Changes to allow for the setup of trust relationships with ATSs.

2007-06-01 15:41:46 +00:00 · 2007-06-01 15:41:46 +00:00 · ef99031e7e
commit ef99031e7e
parent 01978036ef
15 changed files with 284 additions and 82 deletions
--- a/CASA-auth-token/server-java/Jaas/linux/casa_crypto.properties
+++ b/CASA-auth-token/server-java/Jaas/linux/casa_crypto.properties
@ -1,5 +1,4 @@
 com.novell.casa.authtoksvc.crypto.keystore.type=jks
-com.novell.casa.authtoksvc.crypto.keystore.password=secret
-com.novell.casa.authtoksvc.crypto.keystore.alias=signingCert
-com.novell.casa.authtoksvc.crypto.alias.password=secret
-com.novell.casa.authtoksvc.crypto.file=/etc/CASA/authtoken/keys/client/jks-store
+com.novell.casa.authtoksvc.crypto.trusted_ats_keystore.password=secret
+com.novell.casa.authtoksvc.crypto.trusted_ats_keystore.file=/etc/CASA/authtoken/keys/trusted-ats-jks-store
+
--- a/CASA-auth-token/server-java/Jaas/linux/client_keystore_setup.sh
+++ b/CASA-auth-token/server-java/Jaas/linux/client_keystore_setup.sh
@ -48,24 +48,26 @@ else
 fi

 JAVA_HOME=/usr/$LIB/jvm/jre-1.5.0
+KEYTOOL_PATH=$JAVA_HOME/bin/keytool
+KEYSTORE_PATH=/etc/CASA/authtoken/keys/trusted-ats-jks-store
+LOCAL_ATS_SIGNING_CERT_PATH=/etc/CASA/authtoken/keys/localSigningCert

 # Do not do anything if the client keystore has already been created
-if [ -f /etc/CASA/authtoken/keys/client/jks-store ]; then
+if [ -f $KEYSTORE_PATH ]; then
   if [ $SILENT == 0 ]; then
      echo "The client keystore is already setup"
   fi
 else
-   if [ -f /etc/CASA/authtoken/keys/casaatsdSigningCert ]; then
+   if [ -f $LOCAL_ATS_SIGNING_CERT_PATH ]; then
      echo "Setting up the clients's keystore"

-      KEYTOOL_PATH=$JAVA_HOME/bin/keytool
-
      # Import the certificate to the client's keystore
-      $KEYTOOL_PATH -import -noprompt -keystore /etc/CASA/authtoken/keys/client/jks-store -alias signingCert -storepass secret -keypass secret -file /etc/CASA/authtoken/keys/casaatsdSigningCert
+      $KEYTOOL_PATH -import -noprompt -keystore $KEYSTORE_PATH -alias signingCert -storepass secret -keypass secret -file $LOCAL_ATS_SIGNING_CERT_PATH

      # List the content's of the client's keystore
-      #$KEYTOOL_PATH -list -rfc -keystore client/jks-store -alias signingCert -storepass secret
+      #$KEYTOOL_PATH -list -rfc -keystore $KEYSTORE_PATH -alias signingCert -storepass secret
   else
-      echo "File /etc/CASA/authtoken/keys/casaatsdSigningCert not found" 
+      echo "File $LOCAL_ATS_SIGNING_CERT_PATH not found" 
   fi
 fi
+
--- a/CASA-auth-token/server-java/Jaas/linux/client_keystore_setup.sh.zen
+++ b/CASA-auth-token/server-java/Jaas/linux/client_keystore_setup.sh.zen
@ -42,26 +42,26 @@ if [ "$1" != "" ]; then
   fi
 fi

-# Set JAVA_HOME
 JAVA_HOME="/opt/novell/zenworks/share/java"
+KEYTOOL_PATH=$JAVA_HOME/bin/keytool
+KEYSTORE_PATH=/etc/CASA/authtoken/keys/trusted-ats-jks-store
+LOCAL_ATS_SIGNING_CERT_PATH=/etc/CASA/authtoken/keys/localSigningCert

 # Do not do anything if the client keystore has already been created
-if [ -f /etc/CASA/authtoken/keys/client/jks-store ]; then
+if [ -f $KEYSTORE_PATH ]; then
   if [ $SILENT == 0 ]; then
      echo "The client keystore is already setup"
   fi
 else
-   if [ -f /etc/CASA/authtoken/keys/casaatsdSigningCert ]; then
+   if [ -f $LOCAL_ATS_SIGNING_CERT_PATH ]; then
      echo "Setting up the clients's keystore"

