ExternalVendorCode/HIRS
1
0
Fork 0
mirror of https://github.com/nsacyber/HIRS.git synced 2024-12-18 20:47:58 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Merge pull request #574 from nsacyber/v3_issue_560-db_tls

Browse Source 
[#560] Adds TLS to the hirs DB connector
This commit is contained in:
5B96790E3664F40075A67E6ADF737EDB15B4408DBC91A81228B31537B0CE3E26 2023-09-06 06:31:29 -04:00 committed by GitHub
commit 58b5de3bbb
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
27 changed files with 883 additions and 690 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
HIRS_AttestationCAPortal/build.gradle
View File

@ -52,7 +52,7 @@ dependencies {
implementation 'org.apache.tomcat.embed:tomcat-embed-jasper:10.1.5'
compileOnly 'org.projectlombok:lombok'
runtimeOnly 'org.mariadb.jdbc:mariadb-java-client'
implementation 'org.mariadb.jdbc:mariadb-java-client:3.1.4'
annotationProcessor 'org.projectlombok:lombok'
providedRuntime 'org.springframework.boot:spring-boot-starter-tomcat'
@ -165,4 +165,5 @@ ospackage {
buildDeb {
arch = 'amd64'
}
}

30
HIRS_AttestationCAPortal/src/main/resources/application.properties
View File

@ -1,16 +1,13 @@
#server.error.path=/error
#spring.mvc.view.prefix=/WEB-INF/jsp/
#spring.mvc.view.suffix=.jsp
# Logging Config (tomcat may have further config)
logging.level.org.springframework=INFO
logging.level.org.apache.catalina=DEBUG
logging.level.org.springframework=TRACE
logging.level.org.apache.catalina=TRACE
logging.level.org.springframework.web: TRACE
logging.level.org.hibernate: ERROR
logging.file.path=/var/log/hirs
logging.file.name=hirs.spring.log
# Database Config
spring.jpa.hibernate.ddl-auto=update
spring.datasource.url=jdbc:mariadb://localhost:3306/hirs_db?autoReconnect=true&useSSL=false
spring.datasource.username=hirs_db
jakarta.persistence.sharedCache.mode = UNSPECIFIED
spring.datasource.driver-class-name=org.mariadb.jdbc.Driver
#spring.datasource.driver-class-name=com.mysql.cj.jdbc.Driver
@ -30,6 +27,19 @@ server.tomcat.accesslog.prefix=Tomcat_accesslog_
server.tomcat.accesslog.suffix=.log
server.tomcat.accesslog.rotate=true
# Tomcat TLS support
server.port=8443
server.ssl.enabled=true
server.ssl.trust-store-type=JKS
server.ssl.trust-store=/etc/hirs/certificates/HIRS/TrustStore.jks
server.ssl.trust-alias=hirs_aca_tls_rsa_3k_sha384
server.ssl.key-store-type=JKS
server.ssl.key-store=/etc/hirs/certificates/HIRS/KeyStore.jks
server.ssl.key-alias=hirs_aca_tls_rsa_3k_sha384
#--server.ssl.key-store-password=123456
#--server.ssl.trust-store-password=123456
#jdbc.driverClassName = com.mysql.cj.jdbc.Driver
#jdbc.url = jdbc:mysql://localhost:3306/hirs_db?autoReconnect=true&useSSL=false
#jdbc.username = root
@ -39,4 +49,4 @@ server.tomcat.accesslog.rotate=true
#spring.jpa.show-sql=true
# DB dfault password.
spring.datasource.password=hirs_db
#spring.datasource.password=hirs_db

6
HIRS_AttestationCAPortal/src/main/resources/hibernate.properties
View File

@ -1,6 +1,6 @@
hibernate.connection.url=jdbc:mariadb://localhost:3306/hirs_db?autoReconnect=true&useSSL=false
hibernate.connection.username=hirs_db
hibernate.connection.password=hirs_db
#hibernate.connection.url=jdbc:mariadb://localhost:3306/hirs_db?autoReconnect=true&useSSL=false
#hibernate.connection.username=hirs_db
#hibernate.connection.password=hirs_db
hibernate.connection.driver_class=org.mariadb.jdbc.Driver
hibernate.dialect = org.hibernate.dialect.MariaDBDialect
hibernate.show_sql = false

2
HIRS_AttestationCAPortal/src/main/resources/log4j2-spring.xml
View File

@ -26,7 +26,7 @@
<SpringProfile name="!development, !production">
<Logger name="hirs.attestationca" level="trace" />
</SpringProfile>
<Logger name="org.hibernate" level="WARN" />
<Logger name="org.hibernate" level="DEBUG" />
</Loggers>
<!-- prevents an out-of-memory exception caused by the debug logging of very large inserts -->
<category name="org.hibernate.event.def.AbstractFlushingEventListener">

BIN
package/extras/aca/tomcat-mysql-hirs.pp
View File

Binary file not shown.

13
package/extras/aca/tomcat-mysql-hirs.te
View File

@ -1,13 +0,0 @@
module tomcat-mysql-hirs 1.0;
require {
type mysqld_port_t;
type tomcat_t;
class tcp_socket name_connect;
}
#============= tomcat_t ==============
#!!!! This avc is allowed in the current policy
allow tomcat_t mysqld_port_t:tcp_socket name_connect;

75
package/scripts/aca/aca_bootRun.sh Normal file → Executable file
View File

@ -1,13 +1,80 @@
#!/bin/bash
#####################################################################################
#
# Script to run ACA using the gradle spring pluing bootRun command with password set
# Script to run ACA using the gradle spring pluing bootRun command with parameters
# parameters include setting up the DB with TLS and embedded Tomcat with TLS.
#
#
####################################################################################
#####################################################################################
USE_WAR=$1
CONFIG_FILE="/etc/hirs/aca/application.properties"
ALG=RSA
RSA_PATH=rsa_3k_sha384_certs
ECC_PATH=ecc_512_sha384_certs
SCRIPT_DIR=$( dirname -- "$( readlink -f -- "$0"; )"; )
LOG_FILE=/dev/null
GRADLE_WRAPPER="./gradlew"
# Check for sudo or root user
if [ "$EUID" -ne 0 ]
then echo "This script requires root. Please run as root"
exit 1
fi
source $SCRIPT_DIR/../db/start_mysqld.sh
if [ $ALG = "RSA" ]; then
CERT_PATH="/etc/hirs/certificates/HIRS/$RSA_PATH"
CERT_CHAIN="$CERT_PATH/HIRS_rsa_3k_sha384_Cert_Chain.pem"
CLIENT_DB_P12=$CERT_PATH/HIRS_db_client_rsa_3k_sha384.p12
ALIAS="hirs_aca_tls_rsa_3k_sha384"
else
CERT_PATH="/etc/hirs/certificates/HIRS/$ECC_PATH"
CERT_CHAIN="$CERT_PATH/HIRS_ecc_512_sha384_Cert_Chain.pem"
CLIENT_DB_P12=$CERT_PATH/HIRS_db_client_ecc_512_sha384.p12
ALIAS="hirs_aca_tls_ecc_512_sha384"
fi
check_for_container
start_mysqlsd
if [ ! -d "$CERT_PATH" ]; then
echo "$CERT_PATH directory does not exist. Please run aca_setup.sh and try again."
exit 1;
fi
if [ ! -f "$GRADLE_WRAPPER" ]; then
echo "This script needs to be run from the HIRS top level project directory. Exiting."
exit 1;
fi
echo "Starting HIRS ACA on https://localhost:8443/HIRS_AttestationCAPortal/portal/index"
./gradlew bootRun --args="--spring.config.location=$CONFIG_FILE"
source /etc/hirs/aca/aca.properties;
# Run the embedded tomcat server with Web TLS enabled and database client TLS enabled by overrding critical parameters
# Note "&" is a sub parameter continuation, space represents a new parameter. Spaces and quotes matter.
# hibernate.connection.url is used for the DB connector which established DB TLS connectivity
# server.ssl arguments support the embeded tomcats use of TLS for the ACA Portal
CONNECTOR_PARAMS="--hibernate.connection.url=jdbc:mariadb://localhost:3306/hirs_db?autoReconnect=true&\
user=$hirs_db_username&\
password=$hirs_db_password&\
sslMode=VERIFY_CA&\
serverSslCert=$CERT_CHAIN&\
keyStoreType=PKCS12&\
keyStorePassword=$hirs_pki_password&\
keyStore="$CLIENT_DB_P12" "
WEB_TLS_PARAMS="--server.ssl.key-store-password=$hirs_pki_password \
--server.ssl.trust-store-password=$hirs_pki_password"
# uncomment to show spring boot and hibernate properties used as gradle argumanets
#echo "--args=\"$CONNECTOR_PARAMS $WEB_TLS_PARAMS\""
if [ "$USE_WAR" == "war" ]; then
echo "Booting the ACA from a $USE_WAR file..."
java -jar HIRS_AttestationCAPortal/build/libs/HIRS_AttestationCAPortal.war $CONNECTOR_PARAMS$WEB_TLS_PARAMS
else
echo "Booting the ACA from local build..."
./gradlew bootRun --args="$CONNECTOR_PARAMS$WEB_TLS_PARAMS"
fi

