authorjdennis <jdennis@c9f7a03b-bd48-0410-a16d-cbbf54688b0b>2010-11-19 21:00:40 +0000
committerjdennis <jdennis@c9f7a03b-bd48-0410-a16d-cbbf54688b0b>2010-11-19 21:00:40 +0000
commit2ab4b4058a240143e513db050bbf4170e9115ef1 (patch)
treea00195c6f63f11ee5e2fd9c4fc5f3c216ef7ace2
parente73bde97720375973af57a29c5dd62aaec6342f2 (diff)
Merge CA changes into KRA, OCSP & TKS
git-svn-id: svn+ssh://svn.fedorahosted.org/svn/pki/trunk@1575 c9f7a03b-bd48-0410-a16d-cbbf54688b0b
-rw-r--r--pki/base/ca/setup/registry_instance6
-rw-r--r--pki/base/ca/shared/conf/catalina.policy6
-rw-r--r--pki/base/ca/shared/conf/catalina.properties6
-rw-r--r--pki/base/ca/shared/conf/context.xml5
-rw-r--r--pki/base/ca/shared/conf/logging.properties6
-rw-r--r--pki/base/ca/shared/conf/server.xml5
-rw-r--r--pki/base/ca/shared/conf/tomcat-users.xml5
-rwxr-xr-xpki/base/ca/shared/etc/init.d/pki-cad32
-rw-r--r--pki/base/common/scripts/functions150
-rwxr-xr-xpki/base/common/scripts/pki_apache_initscript248
-rw-r--r--pki/base/kra/build.xml14
-rw-r--r--pki/base/kra/setup/registry_instance54
-rw-r--r--pki/base/kra/shared/conf/catalina.policy123
-rw-r--r--pki/base/kra/shared/conf/catalina.properties29
-rw-r--r--pki/base/kra/shared/conf/context.xml30
-rwxr-xr-xpki/base/kra/shared/conf/dtomcat5476
-rw-r--r--pki/base/kra/shared/conf/logging.properties70
-rw-r--r--pki/base/kra/shared/conf/server.xml532
-rw-r--r--pki/base/kra/shared/conf/tomcat-users.xml38
-rw-r--r--pki/base/kra/shared/conf/tomcat5.conf74
-rw-r--r--pki/base/kra/shared/conf/tomcat6.conf55
-rwxr-xr-xpki/base/kra/shared/etc/init.d/pki-krad1832
-rw-r--r--pki/base/ocsp/build.xml14
-rw-r--r--pki/base/ocsp/setup/registry_instance54
-rw-r--r--pki/base/ocsp/shared/conf/catalina.policy123
-rw-r--r--pki/base/ocsp/shared/conf/catalina.properties26
-rw-r--r--pki/base/ocsp/shared/conf/context.xml28
-rwxr-xr-xpki/base/ocsp/shared/conf/dtomcat5476
-rw-r--r--pki/base/ocsp/shared/conf/logging.properties70
-rw-r--r--pki/base/ocsp/shared/conf/server.xml532
-rw-r--r--pki/base/ocsp/shared/conf/tomcat-users.xml36
-rw-r--r--pki/base/ocsp/shared/conf/tomcat5.conf81
-rw-r--r--pki/base/ocsp/shared/conf/tomcat6.conf55
-rwxr-xr-xpki/base/ocsp/shared/etc/init.d/pki-ocspd1832
-rwxr-xr-xpki/base/ra/apache/apachectl184
-rw-r--r--pki/base/ra/apache/conf/httpd.conf14
-rw-r--r--pki/base/ra/apache/conf/nss.conf4
-rw-r--r--pki/base/ra/build.xml14
-rw-r--r--pki/base/ra/doc/CS.cfg22
-rwxr-xr-xpki/base/ra/etc/init.d/pki-rad1414
-rw-r--r--pki/base/ra/setup/config.desktop2
-rw-r--r--pki/base/ra/setup/registry_instance117
-rwxr-xr-xpki/base/setup/pkicommon90
-rwxr-xr-xpki/base/setup/pkicreate127
-rwxr-xr-xpki/base/setup/pkiremove101
-rw-r--r--pki/base/tks/build.xml14
-rw-r--r--pki/base/tks/setup/registry_instance54
-rw-r--r--pki/base/tks/shared/conf/catalina.policy123
-rw-r--r--pki/base/tks/shared/conf/catalina.properties26
-rw-r--r--pki/base/tks/shared/conf/context.xml28
-rwxr-xr-xpki/base/tks/shared/conf/dtomcat5476
-rw-r--r--pki/base/tks/shared/conf/logging.properties70
-rw-r--r--pki/base/tks/shared/conf/server.xml532
-rw-r--r--pki/base/tks/shared/conf/tomcat-users.xml36
-rw-r--r--pki/base/tks/shared/conf/tomcat5.conf80
-rwxr-xr-xpki/base/tks/shared/etc/init.d/pki-tksd1832
-rw-r--r--pki/base/tps/Makefile.am2
-rw-r--r--pki/base/tps/Makefile.in2
-rwxr-xr-xpki/base/tps/apache/apachectl189
-rw-r--r--pki/base/tps/apache/conf/httpd.conf14
-rw-r--r--pki/base/tps/apache/conf/nss.conf4
-rw-r--r--pki/base/tps/build.xml14
-rw-r--r--pki/base/tps/doc/CS.cfg28
-rwxr-xr-xpki/base/tps/etc/init.d/pki-tpsd1462
-rw-r--r--pki/base/tps/setup/config.desktop2
-rw-r--r--pki/base/tps/setup/registry_instance117
66 files changed, 2500 insertions, 11817 deletions
diff --git a/pki/base/ca/setup/registry_instance b/pki/base/ca/setup/registry_instance
index 6acf066f8..7f0e592a1 100644
--- a/pki/base/ca/setup/registry_instance
+++ b/pki/base/ca/setup/registry_instance
@@ -38,12 +38,6 @@ export TOMCAT_USER
TOMCAT_GROUP=$PKI_GROUP
export TOMCAT_GROUP
-
-# Since the daemon function will sandbox $tomcat
-# no environment stuff should be defined here anymore.
-# Please use the ${PKI_INSTANCE_PATH}/conf/tomcat5.conf
-# file instead ; it will be read by the $tomcat script
-
PKI_LOCKDIR="/var/lock/${PKI_FLAVOR}/${PKI_SUBSYSTEM_TYPE}"
export PKI_LOCKDIR
diff --git a/pki/base/ca/shared/conf/catalina.policy b/pki/base/ca/shared/conf/catalina.policy
index b519e602a..cf8302cd0 100644
--- a/pki/base/ca/shared/conf/catalina.policy
+++ b/pki/base/ca/shared/conf/catalina.policy
@@ -1,3 +1,9 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// Copyright (C) 2006-2010 Red Hat, Inc.
+// All rights reserved.
+// Modifications: configuration parameters
+// --- END COPYRIGHT BLOCK ---
+
// Licensed to the Apache Software Foundation (ASF) under one or more
// contributor license agreements. See the NOTICE file distributed with
// this work for additional information regarding copyright ownership.
diff --git a/pki/base/ca/shared/conf/catalina.properties b/pki/base/ca/shared/conf/catalina.properties
index d6f117cd2..70cb7c05e 100644
--- a/pki/base/ca/shared/conf/catalina.properties
+++ b/pki/base/ca/shared/conf/catalina.properties
@@ -1,3 +1,9 @@
+# --- BEGIN COPYRIGHT BLOCK ---
+# Copyright (C) 2006-2010 Red Hat, Inc.
+# All rights reserved.
+# Modifications: configuration parameters
+# --- END COPYRIGHT BLOCK ---
+
# Licensed to the Apache Software Foundation (ASF) under one or more
# contributor license agreements. See the NOTICE file distributed with
# this work for additional information regarding copyright ownership.
diff --git a/pki/base/ca/shared/conf/context.xml b/pki/base/ca/shared/conf/context.xml
index 217458d9a..8b6fe4905 100644
--- a/pki/base/ca/shared/conf/context.xml
+++ b/pki/base/ca/shared/conf/context.xml
@@ -1,4 +1,9 @@
<?xml version='1.0' encoding='utf-8'?>
+<!-- BEGIN COPYRIGHT BLOCK
+ Copyright (C) 2006-2010 Red Hat, Inc.
+ All rights reserved.
+ Modifications: configuration parameters
+ END COPYRIGHT BLOCK -->
<!--
Licensed to the Apache Software Foundation (ASF) under one or more
contributor license agreements. See the NOTICE file distributed with
diff --git a/pki/base/ca/shared/conf/logging.properties b/pki/base/ca/shared/conf/logging.properties
index 68be2d7f4..796cfc071 100644
--- a/pki/base/ca/shared/conf/logging.properties
+++ b/pki/base/ca/shared/conf/logging.properties
@@ -1,3 +1,9 @@
+# --- BEGIN COPYRIGHT BLOCK ---
+# Copyright (C) 2006-2010 Red Hat, Inc.
+# All rights reserved.
+# Modifications: configuration parameters
+# --- END COPYRIGHT BLOCK ---
+
# Licensed to the Apache Software Foundation (ASF) under one or more
# contributor license agreements. See the NOTICE file distributed with
# this work for additional information regarding copyright ownership.
diff --git a/pki/base/ca/shared/conf/server.xml b/pki/base/ca/shared/conf/server.xml
index d9b10d2e3..6642a58fc 100644
--- a/pki/base/ca/shared/conf/server.xml
+++ b/pki/base/ca/shared/conf/server.xml
@@ -1,4 +1,9 @@
<?xml version='1.0' encoding='utf-8'?>
+<!-- BEGIN COPYRIGHT BLOCK
+ Copyright (C) 2006-2010 Red Hat, Inc.
+ All rights reserved.
+ Modifications: configuration parameters
+ END COPYRIGHT BLOCK -->
<!--
Licensed to the Apache Software Foundation (ASF) under one or more
contributor license agreements. See the NOTICE file distributed with
diff --git a/pki/base/ca/shared/conf/tomcat-users.xml b/pki/base/ca/shared/conf/tomcat-users.xml
index c0c9964be..daa9260cc 100644
--- a/pki/base/ca/shared/conf/tomcat-users.xml
+++ b/pki/base/ca/shared/conf/tomcat-users.xml
@@ -1,4 +1,9 @@
<?xml version='1.0' encoding='utf-8'?>
+<!-- BEGIN COPYRIGHT BLOCK
+ Copyright (C) 2006-2010 Red Hat, Inc.
+ All rights reserved.
+ Modifications: configuration parameters
+ END COPYRIGHT BLOCK -->
<!--
Licensed to the Apache Software Foundation (ASF) under one or more
contributor license agreements. See the NOTICE file distributed with
diff --git a/pki/base/ca/shared/etc/init.d/pki-cad b/pki/base/ca/shared/etc/init.d/pki-cad
index 7c00655f0..cf1f1713e 100755
--- a/pki/base/ca/shared/etc/init.d/pki-cad
+++ b/pki/base/ca/shared/etc/init.d/pki-cad
@@ -14,9 +14,9 @@
# with this program; if not, write to the Free Software Foundation, Inc.,
# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
#
-# Copyright (C) 2007 Red Hat, Inc.
+# Copyright (C) 2007-2010 Red Hat, Inc.
# All rights reserved.
-# --- END COPYRIGHT BLOCK ### ---
+# --- END COPYRIGHT BLOCK ---
#
# pki-cad Startup script for pki-ca with tomcat6
#
@@ -47,11 +47,23 @@ pki_instance="$2"
. /usr/share/pki/scripts/functions
# See how we were called.
-case "${command}" in
- start|stop|restart|status)
- ${command}
- exit $?
- ;;
+case $command in
+ status)
+ registry_status
+ exit $?
+ ;;
+ start)
+ start
+ exit $?
+ ;;
+ restart)
+ restart
+ exit $?
+ ;;
+ stop)
+ stop
+ exit $?
+ ;;
condrestart|force-restart|try-restart)
[ ! -f ${lockfile} ] || restart
exit $?
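Review bot: The new `start)`, `restart)` and `stop)` arms are three copies of the same `<cmd>; exit $?` shape, and only `status)` actually needed to diverge so that it calls `registry_status`; a single `start|stop|restart) ${command}; exit $? ;;` arm next to the `status)` arm keeps the dispatch as compact as the code it replaces. The `[ ! -f ${lockfile} ] || restart` arm is unchanged context, and the `case` statement continues past the hunk.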
@@ -61,13 +73,11 @@ case "${command}" in
exit ${default_error}
;;
*)
- # 3 unimplemented feature (for example, "reload")
- # [invalid command - should never be reached]
- echo
+ echo "unknown action ($command)"
usage
echo "where valid instance names include:"
list_instances
- exit 3
+ exit ${default_error}
;;
esac
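Review bot: `exit ${default_error}` in the `*)` arm may exit 0 for an unknown action: functions initialises `default_error=0` and raises it to 1 only for the listed commands, so unless the `*)` arm of that case (not shown in this diff) assigns it, an unrecognized action now reports success where the old code returned 3. The new pki_apache_initscript exits 2 for the same condition, and LSB reserves 2 for invalid arguments, so `exit 2` here would make the two scripts agree. The `case` statement starts before the hunk.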
diff --git a/pki/base/common/scripts/functions b/pki/base/common/scripts/functions
index 68a15c3dc..db4712d53 100644
--- a/pki/base/common/scripts/functions
+++ b/pki/base/common/scripts/functions
@@ -35,7 +35,7 @@ lockfile="/var/lock/subsys/${SERVICE_NAME}"
default_error=0
-case "${command}" in
+case $command in
start|stop|restart|condrestart|force-restart|try-restart)
# 1 generic or unspecified error (current practice)
default_error=1
@@ -53,6 +53,13 @@ case "${command}" in
;;
esac
+# Enable nullglob, if set then shell pattern globs which do not match any
+# file returns the empty string rather than the unmodified glob pattern.
+shopt -s nullglob
+
+OS=`uname -s`
+ARCHITECTURE=`uname -i`
+
# Check to insure that this script's original invocation directory
# has not been deleted!
CWD=`/bin/pwd > /dev/null 2>&1`
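Review bot: `ARCHITECTURE=\`uname -i\`` relies on a GNU extension that prints `unknown` on several distributions, and callers compare the value against literal `i386`/`x86_64`; `uname -m` is the portable way to get the machine type. Both assignments are repeated verbatim in the new pki_apache_initscript, which sources /etc/init.d/functions rather than this file, so there are now two copies to keep in sync, and `OS` is not read anywhere in this diff. Enabling `nullglob` in a sourced library changes glob expansion for every init script that sources it, which deserves a comment on the `shopt` line such as `# NOTE: affects every script that sources this file`; the preceding comment should also read `return` rather than `returns`.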
@@ -240,6 +247,145 @@ check_pki_configuration_status()
get_pki_status_definitions()
{
+ case $PKI_SUBSYSTEM_TYPE in
+ ca|kra|ocsp|tks)
+ get_pki_status_definitions_tomcat
+ return $?
+ ;;
+ ra)
+ get_pki_status_definitions_ra
+ return $?
+ ;;
+ tps)
+ get_pki_status_definitions_tps
+ return $?
+ ;;
+ *)
+ echo "Unknown subsystem type ($PKI_SUBSYSTEM_TYPE)"
+ exit ${default_error}
+ ;;
+ esac
+}
+
+get_pki_status_definitions_ra()
+{
+ # establish well-known strings
+ total_ports=0
+ UNSECURE_PORT=""
+ CLIENTAUTH_PORT=""
+ NON_CLIENTAUTH_PORT=""
+
+ # check to see that an instance-specific "httpd.conf" file exists
+ if [ ! -f ${PKI_HTTPD_CONF} ] ; then
+ echo "File '${PKI_HTTPD_CONF}' does not exist!"
+ exit ${default_error}
+ fi
+
+ # check to see that an instance-specific "nss.conf" file exists
+ if [ ! -f ${PKI_NSS_CONF} ] ; then
+ echo "File '${PKI_NSS_CONF}' does not exist!"
+ exit ${default_error}
+ fi
+
+ # Iterate over Listen statements
+ for port in `sed -n 's/^[ \t]*Listen[ \t][ \t]*\([^ \t][^ \t]*\)/\1/p' ${PKI_HTTPD_CONF}`; do
+ UNSECURE_PORT=$port
+ if [ $total_ports -eq 0 ]; then
+ echo " Unsecure Port = http://${PKI_SERVER_NAME}:${UNSECURE_PORT}"
+ else
+ echo "ERROR: extra Unsecure Port = http://${PKI_SERVER_NAME}:${UNSECURE_PORT}"
+ fi
+ total_ports=`expr ${total_ports} + 1`
+
+ done
+
+ # Iterate over Listen statements
+ for port in `sed -n 's/^[ \t]*Listen[ \t][ \t]*\([^ \t][^ \t]*\)/\1/p' ${PKI_NSS_CONF}`; do
+ UNSECURE_PORT=$port
+ if [ $total_ports -eq 1 ]; then
+ CLIENTAUTH_PORT=$port
+ echo " Secure Clientauth Port = https://${PKI_SERVER_NAME}:${CLIENTAUTH_PORT}"
+ fi
+ if [ $total_ports -eq 2 ]; then
+ NON_CLIENTAUTH_PORT=$port
+ echo " Secure Non-Clientauth Port = https://${PKI_SERVER_NAME}:${NON_CLIENTAUTH_PORT}"
+ fi
+ total_ports=`expr ${total_ports} + 1`
+
+ done
+
+ if [ ${total_ports} -eq $PKI_TOTAL_PORTS ] ; then
+ return 0
+ else
+ return ${default_error}
+ fi
+}
+
+get_pki_status_definitions_tps()
+{
+ # establish well-known strings
+ total_ports=0
+ UNSECURE_PORT=""
+ CLIENTAUTH_PORT=""
+ NON_CLIENTAUTH_PORT=""
+
+ # check to see that an instance-specific "httpd.conf" file exists
+ if [ ! -f ${PKI_HTTPD_CONF} ] ; then
+ echo "File '${PKI_HTTPD_CONF}' does not exist!"
+ exit ${default_error}
+ fi
+
+ # check to see that an instance-specific "nss.conf" file exists
+ if [ ! -f ${PKI_NSS_CONF} ] ; then
+ echo "File '${PKI_NSS_CONF}' does not exist!"
+ exit ${default_error}
+ fi
+
+ # Iterate over Listen statements
+ for port in `sed -n 's/^[ \t]*Listen[ \t][ \t]*\([^ \t][^ \t]*\)/\1/p' ${PKI_HTTPD_CONF}`; do
+ UNSECURE_PORT=$port
+ if [ $total_ports -eq 0 ]; then
+ echo " Unsecure Port = http://${PKI_SERVER_NAME}:${UNSECURE_PORT}/cgi-bin/so/enroll.cgi"
+ echo " (ESC Security Officer Enrollment)"
+ echo " Unsecure Port = http://${PKI_SERVER_NAME}:${UNSECURE_PORT}/cgi-bin/home/index.cgi"
+ echo " (ESC Phone Home)"
+ else
+ echo "ERROR: extra Unsecure Port = http://${PKI_SERVER_NAME}:${UNSECURE_PORT}"
+ fi
+ total_ports=`expr ${total_ports} + 1`
+
+ done
+
+ # Iterate over Listen statements
+ for port in `sed -n 's/^[ \t]*Listen[ \t][ \t]*\([^ \t][^ \t]*\)/\1/p' ${PKI_NSS_CONF}`; do
+ UNSECURE_PORT=$port
+ if [ $total_ports -eq 1 ]; then
+ CLIENTAUTH_PORT=$port
+ echo " Secure Clientauth Port = https://${PKI_SERVER_NAME}:${CLIENTAUTH_PORT}/cgi-bin/sow/welcome.cgi"
+ echo " (ESC Security Officer Workstation)"
+ echo " Secure Clientauth Port = https://${PKI_SERVER_NAME}:${CLIENTAUTH_PORT}/tus"
+ echo " (TPS Roles - Operator/Administrator/Agent)"
+ fi
+ if [ $total_ports -eq 2 ]; then
+ NON_CLIENTAUTH_PORT=$port
+ echo " Secure Non-Clientauth Port = https://${PKI_SERVER_NAME}:${NON_CLIENTAUTH_PORT}/cgi-bin/so/enroll.cgi"
+ echo " (ESC Security Officer Enrollment)"
+ echo " Secure Non-Clientauth Port = https://${PKI_SERVER_NAME}:${NON_CLIENTAUTH_PORT}/cgi-bin/home/index.cgi"
+ echo " (ESC Phone Home)"
+ fi
+ total_ports=`expr ${total_ports} + 1`
+
+ done
+
+ if [ ${total_ports} -eq $PKI_TOTAL_PORTS ] ; then
+ return 0
+ else
+ return ${default_error}
+ fi
+}
+
+get_pki_status_definitions_tomcat()
+{
# establish well-known strings
begin_pki_status_comment="<!-- DO NOT REMOVE - Begin PKI Status Definitions -->"
end_pki_status_comment="<!-- DO NOT REMOVE - End PKI Status Definitions -->"
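Review bot: In the second loop of both `get_pki_status_definitions_ra` and `get_pki_status_definitions_tps`, `UNSECURE_PORT=$port` overwrites the unsecure port with each secure Listen value; it looks like a copy-paste remnant of the first loop and should be dropped, since the secure values are already captured in `CLIENTAUTH_PORT`/`NON_CLIENTAUTH_PORT`. The two functions are otherwise identical apart from the echoed URL suffixes, so a single helper parameterised on the subsystem would avoid keeping two copies of the Listen-parsing `sed` in sync, and `total_ports=\`expr ${total_ports} + 1\`` can be `total_ports=$((total_ports + 1))`. The `exit ${default_error}` in the `*)` arm of `get_pki_status_definitions` terminates the sourcing init script instead of returning an error to it, which may be intended but is worth a comment. `get_pki_status_definitions_tomcat` continues past the end of the hunk.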
@@ -749,7 +895,7 @@ restart()
return $?
}
-status()
+registry_status()
{
error_rv=0
rv=0
diff --git a/pki/base/common/scripts/pki_apache_initscript b/pki/base/common/scripts/pki_apache_initscript
new file mode 100755
index 000000000..3e886a6d6
--- /dev/null
+++ b/pki/base/common/scripts/pki_apache_initscript
@@ -0,0 +1,248 @@
+#!/bin/bash
+
+# FIXME: needed to add -r system_r to runcon, not sure why or if it's right
+
+command="$1"
+
+# Source function library.
+. /etc/init.d/functions
+
+PKI_REGISTRY_FILE=[PKI_REGISTRY_FILE]
+
+# Enable nullglob, if set then shell pattern globs which do not match any
+# file returns the empty string rather than the unmodified glob pattern.
+shopt -s nullglob
+
+OS=`uname -s`
+ARCHITECTURE=`uname -i`
+
+# Source values associated with this particular PKI instance
+if [ -f $PKI_REGISTRY_FILE ]; then
+ . ${PKI_REGISTRY_FILE}
+else
+ echo "No PKI registry file ($PKI_REGISTRY_FILE)"
+ case $command in
+ status)
+ exit 4
+ ;;
+ *)
+ exit 1
+ ;;
+ esac
+fi
+
+prog=$PKI_INSTANCE_ID
+lockfile=$PKI_LOCK_FILE
+pidfile=$PKI_PID_FILE
+
+
+STARTUP_WAIT=30
+SHUTDOWN_WAIT=30
+
+start()
+{
+ rv=0
+
+ echo -n $"Starting ${prog}: "
+
+ if [ -f ${lockfile} ] ; then
+ if [ -f ${pidfile} ]; then
+ read kpid < ${pidfile}
+ if checkpid $kpid 2>&1; then
+ echo
+ echo "${PKI_INSTANCE_ID} (pid ${kpid}) is already running ..."
+ echo
+ return 0
+ else
+ echo
+ echo -n "lock file found but no process "
+ echo -n "running for pid $kpid, continuing"
+ echo
+ echo
+ rm -f ${lockfile}
+ fi
+ fi
+ fi
+
+ touch ${pidfile}
+ chown ${PKI_USER}:${PKI_GROUP} ${pidfile}
+ chmod 00600 ${pidfile}
+ [ -x /sbin/restorecon ] && /sbin/restorecon ${pidfile}
+
+ # restore context for ncipher hsm
+ [ -x /sbin/restorecon ] && [ -d /dev/nfast ] && /sbin/restorecon -R /dev/nfast
+
+ /usr/sbin/selinuxenabled
+ rv=$?
+ if [ ${rv} = 0 ] ; then
+ if [ ${ARCHITECTURE} = "i386" ] ; then
+ LANG=${PKI_HTTPD_LANG} daemon runcon -r system_r -t ${PKI_SELINUX_TYPE} -- ${httpd} ${PKI_OPTIONS}
+ rv=$?
+ # overwrite output from "daemon"
+ echo -n $"Starting ${prog}: "
+ elif [ ${ARCHITECTURE} = "x86_64" ] ; then
+ # NOTE: "daemon" is incompatible with "httpd" on 64-bit architectures
+ LANG=${PKI_HTTPD_LANG} runcon -r system_r -t ${PKI_SELINUX_TYPE} -- ${httpd} ${PKI_OPTIONS}
+ rv=$?
+ fi
+ else
+ LANG=${PKI_HTTPD_LANG} daemon ${httpd} ${PKI_OPTIONS}
+ rv=$?
+ # overwrite output from "daemon"
+ echo -n $"Starting ${prog}: "
+ fi
+
+ if [ ${rv} = 0 ] ; then
+ touch ${lockfile}
+ chown ${PKI_USER}:${PKI_GROUP} ${lockfile}
+ chmod 00600 ${lockfile}
+
+ count=0;
+
+ let swait=$STARTUP_WAIT
+ until [ -s ${pidfile} ] ||
+ [ $count -gt $swait ]
+ do
+ echo -n "."
+ sleep 1
+ let count=$count+1;
+ done
+
+ echo_success
+ echo
+
+ # Set permissions of log files
+ for file in ${pki_logs_directory}/*; do
+ if [ `basename $file` != "signedAudit" ]; then
+ echo "chown ${PKI_USER}:${PKI_GROUP} ${file}"
+ echo "chmod 00640 ${file}"
+ fi
+ done
+
+ if [ -d ${pki_logs_directory}/signedAudit ]; then
+ for file in ${pki_logs_directory}/signedAudit/*; do
+ echo "chown ${PKI_USER} ${file}"
+ echo "chmod 00640 ${file}"
+ done
+ fi
+
+ else
+ echo_failure
+ echo
+ fi
+
+
+ return ${rv}
+}
+
+stop()
+{
+ rv=0
+
+ echo -n "Stopping ${prog}: "
+
+ if [ -f ${lockfile} ] ; then
+ ${httpd} ${PKI_OPTIONS} -k stop
+ rv=$?
+
+ if [ ${rv} = 0 ]; then
+ count=0;
+
+ if [ -f ${pidfile} ]; then
+ read kpid < ${pidfile}
+ let kwait=$SHUTDOWN_WAIT
+
+ until [ `ps -p $kpid | grep -c $kpid` = '0' ] ||
+ [ $count -gt $kwait ]
+ do
+ echo -n "."
+ sleep 1
+ let count=$count+1;
+ done
+
+ if [ $count -gt $kwait ]; then
+ kill -9 $kpid
+ fi
+ fi
+
+ rm -f ${lockfile}
+ rm -f ${pidfile}
+
+ echo_success
+ echo
+ else
+ echo_failure
+ echo
+ rv=${default_error}
+ fi
+ else
+ echo
+ echo "process already stopped"
+ rv=0
+ fi
+
+ return ${rv}
+}
+
+reload()
+{
+ rv=0
+
+ echo -n $"Reloading ${prog}: "
+
+ if ! LANG=${PKI_HTTPD_LANG} ${httpd} ${PKI_OPTIONS} -t >&/dev/null; then
+ rv=$?
+ echo $"not reloading due to configuration syntax error"
+ failure $"not reloading ${httpd} due to configuration syntax error"
+ else
+ killproc -p ${pidfile} ${httpd} -HUP
+ rv=$?
+ fi
+ echo
+
+ return ${rv}
+}
+
+instance_status()
+{
+ status -p ${pidfile} ${prog}
+ rv=$?
+ return $rv
+}
+
+# See how we were called.
+case $command in
+ status)
+ instance_status
+ exit $?
+ ;;
+ start)
+ start
+ exit $?
+ ;;
+ restart)
+ restart
+ exit $?
+ ;;
+ stop)
+ stop
+ exit $?
+ ;;
+ condrestart|force-restart|try-restart)
+ [ ! -f ${lockfile} ] || restart
+ exit $?
+ ;;
+ reload)
+ echo "The 'reload' action is an unimplemented feature."
+ exit 3
+ ;;
+ condrestart|force-restart|try-restart)
+ [ ! -f ${lockfile} ] || restart
+ exit $?
+ ;;
+ *)
+ echo "unknown action ($command)"
+ exit 2
+ ;;
+esac
+
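Review bot: `restart` is invoked from the `restart)` and `condrestart|force-restart|try-restart)` arms but is never defined in this file, and `${default_error}`, `${httpd}` and `${pki_logs_directory}` are never assigned here; only the sourced registry file could supply them, and the KRA registry_instance in this commit defines variables only, so unless the RA/TPS registry files differ the restart path fails with `command not found`. The log-permission loops after `echo_success` only `echo` the `chown`/`chmod` commands instead of running them, so the comment `# Set permissions of log files` does not describe what happens; either execute them or mark the block as a diagnostic stub. The `condrestart|force-restart|try-restart)` arm appears twice in the final `case`, and the second copy is unreachable. In `stop`, `kpid` is read from a pidfile that `start` makes writable by `${PKI_USER}` and is then passed unvalidated to `ps -p` and `kill -9` running as root, so a guard such as `[[ $kpid =~ ^[0-9]+$ ]] || kpid=` before use is worth adding. With `uname -i` reporting `unknown` on some systems, the SELinux branch of `start` also starts nothing while leaving `rv=0` and printing success.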
diff --git a/pki/base/kra/build.xml b/pki/base/kra/build.xml
index abbdbe7ab..eecf414ee 100644
--- a/pki/base/kra/build.xml
+++ b/pki/base/kra/build.xml
@@ -191,6 +191,7 @@
filemode="644"
prefix="usr/share/${product.prefix}/${product}/setup">
<include name="config.desktop"/>
+ <include name="registry_instance"/>
</zipfileset>
<zipfileset dir="./shared/etc/init.d"
filemode="755"
@@ -198,15 +199,9 @@
<include name="pki-krad"/>
</zipfileset>
<zipfileset dir="./shared"
- filemode="755"
- prefix="usr/share/${product.prefix}/${product}">
- <include name="conf/dtomcat5"/>
- </zipfileset>
- <zipfileset dir="./shared"
filemode="644"
prefix="usr/share/${product.prefix}/${product}">
<include name="**"/>
- <exclude name="conf/dtomcat5"/>
<exclude name="etc/init.d/pki-krad"/>
</zipfileset>
<zipfileset dir="."
@@ -230,6 +225,7 @@
mode="644"
prefix="${dist.name}/usr/share/${product.prefix}/${product}/setup">
<include name="config.desktop"/>
+ <include name="registry_instance"/>
</tarfileset>
<tarfileset dir="./shared/etc/init.d"
mode="755"
@@ -237,15 +233,9 @@
<include name="pki-krad"/>
</tarfileset>
<tarfileset dir="./shared"
- mode="755"
- prefix="${dist.name}/usr/share/${product.prefix}/${product}">
- <include name="conf/dtomcat5"/>
- </tarfileset>
- <tarfileset dir="./shared"
mode="644"
prefix="${dist.name}/usr/share/${product.prefix}/${product}">
<include name="**"/>
- <exclude name="conf/dtomcat5"/>
<exclude name="etc/init.d/pki-krad"/>
</tarfileset>
<tarfileset dir="."
diff --git a/pki/base/kra/setup/registry_instance b/pki/base/kra/setup/registry_instance
new file mode 100644
index 000000000..7f0e592a1
--- /dev/null
+++ b/pki/base/kra/setup/registry_instance
@@ -0,0 +1,54 @@
+# Establish PKI Variable "Slot" Substitutions
+
+PKI_FLAVOR=[PKI_FLAVOR]
+export PKI_FLAVOR
+
+PKI_SUBSYSTEM_TYPE=[PKI_SUBSYSTEM_TYPE]
+export PKI_SUBSYSTEM_TYPE
+
+PKI_USER=[PKI_USER]
+export PKI_USER
+
+PKI_GROUP=[PKI_GROUP]
+export PKI_GROUP
+
+PKI_INSTANCE_ID=[PKI_INSTANCE_ID]
+export PKI_INSTANCE_ID
+
+PKI_INSTANCE_PATH=[PKI_INSTANCE_PATH]
+export PKI_INSTANCE_PATH
+
+PKI_INSTANCE_INITSCRIPT=[PKI_INSTANCE_INITSCRIPT]
+export PKI_INSTANCE_INITSCRIPT
+
+PKI_SERVER_XML_CONF=[PKI_SERVER_XML_CONF]
+export PKI_SERVER_XML_CONF
+
+# Use CATALINA_BASE
+
+CATALINA_BASE=$PKI_INSTANCE_PATH
+export CATALINA_BASE
+
+TOMCAT_PROG=$PKI_INSTANCE_ID
+export TOMCAT_PROG
+
+TOMCAT_USER=$PKI_USER
+export TOMCAT_USER
+
+TOMCAT_GROUP=$PKI_GROUP
+export TOMCAT_GROUP
+
+PKI_LOCKDIR="/var/lock/${PKI_FLAVOR}/${PKI_SUBSYSTEM_TYPE}"
+export PKI_LOCKDIR
+
+PKI_LOCKFILE="${PKI_LOCKDIR}/${PKI_INSTANCE_ID}.pid"
+export PKI_LOCKFILE
+
+TOMCAT_PIDFILE=[TOMCAT_PIDFILE]
+export TOMCAT_PIDFILE
+
+pki_instance_configuration_file=${PKI_INSTANCE_PATH}/conf/CS.cfg
+export pki_instance_configuration_file
+
+RESTART_SERVER=${PKI_INSTANCE_PATH}/conf/restart_server_after_configuration
+export RESTART_SERVER
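Review bot: `PKI_LOCKFILE` is given a `.pid` suffix under `${PKI_LOCKDIR}` while the real pid file is `TOMCAT_PIDFILE`, so a reader cannot tell which file holds a pid; a `.lock` suffix or a comment such as `# lock marker only; the pid lives in TOMCAT_PIDFILE` would remove the ambiguity. The file is byte-identical to the CA registry_instance (blob 7f0e592a1 in both file headers), and the diffstat shows the same 54-line file added for OCSP and TKS, so a single shared template with a subsystem slot would avoid four copies drifting apart.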
diff --git a/pki/base/kra/shared/conf/catalina.policy b/pki/base/kra/shared/conf/catalina.policy
index 8f481e333..cf8302cd0 100644
--- a/pki/base/kra/shared/conf/catalina.policy
+++ b/pki/base/kra/shared/conf/catalina.policy
@@ -1,5 +1,26 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// Copyright (C) 2006-2010 Red Hat, Inc.
+// All rights reserved.
+// Modifications: configuration parameters
+// --- END COPYRIGHT BLOCK ---
+
+// Licensed to the Apache Software Foundation (ASF) under one or more
+// contributor license agreements. See the NOTICE file distributed with
+// this work for additional information regarding copyright ownership.
+// The ASF licenses this file to You under the Apache License, Version 2.0
+// (the "License"); you may not use this file except in compliance with
+// the License. You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
// ============================================================================
-// catalina.corepolicy - Security Policy Permissions for Tomcat 5
+// catalina.corepolicy - Security Policy Permissions for Tomcat 6
//
// This file contains a default set of security policies to be enforced (by the
// JVM) when Catalina is executed with the "-security" option. In addition
@@ -40,35 +61,16 @@ grant codeBase "file:${java.home}/lib/ext/-" {
// ========== CATALINA CODE PERMISSIONS =======================================
-// These permissions apply to the launcher code
-grant codeBase "file:${catalina.home}/bin/commons-launcher.jar" {
- permission java.security.AllPermission;
-};
-
// These permissions apply to the daemon code
grant codeBase "file:${catalina.home}/bin/commons-daemon.jar" {
permission java.security.AllPermission;
};
-// These permissions apply to the commons-logging API
-grant codeBase "file:${catalina.home}/bin/commons-logging-api.jar" {
- permission java.security.AllPermission;
-};
-
-// These permissions apply to the server startup code
-grant codeBase "file:${catalina.home}/bin/bootstrap.jar" {
- permission java.security.AllPermission;
-};
-
-// These permissions apply to the JMX server
-grant codeBase "file:${catalina.home}/bin/jmx.jar" {
- permission java.security.AllPermission;
-};
-
-// These permissions apply to JULI
+// These permissions apply to the logging API
grant codeBase "file:${catalina.home}/bin/tomcat-juli.jar" {
permission java.util.PropertyPermission "java.util.logging.config.class", "read";
permission java.util.PropertyPermission "java.util.logging.config.file", "read";
+ permission java.io.FilePermission "${java.home}${file.separator}lib${file.separator}logging.properties", "read";
permission java.lang.RuntimePermission "shutdownHooks";
permission java.io.FilePermission "${catalina.base}${file.separator}conf${file.separator}logging.properties", "read";
permission java.util.PropertyPermission "catalina.base", "read";
@@ -82,24 +84,19 @@ grant codeBase "file:${catalina.home}/bin/tomcat-juli.jar" {
// permission java.io.FilePermission "${catalina.base}${file.separator}webapps${file.separator}examples${file.separator}WEB-INF${file.separator}classes${file.separator}logging.properties", "read";
};
-// These permissions apply to the servlet API classes
-// and those that are shared across all class loaders
-// located in the "common" directory
-grant codeBase "file:${catalina.home}/common/-" {
+// These permissions apply to the server startup code
+grant codeBase "file:${catalina.home}/bin/bootstrap.jar" {
permission java.security.AllPermission;
};
-// These permissions apply to the container's core code, plus any additional
-// libraries installed in the "server" directory
-grant codeBase "file:${catalina.home}/server/-" {
+// These permissions apply to the servlet API classes
+// and those that are shared across all class loaders
+// located in the "lib" directory
+grant codeBase "file:${catalina.home}/lib/-" {
permission java.security.AllPermission;
};
-// The permissions granted to the balancer WEB-INF/classes and WEB-INF/lib directory
-grant codeBase "file:${catalina.home}/webapps/balancer/-" {
- permission java.lang.RuntimePermission "accessClassInPackage.org.apache.tomcat.util.digester";
- permission java.lang.RuntimePermission "accessClassInPackage.org.apache.tomcat.util.digester.*";
-};
+
// ========== WEB APPLICATION PERMISSIONS =====================================
@@ -147,6 +144,9 @@ grant {
permission java.lang.RuntimePermission "accessClassInPackage.org.apache.jasper.runtime";
permission java.lang.RuntimePermission "accessClassInPackage.org.apache.jasper.runtime.*";
+ // Precompiled JSPs need access to this system property.
+ permission java.util.PropertyPermission "org.apache.jasper.runtime.BodyContentImpl.LIMIT_BUFFER", "read";
+
};
@@ -182,58 +182,3 @@ grant {
// permission java.net.SocketPermission "*.noaa.gov:80", "connect";
// };
-
-
-// These permissions apply to Tomcat5 java
-grant codeBase "file:/usr/share/java/tomcat5/-" {
- permission java.security.AllPermission;
-};
-grant codeBase "file:/usr/share/java/jakarta-commons-modeler.jar" {
- permission java.security.AllPermission;
-};
-grant codeBase "file:/usr/share/java/jasper5-compiler.jar" {
- permission java.security.AllPermission;
-};
-grant codeBase "file:/usr/share/java/jasper5-runtime.jar" {
- permission java.security.AllPermission;
-};
-
-
-
-// These permissions apply to PKI configuration
-grant codeBase "file:/usr/share/java/velocity.jar" {
- permission java.security.AllPermission;
-};
-grant codeBase "file:/usr/share/java/tomcat5-servlet-2.4-api.jar" {
- permission java.security.AllPermission;
-};
-
-
-
-
-// These permissions apply to PKI support
-grant codeBase "file:/usr/share/java/ldapjdk.jar" {
- permission java.security.AllPermission;
-};
-
-
-
-// These permissions apply to PKI
-grant codeBase "file:/usr/lib/java/jss4.jar" {
- permission java.security.AllPermission;
-};
-grant codeBase "file:/usr/share/java/tomcatjss.jar" {
- permission java.security.AllPermission;
-};
-grant codeBase "file:/usr/lib/java/osutil.jar" {
- permission java.security.AllPermission;
-};
-grant codeBase "file:/usr/lib/java/symkey.jar" {
- permission java.security.AllPermission;
-};
-grant codeBase "file:/usr/share/java/pki/-" {
- permission java.security.AllPermission;
-};
-
-
-
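Review bot: This hunk removes the blanket `AllPermission` grants for the PKI and support jars (jss4, ldapjdk, tomcatjss, osutil, symkey, velocity, `/usr/share/java/pki/-`) without a replacement grant anywhere in the hunks shown; the broad grants that remain visible are the `${catalina.home}/lib/-`, bootstrap and daemon codeBases. That is a welcome narrowing, but it only works if the instance is either not started with `-security` or loads those jars from a codeBase that is still granted, so the commit should say which; a one-line comment near `// ========== WEB APPLICATION PERMISSIONS` recording that assumption would help the next reader. The file is the same blob (cf8302cd0) as the CA policy, so the point applies to all four subsystems.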
diff --git a/pki/base/kra/shared/conf/catalina.properties b/pki/base/kra/shared/conf/catalina.properties
index 86334d29f..70cb7c05e 100644
--- a/pki/base/kra/shared/conf/catalina.properties
+++ b/pki/base/kra/shared/conf/catalina.properties
@@ -1,3 +1,24 @@
+# --- BEGIN COPYRIGHT BLOCK ---
+# Copyright (C) 2006-2010 Red Hat, Inc.
+# All rights reserved.
+# Modifications: configuration parameters
+# --- END COPYRIGHT BLOCK ---
+
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
#
# List of comma-separated packages that start with or equal this string
# will cause a security exception to be thrown when
@@ -29,7 +50,7 @@ package.definition=sun.,java.,org.apache.catalina.,org.apache.coyote.,org.apache
# "foo/*.jar": Add all the JARs of the specified folder as class
# repositories
# "foo/bar.jar": Add bar.jar as a class repository
-common.loader=${catalina.home}/common/classes,${catalina.home}/common/i18n/*.jar,${catalina.home}/common/endorsed/*.jar,${catalina.home}/common/lib/*.jar
+common.loader=${catalina.home}/lib,${catalina.home}/lib/*.jar,[TOMCAT_INSTANCE_COMMON_LIB]
#
# List of comma-separated paths defining the contents of the "server"
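Review bot: `common.loader` now ends with the `[TOMCAT_INSTANCE_COMMON_LIB]` slot, so whatever directory is substituted there is loaded into the class loader shared by every webapp in the instance; the policy file in this commit grants `AllPermission` only to `${catalina.home}/lib/-`, so under `-security` jars from that slot would presumably get no grant, and outside `-security` the directory must not be writable by the service user since anything placed in it runs as the server. A comment above the line such as `# [TOMCAT_INSTANCE_COMMON_LIB] must be root-owned; its contents load into the common class loader` would capture both constraints.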
@@ -42,7 +63,7 @@ common.loader=${catalina.home}/common/classes,${catalina.home}/common/i18n/*.jar
# "foo/*.jar": Add all the JARs of the specified folder as class
# repositories
# "foo/bar.jar": Add bar.jar as a class repository
-server.loader=${catalina.home}/server/classes,${catalina.home}/server/lib/*.jar
+server.loader=
#
# List of comma-separated paths defining the contents of the "shared"
@@ -54,7 +75,9 @@ server.loader=${catalina.home}/server/classes,${catalina.home}/server/lib/*.jar
# "foo/*.jar": Add all the JARs of the specified folder as class
# repositories
# "foo/bar.jar": Add bar.jar as a class repository
-shared.loader=${catalina.base}/shared/classes,${catalina.base}/shared/lib/*.jar
+# Please note that for single jars, e.g. bar.jar, you need the URL form
+# starting with file:.
+shared.loader=
#
# String cache configuration.
diff --git a/pki/base/kra/shared/conf/context.xml b/pki/base/kra/shared/conf/context.xml
index 4998ad27d..8b6fe4905 100644
--- a/pki/base/kra/shared/conf/context.xml
+++ b/pki/base/kra/shared/conf/context.xml
@@ -1,5 +1,27 @@
+<?xml version='1.0' encoding='utf-8'?>
+<!-- BEGIN COPYRIGHT BLOCK
+ Copyright (C) 2006-2010 Red Hat, Inc.
+ All rights reserved.
+ Modifications: configuration parameters
+ END COPYRIGHT BLOCK -->
+<!--
+ Licensed to the Apache Software Foundation (ASF) under one or more
+ contributor license agreements. See the NOTICE file distributed with
+ this work for additional information regarding copyright ownership.
+ The ASF licenses this file to You under the Apache License, Version 2.0
+ (the "License"); you may not use this file except in compliance with
+ the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+-->
<!-- The contents of this file will be loaded for each web application -->
-<Context crossContext="true">
+<Context crossContext="true" allowLinking="true">
<!-- Default set of monitored resources -->
<WatchedResource>WEB-INF/web.xml</WatchedResource>
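Review bot: `allowLinking="true"` on the Context element lets the default servlet follow symbolic links to resources outside the web application's docBase, and the hunk gives no reason for enabling it; the likely reason is that the instance's webapp directory is populated with symlinks into the shared install tree, but that is inferred, not shown here. State the reason in a comment before the element, e.g. `<!-- allowLinking: the instance webapps directory is assembled from symlinks into the shared install tree (confirm); must stay false on case-insensitive filesystems, where it disables case checks and exposes JSP source. -->`. The Context element itself continues past the end of the hunk.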
@@ -9,4 +31,10 @@
<Manager pathname="" />
-->
+ <!-- Uncomment this to enable Comet connection tacking (provides events
+ on session expiration as well as webapp lifecycle) -->
+ <!--
+ <Valve className="org.apache.catalina.valves.CometConnectionManagerValve" />
+ -->
+
</Context>
diff --git a/pki/base/kra/shared/conf/dtomcat5 b/pki/base/kra/shared/conf/dtomcat5
deleted file mode 100755
index 2eeb889e6..000000000
--- a/pki/base/kra/shared/conf/dtomcat5
+++ /dev/null
@@ -1,476 +0,0 @@
-#!/bin/bash
-#
-# --- BEGIN COPYRIGHT BLOCK ---
-# Copyright (C) 2006 Red Hat, Inc.
-# All rights reserved.
-# --- END COPYRIGHT BLOCK ---
-#
-# -----------------------------------------------------------------------------
-# Start/Stop Script for the CATALINA Server
-#
-# Environment Variable Prequisites
-#
-# CATALINA_HOME May point at your Catalina "build" directory.
-#
-# CATALINA_BASE (Optional) Base directory for resolving dynamic portions
-# of a Catalina installation. If not present, resolves to
-# the same directory that CATALINA_HOME points to.
-#
-# CATALINA_OPTS (Optional) Java runtime options used when the "start",
-# "stop", or "run" command is executed.
-#
-# CATALINA_TMPDIR (Optional) Directory path location of temporary directory
-# the JVM should use (java.io.tmpdir). Defaults to
-# $CATALINA_BASE/temp.
-#
-# JAVA_HOME Must point at your Java Development Kit installation.
-# Required to run the with the "debug" or "javac" argument.
-#
-# JRE_HOME Must point at your Java Development Kit installation.
-# Defaults to JAVA_HOME if empty.
-#
-# JAVA_OPTS (Optional) Java runtime options used when the "start",
-# "stop", or "run" command is executed.
-#
-# JPDA_TRANSPORT (Optional) JPDA transport used when the "jpda start"
-# command is executed. The default is "dt_socket".
-#
-# JPDA_ADDRESS (Optional) Java runtime options used when the "jpda start"
-# command is executed. The default is 8000.
-#
-# JSSE_HOME (Optional) May point at your Java Secure Sockets Extension
-# (JSSE) installation, whose JAR files will be added to the
-# system class path used to start Tomcat.
-#
-# CATALINA_PID (Optional) Path of the file which should contains the pid
-# of catalina startup java process, when start (fork) is used
-#
-# $Id$
-# -----------------------------------------------------------------------------
-
-# Disallow 'others' the ability to 'write' to new files
-umask 00002
-
-# Check to insure that this script's original invocation directory
-# has not been deleted!
-CWD=`/bin/pwd > /dev/null 2>&1`
-if [ $? -ne 0 ] ; then
- echo "Cannot invoke '$0' from non-existent directory!"
- exit 255
-fi
-
-# Check to insure that this script's associated PKI
-# subsystem currently resides on this system.
-PKI_SUBSYSTEM_TYPE=[PKI_SUBSYSTEM_TYPE]
-if [ ! -d /usr/share/pki/${PKI_SUBSYSTEM_TYPE} ] ; then
- echo "This machine is missing the '${PKI_SUBSYSTEM_TYPE}' subsystem!"
- exit 255
-fi
-
-# OS specific support. $var _must_ be set to either true or false.
-OS=`uname -s`
-cygwin=false
-os400=false
-case "${OS}" in
-CYGWIN*) cygwin=true;;
-OS400*) os400=true;;
-esac
-
-TOMCAT_CFG=[PKI_INSTANCE_PATH]/conf/tomcat5.conf
-JAVADIR="/usr/share/java"
-
-# resolve links - $0 may be a softlink
-PRG="$0"
-
-while [ -h "$PRG" ]; do
- ls=`ls -ld "$PRG"`
- link=`expr "$ls" : '.*-> \(.*\)$'`
- if expr "$link" : '.*/.*' > /dev/null; then
- PRG="$link"
- else
- PRG=`dirname "$PRG"`/"$link"
- fi
-done
-
-# Get standard environment variables
-PRGDIR=`dirname "$PRG"`
-
-# Only set CATALINA_HOME if not already set
-[ -z "$CATALINA_HOME" ] && CATALINA_HOME=`cd "$PRGDIR/.." ; pwd`
-
-if [ -r "$CATALINA_HOME"/bin/setenv.sh ]; then
- . "$CATALINA_HOME"/bin/setenv.sh
-fi
-
-# For Cygwin, ensure paths are in UNIX format before anything is touched
-if $cygwin; then
- [ -n "$JAVA_HOME" ] && JAVA_HOME=`cygpath --unix "$JAVA_HOME"`
- [ -n "$JRE_HOME" ] && JRE_HOME=`cygpath --unix "$JRE_HOME"`
- [ -n "$CATALINA_HOME" ] && CATALINA_HOME=`cygpath --unix "$CATALINA_HOME"`
- [ -n "$CATALINA_BASE" ] && CATALINA_BASE=`cygpath --unix "$CATALINA_BASE"`
- [ -n "$CLASSPATH" ] && CLASSPATH=`cygpath --path --unix "$CLASSPATH"`
- [ -n "$JSSE_HOME" ] && JSSE_HOME=`cygpath --absolute --unix "$JSSE_HOME"`
-fi
-
-# For OS400
-if $os400; then
- # Set job priority to standard for interactive (interactive - 6) by using
- # the interactive priority - 6, the helper threads that respond to requests
- # will be running at the same priority as interactive jobs.
- COMMAND='chgjob job('$JOBNAME') runpty(6)'
- system $COMMAND
-
- # Enable multi threading
- export QIBM_MULTI_THREADED=Y
-fi
-
-[ -r "$TOMCAT_CFG" ] && . "${TOMCAT_CFG}"
-
-### Set up defaults if they were omitted in TOMCAT_CFG
-### JVM lookup
-if [ -z "$JAVA_HOME" ]; then
- # Search for java in PATH
- JAVA=`which java`
- if [ -z "$JAVA" ] ; then
- JAVA_BINDIR=`dirname ${JAVA}`
- JAVA_HOME="${JAVA_BINDIR}/.."
- fi
- # Default clean JAVA_HOME
- [ -z "$JAVA_HOME" -a -d "/usr/lib/java" ] && JAVA_HOME="/usr/lib/java"
- # Default IBM JAVA_HOME
- [ -z "$JAVA_HOME" -a -d "/opt/IBMJava2-13" ] && \
- JAVA_HOME="/opt/IBMJava2-13"
- [ -z "$JAVA_HOME" -a -d "/opt/IBMJava2-131" ] && \
- JAVA_HOME="/opt/IBMJava2-131"
- [ -z "$JAVA_HOME" -a -d "/opt/IBMJava2-14" ] && \
- JAVA_HOME="/opt/IBMJava2-14"
- [ -z "$JAVA_HOME" -a -d "/opt/IBMJava2-141" ] && \
- JAVA_HOME="/opt/IBMJava2-141"
- # Another solution
- [ -z "$JAVA_HOME" -a -d "/usr/java/jdk" ] && \
- JAVA_HOME="/usr/java/jdk"
- # madeinlinux JAVA_HOME
- [ -z "$JAVA_HOME" -a -d "/usr/local/jdk1.2.2" ] && \
- JAVA_HOME="/usr/local/jdk1.2.2"
- # Kondara JAVA_HOME
- [ -z "$JAVA_HOME" -a -d "/usr/lib/java/jdk1.2.2" ] && \
- JAVA_HOME="/usr/lib/java/jdk1.2.2"
- # Other commonly found JAVA_HOMEs
- [ -z "$JAVA_HOME" -a -d "/usr/jdk1.2" ] && JAVA_HOME="/usr/jdk1.2"
- # Default Caldera JAVA_HOME
- [ -z "$JAVA_HOME" -a -d "/opt/java-1.3" ] && \
- JAVA_HOME="/opt/java-1.3"
- # Add other locations here
- if [ -z "$JAVA_HOME" ]; then
- echo "No JAVA_HOME specified in ${TOMCAT_CFG} and no java found"
- exit 1
- else
- echo "Found JAVA_HOME: ${JAVA_HOME}"
- echo "Please complete your ${TOMCAT_CFG} so we won't have to look for it next time"
- fi
-fi
-
-# Set juli LogManager if it is present
-if [ -r "$CATALINA_HOME"/bin/tomcat-juli.jar ]; then
- JAVA_OPTS="$JAVA_OPTS "-Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager
-fi
-
-# Set standard commands for invoking Java.
-_RUNJAVA="$JAVA_HOME"/bin/java
-_RUNJAVAC="$JAVA_HOME"/bin/javac
-_RUNJDB="$JAVA_HOME"/bin/jdb
-
-# Set standard CLASSPATH
-# (always inherit any preset values from the PKI start script)
-if [ ${OS} = "Linux" ] ; then
- # Checking for OpenJDK JVM
- OPENJDK_JVM="`java -version 2>&1 | tail -1 | awk '{print $1};'`"
- if [ "${OPENJDK_JVM}" = "OpenJDK" ] ||
- [ "${OPENJDK_JVM}" = "IcedTea" ]; then
- # using OpenJDK
- CLASSPATH="$CLASSPATH":"$JAVA_HOME"/lib/rt.jar
-
- # add required classes to the CLASSPATH for OpenJDK
- CLASSPATH="$CLASSPATH":"$JAVADIR"/commons-collections.jar
- else
- # NOT using OpenJDK
- CLASSPATH="$CLASSPATH":"$JAVA_HOME"/lib/tools.jar
- fi
-elif [ ${OS} = "SunOS" ] ; then
- CLASSPATH="$CLASSPATH":"$JAVA_HOME"/lib/rt.jar
-fi
-
-# Add on extra jar files to CLASSPATH
-if [ -n "$JSSE_HOME" ]; then
- CLASSPATH="$CLASSPATH":"$JSSE_HOME"/lib/jcert.jar:"$JSSE_HOME"/lib/jnet.jar:"$JSSE_HOME"/lib/jsse.jar
-fi
-
-# JPackage JSSE location check
-if [ -r "$JAVADIR/jsse/jcert.jar" ]; then
- CLASSPATH="$CLASSPATH":"$JAVADIR"/jsse/jcert.jar:"$JAVADIR"/jsse/jnet.jar:"$JAVADIR"/jsse/jsse.jar
-fi
-
-if [ ${OS} = "Linux" ] ; then
- CLASSPATH="$CLASSPATH":"$CATALINA_HOME"/bin/bootstrap.jar:"$CATALINA_HOME"/bin/commons-logging-api.jar:`/usr/bin/build-classpath mx4j/mx4j-impl`:`/usr/bin/build-classpath mx4j/mx4j-jmx`
-
- # add jars in required components for velocity >= 1.6 (just in case)
- VELOCITY=`rpm -q velocity|sed 's/velocity-\([0-9]*\)\.\([0-9]*\).*/\1\2/'`
- if [ "$VELOCITY" -ge 16 ]; then
- CLASSPATH="$CLASSPATH":`/usr/bin/build-classpath bcel hsqldb commons-collections commons-lang commons-logging commons-logging-api jdom junit oro servletapi5 werken.xpath`
- fi
-
-elif [ ${OS} = "SunOS" ] ; then
- # The following definitions are provided for Solaris
- # platforms since they are unable to execute the
- # "/usr/bin/build-classpath" and
- # "/usr/share/java-utils/java-functions" files . . .
-
- CLASSPATH="$CLASSPATH":"$CATALINA_HOME"/bin/bootstrap.jar
- CLASSPATH="$CLASSPATH":"$CATALINA_HOME"/bin/commons-logging-api.jar
- CLASSPATH="$CLASSPATH":/usr/share/java/mx4j/mx4j-impl.jar
- CLASSPATH="$CLASSPATH":/usr/share/java/mx4j/mx4j-jmx.jar
- CLASSPATH="$CLASSPATH":/usr/share/java/pki/base.jar
- CLASSPATH="$CLASSPATH":/usr/share/java/pki/certsrv.jar
- CLASSPATH="$CLASSPATH":/usr/share/java/pki/cms.jar
- CLASSPATH="$CLASSPATH":/usr/share/java/pki/cms72.jar
- CLASSPATH="$CLASSPATH":/usr/share/java/pki/cms72_en.jar
- CLASSPATH="$CLASSPATH":/usr/share/java/pki/cmsbundle.jar
- CLASSPATH="$CLASSPATH":/usr/share/java/pki/cmscore.jar
- CLASSPATH="$CLASSPATH":/usr/share/java/pki/cmsutil.jar
- CLASSPATH="$CLASSPATH":/usr/share/java/pki/mcc70.jar
- CLASSPATH="$CLASSPATH":/usr/share/java/pki/mcc70_en.jar
- CLASSPATH="$CLASSPATH":/usr/share/java/pki/nmclf70.jar
- CLASSPATH="$CLASSPATH":/usr/share/java/pki/nmclf70_en.jar
- CLASSPATH="$CLASSPATH":/usr/share/java/pki/nsutil.jar
-
- if [ -f /usr/share/java/pkitools.jar ]; then
- CLASSPATH="$CLASSPATH":/usr/share/java/pkitools.jar
- elif [ -f /usr/share/java/cstools.jar ]; then
- CLASSPATH="$CLASSPATH":/usr/share/java/cstools.jar
- elif [ -f /usr/share/java/pki/cstools.jar ]; then
- CLASSPATH="$CLASSPATH":/usr/share/java/pki/cstools.jar
- fi
-
- if [ -f /usr/share/java/ca.jar ]; then
- CLASSPATH="$CLASSPATH":/usr/share/java/ca.jar
- elif [ -f /usr/share/java/pki/ca/ca.jar ]; then
- CLASSPATH="$CLASSPATH":/usr/share/java/pki/ca/ca.jar
- fi
- if [ -f /usr/share/java/kra.jar ]; then
- CLASSPATH="$CLASSPATH":/usr/share/java/kra.jar
- elif [ -f /usr/share/java/pki/kra/kra.jar ]; then
- CLASSPATH="$CLASSPATH":/usr/share/java/pki/kra/kra.jar
- fi
- if [ -f /usr/share/java/ocsp.jar ]; then
- CLASSPATH="$CLASSPATH":/usr/share/java/ocsp.jar
- elif [ -f /usr/share/java/pki/ocsp/ocsp.jar ]; then
- CLASSPATH="$CLASSPATH":/usr/share/java/pki/ocsp/ocsp.jar
- fi
- if [ -f /usr/share/java/tks.jar ]; then
- CLASSPATH="$CLASSPATH":/usr/share/java/tks.jar
- elif [ -f /usr/share/java/pki/tks/tks.jar ]; then
- CLASSPATH="$CLASSPATH":/usr/share/java/pki/tks/tks.jar
- fi
-
- # add jars for velocity 1.6 (just in case)
- CLASSPATH="$CLASSPATH":/usr/share/java/bcel.jar
- CLASSPATH="$CLASSPATH":/usr/share/java/hsqldb.jar
- CLASSPATH="$CLASSPATH":/usr/share/java/commons-collections.jar
- CLASSPATH="$CLASSPATH":/usr/share/java/commons-lang.jar
- CLASSPATH="$CLASSPATH":/usr/share/java/commons-logging.jar
- CLASSPATH="$CLASSPATH":/usr/share/java/commons-logging-api.jar
- CLASSPATH="$CLASSPATH":/usr/share/java/jdom.jar
- CLASSPATH="$CLASSPATH":/usr/share/java/junit.jar
- CLASSPATH="$CLASSPATH":/usr/share/java/oro.jar
- CLASSPATH="$CLASSPATH":/usr/share/java/servletapi5.jar
- CLASSPATH="$CLASSPATH":/usr/share/java/werken.xpath.jar
-
-fi
-
-if [ -z "$CATALINA_BASE" ] ; then
- CATALINA_BASE="$CATALINA_HOME"
-fi
-
-if [ -z "$CATALINA_TMPDIR" ] ; then
- # Define the java.io.tmpdir to use for Catalina
- CATALINA_TMPDIR="$CATALINA_BASE"/temp
-fi
-
-if [ -z "$CATALINA_PID" ] ; then
- export CATALINA_PID=/var/run/tomcat5.pid
-fi
-
-# For Cygwin, switch paths to Windows format before running java
-if $cygwin; then
- JAVA_HOME=`cygpath --absolute --windows "$JAVA_HOME"`
- JRE_HOME=`cygpath --absolute --windows "$JRE_HOME"`
- CATALINA_HOME=`cygpath --absolute --windows "$CATALINA_HOME"`
- CATALINA_BASE=`cygpath --absolute --windows "$CATALINA_BASE"`
- CATALINA_TMPDIR=`cygpath --absolute --windows "$CATALINA_TMPDIR"`
- CLASSPATH=`cygpath --path --windows "$CLASSPATH"`
- [ -n "$JSSE_HOME" ] && JSSE_HOME=`cygpath --absolute --windows "$JSSE_HOME"`
- JAVA_ENDORSED_DIRS=`cygpath --path --windows "$JAVA_ENDORSED_DIRS"`
-fi
-
-# ----- Execute The Requested Command -----------------------------------------
-echo "Using CATALINA_PID $CATALINA_PID"
-echo "Using CATALINA_BASE: $CATALINA_BASE"
-echo "Using CATALINA_HOME: $CATALINA_HOME"
-echo "Using CATALINA_TMPDIR: $CATALINA_TMPDIR"
-if [ "$1" = "debug" -o "$1" = "javac" ] ; then
- echo "Using JAVA_HOME: $JAVA_HOME"
-else
- echo "Using JRE_HOME: $JRE_HOME"
-fi
-
-if [ "$1" = "jpda" ] ; then
- if [ -z "$JPDA_TRANSPORT" ]; then
- JPDA_TRANSPORT="dt_socket"
- fi
- if [ -z "$JPDA_ADDRESS" ]; then
- JPDA_ADDRESS="8000"
- fi
- if [ -z "$JPDA_OPTS" ]; then
- JPDA_OPTS="-Xdebug -Xrunjdwp:transport=$JPDA_TRANSPORT,address=$JPDA_ADDRESS,server=y,suspend=n"
- fi
- CATALINA_OPTS="$CATALINA_OPTS $JPDA_OPTS"
- shift
-fi
-
-if [ "$1" = "debug" ] ; then
- if $os400; then
- echo "Debug command not available on OS400"
- exit 1
- else
- shift
- if [ "$1" = "-security" ] ; then
- echo "Using Security Manager"
- shift
- exec "$_RUNJDB" $JAVA_OPTS $CATALINA_OPTS \
- -Djava.endorsed.dirs="$JAVA_ENDORSED_DIRS" -classpath "$CLASSPATH" \
- -sourcepath "$CATALINA_HOME"/../../jakarta-tomcat-catalina/catalina/src/share \
- -Djava.security.manager \
- -Djava.security.policy=="$CATALINA_BASE"/conf/catalina.policy \
- -Dcatalina.base="$CATALINA_BASE" \
- -Dcatalina.home="$CATALINA_HOME" \
- -Djava.io.tmpdir="$CATALINA_TMPDIR" \
- org.apache.catalina.startup.Bootstrap "$@" start
- else
- exec "$_RUNJDB" $JAVA_OPTS $CATALINA_OPTS \
- -Djava.endorsed.dirs="$JAVA_ENDORSED_DIRS" -classpath "$CLASSPATH" \
- -sourcepath "$CATALINA_HOME"/../../jakarta-tomcat-catalina/catalina/src/share \
- -Dcatalina.base="$CATALINA_BASE" \
- -Dcatalina.home="$CATALINA_HOME" \
- -Djava.io.tmpdir="$CATALINA_TMPDIR" \
- org.apache.catalina.startup.Bootstrap "$@" start
- fi
- fi
-
-elif [ "$1" = "run" ]; then
-
- shift
- if [ "$1" = "-security" ] ; then
- echo "Using Security Manager"
- shift
- exec "$_RUNJAVA" $JAVA_OPTS $CATALINA_OPTS \
- -Djava.endorsed.dirs="$JAVA_ENDORSED_DIRS" -classpath "$CLASSPATH" \
- -Djava.security.manager \
- -Djava.security.policy=="$CATALINA_BASE"/conf/catalina.policy \
- -Dcatalina.base="$CATALINA_BASE" \
- -Dcatalina.home="$CATALINA_HOME" \
- -Djava.io.tmpdir="$CATALINA_TMPDIR" \
- org.apache.catalina.startup.Bootstrap "$@" start
- else
- exec "$_RUNJAVA" $JAVA_OPTS $CATALINA_OPTS \
- -Djava.endorsed.dirs="$JAVA_ENDORSED_DIRS" -classpath "$CLASSPATH" \
- -Dcatalina.base="$CATALINA_BASE" \
- -Dcatalina.home="$CATALINA_HOME" \
- -Djava.io.tmpdir="$CATALINA_TMPDIR" \
- org.apache.catalina.startup.Bootstrap "$@" start
- fi
-
-elif [ "$1" = "start" ] ; then
-
- shift
- touch "$CATALINA_BASE"/logs/catalina.out
- if [ "$1" = "-security" ] ; then
- echo "Using Security Manager"
- shift
- "$_RUNJAVA" $JAVA_OPTS $CATALINA_OPTS \
- -Djava.endorsed.dirs="$JAVA_ENDORSED_DIRS" -classpath "$CLASSPATH" \
- -Djava.security.manager \
- -Djava.security.policy=="$CATALINA_BASE"/conf/catalina.policy \
- -Dcatalina.base="$CATALINA_BASE" \
- -Dcatalina.home="$CATALINA_HOME" \
- -Djava.io.tmpdir="$CATALINA_TMPDIR" \
- org.apache.catalina.startup.Bootstrap "$@" start \
- >> "$CATALINA_BASE"/logs/catalina.out 2>&1 &
-
- if [ ! -z "$CATALINA_PID" ]; then
- echo $! > $CATALINA_PID
- fi
- else
- "$_RUNJAVA" $JAVA_OPTS $CATALINA_OPTS \
- -Djava.endorsed.dirs="$JAVA_ENDORSED_DIRS" -classpath "$CLASSPATH" \
- -Dcatalina.base="$CATALINA_BASE" \
- -Dcatalina.home="$CATALINA_HOME" \
- -Djava.io.tmpdir="$CATALINA_TMPDIR" \
- org.apache.catalina.startup.Bootstrap "$@" start \
- >> "$CATALINA_BASE"/logs/catalina.out 2>&1 &
-
- if [ ! -z "$CATALINA_PID" ]; then
- echo $! > $CATALINA_PID
- fi
- fi
-
-elif [ "$1" = "stop" ] ; then
-
- shift
- FORCE=0
- if [ "$1" = "-force" ]; then
- shift
- FORCE=1
- fi
-
- "$_RUNJAVA" $JAVA_OPTS $CATALINA_OPTS \
- -Djava.endorsed.dirs="$JAVA_ENDORSED_DIRS" -classpath "$CLASSPATH" \
- -Dcatalina.base="$CATALINA_BASE" \
- -Dcatalina.home="$CATALINA_HOME" \
- -Djava.io.tmpdir="$CATALINA_TMPDIR" \
- org.apache.catalina.startup.Bootstrap "$@" stop
-
- if [ $FORCE -eq 1 ]; then
- if [ ! -z "$CATALINA_PID" ]; then
- echo "Killing: `cat $CATALINA_PID`"
- kill -9 `cat $CATALINA_PID`
- fi
- fi
-
-elif [ "$1" = "version" ] ; then
-
- "$_RUNJAVA" \
- -classpath "$CATALINA_HOME/server/lib/catalina.jar" \
- org.apache.catalina.util.ServerInfo
-
-else
-
- echo "Usage: dtomcat5 ( commands ... )"
- echo "commands:"
- if $os400; then
- echo " debug Start Catalina in a debugger (not available on OS400)"
- echo " debug -security Debug Catalina with a security manager (not available on OS400)"
- else
- echo " debug Start Catalina in a debugger"
- echo " debug -security Debug Catalina with a security manager"
- fi
- echo " jpda start Start Catalina under JPDA debugger"
- echo " run Start Catalina in the current window"
- echo " run -security Start in the current window with security manager"
- echo " start Start Catalina in a separate window"
- echo " start -security Start in a separate window with security manager"
- echo " stop Stop Catalina"
- echo " stop -force Stop Catalina (followed by kill -KILL)"
- echo " version What version of tomcat are you running?"
- exit 1
-
-fi
diff --git a/pki/base/kra/shared/conf/logging.properties b/pki/base/kra/shared/conf/logging.properties
new file mode 100644
index 000000000..796cfc071
--- /dev/null
+++ b/pki/base/kra/shared/conf/logging.properties
@@ -0,0 +1,70 @@
+# --- BEGIN COPYRIGHT BLOCK ---
+# Copyright (C) 2006-2010 Red Hat, Inc.
+# All rights reserved.
+# Modifications: configuration parameters
+# --- END COPYRIGHT BLOCK ---
+
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+handlers = 1catalina.org.apache.juli.FileHandler, 2localhost.org.apache.juli.FileHandler, 3manager.org.apache.juli.FileHandler, 4host-manager.org.apache.juli.FileHandler, java.util.logging.ConsoleHandler
+
+.handlers = 1catalina.org.apache.juli.FileHandler, java.util.logging.ConsoleHandler
+
+############################################################
+# Handler specific properties.
+# Describes specific configuration info for Handlers.
+############################################################
+
+1catalina.org.apache.juli.FileHandler.level = FINE
+1catalina.org.apache.juli.FileHandler.directory = ${catalina.base}/logs
+1catalina.org.apache.juli.FileHandler.prefix = catalina.
+
+2localhost.org.apache.juli.FileHandler.level = FINE
+2localhost.org.apache.juli.FileHandler.directory = ${catalina.base}/logs
+2localhost.org.apache.juli.FileHandler.prefix = localhost.
+
+3manager.org.apache.juli.FileHandler.level = FINE
+3manager.org.apache.juli.FileHandler.directory = ${catalina.base}/logs
+3manager.org.apache.juli.FileHandler.prefix = manager.
+
+4host-manager.org.apache.juli.FileHandler.level = FINE
+4host-manager.org.apache.juli.FileHandler.directory = ${catalina.base}/logs
+4host-manager.org.apache.juli.FileHandler.prefix = host-manager.
+
+java.util.logging.ConsoleHandler.level = FINE
+java.util.logging.ConsoleHandler.formatter = java.util.logging.SimpleFormatter
+
+
+############################################################
+# Facility specific properties.
+# Provides extra control for each logger.
+############################################################
+
+org.apache.catalina.core.ContainerBase.[Catalina].[localhost].level = INFO
+org.apache.catalina.core.ContainerBase.[Catalina].[localhost].handlers = 2localhost.org.apache.juli.FileHandler
+
+org.apache.catalina.core.ContainerBase.[Catalina].[localhost].[/manager].level = INFO
+org.apache.catalina.core.ContainerBase.[Catalina].[localhost].[/manager].handlers = 3manager.org.apache.juli.FileHandler
+
+org.apache.catalina.core.ContainerBase.[Catalina].[localhost].[/host-manager].level = INFO
+org.apache.catalina.core.ContainerBase.[Catalina].[localhost].[/host-manager].handlers = 4host-manager.org.apache.juli.FileHandler
+
+# For example, set the com.xyz.foo logger to only log SEVERE
+# messages:
+#org.apache.catalina.startup.ContextConfig.level = FINE
+#org.apache.catalina.startup.HostConfig.level = FINE
+#org.apache.catalina.session.ManagerBase.level = FINE
+#org.apache.catalina.core.AprLifecycleListener.level=FINE
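Review bot: The `3manager` and `4host-manager` handlers and the matching `[/manager]` and `[/host-manager]` logger entries configure log files for webapps that nothing in this hunk shows the KRA instance deploying; if they are not deployed the entries are inert, and if they are, their logs land in `${catalina.base}/logs` at FINE level like every other handler here. Either drop them or add a comment above the handlers line: `# 3manager/4host-manager handlers are carried over from the stock Tomcat logging.properties; remove if the manager webapps are not deployed in this instance.` The ConsoleHandler at FINE also means everything reaching the root logger is duplicated into the console output; worth a comment if that is intentional.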
diff --git a/pki/base/kra/shared/conf/server.xml b/pki/base/kra/shared/conf/server.xml
index 71b433bef..9a24cfa44 100644
--- a/pki/base/kra/shared/conf/server.xml
+++ b/pki/base/kra/shared/conf/server.xml
@@ -1,208 +1,196 @@
-<!-- Example Server Configuration File -->
-<!-- Note that component elements are nested corresponding to their
- parent-child relationships with each other -->
-
-<!-- A "Server" is a singleton element that represents the entire JVM,
- which may contain one or more "Service" instances. The Server
- listens for a shutdown command on the indicated port.
-
- Note: A "Server" is not itself a "Container", so you may not
- define subcomponents such as "Valves" or "Loggers" at this level.
+<?xml version='1.0' encoding='utf-8'?>
+<!-- BEGIN COPYRIGHT BLOCK
+ Copyright (C) 2006-2010 Red Hat, Inc.
+ All rights reserved.
+ Modifications: configuration parameters
+ END COPYRIGHT BLOCK -->
+<!--
+ Licensed to the Apache Software Foundation (ASF) under one or more
+ contributor license agreements. See the NOTICE file distributed with
+ this work for additional information regarding copyright ownership.
+ The ASF licenses this file to You under the Apache License, Version 2.0
+ (the "License"); you may not use this file except in compliance with
+ the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+-->
+<!-- Note: A "Server" is not itself a "Container", so you may not
+ define subcomponents such as "Valves" at this level.
+ Documentation at /docs/config/server.html
-->
<!-- DO NOT REMOVE - Begin PKI Status Definitions -->
<!--
-Unsecure Port = http://[PKI_MACHINE_NAME]:[PKI_UNSECURE_PORT]/[PKI_SUBSYSTEM_TYPE]/ee/[PKI_SUBSYSTEM_TYPE]
-Secure Agent Port = https://[PKI_MACHINE_NAME]:[PKI_AGENT_SECURE_PORT]/[PKI_SUBSYSTEM_TYPE]/agent/[PKI_SUBSYSTEM_TYPE]
-Secure EE Port = https://[PKI_MACHINE_NAME]:[PKI_EE_SECURE_PORT]/[PKI_SUBSYSTEM_TYPE]/ee/[PKI_SUBSYSTEM_TYPE]
-Secure Admin Port = https://[PKI_MACHINE_NAME]:[PKI_ADMIN_SECURE_PORT]/[PKI_SUBSYSTEM_TYPE]/services
-PKI Console Port = pkiconsole https://[PKI_MACHINE_NAME]:[PKI_ADMIN_SECURE_PORT]/[PKI_SUBSYSTEM_TYPE]
-Tomcat Port = [TOMCAT_SERVER_PORT] (for shutdown)
+Unsecure Port = http://[PKI_MACHINE_NAME]:[PKI_UNSECURE_PORT]/[PKI_SUBSYSTEM_TYPE]/ee/[PKI_SUBSYSTEM_TYPE]
+Secure Agent Port = https://[PKI_MACHINE_NAME]:[PKI_AGENT_SECURE_PORT]/[PKI_SUBSYSTEM_TYPE]/agent/[PKI_SUBSYSTEM_TYPE]
+Secure EE Port = https://[PKI_MACHINE_NAME]:[PKI_EE_SECURE_PORT]/[PKI_SUBSYSTEM_TYPE]/ee/[PKI_SUBSYSTEM_TYPE]
+Secure Admin Port = https://[PKI_MACHINE_NAME]:[PKI_ADMIN_SECURE_PORT]/[PKI_SUBSYSTEM_TYPE]/services
+PKI Console Port = pkiconsole https://[PKI_MACHINE_NAME]:[PKI_ADMIN_SECURE_PORT]/[PKI_SUBSYSTEM_TYPE]
+Tomcat Port = [TOMCAT_SERVER_PORT] (for shutdown)
-->
<!-- DO NOT REMOVE - End PKI Status Definitions -->
<Server port="[TOMCAT_SERVER_PORT]" shutdown="SHUTDOWN">
- <!-- Comment these entries out to disable JMX MBeans support used for the
- administration web application -->
+ <!--APR library loader. Documentation at /docs/apr.html -->
+ <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />
+ <!--Initialize Jasper prior to webapps are loaded. Documentation at /docs/jasper-howto.html -->
+ <Listener className="org.apache.catalina.core.JasperListener" />
+ <!-- JMX Support for the Tomcat server. Documentation at /docs/non-existent.html -->
<Listener className="org.apache.catalina.mbeans.ServerLifecycleListener" />
<Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener" />
- <Listener className="org.apache.catalina.storeconfig.StoreConfigLifecycleListener"/>
- <!-- Global JNDI resources -->
+ <!-- Global JNDI resources
+ Documentation at /docs/jndi-resources-howto.html
+ -->
<GlobalNamingResources>
-
- <!-- Test entry for demonstration purposes -->
- <Environment name="simpleValue" type="java.lang.Integer" value="30"/>
-
<!-- Editable user database that can also be used by
- UserDatabaseRealm to authenticate users -->
+ UserDatabaseRealm to authenticate users
+ -->
<Resource name="UserDatabase" auth="Container"
type="org.apache.catalina.UserDatabase"
- description="User database that can be updated and saved"
- factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
- pathname="conf/tomcat-users.xml" />
-
+ description="User database that can be updated and saved"
+ factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
+ pathname="conf/tomcat-users.xml" />
</GlobalNamingResources>
<!-- A "Service" is a collection of one or more "Connectors" that share
- a single "Container" (and therefore the web applications visible
- within that Container). Normally, that Container is an "Engine",
- but this is not required.
-
- Note: A "Service" is not itself a "Container", so you may not
- define subcomponents such as "Valves" or "Loggers" at this level.
+ a single "Container" Note: A "Service" is not itself a "Container",
+ so you may not define subcomponents such as "Valves" at this level.
+ Documentation at /docs/config/service.html
-->
-
- <!-- Define the Tomcat Stand-Alone Service -->
<Service name="Catalina">
-
+
+ <!--The connectors can use a shared executor, you can define one or more named thread pools-->
+ <!--
+ <Executor name="tomcatThreadPool" namePrefix="catalina-exec-"
+ maxThreads="150" minSpareThreads="4"/>
+ -->
+
+
<!-- A "Connector" represents an endpoint by which requests are received
- and responses are returned. Each Connector passes requests on to the
- associated "Container" (normally an Engine) for processing.
-
- By default, a non-SSL HTTP/1.1 Connector is established on port 8080.
- You can also enable an SSL HTTP/1.1 Connector on port 8443 by
- following the instructions below and uncommenting the second Connector
- entry. SSL support requires the following steps (see the SSL Config
- HOWTO in the Tomcat 5 documentation bundle for more detailed
- instructions):
- * If your JDK version 1.3 or prior, download and install JSSE 1.0.2 or
- later, and put the JAR files into "$JAVA_HOME/jre/lib/ext".
- * Execute:
- %JAVA_HOME%\bin\keytool -genkey -alias tomcat -keyalg RSA (Windows)
- $JAVA_HOME/bin/keytool -genkey -alias tomcat -keyalg RSA (Unix)
- with a password value of "changeit" for both the certificate and
- the keystore itself.
-
- By default, DNS lookups are enabled when a web application calls
- request.getRemoteHost(). This can have an adverse impact on
- performance, so you can disable it by setting the
- "enableLookups" attribute to "false". When DNS lookups are disabled,
- request.getRemoteHost() will return the String version of the
- IP address of the remote client.
+ and responses are returned. Documentation at :
+ Java HTTP Connector: /docs/config/http.html (blocking & non-blocking)
+ Java AJP Connector: /docs/config/ajp.html
+ APR (HTTP/AJP) Connector: /docs/apr.html
+ Define a non-SSL HTTP/1.1 Connector on port 8080
-->
-<!-- Define a non-SSL HTTP/1.1 Connector on port 8080 -->
-[PKI_UNSECURE_PORT_SERVER_COMMENT]
-<Connector name="[PKI_UNSECURE_PORT_CONNECTOR_NAME]" port="[PKI_UNSECURE_PORT]" maxHttpHeaderSize="8192"
- maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
- enableLookups="false" redirectPort="8443" acceptCount="100"
- connectionTimeout="20000" disableUploadTimeout="true"/>
-
-
-<!-- Define a SSL HTTP/1.1 Connector on port 8443 -->
-[PKI_SECURE_PORT_SERVER_COMMENT]
-<!-- DO NOT REMOVE - Begin define PKI secure port -->
-<Connector name="[PKI_SECURE_PORT_CONNECTOR_NAME]" port="[PKI_SECURE_PORT]" maxHttpHeaderSize="8192"
- maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
- enableLookups="false" disableUploadTimeout="true"
- acceptCount="100" scheme="https" secure="true"
- clientAuth="[PKI_AGENT_CLIENTAUTH]" sslProtocol="SSL"
- sslOptions="ssl2=false,ssl3=true,tls=true"
- ssl2Ciphers="-SSL2_RC4_128_WITH_MD5,-SSL2_RC4_128_EXPORT40_WITH_MD5,-SSL2_RC2_128_CBC_WITH_MD5,-SSL2_RC2_128_CBC_EXPORT40_WITH_MD5,-SSL2_DES_64_CBC_WITH_MD5,-SSL2_DES_192_EDE3_CBC_WITH_MD5"
- ssl3Ciphers="-SSL3_FORTEZZA_DMS_WITH_NULL_SHA,-SSL3_FORTEZZA_DMS_WITH_RC4_128_SHA,+SSL3_RSA_WITH_RC4_128_SHA,-SSL3_RSA_EXPORT_WITH_RC4_40_MD5,+SSL3_RSA_WITH_3DES_EDE_CBC_SHA,+SSL3_RSA_WITH_DES_CBC_SHA,-SSL3_RSA_EXPORT_WITH_RC2_CBC_40_MD5,-SSL3_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA,-SSL_RSA_FIPS_WITH_DES_CBC_SHA,+SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA,-SSL3_RSA_WITH_NULL_MD5,-TLS_RSA_EXPORT1024_WITH_RC4_56_SHA,-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA"
- tls3Ciphers="-SSL3_FORTEZZA_DMS_WITH_NULL_SHA,-SSL3_FORTEZZA_DMS_WITH_RC4_128_SHA,+SSL3_RSA_WITH_RC4_128_SHA,-SSL3_RSA_EXPORT_WITH_RC4_40_MD5,+SSL3_RSA_WITH_3DES_EDE_CBC_SHA,+SSL3_RSA_WITH_DES_CBC_SHA,-SSL3_RSA_EXPORT_WITH_RC2_CBC_40_MD5,-SSL3_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA,-SSL_RSA_FIPS_WITH_DES_CBC_SHA,+SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA,-SSL3_RSA_WITH_NULL_MD5,-TLS_RSA_EXPORT1024_WITH_RC4_56_SHA,-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA"
- SSLImplementation="org.apache.tomcat.util.net.jss.JSSImplementation"
- serverCertNickFile="[PKI_INSTANCE_PATH]/conf/serverCertNick.conf"
- passwordFile="[PKI_INSTANCE_PATH]/conf/password.conf"
- passwordClass="org.apache.tomcat.util.net.jss.PlainPasswordFile"
- certdbDir="[PKI_INSTANCE_PATH]/alias"/>
-<!-- DO NOT REMOVE - End define PKI secure port -->
-
-[PKI_OPEN_SEPARATE_PORTS_SERVER_COMMENT][PKI_ADMIN_SECURE_PORT_SERVER_COMMENT]
-<Connector name="[PKI_ADMIN_SECURE_PORT_CONNECTOR_NAME]" port="[PKI_ADMIN_SECURE_PORT]" maxHttpHeaderSize="8192"
- maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
- enableLookups="false" disableUploadTimeout="true"
- acceptCount="100" scheme="https" secure="true"
- clientAuth="false" sslProtocol="SSL"
- sslOptions="ssl2=false,ssl3=true,tls=true"
- ssl2Ciphers="-SSL2_RC4_128_WITH_MD5,-SSL2_RC4_128_EXPORT40_WITH_MD5,-SSL2_RC2_128_CBC_WITH_MD5,-SSL2_RC2_128_CBC_EXPORT40_WITH_MD5,-SSL2_DES_64_CBC_WITH_MD5,-SSL2_DES_192_EDE3_CBC_WITH_MD5"
- ssl3Ciphers="-SSL3_FORTEZZA_DMS_WITH_NULL_SHA,-SSL3_FORTEZZA_DMS_WITH_RC4_128_SHA,+SSL3_RSA_WITH_RC4_128_SHA,-SSL3_RSA_EXPORT_WITH_RC4_40_MD5,+SSL3_RSA_WITH_3DES_EDE_CBC_SHA,+SSL3_RSA_WITH_DES_CBC_SHA,-SSL3_RSA_EXPORT_WITH_RC2_CBC_40_MD5,-SSL3_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA,-SSL_RSA_FIPS_WITH_DES_CBC_SHA,+SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA,-SSL3_RSA_WITH_NULL_MD5,-TLS_RSA_EXPORT1024_WITH_RC4_56_SHA,-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA"
- tls3Ciphers="-SSL3_FORTEZZA_DMS_WITH_NULL_SHA,-SSL3_FORTEZZA_DMS_WITH_RC4_128_SHA,+SSL3_RSA_WITH_RC4_128_SHA,-SSL3_RSA_EXPORT_WITH_RC4_40_MD5,+SSL3_RSA_WITH_3DES_EDE_CBC_SHA,+SSL3_RSA_WITH_DES_CBC_SHA,-SSL3_RSA_EXPORT_WITH_RC2_CBC_40_MD5,-SSL3_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA,-SSL_RSA_FIPS_WITH_DES_CBC_SHA,+SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA,-SSL3_RSA_WITH_NULL_MD5,-TLS_RSA_EXPORT1024_WITH_RC4_56_SHA,-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA"
- SSLImplementation="org.apache.tomcat.util.net.jss.JSSImplementation"
- serverCertNickFile="[PKI_INSTANCE_PATH]/conf/serverCertNick.conf"
- passwordFile="[PKI_INSTANCE_PATH]/conf/password.conf"
- passwordClass="org.apache.tomcat.util.net.jss.PlainPasswordFile"
- certdbDir="[PKI_INSTANCE_PATH]/alias"/>
-[PKI_CLOSE_SEPARATE_PORTS_SERVER_COMMENT]
-
-[PKI_OPEN_SEPARATE_PORTS_SERVER_COMMENT][PKI_EE_SECURE_PORT_SERVER_COMMENT]
-<Connector name="[PKI_EE_SECURE_PORT_CONNECTOR_NAME]" port="[PKI_EE_SECURE_PORT]" maxHttpHeaderSize="8192"
- maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
- enableLookups="false" disableUploadTimeout="true"
- acceptCount="100" scheme="https" secure="true"
- clientAuth="false" sslProtocol="SSL"
- sslOptions="ssl2=false,ssl3=true,tls=true"
- ssl2Ciphers="-SSL2_RC4_128_WITH_MD5,-SSL2_RC4_128_EXPORT40_WITH_MD5,-SSL2_RC2_128_CBC_WITH_MD5,-SSL2_RC2_128_CBC_EXPORT40_WITH_MD5,-SSL2_DES_64_CBC_WITH_MD5,-SSL2_DES_192_EDE3_CBC_WITH_MD5"
- ssl3Ciphers="-SSL3_FORTEZZA_DMS_WITH_NULL_SHA,-SSL3_FORTEZZA_DMS_WITH_RC4_128_SHA,+SSL3_RSA_WITH_RC4_128_SHA,-SSL3_RSA_EXPORT_WITH_RC4_40_MD5,+SSL3_RSA_WITH_3DES_EDE_CBC_SHA,+SSL3_RSA_WITH_DES_CBC_SHA,-SSL3_RSA_EXPORT_WITH_RC2_CBC_40_MD5,-SSL3_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA,-SSL_RSA_FIPS_WITH_DES_CBC_SHA,+SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA,-SSL3_RSA_WITH_NULL_MD5,-TLS_RSA_EXPORT1024_WITH_RC4_56_SHA,-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA"
- tls3Ciphers="-SSL3_FORTEZZA_DMS_WITH_NULL_SHA,-SSL3_FORTEZZA_DMS_WITH_RC4_128_SHA,+SSL3_RSA_WITH_RC4_128_SHA,-SSL3_RSA_EXPORT_WITH_RC4_40_MD5,+SSL3_RSA_WITH_3DES_EDE_CBC_SHA,+SSL3_RSA_WITH_DES_CBC_SHA,-SSL3_RSA_EXPORT_WITH_RC2_CBC_40_MD5,-SSL3_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA,-SSL_RSA_FIPS_WITH_DES_CBC_SHA,+SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA,-SSL3_RSA_WITH_NULL_MD5,-TLS_RSA_EXPORT1024_WITH_RC4_56_SHA,-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA"
- SSLImplementation="org.apache.tomcat.util.net.jss.JSSImplementation"
- serverCertNickFile="[PKI_INSTANCE_PATH]/conf/serverCertNick.conf"
- passwordFile="[PKI_INSTANCE_PATH]/conf/password.conf"
- passwordClass="org.apache.tomcat.util.net.jss.PlainPasswordFile"
- certdbDir="[PKI_INSTANCE_PATH]/alias"/>
-[PKI_CLOSE_SEPARATE_PORTS_SERVER_COMMENT]
-
- <!-- Note : To disable connection timeouts, set connectionTimeout value
- to 0 -->
-
- <!-- Note : To use gzip compression you could set the following properties :
-
- compression="on"
- compressionMinSize="2048"
- noCompressionUserAgents="gozilla, traviata"
- compressableMimeType="text/html,text/xml"
- -->
-
+ [PKI_UNSECURE_PORT_SERVER_COMMENT]
+ <Connector name="[PKI_UNSECURE_PORT_CONNECTOR_NAME]" port="[PKI_UNSECURE_PORT]" protocol="HTTP/1.1" redirectPort="8443"
+ maxHttpHeaderSize="8192"
+ acceptCount="100" maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
+ enableLookups="false" connectionTimeout="20000" disableUploadTimeout="true"
+ />
+
+ <!-- Define a SSL HTTP/1.1 Connector on port 8443 -->
+ [PKI_SECURE_PORT_SERVER_COMMENT]
+ <!-- DO NOT REMOVE - Begin define PKI secure port -->
+ <Connector name="[PKI_SECURE_PORT_CONNECTOR_NAME]" port="[PKI_SECURE_PORT]" protocol="HTTP/1.1" SSLEnabled="true" sslProtocol="SSL" scheme="https" secure="true"
+ maxHttpHeaderSize="8192"
+ acceptCount="100" maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
+ enableLookups="false" connectionTimeout="20000" disableUploadTimeout="true"
+ SSLImplementation="org.apache.tomcat.util.net.jss.JSSImplementation"
+ clientAuth="[PKI_AGENT_CLIENTAUTH]"
+ sslOptions="[TOMCAT_SSL_OPTIONS]"
+ ssl2Ciphers="[TOMCAT_SSL2_CIPHERS]"
+ ssl3Ciphers="[TOMCAT_SSL3_CIPHERS]"
+ tls3Ciphers="[TOMCAT_TLS3_CIPHERS]"
+ serverCertNickFile="[PKI_INSTANCE_PATH]/conf/serverCertNick.conf"
+ passwordFile="[PKI_INSTANCE_PATH]/conf/password.conf"
+ passwordClass="org.apache.tomcat.util.net.jss.PlainPasswordFile"
+ certdbDir="[PKI_INSTANCE_PATH]/alias"
+ />
+ <!-- DO NOT REMOVE - End define PKI secure port -->
+
+ [PKI_OPEN_SEPARATE_PORTS_SERVER_COMMENT][PKI_ADMIN_SECURE_PORT_SERVER_COMMENT]
+ <Connector name="[PKI_ADMIN_SECURE_PORT_CONNECTOR_NAME]" port="[PKI_ADMIN_SECURE_PORT]" SSLEnabled="true" sslProtocol="SSL" scheme="https" secure="true"
+ maxHttpHeaderSize="8192"
+ acceptCount="100" maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
+ enableLookups="false" disableUploadTimeout="true"
+ SSLImplementation="org.apache.tomcat.util.net.jss.JSSImplementation"
+ clientAuth="false"
+ sslOptions="[TOMCAT_SSL_OPTIONS]"
+ ssl2Ciphers="[TOMCAT_SSL2_CIPHERS]"
+ ssl3Ciphers="[TOMCAT_SSL3_CIPHERS]"
+ tls3Ciphers="[TOMCAT_TLS3_CIPHERS]"
+ serverCertNickFile="[PKI_INSTANCE_PATH]/conf/serverCertNick.conf"
+ passwordFile="[PKI_INSTANCE_PATH]/conf/password.conf"
+ passwordClass="org.apache.tomcat.util.net.jss.PlainPasswordFile"
+ certdbDir="[PKI_INSTANCE_PATH]/alias"/>
+ [PKI_CLOSE_SEPARATE_PORTS_SERVER_COMMENT]
+
+ [PKI_OPEN_SEPARATE_PORTS_SERVER_COMMENT][PKI_EE_SECURE_PORT_SERVER_COMMENT]
+ <Connector name="[PKI_EE_SECURE_PORT_CONNECTOR_NAME]" port="[PKI_EE_SECURE_PORT]" SSLEnabled="true" sslProtocol="SSL" scheme="https" secure="true"
+ maxHttpHeaderSize="8192"
+ acceptCount="100" maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
+ enableLookups="false" connectionTimeout="20000" disableUploadTimeout="true"
+ SSLImplementation="org.apache.tomcat.util.net.jss.JSSImplementation"
+ clientAuth="false"
+ sslOptions="[TOMCAT_SSL_OPTIONS]"
+ ssl2Ciphers="[TOMCAT_SSL2_CIPHERS]"
+ ssl3Ciphers="[TOMCAT_SSL3_CIPHERS]"
+ tls3Ciphers="[TOMCAT_TLS3_CIPHERS]"
+ serverCertNickFile="[PKI_INSTANCE_PATH]/conf/serverCertNick.conf"
+ passwordFile="[PKI_INSTANCE_PATH]/conf/password.conf"
+ passwordClass="org.apache.tomcat.util.net.jss.PlainPasswordFile"
+ certdbDir="[PKI_INSTANCE_PATH]/alias"/>
+ [PKI_CLOSE_SEPARATE_PORTS_SERVER_COMMENT]
+
+ <!-- A "Connector" using the shared thread pool-->
+ <!--
+ <Connector executor="tomcatThreadPool"
+ port="8080" protocol="HTTP/1.1"
+ connectionTimeout="20000"
+ redirectPort="8443" />
+ -->
+ <!-- Define a SSL HTTP/1.1 Connector on port 8443
+ This connector uses the JSSE configuration, when using APR, the
+ connector should be using the OpenSSL style configuration
+ described in the APR documentation -->
+ <!--
+ <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
+ maxThreads="150" scheme="https" secure="true"
+ clientAuth="false" sslProtocol="TLS" />
+ -->
<!-- Define an AJP 1.3 Connector on port 8009 -->
<!--
- <Connector port="8009"
- enableLookups="false" redirectPort="8443" protocol="AJP/1.3" />
+ <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
-->
- <!-- Define a Proxied HTTP/1.1 Connector on port 8082 -->
- <!-- See proxy documentation for more information about using this. -->
- <!--
- <Connector port="8082"
- maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
- enableLookups="false" acceptCount="100" connectionTimeout="20000"
- proxyPort="80" disableUploadTimeout="true" />
- -->
<!-- An Engine represents the entry point (within Catalina) that processes
every request. The Engine implementation for Tomcat stand alone
analyzes the HTTP headers included with the request, and passes them
- on to the appropriate Host (virtual host). -->
+ on to the appropriate Host (virtual host).
+ Documentation at /docs/config/engine.html -->
<!-- You should set jvmRoute to support load-balancing via AJP ie :
- <Engine name="Standalone" defaultHost="localhost" jvmRoute="jvm1">
+ <Engine name="Catalina" defaultHost="localhost" jvmRoute="jvm1">
-->
-
- <!-- Define the top level container in our container hierarchy -->
<Engine name="Catalina" defaultHost="localhost">
- <!-- The request dumper valve dumps useful debugging information about
- the request headers and cookies that were received, and the response
- headers and cookies that were sent, for all requests received by
- this instance of Tomcat. If you care only about requests to a
- particular virtual host, or a particular application, nest this
- element inside the corresponding <Host> or <Context> entry instead.
-
- For a similar mechanism that is portable to all Servlet 2.4
- containers, check out the "RequestDumperFilter" Filter in the
- example application (the source for this filter may be found in
- "$CATALINA_HOME/webapps/examples/WEB-INF/classes/filters").
+ <!--For clustering, please take a look at documentation at:
+ /docs/cluster-howto.html (simple how to)
+ /docs/config/cluster.html (reference documentation) -->
+ <!--
+ <Cluster className="org.apache.catalina.ha.tcp.SimpleTcpCluster"/>
+ -->
- Request dumping is disabled by default. Uncomment the following
- element to enable it. -->
+ <!-- The request dumper valve dumps useful debugging information about
+ the request and response data received and sent by Tomcat.
+ Documentation at: /docs/config/valve.html -->
<!--
<Valve className="org.apache.catalina.valves.RequestDumperValve"/>
-->
- <!-- Because this Realm is here, an instance will be shared globally -->
-
<!-- This Realm uses the UserDatabase configured in the global JNDI
resources under the key "UserDatabase". Any edits
that are performed against this UserDatabase are immediately
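Review bot: The admin and EE secure connectors (`<Connector name="[PKI_ADMIN_SECURE_PORT_CONNECTOR_NAME]" …` and `<Connector name="[PKI_EE_SECURE_PORT_CONNECTOR_NAME]" …`) omit the `protocol="HTTP/1.1"` attribute that the unsecure and agent connectors carry, and the admin connector also drops the `connectionTimeout="20000"` that the other three set, so the four definitions are no longer uniform. Because the hunk also turns on `<Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />`, a connector without an explicit protocol class will presumably be auto-switched to the APR implementation on a host where the native library is installed, in which case the JSS-specific attributes (`SSLImplementation`, `serverCertNickFile`, `passwordFile`, `certdbDir`) would be ignored and the port would fail to come up with the intended NSS-backed TLS — worth confirming before shipping. Adding `protocol="HTTP/1.1"` to both connectors and `connectionTimeout="20000"` to the admin one, e.g. `<Connector name="[PKI_ADMIN_SECURE_PORT_CONNECTOR_NAME]" port="[PKI_ADMIN_SECURE_PORT]" protocol="HTTP/1.1" SSLEnabled="true" sslProtocol="SSL" scheme="https" secure="true"`, keeps them consistent with the agent connector. The `<Service>` element these connectors belong to continues past the end of this hunk.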
@@ -210,229 +198,27 @@ Tomcat Port = [TOMCAT_SERVER_PORT] (for shutdown)
<Realm className="org.apache.catalina.realm.UserDatabaseRealm"
resourceName="UserDatabase"/>
- <!-- Comment out the old realm but leave here for now in case we
- need to go back quickly -->
- <!--
- <Realm className="org.apache.catalina.realm.MemoryRealm" />
- -->
-
- <!-- Replace the above Realm with one of the following to get a Realm
- stored in a database and accessed via JDBC -->
-
- <!--
- <Realm className="org.apache.catalina.realm.JDBCRealm"
- driverName="org.gjt.mm.mysql.Driver"
- connectionURL="jdbc:mysql://localhost/authority"
- connectionName="test" connectionPassword="test"
- userTable="users" userNameCol="user_name" userCredCol="user_pass"
- userRoleTable="user_roles" roleNameCol="role_name" />
- -->
-
- <!--
- <Realm className="org.apache.catalina.realm.JDBCRealm"
- driverName="oracle.jdbc.driver.OracleDriver"
- connectionURL="jdbc:oracle:thin:@ntserver:1521:ORCL"
- connectionName="scott" connectionPassword="tiger"
- userTable="users" userNameCol="user_name" userCredCol="user_pass"
- userRoleTable="user_roles" roleNameCol="role_name" />
- -->
-
- <!--
- <Realm className="org.apache.catalina.realm.JDBCRealm"
- driverName="sun.jdbc.odbc.JdbcOdbcDriver"
- connectionURL="jdbc:odbc:CATALINA"
- userTable="users" userNameCol="user_name" userCredCol="user_pass"
- userRoleTable="user_roles" roleNameCol="role_name" />
- -->
-
<!-- Define the default virtual host
Note: XML Schema validation will not work with Xerces 2.2.
-->
- <Host name="localhost" appBase="webapps"
- unpackWARs="true" autoDeploy="false"
- xmlValidation="false" xmlNamespaceAware="false">
-
- <!-- Defines a cluster for this node,
- By defining this element, means that every manager will be changed.
- So when running a cluster, only make sure that you have webapps in there
- that need to be clustered and remove the other ones.
- A cluster has the following parameters:
-
- className = the fully qualified name of the cluster class
-
- name = a descriptive name for your cluster, can be anything
-
- mcastAddr = the multicast address, has to be the same for all the nodes
-
- mcastPort = the multicast port, has to be the same for all the nodes
-
- mcastBindAddr = bind the multicast socket to a specific address
-
- mcastTTL = the multicast TTL if you want to limit your broadcast
-
- mcastSoTimeout = the multicast readtimeout
-
- mcastFrequency = the number of milliseconds in between sending a "I'm alive" heartbeat
+ <Host name="localhost" appBase="webapps"
+ unpackWARs="true" autoDeploy="false"
+ xmlValidation="false" xmlNamespaceAware="false">
- mcastDropTime = the number a milliseconds before a node is considered "dead" if no heartbeat is received
-
- tcpThreadCount = the number of threads to handle incoming replication requests, optimal would be the same amount of threads as nodes
-
- tcpListenAddress = the listen address (bind address) for TCP cluster request on this host,
- in case of multiple ethernet cards.
- auto means that address becomes
- InetAddress.getLocalHost().getHostAddress()
-
- tcpListenPort = the tcp listen port
-
- tcpSelectorTimeout = the timeout (ms) for the Selector.select() method in case the OS
- has a wakup bug in java.nio. Set to 0 for no timeout
-
- printToScreen = true means that managers will also print to std.out
-
- expireSessionsOnShutdown = true means that
-
- useDirtyFlag = true means that we only replicate a session after setAttribute,removeAttribute has been called.
- false means to replicate the session after each request.
- false means that replication would work for the following piece of code: (only for SimpleTcpReplicationManager)
- <%
- HashMap map = (HashMap)session.getAttribute("map");
- map.put("key","value");
- %>
- replicationMode = can be either 'pooled', 'synchronous' or 'asynchronous'.
- * Pooled means that the replication happens using several sockets in a synchronous way. Ie, the data gets replicated, then the request return. This is the same as the 'synchronous' setting except it uses a pool of sockets, hence it is multithreaded. This is the fastest and safest configuration. To use this, also increase the nr of tcp threads that you have dealing with replication.
- * Synchronous means that the thread that executes the request, is also the
- thread the replicates the data to the other nodes, and will not return until all
- nodes have received the information.
- * Asynchronous means that there is a specific 'sender' thread for each cluster node,
- so the request thread will queue the replication request into a "smart" queue,
- and then return to the client.
- The "smart" queue is a queue where when a session is added to the queue, and the same session
- already exists in the queue from a previous request, that session will be replaced
- in the queue instead of replicating two requests. This almost never happens, unless there is a
- large network delay.
- -->
- <!--
- When configuring for clustering, you also add in a valve to catch all the requests
- coming in, at the end of the request, the session may or may not be replicated.
- A session is replicated if and only if all the conditions are met:
- 1. useDirtyFlag is true or setAttribute or removeAttribute has been called AND
- 2. a session exists (has been created)
- 3. the request is not trapped by the "filter" attribute
-
- The filter attribute is to filter out requests that could not modify the session,
- hence we don't replicate the session after the end of this request.
- The filter is negative, ie, anything you put in the filter, you mean to filter out,
- ie, no replication will be done on requests that match one of the filters.
- The filter attribute is delimited by ;, so you can't escape out ; even if you wanted to.
-
- filter=".*\.gif;.*\.js;" means that we will not replicate the session after requests with the URI
- ending with .gif and .js are intercepted.
-
- The deployer element can be used to deploy apps cluster wide.
- Currently the deployment only deploys/undeploys to working members in the cluster
- so no WARs are copied upons startup of a broken node.
- The deployer watches a directory (watchDir) for WAR files when watchEnabled="true"
- When a new war file is added the war gets deployed to the local instance,
- and then deployed to the other instances in the cluster.
- When a war file is deleted from the watchDir the war is undeployed locally
- and cluster wide
- -->
-
- <!--
- <Cluster className="org.apache.catalina.cluster.tcp.SimpleTcpCluster"
- managerClassName="org.apache.catalina.cluster.session.DeltaManager"
- expireSessionsOnShutdown="false"
- useDirtyFlag="true"
- notifyListenersOnReplication="true">
-
- <Membership
- className="org.apache.catalina.cluster.mcast.McastService"
- mcastAddr="228.0.0.4"
- mcastPort="45564"
- mcastFrequency="500"
- mcastDropTime="3000"/>
-
- <Receiver
- className="org.apache.catalina.cluster.tcp.ReplicationListener"
- tcpListenAddress="auto"
- tcpListenPort="4001"
- tcpSelectorTimeout="100"
- tcpThreadCount="6"/>
-
- <Sender
- className="org.apache.catalina.cluster.tcp.ReplicationTransmitter"
- replicationMode="pooled"
- ackTimeout="15000"/>
-
- <Valve className="org.apache.catalina.cluster.tcp.ReplicationValve"
- filter=".*\.gif;.*\.js;.*\.jpg;.*\.png;.*\.htm;.*\.html;.*\.css;.*\.txt;"/>
-
- <Deployer className="org.apache.catalina.cluster.deploy.FarmWarDeployer"
- tempDir="/tmp/war-temp/"
- deployDir="/tmp/war-deploy/"
- watchDir="/tmp/war-listen/"
- watchEnabled="false"/>
- </Cluster>
- -->
-
-
-
- <!-- Normally, users must authenticate themselves to each web app
- individually. Uncomment the following entry if you would like
- a user to be authenticated the first time they encounter a
- resource protected by a security constraint, and then have that
- user identity maintained across *all* web applications contained
- in this virtual host. -->
+ <!-- SingleSignOn valve, share authentication between web applications
+ Documentation at: /docs/config/valve.html -->
<!--
<Valve className="org.apache.catalina.authenticator.SingleSignOn" />
-->
- <!-- Access log processes all requests for this virtual host. By
- default, log files are created in the "logs" directory relative to
- $CATALINA_HOME. If you wish, you can specify a different
- directory with the "directory" attribute. Specify either a relative
- (to $CATALINA_HOME) or absolute path to the desired directory.
- -->
- <Valve className="org.apache.catalina.valves.AccessLogValve"
- directory="logs" prefix="localhost_access_log." suffix=".txt"
- pattern="common" resolveHosts="false"/>
-
- <!-- Access log processes all requests for this virtual host. By
- default, log files are created in the "logs" directory relative to
- $CATALINA_HOME. If you wish, you can specify a different
- directory with the "directory" attribute. Specify either a relative
- (to $CATALINA_HOME) or absolute path to the desired directory.
- This access log implementation is optimized for maximum performance,
- but is hardcoded to support only the "common" and "combined" patterns.
- -->
+ <!-- Access log processes all example.
+ Documentation at: /docs/config/valve.html -->
<!--
- <Valve className="org.apache.catalina.valves.FastCommonAccessLogValve"
- directory="logs" prefix="localhost_access_log." suffix=".txt"
- pattern="common" resolveHosts="false"/>
+ <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
+ prefix="localhost_access_log." suffix=".txt" pattern="common" resolveHosts="false"/>
-->
- <!-- Access log processes all requests for this virtual host. By
- default, log files are created in the "logs" directory relative to
- $CATALINA_HOME. If you wish, you can specify a different
- directory with the "directory" attribute. Specify either a relative
- (to $CATALINA_HOME) or absolute path to the desired directory.
- This access log implementation is optimized for maximum performance,
- but is hardcoded to support only the "common" and "combined" patterns.
- This valve use NIO direct Byte Buffer to asynchornously store the
- log.
- -->
- <!--
- <Valve className="org.apache.catalina.valves.ByteBufferAccessLogValve"
- directory="logs" prefix="localhost_access_log." suffix=".txt"
- pattern="common" resolveHosts="false"/>
- -->
-
- <!-- <Context docBase="webapps" path="/webapps" reloadable="false"/> -->
</Host>
-
</Engine>
-
</Service>
-
</Server>
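Review bot: The `AccessLogValve` for the localhost `<Host>` is now wrapped in a comment (`<!-- … <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs" … -->`), whereas the removed lines had it active, so after this change the KRA instance writes no per-request access log. For a subsystem that presumably handles key archival and recovery requests, that log is the primary record for incident reconstruction and audit, and the neighbouring comment `Access log processes all example.` reads like a leftover rather than a deliberate decision. If disabling was intended, say so in the comment; otherwise move the two lines `<Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"` / `prefix="localhost_access_log." suffix=".txt" pattern="common" resolveHosts="false"/>` outside the comment so the valve is live again.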
diff --git a/pki/base/kra/shared/conf/tomcat-users.xml b/pki/base/kra/shared/conf/tomcat-users.xml
index 920e68240..daa9260cc 100644
--- a/pki/base/kra/shared/conf/tomcat-users.xml
+++ b/pki/base/kra/shared/conf/tomcat-users.xml
@@ -1,13 +1,45 @@
<?xml version='1.0' encoding='utf-8'?>
+<!-- BEGIN COPYRIGHT BLOCK
+ Copyright (C) 2006-2010 Red Hat, Inc.
+ All rights reserved.
+ Modifications: configuration parameters
+ END COPYRIGHT BLOCK -->
+<!--
+ Licensed to the Apache Software Foundation (ASF) under one or more
+ contributor license agreements. See the NOTICE file distributed with
+ this work for additional information regarding copyright ownership.
+ The ASF licenses this file to You under the Apache License, Version 2.0
+ (the "License"); you may not use this file except in compliance with
+ the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+-->
+
+<!--
+ <role rolename="tomcat"/>
+ <role rolename="role1"/>
+ <user username="tomcat" password="tomcat" roles="tomcat"/>
+ <user username="both" password="tomcat" roles="tomcat,role1"/>
+ <user username="role1" password="tomcat" roles="role1"/>
+-->
+
+<!-- The host manager webapp is restricted to users with role "admin" -->
+<!--<user name="tomcat" password="password" roles="admin" />-->
+<!-- The manager webapp is restricted to users with role "manager" -->
+<!--<user name="tomcat" password="password" roles="manager" />-->
<tomcat-users>
<role rolename="pkiuser"/>
<role rolename="tomcat"/>
- <role rolename="role1"/>
<role rolename="manager"/>
<role rolename="admin"/>
+
<user username="pkiuser" password="pkiuser" roles="pkiuser"/>
<user username="tomcat" password="tomcat" roles="tomcat"/>
- <user username="both" password="tomcat" roles="tomcat,role1"/>
- <user username="role1" password="tomcat" roles="role1"/>
<user username="admin" password="netscape" roles="admin,manager"/>
</tomcat-users>
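Review bot: The example entries added before the root element, `<!--<user name="tomcat" password="password" roles="admin" />-->` and its manager twin, use a `name` attribute while every live entry below uses `username`, so uncommenting them as written would not define the user; change them to `username=` to match, or drop them along with the duplicated `<role rolename="tomcat"/>`/`role1` example block above them, which repeats the stock comment verbatim. The cleanup that removes the `both` and `role1` demo accounts stops short: `<user username="admin" password="netscape" roles="admin,manager"/>` and `<user username="tomcat" password="tomcat" roles="tomcat"/>` remain in the shipped file as plaintext credentials, the first of them granting both the `admin` and `manager` roles. Either remove these accounts from the template or add a comment stating that instance configuration is expected to replace the passwords, so a deployed KRA does not run with the template values.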
diff --git a/pki/base/kra/shared/conf/tomcat5.conf b/pki/base/kra/shared/conf/tomcat5.conf
deleted file mode 100644
index 181fb12dc..000000000
--- a/pki/base/kra/shared/conf/tomcat5.conf
+++ /dev/null
@@ -1,74 +0,0 @@
-# tomcat5 service configuration file
-
-# Check to insure that this configuration file's associated PKI
-# subsystem currently resides on this system.
-PKI_SUBSYSTEM_TYPE=[PKI_SUBSYSTEM_TYPE]
-if [ ! -d /usr/share/pki/${PKI_SUBSYSTEM_TYPE} ] ; then
- echo "This machine is missing the '${PKI_SUBSYSTEM_TYPE}' subsystem!"
- exit 255
-fi
-
-# you could also override JAVA_HOME here
-# Where your java installation lives
-JAVA_HOME="/usr/lib/jvm/jre"
-
-# You can pass some parameters to java
-# here if you wish to
-#JAVA_OPTS="-Xminf0.1 -Xmaxf0.3"
-
-# Where your tomcat installation lives
-# That change from previous RPM where TOMCAT_HOME
-# used to be /var/tomcat.
-# Now /var/tomcat will be the base for webapps only
-CATALINA_HOME="/usr/share/tomcat5"
-JASPER_HOME="/usr/share/tomcat5"
-CATALINA_TMPDIR="/usr/share/tomcat5/temp"
-JAVA_ENDORSED_DIRS="/usr/share/tomcat5/common/endorsed"
-
-# What user should run tomcat
-TOMCAT_USER="[PKI_USER]"
-TOMCAT_GROUP="[PKI_GROUP]"
-
-# You can change your tomcat locale here
-#LANG=en_US
-
-# Time to wait in seconds, while starting process
-STARTUP_WAIT=30
-
-# Time to wait in seconds, before killing process
-SHUTDOWN_WAIT=30
-
-
-# If you wish to further customize your tomcat environment,
-# put your own definitions here
-# (i.e. LD_LIBRARY_PATH for some jdbc drivers)
-# Just do not forget to export them :)
-
-OS=`uname -s`
-if [ $OS = "Linux" ]; then
- PLATFORM=`uname -i`
- if [ $PLATFORM = "i386" ]; then
- # 32-bit Linux
- LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/usr/lib/dirsec:/usr/lib
- elif [ $PLATFORM = "x86_64" ]; then
- # 64-bit Linux
- LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/usr/lib64/dirsec:/usr/lib64:/usr/lib
- fi
- export LD_LIBRARY_PATH
-elif [ $PLATFORM = "SunOS" ]; then
- PLATFORM=`uname -p`
- if [ "${PLATFORM}" = "sparc" ] &&
- [ -d "/usr/lib/sparcv9/" ] ; then
- PLATFORM="sparcv9"
- fi
- if [ $PLATFORM = "sparc" ]; then
- # 32-bit Solaris
- LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/usr/lib/dirsec:/usr/lib
- elif [ $PLATFORM = "sparcv9" ]; then
- # 64-bit Solaris
- JAVA_OPTS="-d64"
- export JAVA_OPTS
- LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/usr/lib/sparcv9/dirsec:/usr/lib/sparcv9:/usr/lib/dirsec:/usr/lib
- fi
- export LD_LIBRARY_PATH
-fi
diff --git a/pki/base/kra/shared/conf/tomcat6.conf b/pki/base/kra/shared/conf/tomcat6.conf
new file mode 100644
index 000000000..31385567d
--- /dev/null
+++ b/pki/base/kra/shared/conf/tomcat6.conf
@@ -0,0 +1,55 @@
+# Service-specific configuration file for tomcat6. This will be sourced by
+# the SysV init script after the global configuration file
+# /etc/tomcat6/tomcat6.conf, thus allowing values to be overridden in
+# a per-service manner.
+#
+# NEVER change the init script itself. To change values for all services make
+# your changes in /etc/tomcat6/tomcat6.conf
+#
+# To change values for a specific service make your edits here.
+# To create a new service create a link from /etc/init.d/<your new service> to
+# /etc/init.d/tomcat6 (do not copy the init script) and make a copy of the
+# /etc/sysconfig/tomcat6 file to /etc/sysconfig/<your new service> and change
+# the property values so the two services won't conflict. Register the new
+# service in the system as usual (see chkconfig and similars).
+#
+
+# Where your java installation lives
+#JAVA_HOME="/usr/lib/jvm/java"
+
+# Where your tomcat installation lives
+CATALINA_BASE="[PKI_INSTANCE_PATH]"
+#CATALINA_HOME="/usr/share/tomcat6"
+#JASPER_HOME="/usr/share/tomcat6"
+#CATALINA_TMPDIR="/var/cache/tomcat6/temp"
+
+# You can pass some parameters to java here if you wish to
+#JAVA_OPTS="-Xminf0.1 -Xmaxf0.3"
+
+# Use JAVA_OPTS to set java.library.path for libtcnative.so
+#JAVA_OPTS="-Djava.library.path=/usr/lib64"
+
+# What user should run tomcat
+TOMCAT_USER="[PKI_USER]"
+
+# You can change your tomcat locale here
+#LANG="en_US"
+
+# Run tomcat under the Java Security Manager
+#SECURITY_MANAGER="false"
+
+# Time to wait in seconds, before killing process
+#SHUTDOWN_WAIT="30"
+
+# Whether to annoy the user with "attempting to shut down" messages or not
+#SHUTDOWN_VERBOSE="false"
+
+# Set the TOMCAT_PID location
+CATALINA_PID="[TOMCAT_PIDFILE]"
+
+# Connector port is 8080 for this tomcat6 instance
+#CONNECTOR_PORT="8080"
+
+# If you wish to further customize your tomcat environment,
+# put your own definitions here
+# (i.e. LD_LIBRARY_PATH for some jdbc drivers)
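Review bot: The per-platform LD_LIBRARY_PATH and JAVA_OPTS setup that the deleted tomcat5.conf performed for the libraries under the dirsec directories has no counterpart in this file, and the closing comment of the hunk only hints that LD_LIBRARY_PATH "could" be added here. If that setup now lives in the tomcat6 init script or in the global /etc/tomcat6/tomcat6.conf, a one-line comment saying so would stop the next maintainer from re-adding it; if it lives nowhere, instances that depend on those libraries may fail to start. The same question applies to `TOMCAT_GROUP`, which tomcat5.conf set and this file omits. Suggested comment after the `TOMCAT_USER=` line: `# TOMCAT_GROUP and the dirsec LD_LIBRARY_PATH setup are intentionally not set here; see <LOCATION WHERE THEY MOVED>`.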
diff --git a/pki/base/kra/shared/etc/init.d/pki-krad b/pki/base/kra/shared/etc/init.d/pki-krad
index 5a3b9be9b..b27dc8c62 100755
--- a/pki/base/kra/shared/etc/init.d/pki-krad
+++ b/pki/base/kra/shared/etc/init.d/pki-krad
@@ -14,1816 +14,70 @@
# with this program; if not, write to the Free Software Foundation, Inc.,
# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
#
-# Copyright (C) 2007 Red Hat, Inc.
+# Copyright (C) 2007-2010 Red Hat, Inc.
# All rights reserved.
-# --- END COPYRIGHT BLOCK ### ---
+# --- END COPYRIGHT BLOCK ---
#
-# pki-krad Startup script for Tomcat 5.0 pki-kra, the Apache Servlet Engine
+# pki-krad Startup script pki-kra with tomcat6
#
# chkconfig: - 82 18
-# description: Data Recovery Manager \
-# (Tomcat 5.0)
+# description: Data Recovery Manager (Tomcat 6.0)
# processname: pki-krad
# piddir: /var/run/pki/kra
-# config: ${PKI_INSTANCE_PATH}/conf/tomcat5.conf
-#
-# Gomez Henri <hgomez@users.sourceforge.net>
-# Keith Irwin <keith_irwin@non.hp.com>
-# Nicolas Mailhot <nicolas.mailhot@one2team.com>
-#
-# version 1.02 - Removed initlog support
-# version 1.03 - Removed config:
-# version 1.04 - tomcat will start before httpd and stop after httpd
-# version 1.05 - jdk hardcoded to link /usr/java/jdk and tomcat runs
-# as "nobody"
-# version 1.06 - split up into script and config file
-# version 1.07 - Rework from Nicolas ideas
-# version 1.08 - Fix work dir permission at start time, switch to use tomcat4
-# version 1.09 - Fix pidfile and config tags
-# version 1.10 - Fallback to su direct use on systems without
-# Redhat/Mandrake init.d functions
-# version 1.11 - Fix webapps dir permissions
-# version 1.12 - remove initial start/stop level for chkconfig (- 80 20)
-# version 1.13 - remove chown of logs/work/temp/webapps dir,
-# owned by tomcat4 at install time
-# version 1.14 - correct the start/stop ugly hack by waiting
-# all the threads stops
-# version 1.15 - ensure we're looking for TOMCAT_USER running catalina
-# version 1.16 - Add support for CATALINA_PID env var
-# version 1.17 - Remove run files only tomcat started correctl
-# in start area, check that tomcat is not allready running
-# version 1.18 - Fix kill typo (thanks Kaj J. Niemi)
-# version 1.19 - Add jar relinking
-# version 1.20 - Check there is no stalling tomcat4.pid
-# version 1.20tc5 - Changed all instances of tomcat4 to
-# tomcat5 except TOMCAT_USER
-# version 1.20tc5rh - Changed TOMCAT_USER from tomcat4 to tomcat
#
-PKI_INIT_SCRIPT=""
+PROG_NAME=`basename $0`
+SERVICE_NAME="pki-krad"
+SERVICE_PROG="/sbin/service"
PKI_PATH="/usr/share/pki/kra"
-PKI_PIDDIR="/var/run/pki/kra"
-PKI_PROCESS="pki-krad"
PKI_REGISTRY="/etc/sysconfig/pki/kra"
PKI_TYPE="pki-kra"
-
-# PKI subsystem-level directory and file values for locks
-lockfile="/var/lock/subsys/pki-krad"
+PKI_TOTAL_PORTS=6
# Disallow 'others' the ability to 'write' to new files
umask 00002
-default_error=0
command="$1"
pki_instance="$2"
-case "${command}" in
- start|stop|restart|condrestart|force-restart|try-restart)
- # * 1 generic or unspecified error (current practice)
- default_error=1
- ;;
- reload)
- default_error=3
- ;;
- status)
- # * 4 program or service status is unknown
- default_error=4
- ;;
- *)
- # * 2 invalid argument(s)
- default_error=2
- ;;
-esac
-
-# Check to insure that this script's original invocation directory
-# has not been deleted!
-CWD=`/bin/pwd > /dev/null 2>&1`
-if [ $? -ne 0 ] ; then
- echo "Cannot invoke '$0' from non-existent directory!"
- exit ${default_error}
-fi
-
-# Check to insure that this script's associated PKI
-# subsystem currently resides on this system.
-if [ ! -d ${PKI_PATH} ] ; then
- echo "This machine is missing the '${PKI_TYPE}' subsystem!"
- if [ "${command}" != "status" ]; then
- # * 5 program is not installed
- exit 5
- else
- exit ${default_error}
- fi
-fi
-
-# Check to insure that this script's associated PKI
-# subsystem instance registry currently resides on this system.
-if [ ! -d ${PKI_REGISTRY} ] ; then
- echo "This machine contains no registered '${PKI_TYPE}' subsystem instances!"
- if [ "${command}" != "status" ]; then
- # * 5 program is not installed
- exit 5
- else
- exit ${default_error}
- fi
-fi
-
-# Obtain the operating system upon which this script is being executed
-OS=`uname -s`
-ARCHITECTURE=""
-
-# This script must be run as root!
-RV=0
-if [ ${OS} = "Linux" ] ; then
- PKI_INIT_SCRIPT="/sbin/service ${PKI_PROCESS}"
- if [ `id -u` -ne 0 ] ; then
- echo "Must be 'root' to execute '$0'!"
- if [ "${command}" != "status" ]; then
- # * 4 user had insufficient privilege
- exit 4
- else
- # * 4 program or service status is unknown
- exit 4
- fi
- fi
- ARCHITECTURE=`uname -i`
-elif [ ${OS} = "SunOS" ] ; then
- PKI_INIT_SCRIPT="/etc/init.d/${PKI_PROCESS}"
- if [ `/usr/xpg4/bin/id -u` -ne 0 ] ; then
- echo "Must be 'root' to execute '$0'!"
- if [ "${command}" != "status" ]; then
- # * 4 user had insufficient privilege
- exit 4
- else
- # * 4 program or service status is unknown
- exit 4
- fi
- fi
- ARCHITECTURE=`uname -p`
- if [ "${ARCHITECTURE}" = "sparc" ] &&
- [ -d "/usr/lib/sparcv9/" ] ; then
- ARCHITECTURE="sparcv9"
- fi
-else
- echo "Unsupported OS '${OS}'!"
- exit ${default_error}
-fi
# Source function library.
-if [ -f /etc/init.d/functions ]; then
- . /etc/init.d/functions
-else
- # The checkpid() function is provided for platforms that do not
- # contain the "/etc/init.d/functions" file (e. g. - Solaris) . . .
-
- # Check if ${pid} (could be plural) are running (keep count)
- checkpid()
- {
- rv=0
- for i in $* ; do
- ps -p $i > /dev/null 2>&1 ;
- if [ $? -ne 0 ] ; then
- rv=`expr ${rv} + 1`
- else
- rv=`expr ${rv} + 0`
- fi
- done
- # echo "rv=${rv}"
- return ${rv}
- }
-
- # Create the following directories on platforms
- # where they do not exist (e. g. - Solaris) . . .
- if [ ! -d "/var/lock" ] ; then
- mkdir -p /var/lock
- chown root:sys /var/lock
- chmod 00755 /var/lock
- fi
- if [ ! -d "/var/lock/subsys" ] ; then
- mkdir -p /var/lock/subsys
- chown root:root /var/lock/subsys
- chmod 00755 /var/lock/subsys
- fi
-
- #######################################################################
- ## NOTE: The following code needs to eventually be moved into the ##
- ## template used to create the ##
- ## "${PKI_INSTANCE_PATH}/conf/tomcat5.conf" file! ##
- #######################################################################
-
- if [ ${OS} = "SunOS" ] ; then
- DEFAULT_SOLARIS_JAVA_HOME="/usr/jdk/instances/jdk1.5.0/jre"
- DEFAULT_LINUX_JAVA_HOME="/usr/lib/jvm/jre"
- DEFAULT_LINUX_JAVA_HOME_PATH=`dirname ${DEFAULT_LINUX_JAVA_HOME}`
-
- # ensure that the Sun JRE 1.5.0 exists at the default location
- if [ -d ${DEFAULT_SOLARIS_JAVA_HOME} ] ; then
- # create the directory in which the symlink resides (if necessary)
- if [ ! -d ${DEFAULT_LINUX_JAVA_HOME_PATH} ] ; then
- mkdir -p ${DEFAULT_LINUX_JAVA_HOME_PATH}
- fi
- # create the actual symlink (if necessary)
- if [ ! -h ${DEFAULT_LINUX_JAVA_HOME} ] ; then
- ln -s ${DEFAULT_SOLARIS_JAVA_HOME} ${DEFAULT_LINUX_JAVA_HOME}
- fi
- else
- # for now, simply exit with an appropriate error message
- echo -n "The Solaris 1.5.0 JRE must be installed "
- echo -n "at \"${DEFAULT_SOLARIS_JAVA_HOME}\"!"
- echo
- echo
- exit ${default_error}
- fi
- fi
-fi
-
-PKI_REGISTRY_ENTRIES=""
-TOTAL_PKI_REGISTRY_ENTRIES=0
-TOTAL_UNCONFIGURED_PKI_ENTRIES=0
-
-# Gather ALL registered instances of this PKI subsystem type
-for FILE in `/bin/ls -1 ${PKI_REGISTRY}/* 2>/dev/null`; do
- if [ -f "$FILE" ] ; then
- inst=`echo "$FILE"`
- PKI_REGISTRY_ENTRIES="${PKI_REGISTRY_ENTRIES} $inst"
- TOTAL_PKI_REGISTRY_ENTRIES=`expr ${TOTAL_PKI_REGISTRY_ENTRIES} + 1`
- fi
-done
-
-if [ -n "${pki_instance}" ]; then
- for I in ${PKI_REGISTRY_ENTRIES}; do
- if [ "${PKI_REGISTRY}/${pki_instance}" = "$I" ]; then
- PKI_REGISTRY_ENTRIES="${PKI_REGISTRY}/${pki_instance}"
- TOTAL_PKI_REGISTRY_ENTRIES=1
- break
- fi
- done
-fi
-
-usage()
-{
- echo -n "Usage: ${PKI_INIT_SCRIPT} "
- echo -n "{start"
- echo -n "|stop"
- echo -n "|restart"
- echo -n "|condrestart"
- echo -n "|force-restart"
- echo -n "|try-restart"
- echo -n "|reload"
- echo -n "|status} "
- echo -n "[instance-name]"
- echo
- echo
-}
-
-list_instances()
-{
- echo
- for FILE in `/bin/ls -1 ${PKI_REGISTRY}/* 2>/dev/null`; do
- echo " ${FILE}"
- done
- echo
-}
-
-# Check arguments
-if [ $# -lt 1 ] ; then
- # * 3 unimplemented feature (for example, "reload")
- # [insufficient arguments]
- echo "$0: Insufficient arguments!"
- echo
- usage
- echo "where valid instance names include:"
- list_instances
- exit 3
-elif [ ${default_error} -eq 2 ] ; then
- # * 2 invalid argument
- echo "$0: Invalid arguments!"
- echo
- usage
- echo "where valid instance names include:"
- list_instances
- exit 2
-elif [ $# -gt 2 ] ; then
- echo "$0: Excess arguments!"
- echo
- usage
- echo "where valid instance names include:"
- list_instances
- if [ "${command}" != "status" ]; then
- # * 2 excess arguments
- exit 2
- else
- # * 4 program or service status is unknown
- exit 4
- fi
-fi
-
-# If an "instance" was supplied, check that it is a "valid" instance
-if [ -n "${pki_instance}" ]; then
- if [ "${PKI_REGISTRY}/${pki_instance}" != "${PKI_REGISTRY_ENTRIES}" ]; then
- echo -n "${pki_instance} is an invalid '${PKI_TYPE}' instance"
- echo_failure
- echo
- if [ "${command}" != "status" ]; then
- # * 5 program is not installed
- exit 5
- else
- # * 4 program or service status is unknown
- exit 4
- fi
- fi
-fi
-
-# On Solaris /var/run is in tmpfs and gets wiped out upon reboot
-# we have to recreate the ${PKI_PIDDIR} directory and make sure that
-# the directory is writable by the ${PKI_TYPE} server process.
-#
-# IMPORTANT: ALL PKI subsystems installed on this machine MUST utilize
-# the SAME values for ${PKI_GROUP} and ${PKI_USER}, since the
-# "${PKI_PIDDIR}" will end up with the ownership permissions
-# of the first instance that executes this function!
-#
-fix_pid_dir_ownership()
-{
- if [ ! -d ${PKI_PIDDIR} ] ; then
- mkdir -p ${PKI_PIDDIR}
-
- chown root:root /var/run/pki
- chmod 00755 /var/run/pki
-
- chown root:root ${PKI_PIDDIR}
- chmod 00755 ${PKI_PIDDIR}
- fi
-}
-
-check_pki_configuration_status()
-{
- rv=0
-
- rv=`grep -c ^preop ${pki_instance_configuration_file}`
-
- rv=`expr ${rv} + 0`
-
- if [ ${rv} -ne 0 ] ; then
- echo " '${PKI_INSTANCE_ID}' must still be CONFIGURED!"
- echo " (see /var/log/${PKI_INSTANCE_ID}-install.log)"
- if [ "${command}" != "status" ]; then
- # * 6 program is not configured
- rv=6
- else
- # * 4 program or service status is unknown
- rv=4
- fi
- TOTAL_UNCONFIGURED_PKI_ENTRIES=`expr ${TOTAL_UNCONFIGURED_PKI_ENTRIES} + 1`
- elif [ -f ${RESTART_SERVER} ] ; then
- echo -n " Although '${PKI_INSTANCE_ID}' has been CONFIGURED, "
- echo -n "it must still be RESTARTED!"
- echo
- if [ "${command}" != "status" ]; then
- # * 1 generic or unspecified error (current practice)
- rv=1
- else
- # * 4 program or service status is unknown
- rv=4
- fi
- fi
-
- return ${rv}
-}
-
-get_pki_status_definitions()
-{
- # establish well-known strings
- begin_pki_status_comment="<!-- DO NOT REMOVE - Begin PKI Status Definitions -->"
- end_pki_status_comment="<!-- DO NOT REMOVE - End PKI Status Definitions -->"
- total_ports=0
- unsecure_port_statement="Unsecure Port = "
- secure_agent_port_statement="Secure Agent Port = "
- secure_ee_port_statement="Secure EE Port = "
- secure_admin_port_statement="Secure Admin Port = "
- pki_console_port_statement="PKI Console Port = "
- tomcat_port_statement="Tomcat Port = "
-
- # initialize looping variables
- pki_status_comment_found=0
-
- # first check to see that an instance-specific "server.xml" file exists
- if [ ! -f ${PKI_SERVER_XML_CONF} ] ; then
- echo "File '${PKI_SERVER_XML_CONF}' does not exist!"
- exit ${default_error}
- fi
-
- # read this instance-specific "server.xml" file line-by-line
- # to obtain the current PKI Status Definitions
- exec < ${PKI_SERVER_XML_CONF}
- while read line; do
- # first look for the well-known end PKI Status comment
- # (to turn off processing)
- if [ "$line" == "$end_pki_status_comment" ] ; then
- pki_status_comment_found=0
- break;
- fi
-
- # then look for the well-known begin PKI Status comment
- # (to turn on processing)
- if [ "$line" == "$begin_pki_status_comment" ] ; then
- pki_status_comment_found=1
- fi
-
- # once the well-known begin PKI Status comment has been found,
- # begin processing to obtain all of the PKI Status Definitions
- if [ $pki_status_comment_found -eq 1 ] ; then
- # look for a PKI Status Definition and print it
- head=`echo "$line" | cut -b1-20`
- if [ "$head" == "$unsecure_port_statement" ] ||
- [ "$head" == "$secure_agent_port_statement" ] ||
- [ "$head" == "$secure_ee_port_statement" ] ||
- [ "$head" == "$secure_admin_port_statement" ] ||
- [ "$head" == "$pki_console_port_statement" ] ||
- [ "$head" == "$tomcat_port_statement" ] ; then
- echo " $line"
- total_ports=`expr ${total_ports} + 1`
- fi
- fi
- done
-
- if [ ${total_ports} -eq 6 ] ; then
- return 0
- else
- return ${default_error}
- fi
-}
-
-get_pki_configuration_definitions()
-{
- # Obtain the PKI Subsystem Type
- line=`grep ^cs.type= ${pki_instance_configuration_file}`
- pki_subsystem=`echo "${line}" | cut -b9-`
- if [ "${line}" != "" ] ; then
- if [ "${pki_subsystem}" != "CA" ] &&
- [ "${pki_subsystem}" != "KRA" ] &&
- [ "${pki_subsystem}" != "OCSP" ] &&
- [ "${pki_subsystem}" != "TKS" ] &&
- [ "${pki_subsystem}" != "RA" ] &&
- [ "${pki_subsystem}" != "TPS" ]
- then
- return ${default_error}
- fi
- if [ "${pki_subsystem}" == "KRA" ] ; then
- # Rename "KRA" to "DRM"
- pki_subsystem="DRM"
- fi
- else
- return ${default_error}
- fi
-
- # If "${pki_subsystem}" is a CA, DRM, OCSP, or TKS,
- # check to see if "${pki_subsystem}" is a "Clone"
- pki_clone=""
- if [ "${pki_subsystem}" == "CA" ] ||
- [ "${pki_subsystem}" == "DRM" ] ||
- [ "${pki_subsystem}" == "OCSP" ] ||
- [ "${pki_subsystem}" == "TKS" ]
- then
- line=`grep ^subsystem.select= ${pki_instance_configuration_file}`
- if [ "${line}" != "" ] ; then
- pki_clone=`echo "${line}" | cut -b18-`
- if [ "${pki_clone}" != "Clone" ] ; then
- # Reset "${pki_clone}" to be empty
- pki_clone=""
- fi
- else
- return ${default_error}
- fi
- fi
-
- # If "${pki_subsystem}" is a CA, and is NOT a "Clone", check to
- # see "${pki_subsystem}" is a "Root" or a "Subordinate" CA
- pki_hierarchy=""
- if [ "${pki_subsystem}" == "CA" ] &&
- [ "${pki_clone}" != "Clone" ]
- then
- line=`grep ^hierarchy.select= ${pki_instance_configuration_file}`
- if [ "${line}" != "" ] ; then
- pki_hierarchy=`echo "${line}" | cut -b18-`
- else
- return ${default_error}
- fi
- fi
-
- # If ${pki_subsystem} is a CA, check to
- # see if it is also a Security Domain
- pki_security_domain=""
- if [ "${pki_subsystem}" == "CA" ] ; then
- line=`grep ^securitydomain.select= ${pki_instance_configuration_file}`
- if [ "${line}" != "" ] ; then
- pki_security_domain=`echo "${line}" | cut -b23-`
- if [ "${pki_security_domain}" == "new" ] ; then
- # Set a fixed value for "${pki_security_domain}"
- pki_security_domain="(Security Domain)"
- else
- # Reset "${pki_security_domain}" to be empty
- pki_security_domain=""
- fi
- else
- return ${default_error}
- fi
- fi
-
- # Always obtain this PKI instance's "registered"
- # security domain information
- pki_security_domain_name=""
- pki_security_domain_hostname=""
- pki_security_domain_https_admin_port=""
-
- line=`grep ^securitydomain.name= ${pki_instance_configuration_file}`
- if [ "${line}" != "" ] ; then
- pki_security_domain_name=`echo "${line}" | cut -b21-`
- else
- return ${default_error}
- fi
-
- line=`grep ^securitydomain.host= ${pki_instance_configuration_file}`
- if [ "${line}" != "" ] ; then
- pki_security_domain_hostname=`echo "${line}" | cut -b21-`
- else
- return ${default_error}
- fi
-
- line=`grep ^securitydomain.httpsadminport= ${pki_instance_configuration_file}`
- if [ "${line}" != "" ] ; then
- pki_security_domain_https_admin_port=`echo "${line}" | cut -b31-`
- else
- return ${default_error}
- fi
-
- # Compose the "PKI Instance Name" Status Line
- pki_instance_name="PKI Instance Name: ${PKI_INSTANCE_ID}"
-
- # Compose the "PKI Subsystem Type" Status Line
- header="PKI Subsystem Type: "
- if [ "${pki_clone}" != "" ] ; then
- if [ "${pki_security_domain}" != "" ]; then
- # Possible Values:
- #
- # "CA Clone (Security Domain)"
- #
- data="${pki_subsystem} ${pki_clone} ${pki_security_domain}"
- else
- # Possible Values:
- #
- # "CA Clone"
- # "DRM Clone"
- # "OCSP Clone"
- # "TKS Clone"
- #
- data="${pki_subsystem} ${pki_clone}"
- fi
- elif [ "${pki_hierarchy}" != "" ] ; then
- if [ "${pki_security_domain}" != "" ]; then
- # Possible Values:
- #
- # "Root CA (Security Domain)"
- # "Subordinate CA (Security Domain)"
- #
- data="${pki_hierarchy} ${pki_subsystem} ${pki_security_domain}"
- else
- # Possible Values:
- #
- # "Root CA"
- # "Subordinate CA"
- #
- data="${pki_hierarchy} ${pki_subsystem}"
- fi
- else
- # Possible Values:
- #
- # "DRM"
- # "OCSP"
- # "RA"
- # "TKS"
- # "TPS"
- #
- data="${pki_subsystem}"
- fi
- pki_subsystem_type="${header} ${data}"
-
- # Compose the "Registered PKI Security Domain Information" Status Line
- header="Name: "
- registered_pki_security_domain_name="${header} ${pki_security_domain_name}"
-
- header="URL: "
- if [ "${pki_security_domain_hostname}" != "" ] &&
- [ "${pki_security_domain_https_admin_port}" != "" ]
- then
- data="https://${pki_security_domain_hostname}:${pki_security_domain_https_admin_port}"
- else
- return ${default_error}
- fi
- registered_pki_security_domain_url="${header} ${data}"
-
- # Print the "PKI Subsystem Type" Status Line
- echo
- echo " ${pki_instance_name}"
-
- # Print the "PKI Subsystem Type" Status Line
- echo
- echo " ${pki_subsystem_type}"
-
- # Print the "Registered PKI Security Domain Information" Status Line
- echo
- echo " Registered PKI Security Domain Information:"
- echo " =========================================================================="
- echo " ${registered_pki_security_domain_name}"
- echo " ${registered_pki_security_domain_url}"
- echo " =========================================================================="
-
- return 0
-}
-
-get_pki_secure_port()
-{
- # establish well-known strings
- begin_ssl_comment="<!-- DO NOT REMOVE - Begin define PKI secure port -->"
- end_ssl_comment="<!-- DO NOT REMOVE - End define PKI secure port -->"
- connector_statement="<Connector name=\""
-
- # initialize looping variables
- ssl_comment_found=0
-
- # first check to see that an instance-specific "server.xml" file exists
- if [ ! -f ${PKI_SERVER_XML_CONF} ] ; then
- echo "File '${PKI_SERVER_XML_CONF}' does not exist!"
- exit ${default_error}
- fi
-
- # read this instance-specific "server.xml" file line-by-line
- # to obtain the current value of the PKI secure port
- exec < ${PKI_SERVER_XML_CONF}
- while read line; do
- # first look for the well-known end SSL comment
- # (to turn off processing)
- if [ "$line" == "$end_ssl_comment" ] ; then
- ssl_comment_found=0
- fi
-
- # then look for the well-known begin SSL comment
- # (to turn on processing)
- if [ "$line" == "$begin_ssl_comment" ] ; then
- ssl_comment_found=1
- fi
-
- # once the well-known begin SSL comment has been found,
- # begin processing to obtain the numeric port information
- if [ $ssl_comment_found -eq 1 ] ; then
- # look for the next Connector statement
- head=`echo $line | cut -b1-17`
- if [ "$head" == "$connector_statement" ] ; then
- # once the Connector statement has been found,
- tail=`echo $line | cut -b18-`
- # extract the name of the connector
- name=`echo $tail | cut -d\" -f1`
- if [ "$name" == "Agent" ] ||
- [ "$name" == "Secure" ] ; then
- # extract the numeric port information
- port=`echo $tail | cut -d\" -f3`
- PKI_SECURE_PORT=$port
- return 0
- fi
- fi
- fi
- done
-
- return ${default_error}
-}
-
-display_instance_status()
-{
- rv=0
-
- if [ -f ${pidfile} ] ; then
- pid=`cat ${pidfile}`
- if [ "${pid}" == "" ] ; then
- echo "${PKI_INSTANCE_ID} pid file exists but is empty"
- if [ "${command}" != "status" ]; then
- # * 1 generic or unspecified error (current practice)
- rv=1
- else
- # * 4 program or service status is unknown
- rv=4
- fi
- elif kill -0 ${pid} > /dev/null 2>&1 ; then
- echo "${PKI_INSTANCE_ID} (pid ${pid}) is running ..."
- echo
- check_pki_configuration_status
- rv=$?
- if [ ${rv} -eq 0 ] ; then
- get_pki_status_definitions
- rv=$?
- if [ ${rv} -ne 0 ] ; then
- echo
- echo "${PKI_INSTANCE_ID} Status Definitions not found"
- else
- get_pki_configuration_definitions
- rv=$?
- if [ ${rv} -ne 0 ] ; then
- echo
- echo "${PKI_INSTANCE_ID} Configuration Definitions not found"
- fi
- fi
- else
- # From the PKI point of view for a "non-status" action,
- # a returned error code of "6" implies that the program
- # is not "configured". Similarly, an error code of "1"
- # implies that the program was "configured" but must
- # still be restarted.
- #
- # Similarly, from the PKI point of view for a "status"
- # action, a returned error code of "4" implies that either
- # the program is not "configured", or that the program
- # was "configured" but must still be restarted.
- #
- # Regardless, it must still be considered that the instance
- # is "running" from the viewpoint of other OS programs such
- # as 'chkconfig'.
- #
- # For this reason, when returning from
- # 'display_instance_status()', ignore non-zero return codes
- # returned from 'check_pki_configuration_status()'.
- #
- if [ "${command}" != "status" ]; then
- # * 0 action was successful
- rv=0
- else
- # * 0 program is running or service is OK
- rv=0
- fi
- fi
- echo
- else
- echo "${PKI_INSTANCE_ID} is dead but pid file exists"
- if [ "${command}" != "status" ]; then
- # * 1 generic or unspecified error (current practice)
- rv=1
- else
- # * 1 program is dead and /var/run pid file exists
- rv=1
- fi
- fi
- else
- echo "${PKI_INSTANCE_ID} is stopped"
- if [ "${command}" != "status" ]; then
- # * 7 program is not running
- rv=7
- else
- # * 3 program is not running
- rv=3
- fi
- fi
-
- return ${rv}
-}
-
-start_instance()
-{
- rv=0
-
- echo -n "Starting $TOMCAT_PROG: "
-
- if [ -f ${RESTART_SERVER} ] ; then
- rm -f ${RESTART_SERVER}
- fi
-
- if [ -f ${PKI_LOCKFILE} ] ; then
- if [ -f ${pidfile} ]; then
- read kpid < ${pidfile}
- if checkpid $kpid 2>&1; then
- echo
- echo "${PKI_INSTANCE_ID} (pid ${kpid}) is already running ..."
- echo
- check_pki_configuration_status
- rv=$?
- if [ ${rv} != 0 ]; then
- # From the PKI point of view for a "non-status" action,
- # a returned error code of "6" implies that the program
- # is not "configured". Similarly, an error code of "1"
- # implies that the program was "configured" but must
- # still be restarted.
- #
- # Regardless, it must still be considered that the instance
- # is "running" from the viewpoint of other OS programs such
- # as 'chkconfig'.
- #
- # For "non-status" actions, ignore return codes of "1"
- # from 'check_pki_configuration_status()'.
- #
- # However, for "non-status" actions that have a return
- # code of "6", return this value unchanged to
- # the calling routine so that the total number of
- # configuration errors may be counted.
- #
-
- echo
- if [ ${rv} = 1 ] ; then
- # * 0 action was successful
- return 0
- elif [ ${rv} = 6 ] ; then
- # * 6 program is not configured
- return 6
- else
- # should never be reached
- return ${rv}
- fi
- else
- return 0
- fi
- else
- echo
- echo -n "lock file found but no process "
- echo -n "running for pid $kpid, continuing"
- echo
- echo
- rm -f ${PKI_LOCKFILE}
- fi
- fi
- fi
-
- fix_pid_dir_ownership
-
- CATALINA_PID=${pidfile}
- export CATALINA_PID
- touch $CATALINA_PID
- chown $TOMCAT_USER:$TOMCAT_GROUP $CATALINA_PID
- chmod 00600 $CATALINA_PID
- [ -x /sbin/restorecon ] && /sbin/restorecon $CATALINA_PID
-
- # restore context for ncipher hsm
- [ -x /sbin/restorecon ] && [ -d /dev/nfast ] && /sbin/restorecon -R /dev/nfast
-
- # Always initialize CLASSPATH to start looking
- # in the local PKI classes directory . . .
- CLASSPATH=/usr/share/pki/classes
-
- if [ ${OS} = "Linux" ] ; then
- $TOMCAT_RELINK_SCRIPT
- elif [ ${OS} = "SunOS" ] ; then
- # The following definitions are provided for Solaris
- # platforms since they are unable to execute the
- # "/usr/share/tomcat5/bin/relink",
- # "/usr/bin/rebuild-jar-repository", and
- # "/usr/share/java-utils/java-functions" files . . .
-
- #######################################
- ## /var/lib/tomcat5/common/lib:
- #######################################
-
- # Build the tomcat jar classpath . . .
- CLASSPATH="$CLASSPATH":/usr/share/java/ant.jar
- CLASSPATH="$CLASSPATH":/usr/share/java/commons-collections.jar
- CLASSPATH="$CLASSPATH":/usr/share/java/commons-dbcp.jar
- CLASSPATH="$CLASSPATH":/usr/share/java/commons-el.jar
- CLASSPATH="$CLASSPATH":/usr/share/java/commons-logging-api.jar
- CLASSPATH="$CLASSPATH":/usr/share/java/commons-pool.jar
- CLASSPATH="$CLASSPATH":/usr/share/java/geronimo/spec-ejb-2.1.jar
- CLASSPATH="$CLASSPATH":/usr/share/java/geronimo/spec-j2ee-1.4.jar
- CLASSPATH="$CLASSPATH":/usr/share/java/geronimo/spec-j2ee-connector-1.5.jar
- CLASSPATH="$CLASSPATH":/usr/share/java/geronimo/spec-j2ee-deployment-1.1.jar
- CLASSPATH="$CLASSPATH":/usr/share/java/geronimo/spec-j2ee-jacc-1.0.jar
- CLASSPATH="$CLASSPATH":/usr/share/java/geronimo/spec-j2ee-management-1.0.jar
- CLASSPATH="$CLASSPATH":/usr/share/java/geronimo/spec-j2eeschema-1.0.jar
- CLASSPATH="$CLASSPATH":/usr/share/java/geronimo/spec-jms-1.1.jar
- CLASSPATH="$CLASSPATH":/usr/share/java/geronimo/spec-jsp-2.0.jar
- CLASSPATH="$CLASSPATH":/usr/share/java/geronimo/spec-jta-1.0.1B.jar
- CLASSPATH="$CLASSPATH":/usr/share/java/geronimo/spec-servlet-2.4.jar
- CLASSPATH="$CLASSPATH":/usr/share/java/jaf.jar
- CLASSPATH="$CLASSPATH":/usr/share/java/jakarta-commons-collections.jar
- CLASSPATH="$CLASSPATH":/usr/share/java/jakarta-commons-modeler.jar
- CLASSPATH="$CLASSPATH":/usr/share/java/jasper5-compiler.jar
- CLASSPATH="$CLASSPATH":/usr/share/java/jasper5-runtime.jar
- CLASSPATH="$CLASSPATH":/usr/share/java/javamail/imap.jar
- CLASSPATH="$CLASSPATH":/usr/share/java/javamail/mailapi.jar
- CLASSPATH="$CLASSPATH":/usr/share/java/javamail/nntp.jar
- CLASSPATH="$CLASSPATH":/usr/share/java/javamail/pop3.jar
- CLASSPATH="$CLASSPATH":/usr/share/java/javamail/providers.jar
- CLASSPATH="$CLASSPATH":/usr/share/java/javamail/smtp.jar
-
- # BEGIN LINUX-SPECIFIC FILE
- # CLASSPATH="$CLASSPATH":/usr/share/java/jdtCompilerAdapter.jar
- # CLASSPATH="$CLASSPATH":/usr/share/java/jdtcore.jar
- # CLASSPATH="$CLASSPATH":/usr/share/java/jsp.jar
- # END LINUX-SPECIFIC FILE
-
- CLASSPATH="$CLASSPATH":/usr/share/java/mx4j/mx4j.jar
- CLASSPATH="$CLASSPATH":/usr/share/java/mx4j/mx4j-impl.jar
- CLASSPATH="$CLASSPATH":/usr/share/java/mx4j/mx4j-jmx.jar
- CLASSPATH="$CLASSPATH":/usr/share/java/mx4j/mx4j-remote.jar
- CLASSPATH="$CLASSPATH":/usr/share/java/mx4j/mx4j-rimpl.jar
- CLASSPATH="$CLASSPATH":/usr/share/java/mx4j/mx4j-rjmx.jar
- CLASSPATH="$CLASSPATH":/usr/share/java/mx4j/mx4j-tools.jar
-
- # BEGIN LINUX-SPECIFIC FILE
- # CLASSPATH="$CLASSPATH":/usr/share/java/servlet.jar
- # END LINUX-SPECIFIC FILE
-
- CLASSPATH="$CLASSPATH":/usr/share/java/avalon-logkit.jar
- CLASSPATH="$CLASSPATH":/usr/share/java/cmsutil.jar
- CLASSPATH="$CLASSPATH":/usr/share/java/commons-logging.jar
- if [ "$ARCHITECTURE" = "sparc" ] ; then
- CLASSPATH="$CLASSPATH":/usr/lib/java/dirsec/jss4.jar
- elif [ "$ARCHITECTURE" = "sparcv9" ] ; then
- CLASSPATH="$CLASSPATH":/usr/lib/sparcv9/java/dirsec/jss4.jar
- fi
- CLASSPATH="$CLASSPATH":/usr/share/java/ldapjdk.jar
- CLASSPATH="$CLASSPATH":/var/lib/tomcat5/common/lib/naming-factory.jar
- CLASSPATH="$CLASSPATH":/var/lib/tomcat5/common/lib/naming-resources.jar
- CLASSPATH="$CLASSPATH":/usr/share/java/pki/nsutil.jar
- if [ "$ARCHITECTURE" = "sparc" ] ; then
- CLASSPATH="$CLASSPATH":/usr/lib/java/osutil.jar
- elif [ "$ARCHITECTURE" = "sparcv9" ] ; then
- CLASSPATH="$CLASSPATH":/usr/lib/sparcv9/java/osutil.jar
- fi
- CLASSPATH="$CLASSPATH":/usr/share/java/rhino.jar
- CLASSPATH="$CLASSPATH":/usr/share/java/servletapi5.jar
- if [ "$ARCHITECTURE" = "sparc" ] ; then
- CLASSPATH="$CLASSPATH":/usr/lib/java/symkey.jar
- elif [ "$ARCHITECTURE" = "sparcv9" ] ; then
- CLASSPATH="$CLASSPATH":/usr/lib/sparcv9/java/symkey.jar
- fi
- CLASSPATH="$CLASSPATH":/usr/share/java/velocity.jar
- CLASSPATH="$CLASSPATH":/usr/share/java/xalan-j2.jar
- CLASSPATH="$CLASSPATH":/usr/share/java/xerces-j2.jar
-
- # Relink tomcat jar repositories . . .
- cd /var/lib/tomcat5/common/lib
-
- if [ ! -e /var/lib/tomcat5/common/lib/\[ant\].jar ]; then
- ln -s /usr/share/java/ant.jar [ant].jar
- fi
- if [ ! -e /var/lib/tomcat5/common/lib/\[commons\-collections\].jar ]; then
- ln -s /usr/share/java/commons-collections.jar [commons-collections].jar
- fi
- if [ ! -e /var/lib/tomcat5/common/lib/\[commons\-dbcp\].jar ]; then
- ln -s /usr/share/java/commons-dbcp.jar [commons-dbcp].jar
- fi
- if [ ! -e /var/lib/tomcat5/common/lib/\[commons\-el\].jar ]; then
- ln -s /usr/share/java/commons-el.jar [commons-el].jar
- fi
- if [ ! -e /var/lib/tomcat5/common/lib/\[commons\-logging-api\].jar ]; then
- ln -s /usr/share/java/commons-logging-api.jar [commons-logging-api].jar
- fi
- if [ ! -e /var/lib/tomcat5/common/lib/\[commons\-pool\].jar ]; then
- ln -s /usr/share/java/commons-pool.jar [commons-pool].jar
- fi
- if [ ! -e /var/lib/tomcat5/common/lib/\[geronimo\]spec\-ejb\-2.1\-rc2.jar ]; then
- ln -s /usr/share/java/geronimo/spec-ejb-2.1-rc2.jar [geronimo]spec-ejb-2.1-rc2.jar
- fi
- if [ ! -e /var/lib/tomcat5/common/lib/\[geronimo\]spec\-ejb\-2.1.jar ]; then
- ln -s /usr/share/java/geronimo/spec-ejb-2.1.jar [geronimo]spec-ejb-2.1.jar
- fi
- if [ ! -e /var/lib/tomcat5/common/lib/\[geronimo\]spec\-j2ee\-1.4\-rc2.jar ]; then
- ln -s /usr/share/java/geronimo/spec-j2ee-1.4-rc2.jar [geronimo]spec-j2ee-1.4-rc2.jar
- fi
- if [ ! -e /var/lib/tomcat5/common/lib/\[geronimo\]spec\-j2ee\-1.4.jar ]; then
- ln -s /usr/share/java/geronimo/spec-j2ee-1.4.jar [geronimo]spec-j2ee-1.4.jar
- fi
- if [ ! -e /var/lib/tomcat5/common/lib/\[geronimo\]spec\-j2ee\-connector\-1.5\-rc2.jar ]; then
- ln -s /usr/share/java/geronimo/spec-j2ee-connector-1.5-rc2.jar [geronimo]spec-j2ee-connector-1.5-rc2.jar
- fi
- if [ ! -e /var/lib/tomcat5/common/lib/\[geronimo\]spec\-j2ee\-connector\-1.5.jar ]; then
- ln -s /usr/share/java/geronimo/spec-j2ee-connector-1.5.jar [geronimo]spec-j2ee-connector-1.5.jar
- fi
- if [ ! -e /var/lib/tomcat5/common/lib/\[geronimo\]spec\-j2ee\-deployment\-1.1\-rc2.jar ]; then
- ln -s /usr/share/java/geronimo/spec-j2ee-deployment-1.1-rc2.jar [geronimo]spec-j2ee-deployment-1.1-rc2.jar
- fi
- if [ ! -e /var/lib/tomcat5/common/lib/\[geronimo\]spec\-j2ee\-deployment\-1.1.jar ]; then
- ln -s /usr/share/java/geronimo/spec-j2ee-deployment-1.1.jar [geronimo]spec-j2ee-deployment-1.1.jar
- fi
- if [ ! -e /var/lib/tomcat5/common/lib/\[geronimo\]spec\-j2ee\-jacc\-1.0\-rc2.jar ]; then
- ln -s /usr/share/java/geronimo/spec-j2ee-jacc-1.0-rc2.jar [geronimo]spec-j2ee-jacc-1.0-rc2.jar
- fi
- if [ ! -e /var/lib/tomcat5/common/lib/\[geronimo\]spec\-j2ee\-jacc\-1.0.jar ]; then
- ln -s /usr/share/java/geronimo/spec-j2ee-jacc-1.0.jar [geronimo]spec-j2ee-jacc-1.0.jar
- fi
- if [ ! -e /var/lib/tomcat5/common/lib/\[geronimo\]spec\-j2ee\-management\-1.0\-rc2.jar ]; then
- ln -s /usr/share/java/geronimo/spec-j2ee-management-1.0-rc2.jar [geronimo]spec-j2ee-management-1.0-rc2.jar
- fi
- if [ ! -e /var/lib/tomcat5/common/lib/\[geronimo\]spec\-j2ee\-management\-1.0.jar ]; then
- ln -s /usr/share/java/geronimo/spec-j2ee-management-1.0.jar [geronimo]spec-j2ee-management-1.0.jar
- fi
- if [ ! -e /var/lib/tomcat5/common/lib/\[geronimo\]spec\-j2eeschema\-1.0\-M2.jar ]; then
- ln -s /usr/share/java/geronimo/spec-j2eeschema-1.0-M2.jar [geronimo]spec-j2eeschema-1.0-M2.jar
- fi
- if [ ! -e /var/lib/tomcat5/common/lib/\[geronimo\]spec\-j2eeschema\-1.0.jar ]; then
- ln -s /usr/share/java/geronimo/spec-j2eeschema-1.0.jar [geronimo]spec-j2eeschema-1.0.jar
- fi
- if [ ! -e /var/lib/tomcat5/common/lib/\[geronimo\]spec\-jms\-1.1\-rc2.jar ]; then
- ln -s /usr/share/java/geronimo/spec-jms-1.1-rc2.jar [geronimo]spec-jms-1.1-rc2.jar
- fi
- if [ ! -e /var/lib/tomcat5/common/lib/\[geronimo\]spec\-jms\-1.1.jar ]; then
- ln -s /usr/share/java/geronimo/spec-jms-1.1.jar [geronimo]spec-jms-1.1.jar
- fi
- if [ ! -e /var/lib/tomcat5/common/lib/\[geronimo\]spec\-jsp\-2.0\-rc2.jar ]; then
- ln -s /usr/share/java/geronimo/spec-jsp-2.0-rc2.jar [geronimo]spec-jsp-2.0-rc2.jar
- fi
- if [ ! -e /var/lib/tomcat5/common/lib/\[geronimo\]spec\-jsp\-2.0.jar ]; then
- ln -s /usr/share/java/geronimo/spec-jsp-2.0.jar [geronimo]spec-jsp-2.0.jar
- fi
- if [ ! -e /var/lib/tomcat5/common/lib/\[geronimo\]spec-jta-1.0.1B-rc2.jar ]; then
- ln -s /usr/share/java/geronimo/spec-jta-1.0.1B-rc2.jar [geronimo]spec-jta-1.0.1B-rc2.jar
- fi
- if [ ! -e /var/lib/tomcat5/common/lib/\[geronimo\]spec\-jta\-1.0.1B.jar ]; then
- ln -s /usr/share/java/geronimo/spec-jta-1.0.1B.jar [geronimo]spec-jta-1.0.1B.jar
- fi
- if [ ! -e /var/lib/tomcat5/common/lib/\[geronimo\]spec\-servlet\-2.4\-rc2.jar ]; then
- ln -s /usr/share/java/geronimo/spec-servlet-2.4-rc2.jar [geronimo]spec-servlet-2.4-rc2.jar
- fi
- if [ ! -e /var/lib/tomcat5/common/lib/\[geronimo\]spec\-servlet\-2.4.jar ]; then
- ln -s /usr/share/java/geronimo/spec-servlet-2.4.jar [geronimo]spec-servlet-2.4.jar
- fi
- if [ ! -e /var/lib/tomcat5/common/lib/\[jaf\].jar ]; then
- ln -s /usr/share/java/jaf.jar [jaf].jar
- fi
-
- ### BEGIN SOLARIS-SPECIFIC LINKS
- ### if [ ! -e /var/lib/tomcat5/common/lib/\[jakarta\-commons\-collections.jar\] ]; then
- ### ln -s /usr/share/java/jakarta-commons-collections.jar [jakarta-commons-collections.jar]
- ### fi
- ### if [ ! -e /var/lib/tomcat5/common/lib/\[jakarta\-commons\-modeler.jar\] ]; then
- ### ln -s /usr/share/java/jakarta-commons-modeler.jar [jakarta-commons-modeler.jar]
- ### fi
- ### END SOLARIS-SPECIFIC LINKS
-
- ### if [ ! -e /var/lib/tomcat5/common/lib/\[jasper5\-compiler\].jar ]; then
- ### ln -s /usr/share/java/jasper5-compiler.jar [jasper5-compiler].jar
- ### fi
- ### if [ ! -e /var/lib/tomcat5/common/lib/\[jasper5\-runtime\].jar ]; then
- ### ln -s /usr/share/java/jasper5-runtime.jar [jasper5-runtime].jar
- ### fi
-
- if [ ! -e /var/lib/tomcat5/common/lib/\[javamail\]imap\-1.3.1.jar ]; then
- ln -s /usr/share/java/javamail/imap-1.3.1.jar [javamail]imap-1.3.1.jar
- fi
- if [ ! -e /var/lib/tomcat5/common/lib/\[javamail\]imap.jar ]; then
- ln -s /usr/share/java/javamail/imap.jar [javamail]imap.jar
- fi
- if [ ! -e /var/lib/tomcat5/common/lib/\[javamail\]mailapi\-1.3.1.jar ]; then
- ln -s /usr/share/java/javamail/mailapi-1.3.1.jar [javamail]mailapi-1.3.1.jar
- fi
- if [ ! -e /var/lib/tomcat5/common/lib/\[javamail\]mailapi.jar ]; then
- ln -s /usr/share/java/javamail/mailapi.jar [javamail]mailapi.jar
- fi
- if [ ! -e /var/lib/tomcat5/common/lib/\[javamail\]nntp\-1.3.1.jar ]; then
- ln -s /usr/share/java/javamail/nntp-1.3.1.jar [javamail]nntp-1.3.1.jar
- fi
- if [ ! -e /var/lib/tomcat5/common/lib/\[javamail\]nntp.jar ]; then
- ln -s /usr/share/java/javamail/nntp.jar [javamail]nntp.jar
- fi
- if [ ! -e /var/lib/tomcat5/common/lib/\[javamail\]pop3\-1.3.1.jar ]; then
- ln -s /usr/share/java/javamail/pop3-1.3.1.jar [javamail]pop3-1.3.1.jar
- fi
- if [ ! -e /var/lib/tomcat5/common/lib/\[javamail\]pop3.jar ]; then
- ln -s /usr/share/java/javamail/pop3.jar [javamail]pop3.jar
- fi
- if [ ! -e /var/lib/tomcat5/common/lib/\[javamail\]providers\-1.3.1.jar ]; then
- ln -s /usr/share/java/javamail/providers-1.3.1.jar [javamail]providers-1.3.1.jar
- fi
- if [ ! -e /var/lib/tomcat5/common/lib/\[javamail\]providers.jar ]; then
- ln -s /usr/share/java/javamail/providers.jar [javamail]providers.jar
- fi
- if [ ! -e /var/lib/tomcat5/common/lib/\[javamail\]smtp\-1.3.1.jar ]; then
- ln -s /usr/share/java/javamail/smtp-1.3.1.jar [javamail]smtp-1.3.1.jar
- fi
- if [ ! -e /var/lib/tomcat5/common/lib/\[javamail\]smtp.jar ]; then
- ln -s /usr/share/java/javamail/smtp.jar [javamail]smtp.jar
- fi
-
- ### BEGIN LINUX-SPECIFIC LINKS
- ### if [ ! -e /var/lib/tomcat5/common/lib/\[jdtCompilerAdapter\].jar ]; then
- ### ln -s /usr/share/java/jdtCompilerAdapter.jar [jdtCompilerAdapter].jar
- ### fi
- ### if [ ! -e /var/lib/tomcat5/common/lib/\[jdtcore\].jar ]; then
- ### ln -s /usr/share/java/jdtcore.jar [jdtcore].jar
- ### fi
- ### if [ ! -e /var/lib/tomcat5/common/lib/\[jsp\].jar ]; then
- ### ln -s /usr/share/java/jsp.jar [jsp].jar
- ### fi
- ### END LINUX-SPECIFIC LINKS
-
- if [ ! -e /var/lib/tomcat5/common/lib/\[mx4j\]\[mx4j\].jar ]; then
- ln -s /usr/share/java/mx4j/mx4j.jar [mx4j][mx4j].jar
- fi
-
- ### BEGIN LINUX-SPECIFIC LINKS
- ### if [ ! -e /var/lib/tomcat5/common/lib/\[servlet\].jar ]; then
- ### ln -s /usr/share/java/servlet.jar [servlet].jar
- ### fi
- ### END LINUX-SPECIFIC LINKS
-
- ### BEGIN LINUX-SPECIFIC FILE BUT SOLARIS-SPECIFIC LINK
- if [ ! -e /var/lib/tomcat5/common/lib/avalon\-logkit.jar ]; then
- ln -s /usr/share/java/avalon-logkit.jar avalon-logkit.jar
- fi
- ### END LINUX-SPECIFIC FILE BUT SOLARIS-SPECIFIC LINK
-
- ### if [ ! -e /var/lib/tomcat5/common/lib/cmsutil.jar ]; then
- ### ln -s /usr/share/java/rphki/cmsutil.jar cmsutil.jar
- ### fi
-
- ### BEGIN LINUX-SPECIFIC FILE BUT SOLARIS-SPECIFIC LINK
- if [ ! -e /var/lib/tomcat5/common/lib/commons\-logging.jar ]; then
- ln -s /usr/share/java/commons-logging.jar commons-logging.jar
- fi
- ### END LINUX-SPECIFIC FILE BUT SOLARIS-SPECIFIC LINK
-
- ### if [ ! -e /var/lib/tomcat5/common/lib/jss4.jar ]; then
- ### if [ "$ARCHITECTURE" = "sparc" ] ; then
- ### ln -s /usr/lib/java/dirsec/jss4.jar jss4.jar
- ### elif [ "$ARCHITECTURE" = "sparcv9" ] ; then
- ### ln -s /usr/lib/sparcv9/java/dirsec/jss4.jar jss4.jar
- ### fi
- ### fi
- ### if [ ! -e /var/lib/tomcat5/common/lib/ldapjdk.jar ]; then
- ### ln -s /usr/share/java/ldapjdk.jar ldapjdk.jar
- ### fi
-
- ### naming-factory.jar
- ### naming-resources.jar
-
- ### if [ ! -e /var/lib/tomcat5/common/lib/nsutil.jar ]; then
- ### ln -s /usr/share/java/pki/nsutil.jar nsutil.jar
- ### fi
- ### if [ ! -e /var/lib/tomcat5/common/lib/osutil.jar ]; then
- ### if [ "$ARCHITECTURE" = "sparc" ] ; then
- ### ln -s /usr/lib/java/osutil.jar osutil.jar
- ### elif [ "$ARCHITECTURE" = "sparcv9" ] ; then
- ### ln -s /usr/lib/sparcv9/java/osutil.jar osutil.jar
- ### fi
- ### fi
- ### if [ ! -e /var/lib/tomcat5/common/lib/rhino.jar ]; then
- ### ln -s /usr/share/java/rhino.jar rhino.jar
- ### fi
-
- ### BEGIN SOLARIS-SPECIFIC LINKS
- ### if [ ! -e /var/lib/tomcat5/common/lib/\[servletapi5.jar\] ]; then
- ### ln -s /usr/share/java/servletapi5.jar [servletapi5.jar]
- ### fi
- ### END SOLARIS-SPECIFIC LINKS
-
- ### if [ ! -e /var/lib/tomcat5/common/lib/symkey.jar ]; then
- ### if [ "$ARCHITECTURE" = "sparc" ] ; then
- ### ln -s /usr/lib/java/symkey.jar symkey.jar
- ### elif [ "$ARCHITECTURE" = "sparcv9" ] ; then
- ### ln -s /usr/lib/sparcv9/java/symkey.jar symkey.jar
- ### fi
- ### fi
- ### if [ ! -e /var/lib/tomcat5/common/lib/velocity.jar ]; then
- ### ln -s /usr/share/java/velocity.jar velocity.jar
- ### fi
- ### if [ ! -e /var/lib/tomcat5/common/lib/xalan\-j2.jar ]; then
- ### ln -s /usr/share/java/xalan-j2.jar xalan-j2.jar
- ### fi
-
- if [ ! -e /var/lib/tomcat5/common/lib/xerces\-j2\-2.6.2.jar ]; then
- ln -s /usr/share/java/xerces-j2-2.6.2.jar xerces-j2-2.6.2.jar
- fi
-
- ### if [ ! -e /var/lib/tomcat5/common/lib/xerces\-j2.jar ]; then
- ### ln -s /usr/share/java/xerces-j2.jar xerces-j2.jar
- ### fi
+. /etc/init.d/functions
-
- #######################################
- ## /var/lib/tomcat5/common/endorsed:
- #######################################
-
- # Build the tomcat jar classpath . . .
- CLASSPATH="$CLASSPATH":/usr/share/java/xml-commons-apis.jar
-
- # BEGIN LINUX-SPECIFIC FILE
- # CLASSPATH="$CLASSPATH":/usr/share/java/jaxp_parser_impl.jar
- # END LINUX-SPECIFIC FILE
-
-
- # Relink tomcat jar repositories . . .
- cd /var/lib/tomcat5/common/endorsed
-
- ### BEGIN LINUX-SPECIFIC LINKS
- ### if [ ! -e /var/lib/tomcat5/common/endorsed/\[jaxp_parser_impl\].jar ]; then
- ### ln -s /usr/share/java/jaxp_parser_impl.jar [jaxp_parser_impl].jar
- ### fi
- ### END LINUX-SPECIFIC LINKS
-
- if [ ! -e /var/lib/tomcat5/common/endorsed/\[xml\-commons\-apis\].jar ]; then
- ln -s /usr/share/java/xml-commons-apis.jar [xml-commons-apis].jar
- fi
-
-
- #######################################
- ## /var/lib/tomcat5/server/lib:
- #######################################
-
- # Build the tomcat jar classpath . . .
- CLASSPATH="$CLASSPATH":/usr/share/java/catalina-ant5.jar
- CLASSPATH="$CLASSPATH":/usr/share/java/commons-beanutils.jar
- CLASSPATH="$CLASSPATH":/usr/share/java/commons-digester.jar
- CLASSPATH="$CLASSPATH":/usr/share/java/commons-el.jar
- CLASSPATH="$CLASSPATH":/usr/share/java/commons-fileupload.jar
- CLASSPATH="$CLASSPATH":/usr/share/java/commons-logging.jar
- CLASSPATH="$CLASSPATH":/usr/share/java/commons-modeler.jar
-
- # BEGIN LINUX-SPECIFIC FILE
- # CLASSPATH="$CLASSPATH":/usr/share/java/jdtCompilerAdapter.jar
- # CLASSPATH="$CLASSPATH":/usr/share/java/jdtcore.jar
- # END LINUX-SPECIFIC FILE
-
- CLASSPATH="$CLASSPATH":/usr/share/java/mx4j/mx4j.jar
- CLASSPATH="$CLASSPATH":/usr/share/java/mx4j/mx4j-impl.jar
- CLASSPATH="$CLASSPATH":/usr/share/java/mx4j/mx4j-jmx.jar
- CLASSPATH="$CLASSPATH":/usr/share/java/mx4j/mx4j-remote.jar
- CLASSPATH="$CLASSPATH":/usr/share/java/mx4j/mx4j-rimpl.jar
- CLASSPATH="$CLASSPATH":/usr/share/java/mx4j/mx4j-rjmx.jar
- CLASSPATH="$CLASSPATH":/usr/share/java/mx4j/mx4j-tools.jar
- CLASSPATH="$CLASSPATH":/usr/share/java/regexp.jar
- CLASSPATH="$CLASSPATH":/var/lib/tomcat5/server/lib/catalina-cluster.jar
- CLASSPATH="$CLASSPATH":/var/lib/tomcat5/server/lib/catalina-optional.jar
- CLASSPATH="$CLASSPATH":/var/lib/tomcat5/server/lib/catalina-storeconfig.jar
- CLASSPATH="$CLASSPATH":/var/lib/tomcat5/server/lib/catalina.jar
- if [ "$ARCHITECTURE" = "sparc" ] ; then
- CLASSPATH="$CLASSPATH":/usr/lib/java/dirsec/jss4.jar
- elif [ "$ARCHITECTURE" = "sparcv9" ] ; then
- CLASSPATH="$CLASSPATH":/usr/lib/sparcv9/java/dirsec/jss4.jar
- fi
- CLASSPATH="$CLASSPATH":/var/lib/tomcat5/server/lib/servlets-cgi.renametojar
- CLASSPATH="$CLASSPATH":/var/lib/tomcat5/server/lib/servlets-default.jar
- CLASSPATH="$CLASSPATH":/var/lib/tomcat5/server/lib/servlets-invoker.jar
- CLASSPATH="$CLASSPATH":/var/lib/tomcat5/server/lib/servlets-ssi.renametojar
- CLASSPATH="$CLASSPATH":/var/lib/tomcat5/server/lib/servlets-webdav.jar
- CLASSPATH="$CLASSPATH":/var/lib/tomcat5/server/lib/tomcat-ajp.jar
- CLASSPATH="$CLASSPATH":/var/lib/tomcat5/server/lib/tomcat-coyote.jar
- CLASSPATH="$CLASSPATH":/var/lib/tomcat5/server/lib/tomcat-http.jar
- CLASSPATH="$CLASSPATH":/var/lib/tomcat5/server/lib/tomcat-util.jar
- CLASSPATH="$CLASSPATH":/usr/share/java/tomcatjss.jar
-
-
- # Relink tomcat jar repositories . . .
- cd /var/lib/tomcat5/server/lib
-
- if [ ! -e /var/lib/tomcat5/server/lib/\[catalina\-ant5\].jar ]; then
- ln -s /usr/share/java/catalina-ant5.jar [catalina-ant5].jar
- fi
- if [ ! -e /var/lib/tomcat5/server/lib/\[commons\-beanutils\].jar ]; then
- ln -s /usr/share/java/commons-beanutils.jar [commons-beanutils].jar
- fi
- if [ ! -e /var/lib/tomcat5/server/lib/\[commons\-digester\].jar ]; then
- ln -s /usr/share/java/commons-digester.jar [commons-digester].jar
- fi
- if [ ! -e /var/lib/tomcat5/server/lib/\[commons\-el\].jar ]; then
- ln -s /usr/share/java/commons-el.jar [commons-el].jar
- fi
- if [ ! -e /var/lib/tomcat5/server/lib/\[commons\-fileupload\].jar ]; then
- ln -s /usr/share/java/commons-fileupload.jar [commons-fileupload].jar
- fi
- if [ ! -e /var/lib/tomcat5/server/lib/\[commons\-logging\].jar ]; then
- ln -s /usr/share/java/commons-logging.jar [commons-logging].jar
- fi
- if [ ! -e /var/lib/tomcat5/server/lib/\[commons\-modeler\].jar ]; then
- ln -s /usr/share/java/commons-modeler.jar [commons-modeler].jar
- fi
-
- ### BEGIN LINUX-SPECIFIC LINKS
- ### if [ ! -e /var/lib/tomcat5/server/lib/\[jdtCompilerAdapter\].jar ]; then
- ### ln -s /usr/share/java/jdtCompilerAdapter.jar [jdtCompilerAdapter].jar
- ### fi
- ### if [ ! -e /var/lib/tomcat5/server/lib/\[jdtcore\].jar ]; then
- ### ln -s /usr/share/java/jdtcore.jar [jdtcore].jar
- ### fi
- ### END LINUX-SPECIFIC LINKS
-
- if [ ! -e /var/lib/tomcat5/server/lib/\[mx4j\]\[mx4j\].jar ]; then
- ln -s /usr/share/java/mx4j/mx4j.jar [mx4j][mx4j].jar
- fi
- if [ ! -e /var/lib/tomcat5/server/lib/\[regexp\].jar ]; then
- ln -s /usr/share/java/regexp.jar [regexp].jar
- fi
-
- ### catalina-cluster.jar
- ### catalina-optional.jar
- ### catalina-storeconfig.jar
- ### catalina.jar
- ### if [ ! -e /var/lib/tomcat5/server/lib/jss4.jar ]; then
- ### if [ "$ARCHITECTURE" = "sparc" ] ; then
- ### ln -s /usr/lib/java/dirsec/jss4.jar jss4.jar
- ### elif [ "$ARCHITECTURE" = "sparcv9" ] ; then
- ### ln -s /usr/lib/sparcv9/java/dirsec/jss4.jar jss4.jar
- ### fi
- ### fi
- ### servlets-cgi.renametojar
- ### servlets-default.jar
- ### servlets-invoker.jar
- ### servlets-ssi.renametojar
- ### servlets-webdav.jar
- ### tomcat-ajp.jar
- ### tomcat-coyote.jar
- ### tomcat-http.jar
- ### tomcat-util.jar
- ### if [ ! -e /var/lib/tomcat5/server/lib/tomcatjss.jar ]; then
- ### ln -s /usr/share/java/tomcatjss.jar tomcatjss.jar
- ### fi
-
-
- #######################################
- ## /var/lib/tomcat5/shared/lib:
- #######################################
-
- # Build the tomcat jar classpath . . .
-
- export CLASSPATH
-
-
- # Relink tomcat jar repositories . . .
- cd /var/lib/tomcat5/shared/lib
- fi
-
- # daemon --user $TOMCAT_USER $TOMCAT_SCRIPT start
- if [ ${OS} = "SunOS" ] ; then
- su $TOMCAT_USER -c "$TOMCAT_SCRIPT start" > /dev/null
- else
- runuser -s /bin/bash $TOMCAT_USER -c "$TOMCAT_SCRIPT start" > /dev/null
- fi
-
- rv=$?
- if [ ${rv} = 0 ] ; then
- touch ${PKI_LOCKFILE}
- chown $TOMCAT_USER:$TOMCAT_GROUP $PKI_LOCKFILE
- chmod 00600 $PKI_LOCKFILE
- fi
-
- if [ ${rv} = 0 ] ; then
- count=0;
-
- let swait=$STARTUP_WAIT
- while [ ! -s ${pidfile} ] &&
- [ $count -lt $swait ]
- do
- echo -n "."
- sleep 1
- let count=$count+1;
- done
-
- if [ -f /etc/init.d/functions ]; then
- if [ "$CONSOLETYPE" = "serial" ]; then
- echo -n " "
- fi
- echo_success
- echo
- else
- echo " [ OK ]"
- fi
-
- get_pki_secure_port
- if [ $? -ne 0 ] ; then
- PKI_SECURE_PORT="<Port Undefined>"
- fi
-
- # Set permissions of log files
- pki_logs_directory=${PKI_INSTANCE_PATH}/logs
- pki_signedAudit="${pki_logs_directory}/signedAudit"
- for file in ${pki_logs_directory}/*; do
- if [ ! -d "${file}" ]; then
- chmod 00640 ${file}
- chgrp $TOMCAT_GROUP ${file}
- chown $TOMCAT_USER ${file}
- fi
- done
-
- # Set permissions of signedAudit log files
- # do not set the group id, this will be set by the sgid on the directory
- pki_signedAudit_files=`ls -1A ${pki_signedAudit} | wc -l`
- if [ ${pki_signedAudit_files} -gt 0 ]; then
- for file in ${pki_signedAudit}/*; do
- chmod 00640 ${file}
- chown $TOMCAT_USER ${file}
- done
- fi
-
- # ignore "status" return codes
- echo
- display_instance_status
- else
- if [ -f /etc/init.d/functions ]; then
- if [ "$CONSOLETYPE" = "serial" ]; then
- $0 echo -n " "
- fi
- echo_failure
- echo
- else
- echo " [ FAILED ]"
- fi
- fi
-
- sleep 5
- return ${rv}
-}
-
-stop_instance()
-{
- rv=0
-
- echo -n "Stopping $TOMCAT_PROG: "
-
- if [ -f ${PKI_LOCKFILE} ] ; then
- CATALINA_PID=${pidfile}
- export CATALINA_PID
-
- # daemon --user $TOMCAT_USER $TOMCAT_SCRIPT stop
- if [ ${OS} = "SunOS" ] ; then
- su $TOMCAT_USER -c "$TOMCAT_SCRIPT stop" > /dev/null
- else
- runuser -s /bin/bash $TOMCAT_USER -c "$TOMCAT_SCRIPT stop" > /dev/null
- fi
-
- rv=$?
-
- if [ ${rv} = 0 ]; then
- count=0;
-
- if [ -f ${pidfile} ]; then
- read kpid < ${pidfile}
- let kwait=$SHUTDOWN_WAIT
-
- until [ `ps -p $kpid | grep -c $kpid` = '0' ] ||
- [ $count -gt $kwait ]
- do
- echo -n "."
- sleep 1
- let count=$count+1;
- done
-
- if [ $count -gt $kwait ]; then
- kill -9 $kpid
- fi
- fi
-
- rm -f ${PKI_LOCKFILE}
- rm -f ${pidfile}
-
- if [ -f /etc/init.d/functions ]; then
- if [ "$CONSOLETYPE" = "serial" ]; then
- echo -n " "
- fi
- echo_success
- echo
- else
- echo " [ OK ]"
- fi
- else
- if [ -f /etc/init.d/functions ]; then
- if [ "$CONSOLETYPE" = "serial" ]; then
- echo -n " "
- fi
- echo_failure
- echo
- else
- echo " [ FAILED ]"
- fi
- rv=${default_error}
- fi
- else
- echo
- echo "process already stopped"
- rv=0
- fi
-
- return ${rv}
-}
-
-start()
-{
- # From "http://fedoraproject.org/wiki/FCNewInit/Initscripts":
- #
- # * 0 action was successful
- # * 1 generic or unspecified error (current practice)
- # * 2 invalid or excess argument(s)
- # * 3 unimplemented feature (for example, "reload")
- # * 4 user had insufficient privilege
- # * 5 program is not installed
- # * 6 program is not configured
- # * 7 program is not running
- # * 8-99 reserved for future LSB use
- # * 100-149 reserved for distribution use
- # * 150-199 reserved for application use
- # * 200-254 reserved
- #
-
- error_rv=0
- rv=0
-
- if [ -n "${PKI_REGISTRY_ENTRIES}" ]; then
- config_errors=0
- errors=0
-
- if [ ${TOTAL_PKI_REGISTRY_ENTRIES} -gt 1 ] ; then
- echo "BEGIN STARTING '${PKI_TYPE}' INSTANCE(S):"
- fi
-
- # Start every PKI instance of this type that isn't already running
- for PKI_REGISTRY_ENTRY in ${PKI_REGISTRY_ENTRIES}; do
- # Source values associated with this particular PKI instance
- [ -f ${PKI_REGISTRY_ENTRY} ] &&
- . ${PKI_REGISTRY_ENTRY}
-
- pidfile=${PKI_PIDDIR}/${PKI_PIDFILE}
-
- [ ${TOTAL_PKI_REGISTRY_ENTRIES} -gt 1 ] && echo
-
- start_instance
-
- rv=$?
- if [ ${rv} = 6 ] ; then
- # Since at least ONE configuration error exists, then there
- # is at least ONE unconfigured instance from the PKI point
- # of view.
- #
- # However, it must still be considered that the
- # instance is "running" from the point of view of other
- # OS programs such as 'chkconfig'.
- #
- # Therefore, ignore non-zero return codes resulting
- # from configuration errors.
- #
-
- config_errors=`expr $config_errors + 1`
- rv=0
- elif [ ${rv} != 0 ] ; then
- errors=`expr $errors + 1`
- error_rv=${rv}
- fi
- done
-
- if [ ${TOTAL_PKI_REGISTRY_ENTRIES} -gt ${errors} ] ; then
- touch ${lockfile}
- chmod 00600 ${lockfile}
- fi
-
- # ONLY print a "WARNING" message if multiple
- # instances are being examined
- if [ ${TOTAL_PKI_REGISTRY_ENTRIES} -gt 1 ] ; then
- # NOTE: "bad" return code(s) OVERRIDE configuration errors!
- if [ ${errors} -eq 1 ]; then
- # Since only ONE error exists, return that "bad" error code.
- rv=${error_rv}
- elif [ ${errors} -gt 1 ]; then
- # Since MORE than ONE error exists, return an OVERALL status
- # of "1 generic or unspecified error (current practice)"
- rv=1
- fi
-
- if [ ${errors} -ge 1 ]; then
- echo
- echo -n "WARNING: "
- echo -n "${errors} of ${TOTAL_PKI_REGISTRY_ENTRIES} "
- echo -n "'${PKI_TYPE}' instances failed to start!"
- echo
- fi
-
- if [ ${TOTAL_UNCONFIGURED_PKI_ENTRIES} -ge 1 ]; then
- echo
- echo -n "WARNING: "
- echo -n "${TOTAL_UNCONFIGURED_PKI_ENTRIES} "
- echo -n "of ${TOTAL_PKI_REGISTRY_ENTRIES} "
- echo -n "'${PKI_TYPE}' instances MUST be configured!"
- echo
- fi
-
- echo
- echo "FINISHED STARTING '${PKI_TYPE}' INSTANCE(S)."
- fi
- else
- echo
- echo "ERROR: No '${PKI_TYPE}' instances installed!"
- rv=5
- fi
-
- return ${rv}
-}
-
-stop()
-{
- # From "http://fedoraproject.org/wiki/FCNewInit/Initscripts":
- #
- # * 0 action was successful
- # * 1 generic or unspecified error (current practice)
- # * 2 invalid or excess argument(s)
- # * 3 unimplemented feature (for example, "reload")
- # * 4 user had insufficient privilege
- # * 5 program is not installed
- # * 6 program is not configured
- # * 7 program is not running
- # * 8-99 reserved for future LSB use
- # * 100-149 reserved for distribution use
- # * 150-199 reserved for application use
- # * 200-254 reserved
- #
-
- error_rv=0
- rv=0
-
- if [ -n "${PKI_REGISTRY_ENTRIES}" ]; then
- errors=0
-
- if [ ${TOTAL_PKI_REGISTRY_ENTRIES} -gt 1 ] ; then
- echo "BEGIN SHUTTING DOWN '${PKI_TYPE}' INSTANCE(S):"
- fi
-
- # Shutdown every PKI instance of this type that is running
- for PKI_REGISTRY_ENTRY in ${PKI_REGISTRY_ENTRIES}; do
- # Source values associated with this particular PKI instance
- [ -f ${PKI_REGISTRY_ENTRY} ] &&
- . ${PKI_REGISTRY_ENTRY}
-
- pidfile=${PKI_PIDDIR}/${PKI_PIDFILE}
-
- [ ${TOTAL_PKI_REGISTRY_ENTRIES} -gt 1 ] && echo
-
- stop_instance
-
- rv=$?
- if [ ${rv} != 0 ] ; then
- errors=`expr $errors + 1`
- error_rv=${rv}
- fi
- done
-
- if [ ${errors} -eq 0 ] ; then
- rm -f ${lockfile}
- fi
-
- # ONLY print a "WARNING" message if multiple
- # instances are being examined
- if [ ${TOTAL_PKI_REGISTRY_ENTRIES} -gt 1 ] ; then
- if [ ${errors} -eq 1 ]; then
- # Since only ONE error exists, return that "bad" error code.
- rv=${error_rv}
- elif [ ${errors} -gt 1 ]; then
- # Since MORE than ONE error exists, return an OVERALL status
- # of "1 generic or unspecified error (current practice)"
- rv=1
- fi
-
- if [ ${errors} -ge 1 ]; then
- echo
- echo -n "WARNING: "
- echo -n "${errors} of ${TOTAL_PKI_REGISTRY_ENTRIES} "
- echo -n "'${PKI_TYPE}' instances were "
- echo -n "unsuccessfully stopped!"
- echo
- fi
-
- echo
- echo "FINISHED SHUTTING DOWN '${PKI_TYPE}' INSTANCE(S)."
- fi
- else
- echo
- echo "ERROR: No '${PKI_TYPE}' instances installed!"
- rv=5
- fi
-
- return ${rv}
-}
-
-restart()
-{
- # From "http://fedoraproject.org/wiki/FCNewInit/Initscripts":
- #
- # * 0 action was successful
- # * 1 generic or unspecified error (current practice)
- # * 2 invalid or excess argument(s)
- # * 3 unimplemented feature (for example, "reload")
- # * 4 user had insufficient privilege
- # * 5 program is not installed
- # * 6 program is not configured
- # * 7 program is not running
- # * 8-99 reserved for future LSB use
- # * 100-149 reserved for distribution use
- # * 150-199 reserved for application use
- # * 200-254 reserved
- #
-
- stop
- sleep 2
- echo
- echo "============================================================"
- echo
- start
-
- return $?
-}
-
-status()
-{
- # From "http://fedoraproject.org/wiki/FCNewInit/Initscripts":
- #
- # * 0 program is running or service is OK
- # * 1 program is dead and /var/run pid file exists
- # * 2 program is dead and /var/lock lock file exists
- # * 3 program is not running
- # * 4 program or service status is unknown
- # * 5-99 reserved for future LSB use
- # * 100-149 reserved for distribution use
- # * 150-199 reserved for application use
- # * 200-254 reserved
- #
-
- error_rv=0
- rv=0
-
- if [ -n "${PKI_REGISTRY_ENTRIES}" ]; then
- errors=0
-
- if [ ${TOTAL_PKI_REGISTRY_ENTRIES} -gt 1 ] ; then
- echo "REPORT STATUS OF '${PKI_TYPE}' INSTANCE(S):"
- fi
-
- # Obtain status of every PKI instance of this type
- for PKI_REGISTRY_ENTRY in ${PKI_REGISTRY_ENTRIES}; do
- # Source values associated with this particular PKI instance
- [ -f ${PKI_REGISTRY_ENTRY} ] &&
- . ${PKI_REGISTRY_ENTRY}
-
- pidfile=${PKI_PIDDIR}/${PKI_PIDFILE}
-
- [ ${TOTAL_PKI_REGISTRY_ENTRIES} -gt 1 ] && echo
-
- display_instance_status
-
- rv=$?
- if [ ${rv} -ne 0 ] ; then
- errors=`expr $errors + 1`
- error_rv=${rv}
- fi
- done
-
- # ONLY print a "WARNING" message if multiple
- # instances are being examined
- if [ ${TOTAL_PKI_REGISTRY_ENTRIES} -gt 1 ] ; then
- if [ ${errors} -eq 1 ]; then
- # Since only ONE error exists, return that "bad" error code.
- rv=${error_rv}
- elif [ ${errors} -gt 1 ]; then
- # Since MORE than ONE error exists, return an OVERALL status
- # of "4 - program or service status is unknown"
- rv=4
- fi
-
- if [ ${errors} -ge 1 ]; then
- echo
- echo -n "WARNING: "
- echo -n "${errors} of ${TOTAL_PKI_REGISTRY_ENTRIES} "
- echo -n "'${PKI_TYPE}' instances reported status failures!"
- echo
- fi
-
- if [ ${TOTAL_UNCONFIGURED_PKI_ENTRIES} -ge 1 ]; then
- echo
- echo -n "WARNING: "
- echo -n "${TOTAL_UNCONFIGURED_PKI_ENTRIES} "
- echo -n "of ${TOTAL_PKI_REGISTRY_ENTRIES} "
- echo -n "'${PKI_TYPE}' instances MUST be configured!"
- echo
- fi
-
- echo
- echo "FINISHED REPORTING STATUS OF '${PKI_TYPE}' INSTANCE(S)."
- fi
- else
- echo
- echo "ERROR: No '${PKI_TYPE}' instances installed!"
- rv=4
- fi
-
- return ${rv}
-}
+# Source the PKI function library
+. /usr/share/pki/scripts/functions
# See how we were called.
-case "${command}" in
- start|stop|restart|status)
- ${command}
- exit $?
- ;;
- condrestart|force-restart|try-restart)
- [ ! -f ${lockfile} ] || restart
- exit $?
- ;;
- reload)
- echo "The 'reload' action is an unimplemented feature."
- exit ${default_error}
- ;;
- *)
- # * 3 unimplemented feature (for example, "reload")
- # [invalid command - should never be reached]
- echo
- usage
- echo "where valid instance names include:"
- list_instances
- exit 3
- ;;
+case $command in
+ status)
+ registry_status
+ exit $?
+ ;;
+ start)
+ start
+ exit $?
+ ;;
+ restart)
+ restart
+ exit $?
+ ;;
+ stop)
+ stop
+ exit $?
+ ;;
+ condrestart|force-restart|try-restart)
+ [ ! -f ${lockfile} ] || restart
+ exit $?
+ ;;
+ reload)
+ echo "The 'reload' action is an unimplemented feature."
+ exit ${default_error}
+ ;;
+ *)
+ echo "unknown action ($command)"
+ usage
+ echo "where valid instance names include:"
+ list_instances
+ exit ${default_error}
+ ;;
esac
diff --git a/pki/base/ocsp/build.xml b/pki/base/ocsp/build.xml
index 27cec54ef..d9b783c1d 100644
--- a/pki/base/ocsp/build.xml
+++ b/pki/base/ocsp/build.xml
@@ -191,6 +191,7 @@
filemode="644"
prefix="usr/share/${product.prefix}/${product}/setup">
<include name="config.desktop"/>
+ <include name="registry_instance"/>
</zipfileset>
<zipfileset dir="./shared/etc/init.d"
filemode="755"
@@ -198,15 +199,9 @@
<include name="pki-ocspd"/>
</zipfileset>
<zipfileset dir="./shared"
- filemode="755"
- prefix="usr/share/${product.prefix}/${product}">
- <include name="conf/dtomcat5"/>
- </zipfileset>
- <zipfileset dir="./shared"
filemode="644"
prefix="usr/share/${product.prefix}/${product}">
<include name="**"/>
- <exclude name="conf/dtomcat5"/>
<exclude name="etc/init.d/pki-ocspd"/>
</zipfileset>
<zipfileset dir="."
@@ -230,6 +225,7 @@
mode="644"
prefix="${dist.name}/usr/share/${product.prefix}/${product}/setup">
<include name="config.desktop"/>
+ <include name="registry_instance"/>
</tarfileset>
<tarfileset dir="./shared/etc/init.d"
mode="755"
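Review bot: The new `<include name="registry_instance"/>` is added here and, identically, in the zipfileset hunk above, so the setup-file list is now maintained in two parallel places that will drift the next time a setup file is added. A shared `<patternset id="setup.files">` holding `config.desktop` and `registry_instance`, referenced from both filesets with `<patternset refid="setup.files"/>`, would keep the zip and tar distributions in step. This is a maintenance point only; the packaging itself looks correct as written.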
@@ -237,15 +233,9 @@
<include name="pki-ocspd"/>
</tarfileset>
<tarfileset dir="./shared"
- mode="755"
- prefix="${dist.name}/usr/share/${product.prefix}/${product}">
- <include name="conf/dtomcat5"/>
- </tarfileset>
- <tarfileset dir="./shared"
mode="644"
prefix="${dist.name}/usr/share/${product.prefix}/${product}">
<include name="**"/>
- <exclude name="conf/dtomcat5"/>
<exclude name="etc/init.d/pki-ocspd"/>
</tarfileset>
<tarfileset dir="."
diff --git a/pki/base/ocsp/setup/registry_instance b/pki/base/ocsp/setup/registry_instance
new file mode 100644
index 000000000..7f0e592a1
--- /dev/null
+++ b/pki/base/ocsp/setup/registry_instance
@@ -0,0 +1,54 @@
+# Establish PKI Variable "Slot" Substitutions
+
+PKI_FLAVOR=[PKI_FLAVOR]
+export PKI_FLAVOR
+
+PKI_SUBSYSTEM_TYPE=[PKI_SUBSYSTEM_TYPE]
+export PKI_SUBSYSTEM_TYPE
+
+PKI_USER=[PKI_USER]
+export PKI_USER
+
+PKI_GROUP=[PKI_GROUP]
+export PKI_GROUP
+
+PKI_INSTANCE_ID=[PKI_INSTANCE_ID]
+export PKI_INSTANCE_ID
+
+PKI_INSTANCE_PATH=[PKI_INSTANCE_PATH]
+export PKI_INSTANCE_PATH
+
+PKI_INSTANCE_INITSCRIPT=[PKI_INSTANCE_INITSCRIPT]
+export PKI_INSTANCE_INITSCRIPT
+
+PKI_SERVER_XML_CONF=[PKI_SERVER_XML_CONF]
+export PKI_SERVER_XML_CONF
+
+# Use CATALINA_BASE
+
+CATALINA_BASE=$PKI_INSTANCE_PATH
+export CATALINA_BASE
+
+TOMCAT_PROG=$PKI_INSTANCE_ID
+export TOMCAT_PROG
+
+TOMCAT_USER=$PKI_USER
+export TOMCAT_USER
+
+TOMCAT_GROUP=$PKI_GROUP
+export TOMCAT_GROUP
+
+PKI_LOCKDIR="/var/lock/${PKI_FLAVOR}/${PKI_SUBSYSTEM_TYPE}"
+export PKI_LOCKDIR
+
+PKI_LOCKFILE="${PKI_LOCKDIR}/${PKI_INSTANCE_ID}.pid"
+export PKI_LOCKFILE
+
+TOMCAT_PIDFILE=[TOMCAT_PIDFILE]
+export TOMCAT_PIDFILE
+
+pki_instance_configuration_file=${PKI_INSTANCE_PATH}/conf/CS.cfg
+export pki_instance_configuration_file
+
+RESTART_SERVER=${PKI_INSTANCE_PATH}/conf/restart_server_after_configuration
+export RESTART_SERVER
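Review bot: The slot values written into this file are unquoted (`PKI_USER=[PKI_USER]`, `PKI_INSTANCE_PATH=[PKI_INSTANCE_PATH]`, `TOMCAT_PIDFILE=[TOMCAT_PIDFILE]`), and this file is shell that the init script sources (the removed start/stop/status code above does `. ${PKI_REGISTRY_ENTRY}`, and the new code presumably does the same via the functions library), so a substituted value containing whitespace, `;` or glob characters is parsed as shell rather than treated as data. The generator should emit every slot double-quoted, e.g. `PKI_INSTANCE_PATH="[PKI_INSTANCE_PATH]"` and `TOMCAT_PIDFILE="[TOMCAT_PIDFILE]"`, and a comment at the top should state that the file is executed by the root-run initscript, so the installer must create it root-owned and not writable by `PKI_USER`/`PKI_GROUP`, otherwise the service account can escalate by editing it. Separately, `PKI_LOCKFILE="${PKI_LOCKDIR}/${PKI_INSTANCE_ID}.pid"` gives a `.pid` suffix to what the removed `start_instance` uses purely as a lock file (`touch`/`chmod 00600`), right next to a real `TOMCAT_PIDFILE`; a `.lock` suffix would avoid the two being confused.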
diff --git a/pki/base/ocsp/shared/conf/catalina.policy b/pki/base/ocsp/shared/conf/catalina.policy
index 8f481e333..cf8302cd0 100644
--- a/pki/base/ocsp/shared/conf/catalina.policy
+++ b/pki/base/ocsp/shared/conf/catalina.policy
@@ -1,5 +1,26 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// Copyright (C) 2006-2010 Red Hat, Inc.
+// All rights reserved.
+// Modifications: configuration parameters
+// --- END COPYRIGHT BLOCK ---
+
+// Licensed to the Apache Software Foundation (ASF) under one or more
+// contributor license agreements. See the NOTICE file distributed with
+// this work for additional information regarding copyright ownership.
+// The ASF licenses this file to You under the Apache License, Version 2.0
+// (the "License"); you may not use this file except in compliance with
+// the License. You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
// ============================================================================
-// catalina.corepolicy - Security Policy Permissions for Tomcat 5
+// catalina.corepolicy - Security Policy Permissions for Tomcat 6
//
// This file contains a default set of security policies to be enforced (by the
// JVM) when Catalina is executed with the "-security" option. In addition
@@ -40,35 +61,16 @@ grant codeBase "file:${java.home}/lib/ext/-" {
// ========== CATALINA CODE PERMISSIONS =======================================
-// These permissions apply to the launcher code
-grant codeBase "file:${catalina.home}/bin/commons-launcher.jar" {
- permission java.security.AllPermission;
-};
-
// These permissions apply to the daemon code
grant codeBase "file:${catalina.home}/bin/commons-daemon.jar" {
permission java.security.AllPermission;
};
-// These permissions apply to the commons-logging API
-grant codeBase "file:${catalina.home}/bin/commons-logging-api.jar" {
- permission java.security.AllPermission;
-};
-
-// These permissions apply to the server startup code
-grant codeBase "file:${catalina.home}/bin/bootstrap.jar" {
- permission java.security.AllPermission;
-};
-
-// These permissions apply to the JMX server
-grant codeBase "file:${catalina.home}/bin/jmx.jar" {
- permission java.security.AllPermission;
-};
-
-// These permissions apply to JULI
+// These permissions apply to the logging API
grant codeBase "file:${catalina.home}/bin/tomcat-juli.jar" {
permission java.util.PropertyPermission "java.util.logging.config.class", "read";
permission java.util.PropertyPermission "java.util.logging.config.file", "read";
+ permission java.io.FilePermission "${java.home}${file.separator}lib${file.separator}logging.properties", "read";
permission java.lang.RuntimePermission "shutdownHooks";
permission java.io.FilePermission "${catalina.base}${file.separator}conf${file.separator}logging.properties", "read";
permission java.util.PropertyPermission "catalina.base", "read";
@@ -82,24 +84,19 @@ grant codeBase "file:${catalina.home}/bin/tomcat-juli.jar" {
// permission java.io.FilePermission "${catalina.base}${file.separator}webapps${file.separator}examples${file.separator}WEB-INF${file.separator}classes${file.separator}logging.properties", "read";
};
-// These permissions apply to the servlet API classes
-// and those that are shared across all class loaders
-// located in the "common" directory
-grant codeBase "file:${catalina.home}/common/-" {
+// These permissions apply to the server startup code
+grant codeBase "file:${catalina.home}/bin/bootstrap.jar" {
permission java.security.AllPermission;
};
-// These permissions apply to the container's core code, plus any additional
-// libraries installed in the "server" directory
-grant codeBase "file:${catalina.home}/server/-" {
+// These permissions apply to the servlet API classes
+// and those that are shared across all class loaders
+// located in the "lib" directory
+grant codeBase "file:${catalina.home}/lib/-" {
permission java.security.AllPermission;
};
-// The permissions granted to the balancer WEB-INF/classes and WEB-INF/lib directory
-grant codeBase "file:${catalina.home}/webapps/balancer/-" {
- permission java.lang.RuntimePermission "accessClassInPackage.org.apache.tomcat.util.digester";
- permission java.lang.RuntimePermission "accessClassInPackage.org.apache.tomcat.util.digester.*";
-};
+
// ========== WEB APPLICATION PERMISSIONS =====================================
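Review bot: The replacement grant covers only `${catalina.home}/lib/-`, while the final hunk of this file (the one deleting the `// These permissions apply to PKI` block) removes the AllPermission grants for jss4.jar, osutil.jar, symkey.jar, tomcatjss.jar and `/usr/share/java/pki/-` without a successor. If those jars are now expected to load through the `[TOMCAT_INSTANCE_COMMON_LIB]` entry that this commit adds to `common.loader` in catalina.properties, nothing in this policy grants them more than the default web-application permissions when the instance is started with `-security`; if the security manager is simply not used for PKI instances, that should be stated. A comment at this grant such as `// PKI jars resolved from the instance common lib are intentionally not granted here; see common.loader in catalina.properties` would record the decision either way, and if they do need a grant it should be scoped to that path rather than restoring the old per-jar list.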
@@ -147,6 +144,9 @@ grant {
permission java.lang.RuntimePermission "accessClassInPackage.org.apache.jasper.runtime";
permission java.lang.RuntimePermission "accessClassInPackage.org.apache.jasper.runtime.*";
+ // Precompiled JSPs need access to this system property.
+ permission java.util.PropertyPermission "org.apache.jasper.runtime.BodyContentImpl.LIMIT_BUFFER", "read";
+
};
@@ -182,58 +182,3 @@ grant {
// permission java.net.SocketPermission "*.noaa.gov:80", "connect";
// };
-
-
-// These permissions apply to Tomcat5 java
-grant codeBase "file:/usr/share/java/tomcat5/-" {
- permission java.security.AllPermission;
-};
-grant codeBase "file:/usr/share/java/jakarta-commons-modeler.jar" {
- permission java.security.AllPermission;
-};
-grant codeBase "file:/usr/share/java/jasper5-compiler.jar" {
- permission java.security.AllPermission;
-};
-grant codeBase "file:/usr/share/java/jasper5-runtime.jar" {
- permission java.security.AllPermission;
-};
-
-
-
-// These permissions apply to PKI configuration
-grant codeBase "file:/usr/share/java/velocity.jar" {
- permission java.security.AllPermission;
-};
-grant codeBase "file:/usr/share/java/tomcat5-servlet-2.4-api.jar" {
- permission java.security.AllPermission;
-};
-
-
-
-
-// These permissions apply to PKI support
-grant codeBase "file:/usr/share/java/ldapjdk.jar" {
- permission java.security.AllPermission;
-};
-
-
-
-// These permissions apply to PKI
-grant codeBase "file:/usr/lib/java/jss4.jar" {
- permission java.security.AllPermission;
-};
-grant codeBase "file:/usr/share/java/tomcatjss.jar" {
- permission java.security.AllPermission;
-};
-grant codeBase "file:/usr/lib/java/osutil.jar" {
- permission java.security.AllPermission;
-};
-grant codeBase "file:/usr/lib/java/symkey.jar" {
- permission java.security.AllPermission;
-};
-grant codeBase "file:/usr/share/java/pki/-" {
- permission java.security.AllPermission;
-};
-
-
-
diff --git a/pki/base/ocsp/shared/conf/catalina.properties b/pki/base/ocsp/shared/conf/catalina.properties
index 3778ce4f6..70cb7c05e 100644
--- a/pki/base/ocsp/shared/conf/catalina.properties
+++ b/pki/base/ocsp/shared/conf/catalina.properties
@@ -1,8 +1,24 @@
# --- BEGIN COPYRIGHT BLOCK ---
-# Copyright (C) 2006 Red Hat, Inc.
+# Copyright (C) 2006-2010 Red Hat, Inc.
# All rights reserved.
+# Modifications: configuration parameters
# --- END COPYRIGHT BLOCK ---
+
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
#
# List of comma-separated packages that start with or equal this string
# will cause a security exception to be thrown when
@@ -34,7 +50,7 @@ package.definition=sun.,java.,org.apache.catalina.,org.apache.coyote.,org.apache
# "foo/*.jar": Add all the JARs of the specified folder as class
# repositories
# "foo/bar.jar": Add bar.jar as a class repository
-common.loader=${catalina.home}/common/classes,${catalina.home}/common/i18n/*.jar,${catalina.home}/common/endorsed/*.jar,${catalina.home}/common/lib/*.jar
+common.loader=${catalina.home}/lib,${catalina.home}/lib/*.jar,[TOMCAT_INSTANCE_COMMON_LIB]
#
# List of comma-separated paths defining the contents of the "server"
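Review bot: `common.loader` now ends with the `[TOMCAT_INSTANCE_COMMON_LIB]` slot and nothing in the file says what form that value must take; the note added to `shared.loader` in the last hunk of this file (single jars need the `file:` URL form) applies equally here and should be placed above this entry too. If the slot is ever left unsubstituted, the literal bracketed token is just a non-existent repository that the class loader skips, so the instance would start without its common jars rather than fail loudly. A comment naming the contract, e.g. `# [TOMCAT_INSTANCE_COMMON_LIB] is replaced at instance creation with a directory, a dir/*.jar glob, or a file: URL`, would help the next person who edits the slot substitution.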
@@ -47,7 +63,7 @@ common.loader=${catalina.home}/common/classes,${catalina.home}/common/i18n/*.jar
# "foo/*.jar": Add all the JARs of the specified folder as class
# repositories
# "foo/bar.jar": Add bar.jar as a class repository
-server.loader=${catalina.home}/server/classes,${catalina.home}/server/lib/*.jar
+server.loader=
#
# List of comma-separated paths defining the contents of the "shared"
@@ -59,7 +75,9 @@ server.loader=${catalina.home}/server/classes,${catalina.home}/server/lib/*.jar
# "foo/*.jar": Add all the JARs of the specified folder as class
# repositories
# "foo/bar.jar": Add bar.jar as a class repository
-shared.loader=${catalina.base}/shared/classes,${catalina.base}/shared/lib/*.jar
+# Please note that for single jars, e.g. bar.jar, you need the URL form
+# starting with file:.
+shared.loader=
#
# String cache configuration.
diff --git a/pki/base/ocsp/shared/conf/context.xml b/pki/base/ocsp/shared/conf/context.xml
index 60878b74b..8b6fe4905 100644
--- a/pki/base/ocsp/shared/conf/context.xml
+++ b/pki/base/ocsp/shared/conf/context.xml
@@ -1,9 +1,27 @@
+<?xml version='1.0' encoding='utf-8'?>
<!-- BEGIN COPYRIGHT BLOCK
- Copyright (C) 2006 Red Hat, Inc.
+ Copyright (C) 2006-2010 Red Hat, Inc.
All rights reserved.
+ Modifications: configuration parameters
END COPYRIGHT BLOCK -->
+<!--
+ Licensed to the Apache Software Foundation (ASF) under one or more
+ contributor license agreements. See the NOTICE file distributed with
+ this work for additional information regarding copyright ownership.
+ The ASF licenses this file to You under the Apache License, Version 2.0
+ (the "License"); you may not use this file except in compliance with
+ the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+-->
<!-- The contents of this file will be loaded for each web application -->
-<Context crossContext="true">
+<Context crossContext="true" allowLinking="true">
<!-- Default set of monitored resources -->
<WatchedResource>WEB-INF/web.xml</WatchedResource>
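Review bot: `allowLinking="true"` on the `<Context>` element is a security-relevant change that the hunk does not explain: it makes Tomcat follow symbolic links inside a web application to resources outside its base path, and Tomcat's own documentation warns that it must not be enabled on case-insensitive filesystems because it also disables case-sensitivity checks and can disclose JSP source. Since this context.xml is applied to every web application in the instance, a comment stating why it is needed (presumably the instance webapps are symlinks into the shared install tree) and that the file assumes a case-sensitive filesystem would be worthwhile, e.g. `<!-- allowLinking is needed because instance webapps are symlinked to the shared install; only safe on case-sensitive filesystems -->` placed just above the `<Context>` line.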
@@ -13,4 +31,10 @@
<Manager pathname="" />
-->
+ <!-- Uncomment this to enable Comet connection tacking (provides events
+ on session expiration as well as webapp lifecycle) -->
+ <!--
+ <Valve className="org.apache.catalina.valves.CometConnectionManagerValve" />
+ -->
+
</Context>
diff --git a/pki/base/ocsp/shared/conf/dtomcat5 b/pki/base/ocsp/shared/conf/dtomcat5
deleted file mode 100755
index 2eeb889e6..000000000
--- a/pki/base/ocsp/shared/conf/dtomcat5
+++ /dev/null
@@ -1,476 +0,0 @@
-#!/bin/bash
-#
-# --- BEGIN COPYRIGHT BLOCK ---
-# Copyright (C) 2006 Red Hat, Inc.
-# All rights reserved.
-# --- END COPYRIGHT BLOCK ---
-#
-# -----------------------------------------------------------------------------
-# Start/Stop Script for the CATALINA Server
-#
-# Environment Variable Prequisites
-#
-# CATALINA_HOME May point at your Catalina "build" directory.
-#
-# CATALINA_BASE (Optional) Base directory for resolving dynamic portions
-# of a Catalina installation. If not present, resolves to
-# the same directory that CATALINA_HOME points to.
-#
-# CATALINA_OPTS (Optional) Java runtime options used when the "start",
-# "stop", or "run" command is executed.
-#
-# CATALINA_TMPDIR (Optional) Directory path location of temporary directory
-# the JVM should use (java.io.tmpdir). Defaults to
-# $CATALINA_BASE/temp.
-#
-# JAVA_HOME Must point at your Java Development Kit installation.
-# Required to run the with the "debug" or "javac" argument.
-#
-# JRE_HOME Must point at your Java Development Kit installation.
-# Defaults to JAVA_HOME if empty.
-#
-# JAVA_OPTS (Optional) Java runtime options used when the "start",
-# "stop", or "run" command is executed.
-#
-# JPDA_TRANSPORT (Optional) JPDA transport used when the "jpda start"
-# command is executed. The default is "dt_socket".
-#
-# JPDA_ADDRESS (Optional) Java runtime options used when the "jpda start"
-# command is executed. The default is 8000.
-#
-# JSSE_HOME (Optional) May point at your Java Secure Sockets Extension
-# (JSSE) installation, whose JAR files will be added to the
-# system class path used to start Tomcat.
-#
-# CATALINA_PID (Optional) Path of the file which should contains the pid
-# of catalina startup java process, when start (fork) is used
-#
-# $Id$
-# -----------------------------------------------------------------------------
-
-# Disallow 'others' the ability to 'write' to new files
-umask 00002
-
-# Check to insure that this script's original invocation directory
-# has not been deleted!
-CWD=`/bin/pwd > /dev/null 2>&1`
-if [ $? -ne 0 ] ; then
- echo "Cannot invoke '$0' from non-existent directory!"
- exit 255
-fi
-
-# Check to insure that this script's associated PKI
-# subsystem currently resides on this system.
-PKI_SUBSYSTEM_TYPE=[PKI_SUBSYSTEM_TYPE]
-if [ ! -d /usr/share/pki/${PKI_SUBSYSTEM_TYPE} ] ; then
- echo "This machine is missing the '${PKI_SUBSYSTEM_TYPE}' subsystem!"
- exit 255
-fi
-
-# OS specific support. $var _must_ be set to either true or false.
-OS=`uname -s`
-cygwin=false
-os400=false
-case "${OS}" in
-CYGWIN*) cygwin=true;;
-OS400*) os400=true;;
-esac
-
-TOMCAT_CFG=[PKI_INSTANCE_PATH]/conf/tomcat5.conf
-JAVADIR="/usr/share/java"
-
-# resolve links - $0 may be a softlink
-PRG="$0"
-
-while [ -h "$PRG" ]; do
- ls=`ls -ld "$PRG"`
- link=`expr "$ls" : '.*-> \(.*\)$'`
- if expr "$link" : '.*/.*' > /dev/null; then
- PRG="$link"
- else
- PRG=`dirname "$PRG"`/"$link"
- fi
-done
-
-# Get standard environment variables
-PRGDIR=`dirname "$PRG"`
-
-# Only set CATALINA_HOME if not already set
-[ -z "$CATALINA_HOME" ] && CATALINA_HOME=`cd "$PRGDIR/.." ; pwd`
-
-if [ -r "$CATALINA_HOME"/bin/setenv.sh ]; then
- . "$CATALINA_HOME"/bin/setenv.sh
-fi
-
-# For Cygwin, ensure paths are in UNIX format before anything is touched
-if $cygwin; then
- [ -n "$JAVA_HOME" ] && JAVA_HOME=`cygpath --unix "$JAVA_HOME"`
- [ -n "$JRE_HOME" ] && JRE_HOME=`cygpath --unix "$JRE_HOME"`
- [ -n "$CATALINA_HOME" ] && CATALINA_HOME=`cygpath --unix "$CATALINA_HOME"`
- [ -n "$CATALINA_BASE" ] && CATALINA_BASE=`cygpath --unix "$CATALINA_BASE"`
- [ -n "$CLASSPATH" ] && CLASSPATH=`cygpath --path --unix "$CLASSPATH"`
- [ -n "$JSSE_HOME" ] && JSSE_HOME=`cygpath --absolute --unix "$JSSE_HOME"`
-fi
-
-# For OS400
-if $os400; then
- # Set job priority to standard for interactive (interactive - 6) by using
- # the interactive priority - 6, the helper threads that respond to requests
- # will be running at the same priority as interactive jobs.
- COMMAND='chgjob job('$JOBNAME') runpty(6)'
- system $COMMAND
-
- # Enable multi threading
- export QIBM_MULTI_THREADED=Y
-fi
-
-[ -r "$TOMCAT_CFG" ] && . "${TOMCAT_CFG}"
-
-### Set up defaults if they were omitted in TOMCAT_CFG
-### JVM lookup
-if [ -z "$JAVA_HOME" ]; then
- # Search for java in PATH
- JAVA=`which java`
- if [ -z "$JAVA" ] ; then
- JAVA_BINDIR=`dirname ${JAVA}`
- JAVA_HOME="${JAVA_BINDIR}/.."
- fi
- # Default clean JAVA_HOME
- [ -z "$JAVA_HOME" -a -d "/usr/lib/java" ] && JAVA_HOME="/usr/lib/java"
- # Default IBM JAVA_HOME
- [ -z "$JAVA_HOME" -a -d "/opt/IBMJava2-13" ] && \
- JAVA_HOME="/opt/IBMJava2-13"
- [ -z "$JAVA_HOME" -a -d "/opt/IBMJava2-131" ] && \
- JAVA_HOME="/opt/IBMJava2-131"
- [ -z "$JAVA_HOME" -a -d "/opt/IBMJava2-14" ] && \
- JAVA_HOME="/opt/IBMJava2-14"
- [ -z "$JAVA_HOME" -a -d "/opt/IBMJava2-141" ] && \
- JAVA_HOME="/opt/IBMJava2-141"
- # Another solution
- [ -z "$JAVA_HOME" -a -d "/usr/java/jdk" ] && \
- JAVA_HOME="/usr/java/jdk"
- # madeinlinux JAVA_HOME
- [ -z "$JAVA_HOME" -a -d "/usr/local/jdk1.2.2" ] && \
- JAVA_HOME="/usr/local/jdk1.2.2"
- # Kondara JAVA_HOME
- [ -z "$JAVA_HOME" -a -d "/usr/lib/java/jdk1.2.2" ] && \
- JAVA_HOME="/usr/lib/java/jdk1.2.2"
- # Other commonly found JAVA_HOMEs
- [ -z "$JAVA_HOME" -a -d "/usr/jdk1.2" ] && JAVA_HOME="/usr/jdk1.2"
- # Default Caldera JAVA_HOME
- [ -z "$JAVA_HOME" -a -d "/opt/java-1.3" ] && \
- JAVA_HOME="/opt/java-1.3"
- # Add other locations here
- if [ -z "$JAVA_HOME" ]; then
- echo "No JAVA_HOME specified in ${TOMCAT_CFG} and no java found"
- exit 1
- else
- echo "Found JAVA_HOME: ${JAVA_HOME}"
- echo "Please complete your ${TOMCAT_CFG} so we won't have to look for it next time"
- fi
-fi
-
-# Set juli LogManager if it is present
-if [ -r "$CATALINA_HOME"/bin/tomcat-juli.jar ]; then
- JAVA_OPTS="$JAVA_OPTS "-Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager
-fi
-
-# Set standard commands for invoking Java.
-_RUNJAVA="$JAVA_HOME"/bin/java
-_RUNJAVAC="$JAVA_HOME"/bin/javac
-_RUNJDB="$JAVA_HOME"/bin/jdb
-
-# Set standard CLASSPATH
-# (always inherit any preset values from the PKI start script)
-if [ ${OS} = "Linux" ] ; then
- # Checking for OpenJDK JVM
- OPENJDK_JVM="`java -version 2>&1 | tail -1 | awk '{print $1};'`"
- if [ "${OPENJDK_JVM}" = "OpenJDK" ] ||
- [ "${OPENJDK_JVM}" = "IcedTea" ]; then
- # using OpenJDK
- CLASSPATH="$CLASSPATH":"$JAVA_HOME"/lib/rt.jar
-
- # add required classes to the CLASSPATH for OpenJDK
- CLASSPATH="$CLASSPATH":"$JAVADIR"/commons-collections.jar
- else
- # NOT using OpenJDK
- CLASSPATH="$CLASSPATH":"$JAVA_HOME"/lib/tools.jar
- fi
-elif [ ${OS} = "SunOS" ] ; then
- CLASSPATH="$CLASSPATH":"$JAVA_HOME"/lib/rt.jar
-fi
-
-# Add on extra jar files to CLASSPATH
-if [ -n "$JSSE_HOME" ]; then
- CLASSPATH="$CLASSPATH":"$JSSE_HOME"/lib/jcert.jar:"$JSSE_HOME"/lib/jnet.jar:"$JSSE_HOME"/lib/jsse.jar
-fi
-
-# JPackage JSSE location check
-if [ -r "$JAVADIR/jsse/jcert.jar" ]; then
- CLASSPATH="$CLASSPATH":"$JAVADIR"/jsse/jcert.jar:"$JAVADIR"/jsse/jnet.jar:"$JAVADIR"/jsse/jsse.jar
-fi
-
-if [ ${OS} = "Linux" ] ; then
- CLASSPATH="$CLASSPATH":"$CATALINA_HOME"/bin/bootstrap.jar:"$CATALINA_HOME"/bin/commons-logging-api.jar:`/usr/bin/build-classpath mx4j/mx4j-impl`:`/usr/bin/build-classpath mx4j/mx4j-jmx`
-
- # add jars in required components for velocity >= 1.6 (just in case)
- VELOCITY=`rpm -q velocity|sed 's/velocity-\([0-9]*\)\.\([0-9]*\).*/\1\2/'`
- if [ "$VELOCITY" -ge 16 ]; then
- CLASSPATH="$CLASSPATH":`/usr/bin/build-classpath bcel hsqldb commons-collections commons-lang commons-logging commons-logging-api jdom junit oro servletapi5 werken.xpath`
- fi
-
-elif [ ${OS} = "SunOS" ] ; then
- # The following definitions are provided for Solaris
- # platforms since they are unable to execute the
- # "/usr/bin/build-classpath" and
- # "/usr/share/java-utils/java-functions" files . . .
-
- CLASSPATH="$CLASSPATH":"$CATALINA_HOME"/bin/bootstrap.jar
- CLASSPATH="$CLASSPATH":"$CATALINA_HOME"/bin/commons-logging-api.jar
- CLASSPATH="$CLASSPATH":/usr/share/java/mx4j/mx4j-impl.jar
- CLASSPATH="$CLASSPATH":/usr/share/java/mx4j/mx4j-jmx.jar
- CLASSPATH="$CLASSPATH":/usr/share/java/pki/base.jar
- CLASSPATH="$CLASSPATH":/usr/share/java/pki/certsrv.jar
- CLASSPATH="$CLASSPATH":/usr/share/java/pki/cms.jar
- CLASSPATH="$CLASSPATH":/usr/share/java/pki/cms72.jar
- CLASSPATH="$CLASSPATH":/usr/share/java/pki/cms72_en.jar
- CLASSPATH="$CLASSPATH":/usr/share/java/pki/cmsbundle.jar
- CLASSPATH="$CLASSPATH":/usr/share/java/pki/cmscore.jar
- CLASSPATH="$CLASSPATH":/usr/share/java/pki/cmsutil.jar
- CLASSPATH="$CLASSPATH":/usr/share/java/pki/mcc70.jar
- CLASSPATH="$CLASSPATH":/usr/share/java/pki/mcc70_en.jar
- CLASSPATH="$CLASSPATH":/usr/share/java/pki/nmclf70.jar
- CLASSPATH="$CLASSPATH":/usr/share/java/pki/nmclf70_en.jar
- CLASSPATH="$CLASSPATH":/usr/share/java/pki/nsutil.jar
-
- if [ -f /usr/share/java/pkitools.jar ]; then
- CLASSPATH="$CLASSPATH":/usr/share/java/pkitools.jar
- elif [ -f /usr/share/java/cstools.jar ]; then
- CLASSPATH="$CLASSPATH":/usr/share/java/cstools.jar
- elif [ -f /usr/share/java/pki/cstools.jar ]; then
- CLASSPATH="$CLASSPATH":/usr/share/java/pki/cstools.jar
- fi
-
- if [ -f /usr/share/java/ca.jar ]; then
- CLASSPATH="$CLASSPATH":/usr/share/java/ca.jar
- elif [ -f /usr/share/java/pki/ca/ca.jar ]; then
- CLASSPATH="$CLASSPATH":/usr/share/java/pki/ca/ca.jar
- fi
- if [ -f /usr/share/java/kra.jar ]; then
- CLASSPATH="$CLASSPATH":/usr/share/java/kra.jar
- elif [ -f /usr/share/java/pki/kra/kra.jar ]; then
- CLASSPATH="$CLASSPATH":/usr/share/java/pki/kra/kra.jar
- fi
- if [ -f /usr/share/java/ocsp.jar ]; then
- CLASSPATH="$CLASSPATH":/usr/share/java/ocsp.jar
- elif [ -f /usr/share/java/pki/ocsp/ocsp.jar ]; then
- CLASSPATH="$CLASSPATH":/usr/share/java/pki/ocsp/ocsp.jar
- fi
- if [ -f /usr/share/java/tks.jar ]; then
- CLASSPATH="$CLASSPATH":/usr/share/java/tks.jar
- elif [ -f /usr/share/java/pki/tks/tks.jar ]; then
- CLASSPATH="$CLASSPATH":/usr/share/java/pki/tks/tks.jar
- fi
-
- # add jars for velocity 1.6 (just in case)
- CLASSPATH="$CLASSPATH":/usr/share/java/bcel.jar
- CLASSPATH="$CLASSPATH":/usr/share/java/hsqldb.jar
- CLASSPATH="$CLASSPATH":/usr/share/java/commons-collections.jar
- CLASSPATH="$CLASSPATH":/usr/share/java/commons-lang.jar
- CLASSPATH="$CLASSPATH":/usr/share/java/commons-logging.jar
- CLASSPATH="$CLASSPATH":/usr/share/java/commons-logging-api.jar
- CLASSPATH="$CLASSPATH":/usr/share/java/jdom.jar
- CLASSPATH="$CLASSPATH":/usr/share/java/junit.jar
- CLASSPATH="$CLASSPATH":/usr/share/java/oro.jar
- CLASSPATH="$CLASSPATH":/usr/share/java/servletapi5.jar
- CLASSPATH="$CLASSPATH":/usr/share/java/werken.xpath.jar
-
-fi
-
-if [ -z "$CATALINA_BASE" ] ; then
- CATALINA_BASE="$CATALINA_HOME"
-fi
-
-if [ -z "$CATALINA_TMPDIR" ] ; then
- # Define the java.io.tmpdir to use for Catalina
- CATALINA_TMPDIR="$CATALINA_BASE"/temp
-fi
-
-if [ -z "$CATALINA_PID" ] ; then
- export CATALINA_PID=/var/run/tomcat5.pid
-fi
-
-# For Cygwin, switch paths to Windows format before running java
-if $cygwin; then
- JAVA_HOME=`cygpath --absolute --windows "$JAVA_HOME"`
- JRE_HOME=`cygpath --absolute --windows "$JRE_HOME"`
- CATALINA_HOME=`cygpath --absolute --windows "$CATALINA_HOME"`
- CATALINA_BASE=`cygpath --absolute --windows "$CATALINA_BASE"`
- CATALINA_TMPDIR=`cygpath --absolute --windows "$CATALINA_TMPDIR"`
- CLASSPATH=`cygpath --path --windows "$CLASSPATH"`
- [ -n "$JSSE_HOME" ] && JSSE_HOME=`cygpath --absolute --windows "$JSSE_HOME"`
- JAVA_ENDORSED_DIRS=`cygpath --path --windows "$JAVA_ENDORSED_DIRS"`
-fi
-
-# ----- Execute The Requested Command -----------------------------------------
-echo "Using CATALINA_PID $CATALINA_PID"
-echo "Using CATALINA_BASE: $CATALINA_BASE"
-echo "Using CATALINA_HOME: $CATALINA_HOME"
-echo "Using CATALINA_TMPDIR: $CATALINA_TMPDIR"
-if [ "$1" = "debug" -o "$1" = "javac" ] ; then
- echo "Using JAVA_HOME: $JAVA_HOME"
-else
- echo "Using JRE_HOME: $JRE_HOME"
-fi
-
-if [ "$1" = "jpda" ] ; then
- if [ -z "$JPDA_TRANSPORT" ]; then
- JPDA_TRANSPORT="dt_socket"
- fi
- if [ -z "$JPDA_ADDRESS" ]; then
- JPDA_ADDRESS="8000"
- fi
- if [ -z "$JPDA_OPTS" ]; then
- JPDA_OPTS="-Xdebug -Xrunjdwp:transport=$JPDA_TRANSPORT,address=$JPDA_ADDRESS,server=y,suspend=n"
- fi
- CATALINA_OPTS="$CATALINA_OPTS $JPDA_OPTS"
- shift
-fi
-
-if [ "$1" = "debug" ] ; then
- if $os400; then
- echo "Debug command not available on OS400"
- exit 1
- else
- shift
- if [ "$1" = "-security" ] ; then
- echo "Using Security Manager"
- shift
- exec "$_RUNJDB" $JAVA_OPTS $CATALINA_OPTS \
- -Djava.endorsed.dirs="$JAVA_ENDORSED_DIRS" -classpath "$CLASSPATH" \
- -sourcepath "$CATALINA_HOME"/../../jakarta-tomcat-catalina/catalina/src/share \
- -Djava.security.manager \
- -Djava.security.policy=="$CATALINA_BASE"/conf/catalina.policy \
- -Dcatalina.base="$CATALINA_BASE" \
- -Dcatalina.home="$CATALINA_HOME" \
- -Djava.io.tmpdir="$CATALINA_TMPDIR" \
- org.apache.catalina.startup.Bootstrap "$@" start
- else
- exec "$_RUNJDB" $JAVA_OPTS $CATALINA_OPTS \
- -Djava.endorsed.dirs="$JAVA_ENDORSED_DIRS" -classpath "$CLASSPATH" \
- -sourcepath "$CATALINA_HOME"/../../jakarta-tomcat-catalina/catalina/src/share \
- -Dcatalina.base="$CATALINA_BASE" \
- -Dcatalina.home="$CATALINA_HOME" \
- -Djava.io.tmpdir="$CATALINA_TMPDIR" \
- org.apache.catalina.startup.Bootstrap "$@" start
- fi
- fi
-
-elif [ "$1" = "run" ]; then
-
- shift
- if [ "$1" = "-security" ] ; then
- echo "Using Security Manager"
- shift
- exec "$_RUNJAVA" $JAVA_OPTS $CATALINA_OPTS \
- -Djava.endorsed.dirs="$JAVA_ENDORSED_DIRS" -classpath "$CLASSPATH" \
- -Djava.security.manager \
- -Djava.security.policy=="$CATALINA_BASE"/conf/catalina.policy \
- -Dcatalina.base="$CATALINA_BASE" \
- -Dcatalina.home="$CATALINA_HOME" \
- -Djava.io.tmpdir="$CATALINA_TMPDIR" \
- org.apache.catalina.startup.Bootstrap "$@" start
- else
- exec "$_RUNJAVA" $JAVA_OPTS $CATALINA_OPTS \
- -Djava.endorsed.dirs="$JAVA_ENDORSED_DIRS" -classpath "$CLASSPATH" \
- -Dcatalina.base="$CATALINA_BASE" \
- -Dcatalina.home="$CATALINA_HOME" \
- -Djava.io.tmpdir="$CATALINA_TMPDIR" \
- org.apache.catalina.startup.Bootstrap "$@" start
- fi
-
-elif [ "$1" = "start" ] ; then
-
- shift
- touch "$CATALINA_BASE"/logs/catalina.out
- if [ "$1" = "-security" ] ; then
- echo "Using Security Manager"
- shift
- "$_RUNJAVA" $JAVA_OPTS $CATALINA_OPTS \
- -Djava.endorsed.dirs="$JAVA_ENDORSED_DIRS" -classpath "$CLASSPATH" \
- -Djava.security.manager \
- -Djava.security.policy=="$CATALINA_BASE"/conf/catalina.policy \
- -Dcatalina.base="$CATALINA_BASE" \
- -Dcatalina.home="$CATALINA_HOME" \
- -Djava.io.tmpdir="$CATALINA_TMPDIR" \
- org.apache.catalina.startup.Bootstrap "$@" start \
- >> "$CATALINA_BASE"/logs/catalina.out 2>&1 &
-
- if [ ! -z "$CATALINA_PID" ]; then
- echo $! > $CATALINA_PID
- fi
- else
- "$_RUNJAVA" $JAVA_OPTS $CATALINA_OPTS \
- -Djava.endorsed.dirs="$JAVA_ENDORSED_DIRS" -classpath "$CLASSPATH" \
- -Dcatalina.base="$CATALINA_BASE" \
- -Dcatalina.home="$CATALINA_HOME" \
- -Djava.io.tmpdir="$CATALINA_TMPDIR" \
- org.apache.catalina.startup.Bootstrap "$@" start \
- >> "$CATALINA_BASE"/logs/catalina.out 2>&1 &
-
- if [ ! -z "$CATALINA_PID" ]; then
- echo $! > $CATALINA_PID
- fi
- fi
-
-elif [ "$1" = "stop" ] ; then
-
- shift
- FORCE=0
- if [ "$1" = "-force" ]; then
- shift
- FORCE=1
- fi
-
- "$_RUNJAVA" $JAVA_OPTS $CATALINA_OPTS \
- -Djava.endorsed.dirs="$JAVA_ENDORSED_DIRS" -classpath "$CLASSPATH" \
- -Dcatalina.base="$CATALINA_BASE" \
- -Dcatalina.home="$CATALINA_HOME" \
- -Djava.io.tmpdir="$CATALINA_TMPDIR" \
- org.apache.catalina.startup.Bootstrap "$@" stop
-
- if [ $FORCE -eq 1 ]; then
- if [ ! -z "$CATALINA_PID" ]; then
- echo "Killing: `cat $CATALINA_PID`"
- kill -9 `cat $CATALINA_PID`
- fi
- fi
-
-elif [ "$1" = "version" ] ; then
-
- "$_RUNJAVA" \
- -classpath "$CATALINA_HOME/server/lib/catalina.jar" \
- org.apache.catalina.util.ServerInfo
-
-else
-
- echo "Usage: dtomcat5 ( commands ... )"
- echo "commands:"
- if $os400; then
- echo " debug Start Catalina in a debugger (not available on OS400)"
- echo " debug -security Debug Catalina with a security manager (not available on OS400)"
- else
- echo " debug Start Catalina in a debugger"
- echo " debug -security Debug Catalina with a security manager"
- fi
- echo " jpda start Start Catalina under JPDA debugger"
- echo " run Start Catalina in the current window"
- echo " run -security Start in the current window with security manager"
- echo " start Start Catalina in a separate window"
- echo " start -security Start in a separate window with security manager"
- echo " stop Stop Catalina"
- echo " stop -force Stop Catalina (followed by kill -KILL)"
- echo " version What version of tomcat are you running?"
- exit 1
-
-fi
diff --git a/pki/base/ocsp/shared/conf/logging.properties b/pki/base/ocsp/shared/conf/logging.properties
new file mode 100644
index 000000000..796cfc071
--- /dev/null
+++ b/pki/base/ocsp/shared/conf/logging.properties
@@ -0,0 +1,70 @@
+# --- BEGIN COPYRIGHT BLOCK ---
+# Copyright (C) 2006-2010 Red Hat, Inc.
+# All rights reserved.
+# Modifications: configuration parameters
+# --- END COPYRIGHT BLOCK ---
+
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+handlers = 1catalina.org.apache.juli.FileHandler, 2localhost.org.apache.juli.FileHandler, 3manager.org.apache.juli.FileHandler, 4host-manager.org.apache.juli.FileHandler, java.util.logging.ConsoleHandler
+
+.handlers = 1catalina.org.apache.juli.FileHandler, java.util.logging.ConsoleHandler
+
+############################################################
+# Handler specific properties.
+# Describes specific configuration info for Handlers.
+############################################################
+
+1catalina.org.apache.juli.FileHandler.level = FINE
+1catalina.org.apache.juli.FileHandler.directory = ${catalina.base}/logs
+1catalina.org.apache.juli.FileHandler.prefix = catalina.
+
+2localhost.org.apache.juli.FileHandler.level = FINE
+2localhost.org.apache.juli.FileHandler.directory = ${catalina.base}/logs
+2localhost.org.apache.juli.FileHandler.prefix = localhost.
+
+3manager.org.apache.juli.FileHandler.level = FINE
+3manager.org.apache.juli.FileHandler.directory = ${catalina.base}/logs
+3manager.org.apache.juli.FileHandler.prefix = manager.
+
+4host-manager.org.apache.juli.FileHandler.level = FINE
+4host-manager.org.apache.juli.FileHandler.directory = ${catalina.base}/logs
+4host-manager.org.apache.juli.FileHandler.prefix = host-manager.
+
+java.util.logging.ConsoleHandler.level = FINE
+java.util.logging.ConsoleHandler.formatter = java.util.logging.SimpleFormatter
+
+
+############################################################
+# Facility specific properties.
+# Provides extra control for each logger.
+############################################################
+
+org.apache.catalina.core.ContainerBase.[Catalina].[localhost].level = INFO
+org.apache.catalina.core.ContainerBase.[Catalina].[localhost].handlers = 2localhost.org.apache.juli.FileHandler
+
+org.apache.catalina.core.ContainerBase.[Catalina].[localhost].[/manager].level = INFO
+org.apache.catalina.core.ContainerBase.[Catalina].[localhost].[/manager].handlers = 3manager.org.apache.juli.FileHandler
+
+org.apache.catalina.core.ContainerBase.[Catalina].[localhost].[/host-manager].level = INFO
+org.apache.catalina.core.ContainerBase.[Catalina].[localhost].[/host-manager].handlers = 4host-manager.org.apache.juli.FileHandler
+
+# For example, set the com.xyz.foo logger to only log SEVERE
+# messages:
+#org.apache.catalina.startup.ContextConfig.level = FINE
+#org.apache.catalina.startup.HostConfig.level = FINE
+#org.apache.catalina.session.ManagerBase.level = FINE
+#org.apache.catalina.core.AprLifecycleListener.level=FINE
diff --git a/pki/base/ocsp/shared/conf/server.xml b/pki/base/ocsp/shared/conf/server.xml
index 71b433bef..9a24cfa44 100644
--- a/pki/base/ocsp/shared/conf/server.xml
+++ b/pki/base/ocsp/shared/conf/server.xml
@@ -1,208 +1,196 @@
-<!-- Example Server Configuration File -->
-<!-- Note that component elements are nested corresponding to their
- parent-child relationships with each other -->
-
-<!-- A "Server" is a singleton element that represents the entire JVM,
- which may contain one or more "Service" instances. The Server
- listens for a shutdown command on the indicated port.
-
- Note: A "Server" is not itself a "Container", so you may not
- define subcomponents such as "Valves" or "Loggers" at this level.
+<?xml version='1.0' encoding='utf-8'?>
+<!-- BEGIN COPYRIGHT BLOCK
+ Copyright (C) 2006-2010 Red Hat, Inc.
+ All rights reserved.
+ Modifications: configuration parameters
+ END COPYRIGHT BLOCK -->
+<!--
+ Licensed to the Apache Software Foundation (ASF) under one or more
+ contributor license agreements. See the NOTICE file distributed with
+ this work for additional information regarding copyright ownership.
+ The ASF licenses this file to You under the Apache License, Version 2.0
+ (the "License"); you may not use this file except in compliance with
+ the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+-->
+<!-- Note: A "Server" is not itself a "Container", so you may not
+ define subcomponents such as "Valves" at this level.
+ Documentation at /docs/config/server.html
-->
<!-- DO NOT REMOVE - Begin PKI Status Definitions -->
<!--
-Unsecure Port = http://[PKI_MACHINE_NAME]:[PKI_UNSECURE_PORT]/[PKI_SUBSYSTEM_TYPE]/ee/[PKI_SUBSYSTEM_TYPE]
-Secure Agent Port = https://[PKI_MACHINE_NAME]:[PKI_AGENT_SECURE_PORT]/[PKI_SUBSYSTEM_TYPE]/agent/[PKI_SUBSYSTEM_TYPE]
-Secure EE Port = https://[PKI_MACHINE_NAME]:[PKI_EE_SECURE_PORT]/[PKI_SUBSYSTEM_TYPE]/ee/[PKI_SUBSYSTEM_TYPE]
-Secure Admin Port = https://[PKI_MACHINE_NAME]:[PKI_ADMIN_SECURE_PORT]/[PKI_SUBSYSTEM_TYPE]/services
-PKI Console Port = pkiconsole https://[PKI_MACHINE_NAME]:[PKI_ADMIN_SECURE_PORT]/[PKI_SUBSYSTEM_TYPE]
-Tomcat Port = [TOMCAT_SERVER_PORT] (for shutdown)
+Unsecure Port = http://[PKI_MACHINE_NAME]:[PKI_UNSECURE_PORT]/[PKI_SUBSYSTEM_TYPE]/ee/[PKI_SUBSYSTEM_TYPE]
+Secure Agent Port = https://[PKI_MACHINE_NAME]:[PKI_AGENT_SECURE_PORT]/[PKI_SUBSYSTEM_TYPE]/agent/[PKI_SUBSYSTEM_TYPE]
+Secure EE Port = https://[PKI_MACHINE_NAME]:[PKI_EE_SECURE_PORT]/[PKI_SUBSYSTEM_TYPE]/ee/[PKI_SUBSYSTEM_TYPE]
+Secure Admin Port = https://[PKI_MACHINE_NAME]:[PKI_ADMIN_SECURE_PORT]/[PKI_SUBSYSTEM_TYPE]/services
+PKI Console Port = pkiconsole https://[PKI_MACHINE_NAME]:[PKI_ADMIN_SECURE_PORT]/[PKI_SUBSYSTEM_TYPE]
+Tomcat Port = [TOMCAT_SERVER_PORT] (for shutdown)
-->
<!-- DO NOT REMOVE - End PKI Status Definitions -->
<Server port="[TOMCAT_SERVER_PORT]" shutdown="SHUTDOWN">
- <!-- Comment these entries out to disable JMX MBeans support used for the
- administration web application -->
+ <!--APR library loader. Documentation at /docs/apr.html -->
+ <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />
+ <!--Initialize Jasper prior to webapps are loaded. Documentation at /docs/jasper-howto.html -->
+ <Listener className="org.apache.catalina.core.JasperListener" />
+ <!-- JMX Support for the Tomcat server. Documentation at /docs/non-existent.html -->
<Listener className="org.apache.catalina.mbeans.ServerLifecycleListener" />
<Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener" />
- <Listener className="org.apache.catalina.storeconfig.StoreConfigLifecycleListener"/>
- <!-- Global JNDI resources -->
+ <!-- Global JNDI resources
+ Documentation at /docs/jndi-resources-howto.html
+ -->
<GlobalNamingResources>
-
- <!-- Test entry for demonstration purposes -->
- <Environment name="simpleValue" type="java.lang.Integer" value="30"/>
-
<!-- Editable user database that can also be used by
- UserDatabaseRealm to authenticate users -->
+ UserDatabaseRealm to authenticate users
+ -->
<Resource name="UserDatabase" auth="Container"
type="org.apache.catalina.UserDatabase"
- description="User database that can be updated and saved"
- factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
- pathname="conf/tomcat-users.xml" />
-
+ description="User database that can be updated and saved"
+ factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
+ pathname="conf/tomcat-users.xml" />
</GlobalNamingResources>
<!-- A "Service" is a collection of one or more "Connectors" that share
- a single "Container" (and therefore the web applications visible
- within that Container). Normally, that Container is an "Engine",
- but this is not required.
-
- Note: A "Service" is not itself a "Container", so you may not
- define subcomponents such as "Valves" or "Loggers" at this level.
+ a single "Container" Note: A "Service" is not itself a "Container",
+ so you may not define subcomponents such as "Valves" at this level.
+ Documentation at /docs/config/service.html
-->
-
- <!-- Define the Tomcat Stand-Alone Service -->
<Service name="Catalina">
-
+
+ <!--The connectors can use a shared executor, you can define one or more named thread pools-->
+ <!--
+ <Executor name="tomcatThreadPool" namePrefix="catalina-exec-"
+ maxThreads="150" minSpareThreads="4"/>
+ -->
+
+
<!-- A "Connector" represents an endpoint by which requests are received
- and responses are returned. Each Connector passes requests on to the
- associated "Container" (normally an Engine) for processing.
-
- By default, a non-SSL HTTP/1.1 Connector is established on port 8080.
- You can also enable an SSL HTTP/1.1 Connector on port 8443 by
- following the instructions below and uncommenting the second Connector
- entry. SSL support requires the following steps (see the SSL Config
- HOWTO in the Tomcat 5 documentation bundle for more detailed
- instructions):
- * If your JDK version 1.3 or prior, download and install JSSE 1.0.2 or
- later, and put the JAR files into "$JAVA_HOME/jre/lib/ext".
- * Execute:
- %JAVA_HOME%\bin\keytool -genkey -alias tomcat -keyalg RSA (Windows)
- $JAVA_HOME/bin/keytool -genkey -alias tomcat -keyalg RSA (Unix)
- with a password value of "changeit" for both the certificate and
- the keystore itself.
-
- By default, DNS lookups are enabled when a web application calls
- request.getRemoteHost(). This can have an adverse impact on
- performance, so you can disable it by setting the
- "enableLookups" attribute to "false". When DNS lookups are disabled,
- request.getRemoteHost() will return the String version of the
- IP address of the remote client.
+ and responses are returned. Documentation at :
+ Java HTTP Connector: /docs/config/http.html (blocking & non-blocking)
+ Java AJP Connector: /docs/config/ajp.html
+ APR (HTTP/AJP) Connector: /docs/apr.html
+ Define a non-SSL HTTP/1.1 Connector on port 8080
-->
-<!-- Define a non-SSL HTTP/1.1 Connector on port 8080 -->
-[PKI_UNSECURE_PORT_SERVER_COMMENT]
-<Connector name="[PKI_UNSECURE_PORT_CONNECTOR_NAME]" port="[PKI_UNSECURE_PORT]" maxHttpHeaderSize="8192"
- maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
- enableLookups="false" redirectPort="8443" acceptCount="100"
- connectionTimeout="20000" disableUploadTimeout="true"/>
-
-
-<!-- Define a SSL HTTP/1.1 Connector on port 8443 -->
-[PKI_SECURE_PORT_SERVER_COMMENT]
-<!-- DO NOT REMOVE - Begin define PKI secure port -->
-<Connector name="[PKI_SECURE_PORT_CONNECTOR_NAME]" port="[PKI_SECURE_PORT]" maxHttpHeaderSize="8192"
- maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
- enableLookups="false" disableUploadTimeout="true"
- acceptCount="100" scheme="https" secure="true"
- clientAuth="[PKI_AGENT_CLIENTAUTH]" sslProtocol="SSL"
- sslOptions="ssl2=false,ssl3=true,tls=true"
- ssl2Ciphers="-SSL2_RC4_128_WITH_MD5,-SSL2_RC4_128_EXPORT40_WITH_MD5,-SSL2_RC2_128_CBC_WITH_MD5,-SSL2_RC2_128_CBC_EXPORT40_WITH_MD5,-SSL2_DES_64_CBC_WITH_MD5,-SSL2_DES_192_EDE3_CBC_WITH_MD5"
- ssl3Ciphers="-SSL3_FORTEZZA_DMS_WITH_NULL_SHA,-SSL3_FORTEZZA_DMS_WITH_RC4_128_SHA,+SSL3_RSA_WITH_RC4_128_SHA,-SSL3_RSA_EXPORT_WITH_RC4_40_MD5,+SSL3_RSA_WITH_3DES_EDE_CBC_SHA,+SSL3_RSA_WITH_DES_CBC_SHA,-SSL3_RSA_EXPORT_WITH_RC2_CBC_40_MD5,-SSL3_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA,-SSL_RSA_FIPS_WITH_DES_CBC_SHA,+SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA,-SSL3_RSA_WITH_NULL_MD5,-TLS_RSA_EXPORT1024_WITH_RC4_56_SHA,-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA"
- tls3Ciphers="-SSL3_FORTEZZA_DMS_WITH_NULL_SHA,-SSL3_FORTEZZA_DMS_WITH_RC4_128_SHA,+SSL3_RSA_WITH_RC4_128_SHA,-SSL3_RSA_EXPORT_WITH_RC4_40_MD5,+SSL3_RSA_WITH_3DES_EDE_CBC_SHA,+SSL3_RSA_WITH_DES_CBC_SHA,-SSL3_RSA_EXPORT_WITH_RC2_CBC_40_MD5,-SSL3_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA,-SSL_RSA_FIPS_WITH_DES_CBC_SHA,+SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA,-SSL3_RSA_WITH_NULL_MD5,-TLS_RSA_EXPORT1024_WITH_RC4_56_SHA,-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA"
- SSLImplementation="org.apache.tomcat.util.net.jss.JSSImplementation"
- serverCertNickFile="[PKI_INSTANCE_PATH]/conf/serverCertNick.conf"
- passwordFile="[PKI_INSTANCE_PATH]/conf/password.conf"
- passwordClass="org.apache.tomcat.util.net.jss.PlainPasswordFile"
- certdbDir="[PKI_INSTANCE_PATH]/alias"/>
-<!-- DO NOT REMOVE - End define PKI secure port -->
-
-[PKI_OPEN_SEPARATE_PORTS_SERVER_COMMENT][PKI_ADMIN_SECURE_PORT_SERVER_COMMENT]
-<Connector name="[PKI_ADMIN_SECURE_PORT_CONNECTOR_NAME]" port="[PKI_ADMIN_SECURE_PORT]" maxHttpHeaderSize="8192"
- maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
- enableLookups="false" disableUploadTimeout="true"
- acceptCount="100" scheme="https" secure="true"
- clientAuth="false" sslProtocol="SSL"
- sslOptions="ssl2=false,ssl3=true,tls=true"
- ssl2Ciphers="-SSL2_RC4_128_WITH_MD5,-SSL2_RC4_128_EXPORT40_WITH_MD5,-SSL2_RC2_128_CBC_WITH_MD5,-SSL2_RC2_128_CBC_EXPORT40_WITH_MD5,-SSL2_DES_64_CBC_WITH_MD5,-SSL2_DES_192_EDE3_CBC_WITH_MD5"
- ssl3Ciphers="-SSL3_FORTEZZA_DMS_WITH_NULL_SHA,-SSL3_FORTEZZA_DMS_WITH_RC4_128_SHA,+SSL3_RSA_WITH_RC4_128_SHA,-SSL3_RSA_EXPORT_WITH_RC4_40_MD5,+SSL3_RSA_WITH_3DES_EDE_CBC_SHA,+SSL3_RSA_WITH_DES_CBC_SHA,-SSL3_RSA_EXPORT_WITH_RC2_CBC_40_MD5,-SSL3_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA,-SSL_RSA_FIPS_WITH_DES_CBC_SHA,+SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA,-SSL3_RSA_WITH_NULL_MD5,-TLS_RSA_EXPORT1024_WITH_RC4_56_SHA,-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA"
- tls3Ciphers="-SSL3_FORTEZZA_DMS_WITH_NULL_SHA,-SSL3_FORTEZZA_DMS_WITH_RC4_128_SHA,+SSL3_RSA_WITH_RC4_128_SHA,-SSL3_RSA_EXPORT_WITH_RC4_40_MD5,+SSL3_RSA_WITH_3DES_EDE_CBC_SHA,+SSL3_RSA_WITH_DES_CBC_SHA,-SSL3_RSA_EXPORT_WITH_RC2_CBC_40_MD5,-SSL3_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA,-SSL_RSA_FIPS_WITH_DES_CBC_SHA,+SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA,-SSL3_RSA_WITH_NULL_MD5,-TLS_RSA_EXPORT1024_WITH_RC4_56_SHA,-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA"
- SSLImplementation="org.apache.tomcat.util.net.jss.JSSImplementation"
- serverCertNickFile="[PKI_INSTANCE_PATH]/conf/serverCertNick.conf"
- passwordFile="[PKI_INSTANCE_PATH]/conf/password.conf"
- passwordClass="org.apache.tomcat.util.net.jss.PlainPasswordFile"
- certdbDir="[PKI_INSTANCE_PATH]/alias"/>
-[PKI_CLOSE_SEPARATE_PORTS_SERVER_COMMENT]
-
-[PKI_OPEN_SEPARATE_PORTS_SERVER_COMMENT][PKI_EE_SECURE_PORT_SERVER_COMMENT]
-<Connector name="[PKI_EE_SECURE_PORT_CONNECTOR_NAME]" port="[PKI_EE_SECURE_PORT]" maxHttpHeaderSize="8192"
- maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
- enableLookups="false" disableUploadTimeout="true"
- acceptCount="100" scheme="https" secure="true"
- clientAuth="false" sslProtocol="SSL"
- sslOptions="ssl2=false,ssl3=true,tls=true"
- ssl2Ciphers="-SSL2_RC4_128_WITH_MD5,-SSL2_RC4_128_EXPORT40_WITH_MD5,-SSL2_RC2_128_CBC_WITH_MD5,-SSL2_RC2_128_CBC_EXPORT40_WITH_MD5,-SSL2_DES_64_CBC_WITH_MD5,-SSL2_DES_192_EDE3_CBC_WITH_MD5"
- ssl3Ciphers="-SSL3_FORTEZZA_DMS_WITH_NULL_SHA,-SSL3_FORTEZZA_DMS_WITH_RC4_128_SHA,+SSL3_RSA_WITH_RC4_128_SHA,-SSL3_RSA_EXPORT_WITH_RC4_40_MD5,+SSL3_RSA_WITH_3DES_EDE_CBC_SHA,+SSL3_RSA_WITH_DES_CBC_SHA,-SSL3_RSA_EXPORT_WITH_RC2_CBC_40_MD5,-SSL3_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA,-SSL_RSA_FIPS_WITH_DES_CBC_SHA,+SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA,-SSL3_RSA_WITH_NULL_MD5,-TLS_RSA_EXPORT1024_WITH_RC4_56_SHA,-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA"
- tls3Ciphers="-SSL3_FORTEZZA_DMS_WITH_NULL_SHA,-SSL3_FORTEZZA_DMS_WITH_RC4_128_SHA,+SSL3_RSA_WITH_RC4_128_SHA,-SSL3_RSA_EXPORT_WITH_RC4_40_MD5,+SSL3_RSA_WITH_3DES_EDE_CBC_SHA,+SSL3_RSA_WITH_DES_CBC_SHA,-SSL3_RSA_EXPORT_WITH_RC2_CBC_40_MD5,-SSL3_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA,-SSL_RSA_FIPS_WITH_DES_CBC_SHA,+SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA,-SSL3_RSA_WITH_NULL_MD5,-TLS_RSA_EXPORT1024_WITH_RC4_56_SHA,-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA"
- SSLImplementation="org.apache.tomcat.util.net.jss.JSSImplementation"
- serverCertNickFile="[PKI_INSTANCE_PATH]/conf/serverCertNick.conf"
- passwordFile="[PKI_INSTANCE_PATH]/conf/password.conf"
- passwordClass="org.apache.tomcat.util.net.jss.PlainPasswordFile"
- certdbDir="[PKI_INSTANCE_PATH]/alias"/>
-[PKI_CLOSE_SEPARATE_PORTS_SERVER_COMMENT]
-
- <!-- Note : To disable connection timeouts, set connectionTimeout value
- to 0 -->
-
- <!-- Note : To use gzip compression you could set the following properties :
-
- compression="on"
- compressionMinSize="2048"
- noCompressionUserAgents="gozilla, traviata"
- compressableMimeType="text/html,text/xml"
- -->
-
+ [PKI_UNSECURE_PORT_SERVER_COMMENT]
+ <Connector name="[PKI_UNSECURE_PORT_CONNECTOR_NAME]" port="[PKI_UNSECURE_PORT]" protocol="HTTP/1.1" redirectPort="8443"
+ maxHttpHeaderSize="8192"
+ acceptCount="100" maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
+ enableLookups="false" connectionTimeout="20000" disableUploadTimeout="true"
+ />
+
+ <!-- Define a SSL HTTP/1.1 Connector on port 8443 -->
+ [PKI_SECURE_PORT_SERVER_COMMENT]
+ <!-- DO NOT REMOVE - Begin define PKI secure port -->
+ <Connector name="[PKI_SECURE_PORT_CONNECTOR_NAME]" port="[PKI_SECURE_PORT]" protocol="HTTP/1.1" SSLEnabled="true" sslProtocol="SSL" scheme="https" secure="true"
+ maxHttpHeaderSize="8192"
+ acceptCount="100" maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
+ enableLookups="false" connectionTimeout="20000" disableUploadTimeout="true"
+ SSLImplementation="org.apache.tomcat.util.net.jss.JSSImplementation"
+ clientAuth="[PKI_AGENT_CLIENTAUTH]"
+ sslOptions="[TOMCAT_SSL_OPTIONS]"
+ ssl2Ciphers="[TOMCAT_SSL2_CIPHERS]"
+ ssl3Ciphers="[TOMCAT_SSL3_CIPHERS]"
+ tls3Ciphers="[TOMCAT_TLS3_CIPHERS]"
+ serverCertNickFile="[PKI_INSTANCE_PATH]/conf/serverCertNick.conf"
+ passwordFile="[PKI_INSTANCE_PATH]/conf/password.conf"
+ passwordClass="org.apache.tomcat.util.net.jss.PlainPasswordFile"
+ certdbDir="[PKI_INSTANCE_PATH]/alias"
+ />
+ <!-- DO NOT REMOVE - End define PKI secure port -->
+
+ [PKI_OPEN_SEPARATE_PORTS_SERVER_COMMENT][PKI_ADMIN_SECURE_PORT_SERVER_COMMENT]
+ <Connector name="[PKI_ADMIN_SECURE_PORT_CONNECTOR_NAME]" port="[PKI_ADMIN_SECURE_PORT]" SSLEnabled="true" sslProtocol="SSL" scheme="https" secure="true"
+ maxHttpHeaderSize="8192"
+ acceptCount="100" maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
+ enableLookups="false" disableUploadTimeout="true"
+ SSLImplementation="org.apache.tomcat.util.net.jss.JSSImplementation"
+ clientAuth="false"
+ sslOptions="[TOMCAT_SSL_OPTIONS]"
+ ssl2Ciphers="[TOMCAT_SSL2_CIPHERS]"
+ ssl3Ciphers="[TOMCAT_SSL3_CIPHERS]"
+ tls3Ciphers="[TOMCAT_TLS3_CIPHERS]"
+ serverCertNickFile="[PKI_INSTANCE_PATH]/conf/serverCertNick.conf"
+ passwordFile="[PKI_INSTANCE_PATH]/conf/password.conf"
+ passwordClass="org.apache.tomcat.util.net.jss.PlainPasswordFile"
+ certdbDir="[PKI_INSTANCE_PATH]/alias"/>
+ [PKI_CLOSE_SEPARATE_PORTS_SERVER_COMMENT]
+
+ [PKI_OPEN_SEPARATE_PORTS_SERVER_COMMENT][PKI_EE_SECURE_PORT_SERVER_COMMENT]
+ <Connector name="[PKI_EE_SECURE_PORT_CONNECTOR_NAME]" port="[PKI_EE_SECURE_PORT]" SSLEnabled="true" sslProtocol="SSL" scheme="https" secure="true"
+ maxHttpHeaderSize="8192"
+ acceptCount="100" maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
+ enableLookups="false" connectionTimeout="20000" disableUploadTimeout="true"
+ SSLImplementation="org.apache.tomcat.util.net.jss.JSSImplementation"
+ clientAuth="false"
+ sslOptions="[TOMCAT_SSL_OPTIONS]"
+ ssl2Ciphers="[TOMCAT_SSL2_CIPHERS]"
+ ssl3Ciphers="[TOMCAT_SSL3_CIPHERS]"
+ tls3Ciphers="[TOMCAT_TLS3_CIPHERS]"
+ serverCertNickFile="[PKI_INSTANCE_PATH]/conf/serverCertNick.conf"
+ passwordFile="[PKI_INSTANCE_PATH]/conf/password.conf"
+ passwordClass="org.apache.tomcat.util.net.jss.PlainPasswordFile"
+ certdbDir="[PKI_INSTANCE_PATH]/alias"/>
+ [PKI_CLOSE_SEPARATE_PORTS_SERVER_COMMENT]
+
+ <!-- A "Connector" using the shared thread pool-->
+ <!--
+ <Connector executor="tomcatThreadPool"
+ port="8080" protocol="HTTP/1.1"
+ connectionTimeout="20000"
+ redirectPort="8443" />
+ -->
+ <!-- Define a SSL HTTP/1.1 Connector on port 8443
+ This connector uses the JSSE configuration, when using APR, the
+ connector should be using the OpenSSL style configuration
+ described in the APR documentation -->
+ <!--
+ <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
+ maxThreads="150" scheme="https" secure="true"
+ clientAuth="false" sslProtocol="TLS" />
+ -->
<!-- Define an AJP 1.3 Connector on port 8009 -->
<!--
- <Connector port="8009"
- enableLookups="false" redirectPort="8443" protocol="AJP/1.3" />
+ <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
-->
- <!-- Define a Proxied HTTP/1.1 Connector on port 8082 -->
- <!-- See proxy documentation for more information about using this. -->
- <!--
- <Connector port="8082"
- maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
- enableLookups="false" acceptCount="100" connectionTimeout="20000"
- proxyPort="80" disableUploadTimeout="true" />
- -->
<!-- An Engine represents the entry point (within Catalina) that processes
every request. The Engine implementation for Tomcat stand alone
analyzes the HTTP headers included with the request, and passes them
- on to the appropriate Host (virtual host). -->
+ on to the appropriate Host (virtual host).
+ Documentation at /docs/config/engine.html -->
<!-- You should set jvmRoute to support load-balancing via AJP ie :
- <Engine name="Standalone" defaultHost="localhost" jvmRoute="jvm1">
+ <Engine name="Catalina" defaultHost="localhost" jvmRoute="jvm1">
-->
-
- <!-- Define the top level container in our container hierarchy -->
<Engine name="Catalina" defaultHost="localhost">
- <!-- The request dumper valve dumps useful debugging information about
- the request headers and cookies that were received, and the response
- headers and cookies that were sent, for all requests received by
- this instance of Tomcat. If you care only about requests to a
- particular virtual host, or a particular application, nest this
- element inside the corresponding <Host> or <Context> entry instead.
-
- For a similar mechanism that is portable to all Servlet 2.4
- containers, check out the "RequestDumperFilter" Filter in the
- example application (the source for this filter may be found in
- "$CATALINA_HOME/webapps/examples/WEB-INF/classes/filters").
+ <!--For clustering, please take a look at documentation at:
+ /docs/cluster-howto.html (simple how to)
+ /docs/config/cluster.html (reference documentation) -->
+ <!--
+ <Cluster className="org.apache.catalina.ha.tcp.SimpleTcpCluster"/>
+ -->
- Request dumping is disabled by default. Uncomment the following
- element to enable it. -->
+ <!-- The request dumper valve dumps useful debugging information about
+ the request and response data received and sent by Tomcat.
+ Documentation at: /docs/config/valve.html -->
<!--
<Valve className="org.apache.catalina.valves.RequestDumperValve"/>
-->
- <!-- Because this Realm is here, an instance will be shared globally -->
-
<!-- This Realm uses the UserDatabase configured in the global JNDI
resources under the key "UserDatabase". Any edits
that are performed against this UserDatabase are immediately
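Review bot: The admin connector (the `<Connector name="[PKI_ADMIN_SECURE_PORT_CONNECTOR_NAME]"` block) is the only one of the four new connectors that omits `connectionTimeout="20000"` and `protocol="HTTP/1.1"`, while the secure, EE and unsecure connectors all set them; on the admin port idle connections therefore sit until Tomcat's default timeout, which is an easy resource-exhaustion target. Bringing it in line is one line: `enableLookups="false" connectionTimeout="20000" disableUploadTimeout="true"`. Separately, the new `AprLifecycleListener` with `SSLEngine="on"` initializes the native OpenSSL engine, yet every TLS connector here selects `org.apache.tomcat.util.net.jss.JSSImplementation`; if the listener was only carried over from the stock Tomcat template, `SSLEngine="off"` (or dropping the listener) avoids loading a second TLS stack the NSS-backed connectors do not use — worth confirming against the CA copy this was merged from. Note also that the cipher and protocol posture is now entirely delegated to `[TOMCAT_SSL_OPTIONS]`/`[TOMCAT_*_CIPHERS]` substitutions, so the values filled in at instance creation should be reviewed as part of this change rather than assumed to match the previous hard-coded lists.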
@@ -210,229 +198,27 @@ Tomcat Port = [TOMCAT_SERVER_PORT] (for shutdown)
<Realm className="org.apache.catalina.realm.UserDatabaseRealm"
resourceName="UserDatabase"/>
- <!-- Comment out the old realm but leave here for now in case we
- need to go back quickly -->
- <!--
- <Realm className="org.apache.catalina.realm.MemoryRealm" />
- -->
-
- <!-- Replace the above Realm with one of the following to get a Realm
- stored in a database and accessed via JDBC -->
-
- <!--
- <Realm className="org.apache.catalina.realm.JDBCRealm"
- driverName="org.gjt.mm.mysql.Driver"
- connectionURL="jdbc:mysql://localhost/authority"
- connectionName="test" connectionPassword="test"
- userTable="users" userNameCol="user_name" userCredCol="user_pass"
- userRoleTable="user_roles" roleNameCol="role_name" />
- -->
-
- <!--
- <Realm className="org.apache.catalina.realm.JDBCRealm"
- driverName="oracle.jdbc.driver.OracleDriver"
- connectionURL="jdbc:oracle:thin:@ntserver:1521:ORCL"
- connectionName="scott" connectionPassword="tiger"
- userTable="users" userNameCol="user_name" userCredCol="user_pass"
- userRoleTable="user_roles" roleNameCol="role_name" />
- -->
-
- <!--
- <Realm className="org.apache.catalina.realm.JDBCRealm"
- driverName="sun.jdbc.odbc.JdbcOdbcDriver"
- connectionURL="jdbc:odbc:CATALINA"
- userTable="users" userNameCol="user_name" userCredCol="user_pass"
- userRoleTable="user_roles" roleNameCol="role_name" />
- -->
-
<!-- Define the default virtual host
Note: XML Schema validation will not work with Xerces 2.2.
-->
- <Host name="localhost" appBase="webapps"
- unpackWARs="true" autoDeploy="false"
- xmlValidation="false" xmlNamespaceAware="false">
-
- <!-- Defines a cluster for this node,
- By defining this element, means that every manager will be changed.
- So when running a cluster, only make sure that you have webapps in there
- that need to be clustered and remove the other ones.
- A cluster has the following parameters:
-
- className = the fully qualified name of the cluster class
-
- name = a descriptive name for your cluster, can be anything
-
- mcastAddr = the multicast address, has to be the same for all the nodes
-
- mcastPort = the multicast port, has to be the same for all the nodes
-
- mcastBindAddr = bind the multicast socket to a specific address
-
- mcastTTL = the multicast TTL if you want to limit your broadcast
-
- mcastSoTimeout = the multicast readtimeout
-
- mcastFrequency = the number of milliseconds in between sending a "I'm alive" heartbeat
+ <Host name="localhost" appBase="webapps"
+ unpackWARs="true" autoDeploy="false"
+ xmlValidation="false" xmlNamespaceAware="false">
- mcastDropTime = the number a milliseconds before a node is considered "dead" if no heartbeat is received
-
- tcpThreadCount = the number of threads to handle incoming replication requests, optimal would be the same amount of threads as nodes
-
- tcpListenAddress = the listen address (bind address) for TCP cluster request on this host,
- in case of multiple ethernet cards.
- auto means that address becomes
- InetAddress.getLocalHost().getHostAddress()
-
- tcpListenPort = the tcp listen port
-
- tcpSelectorTimeout = the timeout (ms) for the Selector.select() method in case the OS
- has a wakup bug in java.nio. Set to 0 for no timeout
-
- printToScreen = true means that managers will also print to std.out
-
- expireSessionsOnShutdown = true means that
-
- useDirtyFlag = true means that we only replicate a session after setAttribute,removeAttribute has been called.
- false means to replicate the session after each request.
- false means that replication would work for the following piece of code: (only for SimpleTcpReplicationManager)
- <%
- HashMap map = (HashMap)session.getAttribute("map");
- map.put("key","value");
- %>
- replicationMode = can be either 'pooled', 'synchronous' or 'asynchronous'.
- * Pooled means that the replication happens using several sockets in a synchronous way. Ie, the data gets replicated, then the request return. This is the same as the 'synchronous' setting except it uses a pool of sockets, hence it is multithreaded. This is the fastest and safest configuration. To use this, also increase the nr of tcp threads that you have dealing with replication.
- * Synchronous means that the thread that executes the request, is also the
- thread the replicates the data to the other nodes, and will not return until all
- nodes have received the information.
- * Asynchronous means that there is a specific 'sender' thread for each cluster node,
- so the request thread will queue the replication request into a "smart" queue,
- and then return to the client.
- The "smart" queue is a queue where when a session is added to the queue, and the same session
- already exists in the queue from a previous request, that session will be replaced
- in the queue instead of replicating two requests. This almost never happens, unless there is a
- large network delay.
- -->
- <!--
- When configuring for clustering, you also add in a valve to catch all the requests
- coming in, at the end of the request, the session may or may not be replicated.
- A session is replicated if and only if all the conditions are met:
- 1. useDirtyFlag is true or setAttribute or removeAttribute has been called AND
- 2. a session exists (has been created)
- 3. the request is not trapped by the "filter" attribute
-
- The filter attribute is to filter out requests that could not modify the session,
- hence we don't replicate the session after the end of this request.
- The filter is negative, ie, anything you put in the filter, you mean to filter out,
- ie, no replication will be done on requests that match one of the filters.
- The filter attribute is delimited by ;, so you can't escape out ; even if you wanted to.
-
- filter=".*\.gif;.*\.js;" means that we will not replicate the session after requests with the URI
- ending with .gif and .js are intercepted.
-
- The deployer element can be used to deploy apps cluster wide.
- Currently the deployment only deploys/undeploys to working members in the cluster
- so no WARs are copied upons startup of a broken node.
- The deployer watches a directory (watchDir) for WAR files when watchEnabled="true"
- When a new war file is added the war gets deployed to the local instance,
- and then deployed to the other instances in the cluster.
- When a war file is deleted from the watchDir the war is undeployed locally
- and cluster wide
- -->
-
- <!--
- <Cluster className="org.apache.catalina.cluster.tcp.SimpleTcpCluster"
- managerClassName="org.apache.catalina.cluster.session.DeltaManager"
- expireSessionsOnShutdown="false"
- useDirtyFlag="true"
- notifyListenersOnReplication="true">
-
- <Membership
- className="org.apache.catalina.cluster.mcast.McastService"
- mcastAddr="228.0.0.4"
- mcastPort="45564"
- mcastFrequency="500"
- mcastDropTime="3000"/>
-
- <Receiver
- className="org.apache.catalina.cluster.tcp.ReplicationListener"
- tcpListenAddress="auto"
- tcpListenPort="4001"
- tcpSelectorTimeout="100"
- tcpThreadCount="6"/>
-
- <Sender
- className="org.apache.catalina.cluster.tcp.ReplicationTransmitter"
- replicationMode="pooled"
- ackTimeout="15000"/>
-
- <Valve className="org.apache.catalina.cluster.tcp.ReplicationValve"
- filter=".*\.gif;.*\.js;.*\.jpg;.*\.png;.*\.htm;.*\.html;.*\.css;.*\.txt;"/>
-
- <Deployer className="org.apache.catalina.cluster.deploy.FarmWarDeployer"
- tempDir="/tmp/war-temp/"
- deployDir="/tmp/war-deploy/"
- watchDir="/tmp/war-listen/"
- watchEnabled="false"/>
- </Cluster>
- -->
-
-
-
- <!-- Normally, users must authenticate themselves to each web app
- individually. Uncomment the following entry if you would like
- a user to be authenticated the first time they encounter a
- resource protected by a security constraint, and then have that
- user identity maintained across *all* web applications contained
- in this virtual host. -->
+ <!-- SingleSignOn valve, share authentication between web applications
+ Documentation at: /docs/config/valve.html -->
<!--
<Valve className="org.apache.catalina.authenticator.SingleSignOn" />
-->
- <!-- Access log processes all requests for this virtual host. By
- default, log files are created in the "logs" directory relative to
- $CATALINA_HOME. If you wish, you can specify a different
- directory with the "directory" attribute. Specify either a relative
- (to $CATALINA_HOME) or absolute path to the desired directory.
- -->
- <Valve className="org.apache.catalina.valves.AccessLogValve"
- directory="logs" prefix="localhost_access_log." suffix=".txt"
- pattern="common" resolveHosts="false"/>
-
- <!-- Access log processes all requests for this virtual host. By
- default, log files are created in the "logs" directory relative to
- $CATALINA_HOME. If you wish, you can specify a different
- directory with the "directory" attribute. Specify either a relative
- (to $CATALINA_HOME) or absolute path to the desired directory.
- This access log implementation is optimized for maximum performance,
- but is hardcoded to support only the "common" and "combined" patterns.
- -->
+ <!-- Access log processes all example.
+ Documentation at: /docs/config/valve.html -->
<!--
- <Valve className="org.apache.catalina.valves.FastCommonAccessLogValve"
- directory="logs" prefix="localhost_access_log." suffix=".txt"
- pattern="common" resolveHosts="false"/>
+ <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
+ prefix="localhost_access_log." suffix=".txt" pattern="common" resolveHosts="false"/>
-->
- <!-- Access log processes all requests for this virtual host. By
- default, log files are created in the "logs" directory relative to
- $CATALINA_HOME. If you wish, you can specify a different
- directory with the "directory" attribute. Specify either a relative
- (to $CATALINA_HOME) or absolute path to the desired directory.
- This access log implementation is optimized for maximum performance,
- but is hardcoded to support only the "common" and "combined" patterns.
- This valve use NIO direct Byte Buffer to asynchornously store the
- log.
- -->
- <!--
- <Valve className="org.apache.catalina.valves.ByteBufferAccessLogValve"
- directory="logs" prefix="localhost_access_log." suffix=".txt"
- pattern="common" resolveHosts="false"/>
- -->
-
- <!-- <Context docBase="webapps" path="/webapps" reloadable="false"/> -->
</Host>
-
</Engine>
-
</Service>
-
</Server>
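Review bot: The new side leaves the `AccessLogValve` commented out (`<!-- <Valve className="org.apache.catalina.valves.AccessLogValve" ... -->`), whereas the old configuration had that valve active inside `<Host>`; for an OCSP responder this removes the only container-level per-request record (client IP, URI, status) unless the PKI subsystem logs requests elsewhere, which this hunk does not show. If the loss is unintended, re-enable it by dropping the comment markers: `<Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"` / `prefix="localhost_access_log." suffix=".txt" pattern="common" resolveHosts="false"/>`. Keeping `resolveHosts="false"` and `autoDeploy="false"` on the `<Host>` is the right call and should stay as-is.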
diff --git a/pki/base/ocsp/shared/conf/tomcat-users.xml b/pki/base/ocsp/shared/conf/tomcat-users.xml
index f986faed3..daa9260cc 100644
--- a/pki/base/ocsp/shared/conf/tomcat-users.xml
+++ b/pki/base/ocsp/shared/conf/tomcat-users.xml
@@ -1,17 +1,45 @@
<?xml version='1.0' encoding='utf-8'?>
<!-- BEGIN COPYRIGHT BLOCK
- Copyright (C) 2006 Red Hat, Inc.
+ Copyright (C) 2006-2010 Red Hat, Inc.
All rights reserved.
+ Modifications: configuration parameters
END COPYRIGHT BLOCK -->
+<!--
+ Licensed to the Apache Software Foundation (ASF) under one or more
+ contributor license agreements. See the NOTICE file distributed with
+ this work for additional information regarding copyright ownership.
+ The ASF licenses this file to You under the Apache License, Version 2.0
+ (the "License"); you may not use this file except in compliance with
+ the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+-->
+
+<!--
+ <role rolename="tomcat"/>
+ <role rolename="role1"/>
+ <user username="tomcat" password="tomcat" roles="tomcat"/>
+ <user username="both" password="tomcat" roles="tomcat,role1"/>
+ <user username="role1" password="tomcat" roles="role1"/>
+-->
+
+<!-- The host manager webapp is restricted to users with role "admin" -->
+<!--<user name="tomcat" password="password" roles="admin" />-->
+<!-- The manager webapp is restricted to users with role "manager" -->
+<!--<user name="tomcat" password="password" roles="manager" />-->
<tomcat-users>
<role rolename="pkiuser"/>
<role rolename="tomcat"/>
- <role rolename="role1"/>
<role rolename="manager"/>
<role rolename="admin"/>
+
<user username="pkiuser" password="pkiuser" roles="pkiuser"/>
<user username="tomcat" password="tomcat" roles="tomcat"/>
- <user username="both" password="tomcat" roles="tomcat,role1"/>
- <user username="role1" password="tomcat" roles="role1"/>
<user username="admin" password="netscape" roles="admin,manager"/>
</tomcat-users>
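Review bot: The shipped template still carries fixed credentials, and the new comment lines above the `<tomcat-users>` element now spell out that the `admin` and `manager` roles gate the host-manager and manager webapps, yet `<user username="admin" password="netscape" roles="admin,manager"/>` grants both roles under a well-known password (with `pkiuser`/`pkiuser` and `tomcat`/`tomcat` alongside). If those webapps are present in the instance, anyone who can reach the connector can deploy arbitrary WARs with these credentials; this is likely inherited from the CA copy rather than introduced here, but the merge is a good point to address it. Either remove the `admin,manager` grant from the template entirely, or replace the literal password with a per-instance substitution parameter in the style of the `[PKI_...]` placeholders server.xml already uses, so the value is generated at instance creation instead of shipped in the RPM.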
diff --git a/pki/base/ocsp/shared/conf/tomcat5.conf b/pki/base/ocsp/shared/conf/tomcat5.conf
deleted file mode 100644
index c17539431..000000000
--- a/pki/base/ocsp/shared/conf/tomcat5.conf
+++ /dev/null
@@ -1,81 +0,0 @@
-# --- BEGIN COPYRIGHT BLOCK ---
-# Copyright (C) 2006 Red Hat, Inc.
-# All rights reserved.
-# --- END COPYRIGHT BLOCK ---
-#
-# tomcat5 service configuration file
-
-# Check to insure that this configuration file's associated PKI
-# subsystem currently resides on this system.
-PKI_SUBSYSTEM_TYPE=[PKI_SUBSYSTEM_TYPE]
-if [ ! -d /usr/share/pki/${PKI_SUBSYSTEM_TYPE} ] ; then
- echo "This machine is missing the '${PKI_SUBSYSTEM_TYPE}' subsystem!"
- exit 255
-fi
-
-# you could also override JAVA_HOME here
-# Where your java installation lives
-JAVA_HOME="/usr/lib/jvm/jre"
-
-# You can pass some parameters to java
-# here if you wish to
-#JAVA_OPTS="-Xminf0.1 -Xmaxf0.3"
-
-# Where your tomcat installation lives
-# That change from previous RPM where TOMCAT_HOME
-# used to be /var/tomcat.
-# Now /var/tomcat will be the base for webapps only
-CATALINA_HOME="/usr/share/tomcat5"
-JASPER_HOME="/usr/share/tomcat5"
-CATALINA_TMPDIR="/usr/share/tomcat5/temp"
-JAVA_ENDORSED_DIRS="/usr/share/tomcat5/common/endorsed"
-
-# What user should run tomcat
-TOMCAT_USER="[PKI_USER]"
-TOMCAT_GROUP="[PKI_GROUP]"
-
-# You can change your tomcat locale here
-#LANG=en_US
-
-# Time to wait in seconds, while starting process
-STARTUP_WAIT=30
-
-# Time to wait in seconds, before killing process
-SHUTDOWN_WAIT=30
-
-
-# If you wish to further customize your tomcat environment,
-# put your own definitions here
-# (i.e. LD_LIBRARY_PATH for some jdbc drivers)
-# Just do not forget to export them :)
-
-OS=`uname -s`
-PLATFORM=""
-
-if [ $OS = "Linux" ]; then
- PLATFORM=`uname -i`
- if [ $PLATFORM = "i386" ]; then
- # 32-bit Linux
- LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/usr/lib/dirsec:/usr/lib
- elif [ $PLATFORM = "x86_64" ]; then
- # 64-bit Linux
- LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/usr/lib64/dirsec:/usr/lib64:/usr/lib
- fi
- export LD_LIBRARY_PATH
-elif [ $OS = "SunOS" ]; then
- PLATFORM=`uname -p`
- if [ "${PLATFORM}" = "sparc" ] &&
- [ -d "/usr/lib/sparcv9/" ] ; then
- PLATFORM="sparcv9"
- fi
- if [ $PLATFORM = "sparc" ]; then
- # 32-bit Solaris
- LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/usr/lib/dirsec:/usr/lib
- elif [ $PLATFORM = "sparcv9" ]; then
- # 64-bit Solaris
- JAVA_OPTS="-d64"
- export JAVA_OPTS
- LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/usr/lib/sparcv9/dirsec:/usr/lib/sparcv9:/usr/lib/dirsec:/usr/lib
- fi
- export LD_LIBRARY_PATH
-fi
diff --git a/pki/base/ocsp/shared/conf/tomcat6.conf b/pki/base/ocsp/shared/conf/tomcat6.conf
new file mode 100644
index 000000000..31385567d
--- /dev/null
+++ b/pki/base/ocsp/shared/conf/tomcat6.conf
@@ -0,0 +1,55 @@
+# Service-specific configuration file for tomcat6. This will be sourced by
+# the SysV init script after the global configuration file
+# /etc/tomcat6/tomcat6.conf, thus allowing values to be overridden in
+# a per-service manner.
+#
+# NEVER change the init script itself. To change values for all services make
+# your changes in /etc/tomcat6/tomcat6.conf
+#
+# To change values for a specific service make your edits here.
+# To create a new service create a link from /etc/init.d/<your new service> to
+# /etc/init.d/tomcat6 (do not copy the init script) and make a copy of the
+# /etc/sysconfig/tomcat6 file to /etc/sysconfig/<your new service> and change
+# the property values so the two services won't conflict. Register the new
+# service in the system as usual (see chkconfig and similars).
+#
+
+# Where your java installation lives
+#JAVA_HOME="/usr/lib/jvm/java"
+
+# Where your tomcat installation lives
+CATALINA_BASE="[PKI_INSTANCE_PATH]"
+#CATALINA_HOME="/usr/share/tomcat6"
+#JASPER_HOME="/usr/share/tomcat6"
+#CATALINA_TMPDIR="/var/cache/tomcat6/temp"
+
+# You can pass some parameters to java here if you wish to
+#JAVA_OPTS="-Xminf0.1 -Xmaxf0.3"
+
+# Use JAVA_OPTS to set java.library.path for libtcnative.so
+#JAVA_OPTS="-Djava.library.path=/usr/lib64"
+
+# What user should run tomcat
+TOMCAT_USER="[PKI_USER]"
+
+# You can change your tomcat locale here
+#LANG="en_US"
+
+# Run tomcat under the Java Security Manager
+#SECURITY_MANAGER="false"
+
+# Time to wait in seconds, before killing process
+#SHUTDOWN_WAIT="30"
+
+# Whether to annoy the user with "attempting to shut down" messages or not
+#SHUTDOWN_VERBOSE="false"
+
+# Set the TOMCAT_PID location
+CATALINA_PID="[TOMCAT_PIDFILE]"
+
+# Connector port is 8080 for this tomcat6 instance
+#CONNECTOR_PORT="8080"
+
+# If you wish to further customize your tomcat environment,
+# put your own definitions here
+# (i.e. LD_LIBRARY_PATH for some jdbc drivers)
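Review bot: The comment `# Connector port is 8080 for this tomcat6 instance` above the commented-out `CONNECTOR_PORT` line is carried over from the stock tomcat6 sysconfig template and does not describe a PKI instance, whose listener ports live in the instance server.xml; either drop the two lines or reword the comment to `# Connector ports for this instance are defined in server.xml`. The deleted tomcat5.conf exported an `LD_LIBRARY_PATH` pointing at the dirsec library directories and set `TOMCAT_GROUP`, while this file sets neither, so if the native JSS/NSS libraries are still resolved from those paths the init script or the global /etc/tomcat6/tomcat6.conf must now supply them — worth confirming before the tomcat5 file is gone for good. Since the init script sources this file as shell, the bracketed placeholders `[PKI_INSTANCE_PATH]`, `[PKI_USER]` and `[TOMCAT_PIDFILE]` become shell assignments verbatim, so the instance-creation step should fail loudly if any of them is left unsubstituted rather than letting a literal bracketed value be used as CATALINA_BASE or the pid file path.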
diff --git a/pki/base/ocsp/shared/etc/init.d/pki-ocspd b/pki/base/ocsp/shared/etc/init.d/pki-ocspd
index 70520dc30..34172a2af 100755
--- a/pki/base/ocsp/shared/etc/init.d/pki-ocspd
+++ b/pki/base/ocsp/shared/etc/init.d/pki-ocspd
@@ -14,1816 +14,70 @@
# with this program; if not, write to the Free Software Foundation, Inc.,
# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
#
-# Copyright (C) 2007 Red Hat, Inc.
+# Copyright (C) 2007-2010 Red Hat, Inc.
# All rights reserved.
-# --- END COPYRIGHT BLOCK ### ---
+# --- END COPYRIGHT BLOCK ---
#
-# pki-ocspd Startup script for Tomcat 5.0 pki-ocsp, the Apache Servlet Engine
+# pki-ocspd Startup script for pki-ocsp with tomcat6
#
# chkconfig: - 83 17
-# description: Online Certificate Status Protocol Manager \
-# (Tomcat 5.0)
+# description: Online Certificate Status Protocol Manager (Tomcat 6.0)
# processname: pki-ocspd
# piddir: /var/run/pki/ocsp
-# config: ${PKI_INSTANCE_PATH}/conf/tomcat5.conf
-#
-# Gomez Henri <hgomez@users.sourceforge.net>
-# Keith Irwin <keith_irwin@non.hp.com>
-# Nicolas Mailhot <nicolas.mailhot@one2team.com>
-#
-# version 1.02 - Removed initlog support
-# version 1.03 - Removed config:
-# version 1.04 - tomcat will start before httpd and stop after httpd
-# version 1.05 - jdk hardcoded to link /usr/java/jdk and tomcat runs
-# as "nobody"
-# version 1.06 - split up into script and config file
-# version 1.07 - Rework from Nicolas ideas
-# version 1.08 - Fix work dir permission at start time, switch to use tomcat4
-# version 1.09 - Fix pidfile and config tags
-# version 1.10 - Fallback to su direct use on systems without
-# Redhat/Mandrake init.d functions
-# version 1.11 - Fix webapps dir permissions
-# version 1.12 - remove initial start/stop level for chkconfig (- 80 20)
-# version 1.13 - remove chown of logs/work/temp/webapps dir,
-# owned by tomcat4 at install time
-# version 1.14 - correct the start/stop ugly hack by waiting
-# all the threads stops
-# version 1.15 - ensure we're looking for TOMCAT_USER running catalina
-# version 1.16 - Add support for CATALINA_PID env var
-# version 1.17 - Remove run files only tomcat started correctl
-# in start area, check that tomcat is not allready running
-# version 1.18 - Fix kill typo (thanks Kaj J. Niemi)
-# version 1.19 - Add jar relinking
-# version 1.20 - Check there is no stalling tomcat4.pid
-# version 1.20tc5 - Changed all instances of tomcat4 to
-# tomcat5 except TOMCAT_USER
-# version 1.20tc5rh - Changed TOMCAT_USER from tomcat4 to tomcat
#
-PKI_INIT_SCRIPT=""
+PROG_NAME=`basename $0`
+SERVICE_NAME="pki-ocspd"
+SERVICE_PROG="/sbin/service"
PKI_PATH="/usr/share/pki/ocsp"
-PKI_PIDDIR="/var/run/pki/ocsp"
-PKI_PROCESS="pki-ocspd"
PKI_REGISTRY="/etc/sysconfig/pki/ocsp"
PKI_TYPE="pki-ocsp"
-
-# PKI subsystem-level directory and file values for locks
-lockfile="/var/lock/subsys/pki-ocspd"
+PKI_TOTAL_PORTS=6
# Disallow 'others' the ability to 'write' to new files
umask 00002
-default_error=0
command="$1"
pki_instance="$2"
-case "${command}" in
- start|stop|restart|condrestart|force-restart|try-restart)
- # * 1 generic or unspecified error (current practice)
- default_error=1
- ;;
- reload)
- default_error=3
- ;;
- status)
- # * 4 program or service status is unknown
- default_error=4
- ;;
- *)
- # * 2 invalid argument(s)
- default_error=2
- ;;
-esac
-
-# Check to insure that this script's original invocation directory
-# has not been deleted!
-CWD=`/bin/pwd > /dev/null 2>&1`
-if [ $? -ne 0 ] ; then
- echo "Cannot invoke '$0' from non-existent directory!"
- exit ${default_error}
-fi
-
-# Check to insure that this script's associated PKI
-# subsystem currently resides on this system.
-if [ ! -d ${PKI_PATH} ] ; then
- echo "This machine is missing the '${PKI_TYPE}' subsystem!"
- if [ "${command}" != "status" ]; then
- # * 5 program is not installed
- exit 5
- else
- exit ${default_error}
- fi
-fi
-
-# Check to insure that this script's associated PKI
-# subsystem instance registry currently resides on this system.
-if [ ! -d ${PKI_REGISTRY} ] ; then
- echo "This machine contains no registered '${PKI_TYPE}' subsystem instances!"
- if [ "${command}" != "status" ]; then
- # * 5 program is not installed
- exit 5
- else
- exit ${default_error}
- fi
-fi
-
-# Obtain the operating system upon which this script is being executed
-OS=`uname -s`
-ARCHITECTURE=""
-
-# This script must be run as root!
-RV=0
-if [ ${OS} = "Linux" ] ; then
- PKI_INIT_SCRIPT="/sbin/service ${PKI_PROCESS}"
- if [ `id -u` -ne 0 ] ; then
- echo "Must be 'root' to execute '$0'!"
- if [ "${command}" != "status" ]; then
- # * 4 user had insufficient privilege
- exit 4
- else
- # * 4 program or service status is unknown
- exit 4
- fi
- fi
- ARCHITECTURE=`uname -i`
-elif [ ${OS} = "SunOS" ] ; then
- PKI_INIT_SCRIPT="/etc/init.d/${PKI_PROCESS}"
- if [ `/usr/xpg4/bin/id -u` -ne 0 ] ; then
- echo "Must be 'root' to execute '$0'!"
- if [ "${command}" != "status" ]; then
- # * 4 user had insufficient privilege
- exit 4
- else
- # * 4 program or service status is unknown
- exit 4
- fi
- fi
- ARCHITECTURE=`uname -p`
- if [ "${ARCHITECTURE}" = "sparc" ] &&
- [ -d "/usr/lib/sparcv9/" ] ; then
- ARCHITECTURE="sparcv9"
- fi
-else
- echo "Unsupported OS '${OS}'!"
- exit ${default_error}
-fi
# Source function library.
-if [ -f /etc/init.d/functions ]; then
- . /etc/init.d/functions
-else
- # The checkpid() function is provided for platforms that do not
- # contain the "/etc/init.d/functions" file (e. g. - Solaris) . . .
-
- # Check if ${pid} (could be plural) are running (keep count)
- checkpid()
- {
- rv=0
- for i in $* ; do
- ps -p $i > /dev/null 2>&1 ;
- if [ $? -ne 0 ] ; then
- rv=`expr ${rv} + 1`
- else
- rv=`expr ${rv} + 0`
- fi
- done
- # echo "rv=${rv}"
- return ${rv}
- }
-
- # Create the following directories on platforms
- # where they do not exist (e. g. - Solaris) . . .
- if [ ! -d "/var/lock" ] ; then
- mkdir -p /var/lock
- chown root:sys /var/lock
- chmod 00755 /var/lock
- fi
- if [ ! -d "/var/lock/subsys" ] ; then
- mkdir -p /var/lock/subsys
- chown root:root /var/lock/subsys
- chmod 00755 /var/lock/subsys
- fi
-
- #######################################################################
- ## NOTE: The following code needs to eventually be moved into the ##
- ## template used to create the ##
- ## "${PKI_INSTANCE_PATH}/conf/tomcat5.conf" file! ##
- #######################################################################
-
- if [ ${OS} = "SunOS" ] ; then
- DEFAULT_SOLARIS_JAVA_HOME="/usr/jdk/instances/jdk1.5.0/jre"
- DEFAULT_LINUX_JAVA_HOME="/usr/lib/jvm/jre"
- DEFAULT_LINUX_JAVA_HOME_PATH=`dirname ${DEFAULT_LINUX_JAVA_HOME}`
-
- # ensure that the Sun JRE 1.5.0 exists at the default location
- if [ -d ${DEFAULT_SOLARIS_JAVA_HOME} ] ; then
- # create the directory in which the symlink resides (if necessary)
- if [ ! -d ${DEFAULT_LINUX_JAVA_HOME_PATH} ] ; then
- mkdir -p ${DEFAULT_LINUX_JAVA_HOME_PATH}
- fi
- # create the actual symlink (if necessary)
- if [ ! -h ${DEFAULT_LINUX_JAVA_HOME} ] ; then
- ln -s ${DEFAULT_SOLARIS_JAVA_HOME} ${DEFAULT_LINUX_JAVA_HOME}
- fi
- else
- # for now, simply exit with an appropriate error message
- echo -n "The Solaris 1.5.0 JRE must be installed "
- echo -n "at \"${DEFAULT_SOLARIS_JAVA_HOME}\"!"
- echo
- echo
- exit ${default_error}
- fi
- fi
-fi
-
-PKI_REGISTRY_ENTRIES=""
-TOTAL_PKI_REGISTRY_ENTRIES=0
-TOTAL_UNCONFIGURED_PKI_ENTRIES=0
-
-# Gather ALL registered instances of this PKI subsystem type
-for FILE in `/bin/ls -1 ${PKI_REGISTRY}/* 2>/dev/null`; do
- if [ -f "$FILE" ] ; then
- inst=`echo "$FILE"`
- PKI_REGISTRY_ENTRIES="${PKI_REGISTRY_ENTRIES} $inst"
- TOTAL_PKI_REGISTRY_ENTRIES=`expr ${TOTAL_PKI_REGISTRY_ENTRIES} + 1`
- fi
-done
-
-if [ -n "${pki_instance}" ]; then
- for I in ${PKI_REGISTRY_ENTRIES}; do
- if [ "${PKI_REGISTRY}/${pki_instance}" = "$I" ]; then
- PKI_REGISTRY_ENTRIES="${PKI_REGISTRY}/${pki_instance}"
- TOTAL_PKI_REGISTRY_ENTRIES=1
- break
- fi
- done
-fi
-
-usage()
-{
- echo -n "Usage: ${PKI_INIT_SCRIPT} "
- echo -n "{start"
- echo -n "|stop"
- echo -n "|restart"
- echo -n "|condrestart"
- echo -n "|force-restart"
- echo -n "|try-restart"
- echo -n "|reload"
- echo -n "|status} "
- echo -n "[instance-name]"
- echo
- echo
-}
-
-list_instances()
-{
- echo
- for FILE in `/bin/ls -1 ${PKI_REGISTRY}/* 2>/dev/null`; do
- echo " ${FILE}"
- done
- echo
-}
-
-# Check arguments
-if [ $# -lt 1 ] ; then
- # * 3 unimplemented feature (for example, "reload")
- # [insufficient arguments]
- echo "$0: Insufficient arguments!"
- echo
- usage
- echo "where valid instance names include:"
- list_instances
- exit 3
-elif [ ${default_error} -eq 2 ] ; then
- # * 2 invalid argument
- echo "$0: Invalid arguments!"
- echo
- usage
- echo "where valid instance names include:"
- list_instances
- exit 2
-elif [ $# -gt 2 ] ; then
- echo "$0: Excess arguments!"
- echo
- usage
- echo "where valid instance names include:"
- list_instances
- if [ "${command}" != "status" ]; then
- # * 2 excess arguments
- exit 2
- else
- # * 4 program or service status is unknown
- exit 4
- fi
-fi
-
-# If an "instance" was supplied, check that it is a "valid" instance
-if [ -n "${pki_instance}" ]; then
- if [ "${PKI_REGISTRY}/${pki_instance}" != "${PKI_REGISTRY_ENTRIES}" ]; then
- echo -n "${pki_instance} is an invalid '${PKI_TYPE}' instance"
- echo_failure
- echo
- if [ "${command}" != "status" ]; then
- # * 5 program is not installed
- exit 5
- else
- # * 4 program or service status is unknown
- exit 4
- fi
- fi
-fi
-
-# On Solaris /var/run is in tmpfs and gets wiped out upon reboot
-# we have to recreate the ${PKI_PIDDIR} directory and make sure that
-# the directory is writable by the ${PKI_TYPE} server process.
-#
-# IMPORTANT: ALL PKI subsystems installed on this machine MUST utilize
-# the SAME values for ${PKI_GROUP} and ${PKI_USER}, since the
-# "${PKI_PIDDIR}" will end up with the ownership permissions
-# of the first instance that executes this function!
-#
-fix_pid_dir_ownership()
-{
- if [ ! -d ${PKI_PIDDIR} ] ; then
- mkdir -p ${PKI_PIDDIR}
-
- chown root:root /var/run/pki
- chmod 00755 /var/run/pki
-
- chown root:root ${PKI_PIDDIR}
- chmod 00755 ${PKI_PIDDIR}
- fi
-}
-
-check_pki_configuration_status()
-{
- rv=0
-
- rv=`grep -c ^preop ${pki_instance_configuration_file}`
-
- rv=`expr ${rv} + 0`
-
- if [ ${rv} -ne 0 ] ; then
- echo " '${PKI_INSTANCE_ID}' must still be CONFIGURED!"
- echo " (see /var/log/${PKI_INSTANCE_ID}-install.log)"
- if [ "${command}" != "status" ]; then
- # * 6 program is not configured
- rv=6
- else
- # * 4 program or service status is unknown
- rv=4
- fi
- TOTAL_UNCONFIGURED_PKI_ENTRIES=`expr ${TOTAL_UNCONFIGURED_PKI_ENTRIES} + 1`
- elif [ -f ${RESTART_SERVER} ] ; then
- echo -n " Although '${PKI_INSTANCE_ID}' has been CONFIGURED, "
- echo -n "it must still be RESTARTED!"
- echo
- if [ "${command}" != "status" ]; then
- # * 1 generic or unspecified error (current practice)
- rv=1
- else
- # * 4 program or service status is unknown
- rv=4
- fi
- fi
-
- return ${rv}
-}
-
-get_pki_status_definitions()
-{
- # establish well-known strings
- begin_pki_status_comment="<!-- DO NOT REMOVE - Begin PKI Status Definitions -->"
- end_pki_status_comment="<!-- DO NOT REMOVE - End PKI Status Definitions -->"
- total_ports=0
- unsecure_port_statement="Unsecure Port = "
- secure_agent_port_statement="Secure Agent Port = "
- secure_ee_port_statement="Secure EE Port = "
- secure_admin_port_statement="Secure Admin Port = "
- pki_console_port_statement="PKI Console Port = "
- tomcat_port_statement="Tomcat Port = "
-
- # initialize looping variables
- pki_status_comment_found=0
-
- # first check to see that an instance-specific "server.xml" file exists
- if [ ! -f ${PKI_SERVER_XML_CONF} ] ; then
- echo "File '${PKI_SERVER_XML_CONF}' does not exist!"
- exit ${default_error}
- fi
-
- # read this instance-specific "server.xml" file line-by-line
- # to obtain the current PKI Status Definitions
- exec < ${PKI_SERVER_XML_CONF}
- while read line; do
- # first look for the well-known end PKI Status comment
- # (to turn off processing)
- if [ "$line" == "$end_pki_status_comment" ] ; then
- pki_status_comment_found=0
- break;
- fi
-
- # then look for the well-known begin PKI Status comment
- # (to turn on processing)
- if [ "$line" == "$begin_pki_status_comment" ] ; then
- pki_status_comment_found=1
- fi
-
- # once the well-known begin PKI Status comment has been found,
- # begin processing to obtain all of the PKI Status Definitions
- if [ $pki_status_comment_found -eq 1 ] ; then
- # look for a PKI Status Definition and print it
- head=`echo "$line" | cut -b1-20`
- if [ "$head" == "$unsecure_port_statement" ] ||
- [ "$head" == "$secure_agent_port_statement" ] ||
- [ "$head" == "$secure_ee_port_statement" ] ||
- [ "$head" == "$secure_admin_port_statement" ] ||
- [ "$head" == "$pki_console_port_statement" ] ||
- [ "$head" == "$tomcat_port_statement" ] ; then
- echo " $line"
- total_ports=`expr ${total_ports} + 1`
- fi
- fi
- done
-
- if [ ${total_ports} -eq 6 ] ; then
- return 0
- else
- return ${default_error}
- fi
-}
-
-get_pki_configuration_definitions()
-{
- # Obtain the PKI Subsystem Type
- line=`grep ^cs.type= ${pki_instance_configuration_file}`
- pki_subsystem=`echo "${line}" | cut -b9-`
- if [ "${line}" != "" ] ; then
- if [ "${pki_subsystem}" != "CA" ] &&
- [ "${pki_subsystem}" != "KRA" ] &&
- [ "${pki_subsystem}" != "OCSP" ] &&
- [ "${pki_subsystem}" != "TKS" ] &&
- [ "${pki_subsystem}" != "RA" ] &&
- [ "${pki_subsystem}" != "TPS" ]
- then
- return ${default_error}
- fi
- if [ "${pki_subsystem}" == "KRA" ] ; then
- # Rename "KRA" to "DRM"
- pki_subsystem="DRM"
- fi
- else
- return ${default_error}
- fi
-
- # If "${pki_subsystem}" is a CA, DRM, OCSP, or TKS,
- # check to see if "${pki_subsystem}" is a "Clone"
- pki_clone=""
- if [ "${pki_subsystem}" == "CA" ] ||
- [ "${pki_subsystem}" == "DRM" ] ||
- [ "${pki_subsystem}" == "OCSP" ] ||
- [ "${pki_subsystem}" == "TKS" ]
- then
- line=`grep ^subsystem.select= ${pki_instance_configuration_file}`
- if [ "${line}" != "" ] ; then
- pki_clone=`echo "${line}" | cut -b18-`
- if [ "${pki_clone}" != "Clone" ] ; then
- # Reset "${pki_clone}" to be empty
- pki_clone=""
- fi
- else
- return ${default_error}
- fi
- fi
-
- # If "${pki_subsystem}" is a CA, and is NOT a "Clone", check to
- # see "${pki_subsystem}" is a "Root" or a "Subordinate" CA
- pki_hierarchy=""
- if [ "${pki_subsystem}" == "CA" ] &&
- [ "${pki_clone}" != "Clone" ]
- then
- line=`grep ^hierarchy.select= ${pki_instance_configuration_file}`
- if [ "${line}" != "" ] ; then
- pki_hierarchy=`echo "${line}" | cut -b18-`
- else
- return ${default_error}
- fi
- fi
-
- # If ${pki_subsystem} is a CA, check to
- # see if it is also a Security Domain
- pki_security_domain=""
- if [ "${pki_subsystem}" == "CA" ] ; then
- line=`grep ^securitydomain.select= ${pki_instance_configuration_file}`
- if [ "${line}" != "" ] ; then
- pki_security_domain=`echo "${line}" | cut -b23-`
- if [ "${pki_security_domain}" == "new" ] ; then
- # Set a fixed value for "${pki_security_domain}"
- pki_security_domain="(Security Domain)"
- else
- # Reset "${pki_security_domain}" to be empty
- pki_security_domain=""
- fi
- else
- return ${default_error}
- fi
- fi
-
- # Always obtain this PKI instance's "registered"
- # security domain information
- pki_security_domain_name=""
- pki_security_domain_hostname=""
- pki_security_domain_https_admin_port=""
-
- line=`grep ^securitydomain.name= ${pki_instance_configuration_file}`
- if [ "${line}" != "" ] ; then
- pki_security_domain_name=`echo "${line}" | cut -b21-`
- else
- return ${default_error}
- fi
-
- line=`grep ^securitydomain.host= ${pki_instance_configuration_file}`
- if [ "${line}" != "" ] ; then
- pki_security_domain_hostname=`echo "${line}" | cut -b21-`
- else
- return ${default_error}
- fi
-
- line=`grep ^securitydomain.httpsadminport= ${pki_instance_configuration_file}`
- if [ "${line}" != "" ] ; then
- pki_security_domain_https_admin_port=`echo "${line}" | cut -b31-`
- else
- return ${default_error}
- fi
-
- # Compose the "PKI Instance Name" Status Line
- pki_instance_name="PKI Instance Name: ${PKI_INSTANCE_ID}"
-
- # Compose the "PKI Subsystem Type" Status Line
- header="PKI Subsystem Type: "
- if [ "${pki_clone}" != "" ] ; then
- if [ "${pki_security_domain}" != "" ]; then
- # Possible Values:
- #
- # "CA Clone (Security Domain)"
- #
- data="${pki_subsystem} ${pki_clone} ${pki_security_domain}"
- else
- # Possible Values:
- #
- # "CA Clone"
- # "DRM Clone"
- # "OCSP Clone"
- # "TKS Clone"
- #
- data="${pki_subsystem} ${pki_clone}"
- fi
- elif [ "${pki_hierarchy}" != "" ] ; then
- if [ "${pki_security_domain}" != "" ]; then
- # Possible Values:
- #
- # "Root CA (Security Domain)"
- # "Subordinate CA (Security Domain)"
- #
- data="${pki_hierarchy} ${pki_subsystem} ${pki_security_domain}"
- else
- # Possible Values:
- #
- # "Root CA"
- # "Subordinate CA"
- #
- data="${pki_hierarchy} ${pki_subsystem}"
- fi
- else
- # Possible Values:
- #
- # "DRM"
- # "OCSP"
- # "RA"
- # "TKS"
- # "TPS"
- #
- data="${pki_subsystem}"
- fi
- pki_subsystem_type="${header} ${data}"
-
- # Compose the "Registered PKI Security Domain Information" Status Line
- header="Name: "
- registered_pki_security_domain_name="${header} ${pki_security_domain_name}"
-
- header="URL: "
- if [ "${pki_security_domain_hostname}" != "" ] &&
- [ "${pki_security_domain_https_admin_port}" != "" ]
- then
- data="https://${pki_security_domain_hostname}:${pki_security_domain_https_admin_port}"
- else
- return ${default_error}
- fi
- registered_pki_security_domain_url="${header} ${data}"
-
- # Print the "PKI Subsystem Type" Status Line
- echo
- echo " ${pki_instance_name}"
-
- # Print the "PKI Subsystem Type" Status Line
- echo
- echo " ${pki_subsystem_type}"
-
- # Print the "Registered PKI Security Domain Information" Status Line
- echo
- echo " Registered PKI Security Domain Information:"
- echo " =========================================================================="
- echo " ${registered_pki_security_domain_name}"
- echo " ${registered_pki_security_domain_url}"
- echo " =========================================================================="
-
- return 0
-}
-
-get_pki_secure_port()
-{
- # establish well-known strings
- begin_ssl_comment="<!-- DO NOT REMOVE - Begin define PKI secure port -->"
- end_ssl_comment="<!-- DO NOT REMOVE - End define PKI secure port -->"
- connector_statement="<Connector name=\""
-
- # initialize looping variables
- ssl_comment_found=0
-
- # first check to see that an instance-specific "server.xml" file exists
- if [ ! -f ${PKI_SERVER_XML_CONF} ] ; then
- echo "File '${PKI_SERVER_XML_CONF}' does not exist!"
- exit ${default_error}
- fi
-
- # read this instance-specific "server.xml" file line-by-line
- # to obtain the current value of the PKI secure port
- exec < ${PKI_SERVER_XML_CONF}
- while read line; do
- # first look for the well-known end SSL comment
- # (to turn off processing)
- if [ "$line" == "$end_ssl_comment" ] ; then
- ssl_comment_found=0
- fi
-
- # then look for the well-known begin SSL comment
- # (to turn on processing)
- if [ "$line" == "$begin_ssl_comment" ] ; then
- ssl_comment_found=1
- fi
-
- # once the well-known begin SSL comment has been found,
- # begin processing to obtain the numeric port information
- if [ $ssl_comment_found -eq 1 ] ; then
- # look for the next Connector statement
- head=`echo $line | cut -b1-17`
- if [ "$head" == "$connector_statement" ] ; then
- # once the Connector statement has been found,
- tail=`echo $line | cut -b18-`
- # extract the name of the connector
- name=`echo $tail | cut -d\" -f1`
- if [ "$name" == "Agent" ] ||
- [ "$name" == "Secure" ] ; then
- # extract the numeric port information
- port=`echo $tail | cut -d\" -f3`
- PKI_SECURE_PORT=$port
- return 0
- fi
- fi
- fi
- done
-
- return ${default_error}
-}
-
-display_instance_status()
-{
- rv=0
-
- if [ -f ${pidfile} ] ; then
- pid=`cat ${pidfile}`
- if [ "${pid}" == "" ] ; then
- echo "${PKI_INSTANCE_ID} pid file exists but is empty"
- if [ "${command}" != "status" ]; then
- # * 1 generic or unspecified error (current practice)
- rv=1
- else
- # * 4 program or service status is unknown
- rv=4
- fi
- elif kill -0 ${pid} > /dev/null 2>&1 ; then
- echo "${PKI_INSTANCE_ID} (pid ${pid}) is running ..."
- echo
- check_pki_configuration_status
- rv=$?
- if [ ${rv} -eq 0 ] ; then
- get_pki_status_definitions
- rv=$?
- if [ ${rv} -ne 0 ] ; then
- echo
- echo "${PKI_INSTANCE_ID} Status Definitions not found"
- else
- get_pki_configuration_definitions
- rv=$?
- if [ ${rv} -ne 0 ] ; then
- echo
- echo "${PKI_INSTANCE_ID} Configuration Definitions not found"
- fi
- fi
- else
- # From the PKI point of view for a "non-status" action,
- # a returned error code of "6" implies that the program
- # is not "configured". Similarly, an error code of "1"
- # implies that the program was "configured" but must
- # still be restarted.
- #
- # Similarly, from the PKI point of view for a "status"
- # action, a returned error code of "4" implies that either
- # the program is not "configured", or that the program
- # was "configured" but must still be restarted.
- #
- # Regardless, it must still be considered that the instance
- # is "running" from the viewpoint of other OS programs such
- # as 'chkconfig'.
- #
- # For this reason, when returning from
- # 'display_instance_status()', ignore non-zero return codes
- # returned from 'check_pki_configuration_status()'.
- #
- if [ "${command}" != "status" ]; then
- # * 0 action was successful
- rv=0
- else
- # * 0 program is running or service is OK
- rv=0
- fi
- fi
- echo
- else
- echo "${PKI_INSTANCE_ID} is dead but pid file exists"
- if [ "${command}" != "status" ]; then
- # * 1 generic or unspecified error (current practice)
- rv=1
- else
- # * 1 program is dead and /var/run pid file exists
- rv=1
- fi
- fi
- else
- echo "${PKI_INSTANCE_ID} is stopped"
- if [ "${command}" != "status" ]; then
- # * 7 program is not running
- rv=7
- else
- # * 3 program is not running
- rv=3
- fi
- fi
-
- return ${rv}
-}
-
-start_instance()
-{
- rv=0
-
- echo -n "Starting $TOMCAT_PROG: "
-
- if [ -f ${RESTART_SERVER} ] ; then
- rm -f ${RESTART_SERVER}
- fi
-
- if [ -f ${PKI_LOCKFILE} ] ; then
- if [ -f ${pidfile} ]; then
- read kpid < ${pidfile}
- if checkpid $kpid 2>&1; then
- echo
- echo "${PKI_INSTANCE_ID} (pid ${kpid}) is already running ..."
- echo
- check_pki_configuration_status
- rv=$?
- if [ ${rv} != 0 ]; then
- # From the PKI point of view for a "non-status" action,
- # a returned error code of "6" implies that the program
- # is not "configured". Similarly, an error code of "1"
- # implies that the program was "configured" but must
- # still be restarted.
- #
- # Regardless, it must still be considered that the instance
- # is "running" from the viewpoint of other OS programs such
- # as 'chkconfig'.
- #
- # For "non-status" actions, ignore return codes of "1"
- # from 'check_pki_configuration_status()'.
- #
- # However, for "non-status" actions that have a return
- # code of "6", return this value unchanged to
- # the calling routine so that the total number of
- # configuration errors may be counted.
- #
-
- echo
- if [ ${rv} = 1 ] ; then
- # * 0 action was successful
- return 0
- elif [ ${rv} = 6 ] ; then
- # * 6 program is not configured
- return 6
- else
- # should never be reached
- return ${rv}
- fi
- else
- return 0
- fi
- else
- echo
- echo -n "lock file found but no process "
- echo -n "running for pid $kpid, continuing"
- echo
- echo
- rm -f ${PKI_LOCKFILE}
- fi
- fi
- fi
-
- fix_pid_dir_ownership
-
- CATALINA_PID=${pidfile}
- export CATALINA_PID
- touch $CATALINA_PID
- chown $TOMCAT_USER:$TOMCAT_GROUP $CATALINA_PID
- chmod 00600 $CATALINA_PID
- [ -x /sbin/restorecon ] && /sbin/restorecon $CATALINA_PID
-
- # restore context for ncipher hsm
- [ -x /sbin/restorecon ] && [ -d /dev/nfast ] && /sbin/restorecon -R /dev/nfast
-
- # Always initialize CLASSPATH to start looking
- # in the local PKI classes directory . . .
- CLASSPATH=/usr/share/pki/classes
-
- if [ ${OS} = "Linux" ] ; then
- $TOMCAT_RELINK_SCRIPT
- elif [ ${OS} = "SunOS" ] ; then
- # The following definitions are provided for Solaris
- # platforms since they are unable to execute the
- # "/usr/share/tomcat5/bin/relink",
- # "/usr/bin/rebuild-jar-repository", and
- # "/usr/share/java-utils/java-functions" files . . .
-
- #######################################
- ## /var/lib/tomcat5/common/lib:
- #######################################
-
- # Build the tomcat jar classpath . . .
- CLASSPATH="$CLASSPATH":/usr/share/java/ant.jar
- CLASSPATH="$CLASSPATH":/usr/share/java/commons-collections.jar
- CLASSPATH="$CLASSPATH":/usr/share/java/commons-dbcp.jar
- CLASSPATH="$CLASSPATH":/usr/share/java/commons-el.jar
- CLASSPATH="$CLASSPATH":/usr/share/java/commons-logging-api.jar
- CLASSPATH="$CLASSPATH":/usr/share/java/commons-pool.jar
- CLASSPATH="$CLASSPATH":/usr/share/java/geronimo/spec-ejb-2.1.jar
- CLASSPATH="$CLASSPATH":/usr/share/java/geronimo/spec-j2ee-1.4.jar
- CLASSPATH="$CLASSPATH":/usr/share/java/geronimo/spec-j2ee-connector-1.5.jar
- CLASSPATH="$CLASSPATH":/usr/share/java/geronimo/spec-j2ee-deployment-1.1.jar
- CLASSPATH="$CLASSPATH":/usr/share/java/geronimo/spec-j2ee-jacc-1.0.jar
- CLASSPATH="$CLASSPATH":/usr/share/java/geronimo/spec-j2ee-management-1.0.jar
- CLASSPATH="$CLASSPATH":/usr/share/java/geronimo/spec-j2eeschema-1.0.jar
- CLASSPATH="$CLASSPATH":/usr/share/java/geronimo/spec-jms-1.1.jar
- CLASSPATH="$CLASSPATH":/usr/share/java/geronimo/spec-jsp-2.0.jar
- CLASSPATH="$CLASSPATH":/usr/share/java/geronimo/spec-jta-1.0.1B.jar
- CLASSPATH="$CLASSPATH":/usr/share/java/geronimo/spec-servlet-2.4.jar
- CLASSPATH="$CLASSPATH":/usr/share/java/jaf.jar
- CLASSPATH="$CLASSPATH":/usr/share/java/jakarta-commons-collections.jar
- CLASSPATH="$CLASSPATH":/usr/share/java/jakarta-commons-modeler.jar
- CLASSPATH="$CLASSPATH":/usr/share/java/jasper5-compiler.jar
- CLASSPATH="$CLASSPATH":/usr/share/java/jasper5-runtime.jar
- CLASSPATH="$CLASSPATH":/usr/share/java/javamail/imap.jar
- CLASSPATH="$CLASSPATH":/usr/share/java/javamail/mailapi.jar
- CLASSPATH="$CLASSPATH":/usr/share/java/javamail/nntp.jar
- CLASSPATH="$CLASSPATH":/usr/share/java/javamail/pop3.jar
- CLASSPATH="$CLASSPATH":/usr/share/java/javamail/providers.jar
- CLASSPATH="$CLASSPATH":/usr/share/java/javamail/smtp.jar
-
- # BEGIN LINUX-SPECIFIC FILE
- # CLASSPATH="$CLASSPATH":/usr/share/java/jdtCompilerAdapter.jar
- # CLASSPATH="$CLASSPATH":/usr/share/java/jdtcore.jar
- # CLASSPATH="$CLASSPATH":/usr/share/java/jsp.jar
- # END LINUX-SPECIFIC FILE
-
- CLASSPATH="$CLASSPATH":/usr/share/java/mx4j/mx4j.jar
- CLASSPATH="$CLASSPATH":/usr/share/java/mx4j/mx4j-impl.jar
- CLASSPATH="$CLASSPATH":/usr/share/java/mx4j/mx4j-jmx.jar
- CLASSPATH="$CLASSPATH":/usr/share/java/mx4j/mx4j-remote.jar
- CLASSPATH="$CLASSPATH":/usr/share/java/mx4j/mx4j-rimpl.jar
- CLASSPATH="$CLASSPATH":/usr/share/java/mx4j/mx4j-rjmx.jar
- CLASSPATH="$CLASSPATH":/usr/share/java/mx4j/mx4j-tools.jar
-
- # BEGIN LINUX-SPECIFIC FILE
- # CLASSPATH="$CLASSPATH":/usr/share/java/servlet.jar
- # END LINUX-SPECIFIC FILE
-
- CLASSPATH="$CLASSPATH":/usr/share/java/avalon-logkit.jar
- CLASSPATH="$CLASSPATH":/usr/share/java/cmsutil.jar
- CLASSPATH="$CLASSPATH":/usr/share/java/commons-logging.jar
- if [ "$ARCHITECTURE" = "sparc" ] ; then
- CLASSPATH="$CLASSPATH":/usr/lib/java/dirsec/jss4.jar
- elif [ "$ARCHITECTURE" = "sparcv9" ] ; then
- CLASSPATH="$CLASSPATH":/usr/lib/sparcv9/java/dirsec/jss4.jar
- fi
- CLASSPATH="$CLASSPATH":/usr/share/java/ldapjdk.jar
- CLASSPATH="$CLASSPATH":/var/lib/tomcat5/common/lib/naming-factory.jar
- CLASSPATH="$CLASSPATH":/var/lib/tomcat5/common/lib/naming-resources.jar
- CLASSPATH="$CLASSPATH":/usr/share/java/pki/nsutil.jar
- if [ "$ARCHITECTURE" = "sparc" ] ; then
- CLASSPATH="$CLASSPATH":/usr/lib/java/osutil.jar
- elif [ "$ARCHITECTURE" = "sparcv9" ] ; then
- CLASSPATH="$CLASSPATH":/usr/lib/sparcv9/java/osutil.jar
- fi
- CLASSPATH="$CLASSPATH":/usr/share/java/rhino.jar
- CLASSPATH="$CLASSPATH":/usr/share/java/servletapi5.jar
- if [ "$ARCHITECTURE" = "sparc" ] ; then
- CLASSPATH="$CLASSPATH":/usr/lib/java/symkey.jar
- elif [ "$ARCHITECTURE" = "sparcv9" ] ; then
- CLASSPATH="$CLASSPATH":/usr/lib/sparcv9/java/symkey.jar
- fi
- CLASSPATH="$CLASSPATH":/usr/share/java/velocity.jar
- CLASSPATH="$CLASSPATH":/usr/share/java/xalan-j2.jar
- CLASSPATH="$CLASSPATH":/usr/share/java/xerces-j2.jar
-
- # Relink tomcat jar repositories . . .
- cd /var/lib/tomcat5/common/lib
-
- if [ ! -e /var/lib/tomcat5/common/lib/\[ant\].jar ]; then
- ln -s /usr/share/java/ant.jar [ant].jar
- fi
- if [ ! -e /var/lib/tomcat5/common/lib/\[commons\-collections\].jar ]; then
- ln -s /usr/share/java/commons-collections.jar [commons-collections].jar
- fi
- if [ ! -e /var/lib/tomcat5/common/lib/\[commons\-dbcp\].jar ]; then
- ln -s /usr/share/java/commons-dbcp.jar [commons-dbcp].jar
- fi
- if [ ! -e /var/lib/tomcat5/common/lib/\[commons\-el\].jar ]; then
- ln -s /usr/share/java/commons-el.jar [commons-el].jar
- fi
- if [ ! -e /var/lib/tomcat5/common/lib/\[commons\-logging-api\].jar ]; then
- ln -s /usr/share/java/commons-logging-api.jar [commons-logging-api].jar
- fi
- if [ ! -e /var/lib/tomcat5/common/lib/\[commons\-pool\].jar ]; then
- ln -s /usr/share/java/commons-pool.jar [commons-pool].jar
- fi
- if [ ! -e /var/lib/tomcat5/common/lib/\[geronimo\]spec\-ejb\-2.1\-rc2.jar ]; then
- ln -s /usr/share/java/geronimo/spec-ejb-2.1-rc2.jar [geronimo]spec-ejb-2.1-rc2.jar
- fi
- if [ ! -e /var/lib/tomcat5/common/lib/\[geronimo\]spec\-ejb\-2.1.jar ]; then
- ln -s /usr/share/java/geronimo/spec-ejb-2.1.jar [geronimo]spec-ejb-2.1.jar
- fi
- if [ ! -e /var/lib/tomcat5/common/lib/\[geronimo\]spec\-j2ee\-1.4\-rc2.jar ]; then
- ln -s /usr/share/java/geronimo/spec-j2ee-1.4-rc2.jar [geronimo]spec-j2ee-1.4-rc2.jar
- fi
- if [ ! -e /var/lib/tomcat5/common/lib/\[geronimo\]spec\-j2ee\-1.4.jar ]; then
- ln -s /usr/share/java/geronimo/spec-j2ee-1.4.jar [geronimo]spec-j2ee-1.4.jar
- fi
- if [ ! -e /var/lib/tomcat5/common/lib/\[geronimo\]spec\-j2ee\-connector\-1.5\-rc2.jar ]; then
- ln -s /usr/share/java/geronimo/spec-j2ee-connector-1.5-rc2.jar [geronimo]spec-j2ee-connector-1.5-rc2.jar
- fi
- if [ ! -e /var/lib/tomcat5/common/lib/\[geronimo\]spec\-j2ee\-connector\-1.5.jar ]; then
- ln -s /usr/share/java/geronimo/spec-j2ee-connector-1.5.jar [geronimo]spec-j2ee-connector-1.5.jar
- fi
- if [ ! -e /var/lib/tomcat5/common/lib/\[geronimo\]spec\-j2ee\-deployment\-1.1\-rc2.jar ]; then
- ln -s /usr/share/java/geronimo/spec-j2ee-deployment-1.1-rc2.jar [geronimo]spec-j2ee-deployment-1.1-rc2.jar
- fi
- if [ ! -e /var/lib/tomcat5/common/lib/\[geronimo\]spec\-j2ee\-deployment\-1.1.jar ]; then
- ln -s /usr/share/java/geronimo/spec-j2ee-deployment-1.1.jar [geronimo]spec-j2ee-deployment-1.1.jar
- fi
- if [ ! -e /var/lib/tomcat5/common/lib/\[geronimo\]spec\-j2ee\-jacc\-1.0\-rc2.jar ]; then
- ln -s /usr/share/java/geronimo/spec-j2ee-jacc-1.0-rc2.jar [geronimo]spec-j2ee-jacc-1.0-rc2.jar
- fi
- if [ ! -e /var/lib/tomcat5/common/lib/\[geronimo\]spec\-j2ee\-jacc\-1.0.jar ]; then
- ln -s /usr/share/java/geronimo/spec-j2ee-jacc-1.0.jar [geronimo]spec-j2ee-jacc-1.0.jar
- fi
- if [ ! -e /var/lib/tomcat5/common/lib/\[geronimo\]spec\-j2ee\-management\-1.0\-rc2.jar ]; then
- ln -s /usr/share/java/geronimo/spec-j2ee-management-1.0-rc2.jar [geronimo]spec-j2ee-management-1.0-rc2.jar
- fi
- if [ ! -e /var/lib/tomcat5/common/lib/\[geronimo\]spec\-j2ee\-management\-1.0.jar ]; then
- ln -s /usr/share/java/geronimo/spec-j2ee-management-1.0.jar [geronimo]spec-j2ee-management-1.0.jar
- fi
- if [ ! -e /var/lib/tomcat5/common/lib/\[geronimo\]spec\-j2eeschema\-1.0\-M2.jar ]; then
- ln -s /usr/share/java/geronimo/spec-j2eeschema-1.0-M2.jar [geronimo]spec-j2eeschema-1.0-M2.jar
- fi
- if [ ! -e /var/lib/tomcat5/common/lib/\[geronimo\]spec\-j2eeschema\-1.0.jar ]; then
- ln -s /usr/share/java/geronimo/spec-j2eeschema-1.0.jar [geronimo]spec-j2eeschema-1.0.jar
- fi
- if [ ! -e /var/lib/tomcat5/common/lib/\[geronimo\]spec\-jms\-1.1\-rc2.jar ]; then
- ln -s /usr/share/java/geronimo/spec-jms-1.1-rc2.jar [geronimo]spec-jms-1.1-rc2.jar
- fi
- if [ ! -e /var/lib/tomcat5/common/lib/\[geronimo\]spec\-jms\-1.1.jar ]; then
- ln -s /usr/share/java/geronimo/spec-jms-1.1.jar [geronimo]spec-jms-1.1.jar
- fi
- if [ ! -e /var/lib/tomcat5/common/lib/\[geronimo\]spec\-jsp\-2.0\-rc2.jar ]; then
- ln -s /usr/share/java/geronimo/spec-jsp-2.0-rc2.jar [geronimo]spec-jsp-2.0-rc2.jar
- fi
- if [ ! -e /var/lib/tomcat5/common/lib/\[geronimo\]spec\-jsp\-2.0.jar ]; then
- ln -s /usr/share/java/geronimo/spec-jsp-2.0.jar [geronimo]spec-jsp-2.0.jar
- fi
- if [ ! -e /var/lib/tomcat5/common/lib/\[geronimo\]spec-jta-1.0.1B-rc2.jar ]; then
- ln -s /usr/share/java/geronimo/spec-jta-1.0.1B-rc2.jar [geronimo]spec-jta-1.0.1B-rc2.jar
- fi
- if [ ! -e /var/lib/tomcat5/common/lib/\[geronimo\]spec\-jta\-1.0.1B.jar ]; then
- ln -s /usr/share/java/geronimo/spec-jta-1.0.1B.jar [geronimo]spec-jta-1.0.1B.jar
- fi
- if [ ! -e /var/lib/tomcat5/common/lib/\[geronimo\]spec\-servlet\-2.4\-rc2.jar ]; then
- ln -s /usr/share/java/geronimo/spec-servlet-2.4-rc2.jar [geronimo]spec-servlet-2.4-rc2.jar
- fi
- if [ ! -e /var/lib/tomcat5/common/lib/\[geronimo\]spec\-servlet\-2.4.jar ]; then
- ln -s /usr/share/java/geronimo/spec-servlet-2.4.jar [geronimo]spec-servlet-2.4.jar
- fi
- if [ ! -e /var/lib/tomcat5/common/lib/\[jaf\].jar ]; then
- ln -s /usr/share/java/jaf.jar [jaf].jar
- fi
-
- ### BEGIN SOLARIS-SPECIFIC LINKS
- ### if [ ! -e /var/lib/tomcat5/common/lib/\[jakarta\-commons\-collections.jar\] ]; then
- ### ln -s /usr/share/java/jakarta-commons-collections.jar [jakarta-commons-collections.jar]
- ### fi
- ### if [ ! -e /var/lib/tomcat5/common/lib/\[jakarta\-commons\-modeler.jar\] ]; then
- ### ln -s /usr/share/java/jakarta-commons-modeler.jar [jakarta-commons-modeler.jar]
- ### fi
- ### END SOLARIS-SPECIFIC LINKS
-
- ### if [ ! -e /var/lib/tomcat5/common/lib/\[jasper5\-compiler\].jar ]; then
- ### ln -s /usr/share/java/jasper5-compiler.jar [jasper5-compiler].jar
- ### fi
- ### if [ ! -e /var/lib/tomcat5/common/lib/\[jasper5\-runtime\].jar ]; then
- ### ln -s /usr/share/java/jasper5-runtime.jar [jasper5-runtime].jar
- ### fi
-
- if [ ! -e /var/lib/tomcat5/common/lib/\[javamail\]imap\-1.3.1.jar ]; then
- ln -s /usr/share/java/javamail/imap-1.3.1.jar [javamail]imap-1.3.1.jar
- fi
- if [ ! -e /var/lib/tomcat5/common/lib/\[javamail\]imap.jar ]; then
- ln -s /usr/share/java/javamail/imap.jar [javamail]imap.jar
- fi
- if [ ! -e /var/lib/tomcat5/common/lib/\[javamail\]mailapi\-1.3.1.jar ]; then
- ln -s /usr/share/java/javamail/mailapi-1.3.1.jar [javamail]mailapi-1.3.1.jar
- fi
- if [ ! -e /var/lib/tomcat5/common/lib/\[javamail\]mailapi.jar ]; then
- ln -s /usr/share/java/javamail/mailapi.jar [javamail]mailapi.jar
- fi
- if [ ! -e /var/lib/tomcat5/common/lib/\[javamail\]nntp\-1.3.1.jar ]; then
- ln -s /usr/share/java/javamail/nntp-1.3.1.jar [javamail]nntp-1.3.1.jar
- fi
- if [ ! -e /var/lib/tomcat5/common/lib/\[javamail\]nntp.jar ]; then
- ln -s /usr/share/java/javamail/nntp.jar [javamail]nntp.jar
- fi
- if [ ! -e /var/lib/tomcat5/common/lib/\[javamail\]pop3\-1.3.1.jar ]; then
- ln -s /usr/share/java/javamail/pop3-1.3.1.jar [javamail]pop3-1.3.1.jar
- fi
- if [ ! -e /var/lib/tomcat5/common/lib/\[javamail\]pop3.jar ]; then
- ln -s /usr/share/java/javamail/pop3.jar [javamail]pop3.jar
- fi
- if [ ! -e /var/lib/tomcat5/common/lib/\[javamail\]providers\-1.3.1.jar ]; then
- ln -s /usr/share/java/javamail/providers-1.3.1.jar [javamail]providers-1.3.1.jar
- fi
- if [ ! -e /var/lib/tomcat5/common/lib/\[javamail\]providers.jar ]; then
- ln -s /usr/share/java/javamail/providers.jar [javamail]providers.jar
- fi
- if [ ! -e /var/lib/tomcat5/common/lib/\[javamail\]smtp\-1.3.1.jar ]; then
- ln -s /usr/share/java/javamail/smtp-1.3.1.jar [javamail]smtp-1.3.1.jar
- fi
- if [ ! -e /var/lib/tomcat5/common/lib/\[javamail\]smtp.jar ]; then
- ln -s /usr/share/java/javamail/smtp.jar [javamail]smtp.jar
- fi
-
- ### BEGIN LINUX-SPECIFIC LINKS
- ### if [ ! -e /var/lib/tomcat5/common/lib/\[jdtCompilerAdapter\].jar ]; then
- ### ln -s /usr/share/java/jdtCompilerAdapter.jar [jdtCompilerAdapter].jar
- ### fi
- ### if [ ! -e /var/lib/tomcat5/common/lib/\[jdtcore\].jar ]; then
- ### ln -s /usr/share/java/jdtcore.jar [jdtcore].jar
- ### fi
- ### if [ ! -e /var/lib/tomcat5/common/lib/\[jsp\].jar ]; then
- ### ln -s /usr/share/java/jsp.jar [jsp].jar
- ### fi
- ### END LINUX-SPECIFIC LINKS
-
- if [ ! -e /var/lib/tomcat5/common/lib/\[mx4j\]\[mx4j\].jar ]; then
- ln -s /usr/share/java/mx4j/mx4j.jar [mx4j][mx4j].jar
- fi
-
- ### BEGIN LINUX-SPECIFIC LINKS
- ### if [ ! -e /var/lib/tomcat5/common/lib/\[servlet\].jar ]; then
- ### ln -s /usr/share/java/servlet.jar [servlet].jar
- ### fi
- ### END LINUX-SPECIFIC LINKS
-
- ### BEGIN LINUX-SPECIFIC FILE BUT SOLARIS-SPECIFIC LINK
- if [ ! -e /var/lib/tomcat5/common/lib/avalon\-logkit.jar ]; then
- ln -s /usr/share/java/avalon-logkit.jar avalon-logkit.jar
- fi
- ### END LINUX-SPECIFIC FILE BUT SOLARIS-SPECIFIC LINK
-
- ### if [ ! -e /var/lib/tomcat5/common/lib/cmsutil.jar ]; then
- ### ln -s /usr/share/java/rphki/cmsutil.jar cmsutil.jar
- ### fi
-
- ### BEGIN LINUX-SPECIFIC FILE BUT SOLARIS-SPECIFIC LINK
- if [ ! -e /var/lib/tomcat5/common/lib/commons\-logging.jar ]; then
- ln -s /usr/share/java/commons-logging.jar commons-logging.jar
- fi
- ### END LINUX-SPECIFIC FILE BUT SOLARIS-SPECIFIC LINK
-
- ### if [ ! -e /var/lib/tomcat5/common/lib/jss4.jar ]; then
- ### if [ "$ARCHITECTURE" = "sparc" ] ; then
- ### ln -s /usr/lib/java/dirsec/jss4.jar jss4.jar
- ### elif [ "$ARCHITECTURE" = "sparcv9" ] ; then
- ### ln -s /usr/lib/sparcv9/java/dirsec/jss4.jar jss4.jar
- ### fi
- ### fi
- ### if [ ! -e /var/lib/tomcat5/common/lib/ldapjdk.jar ]; then
- ### ln -s /usr/share/java/ldapjdk.jar ldapjdk.jar
- ### fi
-
- ### naming-factory.jar
- ### naming-resources.jar
-
- ### if [ ! -e /var/lib/tomcat5/common/lib/nsutil.jar ]; then
- ### ln -s /usr/share/java/pki/nsutil.jar nsutil.jar
- ### fi
- ### if [ ! -e /var/lib/tomcat5/common/lib/osutil.jar ]; then
- ### if [ "$ARCHITECTURE" = "sparc" ] ; then
- ### ln -s /usr/lib/java/osutil.jar osutil.jar
- ### elif [ "$ARCHITECTURE" = "sparcv9" ] ; then
- ### ln -s /usr/lib/sparcv9/java/osutil.jar osutil.jar
- ### fi
- ### fi
- ### if [ ! -e /var/lib/tomcat5/common/lib/rhino.jar ]; then
- ### ln -s /usr/share/java/rhino.jar rhino.jar
- ### fi
-
- ### BEGIN SOLARIS-SPECIFIC LINKS
- ### if [ ! -e /var/lib/tomcat5/common/lib/\[servletapi5.jar\] ]; then
- ### ln -s /usr/share/java/servletapi5.jar [servletapi5.jar]
- ### fi
- ### END SOLARIS-SPECIFIC LINKS
-
- ### if [ ! -e /var/lib/tomcat5/common/lib/symkey.jar ]; then
- ### if [ "$ARCHITECTURE" = "sparc" ] ; then
- ### ln -s /usr/lib/java/symkey.jar symkey.jar
- ### elif [ "$ARCHITECTURE" = "sparcv9" ] ; then
- ### ln -s /usr/lib/sparcv9/java/symkey.jar symkey.jar
- ### fi
- ### fi
- ### if [ ! -e /var/lib/tomcat5/common/lib/velocity.jar ]; then
- ### ln -s /usr/share/java/velocity.jar velocity.jar
- ### fi
- ### if [ ! -e /var/lib/tomcat5/common/lib/xalan\-j2.jar ]; then
- ### ln -s /usr/share/java/xalan-j2.jar xalan-j2.jar
- ### fi
-
- if [ ! -e /var/lib/tomcat5/common/lib/xerces\-j2\-2.6.2.jar ]; then
- ln -s /usr/share/java/xerces-j2-2.6.2.jar xerces-j2-2.6.2.jar
- fi
-
- ### if [ ! -e /var/lib/tomcat5/common/lib/xerces\-j2.jar ]; then
- ### ln -s /usr/share/java/xerces-j2.jar xerces-j2.jar
- ### fi
+. /etc/init.d/functions
-
- #######################################
- ## /var/lib/tomcat5/common/endorsed:
- #######################################
-
- # Build the tomcat jar classpath . . .
- CLASSPATH="$CLASSPATH":/usr/share/java/xml-commons-apis.jar
-
- # BEGIN LINUX-SPECIFIC FILE
- # CLASSPATH="$CLASSPATH":/usr/share/java/jaxp_parser_impl.jar
- # END LINUX-SPECIFIC FILE
-
-
- # Relink tomcat jar repositories . . .
- cd /var/lib/tomcat5/common/endorsed
-
- ### BEGIN LINUX-SPECIFIC LINKS
- ### if [ ! -e /var/lib/tomcat5/common/endorsed/\[jaxp_parser_impl\].jar ]; then
- ### ln -s /usr/share/java/jaxp_parser_impl.jar [jaxp_parser_impl].jar
- ### fi
- ### END LINUX-SPECIFIC LINKS
-
- if [ ! -e /var/lib/tomcat5/common/endorsed/\[xml\-commons\-apis\].jar ]; then
- ln -s /usr/share/java/xml-commons-apis.jar [xml-commons-apis].jar
- fi
-
-
- #######################################
- ## /var/lib/tomcat5/server/lib:
- #######################################
-
- # Build the tomcat jar classpath . . .
- CLASSPATH="$CLASSPATH":/usr/share/java/catalina-ant5.jar
- CLASSPATH="$CLASSPATH":/usr/share/java/commons-beanutils.jar
- CLASSPATH="$CLASSPATH":/usr/share/java/commons-digester.jar
- CLASSPATH="$CLASSPATH":/usr/share/java/commons-el.jar
- CLASSPATH="$CLASSPATH":/usr/share/java/commons-fileupload.jar
- CLASSPATH="$CLASSPATH":/usr/share/java/commons-logging.jar
- CLASSPATH="$CLASSPATH":/usr/share/java/commons-modeler.jar
-
- # BEGIN LINUX-SPECIFIC FILE
- # CLASSPATH="$CLASSPATH":/usr/share/java/jdtCompilerAdapter.jar
- # CLASSPATH="$CLASSPATH":/usr/share/java/jdtcore.jar
- # END LINUX-SPECIFIC FILE
-
- CLASSPATH="$CLASSPATH":/usr/share/java/mx4j/mx4j.jar
- CLASSPATH="$CLASSPATH":/usr/share/java/mx4j/mx4j-impl.jar
- CLASSPATH="$CLASSPATH":/usr/share/java/mx4j/mx4j-jmx.jar
- CLASSPATH="$CLASSPATH":/usr/share/java/mx4j/mx4j-remote.jar
- CLASSPATH="$CLASSPATH":/usr/share/java/mx4j/mx4j-rimpl.jar
- CLASSPATH="$CLASSPATH":/usr/share/java/mx4j/mx4j-rjmx.jar
- CLASSPATH="$CLASSPATH":/usr/share/java/mx4j/mx4j-tools.jar
- CLASSPATH="$CLASSPATH":/usr/share/java/regexp.jar
- CLASSPATH="$CLASSPATH":/var/lib/tomcat5/server/lib/catalina-cluster.jar
- CLASSPATH="$CLASSPATH":/var/lib/tomcat5/server/lib/catalina-optional.jar
- CLASSPATH="$CLASSPATH":/var/lib/tomcat5/server/lib/catalina-storeconfig.jar
- CLASSPATH="$CLASSPATH":/var/lib/tomcat5/server/lib/catalina.jar
- if [ "$ARCHITECTURE" = "sparc" ] ; then
- CLASSPATH="$CLASSPATH":/usr/lib/java/dirsec/jss4.jar
- elif [ "$ARCHITECTURE" = "sparcv9" ] ; then
- CLASSPATH="$CLASSPATH":/usr/lib/sparcv9/java/dirsec/jss4.jar
- fi
- CLASSPATH="$CLASSPATH":/var/lib/tomcat5/server/lib/servlets-cgi.renametojar
- CLASSPATH="$CLASSPATH":/var/lib/tomcat5/server/lib/servlets-default.jar
- CLASSPATH="$CLASSPATH":/var/lib/tomcat5/server/lib/servlets-invoker.jar
- CLASSPATH="$CLASSPATH":/var/lib/tomcat5/server/lib/servlets-ssi.renametojar
- CLASSPATH="$CLASSPATH":/var/lib/tomcat5/server/lib/servlets-webdav.jar
- CLASSPATH="$CLASSPATH":/var/lib/tomcat5/server/lib/tomcat-ajp.jar
- CLASSPATH="$CLASSPATH":/var/lib/tomcat5/server/lib/tomcat-coyote.jar
- CLASSPATH="$CLASSPATH":/var/lib/tomcat5/server/lib/tomcat-http.jar
- CLASSPATH="$CLASSPATH":/var/lib/tomcat5/server/lib/tomcat-util.jar
- CLASSPATH="$CLASSPATH":/usr/share/java/tomcatjss.jar
-
-
- # Relink tomcat jar repositories . . .
- cd /var/lib/tomcat5/server/lib
-
- if [ ! -e /var/lib/tomcat5/server/lib/\[catalina\-ant5\].jar ]; then
- ln -s /usr/share/java/catalina-ant5.jar [catalina-ant5].jar
- fi
- if [ ! -e /var/lib/tomcat5/server/lib/\[commons\-beanutils\].jar ]; then
- ln -s /usr/share/java/commons-beanutils.jar [commons-beanutils].jar
- fi
- if [ ! -e /var/lib/tomcat5/server/lib/\[commons\-digester\].jar ]; then
- ln -s /usr/share/java/commons-digester.jar [commons-digester].jar
- fi
- if [ ! -e /var/lib/tomcat5/server/lib/\[commons\-el\].jar ]; then
- ln -s /usr/share/java/commons-el.jar [commons-el].jar
- fi
- if [ ! -e /var/lib/tomcat5/server/lib/\[commons\-fileupload\].jar ]; then
- ln -s /usr/share/java/commons-fileupload.jar [commons-fileupload].jar
- fi
- if [ ! -e /var/lib/tomcat5/server/lib/\[commons\-logging\].jar ]; then
- ln -s /usr/share/java/commons-logging.jar [commons-logging].jar
- fi
- if [ ! -e /var/lib/tomcat5/server/lib/\[commons\-modeler\].jar ]; then
- ln -s /usr/share/java/commons-modeler.jar [commons-modeler].jar
- fi
-
- ### BEGIN LINUX-SPECIFIC LINKS
- ### if [ ! -e /var/lib/tomcat5/server/lib/\[jdtCompilerAdapter\].jar ]; then
- ### ln -s /usr/share/java/jdtCompilerAdapter.jar [jdtCompilerAdapter].jar
- ### fi
- ### if [ ! -e /var/lib/tomcat5/server/lib/\[jdtcore\].jar ]; then
- ### ln -s /usr/share/java/jdtcore.jar [jdtcore].jar
- ### fi
- ### END LINUX-SPECIFIC LINKS
-
- if [ ! -e /var/lib/tomcat5/server/lib/\[mx4j\]\[mx4j\].jar ]; then
- ln -s /usr/share/java/mx4j/mx4j.jar [mx4j][mx4j].jar
- fi
- if [ ! -e /var/lib/tomcat5/server/lib/\[regexp\].jar ]; then
- ln -s /usr/share/java/regexp.jar [regexp].jar
- fi
-
- ### catalina-cluster.jar
- ### catalina-optional.jar
- ### catalina-storeconfig.jar
- ### catalina.jar
- ### if [ ! -e /var/lib/tomcat5/server/lib/jss4.jar ]; then
- ### if [ "$ARCHITECTURE" = "sparc" ] ; then
- ### ln -s /usr/lib/java/dirsec/jss4.jar jss4.jar
- ### elif [ "$ARCHITECTURE" = "sparcv9" ] ; then
- ### ln -s /usr/lib/sparcv9/java/dirsec/jss4.jar jss4.jar
- ### fi
- ### fi
- ### servlets-cgi.renametojar
- ### servlets-default.jar
- ### servlets-invoker.jar
- ### servlets-ssi.renametojar
- ### servlets-webdav.jar
- ### tomcat-ajp.jar
- ### tomcat-coyote.jar
- ### tomcat-http.jar
- ### tomcat-util.jar
- ### if [ ! -e /var/lib/tomcat5/server/lib/tomcatjss.jar ]; then
- ### ln -s /usr/share/java/tomcatjss.jar tomcatjss.jar
- ### fi
-
-
- #######################################
- ## /var/lib/tomcat5/shared/lib:
- #######################################
-
- # Build the tomcat jar classpath . . .
-
- export CLASSPATH
-
-
- # Relink tomcat jar repositories . . .
- cd /var/lib/tomcat5/shared/lib
- fi
-
- # daemon --user $TOMCAT_USER $TOMCAT_SCRIPT start
- if [ ${OS} = "SunOS" ] ; then
- su $TOMCAT_USER -c "$TOMCAT_SCRIPT start" > /dev/null
- else
- runuser -s /bin/bash $TOMCAT_USER -c "$TOMCAT_SCRIPT start" > /dev/null
- fi
-
- rv=$?
- if [ ${rv} = 0 ] ; then
- touch ${PKI_LOCKFILE}
- chown $TOMCAT_USER:$TOMCAT_GROUP $PKI_LOCKFILE
- chmod 00600 $PKI_LOCKFILE
- fi
-
- if [ ${rv} = 0 ] ; then
- count=0;
-
- let swait=$STARTUP_WAIT
- while [ ! -s ${pidfile} ] &&
- [ $count -lt $swait ]
- do
- echo -n "."
- sleep 1
- let count=$count+1;
- done
-
- if [ -f /etc/init.d/functions ]; then
- if [ "$CONSOLETYPE" = "serial" ]; then
- echo -n " "
- fi
- echo_success
- echo
- else
- echo " [ OK ]"
- fi
-
- get_pki_secure_port
- if [ $? -ne 0 ] ; then
- PKI_SECURE_PORT="<Port Undefined>"
- fi
-
- # Set permissions of log files
- pki_logs_directory=${PKI_INSTANCE_PATH}/logs
- pki_signedAudit="${pki_logs_directory}/signedAudit"
- for file in ${pki_logs_directory}/*; do
- if [ ! -d "${file}" ]; then
- chmod 00640 ${file}
- chgrp $TOMCAT_GROUP ${file}
- chown $TOMCAT_USER ${file}
- fi
- done
-
- # Set permissions of signedAudit log files
- # do not set the group id, this will be set by the sgid on the directory
- pki_signedAudit_files=`ls -1A ${pki_signedAudit} | wc -l`
- if [ ${pki_signedAudit_files} -gt 0 ]; then
- for file in ${pki_signedAudit}/*; do
- chmod 00640 ${file}
- chown $TOMCAT_USER ${file}
- done
- fi
-
- # ignore "status" return codes
- echo
- display_instance_status
- else
- if [ -f /etc/init.d/functions ]; then
- if [ "$CONSOLETYPE" = "serial" ]; then
- $0 echo -n " "
- fi
- echo_failure
- echo
- else
- echo " [ FAILED ]"
- fi
- fi
-
- sleep 5
- return ${rv}
-}
-
-stop_instance()
-{
- rv=0
-
- echo -n "Stopping $TOMCAT_PROG: "
-
- if [ -f ${PKI_LOCKFILE} ] ; then
- CATALINA_PID=${pidfile}
- export CATALINA_PID
-
- # daemon --user $TOMCAT_USER $TOMCAT_SCRIPT stop
- if [ ${OS} = "SunOS" ] ; then
- su $TOMCAT_USER -c "$TOMCAT_SCRIPT stop" > /dev/null
- else
- runuser -s /bin/bash $TOMCAT_USER -c "$TOMCAT_SCRIPT stop" > /dev/null
- fi
-
- rv=$?
-
- if [ ${rv} = 0 ]; then
- count=0;
-
- if [ -f ${pidfile} ]; then
- read kpid < ${pidfile}
- let kwait=$SHUTDOWN_WAIT
-
- until [ `ps -p $kpid | grep -c $kpid` = '0' ] ||
- [ $count -gt $kwait ]
- do
- echo -n "."
- sleep 1
- let count=$count+1;
- done
-
- if [ $count -gt $kwait ]; then
- kill -9 $kpid
- fi
- fi
-
- rm -f ${PKI_LOCKFILE}
- rm -f ${pidfile}
-
- if [ -f /etc/init.d/functions ]; then
- if [ "$CONSOLETYPE" = "serial" ]; then
- echo -n " "
- fi
- echo_success
- echo
- else
- echo " [ OK ]"
- fi
- else
- if [ -f /etc/init.d/functions ]; then
- if [ "$CONSOLETYPE" = "serial" ]; then
- echo -n " "
- fi
- echo_failure
- echo
- else
- echo " [ FAILED ]"
- fi
- rv=${default_error}
- fi
- else
- echo
- echo "process already stopped"
- rv=0
- fi
-
- return ${rv}
-}
-
-start()
-{
- # From "http://fedoraproject.org/wiki/FCNewInit/Initscripts":
- #
- # * 0 action was successful
- # * 1 generic or unspecified error (current practice)
- # * 2 invalid or excess argument(s)
- # * 3 unimplemented feature (for example, "reload")
- # * 4 user had insufficient privilege
- # * 5 program is not installed
- # * 6 program is not configured
- # * 7 program is not running
- # * 8-99 reserved for future LSB use
- # * 100-149 reserved for distribution use
- # * 150-199 reserved for application use
- # * 200-254 reserved
- #
-
- error_rv=0
- rv=0
-
- if [ -n "${PKI_REGISTRY_ENTRIES}" ]; then
- config_errors=0
- errors=0
-
- if [ ${TOTAL_PKI_REGISTRY_ENTRIES} -gt 1 ] ; then
- echo "BEGIN STARTING '${PKI_TYPE}' INSTANCE(S):"
- fi
-
- # Start every PKI instance of this type that isn't already running
- for PKI_REGISTRY_ENTRY in ${PKI_REGISTRY_ENTRIES}; do
- # Source values associated with this particular PKI instance
- [ -f ${PKI_REGISTRY_ENTRY} ] &&
- . ${PKI_REGISTRY_ENTRY}
-
- pidfile=${PKI_PIDDIR}/${PKI_PIDFILE}
-
- [ ${TOTAL_PKI_REGISTRY_ENTRIES} -gt 1 ] && echo
-
- start_instance
-
- rv=$?
- if [ ${rv} = 6 ] ; then
- # Since at least ONE configuration error exists, then there
- # is at least ONE unconfigured instance from the PKI point
- # of view.
- #
- # However, it must still be considered that the
- # instance is "running" from the point of view of other
- # OS programs such as 'chkconfig'.
- #
- # Therefore, ignore non-zero return codes resulting
- # from configuration errors.
- #
-
- config_errors=`expr $config_errors + 1`
- rv=0
- elif [ ${rv} != 0 ] ; then
- errors=`expr $errors + 1`
- error_rv=${rv}
- fi
- done
-
- if [ ${TOTAL_PKI_REGISTRY_ENTRIES} -gt ${errors} ] ; then
- touch ${lockfile}
- chmod 00600 ${lockfile}
- fi
-
- # ONLY print a "WARNING" message if multiple
- # instances are being examined
- if [ ${TOTAL_PKI_REGISTRY_ENTRIES} -gt 1 ] ; then
- # NOTE: "bad" return code(s) OVERRIDE configuration errors!
- if [ ${errors} -eq 1 ]; then
- # Since only ONE error exists, return that "bad" error code.
- rv=${error_rv}
- elif [ ${errors} -gt 1 ]; then
- # Since MORE than ONE error exists, return an OVERALL status
- # of "1 generic or unspecified error (current practice)"
- rv=1
- fi
-
- if [ ${errors} -ge 1 ]; then
- echo
- echo -n "WARNING: "
- echo -n "${errors} of ${TOTAL_PKI_REGISTRY_ENTRIES} "
- echo -n "'${PKI_TYPE}' instances failed to start!"
- echo
- fi
-
- if [ ${TOTAL_UNCONFIGURED_PKI_ENTRIES} -ge 1 ]; then
- echo
- echo -n "WARNING: "
- echo -n "${TOTAL_UNCONFIGURED_PKI_ENTRIES} "
- echo -n "of ${TOTAL_PKI_REGISTRY_ENTRIES} "
- echo -n "'${PKI_TYPE}' instances MUST be configured!"
- echo
- fi
-
- echo
- echo "FINISHED STARTING '${PKI_TYPE}' INSTANCE(S)."
- fi
- else
- echo
- echo "ERROR: No '${PKI_TYPE}' instances installed!"
- rv=5
- fi
-
- return ${rv}
-}
-
-stop()
-{
- # From "http://fedoraproject.org/wiki/FCNewInit/Initscripts":
- #
- # * 0 action was successful
- # * 1 generic or unspecified error (current practice)
- # * 2 invalid or excess argument(s)
- # * 3 unimplemented feature (for example, "reload")
- # * 4 user had insufficient privilege
- # * 5 program is not installed
- # * 6 program is not configured
- # * 7 program is not running
- # * 8-99 reserved for future LSB use
- # * 100-149 reserved for distribution use
- # * 150-199 reserved for application use
- # * 200-254 reserved
- #
-
- error_rv=0
- rv=0
-
- if [ -n "${PKI_REGISTRY_ENTRIES}" ]; then
- errors=0
-
- if [ ${TOTAL_PKI_REGISTRY_ENTRIES} -gt 1 ] ; then
- echo "BEGIN SHUTTING DOWN '${PKI_TYPE}' INSTANCE(S):"
- fi
-
- # Shutdown every PKI instance of this type that is running
- for PKI_REGISTRY_ENTRY in ${PKI_REGISTRY_ENTRIES}; do
- # Source values associated with this particular PKI instance
- [ -f ${PKI_REGISTRY_ENTRY} ] &&
- . ${PKI_REGISTRY_ENTRY}
-
- pidfile=${PKI_PIDDIR}/${PKI_PIDFILE}
-
- [ ${TOTAL_PKI_REGISTRY_ENTRIES} -gt 1 ] && echo
-
- stop_instance
-
- rv=$?
- if [ ${rv} != 0 ] ; then
- errors=`expr $errors + 1`
- error_rv=${rv}
- fi
- done
-
- if [ ${errors} -eq 0 ] ; then
- rm -f ${lockfile}
- fi
-
- # ONLY print a "WARNING" message if multiple
- # instances are being examined
- if [ ${TOTAL_PKI_REGISTRY_ENTRIES} -gt 1 ] ; then
- if [ ${errors} -eq 1 ]; then
- # Since only ONE error exists, return that "bad" error code.
- rv=${error_rv}
- elif [ ${errors} -gt 1 ]; then
- # Since MORE than ONE error exists, return an OVERALL status
- # of "1 generic or unspecified error (current practice)"
- rv=1
- fi
-
- if [ ${errors} -ge 1 ]; then
- echo
- echo -n "WARNING: "
- echo -n "${errors} of ${TOTAL_PKI_REGISTRY_ENTRIES} "
- echo -n "'${PKI_TYPE}' instances were "
- echo -n "unsuccessfully stopped!"
- echo
- fi
-
- echo
- echo "FINISHED SHUTTING DOWN '${PKI_TYPE}' INSTANCE(S)."
- fi
- else
- echo
- echo "ERROR: No '${PKI_TYPE}' instances installed!"
- rv=5
- fi
-
- return ${rv}
-}
-
-restart()
-{
- # From "http://fedoraproject.org/wiki/FCNewInit/Initscripts":
- #
- # * 0 action was successful
- # * 1 generic or unspecified error (current practice)
- # * 2 invalid or excess argument(s)
- # * 3 unimplemented feature (for example, "reload")
- # * 4 user had insufficient privilege
- # * 5 program is not installed
- # * 6 program is not configured
- # * 7 program is not running
- # * 8-99 reserved for future LSB use
- # * 100-149 reserved for distribution use
- # * 150-199 reserved for application use
- # * 200-254 reserved
- #
-
- stop
- sleep 2
- echo
- echo "============================================================"
- echo
- start
-
- return $?
-}
-
-status()
-{
- # From "http://fedoraproject.org/wiki/FCNewInit/Initscripts":
- #
- # * 0 program is running or service is OK
- # * 1 program is dead and /var/run pid file exists
- # * 2 program is dead and /var/lock lock file exists
- # * 3 program is not running
- # * 4 program or service status is unknown
- # * 5-99 reserved for future LSB use
- # * 100-149 reserved for distribution use
- # * 150-199 reserved for application use
- # * 200-254 reserved
- #
-
- error_rv=0
- rv=0
-
- if [ -n "${PKI_REGISTRY_ENTRIES}" ]; then
- errors=0
-
- if [ ${TOTAL_PKI_REGISTRY_ENTRIES} -gt 1 ] ; then
- echo "REPORT STATUS OF '${PKI_TYPE}' INSTANCE(S):"
- fi
-
- # Obtain status of every PKI instance of this type
- for PKI_REGISTRY_ENTRY in ${PKI_REGISTRY_ENTRIES}; do
- # Source values associated with this particular PKI instance
- [ -f ${PKI_REGISTRY_ENTRY} ] &&
- . ${PKI_REGISTRY_ENTRY}
-
- pidfile=${PKI_PIDDIR}/${PKI_PIDFILE}
-
- [ ${TOTAL_PKI_REGISTRY_ENTRIES} -gt 1 ] && echo
-
- display_instance_status
-
- rv=$?
- if [ ${rv} -ne 0 ] ; then
- errors=`expr $errors + 1`
- error_rv=${rv}
- fi
- done
-
- # ONLY print a "WARNING" message if multiple
- # instances are being examined
- if [ ${TOTAL_PKI_REGISTRY_ENTRIES} -gt 1 ] ; then
- if [ ${errors} -eq 1 ]; then
- # Since only ONE error exists, return that "bad" error code.
- rv=${error_rv}
- elif [ ${errors} -gt 1 ]; then
- # Since MORE than ONE error exists, return an OVERALL status
- # of "4 - program or service status is unknown"
- rv=4
- fi
-
- if [ ${errors} -ge 1 ]; then
- echo
- echo -n "WARNING: "
- echo -n "${errors} of ${TOTAL_PKI_REGISTRY_ENTRIES} "
- echo -n "'${PKI_TYPE}' instances reported status failures!"
- echo
- fi
-
- if [ ${TOTAL_UNCONFIGURED_PKI_ENTRIES} -ge 1 ]; then
- echo
- echo -n "WARNING: "
- echo -n "${TOTAL_UNCONFIGURED_PKI_ENTRIES} "
- echo -n "of ${TOTAL_PKI_REGISTRY_ENTRIES} "
- echo -n "'${PKI_TYPE}' instances MUST be configured!"
- echo
- fi
-
- echo
- echo "FINISHED REPORTING STATUS OF '${PKI_TYPE}' INSTANCE(S)."
- fi
- else
- echo
- echo "ERROR: No '${PKI_TYPE}' instances installed!"
- rv=4
- fi
-
- return ${rv}
-}
+# Source the PKI function library
+. /usr/share/pki/scripts/functions
# See how we were called.
-case "${command}" in
- start|stop|restart|status)
- ${command}
- exit $?
- ;;
- condrestart|force-restart|try-restart)
- [ ! -f ${lockfile} ] || restart
- exit $?
- ;;
- reload)
- echo "The 'reload' action is an unimplemented feature."
- exit ${default_error}
- ;;
- *)
- # * 3 unimplemented feature (for example, "reload")
- # [invalid command - should never be reached]
- echo
- usage
- echo "where valid instance names include:"
- list_instances
- exit 3
- ;;
+case $command in
+ status)
+ registry_status
+ exit $?
+ ;;
+ start)
+ start
+ exit $?
+ ;;
+ restart)
+ restart
+ exit $?
+ ;;
+ stop)
+ stop
+ exit $?
+ ;;
+ condrestart|force-restart|try-restart)
+ [ ! -f ${lockfile} ] || restart
+ exit $?
+ ;;
+ reload)
+ echo "The 'reload' action is an unimplemented feature."
+ exit ${default_error}
+ ;;
+ *)
+ echo "unknown action ($command)"
+ usage
+ echo "where valid instance names include:"
+ list_instances
+ exit ${default_error}
+ ;;
esac
diff --git a/pki/base/ra/apache/apachectl b/pki/base/ra/apache/apachectl
deleted file mode 100755
index 7d9e24491..000000000
--- a/pki/base/ra/apache/apachectl
+++ /dev/null
@@ -1,184 +0,0 @@
-#!/bin/sh
-#
-# --- BEGIN COPYRIGHT BLOCK ---
-#
-# Copyright 2000-2004 The Apache Software Foundation
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-# (C) 2007 Red Hat, Inc.
-# All rights reserved.
-# --- END COPYRIGHT BLOCK ---
-#
-
-# Initialize environment variables
-LD_LIBRARY_PATH=[SYSTEM_USER_LIBRARIES]:[SYSTEM_LIBRARIES]:${LD_LIBRARY_PATH}
-LD_LIBRARY_PATH=[SECURITY_LIBRARIES]:${LD_LIBRARY_PATH}
-export LD_LIBRARY_PATH
-
-# see if httpd is linked with the openldap libraries - we need to override them
-OS=`uname -s`
-if [ $OS = "Linux" ]; then
- hasopenldap=0
-
- /usr/bin/ldd $httpd 2>&1 | grep libldap- > /dev/null 2>&1 && hasopenldap=1
-
- if [ $hasopenldap -eq 1 ] ; then
- LD_PRELOAD="[SYSTEM_USER_LIBRARIES]/libldap50.so"
- LD_PRELOAD="[SYSTEM_USER_LIBRARIES]/dirsec/libssl3.so ${LD_PRELOAD}"
- export LD_PRELOAD
- fi
-fi
-
-#
-# Apache control script designed to allow an easy command line interface
-# to controlling Apache. Written by Marc Slemko, 1997/08/23
-#
-# The exit codes returned are:
-# XXX this doc is no longer correct now that the interesting
-# XXX functions are handled by [INSTANCE_ID]
-# 0 - operation completed successfully
-# 1 -
-# 2 - usage error
-# 3 - [INSTANCE_ID] could not be started
-# 4 - [INSTANCE_ID] could not be stopped
-# 5 - [INSTANCE_ID] could not be started during a restart
-# 6 - [INSTANCE_ID] could not be restarted during a restart
-# 7 - [INSTANCE_ID] could not be restarted during a graceful restart
-# 8 - configuration syntax error
-#
-# When multiple arguments are given, only the error from the _last_
-# one is reported. Run "apachectl help" for usage info
-#
-ARGV="$@"
-#
-# |||||||||||||||||||| START CONFIGURATION SECTION ||||||||||||||||||||
-# -------------------- --------------------
-#
-
-#
-# a command that outputs a formatted text version of the HTML at the
-# url given on the command line. Designed for lynx, however other
-# programs may work.
-if [ -x /usr/bin/links ]; then
- LYNX="links -dump"
-elif [ -x /usr/bin/lynx ]; then
- LYNX="lynx -dump"
-else
- LYNX="none"
-fi
-
-#
-# the URL to your server's mod_status status page. If you do not
-# have one, then status and fullstatus will not work.
-STATUSURL="http://localhost:80/server-status"
-#
-# Set this variable to a command that increases the maximum
-# number of file descriptors allowed per child process. This is
-# critical for configurations that use many file descriptors,
-# such as mass vhosting, or a multithreaded server.
-ULIMIT_MAX_FILES="ulimit -S -n `ulimit -H -n`"
-
-########################################################################
-# This section contains modified content of "/etc/sysconfig/httpd" #
-########################################################################
-# Configuration file for the [INSTANCE_ID] service.
-
-#
-# The default processing model (MPM) is the process-based
-# 'prefork' model. A thread-based model, 'worker', is also
-# available, but does not work with some modules (such as PHP).
-# The service must be stopped before changing this variable.
-#
-HTTPD=/opt/fortitude/sbin/httpd.worker
-
-#
-# To pass additional options (for instance, -D definitions) to the
-# httpd binary at startup, set OPTIONS here.
-#
-OPTIONS="-f [HTTPD_CONF]"
-
-#
-# By default, the httpd process is started in the C locale; to
-# change the locale in which the server runs, the HTTPD_LANG
-# variable can be set.
-#
-HTTPD_LANG=C
-########################################################################
-# #
-########################################################################
-
-# Set the maximum number of file descriptors allowed per child process.
-if [ "x$ULIMIT_MAX_FILES" != "x" ] ; then
- $ULIMIT_MAX_FILES
-fi
-
-ERROR=0
-if [ "x$ARGV" = "x" ] ; then
- ARGV="-h"
-fi
-
-function checklynx() {
-if [ "$LYNX" = "none" ]; then
- echo "The 'links' package is required for this functionality."
- exit 8
-fi
-}
-
-function testconfig() {
-# [INSTANCE_ID] is denied terminal access in SELinux, so run in the
-# current context to get stdout from $HTTPD -t.
-if test -x /usr/sbin/selinuxenabled && /usr/sbin/selinuxenabled; then
- runcon -- `id -Z` $HTTPD $OPTIONS -t
-else
- $HTTPD $OPTIONS -t
-fi
-ERROR=$?
-}
-
-case $ARGV in
-restart|graceful)
- if $HTTPD -t >&/dev/null; then
- $HTTPD $OPTIONS -k $ARGV
- ERROR=$?
- else
- echo "apachectl: Configuration syntax error, will not run \"$ARGV\":"
- testconfig
- fi
- ;;
-start|stop)
- $HTTPD $OPTIONS -k $ARGV
- ERROR=$?
- ;;
-startssl|sslstart|start-SSL)
- $HTTPD $OPTIONS -DSSL -k start
- ERROR=$?
- ;;
-configtest)
- testconfig
- ;;
-status)
- checklynx
- $LYNX $STATUSURL | awk ' /process$/ { print; exit } { print } '
- ;;
-fullstatus)
- checklynx
- $LYNX $STATUSURL
- ;;
-*)
- $HTTPD $OPTIONS $ARGV
- ERROR=$?
-esac
-
-exit $ERROR
-
diff --git a/pki/base/ra/apache/conf/httpd.conf b/pki/base/ra/apache/conf/httpd.conf
index 1312f0822..9f81b646d 100644
--- a/pki/base/ra/apache/conf/httpd.conf
+++ b/pki/base/ra/apache/conf/httpd.conf
@@ -78,7 +78,7 @@ ServerRoot "[SERVER_ROOT]"
# identification number when it starts.
#
<IfModule !mpm_netware.c>
-PidFile run/[INSTANCE_ID].pid
+PidFile run/[PKI_INSTANCE_ID].pid
</IfModule>
#
@@ -264,7 +264,7 @@ LoadModule cgi_module [FORTITUDE_LIB_DIR]/modules/mod_cgi.so
</Location>
#
-# Load config files from the config directory "/etc/[INSTANCE_ID]/conf.d".
+# Load config files from the config directory "/etc/[PKI_INSTANCE_ID]/conf.d".
#
#Include conf.d/*.conf
Include [SERVER_ROOT]/conf/perl.conf
@@ -291,10 +291,10 @@ Include [SERVER_ROOT]/conf/perl.conf
<IfModule !mpm_winnt.c>
<IfModule !mpm_netware.c>
#
-# If you wish [INSTANCE_ID] to run as a different user or group, you must run
-# [INSTANCE_ID] as root initially and it will switch.
+# If you wish [PKI_INSTANCE_ID] to run as a different user or group, you must run
+# [PKI_INSTANCE_ID] as root initially and it will switch.
#
-# User/Group: The name (or #number) of the user/group to run [INSTANCE_ID] as.
+# User/Group: The name (or #number) of the user/group to run [PKI_INSTANCE_ID] as.
# . On SCO (ODT 3) use "User nouser" and "Group nogroup".
# . On HPUX you may not be able to use shared memory as nobody, and the
# suggested workaround is to create a user www and use that user.
@@ -302,8 +302,8 @@ Include [SERVER_ROOT]/conf/perl.conf
# when the value of (unsigned)Group is above 60000;
# don't use Group #-1 on these systems!
#
-User [USERID]
-Group [GROUPID]
+User [PKI_USER]
+Group [PKI_GROUP]
#Group #-1
</IfModule>
</IfModule>
diff --git a/pki/base/ra/apache/conf/nss.conf b/pki/base/ra/apache/conf/nss.conf
index 668074e4c..a3e0621ab 100644
--- a/pki/base/ra/apache/conf/nss.conf
+++ b/pki/base/ra/apache/conf/nss.conf
@@ -100,7 +100,7 @@ NSSProtocol SSLv3,TLSv1
# SSL Certificate Nickname:
# The nickname of the server certificate you are going to use.
-NSSNickname "Server-Cert cert-[INSTANCE_ID]"
+NSSNickname "Server-Cert cert-[PKI_INSTANCE_ID]"
# Server Certificate Database:
# The NSS security database directory that holds the certificates and
@@ -195,7 +195,7 @@ NSSProtocol SSLv3,TLSv1
# SSL Certificate Nickname:
# The nickname of the server certificate you are going to use.
-NSSNickname "Server-Cert cert-[INSTANCE_ID]"
+NSSNickname "Server-Cert cert-[PKI_INSTANCE_ID]"
# Server Certificate Database:
# The NSS security database directory that holds the certificates and
diff --git a/pki/base/ra/build.xml b/pki/base/ra/build.xml
index 3a303fecc..a3a3a85a4 100644
--- a/pki/base/ra/build.xml
+++ b/pki/base/ra/build.xml
@@ -152,7 +152,12 @@
<include name="lib/**"/>
<include name="logs/**"/>
<include name="scripts/schema.sql"/>
- <include name="setup/config.desktop"/>
+ </zipfileset>
+ <zipfileset dir="./setup"
+ filemode="644"
+ prefix="usr/share/${product.prefix}/${product}/setup">
+ <include name="config.desktop"/>
+ <include name="registry_instance"/>
</zipfileset>
<zipfileset dir="./etc/init.d"
filemode="755"
@@ -204,7 +209,12 @@
<include name="lib/**"/>
<include name="logs/**"/>
<include name="scripts/schema.sql"/>
- <include name="setup/config.desktop"/>
+ </tarfileset>
+ <tarfileset dir="./setup"
+ mode="644"
+ prefix="${dist.name}/usr/share/${product.prefix}/${product}/setup">
+ <include name="config.desktop"/>
+ <include name="registry_instance"/>
</tarfileset>
<tarfileset dir="./etc/init.d"
mode="755"
diff --git a/pki/base/ra/doc/CS.cfg b/pki/base/ra/doc/CS.cfg
index 5f51a89d2..052d01f7e 100644
--- a/pki/base/ra/doc/CS.cfg
+++ b/pki/base/ra/doc/CS.cfg
@@ -16,15 +16,15 @@
# All rights reserved.
# --- END COPYRIGHT BLOCK ---
#
-pkicreate.pki_instance_root=[INSTANCE_ROOT]
-pkicreate.pki_instance_name=[INSTANCE_ID]
-pkicreate.subsystem_type=[SUBSYSTEM_TYPE]
+pkicreate.pki_instance_root=[PKI_INSTANCE_ROOT]
+pkicreate.pki_instance_name=[PKI_INSTANCE_ID]
+pkicreate.subsystem_type=[PKI_SUBSYSTEM_TYPE]
pkicreate.secure_port=[SECURE_PORT]
pkicreate.non_clientauth_secure_port=[NON_CLIENTAUTH_SECURE_PORT]
pkicreate.unsecure_port=[PORT]
-pkicreate.user=[USERID]
-pkicreate.group=[GROUPID]
-pkiremove.cert.subsystem.nickname=subsystemCert cert-[INSTANCE_ID]
+pkicreate.user=[PKI_USER]
+pkicreate.group=[PKI_GROUP]
+pkiremove.cert.subsystem.nickname=subsystemCert cert-[PKI_INSTANCE_ID]
request._000=#########################################
request._001=# Request Queue Parameters
request._002=#########################################
@@ -115,7 +115,7 @@ service.instanceDir=[SERVER_ROOT]
service.securePort=[SECURE_PORT]
service.non_clientauth_securePort=[NON_CLIENTAUTH_SECURE_PORT]
service.unsecurePort=[PORT]
-service.instanceID=[INSTANCE_ID]
+service.instanceID=[PKI_INSTANCE_ID]
logging._000=#########################################
logging._001=# RA configuration File
logging._002=#
@@ -212,22 +212,22 @@ preop.cert.list=sslserver,subsystem
preop.cert.sslserver.enable=true
preop.cert.subsystem.enable=true
preop.cert.sslserver.defaultSigningAlgorithm=SHA1withRSA
-preop.cert.sslserver.dn=CN=[SERVER_NAME], OU=[INSTANCE_ID]
+preop.cert.sslserver.dn=CN=[SERVER_NAME], OU=[PKI_INSTANCE_ID]
preop.cert.sslserver.keysize.customsize=2048
preop.cert.sslserver.keysize.size=2048
preop.cert.sslserver.keysize.select=custom
-preop.cert.sslserver.nickname=Server-Cert cert-[INSTANCE_ID]
+preop.cert.sslserver.nickname=Server-Cert cert-[PKI_INSTANCE_ID]
preop.cert.sslserver.profile=caInternalAuthServerCert
preop.cert.sslserver.subsystem=ra
preop.cert._003=#preop.cert.sslserver.type=local
preop.cert.sslserver.userfriendlyname=SSL Server Certificate
preop.cert._004=#preop.cert.sslserver.cncomponent.override=false
preop.cert.subsystem.defaultSigningAlgorithm=SHA1withRSA
-preop.cert.subsystem.dn=CN=RA Subsystem Certificate, OU=[INSTANCE_ID]
+preop.cert.subsystem.dn=CN=RA Subsystem Certificate, OU=[PKI_INSTANCE_ID]
preop.cert.subsystem.keysize.customsize=2048
preop.cert.subsystem.keysize.size=2048
preop.cert.subsystem.keysize.select=custom
-preop.cert.subsystem.nickname=subsystemCert cert-[INSTANCE_ID]
+preop.cert.subsystem.nickname=subsystemCert cert-[PKI_INSTANCE_ID]
preop.cert.subsystem.profile=caInternalAuthSubsystemCert
preop.cert.subsystem.subsystem=ra
preop.cert._005=#preop.cert.subsystem.type=local
diff --git a/pki/base/ra/etc/init.d/pki-rad b/pki/base/ra/etc/init.d/pki-rad
index f1e2e9dee..b8ac3a0ac 100755
--- a/pki/base/ra/etc/init.d/pki-rad
+++ b/pki/base/ra/etc/init.d/pki-rad
@@ -14,1402 +14,70 @@
# with this program; if not, write to the Free Software Foundation, Inc.,
# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
#
-# Copyright (C) 2007 Red Hat, Inc.
+# Copyright (C) 2007-2010 Red Hat, Inc.
# All rights reserved.
# --- END COPYRIGHT BLOCK ---
#
# pki-rad Startup script for the Apache HTTP pki-ra Server
#
# chkconfig: - 86 14
-# description: Registration Authority \
-# (Apache 2.2)
+# description: Registration Authority (Apache)
# processname: pki-rad
# piddir: /var/run/pki/ra
# config: ${PKI_SERVER_ROOT}/conf/httpd.conf
-PKI_INIT_SCRIPT=""
+PROG_NAME=`basename $0`
+SERVICE_NAME="pki-rad"
+SERVICE_PROG="/sbin/service"
PKI_PATH="/usr/share/pki/ra"
-PKI_PIDDIR="/var/run/pki/ra"
-PKI_PROCESS="pki-rad"
PKI_REGISTRY="/etc/sysconfig/pki/ra"
-PKI_SELINUX_TYPE="pki_ra_t"
PKI_TYPE="pki-ra"
-
-# PKI subsystem-level directory and file values for locks
-lockfile="/var/lock/subsys/pki-rad"
+PKI_TOTAL_PORTS=3
# Disallow 'others' the ability to 'write' to new files
umask 00002
-default_error=0
command="$1"
pki_instance="$2"
-case "${command}" in
- start|stop|restart|condrestart|force-restart|try-restart)
- # * 1 generic or unspecified error (current practice)
- default_error=1
- ;;
- reload)
- default_error=3
- ;;
- status)
- # * 4 program or service status is unknown
- default_error=4
- ;;
- *)
- # * 2 invalid argument(s)
- default_error=2
- ;;
-esac
-
-# Check to insure that this script's original invocation directory
-# has not been deleted!
-CWD=`/bin/pwd > /dev/null 2>&1`
-if [ $? -ne 0 ] ; then
- echo "Cannot invoke '$0' from non-existent directory!"
- exit ${default_error}
-fi
-
-# Check to insure that this script's associated PKI
-# subsystem currently resides on this system.
-if [ ! -d ${PKI_PATH} ] ; then
- echo "This machine is missing the '${PKI_TYPE}' subsystem!"
- if [ "${command}" != "status" ]; then
- # * 5 program is not installed
- exit 5
- else
- exit ${default_error}
- fi
-fi
-
-# Check to insure that this script's associated PKI
-# subsystem instance registry currently resides on this system.
-if [ ! -d ${PKI_REGISTRY} ] ; then
- echo "This machine contains no registered '${PKI_TYPE}' subsystem instances!"
- if [ "${command}" != "status" ]; then
- # * 5 program is not installed
- exit 5
- else
- exit ${default_error}
- fi
-fi
-
-# Obtain the operating system upon which this script is being executed
-# and initialize environment variables
-OS=`uname -s`
-ARCHITECTURE=""
-LD_LIBRARY_PATH=""
-
-# Time to wait in seconds, before killing process
-#
-# NOTE: Defined in "tomcat5.conf" for PKI Java/Tomcat Subsystems.
-#
-STARTUP_WAIT=30
-SHUTDOWN_WAIT=30
-
-# This script must be run as root!
-RV=0
-if [ ${OS} = "Linux" ] ; then
- PKI_INIT_SCRIPT="/sbin/service ${PKI_PROCESS}"
- if [ `id -u` -ne 0 ] ; then
- echo "Must be 'root' to execute '$0'!"
- if [ "${command}" != "status" ]; then
- # * 4 user had insufficient privilege
- exit 4
- else
- # * 4 program or service status is unknown
- exit 4
- fi
- fi
- ARCHITECTURE=`uname -i`
- if [ ${ARCHITECTURE} = "i386" ] ; then
- LD_LIBRARY_PATH="/usr/lib:/lib:${LD_LIBRARY_PATH}"
- elif [ ${ARCHITECTURE} = "x86_64" ] ; then
- LD_LIBRARY_PATH="/usr/lib64:/lib64:${LD_LIBRARY_PATH}"
- else
- echo "Unsupported architecture '${ARCHITECTURE}'!"
- exit ${default_error}
- fi
-elif [ ${OS} = "SunOS" ] ; then
- PKI_INIT_SCRIPT="/etc/init.d/${PKI_PROCESS}"
- if [ `/usr/xpg4/bin/id -u` -ne 0 ] ; then
- echo "Must be 'root' to execute '$0'!"
- if [ "${command}" != "status" ]; then
- # * 4 user had insufficient privilege
- exit 4
- else
- # * 4 program or service status is unknown
- exit 4
- fi
- fi
- ARCHITECTURE=`uname -p`
- if [ "${ARCHITECTURE}" = "sparc" ] &&
- [ -d "/usr/lib/sparcv9/" ] ; then
- ARCHITECTURE="sparcv9"
- fi
- if [ ${ARCHITECTURE} = "sparcv9" ] ; then
- LD_LIBRARY_PATH="/usr/lib/sparcv9:/lib/sparcv9:${LD_LIBRARY_PATH}"
- LD_LIBRARY_PATH="/usr/lib/sparcv9/dirsec:${LD_LIBRARY_PATH}"
- else
- echo "Unsupported architecture '${ARCHITECTURE}'!"
- exit ${default_error}
- fi
-else
- echo "Unsupported OS '${OS}'!"
- exit ${default_error}
-fi
-export LD_LIBRARY_PATH
# Source function library.
-if [ -f /etc/init.d/functions ]; then
- . /etc/init.d/functions
-else
- # The checkpid() function is provided for platforms that do not
- # contain the "/etc/init.d/functions" file (e. g. - Solaris) . . .
-
- # Check if ${pid} (could be plural) are running (keep count)
- checkpid()
- {
- rv=0
- for i in $* ; do
- ps -p $i > /dev/null 2>&1 ;
- if [ $? -ne 0 ] ; then
- rv=`expr $rv + 1`
- else
- rv=`expr $rv + 0`
- fi
- done
- # echo "rv=$rv"
- return $rv
- }
-
- # Create the following directories on platforms
- # where they do not exist (e. g. - Solaris) . . .
- if [ ! -d "/var/lock" ] ; then
- mkdir -p /var/lock
- chown root:sys /var/lock
- chmod 00755 /var/lock
- fi
- if [ ! -d "/var/lock/subsys" ] ; then
- mkdir -p /var/lock/subsys
- chown root:root /var/lock/subsys
- chmod 00755 /var/lock/subsys
- fi
-fi
-
-PKI_REGISTRY_ENTRIES=""
-TOTAL_PKI_REGISTRY_ENTRIES=0
-TOTAL_UNCONFIGURED_PKI_ENTRIES=0
-
-# Gather ALL registered instances of this PKI subsystem type
-for FILE in `/bin/ls -1 ${PKI_REGISTRY}/* 2>/dev/null`; do
- if [ -f "$FILE" ] ; then
- inst=`echo "$FILE"`
- PKI_REGISTRY_ENTRIES="${PKI_REGISTRY_ENTRIES} $inst"
- TOTAL_PKI_REGISTRY_ENTRIES=`expr ${TOTAL_PKI_REGISTRY_ENTRIES} + 1`
- fi
-done
-
-if [ -n "${pki_instance}" ]; then
- for I in ${PKI_REGISTRY_ENTRIES}; do
- if [ "${PKI_REGISTRY}/${pki_instance}" = "$I" ]; then
- PKI_REGISTRY_ENTRIES="${PKI_REGISTRY}/${pki_instance}"
- TOTAL_PKI_REGISTRY_ENTRIES=1
- break
- fi
- done
-fi
-
-usage()
-{
- echo -n "Usage: ${PKI_INIT_SCRIPT} "
- echo -n "{start"
- echo -n "|stop"
- echo -n "|restart"
- echo -n "|condrestart"
- echo -n "|force-restart"
- echo -n "|try-restart"
- echo -n "|reload"
- echo -n "|status} "
- echo -n "[instance-name]"
- echo
- echo
-}
-
-list_instances()
-{
- echo
- for FILE in `/bin/ls -1 ${PKI_REGISTRY}/* 2>/dev/null`; do
- echo " ${FILE}"
- done
- echo
-}
-
-# Check arguments
-if [ $# -lt 1 ] ; then
- # * 3 unimplemented feature (for example, "reload")
- # [insufficient arguments]
- echo "$0: Insufficient arguments!"
- echo
- usage
- echo "where valid instance names include:"
- list_instances
- exit 3
-elif [ ${default_error} -eq 2 ] ; then
- # * 2 invalid argument
- echo "$0: Invalid arguments!"
- echo
- usage
- echo "where valid instance names include:"
- list_instances
- exit 2
-elif [ $# -gt 2 ] ; then
- echo "$0: Excess arguments!"
- echo
- usage
- echo "where valid instance names include:"
- list_instances
- if [ "${command}" != "status" ]; then
- # * 2 excess arguments
- exit 2
- else
- # * 4 program or service status is unknown
- exit 4
- fi
-fi
-
-# If an "instance" was supplied, check that it is a "valid" instance
-if [ -n "${pki_instance}" ]; then
- if [ "${PKI_REGISTRY}/${pki_instance}" != "${PKI_REGISTRY_ENTRIES}" ]; then
- echo -n "${pki_instance} is an invalid '${PKI_TYPE}' instance"
- echo_failure
- echo
- if [ "${command}" != "status" ]; then
- # * 5 program is not installed
- exit 5
- else
- # * 4 program or service status is unknown
- exit 4
- fi
- fi
-fi
-
-# On Solaris /var/run is in tmpfs and gets wiped out upon reboot
-# we have to recreate the ${PKI_PIDDIR} directory and make sure that
-# the directory is writable by the ${PKI_TYPE} server process.
-#
-# IMPORTANT: ALL PKI subsystems installed on this machine MUST utilize
-# the SAME values for ${PKI_GROUP} and ${PKI_USER}, since the
-# "${PKI_PIDDIR}" will end up with the ownership permissions
-# of the first instance that executes this function!
-#
-fix_pid_dir_ownership()
-{
- if [ ! -d ${PKI_PIDDIR} ] ; then
- mkdir -p ${PKI_PIDDIR}
-
- chown root:root /var/run/pki
- chmod 00755 /var/run/pki
-
- chown root:root ${PKI_PIDDIR}
- chmod 00755 ${PKI_PIDDIR}
- fi
-}
-
-check_pki_configuration_status()
-{
- rv=0
-
- rv=`grep -c ^preop ${pki_instance_configuration_file}`
-
- rv=`expr ${rv} + 0`
-
- if [ ${rv} -ne 0 ] ; then
- echo " '${PKI_INSTANCE_ID}' must still be CONFIGURED!"
- echo " (see /var/log/${PKI_INSTANCE_ID}-install.log)"
- if [ "${command}" != "status" ]; then
- # * 6 program is not configured
- rv=6
- else
- # * 4 program or service status is unknown
- rv=4
- fi
- TOTAL_UNCONFIGURED_PKI_ENTRIES=`expr ${TOTAL_UNCONFIGURED_PKI_ENTRIES} + 1`
- elif [ -f ${RESTART_SERVER} ] ; then
- echo -n " Although '${PKI_INSTANCE_ID}' has been CONFIGURED, "
- echo -n "it must still be RESTARTED!"
- echo
- if [ "${command}" != "status" ]; then
- # * 1 generic or unspecified error (current practice)
- rv=1
- else
- # * 4 program or service status is unknown
- rv=4
- fi
- fi
-
- return ${rv}
-}
-
-get_pki_status_definitions()
-{
- # establish well-known strings
- listen_statement="Listen"
- total_ports=0
- UNSECURE_PORT=""
- CLIENTAUTH_PORT=""
- NON_CLIENTAUTH_PORT=""
-
- # check to see that an instance-specific "httpd.conf" file exists
- if [ ! -f ${PKI_HTTPD_CONF} ] ; then
- echo "File '${PKI_HTTPD_CONF}' does not exist!"
- exit ${default_error}
- fi
-
- # check to see that an instance-specific "nss.conf" file exists
- if [ ! -f ${PKI_NSS_CONF} ] ; then
- echo "File '${PKI_NSS_CONF}' does not exist!"
- exit ${default_error}
- fi
-
- # read this instance-specific "httpd.conf" file line-by-line
- # to obtain the current value of the PKI unsecure port
-
- exec < ${PKI_HTTPD_CONF}
- while read line; do
- # look for the listen statement
- head=`echo $line | cut -b1-6`
- if [ "$head" == "$listen_statement" ] ; then
- # once the 'unsecure' listen statement has been found,
- # extract the numeric port information
- port=`echo $line | cut -b8-`
- UNSECURE_PORT=$port
- echo " Unsecure Port = http://${PKI_SERVER_NAME}:${UNSECURE_PORT}"
- total_ports=`expr ${total_ports} + 1`
- break;
- fi
- done
-
- # read this instance-specific "nss.conf" file line-by-line
- # to obtain the current value of the "clientauth" PKI secure port
- # AND the current value of the "non-clientauth" PKI secure port
-
- exec < ${PKI_NSS_CONF}
- while read line; do
- # look for the listen statement
- head=`echo $line | cut -b1-6`
- if [ "$head" == "$listen_statement" ] &&
- [ ${total_ports} -eq 2 ] ; then
- # once the 'non-clientauth' listen statement has been found,
- # extract the numeric port information
- non_clientauth_port=`echo $line | cut -b8-`
- NON_CLIENTAUTH_PORT=$non_clientauth_port
- echo " Secure Non-Clientauth Port = https://${PKI_SERVER_NAME}:${NON_CLIENTAUTH_PORT}"
- total_ports=`expr ${total_ports} + 1`
- break
- fi
- if [ "$head" == "$listen_statement" ] &&
- [ ${total_ports} -eq 1 ] ; then
- # once the 'clientauth' listen statement has been found,
- # extract the numeric port information
- clientauth_port=`echo $line | cut -b8-`
- CLIENTAUTH_PORT=$clientauth_port
- echo " Secure Clientauth Port = https://${PKI_SERVER_NAME}:${CLIENTAUTH_PORT}"
- total_ports=`expr ${total_ports} + 1`
- fi
- done
-
- if [ ${total_ports} -eq 3 ] ; then
- return 0
- else
- return ${default_error}
- fi
-}
-
-get_pki_configuration_definitions()
-{
- # Obtain the PKI Subsystem Type
- line=`grep ^cs.type= ${pki_instance_configuration_file}`
- pki_subsystem=`echo "${line}" | cut -b9-`
- if [ "${line}" != "" ] ; then
- if [ "${pki_subsystem}" != "CA" ] &&
- [ "${pki_subsystem}" != "KRA" ] &&
- [ "${pki_subsystem}" != "OCSP" ] &&
- [ "${pki_subsystem}" != "TKS" ] &&
- [ "${pki_subsystem}" != "RA" ] &&
- [ "${pki_subsystem}" != "TPS" ]
- then
- return ${default_error}
- fi
- if [ "${pki_subsystem}" == "KRA" ] ; then
- # Rename "KRA" to "DRM"
- pki_subsystem="DRM"
- fi
- else
- return ${default_error}
- fi
-
- # If "${pki_subsystem}" is a CA, DRM, OCSP, or TKS,
- # check to see if "${pki_subsystem}" is a "Clone"
- pki_clone=""
- if [ "${pki_subsystem}" == "CA" ] ||
- [ "${pki_subsystem}" == "DRM" ] ||
- [ "${pki_subsystem}" == "OCSP" ] ||
- [ "${pki_subsystem}" == "TKS" ]
- then
- line=`grep ^subsystem.select= ${pki_instance_configuration_file}`
- if [ "${line}" != "" ] ; then
- pki_clone=`echo "${line}" | cut -b18-`
- if [ "${pki_clone}" != "Clone" ] ; then
- # Reset "${pki_clone}" to be empty
- pki_clone=""
- fi
- else
- return ${default_error}
- fi
- fi
-
- # If "${pki_subsystem}" is a CA, and is NOT a "Clone", check to
- # see "${pki_subsystem}" is a "Root" or a "Subordinate" CA
- pki_hierarchy=""
- if [ "${pki_subsystem}" == "CA" ] &&
- [ "${pki_clone}" != "Clone" ]
- then
- line=`grep ^hierarchy.select= ${pki_instance_configuration_file}`
- if [ "${line}" != "" ] ; then
- pki_hierarchy=`echo "${line}" | cut -b18-`
- else
- return ${default_error}
- fi
- fi
-
- # If ${pki_subsystem} is a CA, check to
- # see if it is also a Security Domain
- pki_security_domain=""
- if [ "${pki_subsystem}" == "CA" ] ; then
- line=`grep ^securitydomain.select= ${pki_instance_configuration_file}`
- if [ "${line}" != "" ] ; then
- pki_security_domain=`echo "${line}" | cut -b23-`
- if [ "${pki_security_domain}" == "new" ] ; then
- # Set a fixed value for "${pki_security_domain}"
- pki_security_domain="(Security Domain)"
- else
- # Reset "${pki_security_domain}" to be empty
- pki_security_domain=""
- fi
- else
- return ${default_error}
- fi
- fi
-
- # Always obtain this PKI instance's "registered"
- # security domain information
- pki_security_domain_name=""
- pki_security_domain_hostname=""
- pki_security_domain_https_admin_port=""
-
- line=`grep ^securitydomain.name= ${pki_instance_configuration_file}`
- if [ "${line}" != "" ] ; then
- pki_security_domain_name=`echo "${line}" | cut -b21-`
- else
- return ${default_error}
- fi
-
- line=`grep ^securitydomain.host= ${pki_instance_configuration_file}`
- if [ "${line}" != "" ] ; then
- pki_security_domain_hostname=`echo "${line}" | cut -b21-`
- else
- return ${default_error}
- fi
-
- line=`grep ^securitydomain.httpsadminport= ${pki_instance_configuration_file}`
- if [ "${line}" != "" ] ; then
- pki_security_domain_https_admin_port=`echo "${line}" | cut -b31-`
- else
- return ${default_error}
- fi
-
- # Compose the "PKI Instance Name" Status Line
- pki_instance_name="PKI Instance Name: ${PKI_INSTANCE_ID}"
-
- # Compose the "PKI Subsystem Type" Status Line
- header="PKI Subsystem Type: "
- if [ "${pki_clone}" != "" ] ; then
- if [ "${pki_security_domain}" != "" ]; then
- # Possible Values:
- #
- # "CA Clone (Security Domain)"
- #
- data="${pki_subsystem} ${pki_clone} ${pki_security_domain}"
- else
- # Possible Values:
- #
- # "CA Clone"
- # "DRM Clone"
- # "OCSP Clone"
- # "TKS Clone"
- #
- data="${pki_subsystem} ${pki_clone}"
- fi
- elif [ "${pki_hierarchy}" != "" ] ; then
- if [ "${pki_security_domain}" != "" ]; then
- # Possible Values:
- #
- # "Root CA (Security Domain)"
- # "Subordinate CA (Security Domain)"
- #
- data="${pki_hierarchy} ${pki_subsystem} ${pki_security_domain}"
- else
- # Possible Values:
- #
- # "Root CA"
- # "Subordinate CA"
- #
- data="${pki_hierarchy} ${pki_subsystem}"
- fi
- else
- # Possible Values:
- #
- # "DRM"
- # "OCSP"
- # "RA"
- # "TKS"
- # "TPS"
- #
- data="${pki_subsystem}"
- fi
- pki_subsystem_type="${header} ${data}"
-
- # Compose the "Registered PKI Security Domain Information" Status Line
- header="Name: "
- registered_pki_security_domain_name="${header} ${pki_security_domain_name}"
-
- header="URL: "
- if [ "${pki_security_domain_hostname}" != "" ] &&
- [ "${pki_security_domain_https_admin_port}" != "" ]
- then
- data="https://${pki_security_domain_hostname}:${pki_security_domain_https_admin_port}"
- else
- return ${default_error}
- fi
- registered_pki_security_domain_url="${header} ${data}"
-
- # Print the "PKI Subsystem Type" Status Line
- echo
- echo " ${pki_instance_name}"
-
- # Print the "PKI Subsystem Type" Status Line
- echo
- echo " ${pki_subsystem_type}"
-
- # Print the "Registered PKI Security Domain Information" Status Line
- echo
- echo " Registered PKI Security Domain Information:"
- echo " =========================================================================="
- echo " ${registered_pki_security_domain_name}"
- echo " ${registered_pki_security_domain_url}"
- echo " =========================================================================="
-
- return 0
-}
-
-get_pki_secure_port()
-{
- # establish well-known strings
- listen_statement="Listen"
-
- # first check to see that an instance-specific "nss.conf" file exists
- if [ ! -f ${PKI_NSS_CONF} ] ; then
- echo "File '${PKI_NSS_CONF}' does not exist!"
- exit ${default_error}
- fi
-
- # read this instance-specific "nss.conf" file line-by-line
- # to obtain the current value of the "clientauth" PKI secure port
- exec < ${PKI_NSS_CONF}
- while read line; do
- # look for the listen statement
- head=`echo $line | cut -b1-6`
- if [ "$head" == "$listen_statement" ] ; then
- # once the 'clientauth' listen statement has been found,
- # extract the numeric port information
- port=`echo $line | cut -b8-`
- SECURE_PORT=$port
- return 0
- fi
- done
-
- return ${default_error}
-}
-
-display_instance_status()
-{
- rv=0
-
- if [ -f ${pidfile} ] ; then
- pid=`cat ${pidfile}`
- if [ "${pid}" == "" ] ; then
- echo "${PKI_INSTANCE_ID} pid file exists but is empty"
- if [ "${command}" != "status" ]; then
- # * 1 generic or unspecified error (current practice)
- rv=1
- else
- # * 4 program or service status is unknown
- rv=4
- fi
- elif kill -0 ${pid} > /dev/null 2>&1 ; then
- echo "${PKI_INSTANCE_ID} (pid ${pid}) is running ..."
- echo
- check_pki_configuration_status
- rv=$?
- if [ ${rv} -eq 0 ] ; then
- get_pki_status_definitions
- rv=$?
- if [ ${rv} -ne 0 ] ; then
- echo
- echo "${PKI_INSTANCE_ID} Status Definitions not found"
- else
- get_pki_configuration_definitions
- rv=$?
- if [ ${rv} -ne 0 ] ; then
- echo
- echo "${PKI_INSTANCE_ID} Configuration Definitions not found"
- fi
- fi
- else
- # From the PKI point of view for a "non-status" action,
- # a returned error code of "6" implies that the program
- # is not "configured". Similarly, an error code of "1"
- # implies that the program was "configured" but must
- # still be restarted.
- #
- # Similarly, from the PKI point of view for a "status"
- # action, a returned error code of "4" implies that either
- # the program is not "configured", or that the program
- # was "configured" but must still be restarted.
- #
- # Regardless, it must still be considered that the instance
- # is "running" from the viewpoint of other OS programs such
- # as 'chkconfig'.
- #
- # For this reason, when returning from
- # 'display_instance_status()', ignore non-zero return codes
- # returned from 'check_pki_configuration_status()'.
- #
- if [ "${command}" != "status" ]; then
- # * 0 action was successful
- rv=0
- else
- # * 0 program is running or service is OK
- rv=0
- fi
- fi
- echo
- else
- echo "${PKI_INSTANCE_ID} is dead but pid file exists"
- if [ "${command}" != "status" ]; then
- # * 1 generic or unspecified error (current practice)
- rv=1
- else
- # * 1 program is dead and /var/run pid file exists
- rv=1
- fi
- fi
- else
- echo "${PKI_INSTANCE_ID} is stopped"
- if [ "${command}" != "status" ]; then
- # * 7 program is not running
- rv=7
- else
- # * 3 program is not running
- rv=3
- fi
- fi
-
- return ${rv}
-}
-
-start_instance()
-{
- rv=0
-
- echo -n $"Starting ${prog}: "
-
- if [ -f ${RESTART_SERVER} ] ; then
- rm -f ${RESTART_SERVER}
- fi
-
- if [ -f ${PKI_LOCKFILE} ] ; then
- if [ -f ${pidfile} ]; then
- read kpid < ${pidfile}
- if checkpid $kpid 2>&1; then
- echo
- echo "${PKI_INSTANCE_ID} (pid ${kpid}) is already running ..."
- echo
- check_pki_configuration_status
- rv=$?
- if [ ${rv} != 0 ]; then
- # From the PKI point of view for a "non-status" action,
- # a returned error code of "6" implies that the program
- # is not "configured". Similarly, an error code of "1"
- # implies that the program was "configured" but must
- # still be restarted.
- #
- # Regardless, it must still be considered that the instance
- # is "running" from the viewpoint of other OS programs such
- # as 'chkconfig'.
- #
- # For "non-status" actions, ignore return codes of "1"
- # from 'check_pki_configuration_status()'.
- #
- # However, for "non-status" actions that have a return
- # code of "6", return this value unchanged to
- # the calling routine so that the total number of
- # configuration errors may be counted.
- #
-
- echo
- if [ ${rv} = 1 ] ; then
- # * 0 action was successful
- return 0
- elif [ ${rv} = 6 ] ; then
- # * 6 program is not configured
- return 6
- else
- # should never be reached
- return ${rv}
- fi
- else
- return 0
- fi
- else
- echo
- echo -n "lock file found but no process "
- echo -n "running for pid $kpid, continuing"
- echo
- echo
- rm -f ${PKI_LOCKFILE}
- fi
- fi
- fi
-
- fix_pid_dir_ownership
-
- touch ${pidfile}
- chown ${PKI_USER}:${PKI_GROUP} ${pidfile}
- chmod 00600 ${pidfile}
- [ -x /sbin/restorecon ] && /sbin/restorecon ${pidfile}
-
- # restore context for ncipher hsm
- [ -x /sbin/restorecon ] && [ -d /dev/nfast ] && /sbin/restorecon -R /dev/nfast
-
- if [ -f /etc/init.d/functions ]; then
- /usr/sbin/selinuxenabled
- rv=$?
- if [ ${rv} = 0 ] ; then
- if [ ${ARCHITECTURE} = "i386" ] ; then
- LANG=${PKI_HTTPD_LANG} daemon runcon -t ${PKI_SELINUX_TYPE} -- ${httpd} ${PKI_OPTIONS}
- # overwrite output from "daemon"
- echo -n $"Starting ${prog}: "
- elif [ ${ARCHITECTURE} = "x86_64" ] ; then
- # NOTE: "daemon" is incompatible with "httpd"
- # on 64-bit architectures
- LANG=${PKI_HTTPD_LANG} runcon -t ${PKI_SELINUX_TYPE} -- ${httpd} ${PKI_OPTIONS}
- fi
- else
- LANG=${PKI_HTTPD_LANG} daemon ${httpd} ${PKI_OPTIONS}
- # overwrite output from "daemon"
- echo -n $"Starting ${prog}: "
- fi
- else
- LANG=${PKI_HTTPD_LANG} ${httpd} ${PKI_OPTIONS} -k start
- fi
-
- rv=$?
- if [ ${rv} = 0 ] ; then
- touch ${PKI_LOCKFILE}
- chown ${PKI_USER}:${PKI_GROUP} ${PKI_LOCKFILE}
- chmod 00600 ${PKI_LOCKFILE}
- fi
-
- if [ ${rv} = 0 ] ; then
- count=0;
-
- let swait=$STARTUP_WAIT
- until [ -s ${pidfile} ] ||
- [ $count -gt $swait ]
- do
- echo -n "."
- sleep 1
- let count=$count+1;
- done
-
- if [ -f /etc/init.d/functions ]; then
- if [ "$CONSOLETYPE" = "serial" ]; then
- echo -n " "
- fi
- echo_success
- echo
- else
- echo " [ OK ]"
- fi
-
- get_pki_secure_port
- if [ $? -ne 0 ] ; then
- SECURE_PORT="<Port Undefined>"
- fi
-
- # Set permissions of log files
- for file in ${pki_logs_directory}/*; do
- chown ${PKI_USER}:${PKI_GROUP} ${file}
- chmod 00640 ${file}
- done
-
- # ignore "status" return codes
- echo
- display_instance_status
- else
- if [ -f /etc/init.d/functions ]; then
- if [ "$CONSOLETYPE" = "serial" ]; then
- $0 echo -n " "
- fi
- echo_failure
- echo
- else
- echo " [ FAILED ]"
- fi
- fi
-
- if [ ${OS} = "Linux" ] ; then
- sleep 10
- elif [ ${OS} = "SunOS" ] ; then
- sleep 20
- fi
- return ${rv}
-}
-
-stop_instance()
-{
- rv=0
+. /etc/init.d/functions
- echo -n "Stopping ${prog}: "
-
- if [ -f ${PKI_LOCKFILE} ] ; then
- ${httpd} ${PKI_OPTIONS} -k stop
-
- rv=$?
-
- if [ ${rv} = 0 ]; then
- count=0;
-
- if [ -f ${pidfile} ]; then
- read kpid < ${pidfile}
- let kwait=$SHUTDOWN_WAIT
-
- until [ `ps -p $kpid | grep -c $kpid` = '0' ] ||
- [ $count -gt $kwait ]
- do
- echo -n "."
- sleep 1
- let count=$count+1;
- done
-
- if [ $count -gt $kwait ]; then
- kill -9 $kpid
- fi
- fi
-
- rm -f ${PKI_LOCKFILE}
- rm -f ${pidfile}
-
- if [ -f /etc/init.d/functions ]; then
- if [ "$CONSOLETYPE" = "serial" ]; then
- echo -n " "
- fi
- echo_success
- echo
- else
- echo " [ OK ]"
- fi
- else
- if [ -f /etc/init.d/functions ]; then
- if [ "$CONSOLETYPE" = "serial" ]; then
- echo -n " "
- fi
- echo_failure
- echo
- else
- echo " [ FAILED ]"
- fi
- rv=${default_error}
- fi
- else
- echo
- echo "process already stopped"
- rv=0
- fi
-
- return ${rv}
-}
-
-reload_instance()
-{
- rv=0
-
- echo -n $"Reloading ${prog}: "
-
- if ! LANG=${PKI_HTTPD_LANG} ${httpd} ${PKI_OPTIONS} -t >&/dev/null; then
- rv=$?
- echo $"not reloading due to configuration syntax error"
- if [ -f /etc/init.d/functions ]; then
- failure $"not reloading ${httpd} due to configuration syntax error"
- else
- echo $"not reloading ${httpd} due to configuration syntax error"
- fi
- else
- if [ -f /etc/init.d/functions ]; then
- killproc -p ${pidfile} ${httpd} -HUP
- rv=$?
- else
- if [ -f ${PKI_LOCKFILE} ] ; then
- if [ -f ${pidfile} ]; then
- read kpid < ${pidfile}
- if checkpid $kpid 2>&1; then
- kill -HUP $kpid
- rv=$?
- if [ ${rv} != 0 ]; then
- rv=${default_error}
- fi
- fi
- else
- # * 7 program is not running
- rv=7
- echo
- echo -n "lock file found but no process "
- echo -n "running for pid $kpid, continuing"
- echo
- echo
- rm -f ${PKI_LOCKFILE}
- fi
- fi
- fi
- fi
- echo
-
- return ${rv}
-}
-
-# The semantics of the 'start()' function differs from the way 'apachectl'
-# does things -- attempting to start while running is a failure.
-# So we just do it the way init scripts are expected to behave here.
-start()
-{
- # From "http://fedoraproject.org/wiki/FCNewInit/Initscripts":
- #
- # * 0 action was successful
- # * 1 generic or unspecified error (current practice)
- # * 2 invalid or excess argument(s)
- # * 3 unimplemented feature (for example, "reload")
- # * 4 user had insufficient privilege
- # * 5 program is not installed
- # * 6 program is not configured
- # * 7 program is not running
- # * 8-99 reserved for future LSB use
- # * 100-149 reserved for distribution use
- # * 150-199 reserved for application use
- # * 200-254 reserved
- #
-
- error_rv=0
- rv=0
-
- if [ -n "${PKI_REGISTRY_ENTRIES}" ]; then
- config_errors=0
- errors=0
-
- if [ ${TOTAL_PKI_REGISTRY_ENTRIES} -gt 1 ] ; then
- echo "BEGIN STARTING '${PKI_TYPE}' INSTANCE(S):"
- fi
-
- # Start every PKI instance of this type that isn't already running
- for PKI_REGISTRY_ENTRY in ${PKI_REGISTRY_ENTRIES}; do
- # Source values associated with this particular PKI instance
- [ -f ${PKI_REGISTRY_ENTRY} ] &&
- . ${PKI_REGISTRY_ENTRY}
-
- pidfile=${PKI_PIDDIR}/${PKI_PIDFILE}
-
- [ ${TOTAL_PKI_REGISTRY_ENTRIES} -gt 1 ] && echo
-
- start_instance
-
- rv=$?
- if [ ${rv} = 6 ] ; then
- # Since at least ONE configuration error exists, then there
- # is at least ONE unconfigured instance from the PKI point
- # of view.
- #
- # However, it must still be considered that the
- # instance is "running" from the point of view of other
- # OS programs such as 'chkconfig'.
- #
- # Therefore, ignore non-zero return codes resulting
- # from configuration errors.
- #
-
- config_errors=`expr $config_errors + 1`
- rv=0
- elif [ ${rv} != 0 ] ; then
- errors=`expr $errors + 1`
- error_rv=${rv}
- fi
- done
-
- if [ ${TOTAL_PKI_REGISTRY_ENTRIES} -gt ${errors} ] ; then
- touch ${lockfile}
- chmod 00600 ${lockfile}
- fi
-
- # ONLY print a "WARNING" message if multiple
- # instances are being examined
- if [ ${TOTAL_PKI_REGISTRY_ENTRIES} -gt 1 ] ; then
- # NOTE: "bad" return code(s) OVERRIDE configuration errors!
- if [ ${errors} -eq 1 ]; then
- # Since only ONE error exists, return that "bad" error code.
- rv=${error_rv}
- elif [ ${errors} -gt 1 ]; then
- # Since MORE than ONE error exists, return an OVERALL status
- # of "1 generic or unspecified error (current practice)"
- rv=1
- fi
-
- if [ ${errors} -ge 1 ]; then
- echo
- echo -n "WARNING: "
- echo -n "${errors} of ${TOTAL_PKI_REGISTRY_ENTRIES} "
- echo -n "'${PKI_TYPE}' instances failed to start!"
- echo
- fi
-
- if [ ${TOTAL_UNCONFIGURED_PKI_ENTRIES} -ge 1 ]; then
- echo
- echo -n "WARNING: "
- echo -n "${TOTAL_UNCONFIGURED_PKI_ENTRIES} "
- echo -n "of ${TOTAL_PKI_REGISTRY_ENTRIES} "
- echo -n "'${PKI_TYPE}' instances MUST be configured!"
- echo
- fi
-
- echo
- echo "FINISHED STARTING '${PKI_TYPE}' INSTANCE(S)."
- fi
- else
- echo
- echo "ERROR: No '${PKI_TYPE}' instances installed!"
- rv=5
- fi
-
- return ${rv}
-}
-
-# The semantics of the 'stop()' function differs from the way 'apachectl'
-# does things -- attempting to shutdown when not running is a failure.
-# So we just do it the way init scripts are expected to behave here.
-stop()
-{
- # From "http://fedoraproject.org/wiki/FCNewInit/Initscripts":
- #
- # * 0 action was successful
- # * 1 generic or unspecified error (current practice)
- # * 2 invalid or excess argument(s)
- # * 3 unimplemented feature (for example, "reload")
- # * 4 user had insufficient privilege
- # * 5 program is not installed
- # * 6 program is not configured
- # * 7 program is not running
- # * 8-99 reserved for future LSB use
- # * 100-149 reserved for distribution use
- # * 150-199 reserved for application use
- # * 200-254 reserved
- #
-
- error_rv=0
- rv=0
-
- if [ -n "${PKI_REGISTRY_ENTRIES}" ]; then
- errors=0
-
- if [ ${TOTAL_PKI_REGISTRY_ENTRIES} -gt 1 ] ; then
- echo "BEGIN SHUTTING DOWN '${PKI_TYPE}' INSTANCE(S):"
- fi
-
- # Shutdown every PKI instance of this type that is running
- for PKI_REGISTRY_ENTRY in ${PKI_REGISTRY_ENTRIES}; do
- # Source values associated with this particular PKI instance
- [ -f ${PKI_REGISTRY_ENTRY} ] &&
- . ${PKI_REGISTRY_ENTRY}
-
- pidfile=${PKI_PIDDIR}/${PKI_PIDFILE}
-
- [ ${TOTAL_PKI_REGISTRY_ENTRIES} -gt 1 ] && echo
-
- stop_instance
-
- rv=$?
- if [ ${rv} != 0 ] ; then
- errors=`expr $errors + 1`
- error_rv=${rv}
- fi
- done
-
- if [ ${errors} -eq 0 ] ; then
- rm -f ${lockfile}
- fi
-
- # ONLY print a "WARNING" message if multiple
- # instances are being examined
- if [ ${TOTAL_PKI_REGISTRY_ENTRIES} -gt 1 ] ; then
- if [ ${errors} -eq 1 ]; then
- # Since only ONE error exists, return that "bad" error code.
- rv=${error_rv}
- elif [ ${errors} -gt 1 ]; then
- # Since MORE than ONE error exists, return an OVERALL status
- # of "1 generic or unspecified error (current practice)"
- rv=1
- fi
-
- if [ ${errors} -ge 1 ]; then
- echo
- echo -n "WARNING: "
- echo -n "${errors} of ${TOTAL_PKI_REGISTRY_ENTRIES} "
- echo -n "'${PKI_TYPE}' instances were "
- echo -n "unsuccessfully stopped!"
- echo
- fi
-
- echo
- echo "FINISHED SHUTTING DOWN '${PKI_TYPE}' INSTANCE(S)."
- fi
- else
- echo
- echo "ERROR: No '${PKI_TYPE}' instances installed!"
- rv=5
- fi
-
- return ${rv}
-}
-
-restart()
-{
- # From "http://fedoraproject.org/wiki/FCNewInit/Initscripts":
- #
- # * 0 action was successful
- # * 1 generic or unspecified error (current practice)
- # * 2 invalid or excess argument(s)
- # * 3 unimplemented feature (for example, "reload")
- # * 4 user had insufficient privilege
- # * 5 program is not installed
- # * 6 program is not configured
- # * 7 program is not running
- # * 8-99 reserved for future LSB use
- # * 100-149 reserved for distribution use
- # * 150-199 reserved for application use
- # * 200-254 reserved
- #
-
- stop
- sleep 2
- echo
- echo "============================================================"
- echo
- start
-
- return $?
-}
-
-reload()
-{
- # From "http://fedoraproject.org/wiki/FCNewInit/Initscripts":
- #
- # * 0 action was successful
- # * 1 generic or unspecified error (current practice)
- # * 2 invalid or excess argument(s)
- # * 3 unimplemented feature (for example, "reload")
- # * 4 user had insufficient privilege
- # * 5 program is not installed
- # * 6 program is not configured
- # * 7 program is not running
- # * 8-99 reserved for future LSB use
- # * 100-149 reserved for distribution use
- # * 150-199 reserved for application use
- # * 200-254 reserved
- #
-
- error_rv=0
- rv=0
-
- if [ -n "${PKI_REGISTRY_ENTRIES}" ]; then
- errors=0
-
- if [ ${TOTAL_PKI_REGISTRY_ENTRIES} -gt 1 ] ; then
- echo "BEGIN RELOADING '${PKI_TYPE}' INSTANCE(S):"
- fi
-
- # Reload every PKI instance of this type that is running
- for PKI_REGISTRY_ENTRY in ${PKI_REGISTRY_ENTRIES}; do
- # Source values associated with this particular PKI instance
- [ -f ${PKI_REGISTRY_ENTRY} ] &&
- . ${PKI_REGISTRY_ENTRY}
-
- pidfile=${PKI_PIDDIR}/${PKI_PIDFILE}
-
- [ ${TOTAL_PKI_REGISTRY_ENTRIES} -gt 1 ] && echo
-
- reload_instance
-
- rv=$?
- if [ ${rv} != 0 ] ; then
- errors=`expr $errors + 1`
- error_rv=${rv}
- fi
- done
-
- # ONLY print a "WARNING" message if multiple
- # instances are being examined
- if [ ${TOTAL_PKI_REGISTRY_ENTRIES} -gt 1 ] ; then
- if [ ${errors} -eq 1 ]; then
- # Since only ONE error exists, return that "bad" error code.
- rv=${error_rv}
- elif [ ${errors} -gt 1 ]; then
- # Since MORE than ONE error exists, return an OVERALL status
- # of "1 generic or unspecified error (current practice)"
- rv=1
- fi
-
- if [ ${errors} -ge 1 ]; then
- echo
- echo -n "WARNING: "
- echo -n "${errors} of ${TOTAL_PKI_REGISTRY_ENTRIES} "
- echo -n "'${PKI_TYPE}' instances were "
- echo -n "unsuccessfully reloaded!"
- echo
- fi
-
- echo
- echo "FINISHED RELOADING '${PKI_TYPE}' INSTANCE(S)."
- fi
- else
- echo
- echo "ERROR: No '${PKI_TYPE}' instances reloaded!"
- rv=5
- fi
-
- return ${rv}
-}
-
-status()
-{
- # From "http://fedoraproject.org/wiki/FCNewInit/Initscripts":
- #
- # * 0 program is running or service is OK
- # * 1 program is dead and /var/run pid file exists
- # * 2 program is dead and /var/lock lock file exists
- # * 3 program is not running
- # * 4 program or service status is unknown
- # * 5-99 reserved for future LSB use
- # * 100-149 reserved for distribution use
- # * 150-199 reserved for application use
- # * 200-254 reserved
- #
-
- error_rv=0
- rv=0
-
- if [ -n "${PKI_REGISTRY_ENTRIES}" ]; then
- errors=0
-
- if [ ${TOTAL_PKI_REGISTRY_ENTRIES} -gt 1 ] ; then
- echo "REPORT STATUS OF '${PKI_TYPE}' INSTANCE(S):"
- fi
-
- # Obtain status of every PKI instance of this type
- for PKI_REGISTRY_ENTRY in ${PKI_REGISTRY_ENTRIES}; do
- # Source values associated with this particular PKI instance
- [ -f ${PKI_REGISTRY_ENTRY} ] &&
- . ${PKI_REGISTRY_ENTRY}
-
- pidfile=${PKI_PIDDIR}/${PKI_PIDFILE}
-
- [ ${TOTAL_PKI_REGISTRY_ENTRIES} -gt 1 ] && echo
-
- display_instance_status
-
- rv=$?
- if [ ${rv} -ne 0 ] ; then
- errors=`expr $errors + 1`
- error_rv=${rv}
- fi
- done
-
- # ONLY print a "WARNING" message if multiple
- # instances are being examined
- if [ ${TOTAL_PKI_REGISTRY_ENTRIES} -gt 1 ] ; then
- if [ ${errors} -eq 1 ]; then
- # Since only ONE error exists, return that "bad" error code.
- rv=${error_rv}
- elif [ ${errors} -gt 1 ]; then
- # Since MORE than ONE error exists, return an OVERALL status
- # of "4 - program or service status is unknown"
- rv=4
- fi
-
- if [ ${errors} -ge 1 ]; then
- echo
- echo -n "WARNING: "
- echo -n "${errors} of ${TOTAL_PKI_REGISTRY_ENTRIES} "
- echo -n "'${PKI_TYPE}' instances reported status failures!"
- echo
- fi
-
- if [ ${TOTAL_UNCONFIGURED_PKI_ENTRIES} -ge 1 ]; then
- echo
- echo -n "WARNING: "
- echo -n "${TOTAL_UNCONFIGURED_PKI_ENTRIES} "
- echo -n "of ${TOTAL_PKI_REGISTRY_ENTRIES} "
- echo -n "'${PKI_TYPE}' instances MUST be configured!"
- echo
- fi
-
- echo
- echo "FINISHED REPORTING STATUS OF '${PKI_TYPE}' INSTANCE(S)."
- fi
- else
- echo
- echo "ERROR: No '${PKI_TYPE}' instances installed!"
- rv=4
- fi
-
- return ${rv}
-}
+# Source the PKI function library
+. /usr/share/pki/scripts/functions
# See how we were called.
-case "${command}" in
- start|stop|restart|reload|status)
- ${command}
- exit $?
- ;;
- condrestart|force-restart|try-restart)
- [ ! -f ${lockfile} ] || restart
- exit $?
- ;;
- *)
- # * 3 unimplemented feature (for example, "reload")
- # [invalid command - should never be reached]
- echo
- usage
- echo "where valid instance names include:"
- list_instances
- exit 3
- ;;
+case $command in
+ status)
+ registry_status
+ exit $?
+ ;;
+ start)
+ start
+ exit $?
+ ;;
+ restart)
+ restart
+ exit $?
+ ;;
+ stop)
+ stop
+ exit $?
+ ;;
+ condrestart|force-restart|try-restart)
+ [ ! -f ${lockfile} ] || restart
+ exit $?
+ ;;
+ reload)
+ echo "The 'reload' action is an unimplemented feature."
+ exit ${default_error}
+ ;;
+ *)
+ echo "unknown action ($command)"
+ usage
+ echo "where valid instance names include:"
+ list_instances
+ exit ${default_error}
+ ;;
esac
diff --git a/pki/base/ra/setup/config.desktop b/pki/base/ra/setup/config.desktop
index 15dbad3b7..30935ef83 100644
--- a/pki/base/ra/setup/config.desktop
+++ b/pki/base/ra/setup/config.desktop
@@ -19,7 +19,7 @@
[Desktop Entry]
Version=1.0.0
Encoding=UTF-8
-Name=Registration Authority Configuration - [INSTANCE_ID]
+Name=Registration Authority Configuration - [PKI_INSTANCE_ID]
GenericName=Registration Authority Configuration
Comment=Configure Registration Authority
Exec=firefox https://[SERVER_NAME]:[SECURE_PORT]/ra/admin/console/config/login?pin=[PKI_RANDOM_NUMBER]
diff --git a/pki/base/ra/setup/registry_instance b/pki/base/ra/setup/registry_instance
new file mode 100644
index 000000000..09ec620cb
--- /dev/null
+++ b/pki/base/ra/setup/registry_instance
@@ -0,0 +1,117 @@
+# Establish PKI Variable "Slot" Substitutions
+
+PKI_FLAVOR=[PKI_FLAVOR]
+export PKI_FLAVOR
+
+PKI_SUBSYSTEM_TYPE=[PKI_SUBSYSTEM_TYPE]
+export PKI_SUBSYSTEM_TYPE
+
+PKI_USER=[PKI_USER]
+export PKI_USER
+
+PKI_GROUP=[PKI_GROUP]
+export PKI_GROUP
+
+PKI_INSTANCE_ID=[PKI_INSTANCE_ID]
+export PKI_INSTANCE_ID
+
+PKI_INSTANCE_INITSCRIPT=[PKI_INSTANCE_INITSCRIPT]
+export PKI_INSTANCE_INITSCRIPT
+
+PKI_HTTPD_CONF=[HTTPD_CONF]
+export PKI_HTTPD_CONF
+
+PKI_SERVER_ROOT=[SERVER_ROOT]
+export PKI_SERVER_ROOT
+
+PKI_SYSTEM_USER_LIBRARIES=[SYSTEM_USER_LIBRARIES]
+export PKI_SYSTEM_USER_LIBRARIES
+
+PKI_FORTITUDE_DIR=[FORTITUDE_DIR]
+export PKI_FORTITUDE_DIR
+
+PKI_NSS_CONF=[NSS_CONF]
+export PKI_NSS_CONF
+
+PKI_SERVER_NAME=[SERVER_NAME]
+export PKI_SERVER_NAME
+
+PKI_LOCK_FILE="[PKI_LOCKDIR]/${PKI_INSTANCE_ID}.pid"
+export PKI_LOCK_FILE
+
+PKI_PID_FILE="[PKI_PIDDIR]/${PKI_INSTANCE_ID}.pid"
+export PKI_PID_FILE
+
+PKI_SELINUX_TYPE="pki_ra_t"
+export PKI_SELINUX_TYPE
+
+pki_instance_configuration_file=${PKI_SERVER_ROOT}/conf/CS.cfg
+export pki_instance_configuration_file
+
+RESTART_SERVER=${PKI_SERVER_ROOT}/conf/restart_server_after_configuration
+export RESTART_SERVER
+
+########################################################################
+# This section contains modified content of "/etc/sysconfig/httpd" #
+########################################################################
+# Configuration file for the ${PKI_INSTANCE_ID} service.
+
+#
+# The default processing model (MPM) is the process-based
+# 'prefork' model. A thread-based model, 'worker', is also
+# available, but does not work with some modules (such as PHP).
+# The service must be stopped before changing this variable.
+#
+PKI_HTTPD=${PKI_FORTITUDE_DIR}/sbin/httpd.worker
+export PKI_HTTPD
+
+#
+# To pass additional options (for instance, -D definitions) to the
+# httpd binary at startup, set PKI_OPTIONS here.
+#
+PKI_OPTIONS="-f ${PKI_HTTPD_CONF}"
+export PKI_OPTIONS
+
+#
+# By default, the httpd process is started in the C locale; to
+# change the locale in which the server runs, the PKI_HTTPD_LANG
+# variable can be set.
+#
+PKI_HTTPD_LANG=C
+export PKI_HTTPD_LANG
+########################################################################
+# #
+########################################################################
+
+# This will prevent initlog from swallowing up a pass-phrase prompt if
+# mod_ssl needs a pass-phrase from the user.
+PKI_INITLOG_ARGS=""
+export PKI_INITLOG_ARGS
+
+# Set PKI_HTTPD=/usr/sbin/httpd.worker in /etc/sysconfig/httpd to use a server
+# with the thread-based "worker" MPM; BE WARNED that some modules may not
+# work correctly with a thread-based MPM; notably PHP will refuse to start.
+
+# Path to the server binary and short-form for messages.
+httpd=${PKI_HTTPD}
+export httpd
+
+pki_logs_directory=${PKI_SERVER_ROOT}/logs
+export pki_logs_directory
+
+# see if httpd is linked with the openldap libraries - we need to override them
+if [ ${OS} = "Linux" ]; then
+ hasopenldap=0
+
+ /usr/bin/ldd ${httpd} 2>&1 | grep libldap- > /dev/null 2>&1 && hasopenldap=1
+
+ if [ ${hasopenldap} -eq 1 ] ; then
+ LD_PRELOAD="${PKI_SYSTEM_USER_LIBRARIES}/libldap60.so"
+ LD_PRELOAD="${PKI_SYSTEM_USER_LIBRARIES}/libssl3.so:${LD_PRELOAD}"
+ export LD_PRELOAD
+ fi
+elif [ ${OS} = "SunOS" ]; then
+ LD_PRELOAD_64="${PKI_SYSTEM_USER_LIBRARIES}/libldap60.so"
+ LD_PRELOAD_64="${PKI_SYSTEM_USER_LIBRARIES}/dirsec/libssl3.so:${LD_PRELOAD_64}"
+ export LD_PRELOAD_64
+fi
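Review bot: The `LD_PRELOAD` export in the `hasopenldap` block at the end of the file (and the unconditional `LD_PRELOAD_64` on SunOS) is placed in a registry file that the init script sources into its own environment, so it is not scoped to the httpd launch: every command the script runs afterwards — `chown`, `chmod`, `restorecon`, `runcon`, `kill`, the status checks — starts with libssl3/libldap60 preloaded, which is fragile and needlessly widens the impact of that library directory ever becoming writable by an unprivileged account. I would keep the computed value in a plain variable such as `PKI_HTTPD_LD_PRELOAD` and have the initscript apply it only on the httpd command line, the way the old `start_instance()` applied `LANG=${PKI_HTTPD_LANG}`. The `if [ ${OS} = "Linux" ]` test that guards this block also errors with "unary operator expected" if `OS` is not set by whatever sources this file; quote it: `if [ "${OS}" = "Linux" ]; then` (same for the SunOS branch). Minor: `PKI_LOCK_FILE` is given a `.pid` suffix under the lock directory, which looks copied from `PKI_PID_FILE` — confirm that is intended.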
diff --git a/pki/base/setup/pkicommon b/pki/base/setup/pkicommon
index 725a84358..d408459f3 100755
--- a/pki/base/setup/pkicommon
+++ b/pki/base/setup/pkicommon
@@ -29,7 +29,7 @@ our @EXPORT = qw(
$lib_prefix $obj_ext $path_sep $tmp_dir $logfile
$pki_flavor $pki_registry_path
$verbose $dry_run $hostname $default_hardware_platform
- $default_system_binaries $default_system_libraries $default_system_user_binaries
+ $default_system_binaries $default_lockdir $default_system_libraries $default_system_user_binaries
$default_system_user_libraries $default_system_jni_java_path
$default_security_libraries $default_certutil_command
$default_ldapmodify_command $default_modutil_command
@@ -69,7 +69,7 @@ our @EXPORT = qw(
directory_exists is_directory_empty create_directory copy_directory remove_directory
set_owner_group_on_directory_contents
symlink_exists create_symlink remove_symlink set_owner_group_on_symlink
- run_command get_registry_initscript_name
+ run_command get_cs_cfg get_registry_initscript_name
register_pki_instance_with_chkconfig deregister_pki_instance_with_chkconfig
);
@@ -165,6 +165,7 @@ our $pki_registry_path = undef;
our $default_hardware_platform = undef;
our $default_system_binaries = undef;
+our $default_lockdir = undef;
our $default_system_libraries = undef;
our $default_system_user_binaries = undef;
our $default_system_user_libraries = undef;
@@ -191,6 +192,7 @@ if ($^O eq "linux") {
$default_registry_path = "/etc/sysconfig";
$pki_registry_path = "$default_registry_path/$pki_flavor";
$default_initscripts_path = "/etc/rc.d/init.d";
+ $default_lockdir = "/var/lock/$pki_flavor";
$default_hardware_platform = `uname -i`;
$default_hardware_platform =~ s/\s+$//g;
chomp($default_hardware_platform);
@@ -3209,6 +3211,90 @@ sub run_command
# Generic PKI Subroutines
##############################################################
+# Get parameter value(s) from CS.cfg file
+#
+# get_cs_cfg(config_path, search)
+#
+# There are 3 ways the parameters can be returned, as a string, as a
+# set of variables, or as a hash table depending on the search
+# parameter type.
+#
+# If search is string then the parameter value is returned as a string
+# if it was found, otherwise if it wasn't found then undef is
+# returned.
+#
+# If search is a reference to a hash then each key in the hash will be
+# searched for and the key's value will be used as a reference to
+# assign the value of the parameter to. If the key was not found then
+# the reference will be assigned the value of undef.
+#
+# If search is reference to an array then every parameter in the
+# array will be searched for and a hash will be returned with a key
+# for every parameter found, the key's value is the parameter value.
+#
+# Examples:
+#
+# my ($subsystem_type, $uri, $table);
+#
+# # Get a single string: $subsystem_type is assigned the string "CA"
+# $subsystem_type = get_cs_cfg("/etc/pki-ca/CS.cfg", "cs.type");
+#
+# # Assign a set of variables: $subsystem_type and $uri are assigned
+# get_cs_cfg($config_path, {"cs.type" => \$subsystem_type,
+# "ee.interface.uri" => \$uri});
+#
+# # Get a lookup table:
+# $table = get_cs_cfg("/etc/pki-ca/CS.cfg", ["cs.type", "ee.interface.uri"]);
+# # returns the hash:
+# # {"cs.type" => "CA",
+# # "ee.interface.uri" => "ca/ee/ca"}
+#
+sub get_cs_cfg
+{
+ my ($config_path, $search) = @_;
+ my ($text, $key, $value, $num_found);
+
+ $text = read_file($config_path);
+
+ if (ref($search) eq "HASH") {
+ my $num_found = 0;
+ while (my ($key, $ref) = each(%$search)) {
+ if ($text =~ /^\s*\Q$key\E\s*=\s*(.*)/m) {
+ $value = $1;
+ $$ref = $value;
+ $num_found += 1;
+ } else {
+ $$ref = undef;
+ }
+ }
+ return $num_found;
+ } elsif (ref($search) eq "ARRAY") {
+ my $result = {};
+ my $keys = $search;
+
+ foreach $key (@$keys) {
+ if ($text =~ /^\s*\Q$key\E\s*=\s*(.*)/m) {
+ $value = $1;
+ $result->{$key} = $value;
+ }
+ }
+
+ return $result;
+
+ } else {
+ my $result = undef;
+ $key = $search;
+
+ if ($text =~ /^\s*\Q$key\E\s*=\s*(.*)/m) {
+ $value = $1;
+ $result = $value;
+ }
+
+ return $result;
+
+ }
+}
+
sub get_registry_initscript_name
{
my ($subsystem_type) = @_;
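Review bot: The `(.*)` capture used in all three branches of `get_cs_cfg` keeps trailing whitespace and the `\r` of a CRLF-edited CS.cfg, so `cs.type = CA ` is returned as `"CA "` and a caller comparing with `eq "CA"` silently fails; use `(.*?)\s*$` in each regex (still under `/m`) or strip with `$value =~ s/\s+$//;` before assigning. `read_file($config_path)` is also used unchecked, so a missing or unreadable CS.cfg yields an undef `$text` and a stream of "uninitialized value" warnings from the matches rather than a clear failure — guard it right after the call, e.g. `defined $text or die "cannot read $config_path";`. In the HASH branch `my $num_found = 0;` re-declares the `$num_found` already declared in the function's outer `my`, which is harmless but confusing; drop the inner `my`. The header comment should also state that only the first matching line for a key is returned.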
diff --git a/pki/base/setup/pkicreate b/pki/base/setup/pkicreate
index f8d723eb8..aeb7a311e 100755
--- a/pki/base/setup/pkicreate
+++ b/pki/base/setup/pkicreate
@@ -174,7 +174,6 @@ my $addAgents_ldif_base_name = "addAgents.ldif"; # TPS
my $addIndexes_ldif_base_name = "addIndexes.ldif"; # TPS
my $addTokens_ldif_base_name = "addTokens.ldif"; # TPS
my $addVLVIndexes_ldif_base_name = "addVLVIndexes.ldif"; # TPS
-my $apachectl_base_name = "apachectl"; # TPS
my $nss_pcache_base_name = "nss_pcache"; # RA, TPS
my $certsrv_jar_base_name = "certsrv.jar"; # CA, KRA, OCSP, TKS
my $nsutil_jar_base_name = "nsutil.jar"; # CA, KRA, OCSP, TKS
@@ -220,6 +219,7 @@ my $web_xml_base_name = "web.xml"; # CA, KRA, OCSP, T
my $profile_select_base_name = "ProfileSelect.template"; # CA
my $registry_template_base_name = "registry_instance"; # CA, KRA, OCSP, TKS, RA, TPS
+my $pki_apache_initscript_base_name = "pki_apache_initscript"; # RA, TPS
# Subdirectory names
my $perl_base_instance_symlink = "perl"; # RA, TPS
@@ -247,10 +247,7 @@ my $db_password_low = 100000000000;
my $db_password_high = 999999999999;
# Template slot constants (RA, TPS)
-my $GROUPID = "GROUPID";
my $HTTPD_CONF = "HTTPD_CONF";
-my $INSTANCE_ID = "INSTANCE_ID";
-my $INSTANCE_ROOT = "INSTANCE_ROOT";
my $LIB_PREFIX = "LIB_PREFIX";
my $NSS_CONF = "NSS_CONF";
my $OBJ_EXT = "OBJ_EXT";
@@ -261,12 +258,10 @@ my $NON_CLIENTAUTH_SECURE_PORT = "NON_CLIENTAUTH_SECURE_PORT";
my $SECURITY_LIBRARIES = "SECURITY_LIBRARIES";
my $SERVER_NAME = "SERVER_NAME";
my $SERVER_ROOT = "SERVER_ROOT";
-my $SUBSYSTEM_TYPE = "SUBSYSTEM_TYPE";
my $SYSTEM_LIBRARIES = "SYSTEM_LIBRARIES";
my $SYSTEM_USER_LIBRARIES = "SYSTEM_USER_LIBRARIES";
my $TMP_DIR = "TMP_DIR";
my $TPS_DIR = "TPS_DIR";
-my $USERID = "USERID";
my $FORTITUDE_APACHE = "FORTITUDE_APACHE";
my $FORTITUDE_DIR = "FORTITUDE_DIR";
my $FORTITUDE_MODULE = "FORTITUDE_MODULE";
@@ -274,6 +269,12 @@ my $FORTITUDE_LIB_DIR = "FORTITUDE_LIB_DIR";
my $FORTITUDE_AUTH_MODULES = "FORTITUDE_AUTH_MODULES";
my $FORTITUDE_NSS_MODULES = "FORTITUDE_NSS_MODULES";
my $REQUIRE_CFG_PL = "REQUIRE_CFG_PL";
+my $PKI_PIDDIR = "PKI_PIDDIR";
+my $PKI_LOCKDIR = "PKI_LOCKDIR";
+
+# Template slot constants (CA, KRA, OCSP, TKS, RA, TPS)
+my $PKI_INSTANCE_ID_SLOT = "PKI_INSTANCE_ID";
+my $PKI_REGISTRY_FILE_SLOT = "PKI_REGISTRY_FILE";
# Template slot constants (CA, KRA, OCSP, TKS)
my $INSTALL_TIME = "INSTALL_TIME";
@@ -281,7 +282,6 @@ my $PKI_AGENT_CLIENTAUTH_SLOT = "PKI_AGENT_CLIENTAUTH";
my $PKI_CERT_DB_PASSWORD_SLOT = "PKI_CERT_DB_PASSWORD";
my $PKI_CFG_PATH_NAME_SLOT = "PKI_CFG_PATH_NAME";
my $PKI_GROUP_SLOT = "PKI_GROUP";
-my $PKI_INSTANCE_ID_SLOT = "PKI_INSTANCE_ID";
my $PKI_INSTANCE_PATH_SLOT = "PKI_INSTANCE_PATH";
my $PKI_INSTANCE_ROOT_SLOT = "PKI_INSTANCE_ROOT";
my $PKI_MACHINE_NAME_SLOT = "PKI_MACHINE_NAME";
@@ -397,7 +397,7 @@ my $scripts_subsystem_path = undef; # RA, TPS
my $shared_subsystem_path = undef; # CA, KRA, OCSP, TKS (Tomcat)
my $temp_subsystem_path = undef; # CA, KRA, OCSP, TKS (Tomcat)
my $webapps_subsystem_path = undef; # CA, KRA, OCSP, TKS
-my $common_ui_subsystem_path = undef; # CA, KRA, OCSP, TKS, RA, TPS
+my $common_ui_subsystem_path = undef; # CA, KRA, OCSP, TKS, RA, TPS
my $ui_subsystem_path = undef; # CA, KRA, OCSP, TKS, RA, TPS
my $work_subsystem_path = undef; # CA, KRA, OCSP, TKS (Tomcat)
@@ -420,6 +420,8 @@ my $temp_instance_path = undef; # CA, KRA, OCSP, TKS (Tomcat)
my $webapps_instance_path = undef; # CA, KRA, OCSP, TKS
my $webapps_subsystem_instance_path = undef; # CA, KRA, OCSP, TKS
my $work_instance_path = undef; # CA, KRA, OCSP, TKS (Tomcat)
+my $pki_piddir_path = undef; # RA, TPS
+my $pki_lockdir_path = undef; # RA, TPS
# Base instance symbolic link paths
my $conf_instance_symlink_path = undef; # CA, KRA, OCSP, TKS, RA, TPS
@@ -448,8 +450,6 @@ my $addTokens_ldif_instance_file_path = undef; # TPS
my $addTokens_ldif_subsystem_file_path = undef; # TPS
my $addVLVIndexes_ldif_instance_file_path = undef; # TPS
my $addVLVIndexes_ldif_subsystem_file_path = undef; # TPS
-my $apachectl_instance_file_path = undef; # TPS
-my $apachectl_subsystem_file_path = undef; # TPS
my $jakarta_commons_collections_jar_file_path = undef; # CA, KRA, OCSP, TKS
my $jakarta_commons_collections_jar_symlink_path = undef; # CA, KRA, OCSP, TKS
my $jakarta_commons_logging_jar_file_path = undef; # CA, KRA, OCSP, TKS
@@ -499,8 +499,9 @@ my $perl_instance_symlink_path = undef; # RA, TPS
my $perl_subsystem_path = undef; # RA, TPS
my $pfile_instance_file_path = undef; # CA, KRA, OCSP, TKS, RA, TPS
my $pwcache_conf_instance_file_path = undef; # RA, TPS
-my $pki_cfg_instance_file_path = undef; # CA, KRA, OCSP, TKS, RA, TPS
my $pki_cfg_subsystem_file_path = undef; # CA, KRA, OCSP, TKS, RA, TPS
+my $pki_cfg_instance_file_path = undef; # CA, KRA, OCSP, TKS, RA, TPS
+my $pki_apache_initscript_file_path = undef; # RA, TPS
my $schemaMods_ldif_instance_file_path = undef; # RA, TPS
my $schemaMods_ldif_subsystem_file_path = undef; # RA, TPS
my $server_xml_instance_file_path = undef; # CA, KRA, OCSP, TKS
@@ -1561,14 +1562,19 @@ sub initialize_subdirectory_paths
}
## Initialize subdirectory paths (RA, TPS subsystems)
+ if ($subsystem_type eq $TPS) {
+ $cgi_sow_subsystem_file_path = $cgibin_subsystem_path
+ . "/"
+ . $cgi_sow_dir_name;
+ $cgi_sow_instance_cfg_pl_path = $cgibin_instance_path
+ . "/"
+ . $cgi_sow_cfg_pl_name;
+ }
+
if ($subsystem_type eq $RA || $subsystem_type eq $TPS) {
if ($subsystem_type eq $TPS) {
- $apachectl_instance_file_path = $bin_instance_path
- . "/" . $apachectl_base_name;
- $apachectl_subsystem_file_path = $bin_subsystem_path
- . "/" . $apachectl_base_name;
$cgi_home_instance_file_path = $cgibin_instance_path
. "/"
. $cgi_home_base_name;
@@ -1596,12 +1602,6 @@ sub initialize_subdirectory_paths
$cgi_sow_instance_file_path = $cgibin_instance_path
. "/"
. $cgi_sow_dir_name;
- $cgi_sow_subsystem_file_path = $cgibin_subsystem_path
- . "/"
- . $cgi_sow_dir_name;
- $cgi_sow_instance_cfg_pl_path = $cgibin_instance_path
- . "/"
- . $cgi_sow_cfg_pl_name;
$addAgents_ldif_instance_file_path = $scripts_instance_path
. "/"
. $addAgents_ldif_base_name;
@@ -1634,6 +1634,13 @@ sub initialize_subdirectory_paths
. $schemaMods_ldif_base_name;
}
+ $pki_piddir_path = $default_apache_pids_path
+ . "/" . $subsystem_type;
+ $pki_lockdir_path = $default_lockdir
+ . "/" . $subsystem_type;
+ $pki_apache_initscript_file_path = $pki_subsystem_common_area
+ . "/" . $scripts_base_subsystem_dir
+ . "/" . $pki_apache_initscript_base_name;
$nss_pcache_instance_file_path = $scripts_instance_path
. "/"
. $nss_pcache_base_name;
@@ -1834,10 +1841,10 @@ sub process_pki_directories
# only copy selected files
return 0 if !copy_file($magic_subsystem_file_path, $magic_instance_file_path,
- $default_file_permissions);
+ $default_file_permissions, $pki_user, $pki_group);
return 0 if !copy_file($mime_types_subsystem_file_path, $mime_types_instance_file_path,
- $default_file_permissions);
+ $default_file_permissions, $pki_user, $pki_group);
} else {
$server_xml_instance_file_path = $conf_instance_path
@@ -1883,10 +1890,10 @@ sub process_pki_directories
# only copy selected files
return 0 if !copy_file($magic_subsystem_file_path, $magic_instance_file_path,
- $default_file_permissions);
+ $default_file_permissions, $pki_user, $pki_group);
return 0 if !copy_file($mime_types_subsystem_file_path, $mime_types_instance_file_path,
- $default_file_permissions);
+ $default_file_permissions, $pki_user, $pki_group);
} else {
$server_xml_instance_file_path = $redirected_conf_path
@@ -2017,10 +2024,6 @@ sub process_pki_directories
set_permissions("${cgibin_instance_path}/sow/*.html", $default_file_permissions);
set_permissions("${cgibin_instance_path}/sow/*.pl", $default_exe_permissions);
}
-
- # Apache Specific
- set_permissions("${docroot_instance_path}/GenericAuth.html", $default_file_permissions);
- set_permissions("${docroot_instance_path}/style.css", $default_file_permissions);
}
} else {
## Populate instance directory paths (CA, KRA, OCSP, TKS instances)
@@ -2098,7 +2101,9 @@ sub process_file_template
my $buf = "";
my $num_subs = 0;
my $total_subs = 0;
-
+ my @keys;
+ my $key;
+ my $value;
emit(" Template ($template_name) \"${src_path}\" ==> \"${dst_path}\" ...\n");
# Check for a valid source file
@@ -2118,7 +2123,9 @@ sub process_file_template
# Process each line substituting each [KEY]
# with its corresponding slot hash value
- while(my ($key, $value) = each(%$substitutions)) {
+ @keys = sort(keys %$substitutions);
+ foreach $key (@keys) {
+ $value = $substitutions->{$key};
# Perform global substitution on buffer and
# get count of how many substitutions were actually performed.
$num_subs = $buf =~ s/\[$key\]/$value/g;
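Review bot: The rewritten loop still interpolates `$key` into the substitution pattern unescaped, so a slot name containing regex metacharacters would be matched as a pattern rather than literally; now that the keys are iterated explicitly, `$num_subs = $buf =~ s/\[\Q$key\E\]/$value/g;` keeps the match literal at no cost. The `@keys`, `$key` and `$value` declarations hoisted to function scope in the preceding hunk could instead be `foreach my $key (sort keys %$substitutions) { my $value = $substitutions->{$key};`, which confines them to the loop where they are used. process_file_template's body continues outside this hunk.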
@@ -2138,10 +2145,16 @@ sub process_file_template
emit(" $total_subs substitutions were made in '$dst_path'\n");
+ # Sanity check, are there any strings left in the buffer which look
+ # like a substitution.
+ foreach my $match ($buf =~ /\[[A-Z_]+\]/g) {
+ emit("WARNING: Possible missed substitution \"$match\" in $src_path");
+ }
+
# Record that we've installed this file.
add_install_info($dst_path, 'file');
- if ($verbose > 2) {
+ if ($verbose >= 2) {
# For debugging, emit the contents after substitution.
emit(sprintf(">> $dst_path\n%s<< $dst_path\n", $buf));
}
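Review bot: Lowering the debug threshold from `$verbose > 2` to `$verbose >= 2` means two `-verbose` flags now dump the fully substituted buffer, and for the "pki_cfg" template that buffer carries the value substituted for the `$PKI_CERT_DB_PASSWORD_SLOT` slot, so the certificate-database password ends up in installer output at a verbosity level users reach routinely. Either keep this dump at the highest level or blank known secret slots before emitting, and mark the condition with a comment such as `# NOTE: dumps the substituted file, including any password slots`. Separately, the new missed-substitution warning is the only emit in this function without a trailing newline; `emit("WARNING: Possible missed substitution \"$match\" in $src_path\n");` matches the surrounding messages.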
@@ -2171,12 +2184,21 @@ sub process_pki_templates
emit("Processing PKI templates for '$pki_instance_path' ...\n");
+ $slot_hash{$PKI_SUBSYSTEM_TYPE_SLOT} = $subsystem_type;
+ $slot_hash{$PKI_INSTANCE_ID_SLOT} = $pki_instance_name;
+ $slot_hash{$PKI_INSTANCE_ROOT_SLOT} = $pki_instance_root;
+ $slot_hash{$PKI_INSTANCE_INITSCRIPT} = $pki_instance_initscript_path;
+ $slot_hash{$PKI_REGISTRY_FILE_SLOT} = $pki_registry_instance_file_path;
+ $slot_hash{$PKI_USER_SLOT} = $pki_user;
+ $slot_hash{$PKI_GROUP_SLOT} = $pki_group;
+
+ if ($subsystem_type eq $TPS) {
+ $slot_hash{$REQUIRE_CFG_PL} = "require \"${cgi_sow_instance_cfg_pl_path}\";";
+ }
+
if ($subsystem_type eq $RA || $subsystem_type eq $TPS) {
# Setup templates (RA, TPS)
- $slot_hash{$GROUPID} = $pki_group;
$slot_hash{$HTTPD_CONF} = $httpd_conf_instance_file_path;
- $slot_hash{$INSTANCE_ID} = $pki_instance_name;
- $slot_hash{$INSTANCE_ROOT} = $pki_instance_root;
$slot_hash{$LIB_PREFIX} = $lib_prefix;
$slot_hash{$NSS_CONF} = $nss_conf_instance_file_path;
$slot_hash{$OBJ_EXT} = $obj_ext;
@@ -2187,15 +2209,14 @@ sub process_pki_templates
$slot_hash{$SECURITY_LIBRARIES} = $default_security_libraries;
$slot_hash{$SERVER_NAME} = $host;
$slot_hash{$SERVER_ROOT} = $pki_instance_path;
- $slot_hash{$SUBSYSTEM_TYPE} = $subsystem_type;
$slot_hash{$SYSTEM_LIBRARIES} = $default_system_libraries;
$slot_hash{$SYSTEM_USER_LIBRARIES} = $default_system_user_libraries;
$slot_hash{$TMP_DIR} = $tmp_dir;
$slot_hash{$TPS_DIR} = $pki_subsystem_path;
- $slot_hash{$USERID} = $pki_user;
$slot_hash{$PKI_FLAVOR_SLOT} = $pki_flavor;
$slot_hash{$PKI_RANDOM_NUMBER_SLOT} = $random;
- $slot_hash{$REQUIRE_CFG_PL} = "require \"${cgi_sow_instance_cfg_pl_path}\";";
+ $slot_hash{$PKI_PIDDIR} = $pki_piddir_path;
+ $slot_hash{$PKI_LOCKDIR} = $pki_lockdir_path;
if (is_Fedora() || (is_RHEL() && (! is_RHEL4()))) {
$slot_hash{$FORTITUDE_APACHE} = "Apache2";
$slot_hash{$FORTITUDE_DIR} = "/usr";
@@ -2234,19 +2255,14 @@ LoadModule nss_module /opt/fortitude/modules.local/libmodnss.so
$slot_hash{$INSTALL_TIME} = localtime;
$slot_hash{$PKI_CERT_DB_PASSWORD_SLOT} = $db_password;
$slot_hash{$PKI_CFG_PATH_NAME_SLOT} = $pki_cfg_instance_file_path;
- $slot_hash{$PKI_GROUP_SLOT} = $pki_group;
- $slot_hash{$PKI_INSTANCE_ID_SLOT} = $pki_instance_name;
$slot_hash{$PKI_INSTANCE_PATH_SLOT} = $pki_instance_path;
- $slot_hash{$PKI_INSTANCE_ROOT_SLOT} = $pki_instance_root;
$slot_hash{$PKI_MACHINE_NAME_SLOT} = $host;
$slot_hash{$PKI_RANDOM_NUMBER_SLOT} = $random;
$slot_hash{$PKI_SERVER_XML_CONF} = $server_xml_instance_file_path;
- $slot_hash{$PKI_SUBSYSTEM_TYPE_SLOT} = $subsystem_type;
$slot_hash{$PKI_UNSECURE_PORT_SLOT} = $unsecure_port;
# Define "Port Separation" (default) versus "Shared Ports" (legacy)
- if ($use_port_separation)
- {
+ if ($use_port_separation) {
# Establish "Port Separation" Connector Names
$slot_hash{$PKI_UNSECURE_PORT_CONNECTOR_NAME_SLOT} = $PKI_UNSECURE_PORT_NAME;
$slot_hash{$PKI_SECURE_PORT_CONNECTOR_NAME_SLOT} = $PKI_AGENT_SECURE_PORT_NAME;
@@ -2314,7 +2330,6 @@ LoadModule nss_module /opt/fortitude/modules.local/libmodnss.so
}
$slot_hash{$PKI_WEBAPPS_NAME} = $webapps_base_subsystem_dir;
- $slot_hash{$PKI_USER_SLOT} = $pki_user;
$slot_hash{$PKI_FLAVOR_SLOT} = $pki_flavor;
$slot_hash{$TOMCAT_SERVER_PORT_SLOT} = $tomcat_server_port;
$slot_hash{$TOMCAT_PIDFILE} = $tomcat6_instance_pid_file_path;
@@ -2338,7 +2353,6 @@ LoadModule nss_module /opt/fortitude/modules.local/libmodnss.so
. "-SSL3_RSA_WITH_NULL_MD5,-TLS_RSA_EXPORT1024_WITH_RC4_56_SHA,"
. "-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA";
$slot_hash{$TOMCAT_INSTANCE_COMMON_LIB} = "$tomcat_instance_common_lib_path/*.jar";
- $slot_hash{$PKI_INSTANCE_INITSCRIPT} = $pki_instance_initscript_path;
}
## Process templates (instance independent)
@@ -2349,8 +2363,8 @@ LoadModule nss_module /opt/fortitude/modules.local/libmodnss.so
# process "CS.cfg" template
return 0 if !process_file_template("pki_cfg",
$pki_cfg_subsystem_file_path,
- $pki_cfg_instance_file_path,
- \%slot_hash);
+ $pki_cfg_instance_file_path,
+ \%slot_hash);
return 0 if !set_file_props($pki_cfg_instance_file_path,
$default_file_permissions, $pki_user, $pki_group);
@@ -2386,14 +2400,6 @@ LoadModule nss_module /opt/fortitude/modules.local/libmodnss.so
if ($subsystem_type eq $TPS) {
- # process "apachectl" template
- return 0 if !process_file_template("apachectl",
- $apachectl_subsystem_file_path,
- $apachectl_instance_file_path,
- \%slot_hash);
- set_permissions($apachectl_instance_file_path, $default_exe_permissions);
-
-
# process "cgi" template
return 0 if !process_file_template("cgi_home",
$cgi_home_subsystem_file_path,
@@ -2500,6 +2506,15 @@ LoadModule nss_module /opt/fortitude/modules.local/libmodnss.so
return 0 if !set_permissions($nss_pcache_instance_file_path,
$default_exe_permissions);
+ # process "pki_apache_initscript" template
+ return 0 if !process_file_template("pki_apache_initscript",
+ $pki_apache_initscript_file_path,
+ $pki_instance_initscript_path,
+ \%slot_hash);
+
+ return 0 if !set_permissions($pki_instance_initscript_path,
+ $default_exe_permissions);
+
} else {
## Process templates (CA, KRA, OCSP, TKS instances)
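Review bot: The generated init script only receives `$default_exe_permissions` through `set_permissions`, whereas the "pki_cfg" output earlier in this function goes through `set_file_props(..., $default_file_permissions, $pki_user, $pki_group)` with explicit ownership; an init script is executed by root at boot, so its owner effectively gets to run code as root, and ownership should be pinned deliberately rather than left to whatever the template writer produces. Where `$pki_instance_initscript_path` resolves is not visible here; if it can land under a directory owned by `$pki_user`, a `set_file_props($pki_instance_initscript_path, $default_exe_permissions, "root", "root")` style call (or the project's convention for root-owned files) would make the intent explicit. The enclosing else-branch continues outside the hunk.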
diff --git a/pki/base/setup/pkiremove b/pki/base/setup/pkiremove
index 272384cb2..bf347e28c 100755
--- a/pki/base/setup/pkiremove
+++ b/pki/base/setup/pkiremove
@@ -105,6 +105,7 @@ my $pki_instance_root = undef;
my $pki_instance_name = undef;
my $force = 0;
+my $conf_file = undef;
my $pki_instance_path = undef;
my $subsystem_type = undef;
@@ -163,7 +164,6 @@ EOF
sub update_domain
{
- my $conf_file = $pki_instance_path . "/conf/CS.cfg";
my $sport;
my $ncsport;
my $sechost;
@@ -175,32 +175,23 @@ sub update_domain
my $agentsport;
my $secselect;
my $subsystemnick;
- my $typeval;
my $machinename;
my $subsytemnick;
my $url;
- open(DAT, $conf_file) or die "Could not open CS.cfg file to update security domain";
- my @conf_data=<DAT>;
- foreach my $line (@conf_data) {
- chomp($line);
- (my $varname, my $valname) = split(/=/, $line);
-
- if ($varname eq "cs.type") { $typeval = $valname; }
- if ($varname eq "service.machineName") { $machinename = $valname; }
- if ($varname eq "service.securityDomainPort") { $sport = $valname; }
- if ($varname eq "service.non_clientauth_securePort") { $ncsport = $valname; }
- if ($varname eq "securitydomain.host") { $sechost = $valname; }
- if ($varname eq "securitydomain.httpport") { $httpport = $valname; }
- if ($varname eq "securitydomain.httpseeport") { $seceeport = $valname; }
- if ($varname eq "securitydomain.httpsagentport") { $secagentport = $valname; }
- if ($varname eq "securitydomain.httpsadminport") { $secadminport = $valname; }
- if ($varname eq "securitydomain.select") { $secselect = $valname; }
- if ($varname eq "pkiremove.cert.subsystem.nickname") { $subsystemnick = $valname; }
- if ($varname eq "pkicreate.admin_secure_port") { $adminsport = $valname; }
- if ($varname eq "pkicreate.agent_secure_port") { $agentsport = $valname; }
- }
- close(DAT);
+ get_cs_cfg($conf_file, {"service.machineName" => \$machinename,
+ "service.securityDomainPort" => \$sport,
+ "service.non_clientauth_securePort" => \$ncsport,
+ "securitydomain.host" => \$sechost,
+ "securitydomain.httpport" => \$httpport,
+ "securitydomain.httpseeport" => \$seceeport,
+ "securitydomain.httpsagentport" => \$secagentport,
+ "securitydomain.httpsadminport" => \$secadminport,
+ "securitydomain.select" => \$secselect,
+ "pkiremove.cert.subsystem.nickname" => \$subsystemnick,
+ "pkicreate.admin_secure_port" => \$adminsport,
+ "pkicreate.agent_secure_port" => \$agentsport});
+
# NOTE: Don't check for the existence of $httpport, as this will
# be undefined for a Security Domain that has been migrated!
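Review bot: The manual parser this replaces died when CS.cfg could not be opened (`open(DAT, $conf_file) or die ...`), whereas the result of the new `get_cs_cfg` call is not checked, so if the file is unreadable `$sechost` and `$seceeport` stay undefined and the `https://` URL assembled a few lines below is built from empty strings. main's later `cs.type` lookup does test for `undef`, so the same discipline here, e.g. `get_cs_cfg(...) or die "Could not read $conf_file";` if the function returns false on failure, would restore the previous behaviour; the same applies to the call in remove_selinux_ports. get_cs_cfg's definition is not in this diff chunk, so its return convention is inferred and should be confirmed.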
@@ -216,7 +207,7 @@ sub update_domain
if ($secselect ne "new") {
# This is not a domain master, so we need to update the master
print(STDOUT "Contacting the security domain master to update the security domain\n");
- my $listval = $typeval . "List";
+ my $listval = $subsystem_type . "List";
my $urlheader = "https://" . $sechost . ":" . $seceeport;
my $urlagentheader = "https://" . $sechost . ":" . $secagentport;
my $urladminheader = "https://" . $sechost . ":" . $secadminport;
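Review bot: `$listval` is now built from `$subsystem_type`, which main lower-cases (`$subsystem_type = lc($subsystem_type);`) before these routines run, whereas the removed `$typeval` was the raw `cs.type` value that the old code compared against `"CA"`, `"KRA"` and so on; the value sent to the security domain master therefore changes from e.g. `CAList` to `caList`, and likewise the `'type'` form parameter in the later hunk of this function. Unless the master's handler is case-insensitive, the update request will no longer match and the removed instance stays registered in the security domain; sending `uc($subsystem_type)` for both, with a comment `# the security domain expects the upper-case cs.type form`, preserves the wire format. update_domain continues outside the hunk.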
@@ -235,10 +226,11 @@ sub update_domain
my @pw_data=<DAT>;
foreach my $line (@pw_data) {
chomp($line);
- if (($typeval eq "CA") ||
- ($typeval eq "KRA") ||
- ($typeval eq "OCSP") ||
- ($typeval eq "TKS")) {
+
+ if (($subsystem_type eq $CA) ||
+ ($subsystem_type eq $KRA) ||
+ ($subsystem_type eq $OCSP) ||
+ ($subsystem_type eq $TKS)) {
(my $varname, my $valname) = split(/=/, $line);
if ($varname eq "internal") { $intpw = $valname; }
} else { # TPS, RA
@@ -269,7 +261,7 @@ sub update_domain
my $response = $browser->post($url,
[
'name' => $pki_instance_name,
- 'type' => $typeval,
+ 'type' => $subsystem_type,
'list' => $listval,
'host' => $machinename,
'sport' => $sport,
@@ -317,8 +309,10 @@ sub remove_selinux_fcontexts
my $ftype;
my $java_component = 0;
- if (($subsystem_type eq "ca") || ($subsystem_type eq "kra") || ($subsystem_type eq "ocsp")
- || ($subsystem_type eq "tks")) {
+ if (($subsystem_type eq $CA) ||
+ ($subsystem_type eq $KRA) ||
+ ($subsystem_type eq $OCSP) ||
+ ($subsystem_type eq $TKS)) {
$java_component=1;
}
@@ -373,30 +367,19 @@ sub remove_selinux_ports
{
my $status;
my $semanage = "/usr/sbin/semanage";
- my $conf_file = $pki_instance_path . "/conf/CS.cfg";
- my $typeval;
my $secure_port;
my $non_clientauth_secure_port;
my $unsecure_port;
my @ports = ();
- # get cs type
- open(DAT, $conf_file) or die "Could not open CS.cfg file.";
- my @conf_data=<DAT>;
- foreach my $line (@conf_data) {
- chomp($line);
- (my $varname, my $valname) = split(/=/, $line);
- if ($varname eq "cs.type") { $typeval = $valname; }
- if ($varname eq "service.securePort") { $secure_port = $valname; }
- if ($varname eq "service.non_clientauth_securePort") { $non_clientauth_secure_port = $valname; }
- if ($varname eq "service.unsecurePort") { $unsecure_port = $valname; }
- }
- close(DAT);
+ get_cs_cfg($conf_file, {"service.securePort" => \$secure_port,
+ "service.non_clientauth_securePort" => \$non_clientauth_secure_port,
+ "service.unsecurePort" => \$unsecure_port});
- # for use in other routines
- $subsystem_type = lc($typeval);
-
- if (($typeval eq "CA") || ($typeval eq "KRA") || ($typeval eq "OCSP") || ($typeval eq "TKS")) {
+ if (($subsystem_type eq $CA) ||
+ ($subsystem_type eq $KRA) ||
+ ($subsystem_type eq $OCSP) ||
+ ($subsystem_type eq $TKS)) {
use XML::LibXML;
my $parser = XML::LibXML->new();
my $config = $parser->parse_file($pki_instance_path . "/conf/server.xml")
@@ -427,7 +410,7 @@ sub remove_selinux_ports
print(STDOUT "\n");
foreach my $port (@ports) {
- my $setype = "pki_" . lc($typeval) . "_port_t";
+ my $setype = "pki_" . $subsystem_type . "_port_t";
my $errs;
print STDOUT "Removing port $port from selinux policy.\n";
next if $dry_run;
@@ -548,11 +531,11 @@ sub main
}
# Parse command-line arguments.
- $result = GetOptions("pki_instance_root=s" => \$pki_instance_root,
- "pki_instance_name=s" => \$pki_instance_name,
- "verbose+" => \$verbose,
- "dry_run" => \$dry_run,
- "force" => \$force);
+ $result = GetOptions("pki_instance_root=s" => \$pki_instance_root,
+ "pki_instance_name=s" => \$pki_instance_name,
+ "verbose+" => \$verbose,
+ "dry_run" => \$dry_run,
+ "force" => \$force);
# Always disallow root to be the pki_instance_root.
if ($pki_instance_root eq "/") {
@@ -608,6 +591,14 @@ sub main
emit(" pki_instance_name $pki_instance_name\n");
emit(" pki_instance_path $pki_instance_path\n");
+ $conf_file = $pki_instance_path . "/conf/CS.cfg";
+ $subsystem_type = get_cs_cfg($conf_file, "cs.type");
+ if (!defined($subsystem_type)) {
+ emit("Could not determine the subsystem type from the file \"$conf_file\"\n", "error");
+ exit 1;
+ }
+ $subsystem_type = lc($subsystem_type);
+
# Remove the specified instance
$result = remove_instance();
if ($result != 1) {
diff --git a/pki/base/tks/build.xml b/pki/base/tks/build.xml
index 6ff2de31e..21ec940b6 100644
--- a/pki/base/tks/build.xml
+++ b/pki/base/tks/build.xml
@@ -191,6 +191,7 @@
filemode="644"
prefix="usr/share/${product.prefix}/${product}/setup">
<include name="config.desktop"/>
+ <include name="registry_instance"/>
</zipfileset>
<zipfileset dir="./shared/etc/init.d"
filemode="755"
@@ -198,15 +199,9 @@
<include name="pki-tksd"/>
</zipfileset>
<zipfileset dir="./shared"
- filemode="755"
- prefix="usr/share/${product.prefix}/${product}">
- <include name="conf/dtomcat5"/>
- </zipfileset>
- <zipfileset dir="./shared"
filemode="644"
prefix="usr/share/${product.prefix}/${product}">
<include name="**"/>
- <exclude name="conf/dtomcat5"/>
<exclude name="etc/init.d/pki-tksd"/>
</zipfileset>
<zipfileset dir="."
@@ -230,6 +225,7 @@
mode="644"
prefix="${dist.name}/usr/share/${product.prefix}/${product}/setup">
<include name="config.desktop"/>
+ <include name="registry_instance"/>
</tarfileset>
<tarfileset dir="./shared/etc/init.d"
mode="755"
@@ -237,15 +233,9 @@
<include name="pki-tksd"/>
</tarfileset>
<tarfileset dir="./shared"
- mode="755"
- prefix="${dist.name}/usr/share/${product.prefix}/${product}">
- <include name="conf/dtomcat5"/>
- </tarfileset>
- <tarfileset dir="./shared"
mode="644"
prefix="${dist.name}/usr/share/${product.prefix}/${product}">
<include name="**"/>
- <exclude name="conf/dtomcat5"/>
<exclude name="etc/init.d/pki-tksd"/>
</tarfileset>
<tarfileset dir="."
diff --git a/pki/base/tks/setup/registry_instance b/pki/base/tks/setup/registry_instance
new file mode 100644
index 000000000..7f0e592a1
--- /dev/null
+++ b/pki/base/tks/setup/registry_instance
@@ -0,0 +1,54 @@
+# Establish PKI Variable "Slot" Substitutions
+
+PKI_FLAVOR=[PKI_FLAVOR]
+export PKI_FLAVOR
+
+PKI_SUBSYSTEM_TYPE=[PKI_SUBSYSTEM_TYPE]
+export PKI_SUBSYSTEM_TYPE
+
+PKI_USER=[PKI_USER]
+export PKI_USER
+
+PKI_GROUP=[PKI_GROUP]
+export PKI_GROUP
+
+PKI_INSTANCE_ID=[PKI_INSTANCE_ID]
+export PKI_INSTANCE_ID
+
+PKI_INSTANCE_PATH=[PKI_INSTANCE_PATH]
+export PKI_INSTANCE_PATH
+
+PKI_INSTANCE_INITSCRIPT=[PKI_INSTANCE_INITSCRIPT]
+export PKI_INSTANCE_INITSCRIPT
+
+PKI_SERVER_XML_CONF=[PKI_SERVER_XML_CONF]
+export PKI_SERVER_XML_CONF
+
+# Use CATALINA_BASE
+
+CATALINA_BASE=$PKI_INSTANCE_PATH
+export CATALINA_BASE
+
+TOMCAT_PROG=$PKI_INSTANCE_ID
+export TOMCAT_PROG
+
+TOMCAT_USER=$PKI_USER
+export TOMCAT_USER
+
+TOMCAT_GROUP=$PKI_GROUP
+export TOMCAT_GROUP
+
+PKI_LOCKDIR="/var/lock/${PKI_FLAVOR}/${PKI_SUBSYSTEM_TYPE}"
+export PKI_LOCKDIR
+
+PKI_LOCKFILE="${PKI_LOCKDIR}/${PKI_INSTANCE_ID}.pid"
+export PKI_LOCKFILE
+
+TOMCAT_PIDFILE=[TOMCAT_PIDFILE]
+export TOMCAT_PIDFILE
+
+pki_instance_configuration_file=${PKI_INSTANCE_PATH}/conf/CS.cfg
+export pki_instance_configuration_file
+
+RESTART_SERVER=${PKI_INSTANCE_PATH}/conf/restart_server_after_configuration
+export RESTART_SERVER
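Review bot: The substituted values are assigned unquoted (`PKI_INSTANCE_PATH=[PKI_INSTANCE_PATH]`, `PKI_INSTANCE_ID=[PKI_INSTANCE_ID]`), so an instance path or id containing whitespace or glob characters breaks the file when it is sourced (presumably by the init script); quoting each assignment, `PKI_INSTANCE_PATH="[PKI_INSTANCE_PATH]"`, costs nothing and matches how `PKI_LOCKDIR` below is written. `PKI_LOCKDIR` is hard-coded as `/var/lock/${PKI_FLAVOR}/${PKI_SUBSYSTEM_TYPE}` while pkicreate computes `$pki_lockdir_path` from `$default_lockdir` and exposes a `$PKI_LOCKDIR` slot (currently populated only in the RA/TPS branch), so the two can silently diverge; populating that slot for this branch and writing `PKI_LOCKDIR="[PKI_LOCKDIR]"` keeps one source of truth. `PKI_LOCKFILE` ends in `.pid` while a separate `TOMCAT_PIDFILE` exists, which a one-line comment explaining the distinction would clarify.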
diff --git a/pki/base/tks/shared/conf/catalina.policy b/pki/base/tks/shared/conf/catalina.policy
index 8f481e333..cf8302cd0 100644
--- a/pki/base/tks/shared/conf/catalina.policy
+++ b/pki/base/tks/shared/conf/catalina.policy
@@ -1,5 +1,26 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// Copyright (C) 2006-2010 Red Hat, Inc.
+// All rights reserved.
+// Modifications: configuration parameters
+// --- END COPYRIGHT BLOCK ---
+
+// Licensed to the Apache Software Foundation (ASF) under one or more
+// contributor license agreements. See the NOTICE file distributed with
+// this work for additional information regarding copyright ownership.
+// The ASF licenses this file to You under the Apache License, Version 2.0
+// (the "License"); you may not use this file except in compliance with
+// the License. You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
// ============================================================================
-// catalina.corepolicy - Security Policy Permissions for Tomcat 5
+// catalina.corepolicy - Security Policy Permissions for Tomcat 6
//
// This file contains a default set of security policies to be enforced (by the
// JVM) when Catalina is executed with the "-security" option. In addition
@@ -40,35 +61,16 @@ grant codeBase "file:${java.home}/lib/ext/-" {
// ========== CATALINA CODE PERMISSIONS =======================================
-// These permissions apply to the launcher code
-grant codeBase "file:${catalina.home}/bin/commons-launcher.jar" {
- permission java.security.AllPermission;
-};
-
// These permissions apply to the daemon code
grant codeBase "file:${catalina.home}/bin/commons-daemon.jar" {
permission java.security.AllPermission;
};
-// These permissions apply to the commons-logging API
-grant codeBase "file:${catalina.home}/bin/commons-logging-api.jar" {
- permission java.security.AllPermission;
-};
-
-// These permissions apply to the server startup code
-grant codeBase "file:${catalina.home}/bin/bootstrap.jar" {
- permission java.security.AllPermission;
-};
-
-// These permissions apply to the JMX server
-grant codeBase "file:${catalina.home}/bin/jmx.jar" {
- permission java.security.AllPermission;
-};
-
-// These permissions apply to JULI
+// These permissions apply to the logging API
grant codeBase "file:${catalina.home}/bin/tomcat-juli.jar" {
permission java.util.PropertyPermission "java.util.logging.config.class", "read";
permission java.util.PropertyPermission "java.util.logging.config.file", "read";
+ permission java.io.FilePermission "${java.home}${file.separator}lib${file.separator}logging.properties", "read";
permission java.lang.RuntimePermission "shutdownHooks";
permission java.io.FilePermission "${catalina.base}${file.separator}conf${file.separator}logging.properties", "read";
permission java.util.PropertyPermission "catalina.base", "read";
@@ -82,24 +84,19 @@ grant codeBase "file:${catalina.home}/bin/tomcat-juli.jar" {
// permission java.io.FilePermission "${catalina.base}${file.separator}webapps${file.separator}examples${file.separator}WEB-INF${file.separator}classes${file.separator}logging.properties", "read";
};
-// These permissions apply to the servlet API classes
-// and those that are shared across all class loaders
-// located in the "common" directory
-grant codeBase "file:${catalina.home}/common/-" {
+// These permissions apply to the server startup code
+grant codeBase "file:${catalina.home}/bin/bootstrap.jar" {
permission java.security.AllPermission;
};
-// These permissions apply to the container's core code, plus any additional
-// libraries installed in the "server" directory
-grant codeBase "file:${catalina.home}/server/-" {
+// These permissions apply to the servlet API classes
+// and those that are shared across all class loaders
+// located in the "lib" directory
+grant codeBase "file:${catalina.home}/lib/-" {
permission java.security.AllPermission;
};
-// The permissions granted to the balancer WEB-INF/classes and WEB-INF/lib directory
-grant codeBase "file:${catalina.home}/webapps/balancer/-" {
- permission java.lang.RuntimePermission "accessClassInPackage.org.apache.tomcat.util.digester";
- permission java.lang.RuntimePermission "accessClassInPackage.org.apache.tomcat.util.digester.*";
-};
+
// ========== WEB APPLICATION PERMISSIONS =====================================
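Review bot: The new `${catalina.home}/lib/-` grant replaces the Tomcat 5 `common/-` and `server/-` grants, but nothing in the resulting file grants the PKI codebases that the final hunk deletes (`/usr/lib/java/jss4.jar`, `/usr/share/java/pki/-`, ldapjdk, tomcatjss); if Catalina is ever started with `-security`, those classes fall back to the default web-application grant and JSS/LDAP initialisation would fail with an AccessControlException. Whether those jars now resolve under `${catalina.home}/lib` or via the `[TOMCAT_INSTANCE_COMMON_LIB]` loader path is not visible in this file, so a comment after this grant stating where the PKI jars are expected to load from, and why no separate grant is needed, would save the next reader the search.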
@@ -147,6 +144,9 @@ grant {
permission java.lang.RuntimePermission "accessClassInPackage.org.apache.jasper.runtime";
permission java.lang.RuntimePermission "accessClassInPackage.org.apache.jasper.runtime.*";
+ // Precompiled JSPs need access to this system property.
+ permission java.util.PropertyPermission "org.apache.jasper.runtime.BodyContentImpl.LIMIT_BUFFER", "read";
+
};
@@ -182,58 +182,3 @@ grant {
// permission java.net.SocketPermission "*.noaa.gov:80", "connect";
// };
-
-
-// These permissions apply to Tomcat5 java
-grant codeBase "file:/usr/share/java/tomcat5/-" {
- permission java.security.AllPermission;
-};
-grant codeBase "file:/usr/share/java/jakarta-commons-modeler.jar" {
- permission java.security.AllPermission;
-};
-grant codeBase "file:/usr/share/java/jasper5-compiler.jar" {
- permission java.security.AllPermission;
-};
-grant codeBase "file:/usr/share/java/jasper5-runtime.jar" {
- permission java.security.AllPermission;
-};
-
-
-
-// These permissions apply to PKI configuration
-grant codeBase "file:/usr/share/java/velocity.jar" {
- permission java.security.AllPermission;
-};
-grant codeBase "file:/usr/share/java/tomcat5-servlet-2.4-api.jar" {
- permission java.security.AllPermission;
-};
-
-
-
-
-// These permissions apply to PKI support
-grant codeBase "file:/usr/share/java/ldapjdk.jar" {
- permission java.security.AllPermission;
-};
-
-
-
-// These permissions apply to PKI
-grant codeBase "file:/usr/lib/java/jss4.jar" {
- permission java.security.AllPermission;
-};
-grant codeBase "file:/usr/share/java/tomcatjss.jar" {
- permission java.security.AllPermission;
-};
-grant codeBase "file:/usr/lib/java/osutil.jar" {
- permission java.security.AllPermission;
-};
-grant codeBase "file:/usr/lib/java/symkey.jar" {
- permission java.security.AllPermission;
-};
-grant codeBase "file:/usr/share/java/pki/-" {
- permission java.security.AllPermission;
-};
-
-
-
diff --git a/pki/base/tks/shared/conf/catalina.properties b/pki/base/tks/shared/conf/catalina.properties
index 3778ce4f6..70cb7c05e 100644
--- a/pki/base/tks/shared/conf/catalina.properties
+++ b/pki/base/tks/shared/conf/catalina.properties
@@ -1,8 +1,24 @@
# --- BEGIN COPYRIGHT BLOCK ---
-# Copyright (C) 2006 Red Hat, Inc.
+# Copyright (C) 2006-2010 Red Hat, Inc.
# All rights reserved.
+# Modifications: configuration parameters
# --- END COPYRIGHT BLOCK ---
+
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
#
# List of comma-separated packages that start with or equal this string
# will cause a security exception to be thrown when
@@ -34,7 +50,7 @@ package.definition=sun.,java.,org.apache.catalina.,org.apache.coyote.,org.apache
# "foo/*.jar": Add all the JARs of the specified folder as class
# repositories
# "foo/bar.jar": Add bar.jar as a class repository
-common.loader=${catalina.home}/common/classes,${catalina.home}/common/i18n/*.jar,${catalina.home}/common/endorsed/*.jar,${catalina.home}/common/lib/*.jar
+common.loader=${catalina.home}/lib,${catalina.home}/lib/*.jar,[TOMCAT_INSTANCE_COMMON_LIB]
#
# List of comma-separated paths defining the contents of the "server"
@@ -47,7 +63,7 @@ common.loader=${catalina.home}/common/classes,${catalina.home}/common/i18n/*.jar
# "foo/*.jar": Add all the JARs of the specified folder as class
# repositories
# "foo/bar.jar": Add bar.jar as a class repository
-server.loader=${catalina.home}/server/classes,${catalina.home}/server/lib/*.jar
+server.loader=
#
# List of comma-separated paths defining the contents of the "shared"
@@ -59,7 +75,9 @@ server.loader=${catalina.home}/server/classes,${catalina.home}/server/lib/*.jar
# "foo/*.jar": Add all the JARs of the specified folder as class
# repositories
# "foo/bar.jar": Add bar.jar as a class repository
-shared.loader=${catalina.base}/shared/classes,${catalina.base}/shared/lib/*.jar
+# Please note that for single jars, e.g. bar.jar, you need the URL form
+# starting with file:.
+shared.loader=
#
# String cache configuration.
diff --git a/pki/base/tks/shared/conf/context.xml b/pki/base/tks/shared/conf/context.xml
index 60878b74b..8b6fe4905 100644
--- a/pki/base/tks/shared/conf/context.xml
+++ b/pki/base/tks/shared/conf/context.xml
@@ -1,9 +1,27 @@
+<?xml version='1.0' encoding='utf-8'?>
<!-- BEGIN COPYRIGHT BLOCK
- Copyright (C) 2006 Red Hat, Inc.
+ Copyright (C) 2006-2010 Red Hat, Inc.
All rights reserved.
+ Modifications: configuration parameters
END COPYRIGHT BLOCK -->
+<!--
+ Licensed to the Apache Software Foundation (ASF) under one or more
+ contributor license agreements. See the NOTICE file distributed with
+ this work for additional information regarding copyright ownership.
+ The ASF licenses this file to You under the Apache License, Version 2.0
+ (the "License"); you may not use this file except in compliance with
+ the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+-->
<!-- The contents of this file will be loaded for each web application -->
-<Context crossContext="true">
+<Context crossContext="true" allowLinking="true">
<!-- Default set of monitored resources -->
<WatchedResource>WEB-INF/web.xml</WatchedResource>
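Review bot: `allowLinking="true"` is added to the default `<Context>` without a comment explaining why; it lets Tomcat serve resources reached through symbolic links, so any symlink created under a webapp's docBase, including one pointing outside the instance directory, becomes servable, and because this is the default context file it applies to every web application in the instance. If it is needed because the subsystem webapps are installed as symlinks into the instance directory, say so next to the attribute, e.g. `<!-- allowLinking: webapp content is symlinked from the shared install directory -->`, so the setting is not carried forward by a future layout that no longer needs it. The remainder of the Context body is in the following hunk.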
@@ -13,4 +31,10 @@
<Manager pathname="" />
-->
+ <!-- Uncomment this to enable Comet connection tacking (provides events
+ on session expiration as well as webapp lifecycle) -->
+ <!--
+ <Valve className="org.apache.catalina.valves.CometConnectionManagerValve" />
+ -->
+
</Context>
diff --git a/pki/base/tks/shared/conf/dtomcat5 b/pki/base/tks/shared/conf/dtomcat5
deleted file mode 100755
index 2eeb889e6..000000000
--- a/pki/base/tks/shared/conf/dtomcat5
+++ /dev/null
@@ -1,476 +0,0 @@
-#!/bin/bash
-#
-# --- BEGIN COPYRIGHT BLOCK ---
-# Copyright (C) 2006 Red Hat, Inc.
-# All rights reserved.
-# --- END COPYRIGHT BLOCK ---
-#
-# -----------------------------------------------------------------------------
-# Start/Stop Script for the CATALINA Server
-#
-# Environment Variable Prequisites
-#
-# CATALINA_HOME May point at your Catalina "build" directory.
-#
-# CATALINA_BASE (Optional) Base directory for resolving dynamic portions
-# of a Catalina installation. If not present, resolves to
-# the same directory that CATALINA_HOME points to.
-#
-# CATALINA_OPTS (Optional) Java runtime options used when the "start",
-# "stop", or "run" command is executed.
-#
-# CATALINA_TMPDIR (Optional) Directory path location of temporary directory
-# the JVM should use (java.io.tmpdir). Defaults to
-# $CATALINA_BASE/temp.
-#
-# JAVA_HOME Must point at your Java Development Kit installation.
-# Required to run the with the "debug" or "javac" argument.
-#
-# JRE_HOME Must point at your Java Development Kit installation.
-# Defaults to JAVA_HOME if empty.
-#
-# JAVA_OPTS (Optional) Java runtime options used when the "start",
-# "stop", or "run" command is executed.
-#
-# JPDA_TRANSPORT (Optional) JPDA transport used when the "jpda start"
-# command is executed. The default is "dt_socket".
-#
-# JPDA_ADDRESS (Optional) Java runtime options used when the "jpda start"
-# command is executed. The default is 8000.
-#
-# JSSE_HOME (Optional) May point at your Java Secure Sockets Extension
-# (JSSE) installation, whose JAR files will be added to the
-# system class path used to start Tomcat.
-#
-# CATALINA_PID (Optional) Path of the file which should contains the pid
-# of catalina startup java process, when start (fork) is used
-#
-# $Id$
-# -----------------------------------------------------------------------------
-
-# Disallow 'others' the ability to 'write' to new files
-umask 00002
-
-# Check to insure that this script's original invocation directory
-# has not been deleted!
-CWD=`/bin/pwd > /dev/null 2>&1`
-if [ $? -ne 0 ] ; then
- echo "Cannot invoke '$0' from non-existent directory!"
- exit 255
-fi
-
-# Check to insure that this script's associated PKI
-# subsystem currently resides on this system.
-PKI_SUBSYSTEM_TYPE=[PKI_SUBSYSTEM_TYPE]
-if [ ! -d /usr/share/pki/${PKI_SUBSYSTEM_TYPE} ] ; then
- echo "This machine is missing the '${PKI_SUBSYSTEM_TYPE}' subsystem!"
- exit 255
-fi
-
-# OS specific support. $var _must_ be set to either true or false.
-OS=`uname -s`
-cygwin=false
-os400=false
-case "${OS}" in
-CYGWIN*) cygwin=true;;
-OS400*) os400=true;;
-esac
-
-TOMCAT_CFG=[PKI_INSTANCE_PATH]/conf/tomcat5.conf
-JAVADIR="/usr/share/java"
-
-# resolve links - $0 may be a softlink
-PRG="$0"
-
-while [ -h "$PRG" ]; do
- ls=`ls -ld "$PRG"`
- link=`expr "$ls" : '.*-> \(.*\)$'`
- if expr "$link" : '.*/.*' > /dev/null; then
- PRG="$link"
- else
- PRG=`dirname "$PRG"`/"$link"
- fi
-done
-
-# Get standard environment variables
-PRGDIR=`dirname "$PRG"`
-
-# Only set CATALINA_HOME if not already set
-[ -z "$CATALINA_HOME" ] && CATALINA_HOME=`cd "$PRGDIR/.." ; pwd`
-
-if [ -r "$CATALINA_HOME"/bin/setenv.sh ]; then
- . "$CATALINA_HOME"/bin/setenv.sh
-fi
-
-# For Cygwin, ensure paths are in UNIX format before anything is touched
-if $cygwin; then
- [ -n "$JAVA_HOME" ] && JAVA_HOME=`cygpath --unix "$JAVA_HOME"`
- [ -n "$JRE_HOME" ] && JRE_HOME=`cygpath --unix "$JRE_HOME"`
- [ -n "$CATALINA_HOME" ] && CATALINA_HOME=`cygpath --unix "$CATALINA_HOME"`
- [ -n "$CATALINA_BASE" ] && CATALINA_BASE=`cygpath --unix "$CATALINA_BASE"`
- [ -n "$CLASSPATH" ] && CLASSPATH=`cygpath --path --unix "$CLASSPATH"`
- [ -n "$JSSE_HOME" ] && JSSE_HOME=`cygpath --absolute --unix "$JSSE_HOME"`
-fi
-
-# For OS400
-if $os400; then
- # Set job priority to standard for interactive (interactive - 6) by using
- # the interactive priority - 6, the helper threads that respond to requests
- # will be running at the same priority as interactive jobs.
- COMMAND='chgjob job('$JOBNAME') runpty(6)'
- system $COMMAND
-
- # Enable multi threading
- export QIBM_MULTI_THREADED=Y
-fi
-
-[ -r "$TOMCAT_CFG" ] && . "${TOMCAT_CFG}"
-
-### Set up defaults if they were omitted in TOMCAT_CFG
-### JVM lookup
-if [ -z "$JAVA_HOME" ]; then
- # Search for java in PATH
- JAVA=`which java`
- if [ -z "$JAVA" ] ; then
- JAVA_BINDIR=`dirname ${JAVA}`
- JAVA_HOME="${JAVA_BINDIR}/.."
- fi
- # Default clean JAVA_HOME
- [ -z "$JAVA_HOME" -a -d "/usr/lib/java" ] && JAVA_HOME="/usr/lib/java"
- # Default IBM JAVA_HOME
- [ -z "$JAVA_HOME" -a -d "/opt/IBMJava2-13" ] && \
- JAVA_HOME="/opt/IBMJava2-13"
- [ -z "$JAVA_HOME" -a -d "/opt/IBMJava2-131" ] && \
- JAVA_HOME="/opt/IBMJava2-131"
- [ -z "$JAVA_HOME" -a -d "/opt/IBMJava2-14" ] && \
- JAVA_HOME="/opt/IBMJava2-14"
- [ -z "$JAVA_HOME" -a -d "/opt/IBMJava2-141" ] && \
- JAVA_HOME="/opt/IBMJava2-141"
- # Another solution
- [ -z "$JAVA_HOME" -a -d "/usr/java/jdk" ] && \
- JAVA_HOME="/usr/java/jdk"
- # madeinlinux JAVA_HOME
- [ -z "$JAVA_HOME" -a -d "/usr/local/jdk1.2.2" ] && \
- JAVA_HOME="/usr/local/jdk1.2.2"
- # Kondara JAVA_HOME
- [ -z "$JAVA_HOME" -a -d "/usr/lib/java/jdk1.2.2" ] && \
- JAVA_HOME="/usr/lib/java/jdk1.2.2"
- # Other commonly found JAVA_HOMEs
- [ -z "$JAVA_HOME" -a -d "/usr/jdk1.2" ] && JAVA_HOME="/usr/jdk1.2"
- # Default Caldera JAVA_HOME
- [ -z "$JAVA_HOME" -a -d "/opt/java-1.3" ] && \
- JAVA_HOME="/opt/java-1.3"
- # Add other locations here
- if [ -z "$JAVA_HOME" ]; then
- echo "No JAVA_HOME specified in ${TOMCAT_CFG} and no java found"
- exit 1
- else
- echo "Found JAVA_HOME: ${JAVA_HOME}"
- echo "Please complete your ${TOMCAT_CFG} so we won't have to look for it next time"
- fi
-fi
-
-# Set juli LogManager if it is present
-if [ -r "$CATALINA_HOME"/bin/tomcat-juli.jar ]; then
- JAVA_OPTS="$JAVA_OPTS "-Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager
-fi
-
-# Set standard commands for invoking Java.
-_RUNJAVA="$JAVA_HOME"/bin/java
-_RUNJAVAC="$JAVA_HOME"/bin/javac
-_RUNJDB="$JAVA_HOME"/bin/jdb
-
-# Set standard CLASSPATH
-# (always inherit any preset values from the PKI start script)
-if [ ${OS} = "Linux" ] ; then
- # Checking for OpenJDK JVM
- OPENJDK_JVM="`java -version 2>&1 | tail -1 | awk '{print $1};'`"
- if [ "${OPENJDK_JVM}" = "OpenJDK" ] ||
- [ "${OPENJDK_JVM}" = "IcedTea" ]; then
- # using OpenJDK
- CLASSPATH="$CLASSPATH":"$JAVA_HOME"/lib/rt.jar
-
- # add required classes to the CLASSPATH for OpenJDK
- CLASSPATH="$CLASSPATH":"$JAVADIR"/commons-collections.jar
- else
- # NOT using OpenJDK
- CLASSPATH="$CLASSPATH":"$JAVA_HOME"/lib/tools.jar
- fi
-elif [ ${OS} = "SunOS" ] ; then
- CLASSPATH="$CLASSPATH":"$JAVA_HOME"/lib/rt.jar
-fi
-
-# Add on extra jar files to CLASSPATH
-if [ -n "$JSSE_HOME" ]; then
- CLASSPATH="$CLASSPATH":"$JSSE_HOME"/lib/jcert.jar:"$JSSE_HOME"/lib/jnet.jar:"$JSSE_HOME"/lib/jsse.jar
-fi
-
-# JPackage JSSE location check
-if [ -r "$JAVADIR/jsse/jcert.jar" ]; then
- CLASSPATH="$CLASSPATH":"$JAVADIR"/jsse/jcert.jar:"$JAVADIR"/jsse/jnet.jar:"$JAVADIR"/jsse/jsse.jar
-fi
-
-if [ ${OS} = "Linux" ] ; then
- CLASSPATH="$CLASSPATH":"$CATALINA_HOME"/bin/bootstrap.jar:"$CATALINA_HOME"/bin/commons-logging-api.jar:`/usr/bin/build-classpath mx4j/mx4j-impl`:`/usr/bin/build-classpath mx4j/mx4j-jmx`
-
- # add jars in required components for velocity >= 1.6 (just in case)
- VELOCITY=`rpm -q velocity|sed 's/velocity-\([0-9]*\)\.\([0-9]*\).*/\1\2/'`
- if [ "$VELOCITY" -ge 16 ]; then
- CLASSPATH="$CLASSPATH":`/usr/bin/build-classpath bcel hsqldb commons-collections commons-lang commons-logging commons-logging-api jdom junit oro servletapi5 werken.xpath`
- fi
-
-elif [ ${OS} = "SunOS" ] ; then
- # The following definitions are provided for Solaris
- # platforms since they are unable to execute the
- # "/usr/bin/build-classpath" and
- # "/usr/share/java-utils/java-functions" files . . .
-
- CLASSPATH="$CLASSPATH":"$CATALINA_HOME"/bin/bootstrap.jar
- CLASSPATH="$CLASSPATH":"$CATALINA_HOME"/bin/commons-logging-api.jar
- CLASSPATH="$CLASSPATH":/usr/share/java/mx4j/mx4j-impl.jar
- CLASSPATH="$CLASSPATH":/usr/share/java/mx4j/mx4j-jmx.jar
- CLASSPATH="$CLASSPATH":/usr/share/java/pki/base.jar
- CLASSPATH="$CLASSPATH":/usr/share/java/pki/certsrv.jar
- CLASSPATH="$CLASSPATH":/usr/share/java/pki/cms.jar
- CLASSPATH="$CLASSPATH":/usr/share/java/pki/cms72.jar
- CLASSPATH="$CLASSPATH":/usr/share/java/pki/cms72_en.jar
- CLASSPATH="$CLASSPATH":/usr/share/java/pki/cmsbundle.jar
- CLASSPATH="$CLASSPATH":/usr/share/java/pki/cmscore.jar
- CLASSPATH="$CLASSPATH":/usr/share/java/pki/cmsutil.jar
- CLASSPATH="$CLASSPATH":/usr/share/java/pki/mcc70.jar
- CLASSPATH="$CLASSPATH":/usr/share/java/pki/mcc70_en.jar
- CLASSPATH="$CLASSPATH":/usr/share/java/pki/nmclf70.jar
- CLASSPATH="$CLASSPATH":/usr/share/java/pki/nmclf70_en.jar
- CLASSPATH="$CLASSPATH":/usr/share/java/pki/nsutil.jar
-
- if [ -f /usr/share/java/pkitools.jar ]; then
- CLASSPATH="$CLASSPATH":/usr/share/java/pkitools.jar
- elif [ -f /usr/share/java/cstools.jar ]; then
- CLASSPATH="$CLASSPATH":/usr/share/java/cstools.jar
- elif [ -f /usr/share/java/pki/cstools.jar ]; then
- CLASSPATH="$CLASSPATH":/usr/share/java/pki/cstools.jar
- fi
-
- if [ -f /usr/share/java/ca.jar ]; then
- CLASSPATH="$CLASSPATH":/usr/share/java/ca.jar
- elif [ -f /usr/share/java/pki/ca/ca.jar ]; then
- CLASSPATH="$CLASSPATH":/usr/share/java/pki/ca/ca.jar
- fi
- if [ -f /usr/share/java/kra.jar ]; then
- CLASSPATH="$CLASSPATH":/usr/share/java/kra.jar
- elif [ -f /usr/share/java/pki/kra/kra.jar ]; then
- CLASSPATH="$CLASSPATH":/usr/share/java/pki/kra/kra.jar
- fi
- if [ -f /usr/share/java/ocsp.jar ]; then
- CLASSPATH="$CLASSPATH":/usr/share/java/ocsp.jar
- elif [ -f /usr/share/java/pki/ocsp/ocsp.jar ]; then
- CLASSPATH="$CLASSPATH":/usr/share/java/pki/ocsp/ocsp.jar
- fi
- if [ -f /usr/share/java/tks.jar ]; then
- CLASSPATH="$CLASSPATH":/usr/share/java/tks.jar
- elif [ -f /usr/share/java/pki/tks/tks.jar ]; then
- CLASSPATH="$CLASSPATH":/usr/share/java/pki/tks/tks.jar
- fi
-
- # add jars for velocity 1.6 (just in case)
- CLASSPATH="$CLASSPATH":/usr/share/java/bcel.jar
- CLASSPATH="$CLASSPATH":/usr/share/java/hsqldb.jar
- CLASSPATH="$CLASSPATH":/usr/share/java/commons-collections.jar
- CLASSPATH="$CLASSPATH":/usr/share/java/commons-lang.jar
- CLASSPATH="$CLASSPATH":/usr/share/java/commons-logging.jar
- CLASSPATH="$CLASSPATH":/usr/share/java/commons-logging-api.jar
- CLASSPATH="$CLASSPATH":/usr/share/java/jdom.jar
- CLASSPATH="$CLASSPATH":/usr/share/java/junit.jar
- CLASSPATH="$CLASSPATH":/usr/share/java/oro.jar
- CLASSPATH="$CLASSPATH":/usr/share/java/servletapi5.jar
- CLASSPATH="$CLASSPATH":/usr/share/java/werken.xpath.jar
-
-fi
-
-if [ -z "$CATALINA_BASE" ] ; then
- CATALINA_BASE="$CATALINA_HOME"
-fi
-
-if [ -z "$CATALINA_TMPDIR" ] ; then
- # Define the java.io.tmpdir to use for Catalina
- CATALINA_TMPDIR="$CATALINA_BASE"/temp
-fi
-
-if [ -z "$CATALINA_PID" ] ; then
- export CATALINA_PID=/var/run/tomcat5.pid
-fi
-
-# For Cygwin, switch paths to Windows format before running java
-if $cygwin; then
- JAVA_HOME=`cygpath --absolute --windows "$JAVA_HOME"`
- JRE_HOME=`cygpath --absolute --windows "$JRE_HOME"`
- CATALINA_HOME=`cygpath --absolute --windows "$CATALINA_HOME"`
- CATALINA_BASE=`cygpath --absolute --windows "$CATALINA_BASE"`
- CATALINA_TMPDIR=`cygpath --absolute --windows "$CATALINA_TMPDIR"`
- CLASSPATH=`cygpath --path --windows "$CLASSPATH"`
- [ -n "$JSSE_HOME" ] && JSSE_HOME=`cygpath --absolute --windows "$JSSE_HOME"`
- JAVA_ENDORSED_DIRS=`cygpath --path --windows "$JAVA_ENDORSED_DIRS"`
-fi
-
-# ----- Execute The Requested Command -----------------------------------------
-echo "Using CATALINA_PID $CATALINA_PID"
-echo "Using CATALINA_BASE: $CATALINA_BASE"
-echo "Using CATALINA_HOME: $CATALINA_HOME"
-echo "Using CATALINA_TMPDIR: $CATALINA_TMPDIR"
-if [ "$1" = "debug" -o "$1" = "javac" ] ; then
- echo "Using JAVA_HOME: $JAVA_HOME"
-else
- echo "Using JRE_HOME: $JRE_HOME"
-fi
-
-if [ "$1" = "jpda" ] ; then
- if [ -z "$JPDA_TRANSPORT" ]; then
- JPDA_TRANSPORT="dt_socket"
- fi
- if [ -z "$JPDA_ADDRESS" ]; then
- JPDA_ADDRESS="8000"
- fi
- if [ -z "$JPDA_OPTS" ]; then
- JPDA_OPTS="-Xdebug -Xrunjdwp:transport=$JPDA_TRANSPORT,address=$JPDA_ADDRESS,server=y,suspend=n"
- fi
- CATALINA_OPTS="$CATALINA_OPTS $JPDA_OPTS"
- shift
-fi
-
-if [ "$1" = "debug" ] ; then
- if $os400; then
- echo "Debug command not available on OS400"
- exit 1
- else
- shift
- if [ "$1" = "-security" ] ; then
- echo "Using Security Manager"
- shift
- exec "$_RUNJDB" $JAVA_OPTS $CATALINA_OPTS \
- -Djava.endorsed.dirs="$JAVA_ENDORSED_DIRS" -classpath "$CLASSPATH" \
- -sourcepath "$CATALINA_HOME"/../../jakarta-tomcat-catalina/catalina/src/share \
- -Djava.security.manager \
- -Djava.security.policy=="$CATALINA_BASE"/conf/catalina.policy \
- -Dcatalina.base="$CATALINA_BASE" \
- -Dcatalina.home="$CATALINA_HOME" \
- -Djava.io.tmpdir="$CATALINA_TMPDIR" \
- org.apache.catalina.startup.Bootstrap "$@" start
- else
- exec "$_RUNJDB" $JAVA_OPTS $CATALINA_OPTS \
- -Djava.endorsed.dirs="$JAVA_ENDORSED_DIRS" -classpath "$CLASSPATH" \
- -sourcepath "$CATALINA_HOME"/../../jakarta-tomcat-catalina/catalina/src/share \
- -Dcatalina.base="$CATALINA_BASE" \
- -Dcatalina.home="$CATALINA_HOME" \
- -Djava.io.tmpdir="$CATALINA_TMPDIR" \
- org.apache.catalina.startup.Bootstrap "$@" start
- fi
- fi
-
-elif [ "$1" = "run" ]; then
-
- shift
- if [ "$1" = "-security" ] ; then
- echo "Using Security Manager"
- shift
- exec "$_RUNJAVA" $JAVA_OPTS $CATALINA_OPTS \
- -Djava.endorsed.dirs="$JAVA_ENDORSED_DIRS" -classpath "$CLASSPATH" \
- -Djava.security.manager \
- -Djava.security.policy=="$CATALINA_BASE"/conf/catalina.policy \
- -Dcatalina.base="$CATALINA_BASE" \
- -Dcatalina.home="$CATALINA_HOME" \
- -Djava.io.tmpdir="$CATALINA_TMPDIR" \
- org.apache.catalina.startup.Bootstrap "$@" start
- else
- exec "$_RUNJAVA" $JAVA_OPTS $CATALINA_OPTS \
- -Djava.endorsed.dirs="$JAVA_ENDORSED_DIRS" -classpath "$CLASSPATH" \
- -Dcatalina.base="$CATALINA_BASE" \
- -Dcatalina.home="$CATALINA_HOME" \
- -Djava.io.tmpdir="$CATALINA_TMPDIR" \
- org.apache.catalina.startup.Bootstrap "$@" start
- fi
-
-elif [ "$1" = "start" ] ; then
-
- shift
- touch "$CATALINA_BASE"/logs/catalina.out
- if [ "$1" = "-security" ] ; then
- echo "Using Security Manager"
- shift
- "$_RUNJAVA" $JAVA_OPTS $CATALINA_OPTS \
- -Djava.endorsed.dirs="$JAVA_ENDORSED_DIRS" -classpath "$CLASSPATH" \
- -Djava.security.manager \
- -Djava.security.policy=="$CATALINA_BASE"/conf/catalina.policy \
- -Dcatalina.base="$CATALINA_BASE" \
- -Dcatalina.home="$CATALINA_HOME" \
- -Djava.io.tmpdir="$CATALINA_TMPDIR" \
- org.apache.catalina.startup.Bootstrap "$@" start \
- >> "$CATALINA_BASE"/logs/catalina.out 2>&1 &
-
- if [ ! -z "$CATALINA_PID" ]; then
- echo $! > $CATALINA_PID
- fi
- else
- "$_RUNJAVA" $JAVA_OPTS $CATALINA_OPTS \
- -Djava.endorsed.dirs="$JAVA_ENDORSED_DIRS" -classpath "$CLASSPATH" \
- -Dcatalina.base="$CATALINA_BASE" \
- -Dcatalina.home="$CATALINA_HOME" \
- -Djava.io.tmpdir="$CATALINA_TMPDIR" \
- org.apache.catalina.startup.Bootstrap "$@" start \
- >> "$CATALINA_BASE"/logs/catalina.out 2>&1 &
-
- if [ ! -z "$CATALINA_PID" ]; then
- echo $! > $CATALINA_PID
- fi
- fi
-
-elif [ "$1" = "stop" ] ; then
-
- shift
- FORCE=0
- if [ "$1" = "-force" ]; then
- shift
- FORCE=1
- fi
-
- "$_RUNJAVA" $JAVA_OPTS $CATALINA_OPTS \
- -Djava.endorsed.dirs="$JAVA_ENDORSED_DIRS" -classpath "$CLASSPATH" \
- -Dcatalina.base="$CATALINA_BASE" \
- -Dcatalina.home="$CATALINA_HOME" \
- -Djava.io.tmpdir="$CATALINA_TMPDIR" \
- org.apache.catalina.startup.Bootstrap "$@" stop
-
- if [ $FORCE -eq 1 ]; then
- if [ ! -z "$CATALINA_PID" ]; then
- echo "Killing: `cat $CATALINA_PID`"
- kill -9 `cat $CATALINA_PID`
- fi
- fi
-
-elif [ "$1" = "version" ] ; then
-
- "$_RUNJAVA" \
- -classpath "$CATALINA_HOME/server/lib/catalina.jar" \
- org.apache.catalina.util.ServerInfo
-
-else
-
- echo "Usage: dtomcat5 ( commands ... )"
- echo "commands:"
- if $os400; then
- echo " debug Start Catalina in a debugger (not available on OS400)"
- echo " debug -security Debug Catalina with a security manager (not available on OS400)"
- else
- echo " debug Start Catalina in a debugger"
- echo " debug -security Debug Catalina with a security manager"
- fi
- echo " jpda start Start Catalina under JPDA debugger"
- echo " run Start Catalina in the current window"
- echo " run -security Start in the current window with security manager"
- echo " start Start Catalina in a separate window"
- echo " start -security Start in a separate window with security manager"
- echo " stop Stop Catalina"
- echo " stop -force Stop Catalina (followed by kill -KILL)"
- echo " version What version of tomcat are you running?"
- exit 1
-
-fi
diff --git a/pki/base/tks/shared/conf/logging.properties b/pki/base/tks/shared/conf/logging.properties
new file mode 100644
index 000000000..796cfc071
--- /dev/null
+++ b/pki/base/tks/shared/conf/logging.properties
@@ -0,0 +1,70 @@
+# --- BEGIN COPYRIGHT BLOCK ---
+# Copyright (C) 2006-2010 Red Hat, Inc.
+# All rights reserved.
+# Modifications: configuration parameters
+# --- END COPYRIGHT BLOCK ---
+
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+handlers = 1catalina.org.apache.juli.FileHandler, 2localhost.org.apache.juli.FileHandler, 3manager.org.apache.juli.FileHandler, 4host-manager.org.apache.juli.FileHandler, java.util.logging.ConsoleHandler
+
+.handlers = 1catalina.org.apache.juli.FileHandler, java.util.logging.ConsoleHandler
+
+############################################################
+# Handler specific properties.
+# Describes specific configuration info for Handlers.
+############################################################
+
+1catalina.org.apache.juli.FileHandler.level = FINE
+1catalina.org.apache.juli.FileHandler.directory = ${catalina.base}/logs
+1catalina.org.apache.juli.FileHandler.prefix = catalina.
+
+2localhost.org.apache.juli.FileHandler.level = FINE
+2localhost.org.apache.juli.FileHandler.directory = ${catalina.base}/logs
+2localhost.org.apache.juli.FileHandler.prefix = localhost.
+
+3manager.org.apache.juli.FileHandler.level = FINE
+3manager.org.apache.juli.FileHandler.directory = ${catalina.base}/logs
+3manager.org.apache.juli.FileHandler.prefix = manager.
+
+4host-manager.org.apache.juli.FileHandler.level = FINE
+4host-manager.org.apache.juli.FileHandler.directory = ${catalina.base}/logs
+4host-manager.org.apache.juli.FileHandler.prefix = host-manager.
+
+java.util.logging.ConsoleHandler.level = FINE
+java.util.logging.ConsoleHandler.formatter = java.util.logging.SimpleFormatter
+
+
+############################################################
+# Facility specific properties.
+# Provides extra control for each logger.
+############################################################
+
+org.apache.catalina.core.ContainerBase.[Catalina].[localhost].level = INFO
+org.apache.catalina.core.ContainerBase.[Catalina].[localhost].handlers = 2localhost.org.apache.juli.FileHandler
+
+org.apache.catalina.core.ContainerBase.[Catalina].[localhost].[/manager].level = INFO
+org.apache.catalina.core.ContainerBase.[Catalina].[localhost].[/manager].handlers = 3manager.org.apache.juli.FileHandler
+
+org.apache.catalina.core.ContainerBase.[Catalina].[localhost].[/host-manager].level = INFO
+org.apache.catalina.core.ContainerBase.[Catalina].[localhost].[/host-manager].handlers = 4host-manager.org.apache.juli.FileHandler
+
+# For example, set the com.xyz.foo logger to only log SEVERE
+# messages:
+#org.apache.catalina.startup.ContextConfig.level = FINE
+#org.apache.catalina.startup.HostConfig.level = FINE
+#org.apache.catalina.session.ManagerBase.level = FINE
+#org.apache.catalina.core.AprLifecycleListener.level=FINE
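Review bot: The trailing comment block is inconsistent with its own examples: it says "set the com.xyz.foo logger to only log SEVERE messages", but every commented-out example that follows sets a logger to `FINE`, and `com.xyz.foo` appears nowhere. Replace the two comment lines with a description of what the examples actually do, e.g. `# For example, to get verbose deployment and session tracing, uncomment` / `# the following (output volume grows considerably at FINE):`. Note also that `java.util.logging.ConsoleHandler.level = FINE` is attached to the root logger via `.handlers`, so anything a logger emits at FINE is duplicated to the console as well as the file handler; if that is intended, a one-line comment above `.handlers` saying so would help the next maintainer.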
diff --git a/pki/base/tks/shared/conf/server.xml b/pki/base/tks/shared/conf/server.xml
index 71b433bef..9a24cfa44 100644
--- a/pki/base/tks/shared/conf/server.xml
+++ b/pki/base/tks/shared/conf/server.xml
@@ -1,208 +1,196 @@
-<!-- Example Server Configuration File -->
-<!-- Note that component elements are nested corresponding to their
- parent-child relationships with each other -->
-
-<!-- A "Server" is a singleton element that represents the entire JVM,
- which may contain one or more "Service" instances. The Server
- listens for a shutdown command on the indicated port.
-
- Note: A "Server" is not itself a "Container", so you may not
- define subcomponents such as "Valves" or "Loggers" at this level.
+<?xml version='1.0' encoding='utf-8'?>
+<!-- BEGIN COPYRIGHT BLOCK
+ Copyright (C) 2006-2010 Red Hat, Inc.
+ All rights reserved.
+ Modifications: configuration parameters
+ END COPYRIGHT BLOCK -->
+<!--
+ Licensed to the Apache Software Foundation (ASF) under one or more
+ contributor license agreements. See the NOTICE file distributed with
+ this work for additional information regarding copyright ownership.
+ The ASF licenses this file to You under the Apache License, Version 2.0
+ (the "License"); you may not use this file except in compliance with
+ the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+-->
+<!-- Note: A "Server" is not itself a "Container", so you may not
+ define subcomponents such as "Valves" at this level.
+ Documentation at /docs/config/server.html
-->
<!-- DO NOT REMOVE - Begin PKI Status Definitions -->
<!--
-Unsecure Port = http://[PKI_MACHINE_NAME]:[PKI_UNSECURE_PORT]/[PKI_SUBSYSTEM_TYPE]/ee/[PKI_SUBSYSTEM_TYPE]
-Secure Agent Port = https://[PKI_MACHINE_NAME]:[PKI_AGENT_SECURE_PORT]/[PKI_SUBSYSTEM_TYPE]/agent/[PKI_SUBSYSTEM_TYPE]
-Secure EE Port = https://[PKI_MACHINE_NAME]:[PKI_EE_SECURE_PORT]/[PKI_SUBSYSTEM_TYPE]/ee/[PKI_SUBSYSTEM_TYPE]
-Secure Admin Port = https://[PKI_MACHINE_NAME]:[PKI_ADMIN_SECURE_PORT]/[PKI_SUBSYSTEM_TYPE]/services
-PKI Console Port = pkiconsole https://[PKI_MACHINE_NAME]:[PKI_ADMIN_SECURE_PORT]/[PKI_SUBSYSTEM_TYPE]
-Tomcat Port = [TOMCAT_SERVER_PORT] (for shutdown)
+Unsecure Port = http://[PKI_MACHINE_NAME]:[PKI_UNSECURE_PORT]/[PKI_SUBSYSTEM_TYPE]/ee/[PKI_SUBSYSTEM_TYPE]
+Secure Agent Port = https://[PKI_MACHINE_NAME]:[PKI_AGENT_SECURE_PORT]/[PKI_SUBSYSTEM_TYPE]/agent/[PKI_SUBSYSTEM_TYPE]
+Secure EE Port = https://[PKI_MACHINE_NAME]:[PKI_EE_SECURE_PORT]/[PKI_SUBSYSTEM_TYPE]/ee/[PKI_SUBSYSTEM_TYPE]
+Secure Admin Port = https://[PKI_MACHINE_NAME]:[PKI_ADMIN_SECURE_PORT]/[PKI_SUBSYSTEM_TYPE]/services
+PKI Console Port = pkiconsole https://[PKI_MACHINE_NAME]:[PKI_ADMIN_SECURE_PORT]/[PKI_SUBSYSTEM_TYPE]
+Tomcat Port = [TOMCAT_SERVER_PORT] (for shutdown)
-->
<!-- DO NOT REMOVE - End PKI Status Definitions -->
<Server port="[TOMCAT_SERVER_PORT]" shutdown="SHUTDOWN">
- <!-- Comment these entries out to disable JMX MBeans support used for the
- administration web application -->
+ <!--APR library loader. Documentation at /docs/apr.html -->
+ <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />
+ <!--Initialize Jasper prior to webapps are loaded. Documentation at /docs/jasper-howto.html -->
+ <Listener className="org.apache.catalina.core.JasperListener" />
+ <!-- JMX Support for the Tomcat server. Documentation at /docs/non-existent.html -->
<Listener className="org.apache.catalina.mbeans.ServerLifecycleListener" />
<Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener" />
- <Listener className="org.apache.catalina.storeconfig.StoreConfigLifecycleListener"/>
- <!-- Global JNDI resources -->
+ <!-- Global JNDI resources
+ Documentation at /docs/jndi-resources-howto.html
+ -->
<GlobalNamingResources>
-
- <!-- Test entry for demonstration purposes -->
- <Environment name="simpleValue" type="java.lang.Integer" value="30"/>
-
<!-- Editable user database that can also be used by
- UserDatabaseRealm to authenticate users -->
+ UserDatabaseRealm to authenticate users
+ -->
<Resource name="UserDatabase" auth="Container"
type="org.apache.catalina.UserDatabase"
- description="User database that can be updated and saved"
- factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
- pathname="conf/tomcat-users.xml" />
-
+ description="User database that can be updated and saved"
+ factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
+ pathname="conf/tomcat-users.xml" />
</GlobalNamingResources>
<!-- A "Service" is a collection of one or more "Connectors" that share
- a single "Container" (and therefore the web applications visible
- within that Container). Normally, that Container is an "Engine",
- but this is not required.
-
- Note: A "Service" is not itself a "Container", so you may not
- define subcomponents such as "Valves" or "Loggers" at this level.
+ a single "Container" Note: A "Service" is not itself a "Container",
+ so you may not define subcomponents such as "Valves" at this level.
+ Documentation at /docs/config/service.html
-->
-
- <!-- Define the Tomcat Stand-Alone Service -->
<Service name="Catalina">
-
+
+ <!--The connectors can use a shared executor, you can define one or more named thread pools-->
+ <!--
+ <Executor name="tomcatThreadPool" namePrefix="catalina-exec-"
+ maxThreads="150" minSpareThreads="4"/>
+ -->
+
+
<!-- A "Connector" represents an endpoint by which requests are received
- and responses are returned. Each Connector passes requests on to the
- associated "Container" (normally an Engine) for processing.
-
- By default, a non-SSL HTTP/1.1 Connector is established on port 8080.
- You can also enable an SSL HTTP/1.1 Connector on port 8443 by
- following the instructions below and uncommenting the second Connector
- entry. SSL support requires the following steps (see the SSL Config
- HOWTO in the Tomcat 5 documentation bundle for more detailed
- instructions):
- * If your JDK version 1.3 or prior, download and install JSSE 1.0.2 or
- later, and put the JAR files into "$JAVA_HOME/jre/lib/ext".
- * Execute:
- %JAVA_HOME%\bin\keytool -genkey -alias tomcat -keyalg RSA (Windows)
- $JAVA_HOME/bin/keytool -genkey -alias tomcat -keyalg RSA (Unix)
- with a password value of "changeit" for both the certificate and
- the keystore itself.
-
- By default, DNS lookups are enabled when a web application calls
- request.getRemoteHost(). This can have an adverse impact on
- performance, so you can disable it by setting the
- "enableLookups" attribute to "false". When DNS lookups are disabled,
- request.getRemoteHost() will return the String version of the
- IP address of the remote client.
+ and responses are returned. Documentation at :
+ Java HTTP Connector: /docs/config/http.html (blocking & non-blocking)
+ Java AJP Connector: /docs/config/ajp.html
+ APR (HTTP/AJP) Connector: /docs/apr.html
+ Define a non-SSL HTTP/1.1 Connector on port 8080
-->
-<!-- Define a non-SSL HTTP/1.1 Connector on port 8080 -->
-[PKI_UNSECURE_PORT_SERVER_COMMENT]
-<Connector name="[PKI_UNSECURE_PORT_CONNECTOR_NAME]" port="[PKI_UNSECURE_PORT]" maxHttpHeaderSize="8192"
- maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
- enableLookups="false" redirectPort="8443" acceptCount="100"
- connectionTimeout="20000" disableUploadTimeout="true"/>
-
-
-<!-- Define a SSL HTTP/1.1 Connector on port 8443 -->
-[PKI_SECURE_PORT_SERVER_COMMENT]
-<!-- DO NOT REMOVE - Begin define PKI secure port -->
-<Connector name="[PKI_SECURE_PORT_CONNECTOR_NAME]" port="[PKI_SECURE_PORT]" maxHttpHeaderSize="8192"
- maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
- enableLookups="false" disableUploadTimeout="true"
- acceptCount="100" scheme="https" secure="true"
- clientAuth="[PKI_AGENT_CLIENTAUTH]" sslProtocol="SSL"
- sslOptions="ssl2=false,ssl3=true,tls=true"
- ssl2Ciphers="-SSL2_RC4_128_WITH_MD5,-SSL2_RC4_128_EXPORT40_WITH_MD5,-SSL2_RC2_128_CBC_WITH_MD5,-SSL2_RC2_128_CBC_EXPORT40_WITH_MD5,-SSL2_DES_64_CBC_WITH_MD5,-SSL2_DES_192_EDE3_CBC_WITH_MD5"
- ssl3Ciphers="-SSL3_FORTEZZA_DMS_WITH_NULL_SHA,-SSL3_FORTEZZA_DMS_WITH_RC4_128_SHA,+SSL3_RSA_WITH_RC4_128_SHA,-SSL3_RSA_EXPORT_WITH_RC4_40_MD5,+SSL3_RSA_WITH_3DES_EDE_CBC_SHA,+SSL3_RSA_WITH_DES_CBC_SHA,-SSL3_RSA_EXPORT_WITH_RC2_CBC_40_MD5,-SSL3_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA,-SSL_RSA_FIPS_WITH_DES_CBC_SHA,+SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA,-SSL3_RSA_WITH_NULL_MD5,-TLS_RSA_EXPORT1024_WITH_RC4_56_SHA,-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA"
- tls3Ciphers="-SSL3_FORTEZZA_DMS_WITH_NULL_SHA,-SSL3_FORTEZZA_DMS_WITH_RC4_128_SHA,+SSL3_RSA_WITH_RC4_128_SHA,-SSL3_RSA_EXPORT_WITH_RC4_40_MD5,+SSL3_RSA_WITH_3DES_EDE_CBC_SHA,+SSL3_RSA_WITH_DES_CBC_SHA,-SSL3_RSA_EXPORT_WITH_RC2_CBC_40_MD5,-SSL3_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA,-SSL_RSA_FIPS_WITH_DES_CBC_SHA,+SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA,-SSL3_RSA_WITH_NULL_MD5,-TLS_RSA_EXPORT1024_WITH_RC4_56_SHA,-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA"
- SSLImplementation="org.apache.tomcat.util.net.jss.JSSImplementation"
- serverCertNickFile="[PKI_INSTANCE_PATH]/conf/serverCertNick.conf"
- passwordFile="[PKI_INSTANCE_PATH]/conf/password.conf"
- passwordClass="org.apache.tomcat.util.net.jss.PlainPasswordFile"
- certdbDir="[PKI_INSTANCE_PATH]/alias"/>
-<!-- DO NOT REMOVE - End define PKI secure port -->
-
-[PKI_OPEN_SEPARATE_PORTS_SERVER_COMMENT][PKI_ADMIN_SECURE_PORT_SERVER_COMMENT]
-<Connector name="[PKI_ADMIN_SECURE_PORT_CONNECTOR_NAME]" port="[PKI_ADMIN_SECURE_PORT]" maxHttpHeaderSize="8192"
- maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
- enableLookups="false" disableUploadTimeout="true"
- acceptCount="100" scheme="https" secure="true"
- clientAuth="false" sslProtocol="SSL"
- sslOptions="ssl2=false,ssl3=true,tls=true"
- ssl2Ciphers="-SSL2_RC4_128_WITH_MD5,-SSL2_RC4_128_EXPORT40_WITH_MD5,-SSL2_RC2_128_CBC_WITH_MD5,-SSL2_RC2_128_CBC_EXPORT40_WITH_MD5,-SSL2_DES_64_CBC_WITH_MD5,-SSL2_DES_192_EDE3_CBC_WITH_MD5"
- ssl3Ciphers="-SSL3_FORTEZZA_DMS_WITH_NULL_SHA,-SSL3_FORTEZZA_DMS_WITH_RC4_128_SHA,+SSL3_RSA_WITH_RC4_128_SHA,-SSL3_RSA_EXPORT_WITH_RC4_40_MD5,+SSL3_RSA_WITH_3DES_EDE_CBC_SHA,+SSL3_RSA_WITH_DES_CBC_SHA,-SSL3_RSA_EXPORT_WITH_RC2_CBC_40_MD5,-SSL3_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA,-SSL_RSA_FIPS_WITH_DES_CBC_SHA,+SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA,-SSL3_RSA_WITH_NULL_MD5,-TLS_RSA_EXPORT1024_WITH_RC4_56_SHA,-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA"
- tls3Ciphers="-SSL3_FORTEZZA_DMS_WITH_NULL_SHA,-SSL3_FORTEZZA_DMS_WITH_RC4_128_SHA,+SSL3_RSA_WITH_RC4_128_SHA,-SSL3_RSA_EXPORT_WITH_RC4_40_MD5,+SSL3_RSA_WITH_3DES_EDE_CBC_SHA,+SSL3_RSA_WITH_DES_CBC_SHA,-SSL3_RSA_EXPORT_WITH_RC2_CBC_40_MD5,-SSL3_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA,-SSL_RSA_FIPS_WITH_DES_CBC_SHA,+SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA,-SSL3_RSA_WITH_NULL_MD5,-TLS_RSA_EXPORT1024_WITH_RC4_56_SHA,-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA"
- SSLImplementation="org.apache.tomcat.util.net.jss.JSSImplementation"
- serverCertNickFile="[PKI_INSTANCE_PATH]/conf/serverCertNick.conf"
- passwordFile="[PKI_INSTANCE_PATH]/conf/password.conf"
- passwordClass="org.apache.tomcat.util.net.jss.PlainPasswordFile"
- certdbDir="[PKI_INSTANCE_PATH]/alias"/>
-[PKI_CLOSE_SEPARATE_PORTS_SERVER_COMMENT]
-
-[PKI_OPEN_SEPARATE_PORTS_SERVER_COMMENT][PKI_EE_SECURE_PORT_SERVER_COMMENT]
-<Connector name="[PKI_EE_SECURE_PORT_CONNECTOR_NAME]" port="[PKI_EE_SECURE_PORT]" maxHttpHeaderSize="8192"
- maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
- enableLookups="false" disableUploadTimeout="true"
- acceptCount="100" scheme="https" secure="true"
- clientAuth="false" sslProtocol="SSL"
- sslOptions="ssl2=false,ssl3=true,tls=true"
- ssl2Ciphers="-SSL2_RC4_128_WITH_MD5,-SSL2_RC4_128_EXPORT40_WITH_MD5,-SSL2_RC2_128_CBC_WITH_MD5,-SSL2_RC2_128_CBC_EXPORT40_WITH_MD5,-SSL2_DES_64_CBC_WITH_MD5,-SSL2_DES_192_EDE3_CBC_WITH_MD5"
- ssl3Ciphers="-SSL3_FORTEZZA_DMS_WITH_NULL_SHA,-SSL3_FORTEZZA_DMS_WITH_RC4_128_SHA,+SSL3_RSA_WITH_RC4_128_SHA,-SSL3_RSA_EXPORT_WITH_RC4_40_MD5,+SSL3_RSA_WITH_3DES_EDE_CBC_SHA,+SSL3_RSA_WITH_DES_CBC_SHA,-SSL3_RSA_EXPORT_WITH_RC2_CBC_40_MD5,-SSL3_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA,-SSL_RSA_FIPS_WITH_DES_CBC_SHA,+SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA,-SSL3_RSA_WITH_NULL_MD5,-TLS_RSA_EXPORT1024_WITH_RC4_56_SHA,-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA"
- tls3Ciphers="-SSL3_FORTEZZA_DMS_WITH_NULL_SHA,-SSL3_FORTEZZA_DMS_WITH_RC4_128_SHA,+SSL3_RSA_WITH_RC4_128_SHA,-SSL3_RSA_EXPORT_WITH_RC4_40_MD5,+SSL3_RSA_WITH_3DES_EDE_CBC_SHA,+SSL3_RSA_WITH_DES_CBC_SHA,-SSL3_RSA_EXPORT_WITH_RC2_CBC_40_MD5,-SSL3_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA,-SSL_RSA_FIPS_WITH_DES_CBC_SHA,+SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA,-SSL3_RSA_WITH_NULL_MD5,-TLS_RSA_EXPORT1024_WITH_RC4_56_SHA,-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA"
- SSLImplementation="org.apache.tomcat.util.net.jss.JSSImplementation"
- serverCertNickFile="[PKI_INSTANCE_PATH]/conf/serverCertNick.conf"
- passwordFile="[PKI_INSTANCE_PATH]/conf/password.conf"
- passwordClass="org.apache.tomcat.util.net.jss.PlainPasswordFile"
- certdbDir="[PKI_INSTANCE_PATH]/alias"/>
-[PKI_CLOSE_SEPARATE_PORTS_SERVER_COMMENT]
-
- <!-- Note : To disable connection timeouts, set connectionTimeout value
- to 0 -->
-
- <!-- Note : To use gzip compression you could set the following properties :
-
- compression="on"
- compressionMinSize="2048"
- noCompressionUserAgents="gozilla, traviata"
- compressableMimeType="text/html,text/xml"
- -->
-
+ [PKI_UNSECURE_PORT_SERVER_COMMENT]
+ <Connector name="[PKI_UNSECURE_PORT_CONNECTOR_NAME]" port="[PKI_UNSECURE_PORT]" protocol="HTTP/1.1" redirectPort="8443"
+ maxHttpHeaderSize="8192"
+ acceptCount="100" maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
+ enableLookups="false" connectionTimeout="20000" disableUploadTimeout="true"
+ />
+
+ <!-- Define a SSL HTTP/1.1 Connector on port 8443 -->
+ [PKI_SECURE_PORT_SERVER_COMMENT]
+ <!-- DO NOT REMOVE - Begin define PKI secure port -->
+ <Connector name="[PKI_SECURE_PORT_CONNECTOR_NAME]" port="[PKI_SECURE_PORT]" protocol="HTTP/1.1" SSLEnabled="true" sslProtocol="SSL" scheme="https" secure="true"
+ maxHttpHeaderSize="8192"
+ acceptCount="100" maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
+ enableLookups="false" connectionTimeout="20000" disableUploadTimeout="true"
+ SSLImplementation="org.apache.tomcat.util.net.jss.JSSImplementation"
+ clientAuth="[PKI_AGENT_CLIENTAUTH]"
+ sslOptions="[TOMCAT_SSL_OPTIONS]"
+ ssl2Ciphers="[TOMCAT_SSL2_CIPHERS]"
+ ssl3Ciphers="[TOMCAT_SSL3_CIPHERS]"
+ tls3Ciphers="[TOMCAT_TLS3_CIPHERS]"
+ serverCertNickFile="[PKI_INSTANCE_PATH]/conf/serverCertNick.conf"
+ passwordFile="[PKI_INSTANCE_PATH]/conf/password.conf"
+ passwordClass="org.apache.tomcat.util.net.jss.PlainPasswordFile"
+ certdbDir="[PKI_INSTANCE_PATH]/alias"
+ />
+ <!-- DO NOT REMOVE - End define PKI secure port -->
+
+ [PKI_OPEN_SEPARATE_PORTS_SERVER_COMMENT][PKI_ADMIN_SECURE_PORT_SERVER_COMMENT]
+ <Connector name="[PKI_ADMIN_SECURE_PORT_CONNECTOR_NAME]" port="[PKI_ADMIN_SECURE_PORT]" SSLEnabled="true" sslProtocol="SSL" scheme="https" secure="true"
+ maxHttpHeaderSize="8192"
+ acceptCount="100" maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
+ enableLookups="false" disableUploadTimeout="true"
+ SSLImplementation="org.apache.tomcat.util.net.jss.JSSImplementation"
+ clientAuth="false"
+ sslOptions="[TOMCAT_SSL_OPTIONS]"
+ ssl2Ciphers="[TOMCAT_SSL2_CIPHERS]"
+ ssl3Ciphers="[TOMCAT_SSL3_CIPHERS]"
+ tls3Ciphers="[TOMCAT_TLS3_CIPHERS]"
+ serverCertNickFile="[PKI_INSTANCE_PATH]/conf/serverCertNick.conf"
+ passwordFile="[PKI_INSTANCE_PATH]/conf/password.conf"
+ passwordClass="org.apache.tomcat.util.net.jss.PlainPasswordFile"
+ certdbDir="[PKI_INSTANCE_PATH]/alias"/>
+ [PKI_CLOSE_SEPARATE_PORTS_SERVER_COMMENT]
+
+ [PKI_OPEN_SEPARATE_PORTS_SERVER_COMMENT][PKI_EE_SECURE_PORT_SERVER_COMMENT]
+ <Connector name="[PKI_EE_SECURE_PORT_CONNECTOR_NAME]" port="[PKI_EE_SECURE_PORT]" SSLEnabled="true" sslProtocol="SSL" scheme="https" secure="true"
+ maxHttpHeaderSize="8192"
+ acceptCount="100" maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
+ enableLookups="false" connectionTimeout="20000" disableUploadTimeout="true"
+ SSLImplementation="org.apache.tomcat.util.net.jss.JSSImplementation"
+ clientAuth="false"
+ sslOptions="[TOMCAT_SSL_OPTIONS]"
+ ssl2Ciphers="[TOMCAT_SSL2_CIPHERS]"
+ ssl3Ciphers="[TOMCAT_SSL3_CIPHERS]"
+ tls3Ciphers="[TOMCAT_TLS3_CIPHERS]"
+ serverCertNickFile="[PKI_INSTANCE_PATH]/conf/serverCertNick.conf"
+ passwordFile="[PKI_INSTANCE_PATH]/conf/password.conf"
+ passwordClass="org.apache.tomcat.util.net.jss.PlainPasswordFile"
+ certdbDir="[PKI_INSTANCE_PATH]/alias"/>
+ [PKI_CLOSE_SEPARATE_PORTS_SERVER_COMMENT]
+
+ <!-- A "Connector" using the shared thread pool-->
+ <!--
+ <Connector executor="tomcatThreadPool"
+ port="8080" protocol="HTTP/1.1"
+ connectionTimeout="20000"
+ redirectPort="8443" />
+ -->
+ <!-- Define a SSL HTTP/1.1 Connector on port 8443
+ This connector uses the JSSE configuration, when using APR, the
+ connector should be using the OpenSSL style configuration
+ described in the APR documentation -->
+ <!--
+ <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
+ maxThreads="150" scheme="https" secure="true"
+ clientAuth="false" sslProtocol="TLS" />
+ -->
<!-- Define an AJP 1.3 Connector on port 8009 -->
<!--
- <Connector port="8009"
- enableLookups="false" redirectPort="8443" protocol="AJP/1.3" />
+ <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
-->
- <!-- Define a Proxied HTTP/1.1 Connector on port 8082 -->
- <!-- See proxy documentation for more information about using this. -->
- <!--
- <Connector port="8082"
- maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
- enableLookups="false" acceptCount="100" connectionTimeout="20000"
- proxyPort="80" disableUploadTimeout="true" />
- -->
<!-- An Engine represents the entry point (within Catalina) that processes
every request. The Engine implementation for Tomcat stand alone
analyzes the HTTP headers included with the request, and passes them
- on to the appropriate Host (virtual host). -->
+ on to the appropriate Host (virtual host).
+ Documentation at /docs/config/engine.html -->
<!-- You should set jvmRoute to support load-balancing via AJP ie :
- <Engine name="Standalone" defaultHost="localhost" jvmRoute="jvm1">
+ <Engine name="Catalina" defaultHost="localhost" jvmRoute="jvm1">
-->
-
- <!-- Define the top level container in our container hierarchy -->
<Engine name="Catalina" defaultHost="localhost">
- <!-- The request dumper valve dumps useful debugging information about
- the request headers and cookies that were received, and the response
- headers and cookies that were sent, for all requests received by
- this instance of Tomcat. If you care only about requests to a
- particular virtual host, or a particular application, nest this
- element inside the corresponding <Host> or <Context> entry instead.
-
- For a similar mechanism that is portable to all Servlet 2.4
- containers, check out the "RequestDumperFilter" Filter in the
- example application (the source for this filter may be found in
- "$CATALINA_HOME/webapps/examples/WEB-INF/classes/filters").
+ <!--For clustering, please take a look at documentation at:
+ /docs/cluster-howto.html (simple how to)
+ /docs/config/cluster.html (reference documentation) -->
+ <!--
+ <Cluster className="org.apache.catalina.ha.tcp.SimpleTcpCluster"/>
+ -->
- Request dumping is disabled by default. Uncomment the following
- element to enable it. -->
+ <!-- The request dumper valve dumps useful debugging information about
+ the request and response data received and sent by Tomcat.
+ Documentation at: /docs/config/valve.html -->
<!--
<Valve className="org.apache.catalina.valves.RequestDumperValve"/>
-->
- <!-- Because this Realm is here, an instance will be shared globally -->
-
<!-- This Realm uses the UserDatabase configured in the global JNDI
resources under the key "UserDatabase". Any edits
that are performed against this UserDatabase are immediately
@@ -210,229 +198,27 @@ Tomcat Port = [TOMCAT_SERVER_PORT] (for shutdown)
<Realm className="org.apache.catalina.realm.UserDatabaseRealm"
resourceName="UserDatabase"/>
- <!-- Comment out the old realm but leave here for now in case we
- need to go back quickly -->
- <!--
- <Realm className="org.apache.catalina.realm.MemoryRealm" />
- -->
-
- <!-- Replace the above Realm with one of the following to get a Realm
- stored in a database and accessed via JDBC -->
-
- <!--
- <Realm className="org.apache.catalina.realm.JDBCRealm"
- driverName="org.gjt.mm.mysql.Driver"
- connectionURL="jdbc:mysql://localhost/authority"
- connectionName="test" connectionPassword="test"
- userTable="users" userNameCol="user_name" userCredCol="user_pass"
- userRoleTable="user_roles" roleNameCol="role_name" />
- -->
-
- <!--
- <Realm className="org.apache.catalina.realm.JDBCRealm"
- driverName="oracle.jdbc.driver.OracleDriver"
- connectionURL="jdbc:oracle:thin:@ntserver:1521:ORCL"
- connectionName="scott" connectionPassword="tiger"
- userTable="users" userNameCol="user_name" userCredCol="user_pass"
- userRoleTable="user_roles" roleNameCol="role_name" />
- -->
-
- <!--
- <Realm className="org.apache.catalina.realm.JDBCRealm"
- driverName="sun.jdbc.odbc.JdbcOdbcDriver"
- connectionURL="jdbc:odbc:CATALINA"
- userTable="users" userNameCol="user_name" userCredCol="user_pass"
- userRoleTable="user_roles" roleNameCol="role_name" />
- -->
-
<!-- Define the default virtual host
Note: XML Schema validation will not work with Xerces 2.2.
-->
- <Host name="localhost" appBase="webapps"
- unpackWARs="true" autoDeploy="false"
- xmlValidation="false" xmlNamespaceAware="false">
-
- <!-- Defines a cluster for this node,
- By defining this element, means that every manager will be changed.
- So when running a cluster, only make sure that you have webapps in there
- that need to be clustered and remove the other ones.
- A cluster has the following parameters:
-
- className = the fully qualified name of the cluster class
-
- name = a descriptive name for your cluster, can be anything
-
- mcastAddr = the multicast address, has to be the same for all the nodes
-
- mcastPort = the multicast port, has to be the same for all the nodes
-
- mcastBindAddr = bind the multicast socket to a specific address
-
- mcastTTL = the multicast TTL if you want to limit your broadcast
-
- mcastSoTimeout = the multicast readtimeout
-
- mcastFrequency = the number of milliseconds in between sending a "I'm alive" heartbeat
+ <Host name="localhost" appBase="webapps"
+ unpackWARs="true" autoDeploy="false"
+ xmlValidation="false" xmlNamespaceAware="false">
- mcastDropTime = the number a milliseconds before a node is considered "dead" if no heartbeat is received
-
- tcpThreadCount = the number of threads to handle incoming replication requests, optimal would be the same amount of threads as nodes
-
- tcpListenAddress = the listen address (bind address) for TCP cluster request on this host,
- in case of multiple ethernet cards.
- auto means that address becomes
- InetAddress.getLocalHost().getHostAddress()
-
- tcpListenPort = the tcp listen port
-
- tcpSelectorTimeout = the timeout (ms) for the Selector.select() method in case the OS
- has a wakup bug in java.nio. Set to 0 for no timeout
-
- printToScreen = true means that managers will also print to std.out
-
- expireSessionsOnShutdown = true means that
-
- useDirtyFlag = true means that we only replicate a session after setAttribute,removeAttribute has been called.
- false means to replicate the session after each request.
- false means that replication would work for the following piece of code: (only for SimpleTcpReplicationManager)
- <%
- HashMap map = (HashMap)session.getAttribute("map");
- map.put("key","value");
- %>
- replicationMode = can be either 'pooled', 'synchronous' or 'asynchronous'.
- * Pooled means that the replication happens using several sockets in a synchronous way. Ie, the data gets replicated, then the request return. This is the same as the 'synchronous' setting except it uses a pool of sockets, hence it is multithreaded. This is the fastest and safest configuration. To use this, also increase the nr of tcp threads that you have dealing with replication.
- * Synchronous means that the thread that executes the request, is also the
- thread the replicates the data to the other nodes, and will not return until all
- nodes have received the information.
- * Asynchronous means that there is a specific 'sender' thread for each cluster node,
- so the request thread will queue the replication request into a "smart" queue,
- and then return to the client.
- The "smart" queue is a queue where when a session is added to the queue, and the same session
- already exists in the queue from a previous request, that session will be replaced
- in the queue instead of replicating two requests. This almost never happens, unless there is a
- large network delay.
- -->
- <!--
- When configuring for clustering, you also add in a valve to catch all the requests
- coming in, at the end of the request, the session may or may not be replicated.
- A session is replicated if and only if all the conditions are met:
- 1. useDirtyFlag is true or setAttribute or removeAttribute has been called AND
- 2. a session exists (has been created)
- 3. the request is not trapped by the "filter" attribute
-
- The filter attribute is to filter out requests that could not modify the session,
- hence we don't replicate the session after the end of this request.
- The filter is negative, ie, anything you put in the filter, you mean to filter out,
- ie, no replication will be done on requests that match one of the filters.
- The filter attribute is delimited by ;, so you can't escape out ; even if you wanted to.
-
- filter=".*\.gif;.*\.js;" means that we will not replicate the session after requests with the URI
- ending with .gif and .js are intercepted.
-
- The deployer element can be used to deploy apps cluster wide.
- Currently the deployment only deploys/undeploys to working members in the cluster
- so no WARs are copied upons startup of a broken node.
- The deployer watches a directory (watchDir) for WAR files when watchEnabled="true"
- When a new war file is added the war gets deployed to the local instance,
- and then deployed to the other instances in the cluster.
- When a war file is deleted from the watchDir the war is undeployed locally
- and cluster wide
- -->
-
- <!--
- <Cluster className="org.apache.catalina.cluster.tcp.SimpleTcpCluster"
- managerClassName="org.apache.catalina.cluster.session.DeltaManager"
- expireSessionsOnShutdown="false"
- useDirtyFlag="true"
- notifyListenersOnReplication="true">
-
- <Membership
- className="org.apache.catalina.cluster.mcast.McastService"
- mcastAddr="228.0.0.4"
- mcastPort="45564"
- mcastFrequency="500"
- mcastDropTime="3000"/>
-
- <Receiver
- className="org.apache.catalina.cluster.tcp.ReplicationListener"
- tcpListenAddress="auto"
- tcpListenPort="4001"
- tcpSelectorTimeout="100"
- tcpThreadCount="6"/>
-
- <Sender
- className="org.apache.catalina.cluster.tcp.ReplicationTransmitter"
- replicationMode="pooled"
- ackTimeout="15000"/>
-
- <Valve className="org.apache.catalina.cluster.tcp.ReplicationValve"
- filter=".*\.gif;.*\.js;.*\.jpg;.*\.png;.*\.htm;.*\.html;.*\.css;.*\.txt;"/>
-
- <Deployer className="org.apache.catalina.cluster.deploy.FarmWarDeployer"
- tempDir="/tmp/war-temp/"
- deployDir="/tmp/war-deploy/"
- watchDir="/tmp/war-listen/"
- watchEnabled="false"/>
- </Cluster>
- -->
-
-
-
- <!-- Normally, users must authenticate themselves to each web app
- individually. Uncomment the following entry if you would like
- a user to be authenticated the first time they encounter a
- resource protected by a security constraint, and then have that
- user identity maintained across *all* web applications contained
- in this virtual host. -->
+ <!-- SingleSignOn valve, share authentication between web applications
+ Documentation at: /docs/config/valve.html -->
<!--
<Valve className="org.apache.catalina.authenticator.SingleSignOn" />
-->
- <!-- Access log processes all requests for this virtual host. By
- default, log files are created in the "logs" directory relative to
- $CATALINA_HOME. If you wish, you can specify a different
- directory with the "directory" attribute. Specify either a relative
- (to $CATALINA_HOME) or absolute path to the desired directory.
- -->
- <Valve className="org.apache.catalina.valves.AccessLogValve"
- directory="logs" prefix="localhost_access_log." suffix=".txt"
- pattern="common" resolveHosts="false"/>
-
- <!-- Access log processes all requests for this virtual host. By
- default, log files are created in the "logs" directory relative to
- $CATALINA_HOME. If you wish, you can specify a different
- directory with the "directory" attribute. Specify either a relative
- (to $CATALINA_HOME) or absolute path to the desired directory.
- This access log implementation is optimized for maximum performance,
- but is hardcoded to support only the "common" and "combined" patterns.
- -->
+ <!-- Access log processes all example.
+ Documentation at: /docs/config/valve.html -->
<!--
- <Valve className="org.apache.catalina.valves.FastCommonAccessLogValve"
- directory="logs" prefix="localhost_access_log." suffix=".txt"
- pattern="common" resolveHosts="false"/>
+ <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
+ prefix="localhost_access_log." suffix=".txt" pattern="common" resolveHosts="false"/>
-->
- <!-- Access log processes all requests for this virtual host. By
- default, log files are created in the "logs" directory relative to
- $CATALINA_HOME. If you wish, you can specify a different
- directory with the "directory" attribute. Specify either a relative
- (to $CATALINA_HOME) or absolute path to the desired directory.
- This access log implementation is optimized for maximum performance,
- but is hardcoded to support only the "common" and "combined" patterns.
- This valve use NIO direct Byte Buffer to asynchornously store the
- log.
- -->
- <!--
- <Valve className="org.apache.catalina.valves.ByteBufferAccessLogValve"
- directory="logs" prefix="localhost_access_log." suffix=".txt"
- pattern="common" resolveHosts="false"/>
- -->
-
- <!-- <Context docBase="webapps" path="/webapps" reloadable="false"/> -->
</Host>
-
</Engine>
-
</Service>
-
</Server>
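Review bot: The AccessLogValve that the old configuration enabled unconditionally under the localhost Host is now wrapped in an XML comment on the new side, so this instance stops writing per-request access logs. For a PKI subsystem the Tomcat access log is frequently the only record of which client address reached which servlet, so dropping it silently is a forensic regression the commit message does not mention. I would remove the `<!--` / `-->` around `<Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs" prefix="localhost_access_log." suffix=".txt" pattern="common" resolveHosts="false"/>`, or, if the omission is deliberate, add `<!-- Tomcat access logging disabled on purpose: see subsystem audit log -->` so the next maintainer does not re-enable it by accident. The copied comment `Access log processes all example.` is also garbled and should read `Access log processes all requests for this virtual host.` Whether any deployment relied on this log is not visible from the diff.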
diff --git a/pki/base/tks/shared/conf/tomcat-users.xml b/pki/base/tks/shared/conf/tomcat-users.xml
index f986faed3..daa9260cc 100644
--- a/pki/base/tks/shared/conf/tomcat-users.xml
+++ b/pki/base/tks/shared/conf/tomcat-users.xml
@@ -1,17 +1,45 @@
<?xml version='1.0' encoding='utf-8'?>
<!-- BEGIN COPYRIGHT BLOCK
- Copyright (C) 2006 Red Hat, Inc.
+ Copyright (C) 2006-2010 Red Hat, Inc.
All rights reserved.
+ Modifications: configuration parameters
END COPYRIGHT BLOCK -->
+<!--
+ Licensed to the Apache Software Foundation (ASF) under one or more
+ contributor license agreements. See the NOTICE file distributed with
+ this work for additional information regarding copyright ownership.
+ The ASF licenses this file to You under the Apache License, Version 2.0
+ (the "License"); you may not use this file except in compliance with
+ the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+-->
+
+<!--
+ <role rolename="tomcat"/>
+ <role rolename="role1"/>
+ <user username="tomcat" password="tomcat" roles="tomcat"/>
+ <user username="both" password="tomcat" roles="tomcat,role1"/>
+ <user username="role1" password="tomcat" roles="role1"/>
+-->
+
+<!-- The host manager webapp is restricted to users with role "admin" -->
+<!--<user name="tomcat" password="password" roles="admin" />-->
+<!-- The manager webapp is restricted to users with role "manager" -->
+<!--<user name="tomcat" password="password" roles="manager" />-->
<tomcat-users>
<role rolename="pkiuser"/>
<role rolename="tomcat"/>
- <role rolename="role1"/>
<role rolename="manager"/>
<role rolename="admin"/>
+
<user username="pkiuser" password="pkiuser" roles="pkiuser"/>
<user username="tomcat" password="tomcat" roles="tomcat"/>
- <user username="both" password="tomcat" roles="tomcat,role1"/>
- <user username="role1" password="tomcat" roles="role1"/>
<user username="admin" password="netscape" roles="admin,manager"/>
</tomcat-users>
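Review bot: The new side still ships fixed plaintext credentials — `admin`/`netscape` with roles `admin,manager`, plus `tomcat`/`tomcat` and `pkiuser`/`pkiuser` — and the comments this commit copies in state that exactly the `manager` and `admin` roles gate the manager and host-manager webapps. The hunk trims the unused `role1`/`both` entries but leaves the account that grants those roles, so any instance that deploys either manager webapp is reachable with a well-known login. I would drop the `admin` user unless a component in the instance demonstrably needs it, or make the password a substitution token filled at instance creation, in the same way server.xml uses `[PKI_INSTANCE_PATH]`, rather than a literal. Whether a PKI instance actually deploys the manager webapps is not visible in this file, so the exposure is conditional, but a credential template should not carry a real password either way.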
diff --git a/pki/base/tks/shared/conf/tomcat5.conf b/pki/base/tks/shared/conf/tomcat5.conf
deleted file mode 100644
index ea1cd1906..000000000
--- a/pki/base/tks/shared/conf/tomcat5.conf
+++ /dev/null
@@ -1,80 +0,0 @@
-# --- BEGIN COPYRIGHT BLOCK ---
-# Copyright (C) 2006 Red Hat, Inc.
-# All rights reserved.
-# --- END COPYRIGHT BLOCK ---
-#
-# tomcat5 service configuration file
-
-# Check to insure that this configuration file's associated PKI
-# subsystem currently resides on this system.
-PKI_SUBSYSTEM_TYPE=[PKI_SUBSYSTEM_TYPE]
-if [ ! -d /usr/share/pki/${PKI_SUBSYSTEM_TYPE} ] ; then
- echo "This machine is missing the '${PKI_SUBSYSTEM_TYPE}' subsystem!"
- exit 255
-fi
-
-# you could also override JAVA_HOME here
-# Where your java installation lives
-JAVA_HOME="/usr/lib/jvm/jre"
-
-# You can pass some parameters to java
-# here if you wish to
-#JAVA_OPTS="-Xminf0.1 -Xmaxf0.3"
-
-# Where your tomcat installation lives
-# That change from previous RPM where TOMCAT_HOME
-# used to be /var/tomcat.
-# Now /var/tomcat will be the base for webapps only
-CATALINA_HOME="/usr/share/tomcat5"
-JASPER_HOME="/usr/share/tomcat5"
-CATALINA_TMPDIR="/usr/share/tomcat5/temp"
-JAVA_ENDORSED_DIRS="/usr/share/tomcat5/common/endorsed"
-
-# What user should run tomcat
-TOMCAT_USER="[PKI_USER]"
-TOMCAT_GROUP="[PKI_GROUP]"
-
-# You can change your tomcat locale here
-#LANG=en_US
-
-# Time to wait in seconds, while starting process
-STARTUP_WAIT=30
-
-# Time to wait in seconds, before killing process
-SHUTDOWN_WAIT=30
-
-
-# If you wish to further customize your tomcat environment,
-# put your own definitions here
-# (i.e. LD_LIBRARY_PATH for some jdbc drivers)
-# Just do not forget to export them :)
-
-OS=`uname -s`
-
-if [ $OS = "Linux" ]; then
- PLATFORM=`uname -i`
- if [ $PLATFORM = "i386" ]; then
- # 32-bit Linux
- LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/usr/lib/dirsec:/usr/lib
- elif [ $PLATFORM = "x86_64" ]; then
- # 64-bit Linux
- LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/usr/lib64/dirsec:/usr/lib64:/usr/lib
- fi
- export LD_LIBRARY_PATH
-elif [ $OS = "SunOS" ]; then
- PLATFORM=`uname -p`
- if [ "${PLATFORM}" = "sparc" ] &&
- [ -d "/usr/lib/sparcv9/" ] ; then
- PLATFORM="sparcv9"
- fi
- if [ $PLATFORM = "sparc" ]; then
- # 32-bit Solaris
- LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/usr/lib/dirsec:/usr/lib
- elif [ $PLATFORM = "sparcv9" ]; then
- # 64-bit Solaris
- JAVA_OPTS="-d64"
- export JAVA_OPTS
- LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/usr/lib/sparcv9/dirsec:/usr/lib/sparcv9:/usr/lib/dirsec:/usr/lib
- fi
- export LD_LIBRARY_PATH
-fi
diff --git a/pki/base/tks/shared/etc/init.d/pki-tksd b/pki/base/tks/shared/etc/init.d/pki-tksd
index 7d6bb99a5..d8a23c86d 100755
--- a/pki/base/tks/shared/etc/init.d/pki-tksd
+++ b/pki/base/tks/shared/etc/init.d/pki-tksd
@@ -14,1816 +14,70 @@
# with this program; if not, write to the Free Software Foundation, Inc.,
# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
#
-# Copyright (C) 2007 Red Hat, Inc.
+# Copyright (C) 2007-2010 Red Hat, Inc.
# All rights reserved.
-# --- END COPYRIGHT BLOCK ### ---
+# --- END COPYRIGHT BLOCK ---
#
-# pki-tksd Startup script for Tomcat 5.0 pki-tks, the Apache Servlet Engine
+# pki-tksd Startup script for pki-tks with tomcat6
#
# chkconfig: - 84 16
-# description: Token Key Service \
-# (Tomcat 5.0)
+# description: Token Key Service (Tomcat 6.0)
# processname: pki-tksd
# piddir: /var/run/pki/tks
-# config: ${PKI_INSTANCE_PATH}/conf/tomcat5.conf
-#
-# Gomez Henri <hgomez@users.sourceforge.net>
-# Keith Irwin <keith_irwin@non.hp.com>
-# Nicolas Mailhot <nicolas.mailhot@one2team.com>
-#
-# version 1.02 - Removed initlog support
-# version 1.03 - Removed config:
-# version 1.04 - tomcat will start before httpd and stop after httpd
-# version 1.05 - jdk hardcoded to link /usr/java/jdk and tomcat runs
-# as "nobody"
-# version 1.06 - split up into script and config file
-# version 1.07 - Rework from Nicolas ideas
-# version 1.08 - Fix work dir permission at start time, switch to use tomcat4
-# version 1.09 - Fix pidfile and config tags
-# version 1.10 - Fallback to su direct use on systems without
-# Redhat/Mandrake init.d functions
-# version 1.11 - Fix webapps dir permissions
-# version 1.12 - remove initial start/stop level for chkconfig (- 80 20)
-# version 1.13 - remove chown of logs/work/temp/webapps dir,
-# owned by tomcat4 at install time
-# version 1.14 - correct the start/stop ugly hack by waiting
-# all the threads stops
-# version 1.15 - ensure we're looking for TOMCAT_USER running catalina
-# version 1.16 - Add support for CATALINA_PID env var
-# version 1.17 - Remove run files only tomcat started correctl
-# in start area, check that tomcat is not allready running
-# version 1.18 - Fix kill typo (thanks Kaj J. Niemi)
-# version 1.19 - Add jar relinking
-# version 1.20 - Check there is no stalling tomcat4.pid
-# version 1.20tc5 - Changed all instances of tomcat4 to
-# tomcat5 except TOMCAT_USER
-# version 1.20tc5rh - Changed TOMCAT_USER from tomcat4 to tomcat
#
-PKI_INIT_SCRIPT=""
+PROG_NAME=`basename $0`
+SERVICE_NAME="pki-tksd"
+SERVICE_PROG="/sbin/service"
PKI_PATH="/usr/share/pki/tks"
-PKI_PIDDIR="/var/run/pki/tks"
-PKI_PROCESS="pki-tksd"
PKI_REGISTRY="/etc/sysconfig/pki/tks"
PKI_TYPE="pki-tks"
-
-# PKI subsystem-level directory and file values for locks
-lockfile="/var/lock/subsys/pki-tksd"
+PKI_TOTAL_PORTS=6
# Disallow 'others' the ability to 'write' to new files
umask 00002
-default_error=0
command="$1"
pki_instance="$2"
-case "${command}" in
- start|stop|restart|condrestart|force-restart|try-restart)
- # * 1 generic or unspecified error (current practice)
- default_error=1
- ;;
- reload)
- default_error=3
- ;;
- status)
- # * 4 program or service status is unknown
- default_error=4
- ;;
- *)
- # * 2 invalid argument(s)
- default_error=2
- ;;
-esac
-
-# Check to insure that this script's original invocation directory
-# has not been deleted!
-CWD=`/bin/pwd > /dev/null 2>&1`
-if [ $? -ne 0 ] ; then
- echo "Cannot invoke '$0' from non-existent directory!"
- exit ${default_error}
-fi
-
-# Check to insure that this script's associated PKI
-# subsystem currently resides on this system.
-if [ ! -d ${PKI_PATH} ] ; then
- echo "This machine is missing the '${PKI_TYPE}' subsystem!"
- if [ "${command}" != "status" ]; then
- # * 5 program is not installed
- exit 5
- else
- exit ${default_error}
- fi
-fi
-
-# Check to insure that this script's associated PKI
-# subsystem instance registry currently resides on this system.
-if [ ! -d ${PKI_REGISTRY} ] ; then
- echo "This machine contains no registered '${PKI_TYPE}' subsystem instances!"
- if [ "${command}" != "status" ]; then
- # * 5 program is not installed
- exit 5
- else
- exit ${default_error}
- fi
-fi
-
-# Obtain the operating system upon which this script is being executed
-OS=`uname -s`
-ARCHITECTURE=""
-
-# This script must be run as root!
-RV=0
-if [ ${OS} = "Linux" ] ; then
- PKI_INIT_SCRIPT="/sbin/service ${PKI_PROCESS}"
- if [ `id -u` -ne 0 ] ; then
- echo "Must be 'root' to execute '$0'!"
- if [ "${command}" != "status" ]; then
- # * 4 user had insufficient privilege
- exit 4
- else
- # * 4 program or service status is unknown
- exit 4
- fi
- fi
- ARCHITECTURE=`uname -i`
-elif [ ${OS} = "SunOS" ] ; then
- PKI_INIT_SCRIPT="/etc/init.d/${PKI_PROCESS}"
- if [ `/usr/xpg4/bin/id -u` -ne 0 ] ; then
- echo "Must be 'root' to execute '$0'!"
- if [ "${command}" != "status" ]; then
- # * 4 user had insufficient privilege
- exit 4
- else
- # * 4 program or service status is unknown
- exit 4
- fi
- fi
- ARCHITECTURE=`uname -p`
- if [ "${ARCHITECTURE}" = "sparc" ] &&
- [ -d "/usr/lib/sparcv9/" ] ; then
- ARCHITECTURE="sparcv9"
- fi
-else
- echo "Unsupported OS '${OS}'!"
- exit ${default_error}
-fi
# Source function library.
-if [ -f /etc/init.d/functions ]; then
- . /etc/init.d/functions
-else
- # The checkpid() function is provided for platforms that do not
- # contain the "/etc/init.d/functions" file (e. g. - Solaris) . . .
-
- # Check if ${pid} (could be plural) are running (keep count)
- checkpid()
- {
- rv=0
- for i in $* ; do
- ps -p $i > /dev/null 2>&1 ;
- if [ $? -ne 0 ] ; then
- rv=`expr ${rv} + 1`
- else
- rv=`expr ${rv} + 0`
- fi
- done
- # echo "rv=${rv}"
- return ${rv}
- }
-
- # Create the following directories on platforms
- # where they do not exist (e. g. - Solaris) . . .
- if [ ! -d "/var/lock" ] ; then
- mkdir -p /var/lock
- chown root:sys /var/lock
- chmod 00755 /var/lock
- fi
- if [ ! -d "/var/lock/subsys" ] ; then
- mkdir -p /var/lock/subsys
- chown root:root /var/lock/subsys
- chmod 00755 /var/lock/subsys
- fi
-
- #######################################################################
- ## NOTE: The following code needs to eventually be moved into the ##
- ## template used to create the ##
- ## "${PKI_INSTANCE_PATH}/conf/tomcat5.conf" file! ##
- #######################################################################
-
- if [ ${OS} = "SunOS" ] ; then
- DEFAULT_SOLARIS_JAVA_HOME="/usr/jdk/instances/jdk1.5.0/jre"
- DEFAULT_LINUX_JAVA_HOME="/usr/lib/jvm/jre"
- DEFAULT_LINUX_JAVA_HOME_PATH=`dirname ${DEFAULT_LINUX_JAVA_HOME}`
-
- # ensure that the Sun JRE 1.5.0 exists at the default location
- if [ -d ${DEFAULT_SOLARIS_JAVA_HOME} ] ; then
- # create the directory in which the symlink resides (if necessary)
- if [ ! -d ${DEFAULT_LINUX_JAVA_HOME_PATH} ] ; then
- mkdir -p ${DEFAULT_LINUX_JAVA_HOME_PATH}
- fi
- # create the actual symlink (if necessary)
- if [ ! -h ${DEFAULT_LINUX_JAVA_HOME} ] ; then
- ln -s ${DEFAULT_SOLARIS_JAVA_HOME} ${DEFAULT_LINUX_JAVA_HOME}
- fi
- else
- # for now, simply exit with an appropriate error message
- echo -n "The Solaris 1.5.0 JRE must be installed "
- echo -n "at \"${DEFAULT_SOLARIS_JAVA_HOME}\"!"
- echo
- echo
- exit ${default_error}
- fi
- fi
-fi
-
-PKI_REGISTRY_ENTRIES=""
-TOTAL_PKI_REGISTRY_ENTRIES=0
-TOTAL_UNCONFIGURED_PKI_ENTRIES=0
-
-# Gather ALL registered instances of this PKI subsystem type
-for FILE in `/bin/ls -1 ${PKI_REGISTRY}/* 2>/dev/null`; do
- if [ -f "$FILE" ] ; then
- inst=`echo "$FILE"`
- PKI_REGISTRY_ENTRIES="${PKI_REGISTRY_ENTRIES} $inst"
- TOTAL_PKI_REGISTRY_ENTRIES=`expr ${TOTAL_PKI_REGISTRY_ENTRIES} + 1`
- fi
-done
-
-if [ -n "${pki_instance}" ]; then
- for I in ${PKI_REGISTRY_ENTRIES}; do
- if [ "${PKI_REGISTRY}/${pki_instance}" = "$I" ]; then
- PKI_REGISTRY_ENTRIES="${PKI_REGISTRY}/${pki_instance}"
- TOTAL_PKI_REGISTRY_ENTRIES=1
- break
- fi
- done
-fi
-
-usage()
-{
- echo -n "Usage: ${PKI_INIT_SCRIPT} "
- echo -n "{start"
- echo -n "|stop"
- echo -n "|restart"
- echo -n "|condrestart"
- echo -n "|force-restart"
- echo -n "|try-restart"
- echo -n "|reload"
- echo -n "|status} "
- echo -n "[instance-name]"
- echo
- echo
-}
-
-list_instances()
-{
- echo
- for FILE in `/bin/ls -1 ${PKI_REGISTRY}/* 2>/dev/null`; do
- echo " ${FILE}"
- done
- echo
-}
-
-# Check arguments
-if [ $# -lt 1 ] ; then
- # * 3 unimplemented feature (for example, "reload")
- # [insufficient arguments]
- echo "$0: Insufficient arguments!"
- echo
- usage
- echo "where valid instance names include:"
- list_instances
- exit 3
-elif [ ${default_error} -eq 2 ] ; then
- # * 2 invalid argument
- echo "$0: Invalid arguments!"
- echo
- usage
- echo "where valid instance names include:"
- list_instances
- exit 2
-elif [ $# -gt 2 ] ; then
- echo "$0: Excess arguments!"
- echo
- usage
- echo "where valid instance names include:"
- list_instances
- if [ "${command}" != "status" ]; then
- # * 2 excess arguments
- exit 2
- else
- # * 4 program or service status is unknown
- exit 4
- fi
-fi
-
-# If an "instance" was supplied, check that it is a "valid" instance
-if [ -n "${pki_instance}" ]; then
- if [ "${PKI_REGISTRY}/${pki_instance}" != "${PKI_REGISTRY_ENTRIES}" ]; then
- echo -n "${pki_instance} is an invalid '${PKI_TYPE}' instance"
- echo_failure
- echo
- if [ "${command}" != "status" ]; then
- # * 5 program is not installed
- exit 5
- else
- # * 4 program or service status is unknown
- exit 4
- fi
- fi
-fi
-
-# On Solaris /var/run is in tmpfs and gets wiped out upon reboot
-# we have to recreate the ${PKI_PIDDIR} directory and make sure that
-# the directory is writable by the ${PKI_TYPE} server process.
-#
-# IMPORTANT: ALL PKI subsystems installed on this machine MUST utilize
-# the SAME values for ${PKI_GROUP} and ${PKI_USER}, since the
-# "${PKI_PIDDIR}" will end up with the ownership permissions
-# of the first instance that executes this function!
-#
-fix_pid_dir_ownership()
-{
- if [ ! -d ${PKI_PIDDIR} ] ; then
- mkdir -p ${PKI_PIDDIR}
-
- chown root:root /var/run/pki
- chmod 00755 /var/run/pki
-
- chown root:root ${PKI_PIDDIR}
- chmod 00755 ${PKI_PIDDIR}
- fi
-}
-
-check_pki_configuration_status()
-{
- rv=0
-
- rv=`grep -c ^preop ${pki_instance_configuration_file}`
-
- rv=`expr ${rv} + 0`
-
- if [ ${rv} -ne 0 ] ; then
- echo " '${PKI_INSTANCE_ID}' must still be CONFIGURED!"
- echo " (see /var/log/${PKI_INSTANCE_ID}-install.log)"
- if [ "${command}" != "status" ]; then
- # * 6 program is not configured
- rv=6
- else
- # * 4 program or service status is unknown
- rv=4
- fi
- TOTAL_UNCONFIGURED_PKI_ENTRIES=`expr ${TOTAL_UNCONFIGURED_PKI_ENTRIES} + 1`
- elif [ -f ${RESTART_SERVER} ] ; then
- echo -n " Although '${PKI_INSTANCE_ID}' has been CONFIGURED, "
- echo -n "it must still be RESTARTED!"
- echo
- if [ "${command}" != "status" ]; then
- # * 1 generic or unspecified error (current practice)
- rv=1
- else
- # * 4 program or service status is unknown
- rv=4
- fi
- fi
-
- return ${rv}
-}
-
-get_pki_status_definitions()
-{
- # establish well-known strings
- begin_pki_status_comment="<!-- DO NOT REMOVE - Begin PKI Status Definitions -->"
- end_pki_status_comment="<!-- DO NOT REMOVE - End PKI Status Definitions -->"
- total_ports=0
- unsecure_port_statement="Unsecure Port = "
- secure_agent_port_statement="Secure Agent Port = "
- secure_ee_port_statement="Secure EE Port = "
- secure_admin_port_statement="Secure Admin Port = "
- pki_console_port_statement="PKI Console Port = "
- tomcat_port_statement="Tomcat Port = "
-
- # initialize looping variables
- pki_status_comment_found=0
-
- # first check to see that an instance-specific "server.xml" file exists
- if [ ! -f ${PKI_SERVER_XML_CONF} ] ; then
- echo "File '${PKI_SERVER_XML_CONF}' does not exist!"
- exit ${default_error}
- fi
-
- # read this instance-specific "server.xml" file line-by-line
- # to obtain the current PKI Status Definitions
- exec < ${PKI_SERVER_XML_CONF}
- while read line; do
- # first look for the well-known end PKI Status comment
- # (to turn off processing)
- if [ "$line" == "$end_pki_status_comment" ] ; then
- pki_status_comment_found=0
- break;
- fi
-
- # then look for the well-known begin PKI Status comment
- # (to turn on processing)
- if [ "$line" == "$begin_pki_status_comment" ] ; then
- pki_status_comment_found=1
- fi
-
- # once the well-known begin PKI Status comment has been found,
- # begin processing to obtain all of the PKI Status Definitions
- if [ $pki_status_comment_found -eq 1 ] ; then
- # look for a PKI Status Definition and print it
- head=`echo "$line" | cut -b1-20`
- if [ "$head" == "$unsecure_port_statement" ] ||
- [ "$head" == "$secure_agent_port_statement" ] ||
- [ "$head" == "$secure_ee_port_statement" ] ||
- [ "$head" == "$secure_admin_port_statement" ] ||
- [ "$head" == "$pki_console_port_statement" ] ||
- [ "$head" == "$tomcat_port_statement" ] ; then
- echo " $line"
- total_ports=`expr ${total_ports} + 1`
- fi
- fi
- done
-
- if [ ${total_ports} -eq 6 ] ; then
- return 0
- else
- return ${default_error}
- fi
-}
-
-get_pki_configuration_definitions()
-{
- # Obtain the PKI Subsystem Type
- line=`grep ^cs.type= ${pki_instance_configuration_file}`
- pki_subsystem=`echo "${line}" | cut -b9-`
- if [ "${line}" != "" ] ; then
- if [ "${pki_subsystem}" != "CA" ] &&
- [ "${pki_subsystem}" != "KRA" ] &&
- [ "${pki_subsystem}" != "OCSP" ] &&
- [ "${pki_subsystem}" != "TKS" ] &&
- [ "${pki_subsystem}" != "RA" ] &&
- [ "${pki_subsystem}" != "TPS" ]
- then
- return ${default_error}
- fi
- if [ "${pki_subsystem}" == "KRA" ] ; then
- # Rename "KRA" to "DRM"
- pki_subsystem="DRM"
- fi
- else
- return ${default_error}
- fi
-
- # If "${pki_subsystem}" is a CA, DRM, OCSP, or TKS,
- # check to see if "${pki_subsystem}" is a "Clone"
- pki_clone=""
- if [ "${pki_subsystem}" == "CA" ] ||
- [ "${pki_subsystem}" == "DRM" ] ||
- [ "${pki_subsystem}" == "OCSP" ] ||
- [ "${pki_subsystem}" == "TKS" ]
- then
- line=`grep ^subsystem.select= ${pki_instance_configuration_file}`
- if [ "${line}" != "" ] ; then
- pki_clone=`echo "${line}" | cut -b18-`
- if [ "${pki_clone}" != "Clone" ] ; then
- # Reset "${pki_clone}" to be empty
- pki_clone=""
- fi
- else
- return ${default_error}
- fi
- fi
-
- # If "${pki_subsystem}" is a CA, and is NOT a "Clone", check to
- # see "${pki_subsystem}" is a "Root" or a "Subordinate" CA
- pki_hierarchy=""
- if [ "${pki_subsystem}" == "CA" ] &&
- [ "${pki_clone}" != "Clone" ]
- then
- line=`grep ^hierarchy.select= ${pki_instance_configuration_file}`
- if [ "${line}" != "" ] ; then
- pki_hierarchy=`echo "${line}" | cut -b18-`
- else
- return ${default_error}
- fi
- fi
-
- # If ${pki_subsystem} is a CA, check to
- # see if it is also a Security Domain
- pki_security_domain=""
- if [ "${pki_subsystem}" == "CA" ] ; then
- line=`grep ^securitydomain.select= ${pki_instance_configuration_file}`
- if [ "${line}" != "" ] ; then
- pki_security_domain=`echo "${line}" | cut -b23-`
- if [ "${pki_security_domain}" == "new" ] ; then
- # Set a fixed value for "${pki_security_domain}"
- pki_security_domain="(Security Domain)"
- else
- # Reset "${pki_security_domain}" to be empty
- pki_security_domain=""
- fi
- else
- return ${default_error}
- fi
- fi
-
- # Always obtain this PKI instance's "registered"
- # security domain information
- pki_security_domain_name=""
- pki_security_domain_hostname=""
- pki_security_domain_https_admin_port=""
-
- line=`grep ^securitydomain.name= ${pki_instance_configuration_file}`
- if [ "${line}" != "" ] ; then
- pki_security_domain_name=`echo "${line}" | cut -b21-`
- else
- return ${default_error}
- fi
-
- line=`grep ^securitydomain.host= ${pki_instance_configuration_file}`
- if [ "${line}" != "" ] ; then
- pki_security_domain_hostname=`echo "${line}" | cut -b21-`
- else
- return ${default_error}
- fi
-
- line=`grep ^securitydomain.httpsadminport= ${pki_instance_configuration_file}`
- if [ "${line}" != "" ] ; then
- pki_security_domain_https_admin_port=`echo "${line}" | cut -b31-`
- else
- return ${default_error}
- fi
-
- # Compose the "PKI Instance Name" Status Line
- pki_instance_name="PKI Instance Name: ${PKI_INSTANCE_ID}"
-
- # Compose the "PKI Subsystem Type" Status Line
- header="PKI Subsystem Type: "
- if [ "${pki_clone}" != "" ] ; then
- if [ "${pki_security_domain}" != "" ]; then
- # Possible Values:
- #
- # "CA Clone (Security Domain)"
- #
- data="${pki_subsystem} ${pki_clone} ${pki_security_domain}"
- else
- # Possible Values:
- #
- # "CA Clone"
- # "DRM Clone"
- # "OCSP Clone"
- # "TKS Clone"
- #
- data="${pki_subsystem} ${pki_clone}"
- fi
- elif [ "${pki_hierarchy}" != "" ] ; then
- if [ "${pki_security_domain}" != "" ]; then
- # Possible Values:
- #
- # "Root CA (Security Domain)"
- # "Subordinate CA (Security Domain)"
- #
- data="${pki_hierarchy} ${pki_subsystem} ${pki_security_domain}"
- else
- # Possible Values:
- #
- # "Root CA"
- # "Subordinate CA"
- #
- data="${pki_hierarchy} ${pki_subsystem}"
- fi
- else
- # Possible Values:
- #
- # "DRM"
- # "OCSP"
- # "RA"
- # "TKS"
- # "TPS"
- #
- data="${pki_subsystem}"
- fi
- pki_subsystem_type="${header} ${data}"
-
- # Compose the "Registered PKI Security Domain Information" Status Line
- header="Name: "
- registered_pki_security_domain_name="${header} ${pki_security_domain_name}"
-
- header="URL: "
- if [ "${pki_security_domain_hostname}" != "" ] &&
- [ "${pki_security_domain_https_admin_port}" != "" ]
- then
- data="https://${pki_security_domain_hostname}:${pki_security_domain_https_admin_port}"
- else
- return ${default_error}
- fi
- registered_pki_security_domain_url="${header} ${data}"
-
- # Print the "PKI Subsystem Type" Status Line
- echo
- echo " ${pki_instance_name}"
-
- # Print the "PKI Subsystem Type" Status Line
- echo
- echo " ${pki_subsystem_type}"
-
- # Print the "Registered PKI Security Domain Information" Status Line
- echo
- echo " Registered PKI Security Domain Information:"
- echo " =========================================================================="
- echo " ${registered_pki_security_domain_name}"
- echo " ${registered_pki_security_domain_url}"
- echo " =========================================================================="
-
- return 0
-}
-
-get_pki_secure_port()
-{
- # establish well-known strings
- begin_ssl_comment="<!-- DO NOT REMOVE - Begin define PKI secure port -->"
- end_ssl_comment="<!-- DO NOT REMOVE - End define PKI secure port -->"
- connector_statement="<Connector name=\""
-
- # initialize looping variables
- ssl_comment_found=0
-
- # first check to see that an instance-specific "server.xml" file exists
- if [ ! -f ${PKI_SERVER_XML_CONF} ] ; then
- echo "File '${PKI_SERVER_XML_CONF}' does not exist!"
- exit ${default_error}
- fi
-
- # read this instance-specific "server.xml" file line-by-line
- # to obtain the current value of the PKI secure port
- exec < ${PKI_SERVER_XML_CONF}
- while read line; do
- # first look for the well-known end SSL comment
- # (to turn off processing)
- if [ "$line" == "$end_ssl_comment" ] ; then
- ssl_comment_found=0
- fi
-
- # then look for the well-known begin SSL comment
- # (to turn on processing)
- if [ "$line" == "$begin_ssl_comment" ] ; then
- ssl_comment_found=1
- fi
-
- # once the well-known begin SSL comment has been found,
- # begin processing to obtain the numeric port information
- if [ $ssl_comment_found -eq 1 ] ; then
- # look for the next Connector statement
- head=`echo $line | cut -b1-17`
- if [ "$head" == "$connector_statement" ] ; then
- # once the Connector statement has been found,
- tail=`echo $line | cut -b18-`
- # extract the name of the connector
- name=`echo $tail | cut -d\" -f1`
- if [ "$name" == "Agent" ] ||
- [ "$name" == "Secure" ] ; then
- # extract the numeric port information
- port=`echo $tail | cut -d\" -f3`
- PKI_SECURE_PORT=$port
- return 0
- fi
- fi
- fi
- done
-
- return ${default_error}
-}
-
-display_instance_status()
-{
- rv=0
-
- if [ -f ${pidfile} ] ; then
- pid=`cat ${pidfile}`
- if [ "${pid}" == "" ] ; then
- echo "${PKI_INSTANCE_ID} pid file exists but is empty"
- if [ "${command}" != "status" ]; then
- # * 1 generic or unspecified error (current practice)
- rv=1
- else
- # * 4 program or service status is unknown
- rv=4
- fi
- elif kill -0 ${pid} > /dev/null 2>&1 ; then
- echo "${PKI_INSTANCE_ID} (pid ${pid}) is running ..."
- echo
- check_pki_configuration_status
- rv=$?
- if [ ${rv} -eq 0 ] ; then
- get_pki_status_definitions
- rv=$?
- if [ ${rv} -ne 0 ] ; then
- echo
- echo "${PKI_INSTANCE_ID} Status Definitions not found"
- else
- get_pki_configuration_definitions
- rv=$?
- if [ ${rv} -ne 0 ] ; then
- echo
- echo "${PKI_INSTANCE_ID} Configuration Definitions not found"
- fi
- fi
- else
- # From the PKI point of view for a "non-status" action,
- # a returned error code of "6" implies that the program
- # is not "configured". Similarly, an error code of "1"
- # implies that the program was "configured" but must
- # still be restarted.
- #
- # Similarly, from the PKI point of view for a "status"
- # action, a returned error code of "4" implies that either
- # the program is not "configured", or that the program
- # was "configured" but must still be restarted.
- #
- # Regardless, it must still be considered that the instance
- # is "running" from the viewpoint of other OS programs such
- # as 'chkconfig'.
- #
- # For this reason, when returning from
- # 'display_instance_status()', ignore non-zero return codes
- # returned from 'check_pki_configuration_status()'.
- #
- if [ "${command}" != "status" ]; then
- # * 0 action was successful
- rv=0
- else
- # * 0 program is running or service is OK
- rv=0
- fi
- fi
- echo
- else
- echo "${PKI_INSTANCE_ID} is dead but pid file exists"
- if [ "${command}" != "status" ]; then
- # * 1 generic or unspecified error (current practice)
- rv=1
- else
- # * 1 program is dead and /var/run pid file exists
- rv=1
- fi
- fi
- else
- echo "${PKI_INSTANCE_ID} is stopped"
- if [ "${command}" != "status" ]; then
- # * 7 program is not running
- rv=7
- else
- # * 3 program is not running
- rv=3
- fi
- fi
-
- return ${rv}
-}
-
-start_instance()
-{
- rv=0
-
- echo -n "Starting $TOMCAT_PROG: "
-
- if [ -f ${RESTART_SERVER} ] ; then
- rm -f ${RESTART_SERVER}
- fi
-
- if [ -f ${PKI_LOCKFILE} ] ; then
- if [ -f ${pidfile} ]; then
- read kpid < ${pidfile}
- if checkpid $kpid 2>&1; then
- echo
- echo "${PKI_INSTANCE_ID} (pid ${kpid}) is already running ..."
- echo
- check_pki_configuration_status
- rv=$?
- if [ ${rv} != 0 ]; then
- # From the PKI point of view for a "non-status" action,
- # a returned error code of "6" implies that the program
- # is not "configured". Similarly, an error code of "1"
- # implies that the program was "configured" but must
- # still be restarted.
- #
- # Regardless, it must still be considered that the instance
- # is "running" from the viewpoint of other OS programs such
- # as 'chkconfig'.
- #
- # For "non-status" actions, ignore return codes of "1"
- # from 'check_pki_configuration_status()'.
- #
- # However, for "non-status" actions that have a return
- # code of "6", return this value unchanged to
- # the calling routine so that the total number of
- # configuration errors may be counted.
- #
-
- echo
- if [ ${rv} = 1 ] ; then
- # * 0 action was successful
- return 0
- elif [ ${rv} = 6 ] ; then
- # * 6 program is not configured
- return 6
- else
- # should never be reached
- return ${rv}
- fi
- else
- return 0
- fi
- else
- echo
- echo -n "lock file found but no process "
- echo -n "running for pid $kpid, continuing"
- echo
- echo
- rm -f ${PKI_LOCKFILE}
- fi
- fi
- fi
-
- fix_pid_dir_ownership
-
- CATALINA_PID=${pidfile}
- export CATALINA_PID
- touch $CATALINA_PID
- chown $TOMCAT_USER:$TOMCAT_GROUP $CATALINA_PID
- chmod 00600 $CATALINA_PID
- [ -x /sbin/restorecon ] && /sbin/restorecon $CATALINA_PID
-
- # restore context for ncipher hsm
- [ -x /sbin/restorecon ] && [ -d /dev/nfast ] && /sbin/restorecon -R /dev/nfast
-
- # Always initialize CLASSPATH to start looking
- # in the local PKI classes directory . . .
- CLASSPATH=/usr/share/pki/classes
-
- if [ ${OS} = "Linux" ] ; then
- $TOMCAT_RELINK_SCRIPT
- elif [ ${OS} = "SunOS" ] ; then
- # The following definitions are provided for Solaris
- # platforms since they are unable to execute the
- # "/usr/share/tomcat5/bin/relink",
- # "/usr/bin/rebuild-jar-repository", and
- # "/usr/share/java-utils/java-functions" files . . .
-
- #######################################
- ## /var/lib/tomcat5/common/lib:
- #######################################
-
- # Build the tomcat jar classpath . . .
- CLASSPATH="$CLASSPATH":/usr/share/java/ant.jar
- CLASSPATH="$CLASSPATH":/usr/share/java/commons-collections.jar
- CLASSPATH="$CLASSPATH":/usr/share/java/commons-dbcp.jar
- CLASSPATH="$CLASSPATH":/usr/share/java/commons-el.jar
- CLASSPATH="$CLASSPATH":/usr/share/java/commons-logging-api.jar
- CLASSPATH="$CLASSPATH":/usr/share/java/commons-pool.jar
- CLASSPATH="$CLASSPATH":/usr/share/java/geronimo/spec-ejb-2.1.jar
- CLASSPATH="$CLASSPATH":/usr/share/java/geronimo/spec-j2ee-1.4.jar
- CLASSPATH="$CLASSPATH":/usr/share/java/geronimo/spec-j2ee-connector-1.5.jar
- CLASSPATH="$CLASSPATH":/usr/share/java/geronimo/spec-j2ee-deployment-1.1.jar
- CLASSPATH="$CLASSPATH":/usr/share/java/geronimo/spec-j2ee-jacc-1.0.jar
- CLASSPATH="$CLASSPATH":/usr/share/java/geronimo/spec-j2ee-management-1.0.jar
- CLASSPATH="$CLASSPATH":/usr/share/java/geronimo/spec-j2eeschema-1.0.jar
- CLASSPATH="$CLASSPATH":/usr/share/java/geronimo/spec-jms-1.1.jar
- CLASSPATH="$CLASSPATH":/usr/share/java/geronimo/spec-jsp-2.0.jar
- CLASSPATH="$CLASSPATH":/usr/share/java/geronimo/spec-jta-1.0.1B.jar
- CLASSPATH="$CLASSPATH":/usr/share/java/geronimo/spec-servlet-2.4.jar
- CLASSPATH="$CLASSPATH":/usr/share/java/jaf.jar
- CLASSPATH="$CLASSPATH":/usr/share/java/jakarta-commons-collections.jar
- CLASSPATH="$CLASSPATH":/usr/share/java/jakarta-commons-modeler.jar
- CLASSPATH="$CLASSPATH":/usr/share/java/jasper5-compiler.jar
- CLASSPATH="$CLASSPATH":/usr/share/java/jasper5-runtime.jar
- CLASSPATH="$CLASSPATH":/usr/share/java/javamail/imap.jar
- CLASSPATH="$CLASSPATH":/usr/share/java/javamail/mailapi.jar
- CLASSPATH="$CLASSPATH":/usr/share/java/javamail/nntp.jar
- CLASSPATH="$CLASSPATH":/usr/share/java/javamail/pop3.jar
- CLASSPATH="$CLASSPATH":/usr/share/java/javamail/providers.jar
- CLASSPATH="$CLASSPATH":/usr/share/java/javamail/smtp.jar
-
- # BEGIN LINUX-SPECIFIC FILE
- # CLASSPATH="$CLASSPATH":/usr/share/java/jdtCompilerAdapter.jar
- # CLASSPATH="$CLASSPATH":/usr/share/java/jdtcore.jar
- # CLASSPATH="$CLASSPATH":/usr/share/java/jsp.jar
- # END LINUX-SPECIFIC FILE
-
- CLASSPATH="$CLASSPATH":/usr/share/java/mx4j/mx4j.jar
- CLASSPATH="$CLASSPATH":/usr/share/java/mx4j/mx4j-impl.jar
- CLASSPATH="$CLASSPATH":/usr/share/java/mx4j/mx4j-jmx.jar
- CLASSPATH="$CLASSPATH":/usr/share/java/mx4j/mx4j-remote.jar
- CLASSPATH="$CLASSPATH":/usr/share/java/mx4j/mx4j-rimpl.jar
- CLASSPATH="$CLASSPATH":/usr/share/java/mx4j/mx4j-rjmx.jar
- CLASSPATH="$CLASSPATH":/usr/share/java/mx4j/mx4j-tools.jar
-
- # BEGIN LINUX-SPECIFIC FILE
- # CLASSPATH="$CLASSPATH":/usr/share/java/servlet.jar
- # END LINUX-SPECIFIC FILE
-
- CLASSPATH="$CLASSPATH":/usr/share/java/avalon-logkit.jar
- CLASSPATH="$CLASSPATH":/usr/share/java/cmsutil.jar
- CLASSPATH="$CLASSPATH":/usr/share/java/commons-logging.jar
- if [ "$ARCHITECTURE" = "sparc" ] ; then
- CLASSPATH="$CLASSPATH":/usr/lib/java/dirsec/jss4.jar
- elif [ "$ARCHITECTURE" = "sparcv9" ] ; then
- CLASSPATH="$CLASSPATH":/usr/lib/sparcv9/java/dirsec/jss4.jar
- fi
- CLASSPATH="$CLASSPATH":/usr/share/java/ldapjdk.jar
- CLASSPATH="$CLASSPATH":/var/lib/tomcat5/common/lib/naming-factory.jar
- CLASSPATH="$CLASSPATH":/var/lib/tomcat5/common/lib/naming-resources.jar
- CLASSPATH="$CLASSPATH":/usr/share/java/pki/nsutil.jar
- if [ "$ARCHITECTURE" = "sparc" ] ; then
- CLASSPATH="$CLASSPATH":/usr/lib/java/osutil.jar
- elif [ "$ARCHITECTURE" = "sparcv9" ] ; then
- CLASSPATH="$CLASSPATH":/usr/lib/sparcv9/java/osutil.jar
- fi
- CLASSPATH="$CLASSPATH":/usr/share/java/rhino.jar
- CLASSPATH="$CLASSPATH":/usr/share/java/servletapi5.jar
- if [ "$ARCHITECTURE" = "sparc" ] ; then
- CLASSPATH="$CLASSPATH":/usr/lib/java/symkey.jar
- elif [ "$ARCHITECTURE" = "sparcv9" ] ; then
- CLASSPATH="$CLASSPATH":/usr/lib/sparcv9/java/symkey.jar
- fi
- CLASSPATH="$CLASSPATH":/usr/share/java/velocity.jar
- CLASSPATH="$CLASSPATH":/usr/share/java/xalan-j2.jar
- CLASSPATH="$CLASSPATH":/usr/share/java/xerces-j2.jar
-
- # Relink tomcat jar repositories . . .
- cd /var/lib/tomcat5/common/lib
-
- if [ ! -e /var/lib/tomcat5/common/lib/\[ant\].jar ]; then
- ln -s /usr/share/java/ant.jar [ant].jar
- fi
- if [ ! -e /var/lib/tomcat5/common/lib/\[commons\-collections\].jar ]; then
- ln -s /usr/share/java/commons-collections.jar [commons-collections].jar
- fi
- if [ ! -e /var/lib/tomcat5/common/lib/\[commons\-dbcp\].jar ]; then
- ln -s /usr/share/java/commons-dbcp.jar [commons-dbcp].jar
- fi
- if [ ! -e /var/lib/tomcat5/common/lib/\[commons\-el\].jar ]; then
- ln -s /usr/share/java/commons-el.jar [commons-el].jar
- fi
- if [ ! -e /var/lib/tomcat5/common/lib/\[commons\-logging-api\].jar ]; then
- ln -s /usr/share/java/commons-logging-api.jar [commons-logging-api].jar
- fi
- if [ ! -e /var/lib/tomcat5/common/lib/\[commons\-pool\].jar ]; then
- ln -s /usr/share/java/commons-pool.jar [commons-pool].jar
- fi
- if [ ! -e /var/lib/tomcat5/common/lib/\[geronimo\]spec\-ejb\-2.1\-rc2.jar ]; then
- ln -s /usr/share/java/geronimo/spec-ejb-2.1-rc2.jar [geronimo]spec-ejb-2.1-rc2.jar
- fi
- if [ ! -e /var/lib/tomcat5/common/lib/\[geronimo\]spec\-ejb\-2.1.jar ]; then
- ln -s /usr/share/java/geronimo/spec-ejb-2.1.jar [geronimo]spec-ejb-2.1.jar
- fi
- if [ ! -e /var/lib/tomcat5/common/lib/\[geronimo\]spec\-j2ee\-1.4\-rc2.jar ]; then
- ln -s /usr/share/java/geronimo/spec-j2ee-1.4-rc2.jar [geronimo]spec-j2ee-1.4-rc2.jar
- fi
- if [ ! -e /var/lib/tomcat5/common/lib/\[geronimo\]spec\-j2ee\-1.4.jar ]; then
- ln -s /usr/share/java/geronimo/spec-j2ee-1.4.jar [geronimo]spec-j2ee-1.4.jar
- fi
- if [ ! -e /var/lib/tomcat5/common/lib/\[geronimo\]spec\-j2ee\-connector\-1.5\-rc2.jar ]; then
- ln -s /usr/share/java/geronimo/spec-j2ee-connector-1.5-rc2.jar [geronimo]spec-j2ee-connector-1.5-rc2.jar
- fi
- if [ ! -e /var/lib/tomcat5/common/lib/\[geronimo\]spec\-j2ee\-connector\-1.5.jar ]; then
- ln -s /usr/share/java/geronimo/spec-j2ee-connector-1.5.jar [geronimo]spec-j2ee-connector-1.5.jar
- fi
- if [ ! -e /var/lib/tomcat5/common/lib/\[geronimo\]spec\-j2ee\-deployment\-1.1\-rc2.jar ]; then
- ln -s /usr/share/java/geronimo/spec-j2ee-deployment-1.1-rc2.jar [geronimo]spec-j2ee-deployment-1.1-rc2.jar
- fi
- if [ ! -e /var/lib/tomcat5/common/lib/\[geronimo\]spec\-j2ee\-deployment\-1.1.jar ]; then
- ln -s /usr/share/java/geronimo/spec-j2ee-deployment-1.1.jar [geronimo]spec-j2ee-deployment-1.1.jar
- fi
- if [ ! -e /var/lib/tomcat5/common/lib/\[geronimo\]spec\-j2ee\-jacc\-1.0\-rc2.jar ]; then
- ln -s /usr/share/java/geronimo/spec-j2ee-jacc-1.0-rc2.jar [geronimo]spec-j2ee-jacc-1.0-rc2.jar
- fi
- if [ ! -e /var/lib/tomcat5/common/lib/\[geronimo\]spec\-j2ee\-jacc\-1.0.jar ]; then
- ln -s /usr/share/java/geronimo/spec-j2ee-jacc-1.0.jar [geronimo]spec-j2ee-jacc-1.0.jar
- fi
- if [ ! -e /var/lib/tomcat5/common/lib/\[geronimo\]spec\-j2ee\-management\-1.0\-rc2.jar ]; then
- ln -s /usr/share/java/geronimo/spec-j2ee-management-1.0-rc2.jar [geronimo]spec-j2ee-management-1.0-rc2.jar
- fi
- if [ ! -e /var/lib/tomcat5/common/lib/\[geronimo\]spec\-j2ee\-management\-1.0.jar ]; then
- ln -s /usr/share/java/geronimo/spec-j2ee-management-1.0.jar [geronimo]spec-j2ee-management-1.0.jar
- fi
- if [ ! -e /var/lib/tomcat5/common/lib/\[geronimo\]spec\-j2eeschema\-1.0\-M2.jar ]; then
- ln -s /usr/share/java/geronimo/spec-j2eeschema-1.0-M2.jar [geronimo]spec-j2eeschema-1.0-M2.jar
- fi
- if [ ! -e /var/lib/tomcat5/common/lib/\[geronimo\]spec\-j2eeschema\-1.0.jar ]; then
- ln -s /usr/share/java/geronimo/spec-j2eeschema-1.0.jar [geronimo]spec-j2eeschema-1.0.jar
- fi
- if [ ! -e /var/lib/tomcat5/common/lib/\[geronimo\]spec\-jms\-1.1\-rc2.jar ]; then
- ln -s /usr/share/java/geronimo/spec-jms-1.1-rc2.jar [geronimo]spec-jms-1.1-rc2.jar
- fi
- if [ ! -e /var/lib/tomcat5/common/lib/\[geronimo\]spec\-jms\-1.1.jar ]; then
- ln -s /usr/share/java/geronimo/spec-jms-1.1.jar [geronimo]spec-jms-1.1.jar
- fi
- if [ ! -e /var/lib/tomcat5/common/lib/\[geronimo\]spec\-jsp\-2.0\-rc2.jar ]; then
- ln -s /usr/share/java/geronimo/spec-jsp-2.0-rc2.jar [geronimo]spec-jsp-2.0-rc2.jar
- fi
- if [ ! -e /var/lib/tomcat5/common/lib/\[geronimo\]spec\-jsp\-2.0.jar ]; then
- ln -s /usr/share/java/geronimo/spec-jsp-2.0.jar [geronimo]spec-jsp-2.0.jar
- fi
- if [ ! -e /var/lib/tomcat5/common/lib/\[geronimo\]spec-jta-1.0.1B-rc2.jar ]; then
- ln -s /usr/share/java/geronimo/spec-jta-1.0.1B-rc2.jar [geronimo]spec-jta-1.0.1B-rc2.jar
- fi
- if [ ! -e /var/lib/tomcat5/common/lib/\[geronimo\]spec\-jta\-1.0.1B.jar ]; then
- ln -s /usr/share/java/geronimo/spec-jta-1.0.1B.jar [geronimo]spec-jta-1.0.1B.jar
- fi
- if [ ! -e /var/lib/tomcat5/common/lib/\[geronimo\]spec\-servlet\-2.4\-rc2.jar ]; then
- ln -s /usr/share/java/geronimo/spec-servlet-2.4-rc2.jar [geronimo]spec-servlet-2.4-rc2.jar
- fi
- if [ ! -e /var/lib/tomcat5/common/lib/\[geronimo\]spec\-servlet\-2.4.jar ]; then
- ln -s /usr/share/java/geronimo/spec-servlet-2.4.jar [geronimo]spec-servlet-2.4.jar
- fi
- if [ ! -e /var/lib/tomcat5/common/lib/\[jaf\].jar ]; then
- ln -s /usr/share/java/jaf.jar [jaf].jar
- fi
-
- ### BEGIN SOLARIS-SPECIFIC LINKS
- ### if [ ! -e /var/lib/tomcat5/common/lib/\[jakarta\-commons\-collections.jar\] ]; then
- ### ln -s /usr/share/java/jakarta-commons-collections.jar [jakarta-commons-collections.jar]
- ### fi
- ### if [ ! -e /var/lib/tomcat5/common/lib/\[jakarta\-commons\-modeler.jar\] ]; then
- ### ln -s /usr/share/java/jakarta-commons-modeler.jar [jakarta-commons-modeler.jar]
- ### fi
- ### END SOLARIS-SPECIFIC LINKS
-
- ### if [ ! -e /var/lib/tomcat5/common/lib/\[jasper5\-compiler\].jar ]; then
- ### ln -s /usr/share/java/jasper5-compiler.jar [jasper5-compiler].jar
- ### fi
- ### if [ ! -e /var/lib/tomcat5/common/lib/\[jasper5\-runtime\].jar ]; then
- ### ln -s /usr/share/java/jasper5-runtime.jar [jasper5-runtime].jar
- ### fi
-
- if [ ! -e /var/lib/tomcat5/common/lib/\[javamail\]imap\-1.3.1.jar ]; then
- ln -s /usr/share/java/javamail/imap-1.3.1.jar [javamail]imap-1.3.1.jar
- fi
- if [ ! -e /var/lib/tomcat5/common/lib/\[javamail\]imap.jar ]; then
- ln -s /usr/share/java/javamail/imap.jar [javamail]imap.jar
- fi
- if [ ! -e /var/lib/tomcat5/common/lib/\[javamail\]mailapi\-1.3.1.jar ]; then
- ln -s /usr/share/java/javamail/mailapi-1.3.1.jar [javamail]mailapi-1.3.1.jar
- fi
- if [ ! -e /var/lib/tomcat5/common/lib/\[javamail\]mailapi.jar ]; then
- ln -s /usr/share/java/javamail/mailapi.jar [javamail]mailapi.jar
- fi
- if [ ! -e /var/lib/tomcat5/common/lib/\[javamail\]nntp\-1.3.1.jar ]; then
- ln -s /usr/share/java/javamail/nntp-1.3.1.jar [javamail]nntp-1.3.1.jar
- fi
- if [ ! -e /var/lib/tomcat5/common/lib/\[javamail\]nntp.jar ]; then
- ln -s /usr/share/java/javamail/nntp.jar [javamail]nntp.jar
- fi
- if [ ! -e /var/lib/tomcat5/common/lib/\[javamail\]pop3\-1.3.1.jar ]; then
- ln -s /usr/share/java/javamail/pop3-1.3.1.jar [javamail]pop3-1.3.1.jar
- fi
- if [ ! -e /var/lib/tomcat5/common/lib/\[javamail\]pop3.jar ]; then
- ln -s /usr/share/java/javamail/pop3.jar [javamail]pop3.jar
- fi
- if [ ! -e /var/lib/tomcat5/common/lib/\[javamail\]providers\-1.3.1.jar ]; then
- ln -s /usr/share/java/javamail/providers-1.3.1.jar [javamail]providers-1.3.1.jar
- fi
- if [ ! -e /var/lib/tomcat5/common/lib/\[javamail\]providers.jar ]; then
- ln -s /usr/share/java/javamail/providers.jar [javamail]providers.jar
- fi
- if [ ! -e /var/lib/tomcat5/common/lib/\[javamail\]smtp\-1.3.1.jar ]; then
- ln -s /usr/share/java/javamail/smtp-1.3.1.jar [javamail]smtp-1.3.1.jar
- fi
- if [ ! -e /var/lib/tomcat5/common/lib/\[javamail\]smtp.jar ]; then
- ln -s /usr/share/java/javamail/smtp.jar [javamail]smtp.jar
- fi
-
- ### BEGIN LINUX-SPECIFIC LINKS
- ### if [ ! -e /var/lib/tomcat5/common/lib/\[jdtCompilerAdapter\].jar ]; then
- ### ln -s /usr/share/java/jdtCompilerAdapter.jar [jdtCompilerAdapter].jar
- ### fi
- ### if [ ! -e /var/lib/tomcat5/common/lib/\[jdtcore\].jar ]; then
- ### ln -s /usr/share/java/jdtcore.jar [jdtcore].jar
- ### fi
- ### if [ ! -e /var/lib/tomcat5/common/lib/\[jsp\].jar ]; then
- ### ln -s /usr/share/java/jsp.jar [jsp].jar
- ### fi
- ### END LINUX-SPECIFIC LINKS
-
- if [ ! -e /var/lib/tomcat5/common/lib/\[mx4j\]\[mx4j\].jar ]; then
- ln -s /usr/share/java/mx4j/mx4j.jar [mx4j][mx4j].jar
- fi
-
- ### BEGIN LINUX-SPECIFIC LINKS
- ### if [ ! -e /var/lib/tomcat5/common/lib/\[servlet\].jar ]; then
- ### ln -s /usr/share/java/servlet.jar [servlet].jar
- ### fi
- ### END LINUX-SPECIFIC LINKS
-
- ### BEGIN LINUX-SPECIFIC FILE BUT SOLARIS-SPECIFIC LINK
- if [ ! -e /var/lib/tomcat5/common/lib/avalon\-logkit.jar ]; then
- ln -s /usr/share/java/avalon-logkit.jar avalon-logkit.jar
- fi
- ### END LINUX-SPECIFIC FILE BUT SOLARIS-SPECIFIC LINK
-
- ### if [ ! -e /var/lib/tomcat5/common/lib/cmsutil.jar ]; then
- ### ln -s /usr/share/java/rphki/cmsutil.jar cmsutil.jar
- ### fi
-
- ### BEGIN LINUX-SPECIFIC FILE BUT SOLARIS-SPECIFIC LINK
- if [ ! -e /var/lib/tomcat5/common/lib/commons\-logging.jar ]; then
- ln -s /usr/share/java/commons-logging.jar commons-logging.jar
- fi
- ### END LINUX-SPECIFIC FILE BUT SOLARIS-SPECIFIC LINK
-
- ### if [ ! -e /var/lib/tomcat5/common/lib/jss4.jar ]; then
- ### if [ "$ARCHITECTURE" = "sparc" ] ; then
- ### ln -s /usr/lib/java/dirsec/jss4.jar jss4.jar
- ### elif [ "$ARCHITECTURE" = "sparcv9" ] ; then
- ### ln -s /usr/lib/sparcv9/java/dirsec/jss4.jar jss4.jar
- ### fi
- ### fi
- ### if [ ! -e /var/lib/tomcat5/common/lib/ldapjdk.jar ]; then
- ### ln -s /usr/share/java/ldapjdk.jar ldapjdk.jar
- ### fi
-
- ### naming-factory.jar
- ### naming-resources.jar
-
- ### if [ ! -e /var/lib/tomcat5/common/lib/nsutil.jar ]; then
- ### ln -s /usr/share/java/pki/nsutil.jar nsutil.jar
- ### fi
- ### if [ ! -e /var/lib/tomcat5/common/lib/osutil.jar ]; then
- ### if [ "$ARCHITECTURE" = "sparc" ] ; then
- ### ln -s /usr/lib/java/osutil.jar osutil.jar
- ### elif [ "$ARCHITECTURE" = "sparcv9" ] ; then
- ### ln -s /usr/lib/sparcv9/java/osutil.jar osutil.jar
- ### fi
- ### fi
- ### if [ ! -e /var/lib/tomcat5/common/lib/rhino.jar ]; then
- ### ln -s /usr/share/java/rhino.jar rhino.jar
- ### fi
-
- ### BEGIN SOLARIS-SPECIFIC LINKS
- ### if [ ! -e /var/lib/tomcat5/common/lib/\[servletapi5.jar\] ]; then
- ### ln -s /usr/share/java/servletapi5.jar [servletapi5.jar]
- ### fi
- ### END SOLARIS-SPECIFIC LINKS
-
- ### if [ ! -e /var/lib/tomcat5/common/lib/symkey.jar ]; then
- ### if [ "$ARCHITECTURE" = "sparc" ] ; then
- ### ln -s /usr/lib/java/symkey.jar symkey.jar
- ### elif [ "$ARCHITECTURE" = "sparcv9" ] ; then
- ### ln -s /usr/lib/sparcv9/java/symkey.jar symkey.jar
- ### fi
- ### fi
- ### if [ ! -e /var/lib/tomcat5/common/lib/velocity.jar ]; then
- ### ln -s /usr/share/java/velocity.jar velocity.jar
- ### fi
- ### if [ ! -e /var/lib/tomcat5/common/lib/xalan\-j2.jar ]; then
- ### ln -s /usr/share/java/xalan-j2.jar xalan-j2.jar
- ### fi
-
- if [ ! -e /var/lib/tomcat5/common/lib/xerces\-j2\-2.6.2.jar ]; then
- ln -s /usr/share/java/xerces-j2-2.6.2.jar xerces-j2-2.6.2.jar
- fi
-
- ### if [ ! -e /var/lib/tomcat5/common/lib/xerces\-j2.jar ]; then
- ### ln -s /usr/share/java/xerces-j2.jar xerces-j2.jar
- ### fi
+. /etc/init.d/functions
-
- #######################################
- ## /var/lib/tomcat5/common/endorsed:
- #######################################
-
- # Build the tomcat jar classpath . . .
- CLASSPATH="$CLASSPATH":/usr/share/java/xml-commons-apis.jar
-
- # BEGIN LINUX-SPECIFIC FILE
- # CLASSPATH="$CLASSPATH":/usr/share/java/jaxp_parser_impl.jar
- # END LINUX-SPECIFIC FILE
-
-
- # Relink tomcat jar repositories . . .
- cd /var/lib/tomcat5/common/endorsed
-
- ### BEGIN LINUX-SPECIFIC LINKS
- ### if [ ! -e /var/lib/tomcat5/common/endorsed/\[jaxp_parser_impl\].jar ]; then
- ### ln -s /usr/share/java/jaxp_parser_impl.jar [jaxp_parser_impl].jar
- ### fi
- ### END LINUX-SPECIFIC LINKS
-
- if [ ! -e /var/lib/tomcat5/common/endorsed/\[xml\-commons\-apis\].jar ]; then
- ln -s /usr/share/java/xml-commons-apis.jar [xml-commons-apis].jar
- fi
-
-
- #######################################
- ## /var/lib/tomcat5/server/lib:
- #######################################
-
- # Build the tomcat jar classpath . . .
- CLASSPATH="$CLASSPATH":/usr/share/java/catalina-ant5.jar
- CLASSPATH="$CLASSPATH":/usr/share/java/commons-beanutils.jar
- CLASSPATH="$CLASSPATH":/usr/share/java/commons-digester.jar
- CLASSPATH="$CLASSPATH":/usr/share/java/commons-el.jar
- CLASSPATH="$CLASSPATH":/usr/share/java/commons-fileupload.jar
- CLASSPATH="$CLASSPATH":/usr/share/java/commons-logging.jar
- CLASSPATH="$CLASSPATH":/usr/share/java/commons-modeler.jar
-
- # BEGIN LINUX-SPECIFIC FILE
- # CLASSPATH="$CLASSPATH":/usr/share/java/jdtCompilerAdapter.jar
- # CLASSPATH="$CLASSPATH":/usr/share/java/jdtcore.jar
- # END LINUX-SPECIFIC FILE
-
- CLASSPATH="$CLASSPATH":/usr/share/java/mx4j/mx4j.jar
- CLASSPATH="$CLASSPATH":/usr/share/java/mx4j/mx4j-impl.jar
- CLASSPATH="$CLASSPATH":/usr/share/java/mx4j/mx4j-jmx.jar
- CLASSPATH="$CLASSPATH":/usr/share/java/mx4j/mx4j-remote.jar
- CLASSPATH="$CLASSPATH":/usr/share/java/mx4j/mx4j-rimpl.jar
- CLASSPATH="$CLASSPATH":/usr/share/java/mx4j/mx4j-rjmx.jar
- CLASSPATH="$CLASSPATH":/usr/share/java/mx4j/mx4j-tools.jar
- CLASSPATH="$CLASSPATH":/usr/share/java/regexp.jar
- CLASSPATH="$CLASSPATH":/var/lib/tomcat5/server/lib/catalina-cluster.jar
- CLASSPATH="$CLASSPATH":/var/lib/tomcat5/server/lib/catalina-optional.jar
- CLASSPATH="$CLASSPATH":/var/lib/tomcat5/server/lib/catalina-storeconfig.jar
- CLASSPATH="$CLASSPATH":/var/lib/tomcat5/server/lib/catalina.jar
- if [ "$ARCHITECTURE" = "sparc" ] ; then
- CLASSPATH="$CLASSPATH":/usr/lib/java/dirsec/jss4.jar
- elif [ "$ARCHITECTURE" = "sparcv9" ] ; then
- CLASSPATH="$CLASSPATH":/usr/lib/sparcv9/java/dirsec/jss4.jar
- fi
- CLASSPATH="$CLASSPATH":/var/lib/tomcat5/server/lib/servlets-cgi.renametojar
- CLASSPATH="$CLASSPATH":/var/lib/tomcat5/server/lib/servlets-default.jar
- CLASSPATH="$CLASSPATH":/var/lib/tomcat5/server/lib/servlets-invoker.jar
- CLASSPATH="$CLASSPATH":/var/lib/tomcat5/server/lib/servlets-ssi.renametojar
- CLASSPATH="$CLASSPATH":/var/lib/tomcat5/server/lib/servlets-webdav.jar
- CLASSPATH="$CLASSPATH":/var/lib/tomcat5/server/lib/tomcat-ajp.jar
- CLASSPATH="$CLASSPATH":/var/lib/tomcat5/server/lib/tomcat-coyote.jar
- CLASSPATH="$CLASSPATH":/var/lib/tomcat5/server/lib/tomcat-http.jar
- CLASSPATH="$CLASSPATH":/var/lib/tomcat5/server/lib/tomcat-util.jar
- CLASSPATH="$CLASSPATH":/usr/share/java/tomcatjss.jar
-
-
- # Relink tomcat jar repositories . . .
- cd /var/lib/tomcat5/server/lib
-
- if [ ! -e /var/lib/tomcat5/server/lib/\[catalina\-ant5\].jar ]; then
- ln -s /usr/share/java/catalina-ant5.jar [catalina-ant5].jar
- fi
- if [ ! -e /var/lib/tomcat5/server/lib/\[commons\-beanutils\].jar ]; then
- ln -s /usr/share/java/commons-beanutils.jar [commons-beanutils].jar
- fi
- if [ ! -e /var/lib/tomcat5/server/lib/\[commons\-digester\].jar ]; then
- ln -s /usr/share/java/commons-digester.jar [commons-digester].jar
- fi
- if [ ! -e /var/lib/tomcat5/server/lib/\[commons\-el\].jar ]; then
- ln -s /usr/share/java/commons-el.jar [commons-el].jar
- fi
- if [ ! -e /var/lib/tomcat5/server/lib/\[commons\-fileupload\].jar ]; then
- ln -s /usr/share/java/commons-fileupload.jar [commons-fileupload].jar
- fi
- if [ ! -e /var/lib/tomcat5/server/lib/\[commons\-logging\].jar ]; then
- ln -s /usr/share/java/commons-logging.jar [commons-logging].jar
- fi
- if [ ! -e /var/lib/tomcat5/server/lib/\[commons\-modeler\].jar ]; then
- ln -s /usr/share/java/commons-modeler.jar [commons-modeler].jar
- fi
-
- ### BEGIN LINUX-SPECIFIC LINKS
- ### if [ ! -e /var/lib/tomcat5/server/lib/\[jdtCompilerAdapter\].jar ]; then
- ### ln -s /usr/share/java/jdtCompilerAdapter.jar [jdtCompilerAdapter].jar
- ### fi
- ### if [ ! -e /var/lib/tomcat5/server/lib/\[jdtcore\].jar ]; then
- ### ln -s /usr/share/java/jdtcore.jar [jdtcore].jar
- ### fi
- ### END LINUX-SPECIFIC LINKS
-
- if [ ! -e /var/lib/tomcat5/server/lib/\[mx4j\]\[mx4j\].jar ]; then
- ln -s /usr/share/java/mx4j/mx4j.jar [mx4j][mx4j].jar
- fi
- if [ ! -e /var/lib/tomcat5/server/lib/\[regexp\].jar ]; then
- ln -s /usr/share/java/regexp.jar [regexp].jar
- fi
-
- ### catalina-cluster.jar
- ### catalina-optional.jar
- ### catalina-storeconfig.jar
- ### catalina.jar
- ### if [ ! -e /var/lib/tomcat5/server/lib/jss4.jar ]; then
- ### if [ "$ARCHITECTURE" = "sparc" ] ; then
- ### ln -s /usr/lib/java/dirsec/jss4.jar jss4.jar
- ### elif [ "$ARCHITECTURE" = "sparcv9" ] ; then
- ### ln -s /usr/lib/sparcv9/java/dirsec/jss4.jar jss4.jar
- ### fi
- ### fi
- ### servlets-cgi.renametojar
- ### servlets-default.jar
- ### servlets-invoker.jar
- ### servlets-ssi.renametojar
- ### servlets-webdav.jar
- ### tomcat-ajp.jar
- ### tomcat-coyote.jar
- ### tomcat-http.jar
- ### tomcat-util.jar
- ### if [ ! -e /var/lib/tomcat5/server/lib/tomcatjss.jar ]; then
- ### ln -s /usr/share/java/tomcatjss.jar tomcatjss.jar
- ### fi
-
-
- #######################################
- ## /var/lib/tomcat5/shared/lib:
- #######################################
-
- # Build the tomcat jar classpath . . .
-
- export CLASSPATH
-
-
- # Relink tomcat jar repositories . . .
- cd /var/lib/tomcat5/shared/lib
- fi
-
- # daemon --user $TOMCAT_USER $TOMCAT_SCRIPT start
- if [ ${OS} = "SunOS" ] ; then
- su $TOMCAT_USER -c "$TOMCAT_SCRIPT start" > /dev/null
- else
- runuser -s /bin/bash $TOMCAT_USER -c "$TOMCAT_SCRIPT start" > /dev/null
- fi
-
- rv=$?
- if [ ${rv} = 0 ] ; then
- touch ${PKI_LOCKFILE}
- chown $TOMCAT_USER:$TOMCAT_GROUP $PKI_LOCKFILE
- chmod 00600 $PKI_LOCKFILE
- fi
-
- if [ ${rv} = 0 ] ; then
- count=0;
-
- let swait=$STARTUP_WAIT
- while [ ! -s ${pidfile} ] &&
- [ $count -lt $swait ]
- do
- echo -n "."
- sleep 1
- let count=$count+1;
- done
-
- if [ -f /etc/init.d/functions ]; then
- if [ "$CONSOLETYPE" = "serial" ]; then
- echo -n " "
- fi
- echo_success
- echo
- else
- echo " [ OK ]"
- fi
-
- get_pki_secure_port
- if [ $? -ne 0 ] ; then
- PKI_SECURE_PORT="<Port Undefined>"
- fi
-
- # Set permissions of log files
- pki_logs_directory=${PKI_INSTANCE_PATH}/logs
- pki_signedAudit="${pki_logs_directory}/signedAudit"
- for file in ${pki_logs_directory}/*; do
- if [ ! -d "${file}" ]; then
- chmod 00640 ${file}
- chgrp $TOMCAT_GROUP ${file}
- chown $TOMCAT_USER ${file}
- fi
- done
-
- # Set permissions of signedAudit log files
- # do not set the group id, this will be set by the sgid on the directory
- pki_signedAudit_files=`ls -1A ${pki_signedAudit} | wc -l`
- if [ ${pki_signedAudit_files} -gt 0 ]; then
- for file in ${pki_signedAudit}/*; do
- chmod 00640 ${file}
- chown $TOMCAT_USER ${file}
- done
- fi
-
- # ignore "status" return codes
- echo
- display_instance_status
- else
- if [ -f /etc/init.d/functions ]; then
- if [ "$CONSOLETYPE" = "serial" ]; then
- $0 echo -n " "
- fi
- echo_failure
- echo
- else
- echo " [ FAILED ]"
- fi
- fi
-
- sleep 5
- return ${rv}
-}
-
-stop_instance()
-{
- rv=0
-
- echo -n "Stopping $TOMCAT_PROG: "
-
- if [ -f ${PKI_LOCKFILE} ] ; then
- CATALINA_PID=${pidfile}
- export CATALINA_PID
-
- # daemon --user $TOMCAT_USER $TOMCAT_SCRIPT stop
- if [ ${OS} = "SunOS" ] ; then
- su $TOMCAT_USER -c "$TOMCAT_SCRIPT stop" > /dev/null
- else
- runuser -s /bin/bash $TOMCAT_USER -c "$TOMCAT_SCRIPT stop" > /dev/null
- fi
-
- rv=$?
-
- if [ ${rv} = 0 ]; then
- count=0;
-
- if [ -f ${pidfile} ]; then
- read kpid < ${pidfile}
- let kwait=$SHUTDOWN_WAIT
-
- until [ `ps -p $kpid | grep -c $kpid` = '0' ] ||
- [ $count -gt $kwait ]
- do
- echo -n "."
- sleep 1
- let count=$count+1;
- done
-
- if [ $count -gt $kwait ]; then
- kill -9 $kpid
- fi
- fi
-
- rm -f ${PKI_LOCKFILE}
- rm -f ${pidfile}
-
- if [ -f /etc/init.d/functions ]; then
- if [ "$CONSOLETYPE" = "serial" ]; then
- echo -n " "
- fi
- echo_success
- echo
- else
- echo " [ OK ]"
- fi
- else
- if [ -f /etc/init.d/functions ]; then
- if [ "$CONSOLETYPE" = "serial" ]; then
- echo -n " "
- fi
- echo_failure
- echo
- else
- echo " [ FAILED ]"
- fi
- rv=${default_error}
- fi
- else
- echo
- echo "process already stopped"
- rv=0
- fi
-
- return ${rv}
-}
-
-start()
-{
- # From "http://fedoraproject.org/wiki/FCNewInit/Initscripts":
- #
- # * 0 action was successful
- # * 1 generic or unspecified error (current practice)
- # * 2 invalid or excess argument(s)
- # * 3 unimplemented feature (for example, "reload")
- # * 4 user had insufficient privilege
- # * 5 program is not installed
- # * 6 program is not configured
- # * 7 program is not running
- # * 8-99 reserved for future LSB use
- # * 100-149 reserved for distribution use
- # * 150-199 reserved for application use
- # * 200-254 reserved
- #
-
- error_rv=0
- rv=0
-
- if [ -n "${PKI_REGISTRY_ENTRIES}" ]; then
- config_errors=0
- errors=0
-
- if [ ${TOTAL_PKI_REGISTRY_ENTRIES} -gt 1 ] ; then
- echo "BEGIN STARTING '${PKI_TYPE}' INSTANCE(S):"
- fi
-
- # Start every PKI instance of this type that isn't already running
- for PKI_REGISTRY_ENTRY in ${PKI_REGISTRY_ENTRIES}; do
- # Source values associated with this particular PKI instance
- [ -f ${PKI_REGISTRY_ENTRY} ] &&
- . ${PKI_REGISTRY_ENTRY}
-
- pidfile=${PKI_PIDDIR}/${PKI_PIDFILE}
-
- [ ${TOTAL_PKI_REGISTRY_ENTRIES} -gt 1 ] && echo
-
- start_instance
-
- rv=$?
- if [ ${rv} = 6 ] ; then
- # Since at least ONE configuration error exists, then there
- # is at least ONE unconfigured instance from the PKI point
- # of view.
- #
- # However, it must still be considered that the
- # instance is "running" from the point of view of other
- # OS programs such as 'chkconfig'.
- #
- # Therefore, ignore non-zero return codes resulting
- # from configuration errors.
- #
-
- config_errors=`expr $config_errors + 1`
- rv=0
- elif [ ${rv} != 0 ] ; then
- errors=`expr $errors + 1`
- error_rv=${rv}
- fi
- done
-
- if [ ${TOTAL_PKI_REGISTRY_ENTRIES} -gt ${errors} ] ; then
- touch ${lockfile}
- chmod 00600 ${lockfile}
- fi
-
- # ONLY print a "WARNING" message if multiple
- # instances are being examined
- if [ ${TOTAL_PKI_REGISTRY_ENTRIES} -gt 1 ] ; then
- # NOTE: "bad" return code(s) OVERRIDE configuration errors!
- if [ ${errors} -eq 1 ]; then
- # Since only ONE error exists, return that "bad" error code.
- rv=${error_rv}
- elif [ ${errors} -gt 1 ]; then
- # Since MORE than ONE error exists, return an OVERALL status
- # of "1 generic or unspecified error (current practice)"
- rv=1
- fi
-
- if [ ${errors} -ge 1 ]; then
- echo
- echo -n "WARNING: "
- echo -n "${errors} of ${TOTAL_PKI_REGISTRY_ENTRIES} "
- echo -n "'${PKI_TYPE}' instances failed to start!"
- echo
- fi
-
- if [ ${TOTAL_UNCONFIGURED_PKI_ENTRIES} -ge 1 ]; then
- echo
- echo -n "WARNING: "
- echo -n "${TOTAL_UNCONFIGURED_PKI_ENTRIES} "
- echo -n "of ${TOTAL_PKI_REGISTRY_ENTRIES} "
- echo -n "'${PKI_TYPE}' instances MUST be configured!"
- echo
- fi
-
- echo
- echo "FINISHED STARTING '${PKI_TYPE}' INSTANCE(S)."
- fi
- else
- echo
- echo "ERROR: No '${PKI_TYPE}' instances installed!"
- rv=5
- fi
-
- return ${rv}
-}
-
-stop()
-{
- # From "http://fedoraproject.org/wiki/FCNewInit/Initscripts":
- #
- # * 0 action was successful
- # * 1 generic or unspecified error (current practice)
- # * 2 invalid or excess argument(s)
- # * 3 unimplemented feature (for example, "reload")
- # * 4 user had insufficient privilege
- # * 5 program is not installed
- # * 6 program is not configured
- # * 7 program is not running
- # * 8-99 reserved for future LSB use
- # * 100-149 reserved for distribution use
- # * 150-199 reserved for application use
- # * 200-254 reserved
- #
-
- error_rv=0
- rv=0
-
- if [ -n "${PKI_REGISTRY_ENTRIES}" ]; then
- errors=0
-
- if [ ${TOTAL_PKI_REGISTRY_ENTRIES} -gt 1 ] ; then
- echo "BEGIN SHUTTING DOWN '${PKI_TYPE}' INSTANCE(S):"
- fi
-
- # Shutdown every PKI instance of this type that is running
- for PKI_REGISTRY_ENTRY in ${PKI_REGISTRY_ENTRIES}; do
- # Source values associated with this particular PKI instance
- [ -f ${PKI_REGISTRY_ENTRY} ] &&
- . ${PKI_REGISTRY_ENTRY}
-
- pidfile=${PKI_PIDDIR}/${PKI_PIDFILE}
-
- [ ${TOTAL_PKI_REGISTRY_ENTRIES} -gt 1 ] && echo
-
- stop_instance
-
- rv=$?
- if [ ${rv} != 0 ] ; then
- errors=`expr $errors + 1`
- error_rv=${rv}
- fi
- done
-
- if [ ${errors} -eq 0 ] ; then
- rm -f ${lockfile}
- fi
-
- # ONLY print a "WARNING" message if multiple
- # instances are being examined
- if [ ${TOTAL_PKI_REGISTRY_ENTRIES} -gt 1 ] ; then
- if [ ${errors} -eq 1 ]; then
- # Since only ONE error exists, return that "bad" error code.
- rv=${error_rv}
- elif [ ${errors} -gt 1 ]; then
- # Since MORE than ONE error exists, return an OVERALL status
- # of "1 generic or unspecified error (current practice)"
- rv=1
- fi
-
- if [ ${errors} -ge 1 ]; then
- echo
- echo -n "WARNING: "
- echo -n "${errors} of ${TOTAL_PKI_REGISTRY_ENTRIES} "
- echo -n "'${PKI_TYPE}' instances were "
- echo -n "unsuccessfully stopped!"
- echo
- fi
-
- echo
- echo "FINISHED SHUTTING DOWN '${PKI_TYPE}' INSTANCE(S)."
- fi
- else
- echo
- echo "ERROR: No '${PKI_TYPE}' instances installed!"
- rv=5
- fi
-
- return ${rv}
-}
-
-restart()
-{
- # From "http://fedoraproject.org/wiki/FCNewInit/Initscripts":
- #
- # * 0 action was successful
- # * 1 generic or unspecified error (current practice)
- # * 2 invalid or excess argument(s)
- # * 3 unimplemented feature (for example, "reload")
- # * 4 user had insufficient privilege
- # * 5 program is not installed
- # * 6 program is not configured
- # * 7 program is not running
- # * 8-99 reserved for future LSB use
- # * 100-149 reserved for distribution use
- # * 150-199 reserved for application use
- # * 200-254 reserved
- #
-
- stop
- sleep 2
- echo
- echo "============================================================"
- echo
- start
-
- return $?
-}
-
-status()
-{
- # From "http://fedoraproject.org/wiki/FCNewInit/Initscripts":
- #
- # * 0 program is running or service is OK
- # * 1 program is dead and /var/run pid file exists
- # * 2 program is dead and /var/lock lock file exists
- # * 3 program is not running
- # * 4 program or service status is unknown
- # * 5-99 reserved for future LSB use
- # * 100-149 reserved for distribution use
- # * 150-199 reserved for application use
- # * 200-254 reserved
- #
-
- error_rv=0
- rv=0
-
- if [ -n "${PKI_REGISTRY_ENTRIES}" ]; then
- errors=0
-
- if [ ${TOTAL_PKI_REGISTRY_ENTRIES} -gt 1 ] ; then
- echo "REPORT STATUS OF '${PKI_TYPE}' INSTANCE(S):"
- fi
-
- # Obtain status of every PKI instance of this type
- for PKI_REGISTRY_ENTRY in ${PKI_REGISTRY_ENTRIES}; do
- # Source values associated with this particular PKI instance
- [ -f ${PKI_REGISTRY_ENTRY} ] &&
- . ${PKI_REGISTRY_ENTRY}
-
- pidfile=${PKI_PIDDIR}/${PKI_PIDFILE}
-
- [ ${TOTAL_PKI_REGISTRY_ENTRIES} -gt 1 ] && echo
-
- display_instance_status
-
- rv=$?
- if [ ${rv} -ne 0 ] ; then
- errors=`expr $errors + 1`
- error_rv=${rv}
- fi
- done
-
- # ONLY print a "WARNING" message if multiple
- # instances are being examined
- if [ ${TOTAL_PKI_REGISTRY_ENTRIES} -gt 1 ] ; then
- if [ ${errors} -eq 1 ]; then
- # Since only ONE error exists, return that "bad" error code.
- rv=${error_rv}
- elif [ ${errors} -gt 1 ]; then
- # Since MORE than ONE error exists, return an OVERALL status
- # of "4 - program or service status is unknown"
- rv=4
- fi
-
- if [ ${errors} -ge 1 ]; then
- echo
- echo -n "WARNING: "
- echo -n "${errors} of ${TOTAL_PKI_REGISTRY_ENTRIES} "
- echo -n "'${PKI_TYPE}' instances reported status failures!"
- echo
- fi
-
- if [ ${TOTAL_UNCONFIGURED_PKI_ENTRIES} -ge 1 ]; then
- echo
- echo -n "WARNING: "
- echo -n "${TOTAL_UNCONFIGURED_PKI_ENTRIES} "
- echo -n "of ${TOTAL_PKI_REGISTRY_ENTRIES} "
- echo -n "'${PKI_TYPE}' instances MUST be configured!"
- echo
- fi
-
- echo
- echo "FINISHED REPORTING STATUS OF '${PKI_TYPE}' INSTANCE(S)."
- fi
- else
- echo
- echo "ERROR: No '${PKI_TYPE}' instances installed!"
- rv=4
- fi
-
- return ${rv}
-}
+# Source the PKI function library
+. /usr/share/pki/scripts/functions
# See how we were called.
-case "${command}" in
- start|stop|restart|status)
- ${command}
- exit $?
- ;;
- condrestart|force-restart|try-restart)
- [ ! -f ${lockfile} ] || restart
- exit $?
- ;;
- reload)
- echo "The 'reload' action is an unimplemented feature."
- exit ${default_error}
- ;;
- *)
- # * 3 unimplemented feature (for example, "reload")
- # [invalid command - should never be reached]
- echo
- usage
- echo "where valid instance names include:"
- list_instances
- exit 3
- ;;
+case $command in
+ status)
+ registry_status
+ exit $?
+ ;;
+ start)
+ start
+ exit $?
+ ;;
+ restart)
+ restart
+ exit $?
+ ;;
+ stop)
+ stop
+ exit $?
+ ;;
+ condrestart|force-restart|try-restart)
+ [ ! -f ${lockfile} ] || restart
+ exit $?
+ ;;
+ reload)
+ echo "The 'reload' action is an unimplemented feature."
+ exit ${default_error}
+ ;;
+ *)
+ echo "unknown action ($command)"
+ usage
+ echo "where valid instance names include:"
+ list_instances
+ exit ${default_error}
+ ;;
esac
diff --git a/pki/base/tps/Makefile.am b/pki/base/tps/Makefile.am
index 16cec1f81..a98fd8971 100644
--- a/pki/base/tps/Makefile.am
+++ b/pki/base/tps/Makefile.am
@@ -248,7 +248,7 @@ scripts_DATA = $(srcdir)/scripts/schemaMods.ldif \
scripts_SCRIPTS = $(srcdir)/scripts/nss_pcache
if LINUX
-setup_DATA = $(srcdir)/setup/config.desktop
+setup_DATA = $(srcdir)/setup/config.desktop $(srcdir)/setup/registry_instance
endif
templates_DATA = $(srcdir)/apache/pki_instance_command_wrapper \
diff --git a/pki/base/tps/Makefile.in b/pki/base/tps/Makefile.in
index b50254251..090edfeee 100644
--- a/pki/base/tps/Makefile.in
+++ b/pki/base/tps/Makefile.in
@@ -726,7 +726,7 @@ scripts_DATA = $(srcdir)/scripts/schemaMods.ldif \
$(srcdir)/scripts/addVLVIndexes.ldif
scripts_SCRIPTS = $(srcdir)/scripts/nss_pcache
-@LINUX_TRUE@setup_DATA = $(srcdir)/setup/config.desktop
+@LINUX_TRUE@setup_DATA = $(srcdir)/setup/config.desktop $(srcdir)/setup/registry_instance
templates_DATA = $(srcdir)/apache/pki_instance_command_wrapper \
$(srcdir)/apache/pki_subsystem_command_wrapper
diff --git a/pki/base/tps/apache/apachectl b/pki/base/tps/apache/apachectl
deleted file mode 100755
index 827512ef3..000000000
--- a/pki/base/tps/apache/apachectl
+++ /dev/null
@@ -1,189 +0,0 @@
-#!/bin/sh
-#
-# --- BEGIN COPYRIGHT BLOCK ---
-#
-# Copyright 2000-2004 The Apache Software Foundation
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-# Copyright (C) 2007 Red Hat, Inc.
-# All rights reserved.
-# --- END COPYRIGHT BLOCK ---
-#
-
-#
-# NOTICE: This "apachectl" script has been modified to support the
-# Token Processing System (TPS).
-#
-
-# Initialize environment variables
-LD_LIBRARY_PATH=[SYSTEM_USER_LIBRARIES]:[SYSTEM_LIBRARIES]:${LD_LIBRARY_PATH}
-LD_LIBRARY_PATH=[SECURITY_LIBRARIES]:${LD_LIBRARY_PATH}
-export LD_LIBRARY_PATH
-
-# see if httpd is linked with the openldap libraries - we need to override them
-OS=`uname -s`
-if [ $OS = "Linux" ]; then
- hasopenldap=0
-
- /usr/bin/ldd $httpd 2>&1 | grep libldap- > /dev/null 2>&1 && hasopenldap=1
-
- if [ $hasopenldap -eq 1 ] ; then
- LD_PRELOAD="[SYSTEM_USER_LIBRARIES]/libldap50.so"
- LD_PRELOAD="[SYSTEM_USER_LIBRARIES]/libssl3.so ${LD_PRELOAD}"
- export LD_PRELOAD
- fi
-fi
-
-#
-# Apache control script designed to allow an easy command line interface
-# to controlling Apache. Written by Marc Slemko, 1997/08/23
-#
-# The exit codes returned are:
-# XXX this doc is no longer correct now that the interesting
-# XXX functions are handled by [INSTANCE_ID]
-# 0 - operation completed successfully
-# 1 -
-# 2 - usage error
-# 3 - [INSTANCE_ID] could not be started
-# 4 - [INSTANCE_ID] could not be stopped
-# 5 - [INSTANCE_ID] could not be started during a restart
-# 6 - [INSTANCE_ID] could not be restarted during a restart
-# 7 - [INSTANCE_ID] could not be restarted during a graceful restart
-# 8 - configuration syntax error
-#
-# When multiple arguments are given, only the error from the _last_
-# one is reported. Run "apachectl help" for usage info
-#
-ARGV="$@"
-#
-# |||||||||||||||||||| START CONFIGURATION SECTION ||||||||||||||||||||
-# -------------------- --------------------
-#
-
-#
-# a command that outputs a formatted text version of the HTML at the
-# url given on the command line. Designed for lynx, however other
-# programs may work.
-if [ -x /usr/bin/links ]; then
- LYNX="links -dump"
-elif [ -x /usr/bin/lynx ]; then
- LYNX="lynx -dump"
-else
- LYNX="none"
-fi
-
-#
-# the URL to your server's mod_status status page. If you do not
-# have one, then status and fullstatus will not work.
-STATUSURL="http://localhost:80/server-status"
-#
-# Set this variable to a command that increases the maximum
-# number of file descriptors allowed per child process. This is
-# critical for configurations that use many file descriptors,
-# such as mass vhosting, or a multithreaded server.
-ULIMIT_MAX_FILES="ulimit -S -n `ulimit -H -n`"
-
-########################################################################
-# This section contains modified content of "/etc/sysconfig/httpd" #
-########################################################################
-# Configuration file for the [INSTANCE_ID] service.
-
-#
-# The default processing model (MPM) is the process-based
-# 'prefork' model. A thread-based model, 'worker', is also
-# available, but does not work with some modules (such as PHP).
-# The service must be stopped before changing this variable.
-#
-HTTPD=[FORTITUDE_DIR]/sbin/httpd.worker
-
-#
-# To pass additional options (for instance, -D definitions) to the
-# httpd binary at startup, set OPTIONS here.
-#
-OPTIONS="-f [HTTPD_CONF]"
-
-#
-# By default, the httpd process is started in the C locale; to
-# change the locale in which the server runs, the HTTPD_LANG
-# variable can be set.
-#
-HTTPD_LANG=C
-########################################################################
-# #
-########################################################################
-
-# Set the maximum number of file descriptors allowed per child process.
-if [ "x$ULIMIT_MAX_FILES" != "x" ] ; then
- $ULIMIT_MAX_FILES
-fi
-
-ERROR=0
-if [ "x$ARGV" = "x" ] ; then
- ARGV="-h"
-fi
-
-function checklynx() {
-if [ "$LYNX" = "none" ]; then
- echo "The 'links' package is required for this functionality."
- exit 8
-fi
-}
-
-function testconfig() {
-# [INSTANCE_ID] is denied terminal access in SELinux, so run in the
-# current context to get stdout from $HTTPD -t.
-if test -x /usr/sbin/selinuxenabled && /usr/sbin/selinuxenabled; then
- runcon -- `id -Z` $HTTPD $OPTIONS -t
-else
- $HTTPD $OPTIONS -t
-fi
-ERROR=$?
-}
-
-case $ARGV in
-restart|graceful)
- if $HTTPD -t >&/dev/null; then
- $HTTPD $OPTIONS -k $ARGV
- ERROR=$?
- else
- echo "apachectl: Configuration syntax error, will not run \"$ARGV\":"
- testconfig
- fi
- ;;
-start|stop)
- $HTTPD $OPTIONS -k $ARGV
- ERROR=$?
- ;;
-startssl|sslstart|start-SSL)
- $HTTPD $OPTIONS -DSSL -k start
- ERROR=$?
- ;;
-configtest)
- testconfig
- ;;
-status)
- checklynx
- $LYNX $STATUSURL | awk ' /process$/ { print; exit } { print } '
- ;;
-fullstatus)
- checklynx
- $LYNX $STATUSURL
- ;;
-*)
- $HTTPD $OPTIONS $ARGV
- ERROR=$?
-esac
-
-exit $ERROR
-
diff --git a/pki/base/tps/apache/conf/httpd.conf b/pki/base/tps/apache/conf/httpd.conf
index 5ad748f55..878a4e655 100644
--- a/pki/base/tps/apache/conf/httpd.conf
+++ b/pki/base/tps/apache/conf/httpd.conf
@@ -78,7 +78,7 @@ ServerRoot "[SERVER_ROOT]"
# identification number when it starts.
#
<IfModule !mpm_netware.c>
-PidFile run/[INSTANCE_ID].pid
+PidFile run/[PKI_INSTANCE_ID].pid
</IfModule>
#
@@ -268,7 +268,7 @@ LoadModule tokendb_module [FORTITUDE_MODULE]/mod_tokendb.so
</Location>
#
-# Load config files from the config directory "/etc/[INSTANCE_ID]/conf.d".
+# Load config files from the config directory "/etc/[PKI_INSTANCE_ID]/conf.d".
#
#Include conf.d/*.conf
Include [SERVER_ROOT]/conf/perl.conf
@@ -295,10 +295,10 @@ Include [SERVER_ROOT]/conf/perl.conf
<IfModule !mpm_winnt.c>
<IfModule !mpm_netware.c>
#
-# If you wish [INSTANCE_ID] to run as a different user or group, you must run
-# [INSTANCE_ID] as root initially and it will switch.
+# If you wish [PKI_INSTANCE_ID] to run as a different user or group, you must run
+# [PKI_INSTANCE_ID] as root initially and it will switch.
#
-# User/Group: The name (or #number) of the user/group to run [INSTANCE_ID] as.
+# User/Group: The name (or #number) of the user/group to run [PKI_INSTANCE_ID] as.
# . On SCO (ODT 3) use "User nouser" and "Group nogroup".
# . On HPUX you may not be able to use shared memory as nobody, and the
# suggested workaround is to create a user www and use that user.
@@ -306,8 +306,8 @@ Include [SERVER_ROOT]/conf/perl.conf
# when the value of (unsigned)Group is above 60000;
# don't use Group #-1 on these systems!
#
-User [USERID]
-Group [GROUPID]
+User [PKI_USER]
+Group [PKI_GROUP]
#Group #-1
</IfModule>
</IfModule>
diff --git a/pki/base/tps/apache/conf/nss.conf b/pki/base/tps/apache/conf/nss.conf
index 70c64116f..2e0b0ecae 100644
--- a/pki/base/tps/apache/conf/nss.conf
+++ b/pki/base/tps/apache/conf/nss.conf
@@ -101,7 +101,7 @@ NSSProtocol SSLv3,TLSv1
# SSL Certificate Nickname:
# The nickname of the server certificate you are going to use.
-NSSNickname "Server-Cert cert-[INSTANCE_ID]"
+NSSNickname "Server-Cert cert-[PKI_INSTANCE_ID]"
# Server Certificate Database:
# The NSS security database directory that holds the certificates and
@@ -196,7 +196,7 @@ NSSProtocol SSLv3,TLSv1
# SSL Certificate Nickname:
# The nickname of the server certificate you are going to use.
-NSSNickname "Server-Cert cert-[INSTANCE_ID]"
+NSSNickname "Server-Cert cert-[PKI_INSTANCE_ID]"
# Server Certificate Database:
# The NSS security database directory that holds the certificates and
diff --git a/pki/base/tps/build.xml b/pki/base/tps/build.xml
index ebfbeb225..603560b2c 100644
--- a/pki/base/tps/build.xml
+++ b/pki/base/tps/build.xml
@@ -184,7 +184,12 @@
<include name="lib/**"/>
<include name="samples/**"/>
<include name="scripts/**"/>
- <include name="setup/config.desktop"/>
+ </zipfileset>
+ <zipfileset dir="./setup"
+ filemode="644"
+ prefix="usr/share/${product.prefix}/${product}/setup">
+ <include name="config.desktop"/>
+ <include name="registry_instance"/>
</zipfileset>
<zipfileset dir="."
filemode="755"
@@ -230,7 +235,12 @@
<include name="lib/**"/>
<include name="samples/**"/>
<include name="scripts/**"/>
- <include name="setup/config.desktop"/>
+ </tarfileset>
+ <tarfileset dir="./setup"
+ mode="644"
+ prefix="usr/share/${product.prefix}/${product}/setup">
+ <include name="config.desktop"/>
+ <include name="registry_instance"/>
</tarfileset>
<tarfileset dir="."
mode="755"
diff --git a/pki/base/tps/doc/CS.cfg b/pki/base/tps/doc/CS.cfg
index 5e5c7e30c..32a88010d 100644
--- a/pki/base/tps/doc/CS.cfg
+++ b/pki/base/tps/doc/CS.cfg
@@ -18,15 +18,15 @@
# All rights reserved.
# --- END COPYRIGHT BLOCK ---
#
-pkicreate.pki_instance_root=[INSTANCE_ROOT]
-pkicreate.pki_instance_name=[INSTANCE_ID]
-pkicreate.subsystem_type=[SUBSYSTEM_TYPE]
+pkicreate.pki_instance_root=[PKI_INSTANCE_ROOT]
+pkicreate.pki_instance_name=[PKI_INSTANCE_ID]
+pkicreate.subsystem_type=[PKI_SUBSYSTEM_TYPE]
pkicreate.secure_port=[SECURE_PORT]
pkicreate.non_clientauth_secure_port=[NON_CLIENTAUTH_SECURE_PORT]
pkicreate.unsecure_port=[PORT]
-pkicreate.user=[USERID]
-pkicreate.group=[GROUPID]
-pkiremove.cert.subsystem.nickname=subsystemCert cert-[INSTANCE_ID]
+pkicreate.user=[PKI_USER]
+pkicreate.group=[PKI_GROUP]
+pkiremove.cert.subsystem.nickname=subsystemCert cert-[PKI_INSTANCE_ID]
cs.type=TPS
selftests._000=##
selftests._001=## Self Tests
@@ -47,7 +47,7 @@ service.instanceDir=[SERVER_ROOT]
service.securePort=[SECURE_PORT]
service.non_clientauth_securePort=[NON_CLIENTAUTH_SECURE_PORT]
service.unsecurePort=[PORT]
-service.instanceID=[INSTANCE_ID]
+service.instanceID=[PKI_INSTANCE_ID]
logging._000=#########################################
logging._001=# RA configuration File
logging._002=#
@@ -111,7 +111,7 @@ logging.audit.filename=[SERVER_ROOT]/logs/tps-audit.log
logging.audit.signedAuditFilename=[SERVER_ROOT]/logs/signedAudit/tps_audit
logging.audit.level=10
logging.audit.logSigning=false
-logging.audit.signedAuditCertNickname=auditSigningCert cert-[INSTANCE_ID]
+logging.audit.signedAuditCertNickname=auditSigningCert cert-[PKI_INSTANCE_ID]
logging.audit.selected.events=AUTHZ_SUCCESS,AUTHZ_FAIL,AUTH_FAIL,AUTH_SUCCESS,ROLE_ASSUME,ENROLLMENT,PIN_RESET,FORMAT,CONFIG,CONFIG_ROLE,CONFIG_TOKEN,CONFIG_PROFILE,CONFIG_AUDIT,APPLET_UPGRADE,KEY_CHANGEOVER,RENEWAL
logging.audit.selectable.events=AUTHZ_SUCCESS,AUTHZ_FAIL,AUTH_FAIL,AUTH_SUCCESS,ROLE_ASSUME,ENROLLMENT,PIN_RESET,FORMAT,CONFIG,CONFIG_ROLE,CONFIG_TOKEN,CONFIG_PROFILE,CONFIG_AUDIT,APPLET_UPGRADE,KEY_CHANGEOVER,RENEWAL
logging.audit.nonselectable.events=AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,LOGGING_SIGNED_AUDIT_SIGNING
@@ -371,33 +371,33 @@ preop.cert.sslserver.enable=true
preop.cert.subsystem.enable=true
preop.cert.audit_signing.enable=false
preop.cert.sslserver.defaultSigningAlgorithm=SHA1withRSA
-preop.cert.sslserver.dn=CN=[SERVER_NAME], OU=[INSTANCE_ID]
+preop.cert.sslserver.dn=CN=[SERVER_NAME], OU=[PKI_INSTANCE_ID]
preop.cert.sslserver.keysize.customsize=2048
preop.cert.sslserver.keysize.size=2048
preop.cert.sslserver.keysize.select=custom
-preop.cert.sslserver.nickname=Server-Cert cert-[INSTANCE_ID]
+preop.cert.sslserver.nickname=Server-Cert cert-[PKI_INSTANCE_ID]
preop.cert.sslserver.profile=caInternalAuthServerCert
preop.cert.sslserver.subsystem=tps
preop.cert._003=#preop.cert.sslserver.type=local
preop.cert.sslserver.userfriendlyname=SSL Server Certificate
preop.cert._004=#preop.cert.sslserver.cncomponent.override=false
preop.cert.subsystem.defaultSigningAlgorithm=SHA1withRSA
-preop.cert.subsystem.dn=CN=TPS Subsystem Certificate, OU=[INSTANCE_ID]
+preop.cert.subsystem.dn=CN=TPS Subsystem Certificate, OU=[PKI_INSTANCE_ID]
preop.cert.subsystem.keysize.customsize=2048
preop.cert.subsystem.keysize.size=2048
preop.cert.subsystem.keysize.select=custom
-preop.cert.subsystem.nickname=subsystemCert cert-[INSTANCE_ID]
+preop.cert.subsystem.nickname=subsystemCert cert-[PKI_INSTANCE_ID]
preop.cert.subsystem.profile=caInternalAuthSubsystemCert
preop.cert.subsystem.subsystem=tps
preop.cert._005=#preop.cert.subsystem.type=local
preop.cert.subsystem.userfriendlyname=Subsystem Certificate
preop.cert._006=#preop.cert.subsystem.cncomponent.override=true
preop.cert.audit_signing.defaultSigningAlgorithm=SHA1withRSA
-preop.cert.audit_signing.dn=CN=TPS Audit Signing Certificate, OU=[INSTANCE_ID]
+preop.cert.audit_signing.dn=CN=TPS Audit Signing Certificate, OU=[PKI_INSTANCE_ID]
preop.cert.audit_signing.keysize.customsize=2048
preop.cert.audit_signing.keysize.size=2048
preop.cert.audit_signing.keysize.select=custom
-preop.cert.audit_signing.nickname=auditSigningCert cert-[INSTANCE_ID]
+preop.cert.audit_signing.nickname=auditSigningCert cert-[PKI_INSTANCE_ID]
preop.cert.audit_signing.profile=caInternalAuthAuditSigningCert
preop.cert.audit_signing.subsystem=tps
preop.cert._005=#preop.cert.audit_signing.type=local
diff --git a/pki/base/tps/etc/init.d/pki-tpsd b/pki/base/tps/etc/init.d/pki-tpsd
index ff542a7f2..0631954c2 100755
--- a/pki/base/tps/etc/init.d/pki-tpsd
+++ b/pki/base/tps/etc/init.d/pki-tpsd
@@ -1,1439 +1,83 @@
#!/bin/bash
#
# --- BEGIN COPYRIGHT BLOCK ---
-# This library is free software; you can redistribute it and/or
-# modify it under the terms of the GNU Lesser General Public
-# License as published by the Free Software Foundation;
-# version 2.1 of the License.
-#
-# This library is distributed in the hope that it will be useful,
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; version 2 of the License.
+#
+# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
-# Lesser General Public License for more details.
-#
-# You should have received a copy of the GNU Lesser General Public
-# License along with this library; if not, write to the Free Software
-# Foundation, Inc., 51 Franklin Street, Fifth Floor,
-# Boston, MA 02110-1301 USA
-#
-# Copyright (C) 2007 Red Hat, Inc.
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License along
+# with this program; if not, write to the Free Software Foundation, Inc.,
+# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# Copyright (C) 2007-2010 Red Hat, Inc.
# All rights reserved.
# --- END COPYRIGHT BLOCK ---
#
-#
# pki-tpsd Startup script for the Apache HTTP pki-tps Server
#
# chkconfig: - 87 13
-# description: Token Processing System \
-# (Apache 2.2)
+# description: Token Processing System (Apache)
# processname: pki-tpsd
# piddir: /var/run/pki/tps
# config: ${PKI_SERVER_ROOT}/conf/httpd.conf
-PKI_INIT_SCRIPT=""
+PROG_NAME=`basename $0`
+SERVICE_NAME="pki-tpsd"
+SERVICE_PROG="/sbin/service"
PKI_PATH="/usr/share/pki/tps"
-PKI_PIDDIR="/var/run/pki/tps"
-PKI_PROCESS="pki-tpsd"
PKI_REGISTRY="/etc/sysconfig/pki/tps"
-PKI_SELINUX_TYPE="pki_tps_t"
PKI_TYPE="pki-tps"
-
-# PKI subsystem-level directory and file values for locks
-lockfile="/var/lock/subsys/pki-tpsd"
+PKI_TOTAL_PORTS=3
# Disallow 'others' the ability to 'write' to new files
umask 00002
-default_error=0
command="$1"
pki_instance="$2"
-case "${command}" in
- start|stop|restart|condrestart|force-restart|try-restart)
- # * 1 generic or unspecified error (current practice)
- default_error=1
- ;;
- reload)
- default_error=3
- ;;
- status)
- # * 4 program or service status is unknown
- default_error=4
- ;;
- *)
- # * 2 invalid argument(s)
- default_error=2
- ;;
-esac
-
-# Check to insure that this script's original invocation directory
-# has not been deleted!
-CWD=`/bin/pwd > /dev/null 2>&1`
-if [ $? -ne 0 ] ; then
- echo "Cannot invoke '$0' from non-existent directory!"
- exit ${default_error}
-fi
-
-# Check to insure that this script's associated PKI
-# subsystem currently resides on this system.
-if [ ! -d ${PKI_PATH} ] ; then
- echo "This machine is missing the '${PKI_TYPE}' subsystem!"
- if [ "${command}" != "status" ]; then
- # * 5 program is not installed
- exit 5
- else
- exit ${default_error}
- fi
-fi
-
-# Check to insure that this script's associated PKI
-# subsystem instance registry currently resides on this system.
-if [ ! -d ${PKI_REGISTRY} ] ; then
- echo "This machine contains no registered '${PKI_TYPE}' subsystem instances!"
- if [ "${command}" != "status" ]; then
- # * 5 program is not installed
- exit 5
- else
- exit ${default_error}
- fi
-fi
-
-# Obtain the operating system upon which this script is being executed
-# and initialize environment variables
-OS=`uname -s`
-ARCHITECTURE=""
-LD_LIBRARY_PATH=""
-
-# Time to wait in seconds, before killing process
-#
-# NOTE: Defined in "tomcat5.conf" for PKI Java/Tomcat Subsystems.
-#
-STARTUP_WAIT=30
-SHUTDOWN_WAIT=30
-
-# This script must be run as root!
-RV=0
-if [ ${OS} = "Linux" ] ; then
- PKI_INIT_SCRIPT="/sbin/service ${PKI_PROCESS}"
- if [ `id -u` -ne 0 ] ; then
- echo "Must be 'root' to execute '$0'!"
- if [ "${command}" != "status" ]; then
- # * 4 user had insufficient privilege
- exit 4
- else
- # * 4 program or service status is unknown
- exit 4
- fi
- fi
- ARCHITECTURE=`uname -i`
- if [ ${ARCHITECTURE} = "i386" ] ; then
- LD_LIBRARY_PATH="/usr/lib:/lib:${LD_LIBRARY_PATH}"
- elif [ ${ARCHITECTURE} = "x86_64" ] ; then
- LD_LIBRARY_PATH="/usr/lib64:/lib64:${LD_LIBRARY_PATH}"
- else
- echo "Unsupported architecture '${ARCHITECTURE}'!"
- exit ${default_error}
- fi
-elif [ ${OS} = "SunOS" ] ; then
- PKI_INIT_SCRIPT="/etc/init.d/${PKI_PROCESS}"
- if [ `/usr/xpg4/bin/id -u` -ne 0 ] ; then
- echo "Must be 'root' to execute '$0'!"
- if [ "${command}" != "status" ]; then
- # * 4 user had insufficient privilege
- exit 4
- else
- # * 4 program or service status is unknown
- exit 4
- fi
- fi
- ARCHITECTURE=`uname -p`
- if [ "${ARCHITECTURE}" = "sparc" ] &&
- [ -d "/usr/lib/sparcv9/" ] ; then
- ARCHITECTURE="sparcv9"
- fi
- if [ ${ARCHITECTURE} = "sparcv9" ] ; then
- LD_LIBRARY_PATH="/usr/lib/sparcv9:/lib/sparcv9:${LD_LIBRARY_PATH}"
- LD_LIBRARY_PATH="/usr/lib/sparcv9/dirsec:${LD_LIBRARY_PATH}"
- else
- echo "Unsupported architecture '${ARCHITECTURE}'!"
- exit ${default_error}
- fi
-else
- echo "Unsupported OS '${OS}'!"
- exit ${default_error}
-fi
-export LD_LIBRARY_PATH
# Source function library.
-if [ -f /etc/init.d/functions ]; then
- . /etc/init.d/functions
-else
- # The checkpid() function is provided for platforms that do not
- # contain the "/etc/init.d/functions" file (e. g. - Solaris) . . .
-
- # Check if ${pid} (could be plural) are running (keep count)
- checkpid()
- {
- rv=0
- for i in $* ; do
- ps -p $i > /dev/null 2>&1 ;
- if [ $? -ne 0 ] ; then
- rv=`expr $rv + 1`
- else
- rv=`expr $rv + 0`
- fi
- done
- # echo "rv=$rv"
- return $rv
- }
-
- # Create the following directories on platforms
- # where they do not exist (e. g. - Solaris) . . .
- if [ ! -d "/var/lock" ] ; then
- mkdir -p /var/lock
- chown root:sys /var/lock
- chmod 00755 /var/lock
- fi
- if [ ! -d "/var/lock/subsys" ] ; then
- mkdir -p /var/lock/subsys
- chown root:root /var/lock/subsys
- chmod 00755 /var/lock/subsys
- fi
-fi
-
-PKI_REGISTRY_ENTRIES=""
-TOTAL_PKI_REGISTRY_ENTRIES=0
-TOTAL_UNCONFIGURED_PKI_ENTRIES=0
-
-# Gather ALL registered instances of this PKI subsystem type
-for FILE in `/bin/ls -1 ${PKI_REGISTRY}/* 2>/dev/null`; do
- if [ -f "$FILE" ] ; then
- inst=`echo "$FILE"`
- PKI_REGISTRY_ENTRIES="${PKI_REGISTRY_ENTRIES} $inst"
- TOTAL_PKI_REGISTRY_ENTRIES=`expr ${TOTAL_PKI_REGISTRY_ENTRIES} + 1`
- fi
-done
-
-if [ -n "${pki_instance}" ]; then
- for I in ${PKI_REGISTRY_ENTRIES}; do
- if [ "${PKI_REGISTRY}/${pki_instance}" = "$I" ]; then
- PKI_REGISTRY_ENTRIES="${PKI_REGISTRY}/${pki_instance}"
- TOTAL_PKI_REGISTRY_ENTRIES=1
- break
- fi
- done
-fi
-
-usage()
-{
- echo -n "Usage: ${PKI_INIT_SCRIPT} "
- echo -n "{start"
- echo -n "|stop"
- echo -n "|restart"
- echo -n "|condrestart"
- echo -n "|force-restart"
- echo -n "|try-restart"
- echo -n "|reload"
- echo -n "|status} "
- echo -n "[instance-name]"
- echo
- echo
-}
-
-list_instances()
-{
- echo
- for FILE in `/bin/ls -1 ${PKI_REGISTRY}/* 2>/dev/null`; do
- echo " ${FILE}"
- done
- echo
-}
-
-# Check arguments
-if [ $# -lt 1 ] ; then
- # * 3 unimplemented feature (for example, "reload")
- # [insufficient arguments]
- echo "$0: Insufficient arguments!"
- echo
- usage
- echo "where valid instance names include:"
- list_instances
- exit 3
-elif [ ${default_error} -eq 2 ] ; then
- # * 2 invalid argument
- echo "$0: Invalid arguments!"
- echo
- usage
- echo "where valid instance names include:"
- list_instances
- exit 2
-elif [ $# -gt 2 ] ; then
- echo "$0: Excess arguments!"
- echo
- usage
- echo "where valid instance names include:"
- list_instances
- if [ "${command}" != "status" ]; then
- # * 2 excess arguments
- exit 2
- else
- # * 4 program or service status is unknown
- exit 4
- fi
-fi
-
-# If an "instance" was supplied, check that it is a "valid" instance
-if [ -n "${pki_instance}" ]; then
- if [ "${PKI_REGISTRY}/${pki_instance}" != "${PKI_REGISTRY_ENTRIES}" ]; then
- echo -n "${pki_instance} is an invalid '${PKI_TYPE}' instance"
- echo_failure
- echo
- if [ "${command}" != "status" ]; then
- # * 5 program is not installed
- exit 5
- else
- # * 4 program or service status is unknown
- exit 4
- fi
- fi
-fi
-
-# On Solaris /var/run is in tmpfs and gets wiped out upon reboot
-# we have to recreate the ${PKI_PIDDIR} directory and make sure that
-# the directory is writable by the ${PKI_TYPE} server process.
-#
-# IMPORTANT: ALL PKI subsystems installed on this machine MUST utilize
-# the SAME values for ${PKI_GROUP} and ${PKI_USER}, since the
-# "${PKI_PIDDIR}" will end up with the ownership permissions
-# of the first instance that executes this function!
-#
-fix_pid_dir_ownership()
-{
- if [ ! -d ${PKI_PIDDIR} ] ; then
- mkdir -p ${PKI_PIDDIR}
-
- chown root:root /var/run/pki
- chmod 00755 /var/run/pki
-
- chown root:root ${PKI_PIDDIR}
- chmod 00755 ${PKI_PIDDIR}
- fi
-}
-
-check_pki_configuration_status()
-{
- rv=0
-
- rv=`grep -c ^preop ${pki_instance_configuration_file}`
-
- rv=`expr ${rv} + 0`
-
- if [ ${rv} -ne 0 ] ; then
- echo " '${PKI_INSTANCE_ID}' must still be CONFIGURED!"
- echo " (see /var/log/${PKI_INSTANCE_ID}-install.log)"
- if [ "${command}" != "status" ]; then
- # * 6 program is not configured
- rv=6
- else
- # * 4 program or service status is unknown
- rv=4
- fi
- TOTAL_UNCONFIGURED_PKI_ENTRIES=`expr ${TOTAL_UNCONFIGURED_PKI_ENTRIES} + 1`
- elif [ -f ${RESTART_SERVER} ] ; then
- echo -n " Although '${PKI_INSTANCE_ID}' has been CONFIGURED, "
- echo -n "it must still be RESTARTED!"
- echo
- if [ "${command}" != "status" ]; then
- # * 1 generic or unspecified error (current practice)
- rv=1
- else
- # * 4 program or service status is unknown
- rv=4
- fi
- fi
-
- return ${rv}
-}
-
-get_pki_status_definitions()
-{
- # establish well-known strings
- listen_statement="Listen"
- total_ports=0
- UNSECURE_PORT=""
- CLIENTAUTH_PORT=""
- NON_CLIENTAUTH_PORT=""
-
- # check to see that an instance-specific "httpd.conf" file exists
- if [ ! -f ${PKI_HTTPD_CONF} ] ; then
- echo "File '${PKI_HTTPD_CONF}' does not exist!"
- exit ${default_error}
- fi
-
- # check to see that an instance-specific "nss.conf" file exists
- if [ ! -f ${PKI_NSS_CONF} ] ; then
- echo "File '${PKI_NSS_CONF}' does not exist!"
- exit ${default_error}
- fi
-
- # read this instance-specific "httpd.conf" file line-by-line
- # to obtain the current value of the PKI unsecure port
-
- exec < ${PKI_HTTPD_CONF}
- while read line; do
- # look for the listen statement
- head=`echo $line | cut -b1-6`
- if [ "$head" == "$listen_statement" ] ; then
- # once the 'unsecure' listen statement has been found,
- # extract the numeric port information
- port=`echo $line | cut -b8-`
- UNSECURE_PORT=$port
- echo " Unsecure Port = http://${PKI_SERVER_NAME}:${UNSECURE_PORT}/cgi-bin/so/enroll.cgi"
- echo " (ESC Security Officer Enrollment)"
- echo " Unsecure Port = http://${PKI_SERVER_NAME}:${UNSECURE_PORT}/cgi-bin/home/index.cgi"
- echo " (ESC Phone Home)"
- total_ports=`expr ${total_ports} + 1`
- break;
- fi
- done
-
- # read this instance-specific "nss.conf" file line-by-line
- # to obtain the current value of the "clientauth" PKI secure port
- # AND the current value of the "non-clientauth" PKI secure port
-
- exec < ${PKI_NSS_CONF}
- while read line; do
- # look for the listen statement
- head=`echo $line | cut -b1-6`
- if [ "$head" == "$listen_statement" ] &&
- [ ${total_ports} -eq 2 ] ; then
- # once the 'non-clientauth' listen statement has been found,
- # extract the numeric port information
- non_clientauth_port=`echo $line | cut -b8-`
- NON_CLIENTAUTH_PORT=$non_clientauth_port
- echo " Secure Non-Clientauth Port = https://${PKI_SERVER_NAME}:${NON_CLIENTAUTH_PORT}/cgi-bin/so/enroll.cgi"
- echo " (ESC Security Officer Enrollment)"
- echo " Secure Non-Clientauth Port = https://${PKI_SERVER_NAME}:${NON_CLIENTAUTH_PORT}/cgi-bin/home/index.cgi"
- echo " (ESC Phone Home)"
- total_ports=`expr ${total_ports} + 1`
- break
- fi
- if [ "$head" == "$listen_statement" ] &&
- [ ${total_ports} -eq 1 ] ; then
- # once the 'clientauth' listen statement has been found,
- # extract the numeric port information
- clientauth_port=`echo $line | cut -b8-`
- CLIENTAUTH_PORT=$clientauth_port
- echo " Secure Clientauth Port = https://${PKI_SERVER_NAME}:${CLIENTAUTH_PORT}/cgi-bin/sow/welcome.cgi"
- echo " (ESC Security Officer Workstation)"
- echo " Secure Clientauth Port = https://${PKI_SERVER_NAME}:${CLIENTAUTH_PORT}/tus"
- echo " (TPS Roles - Operator/Administrator/Agent)"
- total_ports=`expr ${total_ports} + 1`
- fi
- done
-
- if [ ${total_ports} -eq 3 ] ; then
- return 0
- else
- return ${default_error}
- fi
-}
-
-get_pki_configuration_definitions()
-{
- # Obtain the PKI Subsystem Type
- line=`grep ^cs.type= ${pki_instance_configuration_file}`
- pki_subsystem=`echo "${line}" | cut -b9-`
- if [ "${line}" != "" ] ; then
- if [ "${pki_subsystem}" != "CA" ] &&
- [ "${pki_subsystem}" != "KRA" ] &&
- [ "${pki_subsystem}" != "OCSP" ] &&
- [ "${pki_subsystem}" != "TKS" ] &&
- [ "${pki_subsystem}" != "RA" ] &&
- [ "${pki_subsystem}" != "TPS" ]
- then
- return ${default_error}
- fi
- if [ "${pki_subsystem}" == "KRA" ] ; then
- # Rename "KRA" to "DRM"
- pki_subsystem="DRM"
- fi
- else
- return ${default_error}
- fi
-
- # If "${pki_subsystem}" is a CA, DRM, OCSP, or TKS,
- # check to see if "${pki_subsystem}" is a "Clone"
- pki_clone=""
- if [ "${pki_subsystem}" == "CA" ] ||
- [ "${pki_subsystem}" == "DRM" ] ||
- [ "${pki_subsystem}" == "OCSP" ] ||
- [ "${pki_subsystem}" == "TKS" ]
- then
- line=`grep ^subsystem.select= ${pki_instance_configuration_file}`
- if [ "${line}" != "" ] ; then
- pki_clone=`echo "${line}" | cut -b18-`
- if [ "${pki_clone}" != "Clone" ] ; then
- # Reset "${pki_clone}" to be empty
- pki_clone=""
- fi
- else
- return ${default_error}
- fi
- fi
-
- # If "${pki_subsystem}" is a CA, and is NOT a "Clone", check to
- # see "${pki_subsystem}" is a "Root" or a "Subordinate" CA
- pki_hierarchy=""
- if [ "${pki_subsystem}" == "CA" ] &&
- [ "${pki_clone}" != "Clone" ]
- then
- line=`grep ^hierarchy.select= ${pki_instance_configuration_file}`
- if [ "${line}" != "" ] ; then
- pki_hierarchy=`echo "${line}" | cut -b18-`
- else
- return ${default_error}
- fi
- fi
-
- # If ${pki_subsystem} is a CA, check to
- # see if it is also a Security Domain
- pki_security_domain=""
- if [ "${pki_subsystem}" == "CA" ] ; then
- line=`grep ^securitydomain.select= ${pki_instance_configuration_file}`
- if [ "${line}" != "" ] ; then
- pki_security_domain=`echo "${line}" | cut -b23-`
- if [ "${pki_security_domain}" == "new" ] ; then
- # Set a fixed value for "${pki_security_domain}"
- pki_security_domain="(Security Domain)"
- else
- # Reset "${pki_security_domain}" to be empty
- pki_security_domain=""
- fi
- else
- return ${default_error}
- fi
- fi
-
- # Always obtain this PKI instance's "registered"
- # security domain information
- pki_security_domain_name=""
- pki_security_domain_hostname=""
- pki_security_domain_https_admin_port=""
-
- line=`grep ^securitydomain.name= ${pki_instance_configuration_file}`
- if [ "${line}" != "" ] ; then
- pki_security_domain_name=`echo "${line}" | cut -b21-`
- else
- return ${default_error}
- fi
-
- line=`grep ^securitydomain.host= ${pki_instance_configuration_file}`
- if [ "${line}" != "" ] ; then
- pki_security_domain_hostname=`echo "${line}" | cut -b21-`
- else
- return ${default_error}
- fi
-
- line=`grep ^securitydomain.httpsadminport= ${pki_instance_configuration_file}`
- if [ "${line}" != "" ] ; then
- pki_security_domain_https_admin_port=`echo "${line}" | cut -b31-`
- else
- return ${default_error}
- fi
-
- # Compose the "PKI Instance Name" Status Line
- pki_instance_name="PKI Instance Name: ${PKI_INSTANCE_ID}"
-
- # Compose the "PKI Subsystem Type" Status Line
- header="PKI Subsystem Type: "
- if [ "${pki_clone}" != "" ] ; then
- if [ "${pki_security_domain}" != "" ]; then
- # Possible Values:
- #
- # "CA Clone (Security Domain)"
- #
- data="${pki_subsystem} ${pki_clone} ${pki_security_domain}"
- else
- # Possible Values:
- #
- # "CA Clone"
- # "DRM Clone"
- # "OCSP Clone"
- # "TKS Clone"
- #
- data="${pki_subsystem} ${pki_clone}"
- fi
- elif [ "${pki_hierarchy}" != "" ] ; then
- if [ "${pki_security_domain}" != "" ]; then
- # Possible Values:
- #
- # "Root CA (Security Domain)"
- # "Subordinate CA (Security Domain)"
- #
- data="${pki_hierarchy} ${pki_subsystem} ${pki_security_domain}"
- else
- # Possible Values:
- #
- # "Root CA"
- # "Subordinate CA"
- #
- data="${pki_hierarchy} ${pki_subsystem}"
- fi
- else
- # Possible Values:
- #
- # "DRM"
- # "OCSP"
- # "RA"
- # "TKS"
- # "TPS"
- #
- data="${pki_subsystem}"
- fi
- pki_subsystem_type="${header} ${data}"
-
- # Compose the "Registered PKI Security Domain Information" Status Line
- header="Name: "
- registered_pki_security_domain_name="${header} ${pki_security_domain_name}"
-
- header="URL: "
- if [ "${pki_security_domain_hostname}" != "" ] &&
- [ "${pki_security_domain_https_admin_port}" != "" ]
- then
- data="https://${pki_security_domain_hostname}:${pki_security_domain_https_admin_port}"
- else
- return ${default_error}
- fi
- registered_pki_security_domain_url="${header} ${data}"
-
- # Print the "PKI Subsystem Type" Status Line
- echo
- echo " ${pki_instance_name}"
-
- # Print the "PKI Subsystem Type" Status Line
- echo
- echo " ${pki_subsystem_type}"
-
- # Print the "Registered PKI Security Domain Information" Status Line
- echo
- echo " Registered PKI Security Domain Information:"
- echo " =========================================================================="
- echo " ${registered_pki_security_domain_name}"
- echo " ${registered_pki_security_domain_url}"
- echo " =========================================================================="
-
- return 0
-}
-
-get_pki_secure_port()
-{
- # establish well-known strings
- listen_statement="Listen"
-
- # first check to see that an instance-specific "nss.conf" file exists
- if [ ! -f ${PKI_NSS_CONF} ] ; then
- echo "File '${PKI_NSS_CONF}' does not exist!"
- exit ${default_error}
- fi
-
- # read this instance-specific "nss.conf" file line-by-line
- # to obtain the current value of the "clientauth" PKI secure port
- exec < ${PKI_NSS_CONF}
- while read line; do
- # look for the listen statement
- head=`echo $line | cut -b1-6`
- if [ "$head" == "$listen_statement" ] ; then
- # once the 'clientauth' listen statement has been found,
- # extract the numeric port information
- port=`echo $line | cut -b8-`
- SECURE_PORT=$port
- return 0
- fi
- done
-
- return ${default_error}
-}
-
-display_instance_status()
-{
- rv=0
-
- if [ -f ${pidfile} ] ; then
- pid=`cat ${pidfile}`
- if [ "${pid}" == "" ] ; then
- echo "${PKI_INSTANCE_ID} pid file exists but is empty"
- if [ "${command}" != "status" ]; then
- # * 1 generic or unspecified error (current practice)
- rv=1
- else
- # * 4 program or service status is unknown
- rv=4
- fi
- elif kill -0 ${pid} > /dev/null 2>&1 ; then
- echo "${PKI_INSTANCE_ID} (pid ${pid}) is running ..."
- echo
- check_pki_configuration_status
- rv=$?
- if [ ${rv} -eq 0 ] ; then
- get_pki_status_definitions
- rv=$?
- if [ ${rv} -ne 0 ] ; then
- echo
- echo "${PKI_INSTANCE_ID} Status Definitions not found"
- else
- get_pki_configuration_definitions
- rv=$?
- if [ ${rv} -ne 0 ] ; then
- echo
- echo "${PKI_INSTANCE_ID} Configuration Definitions not found"
- fi
- fi
- else
- # From the PKI point of view for a "non-status" action,
- # a returned error code of "6" implies that the program
- # is not "configured". Similarly, an error code of "1"
- # implies that the program was "configured" but must
- # still be restarted.
- #
- # Similarly, from the PKI point of view for a "status"
- # action, a returned error code of "4" implies that either
- # the program is not "configured", or that the program
- # was "configured" but must still be restarted.
- #
- # Regardless, it must still be considered that the instance
- # is "running" from the viewpoint of other OS programs such
- # as 'chkconfig'.
- #
- # For this reason, when returning from
- # 'display_instance_status()', ignore non-zero return codes
- # returned from 'check_pki_configuration_status()'.
- #
- if [ "${command}" != "status" ]; then
- # * 0 action was successful
- rv=0
- else
- # * 0 program is running or service is OK
- rv=0
- fi
- fi
- echo
- else
- echo "${PKI_INSTANCE_ID} is dead but pid file exists"
- if [ "${command}" != "status" ]; then
- # * 1 generic or unspecified error (current practice)
- rv=1
- else
- # * 1 program is dead and /var/run pid file exists
- rv=1
- fi
- fi
- else
- echo "${PKI_INSTANCE_ID} is stopped"
- if [ "${command}" != "status" ]; then
- # * 7 program is not running
- rv=7
- else
- # * 3 program is not running
- rv=3
- fi
- fi
-
- return ${rv}
-}
-
-start_instance()
-{
- rv=0
-
- echo -n $"Starting ${prog}: "
-
- if [ -f ${RESTART_SERVER} ] ; then
- rm -f ${RESTART_SERVER}
- fi
-
- if [ -f ${PKI_LOCKFILE} ] ; then
- if [ -f ${pidfile} ]; then
- read kpid < ${pidfile}
- if checkpid $kpid 2>&1; then
- echo
- echo "${PKI_INSTANCE_ID} (pid ${kpid}) is already running ..."
- echo
- check_pki_configuration_status
- rv=$?
- if [ ${rv} != 0 ]; then
- # From the PKI point of view for a "non-status" action,
- # a returned error code of "6" implies that the program
- # is not "configured". Similarly, an error code of "1"
- # implies that the program was "configured" but must
- # still be restarted.
- #
- # Regardless, it must still be considered that the instance
- # is "running" from the viewpoint of other OS programs such
- # as 'chkconfig'.
- #
- # For "non-status" actions, ignore return codes of "1"
- # from 'check_pki_configuration_status()'.
- #
- # However, for "non-status" actions that have a return
- # code of "6", return this value unchanged to
- # the calling routine so that the total number of
- # configuration errors may be counted.
- #
-
- echo
- if [ ${rv} = 1 ] ; then
- # * 0 action was successful
- return 0
- elif [ ${rv} = 6 ] ; then
- # * 6 program is not configured
- return 6
- else
- # should never be reached
- return ${rv}
- fi
- else
- return 0
- fi
- else
- echo
- echo -n "lock file found but no process "
- echo -n "running for pid $kpid, continuing"
- echo
- echo
- rm -f ${PKI_LOCKFILE}
- fi
- fi
- fi
-
- fix_pid_dir_ownership
-
- touch ${pidfile}
- chown ${PKI_USER}:${PKI_GROUP} ${pidfile}
- chmod 00600 ${pidfile}
- [ -x /sbin/restorecon ] && /sbin/restorecon ${pidfile}
-
- # restore context for ncipher hsm
- [ -x /sbin/restorecon ] && [ -d /dev/nfast ] && /sbin/restorecon -R /dev/nfast
-
- if [ -f /etc/init.d/functions ]; then
- /usr/sbin/selinuxenabled
- rv=$?
- if [ ${rv} = 0 ] ; then
- if [ ${ARCHITECTURE} = "i386" ] ; then
- LANG=${PKI_HTTPD_LANG} daemon runcon -t ${PKI_SELINUX_TYPE} -- ${httpd} ${PKI_OPTIONS}
- # overwrite output from "daemon"
- echo -n $"Starting ${prog}: "
- elif [ ${ARCHITECTURE} = "x86_64" ] ; then
- # NOTE: "daemon" is incompatible with "httpd"
- # on 64-bit architectures
- LANG=${PKI_HTTPD_LANG} runcon -t ${PKI_SELINUX_TYPE} -- ${httpd} ${PKI_OPTIONS}
- fi
- else
- LANG=${PKI_HTTPD_LANG} daemon ${httpd} ${PKI_OPTIONS}
- # overwrite output from "daemon"
- echo -n $"Starting ${prog}: "
- fi
- else
- LANG=${PKI_HTTPD_LANG} ${httpd} ${PKI_OPTIONS} -k start
- fi
-
- rv=$?
- if [ ${rv} = 0 ] ; then
- touch ${PKI_LOCKFILE}
- chown ${PKI_USER}:${PKI_GROUP} ${PKI_LOCKFILE}
- chmod 00600 ${PKI_LOCKFILE}
- fi
-
- if [ ${rv} = 0 ] ; then
- count=0;
-
- let swait=$STARTUP_WAIT
- until [ -s ${pidfile} ] ||
- [ $count -gt $swait ]
- do
- echo -n "."
- sleep 1
- let count=$count+1;
- done
-
- if [ -f /etc/init.d/functions ]; then
- if [ "$CONSOLETYPE" = "serial" ]; then
- echo -n " "
- fi
- echo_success
- echo
- else
- echo " [ OK ]"
- fi
-
- get_pki_secure_port
- if [ $? -ne 0 ] ; then
- SECURE_PORT="<Port Undefined>"
- fi
-
- # Set permissions of log files
- pki_signedAudit="${pki_logs_directory}/signedAudit"
- for file in ${pki_logs_directory}/*; do
- if [ "${file}" != "${pki_signedAudit}" ]; then
- chown ${PKI_USER}:${PKI_GROUP} ${file}
- chmod 00640 ${file}
- fi
- done
-
- # Set permissions of signedAudit log files
- pki_signedAudit_files=`ls -1A ${pki_signedAudit} | wc -l`
- if [ ${pki_signedAudit_files} -gt 0 ]; then
- for file in ${pki_signedAudit}/*; do
- chown ${PKI_USER} ${file}
- chmod 00640 ${file}
- done
- fi
+. /etc/init.d/functions
- # ignore "status" return codes
- echo
- display_instance_status
- else
- if [ -f /etc/init.d/functions ]; then
- if [ "$CONSOLETYPE" = "serial" ]; then
- $0 echo -n " "
- fi
- echo_failure
- echo
- else
- echo " [ FAILED ]"
- fi
- fi
-
- if [ ${OS} = "Linux" ] ; then
- sleep 10
- elif [ ${OS} = "SunOS" ] ; then
- sleep 20
- fi
- return ${rv}
-}
-
-stop_instance()
-{
- rv=0
-
- echo -n "Stopping ${prog}: "
-
- if [ -f ${PKI_LOCKFILE} ] ; then
- ${httpd} ${PKI_OPTIONS} -k stop
-
- rv=$?
-
- if [ ${rv} = 0 ]; then
- count=0;
-
- if [ -f ${pidfile} ]; then
- read kpid < ${pidfile}
- let kwait=$SHUTDOWN_WAIT
-
- until [ `ps -p $kpid | grep -c $kpid` = '0' ] ||
- [ $count -gt $kwait ]
- do
- echo -n "."
- sleep 1
- let count=$count+1;
- done
-
- if [ $count -gt $kwait ]; then
- kill -9 $kpid
- fi
- fi
-
- rm -f ${PKI_LOCKFILE}
- rm -f ${pidfile}
-
- if [ -f /etc/init.d/functions ]; then
- if [ "$CONSOLETYPE" = "serial" ]; then
- echo -n " "
- fi
- echo_success
- echo
- else
- echo " [ OK ]"
- fi
- else
- if [ -f /etc/init.d/functions ]; then
- if [ "$CONSOLETYPE" = "serial" ]; then
- echo -n " "
- fi
- echo_failure
- echo
- else
- echo " [ FAILED ]"
- fi
- rv=${default_error}
- fi
- else
- echo
- echo "process already stopped"
- rv=0
- fi
-
- return ${rv}
-}
-
-reload_instance()
-{
- rv=0
-
- echo -n $"Reloading ${prog}: "
-
- if ! LANG=${PKI_HTTPD_LANG} ${httpd} ${PKI_OPTIONS} -t >&/dev/null; then
- rv=$?
- echo $"not reloading due to configuration syntax error"
- if [ -f /etc/init.d/functions ]; then
- failure $"not reloading ${httpd} due to configuration syntax error"
- else
- echo $"not reloading ${httpd} due to configuration syntax error"
- fi
- else
- if [ -f /etc/init.d/functions ]; then
- killproc -p ${pidfile} ${httpd} -HUP
- rv=$?
- else
- if [ -f ${PKI_LOCKFILE} ] ; then
- if [ -f ${pidfile} ]; then
- read kpid < ${pidfile}
- if checkpid $kpid 2>&1; then
- kill -HUP $kpid
- rv=$?
- if [ ${rv} != 0 ]; then
- rv=${default_error}
- fi
- fi
- else
- # * 7 program is not running
- rv=7
- echo
- echo -n "lock file found but no process "
- echo -n "running for pid $kpid, continuing"
- echo
- echo
- rm -f ${PKI_LOCKFILE}
- fi
- fi
- fi
- fi
- echo
-
- return ${rv}
-}
-
-# The semantics of the 'start()' function differs from the way 'apachectl'
-# does things -- attempting to start while running is a failure.
-# So we just do it the way init scripts are expected to behave here.
-start()
-{
- # From "http://fedoraproject.org/wiki/FCNewInit/Initscripts":
- #
- # * 0 action was successful
- # * 1 generic or unspecified error (current practice)
- # * 2 invalid or excess argument(s)
- # * 3 unimplemented feature (for example, "reload")
- # * 4 user had insufficient privilege
- # * 5 program is not installed
- # * 6 program is not configured
- # * 7 program is not running
- # * 8-99 reserved for future LSB use
- # * 100-149 reserved for distribution use
- # * 150-199 reserved for application use
- # * 200-254 reserved
- #
-
- error_rv=0
- rv=0
-
- if [ -n "${PKI_REGISTRY_ENTRIES}" ]; then
- config_errors=0
- errors=0
-
- if [ ${TOTAL_PKI_REGISTRY_ENTRIES} -gt 1 ] ; then
- echo "BEGIN STARTING '${PKI_TYPE}' INSTANCE(S):"
- fi
-
- # Start every PKI instance of this type that isn't already running
- for PKI_REGISTRY_ENTRY in ${PKI_REGISTRY_ENTRIES}; do
- # Source values associated with this particular PKI instance
- [ -f ${PKI_REGISTRY_ENTRY} ] &&
- . ${PKI_REGISTRY_ENTRY}
-
- pidfile=${PKI_PIDDIR}/${PKI_PIDFILE}
-
- [ ${TOTAL_PKI_REGISTRY_ENTRIES} -gt 1 ] && echo
-
- start_instance
-
- rv=$?
- if [ ${rv} = 6 ] ; then
- # Since at least ONE configuration error exists, then there
- # is at least ONE unconfigured instance from the PKI point
- # of view.
- #
- # However, it must still be considered that the
- # instance is "running" from the point of view of other
- # OS programs such as 'chkconfig'.
- #
- # Therefore, ignore non-zero return codes resulting
- # from configuration errors.
- #
-
- config_errors=`expr $config_errors + 1`
- rv=0
- elif [ ${rv} != 0 ] ; then
- errors=`expr $errors + 1`
- error_rv=${rv}
- fi
- done
-
- if [ ${TOTAL_PKI_REGISTRY_ENTRIES} -gt ${errors} ] ; then
- touch ${lockfile}
- chmod 00600 ${lockfile}
- fi
-
- # ONLY print a "WARNING" message if multiple
- # instances are being examined
- if [ ${TOTAL_PKI_REGISTRY_ENTRIES} -gt 1 ] ; then
- # NOTE: "bad" return code(s) OVERRIDE configuration errors!
- if [ ${errors} -eq 1 ]; then
- # Since only ONE error exists, return that "bad" error code.
- rv=${error_rv}
- elif [ ${errors} -gt 1 ]; then
- # Since MORE than ONE error exists, return an OVERALL status
- # of "1 generic or unspecified error (current practice)"
- rv=1
- fi
-
- if [ ${errors} -ge 1 ]; then
- echo
- echo -n "WARNING: "
- echo -n "${errors} of ${TOTAL_PKI_REGISTRY_ENTRIES} "
- echo -n "'${PKI_TYPE}' instances failed to start!"
- echo
- fi
-
- if [ ${TOTAL_UNCONFIGURED_PKI_ENTRIES} -ge 1 ]; then
- echo
- echo -n "WARNING: "
- echo -n "${TOTAL_UNCONFIGURED_PKI_ENTRIES} "
- echo -n "of ${TOTAL_PKI_REGISTRY_ENTRIES} "
- echo -n "'${PKI_TYPE}' instances MUST be configured!"
- echo
- fi
-
- echo
- echo "FINISHED STARTING '${PKI_TYPE}' INSTANCE(S)."
- fi
- else
- echo
- echo "ERROR: No '${PKI_TYPE}' instances installed!"
- rv=5
- fi
-
- return ${rv}
-}
-
-# The semantics of the 'stop()' function differs from the way 'apachectl'
-# does things -- attempting to shutdown when not running is a failure.
-# So we just do it the way init scripts are expected to behave here.
-stop()
-{
- # From "http://fedoraproject.org/wiki/FCNewInit/Initscripts":
- #
- # * 0 action was successful
- # * 1 generic or unspecified error (current practice)
- # * 2 invalid or excess argument(s)
- # * 3 unimplemented feature (for example, "reload")
- # * 4 user had insufficient privilege
- # * 5 program is not installed
- # * 6 program is not configured
- # * 7 program is not running
- # * 8-99 reserved for future LSB use
- # * 100-149 reserved for distribution use
- # * 150-199 reserved for application use
- # * 200-254 reserved
- #
-
- error_rv=0
- rv=0
-
- if [ -n "${PKI_REGISTRY_ENTRIES}" ]; then
- errors=0
-
- if [ ${TOTAL_PKI_REGISTRY_ENTRIES} -gt 1 ] ; then
- echo "BEGIN SHUTTING DOWN '${PKI_TYPE}' INSTANCE(S):"
- fi
-
- # Shutdown every PKI instance of this type that is running
- for PKI_REGISTRY_ENTRY in ${PKI_REGISTRY_ENTRIES}; do
- # Source values associated with this particular PKI instance
- [ -f ${PKI_REGISTRY_ENTRY} ] &&
- . ${PKI_REGISTRY_ENTRY}
-
- pidfile=${PKI_PIDDIR}/${PKI_PIDFILE}
-
- [ ${TOTAL_PKI_REGISTRY_ENTRIES} -gt 1 ] && echo
-
- stop_instance
-
- rv=$?
- if [ ${rv} != 0 ] ; then
- errors=`expr $errors + 1`
- error_rv=${rv}
- fi
- done
-
- if [ ${errors} -eq 0 ] ; then
- rm -f ${lockfile}
- fi
-
- # ONLY print a "WARNING" message if multiple
- # instances are being examined
- if [ ${TOTAL_PKI_REGISTRY_ENTRIES} -gt 1 ] ; then
- if [ ${errors} -eq 1 ]; then
- # Since only ONE error exists, return that "bad" error code.
- rv=${error_rv}
- elif [ ${errors} -gt 1 ]; then
- # Since MORE than ONE error exists, return an OVERALL status
- # of "1 generic or unspecified error (current practice)"
- rv=1
- fi
-
- if [ ${errors} -ge 1 ]; then
- echo
- echo -n "WARNING: "
- echo -n "${errors} of ${TOTAL_PKI_REGISTRY_ENTRIES} "
- echo -n "'${PKI_TYPE}' instances were "
- echo -n "unsuccessfully stopped!"
- echo
- fi
-
- echo
- echo "FINISHED SHUTTING DOWN '${PKI_TYPE}' INSTANCE(S)."
- fi
- else
- echo
- echo "ERROR: No '${PKI_TYPE}' instances installed!"
- rv=5
- fi
-
- return ${rv}
-}
-
-restart()
-{
- # From "http://fedoraproject.org/wiki/FCNewInit/Initscripts":
- #
- # * 0 action was successful
- # * 1 generic or unspecified error (current practice)
- # * 2 invalid or excess argument(s)
- # * 3 unimplemented feature (for example, "reload")
- # * 4 user had insufficient privilege
- # * 5 program is not installed
- # * 6 program is not configured
- # * 7 program is not running
- # * 8-99 reserved for future LSB use
- # * 100-149 reserved for distribution use
- # * 150-199 reserved for application use
- # * 200-254 reserved
- #
-
- stop
- sleep 2
- echo
- echo "============================================================"
- echo
- start
-
- return $?
-}
-
-reload()
-{
- # From "http://fedoraproject.org/wiki/FCNewInit/Initscripts":
- #
- # * 0 action was successful
- # * 1 generic or unspecified error (current practice)
- # * 2 invalid or excess argument(s)
- # * 3 unimplemented feature (for example, "reload")
- # * 4 user had insufficient privilege
- # * 5 program is not installed
- # * 6 program is not configured
- # * 7 program is not running
- # * 8-99 reserved for future LSB use
- # * 100-149 reserved for distribution use
- # * 150-199 reserved for application use
- # * 200-254 reserved
- #
-
- error_rv=0
- rv=0
-
- if [ -n "${PKI_REGISTRY_ENTRIES}" ]; then
- errors=0
-
- if [ ${TOTAL_PKI_REGISTRY_ENTRIES} -gt 1 ] ; then
- echo "BEGIN RELOADING '${PKI_TYPE}' INSTANCE(S):"
- fi
-
- # Reload every PKI instance of this type that is running
- for PKI_REGISTRY_ENTRY in ${PKI_REGISTRY_ENTRIES}; do
- # Source values associated with this particular PKI instance
- [ -f ${PKI_REGISTRY_ENTRY} ] &&
- . ${PKI_REGISTRY_ENTRY}
-
- pidfile=${PKI_PIDDIR}/${PKI_PIDFILE}
-
- [ ${TOTAL_PKI_REGISTRY_ENTRIES} -gt 1 ] && echo
-
- reload_instance
-
- rv=$?
- if [ ${rv} != 0 ] ; then
- errors=`expr $errors + 1`
- error_rv=${rv}
- fi
- done
-
- # ONLY print a "WARNING" message if multiple
- # instances are being examined
- if [ ${TOTAL_PKI_REGISTRY_ENTRIES} -gt 1 ] ; then
- if [ ${errors} -eq 1 ]; then
- # Since only ONE error exists, return that "bad" error code.
- rv=${error_rv}
- elif [ ${errors} -gt 1 ]; then
- # Since MORE than ONE error exists, return an OVERALL status
- # of "1 generic or unspecified error (current practice)"
- rv=1
- fi
-
- if [ ${errors} -ge 1 ]; then
- echo
- echo -n "WARNING: "
- echo -n "${errors} of ${TOTAL_PKI_REGISTRY_ENTRIES} "
- echo -n "'${PKI_TYPE}' instances were "
- echo -n "unsuccessfully reloaded!"
- echo
- fi
-
- echo
- echo "FINISHED RELOADING '${PKI_TYPE}' INSTANCE(S)."
- fi
- else
- echo
- echo "ERROR: No '${PKI_TYPE}' instances reloaded!"
- rv=5
- fi
-
- return ${rv}
-}
-
-status()
-{
- # From "http://fedoraproject.org/wiki/FCNewInit/Initscripts":
- #
- # * 0 program is running or service is OK
- # * 1 program is dead and /var/run pid file exists
- # * 2 program is dead and /var/lock lock file exists
- # * 3 program is not running
- # * 4 program or service status is unknown
- # * 5-99 reserved for future LSB use
- # * 100-149 reserved for distribution use
- # * 150-199 reserved for application use
- # * 200-254 reserved
- #
-
- error_rv=0
- rv=0
-
- if [ -n "${PKI_REGISTRY_ENTRIES}" ]; then
- errors=0
-
- if [ ${TOTAL_PKI_REGISTRY_ENTRIES} -gt 1 ] ; then
- echo "REPORT STATUS OF '${PKI_TYPE}' INSTANCE(S):"
- fi
-
- # Obtain status of every PKI instance of this type
- for PKI_REGISTRY_ENTRY in ${PKI_REGISTRY_ENTRIES}; do
- # Source values associated with this particular PKI instance
- [ -f ${PKI_REGISTRY_ENTRY} ] &&
- . ${PKI_REGISTRY_ENTRY}
-
- pidfile=${PKI_PIDDIR}/${PKI_PIDFILE}
-
- [ ${TOTAL_PKI_REGISTRY_ENTRIES} -gt 1 ] && echo
-
- display_instance_status
-
- rv=$?
- if [ ${rv} -ne 0 ] ; then
- errors=`expr $errors + 1`
- error_rv=${rv}
- fi
- done
-
- # ONLY print a "WARNING" message if multiple
- # instances are being examined
- if [ ${TOTAL_PKI_REGISTRY_ENTRIES} -gt 1 ] ; then
- if [ ${errors} -eq 1 ]; then
- # Since only ONE error exists, return that "bad" error code.
- rv=${error_rv}
- elif [ ${errors} -gt 1 ]; then
- # Since MORE than ONE error exists, return an OVERALL status
- # of "4 - program or service status is unknown"
- rv=4
- fi
-
- if [ ${errors} -ge 1 ]; then
- echo
- echo -n "WARNING: "
- echo -n "${errors} of ${TOTAL_PKI_REGISTRY_ENTRIES} "
- echo -n "'${PKI_TYPE}' instances reported status failures!"
- echo
- fi
-
- if [ ${TOTAL_UNCONFIGURED_PKI_ENTRIES} -ge 1 ]; then
- echo
- echo -n "WARNING: "
- echo -n "${TOTAL_UNCONFIGURED_PKI_ENTRIES} "
- echo -n "of ${TOTAL_PKI_REGISTRY_ENTRIES} "
- echo -n "'${PKI_TYPE}' instances MUST be configured!"
- echo
- fi
-
- echo
- echo "FINISHED REPORTING STATUS OF '${PKI_TYPE}' INSTANCE(S)."
- fi
- else
- echo
- echo "ERROR: No '${PKI_TYPE}' instances installed!"
- rv=4
- fi
-
- return ${rv}
-}
+# Source the PKI function library
+. /usr/share/pki/scripts/functions
# See how we were called.
-case "${command}" in
- start|stop|restart|reload|status)
- ${command}
- exit $?
- ;;
- condrestart|force-restart|try-restart)
- [ ! -f ${lockfile} ] || restart
- exit $?
- ;;
- *)
- # * 3 unimplemented feature (for example, "reload")
- # [invalid command - should never be reached]
- echo
- usage
- echo "where valid instance names include:"
- list_instances
- exit 3
- ;;
+case $command in
+ status)
+ registry_status
+ exit $?
+ ;;
+ start)
+ start
+ exit $?
+ ;;
+ restart)
+ restart
+ exit $?
+ ;;
+ stop)
+ stop
+ exit $?
+ ;;
+ condrestart|force-restart|try-restart)
+ [ ! -f ${lockfile} ] || restart
+ exit $?
+ ;;
+ reload)
+ echo "The 'reload' action is an unimplemented feature."
+ exit ${default_error}
+ ;;
+ *)
+ echo "unknown action ($command)"
+ usage
+ echo "where valid instance names include:"
+ list_instances
+ exit ${default_error}
+ ;;
esac
diff --git a/pki/base/tps/setup/config.desktop b/pki/base/tps/setup/config.desktop
index f84fadac2..2bfc396e6 100644
--- a/pki/base/tps/setup/config.desktop
+++ b/pki/base/tps/setup/config.desktop
@@ -21,7 +21,7 @@
[Desktop Entry]
Version=1.0.0
Encoding=UTF-8
-Name=Token Processing System Configuration - [INSTANCE_ID]
+Name=Token Processing System Configuration - [PKI_INSTANCE_ID]
GenericName=Token Processing System Configuration
Comment=Configure Token Processing System
Exec=firefox https://[SERVER_NAME]:[SECURE_PORT]/tps/admin/console/config/login?pin=[PKI_RANDOM_NUMBER]
diff --git a/pki/base/tps/setup/registry_instance b/pki/base/tps/setup/registry_instance
new file mode 100644
index 000000000..e02f19011
--- /dev/null
+++ b/pki/base/tps/setup/registry_instance
@@ -0,0 +1,117 @@
+# Establish PKI Variable "Slot" Substitutions
+
+PKI_FLAVOR=[PKI_FLAVOR]
+export PKI_FLAVOR
+
+PKI_SUBSYSTEM_TYPE=[PKI_SUBSYSTEM_TYPE]
+export PKI_SUBSYSTEM_TYPE
+
+PKI_USER=[PKI_USER]
+export PKI_USER
+
+PKI_GROUP=[PKI_GROUP]
+export PKI_GROUP
+
+PKI_INSTANCE_ID=[PKI_INSTANCE_ID]
+export PKI_INSTANCE_ID
+
+PKI_INSTANCE_INITSCRIPT=[PKI_INSTANCE_INITSCRIPT]
+export PKI_INSTANCE_INITSCRIPT
+
+PKI_HTTPD_CONF=[HTTPD_CONF]
+export PKI_HTTPD_CONF
+
+PKI_SERVER_ROOT=[SERVER_ROOT]
+export PKI_SERVER_ROOT
+
+PKI_SYSTEM_USER_LIBRARIES=[SYSTEM_USER_LIBRARIES]
+export PKI_SYSTEM_USER_LIBRARIES
+
+PKI_FORTITUDE_DIR=[FORTITUDE_DIR]
+export PKI_FORTITUDE_DIR
+
+PKI_NSS_CONF=[NSS_CONF]
+export PKI_NSS_CONF
+
+PKI_SERVER_NAME=[SERVER_NAME]
+export PKI_SERVER_NAME
+
+PKI_LOCK_FILE="[PKI_LOCKDIR]/${PKI_INSTANCE_ID}.pid"
+export PKI_LOCK_FILE
+
+PKI_PID_FILE="[PKI_PIDDIR]/${PKI_INSTANCE_ID}.pid"
+export PKI_PID_FILE
+
+PKI_SELINUX_TYPE="pki_tps_t"
+export PKI_SELINUX_TYPE
+
+pki_instance_configuration_file=${PKI_SERVER_ROOT}/conf/CS.cfg
+export pki_instance_configuration_file
+
+RESTART_SERVER=${PKI_SERVER_ROOT}/conf/restart_server_after_configuration
+export RESTART_SERVER
+
+########################################################################
+# This section contains modified content of "/etc/sysconfig/httpd" #
+########################################################################
+# Configuration file for the ${PKI_INSTANCE_ID} service.
+
+#
+# The default processing model (MPM) is the process-based
+# 'prefork' model. A thread-based model, 'worker', is also
+# available, but does not work with some modules (such as PHP).
+# The service must be stopped before changing this variable.
+#
+PKI_HTTPD=${PKI_FORTITUDE_DIR}/sbin/httpd.worker
+export PKI_HTTPD
+
+#
+# To pass additional options (for instance, -D definitions) to the
+# httpd binary at startup, set PKI_OPTIONS here.
+#
+PKI_OPTIONS="-f ${PKI_HTTPD_CONF}"
+export PKI_OPTIONS
+
+#
+# By default, the httpd process is started in the C locale; to
+# change the locale in which the server runs, the PKI_HTTPD_LANG
+# variable can be set.
+#
+PKI_HTTPD_LANG=C
+export PKI_HTTPD_LANG
+########################################################################
+# #
+########################################################################
+
+# This will prevent initlog from swallowing up a pass-phrase prompt if
+# mod_ssl needs a pass-phrase from the user.
+PKI_INITLOG_ARGS=""
+export PKI_INITLOG_ARGS
+
+# Set PKI_HTTPD=/usr/sbin/httpd.worker in /etc/sysconfig/httpd to use a server
+# with the thread-based "worker" MPM; BE WARNED that some modules may not
+# work correctly with a thread-based MPM; notably PHP will refuse to start.
+
+# Path to the server binary and short-form for messages.
+httpd=${PKI_HTTPD}
+export httpd
+
+pki_logs_directory=${PKI_SERVER_ROOT}/logs
+export pki_logs_directory
+
+# see if httpd is linked with the openldap libraries - we need to override them
+if [ ${OS} = "Linux" ]; then
+ hasopenldap=0
+
+ /usr/bin/ldd ${httpd} 2>&1 | grep libldap- > /dev/null 2>&1 && hasopenldap=1
+
+ if [ ${hasopenldap} -eq 1 ] ; then
+ LD_PRELOAD="${PKI_SYSTEM_USER_LIBRARIES}/libldap60.so"
+ LD_PRELOAD="${PKI_SYSTEM_USER_LIBRARIES}/libssl3.so:${LD_PRELOAD}"
+ export LD_PRELOAD
+ fi
+elif [ ${OS} = "SunOS" ]; then
+ LD_PRELOAD_64="${PKI_SYSTEM_USER_LIBRARIES}/libldap60.so"
+ LD_PRELOAD_64="${PKI_SYSTEM_USER_LIBRARIES}/dirsec/libssl3.so:${LD_PRELOAD_64}"
+ export LD_PRELOAD_64
+fi
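Review bot: The `if [ ${OS} = "Linux" ]` / `elif [ ${OS} = "SunOS" ]` tests at the end of the new registry_instance file use `${OS}` unquoted, and `OS` is not assigned anywhere in this file; if it is unset in the sourcing shell the test becomes `[ = "Linux" ]`, which is a syntax error, so the LD_PRELOAD setup is skipped with only a stray "unary operator expected" diagnostic. Quoting makes the failure an ordinary false branch and protects the `ldd` call too: `if [ "${OS}" = "Linux" ]; then`, `/usr/bin/ldd "${httpd}" 2>&1 | grep libldap- > /dev/null 2>&1 && hasopenldap=1`, `elif [ "${OS}" = "SunOS" ]; then`. Note also that `LD_PRELOAD` / `LD_PRELOAD_64` are exported into the environment of whatever sources this file, so every command the initscript launches afterwards inherits the preload, not only httpd; if that is not intended, a short comment stating that the preload is deliberately process-wide, or scoping it onto the httpd invocation, would make the intent clear.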