mirror of
https://github.com/nsacyber/HIRS.git
synced 2024-12-19 04:58:00 +00:00
Merge pull request #558 from nsacyber/v3_issue_550
[#550] Adds TLS to embedded tomcat
This commit is contained in:
commit
9f9ca12429
@ -3,30 +3,33 @@
|
||||
#spring.mvc.view.prefix=/WEB-INF/jsp/
|
||||
#spring.mvc.view.suffix=.jsp
|
||||
|
||||
# Logging Config (tomcat may have further config)
|
||||
logging.level.org.springframework=INFO
|
||||
logging.level.org.apache.catalina=DEBUG
|
||||
|
||||
# Database Config
|
||||
spring.jpa.hibernate.ddl-auto=update
|
||||
spring.datasource.url=jdbc:mariadb://localhost:3306/hirs_db?autoReconnect=true&useSSL=false
|
||||
spring.datasource.username=hirs_db
|
||||
spring.datasource.password=hirs_db
|
||||
jakarta.persistence.sharedCache.mode = UNSPECIFIED
|
||||
|
||||
spring.datasource.driver-class-name=org.mariadb.jdbc.Driver
|
||||
#spring.datasource.driver-class-name=com.mysql.cj.jdbc.Driver
|
||||
#spring.datasource.driverClassName=com.mysql.cj.jdbc.Driver
|
||||
|
||||
server.tomcat.accesslog.enabled=true
|
||||
server.tomcat.accesslog.directory=logs
|
||||
server.tomcat.accesslog.file-date-format=yyyy-MM-dd
|
||||
server.tomcat.accesslog.prefix=access_log
|
||||
server.tomcat.accesslog.suffix=.log
|
||||
server.tomcat.accesslog.rotate=true
|
||||
|
||||
# Tomcat Config
|
||||
server.tomcat.additional-tld-skip-patterns=jakarta.persistence-api*.jar, jakarta.xml.bind-api*.jar, txw2*.jar, *commons*.jar, *annotations*.jar, *checker*.jar, *lombok*.jar, *jsr*.jar, *guava*.jar, *access*.jar, *activation*.jar, *bcprov*.jar, *bcmail*.jar, *bcutil*.jar, *bcpkix*.jar, *json*.jar
