#!/bin/sh 
#
# Copyright 2001 Sun Microsystems, Inc. All Rights Reserved
#
# pragma ident @(#)configure.sh	3.75 01/12/28 Sun Microsystems, Inc.
#
# Install script for bootstrapping SunScreen after a
# fresh installation of SKIP and SunScreen .
#
# For this script to work the following must be completed:
#    1. SKIP packages are installed
#    2. SunScreen packages are installed
#    3. the machine was rebooted (to start SKIP)
#
# Exit Codes:
#    0       success
#    1       configuration directory not writable
#    2       missing packages
#    3       bad argument
#    4       invalid security level selected
#    5       error occurred during compilation
#    6       error occurred activating the configuration
#    7       executed from an NFS mount
#    8       no interfaces with stealth
#    9       error during certificate installation
#

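#
# Locate the installed SunScreen tree and source its environment.  The
# *_DIR variables used below (BIN_DIR, SSADM_DIR, LIB_DIR, ETC_DIR, VAR_DIR)
# are expected to come from .ssenv.profile; this script does not set them.
#
if read SUNSCREEN_BASE </etc/sunscreen/location
then . "$SUNSCREEN_BASE/lib/.ssenv.profile"
fi

unset SSADM_ISATTY

# NOTE(review): when the *_DIR variables are unset the leading PATH
# components are empty, i.e. the current directory - confirm that
# .ssenv.profile always defines them before the PATH lookups below.
PATH="$BIN_DIR:$SSADM_DIR:$LIB_DIR:/usr/bin:/bin"
export PATH

CONFIGS=$ETC_DIR/configs

#
# Exit 1 unless the configuration directory is writable
# NOTE(review): LS() is only defined further down this file; unless
# .ssenv.profile provides one, this call fails with "LS: not found" and
# only the path is printed - confirm.
#
if [ ! -w "$CONFIGS" ]; then
    echo "`LS 200 "ERROR: "` $CONFIGS `LS 206 " not writable.  If you installing from miniroot, reboot and re-run ssadm configure."`"
  exit 1
fi

#
# Trusted Solaris (uname -v starts with "TS"): hand over to configure_ts
# under pfexec, once.  FIRST_TIME is exported so that a re-entry into this
# script from that path does not loop; the exit status of configure_ts is
# not propagated (exit 0 regardless).
#
OSTYPE=`uname -v | cut -c1-2`
if [ "$OSTYPE" = TS ]; then
    if [ -z "$FIRST_TIME" ] ; then
	FIRST_TIME="COMPLETE"
	export FIRST_TIME
        /usr/bin/pfexec $SSADM_DIR/configure_ts "$@" 2>/dev/null
        exit 0
    fi
fi

#
# Screen name: cached in $ETC_DIR/name, seeded from the hostname on first
# run.  The 2>/dev/null is placed before the input redirection so that a
# missing file is silent (redirections are processed left to right).
#
read SCREENNAME 2>/dev/null <$ETC_DIR/name || {
	SCREENNAME=`uname -n`
	echo "$SCREENNAME" >$ETC_DIR/name
}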

#
# Defaults
#
#
# Defaults.  An empty value means "not given on the command line, ask the
# user interactively" (or leave the feature off, depending on the setting).
#
POLICY=Initial          # name of the policy that is created and activated
CERT_TYPE=SKIP_UDH      # self-generated SKIP certificates unless -u / +k
CERT_DISC=CDP           # certificate discovery on unless -c

SCREEN_TYPE=    LOAD_CERTS=     CERT_CMD=
LOCAL_ADMIN=    REMOTE_ADMIN=   ADMIN_IF=
SECURITY_LEVEL= ROUTING=        NAME_SERVICE=

#
# suppress stdin/stdout IO when run from a wizard
#
#
# msg TEXT... - echo TEXT unless running under the wizard (-w), which
# turns off this script's own console output.
#
wizard=false
msg() {
  case $wizard in
    false) echo "$*" ;;
  esac
}

set_num=130     # SI18N_INST_SS_INSTALL - message catalog set used by LS()

#
# LS MSG_NUM DEFAULT_TEXT... - localize a string.
# Looks message MSG_NUM up in set $set_num through $LIB_DIR/catgets,
# passing DEFAULT_TEXT as the fallback; when catgets is not installed the
# English default is echoed as is.
#
LS() {
	msg_num=$1
	shift
	if [ ! -x ${LIB_DIR}/catgets ]; then
		echo "$*"
		return
	fi
	${LIB_DIR}/catgets $set_num $msg_num "$*"
}


#
# print_banner - clear the screen, show the installation banner and the
# prerequisites reminder, then wait for ENTER (Control-C aborts the script).
# The localized text is used as the printf format so the "\n" sequences
# embedded in the messages are expanded.
#
print_banner() {
  clear
  banner_text=`LS 10 '         SunScreen Installation Script'`
  note_text=`LS 11 'NOTE: For this script to work, you MUST have already installed \nthe prerequisite Solaris packages; added the SunScreen \npackages and rebooted the machine.'`
  prompt_text=`LS 12 'If you have done this, press ENTER to continue;\notherwise, press Control-C to abort.'`
  printf "$banner_text\n\n"
  printf "$note_text\n\n"
  printf "$prompt_text\n"
  read RETURN
}

#
# usage_line MSG_NUM TEXT - one option description, localized through LS()
# and printed through msg() so the wizard does not see it.
#
usage_line() {
  msg `LS "$@"`
}

#
# usage - print the command line synopsis followed by one line per option.
#
usage() {
  msg "$0 [-a LOCAL|REMOTE|BOTH] [-i admin_interface] [-t ROUTING|STEALTH] [-s RESTRICTIVE|SECURE|PERMISSIVE] [-/+l] [-n] [+n DNS|NIS|NIS_DNS] [-/+r] [-/+c] [+/-u]"
  usage_line 20 "    -a set the admin type: LOCAL, REMOTE, BOTH"
  usage_line 31 "    -i set the admin interface"
  usage_line 21 "    -t screen type: ROUTING, STEALTH"
  usage_line 22 "    -s set the security level: RESTRICTIVE, SECURE, PERMISSIVE"
  usage_line 23 "    -l no keys provided in arguments"
  usage_line 24 "    +l use keys provided from arguements"
  usage_line 25 "    -n turn off name service"
  usage_line 26 "    +n turn on name service and use NIS, DNS or NIS_DNS"
  usage_line 27 "    +/-r turn on/off routing"
  usage_line 28 "    -u use certificates issued by a Certificate Authority(CA)"
  usage_line 29 "    +u use self-generated certificates (default)"
  usage_line 30 "    +/-c turn on/off certificate discovery"
}

#
# set_screen_type - ask whether this Screen routes or bridges (stealth).
# Sets SCREEN_TYPE to ROUTING or STEALTH; a stealth Screen additionally
# gets ROUTING="ROUTING" and SECURITY_LEVEL=0 (no security level menu).
# Re-prompts until a recognized answer is typed.
#
set_screen_type() {
  clear
  title=`LS 40 '                           Screen Type'`
  printf "$title\n\n"
  explain=`LS 41 'Will this screen be used as a router or will it be used as a bridge\nproviding stealth. This will affect how the interfaces are initialized.\nFor routing Screens, each interface will be set up as an routing interface.  For \na stealth Screen, there should only be one interface available which will be \ndedicated to Screen administration.'`
  printf "$explain\n"

  SCREEN_TYPE=""
  until [ -n "$SCREEN_TYPE" ]
  do
     echo ""
     echo "1. `LS 42 'ROUTING'`"
     echo "2. `LS 43 'STEALTH'`"
     echo ""
     echo "`LS 44 'Screen Type?'` (1|2)"
     read S_TYPE
     case $S_TYPE in
     1|R|r|ROUTING|Routing|routing)
        SCREEN_TYPE=ROUTING
        ;;
     2|S|s|STEALTH|Stealth|stealth)
        SCREEN_TYPE=STEALTH
        ROUTING=ROUTING
        SECURITY_LEVEL=0
        ;;
     esac
  done
}

#
# set_admin - ask how the Screen will be administered.
# Sets LOCAL_ADMIN / REMOTE_ADMIN to YES or NO and LOAD_CERTS to YES
# whenever a remote administration station is involved (certificates are
# installed later in that case).  The screen is cleared only when not
# running under the wizard.  Re-prompts until a recognized answer is typed.
#
set_admin() {
  case $wizard in
    false) clear ;;
  esac

  title=`LS 50 '                           Remote Administration'`
  printf "$title\n\n"
  explain=`LS 51 'Do you plan to administer this Screen from a remote administration station?\nTo do so, you will need to install the SunScreen administration packages,\nSKIP, and a local key onto the administration station before continuing this\nscript.  If you choose local administration, all administration of this\nScreen will be done locally.'`
  printf "$explain\n"

  LOCAL_ADMIN=""
  until [ -n "$LOCAL_ADMIN" ]
  do
     echo ""
     echo "1. `LS 52 'LOCAL'`"
     echo "2. `LS 53 'REMOTE'`"
     echo "3. `LS 54 'BOTH'`"
     echo ""
     echo "`LS 55 'Local, remote or both methods of administration?'` (1|2|3)"
     read ADMIN
     case $ADMIN in
     1|L|l|LOCAL|local)
        LOAD_CERTS=NO  LOCAL_ADMIN=YES REMOTE_ADMIN=NO ;;
     2|R|r|REMOTE|remote)
        LOAD_CERTS=YES LOCAL_ADMIN=NO  REMOTE_ADMIN=YES ;;
     3|B|b|BOTH|both)
        LOAD_CERTS=YES LOCAL_ADMIN=YES REMOTE_ADMIN=YES ;;
     esac
  done
}

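set_admin_if() {

  #
  # Ask the user which interface is to be used as the admin interface.
  # Reads INTERFACE_LIST (space separated, set in main from `interfaces`)
  # and sets ADMIN_IF to the name the user typed; re-prompts until the
  # answer matches one of the listed names exactly.
  #

  if [ "$wizard" = "false" ]
  then
    clear
  fi

  lmsg=`LS 56 '                           Administration Interface'`
  printf "$lmsg\n\n"
  lmsg=`LS 57 'Select the network interface to be used as the remote\n administration interface'`
  printf "$lmsg\n"

  ADMIN_IF=""
  while [ "$ADMIN_IF" = "" ]
  do echo ""
     echo "`LS 58 'Select Administration Interface from the following list:'`"
     # rebuild the menu on every pass; without the reset the list was only
     # appended to and grew by one copy after each wrong answer
     interfaces=""
     for INTERFACE in $INTERFACE_LIST ; do
       interfaces="$interfaces $INTERFACE"
     done
     printf "%s\n" "$interfaces"

     read ADMIN_IF_IN

     for INTERFACE in $INTERFACE_LIST ; do
       if [ "$INTERFACE" = "$ADMIN_IF_IN" ] ; then
          ADMIN_IF="$ADMIN_IF_IN"
       fi
     done
  done
}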

#
# set_security_level - ask for the initial security level and store it in
# SECURITY_LEVEL (1, 2 or 3).  Re-prompts until one of those is typed.
#
#   1) restrictive - no services allowed
#   2) secure      - routing, name services are allowed to and from the
#                    screen, and other common services are allowed from
#                    the screen (routing only)
#   3) permissive  - allows common network services to and from all machines
#
set_security_level() {
  clear
  text=`LS 60 '                          Security Level'`
  printf "$text\n\n"
  text=`LS 61 'There are three possible security levels for installing the SunScreen\nin routing mode.  Each security level corresponds to different set of\npermitted services to, from and through the Screen . This security\nlevel is only for the initial configuration and can be changed at any\ntime after installation.'`
  printf "$text\n\n"
  text=`LS 62 'The security levels are as follow:'`
  printf "$text\n"
  text=`LS 63 '1. Restrictive - This level of security disallows all traffic to, from, and\n   through the Screen except encrypted administration traffic.\n   This level is best for deploying the Screen in an unsecured network\n   environment. It requires that static routing and name resolution\n   have been configured on the host.'`
  printf "$text\n\n"
  text=`LS 64 '2. Secure (routing screens only) - This level disallows all traffic to\n   and through the Screen, except allows encrypted administration traffic,\n   common services from the Screen, name server resolution traffic (like\n   DNS and NIS), and routing (RIP). This level is a good starting point to\n   get a Screen up and running on a secure network, where the Screen may\n   not be a stand-alone machine and depends on NIS, DNS, or NFS to function\n   properly.'`
  printf "$text\n\n"
  text=`LS 65 '3. Permissive - This level allows most traffic including inbound\n   connections to the Screen itself and all traffic through the Screen.\n   This security level is for installing the Screen onto a host that\n   has multiple network interfaces and that acts as a router, or on a\n   host that is acting as a server (for example for NFS, NIS, or WWW).'`
  printf "$text\n\n"
  text=`LS 66 'NOTE: With the exception of the Restrictive security level, no IP spoofing  \n      protection is provided until the system has been properly configured.'`
  printf "$text\n"

  # LEVEL is the raw answer; anything but 1/2/3 resets it and re-prompts
  LEVEL=0
  while [ "$LEVEL" = 0 ] ; do
    echo ""
    echo "`LS 67 'Select the initial security level for this Screen:'` (1|2|3)"
    read LEVEL
    case $LEVEL in
      1|2|3) SECURITY_LEVEL=$LEVEL ;;
      *)     LEVEL=0 ;;
    esac
  done
}

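set_cert_type() {
  #
  # Ask the user which SKIP certificate type to use: self-generated UDH or
  # issued by a Certificate Authority.  Sets CERT_TYPE to SKIP_UDH or
  # SKIP_Issued.  IKE_Self_Signed is not offered here; it is only reachable
  # through "+k" on the command line.
  #
  clear
  lmsg=`LS 70 '                           Certificate Type'`
  printf "$lmsg\n\n"
  lmsg=`LS 71 'There are two types of certificates that you can use:\n         SKIP UDH Certificates\n         SKIP Certificates Issued by a Certificated Authority'`
  printf "$lmsg"

  CERT_TYPE=""
  while [ "$CERT_TYPE" = "" ] ; do
    echo ""
    echo "1. `LS 72 'SELF'`"
    echo "2. `LS 73 'ISSUED'`"
    echo ""
    # only two choices exist; the prompt used to advertise (1|2|3)
    echo "`LS 75 'Select the certificate type you want'` (1|2)"
    read CERT_TYPE_ENTRY
    case $CERT_TYPE_ENTRY in
      1|U|u|UDH|udh)
	 CERT_TYPE="SKIP_UDH"
	 ;;
      2|I|i|ISSUED|Issued|issued)
	 CERT_TYPE="SKIP_Issued"
	 ;;
      *)
	 CERT_TYPE=""
	 ;;
    esac
  done
}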

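set_name_service() {
  #
  # Figure out the name service type from the "hosts:" line of
  # /etc/nsswitch.conf (only the first four sources are looked at):
  # NIS, DNS, NIS_DNS when both appear, OFF when neither does.
  # NAME_SERVICE is left untouched when the file is not readable.
  #
  if [ -r /etc/nsswitch.conf ] ; then 
    SERVICES=`grep "^hosts:" /etc/nsswitch.conf | awk '{ print $2,$3,$4,$5 }'`
    NAME_SERVICE=""
    for NS in $SERVICES ; do
      if [ "$NAME_SERVICE" != "NIS_DNS" ] ; then
	case $NS in
	  DNS|dns)
		   if [ "$NAME_SERVICE" = "NIS" ] ; then
		     NAME_SERVICE="NIS_DNS"
		   else
		     NAME_SERVICE="DNS"
		   fi
		   ;;
	  NIS|nis)
		   if [ "$NAME_SERVICE" = "DNS" ] ; then
		     NAME_SERVICE="NIS_DNS"
		   else
		     NAME_SERVICE="NIS"
		   fi
		   ;;
	  *)
	           # skip nsswitch sources this script does not model
	           ;;
	esac
      fi
    done
    if [ "$NAME_SERVICE" = "" ] ; then
      NAME_SERVICE="OFF"
    fi
  fi

  #
  # Show what was detected and ask the user to confirm it
  #
  clear
  lmsg=`LS 80 '                          Name Resolution'`
  printf "$lmsg\n\n"
  lmsg=`LS 81 'The following name resolution method was detected on this machine:'`
  printf "$lmsg"

  case $NAME_SERVICE in
    NIS)
	 echo "`LS 82 "  NIS - Network Information Service, name resolution."`"
	 ;;
    DNS)
	 echo "`LS 83 "  DNS - Domain Name Service."`"
	 ;;
    NIS_DNS)
	 echo "`LS 84 "  NIS and DNS - Both methods of name resolution."`"
	 ;;
    *)
         echo "`LS 85 "  None or Static name resolution from /etc/hosts."`"
	 ;;
  esac
  CHANGE_NAME_SERVICE=""
  while [ "$CHANGE_NAME_SERVICE" = "" ] ; do

    echo ""
    echo "1. `LS 86 'YES'`"
    echo "2. `LS 87 'NO'`"
    echo ""
    echo "`LS 88 'Is this is the name service that you want to use on this machine?'` (1|2)"
    read ANSWER
    case $ANSWER in
      1|Y|y|Yes|YES|yes)
		       CHANGE_NAME_SERVICE="NO"
		       ;;
      2|N|n|No|NO|no)
		       CHANGE_NAME_SERVICE="YES"
		       ;;
      *)
	 ;;
    esac
  done

  if [ "$CHANGE_NAME_SERVICE" = "YES" ] ; then
    #
    # ask the user what to use instead
    #
    echo ""
    echo "`LS 90 "Choose one of the following name service options:"`"
    echo "1. `LS 91 'NIS'`"
    echo "2. `LS 92 'DNS'`"
    echo "3. `LS 93 'NIS and DNS'`"
    echo "4. `LS 94 'None'`"

    NAME_SERVICE=""
    while [ "$NAME_SERVICE" = "" ] ; do
      echo ""
      echo "`LS 95 'Choose the name service option you want to use on this machine?'` (1|2|3|4)"
      read ANSWER
      case $ANSWER in
	1)
	   NAME_SERVICE="NIS"
	   ;;
	2)
	   NAME_SERVICE="DNS"
	   ;;
	3)
	   NAME_SERVICE="NIS_DNS"
	   ;;
	4)
	   # "None": static /etc/hosts only, the same value -n sets.
	   # This arm used to set NIS_DNS, identical to option 3.
	   NAME_SERVICE="OFF"
	   ;;
	*)
	   echo "`LS 96 "That is not a valid choice, please choose one of"` (1 2 3 4)."
	   ;;
      esac
    done
  fi
  
}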

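harden_os() {
  # 
  # Ask the user whether the Screen's Solaris OS should be hardened and,
  # on YES, run the hardening tool.  Sets HARDEN_OS to YES or NO.  The
  # caller in main only offers this for stealth Screens; the text warns
  # that hardening is irreversible.
  #
  clear
  lmsg=`LS 100 '                           Harden Screen'`
  printf "$lmsg\n\n"
  lmsg=`LS 101 'The hardening of the Solaris OS on the Screen removes unnecessary files \nand services which might otherwise make the Screen vulnerable.  This should \nonly be performed Screens in the stealth configuration which do not route or \nprovide any external services.  Hardening is irreversible'`
  printf "$lmsg"

  HARDEN_OS=""
  while [ "$HARDEN_OS" = "" ] ; do
    echo ""
    echo "1. `LS 86 'YES'`"
    echo "2. `LS 87 'NO'`"
    echo ""
    echo "`LS 102 'Do you want to harden the Solaris OS?'` (1|2)"
    read ANSWER
    case $ANSWER in
      1|Y|y|Yes|YES|yes)
		       HARDEN_OS="YES"
		       ;;
      2|N|n|No|NO|no)
		       HARDEN_OS="NO"
		       ;;
      *)
	 ;;
    esac
  done

  if [ "$HARDEN_OS" = "YES" ]
  then
     echo "`LS 103 "Hardening Solaris OS on the screen"`"
     # The hardening tool has the same name as this shell function, so it
     # is started through env(1) to force a PATH lookup; a bare "harden_os"
     # resolved to this function and recursed.  The old code also branched
     # on the literal string "LOCAL_ADMIN" (no "$") and ran the same
     # command in both arms, so the branch is gone.
     # NOTE(review): assumes a harden_os executable lives in one of the
     # $BIN_DIR / $SSADM_DIR / $LIB_DIR PATH entries - confirm.
     env harden_os >/dev/null 2>&1
  fi
}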

#
# interface_address_range IFNAME - print an editor "Address" value for the
# IPv4 network IFNAME sits on, as "RANGE <first> <last>" with no trailing
# newline; prints "LIST { } { }" when the ifconfig output is not in the
# expected "inet A netmask M broadcast B" form.  The arithmetic assumes a
# contiguous netmask.
#
interface_address_range() {
	# second line of "ifconfig IFNAME inet" carries the address words
	# ("tail +2" is the Solaris spelling of "tail -n +2")
	set -- `/usr/sbin/ifconfig $1 inet | /bin/tail +2`
	# e.g.: inet 199.190.177.82 netmask ffffff00 broadcast 199.190.177.255

	if [ "$1" = inet ] && [ "$3" = netmask ] && [ "$5" = broadcast ]
	then
	    addr=$2
	    netmask=$4
	    {
		# dc program to compute beginning and ending address of the
		# range described by the local address and netmask.
		# dc registers used:
		# a : local address
		# m : netmask
		# b : beginning of range
		# e : end of range
		echo "[RANGE ]P"
		# "0 A+256*B+256*C+256*D +sa": dotted quad -> 32-bit value in a
		echo "0 $addr +sa" | sed 's/\./+256*/g'
		# input radix 16 from here on (dc wants upper-case hex digits);
		# read the hex netmask into m.  Every literal below is hex.
		echo "16i $netmask sm" | tr '[a-f]' '[A-F]'
		# b = a - (a mod (2^32 - m)): the host bits cleared
		echo "lad 100000000lm-%- sb"
		# e = b + (FFFFFFFF - m): the host bits set
		echo "FFFFFFFFlm- lb+ se"
		# print b and e as dotted quads (output radix is still 10):
		# /2^24, /2^16 % 256, /256 % 256, % 256
		echo "lb1000000/p[.]Plb10000/100%p[.]Plb100/100%p[.]Plb100%p"
		echo "[ ]P"
		echo "le1000000/p[.]Ple10000/100%p[.]Ple100/100%p[.]Ple100%p"
	    } | dc | tr -d '\012'	# dc's "p" adds newlines; join into one line
	else
	    echo "LIST { } { }"
	fi
}

#
# --- Main---
#
# parse args
#
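#
# need_optarg OPTION [VALUE...] - exit 3 (bad argument) when an option that
# takes a value is the last word on the command line.  Called with the
# remaining arguments ("$@") so that $1 is the option and $2 its value.
# Without this a trailing "-i" silently set ADMIN_IF="", -A/-S produced a
# bare "0x", and the following shift ran with nothing left to shift.
#
need_optarg() {
    if [ $# -lt 2 ] ; then
	echo "`LS 200 "Error:"` $1 requires an argument."
	usage
	exit 3
    fi
}

#
# parse args
#
# Options accepted but not listed by usage(): -w (wizard mode, msg output
# is suppressed), +k (IKE self-signed certificates), -A/-S (admin / screen
# certificate ids given by the caller; "0x" is prefixed here).
# NB: the loop stops at the first empty argument, not at the end of "$@".
#
while [ "$1" != "" ]
do  case $1 in
    -h)
	usage
	exit 0
	;;
    -a)
	need_optarg "$@"
	case $2 in
	    LOCAL|Local|local)
		LOCAL_ADMIN="YES"
		REMOTE_ADMIN="NO" ;;
	    REMOTE|Remote|remote)
		LOCAL_ADMIN="NO"
		REMOTE_ADMIN="YES" ;;
	    BOTH|Both|both)
		LOCAL_ADMIN="YES"
		REMOTE_ADMIN="YES" ;;
	    *)
		echo "`LS 200 "Error:"` $2 `LS 201 "is not a valid administration option."`"
		usage
		exit 3
		;;
	esac
	shift
	;;
    -i)
	need_optarg "$@"
	ADMIN_IF="$2"
	shift
	;;
    +c)
	CERT_DISC="CDP"
	;;
    -c)
	CERT_DISC=""
	;;
    -n)
	NAME_SERVICE="OFF"
	;;
    +n)
	need_optarg "$@"
	case $2 in
	  DNS|dns)
	       NAME_SERVICE="DNS"
	       ;;
	  NIS|nis)
	       NAME_SERVICE="NIS"
	       ;;
	  BOTH|NIS_DNS|DNS_NIS|both|nis_dns|dns_nis)
	       NAME_SERVICE="NIS_DNS"
	       ;;
	  *)
	       echo "`LS 200 "Error:"` $2 `LS 202 "is not a valid name service option."`"
	       usage
	       exit 3
	       ;;
	esac
	shift
	;;
    -u)
	# -u/+u/+k fix the certificate type; CERT_CMD=YES skips set_cert_type
	CERT_TYPE="SKIP_Issued"
	CERT_CMD="YES"
	;;
    +u)
	CERT_TYPE="SKIP_UDH"
	CERT_CMD="YES"
	;;
    +k)
	CERT_TYPE="IKE_Self_Signed"
	CERT_CMD="YES"
	;;
    +r)
	ROUTING="ROUTING"
	;;
    -r)
	ROUTING=""
	;;
    -s)
	need_optarg "$@"
	case $2 in
	  RESTRICTIVE|restrictive)
		    SECURITY_LEVEL=1
		    ;;
	  SECURE|secure)
		    SECURITY_LEVEL=2
		    ;;
	  PERMISSIVE|permissive)
		    SECURITY_LEVEL=3
		    ;;
	  *)
		    echo "`LS 200 "Error:"` $2 `LS 203 "is not a valid security level."`"
		    usage
		    exit 3
		    ;;
	esac
	shift
	;;
    -t)
	need_optarg "$@"
	case $2 in
	  STEALTH|Stealth|stealth)
	    # same side effects as choosing STEALTH in set_screen_type
	    SCREEN_TYPE="STEALTH"
	    ROUTING="ROUTING"
	    SECURITY_LEVEL=0
	    ;;
	  ROUTING|Routing|routing)
	    SCREEN_TYPE="ROUTING"
	    ;;
	  *)
	    # NOTE(review): reported through msg (hidden under -w) while the
	    # other option errors use echo - confirm which the wizard expects
	    msg "`LS 200 "Error:"` $2 `LS 204 "is not a valid screen type."`"
	    usage
	    exit 3
	    ;;
	esac
	shift
	;;
    -w)
	wizard=true
	;;
    -l)
	LOAD_CERTS="NO"
	;;
    +l)
	LOAD_CERTS="YES"
	;;
    -A)
	need_optarg "$@"
	ADMIN_CERT="0x$2"
	shift
	;;
    -S)
	need_optarg "$@"
	SCREEN_CERT="0x$2"
	shift
	;;
    *)
	usage
	exit 3
	;;
    esac
    shift
done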

#
# -S and -A only make sense together: warn (but carry on) when one of the
# two certificate ids was given without the other.
#
if [ -n "$SCREEN_CERT" ] ; then
   [ -z "$ADMIN_CERT" ] && msg `LS 210 "WARNING: If Screen Cert is entered, Admin Cert must be entered"`
elif [ -n "$ADMIN_CERT" ] ; then
   msg `LS 211 "WARNING: If Admin Cert is entered, Screen Cert must be entered"`
fi

#
# Clear edit script 
#
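#
# Edit script fed to "edit $POLICY" below.  Ask mktemp(1) for an
# unpredictable name so that a pre-planted symlink in the shared /tmp
# cannot redirect the rm/touch/append sequence (this script typically runs
# with full privileges).  Fall back to the historical fixed name where
# mktemp is not available.
#
if EDITFILE=`mktemp /tmp/initialEdits.XXXXXX 2>/dev/null` && [ -n "$EDITFILE" ]
then
    :	# created empty by mktemp
else
    EDITFILE=/tmp/initialEdits
    rm -f "$EDITFILE"
    touch "$EDITFILE"
fi

#
# Instructions for the remote administration station, rewritten each run
#
ADMINREADME=$ETC_DIR/AdminSetup.readme
rm -f "$ADMINREADME"
touch "$ADMINREADME"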

#
# Find the valid interface names
#
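INTERFACE_LIST=`interfaces`

#
# A stealth Screen needs one interface for administration: exit 8 when the
# type was fixed with "-t STEALTH" and none was found.  (The old test
# compared the literal string "SCREEN_TYPE" - the "$" was missing - and so
# never fired.)  When the type is chosen interactively later, SCREEN_TYPE
# is still empty here and this check does not apply.
#
if [ "$INTERFACE_LIST" = "" ] && [ "$SCREEN_TYPE" = "STEALTH" ] ; then
  echo "`LS 224 "ERROR: stealth configuration requires one interface"`"
  exit 8 
fi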

#
# check for required packages
#
#
# check for required packages; BugID 4323662: exit 2 when any are missing
#
chkpkg || exit 2

if [ "$wizard" = "false" ] ; then

  #
  # Banner, then prompt for whatever the command line did not provide
  #
  print_banner

  case $SCREEN_TYPE in
    "") set_screen_type ;;
  esac

  if [ "$LOCAL_ADMIN" = "" ] ; then
    case $SCREEN_TYPE in
      ROUTING)
        set_admin ;;
      STEALTH)
        # a stealth Screen is administered remotely, so certificates are needed
        LOCAL_ADMIN="NO"
        REMOTE_ADMIN="YES"
        LOAD_CERTS="YES" ;;
    esac
  fi

  if [ "$ADMIN_IF" = "" ] && [ "$SCREEN_TYPE" = "STEALTH" ] ; then
    set_admin_if
  fi

  if [ "$SECURITY_LEVEL" = "" ] ; then
    set_security_level
  fi

  #
  # Level-dependent defaults: restrictive turns certificate discovery and
  # name service off; secure and permissive ask about name service and
  # enable routing; 0 (stealth) needs nothing; anything else is an error.
  #
  if [ $SECURITY_LEVEL -eq 1 ] ; then
    CERT_DISC=""
    [ "$NAME_SERVICE" = "" ] && NAME_SERVICE="OFF"
  elif [ $SECURITY_LEVEL -eq 2 ] || [ $SECURITY_LEVEL -eq 3 ] ; then
    [ "$NAME_SERVICE" = "" ] && set_name_service
    [ "$ROUTING" = "" ] && ROUTING="ROUTING"
  elif [ $SECURITY_LEVEL -ne 0 ] ; then
    # NOTE(review): message id 204 is also used by the -t parser with a
    # different default text - confirm against the catalog
    echo ""
    echo "`LS 200 "ERROR: "` `LS 204 "security level"` $SECURITY_LEVEL `LS 205 "not supported."`"
    exit 4
  fi
fi

#
# If this is a locally administered SunScreen we don't need to install keys
#
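if [ "$LOAD_CERTS" = "YES" ] ; then
  # 
  # Set up files for subordinate scripts to write into.
  # NOTE(review): fixed names in /tmp are a symlink/race exposure; they
  # are kept because the install_* helpers that fill them appear to share
  # these paths - confirm before changing.
  #
  if [ "$SCREEN_CERT" = "" ] ; then
    ADMINCERTFILE=/tmp/admincert
    SCREENCERTFILE=/tmp/screencert
    rm -f $SCREENCERTFILE
    touch $SCREENCERTFILE
    rm -f $ADMINCERTFILE
    touch $ADMINCERTFILE
  fi
  #
  # Install keys for local host and the remote admin.  The certificate type
  # is asked for unless -u/+u/+k already fixed it (CERT_CMD=YES).
  #
  if [ "$CERT_CMD" != "YES" ] ; then
    set_cert_type
  fi

  #
  # CERT_RC collects the status of the install_* helpers.  Testing "$?"
  # after the if/elif chain, as before, saw the status of the last command
  # of the taken branch - the NSID_TYPE assignment - so a failed SKIP
  # certificate installation was never reported (exit 9).
  #
  CERT_RC=0
  if [ "$CERT_TYPE" = "SKIP_UDH" ] ; then
    if [ "$SCREEN_CERT" = "" ] ; then
       install_UDH_keys || CERT_RC=$?
    fi
    NSID_TYPE=8
  elif [ "$CERT_TYPE" = "SKIP_Issued" ] ; then
    if [ "$SCREEN_CERT" = "" ] ; then
       install_remote_SKIP_issued_cert || CERT_RC=$?
       install_local_SKIP_issued_cert || CERT_RC=$?
    fi
    NSID_TYPE=1
  elif [ "$CERT_TYPE" = "IKE_Self_Signed" ] ; then
    if [ "$SCREEN_CERT" = "" ] ; then
       install_IKE_keys || CERT_RC=$?
    fi
  fi

  if [ $CERT_RC -ne 0 ] ; then
    echo "`LS 225 "ERROR: loading or generating certificates"`"
    exit 9 
  fi

  if [ "$SCREEN_CERT" = "" ] ; then
    #
    # read cert information written by the helpers into the temp files;
    # SKIP ids are hex and get the 0x prefix the editor commands expect
    #
    read ADMIN_CERT < $ADMINCERTFILE 2>/dev/null
    read SCREEN_CERT < $SCREENCERTFILE 2>/dev/null
    if [ "$CERT_TYPE" = "SKIP_UDH" ] || [ "$CERT_TYPE" = "SKIP_Issued" ]; then
       ADMIN_CERT=0x$ADMIN_CERT
       SCREEN_CERT=0x$SCREEN_CERT
    fi
  fi
  #
  # Add certificates to the registry: the Screen's own admin certificate,
  # the remote station's, and the admin-group holding the latter
  #
  msg `LS 120 "--Add certs & admin group"`
  if [ "$CERT_TYPE" = "SKIP_UDH" ] || [ "$CERT_TYPE" = "SKIP_Issued" ] ; then
    echo "add Certificate \"$SCREENNAME.admin\" SINGLE NSID $NSID_TYPE MKID $SCREEN_CERT"  >> $EDITFILE
    echo "add Certificate \"remote\" SINGLE NSID $NSID_TYPE MKID $ADMIN_CERT" >> $EDITFILE
  elif [ "$CERT_TYPE" = "IKE_Self_Signed" ] ; then
    echo "add Certificate \"$SCREENNAME.admin\" SINGLE IKE \"$SCREEN_CERT\" "  >> $EDITFILE
    echo "add Certificate \"remote\" SINGLE IKE \"$ADMIN_CERT\" " >> $EDITFILE
  fi
  echo "add Certificate \"admin-group\" GROUP \"remote\" " >> $EDITFILE
fi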

#
#	Add addresses for each interface, and for smtp-server (smtp proxy)
#
# BugID 4217939: make interfaces and interface addresses unique
#
msg `LS 121 "--Adding interfaces & interface addresses"`
case $SCREEN_TYPE in
STEALTH)
  # one admin interface; its Screen address object matches anything ("*")
  screenifaddr=${SCREENNAME}_${ADMIN_IF}
  {
    echo "add Address $screenifaddr LIST { \"*\" } { }"
    echo "add_nocheck Interface $ADMIN_IF ADMIN $screenifaddr"
  } >> $EDITFILE
  ;;
*)
  # one routing interface per detected interface, each with a .net address
  # object covering its subnet and an (initially empty) Screen address
  for INTERFACE in $INTERFACE_LIST
  do
    range=`interface_address_range $INTERFACE`
    screenifaddr=${SCREENNAME}_${INTERFACE}
    {
      echo "add Address $INTERFACE.net $range"
      echo "add Address $screenifaddr LIST { } { }"
      echo "add_nocheck Interface $INTERFACE ROUTING $screenifaddr SCREEN $SCREENNAME"
    } >> $EDITFILE
  done
  ;;
esac

#
# Set Access control 
#
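#
# Set Access control: report the administration-traffic parameters on the
# console (through msg, so hidden under -w) and record them in $ADMINREADME
# for the remote administration station.
#
# NOTE(review): DES-CBC, MD5 and SHA1 are the defaults this installer
# writes and are weak by current standards; the SKIP values are also
# handed to the skiphost command generated further down, so they have to
# be changed together, not here alone.
#
# say_and_log LINE - print LINE through msg and append it to $ADMINREADME
say_and_log() {
  msg "$1"
  echo "$1" >> $ADMINREADME
}

if [ "$LOAD_CERTS" = "YES" ] ; then
  if [ "$CERT_TYPE" = "SKIP_UDH" ] || [ "$CERT_TYPE" = "SKIP_Issued" ]; then
    KEY_ALG="DES-CBC"
    DATA_ALG="DES-CBC"
    MAC_ALG="MD5"
    echo "`LS 136 "This file is automatically generated during installation"`" >> $ADMINREADME
    say_and_log "`LS 130 'SKIP parameters used for administration traffic.'`"
    say_and_log "`LS 131 'Admin certificate ID:      '`$ADMIN_CERT"
    say_and_log "`LS 132 'Screen certificate ID:     '`$SCREEN_CERT"
    say_and_log "`LS 133 'Key encryption algoritm:   '`$KEY_ALG"
    say_and_log "`LS 134 'Data encryption algorithm: '`$DATA_ALG"
    say_and_log "`LS 135 'MAC algorithm:             '`$MAC_ALG"
    say_and_log ""
  elif [ "$CERT_TYPE" = "IKE_Self_Signed" ] ; then
    ESP_ALG="DES-CBC"
    ESP_AUTH="MD5"
    AH_ALG="SHA1"
    IKE_ALG="DES-CBC"
    IKE_AUTH="MD5"
    echo "`LS 136 "This file is automatically generated during installation"`" >> $ADMINREADME
    say_and_log "`LS 150 'IKE parameters used for administration traffic.'`"
    say_and_log "`LS 151 'Admin certificate DN:      '`$ADMIN_CERT"
    say_and_log "`LS 152 'Screen certificate DN:     '`$SCREEN_CERT"
    say_and_log "`LS 153 'ESP encryption algorithm:  '`$ESP_ALG"
    # the readme line used the undefined $ESPAH_AUTH and so printed no value
    say_and_log "`LS 154 'ESP authentication:        '`$ESP_AUTH"
    say_and_log "`LS 155 'AH encryption algorithm:   '`$AH_ALG"
    say_and_log "`LS 156 'IKE encryption algorithm:  '`$IKE_ALG"
    say_and_log "`LS 157 'IKE authentication:        '`$IKE_AUTH"
    # blank separator now written to the readme in both branches
    say_and_log ""
  fi
fi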

if [ "$LOAD_CERTS" = "YES" ] ; then
    #
    # Set up the Remote Administration rule and tell the operator how to
    # configure the administration station to match it
    #
    case $CERT_TYPE in
    SKIP_UDH|SKIP_Issued)
	echo "add AccessRemote USER \"admin\" \"*\" SKIP_VERSION_2 \"admin-group\" \"$KEY_ALG\" \"$DATA_ALG\" \"$MAC_ALG\" \"NONE\" PERMISSION ALL" >> $EDITFILE
	# the skiphost line below uses 0x-prefixed ids; add the prefix only
	# where the value does not carry one already
	case $ADMIN_CERT in
	    0x*) AOX="" ;;
	    *)   AOX="0x" ;;
	esac
	case $SCREEN_CERT in
	    0x*) EOX="" ;;
	    *)   EOX="0x" ;;
	esac
	skipcmd="skiphost -a $SCREENNAME -r $NSID_TYPE -R $EOX$SCREEN_CERT -s $NSID_TYPE -S $AOX$ADMIN_CERT -k $KEY_ALG -t $DATA_ALG -m $MAC_ALG"
	msg "`LS 140 "Run the following command on the administration station to configure skip:"`"
	msg "$skipcmd"
	msg ""

	echo "`LS 140 "Run the following command on the administration station to configure skip:"`" >> $ADMINREADME
	echo "$skipcmd" >> $ADMINREADME
	echo "" >> $ADMINREADME
	;;
    IKE_Self_Signed)
	echo "add AccessRemote USER \"admin\" \"*\" IPSEC ESP(\"$ESP_ALG\",  \"$ESP_AUTH\") AH(\"$AH_ALG\") IKE(\"$IKE_ALG\", \"$IKE_AUTH\", 1, RSA-ENCRYPTION, \"$SCREENNAME.admin\") PERMISSION ALL" >> $EDITFILE
	;;
    esac
    echo "`LS 141 'Read the file '` $ADMINREADME `LS 142 'for information about setting up the Remote Administration Station.'`"
fi

#
# Add screen object
#
#   start with screen name, routing, CDP and name service
#
#
# Build the "add Screen" editor command: screen name, then routing and CDP
# flags (empty when off), then the name service words (none for OFF)
#
SCREENEDIT="add Screen \"$SCREENNAME\" "
SCREENEDIT="$SCREENEDIT $ROUTING $CERT_DISC"
case $NAME_SERVICE in
  NIS_DNS) SCREENEDIT="$SCREENEDIT NIS DNS" ;;
  OFF)     ;;
  *)       SCREENEDIT="$SCREENEDIT $NAME_SERVICE" ;;
esac

#
# Add screen's admin IP and certificate name 
#
#
# Add the Screen's admin IP and certificate name, then write the command
#
if [ "$LOAD_CERTS" = "YES" ] ; then
  case $SCREEN_TYPE in
  STEALTH)
    # second field of the admin interface's "inet" line is its address
    # (same parsing as interface_address_range)
    set -- `ifconfig $ADMIN_IF inet | tail +2`
    ADMIN_IP=$2
    SCREENEDIT="$SCREENEDIT ADMIN_IP \"$ADMIN_IP\""
    ;;
  *)
    SCREENEDIT="$SCREENEDIT ADMIN_IP \"*\""
    ;;
  esac
  case $CERT_TYPE in
  SKIP_UDH|SKIP_Issued)
    SCREENEDIT="$SCREENEDIT ADMIN_CERTIFICATE \"$SCREENNAME.admin\"" ;;
  IKE_Self_Signed)
    SCREENEDIT="$SCREENEDIT IKE(\"$SCREENNAME.admin\")" ;;
  esac
fi

echo "$SCREENEDIT" >> $EDITFILE

#
# Add ALL access for local GUI administration for user admin
#
#
# Add ALL access for local GUI administration for user admin
#
echo 'add AccessLocal USER "admin" PERMISSION ALL' >> $EDITFILE

#
# Add common service rule(s): level 2 allows common services from the
# Screen plus RIP, level 3 allows common services everywhere; levels 0
# (stealth) and 1 (restrictive) get none
#
case $SECURITY_LEVEL in
  2) echo 'add Rule "common" "localhost" "*" ALLOW' >> $EDITFILE
     echo 'add Rule "rip" "*" "*" ALLOW' >> $EDITFILE ;;
  3) echo 'add Rule "common" "*" "*" ALLOW' >> $EDITFILE ;;
esac

echo "save" >> $EDITFILE

#
# Create registry
#
#
# Create registry (first run only): the default domain plus the vars,
# authuser/proxyuser and logmacro databases
#
if [ -r $CONFIGS/default/Registry ]
then
    :	# registry already present, nothing to initialize
else
    domain -a default
    msg `LS 123 "--Initialize 'vars' databases"`
    $LIB_DIR/init_vars
    msg `LS 124 "--Initialize 'authuser' & 'proxyuser' databases"`
    $LIB_DIR/init_users
    msg `LS 125 "--Initialize 'logmacro' database"`
    $LIB_DIR/init_logmacro
fi

#
# Create policy
#
#
# Create policy, unless one by that name already exists
#
if [ ! -r $CONFIGS/default/$POLICY ] ; then
    policy -a $POLICY
fi

#
# Apply edits from file; on failure exit 5 and leave $EDITFILE behind so
# the failing editor commands can be inspected
#
msg `LS 126 "--Applying edits"`
if edit $POLICY < $EDITFILE ; then
    :
else
    echo "`LS 220 'An error occurred while creating the configuration.'`"
    echo "`LS 221 'The editor commands used are in'` $EDITFILE."
    exit 5
fi

#
# Activate the configuration we just created
#
# For TS, privileges inherited from parent process.
#
msg `LS 127 "--Activating configuration"`
activate $POLICY || {
    lmsg=`LS 222 'An error occurred while activating the configuration.\n The configuration has not been activated.'`
    printf "$lmsg\n"
    exit 6
}

filter -f PASSALL

# keep a copy of the editor script next to the installed configuration
cp $EDITFILE $VAR_DIR/initialEdits

# OS hardening is offered interactively, and only for stealth Screens
if [ "$wizard" = "false" ] && [ "$SCREEN_TYPE" = "STEALTH" ]
then
  harden_os
fi

msg ""
msg `LS 223 "Reboot the machine now for changes to take effect."`
msg ""
