install/installer/traf_secure_setup - trafodion - Git at Google

 #!/bin/bash

 # @@@ START COPYRIGHT @@@
 #
 # Licensed to the Apache Software Foundation (ASF) under one
 # or more contributor license agreements.  See the NOTICE file
 # distributed with this work for additional information
 # regarding copyright ownership.  The ASF licenses this file
 # to you under the Apache License, Version 2.0 (the
 # "License"); you may not use this file except in compliance
 # with the License.  You may obtain a copy of the License at
 #
 #   http://www.apache.org/licenses/LICENSE-2.0
 #
 # Unless required by applicable law or agreed to in writing,
 # software distributed under the License is distributed on an
 # "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
 # KIND, either express or implied.  See the License for the
 # specific language governing permissions and limitations
 # under the License.
 #
 # @@@ END COPYRIGHT @@@

 # KDC attributes
 MAX_LIFETIME="24hours"
 RENEW_LIFETIME="7days"

 # LDAP attributes
 LDAP_AUTH_FILE="traf_authentication_config_${HOSTNAME}"

 HOST_NAME=`hostname -f`

 #==============================================
 #  Setup Trafodion environment for secure Hadoop
 #==============================================

 LOCAL_WORKDIR="$( cd "$( dirname "$0" )" && pwd )"

 TRAF_CONFIG="/etc/trafodion/trafodion_config"
 LOCAL_SECURE_CONFIG="$LOCAL_WORKDIR/trafodion_secure_config"
 rm $LOCAL_SECURE_CONFIG  2>/dev/null
 source $TRAF_CONFIG

 # Get Kerberos key details
 # These differ depending on the distribution
 if [[ $HADOOP_TYPE == "cloudera" ]]; then
   TRAF_KEYTAB_DIR='/etc/trafodion'
   TRAF_KEYTAB="trafodion.keytab"
   HBASE_KEYTAB=`sudo find /var/run/cloudera-scm-agent/process/ -name hbase.keytab | grep 'hbase-MASTER' | head -n 1`
   HDFS_KEYTAB=`sudo find /var/run/cloudera-scm-agent/process/ -name hdfs.keytab | grep 'hdfs-NAMENODE/' | head -n 1`
 else
   TRAF_KEYTAB_DIR='/etc/security/keytabs'
   TRAF_KEYTAB="trafodion.service.keytab"
   HBASE_KEYTAB='/etc/security/keytabs/hbase.service.keytab'
   HDFS_KEYTAB='/etc/security/keytabs/hdfs.headless.keytab'
 fi


 #==============================================
 # Kerberos enabled

 echo "***INFO: Starting Trafodion security configuration setup"

 # Check to see if kerberos is enabled in Hadoop
 cat /etc/hadoop/conf/core-site.xml | while read a; do
   found=`echo $a | grep "hadoop.security.authentication" | wc -l`
   if [[ $found -eq 1 ]]; then
     read b
     enabled=`echo $b | grep kerberos | wc -l`
     if [[ $enabled -eq 1 ]]; then
       exit 1
     else
       exit 0
     fi
   fi
 done

 retcode=$?
 if [[ $retcode -eq 1 ]]; then
    SECURE_HADOOP="Y"
 else
    SECURE_HADOOP="N"
 fi
 sed -i '/SECURE_HADOOP\=/d' $TRAF_CONFIG
 echo "export SECURE_HADOOP=\"$SECURE_HADOOP\"" >> $LOCAL_SECURE_CONFIG


 if [[ "$SECURE_HADOOP" == "Y" ]]; then
    echo -n "Enter KDC server address, default is [$KDC_SERVER]:"
    read answer
    if [[ ! -z $answer ]]; then KDC_SERVER=$answer;  fi
    sed -i '/KDC_SERVER\=/d' $TRAF_CONFIG
    echo "export KDC_SERVER=\"$KDC_SERVER\"" >> $LOCAL_SECURE_CONFIG

    echo -n "Enter admin principal (include realm), default is [$ADMIN_PRINCIPAL]:"
    read answer
    if [[ ! -z $answer ]]; then ADMIN_PRINCIPAL=$answer; fi
    sed -i '/ADMIN_PRINCIPAL\=/d' $TRAF_CONFIG
    echo "export ADMIN_PRINCIPAL=\"$ADMIN_PRINCIPAL\"" >> $LOCAL_SECURE_CONFIG

