diff options
| author | mharmsen <mharmsen@c9f7a03b-bd48-0410-a16d-cbbf54688b0b> | 2009-05-19 23:46:49 +0000 |
|---|---|---|
| committer | mharmsen <mharmsen@c9f7a03b-bd48-0410-a16d-cbbf54688b0b> | 2009-05-19 23:46:49 +0000 |
| commit | 56684457eb66222c968c88b212b2645fd46dc936 (patch) | |
| tree | b9c776bb18aaad1260681b5841332258d2ebb41e | |
| parent | 7bd2ef6e598edb17aa11aef34bbd8024323445a6 (diff) | |
| download | pki-56684457eb66222c968c88b212b2645fd46dc936.tar.gz pki-56684457eb66222c968c88b212b2645fd46dc936.tar.xz pki-56684457eb66222c968c88b212b2645fd46dc936.zip | |
Bugzilla Bug #491517 - pkisilent Configure RA and TPS fail
(port separation changes only)
Bugzilla Bug #495676 - pkisilent ConfigureCA failure on AdminCertImportPanel
Bugzilla Bug #500748 - pki-silent : issues due to port separation changes
(only addressed CA, KRA, OCSP, and TKS)
git-svn-id: svn+ssh://svn.fedorahosted.org/svn/pki/trunk@461 c9f7a03b-bd48-0410-a16d-cbbf54688b0b
| -rwxr-xr-x | pki/dogtag/scripts/pki_silent.template | 1324 | ||||
| -rw-r--r-- | pki/dogtag/silent/pki-silent.spec | 8 |
2 files changed, 1331 insertions, 1 deletions
diff --git a/pki/dogtag/scripts/pki_silent.template b/pki/dogtag/scripts/pki_silent.template new file mode 100755 index 000000000..304e29ccf --- /dev/null +++ b/pki/dogtag/scripts/pki_silent.template @@ -0,0 +1,1324 @@ +#!/bin/bash +## BEGIN COPYRIGHT BLOCK +## (C) 2009 Red Hat, Inc. +## All rights reserved. +## END COPYRIGHT BLOCK + + +## Always switch into this base directory +## prior to script execution so that all +## of its output is written to this directory + +cd `dirname $0` + + +## Disallow script to be run as the name of this template +pki_silent_script=`basename $0` +if [ "${pki_silent_script}" = "pki_silent.template" ] ; then + printf "\n" + printf "Usage: (1) Install AND configure a directory server instance.\n\n" + printf " (2) Install, but do NOT configure ALL six\n" + printf " 'default' PKI subsystem instances.\n\n" + printf " (3) Install the 'pki-silent' package.\n\n" + printf " (4) Copy '$0' to a new script name\n" + printf " without the '.template' extension.\n" + printf " (e .g. - 'configure_default_pki_instances')\n\n" + printf " (5) Fill in all MANDATORY user-defined variables\n" + printf " in the new script.\n\n" + printf " (6) Change any OPTIONAL user-defined variables\n" + printf " in the new script as desired.\n\n" + printf " (7) Become the 'root' user, and execute the new script to\n" + printf " configure ALL six 'default' PKI subsystem instances.\n\n" + exit 255 +fi + + +## +## This script MUST be run as root! +## + +ROOTUID=0 + +OS=`uname` +if [ "${OS}" = "Linux" ] ; then + MY_EUID=`/usr/bin/id -u` + MY_UID=`/usr/bin/id -ur` + USERNAME=`/usr/bin/id -un` +else + printf "ERROR: Unsupported operating system '${OS}'!\n" + exit 255 +fi + +if [ "${MY_UID}" != "${ROOTUID}" ] && + [ "${MY_EUID}" != "${ROOTUID}" ] ; then + printf "ERROR: The '$0' script must be run as root!\n" + exit 255 +fi + + + +############################################################################## +############################################################################## +## ## +## P K I S I L E N T - V A R I A B L E D E C L A R A T I O N ## +## ## +############################################################################## +############################################################################## + +############################################################################## +## U S E R - D E F I N E D V A R I A B L E S ( M A N D A T O R Y ) ## +############################################################################## + +## +## IMPORTANT: 'Escape' ALL spaces in EACH variable specified below! +## +## For Example: +## +## pki_security_domain_name="My\ Security\ Domain" +## + +## PKI Silent Security Database Variables +## (e. g. - PKI Silent "browser" database) +pki_silent_security_database_repository="/tmp" +pki_silent_security_database_password= + +## PKI Security Domain Variables +## (e. g. - Security Domain Login Panel) +pki_security_domain_name= +pki_security_domain_host=`hostname` +pki_security_domain_admin_name=admin +pki_security_domain_admin_password= + +## PKI Internal LDAP Database Variables +## (e. g. - Database Panel) +pki_ldap_host=localhost +pki_ldap_port=389 +pki_bind_dn="cn=Directory\ Manager" +pki_bind_password= + +## PKI Instance-Specific Token Variables +## (e. g. - Module Panel) +ca_token_name=internal +ca_token_password= + +kra_token_name=internal +kra_token_password= + +ocsp_token_name=internal +ocsp_token_password= + +tks_token_name=internal +tks_token_password= + +ra_token_name=internal +ra_token_password= + +tps_token_name=internal +tps_token_password= + +## PKI Instance-Specific Backup Variables +## (e. g. - Backup Key and Certificates Panel) +ca_backup_password= +kra_backup_password= +ocsp_backup_password= +tks_backup_password= + +## PKI Email Variables +## +## For example, to specify 'pkitest@example.com': +## +## pki_email_name=pkitest +## pki_email_company=example +## pki_email_domain=com +## +pki_email_name= +pki_email_company= +pki_email_domain= + +## PKI Silent Admin Variables +## (e. g. - Import Admin Certificate into PKI Silent "browser" database) +pki_silent_admin_user=admin +pki_silent_admin_password= +pki_silent_admin_email="${pki_email_name}\@${pki_email_company}\.${pki_email_domain}" + + + +############################################################################## +## P R E - D E F I N E D " D E F A U L T " V A R I A B L E S ## +############################################################################## + +## PKI Subsystem Host (computed by default) +pki_host=`hostname` + +## PKI Subsystem Names +ca_subsystem_name="Certificate\ Authority" +kra_subsystem_name="Data\ Recovery\ Manager" +ocsp_subsystem_name="OCSP\ Responder" +tks_subsystem_name="Token\ Key\ Service" +ra_subsystem_name="Registration\ Authority" +tps_subsystem_name="Token\ Processing\ System" + +## PKI Subsystem Instance Names +ca_instance_name="pki-ca" +kra_instance_name="pki-kra" +ocsp_instance_name="pki-ocsp" +tks_instance_name="pki-tks" +ra_instance_name="pki-ra" +tps_instance_name="pki-tps" + +## +## NOTE: Default PKI Instance Ports +## +## CA, DRM, OCSP, TKS: +## +## *180 - non-secure port (not role specific) +## *701 - non-secure Tomcat port +## *443 - secure EE port +## *444 - secure Agent port +## *445 - secure Admin port +## +## RA, TPS: +## +## *888 - non-secure port +## *889 - secure port (clientauth) +## *890 - secure port (non-clientauth) +## +## +## For Example: +## +## semanage port -l | grep pki +## +## pki_ca_port_t tcp 9180, 9701, 9443, 9444, 9445 +## pki_kra_port_t tcp 10180, 10701, 10443, 10444, 10445 +## pki_ocsp_port_t tcp 11180, 11701, 11443, 11444, 11445 +## pki_ra_port_t tcp 12890, 12888, 12889 +## pki_tks_port_t tcp 13180, 13701, 13443, 13444, 13445 +## pki_tps_port_t tcp 7890, 7888, 7889 +## + +## CA ports +ca_nonssl_port=9180 +ca_agent_port=9443 +ca_ee_port=9444 +ca_admin_port=9445 + +## DRM ports +kra_nonssl_port=10180 +kra_agent_port=10443 +kra_ee_port=10444 +kra_admin_port=10445 + +## OCSP ports +ocsp_nonssl_port=11180 +ocsp_agent_port=11443 +ocsp_ee_port=11444 +ocsp_admin_port=11445 + +## TKS ports +tks_nonssl_port=13180 +tks_agent_port=13443 +tks_ee_port=13444 +tks_admin_port=13445 + +## RA ports +ra_nonssl_port=12888 +ra_clientauth_port=12889 +ra_nonclientauth_port=12890 + +## TPS ports +tps_nonssl_port=7888 +tps_clientauth_port=7889 +tps_nonclientauth_port=7890 + + + +############################################################################## +## U S E R - D E F I N E D V A R I A B L E S ( O P T I O N A L ) ## +############################################################################## + +## PKI Silent Log Files +pki_silent_ca_log=/tmp/ca.log +pki_silent_kra_log=/tmp/kra.log +pki_silent_ocsp_log=/tmp/ocsp.log +pki_silent_ra_log=/tmp/ra.log +pki_silent_tks_log=/tmp/tks.log +pki_silent_tps_log=/tmp/tps.log + + +## +## NOTE: For comparison's sake, if the default instances were manually +## configured using a Firefox browser, the content of the corresponding +## Firefox browser's security libraries would be something similar +## to this: +## +## Certificate Nickname Trust Attributes +## SSL,S/MIME,JAR/XPI +## +## Certificate Authority - ${pki_security_domain_name} CT,C,C +## CA Administrator of Instance ${ca_instance_name}'s +## ${pki_security_domain_name} ID u,u,u +## KRA Administrator of Instance ${kra_instance_name}'s +## ${pki_security_domain_name} ID u,u,u +## OCSP Administrator of Instance ${ocsp_instance_name}'s +## ${pki_security_domain_name} ID u,u,u +## TKS Administrator of Instance ${tks_instance_name}'s +## ${pki_security_domain_name} ID u,u,u +## RA Administrator's ${pki_security_domain_name} ID u,u,u +## TPS Administrator's ${pki_security_domain_name} ID u,u,u +## +## where: +## +## Nickname: "Certificate Authority - " +## + "${pki_security_domain_name}" +## Subject Name: "CN=Certificate Authority," +## + "O=${pki_security_domain_name}" +## +## Nickname: "CA Administrator of Instance " +## + "${ca_instance_name}'s " +## + "${pki_security_domain_name} ID" +## Subject Name: "CN=CA Administrator of Instance " +## + "${ca_instance_name}," +## + "UID=admin," +## + "E=${pki_silent_admin_email}," +## + "O=${pki_security_domain_name}" +## +## Nickname: "KRA Administrator of Instance " +## + "${kra_instance_name}'s " +## + "${pki_security_domain_name} ID" +## Subject Name: "CN=KRA Administrator of Instance " +## + "${kra_instance_name}," +## + "UID=admin," +## + "E=${pki_silent_admin_email}," +## + "O=${pki_security_domain_name}" +## +## Nickname: "OCSP Administrator of Instance " +## + "${ocsp_instance_name}'s " +## + "${pki_security_domain_name} ID" +## Subject Name: "CN=OCSP Administrator of Instance " +## + "${ocsp_instance_name}," +## + "UID=admin," +## + "E=${pki_silent_admin_email}," +## + "O=${pki_security_domain_name}" +## +## Nickname: "TKS Administrator of Instance " +## + "${tks_instance_name}'s " +## + "${pki_security_domain_name} ID" +## Subject Name: "CN=TKS Administrator of Instance " +## + "${tks_instance_name}," +## + "UID=admin," +## + "E=${pki_silent_admin_email}," +## + "O=${pki_security_domain_name}" +## +## Nickname: "RA Administrator's " +## + "${pki_security_domain_name} ID" +## Subject Name: "CN=RA Administrator," +## + "UID=admin," +## + "E=${pki_silent_admin_email}," +## + "O=${pki_security_domain_name}" +## +## Nickname: "TPS Administrator's " +## + "${pki_security_domain_name} ID" +## Subject Name: "CN=TPS Administrator," +## + "UID=admin," +## + "E=${pki_silent_admin_email}," +## + "O=${pki_security_domain_name}" +## + + +## Miscellaneous CA Variables +## +## REMINDER: 'Escape' ALL spaces in EACH variable specified below! +## +## NOTE: For comparison's sake, if the default instances were manually +## configured using a Firefox browser, the content of the corresponding +## "/var/lib/${ca_instance_name}/alias/" security libraries would be +## something similar to this: +## +## Certificate Nickname Trust Attributes +## SSL,S/MIME,JAR/XPI +## +## ocspSigningCert cert-${ca_instance_name} u,u,u +## subsystemCert cert-${ca_instance_name} u,u,u +## caSigningCert cert-${ca_instance_name} CTu,Cu,Cu +## Server-Cert cert-${ca_instance_name} u,u,u +## auditSigningCert cert-${ca_instance_name} u,u,u +## +## where: +## +## Nickname: "caSigningCert cert-${ca_instance_name}" +## Subject Name: "CN=Certificate Authority," +## + "O=${pki_security_domain_name}" +## +## Nickname: "subsystemCert cert-${ca_instance_name}" +## Subject Name: "CN=CA Subsystem Certificate," +## + "O=${pki_security_domain_name}" +## +## Nickname: "ocspSigningCert cert-${ca_instance_name}" +## Subject Name: "CN=OCSP Signing Certificate," +## + "O=${pki_security_domain_name}" +## +## Nickname: "Server-Cert cert-${ca_instance_name}" +## Subject Name: "CN=${pki_host}," +## + "O=${pki_security_domain_name}" +## +## Nickname: "auditSigningCert cert-${ca_instance_name}" +## Subject Name: "CN=CA Audit Signing Certificate," +## + "O=${pki_security_domain_name}" +## + +ca_agent_name="CA\ Administrator\ of\ Instance\ ${ca_instance_name}\'s\ ${pki_security_domain_name}\ ID" +ca_agent_key_size=2048 +ca_agent_key_type=rsa +ca_agent_cert_subject="CN=CA\ Administrator\ of\ Instance\ ${ca_instance_name},UID=admin,E=${pki_silent_admin_email},O=${pki_security_domain_name}" +ca_base_dn="dc=${pki_host}-${ca_instance_name}" +ca_db_name="${pki_host}-${ca_instance_name}" +ca_key_size=2048 +ca_key_type=rsa +ca_save_p12=false +ca_sign_cert_subject_name="CN=Certificate\ Authority,O=${pki_security_domain_name}" +ca_subsystem_cert_subject_name="CN=CA\ Subsystem\ Certificate,O=${pki_security_domain_name}" +ca_ocsp_cert_subject_name="CN=OCSP\ Signing\ Certificate,O=${pki_security_domain_name}" +ca_server_cert_subject_name="CN=${pki_host},O=${pki_security_domain_name}" +ca_audit_signing_cert_subject_name="CN=CA\ Audit\ Signing\ Certificate,O=${pki_security_domain_name}" + + +## Miscellaneous DRM Variables +## +## REMINDER: 'Escape' ALL spaces in EACH variable specified below! +## +## NOTE: For comparison's sake, if the default instances were manually +## configured using a Firefox browser, the content of the corresponding +## "/var/lib/${kra_instance_name}/alias/" security libraries would be +## something similar to this: +## +## Certificate Nickname Trust Attributes +## SSL,S/MIME,JAR/XPI +## +## transportCert cert-${kra_instance_name} u,u,u +## Server-Cert cert-${kra_instance_name} u,u,u +## auditSigningCert cert-${kra_instance_name} u,u,u +## Certificate Authority - ${pki_security_domain_name} CT,c, +## storageCert cert-${kra_instance_name} u,u,u +## subsystemCert cert-${kra_instance_name} u,u,u +## +## where: +## +## Nickname: "transportCert cert-${kra_instance_name}" +## Subject Name: "CN=DRM Transport Certificate," +## + "O=${pki_security_domain_name}" +## +## Nickname: "Server-Cert cert-${kra_instance_name}" +## Subject Name: "CN=${pki_host}," +## + "O=${pki_security_domain_name}" +## +## Nickname: "auditSigningCert cert-${kra_instance_name}" +## Subject Name: "CN=DRM Audit Signing Certificate," +## + "O=${pki_security_domain_name}" +## +## Nickname: "Certificate Authority - " +## + "${pki_security_domain_name}" +## Subject Name: "CN=Certificate Authority," +## + "O=${pki_security_domain_name}" +## +## Nickname: "storageCert cert-${kra_instance_name}" +## Subject Name: "CN=DRM Storage Certificate," +## + "O=${pki_security_domain_name}" +## +## Nickname: "subsystemCert cert-${kra_instance_name}" +## Subject Name: "CN=DRM Subsystem Certificate," +## + "O=${pki_security_domain_name}" +## + +kra_agent_name="KRA\ Administrator\ of\ Instance\ ${kra_instance_name}\'s\ ${pki_security_domain_name}\ ID" +kra_agent_key_size=2048 +kra_agent_key_type=rsa +kra_agent_cert_subject="CN=KRA\ Administrator\ of\ Instance\ ${kra_instance_name},UID=admin,E=${pki_silent_admin_email},O=${pki_security_domain_name}" +kra_base_dn="dc=${pki_host}-${kra_instance_name}" +kra_db_name="${pki_host}-${kra_instance_name}" +kra_key_size=2048 +kra_key_type=rsa +kra_transport_cert_subject_name="CN=DRM\ Transport\ Certificate,O=${pki_security_domain_name}" +kra_subsystem_cert_subject_name="CN=DRM\ Subsystem\ Certificate,O=${pki_security_domain_name}" +kra_storage_cert_subject_name="CN=DRM\ Storage\ Certificate,O=${pki_security_domain_name}" +kra_server_cert_subject_name="CN=${pki_host},O=${pki_security_domain_name}" +kra_audit_signing_cert_subject_name="CN=DRM\ Audit\ Signing\ Certificate,O=${pki_security_domain_name}" + + +## Miscellaneous OCSP Variables +## +## REMINDER: 'Escape' ALL spaces in EACH variable specified below! +## +## NOTE: For comparison's sake, if the default instances were manually +## configured using a Firefox browser, the content of the corresponding +## "/var/lib/${ocsp_instance_name}/alias/" security libraries would be +## something similar to this: +## +## Certificate Nickname Trust Attributes +## SSL,S/MIME,JAR/XPI +## +## ocspSigningCert cert-${ocsp_instance_name} CTu,Cu,Cu +## subsystemCert cert-${ocsp_instance_name} u,u,u +## Certificate Authority - ${pki_security_domain_name} CT,c, +## Server-Cert cert-${ocsp_instance_name} u,u,u +## auditSigningCert cert-${ocsp_instance_name} u,u,u +## +## where: +## +## Nickname: "ocspSigningCert cert-${ocsp_instance_name}" +## Subject Name: "CN=OCSP Signing Certificate," +## + "O=${pki_security_domain_name}" +## +## Nickname: "subsystemCert cert-${ocsp_instance_name}" +## Subject Name: "CN=OCSP Subsystem Certificate," +## + "O=${pki_security_domain_name}" +## +## Nickname: "Certificate Authority - " +## + "${pki_security_domain_name}" +## Subject Name: "CN=Certificate Authority," +## + "O=${pki_security_domain_name}" +## +## Nickname: "Server-Cert cert-${ocsp_instance_name}" +## Subject Name: "CN=${pki_host}," +## + "O=${pki_security_domain_name}" +## +## Nickname: "auditSigningCert cert-${ocsp_instance_name}" +## Subject Name: "CN=OCSP Audit Signing Certificate," +## + "O=${pki_security_domain_name}" +## + +ocsp_agent_name="OCSP\ Administrator\ of\ Instance\ ${ocsp_instance_name}\'s\ ${pki_security_domain_name}\ ID" +ocsp_agent_key_size=2048 +ocsp_agent_key_type=rsa +ocsp_agent_cert_subject="CN=OCSP\ Administrator\ of\ Instance\ ${ocsp_instance_name},UID=admin,E=${pki_silent_admin_email},O=${pki_security_domain_name}" +ocsp_base_dn="dc=${pki_host}-${ocsp_instance_name}" +ocsp_db_name="${pki_host}-${ocsp_instance_name}" +ocsp_key_size=2048 +ocsp_key_type=rsa +ocsp_sign_cert_subject_name="CN=OCSP\ Signing\ Certificate,O=${pki_security_domain_name}" +ocsp_subsystem_cert_subject_name="CN=OCSP\ Subsystem\ Certificate,O=${pki_security_domain_name}" +ocsp_server_cert_subject_name="CN=${pki_host},O=${pki_security_domain_name}" +ocsp_audit_signing_cert_subject_name="CN=OCSP\ Audit\ Signing\ Certificate,O=${pki_security_domain_name}" + + +## Miscellaneous TKS Variables +## +## REMINDER: 'Escape' ALL spaces in EACH variable specified below! +## +## NOTE: For comparison's sake, if the default instances were manually +## configured using a Firefox browser, the content of the corresponding +## "/var/lib/${tks_instance_name}/alias/" security libraries would be +## something similar to this: +## +## Certificate Nickname Trust Attributes +## SSL,S/MIME,JAR/XPI +## +## subsystemCert cert-${tks_instance_name} u,u,u +## DRM Transport Certificate - ${pki_security_domain_name} c,c,c +## Certificate Authority - ${pki_security_domain_name} CT,c, +## Server-Cert cert-${tks_instance_name} u,u,u +## auditSigningCert cert-${tks_instance_name} u,u,u +## +## where: +## +## Nickname: "subsystemCert cert-${tks_instance_name}" +## Subject Name: "CN=TKS Subsystem Certificate," +## + "O=${pki_security_domain_name}" +## +## Nickname: "DRM Transport Certificate - " +## + "${pki_security_domain_name}" +## Subject Name: "CN=DRM Transport Certificate," +## + "O=${pki_security_domain_name}" +## +## Nickname: "Certificate Authority - " +## + "${pki_security_domain_name}" +## Subject Name: "CN=Certificate Authority," +## + "O=${pki_security_domain_name}" +## +## Nickname: "Server-Cert cert-${tks_instance_name}" +## Subject Name: "CN=${pki_host}," +## + "O=${pki_security_domain_name}" +## +## Nickname: "auditSigningCert cert-${tks_instance_name}" +## Subject Name: "CN=TKS Audit Signing Certificate," +## + "O=${pki_security_domain_name}" +## + +tks_agent_name="TKS\ Administrator\ of\ Instance\ ${tks_instance_name}\'s\ ${pki_security_domain_name}\ ID" +tks_agent_key_size=2048 +tks_agent_key_type=rsa +tks_agent_cert_subject="CN=TKS\ Administrator\ of\ Instance\ ${tks_instance_name},UID=admin,E=${pki_silent_admin_email},O=${pki_security_domain_name}" +tks_base_dn="dc=${pki_host}-${tks_instance_name}" +tks_db_name="${pki_host}-${tks_instance_name}" +tks_key_size=2048 +tks_key_type=rsa +tks_subsystem_cert_subject_name="CN=TKS\ Subsystem\ Certificate,O=${pki_security_domain_name}" +tks_server_cert_subject_name="CN=${pki_host},O=${pki_security_domain_name}" +tks_audit_signing_cert_subject_name="CN=TKS\ Audit\ Signing\ Certificate,O=${pki_security_domain_name}" + + +## Miscellaneous RA Variables +## +## REMINDER: 'Escape' ALL spaces in EACH variable specified below! +## +## NOTE: For comparison's sake, if the default instances were manually +## configured using a Firefox browser, the content of the corresponding +## "/var/lib/${ra_instance_name}/alias/" security libraries would be +## something similar to this: +## +## Certificate Nickname Trust Attributes +## SSL,S/MIME,JAR/XPI +## +## subsystemCert cert-${ra_instance_name} u,u,u +## caCert CT,C,C +## Server-Cert cert-${ra_instance_name} u,u,u +## +## where: +## +## Nickname: "subsystemCert cert-${ra_instance_name}" +## Subject Name: "CN=RA Subsystem Certificate," +## + "OU=${ra_instance_name}," +## + "O=${pki_security_domain_name}" +## +## Nickname: "caCert" +## Subject Name: "CN=Certificate Authority," +## + "O=${pki_security_domain_name}" +## +## Nickname: "Server-Cert cert-${ra_instance_name}" +## Subject Name: "CN=${pki_host}," +## + "OU=${ra_instance_name}," +## + "O=${pki_security_domain_name}" +## + +ra_chosen_ca_hostname=${pki_security_domain_host} +ra_chosen_ca_nonssl_port=${ca_nonssl_port} +ra_chosen_ca_ssl_port=${ca_ee_port} +ra_chosen_ca_admin_port=${ca_admin_port} +ra_agent_name="RA\ Administrator\'s\ ${pki_security_domain_name}\ ID" +ra_agent_key_size=2048 +ra_agent_key_type=rsa +ra_agent_cert_subject="CN=RA\ Administrator,UID=admin,E=${pki_silent_admin_email},O=${pki_security_domain_name}" +ra_key_size=2048 +ra_key_type=rsa +ra_subsystem_cert_subject_name="CN=RA\ Subsystem\ Certificate,OU=${ra_instance_name},O=${pki_security_domain_name}" +ra_server_cert_subject_name="CN=${pki_host},OU=${ra_instance_name},O=${pki_security_domain_name}" + + +## Miscellaneous TPS Variables +## +## REMINDER: 'Escape' ALL spaces in EACH variable specified below! +## +## NOTE: For comparison's sake, if the default instances were manually +## configured using a Firefox browser, the content of the corresponding +## "/var/lib/${tps_instance_name}/alias/" security libraries would be +## something similar to this: +## +## Certificate Nickname Trust Attributes +## SSL,S/MIME,JAR/XPI +## +## subsystemCert cert-${tps_instance_name} u,u,u +## caCert CT,C,C +## Server-Cert cert-${tps_instance_name} u,u,u +## auditSigningCert cert-${tps_instance_name} u,u,u +## +## where: +## +## Nickname: "subsystemCert cert-${tps_instance_name}" +## Subject Name: "CN=TPS Subsystem Certificate," +## + "OU=${tps_instance_name}," +## + "O=${pki_security_domain_name}" +## +## Nickname: "caCert" +## Subject Name: "CN=Certificate Authority," +## + "O=${pki_security_domain_name}" +## +## Nickname: "Server-Cert cert-${tps_instance_name}" +## Subject Name: "CN=${pki_host}," +## + "OU=${tps_instance_name}," +## + "O=${pki_security_domain_name}" +## +## Nickname: "auditSigningCert cert-${tps_instance_name}" +## Subject Name: "CN=TPS Audit Signing Certificate," +## + "OU=${tps_instance_name}," +## + "O=${pki_security_domain_name}" +## + +tps_chosen_ca_hostname=${pki_security_domain_host} +tps_chosen_ca_nonssl_port=${ca_nonssl_port} +tps_chosen_ca_ssl_port=${ca_ee_port} +tps_chosen_ca_admin_port=${ca_admin_port} +tps_chosen_tks_hostname=${pki_host} +tps_chosen_tks_ssl_port=${tks_ee_port} +tps_chosen_drm_hostname=${pki_host} +tps_chosen_drm_ssl_port=${kra_ee_port} +tps_agent_name="TPS\ Administrator\'s\ ${pki_security_domain_name}\ ID" +tps_agent_key_size=2048 +tps_agent_key_type=rsa +tps_agent_cert_subject="CN=TPS\ Administrator,UID=admin,E=${pki_silent_admin_email},O=${pki_security_domain_name}" +tps_ldap_auth_host=localhost +tps_ldap_auth_port=389 +tps_ldap_auth_base_dn="dc=${pki_email_company},dc=${pki_email_domain}" +tps_base_dn="dc=${pki_host}-${tps_instance_name}" +tps_db_name="${pki_host}-${tps_instance_name}" +tps_key_size=2048 +tps_key_type=rsa +tps_ss_keygen=true +tps_subsystem_cert_subject_name="CN=TPS\ Subsystem\ Certificate,OU=${tps_instance_name},O=${pki_security_domain_name}" +tps_server_cert_subject_name="CN=${pki_host},OU=${tps_instance_name},O=${pki_security_domain_name}" +tps_audit_signing_cert_subject_name="CN=TPS\ Audit\ Signing\ Certificate,OU=${tps_instance_name},O=${pki_security_domain_name}" + + + +############################################################################## +############################################################################## +## ## +## P K I S I L E N T - S U B S Y S T E M C O N F I G U R A T I O N ## +## ## +############################################################################## +############################################################################## + +############################################################################## +## P K I S I L E N T I N I T I A L I Z A T I O N ## +############################################################################## + +## (1) Make certain that user has defined all MANDATORY user-defined variables! +usage_errors=0 +usage_error_preamble="ERROR: User MUST define a value for" + +if [ "${pki_silent_security_database_password}" = "" ] ; then + printf "${usage_error_preamble} 'pki_silent_security_database_password'!\n" + usage_errors=`expr ${usage_errors} + 1` +fi +if [ "${pki_security_domain_name}" = "" ] ; then + printf "${usage_error_preamble} 'pki_security_domain_name'!\n" + usage_errors=`expr ${usage_errors} + 1` +fi +if [ "${pki_security_domain_admin_password}" = "" ] ; then + printf "${usage_error_preamble} 'pki_security_domain_admin_password'!\n" + usage_errors=`expr ${usage_errors} + 1` +fi +if [ "${pki_bind_password}" = "" ] ; then + printf "${usage_error_preamble} 'pki_bind_password'!