ExternalVendorCode/HIRS
1
0
Fork 0
mirror of https://github.com/nsacyber/HIRS.git synced 2024-12-18 20:47:58 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

cleaned up unused file

Browse Source
This commit is contained in:
iadgovuser26 2023-08-18 16:38:41 +00:00
parent 4766903aad
commit 88aa10010b
20 changed files with 197 additions and 589 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
HIRS_AttestationCA/build.gradle
View File

@ -41,7 +41,7 @@ dependencies {
implementation libs.minimal.json
implementation 'org.apache.logging.log4j:log4j-core:2.19.0'
implementation 'org.apache.logging.log4j:log4j-api:2.19.0'
// spring management
compileOnly libs.lombok
implementation libs.lombok

8
HIRS_AttestationCAPortal/build.gradle
View File

@ -52,7 +52,7 @@ dependencies {
implementation 'org.apache.tomcat.embed:tomcat-embed-jasper:10.1.5'
compileOnly 'org.projectlombok:lombok'
runtimeOnly 'org.mariadb.jdbc:mariadb-java-client'
runtimeOnly 'org.mariadb.jdbc:mariadb-java-client:3.1.0'
annotationProcessor 'org.projectlombok:lombok'
providedRuntime 'org.springframework.boot:spring-boot-starter-tomcat'
@ -166,10 +166,4 @@ ospackage {
arch = 'amd64'
}
bootRun {
if ( project.hasProperty('jvmArgs') ) {
jvmArgs = (project.jvmArgs.split("\\s+") as List)
}
}
}

37
HIRS_AttestationCAPortal/src/main/resources/application.properties
View File

@ -1,29 +1,13 @@
#server.error.path=/error
#spring.mvc.view.prefix=/WEB-INF/jsp/
#spring.mvc.view.suffix=.jsp
# Logging Config (tomcat may have further config)
logging.level.org.springframework=DEBUG
logging.level.org.apache.catalina=DEBUG
logging.level.org.springframework.web: DEBUG
logging.level.org.springframework=TRACE
logging.level.org.apache.catalina=TRACE
logging.level.org.springframework.web: TRACE
logging.level.org.hibernate: ERROR
logging.file.path=/var/log/hirs
logging.file.name=hirs.spring.log
# Database Config
spring.jpa.hibernate.ddl-auto=update
#spring.datasource.url=jdbc:mariadb://localhost:3306/hirs_db?autoReconnect=true&useSSL=false
spring.datasource.url=jdbc:mariadb://localhost:3306/hirs_db?autoReconnect=true&sslMode=PREFERRED
#spring.datasource.url=jdbc:mariadb://localhost:3306/hirs_db?autoReconnect=true&useSSL=true&clientCertificateKeyStoreType=JKS&clientCertificateKeyStorePassword="123456"&clientCertificateKeyStoreUrl=file:/etc/hirs/certificates/HIRS/rsa_3k_sha384_certs/HIRS_db_client_rsa_3k_sha384.jks
#spring.datasource.hikari.data-source-properties.clientCertificateKeyStoreType=JKS
#spring.datasource.hikari.data-source-properties.clientCertificateKeyStorePassword="123456"
#spring.datasource.hikari.data-source-properties.clientCertificateKeyStoreUrl=file:/etc/hirs/certificates/HIRS/rsa_3k_sha384_certs/HIRS_db_client_rsa_3k_sha384.jks
#spring.datasource.hikari.data-source-properties.autoReconnect=true$useSSL=true
#spring.datasource.hikari.data-source-properties.clientCertificateKeyStoreType=PCKS12
#spring.datasource.hikari.data-source-properties.clientCertificateKeyStorePassword="1234"
#spring.datasource.hikari.data-source-properties.clientCertificateKeyStoreUrl=file:/etc/hirs/certificates/HIRS/rsa_3k_sha384_certs/HIRS_db_client_rsa_3k_sha384.p12
spring.datasource.username=hirs_db
jakarta.persistence.sharedCache.mode = UNSPECIFIED
spring.datasource.driver-class-name=org.mariadb.jdbc.Driver
#spring.datasource.driver-class-name=com.mysql.cj.jdbc.Driver
@ -43,6 +27,19 @@ server.tomcat.accesslog.prefix=Tomcat_accesslog_
server.tomcat.accesslog.suffix=.log
server.tomcat.accesslog.rotate=true
# Tomcat TLS support
server.port=8443
server.ssl.enabled=true
server.ssl.trust-store-type=JKS
server.ssl.trust-store=/etc/hirs/certificates/HIRS/TrustStore.jks
server.ssl.trust-alias=hirs_aca_tls_rsa_3k_sha384
server.ssl.key-store-type=JKS
server.ssl.key-store=/etc/hirs/certificates/HIRS/KeyStore.jks
server.ssl.key-alias=hirs_aca_tls_rsa_3k_sha384
#--server.ssl.key-store-password=123456
#--server.ssl.trust-store-password=123456
#jdbc.driverClassName = com.mysql.cj.jdbc.Driver
#jdbc.url = jdbc:mysql://localhost:3306/hirs_db?autoReconnect=true&useSSL=false
#jdbc.username = root
@ -52,4 +49,4 @@ server.tomcat.accesslog.rotate=true
#spring.jpa.show-sql=true
# DB dfault password.
spring.datasource.password=hirs_db
#spring.datasource.password=hirs_db

6
HIRS_AttestationCAPortal/src/main/resources/hibernate.properties
View File

@ -1,6 +1,6 @@
hibernate.connection.url=jdbc:mariadb://localhost:3306/hirs_db?autoReconnect=true&useSSL=false
hibernate.connection.username=hirs_db
hibernate.connection.password=hirs_db
#hibernate.connection.url=jdbc:mariadb://localhost:3306/hirs_db?autoReconnect=true&useSSL=false
#hibernate.connection.username=hirs_db
#hibernate.connection.password=hirs_db
hibernate.connection.driver_class=org.mariadb.jdbc.Driver
hibernate.dialect = org.hibernate.dialect.MariaDBDialect
hibernate.show_sql = false

