Undo the pre_merge_adjustment

git-svn-id: svn+ssh://svn.fedorahosted.org/svn/pki/trunk@1576 c9f7a03b-bd48-0410-a16d-cbbf54688b0b

6 files changed, 141 insertions, 17 deletions

diff --git a/pki/base/ca/shared/conf/server.xml b/pki/base/ca/shared/conf/server.xml
index 6642a58fc..83eaf775e 100644
--- a/pki/base/ca/shared/conf/server.xml
+++ b/pki/base/ca/shared/conf/server.xml
@@ -92,12 +92,43 @@ Tomcat Port         = [TOMCAT_SERVER_PORT] (for shutdown)
 
     <!-- Define a SSL HTTP/1.1 Connector on port 8443 -->
     [PKI_SECURE_PORT_SERVER_COMMENT]
-    <!-- DO NOT REMOVE - Begin define PKI secure port -->
+    <!-- DO NOT REMOVE - Begin define PKI secure port
+	NOTE: The OCSP settings take effect globally, so it should only be set once.
+
+	  In setup where SSL clientAuth="true", OCSP can be turned on by
+	  setting enableOCSP to true like the following:
+	    enableOCSP="true"
+	  along with changes to related settings, especially:
+	    ocspResponderURL=<see example in connector definition below>
+	    ocspResponderCertNickname=<see example in connector definition below>
+	  Here are the definition to all the OCSP-related settings:
+	    enableOCSP - turns on/off the ocsp check
+	    ocspResponderURL - sets the url where the ocsp requests are sent
+	    ocspResponderCertNickname - sets the nickname of the cert that is
+		either CA's signing certificate or the OCSP server's signing
+		certificate.
+		The CA's signing certificate should already be in the db, in
+		case of the same security domain.
+		In case of an ocsp signing certificate, one must import the cert
+		into the subsystem's nss db and set trust. e.g.:
+		  certutil -d . -A -n "ocspSigningCert cert-pki-ca" -t "C,," -a -i ocspCert.b64
+	    ocspCacheSize - sets max cache entries
+	    ocspMinCacheEntryDuration - sets minimum seconds to next fetch attempt
+	    ocspMaxCacheEntryDuration - sets maximum seconds to next fetch attempt
+	    ocspTimeout -sets OCSP timeout in seconds
+    -->
     <Connector name="[PKI_SECURE_PORT_CONNECTOR_NAME]" port="[PKI_SECURE_PORT]" protocol="HTTP/1.1" SSLEnabled="true" sslProtocol="SSL" scheme="https" secure="true"
 	       maxHttpHeaderSize="8192"
 	       acceptCount="100" maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
 	       enableLookups="false" connectionTimeout="20000" disableUploadTimeout="true"
 	       SSLImplementation="org.apache.tomcat.util.net.jss.JSSImplementation"
+	       enableOCSP="false"
+	       ocspResponderURL="http://[PKI_MACHINE_NAME]:9080/ca/ocsp"
+	       ocspResponderCertNickname="ocspSigningCert cert-pki-ca"
+	       ocspCacheSize="1000"
+	       ocspMinCacheEntryDuration="60"
+	       ocspMaxCacheEntryDuration="120"
+	       ocspTimeout="10"
 	       clientAuth="[PKI_AGENT_CLIENTAUTH]"
 	       sslOptions="[TOMCAT_SSL_OPTIONS]"
 	       ssl2Ciphers="[TOMCAT_SSL2_CIPHERS]"
diff --git a/pki/base/kra/shared/conf/server.xml b/pki/base/kra/shared/conf/server.xml
index 9a24cfa44..e26d09dc3 100644
--- a/pki/base/kra/shared/conf/server.xml
+++ b/pki/base/kra/shared/conf/server.xml
@@ -91,12 +91,43 @@ Tomcat Port         = [TOMCAT_SERVER_PORT] (for shutdown)
 
