vcenter-cert-install-csript

#!/bin/bash

#VCSA SSO and vSphere Web Client Configuration Script

##
#   THIS PART ADDED BY BENNY SHTARK
#
#   IMPORTANT!
#   Create "A" record for IP of the server for the HOSTNAME first!
#
#   COPY THIS ENTIRE FOLDER WITH 4 CERTIFICATE FILES TO SOMEWHERE ON VCENTER.
#   THEN RUN FOLLOWING
#
#   chmod +x chcert.sh
#   ./chcert.sh <server>.example.com 'vmware@localhost' '1server.crt,2inter.crt,3root.crt' 4private.key <server>.example.com
#
#    of course, change replace <server> with the server actual HOSTNAME
#
#


#CHANGELOG - Version - 2012.10.08-01
# - Fixed logbrowser issue, per http://derek858.blogspot.com/2012/10/vmware-vcenter-51-installation-part-14.html
#CHANGELOG - Version - 2012.10.04-02
# - Fixed a typo in a variable name (again, whoops)
#CHANGELOG - Version - 2012.10.04-01
# - Minor updates to comments and command line output
# - Added toggle variable to disable undesired embedded services or leave them enabled
# - Added code to disable ssh as root
# - Added code to change the root password
# - Added code to set the SSO master password and the admin password (required to successfully add the AD domain as an identity source)
#CHANGELOG - Version - 2012.10.02-02
# - Fixed a typo in a variable name
#CHANGELOG - Version - 2012.10.02-01
# - Added comments in script header
# - Added code to remove dos line feeds from certificate files (typically due to incorrect transfer mode)
# - Added test that exits if the certificate change fails
# - Added test to make sure the private key file exists and was created with rsagen
# - Added test that exits if the the VCSA fails to join Active Directory
# - Added code before each exit to purge the bash history if any passwords are specified at the command line
# - Added code to add the AD domain to SSO as an identity source (sometimes SSO does this on it's own, sometimes it doesn't...)
# CHANGELOG - Version - 2012.10.01-01
# - Initial Release

#FEATURES - this script will
# 1. Accept the EULA
# 2. Configure the fully-qualified hostname
# 3. Join Active Directory (if desired)
# 4. Enable the embedded vCenter SSO service
# 5. Replace the self-signed SSL certs with those provided by a CA
# 6. Re-configure the vSphere Web Client and SSO service to function behind a load-balancer
# 7. Disable undesired embedded services (chkconfig <service> off): vcenter, inventory (for use with an external vCenter Server)
# 8. Set the SSO master password and the admin password
# 9. Add the AD domain as an SSO identity source
#10. Set the root password

# TODO
# - Configure AD domain as a default identity source
# - Configure SSO service with AD admin group
# - Configure Syslog target
# - Init script to fix hostname and search domain issues
# - Disable additional unnecessary/undesired services - logbrowser? netdumper? syslog-collector?

#PREREQUISITES and ASSUMPTIONS
# - Generate a trusted CA certificate for the VCSA. Be sure to include digitalSignature, keyEncipherment, dataEncipherment, serverAuth, and subjectAltName
# - This script requires certificate files for the server, intermediate CAs, and the root CA.
# - Certificate files must be in Base 64-encoded X.509 format. Be sure to use text transfer mode.
# - Configure the load balancer, if one will be used (it must be done before running the script)
# - This script is intended to be run against a VCSA that was just deployed from the OVF.
# - It is assumed that appliance usernames, passwords, services, and ports remain at their defaults.