    # need a secure way to save password, until then ask later
    #echo -n "Enter admin password:"
    #read -s answer
    #if [[ ! -z $answer ]]; then ADMIN_PASSWD=$answer; fi
    #echo ""

    echo -n "Enter fully qualified name for HBase keytab, default is [$HBASE_KEYTAB]:"
    read answer
    if [[ ! -z $answer ]]; then HBASE_KEYTAB=$answer; fi
    sed -i '/HBASE_KEYTAB\=/d' $TRAF_CONFIG
    echo "export HBASE_KEYTAB=\"$HBASE_KEYTAB\"" >> $LOCAL_SECURE_CONFIG

    echo -n "Enter fully qualified name for HDFS keytab, default is [$HDFS_KEYTAB]:"
    read answer
    if [[ ! -z $answer ]]; then HDFS_KEYTAB=$answer; fi
    sed -i '/HDFS_KEYTAB\=/d' $TRAF_CONFIG
    echo "export HDFS_KEYTAB=\"$HDFS_KEYTAB\"" >> $LOCAL_SECURE_CONFIG

    echo -n "Enter max lifetime for Trafodion principal (valid format required), default is [$MAX_LIFETIME]:"
    read answer
    if [[ ! -z $answer ]]; then MAX_LIFETIME=$answer; fi
    sed -i '/MAX_LIFETIME\=/d' $TRAF_CONFIG
    echo "export MAX_LIFETIME=\"$MAX_LIFETIME\"" >> $LOCAL_SECURE_CONFIG

    echo -n "Enter renew lifetime for Trafodion principal (valid format required), default is [$RENEW_LIFETIME]:"
    read answer
    if [[ ! -z $answer ]]; then RENEW_LIFETIME=$answer; fi
    sed -i '/RENEW_LIFETIME\=/d' $TRAF_CONFIG
    echo "export RENEW_LIFETIME=\"$RENEW_LIFETIME\"" >> $LOCAL_SECURE_CONFIG

    echo -n "Enter Trafodion keytab name, default is [$TRAF_KEYTAB]:"
    read answer
    if [[ ! -z $answer ]]; then TRAF_KEYTAB=$answer; fi
    sed -i '/TRAF_KEYTAB\=/d' $TRAF_CONFIG
    echo "export TRAF_KEYTAB=\"$TRAF_KEYTAB\"" >> $LOCAL_SECURE_CONFIG

    echo -n "Enter keytab location, default is [$TRAF_KEYTAB_DIR]:"
    read answer
    if [[ ! -d $TRAF_KEYTAB_DIR ]]; then
      echo -n "**Missing keytab directory $TRAF_KEYTAB_DIR, create it (Y/N), default is [Y]:"
      read answer
      if [[ "${answer}" =~ ^[Yy]$ ]]; then
        if [[ "$all_node_count" -ne "1" ]]; then
          echo "***INFO: creating $TRAF_KEYTAB_DIR"
          $TRAF_PDSH $MY_NODES sudo mkdir -p $TRAF_KEYTAB_DIR 2>/dev/null
          $TRAF_PDSH $MY_NODES sudo chown $TRAF_USER:$TRAF_GROUP $TRAF_KEYTAB_DIR
          $TRAF_PDSH $MY_NODES sudo chmod 700 $TRAF_KEYTAB_DIR
        else
          echo "***INFO: creating $TRAF_KEYTAB_DIR"
          sudo mkdir -p $TRAF_KEYTAB_DIR 2>/dev/null
          sudo chown $TRAF_USER:$TRAF_GROUP $TRAF_KEYTAB_DIR
          sudo chmod 700 $TRAF_KEYTAB_DIR
        fi
      else
         echo "***ERROR: Please create $TRAF_KEYTAB_DIR on all nodes and rerun"
         exit 1
      fi
    fi
    sed -i '/TRAF_KEYTAB_DIR\=/d' $TRAF_CONFIG
    echo "export TRAF_KEYTAB_DIR=\"$TRAF_KEYTAB_DIR\"" >> $LOCAL_SECURE_CONFIG
 fi

