3
# Grid Engine CA framework script
6
##########################################################################
8
# The Contents of this file are made available subject to the terms of
9
# the Sun Industry Standards Source License Version 1.2
11
# Sun Microsystems Inc., March, 2001
14
# Sun Industry Standards Source License Version 1.2
15
# =================================================
16
# The contents of this file are subject to the Sun Industry Standards
17
# Source License Version 1.2 (the "License"); You may not use this file
18
# except in compliance with the License. You may obtain a copy of the
19
# License at http://gridengine.sunsource.net/Gridengine_SISSL_license.html
21
# Software provided under this License is provided on an "AS IS" basis,
22
# WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING,
23
# WITHOUT LIMITATION, WARRANTIES THAT THE SOFTWARE IS FREE OF DEFECTS,
24
# MERCHANTABLE, FIT FOR A PARTICULAR PURPOSE, OR NON-INFRINGING.
25
# See the License for the specific provisions governing your rights and
26
# obligations concerning the Software.
28
# The Initial Developer of the Original Code is: Sun Microsystems, Inc.
30
# Copyright: 2001 by Sun Microsystems, Inc.
32
# All Rights Reserved.
34
##########################################################################
39
# Reset PATH to a safe value
41
PATH=/bin:/usr/bin:/usr/sbin:/usr/bsd:/usr/ucb
43
# Easy way to prevent clearing of screen
49
#-------------------------------------------------------------------------
50
# USEFUL LOCAL SHELL PROCEDURES
52
#-------------------------------------------------------------------------
58
$INFOTEXT -e "$fmt" $*
59
$INFOTEXT -log "$fmt" $*
72
#-------------------------------------------------------------------------
73
# ErrUsage: print usage string, exit
82
"\nUsage: %s <command>\n" \
83
" -adminuser <user> set admin user\n" \
84
" -init initialize CA infrastructure\n" \
85
" -req generate a certificate request and private key\n" \
86
" -sign sign a certificate request\n" \
87
" -copy install user certificate and private key\n" \
88
" -verify <cert> verify a <cert>\n" \
89
" -print <cert> print a <cert>\n" \
90
" -printkey <key> print a <key>\n" \
91
" -printcrl <crl> print a <crl>\n" \
92
" -renew <user> extend the certificate of <user>\n" \
93
" -renew_ca extend the CA certificate\n" \
94
" -renew_sys extend the daemon certificate\n" \
95
" -renew_sdm <g> renew certificate of a SDM daemon with\n" \
96
" g=Common Name of the SDM daemon\n" \
97
" -days <days> days of validity of the certificate\n" \
98
" -sha1 use sha-1 instead of md5 as message digest\n" \
99
" -encryptkey use des to encrypt the generated key with a passphrase\n" \
100
" -outdir <dir> write to directory <dir>\n" \
101
" -cahost <host> define CA hostname (CA master host)\n" \
102
" -cadir <dir> define CALOCALTOP and CATOP settings\n" \
103
" -calocaltop <dir> define CALOCALTOP setting\n" \
104
" -catop <dir> define CATOP setting\n" \
105
" -pkcs12 <user> generate pkcs12 format file for user <user> \n" \
106
" -pkcs12pwf <file> pkcs12 password file\n" \
107
" -pkcs12dir <dir> pkcs12 output directory\n" \
108
" -usercert <file> generate certificates and keys for the users in <file>\n" \
109
" -userks generate keystore for existing users\n" \
110
" -user <u:g:e> generate certificates and keys for <u:g:e>\n" \
111
" with u=Unix User, g=Common Name, e=email\n" \
112
" -sdm_daemon <u:g:e> generate certificate and key for a SDM daemon\n" \
113
" with u=Unix User, g=Common Name, e=email\n" \
114
" -sdm_pkcs12 <g> generate pkcs12 format file for SDM daemon\n" \
115
" with g=Common Name of the SDM daemon\n" \
116
" -sys_pkcs12 <g> generate pkcs12 format file for SGE daemon\n" \
117
" with g=Common Name of the SGE daemon\n" \
118
" -ks <user> generate a keystore file for <user>\n" \
119
" -kspwf <file> keystore pw file\n" \
120
" -ksout <file> keystore output file\n" \
121
" -sysks generate keystore for SGE daemon\n" \
122
" -showCaTop echo caTop path\n" \
123
" -showCaLocalTop echo caLocalTop path\n" \
129
#-------------------------------------------------------------------------
130
# Enter: input is read and returned to stdout. If input is empty echo $1
132
# USES: variable "$autoinst"
136
if [ "$autoinst" = true ]; then
140
if [ "$INP" = "" ]; then
149
#-------------------------------------------------------------------------
150
# Execute command as user $ADMINUSER and exit if exit status != 0
151
# if ADMINUSER = default then execute command unchanged
153
# uses the binary "adminrun" from the SGE distribution
155
# USES: variables "$verbose" (if set to "true" print arguments)
156
# $ADMINUSER (if set to "default" do not use "adminrun")
157
# "$V5UTILBIN" (path to the binary in utilbin)
161
if [ "$verbose" = true ]; then
165
if [ $ADMINUSER = default ]; then
168
$V5UTILBIN/adminrun $ADMINUSER "$@"
174
#-------------------------------------------------------------------------
175
# Execute command and return exit status
179
if [ "$verbose" = true ]; then
187
Execute $RM -rf $* > /dev/null 2>&1
190
if [ -f $i -o -d $i ]; then
194
if [ "$files" != "" ]; then
197
Execute $RM -rf $i > /dev/null 2>&1
198
if [ $? -ne 0 ]; then
207
ExecuteAsAdmin $RM -rf $* > /dev/null 2>&1
210
if [ -f $i -o -d $i ]; then
214
if [ "$files" != "" ]; then
217
ExecuteAsAdmin $RM -rf $i > /dev/null 2>&1
218
if [ $? -ne 0 ]; then
226
#-------------------------------------------------------------------------
227
# Change the ownership of a file or directory
228
# Is only executed as root
232
if [ $rootinstalls = true ]; then
241
#--------------------------------------------------------------------------
242
# InitCA Init CA directories and get DN info
247
$INFOTEXT -u "\nInitializing Certificate Authority (CA) for OpenSSL security framework"
249
if [ -d $CATOP -a -d $CALOCALTOP ]; then
250
$INFOTEXT -e "\nThere are already directories of the CA infrastructure in\n %s\n or\n %s\n" "$CATOP" "$CALOCALTOP"
251
$INFOTEXT -auto $AUTO -ask "y" "n" -def "y" -n \
252
"Do you want to recreate your SGE CA infrastructure (y/n) [y] >> "
254
$INFOTEXT "We will not reinitialize your SGE CA infrastructure."
261
PrintErrorAndExit 1 "CA initialization failed. Exit."
264
if [ $? -ne 0 ]; then
265
PrintErrorAndExit 1 "CA initialization failed. Exit."
268
MakeCert daemon $ME "SGE Daemon" none
269
if [ $? -ne 0 ]; then
270
PrintErrorAndExit 1 "CA initialization failed. Exit."
273
MakeCert user $ME "SGE install user" none
274
if [ $? -ne 0 ]; then
275
PrintErrorAndExit 1 "CA initialization failed. Exit."
278
if [ "$ADMINUSER" != default ]; then
279
MakeCert user $ADMINUSER "SGE admin user" none
280
if [ $? -ne 0 ]; then
281
PrintErrorAndExit 1 "CA initialization failed. Exit."
286
#---------------------------------------------------------------------------
287
# create a certificate request
291
# create a certificate request
292
$REQ -new -keyout $outdir/$newkey -out $outdir/$newreq $DAYS
294
if [ $RET = 0 ]; then
295
$INFOTEXT "Request is in %s" $outdir/$newreq
296
$INFOTEXT "Private key is in %s" $outdir/$newkey
298
PrintErrorAndExit 1 "Creating a certificate request failed"
302
#---------------------------------------------------------------------------
307
# Sign an externally supplied request ($indir/$newreq) with the CA key.
# NOTE(review): policy_anything accepts whatever subject DN the request
# carries, so nothing here ties the issued certificate to a known SGE user
# or daemon name; the operator's vetting of the request is the only control
# over who obtains a certificate from this CA.
$CA -config $SGE_ROOT/util/sgeCA/sge_ssl.cnf -policy policy_anything $DAYS $BATCHMODE -notext -out $outdir/$newcert -infiles $indir/$newreq
309
if [ $RET = 0 ]; then
310
$INFOTEXT "Signed certificate is in %s" $outdir/$newcert
312
PrintErrorAndExit 1 "Signing a certificate failed"
316
#---------------------------------------------------------------------------
317
# verify a certificate
321
$VERIFY -CAfile $CATOP/$CACERT $newcert
323
PrintErrorAndExit 1 "Verification of certificate failed"
329
if [ $1 = "cert" ]; then
331
elif [ $1 = "key" ]; then
332
$X509KEY -in $newcert -text
333
elif [ $1 = "crl" ]; then
334
$X509CRL -in $newcert -text
336
PrintErrorAndExit 1 "Can not print %s" $1
340
PrintErrorAndExit 1 "Printing %s failed (%s)" $1 $2
345
#---------------------------------------------------------------------------
347
# If our hostname given in $1 is the same as "CAHOST"
348
# echo "true" else echo "false"
356
if [ "$host" = "$CAHOST" ]; then
363
#--------------------------------------------------------------------------
367
# $2 = $ME ( username )
371
HOST=`$V5UTILBIN/gethostname -aname`
372
result=`CheckIfCaHost $HOST`
373
if [ "$result" != "true" ]; then
374
PrintError "You can install your private key and certificate only on the master host."
378
if [ -d $CALOCALTOP/userkeys ]; then
379
userkeydir=$CALOCALTOP/userkeys
381
PrintError "Can not find local userkey directory."
385
if [ $1 = daemon ]; then
386
keyfile=$CALOCALTOP/private/key.pem
387
certfile=$CATOP/certs/cert.pem
388
randfile=$CALOCALTOP/private/rand.seed
390
keyfile=$userkeydir/$ME/key.pem
391
certfile=$userkeydir/$ME/cert.pem
392
randfile=$userkeydir/$ME/rand.seed
396
basedir=$CAHOMEKEYDIR
397
if [ ! -d $basedir ]; then
398
$V5UTILBIN/adminrun $2 $MKDIR -p $basedir
401
if [ ! -d $basedir/certs ]; then
402
$V5UTILBIN/adminrun $2 $MKDIR $basedir/certs
405
if [ ! -d $basedir/private ]; then
406
$V5UTILBIN/adminrun $2 $MKDIR $basedir/private
409
if [ -f $basedir/private/key.pem ]; then
410
$V5UTILBIN/adminrun $2 rm -f $basedir/private/key.pem
413
if [ -f $basedir/private/rand.seed ]; then
414
$V5UTILBIN/adminrun $2 rm -f $basedir/private/rand.seed
417
if [ -f $basedir/certs/cert.pem ]; then
418
$V5UTILBIN/adminrun $2 rm -f $basedir/certs/cert.pem
421
$V5UTILBIN/adminrun $2 $CP $keyfile $basedir/private
422
if [ $? -ne 0 ]; then
423
PrintError "Could not copy key file (%s -> %s)" $keyfile $basedir/private
426
$V5UTILBIN/adminrun $2 $CP $randfile $basedir/private
427
if [ $? -ne 0 ]; then
428
PrintError "Could not copy rand file (%s -> %s)" $randfile $basedir/private
432
$V5UTILBIN/adminrun $2 $CHMOD 700 $basedir/private
433
if [ $? -ne 0 ]; then
434
PrintError "chmod for %s on private dir failed (%s)" $2 $basedir/private
438
$V5UTILBIN/adminrun $2 $CHMOD 600 $basedir/private/*
439
if [ $? -ne 0 ]; then
440
PrintError "chmod for %s on private files failed (%s/\*)" $2 $basedir/private
444
$V5UTILBIN/adminrun $2 $CP $certfile $basedir/certs
445
if [ $? -ne 0 ]; then
446
PrintError "Could not copy cert file (%s -> %s)" $certfile $basedir/certs
450
$V5UTILBIN/adminrun $2 $CHMOD 755 $basedir/certs
451
if [ $? -ne 0 ]; then
452
PrintError "chmod for %s on certs dir failed (%s)" $2 $basedir/certs
456
$V5UTILBIN/adminrun $2 $CHMOD 644 $basedir/certs/*
457
if [ $? -ne 0 ]; then
458
PrintError "chmod for %s on cert files failed (%s/\*)" $2 $basedir/certs
462
$INFOTEXT "Certificate and private key for user %s have been installed" $ME
468
#--------------------------------------------------------------------------
469
# MakeCAcert create CA certificate and private key
474
$INFOTEXT -u "\nCreating CA certificate and private key"
475
$INFOTEXT -e "Please give some basic parameters to create the distinguished name (DN)\n" \
476
"for the certificates.\n\n" \
477
"We will ask for\n" \
478
" - the two letter country code\n" \
480
" - the location, e.g city or your buildingcode\n" \
481
" - the organization (e.g. your company name)\n" \
482
" - the organizational unit, e.g. your department\n" \
483
" - the email address of the CA administrator (you!)\n"
485
$INFOTEXT -wait -auto $AUTO -n "\nHit <RETURN> to continue >> "
489
while [ $done = false ]; do
491
if [ "$AUTO" = "true" ]; then
492
CA_C=`echo $CSP_COUNTRY_CODE | env LC_ALL=C tr "[a-z]" "[A-Z]"`
496
CA_OU="$CSP_ORGA_UNIT"
497
CA_EMAIL="$CSP_MAIL_ADDRESS"
500
while [ $dndone = false ]; do
501
$INFOTEXT -n "Please enter your two letter country code, e.g. 'US' >> "
503
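# Accept the country code only when it is non-empty and exactly two
# characters long (`wc -c` counts the newline echo appends, hence 3).
# The quote in the first operand was misplaced ("$INP != "), which made the
# emptiness test a constant non-empty string; the wc test masked it, but the
# intended comparison is restored here.
if [ "$INP" != "" -a `echo $INP | wc -c` = 3 ]; then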
504
CA_C=`echo $INP | env LC_ALL=C tr "[a-z]" "[A-Z]"`
510
while [ $dndone = false ]; do
511
$INFOTEXT -n "Please enter your state >> "
514
if [ "$INP" != "" ]; then
521
while [ $dndone = false ]; do
522
$INFOTEXT -n "Please enter your location, e.g city or buildingcode >> "
525
if [ "$INP" != "" ]; then
532
while [ $dndone = false ]; do
533
$INFOTEXT -n "Please enter the name of your organization >> "
535
if [ "$INP" != "" ]; then
542
while [ $dndone = false ]; do
543
$INFOTEXT -n "Please enter your organizational unit, e.g. your department >> "
546
if [ "$INP" != "" ]; then
553
while [ $dndone = false ]; do
554
$INFOTEXT -n "Please enter the email address of the CA administrator >> "
556
if [ "$INP" != "" ]; then
565
$INFOTEXT -e "\nYou selected the following basic data for the distinguished name of\n" \
566
"your certificates:\n\n" \
567
"Country code: %s=%s\n" \
569
"Location: %s=%s\n" \
570
"Organization: %s=%s\n" \
571
"Organizational unit: %s=%s\n" \
572
"CA email address: %s=%s\n" \
573
C "$CA_C" ST "$CA_ST" L "$CA_L" O "$CA_O" OU "$CA_OU" emailAddress "$CA_EMAIL"
575
$INFOTEXT -auto $AUTO -ask "y" "n" -def "y" -n \
576
"Do you want to use these data (y/n) [y] >> "
580
# Scratch files used to assemble the CA's OpenSSL request config: the DN
# lines are appended to $TMPFILE below and the result is concatenated with
# sge_ssl_template.cnf into $TMPFILE1, which is then passed as -config to
# "openssl req" when the CA key and certificate are generated.
# NOTE(review): both names are predictable (PID-based) and live in
# world-writable /tmp. The file is removed, re-created and then appended to
# with ">>", and $TMPFILE1 is written with ">"; a local user who pre-places a
# file or symlink at either path between those steps can inject directives
# into the config that drives CA key generation, or redirect the write to a
# path of their choosing. Prefer mktemp(1) where available, or a 0700
# scratch directory under $CALOCALTOP.
TMPFILE=/tmp/sge_ca$$.tmp
581
TMPFILE1=/tmp/sge_ca1$$.tmp
582
ExecRm $TMPFILE $TMPFILE1
583
if [ $? -ne 0 ]; then
584
PrintError "Could not delete file %s" $TMPFILE
589
if [ $? -ne 0 ]; then
590
PrintError "Could not delete file %s" $TMPFILE1
595
if [ $? -ne 0 ]; then
596
PrintError "Could not touch file %s" $TMPFILE
600
if [ $? -ne 0 ]; then
601
PrintError "Could not touch file %s" $TMPFILE1
605
echo C="$CA_C" >> $TMPFILE
606
echo ST="$CA_ST" >> $TMPFILE
607
echo L="$CA_L" >> $TMPFILE
608
echo O="$CA_O" >> $TMPFILE
609
echo OU="$CA_OU" >> $TMPFILE
610
ExecuteAsAdmin $CP $TMPFILE $CATOP/dn.info
611
if [ $? -ne 0 ]; then
612
PrintError "Could not copy file (%s -> %s)" $TMPFILE $CATOP/dn.info
616
echo CN="SGE Certificate Authority" >> $TMPFILE
617
echo userId=CA >> $TMPFILE
618
echo emailAddress=$CA_EMAIL >> $TMPFILE
621
Execute cat $CONFIG_DIR/sge_ssl_template.cnf $TMPFILE > $TMPFILE1
622
if [ $? -ne 0 ]; then
623
PrintError "Could not cat file (%s)" $CONFIG_DIR/sge_ssl_template.cnf
627
if [ $ADMINUSER != default -a $rootinstalls = true ]; then
628
# echo +++ $ADMINUSER
629
MakeRandFile $CALOCALTOP/private/rand.seed $ADMINUSER
632
MakeRandFile $CALOCALTOP/private/rand.seed $ME
634
if [ $? -ne 0 ]; then
637
RANDFILE=$CALOCALTOP/private/rand.seed; export RANDFILE
640
$INFOTEXT "Creating CA certificate and private key"
641
ExecuteAsAdmin $REQ -config $TMPFILE1 -new -x509 \
642
-keyout ${CALOCALTOP}/private/$CAKEY -out ${CATOP}/$CACERT $DAYS
646
ExecuteAsAdmin $CHMOD 644 ${CATOP}/$CACERT
647
if [ $? -ne 0 ]; then
648
PrintError "chmod as %s failed (%s)" $ADMINUSER ${CATOP}/$CACERT
651
rm -f $TMPFILE $TMPFILE1
653
if [ $status != 0 ]; then
654
PrintError "Failed to create CA certificate and private key. Exit"
663
$INFOTEXT -wait -auto $AUTO -n "\nHit <RETURN> to continue >> "
668
#--------------------------------------------------------------------------
669
# MakeRandFile create a random data file
671
# $1 = <randfilename>
677
# OpenSSL uses /dev/urandom by default so if it's there, don't
678
# pollute the PRNG with predictable data.
680
if [ ! -r /dev/urandom ]; then
681
if [ -r /dev/random ]; then
683
elif [ -r /bin/vi ]; then
687
# $INFOTEXT "Creating RANDFILE from '%s' in '%s'" $rfile $1
689
# Fallback seeding path, only reached when /dev/urandom is unreadable (see the
# test above): dd copies count=2048 blocks of $rfile into a scratch file that
# is then fed to "openssl rand" to bootstrap $1.
# NOTE(review): when $rfile has fallen back to /bin/vi the seed material is a
# public, fixed file, so keys generated on such a host get their entropy only
# from whatever else OpenSSL mixes in; treat them as suspect. The scratch path
# is also predictable and under /tmp, so dd's "of=" (run via adminrun as $2)
# would follow a pre-placed symlink.
RANDFILE=/tmp/.rand.$$; export RANDFILE;
690
$V5UTILBIN/adminrun $2 dd if=$rfile of=$RANDFILE count=2048 > /dev/null 2>&1
691
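# dd's exit status is never negative, so the previous "-lt 0" test could not
# fire and a failed seed copy went unnoticed; check for any non-zero status.
if [ $? -ne 0 ]; then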
692
PrintError "Could not create random number for (%s -> %s)" $rfile $RANDFILE
695
$V5UTILBIN/adminrun $2 $OPENSSL rand -rand $RANDFILE -out $1 2048 > /dev/null 2>&1
696
if [ $? -ne 0 ]; then
697
PrintError "bootstraping of rand command as user %s failed (%s -> %s)" $2 $RANDFILE $1
701
$V5UTILBIN/adminrun $2 $OPENSSL rand -rand $rfile -out $1 2048 > /dev/null 2>&1
702
if [ $? -ne 0 ]; then
703
PrintError "openssl rand command as user %s failed (%s -> %s)" $2 $rfile $1
707
$V5UTILBIN/adminrun $2 $RM $RANDFILE > /dev/null 2>&1
708
if [ $? -ne 0 ]; then
709
PrintError "Could not delete file %s as user %s" $RANDFILE $2
713
# Make the generated seed file readable.
# NOTE(review): 644 leaves the seed world-readable. It is later exported as
# RANDFILE for key generation (OpenSSL typically also writes PRNG state back
# to it). The MakeCert path tightens its copy to 600 afterwards, but no such
# step is visible for the CA's $CALOCALTOP/private/rand.seed. Consider 600
# here, provided the user that later runs openssl is $2 or root -- verify.
$V5UTILBIN/adminrun $2 $CHMOD 644 $1 > /dev/null 2>&1
714
if [ $? -ne 0 ]; then
715
PrintError "chmod as user %s on file %s failed" $2 $1
719
# echo "--------------"
721
# echo "--------------"
726
#--------------------------------------------------------------------------
727
# MakeUserCert create the certificate and key for one <user:gecos:email> entry (a user, e.g. the Windows admin user, or an SDM daemon)
729
# $1 = certificate type "user" or "sdm_daemon"
730
# $2 = <user:gecos:email>
737
unixuser=`echo $line|cut -d: -f1`
738
gecos=`echo $line|cut -d: -f2`
739
email=`echo $line|cut -d: -f3`
741
# echo $unixuser:$gecos:$email
742
if [ "$unixuser" = "" ]; then
743
PrintErrorAndExit 1 "no Unix user specified. Exit."
746
if [ "$gecos" = "" ]; then
749
if [ "$email" = "" ]; then
753
if [ "$ADMINUSER" = default ]; then
754
# Count valid ("V") index entries whose subject contains CN=<gecos>.
# NOTE(review): the pattern is an unanchored basic regex built from the gecos
# field: "CN=Bob" also matches "CN=Bobby", and regex metacharacters in the
# name change the match. A fixed-string match on the delimited form
# ("/CN=$gecos/", via fgrep or grep -F) would avoid both, provided every
# index entry is written with emailAddress after CN as MakeCert does.
# The adminrun variant just below has the same issue.
entries=`grep "CN=$gecos" $CATOP/index.txt|grep '^V'|wc -l`
756
entries=`$V5UTILBIN/adminrun $ADMINUSER grep "CN=$gecos" $CATOP/index.txt|grep '^V'|wc -l`
758
if [ $entries = 0 ]; then
759
$INFOTEXT "Generating %s certificate and key for '%s' ('%s','%s')." \
760
"$cert_type" "$unixuser" "$gecos" "$email"
761
MakeCert $cert_type "$unixuser" "$gecos" "$email"
762
if [ $? -ne 0 ]; then
766
PrintError "Please renew %s certificate for '%s' ('%s','%s') instead." \
767
"$cert_type" "$unixuser" "$gecos" "$email"
768
# RenewCert user $unixuser
774
#--------------------------------------------------------------------------
775
# MakeUserCerts create user certificates and keys from userfile
776
# userfile contains a list of entries of the following format per user.
778
# <unix username>:<gecos field>:<user's email address>
784
if [ ! -f "$1" ]; then
785
PrintErrorAndExit 1 "no valid userfile '%s'. Exit." $1
790
# Process the userfile one entry per line.
# NOTE(review): "read" without -r mangles backslashes in the entry, and since
# the loop body runs in the pipeline's subshell, a PrintErrorAndExit raised
# inside MakeUserCert ends only that subshell -- the script itself carries on
# after the loop. Reading via "done < $userfile" would keep the loop in the
# current shell (the loop's closing line is not visible here).
cat $userfile | while read line; do
791
MakeUserCert user "$line"
795
#--------------------------------------------------------------------------
796
# MakeUserKeystores create keystores for existing users in
797
# $CALOCALTOP/userkeys
801
if [ "$ksoutfile" = "" ]; then
802
ksoutfile_saved=$ksoutfile
805
remove_kspwfile=false
806
if [ "$kspwfile" = "" ]; then
811
for user in `ls $CALOCALTOP/userkeys`; do
812
certfile=$CALOCALTOP/userkeys/$user/cert.pem
813
if [ -r $certfile ]; then
814
ksoutfile=$CALOCALTOP/userkeys/$user/keystore
816
$CHOWN $user $ksoutfile
817
$CHMOD 600 $ksoutfile
818
MakeKeystore user "$user"
821
if [ "$remove_kspwfile" = "true" ]; then
824
ksoutfile=$ksoutfile_saved
827
#--------------------------------------------------------------------------
828
# MakeSysKeystore create keystore for SGE Daemon
829
# $CALOCALTOP/private
833
if [ "$ksoutfile" = "" ]; then
834
ksoutfile_saved=$ksoutfile
837
remove_kspwfile=false
838
if [ "$kspwfile" = "" ]; then
843
certfile=$CATOP/certs/cert.pem
844
if [ -r $certfile ]; then
845
ksoutfile=$CALOCALTOP/private/keystore
846
ExecuteAsAdmin touch $ksoutfile
847
ExecuteAsAdmin chmod 600 $ksoutfile
848
MakeKeystore sge_daemon "SGEDaemon"
850
if [ "$remove_kspwfile" = "true" ]; then
853
ksoutfile=$ksoutfile_saved
858
#--------------------------------------------------------------------------
859
# MakeKeystore create keystore file of user's certificate and key
861
# $1 = user or sge_daemon
867
if [ "$type" != "user" -a "$type" != "sge_daemon" ]; then
868
PrintError "unknown type $type only user or sge_daemon allowed"
872
if [ "$myuser" = "" ]; then
873
PrintError "username is empty"
876
CA_ARGS="-catop $CATOP"
877
CA_ARGS="$CA_ARGS -calocaltop $CALOCALTOP"
878
CA_ARGS="$CA_ARGS -cascript $ROOT_PATH/util/sgeCA/sge_ca"
879
CA_ARGS="$CA_ARGS -cahost $CAHOST -adminuser $ADMINUSER"
880
CA_ARGS="$CA_ARGS initks $type $myuser $ksoutfile"
881
if [ "$kspwfile" != "" ]; then
882
CA_ARGS="$CA_ARGS $kspwfile"
885
if [ "$JAVA_HOME" = "" ]; then
886
PrintError "JAVA_HOME not set"
889
JAVA=$JAVA_HOME/bin/java
892
JVM_ARGS="-cp $ROOT_PATH/lib/juti.jar"
893
JVM_ARGS="$JVM_ARGS -Djava.util.logging.config.file=$ROOT_PATH/util/sgeCA/logging.properties"
895
$JAVA $JVM_ARGS com.sun.grid.ca.Main $CA_ARGS
898
#--------------------------------------------------------------------------
899
# MakePKCS12 create pkcs12 file of user's certificate and key
901
# $1 = "user" or "sdm_daemon" or "sge_daemon"
902
# $2 = <unix user> or <sdm daemon>
906
if [ "$1" = "user" ]; then
907
if [ "$2" = "" ]; then
908
PrintError "no valid user '%s'." $1
913
KEYFILE=$CALOCALTOP/userkeys/$keyowner/key.pem
914
CERTFILE=$CALOCALTOP/userkeys/$keyowner/cert.pem
915
elif [ "$1" = "sdm_daemon" ]; then
916
if [ "$2" = "" ]; then
917
PrintError "no valid sdm daemon '%s'." $1
922
KEYFILE=$CALOCALTOP/daemons/$keyowner/key.pem
923
CERTFILE=$CALOCALTOP/daemons/$keyowner/cert.pem
924
elif [ "$1" = "sge_daemon" ]; then
927
KEYFILE=$CALOCALTOP/private/key.pem
928
CERTFILE=$CATOP/certs/cert.pem
930
PrintError "valid argument: %s" $1
936
if [ "$passinfile" != "" ]; then
937
pwoptions="-passout file:$passinfile"
941
if [ "$pkcs12outdir" != "" ]; then
942
myoutdir="$pkcs12outdir"
945
$INFOTEXT "Generating %s/%s.p12." "$myoutdir" "$keyowner"
946
# create rand.seed file
947
RSFILE=/tmp/rand.seed.$$
948
MakeRandFile $RSFILE $unixuser
949
if [ $? -ne 0 ]; then
952
RANDFILE=$RSFILE; export RANDFILE
954
# Bundle the private key and certificate (plus the CA cert) into a PKCS#12 file.
# NOTE(review): the .p12 contains the private key and is created with the
# caller's umask -- no chmod of $myoutdir/$keyowner.p12 follows in the visible
# code. With an empty $passinfile no -passout is given, so openssl presumably
# prompts for the export password. "-nodes" is documented for pkcs12 parse
# mode; whether it affects key protection on -export should be confirmed
# against the OpenSSL version in use.
$P12 $pwoptions -export -nodes -inkey $KEYFILE -out $myoutdir/$keyowner.p12 -in $CERTFILE -certfile $CATOP/cacert.pem -caname "SGE CA"
955
if [ $? -ne 0 ]; then
956
PrintError "openssl pkcs12 command failed"
962
#--------------------------------------------------------------------------
963
# MakePKCS12ForUsers create pkcs12 file of user certificate and keys from userfile
964
# userfile contains a list of entries of the following format per user.
966
# <unix username>:<gecos field>:<user's email address>
972
if [ ! -f "$1" ]; then
973
PrintErrorAndExit 1 "no valid userfile '%s'. Exit." $1
976
cat $1 | while read line; do
977
unixuser=`echo $line|cut -d: -f1`
978
$INFOTEXT "Generating %s/%s.p12." \
979
"$pkcs12outdir" "$unixuser"
980
pkcs12outdir=$CALOCALTOP/userkeys/$unixuser
981
MakePKCS12 user "$unixuser"
985
#--------------------------------------------------------------------------
986
# DumpUsers dump user info
990
CERTDIR=$CALOCALTOP/userkeys
993
# create rand.seed file
994
MakeRandFile $RSFILE $USER
995
if [ $? -ne 0 ]; then
998
RANDFILE=$RSFILE; export RANDFILE
1000
$INFOTEXT "Dumping users to $outdir/dumped_users.txt"
1001
for i in `ls $CERTDIR`; do
1002
$X509 -in $CERTDIR/$i/cert.pem -subject -noout|$AWK -F '/' '{print $8 ":" $7 ":" $9}' | sed -e 's/UID=//' -e 's/CN=//' -e 's/emailAddress=//' >> $outdir/dumped_users.txt
1003
if [ $? -ne 0 ]; then
1004
PrintError "openssl x509 command for user %s failed" $i
1009
#--------------------------------------------------------------------------
1010
# MakeCert create certificate and private key for a daemon, a user or an SDM daemon
1012
# $1 = certificate type ("daemon" or "user" or "sdm_daemon")
1013
# $2 = userId (Unix user name)
1014
# $3 = commonname (e.g. passwd gecos field or name of sdm_daemon)
1015
# $4 = email address
1019
$INFOTEXT -u "\nCreating '%s' certificate and key for %s" "$1" "$3"
1021
# Scratch config for this certificate: dn.info plus the userId/CN/emailAddress
# lines, concatenated with the template into $TMPFILE1 and passed as -config
# to both "openssl req" and "openssl ca" below.
# NOTE(review): predictable PID-based names under world-writable /tmp; a local
# user who pre-places a file or symlink at either path between the rm and the
# subsequent writes can tamper with the config that drives key generation and
# signing (run via ExecuteAsAdmin). Prefer mktemp(1) or a private scratch
# directory under $CALOCALTOP.
TMPFILE=/tmp/sge_ca$$.tmp
1022
TMPFILE1=/tmp/sge_ca1$$.tmp
1023
$RM -f $TMPFILE $TMPFILE1
1024
Execute cp $CATOP/dn.info $TMPFILE
1025
if [ $? -ne 0 ]; then
1026
PrintError "Could not copy file (%s -> %s)" $CATOP/dn.info $TMPFILE
1031
# For an SDM daemon the userId is always prefixed with "sdm_daemon_"
1032
# the SdmCATrustManagerLoginModule needs this information
1033
# to distinguish between daemon and user certificates
1035
if [ $1 = sdm_daemon ]; then
1036
echo userId=sdm_daemon_$2 >> $TMPFILE
1038
echo userId=$2 >> $TMPFILE
1040
echo CN=$3 >> $TMPFILE
1041
echo emailAddress=$4 >> $TMPFILE
1043
Execute cat $CONFIG_DIR/sge_ssl_template.cnf $TMPFILE > $TMPFILE1
1044
if [ $? -ne 0 ]; then
1045
PrintError "Could not cat file (%s, %s -> %s)" $CONFIG_DIR/sge_ssl_template.cnf $TMPFILE $TMPFILE1
1049
if [ $1 = daemon ]; then
1050
KEYDIR=$CALOCALTOP/private
1051
KEYFILE=$CALOCALTOP/private/key.pem
1052
REQFILE=$CALOCALTOP/private/req.pem
1053
CERTFILE=$CATOP/certs/cert.pem
1054
RSFILE=$CALOCALTOP/private/rand.seed
1055
elif [ $1 = user ]; then
1056
KEYDIR=$CALOCALTOP/userkeys/$2
1057
KEYFILE=$KEYDIR/key.pem
1058
REQFILE=$KEYDIR/req.pem
1059
CERTFILE=$KEYDIR/cert.pem
1060
CERTFILE_PUBLIC_DIR=$CATOP/usercerts/$2
1061
RSFILE=$KEYDIR/rand.seed
1063
ExecuteAsAdmin $MKDIR $KEYDIR
1064
elif [ $1 = sdm_daemon ]; then
1065
KEYDIR=$CALOCALTOP/daemons/$3
1066
KEYFILE=$KEYDIR/key.pem
1067
REQFILE=$KEYDIR/req.pem
1068
CERTFILE=$KEYDIR/cert.pem
1069
RSFILE=$KEYDIR/rand.seed
1071
ExecuteAsAdmin $MKDIR $KEYDIR
1073
PrintError "Unknown certificate type %s" $1
1077
# create rand.seed file
1078
if [ "$ADMINUSER" = default ]; then
1079
MakeRandFile $RSFILE root
1081
MakeRandFile $RSFILE $ADMINUSER
1083
if [ $? -ne 0 ]; then
1087
RANDFILE=$RSFILE; export RANDFILE
1091
# create a certificate request
1092
ExecuteAsAdmin $REQ -config $TMPFILE1 -new -keyout $KEYFILE -out $REQFILE $DAYS
1093
if [ $? != 0 ]; then
1094
PrintError "Can't create %s or %s. Exit." $KEYFILE $REQFILE
1098
# sign certificate request
1099
ExecuteAsAdmin $CA -config $TMPFILE1 -policy policy_anything -batch $DAYS \
1100
-notext -out $CERTFILE -infiles $REQFILE
1101
if [ $? != 0 ]; then
1102
PrintError "Can't sign certificate request %s. Exit." $REQFILE
1105
ExecuteAsAdmin $CHMOD 644 $CERTFILE
1106
if [ $? != 0 ]; then
1107
PrintError "chmod as %s failed (%s)" $ADMINUSER $CERTFILE
1111
if [ "$1" = user ]; then
1112
ExecuteAsAdmin $MKDIR -m 755 -p $CERTFILE_PUBLIC_DIR
1113
ExecuteAsAdmin $CP $CERTFILE $CERTFILE_PUBLIC_DIR
1114
ExecuteAsAdmin $CHMOD 644 $CERTFILE_PUBLIC_DIR/cert.pem
1117
$RM -f $TMPFILE $TMPFILE1
1119
Execute $CHMOD 700 $KEYDIR
1120
if [ $? != 0 ]; then
1121
PrintError "chmod failed (%s)" $KEYDIR
1124
Execute $CHMOD 600 $KEYDIR/*
1125
if [ $? != 0 ]; then
1126
PrintError "chmod failed (%s/\*)" $KEYDIR
1129
Execute $CHMOD 600 $KEYDIR/rand.seed
1130
if [ $? != 0 ]; then
1131
PrintError "chmod failed (%s)" $KEYDIR/rand.seed
1134
if [ $1 = daemon ]; then
1135
$INFOTEXT "created and signed certificate for SGE daemons"
1136
elif [ $1 = sdm_daemon ]; then
1137
$INFOTEXT "created and signed certificate for sdm_daemon '%s' in '%s'" $3 $KEYDIR
1139
# check if user exists and chown if yes
1140
id $2 > /dev/null 2>&1
1142
ExecChown -R $2 $KEYDIR
1143
if [ $? != 0 ]; then
1144
PrintError "chown to %s failed (%s)" $2 $KEYDIR
1148
$INFOTEXT "created and signed certificate for user '%s' in '%s'" $2 $KEYDIR
1155
#--------------------------------------------------------------------------
1156
# RenewCA renew a self-signed CA certificate
1160
$INFOTEXT -u "\nRenewing CA certificate"
1162
CAKEYDIR=$CALOCALTOP/private
1163
CAKEYFILE=$CALOCALTOP/private/cakey.pem
1164
CACERTFILE=$CATOP/cacert.pem
1165
RSFILE=$CALOCALTOP/private/rand.seed
1166
NEWCACERTFILE=$CATOP/cacert.pem.new
1167
OLDCACERTFILE=$CATOP/cacert.pem.`date | tr " " "_"`
1168
RANDFILE=$RSFILE; export RANDFILE
1170
# Re-sign the existing CA certificate with the same CA key, extending its
# validity into $NEWCACERTFILE.
# NOTE(review): the CA key is not rotated and the subject is unchanged, so
# every relying party holding the old cacert.pem must receive the new one;
# copies previously distributed to other hosts are presumably not updated by
# this step.
ExecuteAsAdmin $X509 -in $CACERTFILE -signkey $CAKEYFILE $DAYS -out $NEWCACERTFILE
1171
if [ $? != 0 ]; then
1172
PrintError "openssl x509 as %s failed (RenewCA)" $ADMINUSER
1176
ExecuteAsAdmin $CP $CACERTFILE $OLDCACERTFILE
1177
if [ $? != 0 ]; then
1178
PrintError "Could not copy file as %s (%s -> %s)" $ADMINUSER $CACERTFILE $OLDCACERTFILE
1181
ExecuteAsAdmin $CHMOD 644 $CACERTFILE
1182
if [ $? != 0 ]; then
1183
PrintError "chmod as %s failed (%s)" $ADMINUSER $CACERTFILE
1186
ExecuteAsAdmin $MV $NEWCACERTFILE $CACERTFILE
1187
if [ $? != 0 ]; then
1188
PrintError "Could not move file as %s (%s -> %s)" $ADMINUSER $NEWCACERTFILE $CACERTFILE
1191
ExecuteAsAdmin $CHMOD 644 $CACERTFILE
1192
if [ $? != 0 ]; then
1193
PrintError "chmod as %s failed (%s)" $ADMINUSER $CACERTFILE
1200
#--------------------------------------------------------------------------
1201
# RenewCert renew a certificate
1203
# $1 = certificate type ("daemon" or "user" or "sdm_daemon")
1204
# $2 = userId (Unix user name, or the common name of the sdm_daemon)
1208
ADMINRUN_NO_EXIT=true # ExecuteAsAdmin should not exit,
1209
# we need to clean up the file permissions
1211
# in the gridengine environment only the root user is allowed
1212
# to renew certificates
1213
# for haithabu the admin user can also renew certificates
1214
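# Only root may renew in a plain Grid Engine setup (SGE_CNF=true); the admin
# user is also allowed elsewhere (haithabu). $SGE_CNF is quoted so an unset
# value yields a clean "false" instead of a test(1) syntax error.
if [ "$rootinstalls" != true -a "$SGE_CNF" = true ]; then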
1215
PrintError "Only root user can renew certificates!"
1219
if [ "$1" = daemon ]; then
1220
$INFOTEXT -u "\nRenewing daemon certificate"
1221
if [ "$2" = default ]; then
1225
$INFOTEXT -u "\nRenewing '%s' '%s' certificate" "$2" "$1"
1228
TMPFILE=/tmp/sge_ca$$.tmp
1229
TMPFILE1=/tmp/sge_ca1$$.tmp
1230
$RM -f $TMPFILE $TMPFILE1
1231
Execute cp $CATOP/dn.info $TMPFILE
1232
if [ $? != 0 ]; then
1233
PrintError "Could not copy file (%s -> %s)" $CATOP/dn.info $TMPFILE
1236
echo userId=$2 >> $TMPFILE
1237
echo CN="dummy" >> $TMPFILE
1238
echo emailAddress="dummy" >> $TMPFILE
1239
Execute cat $CONFIG_DIR/sge_ssl_template.cnf $TMPFILE > $TMPFILE1
1240
if [ $? != 0 ]; then
1241
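# Report the failed concatenation. The earlier form ended with "> $TMPFILE1",
# which sent the error text into the config scratch file instead of to the
# user and dropped the third %s argument.
PrintError "Could not cat file (%s, %s -> %s)" $CONFIG_DIR/sge_ssl_template.cnf $TMPFILE $TMPFILE1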
1246
if [ "$1" = daemon ]; then
1247
KEYDIR=$CALOCALTOP/private
1248
KEYFILE=$CALOCALTOP/private/key.pem
1249
REQFILE=$CALOCALTOP/private/req.pem
1250
CERTFILE=$CATOP/certs/cert.pem
1251
NEWCERTFILE=$CATOP/certs/cert.pem.new
1252
OLDCERTFILE=$CATOP/certs/cert.pem.old
1253
RSFILE=$CALOCALTOP/private/rand.seed
1254
CRLFILE=$CATOP/ca-crl.pem
1255
elif [ $1 = sdm_daemon ]; then
1256
KEYDIR=$CALOCALTOP/daemons/$2
1257
NEWKEYBASEDIR=/tmp/sge_ca_dir_$$
1258
NEWKEYDIR=$NEWKEYBASEDIR/daemons/$2
1259
KEYFILE=$NEWKEYDIR/key.pem
1260
REQFILE=$NEWKEYDIR/req.pem
1261
CERTFILE=$NEWKEYDIR/cert.pem
1262
NEWCERTFILE=$NEWKEYDIR/cert.pem.new
1263
OLDCERTFILE=$NEWKEYDIR/cert.pem.old
1264
RSFILE=$NEWKEYDIR/rand.seed
1265
CRLFILE=$CATOP/ca-crl.pem
1266
elif [ $1 = user ]; then
1267
KEYDIR=$CALOCALTOP/userkeys/$2
1268
NEWKEYBASEDIR=/tmp/sge_ca_dir_$$
1269
NEWKEYDIR=$NEWKEYBASEDIR/userkeys/$2
1270
KEYFILE=$NEWKEYDIR/key.pem
1271
REQFILE=$NEWKEYDIR/req.pem
1272
CERTFILE=$NEWKEYDIR/cert.pem
1273
NEWCERTFILE=$NEWKEYDIR/cert.pem.new
1274
OLDCERTFILE=$NEWKEYDIR/cert.pem.old
1275
RSFILE=$NEWKEYDIR/rand.seed
1276
CRLFILE=$CATOP/ca-crl.pem
1277
CERTFILE_PUBLIC_DIR=$CATOP/usercerts/$2
1279
PrintError "Unknown certificate type %s" $1
1283
# create rand.seed file
1284
# rand.seed already exists, therefore no MakeRandFile $RSFILE $2
1285
RANDFILE=$RSFILE; export RANDFILE
1287
if [ "$1" = daemon ]; then
1288
Execute $CHMOD 644 $CERTFILE
1289
if [ $? != 0 ]; then
1290
PrintError "chmod failed (%s)" $CERTFILE
1294
# Stage the renewal in a fresh directory tree under $NEWKEYBASEDIR.
# NOTE(review): $NEWKEYBASEDIR is a predictable PID-based path in /tmp and
# "mkdir -p" succeeds even when another local user has already created it;
# the key material copied in next would then land in an attacker-owned
# directory. Create the base with mktemp -d (or under a private directory)
# and fail if it already exists.
Execute $MKDIR -p $NEWKEYDIR
1295
if [ $? != 0 ]; then
1296
PrintError "mkdir failed (%s)" $NEWKEYDIR
1299
Execute $CP $KEYDIR/* $NEWKEYDIR
1300
if [ $? != 0 ]; then
1301
PrintError "Could not copy files (%s/\* -> %s)" $KEYDIR/* $NEWKEYDIR
1304
if [ "$ADMINUSER" = default ]; then
1305
ExecChown -R root $NEWKEYDIR
1307
ExecChown -R $ADMINUSER $NEWKEYDIR
1309
if [ $? != 0 ]; then
1310
PrintError "chown failed (%s)" $NEWKEYDIR
1313
if [ $? != 0 ]; then
1314
PrintError "chown failed (%s)" $NEWKEYDIR
1317
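# $NEWKEYDIR lives under a predictable /tmp path (see NEWKEYBASEDIR) and holds
# a copy of key.pem from $KEYDIR; a bare "chmod 644 *" made that private key
# world-readable until the staging tree is removed. Lock the directory down
# first (it was chowned to root or $ADMINUSER above) so the 644 kept on the
# files does not expose the key. The "&&" keeps the status check below
# meaningful for either chmod.
Execute $CHMOD 700 $NEWKEYDIR && Execute $CHMOD 644 $NEWKEYDIR/*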
1318
if [ $? != 0 ]; then
1319
PrintError "chmod failed (%s/\*)" $NEWKEYDIR
1327
# revoke the old certificate and create the certificate revocation list
1328
ExecuteAsAdmin $CA -config $TMPFILE1 -policy policy_anything \
1332
if [ $? != 0 ]; then
1333
PrintError "Can't revoke %s." $CERTFILE
1337
# sign certificate request
1338
ExecuteAsAdmin $CA -config $TMPFILE1 \
1339
-policy policy_anything -batch $DAYS \
1340
-notext -out $NEWCERTFILE -infiles $REQFILE
1342
if [ $? != 0 ]; then
1343
PrintError "Can't renew %s." $CERTFILE
1347
# create the certificate revocation list
1348
ExecuteAsAdmin $CA -config $TMPFILE1 -policy policy_anything \
1350
-gencrl -out ${CRLFILE}.tmp
1352
if [ $? != 0 ]; then
1353
PrintError "Can't generate revocation list %s.." $CRLFILE
1356
if [ $1 = daemon ]; then
1357
$INFOTEXT "renewed certificate for SGE daemons"
1359
$INFOTEXT "renewed certificate for user '%s' in '%s'" $2 $KEYDIR
1363
if [ -f $OLDCERTFILE ]; then
1364
ExecuteAsAdmin $RM -f $OLDCERTFILE
1365
if [ $? != 0 ]; then
1366
PrintError "Can not delete old cert file (%s)" $OLDCERTFILE
ExecuteAsAdmin $CP $CERTFILE $OLDCERTFILE
if [ $? != 0 ]; then
PrintError "Could not copy file (%s -> %s)" $CERTFILE $OLDCERTFILE
ExecuteAsAdmin $MV $NEWCERTFILE $CERTFILE
if [ $? != 0 ]; then
PrintError "Could not move file (%s -> %s)" $NEWCERTFILE $CERTFILE
ExecuteAsAdmin $CHMOD 644 $CERTFILE
if [ $? != 0 ]; then
PrintError "chmod failed (%s)" $CERTFILE
# copy renewed cert.pem to $CERTFILE_PUBLIC_DIR
if [ "$1" = user ]; then
if [ ! -d "$CERTFILE_PUBLIC_DIR" ]; then
ExecuteAsAdmin $MKDIR -m 755 -p $CERTFILE_PUBLIC_DIR
if [ $? != 0 ]; then
PrintError "Could not create %s" $CERTFILE_PUBLIC_DIR
ExecuteAsAdmin $CP $CERTFILE $CERTFILE_PUBLIC_DIR
if [ $? != 0 ]; then
PrintError "Could not copy file (%s -> %s)" $CERTFILE $CERTFILE_PUBLIC_DIR
ExecuteAsAdmin $CHMOD 644 $CERTFILE_PUBLIC_DIR/cert.pem
if [ $? != 0 ]; then
PrintError "Could not chown 644 file %s" $CERTFILE_PUBLIC_DIR/cert.pem
if [ "$1" != daemon ]; then
Execute $CP -f $NEWKEYDIR/* $KEYDIR
if [ $? != 0 ]; then
PrintError "Could not copy files (%s/\* -> %s)" $NEWKEYDIR $KEYDIR
ExecuteAsAdmin $MV ${CRLFILE}.tmp $CRLFILE
if [ $? != 0 ]; then
PrintError "Could not move file (%s -> %s)" ${CRLFILE}.tmp $CRLFILE
ExecuteAsAdmin $CHMOD 644 $CRLFILE
if [ $? != 0 ]; then
PrintError "chmod failed (%s)" $CERTFILE
Execute $RM -f $TMPFILE $TMPFILE1
if [ "$1" != daemon ]; then
ExecRm $NEWKEYBASEDIR
Execute $CHMOD 500 $KEYDIR
if [ $? != 0 ]; then
PrintError "chmod failed (%s)" $KEYDIR
Execute $CHMOD 600 $KEYDIR/*
if [ $? != 0 ]; then
PrintError "chmod failed (%s/\*)" $KEYDIR
# The chown can only be done for user certificates
# sdm_daemon certificates are owned by $ADMINUSER
if [ $1 = "user" ]; then
id $2 > /dev/null 2>&1
ExecChown -R $2 $KEYDIR
if [ $? != 0 ]; then
PrintError "chown to %s failed (%s)" $2 $KEYDIR
#--------------------------------------------------------------------------
# create all directories for CA infrastructure
if [ -f $CATOP -o -f $CALOCALTOP ]; then
$INFOTEXT "The CA directories\n %s or %s\n seem to be regular files" \
$INFOTEXT "CA initialization failed. Exit."
if [ -f $CALOCALTOP -o -d $CALOCALTOP ]; then
PrintError "Can't delete the CA local directories\n %s" \
ExecRmAsAdmin $CATOP
if [ -f $CATOP -o -d $CATOP ]; then
PrintError "Can't delete the CA directories\n %s" \
$INFOTEXT "Creating %s" $CATOP
ExecuteAsAdmin $MKDIR $CATOP
if [ $? != 0 ]; then
PrintError "mkdir failed (%s)" $CATOP
$INFOTEXT "Creating %s" $CALOCALTOP
Execute $MKDIR -p $CALOCALTOP
if [ $? != 0 ]; then
PrintError "mkdir failed (%s)" $CALOCALTOP
if [ $ADMINUSER != default -a $rootinstalls = true ]; then
ExecChown $ADMINUSER $CALOCALTOP
if [ $? != 0 ]; then
PrintError "chown to %s failed (%s)" $ADMINUSER $CALOCALTOP
$INFOTEXT "Creating %s" ${CATOP}/certs
ExecuteAsAdmin $MKDIR ${CATOP}/certs
if [ $? != 0 ]; then
PrintError "mkdir failed (%s)" ${CATOP}/certs
$INFOTEXT "Creating %s" ${CATOP}/crl
$INFOTEXT -log "Creating %s" ${CATOP}/crl
ExecuteAsAdmin $MKDIR ${CATOP}/crl
if [ $? != 0 ]; then
PrintError "mkdir failed (%s)" ${CATOP}/crl
$INFOTEXT "Creating %s" ${CATOP}/newcerts
$INFOTEXT -log "Creating %s" ${CATOP}/newcerts
ExecuteAsAdmin $MKDIR ${CATOP}/newcerts
if [ $? != 0 ]; then
PrintError "mkdir failed (%s)" ${CATOP}/newcerts
$INFOTEXT "Creating %s" ${CATOP}/serial
$INFOTEXT -log "Creating %s" ${CATOP}/serial
# TruncCreateAndMakeWriteable ${CATOP}/serial
ExecuteAsAdmin $TOUCH ${CATOP}/serial
ExecuteAsAdmin $CHMOD 666 ${CATOP}/serial
if [ $? != 0 ]; then
PrintError "Could not touch file as %s (%s)" $ADMINUSER ${CATOP}/serial
echo 01 > ${CATOP}/serial
ExecuteAsAdmin $CHMOD 644 ${CATOP}/serial
if [ $? != 0 ]; then
PrintError "chmod failed (%s)" ${CATOP}/serial
$INFOTEXT "Creating %s" ${CATOP}/index.txt
$INFOTEXT -log "Creating %s" ${CATOP}/index.txt
ExecuteAsAdmin $TOUCH ${CATOP}/index.txt
if [ $? != 0 ]; then
PrintError "Could not touch file as %s (%s)" $ADMINUSER ${CATOP}/index.txt
$INFOTEXT "Creating %s" ${CATOP}/usercerts
$INFOTEXT -log "Creating %s" ${CATOP}/usercerts
ExecuteAsAdmin $MKDIR -m 755 -p ${CATOP}/usercerts
if [ $? != 0 ]; then
PrintError "mkdir failed (%s)" ${CATOP}/usercerts
$INFOTEXT "Creating %s" ${CALOCALTOP}/userkeys
$INFOTEXT -log "Creating %s" ${CALOCALTOP}/userkeys
ExecuteAsAdmin $MKDIR ${CALOCALTOP}/userkeys
if [ $? != 0 ]; then
PrintError "mkdir failed (%s)" ${CALOCALTOP}/userkeys
if [ $SGE_CNF = false ]; then
# haithabu stores the daemon certificates in a separate
$INFOTEXT "Creating %s" ${CALOCALTOP}/daemons
$INFOTEXT -log "Creating %s" ${CALOCALTOP}/daemons
ExecuteAsAdmin $MKDIR ${CALOCALTOP}/daemons
if [ $? != 0 ]; then
PrintError "mkdir failed (%s)" ${CATOP}/daemons
$INFOTEXT "Creating %s" ${CALOCALTOP}/private
$INFOTEXT -log "Creating %s" ${CALOCALTOP}/private
ExecuteAsAdmin $MKDIR ${CALOCALTOP}/private
if [ $? != 0 ]; then
PrintError "mkdir failed (%s)" ${CATOP}/private
$INFOTEXT -wait -auto $AUTO -n "\nHit <RETURN> to continue >> "
#--------------------------------------------------------------------------
# sources the sge_ca.cnf file, if the -nosge option is not set
while [ $# -gt 0 ]; do
if [ "$1" = "-nosge" ]; then
if [ "$read_it" = "true" ]; then
if [ -f $ROOT_PATH/util/sgeCA/sge_ca.cnf ]; then
. $ROOT_PATH/util/sgeCA/sge_ca.cnf
#--------------------------------------------------------------------------
# THE MAIN PROCEDURE
#--------------------------------------------------------------------------
ROOT_PATH=`dirname $0`/../..
ROOT_PATH=`cd $ROOT_PATH; pwd`
CONFIG_DIR=$ROOT_PATH/util/sgeCA
ARCHSCRIPT=$ROOT_PATH/util/arch
if [ ! -f "$ARCHSCRIPT" ]; then
echo Error: The shell script \"$ARCHSCRIPT\" does not exist.
echo Please verify your setup and restart this script. Exit.
V5UTILBIN=$ROOT_PATH/utilbin/$ARCH # adminrun, infotext, openssl, uidgid
if [ ! -d "$V5UTILBIN" ]; then
echo "Error: The utilbin directory "$V5UTILBIN" does not exist"
echo "Please verify your setup and restart this script. Exit."
if [ ! -d "$ROOT_PATH/lib/$ARCH" ]; then
echo "Error: The lib directory \"$ROOT_PATH/lib/$ARCH\" does not exist"
echo "Please verify your setup and restart this script. Exit."
if [ "$LD_LIBRARY_PATH" = "" ]; then
LD_LIBRARY_PATH=$ROOT_PATH/lib/$ARCH
LD_LIBRARY_PATH="$ROOT_PATH/lib/${ARCH}:${LD_LIBRARY_PATH}"
export LD_LIBRARY_PATH
#---------------------------------------
# setup INFOTEXT begin
#---------------------------------------
# INFOTXT_DUMMY is needed by message parsing script
# which is looking for $INFOTEXT and would report
# errors in the next command. Please use INFOTXT_DUMMY
# instead of using $INFOTEXT
INFOTXT_DUMMY=$V5UTILBIN/infotext
INFOTEXT=$INFOTXT_DUMMY
if [ ! -x $INFOTXT_DUMMY ]; then
echo "Error: Can't find binary \"$INFOTXT_DUMMY\""
echo "Please verify your setup and restart this script. Exit."
# Test the infotext binary
tmp=`$INFOTEXT test 2>&1`
if [ $? -ne 0 ]; then
echo "Error: Execution of $INFOTEXT failed: $tmp"
echo "Please verify your setup and restart this script. Exit."
# From now on we can use PrintError methods to write error messages
SGE_INFOTEXT_MAX_COLUMN=5000; export SGE_INFOTEXT_MAX_COLUMN
#---------------------------------------
# setup INFOTEXT end
#---------------------------------------
# Check whether all needed binaries exist
for i in adminrun openssl uidgid; do
if [ ! -x $V5UTILBIN/$i ]; then
PrintErrorAndExit 1 "Error: Can't find binary \"%s\"" $V5UTILBIN/$i
euid=`$V5UTILBIN/uidgid -euid 2>&1`
if [ $? -ne 0 ]; then
PrintErrorAndExit 1 "Execution of $V5UTILBIN/uidgid failed: $euid"
if [ $euid = 0 ]; then
#--------------------------------------------------------------------------
# SGE specific settings to keep previous behavior
#--------------------------------------------------------------------------
if [ "$ME" = "" ]; then
PrintErrorAndExit 1 "Can't determine your username with \"%s\" command. Exit" whoami
OPENSSL=$V5UTILBIN/openssl
#-----------------------------
# CommandLine Argument Parsing
while [ $ARGC != 0 ]; do
ARGC=`expr $ARGC - 1`
ARGC=`expr $ARGC - 1`
if [ $ARGC -lt 2 ]; then
PrintError "-verify needs argument"
ARGC=`expr $ARGC - 1`
if [ $ARGC -lt 2 ]; then
PrintError "-print needs argument"
ARGC=`expr $ARGC - 1`
WHICH="showCaLocalTop"
if [ $ARGC -lt 2 ]; then
PrintError "-printkey needs argument"
ARGC=`expr $ARGC - 1`
if [ $ARGC -lt 2 ]; then
PrintError "-printcrl needs argument"
ARGC=`expr $ARGC - 1`
if [ $ARGC -lt 2 ]; then
PrintError "-days needs argument"
ARGC=`expr $ARGC - 1`
if [ $ARGC -lt 2 ]; then
PrintError "-outdir needs argument"
ARGC=`expr $ARGC - 1`
if [ $ARGC -lt 2 ]; then
PrintError "-cahost needs argument"
ARGC=`expr $ARGC - 1`
if [ $ARGC -lt 2 ]; then
PrintError "-cadir needs argument"
ARGC=`expr $ARGC - 1`
if [ $ARGC -lt 2 ]; then
PrintError "-calocaltop needs argument"
ARGC=`expr $ARGC - 1`
if [ $ARGC -lt 2 ]; then
PrintError "-catop needs argument"
ARGC=`expr $ARGC - 1`
if [ $ARGC -lt 2 ]; then
PrintError "-pkcs12 needs argument"
ARGC=`expr $ARGC - 1`
if [ $ARGC -lt 2 ]; then
PrintError "-sdm_pkcs12 needs argument"
ARGC=`expr $ARGC - 1`
if [ $ARGC -lt 2 ]; then
PrintError "-sys_pkcs12 needs argument"
ARGC=`expr $ARGC - 1`
if [ $ARGC -lt 2 ]; then
PrintError "-ks needs argument"
ARGC=`expr $ARGC - 1`
if [ $ARGC -lt 2 ]; then
PrintError "-ksout needs argument"
ARGC=`expr $ARGC - 1`
if [ $ARGC -lt 2 ]; then
PrintError "-kspwf needs argument"
ARGC=`expr $ARGC - 1`
if [ $ARGC -lt 2 ]; then
PrintError "-pkcs12pwf needs argument"
ARGC=`expr $ARGC - 1`
if [ $ARGC -lt 2 ]; then
PrintError "-pkcs12dir needs argument"
ARGC=`expr $ARGC - 1`
if [ $ARGC -lt 2 ]; then
PrintError "-usercert needs argument"
ARGC=`expr $ARGC - 1`
if [ $ARGC -lt 2 ]; then
PrintError "-user needs argument"
ARGC=`expr $ARGC - 1`
if [ $ARGC -lt 2 ]; then
PrintError "-sdm_daemon needs argument"
ARGC=`expr $ARGC - 1`
if [ $ARGC -lt 2 ]; then
PrintError "-renew needs argument"
ARGC=`expr $ARGC - 1`
if [ $ARGC -lt 2 ]; then
PrintError "-renew_sdm needs argument"
ARGC=`expr $ARGC - 1`
PrintError "Unknown option %s" "$1"
ARGC=`expr $ARGC - 1`
if [ "$WHICH" = "undef" ]; then
#echo "ADMINUSER: $ADMINUSER"
#echo "CATOP: $CATOP"
#echo "CALOCALTOP: $CALOCALTOP"
#echo "CAHOST: $CAHOST"
if [ "$CATOP" = "" ]; then
ErrUsage "catop not set"
if [ "$CALOCALTOP" = "" ]; then
ErrUsage "calocaltop not set"
if [ "$ADMINUSER" = "" ]; then
ErrUsage "adminuser not set"
if [ "$CAHOST" = "" ]; then
ErrUsage "cahost not set"
export ADMINUSER CATOP CALOCALTOP CAHOST
REQ="$OPENSSL req $nodes"
CA="$OPENSSL ca $md -keyfile $CALOCALTOP/private/$CAKEY -cert $CATOP/$CACERT \
-outdir $CATOP/newcerts"
VERIFY="$OPENSSL verify"
X509="$OPENSSL x509"
X509KEY="$OPENSSL rsa"
X509CRL="$OPENSSL crl"
P12="$OPENSSL pkcs12"
MakeUserCerts $userfile
MakeUserCert user "$user"
if [ $? != 0 ]; then
MakeUserCert sdm_daemon $user
if [ $? != 0 ]; then
PrintX509 cert $newcert
PrintX509 key $newcert
PrintX509 crl $newcert
RenewCert user $user
if [ $? != 0 ]; then
RenewCert sdm_daemon $user
if [ $? != 0 ]; then
RenewCert daemon $ADMINUSER
if [ $? != 0 ]; then
if [ $? != 0 ]; then
MakePKCS12 user $user
if [ $? != 0 ]; then
MakeKeystore user $user
if [ $? != 0 ]; then
MakePKCS12 sdm_daemon $user
if [ $? != 0 ]; then
MakePKCS12 sge_daemon $user
if [ $? != 0 ]; then