74
package/scripts/aca/aca_bootRun.sh
View File

@ -1,13 +1,79 @@
#!/bin/bash
#####################################################################################
#
# Script to run ACA using the gradle spring pluing bootRun command with password set
# Script to run ACA using the gradle spring pluing bootRun command with parameters
# parameters include setting up the DB with TLS and embedded Tomcat with TLS.
#
#
####################################################################################
#####################################################################################
USE_WAR=$1
CONFIG_FILE="/etc/hirs/aca/application.properties"
ALG=RSA
RSA_PATH=rsa_3k_sha384_certs
ECC_PATH=ecc_512_sha384_certs
SCRIPT_DIR=$( dirname -- "$( readlink -f -- "$0"; )"; )
LOG_FILE=/dev/null
source $SCRIPT_DIR/../db/start_mysqld.sh
if [ $ALG = "RSA" ]; then
CERT_PATH="/etc/hirs/certificates/HIRS/$RSA_PATH"
CERT_CHAIN="$CERT_PATH/HIRS_rsa_3k_sha384_Cert_Chain.pem"
CLIENT_DB_P12=$CERT_PATH/HIRS_db_client_rsa_3k_sha384.p12
ALIAS="hirs_aca_tls_rsa_3k_sha384"
else
CERT_PATH="/etc/hirs/certificates/HIRS/$ECC_PATH"
CERT_CHAIN="$CERT_PATH/HIRS_ecc_512_sha384_Cert_Chain.pem"
CLIENT_DB_P12=$CERT_PATH/HIRS_db_client_ecc_512_sha384.p12
ALIAS="hirs_aca_tls_ecc_512_sha384"
fi
check_for_container
start_mysqlsd
# Check for sudo or root user
if [ "$EUID" -ne 0 ]
then echo "This script requires root. Please run as root"
exit 1
fi
if [ ! -d "$CERT_PATH" ]; then
echo "$CERT_PATH directory does not exist. Please run aca_setup.sh and try again."
exit 1;
fi
echo "Starting HIRS ACA on https://localhost:8443/HIRS_AttestationCAPortal/portal/index"
./gradlew bootRun --args="--spring.config.location=$CONFIG_FILE"
source /etc/hirs/aca/aca.properties;
echo "Client Keystore is $CLIENT_DB_P12"
echo "DB using $hirs_db_username user and user password $hirs_db_password"
echo "Server PKI chain is $CERT_CHAIN"
echo "Server password is $hirs_pki_password"
echo "Tomcat key alias is $ALIAS"
# Run the embedded tomcat server with Web TLS enabled and database client TLS enabled by overrding critical parameters
# Note "&" is a sub parameter continuation, space represents a new parameter. Spaces and quotes matter.
# hibernate.connection.url is used for the DB connector which established DB TLS connectivity
# server.ssl arguments support the embeded tomcats use of TLS for the ACA Portal
ARGS="--hibernate.connection.url=\"jdbc:mariadb://localhost:3306/hirs_db?autoReconnect=true&\
user=\"$hirs_db_username\"&\
password=\"$hirs_db_password\"&\
sslMode=VERIFY_CA&\
serverSslCert=$CERT_CHAIN&\
keyStoreType=PKCS12&\
keyStorePassword=\"$hirs_pki_password\"&\
keyStore="$CLIENT_DB_P12" \
--server.ssl.key-store-password=\"$hirs_pki_password\" \
--server.ssl.trust-store-password=\"$hirs_pki_password\"\""
# --hibernate.connection.driver_class=\"org.mariadb.jdbc.Driver\" \
echo "--args="$ARGS""
if [ "$USE_WAR" == "war" ]; then
echo "Booting the ACA from a $USE_WAR file..."
java -jar HIRS_AttestationCAPortal/build/libs/HIRS_AttestationCAPortal.war $ARGS
else
echo "Booting the ACA from local build..."
./gradlew bootRun --args="\"$ARGS\""
fi

40
package/scripts/aca/aca_setup.sh
View File

@ -12,12 +12,34 @@ LOG_FILE="$LOG_DIR$LOG_FILE_NAME"
echo "LOG_FILE is $LOG_FILE"
if [ "$EUID" -ne 0 ]
then echo "The first time this script is run, this script requires root. Please run as root"
then echo "This script requires root. Please run as root"
exit 1
fi
mkdir -p $HIRS_CONF_DIR $LOG_DIR $HIRS_PROP_DIR
# Process parameters
# Argument handling https://stackoverflow.com/questions/192249/how-do-i-parse-command-line-arguments-in-bash
POSITIONAL_ARGS=()
while [[ $# -gt 0 ]]; do
case $1 in
--skip-db)
ARG_SKIP_DB=YES
shift # past argument
;;
-*|--*)
echo "aca_setup.sh: Unknown option $1"
;;
*)
POSITIONAL_ARGS+=("$1") # save positional arg
shift # past argument
;;
esac
done
set -- "${POSITIONAL_ARGS[@]}" # restore positional parameters
echo "HIRS ACA Setup initiated on $(date +%Y-%m-%d)" > "$LOG_FILE"
pushd $SCRIPT_DIR &>/dev/null
@ -39,12 +61,15 @@ if [ -f $SPRING_PROP_FILE ]; then
cp -n $VENDOR_TABLE $HIRS_PROP_DIR/.
fi
sh ../pki/pki_setup.sh $LOG_FILE $PKI_PASS
if [ $? -eq 0 ]; then
echo "ACA PKI setup complete" | tee -a "$LOG_FILE"
else
echo "Error setting up ACA PKI" | tee -a "$LOG_FILE"
exit 1
if [ -z "${ARG_SKIP_DB}" ]; then
sh ../pki/pki_setup.sh $LOG_FILE $PKI_PASS
if [ $? -eq 0 ]; then
echo "ACA PKI setup complete" | tee -a "$LOG_FILE"
else
echo "Error setting up ACA PKI" | tee -a "$LOG_FILE"
exit 1
fi
echo "Warning: Database setup not run due to command line argument: $@" | tee -a "$LOG_FILE"
fi
sh ../db/db_create.sh $LOG_FILE
@ -55,7 +80,6 @@ if [ $? -eq 0 ]; then
exit 1
fi
echo "ACA setup complete" | tee -a "$LOG_FILE"
popd &>/dev/null

