geos_one/CASA
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Changes to allow for the setup of trust relationships with ATSs.

Browse Source
This commit is contained in:
Juan Carlos Luciani 2007-06-01 15:41:46 +00:00
parent 01978036ef
commit ef99031e7e
15 changed files with 284 additions and 82 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
CASA-auth-token/server-java/Jaas/linux/casa_crypto.properties
View File

@ -1,5 +1,4 @@
com.novell.casa.authtoksvc.crypto.keystore.type=jks com.novell.casa.authtoksvc.crypto.keystore.type=jks
com.novell.casa.authtoksvc.crypto.keystore.password=secret com.novell.casa.authtoksvc.crypto.trusted_ats_keystore.password=secret
com.novell.casa.authtoksvc.crypto.keystore.alias=signingCert com.novell.casa.authtoksvc.crypto.trusted_ats_keystore.file=/etc/CASA/authtoken/keys/trusted-ats-jks-store
com.novell.casa.authtoksvc.crypto.alias.password=secret
com.novell.casa.authtoksvc.crypto.file=/etc/CASA/authtoken/keys/client/jks-store

16
CASA-auth-token/server-java/Jaas/linux/client_keystore_setup.sh
View File

@ -48,24 +48,26 @@ else
fi fi
JAVA_HOME=/usr/$LIB/jvm/jre-1.5.0 JAVA_HOME=/usr/$LIB/jvm/jre-1.5.0
KEYTOOL_PATH=$JAVA_HOME/bin/keytool
KEYSTORE_PATH=/etc/CASA/authtoken/keys/trusted-ats-jks-store
LOCAL_ATS_SIGNING_CERT_PATH=/etc/CASA/authtoken/keys/localSigningCert
# Do not do anything if the client keystore has already been created # Do not do anything if the client keystore has already been created
if [ -f /etc/CASA/authtoken/keys/client/jks-store ]; then if [ -f $KEYSTORE_PATH ]; then
if [ $SILENT == 0 ]; then if [ $SILENT == 0 ]; then
echo "The client keystore is already setup" echo "The client keystore is already setup"
fi fi
else else
if [ -f /etc/CASA/authtoken/keys/casaatsdSigningCert ]; then if [ -f $LOCAL_ATS_SIGNING_CERT_PATH ]; then
echo "Setting up the clients's keystore" echo "Setting up the clients's keystore"
KEYTOOL_PATH=$JAVA_HOME/bin/keytool
# Import the certificate to the client's keystore # Import the certificate to the client's keystore
$KEYTOOL_PATH -import -noprompt -keystore /etc/CASA/authtoken/keys/client/jks-store -alias signingCert -storepass secret -keypass secret -file /etc/CASA/authtoken/keys/casaatsdSigningCert $KEYTOOL_PATH -import -noprompt -keystore $KEYSTORE_PATH -alias signingCert -storepass secret -keypass secret -file $LOCAL_ATS_SIGNING_CERT_PATH
# List the content's of the client's keystore # List the content's of the client's keystore
#$KEYTOOL_PATH -list -rfc -keystore client/jks-store -alias signingCert -storepass secret #$KEYTOOL_PATH -list -rfc -keystore $KEYSTORE_PATH -alias signingCert -storepass secret
else else
echo "File /etc/CASA/authtoken/keys/casaatsdSigningCert not found" echo "File $LOCAL_ATS_SIGNING_CERT_PATH not found"
fi fi
fi fi

16
CASA-auth-token/server-java/Jaas/linux/client_keystore_setup.sh.zen
View File

@ -42,26 +42,26 @@ if [ "$1" != "" ]; then
fi fi
fi fi
# Set JAVA_HOME
JAVA_HOME="/opt/novell/zenworks/share/java" JAVA_HOME="/opt/novell/zenworks/share/java"
KEYTOOL_PATH=$JAVA_HOME/bin/keytool
KEYSTORE_PATH=/etc/CASA/authtoken/keys/trusted-ats-jks-store
LOCAL_ATS_SIGNING_CERT_PATH=/etc/CASA/authtoken/keys/localSigningCert
# Do not do anything if the client keystore has already been created # Do not do anything if the client keystore has already been created
if [ -f /etc/CASA/authtoken/keys/client/jks-store ]; then if [ -f $KEYSTORE_PATH ]; then
if [ $SILENT == 0 ]; then if [ $SILENT == 0 ]; then
echo "The client keystore is already setup" echo "The client keystore is already setup"
fi fi
else else
if [ -f /etc/CASA/authtoken/keys/casaatsdSigningCert ]; then if [ -f $LOCAL_ATS_SIGNING_CERT_PATH ]; then
echo "Setting up the clients's keystore" echo "Setting up the clients's keystore"
KEYTOOL_PATH=$JAVA_HOME/bin/keytool
# Import the certificate to the client's keystore # Import the certificate to the client's keystore
$KEYTOOL_PATH -import -noprompt -keystore /etc/CASA/authtoken/keys/client/jks-store -alias signingCert -storepass secret -keypass secret -file /etc/CASA/authtoken/keys/casaatsdSigningCert $KEYTOOL_PATH -import -noprompt -keystore $KEYSTORE_PATH -alias signingCert -storepass secret -keypass secret -file $LOCAL_ATS_SIGNING_CERT_PATH
# List the content's of the client's keystore # List the content's of the client's keystore
#$KEYTOOL_PATH -list -rfc -keystore client/jks-store -alias signingCert -storepass secret #$KEYTOOL_PATH -list -rfc -keystore $KEYSTORE_PATH -alias signingCert -storepass secret
else else
echo "File /etc/CASA/authtoken/keys/casaatsdSigningCert not found" echo "File $LOCAL_ATS_SIGNING_CERT_PATH not found"
fi fi
fi fi