266
package/scripts/aca/aca_check_setup.sh Executable file
View File

@ -0,0 +1,266 @@
#!/bin/bash
############################################################################################
# Checks the setup for the ACA:
# takes a -v option to provide verbose output
############################################################################################
SCRIPT_DIR=$( dirname -- "$( readlink -f -- "$0"; )"; )
LOG_FILE=/dev/null
CERT_PATH="/etc/hirs/certificates/HIRS/"
RSA_PATH=rsa_3k_sha384_certs
ECC_PATH=ecc_512_sha384_certs
RSA_HIRS_ROOT="HIRS_root_ca_rsa_3k_sha384.pem"
RSA_HIRS_INTERMEDIATE="HIRS_intermediate_ca_rsa_3k_sha384.pem"
RSA_HIRS_CA1="HIRS_leaf_ca1_rsa_3k_sha384.pem"
RSA_HIRS_CA2="HIRS_leaf_ca2_rsa_3k_sha384.pem"
RSA_HIRS_CA3="HIRS_leaf_ca3_rsa_3k_sha384.pem"
RSA_TRUST_STORE="HIRS_rsa_3k_sha384_Cert_Chain.pem"
RSA_RIM_SIGNER="HIRS_rim_signer_rsa_3k_sha384.pem"
RSA_DB_CLIENT_CERT="HIRS_db_client_rsa_3k_sha384.pem"
RSA_DN_SRV_CERT="HIRS_db_srv_rsa_3k_sha384.pem"
RSA_WEB_TLS_CERT="HIRS_aca_tls_rsa_3k_sha384.pem"
ECC_HIRS_ROOT="HIRS_root_ca_ecc_512_sha384.pem"
ECC_HIRS_INTERMEDIATE="HIRS_intermediate_ca_ecc_512_sha384.pem"
ECC_HIRS_CA1="HIRS_leaf_ca1_ecc_512_sha384.pem"
ECC_HIRS_CA2="HIRS_leaf_ca2_ecc_512_sha384.pem"
ECC_HIRS_CA3="HIRS_leaf_ca3_ecc_512_sha384.pem"
ECC_TRUST_STORE="HIRS_ecc_512_sha384_Cert_Chain.pem"
ECC_RIM_SIGNER="HIRS_rim_signer_ecc_512_sha384.pem"
ECC_DB_CLIENT_CERT="HIRS_db_client_ecc_512_sha384.pem"
ECC_DN_SRV_CERT="HIRS_db_srv_ecc_512_sha384.pem"
ECC_WEB_TLS_CERT="HIRS_aca_tls_ecc_512_sha384.pem"
DB_SRV_CONF="/etc/my.cnf.d/mariadb-server.cnf"
DB_CLIENT_CONF="/etc/my.cnf.d/client.cnf"
ALL_CHECKS_PASSED=true
ALL_CERTS_PASSED=true
# Check for Admin privileges
if [ "$EUID" -ne 0 ]; then
echo "This script requires root. Please run as root"
exit 1
fi
# Check install setup pki files
if [ ! -d $CERT_PATH ]; then
echo "$CERT_PATH directory does not exist. Please run aca_setup.sh and try again."
exit 1;
fi
# Argument handling
while [[ $# -gt 0 ]]; do
case $1 in
-v|--verbose)
ARG_VERBOSE=YES
echo "verbose parameters"
shift # past argument
;;
-*|--*)
echo "Unknown option $1"
exit 1
;;
*)
echo "Unknown argument $1"
exit 1
shift # past argument
;;
esac
done
source /etc/hirs/aca/aca.properties;
source $SCRIPT_DIR/../db/start_mysqld.sh
check_pwds () {
PRESENT=true
echo "Checking if ACA passwords are present..."
if [ -z $hirs_pki_password ]; then
echo "ACA pki password not set"
PRESENT=false
fi
if [ -z $hirs_db_username ]; then
echo "hirs db username not set"
PRESENT=false
fi
if [ -z $hirs_db_password ]; then
echo "hirs db user password not set"
PRESENT=false
fi
if [ $PRESENT ]; then
echo " ACA passwords were found"
else
echo " ERROR finding ACA passwords"
ALL_CHECKS_PASSED=false
fi
}
check_mysql_setup () {
# make sure mysql is running and restart if its not...
check_mysql
# Check DB server/client TLS setup.
if [[ $(cat "$DB_SRV_CONF" | grep -c "ssl") < 1 ]]; then
echo " Mysql server ($DB_SRV_CONF) is NOT configured for Server Side TLS"
ALL_CHECKS_PASSED=false
else
echo " Mysql server ($DB_SRV_CONF) is configured for Server Side TLS"
fi
if [[ $(cat "$DB_CLIENT_CONF" | grep -c "ssl") < 1 ]]; then
echo " Mysql client ($DB_CLIENT_CONF)is NOT configured for command line use of TLS without provding key/cert ino the commandline"
ALL_CHECKS_PASSED=false
else
echo " Mysql client ($DB_CLIENT_CONF) is configured for command line use of TLS"
fi
if [ ! -z $mysql_admin_password ]; then
if [ ! -z "${ARG_VERBOSE}" ]; then
echo "Mysql status:"
mysql -u root --password=$mysql_admin_password -e "STATUS;"
echo "Listing mysql users:"
mysql -u root --password=$mysql_admin_password -e "Select user from mysql.user;"
echo "Listing all databses:"
mysql -u root --password=$mysql_admin_password -e "show databases;"
fi
fi
}
check_cert () {
TRUST_STORE=$1
CERT=$2
RESULT=$(openssl verify -CAfile "$TRUST_STORE" $CERT)
if [ $? -ne 0 ]; then
ALL_CHECKS_PASSED=false
ALL_CERTS_PASSED=false
fi
if [ ! -z "${ARG_VERBOSE}" ]; then
echo " "$RESULT
fi
}
check_pki () {
echo "Checking ACA PKI certificates..."
if [ ! -d "/etc/hirs/certificates" ]; then
echo "/etc/hirs/certificates doesn't exists, was aca_setup.sh run ? /
Skipping PKI Checks."
fi
pushd $CERT_PATH$RSA_PATH > /dev/null
check_cert $RSA_TRUST_STORE $RSA_HIRS_ROOT
check_cert $RSA_TRUST_STORE $RSA_HIRS_INTERMEDIATE
check_cert $RSA_TRUST_STORE $RSA_HIRS_CA1
check_cert $RSA_TRUST_STORE $RSA_HIRS_CA2
check_cert $RSA_TRUST_STORE $RSA_HIRS_CA3
check_cert $RSA_TRUST_STORE $RSA_RIM_SIGNER
check_cert $RSA_TRUST_STORE $RSA_DN_SRV_CERT
check_cert $RSA_TRUST_STORE $RSA_DB_CLIENT_CERT
check_cert $RSA_TRUST_STORE $RSA_WEB_TLS_CERT
popd > /dev/null
pushd $CERT_PATH$ECC_PATH > /dev/null
check_cert $ECC_TRUST_STORE $ECC_HIRS_ROOT
check_cert $ECC_TRUST_STORE $ECC_HIRS_INTERMEDIATE
check_cert $ECC_TRUST_STORE $ECC_HIRS_CA1
check_cert $ECC_TRUST_STORE $ECC_HIRS_CA2
check_cert $ECC_TRUST_STORE $ECC_HIRS_CA3
check_cert $ECC_TRUST_STORE $ECC_RIM_SIGNER
check_cert $ECC_TRUST_STORE $ECC_DN_SRV_CERT
check_cert $ECC_TRUST_STORE $ECC_DB_CLIENT_CERT
check_cert $ECC_TRUST_STORE $ECC_WEB_TLS_CERT
popd > /dev/null
if [ -z "${ARG_VERBOSE}" ]; then
if [ $ALL_CERTS_PASSED == true ]; then
echo " All RSA and ECC certificates under $CERT_PATH are valid"
else
echo " There were error in the certificates under $CERT_PATH"
fi
keytool -list -keystore /etc/hirs/certificates/HIRS/TrustStore.jks -storepass $hirs_pki_password | grep hirs | sed -e 's/^/ /' > /dev/null
else #verbose
echo " Checking KeyStore, Keystore aliases, and pki password"
echo " Keystore alias list:"
keytool -list -keystore /etc/hirs/certificates/HIRS/TrustStore.jks -storepass $hirs_pki_password | grep hirs | sed -e 's/^/ /'
fi
if [ $? -eq 0 ]; then
echo " JKS Trust Store File (/etc/hirs/certificates/HIRS/TrustStore.jks) is correct: HIRS pki password is correct"
else
echo " Error with JKS Trust Store: HIRS pki password is NOT correct"
ALL_CHECKS_PASSED=false
fi
}
check_db () {
echo "Checking DB server TLS configuration..."
RESULT=$(mysql -u root --password=$mysql_admin_password -e "SHOW VARIABLES LIKE '%have_ssl%'" | grep -o YES )
if [ "$RESULT" == "YES" ]; then
echo " Mysql Server side TLS is enabled:"
else
echo " Mysql Sever side TLS is NOT enabled:"
ALL_CHECKS_PASSED=false
fi
RESULT=$(mysqlshow --user=hirs_db --password=$hirs_db_password hirs_db| grep -o hirs_db)
if [ "$RESULT" == "hirs_db" ]; then
echo " The hirs_db database is visable by the hirs_db user"
else
echo " The hirs_db database is NOT visable by the hirs_db user"
ALL_CHECKS_PASSED=false
fi
if [ ! -z "${ARG_VERBOSE}" ]; then
echo " Show hirs_db user config using hirs_db password"
mysql -u hirs_db --password=$hirs_db_password -e "SHOW CREATE USER 'hirs_db'@'localhost';" \
--ssl-ca=/etc/hirs/certificates/HIRS/rsa_3k_sha384_certs/HIRS_rsa_3k_sha384_Cert_Chain.pem \
--ssl-cert=/etc/hirs/certificates/HIRS/rsa_3k_sha384_certs/HIRS_db_client_rsa_3k_sha384.pem \
--ssl-key=/etc/hirs/certificates/HIRS/rsa_3k_sha384_certs/HIRS_db_client_rsa_3k_sha384.key
echo "Mysql TLS configuration"
mysql -u root --password=$mysql_admin_password -e "SHOW VARIABLES LIKE '%ssl%'"
echo "hirs_db user database access:"
mysql -u hirs_db --password=$hirs_db_password -e "SHOW DATABASES;";
echo "Privileges for the hirs_db user:"
mysql -u hirs_db --password=$hirs_db_password -e "SHOW GRANTS FOR 'hirs_db'@'localhost'"
fi
}
# Check selinux status and files that require specific contexts
check_selinux () {
SELINUXSTATUS=$(getenforce)
DB_SRV_CONTEXT=$(ls -Z $DB_SRV_CONF)
DB_CLIENT_CONTEXT=$(ls -Z $DB_CLIENT_CONF)
echo "Checking device selinux status..."
if [[ "$SELINUXSTATUS" == *"Enforcing"* ]]; then
echo " Selinux is in Enforcing mode."
if [[ "$DB_SRV_CONTEXT" == *"mysqld_etc_t"* && "$DB_CLIENT_CONTEXT" == *"mysqld_etc_t"* ]]; then
echo " Selinux status is $SELINUXSTATUS and both $DB_SRV_CONF and $DB_CLIENT_CONF contexts are correct"
elif [[ "$DB_CLIENT_CONTEXT" == *"mysqld_etc_t"* ]]; then
echo " Selinux status is $SELINUXSTATUS and $DB_CLIENT_CONF context is incorrect: $DB_CLIENT_CONTEXT"
ALL_CHECKS_PASSED=false
else
echo " Selinux status is $SELINUXSTATUS and $DB_SRV_CONF context is incorrect: $DB_SRV_CONTEXT"
ALL_CHECKS_PASSED=false
fi
else
echo " Selinux is in NOT in Enforcing mode."
fi
}
check_fips () {
echo "Checking FIPS mode on this device..."
echo " "$(sysctl -a | grep crypto.fips_enabled)
}
check_for_container
check_pwds
check_pki
check_mysql_setup
check_db
check_selinux
check_fips
if [ $ALL_CHECKS_PASSED = true ]; then
echo "ACA setup checks passed!"
else
echo "ACA setup checks failed."
fi

31
package/scripts/aca/aca_remove_setup.sh Executable file
View File

@ -0,0 +1,31 @@
#!/bin/bash
#####################################################################################
#
# Script to remove ACA setup files and database items.
#
#
#####################################################################################
SCRIPT_DIR=$( dirname -- "$( readlink -f -- "$0"; )"; )
LOG_FILE=/dev/null
# Check for Admin privileges
if [ "$EUID" -ne 0 ]; then
echo "This script requires root. ACA setup not removed. Please run as root."
exit 1
fi
if [ ! -f /etc/hirs/aca/aca.properties ]; then
echo "aca.properties does not exist, aborting."
exit 1
fi
# remove the hrs-db and hirs_db user
pushd $SCRIPT_DIR/../db/
sh db_drop.sh
popd
# remove pki files and config files
echo "Removing certificates and config files..."
rm -rf /etc/hirs
echo "ACA setup removal complete."

