From 45edbfb5082cd07b1bfd437d94a6d8f8dd99a74e Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata"
Date: Tue, 1 Aug 2017 04:55:58 +0200
Subject: Updated KRA scripts.
---
 scripts/kra-clone-create.sh | 56 +++++++++++++++++++++++++++++++++++++++--
 scripts/kra-clone-prep.sh | 16 ++++++++++++
 scripts/kra-create.sh | 3 +++
 scripts/kra-standalone-step1.sh | 3 +++
 scripts/kra-standalone-step2.sh | 5 +++-
 5 files changed, 80 insertions(+), 3 deletions(-)
 create mode 100755 scripts/kra-clone-prep.sh
diff --git a/scripts/kra-clone-create.sh b/scripts/kra-clone-create.sh
index 9bc4b9c..1e3ef38 100755
--- a/scripts/kra-clone-create.sh
+++ b/scripts/kra-clone-create.sh
@@ -1,5 +1,57 @@
 #!/bin/sh -x
 
-/bin/cp kra_backup_keys.p12 /tmp
+mkdir -p tmp
 
-pkispawn -vvv -f kraclone.cfg -s KRA
+MASTER=`cat tmp/master.txt`
+
+cat > tmp/kra-clone.cfg << EOF
+[DEFAULT]
+pki_pin=Secret.123
+
+#pki_instance_name=pki-clone
+#pki_http_port=18080
+#pki_https_port=18443
+#pki_ajp_port=18009
+#pki_tomcat_server_port=18005
+
+[KRA]
+pki_admin_email=kraadmin@example.com
+pki_admin_name=kraadmin
+pki_admin_nickname=kraadmin
+pki_admin_password=Secret.123
+pki_admin_uid=kraadmin
+
+#pki_backup_keys=True
+pki_backup_password=Secret.123
+
+pki_client_database_password=Secret.123
+pki_client_database_purge=False
+pki_client_pkcs12_password=Secret.123
+
+pki_ds_base_dn=dc=kra,dc=pki,dc=example,dc=com
+pki_ds_database=kra
+pki_ds_password=Secret.123
+#pki_ds_ldap_port=10389
+
+pki_security_domain_hostname=$MASTER
+pki_security_domain_https_port=8443
+pki_security_domain_password=Secret.123
+pki_security_domain_user=caadmin
+
+pki_issuing_ca_hostname=$MASTER
+#pki_issuing_ca_https_port=18443
+
+pki_clone=True
+pki_clone_pkcs12_password=Secret.123
+pki_clone_pkcs12_path=$PWD/tmp/kra-certs.p12
+pki_clone_replicate_schema=True
+pki_clone_uri=https://$MASTER:8443
+
+pki_storage_nickname=kra_storage
+pki_transport_nickname=kra_transport
+pki_audit_signing_nickname=kra_audit_signing
+pki_ssl_server_nickname=sslserver
+pki_subsystem_nickname=subsystem
+EOF
+
+pkispawn -vvv -f tmp/kra-clone.cfg -s KRA
diff --git a/scripts/kra-clone-prep.sh b/scripts/kra-clone-prep.sh
new file mode 100755
index 0000000..4dd9f1a
--- /dev/null
+++ b/scripts/kra-clone-prep.sh
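Review bot: `MASTER=\`cat tmp/master.txt\`` is never checked, so a missing or empty tmp/master.txt leaves `pki_security_domain_hostname=`, `pki_issuing_ca_hostname=` and `pki_clone_uri=https://:8443` without a host in the generated config, and pkispawn still runs because the script has no `set -e`. Read it as `MASTER=$(cat tmp/master.txt) || exit 1` followed by `: "${MASTER:?tmp/master.txt is empty}"`. The only line in this commit that would produce tmp/master.txt is commented out in kra-clone-prep.sh, so the file currently has to be created by hand; a comment above the assignment saying so would save the next person a failed clone. The heredoc also writes several cleartext passwords to tmp/kra-clone.cfg under the caller's default umask; `umask 077` before the `cat >` keeps that file owner-readable.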
@@ -0,0 +1,16 @@
+#!/bin/sh -x
+
+mkdir -p tmp
+
+#echo $HOSTNAME > tmp/master.txt
+
+grep "internal=" /var/lib/pki/pki-tomcat/conf/password.conf | awk -F= '{print $2}' > tmp/internal.txt
+
+PKCS12Export -debug -d /var/lib/pki/pki-tomcat/alias -p tmp/internal.txt -w password.txt -o tmp/ca_backup_keys.p12
+pki pkcs12-cert-find --pkcs12-file tmp/ca_backup_keys.p12 --pkcs12-password-file password.txt
+
+pki-server kra-clone-prepare --pkcs12-file tmp/kra-certs.p12 --pkcs12-password-file password.txt
+pki pkcs12-cert-find --pkcs12-file tmp/kra-certs.p12 --pkcs12-password-file password.txt
+
+#cp ~/.dogtag/pki-tomcat/ca_admin.cert tmp
+#cp ~/.dogtag/pki-tomcat/ca_admin_cert.p12 tmp
diff --git a/scripts/kra-create.sh b/scripts/kra-create.sh
index 7a741e9..939b7eb 100755
--- a/scripts/kra-create.sh
+++ b/scripts/kra-create.sh
@@ -3,6 +3,9 @@
 mkdir -p tmp
 
 cat > tmp/kra.cfg << EOF
+[DEFAULT]
+pki_pin=Secret.123
+
 [KRA]
 pki_admin_cert_file=/root/.dogtag/pki-tomcat/ca_admin.cert
 #pki_import_admin_cert=False
diff --git a/scripts/kra-standalone-step1.sh b/scripts/kra-standalone-step1.sh
index 71935f4..1c51931 100755
--- a/scripts/kra-standalone-step1.sh
+++ b/scripts/kra-standalone-step1.sh
@@ -3,6 +3,9 @@
 mkdir -p tmp
 
 cat > tmp/kra-standalone-step1.cfg << EOF
+[DEFAULT]
+pki_pin=Secret.123
+
 [KRA]
 pki_admin_email=kraadmin@example.com
 pki_admin_name=kraadmin
diff --git a/scripts/kra-standalone-step2.sh b/scripts/kra-standalone-step2.sh
index ac6aaee..f20d8b1 100755
--- a/scripts/kra-standalone-step2.sh
+++ b/scripts/kra-standalone-step2.sh
@@ -6,6 +6,9 @@
 mkdir -p tmp
 # cp tmp/ca_signing.crt tmp/cert_chain.p7b
 cat > tmp/kra-standalone-step2.cfg << EOF
+[DEFAULT]
+pki_pin=Secret.123
+
 [KRA]
 pki_admin_email=kraadmin@example.com
 pki_admin_name=kraadmin
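Review bot: The NSS internal-token password is copied out of password.conf into tmp/internal.txt with the caller's default umask and is never removed, so it outlives the single PKCS12Export call that needs it; add `umask 077` after the shebang and `rm -f tmp/internal.txt` once PKCS12Export has returned. `awk -F= '{print $2}'` also drops everything after a second `=` in the value, and the unanchored `grep "internal="` matches the key anywhere in a line; `sed -n 's/^internal=//p' /var/lib/pki/pki-tomcat/conf/password.conf > tmp/internal.txt` handles both. The `#echo $HOSTNAME > tmp/master.txt` line stays commented out although kra-clone-create.sh in this same commit reads tmp/master.txt, so the clone step fails unless that file is produced by hand; either enable the line or document the manual step.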
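Review bot: `pki_pin=Secret.123` adds another copy of the literal that the other passwords in these generated configs already use, and the identical two lines are added to kra-standalone-step1.sh and kra-standalone-step2.sh in this commit. Because the heredoc delimiter is unquoted (`<< EOF`), shell expansion applies inside it, so a single variable near the top such as `PASSWORD=Secret.123` and then `pki_pin=$PASSWORD` would give one place to change when these lab scripts are pointed at a non-default password. The heredoc that the new lines live in ends outside the hunk.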
@@ -37,7 +40,7 @@
 pki_ssl_server_nickname=sslserver
 pki_subsystem_nickname=subsystem
 pki_cert_chain_nickname=ca_signing
-pki_external_ca_cert_chain_path=$PWD/tmp/cert_chain.p7b
+#pki_external_ca_cert_chain_path=$PWD/tmp/cert_chain.p7b
 pki_external_ca_cert_path=$PWD/tmp/ca_signing.crt
 pki_external_admin_cert_path=$PWD/tmp/kra_admin.crt
 pki_external_storage_cert_path=$PWD/tmp/kra_storage.crt
-- cgit
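Review bot: Commenting out `pki_external_ca_cert_chain_path` leaves `pki_cert_chain_nickname=ca_signing` active three lines above with no note on why the chain file is no longer supplied, and the `# cp tmp/ca_signing.crt tmp/cert_chain.p7b` line in the earlier hunk of this file is disabled the same silent way. If the single CA certificate from `pki_external_ca_cert_path` is meant to stand in for the chain, a one-line comment such as `# chain file not built; CA cert is supplied via pki_external_ca_cert_path` would make the intent clear; otherwise the dead line is better deleted than kept commented out. The heredoc containing these lines starts and ends outside the hunk.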