7
CASA-auth-token/server-java/Jaas/windows/casa_crypto.properties
View File

@ -1,5 +1,4 @@
com.novell.casa.authtoksvc.crypto.keystore.type=jks com.novell.casa.authtoksvc.crypto.keystore.type=jks
com.novell.casa.authtoksvc.crypto.keystore.password=secret com.novell.casa.authtoksvc.crypto.trusted_ats_keystore.password=secret
com.novell.casa.authtoksvc.crypto.keystore.alias=signingCert com.novell.casa.authtoksvc.crypto.trusted_ats_keystore.file=ATS_INSTALL_DIR//etc//keys//trusted-ats-jks-store
com.novell.casa.authtoksvc.crypto.alias.password=secret
com.novell.casa.authtoksvc.crypto.file=/etc/CASA/authtoken/keys/client/jks-store

1
CASA-auth-token/server-java/Svc/linux/Makefile.am
View File

@ -30,6 +30,7 @@ EXTRA_DIST = CasaAuthtokenSvcD \
envvars \ envvars \
envvars.zen \ envvars.zen \
server_keystore_setup.sh \ server_keystore_setup.sh \
refresh_trusted_ats_keystore.sh \
casa_crypto.properties \ casa_crypto.properties \
CasaBasicATSSetup.sh \ CasaBasicATSSetup.sh \
CasaAuthPolicyEditor.sh \ CasaAuthPolicyEditor.sh \

5
CASA-auth-token/server-java/Svc/linux/casa_crypto.properties
View File

@ -1,5 +1,8 @@
com.novell.casa.authtoksvc.crypto.keystore.type=jks com.novell.casa.authtoksvc.crypto.keystore.type=jks
com.novell.casa.authtoksvc.crypto.trusted_ats_keystore.password=secret
com.novell.casa.authtoksvc.crypto.trusted_ats_keystore.file=/etc/CASA/authtoken/keys/trusted-ats-jks-store
com.novell.casa.authtoksvc.crypto.keystore.password=secret com.novell.casa.authtoksvc.crypto.keystore.password=secret
com.novell.casa.authtoksvc.crypto.keystore.file=/etc/CASA/authtoken/keys/server/jks-store
com.novell.casa.authtoksvc.crypto.keystore.alias=signingKey com.novell.casa.authtoksvc.crypto.keystore.alias=signingKey
com.novell.casa.authtoksvc.crypto.alias.password=secret com.novell.casa.authtoksvc.crypto.alias.password=secret
com.novell.casa.authtoksvc.crypto.file=/etc/CASA/authtoken/keys/server/jks-store

