summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authormharmsen <mharmsen@c9f7a03b-bd48-0410-a16d-cbbf54688b0b>2010-01-12 22:47:34 +0000
committermharmsen <mharmsen@c9f7a03b-bd48-0410-a16d-cbbf54688b0b>2010-01-12 22:47:34 +0000
commit7d1532ecb8310c037f54d96364dfdcd54e8e7cc0 (patch)
tree86bd1761488d7df8ea417cf15f7fb60634e82db2
parent39a606a94630a9dfa18b94dd0a19e97ddad451da (diff)
Bugzilla Bug #475895 - Disallow creation of an initial login shell
Bugzilla Bug #512234 - Move pkiuser:pkiuser check from spec file into pkicreate . . . Bugzilla Bug #547471 - Apply PKI SELinux changes to PKI registry model Bugzilla Bug #553072 - Apply "registry" logic to pki-kra . . . Bugzilla Bug #553074 - Apply "registry" logic to pki-ocsp . . . Bugzilla Bug #553075 - Apply "registry" logic to pki-tks . . . git-svn-id: svn+ssh://svn.fedorahosted.org/svn/pki/trunk@908 c9f7a03b-bd48-0410-a16d-cbbf54688b0b
Diffstat
-rw-r--r--pki/base/kra/build.xml30
-rwxr-xr-xpki/base/kra/setup/postinstall69
-rwxr-xr-xpki/base/kra/shared/etc/init.d/pki-krad (renamed from pki/base/kra/shared/etc/init.d/httpd)863
-rw-r--r--pki/base/ocsp/build.xml30
-rwxr-xr-xpki/base/ocsp/setup/postinstall69
-rwxr-xr-xpki/base/ocsp/shared/etc/init.d/pki-ocspd (renamed from pki/base/ocsp/shared/etc/init.d/httpd)863
-rw-r--r--pki/base/selinux/src/pki.fc18
-rw-r--r--pki/base/selinux/src/pki.if9
-rw-r--r--pki/base/selinux/src/pki.te2
-rwxr-xr-xpki/base/setup/pkicommon43
-rwxr-xr-xpki/base/setup/pkicreate65
-rw-r--r--pki/base/tks/build.xml30
-rwxr-xr-xpki/base/tks/setup/postinstall68
-rwxr-xr-xpki/base/tks/shared/etc/init.d/pki-tksd (renamed from pki/base/tks/shared/etc/init.d/httpd)863
14 files changed, 2299 insertions, 723 deletions
diff --git a/pki/base/kra/build.xml b/pki/base/kra/build.xml
index 1887b9efe..abbdbe7ab 100644
--- a/pki/base/kra/build.xml
+++ b/pki/base/kra/build.xml
@@ -184,31 +184,30 @@
<zip destfile="${dist.base.binaries}/${dist.name}.zip">
<zipfileset dir="./build/jars"
filemode="755"
- prefix="usr/share/java/${product.prefix}/${product}">
+ prefix="usr/share/java">
<include name="**"/>
</zipfileset>
<zipfileset dir="./setup"
- filemode="755"
- prefix="usr/share/${product.prefix}/${product}/setup">
- <include name="postinstall"/>
- </zipfileset>
- <zipfileset dir="./setup"
filemode="644"
prefix="usr/share/${product.prefix}/${product}/setup">
<include name="config.desktop"/>
</zipfileset>
+ <zipfileset dir="./shared/etc/init.d"
+ filemode="755"
+ prefix="etc/${init.d}">
+ <include name="pki-krad"/>
+ </zipfileset>
<zipfileset dir="./shared"
filemode="755"
prefix="usr/share/${product.prefix}/${product}">
<include name="conf/dtomcat5"/>
- <include name="etc/init.d/httpd"/>
</zipfileset>
<zipfileset dir="./shared"
filemode="644"
prefix="usr/share/${product.prefix}/${product}">
<include name="**"/>
<exclude name="conf/dtomcat5"/>
- <exclude name="etc/init.d/httpd"/>
+ <exclude name="etc/init.d/pki-krad"/>
</zipfileset>
<zipfileset dir="."
filemode="644"
@@ -224,31 +223,30 @@
destfile="${dist.base.binaries}/${dist.name}.tar">
<tarfileset dir="./build/jars"
mode="755"
- prefix="${dist.name}/usr/share/java/${product.prefix}/${product}">
+ prefix="${dist.name}/usr/share/java">
<include name="**"/>
</tarfileset>
<tarfileset dir="./setup"
- mode="755"
- prefix="${dist.name}/usr/share/${product.prefix}/${product}/setup">
- <include name="postinstall"/>
- </tarfileset>
- <tarfileset dir="./setup"
mode="644"
prefix="${dist.name}/usr/share/${product.prefix}/${product}/setup">
<include name="config.desktop"/>
</tarfileset>
+ <tarfileset dir="./shared/etc/init.d"
+ mode="755"
+ prefix="${dist.name}/etc/${init.d}">
+ <include name="pki-krad"/>
+ </tarfileset>
<tarfileset dir="./shared"
mode="755"
prefix="${dist.name}/usr/share/${product.prefix}/${product}">
<include name="conf/dtomcat5"/>
- <include name="etc/init.d/httpd"/>
</tarfileset>
<tarfileset dir="./shared"
mode="644"
prefix="${dist.name}/usr/share/${product.prefix}/${product}">
<include name="**"/>
<exclude name="conf/dtomcat5"/>
- <exclude name="etc/init.d/httpd"/>
+ <exclude name="etc/init.d/pki-krad"/>
</tarfileset>
<tarfileset dir="."
mode="644"
diff --git a/pki/base/kra/setup/postinstall b/pki/base/kra/setup/postinstall
deleted file mode 100755
index 5af06800a..000000000
--- a/pki/base/kra/setup/postinstall
+++ /dev/null
@@ -1,69 +0,0 @@
-#!/bin/bash
-#
-# --- BEGIN COPYRIGHT BLOCK ---
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation; version 2 of the License.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License along
-# with this program; if not, write to the Free Software Foundation, Inc.,
-# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-#
-# Copyright (C) 2007 Red Hat, Inc.
-# All rights reserved.
-# --- END COPYRIGHT BLOCK ---
-#
-
-###############################################################################
-## (1) Check command line arguments to see how many were passed in. ##
-###############################################################################
-
-if [ $# -eq 4 ]
-then
- PKI_PRODUCT_NAME=$1
- PKI_SUBSYSTEM_NAME=$2
- VERSION=$3
- RELEASE=$4
-else
- echo
- echo "Usage: $0 PKI_product_name PKI_subsystem_name version release"
- echo
-
- exit 255
-fi
-
-
-###############################################################################
-## (2) Specify variables used by this script. ##
-###############################################################################
-
-PKI_INSTANCE_NAME="${PKI_PRODUCT_NAME}-${PKI_SUBSYSTEM_NAME}"
-AGENT_SECURE_PORT=10443
-EE_SECURE_PORT=10444
-ADMIN_SECURE_PORT=10445
-UNSECURE_PORT=10180
-TOMCAT_SERVER_PORT=10701
-
-
-###############################################################################
-## (3) Create the first instance of a Key Recovery Authority (KRA). ##
-## NOTE: This is also called the Data Recovery Manager (DRM). ##
-###############################################################################
-
-if [ ! -e "/var/lib/${PKI_INSTANCE_NAME}" ]
-then
- /usr/bin/pkicreate -pki_instance_root=/var/lib -pki_instance_name=${PKI_INSTANCE_NAME} -subsystem_type=${PKI_SUBSYSTEM_NAME} -agent_secure_port=${AGENT_SECURE_PORT} -ee_secure_port=${EE_SECURE_PORT} -admin_secure_port=${ADMIN_SECURE_PORT} -unsecure_port=${UNSECURE_PORT} -tomcat_server_port=${TOMCAT_SERVER_PORT} -redirect conf=/etc/${PKI_INSTANCE_NAME} -redirect logs=/var/log/${PKI_INSTANCE_NAME}
-fi
-
-
-###############################################################################
-## (4) Successfully exit from this postinstallation script. ##
-###############################################################################
-
-exit 0
-
diff --git a/pki/base/kra/shared/etc/init.d/httpd b/pki/base/kra/shared/etc/init.d/pki-krad
index 5fce4d026..8658b5af9 100755
--- a/pki/base/kra/shared/etc/init.d/httpd
+++ b/pki/base/kra/shared/etc/init.d/pki-krad
@@ -18,14 +18,14 @@
# All rights reserved.
# --- END COPYRIGHT BLOCK ### ---
#
-# [PKI_INSTANCE_ID] Startup script for Tomcat 5.0, the Apache Servlet Engine
+# pki-krad Startup script for Tomcat 5.0 pki-kra, the Apache Servlet Engine
#
# chkconfig: - 82 18
# description: Data Recovery Manager \
# (Tomcat 5.0)
-# processname: [PKI_INSTANCE_ID]
-# pidfile: /var/run/[PKI_INSTANCE_ID].pid
-# config: [PKI_INSTANCE_PATH]/conf/tomcat5.conf
+# processname: pki-krad
+# piddir: /var/run/pki/kra
+# config: ${PKI_INSTANCE_PATH}/conf/tomcat5.conf
#
# Gomez Henri <hgomez@users.sourceforge.net>
# Keith Irwin <keith_irwin@non.hp.com>
@@ -60,23 +60,70 @@
# version 1.20tc5rh - Changed TOMCAT_USER from tomcat4 to tomcat
#
+PKI_INIT_SCRIPT=""
+PKI_PATH="/usr/share/pki/kra"
+PKI_PIDDIR="/var/run/pki/kra"
+PKI_PROCESS="pki-krad"
+PKI_REGISTRY="/etc/sysconfig/pki/kra"
+PKI_TYPE="pki-kra"
+
+# PKI subsystem-level directory and file values for locks
+lockfile="/var/lock/subsys/pki-krad"
+
# Disallow 'others' the ability to 'write' to new files
umask 00002
+default_error=0
+command="$1"
+pki_instance="$2"
+case "${command}" in
+ start|stop|restart|condrestart|force-restart|try-restart)
+ # * 1 generic or unspecified error (current practice)
+ default_error=1
+ ;;
+ reload)
+ default_error=3
+ ;;
+ status)
+ # * 4 program or service status is unknown
+ default_error=4
+ ;;
+ *)
+ # * 2 invalid argument(s)
+ default_error=2
+ ;;
+esac
+
# Check to insure that this script's original invocation directory
# has not been deleted!
CWD=`/bin/pwd > /dev/null 2>&1`
if [ $? -ne 0 ] ; then
echo "Cannot invoke '$0' from non-existent directory!"
- exit 255
+ exit ${default_error}
fi
# Check to insure that this script's associated PKI
# subsystem currently resides on this system.
-PKI_SUBSYSTEM_TYPE=[PKI_SUBSYSTEM_TYPE]
-if [ ! -d /usr/share/pki/${PKI_SUBSYSTEM_TYPE} ] ; then
- echo "This machine is missing the '${PKI_SUBSYSTEM_TYPE}' subsystem!"
- exit 255
+if [ ! -d ${PKI_PATH} ] ; then
+ echo "This machine is missing the '${PKI_TYPE}' subsystem!"
+ if [ "${command}" != "status" ]; then
+ # * 5 program is not installed
+ exit 5
+ else
+ exit ${default_error}
+ fi
+fi
+
+# Check to insure that this script's associated PKI
+# subsystem instance registry currently resides on this system.
+if [ ! -d ${PKI_REGISTRY} ] ; then
+ echo "This machine contains no registered '${PKI_TYPE}' subsystem instances!"
+ if [ "${command}" != "status" ]; then
+ # * 5 program is not installed
+ exit 5
+ else
+ exit ${default_error}
+ fi
fi
# Obtain the operating system upon which this script is being executed
@@ -86,15 +133,29 @@ ARCHITECTURE=""
# This script must be run as root!
RV=0
if [ ${OS} = "Linux" ] ; then
+ PKI_INIT_SCRIPT="/sbin/service ${PKI_PROCESS}"
if [ `id -u` -ne 0 ] ; then
echo "Must be 'root' to execute '$0'!"
- exit 1
+ if [ "${command}" != "status" ]; then
+ # * 4 user had insufficient privilege
+ exit 4
+ else
+ # * 4 program or service status is unknown
+ exit 4
+ fi
fi
ARCHITECTURE=`uname -i`
elif [ ${OS} = "SunOS" ] ; then
+ PKI_INIT_SCRIPT="/etc/init.d/${PKI_PROCESS}"
if [ `/usr/xpg4/bin/id -u` -ne 0 ] ; then
echo "Must be 'root' to execute '$0'!"
- exit 1
+ if [ "${command}" != "status" ]; then
+ # * 4 user had insufficient privilege
+ exit 4
+ else
+ # * 4 program or service status is unknown
+ exit 4
+ fi
fi
ARCHITECTURE=`uname -p`
if [ "${ARCHITECTURE}" = "sparc" ] &&
@@ -103,7 +164,7 @@ elif [ ${OS} = "SunOS" ] ; then
fi
else
echo "Unsupported OS '${OS}'!"
- exit 1
+ exit ${default_error}
fi
# Source function library.
@@ -120,25 +181,32 @@ else
for i in $* ; do
ps -p $i > /dev/null 2>&1 ;
if [ $? -ne 0 ] ; then
- rv=`expr $rv + 1`
+ rv=`expr ${rv} + 1`
else
- rv=`expr $rv + 0`
+ rv=`expr ${rv} + 0`
fi
done
- # echo "rv=$rv"
- return $rv
+ # echo "rv=${rv}"
+ return ${rv}
}
# Create the following directories on platforms
# where they do not exist (e. g. - Solaris) . . .
- if [ ! -d /var/lock/subsys ] ; then
+ if [ ! -d "/var/lock" ] ; then
+ mkdir -p /var/lock
+ chown root:sys /var/lock
+ chmod 00755 /var/lock
+ fi
+ if [ ! -d "/var/lock/subsys" ] ; then
mkdir -p /var/lock/subsys
+ chown root:root /var/lock/subsys
+ chmod 00755 /var/lock/subsys
fi
#######################################################################
## NOTE: The following code needs to eventually be moved into the ##
## template used to create the ##
- ## "[PKI_INSTANCE_PATH]/conf/tomcat5.conf" file! ##
+ ## "${PKI_INSTANCE_PATH}/conf/tomcat5.conf" file! ##
#######################################################################
if [ ${OS} = "SunOS" ] ; then
@@ -162,53 +230,129 @@ else
echo -n "at \"${DEFAULT_SOLARIS_JAVA_HOME}\"!"
echo
echo
- exit 255
+ exit ${default_error}
fi
fi
fi
-#Use CATALINA_BASE
-
-CATALINA_BASE=[PKI_INSTANCE_PATH]
-export CATALINA_BASE
+PKI_REGISTRY_ENTRIES=""
+TOTAL_PKI_REGISTRY_ENTRIES=0
+TOTAL_UNCONFIGURED_PKI_ENTRIES=0
-# Get Tomcat config
+# Gather ALL registered instances of this PKI subsystem type
+for FILE in `/bin/ls -1 ${PKI_REGISTRY}/* 2>/dev/null`; do
+ if [ -f "$FILE" ] ; then
+ inst=`echo "$FILE"`
+ PKI_REGISTRY_ENTRIES="${PKI_REGISTRY_ENTRIES} $inst"
+ TOTAL_PKI_REGISTRY_ENTRIES=`expr ${TOTAL_PKI_REGISTRY_ENTRIES} + 1`
+ fi
+done
-TOMCAT_CFG="[PKI_INSTANCE_PATH]/conf/tomcat5.conf"
+if [ -n "${pki_instance}" ]; then
+ for I in ${PKI_REGISTRY_ENTRIES}; do
+ if [ "${PKI_REGISTRY}/${pki_instance}" = "$I" ]; then
+ PKI_REGISTRY_ENTRIES="${PKI_REGISTRY}/${pki_instance}"
+ TOTAL_PKI_REGISTRY_ENTRIES=1
+ break
+ fi
+ done
+fi
-[ -r "$TOMCAT_CFG" ] && . "${TOMCAT_CFG}"
+usage()
+{
+ echo -n "Usage: ${PKI_INIT_SCRIPT} "
+ echo -n "{start"
+ echo -n "|stop"
+ echo -n "|restart"
+ echo -n "|condrestart"
+ echo -n "|force-restart"
+ echo -n "|try-restart"
+ echo -n "|reload"
+ echo -n "|status} "
+ echo -n "[instance-name]"
+ echo
+ echo
+}
-# Path to the tomcat launch script (direct don't use wrapper)
-TOMCAT_SCRIPT=/usr/bin/dtomcat5-[PKI_INSTANCE_ID]
+list_instances()
+{
+ echo
+ for FILE in `/bin/ls -1 ${PKI_REGISTRY}/* 2>/dev/null`; do
+ echo " ${FILE}"
+ done
+ echo
+}
-# Path to the script that will refresh jar symlinks on startup
-if [ ${OS} = "Linux" ] ; then
- TOMCAT_RELINK_SCRIPT="/usr/share/tomcat5/bin/relink"
+# Check arguments
+if [ $# -lt 1 ] ; then
+ # * 3 unimplemented feature (for example, "reload")
+ # [insufficient arguments]
+ echo "$0: Insufficient arguments!"
+ echo
+ usage
+ echo "where valid instance names include:"
+ list_instances
+ exit 3
+elif [ ${default_error} -eq 2 ] ; then
+ # * 2 invalid argument
+ echo "$0: Invalid arguments!"
+ echo
+ usage
+ echo "where valid instance names include:"
+ list_instances
+ exit 2
+elif [ $# -gt 2 ] ; then
+ echo "$0: Excess arguments!"
+ echo
+ usage
+ echo "where valid instance names include:"
+ list_instances
+ if [ "${command}" != "status" ]; then
+ # * 2 excess arguments
+ exit 2
+ else
+ # * 4 program or service status is unknown
+ exit 4
+ fi
fi
-# Tomcat name :)
-TOMCAT_PROG=[PKI_INSTANCE_ID]
-
-# if TOMCAT_USER is not set, use tomcat5 like Apache HTTP server
-if [ -z "$TOMCAT_USER" ]; then
- TOMCAT_USER="[PKI_USER]"
+# If an "instance" was supplied, check that it is a "valid" instance
+if [ -n "${pki_instance}" ]; then
+ if [ "${PKI_REGISTRY}/${pki_instance}" != "${PKI_REGISTRY_ENTRIES}" ]; then
+ echo -n "${pki_instance} is an invalid '${PKI_TYPE}' instance"
+ echo_failure
+ echo
+ if [ "${command}" != "status" ]; then
+ # * 5 program is not installed
+ exit 5
+ else
+ # * 4 program or service status is unknown
+ exit 4
+ fi
+ fi
fi
-# if TOMCAT_GROUP is not set, use tomcat5 like Apache HTTP server
-if [ -z "$TOMCAT_GROUP" ]; then
- TOMCAT_GROUP="[PKI_GROUP]"
-fi
+# On Solaris /var/run is in tmpfs and gets wiped out upon reboot
+# we have to recreate the ${PKI_PIDDIR} directory and make sure that
+# the directory is writable by the ${PKI_TYPE} server process.
