From 2d287fdf100b518b382e3008da6d5f572fd71da0 Mon Sep 17 00:00:00 2001
From: Piotr Marcinkiewicz <piotr.marcinkiewicz@nokia.com>
Date: Thu, 20 May 2021 09:05:16 +0200
Subject: [PATCH] [OOM-CERT-SERVICE] Configure EJBCA to handle Key Update
 Request

Change RA response protection from pbe to signature, set HMAC
and End entity certificate authentication in order to enable
Key Update Request in EJBCA. Set default CA, which will sign
Confirmation Response message.

Issue-ID: OOM-2753
Signed-off-by: Piotr Marcinkiewicz <piotr.marcinkiewicz@nokia.com>
Change-Id: I1ab13b0a55711291a8c2a1448ae3497747348d67
---
 compose-resources/ejbca-configuration.sh | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/compose-resources/ejbca-configuration.sh b/compose-resources/ejbca-configuration.sh
index 3eb146db..8e6bd038 100755
--- a/compose-resources/ejbca-configuration.sh
+++ b/compose-resources/ejbca-configuration.sh
@@ -4,12 +4,16 @@ configureEjbca() {
     ejbca.sh config cmp addalias --alias cmpRA
     ejbca.sh config cmp updatealias --alias cmpRA --key operationmode --value ra
     ejbca.sh ca editca --caname ManagementCA --field cmpRaAuthSecret --value mypassword
-    ejbca.sh config cmp updatealias --alias cmpRA --key responseprotection --value pbe
+    ejbca.sh config cmp updatealias --alias cmpRA --key responseprotection --value signature
+    ejbca.sh config cmp updatealias --alias cmpRA --key authenticationmodule --value 'HMAC;EndEntityCertificate'
+    ejbca.sh config cmp updatealias --alias cmpRA --key allowautomatickeyupdate --value true
     ejbca.sh ca importprofiles -d /opt/primekey/custom_profiles
     #Profile name taken from certprofile filename (certprofile_<profile-name>-<id>.xml)
     ejbca.sh config cmp updatealias --alias cmpRA --key ra.certificateprofile --value CUSTOM_ENDUSER
     #ID taken from entityprofile filename (entityprofile_<profile-name>-<id>.xml)
     ejbca.sh config cmp updatealias --alias cmpRA --key ra.endentityprofileid --value 1356531849
+    caSubject=$(ejbca.sh ca getcacert --caname ManagementCA -f /dev/stdout | grep 'Subject' | sed -e "s/^Subject: //" | sed -n '1p')
+    ejbca.sh config cmp updatealias --alias cmpRA --key defaultca --value "$caSubject"
     ejbca.sh config cmp dumpalias --alias cmpRA
     ejbca.sh config cmp addalias --alias cmp
     ejbca.sh config cmp updatealias --alias cmp --key allowautomatickeyupdate --value true
-- 
2.16.6