69
CASA-auth-token/server-java/Svc/linux/refresh_trusted_ats_keystore.sh Executable file
View File

@ -0,0 +1,69 @@
#!/bin/sh
########################################################################
#
# Copyright (C) 2006 Novell, Inc. All Rights Reserved.
#
# This library is free software; you can redistribute it and/or
# modify it under the terms of the GNU Lesser General Public
# License as published by the Free Software Foundation; version 2.1
# of the License.
#
# This library is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
# Library Lesser General Public License for more details.
#
# You should have received a copy of the GNU Lesser General Public
# License along with this library; if not, Novell, Inc.
#
# To contact Novell about this file by physical or electronic mail,
# you may find current contact information at www.novell.com.
#
# Author: Juan Carlos Luciani <jluciani@novell.com>
#
########################################################################
#############################################################
# #
# CASA Authentication Token Script for refreshing the #
# trusted ATS keystore. #
# #
# This script sets up the certificate associated with the #
# keys used by the ATS to sign authentication tokens in the #
# keystore utilized by token validating clients. #
# #
#############################################################
if [ -d /usr/lib64 ]; then
LIB=lib64
else
LIB=lib
fi
JAVA_HOME=/usr/$LIB/jvm/jre-1.5.0
KEYTOOL_PATH=$JAVA_HOME/bin/keytool
KEYSTORE_PATH=/etc/CASA/authtoken/keys/trusted-ats-jks-store
LOCAL_ATS_SIGNING_CERT_PATH=/etc/CASA/authtoken/keys/localSigningCert
NON_LOCAL_ATS_SIGNING_CERT_DIR_PATH=/etc/CASA/authtoken/keys/trustedATSCerts
# Remove the keystore if present
rm -f $KEYSTORE_PATH
// Import the SigningCert from the local ATS if present
if [ -f $LOCAL_ATS_SIGNING_CERT_PATH ]; then
echo "Importing local ATS cert"
$KEYTOOL_PATH -import -noprompt -keystore $KEYSTORE_PATH -alias local_signingCert -storepass secret -keypass secret -file $LOCAL_ATS_SIGNING_CERT_PATH
fi
// Import the SigningCert of the non-local trusted ATSs
if [ -d $NON_LOCAL_ATS_SIGNING_CERT_DIR_PATH ]; then
for ATSCert in `ls $NON_LOCAL_ATS_SIGNING_CERT_DIR_PATH`
do
echo "Importing $ATSCert cert"
$KEYTOOL_PATH -import -noprompt -keystore $KEYSTORE_PATH -alias $ATSCert -storepass secret -keypass secret -file $NON_LOCAL_ATS_SIGNING_CERT_DIR_PATH/$ATSCert
done
fi
# List the content's of the trusted ATS keystore
#$KEYTOOL_PATH -list -rfc -keystore $KEYSTORE_PATH -storepass secret

36
CASA-auth-token/server-java/Svc/linux/server_keystore_setup.sh
View File

@ -42,36 +42,46 @@
# Source our environment variables file # Source our environment variables file
. /etc/CASA/authtoken/svc/envvars . /etc/CASA/authtoken/svc/envvars
KEYTOOL_PATH=$JAVA_HOME/bin/keytool
KEYSTORE_PATH=/etc/CASA/authtoken/keys/server/jks-store
TRUSTED_ATS_KEYSTORE_PATH=/etc/CASA/authtoken/keys/trusted-ats-jks-store
LOCAL_ATS_SIGNING_CERT_PATH=/etc/CASA/authtoken/keys/localSigningCert
# Perform the operation requested # Perform the operation requested
# Do not do anything if the server keystore has already been created # Do not do anything if the server keystore has already been created
if [ -f /etc/CASA/authtoken/keys/server/jks-store ]; then if [ -f $KEYSTORE_PATH ]; then
echo "The server keystore is already setup" echo "The server keystore is already setup"
# Make sure that the keystore file is owned by our service # Make sure that the keystore file is owned by our service
chown casaatsd:casaauth /etc/CASA/authtoken/keys/server/jks-store chown casaatsd:casaauth $KEYSTORE_PATH
else else
echo "Setting up the server's keystore" echo "Setting up the server's keystore"
KEYTOOL_PATH=$JAVA_HOME/bin/keytool
# Create the server keystore with the key that will be used for signing tokens # Create the server keystore with the key that will be used for signing tokens
host=`hostname -f` host=`hostname -f`
$KEYTOOL_PATH -genkey -alias signingKey -keystore /etc/CASA/authtoken/keys/server/jks-store -dname "cn=casaatsd@$host" -validity 3600 -keypass secret -storepass secret $KEYTOOL_PATH -genkey -alias signingKey -keystore $KEYSTORE_PATH -dname "cn=casaatsd@$host" -validity 3600 -keypass secret -storepass secret
# Export self-signed certificate for the signing key # Export self-signed certificate for the signing key
$KEYTOOL_PATH -export -keystore /etc/CASA/authtoken/keys/server/jks-store -alias signingKey -storepass secret -keypass secret -file /etc/CASA/authtoken/keys/casaatsdSigningCert $KEYTOOL_PATH -export -keystore $KEYSTORE_PATH -alias signingKey -storepass secret -keypass secret -file $LOCAL_ATS_SIGNING_CERT_PATH
# Print the exported cert # Print the exported cert
#$KEYTOOL_PATH -printcert -file /etc/CASA/authtoken/keys/casaatsdSigningCert #$KEYTOOL_PATH -printcert -file $LOCAL_ATS_SIGNING_CERT_PATH
# Create a key for Tomcat to do SSL communications # Allow the signing certificate to be downloaded from the ATS
$KEYTOOL_PATH -genkey -alias tomcat -keyalg RSA -keystore /etc/CASA/authtoken/keys/server/jks-store -dname "cn=$host" -validity 3600 -keypass secret -storepass secret cp $LOCAL_ATS_SIGNING_CERT_PATH /srv/www/casaats/webapps/CasaAuthTokenSvc/SigningCert
# Import the signing certificate into the trusted ATS keystore
$KEYTOOL_PATH -import -noprompt -keystore $TRUSTED_ATS_KEYSTORE_PATH -alias local_signingCert -storepass secret -keypass secret -file $LOCAL_ATS_SIGNING_CERT_PATH
# Create a key for Tomcat to do SSL communications
$KEYTOOL_PATH -genkey -alias tomcat -keyalg RSA -keystore $KEYSTORE_PATH -dname "cn=$host" -validity 3600 -keypass secret -storepass secret
# List the contents of the server's keystore # List the contents of the server's keystore
#$KEYTOOL_PATH -list -rfc -keystore /etc/CASA/authtoken/keys/server/jks-store -storepass secret #$KEYTOOL_PATH -list -rfc -keystore $KEYSTORE_PATH -storepass secret
# Make sure that the keystore is only accessible by the service # Make sure that the server keystore is only accessible by the service
chown casaatsd:casaauth /etc/CASA/authtoken/keys/server/jks-store chown casaatsd:casaauth $KEYSTORE_PATH
chmod 600 /etc/CASA/authtoken/keys/server/jks-store chmod 600 $KEYSTORE_PATH
fi fi