+#
+# IMPORTANT: ALL PKI subsystems installed on this machine MUST utilize
+# the SAME values for ${PKI_GROUP} and ${PKI_USER}, since the
+# "${PKI_PIDDIR}" will end up with the ownership permissions
+# of the first instance that executes this function!
+#
+fix_pid_dir_ownership()
+{
+ if [ ! -d ${PKI_PIDDIR} ] ; then
+ mkdir -p ${PKI_PIDDIR}
-# Since the daemon function will sandbox $tomcat
-# no environment stuff should be defined here anymore.
-# Please use the [PKI_INSTANCE_PATH]/conf/tomcat5.conf
-# file instead ; it will be read by the $tomcat script
+ chown root:root /var/run/pki
+ chmod 00755 /var/run/pki
-pidfile=${PIDFILE:-/var/run/[PKI_INSTANCE_ID].pid}
-lockfile=${LOCKFILE:-/var/lock/subsys/[PKI_INSTANCE_ID]}
-pki_instance_configuration_file=[PKI_INSTANCE_PATH]/conf/CS.cfg
-RESTART_SERVER=[PKI_INSTANCE_PATH]/conf/restart_server_after_configuration
-RETVAL=0
+ chown root:root ${PKI_PIDDIR}
+ chmod 00755 ${PKI_PIDDIR}
+ fi
+}
check_pki_configuration_status()
{
@@ -219,11 +363,27 @@ check_pki_configuration_status()
rv=`expr ${rv} + 0`
if [ ${rv} -ne 0 ] ; then
- echo " '[PKI_INSTANCE_ID]' must still be CONFIGURED!"
- echo " (see /var/log/[PKI_INSTANCE_ID]-install.log)"
+ echo " '${PKI_INSTANCE_ID}' must still be CONFIGURED!"
+ echo " (see /var/log/${PKI_INSTANCE_ID}-install.log)"
+ if [ "${command}" != "status" ]; then
+ # * 6 program is not configured
+ rv=6
+ else
+ # * 4 program or service status is unknown
+ rv=4
+ fi
+ TOTAL_UNCONFIGURED_PKI_ENTRIES=`expr ${TOTAL_UNCONFIGURED_PKI_ENTRIES} + 1`
elif [ -f ${RESTART_SERVER} ] ; then
- echo " Although '[PKI_INSTANCE_ID]' has been CONFIGURED, it must still be RESTARTED!"
- rv=255
+ echo -n " Although '${PKI_INSTANCE_ID}' has been CONFIGURED, "
+ echo -n "it must still be RESTARTED!"
+ echo
+ if [ "${command}" != "status" ]; then
+ # * 1 generic or unspecified error (current practice)
+ rv=1
+ else
+ # * 4 program or service status is unknown
+ rv=4
+ fi
fi
return ${rv}
@@ -246,14 +406,14 @@ get_pki_status_definitions()
pki_status_comment_found=0
# first check to see that an instance-specific "server.xml" file exists
- if [ ! -f [PKI_SERVER_XML_CONF] ] ; then
- echo "File '[PKI_SERVER_XML_CONF]' does not exist!"
- exit 255
+ if [ ! -f ${PKI_SERVER_XML_CONF} ] ; then
+ echo "File '${PKI_SERVER_XML_CONF}' does not exist!"
+ exit ${default_error}
fi
# read this instance-specific "server.xml" file line-by-line
# to obtain the current PKI Status Definitions
- exec < [PKI_SERVER_XML_CONF]
+ exec < ${PKI_SERVER_XML_CONF}
while read line; do
# first look for the well-known end PKI Status comment
# (to turn off processing)
@@ -283,12 +443,12 @@ get_pki_status_definitions()
total_ports=`expr ${total_ports} + 1`
fi
fi
- done
+ done
if [ ${total_ports} -eq 6 ] ; then
return 0
else
- return 255
+ return ${default_error}
fi
}
@@ -305,14 +465,14 @@ get_pki_configuration_definitions()
[ "${pki_subsystem}" != "RA" ] &&
[ "${pki_subsystem}" != "TPS" ]
then
- return 255
+ return ${default_error}
fi
if [ "${pki_subsystem}" == "KRA" ] ; then
# Rename "KRA" to "DRM"
pki_subsystem="DRM"
fi
else
- return 255
+ return ${default_error}
fi
# If "${pki_subsystem}" is a CA, DRM, OCSP, or TKS,
@@ -331,7 +491,7 @@ get_pki_configuration_definitions()
pki_clone=""
fi
else
- return 255
+ return ${default_error}
fi
fi
@@ -345,7 +505,7 @@ get_pki_configuration_definitions()
if [ "${line}" != "" ] ; then
pki_hierarchy=`echo "${line}" | cut -b18-`
else
- return 255
+ return ${default_error}
fi
fi
@@ -364,7 +524,7 @@ get_pki_configuration_definitions()
pki_security_domain=""
fi
else
- return 255
+ return ${default_error}
fi
fi
@@ -378,25 +538,25 @@ get_pki_configuration_definitions()
if [ "${line}" != "" ] ; then
pki_security_domain_name=`echo "${line}" | cut -b21-`
else
- return 255
+ return ${default_error}
fi
line=`grep ^securitydomain.host= ${pki_instance_configuration_file}`
if [ "${line}" != "" ] ; then
pki_security_domain_hostname=`echo "${line}" | cut -b21-`
else
- return 255
+ return ${default_error}
fi
line=`grep ^securitydomain.httpsadminport= ${pki_instance_configuration_file}`
if [ "${line}" != "" ] ; then
pki_security_domain_https_admin_port=`echo "${line}" | cut -b31-`
else
- return 255
+ return ${default_error}
fi
# Compose the "PKI Instance Name" Status Line
- pki_instance_name="PKI Instance Name: [PKI_INSTANCE_ID]"
+ pki_instance_name="PKI Instance Name: ${PKI_INSTANCE_ID}"
# Compose the "PKI Subsystem Type" Status Line
header="PKI Subsystem Type: "
@@ -456,7 +616,7 @@ get_pki_configuration_definitions()
then
data="https://${pki_security_domain_hostname}:${pki_security_domain_https_admin_port}"
else
- return 255
+ return ${default_error}
fi
registered_pki_security_domain_url="${header} ${data}"
@@ -490,14 +650,14 @@ get_pki_secure_port()
ssl_comment_found=0
# first check to see that an instance-specific "server.xml" file exists
- if [ ! -f [PKI_SERVER_XML_CONF] ] ; then
- echo "File '[PKI_SERVER_XML_CONF]' does not exist!"
- exit 255
+ if [ ! -f ${PKI_SERVER_XML_CONF} ] ; then
+ echo "File '${PKI_SERVER_XML_CONF}' does not exist!"
+ exit ${default_error}
fi
# read this instance-specific "server.xml" file line-by-line
# to obtain the current value of the PKI secure port
- exec < [PKI_SERVER_XML_CONF]
+ exec < ${PKI_SERVER_XML_CONF}
while read line; do
# first look for the well-known end SSL comment
# (to turn off processing)
@@ -530,48 +690,177 @@ get_pki_secure_port()
fi
fi
fi
- done
+ done
- return 255
+ return ${default_error}
}
-start()
+display_instance_status()
+{
+ rv=0
+
+ if [ -f ${pidfile} ] ; then
+ pid=`cat ${pidfile}`
+ if [ "${pid}" == "" ] ; then
+ echo "${PKI_INSTANCE_ID} pid file exists but is empty"
+ if [ "${command}" != "status" ]; then
+ # * 1 generic or unspecified error (current practice)
+ rv=1
+ else
+ # * 4 program or service status is unknown
+ rv=4
+ fi
+ elif kill -0 ${pid} > /dev/null 2>&1 ; then
+ echo "${PKI_INSTANCE_ID} (pid ${pid}) is running ..."
+ echo
+ check_pki_configuration_status
+ rv=$?
+ if [ ${rv} -eq 0 ] ; then
+ get_pki_status_definitions
+ rv=$?
+ if [ ${rv} -ne 0 ] ; then
+ echo
+ echo "${PKI_INSTANCE_ID} Status Definitions not found"
+ else
+ get_pki_configuration_definitions
+ rv=$?
+ if [ ${rv} -ne 0 ] ; then
+ echo
+ echo "${PKI_INSTANCE_ID} Configuration Definitions not found"
+ fi
+ fi
+ else
+ # From the PKI point of view for a "non-status" action,
+ # a returned error code of "6" implies that the program
+ # is not "configured". Similarly, an error code of "1"
+ # implies that the program was "configured" but must
+ # still be restarted.
+ #
+ # Similarly, from the PKI point of view for a "status"
+ # action, a returned error code of "4" implies that either
+ # the program is not "configured", or that the program
+ # was "configured" but must still be restarted.
+ #
+ # Regardless, it must still be considered that the instance
+ # is "running" from the viewpoint of other OS programs such
+ # as 'chkconfig'.
+ #
+ # For this reason, when returning from
+ # 'display_instance_status()', ignore non-zero return codes
+ # returned from 'check_pki_configuration_status()'.
+ #
+ if [ "${command}" != "status" ]; then
+ # * 0 action was successful
+ rv=0
+ else
+ # * 0 program is running or service is OK
+ rv=0
+ fi
+ fi
+ echo
+ else
+ echo "${PKI_INSTANCE_ID} is dead but pid file exists"
+ if [ "${command}" != "status" ]; then
+ # * 1 generic or unspecified error (current practice)
+ rv=1
+ else
+ # * 1 program is dead and /var/run pid file exists
+ rv=1
+ fi
+ fi
+ else
+ echo "${PKI_INSTANCE_ID} is stopped"
+ if [ "${command}" != "status" ]; then
+ # * 7 program is not running
+ rv=7
+ else
+ # * 3 program is not running
+ rv=3
+ fi
+ fi
+
+ return ${rv}
+}
+
+start_instance()
{
+ rv=0
+
echo -n "Starting $TOMCAT_PROG: "
if [ -f ${RESTART_SERVER} ] ; then
rm -f ${RESTART_SERVER}
fi
- if [ -f ${lockfile} ] ; then
+ if [ -f ${PKI_LOCKFILE} ] ; then
if [ -f ${pidfile} ]; then
read kpid < ${pidfile}
if checkpid $kpid 2>&1; then
echo
- echo "process already running"
- return 255
+ echo "${PKI_INSTANCE_ID} (pid ${kpid}) is already running ..."
+ echo
+ check_pki_configuration_status
+ rv=$?
+ if [ ${rv} != 0 ]; then
+ # From the PKI point of view for a "non-status" action,
+ # a returned error code of "6" implies that the program
+ # is not "configured". Similarly, an error code of "1"
+ # implies that the program was "configured" but must
+ # still be restarted.
+ #
+ # Regardless, it must still be considered that the instance
+ # is "running" from the viewpoint of other OS programs such
+ # as 'chkconfig'.
+ #
+ # For "non-status" actions, ignore return codes of "1"
+ # from 'check_pki_configuration_status()'.
+ #
+ # However, for "non-status" actions that have a return
+ # code of "6", return this value unchanged to
+ # the calling routine so that the total number of
+ # configuration errors may be counted.
+ #
+
+ echo
+ if [ ${rv} = 1 ] ; then
+ # * 0 action was successful
+ return 0
+ elif [ ${rv} = 6 ] ; then
+ # * 6 program is not configured
+ return 6
+ else
+ # should never be reached
+ return ${rv}
+ fi
+ else
+ return 0
+ fi
else
echo
echo -n "lock file found but no process "
echo -n "running for pid $kpid, continuing"
echo
echo
+ rm -f ${PKI_LOCKFILE}
fi
fi
fi
+ fix_pid_dir_ownership
+
CATALINA_PID=${pidfile}
export CATALINA_PID
touch $CATALINA_PID
chown $TOMCAT_USER:$TOMCAT_GROUP $CATALINA_PID
- [ -x /sbin/restorecon ] && /sbin/restorecon $CATALINA_PID
+ chmod 00600 $CATALINA_PID
+ [ -x /sbin/restorecon ] && /sbin/restorecon $CATALINA_PID
- # restore context for ncipher hsm
- [ -x /sbin/restorecon ] && [ -d /dev/nfast ] && /sbin/restorecon -R /dev/nfast
+ # restore context for ncipher hsm
+ [ -x /sbin/restorecon ] && [ -d /dev/nfast ] && /sbin/restorecon -R /dev/nfast
# Always initialize CLASSPATH to start looking
# in the local PKI classes directory . . .
- CLASSPATH=/usr/share/[PKI_FLAVOR]/classes
+ CLASSPATH=/usr/share/pki/classes
if [ ${OS} = "Linux" ] ; then
$TOMCAT_RELINK_SCRIPT
@@ -790,7 +1079,7 @@ start()
if [ ! -e /var/lib/tomcat5/common/lib/\[javamail\]pop3\-1.3.1.jar ]; then
ln -s /usr/share/java/javamail/pop3-1.3.1.jar [javamail]pop3-1.3.1.jar
fi
- if [ ! -e /var/lib/tomcat5/common/lib/\[javamail\]pop3.jar ]; then
+ if [ ! -e /var/lib/tomcat5/common/lib/\[javamail\]pop3.jar ]; then
ln -s /usr/share/java/javamail/pop3.jar [javamail]pop3.jar
fi
if [ ! -e /var/lib/tomcat5/common/lib/\[javamail\]providers\-1.3.1.jar ]; then
@@ -1053,17 +1342,21 @@ start()
cd /var/lib/tomcat5/shared/lib
fi
- # daemon --user $TOMCAT_USER $TOMCAT_SCRIPT start
+ # daemon --user $TOMCAT_USER $TOMCAT_SCRIPT start
if [ ${OS} = "SunOS" ] ; then
su $TOMCAT_USER -c "$TOMCAT_SCRIPT start" > /dev/null
- else
+ else
runuser -s /bin/bash $TOMCAT_USER -c "$TOMCAT_SCRIPT start" > /dev/null
fi
- RETVAL=$?
- [ $RETVAL = 0 ] && touch ${lockfile}
+ rv=$?
+ if [ ${rv} = 0 ] ; then
+ touch ${PKI_LOCKFILE}
+ chown $TOMCAT_USER:$TOMCAT_GROUP $PKI_LOCKFILE
+ chmod 00600 $PKI_LOCKFILE
+ fi
- if [ $RETVAL = 0 ] ; then
+ if [ ${rv} = 0 ] ; then
count=0;
let swait=$STARTUP_WAIT
@@ -1090,12 +1383,13 @@ start()
PKI_SECURE_PORT="<Port Undefined>"
fi
+ # ignore "status" return codes
echo
- status
+ display_instance_status
else
if [ -f /etc/init.d/functions ]; then
if [ "$CONSOLETYPE" = "serial" ]; then
- echo -n " "
+ $0 echo -n " "
fi
echo_failure
echo
@@ -1105,27 +1399,29 @@ start()
fi
sleep 5
- return $RETVAL
+ return ${rv}
}
-stop()
+stop_instance()
{
+ rv=0
+
echo -n "Stopping $TOMCAT_PROG: "
- if [ -f ${lockfile} ] ; then
+ if [ -f ${PKI_LOCKFILE} ] ; then
CATALINA_PID=${pidfile}
export CATALINA_PID
# daemon --user $TOMCAT_USER $TOMCAT_SCRIPT stop
if [ ${OS} = "SunOS" ] ; then
su $TOMCAT_USER -c "$TOMCAT_SCRIPT stop" > /dev/null
- else
+ else
runuser -s /bin/bash $TOMCAT_USER -c "$TOMCAT_SCRIPT stop" > /dev/null
fi
- RETVAL=$?
+ rv=$?
- if [ $RETVAL = 0 ]; then
+ if [ ${rv} = 0 ]; then
count=0;
if [ -f ${pidfile} ]; then
@@ -1145,7 +1441,7 @@ stop()
fi
fi
- rm -f ${lockfile}
+ rm -f ${PKI_LOCKFILE}
rm -f ${pidfile}
if [ -f /etc/init.d/functions ]; then
@@ -1167,75 +1463,346 @@ stop()
else
echo " [ FAILED ]"
fi
+ rv=${default_error}
fi
else
echo
echo "process already stopped"
+ rv=0
fi
+
+ return ${rv}
}
-status()
+start()
{
- if [ -f ${pidfile} ] ; then
- pid=`cat ${pidfile}`
- if [ "${pid}" == "" ] ; then
- echo "[PKI_INSTANCE_ID] pid file exists but is empty"
- elif kill -0 ${pid} > /dev/null 2>&1 ; then
- echo "[PKI_INSTANCE_ID] (pid ${pid}) is running ..."
+ # From "http://fedoraproject.org/wiki/FCNewInit/Initscripts":
+ #
+ # * 0 action was successful
+ # * 1 generic or unspecified error (current practice)
+ # * 2 invalid or excess argument(s)
+ # * 3 unimplemented feature (for example, "reload")
+ # * 4 user had insufficient privilege
+ # * 5 program is not installed
+ # * 6 program is not configured
+ # * 7 program is not running
+ # * 8-99 reserved for future LSB use
+ # * 100-149 reserved for distribution use
+ # * 150-199 reserved for application use
+ # * 200-254 reserved
+ #
+
+ error_rv=0
+ rv=0
+
+ if [ -n "${PKI_REGISTRY_ENTRIES}" ]; then
+ config_errors=0
+ errors=0
+
+ if [ ${TOTAL_PKI_REGISTRY_ENTRIES} -gt 1 ] ; then
+ echo "BEGIN STARTING '${PKI_TYPE}' INSTANCE(S):"
+ fi
+
+ # Start every PKI instance of this type that isn't already running
+ for PKI_REGISTRY_ENTRY in ${PKI_REGISTRY_ENTRIES}; do
+ # Source values associated with this particular PKI instance
+ [ -f ${PKI_REGISTRY_ENTRY} ] &&
+ . ${PKI_REGISTRY_ENTRY}
+
+ pidfile=${PKI_PIDDIR}/${PKI_PIDFILE}
+
+ [ ${TOTAL_PKI_REGISTRY_ENTRIES} -gt 1 ] && echo
+
+ start_instance
+
+ rv=$?
+ if [ ${rv} = 6 ] ; then
+ # Since at least ONE configuration error exists, then there
+ # is at least ONE unconfigured instance from the PKI point
+ # of view.
+ #
+ # However, it must still be considered that the
+ # instance is "running" from the point of view of other
+ # OS programs such as 'chkconfig'.
+ #
+ # Therefore, ignore non-zero return codes resulting
+ # from configuration errors.
+ #
+
+ config_errors=`expr $config_errors + 1`
+ rv=0
+ elif [ ${rv} != 0 ] ; then
+ errors=`expr $errors + 1`
+ error_rv=${rv}
+ fi
+ done
+
+ if [ ${TOTAL_PKI_REGISTRY_ENTRIES} -gt ${errors} ] ; then
+ touch ${lockfile}
+ chmod 00600 ${lockfile}
+ fi
+
+ # ONLY print a "WARNING" message if multiple
+ # instances are being examined
+ if [ ${TOTAL_PKI_REGISTRY_ENTRIES} -gt 1 ] ; then
+ # NOTE: "bad" return code(s) OVERRIDE configuration errors!