|
||||
server.tomcat.basedir=/opt/embeddedtomcat
|
||||
server.servlet.register-default-servlet=true
|
||||
server.servlet.context-path=/HIRS_AttestationCAPortal
|
||||
spring.mvc.servlet.path=/portal
|
||||
|
||||
server.tomcat.accesslog.enabled=true
|
||||
server.tomcat.accesslog.directory=/var/log/hirs
|
||||
server.tomcat.accesslog.file-date-format=yyyy-MM-dd
|
||||
server.tomcat.accesslog.prefix=Tomcat_accesslog_
|
||||
server.tomcat.accesslog.suffix=.log
|
||||
server.tomcat.accesslog.rotate=true
|
||||
|
||||
#jdbc.driverClassName = com.mysql.cj.jdbc.Driver
|
||||
#jdbc.url = jdbc:mysql://localhost:3306/hirs_db?autoReconnect=true&useSSL=false
|
||||
#jdbc.username = root
|
||||
@ -34,3 +37,6 @@ spring.mvc.servlet.path=/portal
|
||||
#entitymanager.packagesToScan: hirs.attestationca.portal.page.controllers
|
||||
#spring.jpa.hibernate.ddl-auto=update
|
||||
#spring.jpa.show-sql=true
|
||||
|
||||
# DB dfault password.
|
||||
spring.datasource.password=hirs_db
|
||||
|
@ -4,7 +4,7 @@
|
||||
<Console name="STDOUT" target="SYSTEM_OUT">
|
||||
<PatternLayout pattern="%d{yyyy-MM-dd HH:mm:ss} [%C.%M] %-5p : %m%n"/>
|
||||
</Console>
|
||||
<RollingFile name="FILE" fileName="./logs/HIRS_AttestationCA_Portal.log"
|
||||
<RollingFile name="FILE" fileName="/var/log/hirs/HIRS_AttestationCA_Portal.log"
|
||||
filePattern="./logs/HIRS_AttestationCA_Portal.log-%d{yyyy-MM-dd}-%i.log" >
|
||||
<PatternLayout>
|
||||
<pattern>%d{yyyy-MM-dd HH:mm:ss} [%C.%M] %-5p : %m%n</pattern>
|
||||
|
13
package/scripts/aca/aca_bootRun.sh
Normal file
13
package/scripts/aca/aca_bootRun.sh
Normal file
@ -0,0 +1,13 @@
|
||||
#!/bin/bash
|
||||
#####################################################################################
|
||||
#
|
||||
# Script to run ACA using the gradle spring pluing bootRun command with password set
|
||||
#
|
||||
#
|
||||
####################################################################################
|
||||
|
||||
CONFIG_FILE="/etc/hirs/aca/application.properties"
|
||||
|
||||
echo "Starting HIRS ACA on https://localhost:8443/HIRS_AttestationCAPortal/portal/index"
|
||||
|
||||
./gradlew bootRun --args="--spring.config.location=$CONFIG_FILE"
|
@ -1,27 +0,0 @@
|
||||
#!/bin/bash
|
||||
|
||||
# Create aca.poperties file
|
||||
|
||||
pki_password=$1
|
||||
|
||||
rm -f /etc/hirs/aca.properties
|
||||
aca_prop_file="/etc/hirs/aca.properties"
|
||||
|
||||
echo '# *** ACA Directories ***
|
||||
aca.directories.root = /etc/hirs/
|
||||
aca.directories.certificates = ${aca.directories.root}/certificates' > $aca_prop_file
|
||||
|
||||
echo '# *** Certificate and Key Properties ***
|
||||
aca.setup.keys.rsa.keySize = 3072
|
||||
aca.setup.keys.ecc.keySize = 512
|
||||
aca.setup.certificates.validity = 3652
|
||||
aca.setup.certificates.subjectName = HIRS_AttestationCA
|
||||
aca.setup.certificates.expiration = ${aca.setup.certificates.validity}' >> $aca_prop_file
|
||||
|
||||
echo '# *** Keystore properties ***
|
||||
aca.keyStore.alias = HIRS_ACA_KEY
|
||||
aca.keyStore.rsa.alias = hirs_leaf_ca1_rsa_3072_sha384
|
||||
aca.keyStore.ecc.alias = hirs_leaf_ca1_ecc_512_sha384
|
||||
aca.keyStore.location = ${aca.directories.certificates}/keyStore.jks
|
||||
aca.keyStore.password = '$pki_password >> $aca_prop_file
|
||||
|
@ -1,23 +1,50 @@
|
||||
#!/bin/bash
|
||||
# Capture location of the script to allow from invocation from any location
|
||||
SCRIPT_DIR=$( dirname -- "$( readlink -f -- "$0"; )"; )
|
||||
SPRING_PROP_FILE='../../../HIRS_AttestationCAPortal/src/main/resources/application.properties'
|
||||
HIRS_CONF_DIR=/etc/hirs/aca
|
||||
LOG_FILE_NAME="hirs_aca_install_"$(date +%Y-%m-%d).log
|
||||
LOG_DIR="/var/log/hirs/"
|
||||
HIRS_PROP_DIR="/opt/hirs/default-properties"
|
||||
COMP_JSON='../../../HIRS_AttestationCA/src/main/resources/component-class.json'
|
||||
VENDOR_TABLE='../../../HIRS_AttestationCA/src/main/resources/vendor-table.json'
|
||||
LOG_FILE="$LOG_DIR$LOG_FILE_NAME"
|
||||
echo "LOG_FILE is $LOG_FILE"
|
||||
|
||||
pushd $SCRIPT_DIR
|
||||
if [ "$EUID" -ne 0 ]
|
||||
then echo "The first time this script is run, this script requires root. Please run as root"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
sh ../db/db_create.sh
|
||||
mkdir -p $HIRS_CONF_DIR $LOG_DIR $HIRS_PROP_DIR
|
||||
|
||||
echo "HIRS ACA Setup initiated on $(date +%Y-%m-%d)" > "$LOG_FILE"
|
||||
|
||||
pushd $SCRIPT_DIR &>/dev/null
|
||||
|
||||
|
||||
# Copy HIRS configuration and data files if not a package install
|
||||
if [ -f $SPRING_PROP_FILE ]; then
|
||||
cp -n $SPRING_PROP_FILE $HIRS_CONF_DIR/.