163
CASA-auth-token/server-java/Svc/src/com/novell/casa/authtoksvc/SecureTokenUtil.java
View File

@ -65,6 +65,8 @@ public final class SecureTokenUtil
// //
// The map key has the format: "IssuerDN=certissuername SN=certserialnumber" // The map key has the format: "IssuerDN=certissuername SN=certserialnumber"
private Map<String,X509Certificate> m_x509ISNCertMap; private Map<String,X509Certificate> m_x509ISNCertMap;
private Date m_x509ISNCertMapRefreshDate;
private int m_x509ISNCertMapRefreshInterval = 360; // seconds
// SecureToken template // SecureToken template
private static final String m_secureTokenTemplate = private static final String m_secureTokenTemplate =
@ -93,6 +95,90 @@ public final class SecureTokenUtil
*/ */
public SecureTokenUtil(boolean serverMode) throws Exception public SecureTokenUtil(boolean serverMode) throws Exception
{ {
// Start by creating the trusted ATS Cert Map
m_x509ISNCertMap = createTrustedAtsCertMap();
m_x509ISNCertMapRefreshDate = new Date();
m_x509ISNCertMapRefreshDate.setTime(m_x509ISNCertMapRefreshDate.getTime() + (m_x509ISNCertMapRefreshInterval * 1000));
// Obtain the signing key and certificate if we are in server mode
if (serverMode)
{
InputStream inStream = null;
try
{
// Load our crypto properties
Properties cryptoProperties = new Properties();
ClassLoader classLoader = SecureTokenUtil.class.getClassLoader();
inStream = classLoader.getResourceAsStream("casa_crypto.properties");
cryptoProperties.load(inStream);
// Get necessary keystore info from the crypto properties
String keystoreType = cryptoProperties.getProperty("com.novell.casa.authtoksvc.crypto.keystore.type", "jks");
String keystoreFile = cryptoProperties.getProperty("com.novell.casa.authtoksvc.crypto.keystore.file");
String keystorePass = cryptoProperties.getProperty("com.novell.casa.authtoksvc.crypto.keystore.password");
if (keystoreType == null
|| keystoreFile == null
|| keystorePass == null)
{
m_log.error("Constructor()- Missing crypto configuration");
throw new Exception("SecureTokenUtil()- Missing crypto configuration");
}
// Instantiate and load the keystore
KeyStore keyStore = KeyStore.getInstance(keystoreType);
FileInputStream fis = new FileInputStream(keystoreFile);
keyStore.load(fis, keystorePass.toCharArray());
// Get signing key and cert if in server mode
if (serverMode)
{
String privateKeyAlias = cryptoProperties.getProperty("com.novell.casa.authtoksvc.crypto.keystore.alias");
String privateKeyPass = cryptoProperties.getProperty("com.novell.casa.authtoksvc.crypto.alias.password");
String certificateAlias = cryptoProperties.getProperty("com.novell.casa.authtoksvc.crypto.keystore.alias");
if (privateKeyAlias == null
|| privateKeyPass == null
|| certificateAlias == null)
{
m_log.error("Constructor()- Missing crypto configuration");
throw new Exception("SecureTokenUtil()- Missing crypto configuration");
}
// Get the key that will be used for signing tokens
m_signingKey = (PrivateKey) keyStore.getKey(privateKeyAlias,
privateKeyPass.toCharArray());
if (m_signingKey == null)
{
m_log.error("Constructor()- Signing key not found in keystore");
throw new Exception("SecureTokenUtil()- Signing key not found in keystore");
}
// Get the signing certificate
m_signingCert = (X509Certificate) keyStore.getCertificate(certificateAlias);
if (m_signingCert == null)
{
m_log.error("Constructor()- Signing cert not found in keystore");
throw new Exception("SecureTokenUtil()- Signing cert not found in keystore");
}
}
}
finally
{
// Make sure that the input stream has been closed
if (inStream != null)
inStream.close();
}
}
}
/**
* Static Create Trusted ATS Certificate Map.
* <p/>
* @return Trusted ATS Certificate Map
* @throws Exception
*/
private static Map<String,X509Certificate> createTrustedAtsCertMap() throws Exception
{
Map<String,X509Certificate> x509ISNCertMap;
InputStream inStream = null; InputStream inStream = null;
try try
{ {
@ -104,14 +190,14 @@ public final class SecureTokenUtil
// Get necessary keystore info from the crypto properties // Get necessary keystore info from the crypto properties
String keystoreType = cryptoProperties.getProperty("com.novell.casa.authtoksvc.crypto.keystore.type", "jks"); String keystoreType = cryptoProperties.getProperty("com.novell.casa.authtoksvc.crypto.keystore.type", "jks");
String keystoreFile = cryptoProperties.getProperty("com.novell.casa.authtoksvc.crypto.file"); String keystoreFile = cryptoProperties.getProperty("com.novell.casa.authtoksvc.crypto.trusted_ats_keystore.file");
