Hola Amig@s,
Si necesitamos crear una wallet de Oracle para resolver un dominio HTTPS con Oracle y no usar el proxy inverso de Apache, podemos utilizar el siguiente script. El script necesitará como parámetro la ruta de creación de la wallet y, además, necesitará que le indiquemos el nombre del dominio; esto último lo pedirá en el prompt.
Nota: Para utilizar este script deberemos ejecutarlo en Linux y, además, la máquina tendrá que tener salida a internet.
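#!/usr/bin/env bash
##################################################################################
# Command: certs_to_wallet.sh <wallet path>
#
# The script will create a _new_ auto login orapki wallet from a list of sites
# and put the certificates of the chain into the trusted certificates of the wallet.
# It will create a backup of the current wallet and auto login.
# Will ask for a password for the new wallet.
# On creation or password issue, the backup will be restored.
# Sites can be added to wallet_sites.lst, either in the current dir or wallet dir.
# The wallet_sites.lst in the wallet dir will take preference, you can have
# separate sites per wallet.
# Each site must be on a single line followed by a colon ':' and port number: <site:port>
# and comments starting with a # are accepted; blank lines are ignored.
# If there is no port number specified, 443 will be used. A missing newline
# after the last site is tolerated.
#
# Requirements: bash, orapki (Oracle client), openssl, csplit, md5sum, mktemp.
# The wallet password is handed to orapki with -pwd, as in the original script,
# so it is visible in the process list while orapki runs; run on a trusted host.
# The MD5 sums below only identify the site's own certificate so it can be
# skipped (ORA-29024); they are not used for any trust decision.
#
# Author: Ian Hoogeboom, please feel free to adjust script to own needs
# v.1 - ianh - original version 2020-11-28
# v.2 - ianh - skip site own certificate (ORA-29024 - user certificate should not be in Wallet)
# v.3 - ianh - skipping user certificate based on hash, not 'first' certificate
# v.4 - earana - added the -servername parameter because some domain names require that to resolve the information.
##################################################################################
WALLET_LOCATION=${1-}
NOW=$(date '+%Y%m%d%H%M%S')

#######################################
# Print a message to stderr and exit with status 1.
# Arguments: message words
#######################################
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

#######################################
# Move a wallet file aside, suffixed with the run timestamp, if it exists.
# Globals:   WALLET_LOCATION, NOW (read)
# Arguments: $1 - file name inside the wallet dir, $2 - label for messages
#######################################
backup_file() {
  local name=$1 label=$2
  if [ -f "${WALLET_LOCATION}/${name}" ]; then
    echo "Backing-up ${label} to ${WALLET_LOCATION}/${name}.${NOW}"
    mv -- "${WALLET_LOCATION}/${name}" "${WALLET_LOCATION}/${name}.${NOW}" \
      || die "Could not back up ${WALLET_LOCATION}/${name}"
  fi
}

#######################################
# Copy a backup made by backup_file in this run back into place, if it exists.
# The backup copy itself is kept.
# Globals:   WALLET_LOCATION, NOW (read)
# Arguments: $1 - file name inside the wallet dir, $2 - label for messages
#######################################
restore_file() {
  local name=$1 label=$2
  if [ -f "${WALLET_LOCATION}/${name}.${NOW}" ]; then
    echo "Old ${label} restored!"
    cp -- "${WALLET_LOCATION}/${name}.${NOW}" "${WALLET_LOCATION}/${name}"
  fi
}

if [ -z "${WALLET_LOCATION}" ]; then
  echo "No wallet location specified!" >&2
  echo "Command:> certs_to_wallet.sh <wallet path>" >&2
  exit 1
fi

# The list next to the wallet wins over the one in the current directory.
SITE_LIST=${WALLET_LOCATION}/wallet_sites.lst
if [ ! -f "${SITE_LIST}" ]; then
  SITE_LIST=wallet_sites.lst
fi
if [ ! -f "${SITE_LIST}" ]; then
  echo "Site list not found!" >&2
  echo "Place wallet_sites.lst in current directory or in [${WALLET_LOCATION}]" >&2
  exit 1
fi

echo "Passwords must have a minimum length of eight characters and contain alphabetic characters combined with numbers or special characters"
printf 'Password for new wallet: '
read -r -s PASSWORD
echo
# Refuse an empty password here, before the existing wallet has been touched.
[ -n "${PASSWORD}" ] || die "No password given, existing wallet left untouched."

# Certificate chains are split into per-cert files in a private temp dir
# (the original wrote <host>.certs* into the current directory and left them).
WORK_DIR=$(mktemp -d) || die "mktemp failed"
cleanup() { rm -rf -- "${WORK_DIR:?}"; }
trap cleanup EXIT

backup_file ewallet.p12 wallet
backup_file cwallet.sso auto_login

echo "Creating new wallet"
# If the new wallet cannot be created (password error maybe), restore the backups
# and exit non-zero so a calling script notices.
if ! orapki wallet create -wallet "${WALLET_LOCATION}" -pwd "${PASSWORD}" -auto_login >/dev/null </dev/null; then
  echo "Error creating new wallet, permissions or password issues?!" >&2
  restore_file ewallet.p12 wallet
  restore_file cwallet.sso "auto login"
  exit 1
fi

# Read all the lines from wallet_sites.lst. Default IFS trims surrounding
# whitespace; the `|| [ -n ... ]` keeps a last line without a trailing newline.
while read -r SITE || [ -n "${SITE}" ]; do
  SITE=${SITE%$'\r'}          # tolerate a list edited on Windows
  [ -z "${SITE}" ] && continue
  [[ "${SITE}" == \#* ]] && continue
  HOST=${SITE%%:*}
  PORT=${SITE#"${HOST}"}
  PORT=${PORT#:}
  PORT=${PORT%%:*}
  PORT=${PORT:-443}
  echo "Getting certificate chain from: ${HOST}:${PORT}"

  site_dir=$(mktemp -d "${WORK_DIR}/site.XXXXXX") || die "mktemp failed"

  # Fetch only the site's own (leaf) certificate; its MD5 is used below to skip
  # it, because a user certificate must not be added as a trusted cert (ORA-29024).
  openssl s_client -host "${HOST}" -port "${PORT}" -trusted_first -servername "${HOST}" 2>/dev/null <<< "q" \
    | awk '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/' > "${site_dir}/leaf.pem"
  if [ ! -s "${site_dir}/leaf.pem" ]; then
    echo "Could not fetch the certificate of ${HOST}:${PORT}, skipping site" >&2
    continue
  fi
  SITE_CERT_MD5=$(md5sum -- "${site_dir}/leaf.pem" | awk '{print $1}')

  # Fetch the whole chain presented by the site and split it one cert per file.
  openssl s_client -host "${HOST}" -port "${PORT}" -showcerts -no_alt_chains -trusted_first -servername "${HOST}" 2>/dev/null <<< "q" \
    | awk '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/' > "${site_dir}/chain.pem"
  if [ ! -s "${site_dir}/chain.pem" ]; then
    echo "No certificate chain received from ${HOST}:${PORT}, skipping site" >&2
    continue
  fi
  csplit --digits=2 --quiet --prefix="${site_dir}/cert." "${site_dir}/chain.pem" "/-----END CERTIFICATE-----/+1" "{*}"

  for CERT in "${site_dir}"/cert.*; do
    # csplit may leave an empty trailing piece; an unmatched glob is also skipped here
    [ -s "${CERT}" ] || continue
    CHAIN_CERT_MD5=$(md5sum -- "${CERT}" | awk '{print $1}')
    if [ "${CHAIN_CERT_MD5}" = "${SITE_CERT_MD5}" ]; then
      continue   # the site's own certificate does not belong in the wallet
    fi
    echo "Adding ${CERT##*/} from ${HOST}:${PORT}"
    # stdin is redirected so orapki can never consume lines of the site list.
    if ! orapki wallet add -wallet "${WALLET_LOCATION}" -pwd "${PASSWORD}" -trusted_cert -cert "${CERT}" >/dev/null </dev/null; then
      echo "Warning: orapki could not add ${CERT##*/} from ${HOST}:${PORT}" >&2
    fi
  done
done < "${SITE_LIST}"

orapki wallet display -wallet "${WALLET_LOCATION}"
echo "Done"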