|
||||
cp -n $COMP_JSON $HIRS_PROP_DIR/.
|
||||
cp -n $VENDOR_TABLE $HIRS_PROP_DIR/.
|
||||
fi
|
||||
|
||||
sh ../db/db_create.sh $LOG_FILE
|
||||
if [ $? -eq 0 ]; then
|
||||
echo "ACA database setup complete"
|
||||
echo "ACA database setup complete" | tee -a "$LOG_FILE"
|
||||
else
|
||||
echo "Error setting up ACA DB"
|
||||
echo "Error setting up ACA DB" | tee -a "$LOG_FILE"
|
||||
exit 1
|
||||
fi
|
||||
sh ../pki/pki_setup.sh
|
||||
sh ../pki/pki_setup.sh $LOG_FILE
|
||||
if [ $? -eq 0 ]; then
|
||||
echo "ACA PKI setup complete"
|
||||
echo "ACA PKI setup complete" | tee -a "$LOG_FILE"
|
||||
else
|
||||
echo "Error setting up ACA PKI"
|
||||
echo "Error setting up ACA PKI" | tee -a "$LOG_FILE"
|
||||
exit 1
|
||||
fi
|
||||
echo "ACA setup complete"
|
||||
|
||||
popd
|
||||
echo "ACA setup complete" | tee -a "$LOG_FILE"
|
||||
|
||||
popd &>/dev/null
|
@ -1,9 +0,0 @@
|
||||
# *** ACA Directories ***
|
||||
aca.directories.root = /etc/hirs/
|
||||
aca.directories.certificates = ${aca.directories.root}/certificates
|
||||
# *** Certificate and Key Properties ***
|
||||
aca.setup.keys.rsa.keySize = 3072
|
||||
aca.setup.keys.ecc.keySize = 512
|
||||
aca.setup.certificates.validity = 3652
|
||||
aca.setup.certificates.subjectName = HIRS_AttestationCA
|
||||
aca.setup.certificates.expiration = ${aca.setup.certificates.validity}
|
@ -23,6 +23,11 @@ organizationalUnitName = optional
|
||||
commonName = optional
|
||||
emailAddress = optional
|
||||
|
||||
[ alternate_names ]
|
||||
DNS.1 = localhost
|
||||
DNS.2 = localhost.localdomain
|
||||
DNS.3 = 127.0.0.1
|
||||
|
||||
[ ca_extensions ]
|
||||
keyUsage = critical,digitalSignature,nonRepudiation,keyEncipherment,keyCertSign
|
||||
basicConstraints = critical,CA:true,pathlen:1
|
||||
@ -35,19 +40,17 @@ crlDistributionPoints = URI:https://example.com/crl
|
||||
|
||||
[ server_extensions ]
|
||||
keyUsage = critical,digitalSignature,keyEncipherment
|
||||
basicConstraints = CA:false
|
||||
extendedKeyUsage = serverAuth,clientAuth
|
||||
subjectKeyIdentifier = hash
|
||||
authorityKeyIdentifier = keyid:always
|
||||
authorityInfoAccess = caIssuers;URI:https://example.com/certs
|
||||
authorityInfoAccess = caIssuers;URI:https://example.com/certs
|
||||
crlDistributionPoints = URI:https://example.com/crl
|
||||
subjectAltName = @alternate_names
|
||||
|
||||
[ signer_extensions ]
|
||||
keyUsage = critical,digitalSignature,nonRepudiation,keyEncipherment
|
||||
subjectKeyIdentifier = hash
|
||||
