Skip to content
This repository has been archived by the owner on Dec 7, 2022. It is now read-only.
Permalink
pulp-2.8.2-1
Switch branches/tags

Name already in use

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?
Go to file
 
 
Cannot retrieve contributors at this time
executable file 284 lines (241 sloc) 6.21 KB
#!/bin/bash
# Copyright (c) 2012 Red Hat, Inc.
#
# This software is licensed to you under the GNU General Public License,
# version 2 (GPLv2). There is NO WARRANTY for this software, express or
# implied, including the implied warranties of MERCHANTABILITY or FITNESS
# FOR A PARTICULAR PURPOSE. You should have received a copy of GPLv2
# along with this software; if not, see
# http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt.
#
# Red Hat trademarks are not licensed under GPLv2. No permission is
# granted to use or replicate Red Hat trademarks that are incorporated
# in this software or its documentation.
#
DIR="/tmp/tmp$RANDOM"
HOST=`hostname -f`
if [ -z "$HOST" ]
then
HOST=`hostname`
fi
PWDFILE="password"
SEEDFILE="seed"
INST_DIR='/etc/pki/pulp/qpid'
DB_PASSWORD=$RANDOM
VALID="12"
CA_PATH=""
CA_KEY_PATH=""
echo ""
echo "Working in: $DIR"
echo ""
#
# ========== SETUP ============
#
# prompt user for install directory
echo ""
echo "Please specify a directory into which the created NSS database
and associated certificates will be installed."
echo ""
read -p "Enter a directory [$INST_DIR]:" ans
if [ "${#ans}" -gt 0 ]
then
INST_DIR=`readlink -f "$ans"`
fi
echo $INST_DIR
# prompt user for the DB password
echo ""
echo "Please enter a password for the NSS database. Generated if not specified."
echo ""
read -sp "Enter a password:" ans
if [ "${#ans}" -gt 0 ]
then
DB_PASSWORD=$ans
fi
echo ""
echo "Using password: [$DB_PASSWORD]"
# prompt user for existing CA.
# may contain both key & certificate
echo ""
echo "Please specify a CA. Generated if not specified."
echo ""
read -p "Enter a path: " ans
if [ "${#ans}" -gt 0 ]
then
CA_PATH=$ans
echo "Using CA: $CA_PATH"
echo ""
echo "Please specify the CA key"
while [ "${#CA_KEY_PATH}" -eq 0 ]; do
read -p "Enter a path: " ans
CA_KEY_PATH=$ans
done
echo "Using CA key: $CA_KEY_PATH"
fi
# prompt user for this server's hostname, defaulting to the local fqdn
echo ""
echo "Please enter the hostname clients will use to connect to the qpid server."
echo "If not specified, '$HOST' will be used."
echo ""
read -p "Enter a hostname:" ans
if [ "${#ans}" -gt 0 ]
then
HOST=$ans
fi
echo ""
echo "Using hostname: [$HOST]"
# create temporary db directory
rm -rf $DIR
mkdir $DIR
cd $DIR
#
# ========== KEY SEED ===========
#
touch $SEEDFILE
i=0
while [ $i -lt 20 ]; do
echo $RANDOM >> $SEEDFILE
i=`expr $i + 1`
done
#
# ========== PASSWORD ===========
#
# create the password file
echo "$DB_PASSWORD" > $PWDFILE
echo ""
echo "Password file created."
#
# ========== DATABASE ============
#
# create the nss db
certutil -N -d . -f $PWDFILE
echo ""
echo "Database created."
#
# =========== CA =================
#
# create/import the CA cert
echo ""
if [ "${#CA_PATH}" -eq 0 ]
then
echo "Creating CA certificate:"
SUBJECT="CN=redhat,O=pulp,ST=Alabama,C=US"
certutil -S -d . -n "ca" -s $SUBJECT -t "TC,," -f $PWDFILE -z $SEEDFILE -x -v $VALID
echo "CA created"
else