-      KEYTOOL_PATH=$JAVA_HOME/bin/keytool
-
      # Import the certificate to the client's keystore
-      $KEYTOOL_PATH -import -noprompt -keystore /etc/CASA/authtoken/keys/client/jks-store -alias signingCert -storepass secret -keypass secret -file /etc/CASA/authtoken/keys/casaatsdSigningCert
+      $KEYTOOL_PATH -import -noprompt -keystore $KEYSTORE_PATH -alias signingCert -storepass secret -keypass secret -file $LOCAL_ATS_SIGNING_CERT_PATH

      # List the content's of the client's keystore
-      #$KEYTOOL_PATH -list -rfc -keystore client/jks-store -alias signingCert -storepass secret
+      #$KEYTOOL_PATH -list -rfc -keystore $KEYSTORE_PATH -alias signingCert -storepass secret
   else
-      echo "File /etc/CASA/authtoken/keys/casaatsdSigningCert not found" 
+      echo "File $LOCAL_ATS_SIGNING_CERT_PATH not found" 
   fi
 fi
--- a/CASA-auth-token/server-java/Jaas/windows/casa_crypto.properties
+++ b/CASA-auth-token/server-java/Jaas/windows/casa_crypto.properties
@ -1,5 +1,4 @@
 com.novell.casa.authtoksvc.crypto.keystore.type=jks
-com.novell.casa.authtoksvc.crypto.keystore.password=secret
-com.novell.casa.authtoksvc.crypto.keystore.alias=signingCert
-com.novell.casa.authtoksvc.crypto.alias.password=secret
-com.novell.casa.authtoksvc.crypto.file=/etc/CASA/authtoken/keys/client/jks-store
+com.novell.casa.authtoksvc.crypto.trusted_ats_keystore.password=secret
+com.novell.casa.authtoksvc.crypto.trusted_ats_keystore.file=ATS_INSTALL_DIR//etc//keys//trusted-ats-jks-store
+
--- a/CASA-auth-token/server-java/Svc/linux/Makefile.am
+++ b/CASA-auth-token/server-java/Svc/linux/Makefile.am
@ -30,6 +30,7 @@ EXTRA_DIST = CasaAuthtokenSvcD \
 		envvars \
 		envvars.zen \
 		server_keystore_setup.sh \
+		refresh_trusted_ats_keystore.sh \
 		casa_crypto.properties \
 		CasaBasicATSSetup.sh \
 		CasaAuthPolicyEditor.sh \
--- a/CASA-auth-token/server-java/Svc/linux/casa_crypto.properties
+++ b/CASA-auth-token/server-java/Svc/linux/casa_crypto.properties
@ -1,5 +1,8 @@
 com.novell.casa.authtoksvc.crypto.keystore.type=jks
+com.novell.casa.authtoksvc.crypto.trusted_ats_keystore.password=secret
+com.novell.casa.authtoksvc.crypto.trusted_ats_keystore.file=/etc/CASA/authtoken/keys/trusted-ats-jks-store
 com.novell.casa.authtoksvc.crypto.keystore.password=secret
+com.novell.casa.authtoksvc.crypto.keystore.file=/etc/CASA/authtoken/keys/server/jks-store
 com.novell.casa.authtoksvc.crypto.keystore.alias=signingKey
 com.novell.casa.authtoksvc.crypto.alias.password=secret
-com.novell.casa.authtoksvc.crypto.file=/etc/CASA/authtoken/keys/server/jks-store
+
--- a/CASA-auth-token/server-java/Svc/linux/refresh_trusted_ats_keystore.sh
+++ b/CASA-auth-token/server-java/Svc/linux/refresh_trusted_ats_keystore.sh
@ -0,0 +1,69 @@
+#!/bin/sh
+########################################################################
+# 
+#   Copyright (C) 2006 Novell, Inc. All Rights Reserved.
+# 
+#   This library is free software; you can redistribute it and/or
+#   modify it under the terms of the GNU Lesser General Public
+#   License as published by the Free Software Foundation; version 2.1
+#   of the License.
+# 
+#   This library is distributed in the hope that it will be useful,
+#   but WITHOUT ANY WARRANTY; without even the implied warranty of
+#   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+#   Library Lesser General Public License for more details.
+# 
+#   You should have received a copy of the GNU Lesser General Public
+#   License along with this library; if not, Novell, Inc.
+#  
+#   To contact Novell about this file by physical or electronic mail, 
+#   you may find current contact information at www.novell.com.
+#  
+#   Author: Juan Carlos Luciani <jluciani@novell.com>
+#   
+########################################################################
+
+#############################################################
+#                                                           #
+# CASA Authentication Token Script for refreshing the       #
+# trusted ATS keystore.                                     #
+#                                                           #
+# This script sets up the certificate associated with the   #
+# keys used by the ATS to sign authentication tokens in the #
+# keystore utilized by token validating clients.            #
+#                                                           #
+#############################################################
+
+if [ -d /usr/lib64 ]; then
+   LIB=lib64
+else
+   LIB=lib
+fi
+
+JAVA_HOME=/usr/$LIB/jvm/jre-1.5.0
+KEYTOOL_PATH=$JAVA_HOME/bin/keytool
+KEYSTORE_PATH=/etc/CASA/authtoken/keys/trusted-ats-jks-store
+LOCAL_ATS_SIGNING_CERT_PATH=/etc/CASA/authtoken/keys/localSigningCert
+NON_LOCAL_ATS_SIGNING_CERT_DIR_PATH=/etc/CASA/authtoken/keys/trustedATSCerts
+
+# Remove the keystore if present
+rm -f $KEYSTORE_PATH
+
+// Import the SigningCert from the local ATS if present
+if [ -f $LOCAL_ATS_SIGNING_CERT_PATH ]; then
+   echo "Importing local ATS cert"
+   $KEYTOOL_PATH -import -noprompt -keystore $KEYSTORE_PATH -alias local_signingCert -storepass secret -keypass secret -file $LOCAL_ATS_SIGNING_CERT_PATH
+fi
+
+// Import the SigningCert of the non-local trusted ATSs
+if [ -d $NON_LOCAL_ATS_SIGNING_CERT_DIR_PATH ]; then
+   for ATSCert in `ls $NON_LOCAL_ATS_SIGNING_CERT_DIR_PATH`
+   do
+      echo "Importing $ATSCert cert"
+      $KEYTOOL_PATH -import -noprompt -keystore $KEYSTORE_PATH -alias $ATSCert -storepass secret -keypass secret -file $NON_LOCAL_ATS_SIGNING_CERT_DIR_PATH/$ATSCert
+   done
+fi
+
+# List the content's of the trusted ATS keystore
+#$KEYTOOL_PATH -list -rfc -keystore $KEYSTORE_PATH -storepass secret
+
--- a/CASA-auth-token/server-java/Svc/linux/server_keystore_setup.sh
+++ b/CASA-auth-token/server-java/Svc/linux/server_keystore_setup.sh
@ -42,36 +42,46 @@
 # Source our environment variables file
 . /etc/CASA/authtoken/svc/envvars