\n" + usage_errors=`expr ${usage_errors} + 1` +fi +if [ "${ca_token_password}" = "" ] ; then + printf "${usage_error_preamble} 'ca_token_password'!\n" + usage_errors=`expr ${usage_errors} + 1` +fi +if [ "${kra_token_password}" = "" ] ; then + printf "${usage_error_preamble} 'kra_token_password'!\n" + usage_errors=`expr ${usage_errors} + 1` +fi +if [ "${ocsp_token_password}" = "" ] ; then + printf "${usage_error_preamble} 'ocsp_token_password'!\n" + usage_errors=`expr ${usage_errors} + 1` +fi +if [ "${tks_token_password}" = "" ] ; then + printf "${usage_error_preamble} 'tks_token_password'!\n" + usage_errors=`expr ${usage_errors} + 1` +fi +if [ "${ra_token_password}" = "" ] ; then + printf "${usage_error_preamble} 'ra_token_password'!\n" + usage_errors=`expr ${usage_errors} + 1` +fi +if [ "${tps_token_password}" = "" ] ; then + printf "${usage_error_preamble} 'tps_token_password'!\n" + usage_errors=`expr ${usage_errors} + 1` +fi +if [ "${ca_backup_password}" = "" ] ; then + printf "${usage_error_preamble} 'ca_backup_password'!\n" + usage_errors=`expr ${usage_errors} + 1` +fi +if [ "${kra_backup_password}" = "" ] ; then + printf "${usage_error_preamble} 'kra_backup_password'!\n" + usage_errors=`expr ${usage_errors} + 1` +fi +if [ "${ocsp_backup_password}" = "" ] ; then + printf "${usage_error_preamble} 'ocsp_backup_password'!\n" + usage_errors=`expr ${usage_errors} + 1` +fi +if [ "${tks_backup_password}" = "" ] ; then + printf "${usage_error_preamble} 'tks_backup_password'!\n" + usage_errors=`expr ${usage_errors} + 1` +fi +if [ "${pki_email_name}" = "" ] ; then + printf "${usage_error_preamble} 'pki_email_name'!\n" + usage_errors=`expr ${usage_errors} + 1` +fi +if [ "${pki_email_company}" = "" ] ; then + printf "${usage_error_preamble} 'pki_email_company'!\n" + usage_errors=`expr ${usage_errors} + 1` +fi +if [ "${pki_email_domain}" = "" ] ; then + printf "${usage_error_preamble} 'pki_email_domain'!\n" + usage_errors=`expr ${usage_errors} + 1` +fi +if [ "${pki_silent_admin_password}" = "" ] ; then + printf "${usage_error_preamble} 'pki_silent_admin_password'!\n" + usage_errors=`expr ${usage_errors} + 1` +fi + + +## (2) Make certain that a PKI instance of the specified name EXISTS, +## but has NOT been previously CONFIGURED! +existence_errors=0 +existence_error_preamble="ERROR: No PKI Instance named" +configuration_errors=0 +configuration_error_preamble="ERROR: A PKI Instance named" +configuration_error_postamble="EXISTS,\n but has PREVIOUSLY been CONFIGURED!" + +if [ ! -f "/var/lib/${ca_instance_name}/conf/CS.cfg" ] ; then + printf "${existence_error_preamble} '${ca_instance_name}' EXISTS!\n" + existence_errors=`expr ${existence_errors} + 1` +else + ca_configuration_check=`grep -c preop /var/lib/${ca_instance_name}/conf/CS.cfg` + if [ ${ca_configuration_check} -eq 0 ] ; then + printf "${configuration_error_preamble} '${ca_instance_name}' " + printf "${configuration_error_postamble}\n" + configuration_errors=`expr ${configuration_errors} + 1` + fi +fi +if [ ! -f "/var/lib/${kra_instance_name}/conf/CS.cfg" ] ; then + printf "${existence_error_preamble} '${kra_instance_name}' EXISTS!\n" + existence_errors=`expr ${existence_errors} + 1` +else + kra_configuration_check=`grep -c preop /var/lib/${kra_instance_name}/conf/CS.cfg` + if [ ${kra_configuration_check} -eq 0 ] ; then + printf "${configuration_error_preamble} '${kra_instance_name}' " + printf "${configuration_error_postamble}\n" + configuration_errors=`expr ${configuration_errors} + 1` + fi +fi +if [ ! -f "/var/lib/${ocsp_instance_name}/conf/CS.cfg" ] ; then + printf "${existence_error_preamble} '${ocsp_instance_name}' EXISTS!\n" + existence_errors=`expr ${existence_errors} + 1` +else + ocsp_configuration_check=`grep -c preop /var/lib/${ocsp_instance_name}/conf/CS.cfg` + if [ ${ocsp_configuration_check} -eq 0 ] ; then + printf "${configuration_error_preamble} '${ocsp_instance_name}' " + printf "${configuration_error_postamble}\n" + configuration_errors=`expr ${configuration_errors} + 1` + fi +fi +if [ ! -f "/var/lib/${tks_instance_name}/conf/CS.cfg" ] ; then + printf "${existence_error_preamble} '${tks_instance_name}' EXISTS!\n" + existence_errors=`expr ${existence_errors} + 1` +else + tks_configuration_check=`grep -c preop /var/lib/${tks_instance_name}/conf/CS.cfg` + if [ ${tks_configuration_check} -eq 0 ] ; then + printf "${configuration_error_preamble} '${tks_instance_name}' " + printf "${configuration_error_postamble}\n" + configuration_errors=`expr ${configuration_errors} + 1` + fi +fi +if [ ! -f "/var/lib/${ra_instance_name}/conf/CS.cfg" ] ; then + printf "${existence_error_preamble} '${ra_instance_name}' EXISTS!\n" + existence_errors=`expr ${existence_errors} + 1` +else + ra_configuration_check=`grep -c preop /var/lib/${ra_instance_name}/conf/CS.cfg` + if [ ${ra_configuration_check} -eq 0 ] ; then + printf "${configuration_error_preamble} '${ra_instance_name}' " + printf "${configuration_error_postamble}\n" + configuration_errors=`expr ${configuration_errors} + 1` + fi +fi +if [ ! -f "/var/lib/${tps_instance_name}/conf/CS.cfg" ] ; then + printf "${existence_error_preamble} '${tps_instance_name}' EXISTS!\n" + existence_errors=`expr ${existence_errors} + 1` +else + tps_configuration_check=`grep -c preop /var/lib/${tps_instance_name}/conf/CS.cfg` + if [ ${tps_configuration_check} -eq 0 ] ; then + printf "${configuration_error_preamble} '${tps_instance_name}' " + printf "${configuration_error_postamble}\n" + configuration_errors=`expr ${configuration_errors} + 1` + fi +fi + + +if [ ${usage_errors} -ne 0 ] || + [ ${existence_errors} -ne 0 ] || + [ ${configuration_errors} -ne 0 ] ; then + printf "\n" + printf "Please correct ALL errors listed above and re-run\n" + printf "the '$0' script!\n\n" + exit 255 +fi + + +## (3) Make certain that 'pkisilent' exists and is executable on this system. +if [ ! -x "/usr/bin/pkisilent" ] ; then + printf "\n" + printf "ERROR: Please install the 'pki-silent' package and re-run\n" + printf "the '$0' script!\n\n" + exit 255 +fi + + +## (4) Check for old PKI Silent Security Databases, but DO NOT remove them! +## Instead, inform the user and exit this script. +if [ -f "${pki_silent_security_database_repository}/cert8.db" ] || + [ -f "${pki_silent_security_database_repository}/key3.db" ] || + [ -f "${pki_silent_security_database_repository}/secmod.db" ] ; then + printf "\n" + printf "WARNING: At least one of the security databases\n" + printf " (i. e. - 'cert8.db', 'key3.db', and/or 'secmod.db')\n" + printf " required by '${pki_silent_script}' exists at the\n" + printf " specified location '${pki_silent_security_database_repository}'.