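<#
.SYNOPSIS
A script to delete and re-create the STS signing certificate and signing chains within VMware Directory on vCenter 6.0.
.NOTES
Author: Vincent Santa Maria [vinny.santa-maria@broadcom.com]
Version: 1.0
.DESCRIPTION
This script will create a new public/private key pair and new STS signing certificate, delete all current STS signing
certificates and signing chains, and install the new STS signing certificate and signing chain into VMware Directory.

Flow:
  1. certool generates a fresh key pair and a signing certificate under C:\Windows\temp.
     If either certool step fails the script stops before touching VMware Directory.
  2. The script binds to the local VMware Directory (LDAP over loopback) as the SSO administrator and deletes every
     vmwSTSTenantCredential / vmwSTSTenantTrustedCertificateChain entry below cn=Ldus,cn=ComponentManager,
     deepest entries first so that no delete is attempted on a non-leaf entry.
  3. STSInstaller re-creates the STS tenant from the new certificate and key.
Once the installer succeeds the temporary key/cert files are removed so the new private key is not left at rest
in a shared temp directory. If the installer fails they are kept for a retry.
#>

# Temporary artefacts produced by certool and consumed by STSInstaller.
$key_path  = 'C:\Windows\temp\new-ssoserverSign.key'
$pub_path  = 'C:\Windows\temp\new-ssoserverSign.pub'
$cert_path = 'C:\Windows\temp\new-ssoserverSign.crt'
$certool   = "$Env:VMWARE_CIS_HOME\vmcad\certool.exe"

# Prints the failure banner for an LDAP response that did not return Success.
function Write-LdapFailure {
    param($response)
    Write-Host "Failed!"
    Write-Host ("ResultCode: " + $response.ResultCode)
    Write-Host ("Message: " + $response.ErrorMessage)
}

# --- 1. Generate the new key pair and signing certificate ---------------------------------------------------------
Write-Host "Generating new public/private key pair..."
& $certool --genkey "--privkey=$key_path" "--pubkey=$pub_path"
if ($LASTEXITCODE -ne 0) {
    Write-Host "certool --genkey failed (exit code $LASTEXITCODE); VMware Directory has not been modified."
    exit 1
}

Write-Host "Generating new STS signing certificate..."
& $certool --gencert "--priv=$key_path" '--Name=ssoserverSign' "--cert=$cert_path" `
    "--config=$Env:VMWARE_CFG_DIR\sso\signcert_vmidentity.cfg" '--server=localhost'
if ($LASTEXITCODE -ne 0) {
    Write-Host "certool --gencert failed (exit code $LASTEXITCODE); VMware Directory has not been modified."
    exit 1
}

# --- 2. Connect to the local VMware Directory ----------------------------------------------------------------------
Add-Type -AssemblyName System.DirectoryServices.Protocols

# Plaintext LDAP on the loopback interface of this node, as the original tooling does: the bind credentials never
# leave the host. Do not repoint this at a remote server without switching to LDAPS.
$connection = New-Object System.DirectoryServices.Protocols.LdapConnection "localhost:389"
$connection.SessionOptions.SecureSocketLayer = $false
$connection.SessionOptions.ProtocolVersion = 3
$connection.AuthType = [System.DirectoryServices.Protocols.AuthType]::Basic

# Resolve the SSO domain (e.g. 'vsphere.local') and derive the DN suffix ('vsphere,dc=local'; callers prepend 'dc=').
$sso_domain = & "$Env:VMWARE_CIS_HOME\vmafdd\vmafd-cli.exe" get-domain-name --server-name localhost
if ($LASTEXITCODE -ne 0 -or [string]::IsNullOrWhiteSpace("$sso_domain")) {
    Write-Host "Could not determine the SSO domain name from vmafd-cli; aborting."
    exit 1
}
$sso_domain_DN = $sso_domain -replace "\.", ",dc="

# Prompt for the SSO administrator credentials.
$credential_prompt = Get-Credential -Message "Enter the DN for the Single Sign-On Administrator account: " -UserName "administrator@$sso_domain"
if (-not $credential_prompt) {
    Write-Host "No credentials supplied; aborting. The new key and certificate remain under C:\Windows\temp."
    exit 1
}

$user = $credential_prompt.UserName.Split('@')[0]
$username = "cn=$user,cn=users,dc=$sso_domain_DN"
Write-Host "`nUser DN is: $username"
# SecureString overload: the password is never materialised as a plain string in a script variable.
$credentials = [System.Net.NetworkCredential]::new($username, $credential_prompt.Password)

# --- 3. Delete the existing STS signing certificates and chains ---------------------------------------------------
$delete_success = $true
try {
    # Bind with the network credentials; the DN form above is what Basic auth against VMware Directory expects.
    $connection.Bind($credentials)

    $search_DN = "cn=Ldus,cn=ComponentManager,dc=$sso_domain_DN"
    $search_filter = "(|(objectclass=vmwSTSTenantCredential)(objectclass=vmwSTSTenantTrustedCertificateChain))"
    $search_scope = [System.DirectoryServices.Protocols.SearchScope]::Subtree
    $search_attribute = @('*')
    $search_request = New-Object System.DirectoryServices.Protocols.SearchRequest `
        -ArgumentList $search_DN, $search_filter, $search_scope, $search_attribute

    $search_request_result = $connection.SendRequest($search_request)
    if ($search_request_result.ResultCode -ne [System.DirectoryServices.Protocols.ResultCode]::Success) {
        Write-LdapFailure $search_request_result
        $delete_success = $false
    } else {
        # Group the matching DNs by depth (number of 'cn=' RDNs). LDAP refuses to delete a non-leaf entry, so the
        # groups must be processed deepest first.
        $entries_by_depth = @{}
        foreach ($entry in $search_request_result.Entries) {
            $entry_DN = $entry.DistinguishedName
            $depth = ([regex]::Matches($entry_DN, 'cn=')).Count
            if (-not $entries_by_depth.ContainsKey($depth)) {
                $entries_by_depth[$depth] = @()
            }
            $entries_by_depth[$depth] += $entry_DN
        }

        Write-Host "`nRemoving STS signing certificates and signing chains..."
        # Hashtable enumeration order is unspecified; sort explicitly so children are removed before their parents.
        foreach ($depth_group in ($entries_by_depth.GetEnumerator() | Sort-Object -Property Key -Descending)) {
            foreach ($dn in $depth_group.Value) {
                $delete_request = New-Object System.DirectoryServices.Protocols.DeleteRequest
                $delete_request.DistinguishedName = $dn
                $delete_request_result = $connection.SendRequest($delete_request)
                if ($delete_request_result.ResultCode -ne [System.DirectoryServices.Protocols.ResultCode]::Success) {
                    Write-LdapFailure $delete_request_result
                    $delete_success = $false
                } else {
                    Write-Host "Successfully deleted $dn"
                }
            }
        }
    }
} finally {
    # Release the bound LDAP session on every exit path.
    $connection.Dispose()
}

# --- 4. Re-create the STS tenant with the new certificate ---------------------------------------------------------
if (-not $delete_success) {
    Write-Host "`nOne or more STS tenant branches could not be deleted; the STS tenant was NOT re-created."
    Write-Host "Review the errors above before retrying. The new key and certificate remain under C:\Windows\temp."
    exit 1
}

Write-Host "All STS Tenant branches deleted!"
Write-Host "`nRe-creating STS tenant..."
# NOTE(review): VMWARE_JAVA_HOME is used without a path separator before 'bin', as in the original; this relies on the
# variable carrying a trailing backslash on the target node — confirm before running elsewhere.
# The space before -XX:HeapDumpPath is required; without it the option is glued onto the ErrorFile path.
$install_cmd = '"%VMWARE_JAVA_HOME%bin\java.exe" -cp "%VMWARE_CIS_HOME%\VMware Identity Services\*;%VMWARE_CIS_HOME%\vmware-sso\commonlib\*;.;*" ' +
    '-Dvmware.log.dir=%VMWARE_LOG_DIR%\sso\ -XX:ErrorFile=%VMWARE_LOG_DIR%\sso\hs_err_stsinstaller_pid%p.log -XX:HeapDumpPath=%VMWARE_LOG_DIR%\sso\ ' +
    'com.vmware.identity.installer.STSInstaller --install --root-cert-path "%VMWARE_DATA_DIR%\vmca\root.cer" ' +
    "--cert-path `"$cert_path`" --private-key-path `"$key_path`" --retry-count 10 --retry-interval 30"
cmd /c $install_cmd
if ($LASTEXITCODE -ne 0) {
    Write-Host "STSInstaller failed (exit code $LASTEXITCODE). The new key and certificate are left under C:\Windows\temp for a retry."
    exit 1
}

# The signing key now lives in VMware Directory; do not leave a copy of the private key in a shared temp directory.
Remove-Item -Force -ErrorAction SilentlyContinue -Path $key_path, $pub_path, $cert_path
Write-Host "STS signing certificate replaced; temporary key material removed from C:\Windows\temp."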