authorityKeyIdentifier = keyid:always,issuer
|
||||
basicConstraints = critical,CA:false
|
||||
keyUsage = critical, digitalSignature
|
||||
authorityInfoAccess = caIssuers;URI:https://example.com/certs/
|
||||
crlDistributionPoints = URI:https://example.com/crl
|
||||
|
||||
crlDistributionPoints = URI:https://example.com/crl
|
@ -20,6 +20,7 @@ ASYM_ALG=$2
|
||||
ASYM_SIZE=$3
|
||||
HASH_ALG=$4
|
||||
PASS=$5
|
||||
LOG_FILE=$6
|
||||
ROOT_DN="/C=US/ST=MD/L=Columbia/O="$ACTOR"/CN="$ACTOR" test root ca"
|
||||
INT_DN="/C=US/ST=MD/L=Columbia/O="$ACTOR"/CN="$ACTOR" test intermediate ca"
|
||||
LEAF_DN="/C=US/ST=MD/L=Columbia/O="$ACTOR"/CN="$ACTOR" test ca"
|
||||
@ -32,13 +33,17 @@ KEYSTORE=KeyStore.jks
|
||||
|
||||
# Parameter check
|
||||
if [ -z "${ACTOR}" ] || [ -z "${ASYM_ALG}" ] || [ -z "${ASYM_SIZE}" ] || [ -z "${HASH_ALG}" ] || [ "${ACTOR}" == "-h" ] || [ "${ACTOR}" == "--help" ]; then
|
||||
echo "parameter missing to pki_chain_gen.sh, exiting pki setup"
|
||||
echo "parameter missing to pki_chain_gen.sh, exiting pki setup" | tee -a "$LOG_FILE"
|
||||
exit 1;
|
||||
fi
|
||||
|
||||
if ! { [ $ASYM_ALG == "rsa" ] || [ $ASYM_ALG == "ecc" ]; }; then
|
||||
echo "$ASYM_ALG is an unsupported assymetric algorithm, exiting pki setup"
|
||||
exit 1
|
||||
echo "$ASYM_ALG is an unsupported assymetric algorithm, exiting pki setup" | tee -a "$LOG_FILE"
|
||||
exit 1;
|
||||
fi
|
||||
|
||||
if [ -z ${LOG_FILE} ]; then
|
||||
LOG_FILE="/dev/null"
|
||||
fi
|
||||
|
||||
case $ASYM_SIZE in
|
||||
@ -52,7 +57,7 @@ case $ASYM_SIZE in
|
||||
3072) KSIZE=3k;;
|
||||
4096) KSIZE=4k;;
|
||||
*)
|
||||
echo "$ASYM_SIZE is an unsupported key size, exiting pki setup"
|
||||
echo "$ASYM_SIZE is an unsupported key size, exiting pki setup" | tee -a "$LOG_FILE"
|
||||
exit 1;;
|
||||
esac
|
||||
|
||||
@ -76,21 +81,37 @@ TLS_DN="/C=US/ST=MD/L=Columbia/O="$ACTOR"/CN="$NAME" portal"
|
||||
|
||||
# Add check for existing folder and halt if it exists
|
||||
if [ -d "$ACTOR_ALT"/"$CERT_FOLDER" ]; then
|
||||
echo "Folder for $CERT_FOLDER exists, exiting..."
|
||||
echo "Folder for $CERT_FOLDER exists, exiting..." | tee -a "$LOG_FILE"
|
||||
exit 1;
|
||||
fi
|
||||
|
||||
# Intialize sub folders
|
||||
#echo "Creating PKI for $ACTOR_ALT using $KSIZE $ASYM_ALG and $HASH_ALG..."
|
||||
echo "Creating PKI for $ACTOR_ALT using $KSIZE $ASYM_ALG and $HASH_ALG..." | tee -a "$LOG_FILE"
|
||||
|
||||
mkdir -p "$ACTOR_ALT" "$ACTOR_ALT"/"$CERT_FOLDER" "$ACTOR_ALT"/ca/certs
|
||||
cp ca.conf "$ACTOR_ALT"/.