118
package/scripts/aca/aca_setup.sh Normal file → Executable file
View File

@ -1,50 +1,108 @@
#!/bin/bash
# Capture location of the script to allow from invocation from any location
SCRIPT_DIR=$( dirname -- "$( readlink -f -- "$0"; )"; )
SPRING_PROP_FILE='../../../HIRS_AttestationCAPortal/src/main/resources/application.properties'
HIRS_CONF_DIR=/etc/hirs/aca
LOG_FILE_NAME="hirs_aca_install_"$(date +%Y-%m-%d).log
LOG_DIR="/var/log/hirs/"
HIRS_PROP_DIR="/opt/hirs/default-properties"
COMP_JSON='../../../HIRS_AttestationCA/src/main/resources/component-class.json'
VENDOR_TABLE='../../../HIRS_AttestationCA/src/main/resources/vendor-table.json'
LOG_FILE="$LOG_DIR$LOG_FILE_NAME"
echo "LOG_FILE is $LOG_FILE"
HIRS_PROP_DIR="/opt/hirs/default-properties"
if [ "$EUID" -ne 0 ]
then echo "The first time this script is run, this script requires root. Please run as root"
help () {
echo " Setup script for the HIRS ACA"
echo " Syntax: sh aca_setup.sh [-u|h|sb|sp|--skip-db|--skip-pki]"
echo " options:"
echo " -u | --unattended Run unattended"
echo " -h | --help Print this Help."
echo " -sp | --skip-pki run the setup without pki setup."
echo " -sb | --skip-db run the setup without databse setup."
echo
}
# Process parameters Argument handling
POSITIONAL_ARGS=()
ORIGINAL_ARGS=("$@")
while [[ $# -gt 0 ]]; do
case $1 in
-sd|--skip-db)
ARG_SKIP_DB=YES
shift # past argument
;;
-sp|--skip-pki)
ARG_SKIP_PKI=YES
shift # past argument
;;
-u|--unattended)
ARG_UNATTEND=YES
shift # past argument
;;
-h|--help)
help
exit 0
shift # past argument
;;
-*|--*)
echo "aca_setup.sh: Unknown option $1"
help
exit 1
fi
;;
*)
POSITIONAL_ARGS+=("$1") # save positional arg
# shift # past argument
break
;;
esac
done
set -- "${POSITIONAL_ARGS[@]}" # restore positional parameters
mkdir -p $HIRS_CONF_DIR $LOG_DIR $HIRS_PROP_DIR
echo "HIRS ACA Setup initiated on $(date +%Y-%m-%d)" > "$LOG_FILE"
echo "ACA setup log file is $LOG_FILE"
if [ "$EUID" -ne 0 ]
then echo "This script requires root. Please run as root"
exit 1
fi
touch "$LOG_FILE"
echo "HIRS ACA Setup initiated on $(date +%Y-%m-%d)" >> "$LOG_FILE"
pushd $SCRIPT_DIR &>/dev/null
# Copy HIRS configuration and data files if not a package install
if [ -f $SPRING_PROP_FILE ]; then
cp -n $SPRING_PROP_FILE $HIRS_CONF_DIR/.
cp -n $COMP_JSON $HIRS_PROP_DIR/.
cp -n $VENDOR_TABLE $HIRS_PROP_DIR/.
fi
sh ../db/db_create.sh $LOG_FILE
if [ $? -eq 0 ]; then
echo "ACA database setup complete" | tee -a "$LOG_FILE"
# Set HIRS PKI password
if [ -z $HIRS_PKI_PWD ]; then
# Create a 32 character random password
PKI_PASS=$(head -c 64 /dev/urandom | md5sum | tr -dc 'a-zA-Z0-9')
echo "Using randomly generated password for the PKI key password" | tee -a "$LOG_FILE"
else
echo "Error setting up ACA DB" | tee -a "$LOG_FILE"
exit 1
fi
sh ../pki/pki_setup.sh $LOG_FILE
if [ $? -eq 0 ]; then
echo "ACA PKI setup complete" | tee -a "$LOG_FILE"
else
echo "Error setting up ACA PKI" | tee -a "$LOG_FILE"
exit 1
PKI_PASS=$HIRS_PKI_PWD
echo "Using system supplied password for the PKI key password" | tee -a "$LOG_FILE"
fi
echo "ACA setup complete" | tee -a "$LOG_FILE"
if [ -z "${ARG_SKIP_PKI}" ]; then
sh ../pki/pki_setup.sh $LOG_FILE $PKI_PASS $ARG_UNATTEND
if [ $? -eq 0 ]; then
echo "ACA PKI setup complete" | tee -a "$LOG_FILE"
else
echo "Error setting up ACA PKI" | tee -a "$LOG_FILE"
exit 1
fi
else
echo "ACA PKI setup not run due to command line argument: $ORIGINAL_ARGS" | tee -a "$LOG_FILE"
fi
if [ -z "${ARG_SKIP_DB}" ]; then
sh ../db/db_create.sh $LOG_FILE $ARG_UNATTEND
if [ $? -eq 0 ]; then
echo "ACA database setup complete" | tee -a "$LOG_FILE"
else
echo "Error setting up ACA DB" | tee -a "$LOG_FILE"
exit 1
fi
else
echo "ACA Database setup not run due to command line argument: $ORIGINAL_ARGS" | tee -a "$LOG_FILE"
fi
echo "ACA setup complete" | tee -a "$LOG_FILE"
popd &>/dev/null

90
package/scripts/aca/certificate_generate.sh
View File

@ -1,90 +0,0 @@
#!/usr/bin/env bash
# Check if we're in a Docker container
if [ -f /.dockerenv ]; then
DOCKER_CONTAINER=true
else
DOCKER_CONTAINER=false
fi
# variables for the CA certificates
CA_PATH=/etc/hirs/certificates
CA_KEYSTORE=${CA_PATH}/TrustStore.jks
# variables for the ACA certificates
ACA_CERTS=/etc/hirs/aca/certificates
ACA_KEY=${ACA_CERTS}/aca.key
ACA_CRT=${ACA_CERTS}/aca.crt
ACA_P12=${ACA_CERTS}/aca.p12
ACA_JKS=${ACA_CERTS}/keyStore.jks
ACA_CONF=${ACA_CERTS}/aca.conf
# generate the OpenSSL conf file
echo "[req]" >> ${ACA_CONF}
echo "req_extensions=aca" >> ${ACA_CONF}
echo "distinguished_name=distname" >> ${ACA_CONF}
echo "" >> ${ACA_CONF}
echo "[aca]" >> ${ACA_CONF}
echo "keyUsage=critical,keyCertSign" >> ${ACA_CONF}
echo "basicConstraints=critical,CA:true" >> ${ACA_CONF}
echo "subjectKeyIdentifier=hash" >> ${ACA_CONF}
echo "" >> ${ACA_CONF}
echo "[distname]" >> ${ACA_CONF}
echo "# empty" >> ${ACA_CONF}
# generate the ACA signing key and self-signed certificate
openssl req -x509 -config ${ACA_CONF} -extensions aca -days 3652 -set_serial 01 -subj "/C=US/O=HIRS/OU=Attestation CA/CN=$HOSTNAME" -newkey rsa:2048 -nodes -keyout ${ACA_KEY} -out ${ACA_CRT}
# if the trust store already has an older HIRS_ACA_KEY in it, remove it
keytool -list -keystore ${CA_KEYSTORE} -storepass password -alias HIRS_ACA_KEY
rc=$?
if [[ $rc = 0 ]]; then
keytool -delete -alias HIRS_ACA_KEY -storepass password -keystore ${CA_KEYSTORE}
fi
# load the generated certificate into the CA trust store
keytool -import -keystore ${CA_KEYSTORE} -storepass password -file ${ACA_CRT} -noprompt -alias HIRS_ACA_KEY
# export the cert and key to a p12 file
openssl pkcs12 -export -in ${ACA_CRT} -inkey ${ACA_KEY} -out ${ACA_P12} -passout pass:password
# create a key store using the p12 file
keytool -importkeystore -srckeystore ${ACA_P12} -destkeystore ${ACA_JKS} -srcstoretype pkcs12 -srcstorepass password -deststoretype jks -deststorepass password -noprompt -alias 1 -destalias HIRS_ACA_KEY
# set the password in the aca properties file
sed -i "s/aca\.keyStore\.password\s*=/aca.keyStore.password=password/" /etc/hirs/aca/aca.properties
# copy the trust store to the ACA
cp ${CA_KEYSTORE} /etc/hirs/aca/client-files/
# start up the tomcat service
# Guess where Tomcat is installed and what it's called:
if [ -d /usr/share/tomcat6 ] ; then
TOMCAT_SERVICE=tomcat6
elif [ -d /usr/share/tomcat ] ; then
TOMCAT_SERVICE=tomcat
else
echo "Can't find Tomcat installation"
exit 1
fi
# restart tomcat after updating the trust store.
if [ $DOCKER_CONTAINER = true ]; then
# If in Docker container, avoid services that invoke the D-Bus
if [[ $(ss -t -l -n | grep -q LISTEN.*:::8009) -eq 0 ]]; then
echo "Tomcat is running, so we restart it."
/usr/libexec/tomcat/server stop
# Wait for Tomcat to stop completely and prevent port bind collisions
while [ -z "$(tail -n 1 /var/log/tomcat/catalina.$(date +"%Y-%m-%d").log | grep "Destroying ProtocolHandler \[\"http-bio-8443\"\]")" ]; do
:
done
(/usr/libexec/tomcat/server start) &
# Wait for Tomcat to boot completely
until [ "`curl --silent --connect-timeout 1 -I http://localhost:8080 | grep 'Coyote'`" != "" ]; do
:
done
fi
else
/sbin/service ${TOMCAT_SERVICE} restart;
fi

26
package/scripts/common/firewall_configure_tomcat.sh
View File

@ -1,26 +0,0 @@
if ! [ $(id -u) = 0 ]; then
echo "Please run this script as root."
exit 1
fi
if [[ -f /etc/redhat-release ]] ; then
CENTOS_VER=`/opt/hirs/scripts/common/get_centos_major_version.sh`
elif [[ -f /etc/os-release ]] ; then
AMAZON_VER=`/opt/hirs/scripts/common/get_amazon_linux_major_version.sh`
fi
if [ $CENTOS_VER -eq "6" ] ; then
checkHTTPS=`iptables-save | grep -- "--dport 8443 -j ACCEPT"`
if [[ $checkHTTPS == "" ]]; then
echo "Tomcat HTTPS firewall rule doesn't exist, adding now"
iptables -I INPUT 1 -p tcp -m tcp --dport 8443 -j ACCEPT
service iptables save
fi
elif [ $CENTOS_VER -eq "7" ] || [ $AMAZON_VER -eq "2" ] ; then
firewall-cmd --direct --permanent --add-rule ipv4 filter INPUT 0 -p tcp --dport 8443 -j ACCEPT
firewall-cmd --reload
else
echo "Unsupported Linux detected"
exit 1
fi

