Added aca_setup_check.sh

HIRS_AttestationCAPortal/build.gradle

@@ -52,7 +52,7 @@ dependencies {
     implementation 'org.apache.tomcat.embed:tomcat-embed-jasper:10.1.5'
 
     compileOnly 'org.projectlombok:lombok'
-    runtimeOnly 'org.mariadb.jdbc:mariadb-java-client:3.1.0'
+    implementation 'org.mariadb.jdbc:mariadb-java-client:3.1.4'
     annotationProcessor 'org.projectlombok:lombok'
     providedRuntime 'org.springframework.boot:spring-boot-starter-tomcat'
 

package/scripts/aca/aca_bootRun.sh

@@ -13,6 +13,8 @@ RSA_PATH=rsa_3k_sha384_certs
 ECC_PATH=ecc_512_sha384_certs
 SCRIPT_DIR=$( dirname -- "$( readlink -f -- "$0"; )"; )
 LOG_FILE=/dev/null
+GRADLE_WRAPPER="./gradlew"
+
 source $SCRIPT_DIR/../db/start_mysqld.sh
 
 if [ $ALG = "RSA" ]; then 
@@ -41,39 +43,37 @@ if [ ! -d "$CERT_PATH" ]; then
      exit 1;
 fi
 
+if [ ! -f "$GRADLE_WRAPPER" ]; then
+    echo "This script needs to be run from the HIRS top level project directory. Exiting."
+    exit 1;
+fi
+
 echo "Starting HIRS ACA on https://localhost:8443/HIRS_AttestationCAPortal/portal/index"
 
 source /etc/hirs/aca/aca.properties;
 
-echo "Client Keystore is $CLIENT_DB_P12"
-echo "DB using $hirs_db_username user and user password $hirs_db_password"
-echo "Server PKI chain is $CERT_CHAIN"
-echo "Server password is $hirs_pki_password"
-echo "Tomcat key alias is $ALIAS"
-
 # Run the embedded tomcat server with Web TLS enabled and database client TLS enabled by overrding critical parameters
 # Note "&" is a sub parameter continuation, space represents a new parameter. Spaces and quotes matter.
 # hibernate.connection.url is used for the DB connector which established DB TLS connectivity
 # server.ssl arguments support the embeded tomcats use of TLS for the ACA Portal
-ARGS="--hibernate.connection.url=\"jdbc:mariadb://localhost:3306/hirs_db?autoReconnect=true&\
-user=\"$hirs_db_username\"&\
-password=\"$hirs_db_password\"&\
+CONNECTOR_PARAMS="--hibernate.connection.url=jdbc:mariadb://localhost:3306/hirs_db?autoReconnect=true&\
+user=$hirs_db_username&\
+password=$hirs_db_password&\
 sslMode=VERIFY_CA&\
 serverSslCert=$CERT_CHAIN&\
 keyStoreType=PKCS12&\
-keyStorePassword=\"$hirs_pki_password\"&\
-keyStore="$CLIENT_DB_P12" \
---server.ssl.key-store-password=\"$hirs_pki_password\" \
---server.ssl.trust-store-password=\"$hirs_pki_password\"\""
+keyStorePassword=$hirs_pki_password&\
+keyStore="$CLIENT_DB_P12" "
 
-# --hibernate.connection.driver_class=\"org.mariadb.jdbc.Driver\" \
+WEB_TLS_PARAMS="--server.ssl.key-store-password=$hirs_pki_password \
+--server.ssl.trust-store-password=$hirs_pki_password"
 
-echo "--args="$ARGS""
+echo "--args=\"$CONNECTOR_PARAMS $WEB_TLS_PARAMS\""
 
 if [ "$USE_WAR" == "war" ]; then
     echo "Booting the ACA from a $USE_WAR file..."
-    java -jar HIRS_AttestationCAPortal/build/libs/HIRS_AttestationCAPortal.war $ARGS
+    java -jar HIRS_AttestationCAPortal/build/libs/HIRS_AttestationCAPortal.war $CONNECTOR_PARAMS$WEB_TLS_PARAMS
 else 
    echo "Booting the ACA from local build..."
-   ./gradlew bootRun --args="\"$ARGS\""
+ ./gradlew bootRun --args="$CONNECTOR_PARAMS$WEB_TLS_PARAMS"
 fi

