X-Git-Url: https://gerrit.onap.org/r/gitweb?p=aaf%2Fauthz.git;a=blobdiff_plain;f=conf%2FCA%2Fbootstrap.sh;h=8454a3a9f7a49c11f11f223900e489ec7278f3f2;hp=fba4d6a8465a2230fe803e248b9189d083d27314;hb=HEAD;hpb=c3ca46e074d73b7aca3fb6331203552968119070 diff --git a/conf/CA/bootstrap.sh b/conf/CA/bootstrap.sh index fba4d6a8..8454a3a9 100644 --- a/conf/CA/bootstrap.sh +++ b/conf/CA/bootstrap.sh @@ -1,3 +1,22 @@ +#!/bin/bash +######### +# ============LICENSE_START==================================================== +# org.onap.aaf +# =========================================================================== +# Copyright (c) 2017 AT&T Intellectual Property. All rights reserved. +# =========================================================================== +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# ============LICENSE_END==================================================== # # Streamlined AAF Bootstrap initial Cert # Removed Variables so it can be run for AutoDeployments @@ -9,11 +28,13 @@ chmod 755 certs newcerts touch index.txt echo "unique_subject = no" > index.txt.attr if [ ! -e ./serial ]; then - echo $(date +%s) > ./serial + echo $(date +%s)_$(shuf -i 0-1000000 -n 1) > ./serial fi NAME=aaf.bootstrap -FQDN="${HOSTNAME:=$(hostname -f)}" +HOSTNAME="${HOSTNAME:=$(hostname -)}" +PUBLIC_FQDN="${aaf_locator_public_fqdn:=$HOSTNAME}" +FQDN="${aaf_locator_fqdn:=$PUBLIC_FQDN}" FQI=aaf@aaf.osaaf.org SUBJECT="/CN=$FQDN/OU=$FQI`cat subject.aaf`" SIGNER_P12=$1 @@ -64,8 +85,25 @@ fi # SANS cp san.conf $BOOTSTRAP_SAN +SANS=$FQDN +if [ "$FQDN" -ne "$HOSTNAME" ]; then + SANS="$SANS $HOSTNAME" +fi + +for ROOT in $(cat san_root.aaf); do + SANS="$SANS $ROOT" + for C in service locate oauth token introspect gui cm hello; do + SANS="$SANS $C.$ROOT" + done +done + +for C in service locate oauth token introspect gui cm hello; do + SANS="$SANS aaf-$C" + SANS="$SANS aaf-$C.onap" +done + NUM=1 -for D in $FQDN aaf.osaaf.org service.aaf.osaaf.org locate.aaf.osaaf.org oauth.aaf.osaaf.org gui.aaf.osaaf.org cm.aaf.osaaf.org hello.aaf.osaaf.org; do +for D in $SANS; do echo "DNS.$NUM = $D" >> $BOOTSTRAP_SAN NUM=$((NUM+1)) done @@ -81,7 +119,7 @@ echo Sign it openssl ca -batch -config openssl.conf -extensions server_cert \ -cert $SIGNER_CRT -keyfile $SIGNER_KEY \ -policy policy_loose \ - -days 90 \ + -days 365 \ -passin stdin \ -out $BOOTSTRAP_CRT \ -extfile $BOOTSTRAP_SAN \ @@ -94,8 +132,10 @@ EOF cat $BOOTSTRAP_CRT cp $BOOTSTRAP_CRT $BOOTSTRAP_CHAIN cat $SIGNER_CRT >> $BOOTSTRAP_CHAIN +cat $BOOTSTRAP_CHAIN # Note: Openssl will pickup and load all Certs in the Chain file +#openssl pkcs12 -name $FQI -export -in $BOOTSTRAP_CRT -inkey $BOOTSTRAP_KEY -CAfile $SIGNER_CRT -out $BOOTSTRAP_P12 -passin stdin -passout stdin << EOF openssl pkcs12 -name $FQI -export -in $BOOTSTRAP_CHAIN -inkey $BOOTSTRAP_KEY -out $BOOTSTRAP_P12 -passin stdin -passout stdin << EOF $PASSPHRASE $PASSPHRASE @@ -103,14 +143,15 @@ $PASSPHRASE EOF # Make Issuer name -ISSUER=$(openssl x509 -subject -noout -in $SIGNER_CRT | cut -c 10-) -for I in ${ISSUER//\// }; do - if [ -n "$CADI_X509_ISSUER" ]; then - CADI_X509_ISSUER=", $CADI_X509_ISSUER" +ISSUER=$(openssl x509 -subject -noout -in $SIGNER_CRT | cut -c 9- | sed -e 's/ = /=/g' -e 's/\//, /g') +for I in $ISSUER; do + if [ -z "$REVERSE" ]; then + REVERSE="${I%,}" + else + REVERSE="${I%,}, ${REVERSE}" fi - CADI_X509_ISSUER="$I$CADI_X509_ISSUER" done -echo $CADI_X509_ISSUER > $BOOTSTRAP_ISSUER +echo "$REVERSE" > $BOOTSTRAP_ISSUER # Cleanup -rm -f $BOOTSTRAP_SAN $BOOTSTRAP_KEY $BOOTSTRAP_CSR $BOOTSTRAP_CRT $BOOTSTRAP_CHAIN $SIGNER_KEY $SIGNER_CRT +rm -f $BOOTSTRAP_SAN $BOOTSTRAP_KEY $BOOTSTRAP_CSR $BOOTSTRAP_CRT $SIGNER_KEY $SIGNER_CRT $BOOTSTRAP_CHAIN