X-Git-Url: https://gerrit.onap.org/r/gitweb?a=blobdiff_plain;f=kubernetes%2Fcontrib%2Fcomponents%2Fejbca%2Fresources%2Fejbca-config.sh;h=94c95d6c30a7c60fe28d270162b8f0fd804850ba;hb=85b1492555d765b14864e0d2d59db7a50cdccaf0;hp=ad10240b948b0724865ae188c030b01e3a149dc5;hpb=9a34876ac4f5e2d0d0e4cfe3b46d29233d1c9956;p=oom.git diff --git a/kubernetes/contrib/components/ejbca/resources/ejbca-config.sh b/kubernetes/contrib/components/ejbca/resources/ejbca-config.sh index ad10240b94..94c95d6c30 100755 --- a/kubernetes/contrib/components/ejbca/resources/ejbca-config.sh +++ b/kubernetes/contrib/components/ejbca/resources/ejbca-config.sh @@ -1,4 +1,4 @@ -#!/bin/bash +#!/bin/sh waitForEjbcaToStart() { until $(curl -kI https://localhost:8443/ejbca/publicweb/healthcheck/ejbcahealth --output /dev/null --silent --head --fail) @@ -8,16 +8,31 @@ waitForEjbcaToStart() { } configureEjbca() { + ejbca.sh ca init \ + --caname ManagementCA \ + --dn "O=EJBCA Container Quickstart,CN=ManagementCA,UID=12345" \ + --tokenType soft \ + --keyspec 3072 \ + --keytype RSA \ + -v 3652 \ + --policy null \ + -s SHA256WithRSA \ + -type "x509" ejbca.sh config cmp addalias --alias cmpRA ejbca.sh config cmp updatealias --alias cmpRA --key operationmode --value ra ejbca.sh ca editca --caname ManagementCA --field cmpRaAuthSecret --value ${RA_IAK} - ejbca.sh config cmp updatealias --alias cmpRA --key responseprotection --value pbe + ejbca.sh config cmp updatealias --alias cmpRA --key responseprotection --value signature + ejbca.sh config cmp updatealias --alias cmpRA --key authenticationmodule --value 'HMAC;EndEntityCertificate' + ejbca.sh config cmp updatealias --alias cmpRA --key authenticationparameters --value '-;ManagementCA' + ejbca.sh config cmp updatealias --alias cmpRA --key allowautomatickeyupdate --value true #Custom EJBCA cert profile and endentity are imported to allow issuing certificates with correct extended usage (containing serverAuth) ejbca.sh ca importprofiles -d /opt/primekey/custom_profiles #Profile name taken from certprofile filename (certprofile_-.xml) ejbca.sh config cmp updatealias --alias cmpRA --key ra.certificateprofile --value CUSTOM_ENDUSER #ID taken from entityprofile filename (entityprofile_-.xml) ejbca.sh config cmp updatealias --alias cmpRA --key ra.endentityprofileid --value 1356531849 + caSubject=$(ejbca.sh ca getcacert --caname ManagementCA -f /dev/stdout | grep 'Subject' | sed -e "s/^Subject: //" | sed -n '1p') + ejbca.sh config cmp updatealias --alias cmpRA --key defaultca --value "$caSubject" ejbca.sh config cmp dumpalias --alias cmpRA ejbca.sh config cmp addalias --alias cmp ejbca.sh config cmp updatealias --alias cmp --key allowautomatickeyupdate --value true @@ -27,6 +42,13 @@ configureEjbca() { ejbca.sh config cmp updatealias --alias cmp --key extractusernamecomponent --value CN ejbca.sh config cmp dumpalias --alias cmp ejbca.sh ca getcacert --caname ManagementCA -f /dev/stdout > cacert.pem + #Add "Certificate Update Admin" role to allow performing KUR/CR for certs within specific organization (e.g. Linux-Foundation) + ejbca.sh roles addrole "Certificate Update Admin" + ejbca.sh roles changerule "Certificate Update Admin" /ca/ManagementCA/ ACCEPT + ejbca.sh roles changerule "Certificate Update Admin" /ca_functionality/create_certificate/ ACCEPT + ejbca.sh roles changerule "Certificate Update Admin" /endentityprofilesrules/Custom_EndEntity/ ACCEPT + ejbca.sh roles changerule "Certificate Update Admin" /ra_functionality/edit_end_entity/ ACCEPT + ejbca.sh roles addrolemember "Certificate Update Admin" ManagementCA WITH_ORGANIZATION --value "{{ .Values.cmpv2Config.global.certificate.default.subject.organization }}" }