1
package/scripts/common/get_centos_major_version.sh
View File

@ -1 +0,0 @@
cat /etc/redhat-release | grep -Eo "release [0-9]" | tail -c 2

8
package/scripts/common/get_db_service.sh
View File

@ -1,8 +0,0 @@
if [[ $(rpm -qa mariadb*) ]]; then
echo "mariadb"
elif [[ $(rpm -qa mysql-server*) ]]; then
echo "mysqld"
else
echo "Could not determine installed database"
exit 1
fi

6
package/scripts/common/jvm_version_check.sh
View File

@ -1,6 +0,0 @@
# only argument to this script is the java command to use in this version check
JAVA_SPEC_VER=`$1 -XshowSettings:properties -version 2>&1 | grep java.specification.version | grep -Eo "[0-9]\.[0-9]+"`
case "$JAVA_SPEC_VER" in
"1.8"|"1.9"|"1.10"|"1.11"|"1.12" ) ;;
* ) echo "HIRS needs to be run with a JVM supporting at least specification 1.8. Found $JAVA_SPEC_VER." && exit 1 ;;
esac

8
package/scripts/common/my.cnf.el7
View File

@ -1,8 +0,0 @@
#begin-hirs-cfg
ssl-ca=/etc/hirs/certificates/mysql/hirs.ca.cert
ssl-cert=/etc/hirs/certificates/mysql/hirs-cert.pem
ssl-key=/etc/hirs/certificates/mysql/hirs-key.pem
innodb_large_prefix=1
innodb_file_format=BARRACUDA
innodb_file_per_table=1
#end-hirs-cfg

5
package/scripts/common/secure_mysql.sql
View File

@ -1,5 +0,0 @@
DELETE FROM mysql.user WHERE User='';
DELETE FROM mysql.user WHERE User='root' AND Host NOT IN ('localhost', '127.0.0.1', '::1');
DROP DATABASE IF EXISTS test;
DELETE FROM mysql.db WHERE Db='test' OR Db='test\\_%';
FLUSH PRIVILEGES

253
package/scripts/common/ssl_configure.sh
View File

@ -1,253 +0,0 @@
#!/usr/bin/env bash
# certificates and key stores generated by this script
CERTIFICATES="/etc/hirs/certificates"
CA_CERT=${CERTIFICATES}/hirs.ca.cert
INTERNAL_P12=${CERTIFICATES}/hirs.p12
KEYSTORE_JKS=${CERTIFICATES}/keyStore.jks
TRUSTSTORE_JKS=${CERTIFICATES}/TrustStore.jks
CA_CERT_DIR_ESCAPED=\\/etc\\/hirs\\/certificates
# 'private' data generated by this script
CA_PEM=${CERTIFICATES}/private/hirs.ca.pem
P12_DATA=${CERTIFICATES}/private/p12.data
echo 'Checking SSL configuration for HIRS'
# Check if we're in a Docker container
if [ -f /.dockerenv ]; then
DOCKER_CONTAINER=true
else
DOCKER_CONTAINER=false
fi
#################
# Key Generation
#################
# if the CA PEM file does not exist, generate the HIRS CA file and associated keystore and truststores
if ! [ -f $CA_PEM ]; then
echo 'Generating certificates'
# create directory structure
mkdir -p ${CERTIFICATES}/private
# Generate our random key store password. We need to do this before configuring Tomcat, as we'll
# need to add it to Tomcat's configuration file. Read a block of raw data bytes from /dev/urandom
# and convert it to text characters. Not the greatest, but hey:
echo 'Creating random key material'
P12_PASSWORD=$(head -c 64 /dev/urandom | md5sum | tr -dc 'a-zA-Z0-9')
# generate a key and certificate. The key is the private key used to sign the well known CA cert.
echo 'Creating 2048 bit key'
openssl req -x509 -nodes -days 3652 -newkey rsa:2048 -keyout ${CA_PEM} -out ${CA_CERT} -subj "/C=US/O=HIRS/OU=Common/CN=$(hostname)"
# export the certificate and key as a p12 file
echo 'Exporting key'
openssl pkcs12 -export -in ${CA_CERT} -inkey ${CA_PEM} -out ${INTERNAL_P12} -passout pass:${P12_PASSWORD}
# create a key store using the pk12 file.
echo 'Configuring keystore'
keytool -importkeystore -srckeystore ${INTERNAL_P12} -destkeystore ${KEYSTORE_JKS} -srcstoretype pkcs12 -srcstorepass ${P12_PASSWORD} -deststoretype jks -deststorepass ${P12_PASSWORD} -noprompt
# import the root CA certificate into the trust store.
echo 'Configuring truststore'
keytool -import -keystore ${TRUSTSTORE_JKS} -storepass password -file ${CA_CERT} -noprompt
# write P12 password to file
echo $P12_PASSWORD > $P12_DATA
# set appropriate permissions on certificates
chmod 775 /etc/hirs/certificates/
chmod -R 664 /etc/hirs/certificates/*
chmod 700 /etc/hirs/certificates/private
chmod -R 600 /etc/hirs/certificates/private/*
else
# if the certificate was previously generated, grab the P12 password out of the file
P12_PASSWORD=`cat $P12_DATA`
fi
#################
# ActiveMQ
#################
if [[ $1 = "server" ]]; then
if [ -f "/srv/activemq/current/conf/activemq.xml" ] ; then
if [[ -n `grep -o "keyStorePassword=\"\"" /srv/activemq/current/conf/activemq.xml` ]]; then
echo "Configuring ActiveMQ SSL"
# set the key store password for the messaging service
sed -i -r "s/keyStorePassword=\"\w*\"/keyStorePassword=\"${P12_PASSWORD}\"/g" /srv/activemq/current/conf/activemq.xml
fi
fi
fi
#################
# Tomcat
#################
if [[ $1 = "server" ]]; then
# determine which version of tomcat is installed
rpm -q tomcat6
if [[ $? -eq 0 ]]; then
TOMCAT_VERSION=`rpm -q --qf="%{VERSION}" tomcat6`
else
TOMCAT_VERSION=`rpm -q --qf="%{VERSION}" tomcat`
fi
TOMCAT_MAJOR_VERSION=`echo $TOMCAT_VERSION | head -c 1`
if [[ $TOMCAT_MAJOR_VERSION = '6' ]]; then
CATALINA_HOME=/usr/share/tomcat6
TOMCAT_SERVICE=tomcat6
TOMCAT_CONF=${CATALINA_HOME}/conf/tomcat6.conf
elif [[ $TOMCAT_MAJOR_VERSION = '7' ]] ; then
CATALINA_HOME=/usr/share/tomcat
TOMCAT_SERVICE=tomcat
TOMCAT_CONF=${CATALINA_HOME}/conf/tomcat.conf
else
echo "Unsupported Tomcat version: ${TOMCAT_MAJOR_VERSION}"
exit 1
fi
if [[ -z `grep -o "keystoreFile=\"${CA_CERT_DIR_ESCAPED}\/keyStore.jks\"" $CATALINA_HOME/conf/server.xml` ]]; then
echo "Configuring Tomcat SSL"
chown -R root:tomcat /etc/hirs/certificates/
# create an alias in the keystore for tomcat
alias=$(keytool -list -v -keystore ${KEYSTORE_JKS} -storepass ${P12_PASSWORD} | grep -B2 'PrivateKeyEntry' | grep 'Alias name:')
keytool -changealias -alias ${alias#*:} -destalias tomcat -v -keystore ${KEYSTORE_JKS} -storepass ${P12_PASSWORD}
# Set up Tomcat. We need to ensure that Tomcat is running as a service
chkconfig ${TOMCAT_SERVICE} on
# Configure the server.xml file such that it uses our key store and trust store
if [ $DOCKER_CONTAINER = true ]; then
# If in Docker container, avoid services that invoke the D-Bus
if [[ $(pgrep -c -f /usr/share/tomcat) -ne 0 ]]; then
echo "Tomcat is running, so we stop it."
/usr/libexec/tomcat/server stop
fi
else
service ${TOMCAT_SERVICE} stop
fi
# Configure Tomcat SSL properly. The method for doing this changes from 6.0.38 onward.
rpmdev-vercmp 6.0.38 $TOMCAT_VERSION
VERCMP_STATUS=$?
if [[ $VERCMP_STATUS -eq 0 ]] || [[ $VERCMP_STATUS -eq 12 ]]; then
# Tomcat v 6.0.38 or newer
sed -i "s/.*<\/Service>/<Connector port=\"8443\" protocol=\"HTTP\/1.1\" compression=\"on\" compressionMinSize=\"2048\" compressableMimeType=\"text\/html, text\/xml\" SSLEnabled=\"true\" maxThreads=\"150\" scheme=\"https\" secure=\"true\" clientAuth=\"want\" sslProtocol=\"TLS\" sslEnabledProtocols=\"TLSv1.2\" ciphers=\"TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384\" keystoreFile=\"${CA_CERT_DIR_ESCAPED}\/keyStore.jks\" keystorePass=\"$P12_PASSWORD\" truststoreFile=\"${CA_CERT_DIR_ESCAPED}\/TrustStore.jks\" truststorePass=\"password\" \/><\/Service>/" $CATALINA_HOME/conf/server.xml
elif [[ $VERCMP_STATUS -eq 11 ]]; then
# Older than Tomcat 6.0.38
sed -i "s/.*<\/Service>/<Connector port=\"8443\" label=\"HIRS\" protocol=\"HTTP\/1.1\" compression=\"on\" compressionMinSize=\"2048\" compressableMimeType=\"text\/html, text\/xml\" SSLEnabled=\"true\" maxThreads=\"150\" scheme=\"https\" secure=\"true\" clientAuth=\"want\" sslProtocol=\"TLS\" protocols=\"TLSv1.2\" ciphers=\"TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384\" SSLDisableCompression=\"true\" keystoreFile=\"${CA_CERT_DIR_ESCAPED}\/keyStore.jks\" keystorePass=\"$P12_PASSWORD\" truststoreFile=\"${CA_CERT_DIR_ESCAPED}\/TrustStore.jks\" truststorePass=\"password\" \/><\/Service>/" $CATALINA_HOME/conf/server.xml
else
echo "Unknown rpmdev-vercmp exit code: ${VERCMP_STATUS}"
exit 1
fi
sed -i 's/.*<\/tomcat-users>/<user username="tomcat" password="tomcat" roles="admin,admin-gui,manager,manager-gui"\/> <\/tomcat-users>/' $CATALINA_HOME/conf/tomcat-users.xml
# ensure tomcat is using the trust store and key store for all other SSL operations.
cat << EOF >> ${TOMCAT_CONF}
#begin-hirs-conf
JAVA_OPTS="-Djavax.sql.DataSource.Factory=org.apache.commons.dbcp.BasicDataSourceFactory -Xmx1536m -Djavax.net.ssl.keyStore=${KEYSTORE_JKS} -Djavax.net.ssl.keyStorePassword=${P12_PASSWORD} -Djavax.net.ssl.trustStore=${TRUSTSTORE_JKS} -Djavax.net.ssl.trustStorePassword=password"
#end-hirs-conf
EOF
# (3) set tomcat user as owner of tomcat installation
chgrp -R tomcat ${CATALINA_HOME}
if [ $DOCKER_CONTAINER = true ]; then
# If in Docker container, avoid services that invoke the D-Bus
(/usr/libexec/tomcat/server start) &
# Wait for Tomcat to boot completely
until [ "`curl --silent --connect-timeout 1 -I http://localhost:8080 | grep 'Coyote'`" != "" ]; do
:
done
else
service ${TOMCAT_SERVICE} start
fi
fi
fi
#################
# Appraiser
#################
if [[ $1 = "appraiser" ]]; then
APPRAISER_SCRIPT="/opt/hirs/appraiser/bin/HIRS_Appraiser"
if [[ -z `grep -o "\-Djavax.net.ssl.keyStorePassword" $APPRAISER_SCRIPT` ]]; then
echo "Configuring Appraiser SSL"
# grab the line number of the JVM options for the client script
VM_OPTS=$(awk '/DEFAULT_JVM_OPTS/{print NR; exit }' ${APPRAISER_SCRIPT})
# append the key store password to the client startup script
sed -i "${VM_OPTS}s/'$/ \"-Djavax.net.ssl.keyStorePassword=${P12_PASSWORD}\"\'/" ${APPRAISER_SCRIPT}
fi
fi
#################
# MySQL/MariaDB
#################
if [[ $1 = "server" ]]; then
MYSQL_CERT_DIR=/etc/hirs/certificates/mysql/
if ! [[ -d $MYSQL_CERT_DIR ]]; then
echo "Configuring MySQL SSL"
# apply MySQL SSL configuration:
mkdir -p $MYSQL_CERT_DIR
# copy CA cert over
cp $CA_CERT $MYSQL_CERT_DIR/
# convert p12 key to pem
openssl pkcs12 -in $INTERNAL_P12 -out $MYSQL_CERT_DIR/hirs.pem -nodes -passin pass:${P12_PASSWORD} -passout pass:
# extract cert from pem into its own file
openssl x509 -in $MYSQL_CERT_DIR/hirs.pem -outform PEM -out $MYSQL_CERT_DIR/hirs-cert.pem
# extract key from pem into its own file
openssl pkey -in $MYSQL_CERT_DIR/hirs.pem -outform PEM -out $MYSQL_CERT_DIR/hirs-key.pem
# make readable to user named 'mysql'
chgrp -R mysql $MYSQL_CERT_DIR
chmod -R 770 $MYSQL_CERT_DIR
# update MySQL/MariaDB SSL and index configuration
if [[ -f /etc/redhat-release ]] ; then
CENTOS_VER=`/opt/hirs/scripts/common/get_centos_major_version.sh`
elif [[ -f /etc/os-release ]] ; then
AMAZON_VER=`/opt/hirs/scripts/common/get_amazon_linux_major_version.sh`
fi
if [ $CENTOS_VER -eq "6" ] ; then
MYSQL_ADDITIONS_FILE=/opt/hirs/scripts/common/my.cnf.el6
elif [ $CENTOS_VER -eq "7" ] || [ $AMAZON_VER -eq "2" ] ; then
MYSQL_ADDITIONS_FILE=/opt/hirs/scripts/common/my.cnf.el7
else
echo "Unsupported Linux detected"
exit 1
fi
sed -i "/\[mysqld\]/r $MYSQL_ADDITIONS_FILE" /etc/my.cnf
if [ $DOCKER_CONTAINER = true ]; then
# If in Docker container, avoid services that invoke the D-Bus
if [[ $(pgrep -c -u mysql mysqld) -ne 0 ]]; then
echo "MariaDB is running, so we'll need to restart it."
mysqladmin shutdown
/usr/libexec/mariadb-prepare-db-dir
nohup /usr/bin/mysqld_safe --basedir=/usr &>/dev/null &
MYSQLD_PID=$(pgrep -u mysql mysqld)
/usr/libexec/mariadb-wait-ready $MYSQLD_PID
fi
else
SQL_SERVICE=`/opt/hirs/scripts/common/get_db_service.sh`
service $SQL_SERVICE restart
fi
fi
fi