 #==============================================
 # LDAP security

 if [[ "$SECURE_HADOOP" == "Y" ]]; then
   LDAP_SECURITY="Y"
 else
    echo -n "Enable LDAP security (Y/N), default is [$LDAP_SECURITY]: "
    read answer

    if [ ! -z $answer ]; then
       if [[ "${answer}" =~ ^[Yy]$ ]]; then
          LDAP_SECURITY="Y"
       else
          LDAP_SECURITY="N"
       fi
    fi
 fi
 sed -i '/LDAP_SECURITY\=/d' $TRAF_CONFIG
 echo "export LDAP_SECURITY=\"$LDAP_SECURITY\"" >> $LOCAL_SECURE_CONFIG

 if [[ "$LDAP_SECURITY" == "N" ]]; then
   cat $LOCAL_SECURE_CONFIG >> $TRAF_CONFIG
   echo "***INFO: Trafodion security configuration setup complete"
   exit 0;
 fi

 #Hostnames
 echo -n "Enter list of LDAP Hostnames (blank separated), default [$LDAP_HOSTS]: "
 read answer
 if [[ -z "$answer" ]]; then
    if [ -z "$LDAP_HOSTS" ]; then
       echo "***ERROR: Must enter list of LDAP Hostnames."
       exit -1
    fi
 else
    LDAP_HOSTS=$answer
 fi
 sed -i '/LDAP_HOSTS\=/d' $TRAF_CONFIG
 echo "export LDAP_HOSTS=\"$LDAP_HOSTS\"" >> $LOCAL_SECURE_CONFIG
 cp -rf traf_authentication_conf_default $LOCAL_WORKDIR/$LDAP_AUTH_FILE
 sed -i '/LDAP_AUTH_FILE\=/d' $TRAF_CONFIG
 echo "export LDAP_AUTH_FILE=\"$LDAP_AUTH_FILE\"" >> $LOCAL_SECURE_CONFIG

 counter=0
 for host in $LDAP_HOSTS
 do
   counter=$[$counter+1]
   if [ $counter -eq "1" ]; then
      list=" LdapHostname: $host"
   elif [ $counter -eq "$node_count" ]; then
      list="LdapHostname: $host\n $list"
   else
      list=" LdapHostname: $host\n $list"
   fi
 done
 sed -i -e "s/LdapHostname:/$list/g" $LDAP_AUTH_FILE

 #Port numbers
 echo -n "Enter LDAP Port number (Example: 389 for no encryption or TLS, 636 for SSL), default [$LDAP_PORT]: "
 read answer
 if [[ -z "$answer" ]]; then
    if [ -z "$LDAP_PORT" ]; then
       echo "***ERROR: Must enter LDAP port."
       exit -1
    fi
 else
    LDAP_PORT=$answer
 fi

 sed -i '/LDAP_PORT\=/d' $TRAF_CONFIG
 echo "export LDAP_PORT=\"$LDAP_PORT\"" >> $LOCAL_SECURE_CONFIG
 port="LdapPort: $LDAP_PORT"
 sed -i -e "s/LdapPort:389/$port/g" $LDAP_AUTH_FILE

 #Unique IDs
 echo -n "Enter all LDAP unique identifiers (blank separated), default [$LDAP_ID]: "
 read answer
 if [[ -z "$answer" ]]; then
    if [ -z "$LDAP_ID" ]; then
       echo "***ERROR: Must enter LDAP unique identifiers."
       exit -1
    fi
 else
    LDAP_ID=$answer
 fi
 sed -i '/LDAP_ID\=/d' $TRAF_CONFIG
 echo "export LDAP_ID=\"$LDAP_ID\"" >> $LOCAL_SECURE_CONFIG

 counter=0
 for id in $LDAP_ID
 do
   counter=$[$counter+1]
   if [ $counter -eq "1" ]; then
      list=" UniqueIdentifier: $id"
   elif [ $counter -eq "$node_count" ]; then
      list="UniqueIdentifier: $id\n $list"
   else
      list=" LdapHostname: $id\n $list"
   fi
 done

