#!/bin/bash # ############################################################################### # HIRS DB creation # Environment variables used: # a. HIRS_MYSQL_ROOT_PWD: Set this variable if mysql root password is already set # b. HIRS_DB_PWD: Set the pwd if default password to hirs_db user needs to be changed ################################################################################ LOG_FILE=$1 DB_LOG_FILE="/var/log/mariadb/mariadb.log" PKI_PASS=$2 UNATTENDED=$3 RSA_PATH=rsa_3k_sha384_certs ECC_PATH=ecc_512_sha384_certs # Capture location of the script to allow from invocation from any location SCRIPT_DIR=$( dirname -- "$( readlink -f -- "$0"; )"; ) SPRING_PROP_FILE="/etc/hirs/aca/application.properties" ACA_PROP_FILE="/etc/hirs/aca/aca.properties" DB_ADMIN_PWD="" # Db Configuration fileis, use RHELpaths as default DB_SRV_CONF="/etc/my.cnf.d/mariadb-server.cnf" DB_CLIENT_CONF="/etc/my.cnf.d/client.cnf" # Default Server Side Certificates SSL_DB_SRV_CHAIN="/etc/hirs/certificates/HIRS/rsa_3k_sha384_certs/HIRS_rsa_3k_sha384_Cert_Chain.pem"; SSL_DB_SRV_CERT="/etc/hirs/certificates/HIRS/rsa_3k_sha384_certs/HIRS_db_srv_rsa_3k_sha384.pem"; SSL_DB_SRV_KEY="/etc/hirs/certificates/HIRS/rsa_3k_sha384_certs/HIRS_db_srv_rsa_3k_sha384.key"; # Default Client Side Certificates SSL_DB_CLIENT_CHAIN="/etc/hirs/certificates/HIRS/rsa_3k_sha384_certs/HIRS_rsa_3k_sha384_Cert_Chain.pem"; SSL_DB_CLIENT_CERT="/etc/hirs/certificates/HIRS/rsa_3k_sha384_certs/HIRS_db_client_rsa_3k_sha384.pem"; SSL_DB_CLIENT_KEY="/etc/hirs/certificates/HIRS/rsa_3k_sha384_certs/HIRS_db_client_rsa_3k_sha384.key"; # Make sure required paths exist mkdir -p /etc/hirs/aca/ mkdir -p /var/log/hirs/ source $ACA_PROP_FILE source $SCRIPT_DIR/mysql_util.sh source /etc/os-release # Setup distro specifc paths and variables if [ $ID = "ubuntu" ]; then DB_SRV_CONF="/etc/mysql/mariadb.conf.d/50-server.cnf" DB_CLIENT_CONF="/etc/mysql/mariadb.conf.d/50-client.cnf" mkdir -p /var/log/mariadb >> /dev/null if [[ $(cat "$DB_SRV_CONF" | grep -c "log-error") < 1 ]]; then echo "log_error=/var/log/mariadb/mariadb.log" >> $DB_SRV_CONF echo "tls_version = TLSv1.2,TLSv1.3" >> $DB_SRV_CONF fi fi touch $ACA_PROP_FILE touch $LOG_FILE touch $DB_SRV_CONF touch $DB_LOG_FILE check_mysql_root_pwd () { # Check if DB root password needs to be obtained via env variable or existing property file if [ -z "$HIRS_MYSQL_ROOT_PWD" ]; then # Check if property file exists and look for properties if [ -f $ACA_PROP_FILE ]; then source $ACA_PROP_FILE if [ ! -z $hirs_pki_password ]; then PKI_PASS=$hirs_pki_password; fi if [ ! -z $mysql_admin_password ]; then HIRS_MYSQL_ROOT_PWD=$mysql_admin_password; fi if [ ! -z $hirs_db_password ]; then HIRS_DB_PWD=$hirs_db_password; fi fi fi if [ -z $HIRS_MYSQL_ROOT_PWD ]; then # Create a 32 character random password echo "Using randomly generated password for the DB admin" | tee -a "$LOG_FILE" DB_ADMIN_PWD=$(head -c 64 /dev/urandom | md5sum | tr -dc 'a-zA-Z0-9') echo "DB Admin will be set to $DB_ADMIN_PWD , please make note for next mysql use." # Check UNATTENDED flag set m if not then prompt user for permission ot store mysql root password if [ -z $UNATTENDED ]; then read -p "Do you wish to save this password to the aca.properties file? " confirm if [[ $confirm == [yY] || $confirm == [yY][eE][sS] ]]; then echo "mysql_admin_password=$DB_ADMIN_PWD" >> $ACA_PROP_FILE echo "Mysql root password saved locally" else echo "Mysql root password not saved locally" fi else echo "mysql_admin_password=$DB_ADMIN_PWD" >> $ACA_PROP_FILE echo "Mysql root password has been saved locally." fi mysqladmin --user=root password "$DB_ADMIN_PWD" else DB_ADMIN_PWD=$HIRS_MYSQL_ROOT_PWD echo "Using system variable supplied password" | tee -a "$LOG_FILE" fi # Make sure root password is correct $(mysql -u root -p$DB_ADMIN_PWD -e 'quit' &> /dev/null); if [ $? -eq 0 ]; then echo "Mysql root password verified" | tee -a "$LOG_FILE" else echo "MYSQL root password was not the default, not supplied, or was incorrect" echo " please set the HIRS_MYSQL_ROOT_PWD system variable and retry." echo " ********** ACA Mysql setup aborted ********" ; exit 1; fi } set_mysql_server_tls () { # Check DB server setup. If HIRS ssl params dont exist then we need to add them. if [[ $(cat "$DB_SRV_CONF" | grep -c "HIRS") < 1 ]]; then # Add TLS files to my.cnf echo "Updating $DB_SRV_CONF with ssl parameters..." | tee -a "$LOG_FILE" echo "ssl_ca=$SSL_DB_SRV_CHAIN" >> "$DB_SRV_CONF" echo "ssl_cert=$SSL_DB_SRV_CERT" >> "$DB_SRV_CONF" echo "ssl_key=$SSL_DB_SRV_KEY" >> "$DB_SRV_CONF" echo "tls_version=TLSv1.2,TLSv1.3" >> "$DB_SRV_CONF" echo "require_secure_transport=ON" >> "$DB_SRV_CONF" # Make sure mysql can access them chown mysql:mysql $SSL_DB_SRV_CHAIN $SSL_DB_SRV_CERT $SSL_DB_SRV_KEY # Make selinux contexts for config files, if selinux is enabled if [[ $ID = "rhel" ]] || [[ $ID = "rocky" ]] ||[[ $ID = "fedora" ]]; then command -v selinuxenabled > /dev/null if [ $? -eq 0 ]; then selinuxenabled if [ $? -eq 0 ]; then #semanage fcontext -a -t mysqld_etc_t $DB_SRV_CONF > /dev/null #adds the context type to file restorecon -v -F $DB_SRV_CONF > /dev/null # changes the file's context type fi fi fi else echo "mysql.cnf contians existing entry for ssl, skipping..." | tee -a "$LOG_FILE" fi } set_mysql_client_tls () { # Update ACA property file with client cert info, if not there already if [[ $(cat "$DB_CLIENT_CONF" | grep -c "HIRS") < 1 ]]; then echo "Updating $DB_CLIENT_CONF with ssl parameters..." | tee -a "$LOG_FILE" echo "ssl_ca=$SSL_DB_CLIENT_CHAIN" >> $DB_CLIENT_CONF echo "ssl_cert=$SSL_DB_CLIENT_CERT" >> $DB_CLIENT_CONF echo "ssl_key=$SSL_DB_CLIENT_KEY" >> $DB_CLIENT_CONF chown mysql:mysql $SSL_DB_CLIENT_CHAIN $SSL_DB_CLIENT_CERT $SSL_DB_CLIENT_KEY # Make selinux contexts for config files, if selinux is enabled if [[ $ID = "rhel" ]] || [[ $ID = "rocky" ]] ||[[ $ID = "fedora" ]]; then command -v selinuxenabled > /dev/null if [ $? -eq 0 ]; then selinuxenabled if [ $? -eq 0 ]; then #semanage fcontext -a -t mysqld_etc_t $DB_CLIENT_CONF > /dev/null #adds the context type to file restorecon -F $DB_CLIENT_CONF > /dev/null #changes the file's context type fi fi fi fi } # Process HIRS DB USER set_hirs_db_pwd () { RESULT="$(mysql -u root --password=$DB_ADMIN_PWD -e "SELECT EXISTS(SELECT 1 FROM mysql.user WHERE user = 'hirs_db')")" if [ "$RESULT" = 1 ]; then echo "hirs-db user exists" HIRS_DB_PWD=$hirs_db_password else # Check if Mysql HIRS DB password set by system variable or set to random number if [ -z $HIRS_DB_PWD ]; then HIRS_DB_PWD=$(head -c 64 /dev/urandom | md5sum | tr -dc 'a-zA-Z0-9') fi # Add key/values only if they dont exist if [[ $(grep -c "hirs_db_username" $ACA_PROP_FILE) -eq 0 ]]; then echo "hirs_db_username=hirs_db" >> $ACA_PROP_FILE fi if [[ $(grep -c "hirs_db_password" $ACA_PROP_FILE) -eq 0 ]]; then echo "hirs_db_password=$HIRS_DB_PWD" >> $ACA_PROP_FILE fi if [[ $(grep -c "hibernate.connection.username" $SPRING_PROP_FILE) -eq 0 ]]; then echo "hibernate.connection.username=hirs_db" >> $SPRING_PROP_FILE fi if [[ $(grep -c "hibernate.connection.password" $SPRING_PROP_FILE) -eq 0 ]]; then echo "hibernate.connection.password=$HIRS_DB_PWD" >> $SPRING_PROP_FILE fi fi } # Create a hirs_db with client side TLS enabled create_hirs_db_with_tls () { # Check if hirs_db not created and create it if it wasn't mysqlshow --user=root --password="$DB_ADMIN_PWD" | grep "hirs_db" >> $LOG_FILE 2>&1 if [ $? -eq 0 ]; then echo "hirs_db exists, skipping hirs_db create" else mysql -u root --password=$DB_ADMIN_PWD < $MYSQL_DIR/db_create.sql mysql -u root --password=$DB_ADMIN_PWD < $MYSQL_DIR/secure_mysql.sql mysql -u root --password=$DB_ADMIN_PWD -e "SET PASSWORD FOR 'hirs_db'@'localhost' = PASSWORD('"$HIRS_DB_PWD"'); FLUSH PRIVILEGES;"; fi } # Create a JDBC connector used by hibernate and place in Springs application.properties create_hibernate_url () { ALG=$1 db_username=$2 if [ $ALG = "RSA" ]; then CERT_PATH="/etc/hirs/certificates/HIRS/$RSA_PATH" CERT_CHAIN="$CERT_PATH/HIRS_rsa_3k_sha384_Cert_Chain.pem" CLIENT_DB_P12=$CERT_PATH/HIRS_db_client_rsa_3k_sha384.p12 ALIAS="hirs_aca_tls_rsa_3k_sha384" else CERT_PATH="/etc/hirs/certificates/HIRS/$ECC_PATH" CERT_CHAIN="$CERT_PATH/HIRS_ecc_512_sha384_Cert_Chain.pem" CLIENT_DB_P12=$CERT_PATH/HIRS_db_client_ecc_512_sha384.p12 ALIAS="hirs_aca_tls_ecc_512_sha384" fi CONNECTOR_URL="hibernate.connection.url=jdbc:mariadb://localhost:3306/hirs_db?autoReconnect=true&\ user=$db_username&\ password=$HIRS_DB_PWD&\ sslMode=VERIFY_CA&\ serverSslCert=$CERT_CHAIN&\ keyStoreType=PKCS12&\ keyStorePassword=$PKI_PASS&\ keyStore="$CLIENT_DB_P12" " if [[ $(grep -c "hibernate.connection.url" $SPRING_PROP_FILE) -eq 0 ]]; then echo $CONNECTOR_URL >> $SPRING_PROP_FILE fi } # HIRS ACA Mysqld processing ... check_systemd -p check_mariadb_install start_mysqlsd check_mysql check_mysql_root_pwd clear_hirs_user set_hirs_db_pwd set_mysql_server_tls set_mysql_client_tls create_hirs_db_with_tls create_hibernate_url "RSA" "hirs_db" mysqld_reboot