90
package/scripts/aca/certificate_generate.sh
View File

@ -1,90 +0,0 @@
#!/usr/bin/env bash
# Check if we're in a Docker container
if [ -f /.dockerenv ]; then
DOCKER_CONTAINER=true
else
DOCKER_CONTAINER=false
fi
# variables for the CA certificates
CA_PATH=/etc/hirs/certificates
CA_KEYSTORE=${CA_PATH}/TrustStore.jks
# variables for the ACA certificates
ACA_CERTS=/etc/hirs/aca/certificates
ACA_KEY=${ACA_CERTS}/aca.key
ACA_CRT=${ACA_CERTS}/aca.crt
ACA_P12=${ACA_CERTS}/aca.p12
ACA_JKS=${ACA_CERTS}/keyStore.jks
ACA_CONF=${ACA_CERTS}/aca.conf
# generate the OpenSSL conf file
echo "[req]" >> ${ACA_CONF}
echo "req_extensions=aca" >> ${ACA_CONF}
echo "distinguished_name=distname" >> ${ACA_CONF}
echo "" >> ${ACA_CONF}
echo "[aca]" >> ${ACA_CONF}
echo "keyUsage=critical,keyCertSign" >> ${ACA_CONF}
echo "basicConstraints=critical,CA:true" >> ${ACA_CONF}
echo "subjectKeyIdentifier=hash" >> ${ACA_CONF}
echo "" >> ${ACA_CONF}
echo "[distname]" >> ${ACA_CONF}
echo "# empty" >> ${ACA_CONF}
# generate the ACA signing key and self-signed certificate
openssl req -x509 -config ${ACA_CONF} -extensions aca -days 3652 -set_serial 01 -subj "/C=US/O=HIRS/OU=Attestation CA/CN=$HOSTNAME" -newkey rsa:2048 -nodes -keyout ${ACA_KEY} -out ${ACA_CRT}
# if the trust store already has an older HIRS_ACA_KEY in it, remove it
keytool -list -keystore ${CA_KEYSTORE} -storepass password -alias HIRS_ACA_KEY
rc=$?
if [[ $rc = 0 ]]; then
keytool -delete -alias HIRS_ACA_KEY -storepass password -keystore ${CA_KEYSTORE}
fi
# load the generated certificate into the CA trust store
keytool -import -keystore ${CA_KEYSTORE} -storepass password -file ${ACA_CRT} -noprompt -alias HIRS_ACA_KEY
# export the cert and key to a p12 file
openssl pkcs12 -export -in ${ACA_CRT} -inkey ${ACA_KEY} -out ${ACA_P12} -passout pass:password
# create a key store using the p12 file
keytool -importkeystore -srckeystore ${ACA_P12} -destkeystore ${ACA_JKS} -srcstoretype pkcs12 -srcstorepass password -deststoretype jks -deststorepass password -noprompt -alias 1 -destalias HIRS_ACA_KEY
# set the password in the aca properties file
sed -i "s/aca\.keyStore\.password\s*=/aca.keyStore.password=password/" /etc/hirs/aca/aca.properties
# copy the trust store to the ACA
cp ${CA_KEYSTORE} /etc/hirs/aca/client-files/
# start up the tomcat service
# Guess where Tomcat is installed and what it's called:
if [ -d /usr/share/tomcat6 ] ; then
TOMCAT_SERVICE=tomcat6
elif [ -d /usr/share/tomcat ] ; then
TOMCAT_SERVICE=tomcat
else
echo "Can't find Tomcat installation"
exit 1
fi
# restart tomcat after updating the trust store.
if [ $DOCKER_CONTAINER = true ]; then
# If in Docker container, avoid services that invoke the D-Bus
if [[ $(ss -t -l -n | grep -q LISTEN.*:::8009) -eq 0 ]]; then
echo "Tomcat is running, so we restart it."
/usr/libexec/tomcat/server stop
# Wait for Tomcat to stop completely and prevent port bind collisions
while [ -z "$(tail -n 1 /var/log/tomcat/catalina.$(date +"%Y-%m-%d").log | grep "Destroying ProtocolHandler \[\"http-bio-8443\"\]")" ]; do
:
done
(/usr/libexec/tomcat/server start) &
# Wait for Tomcat to boot completely
until [ "`curl --silent --connect-timeout 1 -I http://localhost:8080 | grep 'Coyote'`" != "" ]; do
:
done
fi
else
/sbin/service ${TOMCAT_SERVICE} restart;
fi