package/scripts/aca/aca_check_setup.sh

@@ -0,0 +1,192 @@
+#!/bin/bash
+############################################################################################
+# Checks the setup for the ACA:
+# 
+############################################################################################
+
+SCRIPT_DIR=$( dirname -- "$( readlink -f -- "$0"; )"; )
+LOG_FILE=/dev/null
+CERT_PATH="/etc/hirs/certificates/HIRS/"
+RSA_PATH=rsa_3k_sha384_certs
+ECC_PATH=ecc_512_sha384_certs
+
+RSA_HIRS_ROOT="HIRS_root_ca_rsa_3k_sha384.pem"
+RSA_HIRS_INTERMEDIATE="HIRS_intermediate_ca_rsa_3k_sha384.pem"
+RSA_HIRS_CA1="HIRS_leaf_ca1_rsa_3k_sha384.pem"
+RSA_HIRS_CA2="HIRS_leaf_ca2_rsa_3k_sha384.pem"
+RSA_HIRS_CA3="HIRS_leaf_ca3_rsa_3k_sha384.pem"
+RSA_TRUST_STORE="HIRS_rsa_3k_sha384_Cert_Chain.pem"
+RSA_RIM_SIGNER="HIRS_rim_signer_rsa_3k_sha384.pem"
+RSA_DB_CLIENT_CERT="HIRS_db_client_rsa_3k_sha384.pem"
+RSA_DN_SRV_CERT="HIRS_db_srv_rsa_3k_sha384.pem"
+RSA_WEB_TLS_CERT="HIRS_aca_tls_rsa_3k_sha384.pem"
+
+ECC_HIRS_ROOT="HIRS_root_ca_ecc_512_sha384.pem"
+ECC_HIRS_INTERMEDIATE="HIRS_intermediate_ca_ecc_512_sha384.pem"
+ECC_HIRS_CA1="HIRS_leaf_ca1_ecc_512_sha384.pem"
+ECC_HIRS_CA2="HIRS_leaf_ca2_ecc_512_sha384.pem"
+ECC_HIRS_CA3="HIRS_leaf_ca3_ecc_512_sha384.pem"
+
+ECC_TRUST_STORE="HIRS_ecc_512_sha384_Cert_Chain.pem"
+ECC_RIM_SIGNER="HIRS_rim_signer_ecc_512_sha384.pem"
+ECC_DB_CLIENT_CERT="HIRS_db_client_ecc_512_sha384.pem"
+ECC_DN_SRV_CERT="HIRS_db_srv_ecc_512_sha384.pem"
+ECC_WEB_TLS_CERT="HIRS_aca_tls_ecc_512_sha384.pem"
+
+DB_SRV_CONF="/etc/my.cnf.d/mariadb-server.cnf"
+DB_CLIENT_CONF="/etc/my.cnf.d/client.cnf"
+ALL_CHECKS_PASSED=true
+
+# Check for Admin privileges
+if [ "$EUID" -ne 0 ]; then
+      echo "This script requires root.  Please run as root"
+      exit 1
+fi
+# Check install setup pki files
+if [ ! -d $CERT_PATH ]; then
+  echo "$CERT_PATH directory does not exist. Please run aca_setup.sh and try again."
+     exit 1;
+fi
+
+source /etc/hirs/aca/aca.properties;
+
+check_pwds () {
+
+PRESENT=true
+echo "Checking if ACA passwords are in aca.properties"
+ if [ -z $hirs_pki_password ]; then
+   echo "hirs pki password not set" 
+   PRESENT=false 
+ fi
+ if [ -z $hirs_db_username ]; then
+   echo "hirs db username not set"
+   PRESENT=false 
+ fi
+ if [ -z $hirs_db_password ]; then
+   echo "hirs db password not set"
+   PRESENT=false  
+ fi
+ if [ $PRESENT ]; then
+   echo "   HIRS passwords were created"
+  else
+   echo "   ERROR finding HIRS passwords"
+   ALL_CHECKS_PASSED=false
+ fi
+}
+check_mysql () {
+  echo "Checking mysqld status..."
+  if [[ $(pgrep -c -u mysql mysqld) -ne 0 ]]; then
+      echo "   mysql process exists..."
+    else
+      echo "   mysqld process does NOT exist, attempting to restart mysql..."
+    /usr/bin/mysqld_safe &
+  fi
+ 
+ # Wait for mysql to start before continuing.
+
+  while ! mysqladmin ping -h "$localhost" --silent; do
+     sleep 1;
+  done
+
+  echo "   mysqld is running."
+  
+  # Check DB server/client TLS setup.
+  if [[ $(cat "$DB_SRV_CONF" | grep -c "ssl") < 1 ]]; then
+     echo "   Mysql server is NOT configured for Server Side TLS"
+     ALL_CHECKS_PASSED=false
+   else
+     echo "   Mysql server is configured for Server Side TLS"
+  fi
+  if [[ $(cat "$DB_CLIENT_CONF" | grep -c "ssl") < 1 ]]; then
+      echo "   Mysql client is NOT configured for command line use of TLS without provding key/cert ino the commandline"
+      ALL_CHECKS_PASSED=false
+    else
+       echo "   Mysql client is configured for command line use of TLS"
+  fi
+  
+  if [ ! -z $mysql_admin_password ]; then
+      echo "Listing mysql users:"
+      mysql -u root --password=$mysql_admin_password -e "Select user from mysql.user;"
