#!/bin/sh
########################################################################
# 
#   Copyright (C) 2006 Novell, Inc. All Rights Reserved.
# 
#   This library is free software; you can redistribute it and/or
#   modify it under the terms of the GNU Lesser General Public
#   License as published by the Free Software Foundation; version 2.1
#   of the License.
# 
#   This library is distributed in the hope that it will be useful,
#   but WITHOUT ANY WARRANTY; without even the implied warranty of
#   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
#   Library Lesser General Public License for more details.
# 
#   You should have received a copy of the GNU Lesser General Public
#   License along with this library; if not, Novell, Inc.
#  
#   To contact Novell about this file by physical or electronic mail, 
#   you may find current contact information at www.novell.com.
#  
#   Author: Juan Carlos Luciani <jluciani@novell.com>
#   
########################################################################

########################################################################
#
# CASA ATS Keystore Refresh Script.
#
# An ATS signs tokens and communicates with clients over
# SSL. This script tries to update the ATS configuration to use
# the server certificate and key, if installed, for SSL communications.
#
########################################################################

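# Source our environment variables file (provides JAVA_HOME, which is used
# below to detect the JVM vendor).
. /etc/CASA/authtoken/svc/envvars

PKCS12_KEYSTORE_PATH=/etc/ssl/servercerts/keystore.p12
SERVER_CERT_PATH=/etc/ssl/servercerts/servercert.pem
SERVER_KEY_PATH=/etc/ssl/servercerts/serverkey.pem
SERVER_XML_PATH=/srv/www/casaats/conf/server.xml

# Passphrase protecting the generated PKCS12 keystore.  NOTE(review): this is
# a fixed, publicly known value and presumably must match the keystorePass in
# the server-pkcs12-*.xml templates linked below (not visible here -- confirm
# before changing it).  It provides no confidentiality of its own; the server
# private key inside the keystore is protected solely by the ownership and
# 0600 mode applied after creation.
PKCS12_KEYSTORE_PASS=password

# Try to leverage the server certificate and key.  Both files are required to
# build the keystore; if either is missing the ATS configuration is left alone.
if [ -f "$SERVER_KEY_PATH" ] && [ -f "$SERVER_CERT_PATH" ]; then
   # Check if we must create the PKCS12 keystore
   if [ ! -f "$PKCS12_KEYSTORE_PATH" ]; then
      # Create the PKCS12 keystore.  The umask is tightened in a subshell so
      # the file (which contains the server private key) is never world-
      # readable in the window between openssl writing it and the chmod below.
      if ! ( umask 077 && openssl pkcs12 -export -in "$SERVER_CERT_PATH" -inkey "$SERVER_KEY_PATH" -name tomcat -out "$PKCS12_KEYSTORE_PATH" -password "pass:$PKCS12_KEYSTORE_PASS" ); then
         # Remove any partial output so the next run retries instead of
         # skipping creation because a broken keystore already exists, and do
         # not switch the ATS to a keystore-based configuration it cannot load.
         rm -f "$PKCS12_KEYSTORE_PATH"
         echo "$0: failed to create $PKCS12_KEYSTORE_PATH" >&2
         exit 1
      fi

      # Make sure that the PKCS12 keystore is only accessible by the service
      chown casaatsd:casaauth "$PKCS12_KEYSTORE_PATH"
      chmod 600 "$PKCS12_KEYSTORE_PATH"
   fi

   # Make sure that the ATS is configured to leverage the server certificate
   # and key.  The keystore configuration differs by JVM vendor, so link the
   # matching server.xml template; any JVM that does not identify itself as
   # IBM is treated as the Sun JVM.
   TEST_IBM_JVM=$("$JAVA_HOME/bin/java" -version 2>&1 | grep -i ibm)
   rm -f "$SERVER_XML_PATH"
   if [ -z "${TEST_IBM_JVM}" ]; then
      # Assume Sun JVM
      ln -s /srv/www/casaats/conf/server-pkcs12-sun.xml "$SERVER_XML_PATH"
   else
      # IBM JVM
      ln -s /srv/www/casaats/conf/server-pkcs12-ibm.xml "$SERVER_XML_PATH"
   fi
fi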