     <!-- Define a SSL HTTP/1.1 Connector on port 8443 -->
     [PKI_SECURE_PORT_SERVER_COMMENT]
-    <!-- DO NOT REMOVE - Begin define PKI secure port -->
+    <!-- DO NOT REMOVE - Begin define PKI secure port
+	NOTE: The OCSP settings take effect globally, so it should only be set once.
+
+	  In setup where SSL clientAuth="true", OCSP can be turned on by
+	  setting enableOCSP to true like the following:
+	    enableOCSP="true"
+	  along with changes to related settings, especially:
+	    ocspResponderURL=<see example in connector definition below>
+	    ocspResponderCertNickname=<see example in connector definition below>
+	  Here are the definition to all the OCSP-related settings:
+	    enableOCSP - turns on/off the ocsp check
+	    ocspResponderURL - sets the url where the ocsp requests are sent
+	    ocspResponderCertNickname - sets the nickname of the cert that is
+		either CA's signing certificate or the OCSP server's signing
+		certificate.
+		The CA's signing certificate should already be in the db, in
+		case of the same security domain.
+		In case of an ocsp signing certificate, one must import the cert
+		into the subsystem's nss db and set trust. e.g.:
+		  certutil -d . -A -n "ocspSigningCert cert-pki-ca" -t "C,," -a -i ocspCert.b64
+	    ocspCacheSize - sets max cache entries
+	    ocspMinCacheEntryDuration - sets minimum seconds to next fetch attempt
+	    ocspMaxCacheEntryDuration - sets maximum seconds to next fetch attempt
+	    ocspTimeout -sets OCSP timeout in seconds
+    -->
     <Connector name="[PKI_SECURE_PORT_CONNECTOR_NAME]" port="[PKI_SECURE_PORT]" protocol="HTTP/1.1" SSLEnabled="true" sslProtocol="SSL" scheme="https" secure="true"
 	       maxHttpHeaderSize="8192"
 	       acceptCount="100" maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
 	       enableLookups="false" connectionTimeout="20000" disableUploadTimeout="true"
 	       SSLImplementation="org.apache.tomcat.util.net.jss.JSSImplementation"
+	       enableOCSP="false"
+	       ocspResponderURL="http://[PKI_MACHINE_NAME]:9080/ca/ocsp"
+	       ocspResponderCertNickname="ocspSigningCert cert-pki-ca"
+	       ocspCacheSize="1000"
+	       ocspMinCacheEntryDuration="60"
+	       ocspMaxCacheEntryDuration="120"
+	       ocspTimeout="10"
 	       clientAuth="[PKI_AGENT_CLIENTAUTH]"
 	       sslOptions="[TOMCAT_SSL_OPTIONS]"
 	       ssl2Ciphers="[TOMCAT_SSL2_CIPHERS]"
diff --git a/pki/base/ocsp/shared/conf/server.xml b/pki/base/ocsp/shared/conf/server.xml
index 9a24cfa44..e26d09dc3 100644
--- a/pki/base/ocsp/shared/conf/server.xml
+++ b/pki/base/ocsp/shared/conf/server.xml
@@ -91,12 +91,43 @@ Tomcat Port         = [TOMCAT_SERVER_PORT] (for shutdown)
 
     <!-- Define a SSL HTTP/1.1 Connector on port 8443 -->
     [PKI_SECURE_PORT_SERVER_COMMENT]
-    <!-- DO NOT REMOVE - Begin define PKI secure port -->
+    <!-- DO NOT REMOVE - Begin define PKI secure port
+	NOTE: The OCSP settings take effect globally, so it should only be set once.
+
+	  In setup where SSL clientAuth="true", OCSP can be turned on by
+	  setting enableOCSP to true like the following:
+	    enableOCSP="true"
+	  along with changes to related settings, especially:
+	    ocspResponderURL=<see example in connector definition below>
+	    ocspResponderCertNickname=<see example in connector definition below>
+	  Here are the definition to all the OCSP-related settings:
+	    enableOCSP - turns on/off the ocsp check
+	    ocspResponderURL - sets the url where the ocsp requests are sent
+	    ocspResponderCertNickname - sets the nickname of the cert that is
+		either CA's signing certificate or the OCSP server's signing
+		certificate.
+		The CA's signing certificate should already be in the db, in
+		case of the same security domain.
+		In case of an ocsp signing certificate, one must import the cert
+		into the subsystem's nss db and set trust. e.g.:
+		  certutil -d . -A -n "ocspSigningCert cert-pki-ca" -t "C,," -a -i ocspCert.b64
+	    ocspCacheSize - sets max cache entries
+	    ocspMinCacheEntryDuration - sets minimum seconds to next fetch attempt
+	    ocspMaxCacheEntryDuration - sets maximum seconds to next fetch attempt
+	    ocspTimeout -sets OCSP timeout in seconds
+    -->
     <Connector name="[PKI_SECURE_PORT_CONNECTOR_NAME]" port="[PKI_SECURE_PORT]" protocol="HTTP/1.1" SSLEnabled="true" sslProtocol="SSL" scheme="https" secure="true"
 	       maxHttpHeaderSize="8192"
 	       acceptCount="100" maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
 	       enableLookups="false" connectionTimeout="20000" disableUploadTimeout="true"
 	       SSLImplementation="org.apache.tomcat.util.net.jss.JSSImplementation"
+	       enableOCSP="false"
+	       ocspResponderURL="http://[PKI_MACHINE_NAME]:9080/ca/ocsp"
+	       ocspResponderCertNickname="ocspSigningCert cert-pki-ca"
+	       ocspCacheSize="1000"
+	       ocspMinCacheEntryDuration="60"
+	       ocspMaxCacheEntryDuration="120"
+	       ocspTimeout="10"
 	       clientAuth="[PKI_AGENT_CLIENTAUTH]"
 	       sslOptions="[TOMCAT_SSL_OPTIONS]"
 	       ssl2Ciphers="[TOMCAT_SSL2_CIPHERS]"
diff --git a/pki/base/setup/pkicreate b/pki/base/setup/pkicreate
index aeb7a311e..f8ba09f89 100755
--- a/pki/base/setup/pkicreate
+++ b/pki/base/setup/pkicreate
@@ -193,7 +193,7 @@ my $xerces_jar_base_name          = "xerces-j2.jar";       # CA, KRA, OCSP, TKS
 my $catalina_properties_base_name = "catalina.properties"; # CA, KRA, OCSP, TKS
 