\n" + printf "\n" + printf " Please MANUALLY move or erase these security database(s),\n" + printf " or specify a different location before re-running this script.\n\n" + exit 255 +fi + + +## (5) Remove ALL old PKI Silent log files +printf "Removing old PKI Silent log files:\n" +if [ -f ${pki_silent_ca_log} ] ; then + printf " Removing old '${pki_silent_ca_log}' . . . " + rm ${pki_silent_ca_log} + printf "done.\n" +fi +if [ -f ${pki_silent_kra_log} ] ; then + printf " Removing old '${pki_silent_kra_log}' . . . " + rm ${pki_silent_kra_log} + printf "done.\n" +fi +if [ -f ${pki_silent_ocsp_log} ] ; then + printf " Removing old '${pki_silent_ocsp_log}' . . . " + rm ${pki_silent_ocsp_log} + printf "done.\n" +fi +if [ -f ${pki_silent_tks_log} ] ; then + printf " Removing old '${pki_silent_tks_log}' . . . " + rm ${pki_silent_tks_log} + printf "done.\n" +fi +if [ -f ${pki_silent_ra_log} ] ; then + printf " Removing old '${pki_silent_ra_log}' . . . " + rm ${pki_silent_ra_log} + printf "done.\n" +fi +if [ -f ${pki_silent_tps_log} ] ; then + printf " Removing old '${pki_silent_tps_log}' . . . " + rm ${pki_silent_tps_log} + printf "done.\n" +fi +printf "Done.\n\n" + + + +############################################################################## +## C A L C U L A T E P K I I N S T A N C E P I N S ## +############################################################################## + +## PKI Subsystem Instance PINS +ca_preop_pin=`cat /var/lib/${ca_instance_name}/conf/CS.cfg \ + | grep preop.pin | grep -v grep | awk -F= '{print $2}'` +kra_preop_pin=`cat /var/lib/${kra_instance_name}/conf/CS.cfg \ + | grep preop.pin | grep -v grep | awk -F= '{print $2}'` +ocsp_preop_pin=`cat /var/lib/${ocsp_instance_name}/conf/CS.cfg \ + | grep preop.pin | grep -v grep | awk -F= '{print $2}'` +tks_preop_pin=`cat /var/lib/${tks_instance_name}/conf/CS.cfg \ + | grep preop.pin | grep -v grep | awk -F= '{print $2}'` +ra_preop_pin=`cat /var/lib/${ra_instance_name}/conf/CS.cfg \ + | grep preop.pin | grep -v grep | awk -F= '{print $2}'` +tps_preop_pin=`cat /var/lib/${tps_instance_name}/conf/CS.cfg \ + | grep preop.pin | grep -v grep | awk -F= '{print $2}'` + + + +############################################################################## +## C E R T I F I C A T E A U T H O R I T Y ## +############################################################################## +## +## For example, upon completion, +## execute '/sbin/service ${ca_instance_name} status': +## +## ${ca_instance_name} (pid 7843) is running ... +## +## Unsecure Port = http://${pki_host}:9180/ca/ee/ca +## Secure Agent Port = https://${pki_host}:9443/ca/agent/ca +## Secure EE Port = https://${pki_host}:9444/ca/ee/ca +## Secure Admin Port = https://${pki_host}:9445/ca/services +## PKI Console Port = pkiconsole https://${pki_host}:9445/ca +## Tomcat Port = 9701 (for shutdown) +## +## +## Security Domain URL: +## ================================================================== +## https://${pki_host}:9445 +## ================================================================== +## + +## Configure CA +printf "'${pki_silent_script}': Configuring '${ca_instance_name}' . . .\n" +pkisilent ConfigureCA \ + -cs_hostname "${pki_host}" \ + -cs_port ${ca_admin_port} \ + -client_certdb_dir ${pki_silent_security_database_repository} \ + -client_certdb_pwd ${pki_silent_security_database_password} \ + -preop_pin ${ca_preop_pin} \ + -domain_name "${pki_security_domain_name}" \ + -admin_user ${pki_silent_admin_user} \ + -admin_password ${pki_silent_admin_password} \ + -admin_email "${pki_silent_admin_email}" \ + -agent_name ${ca_agent_name} \ + -agent_key_size ${ca_agent_key_size} \ + -agent_key_type ${ca_agent_key_type} \ + -agent_cert_subject "${ca_agent_cert_subject}" \ + -ldap_host ${pki_ldap_host} \ + -ldap_port ${pki_ldap_port} \ + -bind_dn "${pki_bind_dn}" \ + -bind_password ${pki_bind_password} \ + -base_dn "${ca_base_dn}" \ + -db_name "${ca_db_name}" \ + -key_size ${ca_key_size} \ + -key_type ${ca_key_type} \ + -save_p12 ${ca_save_p12} \ + -subsystem_name ${ca_subsystem_name} \ + -token_name ${ca_token_name} \ + -token_pwd ${ca_token_password} \ + -ca_sign_cert_subject_name "${ca_sign_cert_subject_name}" \ + -ca_subsystem_cert_subject_name "${ca_subsystem_cert_subject_name}" \ + -ca_ocsp_cert_subject_name "${ca_ocsp_cert_subject_name}" \ + -ca_server_cert_subject_name "${ca_server_cert_subject_name}" \ + -ca_audit_signing_cert_subject_name \ + "${ca_audit_signing_cert_subject_name}" \ + | tee ${pki_silent_ca_log} + +## Restart CA +/sbin/service ${ca_instance_name} restart + + + +############################################################################## +## D A T A R E C O V E R Y M A N A G E R ## +############################################################################## +## +## For example, upon completion, +## execute '/sbin/service ${kra_instance_name} status': +## +## ${kra_instance_name} (pid 11723) is running ... +## +## Unsecure Port = http://${pki_host}:10180/kra/ee/kra +## Secure Agent Port = https://${pki_host}:10443/kra/agent/kra +## Secure EE Port = https://${pki_host}:10444/kra/ee/kra +## Secure Admin Port = https://${pki_host}:10445/kra/services +## PKI Console Port = pkiconsole https://${pki_host}:10445/kra +## Tomcat Port = 10701 (for shutdown) +## + +## Configure DRM +printf "'${pki_silent_script}': Configuring '${kra_instance_name}' . . .