+KEYTOOL_PATH=$JAVA_HOME/bin/keytool
+KEYSTORE_PATH=/etc/CASA/authtoken/keys/server/jks-store
+TRUSTED_ATS_KEYSTORE_PATH=/etc/CASA/authtoken/keys/trusted-ats-jks-store
+LOCAL_ATS_SIGNING_CERT_PATH=/etc/CASA/authtoken/keys/localSigningCert
+
+
 # Perform the operation requested

 # Do not do anything if the server keystore has already been created
-if [ -f /etc/CASA/authtoken/keys/server/jks-store ]; then
+if [ -f $KEYSTORE_PATH ]; then
   echo "The server keystore is already setup"
        # Make sure that the keystore file is owned by our service
-        chown casaatsd:casaauth /etc/CASA/authtoken/keys/server/jks-store
+        chown casaatsd:casaauth $KEYSTORE_PATH
 else
   echo "Setting up the server's keystore"

-   KEYTOOL_PATH=$JAVA_HOME/bin/keytool
-
   # Create the server keystore with the key that will be used for signing tokens
   host=`hostname -f`
-   $KEYTOOL_PATH -genkey -alias signingKey -keystore /etc/CASA/authtoken/keys/server/jks-store -dname "cn=casaatsd@$host" -validity 3600 -keypass secret -storepass secret
+   $KEYTOOL_PATH -genkey -alias signingKey -keystore $KEYSTORE_PATH -dname "cn=casaatsd@$host" -validity 3600 -keypass secret -storepass secret

   # Export self-signed certificate for the signing key
-   $KEYTOOL_PATH -export -keystore /etc/CASA/authtoken/keys/server/jks-store -alias signingKey -storepass secret -keypass secret -file /etc/CASA/authtoken/keys/casaatsdSigningCert
+   $KEYTOOL_PATH -export -keystore $KEYSTORE_PATH -alias signingKey -storepass secret -keypass secret -file $LOCAL_ATS_SIGNING_CERT_PATH