 sed -i -e "s/UniqueIdentifier:/$list/g" $LDAP_AUTH_FILE

 #Encryption level
 echo -n "Enter LDAP Encryption Level (0: Encryption not used, 1: SSL, 2: TLS), default [$LDAP_LEVEL]: "
 read answer
 if [[ -z "$answer" ]]; then
    if [ -z "$LDAP_LEVEL" ]; then
       echo "***ERROR: Must enter LDAP Encryption level."
       exit -1
    fi
 else
    LDAP_LEVEL=$answer
 fi
 sed -i '/LDAP_LEVEL\=/d' $TRAF_CONFIG
 echo "export LDAP_LEVEL=\"$LDAP_LEVEL\"" >> $LOCAL_SECURE_CONFIG

 level="LDAPSSL: $LDAP_LEVEL"
 sed -i -e "s/LDAPSSL:0/$level/g" $LDAP_AUTH_FILE

 if [[ "$LDAP_LEVEL" -eq "1" ]] || [[ "$LDAP_LEVEL" -eq "2" ]]; then
    echo -n "Enter full path to TLS certificate, default [$LDAP_CERT]: "
    read answer
    if [[ -z "$answer" ]]; then
       if [ -z "$LDAP_CERT" ]; then
          echo "***ERROR: Encryption level 2(TLS) requires a certificate file (*.pem)"
          exit -1
       fi
    else
       LDAP_CERT=$answer
       LDAP_CERT_BASE=$(basename $LDAP_CERT)

       if [[ ! -f $LDAP_CERT ]]; then
          echo "***ERROR: File does not exist."
          echo "***ERROR: Please enter full path or check for errors."
          exit -1
       fi

    fi
    sed -i '/LDAP_CERT\=/d' $TRAF_CONFIG
    echo "export LDAP_CERT=\"$LDAP_CERT\"" >> $LOCAL_SECURE_CONFIG
    sed -i '/LDAP_CERT_BASE\=/d' $TRAF_CONFIG
    echo "export LDAP_CERT_BASE=\"$LDAP_CERT_BASE\"" >> $LOCAL_SECURE_CONFIG

    list="TLS_CACERTFilename: $HOME_DIR/$TRAF_USER/$LDAP_CERT_BASE"

    sed -i -e "s@TLS\_CACERTFilename:@$list@" $LDAP_AUTH_FILE
 fi

 #Search username and password
 echo -n "Enter Search user name (if required), default [$LDAP_USER]: "
 read answer
 if [[ ! -z "$answer" ]]; then
    LDAP_USER=$answer
    sed -i '/LDAP_USER\=/d' $TRAF_CONFIG
    echo "export LDAP_USER=\"$LDAP_USER\"" >> $LOCAL_SECURE_CONFIG

    echo -n "Enter Search password (if required), default [$LDAP_PASSWORD]: "
    read answer
    if [[ ! -z "$answer" ]]; then
       LDAP_PASSWORD=$answer
       sed -i '/LDAP_PASSWORD\=/d' $TRAF_CONFIG
       echo "export LDAP_PASSWORD=\"$LDAP_PASSWORD\"" >> $LOCAL_SECURE_CONFIG
    fi
 fi
 user="LDAPSearchDN: $LDAP_USER"
 sed -i -e "s/LDAPSearchDN:/$user/g" $LDAP_AUTH_FILE
 password="LDAPSearchPwd: $LDAP_PASSWORD"
 sed -i -e "s/LDAPSearchPwd:/$password/g" $LDAP_AUTH_FILE


 #LDAP uid/cn assigned to DB__ROOT
 echo -n "Enter LDAP name to be assigned DB root privileges (DB__ROOT), default [$DB_ROOT_NAME]: "
 read answer
 if [[ ! -z "$answer" ]]; then
    DB_ROOT_NAME=$answer
 fi
 sed -i '/DB_ROOT_NAME\=/d' $TRAF_CONFIG
 echo "export DB_ROOT_NAME=\"$DB_ROOT_NAME\"" >> $LOCAL_SECURE_CONFIG

 cat $LOCAL_SECURE_CONFIG >> $TRAF_CONFIG
 echo "***INFO: Trafodion security configuration setup complete"
	#!/bin/bash

