From b48b8e1bcecd9c49558ccc825de85613a9ba4ddd Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata"
Date: Thu, 9 Jun 2016 08:17:14 +0200
Subject: Updated TPS scripts.
---
 scripts/tps-admin-setup.sh | 15 +++++++++++++++
 scripts/tps-agent-setup.sh | 15 +++++++++++++++
 scripts/tps-audit.xml | 34 ++++++++++++++++++++++++++++++++++
 scripts/tps-console.sh | 3 +++
 scripts/tps-enroll.sh | 26 +++++++++++++++++++++-----
 scripts/tps-format.sh | 25 ++++++++++++++++++++-----
 scripts/tps-operator-setup.sh | 17 +++++++++++++++++
 scripts/tps-pin-reset.sh | 25 +++++++++++++++++++++++++
 scripts/tps-profile-diff.sh | 10 ++++++++++
 scripts/tps-profile-export.sh | 12 ++++++++++++
 scripts/tps-token-id.sh | 3 +++
 scripts/tps-update.sh | 12 ++++++++++++
 scripts/tps-user.sh | 16 ++++++++++++++++
 scripts/tps-vlv-update.sh | 20 ++++++++++++++++++++
 14 files changed, 223 insertions(+), 10 deletions(-)
 create mode 100755 scripts/tps-admin-setup.sh
 create mode 100755 scripts/tps-agent-setup.sh
 create mode 100644 scripts/tps-audit.xml
 create mode 100755 scripts/tps-console.sh
 create mode 100755 scripts/tps-operator-setup.sh
 create mode 100755 scripts/tps-pin-reset.sh
 create mode 100755 scripts/tps-profile-diff.sh
 create mode 100755 scripts/tps-profile-export.sh
 create mode 100755 scripts/tps-token-id.sh
 create mode 100755 scripts/tps-update.sh
 create mode 100755 scripts/tps-user.sh
 create mode 100755 scripts/tps-vlv-update.sh
diff --git a/scripts/tps-admin-setup.sh b/scripts/tps-admin-setup.sh
new file mode 100755
index 0000000..daacecd
--- /dev/null
+++ b/scripts/tps-admin-setup.sh
@@ -0,0 +1,15 @@
+#!/bin/sh -x
+
+#pki -d ~/.dogtag/pki-tomcat/ca/alias -c Secret123 -n caadmin tps-user-add tpsadmin --fullName "TPS Administrator"
+#pki -d ~/.dogtag/pki-tomcat/ca/alias -c Secret123 -n caadmin tps-group-member-add "Administrators" tpsadmin
+
+REQUEST_ID=`pki -c Secret123 client-cert-request uid=tpsadmin | grep "Request ID:" | awk -F ': ' '{print $2;}'`
+echo Request ID: $REQUEST_ID
+
+CERT_ID=`pki -d ~/.dogtag/pki-tomcat/ca/alias -c Secret123 -n caadmin ca-cert-request-review --action approve $REQUEST_ID | grep "Certificate ID:" | awk -F ': ' '{print $2;}'`
+echo Certificate ID: $CERT_ID
+
+pki -d ~/.dogtag/pki-tomcat/ca/alias -c Secret123 -n caadmin tps-user-cert-add tpsadmin --serial $CERT_ID
+pki -c Secret123 client-cert-import tpsadmin --serial $CERT_ID
+
+pki -c Secret123 client-cert-show tpsadmin --pkcs12 tpsadmin.p12 --pkcs12-password Secret123
diff --git a/scripts/tps-agent-setup.sh b/scripts/tps-agent-setup.sh
new file mode 100755
index 0000000..49f86b9
--- /dev/null
+++ b/scripts/tps-agent-setup.sh
@@ -0,0 +1,15 @@
+#!/bin/sh -x
+
+pki -d ~/.dogtag/pki-tomcat/ca/alias -c Secret123 -n caadmin tps-user-add tpsagent --fullName "TPS Agent"
+pki -d ~/.dogtag/pki-tomcat/ca/alias -c Secret123 -n caadmin tps-group-member-add "TPS Agents" tpsagent
+
+REQUEST_ID=`pki -c Secret123 client-cert-request uid=tpsagent | grep "Request ID:" | awk -F ': ' '{print $2;}'`
+echo Request ID: $REQUEST_ID
+
+CERT_ID=`pki -d ~/.dogtag/pki-tomcat/ca/alias -c Secret123 -n caadmin ca-cert-request-review --action approve $REQUEST_ID | grep "Certificate ID:" | awk -F ': ' '{print $2;}'`
+echo Certificate ID: $CERT_ID
+
+pki -d ~/.dogtag/pki-tomcat/ca/alias -c Secret123 -n caadmin tps-user-cert-add tpsagent --serial $CERT_ID
+pki -c Secret123 client-cert-import tpsagent --serial $CERT_ID
+
+pki -c Secret123 client-cert-show tpsagent --pkcs12 tpsagent.p12 --pkcs12-password Secret123
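Review bot: `REQUEST_ID` and `CERT_ID` are scraped with grep/awk and never checked, so if `client-cert-request` fails or its output format differs, `ca-cert-request-review --action approve` runs with no request id and `tps-user-cert-add tpsadmin --serial` with an empty serial, while the script keeps going because `#!/bin/sh -x` sets no `-e`. Add a guard after each capture, `[ -n "$REQUEST_ID" ] || exit 1` and `[ -n "$CERT_ID" ] || exit 1`, and quote the expansions where they are passed on (`--serial "$CERT_ID"`). The `-x` trace also echoes every command, including `-c Secret123` and `--pkcs12-password Secret123`, to stderr; the `pki` CLI's `-C <password file>` option keeps the client database password out of the trace and out of `ps`. tps-agent-setup.sh in the next hunk has the same structure and the same gaps.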
diff --git a/scripts/tps-audit.xml b/scripts/tps-audit.xml
new file mode 100644
index 0000000..5f9dd8d
--- /dev/null
+++ b/scripts/tps-audit.xml
@@ -0,0 +1,34 @@
+ + + 512 + + mandatory + mandatory + disabled + enabled + enabled + enabled + enabled + enabled + enabled + enabled + enabled + enabled + enabled + mandatory + enabled + enabled + enabled + enabled + enabled + enabled + enabled + enabled + enabled + enabled + + 5 + + false + Enabled + +
diff --git a/scripts/tps-console.sh b/scripts/tps-console.sh
new file mode 100755
index 0000000..d5339e9
--- /dev/null
+++ b/scripts/tps-console.sh
@@ -0,0 +1,3 @@
+#!/bin/sh -x
+
+pkiconsole https://$HOSTNAME:8443/tps
diff --git a/scripts/tps-enroll.sh b/scripts/tps-enroll.sh
index 78c9212..73f9d44 100755
--- a/scripts/tps-enroll.sh
+++ b/scripts/tps-enroll.sh
@@ -1,18 +1,34 @@
 #!/bin/sh
+uid=$1
+cuid=$2
+
+if [ "$cuid" == "" ]; then
+ #cuid=a00192030405060708c9
+ cuid=`hexdump -v -n "10" -e '1/1 "%02x"' /dev/urandom`
+fi
+
+echo $cuid
+ tpsclient < $name.cfg +done
diff --git a/scripts/tps-token-id.sh b/scripts/tps-token-id.sh
new file mode 100755
index 0000000..9cee333
--- /dev/null
+++ b/scripts/tps-token-id.sh
@@ -0,0 +1,3 @@
+#!/bin/sh
+
+echo `hexdump -v -n "10" -e '1/1 "%02x"' /dev/urandom` | tr '[:lower:]' '[:upper:]'
diff --git a/scripts/tps-update.sh b/scripts/tps-update.sh
new file mode 100755
index 0000000..1ed5084
--- /dev/null
+++ b/scripts/tps-update.sh
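Review bot: `if [ "$cuid" == "" ]; then` in tps-enroll.sh uses `==`, which is not a POSIX `test` operator; under a non-bash `/bin/sh` such as dash the test fails with an "unexpected operator" error and the branch is skipped, leaving `cuid` empty when no second argument is given. `if [ -z "$cuid" ]; then` is portable and says what is meant. Quoting the echoed value (`echo "$cuid"`) and using `$(...)` instead of backticks would also bring it in line with the generator added in tps-token-id.sh by this same commit, which this script could simply call rather than duplicating the hexdump expression. The rest of this hunk from the `tpsclient <` heredoc onward is not legible in this rendering, so the enrollment body itself was not reviewed.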
@@ -0,0 +1,12 @@
+#!/bin/sh
+
+/bin/cp $HOME/Projects/pki/base/tps/shared/webapps/tps/* /usr/share/pki/tps/webapps/tps/
+/bin/cp $HOME/Projects/pki/base/tps/shared/webapps/tps/ui/* /usr/share/pki/tps/webapps/tps/ui/
+/bin/cp $HOME/Projects/pki/base/tps/shared/webapps/tps/js/* /usr/share/pki/tps/webapps/tps/js/
+/bin/cp $HOME/Projects/pki/base/server/share/webapps/pki/js/* /usr/share/pki/server/webapps/pki/js/
+
+/bin/cp $HOME/Projects/pki/dogtag/common-ui/shared/css/* /usr/share/pki/common-ui/css/
+
+#/bin/cp $HOME/Projects/pki/base/server/share/webapps/pki/fonts/* /usr/share/pki/common-ui/fonts/
+
+/bin/cp $HOME/Projects/pki/base/tps/shared/conf/token-states.properties /usr/share/pki/tps/conf/
diff --git a/scripts/tps-user.sh b/scripts/tps-user.sh
new file mode 100755
index 0000000..8fc3b60
--- /dev/null
+++ b/scripts/tps-user.sh
@@ -0,0 +1,16 @@
+#!/bin/sh
+
+uid=$1
+
+ldapadd -h $HOSTNAME -p 389 -D "cn=Directory Manager" -w Secret123 << EOF
+dn: uid=$uid,ou=people,dc=example,dc=com
+objectClass: top
+objectClass: person
+objectClass: organizationalPerson
+objectClass: inetOrgPerson
+uid: $uid
+cn: Test User
+sn: User
+givenName: Test
+userPassword: Secret123
+EOF
diff --git a/scripts/tps-vlv-update.sh b/scripts/tps-vlv-update.sh
new file mode 100755
index 0000000..f05e6d0
--- /dev/null
+++ b/scripts/tps-vlv-update.sh
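Review bot: None of the `/bin/cp` lines in tps-update.sh checks its exit status and `$HOME/...` is expanded unquoted, so under a plain `#!/bin/sh` a failed copy (missing checkout, permission denied on /usr/share/pki) is skipped silently and the later copies still run, leaving the installed webapp half-updated. Add `set -e` after the shebang and quote the source paths (`"$HOME"/Projects/...`), or suffix each copy with `|| exit 1`. A one-line header comment stating that the script overlays a development checkout onto the installed /usr/share/pki tree and needs write access to those system paths would make the intent clear to anyone who finds it.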
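Review bot: `-w Secret123` in tps-user.sh puts the Directory Manager password on the command line, where any local user can read it from `ps` and where it lands in shell history; OpenLDAP's `-y <password file>` (or `-W` to prompt) keeps it out of argv, and tps-vlv-update.sh in the last hunk has the same pattern on both its ldapdelete and ldapadd lines. `uid=$1` is interpolated into the `dn:` and `uid:` lines without any check, so a missing argument produces `dn: uid=,ou=people,dc=example,dc=com` and a value containing LDIF-significant characters is spliced straight into the entry; `: "${uid:?usage: $0 <uid>}"` at least rejects the empty case. Unlike tps-vlv-update.sh this ldapadd omits `-x`, so whether a simple bind is actually used depends on the ldapadd build's default, which is worth making explicit.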
@@ -0,0 +1,20 @@
+#!/bin/sh -x
+
+ldapdelete -x -D "cn=Directory Manager" -w Secret123 << EOF
+cn=listTokensIndex,cn=listTokens,cn=tps,cn=ldbm database,cn=plugins,cn=config
+cn=listTokens,cn=tps,cn=ldbm database,cn=plugins,cn=config
+cn=listActivitiesIndex,cn=listActivities,cn=tps,cn=ldbm database,cn=plugins,cn=config
+cn=listActivities,cn=tps,cn=ldbm database,cn=plugins,cn=config
+EOF
+
+/bin/cp /usr/share/pki/tps/conf/vlv.ldif .
+sed -i "s/{instanceId}/pki-tomcat/g" vlv.ldif
+sed -i "s/{database}/tps/g" vlv.ldif
+sed -i "s/{rootSuffix}/dc=tps,dc=example,dc=com/" vlv.ldif
+ldapadd -x -D "cn=Directory Manager" -w Secret123 -f vlv.ldif
+
+systemctl stop dirsrv@pki-tomcat.service
+vlvindex -Z pki-tomcat -n tps -T listTokensIndex
+vlvindex -Z pki-tomcat -n tps -T listActivitiesIndex
+systemctl start dirsrv@pki-tomcat.service
+
-- cgit
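Review bot: Nothing between `ldapadd -x ... -f vlv.ldif` and `systemctl stop dirsrv@pki-tomcat.service` checks that the VLV definitions were actually added, so under `#!/bin/sh -x` (no `-e`) a failed ldapadd still takes the directory server down and runs `vlvindex` against indexes that do not exist. Add `set -e` after the shebang, or `ldapadd ... -f vlv.ldif || exit 1`; if `set -e` is used, register `trap 'systemctl start dirsrv@pki-tomcat.service' EXIT` before the stop so a vlvindex failure cannot leave dirsrv stopped. The third `sed -i` on `{rootSuffix}` lacks the `/g` the first two have, which is only correct if that placeholder never occurs twice on one line of vlv.ldif — confirm or make it consistent. The `cp` into `.` followed by `sed -i` also overwrites any `vlv.ldif` already in the current directory; writing to a `mktemp` path avoids that.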