authorEndi S. Dewata <edewata@redhat.com>2017-07-12 20:23:28 +0200
committerEndi S. Dewata <edewata@redhat.com>2017-07-12 20:23:28 +0200
commitc23e0e44df69e44cb21c0e564ff1a7e2a7b67fd5 (patch)
tree0250e55b5b488999efab3b2f608d05194ae05a30
parent3190be941ce9bb8b05b1bf9d49aa95480c1ba77b (diff)
Updated KRA scripts.
-rwxr-xr-xscripts/kra-clone-create.sh5
-rwxr-xr-xscripts/kra-clone-import.sh3
-rwxr-xr-xscripts/kra-clone-remove.sh6
-rwxr-xr-xscripts/kra-console.sh2
-rwxr-xr-xscripts/kra-create.sh53
-rwxr-xr-xscripts/kra-export.sh5
-rwxr-xr-xscripts/kra-lunasa-create.sh3
-rwxr-xr-xscripts/kra-merged-create.sh2
-rwxr-xr-xscripts/kra-nfast-create.sh3
-rwxr-xr-xscripts/kra-remote-create.sh6
-rwxr-xr-xscripts/kra-remote-nfast-create-step1.sh3
-rwxr-xr-xscripts/kra-remote-nfast-create-step2.sh3
-rwxr-xr-xscripts/kra-remote-remove.sh4
-rwxr-xr-xscripts/kra-remove.sh1
-rwxr-xr-xscripts/kra-separate-create.sh3
-rwxr-xr-xscripts/kra-standalone-sign.sh75
-rwxr-xr-xscripts/kra-standalone-step1.sh10
-rwxr-xr-xscripts/kra-standalone-step2.sh15
-rwxr-xr-xscripts/kra-step1.sh54
-rwxr-xr-xscripts/kra-step2.sh54
-rwxr-xr-xscripts/kra-tomcat7-create.sh57
-rwxr-xr-xscripts/kra-tomcat8-create.sh57
-rwxr-xr-xscripts/kra-tps-remove.sh13
23 files changed, 433 insertions, 4 deletions
diff --git a/scripts/kra-clone-create.sh b/scripts/kra-clone-create.sh
new file mode 100755
index 0000000..9bc4b9c
--- /dev/null
+++ b/scripts/kra-clone-create.sh
@@ -0,0 +1,5 @@
+#!/bin/sh -x
+
+/bin/cp kra_backup_keys.p12 /tmp
+
+pkispawn -vvv -f kraclone.cfg -s KRA
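Review bot: `/bin/cp kra_backup_keys.p12 /tmp` places the KRA key backup under a fixed name in a world-writable directory with the caller's default umask, so other local accounts may be able to read it, and a file or symlink already at that path is written through. kraclone.cfg is not part of this diff, so I am assuming it points at /tmp/kra_backup_keys.p12. If the path can be changed, copy into a directory created for this purpose with restrictive permissions, for example `install -m 600 kra_backup_keys.p12 "$CLONE_DIR"/`, and delete the copy once pkispawn has finished. The copy is also unchecked, so pkispawn still runs against whatever is already at that path when cp fails; `/bin/cp … || exit 1` would stop that. kra-clone-import.sh has the same /tmp copy and additionally hard-codes /home/edewata, and kra-remote-create.sh copies external.crt and cert_chain.p7b to fixed /tmp names in the same way.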
diff --git a/scripts/kra-clone-import.sh b/scripts/kra-clone-import.sh
new file mode 100755
index 0000000..c9fecf2
--- /dev/null
+++ b/scripts/kra-clone-import.sh
@@ -0,0 +1,3 @@
+#!/bin/sh -x
+
+cp /home/edewata/kra_backup_keys.p12 /tmp
diff --git a/scripts/kra-clone-remove.sh b/scripts/kra-clone-remove.sh
new file mode 100755
index 0000000..41ff7d9
--- /dev/null
+++ b/scripts/kra-clone-remove.sh
@@ -0,0 +1,6 @@
+#!/bin/sh
+
+SRC_DIR=`cd ../.. ; pwd`
+INSTANCE_NAME=pki-clone
+
+pkidestroy -v -s KRA -i $INSTANCE_NAME
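Review bot: `SRC_DIR` is assigned from a `cd ../.. ; pwd` subshell but nothing in the script reads it, so that line can be dropped. `$INSTANCE_NAME` should be quoted in the pkidestroy call, `pkidestroy -v -s KRA -i "$INSTANCE_NAME"`, so the script stays correct if the name is ever taken from the environment or an argument.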
diff --git a/scripts/kra-console.sh b/scripts/kra-console.sh
index 7b403c5..082166f 100755
--- a/scripts/kra-console.sh
+++ b/scripts/kra-console.sh
@@ -1,3 +1,3 @@
#!/bin/sh -x
-pkiconsole https://$HOSTNAME:12443/kra
+pkiconsole https://$HOSTNAME:8443/kra
diff --git a/scripts/kra-create.sh b/scripts/kra-create.sh
index 71bd462..488c4b8 100755
--- a/scripts/kra-create.sh
+++ b/scripts/kra-create.sh
@@ -1,3 +1,54 @@
#!/bin/sh -x
-pkispawn -v -f kra.cfg -s KRA 2>&1 | tee build/kra-create.log
+cat > kra.cfg << EOF
+[KRA]
+pki_admin_cert_file=/root/.dogtag/pki-tomcat/ca_admin.cert
+#pki_import_admin_cert=False
+#pki_import_admin_pkcs12_file=/root/.dogtag/pki-tomcat/ca_admin_cert.p12
+#pki_import_admin_pkcs12_password=Secret.123
+#pki_import_admin_pkcs12_nickname=caadmin
+
+pki_admin_email=kraadmin@example.com
+pki_admin_name=kraadmin
+pki_admin_nickname=kraadmin
+pki_admin_password=Secret.123
+pki_admin_uid=kraadmin
+
+#pki_backup_keys=True
+#pki_backup_password=Secret.123
+
+pki_client_database_password=Secret.123
+pki_client_pkcs12_password=Secret.123
+#pki_client_database_purge=False
+
+#pki_clone_pkcs12_password=Secret.123
+
+#pki_ds_ldaps_port=636
+#pki_ds_secure_connection=True
+#pki_ds_secure_connection_ca_nickname=Directory Server CA certificate
+#pki_ds_secure_connection_ca_pem_file=dsca.pem
+
+pki_ds_base_dn=dc=kra,dc=pki,dc=example,dc=com
+pki_ds_password=Secret.123
+#pki_ds_database=userRoot
+#pki_ds_database=pki
+pki_ds_database=kra
+#pki_ds_create_new_db=False
+#pki_ds_remove_data=False
+
+pki_security_domain_name=EXAMPLE
+pki_security_domain_user=caadmin
+pki_security_domain_password=Secret.123
+#pki_token_password=Secret.123
+#pki_share_db=False
+
+pki_storage_nickname=storage
+pki_transport_nickname=transport
+pki_audit_signing_nickname=kra_audit_signing
+pki_ssl_server_nickname=sslserver
+pki_subsystem_nickname=subsystem
+EOF
+
+pkispawn -vvv -f kra.cfg -s KRA
+
+#/bin/cp /var/lib/pki/pki-tomcat/alias/kra_backup_keys.p12 .
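Review bot: kra.cfg is written with the caller's default umask although it holds the admin, directory-server and security-domain passwords, and it stays in the working directory after pkispawn returns. Setting `umask 077` before the `cat > kra.cfg` line, and removing the file afterwards if it is not needed again, would keep it readable only by the invoking user. The here-document delimiter is unquoted, so a `$` or backtick in a later password value would be expanded by the shell; `cat > kra.cfg << 'EOF'` writes the text literally. The same applies to the generated config files in kra-step1.sh, kra-step2.sh, kra-tomcat7-create.sh and kra-tomcat8-create.sh.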
diff --git a/scripts/kra-export.sh b/scripts/kra-export.sh
new file mode 100755
index 0000000..9a0cf68
--- /dev/null
+++ b/scripts/kra-export.sh
@@ -0,0 +1,5 @@
+#!/bin/sh -x
+
+grep "internal=" /var/lib/pki/pki-tomcat/conf/password.conf | awk -F= '{print $2}' > internal.txt
+
+PKCS12Export -debug -d /var/lib/pki/pki-tomcat/alias -p internal.txt -w password.txt -o kra_backup_keys.p12
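Review bot: The `grep "internal=" … | awk -F= '{print $2}'` pipeline truncates the NSS database password at the first `=` it contains, and the unanchored pattern also matches any other key that merely ends in `internal=`. `sed -n 's/^internal=//p' /var/lib/pki/pki-tomcat/conf/password.conf > internal.txt` extracts the whole value from that one key. internal.txt is created with the default umask and never removed, so the token password is left in the working directory; add `umask 077` at the top and `rm -f internal.txt` after PKCS12Export. password.txt is read but not created here, so it presumably has to exist beforehand; a comment saying so would help.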
diff --git a/scripts/kra-lunasa-create.sh b/scripts/kra-lunasa-create.sh
new file mode 100755
index 0000000..3952035
--- /dev/null
+++ b/scripts/kra-lunasa-create.sh
@@ -0,0 +1,3 @@
+#!/bin/sh -x
+
+pkispawn -vvv -f kra-lunasa.cfg -s KRA
diff --git a/scripts/kra-merged-create.sh b/scripts/kra-merged-create.sh
index efad072..3fe0139 100755
--- a/scripts/kra-merged-create.sh
+++ b/scripts/kra-merged-create.sh
@@ -1,3 +1,3 @@
#!/bin/sh -x
-pkispawn -vvv -f kra-merged.cfg -s KRA -v 2>&1 | tee build/kra-merged-create.log
+pkispawn -vvv -f kra-merged.cfg -s KRA -v
diff --git a/scripts/kra-nfast-create.sh b/scripts/kra-nfast-create.sh
new file mode 100755
index 0000000..42e9699
--- /dev/null
+++ b/scripts/kra-nfast-create.sh
@@ -0,0 +1,3 @@
+#!/bin/sh -x
+
+pkispawn -vvv -f kra-nfast.cfg -s KRA
diff --git a/scripts/kra-remote-create.sh b/scripts/kra-remote-create.sh
new file mode 100755
index 0000000..a56cb29
--- /dev/null
+++ b/scripts/kra-remote-create.sh
@@ -0,0 +1,6 @@
+#!/bin/sh -x
+
+cp external.crt /tmp
+cp cert_chain.p7b /tmp
+
+pkispawn -vvv -f kra-remote.cfg -s KRA
diff --git a/scripts/kra-remote-nfast-create-step1.sh b/scripts/kra-remote-nfast-create-step1.sh
new file mode 100755
index 0000000..3fa7ce0
--- /dev/null
+++ b/scripts/kra-remote-nfast-create-step1.sh
@@ -0,0 +1,3 @@
+#!/bin/sh -x
+
+pkispawn -vvv -f kra-remote-nfast-step1.cfg -s KRA
diff --git a/scripts/kra-remote-nfast-create-step2.sh b/scripts/kra-remote-nfast-create-step2.sh
new file mode 100755
index 0000000..dcc35a5
--- /dev/null
+++ b/scripts/kra-remote-nfast-create-step2.sh
@@ -0,0 +1,3 @@
+#!/bin/sh -x
+
+pkispawn -vvv -f kra-remote-nfast-step2.cfg -s KRA
diff --git a/scripts/kra-remote-remove.sh b/scripts/kra-remote-remove.sh
new file mode 100755
index 0000000..c88b3e5
--- /dev/null
+++ b/scripts/kra-remote-remove.sh
@@ -0,0 +1,4 @@
+#!/bin/sh -x
+
+pkidestroy -v -s KRA -i pki-kra
+#pkidestroy -v -s KRA -i pki-kra -u caadmin -W password
diff --git a/scripts/kra-remove.sh b/scripts/kra-remove.sh
index 2555def..789e141 100755
--- a/scripts/kra-remove.sh
+++ b/scripts/kra-remove.sh
@@ -2,7 +2,6 @@
SRC_DIR=`cd ../.. ; pwd`
INSTANCE_NAME=pki-tomcat
-#INSTANCE_NAME=kra-master
pkidestroy -v -s KRA -i $INSTANCE_NAME
#pkidestroy -v -s KRA -i $INSTANCE_NAME -u caadmin -W password
diff --git a/scripts/kra-separate-create.sh b/scripts/kra-separate-create.sh
new file mode 100755
index 0000000..30cf6a0
--- /dev/null
+++ b/scripts/kra-separate-create.sh
@@ -0,0 +1,3 @@
+#!/bin/sh -x
+
+pkispawn -v -f kra-separate.cfg -s KRA
diff --git a/scripts/kra-standalone-sign.sh b/scripts/kra-standalone-sign.sh
new file mode 100755
index 0000000..0c6a569
--- /dev/null
+++ b/scripts/kra-standalone-sign.sh
@@ -0,0 +1,75 @@
+#!/bin/sh
+
+rm -f external_ca.cert
+rm -f kra_admin.cert
+rm -f kra_transport.cert
+rm -f kra_storage.cert
+rm -f kra_sslserver.cert
+rm -f kra_subsystem.cert
+rm -f kra_audit_signing.cert
+
+#### CA Cert ####
+
+pki cert-show --output external_ca.cert 0x1
+#pki cert-show --output external_ca_chain.cert 0x1
+
+#### Admin Cert ####
+
+REQUEST_ID=`pki ca-cert-request-submit --profile caUserCert --csr-file kra_admin.csr --subject uid=kraadmin | grep "Request ID:" | awk -F ': ' '{print $2;}'`
+echo Request ID: $REQUEST_ID
+
+CERT_ID=`pki -d ~/.dogtag/pki-tomcat/ca/alias -c Secret.123 -n caadmin ca-cert-request-review --action approve $REQUEST_ID | grep "Certificate ID:" | awk -F ': ' '{print $2;}'`
+echo Certificate ID: $CERT_ID
+
+pki cert-show --output kra_admin.cert $CERT_ID
+
+#### Transport Cert ####
+
+REQUEST_ID=`pki ca-cert-request-submit --profile caTransportCert --csr-file kra_transport.csr | grep "Request ID:" | awk -F ': ' '{print $2;}'`
+echo Request ID: $REQUEST_ID
+
+CERT_ID=`pki -d ~/.dogtag/pki-tomcat/ca/alias -c Secret.123 -n caadmin ca-cert-request-review --action approve $REQUEST_ID | grep "Certificate ID:" | awk -F ': ' '{print $2;}'`
+echo Certificate ID: $CERT_ID
+
+pki cert-show --output kra_transport.cert $CERT_ID
+
+#### Storage Cert ####
+
+REQUEST_ID=`pki ca-cert-request-submit --profile caStorageCert --csr-file kra_storage.csr | grep "Request ID:" | awk -F ': ' '{print $2;}'`
+echo Request ID: $REQUEST_ID
+
+CERT_ID=`pki -d ~/.dogtag/pki-tomcat/ca/alias -c Secret.123 -n caadmin ca-cert-request-review --action approve $REQUEST_ID | grep "Certificate ID:" | awk -F ': ' '{print $2;}'`
+echo Certificate ID: $CERT_ID
+
+pki cert-show --output kra_storage.cert $CERT_ID
+
+#### Server Cert ####
+
+REQUEST_ID=`pki ca-cert-request-submit --profile caServerCert --csr-file kra_sslserver.csr | grep "Request ID:" | awk -F ': ' '{print $2;}'`
+echo Request ID: $REQUEST_ID
+
+CERT_ID=`pki -d ~/.dogtag/pki-tomcat/ca/alias -c Secret.123 -n caadmin ca-cert-request-review --action approve $REQUEST_ID | grep "Certificate ID:" | awk -F ': ' '{print $2;}'`
+echo Certificate ID: $CERT_ID
+
+pki cert-show --output kra_sslserver.cert $CERT_ID
+
+#### Subsystem Cert ####
+
+REQUEST_ID=`pki ca-cert-request-submit --profile caSubsystemCert --csr-file kra_subsystem.csr | grep "Request ID:" | awk -F ': ' '{print $2;}'`
+echo Request ID: $REQUEST_ID
+
+CERT_ID=`pki -d ~/.dogtag/pki-tomcat/ca/alias -c Secret.123 -n caadmin ca-cert-request-review --action approve $REQUEST_ID | grep "Certificate ID:" | awk -F ': ' '{print $2;}'`
+echo Certificate ID: $CERT_ID
+
+pki cert-show --output kra_subsystem.cert $CERT_ID
+
+#### Audit Signing Cert ####
+
+REQUEST_ID=`pki ca-cert-request-submit --profile caSignedLogCert --csr-file kra_audit_signing.csr | grep "Request ID:" | awk -F ': ' '{print $2;}'`
+echo Request ID: $REQUEST_ID
+
+CERT_ID=`pki -d ~/.dogtag/pki-tomcat/ca/alias -c Secret.123 -n caadmin ca-cert-request-review --action approve $REQUEST_ID | grep "Certificate ID:" | awk -F ': ' '{print $2;}'`
+echo Certificate ID: $CERT_ID
+
+pki cert-show --output kra_audit_signing.cert $CERT_ID
+
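Review bot: `REQUEST_ID` and `CERT_ID` are used without checking that the grep/awk pipeline returned anything, so a failed submit or approval still reaches `ca-cert-request-review` and `pki cert-show --output …` with an empty argument; this repeats in all six sections. The NSS database password is also passed as `-c Secret.123`, which exposes it in the process list; the pki CLI accepts a password file through `-C`. Since the six sections differ only in profile, file name and the extra `--subject` for the admin cert, a single helper that fails on an empty ID would replace them. In the sketch below `PASSWORD_FILE` is a placeholder for a mode 0600 file holding the client database password.

```shell
# … unchanged: rm -f of old *.cert files, CA cert export …

# Submit $2.csr under profile $1, approve it as caadmin, save the cert as $2.cert.
# Any further arguments are passed to ca-cert-request-submit.
issue_cert() {
  profile=$1
  name=$2
  shift 2

  REQUEST_ID=$(pki ca-cert-request-submit --profile "$profile" --csr-file "$name.csr" "$@" \
    | awk -F ': ' '/Request ID:/ {print $2}')
  if [ -z "$REQUEST_ID" ]; then
    echo "no request ID returned for $name.csr" >&2
    exit 1
  fi
  echo "Request ID: $REQUEST_ID"

  CERT_ID=$(pki -d ~/.dogtag/pki-tomcat/ca/alias -C "$PASSWORD_FILE" -n caadmin \
    ca-cert-request-review --action approve "$REQUEST_ID" \
    | awk -F ': ' '/Certificate ID:/ {print $2}')
  if [ -z "$CERT_ID" ]; then
    echo "request $REQUEST_ID for $name.csr was not approved" >&2
    exit 1
  fi
  echo "Certificate ID: $CERT_ID"

  pki cert-show --output "$name.cert" "$CERT_ID"
}

issue_cert caUserCert      kra_admin --subject uid=kraadmin
issue_cert caTransportCert kra_transport
issue_cert caStorageCert   kra_storage
issue_cert caServerCert    kra_sslserver
issue_cert caSubsystemCert kra_subsystem
issue_cert caSignedLogCert kra_audit_signing
```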
diff --git a/scripts/kra-standalone-step1.sh b/scripts/kra-standalone-step1.sh
new file mode 100755
index 0000000..073f9d4
--- /dev/null
+++ b/scripts/kra-standalone-step1.sh
@@ -0,0 +1,10 @@
+#!/bin/sh -x
+
+pkispawn -v -f kra-standalone-step1.cfg -s KRA
+
+cp /etc/pki/pki-tomcat/kra_admin.csr .
+cp /etc/pki/pki-tomcat/kra_transport.csr .
+cp /etc/pki/pki-tomcat/kra_storage.csr .
+cp /etc/pki/pki-tomcat/kra_sslserver.csr .
+cp /etc/pki/pki-tomcat/kra_subsystem.csr .
+cp /etc/pki/pki-tomcat/kra_audit_signing.csr .
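Review bot: The six `cp` lines run even when pkispawn fails, so CSRs left over from an earlier run in /etc/pki/pki-tomcat can be copied out and then signed by kra-standalone-sign.sh. Ending the spawn line with `|| exit 1`, as in `pkispawn -v -f kra-standalone-step1.cfg -s KRA || exit 1`, stops the script before stale requests are picked up. kra-standalone-step2.sh has the mirror-image problem: none of its `cp` lines is checked before pkispawn runs.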
diff --git a/scripts/kra-standalone-step2.sh b/scripts/kra-standalone-step2.sh
new file mode 100755
index 0000000..e58bbfe
--- /dev/null
+++ b/scripts/kra-standalone-step2.sh
@@ -0,0 +1,15 @@
+#!/bin/sh -x
+
+cp external_ca.cert /etc/pki/pki-tomcat
+
+# TODO: should not be required
+cp external_ca_chain.cert /etc/pki/pki-tomcat
+
+cp kra_admin.cert /etc/pki/pki-tomcat
+cp kra_transport.cert /etc/pki/pki-tomcat
+cp kra_storage.cert /etc/pki/pki-tomcat
+cp kra_sslserver.cert /etc/pki/pki-tomcat
+cp kra_subsystem.cert /etc/pki/pki-tomcat
+cp kra_audit_signing.cert /etc/pki/pki-tomcat
+
+pkispawn -v -f kra-standalone-step2.cfg -s KRA
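Review bot: `cp external_ca_chain.cert /etc/pki/pki-tomcat` depends on a file nothing in this commit produces, because the `pki cert-show --output external_ca_chain.cert 0x1` line in kra-standalone-sign.sh is commented out. As the copy is unchecked, pkispawn then runs either without the chain or with an older copy already in /etc/pki/pki-tomcat. Until the TODO is resolved, either generate the file in the sign script or guard the copy, for example `[ -f external_ca_chain.cert ] || { echo "external_ca_chain.cert missing" >&2; exit 1; }`.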
diff --git a/scripts/kra-step1.sh b/scripts/kra-step1.sh
new file mode 100755
index 0000000..486c9e0
--- /dev/null
+++ b/scripts/kra-step1.sh
@@ -0,0 +1,54 @@
+#!/bin/sh -x
+
+cat > kra.cfg << EOF
+[KRA]
+pki_admin_cert_file=/root/.dogtag/pki-tomcat/ca_admin.cert
+#pki_import_admin_cert=False
+#pki_import_admin_pkcs12_file=/root/.dogtag/pki-tomcat/ca_admin_cert.p12
+#pki_import_admin_pkcs12_password=Secret.123
+#pki_import_admin_pkcs12_nickname=caadmin
+
+pki_admin_email=kraadmin@example.com
+pki_admin_name=kraadmin
+pki_admin_nickname=kraadmin
+pki_admin_password=Secret.123
+pki_admin_uid=kraadmin
+
+#pki_backup_keys=True
+#pki_backup_password=Secret.123
+
+pki_client_database_password=Secret.123
+pki_client_pkcs12_password=Secret.123
+#pki_client_database_purge=False
+
+#pki_clone_pkcs12_password=Secret.123
+
+#pki_ds_ldaps_port=636
+#pki_ds_secure_connection=True
+#pki_ds_secure_connection_ca_nickname=Directory Server CA certificate
+#pki_ds_secure_connection_ca_pem_file=dsca.pem
+
+pki_ds_base_dn=dc=kra,dc=pki,dc=example,dc=com
+pki_ds_password=Secret.123
+#pki_ds_database=userRoot
+#pki_ds_database=pki
+pki_ds_database=kra
+#pki_ds_create_new_db=False
+#pki_ds_remove_data=False
+
+pki_security_domain_name=EXAMPLE
+pki_security_domain_user=caadmin
+pki_security_domain_password=Secret.123
+#pki_token_password=Secret.123
+#pki_share_db=False
+
+pki_storage_nickname=storage
+pki_transport_nickname=transport
+pki_audit_signing_nickname=kra_audit_signing
+pki_ssl_server_nickname=sslserver
+pki_subsystem_nickname=subsystem
+EOF
+
+pkispawn -vvv -f kra.cfg -s KRA --skip-configuration
+
+#/bin/cp /var/lib/pki/pki-tomcat/alias/kra_backup_keys.p12 .
diff --git a/scripts/kra-step2.sh b/scripts/kra-step2.sh
new file mode 100755
index 0000000..60c00e0
--- /dev/null
+++ b/scripts/kra-step2.sh
@@ -0,0 +1,54 @@
+#!/bin/sh -x
+
+cat > kra.cfg << EOF
+[KRA]
+pki_admin_cert_file=/root/.dogtag/pki-tomcat/ca_admin.cert
+#pki_import_admin_cert=False
+#pki_import_admin_pkcs12_file=/root/.dogtag/pki-tomcat/ca_admin_cert.p12
+#pki_import_admin_pkcs12_password=Secret.123
+#pki_import_admin_pkcs12_nickname=caadmin
+
+pki_admin_email=kraadmin@example.com
+pki_admin_name=kraadmin
+pki_admin_nickname=kraadmin
+pki_admin_password=Secret.123
+pki_admin_uid=kraadmin
+
+#pki_backup_keys=True
+#pki_backup_password=Secret.123
+
+pki_client_database_password=Secret.123
+pki_client_pkcs12_password=Secret.123
+#pki_client_database_purge=False
+
+#pki_clone_pkcs12_password=Secret.123
+
+#pki_ds_ldaps_port=636
+#pki_ds_secure_connection=True
+#pki_ds_secure_connection_ca_nickname=Directory Server CA certificate
+#pki_ds_secure_connection_ca_pem_file=dsca.pem
+
+pki_ds_base_dn=dc=kra,dc=pki,dc=example,dc=com
+pki_ds_password=Secret.123
+#pki_ds_database=userRoot
+#pki_ds_database=pki
+pki_ds_database=kra
+#pki_ds_create_new_db=False
+#pki_ds_remove_data=False
+
+pki_security_domain_name=EXAMPLE
+pki_security_domain_user=caadmin
+pki_security_domain_password=Secret.123
+#pki_token_password=Secret.123
+#pki_share_db=False
+
+pki_storage_nickname=storage
+pki_transport_nickname=transport
+pki_audit_signing_nickname=kra_audit_signing
+pki_ssl_server_nickname=sslserver
+pki_subsystem_nickname=subsystem
+EOF
+
+pkispawn -vvv -f kra.cfg -s KRA --skip-installation
+
+#/bin/cp /var/lib/pki/pki-tomcat/alias/kra_backup_keys.p12 .
diff --git a/scripts/kra-tomcat7-create.sh b/scripts/kra-tomcat7-create.sh
new file mode 100755
index 0000000..f5a38e6
--- /dev/null
+++ b/scripts/kra-tomcat7-create.sh
@@ -0,0 +1,57 @@
+#!/bin/sh -x
+
+cat > kra-tomcat7.cfg << EOF
+[Tomcat]
+tomcat_home=/usr/share/tomcat70
+
+[KRA]
+pki_admin_cert_file=/root/.dogtag/pki-tomcat/ca_admin.cert
+#pki_import_admin_cert=False
+#pki_import_admin_pkcs12_file=/root/.dogtag/pki-tomcat/ca_admin_cert.p12
+#pki_import_admin_pkcs12_password=Secret.123
+#pki_import_admin_pkcs12_nickname=caadmin
+
+pki_admin_email=kraadmin@example.com
+pki_admin_name=kraadmin
+pki_admin_nickname=kraadmin
+pki_admin_password=Secret.123
+pki_admin_uid=kraadmin
+
+#pki_backup_keys=True
+#pki_backup_password=Secret.123
+
+pki_client_database_password=Secret.123
+pki_client_pkcs12_password=Secret.123
+#pki_client_database_purge=False
+
+#pki_clone_pkcs12_password=Secret.123
+
+#pki_ds_ldaps_port=636
+#pki_ds_secure_connection=True
+#pki_ds_secure_connection_ca_nickname=Directory Server CA certificate
+#pki_ds_secure_connection_ca_pem_file=dsca.pem
+
+pki_ds_base_dn=dc=kra,dc=pki,dc=example,dc=com
+pki_ds_password=Secret.123
+#pki_ds_database=userRoot
+#pki_ds_database=pki
+pki_ds_database=kra
+#pki_ds_create_new_db=False
+#pki_ds_remove_data=False
+
+pki_security_domain_name=EXAMPLE
+pki_security_domain_user=caadmin
+pki_security_domain_password=Secret.123
+#pki_token_password=Secret.123
+#pki_share_db=False
+
+pki_storage_nickname=storage
+pki_transport_nickname=transport
+pki_audit_signing_nickname=kra_audit_signing
+pki_ssl_server_nickname=sslserver
+pki_subsystem_nickname=subsystem
+EOF
+
+pkispawn -vvv -f kra-tomcat7.cfg -s KRA
+
+#/bin/cp /var/lib/pki/pki-tomcat/alias/kra_backup_keys.p12 .
diff --git a/scripts/kra-tomcat8-create.sh b/scripts/kra-tomcat8-create.sh
new file mode 100755
index 0000000..f9ef538
--- /dev/null
+++ b/scripts/kra-tomcat8-create.sh
@@ -0,0 +1,57 @@
+#!/bin/sh -x
+
+cat > kra-tomcat8.cfg << EOF
+[Tomcat]
+tomcat_home=/usr/share/tomcat80
+
+[KRA]
+pki_admin_cert_file=/root/.dogtag/pki-tomcat/ca_admin.cert
+#pki_import_admin_cert=False
+#pki_import_admin_pkcs12_file=/root/.dogtag/pki-tomcat/ca_admin_cert.p12
+#pki_import_admin_pkcs12_password=Secret.123
+#pki_import_admin_pkcs12_nickname=caadmin
+
+pki_admin_email=kraadmin@example.com
+pki_admin_name=kraadmin
+pki_admin_nickname=kraadmin
+pki_admin_password=Secret.123
+pki_admin_uid=kraadmin
+
+#pki_backup_keys=True
+#pki_backup_password=Secret.123
+
+pki_client_database_password=Secret.123
+pki_client_pkcs12_password=Secret.123
+#pki_client_database_purge=False
+
+#pki_clone_pkcs12_password=Secret.123
+
+#pki_ds_ldaps_port=636
+#pki_ds_secure_connection=True
+#pki_ds_secure_connection_ca_nickname=Directory Server CA certificate
+#pki_ds_secure_connection_ca_pem_file=dsca.pem
+
+pki_ds_base_dn=dc=kra,dc=pki,dc=example,dc=com
+pki_ds_password=Secret.123
+#pki_ds_database=userRoot
+#pki_ds_database=pki
+pki_ds_database=kra
+#pki_ds_create_new_db=False
+#pki_ds_remove_data=False
+
+pki_security_domain_name=EXAMPLE
+pki_security_domain_user=caadmin
+pki_security_domain_password=Secret.123
+#pki_token_password=Secret.123
+#pki_share_db=False
+
+pki_storage_nickname=storage
+pki_transport_nickname=transport
+pki_audit_signing_nickname=kra_audit_signing
+pki_ssl_server_nickname=sslserver
+pki_subsystem_nickname=subsystem
+EOF
+
+pkispawn -vvv -f kra-tomcat8.cfg -s KRA
+
+#/bin/cp /var/lib/pki/pki-tomcat/alias/kra_backup_keys.p12 .
diff --git a/scripts/kra-tps-remove.sh b/scripts/kra-tps-remove.sh
new file mode 100755
index 0000000..9089ab9
--- /dev/null
+++ b/scripts/kra-tps-remove.sh
@@ -0,0 +1,13 @@
+#!/bin/sh
+
+TPSHOST=`cat tps.host`
+
+ldapmodify -x -D "cn=Directory Manager" -w Secret123 -c << EOF
+dn: cn=Data Recovery Manager Agents,ou=groups,dc=kra,dc=pki,dc=example,dc=com
+changetype: modify
+delete: uniqueMember
+uniqueMember: uid=TPS-$TPSHOST-8443,ou=people,dc=kra,dc=pki,dc=example,dc=com
+
+dn: uid=TPS-$TPSHOST-8443,ou=people,dc=kra,dc=pki,dc=example,dc=com
+changetype: delete
+EOF
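Review bot: `TPSHOST` is read from tps.host and interpolated into the LDIF with no check, so a missing or empty file yields `uid=TPS--8443` and a multi-line file breaks the LDIF; with `-c` ldapmodify continues past the resulting errors. A guard such as `[ -n "$TPSHOST" ] || { echo "tps.host is missing or empty" >&2; exit 1; }` before the ldapmodify call would catch that. The bind password is passed as `-w Secret123`, which is visible in the process list and differs from the `Secret.123` used in the other scripts, possibly a typo; reading it from a protected file with `-y` avoids the exposure. Without `-H`, the `-x` simple bind goes to whatever default URI the client is configured with, so it is worth stating the intended server, and whether the connection is protected, explicitly.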