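#!/bin/sh
########################################################################
#
# Copyright (C) 2006 Novell, Inc. All Rights Reserved.
#
# This library is free software; you can redistribute it and/or
# modify it under the terms of the GNU Lesser General Public
# License as published by the Free Software Foundation; version 2.1
# of the License.
#
# This library is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
# Library Lesser General Public License for more details.
#
# You should have received a copy of the GNU Lesser General Public
# License along with this library; if not, Novell, Inc.
#
# To contact Novell about this file by physical or electronic mail,
# you may find current contact information at www.novell.com.
#
# Author: Juan Carlos Luciani
#
########################################################################

########################################################################
#
# CASA ATS Keystore Setup Script.
#
# An ATS signs tokens and communicates with clients over SSL.  This
# script sets up the key-pairs and certificates the ATS needs for both
# functions, in a single Java keystore (jks-store):
#
#   signingKey  - key used to sign tokens.  Its self-signed certificate
#                 is exported to casaatsdSigningCert so that consumers
#                 on the local box can verify tokens.
#   tomcat      - RSA key used by Tomcat for SSL.
#
# Self-signed certificates are sufficient here because the consumers
# are entities on the local box.
#
# Requirements: JAVA_HOME must be provided by the envvars file that is
# sourced below, and /etc/CASA/authtoken/keys/server must exist.
#
# Idempotence: if jks-store already exists, the script only re-asserts
# its ownership and permissions.  If generation fails part-way, the
# partial keystore (and its exported certificate) is removed so that a
# re-run regenerates it instead of reporting "already setup".
#
# NOTE(review): the keystore/key password "secret" is hard-coded and is
# handed to keytool on the command line, so it is visible in `ps` while
# keytool runs and is identical on every installation.  It presumably
# has to match the password the service and Tomcat use when they open
# jks-store, so it must be rotated there and here together -- do not
# change it in this script alone.
#
########################################################################

KEYS_DIR=/etc/CASA/authtoken/keys
KEYSTORE=$KEYS_DIR/server/jks-store
SIGNING_CERT=$KEYS_DIR/casaatsdSigningCert
SVC_USER=casaatsd
SVC_GROUP=casaauth
STORE_PASS=secret   # see NOTE(review) in the header
CERT_DAYS=3600      # certificate validity in days (~10 years)

# Print an error to stderr and exit non-zero.
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

# Source our environment variables file (expected to set JAVA_HOME).
. /etc/CASA/authtoken/svc/envvars

# Do not do anything if the server keystore has already been created,
# other than making sure only the service can read it.
if [ -f "$KEYSTORE" ]; then
  echo "The server keystore is already setup"
  chown "$SVC_USER:$SVC_GROUP" "$KEYSTORE" || die "chown failed on $KEYSTORE"
  chmod 600 "$KEYSTORE" || die "chmod failed on $KEYSTORE"
  exit 0
fi

echo "Setting up the server's keystore"

# Fail early with a clear message instead of letting /bin/keytool fail.
[ -n "${JAVA_HOME:-}" ] || die "JAVA_HOME is not set (check /etc/CASA/authtoken/svc/envvars)"
KEYTOOL_PATH=$JAVA_HOME/bin/keytool
[ -x "$KEYTOOL_PATH" ] || die "keytool not found or not executable: $KEYTOOL_PATH"

host=$(hostname -f) || die "hostname -f failed"
[ -n "$host" ] || die "could not determine the fully qualified host name"

# From here on, any failure removes the half-built keystore and the
# exported certificate so the next run does not see a partial keystore
# and wrongly report "already setup".  The trap is cleared on success.
cleanup() {
  rm -f -- "$KEYSTORE" "$SIGNING_CERT"
}
trap cleanup EXIT

# Create the server keystore with the key that will be used for signing
# tokens.  The keystore file is created under umask 077 so the private
# key is never world-readable, not even in the window before the chmod
# at the end of the script.  Later keytool operations rewrite the
# existing file and are expected to keep its mode; the explicit chmod
# below is the guarantee either way.
# No -keyalg is given for the signing key, so keytool's default
# algorithm is used; kept as-is because local consumers may rely on it.
(umask 077 && "$KEYTOOL_PATH" -genkey -alias signingKey \
    -keystore "$KEYSTORE" -dname "cn=casaatsd@$host" \
    -validity "$CERT_DAYS" -keypass "$STORE_PASS" -storepass "$STORE_PASS") \
  || die "failed to generate the token signing key"

# Export the self-signed certificate for the signing key.  The
# certificate is public and is written under the default umask so local
# consumers can read it.
"$KEYTOOL_PATH" -export -keystore "$KEYSTORE" -alias signingKey \
    -storepass "$STORE_PASS" -keypass "$STORE_PASS" -file "$SIGNING_CERT" \
  || die "failed to export the signing certificate"

# Create the RSA key Tomcat uses for SSL communications.
"$KEYTOOL_PATH" -genkey -alias tomcat -keyalg RSA -keystore "$KEYSTORE" \
    -dname "cn=$host" -validity "$CERT_DAYS" \
    -keypass "$STORE_PASS" -storepass "$STORE_PASS" \
  || die "failed to generate the Tomcat SSL key"

# Debug helpers, disabled: print the exported cert / list the keystore.
#"$KEYTOOL_PATH" -printcert -file "$SIGNING_CERT"
#"$KEYTOOL_PATH" -list -rfc -keystore "$KEYSTORE" -storepass "$STORE_PASS"

# Make sure that the keystore is only accessible by the service.
chown "$SVC_USER:$SVC_GROUP" "$KEYSTORE" || die "chown failed on $KEYSTORE"
chmod 600 "$KEYSTORE" || die "chmod failed on $KEYSTORE"

# Success: keep what we built.
trap - EXIT
exit 0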