+ if [ ${errors} -eq 1 ]; then
+ # Since only ONE error exists, return that "bad" error code.
+ rv=${error_rv}
+ elif [ ${errors} -gt 1 ]; then
+ # Since MORE than ONE error exists, return an OVERALL status
+ # of "1 generic or unspecified error (current practice)"
+ rv=1
+ fi
+
+ if [ ${errors} -ge 1 ]; then
+ echo
+ echo -n "WARNING: "
+ echo -n "${errors} of ${TOTAL_PKI_REGISTRY_ENTRIES} "
+ echo -n "'${PKI_TYPE}' instances failed to start!"
+ echo
+ fi
+
+ if [ ${TOTAL_UNCONFIGURED_PKI_ENTRIES} -ge 1 ]; then
+ echo
+ echo -n "WARNING: "
+ echo -n "${TOTAL_UNCONFIGURED_PKI_ENTRIES} "
+ echo -n "of ${TOTAL_PKI_REGISTRY_ENTRIES} "
+ echo -n "'${PKI_TYPE}' instances MUST be configured!"
+ echo
+ fi
+
echo
- check_pki_configuration_status
- if [ $? -eq 0 ] ; then
- get_pki_status_definitions
- if [ $? -ne 0 ] ; then
- echo
- echo "[PKI_INSTANCE_ID] Status Definitions not found"
- fi
- get_pki_configuration_definitions
- if [ $? -ne 0 ] ; then
- echo
- echo "[PKI_INSTANCE_ID] Configuration Definitions not found"
- fi
+ echo "FINISHED STARTING '${PKI_TYPE}' INSTANCE(S)."
+ fi
+ else
+ echo
+ echo "ERROR: No '${PKI_TYPE}' instances installed!"
+ rv=5
+ fi
+
+ return ${rv}
+}
+
+stop()
+{
+ # From "http://fedoraproject.org/wiki/FCNewInit/Initscripts":
+ #
+ # * 0 action was successful
+ # * 1 generic or unspecified error (current practice)
+ # * 2 invalid or excess argument(s)
+ # * 3 unimplemented feature (for example, "reload")
+ # * 4 user had insufficient privilege
+ # * 5 program is not installed
+ # * 6 program is not configured
+ # * 7 program is not running
+ # * 8-99 reserved for future LSB use
+ # * 100-149 reserved for distribution use
+ # * 150-199 reserved for application use
+ # * 200-254 reserved
+ #
+
+ error_rv=0
+ rv=0
+
+ if [ -n "${PKI_REGISTRY_ENTRIES}" ]; then
+ errors=0
+
+ if [ ${TOTAL_PKI_REGISTRY_ENTRIES} -gt 1 ] ; then
+ echo "BEGIN SHUTTING DOWN '${PKI_TYPE}' INSTANCE(S):"
+ fi
+
+ # Shutdown every PKI instance of this type that is running
+ for PKI_REGISTRY_ENTRY in ${PKI_REGISTRY_ENTRIES}; do
+ # Source values associated with this particular PKI instance
+ [ -f ${PKI_REGISTRY_ENTRY} ] &&
+ . ${PKI_REGISTRY_ENTRY}
+
+ pidfile=${PKI_PIDDIR}/${PKI_PIDFILE}
+
+ [ ${TOTAL_PKI_REGISTRY_ENTRIES} -gt 1 ] && echo
+
+ stop_instance
+
+ rv=$?
+ if [ ${rv} != 0 ] ; then
+ errors=`expr $errors + 1`
+ error_rv=${rv}
+ fi
+ done
+
+ if [ ${errors} -eq 0 ] ; then
+ rm -f ${lockfile}
+ fi
+
+ # ONLY print a "WARNING" message if multiple
+ # instances are being examined
+ if [ ${TOTAL_PKI_REGISTRY_ENTRIES} -gt 1 ] ; then
+ if [ ${errors} -eq 1 ]; then
+ # Since only ONE error exists, return that "bad" error code.
+ rv=${error_rv}
+ elif [ ${errors} -gt 1 ]; then
+ # Since MORE than ONE error exists, return an OVERALL status
+ # of "1 generic or unspecified error (current practice)"
+ rv=1
+ fi
+
+ if [ ${errors} -ge 1 ]; then
+ echo
+ echo -n "WARNING: "
+ echo -n "${errors} of ${TOTAL_PKI_REGISTRY_ENTRIES} "
+ echo -n "'${PKI_TYPE}' instances were "
+ echo -n "unsuccessfully stopped!"
+ echo
fi
+
echo
- else
- echo "[PKI_INSTANCE_ID] is dead but pid file exists"
+ echo "FINISHED SHUTTING DOWN '${PKI_TYPE}' INSTANCE(S)."
fi
else
- echo "[PKI_INSTANCE_ID] is stopped"
+ echo
+ echo "ERROR: No '${PKI_TYPE}' instances installed!"
+ rv=5
fi
+
+ return ${rv}
}
-# See how we were called.
-case "$1" in
- start)
- start
- ;;
- stop)
- stop
- ;;
- restart)
- stop
- sleep 2
- start
- ;;
- condrestart)
- if [ -f ${pidfile} ] ; then
- stop
- sleep 2
- start
- else
- echo -n "Unable to restart process since "
- echo -n "'${pidfile}' does not exist!"
+restart()
+{
+ # From "http://fedoraproject.org/wiki/FCNewInit/Initscripts":
+ #
+ # * 0 action was successful
+ # * 1 generic or unspecified error (current practice)
+ # * 2 invalid or excess argument(s)
+ # * 3 unimplemented feature (for example, "reload")
+ # * 4 user had insufficient privilege
+ # * 5 program is not installed
+ # * 6 program is not configured
+ # * 7 program is not running
+ # * 8-99 reserved for future LSB use
+ # * 100-149 reserved for distribution use
+ # * 150-199 reserved for application use
+ # * 200-254 reserved
+ #
+
+ stop
+ sleep 2
+ echo
+ echo "============================================================"
+ echo
+ start
+
+ return $?
+}
+
+status()
+{
+ # From "http://fedoraproject.org/wiki/FCNewInit/Initscripts":
+ #
+ # * 0 program is running or service is OK
+ # * 1 program is dead and /var/run pid file exists
+ # * 2 program is dead and /var/lock lock file exists
+ # * 3 program is not running
+ # * 4 program or service status is unknown
+ # * 5-99 reserved for future LSB use
+ # * 100-149 reserved for distribution use
+ # * 150-199 reserved for application use
+ # * 200-254 reserved
+ #
+
+ error_rv=0
+ rv=0
+
+ if [ -n "${PKI_REGISTRY_ENTRIES}" ]; then
+ errors=0
+
+ if [ ${TOTAL_PKI_REGISTRY_ENTRIES} -gt 1 ] ; then
+ echo "REPORT STATUS OF '${PKI_TYPE}' INSTANCE(S):"
+ fi
+
+ # Obtain status of every PKI instance of this type
+ for PKI_REGISTRY_ENTRY in ${PKI_REGISTRY_ENTRIES}; do
+ # Source values associated with this particular PKI instance
+ [ -f ${PKI_REGISTRY_ENTRY} ] &&
+ . ${PKI_REGISTRY_ENTRY}
+
+ pidfile=${PKI_PIDDIR}/${PKI_PIDFILE}
+
+ [ ${TOTAL_PKI_REGISTRY_ENTRIES} -gt 1 ] && echo
+
+ display_instance_status
+
+ rv=$?
+ if [ ${rv} -ne 0 ] ; then
+ errors=`expr $errors + 1`
+ error_rv=${rv}
+ fi
+ done
+
+ # ONLY print a "WARNING" message if multiple
+ # instances are being examined
+ if [ ${TOTAL_PKI_REGISTRY_ENTRIES} -gt 1 ] ; then
+ if [ ${errors} -eq 1 ]; then
+ # Since only ONE error exists, return that "bad" error code.
+ rv=${error_rv}
+ elif [ ${errors} -gt 1 ]; then
+ # Since MORE than ONE error exists, return an OVERALL status
+ # of "4 - program or service status is unknown"
+ rv=4
+ fi
+
+ if [ ${errors} -ge 1 ]; then
+ echo
+ echo -n "WARNING: "
+ echo -n "${errors} of ${TOTAL_PKI_REGISTRY_ENTRIES} "
+ echo -n "'${PKI_TYPE}' instances reported status failures!"
+ echo
+ fi
+
+ if [ ${TOTAL_UNCONFIGURED_PKI_ENTRIES} -ge 1 ]; then
+ echo
+ echo -n "WARNING: "
+ echo -n "${TOTAL_UNCONFIGURED_PKI_ENTRIES} "
+ echo -n "of ${TOTAL_PKI_REGISTRY_ENTRIES} "
+ echo -n "'${PKI_TYPE}' instances MUST be configured!"
+ echo
+ fi
+
echo
+ echo "FINISHED REPORTING STATUS OF '${PKI_TYPE}' INSTANCE(S)."
fi
+ else
+ echo
+ echo "ERROR: No '${PKI_TYPE}' instances installed!"
+ rv=4
+ fi
+
+ return ${rv}
+}
+
+# See how we were called.
+case "${command}" in
+ start|stop|restart|status)
+ ${command}
+ exit $?
;;
- status)
- status
+ condrestart|force-restart|try-restart)
+ [ ! -f ${lockfile} ] || restart
+ exit $?
+ ;;
+ reload)
+ echo "The 'reload' action is an unimplemented feature."
+ exit ${default_error}
;;
*)
- echo "Usage: $TOMCAT_PROG {start|stop|restart|condrestart|status}"
- exit 1
+ # * 3 unimplemented feature (for example, "reload")
+ # [invalid command - should never be reached]
+ echo
+ usage
+ echo "where valid instance names include:"
+ list_instances
+ exit 3
+ ;;
esac
-exit $RETVAL
-
diff --git a/pki/base/ocsp/build.xml b/pki/base/ocsp/build.xml
index b0e970510..27cec54ef 100644
--- a/pki/base/ocsp/build.xml
+++ b/pki/base/ocsp/build.xml
@@ -184,31 +184,30 @@
<zip destfile="${dist.base.binaries}/${dist.name}.zip">
<zipfileset dir="./build/jars"
filemode="755"
- prefix="usr/share/java/${product.prefix}/${product}">
+ prefix="usr/share/java">
<include name="**"/>
</zipfileset>
<zipfileset dir="./setup"
- filemode="755"
- prefix="usr/share/${product.prefix}/${product}/setup">
- <include name="postinstall"/>
- </zipfileset>
- <zipfileset dir="./setup"
filemode="644"
prefix="usr/share/${product.prefix}/${product}/setup">
<include name="config.desktop"/>
</zipfileset>
+ <zipfileset dir="./shared/etc/init.d"
+ filemode="755"
+ prefix="etc/${init.d}">
+ <include name="pki-ocspd"/>
+ </zipfileset>
<zipfileset dir="./shared"
filemode="755"
prefix="usr/share/${product.prefix}/${product}">
<include name="conf/dtomcat5"/>
- <include name="etc/init.d/httpd"/>
</zipfileset>
<zipfileset dir="./shared"
filemode="644"
prefix="usr/share/${product.prefix}/${product}">
<include name="**"/>
<exclude name="conf/dtomcat5"/>
- <exclude name="etc/init.d/httpd"/>
+ <exclude name="etc/init.d/pki-ocspd"/>
</zipfileset>
<zipfileset dir="."
filemode="644"
@@ -224,31 +223,30 @@
destfile="${dist.base.binaries}/${dist.name}.tar">
<tarfileset dir="./build/jars"
mode="755"
- prefix="${dist.name}/usr/share/java/${product.prefix}/${product}">
+ prefix="${dist.name}/usr/share/java">
<include name="**"/>
</tarfileset>
<tarfileset dir="./setup"
- mode="755"
- prefix="${dist.name}/usr/share/${product.prefix}/${product}/setup">
- <include name="postinstall"/>
- </tarfileset>
- <tarfileset dir="./setup"
mode="644"
prefix="${dist.name}/usr/share/${product.prefix}/${product}/setup">
<include name="config.desktop"/>
</tarfileset>
+ <tarfileset dir="./shared/etc/init.d"
+ mode="755"
+ prefix="${dist.name}/etc/${init.d}">
+ <include name="pki-ocspd"/>
+ </tarfileset>
<tarfileset dir="./shared"
mode="755"
prefix="${dist.name}/usr/share/${product.prefix}/${product}">
<include name="conf/dtomcat5"/>
- <include name="etc/init.d/httpd"/>
</tarfileset>
<tarfileset dir="./shared"
mode="644"
prefix="${dist.name}/usr/share/${product.prefix}/${product}">
<include name="**"/>
<exclude name="conf/dtomcat5"/>
- <exclude name="etc/init.d/httpd"/>
+ <exclude name="etc/init.d/pki-ocspd"/>
</tarfileset>
<tarfileset dir="."
mode="644"
diff --git a/pki/base/ocsp/setup/postinstall b/pki/base/ocsp/setup/postinstall
deleted file mode 100755
index adcc35215..000000000
--- a/pki/base/ocsp/setup/postinstall
+++ /dev/null
@@ -1,69 +0,0 @@
-#!/bin/bash
-#
-# --- BEGIN COPYRIGHT BLOCK ---
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation; version 2 of the License.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License along
-# with this program; if not, write to the Free Software Foundation, Inc.,
-# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-#
-# Copyright (C) 2007 Red Hat, Inc.
-# All rights reserved.
-# --- END COPYRIGHT BLOCK ---
-#
-
-###############################################################################
-## (1) Check command line arguments to see how many were passed in. ##
-###############################################################################
-
-if [ $# -eq 4 ]
-then
- PKI_PRODUCT_NAME=$1
- PKI_SUBSYSTEM_NAME=$2
- VERSION=$3
- RELEASE=$4
-else
- echo
- echo "Usage: $0 PKI_product_name PKI_subsystem_name version release"
- echo
-
- exit 255
-fi
-
-
-###############################################################################
-## (2) Specify variables used by this script. ##
-###############################################################################
-
-PKI_INSTANCE_NAME="${PKI_PRODUCT_NAME}-${PKI_SUBSYSTEM_NAME}"
-AGENT_SECURE_PORT=11443
-EE_SECURE_PORT=11444
-ADMIN_SECURE_PORT=11445
-UNSECURE_PORT=11180
-TOMCAT_SERVER_PORT=11701
-
-
-###############################################################################
-## (3) Create the first instance of an Online Certificate Status ##
-## Protocol (OCSP) Manager. ##
-###############################################################################
-
-if [ ! -e "/var/lib/${PKI_INSTANCE_NAME}" ]
-then
- /usr/bin/pkicreate -pki_instance_root=/var/lib -pki_instance_name=${PKI_INSTANCE_NAME} -subsystem_type=${PKI_SUBSYSTEM_NAME} -agent_secure_port=${AGENT_SECURE_PORT} -ee_secure_port=${EE_SECURE_PORT} -admin_secure_port=${ADMIN_SECURE_PORT} -unsecure_port=${UNSECURE_PORT} -tomcat_server_port=${TOMCAT_SERVER_PORT} -redirect conf=/etc/${PKI_INSTANCE_NAME} -redirect logs=/var/log/${PKI_INSTANCE_NAME}
-fi
-
-
-###############################################################################
-## (4) Successfully exit from this postinstallation script. ##
-###############################################################################
-
-exit 0
-
diff --git a/pki/base/ocsp/shared/etc/init.d/httpd b/pki/base/ocsp/shared/etc/init.d/pki-ocspd
index d900c9904..0c3e1c258 100755
--- a/pki/base/ocsp/shared/etc/init.d/httpd
+++ b/pki/base/ocsp/shared/etc/init.d/pki-ocspd
@@ -18,14 +18,14 @@
# All rights reserved.
# --- END COPYRIGHT BLOCK ### ---
#
-# [PKI_INSTANCE_ID] Startup script for Tomcat 5.0, the Apache Servlet Engine
+# pki-ocspd Startup script for Tomcat 5.0 pki-ocsp, the Apache Servlet Engine
#
# chkconfig: - 83 17
# description: Online Certificate Status Protocol Manager \
# (Tomcat 5.0)
-# processname: [PKI_INSTANCE_ID]
-# pidfile: /var/run/[PKI_INSTANCE_ID].pid
-# config: [PKI_INSTANCE_PATH]/conf/tomcat5.conf
+# processname: pki-ocspd
+# piddir: /var/run/pki/ocsp
+# config: ${PKI_INSTANCE_PATH}/conf/tomcat5.conf
#
# Gomez Henri <hgomez@users.sourceforge.net>
# Keith Irwin <keith_irwin@non.hp.com>
@@ -60,23 +60,70 @@
# version 1.20tc5rh - Changed TOMCAT_USER from tomcat4 to tomcat
#
+PKI_INIT_SCRIPT=""
+PKI_PATH="/usr/share/pki/ocsp"
+PKI_PIDDIR="/var/run/pki/ocsp"
+PKI_PROCESS="pki-ocspd"
+PKI_REGISTRY="/etc/sysconfig/pki/ocsp"
+PKI_TYPE="pki-ocsp"
+
+# PKI subsystem-level directory and file values for locks
+lockfile="/var/lock/subsys/pki-ocspd"
+
# Disallow 'others' the ability to 'write' to new files
umask 00002
+default_error=0
+command="$1"
+pki_instance="$2"
+case "${command}" in
+ start|stop|restart|condrestart|force-restart|try-restart)
+ # * 1 generic or unspecified error (current practice)
+ default_error=1
+ ;;
+ reload)
+ default_error=3
+ ;;
+ status)
+ # * 4 program or service status is unknown
+ default_error=4
+ ;;
+ *)
+ # * 2 invalid argument(s)
+ default_error=2
+ ;;
+esac
+
# Check to insure that this script's original invocation directory
# has not been deleted!
CWD=`/bin/pwd > /dev/null 2>&1`
if [ $? -ne 0 ] ; then
echo "Cannot invoke '$0' from non-existent directory!"
- exit 255
+ exit ${default_error}
fi
# Check to insure that this script's associated PKI
# subsystem currently resides on this system.
-PKI_SUBSYSTEM_TYPE=[PKI_SUBSYSTEM_TYPE]
-if [ ! -d /usr/share/pki/${PKI_SUBSYSTEM_TYPE} ] ; then
- echo "This machine is missing the '${PKI_SUBSYSTEM_TYPE}' subsystem!"
- exit 255
+if [ ! -d ${PKI_PATH} ] ; then
+ echo "This machine is missing the '${PKI_TYPE}' subsystem!"
+ if [ "${command}" != "status" ]; then
+ # * 5 program is not installed
+ exit 5
+ else
+ exit ${default_error}
+ fi
+fi
+
+# Check to insure that this script's associated PKI
+# subsystem instance registry currently resides on this system.
+if [ ! -d ${PKI_REGISTRY} ] ; then
+ echo "This machine contains no registered '${PKI_TYPE}' subsystem instances!"
+ if [ "${command}" != "status" ]; then
+ # * 5 program is not installed
+ exit 5
+ else
+ exit ${default_error}
+ fi
fi
# Obtain the operating system upon which this script is being executed
@@ -86,15 +133,29 @@ ARCHITECTURE=""
# This script must be run as root!
RV=0
if [ ${OS} = "Linux" ] ; then
+ PKI_INIT_SCRIPT="/sbin/service ${PKI_PROCESS}"
if [ `id -u` -ne 0 ] ; then
echo "Must be 'root' to execute '$0'!"
