diff --git a/configuration-profiles/dev-3nodes-samehost/shrine_ca_cert_aliases.conf b/configuration-profiles/dev-3nodes-samehost/shrine_ca_cert_aliases.conf
new file mode 100644
index 0000000..1dbe53a
--- /dev/null
+++ b/configuration-profiles/dev-3nodes-samehost/shrine_ca_cert_aliases.conf
@@ -0,0 +1 @@
+caCertAliases = ["shrine-hub-ca"]
\ No newline at end of file
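Review bot: The committed alias list `caCertAliases = ["shrine-hub-ca"]` does not match what the dev generator writes into this same file, which emits one `"shrine-ca-srv$NODE_IDX"` entry per node and first deletes the checked-in copy, so this version is stale the moment the profile is regenerated. Either commit the generated content for dev-3nodes-samehost or leave the file out of the repository and let the generator own it. The file also lacks a trailing newline.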
diff --git a/docker-images/i2b2-web/i2b2-web-writeconfig.sh b/docker-images/i2b2-web/i2b2-web-writeconfig.sh
index 2cddb43..2313472 100644
--- a/docker-images/i2b2-web/i2b2-web-writeconfig.sh
+++ b/docker-images/i2b2-web/i2b2-web-writeconfig.sh
@@ -1,179 +1,179 @@
#!/bin/bash
set -e
# meant to be called by Dockerfile of i2b2-web
# env var used: I2B2_DOMAIN_NAME, LIGHTTPD_WEB_ROOT
cat > "$LIGHTTPD_WEB_ROOT/i2b2-admin/i2b2_config_data.js" <<EOL
{
urlProxy: "index.php",
urlFramework: "js-i2b2/",
lstDomains: [ {
domain: "$I2B2_DOMAIN_NAME",
name: "Domain $I2B2_DOMAIN_NAME",
urlCellPM: "http://i2b2-server:8080/i2b2/services/PMService/",
allowAnalysis: true,
adminOnly: true,
debug: false
} ]
}
EOL
cat > "$LIGHTTPD_WEB_ROOT/i2b2-client/i2b2_config_data.js" <<EOL
{
urlProxy: "index.php",
urlFramework: "js-i2b2/",
lstDomains: [ {
domain: "$I2B2_DOMAIN_NAME",
name: "Domain $I2B2_DOMAIN_NAME",
urlCellPM: "http://i2b2-server:8080/i2b2/services/PMService/",
allowAnalysis: true,
debug: false
} ]
}
EOL
cat > "$LIGHTTPD_WEB_ROOT/index.html" <<EOL
<html><head><title>I2b2-web</title>
<script>
document.addEventListener('click', function(event) {
var target = event.target;
if (target.tagName.toLowerCase() == 'a')
{
var port = target.getAttribute('href').match(/^:(\d+)(.*)/);
if (port)
{
target.href = port[2];
target.port = port[1];
}
}
}, false);
</script>
</head><body>
<div align="center">
<p><a href="/shrine-client">SHRINE client (MedCo)</a></p>
<p><br /><br /></p>
<p><a href="/i2b2-admin">I2b2 admin</a></p>
<p><a href="/i2b2-client">I2b2 client</a></p>
<p><a href="/phppgadmin">PhpPgAdmin</a></p>
<p><a href="/phpmyadmin">PhpMyAdmin</a></p>
<p><a href=":9990">WildFly Management</a></p>
<p><a href=":8080/i2b2">I2b2 Axis2 Management</a></p>
<p><a href=":6443/manager">Tomcat Management</a></p>
<p><a href=":6443/shrine-dashboard">SHRINE Dashboard</a></p>
<p><a href=":6443/steward">SHRINE Data Steward</a></p>
<p><a href="/shrine-webclient-update.php">Pull last MedCo Webclient commits</a></p>
</div>
</body>
</html>
EOL
cat > "$LIGHTTPD_WEB_ROOT/shrine-webclient-update.php" <<EOL
<?php
echo '<html><head><title>Pull last commits?</title></head><body>';
echo '<form><input type="submit" name="btnSubmit" value="Do it" /></form>';
if (isset(\$_GET['btnSubmit']) or isset(\$_POST['btnSubmit'])) {
// all the environment variables used by i2b2-web-writeconfig.sh and shrine-webclient-update.sh must be passed
putenv("LIGHTTPD_WEB_ROOT=$LIGHTTPD_WEB_ROOT");
putenv("SHRINE_SRC_DIR=$SHRINE_SRC_DIR");
putenv("DB_PASSWORD=$DB_PASSWORD");
putenv("I2B2_DOMAIN_NAME=$I2B2_DOMAIN_NAME");
putenv("I2B2_MEDCO_DB_NAME=$I2B2_MEDCO_DB_NAME");
putenv("NODE_IDX=$NODE_IDX");
putenv("CONF_DIR=$CONF_DIR");
\$message=shell_exec("/opt/shrine-webclient-update.sh 2>&1");
echo '<p>';
print_r(\$message);
echo '</p>';
}
echo '</body></html>';
?>
EOL
cat > "$LIGHTTPD_WEB_ROOT/shrine-client/i2b2_config_data.js" <<EOL
{
urlProxy: "index.php",
urlFramework: "js-i2b2/",
loginTimeout: 15, // in seconds
username_label:"MedCo username:",
password_label:"MedCo password:",
lstDomains: [
{
domain: "$I2B2_DOMAIN_NAME",
name: "Domain $I2B2_DOMAIN_NAME",
debug: true,
allowAnalysis: true,
urlCellPM: "http://i2b2-server:8080/i2b2/services/PMService/",
isSHRINE: true
}
]
}
EOL
cat > "$LIGHTTPD_WEB_ROOT/shrine-client/js-i2b2/cells/SHRINE/cell_config_data.js" <<EOL
{
files: [
"SHRINE_ctrl.js",
"i2b2_msgs.js"
],
css: [],
config: {
name: "SHRINE Cell",
description: "SHRINE Cell",
category: ["core","cell","shrine"],
newTopicURL: "/steward/client/index.html",
readApprovedURL:"https://shrine-server:6443/shrine/rest/i2b2/request"
}
}
EOL
cat > "/etc/lighttpd/conf-enabled/10-ssl.conf" <<EOL
\$SERVER["socket"] == "0.0.0.0:443" {
ssl.engine = "enable"
- ssl.ca-file = "$CONF_DIR/cacert.pem"
+ ssl.ca-file = "$CONF_DIR/srv$NODE_IDX-CA/cacert.pem"
ssl.pemfile = "$CONF_DIR/srv$NODE_IDX.pem"
- #todo: names in configuration profiles make more explicit
+ # todo: names in configuration profiles make more explicit
# todo: enable + get ssl only
# strict configuration from https://cipherli.st/
#ssl.honor-cipher-order = "enable"
#ssl.cipher-list = "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH"
#ssl.use-compression = "disable"
#setenv.add-response-header = (
# "Strict-Transport-Security" => "max-age=15724800; includeSubdomains; preload",
# "X-Frame-Options" => "DENY",
# "X-Content-Type-Options" => "nosniff"
#)
#ssl.use-sslv2 = "disable"
#ssl.use-sslv3 = "disable"
# strict configuration from https://raymii.org/s/tutorials/Strong_SSL_Security_On_lighttpd.html
#ssl.dh-file = "/etc/ssl/certs/dhparam.pem"
#ssl.ec-curve = "secp384r1"
}
EOL
# webclients whitelist URLs
sed -i "s/\"http:\/\/localhost\"/\"http:\/\/i2b2-server:8080\"/" "$LIGHTTPD_WEB_ROOT/i2b2-admin/index.php"
sed -i "s/\"http:\/\/localhost\"/\"http:\/\/i2b2-server:8080\"/" "$LIGHTTPD_WEB_ROOT/i2b2-client/index.php"
sed -i "s/\"http:\/\/127.0.0.1\"/\"http:\/\/i2b2-server:8080\"/" "$LIGHTTPD_WEB_ROOT/shrine-client/index.php"
sed -i "s/\"http:\/\/localhost\"/\"https:\/\/shrine-server:6443\"/" "$LIGHTTPD_WEB_ROOT/shrine-client/index.php"
# shrine webclient fixes for integration in php environment
sed -i "s#default.htm#index.html#g" "$LIGHTTPD_WEB_ROOT/shrine-client/index.php"
sed -i '/CURLOPT_SSL_VERIFYPEER/i curl_setopt($proxyRequest, CURLOPT_SSL_VERIFYHOST, FALSE);' "$LIGHTTPD_WEB_ROOT/shrine-client/index.php"
sed -i "s#SHRINE_ONT_DB#$I2B2_MEDCO_DB_NAME#g" "$LIGHTTPD_WEB_ROOT/shrine-client/js-i2b2/cells/plugins/MedCo/php/sqlConnection.php"
sed -i "s#SHRINE_ONT_USER#genomic_annotations#g" "$LIGHTTPD_WEB_ROOT/shrine-client/js-i2b2/cells/plugins/MedCo/php/sqlConnection.php"
sed -i "s#SHRINE_ONT_PW#$DB_PASSWORD#g" "$LIGHTTPD_WEB_ROOT/shrine-client/js-i2b2/cells/plugins/MedCo/php/sqlConnection.php"
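Review bot: The changed `ssl.ca-file` line now depends on `NODE_IDX` as well as `CONF_DIR`, but the header comment still lists only `I2B2_DOMAIN_NAME, LIGHTTPD_WEB_ROOT`, and `set -e` does not catch an unset variable, so an empty NODE_IDX silently produces `srv-CA/cacert.pem` and lighttpd is pointed at a CA file that does not exist. I would update the comment to `# env var used: I2B2_DOMAIN_NAME, LIGHTTPD_WEB_ROOT, CONF_DIR, NODE_IDX, SHRINE_SRC_DIR, DB_PASSWORD, I2B2_MEDCO_DB_NAME` and change `set -e` to `set -eu`, assuming the i2b2-web Dockerfile sets all of them, so the heredocs fail early rather than writing a broken TLS config. The hardening settings directly below the changed line remain entirely commented out, so the per-node CA path is the only thing this hunk changes about the TLS posture.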
diff --git a/docker-images/shrine-server/Dockerfile b/docker-images/shrine-server/Dockerfile
index b0d50b9..be65ee1 100644
--- a/docker-images/shrine-server/Dockerfile
+++ b/docker-images/shrine-server/Dockerfile
@@ -1,97 +1,99 @@
FROM tomcat:8.0-jre8
# pre-existing variables: CATALINA_HOME
ENV SHRINE_VERSION="fork/1.22.8-medco" \
SHRINE_SRC_DIR="/opt/shrine-src" \
SHRINE_ADAPTER_MAPPINGS_URL="https://open.med.harvard.edu/svn/shrine-ontology/SHRINE_Demo_Downloads/trunk/AdapterMappings_i2b2_DemoData.xml" \
SHRINE_MYSQL_JAR_URL="http://central.maven.org/maven2/mysql/mysql-connector-java/5.1.40/mysql-connector-java-5.1.40.jar" \
I2B2_DOMAIN_NAME="medcodeployment" \
CONF_DIR="/opt/medco-configuration" \
ADMIN_PASSWORD="prigen2017" \
DB_PASSWORD="pFjy3EjDVwLfT2rB9xkK"
# system and tomcat prerequisites
RUN apt-get -y update && \
apt-get -y install git maven zip wget unzip openjdk-8-jdk-headless && \
apt-get -y clean && \
- echo "<?xml version='1.0' encoding='utf-8'?><tomcat-users><role rolename=\"manager-gui\" /><user username=\"admin\"" \
- "password=\"$ADMIN_PASSWORD\" roles=\"manager-gui\" /></tomcat-users>" > "$CATALINA_HOME/conf/tomcat-users.xml" && \
+ echo "<?xml version='1.0' encoding='utf-8'?><tomcat-users><role rolename=\"manager-gui\" /><role rolename=\"admin-gui\" />" \
+ "<user username=\"admin\" password=\"$ADMIN_PASSWORD\" roles=\"manager-gui,admin-gui\" /></tomcat-users>" > \
+ "$CATALINA_HOME/conf/tomcat-users.xml" && \
echo 'export CATALINA_OPTS=" -Dakka.daemonic=on "' > "$CATALINA_HOME/bin/setenv.sh" && \
echo '{ "allow_root": true }' > /root/.bowerrc
# download sources
WORKDIR "$SHRINE_SRC_DIR"
RUN git clone https://c4science.ch/source/shrine-medco.git . && \
git checkout $SHRINE_VERSION
# compilation and installation
RUN mvn -e -pl commons/test-commons install -DskipTests && \
mvn -e -N install -DskipTests && \
mvn -e -pl commons/util install -DskipTests && \
mvn -e -pl commons/config install -DskipTests && \
mvn -e -pl commons/data-commons install -DskipTests && \
mvn -e -pl commons/protocol-query install -DskipTests && \
mvn -e -pl commons/protocol install -DskipTests && \
mvn -e -pl tools install -DskipTests && \
mvn -e -pl tools/utility-commons install -DskipTests && \
mvn -e -pl apps/meta-app install -DskipTests && \
mvn -e -pl apps/meta-war install -DskipTests && \
mvn -e -pl commons/crypto install -DskipTests && \
mvn -e -pl commons/client install -DskipTests && \
mvn -e -pl tools/batch-querier install -DskipTests && \
mvn -e -pl commons/auth install -DskipTests && \
mvn -e -pl adapter/adapter-api install -DskipTests && \
mvn -e -pl apps/dashboard-app install -DskipTests && \
mvn -e -pl apps/dashboard-war install -DskipTests && \
mvn -e -pl commons/email install -DskipTests && \
mvn -e -pl apps/steward-app install -DskipTests && \
mvn -e -pl apps/steward-war install -DskipTests && \
mvn -e -pl apps/proxy install -DskipTests && \
mvn -e -pl hms-support install -DskipTests && \
mvn -e -pl hub/broadcaster-aggregator install -DskipTests && \
mvn -e -pl tools/monitor install -DskipTests && \
mvn -e -pl hub/broadcaster-service install -DskipTests && \
mvn -e -pl adapter/adapter-service install -DskipTests && \
mvn -e -pl commons/ont-support install -DskipTests && \
mvn -e -pl tools/mapping-automation install -DskipTests && \
mvn -e -pl install install -DskipTests && \
mvn -e -pl shrine-webclient install -DskipTests && \
mvn -e install -Dmaven.test.skip=true
RUN cp "$SHRINE_SRC_DIR/apps/steward-war/target/steward.war" \
"$SHRINE_SRC_DIR/apps/dashboard-war/target/shrine-dashboard.war" \
"$CATALINA_HOME/webapps/" && \
cp "$SHRINE_SRC_DIR/apps/war/target/shrine-cell.war" "$CATALINA_HOME/webapps/shrine.war" && \
cp "$SHRINE_SRC_DIR/apps/meta-war/target/shrine-metadata.war" "$CATALINA_HOME/webapps/shrine-meta.war"
-# webclient [disabled]
+# webclient [disabled: served by lighttpd]
#RUN cp "$SHRINE_SRC_DIR/apps/proxy/target/shrine-proxy.war" "$CATALINA_HOME/webapps/" && \
# cp -r "$SHRINE_SRC_DIR/shrine-webclient/src/main/html" "$CATALINA_HOME/webapps/shrine-client"
#COPY conf/i2b2_config_data.js "$CATALINA_HOME/webapps/shrine-client/"
#COPY conf/cell_config_data.js "$CATALINA_HOME/webapps/shrine-client/js-i2b2/cells/SHRINE/"
#RUN sed -i "s/SHRINE_WEBCLIENT_DOMAIN/$I2B2_DOMAIN_NAME/g" "$CATALINA_HOME/webapps/shrine-client/i2b2_config_data.js" && \
# sed -i "s/SHRINE_WEBCLIENT_NAME/Domain $I2B2_DOMAIN_NAME/g" "$CATALINA_HOME/webapps/shrine-client/i2b2_config_data.js"
# configuration
COPY conf/shrine.conf "$CATALINA_HOME/lib/"
COPY conf/server.xml conf/context.xml "$CATALINA_HOME/conf/"
RUN wget "$SHRINE_MYSQL_JAR_URL" -P "$CATALINA_HOME/lib/" && \
wget "$SHRINE_ADAPTER_MAPPINGS_URL" -O "$CATALINA_HOME/lib/AdapterMappings.xml" && \
sed -i "s#SHRINE_DOWNSTREAM_NODES_FILE_PATH#$CONF_DIR/shrine_downstream_nodes.conf#g" "$CATALINA_HOME/lib/shrine.conf" && \
+ sed -i "s#SHRINE_CA_CERT_ALIASES_FILE_PATH#$CONF_DIR/shrine_ca_cert_aliases.conf#g" "$CATALINA_HOME/lib/shrine.conf" && \
sed -i "s/SHRINE_KEYSTORE_PASSWORD/$ADMIN_PASSWORD/g" "$CATALINA_HOME/conf/server.xml" && \
sed -i "s/SHRINE_DB_PASSWORD/$DB_PASSWORD/g" "$CATALINA_HOME/conf/context.xml"
# configuration bis (dependent on the arguments)
ARG SHRINE_DEBUG_LEVEL_ARG="INFO"
ARG NODE_IDX_ARG="0"
ENV SHRINE_DEBUG_LEVEL="$SHRINE_DEBUG_LEVEL_ARG" \
NODE_IDX="$NODE_IDX_ARG"
RUN sed -i "s/SHRINE_KEYSTORE_PRIVATE_KEY_ALIAS/srv$NODE_IDX-private/g" "$CATALINA_HOME/conf/server.xml" && \
sed -i "s#SHRINE_KEYSTORE_FILE_PATH#$CONF_DIR/srv$NODE_IDX.keystore#g" "$CATALINA_HOME/conf/server.xml" && \
sed -i "s#FINE#$SHRINE_DEBUG_LEVEL#g" "$CATALINA_HOME/conf/logging.properties" && \
sed -i "s#INFO#$SHRINE_DEBUG_LEVEL#g" "$CATALINA_HOME/conf/logging.properties"
EXPOSE 6060 6443
VOLUME $CONF_DIR
WORKDIR $CONF_DIR
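Review bot: The rewritten tomcat-users line grants the `admin` user `admin-gui` in addition to `manager-gui`, while its password still comes from the `ADMIN_PASSWORD` ENV declared earlier in the file, which persists in the image metadata and layer history; the commit widens the privileges of an account whose credential is a build-time literal. Prefer writing `tomcat-users.xml` at container start from a runtime-mounted secret, and keep `admin-gui` off unless the deployment actually uses the host-manager application. The echoed XML does not escape the value, so a password containing `"` or `&` yields malformed XML; a comment such as `# ADMIN_PASSWORD must not contain XML-special characters` would make that constraint visible. The added `SHRINE_CA_CERT_ALIASES_FILE_PATH` sed mirrors the downstream-nodes one and looks consistent.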
diff --git a/docker-images/shrine-server/conf/shrine.conf b/docker-images/shrine-server/conf/shrine.conf
index 7fcf151..3620ff5 100644
--- a/docker-images/shrine-server/conf/shrine.conf
+++ b/docker-images/shrine-server/conf/shrine.conf
@@ -1,198 +1,199 @@
shrine {
pmEndpoint {
url = "http://i2b2-server:8080/i2b2/services/PMService/getServices"
timeout {
seconds = 10
}
}
ontEndpoint {
url = "http://i2b2-server:8080/i2b2/services/OntologyService/"
}
hiveCredentials {
domain = ${I2B2_DOMAIN_NAME}
username = "medcoservice"
password = ${DB_PASSWORD}
crcProjectId = "MedCo"
ontProjectId = "MedCo-SHRINE"
}
queryEntryPoint {
create = true
includeAggregateResults = false
maxQueryWaitTime {
minutes = 5
}
trustModelIsHub = true
attachSigningCert = true
authenticationType = "pm"
#authorizationType = "shrine-steward"
authorizationType = "none"
shrineSteward {
qepUserName = "medcoservice" // name of user the steward will submit queries as
qepPassword = ${DB_PASSWORD}
stewardBaseUrl = "https://shrine-server:6443" // typically hostname+port of Tomcat server running steward.war
}
}
hub {
create = true
shouldQuerySelf = false
maxQueryWaitTime {
minutes = 4.5
}
downstreamNodes {
include file("SHRINE_DOWNSTREAM_NODES_FILE_PATH")
}
}
adapter {
crcEndpoint {
url = "http://i2b2-server:8080/i2b2/services/MedCoQueryService/"
}
setSizeObfuscation = false
adapterMappingsFileName = "AdapterMappings.xml"
# lockout disabled
adapterLockoutAttemptsThreshold = 0
maxSignatureAge {
minutes = 5
}
//obfuscation {
//binSize = 5 //by default. Round to the nearest binSize. Use 1 for no effect (to match SHRINE 1.21 and earlier).
//sigma = 6.5 //by default. Noise to inject. Use 0 for no effect. (Use 1.33 to match SHRINE 1.21 and earlier).
//clamp = 10 //by default. Maximum ammount of noise to inject. (Use 3 to match SHRINE 1.21 and earlier).
//}
// disabled
botDefense {
countsAndMilliseconds = [ //to turn off, use an empty json list
// {count = 10, milliseconds = 60000}, //allow up to 10 queries in one minute by default
// {count = 200, milliseconds = 36000000} //allow up to 200 queries in 10 hours by default
]
}
}
networkStatusQuery = "\\\\ENCRYPTED_KEY\\TESTKEY\\"
humanReadableNodeName = Hospital ${NODE_IDX}
shrineDatabaseType = "mysql"
keystore {
file = ${CONF_DIR}/srv${NODE_IDX}.keystore
password = ${ADMIN_PASSWORD}
privateKeyAlias = srv${NODE_IDX}-private
keyStoreType = "JKS"
- caCertAliases = ["shrine-hub-ca"]
+ include file("SHRINE_CA_CERT_ALIASES_FILE_PATH")
+ #caCertAliases = ["shrine-hub-ca"]
// maps site alias (from downstream nodes) to the keystore alias
#aliasMap = {
# include file("SHRINE_ALIAS_MAP_FILE_PATH")
#}
}
breakdownResultOutputTypes {
PATIENT_AGE_COUNT_XML {
description = "Age patient breakdown"
}
PATIENT_RACE_COUNT_XML {
description = "Race patient breakdown"
}
PATIENT_VITALSTATUS_COUNT_XML {
description = "Vital Status patient breakdown"
}
PATIENT_GENDER_COUNT_XML {
description = "Gender patient breakdown"
}
}
steward {
//Can be Pending, Approved, or TopcisIgnoredJustLog
//Pending - new topics start in the Pending state; researchers must wait for the Steward to approve them
//Approved - new topics start in the Approved state; researchers can use them immediately
//TopicsIgnoredJustLog - all queries are logged and approved; researchers don't need to create topics
createTopicsMode = Approved
database {
dataSourceFrom = "JNDI" // Can be JNDI or testDataSource. Use testDataSource for tests, JNDI everywhere else
jndiDataSourceName = "java:comp/env/jdbc/stewardDB" //leave out for tests
slickProfileClassName = "slick.driver.MySQLDriver$" // Can be scala.slick.driver.H2Driver$
// scala.slick.driver.MySQLDriver$
// scala.slick.driver.PostgresDriver$
// scala.slick.driver.SQLServerDriver$
// scala.slick.driver.JdbcDriver$
// com.typesafe.slick.driver.oracle.OracleDriver$
//
// (Yes, with the $ on the end)
// Note that SQLServerDriver and OracleDriver are not included with
// Slick by default. Either use JdbcDriver, or experiment with the
// closed-source package at:
// http://slick.typesafe.com/doc/2.1.0/extensions.html
}
emailDataSteward {
sendAuditEmails = false
// todo: fill if emails necessary
}
}
authenticate {
usersource {
domain = ${I2B2_DOMAIN_NAME}
}
}
problem {
problemHandler = "net.shrine.problem.LogAndDatabaseProblemHandler$"
}
dashboard {
gruntWatch = false //false for production, true for mvn tomcat7:run . Allows the client javascript and html files to be loaded via gruntWatch .
happyBaseUrl = "https://shrine-server:6443/shrine/rest/happy"
statusBaseUrl = "https://shrine-server:6443/shrine/rest/internalstatus"
database {
dataSourceFrom = "JNDI" //Can be JNDI or testDataSource . Use testDataSource for tests, JNDI everywhere else
jndiDataSourceName = "java:comp/env/jdbc/problemDB" //or leave out for tests
slickProfileClassName = "slick.driver.MySQLDriver$" // Can be
// slick.driver.H2Driver$
// slick.driver.MySQLDriver$
// slick.driver.PostgresDriver$
// slick.driver.SQLServerDriver$
// slick.driver.JdbcDriver$
// freeslick.OracleProfile$
// freeslick.MSSQLServerProfile$
//
// (Yes, with the $ on the end)
createTablesOnStart = false //for testing with H2 in memory, when not running unit tests. Set to false normally
}
}
metaData {
// todo: put appropriate info
siteAdminsContactInfo = ["admin1@example.com", "admin2@example.com"]
dataStewardContactInfo = "data.steward@example.com"
}
email {
// todo: fill if emails necessary
}
status {
permittedHostOfOrigin = "shrine-server"
}
}
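Review bot: `include file("SHRINE_CA_CERT_ALIASES_FILE_PATH")` in the `keystore` block is silently ignored by HOCON when the referenced file is missing, so a profile without `shrine_ca_cert_aliases.conf`, or an unreplaced placeholder, leaves `caCertAliases` undefined instead of failing at startup; the old hard-coded list could not disappear this way. If the bundled Typesafe Config is 1.3.0 or newer, use the required form, `include required(file("SHRINE_CA_CERT_ALIASES_FILE_PATH"))`, so a missing trust list is a hard error; the `downstreamNodes` include earlier in the file has the same property. The commented-out `#caCertAliases = ["shrine-hub-ca"]` left beneath the include is archaeology; replace it with a comment stating that the list is generated by the config-generation tool.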
diff --git a/resources/config-generation-tool/.gitignore b/resources/config-generation-tool/.gitignore
deleted file mode 100644
index 6016694..0000000
--- a/resources/config-generation-tool/.gitignore
+++ /dev/null
@@ -1,2 +0,0 @@
-# ignore completely the CA folder to "freeze" it
-CA/
diff --git a/resources/config-generation-tool/CA.sh b/resources/config-generation-tool/CA.sh
index 729edb6..0945fe7 100755
--- a/resources/config-generation-tool/CA.sh
+++ b/resources/config-generation-tool/CA.sh
@@ -1,201 +1,201 @@
#!/bin/sh
#
# CA - wrapper around ca to make it easier to use ... basically ca requires
# some setup stuff to be done before you can use it and this makes
# things easier between now and when Eric is convinced to fix it :-)
#
# CA -newca ... will setup the right stuff
# CA -newreq ... will generate a certificate request
# CA -sign ... will sign the generated request and output
#
# At the end of that grab newreq.pem and newcert.pem (one has the key
# and the other the certificate) and cat them together and that is what
# you want/need ... I'll make even this a little cleaner later.
#
#
# 12-Jan-96 tjh Added more things ... including CA -signcert which
# converts a certificate to a request and then signs it.
# 10-Jan-96 eay Fixed a few more bugs and added the SSLEAY_CONFIG
# environment variable so this can be driven from
# a script.
# 25-Jul-96 eay Cleaned up filenames some more.
# 11-Jun-96 eay Fixed a few filename missmatches.
# 03-May-96 eay Modified to use 'ssleay cmd' instead of 'cmd'.
# 18-Apr-96 tjh Original hacking
#
# Tim Hudson
# tjh@cryptsoft.com
#
# default openssl.cnf file has setup as per the following
# demoCA ... where everything is stored
cp_pem() {
infile=$1
outfile=$2
bound=$3
flag=0
exec <$infile;
while read line; do
if [ $flag -eq 1 ]; then
echo $line|grep "^-----END.*$bound" 2>/dev/null 1>/dev/null
if [ $? -eq 0 ] ; then
echo $line >>$outfile
break
else
echo $line >>$outfile
fi
fi
echo $line|grep "^-----BEGIN.*$bound" 2>/dev/null 1>/dev/null
if [ $? -eq 0 ]; then
echo $line >$outfile
flag=1
fi
done
}
usage() {
echo "usage: $0 -newcert|-newreq|-newreq-nodes|-newca|-sign|-verify" >&2
}
PARENT_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
if [ -z "$OPENSSL" ]; then OPENSSL=openssl; fi
if [ -z "$DAYS" ] ; then DAYS="-days 365" ; fi # 1 year
CADAYS="-days 1095" # 3 years
SSLEAY_CONFIG="$SSLEAY_CONFIG -config $PARENT_DIR/openssl.cnf"
REQ="$OPENSSL req $SSLEAY_CONFIG"
CA="$OPENSSL ca $SSLEAY_CONFIG"
VERIFY="$OPENSSL verify"
X509="$OPENSSL x509"
PKCS12="openssl pkcs12"
if [ -z "$CATOP" ] ; then CATOP="$PARENT_DIR"/CA ; fi
CAKEY=./cakey.pem
CAREQ=./careq.pem
CACERT=./cacert.pem
RET=0
while [ "$1" != "" ] ; do
case $1 in
-\?|-h|-help)
usage
exit 0
;;
-newcert)
# create a certificate
$REQ -new -x509 -keyout newkey.pem -out newcert.pem $DAYS
RET=$?
echo "Certificate is in newcert.pem, private key is in newkey.pem"
;;
-newreq)
# create a certificate request
$REQ -new -keyout newkey.pem -out newreq.pem $DAYS
RET=$?
echo "Request is in newreq.pem, private key is in newkey.pem"
;;
-newreq-nodes)
# create a certificate request
$REQ -new -nodes -keyout newreq.pem -out newreq.pem $DAYS
RET=$?
echo "Request (and private key) is in newreq.pem"
;;
-newca)
# if explicitly asked for or it doesn't exist then setup the directory
# structure that Eric likes to manage things
NEW="1"
if [ "$NEW" -o ! -f ${CATOP}/serial ]; then
# create the directory hierarchy
mkdir -p ${CATOP}
mkdir -p ${CATOP}/certs
mkdir -p ${CATOP}/crl
mkdir -p ${CATOP}/newcerts
mkdir -p ${CATOP}/private
touch ${CATOP}/index.txt
fi
if [ ! -f ${CATOP}/private/$CAKEY ]; then
echo "CA certificate filename (or enter to create)"
read FILE
# ask user for existing CA certificate
if [ "$FILE" ]; then
cp_pem $FILE ${CATOP}/private/$CAKEY PRIVATE
cp_pem $FILE ${CATOP}/$CACERT CERTIFICATE
RET=$?
if [ ! -f "${CATOP}/serial" ]; then
$X509 -in ${CATOP}/$CACERT -noout -next_serial \
-out ${CATOP}/serial
fi
else
echo "Making CA certificate ..."
$REQ -new -keyout ${CATOP}/private/$CAKEY \
-out ${CATOP}/$CAREQ
$CA -create_serial -out ${CATOP}/$CACERT $CADAYS -batch \
-keyfile ${CATOP}/private/$CAKEY -selfsign \
-extensions v3_ca \
-infiles ${CATOP}/$CAREQ
RET=$?
fi
fi
;;
-xsign)
$CA -policy policy_anything -infiles newreq.pem
RET=$?
;;
-pkcs12)
if [ -z "$2" ] ; then
CNAME="My Certificate"
else
CNAME="$2"
fi
$PKCS12 -in newcert.pem -inkey newreq.pem -certfile ${CATOP}/$CACERT \
-out newcert.p12 -export -name "$CNAME"
RET=$?
exit $RET
;;
-sign|-signreq)
- $CA -policy policy_anything -out newcert.pem -infiles newreq.pem
+ $CA -policy policy_anything -out "$PARENT_DIR"/newcert.pem -infiles "$PARENT_DIR"/newreq.pem
RET=$?
- cat newcert.pem
+ cat "$PARENT_DIR"/newcert.pem
echo "Signed certificate is in newcert.pem"
;;
-signCA)
$CA -policy policy_anything -out newcert.pem -extensions v3_ca -infiles newreq.pem
RET=$?
echo "Signed CA certificate is in newcert.pem"
;;
-signcert)
echo "Cert passphrase will be requested twice - bug?"
$X509 -x509toreq -in newreq.pem -signkey newreq.pem -out tmp.pem
$CA -policy policy_anything -out newcert.pem -infiles tmp.pem
RET=$?
cat newcert.pem
echo "Signed certificate is in newcert.pem"
;;
-verify)
shift
if [ -z "$1" ]; then
$VERIFY -CAfile $CATOP/$CACERT newcert.pem
RET=$?
else
for j
do
$VERIFY -CAfile $CATOP/$CACERT $j
if [ $? != 0 ]; then
RET=$?
fi
done
fi
exit $RET
;;
*)
echo "Unknown arg $i" >&2
usage
exit 1
;;
esac
shift
done
exit $RET
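Review bot: Only the `-sign` branch was moved to `"$PARENT_DIR"`; `-xsign`, `-signCA` and `-signcert` still read `newreq.pem` and write `newcert.pem` relative to the current directory, and the message right after the changed `cat` still says `echo "Signed certificate is in newcert.pem"` although the file is now elsewhere — make it `echo "Signed certificate is in $PARENT_DIR/newcert.pem"` and apply the same path treatment to the sibling branches. `PARENT_DIR` is computed from `${BASH_SOURCE[0]}` while the shebang is `#!/bin/sh`, so on systems where `/bin/sh` is not bash the script fails with a bad substitution before reaching the changed lines; switching the shebang to `#!/bin/bash` or falling back to `$0` would remove that dependency.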
diff --git a/resources/config-generation-tool/README.md b/resources/config-generation-tool/README.md
new file mode 100644
index 0000000..5dd8cb0
--- /dev/null
+++ b/resources/config-generation-tool/README.md
@@ -0,0 +1,4 @@
+# Configuration generation tool for MedCo deployment
+
+TODO: what is generated, how to use, CA is dev, how to gen CA,
+--> go in medco-documentation
\ No newline at end of file
diff --git a/resources/config-generation-tool/generate-configuration-profile.sh b/resources/config-generation-tool/generate-dev-configuration-profile.sh
similarity index 71%
rename from resources/config-generation-tool/generate-configuration-profile.sh
rename to resources/config-generation-tool/generate-dev-configuration-profile.sh
index 561a7e1..62cd356 100644
--- a/resources/config-generation-tool/generate-configuration-profile.sh
+++ b/resources/config-generation-tool/generate-dev-configuration-profile.sh
@@ -1,106 +1,108 @@
#!/bin/bash
set -e
shopt -s nullglob
# dependencies: openssl, keytool (java), docker
-# usage: bash generate-configuration-profile.sh CONFIGURATION_PROFILE KEYSTORE_PASSWORD NODE_DNS_1 NODE_IP_1 NODE_DNS_2 NODE_IP_2 NODE_DNS_3 NODE_IP_3 ...
+# usage: bash generate-dev-configuration-profile.sh CONFIGURATION_PROFILE KEYSTORE_PASSWORD NODE_DNS_1 NODE_IP_1 NODE_DNS_2 NODE_IP_2 NODE_DNS_3 NODE_IP_3 ...
if [ $# -lt 5 ]
then
- echo "Wrong number of arguments, usage: bash generate-configuration-profile.sh CONFIGURATION_PROFILE KEYSTORE_PASSWORD NODE_DNS_1 NODE_IP_1 NODE_DNS_2 NODE_IP_2 NODE_DNS_3 NODE_IP_3 ..."
+ echo "Wrong number of arguments, usage: bash generate-dev-configuration-profile.sh CONFIGURATION_PROFILE KEYSTORE_PASSWORD NODE_DNS_1 NODE_IP_1 NODE_DNS_2 NODE_IP_2 NODE_DNS_3 NODE_IP_3 ..."
exit
fi
echo "### Dependencies check, script will abort if dependency if not found"
which openssl keytool docker
# variables & arguments
SCRIPT_FOLDER="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
CONF_PROFILE="$1"
COMPOSE_FOLDER="$SCRIPT_FOLDER/../../compose-profiles/$CONF_PROFILE"
CONF_FOLDER="$SCRIPT_FOLDER/../../configuration-profiles/$CONF_PROFILE"
KEYSTORE_PW="$2"
shift
shift
# clean up previous entries
-mkdir -p "$CONF_FOLDER"
-mkdir -p "$COMPOSE_FOLDER"
-rm -f "$CONF_FOLDER"/*.keystore "$CONF_FOLDER"/shrine_downstream_nodes.conf "$CONF_FOLDER"/*.pem "$CONF_FOLDER"/*.toml "$CONF_FOLDER"/unlynxMedCo
-
-# set up common things
-echo "### Setting up certificate authority"
-"$SCRIPT_FOLDER"/CA.sh -newca
-cp "$SCRIPT_FOLDER"/CA/cacert.pem "$CONF_FOLDER"/
+mkdir -p "$CONF_FOLDER" "$COMPOSE_FOLDER"
+rm -f "$CONF_FOLDER"/*.keystore "$CONF_FOLDER"/shrine_ca_cert_aliases.conf "$CONF_FOLDER"/shrine_downstream_nodes.conf \
+ "$CONF_FOLDER"/*.pem "$CONF_FOLDER"/*.toml "$CONF_FOLDER"/unlynxMedCo
+rm -rf "$CONF_FOLDER"/srv*-CA
+echo -n "caCertAliases = [" >> "$CONF_FOLDER/shrine_ca_cert_aliases.conf"
echo "### Producing Unlynx binary with Docker"
docker build -t lca1/unlynx:medco-deployment "$SCRIPT_FOLDER"/../../docker-images/unlynx/
docker run -v "$CONF_FOLDER":/opt/medco-configuration --entrypoint sh lca1/unlynx:medco-deployment /copy-unlynx-binary.sh
# generate configuration for each node
NODE_IDX="-1"
while [ $# -gt 0 ]
do
NODE_DNS="$1"
NODE_IP="$2"
shift
shift
NODE_IDX=$((NODE_IDX+1))
KEYSTORE="$CONF_FOLDER/srv$NODE_IDX.keystore"
KEYSTORE_PRIVATE_ALIAS="srv$NODE_IDX-private"
+ echo "### Setting up certificate authority and import it in keystore"
+ CATOP="$CONF_FOLDER/srv$NODE_IDX-CA" "$SCRIPT_FOLDER"/CA.sh -newca
+ echo -n "\"shrine-ca-srv$NODE_IDX\", " >> "$CONF_FOLDER/shrine_ca_cert_aliases.conf"
+ keytool -noprompt -import -v -alias "shrine-ca-srv$NODE_IDX" -file "$CONF_FOLDER/srv$NODE_IDX-CA/cacert.pem" -keystore "$KEYSTORE" -storepass "$KEYSTORE_PW"
+
echo "###$NODE_IDX### Generating java keystore pair of keys"
keytool -genkeypair -keysize 2048 -alias "$KEYSTORE_PRIVATE_ALIAS" -validity 7300 \
-dname "CN=$NODE_DNS, OU=LCA1, O=EPFL, L=Lausanne, S=VD, C=CH" \
-ext "SAN=DNS:$NODE_DNS,IP:$NODE_IP" \
-keyalg RSA -keypass "$KEYSTORE_PW" -storepass "$KEYSTORE_PW" -keystore "$KEYSTORE"
echo "###$NODE_IDX### Generating certificate signature request"
keytool -certreq -alias "$KEYSTORE_PRIVATE_ALIAS" -keyalg RSA -file "$SCRIPT_FOLDER/newreq.pem" -keypass "$KEYSTORE_PW" \
-storepass "$KEYSTORE_PW" -keystore "$KEYSTORE" -ext "SAN=DNS:$NODE_DNS,IP:$NODE_IP"
cat > "$SCRIPT_FOLDER/openssl.ext.tmp.cnf" <<EOL
basicConstraints=CA:FALSE
subjectAltName=@alt_names
subjectKeyIdentifier = hash
[ alt_names ]
IP.1 = $NODE_IP
DNS.1 = $NODE_DNS
EOL
echo "###$NODE_IDX### Signing it with the CA"
- SSLEAY_CONFIG="-extfile $SCRIPT_FOLDER/openssl.ext.tmp.cnf" "$SCRIPT_FOLDER"/CA.sh -sign
+ CATOP="$CONF_FOLDER/srv$NODE_IDX-CA" SSLEAY_CONFIG="-extfile $SCRIPT_FOLDER/openssl.ext.tmp.cnf" "$SCRIPT_FOLDER"/CA.sh -sign
- echo "###$NODE_IDX### Importing in keystore the CA certificate and own certificate signed by CA (chained to the private key)"
- keytool -noprompt -import -v -alias shrine-hub-ca -file "$SCRIPT_FOLDER"/CA/cacert.pem -keystore "$KEYSTORE" -storepass "$KEYSTORE_PW"
+ echo "###$NODE_IDX### Importing in keystore own certificate signed by CA (chained to the private key)"
keytool -noprompt -import -v -alias "$KEYSTORE_PRIVATE_ALIAS" -file "$SCRIPT_FOLDER"/newcert.pem -keystore "$KEYSTORE" -storepass "$KEYSTORE_PW" \
-keypass "$KEYSTORE_PW" -trustcacerts
echo "###$NODE_IDX### Generating pem certificates (lighttpd)"
keytool -noprompt -importkeystore -srckeystore "$KEYSTORE" -srcalias "$KEYSTORE_PRIVATE_ALIAS" -destkeystore "$KEYSTORE".p12 \
-deststoretype PKCS12 -srcstorepass "$KEYSTORE_PW" -deststorepass "$KEYSTORE_PW"
openssl pkcs12 -in "$KEYSTORE".p12 -out "$CONF_FOLDER/srv$NODE_IDX.pem" -password pass:"$KEYSTORE_PW" -nodes
echo "###$NODE_IDX### Adding entry in the downstream nodes config file"
echo "\"Hospital $NODE_IDX\" = \"https://$NODE_DNS:6443/shrine/rest/adapter/requests\"" >> "$CONF_FOLDER/shrine_downstream_nodes.conf"
echo "###$NODE_IDX### Generating unlynx keys"
"$CONF_FOLDER"/unlynxMedCo server setupNonInteractive --serverBinding "$NODE_IP:2000" --description "Unlynx Server $NODE_IDX" \
--privateTomlPath "$CONF_FOLDER/srv$NODE_IDX-private.toml" --publicTomlPath "$CONF_FOLDER/srv$NODE_IDX-public.toml"
echo "###$NODE_IDX### Generating docker-compose file"
TARGET_COMPOSE_FILE="$COMPOSE_FOLDER/docker-compose-srv$NODE_IDX.yml"
cp "$SCRIPT_FOLDER/docker-compose-template.yml" "$TARGET_COMPOSE_FILE"
sed -i "s#_NODE_INDEX_#$NODE_IDX#g" "$TARGET_COMPOSE_FILE"
sed -i "s#_CONF_PROFILE_#$CONF_PROFILE#g" "$TARGET_COMPOSE_FILE"
echo "###$NODE_IDX### Cleaning up"
- rm "$SCRIPT_FOLDER/newreq.pem" "$SCRIPT_FOLDER/openssl.ext.tmp.cnf" "$KEYSTORE".p12 "$SCRIPT_FOLDER"/newcert.pem #"$CONF_1FOLDER/srv$NODE_IDX-private.pem"
+ rm "$SCRIPT_FOLDER/newreq.pem" "$SCRIPT_FOLDER/openssl.ext.tmp.cnf" "$KEYSTORE".p12 "$SCRIPT_FOLDER/newcert.pem"
# keytool -list -v -keystore "$KEYSTORE" -storepass "$KEYSTORE_PW" # list content of keystore (disabled)
done
-echo "### Generating group.toml file"
+echo "### Generating group.toml file and finalizing shrine config file"
cat "$CONF_FOLDER"/srv*-public.toml > "$CONF_FOLDER/group.toml"
+echo "]" >> "$CONF_FOLDER/shrine_ca_cert_aliases.conf"
echo "### Configuration generated!"
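Review bot: The generated `shrine_ca_cert_aliases.conf` lists every node's `shrine-ca-srv$NODE_IDX` alias, but each `keytool -import` adds only that node's own CA certificate to its own `srv$NODE_IDX.keystore`, so every keystore references aliases it does not contain; unless SHRINE tolerates unknown aliases in `caCertAliases` (worth confirming), each node needs the other nodes' `cacert.pem` imported as well, or the list must be per node. The per-node CA directories now live in `configuration-profiles/$CONF_PROFILE/srv$NODE_IDX-CA`, which `CA.sh -newca` populates with `private/cakey.pem`, and this commit both adds a tracked file to that profile directory and deletes the `.gitignore` that froze the old `CA/` folder — add an ignore rule for `srv*-CA/private/` or keep the CA keys outside the profile folder. The list also closes as `"shrine-ca-srvN", ]`; HOCON accepts the trailing comma, but a comment on the closing `echo "]"` saying so would save a reader a double-take.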
diff --git a/resources/config-generation-tool/generate-prod-configuration-profile/step1.sh b/resources/config-generation-tool/generate-prod-configuration-profile/step1.sh
new file mode 100644
index 0000000..8496122
--- /dev/null
+++ b/resources/config-generation-tool/generate-prod-configuration-profile/step1.sh
@@ -0,0 +1,64 @@
+#!/bin/bash
+
+##################################################################
+# MedCo configuration generator: step 1
+# init configuration + generate own CA or import CA certificate
+##################################################################
+
+set -e
+shopt -s nullglob
+
+if [ $# != 4 -a $# != 5 ]
+then
+ echo "Usage:"
+ echo "Generate a certificate authority:"
+ echo " bash step1.sh CONFIGURATION_PROFILE NODE_INDEX KEYSTORE_PASSWORD NODE_DNS"
+ echo "Import a certificate authority certificate (PEM file):"
+ echo " bash step1.sh CONFIGURATION_PROFILE NODE_INDEX KEYSTORE_PASSWORD NODE_DNS CA_PUBLIC_KEY_PATH"
+ exit
+fi
+
+SCRIPT_FOLDER="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"/..
+CONF_PROFILE="$1"
+CONF_FOLDER="$SCRIPT_FOLDER/../../configuration-profiles/$CONF_PROFILE"
+COMPOSE_FOLDER="$SCRIPT_FOLDER/../../compose-profiles/$CONF_PROFILE"
+NODE_IDX="$2"
+KEYSTORE="$CONF_FOLDER/srv$NODE_IDX.keystore"
+KEYSTORE_PW="$3"
+NODE_DNS="$4"
+
+# check dependency
+which keytool
+
+
+##################################################################
+# execute step 1
+##################################################################
+
+
+echo "### Init configuration"
+mkdir "$CONF_FOLDER" "$COMPOSE_FOLDER"
+echo "\"Hospital $NODE_IDX\" = \"https://$NODE_DNS:6443/shrine/rest/adapter/requests\"" >> "$CONF_FOLDER/srv$NODE_IDX-shrine_downstream_nodes.conf"
+
+TARGET_COMPOSE_FILE="$COMPOSE_FOLDER/docker-compose-srv$NODE_IDX.yml"
+cp "$SCRIPT_FOLDER/docker-compose-template.yml" "$TARGET_COMPOSE_FILE"
+sed -i "s#_NODE_INDEX_#$NODE_IDX#g" "$TARGET_COMPOSE_FILE"
+sed -i "s#_CONF_PROFILE_#$CONF_PROFILE#g" "$TARGET_COMPOSE_FILE"
+
+if [ $# == 4 ]
+then
+ echo "### Generating certificate authority"
+
+ # execute CA.sh with -newca, user has the option to import existing CA certificate (with the priv. key only though)
+ CATOP="$CONF_FOLDER/srv$NODE_IDX-CA" "$SCRIPT_FOLDER"/CA.sh -newca
+
+ # import CA into the keystore
+ keytool -noprompt -import -v -alias "shrine-ca-srv$NODE_IDX" -file "$CONF_FOLDER/srv$NODE_IDX-CA/cacert.pem" \
+ -keystore "$KEYSTORE" -storepass "$KEYSTORE_PW"
+
+elif [ $# == 5 ]
+then
+ echo "### Importing certificate authority certificate"
+ cp "$5" "$CONF_FOLDER/srv$NODE_IDX-CA/cacert.pem"
+
+fi
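Review bot: The import branch (`elif [ $# == 5 ]`) copies the CA certificate into `$CONF_FOLDER/srv$NODE_IDX-CA/`, but that directory is only created by `CA.sh -newca` in the generate branch, so under `set -e` the `cp` fails on a fresh profile; it also never imports the certificate into the keystore, unlike the generate branch, so a node configured this way has no entry for the `shrine-ca-srv$NODE_IDX` alias. Create the directory and mirror the keytool import. The usage check ends with a bare `exit`, returning status 0 on a wrong argument count, which hides the error from any wrapper; `exit 1` is what callers would expect.
```bash
elif [ $# == 5 ]
then
    echo "### Importing certificate authority certificate"
    mkdir -p "$CONF_FOLDER/srv$NODE_IDX-CA"
    cp "$5" "$CONF_FOLDER/srv$NODE_IDX-CA/cacert.pem"

    # import CA into the keystore, same alias as the generate branch
    keytool -noprompt -import -v -alias "shrine-ca-srv$NODE_IDX" -file "$CONF_FOLDER/srv$NODE_IDX-CA/cacert.pem" \
        -keystore "$KEYSTORE" -storepass "$KEYSTORE_PW"

fi
```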
diff --git a/resources/config-generation-tool/generate-prod-configuration-profile/step2.sh b/resources/config-generation-tool/generate-prod-configuration-profile/step2.sh
new file mode 100644
index 0000000..a7e22f6
--- /dev/null
+++ b/resources/config-generation-tool/generate-prod-configuration-profile/step2.sh
@@ -0,0 +1,55 @@
+#!/bin/bash
+
+##################################################################
+# MedCo configuration generator: step 2
+# generate keypair of the node or import it
+##################################################################
+
+set -e
+shopt -s nullglob
+
+if [ $# != 4 -a $# != 5 ]
+then
+ echo "Usage:"
+ echo "Generate pair of keys:"
+ echo " bash step2.sh CONFIGURATION_PROFILE NODE_INDEX KEYSTORE_PASSWORD NODE_DNS NODE_IP"
+ echo "Import pair of keys:"
+ echo " bash step2.sh CONFIGURATION_PROFILE NODE_INDEX KEYSTORE_PASSWORD KEY_FILE_PATH"
+ exit
+fi
+
+SCRIPT_FOLDER="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"/..
+CONF_PROFILE="$1"
+CONF_FOLDER="$SCRIPT_FOLDER/../../configuration-profiles/$CONF_PROFILE"
+COMPOSE_FOLDER="$SCRIPT_FOLDER/../../compose-profiles/$CONF_PROFILE"
+NODE_IDX="$2"
+KEYSTORE_PW="$3"
+
+# check dependency
+which keytool
+
+
+##################################################################
+# execute step 2
+##################################################################
+
+KEYSTORE="$CONF_FOLDER/srv$NODE_IDX.keystore"
+KEYSTORE_PRIVATE_ALIAS="srv$NODE_IDX-private"
+
+if [ $# == 5 ]
+then
+ NODE_DNS="$4"
+ NODE_IP="$5"
+
+ echo "### Generating java keystore pair of keys"
+ keytool -genkeypair -keysize 2048 -alias "$KEYSTORE_PRIVATE_ALIAS" -validity 7300 \
+ -dname "CN=$NODE_DNS" -ext "SAN=DNS:$NODE_DNS,IP:$NODE_IP" \
+ -keyalg RSA -keypass "$KEYSTORE_PW" -storepass "$KEYSTORE_PW" -keystore "$KEYSTORE"
+
+elif [ $# == 4 ]
+then
+ echo "### Importing pair of keys"
+ echo "NOT IMPLEMENTED"
+ exit
+ # todo
+fi
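Review bot: The keystore password is passed to keytool on the command line (`-keypass "$KEYSTORE_PW" -storepass "$KEYSTORE_PW"`), so it is visible to every local user through `ps`/`/proc` for as long as key generation runs, and it also lands in shell history when the script is invoked by hand. keytool accepts the password through the environment instead: `export KEYSTORE_PW="$3"` at the top and `-keypass:env KEYSTORE_PW -storepass:env KEYSTORE_PW` on the keytool call (on the JDKs I know this form is supported; worth checking the target JDK). Separately, both the usage branch and the `NOT IMPLEMENTED` import branch `exit` with status 0, so a wrapper chaining these steps under `set -e` would continue after a failed or skipped step; `exit 1` is the safer default for both.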
diff --git a/resources/config-generation-tool/generate-prod-configuration-profile/step3.sh b/resources/config-generation-tool/generate-prod-configuration-profile/step3.sh
new file mode 100644
index 0000000..27c82ff
--- /dev/null
+++ b/resources/config-generation-tool/generate-prod-configuration-profile/step3.sh
@@ -0,0 +1,80 @@
+#!/bin/bash
+
+##################################################################
+# MedCo configuration generator: step 3
+# generate certificate of the node or import it
+##################################################################
+
+set -e
+shopt -s nullglob
+
+if [ $# != 4 -a $# != 5 ]
+then
+ echo "Usage:"
+ echo "Generate certificate with the generated CA:"
+ echo " bash step3.sh CONFIGURATION_PROFILE NODE_INDEX KEYSTORE_PASSWORD NODE_DNS NODE_IP"
+ echo "Import certificate of previously imported keypair:"
+ echo " bash step3.sh CONFIGURATION_PROFILE NODE_INDEX KEYSTORE_PASSWORD CERT_FILE_PATH"
+ exit
+fi
+
+SCRIPT_FOLDER="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"/..
+CONF_PROFILE="$1"
+CONF_FOLDER="$SCRIPT_FOLDER/../../configuration-profiles/$CONF_PROFILE"
+COMPOSE_FOLDER="$SCRIPT_FOLDER/../../compose-profiles/$CONF_PROFILE"
+NODE_IDX="$2"
+KEYSTORE_PW="$3"
+
+# check dependency
+which keytool openssl
+
+
+##################################################################
+# execute step 3
+##################################################################
+
+KEYSTORE="$CONF_FOLDER/srv$NODE_IDX.keystore"
+KEYSTORE_PRIVATE_ALIAS="srv$NODE_IDX-private"
+
+if [ $# == 5 ]
+then
+ NODE_DNS="$4"
+ NODE_IP="$5"
+
+ echo "### Generating certificate signature request"
+ keytool -certreq -alias "$KEYSTORE_PRIVATE_ALIAS" -keyalg RSA -file "$SCRIPT_FOLDER/newreq.pem" -keypass "$KEYSTORE_PW" \
+ -storepass "$KEYSTORE_PW" -keystore "$KEYSTORE" -ext "SAN=DNS:$NODE_DNS,IP:$NODE_IP"
+
+ # openssl additional configuration
+ cat > "$SCRIPT_FOLDER/openssl.ext.tmp.cnf" <<EOL
+ basicConstraints=CA:FALSE
+ subjectAltName=@alt_names
+ subjectKeyIdentifier = hash
+
+ [ alt_names ]
+ IP.1 = $NODE_IP
+ DNS.1 = $NODE_DNS
+EOL
+
+ echo "###$NODE_IDX### Signing it with the CA"
+ CATOP="$CONF_FOLDER/srv$NODE_IDX-CA" SSLEAY_CONFIG="-extfile $SCRIPT_FOLDER/openssl.ext.tmp.cnf" "$SCRIPT_FOLDER"/CA.sh -sign
+
+ echo "###$NODE_IDX### Importing in keystore own certificate signed by CA (chained to the private key)"
+ keytool -noprompt -import -v -alias "$KEYSTORE_PRIVATE_ALIAS" -file "$SCRIPT_FOLDER"/newcert.pem -keystore "$KEYSTORE" \
+ -storepass "$KEYSTORE_PW" -keypass "$KEYSTORE_PW" -trustcacerts
+
+ echo "###$NODE_IDX### Generating pem certificates (lighttpd)"
+ keytool -noprompt -importkeystore -srckeystore "$KEYSTORE" -srcalias "$KEYSTORE_PRIVATE_ALIAS" -destkeystore "$KEYSTORE".p12 \
+ -deststoretype PKCS12 -srcstorepass "$KEYSTORE_PW" -deststorepass "$KEYSTORE_PW"
+ openssl pkcs12 -in "$KEYSTORE".p12 -out "$CONF_FOLDER/srv$NODE_IDX.pem" -password pass:"$KEYSTORE_PW" -nodes
+
+ # cleanup
+ rm "$SCRIPT_FOLDER/newreq.pem" "$SCRIPT_FOLDER/openssl.ext.tmp.cnf" "$KEYSTORE.p12" "$SCRIPT_FOLDER/newcert.pem"
+
+elif [ $# == 4 ]
+then
+ echo "### Importing certificate"
+ echo "NOT IMPLEMENTED"
+ exit
+ # todo
+fi
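Review bot: `openssl pkcs12 ... -nodes` writes the node's private key unencrypted to `srv$NODE_IDX.pem` with whatever the caller's umask allows (typically 0644, i.e. readable by every local user), and nothing here tightens it; run that step as `(umask 077; openssl pkcs12 -in "$KEYSTORE".p12 -out "$CONF_FOLDER/srv$NODE_IDX.pem" -password pass:"$KEYSTORE_PW" -nodes)` or `chmod 600` the result. The intermediate `$KEYSTORE.p12` and `newcert.pem` are only removed by the final `rm`, so any earlier failure under `set -e` leaves a password-protected copy of the private key behind; a `trap 'rm -f "$KEYSTORE.p12" "$SCRIPT_FOLDER/newreq.pem" "$SCRIPT_FOLDER/newcert.pem" "$SCRIPT_FOLDER/openssl.ext.tmp.cnf"' EXIT` right after the variables are set would cover both paths. As in step2.sh, the keystore password is exposed on the keytool and openssl command lines; keytool's `-storepass:env`/`-keypass:env` and openssl's `-password env:KEYSTORE_PW` avoid that.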
diff --git a/resources/config-generation-tool/generate-prod-configuration-profile/step4.sh b/resources/config-generation-tool/generate-prod-configuration-profile/step4.sh
new file mode 100644
index 0000000..d5c043e
--- /dev/null
+++ b/resources/config-generation-tool/generate-prod-configuration-profile/step4.sh
@@ -0,0 +1,49 @@
+#!/bin/bash
+
+##################################################################
+# MedCo configuration generator: step 4
+# generate unlynx keys & package files to share
+##################################################################
+
+set -e
+shopt -s nullglob
+
+if [ $# != 3 ]
+then
+ echo "Usage:"
+ echo "Generate certificate with the generated CA:"
+ echo " bash step4.sh CONFIGURATION_PROFILE NODE_INDEX NODE_IP"
+ exit
+fi
+
+SCRIPT_FOLDER="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"/..
+CONF_PROFILE="$1"
+CONF_FOLDER="$SCRIPT_FOLDER/../../configuration-profiles/$CONF_PROFILE"
+COMPOSE_FOLDER="$SCRIPT_FOLDER/../../compose-profiles/$CONF_PROFILE"
+NODE_IDX="$2"
+NODE_IP="$3"
+
+# check dependency
+which docker
+
+
+##################################################################
+# execute step 4
+##################################################################
+
+echo "### Producing Unlynx binary with Docker"
+docker build -t lca1/unlynx:medco-deployment "$SCRIPT_FOLDER"/../../docker-images/unlynx/
+docker run -v "$CONF_FOLDER":/opt/medco-configuration --entrypoint sh lca1/unlynx:medco-deployment /copy-unlynx-binary.sh
+
+echo "### Generating unlynx keys"
+"$CONF_FOLDER"/unlynxMedCo server setupNonInteractive --serverBinding "$NODE_IP:2000" --description "Unlynx Server $NODE_IDX" \
+ --privateTomlPath "$CONF_FOLDER/srv$NODE_IDX-private.toml" --publicTomlPath "$CONF_FOLDER/srv$NODE_IDX-public.toml"
+
+echo "### Packaging files to share"
+tar -cvzf "$CONF_FOLDER/srv$NODE_IDX-publicdata.tar.gz" \
+ -C "$CONF_FOLDER" \
+ "srv$NODE_IDX-public.toml" \
+ "srv$NODE_IDX-shrine_downstream_nodes.conf" \
+ "srv$NODE_IDX-CA/cacert.pem"
+
+echo "### Done! Share the archive srv$NODE_IDX-publicdata.tar.gz with the responsible of the other nodes"
diff --git a/resources/config-generation-tool/generate-prod-configuration-profile/step5.sh b/resources/config-generation-tool/generate-prod-configuration-profile/step5.sh
new file mode 100644
index 0000000..5876d28
--- /dev/null
+++ b/resources/config-generation-tool/generate-prod-configuration-profile/step5.sh
@@ -0,0 +1,60 @@
+#!/bin/bash
+
+##################################################################
+# MedCo configuration generator: step 5
+# aggregation of the files
+##################################################################
+
+set -e
+shopt -s nullglob
+
+if [ $# -lt 4 ]
+then
+ echo "Usage:"
+ echo "Aggregation of the configuration:"
+ echo " bash step5.sh CONFIGURATION_PROFILE NODE_INDEX KEYSTORE_PASSWORD PUBLIC_DATA_ARCHIVE..."
+ exit
+fi
+
+SCRIPT_FOLDER="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"/..
+CONF_PROFILE="$1"
+CONF_FOLDER="$SCRIPT_FOLDER/../../configuration-profiles/$CONF_PROFILE"
+COMPOSE_FOLDER="$SCRIPT_FOLDER/../../compose-profiles/$CONF_PROFILE"
+NODE_IDX="$2"
+KEYSTORE="$CONF_FOLDER/srv$NODE_IDX.keystore"
+KEYSTORE_PW="$3"
+
+# check dependency
+which keytool
+
+
+##################################################################
+# execute step 5
+##################################################################
+
+echo "### Extracting public data of other nodes"
+shift
+shift
+shift
+while [ $# -gt 0 ]
+do
+ tar -xvzf "$1" "$CONF_FOLDER"/
+ shift
+done
+
+echo "### Aggregating files"
+cat "$CONF_FOLDER"/srv*-shrine_downstream_nodes.conf > "$CONF_FOLDER/shrine_downstream_nodes.conf"
+cat "$CONF_FOLDER"/srv*-public.toml > "$CONF_FOLDER/group.toml"
+
+echo -n "caCertAliases = [" > "$CONF_FOLDER/shrine_ca_cert_aliases.conf"
+I="-1"
+for CA_FOLDER in "$CONF_FOLDER"/srv*-CA
+do
+ I=$((I+1))
+ echo -n "\"shrine-ca-srv$I\", " >> "$CONF_FOLDER/shrine_ca_cert_aliases.conf"
+ keytool -noprompt -import -v -alias "shrine-ca-srv$I" -file "$CA_FOLDER/cacert.pem" -keystore "$KEYSTORE" -storepass "$KEYSTORE_PW"
+
+done
+echo "]" >> "$CONF_FOLDER/shrine_ca_cert_aliases.conf"
+
+echo "### Configuration generated! MedCo is ready to run."
diff --git a/resources/config-generation-tool/openssl.cnf b/resources/config-generation-tool/openssl.cnf
index 145a27b..51cbc94 100644
--- a/resources/config-generation-tool/openssl.cnf
+++ b/resources/config-generation-tool/openssl.cnf
@@ -1,356 +1,356 @@
#
# OpenSSL example configuration file.
# This is mostly being used for generation of certificate requests.
#
# This definition stops the following lines choking if HOME isn't
# defined.
HOME = .
RANDFILE = $ENV::HOME/.rnd
# Extra OBJECT IDENTIFIER info:
#oid_file = $ENV::HOME/.oid
oid_section = new_oids
# To use this configuration file with the "-extfile" option of the
# "openssl x509" utility, name here the section containing the
# X.509v3 extensions to use:
# extensions =
# (Alternatively, use a configuration file that has only
# X.509v3 extensions in its main [= default] section.)
[ new_oids ]
# We can add new OIDs in here for use by 'ca', 'req' and 'ts'.
# Add a simple OID like this:
# testoid1=1.2.3.4
# Or use config file substitution like this:
# testoid2=${testoid1}.5.6
# Policies used by the TSA examples.
tsa_policy1 = 1.2.3.4.1
tsa_policy2 = 1.2.3.4.5.6
tsa_policy3 = 1.2.3.4.5.7
####################################################################
[ ca ]
default_ca = CA_default # The default ca section
####################################################################
[ CA_default ]
-dir = ./CA # Where everything is kept
+dir = $ENV::CATOP # Where everything is kept
certs = $dir/certs # Where the issued certs are kept
crl_dir = $dir/crl # Where the issued crl are kept
database = $dir/index.txt # database index file.
#unique_subject = no # Set to 'no' to allow creation of
# several ctificates with same subject.
new_certs_dir = $dir/newcerts # default place for new certs.
certificate = $dir/cacert.pem # The CA certificate
serial = $dir/serial # The current serial number
crlnumber = $dir/crlnumber # the current crl number
# must be commented out to leave a V1 CRL
crl = $dir/crl.pem # The current CRL
private_key = $dir/private/cakey.pem# The private key
RANDFILE = $dir/private/.rand # private random number file
x509_extensions = usr_cert # The extentions to add to the cert
# Comment out the following two lines for the "traditional"
# (and highly broken) format.
name_opt = ca_default # Subject Name options
cert_opt = ca_default # Certificate field options
# Extension copying option: use with caution.
# copy_extensions = copy
# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
# so this is commented out by default to leave a V1 CRL.
# crlnumber must also be commented out to leave a V1 CRL.
# crl_extensions = crl_ext
default_days = 365 # how long to certify for
default_crl_days= 30 # how long before next CRL
default_md = sha256 # use SHA-256 by default
preserve = no # keep passed DN ordering
# A few difference way of specifying how similar the request should look
# For type CA, the listed attributes must be the same, and the optional
# and supplied fields are just that :-)
policy = policy_match
# For the CA policy
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
# For the 'anything' policy
# At this point in time, you must list all acceptable 'object'
# types.
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
####################################################################
[ req ]
default_bits = 2048
default_md = sha256
default_keyfile = privkey.pem
distinguished_name = req_distinguished_name
attributes = req_attributes
x509_extensions = v3_ca # The extentions to add to the self signed cert
# Passwords for private keys if not present they will be prompted for
# input_password = secret
# output_password = secret
# This sets a mask for permitted string types. There are several options.
# default: PrintableString, T61String, BMPString.
# pkix : PrintableString, BMPString (PKIX recommendation before 2004)
# utf8only: only UTF8Strings (PKIX recommendation after 2004).
# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
# MASK:XXXX a literal mask value.
# WARNING: ancient versions of Netscape crash on BMPStrings or UTF8Strings.
string_mask = utf8only
#req_extensions = v3_req # The extensions to add to a certificate request
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = XX
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name)
#stateOrProvinceName_default = Default Province
localityName = Locality Name (eg, city)
localityName_default = Default City
0.organizationName = Organization Name (eg, company)
0.organizationName_default = Default Company Ltd
# we can do this but it is not needed normally :-)
#1.organizationName = Second Organization Name (eg, company)
#1.organizationName_default = World Wide Web Pty Ltd
organizationalUnitName = Organizational Unit Name (eg, section)
#organizationalUnitName_default =
commonName = Common Name (eg, your name or your server\'s hostname)
commonName_max = 64
emailAddress = Email Address
emailAddress_max = 64
# SET-ex3 = SET extension number 3
[ req_attributes ]
challengePassword = A challenge password
challengePassword_min = 4
challengePassword_max = 20
unstructuredName = An optional company name
[ usr_cert ]
# These extensions are added when 'ca' signs a request.
# This goes against PKIX guidelines but some CAs do it and some software
# requires this to avoid interpreting an end user certificate as a CA.
basicConstraints=CA:FALSE
# Here are some examples of the usage of nsCertType. If it is omitted
# the certificate can be used for anything *except* object signing.
# This is OK for an SSL server.
# nsCertType = server
# For an object signing certificate this would be used.
# nsCertType = objsign
# For normal client use this is typical
# nsCertType = client, email
# and for everything including object signing:
# nsCertType = client, email, objsign
# This is typical in keyUsage for a client certificate.
# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
# This will be displayed in Netscape's comment listbox.
nsComment = "OpenSSL Generated Certificate"
# PKIX recommendations harmless if included in all certificates.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer
# This stuff is for subjectAltName and issuerAltname.
# Import the email address.
# subjectAltName=email:copy
# An alternative to produce certificates that aren't
# deprecated according to PKIX.
# subjectAltName=email:move
# Copy subject details
# issuerAltName=issuer:copy
#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem
#nsBaseUrl
#nsRevocationUrl
#nsRenewalUrl
#nsCaPolicyUrl
#nsSslServerName
# This is required for TSA certificates.
# extendedKeyUsage = critical,timeStamping
[ v3_req ]
# Extensions to add to a certificate request
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
#subjectAltName = @alt_names
#[ alt_names ]
#IP.1 = CERTS.PUBLIC.IP.ADDRESS
[ v3_ca ]
# Extensions for a typical CA
# PKIX recommendation.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer
# This is what PKIX recommends but some broken software chokes on critical
# extensions.
#basicConstraints = critical,CA:true
# So we do this instead.
basicConstraints = CA:true
# Key usage: this is typical for a CA certificate. However since it will
# prevent it being used as an test self-signed certificate it is best
# left out by default.
# keyUsage = cRLSign, keyCertSign
# Some might want this also
# nsCertType = sslCA, emailCA
# Include email address in subject alt name: another PKIX recommendation
# subjectAltName=email:copy
# Copy issuer details
# issuerAltName=issuer:copy
# DER hex encoding of an extension: beware experts only!
# obj=DER:02:03
# Where 'obj' is a standard or added object
# You can even override a supported extension:
# basicConstraints= critical, DER:30:03:01:01:FF
[ crl_ext ]
# CRL extensions.
# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
# issuerAltName=issuer:copy
authorityKeyIdentifier=keyid:always
[ proxy_cert_ext ]
# These extensions should be added when creating a proxy certificate
# This goes against PKIX guidelines but some CAs do it and some software
# requires this to avoid interpreting an end user certificate as a CA.
basicConstraints=CA:FALSE
# Here are some examples of the usage of nsCertType. If it is omitted
# the certificate can be used for anything *except* object signing.
# This is OK for an SSL server.
# nsCertType = server
# For an object signing certificate this would be used.
# nsCertType = objsign
# For normal client use this is typical
# nsCertType = client, email
# and for everything including object signing:
# nsCertType = client, email, objsign
# This is typical in keyUsage for a client certificate.
# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
# This will be displayed in Netscape's comment listbox.
nsComment = "OpenSSL Generated Certificate"
# PKIX recommendations harmless if included in all certificates.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer
# This stuff is for subjectAltName and issuerAltname.
# Import the email address.
# subjectAltName=email:copy
# An alternative to produce certificates that aren't
# deprecated according to PKIX.
# subjectAltName=email:move
# Copy subject details
# issuerAltName=issuer:copy
#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem
#nsBaseUrl
#nsRevocationUrl
#nsRenewalUrl
#nsCaPolicyUrl
#nsSslServerName
# This really needs to be in place for it to be a proxy certificate.
proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo
####################################################################
[ tsa ]
default_tsa = tsa_config1 # the default TSA section
[ tsa_config1 ]
# These are used by the TSA reply generation only.
dir = ./demoCA # TSA root directory
serial = $dir/tsaserial # The current serial number (mandatory)
crypto_device = builtin # OpenSSL engine to use for signing
signer_cert = $dir/tsacert.pem # The TSA signing certificate
# (optional)
certs = $dir/cacert.pem # Certificate chain to include in reply
# (optional)
signer_key = $dir/private/tsakey.pem # The TSA private key (optional)
default_policy = tsa_policy1 # Policy if request did not specify it
# (optional)
other_policies = tsa_policy2, tsa_policy3 # acceptable policies (optional)
digests = sha1, sha256, sha384, sha512 # Acceptable message digests (mandatory)
accuracy = secs:1, millisecs:500, microsecs:100 # (optional)
clock_precision_digits = 0 # number of digits after dot. (optional)
ordering = yes # Is ordering defined for timestamps?
# (optional, default: no)
tsa_name = yes # Must the TSA name be included in the reply?
# (optional, default: no)
ess_cert_id_chain = no # Must the ESS cert id chain be included?
# (optional, default: no)