   # Print the exported cert
-   #$KEYTOOL_PATH -printcert -file /etc/CASA/authtoken/keys/casaatsdSigningCert
+   #$KEYTOOL_PATH -printcert -file $LOCAL_ATS_SIGNING_CERT_PATH

-        # Create a key for Tomcat to do SSL communications
-        $KEYTOOL_PATH -genkey -alias tomcat -keyalg RSA -keystore /etc/CASA/authtoken/keys/server/jks-store -dname "cn=$host" -validity 3600 -keypass secret -storepass secret
+   # Allow the signing certificate to be downloaded from the ATS
+   cp $LOCAL_ATS_SIGNING_CERT_PATH /srv/www/casaats/webapps/CasaAuthTokenSvc/SigningCert
+
+   # Import the signing certificate into the trusted ATS keystore
+   $KEYTOOL_PATH -import -noprompt -keystore $TRUSTED_ATS_KEYSTORE_PATH -alias local_signingCert -storepass secret -keypass secret -file $LOCAL_ATS_SIGNING_CERT_PATH
+
+   # Create a key for Tomcat to do SSL communications
+   $KEYTOOL_PATH -genkey -alias tomcat -keyalg RSA -keystore $KEYSTORE_PATH -dname "cn=$host" -validity 3600 -keypass secret -storepass secret

   # List the contents of the server's keystore
-   #$KEYTOOL_PATH -list -rfc -keystore /etc/CASA/authtoken/keys/server/jks-store -storepass secret
+   #$KEYTOOL_PATH -list -rfc -keystore $KEYSTORE_PATH -storepass secret

-   # Make sure that the keystore is only accessible by the service
-   chown casaatsd:casaauth /etc/CASA/authtoken/keys/server/jks-store
-   chmod 600 /etc/CASA/authtoken/keys/server/jks-store
+   # Make sure that the server keystore is only accessible by the service
+   chown casaatsd:casaauth $KEYSTORE_PATH
+   chmod 600 $KEYSTORE_PATH
 fi

--- a/CASA-auth-token/server-java/Svc/src/com/novell/casa/authtoksvc/SecureTokenUtil.java
+++ b/CASA-auth-token/server-java/Svc/src/com/novell/casa/authtoksvc/SecureTokenUtil.java
@ -65,6 +65,8 @@ public final class SecureTokenUtil
   //
   // The map key has the format: "IssuerDN=certissuername SN=certserialnumber"
   private Map<String,X509Certificate> m_x509ISNCertMap;
+   private Date m_x509ISNCertMapRefreshDate;
+   private int m_x509ISNCertMapRefreshInterval = 360; // seconds

