From f5ac517814b773213ac6e75af0de7d39e1a47c2d Mon Sep 17 00:00:00 2001
From: iadgovuser26
Date: Thu, 31 Aug 2023 09:27:58 -0400
Subject: [PATCH] Minor adjustment for RHEL OS with FIPS mode enabled

---
 package/scripts/db/db_create.sh | 26 ++++++++++++++++++++------
 package/scripts/pki/pki_chain_gen.sh | 10 ++++++----
 2 files changed, 26 insertions(+), 10 deletions(-)

diff --git a/package/scripts/db/db_create.sh b/package/scripts/db/db_create.sh
index 06bd648c..8cfebc1c 100644
--- a/package/scripts/db/db_create.sh
+++ b/package/scripts/db/db_create.sh
@@ -80,9 +80,12 @@ set_mysql_server_tls () {
 echo "ssl_key=$SSL_DB_SRV_KEY" >> "$DB_SRV_CONF"
 # Make sure mysql can access them
 chown mysql:mysql $SSL_DB_SRV_CHAIN $SSL_DB_SRV_CERT $SSL_DB_SRV_KEY
- # Make selinux contexts for configu file
- semanage fcontext -a -t mysqld_etc_t $DB_SRV_CONF > /dev/null #adds the context type to file
- restorecon -v -F $DB_SRV_CONF # changes the file's context type
+ # Make selinux contexts for config files, if selinux is enabled
+ selinuxenabled
+ if [ $? -eq 0 ]
+ semanage fcontext -a -t mysqld_etc_t $DB_SRV_CONF > /dev/null #adds the context type to file
+ restorecon -v -F $DB_SRV_CONF # changes the file's context type
+ fi
 else
 echo "mysql.cnf contians existing entry for ssl, skipping..." | tee -a "$LOG_FILE"
 fi
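Review bot: The new `if [ $? -eq 0 ]` in set_mysql_server_tls has no `then`, so bash treats the following `semanage`/`restorecon` lines as part of the condition list and aborts with a syntax error at the matching `fi` when it reaches this function definition — the script never gets as far as checking SELinux. Replace the two lines `selinuxenabled` / `if [ $? -eq 0 ]` with `if selinuxenabled 2>/dev/null; then`, which still skips the branch on hosts without SELinux (a non-zero status either way) while silencing the command-not-found noise where libselinux-utils is absent. Consider also guarding the labeling with `command -v semanage >/dev/null`, since policycoreutils-python-utils is not part of a minimal RHEL install, and quoting `"$DB_SRV_CONF"`. set_mysql_server_tls starts before this hunk.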
@@ -96,9 +99,12 @@ if [[ $(cat "$DB_CLIENT_CONF" | grep -c "ssl") < 1 ]]; then echo "ssl_cert=$SSL_DB_CLIENT_CERT" >> $DB_CLIENT_CONF echo "ssl_key=$SSL_DB_CLIENT_KEY" >> $DB_CLIENT_CONF chown mysql:mysql $SSL_DB_CLIENT_CHAIN $SSL_DB_CLIENT_CERT $SSL_DB_CLIENT_KEY - # Make selinux contexts for configu file - semanage fcontext -a -t mysqld_etc_t $DB_CLIENT_CONFf > /dev/null #adds the context type to file - restorecon -F $DB_CLIENT_CONF #changes the file's context type + # Make selinux contexts for config files, if selinux is enabled + selinuxenabled + if [ $? -eq 0 ] + semanage fcontext -a -t mysqld_etc_t $DB_CLIENT_CONFf > /dev/null #adds the context type to file + restorecon -F $DB_CLIENT_CONF #changes the file's context type + fi fi } @@ -134,6 +140,14 @@ create_hirs_db_with_tls () { fi } +set_selinux_context () { + + + + +} + + # HIRS ACA Mysqld processing ... check_mariadb_install check_for_container diff --git a/package/scripts/pki/pki_chain_gen.sh b/package/scripts/pki/pki_chain_gen.sh index 40ab3708..9adbc358 100644 --- a/package/scripts/pki/pki_chain_gen.sh +++ b/package/scripts/pki/pki_chain_gen.sh @@ -216,8 +216,9 @@ create_cert_chain () { openssl verify -CAfile "$TRUST_STORE_FILE" $RIM_SIGNER.pem | tee -a "$LOG_FILE" # Make JKS files for the mysql DB connector. P12 first then JKS... - openssl pkcs12 -export -in $DB_CLIENT.pem -inkey $DB_CLIENT.key -aes256 \ - -passin pass:$PASS -passout pass:$PASS -aes256 \ + openssl pkcs12 -export -in $DB_CLIENT.pem -inkey $DB_CLIENT.key \ + -aes256 -macalg SHA256 -keypbe AES-256-CBC -certpbe AES-256-CBC \ + -passin pass:$PASS -passout pass:$PASS \ -name "mysqlclientkey" -out $DB_CLIENT.p12 >> "$LOG_FILE" 2>&1 keytool -importkeystore -srckeystore $DB_CLIENT.p12 -srcstoretype PKCS12 \ 
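Review bot: The rewritten `semanage` line still labels `$DB_CLIENT_CONFf` (stray trailing `f`, an unset variable that expands to nothing), so semanage receives no path and fails, and the following `restorecon -F $DB_CLIENT_CONF` then resets the client config to its default label rather than mysqld_etc_t; on top of that the `if [ $? -eq 0 ]` has no `then`, the same syntax error as in the server-side hunk. Suggested lines: `if selinuxenabled 2>/dev/null; then` / `semanage fcontext -a -t mysqld_etc_t "$DB_CLIENT_CONF" > /dev/null` / `restorecon -F "$DB_CLIENT_CONF"`. The function containing this `if [[ ... ]]` block starts before the hunk.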
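Review bot: `set_selinux_context () {` followed only by blank lines and `}` is not valid bash — a function body must contain at least one command — so this stub by itself makes db_create.sh fail to parse before check_mariadb_install or anything after it runs. If the helper is meant to replace the two duplicated SELinux blocks in the TLS functions, give it a body that takes the config path and call it from both; otherwise drop it rather than committing an empty definition. The script's top-level command sequence continues after the hunk.
```shell
set_selinux_context () {
  # Label the given config file mysqld_etc_t; no-op when SELinux is disabled or absent.
  local conf=$1
  selinuxenabled 2>/dev/null || return 0
  semanage fcontext -a -t mysqld_etc_t "$conf" > /dev/null
  restorecon -F "$conf"
}
```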
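Review bot: The rewritten `openssl pkcs12` call still passes the keystore password as `-passin pass:$PASS -passout pass:$PASS`, which puts the secret on the command line where any local user can read it from `ps` or `/proc/*/cmdline` while the export runs; since the line is being changed anyway, switch to `-passin env:PASS -passout env:PASS \` with `PASS` exported (or a `file:` source), and do the same for the keytool store passwords if they are given inline further down (not visible here). `-aes256` is now redundant with `-keypbe AES-256-CBC` and can go. The explicit `-macalg SHA256` / `-keypbe` / `-certpbe` flags are presumably what make the P12 acceptable in FIPS mode on OpenSSL 1.1.x (RHEL 8), where certificate bags otherwise default to RC2-40 with a SHA-1 MAC — worth a one-line comment such as `# PBES2/AES + SHA-256 MAC: the legacy RC2/3DES/SHA-1 PKCS#12 defaults are rejected under FIPS`. create_cert_chain starts before and continues after this hunk.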
@@ -227,8 +228,9 @@ create_cert_chain () {
 if [ "$ASYM_ALG" == "rsa" ]; then
 # Create Root CA key pair and self signed cert
 echo "Generating RSA Root CA ...." | tee -a "$LOG_FILE"
- openssl genrsa -out "$PKI_ROOT".key -aes256 -passout pass:"$PASS" "$ASYM_SIZE" >> "$LOG_FILE" 2>&1
-
+ #openssl genrsa -out "$PKI_ROOT".key -aes256 -passout pass:"$PASS" "$ASYM_SIZE" >> "$LOG_FILE" 2>&1
+ openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:3072 -aes256 --pass "pass:$PASS" -out "$PKI_ROOT".key >> "$LOG_FILE" 2>&1
+
 # Create a self signed CA certificate
 openssl req -new -config ca.conf -x509 -days 3650 -key "$PKI_ROOT".key -subj "$ROOT_DN" \
 -extensions ca_extensions -out "$PKI_ROOT".pem \
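Review bot: The new `genpkey` line hard-codes `rsa_keygen_bits:3072` where the replaced `genrsa` call used `"$ASYM_SIZE"`, so whatever size the caller configured is silently ignored for the root CA alone, and if the rest of the chain still honors `$ASYM_SIZE` (not visible here) the root can end up weaker or stronger than its subordinates with no message. Keep the variable — `openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:"$ASYM_SIZE" -aes256 -pass env:PASS -out "$PKI_ROOT".key >> "$LOG_FILE" 2>&1` — and if 3072 is meant as a FIPS floor, enforce it where `$ASYM_SIZE` is set rather than by overriding it here; `env:PASS` also keeps the passphrase out of `ps`. The commented-out `#openssl genrsa` line should be deleted rather than kept (git has the history), and `--pass` should be `-pass` to match the rest of the script (OpenSSL's option parser accepts both). A short comment would help the next reader, e.g. `# genpkey writes PKCS#8 with PBKDF2; the legacy PEM encryption genrsa produced on 1.1.x derives its key with MD5, which FIPS mode rejects` — presumably the reason for the switch. The enclosing function and the `if [ "$ASYM_ALG" == "rsa" ]` branch continue past the hunk.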