92
package/scripts/common/ssl_deconfigure.sh
View File

@ -1,92 +0,0 @@
#!/usr/bin/env bash
# certificates and key stores generated by this script
CERTIFICATES="/etc/hirs/certificates"
#################
# Key Generation
#################
# leave certificate directory intact on uninstall
#################
# ActiveMQ
#################
# no need to deconfigure, as it will be completely removed during uninstall
#################
# Tomcat
#################
if [[ $1 = "server" ]]; then
# determine which version of tomcat is installed
rpm -q tomcat6
if [[ $? -eq 0 ]]; then
TOMCAT_VERSION=`rpm -q --qf="%{VERSION}" tomcat6`
else
TOMCAT_VERSION=`rpm -q --qf="%{VERSION}" tomcat`
fi
TOMCAT_MAJOR_VERSION=`echo $TOMCAT_VERSION | head -c 1`
if [[ $TOMCAT_MAJOR_VERSION = '6' ]]; then
CATALINA_HOME=/usr/share/tomcat6
TOMCAT_SERVICE=tomcat6
TOMCAT_CONF=${CATALINA_HOME}/conf/tomcat6.conf
elif [[ $TOMCAT_MAJOR_VERSION = '7' ]] ; then
CATALINA_HOME=/usr/share/tomcat
TOMCAT_SERVICE=tomcat
TOMCAT_CONF=${CATALINA_HOME}/conf/tomcat.conf
else
echo "Unsupported Tomcat version: ${TOMCAT_MAJOR_VERSION}"
exit 1
fi
if [[ -n `grep -o keystorePass $CATALINA_HOME/conf/server.xml` ]]; then
SERVER_CONF=${CATALINA_HOME}/conf/server.xml
TOMCAT_USERS=${CATALINA_HOME}/conf/tomcat-users.xml
echo "Restoring $TOMCAT_CONF"
sed -i "/^#begin-hirs-conf/,/^#end-hirs-conf/d" "$TOMCAT_CONF"
echo "Restoring $SERVER_CONF"
sed -i "s^<Connector port=\"8443\".*/></Service>^</Service>^" "$SERVER_CONF"
echo "Restoring $TOMCAT_USERS"
sed -i "s/<user username=\"tomcat\" password=\"tomcat\" roles=\"admin,admin-gui,manager,manager-gui.*<\/tomcat-users>/<\/tomcat-users>/" "$TOMCAT_USERS"
fi
fi
#################
# Appraiser
#################
# no need to deconfigure, as it will be completely removed during uninstall
#################
# MySQL/MariaDB
#################
if [[ $1 = "server" ]]; then
MYSQL_CERT_DIR=${CERTIFICATES}/mysql/
if [[ -d $MYSQL_CERT_DIR ]]; then
# stop the database
if [[ $(rpm -qa mariadb*) ]]; then
service mariadb stop
else
service mysqld stop
fi
rm -rf $MYSQL_CERT_DIR
sed -i "/^#begin-hirs-conf/,/^#end-hirs-conf/d" /etc/my.cnf
# start the database
if [[ $(rpm -qa mariadb*) ]]; then
service mariadb start
else
service mysqld start
fi
fi
fi

