From 4766903aad1628e7eca24d5c03280505eb1316d0 Mon Sep 17 00:00:00 2001 From: iadgovuser26 Date: Fri, 11 Aug 2023 09:47:30 -0400 Subject: [PATCH 01/10] initial setup for DB TLS --- HIRS_AttestationCAPortal/build.gradle | 9 +- .../src/main/resources/application.properties | 19 +- .../src/main/resources/log4j2-spring.xml | 2 +- package/scripts/aca/aca_setup.sh | 25 ++- package/scripts/db/db_create.sh | 207 ++++++++++++------ package/scripts/db/db_create.sql | 2 +- package/scripts/db/db_drop.sh | 16 +- package/scripts/pki/pki_chain_gen.sh | 63 ++++-- package/scripts/pki/pki_setup.sh | 27 ++- 9 files changed, 266 insertions(+), 104 deletions(-) diff --git a/HIRS_AttestationCAPortal/build.gradle b/HIRS_AttestationCAPortal/build.gradle index 49746e8c..78d9a1dd 100644 --- a/HIRS_AttestationCAPortal/build.gradle +++ b/HIRS_AttestationCAPortal/build.gradle @@ -149,7 +149,7 @@ ospackage { postInstall 'cp /tmp/aca/default-properties/* /opt/hirs/default-properties/.' postInstall 'rm -rf /tmp/aca/' // postInstall file('../package/scripts/install_tomcat.sh') - + postInstall 'sh /opt/tomcat/bin/catalina.sh start' // Post Uninstall @@ -165,4 +165,11 @@ ospackage { buildDeb { arch = 'amd64' } + +bootRun { + if ( project.hasProperty('jvmArgs') ) { + jvmArgs = (project.jvmArgs.split("\\s+") as List) + + } +} } diff --git a/HIRS_AttestationCAPortal/src/main/resources/application.properties b/HIRS_AttestationCAPortal/src/main/resources/application.properties index 8cdec2dc..1e1b5c54 100644 --- a/HIRS_AttestationCAPortal/src/main/resources/application.properties +++ b/HIRS_AttestationCAPortal/src/main/resources/application.properties 
@@ -4,12 +4,25 @@ #spring.mvc.view.suffix=.jsp # Logging Config (tomcat may have further config) -logging.level.org.springframework=INFO +logging.level.org.springframework=DEBUG logging.level.org.apache.catalina=DEBUG - +logging.level.org.springframework.web: DEBUG +logging.level.org.hibernate: ERROR +logging.file.path=/var/log/hirs +logging.file.name=hirs.spring.log # Database Config spring.jpa.hibernate.ddl-auto=update -spring.datasource.url=jdbc:mariadb://localhost:3306/hirs_db?autoReconnect=true&useSSL=false +#spring.datasource.url=jdbc:mariadb://localhost:3306/hirs_db?autoReconnect=true&useSSL=false +spring.datasource.url=jdbc:mariadb://localhost:3306/hirs_db?autoReconnect=true&sslMode=PREFERRED +#spring.datasource.url=jdbc:mariadb://localhost:3306/hirs_db?autoReconnect=true&useSSL=true&clientCertificateKeyStoreType=JKS&clientCertificateKeyStorePassword="123456"&clientCertificateKeyStoreUrl=file:/etc/hirs/certificates/HIRS/rsa_3k_sha384_certs/HIRS_db_client_rsa_3k_sha384.jks +#spring.datasource.hikari.data-source-properties.clientCertificateKeyStoreType=JKS +#spring.datasource.hikari.data-source-properties.clientCertificateKeyStorePassword="123456" +#spring.datasource.hikari.data-source-properties.clientCertificateKeyStoreUrl=file:/etc/hirs/certificates/HIRS/rsa_3k_sha384_certs/HIRS_db_client_rsa_3k_sha384.jks + +#spring.datasource.hikari.data-source-properties.autoReconnect=true$useSSL=true +#spring.datasource.hikari.data-source-properties.clientCertificateKeyStoreType=PCKS12 +#spring.datasource.hikari.data-source-properties.clientCertificateKeyStorePassword="1234" +#spring.datasource.hikari.data-source-properties.clientCertificateKeyStoreUrl=file:/etc/hirs/certificates/HIRS/rsa_3k_sha384_certs/HIRS_db_client_rsa_3k_sha384.p12 spring.datasource.username=hirs_db jakarta.persistence.sharedCache.mode = UNSPECIFIED spring.datasource.driver-class-name=org.mariadb.jdbc.Driver 
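Review bot: `sslMode=PREFERRED` on the new spring.datasource.url makes encryption opportunistic but, as far as the connector's modes go, does not authenticate the server certificate, so the DB link is still exposed to an active man-in-the-middle and can fall back to plaintext if the server offers none. The commented-out alternatives also carry a placeholder keystore password (`123456`) and absolute paths that should not be committed even disabled. Patch 02 in this series deletes these lines and aca_bootRun.sh later supplies `sslMode=VERIFY_CA&serverSslCert=...` at runtime, so if a default is kept here it should be the verifying form: `spring.datasource.url=jdbc:mariadb://localhost:3306/hirs_db?autoReconnect=true&sslMode=VERIFY_CA&serverSslCert=/etc/hirs/certificates/HIRS/rsa_3k_sha384_certs/HIRS_rsa_3k_sha384_Cert_Chain.pem`. Raising `logging.level.org.springframework` to DEBUG in the packaged defaults belongs in a profile or override rather than the shipped file.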
diff --git a/HIRS_AttestationCAPortal/src/main/resources/log4j2-spring.xml b/HIRS_AttestationCAPortal/src/main/resources/log4j2-spring.xml index bbc5413c..4b0c4e8a 100644 --- a/HIRS_AttestationCAPortal/src/main/resources/log4j2-spring.xml +++ b/HIRS_AttestationCAPortal/src/main/resources/log4j2-spring.xml @@ -26,7 +26,7 @@ - + diff --git a/package/scripts/aca/aca_setup.sh b/package/scripts/aca/aca_setup.sh index 93edfa3d..5e9e03f7 100644 --- a/package/scripts/aca/aca_setup.sh +++ b/package/scripts/aca/aca_setup.sh @@ -22,6 +22,15 @@ echo "HIRS ACA Setup initiated on $(date +%Y-%m-%d)" > "$LOG_FILE" pushd $SCRIPT_DIR &>/dev/null +# Set HIRS PKI password +if [ -z $HIRS_PKI_PWD ]; then + # Create a 32 character random password + PKI_PASS=$(head -c 64 /dev/urandom | md5sum | tr -dc 'a-zA-Z0-9') + echo "Using randomly generated password for the PKI key password" | tee -a "$LOG_FILE" + else + PKI_PASS=$HIRS_PKI_PWD + echo "Using system supplied password for the PKI key password" | tee -a "$LOG_FILE" +fi # Copy HIRS configuration and data files if not a package install if [ -f $SPRING_PROP_FILE ]; then @@ -30,6 +39,14 @@ if [ -f $SPRING_PROP_FILE ]; then cp -n $VENDOR_TABLE $HIRS_PROP_DIR/. fi +sh ../pki/pki_setup.sh $LOG_FILE $PKI_PASS +if [ $? -eq 0 ]; then + echo "ACA PKI setup complete" | tee -a "$LOG_FILE" + else + echo "Error setting up ACA PKI" | tee -a "$LOG_FILE" + exit 1 +fi + sh ../db/db_create.sh $LOG_FILE if [ $? -eq 0 ]; then echo "ACA database setup complete" | tee -a "$LOG_FILE" @@ -37,13 +54,7 @@ if [ $? -eq 0 ]; then echo "Error setting up ACA DB" | tee -a "$LOG_FILE" exit 1 fi -sh ../pki/pki_setup.sh $LOG_FILE -if [ $? -eq 0 ]; then - echo "ACA PKI setup complete" | tee -a "$LOG_FILE" - else - echo "Error setting up ACA PKI" | tee -a "$LOG_FILE" - exit 1 -fi + echo "ACA setup complete" | tee -a "$LOG_FILE" diff --git a/package/scripts/db/db_create.sh b/package/scripts/db/db_create.sh index 6dada853..db3c9e0e 100644 --- a/package/scripts/db/db_create.sh 
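Review bot: `sh ../pki/pki_setup.sh $LOG_FILE $PKI_PASS` places the PKI/keystore password on a child process's command line, where every local user can read it via `ps` or `/proc/<pid>/cmdline` for as long as chain generation runs. Passing it through the environment keeps it out of argv, e.g. `HIRS_PKI_PWD="$PKI_PASS" sh ../pki/pki_setup.sh "$LOG_FILE"`, which also matches the variable the old pki_setup.sh consulted (the pki_setup.sh in this patch now reads `$2`, so it would need to read the variable instead). The test `[ -z $HIRS_PKI_PWD ]` should quote the variable (`[ -z "$HIRS_PKI_PWD" ]`) so a value containing spaces cannot break or invert it. Note the helper scripts are invoked with `sh` while db_create.sh uses `[[ ]]` and `&>`; on a Debian target (build.gradle produces a .deb) `sh` is dash and those constructs fail, so `bash ../db/db_create.sh "$LOG_FILE"` is safer.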
+++ b/package/scripts/db/db_create.sh 
@@ -5,88 +5,173 @@ # Environment variables used: # a. HIRS_MYSQL_ROOT_PWD: Set this variable if mysql root password is already set # b. HIRS_DB_PWD: Set the pwd if default password to hirs_db user needs to be changed -# HIRS_MYSQL_ROOT_NEW_PWD wil be ignored if HIRS_MYSQL_ROOT_EXSITING_PWD is set. ################################################################################ +LOG_FILE=$1 +# LOG_FILE="/var/log/hirs/hirs_aca_install_$(date +%Y-%m-%d).log" # Capture location of the script to allow from invocation from any location SCRIPT_DIR=$( dirname -- "$( readlink -f -- "$0"; )"; ) -# Set Mysql HIRS DB password -if [ -z $HIRS_DB_PWD ]; then - HIRS_DB_PWD="hirs_db" -fi -# Save hirs_db mysql user password to the properties file -mkdir -p /etc/hirs -echo "hibernate.connection.username="hirs_db"" > /etc/hirs/hibernate.properties -echo "hibernate.connection.password=$HIRS_DB_PWD" >> /etc/hirs/hibernate.properties +SPRING_PROP_FILE="/etc/hirs/aca/application.properties" +ACA_PROP_FILE="/etc/hirs/aca/aca.properties" +DB_ADMIN_PWD="" +DB_USER="hirs_db" +# Db Configuration files +DB_SRV_CONF="/etc/my.cnf.d/mariadb-server.cnf" +DB_CLIENT_CONF="/etc/my.cnf.d/client.cnf" +# Default Server Side Certificates +SSL_DB_SRV_CHAIN="/etc/hirs/certificates/HIRS/rsa_3k_sha384_certs/HIRS_rsa_3k_sha384_Cert_Chain.pem"; +SSL_DB_SRV_CERT="/etc/hirs/certificates/HIRS/rsa_3k_sha384_certs/HIRS_db_srv_rsa_3k_sha384.pem"; +SSL_DB_SRV_KEY="/etc/hirs/certificates/HIRS/rsa_3k_sha384_certs/HIRS_db_srv_rsa_3k_sha384.key"; +# Default Client Side Certificates +SSL_DB_CLIENT_CHAIN="/etc/hirs/certificates/HIRS/rsa_3k_sha384_certs/HIRS_rsa_3k_sha384_Cert_Chain.pem"; +SSL_DB_CLIENT_CERT="/etc/hirs/certificates/HIRS/rsa_3k_sha384_certs/HIRS_db_client_rsa_3k_sha384.pem"; +SSL_DB_CLIENT_KEY="/etc/hirs/certificates/HIRS/rsa_3k_sha384_certs/HIRS_db_client_rsa_3k_sha384.key"; -# Check if we're in a Docker container -if [ -f /.dockerenv ]; then +touch $ACA_PROP_FILE +touch $LOG_FILE +#touch /.dockerenv + +# 
Make sure required paths exist +mkdir -p /etc/hirs/aca/ +mkdir -p /var/log/hirs/ + +check_for_container () { + # Check if we're in a Docker container + if [[ $(cat /proc/1/sched | head -n 1) == *"bash"* ]]; then + #if [ -f /.dockerenv ]; then DOCKER_CONTAINER=true -else + echo "ACA is running in a container..." | tee -a "$LOG_FILE" + else DOCKER_CONTAINER=false -fi + echo "ACA is not running in a container..." | tee -a "$LOG_FILE" + fi + if [ -d /opt/hirs/scripts/db ]; then + MYSQL_DIR="/opt/hirs/scripts/db" + else + MYSQL_DIR="$SCRIPT_DIR/../db" + fi + echo "Mysql script directory is $MYSQL_DIR" +} -# Check if mysql is already running, if not initialize -if [[ $(pgrep -c -u mysql mysqld) -eq 0 ]]; then -# Check if running in a container - if [ $DOCKER_CONTAINER = true ]; then - # if in Docker container, avoid services that invoke the D-Bus - echo "ACA is running in a container..." - # Check if mariadb is setup - if [ ! -d "/var/lib/mysql/mysql/" ]; then +start_mysqlsd () { + # Check if mysql is already running, if not initialize + if [[ $(pgrep -c -u mysql mysqld) -eq 0 ]]; then + # Check if running in a container + if [ $DOCKER_CONTAINER = true ]; then + # if in Docker container, avoid services that invoke the D-Bus + echo "ACA is running in a container..." + # Check if mariadb is setup + if [ ! -d "/var/lib/mysql/mysql/" ]; then echo "Installing mariadb" - /usr/bin/mysql_install_db + /usr/bin/mysql_install_db > "$LOG_FILE" chown -R mysql:mysql /var/lib/mysql/ - fi + fi echo "Starting mysql...." chown -R mysql:mysql /var/log/mariadb /usr/bin/mysqld_safe & - else + else SQL_SERVICE="mariadb" systemctl $SQL_SERVICE enable systemctl $SQL_SERVICE start - fi -fi + fi + fi # mysql not running -# Wait for mysql to start before continuing. -echo "Checking mysqld status..." -while ! mysqladmin ping -h "$localhost" --silent; do + # Wait for mysql to start before continuing. + echo "Checking mysqld status..."| tee -a "$LOG_FILE" + while ! 
mysqladmin ping -h "$localhost" --silent; do sleep 1; -done -if [ -z ${HIRS_MYSQL_ROOT_PWD} ]; then - echo "HIRS_MYSQL_ROOT_PWD environment variable not set" - mysql -fu root -e 'quit' &> /dev/null; -else - echo "Using $HIRS_MYSQL_ROOT_PWD as the mysql root password" - $(mysql -u root -p$HIRS_MYSQL_ROOT_PWD -e 'quit' &> /dev/null); -fi -if [ $? -eq 0 ]; then - echo "root password verified" -else - echo "MYSQL root password was not the default, not supplied, or was incorrect" - echo " please set the HIRS_MYSQL_ROOT_PWD system variable and retry." - echo " ********** ACA Mysql setup aborted ********" ; - exit 1; + done + + echo "mysqld is running."| tee -a "$LOG_FILE" +} + +check_mysql_root_pwd () { + # Check if DB root password needs to be obtained + if [ -z $HIRS_MYSQL_ROOT_PWD ]; then + # Create a 32 character random password + echo "Using randomly generated password for the DB admin" | tee -a "$LOG_FILE" + DB_ADMIN_PWD=$(head -c 64 /dev/urandom | md5sum | tr -dc 'a-zA-Z0-9') + echo "DB Admin will be set to $DB_ADMIN_PWD, please make note for next mysql use." + mysqladmin --user=root password "$DB_ADMIN_PWD" + else + DB_ADMIN_PWD=$HIRS_MYSQL_ROOT_PWD + echo "Using system variable supplied password" | tee -a "$LOG_FILE" + fi + # Make sure root password is correct + $(mysql -u root -p$DB_ADMIN_PWD -e 'quit' &> /dev/null); + if [ $? -eq 0 ]; then + echo "root password verified" | tee -a "$LOG_FILE" + else + echo "MYSQL root password was not the default, not supplied, or was incorrect" + echo " please set the HIRS_MYSQL_ROOT_PWD system variable and retry." + echo " ********** ACA Mysql setup aborted ********" ; + exit 1; + fi +} + +set_mysql_server_tls () { + # Check DB server setup. If ssl params dont exist then we need to add them. + if [[ $(cat "$DB_SRV_CONF" | grep -c "ssl") < 1 ]]; then + # Add TLS files to my.cnf + echo "Updating $DB_SRV_CONF with ssl parameters..." 
| tee -a "$LOG_FILE" + echo "ssl_ca=$SSL_DB_SRV_CHAIN" >> "$DB_SRV_CONF" + echo "ssl_cert=$SSL_DB_SRV_CERT" >> "$DB_SRV_CONF" + echo "ssl_key=$SSL_DB_SRV_KEY" >> "$DB_SRV_CONF" + # Make sure mysql can access them + chown mysql $SSL_DB_SRV_CHAIN $SSL_DB_SRV_CERT $SSL_DB_SRV_KEY + else + echo "mysql.cnf contians existing entry for ssl, skipping..." | tee -a "$LOG_FILE" + fi +} + +set_mysql_client_tls () { +# Update ACA property file with client cert info, if not there already +if [[ $(cat "$DB_CLIENT_CONF" | grep -c "ssl") < 1 ]]; then + echo "Updating $DB_CLIENT_CONF with ssl parameters..." | tee -a "$LOG_FILE" + echo "ssl_ca=$SSL_DB_CLIENT_CHAIN" >> $DB_CLIENT_CONF + echo "ssl_cert=$SSL_DB_CLIENT_CERT" >> $DB_CLIENT_CONF + echo "ssl_key=$SSL_DB_CLIENT_KEY" >> $DB_CLIENT_CONF fi +} -echo "HIRS_DB_PWD is $HIRS_DB_PWD" -echo "HIRS_MYSQL_ROOT_PWD is $HIRS_MYSQL_ROOT_PWD" +# Process HIRS DB USER ... +set_hirs_db_pwd () { +# Check if Mysql HIRS DB password set by system variable or set to random number + if [ -z $HIRS_DB_PWD ]; then + HIRS_DB_PWD=$(head -c 64 /dev/urandom | md5sum | tr -dc 'a-zA-Z0-9') + fi -if [ -d /opt/hirs/scripts/db ]; then - MYSQL_DIR="/opt/hirs/scripts/db" -else + # Remove any existing password for hirs db + if [ -f $ACA_PROP_FILE ];then + sed -i '/hirs_db_username/d' $ACA_PROP_FILE &>/dev/null + sed -i '/hirs_db_password/d' $ACA_PROP_FILE &>/dev/null + fi - MYSQL_DIR="$SCRIPT_DIR/../db" -fi + echo "hirs_db_username=hirs_db" >> $ACA_PROP_FILE + echo "hirs_db_password=$HIRS_DB_PWD" >> $ACA_PROP_FILE -echo "MYSQL_DIR is $MYSQL_DIR" + echo "hir_db user password is $HIRS_DB_PWD" + echo "mysql root password is $DB_ADMIN_PWD" +} -# Check if hirs_db not created and create it if it wasn't -mysqlshow --user=root --password="$HIRS_MYSQL_ROOT_PWD" | grep "hirs_db" > /dev/null 2>&1 -if [ $? 
-eq 0 ]; then - echo "hirs_db exists, skipping hirs_db create" -else - mysql -u root --password=$HIRS_MYSQL_ROOT_PWD < $MYSQL_DIR/db_create.sql - mysql -u root --password=$HIRS_MYSQL_ROOT_PWD < $MYSQL_DIR/secure_mysql.sql - mysql -u root --password=$HIRS_MYSQL_ROOT_PWD -e "ALTER USER 'hirs_db'@'localhost' IDENTIFIED BY '"$HIRS_DB_PWD"'; FLUSH PRIVILEGES;"; -fi +# Create a hirs_db user with client side TLS enabled +create_hirs_db_with_tls () { + # Check if hirs_db not created and create it if it wasn't + mysqlshow --user=root --password="$DB_ADMIN_PWD" | grep "hirs_db" > /dev/null 2>&1 + if [ $? -eq 0 ]; then + echo "hirs_db exists, skipping hirs_db create" + else + mysql -u root --password=$DB_ADMIN_PWD < $MYSQL_DIR/db_create.sql + mysql -u root --password=$DB_ADMIN_PWD < $MYSQL_DIR/secure_mysql.sql + mysql -u root --password=$DB_ADMIN_PWD -e "ALTER USER 'hirs_db'@'localhost' IDENTIFIED BY '"$HIRS_DB_PWD"'; FLUSH PRIVILEGES;"; + fi +} + +# HIRS ACA Mysqld processing ... +check_for_container +set_mysql_server_tls +set_mysql_client_tls +set_hirs_db_pwd +start_mysqlsd +check_mysql_root_pwd +create_hirs_db_with_tls diff --git a/package/scripts/db/db_create.sql b/package/scripts/db/db_create.sql index 63ee7a95..510295bc 100644 --- a/package/scripts/db/db_create.sql +++ b/package/scripts/db/db_create.sql @@ -1,2 +1,2 @@ CREATE DATABASE IF NOT EXISTS `hirs_db` CHARACTER SET = 'utf8mb4' COLLATE = 'utf8mb4_general_ci'; -GRANT ALL ON hirs_db.* TO "hirs_db"@"localhost" IDENTIFIED BY "$HIRS_DB_PWD"; +GRANT ALL ON hirs_db.* TO "hirs_db"@"localhost" IDENTIFIED BY "$HIRS_DB_PWD" REQUIRE SSL; \ No newline at end of file diff --git a/package/scripts/db/db_drop.sh b/package/scripts/db/db_drop.sh index cb477ff8..a751cc5f 100644 --- a/package/scripts/db/db_drop.sh +++ b/package/scripts/db/db_drop.sh 
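Review bot: check_mysql_root_pwd and set_hirs_db_pwd print the generated secrets to stdout (`echo "DB Admin will be set to $DB_ADMIN_PWD, ..."`, `echo "hir_db user password is $HIRS_DB_PWD"`, `echo "mysql root password is $DB_ADMIN_PWD"`), so the root and hirs_db passwords end up on the console and in any captured installer output; drop those three lines and direct the operator to the properties file instead. That file needs tightening too: `aca.properties` is created by `touch`/`>>` under the default umask (typically 0644) and holds `hirs_db_password`, and the server private key is `chown mysql` but never restricted — add `chmod 600 "$ACA_PROP_FILE"` after it is written and `chmod 600 "$SSL_DB_SRV_KEY"` next to the chown. There is also a re-run defect: set_hirs_db_pwd writes a fresh random `hirs_db_password` whenever HIRS_DB_PWD is unset, but create_hirs_db_with_tls skips the `ALTER USER` as soon as hirs_db already exists, so a second run leaves the file and the database disagreeing and the ACA unable to log in; run the ALTER USER unconditionally or keep the previously stored password. Minor: `[[ $(... | grep -c "ssl") < 1 ]]` is a lexical comparison inside `[[ ]]` (use `-lt`), and `mysql -p$DB_ADMIN_PWD` exposes the root password in argv as well (`MYSQL_PWD` or a `--defaults-extra-file` avoids that).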
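Review bot: `REQUIRE SSL` only forces the hirs_db session to be encrypted; since this series mints a dedicated DB client certificate and points client.cnf and the JDBC keyStore at it, `REQUIRE X509` (or a `REQUIRE SUBJECT` pin on the client DN) would make the server actually verify that certificate against `ssl_ca`, giving mutual TLS instead of one-way: `GRANT ALL ON hirs_db.* TO "hirs_db"@"localhost" IDENTIFIED BY "$HIRS_DB_PWD" REQUIRE X509;`. Note that `$HIRS_DB_PWD` is not expanded here — the file is fed to mysql on stdin — so the account briefly exists with that literal string as its password until db_create.sh's ALTER USER runs; that is pre-existing but deserves a comment in the file. The change also strips the trailing newline from the file.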
@@ -1,11 +1,21 @@ #!/bin/bash +PASS=$1 +SCRIPT_DIR=$( dirname -- "$( readlink -f -- "$0"; )";) + + if [ -d /opt/hirs/scripts/db ]; then + MYSQL_DIR="/opt/hirs/scripts/db" + else + MYSQL_DIR="$SCRIPT_DIR" +fi + echo "dropping hirs database" + if pgrep mysqld >/dev/null 2>&1; then - if [ -z ${HIRS_MYSQL_ROOT_PWD} ]; then - mysql -u "root" < /opt/hirs/scripts/db/db_drop.sql + if [ -z ${PASS} ]; then + mysql -u "root" < $MYSQL_DIR/db_drop.sql else - mysql -u "root" -p$HIRS_MYSQL_ROOT_PWD < /opt/hirs/scripts/db/db_drop.sq1 + mysql -u "root" -p$PASS < $MYSQL_DIR/db_drop.sql fi fi diff --git a/package/scripts/pki/pki_chain_gen.sh b/package/scripts/pki/pki_chain_gen.sh index 0b3b114b..d83f2643 100644 --- a/package/scripts/pki/pki_chain_gen.sh +++ b/package/scripts/pki/pki_chain_gen.sh @@ -71,6 +71,8 @@ PKI_CA2="$CERT_FOLDER"/"$ACTOR_ALT"_leaf_ca2_"$ASYM_ALG"_"$KSIZE"_"$HASH_ALG" PKI_CA3="$CERT_FOLDER"/"$ACTOR_ALT"_leaf_ca3_"$ASYM_ALG"_"$KSIZE"_"$HASH_ALG" RIM_SIGNER="$CERT_FOLDER"/"$ACTOR_ALT"_rim_signer_"$ASYM_ALG"_"$KSIZE"_"$HASH_ALG" TLS_SERVER="$CERT_FOLDER"/"$ACTOR_ALT"_aca_tls_"$ASYM_ALG"_"$KSIZE"_"$HASH_ALG" +DB_SERVER="$CERT_FOLDER"/"$ACTOR_ALT"_db_srv_"$ASYM_ALG"_"$KSIZE"_"$HASH_ALG" +DB_CLIENT="$CERT_FOLDER"/"$ACTOR_ALT"_db_client_"$ASYM_ALG"_"$KSIZE"_"$HASH_ALG" TRUST_STORE_FILE="$CERT_FOLDER"/"$ACTOR_ALT"_"$ASYM_ALG"_"$KSIZE"_"$HASH_ALG"_Cert_Chain.pem ROOT_DN="/C=US/ST=MD/L=Columbia/O="$ACTOR"/CN="$NAME" test root ca" @@ -78,6 +80,8 @@ INT_DN="/C=US/ST=MD/L=Columbia/O="$ACTOR"/CN="$NAME" test intermediate ca" LEAF_DN="/C=US/ST=MD/L=Columbia/O="$ACTOR"/CN="$NAME" test ca" SIGNER_DN="/C=US/ST=MD/L=Columbia/O="$ACTOR"/CN="$NAME" test signer" TLS_DN="/C=US/ST=MD/L=Columbia/O="$ACTOR"/CN="$NAME" portal" +DB_SRV_DN="/C=US/ST=MD/L=Columbia/O="$ACTOR"/CN="$NAME" DB Server" +DB_CLIENT_DN="/C=US/ST=MD/L=Columbia/O="$ACTOR"/CN="$NAME" DB Client" # Add check for existing folder and halt if it exists if [ -d "$ACTOR_ALT"/"$CERT_FOLDER" ]; then 
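Review bot: the root password is now taken from `$1` and re-used as `mysql -u "root" -p$PASS`, so it appears in two processes' argv and in the caller's shell history, whereas the previous code read `HIRS_MYSQL_ROOT_PWD` from the environment; callers that still export that variable now silently fall into the password-less `mysql -u "root"` branch. Keep the environment path as a fallback, `PASS=${1:-$HIRS_MYSQL_ROOT_PWD}`, and prefer `MYSQL_PWD="$PASS" mysql -u root < "$MYSQL_DIR/db_drop.sql"` (or a `--defaults-extra-file`) over `-p$PASS`. Quoting `"$PASS"` in the `-z` test and the redirected path also keeps the script correct for values containing spaces.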
@@ -129,17 +133,29 @@ create_cert () { echo "Creating cert using "$ISSUER_KEY" with a DN="$SUBJ_DN"..." | tee -a "$LOG_FILE" - if [ "$ASYM_ALG" == "rsa" ]; then - openssl req -newkey rsa:"$ASYM_SIZE" \ - -keyout "$CERT_PATH".key \ - -out "$CERT_PATH".csr -subj "$SUBJ_DN" \ - -passout pass:"$PASS" >> "$LOG_FILE" 2>&1 + # Database doesnt support encypted key so create DB without passwords + if [[ "$SUBJ_DN" = *"DB"* ]]; then + if [ "$ASYM_ALG" == "rsa" ]; then + openssl genrsa -out "$CERT_PATH".key "$ASYM_SIZE" >> "$LOG_FILE" 2>&1 + openssl req -new -key "$CERT_PATH".key \ + -out "$CERT_PATH".csr -subj "$SUBJ_DN" >> "$LOG_FILE" 2>&1 + else + openssl ecparam -genkey -name "$ECC_NAME" -out "$CERT_PATH".key >> "$LOG_FILE" 2>&1 + openssl req -new -key "$CERT_PATH".key -out "$CERT_PATH".csr -$HASH_ALG -subj "$SUBJ_DN" >> "$LOG_FILE" 2>&1 + fi else - openssl ecparam -genkey -name "$ECC_NAME" -out "$CERT_PATH".key >> "$LOG_FILE" 2>&1 - openssl req -new -key "$CERT_PATH".key -out "$CERT_PATH".csr -$HASH_ALG -subj "$SUBJ_DN" >> "$LOG_FILE" 2>&1 + if [ "$ASYM_ALG" == "rsa" ]; then + openssl req -newkey rsa:"$ASYM_SIZE" \ + -keyout "$CERT_PATH".key \ + -out "$CERT_PATH".csr -subj "$SUBJ_DN" \ + -passout pass:"$PASS" >> "$LOG_FILE" 2>&1 + else + openssl genpkey -algorithm "EC" -pkeyopt ec_paramgen_curve:P-521 -aes256 --pass "pass:$PASS" -out "$CERT_PATH".key + openssl req -new -key "$CERT_PATH".key -passin "pass:$PASS" -out "$CERT_PATH".csr -$HASH_ALG -subj "$SUBJ_DN" + fi + fi - - openssl ca -config ca.conf \ + openssl ca -config ca.conf \ -keyfile "$ISSUER_KEY" \ -md $HASH_ALG \ -cert "$ISSUER_CERT" \ @@ -148,7 +164,7 @@ create_cert () { -in "$CERT_PATH".csr \ -passin pass:"$PASS" \ -batch \ - -notext >> "$LOG_FILE" 2>&1 + -notext >> "$LOG_FILE" 2>&1 # Increment the cert serial number SERIAL=$(awk -F',' '{printf("%s\t%d\n",$1,$2+1)}' ./ca/serial.txt) echo "Cert Serial Number = $SERIAL" >> "$LOG_FILE"; 
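Review bot: the unencrypted-key branch is chosen by `[[ "$SUBJ_DN" = *"DB"* ]]`, but SUBJ_DN embeds `$ACTOR` and `$NAME`, so any actor or name containing "DB" silently produces passphrase-less keys for every certificate in the chain, CAs included. Select it from the certificate path instead, e.g. `if [[ "$CERT_PATH" == *_db_srv_* || "$CERT_PATH" == *_db_client_* ]]; then`, and create those keys under a restrictive umask (`( umask 077; openssl genrsa -out "$CERT_PATH".key "$ASYM_SIZE" )`) because nothing later applies `chmod 600` to them. The non-DB ECC branch hard-codes `ec_paramgen_curve:P-521` while the DB branch honours `$ECC_NAME`, and those two lines also lack the `>> "$LOG_FILE" 2>&1` redirection the rest of the function uses. `--pass "pass:$PASS"` with a double dash relies on OpenSSL tolerating the extra dash; `-pass pass:"$PASS"` is the documented form. The body of create_cert continues past this hunk.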
@@ -161,7 +177,7 @@ create_cert () { # Import the cert into a java trust store via keytool keytool -import -keystore $TRUSTSTORE -storepass $PASS -file "$CERT_PATH".pem -noprompt -alias "$ALIAS" -J-Dcom.redhat.fips=false >> "$LOG_FILE" 2>&1 # Remove the temp p1 file. - rm tmpkey.p12 + rm -f tmpkey.p12 &>/dev/null } create_cert_chain () { 
@@ -186,22 +202,36 @@ create_cert_chain () { # Create a ACA Sever Cert for TLS use create_cert "$TLS_SERVER" "$PKI_CA3" "$TLS_DN" "server_extensions" + # Create a DB Sever Cert for TLS use + create_cert "$DB_SERVER" "$PKI_CA3" "$DB_SRV_DN" "server_extensions" + + # Create a ACA Sever Cert for TLS use + create_cert "$DB_CLIENT" "$PKI_CA3" "$DB_CLIENT_DN" "server_extensions" + # Create Cert trust store by adding the Intermediate and root certs cat "$PKI_CA1.pem" "$PKI_CA2.pem" "$PKI_CA3.pem" "$PKI_INT.pem" "$PKI_ROOT.pem" > "$TRUST_STORE_FILE" # echo "Checking signer cert using tust store..." openssl verify -CAfile "$TRUST_STORE_FILE" $RIM_SIGNER.pem | tee -a "$LOG_FILE" + + # Make JKS files for the mysql DB connector. P12 first then JKS... + openssl pkcs12 -export -in $DB_CLIENT.pem -inkey $DB_CLIENT.key -aes256 \ + -passin pass:"$PASS" -aes256 -passout pass:$PASS \ + -name "mysqlclientkey" -out $DB_CLIENT.p12 + + keytool -importkeystore -srckeystore $DB_CLIENT.p12 -srcstoretype pkcs12 \ + -srcstorepass $PASS -destkeystore $DB_CLIENT.jks -deststoretype JKS -deststorepass $PASS } if [ "$ASYM_ALG" == "rsa" ]; then # Create Root CA key pair and self signed cert echo "Generating RSA Root CA ...." | tee -a "$LOG_FILE" - openssl genrsa -out "$PKI_ROOT".key -passout pass:"$PASS" "$ASYM_SIZE" >> "$LOG_FILE" 2>&1 + openssl genrsa -out "$PKI_ROOT".key -aes256 -passout pass:"$PASS" "$ASYM_SIZE" >> "$LOG_FILE" 2>&1 # Create a self signed CA certificate openssl req -new -config ca.conf -x509 -days 3650 -key "$PKI_ROOT".key -subj "$ROOT_DN" \ -extensions ca_extensions -out "$PKI_ROOT".pem \ - -passout pass:"$PASS" >> "$LOG_FILE" 2>&1 + -passin pass:"$PASS" >> "$LOG_FILE" 2>&1 # Add the CA root cert to the Trust and Key stores add_to_stores $PKI_ROOT # Create an intermediate CA, 2 Leaf CAs, and Signer Certs 
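Review bot: the DB client certificate is issued with `"server_extensions"` under a copy-pasted "Create a ACA Sever Cert" comment; if that ca.conf section sets `extendedKeyUsage = serverAuth`, an OpenSSL-based MariaDB server verifying the client certificate with the default SSL-client purpose will reject it as soon as client-certificate authentication is actually required, so a `client_extensions` section with `extendedKeyUsage = clientAuth` is needed: `create_cert "$DB_CLIENT" "$PKI_CA3" "$DB_CLIENT_DN" "client_extensions"` (ca.conf is not in this diff, so please confirm what server_extensions contains). The pkcs12 and keytool lines pass `$PASS` as `-passout pass:`, `-srcstorepass` and `-deststorepass` on the command line, visible to other local users while they run; OpenSSL's `-passout env:PKI_PASS` (with the variable exported) and keytool's `-srcstorepass:env`/`-deststorepass:env` forms avoid that, and the same applies to the `-passout pass:"$PASS"` on the new root-key line. The `-passin pass:"$PASS"` given to `openssl pkcs12` is moot because create_cert generates the DB client key without a passphrase. These two new commands are also the only ones in the function without `>> "$LOG_FILE" 2>&1`.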
@@ -211,12 +241,13 @@ fi if [ "$ASYM_ALG" == "ecc" ]; then # Create Root CA key pair and self signed cert echo "Generating Ecc Root CA ...." | tee -a "$LOG_FILE" - openssl ecparam -genkey -name "$ECC_NAME" -out "$PKI_ROOT".key >> "$LOG_FILE" 2>&1 - + #openssl ecparam -genkey -name "$ECC_NAME" -out "$PKI_ROOT".key >> "$LOG_FILE" 2>&1 + openssl genpkey -algorithm "EC" -pkeyopt ec_paramgen_curve:P-521 -aes256 --pass "pass:$PASS" -out "$PKI_ROOT".key + # Create a self signed CA certificate openssl req -new -config ca.conf -x509 -days 3650 -key "$PKI_ROOT".key -subj "$ROOT_DN" \ -extensions ca_extensions -out "$PKI_ROOT".pem \ - -passout pass:"$PASS" >> "$LOG_FILE" 2>&1 + -passin pass:"$PASS" >> "$LOG_FILE" 2>&1 # Add the CA root cert to the Trust and Key stores add_to_stores $PKI_ROOT # Create an intermediate CA, 2 Leaf CAs, and Signer Certs diff --git a/package/scripts/pki/pki_setup.sh b/package/scripts/pki/pki_setup.sh index a6492ae2..cd094581 100644 --- a/package/scripts/pki/pki_setup.sh +++ b/package/scripts/pki/pki_setup.sh 
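Review bot: the new ECC root-key generation hard-codes `ec_paramgen_curve:P-521`, discarding the `$ECC_NAME` the removed `ecparam` line used and that the DB-key branch of create_cert still honours, so a chain requested with another curve silently gets a P-521 root while its DB leaf keys use the requested curve. Use `-pkeyopt ec_paramgen_curve:"$ECC_NAME"` and keep the `>> "$LOG_FILE" 2>&1` redirection the old line had so errors are captured in the install log rather than spilled to the console. Encrypting the root key with AES-256 is the right move; the passphrase is still on argv via `--pass "pass:$PASS"`, where `-pass env:PKI_PASS` would keep it out of process listings.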
@@ -8,27 +8,32 @@ PROP_FILE=/etc/hirs/aca/application.properties LOG_FILE=$1 - +PKI_PASS=$2 +LOG_FILE_NAME="hirs_aca_install_"$(date +%Y-%m-%d).log +LOG_DIR="/var/log/hirs/" +HIRS_CONF_DIR=/etc/hirs/aca # Capture location of the script to allow from invocation from any location SCRIPT_DIR=$( dirname -- "$( readlink -f -- "$0"; )"; ) + +mkdir -p $HIRS_CONF_DIR $LOG_DIR echo "SCRIPT_DIR is $SCRIPT_DIR" | tee -a "$LOG_FILE" +if [ -z "$1" ]; then + LOG_FILE="$LOG_DIR$LOG_FILE_NAME" + echo "using log file $LOG_FILE" | tee -a "$LOG_FILE" +fi +if [ -z "$2" ]; then + PKI_PASS=$(head -c 64 /dev/urandom | md5sum | tr -dc 'a-zA-Z0-9') + echo "Using randomly generated password for the PKI key password" | tee -a "$LOG_FILE" + echo "Using pki password=$PKI_PASS" +fi + # Check for sudo or root user if [ "$EUID" -ne 0 ] then echo "The first time this script is run, this script requires root. Please run as root" | tee -a "$LOG_FILE" exit 1 fi -# Set HIRS PKI password -if [ -z $HIRS_PKI_PWD ]; then - # Create a 32 character random password - PKI_PASS=$(head -c 64 /dev/urandom | md5sum | tr -dc 'a-zA-Z0-9') - echo "Using randomly generated password" | tee -a "$LOG_FILE" - else - PKI_PASS=$HIRS_PKI_PWD - echo "Using system supplied password" | tee -a "$LOG_FILE" -fi - # Create Cert Chains if [ ! -d "/etc/hirs/certificates" ]; then From 88aa10010b361a56be745c6f971a758f3fb72715 Mon Sep 17 00:00:00 2001 
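Review bot: `echo "Using pki password=$PKI_PASS"` prints the generated key/keystore password to the console, and the random-password path is the one every unattended install takes, so the secret ends up in installer logs; drop that echo and rely on wherever the script persists the value. The `tee -a "$LOG_FILE"` on the SCRIPT_DIR line runs before the `[ -z "$1" ]` fallback assigns LOG_FILE, so with no argument it writes to an empty path; move the fallback above the first tee. The root check (`"$EUID" -ne 0`) should likewise precede `mkdir -p $HIRS_CONF_DIR $LOG_DIR` and the log writes rather than follow them. Reading the password from `$2` replaces the HIRS_PKI_PWD environment variable the script used to honour; an environment variable keeps the secret out of argv, so `PKI_PASS=${2:-$HIRS_PKI_PWD}` would serve both callers.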
From: iadgovuser26 Date: Fri, 18 Aug 2023 16:38:41 +0000 Subject: [PATCH 02/10] cleaned up unused file --- HIRS_AttestationCA/build.gradle | 2 +- HIRS_AttestationCAPortal/build.gradle | 8 +- .../src/main/resources/application.properties | 37 ++- .../src/main/resources/hibernate.properties | 6 +- package/scripts/aca/aca_bootRun.sh | 74 ++++- package/scripts/aca/aca_setup.sh | 40 ++- package/scripts/aca/certificate_generate.sh | 90 ------- .../common/firewall_configure_tomcat.sh | 26 -- .../common/get_centos_major_version.sh | 1 - package/scripts/common/get_db_service.sh | 8 - package/scripts/common/jvm_version_check.sh | 6 - package/scripts/common/my.cnf.el7 | 8 - package/scripts/common/secure_mysql.sql | 5 - package/scripts/common/ssl_configure.sh | 253 ------------------ package/scripts/common/ssl_deconfigure.sh | 92 ------- package/scripts/db/db_create.sh | 58 +--- package/scripts/db/db_create.sql | 2 +- package/scripts/db/start_mysqld.sh | 57 ++++ package/scripts/pki/pki_chain_gen.sh | 9 +- package/scripts/pki/pki_setup.sh | 4 +- 20 files changed, 197 insertions(+), 589 deletions(-) delete mode 100644 package/scripts/aca/certificate_generate.sh delete mode 100644 package/scripts/common/firewall_configure_tomcat.sh delete mode 100644 package/scripts/common/get_centos_major_version.sh delete mode 100644 package/scripts/common/get_db_service.sh delete mode 100755 package/scripts/common/jvm_version_check.sh delete mode 100644 package/scripts/common/my.cnf.el7 delete mode 100644 package/scripts/common/secure_mysql.sql delete mode 100755 package/scripts/common/ssl_configure.sh delete mode 100644 package/scripts/common/ssl_deconfigure.sh create mode 100644 package/scripts/db/start_mysqld.sh diff --git a/HIRS_AttestationCA/build.gradle b/HIRS_AttestationCA/build.gradle index c6f20171..c0245393 100644 --- a/HIRS_AttestationCA/build.gradle +++ b/HIRS_AttestationCA/build.gradle 
@@ -41,7 +41,7 @@ dependencies { implementation libs.minimal.json implementation 'org.apache.logging.log4j:log4j-core:2.19.0' implementation 'org.apache.logging.log4j:log4j-api:2.19.0' - + // spring management compileOnly libs.lombok implementation libs.lombok diff --git a/HIRS_AttestationCAPortal/build.gradle b/HIRS_AttestationCAPortal/build.gradle index 78d9a1dd..78672323 100644 --- a/HIRS_AttestationCAPortal/build.gradle +++ b/HIRS_AttestationCAPortal/build.gradle @@ -52,7 +52,7 @@ dependencies { implementation 'org.apache.tomcat.embed:tomcat-embed-jasper:10.1.5' compileOnly 'org.projectlombok:lombok' - runtimeOnly 'org.mariadb.jdbc:mariadb-java-client' + runtimeOnly 'org.mariadb.jdbc:mariadb-java-client:3.1.0' annotationProcessor 'org.projectlombok:lombok' providedRuntime 'org.springframework.boot:spring-boot-starter-tomcat' @@ -166,10 +166,4 @@ ospackage { arch = 'amd64' } -bootRun { - if ( project.hasProperty('jvmArgs') ) { - jvmArgs = (project.jvmArgs.split("\\s+") as List) - - } -} } diff --git a/HIRS_AttestationCAPortal/src/main/resources/application.properties b/HIRS_AttestationCAPortal/src/main/resources/application.properties index 1e1b5c54..49540c3c 100644 --- a/HIRS_AttestationCAPortal/src/main/resources/application.properties +++ b/HIRS_AttestationCAPortal/src/main/resources/application.properties 
@@ -1,29 +1,13 @@ -#server.error.path=/error -#spring.mvc.view.prefix=/WEB-INF/jsp/ -#spring.mvc.view.suffix=.jsp - # Logging Config (tomcat may have further config) -logging.level.org.springframework=DEBUG -logging.level.org.apache.catalina=DEBUG -logging.level.org.springframework.web: DEBUG +logging.level.org.springframework=TRACE +logging.level.org.apache.catalina=TRACE +logging.level.org.springframework.web: TRACE logging.level.org.hibernate: ERROR logging.file.path=/var/log/hirs logging.file.name=hirs.spring.log # Database Config spring.jpa.hibernate.ddl-auto=update -#spring.datasource.url=jdbc:mariadb://localhost:3306/hirs_db?autoReconnect=true&useSSL=false -spring.datasource.url=jdbc:mariadb://localhost:3306/hirs_db?autoReconnect=true&sslMode=PREFERRED -#spring.datasource.url=jdbc:mariadb://localhost:3306/hirs_db?autoReconnect=true&useSSL=true&clientCertificateKeyStoreType=JKS&clientCertificateKeyStorePassword="123456"&clientCertificateKeyStoreUrl=file:/etc/hirs/certificates/HIRS/rsa_3k_sha384_certs/HIRS_db_client_rsa_3k_sha384.jks -#spring.datasource.hikari.data-source-properties.clientCertificateKeyStoreType=JKS -#spring.datasource.hikari.data-source-properties.clientCertificateKeyStorePassword="123456" -#spring.datasource.hikari.data-source-properties.clientCertificateKeyStoreUrl=file:/etc/hirs/certificates/HIRS/rsa_3k_sha384_certs/HIRS_db_client_rsa_3k_sha384.jks - -#spring.datasource.hikari.data-source-properties.autoReconnect=true$useSSL=true -#spring.datasource.hikari.data-source-properties.clientCertificateKeyStoreType=PCKS12 -#spring.datasource.hikari.data-source-properties.clientCertificateKeyStorePassword="1234" -#spring.datasource.hikari.data-source-properties.clientCertificateKeyStoreUrl=file:/etc/hirs/certificates/HIRS/rsa_3k_sha384_certs/HIRS_db_client_rsa_3k_sha384.p12 -spring.datasource.username=hirs_db jakarta.persistence.sharedCache.mode = UNSPECIFIED spring.datasource.driver-class-name=org.mariadb.jdbc.Driver 
#spring.datasource.driver-class-name=com.mysql.cj.jdbc.Driver @@ -43,6 +27,19 @@ server.tomcat.accesslog.prefix=Tomcat_accesslog_ server.tomcat.accesslog.suffix=.log server.tomcat.accesslog.rotate=true +# Tomcat TLS support +server.port=8443 +server.ssl.enabled=true +server.ssl.trust-store-type=JKS +server.ssl.trust-store=/etc/hirs/certificates/HIRS/TrustStore.jks +server.ssl.trust-alias=hirs_aca_tls_rsa_3k_sha384 +server.ssl.key-store-type=JKS +server.ssl.key-store=/etc/hirs/certificates/HIRS/KeyStore.jks +server.ssl.key-alias=hirs_aca_tls_rsa_3k_sha384 + +#--server.ssl.key-store-password=123456 +#--server.ssl.trust-store-password=123456 + #jdbc.driverClassName = com.mysql.cj.jdbc.Driver #jdbc.url = jdbc:mysql://localhost:3306/hirs_db?autoReconnect=true&useSSL=false #jdbc.username = root @@ -52,4 +49,4 @@ server.tomcat.accesslog.rotate=true #spring.jpa.show-sql=true # DB dfault password. -spring.datasource.password=hirs_db +#spring.datasource.password=hirs_db diff --git a/HIRS_AttestationCAPortal/src/main/resources/hibernate.properties b/HIRS_AttestationCAPortal/src/main/resources/hibernate.properties index c7c47c97..6cca0a71 100644 --- a/HIRS_AttestationCAPortal/src/main/resources/hibernate.properties +++ b/HIRS_AttestationCAPortal/src/main/resources/hibernate.properties @@ -1,6 +1,6 @@ -hibernate.connection.url=jdbc:mariadb://localhost:3306/hirs_db?autoReconnect=true&useSSL=false -hibernate.connection.username=hirs_db -hibernate.connection.password=hirs_db +#hibernate.connection.url=jdbc:mariadb://localhost:3306/hirs_db?autoReconnect=true&useSSL=false +#hibernate.connection.username=hirs_db +#hibernate.connection.password=hirs_db hibernate.connection.driver_class=org.mariadb.jdbc.Driver hibernate.dialect = org.hibernate.dialect.MariaDBDialect hibernate.show_sql = false diff --git a/package/scripts/aca/aca_bootRun.sh b/package/scripts/aca/aca_bootRun.sh index a77d10af..bbecedd8 100644 --- a/package/scripts/aca/aca_bootRun.sh 
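Review bot: the shipped defaults now set `org.springframework`, `org.springframework.web` and `org.apache.catalina` to TRACE, a debugging level that writes very large logs to `/var/log/hirs/hirs.spring.log` and, depending on what those frameworks emit at TRACE, can include session identifiers and request details. Keep the packaged file at INFO (`logging.level.org.springframework=INFO`, `logging.level.org.apache.catalina=INFO`, `logging.level.org.springframework.web=INFO`) and raise the level with a runtime override when debugging. Mixing `=` and `: ` separators on the logging keys is legal but reads as two conventions; pick one.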
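Review bot: `server.ssl.trust-store` and `server.ssl.trust-store-type` are set but `server.ssl.client-auth` is not, and without `client-auth=want` or `need` the trust store is not consulted for the portal's incoming TLS, so either add `server.ssl.client-auth=need` if attesting clients are meant to present certificates or drop the trust-store lines to avoid implying mutual TLS that is not enforced. I do not believe `server.ssl.trust-alias` is a Spring Boot property (`key-alias` is; trust stores are not aliased), so that line is likely ignored — please verify. The commented `#--server.ssl.key-store-password=123456` placeholders should not ship; the real values are supplied by aca_bootRun.sh anyway.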
+++ b/package/scripts/aca/aca_bootRun.sh 
@@ -1,13 +1,79 @@ #!/bin/bash ##################################################################################### # -# Script to run ACA using the gradle spring pluing bootRun command with password set +# Script to run ACA using the gradle spring pluing bootRun command with parameters +# parameters include setting up the DB with TLS and embedded Tomcat with TLS. # -# -#################################################################################### +##################################################################################### +USE_WAR=$1 CONFIG_FILE="/etc/hirs/aca/application.properties" +ALG=RSA +RSA_PATH=rsa_3k_sha384_certs +ECC_PATH=ecc_512_sha384_certs +SCRIPT_DIR=$( dirname -- "$( readlink -f -- "$0"; )"; ) +LOG_FILE=/dev/null +source $SCRIPT_DIR/../db/start_mysqld.sh + +if [ $ALG = "RSA" ]; then + CERT_PATH="/etc/hirs/certificates/HIRS/$RSA_PATH" + CERT_CHAIN="$CERT_PATH/HIRS_rsa_3k_sha384_Cert_Chain.pem" + CLIENT_DB_P12=$CERT_PATH/HIRS_db_client_rsa_3k_sha384.p12 + ALIAS="hirs_aca_tls_rsa_3k_sha384" + else + CERT_PATH="/etc/hirs/certificates/HIRS/$ECC_PATH" + CERT_CHAIN="$CERT_PATH/HIRS_ecc_512_sha384_Cert_Chain.pem" + CLIENT_DB_P12=$CERT_PATH/HIRS_db_client_ecc_512_sha384.p12 + ALIAS="hirs_aca_tls_ecc_512_sha384" +fi + +check_for_container +start_mysqlsd + +# Check for sudo or root user +if [ "$EUID" -ne 0 ] + then echo "This script requires root. Please run as root" + exit 1 +fi + +if [ ! -d "$CERT_PATH" ]; then + echo "$CERT_PATH directory does not exist. Please run aca_setup.sh and try again." 
+ exit 1; +fi echo "Starting HIRS ACA on https://localhost:8443/HIRS_AttestationCAPortal/portal/index" -./gradlew bootRun --args="--spring.config.location=$CONFIG_FILE" \ No newline at end of file +source /etc/hirs/aca/aca.properties; + +echo "Client Keystore is $CLIENT_DB_P12" +echo "DB using $hirs_db_username user and user password $hirs_db_password" +echo "Server PKI chain is $CERT_CHAIN" +echo "Server password is $hirs_pki_password" +echo "Tomcat key alias is $ALIAS" + +# Run the embedded tomcat server with Web TLS enabled and database client TLS enabled by overrding critical parameters +# Note "&" is a sub parameter continuation, space represents a new parameter. Spaces and quotes matter. +# hibernate.connection.url is used for the DB connector which established DB TLS connectivity +# server.ssl arguments support the embeded tomcats use of TLS for the ACA Portal +ARGS="--hibernate.connection.url=\"jdbc:mariadb://localhost:3306/hirs_db?autoReconnect=true&\ +user=\"$hirs_db_username\"&\ +password=\"$hirs_db_password\"&\ +sslMode=VERIFY_CA&\ +serverSslCert=$CERT_CHAIN&\ +keyStoreType=PKCS12&\ +keyStorePassword=\"$hirs_pki_password\"&\ +keyStore="$CLIENT_DB_P12" \ +--server.ssl.key-store-password=\"$hirs_pki_password\" \ +--server.ssl.trust-store-password=\"$hirs_pki_password\"\"" + +# --hibernate.connection.driver_class=\"org.mariadb.jdbc.Driver\" \ + +echo "--args="$ARGS"" + +if [ "$USE_WAR" == "war" ]; then + echo "Booting the ACA from a $USE_WAR file..." + java -jar HIRS_AttestationCAPortal/build/libs/HIRS_AttestationCAPortal.war $ARGS +else + echo "Booting the ACA from local build..." + ./gradlew bootRun --args="\"$ARGS\"" +fi diff --git a/package/scripts/aca/aca_setup.sh b/package/scripts/aca/aca_setup.sh index 5e9e03f7..37266bcb 100644 --- a/package/scripts/aca/aca_setup.sh +++ b/package/scripts/aca/aca_setup.sh 
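Review bot: The new aca_bootRun.sh prints secrets in clear text — `echo "DB using $hirs_db_username user and user password $hirs_db_password"`, `echo "Server password is $hirs_pki_password"` and `echo "--args="$ARGS""` all write the DB and keystore passwords to stdout, and the same values are then passed on the `java`/`gradlew` command line, where any local user can read them from `ps` or /proc/<pid>/cmdline. Drop the three echo lines (print only paths and aliases) and, since `CONFIG_FILE` is still defined but `--spring.config.location=$CONFIG_FILE` was removed, consider reading the passwords from the root-owned properties file that pki_setup.sh already populates instead of `--args`. The `ARGS` quoting also looks broken: the value opens with `\"jdbc:mariadb://…` but the matching close lands after `--server.ssl.trust-store-password`, and `keyStore="$CLIENT_DB_P12"` mixes unescaped quotes, so the driver probably receives literal `"` characters in the URL — verify the effective URL in the driver log before relying on `sslMode=VERIFY_CA`. Separately, `check_for_container` and `start_mysqlsd` run before the `EUID` check, so a non-root invocation tries to start mysqld before being told to re-run as root; move the root check above them.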
@@ -12,12 +12,34 @@ LOG_FILE="$LOG_DIR$LOG_FILE_NAME" echo "LOG_FILE is $LOG_FILE" if [ "$EUID" -ne 0 ] - then echo "The first time this script is run, this script requires root. Please run as root" + then echo "This script requires root. Please run as root" exit 1 fi mkdir -p $HIRS_CONF_DIR $LOG_DIR $HIRS_PROP_DIR +# Process parameters +# Argument handling https://stackoverflow.com/questions/192249/how-do-i-parse-command-line-arguments-in-bash +POSITIONAL_ARGS=() + +while [[ $# -gt 0 ]]; do + case $1 in + --skip-db) + ARG_SKIP_DB=YES + shift # past argument + ;; + -*|--*) + echo "aca_setup.sh: Unknown option $1" + ;; + *) + POSITIONAL_ARGS+=("$1") # save positional arg + shift # past argument + ;; + esac +done + +set -- "${POSITIONAL_ARGS[@]}" # restore positional parameters + echo "HIRS ACA Setup initiated on $(date +%Y-%m-%d)" > "$LOG_FILE" pushd $SCRIPT_DIR &>/dev/null @@ -39,12 +61,15 @@ if [ -f $SPRING_PROP_FILE ]; then cp -n $VENDOR_TABLE $HIRS_PROP_DIR/. fi -sh ../pki/pki_setup.sh $LOG_FILE $PKI_PASS -if [ $? -eq 0 ]; then - echo "ACA PKI setup complete" | tee -a "$LOG_FILE" - else - echo "Error setting up ACA PKI" | tee -a "$LOG_FILE" - exit 1 +if [ -z "${ARG_SKIP_DB}" ]; then + sh ../pki/pki_setup.sh $LOG_FILE $PKI_PASS + if [ $? -eq 0 ]; then + echo "ACA PKI setup complete" | tee -a "$LOG_FILE" + else + echo "Error setting up ACA PKI" | tee -a "$LOG_FILE" + exit 1 + fi + echo "Warning: Database setup not run due to command line argument: $@" | tee -a "$LOG_FILE" fi sh ../db/db_create.sh $LOG_FILE @@ -55,7 +80,6 @@ if [ $? -eq 0 ]; then exit 1 fi - echo "ACA setup complete" | tee -a "$LOG_FILE" popd &>/dev/null \ No newline at end of file diff --git a/package/scripts/aca/certificate_generate.sh b/package/scripts/aca/certificate_generate.sh deleted file mode 100644 index 17f35bf6..00000000 --- a/package/scripts/aca/certificate_generate.sh +++ /dev/null 
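Review bot: The unknown-option branch of the new argument loop never consumes its argument, so `aca_setup.sh --foo` spins forever printing "Unknown option" because `$1` is unchanged and `$# -gt 0` stays true. Either advance past it, `-*) echo "aca_setup.sh: Unknown option $1" | tee -a "$LOG_FILE"; shift ;;`, or treat it as fatal with `exit 1`; the `--*` alternative is redundant since `-*` already matches it.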
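Review bot: `--skip-db` skips the wrong step: in the `@@ -39,12 +61,15 @@` hunk the `ARG_SKIP_DB` test wraps the PKI setup, while `sh ../db/db_create.sh $LOG_FILE` after the `fi` runs unconditionally, so passing the flag disables certificate generation and still creates the database. The "Database setup not run" warning also sits inside the branch taken when the flag is absent, and `$@` is empty there because `set -- "${POSITIONAL_ARGS[@]}"` already dropped the option. The PKI block should stay unconditional and the guard should move to the db_create.sh call; the status check that follows db_create.sh is outside this hunk.
```shell
sh ../pki/pki_setup.sh $LOG_FILE $PKI_PASS
if [ $? -eq 0 ]; then
  echo "ACA PKI setup complete" | tee -a "$LOG_FILE"
else
  echo "Error setting up ACA PKI" | tee -a "$LOG_FILE"
  exit 1
fi

if [ -z "${ARG_SKIP_DB}" ]; then
  sh ../db/db_create.sh $LOG_FILE
  # … unchanged: db_create.sh status check (outside this hunk) …
else
  echo "Warning: Database setup not run due to --skip-db" | tee -a "$LOG_FILE"
fi
```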
@@ -1,90 +0,0 @@ -#!/usr/bin/env bash - -# Check if we're in a Docker container -if [ -f /.dockerenv ]; then - DOCKER_CONTAINER=true -else - DOCKER_CONTAINER=false -fi - -# variables for the CA certificates -CA_PATH=/etc/hirs/certificates -CA_KEYSTORE=${CA_PATH}/TrustStore.jks - -# variables for the ACA certificates -ACA_CERTS=/etc/hirs/aca/certificates -ACA_KEY=${ACA_CERTS}/aca.key -ACA_CRT=${ACA_CERTS}/aca.crt -ACA_P12=${ACA_CERTS}/aca.p12 -ACA_JKS=${ACA_CERTS}/keyStore.jks -ACA_CONF=${ACA_CERTS}/aca.conf - -# generate the OpenSSL conf file -echo "[req]" >> ${ACA_CONF} -echo "req_extensions=aca" >> ${ACA_CONF} -echo "distinguished_name=distname" >> ${ACA_CONF} -echo "" >> ${ACA_CONF} -echo "[aca]" >> ${ACA_CONF} -echo "keyUsage=critical,keyCertSign" >> ${ACA_CONF} -echo "basicConstraints=critical,CA:true" >> ${ACA_CONF} -echo "subjectKeyIdentifier=hash" >> ${ACA_CONF} -echo "" >> ${ACA_CONF} -echo "[distname]" >> ${ACA_CONF} -echo "# empty" >> ${ACA_CONF} - -# generate the ACA signing key and self-signed certificate -openssl req -x509 -config ${ACA_CONF} -extensions aca -days 3652 -set_serial 01 -subj "/C=US/O=HIRS/OU=Attestation CA/CN=$HOSTNAME" -newkey rsa:2048 -nodes -keyout ${ACA_KEY} -out ${ACA_CRT} - -# if the trust store already has an older HIRS_ACA_KEY in it, remove it -keytool -list -keystore ${CA_KEYSTORE} -storepass password -alias HIRS_ACA_KEY -rc=$? 
-if [[ $rc = 0 ]]; then - keytool -delete -alias HIRS_ACA_KEY -storepass password -keystore ${CA_KEYSTORE} -fi - -# load the generated certificate into the CA trust store -keytool -import -keystore ${CA_KEYSTORE} -storepass password -file ${ACA_CRT} -noprompt -alias HIRS_ACA_KEY - -# export the cert and key to a p12 file -openssl pkcs12 -export -in ${ACA_CRT} -inkey ${ACA_KEY} -out ${ACA_P12} -passout pass:password - -# create a key store using the p12 file -keytool -importkeystore -srckeystore ${ACA_P12} -destkeystore ${ACA_JKS} -srcstoretype pkcs12 -srcstorepass password -deststoretype jks -deststorepass password -noprompt -alias 1 -destalias HIRS_ACA_KEY - -# set the password in the aca properties file -sed -i "s/aca\.keyStore\.password\s*=/aca.keyStore.password=password/" /etc/hirs/aca/aca.properties - -# copy the trust store to the ACA -cp ${CA_KEYSTORE} /etc/hirs/aca/client-files/ - -# start up the tomcat service - -# Guess where Tomcat is installed and what it's called: -if [ -d /usr/share/tomcat6 ] ; then - TOMCAT_SERVICE=tomcat6 -elif [ -d /usr/share/tomcat ] ; then - TOMCAT_SERVICE=tomcat -else - echo "Can't find Tomcat installation" - exit 1 -fi - -# restart tomcat after updating the trust store. -if [ $DOCKER_CONTAINER = true ]; then - # If in Docker container, avoid services that invoke the D-Bus - if [[ $(ss -t -l -n | grep -q LISTEN.*:::8009) -eq 0 ]]; then - echo "Tomcat is running, so we restart it." - /usr/libexec/tomcat/server stop - # Wait for Tomcat to stop completely and prevent port bind collisions - while [ -z "$(tail -n 1 /var/log/tomcat/catalina.$(date +"%Y-%m-%d").log | grep "Destroying ProtocolHandler \[\"http-bio-8443\"\]")" ]; do - : - done - (/usr/libexec/tomcat/server start) & - # Wait for Tomcat to boot completely - until [ "`curl --silent --connect-timeout 1 -I http://localhost:8080 | grep 'Coyote'`" != "" ]; do - : - done - fi -else - /sbin/service ${TOMCAT_SERVICE} restart; -fi 
diff --git a/package/scripts/common/firewall_configure_tomcat.sh b/package/scripts/common/firewall_configure_tomcat.sh deleted file mode 100644 index 69064592..00000000 --- a/package/scripts/common/firewall_configure_tomcat.sh +++ /dev/null @@ -1,26 +0,0 @@ -if ! [ $(id -u) = 0 ]; then - echo "Please run this script as root." - exit 1 -fi - -if [[ -f /etc/redhat-release ]] ; then -CENTOS_VER=`/opt/hirs/scripts/common/get_centos_major_version.sh` -elif [[ -f /etc/os-release ]] ; then -AMAZON_VER=`/opt/hirs/scripts/common/get_amazon_linux_major_version.sh` -fi - -if [ $CENTOS_VER -eq "6" ] ; then - checkHTTPS=`iptables-save | grep -- "--dport 8443 -j ACCEPT"` - if [[ $checkHTTPS == "" ]]; then - echo "Tomcat HTTPS firewall rule doesn't exist, adding now" - iptables -I INPUT 1 -p tcp -m tcp --dport 8443 -j ACCEPT - service iptables save - fi -elif [ $CENTOS_VER -eq "7" ] || [ $AMAZON_VER -eq "2" ] ; then - firewall-cmd --direct --permanent --add-rule ipv4 filter INPUT 0 -p tcp --dport 8443 -j ACCEPT - firewall-cmd --reload -else - echo "Unsupported Linux detected" - exit 1 -fi - diff --git a/package/scripts/common/get_centos_major_version.sh b/package/scripts/common/get_centos_major_version.sh deleted file mode 100644 index 83475610..00000000 --- a/package/scripts/common/get_centos_major_version.sh +++ /dev/null @@ -1 +0,0 @@ -cat /etc/redhat-release | grep -Eo "release [0-9]" | tail -c 2 \ No newline at end of file diff --git a/package/scripts/common/get_db_service.sh b/package/scripts/common/get_db_service.sh deleted file mode 100644 index 76be3c03..00000000 --- a/package/scripts/common/get_db_service.sh +++ /dev/null @@ -1,8 +0,0 @@ -if [[ $(rpm -qa mariadb*) ]]; then - echo "mariadb" -elif [[ $(rpm -qa mysql-server*) ]]; then - echo "mysqld" -else - echo "Could not determine installed database" - exit 1 -fi \ No newline at end of file 
diff --git a/package/scripts/common/jvm_version_check.sh b/package/scripts/common/jvm_version_check.sh deleted file mode 100755 index 3292bd10..00000000 --- a/package/scripts/common/jvm_version_check.sh +++ /dev/null @@ -1,6 +0,0 @@ -# only argument to this script is the java command to use in this version check -JAVA_SPEC_VER=`$1 -XshowSettings:properties -version 2>&1 | grep java.specification.version | grep -Eo "[0-9]\.[0-9]+"` -case "$JAVA_SPEC_VER" in - "1.8"|"1.9"|"1.10"|"1.11"|"1.12" ) ;; - * ) echo "HIRS needs to be run with a JVM supporting at least specification 1.8. Found $JAVA_SPEC_VER." && exit 1 ;; -esac diff --git a/package/scripts/common/my.cnf.el7 b/package/scripts/common/my.cnf.el7 deleted file mode 100644 index c96f1996..00000000 --- a/package/scripts/common/my.cnf.el7 +++ /dev/null @@ -1,8 +0,0 @@ -#begin-hirs-cfg -ssl-ca=/etc/hirs/certificates/mysql/hirs.ca.cert -ssl-cert=/etc/hirs/certificates/mysql/hirs-cert.pem -ssl-key=/etc/hirs/certificates/mysql/hirs-key.pem -innodb_large_prefix=1 -innodb_file_format=BARRACUDA -innodb_file_per_table=1 -#end-hirs-cfg diff --git a/package/scripts/common/secure_mysql.sql b/package/scripts/common/secure_mysql.sql deleted file mode 100644 index 8589affe..00000000 --- a/package/scripts/common/secure_mysql.sql +++ /dev/null @@ -1,5 +0,0 @@ -DELETE FROM mysql.user WHERE User=''; -DELETE FROM mysql.user WHERE User='root' AND Host NOT IN ('localhost', '127.0.0.1', '::1'); -DROP DATABASE IF EXISTS test; -DELETE FROM mysql.db WHERE Db='test' OR Db='test\\_%'; -FLUSH PRIVILEGES diff --git a/package/scripts/common/ssl_configure.sh b/package/scripts/common/ssl_configure.sh deleted file mode 100755 index 3dc49c55..00000000 --- a/package/scripts/common/ssl_configure.sh +++ /dev/null 
@@ -1,253 +0,0 @@ -#!/usr/bin/env bash - -# certificates and key stores generated by this script -CERTIFICATES="/etc/hirs/certificates" -CA_CERT=${CERTIFICATES}/hirs.ca.cert -INTERNAL_P12=${CERTIFICATES}/hirs.p12 -KEYSTORE_JKS=${CERTIFICATES}/keyStore.jks -TRUSTSTORE_JKS=${CERTIFICATES}/TrustStore.jks -CA_CERT_DIR_ESCAPED=\\/etc\\/hirs\\/certificates - -# 'private' data generated by this script -CA_PEM=${CERTIFICATES}/private/hirs.ca.pem -P12_DATA=${CERTIFICATES}/private/p12.data - -echo 'Checking SSL configuration for HIRS' - -# Check if we're in a Docker container -if [ -f /.dockerenv ]; then - DOCKER_CONTAINER=true -else - DOCKER_CONTAINER=false -fi - -################# -# Key Generation -################# - -# if the CA PEM file does not exist, generate the HIRS CA file and associated keystore and truststores -if ! [ -f $CA_PEM ]; then - echo 'Generating certificates' - # create directory structure - mkdir -p ${CERTIFICATES}/private - - # Generate our random key store password. We need to do this before configuring Tomcat, as we'll - # need to add it to Tomcat's configuration file. Read a block of raw data bytes from /dev/urandom - # and convert it to text characters. Not the greatest, but hey: - echo 'Creating random key material' - P12_PASSWORD=$(head -c 64 /dev/urandom | md5sum | tr -dc 'a-zA-Z0-9') - - # generate a key and certificate. The key is the private key used to sign the well known CA cert. - echo 'Creating 2048 bit key' - openssl req -x509 -nodes -days 3652 -newkey rsa:2048 -keyout ${CA_PEM} -out ${CA_CERT} -subj "/C=US/O=HIRS/OU=Common/CN=$(hostname)" - - # export the certificate and key as a p12 file - echo 'Exporting key' - openssl pkcs12 -export -in ${CA_CERT} -inkey ${CA_PEM} -out ${INTERNAL_P12} -passout pass:${P12_PASSWORD} - - # create a key store using the pk12 file. 
- echo 'Configuring keystore' - keytool -importkeystore -srckeystore ${INTERNAL_P12} -destkeystore ${KEYSTORE_JKS} -srcstoretype pkcs12 -srcstorepass ${P12_PASSWORD} -deststoretype jks -deststorepass ${P12_PASSWORD} -noprompt - - # import the root CA certificate into the trust store. - echo 'Configuring truststore' - keytool -import -keystore ${TRUSTSTORE_JKS} -storepass password -file ${CA_CERT} -noprompt - - # write P12 password to file - echo $P12_PASSWORD > $P12_DATA - - # set appropriate permissions on certificates - chmod 775 /etc/hirs/certificates/ - chmod -R 664 /etc/hirs/certificates/* - chmod 700 /etc/hirs/certificates/private - chmod -R 600 /etc/hirs/certificates/private/* -else - # if the certificate was previously generated, grab the P12 password out of the file - P12_PASSWORD=`cat $P12_DATA` -fi - -################# -# ActiveMQ -################# - -if [[ $1 = "server" ]]; then - if [ -f "/srv/activemq/current/conf/activemq.xml" ] ; then - if [[ -n `grep -o "keyStorePassword=\"\"" /srv/activemq/current/conf/activemq.xml` ]]; then - echo "Configuring ActiveMQ SSL" - - # set the key store password for the messaging service - sed -i -r "s/keyStorePassword=\"\w*\"/keyStorePassword=\"${P12_PASSWORD}\"/g" /srv/activemq/current/conf/activemq.xml - fi - fi -fi - -################# -# Tomcat -################# - -if [[ $1 = "server" ]]; then - # determine which version of tomcat is installed - rpm -q tomcat6 - if [[ $? 
-eq 0 ]]; then - TOMCAT_VERSION=`rpm -q --qf="%{VERSION}" tomcat6` - else - TOMCAT_VERSION=`rpm -q --qf="%{VERSION}" tomcat` - fi - - TOMCAT_MAJOR_VERSION=`echo $TOMCAT_VERSION | head -c 1` - - if [[ $TOMCAT_MAJOR_VERSION = '6' ]]; then - CATALINA_HOME=/usr/share/tomcat6 - TOMCAT_SERVICE=tomcat6 - TOMCAT_CONF=${CATALINA_HOME}/conf/tomcat6.conf - elif [[ $TOMCAT_MAJOR_VERSION = '7' ]] ; then - CATALINA_HOME=/usr/share/tomcat - TOMCAT_SERVICE=tomcat - TOMCAT_CONF=${CATALINA_HOME}/conf/tomcat.conf - else - echo "Unsupported Tomcat version: ${TOMCAT_MAJOR_VERSION}" - exit 1 - fi - - if [[ -z `grep -o "keystoreFile=\"${CA_CERT_DIR_ESCAPED}\/keyStore.jks\"" $CATALINA_HOME/conf/server.xml` ]]; then - echo "Configuring Tomcat SSL" - - chown -R root:tomcat /etc/hirs/certificates/ - - # create an alias in the keystore for tomcat - alias=$(keytool -list -v -keystore ${KEYSTORE_JKS} -storepass ${P12_PASSWORD} | grep -B2 'PrivateKeyEntry' | grep 'Alias name:') - keytool -changealias -alias ${alias#*:} -destalias tomcat -v -keystore ${KEYSTORE_JKS} -storepass ${P12_PASSWORD} - - # Set up Tomcat. We need to ensure that Tomcat is running as a service - chkconfig ${TOMCAT_SERVICE} on - - # Configure the server.xml file such that it uses our key store and trust store - if [ $DOCKER_CONTAINER = true ]; then - # If in Docker container, avoid services that invoke the D-Bus - if [[ $(pgrep -c -f /usr/share/tomcat) -ne 0 ]]; then - echo "Tomcat is running, so we stop it." - /usr/libexec/tomcat/server stop - fi - else - service ${TOMCAT_SERVICE} stop - fi - - # Configure Tomcat SSL properly. The method for doing this changes from 6.0.38 onward. - rpmdev-vercmp 6.0.38 $TOMCAT_VERSION - VERCMP_STATUS=$? 
- if [[ $VERCMP_STATUS -eq 0 ]] || [[ $VERCMP_STATUS -eq 12 ]]; then - # Tomcat v 6.0.38 or newer - sed -i "s/.*<\/Service>/<\/Service>/" $CATALINA_HOME/conf/server.xml - elif [[ $VERCMP_STATUS -eq 11 ]]; then - # Older than Tomcat 6.0.38 - sed -i "s/.*<\/Service>/<\/Service>/" $CATALINA_HOME/conf/server.xml - else - echo "Unknown rpmdev-vercmp exit code: ${VERCMP_STATUS}" - exit 1 - fi - - sed -i 's/.*<\/tomcat-users>/ <\/tomcat-users>/' $CATALINA_HOME/conf/tomcat-users.xml - - # ensure tomcat is using the trust store and key store for all other SSL operations. - cat << EOF >> ${TOMCAT_CONF} -#begin-hirs-conf -JAVA_OPTS="-Djavax.sql.DataSource.Factory=org.apache.commons.dbcp.BasicDataSourceFactory -Xmx1536m -Djavax.net.ssl.keyStore=${KEYSTORE_JKS} -Djavax.net.ssl.keyStorePassword=${P12_PASSWORD} -Djavax.net.ssl.trustStore=${TRUSTSTORE_JKS} -Djavax.net.ssl.trustStorePassword=password" -#end-hirs-conf -EOF - - # (3) set tomcat user as owner of tomcat installation - chgrp -R tomcat ${CATALINA_HOME} - - if [ $DOCKER_CONTAINER = true ]; then - # If in Docker container, avoid services that invoke the D-Bus - (/usr/libexec/tomcat/server start) & - # Wait for Tomcat to boot completely - until [ "`curl --silent --connect-timeout 1 -I http://localhost:8080 | grep 'Coyote'`" != "" ]; do - : - done - else - service ${TOMCAT_SERVICE} start - fi - fi -fi - -################# -# Appraiser -################# - -if [[ $1 = "appraiser" ]]; then - APPRAISER_SCRIPT="/opt/hirs/appraiser/bin/HIRS_Appraiser" - - if [[ -z `grep -o "\-Djavax.net.ssl.keyStorePassword" $APPRAISER_SCRIPT` ]]; then - echo "Configuring Appraiser SSL" - - # grab the line number of the JVM options for the client script - VM_OPTS=$(awk '/DEFAULT_JVM_OPTS/{print NR; exit }' ${APPRAISER_SCRIPT}) - - # append the key store password to the client startup script - sed -i "${VM_OPTS}s/'$/ \"-Djavax.net.ssl.keyStorePassword=${P12_PASSWORD}\"\'/" ${APPRAISER_SCRIPT} - fi -fi - -################# -# MySQL/MariaDB 
-################# - -if [[ $1 = "server" ]]; then - MYSQL_CERT_DIR=/etc/hirs/certificates/mysql/ - - if ! [[ -d $MYSQL_CERT_DIR ]]; then - echo "Configuring MySQL SSL" - - # apply MySQL SSL configuration: - mkdir -p $MYSQL_CERT_DIR - - # copy CA cert over - cp $CA_CERT $MYSQL_CERT_DIR/ - - # convert p12 key to pem - openssl pkcs12 -in $INTERNAL_P12 -out $MYSQL_CERT_DIR/hirs.pem -nodes -passin pass:${P12_PASSWORD} -passout pass: - - # extract cert from pem into its own file - openssl x509 -in $MYSQL_CERT_DIR/hirs.pem -outform PEM -out $MYSQL_CERT_DIR/hirs-cert.pem - - # extract key from pem into its own file - openssl pkey -in $MYSQL_CERT_DIR/hirs.pem -outform PEM -out $MYSQL_CERT_DIR/hirs-key.pem - - # make readable to user named 'mysql' - chgrp -R mysql $MYSQL_CERT_DIR - chmod -R 770 $MYSQL_CERT_DIR - - # update MySQL/MariaDB SSL and index configuration - if [[ -f /etc/redhat-release ]] ; then - CENTOS_VER=`/opt/hirs/scripts/common/get_centos_major_version.sh` - elif [[ -f /etc/os-release ]] ; then - AMAZON_VER=`/opt/hirs/scripts/common/get_amazon_linux_major_version.sh` - fi - if [ $CENTOS_VER -eq "6" ] ; then - MYSQL_ADDITIONS_FILE=/opt/hirs/scripts/common/my.cnf.el6 - elif [ $CENTOS_VER -eq "7" ] || [ $AMAZON_VER -eq "2" ] ; then - MYSQL_ADDITIONS_FILE=/opt/hirs/scripts/common/my.cnf.el7 - else - echo "Unsupported Linux detected" - exit 1 - fi - - sed -i "/\[mysqld\]/r $MYSQL_ADDITIONS_FILE" /etc/my.cnf - - if [ $DOCKER_CONTAINER = true ]; then - # If in Docker container, avoid services that invoke the D-Bus - if [[ $(pgrep -c -u mysql mysqld) -ne 0 ]]; then - echo "MariaDB is running, so we'll need to restart it." - mysqladmin shutdown - /usr/libexec/mariadb-prepare-db-dir - nohup /usr/bin/mysqld_safe --basedir=/usr &>/dev/null & - MYSQLD_PID=$(pgrep -u mysql mysqld) - /usr/libexec/mariadb-wait-ready $MYSQLD_PID - fi - else - SQL_SERVICE=`/opt/hirs/scripts/common/get_db_service.sh` - service $SQL_SERVICE restart - fi - fi -fi 
diff --git a/package/scripts/common/ssl_deconfigure.sh b/package/scripts/common/ssl_deconfigure.sh deleted file mode 100644 index 815ef7f3..00000000 --- a/package/scripts/common/ssl_deconfigure.sh +++ /dev/null 
@@ -1,92 +0,0 @@ -#!/usr/bin/env bash - -# certificates and key stores generated by this script -CERTIFICATES="/etc/hirs/certificates" - -################# -# Key Generation -################# - -# leave certificate directory intact on uninstall - -################# -# ActiveMQ -################# - -# no need to deconfigure, as it will be completely removed during uninstall - -################# -# Tomcat -################# - -if [[ $1 = "server" ]]; then - # determine which version of tomcat is installed - rpm -q tomcat6 - if [[ $? -eq 0 ]]; then - TOMCAT_VERSION=`rpm -q --qf="%{VERSION}" tomcat6` - else - TOMCAT_VERSION=`rpm -q --qf="%{VERSION}" tomcat` - fi - - TOMCAT_MAJOR_VERSION=`echo $TOMCAT_VERSION | head -c 1` - - if [[ $TOMCAT_MAJOR_VERSION = '6' ]]; then - CATALINA_HOME=/usr/share/tomcat6 - TOMCAT_SERVICE=tomcat6 - TOMCAT_CONF=${CATALINA_HOME}/conf/tomcat6.conf - elif [[ $TOMCAT_MAJOR_VERSION = '7' ]] ; then - CATALINA_HOME=/usr/share/tomcat - TOMCAT_SERVICE=tomcat - TOMCAT_CONF=${CATALINA_HOME}/conf/tomcat.conf - else - echo "Unsupported Tomcat version: ${TOMCAT_MAJOR_VERSION}" - exit 1 - fi - - if [[ -n `grep -o keystorePass $CATALINA_HOME/conf/server.xml` ]]; then - SERVER_CONF=${CATALINA_HOME}/conf/server.xml - TOMCAT_USERS=${CATALINA_HOME}/conf/tomcat-users.xml - - echo "Restoring $TOMCAT_CONF" - sed -i "/^#begin-hirs-conf/,/^#end-hirs-conf/d" "$TOMCAT_CONF" - - echo "Restoring $SERVER_CONF" - sed -i "s^^^" "$SERVER_CONF" - - echo "Restoring $TOMCAT_USERS" - sed -i "s//<\/tomcat-users>/" "$TOMCAT_USERS" - fi -fi - -################# -# Appraiser -################# - -# no need to deconfigure, as it will be completely removed during uninstall - -################# -# MySQL/MariaDB -################# - -if [[ $1 = "server" ]]; then - MYSQL_CERT_DIR=${CERTIFICATES}/mysql/ - - if [[ -d $MYSQL_CERT_DIR ]]; then - # stop the database - if [[ $(rpm -qa mariadb*) ]]; then - service mariadb stop - else - service mysqld stop - fi - - rm -rf $MYSQL_CERT_DIR - 
sed -i "/^#begin-hirs-conf/,/^#end-hirs-conf/d" /etc/my.cnf - - # start the database - if [[ $(rpm -qa mariadb*) ]]; then - service mariadb start - else - service mysqld start - fi - fi -fi \ No newline at end of file diff --git a/package/scripts/db/db_create.sh b/package/scripts/db/db_create.sh index db3c9e0e..8b5db7bb 100644 --- a/package/scripts/db/db_create.sh +++ b/package/scripts/db/db_create.sh @@ -14,7 +14,7 @@ SCRIPT_DIR=$( dirname -- "$( readlink -f -- "$0"; )"; ) SPRING_PROP_FILE="/etc/hirs/aca/application.properties" ACA_PROP_FILE="/etc/hirs/aca/aca.properties" DB_ADMIN_PWD="" -DB_USER="hirs_db" +#DB_USER="hirs_db" # Db Configuration files DB_SRV_CONF="/etc/my.cnf.d/mariadb-server.cnf" DB_CLIENT_CONF="/etc/my.cnf.d/client.cnf" 
@@ -35,55 +35,7 @@ touch $LOG_FILE mkdir -p /etc/hirs/aca/ mkdir -p /var/log/hirs/ -check_for_container () { - # Check if we're in a Docker container - if [[ $(cat /proc/1/sched | head -n 1) == *"bash"* ]]; then - #if [ -f /.dockerenv ]; then - DOCKER_CONTAINER=true - echo "ACA is running in a container..." | tee -a "$LOG_FILE" - else - DOCKER_CONTAINER=false - echo "ACA is not running in a container..." | tee -a "$LOG_FILE" - fi - if [ -d /opt/hirs/scripts/db ]; then - MYSQL_DIR="/opt/hirs/scripts/db" - else - MYSQL_DIR="$SCRIPT_DIR/../db" - fi - echo "Mysql script directory is $MYSQL_DIR" -} - -start_mysqlsd () { - # Check if mysql is already running, if not initialize - if [[ $(pgrep -c -u mysql mysqld) -eq 0 ]]; then - # Check if running in a container - if [ $DOCKER_CONTAINER = true ]; then - # if in Docker container, avoid services that invoke the D-Bus - echo "ACA is running in a container..." - # Check if mariadb is setup - if [ ! -d "/var/lib/mysql/mysql/" ]; then - echo "Installing mariadb" - /usr/bin/mysql_install_db > "$LOG_FILE" - chown -R mysql:mysql /var/lib/mysql/ - fi - echo "Starting mysql...." - chown -R mysql:mysql /var/log/mariadb - /usr/bin/mysqld_safe & - else - SQL_SERVICE="mariadb" - systemctl $SQL_SERVICE enable - systemctl $SQL_SERVICE start - fi - fi # mysql not running - - # Wait for mysql to start before continuing. - echo "Checking mysqld status..."| tee -a "$LOG_FILE" - while ! mysqladmin ping -h "$localhost" --silent; do - sleep 1; - done - - echo "mysqld is running."| tee -a "$LOG_FILE" -} +source start_mysqld.sh check_mysql_root_pwd () { # Check if DB root password needs to be obtained 
@@ -111,17 +63,17 @@ check_mysql_root_pwd () { set_mysql_server_tls () { # Check DB server setup. If ssl params dont exist then we need to add them. - if [[ $(cat "$DB_SRV_CONF" | grep -c "ssl") < 1 ]]; then + if [[ $(cat "$DB_SRV_CONF" | grep -c "ssl") < 1 ]]; then # Add TLS files to my.cnf echo "Updating $DB_SRV_CONF with ssl parameters..." | tee -a "$LOG_FILE" echo "ssl_ca=$SSL_DB_SRV_CHAIN" >> "$DB_SRV_CONF" echo "ssl_cert=$SSL_DB_SRV_CERT" >> "$DB_SRV_CONF" echo "ssl_key=$SSL_DB_SRV_KEY" >> "$DB_SRV_CONF" - # Make sure mysql can access them + # Make sure mysql can access them chown mysql $SSL_DB_SRV_CHAIN $SSL_DB_SRV_CERT $SSL_DB_SRV_KEY else echo "mysql.cnf contians existing entry for ssl, skipping..." | tee -a "$LOG_FILE" - fi + fi } set_mysql_client_tls () { diff --git a/package/scripts/db/db_create.sql b/package/scripts/db/db_create.sql index 510295bc..a803ebcb 100644 --- a/package/scripts/db/db_create.sql +++ b/package/scripts/db/db_create.sql @@ -1,2 +1,2 @@ CREATE DATABASE IF NOT EXISTS `hirs_db` CHARACTER SET = 'utf8mb4' COLLATE = 'utf8mb4_general_ci'; -GRANT ALL ON hirs_db.* TO "hirs_db"@"localhost" IDENTIFIED BY "$HIRS_DB_PWD" REQUIRE SSL; \ No newline at end of file +GRANT ALL ON hirs_db.* TO "hirs_db"@"localhost" IDENTIFIED BY "$HIRS_DB_PWD" REQUIRE X509; \ No newline at end of file diff --git a/package/scripts/db/start_mysqld.sh b/package/scripts/db/start_mysqld.sh new file mode 100644 index 00000000..8e0a2731 --- /dev/null +++ b/package/scripts/db/start_mysqld.sh 
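Review bot: `source start_mysqld.sh` (in the `@@ -35,55 +35,7 @@` hunk) names the file without a slash, so bash resolves it through `PATH` and, failing that, the caller's current directory rather than the script's own directory; db_create.sh runs as root, so whichever start_mysqld.sh happens to be first on the caller's PATH or cwd gets executed with root privileges, and the normal install case (run from another directory) simply fails to find it. Use the `SCRIPT_DIR` already defined at the top of the file, as aca_bootRun.sh does: `source "$SCRIPT_DIR/start_mysqld.sh"`. The sourced file also expects `LOG_FILE` and `SCRIPT_DIR` to be set by the caller, which is true here but worth a comment above the `source` line.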
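Review bot: Moving from `REQUIRE SSL` to `REQUIRE X509` is a real improvement, but note that `REQUIRE X509` accepts any client certificate that chains to the server's `ssl_ca`, which in this setup is the same chain that issues the ACA's TLS and server certificates. If the intent is that only the generated DB client certificate can authenticate as `hirs_db`, pin it with `REQUIRE SUBJECT '…' AND ISSUER '…'` using the DN that pki_chain_gen.sh assigns to the client cert, so a leaked server-side key cannot be reused as a DB login; add a comment stating which it is either way.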
@@ -0,0 +1,57 @@ +#!/bin/bash +##################################################################################### +# +# Function to check mysql and start if not running. +# Also a function for checking if running in a container +# +##################################################################################### + +check_for_container () { + # Check if we're in a Docker container + if [[ $(cat /proc/1/sched | head -n 1) == *"bash"* ]]; then + #if [ -f /.dockerenv ]; then + DOCKER_CONTAINER=true + echo "ACA is running in a container..." | tee -a "$LOG_FILE" + else + DOCKER_CONTAINER=false + echo "ACA is not running in a container..." | tee -a "$LOG_FILE" + fi + if [ -d /opt/hirs/scripts/db ]; then + MYSQL_DIR="/opt/hirs/scripts/db" + else + MYSQL_DIR="$SCRIPT_DIR/../db" + fi + echo "Mysql script directory is $MYSQL_DIR" +} + +start_mysqlsd () { + # Check if mysql is already running, if not initialize + if [[ $(pgrep -c -u mysql mysqld) -eq 0 ]]; then + # Check if running in a container + if [ $DOCKER_CONTAINER = true ]; then + # if in Docker container, avoid services that invoke the D-Bus + echo "ACA is running in a container..." + # Check if mariadb is setup + if [ ! -d "/var/lib/mysql/mysql/" ]; then + echo "Installing mariadb" + /usr/bin/mysql_install_db > "$LOG_FILE" + chown -R mysql:mysql /var/lib/mysql/ + fi + echo "Starting mysql...." + chown -R mysql:mysql /var/log/mariadb + /usr/bin/mysqld_safe & + else + SQL_SERVICE="mariadb" + systemctl $SQL_SERVICE enable + systemctl $SQL_SERVICE start + fi + fi # mysql not running + + # Wait for mysql to start before continuing. + echo "Checking mysqld status..."| tee -a "$LOG_FILE" + while ! mysqladmin ping -h "$localhost" --silent; do + sleep 1; + done + + echo "mysqld is running."| tee -a "$LOG_FILE" +} \ No newline at end of file diff --git a/package/scripts/pki/pki_chain_gen.sh b/package/scripts/pki/pki_chain_gen.sh index d83f2643..386f38be 100644 --- a/package/scripts/pki/pki_chain_gen.sh 
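Review bot: The readiness loop in `start_mysqlsd` polls `mysqladmin ping -h "$localhost"`, but `$localhost` is never assigned in this file, so the host argument is the empty string; it should be the literal `mysqladmin ping -h localhost --silent`. The non-container branch also has the systemctl verb and unit reversed — `systemctl $SQL_SERVICE enable` / `systemctl $SQL_SERVICE start` will fail as "Unknown command mariadb"; use `systemctl enable "$SQL_SERVICE"` and `systemctl start "$SQL_SERVICE"`. In the container branch `/usr/bin/mysql_install_db > "$LOG_FILE"` truncates the install log that the caller has been appending to; use `>>` to match the `tee -a` usage elsewhere. The `cat /proc/1/sched` container heuristic is fragile (it depends on PID 1 being a bash process); if the commented-out `/.dockerenv` test was dropped for a reason, a comment explaining why would help.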
+++ b/package/scripts/pki/pki_chain_gen.sh @@ -29,6 +29,7 @@ SERVER_DN="/C=US/ST=MD/L=Columbia/O="$ACTOR"/CN="$ACTOR" aca" # Capture location of the script to allow from invocation from any location SCRIPT_DIR=$( dirname -- "$( readlink -f -- "$0"; )"; ) TRUSTSTORE=TrustStore.jks +TRUSTSTORE_P12=TrustStore.p12 KEYSTORE=KeyStore.jks # Parameter check @@ -216,11 +217,15 @@ create_cert_chain () { # Make JKS files for the mysql DB connector. P12 first then JKS... openssl pkcs12 -export -in $DB_CLIENT.pem -inkey $DB_CLIENT.key -aes256 \ - -passin pass:"$PASS" -aes256 -passout pass:$PASS \ + -passin pass:"$PASS"-passout pass:$PASS -aes256 \ -name "mysqlclientkey" -out $DB_CLIENT.p12 - keytool -importkeystore -srckeystore $DB_CLIENT.p12 -srcstoretype pkcs12 \ + keytool -importkeystore -srckeystore $DB_CLIENT.p12 -srcstoretype PKCS12 \ -srcstorepass $PASS -destkeystore $DB_CLIENT.jks -deststoretype JKS -deststorepass $PASS + + # Make a p12 TrustStore + keytool -importkeystore -srckeystore $TRUSTSTORE -destkeystore $TRUSTSTORE_P12 \ + -srcstoretype JKS -deststoretype PKCS12 -srcstorepass $pass -deststorepass $pass -noprompt } if [ "$ASYM_ALG" == "rsa" ]; then diff --git a/package/scripts/pki/pki_setup.sh b/package/scripts/pki/pki_setup.sh index cd094581..33b67b75 100644 --- a/package/scripts/pki/pki_setup.sh +++ b/package/scripts/pki/pki_setup.sh @@ -7,6 +7,7 @@ ############################################################################################ PROP_FILE=/etc/hirs/aca/application.properties +ACA_PROP=/etc/hirs/aca/aca.properties LOG_FILE=$1 PKI_PASS=$2 LOG_FILE_NAME="hirs_aca_install_"$(date +%Y-%m-%d).log @@ -30,7 +31,7 @@ fi # Check for sudo or root user if [ "$EUID" -ne 0 ] - then echo "The first time this script is run, this script requires root. Please run as root" | tee -a "$LOG_FILE" + then echo "This script requires root. Please run as root" | tee -a "$LOG_FILE" exit 1 fi 
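Review bot: The edited `openssl pkcs12 -export` line lost the space between the passin and passout options: `-passin pass:"$PASS"-passout pass:$PASS` makes openssl see a single `-passin` value of `<PASS>-passout` and a stray `pass:<PASS>` argument, so the export will fail or use the wrong password; restore `-passin pass:"$PASS" -passout pass:"$PASS" -aes256`. The new TrustStore.p12 line uses `$pass` (lowercase) where every other line uses `$PASS`; shell variables are case-sensitive, so keytool receives empty `-srcstorepass`/`-deststorepass` values and the conversion fails or yields an unprotected store — change both to `"$PASS"`. Passing store passwords as keytool command-line arguments also exposes them via `ps`; keytool's `-srcstorepass:env VAR` form avoids that, though that applies to the pre-existing lines as well.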
@@ -64,6 +65,7 @@ if [ ! -d "/etc/hirs/certificates" ]; then echo "server.ssl.key-alias=hirs_aca_tls_rsa_3k_sha384">> $PROP_FILE echo "server.ssl.key-store-password="$PKI_PASS >> $PROP_FILE echo "server.ssl.trust-store-password="$PKI_PASS >> $PROP_FILE + echo "hirs_pki_password="$PKI_PASS >> $ACA_PROP else echo "/etc/hirs/certificates exists, skipping" | tee -a "$LOG_FILE" fi From aef7a2b9acbb8b9ddba17c38486a7e1f5ba5f777 Mon Sep 17 00:00:00 2001 From: iadgovuser26 Date: Wed, 23 Aug 2023 16:30:06 -0400 Subject: [PATCH 03/10] Added aca_setup_check.sh --- HIRS_AttestationCAPortal/build.gradle | 2 +- package/scripts/aca/aca_bootRun.sh | 34 ++-- package/scripts/aca/aca_check_setup.sh | 192 +++++++++++++++++++++++ package/scripts/aca/aca_remove_setup.sh | 27 ++++ package/scripts/aca/aca_setup.sh | 28 +++- package/scripts/db/db_create.sh | 50 +++--- package/scripts/db/db_drop.sh | 57 +++++-- package/scripts/db/reset_hirs_db_user.sh | 45 ++++++ package/scripts/db/start_mysqld.sh | 23 ++- package/scripts/pki/pki_chain_gen.sh | 16 +- package/scripts/pki/pki_setup.sh | 32 ++-- 11 files changed, 420 insertions(+), 86 deletions(-) create mode 100644 package/scripts/aca/aca_check_setup.sh create mode 100644 package/scripts/aca/aca_remove_setup.sh create mode 100644 package/scripts/db/reset_hirs_db_user.sh diff --git a/HIRS_AttestationCAPortal/build.gradle b/HIRS_AttestationCAPortal/build.gradle index 78672323..13b1a08f 100644 --- a/HIRS_AttestationCAPortal/build.gradle +++ b/HIRS_AttestationCAPortal/build.gradle @@ -52,7 +52,7 @@ dependencies { implementation 'org.apache.tomcat.embed:tomcat-embed-jasper:10.1.5' compileOnly 'org.projectlombok:lombok' - runtimeOnly 'org.mariadb.jdbc:mariadb-java-client:3.1.0' + implementation 'org.mariadb.jdbc:mariadb-java-client:3.1.4' annotationProcessor 'org.projectlombok:lombok' providedRuntime 'org.springframework.boot:spring-boot-starter-tomcat' 
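Review bot: `echo "hirs_pki_password="$PKI_PASS >> $ACA_PROP` writes the keystore password into a file that is created with the process's default umask, so on a typical system it is world-readable; this script already requires root, so add `umask 077` before the first write or `chmod 600 "$ACA_PROP"` immediately after it. Quoting `"$ACA_PROP"` and `"$PKI_PASS"` would also keep a password containing spaces intact. The enclosing `if [ ! -d "/etc/hirs/certificates" ]` block starts outside this hunk.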
diff --git a/package/scripts/aca/aca_bootRun.sh b/package/scripts/aca/aca_bootRun.sh index bbecedd8..8b8b0a59 100644 --- a/package/scripts/aca/aca_bootRun.sh +++ b/package/scripts/aca/aca_bootRun.sh @@ -13,6 +13,8 @@ RSA_PATH=rsa_3k_sha384_certs ECC_PATH=ecc_512_sha384_certs SCRIPT_DIR=$( dirname -- "$( readlink -f -- "$0"; )"; ) LOG_FILE=/dev/null +GRADLE_WRAPPER="./gradlew" + source $SCRIPT_DIR/../db/start_mysqld.sh if [ $ALG = "RSA" ]; then 
@@ -41,39 +43,37 @@ if [ ! -d "$CERT_PATH" ]; then exit 1; fi +if [ ! -f "$GRADLE_WRAPPER" ]; then + echo "This script needs to be run from the HIRS top level project directory. Exiting." + exit 1; +fi + echo "Starting HIRS ACA on https://localhost:8443/HIRS_AttestationCAPortal/portal/index" source /etc/hirs/aca/aca.properties; -echo "Client Keystore is $CLIENT_DB_P12" -echo "DB using $hirs_db_username user and user password $hirs_db_password" -echo "Server PKI chain is $CERT_CHAIN" -echo "Server password is $hirs_pki_password" -echo "Tomcat key alias is $ALIAS" - # Run the embedded tomcat server with Web TLS enabled and database client TLS enabled by overrding critical parameters # Note "&" is a sub parameter continuation, space represents a new parameter. Spaces and quotes matter. # hibernate.connection.url is used for the DB connector which established DB TLS connectivity # server.ssl arguments support the embeded tomcats use of TLS for the ACA Portal -ARGS="--hibernate.connection.url=\"jdbc:mariadb://localhost:3306/hirs_db?autoReconnect=true&\ -user=\"$hirs_db_username\"&\ -password=\"$hirs_db_password\"&\ +CONNECTOR_PARAMS="--hibernate.connection.url=jdbc:mariadb://localhost:3306/hirs_db?autoReconnect=true&\ +user=$hirs_db_username&\ +password=$hirs_db_password&\ sslMode=VERIFY_CA&\ serverSslCert=$CERT_CHAIN&\ keyStoreType=PKCS12&\ -keyStorePassword=\"$hirs_pki_password\"&\ -keyStore="$CLIENT_DB_P12" \ ---server.ssl.key-store-password=\"$hirs_pki_password\" \ ---server.ssl.trust-store-password=\"$hirs_pki_password\"\"" +keyStorePassword=$hirs_pki_password&\ +keyStore="$CLIENT_DB_P12" " -# --hibernate.connection.driver_class=\"org.mariadb.jdbc.Driver\" \ +WEB_TLS_PARAMS="--server.ssl.key-store-password=$hirs_pki_password \ +--server.ssl.trust-store-password=$hirs_pki_password" -echo "--args="$ARGS"" +echo "--args=\"$CONNECTOR_PARAMS $WEB_TLS_PARAMS\"" if [ "$USE_WAR" == "war" ]; then echo "Booting the ACA from a $USE_WAR file..." 
- java -jar HIRS_AttestationCAPortal/build/libs/HIRS_AttestationCAPortal.war $ARGS + java -jar HIRS_AttestationCAPortal/build/libs/HIRS_AttestationCAPortal.war $CONNECTOR_PARAMS$WEB_TLS_PARAMS else echo "Booting the ACA from local build..." - ./gradlew bootRun --args="\"$ARGS\"" + ./gradlew bootRun --args="$CONNECTOR_PARAMS$WEB_TLS_PARAMS" fi diff --git a/package/scripts/aca/aca_check_setup.sh b/package/scripts/aca/aca_check_setup.sh new file mode 100644 index 00000000..1b10997f --- /dev/null +++ b/package/scripts/aca/aca_check_setup.sh 
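Review bot: The removed `echo` lines stopped printing the DB and PKI passwords, but `echo "--args=\"$CONNECTOR_PARAMS $WEB_TLS_PARAMS\""` prints both again in full, since `password=$hirs_db_password` and `keyStorePassword=$hirs_pki_password` are embedded in those strings. Those same values are then passed on the `java`/`gradlew` command line, where any local user can read them from `ps` or `/proc/<pid>/cmdline` for the lifetime of the process; a properties file with restricted permissions or environment variables (Spring's relaxed binding reads `SPRING_DATASOURCE_PASSWORD`, for example) would keep them off argv. `sslMode=VERIFY_CA` checks the chain but not the server name, so a compromised host certificate from the same CA would be accepted; if the DB server cert carries `localhost`, `sslMode=VERIFY_FULL` is the stronger choice. At minimum drop the password fields from the debug echo, e.g. `echo "--args=… password=***&keyStorePassword=*** …"`.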
@@ -0,0 +1,192 @@ +#!/bin/bash +############################################################################################ +# Checks the setup for the ACA: +# +############################################################################################ + +SCRIPT_DIR=$( dirname -- "$( readlink -f -- "$0"; )"; ) +LOG_FILE=/dev/null +CERT_PATH="/etc/hirs/certificates/HIRS/" +RSA_PATH=rsa_3k_sha384_certs +ECC_PATH=ecc_512_sha384_certs + +RSA_HIRS_ROOT="HIRS_root_ca_rsa_3k_sha384.pem" +RSA_HIRS_INTERMEDIATE="HIRS_intermediate_ca_rsa_3k_sha384.pem" +RSA_HIRS_CA1="HIRS_leaf_ca1_rsa_3k_sha384.pem" +RSA_HIRS_CA2="HIRS_leaf_ca2_rsa_3k_sha384.pem" +RSA_HIRS_CA3="HIRS_leaf_ca3_rsa_3k_sha384.pem" +RSA_TRUST_STORE="HIRS_rsa_3k_sha384_Cert_Chain.pem" +RSA_RIM_SIGNER="HIRS_rim_signer_rsa_3k_sha384.pem" +RSA_DB_CLIENT_CERT="HIRS_db_client_rsa_3k_sha384.pem" +RSA_DN_SRV_CERT="HIRS_db_srv_rsa_3k_sha384.pem" +RSA_WEB_TLS_CERT="HIRS_aca_tls_rsa_3k_sha384.pem" + +ECC_HIRS_ROOT="HIRS_root_ca_ecc_512_sha384.pem" +ECC_HIRS_INTERMEDIATE="HIRS_intermediate_ca_ecc_512_sha384.pem" +ECC_HIRS_CA1="HIRS_leaf_ca1_ecc_512_sha384.pem" +ECC_HIRS_CA2="HIRS_leaf_ca2_ecc_512_sha384.pem" +ECC_HIRS_CA3="HIRS_leaf_ca3_ecc_512_sha384.pem" + +ECC_TRUST_STORE="HIRS_ecc_512_sha384_Cert_Chain.pem" +ECC_RIM_SIGNER="HIRS_rim_signer_ecc_512_sha384.pem" +ECC_DB_CLIENT_CERT="HIRS_db_client_ecc_512_sha384.pem" +ECC_DN_SRV_CERT="HIRS_db_srv_ecc_512_sha384.pem" +ECC_WEB_TLS_CERT="HIRS_aca_tls_ecc_512_sha384.pem" + +DB_SRV_CONF="/etc/my.cnf.d/mariadb-server.cnf" +DB_CLIENT_CONF="/etc/my.cnf.d/client.cnf" +ALL_CHECKS_PASSED=true + +# Check for Admin privileges +if [ "$EUID" -ne 0 ]; then + echo "This script requires root. Please run as root" + exit 1 +fi +# Check install setup pki files +if [ ! -d $CERT_PATH ]; then + echo "$CERT_PATH directory does not exist. Please run aca_setup.sh and try again." 
+ exit 1; +fi + +source /etc/hirs/aca/aca.properties; + +check_pwds () { + +PRESENT=true +echo "Checking if ACA passwords are in aca.properties" + if [ -z $hirs_pki_password ]; then + echo "hirs pki password not set" + PRESENT=false + fi + if [ -z $hirs_db_username ]; then + echo "hirs db username not set" + PRESENT=false + fi + if [ -z $hirs_db_password ]; then + echo "hirs db password not set" + PRESENT=false + fi + if [ $PRESENT ]; then + echo " HIRS passwords were created" + else + echo " ERROR finding HIRS passwords" + ALL_CHECKS_PASSED=false + fi +} +check_mysql () { + echo "Checking mysqld status..." + if [[ $(pgrep -c -u mysql mysqld) -ne 0 ]]; then + echo " mysql process exists..." + else + echo " mysqld process does NOT exist, attempting to restart mysql..." + /usr/bin/mysqld_safe & + fi + + # Wait for mysql to start before continuing. + + while ! mysqladmin ping -h "$localhost" --silent; do + sleep 1; + done + + echo " mysqld is running." + + # Check DB server/client TLS setup. + if [[ $(cat "$DB_SRV_CONF" | grep -c "ssl") < 1 ]]; then + echo " Mysql server is NOT configured for Server Side TLS" + ALL_CHECKS_PASSED=false + else + echo " Mysql server is configured for Server Side TLS" + fi + if [[ $(cat "$DB_CLIENT_CONF" | grep -c "ssl") < 1 ]]; then + echo " Mysql client is NOT configured for command line use of TLS without provding key/cert ino the commandline" + ALL_CHECKS_PASSED=false + else + echo " Mysql client is configured for command line use of TLS" + fi + + if [ ! -z $mysql_admin_password ]; then + echo "Listing mysql users:" + mysql -u root --password=$mysql_admin_password -e "Select user from mysql.user;" + echo "Listing all databses:" + mysql -u root --password=$mysql_admin_password -e "show databases;" + fi +} + +check_pki () { + echo "Checking HIRS PKI certificates" + if [ ! -d "/etc/hirs/certificates" ]; then + echo "/etc/hirs/certificates doesn't exists, was aca_setup.sh run ? / + Skipping PKI Checks." 
+ fi + + pushd $CERT_PATH$RSA_PATH + echo " Checking HIRS RSA certs using trust store..." + echo " "$(openssl verify -CAfile "$RSA_TRUST_STORE" $RSA_HIRS_ROOT) + echo " "$(openssl verify -CAfile "$RSA_TRUST_STORE" $RSA_HIRS_INTERMEDIATE) + echo " "$(openssl verify -CAfile "$RSA_TRUST_STORE" $RSA_HIRS_CA1) + echo " "$(openssl verify -CAfile "$RSA_TRUST_STORE" $RSA_HIRS_CA2) + echo " "$(openssl verify -CAfile "$RSA_TRUST_STORE" $RSA_HIRS_CA3) + echo " "$(openssl verify -CAfile "$RSA_TRUST_STORE" $RSA_RIM_SIGNER) + echo " "$(openssl verify -CAfile "$RSA_TRUST_STORE" $RSA_DN_SRV_CERT) + echo " "$(openssl verify -CAfile "$RSA_TRUST_STORE" $RSA_DB_CLIENT_CERT) + echo " "$(openssl verify -CAfile "$RSA_TRUST_STORE" $RSA_WEB_TLS_CERT) + popd > /dev/null + pushd $CERT_PATH$ECC_PATH + echo " Checking HIRS ECC certs using tust store..." + echo " "$(openssl verify -CAfile "$ECC_TRUST_STORE" $ECC_HIRS_ROOT) + echo " "$(openssl verify -CAfile "$ECC_TRUST_STORE" $ECC_HIRS_INTERMEDIATE) + echo " "$(openssl verify -CAfile "$ECC_TRUST_STORE" $ECC_HIRS_CA1) + echo " "$(openssl verify -CAfile "$ECC_TRUST_STORE" $ECC_HIRS_CA2) + echo " "$(openssl verify -CAfile "$ECC_TRUST_STORE" $ECC_HIRS_CA3) + echo " "$(openssl verify -CAfile "$ECC_TRUST_STORE" $ECC_RIM_SIGNER) + echo " "$(openssl verify -CAfile "$ECC_TRUST_STORE" $ECC_DN_SRV_CERT) + echo " "$(openssl verify -CAfile "$ECC_TRUST_STORE" $ECC_DB_CLIENT_CERT) + echo " "$(openssl verify -CAfile "$ECC_TRUST_STORE" $ECC_WEB_TLS_CERT) + popd > /dev/null + + echo " Checking KeyStore, Keystore aliases, and pki password" + echo " Keystore alias list:" + keytool -list -keystore /etc/hirs/certificates/HIRS/TrustStore.jks -storepass $hirs_pki_password | grep hirs | sed -e 's/^/ /' + if [ $? -eq 0 ]; then + echo " HIRS pki password is correct" + else + echo " HIRS pki password is NOT correct" + ALL_CHECKS_PASSED=false + fi +} + +check_db () { + echo "Check DB server SSL config..." 
+ RESULT=$(mysql -u hirs_db --password=$hirs_db_password -e "SHOW VARIABLES LIKE '%have_ssl%'" | grep -o YES ) + if [ "$RESULT" == "YES" ]; then + echo " Mysql is configured for Server side TLS:" + else + echo " Mysql is NOT configured for Server side TLS:" + ALL_CHECKS_PASSED=false + fi + mysql -u hirs_db --password=$hirs_db_password -e "SHOW VARIABLES LIKE '%have_ssl%'" + echo " Show hirs_db user config" + mysql -u hirs_db --password=$hirs_db_password -e "SHOW CREATE USER 'hirs_db'@'localhost';" + echo " Show databases accessable to the hirs_db user:" + RESULT=$(mysqlshow --user=hirs_db --password=$hirs_db_password hirs_db| grep -o hirs_db) + if [ "$RESULT" == "hirs_db" ]; then + echo " The hirs_db database is visable by the hirs_db user" + else + echo " The hirs_db database is NOT visable by the hirs_db user" + ALL_CHECKS_PASSED=false + fi + mysql -u hirs_db --password=$hirs_db_password -e "SHOW DATABASES;"; + echo "Showing privileges for the hirs_db user" + mysql -u hirs_db --password=$hirs_db_password -e "SHOW GRANTS FOR 'hirs_db'@'localhost'" +} + +check_pwds +check_pki +check_mysql +check_db + +if [ $ALL_CHECKS_PASSED = true ]; then + echo "ACA setup checks passed!" +else + echo "ACA setup checks failed." +fi \ No newline at end of file diff --git a/package/scripts/aca/aca_remove_setup.sh b/package/scripts/aca/aca_remove_setup.sh new file mode 100644 index 00000000..e02b6e73 --- /dev/null +++ b/package/scripts/aca/aca_remove_setup.sh 
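Review bot: In `check_pwds`, `if [ $PRESENT ]; then` tests whether the string is non-empty, and `"false"` is non-empty, so the "ERROR finding HIRS passwords" branch can never execute and `ALL_CHECKS_PASSED` is never cleared by this function; write `if [ "$PRESENT" = true ]; then`. The `-z $hirs_pki_password` style tests are unquoted, which turns an empty value into `[ -z ]` (true by accident) and a value with spaces into a syntax error. In `check_pki`, the "Skipping PKI Checks" message is printed but the function carries on into `pushd $CERT_PATH$RSA_PATH`, so it does not actually skip; add `return` after the echo. The root and hirs_db passwords are also passed as `--password=` on the command line throughout, which exposes them via `ps`; `MYSQL_PWD` or `--defaults-extra-file` avoids that.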
@@ -0,0 +1,27 @@ +#!/bin/bash +##################################################################################### +# +# Script to remove ACA setup files and database items. +# +# +##################################################################################### + +SCRIPT_DIR=$( dirname -- "$( readlink -f -- "$0"; )"; ) +LOG_FILE=/dev/null + +# Check for Admin privileges +if [ "$EUID" -ne 0 ]; then + echo "This script requires root. ACA setup not removed. Please run as root." + exit 1 +fi + +# remove the hrs-db and hirs_db user +pushd $SCRIPT_DIR/../db/ +sh db_drop.sh +popd + +# remove pki files and config files +echo "Removing certificates and config files..." +rm -rf /etc/hirs + +echo "ACA setup removal complete." \ No newline at end of file diff --git a/package/scripts/aca/aca_setup.sh b/package/scripts/aca/aca_setup.sh index 37266bcb..f1d36dec 100644 --- a/package/scripts/aca/aca_setup.sh +++ b/package/scripts/aca/aca_setup.sh @@ -5,12 +5,15 @@ SPRING_PROP_FILE='../../../HIRS_AttestationCAPortal/src/main/resources/applicati HIRS_CONF_DIR=/etc/hirs/aca LOG_FILE_NAME="hirs_aca_install_"$(date +%Y-%m-%d).log LOG_DIR="/var/log/hirs/" +LOG_FILE="$LOG_DIR$LOG_FILE_NAME" HIRS_PROP_DIR="/opt/hirs/default-properties" COMP_JSON='../../../HIRS_AttestationCA/src/main/resources/component-class.json' VENDOR_TABLE='../../../HIRS_AttestationCA/src/main/resources/vendor-table.json' -LOG_FILE="$LOG_DIR$LOG_FILE_NAME" + echo "LOG_FILE is $LOG_FILE" + echo "HIRS_MYSQL_ROOT_PWD is $HIRS_MYSQL_ROOT_PWD" + if [ "$EUID" -ne 0 ] then echo "This script requires root. Please run as root" exit 1 @@ -28,6 +31,10 @@ while [[ $# -gt 0 ]]; do ARG_SKIP_DB=YES shift # past argument ;; + --skip-pki) + ARG_SKIP_PKI=YES + shift # past argument + ;; -*|--*) echo "aca_setup.sh: Unknown option $1" ;; 
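Review bot: `sh db_drop.sh` runs the drop script under `sh`, but the version of db_drop.sh in this series uses `source` and `read -p`, which are bash constructs that fail under dash on Debian-family hosts; invoke it as `bash db_drop.sh` (or make it executable and call `./db_drop.sh`). `rm -rf /etc/hirs` then removes the CA keys, keystores and credentials with no confirmation and no check that the drop succeeded, so a failed DB teardown still loses the PKI; consider gating it on `db_drop.sh`'s exit status and on a `--yes` flag.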
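Review bot: `echo "HIRS_MYSQL_ROOT_PWD is $HIRS_MYSQL_ROOT_PWD"` prints the MariaDB root password to the console at every run, and if output is captured into the install log it persists there; remove the line, or reduce it to `echo "HIRS_MYSQL_ROOT_PWD is $([ -n "$HIRS_MYSQL_ROOT_PWD" ] && echo set || echo unset)"`. The new `--skip-pki` option is not mentioned in any usage text visible in the hunk, so a one-line comment above the `case` listing the accepted flags would help.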
@@ -61,7 +68,7 @@ if [ -f $SPRING_PROP_FILE ]; then cp -n $VENDOR_TABLE $HIRS_PROP_DIR/. fi -if [ -z "${ARG_SKIP_DB}" ]; then +if [ -z "${ARG_SKIP_PKI}" ]; then sh ../pki/pki_setup.sh $LOG_FILE $PKI_PASS if [ $? -eq 0 ]; then echo "ACA PKI setup complete" | tee -a "$LOG_FILE" @@ -69,15 +76,20 @@ if [ -z "${ARG_SKIP_DB}" ]; then echo "Error setting up ACA PKI" | tee -a "$LOG_FILE" exit 1 fi - echo "Warning: Database setup not run due to command line argument: $@" | tee -a "$LOG_FILE" + else + echo "Warning: Database setup not run due to command line argument: $@" | tee -a "$LOG_FILE" fi -sh ../db/db_create.sh $LOG_FILE -if [ $? -eq 0 ]; then - echo "ACA database setup complete" | tee -a "$LOG_FILE" - else - echo "Error setting up ACA DB" | tee -a "$LOG_FILE" +if [ -z "${ARG_SKIP_DB}" ]; then + sh ../db/db_create.sh $LOG_FILE + if [ $? -eq 0 ]; then + echo "ACA database setup complete" | tee -a "$LOG_FILE" + else + echo "Error setting up ACA DB" | tee -a "$LOG_FILE" exit 1 + fi + else + echo "Warning: Database setup not run due to command line argument: $@" | tee -a "$LOG_FILE" fi echo "ACA setup complete" | tee -a "$LOG_FILE" diff --git a/package/scripts/db/db_create.sh b/package/scripts/db/db_create.sh index 8b5db7bb..9e477d2d 100644 --- a/package/scripts/db/db_create.sh +++ b/package/scripts/db/db_create.sh 
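Review bot: The `else` branch of the new `if [ -z "${ARG_SKIP_PKI}" ]` block prints "Database setup not run due to command line argument", copied from the DB block below it, so `--skip-pki` reports the wrong thing; it should read `echo "Warning: PKI setup not run due to command line argument: $@"`. Quote `"$@"` in both messages so the arguments are not re-split. Note that `--skip-pki` now skips the PKI step but `pki_setup.sh` is what writes `hirs_pki_password` into aca.properties, so a later DB TLS setup on a fresh host would proceed without that value; a check that `/etc/hirs/certificates` exists when the flag is given would make that failure mode explicit.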
@@ -29,21 +29,30 @@ SSL_DB_CLIENT_KEY="/etc/hirs/certificates/HIRS/rsa_3k_sha384_certs/HIRS_db_clien touch $ACA_PROP_FILE touch $LOG_FILE -#touch /.dockerenv +touch $DB_SRV_CONF # Make sure required paths exist mkdir -p /etc/hirs/aca/ mkdir -p /var/log/hirs/ -source start_mysqld.sh +source $SCRIPT_DIR/start_mysqld.sh +source $ACA_PROP_FILE check_mysql_root_pwd () { # Check if DB root password needs to be obtained + echo "HIRS_MYSQL_ROOT_PWD is $HIRS_MYSQL_ROOT_PWD" if [ -z $HIRS_MYSQL_ROOT_PWD ]; then # Create a 32 character random password echo "Using randomly generated password for the DB admin" | tee -a "$LOG_FILE" DB_ADMIN_PWD=$(head -c 64 /dev/urandom | md5sum | tr -dc 'a-zA-Z0-9') - echo "DB Admin will be set to $DB_ADMIN_PWD, please make note for next mysql use." + echo "DB Admin will be set to $DB_ADMIN_PWD , please make note for next mysql use." + read -p "Do you wish to save this password to the aca.properties file? " confirm + if [[ $confirm == [yY] || $confirm == [yY][eE][sS] ]]; then + echo "mysql_admin_password=$DB_ADMIN_PWD" >> $ACA_PROP_FILE + echo "Password saved." + else + echo "Password not saved." + fi mysqladmin --user=root password "$DB_ADMIN_PWD" else DB_ADMIN_PWD=$HIRS_MYSQL_ROOT_PWD 
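Review bot: The new `read -p "Do you wish to save this password…"` makes `check_mysql_root_pwd` interactive; when the script runs without a terminal (a package post-install or CI run), `read` returns immediately with an empty answer, the password is not saved, and the only copy is the `echo "DB Admin will be set to …"` line on stdout — so the root credential is effectively lost while still being set on the server. Drive this from a flag or environment variable instead, and drop the echo of the password itself. `mysql_admin_password` is appended to `$ACA_PROP_FILE` without restricting its mode, and `mysqladmin --user=root password "$DB_ADMIN_PWD"` exposes the new password on argv; `umask 077` before the `touch` and `chmod 600` on the properties file are the minimum here. `[ -z $HIRS_MYSQL_ROOT_PWD ]` should also be quoted.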
@@ -83,30 +92,30 @@ if [[ $(cat "$DB_CLIENT_CONF" | grep -c "ssl") < 1 ]]; then echo "ssl_ca=$SSL_DB_CLIENT_CHAIN" >> $DB_CLIENT_CONF echo "ssl_cert=$SSL_DB_CLIENT_CERT" >> $DB_CLIENT_CONF echo "ssl_key=$SSL_DB_CLIENT_KEY" >> $DB_CLIENT_CONF + chown mysql $SSL_DB_CLIENT_CHAIN $SSL_DB_CLIENT_CERT $SSL_DB_CLIENT_KEY fi } -# Process HIRS DB USER ... +# Process HIRS DB USER set_hirs_db_pwd () { -# Check if Mysql HIRS DB password set by system variable or set to random number - if [ -z $HIRS_DB_PWD ]; then - HIRS_DB_PWD=$(head -c 64 /dev/urandom | md5sum | tr -dc 'a-zA-Z0-9') + + RESULT="$(mysql -u root --password=$DB_ADMIN_PWD -e "SELECT EXISTS(SELECT 1 FROM mysql.user WHERE user = 'hirs_db')")" + if [ "$RESULT" = 1 ]; then + echo "hirs-db user exists" + HIRS_DB_PWD=$hirs_db_password + else + # Check if Mysql HIRS DB password set by system variable or set to random number + if [ -z $HIRS_DB_PWD ]; then + HIRS_DB_PWD=$(head -c 64 /dev/urandom | md5sum | tr -dc 'a-zA-Z0-9') + fi + + echo "hirs_db_username=hirs_db" >> $ACA_PROP_FILE + echo "hirs_db_password=$HIRS_DB_PWD" >> $ACA_PROP_FILE fi - # Remove any existing password for hirs db - if [ -f $ACA_PROP_FILE ];then - sed -i '/hirs_db_username/d' $ACA_PROP_FILE &>/dev/null - sed -i '/hirs_db_password/d' $ACA_PROP_FILE &>/dev/null - fi - - echo "hirs_db_username=hirs_db" >> $ACA_PROP_FILE - echo "hirs_db_password=$HIRS_DB_PWD" >> $ACA_PROP_FILE - - echo "hir_db user password is $HIRS_DB_PWD" - echo "mysql root password is $DB_ADMIN_PWD" } -# Create a hirs_db user with client side TLS enabled +# Create a hirs_db with client side TLS enabled create_hirs_db_with_tls () { # Check if hirs_db not created and create it if it wasn't mysqlshow --user=root --password="$DB_ADMIN_PWD" | grep "hirs_db" > /dev/null 2>&1 
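Review bot: The existence check in `set_hirs_db_pwd` runs `mysql -u root --password=… -e "SELECT EXISTS(…)"` without `-sse`, so `$RESULT` contains the column header on its own line plus the value, and `[ "$RESULT" = 1 ]` never matches; the sibling `reset_hirs_db_user.sh` in this series issues the same query with `-sse`, which is what is needed here. As a consequence every re-run takes the "create" path and appends another `hirs_db_username=`/`hirs_db_password=` pair to aca.properties, now that the `sed -i '/hirs_db_…/d'` cleanup has been removed; either restore the cleanup or keep the `-sse` fix and the early return together. `chown mysql $SSL_DB_CLIENT_CHAIN $SSL_DB_CLIENT_CERT $SSL_DB_CLIENT_KEY` hands the client private key to the server's account, which is presumably meant to make `client.cnf` usable from the mysql CLI — confirm that is the intended owner, and set the key to mode 600 in the same step since `chown` alone leaves the default mode. The enclosing `set_mysql_client_tls` function starts outside this hunk.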
@@ -120,10 +129,11 @@ create_hirs_db_with_tls () { } # HIRS ACA Mysqld processing ... +check_mariadb_install check_for_container set_mysql_server_tls set_mysql_client_tls -set_hirs_db_pwd start_mysqlsd check_mysql_root_pwd +set_hirs_db_pwd create_hirs_db_with_tls diff --git a/package/scripts/db/db_drop.sh b/package/scripts/db/db_drop.sh index a751cc5f..1979b4eb 100644 --- a/package/scripts/db/db_drop.sh +++ b/package/scripts/db/db_drop.sh 
@@ -1,21 +1,60 @@ #!/bin/bash -PASS=$1 +SRV_CNF=/etc/my.cnf.d/mariadb-server.cnf +CLIENT_CNF=/etc/my.cnf.d/client.cnf SCRIPT_DIR=$( dirname -- "$( readlink -f -- "$0"; )";) +LOG_FILE=/dev/null - if [ -d /opt/hirs/scripts/db ]; then +source /etc/hirs/aca/aca.properties; +source $SCRIPT_DIR/start_mysqld.sh + +# Check for sudo or root user, not actually needed but a good idea +if [ "$EUID" -ne 0 ] + then echo "This script requires root. Please run as root" + exit 1 +fi + +if [ -z $mysql_admin_password ]; then + read -p "Enter mysql root password" DB_ADMIN_PWD + else + DB_ADMIN_PWD=$mysql_admin_password +fi + +if [ -d /opt/hirs/scripts/db ]; then MYSQL_DIR="/opt/hirs/scripts/db" else MYSQL_DIR="$SCRIPT_DIR" fi -echo "dropping hirs database" +echo "dropping hirs_db database" - if pgrep mysqld >/dev/null 2>&1; then - if [ -z ${PASS} ]; then - mysql -u "root" < $MYSQL_DIR/db_drop.sql - else - mysql -u "root" -p$PASS < $MYSQL_DIR/db_drop.sql - fi + mysql -u "root" --password=$DB_ADMIN_PWD < $MYSQL_DIR/db_drop.sql + echo "hirs_db databse and hirs_db user removed" + else + echo "mysql is not running. DB was not removed." fi + +# reset the mysql root if the password was left in the properties fiel +if [ ! -z $mysql_admin_password ]; then + echo "Resetting mysql root password to empty" + mysql -u root --password=$mysql_admin_password -e "SET PASSWORD FOR "root@localhost" = PASSWORD('');" + echo "Current list of databases:" + mysql -u "root" -e "SHOW DATABASES;" + echo "Current list of users:" + mysql -u root -e "Select user from mysql.user;" + else + echo "Note root password was NOT reset" +fi + +# Remove key , cert and truststore entries from client.cnf andf mariadb.cnf + +echo "Removing hirs cert references from mariadb configuration files" +grep -v "hirs" $SRV_CNF > tmpfile && mv tmpfile $SRV_CNF +grep -v "hirs" $CLIENT_CNF > tmpfile && mv tmpfile $CLIENT_CNF + +echo "restarting mariadb" +pkill mysql +sleep 2; +check_for_container +start_mysqlsd 
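Review bot: `read -p "Enter mysql root password" DB_ADMIN_PWD` echoes the password as it is typed; use `read -s -p`. After the drop the script resets root to an empty password and leaves it that way (`SET PASSWORD FOR root@localhost = PASSWORD('')`), so any local user can subsequently log in as root with no credential — if the intent is only to undo what `db_create.sh` did, restoring the prior state cannot be done from here, and a prompt or a loud warning is warranted before removing the password. `grep -v "hirs" $SRV_CNF > tmpfile && mv tmpfile $SRV_CNF` creates `tmpfile` in the current directory with the caller's umask and then replaces the MariaDB config with it, changing its mode and ownership; `sed -i '/hirs/d' "$SRV_CNF"` preserves both. `pkill mysql` kills every process whose name contains "mysql", which is broader than the server. It also looks as if the `if pgrep mysqld` line was removed while its `else`/`fi` remain, which would be a syntax error — worth confirming from the full file.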
diff --git a/package/scripts/db/reset_hirs_db_user.sh b/package/scripts/db/reset_hirs_db_user.sh new file mode 100644 index 00000000..4d58a318 --- /dev/null +++ b/package/scripts/db/reset_hirs_db_user.sh @@ -0,0 +1,45 @@ +#!/bin/bash + +SCRIPT_DIR=$( dirname -- "$( readlink -f -- "$0"; )"; ) + +source /etc/hirs/aca/aca.properties; + +if [ -z $mysql_admin_password ]; then + read -p "Enter mysql root password" DB_ADMIN_PWD + else + DB_ADMIN_PWD=$mysql_admin_password +fi + +if [ -z $hirs_db_password ]; then + read -p "Enter mysql root password" hirs_db_password + else + HIRS_DB_PWD=$hirs_db_password +fi + +echo "HIRS_DB_PWD is $HIRS_DB_PWD" +echo "DB_ADMIN_PWD is $DB_ADMIN_PWD" + +# check if hirs_db user exists +RESULT="$(mysql -u root --password=$DB_ADMIN_PWD -sse "SELECT EXISTS(SELECT 1 FROM mysql.user WHERE user = 'hirs_db')")" + +if [ "$RESULT" = 1 ]; then + echo "hirs_db user found, dropping hirs-db user" + mysql -u root --password=$DB_ADMIN_PWD -e "DROP USER 'hirs_db'@'localhost'" + if [ $? -ne 0 ]; then + echo "Removing the existing hirs_db user failed" + else + echo "Removing the existing hirs_db was successful" + fi + else + echo "no hirs_db user found, creating one..." +fi + +echo "Creating hirs_db user" +mysql -u root --password=$DB_ADMIN_PWD -e "CREATE USER 'hirs_db'@'localhost' IDENTIFIED BY 'hirs_db';" +mysql -u root --password=$DB_ADMIN_PWD -e "ALTER USER 'hirs_db'@'localhost' IDENTIFIED BY '"$HIRS_DB_PWD"'; FLUSH PRIVILEGES;" +mysql -u root --password=$DB_ADMIN_PWD -e "GRANT ALL ON hirs_db.* TO 'hirs_db'@'localhost' REQUIRE X509;" +mysql -u root --password=$DB_ADMIN_PWD -e "FLUSH PRIVILEGES;" + +echo "Checking hirs_db user..." +# check user +mysql -u hirs_db --password=$HIRS_DB_PWD -e "SHOW DATABASES;"; \ No newline at end of file diff --git a/package/scripts/db/start_mysqld.sh b/package/scripts/db/start_mysqld.sh index 8e0a2731..3262ef02 100644 --- a/package/scripts/db/start_mysqld.sh +++ b/package/scripts/db/start_mysqld.sh 
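Review bot: The second prompt reads "Enter mysql root password" but stores into `hirs_db_password`, and on that path `HIRS_DB_PWD` is never assigned, so `ALTER USER 'hirs_db'@'localhost' IDENTIFIED BY ''` would set an empty password; change it to `read -s -p "Enter hirs_db password: " HIRS_DB_PWD`. `CREATE USER 'hirs_db'@'localhost' IDENTIFIED BY 'hirs_db'` first creates the account with a fixed, guessable password and only then alters it — create it with `"$HIRS_DB_PWD"` directly and drop the ALTER. `echo "HIRS_DB_PWD is $HIRS_DB_PWD"` and `echo "DB_ADMIN_PWD is $DB_ADMIN_PWD"` print both secrets to the terminal and should go. The script also has no root check while `aca_remove_setup.sh` and `db_drop.sh` do; `REQUIRE X509` on the grant is a good choice and worth a one-line comment explaining that the ACA must present the client certificate from pki_chain_gen.sh.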
@@ -24,6 +24,16 @@ check_for_container () { echo "Mysql script directory is $MYSQL_DIR" } +check_mariadb_install () { + type mysql >/dev/null 2>&1 && installed=true || installed=false + if [ $installed = true ]; then + echo "mysql has been installed" + else + echo "mysql has NOT been installed, aborting install" + exit 1; + fi +} + start_mysqlsd () { # Check if mysql is already running, if not initialize if [[ $(pgrep -c -u mysql mysqld) -eq 0 ]]; then @@ -40,12 +50,14 @@ start_mysqlsd () { echo "Starting mysql...." chown -R mysql:mysql /var/log/mariadb /usr/bin/mysqld_safe & - else + else #not a container SQL_SERVICE="mariadb" - systemctl $SQL_SERVICE enable - systemctl $SQL_SERVICE start + systemctl enable $SQL_SERVICE + systemctl start $SQL_SERVICE fi - fi # mysql not running + else # mysql running + echo "mysql process running.." + fi # Wait for mysql to start before continuing. echo "Checking mysqld status..."| tee -a "$LOG_FILE" @@ -54,4 +66,5 @@ start_mysqlsd () { done echo "mysqld is running."| tee -a "$LOG_FILE" -} \ No newline at end of file +} + diff --git a/package/scripts/pki/pki_chain_gen.sh b/package/scripts/pki/pki_chain_gen.sh index 386f38be..40ab3708 100644 --- a/package/scripts/pki/pki_chain_gen.sh +++ b/package/scripts/pki/pki_chain_gen.sh 
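Review bot: `check_mariadb_install` tests `type mysql`, i.e. the client binary, while `start_mysqlsd` goes on to launch `mysqld_safe` or the `mariadb` service; a host with only the client package passes the check and then fails at start. Test the server instead, e.g. `type mysqld_safe >/dev/null 2>&1 || type mariadbd >/dev/null 2>&1`. Because this file is `source`d by the setup scripts, the `exit 1` terminates the caller rather than just the function, which is presumably intended for the installer but worth a comment since `aca_bootRun.sh` sources it too.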
@@ -172,7 +172,7 @@ create_cert () { # remove csr file rm -f "$CERT_PATH".csr # Add the cert and key to the key store. make a p12 file to import into te keystore - openssl pkcs12 -export -in "$CERT_PATH".pem -inkey "$CERT_PATH".key -out tmpkey.p12 -passin pass:"$PASS" -aes256 -passout pass:$PASS >> "$LOG_FILE" 2>&1 + openssl pkcs12 -export -in "$CERT_PATH".pem -inkey "$CERT_PATH".key -out tmpkey.p12 -passin pass:$PASS -aes256 -passout pass:$PASS >> "$LOG_FILE" 2>&1 # Use the p12 file to import into a java keystore via keytool keytool -importkeystore -srckeystore tmpkey.p12 -destkeystore $KEYSTORE -srcstoretype pkcs12 -srcstorepass $PASS -deststoretype jks -deststorepass $PASS -noprompt -alias 1 -destalias -J-Dcom.redhat.fips=false "$ALIAS" >> "$LOG_FILE" 2>&1 # Import the cert into a java trust store via keytool 
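Review bot: Removing the quotes in `-passin pass:"$PASS"` is a regression rather than a cleanup: an unquoted `$PASS` is word-split and glob-expanded, so a passphrase containing a space or `*` breaks the export. The surrounding `-passout pass:$PASS` and the `keytool … -srcstorepass $PASS -deststorepass $PASS` context line have the same exposure, so quote them all, `-passin pass:"$PASS" -passout pass:"$PASS"`. The `-J-Dcom.redhat.fips=false` switch on the keytool line disables FIPS mode for that invocation and deserves a short comment stating why (presumably JKS export is refused under FIPS). The enclosing `create_cert` function starts outside this hunk.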
@@ -212,20 +212,16 @@ create_cert_chain () { # Create Cert trust store by adding the Intermediate and root certs cat "$PKI_CA1.pem" "$PKI_CA2.pem" "$PKI_CA3.pem" "$PKI_INT.pem" "$PKI_ROOT.pem" > "$TRUST_STORE_FILE" - # echo "Checking signer cert using tust store..." + # echo "Checking signer cert using tust store..." openssl verify -CAfile "$TRUST_STORE_FILE" $RIM_SIGNER.pem | tee -a "$LOG_FILE" - + # Make JKS files for the mysql DB connector. P12 first then JKS... openssl pkcs12 -export -in $DB_CLIENT.pem -inkey $DB_CLIENT.key -aes256 \ - -passin pass:"$PASS"-passout pass:$PASS -aes256 \ - -name "mysqlclientkey" -out $DB_CLIENT.p12 + -passin pass:$PASS -passout pass:$PASS -aes256 \ + -name "mysqlclientkey" -out $DB_CLIENT.p12 >> "$LOG_FILE" 2>&1 keytool -importkeystore -srckeystore $DB_CLIENT.p12 -srcstoretype PKCS12 \ - -srcstorepass $PASS -destkeystore $DB_CLIENT.jks -deststoretype JKS -deststorepass $PASS - - # Make a p12 TrustStore - keytool -importkeystore -srckeystore $TRUSTSTORE -destkeystore $TRUSTSTORE_P12 \ - -srcstoretype JKS -deststoretype PKCS12 -srcstorepass $pass -deststorepass $pass -noprompt + -srcstorepass $PASS -destkeystore $DB_CLIENT.jks -deststoretype JKS -deststorepass $PASS >> "$LOG_FILE" 2>&1 } if [ "$ASYM_ALG" == "rsa" ]; then diff --git a/package/scripts/pki/pki_setup.sh b/package/scripts/pki/pki_setup.sh index 33b67b75..e71be65f 100644 --- a/package/scripts/pki/pki_setup.sh +++ b/package/scripts/pki/pki_setup.sh @@ -6,7 +6,7 @@ # ############################################################################################ -PROP_FILE=/etc/hirs/aca/application.properties +#PROP_FILE=/etc/hirs/aca/application.properties ACA_PROP=/etc/hirs/aca/aca.properties LOG_FILE=$1 PKI_PASS=$2 
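Review bot: Redirecting the `openssl pkcs12 -export` and `keytool -importkeystore` calls into `$LOG_FILE` without checking their exit status means a failed DB client keystore build is silent until the ACA cannot open the PKCS12 at startup. Append a guard to each, e.g. `|| { echo "DB client keystore creation failed" | tee -a "$LOG_FILE"; exit 1; }`. The same command still puts `$PASS` on argv twice; `-passin env:PASS -passout env:PASS` with `export PASS` keeps it out of `ps`. The enclosing `create_cert_chain` function starts outside this hunk.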
@@ -39,10 +39,10 @@ fi if [ ! -d "/etc/hirs/certificates" ]; then if [ -d "/opt/hirs/scripts/pki" ]; then - PKI_SETUP_DIR="/opt/hirs/scripts/pki" - else - PKI_SETUP_DIR="$SCRIPT_DIR" - fi + PKI_SETUP_DIR="/opt/hirs/scripts/pki" + else + PKI_SETUP_DIR="$SCRIPT_DIR" + fi echo "PKI_SETUP_DIR is $PKI_SETUP_DIR" | tee -a "$LOG_FILE" mkdir -p /etc/hirs/certificates/ | tee -a "$LOG_FILE" 
@@ -54,17 +54,17 @@ if [ ! -d "/etc/hirs/certificates" ]; then popd &> /dev/null # Add tomcat TLS support to the application.properties file - echo "# Tomcat TLS support">> $PROP_FILE - echo "server.port=8443">> $PROP_FILE - echo "server.ssl.enabled=true">> $PROP_FILE - echo "server.ssl.trust-store-type=JKS">> $PROP_FILE - echo "server.ssl.trust-store=/etc/hirs/certificates/HIRS/TrustStore.jks">> $PROP_FILE - echo "server.ssl.trust-alias=hirs_aca_tls_rsa_3k_sha384">> $PROP_FILE - echo "server.ssl.key-store-type=JKS">> $PROP_FILE - echo "server.ssl.key-store=/etc/hirs/certificates/HIRS/KeyStore.jks">> $PROP_FILE - echo "server.ssl.key-alias=hirs_aca_tls_rsa_3k_sha384">> $PROP_FILE - echo "server.ssl.key-store-password="$PKI_PASS >> $PROP_FILE - echo "server.ssl.trust-store-password="$PKI_PASS >> $PROP_FILE + #echo "# Tomcat TLS support">> $PROP_FILE + #echo "server.port=8443">> $PROP_FILE + #echo "server.ssl.enabled=true">> $PROP_FILE + #echo "server.ssl.trust-store-type=JKS">> $PROP_FILE + #echo "server.ssl.trust-store=/etc/hirs/certificates/HIRS/TrustStore.jks">> $PROP_FILE + #echo "server.ssl.trust-alias=hirs_aca_tls_rsa_3k_sha384">> $PROP_FILE + #echo "server.ssl.key-store-type=JKS">> $PROP_FILE + #echo "server.ssl.key-store=/etc/hirs/certificates/HIRS/KeyStore.jks">> $PROP_FILE + #echo "server.ssl.key-alias=hirs_aca_tls_rsa_3k_sha384">> $PROP_FILE + #echo "server.ssl.key-store-password="$PKI_PASS >> $PROP_FILE + #echo "server.ssl.trust-store-password="$PKI_PASS >> $PROP_FILE echo "hirs_pki_password="$PKI_PASS >> $ACA_PROP else echo "/etc/hirs/certificates exists, skipping" | tee -a "$LOG_FILE" From da3efcb7fa1a130b78a0106b0893fd8467c2a325 Mon Sep 17 00:00:00 2001 
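Review bot: Eleven `echo … >> $PROP_FILE` lines are commented out rather than deleted, and `PROP_FILE` itself is commented out in the companion hunk, so this block is dead text that will drift from whatever now configures Tomcat TLS; delete it and let git history carry it. If the settings were moved to the packaged `application.properties`, a one-line comment saying so, `# Tomcat TLS settings now live in application.properties; only the PKI password is recorded here`, would tell the next reader where to look. The enclosing `if [ ! -d "/etc/hirs/certificates" ]` block starts outside this hunk.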
From: iadgovuser26 Date: Mon, 28 Aug 2023 20:18:08 +0000 Subject: [PATCH 04/10] added an aca_check_setup.sh script --- package/scripts/aca/aca_bootRun.sh | 0 package/scripts/aca/aca_check_setup.sh | 165 +++++++++++++++++------ package/scripts/aca/aca_remove_setup.sh | 4 + package/scripts/aca/aca_setup.sh | 2 +- package/scripts/db/db_create.sh | 15 ++- package/scripts/db/db_drop.sh | 17 ++- package/scripts/db/db_drop.sql | 2 +- package/scripts/db/reset_hirs_db_user.sh | 23 +++- 8 files changed, 171 insertions(+), 57 deletions(-) mode change 100644 => 100755 package/scripts/aca/aca_bootRun.sh mode change 100644 => 100755 package/scripts/aca/aca_check_setup.sh diff --git a/package/scripts/aca/aca_bootRun.sh b/package/scripts/aca/aca_bootRun.sh old mode 100644 new mode 100755 diff --git a/package/scripts/aca/aca_check_setup.sh b/package/scripts/aca/aca_check_setup.sh old mode 100644 new mode 100755 index 1b10997f..158415ec --- a/package/scripts/aca/aca_check_setup.sh +++ b/package/scripts/aca/aca_check_setup.sh @@ -36,6 +36,7 @@ ECC_WEB_TLS_CERT="HIRS_aca_tls_ecc_512_sha384.pem" DB_SRV_CONF="/etc/my.cnf.d/mariadb-server.cnf" DB_CLIENT_CONF="/etc/my.cnf.d/client.cnf" ALL_CHECKS_PASSED=true +ALL_CERTS_PASSED=true # Check for Admin privileges if [ "$EUID" -ne 0 ]; then @@ -48,6 +49,27 @@ if [ ! -d $CERT_PATH ]; then exit 1; fi +# Argument handling + +while [[ $# -gt 0 ]]; do + case $1 in + -v|--verbose) + ARG_VERBOSE=YES + echo "verbose parameters" + shift # past argument + ;; + -*|--*) + echo "Unknown option $1" + exit 1 + ;; + *) + echo "Unknown argument $1" + exit 1 + shift # past argument + ;; + esac +done + source /etc/hirs/aca/aca.properties; check_pwds () { @@ -73,6 +95,7 @@ echo "Checking if ACA passwords are in aca.properties" ALL_CHECKS_PASSED=false fi } + check_mysql () { echo "Checking mysqld status..." if [[ $(pgrep -c -u mysql mysqld) -ne 0 ]]; then 
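Review bot: In the argument loop the `*)` branch has `shift` after `exit 1`, so the shift is unreachable; drop it. `-*|--*)` is redundant because `-*` already matches every `--` option, and `echo "verbose parameters"` reads like a leftover debug print — `ARG_VERBOSE=YES` alone is enough. Since both unknown-option branches exit, printing a one-line usage there (`echo "usage: $0 [-v|--verbose]"`) would make the failure self-explanatory.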
@@ -81,7 +104,7 @@ check_mysql () { echo " mysqld process does NOT exist, attempting to restart mysql..." /usr/bin/mysqld_safe & fi - + # Wait for mysql to start before continuing. while ! mysqladmin ping -h "$localhost" --silent; do @@ -89,29 +112,46 @@ check_mysql () { done echo " mysqld is running." - + # Check DB server/client TLS setup. if [[ $(cat "$DB_SRV_CONF" | grep -c "ssl") < 1 ]]; then - echo " Mysql server is NOT configured for Server Side TLS" + echo " Mysql server ($DB_SRV_CONF) is NOT configured for Server Side TLS" ALL_CHECKS_PASSED=false else - echo " Mysql server is configured for Server Side TLS" + echo " Mysql server ($DB_SRV_CONF) is configured for Server Side TLS" fi if [[ $(cat "$DB_CLIENT_CONF" | grep -c "ssl") < 1 ]]; then - echo " Mysql client is NOT configured for command line use of TLS without provding key/cert ino the commandline" + echo " Mysql client ($DB_CLIENT_CONF)is NOT configured for command line use of TLS without provding key/cert ino the commandline" ALL_CHECKS_PASSED=false else - echo " Mysql client is configured for command line use of TLS" + echo " Mysql client ($DB_CLIENT_CONF) is configured for command line use of TLS" fi if [ ! -z $mysql_admin_password ]; then + if [ ! -z "${ARG_VERBOSE}" ]; then + echo "Mysql status:" + mysql -u root --password=$mysql_admin_password -e "STATUS;" echo "Listing mysql users:" mysql -u root --password=$mysql_admin_password -e "Select user from mysql.user;" echo "Listing all databses:" mysql -u root --password=$mysql_admin_password -e "show databases;" + fi fi } +check_cert () { +TRUST_STORE=$1 +CERT=$2 +RESULT=$(openssl verify -CAfile "$TRUST_STORE" $CERT) +if [ $? -ne 0 ]; then + ALL_CHECKS_PASSED=false + ALL_CERTS_PASSED=false +fi +if [ ! -z "${ARG_VERBOSE}" ]; then + echo " "$RESULT +fi +} + check_pki () { echo "Checking HIRS PKI certificates" if [ ! -d "/etc/hirs/certificates" ]; then 
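Review bot: The TLS configuration checks use `grep -c "ssl"` against `$DB_SRV_CONF` and `$DB_CLIENT_CONF`, which counts commented-out lines such as `#ssl_cert=` as well as unrelated words, so a disabled TLS stanza reports as configured; anchor the match, `grep -c '^[[:space:]]*ssl' "$DB_SRV_CONF"`. `[[ … < 1 ]]` is a string comparison inside `[[ ]]` and only works here because the count is a single digit; `-lt 1` is the intended test. The verbose branch still passes `--password=$mysql_admin_password` on the command line, and `check_cert` leaves `$CERT` unquoted. The `check_pki` function that begins at the end of this hunk continues outside it.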
@@ -119,55 +159,61 @@ check_pki () { Skipping PKI Checks." fi - pushd $CERT_PATH$RSA_PATH - echo " Checking HIRS RSA certs using trust store..." - echo " "$(openssl verify -CAfile "$RSA_TRUST_STORE" $RSA_HIRS_ROOT) - echo " "$(openssl verify -CAfile "$RSA_TRUST_STORE" $RSA_HIRS_INTERMEDIATE) - echo " "$(openssl verify -CAfile "$RSA_TRUST_STORE" $RSA_HIRS_CA1) - echo " "$(openssl verify -CAfile "$RSA_TRUST_STORE" $RSA_HIRS_CA2) - echo " "$(openssl verify -CAfile "$RSA_TRUST_STORE" $RSA_HIRS_CA3) - echo " "$(openssl verify -CAfile "$RSA_TRUST_STORE" $RSA_RIM_SIGNER) - echo " "$(openssl verify -CAfile "$RSA_TRUST_STORE" $RSA_DN_SRV_CERT) - echo " "$(openssl verify -CAfile "$RSA_TRUST_STORE" $RSA_DB_CLIENT_CERT) - echo " "$(openssl verify -CAfile "$RSA_TRUST_STORE" $RSA_WEB_TLS_CERT) + pushd $CERT_PATH$RSA_PATH > /dev/null + check_cert $RSA_TRUST_STORE $RSA_HIRS_ROOT + check_cert $RSA_TRUST_STORE $RSA_HIRS_INTERMEDIATE + check_cert $RSA_TRUST_STORE $RSA_HIRS_CA1 + check_cert $RSA_TRUST_STORE $RSA_HIRS_CA2 + check_cert $RSA_TRUST_STORE $RSA_HIRS_CA3 + check_cert $RSA_TRUST_STORE $RSA_RIM_SIGNER + check_cert $RSA_TRUST_STORE $RSA_DN_SRV_CERT + check_cert $RSA_TRUST_STORE $RSA_DB_CLIENT_CERT + check_cert $RSA_TRUST_STORE $RSA_WEB_TLS_CERT + popd > /dev/null - pushd $CERT_PATH$ECC_PATH - echo " Checking HIRS ECC certs using tust store..." 
- echo " "$(openssl verify -CAfile "$ECC_TRUST_STORE" $ECC_HIRS_ROOT) - echo " "$(openssl verify -CAfile "$ECC_TRUST_STORE" $ECC_HIRS_INTERMEDIATE) - echo " "$(openssl verify -CAfile "$ECC_TRUST_STORE" $ECC_HIRS_CA1) - echo " "$(openssl verify -CAfile "$ECC_TRUST_STORE" $ECC_HIRS_CA2) - echo " "$(openssl verify -CAfile "$ECC_TRUST_STORE" $ECC_HIRS_CA3) - echo " "$(openssl verify -CAfile "$ECC_TRUST_STORE" $ECC_RIM_SIGNER) - echo " "$(openssl verify -CAfile "$ECC_TRUST_STORE" $ECC_DN_SRV_CERT) - echo " "$(openssl verify -CAfile "$ECC_TRUST_STORE" $ECC_DB_CLIENT_CERT) - echo " "$(openssl verify -CAfile "$ECC_TRUST_STORE" $ECC_WEB_TLS_CERT) + pushd $CERT_PATH$ECC_PATH > /dev/null + check_cert $ECC_TRUST_STORE $ECC_HIRS_ROOT + check_cert $ECC_TRUST_STORE $ECC_HIRS_INTERMEDIATE + check_cert $ECC_TRUST_STORE $ECC_HIRS_CA1 + check_cert $ECC_TRUST_STORE $ECC_HIRS_CA2 + check_cert $ECC_TRUST_STORE $ECC_HIRS_CA3 + check_cert $ECC_TRUST_STORE $ECC_RIM_SIGNER + check_cert $ECC_TRUST_STORE $ECC_DN_SRV_CERT + check_cert $ECC_TRUST_STORE $ECC_DB_CLIENT_CERT + check_cert $ECC_TRUST_STORE $ECC_WEB_TLS_CERT popd > /dev/null - echo " Checking KeyStore, Keystore aliases, and pki password" - echo " Keystore alias list:" - keytool -list -keystore /etc/hirs/certificates/HIRS/TrustStore.jks -storepass $hirs_pki_password | grep hirs | sed -e 's/^/ /' + if [ -z "${ARG_VERBOSE}" ]; then + if [ $ALL_CERTS_PASSED == true ]; then + echo " All RSA and ECC certificates under $CERT_PATH are valid" + else + echo " There were error in the certificates under $CERT_PATH" + fi + keytool -list -keystore /etc/hirs/certificates/HIRS/TrustStore.jks -storepass $hirs_pki_password | grep hirs | sed -e 's/^/ /' > /dev/null + else #verbose + echo " Checking KeyStore, Keystore aliases, and pki password" + echo " Keystore alias list:" + keytool -list -keystore /etc/hirs/certificates/HIRS/TrustStore.jks -storepass $hirs_pki_password | grep hirs | sed -e 's/^/ /' + fi + if [ $? 
-eq 0 ]; then - echo " HIRS pki password is correct" + echo " JKS Trust Store File (/etc/hirs/certificates/HIRS/TrustStore.jks) is correct: HIRS pki password is correct" else - echo " HIRS pki password is NOT correct" + echo " Error with JKS Trust Store: HIRS pki password is NOT correct" ALL_CHECKS_PASSED=false fi } check_db () { - echo "Check DB server SSL config..." - RESULT=$(mysql -u hirs_db --password=$hirs_db_password -e "SHOW VARIABLES LIKE '%have_ssl%'" | grep -o YES ) + echo "Check DB server TLS config..." + RESULT=$(mysql -u root --password=$mysql_admin_password -e "SHOW VARIABLES LIKE '%have_ssl%'" | grep -o YES ) if [ "$RESULT" == "YES" ]; then - echo " Mysql is configured for Server side TLS:" + echo " Mysql Server side TLS is enabled:" else - echo " Mysql is NOT configured for Server side TLS:" + echo " Mysql Sever side TLS is NOT enabled:" ALL_CHECKS_PASSED=false fi - mysql -u hirs_db --password=$hirs_db_password -e "SHOW VARIABLES LIKE '%have_ssl%'" - echo " Show hirs_db user config" - mysql -u hirs_db --password=$hirs_db_password -e "SHOW CREATE USER 'hirs_db'@'localhost';" - echo " Show databases accessable to the hirs_db user:" + RESULT=$(mysqlshow --user=hirs_db --password=$hirs_db_password hirs_db| grep -o hirs_db) if [ "$RESULT" == "hirs_db" ]; then echo " The hirs_db database is visable by the hirs_db user" 
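Review bot: The `if [ $? -eq 0 ]` that prints "HIRS pki password is correct" tests the status of the `if`/`else` compound just above it, which is the status of the last command in whichever branch ran, and in both branches that is the trailing `sed` of the `keytool | grep | sed` pipeline; without `pipefail` a wrong `hirs_pki_password` therefore still reports success (this was already true before the change, and the restructuring keeps it). Capture keytool's status before filtering: `KS_LIST=$(keytool -list -keystore /etc/hirs/certificates/HIRS/TrustStore.jks -storepass "$hirs_pki_password" 2>&1); KS_RC=$?`, then `[ -n "${ARG_VERBOSE}" ] && echo "$KS_LIST" | grep hirs | sed -e 's/^/ /'`, and `if [ $KS_RC -eq 0 ]; then`. In `check_db` the `have_ssl` query was switched from the hirs_db user to root, so the check now silently depends on `mysql_admin_password` having been saved to aca.properties; when it was not, the query fails and the script reports "TLS is NOT enabled" rather than the real cause, so test `[ -n "$mysql_admin_password" ]` first and say so.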
@@ -175,15 +221,46 @@ check_db () { echo " The hirs_db database is NOT visable by the hirs_db user" ALL_CHECKS_PASSED=false fi - mysql -u hirs_db --password=$hirs_db_password -e "SHOW DATABASES;"; - echo "Showing privileges for the hirs_db user" - mysql -u hirs_db --password=$hirs_db_password -e "SHOW GRANTS FOR 'hirs_db'@'localhost'" + if [ ! -z "${ARG_VERBOSE}" ]; then + echo " Show hirs_db user config using hirs_db password" + mysql -u hirs_db --password=$hirs_db_password -e "SHOW CREATE USER 'hirs_db'@'localhost';" \ + --ssl-ca=/etc/hirs/certificates/HIRS/rsa_3k_sha384_certs/HIRS_rsa_3k_sha384_Cert_Chain.pem \ + --ssl-cert=/etc/hirs/certificates/HIRS/rsa_3k_sha384_certs/HIRS_db_client_rsa_3k_sha384.pem \ + --ssl-key=/etc/hirs/certificates/HIRS/rsa_3k_sha384_certs/HIRS_db_client_rsa_3k_sha384.key + echo "Mysql TLS configuration" + mysql -u root --password=$mysql_admin_password -e "SHOW VARIABLES LIKE '%ssl%'" + echo "hirs_db user database access:" + mysql -u hirs_db --password=$hirs_db_password -e "SHOW DATABASES;"; + echo "Privileges for the hirs_db user:" + mysql -u hirs_db --password=$hirs_db_password -e "SHOW GRANTS FOR 'hirs_db'@'localhost'" + fi + +} + +# Check selinux status and files that require specific contexts +check_selinux () { + SELINUXSTATUS=$(getenforce) + DB_SRV_CONTEXT=$(ls -Z $DB_SRV_CONF) + DB_CLIENT_CONTEXT=$(ls -Z $DB_CLIENT_CONF) + + if [[ "$SELINUXSTATUS" == *"Enforcing"* ]]; then + if [[ "$DB_SRV_CONTEXT" == *"mysqld_etc_t"* && "$DB_CLIENT_CONTEXT" == *"mysqld_etc_t"* ]]; then + echo "Selinux status is $SELINUXSTATUS and both $DB_SRV_CONF and $DB_SRV_CONF contexts are correct" + elif [[ "$DB_CLIENT_CONTEXT" == *"mysqld_etc_t"* ]]; then + echo "Selinux status is $SELINUXSTATUS and $DB_SRV_CONF context is incorrect: $DB_SRV_CONTEXT" + ALL_CHECKS_PASSED=false + else + echo "Selinux status is $SELINUXSTATUS and $DB_CLIENT_CONF context is incorrect: $DB_CLIENT_CONTEXT" + ALL_CHECKS_PASSED=false + fi + fi } check_pwds check_pki check_mysql 
check_db +check_selinux if [ $ALL_CHECKS_PASSED = true ]; then echo "ACA setup checks passed!" diff --git a/package/scripts/aca/aca_remove_setup.sh b/package/scripts/aca/aca_remove_setup.sh index e02b6e73..dfe800a9 100644 --- a/package/scripts/aca/aca_remove_setup.sh +++ b/package/scripts/aca/aca_remove_setup.sh @@ -14,6 +14,10 @@ if [ "$EUID" -ne 0 ]; then echo "This script requires root. ACA setup not removed. Please run as root." exit 1 fi +if [ ! -f /etc/hirs/aca/aca.properties ]; then + echo "aca.properties does not exist, aborting." + exit 1 +fi # remove the hrs-db and hirs_db user pushd $SCRIPT_DIR/../db/ diff --git a/package/scripts/aca/aca_setup.sh b/package/scripts/aca/aca_setup.sh index f1d36dec..13275848 100644 --- a/package/scripts/aca/aca_setup.sh +++ b/package/scripts/aca/aca_setup.sh @@ -22,7 +22,7 @@ fi mkdir -p $HIRS_CONF_DIR $LOG_DIR $HIRS_PROP_DIR # Process parameters -# Argument handling https://stackoverflow.com/questions/192249/how-do-i-parse-command-line-arguments-in-bash +# Argument handling POSITIONAL_ARGS=() while [[ $# -gt 0 ]]; do diff --git a/package/scripts/db/db_create.sh b/package/scripts/db/db_create.sh index 9e477d2d..06bd648c 100644 --- a/package/scripts/db/db_create.sh +++ b/package/scripts/db/db_create.sh @@ -79,7 +79,10 @@ set_mysql_server_tls () { echo "ssl_cert=$SSL_DB_SRV_CERT" >> "$DB_SRV_CONF" echo "ssl_key=$SSL_DB_SRV_KEY" >> "$DB_SRV_CONF" # Make sure mysql can access them - chown mysql $SSL_DB_SRV_CHAIN $SSL_DB_SRV_CERT $SSL_DB_SRV_KEY + chown mysql:mysql $SSL_DB_SRV_CHAIN $SSL_DB_SRV_CERT $SSL_DB_SRV_KEY + # Make selinux contexts for configu file + semanage fcontext -a -t mysqld_etc_t $DB_SRV_CONF > /dev/null #adds the context type to file + restorecon -v -F $DB_SRV_CONF # changes the file's context type else echo "mysql.cnf contians existing entry for ssl, skipping..." | tee -a "$LOG_FILE" fi 
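Review bot: `check_selinux` calls `getenforce` and `ls -Z` unconditionally, so on a host without the SELinux userland the function emits "command not found" errors instead of skipping; guard it with `command -v getenforce >/dev/null 2>&1 || { echo " SELinux tooling not present, skipping"; return; }`. When both config files have the wrong context only the client file is reported, because the `elif` examines only `$DB_CLIENT_CONTEXT`; testing each file independently would report both. The verbose `SHOW CREATE USER` call hardcodes the rsa_3k_sha384 client cert and key paths, so it will not exercise an ECC-based install — presumably the algorithm is selectable elsewhere (aca_bootRun.sh has an `$ALG` switch), worth confirming and parameterizing.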
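Review bot: `semanage fcontext -a -t mysqld_etc_t $DB_SRV_CONF` runs unconditionally, which fails on a host without SELinux and also fails with "already defined" on a re-run once the rule exists; use `if selinuxenabled 2>/dev/null; then semanage fcontext -a -t mysqld_etc_t "$DB_SRV_CONF" 2>/dev/null || semanage fcontext -m -t mysqld_etc_t "$DB_SRV_CONF"; restorecon -F "$DB_SRV_CONF"; fi`. The `chown mysql:mysql` on `$SSL_DB_SRV_KEY` is not paired with a `chmod`, so the server private key keeps whatever mode pki_chain_gen.sh created it with — confirm that script makes it unreadable by others, or add `chmod 600 "$SSL_DB_SRV_KEY"` here. The typo "configu file" in the new comment should read "config file".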
@@ -92,7 +95,10 @@ if [[ $(cat "$DB_CLIENT_CONF" | grep -c "ssl") < 1 ]]; then echo "ssl_ca=$SSL_DB_CLIENT_CHAIN" >> $DB_CLIENT_CONF echo "ssl_cert=$SSL_DB_CLIENT_CERT" >> $DB_CLIENT_CONF echo "ssl_key=$SSL_DB_CLIENT_KEY" >> $DB_CLIENT_CONF - chown mysql $SSL_DB_CLIENT_CHAIN $SSL_DB_CLIENT_CERT $SSL_DB_CLIENT_KEY + chown mysql:mysql $SSL_DB_CLIENT_CHAIN $SSL_DB_CLIENT_CERT $SSL_DB_CLIENT_KEY + # Make selinux contexts for configu file + semanage fcontext -a -t mysqld_etc_t $DB_CLIENT_CONFf > /dev/null #adds the context type to file + restorecon -F $DB_CLIENT_CONF #changes the file's context type fi } @@ -137,3 +143,8 @@ start_mysqlsd check_mysql_root_pwd set_hirs_db_pwd create_hirs_db_with_tls +# reboot mysql server +mysql -u root --password=$DB_ADMIN_PWD -e "SHUTDOWN" +sleep 2 +check_for_container +start_mysqlsd diff --git a/package/scripts/db/db_drop.sh b/package/scripts/db/db_drop.sh index 1979b4eb..b4537fea 100644 --- a/package/scripts/db/db_drop.sh +++ b/package/scripts/db/db_drop.sh @@ -29,10 +29,13 @@ fi echo "dropping hirs_db database" if pgrep mysqld >/dev/null 2>&1; then - mysql -u "root" --password=$DB_ADMIN_PWD < $MYSQL_DIR/db_drop.sql - echo "hirs_db databse and hirs_db user removed" + # mysql -u "root" --password=$DB_ADMIN_PWD < $MYSQL_DIR/db_drop.sql + mysql -u root --password=$DB_ADMIN_PWD -e "FLUSH HOSTS; FLUSH LOGS; FLUSH STATUS; FLUSH PRIVILEGES; FLUSH USER_RESOURCES" + mysql -u root --password=$DB_ADMIN_PWD -e "DROP USER 'hirs_db'@'localhost';" + mysql -u root --password=$DB_ADMIN_PWD -e "DROP DATABASE IF EXISTS hirs_db;" + echo "hirs_db database and hirs_db user removed" else - echo "mysql is not running. DB was not removed." + echo "mysql is not running. DB was not removed." fi # reset the mysql root if the password was left in the properties fiel 
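Review bot: `semanage fcontext -a -t mysqld_etc_t $DB_CLIENT_CONFf` references `DB_CLIENT_CONFf` (trailing `f`), an unset variable, so semanage is invoked with an empty path and the client.cnf context rule is never created; the `restorecon -F $DB_CLIENT_CONF` that follows then has no rule to apply. Change it to `"$DB_CLIENT_CONF"` and, as with the server block, wrap both commands in `if selinuxenabled 2>/dev/null; then ... fi`. Because the mysql command-line client reads `ssl_key=` from this file as whichever user runs it, `chown mysql:mysql` on the client key means only the mysql user or root can use the CLI with TLS — if that is intended, a comment saying so would save the next reader a debugging session.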
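Review bot: The new restart sequence sleeps a fixed 2 seconds after `SHUTDOWN` and then calls `start_mysqlsd`; if shutdown takes longer, the start is attempted against a still-running server. Poll for the shutdown instead: `while mysqladmin ping --silent 2>/dev/null; do sleep 1; done`. The `--password=$DB_ADMIN_PWD` on the command line exposes the root password in the process list; `MYSQL_PWD="$DB_ADMIN_PWD" mysql -u root -e "SHUTDOWN"` avoids that.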
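Review bot: `DROP USER 'hirs_db'@'localhost';` has no `IF EXISTS`, so on a partially set up system the statement errors and the script still prints "hirs_db database and hirs_db user removed"; use `DROP USER IF EXISTS 'hirs_db'@'localhost';` and guard the success message with `$?`. The commented-out `mysql ... < $MYSQL_DIR/db_drop.sql` line can be removed now that the statements are inline, otherwise db_drop.sql and this script will drift.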
@@ -40,6 +43,7 @@ if [ ! -z $mysql_admin_password ]; then echo "Resetting mysql root password to empty" mysql -u root --password=$mysql_admin_password -e "SET PASSWORD FOR "root@localhost" = PASSWORD('');" echo "Current list of databases:" + mysql -u "root" -e "FLUSH LOGS;" mysql -u "root" -e "SHOW DATABASES;" echo "Current list of users:" mysql -u root -e "Select user from mysql.user;" @@ -54,7 +58,10 @@ grep -v "hirs" $SRV_CNF > tmpfile && mv tmpfile $SRV_CNF grep -v "hirs" $CLIENT_CNF > tmpfile && mv tmpfile $CLIENT_CNF echo "restarting mariadb" -pkill mysql -sleep 2; + +mysql -u root -e "SHUTDOWN" +sleep 2 check_for_container start_mysqlsd + +mysql -u root -e "SHOW VARIABLES LIKE '%ssl%'" diff --git a/package/scripts/db/db_drop.sql b/package/scripts/db/db_drop.sql index 4f0fbe18..6ff66ab5 100644 --- a/package/scripts/db/db_drop.sql +++ b/package/scripts/db/db_drop.sql @@ -1,2 +1,2 @@ -DROP SCHEMA IF EXISTS hirs_db; DROP USER "hirs_db"@"localhost"; +DROP DATABASE IF EXISTS hirs_db; \ No newline at end of file diff --git a/package/scripts/db/reset_hirs_db_user.sh b/package/scripts/db/reset_hirs_db_user.sh index 4d58a318..f1992c13 100644 --- a/package/scripts/db/reset_hirs_db_user.sh +++ b/package/scripts/db/reset_hirs_db_user.sh @@ -21,10 +21,11 @@ echo "DB_ADMIN_PWD is $DB_ADMIN_PWD" # check if hirs_db user exists RESULT="$(mysql -u root --password=$DB_ADMIN_PWD -sse "SELECT EXISTS(SELECT 1 FROM mysql.user WHERE user = 'hirs_db')")" - if [ "$RESULT" = 1 ]; then echo "hirs_db user found, dropping hirs-db user" - mysql -u root --password=$DB_ADMIN_PWD -e "DROP USER 'hirs_db'@'localhost'" + mysql -u root --password=$DB_ADMIN_PWD -e "SET PASSWORD FOR "hirs_db@localhost" = PASSWORD('');" + mysql -u root --password=$DB_ADMIN_PWD -e "DROP USER 'hirs_db'@'localhost';" + if [ $? -ne 0 ]; then echo "Removing the existing hirs_db user failed" else 
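Review bot: `mysql -u root -e "SHUTDOWN"` is run without a password, so it only works when the block above reset root's password to empty, which happens only if `mysql_admin_password` was present in aca.properties; otherwise the shutdown fails, `start_mysqlsd` runs against a live server, and the old `pkill mysql` fallback this replaces is gone. Use the password when it is known, and fall back to `mysqladmin shutdown` or the previous `pkill` only after a failed attempt, e.g. `mysql -u root ${mysql_admin_password:+--password=$mysql_admin_password} -e "SHUTDOWN" || pkill mysqld`. The trailing `SHOW VARIABLES LIKE '%ssl%'` looks like a debug print and will also fail if root still has a password.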
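Review bot: The added `SET PASSWORD FOR "hirs_db@localhost" = PASSWORD('');` immediately before `DROP USER` accomplishes nothing, and its inner double quotes are consumed by the shell so the SQL the server sees is `SET PASSWORD FOR hirs_db@localhost = PASSWORD('')`; drop the line. If the intent was to work around a locked or TLS-required account, `DROP USER` does not need the password to be cleared first.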
@@ -34,12 +35,26 @@ if [ "$RESULT" = 1 ]; then echo "no hirs_db user found, creating one..." fi +mysql -u root --password=$mysql_admin_password -e "Select user from mysql.user;" echo "Creating hirs_db user" +#mysql -u root --password=$DB_ADMIN_PWD < $SCRIPT_DIR/db_create.sql +#mysql -u root --password=$mysql_admin_password -e "FLUSH PRIVILEGES;" + mysql -u root --password=$DB_ADMIN_PWD -e "CREATE USER 'hirs_db'@'localhost' IDENTIFIED BY 'hirs_db';" -mysql -u root --password=$DB_ADMIN_PWD -e "ALTER USER 'hirs_db'@'localhost' IDENTIFIED BY '"$HIRS_DB_PWD"'; FLUSH PRIVILEGES;" +mysql -u root --password=$DB_ADMIN_PWD -e "ALTER USER 'hirs_db'@'localhost' IDENTIFIED BY '$HIRS_DB_PWD'; FLUSH PRIVILEGES;" mysql -u root --password=$DB_ADMIN_PWD -e "GRANT ALL ON hirs_db.* TO 'hirs_db'@'localhost' REQUIRE X509;" mysql -u root --password=$DB_ADMIN_PWD -e "FLUSH PRIVILEGES;" +mysql -u root --password=$mysql_admin_password -e "show databases;" + +mysql -u root --password=$mysql_admin_password -e "CHECK TABLE mysql.user;" + +mysql -u root --password=$mysql_admin_password -e "Select user from mysql.user;" +#mysql -u root --password=$mysql_admin_password -e "SHOW CREATE USER 'hirs_db'@'localhost';" +mysql -u root --password=$mysql_admin_password -e "SHOW GRANTS FOR 'hirs_db'@'localhost'" + + +echo "HIRS_DB_PWD is $HIRS_DB_PWD" echo "Checking hirs_db user..." # check user -mysql -u hirs_db --password=$HIRS_DB_PWD -e "SHOW DATABASES;"; \ No newline at end of file +mysql -u hirs_db --password=$HIRS_DB_PWD -e "SHOW DATABASES;"; From a054995470fecfb1a508b16ac81c5a2397b22ee3 Mon Sep 17 00:00:00 2001 
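Review bot: `echo "HIRS_DB_PWD is $HIRS_DB_PWD"` writes the database password to stdout (and to any install log capturing it); remove it. `CREATE USER 'hirs_db'@'localhost' IDENTIFIED BY 'hirs_db'` gives the account a publicly known password until the following `ALTER USER` runs — create it with `IDENTIFIED BY '$HIRS_DB_PWD'` directly and drop the ALTER. The new diagnostic queries use `$mysql_admin_password` while the rest of the file authenticates with `$DB_ADMIN_PWD`, so they all fail whenever the root password was typed at the prompt rather than read from aca.properties; use `$DB_ADMIN_PWD` throughout, and the commented-out lines should go.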
From: iadgovuser26 Date: Wed, 30 Aug 2023 13:19:43 -0400 Subject: [PATCH 05/10] fixed admin check on aca_bootRun.sh --- package/scripts/aca/aca_bootRun.sh | 12 +++++++----- package/scripts/aca/aca_remove_setup.sh | 0 package/scripts/aca/aca_setup.sh | 0 3 files changed, 7 insertions(+), 5 deletions(-) mode change 100644 => 100755 package/scripts/aca/aca_remove_setup.sh mode change 100644 => 100755 package/scripts/aca/aca_setup.sh diff --git a/package/scripts/aca/aca_bootRun.sh b/package/scripts/aca/aca_bootRun.sh index 8b8b0a59..666d9dac 100755 --- a/package/scripts/aca/aca_bootRun.sh +++ b/package/scripts/aca/aca_bootRun.sh @@ -15,6 +15,12 @@ SCRIPT_DIR=$( dirname -- "$( readlink -f -- "$0"; )"; ) LOG_FILE=/dev/null GRADLE_WRAPPER="./gradlew" +# Check for sudo or root user +if [ "$EUID" -ne 0 ] + then echo "This script requires root. Please run as root" + exit 1 +fi + source $SCRIPT_DIR/../db/start_mysqld.sh if [ $ALG = "RSA" ]; then @@ -32,11 +38,7 @@ fi check_for_container start_mysqlsd -# Check for sudo or root user -if [ "$EUID" -ne 0 ] - then echo "This script requires root. Please run as root" - exit 1 -fi + if [ ! -d "$CERT_PATH" ]; then echo "$CERT_PATH directory does not exist. Please run aca_setup.sh and try again." diff --git a/package/scripts/aca/aca_remove_setup.sh b/package/scripts/aca/aca_remove_setup.sh old mode 100644 new mode 100755 diff --git a/package/scripts/aca/aca_setup.sh b/package/scripts/aca/aca_setup.sh old mode 100644 new mode 100755 From f5ac517814b773213ac6e75af0de7d39e1a47c2d Mon Sep 17 00:00:00 2001 From: iadgovuser26 Date: Thu, 31 Aug 2023 09:27:58 -0400 Subject: [PATCH 06/10] Minor adjustment for RHEL OS with FIPS mode enabled --- package/scripts/db/db_create.sh | 26 ++++++++++++++++++++------ package/scripts/pki/pki_chain_gen.sh | 10 ++++++---- 2 files changed, 26 insertions(+), 10 deletions(-) diff --git a/package/scripts/db/db_create.sh b/package/scripts/db/db_create.sh index 06bd648c..8cfebc1c 100644 
--- a/package/scripts/db/db_create.sh +++ b/package/scripts/db/db_create.sh @@ -80,9 +80,12 @@ set_mysql_server_tls () { echo "ssl_key=$SSL_DB_SRV_KEY" >> "$DB_SRV_CONF" # Make sure mysql can access them chown mysql:mysql $SSL_DB_SRV_CHAIN $SSL_DB_SRV_CERT $SSL_DB_SRV_KEY - # Make selinux contexts for configu file - semanage fcontext -a -t mysqld_etc_t $DB_SRV_CONF > /dev/null #adds the context type to file - restorecon -v -F $DB_SRV_CONF # changes the file's context type + # Make selinux contexts for config files, if selinux is enabled + selinuxenabled + if [ $? -eq 0 ] + semanage fcontext -a -t mysqld_etc_t $DB_SRV_CONF > /dev/null #adds the context type to file + restorecon -v -F $DB_SRV_CONF # changes the file's context type + fi else echo "mysql.cnf contians existing entry for ssl, skipping..." | tee -a "$LOG_FILE" fi @@ -96,9 +99,12 @@ if [[ $(cat "$DB_CLIENT_CONF" | grep -c "ssl") < 1 ]]; then echo "ssl_cert=$SSL_DB_CLIENT_CERT" >> $DB_CLIENT_CONF echo "ssl_key=$SSL_DB_CLIENT_KEY" >> $DB_CLIENT_CONF chown mysql:mysql $SSL_DB_CLIENT_CHAIN $SSL_DB_CLIENT_CERT $SSL_DB_CLIENT_KEY - # Make selinux contexts for configu file - semanage fcontext -a -t mysqld_etc_t $DB_CLIENT_CONFf > /dev/null #adds the context type to file - restorecon -F $DB_CLIENT_CONF #changes the file's context type + # Make selinux contexts for config files, if selinux is enabled + selinuxenabled + if [ $? -eq 0 ] + semanage fcontext -a -t mysqld_etc_t $DB_CLIENT_CONFf > /dev/null #adds the context type to file + restorecon -F $DB_CLIENT_CONF #changes the file's context type + fi fi } @@ -134,6 +140,14 @@ create_hirs_db_with_tls () { fi } +set_selinux_context () { + + + + +} + + # HIRS ACA Mysqld processing ... check_mariadb_install check_for_container diff --git a/package/scripts/pki/pki_chain_gen.sh b/package/scripts/pki/pki_chain_gen.sh index 40ab3708..9adbc358 100644 --- a/package/scripts/pki/pki_chain_gen.sh +++ b/package/scripts/pki/pki_chain_gen.sh 
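Review bot: `if [ $? -eq 0 ]` is missing `; then`, so this block is a bash syntax error and db_create.sh will not run at all until it is fixed; the idiomatic form also avoids the separate `selinuxenabled` line and the `$?` round-trip: `if selinuxenabled 2>/dev/null; then`. The `2>/dev/null` matters on hosts where the libselinux-utils package is absent, since `selinuxenabled` is then "command not found" rather than a clean non-zero exit.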
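Review bot: This hunk has the same missing `; then` after `if [ $? -eq 0 ]` as the server block, and it still passes `$DB_CLIENT_CONFf` (trailing `f`, unset) to `semanage`, so even once the syntax is fixed no context rule is registered for client.cnf; change the semanage argument to `"$DB_CLIENT_CONF"`. Write it as `if selinuxenabled 2>/dev/null; then` to match the server block.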
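Review bot: `set_selinux_context () { }` has an empty body, which bash rejects as a syntax error (a function body must contain at least one command), so this stub breaks the whole script even though it is never called. Either delete it or give it a `:` placeholder until it is implemented.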
@@ -216,8 +216,9 @@ create_cert_chain () { openssl verify -CAfile "$TRUST_STORE_FILE" $RIM_SIGNER.pem | tee -a "$LOG_FILE" # Make JKS files for the mysql DB connector. P12 first then JKS... - openssl pkcs12 -export -in $DB_CLIENT.pem -inkey $DB_CLIENT.key -aes256 \ - -passin pass:$PASS -passout pass:$PASS -aes256 \ + openssl pkcs12 -export -in $DB_CLIENT.pem -inkey $DB_CLIENT.key \ + -aes256 -macalg SHA256 -keypbe AES-256-CBC -certpbe AES-256-CBC \ + -passin pass:$PASS -passout pass:$PASS \ -name "mysqlclientkey" -out $DB_CLIENT.p12 >> "$LOG_FILE" 2>&1 keytool -importkeystore -srckeystore $DB_CLIENT.p12 -srcstoretype PKCS12 \ @@ -227,8 +228,9 @@ create_cert_chain () { if [ "$ASYM_ALG" == "rsa" ]; then # Create Root CA key pair and self signed cert echo "Generating RSA Root CA ...." | tee -a "$LOG_FILE" - openssl genrsa -out "$PKI_ROOT".key -aes256 -passout pass:"$PASS" "$ASYM_SIZE" >> "$LOG_FILE" 2>&1 - + #openssl genrsa -out "$PKI_ROOT".key -aes256 -passout pass:"$PASS" "$ASYM_SIZE" >> "$LOG_FILE" 2>&1 + openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:3072 -aes256 --pass "pass:$PASS" -out "$PKI_ROOT".key >> "$LOG_FILE" 2>&1 + # Create a self signed CA certificate openssl req -new -config ca.conf -x509 -days 3650 -key "$PKI_ROOT".key -subj "$ROOT_DN" \ -extensions ca_extensions -out "$PKI_ROOT".pem \ From 410dbc844498fc51807980711da396d796922292 Mon Sep 17 00:00:00 2001 From: iadgovuser26 Date: Thu, 31 Aug 2023 09:50:11 -0400 Subject: [PATCH 07/10] Added check for selinux, adds context to cnf files --- package/scripts/db/db_create.sh | 11 ++--------- 1 file changed, 2 insertions(+), 9 deletions(-) diff --git a/package/scripts/db/db_create.sh b/package/scripts/db/db_create.sh index 8cfebc1c..60ffc0a1 100644 --- a/package/scripts/db/db_create.sh +++ b/package/scripts/db/db_create.sh 
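Review bot: `-pkeyopt rsa_keygen_bits:3072` hardcodes the root key size, whereas the `genrsa` line it replaces honored `"$ASYM_SIZE"`, so the generated root no longer follows the caller's requested size while the filenames and the rest of the chain presumably still do; use `-pkeyopt rsa_keygen_bits:"$ASYM_SIZE"`. The double-dash `--pass` appears to be accepted by OpenSSL's option parser but every other option in the script is single-dash, so `-pass "pass:$PASS"` is the consistent spelling. The commented-out old `genrsa` line should be removed rather than left as dead text.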
@@ -82,7 +82,7 @@ set_mysql_server_tls () { chown mysql:mysql $SSL_DB_SRV_CHAIN $SSL_DB_SRV_CERT $SSL_DB_SRV_KEY # Make selinux contexts for config files, if selinux is enabled selinuxenabled - if [ $? -eq 0 ] + if [ $? -eq 0 ]; then semanage fcontext -a -t mysqld_etc_t $DB_SRV_CONF > /dev/null #adds the context type to file restorecon -v -F $DB_SRV_CONF # changes the file's context type fi @@ -101,7 +101,7 @@ if [[ $(cat "$DB_CLIENT_CONF" | grep -c "ssl") < 1 ]]; then chown mysql:mysql $SSL_DB_CLIENT_CHAIN $SSL_DB_CLIENT_CERT $SSL_DB_CLIENT_KEY # Make selinux contexts for config files, if selinux is enabled selinuxenabled - if [ $? -eq 0 ] + if [ $? -eq 0 ]; then semanage fcontext -a -t mysqld_etc_t $DB_CLIENT_CONFf > /dev/null #adds the context type to file restorecon -F $DB_CLIENT_CONF #changes the file's context type fi @@ -138,13 +138,6 @@ create_hirs_db_with_tls () { mysql -u root --password=$DB_ADMIN_PWD < $MYSQL_DIR/secure_mysql.sql mysql -u root --password=$DB_ADMIN_PWD -e "ALTER USER 'hirs_db'@'localhost' IDENTIFIED BY '"$HIRS_DB_PWD"'; FLUSH PRIVILEGES;"; fi -} - -set_selinux_context () { - - - - } From 2ce4264f6e10bfc37caffc4f5fc4f0db67ee3b4e Mon Sep 17 00:00:00 2001 From: iadgovuser26 Date: Thu, 31 Aug 2023 16:29:40 -0400 Subject: [PATCH 08/10] added a -h|--help and -u|--unattended option for aca_setup.sh --- package/scripts/aca/aca_bootRun.sh | 2 - package/scripts/aca/aca_check_setup.sh | 57 ++++++++-------- package/scripts/aca/aca_setup.sh | 82 ++++++++++++++++-------- package/scripts/db/db_create.sh | 33 +++++----- package/scripts/db/reset_hirs_db_user.sh | 60 ----------------- package/scripts/db/start_mysqld.sh | 65 +++++++++++++++---- package/scripts/pki/pki_chain_gen.sh | 8 +-- package/scripts/pki/pki_setup.sh | 16 +---- 8 files changed, 158 insertions(+), 165 deletions(-) delete mode 100644 package/scripts/db/reset_hirs_db_user.sh diff --git a/package/scripts/aca/aca_bootRun.sh b/package/scripts/aca/aca_bootRun.sh index 666d9dac..4d54afda 100755 
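Review bot: The added `; then` fixes the syntax, but the `semanage fcontext -a -t mysqld_etc_t $DB_CLIENT_CONFf` line in the same hunk still names `DB_CLIENT_CONFf` (trailing `f`), an unset variable, so semanage receives an empty path and client.cnf never gets the mysqld_etc_t rule that aca_check_setup.sh's `check_selinux` later requires; change it to `"$DB_CLIENT_CONF"`. Since the script is now described as "adds context to cnf files", a quick `ls -Z "$DB_CLIENT_CONF"` after restorecon would have caught this.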
--- a/package/scripts/aca/aca_bootRun.sh +++ b/package/scripts/aca/aca_bootRun.sh @@ -38,8 +38,6 @@ fi check_for_container start_mysqlsd - - if [ ! -d "$CERT_PATH" ]; then echo "$CERT_PATH directory does not exist. Please run aca_setup.sh and try again." exit 1; diff --git a/package/scripts/aca/aca_check_setup.sh b/package/scripts/aca/aca_check_setup.sh index 158415ec..0ce26ab9 100755 --- a/package/scripts/aca/aca_check_setup.sh +++ b/package/scripts/aca/aca_check_setup.sh @@ -1,7 +1,7 @@ #!/bin/bash ############################################################################################ # Checks the setup for the ACA: -# +# takes a -v option to provide verbose output ############################################################################################ SCRIPT_DIR=$( dirname -- "$( readlink -f -- "$0"; )"; ) @@ -71,13 +71,14 @@ while [[ $# -gt 0 ]]; do done source /etc/hirs/aca/aca.properties; +source $SCRIPT_DIR/../db/start_mysqld.sh check_pwds () { PRESENT=true -echo "Checking if ACA passwords are in aca.properties" +echo "Checking if ACA passwords are present..." if [ -z $hirs_pki_password ]; then - echo "hirs pki password not set" + echo "ACA pki password not set" PRESENT=false fi if [ -z $hirs_db_username ]; then 
@@ -85,34 +86,20 @@ echo "Checking if ACA passwords are in aca.properties" PRESENT=false fi if [ -z $hirs_db_password ]; then - echo "hirs db password not set" + echo "hirs db user password not set" PRESENT=false fi if [ $PRESENT ]; then - echo " HIRS passwords were created" + echo " ACA passwords were found" else - echo " ERROR finding HIRS passwords" + echo " ERROR finding ACA passwords" ALL_CHECKS_PASSED=false fi } -check_mysql () { - echo "Checking mysqld status..." - if [[ $(pgrep -c -u mysql mysqld) -ne 0 ]]; then - echo " mysql process exists..." - else - echo " mysqld process does NOT exist, attempting to restart mysql..." - /usr/bin/mysqld_safe & - fi - - # Wait for mysql to start before continuing. - - while ! mysqladmin ping -h "$localhost" --silent; do - sleep 1; - done - - echo " mysqld is running." - +check_mysql_setup () { + # make sure mysql is running and restart if its not... + check_mysql # Check DB server/client TLS setup. if [[ $(cat "$DB_SRV_CONF" | grep -c "ssl") < 1 ]]; then echo " Mysql server ($DB_SRV_CONF) is NOT configured for Server Side TLS" @@ -153,7 +140,7 @@ fi } check_pki () { - echo "Checking HIRS PKI certificates" + echo "Checking ACA PKI certificates..." if [ ! -d "/etc/hirs/certificates" ]; then echo "/etc/hirs/certificates doesn't exists, was aca_setup.sh run ? / Skipping PKI Checks." @@ -205,7 +192,7 @@ check_pki () { } check_db () { - echo "Check DB server TLS config..." + echo "Checking DB server TLS configuration..." RESULT=$(mysql -u root --password=$mysql_admin_password -e "SHOW VARIABLES LIKE '%have_ssl%'" | grep -o YES ) if [ "$RESULT" == "YES" ]; then echo " Mysql Server side TLS is enabled:" 
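Review bot: The reworded "ACA passwords were found" / "ERROR finding ACA passwords" messages are selected by `if [ $PRESENT ]`, which tests for a non-empty string, and `false` is a non-empty string, so the success branch always runs and `ALL_CHECKS_PASSED` is never cleared when a password is missing; use `if [ "$PRESENT" = true ]; then`. The individual tests (`[ -z $hirs_pki_password ]` etc.) should quote the variable so a value containing spaces does not break the test. `check_mysql_setup` now relies on `check_mysql` from the sourced start_mysqld.sh, which this patch modifies but is not shown here — confirm it keeps the mysqladmin ping loop the removed code had.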
@@ -242,25 +229,35 @@ check_selinux () { SELINUXSTATUS=$(getenforce) DB_SRV_CONTEXT=$(ls -Z $DB_SRV_CONF) DB_CLIENT_CONTEXT=$(ls -Z $DB_CLIENT_CONF) - + echo "Checking device selinux status..." if [[ "$SELINUXSTATUS" == *"Enforcing"* ]]; then + echo " Selinux is in Enforcing mode." if [[ "$DB_SRV_CONTEXT" == *"mysqld_etc_t"* && "$DB_CLIENT_CONTEXT" == *"mysqld_etc_t"* ]]; then - echo "Selinux status is $SELINUXSTATUS and both $DB_SRV_CONF and $DB_SRV_CONF contexts are correct" + echo " Selinux status is $SELINUXSTATUS and both $DB_SRV_CONF and $DB_CLIENT_CONF contexts are correct" elif [[ "$DB_CLIENT_CONTEXT" == *"mysqld_etc_t"* ]]; then - echo "Selinux status is $SELINUXSTATUS and $DB_SRV_CONF context is incorrect: $DB_SRV_CONTEXT" + echo " Selinux status is $SELINUXSTATUS and $DB_CLIENT_CONF context is incorrect: $DB_CLIENT_CONTEXT" ALL_CHECKS_PASSED=false else - echo "Selinux status is $SELINUXSTATUS and $DB_CLIENT_CONF context is incorrect: $DB_CLIENT_CONTEXT" + echo " Selinux status is $SELINUXSTATUS and $DB_SRV_CONF context is incorrect: $DB_SRV_CONTEXT" ALL_CHECKS_PASSED=false fi + else + echo " Selinux is in NOT in Enforcing mode." fi } +check_fips () { + echo "Checking FIPS mode on this device..." + echo " "$(sysctl -a | grep crypto.fips_enabled) +} + +check_for_container check_pwds check_pki -check_mysql +check_mysql_setup check_db check_selinux +check_fips if [ $ALL_CHECKS_PASSED = true ]; then echo "ACA setup checks passed!" diff --git a/package/scripts/aca/aca_setup.sh b/package/scripts/aca/aca_setup.sh index 13275848..4c907357 100755 --- a/package/scripts/aca/aca_setup.sh +++ b/package/scripts/aca/aca_setup.sh 
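Review bot: Swapping the two error messages inverts them: the `elif` fires when `$DB_CLIENT_CONTEXT` does contain mysqld_etc_t, meaning the client file is correct and the server file is the wrong one, yet the new text names `$DB_CLIENT_CONF`; the previous wording (server in the `elif`, client in the `else`) was right, only the duplicated `$DB_SRV_CONF` in the first message needed fixing. `getenforce` and `ls -Z` are still invoked unconditionally, so the function errors rather than skips on a host without SELinux tooling. `check_fips` is informational only and shells out to `sysctl -a | grep`; `sysctl -n crypto.fips_enabled` (or reading `/proc/sys/crypto/fips_enabled`) is cheaper and its value could be used to warn when FIPS is on, given the series' earlier FIPS-related PKI changes.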
@@ -1,52 +1,78 @@ #!/bin/bash # Capture location of the script to allow from invocation from any location SCRIPT_DIR=$( dirname -- "$( readlink -f -- "$0"; )"; ) -SPRING_PROP_FILE='../../../HIRS_AttestationCAPortal/src/main/resources/application.properties' +#SPRING_PROP_FILE='../../../HIRS_AttestationCAPortal/src/main/resources/application.properties' HIRS_CONF_DIR=/etc/hirs/aca LOG_FILE_NAME="hirs_aca_install_"$(date +%Y-%m-%d).log LOG_DIR="/var/log/hirs/" LOG_FILE="$LOG_DIR$LOG_FILE_NAME" HIRS_PROP_DIR="/opt/hirs/default-properties" -COMP_JSON='../../../HIRS_AttestationCA/src/main/resources/component-class.json' -VENDOR_TABLE='../../../HIRS_AttestationCA/src/main/resources/vendor-table.json' +#COMP_JSON='../../../HIRS_AttestationCA/src/main/resources/component-class.json' +#VENDOR_TABLE='../../../HIRS_AttestationCA/src/main/resources/vendor-table.json' -echo "LOG_FILE is $LOG_FILE" +help () { + echo " Setup script for the HIRS ACA" + echo " Syntax: sh aca_setup.sh [-u|h|sb|sp|--skip-db|--skip-pki]" + echo " options:" + echo " -u | --unattended Run unattended" + echo " -h | --help Print this Help." + echo " -sp | --skip-pki run the setup without pki setup." + echo " -sb | --skip-db run the setup without databse setup." + echo +} - echo "HIRS_MYSQL_ROOT_PWD is $HIRS_MYSQL_ROOT_PWD" - -if [ "$EUID" -ne 0 ] - then echo "This script requires root. 
Please run as root" - exit 1 -fi - -mkdir -p $HIRS_CONF_DIR $LOG_DIR $HIRS_PROP_DIR - -# Process parameters -# Argument handling +# Process parameters Argument handling POSITIONAL_ARGS=() while [[ $# -gt 0 ]]; do case $1 in - --skip-db) + -sd|--skip-db) ARG_SKIP_DB=YES shift # past argument ;; - --skip-pki) + -sp|--skip-pki) ARG_SKIP_PKI=YES shift # past argument ;; + -u|--unattended) + ARG_UNATTEND=YES + shift # past argument + ;; + -h|--help) + help + exit 0 + shift # past argument + ;; -*|--*) echo "aca_setup.sh: Unknown option $1" + help + exit 1 ;; *) - POSITIONAL_ARGS+=("$1") # save positional arg - shift # past argument + POSITIONAL_ARGS+=("$1") # save positional arg + # shift # past argument + break ;; esac done set -- "${POSITIONAL_ARGS[@]}" # restore positional parameters - + +mkdir -p $HIRS_CONF_DIR $LOG_DIR $HIRS_PROP_DIR + +echo "ACA setup log file is $LOG_FILE" + +if [ -z $HIRS_MYSQL_ROOT_PWD ]; then + echo "HIRS_MYSQL_ROOT_PWD is not set, using locally generated mysql root password" + else + echo "HIRS_MYSQL_ROOT_PWD is set, using previously set mysql root password" +fi + +if [ "$EUID" -ne 0 ] + then echo "This script requires root. Please run as root" + exit 1 +fi + echo "HIRS ACA Setup initiated on $(date +%Y-%m-%d)" > "$LOG_FILE" pushd $SCRIPT_DIR &>/dev/null @@ -62,14 +88,14 @@ if [ -z $HIRS_PKI_PWD ]; then fi # Copy HIRS configuration and data files if not a package install -if [ -f $SPRING_PROP_FILE ]; then - cp -n $SPRING_PROP_FILE $HIRS_CONF_DIR/. - cp -n $COMP_JSON $HIRS_PROP_DIR/. - cp -n $VENDOR_TABLE $HIRS_PROP_DIR/. -fi +#if [ -f $SPRING_PROP_FILE ]; then +# cp -n $SPRING_PROP_FILE $HIRS_CONF_DIR/. +# cp -n $COMP_JSON $HIRS_PROP_DIR/. +# cp -n $VENDOR_TABLE $HIRS_PROP_DIR/. +#fi if [ -z "${ARG_SKIP_PKI}" ]; then - sh ../pki/pki_setup.sh $LOG_FILE $PKI_PASS + sh ../pki/pki_setup.sh $LOG_FILE $PKI_PASS $ARG_UNATTEND if [ $? -eq 0 ]; then echo "ACA PKI setup complete" | tee -a "$LOG_FILE" else 
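Review bot: `mkdir -p $HIRS_CONF_DIR $LOG_DIR $HIRS_PROP_DIR` and the "ACA setup log file is" echo now run before the `$EUID` root check, so a non-root invocation fails on mkdir with a permission error instead of the intended "This script requires root" message; move the EUID block back above the mkdir. The help text advertises `-sb | --skip-db` while the case arm is `-sd|--skip-db`, so one of them is wrong, and the `Syntax:` line's `[-u|h|sb|sp|...]` should be updated to match. The `shift` after `exit 0` in the `-h` arm is dead code.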
@@ -81,7 +107,7 @@ if [ -z "${ARG_SKIP_PKI}" ]; then fi if [ -z "${ARG_SKIP_DB}" ]; then - sh ../db/db_create.sh $LOG_FILE + sh ../db/db_create.sh $LOG_FILE $ARG_UNATTEND if [ $? -eq 0 ]; then echo "ACA database setup complete" | tee -a "$LOG_FILE" else @@ -92,6 +118,6 @@ if [ -z "${ARG_SKIP_DB}" ]; then echo "Warning: Database setup not run due to command line argument: $@" | tee -a "$LOG_FILE" fi - echo "ACA setup complete" | tee -a "$LOG_FILE" +echo "ACA setup complete" | tee -a "$LOG_FILE" popd &>/dev/null \ No newline at end of file diff --git a/package/scripts/db/db_create.sh b/package/scripts/db/db_create.sh index 60ffc0a1..e9691b16 100644 --- a/package/scripts/db/db_create.sh +++ b/package/scripts/db/db_create.sh @@ -8,13 +8,13 @@ ################################################################################ LOG_FILE=$1 +UNATTENDED=$2 # LOG_FILE="/var/log/hirs/hirs_aca_install_$(date +%Y-%m-%d).log" # Capture location of the script to allow from invocation from any location SCRIPT_DIR=$( dirname -- "$( readlink -f -- "$0"; )"; ) SPRING_PROP_FILE="/etc/hirs/aca/application.properties" ACA_PROP_FILE="/etc/hirs/aca/aca.properties" DB_ADMIN_PWD="" -#DB_USER="hirs_db" # Db Configuration files DB_SRV_CONF="/etc/my.cnf.d/mariadb-server.cnf" DB_CLIENT_CONF="/etc/my.cnf.d/client.cnf" 
@@ -40,18 +40,24 @@ source $ACA_PROP_FILE check_mysql_root_pwd () { # Check if DB root password needs to be obtained - echo "HIRS_MYSQL_ROOT_PWD is $HIRS_MYSQL_ROOT_PWD" + if [ -z $HIRS_MYSQL_ROOT_PWD ]; then # Create a 32 character random password echo "Using randomly generated password for the DB admin" | tee -a "$LOG_FILE" DB_ADMIN_PWD=$(head -c 64 /dev/urandom | md5sum | tr -dc 'a-zA-Z0-9') echo "DB Admin will be set to $DB_ADMIN_PWD , please make note for next mysql use." - read -p "Do you wish to save this password to the aca.properties file? " confirm - if [[ $confirm == [yY] || $confirm == [yY][eE][sS] ]]; then - echo "mysql_admin_password=$DB_ADMIN_PWD" >> $ACA_PROP_FILE - echo "Password saved." - else - echo "Password not saved." + # Check i UNATTENDED flag set m if not then prompt user for permission ot store mysql root password + if [ -z $UNATTENDED ]; then + read -p "Do you wish to save this password to the aca.properties file? " confirm + if [[ $confirm == [yY] || $confirm == [yY][eE][sS] ]]; then + echo "mysql_admin_password=$DB_ADMIN_PWD" >> $ACA_PROP_FILE + echo "Mysql root password saved locally" + else + echo "Mysql root password not saved locally" + fi + else + echo "mysql_admin_password=$DB_ADMIN_PWD" >> $ACA_PROP_FILE + echo "Mysql root password has been saved locally." fi mysqladmin --user=root password "$DB_ADMIN_PWD" else @@ -84,7 +90,7 @@ set_mysql_server_tls () { selinuxenabled if [ $? -eq 0 ]; then semanage fcontext -a -t mysqld_etc_t $DB_SRV_CONF > /dev/null #adds the context type to file - restorecon -v -F $DB_SRV_CONF # changes the file's context type + restorecon -v -F $DB_SRV_CONF > /dev/null # changes the file's context type fi else echo "mysql.cnf contians existing entry for ssl, skipping..." | tee -a "$LOG_FILE" 
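Review bot: With `--unattended` the generated mysql root password is appended to `$ACA_PROP_FILE` with no prompt, and the "DB Admin will be set to" line just above still echoes it to stdout; the help text for `-u` should state that the root password is persisted, and the stdout echo should be suppressed in unattended mode since install logs are often captured. Whether aca.properties is created with restrictive permissions is not visible in this hunk — if aca_setup.sh does not already `chmod 600` it, add that here before the append. `[ -z $HIRS_MYSQL_ROOT_PWD ]` and `[ -z $UNATTENDED ]` should quote the variable, and the comment "Check i UNATTENDED flag set m if not then prompt user for permission ot store" needs proofreading.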
@@ -103,7 +109,7 @@ if [[ $(cat "$DB_CLIENT_CONF" | grep -c "ssl") < 1 ]]; then
 selinuxenabled
 if [ $? -eq 0 ]; then
 semanage fcontext -a -t mysqld_etc_t $DB_CLIENT_CONFf > /dev/null #adds the context type to file
- restorecon -F $DB_CLIENT_CONF #changes the file's context type
+ restorecon -F $DB_CLIENT_CONF > /dev/null #changes the file's context type
 fi
 fi
 }
@@ -140,7 +146,6 @@ create_hirs_db_with_tls () {
 fi
 }
-
 # HIRS ACA Mysqld processing ...
 check_mariadb_install
 check_for_container
@@ -150,8 +155,4 @@ start_mysqlsd
 check_mysql_root_pwd
 set_hirs_db_pwd
 create_hirs_db_with_tls
-# reboot mysql server
-mysql -u root --password=$DB_ADMIN_PWD -e "SHUTDOWN"
-sleep 2
-check_for_container
-start_mysqlsd
+mysqld_reboot
diff --git a/package/scripts/db/reset_hirs_db_user.sh b/package/scripts/db/reset_hirs_db_user.sh
deleted file mode 100644
index f1992c13..00000000
--- a/package/scripts/db/reset_hirs_db_user.sh
+++ /dev/null
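Review bot: The context line directly above the changed `restorecon` still reads `semanage fcontext -a -t mysqld_etc_t $DB_CLIENT_CONFf > /dev/null`; `$DB_CLIENT_CONFf` is never defined, so semanage receives an empty path and fails, and the client.cnf never gets the `mysqld_etc_t` label that the newly silenced `restorecon -F $DB_CLIENT_CONF > /dev/null` is meant to apply. Since the hunk already touches the adjacent line, correct it to `semanage fcontext -a -t mysqld_etc_t $DB_CLIENT_CONF > /dev/null`. Note also that `> /dev/null` on both commands discards only stdout, so the failure reaches the terminal on stderr but never `$LOG_FILE`; `>> "$LOG_FILE" 2>&1` would make the install log useful for diagnosing SELinux labelling problems. The enclosing function starts outside the hunk.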
@@ -1,60 +0,0 @@
-#!/bin/bash
-
-SCRIPT_DIR=$( dirname -- "$( readlink -f -- "$0"; )"; )
-
-source /etc/hirs/aca/aca.properties;
-
-if [ -z $mysql_admin_password ]; then
- read -p "Enter mysql root password" DB_ADMIN_PWD
- else
- DB_ADMIN_PWD=$mysql_admin_password
-fi
-
-if [ -z $hirs_db_password ]; then
- read -p "Enter mysql root password" hirs_db_password
- else
- HIRS_DB_PWD=$hirs_db_password
-fi
-
-echo "HIRS_DB_PWD is $HIRS_DB_PWD"
-echo "DB_ADMIN_PWD is $DB_ADMIN_PWD"
-
-# check if hirs_db user exists
-RESULT="$(mysql -u root --password=$DB_ADMIN_PWD -sse "SELECT EXISTS(SELECT 1 FROM mysql.user WHERE user = 'hirs_db')")"
-if [ "$RESULT" = 1 ]; then
- echo "hirs_db user found, dropping hirs-db user"
- mysql -u root --password=$DB_ADMIN_PWD -e "SET PASSWORD FOR "hirs_db@localhost" = PASSWORD('');"
- mysql -u root --password=$DB_ADMIN_PWD -e "DROP USER 'hirs_db'@'localhost';"
-
- if [ $? -ne 0 ]; then
- echo "Removing the existing hirs_db user failed"
- else
- echo "Removing the existing hirs_db was successful"
- fi
- else
- echo "no hirs_db user found, creating one..."
-fi
-
-mysql -u root --password=$mysql_admin_password -e "Select user from mysql.user;"
-echo "Creating hirs_db user"
-#mysql -u root --password=$DB_ADMIN_PWD < $SCRIPT_DIR/db_create.sql
-#mysql -u root --password=$mysql_admin_password -e "FLUSH PRIVILEGES;"
-
-mysql -u root --password=$DB_ADMIN_PWD -e "CREATE USER 'hirs_db'@'localhost' IDENTIFIED BY 'hirs_db';"
-mysql -u root --password=$DB_ADMIN_PWD -e "ALTER USER 'hirs_db'@'localhost' IDENTIFIED BY '$HIRS_DB_PWD'; FLUSH PRIVILEGES;"
-mysql -u root --password=$DB_ADMIN_PWD -e "GRANT ALL ON hirs_db.* TO 'hirs_db'@'localhost' REQUIRE X509;"
-mysql -u root --password=$DB_ADMIN_PWD -e "FLUSH PRIVILEGES;"
-
-mysql -u root --password=$mysql_admin_password -e "show databases;"
-
-mysql -u root --password=$mysql_admin_password -e "CHECK TABLE mysql.user;"
-
-mysql -u root --password=$mysql_admin_password -e "Select user from mysql.user;"
-#mysql -u root --password=$mysql_admin_password -e "SHOW CREATE USER 'hirs_db'@'localhost';"
-mysql -u root --password=$mysql_admin_password -e "SHOW GRANTS FOR 'hirs_db'@'localhost'"
-
-
-echo "HIRS_DB_PWD is $HIRS_DB_PWD"
-echo "Checking hirs_db user..."
-# check user
-mysql -u hirs_db --password=$HIRS_DB_PWD -e "SHOW DATABASES;";
diff --git a/package/scripts/db/start_mysqld.sh b/package/scripts/db/start_mysqld.sh
index 3262ef02..7d39fa79 100644
--- a/package/scripts/db/start_mysqld.sh
+++ b/package/scripts/db/start_mysqld.sh
@@ -1,10 +1,11 @@
 #!/bin/bash
 #####################################################################################
 #
-# Function to check mysql and start if not running.
+# Functions to check mysql and start if not running.
 # Also a function for checking if running in a container
 #
 #####################################################################################
+SQL_SERVICE="mariadb"
 check_for_container () {
 # Check if we're in a Docker container
@@ -21,9 +22,9 @@ check_for_container () {
 else
 MYSQL_DIR="$SCRIPT_DIR/../db"
 fi
- echo "Mysql script directory is $MYSQL_DIR"
 }
+# Check for mysql command line
 check_mariadb_install () {
 type mysql >/dev/null 2>&1 && installed=true || installed=false
 if [ $installed = true ]; then
@@ -33,7 +34,7 @@ check_mariadb_install () {
 exit 1;
 fi
 }
-
+# Starts mariadb during intial install
 start_mysqlsd () {
 # Check if mysql is already running, if not initialize
 if [[ $(pgrep -c -u mysql mysqld) -eq 0 ]]; then
@@ -47,16 +48,22 @@ start_mysqlsd () {
 /usr/bin/mysql_install_db > "$LOG_FILE"
 chown -R mysql:mysql /var/lib/mysql/
 fi
- echo "Starting mysql...."
- chown -R mysql:mysql /var/log/mariadb
- /usr/bin/mysqld_safe &
- else #not a container
- SQL_SERVICE="mariadb"
- systemctl enable $SQL_SERVICE
- systemctl start $SQL_SERVICE
+ echo "Starting mysql...."
+ chown -R mysql:mysql /var/log/mariadb
+ /usr/bin/mysqld_safe &
+ else #not a container
+ systemctl enable $SQL_SERVICE
+ systemctl start $SQL_SERVICE
+ fi
+ else # mysql process is running
+ # check if mysql service is running
+ if [ ! $DOCKER_CONTAINER = true ]; then
+ DB_STATUS=$(systemctl status mysql |grep 'running' | wc -l )
+ if [ $DB_STATUS -eq 0 ]; then
+ echo "mariadb not running , attempting to restart"
+ systemctl start mariadb
+ fi
 fi
- else # mysql running
- echo "mysql process running.."
 fi
 # Wait for mysql to start before continuing.
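Review bot: The restart path added to start_mysqlsd checks one unit and starts another, `DB_STATUS=$(systemctl status mysql |grep 'running' | wc -l )` followed by `systemctl start mariadb`, even though the hunk at `@@ -1,10 +1,11 @@` in this same file introduced `SQL_SERVICE="mariadb"` for exactly this; on a host without a `mysql` alias unit the status check reports not-running even while mysqld is up, and grepping human-readable status output is fragile in any case. `systemctl is-active --quiet "$SQL_SERVICE" || systemctl start "$SQL_SERVICE"` replaces the status/grep/start block in both places, including `check_mysql` in the next hunk, where the same duplication appears. `if [ ! $DOCKER_CONTAINER = true ]; then` also produces a `[` syntax error when `DOCKER_CONTAINER` is unset; `if [ "$DOCKER_CONTAINER" != true ]; then` is the robust form. start_mysqlsd's body continues outside the hunk.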
@@ -68,3 +75,37 @@ start_mysqlsd () {
 echo "mysqld is running."| tee -a "$LOG_FILE"
 }
+# Basic check for marai db status, attempts restart if not running
+check_mysql () {
+ echo "Checking mysqld status..."
+ if [ $DOCKER_CONTAINER = true ]; then
+ if [[ $(pgrep -c -u mysql mysqld) -eq 0 ]]; then
+ echo "mariadb not running , attempting to restart"
+ /usr/bin/mysqld_safe &
+ fi
+ else # not in a contianer
+ DB_STATUS=$(systemctl status mysql |grep 'running' | wc -l )
+ if [ $DB_STATUS -eq 0 ]; then
+ echo "mariadb not running , attempting to restart"
+ systemctl start mariadb
+ fi
+ fi
+
+ # Wait for mysql to start before continuing.
+
+ while ! mysqladmin ping -h "$localhost" --silent; do
+ sleep 1;
+ done
+
+ echo " Mariadb is running."
+
+}
+
+# restart maraidb
+mysqld_reboot () {
+ # reboot mysql server
+ mysql -u root --password=$DB_ADMIN_PWD -e "SHUTDOWN"
+ sleep 2
+ check_for_container
+ start_mysqlsd
+}
\ No newline at end of file
diff --git a/package/scripts/pki/pki_chain_gen.sh b/package/scripts/pki/pki_chain_gen.sh
index 9adbc358..7578f034 100644
--- a/package/scripts/pki/pki_chain_gen.sh
+++ b/package/scripts/pki/pki_chain_gen.sh
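Review bot: `while ! mysqladmin ping -h "$localhost" --silent; do` in the new check_mysql references an undefined variable, `$localhost`, so the readiness loop pings `-h ""` instead of the local server; write `while ! mysqladmin ping -h localhost --silent; do` (or drop `-h` and let the client defaults apply). check_mysql also repeats the `systemctl status mysql` / `systemctl start mariadb` unit-name mismatch raised on start_mysqlsd in the previous hunk. The new mysqld_reboot relies on `$DB_ADMIN_PWD` having been set by whichever script sources this file (db_create.sh in this commit) and passes it as `--password=$DB_ADMIN_PWD`, which exposes the root password to every local user through the process list for the life of the command; a `--defaults-extra-file` owned by root with mode 0600 avoids that, and a one-line comment such as `# requires DB_ADMIN_PWD to be set by the caller` would document the precondition.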
@@ -110,9 +110,9 @@ add_to_stores () {
 # Add the cert and key to the key store. make a p12 file to import into te keystore
 openssl pkcs12 -export -in "$CERT_PATH".pem -inkey "$CERT_PATH".key -out tmpkey.p12 -passin pass:"$PASS" -aes256 -passout pass:$PASS >> "$LOG_FILE" 2>&1
 # Use the p12 file to import into a java keystore via keytool
- keytool -importkeystore -srckeystore tmpkey.p12 -destkeystore $KEYSTORE -srcstoretype pkcs12 -srcstorepass $PASS -deststoretype jks -deststorepass $PASS -noprompt -alias 1 -destalias -J-Dcom.redhat.fips=false "$ALIAS" >> "$LOG_FILE" 2>&1
+ keytool -importkeystore -srckeystore tmpkey.p12 -destkeystore $KEYSTORE -srcstoretype pkcs12 -srcstorepass $PASS -deststoretype jks -deststorepass $PASS -noprompt -alias 1 -destalias "$ALIAS" >> "$LOG_FILE" 2>&1
 # Import the cert into a java trust store via keytool
- keytool -import -keystore $TRUSTSTORE -storepass $PASS -file "$CERT_PATH".pem -noprompt -alias "$ALIAS" -J-Dcom.redhat.fips=false >> "$LOG_FILE" 2>&1
+ keytool -import -keystore $TRUSTSTORE -storepass $PASS -file "$CERT_PATH".pem -noprompt -alias "$ALIAS" >> "$LOG_FILE" 2>&1
 # Remove the temp p1 file.
 rm tmpkey.p12
 }
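Review bot: Removing `-J-Dcom.redhat.fips=false` from both keytool calls changes behaviour on hosts whose OpenJDK build switches itself into FIPS mode from the system crypto policy (the Red Hat builds do this), where keytool may reject the `jks` destination store or the PKCS12 import; if that is the intent the commit message should say so, and if the override is still wanted it has to precede the positional alias, `keytool -J-Dcom.redhat.fips=false -importkeystore ... -destalias "$ALIAS"`, because the old placement between `-destalias` and `"$ALIAS"` could never have parsed. The same change is made in create_cert at `@@ -174,9 +174,9 @@` in this file. Both commands still pass `$PASS` unquoted to `-srcstorepass`/`-deststorepass`/`-storepass`, so a password containing whitespace or shell metacharacters breaks the import, and keytool's `-storepass:env PASS` form would keep the secret out of the process list altogether. add_to_stores continues outside the hunk.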
@@ -174,9 +174,9 @@ create_cert () {
 # Add the cert and key to the key store. make a p12 file to import into te keystore
 openssl pkcs12 -export -in "$CERT_PATH".pem -inkey "$CERT_PATH".key -out tmpkey.p12 -passin pass:$PASS -aes256 -passout pass:$PASS >> "$LOG_FILE" 2>&1
 # Use the p12 file to import into a java keystore via keytool
- keytool -importkeystore -srckeystore tmpkey.p12 -destkeystore $KEYSTORE -srcstoretype pkcs12 -srcstorepass $PASS -deststoretype jks -deststorepass $PASS -noprompt -alias 1 -destalias -J-Dcom.redhat.fips=false "$ALIAS" >> "$LOG_FILE" 2>&1
+ keytool -importkeystore -srckeystore tmpkey.p12 -destkeystore $KEYSTORE -srcstoretype pkcs12 -srcstorepass $PASS -deststoretype jks -deststorepass $PASS -noprompt -alias 1 -destalias "$ALIAS" >> "$LOG_FILE" 2>&1
 # Import the cert into a java trust store via keytool
- keytool -import -keystore $TRUSTSTORE -storepass $PASS -file "$CERT_PATH".pem -noprompt -alias "$ALIAS" -J-Dcom.redhat.fips=false >> "$LOG_FILE" 2>&1
+ keytool -import -keystore $TRUSTSTORE -storepass $PASS -file "$CERT_PATH".pem -noprompt -alias "$ALIAS" >> "$LOG_FILE" 2>&1
 # Remove the temp p1 file.
 rm -f tmpkey.p12 &>/dev/null
 }
diff --git a/package/scripts/pki/pki_setup.sh b/package/scripts/pki/pki_setup.sh
index e71be65f..db16f0a1 100644
--- a/package/scripts/pki/pki_setup.sh
+++ b/package/scripts/pki/pki_setup.sh
@@ -3,13 +3,14 @@
 # Creates 2 Certificate Chains for the ACA:
 # 1 RSA 3K SHA 384
 # 2 ECC 512 SHA 384
-#
+#
 ############################################################################################
 #PROP_FILE=/etc/hirs/aca/application.properties
 ACA_PROP=/etc/hirs/aca/aca.properties
 LOG_FILE=$1
 PKI_PASS=$2
+UNATTENDED=$3
 LOG_FILE_NAME="hirs_aca_install_"$(date +%Y-%m-%d).log
 LOG_DIR="/var/log/hirs/"
 HIRS_CONF_DIR=/etc/hirs/aca
@@ -23,6 +24,7 @@ if [ -z "$1" ]; then
 LOG_FILE="$LOG_DIR$LOG_FILE_NAME"
 echo "using log file $LOG_FILE" | tee -a "$LOG_FILE"
 fi
+
 if [ -z "$2" ]; then
 PKI_PASS=$(head -c 64 /dev/urandom | md5sum | tr -dc 'a-zA-Z0-9')
 echo "Using randomly generated password for the PKI key password" | tee -a "$LOG_FILE"
@@ -53,18 +55,6 @@ if [ ! -d "/etc/hirs/certificates" ]; then
 sh $PKI_SETUP_DIR/pki_chain_gen.sh "HIRS" "ecc" "512" "sha384" "$PKI_PASS" "$LOG_FILE"
 popd &> /dev/null
- # Add tomcat TLS support to the application.properties file
- #echo "# Tomcat TLS support">> $PROP_FILE
- #echo "server.port=8443">> $PROP_FILE
- #echo "server.ssl.enabled=true">> $PROP_FILE
- #echo "server.ssl.trust-store-type=JKS">> $PROP_FILE
- #echo "server.ssl.trust-store=/etc/hirs/certificates/HIRS/TrustStore.jks">> $PROP_FILE
- #echo "server.ssl.trust-alias=hirs_aca_tls_rsa_3k_sha384">> $PROP_FILE
- #echo "server.ssl.key-store-type=JKS">> $PROP_FILE
- #echo "server.ssl.key-store=/etc/hirs/certificates/HIRS/KeyStore.jks">> $PROP_FILE
- #echo "server.ssl.key-alias=hirs_aca_tls_rsa_3k_sha384">> $PROP_FILE
- #echo "server.ssl.key-store-password="$PKI_PASS >> $PROP_FILE
- #echo "server.ssl.trust-store-password="$PKI_PASS >> $PROP_FILE
 echo "hirs_pki_password="$PKI_PASS >> $ACA_PROP
 else
 echo "/etc/hirs/certificates exists, skipping" | tee -a "$LOG_FILE"
From 0b065e22c6692f782341b13d8d454ea4c6a71780 Mon Sep 17 00:00:00 2001
From: iadgovuser29 <33426478+iadgovuser29@users.noreply.github.com>
Date: Fri, 1 Sep 2023 07:11:52 -0400
Subject: [PATCH 09/10] Cipher options on openssl pkcs12 export cmds. [no ci]
---
 package/scripts/aca/aca_setup.sh | 19 ++++++++++---------
 package/scripts/pki/pki_chain_gen.sh | 6 +++---
 2 files changed, 13 insertions(+), 12 deletions(-)
diff --git a/package/scripts/aca/aca_setup.sh b/package/scripts/aca/aca_setup.sh
index 4c907357..5a32b53e 100755
--- a/package/scripts/aca/aca_setup.sh
+++ b/package/scripts/aca/aca_setup.sh
@@ -23,7 +23,7 @@ help () {
 # Process parameters Argument handling
 POSITIONAL_ARGS=()
-
+ORIGINAL_ARGS=("$@")
 while [[ $# -gt 0 ]]; do
 case $1 in
 -sd|--skip-db)
@@ -62,18 +62,19 @@ mkdir -p $HIRS_CONF_DIR $LOG_DIR $HIRS_PROP_DIR
 echo "ACA setup log file is $LOG_FILE"
-if [ -z $HIRS_MYSQL_ROOT_PWD ]; then
- echo "HIRS_MYSQL_ROOT_PWD is not set, using locally generated mysql root password"
- else
- echo "HIRS_MYSQL_ROOT_PWD is set, using previously set mysql root password"
-fi
+#if [ -z $HIRS_MYSQL_ROOT_PWD ]; then
+# echo "HIRS_MYSQL_ROOT_PWD is not set, using locally generated mysql root password"
+# else
+# echo "HIRS_MYSQL_ROOT_PWD is set, using previously set mysql root password"
+#fi
 if [ "$EUID" -ne 0 ]
 then echo "This script requires root. Please run as root"
 exit 1
 fi
-echo "HIRS ACA Setup initiated on $(date +%Y-%m-%d)" > "$LOG_FILE"
+touch "$LOG_FILE"
+echo "HIRS ACA Setup initiated on $(date +%Y-%m-%d)" >> "$LOG_FILE"
 pushd $SCRIPT_DIR &>/dev/null
@@ -103,7 +104,7 @@ if [ -z "${ARG_SKIP_PKI}" ]; then
 exit 1
 fi
 else
- echo "Warning: Database setup not run due to command line argument: $@" | tee -a "$LOG_FILE"
+ echo "ACA PKI setup not run due to command line argument: $ORIGINAL_ARGS" | tee -a "$LOG_FILE"
 fi
 if [ -z "${ARG_SKIP_DB}" ]; then
@@ -115,7 +116,7 @@ if [ -z "${ARG_SKIP_DB}" ]; then
 exit 1
 fi
 else
- echo "Warning: Database setup not run due to command line argument: $@" | tee -a "$LOG_FILE"
+ echo "ACA Database setup not run due to command line argument: $ORIGINAL_ARGS" | tee -a "$LOG_FILE"
 fi
 echo "ACA setup complete" | tee -a "$LOG_FILE"
diff --git a/package/scripts/pki/pki_chain_gen.sh b/package/scripts/pki/pki_chain_gen.sh
index 7578f034..c2e08893 100644
--- a/package/scripts/pki/pki_chain_gen.sh
+++ b/package/scripts/pki/pki_chain_gen.sh
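Review bot: `ORIGINAL_ARGS=("$@")` is an array, but the two new log lines expand it as a scalar (`$ORIGINAL_ARGS`), which in bash yields only the first element, so the "not run due to command line argument" messages name the wrong flag whenever it was not the first one given. Expand the whole array: `echo "ACA PKI setup not run due to command line argument: ${ORIGINAL_ARGS[*]}" | tee -a "$LOG_FILE"` and `echo "ACA Database setup not run due to command line argument: ${ORIGINAL_ARGS[*]}" | tee -a "$LOG_FILE"`. Separately, switching the banner from `>` to `>>` means `$LOG_FILE` now accumulates across runs on the same day instead of being truncated; that is reasonable, since the pki and db scripts `tee -a` into the same file, but it deserves a comment beside `touch "$LOG_FILE"`, e.g. `# append: pki_setup.sh and db_create.sh tee into this log`. The `case` block that parses the arguments continues outside the hunk.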
@@ -106,9 +106,9 @@ fi
 add_to_stores () {
 CERT_PATH=$1
 ALIAS=${CERT_PATH#*/} # Use filename without path as an alias
- echo "Addding $ALIAS to the $TRUSTSTORE and $KEYSTORE" | tee -a "$LOG_FILE"
+ echo "Adding $ALIAS to the $TRUSTSTORE and $KEYSTORE" | tee -a "$LOG_FILE"
 # Add the cert and key to the key store. make a p12 file to import into te keystore
- openssl pkcs12 -export -in "$CERT_PATH".pem -inkey "$CERT_PATH".key -out tmpkey.p12 -passin pass:"$PASS" -aes256 -passout pass:$PASS >> "$LOG_FILE" 2>&1
+ openssl pkcs12 -export -in "$CERT_PATH".pem -inkey "$CERT_PATH".key -out tmpkey.p12 -passin pass:"$PASS" -aes256 -macalg SHA256 -keypbe AES-256-CBC -certpbe AES-256-CBC -passout pass:$PASS >> "$LOG_FILE" 2>&1
 # Use the p12 file to import into a java keystore via keytool
 keytool -importkeystore -srckeystore tmpkey.p12 -destkeystore $KEYSTORE -srcstoretype pkcs12 -srcstorepass $PASS -deststoretype jks -deststorepass $PASS -noprompt -alias 1 -destalias "$ALIAS" >> "$LOG_FILE" 2>&1
 # Import the cert into a java trust store via keytool
@@ -172,7 +172,7 @@ create_cert () {
 # remove csr file
 rm -f "$CERT_PATH".csr
 # Add the cert and key to the key store. make a p12 file to import into te keystore
- openssl pkcs12 -export -in "$CERT_PATH".pem -inkey "$CERT_PATH".key -out tmpkey.p12 -passin pass:$PASS -aes256 -passout pass:$PASS >> "$LOG_FILE" 2>&1
+ openssl pkcs12 -export -in "$CERT_PATH".pem -inkey "$CERT_PATH".key -out tmpkey.p12 -passin pass:$PASS -aes256 -macalg SHA256 -keypbe AES-256-CBC -certpbe AES-256-CBC -passout pass:$PASS >> "$LOG_FILE" 2>&1
 # Use the p12 file to import into a java keystore via keytool
 keytool -importkeystore -srckeystore tmpkey.p12 -destkeystore $KEYSTORE -srcstoretype pkcs12 -srcstorepass $PASS -deststoretype jks -deststorepass $PASS -noprompt -alias 1 -destalias "$ALIAS" >> "$LOG_FILE" 2>&1
 # Import the cert into a java trust store via keytool
From 3e5b76dda47ac013b30a8f72b2847e493cc4fea9 Mon Sep 17 00:00:00 2001
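Review bot: The rewritten `openssl pkcs12 -export` lines pin the PBE to `AES-256-CBC` with a SHA-256 MAC, which is the right direction, but the file is then read by the unchanged `keytool -importkeystore` on the next line, and older JDK keytool builds may not accept PKCS12 files encrypted with PBES2/AES, so the import would fail quietly into `$LOG_FILE`; verify on the target JDK and test `$?` after keytool instead of relying on the appended log. The same change is made in create_cert at `@@ -172,7 +172,7 @@`. Both commands still put the PKI password on the command line via `-passin pass:"$PASS"` and `-passout pass:$PASS`, where any local user can read it from the process table; `-passin env:PASS -passout env:PASS` with `PASS` exported (or `file:` pointing at a 0600 file) keeps it out of argv, and the second form should at least be quoted as `pass:"$PASS"` like the first. With `-keypbe` and `-certpbe` given explicitly, the older `-aes256` flag appears redundant. add_to_stores continues outside the hunk.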
From: iadgovuser26
Date: Fri, 1 Sep 2023 11:15:49 -0400
Subject: [PATCH 10/10] cleaned up commented out code and unsused files
---
 package/extras/aca/tomcat-mysql-hirs.pp | Bin 969 -> 0 bytes
 package/extras/aca/tomcat-mysql-hirs.te | 13 -------------
 package/scripts/aca/aca_bootRun.sh | 3 ++-
 package/scripts/aca/aca_setup.sh | 16 ----------------
 package/scripts/db/db_create.sh | 3 +--
 package/scripts/db/db_drop.sh | 1 -
 6 files changed, 3 insertions(+), 33 deletions(-)
 delete mode 100755 package/extras/aca/tomcat-mysql-hirs.pp
 delete mode 100644 package/extras/aca/tomcat-mysql-hirs.te
diff --git a/package/extras/aca/tomcat-mysql-hirs.pp b/package/extras/aca/tomcat-mysql-hirs.pp
deleted file mode 100755
index 601ca53eb5f91a179089bd26c171c0ed36e763e0..0000000000000000000000000000000000000000
GIT binary patch
literal 0
HcmV?d00001
literal 969
zcmb`FO-chn5QWFM5mD3|#6%W#`%UBxmrO;u)fbGvq=y9cYpHkc;_ z35#CK_8wmaIg_Y6Om6L6e`U5PkB{VW8?f5QKi+ zEaXsqig+G6TXkOxEeFMrYOrw{5ZMLZ!$SlpF%NB&FlUPgK| czBrzYmqvBuYG`U2FTaOT+ZrcdwAv4R0VNkfh5!Hn
diff --git a/package/extras/aca/tomcat-mysql-hirs.te b/package/extras/aca/tomcat-mysql-hirs.te
deleted file mode 100644
index 0b611f44..00000000
--- a/package/extras/aca/tomcat-mysql-hirs.te
+++ /dev/null
@@ -1,13 +0,0 @@
-
-module tomcat-mysql-hirs 1.0;
-
-require {
- type mysqld_port_t;
- type tomcat_t;
- class tcp_socket name_connect;
-}
-
-#============= tomcat_t ==============
-
-#!!!! This avc is allowed in the current policy
-allow tomcat_t mysqld_port_t:tcp_socket name_connect;
diff --git a/package/scripts/aca/aca_bootRun.sh b/package/scripts/aca/aca_bootRun.sh
index 4d54afda..f98b85aa 100755
--- a/package/scripts/aca/aca_bootRun.sh
+++ b/package/scripts/aca/aca_bootRun.sh
@@ -68,7 +68,8 @@ keyStore="$CLIENT_DB_P12"
 "
 WEB_TLS_PARAMS="--server.ssl.key-store-password=$hirs_pki_password \
 --server.ssl.trust-store-password=$hirs_pki_password"
-echo "--args=\"$CONNECTOR_PARAMS $WEB_TLS_PARAMS\""
+# uncomment to show spring boot and hibernate properties used as gradle argumanets
+#echo "--args=\"$CONNECTOR_PARAMS $WEB_TLS_PARAMS\""
 if [ "$USE_WAR" == "war" ]; then
 echo "Booting the ACA from a $USE_WAR file..."
diff --git a/package/scripts/aca/aca_setup.sh b/package/scripts/aca/aca_setup.sh
index 5a32b53e..9cb7483b 100755
--- a/package/scripts/aca/aca_setup.sh
+++ b/package/scripts/aca/aca_setup.sh
@@ -1,14 +1,11 @@
 #!/bin/bash
 # Capture location of the script to allow from invocation from any location
 SCRIPT_DIR=$( dirname -- "$( readlink -f -- "$0"; )"; )
-#SPRING_PROP_FILE='../../../HIRS_AttestationCAPortal/src/main/resources/application.properties'
 HIRS_CONF_DIR=/etc/hirs/aca
 LOG_FILE_NAME="hirs_aca_install_"$(date +%Y-%m-%d).log
 LOG_DIR="/var/log/hirs/"
 LOG_FILE="$LOG_DIR$LOG_FILE_NAME"
 HIRS_PROP_DIR="/opt/hirs/default-properties"
-#COMP_JSON='../../../HIRS_AttestationCA/src/main/resources/component-class.json'
-#VENDOR_TABLE='../../../HIRS_AttestationCA/src/main/resources/vendor-table.json'
 help () {
 echo " Setup script for the HIRS ACA"
@@ -62,12 +59,6 @@ mkdir -p $HIRS_CONF_DIR $LOG_DIR $HIRS_PROP_DIR
 echo "ACA setup log file is $LOG_FILE"
-#if [ -z $HIRS_MYSQL_ROOT_PWD ]; then
-# echo "HIRS_MYSQL_ROOT_PWD is not set, using locally generated mysql root password"
-# else
-# echo "HIRS_MYSQL_ROOT_PWD is set, using previously set mysql root password"
-#fi
-
 if [ "$EUID" -ne 0 ]
 then echo "This script requires root. Please run as root"
 exit 1
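Review bot: The `echo` that this hunk comments out prints `$WEB_TLS_PARAMS`, and therefore the PKI key-store and trust-store passwords, to the terminal and any captured build output, which the new comment inviting someone to uncomment it does not mention; say so and fix its spelling, e.g. `# Debug only: prints the spring boot/hibernate properties passed to gradle, including the PKI passwords` in place of `# uncomment to show spring boot and hibernate properties used as gradle argumanets`. Disabling the echo does not remove the exposure, since `WEB_TLS_PARAMS` still carries `--server.ssl.key-store-password=$hirs_pki_password` and is presumably handed to gradle as arguments outside this hunk, where it is visible in the process list. The assignments this hunk sits in start outside the hunk.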
@@ -88,13 +79,6 @@ if [ -z $HIRS_PKI_PWD ]; then
 echo "Using system supplied password for the PKI key password" | tee -a "$LOG_FILE"
 fi
-# Copy HIRS configuration and data files if not a package install
-#if [ -f $SPRING_PROP_FILE ]; then
-# cp -n $SPRING_PROP_FILE $HIRS_CONF_DIR/.
-# cp -n $COMP_JSON $HIRS_PROP_DIR/.
-# cp -n $VENDOR_TABLE $HIRS_PROP_DIR/.
-#fi
-
 if [ -z "${ARG_SKIP_PKI}" ]; then
 sh ../pki/pki_setup.sh $LOG_FILE $PKI_PASS $ARG_UNATTEND
 if [ $? -eq 0 ]; then
diff --git a/package/scripts/db/db_create.sh b/package/scripts/db/db_create.sh
index e9691b16..8cee8db8 100644
--- a/package/scripts/db/db_create.sh
+++ b/package/scripts/db/db_create.sh
@@ -9,7 +9,6 @@ LOG_FILE=$1
 UNATTENDED=$2
-# LOG_FILE="/var/log/hirs/hirs_aca_install_$(date +%Y-%m-%d).log"
 # Capture location of the script to allow from invocation from any location
 SCRIPT_DIR=$( dirname -- "$( readlink -f -- "$0"; )"; )
 SPRING_PROP_FILE="/etc/hirs/aca/application.properties"
@@ -46,7 +45,7 @@ check_mysql_root_pwd () {
 echo "Using randomly generated password for the DB admin" | tee -a "$LOG_FILE"
 DB_ADMIN_PWD=$(head -c 64 /dev/urandom | md5sum | tr -dc 'a-zA-Z0-9')
 echo "DB Admin will be set to $DB_ADMIN_PWD , please make note for next mysql use."
- # Check i UNATTENDED flag set m if not then prompt user for permission ot store mysql root password
+ # Check UNATTENDED flag set m if not then prompt user for permission ot store mysql root password
 if [ -z $UNATTENDED ]; then
 read -p "Do you wish to save this password to the aca.properties file? " confirm
 if [[ $confirm == [yY] || $confirm == [yY][eE][sS] ]]; then
diff --git a/package/scripts/db/db_drop.sh b/package/scripts/db/db_drop.sh
index b4537fea..a994d505 100644
--- a/package/scripts/db/db_drop.sh
+++ b/package/scripts/db/db_drop.sh
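Review bot: The reworded comment in check_mysql_root_pwd still carries the typos it set out to fix (`flag set m`, `permission ot`) and describes only the prompt, not the unattended path (visible in the first patch on this page) where the root password is written to aca.properties without asking; replace it with `# If UNATTENDED is unset, ask before storing the mysql root password in aca.properties; otherwise store it without prompting`. The context line above, `echo "DB Admin will be set to $DB_ADMIN_PWD , please make note for next mysql use."`, puts the generated password into terminal scrollback, which is worth noting in the same comment so an operator knows to clear it. check_mysql_root_pwd starts outside the hunk.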
@@ -29,7 +29,6 @@ fi
 echo "dropping hirs_db database"
 if pgrep mysqld >/dev/null 2>&1; then
- # mysql -u "root" --password=$DB_ADMIN_PWD < $MYSQL_DIR/db_drop.sql
 mysql -u root --password=$DB_ADMIN_PWD -e "FLUSH HOSTS; FLUSH LOGS; FLUSH STATUS; FLUSH PRIVILEGES; FLUSH USER_RESOURCES"
 mysql -u root --password=$DB_ADMIN_PWD -e "DROP USER 'hirs_db'@'localhost';"
 mysql -u root --password=$DB_ADMIN_PWD -e "DROP DATABASE IF EXISTS hirs_db;"