#EXPECTED USAGE
# - Copy this script and the certificate files to the VCSA
# - Login as root
# - chmod +x <scriptname>
# - ./<scriptname> VCSA_HOSTFQDN LOCALOS_ADMIN_PASS CERT_CHAIN CERT_KEY VCENTER_SSO_ALIASFQDN 'AD_PASS' AD_USER AD_DOMAIN 'SSO_MASTER_PASS' 'SSO_ADMIN_PASS'
#
#Required Parameters:
# - VCSA_HOSTFQDN: Fully qualified hostname of the VCSA. i.e. 'hostname.domain.local'
# - LOCALOS_ADMIN_PASS: Password to set for the local root account. Use single quotes around the password. e.g. '\''1mR00t@localos'\'''
# - CERT_CHAIN: Comma-delimited, ordered list of certificate filenames. Files must be in current directory. Provide certificates for: the VCSA, intermediate CA(s), and the root CA. i.e. 'server.crt,intermediate.crt,root.crt'
# - CERT_KEY: Filename containing the private key for the VCSA certificate. i.e. 'rui.key'
# - VCENTER_SSO_ALIASFQDN: Fully-qualified name of the load-balanced alias for the vCenter Single-Sign On service. If no load balancer, just repeat the hostname.fqdn. i.e. 'vcsso.domain.local'
#Optional Parameters:
# - AD_PASS: Password of an Active Directory account that has permissions to join computers to the domain. Be sure to use single quotes around the password. i.e. 'Im@passw0rd.'
# - AD_USER: Username of an Active Directory account that has permissions to join computers to the domain. i.e. 'john.doe'
# - AD_DOMAIN: Domain name in dotted format. i.e. 'domain.local'
# - SSO_MASTER_PASS: Password to set for the SSO master. It is used to recover passwords. DO NOT LOSE THIS PASSWORD. e.g. '1mp0rt@nt'
# - SSO_ADMIN_PASS: Password to set for the SSO admin user. e.g. e.g. '1manSS0@dmin'

#CREDITS
# Scripts compiled and modified by:
# Loren Gordon
# lorenATfleet-it.com
#
# Original scripts by:
# William Lam
# www.virtuallyghetto.com
#
# Logbrowser fix by:
# Derek Seaman and Terafirma
# http://derek858.blogspot.com/2012/10/vmware-vcenter-51-installation-part-14.html

# User Configurations
VCSA_HOSTFQDN=${1:-UNSET}
LOCALOS_ADMIN_PASS=${2:-UNSET}
CERT_CHAIN=${3:-UNSET} # Format: Comma separated, ordered list of the server, intermediate, and root CA certs in Base 64 encoded X.509 format. i.e. server.crt,intermediate.crt,root.crt
CERT_KEY=${4:-UNSET}
VCENTER_SSO_ALIASFQDN=${5:-UNSET}
AD_PASS=${6:-UNSET}
AD_USER=${7:-UNSET}
AD_DOMAIN=${8:-UNSET} # Format: Dotted domain name. i.e. google.com, dodiis.net, etc
SSO_MASTER_PASS=${9:-UNSET}
SSO_ADMIN_PASS=${10:-UNSET}
LOCALOS_ADMIN_USER=root
VCENTER_SSO_PORT=7444 # 7444 is the default SSO port
LDAP_PROTO=ldaps    # ldaps or ldap
LDAP_PORT=3269      # 389 or 3268 for ldap, 636 or 3269 for ldaps
DISABLE_ROOT_SSH=0  # 1 to disable ssh for root; 0 to leave it enabled
DISABLE_UNDESIRED_SERVICES=0 # 1 to disable undesired services; 0 to leave them enabled

## DO NOT EDIT BEYOND HERE ##

VCSA_SHORTNAME=$(echo ${VCSA_HOSTFQDN} | cut -d. -f1)
SSO_SRV=${VCENTER_SSO_ALIASFQDN}:${VCENTER_SSO_PORT}
VI_REGTOOL=/usr/lib/vmware-sso/bin/vi_regtool
CERT_PATH=/root/${VCSA_HOSTFQDN}-certs
SSO_CERT=${CERT_PATH}/${VCENTER_SSO_ALIASFQDN}.crt
VCSA_CERT=${CERT_PATH}/rui.crt
VCSA_CERTKEY=${CERT_PATH}/rui.key
JOIN_AD=0

countdown()
{
#This function will pause while counting down from an input number to 0, displaying the decrementing count
  countdown=${1:-15}
  w=${#countdown}
  while [ ${countdown} -gt 0 ]
  do
    sleep 1 &
    printf " %${w}d\r" "$countdown"
    countdown=$(( $countdown - 1 ))
    wait
  done
  printf "\a"
} 2>/dev/null

