# IBM(c) 2007 EPL license http://www.eclipse.org/legal/epl-v10.html
# set up credentials for user to be able to run xCAT commands
# Must be run by root
# Interface
# setup-local-client.sh - setup root credentials
# setup-local-client.sh user1 - set up user1 credentials and store in
# $HOME/.xcat
# setup-local-client.sh user2 /tmp/user2 - setup user2 credentials and
# store in /tmp/user2/.xcat. Must later be copied to
# $HOME/.xcat for user2. Used when root cannot write to
# the home directory of user2 (e.g when mounted).
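# Everything this script creates (private key, CSR, certificate bundle) is
# private to the target user: nothing may be group- or world-readable unless
# it is explicitly opened up at the very end (ca.pem and the directory itself).
umask 0077

# Writing into the CA directory, signing with the CA key and chowning the
# result to another user all need root; fail early instead of half-finishing.
if [ "$(id -u)" -ne 0 ]; then
    echo "setup-local-client.sh must be run by root" >&2
    exit 1
fi

if [ -z "$XCATDIR" ]; then
    XCATDIR=/etc/xcat
fi
XCATCADIR=$XCATDIR/ca

if [ ! -d "$XCATCADIR" ] || [ ! -f "$XCATCADIR/openssl.cnf" ]; then
    echo "xCAT CA directory $XCATCADIR is missing or incomplete" >&2
    exit 1
fi

# No user given: set up credentials for the invoking user (normally root).
if [ -z "$1" ]; then
    set -- "$(whoami)"
fi
# The user name becomes the CN of the client certificate.
CNA=$1

# If no directory is supplied, use the user's home directory.
if [ -z "$2" ]; then
    if [ -x /usr/bin/getent ]; then
        USERHOME=$(getent passwd "$1" | awk -F: '{print $6}')
    else
        # getent doesn't exist on AIX.  Compare the login field exactly so
        # "user1" cannot pick up the line of "user10", and so $1 is never
        # interpreted as a regular expression.
        USERHOME=$(awk -F: -v u="$1" '$1 == u { print $6; exit }' /etc/passwd)
    fi
else
    USERHOME=$2
fi

# An empty USERHOME would make every path below land in "/.xcat",
# including the "rm -rf" of a pre-existing directory.
if [ -z "$USERHOME" ]; then
    echo "Cannot determine the home directory of user $1" >&2
    exit 1
fi
XCATUSERDIR=$USERHOME/.xcat

if [ -e "$XCATUSERDIR" ]; then
    printf '%s' "$XCATUSERDIR already exists, delete and start over (y/n)?"
    read -r ANSWER
    if [ "$ANSWER" != "y" ]; then
        echo "Aborting at user request"
        exit 0
    fi
    rm -rf "$XCATUSERDIR"
fi

# Revoke every certificate still valid for this CN, so the key being replaced
# stops being accepted.  The CA database ("index") is tab-separated:
# status, expiry, revocation date, serial, file name, subject.  Match the
# exact "/CN=<user>" at the end of the subject rather than a substring of the
# whole line -- a plain "grep user1" would also revoke "user10" and "xuser1".
# Only "V" (valid) rows are revoked; revoking an already-revoked serial just
# makes openssl ca error out.
if [ -f "$XCATCADIR/index" ]; then
    index=$(awk -F'\t' -v cn="$CNA" '
        BEGIN { want = "/CN=" cn; n = length(want) }
        $1 == "V" && length($6) >= n && substr($6, length($6) - n + 1) == want { print $4 }
    ' "$XCATCADIR/index")
    for id in $index; do
        openssl ca -startdate 19600101010101Z -config "$XCATCADIR/openssl.cnf" \
            -revoke "$XCATCADIR/certs/$id.pem"
    done
fi

mkdir -p "$XCATUSERDIR" || exit 1

# Fresh 2048-bit RSA key and a request carrying only the user name as CN.
openssl genrsa -out "$XCATUSERDIR/client-key.pem" 2048 || exit 1
openssl req -config "$XCATCADIR/openssl.cnf" -new -key "$XCATUSERDIR/client-key.pem" \
    -out "$XCATUSERDIR/client-req.pem" -extensions usr_cert -subj "/CN=$CNA" || exit 1

# Sign the request with the xCAT CA.  "make sign" is not used: it does not
# work on AIX (apparently a problem with the wildcard in the Makefile), so
# the openssl command is called directly.  The request is copied to the
# fixed name root.csr in the CA directory; a stale root.cert left behind by
# an earlier, failed run is removed first so it can never be handed out as
# this user's certificate.  The 1960 start date backdates notBefore,
# presumably so the certificate verifies on nodes whose clock is behind the
# management node -- confirm before changing it.
cp "$XCATUSERDIR/client-req.pem" "$XCATCADIR/root.csr" || exit 1
rm -f "$XCATCADIR/root.cert"
(
    cd "$XCATCADIR" || exit 1
    openssl ca -startdate 19600101010101Z -config openssl.cnf -in root.csr -out root.cert
)
rm -f "$XCATCADIR/root.csr"
if [ ! -s "$XCATCADIR/root.cert" ]; then
    echo "Signing the certificate for $CNA failed; $XCATUSERDIR is incomplete" >&2
    exit 1
fi

cp "$XCATCADIR/root.cert" "$XCATUSERDIR/client-cert.pem" || exit 1
# Unify certificate and key in one file; the console command at least expects it.
cat "$XCATUSERDIR/client-cert.pem" "$XCATUSERDIR/client-key.pem" > "$XCATUSERDIR/client-cred.pem"
cp "$XCATCADIR/ca-cert.pem" "$XCATUSERDIR/ca.pem" || exit 1

# Hand the directory to the user.  Key material stays 0600 inside 0700
# directories; only the CA certificate (public, not secret) and the top
# directory are opened up, presumably so other processes can read ca.pem.
chown -R "$1" "$XCATUSERDIR"
find "$XCATUSERDIR" -type f -exec chmod 600 {} \;
find "$XCATUSERDIR" -type d -exec chmod 700 {} \;
chmod 644 "$XCATUSERDIR/ca.pem"
chmod 755 "$XCATUSERDIR"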