From aef7a2b9acbb8b9ddba17c38486a7e1f5ba5f777 Mon Sep 17 00:00:00 2001 From: iadgovuser26 Date: Wed, 23 Aug 2023 16:30:06 -0400 Subject: [PATCH] Added aca_setup_check.sh --- HIRS_AttestationCAPortal/build.gradle | 2 +- package/scripts/aca/aca_bootRun.sh | 34 ++-- package/scripts/aca/aca_check_setup.sh | 192 +++++++++++++++++++++++ package/scripts/aca/aca_remove_setup.sh | 27 ++++ package/scripts/aca/aca_setup.sh | 28 +++- package/scripts/db/db_create.sh | 50 +++--- package/scripts/db/db_drop.sh | 57 +++++-- package/scripts/db/reset_hirs_db_user.sh | 45 ++++++ package/scripts/db/start_mysqld.sh | 23 ++- package/scripts/pki/pki_chain_gen.sh | 16 +- package/scripts/pki/pki_setup.sh | 32 ++-- 11 files changed, 420 insertions(+), 86 deletions(-) create mode 100644 package/scripts/aca/aca_check_setup.sh create mode 100644 package/scripts/aca/aca_remove_setup.sh create mode 100644 package/scripts/db/reset_hirs_db_user.sh diff --git a/HIRS_AttestationCAPortal/build.gradle b/HIRS_AttestationCAPortal/build.gradle index 78672323..13b1a08f 100644 --- a/HIRS_AttestationCAPortal/build.gradle +++ b/HIRS_AttestationCAPortal/build.gradle @@ -52,7 +52,7 @@ dependencies { implementation 'org.apache.tomcat.embed:tomcat-embed-jasper:10.1.5' compileOnly 'org.projectlombok:lombok' - runtimeOnly 'org.mariadb.jdbc:mariadb-java-client:3.1.0' + implementation 'org.mariadb.jdbc:mariadb-java-client:3.1.4' annotationProcessor 'org.projectlombok:lombok' providedRuntime 'org.springframework.boot:spring-boot-starter-tomcat' diff --git a/package/scripts/aca/aca_bootRun.sh b/package/scripts/aca/aca_bootRun.sh index bbecedd8..8b8b0a59 100644 --- a/package/scripts/aca/aca_bootRun.sh +++ b/package/scripts/aca/aca_bootRun.sh @@ -13,6 +13,8 @@ RSA_PATH=rsa_3k_sha384_certs ECC_PATH=ecc_512_sha384_certs SCRIPT_DIR=$( dirname -- "$( readlink -f -- "$0"; )"; ) LOG_FILE=/dev/null +GRADLE_WRAPPER="./gradlew" + source $SCRIPT_DIR/../db/start_mysqld.sh if [ $ALG = "RSA" ]; then 
@@ -41,39 +43,37 @@ if [ ! -d "$CERT_PATH" ]; then exit 1; fi +if [ ! -f "$GRADLE_WRAPPER" ]; then + echo "This script needs to be run from the HIRS top level project directory. Exiting." + exit 1; +fi + echo "Starting HIRS ACA on https://localhost:8443/HIRS_AttestationCAPortal/portal/index" source /etc/hirs/aca/aca.properties; -echo "Client Keystore is $CLIENT_DB_P12" -echo "DB using $hirs_db_username user and user password $hirs_db_password" -echo "Server PKI chain is $CERT_CHAIN" -echo "Server password is $hirs_pki_password" -echo "Tomcat key alias is $ALIAS" - # Run the embedded tomcat server with Web TLS enabled and database client TLS enabled by overrding critical parameters # Note "&" is a sub parameter continuation, space represents a new parameter. Spaces and quotes matter. # hibernate.connection.url is used for the DB connector which established DB TLS connectivity # server.ssl arguments support the embeded tomcats use of TLS for the ACA Portal -ARGS="--hibernate.connection.url=\"jdbc:mariadb://localhost:3306/hirs_db?autoReconnect=true&\ -user=\"$hirs_db_username\"&\ -password=\"$hirs_db_password\"&\ +CONNECTOR_PARAMS="--hibernate.connection.url=jdbc:mariadb://localhost:3306/hirs_db?autoReconnect=true&\ +user=$hirs_db_username&\ +password=$hirs_db_password&\ sslMode=VERIFY_CA&\ serverSslCert=$CERT_CHAIN&\ keyStoreType=PKCS12&\ -keyStorePassword=\"$hirs_pki_password\"&\ -keyStore="$CLIENT_DB_P12" \ ---server.ssl.key-store-password=\"$hirs_pki_password\" \ ---server.ssl.trust-store-password=\"$hirs_pki_password\"\"" +keyStorePassword=$hirs_pki_password&\ +keyStore="$CLIENT_DB_P12" " -# --hibernate.connection.driver_class=\"org.mariadb.jdbc.Driver\" \ +WEB_TLS_PARAMS="--server.ssl.key-store-password=$hirs_pki_password \ +--server.ssl.trust-store-password=$hirs_pki_password" -echo "--args="$ARGS"" +echo "--args=\"$CONNECTOR_PARAMS $WEB_TLS_PARAMS\"" if [ "$USE_WAR" == "war" ]; then echo "Booting the ACA from a $USE_WAR file..." 
- java -jar HIRS_AttestationCAPortal/build/libs/HIRS_AttestationCAPortal.war $ARGS + java -jar HIRS_AttestationCAPortal/build/libs/HIRS_AttestationCAPortal.war $CONNECTOR_PARAMS$WEB_TLS_PARAMS else echo "Booting the ACA from local build..." - ./gradlew bootRun --args="\"$ARGS\"" + ./gradlew bootRun --args="$CONNECTOR_PARAMS$WEB_TLS_PARAMS" fi diff --git a/package/scripts/aca/aca_check_setup.sh b/package/scripts/aca/aca_check_setup.sh new file mode 100644 index 00000000..1b10997f --- /dev/null +++ b/package/scripts/aca/aca_check_setup.sh 
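Review bot: The new `echo "--args=\"$CONNECTOR_PARAMS $WEB_TLS_PARAMS\""` prints the DB password and the PKI password to stdout, which undoes the benefit of removing the five password-printing `echo` lines above it; drop that line, or print the two strings with the `password=` and `keyStorePassword=` values masked. Both strings are still handed to `java -jar` and `./gradlew bootRun` on the command line, so the same secrets are readable by any local user through `ps` or `/proc/<pid>/cmdline` for the life of the server process; passing them through the environment or the properties file the script already sources would keep them off argv. `$CONNECTOR_PARAMS$WEB_TLS_PARAMS` on the `java -jar` line is expanded unquoted and relies on the trailing space inside `CONNECTOR_PARAMS` to separate the two argument groups, which breaks silently if either password contains whitespace or glob characters.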
@@ -0,0 +1,192 @@
+#!/bin/bash
+############################################################################################
+# Checks the setup for the ACA:
+#
+############################################################################################
+
+SCRIPT_DIR=$( dirname -- "$( readlink -f -- "$0"; )"; )
+LOG_FILE=/dev/null
+CERT_PATH="/etc/hirs/certificates/HIRS/"
+RSA_PATH=rsa_3k_sha384_certs
+ECC_PATH=ecc_512_sha384_certs
+
+RSA_HIRS_ROOT="HIRS_root_ca_rsa_3k_sha384.pem"
+RSA_HIRS_INTERMEDIATE="HIRS_intermediate_ca_rsa_3k_sha384.pem"
+RSA_HIRS_CA1="HIRS_leaf_ca1_rsa_3k_sha384.pem"
+RSA_HIRS_CA2="HIRS_leaf_ca2_rsa_3k_sha384.pem"
+RSA_HIRS_CA3="HIRS_leaf_ca3_rsa_3k_sha384.pem"
+RSA_TRUST_STORE="HIRS_rsa_3k_sha384_Cert_Chain.pem"
+RSA_RIM_SIGNER="HIRS_rim_signer_rsa_3k_sha384.pem"
+RSA_DB_CLIENT_CERT="HIRS_db_client_rsa_3k_sha384.pem"
+RSA_DN_SRV_CERT="HIRS_db_srv_rsa_3k_sha384.pem"
+RSA_WEB_TLS_CERT="HIRS_aca_tls_rsa_3k_sha384.pem"
+
+ECC_HIRS_ROOT="HIRS_root_ca_ecc_512_sha384.pem"
+ECC_HIRS_INTERMEDIATE="HIRS_intermediate_ca_ecc_512_sha384.pem"
+ECC_HIRS_CA1="HIRS_leaf_ca1_ecc_512_sha384.pem"
+ECC_HIRS_CA2="HIRS_leaf_ca2_ecc_512_sha384.pem"
+ECC_HIRS_CA3="HIRS_leaf_ca3_ecc_512_sha384.pem"
+
+ECC_TRUST_STORE="HIRS_ecc_512_sha384_Cert_Chain.pem"
+ECC_RIM_SIGNER="HIRS_rim_signer_ecc_512_sha384.pem"
+ECC_DB_CLIENT_CERT="HIRS_db_client_ecc_512_sha384.pem"
+ECC_DN_SRV_CERT="HIRS_db_srv_ecc_512_sha384.pem"
+ECC_WEB_TLS_CERT="HIRS_aca_tls_ecc_512_sha384.pem"
+
+DB_SRV_CONF="/etc/my.cnf.d/mariadb-server.cnf"
+DB_CLIENT_CONF="/etc/my.cnf.d/client.cnf"
+ALL_CHECKS_PASSED=true
+
+# Check for Admin privileges
+if [ "$EUID" -ne 0 ]; then
+ echo "This script requires root. Please run as root"
+ exit 1
+fi
+# Check install setup pki files
+if [ ! -d $CERT_PATH ]; then
+ echo "$CERT_PATH directory does not exist. Please run aca_setup.sh and try again."
+ exit 1;
+fi
+
+source /etc/hirs/aca/aca.properties;
+
+check_pwds () {
+
+PRESENT=true
+echo "Checking if ACA passwords are in aca.properties"
+ if [ -z $hirs_pki_password ]; then
+ echo "hirs pki password not set"
+ PRESENT=false
+ fi
+ if [ -z $hirs_db_username ]; then
+ echo "hirs db username not set"
+ PRESENT=false
+ fi
+ if [ -z $hirs_db_password ]; then
+ echo "hirs db password not set"
+ PRESENT=false
+ fi
+ if [ $PRESENT ]; then
+ echo " HIRS passwords were created"
+ else
+ echo " ERROR finding HIRS passwords"
+ ALL_CHECKS_PASSED=false
+ fi
+}
+check_mysql () {
+ echo "Checking mysqld status..."
+ if [[ $(pgrep -c -u mysql mysqld) -ne 0 ]]; then
+ echo " mysql process exists..."
+ else
+ echo " mysqld process does NOT exist, attempting to restart mysql..."
+ /usr/bin/mysqld_safe &
+ fi
+
+ # Wait for mysql to start before continuing.
+
+ while ! mysqladmin ping -h "$localhost" --silent; do
+ sleep 1;
+ done
+
+ echo " mysqld is running."
+
+ # Check DB server/client TLS setup.
+ if [[ $(cat "$DB_SRV_CONF" | grep -c "ssl") < 1 ]]; then
+ echo " Mysql server is NOT configured for Server Side TLS"
+ ALL_CHECKS_PASSED=false
+ else
+ echo " Mysql server is configured for Server Side TLS"
+ fi
+ if [[ $(cat "$DB_CLIENT_CONF" | grep -c "ssl") < 1 ]]; then
+ echo " Mysql client is NOT configured for command line use of TLS without provding key/cert ino the commandline"
+ ALL_CHECKS_PASSED=false
+ else
+ echo " Mysql client is configured for command line use of TLS"
+ fi
+
+ if [ ! -z $mysql_admin_password ]; then
+ echo "Listing mysql users:"
+ mysql -u root --password=$mysql_admin_password -e "Select user from mysql.user;"
+ echo "Listing all databses:"
+ mysql -u root --password=$mysql_admin_password -e "show databases;"
+ fi
+}
+
+check_pki () {
+ echo "Checking HIRS PKI certificates"
+ if [ ! -d "/etc/hirs/certificates" ]; then
+ echo "/etc/hirs/certificates doesn't exists, was aca_setup.sh run ? /
+ Skipping PKI Checks."
+ fi
+
+ pushd $CERT_PATH$RSA_PATH
+ echo " Checking HIRS RSA certs using trust store..."
+ echo " "$(openssl verify -CAfile "$RSA_TRUST_STORE" $RSA_HIRS_ROOT)
+ echo " "$(openssl verify -CAfile "$RSA_TRUST_STORE" $RSA_HIRS_INTERMEDIATE)
+ echo " "$(openssl verify -CAfile "$RSA_TRUST_STORE" $RSA_HIRS_CA1)
+ echo " "$(openssl verify -CAfile "$RSA_TRUST_STORE" $RSA_HIRS_CA2)
+ echo " "$(openssl verify -CAfile "$RSA_TRUST_STORE" $RSA_HIRS_CA3)
+ echo " "$(openssl verify -CAfile "$RSA_TRUST_STORE" $RSA_RIM_SIGNER)
+ echo " "$(openssl verify -CAfile "$RSA_TRUST_STORE" $RSA_DN_SRV_CERT)
+ echo " "$(openssl verify -CAfile "$RSA_TRUST_STORE" $RSA_DB_CLIENT_CERT)
+ echo " "$(openssl verify -CAfile "$RSA_TRUST_STORE" $RSA_WEB_TLS_CERT)
+ popd > /dev/null
+ pushd $CERT_PATH$ECC_PATH
+ echo " Checking HIRS ECC certs using tust store..."
+ echo " "$(openssl verify -CAfile "$ECC_TRUST_STORE" $ECC_HIRS_ROOT)
+ echo " "$(openssl verify -CAfile "$ECC_TRUST_STORE" $ECC_HIRS_INTERMEDIATE)
+ echo " "$(openssl verify -CAfile "$ECC_TRUST_STORE" $ECC_HIRS_CA1)
+ echo " "$(openssl verify -CAfile "$ECC_TRUST_STORE" $ECC_HIRS_CA2)
+ echo " "$(openssl verify -CAfile "$ECC_TRUST_STORE" $ECC_HIRS_CA3)
+ echo " "$(openssl verify -CAfile "$ECC_TRUST_STORE" $ECC_RIM_SIGNER)
+ echo " "$(openssl verify -CAfile "$ECC_TRUST_STORE" $ECC_DN_SRV_CERT)
+ echo " "$(openssl verify -CAfile "$ECC_TRUST_STORE" $ECC_DB_CLIENT_CERT)
+ echo " "$(openssl verify -CAfile "$ECC_TRUST_STORE" $ECC_WEB_TLS_CERT)
+ popd > /dev/null
+
+ echo " Checking KeyStore, Keystore aliases, and pki password"
+ echo " Keystore alias list:"
+ keytool -list -keystore /etc/hirs/certificates/HIRS/TrustStore.jks -storepass $hirs_pki_password | grep hirs | sed -e 's/^/ /'
+ if [ $? -eq 0 ]; then
+ echo " HIRS pki password is correct"
+ else
+ echo " HIRS pki password is NOT correct"
+ ALL_CHECKS_PASSED=false
+ fi
+}
+
+check_db () {
+ echo "Check DB server SSL config..."
+ RESULT=$(mysql -u hirs_db --password=$hirs_db_password -e "SHOW VARIABLES LIKE '%have_ssl%'" | grep -o YES )
+ if [ "$RESULT" == "YES" ]; then
+ echo " Mysql is configured for Server side TLS:"
+ else
+ echo " Mysql is NOT configured for Server side TLS:"
+ ALL_CHECKS_PASSED=false
+ fi
+ mysql -u hirs_db --password=$hirs_db_password -e "SHOW VARIABLES LIKE '%have_ssl%'"
+ echo " Show hirs_db user config"
+ mysql -u hirs_db --password=$hirs_db_password -e "SHOW CREATE USER 'hirs_db'@'localhost';"
+ echo " Show databases accessable to the hirs_db user:"
+ RESULT=$(mysqlshow --user=hirs_db --password=$hirs_db_password hirs_db| grep -o hirs_db)
+ if [ "$RESULT" == "hirs_db" ]; then
+ echo " The hirs_db database is visable by the hirs_db user"
+ else
+ echo " The hirs_db database is NOT visable by the hirs_db user"
+ ALL_CHECKS_PASSED=false
+ fi
+ mysql -u hirs_db --password=$hirs_db_password -e "SHOW DATABASES;";
+ echo "Showing privileges for the hirs_db user"
+ mysql -u hirs_db --password=$hirs_db_password -e "SHOW GRANTS FOR 'hirs_db'@'localhost'"
+}
+
+check_pwds
+check_pki
+check_mysql
+check_db
+
+if [ $ALL_CHECKS_PASSED = true ]; then
+ echo "ACA setup checks passed!"
+else
+ echo "ACA setup checks failed."
+fi
\ No newline at end of file
diff --git a/package/scripts/aca/aca_remove_setup.sh b/package/scripts/aca/aca_remove_setup.sh
new file mode 100644
index 00000000..e02b6e73
--- /dev/null
+++ b/package/scripts/aca/aca_remove_setup.sh
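Review bot: `check_pwds` can never report a missing password: `if [ $PRESENT ]` only tests that the string is non-empty, and `false` is a non-empty string, so the `ERROR finding HIRS passwords` branch is unreachable; write it as `if [ "$PRESENT" = true ]; then`, the form the final `ALL_CHECKS_PASSED` test at the bottom of the file already uses. The keytool check in `check_pki` has the same shape of flaw: `$?` after `keytool -list ... | grep hirs | sed ...` is the exit status of `sed`, so "HIRS pki password is correct" is printed even when keytool rejects the password — capture keytool's status before the pipeline (`keytool -list -keystore ... -storepass "$hirs_pki_password" >/dev/null 2>&1; rc=$?`) or test `${PIPESTATUS[0]}`. `mysqladmin ping -h "$localhost"` expands an unset variable; `localhost` was presumably intended. In `check_pki` the missing-directory branch prints "Skipping PKI Checks" but has no `return`, so the `pushd`/`openssl verify` sequence runs against the absent path anyway. Every `mysql`, `mysqladmin` and `keytool` call here also places a password on the command line, where other local users can read it via `ps`; a mode-0600 option file passed with `--defaults-extra-file` would keep the DB credentials off argv.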
@@ -0,0 +1,27 @@
+#!/bin/bash
+#####################################################################################
+#
+# Script to remove ACA setup files and database items.
+#
+#
+#####################################################################################
+
+SCRIPT_DIR=$( dirname -- "$( readlink -f -- "$0"; )"; )
+LOG_FILE=/dev/null
+
+# Check for Admin privileges
+if [ "$EUID" -ne 0 ]; then
+ echo "This script requires root. ACA setup not removed. Please run as root."
+ exit 1
+fi
+
+# remove the hrs-db and hirs_db user
+pushd $SCRIPT_DIR/../db/
+sh db_drop.sh
+popd
+
+# remove pki files and config files
+echo "Removing certificates and config files..."
+rm -rf /etc/hirs
+
+echo "ACA setup removal complete."
\ No newline at end of file
diff --git a/package/scripts/aca/aca_setup.sh b/package/scripts/aca/aca_setup.sh
index 37266bcb..f1d36dec 100644
--- a/package/scripts/aca/aca_setup.sh
+++ b/package/scripts/aca/aca_setup.sh
@@ -5,12 +5,15 @@ SPRING_PROP_FILE='../../../HIRS_AttestationCAPortal/src/main/resources/applicati
HIRS_CONF_DIR=/etc/hirs/aca
LOG_FILE_NAME="hirs_aca_install_"$(date +%Y-%m-%d).log
LOG_DIR="/var/log/hirs/"
+LOG_FILE="$LOG_DIR$LOG_FILE_NAME"
HIRS_PROP_DIR="/opt/hirs/default-properties"
COMP_JSON='../../../HIRS_AttestationCA/src/main/resources/component-class.json'
VENDOR_TABLE='../../../HIRS_AttestationCA/src/main/resources/vendor-table.json'
-LOG_FILE="$LOG_DIR$LOG_FILE_NAME"
+ echo "LOG_FILE is $LOG_FILE"
+ echo "HIRS_MYSQL_ROOT_PWD is $HIRS_MYSQL_ROOT_PWD"
+
if [ "$EUID" -ne 0 ]
then echo "This script requires root. Please run as root"
exit 1
@@ -28,6 +31,10 @@ while [[ $# -gt 0 ]]; do
ARG_SKIP_DB=YES
shift # past argument
;;
+ --skip-pki)
+ ARG_SKIP_PKI=YES
+ shift # past argument
+ ;; -*|--*) echo "aca_setup.sh: Unknown option $1" ;;
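Review bot: `sh db_drop.sh` runs the drop script under `/bin/sh`, ignoring its `#!/bin/bash` shebang; `db_drop.sh` in this same commit uses `source` and `read -p`, and the `start_mysqld.sh` it sources uses `[[ ... ]]`, none of which POSIX sh guarantees, so on hosts where `/bin/sh` is dash the drop step is likely to fail part-way while this script still proceeds to `rm -rf /etc/hirs`. Invoke it as `bash "$SCRIPT_DIR/../db/db_drop.sh" || exit 1`, which also removes the need for the unquoted `pushd $SCRIPT_DIR/../db/` (a failed `pushd` currently leaves `sh db_drop.sh` running in whatever directory the caller was in). `rm -rf /etc/hirs` runs unconditionally and destroys the ACA's CA private keys and DB credentials; an explicit confirmation prompt or a required `--force` style argument is worth adding before that line.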
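Review bot: `echo "HIRS_MYSQL_ROOT_PWD is $HIRS_MYSQL_ROOT_PWD"` writes the MariaDB root password to the terminal, and to any log the caller captures — the rest of this script already pipes its output through `tee -a "$LOG_FILE"`; debugging output like this should not ship in the installer. Remove the line, or reduce it to a presence check: `[ -n "$HIRS_MYSQL_ROOT_PWD" ] && echo "HIRS_MYSQL_ROOT_PWD is set"`. The identical `echo "HIRS_MYSQL_ROOT_PWD is ..."` added to `check_mysql_root_pwd` in `db_create.sh` in this commit has the same problem. The two new `echo` lines are also indented one level at top level, which reads as if they belonged to the `if` block that follows.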
@@ -61,7 +68,7 @@ if [ -f $SPRING_PROP_FILE ]; then
cp -n $VENDOR_TABLE $HIRS_PROP_DIR/.
fi
-if [ -z "${ARG_SKIP_DB}" ]; then
+if [ -z "${ARG_SKIP_PKI}" ]; then
sh ../pki/pki_setup.sh $LOG_FILE $PKI_PASS
if [ $? -eq 0 ]; then
echo "ACA PKI setup complete" | tee -a "$LOG_FILE"
@@ -69,15 +76,20 @@ if [ -z "${ARG_SKIP_DB}" ]; then
echo "Error setting up ACA PKI" | tee -a "$LOG_FILE"
exit 1
fi
- echo "Warning: Database setup not run due to command line argument: $@" | tee -a "$LOG_FILE"
+ else
+ echo "Warning: Database setup not run due to command line argument: $@" | tee -a "$LOG_FILE"
fi
-sh ../db/db_create.sh $LOG_FILE
-if [ $? -eq 0 ]; then
- echo "ACA database setup complete" | tee -a "$LOG_FILE"
- else
- echo "Error setting up ACA DB" | tee -a "$LOG_FILE"
+if [ -z "${ARG_SKIP_DB}" ]; then
+ sh ../db/db_create.sh $LOG_FILE
+ if [ $? -eq 0 ]; then
+ echo "ACA database setup complete" | tee -a "$LOG_FILE"
+ else
+ echo "Error setting up ACA DB" | tee -a "$LOG_FILE"
exit 1
+ fi
+ else
+ echo "Warning: Database setup not run due to command line argument: $@" | tee -a "$LOG_FILE"
fi
echo "ACA setup complete" | tee -a "$LOG_FILE"
diff --git a/package/scripts/db/db_create.sh b/package/scripts/db/db_create.sh
index 8b5db7bb..9e477d2d 100644
--- a/package/scripts/db/db_create.sh
+++ b/package/scripts/db/db_create.sh
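Review bot: The `else` branch added to the `ARG_SKIP_PKI` block prints "Warning: Database setup not run ...", a copy of the message from the DB block below, so a `--skip-pki` run is misreported in the install log; it should read `echo "Warning: PKI setup not run due to command line argument: $@" | tee -a "$LOG_FILE"`. In both warning lines `$@` is expanded unquoted inside a string; `"$*"` is the form meant for embedding the argument list in a message. Both `sh ../pki/pki_setup.sh` and `sh ../db/db_create.sh` run bash scripts under `sh` (`db_create.sh` uses `[[ ]]` and `pki_setup.sh` uses `popd &>`), so invoking them with `bash` would honour their shebangs and make the `$?` checks here reflect the scripts' real outcome rather than a shell-compatibility failure. The PKI `if` block begins outside this hunk.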
@@ -29,21 +29,30 @@ SSL_DB_CLIENT_KEY="/etc/hirs/certificates/HIRS/rsa_3k_sha384_certs/HIRS_db_clien
touch $ACA_PROP_FILE
touch $LOG_FILE
-#touch /.dockerenv
+touch $DB_SRV_CONF
# Make sure required paths exist
mkdir -p /etc/hirs/aca/
mkdir -p /var/log/hirs/
-source start_mysqld.sh
+source $SCRIPT_DIR/start_mysqld.sh
+source $ACA_PROP_FILE
check_mysql_root_pwd () {
# Check if DB root password needs to be obtained
+ echo "HIRS_MYSQL_ROOT_PWD is $HIRS_MYSQL_ROOT_PWD"
if [ -z $HIRS_MYSQL_ROOT_PWD ]; then
# Create a 32 character random password
echo "Using randomly generated password for the DB admin" | tee -a "$LOG_FILE"
DB_ADMIN_PWD=$(head -c 64 /dev/urandom | md5sum | tr -dc 'a-zA-Z0-9')
- echo "DB Admin will be set to $DB_ADMIN_PWD, please make note for next mysql use."
+ echo "DB Admin will be set to $DB_ADMIN_PWD , please make note for next mysql use."
+ read -p "Do you wish to save this password to the aca.properties file? " confirm
+ if [[ $confirm == [yY] || $confirm == [yY][eE][sS] ]]; then
+ echo "mysql_admin_password=$DB_ADMIN_PWD" >> $ACA_PROP_FILE
+ echo "Password saved."
+ else
+ echo "Password not saved."
+ fi
mysqladmin --user=root password "$DB_ADMIN_PWD"
else
DB_ADMIN_PWD=$HIRS_MYSQL_ROOT_PWD
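Review bot: `echo "mysql_admin_password=$DB_ADMIN_PWD" >> $ACA_PROP_FILE` stores the DB superuser credential in plain text in a file whose mode is never set in this hunk — `touch $ACA_PROP_FILE` above creates it under the caller's umask — and `db_drop.sh` and `aca_check_setup.sh` in this commit now read that value back, so the file's permissions are the only thing protecting root access to the database; at minimum add `chmod 600 "$ACA_PROP_FILE"` next to the `touch`, and say in a comment that the file holds credentials. The interactive `read -p` has no non-interactive path, so an unattended install (package post-install, container build, CI) blocks on stdin; treat EOF or an empty answer as "no", or gate the prompt behind a command-line flag. `source $ACA_PROP_FILE` evaluates the properties file as shell, so any `$`, backtick or `;` in a stored password is interpreted rather than read literally — a known limitation worth a comment, since the values written here are generated from `[a-zA-Z0-9]` but `HIRS_MYSQL_ROOT_PWD` is user-supplied. `check_mysql_root_pwd` ends outside this hunk.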
@@ -83,30 +92,30 @@ if [[ $(cat "$DB_CLIENT_CONF" | grep -c "ssl") < 1 ]]; then
echo "ssl_ca=$SSL_DB_CLIENT_CHAIN" >> $DB_CLIENT_CONF
echo "ssl_cert=$SSL_DB_CLIENT_CERT" >> $DB_CLIENT_CONF
echo "ssl_key=$SSL_DB_CLIENT_KEY" >> $DB_CLIENT_CONF
+ chown mysql $SSL_DB_CLIENT_CHAIN $SSL_DB_CLIENT_CERT $SSL_DB_CLIENT_KEY
fi
}
-# Process HIRS DB USER ...
+# Process HIRS DB USER
set_hirs_db_pwd () {
-# Check if Mysql HIRS DB password set by system variable or set to random number
- if [ -z $HIRS_DB_PWD ]; then
- HIRS_DB_PWD=$(head -c 64 /dev/urandom | md5sum | tr -dc 'a-zA-Z0-9')
+
+ RESULT="$(mysql -u root --password=$DB_ADMIN_PWD -e "SELECT EXISTS(SELECT 1 FROM mysql.user WHERE user = 'hirs_db')")"
+ if [ "$RESULT" = 1 ]; then
+ echo "hirs-db user exists"
+ HIRS_DB_PWD=$hirs_db_password
+ else
+ # Check if Mysql HIRS DB password set by system variable or set to random number
+ if [ -z $HIRS_DB_PWD ]; then
+ HIRS_DB_PWD=$(head -c 64 /dev/urandom | md5sum | tr -dc 'a-zA-Z0-9')
+ fi
+
+ echo "hirs_db_username=hirs_db" >> $ACA_PROP_FILE
+ echo "hirs_db_password=$HIRS_DB_PWD" >> $ACA_PROP_FILE
fi
- # Remove any existing password for hirs db
- if [ -f $ACA_PROP_FILE ];then
- sed -i '/hirs_db_username/d' $ACA_PROP_FILE &>/dev/null
- sed -i '/hirs_db_password/d' $ACA_PROP_FILE &>/dev/null
- fi
-
- echo "hirs_db_username=hirs_db" >> $ACA_PROP_FILE
- echo "hirs_db_password=$HIRS_DB_PWD" >> $ACA_PROP_FILE
-
- echo "hir_db user password is $HIRS_DB_PWD"
- echo "mysql root password is $DB_ADMIN_PWD"
}
-# Create a hirs_db user with client side TLS enabled
+# Create a hirs_db with client side TLS enabled
create_hirs_db_with_tls () {
# Check if hirs_db not created and create it if it wasn't
mysqlshow --user=root --password="$DB_ADMIN_PWD" | grep "hirs_db" > /dev/null 2>&1
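Review bot: The user-exists probe in `set_hirs_db_pwd` runs `mysql ... -e "SELECT EXISTS(...)"` without `-sse`, so `RESULT` holds the column header followed by the value and `[ "$RESULT" = 1 ]` is never true; `reset_hirs_db_user.sh` in this same commit issues the same query as `mysql -u root --password=$DB_ADMIN_PWD -sse "SELECT EXISTS(...)"`, and the `-sse` is needed here too. Because the probe always fails, every run takes the `else` branch and appends another `hirs_db_username`/`hirs_db_password` pair to `$ACA_PROP_FILE`; the `sed -i '/hirs_db_password/d'` cleanup that used to prevent duplicate keys was removed in this hunk, so stale entries accumulate and `source $ACA_PROP_FILE` silently takes whichever line is last. The new `chown mysql` on the DB client chain, cert and key is unexplained — this is the credential the `hirs_db` *client* presents, so a comment stating why the server's service account needs to own it would help, and the key should get `chmod 600` alongside the ownership change.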
@@ -120,10 +129,11 @@ create_hirs_db_with_tls () {
}
# HIRS ACA Mysqld processing ...
+check_mariadb_install
check_for_container
set_mysql_server_tls
set_mysql_client_tls
-set_hirs_db_pwd
start_mysqlsd
check_mysql_root_pwd
+set_hirs_db_pwd
create_hirs_db_with_tls
diff --git a/package/scripts/db/db_drop.sh b/package/scripts/db/db_drop.sh
index a751cc5f..1979b4eb 100644
--- a/package/scripts/db/db_drop.sh
+++ b/package/scripts/db/db_drop.sh
@@ -1,21 +1,60 @@
#!/bin/bash
-PASS=$1
+SRV_CNF=/etc/my.cnf.d/mariadb-server.cnf
+CLIENT_CNF=/etc/my.cnf.d/client.cnf
SCRIPT_DIR=$( dirname -- "$( readlink -f -- "$0"; )";)
+LOG_FILE=/dev/null
- if [ -d /opt/hirs/scripts/db ]; then
+source /etc/hirs/aca/aca.properties;
+source $SCRIPT_DIR/start_mysqld.sh
+
+# Check for sudo or root user, not actually needed but a good idea
+if [ "$EUID" -ne 0 ]
+ then echo "This script requires root. Please run as root"
+ exit 1
+fi
+
+if [ -z $mysql_admin_password ]; then
+ read -p "Enter mysql root password" DB_ADMIN_PWD
+ else
+ DB_ADMIN_PWD=$mysql_admin_password
+fi
+
+if [ -d /opt/hirs/scripts/db ]; then
MYSQL_DIR="/opt/hirs/scripts/db"
else
MYSQL_DIR="$SCRIPT_DIR"
fi
-echo "dropping hirs database"
+echo "dropping hirs_db database"
- if pgrep mysqld >/dev/null 2>&1; then
- if [ -z ${PASS} ]; then
- mysql -u "root" < $MYSQL_DIR/db_drop.sql
- else
- mysql -u "root" -p$PASS < $MYSQL_DIR/db_drop.sql
- fi
+ mysql -u "root" --password=$DB_ADMIN_PWD < $MYSQL_DIR/db_drop.sql
+ echo "hirs_db databse and hirs_db user removed"
+ else
+ echo "mysql is not running. DB was not removed."
fi
+
+# reset the mysql root if the password was left in the properties fiel
+if [ ! -z $mysql_admin_password ]; then
+ echo "Resetting mysql root password to empty"
+ mysql -u root --password=$mysql_admin_password -e "SET PASSWORD FOR "root@localhost" = PASSWORD('');"
+ echo "Current list of databases:"
+ mysql -u "root" -e "SHOW DATABASES;"
+ echo "Current list of users:"
+ mysql -u root -e "Select user from mysql.user;"
+ else
+ echo "Note root password was NOT reset"
+fi
+
+# Remove key , cert and truststore entries from client.cnf andf mariadb.cnf
+
+echo "Removing hirs cert references from mariadb configuration files"
+grep -v "hirs" $SRV_CNF > tmpfile && mv tmpfile $SRV_CNF
+grep -v "hirs" $CLIENT_CNF > tmpfile && mv tmpfile $CLIENT_CNF
+
+echo "restarting mariadb"
+pkill mysql
+sleep 2;
+check_for_container
+start_mysqlsd
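Review bot: The "reset" step sets the MariaDB root account to an empty password (`SET PASSWORD FOR "root@localhost" = PASSWORD('')`), which leaves the database superuser unauthenticated on the host after the ACA is torn down; if the intent is only to forget the value kept in aca.properties, delete that key from the file instead, and if the password really must change, prompt for a new one rather than clearing it. The inner double quotes in that command also terminate the shell string, so the server receives `SET PASSWORD FOR root@localhost = ...` — it happens to parse, but `'root'@'localhost'` inside the single-quoted form the other scripts in this commit use is what was meant. As rendered here the `if pgrep mysqld ...; then` line carries a `-` marker while the `else`/`fi` it governed stay, which would leave an `else` with no `if`; worth re-checking that line in the actual patch. `grep -v "hirs" $SRV_CNF > tmpfile && mv tmpfile $SRV_CNF` writes a fixed-name temp file into the current directory and then replaces the config with a file created under the caller's umask; use `mktemp` and copy the filtered content back over the original (`cat "$tmp" > "$SRV_CNF"`) so the config file keeps its mode and ownership.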
diff --git a/package/scripts/db/reset_hirs_db_user.sh b/package/scripts/db/reset_hirs_db_user.sh
new file mode 100644
index 00000000..4d58a318
--- /dev/null
+++ b/package/scripts/db/reset_hirs_db_user.sh
@@ -0,0 +1,45 @@
+#!/bin/bash
+
+SCRIPT_DIR=$( dirname -- "$( readlink -f -- "$0"; )"; )
+
+source /etc/hirs/aca/aca.properties;
+
+if [ -z $mysql_admin_password ]; then
+ read -p "Enter mysql root password" DB_ADMIN_PWD
+ else
+ DB_ADMIN_PWD=$mysql_admin_password
+fi
+
+if [ -z $hirs_db_password ]; then
+ read -p "Enter mysql root password" hirs_db_password
+ else
+ HIRS_DB_PWD=$hirs_db_password
+fi
+
+echo "HIRS_DB_PWD is $HIRS_DB_PWD"
+echo "DB_ADMIN_PWD is $DB_ADMIN_PWD"
+
+# check if hirs_db user exists
+RESULT="$(mysql -u root --password=$DB_ADMIN_PWD -sse "SELECT EXISTS(SELECT 1 FROM mysql.user WHERE user = 'hirs_db')")"
+
+if [ "$RESULT" = 1 ]; then
+ echo "hirs_db user found, dropping hirs-db user"
+ mysql -u root --password=$DB_ADMIN_PWD -e "DROP USER 'hirs_db'@'localhost'"
+ if [ $? -ne 0 ]; then
+ echo "Removing the existing hirs_db user failed"
+ else
+ echo "Removing the existing hirs_db was successful"
+ fi
+ else
+ echo "no hirs_db user found, creating one..."
+fi
+
+echo "Creating hirs_db user"
+mysql -u root --password=$DB_ADMIN_PWD -e "CREATE USER 'hirs_db'@'localhost' IDENTIFIED BY 'hirs_db';"
+mysql -u root --password=$DB_ADMIN_PWD -e "ALTER USER 'hirs_db'@'localhost' IDENTIFIED BY '"$HIRS_DB_PWD"'; FLUSH PRIVILEGES;"
+mysql -u root --password=$DB_ADMIN_PWD -e "GRANT ALL ON hirs_db.* TO 'hirs_db'@'localhost' REQUIRE X509;"
+mysql -u root --password=$DB_ADMIN_PWD -e "FLUSH PRIVILEGES;"
+
+echo "Checking hirs_db user..."
+# check user
+mysql -u hirs_db --password=$HIRS_DB_PWD -e "SHOW DATABASES;";
\ No newline at end of file
diff --git a/package/scripts/db/start_mysqld.sh b/package/scripts/db/start_mysqld.sh
index 8e0a2731..3262ef02 100644
--- a/package/scripts/db/start_mysqld.sh
+++ b/package/scripts/db/start_mysqld.sh
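Review bot: When `hirs_db_password` is absent from aca.properties, the prompt reads into `hirs_db_password` but `HIRS_DB_PWD` is only assigned in the `else` branch, so `ALTER USER 'hirs_db'@'localhost' IDENTIFIED BY '"$HIRS_DB_PWD"'` then sets an empty password on the account (and the prompt text, copied from the block above, still says "Enter mysql root password"); read into the variable that is actually used: `read -rsp "Enter hirs_db password: " HIRS_DB_PWD`. The two `echo "... is $..."` lines print the root and hirs_db credentials to the terminal and should be removed. Every `mysql` call also carries `--password=` on argv, where other local users can see it in the process list; a mode-0600 option file passed via `--defaults-extra-file` avoids that. `CREATE USER ... IDENTIFIED BY 'hirs_db'` followed by a separate `ALTER USER` leaves the account with a guessable password between the two statements; creating it with the final password in one statement closes that window.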
@@ -24,6 +24,16 @@ check_for_container () { echo "Mysql script directory is $MYSQL_DIR" } +check_mariadb_install () { + type mysql >/dev/null 2>&1 && installed=true || installed=false + if [ $installed = true ]; then + echo "mysql has been installed" + else + echo "mysql has NOT been installed, aborting install" + exit 1; + fi +} + start_mysqlsd () { # Check if mysql is already running, if not initialize if [[ $(pgrep -c -u mysql mysqld) -eq 0 ]]; then @@ -40,12 +50,14 @@ start_mysqlsd () { echo "Starting mysql...." chown -R mysql:mysql /var/log/mariadb /usr/bin/mysqld_safe & - else + else #not a container SQL_SERVICE="mariadb" - systemctl $SQL_SERVICE enable - systemctl $SQL_SERVICE start + systemctl enable $SQL_SERVICE + systemctl start $SQL_SERVICE fi - fi # mysql not running + else # mysql running + echo "mysql process running.." + fi # Wait for mysql to start before continuing. echo "Checking mysqld status..."| tee -a "$LOG_FILE" @@ -54,4 +66,5 @@ start_mysqlsd () { done echo "mysqld is running."| tee -a "$LOG_FILE" -} \ No newline at end of file +} + diff --git a/package/scripts/pki/pki_chain_gen.sh b/package/scripts/pki/pki_chain_gen.sh index 386f38be..40ab3708 100644 --- a/package/scripts/pki/pki_chain_gen.sh +++ b/package/scripts/pki/pki_chain_gen.sh 
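Review bot: `check_mariadb_install` only confirms that a `mysql` client binary is on `PATH`, while its name and the "aborting install" message suggest it guards the server that `start_mysqlsd` then launches via `/usr/bin/mysqld_safe` or `systemctl start mariadb`; checking for the server binary as well would catch a client-only install before the start loop spins waiting for a daemon that cannot exist. `command -v mysql >/dev/null 2>&1` is the conventional probe, and `installed` should be declared `local` so sourcing this file does not leave a stray global in the caller. Since this file is `source`d by several scripts, the `exit 1` here terminates the sourcing script, which is presumably intended but deserves a one-line comment.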
@@ -172,7 +172,7 @@ create_cert () { # remove csr file rm -f "$CERT_PATH".csr # Add the cert and key to the key store. make a p12 file to import into te keystore - openssl pkcs12 -export -in "$CERT_PATH".pem -inkey "$CERT_PATH".key -out tmpkey.p12 -passin pass:"$PASS" -aes256 -passout pass:$PASS >> "$LOG_FILE" 2>&1 + openssl pkcs12 -export -in "$CERT_PATH".pem -inkey "$CERT_PATH".key -out tmpkey.p12 -passin pass:$PASS -aes256 -passout pass:$PASS >> "$LOG_FILE" 2>&1 # Use the p12 file to import into a java keystore via keytool keytool -importkeystore -srckeystore tmpkey.p12 -destkeystore $KEYSTORE -srcstoretype pkcs12 -srcstorepass $PASS -deststoretype jks -deststorepass $PASS -noprompt -alias 1 -destalias -J-Dcom.redhat.fips=false "$ALIAS" >> "$LOG_FILE" 2>&1 # Import the cert into a java trust store via keytool 
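Review bot: Removing the quotes from `-passin pass:"$PASS"` is the wrong direction: an unquoted `pass:$PASS` is word-split and glob-expanded, so a keystore password containing a space or `*` silently breaks the `openssl pkcs12` call, and the `-passout pass:$PASS`, `-srcstorepass $PASS` and `-deststorepass $PASS` arguments on these two lines have the same exposure; quote all of them (`pass:"$PASS"`, `"$PASS"`). `pass:` on the command line also makes the password visible to other local users via `ps` for the duration of the call; `openssl` accepts `-passin env:VARNAME` or `file:PATH`, which keeps it off argv. The same un-quoting appears in the `create_cert_chain` hunk below; `create_cert` begins and ends outside this hunk.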
@@ -212,20 +212,16 @@ create_cert_chain () { # Create Cert trust store by adding the Intermediate and root certs cat "$PKI_CA1.pem" "$PKI_CA2.pem" "$PKI_CA3.pem" "$PKI_INT.pem" "$PKI_ROOT.pem" > "$TRUST_STORE_FILE" - # echo "Checking signer cert using tust store..." + # echo "Checking signer cert using tust store..." openssl verify -CAfile "$TRUST_STORE_FILE" $RIM_SIGNER.pem | tee -a "$LOG_FILE" - + # Make JKS files for the mysql DB connector. P12 first then JKS... openssl pkcs12 -export -in $DB_CLIENT.pem -inkey $DB_CLIENT.key -aes256 \ - -passin pass:"$PASS"-passout pass:$PASS -aes256 \ - -name "mysqlclientkey" -out $DB_CLIENT.p12 + -passin pass:$PASS -passout pass:$PASS -aes256 \ + -name "mysqlclientkey" -out $DB_CLIENT.p12 >> "$LOG_FILE" 2>&1 keytool -importkeystore -srckeystore $DB_CLIENT.p12 -srcstoretype PKCS12 \ - -srcstorepass $PASS -destkeystore $DB_CLIENT.jks -deststoretype JKS -deststorepass $PASS - - # Make a p12 TrustStore - keytool -importkeystore -srckeystore $TRUSTSTORE -destkeystore $TRUSTSTORE_P12 \ - -srcstoretype JKS -deststoretype PKCS12 -srcstorepass $pass -deststorepass $pass -noprompt + -srcstorepass $PASS -destkeystore $DB_CLIENT.jks -deststoretype JKS -deststorepass $PASS >> "$LOG_FILE" 2>&1 } if [ "$ASYM_ALG" == "rsa" ]; then diff --git a/package/scripts/pki/pki_setup.sh b/package/scripts/pki/pki_setup.sh index 33b67b75..e71be65f 100644 --- a/package/scripts/pki/pki_setup.sh +++ b/package/scripts/pki/pki_setup.sh @@ -6,7 +6,7 @@ # ############################################################################################ -PROP_FILE=/etc/hirs/aca/application.properties +#PROP_FILE=/etc/hirs/aca/application.properties ACA_PROP=/etc/hirs/aca/aca.properties LOG_FILE=$1 PKI_PASS=$2 
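Review bot: With stdout and stderr of the `openssl pkcs12` and `keytool -importkeystore` calls now redirected to `$LOG_FILE`, a failure to build the DB client keystore no longer shows on the console and neither exit status is checked, so `pki_setup.sh` and `aca_setup.sh` continue as if the client keystore existed; append `|| { echo "DB client keystore creation failed" | tee -a "$LOG_FILE"; return 1; }` to each call (or test `$?` after it) so the caller can stop. `-aes256` is passed twice to the `openssl pkcs12` command. The `pki_setup.sh` hunks that follow comment out `PROP_FILE` and the eleven `echo ... >> $PROP_FILE` lines rather than deleting them; prefer removing dead code, since git history retains it and commented-out writes of `server.ssl.key-store-password` are easy to re-enable by accident. `create_cert_chain` begins outside this hunk.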
@@ -39,10 +39,10 @@ fi if [ ! -d "/etc/hirs/certificates" ]; then if [ -d "/opt/hirs/scripts/pki" ]; then - PKI_SETUP_DIR="/opt/hirs/scripts/pki" - else - PKI_SETUP_DIR="$SCRIPT_DIR" - fi + PKI_SETUP_DIR="/opt/hirs/scripts/pki" + else + PKI_SETUP_DIR="$SCRIPT_DIR" + fi echo "PKI_SETUP_DIR is $PKI_SETUP_DIR" | tee -a "$LOG_FILE" mkdir -p /etc/hirs/certificates/ | tee -a "$LOG_FILE" 
@@ -54,17 +54,17 @@ if [ ! -d "/etc/hirs/certificates" ]; then popd &> /dev/null # Add tomcat TLS support to the application.properties file - echo "# Tomcat TLS support">> $PROP_FILE - echo "server.port=8443">> $PROP_FILE - echo "server.ssl.enabled=true">> $PROP_FILE - echo "server.ssl.trust-store-type=JKS">> $PROP_FILE - echo "server.ssl.trust-store=/etc/hirs/certificates/HIRS/TrustStore.jks">> $PROP_FILE - echo "server.ssl.trust-alias=hirs_aca_tls_rsa_3k_sha384">> $PROP_FILE - echo "server.ssl.key-store-type=JKS">> $PROP_FILE - echo "server.ssl.key-store=/etc/hirs/certificates/HIRS/KeyStore.jks">> $PROP_FILE - echo "server.ssl.key-alias=hirs_aca_tls_rsa_3k_sha384">> $PROP_FILE - echo "server.ssl.key-store-password="$PKI_PASS >> $PROP_FILE - echo "server.ssl.trust-store-password="$PKI_PASS >> $PROP_FILE + #echo "# Tomcat TLS support">> $PROP_FILE + #echo "server.port=8443">> $PROP_FILE + #echo "server.ssl.enabled=true">> $PROP_FILE + #echo "server.ssl.trust-store-type=JKS">> $PROP_FILE + #echo "server.ssl.trust-store=/etc/hirs/certificates/HIRS/TrustStore.jks">> $PROP_FILE + #echo "server.ssl.trust-alias=hirs_aca_tls_rsa_3k_sha384">> $PROP_FILE + #echo "server.ssl.key-store-type=JKS">> $PROP_FILE + #echo "server.ssl.key-store=/etc/hirs/certificates/HIRS/KeyStore.jks">> $PROP_FILE + #echo "server.ssl.key-alias=hirs_aca_tls_rsa_3k_sha384">> $PROP_FILE + #echo "server.ssl.key-store-password="$PKI_PASS >> $PROP_FILE + #echo "server.ssl.trust-store-password="$PKI_PASS >> $PROP_FILE echo "hirs_pki_password="$PKI_PASS >> $ACA_PROP else echo "/etc/hirs/certificates exists, skipping" | tee -a "$LOG_FILE"