From ef99031e7e2d5ce62c71d5a9002c093901cf96c2 Mon Sep 17 00:00:00 2001 From: Juan Carlos Luciani Date: Fri, 1 Jun 2007 15:41:46 +0000 Subject: [PATCH] Changes to allow for the setup of trust relationships with ATSs. --- .../Jaas/linux/casa_crypto.properties | 7 +- .../Jaas/linux/client_keystore_setup.sh | 16 +- .../Jaas/linux/client_keystore_setup.sh.zen | 16 +- .../Jaas/windows/casa_crypto.properties | 7 +- .../server-java/Svc/linux/Makefile.am | 1 + .../Svc/linux/casa_crypto.properties | 5 +- .../Svc/linux/refresh_trusted_ats_keystore.sh | 69 ++++++++ .../Svc/linux/server_keystore_setup.sh | 36 ++-- .../casa/authtoksvc/SecureTokenUtil.java | 163 +++++++++++++----- .../Svc/windows/casa_crypto.properties | 5 +- .../package/linux/CASA_auth_token_svc.spec.in | 2 + .../linux/CASA_auth_token_svc_4zen.spec.in | 2 + .../AtsConfigurator/src/Configure.java | 4 +- .../yast2-casa-ats/src/CasaAts.ycp | 29 +++- .../yast2-casa-ats/yast2-casa-ats.spec.in | 4 +- 15 files changed, 284 insertions(+), 82 deletions(-) create mode 100755 CASA-auth-token/server-java/Svc/linux/refresh_trusted_ats_keystore.sh diff --git a/CASA-auth-token/server-java/Jaas/linux/casa_crypto.properties b/CASA-auth-token/server-java/Jaas/linux/casa_crypto.properties index 7b301ae9..484b7d0e 100644 --- a/CASA-auth-token/server-java/Jaas/linux/casa_crypto.properties +++ b/CASA-auth-token/server-java/Jaas/linux/casa_crypto.properties @@ -1,5 +1,4 @@ com.novell.casa.authtoksvc.crypto.keystore.type=jks -com.novell.casa.authtoksvc.crypto.keystore.password=secret -com.novell.casa.authtoksvc.crypto.keystore.alias=signingCert -com.novell.casa.authtoksvc.crypto.alias.password=secret -com.novell.casa.authtoksvc.crypto.file=/etc/CASA/authtoken/keys/client/jks-store +com.novell.casa.authtoksvc.crypto.trusted_ats_keystore.password=secret +com.novell.casa.authtoksvc.crypto.trusted_ats_keystore.file=/etc/CASA/authtoken/keys/trusted-ats-jks-store + 
diff --git a/CASA-auth-token/server-java/Jaas/linux/client_keystore_setup.sh b/CASA-auth-token/server-java/Jaas/linux/client_keystore_setup.sh index 271e8031..5da21d31 100755 --- a/CASA-auth-token/server-java/Jaas/linux/client_keystore_setup.sh +++ b/CASA-auth-token/server-java/Jaas/linux/client_keystore_setup.sh @@ -48,24 +48,26 @@ else fi JAVA_HOME=/usr/$LIB/jvm/jre-1.5.0 +KEYTOOL_PATH=$JAVA_HOME/bin/keytool +KEYSTORE_PATH=/etc/CASA/authtoken/keys/trusted-ats-jks-store +LOCAL_ATS_SIGNING_CERT_PATH=/etc/CASA/authtoken/keys/localSigningCert # Do not do anything if the client keystore has already been created -if [ -f /etc/CASA/authtoken/keys/client/jks-store ]; then +if [ -f $KEYSTORE_PATH ]; then if [ $SILENT == 0 ]; then echo "The client keystore is already setup" fi else - if [ -f /etc/CASA/authtoken/keys/casaatsdSigningCert ]; then + if [ -f $LOCAL_ATS_SIGNING_CERT_PATH ]; then echo "Setting up the clients's keystore" - KEYTOOL_PATH=$JAVA_HOME/bin/keytool - # Import the certificate to the client's keystore - $KEYTOOL_PATH -import -noprompt -keystore /etc/CASA/authtoken/keys/client/jks-store -alias signingCert -storepass secret -keypass secret -file /etc/CASA/authtoken/keys/casaatsdSigningCert + $KEYTOOL_PATH -import -noprompt -keystore $KEYSTORE_PATH -alias signingCert -storepass secret -keypass secret -file $LOCAL_ATS_SIGNING_CERT_PATH # List the content's of the client's keystore - #$KEYTOOL_PATH -list -rfc -keystore client/jks-store -alias signingCert -storepass secret + #$KEYTOOL_PATH -list -rfc -keystore $KEYSTORE_PATH -alias signingCert -storepass secret else - echo "File /etc/CASA/authtoken/keys/casaatsdSigningCert not found" + echo "File $LOCAL_ATS_SIGNING_CERT_PATH not found" fi fi + diff --git a/CASA-auth-token/server-java/Jaas/linux/client_keystore_setup.sh.zen b/CASA-auth-token/server-java/Jaas/linux/client_keystore_setup.sh.zen index d58287bd..b02ddce2 100644 --- a/CASA-auth-token/server-java/Jaas/linux/client_keystore_setup.sh.zen 
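Review bot: The local signing certificate is imported into `$KEYSTORE_PATH` under alias `signingCert` here, while `server_keystore_setup.sh` and the new `refresh_trusted_ats_keystore.sh` import the same certificate into the same `trusted-ats-jks-store` file under `local_signingCert`; the `.zen` variant of this script in the next hunk has the same mismatch. Since this script does nothing when the file already exists and the refresh script deletes and rebuilds it, the alias the certificate ends up under depends on which script ran first, and importing an already-present certificate under a second alias at best duplicates it. Use one alias everywhere, e.g. `-alias local_signingCert`, and note in the script header that the trusted-ATS keystore is rebuilt by `refresh_trusted_ats_keystore.sh`. The script's option parsing above this hunk is outside it.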
+++ b/CASA-auth-token/server-java/Jaas/linux/client_keystore_setup.sh.zen @@ -42,26 +42,26 @@ if [ "$1" != "" ]; then fi fi -# Set JAVA_HOME JAVA_HOME="/opt/novell/zenworks/share/java" +KEYTOOL_PATH=$JAVA_HOME/bin/keytool +KEYSTORE_PATH=/etc/CASA/authtoken/keys/trusted-ats-jks-store +LOCAL_ATS_SIGNING_CERT_PATH=/etc/CASA/authtoken/keys/localSigningCert # Do not do anything if the client keystore has already been created -if [ -f /etc/CASA/authtoken/keys/client/jks-store ]; then +if [ -f $KEYSTORE_PATH ]; then if [ $SILENT == 0 ]; then echo "The client keystore is already setup" fi else - if [ -f /etc/CASA/authtoken/keys/casaatsdSigningCert ]; then + if [ -f $LOCAL_ATS_SIGNING_CERT_PATH ]; then echo "Setting up the clients's keystore" - KEYTOOL_PATH=$JAVA_HOME/bin/keytool - # Import the certificate to the client's keystore - $KEYTOOL_PATH -import -noprompt -keystore /etc/CASA/authtoken/keys/client/jks-store -alias signingCert -storepass secret -keypass secret -file /etc/CASA/authtoken/keys/casaatsdSigningCert + $KEYTOOL_PATH -import -noprompt -keystore $KEYSTORE_PATH -alias signingCert -storepass secret -keypass secret -file $LOCAL_ATS_SIGNING_CERT_PATH # List the content's of the client's keystore - #$KEYTOOL_PATH -list -rfc -keystore client/jks-store -alias signingCert -storepass secret + #$KEYTOOL_PATH -list -rfc -keystore $KEYSTORE_PATH -alias signingCert -storepass secret else - echo "File /etc/CASA/authtoken/keys/casaatsdSigningCert not found" + echo "File $LOCAL_ATS_SIGNING_CERT_PATH not found" fi fi diff --git a/CASA-auth-token/server-java/Jaas/windows/casa_crypto.properties b/CASA-auth-token/server-java/Jaas/windows/casa_crypto.properties index 7b301ae9..fbe436d1 100644 --- a/CASA-auth-token/server-java/Jaas/windows/casa_crypto.properties +++ b/CASA-auth-token/server-java/Jaas/windows/casa_crypto.properties 
@@ -1,5 +1,4 @@ com.novell.casa.authtoksvc.crypto.keystore.type=jks -com.novell.casa.authtoksvc.crypto.keystore.password=secret -com.novell.casa.authtoksvc.crypto.keystore.alias=signingCert -com.novell.casa.authtoksvc.crypto.alias.password=secret -com.novell.casa.authtoksvc.crypto.file=/etc/CASA/authtoken/keys/client/jks-store +com.novell.casa.authtoksvc.crypto.trusted_ats_keystore.password=secret +com.novell.casa.authtoksvc.crypto.trusted_ats_keystore.file=ATS_INSTALL_DIR//etc//keys//trusted-ats-jks-store + diff --git a/CASA-auth-token/server-java/Svc/linux/Makefile.am b/CASA-auth-token/server-java/Svc/linux/Makefile.am index 7cbc197c..789217cc 100644 --- a/CASA-auth-token/server-java/Svc/linux/Makefile.am +++ b/CASA-auth-token/server-java/Svc/linux/Makefile.am @@ -30,6 +30,7 @@ EXTRA_DIST = CasaAuthtokenSvcD \ envvars \ envvars.zen \ server_keystore_setup.sh \ + refresh_trusted_ats_keystore.sh \ casa_crypto.properties \ CasaBasicATSSetup.sh \ CasaAuthPolicyEditor.sh \ diff --git a/CASA-auth-token/server-java/Svc/linux/casa_crypto.properties b/CASA-auth-token/server-java/Svc/linux/casa_crypto.properties index 64e5da12..b5a14d0b 100644 --- a/CASA-auth-token/server-java/Svc/linux/casa_crypto.properties +++ b/CASA-auth-token/server-java/Svc/linux/casa_crypto.properties @@ -1,5 +1,8 @@ com.novell.casa.authtoksvc.crypto.keystore.type=jks +com.novell.casa.authtoksvc.crypto.trusted_ats_keystore.password=secret +com.novell.casa.authtoksvc.crypto.trusted_ats_keystore.file=/etc/CASA/authtoken/keys/trusted-ats-jks-store com.novell.casa.authtoksvc.crypto.keystore.password=secret +com.novell.casa.authtoksvc.crypto.keystore.file=/etc/CASA/authtoken/keys/server/jks-store com.novell.casa.authtoksvc.crypto.keystore.alias=signingKey com.novell.casa.authtoksvc.crypto.alias.password=secret -com.novell.casa.authtoksvc.crypto.file=/etc/CASA/authtoken/keys/server/jks-store + 
diff --git a/CASA-auth-token/server-java/Svc/linux/refresh_trusted_ats_keystore.sh b/CASA-auth-token/server-java/Svc/linux/refresh_trusted_ats_keystore.sh
new file mode 100755
index 00000000..027fd066
--- /dev/null
+++ b/CASA-auth-token/server-java/Svc/linux/refresh_trusted_ats_keystore.sh
@@ -0,0 +1,69 @@
+#!/bin/sh
+########################################################################
+#
+# Copyright (C) 2006 Novell, Inc. All Rights Reserved.
+#
+# This library is free software; you can redistribute it and/or
+# modify it under the terms of the GNU Lesser General Public
+# License as published by the Free Software Foundation; version 2.1
+# of the License.
+#
+# This library is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+# Library Lesser General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public
+# License along with this library; if not, Novell, Inc.
+#
+# To contact Novell about this file by physical or electronic mail,
+# you may find current contact information at www.novell.com.
+#
+# Author: Juan Carlos Luciani
+#
+########################################################################
+
+#############################################################
+# #
+# CASA Authentication Token Script for refreshing the #
+# trusted ATS keystore. #
+# #
+# This script sets up the certificate associated with the #
+# keys used by the ATS to sign authentication tokens in the #
+# keystore utilized by token validating clients. #
+# #
+#############################################################
+
+if [ -d /usr/lib64 ]; then
+ LIB=lib64
+else
+ LIB=lib
+fi
+
+JAVA_HOME=/usr/$LIB/jvm/jre-1.5.0
+KEYTOOL_PATH=$JAVA_HOME/bin/keytool
+KEYSTORE_PATH=/etc/CASA/authtoken/keys/trusted-ats-jks-store
+LOCAL_ATS_SIGNING_CERT_PATH=/etc/CASA/authtoken/keys/localSigningCert
+NON_LOCAL_ATS_SIGNING_CERT_DIR_PATH=/etc/CASA/authtoken/keys/trustedATSCerts
+
+# Remove the keystore if present
+rm -f $KEYSTORE_PATH
+
+// Import the SigningCert from the local ATS if present
+if [ -f $LOCAL_ATS_SIGNING_CERT_PATH ]; then
+ echo "Importing local ATS cert"
+ $KEYTOOL_PATH -import -noprompt -keystore $KEYSTORE_PATH -alias local_signingCert -storepass secret -keypass secret -file $LOCAL_ATS_SIGNING_CERT_PATH
+fi
+
+// Import the SigningCert of the non-local trusted ATSs
+if [ -d $NON_LOCAL_ATS_SIGNING_CERT_DIR_PATH ]; then
+ for ATSCert in `ls $NON_LOCAL_ATS_SIGNING_CERT_DIR_PATH`
+ do
+ echo "Importing $ATSCert cert"
+ $KEYTOOL_PATH -import -noprompt -keystore $KEYSTORE_PATH -alias $ATSCert -storepass secret -keypass secret -file $NON_LOCAL_ATS_SIGNING_CERT_DIR_PATH/$ATSCert
+ done
+fi
+
+# List the content's of the trusted ATS keystore
+#$KEYTOOL_PATH -list -rfc -keystore $KEYSTORE_PATH -storepass secret
+
diff --git a/CASA-auth-token/server-java/Svc/linux/server_keystore_setup.sh b/CASA-auth-token/server-java/Svc/linux/server_keystore_setup.sh
index ca8679a3..8ed4392c 100755
--- a/CASA-auth-token/server-java/Svc/linux/server_keystore_setup.sh
+++ b/CASA-auth-token/server-java/Svc/linux/server_keystore_setup.sh
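Review bot: The two comment lines `// Import the SigningCert from the local ATS if present` and `// Import the SigningCert of the non-local trusted ATSs` use `//`, which `/bin/sh` treats as a command to execute (it resolves to the root directory), so each run prints an error before the imports proceed; change both to `# ...`. The script does `rm -f $KEYSTORE_PATH` and then rebuilds the store one `keytool -import` at a time, so a validator that reloads it in that window (`SecureTokenUtil` reloads it every 360 s) sees a missing or partial store; importing into a temporary file and `mv`-ing it over `$KEYSTORE_PATH` at the end would make the refresh atomic. The `ls`-based `for` loop and the unquoted `-alias $ATSCert` also break on entry names containing whitespace; `for ATSCert in "$NON_LOCAL_ATS_SIGNING_CERT_DIR_PATH"/*` with `basename` and quoted expansions is the usual form.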
@@ -42,36 +42,46 @@ # Source our environment variables file . /etc/CASA/authtoken/svc/envvars +KEYTOOL_PATH=$JAVA_HOME/bin/keytool +KEYSTORE_PATH=/etc/CASA/authtoken/keys/server/jks-store +TRUSTED_ATS_KEYSTORE_PATH=/etc/CASA/authtoken/keys/trusted-ats-jks-store +LOCAL_ATS_SIGNING_CERT_PATH=/etc/CASA/authtoken/keys/localSigningCert + + # Perform the operation requested # Do not do anything if the server keystore has already been created -if [ -f /etc/CASA/authtoken/keys/server/jks-store ]; then +if [ -f $KEYSTORE_PATH ]; then echo "The server keystore is already setup" # Make sure that the keystore file is owned by our service - chown casaatsd:casaauth /etc/CASA/authtoken/keys/server/jks-store + chown casaatsd:casaauth $KEYSTORE_PATH else echo "Setting up the server's keystore" - KEYTOOL_PATH=$JAVA_HOME/bin/keytool - # Create the server keystore with the key that will be used for signing tokens host=`hostname -f` - $KEYTOOL_PATH -genkey -alias signingKey -keystore /etc/CASA/authtoken/keys/server/jks-store -dname "cn=casaatsd@$host" -validity 3600 -keypass secret -storepass secret + $KEYTOOL_PATH -genkey -alias signingKey -keystore $KEYSTORE_PATH -dname "cn=casaatsd@$host" -validity 3600 -keypass secret -storepass secret # Export self-signed certificate for the signing key - $KEYTOOL_PATH -export -keystore /etc/CASA/authtoken/keys/server/jks-store -alias signingKey -storepass secret -keypass secret -file /etc/CASA/authtoken/keys/casaatsdSigningCert + $KEYTOOL_PATH -export -keystore $KEYSTORE_PATH -alias signingKey -storepass secret -keypass secret -file $LOCAL_ATS_SIGNING_CERT_PATH # Print the exported cert - #$KEYTOOL_PATH -printcert -file /etc/CASA/authtoken/keys/casaatsdSigningCert + #$KEYTOOL_PATH -printcert -file $LOCAL_ATS_SIGNING_CERT_PATH - # Create a key for Tomcat to do SSL communications - $KEYTOOL_PATH -genkey -alias tomcat -keyalg RSA -keystore /etc/CASA/authtoken/keys/server/jks-store -dname "cn=$host" -validity 3600 -keypass secret -storepass secret + 
# Allow the signing certificate to be downloaded from the ATS + cp $LOCAL_ATS_SIGNING_CERT_PATH /srv/www/casaats/webapps/CasaAuthTokenSvc/SigningCert + + # Import the signing certificate into the trusted ATS keystore + $KEYTOOL_PATH -import -noprompt -keystore $TRUSTED_ATS_KEYSTORE_PATH -alias local_signingCert -storepass secret -keypass secret -file $LOCAL_ATS_SIGNING_CERT_PATH + + # Create a key for Tomcat to do SSL communications + $KEYTOOL_PATH -genkey -alias tomcat -keyalg RSA -keystore $KEYSTORE_PATH -dname "cn=$host" -validity 3600 -keypass secret -storepass secret # List the contents of the server's keystore - #$KEYTOOL_PATH -list -rfc -keystore /etc/CASA/authtoken/keys/server/jks-store -storepass secret + #$KEYTOOL_PATH -list -rfc -keystore $KEYSTORE_PATH -storepass secret - # Make sure that the keystore is only accessible by the service - chown casaatsd:casaauth /etc/CASA/authtoken/keys/server/jks-store - chmod 600 /etc/CASA/authtoken/keys/server/jks-store + # Make sure that the server keystore is only accessible by the service + chown casaatsd:casaauth $KEYSTORE_PATH + chmod 600 $KEYSTORE_PATH fi diff --git a/CASA-auth-token/server-java/Svc/src/com/novell/casa/authtoksvc/SecureTokenUtil.java b/CASA-auth-token/server-java/Svc/src/com/novell/casa/authtoksvc/SecureTokenUtil.java index 8914bc9c..d2f672a8 100644 --- a/CASA-auth-token/server-java/Svc/src/com/novell/casa/authtoksvc/SecureTokenUtil.java +++ b/CASA-auth-token/server-java/Svc/src/com/novell/casa/authtoksvc/SecureTokenUtil.java @@ -65,6 +65,8 @@ public final class SecureTokenUtil // // The map key has the format: "IssuerDN=certissuername SN=certserialnumber" private Map m_x509ISNCertMap; + private Date m_x509ISNCertMapRefreshDate; + private int m_x509ISNCertMapRefreshInterval = 360; // seconds // SecureToken template private static final String m_secureTokenTemplate = 
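Review bot: The copy of the signing certificate to `/srv/www/casaats/webapps/CasaAuthTokenSvc/SigningCert` and its import into `$TRUSTED_ATS_KEYSTORE_PATH` run only in the `else` branch, i.e. on first setup; on an upgraded host the `if [ -f $KEYSTORE_PATH ]` branch merely chowns the server keystore, so the trusted-ATS keystore is never created and the certificate (previously exported as `casaatsdSigningCert`, now expected at `$LOCAL_ATS_SIGNING_CERT_PATH`) is never published. Move the export, copy and import outside the branch behind `[ -f ... ]` checks, or have the package's post-install run `refresh_trusted_ats_keystore.sh` after this script. The `cp` into the webapp directory also presumes the war has already been expanded there; a `[ -d ... ]` guard with an error message would make that failure visible instead of silent. The script's argument handling precedes this hunk.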
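Review bot: `m_x509ISNCertMapRefreshInterval = 360; // seconds` is a mutable, non-final field that nothing in this commit configures, and it is also the upper bound on how long a certificate removed from the trusted-ATS keystore stays accepted for token validation. Either declare it `private static final int` or read it from `casa_crypto.properties` next to the keystore settings, and say what the number bounds in the field comment, e.g. `// seconds; bounds how long a cert removed from the trusted store is still accepted`. The class continues outside this hunk.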
@@ -93,6 +95,90 @@ public final class SecureTokenUtil */ public SecureTokenUtil(boolean serverMode) throws Exception { + // Start by creating the trusted ATS Cert Map + m_x509ISNCertMap = createTrustedAtsCertMap(); + m_x509ISNCertMapRefreshDate = new Date(); + m_x509ISNCertMapRefreshDate.setTime(m_x509ISNCertMapRefreshDate.getTime() + (m_x509ISNCertMapRefreshInterval * 1000)); + + // Obtain the signing key and certificate if we are in server mode + if (serverMode) + { + InputStream inStream = null; + try + { + // Load our crypto properties + Properties cryptoProperties = new Properties(); + ClassLoader classLoader = SecureTokenUtil.class.getClassLoader(); + inStream = classLoader.getResourceAsStream("casa_crypto.properties"); + cryptoProperties.load(inStream); + + // Get necessary keystore info from the crypto properties + String keystoreType = cryptoProperties.getProperty("com.novell.casa.authtoksvc.crypto.keystore.type", "jks"); + String keystoreFile = cryptoProperties.getProperty("com.novell.casa.authtoksvc.crypto.keystore.file"); + String keystorePass = cryptoProperties.getProperty("com.novell.casa.authtoksvc.crypto.keystore.password"); + if (keystoreType == null + || keystoreFile == null + || keystorePass == null) + { + m_log.error("Constructor()- Missing crypto configuration"); + throw new Exception("SecureTokenUtil()- Missing crypto configuration"); + } + + // Instantiate and load the keystore + KeyStore keyStore = KeyStore.getInstance(keystoreType); + FileInputStream fis = new FileInputStream(keystoreFile); + keyStore.load(fis, keystorePass.toCharArray()); + + // Get signing key and cert if in server mode + if (serverMode) + { + String privateKeyAlias = cryptoProperties.getProperty("com.novell.casa.authtoksvc.crypto.keystore.alias"); + String privateKeyPass = cryptoProperties.getProperty("com.novell.casa.authtoksvc.crypto.alias.password"); + String certificateAlias = cryptoProperties.getProperty("com.novell.casa.authtoksvc.crypto.keystore.alias"); + if 
(privateKeyAlias == null + || privateKeyPass == null + || certificateAlias == null) + { + m_log.error("Constructor()- Missing crypto configuration"); + throw new Exception("SecureTokenUtil()- Missing crypto configuration"); + } + + // Get the key that will be used for signing tokens + m_signingKey = (PrivateKey) keyStore.getKey(privateKeyAlias, + privateKeyPass.toCharArray()); + if (m_signingKey == null) + { + m_log.error("Constructor()- Signing key not found in keystore"); + throw new Exception("SecureTokenUtil()- Signing key not found in keystore"); + } + + // Get the signing certificate + m_signingCert = (X509Certificate) keyStore.getCertificate(certificateAlias); + if (m_signingCert == null) + { + m_log.error("Constructor()- Signing cert not found in keystore"); + throw new Exception("SecureTokenUtil()- Signing cert not found in keystore"); + } + } + } + finally + { + // Make sure that the input stream has been closed + if (inStream != null) + inStream.close(); + } + } + } + + /** + * Static Create Trusted ATS Certificate Map. + *

+ * @return Trusted ATS Certificate Map + * @throws Exception + */ + private static Map createTrustedAtsCertMap() throws Exception + { + Map x509ISNCertMap; InputStream inStream = null; try { @@ -104,14 +190,14 @@ public final class SecureTokenUtil // Get necessary keystore info from the crypto properties String keystoreType = cryptoProperties.getProperty("com.novell.casa.authtoksvc.crypto.keystore.type", "jks"); - String keystoreFile = cryptoProperties.getProperty("com.novell.casa.authtoksvc.crypto.file"); - String keystorePass = cryptoProperties.getProperty("com.novell.casa.authtoksvc.crypto.keystore.password"); + String keystoreFile = cryptoProperties.getProperty("com.novell.casa.authtoksvc.crypto.trusted_ats_keystore.file"); + String keystorePass = cryptoProperties.getProperty("com.novell.casa.authtoksvc.crypto.trusted_ats_keystore.password"); if (keystoreType == null || keystoreFile == null || keystorePass == null) { - m_log.error("Constructor()- Missing crypto configuration"); - throw new Exception("SecureTokenUtil()- Missing crypto configuration"); + m_log.error("SecureTokenUtil.createTrustedAtsCertMap()- Missing crypto configuration"); + throw new Exception("SecureTokenUtil.createTrustedAtsCertMap()- Missing crypto configuration"); } // Instantiate and load the keystore 
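Review bot: In the new server-mode block, `FileInputStream fis = new FileInputStream(keystoreFile)` is opened for `keyStore.load(...)` but never closed — the `finally` only closes `inStream` — so every construction leaks a descriptor on the server keystore; `createTrustedAtsCertMap()` reuses the same lines (visible as context in the next hunk) and has the same leak. Wrap it as `try { keyStore.load(fis, keystorePass.toCharArray()); } finally { fis.close(); }` in both places. The inner `if (serverMode)` is nested inside `if (serverMode)` and is always true, and `certificateAlias` reads the same `crypto.keystore.alias` property as `privateKeyAlias`, so either one variable is enough or the intended property key differs. The constructor is complete within this hunk, but the hunk ends inside `createTrustedAtsCertMap()`, whose body continues in the following hunks.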
@@ -119,40 +205,8 @@ public final class SecureTokenUtil FileInputStream fis = new FileInputStream(keystoreFile); keyStore.load(fis, keystorePass.toCharArray()); - // Get signing key and cert if in server mode - if (serverMode) - { - String privateKeyAlias = cryptoProperties.getProperty("com.novell.casa.authtoksvc.crypto.keystore.alias"); - String privateKeyPass = cryptoProperties.getProperty("com.novell.casa.authtoksvc.crypto.alias.password"); - String certificateAlias = cryptoProperties.getProperty("com.novell.casa.authtoksvc.crypto.keystore.alias"); - if (privateKeyAlias == null - || privateKeyPass == null - || certificateAlias == null) - { - m_log.error("Constructor()- Missing crypto configuration"); - throw new Exception("SecureTokenUtil()- Missing crypto configuration"); - } - - // Get the key that will be used for signing tokens - m_signingKey = (PrivateKey) keyStore.getKey(privateKeyAlias, - privateKeyPass.toCharArray()); - if (m_signingKey == null) - { - m_log.error("Constructor()- Signing key not found in keystore"); - throw new Exception("SecureTokenUtil()- Signing key not found in keystore"); - } - - // Get the signing certificate - m_signingCert = (X509Certificate) keyStore.getCertificate(certificateAlias); - if (m_signingCert == null) - { - m_log.error("Constructor()- Signing cert not found in keystore"); - throw new Exception("SecureTokenUtil()- Signing cert not found in keystore"); - } - } - // Create the Certificate issuer:sn map - m_x509ISNCertMap = new HashMap(); + x509ISNCertMap = new HashMap(); Enumeration aliases = keyStore.aliases(); while (aliases.hasMoreElements()) { @@ -160,7 +214,7 @@ public final class SecureTokenUtil if (cert != null) { // Add this certificate to our map - m_x509ISNCertMap.put("IssuerDN=" + cert.getIssuerDN().getName() + " SN=" + cert.getSerialNumber().toString(), cert); + x509ISNCertMap.put("IssuerDN=" + cert.getIssuerDN().getName() + " SN=" + cert.getSerialNumber().toString(), cert); } } } 
@@ -170,6 +224,36 @@ public final class SecureTokenUtil if (inStream != null) inStream.close(); } + + return x509ISNCertMap; + } + + /** + * Check Trusted ATS Certificate Map. + */ + private synchronized Map checkTrustedAtsCertMap() + { + // Check if we need to refresh the trusted ATS Cert map + Date currDate = new Date(); + if (currDate.compareTo(m_x509ISNCertMapRefreshDate) > 0) + { + // It is time to update the trusted ATS certificate map + try + { + // Set up the next refresh date + m_x509ISNCertMapRefreshDate.setTime(currDate.getTime() + (m_x509ISNCertMapRefreshInterval * 1000)); + + // Re-create the trusted ATS certificate map + Map newX509ISNCertMap = createTrustedAtsCertMap(); + m_x509ISNCertMap = newX509ISNCertMap; + } + catch (Exception e) + { + m_log.error("SecureTokenUtil.checkTrustedAtsCertMap()- Exception caught, msg = " + e.getMessage()); + } + } + + return m_x509ISNCertMap; } /** @@ -181,7 +265,8 @@ public final class SecureTokenUtil */ private X509Certificate getCertWithX509IssuerSerialData(String issuerName, String serialNumber) { - return m_x509ISNCertMap.get("IssuerDN=" + issuerName + " SN=" + serialNumber); + Map x509ISNCertMap = checkTrustedAtsCertMap(); + return x509ISNCertMap.get("IssuerDN=" + issuerName + " SN=" + serialNumber); } /** diff --git a/CASA-auth-token/server-java/Svc/windows/casa_crypto.properties b/CASA-auth-token/server-java/Svc/windows/casa_crypto.properties index 2e10ed52..92fb8e3d 100644 --- a/CASA-auth-token/server-java/Svc/windows/casa_crypto.properties +++ b/CASA-auth-token/server-java/Svc/windows/casa_crypto.properties 
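Review bot: `checkTrustedAtsCertMap()` is `synchronized` and is now on the path of every `getCertWithX509IssuerSerialData()` call, so all concurrent token validations serialize on the instance lock and, whenever the 360 s interval elapses, wait behind a full keystore reload from disk; comparing the refresh date outside the lock and synchronizing only the reload-and-swap (with `m_x509ISNCertMap` made `volatile`) would keep the common lookup path lock-free. Because `m_x509ISNCertMapRefreshDate` is advanced before `createTrustedAtsCertMap()` runs, a failed reload — for instance while `refresh_trusted_ats_keystore.sh` has removed the store and not yet rebuilt it — keeps the stale map for a whole further interval with only an error log; that is a reasonable best-effort choice, but the javadoc should state it: `Returns the trusted ATS certificate map, reloading it from the keystore once the refresh interval has elapsed; if the reload fails the previous map is kept until the next interval.` In `getCertWithX509IssuerSerialData()`, `get()` on the raw `Map` yields `Object`, so unless a cast was lost when this page was collapsed the return needs an `(X509Certificate)` cast.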
@@ -1,5 +1,8 @@
 com.novell.casa.authtoksvc.crypto.keystore.type=jks
+com.novell.casa.authtoksvc.crypto.trusted_ats_keystore.password=secret
+com.novell.casa.authtoksvc.crypto.trusted_ats_keystore.file=ATS_INSTALL_DIR//etc//keys//trusted-ats-jks-store
 com.novell.casa.authtoksvc.crypto.keystore.password=secret
+com.novell.casa.authtoksvc.crypto.keystore.file=ATS_INSTALL_DIR//etc//keys//server//jks-store
 com.novell.casa.authtoksvc.crypto.keystore.alias=signingKey
 com.novell.casa.authtoksvc.crypto.alias.password=secret
-com.novell.casa.authtoksvc.crypto.file=ATS_INSTALL_DIR//etc//keys//server//jks-store
+
diff --git a/CASA-auth-token/server-java/package/linux/CASA_auth_token_svc.spec.in b/CASA-auth-token/server-java/package/linux/CASA_auth_token_svc.spec.in
index ed80001c..f4535fcd 100644
--- a/CASA-auth-token/server-java/package/linux/CASA_auth_token_svc.spec.in
+++ b/CASA-auth-token/server-java/package/linux/CASA_auth_token_svc.spec.in
@@ -172,6 +172,7 @@ install -m 700 Svc/linux/log4j.properties %{buildroot}/etc/CASA/authtoken/svc/lo
 # Others
 install -m 700 Svc/linux/server_keystore_setup.sh %{buildroot}%{prefix}/share/java/CASA/authtoken/bin/server_keystore_setup.sh
+install -m 700 Svc/linux/server_keystore_setup.sh %{buildroot}%{prefix}/share/java/CASA/authtoken/bin/refresh_trusted_ats_keystore.sh
 install -m 700 Svc/linux/CasaBasicATSSetup.sh %{buildroot}%{prefix}/share/java/CASA/authtoken/bin/CasaBasicATSSetup.sh
 install -m 700 Svc/linux/CasaAuthPolicyEditor.sh %{buildroot}%{prefix}/share/java/CASA/authtoken/bin/CasaAuthPolicyEditor.sh
 install -m 700 Svc/linux/CasaTomcatConnectorEditor.sh %{buildroot}%{prefix}/share/java/CASA/authtoken/bin/CasaTomcatConnectorEditor.sh
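Review bot: The new install line copies `Svc/linux/server_keystore_setup.sh` to `.../bin/refresh_trusted_ats_keystore.sh`, so the packaged "refresh" script is really the server keystore setup script and the `refresh_trusted_ats_keystore.sh` added in this commit is never installed; `CasaAts.ycp` then runs the wrong script when it refreshes the trusted keystore, which on an existing install merely chowns the server keystore and leaves the trusted-ATS store untouched, so the configured trust relationships never take effect. The source path should be `install -m 700 Svc/linux/refresh_trusted_ats_keystore.sh %{buildroot}%{prefix}/share/java/CASA/authtoken/bin/refresh_trusted_ats_keystore.sh`. The identical line in `CASA_auth_token_svc_4zen.spec.in` (its `%install` hunk follows) needs the same fix.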
@@ -260,6 +261,7 @@ rm -f /srv/www/casaats/conf/server.xml
 %{prefix}/share/java/CASA/authtoken/CasaAuthTokenSvc-%{bldno}.war
 %{prefix}/share/java/CASA/authtoken/CasaAuthTokenSvc.war
 %{prefix}/share/java/CASA/authtoken/bin/server_keystore_setup.sh
+%{prefix}/share/java/CASA/authtoken/bin/refresh_trusted_ats_keystore.sh
 %{prefix}/share/java/CASA/authtoken/bin/CasaBasicATSSetup.sh
 %{prefix}/share/java/CASA/authtoken/bin/CasaAuthPolicyEditor.sh
 %{prefix}/share/java/CASA/authtoken/bin/CasaTomcatConnectorEditor.sh
diff --git a/CASA-auth-token/server-java/package/linux/CASA_auth_token_svc_4zen.spec.in b/CASA-auth-token/server-java/package/linux/CASA_auth_token_svc_4zen.spec.in
index fafc3311..db43d019 100644
--- a/CASA-auth-token/server-java/package/linux/CASA_auth_token_svc_4zen.spec.in
+++ b/CASA-auth-token/server-java/package/linux/CASA_auth_token_svc_4zen.spec.in
@@ -172,6 +172,7 @@ install -m 700 Svc/linux/log4j.properties %{buildroot}/etc/CASA/authtoken/svc/lo
 # Others
 install -m 700 Svc/linux/server_keystore_setup.sh %{buildroot}%{prefix}/share/java/CASA/authtoken/bin/server_keystore_setup.sh
+install -m 700 Svc/linux/server_keystore_setup.sh %{buildroot}%{prefix}/share/java/CASA/authtoken/bin/refresh_trusted_ats_keystore.sh
 install -m 700 Svc/linux/CasaBasicATSSetup.sh %{buildroot}%{prefix}/share/java/CASA/authtoken/bin/CasaBasicATSSetup.sh
 install -m 700 Svc/linux/CasaAuthPolicyEditor.sh %{buildroot}%{prefix}/share/java/CASA/authtoken/bin/CasaAuthPolicyEditor.sh
 install -m 700 Svc/linux/CasaTomcatConnectorEditor.sh %{buildroot}%{prefix}/share/java/CASA/authtoken/bin/CasaTomcatConnectorEditor.sh
@@ -260,6 +261,7 @@ rm -f /srv/www/casaats/conf/server.xml
 %{prefix}/share/java/CASA/authtoken/CasaAuthTokenSvc-%{bldno}.war
 %{prefix}/share/java/CASA/authtoken/CasaAuthTokenSvc.war
 %{prefix}/share/java/CASA/authtoken/bin/server_keystore_setup.sh
+%{prefix}/share/java/CASA/authtoken/bin/refresh_trusted_ats_keystore.sh
 %{prefix}/share/java/CASA/authtoken/bin/CasaBasicATSSetup.sh
 %{prefix}/share/java/CASA/authtoken/bin/CasaAuthPolicyEditor.sh
 %{prefix}/share/java/CASA/authtoken/bin/CasaTomcatConnectorEditor.sh
diff --git a/CASA-auth-token/server-java/package/windows/AtsConfigurator/src/Configure.java b/CASA-auth-token/server-java/package/windows/AtsConfigurator/src/Configure.java
index 61c32497..e47362a0 100644
--- a/CASA-auth-token/server-java/package/windows/AtsConfigurator/src/Configure.java
+++ b/CASA-auth-token/server-java/package/windows/AtsConfigurator/src/Configure.java
@@ -48,8 +48,8 @@ public class Configure {
 // Other constants
 final static String SERVER_KEY_STORE_RELATIVE_PATH = "\\etc\\keys\\server\\jks-store";
- final static String CLIENT_KEY_STORE_RELATIVE_PATH = "\\etc\\keys\\client\\jks-store";
- final static String SIGNING_CERT_RELATIVE_PATH = "\\etc\\keys\\casaatsdSigningCert";
+ final static String CLIENT_KEY_STORE_RELATIVE_PATH = "\\etc\\keys\\trusted-ats-jks-store";
+ final static String SIGNING_CERT_RELATIVE_PATH = "\\etc\\keys\\localSigningCert";
 // Configured properties
 Properties m_properties;
diff --git a/CASA-auth-token/yast2-casa-ats/src/CasaAts.ycp b/CASA-auth-token/yast2-casa-ats/src/CasaAts.ycp
index 0c524839..0918d0f0 100644
--- a/CASA-auth-token/yast2-casa-ats/src/CasaAts.ycp
+++ b/CASA-auth-token/yast2-casa-ats/src/CasaAts.ycp
@@ -57,6 +57,7 @@ string authPolicyFile = "/etc/CASA/authtoken/svc/auth.policy"; string authPolicyEditor = "/usr/share/java/CASA/authtoken/bin/CasaAuthPolicyEditor.sh"; string iaRealmsFile = "/etc/CASA/authtoken/svc/iaRealms.xml"; string iaRealmsEditor = "/usr/share/java/CASA/authtoken/bin/CasaIaRealmsEditor.sh"; +string trustedServerCertsFolder = "/etc/CASA/authtoken/keys/trustedATSCerts"; /** * Settings Map @@ -480,6 +481,10 @@ global boolean Write() { else SCR::Execute(.target.bash, "/bin/cp "+trustedServerConfigFile+" "+trustedServerConfigFile+".YaST2save"); + // Create a fresh folder to hold the Signing Certs of the trusted ATSs + SCR::Execute(.target.bash, "/bin/rm -fr " + trustedServerCertsFolder); + SCR::Execute(.target.bash, "/bin/mkdir " + trustedServerCertsFolder); + // Update the trusted server config any anyRet = false; list trustedServerList = Settings["CONFIG_CASAATS_TRUSTED"]:[]; 
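Review bot: `/bin/rm -fr` of `trustedServerCertsFolder` followed by `/bin/mkdir` discards every previously fetched ATS certificate before any new download is attempted, so a later `curl` failure in the next hunk, or an `Abort()`, leaves the folder — and after the refresh, the trusted keystore — without certificates that were valid a moment earlier. Fetching into a fresh temporary directory and moving it into place after the loop, or deleting only entries no longer present in `trustedServerList`, avoids that window. The return values of both `SCR::Execute` calls are ignored; the `mkdir` result at least should be checked and logged with `y2error`. `Write()` starts before this hunk and continues after it.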
@@ -487,10 +492,32 @@ global boolean Write() { if (trustedServerList != []) { // Merge all of the addresses onto the string trustedServerListString = mergestring(trustedServerList, "\n"); + + // Import the Signing Certs from the trusted ATSs + foreach(string trustedATS, trustedServerList, { + if (trustedATS != "") + { + string cmd = sformat("curl -f --capath /etc/ssl/certs -o %1/%2 https://%3:443/CasaAuthTokenSvc/SigningCert", trustedServerCertsFolder, trustedATS, trustedATS); + integer exit = (integer) SCR::Execute(.target.bash, cmd); + if (exit != 0) + { + y2error("SigningCert import from " + trustedATS + "using port 443 failed with Curl error" + tostring(exit) + " trying port 2645"); + cmd = sformat("curl -f --capath /etc/ssl/certs -o %1/%2 https://%3:2645/CasaAuthTokenSvc/SigningCert", trustedServerCertsFolder, trustedATS, trustedATS); + exit = (integer) SCR::Execute(.target.bash, cmd); + if (exit != 0) + { + y2error("SigningCert import from " + trustedATS + "using port 2645 failed with Curl error" + tostring(exit)); + } + } + } + }); } anyRet = SCR::Write(.target.string, trustedServerConfigFile, trustedServerListString); if (anyRet != true) - y2error("Failed to write to " + trustedServerConfigFile); + y2error("Failed to write to " + trustedServerConfigFile); + + // Refresh the trusted ATS Keystore + SCR::Execute(.target.bash, "/usr/share/java/CASA/authtoken/bin/refresh_trusted_ats_keystore.sh"); // Write the /etc/sysconfig/casa-ats settings if(Abort()) return false; diff --git a/CASA-auth-token/yast2-casa-ats/yast2-casa-ats.spec.in b/CASA-auth-token/yast2-casa-ats/yast2-casa-ats.spec.in index ad6bcfb0..4ea84b95 100644 --- a/CASA-auth-token/yast2-casa-ats/yast2-casa-ats.spec.in +++ b/CASA-auth-token/yast2-casa-ats/yast2-casa-ats.spec.in 
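Review bot: `trustedATS` comes from `Settings["CONFIG_CASAATS_TRUSTED"]` and is spliced unquoted into the bash command built by `sformat`, both as the `-o` output filename and in the URL, so a value containing whitespace or shell metacharacters breaks or alters the command; validate it as a hostname before use or at least single-quote both substitutions. The two `y2error` messages lack spaces around the concatenations, e.g. `y2error("SigningCert import from " + trustedATS + " using port 443 failed with Curl error " + tostring(exit) + ", trying port 2645");` and likewise for the port 2645 message. The HTTPS fetch with `--capath /etc/ssl/certs` is what authenticates the certificate being trusted, yet `server_keystore_setup.sh` generates the ATS's Tomcat key self-signed, so this download presumably fails unless that certificate has been installed under `/etc/ssl/certs` — a prerequisite worth stating in the module rather than leaving administrators to reach for `curl -k`. Finally, `trustedServerConfigFile` is still written when both downloads fail, so an ATS ends up listed as trusted with no certificate in the keystore and the failure is visible only in the YaST log; reporting it to the user (or returning false) would surface the broken trust relationship. `Write()` starts before this hunk and continues after it.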
@@ -1,8 +1,8 @@
 @HEADER-COMMENT@
 @HEADER@
-Requires: yast2 CASA_auth_token_svc
-BuildRequires: perl-XML-Writer update-desktop-files yast2 yast2-devtools yast2-testsuite CASA_auth_token_svc yast2-theme-NLD java-sdk-1.5.0 update-alternatives log4j jakarta-commons-logging pwdutils CASA-devel
+Requires: yast2 CASA_auth_token_svc curl
+BuildRequires: perl-XML-Writer update-desktop-files yast2 yast2-devtools yast2-testsuite CASA_auth_token_svc curl yast2-theme-NLD java-sdk-1.5.0 update-alternatives log4j jakarta-commons-logging pwdutils CASA-devel
 BuildArchitectures: noarch