   // SecureToken template
   private static final String m_secureTokenTemplate =
@ -93,6 +95,90 @@ public final class SecureTokenUtil
    */
   public SecureTokenUtil(boolean serverMode) throws Exception
   {
+      // Start by creating the trusted ATS Cert Map
+      m_x509ISNCertMap = createTrustedAtsCertMap();
+      m_x509ISNCertMapRefreshDate = new Date();
+      m_x509ISNCertMapRefreshDate.setTime(m_x509ISNCertMapRefreshDate.getTime() + (m_x509ISNCertMapRefreshInterval * 1000));
+
+      // Obtain the signing key and certificate if we are in server mode
+      if (serverMode)
+      {
+         InputStream inStream = null;
+         try
+         {
+            // Load our crypto properties
+            Properties cryptoProperties = new Properties();
+            ClassLoader classLoader = SecureTokenUtil.class.getClassLoader();
+            inStream = classLoader.getResourceAsStream("casa_crypto.properties");
+            cryptoProperties.load(inStream);
+
+            // Get necessary keystore info from the crypto properties
+            String keystoreType = cryptoProperties.getProperty("com.novell.casa.authtoksvc.crypto.keystore.type", "jks");
+            String keystoreFile = cryptoProperties.getProperty("com.novell.casa.authtoksvc.crypto.keystore.file");
+            String keystorePass = cryptoProperties.getProperty("com.novell.casa.authtoksvc.crypto.keystore.password");
+            if (keystoreType == null
+                || keystoreFile == null
+                || keystorePass == null)
+            {
+               m_log.error("Constructor()- Missing crypto configuration");
+               throw new Exception("SecureTokenUtil()- Missing crypto configuration");
+            }
+
+            // Instantiate and load the keystore
+            KeyStore keyStore = KeyStore.getInstance(keystoreType);
+            FileInputStream fis = new FileInputStream(keystoreFile);
+            keyStore.load(fis, keystorePass.toCharArray());
+
+            // Get signing key and cert if in server mode
+            if (serverMode)
+            {
+               String privateKeyAlias = cryptoProperties.getProperty("com.novell.casa.authtoksvc.crypto.keystore.alias");
+               String privateKeyPass = cryptoProperties.getProperty("com.novell.casa.authtoksvc.crypto.alias.password");
+               String certificateAlias = cryptoProperties.getProperty("com.novell.casa.authtoksvc.crypto.keystore.alias");
+               if (privateKeyAlias == null
+                   || privateKeyPass == null
+                   || certificateAlias == null)
+               {
+                  m_log.error("Constructor()- Missing crypto configuration");
+                  throw new Exception("SecureTokenUtil()- Missing crypto configuration");
+               }
+
+               // Get the key that will be used for signing tokens
+               m_signingKey = (PrivateKey) keyStore.getKey(privateKeyAlias,
+                                                           privateKeyPass.toCharArray());
+               if (m_signingKey == null)
+               {
+                  m_log.error("Constructor()- Signing key not found in keystore");
+                  throw new Exception("SecureTokenUtil()- Signing key not found in keystore");
+               }
+
+               // Get the signing certificate
+               m_signingCert = (X509Certificate) keyStore.getCertificate(certificateAlias);
+               if (m_signingCert == null)
+               {
+                  m_log.error("Constructor()- Signing cert not found in keystore");
+                  throw new Exception("SecureTokenUtil()- Signing cert not found in keystore");
+               }
+            }
+         }
+         finally
+         {
+            // Make sure that the input stream has been closed
+            if (inStream != null)
+               inStream.close();
+         }
+      }
+   }
+
+   /**
+    * Static Create Trusted ATS Certificate Map.
+    * <p/>
+    * @return Trusted ATS Certificate Map
+    * @throws Exception
+    */
+   private static Map<String,X509Certificate> createTrustedAtsCertMap() throws Exception
+   {
+      Map<String,X509Certificate> x509ISNCertMap;
      InputStream inStream = null;
      try
      {
@ -104,14 +190,14 @@ public final class SecureTokenUtil

         // Get necessary keystore info from the crypto properties
         String keystoreType = cryptoProperties.getProperty("com.novell.casa.authtoksvc.crypto.keystore.type", "jks");
-         String keystoreFile = cryptoProperties.getProperty("com.novell.casa.authtoksvc.crypto.file");
-         String keystorePass = cryptoProperties.getProperty("com.novell.casa.authtoksvc.crypto.keystore.password");
+         String keystoreFile = cryptoProperties.getProperty("com.novell.casa.authtoksvc.crypto.trusted_ats_keystore.file");
+         String keystorePass = cryptoProperties.getProperty("com.novell.casa.authtoksvc.crypto.trusted_ats_keystore.password");
         if (keystoreType == null
             || keystoreFile == null
             || keystorePass == null)
         {
-            m_log.error("Constructor()- Missing crypto configuration");
-            throw new Exception("SecureTokenUtil()- Missing crypto configuration");
+            m_log.error("SecureTokenUtil.createTrustedAtsCertMap()- Missing crypto configuration");
+            throw new Exception("SecureTokenUtil.createTrustedAtsCertMap()- Missing crypto configuration");
         }

         // Instantiate and load the keystore
@ -119,40 +205,8 @@ public final class SecureTokenUtil
         FileInputStream fis = new FileInputStream(keystoreFile);
         keyStore.load(fis, keystorePass.toCharArray());