- exit 1
+ if [ "${command}" != "status" ]; then
+ # * 4 user had insufficient privilege
+ exit 4
+ else
+ # * 4 program or service status is unknown
+ exit 4
+ fi
fi
ARCHITECTURE=`uname -i`
elif [ ${OS} = "SunOS" ] ; then
+ PKI_INIT_SCRIPT="/etc/init.d/${PKI_PROCESS}"
if [ `/usr/xpg4/bin/id -u` -ne 0 ] ; then
echo "Must be 'root' to execute '$0'!"
- exit 1
+ if [ "${command}" != "status" ]; then
+ # * 4 user had insufficient privilege
+ exit 4
+ else
+ # * 4 program or service status is unknown
+ exit 4
+ fi
fi
ARCHITECTURE=`uname -p`
if [ "${ARCHITECTURE}" = "sparc" ] &&
@@ -103,7 +164,7 @@ elif [ ${OS} = "SunOS" ] ; then
fi
else
echo "Unsupported OS '${OS}'!"
- exit 1
+ exit ${default_error}
fi
# Source function library.
@@ -120,25 +181,32 @@ else
for i in $* ; do
ps -p $i > /dev/null 2>&1 ;
if [ $? -ne 0 ] ; then
- rv=`expr $rv + 1`
+ rv=`expr ${rv} + 1`
else
- rv=`expr $rv + 0`
+ rv=`expr ${rv} + 0`
fi
done
- # echo "rv=$rv"
- return $rv
+ # echo "rv=${rv}"
+ return ${rv}
}
# Create the following directories on platforms
# where they do not exist (e. g. - Solaris) . . .
- if [ ! -d /var/lock/subsys ] ; then
+ if [ ! -d "/var/lock" ] ; then
+ mkdir -p /var/lock
+ chown root:sys /var/lock
+ chmod 00755 /var/lock
+ fi
+ if [ ! -d "/var/lock/subsys" ] ; then
mkdir -p /var/lock/subsys
+ chown root:root /var/lock/subsys
+ chmod 00755 /var/lock/subsys
fi
#######################################################################
## NOTE: The following code needs to eventually be moved into the ##
## template used to create the ##
- ## "[PKI_INSTANCE_PATH]/conf/tomcat5.conf" file! ##
+ ## "${PKI_INSTANCE_PATH}/conf/tomcat5.conf" file! ##
#######################################################################
if [ ${OS} = "SunOS" ] ; then
@@ -162,53 +230,129 @@ else
echo -n "at \"${DEFAULT_SOLARIS_JAVA_HOME}\"!"
echo
echo
- exit 255
+ exit ${default_error}
fi
fi
fi
-#Use CATALINA_BASE
-
-CATALINA_BASE=[PKI_INSTANCE_PATH]
-export CATALINA_BASE
+PKI_REGISTRY_ENTRIES=""
+TOTAL_PKI_REGISTRY_ENTRIES=0
+TOTAL_UNCONFIGURED_PKI_ENTRIES=0
-# Get Tomcat config
+# Gather ALL registered instances of this PKI subsystem type
+for FILE in `/bin/ls -1 ${PKI_REGISTRY}/* 2>/dev/null`; do
+ if [ -f "$FILE" ] ; then
+ inst=`echo "$FILE"`
+ PKI_REGISTRY_ENTRIES="${PKI_REGISTRY_ENTRIES} $inst"
+ TOTAL_PKI_REGISTRY_ENTRIES=`expr ${TOTAL_PKI_REGISTRY_ENTRIES} + 1`
+ fi
+done
-TOMCAT_CFG="[PKI_INSTANCE_PATH]/conf/tomcat5.conf"
+if [ -n "${pki_instance}" ]; then
+ for I in ${PKI_REGISTRY_ENTRIES}; do
+ if [ "${PKI_REGISTRY}/${pki_instance}" = "$I" ]; then
+ PKI_REGISTRY_ENTRIES="${PKI_REGISTRY}/${pki_instance}"
+ TOTAL_PKI_REGISTRY_ENTRIES=1
+ break
+ fi
+ done
+fi
-[ -r "$TOMCAT_CFG" ] && . "${TOMCAT_CFG}"
+usage()
+{
+ echo -n "Usage: ${PKI_INIT_SCRIPT} "
+ echo -n "{start"
+ echo -n "|stop"
+ echo -n "|restart"
+ echo -n "|condrestart"
+ echo -n "|force-restart"
+ echo -n "|try-restart"
+ echo -n "|reload"
+ echo -n "|status} "
+ echo -n "[instance-name]"
+ echo
+ echo
+}
-# Path to the tomcat launch script (direct don't use wrapper)
-TOMCAT_SCRIPT=/usr/bin/dtomcat5-[PKI_INSTANCE_ID]
+list_instances()
+{
+ echo
+ for FILE in `/bin/ls -1 ${PKI_REGISTRY}/* 2>/dev/null`; do
+ echo " ${FILE}"
+ done
+ echo
+}
-# Path to the script that will refresh jar symlinks on startup
-if [ ${OS} = "Linux" ] ; then
- TOMCAT_RELINK_SCRIPT="/usr/share/tomcat5/bin/relink"
+# Check arguments
+if [ $# -lt 1 ] ; then
+ # * 3 unimplemented feature (for example, "reload")
+ # [insufficient arguments]
+ echo "$0: Insufficient arguments!"
+ echo
+ usage
+ echo "where valid instance names include:"
+ list_instances
+ exit 3
+elif [ ${default_error} -eq 2 ] ; then
+ # * 2 invalid argument
+ echo "$0: Invalid arguments!"
+ echo
+ usage
+ echo "where valid instance names include:"
+ list_instances
+ exit 2
+elif [ $# -gt 2 ] ; then
+ echo "$0: Excess arguments!"
+ echo
+ usage
+ echo "where valid instance names include:"
+ list_instances
+ if [ "${command}" != "status" ]; then
+ # * 2 excess arguments
+ exit 2
+ else
+ # * 4 program or service status is unknown
+ exit 4
+ fi
fi
-# Tomcat name :)
-TOMCAT_PROG=[PKI_INSTANCE_ID]
-
-# if TOMCAT_USER is not set, use tomcat5 like Apache HTTP server
-if [ -z "$TOMCAT_USER" ]; then
- TOMCAT_USER="[PKI_USER]"
+# If an "instance" was supplied, check that it is a "valid" instance
+if [ -n "${pki_instance}" ]; then
+ if [ "${PKI_REGISTRY}/${pki_instance}" != "${PKI_REGISTRY_ENTRIES}" ]; then
+ echo -n "${pki_instance} is an invalid '${PKI_TYPE}' instance"
+ echo_failure
+ echo
+ if [ "${command}" != "status" ]; then
+ # * 5 program is not installed
+ exit 5
+ else
+ # * 4 program or service status is unknown
+ exit 4
+ fi
+ fi
fi
-# if TOMCAT_GROUP is not set, use tomcat5 like Apache HTTP server
-if [ -z "$TOMCAT_GROUP" ]; then
- TOMCAT_GROUP="[PKI_GROUP]"
-fi
+# On Solaris /var/run is in tmpfs and gets wiped out upon reboot
+# we have to recreate the ${PKI_PIDDIR} directory and make sure that
+# the directory is writable by the ${PKI_TYPE} server process.
+#
+# IMPORTANT: ALL PKI subsystems installed on this machine MUST utilize
+# the SAME values for ${PKI_GROUP} and ${PKI_USER}, since the
+# "${PKI_PIDDIR}" will end up with the ownership permissions
+# of the first instance that executes this function!
+#
+fix_pid_dir_ownership()
+{
+ if [ ! -d ${PKI_PIDDIR} ] ; then
+ mkdir -p ${PKI_PIDDIR}
-# Since the daemon function will sandbox $tomcat
-# no environment stuff should be defined here anymore.
-# Please use the [PKI_INSTANCE_PATH]/conf/tomcat5.conf
-# file instead ; it will be read by the $tomcat script
+ chown root:root /var/run/pki
+ chmod 00755 /var/run/pki
-pidfile=${PIDFILE:-/var/run/[PKI_INSTANCE_ID].pid}
-lockfile=${LOCKFILE:-/var/lock/subsys/[PKI_INSTANCE_ID]}
-pki_instance_configuration_file=[PKI_INSTANCE_PATH]/conf/CS.cfg
-RESTART_SERVER=[PKI_INSTANCE_PATH]/conf/restart_server_after_configuration
-RETVAL=0
+ chown root:root ${PKI_PIDDIR}
+ chmod 00755 ${PKI_PIDDIR}
+ fi
+}
check_pki_configuration_status()
{
@@ -219,11 +363,27 @@ check_pki_configuration_status()
rv=`expr ${rv} + 0`
if [ ${rv} -ne 0 ] ; then
- echo " '[PKI_INSTANCE_ID]' must still be CONFIGURED!"
- echo " (see /var/log/[PKI_INSTANCE_ID]-install.log)"
+ echo " '${PKI_INSTANCE_ID}' must still be CONFIGURED!"
+ echo " (see /var/log/${PKI_INSTANCE_ID}-install.log)"
+ if [ "${command}" != "status" ]; then
+ # * 6 program is not configured
+ rv=6
+ else
+ # * 4 program or service status is unknown
+ rv=4
+ fi
+ TOTAL_UNCONFIGURED_PKI_ENTRIES=`expr ${TOTAL_UNCONFIGURED_PKI_ENTRIES} + 1`
elif [ -f ${RESTART_SERVER} ] ; then
- echo " Although '[PKI_INSTANCE_ID]' has been CONFIGURED, it must still be RESTARTED!"
- rv=255
+ echo -n " Although '${PKI_INSTANCE_ID}' has been CONFIGURED, "
+ echo -n "it must still be RESTARTED!"
+ echo
+ if [ "${command}" != "status" ]; then
+ # * 1 generic or unspecified error (current practice)
+ rv=1
+ else
+ # * 4 program or service status is unknown
+ rv=4
+ fi
fi
return ${rv}
@@ -246,14 +406,14 @@ get_pki_status_definitions()
pki_status_comment_found=0
# first check to see that an instance-specific "server.xml" file exists
- if [ ! -f [PKI_SERVER_XML_CONF] ] ; then
- echo "File '[PKI_SERVER_XML_CONF]' does not exist!"
- exit 255
+ if [ ! -f ${PKI_SERVER_XML_CONF} ] ; then
+ echo "File '${PKI_SERVER_XML_CONF}' does not exist!"
+ exit ${default_error}
fi
# read this instance-specific "server.xml" file line-by-line
# to obtain the current PKI Status Definitions
- exec < [PKI_SERVER_XML_CONF]
+ exec < ${PKI_SERVER_XML_CONF}
while read line; do
# first look for the well-known end PKI Status comment
# (to turn off processing)
@@ -283,12 +443,12 @@ get_pki_status_definitions()
total_ports=`expr ${total_ports} + 1`
fi
fi
- done
+ done
if [ ${total_ports} -eq 6 ] ; then
return 0
else
- return 255
+ return ${default_error}
fi
}
@@ -305,14 +465,14 @@ get_pki_configuration_definitions()
[ "${pki_subsystem}" != "RA" ] &&
[ "${pki_subsystem}" != "TPS" ]
then
- return 255
+ return ${default_error}
fi
if [ "${pki_subsystem}" == "KRA" ] ; then
# Rename "KRA" to "DRM"
pki_subsystem="DRM"
fi
else
- return 255
+ return ${default_error}
fi
# If "${pki_subsystem}" is a CA, DRM, OCSP, or TKS,
@@ -331,7 +491,7 @@ get_pki_configuration_definitions()
pki_clone=""
fi
else
- return 255
+ return ${default_error}
fi
fi
@@ -345,7 +505,7 @@ get_pki_configuration_definitions()
if [ "${line}" != "" ] ; then
pki_hierarchy=`echo "${line}" | cut -b18-`
else
- return 255
+ return ${default_error}
fi
fi
@@ -364,7 +524,7 @@ get_pki_configuration_definitions()
pki_security_domain=""
fi
else
- return 255
+ return ${default_error}
fi
fi
@@ -378,25 +538,25 @@ get_pki_configuration_definitions()
if [ "${line}" != "" ] ; then
pki_security_domain_name=`echo "${line}" | cut -b21-`
else
- return 255
+ return ${default_error}
fi
line=`grep ^securitydomain.host= ${pki_instance_configuration_file}`
if [ "${line}" != "" ] ; then
pki_security_domain_hostname=`echo "${line}" | cut -b21-`
else
- return 255
+ return ${default_error}
fi
line=`grep ^securitydomain.httpsadminport= ${pki_instance_configuration_file}`
if [ "${line}" != "" ] ; then
pki_security_domain_https_admin_port=`echo "${line}" | cut -b31-`
else
- return 255
+ return ${default_error}
fi
# Compose the "PKI Instance Name" Status Line
- pki_instance_name="PKI Instance Name: [PKI_INSTANCE_ID]"
+ pki_instance_name="PKI Instance Name: ${PKI_INSTANCE_ID}"
# Compose the "PKI Subsystem Type" Status Line
header="PKI Subsystem Type: "
@@ -456,7 +616,7 @@ get_pki_configuration_definitions()
then
data="https://${pki_security_domain_hostname}:${pki_security_domain_https_admin_port}"
else
- return 255
+ return ${default_error}
fi
registered_pki_security_domain_url="${header} ${data}"
@@ -490,14 +650,14 @@ get_pki_secure_port()
ssl_comment_found=0
# first check to see that an instance-specific "server.xml" file exists
- if [ ! -f [PKI_SERVER_XML_CONF] ] ; then
- echo "File '[PKI_SERVER_XML_CONF]' does not exist!"
- exit 255
+ if [ ! -f ${PKI_SERVER_XML_CONF} ] ; then
+ echo "File '${PKI_SERVER_XML_CONF}' does not exist!"
+ exit ${default_error}
fi
# read this instance-specific "server.xml" file line-by-line
# to obtain the current value of the PKI secure port
- exec < [PKI_SERVER_XML_CONF]
+ exec < ${PKI_SERVER_XML_CONF}
while read line; do
# first look for the well-known end SSL comment
# (to turn off processing)
@@ -530,48 +690,177 @@ get_pki_secure_port()
fi
fi
fi
- done
+ done
- return 255
+ return ${default_error}
}
-start()
+display_instance_status()
+{
+ rv=0
+
+ if [ -f ${pidfile} ] ; then
+ pid=`cat ${pidfile}`
+ if [ "${pid}" == "" ] ; then
+ echo "${PKI_INSTANCE_ID} pid file exists but is empty"
+ if [ "${command}" != "status" ]; then
+ # * 1 generic or unspecified error (current practice)
+ rv=1
+ else
+ # * 4 program or service status is unknown
+ rv=4
+ fi
+ elif kill -0 ${pid} > /dev/null 2>&1 ; then
+ echo "${PKI_INSTANCE_ID} (pid ${pid}) is running ..."
+ echo
+ check_pki_configuration_status
+ rv=$?
+ if [ ${rv} -eq 0 ] ; then
+ get_pki_status_definitions
+ rv=$?
+ if [ ${rv} -ne 0 ] ; then
+ echo
+ echo "${PKI_INSTANCE_ID} Status Definitions not found"
+ else
+ get_pki_configuration_definitions
+ rv=$?
+ if [ ${rv} -ne 0 ] ; then
+ echo
+ echo "${PKI_INSTANCE_ID} Configuration Definitions not found"
+ fi
+ fi
+ else
+ # From the PKI point of view for a "non-status" action,
+ # a returned error code of "6" implies that the program
+ # is not "configured". Similarly, an error code of "1"
+ # implies that the program was "configured" but must
+ # still be restarted.
+ #
+ # Similarly, from the PKI point of view for a "status"
+ # action, a returned error code of "4" implies that either
+ # the program is not "configured", or that the program
+ # was "configured" but must still be restarted.
+ #
+ # Regardless, it must still be considered that the instance
+ # is "running" from the viewpoint of other OS programs such
+ # as 'chkconfig'.
+ #
+ # For this reason, when returning from
+ # 'display_instance_status()', ignore non-zero return codes
+ # returned from 'check_pki_configuration_status()'.
+ #
+ if [ "${command}" != "status" ]; then
+ # * 0 action was successful
+ rv=0
+ else
+ # * 0 program is running or service is OK
+ rv=0
+ fi
+ fi
+ echo
+ else
+ echo "${PKI_INSTANCE_ID} is dead but pid file exists"
+ if [ "${command}" != "status" ]; then
+ # * 1 generic or unspecified error (current practice)
+ rv=1
+ else
+ # * 1 program is dead and /var/run pid file exists
+ rv=1
+ fi
+ fi
+ else
+ echo "${PKI_INSTANCE_ID} is stopped"
+ if [ "${command}" != "status" ]; then
+ # * 7 program is not running
+ rv=7
+ else
+ # * 3 program is not running
+ rv=3
+ fi
+ fi
+
+ return ${rv}
+}
+
+start_instance()
{
+ rv=0
+
echo -n "Starting $TOMCAT_PROG: "
if [ -f ${RESTART_SERVER} ] ; then
rm -f ${RESTART_SERVER}
fi
- if [ -f ${lockfile} ] ; then
+ if [ -f ${PKI_LOCKFILE} ] ; then
if [ -f ${pidfile} ]; then
read kpid < ${pidfile}
if checkpid $kpid 2>&1; then
echo
- echo "process already running"
- return 255
+ echo "${PKI_INSTANCE_ID} (pid ${kpid}) is already running ..."
+ echo
+ check_pki_configuration_status
+ rv=$?
+ if [ ${rv} != 0 ]; then
+ # From the PKI point of view for a "non-status" action,
+ # a returned error code of "6" implies that the program
+ # is not "configured". Similarly, an error code of "1"
+ # implies that the program was "configured" but must
+ # still be restarted.
+ #
+ # Regardless, it must still be considered that the instance
+ # is "running" from the viewpoint of other OS programs such
+ # as 'chkconfig'.
+ #
+ # For "non-status" actions, ignore return codes of "1"
+ # from 'check_pki_configuration_status()'.
+ #
+ # However, for "non-status" actions that have a return
+ # code of "6", return this value unchanged to
+ # the calling routine so that the total number of
+ # configuration errors may be counted.