String keystorePass = cryptoProperties.getProperty("com.novell.casa.authtoksvc.crypto.keystore.password"); String keystorePass = cryptoProperties.getProperty("com.novell.casa.authtoksvc.crypto.trusted_ats_keystore.password");
if (keystoreType == null if (keystoreType == null
|| keystoreFile == null || keystoreFile == null
|| keystorePass == null) || keystorePass == null)
{ {
m_log.error("Constructor()- Missing crypto configuration"); m_log.error("SecureTokenUtil.createTrustedAtsCertMap()- Missing crypto configuration");
throw new Exception("SecureTokenUtil()- Missing crypto configuration"); throw new Exception("SecureTokenUtil.createTrustedAtsCertMap()- Missing crypto configuration");
} }
// Instantiate and load the keystore // Instantiate and load the keystore
@ -119,40 +205,8 @@ public final class SecureTokenUtil
FileInputStream fis = new FileInputStream(keystoreFile); FileInputStream fis = new FileInputStream(keystoreFile);
keyStore.load(fis, keystorePass.toCharArray()); keyStore.load(fis, keystorePass.toCharArray());
// Get signing key and cert if in server mode
if (serverMode)
{
String privateKeyAlias = cryptoProperties.getProperty("com.novell.casa.authtoksvc.crypto.keystore.alias");
String privateKeyPass = cryptoProperties.getProperty("com.novell.casa.authtoksvc.crypto.alias.password");
String certificateAlias = cryptoProperties.getProperty("com.novell.casa.authtoksvc.crypto.keystore.alias");
if (privateKeyAlias == null
|| privateKeyPass == null
|| certificateAlias == null)
{
m_log.error("Constructor()- Missing crypto configuration");
throw new Exception("SecureTokenUtil()- Missing crypto configuration");
}
// Get the key that will be used for signing tokens
m_signingKey = (PrivateKey) keyStore.getKey(privateKeyAlias,
privateKeyPass.toCharArray());
if (m_signingKey == null)
{
m_log.error("Constructor()- Signing key not found in keystore");
throw new Exception("SecureTokenUtil()- Signing key not found in keystore");
}
// Get the signing certificate
m_signingCert = (X509Certificate) keyStore.getCertificate(certificateAlias);
if (m_signingCert == null)
{
m_log.error("Constructor()- Signing cert not found in keystore");
throw new Exception("SecureTokenUtil()- Signing cert not found in keystore");
}
}
// Create the Certificate issuer:sn map // Create the Certificate issuer:sn map
m_x509ISNCertMap = new HashMap<String,X509Certificate>(); x509ISNCertMap = new HashMap<String,X509Certificate>();
Enumeration<String> aliases = keyStore.aliases(); Enumeration<String> aliases = keyStore.aliases();
while (aliases.hasMoreElements()) while (aliases.hasMoreElements())
{ {
@ -160,7 +214,7 @@ public final class SecureTokenUtil
if (cert != null) if (cert != null)
{ {
// Add this certificate to our map // Add this certificate to our map
m_x509ISNCertMap.put("IssuerDN=" + cert.getIssuerDN().getName() + " SN=" + cert.getSerialNumber().toString(), cert); x509ISNCertMap.put("IssuerDN=" + cert.getIssuerDN().getName() + " SN=" + cert.getSerialNumber().toString(), cert);
} }
} }
} }
@ -170,6 +224,36 @@ public final class SecureTokenUtil
if (inStream != null) if (inStream != null)
inStream.close(); inStream.close();
} }
return x509ISNCertMap;
}
/**
* Check Trusted ATS Certificate Map.
*/
private synchronized Map<String,X509Certificate> checkTrustedAtsCertMap()
{
// Check if we need to refresh the trusted ATS Cert map
Date currDate = new Date();
if (currDate.compareTo(m_x509ISNCertMapRefreshDate) > 0)
{
// It is time to update the trusted ATS certificate map
try
{
// Set up the next refresh date
m_x509ISNCertMapRefreshDate.setTime(currDate.getTime() + (m_x509ISNCertMapRefreshInterval * 1000));
// Re-create the trusted ATS certificate map
Map<String,X509Certificate> newX509ISNCertMap = createTrustedAtsCertMap();
m_x509ISNCertMap = newX509ISNCertMap;
}
catch (Exception e)
{
m_log.error("SecureTokenUtil.checkTrustedAtsCertMap()- Exception caught, msg = " + e.getMessage());
}
}
return m_x509ISNCertMap;
} }
/** /**
@ -181,7 +265,8 @@ public final class SecureTokenUtil
*/ */
private X509Certificate getCertWithX509IssuerSerialData(String issuerName, String serialNumber) private X509Certificate getCertWithX509IssuerSerialData(String issuerName, String serialNumber)
{ {
return m_x509ISNCertMap.get("IssuerDN=" + issuerName + " SN=" + serialNumber); Map<String,X509Certificate> x509ISNCertMap = checkTrustedAtsCertMap();
return x509ISNCertMap.get("IssuerDN=" + issuerName + " SN=" + serialNumber);
} }
/** /**

