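#!/bin/sh
#
# Bootstrap the NSS certificate/key databases for a Fedora Directory Server
# instance and its Admin Server, then enable SSL in the directory server.
#
# Usage: setup-ssl.sh password [secdir] [hostname] [ldapport]
#   $1 - Directory Manager password (required).  It is handed to ldapmodify
#        through a private temporary file, not on ldapmodify's command line.
#   $2 - NSS security directory of the DS instance
#        (default: /etc/fedora-ds/slapd-localhost).
#   $3 - FQDN used as the CN of the server certificates (default: hostname --fqdn).
#   $4 - LDAP port of the instance (default: 389).
#
# Files created under secdir: pwdfile.txt, noise.txt, pin.txt, password.conf,
# cert8.db/key3.db (plus admin-serv-*.db), cacert.asc, cacert.p12,
# adminserver.p12.  The numbered comments follow the Fedora DS SSL setup
# procedure this script automates.
#
# ../admin-serv/config/nss.conf is resolved relative to the current working
# directory, which is expected to be the instance's secdir.
#
# Every step builds on the previous one, so any failing command aborts the
# run rather than leaving a half-initialised key database behind.
set -e

if [ -n "$1" ] ; then
  password=$1
else
  echo "password required" >&2
  exit 1
fi

if [ -n "$2" ] && [ -d "$2" ] ; then
  secdir=$2
else
  if [ -n "$2" ] ; then
    echo "warning: $2 is not a directory, using the default secdir" >&2
  fi
  secdir=/etc/fedora-ds/slapd-localhost
fi
# Absolute path: it is written into nss.conf, where a relative path would be
# resolved from the admin server's own working directory.
secdir=$(cd "$secdir" && pwd) || exit 1

if [ -n "$3" ] ; then
  myhost=$3
else
  myhost=$(hostname --fqdn)
fi

if [ -n "$4" ] ; then
  ldapport=$4
else
  ldapport=389
fi

# Only root can chown the generated files to the instance owner; for any
# other user the files simply stay owned by whoever runs the script.
isroot=
if [ "$(id -u)" = 0 ] ; then
  isroot=1
fi

# Give the named files the instance owner (root only) and a fixed mode.
# Reads: isroot, uid, gid.  $1 is the octal mode, the rest are files.
set_owner_mode() {
  _mode=$1
  shift
  if [ -n "$isroot" ] ; then
    chown "$uid:$gid" "$@"
  fi
  chmod "$_mode" "$@"
}

# Print 40 hex characters derived from kernel randomness.  The original
# hashed a ps/w snapshot, which any local user can reproduce and which is
# not a real secret source; it is kept only as a fallback when /dev/urandom
# is unavailable.
random_hex() {
  if [ -r /dev/urandom ] ; then
    dd if=/dev/urandom bs=64 count=1 2> /dev/null
  else
    ps -ef ; w ; date
  fi | sha1sum | awk '{print $1}'
}

needCA=
needServerCert=
needASCert=
prefix=
prefixarg=

# see if there are already certs and keys
if [ -f "$secdir/cert8.db" ] ; then
  # look for CA cert
  if certutil -L -d "$secdir" -n "CA certificate" 2> /dev/null ; then
    echo "Using existing CA certificate"
  else
    echo "No CA certificate found - will create new one"
    needCA=1
  fi

  # look for server cert
  if certutil -L -d "$secdir" -n "Server-Cert" 2> /dev/null ; then
    echo "Using existing directory Server-Cert"
  else
    echo "No Server Cert found - will create new one"
    needServerCert=1
  fi

  # look for admin server cert
  if certutil -L -d "$secdir" -n "server-cert" 2> /dev/null ; then
    echo "Using existing admin server-cert"
  else
    echo "No Admin Server Cert found - will create new one"
    needASCert=1
  fi

  # An existing database is never modified in place: the new databases are
  # built under the "new-" prefix and swapped in at the end, keeping the
  # originals as orig-*.db.  prefix contains no whitespace, so $prefixarg is
  # deliberately left unquoted below to expand to the two words "-P new-"
  # (or to nothing).
  prefix="new-"
  prefixarg="-P $prefix"
else
  needCA=1
  needServerCert=1
  needASCert=1
fi

if [ -z "$needCA" ] && [ -z "$needServerCert" ] && [ -z "$needASCert" ] ; then
  echo "No certs needed - exiting"
  exit 0
fi

# get our user and group: files created while running as root must belong
# to the owner of the security directory, i.e. the instance user.
uid=
gid=
if [ -n "$isroot" ] ; then
  uid=$(stat -c %U -- "$secdir")
  gid=$(stat -c %G -- "$secdir")
fi

# 2. Create a password file for your security token password:
if [ -f "$secdir/pwdfile.txt" ] ; then
  echo "Using existing $secdir/pwdfile.txt"
else
  # umask inside a subshell so the secret is never readable by others, even
  # for the instant between creation and the chmod that follows.
  (umask 077 ; random_hex > "$secdir/pwdfile.txt")
  set_owner_mode 400 "$secdir/pwdfile.txt"
fi

# 3. Create a "noise" file for your encryption mechanism:
if [ -f "$secdir/noise.txt" ] ; then
  echo "Using existing $secdir/noise.txt file"
else
  (umask 077 ; random_hex > "$secdir/noise.txt")
  set_owner_mode 400 "$secdir/noise.txt"
fi

# 4. Create the key3.db and cert8.db databases:
# shellcheck disable=SC2086
certutil -N $prefixarg -d "$secdir" -f "$secdir/pwdfile.txt"
set_owner_mode 600 "$secdir/${prefix}key3.db" "$secdir/${prefix}cert8.db"

if [ -n "$needCA" ] ; then
  # 5. Generate the encryption key:
  # shellcheck disable=SC2086
  certutil -G $prefixarg -d "$secdir" -z "$secdir/noise.txt" -f "$secdir/pwdfile.txt"
  # 6. Generate the self-signed certificate:
  # shellcheck disable=SC2086
  certutil -S $prefixarg -n "CA certificate" -s "cn=CAcert" -x -t "CT,," -m 1000 -v 120 -d "$secdir" -z "$secdir/noise.txt" -f "$secdir/pwdfile.txt"
  # export the CA cert for use with other apps
  # shellcheck disable=SC2086
  certutil -L $prefixarg -d "$secdir" -n "CA certificate" -a > "$secdir/cacert.asc"
  # shellcheck disable=SC2086
  pk12util -d "$secdir" $prefixarg -o "$secdir/cacert.p12" -n "CA certificate" -w "$secdir/pwdfile.txt" -k "$secdir/pwdfile.txt"
  # The PKCS#12 bundle carries the CA private key; protect it like
  # adminserver.p12 below instead of leaving it at the default umask.
  set_owner_mode 400 "$secdir/cacert.p12"
fi

if [ -n "$needServerCert" ] ; then
  # 7. Generate the server certificate:
  # shellcheck disable=SC2086
  certutil -S $prefixarg -n "Server-Cert" -s "cn=$myhost,ou=Fedora Directory Server" -c "CA certificate" -t "u,u,u" -m 1001 -v 120 -d "$secdir" -z "$secdir/noise.txt" -f "$secdir/pwdfile.txt"
fi

if [ -n "$needASCert" ] ; then
  # Generate the admin server certificate
  # shellcheck disable=SC2086
  certutil -S $prefixarg -n "server-cert" -s "cn=$myhost,ou=Fedora Administration Server" -c "CA certificate" -t "u,u,u" -m 1002 -v 120 -d "$secdir" -z "$secdir/noise.txt" -f "$secdir/pwdfile.txt"

  # export the admin server certificate/private key for import into its key/cert db
  # shellcheck disable=SC2086
  pk12util -d "$secdir" $prefixarg -o "$secdir/adminserver.p12" -n server-cert -w "$secdir/pwdfile.txt" -k "$secdir/pwdfile.txt"
  set_owner_mode 400 "$secdir/adminserver.p12"
fi

# create the pin file
pinfile=$secdir/pin.txt
if [ ! -f "$pinfile" ] ; then
  (umask 077 ; printf 'Internal (Software) Token:%s\n' "$(cat "$secdir/pwdfile.txt")" > "$pinfile")
  set_owner_mode 400 "$pinfile"
else
  echo "Using existing $pinfile"
fi

if [ -n "$prefix" ] ; then
  # move the old files out of the way
  mv "$secdir/cert8.db" "$secdir/orig-cert8.db"
  mv "$secdir/key3.db" "$secdir/orig-key3.db"
  # move in the new files - will be used after server restart
  mv "$secdir/${prefix}cert8.db" "$secdir/cert8.db"
  mv "$secdir/${prefix}key3.db" "$secdir/key3.db"
fi

# create the admin server key/cert db
asprefix=admin-serv-
# Check under secdir, where certutil -N actually creates the database; the
# test used to look in the current directory and so could re-run -N.
if [ ! -f "$secdir/${asprefix}cert8.db" ] ; then
  certutil -N -d "$secdir" -P "$asprefix" -f "$secdir/pwdfile.txt"
  set_owner_mode 600 "$secdir"/admin-serv-*.db
fi

if [ -n "$needASCert" ] ; then
  # import the admin server key/cert
  pk12util -d "$secdir" -P "$asprefix" -n server-cert -i "$secdir/adminserver.p12" -w "$secdir/pwdfile.txt" -k "$secdir/pwdfile.txt"

  # import the CA cert to the admin server cert db
  certutil -A -d "$secdir" -P "$asprefix" -n "CA certificate" -t "CT,," -a -i "$secdir/cacert.asc"
fi

if [ ! -f "$secdir/password.conf" ] ; then
  # create the admin server password file
  (umask 077 ; printf 'internal:%s\n' "$(cat "$secdir/pwdfile.txt")" > "$secdir/password.conf")
  set_owner_mode 400 "$secdir/password.conf"
fi

# tell admin server to use the password file
nssconf=../admin-serv/config/nss.conf
if [ -f "$nssconf" ] ; then
  # Edit through a temp file created next to the target rather than a fixed
  # name in /tmp, which another local user could pre-create or symlink while
  # this runs as root.  The dialog is pointed at the password.conf written
  # above.  NOTE: a secdir containing '@', '&' or '\' would break the sed
  # replacement, exactly as `pwd` could before.
  tmpconf=$(mktemp "$nssconf.XXXXXX")
  if sed -e "s@^NSSPassPhraseDialog .*@NSSPassPhraseDialog file:$secdir/password.conf@" "$nssconf" > "$tmpconf" ; then
    mv "$tmpconf" "$nssconf"
  else
    rm -f "$tmpconf"
    exit 1
  fi
  set_owner_mode 400 "$nssconf"
fi

# enable SSL in the directory server
#
# The Directory Manager password is passed with -y from a private temp file
# (mktemp creates it mode 0600) instead of -w on the command line, where any
# local user could read it from the process list while ldapmodify runs.
# -y uses the file's complete contents, so it is written without a newline.
ldappw=$(mktemp)
trap 'rm -f "$ldappw"' EXIT
printf '%s' "$password" > "$ldappw"

# The LDIF below is the historical configuration this script targets: it
# turns on SSLv3, enables export/RC4/MD5 cipher suites and disables
# hostname checking.  Review these settings against current server
# support before reusing them.
ldapmodify -x -h localhost -p "$ldapport" -D "cn=Directory Manager" -y "$ldappw" <<'EOF'
dn: cn=encryption,cn=config
changetype: modify
replace: nsSSL3
nsSSL3: on
-
replace: nsSSLClientAuth
nsSSLClientAuth: allowed
-
add: nsSSL3Ciphers
nsSSL3Ciphers: -rsa_null_md5,+rsa_rc4_128_md5,+rsa_rc4_40_md5,+rsa_rc2_40_md5,
 +rsa_des_sha,+rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des_sha,+fortezza,
 +fortezza_rc4_128_sha,+fortezza_null,+tls_rsa_export1024_with_rc4_56_sha,
 +tls_rsa_export1024_with_des_cbc_sha

dn: cn=config
changetype: modify
add: nsslapd-security
nsslapd-security: on
-
replace: nsslapd-ssl-check-hostname
nsslapd-ssl-check-hostname: off

dn: cn=RSA,cn=encryption,cn=config
changetype: add
objectclass: top
objectclass: nsEncryptionModule
cn: RSA
nsSSLPersonalitySSL: Server-Cert
nsSSLToken: internal (software)
nsSSLActivation: on

EOF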