openssl pkcs12 -export -in $CA_PATH -inkey $CA_KEY_PATH -out ca.p12 -name "ca" -passout file:$PWDFILE
pk12util -d . -n "ca" -i ca.p12 -w $PWDFILE -k $PWDFILE
certutil -d . -n "ca" -M -t "TCu,Cu,Tuw" -f $PWDFILE
echo "CA certificate: $CA_PATH, imported"
fi
certutil -L -d . -n "ca" -a -o ca.crt -f $PWDFILE
#
# =========== BROKER =============
#
# create broker cert signing request
echo ""
echo "Creating BROKER certificate:"
SUBJECT="CN=$HOST,O=pulp,ST=Alabama,C=US"
certutil -R -d . -s $SUBJECT -a -o broker.req -f $PWDFILE -z $SEEDFILE
# sign the broker cert w/ CA
certutil -C -d . -c "ca" -v $VALID -uV -m1 -a -i broker.req -f $PWDFILE -o broker.crt
# import the broker cert
certutil -A -d . -n "broker" -t ",," -a -i broker.crt
echo "Broker certificate created."
#
# =========== CLIENT =============
#
# create the nss db
mkdir client
certutil -N -d client -f $PWDFILE
# create client cert signing request
echo ""
echo "Creating CLIENT certificate:"
SUBJECT="CN=client,O=pulp,ST=Alabama,C=US"
certutil -R -d client -s $SUBJECT -a -o client.req -f $PWDFILE -z $SEEDFILE
# sign the client cert w/ CA
certutil -C -d . -c "ca" -v $VALID -uC -m2 -a -i client.req -f $PWDFILE -o client.crt
# import the client cert
certutil -A -d client -n "client" -t ",," -a -i client.crt
echo "Client certificate created."
# export client p12 bundle
pk12util -d client -n "client" -o client.p12 -w $PWDFILE -W $DB_PASSWORD -k $PWDFILE -K $DB_PASSWORD
# using openssl, generate a key & cert using the p12.
openssl pkcs12 -in client.p12 -nodes -out client.crt -password file:$PWDFILE
echo "Client key & certificate exported"
#
# =========== INSTALL =============
#
# clean unused artifacts
rm -f *.req
rm -f *.p12
rm -rf client
# create target directory and install files
mkdir -p $INST_DIR
mkdir -p $INST_DIR/nss
cp $DIR/*.crt $INST_DIR
cp $DIR/*.db $INST_DIR/nss
cp $DIR/$PWDFILE $INST_DIR/nss
# update perms
chmod 640 $INST_DIR/*.crt
chgrp apache $INST_DIR/*.crt
chmod 640 $INST_DIR/nss/*
chgrp qpidd $INST_DIR/nss/*
echo ""
echo "Artifacts copied to: $INST_DIR."
echo ""
#
# =========== CLEANUP =============
#
cd /tmp
rm -rf $DIR
#
# =========== POST =============
#
echo "Recommended properties in qpidd.conf:"
echo "
auth=no
# SSL
require-encryption=yes
ssl-require-client-authentication=yes
ssl-cert-db=$INST_DIR/nss
ssl-cert-password-file=$INST_DIR/nss/password
ssl-cert-name=broker
ssl-port=5671
...
"
echo ""
echo "Recommended properties in /etc/pulp/server.conf:"
echo "
...
[messaging]
url: ssl://$HOST:5671
cacert: $INST_DIR/ca.crt
clientcert: $INST_DIR/client.crt
[tasks]
broker_url: qpid://$HOST:5671/
celery_require_ssl: true
cacert: /etc/pki/pulp/qpid/ca.crt
keyfile: /etc/pki/pulp/qpid/client.crt
certfile: /etc/pki/pulp/qpid/client.crt
# login_method:
"
echo ""
echo "Recommended properties in /etc/pulp/consumer/consumer.conf:"
echo "
...
[messaging]
scheme=ssl
port=5671
cacert=$INST_DIR/ca.crt
clientcert=$INST_DIR/client.crt
"
echo "
NOTES:
[1] The location for qpidd.conf depends on the version of Qpid installed.
For 0.24+: /etc/qpid/qpidd.conf.
For all earlier versions: /etc/qpidd.conf.
[2] The $INST_DIR/ca.crt and $INST_DIR/client.crt certificates will
need to be manually copied to each consumer.
[3] The $INST_DIR/ca.crt and $INST_DIR/client.crt certificates will
need to be manually copied to each worker.
"