diff --git a/Dockerfile b/Dockerfile
index 0d34715..75f8632 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -20,6 +20,7 @@ ENV JAVA_INSTALL_FILENAME='zulu8.38.0.13-ca-jdk8.0.212-win_x64.msi'
 #ENV JAVA_HOME=c:\\Java\\$JAVA_INSTALL_FOLDER
 RUN powershell [Environment]::SetEnvironmentVariable('JAVA_HOME', '%JAVA_HOME%', [System.EnvironmentVariableTarget]::Machine )
 ENV SHIB_INSTALL_FILE=C:\\shibboleth-identity-provider-$IDP_VERSION-x64.msi
+ENV ENABLE_SEALER_KEY_ROTATION=True
 ###install Zulu Java
 RUN powershell (new-object System.Net.WebClient).Downloadfile('https://cdn.azul.com/zulu/bin/%JAVA_INSTALL_FILENAME%', 'C:\%JAVA_INSTALL_FILENAME%')
@@ -83,6 +84,9 @@ RUN C:/opt/shibboleth-idp/bin/build.bat -noinput -S -q -Didp.target.dir=c:/opt/s
 #link IdP's war file to Tomcat
 RUN mklink c:\Tomcat\webapps\idp.war c:\opt\shibboleth-idp\war\idp.war
+#copy sealer key rotation script
+COPY container_files/rotateSealerKey.ps1 c:\\opt\\shibboleth-idp\\bin\\rotateSealerKey.ps1
+
 #copy TIER beacon script
 RUN mkdir c:\util
 RUN mkdir c:\opt\certs
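Review bot: The new `ENV ENABLE_SEALER_KEY_ROTATION=True` is consumed by the rotation script through `$env:ENABLE_SEALER_KEY_ROTATION`, but that script is launched by Task Scheduler rather than by the container entrypoint, and the `RUN powershell [Environment]::SetEnvironmentVariable('JAVA_HOME', ...)` context line in this same hunk exists precisely because Docker `ENV` values are not visible to processes started that way. Unless it is confirmed that the task inherits the container environment, the script will read `$null` and never rotate. Mirroring the existing pattern with `RUN powershell [Environment]::SetEnvironmentVariable('ENABLE_SEALER_KEY_ROTATION', '%ENABLE_SEALER_KEY_ROTATION%', [System.EnvironmentVariableTarget]::Machine)` would make the switch take effect for the scheduled task, at the cost of no longer being overridable with `docker run -e`, which is worth stating. A comment on the ENV line such as `# gate for the daily sealer-key rotation task (bin\rotateSealerKey.ps1); set to anything but True to disable` would also help, since the consumer lives in another file.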
@@ -91,9 +95,11 @@ COPY container_files/sendtierbeacon.ps1 c:\\util
 #RUN powershell ($tm=((Get-Random -Minimum 0 -Maximum 4) -as [string]) + ":" + ((Get-Random -Minimum 0 -Maximum 60) -as [string]) ; start-process -filepath schtasks -passthru -wait -argumentlist '/create','/tn','\"Send TIER Beacon\"','/tr','c:\util\sendtierbeacon.ps1','/sc','DAILY','/st',"$tm"
 #The line above is triggering an apprent bug in docker or windows core (essentially invalid XML), the 2 lines below are the workaround
 COPY container_files/TIER_Beacon_Task.xml c:\\TIER_Beacon_Task.xml
+COPY container_files/Sealer_Key_Rotation_Task.xml c:\\Sealer_Key_Rotation_Task.xml
 RUN powershell schtasks /Create /XML c:\TIER_Beacon_Task.xml /TN 'TIER Beacon' ; $tm=((Get-Random -Minimum 0 -Maximum 4) -as [string]).padleft(2,'0') + ':' + ((Get-Random -Minimum 0 -Maximum 60) -as [string]).padleft(2,'0') ; schtasks /Change /TN 'TIER Beacon' /ST $tm
+RUN powershell schtasks /Create /XML c:\Sealer_Key_Rotation_Task.xml /TN 'Rotate IdP Sealer Key' ; $tm=(1 -as [string]).padleft(2,'0') + ':' + (0 -as [string]).padleft(2,'0') ; schtasks /Change /TN 'Rotate IdP Sealer Key' /ST $tm
 RUN del c:\TIER_Beacon_Task.xml
-
+RUN del c:\Sealer_Key_Rotation_Task.xml
 #################################################
 ### Settings for a burned-in config (default) ###
diff --git a/container_files/Sealer_Key_Rotation_Task.xml b/container_files/Sealer_Key_Rotation_Task.xml
new file mode 100644
index 0000000..3c3f101
Binary files /dev/null and b/container_files/Sealer_Key_Rotation_Task.xml differ
diff --git a/container_files/rotateSealerKey.ps1 b/container_files/rotateSealerKey.ps1
new file mode 100644
index 0000000..29385da
--- /dev/null
+++ b/container_files/rotateSealerKey.ps1
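Review bot: The `$tm=(1 -as [string]).padleft(2,'0') + ':' + (0 -as [string]).padleft(2,'0')` expression in the new RUN line is a copy of the beacon task's randomised start time with the randomness removed, and always evaluates to `01:00`; `schtasks /Change /TN 'Rotate IdP Sealer Key' /ST 01:00` says the same thing plainly, or the `/Change` step can be dropped entirely if the start time is already in the XML. Because every container built from this image fires at exactly 01:00, operators who populate `idp.sealer._sync_hosts` on several IdP nodes would have all of them rotate and push keys to one another at the same minute, with no node authoritative; documenting that only one node should run this task, e.g. `# NOTE: enable rotation on a single node only; peers receive the new key via the script's sync step`, would avoid that. The task definition is committed as a binary XML, so the principal it runs under and the command line it launches cannot be reviewed here; storing `Sealer_Key_Rotation_Task.xml` as UTF-8 would make those visible in future diffs.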
@@ -0,0 +1,59 @@
+#this script reads the sealer key configuration from the IdP's idp.properties file and rotates the sealer key
+Try {
+ $runthis = $env:ENABLE_SEALER_KEY_ROTATION
+ }
+Catch {
+ $runthis = 'True'
+ }
+
+If ($runthis -eq 'True') {
+ #settings
+ $IDP_HOME="c:\opt\shibboleth-idp"
+ $IDPPROP=$IDP_HOME + "\conf\idp.properties"
+ $JAVA_HOME="c:\zulujava\zulu-8"
+ #item below is only used if you have configured additional hosts to sync your sealer to
+ $SYNC_CRED="domain\user"
+
+ #get config from properties file
+ $storefile = (cat $IDPPROP | where { $_ -match "idp.sealer.storeResource"}).Split("=")[1].Trim().Replace("%{idp.home}", $IDP_HOME).Replace("/","\")
+ $versionfile = (cat $IDPPROP | where { $_ -match "idp.sealer.versionResource"}).Split("=")[1].Trim().Replace("%{idp.home}", $IDP_HOME).Replace("/","\")
+ $storepass = (cat $IDPPROP | where { $_ -match "idp.sealer.storePassword"}).Split("=")[1].Trim().Replace("{","`{").Replace("}","`}")
+ $alias = (cat $IDPPROP | where { $_ -match "idp.sealer.aliasBase"}).Split("=")[1].Trim()
+ try {
+ $count = (cat $IDPPROP | where { $_ -match "idp.sealer._count"}).Split("=")[1].Trim()
+ }
+ catch {
+ $count = 30
+ }
+ try {
+ $sync_hosts = (cat $IDPPROP | where { $_ -match "idp.sealer._sync_hosts"}).Split("=")[1].Trim()
+ }
+ catch {
+ $sync_hosts = $env:COMPUTERNAME
+ }
+
+
+ #Write-Host "Keystore:" $storefile
+ #Write-Host "Version File:" $versionfile
+ #Write-Host "Store Pass:" $storepass
+ #Write-Host "Alias:" $alias
+ #Write-Host "Count:" $count
+ #Write-Host "Sync Hosts:" $sync_hosts
+
+ #rotate key
+ $cmd = "${IDP_HOME}\bin\runclass.bat net.shibboleth.utilities.java.support.security.BasicKeystoreKeyStrategyTool --storefile $storefile --storepass `$storepass --versionfile $versionfile --alias $alias --count $count"
+ Invoke-Expression $cmd
+
+ #display current/new version
+ Write-Host "Current Key Version:" (cat $versionfile).split("=")[2].Trim()
+
+ #sync to other hosts
+ $sync_hosts.split(" ") | ForEach {
+ If ($_.Trim() = $env:COMPUTERNAME) {Write-Host "***skipping sync to local host"} Else {
+ Write-Host "Syncing to: $_"
+ $Session = New-PSSession -ComputerName "$_" -Credential $SYNC_CRED
+ Copy-Item $versionfile -Destination $IDP_HOME\credentials -ToSession $Session
+ }
+ }
+
+}
\ No newline at end of file
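Review bot: The local-host check in the sync loop uses `=` instead of `-eq`, so `If ($_.Trim() = $env:COMPUTERNAME)` is an assignment to a method result and PowerShell rejects the file at parse time, which means nothing in this script runs, not even the rotation. Fixing that exposes a second gap: only `$versionfile` is copied to peers, while the newly generated key is written into the keystore `$storefile`, so a peer that receives just the version file will point at a key version it does not hold. The rotation is executed with `Invoke-Expression` on a string assembled from idp.properties values, with `$storepass` backtick-escaped so the expression re-expands it; the call operator with direct arguments removes the re-parse, makes the brace-escaping `.Replace` calls on `$storepass` unnecessary, and allows `$LASTEXITCODE` to be checked before anything is synced. Separately, `(...).Split("=")[1]` truncates any property value containing `=`, `-match "idp.sealer.storePassword"` also matches a commented-out line, and a bare `"domain\user"` string passed to `-Credential` prompts interactively, which cannot work from a scheduled task; `-split '=',2` with an anchored `^idp\.sealer\.storePassword=` pattern and a credential read from a protected store would address those. The `Try`/`Catch` at the top never reaches its `Catch`, since reading an unset `$env:` variable yields `$null` rather than throwing, so the effective default is off rather than the `'True'` the fallback implies.
```powershell
# … unchanged: enable check, settings, properties parsing …

#rotate key
$tool = 'net.shibboleth.utilities.java.support.security.BasicKeystoreKeyStrategyTool'
& "$IDP_HOME\bin\runclass.bat" $tool --storefile $storefile --storepass $storepass --versionfile $versionfile --alias $alias --count $count
if ($LASTEXITCODE -ne 0) { throw "Sealer key rotation failed with exit code $LASTEXITCODE" }

# … unchanged: version display …

#sync to other hosts
$sync_hosts.split(" ") | ForEach {
    If ($_.Trim() -eq $env:COMPUTERNAME) { Write-Host "***skipping sync to local host" } Else {
        Write-Host "Syncing to: $_"
        $Session = New-PSSession -ComputerName "$_" -Credential $SYNC_CRED
        Try {
            # the new key lives in the keystore; the version file alone is useless to the peer
            Copy-Item $storefile -Destination $IDP_HOME\credentials -ToSession $Session
            Copy-Item $versionfile -Destination $IDP_HOME\credentials -ToSession $Session
        } Finally {
            Remove-PSSession $Session
        }
    }
}
```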