	# @@@ START COPYRIGHT @@@
	#
	# Licensed to the Apache Software Foundation (ASF) under one
	# or more contributor license agreements. See the NOTICE file
	# distributed with this work for additional information
	# regarding copyright ownership. The ASF licenses this file
	# to you under the Apache License, Version 2.0 (the
	# "License"); you may not use this file except in compliance
	# with the License. You may obtain a copy of the License at
	#
	# http://www.apache.org/licenses/LICENSE-2.0
	#
	# Unless required by applicable law or agreed to in writing,
	# software distributed under the License is distributed on an
	# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
	# KIND, either express or implied. See the License for the
	# specific language governing permissions and limitations
	# under the License.
	#
	# @@@ END COPYRIGHT @@@

	# KDC attributes
	MAX_LIFETIME="24hours"
	RENEW_LIFETIME="7days"

	# LDAP attributes
	LDAP_AUTH_FILE="traf_authentication_config_${HOSTNAME}"

	HOST_NAME=`hostname -f`

	#==============================================
	# Setup Trafodion environment for secure Hadoop
	#==============================================

	LOCAL_WORKDIR="$( cd "$( dirname "$0" )" && pwd )"

	TRAF_CONFIG="/etc/trafodion/trafodion_config"
	LOCAL_SECURE_CONFIG="$LOCAL_WORKDIR/trafodion_secure_config"
	rm $LOCAL_SECURE_CONFIG 2>/dev/null
	source $TRAF_CONFIG

	# Get Kerberos key details
	# These differ depending on the distribution
	if [[ $HADOOP_TYPE == "cloudera" ]]; then
	TRAF_KEYTAB_DIR='/etc/trafodion'
	TRAF_KEYTAB="trafodion.keytab"
	HBASE_KEYTAB=`sudo find /var/run/cloudera-scm-agent/process/ -name hbase.keytab \| grep 'hbase-MASTER' \| head -n 1`
	HDFS_KEYTAB=`sudo find /var/run/cloudera-scm-agent/process/ -name hdfs.keytab \| grep 'hdfs-NAMENODE/' \| head -n 1`
	else
	TRAF_KEYTAB_DIR='/etc/security/keytabs'
	TRAF_KEYTAB="trafodion.service.keytab"
	HBASE_KEYTAB='/etc/security/keytabs/hbase.service.keytab'
	HDFS_KEYTAB='/etc/security/keytabs/hdfs.headless.keytab'
	fi


	#==============================================
	# Kerberos enabled

	echo "***INFO: Starting Trafodion security configuration setup"

	# Check to see if kerberos is enabled in Hadoop
	cat /etc/hadoop/conf/core-site.xml \| while read a; do
	found=`echo $a \| grep "hadoop.security.authentication" \| wc -l`
	if [[ $found -eq 1 ]]; then
	read b
	enabled=`echo $b \| grep kerberos \| wc -l`
	if [[ $enabled -eq 1 ]]; then
	exit 1
	else
	exit 0
	fi
	fi
	done

	retcode=$?
	if [[ $retcode -eq 1 ]]; then
	SECURE_HADOOP="Y"
	else
	SECURE_HADOOP="N"
	fi
	sed -i '/SECURE_HADOOP\=/d' $TRAF_CONFIG
	echo "export SECURE_HADOOP=\"$SECURE_HADOOP\"" >> $LOCAL_SECURE_CONFIG


	if [[ "$SECURE_HADOOP" == "Y" ]]; then
	echo -n "Enter KDC server address, default is [$KDC_SERVER]:"
	read answer
	if [[ ! -z $answer ]]; then KDC_SERVER=$answer; fi
	sed -i '/KDC_SERVER\=/d' $TRAF_CONFIG
	echo "export KDC_SERVER=\"$KDC_SERVER\"" >> $LOCAL_SECURE_CONFIG

	echo -n "Enter admin principal (include realm), default is [$ADMIN_PRINCIPAL]:"
	read answer
	if [[ ! -z $answer ]]; then ADMIN_PRINCIPAL=$answer; fi
	sed -i '/ADMIN_PRINCIPAL\=/d' $TRAF_CONFIG
	echo "export ADMIN_PRINCIPAL=\"$ADMIN_PRINCIPAL\"" >> $LOCAL_SECURE_CONFIG

