@benlk
Created Jul 13, 2018
Poking around the Pulse VPN client required by OSU

From https://cse.osu.edu/computing-services/resources/remote-access, download the Debian 64-bit installer:

$ wget http://web.cse.ohio-state.edu/cs/vpn/ps-pulse-linux-5.3r4.2-b639-ubuntu-debian-64-bit-installer.deb
$ ar vx ps-pulse-linux-5.3r4.2-b639-ubuntu-debian-64-bit-installer.deb 
x - debian-binary
x - control.tar.gz
x - data.tar.gz

Unzip data.tar.gz and receive a directory named usr/:

$ tree usr/
usr/
└── local
    └── pulse
        ├── PulseClient_x86_64.sh
        ├── README
        ├── pulse
        │   ├── html
        │   │   ├── about.html
        │   │   ├── advancedConnDetails.html
        │   │   ├── config.html
        │   │   ├── css
        │   │   │   ├── bootstrap-theme.min.css
        │   │   │   └── bootstrap.min.css
        │   │   ├── fail.html
        │   │   ├── fonts
        │   │   │   ├── glyphicons-halflings-regular.eot
        │   │   │   ├── glyphicons-halflings-regular.svg
        │   │   │   ├── glyphicons-halflings-regular.ttf
        │   │   │   ├── glyphicons-halflings-regular.woff
        │   │   │   └── glyphicons-halflings-regular.woff2
        │   │   ├── images
        │   │   │   ├── Pulse\ Secure.html
        │   │   │   ├── Pulse-Secure-Logo-Small.png
        │   │   │   ├── Pulse-Secure.png
        │   │   │   └── Pulse-Secure128x128.png
        │   │   ├── index.html
        │   │   ├── js
        │   │   │   ├── bootbox.min.js
        │   │   │   ├── bootstrap.min.js
        │   │   │   ├── jquery.min.js
        │   │   │   └── prompt.js
        │   │   ├── manifest.json
        │   │   ├── pulseUi.html
        │   │   ├── schema.json
        │   │   └── showClientCerts.html
        │   ├── libpulseui.so_Ubuntu_16_x86_64
        │   ├── libpulseui.so_centos_6_x86_64
        │   ├── libpulseui.so_centos_7_x86_64
        │   ├── pulse.1.gz
        │   ├── pulseUi.desktop
        │   ├── pulseUi_Ubuntu_16_x86_64
        │   ├── pulseUi_centos_6_x86_64
        │   ├── pulseUi_centos_7_x86_64
        │   ├── pulsesvc
        │   └── pulseutil
        ├── pulse.tgz
        └── version.txt

8 directories, 38 files

Unzip control.tar.gz and receive a directory named control/:

$ tree control/
control/
├── control
├── postinst
└── prerm

0 directories, 3 files
$ cd control
$ file ./*
./control:  ASCII text
./postinst: Bourne-Again shell script text executable
./prerm:    Bourne-Again shell script text executable

Somewhere inside this .deb are the certs you'll need to connect without using the proprietary client.

This README document explains the following:
1) What are the pre-requisites to run the command line client?
2) How to launch the command line client?
3) How to launch the command line client with proxy?
4) How to check the status of the VPN connection?
5) How to terminate the command line client?
6) How to upload the pulse service logs into PCS server?
7) How to launch Pulse secure Linux UI:
8) How to install the dependency packages to run the UI?
9) How to install, remove and list Client Certificates

1) What are the pre-requisites to run the command line client?
- PCS IP address or hostname
- VPN user name and password
- PCS sign-in URL
- Proxy details like IP address/hostname, proxy username and password (If the client proxy is used)
- Realm

2) How to launch the command line client?
- The command line client can be launched using the command below:
For 32 bit client: /usr/local/pulse/PulseClient.sh -h <PCS appliance IP/hostname> -u <vpn username> -p <vpn password> -U <PCS SIGNINURL> -r <realm>
or
For 64 bit client: /usr/local/pulse/PulseClient_x86_64.sh -h <PCS appliance IP/hostname> -u <vpn username> -p <vpn password> -U <PCS SIGNINURL> -r <realm>
eg:
/usr/local/pulse/PulseClient.sh -h 10.209.118.244 -u user1 -p PulseSecure -U https://10.209.118.244 -r mobileusers
Note:
- The PulseClient.sh / PulseClient_x86_64.sh arguments are stored internally and these arguments will be reused later, if no arguments are provided.
Argument storage will be overwritten if a new set of arguments is provided to the script.
- The following command can be used to see the usage of the various options of the command line client.
For 32 bit client: /usr/local/pulse/PulseClient.sh -H
For 64 bit client: /usr/local/pulse/PulseClient_x86_64.sh -H
- In case the user doesn't want the password to be revealed, he can choose not to provide the password as a command line parameter. A prompt will be displayed to read the password.
- The script will install the dependent packages (glibc, zlib, nss) if these packages are not already installed.
- "-f" option is deprecated. CA certificate store is used to verify the PCS certificate.
In RHEL/CentOS/Fedora, "/etc/pki/tls/certs/ca-bundle.crt" is used as CA certificate store.
In Ubuntu, "/etc/ssl/certs/ca-certificates.crt" is used as CA certificate store.

3) How to launch the command line client with proxy?
- The command line client with proxy can be launched using the command below:
For 32 bit client: /usr/local/pulse/PulseClient.sh -h <PCS appliance IP/hostname> -u <vpn username> -p <vpn password> -U <PCS SIGNINURL> -y <proxy IP/hostname> -z <proxy port> -s <proxy username> -a <proxy password>
or
For 64 bit client: /usr/local/pulse/PulseClient_x86_64.sh -h <PCS appliance IP/hostname> -u <vpn username> -p <vpn password> -U <PCS SIGNINURL> -y <proxy IP/hostname> -z <proxy port> -s <proxy username> -a <proxy password>
Note:
- In case the user doesn't want to reveal the proxy password in the command line arguments, he can pass -I parameter instead of the proxy password parameter i.e. -a.
Then a prompt will be given to take the proxy password.

4) How to check the status of the VPN connection?
- The status of the VPN connection can be seen by giving the following command.
For 32 bit client: /usr/local/pulse/PulseClient.sh -S
or
For 64 bit client: /usr/local/pulse/PulseClient_x86_64.sh -S
Note:
- This command could take up to 10s to reflect the current state of the Pulse client.

5) How to terminate the command line client?
- The command line client can be terminated using the following command.
For 32 bit client: /usr/local/pulse/PulseClient.sh -K
or
For 64 bit client: /usr/local/pulse/PulseClient_x86_64.sh -K

6) How to upload the pulse service logs into PCS server?
- The command line client can be launched to upload the logs with the command below:
For 32 bit client: /usr/local/pulse/PulseClient.sh -h <PCS appliance IP/hostname> -u <vpn username> -p <vpn password> -g
or
For 64 bit client: /usr/local/pulse/PulseClient_x86_64.sh -h <PCS appliance IP/hostname> -u <vpn username> -p <vpn password> -g
Note:
- This command connects to PCS server and uploads the log into the server.

7) How to launch Pulse secure Linux UI:
Launch UI from the applications:
1) The UI launcher is installed in the applications tab.
2) The user has to go to applications and search for the "pulse secure" UI and launch it by clicking the icon.
Launch UI from the terminal:
1) Append /usr/local/pulse to LD_LIBRARY_PATH
example: export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/usr/local/pulse
3) Launch the UI by executing the below command
/usr/local/pulse/pulseUi

8) How to install the dependency packages to run the UI?
- The dependency packages for UI can be installed using the below command:
For 32 bit client: /usr/local/pulse/PulseClient.sh install_dependency_packages
or
For 64 bit client: /usr/local/pulse/PulseClient_x86_64.sh install_dependency_packages

9) How to install, remove and list client certificates
Below are commands to install, delete and list the client certificates using PulseClient.sh
These commands are only needed if the client certificate authentication is enabled i.e. PCS
needs end user client certificate for authentication.
For 32 bit client: /usr/local/pulse/PulseClient.sh install_certificates
[-inpfx < PFX file > ]
[-inpriv <private file> -inpub <public file>]
/usr/local/pulse/PulseClient.sh list_installed_certificates
or
For 64 bit client: /usr/local/pulse/PulseClient_x86_64.sh install_certificates
[-inpfx < PFX file > ]
[-inpriv <private file> -inpub <public file>]
/usr/local/pulse/PulseClient_x86_64.sh list_installed_certificates
Please use the list command to get the certName for delete.
For 32 bit client: /usr/local/pulse/PulseClient.sh delete_certificates -certName <Certificate Name>
OR
For 64 bit client: /usr/local/pulse/PulseClient_x86_64.sh delete_certificates -certName <Certificate Name>

#!/bin/bash
HOMEDIR=$HOME
INSTALLDIR=/usr/local/pulse
PULSEDIR=$HOME/.pulse_secure/pulse
PULSECERTDIR=$PULSEDIR/certificates
SVCNAME=pulsesvc
UTILNAME=pulseutil
LOG=$PULSEDIR/PulseClient.log
args=""
ive_ip=""
NOARGS=$#
SCRARGS=$@
OPENSSLCMD=openssl
SCRNAME=`basename $0`
SUPPORTED_OSTYPES_LIST=( CENTOS_6 CENTOS_7 UBUNTU_14 UBUNTU_15 UBUNTU_16 FEDORA RHEL_7 DEBIAN_8_9 UNSUPPORTED)
#RPM Based
CENTOS_6_DEPENDENCIES=( glibc \
nss-softokn-freebl \
zlib \
glib-networking \
webkitgtk \
xulrunner\
libproxy \
libXmu \
libproxy-gnome \
libproxy-mozjs)
CENTOS_6_DEPENDENCIES_WITH_VERSION=( glibc \
nss \
zlib \
glib-networking \
webkitgtk \
xulrunner \
libproxy \
libXmu \
libproxy-gnome \
libproxy-mozjs)
FEDORA_DEPENDENCIES=( glibc \
nss-softokn-freebl \
zlib \
glib-networking \
webkitgtk- \
libgnome-keyring \
xulrunner \
libproxy \
mozjs17 \
libproxy-mozjs \
libproxy-gnome)
FEDORA_DEPENDENCIES_WITH_VERSION=( glibc \
nss \
zlib \
glib-networking \
webkitgtk \
libgnome-keyring \
xulrunner \
libproxy \
mozjs17 \
libproxy-mozjs \
libproxy-gnome)
CENTOS_7_DEPENDENCIES=( glibc \
nss-softokn-freebl \
zlib \
glib-networking \
webkitgtk3 \
libgnome-keyring \
libproxy-gnome \
libproxy-mozjs \
libproxy )
CENTOS_7_DEPENDENCIES_WITH_VERSION=( glibc \
nss \
zlib \
glib-networking \
webkitgtk3 \
libgnome-keyring \
libproxy-gnome \
libproxy-mozjs \
libproxy )
RHEL_7_DEPENDENCIES=( glibc \
nss-softokn-freebl \
zlib \
glib-networking \
webkitgtk3 \
libgnome-keyring \
libproxy )
RHEL_7_DEPENDENCIES_WITH_VERSION=( glibc \
nss \
zlib \
glib-networking \
webkitgtk3-2.4.9-5.el7 \
libgnome-keyring \
libproxy )
#Debian Based
UBUNTU_14_DEPENDENCIES=( libc6 \
libwebkitgtk-1 \
libproxy1 \
libproxy1-plugin-gsettings \
libproxy1-plugin-webkit \
libdconf1 \
dconf-gsettings-backend)
UBUNTU_14_DEPENDENCIES_WITH_VERSION=( libc6 \
libwebkitgtk-1.0-0 \
libproxy1 \
libproxy1-plugin-gsettings \
libproxy1-plugin-webkit \
libdconf1 \
dconf-gsettings-backend)
UBUNTU_15_DEPENDENCIES=( libc6 \
libwebkitgtk-1 \
libproxy1 \
libproxy1-plugin-gsettings \
libproxy1-plugin-webkit \
libdconf1 \
libgnome-keyring0 \
dconf-gsettings-backend)
UBUNTU_15_DEPENDENCIES_WITH_VERSION=( libc6 \
libwebkitgtk-1.0-0 \
libproxy1 \
libproxy1-plugin-gsettings \
libproxy1-plugin-webkit \
libdconf1 \
libgnome-keyring0 \
dconf-gsettings-backend)
UBUNTU_16_DEPENDENCIES=( libc6 \
libwebkitgtk \
libproxy1 \
libproxy1-plugin-gsettings \
libproxy1-plugin-webkit \
libdconf1 \
libgnome-keyring0 \
dconf-gsettings-backend)
UBUNTU_16_DEPENDENCIES_WITH_VERSION=( libc6 \
libwebkitgtk-1.0-0 \
libproxy1 \
libproxy1-plugin-gsettings \
libproxy1-plugin-webkit \
libdconf1 \
libgnome-keyring0 \
dconf-gsettings-backend)
DEBIAN_8_9_DEPENDENCIES=( libc6 \
webkitgtk \
libproxy1 \
libproxy1-plugin-gsettings \
libproxy1-plugin-webkit \
libdconf1 \
libgnome-keyring0 \
dconf-gsettings-backend)
DEBIAN_8_9_DEPENDENCIES_WITH_VERSION=( libc6 \
libwebkitgtk-1.0-0 \
libproxy1 \
libproxy1-plugin-gsettings \
libproxy1-plugin-webkit \
libdconf1 \
libgnome-keyring0 \
dconf-gsettings-backend)
tam=${#SUPPORTED_OSTYPES_LIST[@]}
for ((i=0; i < $tam; i++)); do
name=${SUPPORTED_OSTYPES_LIST[i]}
declare -r ${name}=$i
done
install_deb() {
i=$1
sudo -v > /dev/null 2>/dev/null
echo $i
if [ $? -eq 0 ]; then
echo "sudo password : "
sudo apt-get install $i
if [ $? -ne 0 ]; then
echo "Failed to install dependencies.Please execute following command manually."
echo " apt-get install $i"
fi
else
echo "super user password : "
su -c "apt-get install $i"
if [ $? -ne 0 ]; then
echo "Failed to install dependencies.Please execute following command manually."
echo " apt-get install $i"
fi
fi
}
install_rpm_dnf() {
i=$1
sudo -v > /dev/null 2>/dev/null
if [ $? -eq 0 ]; then
echo "sudo password "
sudo dnf -y install $i
if [ $? -ne 0 ]; then
echo "Failed to install dependencies.Please execute following command manually."
echo " dnf install $i"
fi
else
echo "super user password "
su -c "dnf -y install $i"
if [ $? -ne 0 ]; then
echo "Failed to install dependencies.Please execute following command manually."
echo " dnf install $i"
fi
fi
}
install_rpm() {
i=$1
sudo -v > /dev/null 2>/dev/null
if [ $? -eq 0 ]; then
echo "sudo password "
sudo yum -y install $i
if [ $? -ne 0 ]; then
echo "Failed to install dependencies.Please execute following command manually."
echo " yum install $i"
fi
else
echo "super user password "
su -c "yum -y install $i"
if [ $? -ne 0 ]; then
echo "Failed to install dependencies.Please execute following command manually."
echo " yum install $i"
fi
fi
}
install_from_repo() {
url=$1
sudo -v > /dev/null 2>/dev/null
if [ $? -eq 0 ]; then
echo "sudo password "
sudo rpm -Uvh $url
if [ $? -ne 0 ]; then
echo "Failed to install dependencies.Please execute following command manually."
echo "rpm -Uvh $url"
fi
else
echo "super user password "
su -c " rpm -Uvh $url"
if [ $? -ne 0 ]; then
echo "Failed to install dependencies.Please execute following command manually."
echo " rpm -Uvh $url"
fi
fi
}
#determine the OS TYPE
determine_os_type() {
if [ -f /etc/centos-release ]; then
OS_MAJOR_VERSION=$(cat /etc/centos-release | grep -o '.[0-9]'| head -1|sed -e 's/ //')
if [ $OS_MAJOR_VERSION = 6 ]; then
OS_TYPE=${SUPPORTED_OSTYPES_LIST[$CENTOS_6]}
elif [ $OS_MAJOR_VERSION = 7 ]; then
OS_TYPE=${SUPPORTED_OSTYPES_LIST[$CENTOS_7]}
else
OS_TYPE=${SUPPORTED_OSTYPES_LIST[$UNSUPPORTED]}
fi
elif [ -f /etc/fedora-release ]; then
OS_TYPE=${SUPPORTED_OSTYPES_LIST[$FEDORA]}
elif [ -f /etc/redhat-release ]; then
OS_MAJOR_VERSION=$(cat /etc/redhat-release | grep -o '.[0-9]'| head -1|sed -e 's/ //')
if [ $OS_MAJOR_VERSION = 7 ]; then
OS_TYPE=${SUPPORTED_OSTYPES_LIST[$RHEL_7]}
else
OS_TYPE=${SUPPORTED_OSTYPES_LIST[$UNSUPPORTED]}
fi
else
OSNAME=$(lsb_release -d | grep -o "Ubuntu")
if [ "X$OSNAME" != "X" ]; then
UBUNTU_VER=$(lsb_release -d | grep -o '.[0-9]*\.'| head -1|sed -e 's/\s*//'|sed -e 's/\.//')
if [ $UBUNTU_VER = 14 ]; then
OS_TYPE=${SUPPORTED_OSTYPES_LIST[$UBUNTU_14]}
elif [ $UBUNTU_VER = 15 ]; then
OS_TYPE=${SUPPORTED_OSTYPES_LIST[$UBUNTU_15]}
elif [ $UBUNTU_VER = 16 ]; then
OS_TYPE=${SUPPORTED_OSTYPES_LIST[$UBUNTU_16]}
else
OS_TYPE=${SUPPORTED_OSTYPES_LIST[$UNSUPPORTED]}
fi
else
if [ -f /etc/debian_version ]; then
DEBIAN_MAJOR_VERSION=$(cat /etc/debian_version | grep -o '[0-9]'| head -1|sed -e 's/ //')
if [ $DEBIAN_MAJOR_VERSION = 8 ]; then
OS_TYPE=${SUPPORTED_OSTYPES_LIST[$DEBIAN_8_9]}
elif [ $DEBIAN_MAJOR_VERSION = 9 ]; then
OS_TYPE=${SUPPORTED_OSTYPES_LIST[$DEBIAN_8_9]}
else
OS_TYPE=${SUPPORTED_OSTYPES_LIST[$UNSUPPORTED]}
fi
else
OS_TYPE=${SUPPORTED_OSTYPES_LIST[$UNSUPPORTED]}
fi
fi
fi
}
check_and_install_missing_dependencies() {
echo "Checking for missing dependency packages ..."
if [ $OS_TYPE = ${SUPPORTED_OSTYPES_LIST[$UNSUPPORTED]} ]; then
return
fi
isRpmBased=0
isDebBased=0
dependencyListName=${OS_TYPE}_DEPENDENCIES
dependencyListNameWithVersion=${OS_TYPE}_DEPENDENCIES_WITH_VERSION
if [[ ($OS_TYPE = ${SUPPORTED_OSTYPES_LIST[$CENTOS_6]}) || \
($OS_TYPE = ${SUPPORTED_OSTYPES_LIST[$CENTOS_7]}) || \
($OS_TYPE = ${SUPPORTED_OSTYPES_LIST[$FEDORA]}) || \
($OS_TYPE = ${SUPPORTED_OSTYPES_LIST[$RHEL_7]}) ]]; then
isRpmBased=1
elif [[ ($OS_TYPE = ${SUPPORTED_OSTYPES_LIST[$UBUNTU_14]}) || \
($OS_TYPE = ${SUPPORTED_OSTYPES_LIST[$UBUNTU_15]}) || \
($OS_TYPE = ${SUPPORTED_OSTYPES_LIST[$UBUNTU_16]}) || \
($OS_TYPE = ${SUPPORTED_OSTYPES_LIST[$DEBIAN_8_9]}) ]]; then
isDebBased=1
fi
if [ $isRpmBased = 1 ]; then
eval "depListArr=(\${${dependencyListName}[@]})"
eval "depListArrWithVersion=(\${${dependencyListNameWithVersion}[@]})"
tam=${#depListArr[@]}
PKGREQ=""
for ((i=0; i < $tam; i++)); do
depPkgName=${depListArr[i]}
curPkgVar=`rpm -qa | grep -i $depPkgName | grep -i "x86_64"`
if [ "X$curPkgVar" = "X" ]; then
echo "$depPkgName is missing in the machine"
PKGREQ="$PKGREQ ${depListArrWithVersion[i]}"
fi
done
if [ "X" != "X$PKGREQ" ]; then
# Install respective packages based on the current installation
for i in `echo $PKGREQ`
do
if [ $OS_TYPE = ${SUPPORTED_OSTYPES_LIST[$FEDORA]} ]; then
install_rpm_dnf $i
else
install_rpm $i
fi
done
fi
elif [ $isDebBased = 1 ]; then
eval "depListArr=(\${${dependencyListName}[@]})"
eval "depListArrWithVersion=(\${${dependencyListNameWithVersion}[@]})"
tam=${#depListArr[@]}
PKGREQ=""
for ((i=0; i < $tam; i++)); do
depPkgName=${depListArr[i]}
curPkgVar=`dpkg-query -f '${binary:Package}\n' -W | grep -i $depPkgName| grep -i ":amd64" `
if [ "X$curPkgVar" = "X" ]; then
PKGREQ="$PKGREQ ${depListArrWithVersion[i]}"
fi
done
if [ "X$PKGREQ" != "X" ]; then
for i in `echo $PKGREQ`
do
install_deb $i
done
fi
echo ""
fi
}
######################################################################################################
# Function to verify if dependencies are installed
# Args : None
# Return : None
#function check_dep ()
#{
function command_line_client_checks()
{
echo "Checking for missing dependency packages for command line client ..."
if [ $OS_TYPE = ${SUPPORTED_OSTYPES_LIST[$UNSUPPORTED]} ]; then
return
fi
RPM_DIST=0
DPKG_DIST=0
if [[ ($OS_TYPE = ${SUPPORTED_OSTYPES_LIST[$CENTOS_6]}) || \
($OS_TYPE = ${SUPPORTED_OSTYPES_LIST[$CENTOS_7]}) || \
($OS_TYPE = ${SUPPORTED_OSTYPES_LIST[$FEDORA]}) || \
($OS_TYPE = ${SUPPORTED_OSTYPES_LIST[$RHEL_7]}) ]]; then
RPM_DIST=1
elif [[ ($OS_TYPE = ${SUPPORTED_OSTYPES_LIST[$UBUNTU_14]}) || \
($OS_TYPE = ${SUPPORTED_OSTYPES_LIST[$UBUNTU_15]}) || \
($OS_TYPE = ${SUPPORTED_OSTYPES_LIST[$UBUNTU_16]}) || \
($OS_TYPE = ${SUPPORTED_OSTYPES_LIST[$DEBIAN_8_9]}) ]]; then
DPKG_DIST=1
fi
if [ $RPM_DIST -eq 1 ]; then
PKGREQ=""
glibc=`rpm -qa | grep -i glibc | grep -i "x86_64"`
if [ "X$glibc" = "X" ]; then
echo "glibc is missing in the machine" > $LOG
PKGREQ="glibc"
fi
nss=`rpm -qa | grep -i nss-softokn-freebl | grep -i "x86_64"`
if [ "X$nss" = "X" ]; then
echo "nss is missing in the machine" > $LOG
PKGREQ="$PKGREQ nss"
fi
zlib=`rpm -qa | grep -i zlib | grep -i "x86_64"`
if [ "X$zlib" = "X" ]; then
echo "zlib is missing in the machine" > $LOG
PKGREQ="$PKGREQ zlib"
fi
if [ "X" != "X$PKGREQ" ]; then
sudo -v > /dev/null 2>/dev/null
if [ $? -eq 0 ]; then
echo "sudo password "
sudo yum -y install $PKGREQ
if [ $? -ne 0 ]; then
echo "Failed to install dependencies.Please execute following command manually."
echo " yum install $PKGREQ"
fi
else
echo "super user password "
su -c "yum -y install $PKGREQ"
if [ $? -ne 0 ]; then
echo "Failed to install dependencies.Please execute following command manually."
echo " yum install $PKGREQ"
fi
fi
fi
elif [ $DPKG_DIST -eq 1 ]; then
PKGREQ=""
libc=`dpkg-query -f '${binary:Package}\n' -W | grep -i libc6:amd64`
if [ "X$libc" = "X" ]; then
PKGREQ="libc6"
fi
if [ "X" != "X$PKGREQ" ]; then
sudo -v > /dev/null 2>/dev/null
if [ $? -eq 0 ]; then
echo "sudo password : "
sudo apt-get install $PKGREQ
if [ $? -ne 0 ]; then
echo "Failed to install dependencies.Please execute following command manually."
echo " apt-get install $PKGREQ"
fi
else
echo "super user password : "
su -c "apt-get install $PKGREQ"
if [ $? -ne 0 ]; then
echo "Failed to install dependencies.Please execute following command manually."
echo " apt-get install $PKGREQ"
fi
fi
fi
fi
if [ ! -e $INSTALLDIR ]; then
echo "Pulse is not installed. Please check if Pulse is installed properly"
exit 1
fi
# create $HOME/.pulse_secure/pulse/ directory
if [ ! -d $PULSEDIR ]; then
mkdir -p $PULSEDIR
if [ $? -ne 0 ]; then
echo "Setup is not able to create $PULSEDIR. Please check the permission"
exit 2
fi
fi
if [ $NOARGS -eq 0 ]; then
$INSTALLDIR/$SVCNAME -C -H
keyUsage
exit 0
fi
# LD_LIBRARY_PATH is updated to use /usr/local/pulse/libsoup-2.4.so in CentOS6.4
# This library will be present only in the case of CentOS6.4 but setting
# LD_LIBRARY_PATH for other platforms will not be harmful.
export LD_LIBRARY_PATH=/usr/local/pulse:$LD_LIBRARY_PATH
echo "executing command : $INSTALLDIR/$SVCNAME $args"
# -C option added to indicate service is launched from command line - hidden option
#args="-C $args"
# pass the args to pulsesvc binary
$INSTALLDIR/$SVCNAME -C $SCRARGS
}
function check_error ()
{
errorCode=$1
errorString=$2
if [ $1 != 0 ] && [ "X$errorString" != "X" ]; then
echo "ErrorMessage : $errorString"
exit 3
fi
}
function install_pfx()
{
filename=$1
keyFileBaseName=$(basename $filename)
keyFileName="${keyFileBaseName%.*}"
privKeyFileName="$PULSECERTDIR/$keyFileName-priv.pem"
pubKeyFileName="$PULSECERTDIR/$keyFileName-pub.pem"
# pkcs12 file format support starts here
if [ ! -f $filename ]; then
echo "$filename does not exists. Please check the pfx file location "
exit 2;
fi
warn_user_for_overwrite ${pubKeyFileName}
#$OPENSSLCMD pkcs12 -info -in $filename -passin pass:$password -nodes 2>/dev/null
#$OPENSSLCMD pkcs12 -info -in $filename -nodes 2>/dev/null
#check_error $? "$FUNCNAME: File Extension is .pfx/.p12 but content is not"
echo "Extracting Private Key from $filename"
$OPENSSLCMD pkcs12 -in $filename -nocerts -out $privKeyFileName -nodes
check_error $? "$FUNCNAME: Private key extraction failed"
echo "Extracting Public Key from $filename"
$OPENSSLCMD pkcs12 -in $filename -clcerts -nokeys -out $pubKeyFileName -nodes
check_error $? "$FUNCNAME: Public key extraction failed"
echo "Filename : $filename Password:$password "
$INSTALLDIR/$UTILNAME -K $privKeyFileName -C "${keyFileName}-pub"
if [ $? != 0 ]; then
#Failed to add private keys to gnome-keyring, remove the public certficate.
rm $pubKeyFileName
else
echo "Successfully added certificate to Pulse Certificate store."
fi
if [ "X$privKeyFileName" != "X" ]; then
rm $privKeyFileName
fi
}
function warn_user_for_overwrite()
{
certFile=$1
if [ -f $certFile ]; then
name=$(basename "$certFile" ".pem")
echo
echo "Client certificate with name ${name} already"\
"exists in pulse certficate store. New certificate will "\
"overwrite the exisitng one."
read -e -p "Do you want to continue[y/n]: " choice
if ! [[ "${choice:0:1}" == "Y" || "${choice:0:1}" == "y" ]]; then
echo "Aborting the certificate installation."
exit 0;
fi
fi
}
function check_cert_names_same()
{
priv=$1
pub=$2
priv=$(basename $priv)
priv=${priv%.*}
pub=$(basename $pub)
pub=${pub%.*}
if [ $priv != $pub ]; then
echo "Failed to install certificate. Both Private($priv) and Public($pub) certificate should have same name."
exit 0;
fi
}
function install_keys()
{
FILETYPE=$1
privKeyInFile=$2
privKeyOutFile=$3
FAIL=1
keytype="rsa dsa"
for i in `echo $keytype`
do
$OPENSSLCMD $i -inform $FILETYPE -in $privKeyInFile -out $privKeyOutFile 2>/dev/null
if [ $? == 0 ]; then
FAIL=0
break;
fi
done
check_error $FAIL "Failed to extract private keys. Supported keys are rsa and dsa"
}
function install_priv_pub_keys()
{
privKeyFilePath=$1
privKeyFileBaseName=$(basename $1)
privKeyFileName="${privKeyFileBaseName%.*}"
privKeyFileExt="${privKeyFileBaseName##*.}"
pubKeyFilePath=$2
pubKeyFileBaseName=$(basename $2)
pubKeyFileName="${pubKeyFileBaseName%.*}"
pubKeyFileExt="${pubKeyFileBaseName##*.}"
privKeyPEMFile="${privKeyFileName}_tmp.pem"
pubKeyPEMFile="$PULSECERTDIR/$pubKeyFileName.pem"
warn_user_for_overwrite ${pubKeyPEMFile}
# Public Key Handling
if [[ $pubKeyFileExt == *"p7b" || $pubKeyFileExt == *"p7c" ]]; then
openssl pkcs7 -print_certs -in $pubKeyFilePath -out $pubKeyPEMFile
check_error $? "$FUNCNAME: convert $pubKeyFileName to PEM format failed"
else
# pkcs 8 format should be given as pem/der file here
if [[ $pubKeyFileExt == *"der" || $pubKeyFileExt == *"cer" ]]; then
$OPENSSLCMD x509 -inform der -in $pubKeyFilePath -out $pubKeyPEMFile
check_error $? "$FUNCNAME: convert $pubKeyFileName to PEM format failed"
elif [[ $pubKeyFileExt == *"pem" || $pubKeyFileExt == *"crt" ||
$pubKeyFileExt == *"key" || $pubKeyFileExt == *"pub" ]]; then
cp $pubKeyFilePath $pubKeyPEMFile
else
check_error 1 "$FUNCNAME: Unknown Public Key File Format"
fi
fi
# Private Key Handling
if [[ $privKeyFileExt == *"der" || $privKeyFileExt == *"cer" ]]; then
install_keys "der" $privKeyFilePath $privKeyPEMFile
elif [[ $privKeyFileExt == *"pem" || $privKeyFileExt == *"crt" ||
$privKeyFileExt == *"key" ]]; then
# this command removes the password temporarily to install it in gnome-keyring
install_keys "pem" $privKeyFilePath $privKeyPEMFile
elif [[ $privKeyFileExt == *"pk8" ]]; then
install_keys "pkcs8" $privKeyFilePath $privKeyPEMFile
else
check_error 1 "$FUNCNAME: Unknown Private Key File Format"
fi
echo "Filename : $filename Password:$password "
$INSTALLDIR/$UTILNAME -K $privKeyPEMFile -C $pubKeyFileName
if [ $? != 0 ]; then
#Failed to add private keys to gnome-keyring, remove the public certficate.
rm $pubKeyPEMFile
else
echo "Successfully added certificate to Pulse Certificate store."
fi
if [ "X$privKeyPEMFile" != "X" ]; then
rm $privKeyPEMFile
fi
}
function keyUsage()
{
echo "Client Certificate Options:"
echo " $SCRNAME install_certificates "
echo " [-inpfx < PFX file > ]"
echo " [-inpriv <private file> -inpub <public file>]"
echo " Note: password is required for installing private and public keys separately."
echo " "
echo " $SCRNAME delete_certificates "
echo " [-certName <Certificate Name>]"
echo " $SCRNAME list_installed_certificates "
exit 1
}
######################################################################################################
# Function to install certificates
# Args : certificate details
# Return : None
# function install_certificate ()
function install_certificate()
{
echo
echo "Certficate is installing by user: \"$USER\" "\
"Please make sure that client certificates to be installed by logged in DESKTOP user only."
read -e -p "Do you want to continue[y/n]: " choice
if ! [[ "${choice:0:1}" == "Y" || "${choice:0:1}" == "y" ]]; then
echo "Aborting the certificate installation."
exit 0;
fi
privKeyFileName=""
pubKeyFileName=""
echo "install_certificate : $@"
while [ $# -gt 0 ]
do
case "$1" in
-inpfx) filename="$2"; shift;;
-inpriv) privKeyFileName="$2"; shift;;
-inpub) pubKeyFileName="$2"; shift;;
-*) keyUsage
esac
shift
done
if [ ! -d $PULSECERTDIR ]; then
echo "$PULSECERTDIR does not exists. Creating.."
mkdir -p $PULSECERTDIR
fi
if [[ $filename == *".pfx" || $filename == *".p12" ]]
then
install_pfx $filename
elif [ "X$privKeyFileName" != "X" ] && [ "X$pubKeyFileName" != "X" ]; then
echo "Private Key: $privKeyFileName and Public Key: $pubKeyFileName"
check_cert_names_same $privKeyFileName $pubKeyFileName
install_priv_pub_keys $privKeyFileName $pubKeyFileName
else
keyUsage
fi
}
# End of function install_certificate ()
######################################################################################################
######################################################################################################
# Function to delete certificates
# Args : certificate name
# Return : None
# function delete_certificate ()
function delete_certificate()
{
cert_name=""
echo "delete_certificate : $@"
while [ $# -gt 0 ]
do
case "$1" in
-certName) cert_name="$2"; shift;;
-*) keyUsage
esac
shift
done
if [ "X$cert_name" != "X" ]; then
echo "Certificate Name :$cert_name "
#Remove Private Key from Gnome-Keyring
$INSTALLDIR/$UTILNAME -D $cert_name
if [ -e $PULSECERTDIR/$cert_name.pem ]; then
rm -rf $PULSECERTDIR/$cert_name.pem
else
echo -e "Public key file $PULSECERTDIR/$cert_name.pem doesn't exists"
fi
else
keyUsage
fi
}
# End of function delete_certificate ()
#List the installed certificate in pulse certficate store.
function list_certificates()
{
for i in `ls $PULSECERTDIR/*.pem`;
do
name=$(basename "$i" ".pem")
echo -e "\nCertificate Name:" $name;
$OPENSSLCMD x509 -in $i -text | grep -i "Subject:\|Issuer:\|Validity\|Not Before\|Not After";
done
}
######################################################################################################
if [ "X$1" = "Xinstall_dependency_packages" ] ; then
determine_os_type
check_and_install_missing_dependencies
elif [ "X$1" = "Xinstall_certificates" ] ; then
install_certificate $SCRARGS
elif [ "X$1" = "Xdelete_certificates" ] ; then
delete_certificate $SCRARGS
elif [ "X$1" = "Xlist_installed_certificates" ] ; then
list_certificates
else
determine_os_type
command_line_client_checks
fi
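
The install_pfx function in the script above writes the -nodes (unencrypted) private key into $PULSECERTDIR under the caller's umask and removes it only on its last lines, so a failed certificate extraction exits through check_error with the key still on disk. A hardened variant of that step, as an added example that is not part of the vendor script, is sketched below. The names safe_install_pfx and PULSEUTIL are introduced here; the openssl pkcs12 options and the pulseutil -K/-C call are the ones the script itself uses.

```bash
#!/bin/bash
# Added example, not vendor code. OPENSSLCMD and PULSECERTDIR mirror the
# vendor script's variables; PULSEUTIL and safe_install_pfx are names
# introduced for this sketch.
OPENSSLCMD=${OPENSSLCMD:-openssl}
PULSEUTIL=${PULSEUTIL:-/usr/local/pulse/pulseutil}
PULSECERTDIR=${PULSECERTDIR:-$HOME/.pulse_secure/pulse/certificates}

# Usage: safe_install_pfx <file.pfx|file.p12>
# Returns 0 on success, 2 if the bundle is missing, 3 if extraction fails,
# 4 if the keyring import fails, 5 if the certificate cannot be stored.
safe_install_pfx() (
    # The body is a subshell, so umask, traps and variables do not leak
    # into the caller, and "exit" only ends this function.
    pfx=$1
    [ -f "$pfx" ] || { echo "$pfx does not exist" >&2; exit 2; }
    name=$(basename -- "$pfx")
    name=${name%.*}

    # Everything created from here on is readable by the owner only.
    umask 077
    workdir=$(mktemp -d) || exit 3
    # Remove the decrypted key on every exit path, including Ctrl-C at
    # the passphrase prompt.
    trap 'rm -rf -- "$workdir"' EXIT
    trap 'exit 130' INT TERM

    # -nodes writes the private key unencrypted, so it goes into the
    # private temp directory rather than the certificate store.
    "$OPENSSLCMD" pkcs12 -in "$pfx" -nocerts -nodes -out "$workdir/key.pem" || exit 3
    "$OPENSSLCMD" pkcs12 -in "$pfx" -clcerts -nokeys -out "$workdir/cert.pem" || exit 3

    # Same pulseutil call as the vendor script: -K key file, -C cert name.
    "$PULSEUTIL" -K "$workdir/key.pem" -C "${name}-pub" || exit 4

    # Publish the certificate only after the key import succeeded.
    mkdir -p -- "$PULSECERTDIR" || exit 5
    mv -- "$workdir/cert.pem" "$PULSECERTDIR/${name}-pub.pem" || exit 5
    echo "Added ${name}-pub to the Pulse certificate store."
)
```

As in the vendor script, openssl asks for the import password once per pkcs12 call; nothing in this function stores or echoes it.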