26
package/scripts/common/firewall_configure_tomcat.sh
View File

@ -1,26 +0,0 @@
if ! [ $(id -u) = 0 ]; then
echo "Please run this script as root."
exit 1
fi
if [[ -f /etc/redhat-release ]] ; then
CENTOS_VER=`/opt/hirs/scripts/common/get_centos_major_version.sh`
elif [[ -f /etc/os-release ]] ; then
AMAZON_VER=`/opt/hirs/scripts/common/get_amazon_linux_major_version.sh`
fi
if [ $CENTOS_VER -eq "6" ] ; then
checkHTTPS=`iptables-save | grep -- "--dport 8443 -j ACCEPT"`
if [[ $checkHTTPS == "" ]]; then
echo "Tomcat HTTPS firewall rule doesn't exist, adding now"
iptables -I INPUT 1 -p tcp -m tcp --dport 8443 -j ACCEPT
service iptables save
fi
elif [ $CENTOS_VER -eq "7" ] || [ $AMAZON_VER -eq "2" ] ; then
firewall-cmd --direct --permanent --add-rule ipv4 filter INPUT 0 -p tcp --dport 8443 -j ACCEPT
firewall-cmd --reload
else
echo "Unsupported Linux detected"
exit 1
fi

1
package/scripts/common/get_centos_major_version.sh
View File

@ -1 +0,0 @@
cat /etc/redhat-release | grep -Eo "release [0-9]" | tail -c 2

8
package/scripts/common/get_db_service.sh
View File

@ -1,8 +0,0 @@
if [[ $(rpm -qa mariadb*) ]]; then
echo "mariadb"
elif [[ $(rpm -qa mysql-server*) ]]; then
echo "mysqld"
else
echo "Could not determine installed database"
exit 1
fi

6
package/scripts/common/jvm_version_check.sh
View File

@ -1,6 +0,0 @@
# only argument to this script is the java command to use in this version check
JAVA_SPEC_VER=`$1 -XshowSettings:properties -version 2>&1 | grep java.specification.version | grep -Eo "[0-9]\.[0-9]+"`
case "$JAVA_SPEC_VER" in
"1.8"|"1.9"|"1.10"|"1.11"|"1.12" ) ;;
* ) echo "HIRS needs to be run with a JVM supporting at least specification 1.8. Found $JAVA_SPEC_VER." && exit 1 ;;
esac

8
package/scripts/common/my.cnf.el7
View File

@ -1,8 +0,0 @@
#begin-hirs-cfg
ssl-ca=/etc/hirs/certificates/mysql/hirs.ca.cert
ssl-cert=/etc/hirs/certificates/mysql/hirs-cert.pem
ssl-key=/etc/hirs/certificates/mysql/hirs-key.pem
innodb_large_prefix=1
innodb_file_format=BARRACUDA
innodb_file_per_table=1
#end-hirs-cfg

5
package/scripts/common/secure_mysql.sql
View File

@ -1,5 +0,0 @@
DELETE FROM mysql.user WHERE User='';
DELETE FROM mysql.user WHERE User='root' AND Host NOT IN ('localhost', '127.0.0.1', '::1');
DROP DATABASE IF EXISTS test;
DELETE FROM mysql.db WHERE Db='test' OR Db='test\\_%';
FLUSH PRIVILEGES