if [ ! "${AD_PASS}" = "UNSET" ]; then JOIN_AD=1; fi

echo "Validating parameter count..."
CHECK_PARAMS=0
if [ $# -lt 5 ]; then CHECK_PARAMS=1; fi
if [ $# -gt 5 ] && [ ! $# -eq 10 ]; then CHECK_PARAMS=1; fi
if [ ${CHECK_PARAMS} -eq 1 ]; then
    echo 'ERROR: Incorrect parameter count.'
    echo 'This script requires a minimum of 5 parameters:'
    echo '    $1 is the hostname.f.q.d.n for the vCenter Server Appliance that is being configured. e.g. vcsa.domain.local'
    echo '    $2 is the password to set for the local root account. Use single quotes around the password. e.g. '\''1mR00t@localos'\'''
    echo '    $3 is a comma-delimited, ordered list of certificate filenames that form a complete certificate chain.'
    echo '         The certificates must be in Base 64-encoded X.509 format.'
    echo '         The order must be the server certificate, then the intermediate CA certificate(s), then the root CA certificate.'
    echo '         There can be as many intermediate CA certs as needed to complete the chain.'
    echo '         i.e. '\''server.crt,intermediate1.crt,intermediate2,root.crt'\'''
    echo '    $4 is the filename of the private key for the server certificate. Key must be RSA format.'
    echo '    $5 is the load-balanced alias.f.q.d.n for the vCenter Single-Sign On service. If not behind a load balancer, just repeat the hostname.fqdn'
    echo 'This script accepts another 5 optional parameters. These parameters are only required to join the system to Active Directory:'
    echo '    $6 is the password of the active directory user specified in the next parameter. Use single quotes around the password. e.g. '\''1man3X@mple'\'''
    echo '    $7 is the active directory username that will add the server to Active Directory. e.g. imausername'
    echo '    $8 is the Active Directory domain name in dotted format. e.g. google.com, dodiis.net, etc'
    echo '    $9 is the master password the script will set for the SSO service. It is used to recover passwords. DO NOT LOSE THIS PASSWORD. e.g. '\''1mp0rt@nt'\'''
    echo '    $10 is the password the script will set for the SSO admin user. e.g. e.g. '\''1manSS0@dmin'\'''
    echo 'Exiting...'
    echo "Purging .bash_history file to remove any passwords..."
    cat /dev/null > ~/.bash_history
    exit 1
fi

echo "Input parameters:"
echo "   VCSA_HOSTFQDN=${VCSA_HOSTFQDN}"
echo "   LOCALOS_ADMIN_PASS=${LOCALOS_ADMIN_PASS}"
echo "   CERT_CHAIN=${CERT_CHAIN}"
echo "   CERT_KEY=${CERT_KEY}"
echo "   VCENTER_SSO_ALIASFQDN=${VCENTER_SSO_ALIASFQDN}"
echo "   AD_PASS=${AD_PASS}"
echo "   AD_USER=${AD_USER}"
echo "   AD_DOMAIN=${AD_DOMAIN}"
echo "   SSO_MASTER_PASS=${SSO_MASTER_PASS}"
echo "   SSO_ADMIN_PASS=${SSO_ADMIN_PASS}"
echo "   VCENTER_SSO_PORT=${VCENTER_SSO_PORT}"
echo "   LDAP_PROTO=${LDAP_PROTO}"
echo "   LDAP_PORT=${LDAP_PORT}"
echo "Make sure the certificate files listed are in the current directory and all parameter values are correct."
echo "The CERT_CHAIN parameter must be in this order: servercert,intermediateCAcert,rootCAcert."
echo
read -e -p "Is everything ready to proceed [YES|NO]? (NO): " CHECK_VALUES
CHECK_VALUES=${CHECK_VALUES:-NO}

if [ ! "${CHECK_VALUES}" = "YES" ]; then
    echo "Exiting due to user response of NO or unrecognized input. Only a YES response will proceed. Please re-run the script when ready."
    echo "Purging .bash_history file to remove any passwords..."
    cat /dev/null > ~/.bash_history
    exit 1
fi