5
CASA-auth-token/server-java/Svc/windows/casa_crypto.properties
View File

@ -1,5 +1,8 @@
com.novell.casa.authtoksvc.crypto.keystore.type=jks com.novell.casa.authtoksvc.crypto.keystore.type=jks
com.novell.casa.authtoksvc.crypto.trusted_ats_keystore.password=secret
com.novell.casa.authtoksvc.crypto.trusted_ats_keystore.file=ATS_INSTALL_DIR//etc//keys//trusted-ats-jks-store
com.novell.casa.authtoksvc.crypto.keystore.password=secret com.novell.casa.authtoksvc.crypto.keystore.password=secret
com.novell.casa.authtoksvc.crypto.keystore.file=ATS_INSTALL_DIR//etc//keys//server//jks-store
com.novell.casa.authtoksvc.crypto.keystore.alias=signingKey com.novell.casa.authtoksvc.crypto.keystore.alias=signingKey
com.novell.casa.authtoksvc.crypto.alias.password=secret com.novell.casa.authtoksvc.crypto.alias.password=secret
com.novell.casa.authtoksvc.crypto.file=ATS_INSTALL_DIR//etc//keys//server//jks-store

2
CASA-auth-token/server-java/package/linux/CASA_auth_token_svc.spec.in
View File

@ -172,6 +172,7 @@ install -m 700 Svc/linux/log4j.properties %{buildroot}/etc/CASA/authtoken/svc/lo
# Others # Others
install -m 700 Svc/linux/server_keystore_setup.sh %{buildroot}%{prefix}/share/java/CASA/authtoken/bin/server_keystore_setup.sh install -m 700 Svc/linux/server_keystore_setup.sh %{buildroot}%{prefix}/share/java/CASA/authtoken/bin/server_keystore_setup.sh
install -m 700 Svc/linux/server_keystore_setup.sh %{buildroot}%{prefix}/share/java/CASA/authtoken/bin/refresh_trusted_ats_keystore.sh
install -m 700 Svc/linux/CasaBasicATSSetup.sh %{buildroot}%{prefix}/share/java/CASA/authtoken/bin/CasaBasicATSSetup.sh install -m 700 Svc/linux/CasaBasicATSSetup.sh %{buildroot}%{prefix}/share/java/CASA/authtoken/bin/CasaBasicATSSetup.sh
install -m 700 Svc/linux/CasaAuthPolicyEditor.sh %{buildroot}%{prefix}/share/java/CASA/authtoken/bin/CasaAuthPolicyEditor.sh install -m 700 Svc/linux/CasaAuthPolicyEditor.sh %{buildroot}%{prefix}/share/java/CASA/authtoken/bin/CasaAuthPolicyEditor.sh
install -m 700 Svc/linux/CasaTomcatConnectorEditor.sh %{buildroot}%{prefix}/share/java/CASA/authtoken/bin/CasaTomcatConnectorEditor.sh install -m 700 Svc/linux/CasaTomcatConnectorEditor.sh %{buildroot}%{prefix}/share/java/CASA/authtoken/bin/CasaTomcatConnectorEditor.sh
@ -260,6 +261,7 @@ rm -f /srv/www/casaats/conf/server.xml
%{prefix}/share/java/CASA/authtoken/CasaAuthTokenSvc-%{bldno}.war %{prefix}/share/java/CASA/authtoken/CasaAuthTokenSvc-%{bldno}.war
%{prefix}/share/java/CASA/authtoken/CasaAuthTokenSvc.war %{prefix}/share/java/CASA/authtoken/CasaAuthTokenSvc.war
%{prefix}/share/java/CASA/authtoken/bin/server_keystore_setup.sh %{prefix}/share/java/CASA/authtoken/bin/server_keystore_setup.sh
%{prefix}/share/java/CASA/authtoken/bin/refresh_trusted_ats_keystore.sh
%{prefix}/share/java/CASA/authtoken/bin/CasaBasicATSSetup.sh %{prefix}/share/java/CASA/authtoken/bin/CasaBasicATSSetup.sh
%{prefix}/share/java/CASA/authtoken/bin/CasaAuthPolicyEditor.sh %{prefix}/share/java/CASA/authtoken/bin/CasaAuthPolicyEditor.sh
%{prefix}/share/java/CASA/authtoken/bin/CasaTomcatConnectorEditor.sh %{prefix}/share/java/CASA/authtoken/bin/CasaTomcatConnectorEditor.sh