+      echo "Listing all databses:"
+      mysql -u root --password=$mysql_admin_password -e "show databases;"
+  fi
+}
+
+check_pki () {
+ echo "Checking HIRS PKI certificates"
+  if [ ! -d "/etc/hirs/certificates" ]; then
+     echo "/etc/hirs/certificates doesn't exists, was aca_setup.sh run ? /
+           Skipping PKI Checks." 
+  fi
+
+  pushd $CERT_PATH$RSA_PATH
+   echo "   Checking HIRS RSA certs using trust store..."
+   echo "     "$(openssl verify -CAfile "$RSA_TRUST_STORE" $RSA_HIRS_ROOT)
+   echo "     "$(openssl verify -CAfile "$RSA_TRUST_STORE" $RSA_HIRS_INTERMEDIATE)
+   echo "     "$(openssl verify -CAfile "$RSA_TRUST_STORE" $RSA_HIRS_CA1)
+   echo "     "$(openssl verify -CAfile "$RSA_TRUST_STORE" $RSA_HIRS_CA2)
+   echo "     "$(openssl verify -CAfile "$RSA_TRUST_STORE" $RSA_HIRS_CA3)
+   echo "     "$(openssl verify -CAfile "$RSA_TRUST_STORE" $RSA_RIM_SIGNER)
+   echo "     "$(openssl verify -CAfile "$RSA_TRUST_STORE" $RSA_DN_SRV_CERT)
+   echo "     "$(openssl verify -CAfile "$RSA_TRUST_STORE" $RSA_DB_CLIENT_CERT)
+   echo "     "$(openssl verify -CAfile "$RSA_TRUST_STORE" $RSA_WEB_TLS_CERT)
+  popd  > /dev/null
+  pushd $CERT_PATH$ECC_PATH
+   echo "    Checking HIRS ECC certs using tust store..." 
+   echo "     "$(openssl verify -CAfile "$ECC_TRUST_STORE" $ECC_HIRS_ROOT)
+   echo "     "$(openssl verify -CAfile "$ECC_TRUST_STORE" $ECC_HIRS_INTERMEDIATE)
+   echo "     "$(openssl verify -CAfile "$ECC_TRUST_STORE" $ECC_HIRS_CA1)
+   echo "     "$(openssl verify -CAfile "$ECC_TRUST_STORE" $ECC_HIRS_CA2)
+   echo "     "$(openssl verify -CAfile "$ECC_TRUST_STORE" $ECC_HIRS_CA3)
+   echo "     "$(openssl verify -CAfile "$ECC_TRUST_STORE" $ECC_RIM_SIGNER)
+   echo "     "$(openssl verify -CAfile "$ECC_TRUST_STORE" $ECC_DN_SRV_CERT)
+   echo "     "$(openssl verify -CAfile "$ECC_TRUST_STORE" $ECC_DB_CLIENT_CERT)
+   echo "     "$(openssl verify -CAfile "$ECC_TRUST_STORE" $ECC_WEB_TLS_CERT)
+  popd  > /dev/null
+
+  echo "   Checking KeyStore, Keystore aliases, and pki password"
+  echo "   Keystore alias list:"
+    keytool -list -keystore  /etc/hirs/certificates/HIRS/TrustStore.jks  -storepass $hirs_pki_password | grep hirs | sed -e 's/^/     /'
+  if [ $? -eq 0 ]; then
+      echo "   HIRS pki password is correct"
+    else
+      echo "   HIRS pki password is NOT correct"
+      ALL_CHECKS_PASSED=false
+  fi
+}
+
+check_db () {
+  echo "Check DB server SSL config..."
+  RESULT=$(mysql -u hirs_db --password=$hirs_db_password -e "SHOW VARIABLES LIKE '%have_ssl%'" |  grep -o YES )
+  if [ "$RESULT" == "YES" ]; then
+      echo "   Mysql is configured for Server side TLS:"
+    else
+      echo "   Mysql is NOT configured for Server side TLS:"
+      ALL_CHECKS_PASSED=false
+  fi
+  mysql -u hirs_db --password=$hirs_db_password -e "SHOW VARIABLES LIKE '%have_ssl%'" 
+  echo "   Show hirs_db user config"
+  mysql -u hirs_db --password=$hirs_db_password -e "SHOW CREATE USER 'hirs_db'@'localhost';"
+  echo "   Show databases accessable to the hirs_db user:"
+  RESULT=$(mysqlshow --user=hirs_db --password=$hirs_db_password hirs_db|  grep -o hirs_db)
+  if [ "$RESULT" == "hirs_db" ]; then
+      echo "   The hirs_db database is visable by the hirs_db user"
+    else
+      echo "   The hirs_db database is NOT visable by the hirs_db user"
+      ALL_CHECKS_PASSED=false
+  fi
+  mysql -u hirs_db --password=$hirs_db_password -e "SHOW DATABASES;";
+  echo "Showing privileges for the hirs_db user"
+  mysql -u hirs_db --password=$hirs_db_password -e "SHOW GRANTS FOR 'hirs_db'@'localhost'" 
+}
+
+check_pwds
+check_pki
+check_mysql
+check_db
+
+if [ $ALL_CHECKS_PASSED = true  ]; then
+  echo "ACA setup checks passed!"
+else
+  echo "ACA setup checks failed."
+fi