	# need a secure way to save password, until then ask later
	#echo -n "Enter admin password:"
	#read -s answer
	#if [[ ! -z $answer ]]; then ADMIN_PASSWD=$answer; fi
	#echo ""

	echo -n "Enter fully qualified name for HBase keytab, default is [$HBASE_KEYTAB]:"
	read answer
	if [[ ! -z $answer ]]; then HBASE_KEYTAB=$answer; fi
	sed -i '/HBASE_KEYTAB\=/d' $TRAF_CONFIG
	echo "export HBASE_KEYTAB=\"$HBASE_KEYTAB\"" >> $LOCAL_SECURE_CONFIG

	echo -n "Enter fully qualified name for HDFS keytab, default is [$HDFS_KEYTAB]:"
	read answer
	if [[ ! -z $answer ]]; then HDFS_KEYTAB=$answer; fi
	sed -i '/HDFS_KEYTAB\=/d' $TRAF_CONFIG
	echo "export HDFS_KEYTAB=\"$HDFS_KEYTAB\"" >> $LOCAL_SECURE_CONFIG

	echo -n "Enter max lifetime for Trafodion principal (valid format required), default is [$MAX_LIFETIME]:"
	read answer
	if [[ ! -z $answer ]]; then MAX_LIFETIME=$answer; fi
	sed -i '/MAX_LIFETIME\=/d' $TRAF_CONFIG
	echo "export MAX_LIFETIME=\"$MAX_LIFETIME\"" >> $LOCAL_SECURE_CONFIG

	echo -n "Enter renew lifetime for Trafodion principal (valid format required), default is [$RENEW_LIFETIME]:"
	read answer
	if [[ ! -z $answer ]]; then RENEW_LIFETIME=$answer; fi
	sed -i '/RENEW_LIFETIME\=/d' $TRAF_CONFIG
	echo "export RENEW_LIFETIME=\"$RENEW_LIFETIME\"" >> $LOCAL_SECURE_CONFIG

	echo -n "Enter Trafodion keytab name, default is [$TRAF_KEYTAB]:"
	read answer
	if [[ ! -z $answer ]]; then TRAF_KEYTAB=$answer; fi
	sed -i '/TRAF_KEYTAB\=/d' $TRAF_CONFIG
	echo "export TRAF_KEYTAB=\"$TRAF_KEYTAB\"" >> $LOCAL_SECURE_CONFIG

	echo -n "Enter keytab location, default is [$TRAF_KEYTAB_DIR]:"
	read answer
	if [[ ! -d $TRAF_KEYTAB_DIR ]]; then
	echo -n "**Missing keytab directory $TRAF_KEYTAB_DIR, create it (Y/N), default is [Y]:"
	read answer
	if [[ "${answer}" =~ ^[Yy]$ ]]; then
	if [[ "$all_node_count" -ne "1" ]]; then
	echo "***INFO: creating $TRAF_KEYTAB_DIR"
	$TRAF_PDSH $MY_NODES sudo mkdir -p $TRAF_KEYTAB_DIR 2>/dev/null
	$TRAF_PDSH $MY_NODES sudo chown $TRAF_USER:$TRAF_GROUP $TRAF_KEYTAB_DIR
	$TRAF_PDSH $MY_NODES sudo chmod 700 $TRAF_KEYTAB_DIR
	else
	echo "***INFO: creating $TRAF_KEYTAB_DIR"
	sudo mkdir -p $TRAF_KEYTAB_DIR 2>/dev/null
	sudo chown $TRAF_USER:$TRAF_GROUP $TRAF_KEYTAB_DIR
	sudo chmod 700 $TRAF_KEYTAB_DIR
	fi
	else
	echo "***ERROR: Please create $TRAF_KEYTAB_DIR on all nodes and rerun"
	exit 1
	fi
	fi
	sed -i '/TRAF_KEYTAB_DIR\=/d' $TRAF_CONFIG
	echo "export TRAF_KEYTAB_DIR=\"$TRAF_KEYTAB_DIR\"" >> $LOCAL_SECURE_CONFIG
	fi

