authorMatthew Harmsen <mharmsen@redhat.com>2012-05-23 18:59:06 -0700
committerMatthew Harmsen <mharmsen@redhat.com>2012-05-25 14:59:48 -0700
commit4a263b8db27208413acd0f038ea67629d5ee27bb (patch)
tree8c747215e522100304e9afced96d0720bd49501d
parent2408bec41a56378fcf942a68a1ab290464c001d7 (diff)
PKI Deployment Scriptlets
* Integration of Tomcat 7 * Addition of centralized 'pki-tomcatd' systemd functionality to the PKI Deployment strategy * Removal of 'pki_flavor' attribute
-rw-r--r--base/ca/setup/registry_instance7
-rw-r--r--base/ca/shared/conf/CS.cfg.in10
-rw-r--r--base/common/CMakeLists.txt43
-rw-r--r--base/common/setup/pkidaemon_registry59
-rw-r--r--base/common/shared/conf/catalina.policy252
-rw-r--r--base/common/shared/conf/catalina.properties125
-rw-r--r--base/common/shared/conf/context.xml42
-rw-r--r--base/common/shared/conf/log4j.properties17
-rw-r--r--base/common/shared/conf/logging.properties70
-rw-r--r--base/common/shared/conf/server.xml304
-rw-r--r--base/common/shared/conf/tomcat-users.xml62
-rw-r--r--base/common/shared/conf/tomcat.conf (renamed from base/ca/shared/conf/tomcat.conf)6
-rw-r--r--base/common/shared/lib/systemd/system/pki-tomcatd.target8
-rw-r--r--base/common/shared/lib/systemd/system/pki-tomcatd@.service13
-rw-r--r--base/deploy/CMakeLists.txt16
-rw-r--r--base/deploy/config/pkideployment.cfg5
-rw-r--r--base/deploy/config/pkislots.cfg3
-rw-r--r--base/deploy/scripts/operations1155
-rwxr-xr-xbase/deploy/scripts/pkidaemon74
-rwxr-xr-xbase/deploy/src/pkidestroy22
-rwxr-xr-xbase/deploy/src/pkispawn22
-rw-r--r--base/deploy/src/scriptlets/configuration.py19
-rw-r--r--base/deploy/src/scriptlets/finalization.py10
-rw-r--r--base/deploy/src/scriptlets/infrastructure_layout.py6
-rw-r--r--base/deploy/src/scriptlets/instance_layout.py12
-rw-r--r--base/deploy/src/scriptlets/pkiconfig.py12
-rw-r--r--base/deploy/src/scriptlets/pkiparser.py236
-rw-r--r--base/deploy/src/scriptlets/slot_substitution.py20
-rw-r--r--base/kra/setup/registry_instance7
-rw-r--r--base/kra/shared/conf/CS.cfg.in10
-rw-r--r--base/kra/shared/conf/server.xml2
-rw-r--r--base/kra/shared/conf/tomcat.conf52
-rw-r--r--base/ocsp/setup/registry_instance7
-rw-r--r--base/ocsp/shared/conf/CS.cfg.in10
-rw-r--r--base/ocsp/shared/conf/tomcat.conf52
-rw-r--r--base/ra/setup/CMakeLists.txt1
-rw-r--r--base/ra/setup/pkidaemon_registry116
-rw-r--r--base/ra/setup/registry_instance3
-rwxr-xr-xbase/setup/pkicommon.pm8
-rwxr-xr-xbase/setup/pkicreate7
-rw-r--r--base/setup/scripts/functions2
-rw-r--r--base/tks/setup/registry_instance7
-rw-r--r--base/tks/shared/conf/CS.cfg.in10
-rw-r--r--base/tks/shared/conf/tomcat.conf52
-rw-r--r--base/tps/setup/CMakeLists.txt1
-rw-r--r--base/tps/setup/pkidaemon_registry116
-rw-r--r--base/tps/setup/registry_instance3
-rw-r--r--specs/pki-core.spec81
48 files changed, 2836 insertions, 341 deletions
diff --git a/base/ca/setup/registry_instance b/base/ca/setup/registry_instance
index 3210b9131..c97b0c736 100644
--- a/base/ca/setup/registry_instance
+++ b/base/ca/setup/registry_instance
@@ -1,8 +1,5 @@
# Establish PKI Variable "Slot" Substitutions
-PKI_FLAVOR=[PKI_FLAVOR]
-export PKI_FLAVOR
-
PKI_SUBSYSTEM_TYPE=[PKI_SUBSYSTEM_TYPE]
export PKI_SUBSYSTEM_TYPE
@@ -38,13 +35,13 @@ export TOMCAT_USER
TOMCAT_GROUP=$PKI_GROUP
export TOMCAT_GROUP
-PKI_LOCKDIR="/var/lock/${PKI_FLAVOR}/${PKI_SUBSYSTEM_TYPE}"
+PKI_LOCKDIR="/var/lock/pki/${PKI_SUBSYSTEM_TYPE}"
export PKI_LOCKDIR
PKI_LOCKFILE="${PKI_LOCKDIR}/${PKI_INSTANCE_ID}"
export PKI_LOCKFILE
-PKI_PIDDIR="/var/run/${PKI_FLAVOR}/${PKI_SUBSYSTEM_TYPE}"
+PKI_PIDDIR="/var/run/pki/${PKI_SUBSYSTEM_TYPE}"
export PKI_PIDDIR
PKI_PIDFILE="${PKI_PIDDIR}/${PKI_INSTANCE_ID}.pid"
diff --git a/base/ca/shared/conf/CS.cfg.in b/base/ca/shared/conf/CS.cfg.in
index f62543963..ada97c4fa 100644
--- a/base/ca/shared/conf/CS.cfg.in
+++ b/base/ca/shared/conf/CS.cfg.in
@@ -814,12 +814,12 @@ internaldb.ldapauth.clientCertNickname=
internaldb.ldapconn.host=
internaldb.ldapconn.port=
internaldb.ldapconn.secureConn=false
-preop.internaldb.schema.ldif=/usr/share/[PKI_FLAVOR]/ca/conf/schema.ldif
-preop.internaldb.ldif=/usr/share/[PKI_FLAVOR]/ca/conf/database.ldif
-preop.internaldb.data_ldif=/usr/share/[PKI_FLAVOR]/ca/conf/db.ldif,/usr/share/[PKI_FLAVOR]/ca/conf/acl.ldif
+preop.internaldb.schema.ldif=/usr/share/pki/ca/conf/schema.ldif
+preop.internaldb.ldif=/usr/share/pki/ca/conf/database.ldif
+preop.internaldb.data_ldif=/usr/share/pki/ca/conf/db.ldif,/usr/share/pki/ca/conf/acl.ldif
preop.internaldb.index_ldif=
-preop.internaldb.manager_ldif=/usr/share/[PKI_FLAVOR]/ca/conf/manager.ldif
-preop.internaldb.post_ldif=/usr/share/[PKI_FLAVOR]/ca/conf/index.ldif,/usr/share/[PKI_FLAVOR]/ca/conf/vlv.ldif,/usr/share/[PKI_FLAVOR]/ca/conf/vlvtasks.ldif
+preop.internaldb.manager_ldif=/usr/share/pki/ca/conf/manager.ldif
+preop.internaldb.post_ldif=/usr/share/pki/ca/conf/index.ldif,/usr/share/pki/ca/conf/vlv.ldif,/usr/share/pki/ca/conf/vlvtasks.ldif
preop.internaldb.wait_dn=cn=index1160589769, cn=index, cn=tasks, cn=config
internaldb.multipleSuffix.enable=false
jobsScheduler._000=##
diff --git a/base/common/CMakeLists.txt b/base/common/CMakeLists.txt
index 10a7cc0bb..f602ae943 100644
--- a/base/common/CMakeLists.txt
+++ b/base/common/CMakeLists.txt
@@ -1,9 +1,23 @@
project(common Java)
+# install systemd scripts
+install(
+ FILES
+ shared/lib/systemd/system/pki-tomcatd.target
+ shared/lib/systemd/system/pki-tomcatd@.service
+ DESTINATION
+ ${SYSTEMD_LIB_INSTALL_DIR}
+ PERMISSIONS
+ OWNER_EXECUTE OWNER_WRITE OWNER_READ
+ GROUP_EXECUTE GROUP_READ
+ WORLD_EXECUTE WORLD_READ
+)
+
install(
FILES
setup/CertServer.directory
setup/menu.xml
+ setup/pkidaemon_registry
DESTINATION
${DATA_INSTALL_DIR}/setup/
PERMISSIONS
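Review bot: The two systemd unit files (pki-tomcatd.target, pki-tomcatd@.service) are installed with OWNER_EXECUTE, GROUP_EXECUTE and WORLD_EXECUTE, but unit files are configuration, not programs, and systemd emits a warning for units that carry executable bits. Drop the three *_EXECUTE tokens so the units land as 0644: `OWNER_WRITE OWNER_READ GROUP_READ WORLD_READ`. The same PERMISSIONS block is a reasonable pattern for the setup/ files below it, where the new pkidaemon_registry is a sourced shell fragment rather than an executable and is likewise fine without execute bits.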
@@ -12,5 +26,34 @@ install(
WORLD_READ
)
+# install directories
+install(
+ DIRECTORY
+ shared/
+ DESTINATION
+ ${DATA_INSTALL_DIR}/shared/
+ PATTERN
+ "lib/" EXCLUDE
+)
+
+# install empty directories
+install(
+ DIRECTORY
+ DESTINATION
+ ${VAR_INSTALL_DIR}/lock/pki/tomcat
+)
+
+install(
+ DIRECTORY
+ DESTINATION
+ ${VAR_INSTALL_DIR}/run/pki/tomcat
+)
+
+install(
+ DIRECTORY
+ DESTINATION
+ ${SYSTEMD_ETC_INSTALL_DIR}/pki-tomcatd.target.wants
+)
+
add_subdirectory(src)
add_subdirectory(test)
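Review bot: The three `install(DIRECTORY DESTINATION ...)` calls create `${VAR_INSTALL_DIR}/lock/pki/tomcat` and `${VAR_INSTALL_DIR}/run/pki/tomcat` once at package install time, but on a systemd host /var/run and /var/lock live on tmpfs and are emptied at every boot, so the PKI_PIDDIR and PKI_LOCKDIR that registry_instance now hardcodes (`/var/run/pki/...`, `/var/lock/pki/...`) will be missing after the first reboot; they need a tmpfiles.d snippet (or a `RuntimeDirectory=` line in pki-tomcatd@.service, which is not visible here) to be recreated. Separately, `PATTERN "lib/" EXCLUDE` may not do what it intends: as I read CMake's matching rules PATTERN is matched against the trailing path component and a pattern ending in "/" cannot match a directory name, so shared/lib/systemd/... would be copied a second time under `${DATA_INSTALL_DIR}/shared/`; `PATTERN "lib" EXCLUDE` or `REGEX "/lib/" EXCLUDE` is the usual form. The `shared/` copy also carries server.xml and tomcat-users.xml templates with no FILE_PERMISSIONS given, which is worth stating explicitly since those files become per-instance configuration.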
diff --git a/base/common/setup/pkidaemon_registry b/base/common/setup/pkidaemon_registry
new file mode 100644
index 000000000..5cd1ca9c8
--- /dev/null
+++ b/base/common/setup/pkidaemon_registry
@@ -0,0 +1,59 @@
+# Establish PKI Variable "Slot" Substitutions
+
+PKI_WEB_SERVER_TYPE=[PKI_WEB_SERVER_TYPE]
+export PKI_WEB_SERVER_TYPE
+
+PKI_USER=[PKI_USER]
+export PKI_USER
+
+PKI_GROUP=[PKI_GROUP]
+export PKI_GROUP
+
+PKI_INSTANCE_ID=[PKI_INSTANCE_ID]
+export PKI_INSTANCE_ID
+
+PKI_INSTANCE_PATH=[PKI_INSTANCE_PATH]
+export PKI_INSTANCE_PATH
+
+PKI_INSTANCE_INITSCRIPT=[PKI_INSTANCE_INITSCRIPT]
+export PKI_INSTANCE_INITSCRIPT
+
+PKI_LOCKDIR=[PKI_LOCKDIR]
+export PKI_LOCKDIR
+
+PKI_PIDDIR=[PKI_PIDDIR]
+export PKI_PIDDIR
+
+PKI_UNSECURE_PORT=[PKI_UNSECURE_PORT]
+export PKI_UNSECURE_PORT
+
+TOMCAT_PIDFILE=[TOMCAT_PIDFILE]
+export TOMCAT_PIDFILE
+
+# Use PKI Variable "Slot" Substitutions
+
+PKI_LOCKFILE="${PKI_LOCKDIR}/${PKI_INSTANCE_ID}"
+export PKI_LOCKFILE
+
+PKI_PIDFILE="${PKI_PIDDIR}/${PKI_INSTANCE_ID}.pid"
+export PKI_PIDFILE
+
+RESTART_SERVER=${PKI_INSTANCE_PATH}/conf/restart_server_after_configuration
+export RESTART_SERVER
+
+# Use CATALINA_BASE
+
+CATALINA_BASE=$PKI_INSTANCE_PATH
+export CATALINA_BASE
+
+TOMCAT_PROG=$PKI_INSTANCE_ID
+export TOMCAT_PROG
+
+TOMCAT_USER=$PKI_USER
+export TOMCAT_USER
+
+TOMCAT_GROUP=$PKI_GROUP
+export TOMCAT_GROUP
+
+TOMCAT_LOCKFILE=/var/lock/subsys/${PKI_INSTANCE_ID}
+export TOMCAT_LOCKFILE
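Review bot: This fragment is evaluated as shell (`export`, `${...}` expansions), yet every slot value is substituted unquoted, e.g. `PKI_INSTANCE_PATH=[PKI_INSTANCE_PATH]`; a deployment value containing whitespace or shell metacharacters would be word-split or executed as shell syntax when the file is sourced. Single-quote the substituted values so they are taken literally, e.g. `PKI_INSTANCE_PATH='[PKI_INSTANCE_PATH]'` and `PKI_USER='[PKI_USER]'`, and keep double quotes only where a variable must expand (PKI_LOCKFILE, PKI_PIDFILE). `TOMCAT_LOCKFILE=/var/lock/subsys/${PKI_INSTANCE_ID}` is also hardcoded while PKI_LOCKDIR is a slot; if that is deliberate (SysV convention), a one-line comment saying so would stop the next reader from "fixing" it. Whether the substitution layer in pkiparser.py already rejects unsafe characters cannot be seen from this hunk.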
diff --git a/base/common/shared/conf/catalina.policy b/base/common/shared/conf/catalina.policy
new file mode 100644
index 000000000..02c1eea0a
--- /dev/null
+++ b/base/common/shared/conf/catalina.policy
@@ -0,0 +1,252 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// Copyright (C) 2012 Red Hat, Inc.
+// All rights reserved.
+// Modifications: configuration parameters
+// --- END COPYRIGHT BLOCK ---
+
+// Licensed to the Apache Software Foundation (ASF) under one or more
+// contributor license agreements. See the NOTICE file distributed with
+// this work for additional information regarding copyright ownership.
+// The ASF licenses this file to You under the Apache License, Version 2.0
+// (the "License"); you may not use this file except in compliance with
+// the License. You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+// ============================================================================
+// catalina.policy - Security Policy Permissions for Tomcat 7
+//
+// This file contains a default set of security policies to be enforced (by the
+// JVM) when Catalina is executed with the "-security" option. In addition
+// to the permissions granted here, the following additional permissions are
+// granted to each web application:
+//
+// * Read access to the web application's document root directory
+// * Read, write and delete access to the web application's working directory
+//
+// $Id: catalina.policy 1220297 2011-12-17 22:55:28Z markt $
+// ============================================================================
+
+
+// ========== SYSTEM CODE PERMISSIONS =========================================
+
+
+// These permissions apply to javac
+grant codeBase "file:${java.home}/lib/-" {
+ permission java.security.AllPermission;
+};
+
+// These permissions apply to all shared system extensions
+grant codeBase "file:${java.home}/jre/lib/ext/-" {
+ permission java.security.AllPermission;
+};
+
+// These permissions apply to javac when ${java.home] points at $JAVA_HOME/jre
+grant codeBase "file:${java.home}/../lib/-" {
+ permission java.security.AllPermission;
+};
+
+// These permissions apply to all shared system extensions when
+// ${java.home} points at $JAVA_HOME/jre
+grant codeBase "file:${java.home}/lib/ext/-" {
+ permission java.security.AllPermission;
+};
+
+
+// ========== CATALINA CODE PERMISSIONS =======================================
+
+
+// These permissions apply to the daemon code
+grant codeBase "file:${catalina.home}/bin/commons-daemon.jar" {
+ permission java.security.AllPermission;
+};
+
+// These permissions apply to the logging API
+// Note: If tomcat-juli.jar is in ${catalina.base} and not in ${catalina.home},
+// update this section accordingly.
+// grant codeBase "file:${catalina.base}/bin/tomcat-juli.jar" {..}
+grant codeBase "file:${catalina.home}/bin/tomcat-juli.jar" {
+ permission java.io.FilePermission
+ "${java.home}${file.separator}lib${file.separator}logging.properties", "read";
+
+ permission java.io.FilePermission
+ "${catalina.base}${file.separator}conf${file.separator}logging.properties", "read";
+ permission java.io.FilePermission
+ "${catalina.base}${file.separator}logs", "read, write";
+ permission java.io.FilePermission
+ "${catalina.base}${file.separator}logs${file.separator}*", "read, write";
+
+ permission java.lang.RuntimePermission "shutdownHooks";
+ permission java.lang.RuntimePermission "getClassLoader";
+ permission java.lang.RuntimePermission "setContextClassLoader";
+
+ permission java.util.logging.LoggingPermission "control";
+
+ permission java.util.PropertyPermission "java.util.logging.config.class", "read";
+ permission java.util.PropertyPermission "java.util.logging.config.file", "read";
+ permission java.util.PropertyPermission "catalina.base", "read";
+ permission java.util.PropertyPermission
+ "org.apache.juli.logging.UserDataHelper.CONFIG", "read";
+ permission java.util.PropertyPermission
+ "org.apache.juli.logging.UserDataHelper.SUPPRESSION_TIME", "read";
+
+ // Note: To enable per context logging configuration, permit read access to
+ // the appropriate file. Be sure that the logging configuration is
+ // secure before enabling such access.
+ // E.g. for the examples web application (uncomment and unwrap
+ // the following to be on a single line):
+ // permission java.io.FilePermission "${catalina.base}${file.separator}
+ // webapps${file.separator}examples${file.separator}WEB-INF
+ // ${file.separator}classes${file.separator}logging.properties", "read";
+};
+
+// These permissions apply to the server startup code
+grant codeBase "file:${catalina.home}/bin/bootstrap.jar" {
+ permission java.security.AllPermission;
+};
+
+// These permissions apply to the servlet API classes
+// and those that are shared across all class loaders
+// located in the "lib" directory
+grant codeBase "file:${catalina.home}/lib/-" {
+ permission java.security.AllPermission;
+};
+
+
+// If using a per instance lib directory, i.e. ${catalina.base}/lib,
+// then the following permission will need to be uncommented
+// grant codeBase "file:${catalina.base}/lib/-" {
+// permission java.security.AllPermission;
+// };
+
+
+// ========== WEB APPLICATION PERMISSIONS =====================================
+
+
+// These permissions are granted by default to all web applications
+// In addition, a web application will be given a read FilePermission
+// and JndiPermission for all files and directories in its document root.
+grant {
+ // Required for JNDI lookup of named JDBC DataSource's and
+ // javamail named MimePart DataSource used to send mail
+ permission java.util.PropertyPermission "java.home", "read";
+ permission java.util.PropertyPermission "java.naming.*", "read";
+ permission java.util.PropertyPermission "javax.sql.*", "read";
+
+ // OS Specific properties to allow read access
+ permission java.util.PropertyPermission "os.name", "read";
+ permission java.util.PropertyPermission "os.version", "read";
+ permission java.util.PropertyPermission "os.arch", "read";
+ permission java.util.PropertyPermission "file.separator", "read";
+ permission java.util.PropertyPermission "path.separator", "read";
+ permission java.util.PropertyPermission "line.separator", "read";
+
+ // JVM properties to allow read access
+ permission java.util.PropertyPermission "java.version", "read";
+ permission java.util.PropertyPermission "java.vendor", "read";
+ permission java.util.PropertyPermission "java.vendor.url", "read";
+ permission java.util.PropertyPermission "java.class.version", "read";
+ permission java.util.PropertyPermission "java.specification.version", "read";
+ permission java.util.PropertyPermission "java.specification.vendor", "read";
+ permission java.util.PropertyPermission "java.specification.name", "read";
+
+ permission java.util.PropertyPermission "java.vm.specification.version", "read";
+ permission java.util.PropertyPermission "java.vm.specification.vendor", "read";
+ permission java.util.PropertyPermission "java.vm.specification.name", "read";
+ permission java.util.PropertyPermission "java.vm.version", "read";
+ permission java.util.PropertyPermission "java.vm.vendor", "read";
+ permission java.util.PropertyPermission "java.vm.name", "read";
+
+ // Required for OpenJMX
+ permission java.lang.RuntimePermission "getAttribute";
+
+ // Allow read of JAXP compliant XML parser debug
+ permission java.util.PropertyPermission "jaxp.debug", "read";
+
+ // All JSPs need to be able to read this package
+ permission java.lang.RuntimePermission "accessClassInPackage.org.apache.tomcat";
+
+ // Precompiled JSPs need access to these packages.
+ permission java.lang.RuntimePermission "accessClassInPackage.org.apache.jasper.el";
+ permission java.lang.RuntimePermission "accessClassInPackage.org.apache.jasper.runtime";
+ permission java.lang.RuntimePermission
+ "accessClassInPackage.org.apache.jasper.runtime.*";
+
+ // Precompiled JSPs need access to these system properties.
+ permission java.util.PropertyPermission
+ "org.apache.jasper.runtime.BodyContentImpl.LIMIT_BUFFER", "read";
+ permission java.util.PropertyPermission
+ "org.apache.el.parser.COERCE_TO_ZERO", "read";
+
+ // The cookie code needs these.
+ permission java.util.PropertyPermission
+ "org.apache.catalina.STRICT_SERVLET_COMPLIANCE", "read";
+ permission java.util.PropertyPermission
+ "org.apache.tomcat.util.http.ServerCookie.STRICT_NAMING", "read";
+ permission java.util.PropertyPermission
+ "org.apache.tomcat.util.http.ServerCookie.FWD_SLASH_IS_SEPARATOR", "read";
+
+ // Applications using Comet need to be able to access this package
+ permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.comet";
+};
+
+
+// The Manager application needs access to the following packages to support the
+// session display functionality. These settings support the following
+// configurations:
+// - default CATALINA_HOME == CATALINA_BASE
+// - CATALINA_HOME != CATALINA_BASE, per instance Manager in CATALINA_BASE
+// - CATALINA_HOME != CATALINA_BASE, shared Manager in CATALINA_HOME
+grant codeBase "file:${catalina.base}/webapps/manager/-" {
+ permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina";
+ permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.ha.session";
+ permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.manager";
+ permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.manager.util";
+ permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.util";
+};
+grant codeBase "file:${catalina.home}/webapps/manager/-" {
+ permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina";
+ permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.ha.session";
+ permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.manager";
+ permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.manager.util";
+ permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.util";
+};
+
+// You can assign additional permissions to particular web applications by
+// adding additional "grant" entries here, based on the code base for that
+// application, /WEB-INF/classes/, or /WEB-INF/lib/ jar files.
+//
+// Different permissions can be granted to JSP pages, classes loaded from
+// the /WEB-INF/classes/ directory, all jar files in the /WEB-INF/lib/
+// directory, or even to individual jar files in the /WEB-INF/lib/ directory.
+//
+// For instance, assume that the standard "examples" application
+// included a JDBC driver that needed to establish a network connection to the
+// corresponding database and used the scrape taglib to get the weather from
+// the NOAA web server. You might create a "grant" entries like this:
+//
+// The permissions granted to the context root directory apply to JSP pages.
+// grant codeBase "file:${catalina.base}/webapps/examples/-" {
+// permission java.net.SocketPermission "dbhost.mycompany.com:5432", "connect";
+// permission java.net.SocketPermission "*.noaa.gov:80", "connect";
+// };
+//
+// The permissions granted to the context WEB-INF/classes directory
+// grant codeBase "file:${catalina.base}/webapps/examples/WEB-INF/classes/-" {
+// };
+//
+// The permission granted to your JDBC driver
+// grant codeBase "jar:file:${catalina.base}/webapps/examples/WEB-INF/lib/driver.jar!/-" {
+// permission java.net.SocketPermission "dbhost.mycompany.com:5432", "connect";
+// };
+// The permission granted to the scrape taglib
+// grant codeBase "jar:file:${catalina.base}/webapps/examples/WEB-INF/lib/scrape.jar!/-" {
+// permission java.net.SocketPermission "*.noaa.gov:80", "connect";
+// };
+
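Review bot: This policy is only enforced when Catalina runs with the `-security` option, and nothing in it grants the PKI webapps or the jars under [TOMCAT_INSTANCE_COMMON_LIB] anything beyond the default web-application block, so under a security manager the CA/KRA servlets (reading conf/CS.cfg, opening LDAP sockets, loading native JSS code) would be denied; the AllPermission grants cover only `${java.home}` and `${catalina.home}` code. Either add codeBase grants for the PKI code or state in the header that the instance is not started with `-security` and the file is carried for completeness — the "Modifications: configuration parameters" line suggests local changes, but the body is byte-for-byte the Tomcat 7 default. I cannot see tomcat.conf or pki-tomcatd@.service in this view to tell which is intended.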
diff --git a/base/common/shared/conf/catalina.properties b/base/common/shared/conf/catalina.properties
new file mode 100644
index 000000000..003089a43
--- /dev/null
+++ b/base/common/shared/conf/catalina.properties
@@ -0,0 +1,125 @@
+# --- BEGIN COPYRIGHT BLOCK ---
+# Copyright (C) 2012 Red Hat, Inc.
+# All rights reserved.
+# Modifications: configuration parameters
+# --- END COPYRIGHT BLOCK ---
+
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+#
+# List of comma-separated packages that start with or equal this string
+# will cause a security exception to be thrown when
+# passed to checkPackageAccess unless the
+# corresponding RuntimePermission ("accessClassInPackage."+package) has
+# been granted.
+package.access=sun.,org.apache.catalina.,org.apache.coyote.,org.apache.tomcat.,org.apache.jasper.
+#
+# List of comma-separated packages that start with or equal this string
+# will cause a security exception to be thrown when
+# passed to checkPackageDefinition unless the
+# corresponding RuntimePermission ("defineClassInPackage."+package) has
+# been granted.
+#
+# by default, no packages are restricted for definition, and none of
+# the class loaders supplied with the JDK call checkPackageDefinition.
+#
+package.definition=sun.,java.,org.apache.catalina.,org.apache.coyote.,org.apache.tomcat.,org.apache.jasper.
+
+#
+#
+# List of comma-separated paths defining the contents of the "common"
+# classloader. Prefixes should be used to define what is the repository type.
+# Path may be relative to the CATALINA_HOME or CATALINA_BASE path or absolute.
+# If left as blank,the JVM system loader will be used as Catalina's "common"
+# loader.
+# Examples:
+# "foo": Add this folder as a class repository
+# "foo/*.jar": Add all the JARs of the specified folder as class
+# repositories
+# "foo/bar.jar": Add bar.jar as a class repository
+common.loader=${catalina.base}/lib,${catalina.base}/lib/*.jar,${catalina.home}/lib,${catalina.home}/lib/*.jar,[TOMCAT_INSTANCE_COMMON_LIB]
+
+#
+# List of comma-separated paths defining the contents of the "server"
+# classloader. Prefixes should be used to define what is the repository type.
+# Path may be relative to the CATALINA_HOME or CATALINA_BASE path or absolute.
+# If left as blank, the "common" loader will be used as Catalina's "server"
+# loader.
+# Examples:
+# "foo": Add this folder as a class repository
+# "foo/*.jar": Add all the JARs of the specified folder as class
+# repositories
+# "foo/bar.jar": Add bar.jar as a class repository
+server.loader=
+
+#
+# List of comma-separated paths defining the contents of the "shared"
+# classloader. Prefixes should be used to define what is the repository type.
+# Path may be relative to the CATALINA_BASE path or absolute. If left as blank,
+# the "common" loader will be used as Catalina's "shared" loader.
+# Examples:
+# "foo": Add this folder as a class repository
+# "foo/*.jar": Add all the JARs of the specified folder as class
+# repositories
+# "foo/bar.jar": Add bar.jar as a class repository
+# Please note that for single jars, e.g. bar.jar, you need the URL form
+# starting with file:.
+shared.loader=
+
+# List of JAR files that should not be scanned for configuration information
+# such as web fragments, TLD files etc. It must be a comma separated list of
+# JAR file names.
+# The JARs listed below include:
+# - Tomcat Bootstrap JARs
+# - Tomcat API JARs
+# - Catalina JARs
+# - Jasper JARs
+# - Tomcat JARs
+# - Common non-Tomcat JARs
+# - Sun JDK JARs
+# - Apple JDK JARs
+tomcat.util.scan.DefaultJarScanner.jarsToSkip=\
+bootstrap.jar,commons-daemon.jar,tomcat-juli.jar,\
+annotations-api.jar,el-api.jar,jsp-api.jar,servlet-api.jar,\
+catalina.jar,catalina-ant.jar,catalina-ha.jar,catalina-tribes.jar,\
+jasper.jar,jasper-el.jar,ecj-*.jar,\
+tomcat-api.jar,tomcat-util.jar,tomcat-coyote.jar,tomcat-dbcp.jar,\
+tomcat-i18n-en.jar,tomcat-i18n-es.jar,tomcat-i18n-fr.jar,tomcat-i18n-ja.jar,\
+tomcat-juli-adapters.jar,catalina-jmx-remote.jar,catalina-ws.jar,\
+tomcat-jdbc.jar,\
+commons-beanutils*.jar,commons-codec*.jar,commons-collections*.jar,\
+commons-dbcp*.jar,commons-digester*.jar,commons-fileupload*.jar,\
+commons-httpclient*.jar,commons-io*.jar,commons-lang*.jar,commons-logging*.jar,\
+commons-math*.jar,commons-pool*.jar,\
+jstl.jar,\
+geronimo-spec-jaxrpc*.jar,wsdl4j*.jar,\
+ant.jar,ant-junit*.jar,aspectj*.jar,jmx.jar,h2*.jar,hibernate*.jar,httpclient*.jar,\
+jmx-tools.jar,jta*.jar,log4j*.jar,mail*.jar,slf4j*.jar,\
+xercesImpl.jar,xmlParserAPIs.jar,xml-apis.jar,\
+dnsns.jar,ldapsec.jar,localedata.jar,sunjce_provider.jar,sunmscapi.jar,\
+sunpkcs11.jar,jhall.jar,tools.jar,\
+sunec.jar,zipfs.jar,\
+apple_provider.jar,AppleScriptEngine.jar,CoreAudio.jar,dns_sd.jar,\
+j3daudio.jar,j3dcore.jar,j3dutils.jar,jai_core.jar,jai_codec.jar,\
+mlibwrapper_jai.jar,MRJToolkit.jar,vecmath.jar,\
+junit.jar,junit-*.jar,ant-launcher.jar
+
+#
+# String cache configuration.
+tomcat.util.buf.StringCache.byte.enabled=true
+#tomcat.util.buf.StringCache.char.enabled=true
+#tomcat.util.buf.StringCache.trainThreshold=500000
+#tomcat.util.buf.StringCache.cacheSize=5000
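Review bot: `common.loader` now appends [TOMCAT_INSTANCE_COMMON_LIB] and lists `${catalina.base}/lib` ahead of `${catalina.home}/lib`, so every jar in the instance-local directory is loaded into the common class loader shared by all webapps and shadows the distribution's Tomcat jars. If that directory is owned by or writable to the PKI_USER the instance runs as, a compromised webapp can drop a jar there that is loaded with full trust at the next restart. A comment above the line should state the ownership requirement, e.g. `# [TOMCAT_INSTANCE_COMMON_LIB] feeds the shared "common" class loader; it must be root-owned and not writable by the instance user.`, and the deployment scriptlets should enforce it — I cannot see from this hunk whether they do.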
diff --git a/base/common/shared/conf/context.xml b/base/common/shared/conf/context.xml
new file mode 100644
index 000000000..4b00dbe3c
--- /dev/null
+++ b/base/common/shared/conf/context.xml
@@ -0,0 +1,42 @@
+<?xml version='1.0' encoding='utf-8'?>
+<!-- BEGIN COPYRIGHT BLOCK
+ Copyright (C) 2012 Red Hat, Inc.
+ All rights reserved.
+ Modifications: configuration parameters
+ END COPYRIGHT BLOCK
+-->
+
+<!--
+ Licensed to the Apache Software Foundation (ASF) under one or more
+ contributor license agreements. See the NOTICE file distributed with
+ this work for additional information regarding copyright ownership.
+ The ASF licenses this file to You under the Apache License, Version 2.0
+ (the "License"); you may not use this file except in compliance with
+ the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+-->
+<!-- The contents of this file will be loaded for each web application -->
+<Context>
+
+ <!-- Default set of monitored resources -->
+ <WatchedResource>WEB-INF/web.xml</WatchedResource>
+
+ <!-- Uncomment this to disable session persistence across Tomcat restarts -->
+ <!--
+ <Manager pathname="" />
+ -->
+
+ <!-- Uncomment this to enable Comet connection tacking (provides events
+ on session expiration as well as webapp lifecycle) -->
+ <!--
+ <Valve className="org.apache.catalina.valves.CometConnectionManagerValve" />
+ -->
+
+</Context>
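Review bot: With `<Manager pathname="" />` left commented out, the file's own comment notes that sessions persist across Tomcat restarts — Tomcat's default manager serializes active HTTP sessions to disk at shutdown and restores them at startup. For a CA/KRA where agent and admin sessions carry authenticated identity, resurrecting those sessions from a file after a restart is usually unwanted; consider uncommenting `<Manager pathname="" />` for PKI instances, or add a comment explaining why persistence is kept. The copyright block claims "Modifications: configuration parameters", but the content is the stock Tomcat default.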
diff --git a/base/common/shared/conf/log4j.properties b/base/common/shared/conf/log4j.properties
new file mode 100644
index 000000000..5861ec750
--- /dev/null
+++ b/base/common/shared/conf/log4j.properties
@@ -0,0 +1,17 @@
+# --- BEGIN COPYRIGHT BLOCK ---
+# Copyright (C) 2012 Red Hat, Inc.
+# All rights reserved.
+# Modifications: configuration parameters
+# --- END COPYRIGHT BLOCK ---
+
+log4j.rootLogger=debug, R
+log4j.appender.R=org.apache.log4j.RollingFileAppender
+log4j.appender.R.File=${catalina.home}/logs/tomcat.log
+log4j.appender.R.MaxFileSize=10MB
+log4j.appender.R.MaxBackupIndex=10
+log4j.appender.R.layout=org.apache.log4j.PatternLayout
+log4j.appender.R.layout.ConversionPattern=%p %t %c - %m%n
+log4j.logger.org.apache.catalina=DEBUG, R
+log4j.logger.org.apache.catalina.core.ContainerBase.[Catalina].[localhost]=DEBUG, R
+log4j.logger.org.apache.catalina.core=DEBUG, R
+log4j.logger.org.apache.catalina.session=DEBUG, R
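Review bot: The appender writes to `${catalina.home}/logs/tomcat.log`, but this commit sets CATALINA_BASE per instance (pkidaemon_registry) while catalina.home remains the shared Tomcat installation, so every PKI instance would log to one file in a directory the instance user may not own, and rollover would interleave instances; use `log4j.appender.R.File=${catalina.base}/logs/tomcat.log`. `log4j.rootLogger=debug, R` plus four explicit DEBUG loggers is also very chatty for a production CA and can surface request details in logs; `log4j.rootLogger=info, R` is a safer default with DEBUG left for troubleshooting. Whether log4j is actually on the instance classpath is not visible from this diff.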
diff --git a/base/common/shared/conf/logging.properties b/base/common/shared/conf/logging.properties
new file mode 100644
index 000000000..f1fb462aa
--- /dev/null
+++ b/base/common/shared/conf/logging.properties
@@ -0,0 +1,70 @@
+# --- BEGIN COPYRIGHT BLOCK ---
+# Copyright (C) 2012 Red Hat, Inc.
+# All rights reserved.
+# Modifications: configuration parameters
+# --- END COPYRIGHT BLOCK ---
+
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+handlers = 1catalina.org.apache.juli.FileHandler, 2localhost.org.apache.juli.FileHandler, 3manager.org.apache.juli.FileHandler, 4host-manager.org.apache.juli.FileHandler, java.util.logging.ConsoleHandler
+
+.handlers = 1catalina.org.apache.juli.FileHandler, java.util.logging.ConsoleHandler
+
+############################################################
+# Handler specific properties.
+# Describes specific configuration info for Handlers.
+############################################################
+
+1catalina.org.apache.juli.FileHandler.level = FINE
+1catalina.org.apache.juli.FileHandler.directory = ${catalina.base}/logs
+1catalina.org.apache.juli.FileHandler.prefix = catalina.
+
+2localhost.org.apache.juli.FileHandler.level = FINE
+2localhost.org.apache.juli.FileHandler.directory = ${catalina.base}/logs
+2localhost.org.apache.juli.FileHandler.prefix = localhost.
+
+3manager.org.apache.juli.FileHandler.level = FINE
+3manager.org.apache.juli.FileHandler.directory = ${catalina.base}/logs
+3manager.org.apache.juli.FileHandler.prefix = manager.
+
+4host-manager.org.apache.juli.FileHandler.level = FINE
+4host-manager.org.apache.juli.FileHandler.directory = ${catalina.base}/logs
+4host-manager.org.apache.juli.FileHandler.prefix = host-manager.
+
+java.util.logging.ConsoleHandler.level = FINE
+java.util.logging.ConsoleHandler.formatter = java.util.logging.SimpleFormatter
+
+
+############################################################
+# Facility specific properties.
+# Provides extra control for each logger.
+############################################################
+
+org.apache.catalina.core.ContainerBase.[Catalina].[localhost].level = INFO
+org.apache.catalina.core.ContainerBase.[Catalina].[localhost].handlers = 2localhost.org.apache.juli.FileHandler
+
+org.apache.catalina.core.ContainerBase.[Catalina].[localhost].[/manager].level = INFO
+org.apache.catalina.core.ContainerBase.[Catalina].[localhost].[/manager].handlers = 3manager.org.apache.juli.FileHandler
+
+org.apache.catalina.core.ContainerBase.[Catalina].[localhost].[/host-manager].level = INFO
+org.apache.catalina.core.ContainerBase.[Catalina].[localhost].[/host-manager].handlers = 4host-manager.org.apache.juli.FileHandler
+
+# For example, set the org.apache.catalina.util.LifecycleBase logger to log
+# each component that extends LifecycleBase changing state:
+#org.apache.catalina.util.LifecycleBase.level = FINE
+
+# To see debug messages in TldLocationsCache, uncomment the following line:
+#org.apache.jasper.compiler.TldLocationsCache.level = FINE
diff --git a/base/common/shared/conf/server.xml b/base/common/shared/conf/server.xml
new file mode 100644
index 000000000..d5788552c
--- /dev/null
+++ b/base/common/shared/conf/server.xml
@@ -0,0 +1,304 @@
+<?xml version='1.0' encoding='utf-8'?>
+<!-- BEGIN COPYRIGHT BLOCK
+ Copyright (C) 2012 Red Hat, Inc.
+ All rights reserved.
+ Modifications: configuration parameters
+ END COPYRIGHT BLOCK -->
+<!--
+ Licensed to the Apache Software Foundation (ASF) under one or more
+ contributor license agreements. See the NOTICE file distributed with
+ this work for additional information regarding copyright ownership.
+ The ASF licenses this file to You under the Apache License, Version 2.0
+ (the "License"); you may not use this file except in compliance with
+ the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+-->
+<!-- Note: A "Server" is not itself a "Container", so you may not
+ define subcomponents such as "Valves" at this level.
+ Documentation at /docs/config/server.html
+-->
+
+<!-- DO NOT REMOVE - Begin PKI Status Definitions -->
+<!-- CA Status Definitions -->
+<!--
+Unsecure Port = http://[PKI_MACHINE_NAME]:[PKI_UNSECURE_PORT]/ca/ee/ca
+Secure Agent Port = https://[PKI_MACHINE_NAME]:[PKI_AGENT_SECURE_PORT]/ca/agent/ca
+Secure EE Port = https://[PKI_MACHINE_NAME]:[PKI_EE_SECURE_PORT]/ca/ee/ca
+Secure Admin Port = https://[PKI_MACHINE_NAME]:[PKI_ADMIN_SECURE_PORT]/ca/services
+EE Client Auth Port = https://[PKI_MACHINE_NAME]:[PKI_EE_SECURE_CLIENT_AUTH_PORT]/ca/eeca/ca
+PKI Console Port = pkiconsole https://[PKI_MACHINE_NAME]:[PKI_ADMIN_SECURE_PORT]/ca
+Tomcat Port = [TOMCAT_SERVER_PORT] (for shutdown)
+-->
+<!-- KRA Status Definitions -->
+<!--
+Unsecure Port = http://[PKI_MACHINE_NAME]:[PKI_UNSECURE_PORT]/kra/ee/kra
+Secure Agent Port = https://[PKI_MACHINE_NAME]:[PKI_AGENT_SECURE_PORT]/kra/agent/kra
+Secure EE Port = https://[PKI_MACHINE_NAME]:[PKI_EE_SECURE_PORT]/kra/ee/kra
+Secure Admin Port = https://[PKI_MACHINE_NAME]:[PKI_ADMIN_SECURE_PORT]/kra/services
+PKI Console Port = pkiconsole https://[PKI_MACHINE_NAME]:[PKI_ADMIN_SECURE_PORT]/kra
+Tomcat Port = [TOMCAT_SERVER_PORT] (for shutdown)
+-->
+<!-- OCSP Status Definitions -->
+<!--
+Unsecure Port = http://[PKI_MACHINE_NAME]:[PKI_UNSECURE_PORT]/ocsp/ee/ocsp
+Secure Agent Port = https://[PKI_MACHINE_NAME]:[PKI_AGENT_SECURE_PORT]/ocsp/agent/ocsp
+Secure EE Port = https://[PKI_MACHINE_NAME]:[PKI_EE_SECURE_PORT]/ocsp/ee/ocsp
+Secure Admin Port = https://[PKI_MACHINE_NAME]:[PKI_ADMIN_SECURE_PORT]/ocsp/services
+PKI Console Port = pkiconsole https://[PKI_MACHINE_NAME]:[PKI_ADMIN_SECURE_PORT]/ocsp
+Tomcat Port = [TOMCAT_SERVER_PORT] (for shutdown)
+-->
+<!-- TKS Status Definitions -->
+<!--
+Unsecure Port = http://[PKI_MACHINE_NAME]:[PKI_UNSECURE_PORT]/tks/ee/tks
+Secure Agent Port = https://[PKI_MACHINE_NAME]:[PKI_AGENT_SECURE_PORT]/tks/agent/tks
+Secure EE Port = https://[PKI_MACHINE_NAME]:[PKI_EE_SECURE_PORT]/tks/ee/tks
+Secure Admin Port = https://[PKI_MACHINE_NAME]:[PKI_ADMIN_SECURE_PORT]/tks/services
+PKI Console Port = pkiconsole https://[PKI_MACHINE_NAME]:[PKI_ADMIN_SECURE_PORT]/tks
+Tomcat Port = [TOMCAT_SERVER_PORT] (for shutdown)
+-->
+<!-- DO NOT REMOVE - End PKI Status Definitions -->
+
+<Server port="[TOMCAT_SERVER_PORT]" shutdown="SHUTDOWN">
+
+ <!--APR library loader. Documentation at /docs/apr.html -->
+ <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />
+ <!--Initialize Jasper prior to webapps are loaded. Documentation at /docs/jasper-howto.html -->
+ <Listener className="org.apache.catalina.core.JasperListener" />
+ <!-- JMX Support for the Tomcat server. Documentation at /docs/non-existent.html -->
+ <!-- The following class has been commented out because it -->
+ <!-- has been EXCLUDED from the Tomcat 7 'tomcat-lib' RPM! -->
+ <!-- Listener className="org.apache.catalina.mbeans.ServerLifecycleListener" -->
+ <Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener" />
+
+ <!-- Global JNDI resources
+ Documentation at /docs/jndi-resources-howto.html
+ -->
+ <GlobalNamingResources>
+ <!-- Editable user database that can also be used by
+ UserDatabaseRealm to authenticate users
+ -->
+ <Resource name="UserDatabase" auth="Container"
+ type="org.apache.catalina.UserDatabase"
+ description="User database that can be updated and saved"
+ factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
+ pathname="conf/tomcat-users.xml" />
+ </GlobalNamingResources>
+
+ <!-- A "Service" is a collection of one or more "Connectors" that share
+ a single "Container" Note: A "Service" is not itself a "Container",
+ so you may not define subcomponents such as "Valves" at this level.
+ Documentation at /docs/config/service.html
+ -->
+ <Service name="Catalina">
+
+ <!--The connectors can use a shared executor, you can define one or more named thread pools-->
+ <!--
+ <Executor name="tomcatThreadPool" namePrefix="catalina-exec-"
+ maxThreads="150" minSpareThreads="4"/>
+ -->
+
+
+ <!-- A "Connector" represents an endpoint by which requests are received
+ and responses are returned. Documentation at :
+ Java HTTP Connector: /docs/config/http.html (blocking & non-blocking)
+ Java AJP Connector: /docs/config/ajp.html
+ APR (HTTP/AJP) Connector: /docs/apr.html
+ Define a non-SSL HTTP/1.1 Connector on port 8080
+ -->
+
+ [PKI_UNSECURE_PORT_SERVER_COMMENT]
+ <Connector name="[PKI_UNSECURE_PORT_CONNECTOR_NAME]" port="[PKI_UNSECURE_PORT]" protocol="HTTP/1.1" redirectPort="8443"
+ maxHttpHeaderSize="8192"
+ acceptCount="100" maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
+ enableLookups="false" connectionTimeout="20000" disableUploadTimeout="true"
+ />
+
+ <!-- Define a SSL HTTP/1.1 Connector on port 8443 -->
+ [PKI_SECURE_PORT_SERVER_COMMENT]
+ <!-- DO NOT REMOVE - Begin define PKI secure port
+ 1
+ NOTE: The OCSP settings take effect globally, so it should only be set once.
+
+ In setup where SSL clientAuth="true", OCSP can be turned on by
+ setting enableOCSP to true like the following:
+ enableOCSP="true"
+ along with changes to related settings, especially:
+ ocspResponderURL=<see example in connector definition below>
+ ocspResponderCertNickname=<see example in connector definition below>
+ Here are the definition to all the OCSP-related settings:
+ enableOCSP - turns on/off the ocsp check
+ ocspResponderURL - sets the url where the ocsp requests are sent
+ ocspResponderCertNickname - sets the nickname of the cert that is
+ either CA's signing certificate or the OCSP server's signing
+ certificate.
+ The CA's signing certificate should already be in the db, in
+ case of the same security domain.
+ In case of an ocsp signing certificate, one must import the cert
+ into the subsystem's nss db and set trust. e.g.:
+ certutil -d . -A -n "ocspSigningCert cert-pki-ca" -t "C,," -a -i ocspCert.b64
+ ocspCacheSize - sets max cache entries
+ ocspMinCacheEntryDuration - sets minimum seconds to next fetch attempt
+ ocspMaxCacheEntryDuration - sets maximum seconds to next fetch attempt
+ ocspTimeout -sets OCSP timeout in seconds
+ -->
+ <Connector name="[PKI_SECURE_PORT_CONNECTOR_NAME]" port="[PKI_SECURE_PORT]" protocol="HTTP/1.1" SSLEnabled="true" sslProtocol="SSL" scheme="https" secure="true"
+ maxHttpHeaderSize="8192"
+ acceptCount="100" maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
+ enableLookups="false" disableUploadTimeout="true"
+ SSLImplementation="org.apache.tomcat.util.net.jss.JSSImplementation"
+ enableOCSP="false"
+ ocspResponderURL="http://[PKI_MACHINE_NAME]:9080/ca/ocsp"
+ ocspResponderCertNickname="ocspSigningCert cert-pki-ca"
+ ocspCacheSize="1000"
+ ocspMinCacheEntryDuration="60"
+ ocspMaxCacheEntryDuration="120"
+ ocspTimeout="10"
+ strictCiphers="false"
+ clientAuth="[PKI_AGENT_CLIENTAUTH]"
+ sslOptions="[TOMCAT_SSL_OPTIONS]"
+ ssl2Ciphers="[TOMCAT_SSL2_CIPHERS]"
+ ssl3Ciphers="[TOMCAT_SSL3_CIPHERS]"
+ tlsCiphers="[TOMCAT_TLS_CIPHERS]"
+ serverCertNickFile="[PKI_INSTANCE_PATH]/conf/serverCertNick.conf"
+ passwordFile="[PKI_INSTANCE_PATH]/conf/password.conf"
+ passwordClass="org.apache.tomcat.util.net.jss.PlainPasswordFile"
+ certdbDir="[PKI_INSTANCE_PATH]/alias"
+ />
+ <!-- DO NOT REMOVE - End define PKI secure port -->
+
+ <!-- A "Connector" using the shared thread pool-->
+ <!--
+ <Connector executor="tomcatThreadPool"
+ port="8080" protocol="HTTP/1.1"
+ connectionTimeout="20000"
+ redirectPort="8443" />
+ -->
+ <!-- Define a SSL HTTP/1.1 Connector on port 8443
+ This connector uses the JSSE configuration, when using APR, the
+ connector should be using the OpenSSL style configuration
+ described in the APR documentation -->
+ <!--
+ <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
+ maxThreads="150" scheme="https" secure="true"
+ clientAuth="false" sslProtocol="TLS" />
+ -->
+
+ <!-- Define an AJP 1.3 Connector on port [PKI_AJP_PORT] -->
+[PKI_OPEN_AJP_PORT_COMMENT]
+ <Connector port="[PKI_AJP_PORT]" protocol="AJP/1.3" redirectPort="[PKI_AJP_REDIRECT_PORT]" />
+[PKI_CLOSE_AJP_PORT_COMMENT]
+
+
+ <!-- An Engine represents the entry point (within Catalina) that processes
+ every request. The Engine implementation for Tomcat stand alone
+ analyzes the HTTP headers included with the request, and passes them
+ on to the appropriate Host (virtual host).
+ Documentation at /docs/config/engine.html -->
+
+ <!-- You should set jvmRoute to support load-balancing via AJP ie :
+ <Engine name="Catalina" defaultHost="localhost" jvmRoute="jvm1">
+ -->
+ <Engine name="Catalina" defaultHost="localhost">
+
+ <!--For clustering, please take a look at documentation at:
+ /docs/cluster-howto.html (simple how to)
+ /docs/config/cluster.html (reference documentation) -->
+ <!--
+ <Cluster className="org.apache.catalina.ha.tcp.SimpleTcpCluster"/>
+ -->
+
+ <!-- The request dumper valve dumps useful debugging information about
+ the request and response data received and sent by Tomcat.
+ Documentation at: /docs/config/valve.html -->
+ <!--
+ <Valve className="org.apache.catalina.valves.RequestDumperValve"/>
+ -->
+
+ <!-- This Realm uses the UserDatabase configured in the global JNDI
+ resources under the key "UserDatabase". Any edits
+ that are performed against this UserDatabase are immediately
+ available for use by the Realm. -->
+
+ <!--
+ <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
+ resourceName="UserDatabase"/>
+ -->
+
+ <!-- Custom PKIJNDI realm
+
+ Example:
+
+ <Realm className="com.netscape.cmscore.realm.PKIJNDIRealm" : classpath to realm
+ connectionURL="ldap://localhost:389" : standard JNDI connection URL
+ userBase="ou=people,dc=localhost-pki-kra" : standard JNDI userBase property
+ userSearch="(description={0})" : Attribute to search for user of incoming client auth certificate
+ : Use userSearch="(UID={0})" if wanting to search isolate user based on UID
+ : Also set the following: certUIDLabel="UID" or whatever the field containing
+ : the user's UID happens to be. This will cause the incoming's cert dn to be
+ : be searched for <certUIDLabel>=<uid value>
+
+ certAttrName="userCertificate" : Attribute containing user's client auth certificate
+ roleBase="ou=groups,dc=localhost-pki-kra" : Standard JNDI search base for roles or groups
+ roleName="cn" : Standard attribute name containg roles or groups
+ roleSubtree="true" : Standard JNDI roleSubtree property
+ roleSearch="(uniqueMember={0})" : How to search for a user in a specific role or group
+ connectionName="cn=Directory Manager" : Connection name, needs elevated privileges
+ connectionPassword="secret123" : Password for elevated user
+ aclBase ="cn=aclResources,dc=localhost-pki-kra" : Custom base location of PKI ACL's in directory
+ aclAttrName="resourceACLS" : Name of attribute containing PKI ACL's
+ />
+
+ Uncomment and customize below to activate Realm.
+ Also umcomment Security Constraints and login config values
+ in WEB-INF/web.xml as well.
+ -->
+
+ <!--
+ <Realm className="com.netscape.cmscore.realm.PKIJNDIRealm"
+ connectionURL="ldap://localhost:389"
+ userBase="ou=people,dc=localhost-pki-kra"
+ userSearch="(description={0})"
+ certAttrName="userCertificate"
+ roleBase="ou=groups,dc=localhost-pki-kra"
+ roleName="cn"
+ roleSubtree="true"
+ roleSearch="(uniqueMember={0})"
+ connectionName="cn=Directory Manager"
+ connectionPassword="netscape"
+ aclBase ="cn=aclResources,dc=localhost-pki-kra"
+ aclAttrName="resourceACLS"
+ />
+
+ -->
+
+ <!-- Define the default virtual host
+ Note: XML Schema validation will not work with Xerces 2.2.
+ -->
+ <Host name="localhost" appBase="webapps"
+ unpackWARs="true" autoDeploy="false"
+ xmlValidation="false" xmlNamespaceAware="false">
+
+ <!-- SingleSignOn valve, share authentication between web applications
+ Documentation at: /docs/config/valve.html -->
+ <!--
+ <Valve className="org.apache.catalina.authenticator.SingleSignOn" />
+ -->
+
+ <!-- Access log processes all example.
+ Documentation at: /docs/config/valve.html -->
+ <!--
+ <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
+ prefix="localhost_access_log." suffix=".txt" pattern="common" resolveHosts="false"/>
+ -->
+
+ </Host>
+ </Engine>
+ </Service>
+</Server>
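Review bot: The unsecure connector hardcodes `redirectPort="8443"` while this instance's TLS port is the `[PKI_SECURE_PORT]` slot on the secure connector below it, so a container-managed redirect of a request that a security constraint requires over SSL would be sent to a port the instance may not be listening on; use `redirectPort="[PKI_SECURE_PORT]"`. The same pattern appears in `ocspResponderURL="http://[PKI_MACHINE_NAME]:9080/ca/ocsp"`, where 9080 is the only port in the file that is not a slot and is presumably wrong for any CA whose unsecure port differs. The secure connector also ships `strictCiphers="false"` next to the `[TOMCAT_SSL_OPTIONS]`, `[TOMCAT_SSL2_CIPHERS]` and `[TOMCAT_SSL3_CIPHERS]` slots with no comment on what the deployed values are expected to be; a one-line note inside the "DO NOT REMOVE" block stating which of these slots is expected to disable the SSL2/SSL3 suites would help whoever audits a deployed instance later.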
diff --git a/base/common/shared/conf/tomcat-users.xml b/base/common/shared/conf/tomcat-users.xml
new file mode 100644
index 000000000..f84711c0b
--- /dev/null
+++ b/base/common/shared/conf/tomcat-users.xml
@@ -0,0 +1,62 @@
+<?xml version='1.0' encoding='utf-8'?>
+<!-- BEGIN COPYRIGHT BLOCK
+ Copyright (C) 2012 Red Hat, Inc.
+ All rights reserved.
+ Modifications: configuration parameters
+ END COPYRIGHT BLOCK
+-->
+
+<!--
+ Licensed to the Apache Software Foundation (ASF) under one or more
+ contributor license agreements. See the NOTICE file distributed with
+ this work for additional information regarding copyright ownership.
+ The ASF licenses this file to You under the Apache License, Version 2.0
+ (the "License"); you may not use this file except in compliance with
+ the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+-->
+<tomcat-users>
+<!--
+ NOTE: By default, no user is included in the "manager-gui" role required
+ to operate the "/manager/html" web application. If you wish to use this app,
+ you must define such a user - the username and password are arbitrary.
+-->
+<!--
+ NOTE: The sample user and role entries below are wrapped in a comment
+ and thus are ignored when reading this file. Do not forget to remove
+ <!.. ..> that surrounds them.
+-->
+<!--
+ <role rolename="tomcat"/>
+ <role rolename="role1"/>
+ <user username="tomcat" password="tomcat" roles="tomcat"/>
+ <user username="both" password="tomcat" roles="tomcat,role1"/>
+ <user username="role1" password="tomcat" roles="role1"/>
+-->
+
+ <role rolename="pkiuser"/>
+ <role rolename="tomcat"/>
+ <role rolename="manager"/>
+ <role rolename="admin"/>
+
+ <user username="pkiuser" password="pkiuser" roles="pkiuser"/>
+ <user username="tomcat" password="tomcat" roles="tomcat"/>
+ <user username="admin" password="netscape" roles="admin,manager"/>
+
+<!-- <role rolename="admin"/> -->
+<!-- <role rolename="admin-gui"/> -->
+<!-- <role rolename="admin-script"/> -->
+<!-- <role rolename="manager"/> -->
+<!-- <role rolename="manager-gui"/> -->
+<!-- <role rolename="manager-script"/> -->
+<!-- <role rolename="manager-jmx"/> -->
+<!-- <role rolename="manager-status"/> -->
+<!-- <user name="admin" password="adminadmin" roles="admin,manager,admin-gui,admin-script,manager-gui,manager-script,manager-jmx,manager-status" /> -->
+</tomcat-users>
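Review bot: Three enabled accounts with fixed, well-known passwords are shipped in the packaged default (`pkiuser`/`pkiuser`, `tomcat`/`tomcat`, and `admin`/`netscape` holding `admin,manager`), while the Apache sample users directly above them stay inside a comment. In the server.xml added by this commit the `UserDatabase` resource still loads this file even though the `UserDatabaseRealm` is commented out, so the entries appear inert today but become live credentials the moment a realm or the manager application is enabled. Prefer shipping the three `<user>` lines commented out like the sample, or have the deployment scriptlets fill a slot with a per-instance generated password, and say in the header comment which of the two is intended.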
diff --git a/base/ca/shared/conf/tomcat.conf b/base/common/shared/conf/tomcat.conf
index 92af5f8b9..aa7fefd19 100644
--- a/base/ca/shared/conf/tomcat.conf
+++ b/base/common/shared/conf/tomcat.conf
@@ -1,3 +1,9 @@
+# --- BEGIN COPYRIGHT BLOCK ---
+# Copyright (C) 2012 Red Hat, Inc.
+# All rights reserved.
+# Modifications: configuration parameters
+# --- END COPYRIGHT BLOCK ---
+
# System-wide configuration file for tomcat services
# This will be sourced by tomcat and any secondary service
# Values will be overridden by service-specific configuration
diff --git a/base/common/shared/lib/systemd/system/pki-tomcatd.target b/base/common/shared/lib/systemd/system/pki-tomcatd.target
new file mode 100644
index 000000000..633beae71
--- /dev/null
+++ b/base/common/shared/lib/systemd/system/pki-tomcatd.target
@@ -0,0 +1,8 @@
+[Unit]
+Description=PKI Tomcat Server
+After=syslog.target network.target
+
+[Install]
+WantedBy=multi-user.target
+
+
diff --git a/base/common/shared/lib/systemd/system/pki-tomcatd@.service b/base/common/shared/lib/systemd/system/pki-tomcatd@.service
new file mode 100644
index 000000000..12bcf75a0
--- /dev/null
+++ b/base/common/shared/lib/systemd/system/pki-tomcatd@.service
@@ -0,0 +1,13 @@
+[Unit]
+Description=PKI Tomcat Server %i
+After=pki-tomcatd.target
+BindTo=pki-tomcatd.target
+
+[Service]
+Type=forking
+ExecStart=/usr/bin/pkidaemon start tomcat %i
+ExecStop=/usr/bin/pkidaemon stop tomcat %i
+
+[Install]
+WantedBy=multi-user.target
+
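Review bot: `Type=forking` is declared without a `PIDFile=`, so systemd has to guess the main process of each `%i` instance after `pkidaemon start tomcat %i` forks and may track the wrong one, which makes stop and status reporting for the template unreliable. Add `PIDFile=<pid file pkidaemon writes for instance %i>` (placeholder; the path must match what pkidaemon actually writes) next to `Type=forking`. A short comment above `[Service]` stating that privilege handling is left to pkidaemon would also help, since the unit runs `ExecStart` as root and the operations script in this commit refuses to run as anything else.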
diff --git a/base/deploy/CMakeLists.txt b/base/deploy/CMakeLists.txt
index 44705818c..c7c4bd19b 100644
--- a/base/deploy/CMakeLists.txt
+++ b/base/deploy/CMakeLists.txt
@@ -23,6 +23,7 @@ set(APACHE_SUBSYSTEMS
install(
FILES
+ scripts/pkidaemon
src/pkispawn
src/pkidestroy
DESTINATION
@@ -35,6 +36,17 @@ install(
install(
FILES
+ scripts/operations
+ DESTINATION
+ ${DATA_INSTALL_DIR}/scripts/
+ PERMISSIONS
+ OWNER_EXECUTE OWNER_WRITE OWNER_READ
+ GROUP_EXECUTE GROUP_READ
+ WORLD_EXECUTE WORLD_READ
+)
+
+install(
+ FILES
config/pkideployment.cfg
config/pkislots.cfg
DESTINATION
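Review bot: `scripts/operations` is installed with `OWNER_EXECUTE`, `GROUP_EXECUTE` and `WORLD_EXECUTE`, yet the file added later in this commit reads `$command`, `$SERVICE_NAME` and `$PKI_REGISTRY` without ever setting them, so it appears to be a library sourced by pkidaemon rather than a program meant to be run from `${DATA_INSTALL_DIR}/scripts/`. If so, drop the execute bits, keep `OWNER_WRITE OWNER_READ GROUP_READ WORLD_READ`, and add `# operations is sourced by pkidaemon, not executed directly` above this `install()` so the next reader does not treat it as an entry point. If it really is meant to run standalone, its `#!/bin/bash -X` shebang needs a second look, since bash accepts `-x` but not `-X`.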
@@ -97,8 +109,8 @@ install(
)
# install empty directories
-#install(CODE "file(MAKE_DIRECTORY \$ENV{DESTDIR}${VAR_INSTALL_DIR}/lock/pki)")
-#install(CODE "file(MAKE_DIRECTORY \$ENV{DESTDIR}${VAR_INSTALL_DIR}/run/pki)")
+install(CODE "file(MAKE_DIRECTORY \$ENV{DESTDIR}${VAR_INSTALL_DIR}/lock/pki)")
+install(CODE "file(MAKE_DIRECTORY \$ENV{DESTDIR}${VAR_INSTALL_DIR}/run/pki)")
# install subsystem directories for pkispawn and pkidestroy
foreach(PKI_SUBSYSTEM ${PKI_SUBSYSTEMS})
diff --git a/base/deploy/config/pkideployment.cfg b/base/deploy/config/pkideployment.cfg
index c9c356043..dd688ed09 100644
--- a/base/deploy/config/pkideployment.cfg
+++ b/base/deploy/config/pkideployment.cfg
@@ -15,23 +15,20 @@ pki_ajp_port=8009
pki_proxy_http_port=80
pki_proxy_https_port=443
pki_security_manager=true
+pki_tomcat_server_port=8005
[CA]
pki_subsystem=CA
pki_war_name=ca.war
-pki_tomcat_server_port=9701
[KRA]
pki_subsystem=KRA
pki_war_name=kra.war
-pki_tomcat_server_port=10701
[OCSP]
pki_subsystem=OCSP
pki_war_name=ocsp.war
-pki_tomcat_server_port=11701
[RA]
pki_subsystem=RA
[TKS]
pki_subsystem=TKS
pki_war_name=tks.war
-pki_tomcat_server_port=13701
[TPS]
pki_subsystem=TPS
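Review bot: Moving `pki_tomcat_server_port=8005` into the shared defaults gives every subsystem the same Tomcat shutdown port, where the removed per-subsystem values (9701, 10701, 11701, 13701) were distinct; with the `pki-tomcatd@` template in this commit inviting several instances per host, a second instance deployed from these defaults would presumably collide on its shutdown listener unless the value is overridden per instance. Either keep distinct per-subsystem defaults or document the constraint next to the key, e.g. `# must be unique per Tomcat instance on this host (shutdown listener in server.xml)`.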
diff --git a/base/deploy/config/pkislots.cfg b/base/deploy/config/pkislots.cfg
index b04b8efa0..b6c40ebe3 100644
--- a/base/deploy/config/pkislots.cfg
+++ b/base/deploy/config/pkislots.cfg
@@ -15,6 +15,7 @@ PKI_INSTANCE_INITSCRIPT_SLOT=[PKI_INSTANCE_INITSCRIPT]
PKI_LOCKDIR_SLOT=[PKI_LOCKDIR]
PKI_PIDDIR_SLOT=[PKI_PIDDIR]
PKI_REGISTRY_FILE_SLOT=[PKI_REGISTRY_FILE]
+PKI_WEB_SERVER_TYPE_SLOT=[PKI_WEB_SERVER_TYPE]
PORT_SLOT=[PORT]
PROCESS_ID_SLOT=[PROCESS_ID]
REQUIRE_CFG_PL_SLOT=[REQUIRE_CFG_PL]
@@ -48,7 +49,6 @@ PKI_EE_SECURE_CLIENT_AUTH_PORT_UI_SLOT=[PKI_EE_SECURE_CLIENT_AUTH_PORT_UI]
PKI_EE_SECURE_PORT_SLOT=[PKI_EE_SECURE_PORT]
PKI_EE_SECURE_PORT_CONNECTOR_NAME_SLOT=[PKI_EE_SECURE_PORT_CONNECTOR_NAME]
PKI_EE_SECURE_PORT_SERVER_COMMENT_SLOT=[PKI_EE_SECURE_PORT_SERVER_COMMENT]
-PKI_FLAVOR_SLOT=[PKI_FLAVOR]
PKI_GROUP_SLOT=[PKI_GROUP]
PKI_INSTANCE_ID_SLOT=[PKI_INSTANCE_ID]
PKI_INSTANCE_INITSCRIPT_SLOT=[PKI_INSTANCE_INITSCRIPT]
@@ -76,6 +76,7 @@ PKI_UNSECURE_PORT_SLOT=[PKI_UNSECURE_PORT]
PKI_UNSECURE_PORT_CONNECTOR_NAME_SLOT=[PKI_UNSECURE_PORT_CONNECTOR_NAME]
PKI_UNSECURE_PORT_SERVER_COMMENT_SLOT=[PKI_UNSECURE_PORT_SERVER_COMMENT]
PKI_USER_SLOT=[PKI_USER]
+PKI_WEB_SERVER_TYPE_SLOT=[PKI_WEB_SERVER_TYPE]
PKI_WEBAPPS_NAME_SLOT=[PKI_WEBAPPS_NAME]
TOMCAT_CFG_SLOT=[TOMCAT_CFG]
TOMCAT_INSTANCE_COMMON_LIB_SLOT=[TOMCAT_INSTANCE_COMMON_LIB]
diff --git a/base/deploy/scripts/operations b/base/deploy/scripts/operations
new file mode 100644
index 000000000..ea7527f31
--- /dev/null
+++ b/base/deploy/scripts/operations
@@ -0,0 +1,1155 @@
+#!/bin/bash -X
+
+# From "http://fedoraproject.org/wiki/FCNewInit/Initscripts":
+#
+# Status Exit Codes
+#
+# 0 program is running or service is OK
+# 1 program is dead and /var/run pid file exists
+# 2 program is dead and /var/lock lock file exists
+# 3 program is not running
+# 4 program or service status is unknown
+# 5-99 reserved for future LSB use
+# 100-149 reserved for distribution use
+# 150-199 reserved for application use
+# 200-254 reserved
+#
+# Non-Status Exit Codes
+#
+# 0 action was successful
+# 1 generic or unspecified error (current practice)
+# 2 invalid or excess argument(s)
+# 3 unimplemented feature (for example, "reload")
+# 4 user had insufficient privilege
+# 5 program is not installed
+# 6 program is not configured
+# 7 program is not running
+# 8-99 reserved for future LSB use
+# 100-149 reserved for distribution use
+# 150-199 reserved for application use
+# 200-254 reserved
+#
+
+# PKI subsystem-level directory and file values for locks
+lockfile="/var/lock/subsys/${SERVICE_NAME}"
+
+default_error=0
+
+case $command in
+ start|stop|restart|condrestart|force-restart|try-restart)
+ # 1 generic or unspecified error (current practice)
+ default_error=1
+ ;;
+ reload)
+ default_error=3
+ ;;
+ status)
+ # 4 program or service status is unknown
+ default_error=4
+ ;;
+ *)
+ # 2 invalid argument(s)
+ default_error=2
+ ;;
+esac
+
+# Enable nullglob, if set then shell pattern globs which do not match any
+# file returns the empty string rather than the unmodified glob pattern.
+shopt -s nullglob
+
+OS=`uname -s`
+ARCHITECTURE=`uname -i`
+
+# Check to insure that this script's original invocation directory
+# has not been deleted!
+CWD=`/bin/pwd > /dev/null 2>&1`
+if [ $? -ne 0 ] ; then
+ echo "Cannot invoke '$PROG_NAME' from non-existent directory!"
+ exit ${default_error}
+fi
+
+# Check to insure that this script's associated PKI
+# subsystem currently resides on this system.
+PKI_CA_PATH="/usr/share/pki/ca"
+PKI_KRA_PATH="/usr/share/pki/kra"
+PKI_OCSP_PATH="/usr/share/pki/ocsp"
+PKI_RA_PATH="/usr/share/pki/ra"
+PKI_TKS_PATH="/usr/share/pki/tks"
+PKI_TPS_PATH="/usr/share/pki/tps"
+if [ '${PKI_TYPE}' == "apache" ] ; then
+ if [ ! -d ${PKI_RA_PATH} ] &&
+ [ ! -d ${PKI_TPS_PATH} ] ; then
+ echo "This machine is missing all PKI '${PKI_TYPE}' subsystems!"
+ if [ "${command}" != "status" ]; then
+ # 5 program is not installed
+ exit 5
+ else
+ exit ${default_error}
+ fi
+ fi
+elif [ '${PKI_TYPE}' == "tomcat" ] ; then
+ if [ ! -d ${PKI_CA_PATH} ] &&
+ [ ! -d ${PKI_KRA_PATH} ] &&
+ [ ! -d ${PKI_OCSP_PATH} ] &&
+ [ ! -d ${PKI_TKS_PATH} ] ; then
+ echo "This machine is missing all PKI '${PKI_TYPE}' subsystems!"
+ if [ "${command}" != "status" ]; then
+ # 5 program is not installed
+ exit 5
+ else
+ exit ${default_error}
+ fi
+ fi
+fi
+
+# This script must be run as root!
+RV=0
+if [ `id -u` -ne 0 ] ; then
+ echo "Must be 'root' to execute '$PROG_NAME'!"
+ if [ "${command}" != "status" ]; then
+ # 4 user had insufficient privilege
+ exit 4
+ else
+ # 4 program or service status is unknown
+ exit 4
+ fi
+fi
+
+PKI_REGISTRY_ENTRIES=""
+TOTAL_PKI_REGISTRY_ENTRIES=0
+TOTAL_UNCONFIGURED_PKI_ENTRIES=0
+
+# Gather ALL registered instances of this PKI web server type
+for INSTANCE in ${PKI_REGISTRY}/*; do
+ if [ -d "$INSTANCE" ] ; then
+ for REGISTRY in ${INSTANCE}/*; do
+ if [ -f "$REGISTRY" ] ; then
+ PKI_REGISTRY_ENTRIES="${PKI_REGISTRY_ENTRIES} $REGISTRY"
+ TOTAL_PKI_REGISTRY_ENTRIES=`expr ${TOTAL_PKI_REGISTRY_ENTRIES} + 1`
+ fi
+ done
+ fi
+done
+
+# Execute the specified registered instance of this PKI web server type
+if [ -n "${pki_instance_id}" ]; then
+ for INSTANCE in ${PKI_REGISTRY_ENTRIES}; do
+ if [ "${PKI_REGISTRY}/${pki_instance_id}" = "$INSTANCE" ]; then
+ PKI_REGISTRY_ENTRIES="${PKI_REGISTRY}/${pki_instance_id}"
+ TOTAL_PKI_REGISTRY_ENTRIES=1
+ break
+ fi
+ done
+fi
+
+usage()
+{
+ echo -n "Usage: ${SERVICE_PROG} ${SERVICE_NAME}"
+ echo -n "{start"
+ echo -n "|stop"
+ echo -n "|restart"
+ echo -n "|condrestart"
+ echo -n "|force-restart"
+ echo -n "|try-restart"
+ echo -n "|reload"
+ echo -n "|status} "
+ echo -n "[instance-name]"
+ echo
+ echo
+}
+
+usage_systemd()
+{
+ echo -n "Usage: /usr/bin/pkidaemon "
+ echo -n "{start"
+ echo -n "|stop"
+ echo -n "|restart"
+ echo -n "|condrestart"
+ echo -n "|force-restart"
+ echo -n "|try-restart"
+ echo -n "|reload"
+ echo -n "|status} "
+ echo -n "subsystem-type "
+ echo -n "[instance-name]"
+ echo
+ echo
+}
+
+
+list_instances()
+{
+ echo
+ for PKI_REGISTRY_ENTRY in $PKI_REGISTRY_ENTRIES; do
+ instance_name=`basename $PKI_REGISTRY_ENTRY`
+ echo " $instance_name"
+ done
+ echo
+}
+
+# Check arguments
+if [ $SYSTEMD ]; then
+ if [ $# -lt 2 ] ; then
+ # [insufficient arguments]
+ echo "$PROG_NAME: Insufficient arguments!"
+ echo
+ usage_systemd
+ echo "where valid instance names include:"
+ list_instances
+ exit 3
+ elif [ ${default_error} -eq 2 ] ; then
+ # 2 invalid argument
+ echo "$PROG_NAME: Invalid arguments!"
+ echo
+ usage_systemd
+ echo "where valid instance names include:"
+ list_instances
+ exit 2
+ elif [ $# -gt 3 ] ; then
+ echo "$PROG_NAME: Excess arguments!"
+ echo
+ usage_systemd
+ echo "where valid instance names include:"
+ list_instances
+ if [ "${command}" != "status" ]; then
+ # 2 excess arguments
+ exit 2
+ else
+ # 4 program or service status is unknown
+ exit 4
+ fi
+ fi
+else
+ if [ $# -lt 1 ] ; then
+ # 3 unimplemented feature (for example, "reload")
+ # [insufficient arguments]
+ echo "$PROG_NAME: Insufficient arguments!"
+ echo
+ usage
+ echo "where valid instance names include:"
+ list_instances
+ exit 3
+ elif [ ${default_error} -eq 2 ] ; then
+ # 2 invalid argument
+ echo "$PROG_NAME: Invalid arguments!"
+ echo
+ usage
+ echo "where valid instance names include:"
+ list_instances
+ exit 2
+ elif [ $# -gt 2 ] ; then
+ echo "$PROG_NAME: Excess arguments!"
+ echo
+ usage
+ echo "where valid instance names include:"
+ list_instances
+ if [ "${command}" != "status" ]; then
+ # 2 excess arguments
+ exit 2
+ else
+ # 4 program or service status is unknown
+ exit 4
+ fi
+ fi
+fi
+
+# If an "instance" was supplied, check that it is a "valid" instance
+if [ -n "${pki_instance_id}" ]; then
+ valid=0
+ for PKI_REGISTRY_ENTRY in $PKI_REGISTRY_ENTRIES; do
+ instance_name=`basename $PKI_REGISTRY_ENTRY`
+ if [ "${pki_instance_id}" == "${instance_name}" ]; then
+ valid=1
+ break
+ fi
+ done
+ if [ $valid -eq 0 ]; then
+ echo -n "${pki_instance_id} is an invalid '${PKI_TYPE}' instance"
+ if [ ! $SYSTEMD ]; then
+ echo_failure
+ fi
+ echo
+
+ if [ "${command}" != "status" ]; then
+ # 5 program is not installed
+ exit 5
+ else
+ # 4 program or service status is unknown
+ exit 4
+ fi
+ fi
+fi
+
+check_pki_configuration_status()
+{
+ rv=0
+
+ case ${PKI_WEB_SERVER_TYPE} in
+ tomcat)
+ for SUBSYSTEM in ca kra ocsp tks; do
+ if [ -d ${PKI_INSTANCE_PATH}/conf/${SUBSYSTEM} ]; then
+ rv=`grep -c ^preop ${PKI_INSTANCE_PATH}/conf/${SUBSYSTEM}/CS.cfg`
+ rv=`expr ${rv} + 0`
+ fi
+ done
+ ;;
+ apache)
+ # TBD
+ ;;
+ *)
+ echo "Unknown web server type ($PKI_WEB_SERVER_TYPE)"
+ exit ${default_error}
+ ;;
+ esac
+
+ if [ $rv -ne 0 ] ; then
+ echo " '${PKI_INSTANCE_ID}' must still be CONFIGURED!"
+ echo " (see /var/log/${PKI_INSTANCE_ID}-install.log)"
+ if [ "${command}" != "status" ]; then
+ # 6 program is not configured
+ rv=6
+ else
+ # 4 program or service status is unknown
+ rv=4
+ fi
+ TOTAL_UNCONFIGURED_PKI_ENTRIES=`expr ${TOTAL_UNCONFIGURED_PKI_ENTRIES} + 1`
+ elif [ -f ${RESTART_SERVER} ] ; then
+ echo -n " Although '${PKI_INSTANCE_ID}' has been CONFIGURED, "
+ echo -n "it must still be RESTARTED!"
+ echo
+ if [ "${command}" != "status" ]; then
+ # 1 generic or unspecified error (current practice)
+ rv=1
+ else
+ # 4 program or service status is unknown
+ rv=4
+ fi
+ fi
+
+ return $rv
+}
+
+get_pki_status_definitions()
+{
+ case $PKI_WEB_SERVER_TYPE in
+ tomcat)
+ get_pki_status_definitions_tomcat
+ return $?
+ ;;
+ ra)
+ get_pki_status_definitions_ra
+ return $?
+ ;;
+ tps)
+ get_pki_status_definitions_tps
+ return $?
+ ;;
+ *)
+ echo "Unknown web server type ($PKI_WEB_SERVER_TYPE)"
+ exit ${default_error}
+ ;;
+ esac
+}
+
+get_pki_status_definitions_ra()
+{
+ # establish well-known strings
+ total_ports=0
+ UNSECURE_PORT=""
+ CLIENTAUTH_PORT=""
+ NON_CLIENTAUTH_PORT=""
+
+ # check to see that an instance-specific "httpd.conf" file exists
+ if [ ! -f ${PKI_HTTPD_CONF} ] ; then
+ echo "File '${PKI_HTTPD_CONF}' does not exist!"
+ exit ${default_error}
+ fi
+
+ # check to see that an instance-specific "nss.conf" file exists
+ if [ ! -f ${PKI_NSS_CONF} ] ; then
+ echo "File '${PKI_NSS_CONF}' does not exist!"
+ exit ${default_error}
+ fi
+
+ # Iterate over Listen statements
+ for port in `sed -n 's/^[ \t]*Listen[ \t][ \t]*\([^ \t][^ \t]*\)/\1/p' ${PKI_HTTPD_CONF}`; do
+ UNSECURE_PORT=$port
+ if [ $total_ports -eq 0 ]; then
+ echo " Unsecure Port = http://${PKI_SERVER_NAME}:${UNSECURE_PORT}"
+ else
+ echo "ERROR: extra Unsecure Port = http://${PKI_SERVER_NAME}:${UNSECURE_PORT}"
+ fi
+ total_ports=`expr ${total_ports} + 1`
+
+ done
+
+ # Iterate over Listen statements
+ for port in `sed -n 's/^[ \t]*Listen[ \t][ \t]*\([^ \t][^ \t]*\)/\1/p' ${PKI_NSS_CONF}`; do
+ UNSECURE_PORT=$port
+ if [ $total_ports -eq 1 ]; then
+ CLIENTAUTH_PORT=$port
+ echo " Secure Clientauth Port = https://${PKI_SERVER_NAME}:${CLIENTAUTH_PORT}"
+ fi
+ if [ $total_ports -eq 2 ]; then
+ NON_CLIENTAUTH_PORT=$port
+ echo " Secure Non-Clientauth Port = https://${PKI_SERVER_NAME}:${NON_CLIENTAUTH_PORT}"
+ fi
+ total_ports=`expr ${total_ports} + 1`
+
+ done
+
+ return 0;
+}
+
+get_pki_status_definitions_tps()
+{
+ # establish well-known strings
+ total_ports=0
+ UNSECURE_PORT=""
+ CLIENTAUTH_PORT=""
+ NON_CLIENTAUTH_PORT=""
+
+ # check to see that an instance-specific "httpd.conf" file exists
+ if [ ! -f ${PKI_HTTPD_CONF} ] ; then
+ echo "File '${PKI_HTTPD_CONF}' does not exist!"
+ exit ${default_error}
+ fi
+
+ # check to see that an instance-specific "nss.conf" file exists
+ if [ ! -f ${PKI_NSS_CONF} ] ; then
+ echo "File '${PKI_NSS_CONF}' does not exist!"
+ exit ${default_error}
+ fi
+
+ # Iterate over Listen statements
+ for port in `sed -n 's/^[ \t]*Listen[ \t][ \t]*\([^ \t][^ \t]*\)/\1/p' ${PKI_HTTPD_CONF}`; do
+ UNSECURE_PORT=$port
+ if [ $total_ports -eq 0 ]; then
+ echo " Unsecure Port = http://${PKI_SERVER_NAME}:${UNSECURE_PORT}/cgi-bin/so/enroll.cgi"
+ echo " (ESC Security Officer Enrollment)"
+ echo " Unsecure Port = http://${PKI_SERVER_NAME}:${UNSECURE_PORT}/cgi-bin/home/index.cgi"
+ echo " (ESC Phone Home)"
+ else
+ echo "ERROR: extra Unsecure Port = http://${PKI_SERVER_NAME}:${UNSECURE_PORT}"
+ fi
+ total_ports=`expr ${total_ports} + 1`
+
+ done
+
+ # Iterate over Listen statements
+ for port in `sed -n 's/^[ \t]*Listen[ \t][ \t]*\([^ \t][^ \t]*\)/\1/p' ${PKI_NSS_CONF}`; do
+ UNSECURE_PORT=$port
+ if [ $total_ports -eq 1 ]; then
+ CLIENTAUTH_PORT=$port
+ echo " Secure Clientauth Port = https://${PKI_SERVER_NAME}:${CLIENTAUTH_PORT}/cgi-bin/sow/welcome.cgi"
+ echo " (ESC Security Officer Workstation)"
+ echo " Secure Clientauth Port = https://${PKI_SERVER_NAME}:${CLIENTAUTH_PORT}/tus"
+ echo " (TPS Roles - Operator/Administrator/Agent)"
+ fi
+ if [ $total_ports -eq 2 ]; then
+ NON_CLIENTAUTH_PORT=$port
+ echo " Secure Non-Clientauth Port = https://${PKI_SERVER_NAME}:${NON_CLIENTAUTH_PORT}/cgi-bin/so/enroll.cgi"
+ echo " (ESC Security Officer Enrollment)"
+ echo " Secure Non-Clientauth Port = https://${PKI_SERVER_NAME}:${NON_CLIENTAUTH_PORT}/cgi-bin/home/index.cgi"
+ echo " (ESC Phone Home)"
+ fi
+ total_ports=`expr ${total_ports} + 1`
+
+ done
+
+ return 0;
+}
+
+get_pki_status_definitions_tomcat()
+{
+ # establish well-known strings
+ begin_pki_status_comment="<!-- DO NOT REMOVE - Begin PKI Status Definitions -->"
+ end_pki_status_comment="<!-- DO NOT REMOVE - End PKI Status Definitions -->"
+ total_ports=0
+ unsecure_port_statement="Unsecure Port"
+ secure_agent_port_statement="Secure Agent Port"
+ secure_ee_port_statement="Secure EE Port"
+ secure_ee_client_auth_port_statement="EE Client Auth Port"
+ secure_admin_port_statement="Secure Admin Port"
+ pki_console_port_statement="PKI Console Port"
+ tomcat_port_statement="Tomcat Port"
+
+ # initialize looping variables
+ pki_status_comment_found=0
+
+ # first check to see that an instance-specific "server.xml" file exists
+ if [ ! -f ${PKI_SERVER_XML_CONF} ] ; then
+ echo "File '${PKI_SERVER_XML_CONF}' does not exist!"
+ exit ${default_error}
+ fi
+
+ # read this instance-specific "server.xml" file line-by-line
+ # to obtain the current PKI Status Definitions
+ exec < ${PKI_SERVER_XML_CONF}
+ while read line; do
+ # first look for the well-known end PKI Status comment
+ # (to turn off processing)
+ if [ "$line" == "$end_pki_status_comment" ] ; then
+ pki_status_comment_found=0
+ break;
+ fi
+
+ # then look for the well-known begin PKI Status comment
+ # (to turn on processing)
+ if [ "$line" == "$begin_pki_status_comment" ] ; then
+ pki_status_comment_found=1
+ fi
+
+ # once the well-known begin PKI Status comment has been found,
+ # begin processing to obtain all of the PKI Status Definitions
+ if [ $pki_status_comment_found -eq 1 ] ; then
+ # look for a PKI Status Definition and print it
+ head=`echo "$line" | sed -e 's/^\([^=]*\)[ \t]*= .*$/\1/' -e 's/[ \t]*$//'`
+ if [ "$head" == "$unsecure_port_statement" ] ||
+ [ "$head" == "$secure_agent_port_statement" ] ||
+ [ "$head" == "$secure_ee_port_statement" ] ||
+ [ "$head" == "$secure_ee_client_auth_port_statement" ] ||
+ [ "$head" == "$secure_admin_port_statement" ] ||
+ [ "$head" == "$pki_console_port_statement" ] ||
+ [ "$head" == "$tomcat_port_statement" ] ; then
+ echo " $line"
+ total_ports=`expr ${total_ports} + 1`
+ fi
+ fi
+ done
+
+ return 0;
+}
+
+get_pki_configuration_definitions()
+{
+ # Obtain the PKI Subsystem Type
+ line=`grep -e '^[ \t]*cs.type[ \t]*=' ${PKI_SUBSYSTEM_CONFIGURATION_FILE}`
+ pki_subsystem=`echo "${line}" | sed -e 's/^[^=]*=[ \t]*\(.*\)/\1/' -e 's/[ \t]*$//'`
+ if [ "${line}" != "" ] ; then
+ if [ "${pki_subsystem}" != "CA" ] &&
+ [ "${pki_subsystem}" != "KRA" ] &&
+ [ "${pki_subsystem}" != "OCSP" ] &&
+ [ "${pki_subsystem}" != "TKS" ] &&
+ [ "${pki_subsystem}" != "RA" ] &&
+ [ "${pki_subsystem}" != "TPS" ]
+ then
+ return ${default_error}
+ fi
+ if [ "${pki_subsystem}" == "KRA" ] ; then
+ # Rename "KRA" to "DRM"
+ pki_subsystem="DRM"
+ fi
+ else
+ return ${default_error}
+ fi
+
+ # If "${pki_subsystem}" is a CA, DRM, OCSP, or TKS,
+ # check to see if "${pki_subsystem}" is a "Clone"
+ pki_clone=""
+ if [ "${pki_subsystem}" == "CA" ] ||
+ [ "${pki_subsystem}" == "DRM" ] ||
+ [ "${pki_subsystem}" == "OCSP" ] ||
+ [ "${pki_subsystem}" == "TKS" ]
+ then
+ line=`grep -e '^[ \t]*subsystem.select[ \t]*=' ${PKI_SUBSYSTEM_CONFIGURATION_FILE}`
+ if [ "${line}" != "" ] ; then
+ pki_clone=`echo "${line}" | sed -e 's/^[^=]*[ \t]*=[ \t]*\(.*\)/\1/' -e 's/[ \t]*$//'`
+ if [ "${pki_clone}" != "Clone" ] ; then
+ # Reset "${pki_clone}" to be empty
+ pki_clone=""
+ fi
+ else
+ return ${default_error}
+ fi
+ fi
+
+ # If "${pki_subsystem}" is a CA, and is NOT a "Clone", check to
+ # see "${pki_subsystem}" is a "Root" or a "Subordinate" CA
+ pki_hierarchy=""
+ if [ "${pki_subsystem}" == "CA" ] &&
+ [ "${pki_clone}" != "Clone" ]
+ then
+ line=`grep -e '^[ \t]*hierarchy.select[ \t]*=' ${PKI_SUBSYSTEM_CONFIGURATION_FILE}`
+ if [ "${line}" != "" ] ; then
+ pki_hierarchy=`echo "${line}" | sed -e 's/^[^=]*[ \t]*=[ \t]*\(.*\)/\1/' -e 's/[ \t]*$//'`
+ else
+ return ${default_error}
+ fi
+ fi
+
+ # If ${pki_subsystem} is a CA, check to
+ # see if it is also a Security Domain
+ pki_security_domain=""
+ if [ "${pki_subsystem}" == "CA" ] ; then
+ line=`grep -e '^[ \t]*securitydomain.select[ \t]*=' ${PKI_SUBSYSTEM_CONFIGURATION_FILE}`
+ if [ "${line}" != "" ] ; then
+ pki_security_domain=`echo "${line}" | sed -e 's/^[^=]*[ \t]*=[ \t]*\(.*\)/\1/' -e 's/[ \t]*$//'`
+ if [ "${pki_security_domain}" == "new" ] ; then
+ # Set a fixed value for "${pki_security_domain}"
+ pki_security_domain="(Security Domain)"
+ else
+ # Reset "${pki_security_domain}" to be empty
+ pki_security_domain=""
+ fi
+ else
+ return ${default_error}
+ fi
+ fi
+
+ # Always obtain this PKI instance's "registered"
+ # security domain information
+ pki_security_domain_name=""
+ pki_security_domain_hostname=""
+ pki_security_domain_https_admin_port=""
+
+ line=`grep -e '^[ \t]*securitydomain.name[ \t]*=' ${PKI_SUBSYSTEM_CONFIGURATION_FILE}`
+ if [ "${line}" != "" ] ; then
+ pki_security_domain_name=`echo "${line}" | sed -e 's/^[^=]*[ \t]*=[ \t]*\(.*\)/\1/' -e 's/[ \t]*$//'`
+ else
+ return ${default_error}
+ fi
+
+ line=`grep -e '^[ \t]*securitydomain.host[ \t]*=' ${PKI_SUBSYSTEM_CONFIGURATION_FILE}`
+ if [ "${line}" != "" ] ; then
+ pki_security_domain_hostname=`echo "${line}" | sed -e 's/^[^=]*[ \t]*=[ \t]*\(.*\)/\1/' -e 's/[ \t]*$//'`
+ else
+ return ${default_error}
+ fi
+
+ line=`grep -e '^[ \t]*securitydomain.httpsadminport[ \t]*=' ${PKI_SUBSYSTEM_CONFIGURATION_FILE}`
+ if [ "${line}" != "" ] ; then
+ pki_security_domain_https_admin_port=`echo "${line}" | sed -e 's/^[^=]*[ \t]*=[ \t]*\(.*\)/\1/' -e 's/[ \t]*$//'`
+ else
+ return ${default_error}
+ fi
+
+ # Compose the "PKI Instance Name" Status Line
+ pki_instance_name="PKI Instance Name: ${PKI_INSTANCE_ID}"
+
+ # Compose the "PKI Subsystem Type" Status Line
+ header="PKI Subsystem Type: "
+ if [ "${pki_clone}" != "" ] ; then
+ if [ "${pki_security_domain}" != "" ]; then
+ # Possible Values:
+ #
+ # "CA Clone (Security Domain)"
+ #
+ data="${pki_subsystem} ${pki_clone} ${pki_security_domain}"
+ else
+ # Possible Values:
+ #
+ # "CA Clone"
+ # "DRM Clone"
+ # "OCSP Clone"
+ # "TKS Clone"
+ #
+ data="${pki_subsystem} ${pki_clone}"
+ fi
+ elif [ "${pki_hierarchy}" != "" ] ; then
+ if [ "${pki_security_domain}" != "" ]; then
+ # Possible Values:
+ #
+ # "Root CA (Security Domain)"
+ # "Subordinate CA (Security Domain)"
+ #
+ data="${pki_hierarchy} ${pki_subsystem} ${pki_security_domain}"
+ else
+ # Possible Values:
+ #
+ # "Root CA"
+ # "Subordinate CA"
+ #
+ data="${pki_hierarchy} ${pki_subsystem}"
+ fi
+ else
+ # Possible Values:
+ #
+ # "DRM"
+ # "OCSP"
+ # "RA"
+ # "TKS"
+ # "TPS"
+ #
+ data="${pki_subsystem}"
+ fi
+ pki_subsystem_type="${header} ${data}"
+
+ # Compose the "Registered PKI Security Domain Information" Status Line
+ header="Name: "
+ registered_pki_security_domain_name="${header} ${pki_security_domain_name}"
+
+ header="URL: "
+ if [ "${pki_security_domain_hostname}" != "" ] &&
+ [ "${pki_security_domain_https_admin_port}" != "" ]
+ then
+ data="https://${pki_security_domain_hostname}:${pki_security_domain_https_admin_port}"
+ else
+ return ${default_error}
+ fi
+ registered_pki_security_domain_url="${header} ${data}"
+
+ # Print the "PKI Subsystem Type" Status Line
+ echo
+ echo " ${pki_instance_name}"
+
+ # Print the "PKI Subsystem Type" Status Line
+ echo
+ echo " ${pki_subsystem_type}"
+
+ # Print the "Registered PKI Security Domain Information" Status Line
+ echo
+ echo " Registered PKI Security Domain Information:"
+ echo " =========================================================================="
+ echo " ${registered_pki_security_domain_name}"
+ echo " ${registered_pki_security_domain_url}"
+ echo " =========================================================================="
+
+ return 0
+}
+
+display_configuration_information()
+{
+ result=0
+ check_pki_configuration_status
+ rv=$?
+ if [ $rv -eq 0 ] ; then
+ get_pki_status_definitions
+ rv=$?
+ if [ $rv -ne 0 ] ; then
+ result=$rv
+ echo
+ echo "${PKI_INSTANCE_ID} Status Definitions not found"
+ else
+ get_pki_configuration_definitions
+ rv=$?
+ if [ $rv -ne 0 ] ; then
+ result=$rv
+ echo
+ echo "${PKI_INSTANCE_ID} Configuration Definitions not found"
+ fi
+ fi
+ fi
+ return $result
+}
+
+display_instance_status_systemd()
+{
+ echo -n "Status for ${PKI_INSTANCE_ID}: "
+ systemctl status "$PKI_SYSTEMD_TARGET@$PKI_INSTANCE_ID.service" > /dev/null 2>&1
+ rv=$?
+
+ if [ $rv -eq 0 ] ; then
+ echo "$PKI_INSTANCE_ID is running .."
+ display_configuration_information
+ else
+ echo "$PKI_INSTANCE_ID is stopped"
+ fi
+
+ return $rv
+}
+
+display_instance_status()
+{
+ # Verify there is an initscript for this instance
+ if [ ! -f $PKI_INSTANCE_INITSCRIPT ]; then
+ # 4 program or service status is unknown
+ return 4
+ fi
+
+ # Invoke the initscript for this instance
+ $PKI_INSTANCE_INITSCRIPT status
+ rv=$?
+
+ if [ $rv -eq 0 ] ; then
+ display_configuration_information
+ fi
+
+ return $rv
+}
+
+start_instance()
+{
+ rv=0
+
+ if [ -f ${RESTART_SERVER} ] ; then
+ rm -f ${RESTART_SERVER}
+ fi
+
+ # Invoke the initscript for this instance
+ case $PKI_WEB_SERVER_TYPE in
+ tomcat)
+
+ # We must export the service name so that the systemd version
+ # of the tomcat init script knows which instance specific
+ # configuration file to source.
+ export SERVICE_NAME=$PKI_INSTANCE_ID
+
+ if [ -x /usr/sbin/selinuxenabled ] && /usr/sbin/selinuxenabled; then
+ # HACKS:
+ # (1) MUST eventually replace hard-coded 'pki_ca_script_t'
+ # with programmatic replacement of either
+ # 'pki_tomcat_script_t' or 'pki_apache_script_t', AND
+ # (2) MUST currently be run with SELinux in 'Permissive' mode!
+ /usr/bin/runcon -t pki_ca_script_t \
+ $PKI_INSTANCE_INITSCRIPT start
+ rv=$?
+ else
+ $PKI_INSTANCE_INITSCRIPT start
+ rv=$?
+ fi
+ ;;
+ apache)
+ $PKI_INSTANCE_INITSCRIPT start
+ rv=$?
+ ;;
+ esac
+
+ if [ $rv -ne 0 ] ; then
+ return $rv
+ fi
+
+ # On Tomcat subsystems, make certain that the service has started
+ case $PKI_WEB_SERVER_TYPE in
+ tomcat)
+ count=0
+ tries=30
+ port=${PKI_UNSECURE_PORT}
+ while [ $count -lt $tries ]
+ do
+ netstat -antl | grep ${port} > /dev/null
+ netrv=$?
+ if [ $netrv -eq 0 ] ; then
+ break;
+ fi
+ sleep 1
+ let count=$count+1;
+ done
+ if [ $netrv -ne 0 ] ; then
+ return 1
+ fi
+ ;;
+ esac
+
+ if [ $rv -eq 0 ] ; then
+ # From the PKI point of view a returned error code of 6 implies
+ # that the program is not "configured". An error code of 1 implies
+ # that the program was "configured" but must still be restarted.
+ #
+ # If the return code is 6 return this value unchanged to the
+ # calling routine so that the total number of configuration errors
+ # may be counted. Other return codes are ignored.
+ #
+ check_pki_configuration_status
+ rv=$?
+ if [ $rv -eq 6 ]; then
+ # 6 program is not configured
+ return 6
+ else
+ # 0 success
+
+ # Tomcat instances automatically place pid files under
+ # '/var/run' and lock files under '/var/lock/subsys'.
+ #
+ # However, since PKI subsystem instances can have any name,
+ # in order to identify the PKI subsystem type of a particular
+ # PKI instance, we create a separate "pki subsystem identity"
+ # symlink to the PKI instance pid file and place it under
+ # '/var/run/pki/<pki subsystem>', and a separate
+ # "pki subsystem identity" symlink to the PKI instance
+ # lock file and place it under '/var/lock/pki/<pki subsystem>'.
+ #
+ case $PKI_WEB_SERVER_TYPE in
+ tomcat)
+ if [ -h ${PKI_PIDFILE} ]; then
+ rm -f ${PKI_PIDFILE}
+ fi
+ if [ -f ${TOMCAT_PIDFILE} ]; then
+ ln -s ${TOMCAT_PIDFILE} ${PKI_PIDFILE}
+ chown -h ${TOMCAT_USER}:${TOMCAT_GROUP} ${PKI_PIDFILE}
+ fi
+ if [ -h ${PKI_LOCKFILE} ]; then
+ rm -f ${PKI_LOCKFILE}
+ fi
+ if [ -f ${TOMCAT_LOCKFILE} ]; then
+ ln -s ${TOMCAT_LOCKFILE} ${PKI_LOCKFILE}
+ fi
+ ;;
+ esac
+
+ return 0
+ fi
+ fi
+ return $rv
+}
+
+stop_instance()
+{
+ rv=0
+
+ export SERVICE_NAME=$PKI_INSTANCE_ID
+ # Invoke the initscript for this instance
+ $PKI_INSTANCE_INITSCRIPT stop
+ rv=$?
+
+ # On Tomcat subsystems, always remove the "pki subsystem identity" symlinks
+ # that were previously associated with the Tomcat 'pid' and 'lock' files.
+ case $PKI_WEB_SERVER_TYPE in
+ tomcat)
+ if [ -h ${PKI_PIDFILE} ]; then
+ rm -f ${PKI_PIDFILE}
+ fi
+ if [ -h ${PKI_LOCKFILE} ]; then
+ rm -f ${PKI_LOCKFILE}
+ fi
+ ;;
+ esac
+
+ return $rv
+}
+
+start()
+{
+ error_rv=0
+ rv=0
+ config_errors=0
+ errors=0
+
+ if [ ${TOTAL_PKI_REGISTRY_ENTRIES} -eq 0 ]; then
+ echo
+ echo "ERROR: No '${PKI_TYPE}' instances installed!"
+ # 5 program is not installed
+ return 5
+ fi
+
+ if [ ${TOTAL_PKI_REGISTRY_ENTRIES} -gt 1 ]; then
+ echo "BEGIN STARTING '${PKI_TYPE}' INSTANCES:"
+ fi
+
+ # Start every PKI instance of this type that isn't already running
+ for PKI_REGISTRY_ENTRY in ${PKI_REGISTRY_ENTRIES}; do
+ # Source values associated with this particular PKI instance
+ [ -f ${PKI_REGISTRY_ENTRY} ] &&
+ . ${PKI_REGISTRY_ENTRY}
+
+ [ ${TOTAL_PKI_REGISTRY_ENTRIES} -gt 1 ] && echo
+
+ start_instance
+ rv=$?
+ if [ $rv = 6 ] ; then
+ # Since at least ONE configuration error exists, then there
+ # is at least ONE unconfigured instance from the PKI point
+ # of view.
+ #
+ # However, it must still be considered that the
+ # instance is "running" from the point of view of other
+ # OS programs such as 'chkconfig'.
+ #
+ # Therefore, ignore non-zero return codes resulting
+ # from configuration errors.
+ #
+
+ config_errors=`expr $config_errors + 1`
+ rv=0
+ elif [ $rv != 0 ] ; then
+ errors=`expr $errors + 1`
+ error_rv=$rv
+ fi
+ done
+
+ if [ ${TOTAL_PKI_REGISTRY_ENTRIES} -gt ${errors} ] ; then
+ touch ${lockfile}
+ chmod 00600 ${lockfile}
+ fi
+
+ # ONLY print a "WARNING" message if multiple
+ # instances are being examined
+ if [ ${TOTAL_PKI_REGISTRY_ENTRIES} -gt 1 ] ; then
+ # NOTE: "bad" return code(s) OVERRIDE configuration errors!
+ if [ ${errors} -eq 1 ]; then
+ # Since only ONE error exists, return that "bad" error code.
+ rv=${error_rv}
+ elif [ ${errors} -gt 1 ]; then
+ # Since MORE than ONE error exists, return an OVERALL status
+ # of "1 generic or unspecified error (current practice)"
+ rv=1
+ fi
+
+ if [ ${errors} -ge 1 ]; then
+ echo
+ echo -n "WARNING: "
+ echo -n "${errors} of ${TOTAL_PKI_REGISTRY_ENTRIES} "
+ echo -n "'${PKI_TYPE}' instances failed to start!"
+ echo
+ fi
+
+ if [ ${TOTAL_UNCONFIGURED_PKI_ENTRIES} -ge 1 ]; then
+ echo
+ echo -n "WARNING: "
+ echo -n "${TOTAL_UNCONFIGURED_PKI_ENTRIES} "
+ echo -n "of ${TOTAL_PKI_REGISTRY_ENTRIES} "
+ echo -n "'${PKI_TYPE}' instances MUST be configured!"
+ echo
+ fi
+
+ echo
+ echo "FINISHED STARTING '${PKI_TYPE}' INSTANCE(S)."
+ fi
+
+ return $rv
+}
+
+stop()
+{
+ error_rv=0
+ rv=0
+ errors=0
+
+ if [ ${TOTAL_PKI_REGISTRY_ENTRIES} -eq 0 ]; then
+ echo
+ echo "ERROR: No '${PKI_TYPE}' instances installed!"
+ # 5 program is not installed
+ return 5
+ fi
+
+ if [ ${TOTAL_PKI_REGISTRY_ENTRIES} -gt 1 ] ; then
+ echo "BEGIN SHUTTING DOWN '${PKI_TYPE}' INSTANCE(S):"
+ fi
+
+ # Shutdown every PKI instance of this type that is running
+ for PKI_REGISTRY_ENTRY in ${PKI_REGISTRY_ENTRIES}; do
+ # Source values associated with this particular PKI instance
+ [ -f ${PKI_REGISTRY_ENTRY} ] &&
+ . ${PKI_REGISTRY_ENTRY}
+
+ [ ${TOTAL_PKI_REGISTRY_ENTRIES} -gt 1 ] && echo
+
+ stop_instance
+ rv=$?
+ if [ $rv != 0 ] ; then
+ errors=`expr $errors + 1`
+ error_rv=$rv
+ fi
+ done
+
+ if [ ${errors} -eq 0 ] ; then
+ rm -f ${lockfile}
+ fi
+
+ # ONLY print a "WARNING" message if multiple
+ # instances are being examined
+ if [ ${TOTAL_PKI_REGISTRY_ENTRIES} -gt 1 ] ; then
+ if [ ${errors} -eq 1 ]; then
+ # Since only ONE error exists, return that "bad" error code.
+ rv=${error_rv}
+ elif [ ${errors} -gt 1 ]; then
+ # Since MORE than ONE error exists, return an OVERALL status
+ # of "1 generic or unspecified error (current practice)"
+ rv=1
+ fi
+
+ if [ ${errors} -ge 1 ]; then
+ echo
+ echo -n "WARNING: "
+ echo -n "${errors} of ${TOTAL_PKI_REGISTRY_ENTRIES} "
+ echo -n "'${PKI_TYPE}' instances were "
+ echo -n "unsuccessfully stopped!"
+ echo
+ fi
+
+ echo
+ echo "FINISHED SHUTTING DOWN '${PKI_TYPE}' INSTANCE(S)."
+ fi
+
+ return $rv
+}
+
+restart()
+{
+ stop
+ sleep 2
+ start
+
+ return $?
+}
+
+registry_status()
+{
+ error_rv=0
+ rv=0
+ errors=0
+
+ if [ ${TOTAL_PKI_REGISTRY_ENTRIES} -eq 0 ]; then
+ echo
+ echo "ERROR: No '${PKI_TYPE}' instances installed!"
+ # 4 program or service status is unknown
+ return 4
+ fi
+
+ if [ ${TOTAL_PKI_REGISTRY_ENTRIES} -gt 1 ] ; then
+ echo "REPORT STATUS OF '${PKI_TYPE}' INSTANCE(S):"
+ fi
+
+ # Obtain status of every PKI instance of this type
+ for PKI_REGISTRY_ENTRY in ${PKI_REGISTRY_ENTRIES}; do
+ # Source values associated with this particular PKI instance
+ [ -f ${PKI_REGISTRY_ENTRY} ] &&
+ . ${PKI_REGISTRY_ENTRY}
+
+ [ ${TOTAL_PKI_REGISTRY_ENTRIES} -gt 1 ] && echo
+
+ case $PKI_WEB_SERVER_TYPE in
+ tomcat)
+ if [ $SYSTEMD ]; then
+ display_instance_status_systemd
+ else
+ display_instance_status
+ fi
+ rv=$?
+ ;;
+ apache)
+ display_instance_status
+ rv=$?
+ ;;
+ esac
+ if [ $rv -ne 0 ] ; then
+ errors=`expr $errors + 1`
+ error_rv=$rv
+ fi
+ done
+
+ # ONLY print a "WARNING" message if multiple
+ # instances are being examined
+ if [ ${TOTAL_PKI_REGISTRY_ENTRIES} -gt 1 ] ; then
+ if [ ${errors} -eq 1 ]; then
+ # Since only ONE error exists, return that "bad" error code.
+ rv=${error_rv}
+ elif [ ${errors} -gt 1 ]; then
+ # Since MORE than ONE error exists, return an OVERALL status
+ # of "4 - program or service status is unknown"
+ rv=4
+ fi
+
+ if [ ${errors} -ge 1 ]; then
+ echo
+ echo -n "WARNING: "
+ echo -n "${errors} of ${TOTAL_PKI_REGISTRY_ENTRIES} "
+ echo -n "'${PKI_TYPE}' instances reported status failures!"
+ echo
+ fi
+
+ if [ ${TOTAL_UNCONFIGURED_PKI_ENTRIES} -ge 1 ]; then
+ echo
+ echo -n "WARNING: "
+ echo -n "${TOTAL_UNCONFIGURED_PKI_ENTRIES} "
+ echo -n "of ${TOTAL_PKI_REGISTRY_ENTRIES} "
+ echo -n "'${PKI_TYPE}' instances MUST be configured!"
+ echo
+ fi
+
+ echo
+ echo "FINISHED REPORTING STATUS OF '${PKI_TYPE}' INSTANCE(S)."
+ fi
+
+ return $rv
+}
+
diff --git a/base/deploy/scripts/pkidaemon b/base/deploy/scripts/pkidaemon
new file mode 100755
index 000000000..7be30c9d3
--- /dev/null
+++ b/base/deploy/scripts/pkidaemon
@@ -0,0 +1,74 @@
+#!/bin/bash
+#
+# --- BEGIN COPYRIGHT BLOCK ---
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; version 2 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License along
+# with this program; if not, write to the Free Software Foundation, Inc.,
+# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# Copyright (C) 2012 Red Hat, Inc.
+# All rights reserved.
+# --- END COPYRIGHT BLOCK ---
+#
+
+PROG_NAME=`basename $0`
+SERVICE_NAME="pkidaemon"
+SERVICE_PROG="/bin/systemctl"
+
+command="$1"
+pki_instance_type="$2"
+pki_instance_id="$3"
+
+PKI_REGISTRY="/etc/sysconfig/pki/${pki_instance_type}"
+PKI_TYPE="${pki_instance_type}"
+PKI_SYSTEMD_TARGET="pki-${pki_instance_type}d"
+SYSTEMD=1
+
+# Source the PKI function library
+. /usr/share/pki/scripts/operations
+
+# See how we were called.
+case $command in
+ status)
+ # registry_status
+ echo "The 'status' action is TBD."
+ exit $?
+ ;;
+ start)
+ start
+ exit $?
+ ;;
+ restart)
+ restart
+ exit $?
+ ;;
+ stop)
+ stop
+ exit $?
+ ;;
+ condrestart|force-restart|try-restart)
+ [ ! -f ${lockfile} ] || restart
+ echo "The '${command}' action is TBD."
+ exit $?
+ ;;
+ reload)
+ echo "The 'reload' action is an unimplemented feature."
+ exit ${default_error}
+ ;;
+ *)
+ echo "unknown action ($command)"
+ usage
+ echo "where valid instance names include:"
+ list_instances
+ exit ${default_error}
+ ;;
+esac
+
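Review bot: In the `condrestart|force-restart|try-restart` branch the `exit $?` reports the status of the preceding `echo`, not of `restart`, so a failed restart exits 0; capture it first with `[ ! -f ${lockfile} ] || restart`, `rv=$?`, and end the branch with `exit $rv`. The `status` branch has the same shape: with `registry_status` commented out it always exits 0, which a caller or service manager would read as a healthy instance. `pki_instance_type` (positional `$2`) is interpolated into `PKI_REGISTRY` and `PKI_SYSTEMD_TARGET` without being checked against the accepted instance types; a `case` on the known values before the `. /usr/share/pki/scripts/operations` line would turn a typo into a clear error rather than an empty registry. `pki_instance_id` is assigned from `$3` but never read in this file — presumably the sourced operations library uses it; if not, it can be dropped.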
diff --git a/base/deploy/src/pkidestroy b/base/deploy/src/pkidestroy
index 2d0b5d285..6a2db56b8 100755
--- a/base/deploy/src/pkidestroy
+++ b/base/deploy/src/pkidestroy
@@ -125,21 +125,21 @@ def main(argv):
extra=config.PKI_INDENTATION_LEVEL_0)
# Override PKI configuration file values with 'custom' command-line values.
- if not config.pki_admin_domain_name is None:
+ if not config.custom_pki_admin_domain_name is None:
config.pki_common_dict['pki_admin_domain_name'] =\
- config.pki_admin_domain_name
- if not config.pki_instance_name is None:
- config.pki_common_dict['pki_instance_name'] =\
- config.pki_instance_name
- if not config.pki_http_port is None:
+ config.custom_pki_admin_domain_name
+ if not config.custom_pki_instance_name is None:
+ config.pki_web_server_dict['pki_instance_name'] =\
+ config.custom_pki_instance_name
+ if not config.custom_pki_http_port is None:
config.pki_web_server_dict['pki_http_port'] =\
- config.pki_http_port
- if not config.pki_https_port is None:
+ config.custom_pki_http_port
+ if not config.custom_pki_https_port is None:
config.pki_web_server_dict['pki_https_port'] =\
- config.pki_https_port
- if not config.pki_ajp_port is None:
+ config.custom_pki_https_port
+ if not config.custom_pki_ajp_port is None:
config.pki_web_server_dict['pki_ajp_port'] =\
- config.pki_ajp_port
+ config.custom_pki_ajp_port
config.pki_log.debug(log.PKI_DICTIONARY_COMMON,
extra=config.PKI_INDENTATION_LEVEL_0)
config.pki_log.debug(pp.pformat(config.pki_common_dict),
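Review bot: `if not config.custom_pki_admin_domain_name is None:` and the four sibling tests in this hunk read more clearly as `if config.custom_pki_admin_domain_name is not None:`, the form PEP 8 recommends. Separately, pkiparser.py in this same diff declares every one of these options with `nargs=1`, so if the argparse values are copied into the `config.custom_pki_*` attributes unchanged, each dict entry here receives a one-element list rather than a string — worth confirming where the values are transferred, which is outside this diff. The identical block in pkispawn has the same two points. The enclosing `main` starts and ends outside the hunk.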
diff --git a/base/deploy/src/pkispawn b/base/deploy/src/pkispawn
index d665f3c9f..66152a334 100755
--- a/base/deploy/src/pkispawn
+++ b/base/deploy/src/pkispawn
@@ -154,21 +154,21 @@ def main(argv):
extra=config.PKI_INDENTATION_LEVEL_0)
# Override PKI configuration file values with 'custom' command-line values.
- if not config.pki_admin_domain_name is None:
+ if not config.custom_pki_admin_domain_name is None:
config.pki_common_dict['pki_admin_domain_name'] =\
- config.pki_admin_domain_name
- if not config.pki_instance_name is None:
- config.pki_common_dict['pki_instance_name'] =\
- config.pki_instance_name
- if not config.pki_http_port is None:
+ config.custom_pki_admin_domain_name
+ if not config.custom_pki_instance_name is None:
+ config.pki_web_server_dict['pki_instance_name'] =\
+ config.custom_pki_instance_name
+ if not config.custom_pki_http_port is None:
config.pki_web_server_dict['pki_http_port'] =\
- config.pki_http_port
- if not config.pki_https_port is None:
+ config.custom_pki_http_port
+ if not config.custom_pki_https_port is None:
config.pki_web_server_dict['pki_https_port'] =\
- config.pki_https_port
- if not config.pki_ajp_port is None:
+ config.custom_pki_https_port
+ if not config.custom_pki_ajp_port is None:
config.pki_web_server_dict['pki_ajp_port'] =\
- config.pki_ajp_port
+ config.custom_pki_ajp_port
config.pki_log.debug(log.PKI_DICTIONARY_COMMON,
extra=config.PKI_INDENTATION_LEVEL_0)
config.pki_log.debug(pp.pformat(config.pki_common_dict),
diff --git a/base/deploy/src/scriptlets/configuration.py b/base/deploy/src/scriptlets/configuration.py
index 1155e9002..f40573940 100644
--- a/base/deploy/src/scriptlets/configuration.py
+++ b/base/deploy/src/scriptlets/configuration.py
@@ -47,6 +47,9 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
master['pki_client_key_database'],
master['pki_client_secmod_database'],
password_file=master['pki_client_password_conf'])
+ util.symlink.create(
+ config.pki_master_dict['pki_systemd_service'],
+ config.pki_master_dict['pki_systemd_service_link'])
else:
util.password.create_password_conf(
master['pki_client_password_conf'],
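Review bot: The new `util.symlink.create` call indexes `config.pki_master_dict[...]` while the neighbouring lines in this block use `master[...]`; if `master` is the local alias of that dict, as the surrounding code suggests, `master['pki_systemd_service']` and `master['pki_systemd_service_link']` keep the block consistent. The four `util.symlink.delete` calls in the next hunk of this file mix the two spellings in the same way. The enclosing method starts outside the hunk.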
@@ -71,17 +74,25 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
extra=config.PKI_INDENTATION_LEVEL_1)
if not config.pki_dry_run_flag:
if master['pki_subsystem'] in config.PKI_APACHE_SUBSYSTEMS and\
- util.instance.apache_instances() == 0:
+ util.instance.apache_instances() == 1:
util.directory.delete(master['pki_client_path'])
+ util.symlink.delete(
+ config.pki_master_dict['pki_systemd_service_link'])
elif master['pki_subsystem'] in config.PKI_TOMCAT_SUBSYSTEMS and\
- util.instance.tomcat_instances() == 0:
+ util.instance.tomcat_instances() == 1:
util.directory.delete(master['pki_client_path'])
+ util.symlink.delete(
+ config.pki_master_dict['pki_systemd_service_link'])
else:
# ALWAYS display correct information (even during dry_run)
if master['pki_subsystem'] in config.PKI_APACHE_SUBSYSTEMS and\
- util.instance.apache_instances() == 1:
+ util.instance.apache_instances() == 0:
util.directory.delete(master['pki_client_path'])
+ util.symlink.delete(
+ config.pki_master_dict['pki_systemd_service_link'])
elif master['pki_subsystem'] in config.PKI_TOMCAT_SUBSYSTEMS and\
- util.instance.tomcat_instances() == 1:
+ util.instance.tomcat_instances() == 0:
util.directory.delete(master['pki_client_path'])
+ util.symlink.delete(
+ config.pki_master_dict['pki_systemd_service_link'])
return self.rv
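Review bot: The real-run branch now deletes the client path and the systemd service link when `apache_instances()`/`tomcat_instances()` returns 1, while the dry-run `else` branch uses 0, and instance_layout.py in this same diff pairs them the other way round (0 for the real run, 1 for dry run). Since a dry run deletes nothing, the count it observes at this point should match the real run's, so one of the two comparisons in this hunk looks inverted; please confirm against how `util.instance.*_instances()` counts. Either way, a one-line comment above each test explaining why that count marks the last instance would stop the next reader from "fixing" it. The enclosing method starts outside the hunk.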
diff --git a/base/deploy/src/scriptlets/finalization.py b/base/deploy/src/scriptlets/finalization.py
index acf51391a..02c5065cb 100644
--- a/base/deploy/src/scriptlets/finalization.py
+++ b/base/deploy/src/scriptlets/finalization.py
@@ -41,10 +41,7 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
master['pki_subsystem_registry_path'] +\
"/" + config.PKI_DEPLOYMENT_DEFAULT_CONFIGURATION_FILE)
# Save a timestamped copy of the installation manifest file
- filename = master['pki_root_prefix'] +\
- config.PKI_DEPLOYMENT_REGISTRY_ROOT + "/" +\
- master['pki_instance_id'] + "/" +\
- master['pki_subsystem'].lower() +"/" +\
+ filename = master['pki_subsystem_registry_path'] + "/" +\
"spawn" + "_" + "manifest" + "." +\
master['pki_timestamp'] + "." + "csv"
config.pki_log.info(log.PKI_MANIFEST_MESSAGE_1, filename,
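Review bot: The manifest path is built by joining adjacent literals with `+`; `"spawn" + "_" + "manifest" + "." + master['pki_timestamp'] + "." + "csv"` collapses to `"spawn_manifest." + master['pki_timestamp'] + ".csv"`, and `os.path.join(master['pki_subsystem_registry_path'], ...)` would replace the hand-written `"/"` separator, provided `os` is already imported in this module (not visible here). The `respawn` hunk below has the same shape. The enclosing method starts and ends outside the hunk.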
@@ -74,10 +71,7 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
"/" + config.PKI_DEPLOYMENT_DEFAULT_CONFIGURATION_FILE,
overwrite_flag=True)
# Save a timestamped copy of the updated manifest file
- filename = master['pki_root_prefix'] +\
- config.PKI_DEPLOYMENT_REGISTRY_ROOT + "/" +\
- master['pki_instance_id'] + "/" +\
- master['pki_subsystem'].lower() +"/" +\
+ filename = master['pki_subsystem_registry_path'] + "/" +\
"respawn" + "_" + "manifest" + "." +\
master['pki_timestamp'] + "." + "csv"
config.pki_log.info(log.PKI_MANIFEST_MESSAGE_1, filename,
diff --git a/base/deploy/src/scriptlets/infrastructure_layout.py b/base/deploy/src/scriptlets/infrastructure_layout.py
index fd94de512..471739700 100644
--- a/base/deploy/src/scriptlets/infrastructure_layout.py
+++ b/base/deploy/src/scriptlets/infrastructure_layout.py
@@ -80,7 +80,8 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
# remove top-level infrastructure registry
util.directory.delete(master['pki_registry_path'])
if master['pki_subsystem'] in config.PKI_TOMCAT_SUBSYSTEMS:
- util.file.delete(master['pki_target_tomcat_conf'])
+ util.file.delete(
+ master['pki_target_tomcat_conf_instance_id'])
else:
# ALWAYS display correct information (even during dry_run)
@@ -98,5 +99,6 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
# remove top-level infrastructure registry
util.directory.delete(master['pki_registry_path'])
if master['pki_subsystem'] in config.PKI_TOMCAT_SUBSYSTEMS:
- util.file.delete(master['pki_target_tomcat_conf'])
+ util.file.delete(
+ master['pki_target_tomcat_conf_instance_id'])
return self.rv
diff --git a/base/deploy/src/scriptlets/instance_layout.py b/base/deploy/src/scriptlets/instance_layout.py
index 60e94d1a1..8a645f029 100644
--- a/base/deploy/src/scriptlets/instance_layout.py
+++ b/base/deploy/src/scriptlets/instance_layout.py
@@ -41,6 +41,7 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
# establish instance configuration
util.directory.create(master['pki_instance_configuration_path'])
# establish instance registry
+ util.directory.create(master['pki_instance_type_registry_path'])
util.directory.create(master['pki_instance_registry_path'])
# establish Apache/Tomcat specific instance
if master['pki_subsystem'] in config.PKI_TOMCAT_SUBSYSTEMS:
@@ -59,6 +60,9 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
util.directory.create(master['pki_tomcat_webapps_webinf_lib_path'])
# establish Tomcat instance logs
# establish Tomcat instance configuration
+ util.directory.copy(master['pki_source_shared_path'],
+ master['pki_instance_configuration_path'],
+ overwrite_flag=True)
# establish Tomcat instance registry
# establish Tomcat instance convenience
# symbolic links
@@ -89,6 +93,7 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
# update instance configuration
util.directory.modify(master['pki_instance_configuration_path'])
# update instance registry
+ util.directory.modify(master['pki_instance_type_registry_path'])
util.directory.modify(master['pki_instance_registry_path'])
# update Apache/Tomcat specific instance
if master['pki_subsystem'] in config.PKI_TOMCAT_SUBSYSTEMS:
@@ -116,6 +121,9 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
# update instance convenience symbolic links
util.symlink.modify(master['pki_instance_database_link'])
util.symlink.modify(master['pki_instance_conf_link'])
+ util.directory.copy(master['pki_source_shared_path'],
+ master['pki_instance_configuration_path'],
+ overwrite_flag=True)
util.symlink.modify(master['pki_instance_logs_link'])
return self.rv
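Review bot: The `util.directory.copy(..., overwrite_flag=True)` added here runs on every respawn and overwrites the instance configuration directory with the shared defaults, so any instance-local edits to the copied files are silently discarded on update; the first copy in the spawn hunk is fine, but for the update path `overwrite_flag=False` (or copying only files that are absent) is the safer default unless the shared tree is meant to be authoritative, in which case a comment saying so belongs above the call. The call also sits between two `util.symlink.modify` lines under the "update instance convenience symbolic links" comment; moving it next to `util.directory.modify(master['pki_instance_configuration_path'])` keeps the one-comment-per-step structure of this section. The enclosing method starts outside the hunk.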
@@ -133,6 +141,7 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
# remove Apache instance configuration
util.directory.delete(master['pki_instance_configuration_path'])
# remove Apache instance registry
+ util.directory.delete(master['pki_instance_type_registry_path'])
elif master['pki_subsystem'] in config.PKI_TOMCAT_SUBSYSTEMS and\
util.instance.tomcat_instances() == 0:
# remove Tomcat instance base
@@ -143,6 +152,7 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
# remove Tomcat instance configuration
util.directory.delete(master['pki_instance_configuration_path'])
# remove Tomcat instance registry
+ util.directory.delete(master['pki_instance_type_registry_path'])
else:
# ALWAYS display correct information (even during dry_run)
if master['pki_subsystem'] in config.PKI_APACHE_SUBSYSTEMS and\
@@ -155,6 +165,7 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
# remove Apache instance configuration
util.directory.delete(master['pki_instance_configuration_path'])
# remove Apache instance registry
+ util.directory.delete(master['pki_instance_type_registry_path'])
elif master['pki_subsystem'] in config.PKI_TOMCAT_SUBSYSTEMS and\
util.instance.tomcat_instances() == 1:
# remove Tomcat instance base
@@ -165,4 +176,5 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
# remove Tomcat instance configuration
util.directory.delete(master['pki_instance_configuration_path'])
# remove Tomcat instance registry
+ util.directory.delete(master['pki_instance_type_registry_path'])
return self.rv
diff --git a/base/deploy/src/scriptlets/pkiconfig.py b/base/deploy/src/scriptlets/pkiconfig.py
index 76d54ad15..2acd37d36 100644
--- a/base/deploy/src/scriptlets/pkiconfig.py
+++ b/base/deploy/src/scriptlets/pkiconfig.py
@@ -40,6 +40,8 @@ PKI_INDENTATION_LEVEL_3 = {'indent' : '........... '}
PKI_INDENTATION_LEVEL_4 = {'indent' : '............... '}
PKI_DEPLOYMENT_SOURCE_ROOT = "/usr/share/pki"
+PKI_DEPLOYMENT_SYSTEMD_ROOT = "/lib/systemd/system"
+PKI_DEPLOYMENT_SYSTEMD_CONFIGURATION_ROOT = "/etc/systemd/system"
PKI_DEPLOYMENT_TOMCAT_ROOT = "/usr/share/tomcat"
PKI_DEPLOYMENT_TOMCAT_SYSTEMD = "/usr/sbin/tomcat-sysd"
PKI_DEPLOYMENT_BASE_ROOT = "/var/lib/pki"
@@ -92,11 +94,11 @@ pki_root_prefix = None
pki_update_flag = False
# PKI Deployment "Custom" Command-Line Variables
-pki_admin_domain_name = None
-pki_instance_name = None
-pki_http_port = None
-pki_https_port = None
-pki_ajp_port = None
+custom_pki_admin_domain_name = None
+custom_pki_instance_name = None
+custom_pki_http_port = None
+custom_pki_https_port = None
+custom_pki_ajp_port = None
# PKI Deployment Logger Variables
diff --git a/base/deploy/src/scriptlets/pkiparser.py b/base/deploy/src/scriptlets/pkiparser.py
index a9a53dd76..0add192f7 100644
--- a/base/deploy/src/scriptlets/pkiparser.py
+++ b/base/deploy/src/scriptlets/pkiparser.py
@@ -79,23 +79,23 @@ def process_command_line_arguments(argv):
custom = parser.add_argument_group('custom arguments '
'(OVERRIDES configuration file values)')
custom.add_argument('-d',
- dest='pki_admin_domain_name', action='store',
+ dest='custom_pki_admin_domain_name', action='store',
nargs=1, metavar='<admin_domain>',
help='PKI admin domain name (instance name prefix)')
custom.add_argument('-i',
- dest='pki_instance_name', action='store',
+ dest='custom_pki_instance_name', action='store',
nargs=1, metavar='<instance>',
help='PKI instance name (MUST specify REQUIRED ports)')
custom.add_argument('--http_port',
- dest='pki_http_port', action='store',
+ dest='custom_pki_http_port', action='store',
nargs=1, metavar='<port>',
help='HTTP port (CA, KRA, OCSP, RA, TKS, TPS)')
custom.add_argument('--https_port',
- dest='pki_https_port', action='store',
+ dest='custom_pki_https_port', action='store',
nargs=1, metavar='<port>',
help='HTTPS port (CA, KRA, OCSP, RA, TKS, TPS)')
custom.add_argument('--ajp_port',
- dest='pki_ajp_port', action='store',
+ dest='custom_pki_ajp_port', action='store',
nargs=1, metavar='<port>',
help='AJP port (CA, KRA, OCSP, TKS)')
args = parser.parse_args()
@@ -141,19 +141,22 @@ def process_command_line_arguments(argv):
config.pki_jython_log_level = config.PKI_JYTHON_WARNING_LOG_LEVEL
config.pki_console_log_level = logging.WARNING
config.pki_log_level = logging.INFO
- if not args.pki_admin_domain_name is None:
- config.pki_admin_domain_name =\
- str(args.pki_admin_domain_name).strip('[\']')
- if not args.pki_instance_name is None:
- config.pki_instance_name =\
- str(args.pki_instance_name).strip('[\']')
- if not args.pki_http_port is None:
- config.pki_http_port = str(args.pki_http_port).strip('[\']')
- if not args.pki_https_port is None:
- config.pki_https_port = str(args.pki_https_port).strip('[\']')
- if not args.pki_ajp_port is None:
+ if not args.custom_pki_admin_domain_name is None:
+ config.custom_pki_admin_domain_name =\
+ str(args.custom_pki_admin_domain_name).strip('[\']')
+ if not args.custom_pki_instance_name is None:
+ config.custom_pki_instance_name =\
+ str(args.custom_pki_instance_name).strip('[\']')
+ if not args.custom_pki_http_port is None:
+ config.custom_pki_http_port =\
+ str(args.custom_pki_http_port).strip('[\']')
+ if not args.custom_pki_https_port is None:
+ config.custom_pki_https_port =\
+ str(args.custom_pki_https_port).strip('[\']')
+ if not args.custom_pki_ajp_port is None:
if config.pki_subsystem in config.PKI_TOMCAT_SUBSYSTEMS:
- config.pki_ajp_port = str(args.pki_ajp_port).strip('[\']')
+ config.custom_pki_ajp_port =\
+ str(args.custom_pki_ajp_port).strip('[\']')
else:
print "ERROR: " +\
log.PKI_CUSTOM_TOMCAT_AJP_PORT_1 %\
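Review bot: The command-line values are still unwrapped with `str(args.custom_pki_http_port).strip('[\']')`, i.e. by rendering the one-element list argparse produces for `nargs=1` and stripping the brackets and quotes; any value containing a quote or bracket is silently mangled, and nothing checks that the three port values are numeric before they presumably end up as the port slots. Index the list instead, `config.custom_pki_http_port = args.custom_pki_http_port[0]`, for all five assignments in this hunk, and either declare the port arguments with `type=int` in the `add_argument` calls of the preceding hunk or validate them with `int()` here if callers expect strings. process_command_line_arguments continues on both sides of the hunk.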
@@ -161,24 +164,24 @@ def process_command_line_arguments(argv):
print
parser.print_help()
parser.exit(-1);
- if not args.pki_instance_name is None or\
- not args.pki_http_port is None or\
- not args.pki_https_port is None or\
- not args.pki_ajp_port is None:
+ if not args.custom_pki_instance_name is None or\
+ not args.custom_pki_http_port is None or\
+ not args.custom_pki_https_port is None or\
+ not args.custom_pki_ajp_port is None:
if config.pki_subsystem in config.PKI_APACHE_SUBSYSTEMS:
- if args.pki_instance_name is None or\
- args.pki_http_port is None or\
- args.pki_https_port is None:
+ if args.custom_pki_instance_name is None or\
+ args.custom_pki_http_port is None or\
+ args.custom_pki_https_port is None:
print "ERROR: " + log.PKI_CUSTOM_APACHE_INSTANCE_1 %\
config.pki_subsystem
print
parser.print_help()
parser.exit(-1);
elif config.pki_subsystem in config.PKI_TOMCAT_SUBSYSTEMS:
- if args.pki_instance_name is None or\
- args.pki_http_port is None or\
- args.pki_https_port is None or\
- args.pki_ajp_port is None:
+ if args.custom_pki_instance_name is None or\
+ args.custom_pki_http_port is None or\
+ args.custom_pki_https_port is None or\
+ args.custom_pki_ajp_port is None:
print "ERROR: " + log.PKI_CUSTOM_TOMCAT_INSTANCE_1 %\
config.pki_subsystem
print
@@ -191,16 +194,51 @@ def process_command_line_arguments(argv):
# explicitly specified if it does not use the default location
# and/or default configuration file name.
if config.pki_subsystem in config.PKI_APACHE_SUBSYSTEMS:
- default_pki_instance_name =\
- config.PKI_DEPLOYMENT_DEFAULT_APACHE_INSTANCE_NAME
+ if not config.custom_pki_instance_name is None:
+ default_pki_instance_name = config.custom_pki_instance_name
+ else:
+ default_pki_instance_name =\
+ config.PKI_DEPLOYMENT_DEFAULT_APACHE_INSTANCE_NAME
+ if not config.custom_pki_admin_domain_name is None:
+ config.pkideployment_cfg =\
+ config.pki_root_prefix +\
+ config.PKI_DEPLOYMENT_REGISTRY_ROOT + "/" +\
+ config.PKI_DEPLOYMENT_DEFAULT_APACHE_INSTANCE_NAME + "/" +\
+ config.custom_pki_admin_domain_name + "-" +\
+ default_pki_instance_name +"/" +\
+ config.pki_subsystem.lower() +"/" +\
+ config.PKI_DEPLOYMENT_DEFAULT_CONFIGURATION_FILE
+ else:
+ config.pkideployment_cfg =\
+ config.pki_root_prefix +\
+ config.PKI_DEPLOYMENT_REGISTRY_ROOT + "/" +\
+ config.PKI_DEPLOYMENT_DEFAULT_APACHE_INSTANCE_NAME + "/" +\
+ default_pki_instance_name +"/" +\
+ config.pki_subsystem.lower() +"/" +\
+ config.PKI_DEPLOYMENT_DEFAULT_CONFIGURATION_FILE
elif config.pki_subsystem in config.PKI_TOMCAT_SUBSYSTEMS:
- default_pki_instance_name =\
- config.PKI_DEPLOYMENT_DEFAULT_TOMCAT_INSTANCE_NAME
- config.pkideployment_cfg = config.pki_root_prefix +\
- config.PKI_DEPLOYMENT_REGISTRY_ROOT + "/" +\
- default_pki_instance_name +"/" +\
- config.pki_subsystem.lower() +"/" +\
- config.PKI_DEPLOYMENT_DEFAULT_CONFIGURATION_FILE
+ if not config.custom_pki_instance_name is None:
+ default_pki_instance_name = config.custom_pki_instance_name
+ else:
+ default_pki_instance_name =\
+ config.PKI_DEPLOYMENT_DEFAULT_TOMCAT_INSTANCE_NAME
+ if not config.custom_pki_admin_domain_name is None:
+ config.pkideployment_cfg =\
+ config.pki_root_prefix +\
+ config.PKI_DEPLOYMENT_REGISTRY_ROOT + "/" +\
+ config.PKI_DEPLOYMENT_DEFAULT_TOMCAT_INSTANCE_NAME + "/" +\
+ config.custom_pki_admin_domain_name + "-" +\
+ default_pki_instance_name +"/" +\
+ config.pki_subsystem.lower() +"/" +\
+ config.PKI_DEPLOYMENT_DEFAULT_CONFIGURATION_FILE
+ else:
+ config.pkideployment_cfg =\
+ config.pki_root_prefix +\
+ config.PKI_DEPLOYMENT_REGISTRY_ROOT + "/" +\
+ config.PKI_DEPLOYMENT_DEFAULT_TOMCAT_INSTANCE_NAME + "/" +\
+ default_pki_instance_name +"/" +\
+ config.pki_subsystem.lower() +"/" +\
+ config.PKI_DEPLOYMENT_DEFAULT_CONFIGURATION_FILE
if not os.path.exists(config.pkideployment_cfg) or\
not os.path.isfile(config.pkideployment_cfg):
print "ERROR: " +\
@@ -334,16 +372,47 @@ def compose_pki_master_dictionary():
"conf")
config.pki_master_dict['pki_source_setup_path'] =\
os.path.join(config.PKI_DEPLOYMENT_SOURCE_ROOT,
- config.pki_master_dict['pki_subsystem'].lower(),
"setup")
+ config.pki_master_dict['pki_source_shared_path'] =\
+ os.path.join(config.PKI_DEPLOYMENT_SOURCE_ROOT,
+ "shared",
+ "conf")
config.pki_master_dict['pki_source_cs_cfg'] =\
os.path.join(config.pki_master_dict['pki_source_conf_path'],
"CS.cfg")
config.pki_master_dict['pki_source_registry'] =\
os.path.join(config.pki_master_dict['pki_source_setup_path'],
- "registry_instance")
+ "pkidaemon_registry")
if config.pki_master_dict['pki_subsystem'] in\
- config.PKI_TOMCAT_SUBSYSTEMS:
+ config.PKI_APACHE_SUBSYSTEMS:
+ config.pki_master_dict['pki_systemd_service'] =\
+ config.PKI_DEPLOYMENT_SYSTEMD_ROOT + "/" +\
+ "pki-apached" + "@" + ".service"
+ config.pki_master_dict['pki_systemd_target'] =\
+ config.PKI_DEPLOYMENT_SYSTEMD_ROOT + "/" +\
+ "pki-apached.target"
+ config.pki_master_dict['pki_systemd_target_wants'] =\
+ config.PKI_DEPLOYMENT_SYSTEMD_CONFIGURATION_ROOT + "/" +\
+ "pki-apached.target.wants"
+ config.pki_master_dict['pki_systemd_service_link'] =\
+ config.pki_master_dict['pki_systemd_target_wants'] + "/" +\
+ "pki-apached" + "@" +\
+ config.pki_master_dict['pki_instance_id'] + ".service"
+ elif config.pki_master_dict['pki_subsystem'] in\
+ config.PKI_TOMCAT_SUBSYSTEMS:
+ config.pki_master_dict['pki_systemd_service'] =\
+ config.PKI_DEPLOYMENT_SYSTEMD_ROOT + "/" +\
+ "pki-tomcatd" + "@" + ".service"
+ config.pki_master_dict['pki_systemd_target'] =\
+ config.PKI_DEPLOYMENT_SYSTEMD_ROOT + "/" +\
+ "pki-tomcatd.target"
+ config.pki_master_dict['pki_systemd_target_wants'] =\
+ config.PKI_DEPLOYMENT_SYSTEMD_CONFIGURATION_ROOT + "/" +\
+ "pki-tomcatd.target.wants"
+ config.pki_master_dict['pki_systemd_service_link'] =\
+ config.pki_master_dict['pki_systemd_target_wants'] + "/" +\
+ "pki-tomcatd" + "@" +\
+ config.pki_master_dict['pki_instance_id'] + ".service"
config.pki_master_dict['pki_tomcat_bin_path'] =\
os.path.join(config.PKI_DEPLOYMENT_TOMCAT_ROOT,
"bin")
@@ -364,16 +433,16 @@ def compose_pki_master_dictionary():
os.path.join(config.pki_master_dict['pki_war_path'],
config.pki_master_dict['pki_war_name'])
config.pki_master_dict['pki_source_catalina_properties'] =\
- os.path.join(config.pki_master_dict['pki_source_conf_path'],
+ os.path.join(config.pki_master_dict['pki_source_shared_path'],
"catalina.properties")
config.pki_master_dict['pki_source_servercertnick_conf'] =\
- os.path.join(config.pki_master_dict['pki_source_conf_path'],
+ os.path.join(config.pki_master_dict['pki_source_shared_path'],
"serverCertNick.conf")
config.pki_master_dict['pki_source_server_xml'] =\
- os.path.join(config.pki_master_dict['pki_source_conf_path'],
+ os.path.join(config.pki_master_dict['pki_source_shared_path'],
"server.xml")
config.pki_master_dict['pki_source_tomcat_conf'] =\
- os.path.join(config.pki_master_dict['pki_source_conf_path'],
+ os.path.join(config.pki_master_dict['pki_source_shared_path'],
"tomcat.conf")
config.pki_master_dict['pki_source_index_jsp'] =\
os.path.join(config.pki_master_dict['pki_source_webapps_path'],
@@ -425,12 +494,24 @@ def compose_pki_master_dictionary():
os.path.join(config.pki_master_dict['pki_configuration_path'],
config.pki_master_dict['pki_instance_id'])
# Apache/Tomcat instance registry name/value pairs
- config.pki_master_dict['pki_instance_registry_path'] =\
- os.path.join(config.pki_master_dict['pki_registry_path'],
- config.pki_master_dict['pki_instance_id'])
- # Tomcat-specific instance name/value pairs
+ # Apache-specific instance name/value pairs
if config.pki_master_dict['pki_subsystem'] in\
- config.PKI_TOMCAT_SUBSYSTEMS:
+ config.PKI_APACHE_SUBSYSTEMS:
+ # Apache instance base name/value pairs
+ # Apache instance log name/value pairs
+ # Apache instance configuration name/value pairs
+ # Apache instance registry name/value pairs
+ config.pki_master_dict['pki_instance_type_registry_path'] =\
+ os.path.join(config.pki_master_dict['pki_registry_path'],
+ "apache")
+ config.pki_master_dict['pki_instance_registry_path'] =\
+ os.path.join(
+ config.pki_master_dict['pki_instance_type_registry_path'],
+ config.pki_master_dict['pki_instance_id'])
+ # Apache instance convenience symbolic links
+ # Tomcat-specific instance name/value pairs
+ elif config.pki_master_dict['pki_subsystem'] in\
+ config.PKI_TOMCAT_SUBSYSTEMS:
# Tomcat instance base name/value pairs
config.pki_master_dict['pki_tomcat_common_path'] =\
os.path.join(config.pki_master_dict['pki_instance_path'],
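Review bot: The new Apache branch consists mostly of headings with nothing under them — `# Apache instance base name/value pairs`, the log and configuration headings, and `# Apache instance convenience symbolic links` each introduce no code — which reads like a template left to fill in; either drop them or collapse them into one `# TODO: Apache instance base/log/configuration/symlink entries not yet populated`. The literal `"apache"` used for `pki_instance_type_registry_path` here is repeated as `"tomcat"` in the hunk ending at L3072 and again for the PKI_LOCKDIR, PKI_PIDDIR and PKI_WEB_SERVER_TYPE slots in the hunks ending at L3138, L3158, L3168 and L3189; setting a single `pki_web_server_type` entry in these two branches and deriving the others from it would keep them from drifting. compose_pki_master_dictionary continues on both sides of the hunk.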
@@ -467,6 +548,13 @@ def compose_pki_master_dictionary():
# Tomcat instance log name/value pairs
# Tomcat instance configuration name/value pairs
# Tomcat instance registry name/value pairs
+ config.pki_master_dict['pki_instance_type_registry_path'] =\
+ os.path.join(config.pki_master_dict['pki_registry_path'],
+ "tomcat")
+ config.pki_master_dict['pki_instance_registry_path'] =\
+ os.path.join(
+ config.pki_master_dict['pki_instance_type_registry_path'],
+ config.pki_master_dict['pki_instance_id'])
# Tomcat instance convenience symbolic links
config.pki_master_dict['pki_tomcat_bin_link'] =\
os.path.join(config.pki_master_dict['pki_instance_path'],
@@ -572,26 +660,30 @@ def compose_pki_master_dictionary():
config.pki_master_dict['pki_subsystem_configuration_path'],
"CS.cfg")
config.pki_master_dict['pki_target_registry'] =\
- os.path.join(config.pki_master_dict['pki_subsystem_registry_path'],
+ os.path.join(config.pki_master_dict['pki_instance_registry_path'],
config.pki_master_dict['pki_instance_id'])
if config.pki_master_dict['pki_subsystem'] in\
config.PKI_TOMCAT_SUBSYSTEMS:
config.pki_master_dict['pki_target_catalina_properties'] =\
os.path.join(
- config.pki_master_dict['pki_subsystem_configuration_path'],
+ config.pki_master_dict['pki_instance_configuration_path'],
"catalina.properties")
config.pki_master_dict['pki_target_servercertnick_conf'] =\
os.path.join(
- config.pki_master_dict['pki_subsystem_configuration_path'],
+ config.pki_master_dict['pki_instance_configuration_path'],
"serverCertNick.conf")
config.pki_master_dict['pki_target_server_xml'] =\
os.path.join(
- config.pki_master_dict['pki_subsystem_configuration_path'],
+ config.pki_master_dict['pki_instance_configuration_path'],
"server.xml")
- config.pki_master_dict['pki_target_tomcat_conf'] =\
+ config.pki_master_dict['pki_target_tomcat_conf_instance_id'] =\
config.pki_master_dict['pki_root_prefix'] +\
"/etc/sysconfig/" +\
config.pki_master_dict['pki_instance_id']
+ config.pki_master_dict['pki_target_tomcat_conf'] =\
+ os.path.join(
+ config.pki_master_dict['pki_instance_configuration_path'],
+ "tomcat.conf")
config.pki_master_dict['pki_target_index_jsp'] =\
os.path.join(
config.pki_master_dict['pki_tomcat_webapps_root_path'],
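Review bot: `pki_target_registry` is now placed under `pki_instance_registry_path`, but `PKI_REGISTRY_FILE_SLOT` in the hunk ending at L3124 is still composed from `pki_subsystem_registry_path` plus the instance id, so the registry file is written to one path while the value substituted into the templates names another; unless both files are meant to exist, the slot should simply be `config.pki_master_dict['pki_target_registry']`. The new `pki_target_tomcat_conf_instance_id` name is opaque on its own; a comment such as `# per-instance /etc/sysconfig/<instance_id> rendered from the same tomcat.conf template` would help. compose_pki_master_dictionary continues on both sides of the hunk.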
@@ -626,14 +718,8 @@ def compose_pki_master_dictionary():
config.pki_master_dict['PKI_INSTANCE_ID_SLOT'] =\
config.pki_master_dict['pki_instance_id']
config.pki_master_dict['PKI_INSTANCE_INITSCRIPT_SLOT'] =\
- os.path.join(config.pki_master_dict['pki_subsystem_path'],
+ os.path.join(config.pki_master_dict['pki_instance_path'],
config.pki_master_dict['pki_instance_id'])
- config.pki_master_dict['PKI_LOCKDIR_SLOT'] =\
- os.path.join("/var/lock/pki",
- config.pki_master_dict['pki_subsystem'].lower())
- config.pki_master_dict['PKI_PIDDIR_SLOT'] =\
- os.path.join("/var/run/pki",
- config.pki_master_dict['pki_subsystem'].lower())
config.pki_master_dict['PKI_REGISTRY_FILE_SLOT'] =\
os.path.join(config.pki_master_dict['pki_subsystem_registry_path'],
config.pki_master_dict['pki_instance_id'])
@@ -650,6 +736,13 @@ def compose_pki_master_dictionary():
config.pki_master_dict['NON_CLIENTAUTH_SECURE_PORT_SLOT'] = None
config.pki_master_dict['NSS_CONF_SLOT'] = None
config.pki_master_dict['OBJ_EXT_SLOT'] = None
+ config.pki_master_dict['PKI_LOCKDIR_SLOT'] =\
+ os.path.join("/var/lock/pki",
+ "apache")
+ config.pki_master_dict['PKI_PIDDIR_SLOT'] =\
+ os.path.join("/var/run/pki",
+ "apache")
+ config.pki_master_dict['PKI_WEB_SERVER_TYPE_SLOT'] = "apache"
config.pki_master_dict['PORT_SLOT'] = None
config.pki_master_dict['PROCESS_ID_SLOT'] = None
config.pki_master_dict['REQUIRE_CFG_PL_SLOT'] = None
@@ -711,14 +804,15 @@ def compose_pki_master_dictionary():
"Unused"
config.pki_master_dict['PKI_EE_SECURE_PORT_SERVER_COMMENT_SLOT'] =\
""
- config.pki_master_dict['PKI_FLAVOR_SLOT'] =\
- "pki"
config.pki_master_dict['PKI_GROUP_SLOT'] =\
config.pki_master_dict['pki_group']
config.pki_master_dict['PKI_INSTANCE_PATH_SLOT'] =\
- config.pki_master_dict['pki_subsystem_path']
- config.pki_master_dict['PKI_INSTANCE_ROOT_SLOT'] =\
config.pki_master_dict['pki_instance_path']
+ config.pki_master_dict['PKI_INSTANCE_ROOT_SLOT'] =\
+ config.pki_master_dict['pki_path']
+ config.pki_master_dict['PKI_LOCKDIR_SLOT'] =\
+ os.path.join("/var/lock/pki",
+ "tomcat")
config.pki_master_dict['PKI_MACHINE_NAME_SLOT'] =\
config.pki_master_dict['pki_hostname']
config.pki_master_dict['PKI_OPEN_AJP_PORT_COMMENT_SLOT'] =\
@@ -731,6 +825,9 @@ def compose_pki_master_dictionary():
config.pki_master_dict\
['PKI_OPEN_SEPARATE_PORTS_WEB_COMMENT_SLOT'] =\
"<!--"
+ config.pki_master_dict['PKI_PIDDIR_SLOT'] =\
+ os.path.join("/var/run/pki",
+ "tomcat")
config.pki_master_dict['PKI_PROXY_SECURE_PORT_SLOT'] =\
config.pki_master_dict['pki_proxy_https_port']
config.pki_master_dict['PKI_PROXY_UNSECURE_PORT_SLOT'] =\
@@ -752,9 +849,8 @@ def compose_pki_master_dictionary():
config.pki_master_dict['PKI_SUBSYSTEM_TYPE_SLOT'] =\
config.pki_master_dict['pki_subsystem'].lower()
config.pki_master_dict['PKI_SYSTEMD_SERVICENAME_SLOT'] =\
- "pki-" + config.pki_master_dict['pki_subsystem'].lower() +\
- "d" + "@" + "pki-" +\
- config.pki_master_dict['pki_subsystem'].lower() + ".service"
+ "pki-tomcatd" + "@" +\
+ config.pki_master_dict['pki_instance_id'] + ".service"
config.pki_master_dict['PKI_UNSECURE_PORT_SLOT'] =\
config.pki_master_dict['pki_http_port']
config.pki_master_dict['PKI_UNSECURE_PORT_CONNECTOR_NAME_SLOT'] =\
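Review bot: `PKI_SYSTEMD_SERVICENAME_SLOT` re-spells the unit name that `pki_systemd_service_link` already ends with, so the two can drift; `os.path.basename(config.pki_master_dict['pki_systemd_service_link'])` yields the same `pki-tomcatd@<instance>.service` string from one source. The hard-coded `pki-tomcatd` is only right if this assignment sits inside the Tomcat-specific branch, which the hunk does not show. compose_pki_master_dictionary continues on both sides of the hunk.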
@@ -763,6 +859,8 @@ def compose_pki_master_dictionary():
"<!-- Shared Ports: Unsecure Port Connector -->"
config.pki_master_dict['PKI_USER_SLOT'] =\
config.pki_master_dict['pki_user']
+ config.pki_master_dict['PKI_WEB_SERVER_TYPE_SLOT'] =\
+ "tomcat"
config.pki_master_dict['PKI_WEBAPPS_NAME_SLOT'] =\
"webapps"
config.pki_master_dict['TOMCAT_CFG_SLOT'] =\
@@ -772,7 +870,7 @@ def compose_pki_master_dictionary():
config.pki_master_dict['pki_tomcat_common_lib_path'],
"*.jar")
config.pki_master_dict['TOMCAT_LOG_DIR_SLOT'] =\
- config.pki_master_dict['pki_subsystem_log_path']
+ config.pki_master_dict['pki_instance_log_path']
config.pki_master_dict['TOMCAT_PIDFILE_SLOT'] =\
"/var/run/" + config.pki_master_dict['pki_instance_id'] + ".pid"
config.pki_master_dict['TOMCAT_SERVER_PORT_SLOT'] =\
diff --git a/base/deploy/src/scriptlets/slot_substitution.py b/base/deploy/src/scriptlets/slot_substitution.py
index 2e2d94545..93b0ae750 100644
--- a/base/deploy/src/scriptlets/slot_substitution.py
+++ b/base/deploy/src/scriptlets/slot_substitution.py
@@ -38,17 +38,25 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
util.file.copy_with_slot_substitution(master['pki_source_cs_cfg'],
master['pki_target_cs_cfg'])
util.file.copy_with_slot_substitution(master['pki_source_registry'],
- master['pki_target_registry'])
+ master['pki_target_registry'],
+ overwrite_flag=True)
if master['pki_subsystem'] in config.PKI_TOMCAT_SUBSYSTEMS:
util.file.copy_with_slot_substitution(
master['pki_source_catalina_properties'],
- master['pki_target_catalina_properties'])
+ master['pki_target_catalina_properties'],
+ overwrite_flag=True)
util.file.copy_with_slot_substitution(
master['pki_source_servercertnick_conf'],
- master['pki_target_servercertnick_conf'])
+ master['pki_target_servercertnick_conf'],
+ overwrite_flag=True)
util.file.copy_with_slot_substitution(
master['pki_source_server_xml'],
- master['pki_target_server_xml'])
+ master['pki_target_server_xml'],
+ overwrite_flag=True)
+ util.file.copy_with_slot_substitution(
+ master['pki_source_tomcat_conf'],
+ master['pki_target_tomcat_conf_instance_id'],
+ overwrite_flag=True)
util.file.copy_with_slot_substitution(
master['pki_source_tomcat_conf'],
master['pki_target_tomcat_conf'],
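Review bot: `overwrite_flag=True` is now passed for the registry, catalina.properties, serverCertNick.conf and server.xml copies, and those targets were moved to the instance configuration directory in this commit, so deploying a second subsystem into an existing Tomcat instance (or re-running pkispawn) replaces files the first deployment — or an operator — has since edited; if several subsystems are meant to share one instance, these copies should be skipped when the target already exists, or the overwrite confined to the path in the hunk ending at L3243. The tomcat.conf template is also rendered twice, to `pki_target_tomcat_conf_instance_id` and `pki_target_tomcat_conf`, in both hunks; a comment explaining why both copies are needed would help the next reader. The enclosing method starts before this hunk.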
@@ -93,6 +101,10 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
overwrite_flag=True)
util.file.copy_with_slot_substitution(
master['pki_source_tomcat_conf'],
+ master['pki_target_tomcat_conf_instance_id'],
+ overwrite_flag=True)
+ util.file.copy_with_slot_substitution(
+ master['pki_source_tomcat_conf'],
master['pki_target_tomcat_conf'],
overwrite_flag=True)
util.file.copy_with_slot_substitution(
diff --git a/base/kra/setup/registry_instance b/base/kra/setup/registry_instance
index 3210b9131..c97b0c736 100644
--- a/base/kra/setup/registry_instance
+++ b/base/kra/setup/registry_instance
@@ -1,8 +1,5 @@
# Establish PKI Variable "Slot" Substitutions
-PKI_FLAVOR=[PKI_FLAVOR]
-export PKI_FLAVOR
-
PKI_SUBSYSTEM_TYPE=[PKI_SUBSYSTEM_TYPE]
export PKI_SUBSYSTEM_TYPE
@@ -38,13 +35,13 @@ export TOMCAT_USER
TOMCAT_GROUP=$PKI_GROUP
export TOMCAT_GROUP
-PKI_LOCKDIR="/var/lock/${PKI_FLAVOR}/${PKI_SUBSYSTEM_TYPE}"
+PKI_LOCKDIR="/var/lock/pki/${PKI_SUBSYSTEM_TYPE}"
export PKI_LOCKDIR
PKI_LOCKFILE="${PKI_LOCKDIR}/${PKI_INSTANCE_ID}"
export PKI_LOCKFILE
-PKI_PIDDIR="/var/run/${PKI_FLAVOR}/${PKI_SUBSYSTEM_TYPE}"
+PKI_PIDDIR="/var/run/pki/${PKI_SUBSYSTEM_TYPE}"
export PKI_PIDDIR
PKI_PIDFILE="${PKI_PIDDIR}/${PKI_INSTANCE_ID}.pid"
diff --git a/base/kra/shared/conf/CS.cfg.in b/base/kra/shared/conf/CS.cfg.in
index a6d49ceb5..5135e1311 100644
--- a/base/kra/shared/conf/CS.cfg.in
+++ b/base/kra/shared/conf/CS.cfg.in
@@ -221,12 +221,12 @@ internaldb.ldapauth.clientCertNickname=
internaldb.ldapconn.host=
internaldb.ldapconn.port=
internaldb.ldapconn.secureConn=false
-preop.internaldb.schema.ldif=/usr/share/[PKI_FLAVOR]/kra/conf/schema.ldif
-preop.internaldb.ldif=/usr/share/[PKI_FLAVOR]/kra/conf/database.ldif
-preop.internaldb.data_ldif=/usr/share/[PKI_FLAVOR]/kra/conf/db.ldif,/usr/share/[PKI_FLAVOR]/kra/conf/acl.ldif
+preop.internaldb.schema.ldif=/usr/share/pki/kra/conf/schema.ldif
+preop.internaldb.ldif=/usr/share/pki/kra/conf/database.ldif
+preop.internaldb.data_ldif=/usr/share/pki/kra/conf/db.ldif,/usr/share/pki/kra/conf/acl.ldif
preop.internaldb.index_ldif=
-preop.internaldb.manager_ldif=/usr/share/[PKI_FLAVOR]/ca/conf/manager.ldif
-preop.internaldb.post_ldif=/usr/share/[PKI_FLAVOR]/kra/conf/index.ldif,/usr/share/[PKI_FLAVOR]/kra/conf/vlv.ldif,/usr/share/[PKI_FLAVOR]/kra/conf/vlvtasks.ldif
+preop.internaldb.manager_ldif=/usr/share/pki/ca/conf/manager.ldif
+preop.internaldb.post_ldif=/usr/share/pki/kra/conf/index.ldif,/usr/share/pki/kra/conf/vlv.ldif,/usr/share/pki/kra/conf/vlvtasks.ldif
preop.internaldb.wait_dn=cn=index1160527115, cn=index, cn=tasks, cn=config
internaldb.multipleSuffix.enable=false
jobsScheduler._000=##
diff --git a/base/kra/shared/conf/server.xml b/base/kra/shared/conf/server.xml
index 58121d448..96e396b72 100644
--- a/base/kra/shared/conf/server.xml
+++ b/base/kra/shared/conf/server.xml
@@ -196,7 +196,7 @@ Tomcat Port = [TOMCAT_SERVER_PORT] (for shutdown)
<!-- Define an AJP 1.3 Connector on port [PKI_AJP_PORT] -->
[PKI_OPEN_AJP_PORT_COMMENT]
- <Connector port="[PKI_AJP_PORT]" protocol="AJP/1.3" redirectPort="PKI_AJP_REDIRECT_PORT]" />
+ <Connector port="[PKI_AJP_PORT]" protocol="AJP/1.3" redirectPort="[PKI_AJP_REDIRECT_PORT]" />
[PKI_CLOSE_AJP_PORT_COMMENT]
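Review bot: The missing `[` in `redirectPort="PKI_AJP_REDIRECT_PORT]"` is fixed only in the KRA template here; the other per-subsystem server.xml templates and the new `base/common/shared/conf/server.xml` are likely copies of the same text and are worth checking for the same slot typo, since an unsubstituted `PKI_AJP_REDIRECT_PORT]` is not a valid port value. Note also that `pki_source_server_xml` now resolves under `pki_source_shared_path` in this commit, so this per-subsystem template may no longer be the one pkispawn renders.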
diff --git a/base/kra/shared/conf/tomcat.conf b/base/kra/shared/conf/tomcat.conf
deleted file mode 100644
index 92af5f8b9..000000000
--- a/base/kra/shared/conf/tomcat.conf
+++ /dev/null
@@ -1,52 +0,0 @@
-# System-wide configuration file for tomcat services
-# This will be sourced by tomcat and any secondary service
-# Values will be overridden by service-specific configuration
-# files in /etc/sysconfig
-#
-# Use this one to change default values for all services
-# Change the service specific ones to affect only one service
-# (see, for instance, /etc/sysconfig/tomcat)
-#
-
-# Where your java installation lives
-#JAVA_HOME="/usr/lib/jvm/jre"
-
-# Where your tomcat installation lives
-CATALINA_BASE="[PKI_INSTANCE_PATH]"
-#CATALINA_HOME="/usr/share/tomcat"
-#JASPER_HOME="/usr/share/tomcat"
-#CATALINA_TMPDIR="/var/cache/tomcat/temp"
-
-# You can pass some parameters to java here if you wish to
-#JAVA_OPTS="-Xminf0.1 -Xmaxf0.3"
-
-# Use JAVA_OPTS to set java.library.path for libtcnative.so
-#JAVA_OPTS="-Djava.library.path=/usr/lib"
-
-# What user should run tomcat
-TOMCAT_USER="[PKI_USER]"
-
-# You can change your tomcat locale here
-#LANG="en_US"
-
-# Run tomcat under the Java Security Manager
-SECURITY_MANAGER="[PKI_SECURITY_MANAGER]"
-
-# Time to wait in seconds, before killing process
-#SHUTDOWN_WAIT="30"
-
-# Whether to annoy the user with "attempting to shut down" messages or not
-#SHUTDOWN_VERBOSE="false"
-
-# Set the TOMCAT_PID location
-CATALINA_PID="[TOMCAT_PIDFILE]"
-
-# Set the tomcat log file
-TOMCAT_LOG="[TOMCAT_LOG_DIR]/tomcat-initd.log"
-
-# Connector port is 8080 for this tomcat instance
-#CONNECTOR_PORT="8080"
-
-# If you wish to further customize your tomcat environment,
-# put your own definitions here
-# (i.e. LD_LIBRARY_PATH for some jdbc drivers)
diff --git a/base/ocsp/setup/registry_instance b/base/ocsp/setup/registry_instance
index 3210b9131..c97b0c736 100644
--- a/base/ocsp/setup/registry_instance
+++ b/base/ocsp/setup/registry_instance
@@ -1,8 +1,5 @@
# Establish PKI Variable "Slot" Substitutions
-PKI_FLAVOR=[PKI_FLAVOR]
-export PKI_FLAVOR
-
PKI_SUBSYSTEM_TYPE=[PKI_SUBSYSTEM_TYPE]
export PKI_SUBSYSTEM_TYPE
@@ -38,13 +35,13 @@ export TOMCAT_USER
TOMCAT_GROUP=$PKI_GROUP
export TOMCAT_GROUP
-PKI_LOCKDIR="/var/lock/${PKI_FLAVOR}/${PKI_SUBSYSTEM_TYPE}"
+PKI_LOCKDIR="/var/lock/pki/${PKI_SUBSYSTEM_TYPE}"
export PKI_LOCKDIR
PKI_LOCKFILE="${PKI_LOCKDIR}/${PKI_INSTANCE_ID}"
export PKI_LOCKFILE
-PKI_PIDDIR="/var/run/${PKI_FLAVOR}/${PKI_SUBSYSTEM_TYPE}"
+PKI_PIDDIR="/var/run/pki/${PKI_SUBSYSTEM_TYPE}"
export PKI_PIDDIR
PKI_PIDFILE="${PKI_PIDDIR}/${PKI_INSTANCE_ID}.pid"
diff --git a/base/ocsp/shared/conf/CS.cfg.in b/base/ocsp/shared/conf/CS.cfg.in
index 5be916e7c..658a1b6d3 100644
--- a/base/ocsp/shared/conf/CS.cfg.in
+++ b/base/ocsp/shared/conf/CS.cfg.in
@@ -183,11 +183,11 @@ internaldb.ldapauth.clientCertNickname=
internaldb.ldapconn.host=
internaldb.ldapconn.port=
internaldb.ldapconn.secureConn=false
-preop.internaldb.schema.ldif=/usr/share/[PKI_FLAVOR]/ocsp/conf/schema.ldif
-preop.internaldb.ldif=/usr/share/[PKI_FLAVOR]/ocsp/conf/database.ldif
-preop.internaldb.data_ldif=/usr/share/[PKI_FLAVOR]/ocsp/conf/db.ldif,/usr/share/[PKI_FLAVOR]/ocsp/conf/acl.ldif
-preop.internaldb.index_ldif=/usr/share/[PKI_FLAVOR]/ocsp/conf/index.ldif
-preop.internaldb.manager_ldif=/usr/share/[PKI_FLAVOR]/ca/conf/manager.ldif
+preop.internaldb.schema.ldif=/usr/share/pki/ocsp/conf/schema.ldif
+preop.internaldb.ldif=/usr/share/pki/ocsp/conf/database.ldif
+preop.internaldb.data_ldif=/usr/share/pki/ocsp/conf/db.ldif,/usr/share/pki/ocsp/conf/acl.ldif
+preop.internaldb.index_ldif=/usr/share/pki/ocsp/conf/index.ldif
+preop.internaldb.manager_ldif=/usr/share/pki/ca/conf/manager.ldif
preop.internaldb.post_ldif=
preop.internaldb.wait_dn=
internaldb.multipleSuffix.enable=false
diff --git a/base/ocsp/shared/conf/tomcat.conf b/base/ocsp/shared/conf/tomcat.conf
deleted file mode 100644
index 92af5f8b9..000000000
--- a/base/ocsp/shared/conf/tomcat.conf
+++ /dev/null
@@ -1,52 +0,0 @@
-# System-wide configuration file for tomcat services
-# This will be sourced by tomcat and any secondary service
-# Values will be overridden by service-specific configuration
-# files in /etc/sysconfig
-#
-# Use this one to change default values for all services
-# Change the service specific ones to affect only one service
-# (see, for instance, /etc/sysconfig/tomcat)
-#
-
-# Where your java installation lives
-#JAVA_HOME="/usr/lib/jvm/jre"
-
-# Where your tomcat installation lives
-CATALINA_BASE="[PKI_INSTANCE_PATH]"
-#CATALINA_HOME="/usr/share/tomcat"
-#JASPER_HOME="/usr/share/tomcat"
-#CATALINA_TMPDIR="/var/cache/tomcat/temp"
-
-# You can pass some parameters to java here if you wish to
-#JAVA_OPTS="-Xminf0.1 -Xmaxf0.3"
-
-# Use JAVA_OPTS to set java.library.path for libtcnative.so
-#JAVA_OPTS="-Djava.library.path=/usr/lib"
-
-# What user should run tomcat
-TOMCAT_USER="[PKI_USER]"
-
-# You can change your tomcat locale here
-#LANG="en_US"
-
-# Run tomcat under the Java Security Manager
-SECURITY_MANAGER="[PKI_SECURITY_MANAGER]"
-
-# Time to wait in seconds, before killing process
-#SHUTDOWN_WAIT="30"
-
-# Whether to annoy the user with "attempting to shut down" messages or not
-#SHUTDOWN_VERBOSE="false"
-
-# Set the TOMCAT_PID location
-CATALINA_PID="[TOMCAT_PIDFILE]"
-
-# Set the tomcat log file
-TOMCAT_LOG="[TOMCAT_LOG_DIR]/tomcat-initd.log"
-
-# Connector port is 8080 for this tomcat instance
-#CONNECTOR_PORT="8080"
-
-# If you wish to further customize your tomcat environment,
-# put your own definitions here
-# (i.e. LD_LIBRARY_PATH for some jdbc drivers)
diff --git a/base/ra/setup/CMakeLists.txt b/base/ra/setup/CMakeLists.txt
index f5f069cdb..4f9784507 100644
--- a/base/ra/setup/CMakeLists.txt
+++ b/base/ra/setup/CMakeLists.txt
@@ -2,6 +2,7 @@ set(VERSION ${APPLICATION_VERSION})
install(
FILES
+ pkidaemon_registry
registry_instance
DESTINATION
${SHARE_INSTALL_PREFIX}/${APPLICATION_NAME}/${PROJECT_NAME}/setup
diff --git a/base/ra/setup/pkidaemon_registry b/base/ra/setup/pkidaemon_registry
new file mode 100644
index 000000000..8d23dda05
--- /dev/null
+++ b/base/ra/setup/pkidaemon_registry
@@ -0,0 +1,116 @@
+# Establish PKI Variable "Slot" Substitutions
+
+PKI_WEB_SERVER_TYPE=[PKI_WEB_SERVER_TYPE]
+export PKI_WEB_SERVER_TYPE
+
+PKI_SUBSYSTEM_TYPE=[PKI_SUBSYSTEM_TYPE]
+export PKI_SUBSYSTEM_TYPE
+
+PKI_USER=[PKI_USER]
+export PKI_USER
+
+PKI_GROUP=[PKI_GROUP]
+export PKI_GROUP
+
+PKI_INSTANCE_ID=[PKI_INSTANCE_ID]
+export PKI_INSTANCE_ID
+
+PKI_INSTANCE_INITSCRIPT=[PKI_INSTANCE_INITSCRIPT]
+export PKI_INSTANCE_INITSCRIPT
+
+PKI_HTTPD_CONF=[HTTPD_CONF]
+export PKI_HTTPD_CONF
+
+PKI_SERVER_ROOT=[SERVER_ROOT]
+export PKI_SERVER_ROOT
+
+PKI_SYSTEM_USER_LIBRARIES=[SYSTEM_USER_LIBRARIES]
+export PKI_SYSTEM_USER_LIBRARIES
+
+PKI_FORTITUDE_DIR=[FORTITUDE_DIR]
+export PKI_FORTITUDE_DIR
+
+PKI_NSS_CONF=[NSS_CONF]
+export PKI_NSS_CONF
+
+PKI_SERVER_NAME=[SERVER_NAME]
+export PKI_SERVER_NAME
+
+PKI_LOCK_FILE="[PKI_LOCKDIR]/${PKI_INSTANCE_ID}.pid"
+export PKI_LOCK_FILE
+
+PKI_PID_FILE="[PKI_PIDDIR]/${PKI_INSTANCE_ID}.pid"
+export PKI_PID_FILE
+
+PKI_SELINUX_TYPE="pki_ra_t"
+export PKI_SELINUX_TYPE
+
+pki_instance_configuration_file=${PKI_SERVER_ROOT}/conf/CS.cfg
+export pki_instance_configuration_file
+
+RESTART_SERVER=${PKI_SERVER_ROOT}/conf/restart_server_after_configuration
+export RESTART_SERVER
+
+########################################################################
+# This section contains modified content of "/etc/sysconfig/httpd" #
+########################################################################
+# Configuration file for the ${PKI_INSTANCE_ID} service.
+
+#
+# The default processing model (MPM) is the process-based
+# 'prefork' model. A thread-based model, 'worker', is also
+# available, but does not work with some modules (such as PHP).
+# The service must be stopped before changing this variable.
+#
+PKI_HTTPD=${PKI_FORTITUDE_DIR}/sbin/httpd.worker
+export PKI_HTTPD
+
+#
+# To pass additional options (for instance, -D definitions) to the
+# httpd binary at startup, set PKI_OPTIONS here.
+#
+PKI_OPTIONS="-f ${PKI_HTTPD_CONF}"
+export PKI_OPTIONS
+
+#
+# By default, the httpd process is started in the C locale; to
+# change the locale in which the server runs, the PKI_HTTPD_LANG
+# variable can be set.
+#
+PKI_HTTPD_LANG=C
+export PKI_HTTPD_LANG
+########################################################################
+# #
+########################################################################
+
+# This will prevent initlog from swallowing up a pass-phrase prompt if
+# mod_ssl needs a pass-phrase from the user.
+PKI_INITLOG_ARGS=""
+export PKI_INITLOG_ARGS
+
+# Set PKI_HTTPD=/usr/sbin/httpd.worker in /etc/sysconfig/httpd to use a server
+# with the thread-based "worker" MPM; BE WARNED that some modules may not
+# work correctly with a thread-based MPM; notably PHP will refuse to start.
+
+# Path to the server binary and short-form for messages.
+httpd=${PKI_HTTPD}
+export httpd
+
+pki_logs_directory=${PKI_SERVER_ROOT}/logs
+export pki_logs_directory
+
+# see if httpd is linked with the openldap libraries - we need to override
+# their use of OpenSSL
+if [ ${OS} = "Linux" ]; then
+ hasopenldap=0
+
+ /usr/bin/ldd ${httpd} 2>&1 | grep libldap- > /dev/null 2>&1 && hasopenldap=1
+
+ if [ ${hasopenldap} -eq 1 ] ; then
+ LD_PRELOAD="${PKI_SYSTEM_USER_LIBRARIES}/libssl3.so:${LD_PRELOAD}"
+ export LD_PRELOAD
+ fi
+elif [ ${OS} = "SunOS" ]; then
+ LD_PRELOAD_64="${PKI_SYSTEM_USER_LIBRARIES}/dirsec/libssl3.so:${LD_PRELOAD_64}"
+ export LD_PRELOAD_64
+fi
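Review bot: `PKI_LOCK_FILE="[PKI_LOCKDIR]/${PKI_INSTANCE_ID}.pid"` gives the lock file a `.pid` suffix and the same basename as `PKI_PID_FILE`, whereas the existing `registry_instance` files use `${PKI_LOCKDIR}/${PKI_INSTANCE_ID}`; this looks like a copy of the PID line and should probably read `PKI_LOCK_FILE="[PKI_LOCKDIR]/${PKI_INSTANCE_ID}"`. `${OS}` is not set anywhere in this file and is expanded unquoted in `[ ${OS} = "Linux" ]`, so `[` reports a unary-operator error and the branch is skipped if the sourcing script has not exported it; quote it, `if [ "${OS}" = "Linux" ]; then`, and likewise on the `SunOS` branch. A header comment naming the script expected to source this file and the variables (`OS`, `LD_PRELOAD`) it relies on being pre-set would make that contract visible.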
diff --git a/base/ra/setup/registry_instance b/base/ra/setup/registry_instance
index 64a73197f..f8cae5a43 100644
--- a/base/ra/setup/registry_instance
+++ b/base/ra/setup/registry_instance
@@ -1,8 +1,5 @@
# Establish PKI Variable "Slot" Substitutions
-PKI_FLAVOR=[PKI_FLAVOR]
-export PKI_FLAVOR
-
PKI_SUBSYSTEM_TYPE=[PKI_SUBSYSTEM_TYPE]
export PKI_SUBSYSTEM_TYPE
diff --git a/base/setup/pkicommon.pm b/base/setup/pkicommon.pm
index b5ef8e140..4b68ffa7e 100755
--- a/base/setup/pkicommon.pm
+++ b/base/setup/pkicommon.pm
@@ -27,7 +27,7 @@ use Exporter;
our @ISA = qw(Exporter);
our @EXPORT = qw(
$lib_prefix $obj_ext $path_sep $tmp_dir
- $pki_flavor $pki_registry_path
+ $pki_registry_path
$verbose $dry_run $hostname $default_hardware_platform
$default_system_binaries $default_lockdir $default_system_libraries $default_system_user_binaries
$default_system_user_libraries
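Review bot: Dropping `$pki_flavor` from both `@EXPORT` and the module body turns any remaining reference in a script that does `use pkicommon` into a compile-time failure under `use strict`; this diff updates pkicreate, but any consumer of pkicommon.pm that is not touched here would now fail at startup, so the tree should be checked for leftover `$pki_flavor` uses and `[PKI_FLAVOR]` slot tokens before merging. The literal path segment `pki` is now spelled out independently in pkicommon.pm (`/var/lock/pki`), in pkicreate (`/usr/share/pki`, `"/" . "pki"`) and in the tks/tps registry_instance files (`/var/lock/pki/...`, `/var/run/pki/...`); keeping `$pki_registry_path` and `$default_lockdir` as the single source and deriving the other paths from them would avoid the values drifting apart later. The later pkicommon.pm and pkicreate hunks in this diff carry the same duplication.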
@@ -164,7 +164,6 @@ our %selinux_ports = ();
# Shared Default Values
##############################################################
-our $pki_flavor = undef;
our $pki_registry_path = undef;
our $default_hardware_platform = undef;
@@ -204,11 +203,10 @@ my $is_IPv6 = 0;
# Compute "hardware platform" of Operating System
if ($^O eq "linux") {
- $pki_flavor = "pki";
$default_registry_path = "/etc/sysconfig";
- $pki_registry_path = "$default_registry_path/$pki_flavor";
+ $pki_registry_path = "$default_registry_path/pki";
$default_initscripts_path = "/etc/rc.d/init.d";
- $default_lockdir = "/var/lock/$pki_flavor";
+ $default_lockdir = "/var/lock/pki";
$default_hardware_platform = `uname -i`;
$default_hardware_platform =~ s/\s+$//g;
chomp($default_hardware_platform);
diff --git a/base/setup/pkicreate b/base/setup/pkicreate
index b5453f2f6..b5568f01c 100755
--- a/base/setup/pkicreate
+++ b/base/setup/pkicreate
@@ -102,7 +102,7 @@ use lib "/usr/share/pki/scripts";
use pkicommon;
# Establish path to scripts
-my $pki_subsystem_common_area = "/usr/share/$pki_flavor";
+my $pki_subsystem_common_area = "/usr/share/pki";
# make -w happy by suppressing warnings of Global variables used only once
my $suppress = "";
@@ -319,7 +319,6 @@ my $TOMCAT_TLS_CIPHERS = "TOMCAT_TLS_CIPHERS";
my $TOMCAT_INSTANCE_COMMON_LIB = "TOMCAT_INSTANCE_COMMON_LIB";
my $TOMCAT_LOG_DIR = "TOMCAT_LOG_DIR";
my $PKI_INSTANCE_INITSCRIPT = "PKI_INSTANCE_INITSCRIPT";
-my $PKI_FLAVOR_SLOT = "PKI_FLAVOR";
my $PKI_UNSECURE_PORT_CONNECTOR_NAME_SLOT = "PKI_UNSECURE_PORT_CONNECTOR_NAME";
my $PKI_SECURE_PORT_CONNECTOR_NAME_SLOT = "PKI_SECURE_PORT_CONNECTOR_NAME";
my $PKI_ADMIN_SECURE_PORT_CONNECTOR_NAME_SLOT = "PKI_ADMIN_SECURE_PORT_CONNECTOR_NAME";
@@ -1480,7 +1479,7 @@ sub initialize_subsystem_paths
$applets_subsystem_path = $pki_subsystem_path
. "/" . $applets_base_subsystem_dir;
$bin_subsystem_path = $default_system_user_libraries
- . "/" . $pki_flavor
+ . "/" . "pki"
. "/" . $subsystem_type;
$samples_subsystem_path = $pki_subsystem_path
. "/" . $samples_base_subsystem_dir;
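Review bot: The replacement `. "/" . "pki"` concatenates two literals where one would do; since the value is no longer variable, `. "/pki"` reads more clearly and matches how the other replaced paths in this diff (`"/usr/share/pki"`, `"/var/lock/pki"`) are written. initialize_subsystem_paths begins and ends outside this hunk.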
@@ -2438,7 +2437,6 @@ sub process_pki_templates
$slot_hash{$SYSTEM_USER_LIBRARIES} = $default_system_user_libraries;
$slot_hash{$TMP_DIR} = $tmp_dir;
$slot_hash{$TPS_DIR} = $pki_subsystem_path;
- $slot_hash{$PKI_FLAVOR_SLOT} = $pki_flavor;
$slot_hash{$PKI_RANDOM_NUMBER_SLOT} = $random;
$slot_hash{$PKI_LOCKDIR} = $pki_lockdir_path;
if (is_Fedora() || (is_RHEL() && (! is_RHEL4()))) {
@@ -2586,7 +2584,6 @@ LoadModule nss_module /opt/fortitude/modules.local/libmodnss.so
$proxy_unsecure_port : "";
$slot_hash{$PKI_WEBAPPS_NAME} = $webapps_base_subsystem_dir;
- $slot_hash{$PKI_FLAVOR_SLOT} = $pki_flavor;
$slot_hash{$TOMCAT_SERVER_PORT_SLOT} = $tomcat_server_port;
$slot_hash{$TOMCAT_PIDFILE} = $tomcat6_instance_pid_file_path;
$slot_hash{$TOMCAT_CFG} = $tomcat6_conf_instance_file_path;
diff --git a/base/setup/scripts/functions b/base/setup/scripts/functions
index 516bf32e2..62dc20694 100644
--- a/base/setup/scripts/functions
+++ b/base/setup/scripts/functions
@@ -154,7 +154,7 @@ usage_systemd()
echo -n "|try-restart"
echo -n "|reload"
echo -n "|status} "
- echo -n "subsytem-type "
+ echo -n "subsystem-type "
echo -n "[instance-name]"
echo
echo
diff --git a/base/tks/setup/registry_instance b/base/tks/setup/registry_instance
index 3210b9131..c97b0c736 100644
--- a/base/tks/setup/registry_instance
+++ b/base/tks/setup/registry_instance
@@ -1,8 +1,5 @@
# Establish PKI Variable "Slot" Substitutions
-PKI_FLAVOR=[PKI_FLAVOR]
-export PKI_FLAVOR
-
PKI_SUBSYSTEM_TYPE=[PKI_SUBSYSTEM_TYPE]
export PKI_SUBSYSTEM_TYPE
@@ -38,13 +35,13 @@ export TOMCAT_USER
TOMCAT_GROUP=$PKI_GROUP
export TOMCAT_GROUP
-PKI_LOCKDIR="/var/lock/${PKI_FLAVOR}/${PKI_SUBSYSTEM_TYPE}"
+PKI_LOCKDIR="/var/lock/pki/${PKI_SUBSYSTEM_TYPE}"
export PKI_LOCKDIR
PKI_LOCKFILE="${PKI_LOCKDIR}/${PKI_INSTANCE_ID}"
export PKI_LOCKFILE
-PKI_PIDDIR="/var/run/${PKI_FLAVOR}/${PKI_SUBSYSTEM_TYPE}"
+PKI_PIDDIR="/var/run/pki/${PKI_SUBSYSTEM_TYPE}"
export PKI_PIDDIR
PKI_PIDFILE="${PKI_PIDDIR}/${PKI_INSTANCE_ID}.pid"
diff --git a/base/tks/shared/conf/CS.cfg.in b/base/tks/shared/conf/CS.cfg.in
index 195201e4d..740baf61e 100644
--- a/base/tks/shared/conf/CS.cfg.in
+++ b/base/tks/shared/conf/CS.cfg.in
@@ -176,11 +176,11 @@ internaldb.ldapauth.clientCertNickname=
internaldb.ldapconn.host=
internaldb.ldapconn.port=
internaldb.ldapconn.secureConn=false
-preop.internaldb.schema.ldif=/usr/share/[PKI_FLAVOR]/tks/conf/schema.ldif
-preop.internaldb.ldif=/usr/share/[PKI_FLAVOR]/tks/conf/database.ldif
-preop.internaldb.data_ldif=/usr/share/[PKI_FLAVOR]/tks/conf/db.ldif,/usr/share/[PKI_FLAVOR]/tks/conf/acl.ldif
-preop.internaldb.index_ldif=/usr/share/[PKI_FLAVOR]/tks/conf/index.ldif
-preop.internaldb.manager_ldif=/usr/share/[PKI_FLAVOR]/ca/conf/manager.ldif
+preop.internaldb.schema.ldif=/usr/share/pki/tks/conf/schema.ldif
+preop.internaldb.ldif=/usr/share/pki/tks/conf/database.ldif
+preop.internaldb.data_ldif=/usr/share/pki/tks/conf/db.ldif,/usr/share/pki/tks/conf/acl.ldif
+preop.internaldb.index_ldif=/usr/share/pki/tks/conf/index.ldif
+preop.internaldb.manager_ldif=/usr/share/pki/ca/conf/manager.ldif
preop.internaldb.post_ldif=
preop.internaldb.wait_dn=
internaldb.multipleSuffix.enable=false
diff --git a/base/tks/shared/conf/tomcat.conf b/base/tks/shared/conf/tomcat.conf
deleted file mode 100644
index 92af5f8b9..000000000
--- a/base/tks/shared/conf/tomcat.conf
+++ /dev/null
@@ -1,52 +0,0 @@
-# System-wide configuration file for tomcat services
-# This will be sourced by tomcat and any secondary service
-# Values will be overridden by service-specific configuration
-# files in /etc/sysconfig
-#
-# Use this one to change default values for all services
-# Change the service specific ones to affect only one service
-# (see, for instance, /etc/sysconfig/tomcat)
-#
-
-# Where your java installation lives
-#JAVA_HOME="/usr/lib/jvm/jre"
-
-# Where your tomcat installation lives
-CATALINA_BASE="[PKI_INSTANCE_PATH]"
-#CATALINA_HOME="/usr/share/tomcat"
-#JASPER_HOME="/usr/share/tomcat"
-#CATALINA_TMPDIR="/var/cache/tomcat/temp"
-
-# You can pass some parameters to java here if you wish to
-#JAVA_OPTS="-Xminf0.1 -Xmaxf0.3"
-
-# Use JAVA_OPTS to set java.library.path for libtcnative.so
-#JAVA_OPTS="-Djava.library.path=/usr/lib"
-
-# What user should run tomcat
-TOMCAT_USER="[PKI_USER]"
-
-# You can change your tomcat locale here
-#LANG="en_US"
-
-# Run tomcat under the Java Security Manager
-SECURITY_MANAGER="[PKI_SECURITY_MANAGER]"
-
-# Time to wait in seconds, before killing process
-#SHUTDOWN_WAIT="30"
-
-# Whether to annoy the user with "attempting to shut down" messages or not
-#SHUTDOWN_VERBOSE="false"
-
-# Set the TOMCAT_PID location
-CATALINA_PID="[TOMCAT_PIDFILE]"
-
-# Set the tomcat log file
-TOMCAT_LOG="[TOMCAT_LOG_DIR]/tomcat-initd.log"
-
-# Connector port is 8080 for this tomcat instance
-#CONNECTOR_PORT="8080"
-
-# If you wish to further customize your tomcat environment,
-# put your own definitions here
-# (i.e. LD_LIBRARY_PATH for some jdbc drivers)
diff --git a/base/tps/setup/CMakeLists.txt b/base/tps/setup/CMakeLists.txt
index f5f069cdb..4f9784507 100644
--- a/base/tps/setup/CMakeLists.txt
+++ b/base/tps/setup/CMakeLists.txt
@@ -2,6 +2,7 @@ set(VERSION ${APPLICATION_VERSION})
install(
FILES
+ pkidaemon_registry
registry_instance
DESTINATION
${SHARE_INSTALL_PREFIX}/${APPLICATION_NAME}/${PROJECT_NAME}/setup
diff --git a/base/tps/setup/pkidaemon_registry b/base/tps/setup/pkidaemon_registry
new file mode 100644
index 000000000..6c13a4955
--- /dev/null
+++ b/base/tps/setup/pkidaemon_registry
@@ -0,0 +1,116 @@
+# Establish PKI Variable "Slot" Substitutions
+
+PKI_WEB_SERVER_TYPE=[PKI_WEB_SERVER_TYPE]
+export PKI_WEB_SERVER_TYPE
+
+PKI_SUBSYSTEM_TYPE=[PKI_SUBSYSTEM_TYPE]
+export PKI_SUBSYSTEM_TYPE
+
+PKI_USER=[PKI_USER]
+export PKI_USER
+
+PKI_GROUP=[PKI_GROUP]
+export PKI_GROUP
+
+PKI_INSTANCE_ID=[PKI_INSTANCE_ID]
+export PKI_INSTANCE_ID
+
+PKI_INSTANCE_INITSCRIPT=[PKI_INSTANCE_INITSCRIPT]
+export PKI_INSTANCE_INITSCRIPT
+
+PKI_HTTPD_CONF=[HTTPD_CONF]
+export PKI_HTTPD_CONF
+
+PKI_SERVER_ROOT=[SERVER_ROOT]
+export PKI_SERVER_ROOT
+
+PKI_SYSTEM_USER_LIBRARIES=[SYSTEM_USER_LIBRARIES]
+export PKI_SYSTEM_USER_LIBRARIES
+
+PKI_FORTITUDE_DIR=[FORTITUDE_DIR]
+export PKI_FORTITUDE_DIR
+
+PKI_NSS_CONF=[NSS_CONF]
+export PKI_NSS_CONF
+
+PKI_SERVER_NAME=[SERVER_NAME]
+export PKI_SERVER_NAME
+
+PKI_LOCK_FILE="[PKI_LOCKDIR]/${PKI_INSTANCE_ID}.pid"
+export PKI_LOCK_FILE
+
+PKI_PID_FILE="[PKI_PIDDIR]/${PKI_INSTANCE_ID}.pid"
+export PKI_PID_FILE
+
+PKI_SELINUX_TYPE="pki_tps_t"
+export PKI_SELINUX_TYPE
+
+pki_instance_configuration_file=${PKI_SERVER_ROOT}/conf/CS.cfg
+export pki_instance_configuration_file
+
+RESTART_SERVER=${PKI_SERVER_ROOT}/conf/restart_server_after_configuration
+export RESTART_SERVER
+
+########################################################################
+# This section contains modified content of "/etc/sysconfig/httpd" #
+########################################################################
+# Configuration file for the ${PKI_INSTANCE_ID} service.
+
+#
+# The default processing model (MPM) is the process-based
+# 'prefork' model. A thread-based model, 'worker', is also
+# available, but does not work with some modules (such as PHP).
+# The service must be stopped before changing this variable.
+#
+PKI_HTTPD=${PKI_FORTITUDE_DIR}/sbin/httpd.worker
+export PKI_HTTPD
+
+#
+# To pass additional options (for instance, -D definitions) to the
+# httpd binary at startup, set PKI_OPTIONS here.
+#
+PKI_OPTIONS="-f ${PKI_HTTPD_CONF}"
+export PKI_OPTIONS
+
+#
+# By default, the httpd process is started in the C locale; to
+# change the locale in which the server runs, the PKI_HTTPD_LANG
+# variable can be set.
+#
+PKI_HTTPD_LANG=C
+export PKI_HTTPD_LANG
+########################################################################
+# #
+########################################################################
+
+# This will prevent initlog from swallowing up a pass-phrase prompt if
+# mod_ssl needs a pass-phrase from the user.
+PKI_INITLOG_ARGS=""
+export PKI_INITLOG_ARGS
+
+# Set PKI_HTTPD=/usr/sbin/httpd.worker in /etc/sysconfig/httpd to use a server
+# with the thread-based "worker" MPM; BE WARNED that some modules may not
+# work correctly with a thread-based MPM; notably PHP will refuse to start.
+
+# Path to the server binary and short-form for messages.
+httpd=${PKI_HTTPD}
+export httpd
+
+pki_logs_directory=${PKI_SERVER_ROOT}/logs
+export pki_logs_directory
+
+# see if httpd is linked with the openldap libraries - we need to override
+# their use of OpenSSL
+if [ ${OS} = "Linux" ]; then
+ hasopenldap=0
+
+ /usr/bin/ldd ${httpd} 2>&1 | grep libldap- > /dev/null 2>&1 && hasopenldap=1
+
+ if [ ${hasopenldap} -eq 1 ] ; then
+ LD_PRELOAD="${PKI_SYSTEM_USER_LIBRARIES}/libssl3.so:${LD_PRELOAD}"
+ export LD_PRELOAD
+ fi
+elif [ ${OS} = "SunOS" ]; then
+ LD_PRELOAD_64="${PKI_SYSTEM_USER_LIBRARIES}/dirsec/libssl3.so:${LD_PRELOAD_64}"
+ export LD_PRELOAD_64
+fi
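Review bot: The `${OS}` tests and the `${httpd}` argument to ldd in the OpenLDAP check are unquoted, so if OS is empty or unset when this registry is sourced, `[ = "Linux" ]` is a syntax error and the LD_PRELOAD override is silently skipped instead of failing loudly; they should read `if [ "${OS}" = "Linux" ]; then`, `elif [ "${OS}" = "SunOS" ]; then` and `/usr/bin/ldd "${httpd}" 2>&1 | grep libldap- > /dev/null 2>&1 && hasopenldap=1`. Nothing in this file sets OS, so a one-line comment such as `# OS is expected to be set by the script that sources this registry` would make the contract explicit. The comment above PKI_HTTPD says the default MPM is the process-based 'prefork' model while the value set is `httpd.worker`, and the later comment still refers to `/etc/sysconfig/httpd` rather than this file; both read as text carried over from the system sysconfig and should be reworded to describe the value actually configured here. The identical block earlier in this diff (the registry hunk ending just before the base/ra/setup/registry_instance header) has the same issues.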
diff --git a/base/tps/setup/registry_instance b/base/tps/setup/registry_instance
index cb1c4b344..a77b75f4f 100644
--- a/base/tps/setup/registry_instance
+++ b/base/tps/setup/registry_instance
@@ -1,8 +1,5 @@
# Establish PKI Variable "Slot" Substitutions
-PKI_FLAVOR=[PKI_FLAVOR]
-export PKI_FLAVOR
-
PKI_SUBSYSTEM_TYPE=[PKI_SUBSYSTEM_TYPE]
export PKI_SUBSYSTEM_TYPE
diff --git a/specs/pki-core.spec b/specs/pki-core.spec
index a38b90497..cd172a887 100644
--- a/specs/pki-core.spec
+++ b/specs/pki-core.spec
@@ -14,7 +14,7 @@ distutils.sysconfig import get_python_lib; print(get_python_lib(1))")}
Name: pki-core
Version: 10.0.0
-Release: %{?relprefix}15%{?prerel}%{?dist}
+Release: %{?relprefix}16%{?prerel}%{?dist}
Summary: Certificate System - PKI Core Components
URL: http://pki.fedoraproject.org/
License: GPLv2
@@ -364,11 +364,24 @@ Requires: resteasy >= 2.3.2-1
Requires: apache-commons-lang
Requires: apache-commons-logging
Requires: jss >= 4.2.6-24
+Requires(post): systemd-units
+Requires(preun): systemd-units
+Requires(postun): systemd-units
Requires: tomcatjss >= 6.0.2
%else
%if 0%{?fedora} >= 15
Requires: apache-commons-lang
Requires: apache-commons-logging
+Requires(post): chkconfig
+Requires(preun): chkconfig
+Requires(preun): initscripts
+Requires(postun): initscripts
+# Details:
+#
+# * https://fedoraproject.org/wiki/Features/var-run-tmpfs
+# * https://fedoraproject.org/wiki/Tmpfiles.d_packaging_draft
+#
+Requires: initscripts
Requires: jss >= 4.2.6-24
Requires: tomcatjss >= 6.0.0
%else
@@ -754,6 +767,11 @@ echo "D /var/lock/pki 0755 root root -" > %{buildroot}%{_sysconfdir}/tmpfi
echo "D /var/lock/pki/ocsp 0755 root root -" >> %{buildroot}%{_sysconfdir}/tmpfiles.d/pki-ocsp.conf
echo "D /var/run/pki 0755 root root -" >> %{buildroot}%{_sysconfdir}/tmpfiles.d/pki-ocsp.conf
echo "D /var/run/pki/ocsp 0755 root root -" >> %{buildroot}%{_sysconfdir}/tmpfiles.d/pki-ocsp.conf
+# generate 'pki-tomcat.conf' under the 'tmpfiles.d' directory
+echo "D /var/lock/pki 0755 root root -" > %{buildroot}%{_sysconfdir}/tmpfiles.d/pki-tomcat.conf
+echo "D /var/lock/pki/tomcat 0755 root root -" >> %{buildroot}%{_sysconfdir}/tmpfiles.d/pki-tomcat.conf
+echo "D /var/run/pki 0755 root root -" >> %{buildroot}%{_sysconfdir}/tmpfiles.d/pki-tomcat.conf
+echo "D /var/run/pki/tomcat 0755 root root -" >> %{buildroot}%{_sysconfdir}/tmpfiles.d/pki-tomcat.conf
# generate 'pki-tks.conf' under the 'tmpfiles.d' directory
echo "D /var/lock/pki 0755 root root -" > %{buildroot}%{_sysconfdir}/tmpfiles.d/pki-tks.conf
echo "D /var/lock/pki/tks 0755 root root -" >> %{buildroot}%{_sysconfdir}/tmpfiles.d/pki-tks.conf
@@ -771,13 +789,17 @@ echo "D /var/run/pki/tks 0755 root root -" >> %{buildroot}%{_sysconfdir}/tmpfil
%{__ln_s} -f %{_javadir}/pki/pki-jndi-realm.jar %{buildroot}%{_javadir}/tomcat6/pki-jndi-realm.jar
%else
%{__rm} %{buildroot}%{_bindir}/pkicontrol
+%{__rm} %{buildroot}%{_bindir}/pkidaemon
%{__rm} -rf %{buildroot}%{_sysconfdir}/systemd/system/pki-cad.target.wants
%{__rm} -rf %{buildroot}%{_sysconfdir}/systemd/system/pki-krad.target.wants
%{__rm} -rf %{buildroot}%{_sysconfdir}/systemd/system/pki-ocspd.target.wants
%{__rm} -rf %{buildroot}%{_sysconfdir}/systemd/system/pki-tksd.target.wants
+%{__rm} -rf %{buildroot}%{_sysconfdir}/systemd/system/pki-tomcatd.target.wants
%{__rm} -rf %{buildroot}%{_unitdir}
%endif
+%{__rm} -rf %{buildroot}%{_datadir}/pki/shared/lib
+
# tomcat6 has changed how TOMCAT_LOG is used.
# Need to adjust accordingly
# This macro will be executed in the postinstall scripts
@@ -1012,6 +1034,13 @@ fi
/bin/systemctl daemon-reload >/dev/null 2>&1 || :
%fix_tomcat_log tks
+
+## %post -n pki-common
+## NOTE: At this time, NO attempt has been made to update ANY PKI subsystem
+## from EITHER 'sysVinit' OR previous 'systemd' processes to the new
+## PKI deployment process
+
+
%preun -n pki-ca
if [ $1 = 0 ] ; then
/bin/systemctl --no-reload disable pki-cad.target > /dev/null 2>&1 || :
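Review bot: The pki-common package now ships `pki-tomcatd@.service` and `pki-tomcatd.target` (see the `%files -n pki-common` hunk later in this diff), but its `%post`, `%preun` and `%postun` scriptlets in this hunk and the two that follow are only commented-out placeholders, so installing, upgrading or removing pki-common never runs `/bin/systemctl daemon-reload` the way the per-subsystem packages do, and the `Requires(post)/(preun)/(postun): systemd-units` added earlier in the spec have no scriptlet to serve. At minimum a `%postun -n pki-common` containing `/bin/systemctl daemon-reload >/dev/null 2>&1 || :` under the same `%if 0%{?fedora} >= 16` guard that appears to enclose these scriptlets would keep systemd's view of the unit files in sync. If migration of existing instances is intentionally deferred, the placeholder should say so in a single comment rather than repeating the same bare `##` text in three places.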
@@ -1040,6 +1069,12 @@ if [ $1 = 0 ] ; then
fi
+## %preun -n pki-common
+## NOTE: At this time, NO attempt has been made to update ANY PKI subsystem
+## from EITHER 'sysVinit' OR previous 'systemd' processes to the new
+## PKI deployment process
+
+
%postun -n pki-ca
/bin/systemctl daemon-reload >/dev/null 2>&1 || :
if [ "$1" -ge "1" ] ; then
@@ -1066,6 +1101,12 @@ fi
if [ "$1" -ge "1" ] ; then
/bin/systemctl try-restart pki-tksd.target >/dev/null 2>&1 || :
fi
+
+
+## %postun -n pki-common
+## NOTE: At this time, NO attempt has been made to update ANY PKI subsystem
+## from EITHER 'sysVinit' OR previous 'systemd' processes to the new
+## PKI deployment process
%endif
%files -n pki-deploy
@@ -1094,11 +1135,13 @@ fi
%{_datadir}/pki/deployment/destroy/ra/
%{_datadir}/pki/deployment/destroy/tks/
%{_datadir}/pki/deployment/destroy/tps/
-#%dir %{_localstatedir}/lock/pki
-#%dir %{_localstatedir}/run/pki
-#%if 0%{?fedora} >= 16
-#%{_bindir}/pkicontrol
-#%endif
+%dir %{_datadir}/pki/scripts
+%{_datadir}/pki/scripts/operations
+%dir %{_localstatedir}/lock/pki
+%dir %{_localstatedir}/run/pki
+%if 0%{?fedora} >= 16
+%{_bindir}/pkidaemon
+%endif
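Review bot: `%dir %{_localstatedir}/lock/pki` and `%dir %{_localstatedir}/run/pki` are uncommented here and owned by pki-deploy, yet on the Fedora releases where `/var/run` and `/var/lock` are tmpfs (the wiki pages cited elsewhere in this spec) the payload directories disappear at reboot and only the tmpfiles.d entries recreate them; those entries are generated into the subsystem confs and into `pki-tomcat.conf` in pki-common, while pki-deploy ships none of its own. Unless pki-deploy depends on a package that provides one, a host with only pki-deploy installed would lose these directories after a reboot, so either a `pki-deploy.conf` tmpfiles.d entry or a comment stating which package is relied on for them would close the gap.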
%files -n pki-setup
@@ -1125,6 +1168,7 @@ fi
%{_jnidir}/symkey.jar
%{_libdir}/symkey/
+
%files -n pki-native-tools
%defattr(-,root,root,-)
%doc base/native-tools/LICENSE base/native-tools/doc/README
@@ -1186,9 +1230,15 @@ fi
%{_javadocdir}/pki-java-tools-%{version}/
%endif
+
%files -n pki-common
%defattr(-,root,root,-)
%doc base/common/LICENSE
+%if 0%{?fedora} >= 16
+%dir %{_sysconfdir}/systemd/system/pki-tomcatd.target.wants
+%{_unitdir}/pki-tomcatd@.service
+%{_unitdir}/pki-tomcatd.target
+%endif
%{_javadir}/pki/pki-certsrv-%{version}.jar
%{_javadir}/pki/pki-certsrv.jar
%{_javadir}/pki/pki-cms-%{version}.jar
@@ -1197,16 +1247,28 @@ fi
%{_javadir}/pki/pki-cmsbundle.jar
%{_javadir}/pki/pki-cmscore-%{version}.jar
%{_javadir}/pki/pki-cmscore.jar
+%dir %{_localstatedir}/lock/pki/tomcat
+%dir %{_localstatedir}/run/pki/tomcat
%if 0%{?fedora} >= 16
# Create symlink to the pki-jndi-realm jar
%{_javadir}/tomcat6/pki-jndi-realm.jar
%endif
+%if 0%{?fedora} >= 15
+# Details:
+#
+# * https://fedoraproject.org/wiki/Features/var-run-tmpfs
+# * https://fedoraproject.org/wiki/Tmpfiles.d_packaging_draft
+#
+%config(noreplace) %{_sysconfdir}/tmpfiles.d/pki-tomcat.conf
+%endif
%{_javadir}/pki/pki-jndi-realm-%{version}.jar
%{_javadir}/pki/pki-jndi-realm.jar
%{_datadir}/pki/setup/
+%dir %{_datadir}/pki/shared
+%{_datadir}/pki/shared/conf/
%if %{?_without_javadoc:0}%{!?_without_javadoc:1}
%files -n pki-common-javadoc
@@ -1214,6 +1276,7 @@ fi
%{_javadocdir}/pki-common-%{version}/
%endif
+
%files -n pki-selinux
%defattr(-,root,root,-)
%doc base/selinux/LICENSE
@@ -1349,6 +1412,12 @@ fi
%changelog
+* Fri May 18 2012 Matthew Harmsen <mharmsen@redhat.com> 10.0.0-0.16.a1
+- Integration of Tomcat 7
+- Addition of centralized 'pki-tomcatd' systemd functionality to the
+ PKI Deployment strategy
+- Removal of 'pki_flavor' attribute
+
* Mon Apr 16 2012 Ade Lee <alee@redhat.com> 10.0.0-0.15.a1
- BZ 813075 - selinux denial for file size access