package/scripts/aca/aca_remove_setup.sh

@@ -0,0 +1,27 @@
+#!/bin/bash
+#####################################################################################
+#
+# Script to remove ACA setup files and database items.
+# 
+#
+#####################################################################################
+
+SCRIPT_DIR=$( dirname -- "$( readlink -f -- "$0"; )"; )
+LOG_FILE=/dev/null
+
+# Check for Admin privileges
+if [ "$EUID" -ne 0 ]; then
+      echo "This script requires root.  ACA setup not removed. Please run as root."
+      exit 1
+fi
+
+# remove the hrs-db and hirs_db user
+pushd $SCRIPT_DIR/../db/
+sh db_drop.sh
+popd
+
+# remove pki files and config files
+echo "Removing certificates and config files..."
+rm -rf /etc/hirs
+
+echo "ACA setup removal complete."

package/scripts/aca/aca_setup.sh

@@ -5,12 +5,15 @@ SPRING_PROP_FILE='../../../HIRS_AttestationCAPortal/src/main/resources/applicati
 HIRS_CONF_DIR=/etc/hirs/aca
 LOG_FILE_NAME="hirs_aca_install_"$(date +%Y-%m-%d).log 
 LOG_DIR="/var/log/hirs/"
+LOG_FILE="$LOG_DIR$LOG_FILE_NAME"
 HIRS_PROP_DIR="/opt/hirs/default-properties"
 COMP_JSON='../../../HIRS_AttestationCA/src/main/resources/component-class.json'
 VENDOR_TABLE='../../../HIRS_AttestationCA/src/main/resources/vendor-table.json'
-LOG_FILE="$LOG_DIR$LOG_FILE_NAME"
+
 echo "LOG_FILE is $LOG_FILE"
 
+ echo "HIRS_MYSQL_ROOT_PWD is $HIRS_MYSQL_ROOT_PWD"
+ 
 if [ "$EUID" -ne 0 ]
       then echo "This script requires root.  Please run as root"
       exit 1
@@ -28,6 +31,10 @@ while [[ $# -gt 0 ]]; do
       ARG_SKIP_DB=YES
       shift # past argument
       ;;
+    --skip-pki)
+      ARG_SKIP_PKI=YES
+      shift # past argument
+      ;;
     -*|--*)
       echo "aca_setup.sh: Unknown option $1"
       ;;
@@ -61,7 +68,7 @@ if [ -f $SPRING_PROP_FILE ]; then
    cp -n $VENDOR_TABLE $HIRS_PROP_DIR/.
 fi
 
-if [ -z "${ARG_SKIP_DB}" ]; then
+if [ -z "${ARG_SKIP_PKI}" ]; then
    sh ../pki/pki_setup.sh $LOG_FILE $PKI_PASS
    if [ $? -eq 0 ]; then 
         echo "ACA PKI  setup complete" | tee -a "$LOG_FILE"
@@ -69,15 +76,20 @@ if [ -z "${ARG_SKIP_DB}" ]; then
         echo "Error setting up ACA PKI" | tee -a "$LOG_FILE"
       exit 1
    fi
-   echo "Warning: Database setup not run due to command line argument: $@" | tee -a "$LOG_FILE"
+   else
+      echo "Warning: Database setup not run due to command line argument: $@" | tee -a "$LOG_FILE"
 fi
 