echo "Testing parameter values..."
CERT_CHAIN=$(echo ${CERT_CHAIN} | sed 's/,/ /g')
echo "Checking for certificate files: ${CERT_CHAIN}"
for file in ${CERT_CHAIN}
do
    if [ ! -e "${file}" ]; then
        echo "Certificate file not found: ${file}"
        echo "Check input values and make sure file is in the current directory. It is safe to re-run the script at this exit point."
        echo "Purging .bash_history file to remove any passwords..."
        cat /dev/null > ~/.bash_history
        exit 1
    fi
done
echo "Checking for certificate key: ${CERT_KEY}"
if [ ! -e "${CERT_KEY}" ]; then
    echo "Certificate key file not found: ${CERT_KEY}"
    echo "Check input values and make sure file is in the current directory. It is safe to re-run the script at this exit point."
    echo "Purging .bash_history file to remove any passwords..."
    cat /dev/null > ~/.bash_history
    exit 1
fi
echo "Checking that certificate key was created with rsagen: ${CERT_KEY}"
TEST_KEY=`grep RSA ${CERT_KEY}`
if [ -z "${TEST_KEY}" ]; then
    echo "Certificate key is not RSA format: ${CERT_KEY}"
    echo "Regenerate the key file as an RSA key; then generate a new certificate; then re-run the script."
    echo "Purging .bash_history file to remove any passwords..."
    cat /dev/null > ~/.bash_history
    exit 1
fi
echo "Parameter tests complete. Continuing..."

echo
echo "Accepting EULA ..."
/usr/sbin/vpxd_servicecfg eula accept

# NOTE: Upon reboot, one of the VMware init scripts does something strange to the hostname, so it shows up as 'hostname' rather
# than 'hostname.fqdn' in the lighttp UI (port 5480) and upon ssh login.
# Also, the VMware init scripts will re-write /etc/resolv.conf and wipe the DNS search domain.
# No fixes as of yet, but impact appears to be purely cosmetic.
# Perhaps a S99 init script will work around the problem...
echo "Configuring VCSA hostname (${VCSA_HOSTFQDN})..."
echo ${VCSA_HOSTFQDN} > /etc/HOSTNAME
/bin/hostname --file /etc/HOSTNAME
sed -i "s/localhost.localdom localhost/${VCSA_HOSTFQDN} ${VCSA_SHORTNAME}/g" /etc/hosts
IP_ADDR=`ifconfig eth0 | awk '/inet addr:/{print $2}' | awk -F":" '{print $2}'`

SEARCH_DOM=`hostname -d`
TESTSEARCH=`grep ${SEARCH_DOM} /etc/resolv.conf`
echo "Configuring DNS search suffix (${SEARCH_DOM})..."
if [ -z "${TESTSEARCH}" ]; then
    echo search ${SEARCH_DOM} >> /etc/resolv.conf
else
    echo "DNS search domain already configured. Skipping..."
fi

if [ ${JOIN_AD} -eq 1 ]; then
    echo "Configuring Active Directory ..."
    STATUS_JOINAD=`/usr/sbin/vpxd_servicecfg ad write "${AD_USER}" "${AD_PASS}" "${AD_DOMAIN}"`
    STATUS_JOINAD=`echo ${STATUS_JOINAD} | cut -d= -f2`
    if [ ! ${STATUS_JOINAD} -eq 0 ]; then
        echo "Failed to join Active Directory."
        echo "Command entered: /usr/sbin/vpxd_servicecfg ad write "${AD_USER}" "${AD_PASS}" "${AD_DOMAIN}""
        echo "Exit string: VC_CFG_RESULT=${STATUS_JOINAD}"
        echo "Exit code definition: $(grep ${STATUS_JOINAD} /usr/sbin/vpxd_servicecfg)"
        echo
        echo "Double check the username, password, and domain name; then re-run the script."
        echo "If the script continues failing at this point, re-deploy the VCSA from OVF and try again."
        echo "Purging .bash_history file to remove any passwords..."
        cat /dev/null > ~/.bash_history
        exit 1
    fi
    echo "VCSA joined to AD successfully. Return code is: VC_CFG_RESULT=${STATUS_JOINAD}"
    /opt/likewise/bin/lw-set-default-domain ${AD_DOMAIN}
fi

echo
echo "Enabling SSO and vSphere Web Client. This will take several minutes..."
/usr/sbin/vpxd_servicecfg sso write embedded

echo "Enabling embedded vCenter service. This is required to start the vCenter server and change the SSL certs successfully..."
/usr/sbin/vpxd_servicecfg db write embedded

