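#!/bin/sh
########################################################################
#
# Copyright (C) 2006 Novell, Inc. All Rights Reserved.
#
# This library is free software; you can redistribute it and/or
# modify it under the terms of the GNU Lesser General Public
# License as published by the Free Software Foundation; version 2.1
# of the License.
#
# This library is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
# Library Lesser General Public License for more details.
#
# You should have received a copy of the GNU Lesser General Public
# License along with this library; if not, Novell, Inc.
#
# To contact Novell about this file by physical or electronic mail,
# you may find current contact information at www.novell.com.
#
# Author: Juan Carlos Luciani
#
########################################################################

########################################################################
#
# CASA ATS Keystore Setup Script.
#
# An ATS signs tokens and communicates with clients over
# SSL. This script sets up the necessary key-pairs and
# certificates for the ATS to perform these functions.
#
# For token signing purposes, this script creates a self
# signed certificate that it then exports. At this time it
# is sufficient to utilize self signed certificates because
# they are meant to be consumed by entities of the local
# box.
#
# Environment: JAVA_HOME (read; expected from the envvars file).
# Exit status: 0 on success, 1 if a required tool or step fails.
#
########################################################################

# Print a diagnostic on stderr and abort the script.
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

# Source our environment variables file (provides JAVA_HOME)
. /etc/CASA/authtoken/svc/envvars || die "Unable to source /etc/CASA/authtoken/svc/envvars"

# Without JAVA_HOME the keytool path below would silently degrade to
# /bin/keytool, so fail early with a clear message instead.
: "${JAVA_HOME:?JAVA_HOME must be set (expected from /etc/CASA/authtoken/svc/envvars)}"

KEYTOOL_PATH="$JAVA_HOME/bin/keytool"
KEYSTORE_PATH=/etc/CASA/authtoken/keys/server/jks-store
TRUSTED_ATS_KEYSTORE_PATH=/etc/CASA/authtoken/keys/trusted-ats-jks-store
LOCAL_ATS_SIGNING_CERT_PATH=/etc/CASA/authtoken/keys/localSigningCert

# NOTE(review): the keystore and key password is fixed to "secret" and is
# handed to keytool on its command line, where it is visible in the process
# table for the duration of each keytool run. The value is left unchanged
# because other CASA components are presumably configured with the same
# password -- confirm that before changing it.
STORE_PASS=secret
KEY_PASS=secret

[ -x "$KEYTOOL_PATH" ] || die "keytool not found or not executable at $KEYTOOL_PATH"

# Perform the operation requested

# Do not do anything if the server keystore has already been created
if [ -f "$KEYSTORE_PATH" ]; then
  echo "The server keystore is already setup"

  # Make sure that the keystore file is owned by, and only accessible to,
  # our service (same end state as a fresh setup below)
  chown casaatsd:casaauth "$KEYSTORE_PATH" || die "Unable to set ownership of $KEYSTORE_PATH"
  chmod 600 "$KEYSTORE_PATH" || die "Unable to set permissions on $KEYSTORE_PATH"
else
  echo "Setting up the server's keystore"

  # The host name ends up in the certificate subjects; an empty value
  # would produce a malformed "cn=casaatsd@" DN, so abort instead.
  host=$(hostname -f) || die "Unable to determine the fully qualified host name"
  [ -n "$host" ] || die "hostname -f returned an empty host name"

  # Create the server keystore with the key that will be used for signing
  # tokens. Run under a restrictive umask (in a subshell so it does not
  # affect the public cert and trusted store created later) so the private
  # key material never exists on disk in a group/world-readable state
  # before the chmod at the end of this branch.
  (
    umask 077
    "$KEYTOOL_PATH" -genkey -alias signingKey -keystore "$KEYSTORE_PATH" \
      -dname "cn=casaatsd@$host" -validity 3600 \
      -keypass "$KEY_PASS" -storepass "$STORE_PASS"
  ) || die "Failed to create the token signing key in $KEYSTORE_PATH"

  # Export self-signed certificate for the signing key
  "$KEYTOOL_PATH" -export -keystore "$KEYSTORE_PATH" -alias signingKey \
    -storepass "$STORE_PASS" -keypass "$KEY_PASS" \
    -file "$LOCAL_ATS_SIGNING_CERT_PATH" \
    || die "Failed to export the signing certificate to $LOCAL_ATS_SIGNING_CERT_PATH"

  # Print the exported cert
  #"$KEYTOOL_PATH" -printcert -file "$LOCAL_ATS_SIGNING_CERT_PATH"

  # Import the signing certificate into the trusted ATS keystore
  "$KEYTOOL_PATH" -import -noprompt -keystore "$TRUSTED_ATS_KEYSTORE_PATH" \
    -alias local_signingCert -storepass "$STORE_PASS" -keypass "$KEY_PASS" \
    -file "$LOCAL_ATS_SIGNING_CERT_PATH" \
    || die "Failed to import the signing certificate into $TRUSTED_ATS_KEYSTORE_PATH"

  # Create a key for Tomcat to do SSL communications
  "$KEYTOOL_PATH" -genkey -alias tomcat -keyalg RSA -keystore "$KEYSTORE_PATH" \
    -dname "cn=$host" -validity 3600 \
    -keypass "$KEY_PASS" -storepass "$STORE_PASS" \
    || die "Failed to create the Tomcat SSL key in $KEYSTORE_PATH"

  # List the contents of the server's keystore
  #"$KEYTOOL_PATH" -list -rfc -keystore "$KEYSTORE_PATH" -storepass "$STORE_PASS"

  # Make sure that the server keystore is only accessible by the service
  chown casaatsd:casaauth "$KEYSTORE_PATH" || die "Unable to set ownership of $KEYSTORE_PATH"
  chmod 600 "$KEYSTORE_PATH" || die "Unable to set permissions on $KEYSTORE_PATH"
fi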