-         // Get signing key and cert if in server mode
-         if (serverMode)
-         {
-            String privateKeyAlias = cryptoProperties.getProperty("com.novell.casa.authtoksvc.crypto.keystore.alias");
-            String privateKeyPass = cryptoProperties.getProperty("com.novell.casa.authtoksvc.crypto.alias.password");
-            String certificateAlias = cryptoProperties.getProperty("com.novell.casa.authtoksvc.crypto.keystore.alias");
-            if (privateKeyAlias == null
-                || privateKeyPass == null
-                || certificateAlias == null)
-            {
-               m_log.error("Constructor()- Missing crypto configuration");
-               throw new Exception("SecureTokenUtil()- Missing crypto configuration");
-            }
-
-            // Get the key that will be used for signing tokens
-            m_signingKey = (PrivateKey) keyStore.getKey(privateKeyAlias,
-                                                        privateKeyPass.toCharArray());
-            if (m_signingKey == null)
-            {
-               m_log.error("Constructor()- Signing key not found in keystore");
-               throw new Exception("SecureTokenUtil()- Signing key not found in keystore");
-            }
-
-            // Get the signing certificate
-            m_signingCert = (X509Certificate) keyStore.getCertificate(certificateAlias);
-            if (m_signingCert == null)
-            {
-               m_log.error("Constructor()- Signing cert not found in keystore");
-               throw new Exception("SecureTokenUtil()- Signing cert not found in keystore");
-            }
-         }
-
         // Create the Certificate issuer:sn map
-         m_x509ISNCertMap = new HashMap<String,X509Certificate>();
+         x509ISNCertMap = new HashMap<String,X509Certificate>();
         Enumeration<String> aliases = keyStore.aliases();
         while (aliases.hasMoreElements())
         {
@ -160,7 +214,7 @@ public final class SecureTokenUtil
            if (cert != null)
            {
               // Add this certificate to our map
-               m_x509ISNCertMap.put("IssuerDN=" + cert.getIssuerDN().getName() + " SN=" + cert.getSerialNumber().toString(), cert);
+               x509ISNCertMap.put("IssuerDN=" + cert.getIssuerDN().getName() + " SN=" + cert.getSerialNumber().toString(), cert);
            }
         }
      }
@ -170,6 +224,36 @@ public final class SecureTokenUtil
         if (inStream != null)
            inStream.close();
      }
+
+      return x509ISNCertMap;
+   }
+
+   /**
+    * Check Trusted ATS Certificate Map.
+    */
+   private synchronized Map<String,X509Certificate> checkTrustedAtsCertMap()
+   {
+      // Check if we need to refresh the trusted ATS Cert map
+      Date currDate = new Date();
+      if (currDate.compareTo(m_x509ISNCertMapRefreshDate) > 0)
+      {
+         // It is time to update the trusted ATS certificate map
+         try
+         {
+            // Set up the next refresh date
+            m_x509ISNCertMapRefreshDate.setTime(currDate.getTime() + (m_x509ISNCertMapRefreshInterval * 1000));
+
+            // Re-create the trusted ATS certificate map
+            Map<String,X509Certificate> newX509ISNCertMap = createTrustedAtsCertMap();
+            m_x509ISNCertMap = newX509ISNCertMap;
+         }
+         catch (Exception e)
+         {
+            m_log.error("SecureTokenUtil.checkTrustedAtsCertMap()- Exception caught, msg = " + e.getMessage());
+         }
+      }
+
+      return m_x509ISNCertMap;
   }

   /**
@ -181,7 +265,8 @@ public final class SecureTokenUtil
    */
   private X509Certificate getCertWithX509IssuerSerialData(String issuerName, String serialNumber)
   {
-      return m_x509ISNCertMap.get("IssuerDN=" + issuerName + " SN=" + serialNumber);
+      Map<String,X509Certificate> x509ISNCertMap = checkTrustedAtsCertMap();
+      return x509ISNCertMap.get("IssuerDN=" + issuerName + " SN=" + serialNumber);
   }

   /**
--- a/CASA-auth-token/server-java/Svc/windows/casa_crypto.properties
+++ b/CASA-auth-token/server-java/Svc/windows/casa_crypto.properties
@ -1,5 +1,8 @@
 com.novell.casa.authtoksvc.crypto.keystore.type=jks
+com.novell.casa.authtoksvc.crypto.trusted_ats_keystore.password=secret
+com.novell.casa.authtoksvc.crypto.trusted_ats_keystore.file=ATS_INSTALL_DIR//etc//keys//trusted-ats-jks-store
 com.novell.casa.authtoksvc.crypto.keystore.password=secret
+com.novell.casa.authtoksvc.crypto.keystore.file=ATS_INSTALL_DIR//etc//keys//server//jks-store
 com.novell.casa.authtoksvc.crypto.keystore.alias=signingKey
 com.novell.casa.authtoksvc.crypto.alias.password=secret
-com.novell.casa.authtoksvc.crypto.file=ATS_INSTALL_DIR//etc//keys//server//jks-store
+
--- a/CASA-auth-token/server-java/package/linux/CASA_auth_token_svc.spec.in
+++ b/CASA-auth-token/server-java/package/linux/CASA_auth_token_svc.spec.in
@ -172,6 +172,7 @@ install -m 700 Svc/linux/log4j.properties %{buildroot}/etc/CASA/authtoken/svc/lo

