Changes to allow for the setup of trust relationships with ATSs.
@@ -30,6 +30,7 @@ EXTRA_DIST = CasaAuthtokenSvcD \
|
||||
envvars \
|
||||
envvars.zen \
|
||||
server_keystore_setup.sh \
|
||||
refresh_trusted_ats_keystore.sh \
|
||||
casa_crypto.properties \
|
||||
CasaBasicATSSetup.sh \
|
||||
CasaAuthPolicyEditor.sh \
|
||||
|
||||
@@ -1,5 +1,8 @@
|
||||
com.novell.casa.authtoksvc.crypto.keystore.type=jks
|
||||
com.novell.casa.authtoksvc.crypto.trusted_ats_keystore.password=secret
|
||||
com.novell.casa.authtoksvc.crypto.trusted_ats_keystore.file=/etc/CASA/authtoken/keys/trusted-ats-jks-store
|
||||
com.novell.casa.authtoksvc.crypto.keystore.password=secret
|
||||
com.novell.casa.authtoksvc.crypto.keystore.file=/etc/CASA/authtoken/keys/server/jks-store
|
||||
com.novell.casa.authtoksvc.crypto.keystore.alias=signingKey
|
||||
com.novell.casa.authtoksvc.crypto.alias.password=secret
|
||||
com.novell.casa.authtoksvc.crypto.file=/etc/CASA/authtoken/keys/server/jks-store
|
||||
|
||||
|
||||
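Review bot: The `com.novell.casa.authtoksvc.crypto.trusted_ats_keystore.password=secret` line stores the keystore password in clear text in a packaged properties file, and the same literal is what the new shell scripts in this commit pass to keytool as `-storepass secret`, so the password gives the keystore no protection once the file ships. If the value is only a packaging placeholder, say so above it with `# placeholder value; must be changed before deployment` and make the installed file's permissions match the keystore's (the server keystore gets `chmod 600` elsewhere in this commit). The rendered page does not show which three of the eight lines are new, nor the file name (presumably `casa_crypto.properties` from the Makefile hunk), so this applies to whichever password lines the hunk introduces.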
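--- a/CASA-auth-token/server-java/Svc/linux/refresh_trusted_ats_keystore.sh
+++ b/CASA-auth-token/server-java/Svc/linux/refresh_trusted_ats_keystore.sh
@@ -0,0 +1,69 @@
+#!/bin/sh
+########################################################################
+#
+# Copyright (C) 2006 Novell, Inc. All Rights Reserved.
+#
+# This library is free software; you can redistribute it and/or
+# modify it under the terms of the GNU Lesser General Public
+# License as published by the Free Software Foundation; version 2.1
+# of the License.
+#
+# This library is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+# Library Lesser General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public
+# License along with this library; if not, Novell, Inc.
+#
+# To contact Novell about this file by physical or electronic mail,
+# you may find current contact information at www.novell.com.
+#
+# Author: Juan Carlos Luciani <jluciani@novell.com>
+#
+########################################################################
+
+#############################################################
+# #
+# CASA Authentication Token Script for refreshing the #
+# trusted ATS keystore. #
+# #
+# This script sets up the certificate associated with the #
+# keys used by the ATS to sign authentication tokens in the #
+# keystore utilized by token validating clients. #
+# #
+#############################################################
+
+if [ -d /usr/lib64 ]; then
+LIB=lib64
+else
+LIB=lib
+fi
+
+JAVA_HOME=/usr/$LIB/jvm/jre-1.5.0
+KEYTOOL_PATH=$JAVA_HOME/bin/keytool
+KEYSTORE_PATH=/etc/CASA/authtoken/keys/trusted-ats-jks-store
+LOCAL_ATS_SIGNING_CERT_PATH=/etc/CASA/authtoken/keys/localSigningCert
+NON_LOCAL_ATS_SIGNING_CERT_DIR_PATH=/etc/CASA/authtoken/keys/trustedATSCerts
+
+# Remove the keystore if present
+rm -f $KEYSTORE_PATH
+
+// Import the SigningCert from the local ATS if present
+if [ -f $LOCAL_ATS_SIGNING_CERT_PATH ]; then
+echo "Importing local ATS cert"
+$KEYTOOL_PATH -import -noprompt -keystore $KEYSTORE_PATH -alias local_signingCert -storepass secret -keypass secret -file $LOCAL_ATS_SIGNING_CERT_PATH
+fi
+
+// Import the SigningCert of the non-local trusted ATSs
+if [ -d $NON_LOCAL_ATS_SIGNING_CERT_DIR_PATH ]; then
+for ATSCert in `ls $NON_LOCAL_ATS_SIGNING_CERT_DIR_PATH`
+do
+echo "Importing $ATSCert cert"
+$KEYTOOL_PATH -import -noprompt -keystore $KEYSTORE_PATH -alias $ATSCert -storepass secret -keypass secret -file $NON_LOCAL_ATS_SIGNING_CERT_DIR_PATH/$ATSCert
+done
+fi
+
+# List the content's of the trusted ATS keystore
+#$KEYTOOL_PATH -list -rfc -keystore $KEYSTORE_PATH -storepass secret
+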
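Review bot: The lines `// Import the SigningCert from the local ATS if present` and `// Import the SigningCert of the non-local trusted ATSs` are not comments under `#!/bin/sh`; the shell tries to execute `//` as a command and prints an error on every run, and since the script has no `set -e` it simply carries on. Replace the `//` with `#`. The `for ATSCert in \`ls $NON_LOCAL_ATS_SIGNING_CERT_DIR_PATH\`` loop should iterate a glob rather than parse `ls`, and neither keytool import checks its exit status, so a certificate that fails to import is silently missing from the trust store while the script still exits 0. The `-storepass secret` literal is the same value committed in the properties file in this commit, which is worth a comment at the top of the script if it is intentional. A rewritten import section is below; the header and variable setup are unchanged.
```sh
# … unchanged: license header, LIB/JAVA_HOME/KEYTOOL_PATH/KEYSTORE_PATH setup, rm -f of the old keystore …

# Import the SigningCert from the local ATS if present
if [ -f "$LOCAL_ATS_SIGNING_CERT_PATH" ]; then
  echo "Importing local ATS cert"
  "$KEYTOOL_PATH" -import -noprompt -keystore "$KEYSTORE_PATH" -alias local_signingCert -storepass secret -keypass secret -file "$LOCAL_ATS_SIGNING_CERT_PATH" || exit 1
fi

# Import the SigningCert of the non-local trusted ATSs
if [ -d "$NON_LOCAL_ATS_SIGNING_CERT_DIR_PATH" ]; then
  for ATSCertPath in "$NON_LOCAL_ATS_SIGNING_CERT_DIR_PATH"/*; do
    # an empty directory leaves the literal pattern; skip anything that is not a regular file
    [ -f "$ATSCertPath" ] || continue
    ATSCert=${ATSCertPath##*/}
    echo "Importing $ATSCert cert"
    "$KEYTOOL_PATH" -import -noprompt -keystore "$KEYSTORE_PATH" -alias "$ATSCert" -storepass secret -keypass secret -file "$ATSCertPath" || exit 1
  done
fi

# … unchanged: commented-out keystore listing …
```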
@@ -42,36 +42,46 @@
|
||||
# Source our environment variables file
|
||||
. /etc/CASA/authtoken/svc/envvars
|
||||
|
||||
KEYTOOL_PATH=$JAVA_HOME/bin/keytool
|
||||
KEYSTORE_PATH=/etc/CASA/authtoken/keys/server/jks-store
|
||||
TRUSTED_ATS_KEYSTORE_PATH=/etc/CASA/authtoken/keys/trusted-ats-jks-store
|
||||
LOCAL_ATS_SIGNING_CERT_PATH=/etc/CASA/authtoken/keys/localSigningCert
|
||||
|
||||
|
||||
# Perform the operation requested
|
||||
|
||||
# Do not do anything if the server keystore has already been created
|
||||
if [ -f /etc/CASA/authtoken/keys/server/jks-store ]; then
|
||||
if [ -f $KEYSTORE_PATH ]; then
|
||||
echo "The server keystore is already setup"
|
||||
# Make sure that the keystore file is owned by our service
|
||||
chown casaatsd:casaauth /etc/CASA/authtoken/keys/server/jks-store
|
||||
chown casaatsd:casaauth $KEYSTORE_PATH
|
||||
else
|
||||
echo "Setting up the server's keystore"
|
||||
|
||||
KEYTOOL_PATH=$JAVA_HOME/bin/keytool
|
||||
|
||||
# Create the server keystore with the key that will be used for signing tokens
|
||||
host=`hostname -f`
|
||||
$KEYTOOL_PATH -genkey -alias signingKey -keystore /etc/CASA/authtoken/keys/server/jks-store -dname "cn=casaatsd@$host" -validity 3600 -keypass secret -storepass secret
|
||||
$KEYTOOL_PATH -genkey -alias signingKey -keystore $KEYSTORE_PATH -dname "cn=casaatsd@$host" -validity 3600 -keypass secret -storepass secret
|
||||
|
||||
# Export self-signed certificate for the signing key
|
||||
$KEYTOOL_PATH -export -keystore /etc/CASA/authtoken/keys/server/jks-store -alias signingKey -storepass secret -keypass secret -file /etc/CASA/authtoken/keys/casaatsdSigningCert
|
||||
$KEYTOOL_PATH -export -keystore $KEYSTORE_PATH -alias signingKey -storepass secret -keypass secret -file $LOCAL_ATS_SIGNING_CERT_PATH
|
||||
|
||||
# Print the exported cert
|
||||
#$KEYTOOL_PATH -printcert -file /etc/CASA/authtoken/keys/casaatsdSigningCert
|
||||
#$KEYTOOL_PATH -printcert -file $LOCAL_ATS_SIGNING_CERT_PATH
|
||||
|
||||
# Create a key for Tomcat to do SSL communications
|
||||
$KEYTOOL_PATH -genkey -alias tomcat -keyalg RSA -keystore /etc/CASA/authtoken/keys/server/jks-store -dname "cn=$host" -validity 3600 -keypass secret -storepass secret
|
||||
# Allow the signing certificate to be downloaded from the ATS
|
||||
cp $LOCAL_ATS_SIGNING_CERT_PATH /srv/www/casaats/webapps/CasaAuthTokenSvc/SigningCert
|
||||
|
||||
# Import the signing certificate into the trusted ATS keystore
|
||||
$KEYTOOL_PATH -import -noprompt -keystore $TRUSTED_ATS_KEYSTORE_PATH -alias local_signingCert -storepass secret -keypass secret -file $LOCAL_ATS_SIGNING_CERT_PATH
|
||||
|
||||
# Create a key for Tomcat to do SSL communications
|
||||
$KEYTOOL_PATH -genkey -alias tomcat -keyalg RSA -keystore $KEYSTORE_PATH -dname "cn=$host" -validity 3600 -keypass secret -storepass secret
|
||||
|
||||
# List the contents of the server's keystore
|
||||
#$KEYTOOL_PATH -list -rfc -keystore /etc/CASA/authtoken/keys/server/jks-store -storepass secret
|
||||
#$KEYTOOL_PATH -list -rfc -keystore $KEYSTORE_PATH -storepass secret
|
||||
|
||||
# Make sure that the keystore is only accessible by the service
|
||||
chown casaatsd:casaauth /etc/CASA/authtoken/keys/server/jks-store
|
||||
chmod 600 /etc/CASA/authtoken/keys/server/jks-store
|
||||
# Make sure that the server keystore is only accessible by the service
|
||||
chown casaatsd:casaauth $KEYSTORE_PATH
|
||||
chmod 600 $KEYSTORE_PATH
|
||||
fi
|
||||
|
||||
|
||||
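Review bot: The new `$KEYTOOL_PATH -import -noprompt -keystore $TRUSTED_ATS_KEYSTORE_PATH -alias local_signingCert ...` line creates the trusted ATS keystore, but unlike the server keystore a few lines below it gets no `chown casaatsd:casaauth` and its exit status is not checked, so a failed import leaves the validating side with no trusted signer while the script still reports success. Add `|| exit 1` to that import (and to the `-genkey` and `-export` calls it depends on) and give the trusted keystore the ownership the service needs to read it, e.g. `chown casaatsd:casaauth $TRUSTED_ATS_KEYSTORE_PATH` next to the existing server-keystore chown; whether it should also be `chmod 600` depends on which processes validate tokens, which is not visible here. The new `refresh_trusted_ats_keystore.sh` in this commit starts with `rm -f` on that same keystore and re-imports the `local_signingCert` alias, so a comment here stating which script owns the file (and in what order they are expected to run) would prevent the two from fighting over it. The hunk starts at line 42: the `if`/`else` block is fully visible, but the script's preamble and the sourced `envvars` file are not.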