|
||||
pushd "$ACTOR_ALT" &> /dev/null
|
||||
touch ca/db
|
||||
touch openssl-san.cnf
|
||||
if [ ! -f "ca/serial.txt" ]; then
|
||||
echo "01" > ca/serial.txt
|
||||
echo "01" > ca/serial.txt | tee -a "$LOG_FILE"
|
||||
fi
|
||||
|
||||
# Function to add Cert to Truststore and key to Keystore
|
||||
add_to_stores () {
|
||||
CERT_PATH=$1
|
||||
ALIAS=${CERT_PATH#*/} # Use filename without path as an alias
|
||||
echo "Addding $ALIAS to the $TRUSTSTORE and $KEYSTORE" | tee -a "$LOG_FILE"
|
||||
# Add the cert and key to the key store. make a p12 file to import into te keystore
|
||||
openssl pkcs12 -export -in "$CERT_PATH".pem -inkey "$CERT_PATH".key -out tmpkey.p12 -passin pass:"$PASS" -aes256 -passout pass:$PASS >> "$LOG_FILE" 2>&1
|
||||
# Use the p12 file to import into a java keystore via keytool
|
||||
keytool -importkeystore -srckeystore tmpkey.p12 -destkeystore $KEYSTORE -srcstoretype pkcs12 -srcstorepass $PASS -deststoretype jks -deststorepass $PASS -noprompt -alias 1 -destalias -J-Dcom.redhat.fips=false "$ALIAS" >> "$LOG_FILE" 2>&1
|
||||
# Import the cert into a java trust store via keytool
|
||||
keytool -import -keystore $TRUSTSTORE -storepass $PASS -file "$CERT_PATH".pem -noprompt -alias "$ALIAS" -J-Dcom.redhat.fips=false >> "$LOG_FILE" 2>&1
|
||||
# Remove the temp p1 file.
|
||||
rm tmpkey.p12
|
||||
}
|
||||
|
||||
# Function to create an Intermediate Key, CSR, and Certificate
|
||||
# PARMS:
|
||||
# 1. Cert Type String
|
||||
@ -101,27 +122,23 @@ create_cert () {
|
||||
CERT_PATH="$1"
|
||||
ISSUER="$2"
|
||||
SUBJ_DN="$3"
|
||||
EXTENSION="$4"
|
||||
ISSUER_KEY="$ISSUER".key
|
||||
ISSUER_CERT="$ISSUER".pem
|
||||
ALIAS=${CERT_PATH#*/} # Use filename without path as an alias
|
||||
|
||||
if [ "$CERT_TYPE" == "rim_signer" ]; then
|
||||
EXTENSION="signer_extensions"
|
||||
else
|
||||
EXTENSION="ca_extensions"
|
||||
fi
|
||||
|
||||
echo "Creating cert for "$CERT_TYPE" using $ISSUER_KEY with a DN="$SUBJ_DN"..."
|
||||
echo "Creating cert using "$ISSUER_KEY" with a DN="$SUBJ_DN"..." | tee -a "$LOG_FILE"
|
||||
|
||||
if [ "$ASYM_ALG" == "rsa" ]; then
|
||||
openssl req -newkey rsa:"$ASYM_SIZE" \
|
||||
-keyout "$CERT_PATH".key \
|
||||
-out "$CERT_PATH".csr -subj "$SUBJ_DN" \
|
||||
-passout pass:"$PASS" &> /dev/null
|
||||
-passout pass:"$PASS" >> "$LOG_FILE" 2>&1
|
||||
else
|
||||
openssl ecparam -genkey -name "$ECC_NAME" -out "$CERT_PATH".key &> /dev/null
|
||||
openssl req -new -key "$CERT_PATH".key -out "$CERT_PATH".csr -$HASH_ALG -subj "$SUBJ_DN" &> /dev/null
|
||||
openssl ecparam -genkey -name "$ECC_NAME" -out "$CERT_PATH".key >> "$LOG_FILE" 2>&1
|
||||
openssl req -new -key "$CERT_PATH".key -out "$CERT_PATH".csr -$HASH_ALG -subj "$SUBJ_DN" >> "$LOG_FILE" 2>&1
|
||||
fi
|
||||
|
||||
openssl ca -config ca.conf \
|
||||
-keyfile "$ISSUER_KEY" \
|
||||
-md $HASH_ALG \
|
||||
@ -131,17 +148,18 @@ create_cert () {
|
||||
-in "$CERT_PATH".csr \
|
||||
-passin pass:"$PASS" \
|
||||
-batch \
|
||||
-notext &> /dev/null
|
||||