 # Others
 install -m 700 Svc/linux/server_keystore_setup.sh %{buildroot}%{prefix}/share/java/CASA/authtoken/bin/server_keystore_setup.sh
+install -m 700 Svc/linux/server_keystore_setup.sh %{buildroot}%{prefix}/share/java/CASA/authtoken/bin/refresh_trusted_ats_keystore.sh
 install -m 700 Svc/linux/CasaBasicATSSetup.sh %{buildroot}%{prefix}/share/java/CASA/authtoken/bin/CasaBasicATSSetup.sh
 install -m 700 Svc/linux/CasaAuthPolicyEditor.sh %{buildroot}%{prefix}/share/java/CASA/authtoken/bin/CasaAuthPolicyEditor.sh
 install -m 700 Svc/linux/CasaTomcatConnectorEditor.sh %{buildroot}%{prefix}/share/java/CASA/authtoken/bin/CasaTomcatConnectorEditor.sh
@ -260,6 +261,7 @@ rm -f /srv/www/casaats/conf/server.xml
 %{prefix}/share/java/CASA/authtoken/CasaAuthTokenSvc-%{bldno}.war
 %{prefix}/share/java/CASA/authtoken/CasaAuthTokenSvc.war
 %{prefix}/share/java/CASA/authtoken/bin/server_keystore_setup.sh
+%{prefix}/share/java/CASA/authtoken/bin/refresh_trusted_ats_keystore.sh
 %{prefix}/share/java/CASA/authtoken/bin/CasaBasicATSSetup.sh
 %{prefix}/share/java/CASA/authtoken/bin/CasaAuthPolicyEditor.sh
 %{prefix}/share/java/CASA/authtoken/bin/CasaTomcatConnectorEditor.sh
--- a/CASA-auth-token/server-java/package/linux/CASA_auth_token_svc_4zen.spec.in
+++ b/CASA-auth-token/server-java/package/linux/CASA_auth_token_svc_4zen.spec.in
@ -172,6 +172,7 @@ install -m 700 Svc/linux/log4j.properties %{buildroot}/etc/CASA/authtoken/svc/lo

 # Others
 install -m 700 Svc/linux/server_keystore_setup.sh %{buildroot}%{prefix}/share/java/CASA/authtoken/bin/server_keystore_setup.sh
+install -m 700 Svc/linux/server_keystore_setup.sh %{buildroot}%{prefix}/share/java/CASA/authtoken/bin/refresh_trusted_ats_keystore.sh
 install -m 700 Svc/linux/CasaBasicATSSetup.sh %{buildroot}%{prefix}/share/java/CASA/authtoken/bin/CasaBasicATSSetup.sh
 install -m 700 Svc/linux/CasaAuthPolicyEditor.sh %{buildroot}%{prefix}/share/java/CASA/authtoken/bin/CasaAuthPolicyEditor.sh
 install -m 700 Svc/linux/CasaTomcatConnectorEditor.sh %{buildroot}%{prefix}/share/java/CASA/authtoken/bin/CasaTomcatConnectorEditor.sh
@ -260,6 +261,7 @@ rm -f /srv/www/casaats/conf/server.xml
 %{prefix}/share/java/CASA/authtoken/CasaAuthTokenSvc-%{bldno}.war
 %{prefix}/share/java/CASA/authtoken/CasaAuthTokenSvc.war
 %{prefix}/share/java/CASA/authtoken/bin/server_keystore_setup.sh
+%{prefix}/share/java/CASA/authtoken/bin/refresh_trusted_ats_keystore.sh
 %{prefix}/share/java/CASA/authtoken/bin/CasaBasicATSSetup.sh
 %{prefix}/share/java/CASA/authtoken/bin/CasaAuthPolicyEditor.sh
 %{prefix}/share/java/CASA/authtoken/bin/CasaTomcatConnectorEditor.sh
--- a/CASA-auth-token/server-java/package/windows/AtsConfigurator/src/Configure.java
+++ b/CASA-auth-token/server-java/package/windows/AtsConfigurator/src/Configure.java
@ -48,8 +48,8 @@ public class Configure
 {
   // Other constants
   final static String SERVER_KEY_STORE_RELATIVE_PATH = "\\etc\\keys\\server\\jks-store";
-   final static String CLIENT_KEY_STORE_RELATIVE_PATH = "\\etc\\keys\\client\\jks-store";
-   final static String SIGNING_CERT_RELATIVE_PATH = "\\etc\\keys\\casaatsdSigningCert";
+   final static String CLIENT_KEY_STORE_RELATIVE_PATH = "\\etc\\keys\\trusted-ats-jks-store";
+   final static String SIGNING_CERT_RELATIVE_PATH = "\\etc\\keys\\localSigningCert";