echo "Starting vCenter service. This service must be started once to change the SSL certs successfully..."
service vmware-vpxd start

echo "Stopping services to update certificates..."
echo "Running 'service vmware-vpxd stop'"
service vmware-vpxd stop
echo "Running 'service vmware-sso stop'"
service vmware-sso stop

echo
### Create .crt chain
mkdir ${CERT_PATH}
cat /dev/null > ${VCSA_CERT} #Make sure the cert chain starts with an empty file
echo "Creating the server certificate chain with certificate files: ${CERT_CHAIN}"
for file in ${CERT_CHAIN}
do
    #Remove line feeds from incorrect transfer mode and append the cert to the chain file
    awk '{sub (/\r$/,"");print}' ${file} >> ${VCSA_CERT}
done

cp ${CERT_KEY} ${VCSA_CERTKEY} #Copy the key file to the expected location

echo "Saving self-signed root CA SSO certificate to /etc/ssl/certs/SSO-STS-Root.pem..."
cp /etc/ssl/certs/Embedded-SSO-Server-Root-CA.pem /etc/ssl/certs/SSO-STS-Root.pem

echo "Updating the SSL certficates. This will take a minute or so..."
STATUS_CERTCHANGE=`/usr/sbin/vpxd_servicecfg certificate change ${VCSA_CERT} ${VCSA_CERTKEY}`
STATUS_CERTCHANGE=`echo ${STATUS_CERTCHANGE} | cut -d= -f2`
if [ ! ${STATUS_CERTCHANGE} -eq 0 ]; then
    echo "Certificate change was unsuccessful."
    echo "Command entered: /usr/sbin/vpxd_servicecfg certificate change ${VCSA_CERT} ${VCSA_CERTKEY}"
    echo "Exit string: VC_CFG_RESULT=${STATUS_CERTCHANGE}"
    echo "Exit code definition: $(grep ${STATUS_CERTCHANGE} /usr/sbin/vpxd_servicecfg)"
    echo
    echo "Double check the certificates and the certificate order; then re-run the script."
    echo "Certificate order must be: server.crt,intermediateCA2.crt, intermediateCA1.crt, rootCA.crt"
    echo "If the script continues failing at this point, re-deploy the VCSA from OVF and try again."
    echo "Purging .bash_history file to remove any passwords..."
    cat /dev/null > ~/.bash_history
    exit 1
fi
echo "Certificate change successful. Return code is: VC_CFG_RESULT=${STATUS_CERTCHANGE}"

echo
echo "Starting services to complete certificate change..."
service vmware-vpxd start
service vmware-sso start
service vami-lighttp restart
service vsphere-client restart

echo "Sleeping 40 seconds to let the vSphere Web Client initialize..."
countdown 40

echo
echo "Setting root password..."
echo "${LOCALOS_ADMIN_PASS}" | passwd --stdin ${LOCALOS_ADMIN_USER}

${VI_REGTOOL} listServices https://${VCSA_HOSTFQDN}:${VCENTER_SSO_PORT}/lookupservice/sdk > /tmp/localservices

echo
echo "Re-configuring SSO to use load-balanced alias..."
#Build the properties files, per VMware KB2033588
cat > /tmp/sts.properties << ENDSTS
[service]
friendlyName=Security Token Service at ${VCENTER_SSO_ALIASFQDN}
version=1.0
type=urn:sso:sts
description=The Security Token Service of the Single Sign On server

[endpoint0]
uri=https://${SSO_SRV}/ims/STSService
ssl=${SSO_CERT}
protocol=wsTrust
ENDSTS
cat > /tmp/gc.properties << ENDGC
[service]
friendlyName=SSO Group Check Service at ${VCENTER_SSO_ALIASFQDN}
version=1.0
type=urn:sso:groupcheck
description=The Group Check interface of the Single Sign On server

[endpoint0]
uri=https://${SSO_SRV}/sso-adminserver/sdk
ssl=${SSO_CERT}
protocol=vmomi
ENDGC
cat > /tmp/admin.properties << ENDADMIN
[service]
friendlyName=SSO Administration Service at ${VCENTER_SSO_ALIASFQDN}
version=1.0
type=urn:sso:admin
description=The Administration Service of the Single Sign On server