253
package/scripts/common/ssl_configure.sh
View File

@ -1,253 +0,0 @@
#!/usr/bin/env bash
# certificates and key stores generated by this script
CERTIFICATES="/etc/hirs/certificates"
CA_CERT=${CERTIFICATES}/hirs.ca.cert
INTERNAL_P12=${CERTIFICATES}/hirs.p12
KEYSTORE_JKS=${CERTIFICATES}/keyStore.jks
TRUSTSTORE_JKS=${CERTIFICATES}/TrustStore.jks
CA_CERT_DIR_ESCAPED=\\/etc\\/hirs\\/certificates
# 'private' data generated by this script
CA_PEM=${CERTIFICATES}/private/hirs.ca.pem
P12_DATA=${CERTIFICATES}/private/p12.data
echo 'Checking SSL configuration for HIRS'
# Check if we're in a Docker container
if [ -f /.dockerenv ]; then
DOCKER_CONTAINER=true
else
DOCKER_CONTAINER=false
fi
#################
# Key Generation
#################
# if the CA PEM file does not exist, generate the HIRS CA file and associated keystore and truststores
if ! [ -f $CA_PEM ]; then
echo 'Generating certificates'
# create directory structure
mkdir -p ${CERTIFICATES}/private
# Generate our random key store password. We need to do this before configuring Tomcat, as we'll
# need to add it to Tomcat's configuration file. Read a block of raw data bytes from /dev/urandom
# and convert it to text characters. Not the greatest, but hey:
echo 'Creating random key material'
P12_PASSWORD=$(head -c 64 /dev/urandom | md5sum | tr -dc 'a-zA-Z0-9')
# generate a key and certificate. The key is the private key used to sign the well known CA cert.
echo 'Creating 2048 bit key'
openssl req -x509 -nodes -days 3652 -newkey rsa:2048 -keyout ${CA_PEM} -out ${CA_CERT} -subj "/C=US/O=HIRS/OU=Common/CN=$(hostname)"
# export the certificate and key as a p12 file
echo 'Exporting key'
openssl pkcs12 -export -in ${CA_CERT} -inkey ${CA_PEM} -out ${INTERNAL_P12} -passout pass:${P12_PASSWORD}
# create a key store using the pk12 file.
echo 'Configuring keystore'
keytool -importkeystore -srckeystore ${INTERNAL_P12} -destkeystore ${KEYSTORE_JKS} -srcstoretype pkcs12 -srcstorepass ${P12_PASSWORD} -deststoretype jks -deststorepass ${P12_PASSWORD} -noprompt
# import the root CA certificate into the trust store.
echo 'Configuring truststore'
keytool -import -keystore ${TRUSTSTORE_JKS} -storepass password -file ${CA_CERT} -noprompt
# write P12 password to file
echo $P12_PASSWORD > $P12_DATA
# set appropriate permissions on certificates
chmod 775 /etc/hirs/certificates/
chmod -R 664 /etc/hirs/certificates/*
chmod 700 /etc/hirs/certificates/private
chmod -R 600 /etc/hirs/certificates/private/*
else
# if the certificate was previously generated, grab the P12 password out of the file
P12_PASSWORD=`cat $P12_DATA`
fi
#################
# ActiveMQ
#################
if [[ $1 = "server" ]]; then
if [ -f "/srv/activemq/current/conf/activemq.xml" ] ; then
if [[ -n `grep -o "keyStorePassword=\"\"" /srv/activemq/current/conf/activemq.xml` ]]; then
echo "Configuring ActiveMQ SSL"
# set the key store password for the messaging service
sed -i -r "s/keyStorePassword=\"\w*\"/keyStorePassword=\"${P12_PASSWORD}\"/g" /srv/activemq/current/conf/activemq.xml
fi
fi
fi
#################
# Tomcat
#################
if [[ $1 = "server" ]]; then
# determine which version of tomcat is installed
rpm -q tomcat6
if [[ $? -eq 0 ]]; then
TOMCAT_VERSION=`rpm -q --qf="%{VERSION}" tomcat6`
else
TOMCAT_VERSION=`rpm -q --qf="%{VERSION}" tomcat`
fi
TOMCAT_MAJOR_VERSION=`echo $TOMCAT_VERSION | head -c 1`
if [[ $TOMCAT_MAJOR_VERSION = '6' ]]; then
CATALINA_HOME=/usr/share/tomcat6
TOMCAT_SERVICE=tomcat6
TOMCAT_CONF=${CATALINA_HOME}/conf/tomcat6.conf
elif [[ $TOMCAT_MAJOR_VERSION = '7' ]] ; then
CATALINA_HOME=/usr/share/tomcat
TOMCAT_SERVICE=tomcat
TOMCAT_CONF=${CATALINA_HOME}/conf/tomcat.conf
else
echo "Unsupported Tomcat version: ${TOMCAT_MAJOR_VERSION}"
exit 1
fi
if [[ -z `grep -o "keystoreFile=\"${CA_CERT_DIR_ESCAPED}\/keyStore.jks\"" $CATALINA_HOME/conf/server.xml` ]]; then
echo "Configuring Tomcat SSL"
chown -R root:tomcat /etc/hirs/certificates/
# create an alias in the keystore for tomcat
alias=$(keytool -list -v -keystore ${KEYSTORE_JKS} -storepass ${P12_PASSWORD} | grep -B2 'PrivateKeyEntry' | grep 'Alias name:')
keytool -changealias -alias ${alias#*:} -destalias tomcat -v -keystore ${KEYSTORE_JKS} -storepass ${P12_PASSWORD}
# Set up Tomcat. We need to ensure that Tomcat is running as a service
chkconfig ${TOMCAT_SERVICE} on
# Configure the server.xml file such that it uses our key store and trust store
if [ $DOCKER_CONTAINER = true ]; then
# If in Docker container, avoid services that invoke the D-Bus
if [[ $(pgrep -c -f /usr/share/tomcat) -ne 0 ]]; then
echo "Tomcat is running, so we stop it."
/usr/libexec/tomcat/server stop
fi
else
service ${TOMCAT_SERVICE} stop
fi
# Configure Tomcat SSL properly. The method for doing this changes from 6.0.38 onward.
rpmdev-vercmp 6.0.38 $TOMCAT_VERSION
VERCMP_STATUS=$?
if [[ $VERCMP_STATUS -eq 0 ]] || [[ $VERCMP_STATUS -eq 12 ]]; then
