Skip to content

Commit

Permalink
takserver rm help scripts added
Browse files Browse the repository at this point in the history
  • Loading branch information
Ari Karhunen authored and rambo committed Nov 3, 2023
1 parent cef0850 commit 2139312
Show file tree
Hide file tree
Showing 3 changed files with 74 additions and 2 deletions.
8 changes: 8 additions & 0 deletions scripts/delete_user.sh
Original file line number Diff line number Diff line change
@@ -0,0 +1,8 @@
#!/usr/bin/env -S /bin/bash
set -e
TR=/opt/tak
CONFIG=${TR}/data/CoreConfig.xml

cd ${TR}
. ./setenv.sh
TAKCL_CORECONFIG_PATH="${CONFIG}" java -jar /opt/tak/utils/UserManager.jar certmod -D "/opt/tak/certs/files/${USER_CERT_NAME}.pem"
8 changes: 8 additions & 0 deletions scripts/enable_user.sh
Original file line number Diff line number Diff line change
@@ -0,0 +1,8 @@
#!/usr/bin/env -S /bin/bash
set -e
TR=/opt/tak
CONFIG=${TR}/data/CoreConfig.xml

cd ${TR}
. ./setenv.sh
TAKCL_CORECONFIG_PATH="${CONFIG}" java -jar /opt/tak/utils/UserManager.jar certmod "/opt/tak/certs/files/${USER_CERT_NAME}.pem"
60 changes: 58 additions & 2 deletions scripts/firstrun_rm.sh
Original file line number Diff line number Diff line change
Expand Up @@ -2,6 +2,15 @@
TR=/opt/tak
CR=${TR}/certs

TAK_SERVER_KEY_FILENAME="${TAK_SERVER_KEY_FILENAME:-/le_certs/rasenmaeher/privkey.pem}"
TAK_SERVER_CERT_FILENAME="${TAK_SERVER_CERT_FILENAME:-/le_certs/rasenmaeher/fullchain.pem}"
TAKSERVER_CERT_PASS="${TAKSERVER_CERT_PASS:-takservercertpass}"

RM_CERT_CHAIN_FILENAME="${RM_CERT_CHAIN_FILENAME:-/ca_public/ca_chain.pem}"

# Secret to trusted certs java keystore
CA_PASS="${CA_PASS:-takcacertpw}"

# Symlink the log directory under data dir
if [[ ! -d "${TR}/data/logs" ]];then
mkdir -p "${TR}/data/logs"
Expand All @@ -20,8 +29,55 @@ if [[ ! -L "${TR}/certs" ]];then
ln -f -s "${TR}/data/certs/" "${TR}/certs"
fi

echo "FIXME: Get CA cert from RASENMAEHER (hint: look in /ca_public)"
echo "FIXME: Get LE (or mkcert) cert from KRAFTWERK (hint: look at /le_certs)"
set -x

TAK_SERVER_HOSTNAME="$(cat /pvarki/kraftwerk-init.json | jq -r .product.dns)"


mkdir -p /opt/tak/data/certs/files
pushd /opt/tak/data/certs/files >> /dev/null

# Create takserver.p12 using certificates from RM
openssl pkcs12 -export -out takserver.p12 \
-inkey "${TAK_SERVER_KEY_FILENAME}" \
-in "${TAK_SERVER_CERT_FILENAME}" \
-name "${TAK_SERVER_HOSTNAME}" \
-passout pass:${TAKSERVER_CERT_PASS}

# Create the Java keystore and import takserver.p12
keytool -importkeystore -srcstoretype PKCS12 \
-destkeystore takserver.jks \
-srckeystore takserver.p12 \
-alias "${TAK_SERVER_HOSTNAME}" \
-srcstorepass "${TAKSERVER_CERT_PASS}" \
-deststorepass "${TAKSERVER_CERT_PASS}" \
-destkeypass "${TAKSERVER_CERT_PASS}"

# Crate trust store, all the trusted CA/root certificates are dumped here. Keytool should accept certs either one by one or as a chain. -alias needs to be unique for all imports
ALIAS=$(openssl x509 -noout -subject -in "${RM_CERT_CHAIN_FILENAME}" |md5sum | cut -d" " -f1)
keytool -noprompt -import -trustcacerts \
-file "${RM_CERT_CHAIN_FILENAME}" \
-alias $ALIAS \
-keystore takserver-truststore.jks \
-storepass ${CA_PASS}

if [[ -f "/ca_public/miniwerk_ca.pem" ]];then
ALIAS=$(openssl x509 -noout -subject -in "/ca_public/miniwerk_ca.pem" |md5sum | cut -d" " -f1)
keytool -noprompt -import -trustcacerts \
-file /ca_public/miniwerk_ca.pem \
-alias $ALIAS \
-keystore takserver-truststore.jks \
-storepass ${CA_PASS}
fi

# fed-truststore.jks is needed, copy takserver-truststore.jks
# TODO what are the names of truststores that we actually need???
cp -v /opt/tak/data/certs/files/takserver-truststore.jks /opt/tak/data/certs/files/fed-truststore.jks
cp -v /opt/tak/data/certs/files/takserver-truststore.jks /opt/tak/data/certs/files/truststore-root.jks

popd >> /dev/null




set -e
Expand Down

0 comments on commit 2139312

Please sign in to comment.