Minor adjustment for RHEL OS with FIPS mode enabled

2025-01-18 02:39:56 +00:00 · 2023-08-31 09:27:58 -04:00 · 2023-08-31 09:27:58 -04:00 · f5ac517814
commit f5ac517814
parent a054995470
2 changed files with 26 additions and 10 deletions
--- a/package/scripts/db/db_create.sh
+++ b/package/scripts/db/db_create.sh
@ -80,9 +80,12 @@ set_mysql_server_tls () {
    echo "ssl_key=$SSL_DB_SRV_KEY" >> "$DB_SRV_CONF"
    # Make sure mysql can access them
    chown mysql:mysql $SSL_DB_SRV_CHAIN $SSL_DB_SRV_CERT $SSL_DB_SRV_KEY
-     # Make selinux contexts for configu file
-    semanage fcontext -a -t mysqld_etc_t $DB_SRV_CONF  > /dev/null #adds the context type to file
-    restorecon -v -F $DB_SRV_CONF                           # changes the file's context type
+    # Make selinux contexts for config files, if selinux is enabled
+    selinuxenabled
+    if [ $? -eq 0 ]
+       semanage fcontext -a -t mysqld_etc_t $DB_SRV_CONF  > /dev/null #adds the context type to file
+       restorecon -v -F $DB_SRV_CONF                           # changes the file's context type
+    fi
  else
       echo "mysql.cnf contians existing entry for ssl, skipping..." | tee -a "$LOG_FILE"
  fi
@ -96,9 +99,12 @@ if [[ $(cat "$DB_CLIENT_CONF" | grep -c "ssl") < 1 ]]; then
  echo "ssl_cert=$SSL_DB_CLIENT_CERT" >> $DB_CLIENT_CONF
  echo "ssl_key=$SSL_DB_CLIENT_KEY" >> $DB_CLIENT_CONF
  chown mysql:mysql $SSL_DB_CLIENT_CHAIN $SSL_DB_CLIENT_CERT $SSL_DB_CLIENT_KEY 
-  # Make selinux contexts for configu file
-  semanage fcontext -a -t mysqld_etc_t $DB_CLIENT_CONFf > /dev/null  #adds the context type to file
-  restorecon -F $DB_CLIENT_CONF                           #changes the file's context type
+  # Make selinux contexts for config files, if selinux is enabled
+  selinuxenabled
+  if [ $? -eq 0 ]
+      semanage fcontext -a -t mysqld_etc_t $DB_CLIENT_CONFf > /dev/null  #adds the context type to file
+      restorecon -F $DB_CLIENT_CONF                                     #changes the file's context type
+  fi                           
 fi
 }

@ -134,6 +140,14 @@ create_hirs_db_with_tls () {
  fi
 }

+set_selinux_context () {
+
+
+
+
+}
+
+
 # HIRS ACA Mysqld processing ...
 check_mariadb_install
 check_for_container
--- a/package/scripts/pki/pki_chain_gen.sh
+++ b/package/scripts/pki/pki_chain_gen.sh
@ -216,8 +216,9 @@ create_cert_chain () {
   openssl verify -CAfile "$TRUST_STORE_FILE" $RIM_SIGNER.pem | tee -a "$LOG_FILE"

   # Make JKS files for the mysql DB connector. P12 first then JKS...
-   openssl pkcs12 -export -in $DB_CLIENT.pem -inkey $DB_CLIENT.key -aes256 \
-        -passin pass:$PASS -passout pass:$PASS -aes256  \
+   openssl pkcs12 -export -in $DB_CLIENT.pem -inkey $DB_CLIENT.key \
+        -aes256 -macalg SHA256 -keypbe AES-256-CBC -certpbe AES-256-CBC \
+        -passin pass:$PASS -passout pass:$PASS \
        -name "mysqlclientkey" -out $DB_CLIENT.p12 >> "$LOG_FILE" 2>&1

   keytool -importkeystore -srckeystore $DB_CLIENT.p12 -srcstoretype PKCS12 \
@ -227,8 +228,9 @@ create_cert_chain () {
 if [ "$ASYM_ALG" == "rsa" ]; then
   # Create Root CA key pair and self signed cert
   echo "Generating RSA Root CA ...." | tee -a "$LOG_FILE"
-   openssl genrsa -out "$PKI_ROOT".key -aes256 -passout pass:"$PASS" "$ASYM_SIZE" >> "$LOG_FILE" 2>&1
-   
+   #openssl genrsa -out "$PKI_ROOT".key -aes256 -passout pass:"$PASS" "$ASYM_SIZE" >> "$LOG_FILE" 2>&1
+   openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:3072 -aes256 --pass "pass:$PASS" -out "$PKI_ROOT".key >> "$LOG_FILE" 2>&1
+    
   # Create a self signed CA certificate
   openssl req -new -config ca.conf -x509 -days 3650 -key "$PKI_ROOT".key -subj "$ROOT_DN" \
          -extensions ca_extensions -out "$PKI_ROOT".pem \