Changes to allow for the setup of trust relationships with ATSs.

CASA-auth-token/server-java/Svc/linux/server_keystore_setup.sh

@@ -42,36 +42,46 @@
 # Source our environment variables file
 . /etc/CASA/authtoken/svc/envvars
 
+KEYTOOL_PATH=$JAVA_HOME/bin/keytool
+KEYSTORE_PATH=/etc/CASA/authtoken/keys/server/jks-store
+TRUSTED_ATS_KEYSTORE_PATH=/etc/CASA/authtoken/keys/trusted-ats-jks-store
+LOCAL_ATS_SIGNING_CERT_PATH=/etc/CASA/authtoken/keys/localSigningCert
+
+
 # Perform the operation requested
 
 # Do not do anything if the server keystore has already been created
-if [ -f /etc/CASA/authtoken/keys/server/jks-store ]; then
+if [ -f $KEYSTORE_PATH ]; then
    echo "The server keystore is already setup"
         # Make sure that the keystore file is owned by our service
-        chown casaatsd:casaauth /etc/CASA/authtoken/keys/server/jks-store
+        chown casaatsd:casaauth $KEYSTORE_PATH
 else
    echo "Setting up the server's keystore"
 
-   KEYTOOL_PATH=$JAVA_HOME/bin/keytool
-
    # Create the server keystore with the key that will be used for signing tokens
    host=`hostname -f`
-   $KEYTOOL_PATH -genkey -alias signingKey -keystore /etc/CASA/authtoken/keys/server/jks-store -dname "cn=casaatsd@$host" -validity 3600 -keypass secret -storepass secret
+   $KEYTOOL_PATH -genkey -alias signingKey -keystore $KEYSTORE_PATH -dname "cn=casaatsd@$host" -validity 3600 -keypass secret -storepass secret
 
    # Export self-signed certificate for the signing key
-   $KEYTOOL_PATH -export -keystore /etc/CASA/authtoken/keys/server/jks-store -alias signingKey -storepass secret -keypass secret -file /etc/CASA/authtoken/keys/casaatsdSigningCert
+   $KEYTOOL_PATH -export -keystore $KEYSTORE_PATH -alias signingKey -storepass secret -keypass secret -file $LOCAL_ATS_SIGNING_CERT_PATH
 
    # Print the exported cert
-   #$KEYTOOL_PATH -printcert -file /etc/CASA/authtoken/keys/casaatsdSigningCert
+   #$KEYTOOL_PATH -printcert -file $LOCAL_ATS_SIGNING_CERT_PATH
 
-        # Create a key for Tomcat to do SSL communications
-        $KEYTOOL_PATH -genkey -alias tomcat -keyalg RSA -keystore /etc/CASA/authtoken/keys/server/jks-store -dname "cn=$host" -validity 3600 -keypass secret -storepass secret
+   # Allow the signing certificate to be downloaded from the ATS
+   cp $LOCAL_ATS_SIGNING_CERT_PATH /srv/www/casaats/webapps/CasaAuthTokenSvc/SigningCert
+
+   # Import the signing certificate into the trusted ATS keystore
+   $KEYTOOL_PATH -import -noprompt -keystore $TRUSTED_ATS_KEYSTORE_PATH -alias local_signingCert -storepass secret -keypass secret -file $LOCAL_ATS_SIGNING_CERT_PATH
+
+   # Create a key for Tomcat to do SSL communications
+   $KEYTOOL_PATH -genkey -alias tomcat -keyalg RSA -keystore $KEYSTORE_PATH -dname "cn=$host" -validity 3600 -keypass secret -storepass secret
 
    # List the contents of the server's keystore
-   #$KEYTOOL_PATH -list -rfc -keystore /etc/CASA/authtoken/keys/server/jks-store -storepass secret
+   #$KEYTOOL_PATH -list -rfc -keystore $KEYSTORE_PATH -storepass secret
 
-   # Make sure that the keystore is only accessible by the service
-   chown casaatsd:casaauth /etc/CASA/authtoken/keys/server/jks-store
-   chmod 600 /etc/CASA/authtoken/keys/server/jks-store
+   # Make sure that the server keystore is only accessible by the service
+   chown casaatsd:casaauth $KEYSTORE_PATH
+   chmod 600 $KEYSTORE_PATH
 fi