authorEndi S. Dewata <edewata@redhat.com>2017-07-20 16:34:57 +0200
committerEndi S. Dewata <edewata@redhat.com>2017-07-20 16:34:57 +0200
commit45bb4e6fe8c5502e2c10cc5a428ed512ed3a7962 (patch)
treeef7ebbf6285939b808d5db621cdd1a83772fd7f8 /scripts/ds-setupssl.sh
parenta1461c15fa26a862d9799669024dec025585bebe (diff)
Added various scripts.
Diffstat (limited to 'scripts/ds-setupssl.sh')
-rwxr-xr-xscripts/ds-setupssl.sh350
1 files changed, 350 insertions, 0 deletions
diff --git a/scripts/ds-setupssl.sh b/scripts/ds-setupssl.sh
new file mode 100755
index 0000000..ef16856
--- /dev/null
+++ b/scripts/ds-setupssl.sh
@@ -0,0 +1,350 @@
+#!/bin/sh
+
+if [ "$1" -a -d "$1" ] ; then
+ secdir="$1"
+ echo "Using $1 as sec directory"
+ assecdir=$secdir/../admin-serv
+else
+ secdir=/etc/dirsrv/slapd-localhost
+ assecdir=/etc/dirsrv/admin-serv
+fi
+
+if [ "$2" ] ; then
+ ldapport=$2
+else
+ ldapport=389
+fi
+
+if [ "$3" ] ; then
+ ldapsport=$3
+else
+ ldapsport=636
+fi
+
+me=`whoami`
+if [ "$me" = "root" ] ; then
+ isroot=1
+fi
+
+# see if there are already certs and keys
+if [ -f $secdir/cert8.db ] ; then
+ # look for CA cert
+ if certutil -L -d $secdir -n "CA certificate" 2> /dev/null ; then
+ echo "Using existing CA certificate"
+ else
+ echo "No CA certificate found - will create new one"
+ needCA=1
+ fi
+
+ # look for server cert
+ if certutil -L -d $secdir -n "Server-Cert" 2> /dev/null ; then
+ echo "Using existing directory Server-Cert"
+ else
+ echo "No Server Cert found - will create new one"
+ needServerCert=1
+ fi
+
+ # look for admin server cert
+ if certutil -L -d $assecdir -n "server-cert" 2> /dev/null ; then
+ echo "Using existing admin server-cert"
+ else
+ echo "No Admin Server Cert found - will create new one"
+ needASCert=1
+ fi
+ prefix="new-"
+ prefixarg="-P $prefix"
+else
+ needCA=1
+ needServerCert=1
+ needASCert=1
+fi
+
+if [ -n "$NO_ADMIN" ] ; then
+ needASCert=
+fi
+
+# get our user and group
+if test -n "$isroot" ; then
+ uid=`/bin/ls -ald $secdir | awk '{print $3}'`
+ gid=`/bin/ls -ald $secdir | awk '{print $4}'`
+fi
+
+# 2. Create a password file for your security token password:
+if [ -n "$needCA" -o -n "$needServerCert" -o -n "$needASCert" ] ; then
+ if [ -f $secdir/pwdfile.txt ] ; then
+ echo "Using existing $secdir/pwdfile.txt"
+ else
+ echo "Creating password file for security token"
+ (ps -ef ; w ) | sha1sum | awk '{print $1}' > $secdir/pwdfile.txt
+ if test -n "$isroot" ; then
+ chown $uid:$gid $secdir/pwdfile.txt
+ fi
+ chmod 400 $secdir/pwdfile.txt
+ fi
+
+# 3. Create a "noise" file for your encryption mechanism:
+ if [ -f $secdir/noise.txt ] ; then
+ echo "Using existing $secdir/noise.txt file"
+ else
+ echo "Creating noise file"
+ (w ; ps -ef ; date ) | sha1sum | awk '{print $1}' > $secdir/noise.txt
+ if test -n "$isroot" ; then
+ chown $uid:$gid $secdir/noise.txt
+ fi
+ chmod 400 $secdir/noise.txt
+ fi
+
+# 4. Create the key3.db and cert8.db databases:
+ if [ -z "$prefix" ] ; then
+ echo "Creating initial key and cert db"
+ else
+ echo "Creating new key and cert db"
+ fi
+ certutil -N $prefixarg -d $secdir -f $secdir/pwdfile.txt
+ if test -n "$isroot" ; then
+ chown $uid:$gid $secdir/${prefix}key3.db $secdir/${prefix}cert8.db
+ fi
+ chmod 600 $secdir/${prefix}key3.db $secdir/${prefix}cert8.db
+fi
+
+getserialno() {
+ SERIALNOFILE=${SERIALNOFILE:-$secdir/serialno.txt}
+ if [ ! -f $SERIALNOFILE ] ; then
+ echo ${BEGINSERIALNO:-1000} > $SERIALNOFILE
+ fi
+ serialno=`cat $SERIALNOFILE`
+ expr $serialno + 1 > $SERIALNOFILE
+ echo $serialno
+}
+
+if test -n "$needCA" ; then
+# 5. Generate the encryption key:
+ echo "Creating encryption key for CA"
+ certutil -G $prefixarg -d $secdir -z $secdir/noise.txt -f $secdir/pwdfile.txt
+# 6. Generate the self-signed certificate:
+ echo "Creating self-signed CA certificate"
+# note - the basic constraints flag (-2) is required to generate a real CA cert
+# it asks 3 questions that cannot be supplied on the command line
+ serialno=`getserialno`
+ ( echo y ; echo ; echo y ) | certutil -S $prefixarg -n "CA certificate" -s "cn=CAcert" -x -t "CT,," -m $serialno -v 120 -d $secdir -z $secdir/noise.txt -f $secdir/pwdfile.txt -2
+# export the CA cert for use with other apps
+ echo Exporting the CA certificate to cacert.asc
+ certutil -L $prefixarg -d $secdir -n "CA certificate" -a > $secdir/cacert.asc
+fi
+
+if test -n "$MYHOST" ; then
+ myhost="$MYHOST"
+else
+ myhost=`hostname --fqdn`
+fi
+
+genservercert() {
+ hostname=${1:-`hostname --fqdn`}
+ certname=${2:-"Server-Cert"}
+ serialno=${3:-`getserialno`}
+ ou=${OU:-"389 Directory Server"}
+ certutil -S $prefixarg -n "$certname" -s "cn=$hostname,ou=$ou" -c "CA certificate" -t "u,u,u" -m $serialno -v 120 -d $secdir -z $secdir/noise.txt -f $secdir/pwdfile.txt
+}
+
+remotehost() {
+ # the subdir called $host will contain all of the security files to copy to the remote system
+ mkdir -p $secdir/$1
+ # this is stupid - what we want is that each key/cert db for the remote host has a
+ # cert with nickname "Server-Cert" - however, badness:
+ # 1) pk12util cannot change nick either during import or export
+ # 2) certutil does not have a way to change or rename the nickname
+ # 3) certutil cannot create two certs with the same nick
+ # so we have to copy all of the secdir files to the new server specific secdir
+ # and create everything with copies
+ cp -p $secdir/noise.txt $secdir/pwdfile.txt $secdir/cert8.db $secdir/key3.db $secdir/secmod.db $secdir/$1
+ SERIALNOFILE=$secdir/serialno.txt secdir=$secdir/$1 genservercert $1
+}
+
+if [ -n "$REMOTE" ] ; then
+ for host in $myhost ; do
+ remotehost $host
+ done
+elif test -n "$needServerCert" ; then
+# 7. Generate the server certificate:
+ for host in $myhost ; do
+ echo Generating server certificate for 389 Directory Server on host $host
+ echo Using fully qualified hostname $host for the server name in the server cert subject DN
+ echo Note: If you do not want to use this hostname, export MYHOST="host1 host2 ..." $0 ...
+ genservercert $host
+ done
+fi
+
+if test -n "$needASCert" ; then
+# Generate the admin server certificate
+ for host in $myhost ; do
+ echo Creating the admin server certificate
+ OU="389 Administration Server" genservercert $host server-cert
+ # export the admin server certificate/private key for import into its key/cert db
+ echo Exporting the admin server certificate pk12 file
+ pk12util -d $secdir $prefixarg -o $secdir/adminserver.p12 -n server-cert -w $secdir/pwdfile.txt -k $secdir/pwdfile.txt
+ if test -n "$isroot" ; then
+ chown $uid:$gid $secdir/adminserver.p12
+ fi
+ chmod 400 $secdir/adminserver.p12
+ done
+fi
+
+# create the pin file
+if [ ! -f $secdir/pin.txt ] ; then
+ echo Creating pin file for directory server
+ pinfile=$secdir/pin.txt
+ echo 'Internal (Software) Token:'`cat $secdir/pwdfile.txt` > $pinfile
+ if test -n "$isroot" ; then
+ chown $uid:$gid $pinfile
+ fi
+ chmod 400 $pinfile
+else
+ echo Using existing $secdir/pin.txt
+fi
+
+if [ -n "$REMOTE" ] ; then
+ for host in $myhost ; do
+ cp -p $secdir/pin.txt $secdir/$host
+ done
+fi
+
+if [ -n "$needCA" -o -n "$needServerCert" -o -n "$needASCert" ] ; then
+ if [ -n "$prefix" ] ; then
+ # move the old files out of the way
+ mv $secdir/cert8.db $secdir/orig-cert8.db
+ mv $secdir/key3.db $secdir/orig-key3.db
+ # move in the new files - will be used after server restart
+ mv $secdir/${prefix}cert8.db $secdir/cert8.db
+ mv $secdir/${prefix}key3.db $secdir/key3.db
+ fi
+fi
+
+# create the admin server key/cert db
+if [ ! -f $assecdir/cert8.db ] ; then
+ echo Creating key and cert db for admin server
+ certutil -N -d $assecdir -f $secdir/pwdfile.txt
+ if test -n "$isroot" ; then
+ chown $uid:$gid $assecdir/*.db
+ fi
+ chmod 600 $assecdir/*.db
+fi
+
+if test -n "$needASCert" ; then
+# import the admin server key/cert
+ echo "Importing the admin server key and cert (created above)"
+ pk12util -d $assecdir -n server-cert -i $secdir/adminserver.p12 -w $secdir/pwdfile.txt -k $secdir/pwdfile.txt
+
+# import the CA cert to the admin server cert db
+ echo Importing the CA certificate from cacert.asc
+ certutil -A -d $assecdir -n "CA certificate" -t "CT,," -a -i $secdir/cacert.asc
+ if [ ! -f $assecdir/password.conf ] ; then
+# create the admin server password file
+ echo Creating the admin server password file
+ echo 'internal:'`cat $secdir/pwdfile.txt` > $assecdir/password.conf
+ if test -n "$isroot" ; then
+ chown $uid:$gid $assecdir/password.conf
+ fi
+ chmod 400 $assecdir/password.conf
+ fi
+
+ if [ -f $assecdir/nss.conf ] ; then
+ cd $assecdir
+ echo Enabling the use of a password file in admin server
+ sed -e "s@^NSSPassPhraseDialog .*@NSSPassPhraseDialog file:`pwd`/password.conf@" nss.conf > /tmp/nss.conf && mv /tmp/nss.conf nss.conf
+ if test -n "$isroot" ; then
+ chown $uid:$gid nss.conf
+ fi
+ chmod 400 nss.conf
+ echo Turning on NSSEngine
+ sed -e "s@^NSSEngine off@NSSEngine on@" console.conf > /tmp/console.conf && mv /tmp/console.conf console.conf
+ if test -n "$isroot" ; then
+ chown $uid:$gid console.conf
+ fi
+ chmod 600 console.conf
+ echo Use ldaps for config ds connections
+ sed -e "s@^ldapurl: ldap://$myhost:$ldapport/o=NetscapeRoot@ldapurl: ldaps://$myhost:$ldapsport/o=NetscapeRoot@" adm.conf > /tmp/adm.conf && mv /tmp/adm.conf adm.conf
+ if test -n "$isroot" ; then
+ chown $uid:$gid adm.conf
+ fi
+ chmod 600 adm.conf
+ cd $secdir
+ fi
+fi
+
+# enable SSL in the directory server
+echo "Enabling SSL in the directory server"
+if [ -z "$DMPWD" ] ; then
+ echo "when prompted, provide the directory manager password"
+ echo -n "Password:"
+ stty -echo
+ read dmpwd
+ stty echo
+else
+ dmpwd="$DMPWD"
+fi
+
+ldapmodify -x -h localhost -p $ldapport -D "cn=directory manager" -w "$dmpwd" <<EOF
+dn: cn=encryption,cn=config
+changetype: modify
+replace: nsSSLClientAuth
+nsSSLClientAuth: allowed
+-
+add: nsSSL3Ciphers
+nsSSL3Ciphers: +all
+
+dn: cn=config
+changetype: modify
+add: nsslapd-security
+nsslapd-security: on
+-
+replace: nsslapd-ssl-check-hostname
+nsslapd-ssl-check-hostname: off
+-
+replace: nsslapd-secureport
+nsslapd-secureport: $ldapsport
+
+dn: cn=RSA,cn=encryption,cn=config
+changetype: add
+objectclass: top
+objectclass: nsEncryptionModule
+cn: RSA
+nsSSLPersonalitySSL: Server-Cert
+nsSSLToken: internal (software)
+nsSSLActivation: on
+
+EOF
+
+ldapsearch_attrval()
+{
+ attrname="$1"
+ shift
+ ldapsearch "$@" $attrname | sed -n '/^'$attrname':/,/^$/ { /^'$attrname':/ { s/^'$attrname': *// ; h ; $ !d}; /^ / { H; $ !d}; /^ /! { x; s/\n //g; p; q}; $ { x; s/\n //g; p; q} }'
+}
+
+if [ -n "$needASCert" ] ; then
+ echo "Enabling SSL in the admin server"
+# find the directory server config entry DN
+ dsdn=`ldapsearch_attrval dn -x -LLL -h localhost -p $ldapport -D "cn=directory manager" -w "$dmpwd" -b o=netscaperoot "(&(objectClass=nsDirectoryServer)(serverhostname=$myhost)(nsserverport=$ldapport))"`
+ ldapmodify -x -h localhost -p $ldapport -D "cn=directory manager" -w "$dmpwd" <<EOF
+dn: $dsdn
+changetype: modify
+replace: nsServerSecurity
+nsServerSecurity: on
+-
+replace: nsSecureServerPort
+nsSecureServerPort: $ldapsport
+
+EOF
+
+# find the admin server config entry DN
+ asdn=`ldapsearch_attrval dn -x -LLL -h localhost -p $ldapport -D "cn=directory manager" -w "$dmpwd" -b o=netscaperoot "(&(objectClass=nsAdminServer)(serverhostname=$myhost))"`
+ ldapmodify -x -h localhost -p $ldapport -D "cn=directory manager" -w "$dmpwd" <<EOF
+dn: cn=configuration,$asdn
+changetype: modify
+replace: nsServerSecurity
+nsServerSecurity: on
+
+EOF
+fi
+
+echo "Done. You must restart the directory server and the admin server for the changes to take effect."
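Review bot: The three config rewrites in the admin-server section (`sed ... nss.conf > /tmp/nss.conf && mv /tmp/nss.conf nss.conf`, and the same pattern for console.conf and adm.conf) write to fixed, predictable names in world-writable /tmp while the script anticipates running as root (the isroot checks); a pre-existing file or symlink at that path owned by another local user is followed by the redirect and its content is then moved into the admin server's configuration. Each should use a private temp file created next to the target, e.g. `tmp=$(mktemp "$assecdir/nss.conf.XXXXXX") && sed -e "..." nss.conf > "$tmp" && mv "$tmp" nss.conf`, repeated for the other two files. Separately, the directory manager password is passed as `-w "$dmpwd"` on five ldapmodify/ldapsearch command lines, where it is visible to every local user through the process table; if these are the OpenLDAP clients (the `-x` flag suggests so), `-y <pwdfile>` pointing at a mode-0400 file avoids that exposure. The pwdfile.txt and noise.txt contents are also derived from `ps -ef`/`w` output hashed through sha1sum, which is a low-entropy source for both the key-generation seed passed via `-z` and the token password; reading the bytes from /dev/urandom would be the conventional choice.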