1#!/bin/bash
2#
3# Script to update/create a Java key store and add certificates via MyProxy
4# provisioning
5#
6# $ update_trust_roots --config-file=./update_trust_roots
7#
# A configuration file is required. Note that it is *sourced* (executed as
# shell code in this script), so it must come from a trusted location that
# only the invoking user can write. It has the form:
9#
10# # List of MyProxy servers - quote the list
11# myproxy_servers="myproxy.somewhere.ac.uk myproxy.somewhere-else.ac.uk"
12#
13# # file path for Java Key store to be created/updated
14# keystore="./keystore"
15#
# # Java Key store password (stored here in clear text; leave the setting
# # out to be prompted for it on the terminal instead)
# keystore_passwd=123456
18#
19# @author P J Kershaw 03/02/2010
20#
21# @copyright: (C) 2010 STFC
22#
23# @license: BSD
24#
25# $Id:$
26
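usage="Usage: $(basename "$0") [-h|--help] [-c|--config-file filename]"

# Parse the command line with GNU getopt.  -c/--config-file takes an optional
# *attached* argument (e.g. --config-file=./update_trust_roots, as in the
# header); a detached "-c file" leaves "file" as a positional argument.
cmdline_opt=$(getopt -o hc:: --long help,config-file:: -n "$0" -- "$@")
# Check getopt's status immediately.  The original tested $? only after the
# usage= assignment, so a malformed option line was never rejected here.
if [ $? -ne 0 ]; then
    echo "$usage" >&2
    exit 1
fi

# Note the quotes around "$cmdline_opt": they are essential so that eval
# re-splits getopt's canonicalised output into positional parameters.
eval set -- "$cmdline_opt"

while true; do
    case "$1" in
        -h|--help) echo "$usage"; exit 0 ;;
        -c|--config-file) config_filepath=$2; shift 2 ;;
        --) shift; break ;;
        *) echo "Internal error!" >&2; exit 1 ;;
    esac
done

# The config file path is mandatory; everything else is read from it.
if [ -z "$config_filepath" ]; then
    echo "Missing config file path setting." >&2
    echo "$usage" >&2
    exit 1
fi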
52
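# Read config file settings.  The file is *sourced*, i.e. executed as shell in
# this process, so it must come from a trusted, user-owned location.  A bare
# name with no slash would make `.` search $PATH first; anchor it to the
# current directory so only the file the user named is ever executed.
case "$config_filepath" in
    */*) ;;
    *)   config_filepath="./$config_filepath" ;;
esac
if [ ! -r "$config_filepath" ]; then
    echo "Config file '$config_filepath' is not readable." >&2
    exit 1
fi
. "$config_filepath"

# Fetch/refresh trust roots from each configured MyProxy server.  Whatever CA
# certificates a server hands out end up trusted by the keystore below, so
# only servers the operator trusts belong in myproxy_servers.  A failed
# retrieval is reported but does not stop the remaining servers being tried.
# $myproxy_servers is deliberately unquoted: it is a space-separated list.
for server in $myproxy_servers; do
    echo "Retrieving trust roots from $server ..."
    if ! myproxy-get-trustroots -s "$server"; then
        echo "Warning: failed to retrieve trust roots from $server" >&2
    fi
done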
59
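# The keystore path must come from the config file.
if [ -z "$keystore" ]; then
    echo "Missing 'keystore' setting from config file." >&2
    echo "$usage" >&2
    exit 1
fi

# Keystore password: taken from the config file if set there, otherwise
# prompted for on the terminal with echo off (-s) and a 60 s timeout.
# -r keeps any backslashes in the password literal.
if [ -z "$keystore_passwd" ]; then
    read -r -t 60 -s -p "Keystore password: " keystore_passwd
    echo
fi

if [ -z "$keystore_passwd" ]; then
    echo "No keystore password set: exiting ..." >&2
    exit 1
elif [ "${#keystore_passwd}" -lt 6 ]; then
    # keytool rejects store passwords shorter than six characters.  The
    # original message said "longer than 6", which contradicted the check.
    echo "keystore password must be at least 6 characters." >&2
    exit 1
fi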
82
83
# Choose the trust-root directory that myproxy-get-trustroots populates:
# the system-wide one when running as root, the per-user one otherwise.
username=$(whoami)
case "$username" in
    root) trust_roots_dir=/etc/grid-security/certificates ;;
    *)    trust_roots_dir="${HOME}/.globus/certificates" ;;
esac
92
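# Import every hash-named CA certificate (<hash>.0) from the trust-root
# directory into the Java keystore, replacing any existing entry that uses
# the same alias.  -noprompt means each one is trusted without confirmation,
# so the trust decision is really made when choosing myproxy_servers above.
#
# DER conversions go into a private temporary directory: the original used an
# unset $tmp_dir, so <hash>.der files were written into the current directory.
tmp_dir=$(mktemp -d) || { echo "Cannot create temporary directory." >&2; exit 1; }
trap 'rm -rf -- "$tmp_dir"' EXIT

# Hand the store password to keytool through the environment instead of argv,
# where it would be readable by every user on the host via `ps`.
# (-storepass:env needs a JDK 6 or later keytool.)
export KEYSTORE_PASSWD="$keystore_passwd"

# NUL-delimited find output copes with any characters in the path.
while IFS= read -r -d '' cert_file; do
    cert_hash=$(basename "$cert_file")
    cert_hash=${cert_hash%%.*}
    der_file="$tmp_dir/$cert_hash.der"

    # Convert to DER for ingest; report and skip anything openssl rejects
    # rather than importing a truncated or empty blob.
    if ! openssl x509 -inform pem -in "$cert_file" -outform der -out "$der_file"; then
        echo "Warning: skipping $cert_file (not a valid PEM certificate)" >&2
        continue
    fi

    # Drop a stale entry under this alias.  A missing alias is not an error,
    # so keytool's complaint is silenced (the original only silenced stdout).
    if [ -f "$keystore" ]; then
        keytool -delete -alias "$cert_hash" -keystore "$keystore" \
            -storepass:env KEYSTORE_PASSWD >/dev/null 2>&1
    fi

    keytool -import -alias "$cert_hash" -file "$der_file" -keystore "$keystore" \
        -storepass:env KEYSTORE_PASSWD -noprompt \
        || echo "Warning: failed to import $cert_file into $keystore" >&2
    rm -f -- "$der_file"
done < <(find "$trust_roots_dir" -name "*.0" -print0)

unset KEYSTORE_PASSWD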