 my $httpd_conf_base_name          = "httpd.conf";             # RA, TPS
-my $index_html_base_name          = "index.html";             # CA, KRA, OCSP, TKS
+my $index_jsp_base_name           = "index.jsp";              # CA, KRA, OCSP, TKS
 my $logs_base_name                = "logs";                   # CA, KRA, OCSP, TKS,
                                                               # RA, TPS
 my $magic_base_name               = "magic";                  # RA, TPS
@@ -478,8 +478,8 @@ my $velocity_jar_file_path                       = undef;  # CA, KRA, OCSP, TKS
 my $velocity_jar_symlink_path                    = undef;  # CA, KRA, OCSP, TKS
 my $httpd_conf_instance_file_path                = undef;  # RA, TPS
 my $httpd_conf_subsystem_file_path               = undef;  # RA, TPS
-my $index_html_instance_file_path                = undef;  # CA, KRA, OCSP, TKS
-my $index_html_subsystem_file_path               = undef;  # CA, KRA, OCSP, TKS
+my $index_jsp_instance_file_path                 = undef;  # CA, KRA, OCSP, TKS
+my $index_jsp_subsystem_file_path                = undef;  # CA, KRA, OCSP, TKS
 my $java_pki_flavor_jar_path                     = undef;  # CA, KRA, OCSP, TKS
 my $magic_instance_file_path                     = undef;  # RA, TPS
 my $magic_subsystem_file_path                    = undef;  # RA, TPS
@@ -1707,10 +1707,10 @@ sub initialize_subdirectory_paths
                                            . "/" . $cmscore_jar_base_name;
         $cmscore_jar_symlink_path          = $webinf_lib_instance_path
                                            . "/" . $cmscore_jar_base_name;
-        $index_html_instance_file_path     = $webapps_root_instance_path
-                                           . "/" . $index_html_base_name;
-        $index_html_subsystem_file_path    = $webapps_root_subsystem_path
-                                           . "/" . $index_html_base_name;
+        $index_jsp_instance_file_path      = $webapps_root_instance_path
+                                           . "/" . $index_jsp_base_name;
+        $index_jsp_subsystem_file_path     = $webapps_root_subsystem_path
+                                           . "/" . $index_jsp_base_name;
         $osutil_jar_file_path              = $default_system_jni_java_path
                                            . "/" . $osutil_jar_base_name;
         $osutil_jar_symlink_path           = $webinf_lib_instance_path
@@ -2518,10 +2518,10 @@ LoadModule nss_module  /opt/fortitude/modules.local/libmodnss.so
 
     } else {
         ## Process templates (CA, KRA, OCSP, TKS instances)
-        # process "index.html" template
-        return 0 if !process_file_template("index_html",
-                                           $index_html_subsystem_file_path,
-                                           $index_html_instance_file_path,
+        # process "index.jsp" template
+        return 0 if !process_file_template("index_jsp",
+                                           $index_jsp_subsystem_file_path,
+                                           $index_jsp_instance_file_path,
                                            \%slot_hash);
 
         # process "server.xml" template
diff --git a/pki/base/tks/shared/conf/server.xml b/pki/base/tks/shared/conf/server.xml
index 9a24cfa44..e26d09dc3 100644
--- a/pki/base/tks/shared/conf/server.xml
+++ b/pki/base/tks/shared/conf/server.xml
@@ -91,12 +91,43 @@ Tomcat Port         = [TOMCAT_SERVER_PORT] (for shutdown)
 