+ #
+
+ echo
+ if [ ${rv} = 1 ] ; then
+ # * 0 action was successful
+ return 0
+ elif [ ${rv} = 6 ] ; then
+ # * 6 program is not configured
+ return 6
+ else
+ # should never be reached
+ return ${rv}
+ fi
+ else
+ return 0
+ fi
else
echo
echo -n "lock file found but no process "
echo -n "running for pid $kpid, continuing"
echo
echo
+ rm -f ${PKI_LOCKFILE}
fi
fi
fi
+ fix_pid_dir_ownership
+
CATALINA_PID=${pidfile}
export CATALINA_PID
touch $CATALINA_PID
chown $TOMCAT_USER:$TOMCAT_GROUP $CATALINA_PID
- [ -x /sbin/restorecon ] && /sbin/restorecon $CATALINA_PID
+ chmod 00600 $CATALINA_PID
+ [ -x /sbin/restorecon ] && /sbin/restorecon $CATALINA_PID
- # restore context for ncipher hsm
- [ -x /sbin/restorecon ] && [ -d /dev/nfast ] && /sbin/restorecon -R /dev/nfast
+ # restore context for ncipher hsm
+ [ -x /sbin/restorecon ] && [ -d /dev/nfast ] && /sbin/restorecon -R /dev/nfast
# Always initialize CLASSPATH to start looking
# in the local PKI classes directory . . .
- CLASSPATH=/usr/share/[PKI_FLAVOR]/classes
+ CLASSPATH=/usr/share/pki/classes
if [ ${OS} = "Linux" ] ; then
$TOMCAT_RELINK_SCRIPT
@@ -790,7 +1079,7 @@ start()
if [ ! -e /var/lib/tomcat5/common/lib/\[javamail\]pop3\-1.3.1.jar ]; then
ln -s /usr/share/java/javamail/pop3-1.3.1.jar [javamail]pop3-1.3.1.jar
fi
- if [ ! -e /var/lib/tomcat5/common/lib/\[javamail\]pop3.jar ]; then
+ if [ ! -e /var/lib/tomcat5/common/lib/\[javamail\]pop3.jar ]; then
ln -s /usr/share/java/javamail/pop3.jar [javamail]pop3.jar
fi
if [ ! -e /var/lib/tomcat5/common/lib/\[javamail\]providers\-1.3.1.jar ]; then
@@ -1053,17 +1342,21 @@ start()
cd /var/lib/tomcat5/shared/lib
fi
- # daemon --user $TOMCAT_USER $TOMCAT_SCRIPT start
+ # daemon --user $TOMCAT_USER $TOMCAT_SCRIPT start
if [ ${OS} = "SunOS" ] ; then
su $TOMCAT_USER -c "$TOMCAT_SCRIPT start" > /dev/null
- else
+ else
runuser -s /bin/bash $TOMCAT_USER -c "$TOMCAT_SCRIPT start" > /dev/null
fi
- RETVAL=$?
- [ $RETVAL = 0 ] && touch ${lockfile}
+ rv=$?
+ if [ ${rv} = 0 ] ; then
+ touch ${PKI_LOCKFILE}
+ chown $TOMCAT_USER:$TOMCAT_GROUP $PKI_LOCKFILE
+ chmod 00600 $PKI_LOCKFILE
+ fi
- if [ $RETVAL = 0 ] ; then
+ if [ ${rv} = 0 ] ; then
count=0;
let swait=$STARTUP_WAIT
@@ -1090,12 +1383,13 @@ start()
PKI_SECURE_PORT="<Port Undefined>"
fi
+ # ignore "status" return codes
echo
- status
+ display_instance_status
else
if [ -f /etc/init.d/functions ]; then
if [ "$CONSOLETYPE" = "serial" ]; then
- echo -n " "
+ $0 echo -n " "
fi
echo_failure
echo
@@ -1105,27 +1399,29 @@ start()
fi
sleep 5
- return $RETVAL
+ return ${rv}
}
-stop()
+stop_instance()
{
+ rv=0
+
echo -n "Stopping $TOMCAT_PROG: "
- if [ -f ${lockfile} ] ; then
+ if [ -f ${PKI_LOCKFILE} ] ; then
CATALINA_PID=${pidfile}
export CATALINA_PID
# daemon --user $TOMCAT_USER $TOMCAT_SCRIPT stop
if [ ${OS} = "SunOS" ] ; then
su $TOMCAT_USER -c "$TOMCAT_SCRIPT stop" > /dev/null
- else
+ else
runuser -s /bin/bash $TOMCAT_USER -c "$TOMCAT_SCRIPT stop" > /dev/null
fi
- RETVAL=$?
+ rv=$?
- if [ $RETVAL = 0 ]; then
+ if [ ${rv} = 0 ]; then
count=0;
if [ -f ${pidfile} ]; then
@@ -1145,7 +1441,7 @@ stop()
fi
fi
- rm -f ${lockfile}
+ rm -f ${PKI_LOCKFILE}
rm -f ${pidfile}
if [ -f /etc/init.d/functions ]; then
@@ -1167,75 +1463,346 @@ stop()
else
echo " [ FAILED ]"
fi
+ rv=${default_error}
fi
else
echo
echo "process already stopped"
+ rv=0
fi
+
+ return ${rv}
}
-status()
+start()
{
- if [ -f ${pidfile} ] ; then
- pid=`cat ${pidfile}`
- if [ "${pid}" == "" ] ; then
- echo "[PKI_INSTANCE_ID] pid file exists but is empty"
- elif kill -0 ${pid} > /dev/null 2>&1 ; then
- echo "[PKI_INSTANCE_ID] (pid ${pid}) is running ..."
+ # From "http://fedoraproject.org/wiki/FCNewInit/Initscripts":
+ #
+ # * 0 action was successful
+ # * 1 generic or unspecified error (current practice)
+ # * 2 invalid or excess argument(s)
+ # * 3 unimplemented feature (for example, "reload")
+ # * 4 user had insufficient privilege
+ # * 5 program is not installed
+ # * 6 program is not configured
+ # * 7 program is not running
+ # * 8-99 reserved for future LSB use
+ # * 100-149 reserved for distribution use
+ # * 150-199 reserved for application use
+ # * 200-254 reserved
+ #
+
+ error_rv=0
+ rv=0
+
+ if [ -n "${PKI_REGISTRY_ENTRIES}" ]; then
+ config_errors=0
+ errors=0
+
+ if [ ${TOTAL_PKI_REGISTRY_ENTRIES} -gt 1 ] ; then
+ echo "BEGIN STARTING '${PKI_TYPE}' INSTANCE(S):"
+ fi
+
+ # Start every PKI instance of this type that isn't already running
+ for PKI_REGISTRY_ENTRY in ${PKI_REGISTRY_ENTRIES}; do
+ # Source values associated with this particular PKI instance
+ [ -f ${PKI_REGISTRY_ENTRY} ] &&
+ . ${PKI_REGISTRY_ENTRY}
+
+ pidfile=${PKI_PIDDIR}/${PKI_PIDFILE}
+
+ [ ${TOTAL_PKI_REGISTRY_ENTRIES} -gt 1 ] && echo
+
+ start_instance
+
+ rv=$?
+ if [ ${rv} = 6 ] ; then
+ # Since at least ONE configuration error exists, then there
+ # is at least ONE unconfigured instance from the PKI point
+ # of view.
+ #
+ # However, it must still be considered that the
+ # instance is "running" from the point of view of other
+ # OS programs such as 'chkconfig'.
+ #
+ # Therefore, ignore non-zero return codes resulting
+ # from configuration errors.
+ #
+
+ config_errors=`expr $config_errors + 1`
+ rv=0
+ elif [ ${rv} != 0 ] ; then
+ errors=`expr $errors + 1`
+ error_rv=${rv}
+ fi
+ done
+
+ if [ ${TOTAL_PKI_REGISTRY_ENTRIES} -gt ${errors} ] ; then
+ touch ${lockfile}
+ chmod 00600 ${lockfile}
+ fi
+
+ # ONLY print a "WARNING" message if multiple
+ # instances are being examined
+ if [ ${TOTAL_PKI_REGISTRY_ENTRIES} -gt 1 ] ; then
+ # NOTE: "bad" return code(s) OVERRIDE configuration errors!
+ if [ ${errors} -eq 1 ]; then
+ # Since only ONE error exists, return that "bad" error code.
+ rv=${error_rv}
+ elif [ ${errors} -gt 1 ]; then
+ # Since MORE than ONE error exists, return an OVERALL status
+ # of "1 generic or unspecified error (current practice)"
+ rv=1
+ fi
+
+ if [ ${errors} -ge 1 ]; then
+ echo
+ echo -n "WARNING: "
+ echo -n "${errors} of ${TOTAL_PKI_REGISTRY_ENTRIES} "
+ echo -n "'${PKI_TYPE}' instances failed to start!"
+ echo
+ fi
+
+ if [ ${TOTAL_UNCONFIGURED_PKI_ENTRIES} -ge 1 ]; then
+ echo
+ echo -n "WARNING: "
+ echo -n "${TOTAL_UNCONFIGURED_PKI_ENTRIES} "
+ echo -n "of ${TOTAL_PKI_REGISTRY_ENTRIES} "
+ echo -n "'${PKI_TYPE}' instances MUST be configured!"
+ echo
+ fi
+
echo
- check_pki_configuration_status
- if [ $? -eq 0 ] ; then
- get_pki_status_definitions
- if [ $? -ne 0 ] ; then
- echo
- echo "[PKI_INSTANCE_ID] Status Definitions not found"
- fi
- get_pki_configuration_definitions
- if [ $? -ne 0 ] ; then
- echo
- echo "[PKI_INSTANCE_ID] Configuration Definitions not found"
- fi
+ echo "FINISHED STARTING '${PKI_TYPE}' INSTANCE(S)."
+ fi
+ else
+ echo
+ echo "ERROR: No '${PKI_TYPE}' instances installed!"
+ rv=5
+ fi
+
+ return ${rv}
+}
+
+stop()
+{
+ # From "http://fedoraproject.org/wiki/FCNewInit/Initscripts":
+ #
+ # * 0 action was successful
+ # * 1 generic or unspecified error (current practice)
+ # * 2 invalid or excess argument(s)
+ # * 3 unimplemented feature (for example, "reload")
+ # * 4 user had insufficient privilege
+ # * 5 program is not installed
+ # * 6 program is not configured
+ # * 7 program is not running
+ # * 8-99 reserved for future LSB use
+ # * 100-149 reserved for distribution use
+ # * 150-199 reserved for application use
+ # * 200-254 reserved
+ #
+
+ error_rv=0
+ rv=0
+
+ if [ -n "${PKI_REGISTRY_ENTRIES}" ]; then
+ errors=0
+
+ if [ ${TOTAL_PKI_REGISTRY_ENTRIES} -gt 1 ] ; then
+ echo "BEGIN SHUTTING DOWN '${PKI_TYPE}' INSTANCE(S):"
+ fi
+
+ # Shutdown every PKI instance of this type that is running
+ for PKI_REGISTRY_ENTRY in ${PKI_REGISTRY_ENTRIES}; do
+ # Source values associated with this particular PKI instance
+ [ -f ${PKI_REGISTRY_ENTRY} ] &&
+ . ${PKI_REGISTRY_ENTRY}
+
+ pidfile=${PKI_PIDDIR}/${PKI_PIDFILE}
+
+ [ ${TOTAL_PKI_REGISTRY_ENTRIES} -gt 1 ] && echo
+
+ stop_instance
+
+ rv=$?
+ if [ ${rv} != 0 ] ; then
+ errors=`expr $errors + 1`
+ error_rv=${rv}
+ fi
+ done
+
+ if [ ${errors} -eq 0 ] ; then
+ rm -f ${lockfile}
+ fi
+
+ # ONLY print a "WARNING" message if multiple
+ # instances are being examined
+ if [ ${TOTAL_PKI_REGISTRY_ENTRIES} -gt 1 ] ; then
+ if [ ${errors} -eq 1 ]; then
+ # Since only ONE error exists, return that "bad" error code.
+ rv=${error_rv}
+ elif [ ${errors} -gt 1 ]; then
+ # Since MORE than ONE error exists, return an OVERALL status
+ # of "1 generic or unspecified error (current practice)"
+ rv=1
+ fi
+
+ if [ ${errors} -ge 1 ]; then
+ echo
+ echo -n "WARNING: "
+ echo -n "${errors} of ${TOTAL_PKI_REGISTRY_ENTRIES} "
+ echo -n "'${PKI_TYPE}' instances were "
+ echo -n "unsuccessfully stopped!"
+ echo
fi
+
echo
- else
- echo "[PKI_INSTANCE_ID] is dead but pid file exists"
+ echo "FINISHED SHUTTING DOWN '${PKI_TYPE}' INSTANCE(S)."
fi
else
- echo "[PKI_INSTANCE_ID] is stopped"
+ echo
+ echo "ERROR: No '${PKI_TYPE}' instances installed!"
+ rv=5
fi
+
+ return ${rv}
}
-# See how we were called.
-case "$1" in
- start)
- start
- ;;
- stop)
- stop
- ;;
- restart)
- stop
- sleep 2
- start
- ;;
- condrestart)
- if [ -f ${pidfile} ] ; then
- stop
- sleep 2
- start
- else
- echo -n "Unable to restart process since "
- echo -n "'${pidfile}' does not exist!"
+restart()
+{
+ # From "http://fedoraproject.org/wiki/FCNewInit/Initscripts":
+ #
+ # * 0 action was successful
+ # * 1 generic or unspecified error (current practice)
+ # * 2 invalid or excess argument(s)
+ # * 3 unimplemented feature (for example, "reload")
+ # * 4 user had insufficient privilege
+ # * 5 program is not installed
+ # * 6 program is not configured
+ # * 7 program is not running
+ # * 8-99 reserved for future LSB use
+ # * 100-149 reserved for distribution use
+ # * 150-199 reserved for application use
+ # * 200-254 reserved
+ #
+
+ stop
+ sleep 2
+ echo
+ echo "============================================================"
+ echo
+ start
+
+ return $?
+}
+
+status()
+{
+ # From "http://fedoraproject.org/wiki/FCNewInit/Initscripts":
+ #
+ # * 0 program is running or service is OK
+ # * 1 program is dead and /var/run pid file exists
+ # * 2 program is dead and /var/lock lock file exists
+ # * 3 program is not running
+ # * 4 program or service status is unknown
+ # * 5-99 reserved for future LSB use
+ # * 100-149 reserved for distribution use
+ # * 150-199 reserved for application use
+ # * 200-254 reserved
+ #
+
+ error_rv=0
+ rv=0
+
+ if [ -n "${PKI_REGISTRY_ENTRIES}" ]; then
+ errors=0
+
+ if [ ${TOTAL_PKI_REGISTRY_ENTRIES} -gt 1 ] ; then
+ echo "REPORT STATUS OF '${PKI_TYPE}' INSTANCE(S):"
+ fi
+
+ # Obtain status of every PKI instance of this type
+ for PKI_REGISTRY_ENTRY in ${PKI_REGISTRY_ENTRIES}; do
+ # Source values associated with this particular PKI instance
+ [ -f ${PKI_REGISTRY_ENTRY} ] &&
+ . ${PKI_REGISTRY_ENTRY}
+
+ pidfile=${PKI_PIDDIR}/${PKI_PIDFILE}
+
+ [ ${TOTAL_PKI_REGISTRY_ENTRIES} -gt 1 ] && echo
+
+ display_instance_status
+
+ rv=$?
+ if [ ${rv} -ne 0 ] ; then
+ errors=`expr $errors + 1`
+ error_rv=${rv}
+ fi
+ done
+
+ # ONLY print a "WARNING" message if multiple
+ # instances are being examined
+ if [ ${TOTAL_PKI_REGISTRY_ENTRIES} -gt 1 ] ; then
+ if [ ${errors} -eq 1 ]; then
+ # Since only ONE error exists, return that "bad" error code.
+ rv=${error_rv}
+ elif [ ${errors} -gt 1 ]; then
+ # Since MORE than ONE error exists, return an OVERALL status
+ # of "4 - program or service status is unknown"
+ rv=4
+ fi
+
+ if [ ${errors} -ge 1 ]; then
+ echo
+ echo -n "WARNING: "
+ echo -n "${errors} of ${TOTAL_PKI_REGISTRY_ENTRIES} "
+ echo -n "'${PKI_TYPE}' instances reported status failures!"
+ echo
+ fi
+
+ if [ ${TOTAL_UNCONFIGURED_PKI_ENTRIES} -ge 1 ]; then
+ echo
+ echo -n "WARNING: "
+ echo -n "${TOTAL_UNCONFIGURED_PKI_ENTRIES} "
+ echo -n "of ${TOTAL_PKI_REGISTRY_ENTRIES} "
+ echo -n "'${PKI_TYPE}' instances MUST be configured!"
+ echo
+ fi
+
echo
+ echo "FINISHED REPORTING STATUS OF '${PKI_TYPE}' INSTANCE(S)."
fi
+ else
+ echo
+ echo "ERROR: No '${PKI_TYPE}' instances installed!"
+ rv=4
+ fi
+
+ return ${rv}
+}
+
+# See how we were called.
+case "${command}" in
+ start|stop|restart|status)
+ ${command}
+ exit $?
;;
- status)
- status
+ condrestart|force-restart|try-restart)
+ [ ! -f ${lockfile} ] || restart
+ exit $?
+ ;;
+ reload)
+ echo "The 'reload' action is an unimplemented feature."
