authorMatthew Harmsen <mharmsen@redhat.com>2012-08-27 20:48:34 -0700
committerMatthew Harmsen <mharmsen@redhat.com>2012-08-29 10:08:36 -0700
commit48e68f928f72a782afa6ab165a026901efd53b22 (patch)
tree8389a515af32ef6bb020e573d8cd735439d9de21
parent4549370d8e38d91ca2d89404c6f62f7e6358f328 (diff)
downloadpki-48e68f928f72a782afa6ab165a026901efd53b22.tar.gz
pki-48e68f928f72a782afa6ab165a026901efd53b22.tar.xz
pki-48e68f928f72a782afa6ab165a026901efd53b22.zip
Verify symbolic links and update CS.cfg for Dogtag 10
* TRAC Ticket #301 - Need to modify init scripts to verify needed symlinks in an instance * TRAC Ticket #303 - Dogtag 10: CS.cfg parameters for Dogtag 9 instance running under Dogtag 10 packages . . .
-rw-r--r--base/deploy/scripts/operations413
-rw-r--r--base/deploy/src/scriptlets/pkiparser.py2
-rw-r--r--base/setup/scripts/functions415
3 files changed, 823 insertions, 7 deletions
diff --git a/base/deploy/scripts/operations b/base/deploy/scripts/operations
index 4f89c1a19..bb573fcaf 100644
--- a/base/deploy/scripts/operations
+++ b/base/deploy/scripts/operations
@@ -767,6 +767,412 @@ display_instance_status()
return $rv
}
+make_symlink()
+{
+ symlink="${1}"
+ target="${2}"
+ user="${3}"
+ group="${4}"
+
+ rv=0
+
+ echo "INFO: Attempting to create '${symlink}' -> '${target}' . . ."
+ # Check to make certain that the expected target exists.
+ #
+ # NOTE: The symbolic link does NOT exist at this point.
+ #
+ if [ -e ${target} ]; then
+ # Check that the expected target is fully resolvable!
+ if [ ! `readlink -qe ${target}` ]; then
+ # Issue an ERROR that the target to which the
+ # symbolic link is expected to point is NOT fully resolvable!
+ echo "ERROR: Failed making '${symlink}' -> '${target}'"\
+ "since target '${target}' is NOT fully resolvable!"
+ rv=1
+ else
+ # Attempt to create a symbolic link and 'chown' it.
+ ln -s ${target} ${symlink}
+ rv=$?
+ if [ $rv -eq 0 ]; then
+ # NOTE: Ignore 'chown' errors.
+ chown -h ${user}:${group} ${symlink}
+ echo "SUCCESS: Created '${symlink}' -> '${target}'"
+ else
+ echo "ERROR: Failed to create '${symlink}' -> '${target}'!"
+ rv=1
+ fi
+ fi
+ else
+ # Issue an ERROR that the target to which the
+ # symbolic link is expected to point does NOT exist.
+ echo "ERROR: Failed making '${symlink}' -> '${target}'"\
+ "since target '${target}' does NOT exist!"
+ rv=1
+ fi
+
+ return $rv
+}
+
+check_symlinks()
+{
+ # declare -p symlinks
+ path="${1}"
+ user="${2}"
+ group="${3}"
+
+ rv=0
+
+ # process key/value pairs (symlink/target) in the associative array
+ for key in "${!symlinks[@]}"
+ do
+ symlink="${path}/${key}"
+ target=${symlinks[${key}]}
+ if [ -e ${symlink} ]; then
+ if [ -h ${symlink} ]; then
+ current_target=`readlink ${symlink}`
+ # Verify that the current target to which the
+ # symlink points is the expected target
+ if [ ${current_target} == ${target} ]; then
+ # Check to make certain that the expected target exists.
+ if [ -e ${target} ]; then
+ # Check that the expected target is fully resolvable!
+ if [ ! `readlink -qe ${target}` ]; then
+ # Issue an ERROR that the target to which the
+ # symbolic link is expected to point is NOT
+ # fully resolvable!
+ echo "WARNING: Symbolic link '${symlink}'"\
+ "exists, but is a dangling symlink!"\
+ echo "ERROR: Unable to create"\
+ "'${symlink}' -> '${target}'"\
+ "since target '${target}' is NOT fully"\
+ "resolvable!"
+ rv=1
+ else
+ # ALWAYS run 'chown' on an existing '${symlink}'
+ # that points to a fully resolvable '${target}'
+ #
+ # NOTE: Ignore 'chown' errors.
+ #
+ chown -h ${user}:${group} ${symlink}
+ # echo "SUCCESS: '${symlink}' -> '${target}'"
+ fi
+ else
+ # Issue an ERROR that the target to which the
+ # symbolic link is expected to point does NOT exist.
+ echo "WARNING: Symbolic link '${symlink}'"\
+ "exists, but is a dangling symlink!"\
+ echo "ERROR: Unable to create"\
+ "'${symlink}' -> '${target}'"\
+ "since target '${target}' does NOT exist!"
+ rv=1
+ fi
+ else
+ # Attempt to remove this symbolic link and
+ # issue a WARNING that a new symbolic link is
+ # being created to point to the expected target
+ # rather than the current target to which it
+ # points.
+ echo "WARNING: Attempting to change symbolic link"\
+ "'${symlink}' to point to target '${target}'"\
+ "INSTEAD of current target '${current_target}'!"
+ rm ${symlink}
+ rv=$?
+ if [ $rv -ne 0 ]; then
+ echo "ERROR: Failed to remove"\
+ "'${symlink}' -> '${current_target}'!"
+ rv=1
+ else
+ echo "INFO: Removed"\
+ "'${symlink}' -> '${current_target}'!"
+ # Attempt to create the symbolic link and chown it.
+ make_symlink ${symlink} ${target} ${user} ${group}
+ rv=$?
+ fi
+ fi
+ elif [ -f ${symlink} ]; then
+ # Issue a WARNING that the administrator may have replaced
+ # the symbolic link with a file for debugging purposes.
+ echo "WARNING: '${symlink}' exists but is NOT a symbolic link!"
+ else
+ # Issue an ERROR that the symbolic link has been replaced
+ # by something unusable (such as a directory).
+ echo "ERROR: '${symlink}' exists but is NOT a symbolic link!"
+ rv=1
+ fi
+ else
+ # Issue a WARNING that this symbolic link does not exist.
+ echo "WARNING: Symbolic link '${symlink}' does NOT exist!"
+ # Attempt to create the symbolic link and chown it.
+ make_symlink ${symlink} ${target} ${user} ${group}
+ rv=$?
+ fi
+ done
+
+ return $rv
+}
+
+# Detect and correct any missing or incorrect symlinks.
+#
+# Use the following command to locate PKI 'instance' symlinks:
+#
+# find ${PKI_INSTANCE_PATH} -type l | sort | xargs file
+#
+verify_symlinks()
+{
+ # declare associative arrays
+ declare -A base_symlinks
+ declare -A root_symlinks
+ declare -A ca_symlinks
+ declare -A kra_symlinks
+ declare -A ocsp_symlinks
+ declare -A tks_symlinks
+ declare -A common_jar_symlinks
+ declare -A ca_jar_symlinks
+ declare -A kra_jar_symlinks
+ declare -A ocsp_jar_symlinks
+ declare -A tks_jar_symlinks
+ declare -A systemd_symlinks
+
+ # Dogtag 10 Conditional Variables
+ if [ ${ARCHITECTURE} == "x86_64" ]; then
+ jni_dir="/usr/lib64/java"
+ else
+ jni_dir="/usr/lib/java"
+ fi
+
+ # Dogtag 10 Symbolic Link Target Variables
+ java_dir="/usr/share/java"
+ pki_systemd_service="pki-${PKI_WEB_SERVER_TYPE}d@.service"
+ resteasy_java_dir="/usr/share/java/resteasy"
+ systemd_dir="/lib/systemd/system"
+
+ # Dogtag 10 Symbolic Link Variables
+ pki_common_jar_dir="${PKI_INSTANCE_PATH}/common/lib"
+ pki_registry_dir="/etc/sysconfig/pki/${PKI_WEB_SERVER_TYPE}/${PKI_INSTANCE_ID}"
+ pki_systemd_dir="/etc/systemd/system/pki-tomcatd.target.wants"
+ pki_systemd_link="pki-${PKI_WEB_SERVER_TYPE}d@${PKI_INSTANCE_ID}.service"
+ # FUTURE: "pki_<pki_subsystem>_webapps_jar_dir" directories
+ pki_ca_jar_dir="${pki_common_jar_dir}"
+ pki_kra_jar_dir="${pki_common_jar_dir}"
+ pki_ocsp_jar_dir="${pki_common_jar_dir}"
+ pki_tks_jar_dir="${pki_common_jar_dir}"
+
+ # '${PKI_INSTANCE_PATH}' symlinks
+ base_symlinks=(
+ [alias]=/etc/pki/${PKI_INSTANCE_ID}/alias
+ [bin]=/usr/share/tomcat/bin
+ [conf]=/etc/pki/${PKI_INSTANCE_ID}
+ [lib]=/usr/share/tomcat/lib
+ [logs]=/var/log/pki/${PKI_INSTANCE_ID})
+
+ # '${PKI_INSTANCE_PATH}' symlinks (root:root ownership)
+ root_symlinks[${PKI_INSTANCE_ID}]=/usr/sbin/tomcat-sysd
+
+ # '${PKI_INSTANCE_PATH}/ca' symlinks
+ ca_symlinks=(
+ [alias]=${PKI_INSTANCE_PATH}/alias
+ [conf]=/etc/pki/${PKI_INSTANCE_ID}/ca
+ [logs]=/var/log/pki/${PKI_INSTANCE_ID}/ca
+ [registry]=${pki_registry_dir}
+ [webapps]=${PKI_INSTANCE_PATH}/webapps)
+
+ # '${pki_ca_jar_dir}' symlinks
+ ca_jar_symlinks[pki-ca.jar]=/usr/share/java/pki/pki-ca.jar
+
+ # '${PKI_INSTANCE_PATH}/kra' symlinks
+ kra_symlinks=(
+ [alias]=${PKI_INSTANCE_PATH}/alias
+ [conf]=/etc/pki/${PKI_INSTANCE_ID}/kra
+ [logs]=/var/log/pki/${PKI_INSTANCE_ID}/kra
+ [registry]=${pki_registry_dir}
+ [webapps]=${PKI_INSTANCE_PATH}/webapps)
+
+ # '${pki_kra_jar_dir}' symlinks
+ kra_jar_symlinks[pki-kra.jar]=/usr/share/java/pki/pki-kra.jar
+
+ # '${PKI_INSTANCE_PATH}/ocsp' symlinks
+ ocsp_symlinks=(
+ [alias]=${PKI_INSTANCE_PATH}/alias
+ [conf]=/etc/pki/${PKI_INSTANCE_ID}/ocsp
+ [logs]=/var/log/pki/${PKI_INSTANCE_ID}/ocsp
+ [registry]=${pki_registry_dir}
+ [webapps]=${PKI_INSTANCE_PATH}/webapps)
+
+ # '${pki_ocsp_jar_dir}' symlinks
+ ocsp_jar_symlinks[pki-ocsp.jar]=/usr/share/java/pki/pki-ocsp.jar
+
+ # '${PKI_INSTANCE_PATH}/tks' symlinks
+ tks_symlinks=(
+ [alias]=${PKI_INSTANCE_PATH}/alias
+ [conf]=/etc/pki/${PKI_INSTANCE_ID}/tks
+ [logs]=/var/log/pki/${PKI_INSTANCE_ID}/tks
+ [registry]=${pki_registry_dir}
+ [webapps]=${PKI_INSTANCE_PATH}/webapps)
+
+ # '${pki_tks_jar_dir}' symlinks
+ tks_jar_symlinks[pki-tks.jar]=/usr/share/java/pki/pki-tks.jar
+
+ # '${pki_common_jar_dir}' symlinks
+ common_jar_symlinks=(
+ [apache-commons-codec.jar]=${java_dir}/commons-codec.jar
+ [apache-commons-collections.jar]=${java_dir}/apache-commons-collections.jar
+ [apache-commons-lang.jar]=${java_dir}/apache-commons-lang.jar
+ [apache-commons-logging.jar]=${java_dir}/apache-commons-logging.jar
+ [httpclient.jar]=${java_dir}/httpcomponents/httpclient.jar
+ [httpcore.jar]=${java_dir}/httpcomponents/httpcore.jar
+ [javassist.jar]=${java_dir}/javassist.jar
+ [jaxrs-api.jar]=${resteasy_java_dir}/jaxrs-api.jar
+ [jettison.jar]=${java_dir}/jettison.jar
+ [jss4.jar]=${jni_dir}/jss4.jar
+ [ldapjdk.jar]=${java_dir}/ldapjdk.jar
+ [pki-certsrv.jar]=/usr/share/java/pki/pki-certsrv.jar
+ [pki-cms.jar]=/usr/share/java/pki/pki-cms.jar
+ [pki-cmsbundle.jar]=/usr/share/java/pki/pki-cmsbundle.jar
+ [pki-cmscore.jar]=/usr/share/java/pki/pki-cmscore.jar
+ [pki-cmsutil.jar]=/usr/share/java/pki/pki-cmsutil.jar
+ [pki-nsutil.jar]=/usr/share/java/pki/pki-nsutil.jar
+ [resteasy-atom-provider.jar]=${resteasy_java_dir}/resteasy-atom-provider.jar
+ [resteasy-jaxb-provider.jar]=${resteasy_java_dir}/resteasy-jaxb-provider.jar
+ [resteasy-jaxrs.jar]=${resteasy_java_dir}/resteasy-jaxrs.jar
+ [resteasy-jettison-provider.jar]=${resteasy_java_dir}/resteasy-jettison-provider.jar
+ [scannotation.jar]=${java_dir}/scannotation.jar
+ [symkey.jar]=${jni_dir}/symkey.jar
+ [tomcatjss.jar]=${java_dir}/tomcat7jss.jar
+ [velocity.jar]=${java_dir}/velocity.jar
+ [xerces-j2.jar]=${java_dir}/xerces-j2.jar
+ [xml-commons-apis.jar]=${java_dir}/xml-commons-apis.jar
+ [xml-commons-resolver.jar]=${java_dir}/xml-commons-resolver.jar)
+
+ # '${pki_systemd_dir}' symlinks
+ systemd_symlinks[${pki_systemd_link}]=${systemd_dir}/${pki_systemd_service}
+
+ # Detect and correct 'Tomcat' symbolic links
+ #
+ # (1) convert the specified associative array into a string
+ # (2) create a new global 'symlinks' associative array from this
+ # specified string which will be used by the "check_symlinks()"
+ # subroutine
+ # (3) call "check_symlinks()" with the appropriate arguments to
+ # detect and correct this specified associative array;
+ # "check_symlinks()" returns 0 on success and 1 on failure
+ #
+ if [ ${PKI_WEB_SERVER_TYPE} == 'tomcat' ]; then
+ # Detect and correct 'base_symlinks'
+ base_symlinks_string=$(declare -p base_symlinks)
+ eval "declare -A symlinks=${base_symlinks_string#*=}"
+ check_symlinks ${PKI_INSTANCE_PATH} ${PKI_USER} ${PKI_GROUP}
+ rv=$?
+ if [ $rv -ne 0 ]; then
+ return $rv
+ fi
+
+ # Detect and correct 'root_symlinks'
+ root_symlinks_string=$(declare -p root_symlinks)
+ eval "declare -A symlinks=${root_symlinks_string#*=}"
+ check_symlinks ${PKI_INSTANCE_PATH} "root" "root"
+ rv=$?
+ if [ $rv -ne 0 ]; then
+ return $rv
+ fi
+
+ if [ -e ${PKI_INSTANCE_PATH}/ca ]; then
+ # Detect and correct 'ca_symlinks'
+ ca_symlinks_string=$(declare -p ca_symlinks)
+ eval "declare -A symlinks=${ca_symlinks_string#*=}"
+ check_symlinks ${PKI_INSTANCE_PATH}/ca ${PKI_USER} ${PKI_GROUP}
+ rv=$?
+ if [ $rv -ne 0 ]; then
+ return $rv
+ fi
+ # Detect and correct 'ca_jar_symlinks'
+ ca_jar_symlinks_string=$(declare -p ca_jar_symlinks)
+ eval "declare -A symlinks=${ca_jar_symlinks_string#*=}"
+ check_symlinks ${pki_ca_jar_dir} ${PKI_USER} ${PKI_GROUP}
+ rv=$?
+ if [ $rv -ne 0 ]; then
+ return $rv
+ fi
+ fi
+
+ if [ -e ${PKI_INSTANCE_PATH}/kra ]; then
+ # Detect and correct 'kra_symlinks'
+ kra_symlinks_string=$(declare -p kra_symlinks)
+ eval "declare -A symlinks=${kra_symlinks_string#*=}"
+ check_symlinks ${PKI_INSTANCE_PATH}/kra ${PKI_USER} ${PKI_GROUP}
+ rv=$?
+ if [ $rv -ne 0 ]; then
+ return $rv
+ fi
+ # Detect and correct 'kra_jar_symlinks'
+ kra_jar_symlinks_string=$(declare -p kra_jar_symlinks)
+ eval "declare -A symlinks=${kra_jar_symlinks_string#*=}"
+ check_symlinks ${pki_kra_jar_dir} ${PKI_USER} ${PKI_GROUP}
+ rv=$?
+ if [ $rv -ne 0 ]; then
+ return $rv
+ fi
+ fi
+
+ if [ -e ${PKI_INSTANCE_PATH}/ocsp ]; then
+ # Detect and correct 'ocsp_symlinks'
+ ocsp_symlinks_string=$(declare -p ocsp_symlinks)
+ eval "declare -A symlinks=${ocsp_symlinks_string#*=}"
+ check_symlinks ${PKI_INSTANCE_PATH}/ocsp ${PKI_USER} ${PKI_GROUP}
+ rv=$?
+ if [ $rv -ne 0 ]; then
+ return $rv
+ fi
+ # Detect and correct 'ocsp_jar_symlinks'
+ ocsp_jar_symlinks_string=$(declare -p ocsp_jar_symlinks)
+ eval "declare -A symlinks=${ocsp_jar_symlinks_string#*=}"
+ check_symlinks ${pki_ocsp_jar_dir} ${PKI_USER} ${PKI_GROUP}
+ rv=$?
+ if [ $rv -ne 0 ]; then
+ return $rv
+ fi
+ fi
+
+ if [ -e ${PKI_INSTANCE_PATH}/tks ]; then
+ # Detect and correct 'tks_symlinks'
+ tks_symlinks_string=$(declare -p tks_symlinks)
+ eval "declare -A symlinks=${tks_symlinks_string#*=}"
+ check_symlinks ${PKI_INSTANCE_PATH}/tks ${PKI_USER} ${PKI_GROUP}
+ rv=$?
+ if [ $rv -ne 0 ]; then
+ return $rv
+ fi
+ # Detect and correct 'tks_jar_symlinks'
+ tks_jar_symlinks_string=$(declare -p tks_jar_symlinks)
+ eval "declare -A symlinks=${tks_jar_symlinks_string#*=}"
+ check_symlinks ${pki_tks_jar_dir} ${PKI_USER} ${PKI_GROUP}
+ rv=$?
+ if [ $rv -ne 0 ]; then
+ return $rv
+ fi
+ fi
+
+ # Detect and correct 'common_jar_symlinks'
+ common_jar_symlinks_string=$(declare -p common_jar_symlinks)
+ eval "declare -A symlinks=${common_jar_symlinks_string#*=}"
+ check_symlinks ${pki_common_jar_dir} ${PKI_USER} ${PKI_GROUP}
+ rv=$?
+ if [ $rv -ne 0 ]; then
+ return $rv
+ fi
+
+ # Detect and correct 'systemd_symlinks'
+ systemd_symlinks_string=$(declare -p systemd_symlinks)
+ eval "declare -A symlinks=${systemd_symlinks_string#*=}"
+ check_symlinks ${pki_systemd_dir} ${PKI_USER} ${PKI_GROUP}
+ rv=$?
+ if [ $rv -ne 0 ]; then
+ return $rv
+ fi
+ fi
+
+ return 0
+}
+
start_instance()
{
rv=0
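Review bot: `check_symlinks` can lose failures, because `rv` is reassigned with `rv=$?` after the `rm` and after each `make_symlink` call, so an error recorded for one key is overwritten when a later key succeeds. Associative-array iteration order is unspecified, so whether `verify_symlinks` (and through it `start_instance`) sees the failure can differ between runs. Accumulate instead, e.g. `make_symlink "${symlink}" "${target}" "${user}" "${group}" || rv=1`. In the two dangling-symlink branches the WARNING `echo` ends with a trailing `\`, which joins the following `echo "ERROR: ..."` onto it as arguments, so the error text is printed as part of the warning line; that backslash should be dropped. Both problems are repeated in the copies of these functions added to base/setup/scripts/functions.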
@@ -775,6 +1181,13 @@ start_instance()
rm -f ${RESTART_SERVER}
fi
+ # Verify symbolic links (detecting and correcting them if possible)
+ verify_symlinks
+ rv=$?
+ if [ $rv -ne 0 ] ; then
+ return $rv
+ fi
+
# Invoke the initscript for this instance
case $PKI_WEB_SERVER_TYPE in
tomcat)
diff --git a/base/deploy/src/scriptlets/pkiparser.py b/base/deploy/src/scriptlets/pkiparser.py
index 1fe74e835..4b6128440 100644
--- a/base/deploy/src/scriptlets/pkiparser.py
+++ b/base/deploy/src/scriptlets/pkiparser.py
@@ -69,7 +69,7 @@ def process_command_line_arguments(argv):
mandatory.add_argument('-i',
dest='pki_deployed_instance_name',
action='store',
- nargs=1, metavar='<instance>',
+ nargs=1, required=True, metavar='<instance>',
help='FORMAT: ${pki_instance_name}'
'[.${pki_admin_domain_name}]')
# Establish 'Optional' command-line options
diff --git a/base/setup/scripts/functions b/base/setup/scripts/functions
index a4318efae..20e5dcdff 100644
--- a/base/setup/scripts/functions
+++ b/base/setup/scripts/functions
@@ -1,7 +1,7 @@
#!/bin/bash
# From "http://fedoraproject.org/wiki/FCNewInit/Initscripts":
-#
+#
# Status Exit Codes
#
# 0 program is running or service is OK
@@ -203,7 +203,7 @@ if [ $SYSTEMD ]; then
exit 4
fi
fi
-else
+else
if [ $# -lt 1 ] ; then
# 3 unimplemented feature (for example, "reload")
# [insufficient arguments]
@@ -738,6 +738,395 @@ display_instance_status()
return $rv
}
+make_symlink()
+{
+ symlink="${1}"
+ target="${2}"
+ user="${3}"
+ group="${4}"
+
+ rv=0
+
+ echo "INFO: Attempting to create '${symlink}' -> '${target}' . . ."
+ # Check to make certain that the expected target exists.
+ #
+ # NOTE: The symbolic link does NOT exist at this point.
+ #
+ if [ -e ${target} ]; then
+ # Check that the expected target is fully resolvable!
+ if [ ! `readlink -qe ${target}` ]; then
+ # Issue an ERROR that the target to which the
+ # symbolic link is expected to point is NOT fully resolvable!
+ echo "ERROR: Failed making '${symlink}' -> '${target}'"\
+ "since target '${target}' is NOT fully resolvable!"
+ rv=1
+ else
+ # Attempt to create a symbolic link and 'chown' it.
+ ln -s ${target} ${symlink}
+ rv=$?
+ if [ $rv -eq 0 ]; then
+ # NOTE: Ignore 'chown' errors.
+ chown -h ${user}:${group} ${symlink}
+ echo "SUCCESS: Created '${symlink}' -> '${target}'"
+ else
+ echo "ERROR: Failed to create '${symlink}' -> '${target}'!"
+ rv=1
+ fi
+ fi
+ else
+ # Issue an ERROR that the target to which the
+ # symbolic link is expected to point does NOT exist.
+ echo "ERROR: Failed making '${symlink}' -> '${target}'"\
+ "since target '${target}' does NOT exist!"
+ rv=1
+ fi
+
+ return $rv
+}
+
+check_symlinks()
+{
+ # declare -p symlinks
+ path="${1}"
+ user="${2}"
+ group="${3}"
+
+ rv=0
+
+ # process key/value pairs (symlink/target) in the associative array
+ for key in "${!symlinks[@]}"
+ do
+ symlink="${path}/${key}"
+ target=${symlinks[${key}]}
+ if [ -e ${symlink} ]; then
+ if [ -h ${symlink} ]; then
+ current_target=`readlink ${symlink}`
+ # Verify that the current target to which the
+ # symlink points is the expected target
+ if [ ${current_target} == ${target} ]; then
+ # Check to make certain that the expected target exists.
+ if [ -e ${target} ]; then
+ # Check that the expected target is fully resolvable!
+ if [ ! `readlink -qe ${target}` ]; then
+ # Issue an ERROR that the target to which the
+ # symbolic link is expected to point is NOT
+ # fully resolvable!
+ echo "WARNING: Symbolic link '${symlink}'"\
+ "exists, but is a dangling symlink!"\
+ echo "ERROR: Unable to create"\
+ "'${symlink}' -> '${target}'"\
+ "since target '${target}' is NOT fully"\
+ "resolvable!"
+ rv=1
+ else
+ # ALWAYS run 'chown' on an existing '${symlink}'
+ # that points to a fully resolvable '${target}'
+ #
+ # NOTE: Ignore 'chown' errors.
+ #
+ chown -h ${user}:${group} ${symlink}
+ # echo "SUCCESS: '${symlink}' -> '${target}'"
+ fi
+ else
+ # Issue an ERROR that the target to which the
+ # symbolic link is expected to point does NOT exist.
+ echo "WARNING: Symbolic link '${symlink}'"\
+ "exists, but is a dangling symlink!"\
+ echo "ERROR: Unable to create"\
+ "'${symlink}' -> '${target}'"\
+ "since target '${target}' does NOT exist!"
+ rv=1
+ fi
+ else
+ # Attempt to remove this symbolic link and
+ # issue a WARNING that a new symbolic link is
+ # being created to point to the expected target
+ # rather than the current target to which it
+ # points.
+ echo "WARNING: Attempting to change symbolic link"\
+ "'${symlink}' to point to target '${target}'"\
+ "INSTEAD of current target '${current_target}'!"
+ rm ${symlink}
+ rv=$?
+ if [ $rv -ne 0 ]; then
+ echo "ERROR: Failed to remove"\
+ "'${symlink}' -> '${current_target}'!"
+ rv=1
+ else
+ echo "INFO: Removed"\
+ "'${symlink}' -> '${current_target}'!"
+ # Attempt to create the symbolic link and chown it.
+ make_symlink ${symlink} ${target} ${user} ${group}
+ rv=$?
+ fi
+ fi
+ elif [ -f ${symlink} ]; then
+ # Issue a WARNING that the administrator may have replaced
+ # the symbolic link with a file for debugging purposes.
+ echo "WARNING: '${symlink}' exists but is NOT a symbolic link!"
+ else
+ # Issue an ERROR that the symbolic link has been replaced
+ # by something unusable (such as a directory).
+ echo "ERROR: '${symlink}' exists but is NOT a symbolic link!"
+ rv=1
+ fi
+ else
+ # Issue a WARNING that this symbolic link does not exist.
+ echo "WARNING: Symbolic link '${symlink}' does NOT exist!"
+ # Attempt to create the symbolic link and chown it.
+ make_symlink ${symlink} ${target} ${user} ${group}
+ rv=$?
+ fi
+ done
+
+ return $rv
+}
+
+# Detect and correct any missing or incorrect symlinks.
+#
+# Use the following command to locate PKI 'instance' symlinks:
+#
+# find ${PKI_INSTANCE_PATH} -type l | sort | xargs file
+#
+verify_symlinks()
+{
+ declare -A apache_symlinks
+ declare -A perl_symlinks
+ declare -A base_symlinks
+ declare -A root_symlinks
+ declare -A common_jar_symlinks
+ declare -A webapps_jar_symlinks
+ declare -A systemd_symlinks
+
+ # Dogtag 9 Conditional Variables
+ if [ ${ARCHITECTURE} == "x86_64" ]; then
+ jni_dir="/usr/lib64/java"
+ else
+ jni_dir="/usr/lib/java"
+ fi
+ if [ ${PKI_SUBSYSTEM_TYPE} == "ca" ]; then
+ pki_systemd_link="pki-cad@${PKI_INSTANCE_ID}.service"
+ pki_systemd_service="pki-cad@.service"
+ elif [ ${PKI_SUBSYSTEM_TYPE} == "kra" ]; then
+ pki_systemd_link="pki-krad@${PKI_INSTANCE_ID}.service"
+ pki_systemd_service="pki-krad@.service"
+ elif [ ${PKI_SUBSYSTEM_TYPE} == "ocsp" ]; then
+ pki_systemd_link="pki-ocspd@${PKI_INSTANCE_ID}.service"
+ pki_systemd_service="pki-ocspd@.service"
+ elif [ ${PKI_SUBSYSTEM_TYPE} == "ra" ]; then
+ pki_systemd_link="pki-rad@${PKI_INSTANCE_ID}.service"
+ pki_systemd_service="pki-rad@.service"
+ elif [ ${PKI_SUBSYSTEM_TYPE} == "tks" ]; then
+ pki_systemd_link="pki-tksd@${PKI_INSTANCE_ID}.service"
+ pki_systemd_service="pki-tksd@.service"
+ elif [ ${PKI_SUBSYSTEM_TYPE} == "tps" ]; then
+ pki_systemd_link="pki-tpsd@${PKI_INSTANCE_ID}.service"
+ pki_systemd_service="pki-tpsd@.service"
+ fi
+
+ # Dogtag 9 Symbolic Link Target Variables
+ systemd_dir="/lib/systemd/system"
+
+ # Dogtag 9 Symbolic Link Variables
+ pki_common_jar_dir="${PKI_INSTANCE_PATH}/common/lib"
+ # pki_registry_dir="/etc/sysconfig/pki/${PKI_SUBSYSTEM_TYPE}/${PKI_INSTANCE_ID}"
+ pki_systemd_dir="/etc/systemd/system/pki-cad.target.wants"
+ pki_webapps_jar_dir="${PKI_INSTANCE_PATH}/webapps/${PKI_SUBSYSTEM_TYPE}/WEB-INF/lib"
+
+ # '${PKI_INSTANCE_PATH}' symlinks
+ apache_symlinks=(
+ [conf]=/etc/${PKI_INSTANCE_ID}
+ [logs]=/var/log/${PKI_INSTANCE_ID}
+ [run]=/var/run/pki/${PKI_SUBSYSTEM_TYPE})
+
+ base_symlinks=(
+ [conf]=/etc/${PKI_INSTANCE_ID}
+ [logs]=/var/log/${PKI_INSTANCE_ID})
+
+ # '${PKI_INSTANCE_PATH}' symlinks (root:root ownership)
+ root_symlinks[${PKI_INSTANCE_ID}]=/usr/sbin/tomcat6-sysd
+
+ # '${PKI_INSTANCE_PATH}/lib' symlinks
+ perl_symlinks[perl]=/usr/share/pki/${PKI_SUBSYSTEM_TYPE}/lib/perl
+
+ # '${pki_common_jar_dir}' symlinks
+ common_jar_symlinks=(
+ [apache-commons-logging.jar]=/usr/share/java/apache-commons-logging.jar
+ [jss4.jar]=${jni_dir}/jss4.jar
+ [tomcatjss.jar]=/usr/share/java/tomcatjss.jar
+ # Dogtag 9 -> Dogtag 10
+ [apache-commons-codec.jar]=/usr/share/java/commons-codec.jar)
+
+ # '${pki_webapps_jar_dir}' symlinks
+ webapps_jar_symlinks=(
+ [apache-commons-collections.jar]=/usr/share/java/apache-commons-collections.jar
+ [apache-commons-lang.jar]=/usr/share/java/apache-commons-lang.jar
+ [ldapjdk.jar]=/usr/share/java/ldapjdk.jar
+ # [osutil.jar]=${jni_dir}/osutil.jar
+ [${PKI_INSTANCE_ID}.jar]=/usr/share/java/pki/${PKI_INSTANCE_ID}.jar
+ [pki-certsrv.jar]=/usr/share/java/pki/pki-certsrv.jar
+ [pki-cms.jar]=/usr/share/java/pki/pki-cms.jar
+ [pki-cmsbundle.jar]=/usr/share/java/pki/pki-cmsbundle.jar
+ [pki-cmscore.jar]=/usr/share/java/pki/pki-cmscore.jar
+ [pki-cmsutil.jar]=/usr/share/java/pki/pki-cmsutil.jar
+ [pki-nsutil.jar]=/usr/share/java/pki/pki-nsutil.jar
+ [symkey.jar]=${jni_dir}/symkey.jar
+ [velocity.jar]=/usr/share/java/velocity.jar
+ [xerces-j2.jar]=/usr/share/java/xerces-j2.jar
+ [xml-commons-apis.jar]=/usr/share/java/xml-commons-apis.jar
+ [xml-commons-resolver.jar]=/usr/share/java/xml-commons-resolver.jar)
+
+ # '${pki_systemd_dir}' symlinks
+ systemd_symlinks[${pki_systemd_link}]=${systemd_dir}/${pki_systemd_service}
+
+ # Detect and correct PKI subsystem 'instance' symbolic links
+ #
+ # (1) convert the specified associative array into a string
+ # (2) create a new global 'symlinks' associative array from this
+ # specified string which will be used by the "check_symlinks()"
+ # subroutine
+ # (3) call "check_symlinks()" with the appropriate arguments to
+ # detect and correct this specified associative array;
+ # "check_symlinks()" returns 0 on success and 1 on failure
+ #
+ if [ "${PKI_SUBSYSTEM_TYPE}" == "ra" ] ||
+ [ "${PKI_SUBSYSTEM_TYPE}" == "tps" ]
+ then
+ # Detect and correct 'apache_symlinks'
+ apache_symlinks_string=$(declare -p apache_symlinks)
+ eval "declare -A symlinks=${apache_symlinks_string#*=}"
+ check_symlinks ${PKI_INSTANCE_PATH} ${PKI_USER} ${PKI_GROUP}
+ rv=$?
+ if [ $rv -ne 0 ]; then
+ return $rv
+ fi
+
+ # Detect and correct 'perl_symlinks'
+ perl_symlinks_string=$(declare -p perl_symlinks)
+ eval "declare -A symlinks=${perl_symlinks_string#*=}"
+ check_symlinks ${PKI_INSTANCE_PATH}/lib ${PKI_USER} ${PKI_GROUP}
+ rv=$?
+ if [ $rv -ne 0 ]; then
+ return $rv
+ fi
+
+ if [ "${PKI_SUBSYSTEM_TYPE}" == "tps" ]; then
+ # ALWAYS recreate this "convenience" link and 'chown' it
+ # NOTE: Ignore 'chown' errors.
+ cd ${PKI_INSTANCE_PATH}/docroot ;
+ ln -s tokendb tus ;
+ rv=$?
+ if [ $rv -eq 0 ]; then
+ chown -h ${PKI_USER}:${PKI_GROUP} tus
+ # echo "SUCCESS: Created 'tus' -> 'tokendb'"
+ else
+ echo "ERROR: Failed to create 'tus' -> 'tokendb' convenience"
+ echo " symbolic link for '${PKI_INSTANCE_ID}'!"
+ return 1
+ fi
+ fi
+ elif [ "${PKI_SUBSYSTEM_TYPE}" == "ca" ] ||
+ [ "${PKI_SUBSYSTEM_TYPE}" == "kra" ] ||
+ [ "${PKI_SUBSYSTEM_TYPE}" == "ocsp" ] ||
+ [ "${PKI_SUBSYSTEM_TYPE}" == "tks" ]
+ then
+ # Detect and correct 'base_symlinks'
+ base_symlinks_string=$(declare -p base_symlinks)
+ eval "declare -A symlinks=${base_symlinks_string#*=}"
+ check_symlinks ${PKI_INSTANCE_PATH} ${PKI_USER} ${PKI_GROUP}
+ rv=$?
+ if [ $rv -ne 0 ]; then
+ return $rv
+ fi
+
+ # Detect and correct 'root_symlinks'
+ root_symlinks_string=$(declare -p root_symlinks)
+ eval "declare -A symlinks=${root_symlinks_string#*=}"
+ check_symlinks ${PKI_INSTANCE_PATH} "root" "root"
+ rv=$?
+ if [ $rv -ne 0 ]; then
+ return $rv
+ fi
+
+ # Detect and correct 'common_jar_symlinks'
+ common_jar_symlinks_string=$(declare -p common_jar_symlinks)
+ eval "declare -A symlinks=${common_jar_symlinks_string#*=}"
+ check_symlinks ${pki_common_jar_dir} ${PKI_USER} ${PKI_GROUP}
+ rv=$?
+ if [ $rv -ne 0 ]; then
+ return $rv
+ fi
+
+ # Detect and correct 'webapps_jar_symlinks'
+ webapps_jar_symlinks_string=$(declare -p webapps_jar_symlinks)
+ eval "declare -A symlinks=${webapps_jar_symlinks_string#*=}"
+ check_symlinks ${pki_webapps_jar_dir} ${PKI_USER} ${PKI_GROUP}
+ rv=$?
+ if [ $rv -ne 0 ]; then
+ return $rv
+ fi
+
+ # Detect and correct 'systemd_symlinks'
+ systemd_symlinks_string=$(declare -p systemd_symlinks)
+ eval "declare -A symlinks=${systemd_symlinks_string#*=}"
+ check_symlinks ${pki_systemd_dir} ${PKI_USER} ${PKI_GROUP}
+ rv=$?
+ if [ $rv -ne 0 ]; then
+ return $rv
+ fi
+ fi
+
+ return 0
+}
+
+# NOTE: This code will NOT be executed if the file called
+# '${PKI_INSTANCE_PATH}/conf/DOGTAG_10_UPDATE_MARKER' exists!
+update_cs_cfg_for_dogtag_10()
+{
+ # declare a simple array (to maintain specified parameter order)
+ # and specify Dogtag 10 'CS.cfg' specific parameters (CA specific)
+ declare -a dogtag_10_cs_cfg_parameters=(
+ processor.caDoRevoke.authorityId=ca
+ processor.caDoRevoke.authzMgr=BasicAclAuthz
+ processor.caDoRevoke.authzResourceName=certServer.ee.certificates
+ processor.caDoRevoke.getClientCert=false
+ processor.caDoRevoke-agent.authMgr=certUserDBAuthMgr
+ processor.caDoRevoke-agent.authorityId=ca
+ processor.caDoRevoke-agent.authzMgr=BasicAclAuthz
+ processor.caDoRevoke-agent.authzResourceName=certServer.ca.certificates
+ processor.caDoRevoke-agent.getClientCert=true
+ processor.caDoUnrevoke.authMgr=certUserDBAuthMgr
+ processor.caDoUnrevoke.authorityId=ca
+ processor.caDoUnrevoke.authzMgr=BasicAclAuthz
+ processor.caDoUnrevoke.authzResourceName=certServer.ca.certificate
+ processor.caDoUnrevoke.getClientCert=true
+ processor.caProfileProcess.authMgr=certUserDBAuthMgr
+ processor.caProfileProcess.authorityId=ca
+ processor.caProfileProcess.authzMgr=BasicAclAuthz
+ processor.caProfileProcess.authzResourceName=certServer.ca.request.profile
+ processor.caProfileProcess.getClientCert=true
+ processor.caProfileSubmit.authorityId=ca
+ processor.caProfileSubmit.authzMgr=BasicAclAuthz
+ processor.caProfileSubmit.authzResourceName=certServer.ee.profile
+ processor.caProfileSubmit.getClientCert=false)
+
+ # Append ANY missing Dogtag 10 CFG parameter to the end of the 'CS.cfg'
+ for key in "${!dogtag_10_cs_cfg_parameters[@]}"
+ do
+ line="${dogtag_10_cs_cfg_parameters[${key}]}"
+ grep -q ${line} ${pki_instance_configuration_file}
+ rv=$?
+ if [ ${rv} -ne 0 ] ; then
+ echo "INFO: Appending '${line}' to"\
+ "'${pki_instance_configuration_file}'"
+ echo ${line} >> ${pki_instance_configuration_file}
+ fi
+ done
+
+ # Create a MARKER to indicate that this update has been completed
+ touch ${PKI_INSTANCE_PATH}/conf/DOGTAG_10_UPDATE_MARKER
+}
+
start_instance()
{
rv=0
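Review bot: In `update_cs_cfg_for_dogtag_10`, `grep -q ${line} ${pki_instance_configuration_file}` searches for the whole `key=value` string as an unanchored regular expression, so a CA whose CS.cfg already sets one of these keys to a different value (say `processor.caDoRevoke.getClientCert=true`) gets a second, conflicting entry appended. These are authentication and authorization settings, and which duplicate takes effect depends on how CS.cfg is parsed, which is not visible in this hunk. I would test for the key only, e.g. `grep -q "^${line%%=*}=" "${pki_instance_configuration_file}"`, and quote the append as `echo "${line}" >> "${pki_instance_configuration_file}"`. The marker file is also touched unconditionally, so a failed append is never retried on the next start; `touch` should run only when every append succeeded.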
@@ -746,11 +1135,25 @@ start_instance()
rm -f ${RESTART_SERVER}
fi
+ # Verify symbolic links (detecting and correcting them if possible)
+ verify_symlinks
+ rv=$?
+ if [ $rv -ne 0 ] ; then
+ return $rv
+ fi
+
# Invoke the initscript for this instance
case $PKI_SUBSYSTEM_TYPE in
ca|kra|ocsp|tks)
- # We must export the service name so that the systemd version
+ # If required, update 'CS.cfg' from Dogtag 9 -> Dogtag 10
+ if [ ${PKI_SUBSYSTEM_TYPE} == "ca" ] &&
+ [ ! -e ${PKI_INSTANCE_PATH}/conf/DOGTAG_10_UPDATE_MARKER ]
+ then
+ update_cs_cfg_for_dogtag_10
+ fi
+
+ # We must export the service name so that the systemd version
# of the tomcat6 init script knows which instance specific
# configuration file to source.
export SERVICE_NAME=$PKI_INSTANCE_ID
@@ -760,7 +1163,7 @@ start_instance()
$PKI_INSTANCE_INITSCRIPT start
rv=$?
else
- $PKI_INSTANCE_INITSCRIPT start
+ $PKI_INSTANCE_INITSCRIPT start
rv=$?
fi
;;
@@ -1065,9 +1468,9 @@ registry_status()
case $PKI_SUBSYSTEM_TYPE in
ca|kra|ocsp|tks)
- if [ $SYSTEMD ]; then
+ if [ $SYSTEMD ]; then
display_instance_status_systemd
- else
+ else
display_instance_status
fi
rv=$?