MISP2 uuendamine

wget -qO - https://artifactory.niis.org/api/gpg/key/public | apt-key add -
apt-add-repository "https://artifactory.niis.org/xroad-extensions-release-deb main"
apt update
# uuendab kogu tarkvara masinas
apt dist-upgrade

# NB! skript lubatud IP-de määramiseks lehele /misp2/admin
/usr/xtee/app/configure_admin_interface_ip.sh

    <Location "/*/admin/*">
        Order deny,allow
        Deny from all
        Allow from IP_address_or_all
    </Location>

# uue sertifikaadi allalaadmine
wget -O mid_sk_ee_2023.pem https://www.skidsolutions.eu/upload/files/mid_sk_ee_2023.pem.cer

# aliase nimi peab olema unikaalne, vajadusel muutke. 
# mobiil_id_truststore parool on kirjas /var/lib/tomcat8/webapps/misp2/WEB-INF/classes/config.cfg
keytool -importcert -file mid_sk_ee_2023.pem -alias mid_sk_cert_2023 -noprompt -keystore /var/lib/tomcat8/webapps/misp2/WEB-INF/classes/mobiili_id_trust_store.p12

# restart teenusele
service tomcat8 restart

# Muutke /var/lib/tomcat8/webapps/misp2/WEB-INF/classes/config.cfg faili sisu järgmiselt:
	auth.mobileID=true
	mobileID.rest.hostUrl = https://mid.sk.ee/mid-api või https://tsp.demo.sk.ee/mid-api
	mobileID.rest.relyingPartyUUID = SK_MID_UUID
	mobileID.rest.relyingPartyName = MID_DISPLAY_NAME
	mobileID.rest.pollingTimeoutSeconds = 60
	mobileID.rest.trustStore.password = TRUSTSTORE_PASS_default_secret
	mobileID.rest.trustStore.path = /mobiili_id_trust_store.p12


# NB! MID sertifikaadi import. Näide on toodangu Mobiil-ID sertifikaadiga. Vaikimisi on parooliks "secret"
	wget -O mid_sk_ee_2023.pem https://www.skidsolutions.eu/upload/files/mid_sk_ee_2023.pem.cer
	wget -O sk_esteid_2015_crt.pem https://www.sk.ee/upload/files/ESTEID-SK_2015.pem.crt
	wget -O sk_esteid_2016_crt.pem https://www.sk.ee/upload/files/EID-SK_2016.pem.crt
	keytool -importcert -file mid_sk_ee_2023.pem -alias mid_sk_cert_2023 -noprompt -keystore /var/lib/tomcat8/webapps/misp2/WEB-INF/classes/mobiili_id_trust_store.jks
	keytool -importcert -file sk_esteid_2015_crt.pem -alias sk_esteid_2015 -noprompt -keystore /var/lib/tomcat8/webapps/misp2/WEB-INF/classes/mobiili_id_trust_store.jks 
	keytool -importcert -file sk_esteid_2016_crt.pem -alias sk_esteid_2016 -noprompt -keystore /var/lib/tomcat8/webapps/misp2/WEB-INF/classes/mobiili_id_trust_store.jks 

# NB! Konverteerime JKS keystore ümber PKCS12 formaati (eeldusel, et keystore on loodud esmakordselt):
	keytool -importkeystore -srckeystore /var/lib/tomcat8/webapps/misp2/WEB-INF/classes/mobiili_id_trust_store.jks -destkeystore /var/lib/tomcat8/webapps/misp2/WEB-INF/classes/mobiili_id_trust_store.p12 -srcstoretype JKS -deststoretype PKCS12 -srcstorepass secret -deststorepass secret

# Faili õigused paika
	chown tomcat8:tomcat8 /var/lib/tomcat8/webapps/misp2/WEB-INF/classes/mobiili_id_trust_store.p12

# NB! Viimasena restartige MISP2
	service tomcat8 restart

# NB! Failis /etc/apache2/sites-enabled/ssl.conf
# vaja sisse kommenteerida rida 164 ja eemaldada lõpust "1", peab jääma:

SSLCADNRequestPath /etc/apache2/ssl/client_ca/

# NB! taaskäivitus:
service apache2 restart

sudo -i

cd /etc/apache2/ssl

wget -O sk_root_2011_crt.pem https://www.sk.ee/upload/files/EE_Certification_Centre_Root_CA.pem.crt
wget -O sk_root_2018_crt.pem https://c.sk.ee/EE-GovCA2018.pem.crt
wget -O sk_esteid_2011_crt.pem https://www.sk.ee/upload/files/ESTEID-SK_2011.pem.crt
wget -O sk_esteid_2015_crt.pem https://www.sk.ee/upload/files/ESTEID-SK_2015.pem.crt
wget -O sk_esteid_2018_crt.pem https://c.sk.ee/esteid2018.pem.crt
wget -O sk_esteid_2016_crt.pem https://www.sk.ee/upload/files/EID-SK_2016.pem.crt

mkdir client_ca
cp -v sk_esteid_2011_crt.pem sk_esteid_2015_crt.pem sk_esteid_2018_crt.pem client_ca/
openssl x509 -addtrust clientAuth -trustout -in sk_esteid_2011_crt.pem -out sk_esteid_2011_client_auth_trusted_crt.pem
openssl x509 -addtrust clientAuth -trustout -in sk_esteid_2015_crt.pem -out sk_esteid_2015_client_auth_trusted_crt.pem
openssl x509 -addtrust clientAuth -trustout -in sk_esteid_2018_crt.pem -out sk_esteid_2018_client_auth_trusted_crt.pem
openssl x509 -addtrust clientAuth -trustout -in sk_esteid_2016_crt.pem -out sk_esteid_2016_client_auth_trusted_crt.pem
rm sk_esteid_2011_crt.pem sk_esteid_2015_crt.pem sk_esteid_2018_crt.pem sk_esteid_2016_crt.pem

c_rehash client_ca/

openssl x509 -addreject clientAuth -trustout -in sk_root_2011_crt.pem -out sk_root_2011_CA_trusted_crt.pem
openssl x509 -addreject clientAuth -trustout -in sk_root_2018_crt.pem -out sk_root_2018_CA_trusted_crt.pem
rm sk_root_2011_crt.pem sk_root_2018_crt.pem

wget -O sk_esteid_ocsp.pem https://www.sk.ee/upload/files/SK_OCSP_RESPONDER_2011.pem.cer

./updatecrl.sh "norestart"
c_rehash ./

# Failis /etc/apache2/sites-enabled/ssl.conf vaja sisse kommenteerida rida 164 ja eemaldada lõpust "1", peab jääma:
SSLCADNRequestPath /etc/apache2/ssl/client_ca/

service apache2 restart

# Kirjuta ülesse, mis IP aadressitelt on hetkel lubatud külastada MISP2 admin lehte (Allow from...):
grep -A5 /admin /etc/apache2/sites-available/ssl.conf

# Lisa MISP2 repo ja NIISi pakkide võti: 
wget -qO - https://artifactory.niis.org/api/gpg/key/public | apt-key add -
apt-add-repository "https://artifactory.niis.org/xroad-extensions-release-deb main"
apt update

#Esmalt vaja uuendada misp2-base tarkvara (Vali "Yes", kui küsib sertifikaatide ja Apache2 uuendamise kohta) : 
apt-get install xtee-misp2-base

#Seejärel uuendada teised MISP2 komponendid: 
apt install xtee-misp2-postgresql xtee-misp2-application

#Kui vaja, siis käsitsi lisada tagasi admin liidese IP aadressid nagu need olid failis ssl.conf <Location "/*/admin/*"> ploki sees