author | jdennis <jdennis@c9f7a03b-bd48-0410-a16d-cbbf54688b0b> | 2010-11-19 21:01:57 +0000 |
---|---|---|
committer | jdennis <jdennis@c9f7a03b-bd48-0410-a16d-cbbf54688b0b> | 2010-11-19 21:01:57 +0000 |
commit | 7ff1a2d86491e3ae8bc653e2ab2cc261d10fda36 (patch) | |
tree | e8e8193351dba480d76df0b6273f0158a7772da6 | |
parent | 2ab4b4058a240143e513db050bbf4170e9115ef1 (diff) | |
Undo the pre_merge_adjustment
git-svn-id: svn+ssh://svn.fedorahosted.org/svn/pki/trunk@1576 c9f7a03b-bd48-0410-a16d-cbbf54688b0b
-rw-r--r-- | pki/base/ca/shared/conf/server.xml | 33 | ||||
-rw-r--r-- | pki/base/kra/shared/conf/server.xml | 33 | ||||
-rw-r--r-- | pki/base/ocsp/shared/conf/server.xml | 33 | ||||
-rwxr-xr-x | pki/base/setup/pkicreate | 22 | ||||
-rw-r--r-- | pki/base/tks/shared/conf/server.xml | 33 | ||||
-rw-r--r-- | pki/base/tps/doc/CS.cfg | 4 |
6 files changed, 141 insertions, 17 deletions
diff --git a/pki/base/ca/shared/conf/server.xml b/pki/base/ca/shared/conf/server.xml
index 6642a58fc..83eaf775e 100644
--- a/pki/base/ca/shared/conf/server.xml
+++ b/pki/base/ca/shared/conf/server.xml
@@ -92,12 +92,43 @@ Tomcat Port = [TOMCAT_SERVER_PORT] (for shutdown) <!-- Define a SSL HTTP/1.1 Connector on port 8443 --> [PKI_SECURE_PORT_SERVER_COMMENT] - <!-- DO NOT REMOVE - Begin define PKI secure port --> + <!-- DO NOT REMOVE - Begin define PKI secure port + NOTE: The OCSP settings take effect globally, so it should only be set once. + + In setup where SSL clientAuth="true", OCSP can be turned on by + setting enableOCSP to true like the following: + enableOCSP="true" + along with changes to related settings, especially: + ocspResponderURL=<see example in connector definition below> + ocspResponderCertNickname=<see example in connector definition below> + Here are the definition to all the OCSP-related settings: + enableOCSP - turns on/off the ocsp check + ocspResponderURL - sets the url where the ocsp requests are sent + ocspResponderCertNickname - sets the nickname of the cert that is + either CA's signing certificate or the OCSP server's signing + certificate. + The CA's signing certificate should already be in the db, in + case of the same security domain. + In case of an ocsp signing certificate, one must import the cert + into the subsystem's nss db and set trust. e.g.: + certutil -d . 
-A -n "ocspSigningCert cert-pki-ca" -t "C,," -a -i ocspCert.b64 + ocspCacheSize - sets max cache entries + ocspMinCacheEntryDuration - sets minimum seconds to next fetch attempt + ocspMaxCacheEntryDuration - sets maximum seconds to next fetch attempt + ocspTimeout -sets OCSP timeout in seconds + --> <Connector name="[PKI_SECURE_PORT_CONNECTOR_NAME]" port="[PKI_SECURE_PORT]" protocol="HTTP/1.1" SSLEnabled="true" sslProtocol="SSL" scheme="https" secure="true" maxHttpHeaderSize="8192" acceptCount="100" maxThreads="150" minSpareThreads="25" maxSpareThreads="75" enableLookups="false" connectionTimeout="20000" disableUploadTimeout="true" SSLImplementation="org.apache.tomcat.util.net.jss.JSSImplementation" + enableOCSP="false" + ocspResponderURL="http://[PKI_MACHINE_NAME]:9080/ca/ocsp" + ocspResponderCertNickname="ocspSigningCert cert-pki-ca" + ocspCacheSize="1000" + ocspMinCacheEntryDuration="60" + ocspMaxCacheEntryDuration="120" + ocspTimeout="10" clientAuth="[PKI_AGENT_CLIENTAUTH]" sslOptions="[TOMCAT_SSL_OPTIONS]" ssl2Ciphers="[TOMCAT_SSL2_CIPHERS]" diff --git a/pki/base/kra/shared/conf/server.xml b/pki/base/kra/shared/conf/server.xml index 9a24cfa44..e26d09dc3 100644 --- a/pki/base/kra/shared/conf/server.xml +++ b/pki/base/kra/shared/conf/server.xml 
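Review bot: The new `ocspResponderURL="http://[PKI_MACHINE_NAME]:9080/ca/ocsp"` and `ocspResponderCertNickname="ocspSigningCert cert-pki-ca"` defaults are hard-coded to the default CA instance name and unsecure port, while every other address on this connector comes from a slot such as `[PKI_SECURE_PORT]` or `[PKI_AGENT_CLIENTAUTH]`; a deployment whose CA is not `pki-ca` or does not listen on 9080 gets an unreachable responder or a non-existent nickname the moment an administrator sets `enableOCSP="true"`, and whether that fails closed (every agent login rejected) or open (revocation unchecked) depends on how JSSImplementation treats the error, which the comment does not say. Consider substituting both values from slots (placeholder names to be chosen by the maintainer) or adding to the comment `NOTE: ocspResponderURL and ocspResponderCertNickname must be adjusted to the local CA before enableOCSP is turned on`, plus a sentence stating the fail-open/fail-closed behaviour. The same hunk is repeated verbatim in the KRA, OCSP and TKS server.xml templates, so whichever wording is chosen should land in all four. Minor: `ocspTimeout -sets` is missing the space before `sets`, and "Here are the definition to all" should read "Here are the definitions of all".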
@@ -91,12 +91,43 @@ Tomcat Port = [TOMCAT_SERVER_PORT] (for shutdown) <!-- Define a SSL HTTP/1.1 Connector on port 8443 --> [PKI_SECURE_PORT_SERVER_COMMENT] - <!-- DO NOT REMOVE - Begin define PKI secure port --> + <!-- DO NOT REMOVE - Begin define PKI secure port + NOTE: The OCSP settings take effect globally, so it should only be set once. + + In setup where SSL clientAuth="true", OCSP can be turned on by + setting enableOCSP to true like the following: + enableOCSP="true" + along with changes to related settings, especially: + ocspResponderURL=<see example in connector definition below> + ocspResponderCertNickname=<see example in connector definition below> + Here are the definition to all the OCSP-related settings: + enableOCSP - turns on/off the ocsp check + ocspResponderURL - sets the url where the ocsp requests are sent + ocspResponderCertNickname - sets the nickname of the cert that is + either CA's signing certificate or the OCSP server's signing + certificate. + The CA's signing certificate should already be in the db, in + case of the same security domain. + In case of an ocsp signing certificate, one must import the cert + into the subsystem's nss db and set trust. e.g.: + certutil -d . 
-A -n "ocspSigningCert cert-pki-ca" -t "C,," -a -i ocspCert.b64 + ocspCacheSize - sets max cache entries + ocspMinCacheEntryDuration - sets minimum seconds to next fetch attempt + ocspMaxCacheEntryDuration - sets maximum seconds to next fetch attempt + ocspTimeout -sets OCSP timeout in seconds + --> <Connector name="[PKI_SECURE_PORT_CONNECTOR_NAME]" port="[PKI_SECURE_PORT]" protocol="HTTP/1.1" SSLEnabled="true" sslProtocol="SSL" scheme="https" secure="true" maxHttpHeaderSize="8192" acceptCount="100" maxThreads="150" minSpareThreads="25" maxSpareThreads="75" enableLookups="false" connectionTimeout="20000" disableUploadTimeout="true" SSLImplementation="org.apache.tomcat.util.net.jss.JSSImplementation" + enableOCSP="false" + ocspResponderURL="http://[PKI_MACHINE_NAME]:9080/ca/ocsp" + ocspResponderCertNickname="ocspSigningCert cert-pki-ca" + ocspCacheSize="1000" + ocspMinCacheEntryDuration="60" + ocspMaxCacheEntryDuration="120" + ocspTimeout="10" clientAuth="[PKI_AGENT_CLIENTAUTH]" sslOptions="[TOMCAT_SSL_OPTIONS]" ssl2Ciphers="[TOMCAT_SSL2_CIPHERS]" diff --git a/pki/base/ocsp/shared/conf/server.xml b/pki/base/ocsp/shared/conf/server.xml index 9a24cfa44..e26d09dc3 100644 --- a/pki/base/ocsp/shared/conf/server.xml +++ b/pki/base/ocsp/shared/conf/server.xml 
@@ -91,12 +91,43 @@ Tomcat Port = [TOMCAT_SERVER_PORT] (for shutdown) <!-- Define a SSL HTTP/1.1 Connector on port 8443 --> [PKI_SECURE_PORT_SERVER_COMMENT] - <!-- DO NOT REMOVE - Begin define PKI secure port --> + <!-- DO NOT REMOVE - Begin define PKI secure port + NOTE: The OCSP settings take effect globally, so it should only be set once. + + In setup where SSL clientAuth="true", OCSP can be turned on by + setting enableOCSP to true like the following: + enableOCSP="true" + along with changes to related settings, especially: + ocspResponderURL=<see example in connector definition below> + ocspResponderCertNickname=<see example in connector definition below> + Here are the definition to all the OCSP-related settings: + enableOCSP - turns on/off the ocsp check + ocspResponderURL - sets the url where the ocsp requests are sent + ocspResponderCertNickname - sets the nickname of the cert that is + either CA's signing certificate or the OCSP server's signing + certificate. + The CA's signing certificate should already be in the db, in + case of the same security domain. + In case of an ocsp signing certificate, one must import the cert + into the subsystem's nss db and set trust. e.g.: + certutil -d . 
-A -n "ocspSigningCert cert-pki-ca" -t "C,," -a -i ocspCert.b64 + ocspCacheSize - sets max cache entries + ocspMinCacheEntryDuration - sets minimum seconds to next fetch attempt + ocspMaxCacheEntryDuration - sets maximum seconds to next fetch attempt + ocspTimeout -sets OCSP timeout in seconds + --> <Connector name="[PKI_SECURE_PORT_CONNECTOR_NAME]" port="[PKI_SECURE_PORT]" protocol="HTTP/1.1" SSLEnabled="true" sslProtocol="SSL" scheme="https" secure="true" maxHttpHeaderSize="8192" acceptCount="100" maxThreads="150" minSpareThreads="25" maxSpareThreads="75" enableLookups="false" connectionTimeout="20000" disableUploadTimeout="true" SSLImplementation="org.apache.tomcat.util.net.jss.JSSImplementation" + enableOCSP="false" + ocspResponderURL="http://[PKI_MACHINE_NAME]:9080/ca/ocsp" + ocspResponderCertNickname="ocspSigningCert cert-pki-ca" + ocspCacheSize="1000" + ocspMinCacheEntryDuration="60" + ocspMaxCacheEntryDuration="120" + ocspTimeout="10" clientAuth="[PKI_AGENT_CLIENTAUTH]" sslOptions="[TOMCAT_SSL_OPTIONS]" ssl2Ciphers="[TOMCAT_SSL2_CIPHERS]" diff --git a/pki/base/setup/pkicreate b/pki/base/setup/pkicreate index aeb7a311e..f8ba09f89 100755 --- a/pki/base/setup/pkicreate +++ b/pki/base/setup/pkicreate @@ -193,7 +193,7 @@ my $xerces_jar_base_name = "xerces-j2.jar"; # CA, KRA, OCSP, TKS my $catalina_properties_base_name = "catalina.properties"; # CA, KRA, OCSP, TKS my $httpd_conf_base_name = "httpd.conf"; # RA, TPS -my $index_html_base_name = "index.html"; # CA, KRA, OCSP, TKS +my $index_jsp_base_name = "index.jsp"; # CA, KRA, OCSP, TKS my $logs_base_name = "logs"; # CA, KRA, OCSP, TKS, # RA, TPS my $magic_base_name = "magic"; # RA, TPS 
@@ -478,8 +478,8 @@ my $velocity_jar_file_path = undef; # CA, KRA, OCSP, TKS my $velocity_jar_symlink_path = undef; # CA, KRA, OCSP, TKS my $httpd_conf_instance_file_path = undef; # RA, TPS my $httpd_conf_subsystem_file_path = undef; # RA, TPS -my $index_html_instance_file_path = undef; # CA, KRA, OCSP, TKS -my $index_html_subsystem_file_path = undef; # CA, KRA, OCSP, TKS +my $index_jsp_instance_file_path = undef; # CA, KRA, OCSP, TKS +my $index_jsp_subsystem_file_path = undef; # CA, KRA, OCSP, TKS my $java_pki_flavor_jar_path = undef; # CA, KRA, OCSP, TKS my $magic_instance_file_path = undef; # RA, TPS my $magic_subsystem_file_path = undef; # RA, TPS @@ -1707,10 +1707,10 @@ sub initialize_subdirectory_paths . "/" . $cmscore_jar_base_name; $cmscore_jar_symlink_path = $webinf_lib_instance_path . "/" . $cmscore_jar_base_name; - $index_html_instance_file_path = $webapps_root_instance_path - . "/" . $index_html_base_name; - $index_html_subsystem_file_path = $webapps_root_subsystem_path - . "/" . $index_html_base_name; + $index_jsp_instance_file_path = $webapps_root_instance_path + . "/" . $index_jsp_base_name; + $index_jsp_subsystem_file_path = $webapps_root_subsystem_path + . "/" . $index_jsp_base_name; $osutil_jar_file_path = $default_system_jni_java_path . "/" . $osutil_jar_base_name; $osutil_jar_symlink_path = $webinf_lib_instance_path @@ -2518,10 +2518,10 @@ LoadModule nss_module /opt/fortitude/modules.local/libmodnss.so } else { ## Process templates (CA, KRA, OCSP, TKS instances) - # process "index.html" template - return 0 if !process_file_template("index_html", - $index_html_subsystem_file_path, - $index_html_instance_file_path, + # process "index.jsp" template + return 0 if !process_file_template("index_jsp", + $index_jsp_subsystem_file_path, + $index_jsp_instance_file_path, \%slot_hash); # process "server.xml" template diff --git a/pki/base/tks/shared/conf/server.xml b/pki/base/tks/shared/conf/server.xml index 9a24cfa44..e26d09dc3 100644 
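Review bot: Switching `process_file_template` from the `index.html` to the `index.jsp` template does not remove an `index.html` already generated into `$webapps_root_instance_path` by the earlier template, so on a re-run against an existing instance both files can sit in the webapps root and which one Tomcat serves as the welcome page depends on its welcome-file order (inferred; the rest of `pkicreate` is outside the hunk). If only fresh instances are in scope, a comment above the call, `# instances created with the old template keep their index.html; not cleaned up here`, makes that explicit; otherwise an unlink of the stale file belongs beside the template call. The `index.jsp` template itself is not part of this diff, so `$index_jsp_subsystem_file_path` must already exist in the subsystem tree for the call to succeed. The enclosing `else` block and `sub initialize_subdirectory_paths` both begin and end outside these hunks.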
--- a/pki/base/tks/shared/conf/server.xml
+++ b/pki/base/tks/shared/conf/server.xml
@@ -91,12 +91,43 @@ Tomcat Port = [TOMCAT_SERVER_PORT] (for shutdown) <!-- Define a SSL HTTP/1.1 Connector on port 8443 --> [PKI_SECURE_PORT_SERVER_COMMENT] - <!-- DO NOT REMOVE - Begin define PKI secure port --> + <!-- DO NOT REMOVE - Begin define PKI secure port + NOTE: The OCSP settings take effect globally, so it should only be set once. + + In setup where SSL clientAuth="true", OCSP can be turned on by + setting enableOCSP to true like the following: + enableOCSP="true" + along with changes to related settings, especially: + ocspResponderURL=<see example in connector definition below> + ocspResponderCertNickname=<see example in connector definition below> + Here are the definition to all the OCSP-related settings: + enableOCSP - turns on/off the ocsp check + ocspResponderURL - sets the url where the ocsp requests are sent + ocspResponderCertNickname - sets the nickname of the cert that is + either CA's signing certificate or the OCSP server's signing + certificate. + The CA's signing certificate should already be in the db, in + case of the same security domain. + In case of an ocsp signing certificate, one must import the cert + into the subsystem's nss db and set trust. e.g.: + certutil -d . 
-A -n "ocspSigningCert cert-pki-ca" -t "C,," -a -i ocspCert.b64 + ocspCacheSize - sets max cache entries + ocspMinCacheEntryDuration - sets minimum seconds to next fetch attempt + ocspMaxCacheEntryDuration - sets maximum seconds to next fetch attempt + ocspTimeout -sets OCSP timeout in seconds + --> <Connector name="[PKI_SECURE_PORT_CONNECTOR_NAME]" port="[PKI_SECURE_PORT]" protocol="HTTP/1.1" SSLEnabled="true" sslProtocol="SSL" scheme="https" secure="true" maxHttpHeaderSize="8192" acceptCount="100" maxThreads="150" minSpareThreads="25" maxSpareThreads="75" enableLookups="false" connectionTimeout="20000" disableUploadTimeout="true" SSLImplementation="org.apache.tomcat.util.net.jss.JSSImplementation" + enableOCSP="false" + ocspResponderURL="http://[PKI_MACHINE_NAME]:9080/ca/ocsp" + ocspResponderCertNickname="ocspSigningCert cert-pki-ca" + ocspCacheSize="1000" + ocspMinCacheEntryDuration="60" + ocspMaxCacheEntryDuration="120" + ocspTimeout="10" clientAuth="[PKI_AGENT_CLIENTAUTH]" sslOptions="[TOMCAT_SSL_OPTIONS]" ssl2Ciphers="[TOMCAT_SSL2_CIPHERS]" diff --git a/pki/base/tps/doc/CS.cfg b/pki/base/tps/doc/CS.cfg index 32a88010d..d3edc908f 100644 --- a/pki/base/tps/doc/CS.cfg +++ b/pki/base/tps/doc/CS.cfg 
@@ -112,8 +112,8 @@ logging.audit.signedAuditFilename=[SERVER_ROOT]/logs/signedAudit/tps_audit logging.audit.level=10 logging.audit.logSigning=false logging.audit.signedAuditCertNickname=auditSigningCert cert-[PKI_INSTANCE_ID] -logging.audit.selected.events=AUTHZ_SUCCESS,AUTHZ_FAIL,AUTH_FAIL,AUTH_SUCCESS,ROLE_ASSUME,ENROLLMENT,PIN_RESET,FORMAT,CONFIG,CONFIG_ROLE,CONFIG_TOKEN,CONFIG_PROFILE,CONFIG_AUDIT,APPLET_UPGRADE,KEY_CHANGEOVER,RENEWAL -logging.audit.selectable.events=AUTHZ_SUCCESS,AUTHZ_FAIL,AUTH_FAIL,AUTH_SUCCESS,ROLE_ASSUME,ENROLLMENT,PIN_RESET,FORMAT,CONFIG,CONFIG_ROLE,CONFIG_TOKEN,CONFIG_PROFILE,CONFIG_AUDIT,APPLET_UPGRADE,KEY_CHANGEOVER,RENEWAL +logging.audit.selected.events=AUTHZ_SUCCESS,AUTHZ_FAIL,AUTH_FAIL,AUTH_SUCCESS,ROLE_ASSUME,ENROLLMENT,PIN_RESET,FORMAT,CONFIG,CONFIG_ROLE,CONFIG_TOKEN,CONFIG_PROFILE,CONFIG_AUDIT,APPLET_UPGRADE,KEY_CHANGEOVER,RENEWAL,CIMC_CERT_VERIFICATION +logging.audit.selectable.events=AUTHZ_SUCCESS,AUTHZ_FAIL,AUTH_FAIL,AUTH_SUCCESS,ROLE_ASSUME,ENROLLMENT,PIN_RESET,FORMAT,CONFIG,CONFIG_ROLE,CONFIG_TOKEN,CONFIG_PROFILE,CONFIG_AUDIT,APPLET_UPGRADE,KEY_CHANGEOVER,RENEWAL,CIMC_CERT_VERIFICATION logging.audit.nonselectable.events=AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,LOGGING_SIGNED_AUDIT_SIGNING logging.audit.buffer.size=512 logging.audit.flush.interval=5 |
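Review bot: `CIMC_CERT_VERIFICATION` is appended to `logging.audit.selected.events` and `logging.audit.selectable.events` in the TPS template only, and nothing in this diff carries it into the `CS.cfg` of instances that are already deployed, so those instances will not record the new audit event until the two lines are edited by hand (inferred: the template is consumed at instance creation). A short upgrade note naming the event and the two keys to extend would close that gap for operators who rely on the audit trail being complete.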