Diffstat (limited to 'scripts')
7 files changed, 447 insertions, 1 deletions
diff --git a/scripts/ b/scripts/
new file mode 100755
index 0000000..c4fe9f7
--- /dev/null
+++ b/scripts/
@@ -0,0 +1,21 @@
+PKCS10Client -d ~/.dogtag/pki-tomcat/ca/alias -p Secret.123 \
+ -a rsa -l 1024 \
+ -n "uid=testuser,ou=people,dc=example,dc=com" \
+ -o /tmp/testuser.pem
+cat > cmcrequest.cfg << EOF
+CMCRequest cmcrequest.cfg
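Review bot: The NSS database password is hard-coded as `-p Secret.123` on the PKCS10Client command line, so it is readable by every local user through `ps`, lands in shell history and is now checked into the repository; the same pattern appears in the HttpClient script (hunk at L315) and as `-w Secret123` on the ldapmodify call in the TPS-list cleanup script (hunk at L328). Keep the value out of the script, e.g. `-p "${NSSDB_PASSWORD:?NSSDB_PASSWORD is not set}"`; that still places it on argv, so if PKCS10Client accepts a password file that option should be preferred. `-l 1024` requests a 1024-bit RSA key, which is below the 2048-bit minimum generally accepted today; `-l 2048` is the safer default even for test requests. The body of the `cat > cmcrequest.cfg << EOF` here-document is not visible in this rendering, so the generated configuration could not be reviewed.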
diff --git a/scripts/ b/scripts/
new file mode 100755
index 0000000..33445cb
--- /dev/null
+++ b/scripts/
@@ -0,0 +1,15 @@
+#!/bin/sh -x
+cd ../../pki
+git diff $BRANCH --follow -- base/$SUBSYSTEM/shared/conf/acl.ldif
+git diff $BRANCH --follow -- base/$SUBSYSTEM/shared/conf/database.ldif
+git diff $BRANCH --follow -- base/$SUBSYSTEM/shared/conf/db.ldif
+git diff $BRANCH --follow -- base/$SUBSYSTEM/shared/conf/index.ldif
+git diff $BRANCH --follow -- base/$SUBSYSTEM/shared/conf/manager.ldif
+git diff $BRANCH --follow -- base/$SUBSYSTEM/shared/conf/schema.ldif
+git diff $BRANCH --follow -- base/$SUBSYSTEM/shared/conf/vlv.ldif
+git diff $BRANCH --follow -- base/$SUBSYSTEM/shared/conf/vlvtasks.ldif
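Review bot: `$BRANCH` and `$SUBSYSTEM` are expanded unquoted and with no check that they are set, so an unset `SUBSYSTEM` silently diffs `base//shared/conf/...` and an unset `BRANCH` drops the revision argument entirely, turning every line into a working-tree diff instead of the intended branch comparison. Add `: "${BRANCH:?BRANCH is not set}" "${SUBSYSTEM:?SUBSYSTEM is not set}"` before the `cd`, and guard the directory change with `cd ../../pki || exit 1` so the diffs are not run from whatever directory the script happened to be started in.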
diff --git a/scripts/ b/scripts/
new file mode 100755
index 0000000..ef16856
--- /dev/null
+++ b/scripts/
@@ -0,0 +1,350 @@
+if [ "$1" -a -d "$1" ] ; then
+ secdir="$1"
+ echo "Using $1 as sec directory"
+ assecdir=$secdir/../admin-serv
+ secdir=/etc/dirsrv/slapd-localhost
+ assecdir=/etc/dirsrv/admin-serv
+if [ "$2" ] ; then
+ ldapport=$2
+ ldapport=389
+if [ "$3" ] ; then
+ ldapsport=$3
+ ldapsport=636
+if [ "$me" = "root" ] ; then
+ isroot=1
+# see if there are already certs and keys
+if [ -f $secdir/cert8.db ] ; then
+ # look for CA cert
+ if certutil -L -d $secdir -n "CA certificate" 2> /dev/null ; then
+ echo "Using existing CA certificate"
+ else
+ echo "No CA certificate found - will create new one"
+ needCA=1
+ fi
+ # look for server cert
+ if certutil -L -d $secdir -n "Server-Cert" 2> /dev/null ; then
+ echo "Using existing directory Server-Cert"
+ else
+ echo "No Server Cert found - will create new one"
+ needServerCert=1
+ fi
+ # look for admin server cert
+ if certutil -L -d $assecdir -n "server-cert" 2> /dev/null ; then
+ echo "Using existing admin server-cert"
+ else
+ echo "No Admin Server Cert found - will create new one"
+ needASCert=1
+ fi
+ prefix="new-"
+ prefixarg="-P $prefix"
+ needCA=1
+ needServerCert=1
+ needASCert=1
+if [ -n "$NO_ADMIN" ] ; then
+ needASCert=
+# get our user and group
+if test -n "$isroot" ; then
+ uid=`/bin/ls -ald $secdir | awk '{print $3}'`
+ gid=`/bin/ls -ald $secdir | awk '{print $4}'`
+# 2. Create a password file for your security token password:
+if [ -n "$needCA" -o -n "$needServerCert" -o -n "$needASCert" ] ; then
+ if [ -f $secdir/pwdfile.txt ] ; then
+ echo "Using existing $secdir/pwdfile.txt"
+ else
+ echo "Creating password file for security token"
+ (ps -ef ; w ) | sha1sum | awk '{print $1}' > $secdir/pwdfile.txt
+ if test -n "$isroot" ; then
+ chown $uid:$gid $secdir/pwdfile.txt
+ fi
+ chmod 400 $secdir/pwdfile.txt
+ fi
+# 3. Create a "noise" file for your encryption mechanism:
+ if [ -f $secdir/noise.txt ] ; then
+ echo "Using existing $secdir/noise.txt file"
+ else
+ echo "Creating noise file"
+ (w ; ps -ef ; date ) | sha1sum | awk '{print $1}' > $secdir/noise.txt
+ if test -n "$isroot" ; then
+ chown $uid:$gid $secdir/noise.txt
+ fi
+ chmod 400 $secdir/noise.txt
+ fi
+# 4. Create the key3.db and cert8.db databases:
+ if [ -z "$prefix" ] ; then
+ echo "Creating initial key and cert db"
+ else
+ echo "Creating new key and cert db"
+ fi
+ certutil -N $prefixarg -d $secdir -f $secdir/pwdfile.txt
+ if test -n "$isroot" ; then
+ chown $uid:$gid $secdir/${prefix}key3.db $secdir/${prefix}cert8.db
+ fi
+ chmod 600 $secdir/${prefix}key3.db $secdir/${prefix}cert8.db
+getserialno() {
+ SERIALNOFILE=${SERIALNOFILE:-$secdir/serialno.txt}
+ if [ ! -f $SERIALNOFILE ] ; then
+ fi
+ serialno=`cat $SERIALNOFILE`
+ expr $serialno + 1 > $SERIALNOFILE
+ echo $serialno
+if test -n "$needCA" ; then
+# 5. Generate the encryption key:
+ echo "Creating encryption key for CA"
+ certutil -G $prefixarg -d $secdir -z $secdir/noise.txt -f $secdir/pwdfile.txt
+# 6. Generate the self-signed certificate:
+ echo "Creating self-signed CA certificate"
+# note - the basic constraints flag (-2) is required to generate a real CA cert
+# it asks 3 questions that cannot be supplied on the command line
+ serialno=`getserialno`
+ ( echo y ; echo ; echo y ) | certutil -S $prefixarg -n "CA certificate" -s "cn=CAcert" -x -t "CT,," -m $serialno -v 120 -d $secdir -z $secdir/noise.txt -f $secdir/pwdfile.txt -2
+# export the CA cert for use with other apps
+ echo Exporting the CA certificate to cacert.asc
+ certutil -L $prefixarg -d $secdir -n "CA certificate" -a > $secdir/cacert.asc
+if test -n "$MYHOST" ; then
+ myhost="$MYHOST"
+ myhost=`hostname --fqdn`
+genservercert() {
+ hostname=${1:-`hostname --fqdn`}
+ certname=${2:-"Server-Cert"}
+ serialno=${3:-`getserialno`}
+ ou=${OU:-"389 Directory Server"}
+ certutil -S $prefixarg -n "$certname" -s "cn=$hostname,ou=$ou" -c "CA certificate" -t "u,u,u" -m $serialno -v 120 -d $secdir -z $secdir/noise.txt -f $secdir/pwdfile.txt
+remotehost() {
+ # the subdir called $host will contain all of the security files to copy to the remote system
+ mkdir -p $secdir/$1
+ # this is stupid - what we want is that each key/cert db for the remote host has a
+ # cert with nickname "Server-Cert" - however, badness:
+ # 1) pk12util cannot change nick either during import or export
+ # 2) certutil does not have a way to change or rename the nickname
+ # 3) certutil cannot create two certs with the same nick
+ # so we have to copy all of the secdir files to the new server specific secdir
+ # and create everything with copies
+ cp -p $secdir/noise.txt $secdir/pwdfile.txt $secdir/cert8.db $secdir/key3.db $secdir/secmod.db $secdir/$1
+ SERIALNOFILE=$secdir/serialno.txt secdir=$secdir/$1 genservercert $1
+if [ -n "$REMOTE" ] ; then
+ for host in $myhost ; do
+ remotehost $host
+ done
+elif test -n "$needServerCert" ; then
+# 7. Generate the server certificate:
+ for host in $myhost ; do
+ echo Generating server certificate for 389 Directory Server on host $host
+ echo Using fully qualified hostname $host for the server name in the server cert subject DN
+ echo Note: If you do not want to use this hostname, export MYHOST="host1 host2 ..." $0 ...
+ genservercert $host
+ done
+if test -n "$needASCert" ; then
+# Generate the admin server certificate
+ for host in $myhost ; do
+ echo Creating the admin server certificate
+ OU="389 Administration Server" genservercert $host server-cert
+ # export the admin server certificate/private key for import into its key/cert db
+ echo Exporting the admin server certificate pk12 file
+ pk12util -d $secdir $prefixarg -o $secdir/adminserver.p12 -n server-cert -w $secdir/pwdfile.txt -k $secdir/pwdfile.txt
+ if test -n "$isroot" ; then
+ chown $uid:$gid $secdir/adminserver.p12
+ fi
+ chmod 400 $secdir/adminserver.p12
+ done
+# create the pin file
+if [ ! -f $secdir/pin.txt ] ; then
+ echo Creating pin file for directory server
+ pinfile=$secdir/pin.txt
+ echo 'Internal (Software) Token:'`cat $secdir/pwdfile.txt` > $pinfile
+ if test -n "$isroot" ; then
+ chown $uid:$gid $pinfile
+ fi
+ chmod 400 $pinfile
+ echo Using existing $secdir/pin.txt
+if [ -n "$REMOTE" ] ; then
+ for host in $myhost ; do
+ cp -p $secdir/pin.txt $secdir/$host
+ done
+if [ -n "$needCA" -o -n "$needServerCert" -o -n "$needASCert" ] ; then
+ if [ -n "$prefix" ] ; then
+ # move the old files out of the way
+ mv $secdir/cert8.db $secdir/orig-cert8.db
+ mv $secdir/key3.db $secdir/orig-key3.db
+ # move in the new files - will be used after server restart
+ mv $secdir/${prefix}cert8.db $secdir/cert8.db
+ mv $secdir/${prefix}key3.db $secdir/key3.db
+ fi
+# create the admin server key/cert db
+if [ ! -f $assecdir/cert8.db ] ; then
+ echo Creating key and cert db for admin server
+ certutil -N -d $assecdir -f $secdir/pwdfile.txt
+ if test -n "$isroot" ; then
+ chown $uid:$gid $assecdir/*.db
+ fi
+ chmod 600 $assecdir/*.db
+if test -n "$needASCert" ; then
+# import the admin server key/cert
+ echo "Importing the admin server key and cert (created above)"
+ pk12util -d $assecdir -n server-cert -i $secdir/adminserver.p12 -w $secdir/pwdfile.txt -k $secdir/pwdfile.txt
+# import the CA cert to the admin server cert db
+ echo Importing the CA certificate from cacert.asc
+ certutil -A -d $assecdir -n "CA certificate" -t "CT,," -a -i $secdir/cacert.asc
+ if [ ! -f $assecdir/password.conf ] ; then
+# create the admin server password file
+ echo Creating the admin server password file
+ echo 'internal:'`cat $secdir/pwdfile.txt` > $assecdir/password.conf
+ if test -n "$isroot" ; then
+ chown $uid:$gid $assecdir/password.conf
+ fi
+ chmod 400 $assecdir/password.conf
+ fi
+ if [ -f $assecdir/nss.conf ] ; then
+ cd $assecdir
+ echo Enabling the use of a password file in admin server
+ sed -e "s@^NSSPassPhraseDialog .*@NSSPassPhraseDialog file:`pwd`/password.conf@" nss.conf > /tmp/nss.conf && mv /tmp/nss.conf nss.conf
+ if test -n "$isroot" ; then
+ chown $uid:$gid nss.conf
+ fi
+ chmod 400 nss.conf
+ echo Turning on NSSEngine
+ sed -e "s@^NSSEngine off@NSSEngine on@" console.conf > /tmp/console.conf && mv /tmp/console.conf console.conf
+ if test -n "$isroot" ; then
+ chown $uid:$gid console.conf
+ fi
+ chmod 600 console.conf
+ echo Use ldaps for config ds connections
+ sed -e "s@^ldapurl: ldap://$myhost:$ldapport/o=NetscapeRoot@ldapurl: ldaps://$myhost:$ldapsport/o=NetscapeRoot@" adm.conf > /tmp/adm.conf && mv /tmp/adm.conf adm.conf
+ if test -n "$isroot" ; then
+ chown $uid:$gid adm.conf
+ fi
+ chmod 600 adm.conf
+ cd $secdir
+ fi
+# enable SSL in the directory server
+echo "Enabling SSL in the directory server"
+if [ -z "$DMPWD" ] ; then
+ echo "when prompted, provide the directory manager password"
+ echo -n "Password:"
+ stty -echo
+ read dmpwd
+ stty echo
+ dmpwd="$DMPWD"
+ldapmodify -x -h localhost -p $ldapport -D "cn=directory manager" -w "$dmpwd" <<EOF
+dn: cn=encryption,cn=config
+changetype: modify
+replace: nsSSLClientAuth
+nsSSLClientAuth: allowed
+add: nsSSL3Ciphers
+nsSSL3Ciphers: +all
+dn: cn=config
+changetype: modify
+add: nsslapd-security
+nsslapd-security: on
+replace: nsslapd-ssl-check-hostname
+nsslapd-ssl-check-hostname: off
+replace: nsslapd-secureport
+nsslapd-secureport: $ldapsport
+dn: cn=RSA,cn=encryption,cn=config
+changetype: add
+objectclass: top
+objectclass: nsEncryptionModule
+cn: RSA
+nsSSLPersonalitySSL: Server-Cert
+nsSSLToken: internal (software)
+nsSSLActivation: on
+ attrname="$1"
+ shift
+ ldapsearch "$@" $attrname | sed -n '/^'$attrname':/,/^$/ { /^'$attrname':/ { s/^'$attrname': *// ; h ; $ !d}; /^ / { H; $ !d}; /^ /! { x; s/\n //g; p; q}; $ { x; s/\n //g; p; q} }'
+if [ -n "$needASCert" ] ; then
+ echo "Enabling SSL in the admin server"
+# find the directory server config entry DN
+ dsdn=`ldapsearch_attrval dn -x -LLL -h localhost -p $ldapport -D "cn=directory manager" -w "$dmpwd" -b o=netscaperoot "(&(objectClass=nsDirectoryServer)(serverhostname=$myhost)(nsserverport=$ldapport))"`
+ ldapmodify -x -h localhost -p $ldapport -D "cn=directory manager" -w "$dmpwd" <<EOF
+dn: $dsdn
+changetype: modify
+replace: nsServerSecurity
+nsServerSecurity: on
+replace: nsSecureServerPort
+nsSecureServerPort: $ldapsport
+# find the admin server config entry DN
+ asdn=`ldapsearch_attrval dn -x -LLL -h localhost -p $ldapport -D "cn=directory manager" -w "$dmpwd" -b o=netscaperoot "(&(objectClass=nsAdminServer)(serverhostname=$myhost))"`
+ ldapmodify -x -h localhost -p $ldapport -D "cn=directory manager" -w "$dmpwd" <<EOF
+dn: cn=configuration,$asdn
+changetype: modify
+replace: nsServerSecurity
+nsServerSecurity: on
+echo "Done. You must restart the directory server and the admin server for the changes to take effect."
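Review bot: The NSS token password written to `$secdir/pwdfile.txt` is derived from `(ps -ef ; w) | sha1sum`, i.e. from process-list and login output that any local user can also read, rather than from a CSPRNG; since this password later protects the CA signing key and the server keys created in the same script, use the kernel RNG instead, e.g. `head -c 32 /dev/urandom | sha1sum | awk '{print $1}' > $secdir/pwdfile.txt` (and the same for `noise.txt`). The admin-server config rewrites go through the fixed names `/tmp/nss.conf`, `/tmp/console.conf` and `/tmp/adm.conf` while the script is typically run as root, which is the classic predictable-temp-file race; write to `tmpf=$(mktemp) || exit 1` and `mv -- "$tmpf" nss.conf` instead. The Directory Manager password is passed as `-w "$dmpwd"` on every ldapmodify/ldapsearch command line, where it is visible in `ps` for the duration of the call; `-y <file>` with a mode-0400 password file avoids that, and `read -r dmpwd` should be used so backslashes in the password survive. The LDIF sets `nsSSL3Ciphers: +all` and `nsslapd-ssl-check-hostname: off`, which enables every cipher the server knows and disables hostname verification — tolerable for a throwaway test instance but worth a comment saying so. Several `fi`/`done`/`EOF` lines of this hunk do not appear in this rendering, so block structure was reviewed only as far as visible.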
diff --git a/scripts/ b/scripts/
new file mode 100755
index 0000000..5454ee9
--- /dev/null
+++ b/scripts/
@@ -0,0 +1,27 @@
+PKCS10Client -d ~/.dogtag/pki-tomcat/ca/alias -p Secret.123 \
+ -a rsa -l 1024 \
+ -n "uid=testuser,ou=people,dc=example,dc=com" \
+ -o /tmp/httpclient.pem
+AtoB /tmp/httpclient.pem /tmp/httpclient.bin
+cat > httpclient.cfg << EOF
+HttpClient httpclient.cfg
diff --git a/scripts/ b/scripts/
new file mode 100755
index 0000000..0922782
--- /dev/null
+++ b/scripts/
@@ -0,0 +1,8 @@
+ldapmodify -x -D "cn=Directory Manager" -w Secret123 -c << EOF
+dn: cn=$TPSHOST:8443,cn=TPSList,ou=Security Domain,dc=ca,dc=pki,dc=example,dc=com
+changetype: delete
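Review bot: `$TPSHOST` is interpolated into the DN on the `dn:` line with no check that it is set, so an unset variable makes the script attempt to delete `cn=:8443,cn=TPSList,...`, and `-c` (continue on error) means the failure is not reported as a non-zero exit. Add `: "${TPSHOST:?TPSHOST is not set}"` before the `ldapmodify` call. The here-document terminator is not visible in this rendering, so the remainder of the LDIF could not be reviewed.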
diff --git a/scripts/ b/scripts/
index 33c2101..0bc8ef1 100755
--- a/scripts/
+++ b/scripts/
@@ -1,7 +1,22 @@
#!/bin/sh -x
SRC_DIR=`cd ../.. ; pwd`
cd $SRC_DIR/tomcatjss
+git archive --format=tar.gz --prefix tomcatjss-$version/ -o ../tomcatjss-fedora/$archive -v HEAD
+cd $SRC_DIR/tomcatjss-fedora
+checksum=`sha512sum $archive | awk '{print $1;}'`
+sed -ri "s/SHA512 \($archive\) = .*/SHA512 \($archive\) = $checksum/" sources
+#fedpkg local
+#dnf reinstall -y ../tomcatjss-fedora/noarch/tomcatjss-$version-*.rpm
+#ant install
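Review bot: The `checksum=` assignment on the `sha512sum` line runs under `#!/bin/sh -x` with no `-e`, so if the preceding `git archive` or the `cd` fails, `sha512sum` errors out, `$checksum` is empty and the following `sed -ri` writes `SHA512 ($archive) = ` into `sources` — silently corrupting the integrity record the package build relies on. Chain the critical steps, e.g. `git archive ... || exit 1`, `cd $SRC_DIR/tomcatjss-fedora || exit 1`, and `[ -n "$checksum" ] || exit 1` before the `sed`. `$version` and `$archive` are not defined in the visible lines; presumably they are set in lines of this hunk not shown here, otherwise the `--prefix tomcatjss-/` and `-o ../tomcatjss-fedora/` arguments would be malformed. `$archive` is also interpolated unescaped into the `sed` regex, which is fine for a plain tarball name but will misbehave if the name ever contains regex metacharacters.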
diff --git a/scripts/ b/scripts/
new file mode 100755
index 0000000..4862bb7
--- /dev/null
+++ b/scripts/
@@ -0,0 +1,10 @@
+/bin/cp ../../pki/base/server/share/webapps/ROOT/* /usr/share/pki/server/webapps/ROOT/
+/bin/cp ../../pki/base/server/share/webapps/pki/* /usr/share/pki/server/webapps/pki/
+/bin/cp ../../pki/base/server/share/webapps/pki/ui/* /usr/share/pki/server/webapps/pki/ui/
+/bin/cp ../../pki/base/server/share/webapps/pki/js/* /usr/share/pki/server/webapps/pki/js/
+/bin/cp ../../pki/dogtag/common-ui/shared/css/* /usr/share/pki/common-ui/css/
+/bin/cp ../../pki/base/ca/shared/webapps/ca/* /usr/share/pki/ca/webapps/ca/