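#!/usr/perl5/bin/perl
#
# CDDL HEADER START
#
# The contents of this file are subject to the terms of the
# Common Development and Distribution License (the "License").
# You may not use this file except in compliance with the License.
#
# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
# or http://www.opensolaris.org/os/licensing.
# See the License for the specific language governing permissions
# and limitations under the License.
#
# When distributing Covered Code, include this CDDL HEADER in each
# file and include the License file at usr/src/OPENSOLARIS.LICENSE.
# If applicable, add the following below this CDDL HEADER, with the
# fields enclosed by brackets "[]" replaced with your own identifying
# information: Portions Copyright [yyyy] [name of copyright owner]
#
# CDDL HEADER END
#
# Copyright (c) 2010, Oracle and/or its affiliates. All rights reserved.
#
# This program initializes the private data needed to initialize
# the PKCS#11 KMS provider (/usr/lib/security/pkcs11_kms.so.1) in
# the Solaris Cryptographic Framework.
#
# It takes the following options:
# [-p Profile Name]
# [-a Agent ID]
# [-i Agent Address]
# [-t Transaction Timeout]
# [-f Failover Limit]
# [-d Discovery Frequency]
# [-?]
#
# Values not supplied on the command line are prompted for (the three
# numeric ones have defaults).  The result is written, one value per
# line with a comment banner before each, to $KMSTOKEN_DIR/kmstoken.cfg
# or, when KMSTOKEN_DIR is unset, /var/kms/<username>/kmstoken.cfg.
# Any existing file is kept as kmstoken.cfg.old.
#

use strict;
use warnings;
use locale;
use Getopt::Std;
use POSIX qw(locale_h);
use File::Basename;
use Fcntl qw(O_WRONLY O_CREAT O_TRUNC);
use Sun::Solaris::Utils qw(textdomain gettext gmatch);

my $cmd = basename($0);

# Prompts are printed without a trailing newline; flush STDOUT so they
# are visible before we block on STDIN even when STDOUT is not a tty.
$| = 1;

#
# Print a message to stderr and exit with a failure status.
#
sub fatal {
	print STDERR @_;
	exit(1);
}

#
# Print the option summary to stderr and exit with a failure status.
#
sub usage {
	print STDERR gettext("Usage:") . " $cmd\n" .
	    gettext(
	    "\t[-p[rofile] Profile Name] The name of the KMA profile to use.\n" .
	    "\t[-a[gent] Agent ID] The KMA agent ID.\n" .
	    "\t[-i[paddr] Agent Address] Address of the KMA\n" .
	    "\t[-t[imeout] Transaction Timeout] Transaction timeout period (integer)\n" .
	    "\t[-f[ailover] Failover Limit] Maximum failover limit (integer)\n" .
	    "\t[-d[iscovery] Discovery Freq] Frequency to attempt KMA discovery\n");
	exit(1);
}

#
# Read one line from STDIN and return it without its line terminator.
# Returns the empty string on EOF so callers can test length() uniformly.
# chomp (not chop) is used so a final line lacking a newline is not
# truncated.
#
sub read_line {
	my $line = <STDIN>;
	return '' unless defined($line);
	chomp($line);
	return $line;
}

#
# Prompt for a value.  When $default is non-empty it is shown in
# brackets and returned if the user just presses return.  The check is
# on length(), not truthiness, so an answer of "0" is a real answer.
#
sub get_input {
	my ($prompt, $default) = @_;

	if (length($default)) {
		print "$prompt [$default]: ";
	} else {
		print "$prompt: ";
	}
	my $resp = read_line();
	if (length($default) && !length($resp)) {
		return $default;
	}
	return $resp;
}

#
# The config file is one value per line.  A value carrying a line
# break (possible via the command-line options) would be read back
# as two fields, so refuse it rather than write a corrupt file.
#
sub check_single_line {
	my ($what, $value) = @_;

	if ($value =~ /[\r\n]/) {
		fatal(sprintf(gettext(
		    "The %s value must not contain a line break.\n"), $what));
	}
	return $value;
}

#
# The timeout, failover and discovery values are documented as
# integers; reject anything else so the provider never reads a
# non-numeric token from the file.
#
sub check_integer {
	my ($what, $value) = @_;

	if ($value !~ /\A\d+\z/) {
		fatal(sprintf(gettext(
		    "The %s value must be a non-negative integer.\n"), $what));
	}
	return $value;
}

#
# Take a required string value from option -$optchar, or prompt for it.
# Fails if the result is empty (whichever way it was supplied) or spans
# more than one line.
#
sub required_value {
	my ($opts, $optchar, $prompt, $missing_msg) = @_;

	my $value = exists($opts->{$optchar}) ?
	    $opts->{$optchar} : get_input($prompt, "");
	if (!length($value)) {
		fatal($missing_msg);
	}
	return check_single_line($prompt, $value);
}

#
# Take an integer value from option -$optchar, or use $default.
#
sub integer_value {
	my ($opts, $optchar, $prompt, $default) = @_;

	my $value = exists($opts->{$optchar}) ? $opts->{$optchar} : $default;
	return check_integer($prompt, $value);
}

setlocale(LC_ALL, "");
# TEXT_DOMAIN is a bareword substituted at build time, not a Perl constant.
textdomain(TEXT_DOMAIN);

my %opt;
getopts('?p:a:i:t:f:d:', \%opt) || usage();
usage() if exists($opt{'?'});

#
# Locate the per-user token directory.  KMSTOKEN_DIR overrides the
# default of /var/kms/<username>; an empty override is treated as
# unset rather than producing a path rooted at "/".
#
my $TOKENDIR;
if (exists($ENV{KMSTOKEN_DIR}) && length($ENV{KMSTOKEN_DIR})) {
	$TOKENDIR = $ENV{KMSTOKEN_DIR};
} else {
	my $name = getpwuid($<);
	if (!defined($name) || !length($name)) {
		fatal(sprintf(gettext(
		    "Cannot determine the user name for uid %d.\n"), $<));
	}
	$TOKENDIR = "/var/kms/$name";
}

my $cfgfile = "$TOKENDIR/kmstoken.cfg";

if (! -d $TOKENDIR) {
	mkdir($TOKENDIR, 0700) || die "mkdir $TOKENDIR error: $!\n";
} else {
	# We create the directory private (0700).  An existing one that is
	# group- or world-accessible was presumably not created by this
	# script; say so rather than silently writing into it.
	my $mode = (stat($TOKENDIR))[2];
	if (defined($mode) && ($mode & 077)) {
		warn sprintf("%s: warning: %s is accessible by other users " .
		    "(mode %04o)\n", $cmd, $TOKENDIR, $mode & 07777);
	}
}

if (-f $cfgfile) {
	print gettext("KMS Token config file ") . "($cfgfile) " .
	    gettext("already exists,\n" .
	    "do you want to overwrite it (Y/n)? ");
	my $ans = read_line();
	# An empty reply (including EOF) takes the default, "yes".
	if (length($ans) && $ans !~ /^[yY]/) {
		exit(0);
	}
}

my $profile = required_value(\%opt, 'p', "Profile Name",
    gettext("You must enter a KMA Profile Name.\n"));
my $agentid = required_value(\%opt, 'a', "Agent ID",
    gettext("You must enter a KMA Agent ID.\n"));
my $address = required_value(\%opt, 'i', "KMA IP Address",
    gettext("You must enter a KMA IP Address.\n"));

my $timeout = integer_value(\%opt, 't', "Transaction Timeout", 10);
my $failover = integer_value(\%opt, 'f', "Failover Limit", 3);
my $discovery = integer_value(\%opt, 'd', "Discovery Frequency", 10);

# Keep the previous configuration; a failed rename would otherwise be
# masked by the truncating open below.
if (-f $cfgfile) {
	rename($cfgfile, "$cfgfile.old") ||
	    fatal("rename $cfgfile to $cfgfile.old error: $!\n");
}

# Create the file owner-read/write only regardless of the caller's
# umask, and truncate anything already there.
my $FH;
sysopen($FH, $cfgfile, O_WRONLY | O_CREAT | O_TRUNC, 0600) ||
    fatal("open $cfgfile error: $!\n");

# Each entry is a comment banner followed by the bare value.  The
# Security Mode is fixed at 1 by this script; it is not an option.
my @entries = (
	["Profile Name",		$profile],
	["Agent ID",			$agentid],
	["KMA Address",			$address],
	["Transaction Timeout",		$timeout],
	["Failover Limit",		$failover],
	["Discovery Frequency",		$discovery],
	["Security Mode",		1],
);
for my $entry (@entries) {
	my ($label, $value) = @$entry;
	print {$FH} "#\n# $label\n#\n$value\n" or
	    fatal("write $cfgfile error: $!\n");
}

# Buffered write errors only surface here, so close must be checked.
close($FH) || fatal("close $cfgfile error: $!\n");

exit(0);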