author | Endi Sukma Dewata <edewata@redhat.com> | 2012-08-10 17:14:43 -0500 |
---|---|---|
committer | Endi Sukma Dewata <edewata@redhat.com> | 2012-08-14 10:29:40 -0500 |
commit | 4817c081e6bccaee14fcd36462c0a26fc1acbf42 (patch) | |
tree | 3c98a23ba1c7759cc67fba4066135404da632268 /scripts | |
parent | 76097c23f989794266197be3319ac84e1a06f46d (diff) | |
Added KRA scripts.
Diffstat (limited to 'scripts')
-rwxr-xr-x | scripts/ca-cert-export.sh | 16 | ||||
-rwxr-xr-x | scripts/ca-certs.sh | 4 | ||||
-rw-r--r-- | scripts/ca-clone.cfg | 28 | ||||
-rw-r--r-- | scripts/ca-master.cfg | 17 | ||||
-rwxr-xr-x | scripts/ca-rebuild.sh | 7 | ||||
-rwxr-xr-x | scripts/ca-remove.sh | 2 | ||||
-rwxr-xr-x | scripts/ca-run.sh | 3 | ||||
-rwxr-xr-x | scripts/ca-start.sh | 2 | ||||
-rwxr-xr-x | scripts/ca-stop.sh | 2 | ||||
-rwxr-xr-x | scripts/ca-test.sh | 27 | ||||
-rwxr-xr-x | scripts/drm-java-test.sh | 5 | ||||
-rwxr-xr-x | scripts/drm-python-test.sh | 27 | ||||
-rwxr-xr-x | scripts/firefox-certs-import.sh | 58 | ||||
-rwxr-xr-x | scripts/firefox-certs-remove.sh | 14 | ||||
-rwxr-xr-x | scripts/firefox-certs.sh (renamed from scripts/firefox-certs-list.sh) | 10 | ||||
-rwxr-xr-x | scripts/kra-certs.sh | 5 | ||||
-rwxr-xr-x | scripts/kra-create.sh | 28 | ||||
-rw-r--r-- | scripts/kra-master.cfg | 232 | ||||
-rwxr-xr-x | scripts/kra-remove.sh | 14 | ||||
-rwxr-xr-x | scripts/kra-restart.sh | 3 | ||||
-rwxr-xr-x | scripts/kra-run.sh | 3 | ||||
-rwxr-xr-x | scripts/kra-start.sh | 2 | ||||
-rwxr-xr-x | scripts/kra-stop.sh | 2 |
23 files changed, 384 insertions, 127 deletions
diff --git a/scripts/ca-cert-export.sh b/scripts/ca-cert-export.sh
deleted file mode 100755
index bdfa377..0000000
--- a/scripts/ca-cert-export.sh
+++ /dev/null
@@ -1,16 +0,0 @@
-#!/bin/sh -x
-
-. ./ca-include.sh
-
-SRC_DIR=`cd ../.. ; pwd`
-INSTANCE_NAME=pki-master
-
-FIREFOX_DIR=~/.mozilla/firefox
-PROFILE=`grep Path= $FIREFOX_DIR/profiles.ini | awk -F= '{print $2}'`
-
-CLIENT_CERT_DIR=$SRC_DIR/certs/$INSTANCE_NAME
-CLIENT_CERT_PASSWORD=$CLIENT_CERT_DIR/password.txt
-CLIENT_CERT_PK12=$CLIENT_CERT_DIR/admin.p12
-
-echo $PASSWORD > $CLIENT_CERT_PASSWORD
-PKCS12Export -d "$CLIENT_CERT_DIR" -o "$CLIENT_CERT_PK12" -p "$CLIENT_CERT_PASSWORD" -w "$CLIENT_CERT_PASSWORD"
diff --git a/scripts/ca-certs.sh b/scripts/ca-certs.sh
index a340966..7e5ce68 100755
--- a/scripts/ca-certs.sh
+++ b/scripts/ca-certs.sh
@@ -1,5 +1,5 @@
 #!/bin/sh -x
-CLIENT_DIR=/tmp/pki-master_client
+INSTANCE_DIR=/var/lib/pki/ca-master
-certutil -L -d $CLIENT_DIR/alias -w `cat $CLIENT_DIR/password.conf`
+certutil -L -d $INSTANCE_DIR/alias
diff --git a/scripts/ca-clone.cfg b/scripts/ca-clone.cfg
index 7d0c6eb..9bea41a 100644
--- a/scripts/ca-clone.cfg
+++ b/scripts/ca-clone.cfg
@@ -30,12 +30,12 @@ pki_token_password=Secret123
 pki_admin_cert_request_type=crmf
 pki_admin_domain_name=
 pki_admin_dualkey=False
-pki_admin_email=admin@example.com
+pki_admin_email=caadmin@example.com
 pki_admin_keysize=2048
-pki_admin_name=admin
-pki_admin_nickname=admin
+pki_admin_name=caadmin
+pki_admin_nickname=caadmin
 pki_admin_subject_dn=
-pki_admin_uid=admin
+pki_admin_uid=caadmin
 pki_audit_group=pkiaudit
 pki_audit_signing_key_algorithm=SHA256withRSA
 pki_audit_signing_key_size=2048
@@ -45,15 +45,15 @@ pki_audit_signing_signing_algorithm=SHA256withRSA
 pki_audit_signing_subject_dn=
 pki_audit_signing_token=
 pki_backup_keys=False
-pki_client_database_dir=../../certs/pki-clone
+pki_client_database_dir=../../certs/ca-clone
 pki_client_database_purge=False
 pki_client_dir=
-pki_ds_base_dn=dc=pki-clone,dc=example,dc=com
+pki_ds_base_dn=dc=ca-clone,dc=example,dc=com
 pki_ds_bind_dn=cn=Directory Manager
 pki_ds_database=
 pki_ds_hostname=
-pki_ds_ldap_port=390
-pki_ds_ldaps_port=637
+pki_ds_ldap_port=389
+pki_ds_ldaps_port=636
 pki_ds_remove_data=True
 pki_ds_secure_connection=False
 pki_group=pkiuser
@@ -61,7 +61,7 @@ pki_restart_configured_instance=True
 pki_security_domain_hostname=
 pki_security_domain_https_port=8443
 pki_security_domain_name=EXAMPLE
-pki_security_domain_user=admin
+pki_security_domain_user=caadmin
 pki_ssl_server_key_algorithm=SHA256withRSA
 pki_ssl_server_key_size=2048
 pki_ssl_server_key_type=rsa
@@ -103,20 +103,20 @@ pki_https_port=443
 ## are MUTUALLY EXCLUSIVE entities!!! ##
 ###############################################################################
 [Tomcat]
-pki_ajp_port=8010
+pki_ajp_port=9009
 pki_clone=False
 pki_clone_pkcs12_path=
 pki_clone_replication_security=None
 pki_clone_uri=
 pki_enable_java_debugger=False
 pki_enable_proxy=False
-pki_http_port=8013
-pki_https_port=8015
-pki_instance_name=pki-clone
+pki_http_port=9080
+pki_https_port=9443
+pki_instance_name=ca-clone
 pki_proxy_http_port=80
 pki_proxy_https_port=443
 pki_security_manager=false
-pki_tomcat_server_port=8019
+pki_tomcat_server_port=9005
 ###############################################################################
 ## 'CA' Data: ##
 ## ##
diff --git a/scripts/ca-master.cfg b/scripts/ca-master.cfg
index 477dd2a..b634c1d 100644
--- a/scripts/ca-master.cfg
+++ b/scripts/ca-master.cfg
@@ -30,12 +30,12 @@ pki_token_password=Secret123
 pki_admin_cert_request_type=crmf
 pki_admin_domain_name=
 pki_admin_dualkey=False
-pki_admin_email=admin@example.com
+pki_admin_email=caadmin@example.com
 pki_admin_keysize=2048
-pki_admin_name=admin
-pki_admin_nickname=admin
+pki_admin_name=caadmin
+pki_admin_nickname=caadmin
 pki_admin_subject_dn=
-pki_admin_uid=admin
+pki_admin_uid=caadmin
 pki_audit_group=pkiaudit
 pki_audit_signing_key_algorithm=SHA256withRSA
 pki_audit_signing_key_size=2048
@@ -45,10 +45,10 @@ pki_audit_signing_signing_algorithm=SHA256withRSA
 pki_audit_signing_subject_dn=
 pki_audit_signing_token=
 pki_backup_keys=False
-pki_client_database_dir=../../certs/pki-master
+pki_client_database_dir=../../certs/ca-master
 pki_client_database_purge=False
 pki_client_dir=
-pki_ds_base_dn=dc=pki-master,dc=example,dc=com
+pki_ds_base_dn=dc=ca-master,dc=example,dc=com
 pki_ds_bind_dn=cn=Directory Manager
 pki_ds_database=
 pki_ds_hostname=
@@ -57,11 +57,12 @@ pki_ds_ldaps_port=636
 pki_ds_remove_data=True
 pki_ds_secure_connection=False
 pki_group=pkiuser
+pki_issuing_ca=
 pki_restart_configured_instance=True
 pki_security_domain_hostname=
 pki_security_domain_https_port=8443
 pki_security_domain_name=EXAMPLE
-pki_security_domain_user=admin
+pki_security_domain_user=caadmin
 pki_ssl_server_key_algorithm=SHA256withRSA
 pki_ssl_server_key_size=2048
 pki_ssl_server_key_type=rsa
@@ -112,7 +113,7 @@ pki_enable_java_debugger=False
 pki_enable_proxy=False
 pki_http_port=8080
 pki_https_port=8443
-pki_instance_name=pki-master
+pki_instance_name=ca-master
 pki_proxy_http_port=80
 pki_proxy_https_port=443
 pki_security_manager=false
diff --git a/scripts/ca-rebuild.sh b/scripts/ca-rebuild.sh
index 82a781c..1824368 100755
--- a/scripts/ca-rebuild.sh
+++ b/scripts/ca-rebuild.sh
@@ -1,12 +1,7 @@
 #!/bin/sh -x
-./firefox-certs-remove.sh
 ./ca-remove.sh
-./core-uninstall.sh
-./core-remove-rpms.sh
-./core-build.sh
+./core-rebuild.sh
-./core-install.sh
 ./ca-create.sh
-./firefox-certs-import.sh
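Review bot: In ca-rebuild.sh the new `./core-rebuild.sh` and the following `./ca-create.sh` run unconditionally, so a failed rebuild still goes on to spawn the CA against stale or half-built code; `#!/bin/sh -x` traces each step but never stops on error. Chain the steps whose failure matters, e.g. `./core-rebuild.sh && ./ca-create.sh`, or put `set -e` right after the shebang. core-rebuild.sh is not in this commit's diffstat, so its presence under scripts/ cannot be confirmed from this page.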
diff --git a/scripts/ca-remove.sh b/scripts/ca-remove.sh
index 6c90c78..404767d 100755
--- a/scripts/ca-remove.sh
+++ b/scripts/ca-remove.sh
@@ -1,7 +1,7 @@
 #!/bin/sh -x
 SRC_DIR=`cd ../.. ; pwd`
-INSTANCE_NAME=pki-master
+INSTANCE_NAME=ca-master
 pkidestroy -s CA -i $INSTANCE_NAME
diff --git a/scripts/ca-run.sh b/scripts/ca-run.sh
new file mode 100755
index 0000000..75603b1
--- /dev/null
+++ b/scripts/ca-run.sh
@@ -0,0 +1,3 @@
+#!/bin/sh -x
+
+java -agentlib:jdwp=transport=dt_socket,address=8000,server=y,suspend=n -classpath :/usr/share/tomcat/bin/bootstrap.jar:/usr/share/tomcat/bin/tomcat-juli.jar:/usr/share/java/commons-daemon.jar -Dcatalina.base=/var/lib/pki/ca-master -Dcatalina.home=/usr/share/tomcat -Djava.endorsed.dirs= -Djava.io.tmpdir=/var/lib/pki/ca-master/temp -Djava.util.logging.config.file=/var/lib/pki/ca-master/conf/logging.properties -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager org.apache.catalina.startup.Bootstrap start
diff --git a/scripts/ca-start.sh b/scripts/ca-start.sh
index e417e03..93f1595 100755
--- a/scripts/ca-start.sh
+++ b/scripts/ca-start.sh
@@ -1,3 +1,3 @@
 #!/bin/sh -x
-systemctl start pki-tomcatd@pki-master.service
+systemctl start pki-tomcatd@ca-master.service
diff --git a/scripts/ca-stop.sh b/scripts/ca-stop.sh
index 59be94a..fc7166e 100755
--- a/scripts/ca-stop.sh
+++ b/scripts/ca-stop.sh
@@ -1,3 +1,3 @@
 #!/bin/sh -x
-systemctl stop pki-tomcatd@pki-master.service
+systemctl stop pki-tomcatd@ca-master.service
diff --git a/scripts/ca-test.sh b/scripts/ca-test.sh
index 16e8f06..31fc717 100755
--- a/scripts/ca-test.sh
+++ b/scripts/ca-test.sh
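Review bot: The new ca-run.sh starts the CA's Tomcat with `-agentlib:jdwp=transport=dt_socket,address=8000,server=y,suspend=n`, and with a bare port in `address=` the JDKs of this era listen on every interface, so any host that can reach port 8000 gets a debugger session with full control of the CA JVM and its NSS token. Since this is a developer convenience script, bind the listener locally: `address=localhost:8000`. The identical command line is added in kra-run.sh further down and needs the same change. A one-line comment such as `# dev only: starts Tomcat in the foreground with a JDWP debugger on port 8000` would also make the script's purpose clear next to ca-start.sh.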
@@ -1,22 +1,22 @@ #!/bin/sh -x SRC_DIR=`cd ../.. ; pwd` +CERTS=$SRC_DIR/certs -INSTANCE_NAME=pki-master -TEST_DIR=/tmp/${INSTANCE_NAME}_client -CLIENT_CERT_DB=$TEST_DIR/alias -SERVER_CERT_DB=/var/lib/pki/$INSTANCE_NAME/alias +INSTANCE_NAME=ca-master +CLIENT_CERT_DIR=$CERTS/$INSTANCE_NAME +SERVER_CERT_DIR=/var/lib/pki/$INSTANCE_NAME/alias CERT_NAME="caSigningCert cert-${INSTANCE_NAME}" -# Add admin to RA agent group -pki -p 8013 -u admin -w Secret123 group-add-member "Registration Manager Agents" admin +# add admin to RA agent group +pki -u caadmin -w Secret123 group-add-member "Registration Manager Agents" caadmin -# Export CA cert -certutil -L -d $SERVER_CERT_DB -n "$CERT_NAME" -a > $TEST_DIR/ca.pem -AtoB $TEST_DIR/ca.pem $TEST_DIR/ca.crt +# export CA cert +certutil -L -d $SERVER_CERT_DIR -n "$CERT_NAME" -a > $CERTS/ca.pem +AtoB $CERTS/ca.pem $CERTS/ca.crt -# Import CA cert -certutil -A -d $CLIENT_CERT_DB -n "$CERT_NAME" -i $TEST_DIR/ca.pem -t CT,c,c +# import CA cert +certutil -A -d $CLIENT_CERT_DIR -n "$CERT_NAME" -i $CERTS/ca.pem -t CT,c,c CLASSPATH=$SRC_DIR/pki/build/classes CLASSPATH=$CLASSPATH:/usr/lib64/java/jss4.jar @@ -34,6 +34,5 @@ CLASSPATH=$CLASSPATH:/usr/share/java/resteasy/resteasy-jaxrs.jar CLASSPATH=$CLASSPATH:/usr/share/java/resteasy/resteasy-jaxb-provider.jar CLASSPATH=$CLASSPATH:/usr/share/java/servlet.jar -# Run CA test -CLIENT_CERT_PASSWORD=`cat $TEST_DIR/password.conf` -java -classpath $CLASSPATH com.netscape.cms.servlet.test.CATest -h localhost -p 8015 -s true -d $CLIENT_CERT_DB -w $CLIENT_CERT_PASSWORD -c "admin" +# run CA test +java -classpath $CLASSPATH com.netscape.cms.servlet.test.CATest -h localhost -p 8443 -s true -d $CLIENT_CERT_DIR -w Secret123 -c "caadmin" diff --git a/scripts/drm-java-test.sh b/scripts/drm-java-test.sh index a8cb7b9..80fcef5 100755 --- a/scripts/drm-java-test.sh +++ b/scripts/drm-java-test.sh 
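Review bot: The rewritten last line of ca-test.sh passes the client database password literally, `-w Secret123 -c "caadmin"`, and the new `pki -u caadmin -w Secret123 group-add-member ...` line does the same, whereas the old code read it from `$TEST_DIR/password.conf`; with `#!/bin/sh -x` the literal is echoed to stderr on every run and is visible in the process list for the duration of the Java test. Keep an indirection such as `CLIENT_CERT_PASSWORD=\`cat $CLIENT_CERT_DIR/password.conf\`` and pass `-w "$CLIENT_CERT_PASSWORD"` — whether pkispawn writes such a file under pki_client_database_dir is not visible here, so confirm the filename. The unquoted `$CERTS/ca.pem` redirections are fine for the literal path used, but quoting them costs nothing.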
@@ -2,6 +2,9 @@
 SRC_DIR=`cd ../.. ; pwd`
+INSTANCE_NAME=kra-master
+CLIENT_CERT_DIR=$SRC_DIR/certs/$INSTANCE_NAME
+
 CLASSPATH=$SRC_DIR/pki/build/classes
 CLASSPATH=$CLASSPATH:/usr/share/java/apache-commons-cli.jar
 CLASSPATH=$CLASSPATH:/usr/share/java/apache-commons-logging.jar
@@ -17,4 +20,4 @@ CLASSPATH=$CLASSPATH:/usr/share/java/resteasy/resteasy-jaxrs.jar
 CLASSPATH=$CLASSPATH:/usr/share/java/resteasy/resteasy-jaxb-provider.jar
 CLASSPATH=$CLASSPATH:/usr/share/java/servlet.jar
-java -classpath $CLASSPATH com.netscape.cms.servlet.test.DRMTest -h localhost -p 10180 -w Secret123 -d /tmp/drmtest
+java -classpath $CLASSPATH com.netscape.cms.servlet.test.DRMTest -h localhost -p 12080 -w Secret123 -d $CLIENT_CERT_DIR
diff --git a/scripts/drm-python-test.sh b/scripts/drm-python-test.sh
index 0a54c9f..873d5d9 100755
--- a/scripts/drm-python-test.sh
+++ b/scripts/drm-python-test.sh
@@ -2,26 +2,29 @@ SRC_DIR=`cd ../.. ; pwd` -TEST_DIR=/tmp/drmtest -CERT_NAME="transportCert cert-pki-kra" +INSTANCE_NAME=kra-master +CLIENT_CERT_DIR=$SRC_DIR/certs/$INSTANCE_NAME +SERVER_CERT_DIR=/var/lib/pki/$INSTANCE_NAME +CERT_NAME="transportCert cert-$INSTANCE_NAME" CLASSPATH=$SRC_DIR/pki/build/classes CLASSPATH=$CLASSPATH:/usr/share/java/apache-commons-cli.jar CLASSPATH=$CLASSPATH:/usr/lib64/java/jss4.jar CLASSPATH=$CLASSPATH:/usr/share/java/commons-codec.jar -rm -rf $TEST_DIR -mkdir -p $TEST_DIR +#echo Secret123 > $CLIENT_CERT_DIR/password.txt +#certutil -N -d $CLIENT_CERT_DIR -f $CLIENT_CERT_DIR/password.txt -echo Secret123 > $TEST_DIR/pwfile.txt -certutil -N -d $TEST_DIR -f $TEST_DIR/pwfile.txt +# export transport certificate +certutil -L -d $SERVER_CERT_DIR/alias -n "$CERT_NAME" -a > $CLIENT_CERT_DIR/transport.pem +AtoB $CLIENT_CERT_DIR/transport.pem $CLIENT_CERT_DIR/transport.crt -certutil -L -d /var/lib/pki-kra/alias -n "$CERT_NAME" -a > $TEST_DIR/transport.pem -AtoB $TEST_DIR/transport.pem $TEST_DIR/transport.crt +# import transport certificate +certutil -A -d $CLIENT_CERT_DIR -n "$CERT_NAME" -i $CLIENT_CERT_DIR/transport.pem -t u,u,u -certutil -A -d $TEST_DIR -n "$CERT_NAME" -i $TEST_DIR/transport.pem -t u,u,u - -java -classpath $CLASSPATH com.netscape.cms.servlet.test.GeneratePKIArchiveOptions -d $TEST_DIR -k $TEST_DIR/symkey.out -o $TEST_DIR/options.out -t $TEST_DIR/transport.crt -w Secret123 +# generate options +java -classpath $CLASSPATH com.netscape.cms.servlet.test.GeneratePKIArchiveOptions -d $CLIENT_CERT_DIR -k $CLIENT_CERT_DIR/symkey.out -o $CLIENT_CERT_DIR/options.out -t $CLIENT_CERT_DIR/transport.crt -w Secret123 +# run KRA test cd $SRC_DIR/pki/base/kra/functional -python drmclient.py -d $TEST_DIR --options=options.out --symkey=symkey.out -p 10180 -n "$CERT_NAME" +python drmclient.py -d $CLIENT_CERT_DIR --options=options.out --symkey=symkey.out -p 12080 -n "$CERT_NAME" 
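Review bot: The `cd $SRC_DIR/pki/base/kra/functional` that precedes the new `python drmclient.py ... -d $CLIENT_CERT_DIR` line is unguarded, and with only `#!/bin/sh -x` a failed `cd` lets drmclient.py run from the previous directory with its relative `--options=options.out --symkey=symkey.out`; write `cd $SRC_DIR/pki/base/kra/functional || exit 1`. The `certutil -N` initialisation is now commented out, so `certutil -A -d $CLIENT_CERT_DIR` assumes the client database already exists — presumably created by pkispawn from pki_client_database_dir in kra-master.cfg, which is worth stating instead of leaving dead lines: `# client cert db is created by pkispawn (pki_client_database_dir in kra-master.cfg)`. The GeneratePKIArchiveOptions and DRMTest-style `-w Secret123` arguments are also traced by `-x` on every run, as noted for ca-test.sh.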
diff --git a/scripts/firefox-certs-import.sh b/scripts/firefox-certs-import.sh
index af25540..0ea1984 100755
--- a/scripts/firefox-certs-import.sh
+++ b/scripts/firefox-certs-import.sh
@@ -1,22 +1,56 @@ #!/bin/sh -x -. ./ca-include.sh +user=$1 + +if [ "$user" == "" ]; then + home=$HOME +else + home=/home/$user +fi + +echo HOME=$home SRC_DIR=`cd ../.. ; pwd` -INSTANCE_NAME=pki-master +CERTS=$SRC_DIR/certs -FIREFOX_DIR=~/.mozilla/firefox +FIREFOX_DIR=$home/.mozilla/firefox PROFILE=`grep Path= $FIREFOX_DIR/profiles.ini | awk -F= '{print $2}'` -CLIENT_CERT_DIR=$SRC_DIR/certs/$INSTANCE_NAME -CLIENT_CERT_PASSWORD=$CLIENT_CERT_DIR/password.txt -CLIENT_CERT_PK12=$CLIENT_CERT_DIR/admin.p12 +CA_INSTANCE_NAME=ca-master +KRA_INSTANCE_NAME=kra-master + +################################################################################ +# Importing CA certificate +################################################################################ + +CA_CERT_NAME="caSigningCert cert-$CA_INSTANCE_NAME" +CA_CERT_DIR=/var/lib/pki/$CA_INSTANCE_NAME/alias + +# export CA cert +certutil -L -d $CA_CERT_DIR -n "$CA_CERT_NAME" -a > $CERTS/ca.pem +AtoB $CERTS/ca.pem $CERTS/ca.crt + +# import CA cert +certutil -A -d $FIREFOX_DIR/$PROFILE -n "$CA_CERT_NAME" -i $CERTS/ca.pem -t CT,C,C + +################################################################################ +# Importing CA admin certificate +################################################################################ + +CA_CERT_DIR=/var/lib/pki/$CA_INSTANCE_NAME/alias +CA_CERT_P12=$CA_CERT_DIR/ca_admin_cert.p12 + +# import CA admin cert +pk12util -i $CA_CERT_P12 -d $FIREFOX_DIR/$PROFILE -W Secret123 +certutil -M -n caadmin -t u,u,u -d $FIREFOX_DIR/$PROFILE -echo $PASSWORD > $CLIENT_CERT_PASSWORD -PKCS12Export -d "$CLIENT_CERT_DIR" -o "$CLIENT_CERT_PK12" -p "$CLIENT_CERT_PASSWORD" -w "$CLIENT_CERT_PASSWORD" +################################################################################ +# Importing KRA admin certificate +################################################################################ -pk12util -i $CLIENT_CERT_PK12 -d $FIREFOX_DIR/$PROFILE -w $CLIENT_CERT_PASSWORD -certutil -M -n admin -t u,u,u -d 
$FIREFOX_DIR/$PROFILE +KRA_CERT_DIR=/var/lib/pki/$KRA_INSTANCE_NAME/alias +KRA_CERT_P12=$KRA_CERT_DIR/kra_admin_cert.p12 -#pk12util -i $SRC_DIR/pki-dev/certs/kra/kra-client-certs.p12 -d $FIREFOX_DIR/$PROFILE -W Secret123 -#certutil -M -n kraadmin -t u,u,u -d $FIREFOX_DIR/$PROFILE +# import KRA admin cert +pk12util -i $KRA_CERT_P12 -d $FIREFOX_DIR/$PROFILE -W Secret123 +certutil -M -n kraadmin -t u,u,u -d $FIREFOX_DIR/$PROFILE diff --git a/scripts/firefox-certs-remove.sh b/scripts/firefox-certs-remove.sh index 907e8ed..71a6630 100755 --- a/scripts/firefox-certs-remove.sh +++ b/scripts/firefox-certs-remove.sh @@ -1,16 +1,22 @@ #!/bin/sh -x -. ./ca-include.sh +user=$1 -FIREFOX_DIR=~/.mozilla/firefox +if [ "$user" == "" ]; then + home=$HOME +else + home=/home/$user +fi + +FIREFOX_DIR=$home/.mozilla/firefox PROFILE=`grep Path= $FIREFOX_DIR/profiles.ini | awk -F= '{print $2}'` cd $FIREFOX_DIR/$PROFILE certutil -D -n "admin" -d . -certutil -D -n "$CA_ADMIN_NAME" -d . +certutil -D -n "caadmin" -d . certutil -D -n "kraadmin" -d . -certutil -D -n "$CA_SUBSYSTEM_NAME - $REALM" -d . +certutil -D -n "caSigningCert cert-ca-master" -d . certutil -D -n "$HOSTNAME" -d . certutil -D -n "$HOSTNAME #2" -d . certutil -D -n "$HOSTNAME #3" -d . diff --git a/scripts/firefox-certs-list.sh b/scripts/firefox-certs.sh index bb14fb2..4691a0c 100755 --- a/scripts/firefox-certs-list.sh +++ b/scripts/firefox-certs.sh @@ -1,6 +1,14 @@ #!/bin/sh -x -FIREFOX_DIR=~/.mozilla/firefox +user=$1 + +if [ "$user" == "" ]; then + home=$HOME +else + home=/home/$user +fi + +FIREFOX_DIR=$home/.mozilla/firefox PROFILE=`grep Path= $FIREFOX_DIR/profiles.ini | awk -F= '{print $2}'` certutil -L -d $FIREFOX_DIR/$PROFILE diff --git a/scripts/kra-certs.sh b/scripts/kra-certs.sh new file mode 100755 index 0000000..e443b22 --- /dev/null +++ b/scripts/kra-certs.sh @@ -0,0 +1,5 @@ +#!/bin/sh -x + +INSTANCE_DIR=/var/lib/pki/kra-master + +certutil -L -d $INSTANCE_DIR/alias 
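Review bot: `if [ "$user" == "" ]; then` in the new prologue of firefox-certs-import.sh is not POSIX — `test` only defines `=`, and dash, a common /bin/sh, reports "unexpected operator" and returns false, so under `#!/bin/sh` the script falls into the else branch with an empty user and `home=/home/`; write `if [ "$user" = "" ]; then` (or `[ -z "$user" ]`). The same three-line test is added to firefox-certs-remove.sh and firefox-certs.sh in this commit. `$1` is also used unchecked to build `home=/home/$user`, which the script then writes into with `certutil -A` and `pk12util -i`; a `[ -d "$home" ] || exit 1` after the `fi` would at least refuse a profile path that does not exist. `PROFILE=\`grep Path= ...\`` will contain several values when profiles.ini lists more than one profile, which the old code had as well but the new per-user mode makes more likely.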
diff --git a/scripts/kra-create.sh b/scripts/kra-create.sh
index 77a4d86..7bd0686 100755
--- a/scripts/kra-create.sh
+++ b/scripts/kra-create.sh
@@ -1,29 +1,3 @@
 #!/bin/sh -x
-SRC_DIR=`cd ../.. ; pwd`
-
-INSTANCE_NAME=pki-kra
-
-pkicreate -pki_instance_root=/var/lib \
- -pki_instance_name=$INSTANCE_NAME \
- -subsystem_type=kra \
- -secure_port=10443 \
- -unsecure_port=10180 \
- -tomcat_server_port=10701 \
- -user=pkiuser \
- -group=pkiuser \
- -audit_group=pkiaudit \
- -redirect conf=/etc/$INSTANCE_NAME \
- -redirect logs=/var/log/$INSTANCE_NAME \
- -verbose
-
-cd /var/lib/$INSTANCE_NAME
-
-ln -s /usr/share/tomcat6/bin bin
-ln -s /usr/share/tomcat6/lib lib
-rm -f webapps/kra/WEB-INF/lib/pki-*
-
-rm -rf webapps/kra/WEB-INF/classes
-ln -s $SRC_DIR/pki/build/classes webapps/kra/WEB-INF
-
-systemctl restart pki-krad@$INSTANCE_NAME.service
+pkispawn -f kra-master.cfg -s KRA -v
diff --git a/scripts/kra-master.cfg b/scripts/kra-master.cfg
new file mode 100644
index 0000000..8fcfb38
--- /dev/null
+++ b/scripts/kra-master.cfg
@@ -0,0 +1,232 @@
+###############################################################################
+## 'Sensitive' Data: ##
+## ##
+## Values in this section pertain to various PKI subsystems, and contain ##
+## required 'sensitive' information which MUST ALWAYS be provided by users. ##
+## ##
+## IMPORTANT: Sensitive data values must NEVER be displayed to the ##
+## console NOR stored in log files!!! ##
+###############################################################################
+[Sensitive]
+pki_admin_password=Secret123
+pki_backup_password=Secret123
+pki_client_database_password=Secret123
+pki_client_pkcs12_password=Secret123
+pki_clone_pkcs12_password=Secret123
+pki_ds_password=Secret123
+pki_security_domain_password=Secret123
+pki_token_password=Secret123
+###############################################################################
+## 'Common' Data: ##
+## ##
+## Values in this section are common to more than one PKI subsystem, and ##
+## contain required information which MAY be overridden by users as ##
+## necessary. ##
+## ##
+## NOTE: Default values will be generated for any and all required ##
+## 'common' data values which are left undefined. ##
+###############################################################################
+[Common]
+pki_admin_cert_request_type=crmf
+pki_admin_domain_name=
+pki_admin_dualkey=False
+pki_admin_email=kraadmin@example.com
+pki_admin_keysize=2048
+pki_admin_name=kraadmin
+pki_admin_nickname=kraadmin
+pki_admin_subject_dn=
+pki_admin_uid=kraadmin
+pki_audit_group=pkiaudit
+pki_audit_signing_key_algorithm=SHA256withRSA
+pki_audit_signing_key_size=2048
+pki_audit_signing_key_type=rsa
+pki_audit_signing_nickname=
+pki_audit_signing_signing_algorithm=SHA256withRSA
+pki_audit_signing_subject_dn=
+pki_audit_signing_token=
+pki_backup_keys=False
+pki_client_database_dir=../../certs/kra-master
+pki_client_database_purge=False
+pki_client_dir=
+pki_ds_base_dn=dc=kra-master,dc=example,dc=com
+pki_ds_bind_dn=cn=Directory Manager
+pki_ds_database=
+pki_ds_hostname=
+pki_ds_ldap_port=389
+pki_ds_ldaps_port=636
+pki_ds_remove_data=True
+pki_ds_secure_connection=False
+pki_group=pkiuser
+pki_issuing_ca=
+pki_restart_configured_instance=True
+pki_security_domain_hostname=
+pki_security_domain_https_port=8443
+pki_security_domain_name=EXAMPLE
+pki_security_domain_user=caadmin
+pki_ssl_server_key_algorithm=SHA256withRSA
+pki_ssl_server_key_size=2048
+pki_ssl_server_key_type=rsa
+pki_ssl_server_nickname=
+pki_ssl_server_subject_dn=
+pki_ssl_server_token=
+pki_subsystem_key_algorithm=SHA256withRSA
+pki_subsystem_key_size=2048
+pki_subsystem_key_type=rsa
+pki_subsystem_nickname=
+pki_subsystem_subject_dn=
+pki_subsystem_token=
+pki_token_name=internal
+pki_user=pkiuser
+###############################################################################
+## 'Apache' Data: ##
+## ##
+## Values in this section are common to PKI subsystems that run ##
+## as an instance of 'Apache' (RA and TPS subsystems), and contain ##
+## required information which MAY be overridden by users as necessary. ##
+###############################################################################
+[Apache]
+pki_instance_name=pki-apache
+pki_http_port=80
+pki_https_port=443
+###############################################################################
+## 'Tomcat' Data: ##
+## ##
+## Values in this section are common to PKI subsystems that run ##
+## as an instance of 'Tomcat' (CA, KRA, OCSP, and TKS subsystems ##
+## including 'Clones', 'Subordinate CAs', and 'External CAs'), and contain ##
+## required information which MAY be overridden by users as necessary. ##
+## ##
+## PKI CLONES: To specify a 'CA Clone', a 'KRA Clone', an 'OCSP Clone', ##
+## or a 'TKS Clone', change the value of 'pki_clone' ##
+## from 'False' to 'True'. ##
+## ##
+## REMINDER: PKI CA Clones, Subordinate CAs, and External CAs ##
+## are MUTUALLY EXCLUSIVE entities!!! ##
+###############################################################################
+[Tomcat]
+pki_ajp_port=12009
+pki_clone=False
+pki_clone_pkcs12_path=
+pki_clone_replication_security=None
+pki_clone_uri=
+pki_enable_java_debugger=False
+pki_enable_proxy=False
+pki_http_port=12080
+pki_https_port=12443
+pki_instance_name=kra-master
+pki_proxy_http_port=80
+pki_proxy_https_port=443
+pki_security_manager=false
+pki_tomcat_server_port=12005
+###############################################################################
+## 'CA' Data: ##
+## ##
+## Values in this section are common to CA subsystems including 'PKI CAs', ##
+## 'Cloned CAs', 'Subordinate CAs', and 'External CAs', and contain ##
+## required information which MAY be overridden by users as necessary. ##
+## ##
+## EXTERNAL CAs: To specify an 'External CA', change the value ##
+## of 'pki_external' from 'False' to 'True'. ##
+## ##
+## SUBORDINATE CAs: To specify a 'Subordinate CA', change the value ##
+## of 'pki_subordinate' from 'False' to 'True'. ##
+## ##
+## REMINDER: PKI CA Clones, Subordinate CAs, and External CAs ##
+## are MUTUALLY EXCLUSIVE entities!!! ##
+###############################################################################
+[CA]
+pki_ca_signing_key_algorithm=SHA256withRSA
+pki_ca_signing_key_size=2048
+pki_ca_signing_key_type=rsa
+pki_ca_signing_nickname=
+pki_ca_signing_signing_algorithm=SHA256withRSA
+pki_ca_signing_subject_dn=
+pki_ca_signing_token=
+pki_external=False
+pki_external_ca_cert_chain_path=
+pki_external_ca_cert_path=
+pki_external_csr_path=
+pki_external_step_two=False
+pki_ocsp_signing_key_algorithm=SHA256withRSA
+pki_ocsp_signing_key_size=2048
+pki_ocsp_signing_key_type=rsa
+pki_ocsp_signing_nickname=
+pki_ocsp_signing_signing_algorithm=SHA256withRSA
+pki_ocsp_signing_subject_dn=
+pki_ocsp_signing_token=
+pki_subordinate=False
+pki_subsystem=CA
+pki_subsystem_name=
+pki_war_file=ca.war
+###############################################################################
+## 'KRA' Data: ##
+## ##
+## Values in this section are common to KRA subsystems ##
+## including 'PKI KRAs' and 'Cloned KRAs', and contain ##
+## required information which MAY be overridden by users as necessary. ##
+###############################################################################
+[KRA]
+pki_storage_key_algorithm=SHA256withRSA
+pki_storage_key_size=2048
+pki_storage_key_type=rsa
+pki_storage_nickname=
+pki_storage_signing_algorithm=SHA256withRSA
+pki_storage_subject_dn=
+pki_storage_token=
+pki_subsystem=KRA
+pki_subsystem_name=
+pki_transport_key_algorithm=SHA256withRSA
+pki_transport_key_size=2048
+pki_transport_key_type=rsa
+pki_transport_nickname=
+pki_transport_signing_algorithm=SHA256withRSA
+pki_transport_subject_dn=
+pki_transport_token=
+pki_war_file=kra.war
+###############################################################################
+## 'OCSP' Data: ##
+## ##
+## Values in this section are common to OCSP subsystems ##
+## including 'PKI OCSPs' and 'Cloned OCSPs', and contain ##
+## required information which MAY be overridden by users as necessary. ##
+###############################################################################
+[OCSP]
+pki_ocsp_signing_key_algorithm=SHA256withRSA
+pki_ocsp_signing_key_size=2048
+pki_ocsp_signing_key_type=rsa
+pki_ocsp_signing_nickname=
+pki_ocsp_signing_signing_algorithm=SHA256withRSA
+pki_ocsp_signing_subject_dn=
+pki_ocsp_signing_token=
+pki_subsystem=OCSP
+pki_subsystem_name=
+pki_war_file=ocsp.war
+###############################################################################
+## 'RA' Data: ##
+## ##
+## Values in this section are common to PKI RA subsystems, and contain ##
+## required information which MAY be overridden by users as necessary. ##
+###############################################################################
+[RA]
+pki_subsystem=RA
+pki_subsystem_name=
+###############################################################################
+## 'TKS' Data: ##
+## ##
+## Values in this section are common to TKS subsystems ##
+## including 'PKI TKSs' and 'Cloned TKSs', and contain ##
+## required information which MAY be overridden by users as necessary. ##
+###############################################################################
+[TKS]
+pki_subsystem=TKS
+pki_subsystem_name=
+pki_war_file=tks.war
+###############################################################################
+## 'TPS' Data: ##
+## ##
+## Values in this section are common to PKI TPS subsystems, and contain ##
+## required information which MAY be overridden by users as necessary. ##
+###############################################################################
+[TPS]
+pki_subsystem=TPS
+pki_subsystem_name=
diff --git a/scripts/kra-remove.sh b/scripts/kra-remove.sh
index 3ddfa9d..1a08c91 100755
--- a/scripts/kra-remove.sh
+++ b/scripts/kra-remove.sh
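Review bot: The new kra-master.cfg commits eight plaintext credentials in its [Sensitive] section (`pki_admin_password=Secret123` through `pki_token_password=Secret123`) in a file whose own banner says such values must never be displayed or logged, and at mode 100644 they are readable by every local account that can read the checkout; pkispawn is also run with `-v` from kra-create.sh, so check that the verbose output does not echo this section. For a development fixture that may be the intent, but it should be said on the file: `## Development-only credentials for a throwaway instance; never reuse on a real deployment` above [Sensitive], or have kra-create.sh merge a non-committed password file instead. `pki_ds_remove_data=True` together with `pki_ds_base_dn=dc=kra-master,dc=example,dc=com` wipes that subtree in the directory server on every spawn, which deserves a comment for the same reason. The [CA], [OCSP], [RA], [TKS] and [TPS] sections are inert for `-s KRA` but carry `pki_subsystem=` values that contradict the file name; a one-line note that only [KRA] and the shared sections apply would save a reader from wondering.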
@@ -1,7 +1,13 @@
 #!/bin/sh -x
-INSTANCE_NAME=pki-kra
+SRC_DIR=`cd ../.. ; pwd`
+INSTANCE_NAME=kra-master
-pkiremove -pki_instance_root=/var/lib\
- -pki_instance_name=$INSTANCE_NAME\
- -force
+pkidestroy -s KRA -i $INSTANCE_NAME
+
+rm -rf /etc/pki/$INSTANCE_NAME
+rm -rf /etc/sysconfig/$INSTANCE_NAME
+rm -rf /etc/sysconfig/pki/tomcat/$INSTANCE_NAME
+rm -rf /var/lib/pki/$INSTANCE_NAME
+rm -rf /var/log/pki/$INSTANCE_NAME
+rm -rf $SRC_DIR/certs/$INSTANCE_NAME
diff --git a/scripts/kra-restart.sh b/scripts/kra-restart.sh
index 914945c..e53b6db 100755
--- a/scripts/kra-restart.sh
+++ b/scripts/kra-restart.sh
@@ -1,3 +1,4 @@
 #!/bin/sh -x
-systemctl restart pki-krad@pki-kra.service
+./kra-stop.sh
+./kra-start.sh
diff --git a/scripts/kra-run.sh b/scripts/kra-run.sh
new file mode 100755
index 0000000..a83b102
--- /dev/null
+++ b/scripts/kra-run.sh
@@ -0,0 +1,3 @@
+#!/bin/sh -x
+
+java -agentlib:jdwp=transport=dt_socket,address=8000,server=y,suspend=n -classpath :/usr/share/tomcat/bin/bootstrap.jar:/usr/share/tomcat/bin/tomcat-juli.jar:/usr/share/java/commons-daemon.jar -Dcatalina.base=/var/lib/pki/kra-master -Dcatalina.home=/usr/share/tomcat -Djava.endorsed.dirs= -Djava.io.tmpdir=/var/lib/pki/kra-master/temp -Djava.util.logging.config.file=/var/lib/pki/kra-master/conf/logging.properties -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager org.apache.catalina.startup.Bootstrap start
diff --git a/scripts/kra-start.sh b/scripts/kra-start.sh
index a66efc5..2776d23 100755
--- a/scripts/kra-start.sh
+++ b/scripts/kra-start.sh
@@ -1,3 +1,3 @@
 #!/bin/sh -x
-systemctl start pki-krad@pki-kra.service
+systemctl start pki-tomcatd@kra-master.service
diff --git a/scripts/kra-stop.sh b/scripts/kra-stop.sh
index 1927603..e876dc0 100755
--- a/scripts/kra-stop.sh
+++ b/scripts/kra-stop.sh
@@ -1,3 +1,3 @@
 #!/bin/sh -x
-systemctl stop pki-krad@pki-kra.service
+systemctl stop pki-tomcatd@kra-master.service
|
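Review bot: The six new `rm -rf /etc/pki/$INSTANCE_NAME` ... `rm -rf $SRC_DIR/certs/$INSTANCE_NAME` lines in kra-remove.sh expand an unquoted, unguarded variable; INSTANCE_NAME is a literal today, but the moment someone parameterises it and it comes through empty the commands become `rm -rf /etc/pki/` and `rm -rf $SRC_DIR/certs/`, and `SRC_DIR` itself comes from `cd ../.. ; pwd`, which silently yields the current directory when the `cd` fails. Guard each expansion the same way, e.g. `rm -rf "/var/lib/pki/${INSTANCE_NAME:?}"` and `rm -rf "${SRC_DIR:?}/certs/${INSTANCE_NAME:?}"`, and consider `pkidestroy -s KRA -i $INSTANCE_NAME || exit 1` so the manual cleanup does not mask a failed destroy. The `rm -rf /etc/sysconfig/pki/tomcat/$INSTANCE_NAME` and `/etc/sysconfig/$INSTANCE_NAME` paths are presumably pkispawn leftovers; a short `# remove what pkidestroy leaves behind` comment would explain why the script does not rely on pkidestroy alone. kra-run.sh on this line repeats the JDWP `address=8000` listener noted on ca-run.sh and needs the same `address=localhost:8000`.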