\n" +pkisilent ConfigureDRM \ + -cs_hostname "${pki_host}" \ + -cs_port ${kra_admin_port} \ + -sd_hostname "${pki_security_domain_host}" \ + -sd_ssl_port ${ca_ee_port} \ + -sd_agent_port ${ca_agent_port} \ + -sd_admin_port ${ca_admin_port} \ + -sd_admin_name "${pki_security_domain_admin_name}" \ + -sd_admin_password ${pki_security_domain_admin_password} \ + -ca_hostname ${pki_security_domain_host} \ + -ca_port ${ca_nonssl_port} \ + -ca_ssl_port ${ca_ee_port} \ + -client_certdb_dir ${pki_silent_security_database_repository} \ + -client_certdb_pwd ${pki_silent_security_database_password} \ + -preop_pin ${kra_preop_pin} \ + -domain_name "${pki_security_domain_name}" \ + -admin_user ${pki_silent_admin_user} \ + -admin_password ${pki_silent_admin_password} \ + -admin_email "${pki_silent_admin_email}" \ + -agent_name ${kra_agent_name} \ + -ldap_host ${pki_ldap_host} \ + -ldap_port ${pki_ldap_port} \ + -bind_dn "${pki_bind_dn}" \ + -bind_password ${pki_bind_password} \ + -base_dn "${kra_base_dn}" \ + -db_name "${kra_db_name}" \ + -key_size ${kra_key_size} \ + -key_type ${kra_key_type} \ + -token_name ${kra_token_name} \ + -token_pwd ${kra_token_password} \ + -agent_key_size ${kra_agent_key_size} \ + -agent_key_type ${kra_agent_key_type} \ + -agent_cert_subject "${kra_agent_cert_subject}" \ + -subsystem_name ${kra_subsystem_name} \ + -drm_transport_cert_subject_name "${kra_transport_cert_subject_name}" \ + -drm_subsystem_cert_subject_name "${kra_subsystem_cert_subject_name}" \ + -drm_storage_cert_subject_name "${kra_storage_cert_subject_name}" \ + -drm_server_cert_subject_name "${kra_server_cert_subject_name}" \ + -drm_audit_signing_cert_subject_name \ + "${kra_audit_signing_cert_subject_name}" \ + | tee ${pki_silent_kra_log} + +## Restart drm +/sbin/service ${kra_instance_name} restart + + + +############################################################################## +## O N L I N E S T A T U S C E R T I F I C A T E P R O T O C O L ## +############################################################################## +## +## For example, upon completion, +## execute '/sbin/service ${ocsp_instance_name} status': +## +## ${ocsp_instance_name} (pid 13058) is running ... +## +## Unsecure Port = http://${pki_host}:11180/ocsp/ee/ocsp +## Secure Agent Port = https://${pki_host}:11443/ocsp/agent/ocsp +## Secure EE Port = https://${pki_host}:11444/ocsp/ee/ocsp +## Secure Admin Port = https://${pki_host}:11445/ocsp/services +## PKI Console Port = pkiconsole https://${pki_host}:11445/ocsp +## Tomcat Port = 11701 (for shutdown) +## + +## Configure OCSP +printf "'${pki_silent_script}': Configuring '${ocsp_instance_name}' . . .\n" +pkisilent ConfigureOCSP \ + -cs_hostname "${pki_host}" \ + -cs_port ${ocsp_admin_port} \ + -sd_hostname "${pki_security_domain_host}" \ + -sd_ssl_port ${ca_ee_port} \ + -sd_agent_port ${ca_agent_port} \ + -sd_admin_port ${ca_admin_port} \ + -sd_admin_name "${pki_security_domain_admin_name}" \ + -sd_admin_password ${pki_security_domain_admin_password} \ + -ca_hostname ${pki_security_domain_host} \ + -ca_port ${ca_nonssl_port} \ + -ca_ssl_port ${ca_ee_port} \ + -client_certdb_dir ${pki_silent_security_database_repository} \ + -client_certdb_pwd ${pki_silent_security_database_password} \ + -preop_pin ${ocsp_preop_pin} \ + -domain_name "${pki_security_domain_name}" \ + -admin_user ${pki_silent_admin_user} \ + -admin_password ${pki_silent_admin_password} \ + -admin_email "${pki_silent_admin_email}" \ + -agent_name ${ocsp_agent_name} \ + -ldap_host ${pki_ldap_host} \ + -ldap_port ${pki_ldap_port} \ + -bind_dn "${pki_bind_dn}" \ + -bind_password ${pki_bind_password} \ + -base_dn "${ocsp_base_dn}" \ + -db_name "${ocsp_db_name}" \ + -key_size ${ocsp_key_size} \ + -key_type ${ocsp_key_type} \ + -token_name ${ocsp_token_name} \ + -token_pwd ${ocsp_token_password} \ + -agent_key_size ${ocsp_agent_key_size} \ + -agent_key_type ${ocsp_agent_key_type} \ + -agent_cert_subject "${ocsp_agent_cert_subject}" \ + -subsystem_name ${ocsp_subsystem_name} \ + -backup_pwd ${ocsp_backup_password} \ + -ocsp_sign_cert_subject_name "${ocsp_sign_cert_subject_name}" \ + -ocsp_subsystem_cert_subject_name "${ocsp_subsystem_cert_subject_name}" \ + -ocsp_server_cert_subject_name "${ocsp_server_cert_subject_name}" \ + -ocsp_audit_signing_cert_subject_name \ + "${ocsp_audit_signing_cert_subject_name}" \ + | tee ${pki_silent_ocsp_log} + +## Restart OCSP +/sbin/service ${ocsp_instance_name} restart + + + +############################################################################## +## T O K E N K E Y S E R V I C E ## +############################################################################## +## +## For example, upon completion, +## execute '/sbin/service ${tks_instance_name} status': +## +## ${tks_instance_name} (pid 14129) is running ... +## +## Unsecure Port = http://${pki_host}:13180/tks/ee/tks +## Secure Agent Port = https://${pki_host}:13443/tks/agent/tks +## Secure EE Port = https://${pki_host}:13444/tks/ee/tks +## Secure Admin Port = https://${pki_host}:13445/tks/services +## PKI Console Port = pkiconsole https://${pki_host}:13445/tks +## Tomcat Port = 13701 (for shutdown) +## + +## Configure TKS +printf "'${pki_silent_script}': Configuring '${tks_instance_name}' . . .\n" +pkisilent ConfigureTKS \ + -cs_hostname "${pki_host}" \ + -cs_port ${tks_admin_port} \ + -sd_hostname "${pki_security_domain_host}" \ + -sd_ssl_port ${ca_ee_port} \ + -sd_agent_port ${ca_agent_port} \ + -sd_admin_port ${ca_admin_port} \ + -sd_admin_name "${pki_security_domain_admin_name}" \ + -sd_admin_password ${pki_security_domain_admin_password} \ + -ca_hostname ${pki_security_domain_host} \ + -ca_port ${ca_nonssl_port} \ + -ca_ssl_port ${ca_ee_port} \ + -client_certdb_dir ${pki_silent_security_database_repository} \ + -client_certdb_pwd ${pki_silent_security_database_password} \ + -preop_pin ${tks_preop_pin} \ + -domain_name "${pki_security_domain_name}" \ + -admin_user ${pki_silent_admin_user} \ + -admin_password ${pki_silent_admin_password} \ + -admin_email "${pki_silent_admin_email}" \ + -agent_name ${tks_agent_name} \ + -ldap_host ${pki_ldap_host} \ + -ldap_port ${pki_ldap_port} \ + -bind_dn "${pki_bind_dn}" \ + -bind_password ${pki_bind_password} \ + -base_dn "${tks_base_dn}" \ + -db_name "${tks_db_name}" \ + -key_size ${tks_key_size} \ + -key_type ${tks_key_type} \ + -token_name ${tks_token_name} \ + -token_pwd ${tks_token_password} \ + -agent_key_size ${tks_agent_key_size} \ + -agent_key_type ${tks_agent_key_type} \ + -agent_cert_subject "${tks_agent_cert_subject}" \ + -subsystem_name ${tks_subsystem_name} \ + -backup_pwd ${tks_backup_password} \ + -tks_subsystem_cert_subject_name "${tks_subsystem_cert_subject_name}" \ + -tks_server_cert_subject_name "${tks_server_cert_subject_name}" \ + -tks_audit_signing_cert_subject_name \ + "${tks_audit_signing_cert_subject_name}" \ + | tee ${pki_silent_tks_log} + +## restart tks +/sbin/service ${tks_instance_name} restart + + + +############################################################################## +## R E G I S T R A T I O N A U T H O R I T Y ## +############################################################################## +## +## For example, upon completion, +## execute '/sbin/service ${ra_instance_name} status': +## +## ${ra_instance_name} (pid 15769) is running ... +## +## Unsecure Port = http://${pki_host}:12888 +## Secure Clientauth Port = https://${pki_host}:12889 +## Secure Non-Clientauth Port = https://${pki_host}:12890 +## + +## Configure RA +printf "'${pki_silent_script}': Configuring '${ra_instance_name}' . . .