# Tomcat v 6.0.38 or newer
sed -i "s/.*<\/Service>/<Connector port=\"8443\" protocol=\"HTTP\/1.1\" compression=\"on\" compressionMinSize=\"2048\" compressableMimeType=\"text\/html, text\/xml\" SSLEnabled=\"true\" maxThreads=\"150\" scheme=\"https\" secure=\"true\" clientAuth=\"want\" sslProtocol=\"TLS\" sslEnabledProtocols=\"TLSv1.2\" ciphers=\"TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384\" keystoreFile=\"${CA_CERT_DIR_ESCAPED}\/keyStore.jks\" keystorePass=\"$P12_PASSWORD\" truststoreFile=\"${CA_CERT_DIR_ESCAPED}\/TrustStore.jks\" truststorePass=\"password\" \/><\/Service>/" $CATALINA_HOME/conf/server.xml
elif [[ $VERCMP_STATUS -eq 11 ]]; then
# Older than Tomcat 6.0.38
sed -i "s/.*<\/Service>/<Connector port=\"8443\" label=\"HIRS\" protocol=\"HTTP\/1.1\" compression=\"on\" compressionMinSize=\"2048\" compressableMimeType=\"text\/html, text\/xml\" SSLEnabled=\"true\" maxThreads=\"150\" scheme=\"https\" secure=\"true\" clientAuth=\"want\" sslProtocol=\"TLS\" protocols=\"TLSv1.2\" ciphers=\"TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384\" SSLDisableCompression=\"true\" keystoreFile=\"${CA_CERT_DIR_ESCAPED}\/keyStore.jks\" keystorePass=\"$P12_PASSWORD\" truststoreFile=\"${CA_CERT_DIR_ESCAPED}\/TrustStore.jks\" truststorePass=\"password\" \/><\/Service>/" $CATALINA_HOME/conf/server.xml
else
echo "Unknown rpmdev-vercmp exit code: ${VERCMP_STATUS}"
exit 1
fi
sed -i 's/.*<\/tomcat-users>/<user username="tomcat" password="tomcat" roles="admin,admin-gui,manager,manager-gui"\/> <\/tomcat-users>/' $CATALINA_HOME/conf/tomcat-users.xml
# ensure tomcat is using the trust store and key store for all other SSL operations.
cat << EOF >> ${TOMCAT_CONF}
#begin-hirs-conf
JAVA_OPTS="-Djavax.sql.DataSource.Factory=org.apache.commons.dbcp.BasicDataSourceFactory -Xmx1536m -Djavax.net.ssl.keyStore=${KEYSTORE_JKS} -Djavax.net.ssl.keyStorePassword=${P12_PASSWORD} -Djavax.net.ssl.trustStore=${TRUSTSTORE_JKS} -Djavax.net.ssl.trustStorePassword=password"
#end-hirs-conf
EOF
# (3) set tomcat user as owner of tomcat installation
chgrp -R tomcat ${CATALINA_HOME}
if [ $DOCKER_CONTAINER = true ]; then
# If in Docker container, avoid services that invoke the D-Bus
(/usr/libexec/tomcat/server start) &
# Wait for Tomcat to boot completely
until [ "`curl --silent --connect-timeout 1 -I http://localhost:8080 | grep 'Coyote'`" != "" ]; do
:
done
else
service ${TOMCAT_SERVICE} start
fi
fi
fi
#################
# Appraiser
#################
if [[ $1 = "appraiser" ]]; then
APPRAISER_SCRIPT="/opt/hirs/appraiser/bin/HIRS_Appraiser"
if [[ -z `grep -o "\-Djavax.net.ssl.keyStorePassword" $APPRAISER_SCRIPT` ]]; then
echo "Configuring Appraiser SSL"
# grab the line number of the JVM options for the client script
VM_OPTS=$(awk '/DEFAULT_JVM_OPTS/{print NR; exit }' ${APPRAISER_SCRIPT})
# append the key store password to the client startup script
sed -i "${VM_OPTS}s/'$/ \"-Djavax.net.ssl.keyStorePassword=${P12_PASSWORD}\"\'/" ${APPRAISER_SCRIPT}
fi
fi
#################
# MySQL/MariaDB
#################
if [[ $1 = "server" ]]; then
MYSQL_CERT_DIR=/etc/hirs/certificates/mysql/
if ! [[ -d $MYSQL_CERT_DIR ]]; then
echo "Configuring MySQL SSL"
# apply MySQL SSL configuration:
mkdir -p $MYSQL_CERT_DIR
# copy CA cert over
cp $CA_CERT $MYSQL_CERT_DIR/
# convert p12 key to pem
openssl pkcs12 -in $INTERNAL_P12 -out $MYSQL_CERT_DIR/hirs.pem -nodes -passin pass:${P12_PASSWORD} -passout pass:
# extract cert from pem into its own file
openssl x509 -in $MYSQL_CERT_DIR/hirs.pem -outform PEM -out $MYSQL_CERT_DIR/hirs-cert.pem
# extract key from pem into its own file
openssl pkey -in $MYSQL_CERT_DIR/hirs.pem -outform PEM -out $MYSQL_CERT_DIR/hirs-key.pem
# make readable to user named 'mysql'
chgrp -R mysql $MYSQL_CERT_DIR
chmod -R 770 $MYSQL_CERT_DIR
# update MySQL/MariaDB SSL and index configuration
if [[ -f /etc/redhat-release ]] ; then
CENTOS_VER=`/opt/hirs/scripts/common/get_centos_major_version.sh`
elif [[ -f /etc/os-release ]] ; then
AMAZON_VER=`/opt/hirs/scripts/common/get_amazon_linux_major_version.sh`
fi
if [ $CENTOS_VER -eq "6" ] ; then
MYSQL_ADDITIONS_FILE=/opt/hirs/scripts/common/my.cnf.el6
elif [ $CENTOS_VER -eq "7" ] || [ $AMAZON_VER -eq "2" ] ; then
MYSQL_ADDITIONS_FILE=/opt/hirs/scripts/common/my.cnf.el7
else
echo "Unsupported Linux detected"
exit 1
fi
sed -i "/\[mysqld\]/r $MYSQL_ADDITIONS_FILE" /etc/my.cnf
if [ $DOCKER_CONTAINER = true ]; then
# If in Docker container, avoid services that invoke the D-Bus
if [[ $(pgrep -c -u mysql mysqld) -ne 0 ]]; then
echo "MariaDB is running, so we'll need to restart it."
mysqladmin shutdown
/usr/libexec/mariadb-prepare-db-dir
nohup /usr/bin/mysqld_safe --basedir=/usr &>/dev/null &
MYSQLD_PID=$(pgrep -u mysql mysqld)
/usr/libexec/mariadb-wait-ready $MYSQLD_PID
fi
else
SQL_SERVICE=`/opt/hirs/scripts/common/get_db_service.sh`
service $SQL_SERVICE restart
fi
fi
fi

