#!/bin/sh
########################################################################
# 
#   Copyright (C) 2006 Novell, Inc. All Rights Reserved.
# 
#   This library is free software; you can redistribute it and/or
#   modify it under the terms of the GNU Lesser General Public
#   License as published by the Free Software Foundation; version 2.1
#   of the License.
# 
#   This library is distributed in the hope that it will be useful,
#   but WITHOUT ANY WARRANTY; without even the implied warranty of
#   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
#   Library Lesser General Public License for more details.
# 
#   You should have received a copy of the GNU Lesser General Public
#   License along with this library; if not, Novell, Inc.
#  
#   To contact Novell about this file by physical or electronic mail, 
#   you may find current contact information at www.novell.com.
#  
#   Author: Juan Carlos Luciani <jluciani@novell.com>
#   
########################################################################

########################################################################
#
# CASA ATS Keystore Setup Script.
#
# An ATS signs tokens and communicates with clients over
# SSL. This scrip sets up the necessary key-pairs and
# certificates for the ATS to perform these functions.
#
# For token signing purposes, this scrip creates a self
# signed certificate that it then exports. At this time it
# is sufficient to utilize self signed certificates because
# they are meant to be consumed by entities of the local
# box.
#
########################################################################

# Source our environment variables file
. /etc/CASA/authtoken/svc/envvars

KEYTOOL_PATH=$JAVA_HOME/bin/keytool
KEYSTORE_PATH=/etc/CASA/authtoken/keys/server/jks-store
TRUSTED_ATS_KEYSTORE_PATH=/etc/CASA/authtoken/keys/trusted-ats-jks-store
LOCAL_ATS_SIGNING_CERT_PATH=/etc/CASA/authtoken/keys/localSigningCert


# Perform the operation requested

# Proceed based on whether or not the server keystore has been created
if [ -f $KEYSTORE_PATH ]; then
   echo "The server keystore is already setup"

   # Make sure that the keystore file is owned by our service
   chown casaatsd:casaauth $KEYSTORE_PATH
else
   echo "Setting up the server's keystore"

   # Create the server keystore with the key that will be used for signing tokens
   host=`hostname -f`
   $KEYTOOL_PATH -genkey -alias signingKey -keystore $KEYSTORE_PATH -dname "cn=casaatsd@$host" -validity 3600 -keypass secret -storepass secret

   # Export self-signed certificate for the signing key
   $KEYTOOL_PATH -export -keystore $KEYSTORE_PATH -alias signingKey -storepass secret -keypass secret -file $LOCAL_ATS_SIGNING_CERT_PATH

   # Print the exported cert
   #$KEYTOOL_PATH -printcert -file $LOCAL_ATS_SIGNING_CERT_PATH

   # Import the signing certificate into the trusted ATS keystore
   $KEYTOOL_PATH -import -noprompt -keystore $TRUSTED_ATS_KEYSTORE_PATH -alias local_signingCert -storepass secret -keypass secret -file $LOCAL_ATS_SIGNING_CERT_PATH

   # Create a key for Tomcat to do SSL communications
   $KEYTOOL_PATH -genkey -alias tomcat -keyalg RSA -keystore $KEYSTORE_PATH -dname "cn=$host" -validity 3600 -keypass secret -storepass secret

   # List the contents of the server's keystore
   #$KEYTOOL_PATH -list -rfc -keystore $KEYSTORE_PATH -storepass secret

   # Make sure that the server keystore is only accessible by the service
   chown casaatsd:casaauth $KEYSTORE_PATH
   chmod 600 $KEYSTORE_PATH
fi