From 15c641e527a3a4947c3987b7d39ed1a5a84ba26a Mon Sep 17 00:00:00 2001
From: jbjohnso
Date: Wed, 31 Aug 2011 16:07:22 +0000
Subject: [PATCH] -Add a command to get a client certificate. It sets up to authenticate using either privileged port on its IP or validation using LLDP published public key
git-svn-id: https://svn.code.sf.net/p/xcat/code/xcat-core/trunk@10418 8638fb3e-16cb-4fca-ae20-7b5d299a9bcd
---
xCAT-nbroot2/getcert | 42 ++++++++++++++++++++++++++++++++++++++++++
1 file changed, 42 insertions(+)
create mode 100755 xCAT-nbroot2/getcert
diff --git a/xCAT-nbroot2/getcert b/xCAT-nbroot2/getcert
new file mode 100755
index 000000000..8507b9c7a
--- /dev/null
+++ b/xCAT-nbroot2/getcert
@@ -0,0 +1,42 @@
+#!/bin/bash
+allowcred.awk &
+CREDPID=$!
+if [ -z "$XCATDEST" ]; then
+ XCATDEST=$1
+fi
+#retry in case certkey.pem is not right, yet
+while ! openssl req -new -key /etc/xcat/certkey.pem -out /tmp/tls.csr -subj "/CN=`hostname`"; do
+ sleep 1
+done
+echo "
+getcredentials
+x509cert
+300
+" > /tmp/certreq.xml
+cat /tmp/tls.csr >> /tmp/certreq.xml
+echo "
+
+
+" >> /tmp/certreq.xml
+openssl dgst -sha512 -out /tmp/certreq.sha512 -sign /etc/xcat/privkey.pem /tmp/certreq.xml #chain off the switch published key
+openssl enc -e -a -in /tmp/certreq.sha512 > /tmp/certreq.b64sig
+cat /tmp/certreq.xml |while read line; do
+ if [ "$line" = "" ]; then
+ cat /tmp/certreq.b64sig >> /tmp/certreq.xml.new
+ fi
+ echo $line >> /tmp/certreq.xml.new
+done
+mv /tmp/certreq.xml.new /tmp/certreq.xml
+rm /tmp/certreq.b64sig /tmp/certreq.sha512
+cat /tmp/certreq.xml | openssl s_client -connect $XCATDEST -quiet 2> /dev/null > /tmp/certresp.xml
+if grep 'BEGIN CERTIFICATE' /tmp/certresp.xml > /dev/null; then
+ awk '/BEGIN CERTIFICATE/,/END CERTIFICATE/' < /tmp/certresp.xml > /etc/xcat/cert.pem
+ #stop transmitting sysDesc, allowing the public key to age out of validity
+ for iface in `grep '^ e' /var/lib/lldpad/lldpad.conf|awk '{print $1}' `; do
+ lldptool -T -i $iface -V sysDesc enableTx=no
+ done
+fi
+cat /tmp/certreq.xml
+rm /tmp/certreq.xml
+rm /tmp/certresp.xml
+kill $CREDPID
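Review bot: A failed certificate request is indistinguishable from a successful one: at the `openssl s_client` line stderr is discarded, the response is only grepped for 'BEGIN CERTIFICATE', and when it is absent the script still deletes its work files and ends with the status of `kill $CREDPID` (normally 0), so the caller gets no cert, no diagnostic and no failing exit code. Add an error branch to the `if grep` block, e.g. `else echo "getcert: no certificate in response from $XCATDEST" >&2; rc=1; fi`, and finish with `exit "${rc:-0}"`; a `trap 'kill $CREDPID' EXIT` right after `CREDPID=$!` would also keep allowcred.awk from being left running if the script is interrupted inside the unbounded `while ! openssl req` retry loop. The work files are fixed names under /tmp (tls.csr, certreq.xml, certreq.xml.new, certreq.b64sig, certresp.xml); outside a private netboot root a `mktemp -d` directory avoids clobbering and symlink races, and the reassembly loop should use `read -r` and `printf '%s\n' "$line"` instead of the unquoted `echo $line`. Note also that `s_client` runs without `-CAfile`/`-verify_return_error`, so the node does not authenticate the server it hands the CSR to; whether a trust anchor is available at this stage is not visible in the hunk.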