	#==============================================
	# LDAP security

	if [[ "$SECURE_HADOOP" == "Y" ]]; then
	LDAP_SECURITY="Y"
	else
	echo -n "Enable LDAP security (Y/N), default is [$LDAP_SECURITY]: "
	read answer

	if [ ! -z $answer ]; then
	if [[ "${answer}" =~ ^[Yy]$ ]]; then
	LDAP_SECURITY="Y"
	else
	LDAP_SECURITY="N"
	fi
	fi
	fi
	sed -i '/LDAP_SECURITY\=/d' $TRAF_CONFIG
	echo "export LDAP_SECURITY=\"$LDAP_SECURITY\"" >> $LOCAL_SECURE_CONFIG

	if [[ "$LDAP_SECURITY" == "N" ]]; then
	cat $LOCAL_SECURE_CONFIG >> $TRAF_CONFIG
	echo "***INFO: Trafodion security configuration setup complete"
	exit 0;
	fi

	#Hostnames
	echo -n "Enter list of LDAP Hostnames (blank separated), default [$LDAP_HOSTS]: "
	read answer
	if [[ -z "$answer" ]]; then
	if [ -z "$LDAP_HOSTS" ]; then
	echo "***ERROR: Must enter list of LDAP Hostnames."
	exit -1
	fi
	else
	LDAP_HOSTS=$answer
	fi
	sed -i '/LDAP_HOSTS\=/d' $TRAF_CONFIG
	echo "export LDAP_HOSTS=\"$LDAP_HOSTS\"" >> $LOCAL_SECURE_CONFIG
	cp -rf traf_authentication_conf_default $LOCAL_WORKDIR/$LDAP_AUTH_FILE
	sed -i '/LDAP_AUTH_FILE\=/d' $TRAF_CONFIG
	echo "export LDAP_AUTH_FILE=\"$LDAP_AUTH_FILE\"" >> $LOCAL_SECURE_CONFIG

	counter=0
	for host in $LDAP_HOSTS
	do
	counter=$[$counter+1]
	if [ $counter -eq "1" ]; then
	list=" LdapHostname: $host"
	elif [ $counter -eq "$node_count" ]; then
	list="LdapHostname: $host\n $list"
	else
	list=" LdapHostname: $host\n $list"
	fi
	done
	sed -i -e "s/LdapHostname:/$list/g" $LDAP_AUTH_FILE

	#Port numbers
	echo -n "Enter LDAP Port number (Example: 389 for no encryption or TLS, 636 for SSL), default [$LDAP_PORT]: "
	read answer
	if [[ -z "$answer" ]]; then
	if [ -z "$LDAP_PORT" ]; then
	echo "***ERROR: Must enter LDAP port."
	exit -1
	fi
	else
	LDAP_PORT=$answer
	fi

	sed -i '/LDAP_PORT\=/d' $TRAF_CONFIG
	echo "export LDAP_PORT=\"$LDAP_PORT\"" >> $LOCAL_SECURE_CONFIG
	port="LdapPort: $LDAP_PORT"
	sed -i -e "s/LdapPort:389/$port/g" $LDAP_AUTH_FILE

	#Unique IDs
	echo -n "Enter all LDAP unique identifiers (blank separated), default [$LDAP_ID]: "
	read answer
	if [[ -z "$answer" ]]; then
	if [ -z "$LDAP_ID" ]; then
	echo "***ERROR: Must enter LDAP unique identifiers."
	exit -1
	fi
	else
	LDAP_ID=$answer
	fi
	sed -i '/LDAP_ID\=/d' $TRAF_CONFIG
	echo "export LDAP_ID=\"$LDAP_ID\"" >> $LOCAL_SECURE_CONFIG

	counter=0
	for id in $LDAP_ID
	do
	counter=$[$counter+1]
	if [ $counter -eq "1" ]; then
	list=" UniqueIdentifier: $id"
	elif [ $counter -eq "$node_count" ]; then
	list="UniqueIdentifier: $id\n $list"
	else
	list=" LdapHostname: $id\n $list"
	fi
	done