-sh ../db/db_create.sh $LOG_FILE
-if [ $? -eq 0 ]; then
-    echo "ACA database setup complete" | tee -a "$LOG_FILE"
-  else
-    echo "Error setting up ACA DB" | tee -a "$LOG_FILE"
+if [ -z "${ARG_SKIP_DB}" ]; then
+   sh ../db/db_create.sh $LOG_FILE
+   if [ $? -eq 0 ]; then
+      echo "ACA database setup complete" | tee -a "$LOG_FILE"
+    else
+      echo "Error setting up ACA DB" | tee -a "$LOG_FILE"
     exit 1
+   fi
+   else
+      echo "Warning: Database setup not run due to command line argument: $@" | tee -a "$LOG_FILE"
 fi
 
  echo "ACA setup complete" | tee -a "$LOG_FILE"

package/scripts/db/db_create.sh

@@ -29,21 +29,30 @@ SSL_DB_CLIENT_KEY="/etc/hirs/certificates/HIRS/rsa_3k_sha384_certs/HIRS_db_clien
 
 touch $ACA_PROP_FILE
 touch $LOG_FILE
-#touch /.dockerenv
+touch $DB_SRV_CONF
 
 # Make sure required paths exist
 mkdir -p /etc/hirs/aca/
 mkdir -p /var/log/hirs/
 
-source start_mysqld.sh
+source $SCRIPT_DIR/start_mysqld.sh
+source $ACA_PROP_FILE 
 
 check_mysql_root_pwd () {
   # Check if DB root password needs to be obtained
+  echo "HIRS_MYSQL_ROOT_PWD is $HIRS_MYSQL_ROOT_PWD"
   if [ -z $HIRS_MYSQL_ROOT_PWD ]; then
 	 # Create a 32 character random password
 	 echo "Using randomly generated password for the DB admin" | tee -a "$LOG_FILE"
 	 DB_ADMIN_PWD=$(head -c 64 /dev/urandom | md5sum | tr -dc 'a-zA-Z0-9')
-	 echo "DB Admin will be set to $DB_ADMIN_PWD, please make note for next mysql use."
+	 echo "DB Admin will be set to $DB_ADMIN_PWD , please make note for next mysql use."
+	 read -p "Do you wish to save this password to the aca.properties file? " confirm
+	 if [[ $confirm == [yY] || $confirm == [yY][eE][sS] ]]; then
+	    echo "mysql_admin_password=$DB_ADMIN_PWD" >> $ACA_PROP_FILE
+	    echo "Password saved."
+	   else
+	    echo "Password not saved."
+	 fi
 	 mysqladmin --user=root password "$DB_ADMIN_PWD"
   else
     DB_ADMIN_PWD=$HIRS_MYSQL_ROOT_PWD
@@ -83,30 +92,30 @@ if [[ $(cat "$DB_CLIENT_CONF" | grep -c "ssl") < 1 ]]; then
   echo "ssl_ca=$SSL_DB_CLIENT_CHAIN" >> $DB_CLIENT_CONF
   echo "ssl_cert=$SSL_DB_CLIENT_CERT" >> $DB_CLIENT_CONF
   echo "ssl_key=$SSL_DB_CLIENT_KEY" >> $DB_CLIENT_CONF
+  chown mysql $SSL_DB_CLIENT_CHAIN $SSL_DB_CLIENT_CERT $SSL_DB_CLIENT_KEY 
 fi
 }
 
-# Process HIRS DB USER ...
+# Process HIRS DB USER
 set_hirs_db_pwd () {
-# Check if Mysql HIRS DB  password set by system variable or set to random number
-  if [ -z $HIRS_DB_PWD ]; then
-     HIRS_DB_PWD=$(head -c 64 /dev/urandom | md5sum | tr -dc 'a-zA-Z0-9')
+
+   RESULT="$(mysql -u root --password=$DB_ADMIN_PWD -e "SELECT EXISTS(SELECT 1 FROM mysql.user WHERE user = 'hirs_db')")"
+   if [ "$RESULT" = 1 ]; then
+      echo "hirs-db user exists"
+      HIRS_DB_PWD=$hirs_db_password
+   else   
+   # Check if Mysql HIRS DB  password set by system variable or set to random number
+     if [ -z $HIRS_DB_PWD ]; then
+       HIRS_DB_PWD=$(head -c 64 /dev/urandom | md5sum | tr -dc 'a-zA-Z0-9')
+     fi
+
+     echo "hirs_db_username=hirs_db" >> $ACA_PROP_FILE
+     echo "hirs_db_password=$HIRS_DB_PWD" >> $ACA_PROP_FILE
   fi
 
-  # Remove any existing password for hirs db
-  if [ -f $ACA_PROP_FILE ];then
-     sed -i '/hirs_db_username/d' $ACA_PROP_FILE &>/dev/null
-     sed -i '/hirs_db_password/d' $ACA_PROP_FILE &>/dev/null
-  fi
-
-  echo "hirs_db_username=hirs_db" >> $ACA_PROP_FILE
-  echo "hirs_db_password=$HIRS_DB_PWD" >> $ACA_PROP_FILE
-
-  echo "hir_db user password is $HIRS_DB_PWD"
-  echo "mysql root password is $DB_ADMIN_PWD"
 }
 