-notext >> "$LOG_FILE" 2>&1
|
||||
# Increment the cert serial number
|
||||
awk -F',' '{printf("%s\t%d\n",$1,$2+1)}' ./ca/serial.txt &> /dev/null
|
||||
SERIAL=$(awk -F',' '{printf("%s\t%d\n",$1,$2+1)}' ./ca/serial.txt)
|
||||
echo "Cert Serial Number = $SERIAL" >> "$LOG_FILE";
|
||||
# remove csr file
|
||||
rm -f "$CERT_PATH".csr
|
||||
# Add the cert and key to the key store. make a p12 file to import into te keystore
|
||||
openssl pkcs12 -export -in "$CERT_PATH".pem -inkey "$CERT_PATH".key -out tmpkey.p12 -passin pass:"$PASS" -passout pass:$PASS
|
||||
openssl pkcs12 -export -in "$CERT_PATH".pem -inkey "$CERT_PATH".key -out tmpkey.p12 -passin pass:"$PASS" -aes256 -passout pass:$PASS >> "$LOG_FILE" 2>&1
|
||||
# Use the p12 file to import into a java keystore via keytool
|
||||
keytool -importkeystore -srckeystore tmpkey.p12 -destkeystore $KEYSTORE -srcstoretype pkcs12 -srcstorepass $PASS -deststoretype jks -deststorepass $PASS -noprompt -alias 1 -destalias "$ALIAS" &> /dev/null
|
||||
keytool -importkeystore -srckeystore tmpkey.p12 -destkeystore $KEYSTORE -srcstoretype pkcs12 -srcstorepass $PASS -deststoretype jks -deststorepass $PASS -noprompt -alias 1 -destalias -J-Dcom.redhat.fips=false "$ALIAS" >> "$LOG_FILE" 2>&1
|
||||
# Import the cert into a java trust store via keytool
|
||||
keytool -import -keystore $TRUSTSTORE -storepass $PASS -file "$CERT_PATH".pem -noprompt -alias "$ALIAS" &> /dev/null
|
||||
keytool -import -keystore $TRUSTSTORE -storepass $PASS -file "$CERT_PATH".pem -noprompt -alias "$ALIAS" -J-Dcom.redhat.fips=false >> "$LOG_FILE" 2>&1
|
||||
# Remove the temp p1 file.
|
||||
rm tmpkey.p12
|
||||
}
|
||||
@ -149,53 +167,58 @@ create_cert () {
|
||||
create_cert_chain () {
|
||||
|
||||
# Create an intermediate CA, Sign with Root CA
|
||||
create_cert "$PKI_INT" "$PKI_ROOT" "$INT_DN"
|
||||
create_cert "$PKI_INT" "$PKI_ROOT" "$INT_DN" "ca_extensions"
|
||||
|
||||
# Create a Leaf CA (CA1), Sign with intermediate CA
|
||||
create_cert "$PKI_CA1" "$PKI_INT" "$LEAF_DN"1
|
||||
create_cert "$PKI_CA1" "$PKI_INT" "$LEAF_DN"1 "ca_extensions"
|
||||
|
||||
# Create a Leaf CA (CA2), Sign with intermediate CA
|
||||
|
||||
create_cert "$PKI_CA2" "$PKI_INT" "$LEAF_DN"2
|
||||
create_cert "$PKI_CA2" "$PKI_INT" "$LEAF_DN"2 "ca_extensions"
|
||||
|
||||
# Create a Leaf CA (CA3), Sign with intermediate CA
|
||||
|
||||
create_cert "$PKI_CA3" "$PKI_INT" "$LEAF_DN"3
|
||||
create_cert "$PKI_CA3" "$PKI_INT" "$LEAF_DN"3 "ca_extensions"
|
||||
|
||||
# Create a RIM Signer
|
||||
create_cert "$RIM_SIGNER" "$PKI_CA2" "$SIGNER_DN"
|
||||
create_cert "$RIM_SIGNER" "$PKI_CA2" "$SIGNER_DN" "signer_extensions"
|
||||
|
||||
# Create a ACA Sever Cert for TLS use
|
||||
create_cert "$TLS_SERVER" "$PKI_CA3" "$TLS_DN"
|
||||
create_cert "$TLS_SERVER" "$PKI_CA3" "$TLS_DN" "server_extensions"
|
||||
|
||||
# Create Cert trust store by adding the Intermediate and root certs
|
||||
cat "$PKI_CA1.pem" "$PKI_CA2.pem" "$PKI_CA3.pem" "$PKI_INT.pem" "$PKI_ROOT.pem" > "$TRUST_STORE_FILE"