2
CASA-auth-token/server-java/package/linux/CASA_auth_token_svc_4zen.spec.in
View File

@ -172,6 +172,7 @@ install -m 700 Svc/linux/log4j.properties %{buildroot}/etc/CASA/authtoken/svc/lo
# Others # Others
install -m 700 Svc/linux/server_keystore_setup.sh %{buildroot}%{prefix}/share/java/CASA/authtoken/bin/server_keystore_setup.sh install -m 700 Svc/linux/server_keystore_setup.sh %{buildroot}%{prefix}/share/java/CASA/authtoken/bin/server_keystore_setup.sh
install -m 700 Svc/linux/server_keystore_setup.sh %{buildroot}%{prefix}/share/java/CASA/authtoken/bin/refresh_trusted_ats_keystore.sh
install -m 700 Svc/linux/CasaBasicATSSetup.sh %{buildroot}%{prefix}/share/java/CASA/authtoken/bin/CasaBasicATSSetup.sh install -m 700 Svc/linux/CasaBasicATSSetup.sh %{buildroot}%{prefix}/share/java/CASA/authtoken/bin/CasaBasicATSSetup.sh
install -m 700 Svc/linux/CasaAuthPolicyEditor.sh %{buildroot}%{prefix}/share/java/CASA/authtoken/bin/CasaAuthPolicyEditor.sh install -m 700 Svc/linux/CasaAuthPolicyEditor.sh %{buildroot}%{prefix}/share/java/CASA/authtoken/bin/CasaAuthPolicyEditor.sh
install -m 700 Svc/linux/CasaTomcatConnectorEditor.sh %{buildroot}%{prefix}/share/java/CASA/authtoken/bin/CasaTomcatConnectorEditor.sh install -m 700 Svc/linux/CasaTomcatConnectorEditor.sh %{buildroot}%{prefix}/share/java/CASA/authtoken/bin/CasaTomcatConnectorEditor.sh
@ -260,6 +261,7 @@ rm -f /srv/www/casaats/conf/server.xml
%{prefix}/share/java/CASA/authtoken/CasaAuthTokenSvc-%{bldno}.war %{prefix}/share/java/CASA/authtoken/CasaAuthTokenSvc-%{bldno}.war
%{prefix}/share/java/CASA/authtoken/CasaAuthTokenSvc.war %{prefix}/share/java/CASA/authtoken/CasaAuthTokenSvc.war
%{prefix}/share/java/CASA/authtoken/bin/server_keystore_setup.sh %{prefix}/share/java/CASA/authtoken/bin/server_keystore_setup.sh
%{prefix}/share/java/CASA/authtoken/bin/refresh_trusted_ats_keystore.sh
%{prefix}/share/java/CASA/authtoken/bin/CasaBasicATSSetup.sh %{prefix}/share/java/CASA/authtoken/bin/CasaBasicATSSetup.sh
%{prefix}/share/java/CASA/authtoken/bin/CasaAuthPolicyEditor.sh %{prefix}/share/java/CASA/authtoken/bin/CasaAuthPolicyEditor.sh
%{prefix}/share/java/CASA/authtoken/bin/CasaTomcatConnectorEditor.sh %{prefix}/share/java/CASA/authtoken/bin/CasaTomcatConnectorEditor.sh

4
CASA-auth-token/server-java/package/windows/AtsConfigurator/src/Configure.java
View File

@ -48,8 +48,8 @@ public class Configure
{ {
// Other constants // Other constants
final static String SERVER_KEY_STORE_RELATIVE_PATH = "\\etc\\keys\\server\\jks-store"; final static String SERVER_KEY_STORE_RELATIVE_PATH = "\\etc\\keys\\server\\jks-store";
final static String CLIENT_KEY_STORE_RELATIVE_PATH = "\\etc\\keys\\client\\jks-store"; final static String CLIENT_KEY_STORE_RELATIVE_PATH = "\\etc\\keys\\trusted-ats-jks-store";
final static String SIGNING_CERT_RELATIVE_PATH = "\\etc\\keys\\casaatsdSigningCert"; final static String SIGNING_CERT_RELATIVE_PATH = "\\etc\\keys\\localSigningCert";
// Configured properties // Configured properties
Properties m_properties; Properties m_properties;