+ exit ${default_error}
;;
*)
- echo "Usage: $TOMCAT_PROG {start|stop|restart|condrestart|status}"
- exit 1
+ # * 3 unimplemented feature (for example, "reload")
+ # [invalid command - should never be reached]
+ echo
+ usage
+ echo "where valid instance names include:"
+ list_instances
+ exit 3
+ ;;
esac
-exit $RETVAL
-
diff --git a/pki/base/selinux/src/pki.fc b/pki/base/selinux/src/pki.fc
index 56129164b..21ff9c2e7 100644
--- a/pki/base/selinux/src/pki.fc
+++ b/pki/base/selinux/src/pki.fc
@@ -74,3 +74,21 @@
/var/run/pki/ca(/.*)? gen_context(system_u:object_r:pki_ca_var_run_t,s0)
/etc/init.d/pki-cad gen_context(system_u:object_r:pki_ca_script_exec_t,s0)
/etc/sysconfig/pki/ca(/.*)? gen_context(system_u:object_r:pki_ca_etc_rw_t,s0)
+
+# labeling for new KRA under pki-krad
+
+/var/run/pki/kra(/.*)? gen_context(system_u:object_r:pki_kra_var_run_t,s0)
+/etc/init.d/pki-krad gen_context(system_u:object_r:pki_kra_script_exec_t,s0)
+/etc/sysconfig/pki/kra(/.*)? gen_context(system_u:object_r:pki_kra_etc_rw_t,s0)
+
+# labeling for new OCSP under pki-ocspd
+
+/var/run/pki/ocsp(/.*)? gen_context(system_u:object_r:pki_ocsp_var_run_t,s0)
+/etc/init.d/pki-ocspd gen_context(system_u:object_r:pki_ocsp_script_exec_t,s0)
+/etc/sysconfig/pki/ocsp(/.*)? gen_context(system_u:object_r:pki_ocsp_etc_rw_t,s0)
+
+# labeling for new TKS under pki-tksd
+
+/var/run/pki/tks(/.*)? gen_context(system_u:object_r:pki_tks_var_run_t,s0)
+/etc/init.d/pki-tksd gen_context(system_u:object_r:pki_tks_script_exec_t,s0)
+/etc/sysconfig/pki/tks(/.*)? gen_context(system_u:object_r:pki_tks_etc_rw_t,s0)
diff --git a/pki/base/selinux/src/pki.if b/pki/base/selinux/src/pki.if
index a9d8c7f16..1364b15ce 100644
--- a/pki/base/selinux/src/pki.if
+++ b/pki/base/selinux/src/pki.if
@@ -38,6 +38,7 @@ template(`pki_ca_template',`
type pki_ca_tomcat_exec_t;
type $1_port_t;
type rpm_var_lib_t;
+ type setfiles_t;
')
########################################
#
@@ -71,6 +72,7 @@ template(`pki_ca_template',`
# Execstack/execmem caused by java app.
allow $1_t self:process { execstack execmem getsched setsched signal};
+ allow initrc_t self:process execstack;
## internal communication is often done using fifo and unix sockets.
allow $1_t self:fifo_file rw_file_perms;
@@ -106,6 +108,9 @@ template(`pki_ca_template',`
manage_files_pattern($1_t, $1_etc_rw_t, $1_etc_rw_t)
files_etc_filetrans($1_t,$1_etc_rw_t, { file dir })
+ # start/ stop using pki-cad, pki-krad, pki-ocspd, or pki-tksd
+ allow setfiles_t $1_etc_rw_t:file read;
+
manage_dirs_pattern($1_t, $1_var_run_t, $1_var_run_t)
manage_files_pattern($1_t, $1_var_run_t, $1_var_run_t)
files_pid_filetrans($1_t,$1_var_run_t, { file dir })
@@ -410,7 +415,6 @@ template(`pki_tps_template',`
attribute pki_tps_process;
attribute pki_tps_config, pki_tps_var_lib;
attribute pki_tps_executable, pki_tps_script, pki_tps_var_log;
- type setfiles_t;
')
########################################
#
@@ -452,9 +456,6 @@ template(`pki_tps_template',`
manage_files_pattern($1_t, $1_etc_rw_t, $1_etc_rw_t)
files_etc_filetrans($1_t,$1_etc_rw_t, { file dir })
- # start/ stop using pki-cad
- allow setfiles_t $1_etc_rw_t:file read;
-
manage_dirs_pattern($1_t, $1_var_lib_t, $1_var_lib_t)
manage_files_pattern($1_t, $1_var_lib_t, $1_var_lib_t)
read_lnk_files_pattern($1_t, $1_var_lib_t, $1_var_lib_t)
diff --git a/pki/base/selinux/src/pki.te b/pki/base/selinux/src/pki.te
index 79442a7ea..84da2e54a 100644
--- a/pki/base/selinux/src/pki.te
+++ b/pki/base/selinux/src/pki.te
@@ -1,4 +1,4 @@
-policy_module(pki,1.0.15)
+policy_module(pki,1.0.16)
attribute pki_ca_config;
attribute pki_ca_executable;
diff --git a/pki/base/setup/pkicommon b/pki/base/setup/pkicommon
index 7b72a5660..2ff95db4b 100755
--- a/pki/base/setup/pkicommon
+++ b/pki/base/setup/pkicommon
@@ -484,6 +484,49 @@ sub group_exists
# arg0 username
+# return 1 - disallows shell, or
+# return 0 - allows shell
+sub user_disallows_shell
+{
+ my( $username ) = $_[0];
+ my( $groupname ) = $_[1];
+
+ my $result = 0;
+ my $sans_shell = "";
+
+ if( $^O eq "linux" ) {
+ $sans_shell="/sbin/nologin";
+ $result = 0;
+ } elsif( $^O eq "solaris" ) {
+ $sans_shell="";
+ $result = 0;
+ } else {
+ # Don't care
+ return 1;
+ }
+
+ if( !user_exists( $username ) ) {
+ return $result;
+ }
+
+ my( $name, $passwd, $uid, $gid, $quota,
+ $comment, $gcos, $dir, $shell, $expire ) = getpwnam( $username );
+
+ if( $shell eq $sans_shell ) {
+ $result = 1;
+ } else {
+ # issue a warning and continue
+ print( STDERR
+ "WARNING: Potential security hole - user '$username' is\n"
+ . " using '$shell' instead of '$sans_shell'!\n" );
+ print( "\n" );
+ }
+
+ return $result;
+}
+
+
+# arg0 username
# arg1 groupname
# return 1 - is a member, or
# return 0 - is NOT a member
diff --git a/pki/base/setup/pkicreate b/pki/base/setup/pkicreate
index 770983985..d65e23715 100755
--- a/pki/base/setup/pkicreate
+++ b/pki/base/setup/pkicreate
@@ -243,8 +243,7 @@ my $cmscore_jar_base_name = "cmscore.jar"; # CA, KRA, OCSP, TKS
my $conf_base_name = "conf"; # CA, KRA, OCSP, TKS,
# RA, TPS
# BEGIN Legacy Start/Stop Implementation
-my $httpd_base_name = "httpd"; # KRA, OCSP, TKS,
- # RA, TPS
+my $httpd_base_name = "httpd"; # RA, TPS
# END Legacy Start/Stop Implementation
my $httpd_conf_base_name = "httpd.conf"; # RA, TPS
my $index_html_base_name = "index.html"; # CA, KRA, OCSP, TKS
@@ -273,7 +272,7 @@ my $web_xml_base_name = "web.xml"; # CA, KRA, OCSP, TKS
# Subdirectory names
# BEGIN Legacy Start/Stop Implementation
-my $initd_base_subsystem_dir = "init.d"; # KRA, OCSP, TKS, RA, TPS
+my $initd_base_subsystem_dir = "init.d"; # RA, TPS
# END Legacy Start/Stop Implementation
my $perl_base_instance_symlink = "perl"; # RA, TPS
my $perl_base_subsystem_dir = "perl"; # RA, TPS
@@ -533,12 +532,9 @@ my $pki_cfg_instance_file_path = ""; # CA, KRA, OCSP, TKS,
my $pki_cfg_subsystem_file_path = ""; # CA, KRA, OCSP, TKS,
# RA, TPS
# BEGIN Legacy Start/Stop Implementation
-my $pki_start_stop_script_instance_file_path = ""; # KRA, OCSP, TKS,
- # RA, TPS
-my $pki_start_stop_script_subsystem_file_path = ""; # KRA, OCSP, TKS,
- # RA, TPS
-my $pki_start_stop_script_symlink_path = ""; # KRA, OCSP, TKS,
- # RA, TPS
+my $pki_start_stop_script_instance_file_path = ""; # RA, TPS
+my $pki_start_stop_script_subsystem_file_path = ""; # RA, TPS
+my $pki_start_stop_script_symlink_path = ""; # RA, TPS
# END Legacy Start/Stop Implementation
my $schemaMods_ldif_instance_file_path = ""; # RA, TPS
my $schemaMods_ldif_subsystem_file_path = ""; # RA, TPS
@@ -1030,7 +1026,7 @@ sub pki_instance_already_exists
my $result = 0;
my $instance = "";
- if( $subsystem_type ne $CA ) {
+ if( ( $subsystem_type eq $RA || $subsystem_type eq $TPS ) ) {
# BEGIN Legacy Start/Stop Implementation
$instance = $default_init_scripts_path
. "/" . $name;
@@ -1335,6 +1331,16 @@ sub parse_arguments()
}
+ # At this point in time, ALWAYS check that "$pki_user" exists!
+ if( !user_exists( $pki_user ) ) {
+ usage();
+ emit( "Please contact your system administrator "
+ . "to create '$pki_user'!\n",
+ "error" );
+ return 0;
+ }
+
+
## Optional "-group=<groupname>" option
if( $groupname ne "" ) {
if( $username eq "" ) {
@@ -1356,6 +1362,25 @@ sub parse_arguments()
}
+ # At this point in time, ALWAYS check that "$pki_group" exists!
+ if( !group_exists( $pki_group ) ) {
+ usage();
+ emit( "Please contact your system administrator "
+ . "to create '$pki_group'!\n",
+ "error" );
+ return 0;
+ }
+
+
+ # At this point in time, ALWAYS check that shell access for "$pki_user" is
+ # disallowed; for now, simply notify the user performing the installation
+ # and continue
+ if( !user_disallows_shell( $pki_user ) ) {
+ emit( "Please contact your system administrator "
+ . "to disallow shell access for '$pki_user'!\n" );
+ }
+
+
# At this point in time, ALWAYS check that "$pki_user"
# is a valid member of "$pki_group"
#
@@ -1786,17 +1811,17 @@ sub initialize_subdirectory_paths()
. "/" . $server_xml_base_name;
$servercertnick_conf_subsystem_file_path = $conf_subsystem_path
. "/" . $servercertnick_conf_base_name;
- if( $subsystem_type eq $CA ) {
+ if( ( $subsystem_type ne $RA && $subsystem_type ne $TPS ) ) {
$subsystem_jar_file_path = $default_java_path
. "/" . $subsystem_type . ".jar";
- } else {
+ } else {
# BEGIN Legacy Start/Stop Implementation
$subsystem_jar_file_path = $default_java_path
. "/" . $pki_flavor
. "/" . $subsystem_type
. "/" . $subsystem_type . ".jar";
# END Legacy Start/Stop Implementation
- }
+ }
$subsystem_jar_symlink_path = $webinf_lib_instance_path
. "/" . $subsystem_type . ".jar";
$tomcat5_conf_subsystem_file_path = $conf_subsystem_path
@@ -2534,7 +2559,7 @@ LoadModule nss_module /opt/fortitude/modules.local/libmodnss.so
$pki_cfg_instance_file_path );
# BEGIN Legacy Start/Stop Implementation
- if( $subsystem_type ne $CA ) {
+ if( ( $subsystem_type eq $RA || $subsystem_type eq $TPS ) ) {
# process "httpd" template
#
# NOTE: CA, KRA, OCSP, TKS instances are dependent upon the location
@@ -2904,7 +2929,7 @@ sub process_pki_files_and_symlinks()
$pfile_instance_file_path );
- if( $subsystem_type ne $CA ) {
+ if( ( $subsystem_type eq $RA || $subsystem_type eq $TPS ) ) {
# BEGIN Legacy Start/Stop Implementation
# create instance symlink to actual instance "start/stop" script
$result = create_symbolic_link( $pki_start_stop_script_symlink_path,
@@ -3600,7 +3625,7 @@ sub process_pki_selinux_setup()
}
# BEGIN Legacy Start/Stop Implementation
- if( $subsystem_type ne $CA ) {
+ if( ( $subsystem_type eq $RA || $subsystem_type eq $TPS ) ) {
# set file context for /etc/rc.d/init.d/$pki_instance_name"
if ($pki_instance_name ne $default_inst_name) {
&add_selinux_file_context($setype . "_script_exec_t",
@@ -3740,7 +3765,7 @@ sub install_pki_instance()
return 0;
}
- if( $subsystem_type eq $CA ) {
+ if( ( $subsystem_type ne $RA && $subsystem_type ne $TPS ) ) {
$result = register_pki_instance();
if( !$result ) {
return 0;
@@ -3956,7 +3981,7 @@ ASK_AGAIN:
}
# BEGIN Legacy Start/Stop Implementation
- if( $subsystem_type ne $CA ) {
+ if( ( $subsystem_type eq $RA || $subsystem_type eq $TPS ) ) {
# Register this instance with "chkconfig"
if( $^O eq "linux" ) {
my $runlevel = $DEFAULT_RUNLEVEL;
@@ -3982,7 +4007,7 @@ ASK_AGAIN:
# Activate this instance
if( $^O eq "linux" ) {
- if( $subsystem_type ne $CA ) {
+ if( ( $subsystem_type eq $RA || $subsystem_type eq $TPS ) ) {
# BEGIN Legacy Start/Stop Implementation
$pki_init_script_command = "/sbin/service"
. " " . $pki_instance_name
@@ -3996,7 +4021,7 @@ ASK_AGAIN:
}
} else {
# default case: e. g. - ( $^O eq "solaris" )
- if( $subsystem_type ne $CA ) {
+ if( ( $subsystem_type eq $RA || $subsystem_type eq $TPS ) ) {
# BEGIN Legacy Start/Stop Implementation
$pki_init_script_command = $pki_start_stop_script_instance_file_path
. " " . "restart";
diff --git a/pki/base/tks/build.xml b/pki/base/tks/build.xml
index 96365b0fd..6ff2de31e 100644
--- a/pki/base/tks/build.xml
+++ b/pki/base/tks/build.xml
@@ -184,31 +184,30 @@
<zip destfile="${dist.base.binaries}/${dist.name}.zip">
<zipfileset dir="./build/jars"
filemode="755"
- prefix="usr/share/java/${product.prefix}/${product}">
+ prefix="usr/share/java">
<include name="**"/>
</zipfileset>
<zipfileset dir="./setup"
- filemode="755"
- prefix="usr/share/${product.prefix}/${product}/setup">
- <include name="postinstall"/>
- </zipfileset>
- <zipfileset dir="./setup"
filemode="644"
prefix="usr/share/${product.prefix}/${product}/setup">
<include name="config.desktop"/>
</zipfileset>
+ <zipfileset dir="./shared/etc/init.d"
+ filemode="755"
+ prefix="etc/${init.d}">
+ <include name="pki-tksd"/>
+ </zipfileset>
<zipfileset dir="./shared"
filemode="755"
prefix="usr/share/${product.prefix}/${product}">
<include name="conf/dtomcat5"/>
- <include name="etc/init.d/httpd"/>
</zipfileset>
<zipfileset dir="./shared"
filemode="644"
prefix="usr/share/${product.prefix}/${product}">
<include name="**"/>
<exclude name="conf/dtomcat5"/>
- <exclude name="etc/init.d/httpd"/>
+ <exclude name="etc/init.d/pki-tksd"/>
</zipfileset>
<zipfileset dir="."
filemode="644"
@@ -224,31 +223,30 @@
destfile="${dist.base.binaries}/${dist.name}.tar">
<tarfileset dir="./build/jars"
mode="755"
- prefix="${dist.name}/usr/share/java/${product.prefix}/${product}">
+ prefix="${dist.name}/usr/share/java">
<include name="**"/>
</tarfileset>
<tarfileset dir="./setup"
- mode="755"
- prefix="${dist.name}/usr/share/${product.prefix}/${product}/setup">
- <include name="postinstall"/>
- </tarfileset>
- <tarfileset dir="./setup"
mode="644"
prefix="${dist.name}/usr/share/${product.prefix}/${product}/setup">
<include name="config.desktop"/>
</tarfileset>
+ <tarfileset dir="./shared/etc/init.d"
+ mode="755"
+ prefix="${dist.name}/etc/${init.d}">
+ <include name="pki-tksd"/>
+ </tarfileset>
<tarfileset dir="./shared"
mode="755"
prefix="${dist.name}/usr/share/${product.prefix}/${product}">
<include name="conf/dtomcat5"/>
- <include name="etc/init.d/httpd"/>
</tarfileset>
<tarfileset dir="./shared"
mode="644"
prefix="${dist.name}/usr/share/${product.prefix}/${product}">
<include name="**"/>
<exclude name="conf/dtomcat5"/>
- <exclude name="etc/init.d/httpd"/>
+ <exclude name="etc/init.d/pki-tksd"/>
</tarfileset>
<tarfileset dir="."
mode="644"
diff --git a/pki/base/tks/setup/postinstall b/pki/base/tks/setup/postinstall
deleted file mode 100755
index a9fb5a927..000000000
--- a/pki/base/tks/setup/postinstall
+++ /dev/null
@@ -1,68 +0,0 @@
-#!/bin/bash
-#
-# --- BEGIN COPYRIGHT BLOCK ---
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation; version 2 of the License.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License along
-# with this program; if not, write to the Free Software Foundation, Inc.,
-# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-#
-# Copyright (C) 2007 Red Hat, Inc.
-# All rights reserved.
-# --- END COPYRIGHT BLOCK ---
-#
-
-###############################################################################
-## (1) Check command line arguments to see how many were passed in. ##
-###############################################################################
-
-if [ $# -eq 4 ]
-then
- PKI_PRODUCT_NAME=$1
- PKI_SUBSYSTEM_NAME=$2
- VERSION=$3
- RELEASE=$4
-else
- echo
- echo "Usage: $0 PKI_product_name PKI_subsystem_name version release"
- echo
-
- exit 255
-fi
-
-
-###############################################################################
-## (2) Specify variables used by this script. ##
-###############################################################################
-
-PKI_INSTANCE_NAME="${PKI_PRODUCT_NAME}-${PKI_SUBSYSTEM_NAME}"
-AGENT_SECURE_PORT=13443
-EE_SECURE_PORT=13444
-ADMIN_SECURE_PORT=13445
-UNSECURE_PORT=13180
-TOMCAT_SERVER_PORT=13701
-
-
-###############################################################################
-## (3) Create the first instance of a Token Key Service (TKS). ##
-###############################################################################
-
-if [ ! -e "/var/lib/${PKI_INSTANCE_NAME}" ]
-then
- /usr/bin/pkicreate -pki_instance_root=/var/lib -pki_instance_name=${PKI_INSTANCE_NAME} -subsystem_type=${PKI_SUBSYSTEM_NAME} -agent_secure_port=${AGENT_SECURE_PORT} -ee_secure_port=${EE_SECURE_PORT} -admin_secure_port=${ADMIN_SECURE_PORT} -unsecure_port=${UNSECURE_PORT} -tomcat_server_port=${TOMCAT_SERVER_PORT} -redirect conf=/etc/${PKI_INSTANCE_NAME} -redirect logs=/var/log/${PKI_INSTANCE_NAME}
-fi
-
-
-###############################################################################
-## (4) Successfully exit from this postinstallation script. ##
-###############################################################################
-
-exit 0
-
diff --git a/pki/base/tks/shared/etc/init.d/httpd b/pki/base/tks/shared/etc/init.d/pki-tksd
index 17e9a985a..b12d47e16 100755
--- a/pki/base/tks/shared/etc/init.d/httpd
+++ b/pki/base/tks/shared/etc/init.d/pki-tksd
@@ -18,14 +18,14 @@
# All rights reserved.
# --- END COPYRIGHT BLOCK ### ---
#
-# [PKI_INSTANCE_ID] Startup script for Tomcat 5.0, the Apache Servlet Engine
+# pki-tksd Startup script for Tomcat 5.0 pki-tks, the Apache Servlet Engine
#
# chkconfig: - 84 16
# description: Token Key Service \
# (Tomcat 5.0)
-# processname: [PKI_INSTANCE_ID]
-# pidfile: /var/run/[PKI_INSTANCE_ID].pid
-# config: [PKI_INSTANCE_PATH]/conf/tomcat5.conf
+# processname: pki-tksd
+# piddir: /var/run/pki/tks
+# config: ${PKI_INSTANCE_PATH}/conf/tomcat5.conf
#
# Gomez Henri <hgomez@users.sourceforge.net>
# Keith Irwin <keith_irwin@non.hp.com>
@@ -60,23 +60,70 @@
# version 1.20tc5rh - Changed TOMCAT_USER from tomcat4 to tomcat
#
+PKI_INIT_SCRIPT=""
+PKI_PATH="/usr/share/pki/tks"
+PKI_PIDDIR="/var/run/pki/tks"
+PKI_PROCESS="pki-tksd"
+PKI_REGISTRY="/etc/sysconfig/pki/tks"
+PKI_TYPE="pki-tks"
+
+# PKI subsystem-level directory and file values for locks
+lockfile="/var/lock/subsys/pki-tksd"
+
# Disallow 'others' the ability to 'write' to new files
umask 00002
+default_error=0
+command="$1"
+pki_instance="$2"
+case "${command}" in
+ start|stop|restart|condrestart|force-restart|try-restart)
+ # * 1 generic or unspecified error (current practice)
+ default_error=1
+ ;;
+ reload)
+ default_error=3
+ ;;
+ status)
+ # * 4 program or service status is unknown
+ default_error=4
+ ;;
+ *)
+ # * 2 invalid argument(s)
+ default_error=2
+ ;;
+esac
+
# Check to insure that this script's original invocation directory
# has not been deleted!
CWD=`/bin/pwd > /dev/null 2>&1`
if [ $? -ne 0 ] ; then
echo "Cannot invoke '$0' from non-existent directory!"
