC" -pkeyopt ec_paramgen_curve:P-521 -aes256 --pass "pass:$PASS" -out "$PKI_ROOT".key
+
# Create a self signed CA certificate
openssl req -new -config ca.conf -x509 -days 3650 -key "$PKI_ROOT".key -subj "$ROOT_DN" \
-extensions ca_extensions -out "$PKI_ROOT".pem \
- -passout pass:"$PASS" >> "$LOG_FILE" 2>&1
+ -passin pass:"$PASS" >> "$LOG_FILE" 2>&1
# Add the CA root cert to the Trust and Key stores
add_to_stores $PKI_ROOT
# Create an intermediate CA, 2 Leaf CAs, and Signer Certs
diff --git a/package/scripts/pki/pki_setup.sh b/package/scripts/pki/pki_setup.sh
index a6492ae2..db16f0a1 100644
--- a/package/scripts/pki/pki_setup.sh
+++ b/package/scripts/pki/pki_setup.sh
@@ -3,40 +3,48 @@
# Creates 2 Certificate Chains for the ACA:
# 1 RSA 3K SHA 384
# 2 ECC 512 SHA 384
-#
+#
############################################################################################
-PROP_FILE=/etc/hirs/aca/application.properties
+#PROP_FILE=/etc/hirs/aca/application.properties
+ACA_PROP=/etc/hirs/aca/aca.properties
LOG_FILE=$1
-
+PKI_PASS=$2
+UNATTENDED=$3
+LOG_FILE_NAME="hirs_aca_install_"$(date +%Y-%m-%d).log
+LOG_DIR="/var/log/hirs/"
+HIRS_CONF_DIR=/etc/hirs/aca
# Capture location of the script to allow from invocation from any location
SCRIPT_DIR=$( dirname -- "$( readlink -f -- "$0"; )"; )
+
+mkdir -p $HIRS_CONF_DIR $LOG_DIR
echo "SCRIPT_DIR is $SCRIPT_DIR" | tee -a "$LOG_FILE"
+if [ -z "$1" ]; then
+ LOG_FILE="$LOG_DIR$LOG_FILE_NAME"
+ echo "using log file $LOG_FILE" | tee -a "$LOG_FILE"
+fi
+
+if [ -z "$2" ]; then
+ PKI_PASS=$(head -c 64 /dev/urandom | md5sum | tr -dc 'a-zA-Z0-9')
+ echo "Using randomly generated password for the PKI key password" | tee -a "$LOG_FILE"
+ echo "Using pki password=$PKI_PASS"
+fi
+
# Check for sudo or root user
if [ "$EUID" -ne 0 ]
- then echo "The first time this script is run, this script requires root. Please run as root" | tee -a "$LOG_FILE"
+ then echo "This script requires root. Please run as root" | tee -a "$LOG_FILE"
exit 1
fi
-# Set HIRS PKI password
-if [ -z $HIRS_PKI_PWD ]; then
- # Create a 32 character random password
- PKI_PASS=$(head -c 64 /dev/urandom | md5sum | tr -dc 'a-zA-Z0-9')
- echo "Using randomly generated password" | tee -a "$LOG_FILE"
- else
- PKI_PASS=$HIRS_PKI_PWD
- echo "Using system supplied password" | tee -a "$LOG_FILE"
-fi
-
# Create Cert Chains
if [ ! -d "/etc/hirs/certificates" ]; then
if [ -d "/opt/hirs/scripts/pki" ]; then
- PKI_SETUP_DIR="/opt/hirs/scripts/pki"
- else
- PKI_SETUP_DIR="$SCRIPT_DIR"
- fi
+ PKI_SETUP_DIR="/opt/hirs/scripts/pki"
+ else
+ PKI_SETUP_DIR="$SCRIPT_DIR"
+ fi
echo "PKI_SETUP_DIR is $PKI_SETUP_DIR" | tee -a "$LOG_FILE"
mkdir -p /etc/hirs/certificates/ | tee -a "$LOG_FILE"
@@ -47,18 +55,7 @@ if [ ! -d "/etc/hirs/certificates" ]; then
sh $PKI_SETUP_DIR/pki_chain_gen.sh "HIRS" "ecc" "512" "sha384" "$PKI_PASS" "$LOG_FILE"
popd &> /dev/null
- # Add tomcat TLS support to the application.properties file
- echo "# Tomcat TLS support">> $PROP_FILE
- echo "server.port=8443">> $PROP_FILE
- echo "server.ssl.enabled=true">> $PROP_FILE
- echo "server.ssl.trust-store-type=JKS">> $PROP_FILE
- echo "server.ssl.trust-store=/etc/hirs/certificates/HIRS/TrustStore.jks">> $PROP_FILE
- echo "server.ssl.trust-alias=hirs_aca_tls_rsa_3k_sha384">> $PROP_FILE
- echo "server.ssl.key-store-type=JKS">> $PROP_FILE
- echo "server.ssl.key-store=/etc/hirs/certificates/HIRS/KeyStore.jks">> $PROP_FILE
- echo "server.ssl.key-alias=hirs_aca_tls_rsa_3k_sha384">> $PROP_FILE
- echo "server.ssl.key-store-password="$PKI_PASS >> $PROP_FILE
- echo "server.ssl.trust-store-password="$PKI_PASS >> $PROP_FILE
+ echo "hirs_pki_password="$PKI_PASS >> $ACA_PROP
else
echo "/etc/hirs/certificates exists, skipping" | tee -a "$LOG_FILE"
fi