29
CASA-auth-token/yast2-casa-ats/src/CasaAts.ycp
View File

@ -57,6 +57,7 @@ string authPolicyFile = "/etc/CASA/authtoken/svc/auth.policy";
string authPolicyEditor = "/usr/share/java/CASA/authtoken/bin/CasaAuthPolicyEditor.sh"; string authPolicyEditor = "/usr/share/java/CASA/authtoken/bin/CasaAuthPolicyEditor.sh";
string iaRealmsFile = "/etc/CASA/authtoken/svc/iaRealms.xml"; string iaRealmsFile = "/etc/CASA/authtoken/svc/iaRealms.xml";
string iaRealmsEditor = "/usr/share/java/CASA/authtoken/bin/CasaIaRealmsEditor.sh"; string iaRealmsEditor = "/usr/share/java/CASA/authtoken/bin/CasaIaRealmsEditor.sh";
string trustedServerCertsFolder = "/etc/CASA/authtoken/keys/trustedATSCerts";
/** /**
* Settings Map * Settings Map
@ -480,6 +481,10 @@ global boolean Write() {
else else
SCR::Execute(.target.bash, "/bin/cp "+trustedServerConfigFile+" "+trustedServerConfigFile+".YaST2save"); SCR::Execute(.target.bash, "/bin/cp "+trustedServerConfigFile+" "+trustedServerConfigFile+".YaST2save");
// Create a fresh folder to hold the Signing Certs of the trusted ATSs
SCR::Execute(.target.bash, "/bin/rm -fr " + trustedServerCertsFolder);
SCR::Execute(.target.bash, "/bin/mkdir " + trustedServerCertsFolder);
// Update the trusted server config // Update the trusted server config
any anyRet = false; any anyRet = false;
list<string> trustedServerList = Settings["CONFIG_CASAATS_TRUSTED"]:[]; list<string> trustedServerList = Settings["CONFIG_CASAATS_TRUSTED"]:[];
@ -487,10 +492,32 @@ global boolean Write() {
if (trustedServerList != []) { if (trustedServerList != []) {
// Merge all of the addresses onto the string // Merge all of the addresses onto the string
trustedServerListString = mergestring(trustedServerList, "\n"); trustedServerListString = mergestring(trustedServerList, "\n");
// Import the Signing Certs from the trusted ATSs
foreach(string trustedATS, trustedServerList, {
if (trustedATS != "")
{
string cmd = sformat("curl -f --capath /etc/ssl/certs -o %1/%2 https://%3:443/CasaAuthTokenSvc/SigningCert", trustedServerCertsFolder, trustedATS, trustedATS);
integer exit = (integer) SCR::Execute(.target.bash, cmd);
if (exit != 0)
{
y2error("SigningCert import from " + trustedATS + "using port 443 failed with Curl error" + tostring(exit) + " trying port 2645");
cmd = sformat("curl -f --capath /etc/ssl/certs -o %1/%2 https://%3:2645/CasaAuthTokenSvc/SigningCert", trustedServerCertsFolder, trustedATS, trustedATS);
exit = (integer) SCR::Execute(.target.bash, cmd);
if (exit != 0)
{
y2error("SigningCert import from " + trustedATS + "using port 2645 failed with Curl error" + tostring(exit));
}
}
}
});
} }
anyRet = SCR::Write(.target.string, trustedServerConfigFile, trustedServerListString); anyRet = SCR::Write(.target.string, trustedServerConfigFile, trustedServerListString);
if (anyRet != true) if (anyRet != true)
y2error("Failed to write to " + trustedServerConfigFile); y2error("Failed to write to " + trustedServerConfigFile);
// Refresh the trusted ATS Keystore
SCR::Execute(.target.bash, "/usr/share/java/CASA/authtoken/bin/refresh_trusted_ats_keystore.sh");
// Write the /etc/sysconfig/casa-ats settings // Write the /etc/sysconfig/casa-ats settings
if(Abort()) return false; if(Abort()) return false;

4
CASA-auth-token/yast2-casa-ats/yast2-casa-ats.spec.in
View File

@ -1,8 +1,8 @@
@HEADER-COMMENT@ @HEADER-COMMENT@
@HEADER@ @HEADER@
Requires: yast2 CASA_auth_token_svc Requires: yast2 CASA_auth_token_svc curl
BuildRequires: perl-XML-Writer update-desktop-files yast2 yast2-devtools yast2-testsuite CASA_auth_token_svc yast2-theme-NLD java-sdk-1.5.0 update-alternatives log4j jakarta-commons-logging pwdutils CASA-devel BuildRequires: perl-XML-Writer update-desktop-files yast2 yast2-devtools yast2-testsuite CASA_auth_token_svc curl yast2-theme-NLD java-sdk-1.5.0 update-alternatives log4j jakarta-commons-logging pwdutils CASA-devel
BuildArchitectures: noarch BuildArchitectures: noarch