- exit 255
+ exit ${default_error}
fi
# Check to insure that this script's associated PKI
# subsystem currently resides on this system.
-PKI_SUBSYSTEM_TYPE=[PKI_SUBSYSTEM_TYPE]
-if [ ! -d /usr/share/pki/${PKI_SUBSYSTEM_TYPE} ] ; then
- echo "This machine is missing the '${PKI_SUBSYSTEM_TYPE}' subsystem!"
- exit 255
+if [ ! -d ${PKI_PATH} ] ; then
+ echo "This machine is missing the '${PKI_TYPE}' subsystem!"
+ if [ "${command}" != "status" ]; then
+ # * 5 program is not installed
+ exit 5
+ else
+ exit ${default_error}
+ fi
+fi
+
+# Check to insure that this script's associated PKI
+# subsystem instance registry currently resides on this system.
+if [ ! -d ${PKI_REGISTRY} ] ; then
+ echo "This machine contains no registered '${PKI_TYPE}' subsystem instances!"
+ if [ "${command}" != "status" ]; then
+ # * 5 program is not installed
+ exit 5
+ else
+ exit ${default_error}
+ fi
fi
# Obtain the operating system upon which this script is being executed
@@ -86,15 +133,29 @@ ARCHITECTURE=""
# This script must be run as root!
RV=0
if [ ${OS} = "Linux" ] ; then
+ PKI_INIT_SCRIPT="/sbin/service ${PKI_PROCESS}"
if [ `id -u` -ne 0 ] ; then
echo "Must be 'root' to execute '$0'!"
- exit 1
+ if [ "${command}" != "status" ]; then
+ # * 4 user had insufficient privilege
+ exit 4
+ else
+ # * 4 program or service status is unknown
+ exit 4
+ fi
fi
ARCHITECTURE=`uname -i`
elif [ ${OS} = "SunOS" ] ; then
+ PKI_INIT_SCRIPT="/etc/init.d/${PKI_PROCESS}"
if [ `/usr/xpg4/bin/id -u` -ne 0 ] ; then
echo "Must be 'root' to execute '$0'!"
- exit 1
+ if [ "${command}" != "status" ]; then
+ # * 4 user had insufficient privilege
+ exit 4
+ else
+ # * 4 program or service status is unknown
+ exit 4
+ fi
fi
ARCHITECTURE=`uname -p`
if [ "${ARCHITECTURE}" = "sparc" ] &&
@@ -103,7 +164,7 @@ elif [ ${OS} = "SunOS" ] ; then
fi
else
echo "Unsupported OS '${OS}'!"
- exit 1
+ exit ${default_error}
fi
# Source function library.
@@ -120,25 +181,32 @@ else
for i in $* ; do
ps -p $i > /dev/null 2>&1 ;
if [ $? -ne 0 ] ; then
- rv=`expr $rv + 1`
+ rv=`expr ${rv} + 1`
else
- rv=`expr $rv + 0`
+ rv=`expr ${rv} + 0`
fi
done
- # echo "rv=$rv"
- return $rv
+ # echo "rv=${rv}"
+ return ${rv}
}
# Create the following directories on platforms
# where they do not exist (e. g. - Solaris) . . .
- if [ ! -d /var/lock/subsys ] ; then
+ if [ ! -d "/var/lock" ] ; then
+ mkdir -p /var/lock
+ chown root:sys /var/lock
+ chmod 00755 /var/lock
+ fi
+ if [ ! -d "/var/lock/subsys" ] ; then
mkdir -p /var/lock/subsys
+ chown root:root /var/lock/subsys
+ chmod 00755 /var/lock/subsys
fi
#######################################################################
## NOTE: The following code needs to eventually be moved into the ##
## template used to create the ##
- ## "[PKI_INSTANCE_PATH]/conf/tomcat5.conf" file! ##
+ ## "${PKI_INSTANCE_PATH}/conf/tomcat5.conf" file! ##
#######################################################################
if [ ${OS} = "SunOS" ] ; then
@@ -162,53 +230,129 @@ else
echo -n "at \"${DEFAULT_SOLARIS_JAVA_HOME}\"!"
echo
echo
- exit 255
+ exit ${default_error}
fi
fi
fi
-#Use CATALINA_BASE
-
-CATALINA_BASE=[PKI_INSTANCE_PATH]
-export CATALINA_BASE
+PKI_REGISTRY_ENTRIES=""
+TOTAL_PKI_REGISTRY_ENTRIES=0
+TOTAL_UNCONFIGURED_PKI_ENTRIES=0
-# Get Tomcat config
+# Gather ALL registered instances of this PKI subsystem type
+for FILE in `/bin/ls -1 ${PKI_REGISTRY}/* 2>/dev/null`; do
+ if [ -f "$FILE" ] ; then
+ inst=`echo "$FILE"`
+ PKI_REGISTRY_ENTRIES="${PKI_REGISTRY_ENTRIES} $inst"
+ TOTAL_PKI_REGISTRY_ENTRIES=`expr ${TOTAL_PKI_REGISTRY_ENTRIES} + 1`
+ fi
+done
-TOMCAT_CFG="[PKI_INSTANCE_PATH]/conf/tomcat5.conf"
+if [ -n "${pki_instance}" ]; then
+ for I in ${PKI_REGISTRY_ENTRIES}; do
+ if [ "${PKI_REGISTRY}/${pki_instance}" = "$I" ]; then
+ PKI_REGISTRY_ENTRIES="${PKI_REGISTRY}/${pki_instance}"
+ TOTAL_PKI_REGISTRY_ENTRIES=1
+ break
+ fi
+ done
+fi
-[ -r "$TOMCAT_CFG" ] && . "${TOMCAT_CFG}"
+usage()
+{
+ echo -n "Usage: ${PKI_INIT_SCRIPT} "
+ echo -n "{start"
+ echo -n "|stop"
+ echo -n "|restart"
+ echo -n "|condrestart"
+ echo -n "|force-restart"
+ echo -n "|try-restart"
+ echo -n "|reload"
+ echo -n "|status} "
+ echo -n "[instance-name]"
+ echo
+ echo
+}
-# Path to the tomcat launch script (direct don't use wrapper)
-TOMCAT_SCRIPT=/usr/bin/dtomcat5-[PKI_INSTANCE_ID]
+list_instances()
+{
+ echo
+ for FILE in `/bin/ls -1 ${PKI_REGISTRY}/* 2>/dev/null`; do
+ echo " ${FILE}"
+ done
+ echo
+}
-# Path to the script that will refresh jar symlinks on startup
-if [ ${OS} = "Linux" ] ; then
- TOMCAT_RELINK_SCRIPT="/usr/share/tomcat5/bin/relink"
+# Check arguments
+if [ $# -lt 1 ] ; then
+ # * 3 unimplemented feature (for example, "reload")
+ # [insufficient arguments]
+ echo "$0: Insufficient arguments!"
+ echo
+ usage
+ echo "where valid instance names include:"
+ list_instances
+ exit 3
+elif [ ${default_error} -eq 2 ] ; then
+ # * 2 invalid argument
+ echo "$0: Invalid arguments!"
+ echo
+ usage
+ echo "where valid instance names include:"
+ list_instances
+ exit 2
+elif [ $# -gt 2 ] ; then
+ echo "$0: Excess arguments!"
+ echo
+ usage
+ echo "where valid instance names include:"
+ list_instances
+ if [ "${command}" != "status" ]; then
+ # * 2 excess arguments
+ exit 2
+ else
+ # * 4 program or service status is unknown
+ exit 4
+ fi
fi
-# Tomcat name :)
-TOMCAT_PROG=[PKI_INSTANCE_ID]
-
-# if TOMCAT_USER is not set, use tomcat5 like Apache HTTP server
-if [ -z "$TOMCAT_USER" ]; then
- TOMCAT_USER="[PKI_USER]"
+# If an "instance" was supplied, check that it is a "valid" instance
+if [ -n "${pki_instance}" ]; then
+ if [ "${PKI_REGISTRY}/${pki_instance}" != "${PKI_REGISTRY_ENTRIES}" ]; then
+ echo -n "${pki_instance} is an invalid '${PKI_TYPE}' instance"
+ echo_failure
+ echo
+ if [ "${command}" != "status" ]; then
+ # * 5 program is not installed
+ exit 5
+ else
+ # * 4 program or service status is unknown
+ exit 4
+ fi
+ fi
fi
-# if TOMCAT_GROUP is not set, use tomcat5 like Apache HTTP server
-if [ -z "$TOMCAT_GROUP" ]; then
- TOMCAT_GROUP="[PKI_GROUP]"
-fi
+# On Solaris /var/run is in tmpfs and gets wiped out upon reboot
+# we have to recreate the ${PKI_PIDDIR} directory and make sure that
+# the directory is writable by the ${PKI_TYPE} server process.
+#
+# IMPORTANT: ALL PKI subsystems installed on this machine MUST utilize
+# the SAME values for ${PKI_GROUP} and ${PKI_USER}, since the
+# "${PKI_PIDDIR}" will end up with the ownership permissions
+# of the first instance that executes this function!
+#
+fix_pid_dir_ownership()
+{
+ if [ ! -d ${PKI_PIDDIR} ] ; then
+ mkdir -p ${PKI_PIDDIR}
-# Since the daemon function will sandbox $tomcat
-# no environment stuff should be defined here anymore.
-# Please use the [PKI_INSTANCE_PATH]/conf/tomcat5.conf
-# file instead ; it will be read by the $tomcat script
+ chown root:root /var/run/pki
+ chmod 00755 /var/run/pki
-pidfile=${PIDFILE:-/var/run/[PKI_INSTANCE_ID].pid}
-lockfile=${LOCKFILE:-/var/lock/subsys/[PKI_INSTANCE_ID]}
-pki_instance_configuration_file=[PKI_INSTANCE_PATH]/conf/CS.cfg
-RESTART_SERVER=[PKI_INSTANCE_PATH]/conf/restart_server_after_configuration
-RETVAL=0
+ chown root:root ${PKI_PIDDIR}
+ chmod 00755 ${PKI_PIDDIR}
+ fi
+}
check_pki_configuration_status()
{
@@ -219,11 +363,27 @@ check_pki_configuration_status()
rv=`expr ${rv} + 0`
if [ ${rv} -ne 0 ] ; then
- echo " '[PKI_INSTANCE_ID]' must still be CONFIGURED!"
- echo " (see /var/log/[PKI_INSTANCE_ID]-install.log)"
+ echo " '${PKI_INSTANCE_ID}' must still be CONFIGURED!"
+ echo " (see /var/log/${PKI_INSTANCE_ID}-install.log)"
+ if [ "${command}" != "status" ]; then
+ # * 6 program is not configured
+ rv=6
+ else
+ # * 4 program or service status is unknown
+ rv=4
+ fi
+ TOTAL_UNCONFIGURED_PKI_ENTRIES=`expr ${TOTAL_UNCONFIGURED_PKI_ENTRIES} + 1`
elif [ -f ${RESTART_SERVER} ] ; then
- echo " Although '[PKI_INSTANCE_ID]' has been CONFIGURED, it must still be RESTARTED!"
- rv=255
+ echo -n " Although '${PKI_INSTANCE_ID}' has been CONFIGURED, "
+ echo -n "it must still be RESTARTED!"
+ echo
+ if [ "${command}" != "status" ]; then
+ # * 1 generic or unspecified error (current practice)
+ rv=1
+ else
+ # * 4 program or service status is unknown
+ rv=4
+ fi
fi
return ${rv}
@@ -246,14 +406,14 @@ get_pki_status_definitions()
pki_status_comment_found=0
# first check to see that an instance-specific "server.xml" file exists
- if [ ! -f [PKI_SERVER_XML_CONF] ] ; then
- echo "File '[PKI_SERVER_XML_CONF]' does not exist!"
- exit 255
+ if [ ! -f ${PKI_SERVER_XML_CONF} ] ; then
+ echo "File '${PKI_SERVER_XML_CONF}' does not exist!"
+ exit ${default_error}
fi
# read this instance-specific "server.xml" file line-by-line
# to obtain the current PKI Status Definitions
- exec < [PKI_SERVER_XML_CONF]
+ exec < ${PKI_SERVER_XML_CONF}
while read line; do
# first look for the well-known end PKI Status comment
# (to turn off processing)
@@ -283,12 +443,12 @@ get_pki_status_definitions()
total_ports=`expr ${total_ports} + 1`
fi
fi
- done
+ done
if [ ${total_ports} -eq 6 ] ; then
return 0
else
- return 255
+ return ${default_error}
fi
}
@@ -305,14 +465,14 @@ get_pki_configuration_definitions()
[ "${pki_subsystem}" != "RA" ] &&
[ "${pki_subsystem}" != "TPS" ]
then
- return 255
+ return ${default_error}
fi
if [ "${pki_subsystem}" == "KRA" ] ; then
# Rename "KRA" to "DRM"
pki_subsystem="DRM"
fi
else
- return 255
+ return ${default_error}
fi
# If "${pki_subsystem}" is a CA, DRM, OCSP, or TKS,
@@ -331,7 +491,7 @@ get_pki_configuration_definitions()
pki_clone=""
fi
else
- return 255
+ return ${default_error}
fi
fi
@@ -345,7 +505,7 @@ get_pki_configuration_definitions()
if [ "${line}" != "" ] ; then
pki_hierarchy=`echo "${line}" | cut -b18-`
else
- return 255
+ return ${default_error}
fi
fi
@@ -364,7 +524,7 @@ get_pki_configuration_definitions()
pki_security_domain=""
fi
else
- return 255
+ return ${default_error}
fi
fi
@@ -378,25 +538,25 @@ get_pki_configuration_definitions()
if [ "${line}" != "" ] ; then
pki_security_domain_name=`echo "${line}" | cut -b21-`
else
- return 255
+ return ${default_error}
fi
line=`grep ^securitydomain.host= ${pki_instance_configuration_file}`
if [ "${line}" != "" ] ; then
pki_security_domain_hostname=`echo "${line}" | cut -b21-`
else
- return 255
+ return ${default_error}
fi
line=`grep ^securitydomain.httpsadminport= ${pki_instance_configuration_file}`
if [ "${line}" != "" ] ; then
pki_security_domain_https_admin_port=`echo "${line}" | cut -b31-`
else
- return 255
+ return ${default_error}
fi
# Compose the "PKI Instance Name" Status Line
- pki_instance_name="PKI Instance Name: [PKI_INSTANCE_ID]"
+ pki_instance_name="PKI Instance Name: ${PKI_INSTANCE_ID}"
# Compose the "PKI Subsystem Type" Status Line
header="PKI Subsystem Type: "
@@ -456,7 +616,7 @@ get_pki_configuration_definitions()
then
data="https://${pki_security_domain_hostname}:${pki_security_domain_https_admin_port}"
else
- return 255
+ return ${default_error}
fi
registered_pki_security_domain_url="${header} ${data}"
@@ -490,14 +650,14 @@ get_pki_secure_port()
ssl_comment_found=0
# first check to see that an instance-specific "server.xml" file exists
- if [ ! -f [PKI_SERVER_XML_CONF] ] ; then
- echo "File '[PKI_SERVER_XML_CONF]' does not exist!"
- exit 255
+ if [ ! -f ${PKI_SERVER_XML_CONF} ] ; then
+ echo "File '${PKI_SERVER_XML_CONF}' does not exist!"
+ exit ${default_error}
fi
# read this instance-specific "server.xml" file line-by-line
# to obtain the current value of the PKI secure port
- exec < [PKI_SERVER_XML_CONF]
+ exec < ${PKI_SERVER_XML_CONF}
while read line; do
# first look for the well-known end SSL comment
# (to turn off processing)
@@ -530,48 +690,177 @@ get_pki_secure_port()
fi
fi
fi
- done
+ done
- return 255
+ return ${default_error}
}
-start()
+display_instance_status()
+{
+ rv=0
+
+ if [ -f ${pidfile} ] ; then
+ pid=`cat ${pidfile}`
+ if [ "${pid}" == "" ] ; then
+ echo "${PKI_INSTANCE_ID} pid file exists but is empty"
+ if [ "${command}" != "status" ]; then
+ # * 1 generic or unspecified error (current practice)
+ rv=1
+ else
+ # * 4 program or service status is unknown
+ rv=4
+ fi
+ elif kill -0 ${pid} > /dev/null 2>&1 ; then
+ echo "${PKI_INSTANCE_ID} (pid ${pid}) is running ..."
+ echo
+ check_pki_configuration_status
+ rv=$?
+ if [ ${rv} -eq 0 ] ; then
+ get_pki_status_definitions
+ rv=$?
+ if [ ${rv} -ne 0 ] ; then
+ echo
+ echo "${PKI_INSTANCE_ID} Status Definitions not found"
+ else
+ get_pki_configuration_definitions
+ rv=$?
+ if [ ${rv} -ne 0 ] ; then
+ echo
+ echo "${PKI_INSTANCE_ID} Configuration Definitions not found"
+ fi
+ fi
+ else
+ # From the PKI point of view for a "non-status" action,
+ # a returned error code of "6" implies that the program
+ # is not "configured". Similarly, an error code of "1"
+ # implies that the program was "configured" but must
+ # still be restarted.
+ #
+ # Similarly, from the PKI point of view for a "status"
+ # action, a returned error code of "4" implies that either
+ # the program is not "configured", or that the program
+ # was "configured" but must still be restarted.
+ #
+ # Regardless, it must still be considered that the instance
+ # is "running" from the viewpoint of other OS programs such
+ # as 'chkconfig'.
+ #
+ # For this reason, when returning from
+ # 'display_instance_status()', ignore non-zero return codes
+ # returned from 'check_pki_configuration_status()'.
+ #
+ if [ "${command}" != "status" ]; then
+ # * 0 action was successful
+ rv=0
+ else
+ # * 0 program is running or service is OK
+ rv=0
+ fi
+ fi
+ echo
+ else
+ echo "${PKI_INSTANCE_ID} is dead but pid file exists"
+ if [ "${command}" != "status" ]; then
+ # * 1 generic or unspecified error (current practice)
+ rv=1
+ else
+ # * 1 program is dead and /var/run pid file exists
+ rv=1
+ fi
+ fi
+ else
+ echo "${PKI_INSTANCE_ID} is stopped"
+ if [ "${command}" != "status" ]; then
+ # * 7 program is not running
+ rv=7
+ else
+ # * 3 program is not running
+ rv=3
+ fi
+ fi
+
+ return ${rv}
+}
+
+start_instance()
{
+ rv=0
+
echo -n "Starting $TOMCAT_PROG: "
if [ -f ${RESTART_SERVER} ] ; then
rm -f ${RESTART_SERVER}
fi
- if [ -f ${lockfile} ] ; then
+ if [ -f ${PKI_LOCKFILE} ] ; then
if [ -f ${pidfile} ]; then
read kpid < ${pidfile}
if checkpid $kpid 2>&1; then
echo
- echo "process already running"
- return 255
+ echo "${PKI_INSTANCE_ID} (pid ${kpid}) is already running ..."