\n" +pkisilent ConfigureRA \ + -cs_hostname "${pki_host}" \ + -cs_port ${ra_nonclientauth_port} \ + -cs_clientauth_port ${ra_clientauth_port} \ + -sd_hostname "${pki_security_domain_host}" \ + -sd_ssl_port ${ca_ee_port} \ + -sd_agent_port ${ca_agent_port} \ + -sd_admin_port ${ca_admin_port} \ + -sd_admin_name "${pki_security_domain_admin_name}" \ + -sd_admin_password ${pki_security_domain_admin_password} \ + -ca_hostname ${ra_chosen_ca_hostname} \ + -ca_port ${ra_chosen_ca_nonssl_port} \ + -ca_ssl_port ${ra_chosen_ca_ssl_port} \ + -ca_admin_port ${ra_chosen_ca_admin_port} \ + -client_certdb_dir ${pki_silent_security_database_repository} \ + -client_certdb_pwd ${pki_silent_security_database_password} \ + -preop_pin ${ra_preop_pin} \ + -domain_name "${pki_security_domain_name}" \ + -admin_user ${pki_silent_admin_user} \ + -admin_password ${pki_silent_admin_password} \ + -admin_email "${pki_silent_admin_email}" \ + -agent_name ${ra_agent_name} \ + -key_size ${ra_key_size} \ + -key_type ${ra_key_type} \ + -token_name ${ra_token_name} \ + -token_pwd ${ra_token_password} \ + -agent_key_size ${ra_agent_key_size} \ + -agent_key_type ${ra_agent_key_type} \ + -agent_cert_subject "${ra_agent_cert_subject}" \ + -subsystem_name ${ra_subsystem_name} \ + -ra_subsystem_cert_subject_name "${ra_subsystem_cert_subject_name}" \ + -ra_server_cert_subject_name "${ra_server_cert_subject_name}" \ + | tee ${pki_silent_ra_log} + +## Restart RA +/sbin/service ${ra_instance_name} restart + + +############################################################################## +## T O K E N P R O C E S S I N G S Y S T E M ## +############################################################################## +## +## For example, upon completion, +## execute '/sbin/service ${tps_instance_name} status': +## +## +## ${tps_instance_name} (pid 16241) is running ... +## +## Unsecure Port = http://${pki_host}:7888/cgi-bin/so/enroll.cgi +## (ESC Security Officer Enrollment) +## Unsecure Port = http://${pki_host}:7888/cgi-bin/home/index.cgi +## (ESC Phone Home) +## Secure Clientauth Port = https://${pki_host}:7889/cgi-bin/sow/welcome.cgi +## (ESC Security Officer Workstation) +## Secure Clientauth Port = https://${pki_host}:7889/tus +## (TPS Roles - Operator/Administrator/Agent) +## Secure Non-Clientauth Port = https://${pki_host}:7890/cgi-bin/so/enroll.cgi +## (ESC Security Officer Enrollment) +## Secure Non-Clientauth Port = https://${pki_host}:7890/cgi-bin/home/index.cgi +## (ESC Phone Home) +## + +## Configure TPS +printf "'${pki_silent_script}': Configuring '${tps_instance_name}' . . .\n" +pkisilent ConfigureTPS \ + -cs_hostname "${pki_host}" \ + -cs_port ${tps_nonclientauth_port} \ + -cs_clientauth_port ${tps_clientauth_port} \ + -sd_hostname "${pki_security_domain_host}" \ + -sd_ssl_port ${ca_ee_port} \ + -sd_agent_port ${ca_agent_port} \ + -sd_admin_port ${ca_admin_port} \ + -sd_admin_name "${pki_security_domain_admin_name}" \ + -sd_admin_password ${pki_security_domain_admin_password} \ + -ca_hostname ${tps_chosen_ca_hostname} \ + -ca_port ${tps_chosen_ca_nonssl_port} \ + -ca_ssl_port ${tps_chosen_ca_ssl_port} \ + -ca_admin_port ${tps_chosen_ca_admin_port} \ + -drm_hostname ${tps_chosen_drm_hostname} \ + -drm_ssl_port ${tps_chosen_drm_ssl_port} \ + -ss_keygen ${tps_ss_keygen} \ + -tks_hostname ${tps_chosen_tks_hostname} \ + -tks_ssl_port ${tps_chosen_tks_ssl_port} \ + -client_certdb_dir ${pki_silent_security_database_repository} \ + -client_certdb_pwd ${pki_silent_security_database_password} \ + -preop_pin ${tps_preop_pin} \ + -domain_name "${pki_security_domain_name}" \ + -admin_user ${pki_silent_admin_user} \ + -admin_password ${pki_silent_admin_password} \ + -admin_email "${pki_silent_admin_email}" \ + -agent_name ${tps_agent_name} \ + -ldap_host ${pki_ldap_host} \ + -ldap_port ${pki_ldap_port} \ + -bind_dn "${pki_bind_dn}" \ + -bind_password ${pki_bind_password} \ + -base_dn "${tps_base_dn}" \ + -db_name "${tps_db_name}" \ + -key_size ${tps_key_size} \ + -key_type ${tps_key_type} \ + -token_name ${tps_token_name} \ + -token_pwd ${tps_token_password} \ + -agent_key_size ${tps_agent_key_size} \ + -agent_key_type ${tps_agent_key_type} \ + -agent_cert_subject "${tps_agent_cert_subject}" \ + -subsystem_name ${tps_subsystem_name} \ + -ldap_auth_host ${tps_ldap_auth_host} \ + -ldap_auth_port ${tps_ldap_auth_port} \ + -ldap_auth_base_dn ${tps_ldap_auth_base_dn} \ + -tps_subsystem_cert_subject_name "${tps_subsystem_cert_subject_name}" \ + -tps_server_cert_subject_name "${tps_server_cert_subject_name}" \ + -tps_audit_signing_cert_subject_name \ + "${tps_audit_signing_cert_subject_name}" \ + | tee ${pki_silent_tps_log} + +## Restart TPS +/sbin/service ${tps_instance_name} restart + +exit 0 + diff --git a/pki/dogtag/silent/pki-silent.spec b/pki/dogtag/silent/pki-silent.spec index 982834245..14ee380b7 100644 --- a/pki/dogtag/silent/pki-silent.spec +++ b/pki/dogtag/silent/pki-silent.spec @@ -33,7 +33,7 @@ ## Package Header Definitions %define base_name %{base_prefix}-%{base_component} %define base_version 1.1.0 -%define base_release 3 +%define base_release 4 %define base_group System Environment/Shells %define base_vendor Red Hat, Inc. %define base_license GPLv2 with exceptions @@ -234,6 +234,12 @@ rm -rf ${RPM_BUILD_ROOT} ############################################################################### %changelog +* Sat May 16 2009 Matthew Harmsen <mharmsen@redhat.com> 1.1.0-4 +- Bugzilla Bug #491517 - pkisilent Configure RA and TPS fail + (port separation changes only) +- Bugzilla Bug #495676 - pkisilent ConfigureCA failure on AdminCertImportPanel +- Bugzilla Bug #500748 - pki-silent : issues due to port separation changes + (only addressed CA, KRA, OCSP, and TKS) * Tue May 5 2009 Matthew Harmsen <mharmsen@redhat.com> 1.1.0-3 - Bugzilla Bug #492735 - Configuration wizard stores certain incorrect port values within TPS "CS.cfg" . . . |