ATS changes to allow it to leverage installed server certificate and

server key (/etc/ssl/servercerts/serverkey.pem and
/etc/ssl/servercerts/servercert.pem) for SSL communications.

CASA-auth-token/server-java/Svc/linux/CasaAuthtokenSvcD

@@ -100,10 +100,20 @@ StartDAEMON()
       # file for the JVM version that we are using.
       if [ -z "${TEST_IBM_JVM}" ]; then
         # Assume Sun JVM
-        ln -s /srv/www/casaats/conf/server-sun.xml /srv/www/casaats/conf/server.xml
+        # Use PKCS12 version if PKCS12 store exists
+        if [ -f /etc/ssl/servercerts/keystore.p12 ]; then
+          ln -s /srv/www/casaats/conf/server-pkcs12-sun.xml /srv/www/casaats/conf/server.xml
+        else
+          ln -s /srv/www/casaats/conf/server-sun.xml /srv/www/casaats/conf/server.xml
+        fi
       else
         # IBM JVM
-        ln -s /srv/www/casaats/conf/server-ibm.xml /srv/www/casaats/conf/server.xml
+        # Use PKCS12 version if PKCS12 store exists
+        if [ -f /etc/ssl/servercerts/keystore.p12 ]; then
+          ln -s /srv/www/casaats/conf/server-pkcs12-ibm.xml /srv/www/casaats/conf/server.xml
+        else
+          ln -s /srv/www/casaats/conf/server-ibm.xml /srv/www/casaats/conf/server.xml
+        fi
       fi
 
       # Make sure that our service has rights to the file

CASA-auth-token/server-java/Svc/linux/Makefile.am

@@ -31,6 +31,7 @@ EXTRA_DIST = CasaAuthtokenSvcD \
 		envvars.zen \
 		server_keystore_setup.sh \
 		refresh_trusted_ats_keystore.sh \
+		refresh_server_keystore.sh \
 		casa_crypto.properties \
 		CasaBasicATSSetup.sh \
 		CasaAuthPolicyEditor.sh \

CASA-auth-token/server-java/Svc/linux/refresh_server_keystore.sh

@@ -0,0 +1,68 @@
+#!/bin/sh
+########################################################################
+# 
+#   Copyright (C) 2006 Novell, Inc. All Rights Reserved.
+# 
+#   This library is free software; you can redistribute it and/or
+#   modify it under the terms of the GNU Lesser General Public
+#   License as published by the Free Software Foundation; version 2.1
+#   of the License.
+# 
+#   This library is distributed in the hope that it will be useful,
+#   but WITHOUT ANY WARRANTY; without even the implied warranty of
+#   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+#   Library Lesser General Public License for more details.
+# 
+#   You should have received a copy of the GNU Lesser General Public
+#   License along with this library; if not, Novell, Inc.
+#  
+#   To contact Novell about this file by physical or electronic mail, 
+#   you may find current contact information at www.novell.com.
+#  
+#   Author: Juan Carlos Luciani <jluciani@novell.com>
+#   
+########################################################################
+
+########################################################################
+#
+# CASA ATS Keystore Refresh Script.
+#
+# An ATS signs tokens and communicates with clients over
+# SSL. This scrip tries to update the ATS configuration to leverage
+# the server certificate and key if installed for SSL communications.
+#
+########################################################################
+
+# Source our environment variables file
+. /etc/CASA/authtoken/svc/envvars
+
+PKCS12_KEYSTORE_PATH=/etc/ssl/servercerts/keystore.p12
+SERVER_CERT_PATH=/etc/ssl/servercerts/servercert.pem
+SERVER_KEY_PATH=/etc/ssl/servercerts/serverkey.pem
+SERVER_XML_PATH=/srv/www/casaats/conf/server.xml
+
+
+# Try to leverage server certificate and key 
+if [ -f /etc/ssl/servercerts/serverkey.pem ]; then
+   # Check if we must create PKCS12 keystore
+   if [ ! -f $PKCS12_KEYSTORE_PATH ]; then
+      # Create PKCS12 keystore
+      openssl pkcs12 -export -in $SERVER_CERT_PATH -inkey $SERVER_KEY_PATH -name tomcat -out PKCS12_KEYSTORE_PATH -password pass:password
+
+      # Make sure that the PKCS12 keystore is only accessible by the service
+      chown casaatsd:casaauth $PKCS12_KEYSTORE_PATH
+      chmod 600 $PKCS12_KEYSTORE_PATH
+   fi
+
+   // Make sure that the ATS is configured to leverage the server certificate and key
+   TEST_IBM_JVM=$($JAVA_HOME/bin/java -version 2>&1 | grep -i ibm)
+   rm -f $SERVER_XML_PATH
+   if [ -z "${TEST_IBM_JVM}" ]; then
+      # Assume Sun JVM
+      ln -s /srv/www/casaats/conf/server-pkcs12-sun.xml $SERVER_XML_PATH
+   else
+     # IBM JVM
+     ln -s /srv/www/casaats/conf/server-pkcs12-ibm.xml $SERVER_XML_PATH
+   fi
+fi
+

CASA-auth-token/server-java/Svc/linux/server_keystore_setup.sh

@@ -50,11 +50,12 @@ LOCAL_ATS_SIGNING_CERT_PATH=/etc/CASA/authtoken/keys/localSigningCert
 
 # Perform the operation requested
 
-# Do not do anything if the server keystore has already been created
+# Proceed based on whether or not the server keystore has been created
 if [ -f $KEYSTORE_PATH ]; then
    echo "The server keystore is already setup"
-        # Make sure that the keystore file is owned by our service
-        chown casaatsd:casaauth $KEYSTORE_PATH
+
+   # Make sure that the keystore file is owned by our service
+   chown casaatsd:casaauth $KEYSTORE_PATH
 else
    echo "Setting up the server's keystore"
 
@@ -82,3 +83,5 @@ else
    chmod 600 $KEYSTORE_PATH
 fi
 
+
+