-# Create a hirs_db user with client side TLS enabled
+# Create a hirs_db with client side TLS enabled
 create_hirs_db_with_tls () {
   # Check if hirs_db not created and create it if it wasn't
   mysqlshow --user=root --password="$DB_ADMIN_PWD" | grep "hirs_db" > /dev/null 2>&1
@@ -120,10 +129,11 @@ create_hirs_db_with_tls () {
 }
 
 # HIRS ACA Mysqld processing ...
+check_mariadb_install
 check_for_container
 set_mysql_server_tls
 set_mysql_client_tls
-set_hirs_db_pwd
 start_mysqlsd
 check_mysql_root_pwd
+set_hirs_db_pwd
 create_hirs_db_with_tls

package/scripts/db/db_drop.sh

@@ -1,21 +1,60 @@
 #!/bin/bash
 
-PASS=$1
+SRV_CNF=/etc/my.cnf.d/mariadb-server.cnf
+CLIENT_CNF=/etc/my.cnf.d/client.cnf
 SCRIPT_DIR=$( dirname -- "$( readlink -f -- "$0"; )";)
+LOG_FILE=/dev/null
 
- if [ -d /opt/hirs/scripts/db ]; then
+source /etc/hirs/aca/aca.properties;
+source $SCRIPT_DIR/start_mysqld.sh
+
+# Check for sudo or root user, not actually needed but a good idea 
+if [ "$EUID" -ne 0 ]
+     then echo "This script requires root.  Please run as root" 
+     exit 1
+fi
+
+if [ -z $mysql_admin_password ]; then
+  read -p "Enter mysql root password" DB_ADMIN_PWD
+  else 
+      DB_ADMIN_PWD=$mysql_admin_password
+fi
+
+if [ -d /opt/hirs/scripts/db ]; then
     MYSQL_DIR="/opt/hirs/scripts/db"
   else
    MYSQL_DIR="$SCRIPT_DIR"
 fi
 
-echo "dropping hirs database"
+echo "dropping hirs_db database"
 
- 
 if pgrep  mysqld >/dev/null 2>&1; then
-  if [ -z ${PASS} ]; then
-    mysql -u "root" < $MYSQL_DIR/db_drop.sql
-  else
-    mysql -u "root" -p$PASS  < $MYSQL_DIR/db_drop.sql
-  fi
+    mysql -u "root" --password=$DB_ADMIN_PWD < $MYSQL_DIR/db_drop.sql
+    echo "hirs_db databse and hirs_db user removed"
+   else
+ echo "mysql is not running. DB was not removed." 
 fi
+
+# reset the mysql root if the password was left in the properties fiel
+if [ ! -z $mysql_admin_password ]; then
+     echo "Resetting mysql root password to empty"
+     mysql -u root --password=$mysql_admin_password -e "SET PASSWORD FOR "root@localhost" = PASSWORD('');"
+     echo "Current list of databases:"
+     mysql -u "root" -e "SHOW DATABASES;"
+     echo "Current list of users:"
+     mysql -u root -e "Select user from mysql.user;"
+   else
+     echo "Note root password was NOT reset"
+fi
+
+# Remove key , cert and truststore entries from client.cnf andf mariadb.cnf
+
+echo "Removing hirs cert references from mariadb configuration files"
+grep -v "hirs" $SRV_CNF > tmpfile && mv tmpfile $SRV_CNF
+grep -v "hirs" $CLIENT_CNF > tmpfile && mv tmpfile $CLIENT_CNF
+
+echo "restarting mariadb"
+pkill mysql
+sleep 2;
+check_for_container
+start_mysqlsd