213
package/scripts/db/db_create.sh
View File

@ -5,88 +5,153 @@
# Environment variables used:
# a. HIRS_MYSQL_ROOT_PWD: Set this variable if mysql root password is already set
# b. HIRS_DB_PWD: Set the pwd if default password to hirs_db user needs to be changed
# HIRS_MYSQL_ROOT_NEW_PWD wil be ignored if HIRS_MYSQL_ROOT_EXSITING_PWD is set.
################################################################################
LOG_FILE=$1
UNATTENDED=$2
# Capture location of the script to allow from invocation from any location
SCRIPT_DIR=$( dirname -- "$( readlink -f -- "$0"; )"; )
# Set Mysql HIRS DB password
if [ -z $HIRS_DB_PWD ]; then
HIRS_DB_PWD="hirs_db"
fi
# Save hirs_db mysql user password to the properties file
mkdir -p /etc/hirs
echo "hibernate.connection.username="hirs_db"" > /etc/hirs/hibernate.properties
echo "hibernate.connection.password=$HIRS_DB_PWD" >> /etc/hirs/hibernate.properties
SPRING_PROP_FILE="/etc/hirs/aca/application.properties"
ACA_PROP_FILE="/etc/hirs/aca/aca.properties"
DB_ADMIN_PWD=""
# Db Configuration files
DB_SRV_CONF="/etc/my.cnf.d/mariadb-server.cnf"
DB_CLIENT_CONF="/etc/my.cnf.d/client.cnf"
# Default Server Side Certificates
SSL_DB_SRV_CHAIN="/etc/hirs/certificates/HIRS/rsa_3k_sha384_certs/HIRS_rsa_3k_sha384_Cert_Chain.pem";
SSL_DB_SRV_CERT="/etc/hirs/certificates/HIRS/rsa_3k_sha384_certs/HIRS_db_srv_rsa_3k_sha384.pem";
SSL_DB_SRV_KEY="/etc/hirs/certificates/HIRS/rsa_3k_sha384_certs/HIRS_db_srv_rsa_3k_sha384.key";
# Default Client Side Certificates
SSL_DB_CLIENT_CHAIN="/etc/hirs/certificates/HIRS/rsa_3k_sha384_certs/HIRS_rsa_3k_sha384_Cert_Chain.pem";
SSL_DB_CLIENT_CERT="/etc/hirs/certificates/HIRS/rsa_3k_sha384_certs/HIRS_db_client_rsa_3k_sha384.pem";
SSL_DB_CLIENT_KEY="/etc/hirs/certificates/HIRS/rsa_3k_sha384_certs/HIRS_db_client_rsa_3k_sha384.key";
# Check if we're in a Docker container
if [ -f /.dockerenv ]; then
DOCKER_CONTAINER=true
else
DOCKER_CONTAINER=false
fi
touch $ACA_PROP_FILE
touch $LOG_FILE
touch $DB_SRV_CONF
# Check if mysql is already running, if not initialize
if [[ $(pgrep -c -u mysql mysqld) -eq 0 ]]; then
# Check if running in a container
if [ $DOCKER_CONTAINER = true ]; then
# if in Docker container, avoid services that invoke the D-Bus
echo "ACA is running in a container..."
# Check if mariadb is setup
if [ ! -d "/var/lib/mysql/mysql/" ]; then
echo "Installing mariadb"
/usr/bin/mysql_install_db
chown -R mysql:mysql /var/lib/mysql/
fi
echo "Starting mysql...."
chown -R mysql:mysql /var/log/mariadb
/usr/bin/mysqld_safe &
# Make sure required paths exist
mkdir -p /etc/hirs/aca/
mkdir -p /var/log/hirs/
source $SCRIPT_DIR/start_mysqld.sh
source $ACA_PROP_FILE
check_mysql_root_pwd () {
# Check if DB root password needs to be obtained
if [ -z $HIRS_MYSQL_ROOT_PWD ]; then
# Create a 32 character random password
echo "Using randomly generated password for the DB admin" | tee -a "$LOG_FILE"
DB_ADMIN_PWD=$(head -c 64 /dev/urandom | md5sum | tr -dc 'a-zA-Z0-9')
echo "DB Admin will be set to $DB_ADMIN_PWD , please make note for next mysql use."
# Check UNATTENDED flag set m if not then prompt user for permission ot store mysql root password
if [ -z $UNATTENDED ]; then
read -p "Do you wish to save this password to the aca.properties file? " confirm
if [[ $confirm == [yY] || $confirm == [yY][eE][sS] ]]; then
echo "mysql_admin_password=$DB_ADMIN_PWD" >> $ACA_PROP_FILE
echo "Mysql root password saved locally"
else
echo "Mysql root password not saved locally"
fi
else
echo "mysql_admin_password=$DB_ADMIN_PWD" >> $ACA_PROP_FILE
echo "Mysql root password has been saved locally."
fi
mysqladmin --user=root password "$DB_ADMIN_PWD"
else
DB_ADMIN_PWD=$HIRS_MYSQL_ROOT_PWD
echo "Using system variable supplied password" | tee -a "$LOG_FILE"
fi
# Make sure root password is correct
$(mysql -u root -p$DB_ADMIN_PWD -e 'quit' &> /dev/null);
if [ $? -eq 0 ]; then
echo "root password verified" | tee -a "$LOG_FILE"
else
echo "MYSQL root password was not the default, not supplied, or was incorrect"
echo " please set the HIRS_MYSQL_ROOT_PWD system variable and retry."
echo " ********** ACA Mysql setup aborted ********" ;
exit 1;
fi
}
set_mysql_server_tls () {
# Check DB server setup. If ssl params dont exist then we need to add them.
if [[ $(cat "$DB_SRV_CONF" | grep -c "ssl") < 1 ]]; then
# Add TLS files to my.cnf
echo "Updating $DB_SRV_CONF with ssl parameters..." | tee -a "$LOG_FILE"
echo "ssl_ca=$SSL_DB_SRV_CHAIN" >> "$DB_SRV_CONF"
echo "ssl_cert=$SSL_DB_SRV_CERT" >> "$DB_SRV_CONF"
echo "ssl_key=$SSL_DB_SRV_KEY" >> "$DB_SRV_CONF"
# Make sure mysql can access them
chown mysql:mysql $SSL_DB_SRV_CHAIN $SSL_DB_SRV_CERT $SSL_DB_SRV_KEY
# Make selinux contexts for config files, if selinux is enabled
selinuxenabled
if [ $? -eq 0 ]; then
semanage fcontext -a -t mysqld_etc_t $DB_SRV_CONF > /dev/null #adds the context type to file
restorecon -v -F $DB_SRV_CONF > /dev/null # changes the file's context type
fi
else
echo "mysql.cnf contians existing entry for ssl, skipping..." | tee -a "$LOG_FILE"
fi
}
set_mysql_client_tls () {
# Update ACA property file with client cert info, if not there already
if [[ $(cat "$DB_CLIENT_CONF" | grep -c "ssl") < 1 ]]; then
echo "Updating $DB_CLIENT_CONF with ssl parameters..." | tee -a "$LOG_FILE"
echo "ssl_ca=$SSL_DB_CLIENT_CHAIN" >> $DB_CLIENT_CONF
echo "ssl_cert=$SSL_DB_CLIENT_CERT" >> $DB_CLIENT_CONF
echo "ssl_key=$SSL_DB_CLIENT_KEY" >> $DB_CLIENT_CONF
chown mysql:mysql $SSL_DB_CLIENT_CHAIN $SSL_DB_CLIENT_CERT $SSL_DB_CLIENT_KEY
# Make selinux contexts for config files, if selinux is enabled
selinuxenabled
if [ $? -eq 0 ]; then
semanage fcontext -a -t mysqld_etc_t $DB_CLIENT_CONFf > /dev/null #adds the context type to file
restorecon -F $DB_CLIENT_CONF > /dev/null #changes the file's context type
fi
fi
}
# Process HIRS DB USER
set_hirs_db_pwd () {
RESULT="$(mysql -u root --password=$DB_ADMIN_PWD -e "SELECT EXISTS(SELECT 1 FROM mysql.user WHERE user = 'hirs_db')")"
if [ "$RESULT" = 1 ]; then
echo "hirs-db user exists"
HIRS_DB_PWD=$hirs_db_password
else
SQL_SERVICE="mariadb"
systemctl $SQL_SERVICE enable
systemctl $SQL_SERVICE start
fi
fi
# Check if Mysql HIRS DB password set by system variable or set to random number
if [ -z $HIRS_DB_PWD ]; then
HIRS_DB_PWD=$(head -c 64 /dev/urandom | md5sum | tr -dc 'a-zA-Z0-9')
fi
# Wait for mysql to start before continuing.
echo "Checking mysqld status..."
while ! mysqladmin ping -h "$localhost" --silent; do
sleep 1;
done
if [ -z ${HIRS_MYSQL_ROOT_PWD} ]; then
echo "HIRS_MYSQL_ROOT_PWD environment variable not set"
mysql -fu root -e 'quit' &> /dev/null;
else
echo "Using $HIRS_MYSQL_ROOT_PWD as the mysql root password"
$(mysql -u root -p$HIRS_MYSQL_ROOT_PWD -e 'quit' &> /dev/null);
fi
if [ $? -eq 0 ]; then
echo "root password verified"
else
echo "MYSQL root password was not the default, not supplied, or was incorrect"
echo " please set the HIRS_MYSQL_ROOT_PWD system variable and retry."
echo " ********** ACA Mysql setup aborted ********" ;
exit 1;
fi
echo "hirs_db_username=hirs_db" >> $ACA_PROP_FILE
echo "hirs_db_password=$HIRS_DB_PWD" >> $ACA_PROP_FILE
fi
echo "HIRS_DB_PWD is $HIRS_DB_PWD"
echo "HIRS_MYSQL_ROOT_PWD is $HIRS_MYSQL_ROOT_PWD"
}
if [ -d /opt/hirs/scripts/db ]; then
MYSQL_DIR="/opt/hirs/scripts/db"
else
# Create a hirs_db with client side TLS enabled
create_hirs_db_with_tls () {
# Check if hirs_db not created and create it if it wasn't
mysqlshow --user=root --password="$DB_ADMIN_PWD" | grep "hirs_db" > /dev/null 2>&1
if [ $? -eq 0 ]; then
echo "hirs_db exists, skipping hirs_db create"
else
mysql -u root --password=$DB_ADMIN_PWD < $MYSQL_DIR/db_create.sql
mysql -u root --password=$DB_ADMIN_PWD < $MYSQL_DIR/secure_mysql.sql
mysql -u root --password=$DB_ADMIN_PWD -e "ALTER USER 'hirs_db'@'localhost' IDENTIFIED BY '"$HIRS_DB_PWD"'; FLUSH PRIVILEGES;";
fi
}
MYSQL_DIR="$SCRIPT_DIR/../db"
fi
echo "MYSQL_DIR is $MYSQL_DIR"
# Check if hirs_db not created and create it if it wasn't
mysqlshow --user=root --password="$HIRS_MYSQL_ROOT_PWD" | grep "hirs_db" > /dev/null 2>&1
if [ $? -eq 0 ]; then
echo "hirs_db exists, skipping hirs_db create"
else
mysql -u root --password=$HIRS_MYSQL_ROOT_PWD < $MYSQL_DIR/db_create.sql
mysql -u root --password=$HIRS_MYSQL_ROOT_PWD < $MYSQL_DIR/secure_mysql.sql
mysql -u root --password=$HIRS_MYSQL_ROOT_PWD -e "ALTER USER 'hirs_db'@'localhost' IDENTIFIED BY '"$HIRS_DB_PWD"'; FLUSH PRIVILEGES;";
fi
# HIRS ACA Mysqld processing ...
check_mariadb_install
check_for_container
set_mysql_server_tls
set_mysql_client_tls
start_mysqlsd
check_mysql_root_pwd
set_hirs_db_pwd
create_hirs_db_with_tls
mysqld_reboot

2
package/scripts/db/db_create.sql
View File

@ -1,2 +1,2 @@
CREATE DATABASE IF NOT EXISTS `hirs_db` CHARACTER SET = 'utf8mb4' COLLATE = 'utf8mb4_general_ci';
GRANT ALL ON hirs_db.* TO "hirs_db"@"localhost" IDENTIFIED BY "$HIRS_DB_PWD";
GRANT ALL ON hirs_db.* TO "hirs_db"@"localhost" IDENTIFIED BY "$HIRS_DB_PWD" REQUIRE X509;

67
package/scripts/db/db_drop.sh
View File

@ -1,11 +1,66 @@
#!/bin/bash
echo "dropping hirs database"
SRV_CNF=/etc/my.cnf.d/mariadb-server.cnf
CLIENT_CNF=/etc/my.cnf.d/client.cnf
SCRIPT_DIR=$( dirname -- "$( readlink -f -- "$0"; )";)
LOG_FILE=/dev/null
source /etc/hirs/aca/aca.properties;
source $SCRIPT_DIR/start_mysqld.sh
# Check for sudo or root user, not actually needed but a good idea
if [ "$EUID" -ne 0 ]
then echo "This script requires root. Please run as root"
exit 1
fi
if [ -z $mysql_admin_password ]; then
read -p "Enter mysql root password" DB_ADMIN_PWD
else
DB_ADMIN_PWD=$mysql_admin_password
fi
if [ -d /opt/hirs/scripts/db ]; then
MYSQL_DIR="/opt/hirs/scripts/db"
else
MYSQL_DIR="$SCRIPT_DIR"
fi
echo "dropping hirs_db database"
if pgrep mysqld >/dev/null 2>&1; then
if [ -z ${HIRS_MYSQL_ROOT_PWD} ]; then
mysql -u "root" < /opt/hirs/scripts/db/db_drop.sql
else
mysql -u "root" -p$HIRS_MYSQL_ROOT_PWD < /opt/hirs/scripts/db/db_drop.sq1
fi
mysql -u root --password=$DB_ADMIN_PWD -e "FLUSH HOSTS; FLUSH LOGS; FLUSH STATUS; FLUSH PRIVILEGES; FLUSH USER_RESOURCES"
mysql -u root --password=$DB_ADMIN_PWD -e "DROP USER 'hirs_db'@'localhost';"
mysql -u root --password=$DB_ADMIN_PWD -e "DROP DATABASE IF EXISTS hirs_db;"
echo "hirs_db database and hirs_db user removed"
else
echo "mysql is not running. DB was not removed."
fi
# reset the mysql root if the password was left in the properties fiel
if [ ! -z $mysql_admin_password ]; then
echo "Resetting mysql root password to empty"
mysql -u root --password=$mysql_admin_password -e "SET PASSWORD FOR "root@localhost" = PASSWORD('');"
echo "Current list of databases:"
mysql -u "root" -e "FLUSH LOGS;"
mysql -u "root" -e "SHOW DATABASES;"
echo "Current list of users:"
mysql -u root -e "Select user from mysql.user;"
else
echo "Note root password was NOT reset"
fi
# Remove key , cert and truststore entries from client.cnf andf mariadb.cnf
echo "Removing hirs cert references from mariadb configuration files"
grep -v "hirs" $SRV_CNF > tmpfile && mv tmpfile $SRV_CNF
grep -v "hirs" $CLIENT_CNF > tmpfile && mv tmpfile $CLIENT_CNF
echo "restarting mariadb"
mysql -u root -e "SHUTDOWN"
sleep 2
check_for_container
start_mysqlsd
mysql -u root -e "SHOW VARIABLES LIKE '%ssl%'"