92
package/scripts/common/ssl_deconfigure.sh
View File

@ -1,92 +0,0 @@
#!/usr/bin/env bash
# certificates and key stores generated by this script
CERTIFICATES="/etc/hirs/certificates"
#################
# Key Generation
#################
# leave certificate directory intact on uninstall
#################
# ActiveMQ
#################
# no need to deconfigure, as it will be completely removed during uninstall
#################
# Tomcat
#################
if [[ $1 = "server" ]]; then
# determine which version of tomcat is installed
rpm -q tomcat6
if [[ $? -eq 0 ]]; then
TOMCAT_VERSION=`rpm -q --qf="%{VERSION}" tomcat6`
else
TOMCAT_VERSION=`rpm -q --qf="%{VERSION}" tomcat`
fi
TOMCAT_MAJOR_VERSION=`echo $TOMCAT_VERSION | head -c 1`
if [[ $TOMCAT_MAJOR_VERSION = '6' ]]; then
CATALINA_HOME=/usr/share/tomcat6
TOMCAT_SERVICE=tomcat6
TOMCAT_CONF=${CATALINA_HOME}/conf/tomcat6.conf
elif [[ $TOMCAT_MAJOR_VERSION = '7' ]] ; then
CATALINA_HOME=/usr/share/tomcat
TOMCAT_SERVICE=tomcat
TOMCAT_CONF=${CATALINA_HOME}/conf/tomcat.conf
else
echo "Unsupported Tomcat version: ${TOMCAT_MAJOR_VERSION}"
exit 1
fi
if [[ -n `grep -o keystorePass $CATALINA_HOME/conf/server.xml` ]]; then
SERVER_CONF=${CATALINA_HOME}/conf/server.xml
TOMCAT_USERS=${CATALINA_HOME}/conf/tomcat-users.xml
echo "Restoring $TOMCAT_CONF"
sed -i "/^#begin-hirs-conf/,/^#end-hirs-conf/d" "$TOMCAT_CONF"
echo "Restoring $SERVER_CONF"
sed -i "s^<Connector port=\"8443\".*/></Service>^</Service>^" "$SERVER_CONF"
echo "Restoring $TOMCAT_USERS"
sed -i "s/<user username=\"tomcat\" password=\"tomcat\" roles=\"admin,admin-gui,manager,manager-gui.*<\/tomcat-users>/<\/tomcat-users>/" "$TOMCAT_USERS"
fi
fi
#################
# Appraiser
#################
# no need to deconfigure, as it will be completely removed during uninstall
#################
# MySQL/MariaDB
#################
if [[ $1 = "server" ]]; then
MYSQL_CERT_DIR=${CERTIFICATES}/mysql/
if [[ -d $MYSQL_CERT_DIR ]]; then
# stop the database
if [[ $(rpm -qa mariadb*) ]]; then
service mariadb stop
else
service mysqld stop
fi
rm -rf $MYSQL_CERT_DIR
sed -i "/^#begin-hirs-conf/,/^#end-hirs-conf/d" /etc/my.cnf
# start the database
if [[ $(rpm -qa mariadb*) ]]; then
service mariadb start
else
service mysqld start
fi
fi
fi

58
package/scripts/db/db_create.sh
View File

@ -14,7 +14,7 @@ SCRIPT_DIR=$( dirname -- "$( readlink -f -- "$0"; )"; )
SPRING_PROP_FILE="/etc/hirs/aca/application.properties"
ACA_PROP_FILE="/etc/hirs/aca/aca.properties"
DB_ADMIN_PWD=""
DB_USER="hirs_db"
#DB_USER="hirs_db"
# Db Configuration files
DB_SRV_CONF="/etc/my.cnf.d/mariadb-server.cnf"
DB_CLIENT_CONF="/etc/my.cnf.d/client.cnf"
@ -35,55 +35,7 @@ touch $LOG_FILE
mkdir -p /etc/hirs/aca/
mkdir -p /var/log/hirs/
check_for_container () {
# Check if we're in a Docker container
if [[ $(cat /proc/1/sched | head -n 1) == *"bash"* ]]; then
#if [ -f /.dockerenv ]; then
DOCKER_CONTAINER=true
echo "ACA is running in a container..." | tee -a "$LOG_FILE"
else
DOCKER_CONTAINER=false
echo "ACA is not running in a container..." | tee -a "$LOG_FILE"
fi
if [ -d /opt/hirs/scripts/db ]; then
MYSQL_DIR="/opt/hirs/scripts/db"
else
MYSQL_DIR="$SCRIPT_DIR/../db"
fi
echo "Mysql script directory is $MYSQL_DIR"
}
start_mysqlsd () {
# Check if mysql is already running, if not initialize
if [[ $(pgrep -c -u mysql mysqld) -eq 0 ]]; then
# Check if running in a container
if [ $DOCKER_CONTAINER = true ]; then
# if in Docker container, avoid services that invoke the D-Bus
echo "ACA is running in a container..."
# Check if mariadb is setup
if [ ! -d "/var/lib/mysql/mysql/" ]; then
echo "Installing mariadb"
/usr/bin/mysql_install_db > "$LOG_FILE"
chown -R mysql:mysql /var/lib/mysql/
fi
echo "Starting mysql...."
chown -R mysql:mysql /var/log/mariadb
/usr/bin/mysqld_safe &
else
SQL_SERVICE="mariadb"
systemctl $SQL_SERVICE enable
systemctl $SQL_SERVICE start
fi
fi # mysql not running
# Wait for mysql to start before continuing.
echo "Checking mysqld status..."| tee -a "$LOG_FILE"
while ! mysqladmin ping -h "$localhost" --silent; do
sleep 1;
done
echo "mysqld is running."| tee -a "$LOG_FILE"
}
source start_mysqld.sh
check_mysql_root_pwd () {
# Check if DB root password needs to be obtained
@ -111,17 +63,17 @@ check_mysql_root_pwd () {
set_mysql_server_tls () {
# Check DB server setup. If ssl params dont exist then we need to add them.
if [[ $(cat "$DB_SRV_CONF" | grep -c "ssl") < 1 ]]; then
if [[ $(cat "$DB_SRV_CONF" | grep -c "ssl") < 1 ]]; then
# Add TLS files to my.cnf
echo "Updating $DB_SRV_CONF with ssl parameters..." | tee -a "$LOG_FILE"
echo "ssl_ca=$SSL_DB_SRV_CHAIN" >> "$DB_SRV_CONF"
echo "ssl_cert=$SSL_DB_SRV_CERT" >> "$DB_SRV_CONF"
echo "ssl_key=$SSL_DB_SRV_KEY" >> "$DB_SRV_CONF"
# Make sure mysql can access them
# Make sure mysql can access them
chown mysql $SSL_DB_SRV_CHAIN $SSL_DB_SRV_CERT $SSL_DB_SRV_KEY
else
echo "mysql.cnf contians existing entry for ssl, skipping..." | tee -a "$LOG_FILE"
fi
fi
}
set_mysql_client_tls () {