package/scripts/db/reset_hirs_db_user.sh

@@ -0,0 +1,45 @@
+#!/bin/bash
+
+SCRIPT_DIR=$( dirname -- "$( readlink -f -- "$0"; )"; )
+
+source /etc/hirs/aca/aca.properties;
+
+if [ -z $mysql_admin_password ]; then
+  read -p "Enter mysql root password" DB_ADMIN_PWD
+  else 
+      DB_ADMIN_PWD=$mysql_admin_password
+fi
+
+if [ -z $hirs_db_password ]; then
+  read -p "Enter mysql root password" hirs_db_password
+  else 
+      HIRS_DB_PWD=$hirs_db_password
+fi
+
+echo "HIRS_DB_PWD is $HIRS_DB_PWD"
+echo "DB_ADMIN_PWD is $DB_ADMIN_PWD"
+
+# check if hirs_db user exists
+RESULT="$(mysql -u root --password=$DB_ADMIN_PWD -sse "SELECT EXISTS(SELECT 1 FROM mysql.user WHERE user = 'hirs_db')")"
+
+if [ "$RESULT" = 1 ]; then
+  echo "hirs_db user found, dropping hirs-db user"
+  mysql -u root --password=$DB_ADMIN_PWD -e "DROP USER 'hirs_db'@'localhost'"
+  if [ $? -ne 0 ]; then
+     echo "Removing the existing hirs_db user failed"
+     else
+     echo "Removing the existing hirs_db was successful"
+  fi
+  else
+  echo "no hirs_db user found, creating one..."
+fi
+
+echo "Creating hirs_db user"
+mysql -u root --password=$DB_ADMIN_PWD -e "CREATE USER 'hirs_db'@'localhost' IDENTIFIED BY 'hirs_db';" 
+mysql -u root --password=$DB_ADMIN_PWD -e "ALTER USER 'hirs_db'@'localhost' IDENTIFIED BY '"$HIRS_DB_PWD"'; FLUSH PRIVILEGES;"
+mysql -u root --password=$DB_ADMIN_PWD -e "GRANT ALL ON hirs_db.* TO 'hirs_db'@'localhost' REQUIRE X509;"
+mysql -u root --password=$DB_ADMIN_PWD -e "FLUSH PRIVILEGES;"
+
+echo "Checking hirs_db user..."
+# check user
+mysql -u hirs_db --password=$HIRS_DB_PWD -e "SHOW DATABASES;";

package/scripts/db/start_mysqld.sh

@@ -24,6 +24,16 @@ check_for_container () {
   echo "Mysql script directory is $MYSQL_DIR"
 }
 
+check_mariadb_install () {
+   type mysql >/dev/null 2>&1 && installed=true || installed=false
+   if [ $installed = true ]; then
+      echo "mysql has been installed"
+    else
+      echo "mysql has NOT been installed, aborting install"
+      exit 1;
+   fi 
+}
+
 start_mysqlsd () {
    # Check if mysql is already running, if not initialize
    if [[ $(pgrep -c -u mysql mysqld) -eq 0 ]]; then
@@ -40,12 +50,14 @@ start_mysqlsd () {
        echo "Starting mysql...."
        chown -R mysql:mysql /var/log/mariadb
        /usr/bin/mysqld_safe &
-     else
+     else #not a container
        SQL_SERVICE="mariadb"
-       systemctl $SQL_SERVICE enable
-       systemctl $SQL_SERVICE start
+       systemctl enable $SQL_SERVICE 
+       systemctl start $SQL_SERVICE 
      fi
-   fi  # mysql not running 
+     else # mysql running
+     echo "mysql process running.."
+   fi   
 
   # Wait for mysql to start before continuing.
   echo "Checking mysqld status..."| tee -a "$LOG_FILE"
@@ -54,4 +66,5 @@ start_mysqlsd () {
   done
 
   echo "mysqld is running."| tee -a "$LOG_FILE"
-}
+}
+

package/scripts/pki/pki_chain_gen.sh

@@ -172,7 +172,7 @@ create_cert () {
    # remove csr file
    rm -f "$CERT_PATH".csr
    # Add the cert and key to the key store. make a p12 file to import into te keystore
-   openssl pkcs12 -export -in "$CERT_PATH".pem -inkey "$CERT_PATH".key -out tmpkey.p12 -passin pass:"$PASS" -aes256 -passout pass:$PASS  >> "$LOG_FILE" 2>&1
+   openssl pkcs12 -export -in "$CERT_PATH".pem -inkey "$CERT_PATH".key -out tmpkey.p12 -passin pass:$PASS -aes256 -passout pass:$PASS  >> "$LOG_FILE" 2>&1
    # Use the p12 file to import into a java keystore via keytool
    keytool -importkeystore -srckeystore tmpkey.p12 -destkeystore $KEYSTORE -srcstoretype pkcs12 -srcstorepass $PASS -deststoretype jks -deststorepass $PASS -noprompt -alias 1 -destalias -J-Dcom.redhat.fips=false "$ALIAS" >> "$LOG_FILE" 2>&1 
    # Import the cert into a java trust store via keytool
@@ -212,20 +212,16 @@ create_cert_chain () {
    # Create Cert trust store by adding the Intermediate and root certs 
    cat "$PKI_CA1.pem" "$PKI_CA2.pem" "$PKI_CA3.pem" "$PKI_INT.pem" "$PKI_ROOT.pem" >  "$TRUST_STORE_FILE"
 
