#!/bin/sh
#
# OMI post-install scriptlet. It selects the OpenSSL binary to use, carries
# settings forward from earlier omiserver/cimserver configuration files, checks
# and (re)generates the server certificate, wires OMI into PAM, fixes file
# ownership and permissions, registers the omid service and a logrotate cron
# job, and loads the SELinux policy modules.
#
# The "%Pre / %Post" and "%Files" wording in later comments suggests this is
# the %post section of an RPM spec, in which case "%%" inside strings is the
# escape for a literal "%" — TODO confirm against the packaging source.
#
# NOTE(review): the source as extracted is whitespace-collapsed, and the span
# from `cat > $cnffile` down to `if [ $? -ne 0 ]` below is garbled (see the
# note at that point). Do not run this file as-is; restore that span upstream.

certdir=/etc/opt/omi/ssl/                   # cleared as a unit (rm -rf $certdir*); keep the trailing slash
cnffile=/etc/opt/omi/ssl/ssl.cnf            # openssl request config written by WriteSSLconfig
keyfile=/etc/opt/omi/ssl/omikey.pem         # server private key; chmod 600 and chowned to omi later
certfile=/etc/opt/omi/ssl/omi.pem           # server certificate; chmod 644
omicertmarkerfile=/etc/opt/omi/ssl/.omi_cert_marker   # proves the cert was generated by OMI rather than by OM
OPENSSL_PATH="openssl"                      # switched to "openssl1" on SUSE 11 (see below)
ALGORITHM_KEY_IN_CERTIFICATE="Signature Algorithm"    # matched case-insensitively in `openssl x509 -text` output
SHA1="sha1"                                 # substring identifying a SHA-1 signature algorithm

# Returns 0 on SUSE 11 when a separate `openssl1` binary is on PATH, 1 otherwise.
# Output: none. Side effects: sets the global VERSION.
is_suse11_platform_with_openssl1(){
    if [ -f /etc/SuSE-release ];then
        # Pull "11" out of a "VERSION = 11" line. The FS=":" assignment in the
        # awk pattern only takes effect for the *next* record, so $3 is still
        # the third whitespace-separated field of this line — that accident is
        # what makes this work; do not "fix" the awk without retesting.
        VERSION=`cat /etc/SuSE-release|grep "VERSION = 11"|awk 'FS=":"{print $3}'`
        if [ ! -z "$VERSION" ];then
            which openssl1>/dev/null 2>&1
            if [ $? -eq 0 -a $VERSION -eq 11 ];then
                return 0
            fi
        fi
    fi
    return 1
}

# On SUSE 11 the distro's default openssl is too old for the certificate
# policy enforced later (SHA-1 rejected, >= 3072-bit keys), so use openssl1.
is_suse11_platform_with_openssl1
if [ $? -eq 0 ];then
    OPENSSL_PATH="openssl1"
fi

# Writes the openssl request configuration to $cnffile. Called later as
# WriteSSLconfig "$hostname" "$longhostname" (and WriteSSLconfig localhost
# localhost.local as a fallback), so $1/$2 are the short and long host names.
WriteSSLconfig() {
    # Generate ssl.cnf
    #
    # NOTE(review): everything from the `cat` below to `if [ $? -ne 0 ]` is
    # garbled in the extracted source. Judging from the callers further down
    # (WriteSSLconfig, GenerateKeyCert, HandleConfigFiles), this span
    # presumably held the here-document that `cat > $cnffile` wrote, the end
    # of WriteSSLconfig, the GenerateKeyCert definition, and the head of
    # HandleConfigFiles — including the sslciphersuite lookup on
    # omiserver.conf whose status the `$?` test below consumes. As written
    # here, `cat > $cnffile < /dev/null` merely truncates ssl.cnf, and
    # GenerateKeyCert / HandleConfigFiles are never defined. Restore upstream.
    cat > $cnffile < /dev/null 2> /dev/null
    # If no sslciphersuite is defined in omiserver.conf, carry one over from a
    # previous omiserver/cimserver (OM) configuration file. First existing
    # file wins, searched from the newest location to the oldest.
    # Note: `echo \`grep ...\`` joins every matching line into a single line
    # (and appends a blank line when nothing matched), so a saved file with
    # more than one sslciphersuite line would yield a corrupt entry — TODO
    # confirm only one is ever present.
    if [ $? -ne 0 ]; then
        if [ -f /etc/opt/omi/conf/omiserver.conf.rpmsave ]; then
            echo `grep sslciphersuite /etc/opt/omi/conf/omiserver.conf.rpmsave` >> /etc/opt/omi/conf/omiserver.conf
        elif [ -f /etc/opt/omi/conf/omiserver.conf.pkgsave ]; then
            echo `grep sslciphersuite /etc/opt/omi/conf/omiserver.conf.pkgsave` >> /etc/opt/omi/conf/omiserver.conf
        elif [ -f /etc/opt/microsoft/scx/conf/omiserver.conf.pkgsave ]; then
            echo `grep sslciphersuite /etc/opt/microsoft/scx/conf/omiserver.conf.pkgsave` >> /etc/opt/omi/conf/omiserver.conf
        elif [ -f /etc/opt/microsoft/scx/conf/omiserver.conf ]; then
            echo `grep sslciphersuite /etc/opt/microsoft/scx/conf/omiserver.conf` >> /etc/opt/omi/conf/omiserver.conf
        elif [ -f /etc/opt/microsoft/scx/conf/cimserver_current.conf ]; then
            # Legacy cimserver spells the key in camel case; normalise it.
            echo `grep sslCipherSuite /etc/opt/microsoft/scx/conf/cimserver_current.conf` | sed "s@sslCipherSuite@sslciphersuite@" >> /etc/opt/omi/conf/omiserver.conf
        fi
    fi
    # An explicit "httpsport=0" (HTTPS disabled) in the fresh config is the
    # trigger for restoring the port used by a previous installation.
    grep -q '^httpsport=0$' /etc/opt/omi/conf/omiserver.conf 1> /dev/null 2> /dev/null
    # Look for an httpsport= setting in the previous configuration files,
    # same search order as above. `cut -d= -f2` takes the raw value; it is
    # not validated here.
    if [ $? -eq 0 ]; then
        HTTPSPORT=""
        if [ -f /etc/opt/omi/conf/omiserver.conf.rpmsave ]; then
            HTTPSPORT=`grep '^httpsport=' /etc/opt/omi/conf/omiserver.conf.rpmsave | cut -d= -f2`
        elif [ -f /etc/opt/omi/conf/omiserver.conf.pkgsave ]; then
            HTTPSPORT=`grep '^httpsport=' /etc/opt/omi/conf/omiserver.conf.pkgsave | cut -d= -f2`
        elif [ -f /etc/opt/microsoft/scx/conf/omiserver.conf.pkgsave ]; then
            HTTPSPORT=`grep '^httpsport=' /etc/opt/microsoft/scx/conf/omiserver.conf.pkgsave | cut -d= -f2`
        elif [ -f /etc/opt/microsoft/scx/conf/omiserver.conf ]; then
            HTTPSPORT=`grep '^httpsport=' /etc/opt/microsoft/scx/conf/omiserver.conf | cut -d= -f2`
        elif [ -f /etc/opt/microsoft/scx/conf/cimserver_current.conf ]; then
            HTTPSPORT=`grep '^httpsport=' /etc/opt/microsoft/scx/conf/cimserver_current.conf | cut -d= -f2`
        fi
        # If we found an HTTPSPORT in a previous configuration, restore it now.
        if [ -n "$HTTPSPORT" ]; then
            # omiconfigeditor requires SSL linkage to be set up properly on Linux
            # If the file to set these up exists, run it
            if [ -f /opt/omi/bin/support/installssllinks ]; then
                /opt/omi/bin/support/installssllinks
            fi
            echo "Restoring OMI HTTPSPORT to $HTTPSPORT ..."
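# (tail of HandleConfigFiles: the function opens in the garbled span above)
            # $HTTPSPORT was read from an old config with `cut -d= -f2`; only hand
            # a plain port number to omiconfigeditor (a multi-line or non-numeric
            # value would otherwise be word-split into extra arguments), and keep
            # the current omiserver.conf if the edit fails instead of replacing
            # it with a truncated temp file.
            case "$HTTPSPORT" in
                *[!0-9]*)
                    echo "Not restoring httpsport: previous value '$HTTPSPORT' is not numeric" 1>&2
                    ;;
                *)
                    if /opt/omi/bin/omiconfigeditor httpsport -s "$HTTPSPORT" < /etc/opt/omi/conf/omiserver.conf > /etc/opt/omi/conf/omiserver.conf_temp; then
                        mv /etc/opt/omi/conf/omiserver.conf_temp /etc/opt/omi/conf/omiserver.conf
                    else
                        echo "omiconfigeditor failed; leaving /etc/opt/omi/conf/omiserver.conf unchanged" 1>&2
                        rm -f /etc/opt/omi/conf/omiserver.conf_temp
                    fi
                    ;;
            esac
        fi
    fi
}

# Delete the existing OMI certificate/key pair when it no longer meets policy:
# a SHA-1 signature, or a public key shorter than 3072 bits. Clearing $certdir
# makes the generation step below produce a fresh pair. The `*` glob does not
# match the dot-prefixed marker file, which therefore survives a deletion.
#
# The key-size check strips every non-digit from the "Public-Key" line of
# `openssl x509 -text`, so it measures whatever key type is present — an EC
# key such as P-256 would read as 256 and be removed too (TODO confirm that
# is intended).
#
# Globals read: keyfile, certfile, certdir, OPENSSL_PATH,
# ALGORITHM_KEY_IN_CERTIFICATE, SHA1. Returns 0.
DeleteUnsupportedCertificate() {
    if [ ! -f "$keyfile" ] || [ ! -f "$certfile" ]; then
        return 0
    fi

    sigalg=$("$OPENSSL_PATH" x509 -in "$certfile" -text | grep -i "$ALGORITHM_KEY_IN_CERTIFICATE" | grep -i "$SHA1")
    if [ -n "$sigalg" ]; then
        echo "************************************************************"
        echo "* Deleting unsupported SHA1 certificate *"
        echo "************************************************************"
        # ${certdir:?} aborts instead of expanding to `rm -rf *` in the cwd if
        # the variable were ever empty.
        rm -rf "${certdir:?}"*
        # Nothing left to inspect. The original fell through and ran openssl
        # on the file it had just removed, which failed the `-lt` test noisily.
        return 0
    fi

    keybits=$("$OPENSSL_PATH" x509 -in "$certfile" -text | grep "Public-Key" | sed 's/[^0-9]*//g')
    # Unexpected openssl output yields an empty value; treat that as unknown
    # and leave the certificate alone rather than trip `[ -lt ]` on a non-integer.
    if [ -n "$keybits" ] && [ "$keybits" -lt 3072 ]; then
        echo "************************************************************"
        echo "* Deleting certificates whose public key is less than 3072 *"
        echo "************************************************************"
        rm -rf "${certdir:?}"*
    fi
    return 0
}

# Handle upgrade from older SCX configurations. This needs to be in OMI since
# certain installers (Debian) will delete unused configuration files before
# %Pre / %Post see the light of day. For OMI config, do it before SCX install.
HandleConfigFiles

DeleteUnsupportedCertificate

# Generate the server certificate unless an acceptable one is already present.
if [ -f "$keyfile" ] && [ -f "$certfile" ]; then
    echo
    echo "************************************************************"
    echo "* Warning: The certificate and keyfile were not generated *"
    echo "* since they already exist. *"
    echo "************************************************************"
else
    hostname=$(hostname)
    longhostname=""
    # Try to get the FQDN with fallbacks:
    ##
    ## First try hostname -f (this will fail on some Linux systems)
    ##
    if hn=$(hostname -f 2> /dev/null); then
        longhostname=$hn
    fi
    ##
    ## Attempt to obtain the domain name from /etc/resolv.conf
    ##
    if [ -z "$longhostname" ] && [ -f /etc/resolv.conf ]; then
        domain=$(awk '/^domain/ {print $2}' /etc/resolv.conf)
        if [ -n "$domain" ]; then
            longhostname="$hostname.$domain"
        fi
    fi
    ##
    ## Attempt to obtain long hostname with 'nslookup' command
    ##
    if [ -z "$longhostname" ] && command -v nslookup >/dev/null 2>&1; then
        lhs=$(nslookup "$hostname" | grep '^Name:' | awk '{print $2}' | grep "$hostname")
        if [ -n "$lhs" ]; then
            longhostname=$lhs
        fi
    fi
    if [ -z "$longhostname" ]; then
        longhostname="$hostname"
    fi

    WriteSSLconfig "$hostname" "$longhostname"
    # When the FQDN is not RFC compliant, openssl fails to generate a certificate.
    # We will try a fallback for the FQDN.
    if ! GenerateKeyCert; then
        echo "Error generating ssl keys. Now trying fallback FQDN : localhost.local" 1>&2
        WriteSSLconfig localhost localhost.local
        GenerateKeyCert
    fi

    if [ -f "$keyfile" ] && [ -f "$certfile" ]; then
        # Lock the private key down before it is chowned to omi further down.
        chmod 600 "$keyfile"
        chmod 644 "$certfile"
    else
        echo "Unexpected error : $keyfile or $certfile were not generated by $OPENSSL_PATH" 1>&2
        echo "Fully qualified domain name likely not RFC compliant" 1>&2
        exit 1
    fi

    # Generate a marker that exists to prove that the cert in this directory
    # was generated by omi (as opposed to OM's cert which will overwrite OMI's
    # cert when OM is installed)
    touch "$omicertmarkerfile"
fi

# Build the PAM stack for the "omi" service on systems that use a single
# /etc/pam.conf. The result is left in the global $omi_conf, with every line
# already carrying the "omi" service name; an empty $omi_conf with status 0
# means "nothing to add". Returns 1 if a custom config could not be read or
# the sshd lines could not be rewritten.
#
# Precedence: an operator-supplied /etc/opt/omi/conf/pam.conf is used
# verbatim; otherwise sshd's auth/account lines are copied with "sshd"
# rewritten to "omi" (so OMI authenticates exactly like SSH, including any
# extra modules in that stack); if sshd has none but "other" is configured,
# PAM's default applies and nothing is written; otherwise a distro-specific
# fallback stack is used.
GetNewPAMConfig_file() {
    omi_conf=""
    if [ -f /etc/opt/omi/conf/pam.conf ]; then
        if ! omi_conf=$(cat /etc/opt/omi/conf/pam.conf); then
            # cat reported the problem on stderr; refuse to proceed with a
            # partial read instead of installing whatever came back.
            return 1
        fi
        echo "Used custom PAM configuration from /etc/opt/omi/conf/pam.conf"
        return 0
    fi

    # The leading `[# ]*` means commented-out sshd lines are copied too; they
    # remain comments after the rewrite below.
    if ! sshd_conf=$(grep -E "^[# ]*sshd[ ]+(auth|account)" /etc/pam.conf); then
        # sshd not explicitly configured. If "other" is, PAM's default stack
        # already covers omi: leave $omi_conf empty so nothing is written.
        if grep -E -q "^[# ]*other[ ]+(auth|account)" /etc/pam.conf; then
            return 0
        fi
        # Distro fallbacks. The Debian stack mirrors Debian's sshd default,
        # including pam_unix's nullok_secure — review whether empty passwords
        # should ever be acceptable for a network service before relying on it.
        if [ -e /etc/debian_version ]; then
            sshd_conf=$(printf "omi auth required pam_env.so\nomi auth required pam_unix.so nullok_secure\nomi account required pam_unix.so\nomi session required pam_limits.so")
        elif [ ! -e /etc/sysconfig/networking ] && [ ! -e /etc/sysconfig/network-scripts ]; then
            # Neither Red Hat-style sysconfig directory exists (e.g. SUSE): use
            # the common-* includes. The original wrote `-e"/etc/..."]` with
            # the spaces missing, which made `[` fail and silently pushed these
            # systems onto the system-auth branch below.
            sshd_conf=$(printf "omi auth include common-auth\nomi auth required pam_nologin.so\nomi account include common-account")
        else
            sshd_conf=$(printf "omi auth include system-auth\nomi account required pam_nologin.so\nomi account include system-auth")
        fi
    fi

    # Substitute sshd with omi. sed rewrites every "sshd" on the line, module
    # arguments included.
    if ! omi_conf=$(printf '%s\n' "$sshd_conf" | sed "s/sshd/omi/g"); then
        echo "can't parse /etc/pam.conf"
        return 1
    fi
    return 0
}

# Build the PAM stack for the "omi" service on systems that use /etc/pam.d.
# Same precedence as GetNewPAMConfig_file, except that with no sshd stack the
# distro fallback is used directly (there is no "other" check). Result in the
# global $omi_conf (lines without a service name, as /etc/pam.d files are).
# Returns 1 if a custom config could not be read.
GetNewPAMConfig_dir() {
    omi_conf=""
    if [ -f /etc/opt/omi/conf/pam.conf ]; then
        if ! omi_conf=$(cat /etc/opt/omi/conf/pam.conf); then
            return 1
        fi
        echo "Used custom PAM configuration from /etc/opt/omi/conf/pam.conf"
        return 0
    fi

    # Every line of sshd's stack mentioning auth or account — includes,
    # comments and all — becomes part of omi's stack.
    if ! sshd_conf=$(grep -E "(auth|account)" /etc/pam.d/sshd 2> /dev/null); then
        if [ -e /etc/debian_version ]; then
            sshd_conf=$(printf "auth required pam_env.so\n auth required pam_unix.so nullok_secure\n account required pam_unix.so\n session required pam_limits.so")
        elif [ ! -e /etc/sysconfig/networking ] && [ ! -e /etc/sysconfig/network-scripts ]; then
            # See GetNewPAMConfig_file: the original test was mis-spaced and
            # could never be true.
            sshd_conf=$(printf "auth include common-auth\n auth required pam_nologin.so\n account include common-account")
        else
            sshd_conf=$(printf "auth include system-auth\n account required pam_nologin.so\n account include system-auth")
        fi
    fi
    omi_conf=$sshd_conf
    return 0
}

#
#
# ConfigurePAM
#
#

# Append the omi stack to a single-file /etc/pam.conf. Returns 0 when omi is
# already present or nothing needs adding, 1 on any failure.
ConfigurePAM_file() {
    # `^[# ]*omi` also matches a commented-out or merely omi-prefixed line;
    # any such line counts as "already configured".
    if grep -s -q "^[# ]*omi" /etc/pam.conf > /dev/null 2>&1; then
        echo "omi already configured"
        return 0
    fi

    if ! GetNewPAMConfig_file; then
        return 1
    fi
    # Only update pam.conf if we are returning some new configuration
    if [ -z "$omi_conf" ]; then
        return 0
    fi

    # Write to a copy first so a full disk cannot truncate the live file; -p
    # keeps pam.conf's mode and owner across the mv. $omi_conf is passed as a
    # printf argument, not as the format string, so a `%` or `\` in a PAM
    # line cannot be reinterpreted.
    cp -p /etc/pam.conf /etc/pam.conf.omi-copy &&
        printf '%s\n%s\n%s\n' "# The configuration of omi is generated by the omi installer." "$omi_conf" "# End of section generated by the omi installer." >> /etc/pam.conf.omi-copy
    if [ $? -ne 0 ]; then
        echo "can't update file /etc/pam.conf.omi-copy"
        rm -f /etc/pam.conf.omi-copy
        return 1
    fi

    # verify that complete file was written
    if ! grep -q "# End of section generated by the omi installer." /etc/pam.conf.omi-copy > /dev/null 2>&1; then
        echo "can't update file /etc/pam.conf.omi-copy"
        rm -f /etc/pam.conf.omi-copy
        return 1
    fi

    # use move to substitute original file with verified copy
    if ! mv /etc/pam.conf.omi-copy /etc/pam.conf; then
        echo "can't replace /etc/pam.conf"
        return 1
    fi
    return 0
}

# Create /etc/pam.d/omi. Returns 0 when the file already exists or was
# written, 1 when the stack could not be derived or the file not created.
ConfigurePAM_dir() {
    if [ -f /etc/pam.d/omi ]; then
        echo "omi already configured"
        return 0
    fi

    if ! GetNewPAMConfig_dir; then
        # Do not install a stack derived from an unreadable custom file.
        return 1
    fi

    # "#%%PAM-1.0" is kept verbatim: this file appears to be an RPM scriptlet,
    # where %% is the escape for a literal % (TODO confirm), and the
    # uninstall side greps for exactly this text. printf with %s arguments
    # keeps the content literal either way.
    if ! printf '%s\n%s\n%s\n' "#%%PAM-1.0" "# The configuration of omi is generated by the omi installer." "$omi_conf" > /etc/pam.d/omi; then
        echo "can't create /etc/pam.d/omi"
        return 1
    fi
    return 0
}

# Dispatch on the PAM layout in use: a non-empty /etc/pam.conf wins over
# /etc/pam.d. Returns the helper's status, or 1 when neither exists.
ConfigurePAM() {
    if [ -s /etc/pam.conf ]; then
        ConfigurePAM_file
        return $?
    fi
    if [ -d /etc/pam.d ]; then
        ConfigurePAM_dir
        return $?
    fi
    # No pam configuration.
    echo "PAM does not seem to be configured."
    echo "Checked both /etc/pam.conf and /etc/pam.d."
    return 1
}

# Read the omi lines currently in /etc/pam.conf into $omi_current_conf.
GetCurrentPAMConfig_file() {
    omi_current_conf=$(grep "^[#\t]*omi" /etc/pam.conf)
}

# Read /etc/pam.d/omi, minus the header lines the installer wrote, into
# $omi_current_conf.
GetCurrentPAMConfig_dir() {
    omi_current_conf=$(grep -v "#%%PAM-1.0" /etc/pam.d/omi | grep -v "# The configuration of omi is generated by the omi installer.")
}

#
#
# UnconfigurePAM
#
#

# Strip the omi stack from a single-file /etc/pam.conf. Returns 0 on success
# or when there is nothing to do, 1 when the file could not be rewritten.
UnconfigurePAM_file() {
    # Drop every omi line plus the two marker comments. The final grep -v
    # exits 1 when nothing is left — i.e. pam.conf held only omi entries —
    # and the file is then left untouched rather than emptied.
    if ! pam_configuration=$(grep -v "^[# ]*omi" /etc/pam.conf | grep -v "# The configuration of omi is generated by the omi installer." | grep -v "# End of section generated by the omi installer."); then
        return 0
    fi

    # Write it back via a copy that inherits pam.conf's mode and owner.
    cp -p /etc/pam.conf /etc/pam.conf.tmp
    if ! printf '%s\n' "$pam_configuration" > /etc/pam.conf.tmp; then
        echo "can't write to /etc/pam.conf.tmp"
        return 1
    fi
    if ! mv /etc/pam.conf.tmp /etc/pam.conf; then
        echo "can't replace /etc/pam.conf"
        return 1
    fi
    return 0
}

# Remove /etc/pam.d/omi if present.
UnconfigurePAM_dir() {
    if [ -f /etc/pam.d/omi ]; then
        rm -f /etc/pam.d/omi
        return 0
    fi
}

# Dispatch on the PAM layout in use, mirroring ConfigurePAM.
UnconfigurePAM() {
    if [ -s /etc/pam.conf ]; then
        UnconfigurePAM_file
    elif [ -d /etc/pam.d ]; then
        UnconfigurePAM_dir
    fi
}

ConfigurePAM

# Runtime directories and secrets owned by the unprivileged omi user.
# /var/opt/omi/log is also where the root-run logrotate job below keeps its
# state file — see ConfigureCronForLogRotate.
chown omi:omi /var/opt/omi/log
chown omi:omi /var/opt/omi/run
chown omi:omi /etc/opt/omi/ssl/omikey.pem
chown omi:omi /etc/opt/omi/creds
chmod 500 /etc/opt/omi/creds
chown omi:omi /etc/opt/omi/creds/omi.keytab >/dev/null 2>&1
chown omi:omi /etc/opt/omi/.creds >/dev/null 2>&1
chown omi:omi /etc/opt/omi/.creds/ntlm >/dev/null 2>&1
chown omi:omi /etc/opt/omi/conf/sockets
chmod 700 /etc/opt/omi/conf/sockets

# Stale protocol traces from a previous install.
rm -f /var/opt/omi/log/omiserver-send.trc >/dev/null 2>&1
rm -f /var/opt/omi/log/omiserver-recv.trc >/dev/null 2>&1
rm -f /var/opt/omi/log/omiclient-send.trc >/dev/null 2>&1
rm -f /var/opt/omi/log/omiclient-recv.trc >/dev/null 2>&1

# Fix potential permissions issue on /etc/opt/omi directory
chown root:root /etc/opt/omi

# Various distributions have different paths for systemd unit files ...
SYSTEMD_UNIT_DIR=""

# Set SYSTEMD_UNIT_DIR to the first existing unit directory and return 0.
# Returns 1 when systemd is not running (no /run/systemd/system); exits 1
# when systemd is running but neither candidate directory exists.
ResolveSystemdPaths() {
    local UNIT_DIR_LIST="/usr/lib/systemd/system /lib/systemd/system"
    if [ ! -d /run/systemd/system ]; then
        return 1
    fi
    for dir in ${UNIT_DIR_LIST}; do   # intentionally unquoted: split on spaces
        if [ -d "$dir" ]; then
            SYSTEMD_UNIT_DIR=$dir
            return 0
        fi
    done
    # Didn't find a unit directory; that's fatal.
    echo "FATAL: Unable to resolve systemd unit directory!" 1>&2
    exit 1
}

# Stop and unregister service $1 from whichever manager(s) know about it:
# systemd unit, upstart job and/or SysV init script. No-op when the
# /etc/.omi_disable_service_control marker exists. Exits 1 on a missing
# argument or an unrecognised service controller.
RemoveGenericService() {
    if [ -f /etc/.omi_disable_service_control ]; then
        return 0
    fi
    SERVICE=$1
    if [ -z "$SERVICE" ]; then
        echo "FATAL: RemoveGenericService requires parameter (service name)" 1>&2
        exit 1
    fi

    ResolveSystemdPaths
    unitfile=""
    if [ -n "$SYSTEMD_UNIT_DIR" ]; then
        unitfile="${SYSTEMD_UNIT_DIR}/${SERVICE}.service"
    fi

    # Stop the service in case it's running.
    if [ -n "$unitfile" ] && [ -f "$unitfile" ]; then
        /bin/systemctl stop "${SERVICE}"
    fi
    if [ -f "/etc/init/${SERVICE}.conf" ]; then
        # Was hard-coded to `initctl stop omid`; use the requested service.
        initctl stop "${SERVICE}"
    fi
    if [ -f "/etc/init.d/${SERVICE}" ]; then
        if [ -x /bin/systemctl ]; then
            /bin/systemctl stop "${SERVICE}"
        elif [ -x /sbin/service ]; then
            /sbin/service "${SERVICE}" stop
        elif [ -x /usr/sbin/service ]; then
            /usr/sbin/service "${SERVICE}" stop
        elif [ -x /usr/sbin/invoke-rc.d ]; then
            /usr/sbin/invoke-rc.d "${SERVICE}" stop
        else
            echo "Unrecognized service controller to stop ${SERVICE} service" 1>&2
            exit 1
        fi
    fi

    # Registered as a systemd service?
    #
    # Note: We've never deployed systemd unit files automatically in the %Files
    # section. Thus, for systemd services, it's safe to remove the file.
    if [ -n "$unitfile" ] && [ -f "$unitfile" ]; then
        echo "Unconfiguring ${SERVICE} (systemd) service ..."
        /bin/systemctl disable "${SERVICE}"
        rm -f "$unitfile"
        /bin/systemctl daemon-reload
    fi

    # Registered as an upstart job? The job file lives in /etc/init; the
    # original removed the nonexistent /usr/init/omid.conf, so the job was
    # still registered when reload-configuration ran.
    if [ -f "/etc/init/${SERVICE}.conf" ]; then
        echo "Unconfiguring ${SERVICE} (upstart) service ..."
        rm -f "/etc/init/${SERVICE}.conf"
        initctl reload-configuration
    fi

    # Registered as a SysV init script?
    if [ -f "/etc/init.d/${SERVICE}" ]; then
        echo "Unconfiguring ${SERVICE} service ..."
        if [ -x /usr/sbin/update-rc.d ]; then
            /usr/sbin/update-rc.d -f "${SERVICE}" remove
        elif [ -x /usr/lib/lsb/remove_initd ]; then
            /usr/lib/lsb/remove_initd "/etc/init.d/${SERVICE}"
        elif [ -x /sbin/chkconfig ]; then
            chkconfig --del "${SERVICE}" > /dev/null
        else
            echo "Unrecognized Service Controller to unregister ${SERVICE} Service."
            exit 1
        fi
    fi
}

# Stop omid through OMI's own service_control wrapper.
StopOmiService() {
    /opt/omi/bin/service_control stop
}

# Unregister omid from the service manager and delete any leftover init files.
# No-op when the /etc/.omi_disable_service_control marker exists.
RemoveOmiService() {
    if [ -f /etc/.omi_disable_service_control ]; then
        return 0
    fi
    RemoveGenericService omid
    [ -f /etc/init.d/omid ] && rm /etc/init.d/omid
    [ -f /etc/init/omid.conf ] && rm /etc/init/omid.conf
}

# Register omid with systemd, upstart or SysV init (in that order of
# preference) and start it. Exits 1 when no known service controller exists.
ConfigureOmiService() {
    # If the marker file /etc/.omi_disable_service_control exists,
    # OMI will not be configured with service manager. This may be used in a container
    # environment, where service manager does not work reliably.
    if [ ! -f /etc/.omi_disable_service_control ]; then
        echo "Configuring OMI service ..."
        if [ -d /run/systemd/system ]; then
            # systemd
            ResolveSystemdPaths
            cp /opt/omi/bin/support/omid.systemd "${SYSTEMD_UNIT_DIR}/omid.service"
            /bin/systemctl daemon-reload
            /bin/systemctl enable omid
        elif [ -x /sbin/initctl ] && [ -f /etc/init/networking.conf ] && /sbin/initctl list >/dev/null 2>&1; then
            # If we have a working /sbin/initctl, we have upstart.
            # The omid upstart job requires networking, so only use upstart
            # when networking itself is controlled by upstart (not the case
            # on RedHat 6).
            cp /opt/omi/bin/support/omid.upstart /etc/init/omid.conf
            # initctl registers it with upstart
            initctl reload-configuration
        else
            cp /opt/omi/bin/support/omid.initd /etc/init.d/omid
            if [ -x /usr/sbin/update-rc.d ]; then
                update-rc.d omid defaults > /dev/null
            elif [ -x /usr/lib/lsb/install_initd ]; then
                /usr/lib/lsb/install_initd /etc/init.d/omid
            elif [ -x /sbin/chkconfig ]; then
                chkconfig --add omid > /dev/null
            else
                echo "Unrecognized Service Controller to configure OMI Service."
                exit 1
            fi
        fi
    fi
    # Invoked even when service control is disabled; presumably
    # service_control is marker-aware — TODO confirm.
    /opt/omi/bin/service_control start
}

# Install a root cron job that rotates the OMI logs every 15 minutes.
# Only warns (does not fail) when cron is missing or not running.
ConfigureCronForLogRotate() {
    echo "Checking if cron is installed..."
    # Warn the user that cron must be installed when neither binary is found.
    if ! command -v cron >/dev/null 2>&1 && ! command -v crond >/dev/null 2>&1; then
        echo "WARNING: LogRotate can't be enabled, please install cron at first!"
        return
    fi

    echo "Checking if cron/crond service is started..."
    # Warn the user when neither cron nor crond is running. pidof's stdout is
    # what we need here; the original redirected it to /dev/null (so both
    # variables were always empty) and then required both to be non-empty,
    # so this warning could never fire.
    cronid=$(pidof cron 2>/dev/null)
    crondid=$(pidof crond 2>/dev/null)
    if [ -z "$cronid" ] && [ -z "$crondid" ]; then
        echo "WARNING: LogRotate can be enabled, but please start cron/crond service!"
    fi

    echo "Set up a cron job to OMI logrotate every 15 minutes"
    # create the cron file if it doesn't exist
    if [ ! -f /etc/cron.d/omilogrotate ]; then
        # Runs as root. NOTE(review): the state file is placed under
        # /var/opt/omi/log, which is chowned to omi:omi above, so a root
        # process writes into a directory the omi user controls; a root-owned
        # location (e.g. under /var/lib) would be safer for the state file.
        echo "*/15 * * * * root /usr/sbin/logrotate /etc/logrotate.d/omi --state /var/opt/omi/log/omi-logrotate.status >/dev/null 2>&1" > /etc/cron.d/omilogrotate 2>/dev/null
        # Some cron implementations (Debian's) ignore /etc/cron.d entries that
        # are group- or world-writable; pin the mode rather than trust umask.
        chmod 644 /etc/cron.d/omilogrotate 2>/dev/null
    fi
}

# Fix permissions for new directories.
# NOTE(review): 775 with group omiusers makes /opt/omi/lib group-writable, so
# any member of omiusers can drop or replace files in what is presumably a
# library directory loaded by the server. Confirm that group-write is really
# needed on /opt/omi/lib and not only on the two data directories.
chgrp omiusers /opt/omi/lib /etc/opt/omi/conf/omiregister /var/opt/omi/omiusers
chmod 775 /opt/omi/lib /etc/opt/omi/conf/omiregister /var/opt/omi/omiusers
chmod 500 /opt/omi/bin/support/ktstrip
chmod 500 /opt/omi/bin/support/config_keytab_update.sh

# Be certain that SSL linkages exist for OMI utilities
/opt/omi/bin/support/installssllinks

# Set up the cron job to update the omi.keytab
/opt/omi/bin/support/config_keytab_update.sh --unconfigure
/opt/omi/bin/support/config_keytab_update.sh --configure

ConfigureCronForLogRotate

# Special handling for Red Hat 5, which lacks the open SELinux permission.
# Returns 0 on Red Hat 5.x, 1 on anything else (or when lsb_release is absent).
is_redhat5(){
    if [ ! -e /usr/bin/lsb_release ]; then
        return 1
    fi
    distro=$(lsb_release -i | grep RedHat)
    if [ -z "${distro}" ]; then
        return 1
    fi
    # "Release:<tab>5.11" -> "5.11". Match on the major version so 5.x
    # qualifies as well as a bare "5" (the original compared the whole
    # string to "5").
    distro_version=$(lsb_release -r | awk '{print $2}')
    case "${distro_version}" in
        5|5.*) return 0 ;;
    esac
    return 1
}

if [ -e /usr/sbin/semodule ]; then
    # Directory holding OMI's policy packages. Defaulted here because the
    # manual-load hint below printed "$SEPKG_DIR_OMI/omi-logrotate.pp" with
    # the variable unset, i.e. a bogus "/omi-logrotate.pp" path.
    : "${SEPKG_DIR_OMI:=/usr/share/selinux/packages/omi-selinux}"
    echo "System appears to have SELinux installed, attempting to install selinux policy module for logrotate"
    echo " Trying $SEPKG_DIR_OMI/omi-logrotate.pp ..."
    # Read only the "SELinux status:" line; a bare `grep status` also matches
    # lines such as "Policy MLS status:" in newer sestatus output.
    sestatus=$(sestatus | grep '^SELinux status' | awk '{print $3}')
    if [ "$sestatus" = "disabled" ]; then
        echo "INFO: omi-logrotate selinux policy module has not yet installed due to selinux is disabled."
        echo "When enabling selinux, load omi-logrotate module manually with following commands for logrotate feature to work properly for omi logs."
        echo "/usr/sbin/semodule -i $SEPKG_DIR_OMI/omi-logrotate.pp >/dev/null 2>&1"
        echo "/sbin/restorecon -R /var/opt/omi/log/ > /dev/null 2>&1"
    else
        # NOTE(review): both failure paths below `exit 0` — the package then
        # reports success but ConfigureOmiService never runs, so omid is left
        # unregistered. Either continue past a policy failure or exit
        # non-zero; left unchanged here because the intended behaviour is not
        # clear from this file.
        if ! /usr/sbin/semodule -i "$SEPKG_DIR_OMI/omi-logrotate.pp" >/dev/null 2>&1; then
            echo "ERROR: omi-logrotate selinux policy module versions could not be installed"
            exit 0
        fi
        if is_redhat5; then
            echo " Trying $SEPKG_DIR_OMI/omi-selinux.el5.pp ..."
            /usr/sbin/semodule -i "$SEPKG_DIR_OMI/omi-selinux.el5.pp" >/dev/null 2>&1
        else
            echo " Trying $SEPKG_DIR_OMI/omi-selinux.pp ..."
            /usr/sbin/semodule -i "$SEPKG_DIR_OMI/omi-selinux.pp" >/dev/null 2>&1
        fi
        if [ $? -ne 0 ]; then
            echo "ERROR: omi-selinux selinux policy module versions could not be installed"
            exit 0
        fi
        echo " Labeling omi log files ..."
        /sbin/restorecon -R /var/opt/omi/log/ > /dev/null 2>&1
    fi
fi

ConfigureOmiService

exit 0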