author | Endi S. Dewata <edewata@redhat.com> | 2016-06-09 08:17:14 +0200 |
committer | Endi S. Dewata <edewata@redhat.com> | 2016-06-09 08:17:14 +0200 |
commit | b48b8e1bcecd9c49558ccc825de85613a9ba4ddd (patch) | |
tree | f5e35aad9f5abb52dbd2fbdd53f7f6da6dbb371a | |
parent | 15b6f9859a2906024f27090ea35ca1991af996f6 (diff) | |
Updated TPS scripts.
-rwxr-xr-x | scripts/tps-admin-setup.sh | 15 | ||||
-rwxr-xr-x | scripts/tps-agent-setup.sh | 15 | ||||
-rw-r--r-- | scripts/tps-audit.xml | 34 | ||||
-rwxr-xr-x | scripts/tps-console.sh | 3 | ||||
-rwxr-xr-x | scripts/tps-enroll.sh | 26 | ||||
-rwxr-xr-x | scripts/tps-format.sh | 25 | ||||
-rwxr-xr-x | scripts/tps-operator-setup.sh | 17 | ||||
-rwxr-xr-x | scripts/tps-pin-reset.sh | 25 | ||||
-rwxr-xr-x | scripts/tps-profile-diff.sh | 10 | ||||
-rwxr-xr-x | scripts/tps-profile-export.sh | 12 | ||||
-rwxr-xr-x | scripts/tps-token-id.sh | 3 | ||||
-rwxr-xr-x | scripts/tps-update.sh | 12 | ||||
-rwxr-xr-x | scripts/tps-user.sh | 16 | ||||
-rwxr-xr-x | scripts/tps-vlv-update.sh | 20 |
14 files changed, 223 insertions, 10 deletions
diff --git a/scripts/tps-admin-setup.sh b/scripts/tps-admin-setup.sh
new file mode 100755
index 0000000..daacecd
--- /dev/null
+++ b/scripts/tps-admin-setup.sh
@@ -0,0 +1,15 @@
+#!/bin/sh -x
+
+#pki -d ~/.dogtag/pki-tomcat/ca/alias -c Secret123 -n caadmin tps-user-add tpsadmin --fullName "TPS Administrator"
+#pki -d ~/.dogtag/pki-tomcat/ca/alias -c Secret123 -n caadmin tps-group-member-add "Administrators" tpsadmin
+
+REQUEST_ID=`pki -c Secret123 client-cert-request uid=tpsadmin | grep "Request ID:" | awk -F ': ' '{print $2;}'`
+echo Request ID: $REQUEST_ID
+
+CERT_ID=`pki -d ~/.dogtag/pki-tomcat/ca/alias -c Secret123 -n caadmin ca-cert-request-review --action approve $REQUEST_ID | grep "Certificate ID:" | awk -F ': ' '{print $2;}'`
+echo Certificate ID: $CERT_ID
+
+pki -d ~/.dogtag/pki-tomcat/ca/alias -c Secret123 -n caadmin tps-user-cert-add tpsadmin --serial $CERT_ID
+pki -c Secret123 client-cert-import tpsadmin --serial $CERT_ID
+
+pki -c Secret123 client-cert-show tpsadmin --pkcs12 tpsadmin.p12 --pkcs12-password Secret123
diff --git a/scripts/tps-agent-setup.sh b/scripts/tps-agent-setup.sh
new file mode 100755
index 0000000..49f86b9
--- /dev/null
+++ b/scripts/tps-agent-setup.sh
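Review bot: `REQUEST_ID` and `CERT_ID` are used unquoted and unchecked, so if the `grep "Request ID:"` on line 6 matches nothing the approve call on line 9 runs with an empty request id, and `tps-user-cert-add` / `client-cert-import` then run with `--serial` and no value; add `[ -n "$REQUEST_ID" ] || exit 1` after line 6 and `[ -n "$CERT_ID" ] || exit 1` after line 9. The NSS database password and the PKCS#12 export password are passed as `-c Secret123` and `--pkcs12-password Secret123` under `#!/bin/sh -x`, so every traced command line, and `ps` while the command runs, shows the secret; the CLI's password-file option (`-C <password-file>`) or a variable read from the environment at the top of the script keeps it out of argv. The same two points apply to scripts/tps-agent-setup.sh and scripts/tps-operator-setup.sh in this commit.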
@@ -0,0 +1,15 @@
+#!/bin/sh -x
+
+pki -d ~/.dogtag/pki-tomcat/ca/alias -c Secret123 -n caadmin tps-user-add tpsagent --fullName "TPS Agent"
+pki -d ~/.dogtag/pki-tomcat/ca/alias -c Secret123 -n caadmin tps-group-member-add "TPS Agents" tpsagent
+
+REQUEST_ID=`pki -c Secret123 client-cert-request uid=tpsagent | grep "Request ID:" | awk -F ': ' '{print $2;}'`
+echo Request ID: $REQUEST_ID
+
+CERT_ID=`pki -d ~/.dogtag/pki-tomcat/ca/alias -c Secret123 -n caadmin ca-cert-request-review --action approve $REQUEST_ID | grep "Certificate ID:" | awk -F ': ' '{print $2;}'`
+echo Certificate ID: $CERT_ID
+
+pki -d ~/.dogtag/pki-tomcat/ca/alias -c Secret123 -n caadmin tps-user-cert-add tpsagent --serial $CERT_ID
+pki -c Secret123 client-cert-import tpsagent --serial $CERT_ID
+
+pki -c Secret123 client-cert-show tpsagent --pkcs12 tpsagent.p12 --pkcs12-password Secret123
diff --git a/scripts/tps-audit.xml b/scripts/tps-audit.xml
new file mode 100644
index 0000000..5f9dd8d
--- /dev/null
+++ b/scripts/tps-audit.xml
@@ -0,0 +1,34 @@
+<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
+<Audit xmlns:ns2="http://www.w3.org/2005/Atom">
+ <BufferSize>512</BufferSize>
+ <Events>
+ <Event name="AUDIT_LOG_SHUTDOWN">mandatory</Event>
+ <Event name="AUDIT_LOG_STARTUP">mandatory</Event>
+ <Event name="AUTHZ_FAIL">disabled</Event>
+ <Event name="AUTHZ_SUCCESS">enabled</Event>
+ <Event name="AUTH_FAIL">enabled</Event>
+ <Event name="AUTH_SUCCESS">enabled</Event>
+ <Event name="CIMC_CERT_VERIFICATION">enabled</Event>
+ <Event name="CONFIG_AUTH">enabled</Event>
+ <Event name="CONFIG_ROLE">enabled</Event>
+ <Event name="CONFIG_SIGNED_AUDIT">enabled</Event>
+ <Event name="CONFIG_TOKEN_GENERAL">enabled</Event>
+ <Event name="CONFIG_TOKEN_PROFILE">enabled</Event>
+ <Event name="LOGGING_SIGNED_AUDIT_SIGNING">mandatory</Event>
+ <Event name="ROLE_ASSUME">enabled</Event>
+ <Event name="SELFTESTS_EXECUTION">enabled</Event>
+ <Event name="TOKEN_APPLET_UPGRADE">enabled</Event>
+ <Event name="TOKEN_CERT_ENROLLMENT">enabled</Event>
+ <Event name="TOKEN_CERT_RENEWAL">enabled</Event>
+ <Event name="TOKEN_CERT_STATUS_CHANGE_REQUEST">enabled</Event>
+ <Event name="TOKEN_FORMAT_REQUEST">enabled</Event>
+ <Event name="TOKEN_KEY_CHANGEOVER">enabled</Event>
+ <Event name="TOKEN_PIN_RESET_REQUEST">enabled</Event>
+ <Event name="TOKEN_STATE_CHANGE">enabled</Event>
+ </Events>
+ <Interval>5</Interval>
+ <Link href="https://vm-149.idm.lab.bos.redhat.com:8443/tps/rest/audit" rel="self"/>
+ <Signed>false</Signed>
+ <Status>Enabled</Status>
+</Audit>
+
diff --git a/scripts/tps-console.sh b/scripts/tps-console.sh
new file mode 100755
index 0000000..d5339e9
--- /dev/null
+++ b/scripts/tps-console.sh
@@ -0,0 +1,3 @@
+#!/bin/sh -x
+
+pkiconsole https://$HOSTNAME:8443/tps
diff --git a/scripts/tps-enroll.sh b/scripts/tps-enroll.sh
index 78c9212..73f9d44 100755
--- a/scripts/tps-enroll.sh
+++ b/scripts/tps-enroll.sh
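Review bot: The `<Link href="https://vm-149.idm.lab.bos.redhat.com:8443/tps/rest/audit" rel="self"/>` element pins a lab hostname into a file that otherwise reads as a reusable audit configuration; the self-link is presumably echoed back by the server and ignored on upload, but anyone applying this file against another instance will have to guess that, so either drop the element or add a comment above it saying it is informational. `<Signed>false</Signed>` together with `<Event name="AUTHZ_FAIL">disabled</Event>` also looks like a test-only setting set rather than a recommended one; a one-line XML comment at the top stating that this is a development sample would keep it from being copied as-is.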
@@ -1,18 +1,34 @@
 #!/bin/sh
+uid=$1
+cuid=$2
+
+if [ "$cuid" == "" ]; then
+ #cuid=a00192030405060708c9
+ cuid=`hexdump -v -n "10" -e '1/1 "%02x"' /dev/urandom`
+fi
+
+echo $cuid
+
 tpsclient <<EOF
 op=var_set name=ra_host value=localhost
-op=var_set name=ra_port value=7888
-op=var_set name=ra_uri value=/nk_service
+op=var_set name=ra_port value=8080
+op=var_set name=ra_uri value=/tps/tps
+op=var_list
+
+#op=token_status
+
+op=token_set cuid=$cuid msn=01020304 app_ver=6FBBC105 key_info=0101 major_ver=0 minor_ver=0
-op=token_set cuid=a00192030405060708c9 msn=01020304 app_ver=6FBBC105 key_info=0101 major_ver=0 minor_ver=0
 op=token_set auth_key=404142434445464748494a4b4c4d4e4f
 op=token_set mac_key=404142434445464748494a4b4c4d4e4f
 op=token_set kek_key=404142434445464748494a4b4c4d4e4f
-op=token_status
-op=ra_enroll uid=testuser num_threads=1 pwd=Secret123 new_pin=Secret123
 op=token_status
+op=ra_enroll uid=$uid pwd=Secret123 new_pin=Secret123 num_threads=1 extensions=tokenType=userKey
+
+#op=token_status
+
 op=exit
 EOF
diff --git a/scripts/tps-format.sh b/scripts/tps-format.sh
index 4e0d971..6f7be24 100755
--- a/scripts/tps-format.sh
+++ b/scripts/tps-format.sh
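Review bot: `if [ "$cuid" == "" ]; then` on new line 5 uses the bash-only `==` under `#!/bin/sh`; a POSIX `/bin/sh` such as dash rejects it with "unexpected operator", so the fallback CUID is never generated when the second argument is omitted. The POSIX form is `if [ -z "$cuid" ]; then`, and the following `echo $cuid` should be `echo "$cuid"`. `uid=$1` is likewise taken without a check and expanded into the tpsclient heredoc, so running the script with no arguments sends `op=ra_enroll uid=` to the TPS; `[ -n "$uid" ] || { echo "usage: $0 uid [cuid]" >&2; exit 1; }` after the assignments turns that into a usage error. The same `==` test is added in scripts/tps-format.sh in this commit.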
@@ -1,21 +1,36 @@
 #!/bin/sh
+uid=$1
+cuid=$2
+
+if [ "$cuid" == "" ]; then
+ #cuid=a00192030405060708c9
+ #cuid=A7D05D2BA7D1AFB4E7C1
+ cuid=`hexdump -v -n "10" -e '1/1 "%02x"' /dev/urandom`
+fi
+
+echo $cuid
+
 tpsclient <<EOF
 op=var_set name=ra_host value=localhost
-op=var_set name=ra_port value=16080
+op=var_set name=ra_port value=8080
 op=var_set name=ra_uri value=/tps/tps
 op=var_list
-op=token_status
+#op=token_status
+
+op=token_set cuid=$cuid msn=01020304 app_ver=6FBBC105 key_info=0101 major_ver=0 minor_ver=0
+#op=token_set cuid=$cuid app_ver=6FBBC105 key_info=0101
-op=token_set cuid=a00192030405060708c9 app_ver=6FBBC105 key_info=0101
 op=token_set auth_key=404142434445464748494a4b4c4d4e4f
 op=token_set mac_key=404142434445464748494a4b4c4d4e4f
 op=token_set kek_key=404142434445464748494a4b4c4d4e4f
+
 op=token_status
-op=ra_format uid=test pwd=password num_threads=1 new_pin=password
+op=ra_format uid=$uid pwd=Secret123 new_pin=Secret123 num_threads=1 extensions=tokenType=userKey
+
+#op=token_status
-op=token_status
 op=exit
 EOF
diff --git a/scripts/tps-operator-setup.sh b/scripts/tps-operator-setup.sh
new file mode 100755
index 0000000..60b9b5a
--- /dev/null
+++ b/scripts/tps-operator-setup.sh
@@ -0,0 +1,17 @@
+#!/bin/sh -x
+
+pki -d ~/.dogtag/pki-tomcat/ca/alias -c Secret123 -n caadmin tps-user-add tpsoperator --fullName "TPS Operator"
+pki -d ~/.dogtag/pki-tomcat/ca/alias -c Secret123 -n caadmin tps-group-member-add "TPS Operators" tpsoperator
+
+pki -c Secret123 client-init --force
+
+REQUEST_ID=`pki -c Secret123 client-cert-request uid=tpsoperator | grep "Request ID:" | awk -F ': ' '{print $2;}'`
+echo Request ID: $REQUEST_ID
+
+CERT_ID=`pki -d ~/.dogtag/pki-tomcat/ca/alias -c Secret123 -n caadmin ca-cert-request-review --action approve $REQUEST_ID | grep "Certificate ID:" | awk -F ': ' '{print $2;}'`
+echo Certificate ID: $CERT_ID
+
+pki -d ~/.dogtag/pki-tomcat/ca/alias -c Secret123 -n caadmin tps-user-cert-add tpsoperator --serial $CERT_ID
+pki -c Secret123 client-cert-import tpsoperator --serial $CERT_ID
+
+pki -c Secret123 client-cert-show tpsoperator --pkcs12 tpsoperator.p12 --pkcs12-password Secret123
diff --git a/scripts/tps-pin-reset.sh b/scripts/tps-pin-reset.sh
new file mode 100755
index 0000000..741104d
--- /dev/null
+++ b/scripts/tps-pin-reset.sh
@@ -0,0 +1,25 @@
+#!/bin/sh
+
+uid=$1
+cuid=$2
+
+tpsclient <<EOF
+op=var_set name=ra_host value=localhost
+op=var_set name=ra_port value=8080
+op=var_set name=ra_uri value=/tps/tps
+op=var_list
+
+#op=token_status
+
+op=token_set cuid=$cuid msn=01020304 app_ver=6FBBC105 key_info=0101 major_ver=0 minor_ver=0
+
+op=token_set auth_key=404142434445464748494a4b4c4d4e4f
+op=token_set mac_key=404142434445464748494a4b4c4d4e4f
+op=token_set kek_key=404142434445464748494a4b4c4d4e4f
+
+op=ra_reset_pin uid=$uid pwd=Secret123 new_pin=Secret123 num_threads=1
+
+#op=token_status
+
+op=exit
+EOF
diff --git a/scripts/tps-profile-diff.sh b/scripts/tps-profile-diff.sh
new file mode 100755
index 0000000..8cfb40a
--- /dev/null
+++ b/scripts/tps-profile-diff.sh
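Review bot: `pki -c Secret123 client-init --force` on line 6 has no counterpart in tps-admin-setup.sh or tps-agent-setup.sh, and as I read the CLI `--force` re-creates the client NSS database, so any client certificate already imported by those two scripts into the same `~/.dogtag` client directory would be discarded before the operator certificate is requested. If that reset is deliberate, a comment above it such as `# re-initialise the client NSS DB; drops previously imported client certs` makes the required run order of the three setup scripts explicit; if not, drop the line so the three scripts behave alike.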
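Review bot: scripts/tps-pin-reset.sh takes `uid=$1` and `cuid=$2` without checking either, and unlike tps-enroll.sh and tps-format.sh it has no fallback for the CUID, so a missing second argument sends `op=token_set cuid=` to the TPS for a token that must already exist; a synthesised CUID would be wrong here, so the right behaviour is to fail early with `[ -n "$uid" ] && [ -n "$cuid" ] || { echo "usage: $0 uid cuid" >&2; exit 1; }`. `pwd=Secret123 new_pin=Secret123` are fixed in the heredoc as in the other tpsclient scripts; if these are test fixtures, a header comment saying so would stop the values being carried into a non-test setup.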
@@ -0,0 +1,10 @@
+#!/bin/sh
+
+ORIG_DIR=~/tps/profiles/orig
+NEW_DIR=~/tps/profiles/new
+
+list=`cd $ORIG_DIR; ls`
+for name in $list; do
+ echo Comparing $name
+ diff $ORIG_DIR/$name $NEW_DIR/$name
+done
diff --git a/scripts/tps-profile-export.sh b/scripts/tps-profile-export.sh
new file mode 100755
index 0000000..d93b548
--- /dev/null
+++ b/scripts/tps-profile-export.sh
@@ -0,0 +1,12 @@
+#!/bin/sh
+
+CS_CFG=/var/lib/pki/pki-tomcat/tps/conf/CS.cfg
+
+mkdir -p ~/tps/profiles/orig
+cd ~/tps/profiles/orig
+
+list=`grep target.Profiles.list= /var/lib/pki/pki-tomcat/tps/conf/CS.cfg | sed -e 's/.*=//' | sed -e 's/,/ /g'`
+for name in $list; do
+ echo Exporting $name.cfg
+ cat $CS_CFG | grep "op\..*\.$name\..*" > $name.cfg
+done
diff --git a/scripts/tps-token-id.sh b/scripts/tps-token-id.sh
new file mode 100755
index 0000000..9cee333
--- /dev/null
+++ b/scripts/tps-token-id.sh
@@ -0,0 +1,3 @@
+#!/bin/sh
+
+echo `hexdump -v -n "10" -e '1/1 "%02x"' /dev/urandom` | tr '[:lower:]' '[:upper:]'
diff --git a/scripts/tps-update.sh b/scripts/tps-update.sh
new file mode 100755
index 0000000..1ed5084
--- /dev/null
+++ b/scripts/tps-update.sh
@@ -0,0 +1,12 @@
+#!/bin/sh
+
+/bin/cp $HOME/Projects/pki/base/tps/shared/webapps/tps/* /usr/share/pki/tps/webapps/tps/
+/bin/cp $HOME/Projects/pki/base/tps/shared/webapps/tps/ui/* /usr/share/pki/tps/webapps/tps/ui/
+/bin/cp $HOME/Projects/pki/base/tps/shared/webapps/tps/js/* /usr/share/pki/tps/webapps/tps/js/
+/bin/cp $HOME/Projects/pki/base/server/share/webapps/pki/js/* /usr/share/pki/server/webapps/pki/js/
+
+/bin/cp $HOME/Projects/pki/dogtag/common-ui/shared/css/* /usr/share/pki/common-ui/css/
+
+#/bin/cp $HOME/Projects/pki/base/server/share/webapps/pki/fonts/* /usr/share/pki/common-ui/fonts/
+
+/bin/cp $HOME/Projects/pki/base/tps/shared/conf/token-states.properties /usr/share/pki/tps/conf/
diff --git a/scripts/tps-user.sh b/scripts/tps-user.sh
new file mode 100755
index 0000000..8fc3b60
--- /dev/null
+++ b/scripts/tps-user.sh
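Review bot: `list=\`cd $ORIG_DIR; ls\`` followed by `for name in $list` parses `ls` output and word-splits it, so a profile file name containing whitespace is broken into several names, and a profile missing from `$NEW_DIR` only shows up as a `diff` error on stderr while the loop carries on as if it had compared something. Iterating the glob directly and checking for the counterpart gives the same output for the normal case and a clear message for the missing one.
```shell
ORIG_DIR=~/tps/profiles/orig
NEW_DIR=~/tps/profiles/new

for path in "$ORIG_DIR"/*; do
  name=${path##*/}
  echo "Comparing $name"
  if [ -f "$NEW_DIR/$name" ]; then
    diff -- "$ORIG_DIR/$name" "$NEW_DIR/$name"
  else
    echo "missing $NEW_DIR/$name" >&2
  fi
done
```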
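Review bot: In scripts/tps-profile-export.sh the `cd ~/tps/profiles/orig` on line 6 is unchecked, so if the `mkdir -p` or the `cd` fails, every `> $name.cfg` redirection writes profile fragments into whatever the current directory happened to be; `cd ~/tps/profiles/orig || exit 1` closes that. `CS_CFG` is defined on line 3 but the `grep target.Profiles.list=` line repeats the literal `/var/lib/pki/pki-tomcat/tps/conf/CS.cfg`, so the two paths can drift; `grep target.Profiles.list= "$CS_CFG"` and, in the loop, `grep "op\..*\.$name\..*" "$CS_CFG" > "$name.cfg"` use the variable and drop the `cat` pipe. `$name` is spliced into a grep regex and a file name; that is acceptable while the list comes from the instance's own CS.cfg, and a comment saying the names are trusted for that reason would spare the next reader the question.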
@@ -0,0 +1,16 @@
+#!/bin/sh
+
+uid=$1
+
+ldapadd -h $HOSTNAME -p 389 -D "cn=Directory Manager" -w Secret123 << EOF
+dn: uid=$uid,ou=people,dc=example,dc=com
+objectClass: top
+objectClass: person
+objectClass: organizationalPerson
+objectClass: inetOrgPerson
+uid: $uid
+cn: Test User
+sn: User
+givenName: Test
+userPassword: Secret123
+EOF
diff --git a/scripts/tps-vlv-update.sh b/scripts/tps-vlv-update.sh
new file mode 100755
index 0000000..f05e6d0
--- /dev/null
+++ b/scripts/tps-vlv-update.sh
@@ -0,0 +1,20 @@
+#!/bin/sh -x
+
+ldapdelete -x -D "cn=Directory Manager" -w Secret123 << EOF
+cn=listTokensIndex,cn=listTokens,cn=tps,cn=ldbm database,cn=plugins,cn=config
+cn=listTokens,cn=tps,cn=ldbm database,cn=plugins,cn=config
+cn=listActivitiesIndex,cn=listActivities,cn=tps,cn=ldbm database,cn=plugins,cn=config
+cn=listActivities,cn=tps,cn=ldbm database,cn=plugins,cn=config
+EOF
+
+/bin/cp /usr/share/pki/tps/conf/vlv.ldif .
+sed -i "s/{instanceId}/pki-tomcat/g" vlv.ldif
+sed -i "s/{database}/tps/g" vlv.ldif
+sed -i "s/{rootSuffix}/dc=tps,dc=example,dc=com/" vlv.ldif
+ldapadd -x -D "cn=Directory Manager" -w Secret123 -f vlv.ldif
+
+systemctl stop dirsrv@pki-tomcat.service
+vlvindex -Z pki-tomcat -n tps -T listTokensIndex
+vlvindex -Z pki-tomcat -n tps -T listActivitiesIndex
+systemctl start dirsrv@pki-tomcat.service
+
|
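Review bot: `uid=$1` is expanded unescaped into `dn: uid=$uid,ou=people,dc=example,dc=com` and the `uid:` attribute of the LDIF, so a value containing `,`, `+`, `=` or a leading space changes which entry gets created instead of being rejected, and an empty first argument produces `dn: uid=,ou=people,...`; validate it before the heredoc, e.g. `case $uid in ''|*[!A-Za-z0-9._-]*) echo "invalid uid" >&2; exit 1;; esac`. The bind passes the Directory Manager password as `-w Secret123` on the command line over plain LDAP (`-h $HOSTNAME -p 389`), which leaves it visible in `ps` and in clear text on the wire; `-y <password-file>` and `-ZZ` (StartTLS) address both without changing the LDIF.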
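Review bot: In scripts/tps-vlv-update.sh the third substitution, `sed -i "s/{rootSuffix}/dc=tps,dc=example,dc=com/" vlv.ldif`, has no `/g` while the `{instanceId}` and `{database}` substitutions on the two lines above do, so a vlv.ldif line carrying two `{rootSuffix}` placeholders would be left half-substituted; make it `sed -i "s/{rootSuffix}/dc=tps,dc=example,dc=com/g" vlv.ldif` unless a single replacement is intended, in which case a comment should say why. `ldapadd ... -f vlv.ldif` is also not checked before `systemctl stop dirsrv@pki-tomcat.service`, so when the add fails the directory is still stopped and `vlvindex` runs against VLV entries that were never created; `ldapadd -x -D "cn=Directory Manager" -w Secret123 -f vlv.ldif || exit 1` keeps the service up in that case. The `-w Secret123` on `ldapdelete` and `ldapadd` under `#!/bin/sh -x` puts the Directory Manager password in the shell trace and in `ps`; `-y <password-file>` keeps it out of argv.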