|
||||
|
||||
# echo "Checking signer cert using tust store..."
|
||||
openssl verify -CAfile "$TRUST_STORE_FILE" $RIM_SIGNER.pem
|
||||
openssl verify -CAfile "$TRUST_STORE_FILE" $RIM_SIGNER.pem | tee -a "$LOG_FILE"
|
||||
}
|
||||
|
||||
if [ "$ASYM_ALG" == "rsa" ]; then
|
||||
if [ "$ASYM_ALG" == "rsa" ]; then
|
||||
# Create Root CA key pair and self signed cert
|
||||
openssl genrsa -out "$PKI_ROOT".key -passout pass:"$PASS" "$ASYM_SIZE" &> /dev/null
|
||||
|
||||
echo "Generating RSA Root CA ...." | tee -a "$LOG_FILE"
|
||||
openssl genrsa -out "$PKI_ROOT".key -passout pass:"$PASS" "$ASYM_SIZE" >> "$LOG_FILE" 2>&1
|
||||
|
||||
# Create a self signed CA certificate
|
||||
openssl req -new -config ca.conf -x509 -days 3650 -key "$PKI_ROOT".key -subj "$ROOT_DN" \
|
||||
-extensions ca_extensions -out "$PKI_ROOT".pem \
|
||||
-passout pass:"$PASS" &> /dev/null
|
||||
-passout pass:"$PASS" >> "$LOG_FILE" 2>&1
|
||||
# Add the CA root cert to the Trust and Key stores
|
||||
add_to_stores $PKI_ROOT
|
||||
# Create an intermediate CA, 2 Leaf CAs, and Signer Certs
|
||||
create_cert_chain
|
||||
create_cert_chain
|
||||
fi
|
||||
|
||||
if [ "$ASYM_ALG" == "ecc" ]; then
|
||||
# Create Root CA key pair and self signed cert
|
||||
openssl ecparam -genkey -name "$ECC_NAME" -out "$PKI_ROOT".key
|
||||
echo "Generating Ecc Root CA ...." | tee -a "$LOG_FILE"
|
||||
openssl ecparam -genkey -name "$ECC_NAME" -out "$PKI_ROOT".key >> "$LOG_FILE" 2>&1
|
||||
|
||||
# Create a self signed CA certificate
|
||||
openssl req -new -config ca.conf -x509 -days 3650 -key "$PKI_ROOT".key -subj "$ROOT_DN" \
|
||||
-extensions ca_extensions -out "$PKI_ROOT".pem \
|
||||
-passout pass:"$PASS"
|
||||
-passout pass:"$PASS" >> "$LOG_FILE" 2>&1
|
||||
# Add the CA root cert to the Trust and Key stores
|
||||
add_to_stores $PKI_ROOT
|
||||
# Create an intermediate CA, 2 Leaf CAs, and Signer Certs
|
||||
create_cert_chain
|
||||
fi
|
||||
|
||||
fi
|
@ -6,48 +6,59 @@
|
||||
#
|
||||
############################################################################################
|
||||
|
||||
PROP_FILE=/etc/hirs/aca/application.properties
|
||||
LOG_FILE=$1
|
||||
|
||||
# Capture location of the script to allow from invocation from any location
|
||||
SCRIPT_DIR=$( dirname -- "$( readlink -f -- "$0"; )"; )
|
||||
echo "SCRIPT_DIR is $SCRIPT_DIR" | tee -a "$LOG_FILE"
|
||||
|
||||
# Check for sudo or root user
|
||||
if [ "$EUID" -ne 0 ]
|
||||
then echo "The first time this script is run, this script requires root. Please run as root" | tee -a "$LOG_FILE"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
# Set HIRS PKI password
|
||||
if [ -z $HIRS_PKI_PWD ]; then
|
||||
# Create a 32 character random password
|
||||
PKI_PASS=$(head -c 64 /dev/urandom | md5sum | tr -dc 'a-zA-Z0-9')