   // Configured properties
   Properties  m_properties;
--- a/CASA-auth-token/yast2-casa-ats/src/CasaAts.ycp
+++ b/CASA-auth-token/yast2-casa-ats/src/CasaAts.ycp
@ -57,6 +57,7 @@ string authPolicyFile = "/etc/CASA/authtoken/svc/auth.policy";
 string authPolicyEditor = "/usr/share/java/CASA/authtoken/bin/CasaAuthPolicyEditor.sh";
 string iaRealmsFile = "/etc/CASA/authtoken/svc/iaRealms.xml";
 string iaRealmsEditor = "/usr/share/java/CASA/authtoken/bin/CasaIaRealmsEditor.sh";
+string trustedServerCertsFolder = "/etc/CASA/authtoken/keys/trustedATSCerts";

 /**
 * Settings Map
@ -480,6 +481,10 @@ global boolean Write() {
    else
 		SCR::Execute(.target.bash, "/bin/cp "+trustedServerConfigFile+" "+trustedServerConfigFile+".YaST2save");

+	// Create a fresh folder to hold the Signing Certs of the trusted ATSs
+	SCR::Execute(.target.bash, "/bin/rm -fr " + trustedServerCertsFolder);
+	SCR::Execute(.target.bash, "/bin/mkdir " + trustedServerCertsFolder);
+
 	// Update the trusted server config 
    any anyRet = false;
 	list<string> trustedServerList = Settings["CONFIG_CASAATS_TRUSTED"]:[];
@ -487,10 +492,32 @@ global boolean Write() {
    if (trustedServerList != []) {
 		// Merge all of the addresses onto the string
 		trustedServerListString = mergestring(trustedServerList, "\n");
+
+		// Import the Signing Certs from the trusted ATSs
+		foreach(string trustedATS, trustedServerList, {
+			if (trustedATS != "")
+			{
+				string cmd = sformat("curl -f --capath /etc/ssl/certs -o %1/%2 https://%3:443/CasaAuthTokenSvc/SigningCert", trustedServerCertsFolder, trustedATS, trustedATS);
+				integer exit = (integer) SCR::Execute(.target.bash, cmd);
+				if (exit != 0)
+				{
+					y2error("SigningCert import from " + trustedATS + "using port 443 failed with Curl error" + tostring(exit) + " trying port 2645");
+				    cmd = sformat("curl -f --capath /etc/ssl/certs -o %1/%2 https://%3:2645/CasaAuthTokenSvc/SigningCert", trustedServerCertsFolder, trustedATS, trustedATS);
+					exit = (integer) SCR::Execute(.target.bash, cmd);
+					if (exit != 0)
+					{
+						y2error("SigningCert import from " + trustedATS + "using port 2645 failed with Curl error" + tostring(exit));
+					}
+				}
+			}
+		});
 	}
 	anyRet = SCR::Write(.target.string, trustedServerConfigFile, trustedServerListString);
    if (anyRet != true)
-      y2error("Failed to write to " + trustedServerConfigFile);
+		y2error("Failed to write to " + trustedServerConfigFile);
+
+	// Refresh the trusted ATS Keystore
+	SCR::Execute(.target.bash, "/usr/share/java/CASA/authtoken/bin/refresh_trusted_ats_keystore.sh");

    // Write the /etc/sysconfig/casa-ats settings
    if(Abort()) return false;
--- a/CASA-auth-token/yast2-casa-ats/yast2-casa-ats.spec.in
+++ b/CASA-auth-token/yast2-casa-ats/yast2-casa-ats.spec.in
@ -1,8 +1,8 @@
@HEADER-COMMENT@

@HEADER@
-Requires:	yast2 CASA_auth_token_svc
-BuildRequires:	perl-XML-Writer update-desktop-files yast2 yast2-devtools yast2-testsuite CASA_auth_token_svc yast2-theme-NLD java-sdk-1.5.0 update-alternatives log4j jakarta-commons-logging pwdutils CASA-devel
+Requires:	yast2 CASA_auth_token_svc curl
+BuildRequires:	perl-XML-Writer update-desktop-files yast2 yast2-devtools yast2-testsuite CASA_auth_token_svc curl yast2-theme-NLD java-sdk-1.5.0 update-alternatives log4j jakarta-commons-logging pwdutils CASA-devel

 BuildArchitectures:	noarch