[endpoint0]
uri=https://${SSO_SRV}/sso-adminserver/sdk
ssl=${SSO_CERT}
protocol=vmomi
ENDADMIN

#Write files containing the SSO Service IDs
grep -B2 type=urn:sso:sts /tmp/localservices | grep serviceId | cut -d= -f2 > /tmp/sts.id
grep -B2 type=urn:sso:groupcheck /tmp/localservices | grep serviceId | cut -d= -f2 > /tmp/gc.id
grep -B2 type=urn:sso:admin /tmp/localservices | grep serviceId | cut -d= -f2 > /tmp/admin.id

#Get SSL certificate for ${SSO_SRV}
echo "Retrieving ${SSO_SRV} SSL Certificate"
echo "" | openssl s_client -connect ${SSO_SRV} 2> /dev/null 1> /tmp/cert

echo "Storing ${SSO_SRV} SSL Certificate in ${SSO_CERT}"
openssl x509 -in /tmp/cert > ${SSO_CERT}

echo "Adding Lookup Service URL to /etc/vmware/ls_url.txt & /etc/vmware-sso/ls_url.txt"
cp /etc/vmware/ls_url.txt /etc/vmware/ls_url.txt.bak
cp /etc/vmware-sso/ls_url.txt /etc/vmware-sso/ls_url.txt.bak
echo "https://${SSO_SRV}/lookupservice/sdk" > /etc/vmware/ls_url.txt
echo "https://${SSO_SRV}/lookupservice/sdk" > /etc/vmware-sso/ls_url.txt

#Update the SSO services
echo "Updating SSO services...(this won't work behind a load balancer if the SSL certs didn't update successfully)"
${VI_REGTOOL} updateService -d https://${VCSA_HOSTFQDN}:${VCENTER_SSO_PORT}/lookupservice/sdk -u ${LOCALOS_ADMIN_USER} -p ${LOCALOS_ADMIN_PASS} -si /tmp/sts.id -ip /tmp/sts.properties
${VI_REGTOOL} updateService -d https://${VCSA_HOSTFQDN}:${VCENTER_SSO_PORT}/lookupservice/sdk -u ${LOCALOS_ADMIN_USER} -p ${LOCALOS_ADMIN_PASS} -si /tmp/gc.id -ip /tmp/gc.properties
${VI_REGTOOL} updateService -d https://${VCSA_HOSTFQDN}:${VCENTER_SSO_PORT}/lookupservice/sdk -u ${LOCALOS_ADMIN_USER} -p ${LOCALOS_ADMIN_PASS} -si /tmp/admin.id -ip /tmp/admin.properties

#Fix the logbrowser service
#Internally, it seems the logbrowser service needs to trust the self-signed certificate for some yet-unknown reason
echo
echo "Repointing the logbrowser service to the saved self-signed certificate..."
sed -i.bak 's/.*sso-certs=.*/sso-certs=\/etc\/ssl\/certs\/SSO-STS-Root.pem/' /usr/lib/vmware-logbrowser/conf/logbrowser.properties
service vmware-logbrowser restart

#####
#Next section stops, disables, and unregisters the undesired local services and solution users
#If the local vpxd service is stopped but not unregistered, there will be an error when logging into the web client
#####
if [ ${DISABLE_UNDESIRED_SERVICES} -eq 1 ]; then
    echo
    echo "Disabling undesired services..."
    echo "Running 'service vmware-vpxd stop'"
    service vmware-vpxd stop

    echo "Disabling the vCenter service with 'chkconfig vmware-vpxd off'"
    chkconfig vmware-vpxd off

    echo "Removing local vpxd solution user..."
    VPXD_USER=$(grep ownerId=vpxd /tmp/localservices | cut -d= -f2 | cut -d@ -f1)
    ${VI_REGTOOL} unregisterSolution -d https://${SSO_SRV}/lookupservice/sdk -u ${LOCALOS_ADMIN_USER} -p ${LOCALOS_ADMIN_PASS} -su ${VPXD_USER}

    echo "Removing local vpxd service registration..."
    grep -B1 serviceName="vpxd" /tmp/localservices | grep serviceId | cut -d= -f2 > /tmp/vpxd.id
    ${VI_REGTOOL} unregisterService -d https://${SSO_SRV}/lookupservice/sdk -u ${LOCALOS_ADMIN_USER} -p ${LOCALOS_ADMIN_PASS} -si /tmp/vpxd.id
    rm /tmp/vpxd.id

    echo "Running 'service vmware-inventoryservice stop'"
    service vmware-inventoryservice stop

    echo "Disabling the Inventory service with 'chkconfig vmware-inventoryservice off'"
    chkconfig vmware-inventoryservice off
fi
####

