Tuesday, June 18, 2013

Automate Adding Certificates to Datapower from Clearcase

I created a script that copies the certificates added to a Clearcase Vob in the last 2 days to a local folder.  From the local folder the script then verifies, using openssl, that these really are certificate files.  If everything verifies, it builds the connection script for Datapower and has DP pull the certificates into the shared certificate folder on the device.   JUST WHAT EVERY DATAPOWER ADMIN NEEDS!

My Datapower devices were previously set up for passwordless login, so you don't see a password when Datapower pulls the certificates onto the device.  The user agent holds the server key it uses to log in and grab them.
Because Datapower has to pull the files, I could not go to Clearcase directly.  Clearcase has to be initialized for each cron job, and Datapower has no way to attach to an existing session that has access to Clearcase.  All of this was easy to work around, but it explains why the certs are copied out of Clearcase into a local folder first.  That copy also works nicely as a logging mechanism if something fails: you know which certs didn't get loaded.

Use the script at your own risk.  It may contain errors so test it first in your environment.

#!/bin/sh
# The program will copy certs from the repository into the sharedcert directory.
# First the new certificates have to be copied to a local directory,
# then the commands are sent to Datapower to pull only the files moved to the new directory.
# The files are saved into a time stamp folder to know when they were added to the device.

# --- Configuration: the values below are placeholders, set them for your environment ---
cc_vob=/path/to/clearcase/vob            # Clearcase Vob holding the .cer files
si_folder=/path/to/local/cert/staging    # local folder the certs are staged in
si_loc=/path/to/local/cert/staging       # same folder, as it appears in the scp URL Datapower uses
si_files="$si_folder/*.cer"              # staged certificate files
scp_source=kcastellow@ddweb22            # user@host Datapower pulls the files from (server key in the user agent)
devices=/path/to/devices.txt             # device list for datapowers, one per line: ipaddress|servername|dp_domain
email=team@example.com                   # notification address (placeholder)
dp_user=bkupadmin                        # Datapower CLI login
dp_password_file=/path/to/dp_password    # file holding the CLI password, chmod 600, not written into the script
cert_commands_file=$si_folder/cert_commands.txt
cert_commands_execution_output=$si_folder/comm_executions.txt

dptime=`date +%m%d%y_%H%M%S`

#Generate list of new certs (modified in the last 2 days)
certlist=`find "$cc_vob" -name '*.cer' -mtime -2 -print`

#Test to see if there are any new certs found before building the command file
if [ -n "$certlist" ]; then

  #We have a new cert so email the team that it will be uploaded
  alert_mess="A new certificate was detected for the SI environment.  A follow up email should confirm or alert to any failures for the certificates.  Prepare for loading..."
  echo "$alert_mess" | mailx -s "NEW CERTIFICATE BEING PROCESSED" "$email"

  #Move the new certs to a local folder
  for certificate in $certlist
  do
    cp "$certificate" "$si_folder"
    #Verify the certificate is in the right format for the scripts to work nicely
    #Datapower can accept a certificate file in almost any format and read it correctly.
    #Openssl likes certs to be in base64 encoding so we will make the Base64 encoding the standard
    cert_data=`openssl x509 -noout -in "$certificate" -issuer -subject -dates -email`
    cert_valid=$?
    echo "$cert_valid"
    echo "$cert_data"
    if [ "$cert_valid" -ne 0 ]; then
      error_mess="The certificate is not the right format for everything to validate.  Update the $certificate and save it as Base64 binary encoding.  This will make everything consistent.  This script and the certificate will not be uploaded until it is corrected. No devices were updated by this script."
      echo "$error_mess" | mailx -s "CERTIFICATE FORMAT INCORRECT" "$email"
      exit 15
    fi
  done
  succs_mess="The certificates were validated to be in the Base64 Binary format.  The upload can proceed"
  echo "$succs_mess"

  #Get Datapower to pull the certs to the device

  # remove old files to make sure we create new files, instead
  # of appending to old ones
  rm -f "$cert_commands_file"
  rm -f "$cert_commands_execution_output"

  # create list of commands, in a file. These commands
  # will be sent to the DP ssh server after the login lines.
  # The login (user name and password) is fed to ssh separately so the
  # password never lands in this file, which is archived per device below.
  echo default >> "$cert_commands_file"
  echo configure terminal >> "$cert_commands_file"
  mkdir -p "$si_folder/$dptime"

  #Tell Datapower where to find files on local unix box
  for certfile in $si_files
  do
    cert=`basename "$certfile"`
    echo "copy -f scp://$scp_source$si_loc/$cert sharedcert:///$cert" >> "$cert_commands_file"
  done

  echo exit >> "$cert_commands_file"
  echo exit >> "$cert_commands_file"
  chmod 600 "$cert_commands_file"

  #Repeat the cert file upload using the same command file for each device in this environment
  while IFS='|' read ipaddress servername dp_domain
  do
    # redirect the output of the ssh session to a file, so we can check it for errors
    { echo "$dp_user"; cat "$dp_password_file"; cat "$cert_commands_file"; } \
      | ssh "$ipaddress" > "$cert_commands_execution_output"
    echo "$servername"
    echo "$dp_domain"
    cp "$cert_commands_file" "$si_folder/$dptime/${servername}_cert_commands.txt"
    cp "$cert_commands_execution_output" "$si_folder/$dptime/${servername}_comm_executions.txt"

    #This will verify there was no error in the upload based on logs created
    #Add another word to the or condition (failed|...) to include it as an error
    err_count=`grep -c -E 'failed' "$si_folder/$dptime/${servername}_comm_executions.txt"`
    echo "$err_count"
    if [ "$err_count" -ne 0 ]; then
      echo "ERROR has occurred in uploading certificate to $ipaddress $servername at $dptime !"
      error_mess="An error has occurred in the uploading of a certificate to the $ipaddress device.  Check that the device is operating properly.  The script will shut down and not perform any more uploads until this is corrected to prevent further damage."
      echo "$error_mess" | mailx -s "CERTIFICATE UPLOAD FAILURE" "$email"
      exit 15
    fi

    succs_mess="Certificates appear to be loaded successfully to the non-prod device at $ipaddress. Certs loaded are: $certlist"
    echo "$succs_mess"
    echo "$succs_mess" | mailx -s "CERTIFICATE UPLOAD SUCCESS" "$email"
  done < "$devices"

  #Move the files that were uploaded
  mv $si_files "$si_folder/$dptime"

else
  echo No New Certs Found.
fi
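As an added example (not the post's script), the openssl check the script relies on, written as a reusable function that goes a bit beyond the post's parse-only test: it accepts either Base64 (PEM) or binary DER input, writes a PEM copy so the staged file is always in the standard form the post wants, and rejects certificates that expire within 30 days. It assumes the openssl CLI is installed; the sample certificates are generated locally (constructed), and the file names are hypothetical.

```shell
#!/bin/sh
# Added example, not the post's script: validate a certificate the way the
# post's openssl step does, but also accept binary DER input (converted to
# PEM on the way through) and reject certs that expire within 30 days.
# Assumes the openssl CLI is installed.

# validate_cert <infile> <outfile>
# Writes a PEM copy of <infile> to <outfile>. Returns 0 for a parseable X.509
# cert (PEM or DER) still valid 30 days from now, 1 if the file is not a
# certificate, 2 if it expires too soon.
validate_cert() {
    in="$1"; out="$2"
    if openssl x509 -inform PEM -in "$in" -out "$out" >/dev/null 2>&1; then
        :   # Base64 (PEM): the standard the post wants
    elif openssl x509 -inform DER -in "$in" -out "$out" >/dev/null 2>&1; then
        :   # binary DER: now written out as PEM
    else
        return 1
    fi
    # -checkend N exits non-zero if the cert is not valid N seconds from now
    openssl x509 -in "$out" -noout -checkend 2592000 >/dev/null 2>&1 || return 2
    # print the same summary the post's script logs
    openssl x509 -in "$out" -noout -issuer -subject -dates
}

# Constructed inputs: throwaway self-signed certs in both encodings,
# a cert that expires in one day, and a file that is not a cert at all.
make_sample_certs() {
    dir="$1"
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=example.test" \
        -keyout "$dir/key.pem" -out "$dir/good.pem" >/dev/null 2>&1
    openssl x509 -in "$dir/good.pem" -outform DER -out "$dir/good.der"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=soon.test" \
        -keyout "$dir/key2.pem" -out "$dir/soon.pem" >/dev/null 2>&1
    printf 'not a certificate\n' > "$dir/bogus.cer"
}

# Stand-alone run: DEMO_DIR=/tmp/certs sh validate.sh
if [ -n "${DEMO_DIR:-}" ]; then
    mkdir -p "$DEMO_DIR" && make_sample_certs "$DEMO_DIR"
    for f in "$DEMO_DIR"/good.pem "$DEMO_DIR"/good.der "$DEMO_DIR"/soon.pem "$DEMO_DIR"/bogus.cer
    do
        validate_cert "$f" "$f.staged.pem"; echo "$f -> rc=$?"
    done
fi
```

Dropping a staged file into the script's loop with `validate_cert "$certificate" "$si_folder/$(basename "$certificate")"` in place of the bare `cp` gives the same Base64 standard the post asks for without bouncing the file back to the submitter.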