2
package/scripts/db/db_create.sql
View File

@ -1,2 +1,2 @@
CREATE DATABASE IF NOT EXISTS `hirs_db` CHARACTER SET = 'utf8mb4' COLLATE = 'utf8mb4_general_ci';
GRANT ALL ON hirs_db.* TO "hirs_db"@"localhost" IDENTIFIED BY "$HIRS_DB_PWD" REQUIRE SSL;
GRANT ALL ON hirs_db.* TO "hirs_db"@"localhost" IDENTIFIED BY "$HIRS_DB_PWD" REQUIRE X509;

57
package/scripts/db/start_mysqld.sh Normal file
View File

@ -0,0 +1,57 @@
#!/bin/bash
#####################################################################################
#
# Function to check mysql and start if not running.
# Also a function for checking if running in a container
#
#####################################################################################
check_for_container () {
# Check if we're in a Docker container
if [[ $(cat /proc/1/sched | head -n 1) == *"bash"* ]]; then
#if [ -f /.dockerenv ]; then
DOCKER_CONTAINER=true
echo "ACA is running in a container..." | tee -a "$LOG_FILE"
else
DOCKER_CONTAINER=false
echo "ACA is not running in a container..." | tee -a "$LOG_FILE"
fi
if [ -d /opt/hirs/scripts/db ]; then
MYSQL_DIR="/opt/hirs/scripts/db"
else
MYSQL_DIR="$SCRIPT_DIR/../db"
fi
echo "Mysql script directory is $MYSQL_DIR"
}
start_mysqlsd () {
# Check if mysql is already running, if not initialize
if [[ $(pgrep -c -u mysql mysqld) -eq 0 ]]; then
# Check if running in a container
if [ $DOCKER_CONTAINER = true ]; then
# if in Docker container, avoid services that invoke the D-Bus
echo "ACA is running in a container..."
# Check if mariadb is setup
if [ ! -d "/var/lib/mysql/mysql/" ]; then
echo "Installing mariadb"
/usr/bin/mysql_install_db > "$LOG_FILE"
chown -R mysql:mysql /var/lib/mysql/
fi
echo "Starting mysql...."
chown -R mysql:mysql /var/log/mariadb
/usr/bin/mysqld_safe &
else
SQL_SERVICE="mariadb"
systemctl $SQL_SERVICE enable
systemctl $SQL_SERVICE start
fi
fi # mysql not running
# Wait for mysql to start before continuing.
echo "Checking mysqld status..."| tee -a "$LOG_FILE"
while ! mysqladmin ping -h "$localhost" --silent; do
sleep 1;
done
echo "mysqld is running."| tee -a "$LOG_FILE"
}

9
package/scripts/pki/pki_chain_gen.sh
View File

@ -29,6 +29,7 @@ SERVER_DN="/C=US/ST=MD/L=Columbia/O="$ACTOR"/CN="$ACTOR" aca"
# Capture location of the script to allow from invocation from any location
SCRIPT_DIR=$( dirname -- "$( readlink -f -- "$0"; )"; )
TRUSTSTORE=TrustStore.jks
TRUSTSTORE_P12=TrustStore.p12
KEYSTORE=KeyStore.jks
# Parameter check
@ -216,11 +217,15 @@ create_cert_chain () {
# Make JKS files for the mysql DB connector. P12 first then JKS...
openssl pkcs12 -export -in $DB_CLIENT.pem -inkey $DB_CLIENT.key -aes256 \
-passin pass:"$PASS" -aes256 -passout pass:$PASS \
-passin pass:"$PASS"-passout pass:$PASS -aes256 \
-name "mysqlclientkey" -out $DB_CLIENT.p12
keytool -importkeystore -srckeystore $DB_CLIENT.p12 -srcstoretype pkcs12 \
keytool -importkeystore -srckeystore $DB_CLIENT.p12 -srcstoretype PKCS12 \
-srcstorepass $PASS -destkeystore $DB_CLIENT.jks -deststoretype JKS -deststorepass $PASS
# Make a p12 TrustStore
keytool -importkeystore -srckeystore $TRUSTSTORE -destkeystore $TRUSTSTORE_P12 \
-srcstoretype JKS -deststoretype PKCS12 -srcstorepass $pass -deststorepass $pass -noprompt
}
if [ "$ASYM_ALG" == "rsa" ]; then

4
package/scripts/pki/pki_setup.sh
View File

@ -7,6 +7,7 @@
############################################################################################
PROP_FILE=/etc/hirs/aca/application.properties
ACA_PROP=/etc/hirs/aca/aca.properties
LOG_FILE=$1
PKI_PASS=$2
LOG_FILE_NAME="hirs_aca_install_"$(date +%Y-%m-%d).log
@ -30,7 +31,7 @@ fi
# Check for sudo or root user
if [ "$EUID" -ne 0 ]
then echo "The first time this script is run, this script requires root. Please run as root" | tee -a "$LOG_FILE"
then echo "This script requires root. Please run as root" | tee -a "$LOG_FILE"
exit 1
fi
@ -64,6 +65,7 @@ if [ ! -d "/etc/hirs/certificates" ]; then
echo "server.ssl.key-alias=hirs_aca_tls_rsa_3k_sha384">> $PROP_FILE
echo "server.ssl.key-store-password="$PKI_PASS >> $PROP_FILE
echo "server.ssl.trust-store-password="$PKI_PASS >> $PROP_FILE
echo "hirs_pki_password="$PKI_PASS >> $ACA_PROP
else
echo "/etc/hirs/certificates exists, skipping" | tee -a "$LOG_FILE"
fi