#
# Add AD domain as an SSO identity source
# Command may fail if there are certificate or SSL problems with the DC
#
if [ ${JOIN_AD} -eq 1 ]; then
    echo
    echo "Resetting the SSO master password..."
    source /etc/vmware-sso/keys/recovery.cfg
    /usr/lib/vmware-sso/utils/ssowrench manage-secrets -a change -u "${SSO_RECOVERY_USERNAME}" -p "${SSO_RECOVERY_PASSWORD}" -N "${SSO_MASTER_PASS}"

    echo "Resetting the SSO admin password..."
    /usr/lib/vmware-sso/utils/ssowrench reset-admin-password -u admin -p "${SSO_ADMIN_PASS}" -m "${SSO_MASTER_PASS}"

    echo "Attempting to identify two domain controllers..."
    DC1=`dig any _gc._tcp.${AD_DOMAIN} | grep -A2 ";; ADDITIONAL" | grep IN | awk -F". " 'NR==1{print $1}'`
    DC2=`dig any _gc._tcp.${AD_DOMAIN} | grep -A2 ";; ADDITIONAL" | grep IN | awk -F". " 'NR==2{print $1}'`
    AD_ALIAS=`/opt/likewise/bin/lw-get-status |awk '/Netbios name:/{print $3}'`
    if [ ! -z "${DC1}" ] && [ ! -z "${DC2}" ]; then
        echo "Found ${DC1} and ${DC2}."
        echo "Attempting to add ${AD_DOMAIN} as an SSO identity source..."
        echo "Running command: /usr/lib/vmware-sso/utils/ssowrench manage-identity-sources -a create -u admin -p ${SSO_ADMIN_PASS} -S -X -r ${LDAP_PROTO}://${DC1}:${LDAP_PORT} -f ${LDAP_PROTO}://${DC2}:${LDAP_PORT} -L ${AD_USER}@${AD_DOMAIN} -P ${AD_PASS} -d ${AD_DOMAIN} -l ${AD_ALIAS} --use-gssapi"
        /usr/lib/vmware-sso/utils/ssowrench manage-identity-sources -a create -u admin -p "${SSO_ADMIN_PASS}" -S -X -r ${LDAP_PROTO}://${DC1}:${LDAP_PORT} -f ${LDAP_PROTO}://${DC2}:${LDAP_PORT} -L ${AD_USER}@${AD_DOMAIN} -P "${AD_PASS}" -d ${AD_DOMAIN} -l ${AD_ALIAS} --use-gssapi
        echo
        echo "Sometimes there's a problem with the VCSA when adding the domain as an identity source. "
        echo "If there is an error message, try adding the identity source manually via the vSphere Web Client."
        echo "If that fails, try resetting the computer account in active directory and re-deploying the VCSA."
    else
        echo "Couldn't identify domain controllers. Manually add the domain as an SSO identity source."
    fi
fi

if [ "${DISABLE_ROOT_SSH}" -eq 1 ]; then
    echo
    echo "Disabling ssh as root..."
    sed -i.bak 's/.*PermitRootLogin.*/PermitRootLogin no/' /etc/ssh/sshd_config
    service sshd restart
fi

#Purge passwords from bash history
#Technically, this shouldn't do anything since the history file is written on exit and this *should* be a newly deployed VCSA... :)"
echo
echo "Purging .bash_history file to remove passwords..."
cat /dev/null > ~/.bash_history

echo
echo "VCSA configuration completed. Run 'history -c' to remove "
echo "passwords from the command line history of the current "
echo "shell session or they will be written to the history file. "
echo "Then run 'reboot' to restart the VCSA."