- # echo "Checking signer cert using tust store..." 
+   # echo "Checking signer cert using tust store..." 
    openssl verify -CAfile "$TRUST_STORE_FILE" $RIM_SIGNER.pem | tee -a "$LOG_FILE"
-   
+
    # Make JKS files for the mysql DB connector. P12 first then JKS...
    openssl pkcs12 -export -in $DB_CLIENT.pem -inkey $DB_CLIENT.key -aes256 \
-        -passin pass:"$PASS"-passout pass:$PASS -aes256  \
-        -name "mysqlclientkey" -out $DB_CLIENT.p12
+        -passin pass:$PASS -passout pass:$PASS -aes256  \
+        -name "mysqlclientkey" -out $DB_CLIENT.p12 >> "$LOG_FILE" 2>&1
 
    keytool -importkeystore -srckeystore $DB_CLIENT.p12 -srcstoretype PKCS12 \
-         -srcstorepass $PASS -destkeystore $DB_CLIENT.jks -deststoretype JKS -deststorepass $PASS
-         
-   # Make a p12 TrustStore 
-   keytool -importkeystore -srckeystore $TRUSTSTORE -destkeystore $TRUSTSTORE_P12 \
-         -srcstoretype JKS -deststoretype PKCS12 -srcstorepass $pass -deststorepass $pass -noprompt
+         -srcstorepass $PASS -destkeystore $DB_CLIENT.jks -deststoretype JKS -deststorepass $PASS >> "$LOG_FILE" 2>&1
 }
 
 if [ "$ASYM_ALG" == "rsa" ]; then

package/scripts/pki/pki_setup.sh

@@ -6,7 +6,7 @@
 #
 ############################################################################################
 
-PROP_FILE=/etc/hirs/aca/application.properties
+#PROP_FILE=/etc/hirs/aca/application.properties
 ACA_PROP=/etc/hirs/aca/aca.properties
 LOG_FILE=$1
 PKI_PASS=$2
@@ -39,10 +39,10 @@ fi
 if [ ! -d "/etc/hirs/certificates" ]; then
   
    if [ -d "/opt/hirs/scripts/pki" ]; then
-            PKI_SETUP_DIR="/opt/hirs/scripts/pki"
-         else
-            PKI_SETUP_DIR="$SCRIPT_DIR"
-      fi
+         PKI_SETUP_DIR="/opt/hirs/scripts/pki"
+      else
+         PKI_SETUP_DIR="$SCRIPT_DIR"
+   fi
       echo "PKI_SETUP_DIR is $PKI_SETUP_DIR" | tee -a "$LOG_FILE"
 
   mkdir -p /etc/hirs/certificates/ | tee -a "$LOG_FILE"
@@ -54,17 +54,17 @@ if [ ! -d "/etc/hirs/certificates" ]; then
   popd &> /dev/null
 
   # Add tomcat TLS support to the application.properties file 
-  echo "# Tomcat TLS support">> $PROP_FILE
-  echo "server.port=8443">> $PROP_FILE
-  echo "server.ssl.enabled=true">> $PROP_FILE
-  echo "server.ssl.trust-store-type=JKS">> $PROP_FILE
-  echo "server.ssl.trust-store=/etc/hirs/certificates/HIRS/TrustStore.jks">> $PROP_FILE
-  echo "server.ssl.trust-alias=hirs_aca_tls_rsa_3k_sha384">> $PROP_FILE
-  echo "server.ssl.key-store-type=JKS">> $PROP_FILE
-  echo "server.ssl.key-store=/etc/hirs/certificates/HIRS/KeyStore.jks">> $PROP_FILE
-  echo "server.ssl.key-alias=hirs_aca_tls_rsa_3k_sha384">> $PROP_FILE
-  echo "server.ssl.key-store-password="$PKI_PASS >> $PROP_FILE
-  echo "server.ssl.trust-store-password="$PKI_PASS >> $PROP_FILE
+  #echo "# Tomcat TLS support">> $PROP_FILE
+  #echo "server.port=8443">> $PROP_FILE
+  #echo "server.ssl.enabled=true">> $PROP_FILE
+  #echo "server.ssl.trust-store-type=JKS">> $PROP_FILE
+  #echo "server.ssl.trust-store=/etc/hirs/certificates/HIRS/TrustStore.jks">> $PROP_FILE
+  #echo "server.ssl.trust-alias=hirs_aca_tls_rsa_3k_sha384">> $PROP_FILE
+  #echo "server.ssl.key-store-type=JKS">> $PROP_FILE
+  #echo "server.ssl.key-store=/etc/hirs/certificates/HIRS/KeyStore.jks">> $PROP_FILE
+  #echo "server.ssl.key-alias=hirs_aca_tls_rsa_3k_sha384">> $PROP_FILE
+  #echo "server.ssl.key-store-password="$PKI_PASS >> $PROP_FILE
+  #echo "server.ssl.trust-store-password="$PKI_PASS >> $PROP_FILE
   echo "hirs_pki_password="$PKI_PASS >>  $ACA_PROP
 else 
   echo "/etc/hirs/certificates exists, skipping" | tee -a "$LOG_FILE"