	sed -i -e "s/UniqueIdentifier:/$list/g" $LDAP_AUTH_FILE

	#Encryption level
	echo -n "Enter LDAP Encryption Level (0: Encryption not used, 1: SSL, 2: TLS), default [$LDAP_LEVEL]: "
	read answer
	if [[ -z "$answer" ]]; then
	if [ -z "$LDAP_LEVEL" ]; then
	echo "***ERROR: Must enter LDAP Encryption level."
	exit -1
	fi
	else
	LDAP_LEVEL=$answer
	fi
	sed -i '/LDAP_LEVEL\=/d' $TRAF_CONFIG
	echo "export LDAP_LEVEL=\"$LDAP_LEVEL\"" >> $LOCAL_SECURE_CONFIG

	level="LDAPSSL: $LDAP_LEVEL"
	sed -i -e "s/LDAPSSL:0/$level/g" $LDAP_AUTH_FILE

	if [[ "$LDAP_LEVEL" -eq "1" ]] \|\| [[ "$LDAP_LEVEL" -eq "2" ]]; then
	echo -n "Enter full path to TLS certificate, default [$LDAP_CERT]: "
	read answer
	if [[ -z "$answer" ]]; then
	if [ -z "$LDAP_CERT" ]; then
	echo "**ERROR: Encryption level 2(TLS) requires a certificate file (.pem)"
	exit -1
	fi
	else
	LDAP_CERT=$answer
	LDAP_CERT_BASE=$(basename $LDAP_CERT)

	if [[ ! -f $LDAP_CERT ]]; then
	echo "***ERROR: File does not exist."
	echo "***ERROR: Please enter full path or check for errors."
	exit -1
	fi

	fi
	sed -i '/LDAP_CERT\=/d' $TRAF_CONFIG
	echo "export LDAP_CERT=\"$LDAP_CERT\"" >> $LOCAL_SECURE_CONFIG
	sed -i '/LDAP_CERT_BASE\=/d' $TRAF_CONFIG
	echo "export LDAP_CERT_BASE=\"$LDAP_CERT_BASE\"" >> $LOCAL_SECURE_CONFIG

	list="TLS_CACERTFilename: $HOME_DIR/$TRAF_USER/$LDAP_CERT_BASE"

	sed -i -e "s@TLS\_CACERTFilename:@$list@" $LDAP_AUTH_FILE
	fi

	#Search username and password
	echo -n "Enter Search user name (if required), default [$LDAP_USER]: "
	read answer
	if [[ ! -z "$answer" ]]; then
	LDAP_USER=$answer
	sed -i '/LDAP_USER\=/d' $TRAF_CONFIG
	echo "export LDAP_USER=\"$LDAP_USER\"" >> $LOCAL_SECURE_CONFIG

	echo -n "Enter Search password (if required), default [$LDAP_PASSWORD]: "
	read answer
	if [[ ! -z "$answer" ]]; then
	LDAP_PASSWORD=$answer
	sed -i '/LDAP_PASSWORD\=/d' $TRAF_CONFIG
	echo "export LDAP_PASSWORD=\"$LDAP_PASSWORD\"" >> $LOCAL_SECURE_CONFIG
	fi
	fi
	user="LDAPSearchDN: $LDAP_USER"
	sed -i -e "s/LDAPSearchDN:/$user/g" $LDAP_AUTH_FILE
	password="LDAPSearchPwd: $LDAP_PASSWORD"
	sed -i -e "s/LDAPSearchPwd:/$password/g" $LDAP_AUTH_FILE


	#LDAP uid/cn assigned to DB__ROOT
	echo -n "Enter LDAP name to be assigned DB root privileges (DB__ROOT), default [$DB_ROOT_NAME]: "
	read answer
	if [[ ! -z "$answer" ]]; then
	DB_ROOT_NAME=$answer
	fi
	sed -i '/DB_ROOT_NAME\=/d' $TRAF_CONFIG
	echo "export DB_ROOT_NAME=\"$DB_ROOT_NAME\"" >> $LOCAL_SECURE_CONFIG

	cat $LOCAL_SECURE_CONFIG >> $TRAF_CONFIG
	echo "***INFO: Trafodion security configuration setup complete"