2
package/scripts/db/db_drop.sql
View File

@ -1,2 +1,2 @@
DROP SCHEMA IF EXISTS hirs_db;
DROP USER "hirs_db"@"localhost";
DROP DATABASE IF EXISTS hirs_db;

111
package/scripts/db/start_mysqld.sh Normal file
View File

@ -0,0 +1,111 @@
#!/bin/bash
#####################################################################################
#
# Functions to check mysql and start if not running.
# Also a function for checking if running in a container
#
#####################################################################################
SQL_SERVICE="mariadb"
check_for_container () {
# Check if we're in a Docker container
if [[ $(cat /proc/1/sched | head -n 1) == *"bash"* ]]; then
#if [ -f /.dockerenv ]; then
DOCKER_CONTAINER=true
echo "ACA is running in a container..." | tee -a "$LOG_FILE"
else
DOCKER_CONTAINER=false
echo "ACA is not running in a container..." | tee -a "$LOG_FILE"
fi
if [ -d /opt/hirs/scripts/db ]; then
MYSQL_DIR="/opt/hirs/scripts/db"
else
MYSQL_DIR="$SCRIPT_DIR/../db"
fi
}
# Check for mysql command line
check_mariadb_install () {
type mysql >/dev/null 2>&1 && installed=true || installed=false
if [ $installed = true ]; then
echo "mysql has been installed"
else
echo "mysql has NOT been installed, aborting install"
exit 1;
fi
}
# Starts mariadb during intial install
start_mysqlsd () {
# Check if mysql is already running, if not initialize
if [[ $(pgrep -c -u mysql mysqld) -eq 0 ]]; then
# Check if running in a container
if [ $DOCKER_CONTAINER = true ]; then
# if in Docker container, avoid services that invoke the D-Bus
echo "ACA is running in a container..."
# Check if mariadb is setup
if [ ! -d "/var/lib/mysql/mysql/" ]; then
echo "Installing mariadb"
/usr/bin/mysql_install_db > "$LOG_FILE"
chown -R mysql:mysql /var/lib/mysql/
fi
echo "Starting mysql...."
chown -R mysql:mysql /var/log/mariadb
/usr/bin/mysqld_safe &
else #not a container
systemctl enable $SQL_SERVICE
systemctl start $SQL_SERVICE
fi
else # mysql process is running
# check if mysql service is running
if [ ! $DOCKER_CONTAINER = true ]; then
DB_STATUS=$(systemctl status mysql |grep 'running' | wc -l )
if [ $DB_STATUS -eq 0 ]; then
echo "mariadb not running , attempting to restart"
systemctl start mariadb
fi
fi
fi
# Wait for mysql to start before continuing.
echo "Checking mysqld status..."| tee -a "$LOG_FILE"
while ! mysqladmin ping -h "$localhost" --silent; do
sleep 1;
done
echo "mysqld is running."| tee -a "$LOG_FILE"
}
# Basic check for marai db status, attempts restart if not running
check_mysql () {
echo "Checking mysqld status..."
if [ $DOCKER_CONTAINER = true ]; then
if [[ $(pgrep -c -u mysql mysqld) -eq 0 ]]; then
echo "mariadb not running , attempting to restart"
/usr/bin/mysqld_safe &
fi
else # not in a contianer
DB_STATUS=$(systemctl status mysql |grep 'running' | wc -l )
if [ $DB_STATUS -eq 0 ]; then
echo "mariadb not running , attempting to restart"
systemctl start mariadb
fi
fi
# Wait for mysql to start before continuing.
while ! mysqladmin ping -h "$localhost" --silent; do
sleep 1;
done
echo " Mariadb is running."
}
# restart maraidb
mysqld_reboot () {
# reboot mysql server
mysql -u root --password=$DB_ADMIN_PWD -e "SHUTDOWN"
sleep 2
check_for_container
start_mysqlsd
}

80
package/scripts/pki/pki_chain_gen.sh
View File

@ -29,6 +29,7 @@ SERVER_DN="/C=US/ST=MD/L=Columbia/O="$ACTOR"/CN="$ACTOR" aca"
# Capture location of the script to allow from invocation from any location
SCRIPT_DIR=$( dirname -- "$( readlink -f -- "$0"; )"; )
TRUSTSTORE=TrustStore.jks
TRUSTSTORE_P12=TrustStore.p12
KEYSTORE=KeyStore.jks
# Parameter check
@ -71,6 +72,8 @@ PKI_CA2="$CERT_FOLDER"/"$ACTOR_ALT"_leaf_ca2_"$ASYM_ALG"_"$KSIZE"_"$HASH_ALG"
PKI_CA3="$CERT_FOLDER"/"$ACTOR_ALT"_leaf_ca3_"$ASYM_ALG"_"$KSIZE"_"$HASH_ALG"
RIM_SIGNER="$CERT_FOLDER"/"$ACTOR_ALT"_rim_signer_"$ASYM_ALG"_"$KSIZE"_"$HASH_ALG"
TLS_SERVER="$CERT_FOLDER"/"$ACTOR_ALT"_aca_tls_"$ASYM_ALG"_"$KSIZE"_"$HASH_ALG"
DB_SERVER="$CERT_FOLDER"/"$ACTOR_ALT"_db_srv_"$ASYM_ALG"_"$KSIZE"_"$HASH_ALG"
DB_CLIENT="$CERT_FOLDER"/"$ACTOR_ALT"_db_client_"$ASYM_ALG"_"$KSIZE"_"$HASH_ALG"
TRUST_STORE_FILE="$CERT_FOLDER"/"$ACTOR_ALT"_"$ASYM_ALG"_"$KSIZE"_"$HASH_ALG"_Cert_Chain.pem
ROOT_DN="/C=US/ST=MD/L=Columbia/O="$ACTOR"/CN="$NAME" test root ca"
@ -78,6 +81,8 @@ INT_DN="/C=US/ST=MD/L=Columbia/O="$ACTOR"/CN="$NAME" test intermediate ca"
LEAF_DN="/C=US/ST=MD/L=Columbia/O="$ACTOR"/CN="$NAME" test ca"
SIGNER_DN="/C=US/ST=MD/L=Columbia/O="$ACTOR"/CN="$NAME" test signer"
TLS_DN="/C=US/ST=MD/L=Columbia/O="$ACTOR"/CN="$NAME" portal"
DB_SRV_DN="/C=US/ST=MD/L=Columbia/O="$ACTOR"/CN="$NAME" DB Server"
DB_CLIENT_DN="/C=US/ST=MD/L=Columbia/O="$ACTOR"/CN="$NAME" DB Client"
# Add check for existing folder and halt if it exists
if [ -d "$ACTOR_ALT"/"$CERT_FOLDER" ]; then
@ -101,13 +106,13 @@ fi
add_to_stores () {
CERT_PATH=$1
ALIAS=${CERT_PATH#*/} # Use filename without path as an alias
echo "Addding $ALIAS to the $TRUSTSTORE and $KEYSTORE" | tee -a "$LOG_FILE"
echo "Adding $ALIAS to the $TRUSTSTORE and $KEYSTORE" | tee -a "$LOG_FILE"
# Add the cert and key to the key store. make a p12 file to import into te keystore
openssl pkcs12 -export -in "$CERT_PATH".pem -inkey "$CERT_PATH".key -out tmpkey.p12 -passin pass:"$PASS" -aes256 -passout pass:$PASS >> "$LOG_FILE" 2>&1
openssl pkcs12 -export -in "$CERT_PATH".pem -inkey "$CERT_PATH".key -out tmpkey.p12 -passin pass:"$PASS" -aes256 -macalg SHA256 -keypbe AES-256-CBC -certpbe AES-256-CBC -passout pass:$PASS >> "$LOG_FILE" 2>&1
# Use the p12 file to import into a java keystore via keytool
keytool -importkeystore -srckeystore tmpkey.p12 -destkeystore $KEYSTORE -srcstoretype pkcs12 -srcstorepass $PASS -deststoretype jks -deststorepass $PASS -noprompt -alias 1 -destalias -J-Dcom.redhat.fips=false "$ALIAS" >> "$LOG_FILE" 2>&1
keytool -importkeystore -srckeystore tmpkey.p12 -destkeystore $KEYSTORE -srcstoretype pkcs12 -srcstorepass $PASS -deststoretype jks -deststorepass $PASS -noprompt -alias 1 -destalias "$ALIAS" >> "$LOG_FILE" 2>&1
# Import the cert into a java trust store via keytool
keytool -import -keystore $TRUSTSTORE -storepass $PASS -file "$CERT_PATH".pem -noprompt -alias "$ALIAS" -J-Dcom.redhat.fips=false >> "$LOG_FILE" 2>&1
keytool -import -keystore $TRUSTSTORE -storepass $PASS -file "$CERT_PATH".pem -noprompt -alias "$ALIAS" >> "$LOG_FILE" 2>&1
# Remove the temp p1 file.
rm tmpkey.p12
}
@ -129,17 +134,29 @@ create_cert () {
echo "Creating cert using "$ISSUER_KEY" with a DN="$SUBJ_DN"..." | tee -a "$LOG_FILE"
if [ "$ASYM_ALG" == "rsa" ]; then
openssl req -newkey rsa:"$ASYM_SIZE" \
-keyout "$CERT_PATH".key \
-out "$CERT_PATH".csr -subj "$SUBJ_DN" \
-passout pass:"$PASS" >> "$LOG_FILE" 2>&1
# Database doesnt support encypted key so create DB without passwords
if [[ "$SUBJ_DN" = *"DB"* ]]; then
if [ "$ASYM_ALG" == "rsa" ]; then
openssl genrsa -out "$CERT_PATH".key "$ASYM_SIZE" >> "$LOG_FILE" 2>&1
openssl req -new -key "$CERT_PATH".key \
-out "$CERT_PATH".csr -subj "$SUBJ_DN" >> "$LOG_FILE" 2>&1
else
openssl ecparam -genkey -name "$ECC_NAME" -out "$CERT_PATH".key >> "$LOG_FILE" 2>&1
openssl req -new -key "$CERT_PATH".key -out "$CERT_PATH".csr -$HASH_ALG -subj "$SUBJ_DN" >> "$LOG_FILE" 2>&1
fi
else
openssl ecparam -genkey -name "$ECC_NAME" -out "$CERT_PATH".key >> "$LOG_FILE" 2>&1
openssl req -new -key "$CERT_PATH".key -out "$CERT_PATH".csr -$HASH_ALG -subj "$SUBJ_DN" >> "$LOG_FILE" 2>&1
fi
if [ "$ASYM_ALG" == "rsa" ]; then
openssl req -newkey rsa:"$ASYM_SIZE" \
-keyout "$CERT_PATH".key \
-out "$CERT_PATH".csr -subj "$SUBJ_DN" \
-passout pass:"$PASS" >> "$LOG_FILE" 2>&1
else
openssl genpkey -algorithm "EC" -pkeyopt ec_paramgen_curve:P-521 -aes256 --pass "pass:$PASS" -out "$CERT_PATH".key
openssl req -new -key "$CERT_PATH".key -passin "pass:$PASS" -out "$CERT_PATH".csr -$HASH_ALG -subj "$SUBJ_DN"
fi
openssl ca -config ca.conf \
fi
openssl ca -config ca.conf \
-keyfile "$ISSUER_KEY" \
-md $HASH_ALG \
-cert "$ISSUER_CERT" \
@ -148,20 +165,20 @@ create_cert () {
-in "$CERT_PATH".csr \
-passin pass:"$PASS" \
-batch \
-notext >> "$LOG_FILE" 2>&1
-notext >> "$LOG_FILE" 2>&1
# Increment the cert serial number
SERIAL=$(awk -F',' '{printf("%s\t%d\n",$1,$2+1)}' ./ca/serial.txt)
echo "Cert Serial Number = $SERIAL" >> "$LOG_FILE";
# remove csr file
rm -f "$CERT_PATH".csr
# Add the cert and key to the key store. make a p12 file to import into te keystore
openssl pkcs12 -export -in "$CERT_PATH".pem -inkey "$CERT_PATH".key -out tmpkey.p12 -passin pass:"$PASS" -aes256 -passout pass:$PASS >> "$LOG_FILE" 2>&1
openssl pkcs12 -export -in "$CERT_PATH".pem -inkey "$CERT_PATH".key -out tmpkey.p12 -passin pass:$PASS -aes256 -macalg SHA256 -keypbe AES-256-CBC -certpbe AES-256-CBC -passout pass:$PASS >> "$LOG_FILE" 2>&1
# Use the p12 file to import into a java keystore via keytool
keytool -importkeystore -srckeystore tmpkey.p12 -destkeystore $KEYSTORE -srcstoretype pkcs12 -srcstorepass $PASS -deststoretype jks -deststorepass $PASS -noprompt -alias 1 -destalias -J-Dcom.redhat.fips=false "$ALIAS" >> "$LOG_FILE" 2>&1
keytool -importkeystore -srckeystore tmpkey.p12 -destkeystore $KEYSTORE -srcstoretype pkcs12 -srcstorepass $PASS -deststoretype jks -deststorepass $PASS -noprompt -alias 1 -destalias "$ALIAS" >> "$LOG_FILE" 2>&1
# Import the cert into a java trust store via keytool
keytool -import -keystore $TRUSTSTORE -storepass $PASS -file "$CERT_PATH".pem -noprompt -alias "$ALIAS" -J-Dcom.redhat.fips=false >> "$LOG_FILE" 2>&1
keytool -import -keystore $TRUSTSTORE -storepass $PASS -file "$CERT_PATH".pem -noprompt -alias "$ALIAS" >> "$LOG_FILE" 2>&1
# Remove the temp p1 file.
rm tmpkey.p12
rm -f tmpkey.p12 &>/dev/null
}
create_cert_chain () {
@ -186,22 +203,38 @@ create_cert_chain () {
# Create a ACA Sever Cert for TLS use
create_cert "$TLS_SERVER" "$PKI_CA3" "$TLS_DN" "server_extensions"
# Create a DB Sever Cert for TLS use
create_cert "$DB_SERVER" "$PKI_CA3" "$DB_SRV_DN" "server_extensions"
# Create a ACA Sever Cert for TLS use
create_cert "$DB_CLIENT" "$PKI_CA3" "$DB_CLIENT_DN" "server_extensions"
# Create Cert trust store by adding the Intermediate and root certs
cat "$PKI_CA1.pem" "$PKI_CA2.pem" "$PKI_CA3.pem" "$PKI_INT.pem" "$PKI_ROOT.pem" > "$TRUST_STORE_FILE"
# echo "Checking signer cert using tust store..."
# echo "Checking signer cert using tust store..."
openssl verify -CAfile "$TRUST_STORE_FILE" $RIM_SIGNER.pem | tee -a "$LOG_FILE"
# Make JKS files for the mysql DB connector. P12 first then JKS...
openssl pkcs12 -export -in $DB_CLIENT.pem -inkey $DB_CLIENT.key \
-aes256 -macalg SHA256 -keypbe AES-256-CBC -certpbe AES-256-CBC \
-passin pass:$PASS -passout pass:$PASS \
-name "mysqlclientkey" -out $DB_CLIENT.p12 >> "$LOG_FILE" 2>&1
keytool -importkeystore -srckeystore $DB_CLIENT.p12 -srcstoretype PKCS12 \
-srcstorepass $PASS -destkeystore $DB_CLIENT.jks -deststoretype JKS -deststorepass $PASS >> "$LOG_FILE" 2>&1
}
if [ "$ASYM_ALG" == "rsa" ]; then
# Create Root CA key pair and self signed cert
echo "Generating RSA Root CA ...." | tee -a "$LOG_FILE"
openssl genrsa -out "$PKI_ROOT".key -passout pass:"$PASS" "$ASYM_SIZE" >> "$LOG_FILE" 2>&1
#openssl genrsa -out "$PKI_ROOT".key -aes256 -passout pass:"$PASS" "$ASYM_SIZE" >> "$LOG_FILE" 2>&1
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:3072 -aes256 --pass "pass:$PASS" -out "$PKI_ROOT".key >> "$LOG_FILE" 2>&1
# Create a self signed CA certificate
openssl req -new -config ca.conf -x509 -days 3650 -key "$PKI_ROOT".key -subj "$ROOT_DN" \
-extensions ca_extensions -out "$PKI_ROOT".pem \
-passout pass:"$PASS" >> "$LOG_FILE" 2>&1
-passin pass:"$PASS" >> "$LOG_FILE" 2>&1
# Add the CA root cert to the Trust and Key stores
add_to_stores $PKI_ROOT
# Create an intermediate CA, 2 Leaf CAs, and Signer Certs
@ -211,12 +244,13 @@ fi
if [ "$ASYM_ALG" == "ecc" ]; then
# Create Root CA key pair and self signed cert
echo "Generating Ecc Root CA ...." | tee -a "$LOG_FILE"
openssl ecparam -genkey -name "$ECC_NAME" -out "$PKI_ROOT".key >> "$LOG_FILE" 2>&1
#openssl ecparam -genkey -name "$ECC_NAME" -out "$PKI_ROOT".key >> "$LOG_FILE" 2>&1
openssl genpkey -algorithm "EC" -pkeyopt ec_paramgen_curve:P-521 -aes256 --pass "pass:$PASS" -out "$PKI_ROOT".key
# Create a self signed CA certificate
openssl req -new -config ca.conf -x509 -days 3650 -key "$PKI_ROOT".key -subj "$ROOT_DN" \
-extensions ca_extensions -out "$PKI_ROOT".pem \
-passout pass:"$PASS" >> "$LOG_FILE" 2>&1
-passin pass:"$PASS" >> "$LOG_FILE" 2>&1
# Add the CA root cert to the Trust and Key stores
add_to_stores $PKI_ROOT
# Create an intermediate CA, 2 Leaf CAs, and Signer Certs