|
||||
#PKI_PASS="xrb204k"
|
||||
fi
|
||||
|
||||
# Create an ACA properties file using the new password
|
||||
pushd $SCRIPT_DIR &> /dev/null
|
||||
if [ ! -f "/etc/hirs/aca/aca.properties" ]; then
|
||||
if [ -d /opt/hirs/scripts/aca ]; then
|
||||
ACA_SETUP_DIR="/opt/hirs/scripts/aca"
|
||||
else
|
||||
ACA_SETUP_DIR=="$SCRIPT_DIR/../aca"
|
||||
fi
|
||||
echo "ACA_SETUP_DIR is $ACA_SETUP_DIR"
|
||||
sh $ACA_SETUP_DIR/aca_property_setup.sh $PKI_PASS
|
||||
echo "Using randomly generated password" | tee -a "$LOG_FILE"
|
||||
else
|
||||
echo "aca property file exists, skipping"
|
||||
fi
|
||||
|
||||
popd &> /dev/null
|
||||
PKI_PASS=$HIRS_PKI_PWD
|
||||
echo "Using system supplied password" | tee -a "$LOG_FILE"
|
||||
fi
|
||||
|
||||
# Create Cert Chains
|
||||
if [ ! -d "/etc/hirs/certificates" ]; then
|
||||
|
||||
if [ -d /opt/hirs/scripts/pki ]; then
|
||||
if [ -d "/opt/hirs/scripts/pki" ]; then
|
||||
PKI_SETUP_DIR="/opt/hirs/scripts/pki"
|
||||
else
|
||||
PKI_SETUP_DIR=="$SCRIPT_DIR/../pki"
|
||||
PKI_SETUP_DIR="$SCRIPT_DIR"
|
||||
fi
|
||||
echo "PKI_SETUP_DIR is $PKI_SETUP_DIR"
|
||||
echo "PKI_SETUP_DIR is $PKI_SETUP_DIR" | tee -a "$LOG_FILE"
|
||||
|
||||
mkdir -p /etc/hirs/certificates/ | tee -a "$LOG_FILE"
|
||||
|
||||
mkdir -p /etc/hirs/certificates/
|
||||
|
||||
pushd /etc/hirs/certificates/ &> /dev/null
|
||||
cp $PKI_SETUP_DIR/ca.conf .
|
||||
sh $PKI_SETUP_DIR/pki_chain_gen.sh "HIRS" "rsa" "3072" "sha384" "$PKI_PASS"
|
||||
sh $PKI_SETUP_DIR/pki_chain_gen.sh "HIRS" "ecc" "512" "sha384" "$PKI_PASS"
|
||||
sh $PKI_SETUP_DIR/pki_chain_gen.sh "HIRS" "rsa" "3072" "sha384" "$PKI_PASS" "$LOG_FILE"
|
||||
sh $PKI_SETUP_DIR/pki_chain_gen.sh "HIRS" "ecc" "512" "sha384" "$PKI_PASS" "$LOG_FILE"
|
||||
popd &> /dev/null
|
||||
|
||||
# Add tomcat TLS support to the application.properties file
|
||||
echo "# Tomcat TLS support">> $PROP_FILE
|
||||
echo "server.port=8443">> $PROP_FILE
|
||||
echo "server.ssl.enabled=true">> $PROP_FILE
|
||||
echo "server.ssl.trust-store-type=JKS">> $PROP_FILE
|
||||
echo "server.ssl.trust-store=/etc/hirs/certificates/HIRS/TrustStore.jks">> $PROP_FILE
|
||||
echo "server.ssl.trust-alias=hirs_aca_tls_rsa_3k_sha384">> $PROP_FILE
|
||||
echo "server.ssl.key-store-type=JKS">> $PROP_FILE
|
||||
echo "server.ssl.key-store=/etc/hirs/certificates/HIRS/KeyStore.jks">> $PROP_FILE
|
||||
echo "server.ssl.key-alias=hirs_aca_tls_rsa_3k_sha384">> $PROP_FILE
|
||||
echo "server.ssl.key-store-password="$PKI_PASS >> $PROP_FILE
|
||||
echo "server.ssl.trust-store-password="$PKI_PASS >> $PROP_FILE
|
||||
else
|
||||
echo "/etc/hirs/certificates exists, skipping"
|
||||
echo "/etc/hirs/certificates exists, skipping" | tee -a "$LOG_FILE"
|
||||
fi
|
||||
|
Loading…
Reference in New Issue
Block a user