     <!-- Define a SSL HTTP/1.1 Connector on port 8443 -->
     [PKI_SECURE_PORT_SERVER_COMMENT]
-    <!-- DO NOT REMOVE - Begin define PKI secure port -->
+    <!-- DO NOT REMOVE - Begin define PKI secure port
+	NOTE: The OCSP settings take effect globally, so it should only be set once.
+
+	  In setup where SSL clientAuth="true", OCSP can be turned on by
+	  setting enableOCSP to true like the following:
+	    enableOCSP="true"
+	  along with changes to related settings, especially:
+	    ocspResponderURL=<see example in connector definition below>
+	    ocspResponderCertNickname=<see example in connector definition below>
+	  Here are the definition to all the OCSP-related settings:
+	    enableOCSP - turns on/off the ocsp check
+	    ocspResponderURL - sets the url where the ocsp requests are sent
+	    ocspResponderCertNickname - sets the nickname of the cert that is
+		either CA's signing certificate or the OCSP server's signing
+		certificate.
+		The CA's signing certificate should already be in the db, in
+		case of the same security domain.
+		In case of an ocsp signing certificate, one must import the cert
+		into the subsystem's nss db and set trust. e.g.:
+		  certutil -d . -A -n "ocspSigningCert cert-pki-ca" -t "C,," -a -i ocspCert.b64
+	    ocspCacheSize - sets max cache entries
+	    ocspMinCacheEntryDuration - sets minimum seconds to next fetch attempt
+	    ocspMaxCacheEntryDuration - sets maximum seconds to next fetch attempt
+	    ocspTimeout -sets OCSP timeout in seconds
+    -->
     <Connector name="[PKI_SECURE_PORT_CONNECTOR_NAME]" port="[PKI_SECURE_PORT]" protocol="HTTP/1.1" SSLEnabled="true" sslProtocol="SSL" scheme="https" secure="true"
 	       maxHttpHeaderSize="8192"
 	       acceptCount="100" maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
 	       enableLookups="false" connectionTimeout="20000" disableUploadTimeout="true"
 	       SSLImplementation="org.apache.tomcat.util.net.jss.JSSImplementation"
+	       enableOCSP="false"
+	       ocspResponderURL="http://[PKI_MACHINE_NAME]:9080/ca/ocsp"
+	       ocspResponderCertNickname="ocspSigningCert cert-pki-ca"
+	       ocspCacheSize="1000"
+	       ocspMinCacheEntryDuration="60"
+	       ocspMaxCacheEntryDuration="120"
+	       ocspTimeout="10"
 	       clientAuth="[PKI_AGENT_CLIENTAUTH]"
 	       sslOptions="[TOMCAT_SSL_OPTIONS]"
 	       ssl2Ciphers="[TOMCAT_SSL2_CIPHERS]"
diff --git a/pki/base/tps/doc/CS.cfg b/pki/base/tps/doc/CS.cfg
index 32a88010d..d3edc908f 100644
--- a/pki/base/tps/doc/CS.cfg
+++ b/pki/base/tps/doc/CS.cfg
@@ -112,8 +112,8 @@ logging.audit.signedAuditFilename=[SERVER_ROOT]/logs/signedAudit/tps_audit
 logging.audit.level=10
 logging.audit.logSigning=false
 logging.audit.signedAuditCertNickname=auditSigningCert cert-[PKI_INSTANCE_ID]
-logging.audit.selected.events=AUTHZ_SUCCESS,AUTHZ_FAIL,AUTH_FAIL,AUTH_SUCCESS,ROLE_ASSUME,ENROLLMENT,PIN_RESET,FORMAT,CONFIG,CONFIG_ROLE,CONFIG_TOKEN,CONFIG_PROFILE,CONFIG_AUDIT,APPLET_UPGRADE,KEY_CHANGEOVER,RENEWAL
-logging.audit.selectable.events=AUTHZ_SUCCESS,AUTHZ_FAIL,AUTH_FAIL,AUTH_SUCCESS,ROLE_ASSUME,ENROLLMENT,PIN_RESET,FORMAT,CONFIG,CONFIG_ROLE,CONFIG_TOKEN,CONFIG_PROFILE,CONFIG_AUDIT,APPLET_UPGRADE,KEY_CHANGEOVER,RENEWAL
+logging.audit.selected.events=AUTHZ_SUCCESS,AUTHZ_FAIL,AUTH_FAIL,AUTH_SUCCESS,ROLE_ASSUME,ENROLLMENT,PIN_RESET,FORMAT,CONFIG,CONFIG_ROLE,CONFIG_TOKEN,CONFIG_PROFILE,CONFIG_AUDIT,APPLET_UPGRADE,KEY_CHANGEOVER,RENEWAL,CIMC_CERT_VERIFICATION
+logging.audit.selectable.events=AUTHZ_SUCCESS,AUTHZ_FAIL,AUTH_FAIL,AUTH_SUCCESS,ROLE_ASSUME,ENROLLMENT,PIN_RESET,FORMAT,CONFIG,CONFIG_ROLE,CONFIG_TOKEN,CONFIG_PROFILE,CONFIG_AUDIT,APPLET_UPGRADE,KEY_CHANGEOVER,RENEWAL,CIMC_CERT_VERIFICATION
 logging.audit.nonselectable.events=AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,LOGGING_SIGNED_AUDIT_SIGNING
 logging.audit.buffer.size=512
 logging.audit.flush.interval=5