+ echo
+ check_pki_configuration_status
+ rv=$?
+ if [ ${rv} != 0 ]; then
+ # From the PKI point of view for a "non-status" action,
+ # a returned error code of "6" implies that the program
+ # is not "configured". Similarly, an error code of "1"
+ # implies that the program was "configured" but must
+ # still be restarted.
+ #
+ # Regardless, it must still be considered that the instance
+ # is "running" from the viewpoint of other OS programs such
+ # as 'chkconfig'.
+ #
+ # For "non-status" actions, ignore return codes of "1"
+ # from 'check_pki_configuration_status()'.
+ #
+ # However, for "non-status" actions that have a return
+ # code of "6", return this value unchanged to
+ # the calling routine so that the total number of
+ # configuration errors may be counted.
+ #
+
+ echo
+ if [ ${rv} = 1 ] ; then
+ # * 0 action was successful
+ return 0
+ elif [ ${rv} = 6 ] ; then
+ # * 6 program is not configured
+ return 6
+ else
+ # should never be reached
+ return ${rv}
+ fi
+ else
+ return 0
+ fi
else
echo
echo -n "lock file found but no process "
echo -n "running for pid $kpid, continuing"
echo
echo
+ rm -f ${PKI_LOCKFILE}
fi
fi
fi
+ fix_pid_dir_ownership
+
CATALINA_PID=${pidfile}
export CATALINA_PID
touch $CATALINA_PID
chown $TOMCAT_USER:$TOMCAT_GROUP $CATALINA_PID
- [ -x /sbin/restorecon ] && /sbin/restorecon $CATALINA_PID
+ chmod 00600 $CATALINA_PID
+ [ -x /sbin/restorecon ] && /sbin/restorecon $CATALINA_PID
- # restore context for ncipher hsm
- [ -x /sbin/restorecon ] && [ -d /dev/nfast ] && /sbin/restorecon -R /dev/nfast
+ # restore context for ncipher hsm
+ [ -x /sbin/restorecon ] && [ -d /dev/nfast ] && /sbin/restorecon -R /dev/nfast
# Always initialize CLASSPATH to start looking
# in the local PKI classes directory . . .
- CLASSPATH=/usr/share/[PKI_FLAVOR]/classes
+ CLASSPATH=/usr/share/pki/classes
if [ ${OS} = "Linux" ] ; then
$TOMCAT_RELINK_SCRIPT
@@ -790,7 +1079,7 @@ start()
if [ ! -e /var/lib/tomcat5/common/lib/\[javamail\]pop3\-1.3.1.jar ]; then
ln -s /usr/share/java/javamail/pop3-1.3.1.jar [javamail]pop3-1.3.1.jar
fi
- if [ ! -e /var/lib/tomcat5/common/lib/\[javamail\]pop3.jar ]; then
+ if [ ! -e /var/lib/tomcat5/common/lib/\[javamail\]pop3.jar ]; then
ln -s /usr/share/java/javamail/pop3.jar [javamail]pop3.jar
fi
if [ ! -e /var/lib/tomcat5/common/lib/\[javamail\]providers\-1.3.1.jar ]; then
@@ -1053,17 +1342,21 @@ start()
cd /var/lib/tomcat5/shared/lib
fi
- # daemon --user $TOMCAT_USER $TOMCAT_SCRIPT start
+ # daemon --user $TOMCAT_USER $TOMCAT_SCRIPT start
if [ ${OS} = "SunOS" ] ; then
su $TOMCAT_USER -c "$TOMCAT_SCRIPT start" > /dev/null
- else
+ else
runuser -s /bin/bash $TOMCAT_USER -c "$TOMCAT_SCRIPT start" > /dev/null
fi
- RETVAL=$?
- [ $RETVAL = 0 ] && touch ${lockfile}
+ rv=$?
+ if [ ${rv} = 0 ] ; then
+ touch ${PKI_LOCKFILE}
+ chown $TOMCAT_USER:$TOMCAT_GROUP $PKI_LOCKFILE
+ chmod 00600 $PKI_LOCKFILE
+ fi
- if [ $RETVAL = 0 ] ; then
+ if [ ${rv} = 0 ] ; then
count=0;
let swait=$STARTUP_WAIT
@@ -1090,12 +1383,13 @@ start()
PKI_SECURE_PORT="<Port Undefined>"
fi
+ # ignore "status" return codes
echo
- status
+ display_instance_status
else
if [ -f /etc/init.d/functions ]; then
if [ "$CONSOLETYPE" = "serial" ]; then
- echo -n " "
+ $0 echo -n " "
fi
echo_failure
echo
@@ -1105,27 +1399,29 @@ start()
fi
sleep 5
- return $RETVAL
+ return ${rv}
}
-stop()
+stop_instance()
{
+ rv=0
+
echo -n "Stopping $TOMCAT_PROG: "
- if [ -f ${lockfile} ] ; then
+ if [ -f ${PKI_LOCKFILE} ] ; then
CATALINA_PID=${pidfile}
export CATALINA_PID
# daemon --user $TOMCAT_USER $TOMCAT_SCRIPT stop
if [ ${OS} = "SunOS" ] ; then
su $TOMCAT_USER -c "$TOMCAT_SCRIPT stop" > /dev/null
- else
+ else
runuser -s /bin/bash $TOMCAT_USER -c "$TOMCAT_SCRIPT stop" > /dev/null
fi
- RETVAL=$?
+ rv=$?
- if [ $RETVAL = 0 ]; then
+ if [ ${rv} = 0 ]; then
count=0;
if [ -f ${pidfile} ]; then
@@ -1145,7 +1441,7 @@ stop()
fi
fi
- rm -f ${lockfile}
+ rm -f ${PKI_LOCKFILE}
rm -f ${pidfile}
if [ -f /etc/init.d/functions ]; then
@@ -1167,75 +1463,346 @@ stop()
else
echo " [ FAILED ]"
fi
+ rv=${default_error}
fi
else
echo
echo "process already stopped"
+ rv=0
fi
+
+ return ${rv}
}
-status()
+start()
{
- if [ -f ${pidfile} ] ; then
- pid=`cat ${pidfile}`
- if [ "${pid}" == "" ] ; then
- echo "[PKI_INSTANCE_ID] pid file exists but is empty"
- elif kill -0 ${pid} > /dev/null 2>&1 ; then
- echo "[PKI_INSTANCE_ID] (pid ${pid}) is running ..."
+ # From "http://fedoraproject.org/wiki/FCNewInit/Initscripts":
+ #
+ # * 0 action was successful
+ # * 1 generic or unspecified error (current practice)
+ # * 2 invalid or excess argument(s)
+ # * 3 unimplemented feature (for example, "reload")
+ # * 4 user had insufficient privilege
+ # * 5 program is not installed
+ # * 6 program is not configured
+ # * 7 program is not running
+ # * 8-99 reserved for future LSB use
+ # * 100-149 reserved for distribution use
+ # * 150-199 reserved for application use
+ # * 200-254 reserved
+ #
+
+ error_rv=0
+ rv=0
+
+ if [ -n "${PKI_REGISTRY_ENTRIES}" ]; then
+ config_errors=0
+ errors=0
+
+ if [ ${TOTAL_PKI_REGISTRY_ENTRIES} -gt 1 ] ; then
+ echo "BEGIN STARTING '${PKI_TYPE}' INSTANCE(S):"
+ fi
+
+ # Start every PKI instance of this type that isn't already running
+ for PKI_REGISTRY_ENTRY in ${PKI_REGISTRY_ENTRIES}; do
+ # Source values associated with this particular PKI instance
+ [ -f ${PKI_REGISTRY_ENTRY} ] &&
+ . ${PKI_REGISTRY_ENTRY}
+
+ pidfile=${PKI_PIDDIR}/${PKI_PIDFILE}
+
+ [ ${TOTAL_PKI_REGISTRY_ENTRIES} -gt 1 ] && echo
+
+ start_instance
+
+ rv=$?
+ if [ ${rv} = 6 ] ; then
+ # Since at least ONE configuration error exists, then there
+ # is at least ONE unconfigured instance from the PKI point
+ # of view.
+ #
+ # However, it must still be considered that the
+ # instance is "running" from the point of view of other
+ # OS programs such as 'chkconfig'.
+ #
+ # Therefore, ignore non-zero return codes resulting
+ # from configuration errors.
+ #
+
+ config_errors=`expr $config_errors + 1`
+ rv=0
+ elif [ ${rv} != 0 ] ; then
+ errors=`expr $errors + 1`
+ error_rv=${rv}
+ fi
+ done
+
+ if [ ${TOTAL_PKI_REGISTRY_ENTRIES} -gt ${errors} ] ; then
+ touch ${lockfile}
+ chmod 00600 ${lockfile}
+ fi
+
+ # ONLY print a "WARNING" message if multiple
+ # instances are being examined
+ if [ ${TOTAL_PKI_REGISTRY_ENTRIES} -gt 1 ] ; then
+ # NOTE: "bad" return code(s) OVERRIDE configuration errors!
+ if [ ${errors} -eq 1 ]; then
+ # Since only ONE error exists, return that "bad" error code.
+ rv=${error_rv}
+ elif [ ${errors} -gt 1 ]; then
+ # Since MORE than ONE error exists, return an OVERALL status
+ # of "1 generic or unspecified error (current practice)"
+ rv=1
+ fi
+
+ if [ ${errors} -ge 1 ]; then
+ echo
+ echo -n "WARNING: "
+ echo -n "${errors} of ${TOTAL_PKI_REGISTRY_ENTRIES} "
+ echo -n "'${PKI_TYPE}' instances failed to start!"
+ echo
+ fi
+
+ if [ ${TOTAL_UNCONFIGURED_PKI_ENTRIES} -ge 1 ]; then
+ echo
+ echo -n "WARNING: "
+ echo -n "${TOTAL_UNCONFIGURED_PKI_ENTRIES} "
+ echo -n "of ${TOTAL_PKI_REGISTRY_ENTRIES} "
+ echo -n "'${PKI_TYPE}' instances MUST be configured!"
+ echo
+ fi
+
echo
- check_pki_configuration_status
- if [ $? -eq 0 ] ; then
- get_pki_status_definitions
- if [ $? -ne 0 ] ; then
- echo
- echo "[PKI_INSTANCE_ID] Status Definitions not found"
- fi
- get_pki_configuration_definitions
- if [ $? -ne 0 ] ; then
- echo
- echo "[PKI_INSTANCE_ID] Configuration Definitions not found"
- fi
+ echo "FINISHED STARTING '${PKI_TYPE}' INSTANCE(S)."
+ fi
+ else
+ echo
+ echo "ERROR: No '${PKI_TYPE}' instances installed!"
+ rv=5
+ fi
+
+ return ${rv}
+}
+
+stop()
+{
+ # From "http://fedoraproject.org/wiki/FCNewInit/Initscripts":
+ #
+ # * 0 action was successful
+ # * 1 generic or unspecified error (current practice)
+ # * 2 invalid or excess argument(s)
+ # * 3 unimplemented feature (for example, "reload")
+ # * 4 user had insufficient privilege
+ # * 5 program is not installed
+ # * 6 program is not configured
+ # * 7 program is not running
+ # * 8-99 reserved for future LSB use
+ # * 100-149 reserved for distribution use
+ # * 150-199 reserved for application use
+ # * 200-254 reserved
+ #
+
+ error_rv=0
+ rv=0
+
+ if [ -n "${PKI_REGISTRY_ENTRIES}" ]; then
+ errors=0
+
+ if [ ${TOTAL_PKI_REGISTRY_ENTRIES} -gt 1 ] ; then
+ echo "BEGIN SHUTTING DOWN '${PKI_TYPE}' INSTANCE(S):"
+ fi
+
+ # Shutdown every PKI instance of this type that is running
+ for PKI_REGISTRY_ENTRY in ${PKI_REGISTRY_ENTRIES}; do
+ # Source values associated with this particular PKI instance
+ [ -f ${PKI_REGISTRY_ENTRY} ] &&
+ . ${PKI_REGISTRY_ENTRY}
+
+ pidfile=${PKI_PIDDIR}/${PKI_PIDFILE}
+
+ [ ${TOTAL_PKI_REGISTRY_ENTRIES} -gt 1 ] && echo
+
+ stop_instance
+
+ rv=$?
+ if [ ${rv} != 0 ] ; then
+ errors=`expr $errors + 1`
+ error_rv=${rv}
+ fi
+ done
+
+ if [ ${errors} -eq 0 ] ; then
+ rm -f ${lockfile}
+ fi
+
+ # ONLY print a "WARNING" message if multiple
+ # instances are being examined
+ if [ ${TOTAL_PKI_REGISTRY_ENTRIES} -gt 1 ] ; then
+ if [ ${errors} -eq 1 ]; then
+ # Since only ONE error exists, return that "bad" error code.
+ rv=${error_rv}
+ elif [ ${errors} -gt 1 ]; then
+ # Since MORE than ONE error exists, return an OVERALL status
+ # of "1 generic or unspecified error (current practice)"
+ rv=1
+ fi
+
+ if [ ${errors} -ge 1 ]; then
+ echo
+ echo -n "WARNING: "
+ echo -n "${errors} of ${TOTAL_PKI_REGISTRY_ENTRIES} "
+ echo -n "'${PKI_TYPE}' instances were "
+ echo -n "unsuccessfully stopped!"
+ echo
fi
+
echo
- else
- echo "[PKI_INSTANCE_ID] is dead but pid file exists"
+ echo "FINISHED SHUTTING DOWN '${PKI_TYPE}' INSTANCE(S)."
fi
else
- echo "[PKI_INSTANCE_ID] is stopped"
+ echo
+ echo "ERROR: No '${PKI_TYPE}' instances installed!"
+ rv=5
fi
+
+ return ${rv}
}
-# See how we were called.
-case "$1" in
- start)
- start
- ;;
- stop)
- stop
- ;;
- restart)
- stop
- sleep 2
- start
- ;;
- condrestart)
- if [ -f ${pidfile} ] ; then
- stop
- sleep 2
- start
- else
- echo -n "Unable to restart process since "
- echo -n "'${pidfile}' does not exist!"
+restart()
+{
+ # From "http://fedoraproject.org/wiki/FCNewInit/Initscripts":
+ #
+ # * 0 action was successful
+ # * 1 generic or unspecified error (current practice)
+ # * 2 invalid or excess argument(s)
+ # * 3 unimplemented feature (for example, "reload")
+ # * 4 user had insufficient privilege
+ # * 5 program is not installed
+ # * 6 program is not configured
+ # * 7 program is not running
+ # * 8-99 reserved for future LSB use
+ # * 100-149 reserved for distribution use
+ # * 150-199 reserved for application use
+ # * 200-254 reserved
+ #
+
+ stop
+ sleep 2
+ echo
+ echo "============================================================"
+ echo
+ start
+
+ return $?
+}
+
+status()
+{
+ # From "http://fedoraproject.org/wiki/FCNewInit/Initscripts":
+ #
+ # * 0 program is running or service is OK
+ # * 1 program is dead and /var/run pid file exists
+ # * 2 program is dead and /var/lock lock file exists
+ # * 3 program is not running
+ # * 4 program or service status is unknown
+ # * 5-99 reserved for future LSB use
+ # * 100-149 reserved for distribution use
+ # * 150-199 reserved for application use
+ # * 200-254 reserved
+ #
+
+ error_rv=0
+ rv=0
+
+ if [ -n "${PKI_REGISTRY_ENTRIES}" ]; then
+ errors=0
+
+ if [ ${TOTAL_PKI_REGISTRY_ENTRIES} -gt 1 ] ; then
+ echo "REPORT STATUS OF '${PKI_TYPE}' INSTANCE(S):"
+ fi
+
+ # Obtain status of every PKI instance of this type
+ for PKI_REGISTRY_ENTRY in ${PKI_REGISTRY_ENTRIES}; do
+ # Source values associated with this particular PKI instance
+ [ -f ${PKI_REGISTRY_ENTRY} ] &&
+ . ${PKI_REGISTRY_ENTRY}
+
+ pidfile=${PKI_PIDDIR}/${PKI_PIDFILE}
+
+ [ ${TOTAL_PKI_REGISTRY_ENTRIES} -gt 1 ] && echo
+
+ display_instance_status
+
+ rv=$?
+ if [ ${rv} -ne 0 ] ; then
+ errors=`expr $errors + 1`
+ error_rv=${rv}
+ fi
+ done
+
+ # ONLY print a "WARNING" message if multiple
+ # instances are being examined
+ if [ ${TOTAL_PKI_REGISTRY_ENTRIES} -gt 1 ] ; then
+ if [ ${errors} -eq 1 ]; then
+ # Since only ONE error exists, return that "bad" error code.
+ rv=${error_rv}
+ elif [ ${errors} -gt 1 ]; then
+ # Since MORE than ONE error exists, return an OVERALL status
+ # of "4 - program or service status is unknown"
+ rv=4
+ fi
+
+ if [ ${errors} -ge 1 ]; then
+ echo
+ echo -n "WARNING: "
+ echo -n "${errors} of ${TOTAL_PKI_REGISTRY_ENTRIES} "
+ echo -n "'${PKI_TYPE}' instances reported status failures!"
+ echo
+ fi
+
+ if [ ${TOTAL_UNCONFIGURED_PKI_ENTRIES} -ge 1 ]; then
+ echo
+ echo -n "WARNING: "
+ echo -n "${TOTAL_UNCONFIGURED_PKI_ENTRIES} "
+ echo -n "of ${TOTAL_PKI_REGISTRY_ENTRIES} "
+ echo -n "'${PKI_TYPE}' instances MUST be configured!"
+ echo
+ fi
+
echo
+ echo "FINISHED REPORTING STATUS OF '${PKI_TYPE}' INSTANCE(S)."
fi
+ else
+ echo
+ echo "ERROR: No '${PKI_TYPE}' instances installed!"
+ rv=4
+ fi
+
+ return ${rv}
+}
+
+# See how we were called.
+case "${command}" in
+ start|stop|restart|status)
+ ${command}
+ exit $?
;;
- status)
- status
+ condrestart|force-restart|try-restart)
+ [ ! -f ${lockfile} ] || restart
+ exit $?
+ ;;
+ reload)
+ echo "The 'reload' action is an unimplemented feature."
+ exit ${default_error}
;;
*)
- echo "Usage: $TOMCAT_PROG {start|stop|restart|condrestart|status}"
- exit 1
+ # * 3 unimplemented feature (for example, "reload")
+ # [invalid command - should never be reached]
+ echo
+ usage
+ echo "where valid instance names include:"
+ list_instances
+ exit 3
+ ;;
esac
-exit $RETVAL
-
generated by cgit (git 2.34.1) at 2026-04-14 00:42:08 +0000