55
package/scripts/pki/pki_setup.sh
View File

@ -6,37 +6,45 @@
#
############################################################################################
PROP_FILE=/etc/hirs/aca/application.properties
#PROP_FILE=/etc/hirs/aca/application.properties
ACA_PROP=/etc/hirs/aca/aca.properties
LOG_FILE=$1
PKI_PASS=$2
UNATTENDED=$3
LOG_FILE_NAME="hirs_aca_install_"$(date +%Y-%m-%d).log
LOG_DIR="/var/log/hirs/"
HIRS_CONF_DIR=/etc/hirs/aca
# Capture location of the script to allow from invocation from any location
SCRIPT_DIR=$( dirname -- "$( readlink -f -- "$0"; )"; )
mkdir -p $HIRS_CONF_DIR $LOG_DIR
echo "SCRIPT_DIR is $SCRIPT_DIR" | tee -a "$LOG_FILE"
if [ -z "$1" ]; then
LOG_FILE="$LOG_DIR$LOG_FILE_NAME"
echo "using log file $LOG_FILE" | tee -a "$LOG_FILE"
fi
if [ -z "$2" ]; then
PKI_PASS=$(head -c 64 /dev/urandom | md5sum | tr -dc 'a-zA-Z0-9')
echo "Using randomly generated password for the PKI key password" | tee -a "$LOG_FILE"
echo "Using pki password=$PKI_PASS"
fi
# Check for sudo or root user
if [ "$EUID" -ne 0 ]
then echo "The first time this script is run, this script requires root. Please run as root" | tee -a "$LOG_FILE"
then echo "This script requires root. Please run as root" | tee -a "$LOG_FILE"
exit 1
fi
# Set HIRS PKI password
if [ -z $HIRS_PKI_PWD ]; then
# Create a 32 character random password
PKI_PASS=$(head -c 64 /dev/urandom | md5sum | tr -dc 'a-zA-Z0-9')
echo "Using randomly generated password" | tee -a "$LOG_FILE"
else
PKI_PASS=$HIRS_PKI_PWD
echo "Using system supplied password" | tee -a "$LOG_FILE"
fi
# Create Cert Chains
if [ ! -d "/etc/hirs/certificates" ]; then
if [ -d "/opt/hirs/scripts/pki" ]; then
PKI_SETUP_DIR="/opt/hirs/scripts/pki"
else
PKI_SETUP_DIR="$SCRIPT_DIR"
fi
PKI_SETUP_DIR="/opt/hirs/scripts/pki"
else
PKI_SETUP_DIR="$SCRIPT_DIR"
fi
echo "PKI_SETUP_DIR is $PKI_SETUP_DIR" | tee -a "$LOG_FILE"
mkdir -p /etc/hirs/certificates/ | tee -a "$LOG_FILE"
@ -47,18 +55,7 @@ if [ ! -d "/etc/hirs/certificates" ]; then
sh $PKI_SETUP_DIR/pki_chain_gen.sh "HIRS" "ecc" "512" "sha384" "$PKI_PASS" "$LOG_FILE"
popd &> /dev/null
# Add tomcat TLS support to the application.properties file
echo "# Tomcat TLS support">> $PROP_FILE
echo "server.port=8443">> $PROP_FILE
echo "server.ssl.enabled=true">> $PROP_FILE
echo "server.ssl.trust-store-type=JKS">> $PROP_FILE
echo "server.ssl.trust-store=/etc/hirs/certificates/HIRS/TrustStore.jks">> $PROP_FILE
echo "server.ssl.trust-alias=hirs_aca_tls_rsa_3k_sha384">> $PROP_FILE
echo "server.ssl.key-store-type=JKS">> $PROP_FILE
echo "server.ssl.key-store=/etc/hirs/certificates/HIRS/KeyStore.jks">> $PROP_FILE
echo "server.ssl.key-alias=hirs_aca_tls_rsa_3k_sha384">> $PROP_FILE
echo "server.ssl.key-store-password="$PKI_PASS >> $PROP_FILE
echo "server.ssl.trust-store-password="$PKI_PASS >> $PROP_FILE
echo "hirs_pki_password="$PKI_PASS >> $ACA_PROP
else
echo "/etc/hirs/certificates exists, skipping" | tee -a "$LOG_FILE"
fi