authormharmsen <mharmsen@c9f7a03b-bd48-0410-a16d-cbbf54688b0b>2010-12-14 22:23:31 +0000
committermharmsen <mharmsen@c9f7a03b-bd48-0410-a16d-cbbf54688b0b>2010-12-14 22:23:31 +0000
commitee70d6866360c28335fb2ea61a3e7c3d1c341ae9 (patch)
tree63f1da7ff2caeafc2cbd3414225316231eec6c9b
parentbcc2940ff4068f6f2f19d63b7e935d31d046cf10 (diff)
downloadpki-ee70d6866360c28335fb2ea61a3e7c3d1c341ae9.tar.gz
pki-ee70d6866360c28335fb2ea61a3e7c3d1c341ae9.tar.xz
pki-ee70d6866360c28335fb2ea61a3e7c3d1c341ae9.zip
Bugzilla Bug #586073 - Add new 'mod_revocator' runtime dependency to RA and TPS
git-svn-id: svn+ssh://svn.fedorahosted.org/svn/pki/trunk@1624 c9f7a03b-bd48-0410-a16d-cbbf54688b0b
-rw-r--r--pki/CMakeLists.txt125
-rw-r--r--pki/base/CMakeLists.txt28
-rw-r--r--pki/base/ca/CMakeLists.txt3
-rw-r--r--pki/base/ca/shared/CMakeLists.txt11
-rw-r--r--pki/base/ca/shared/conf/CMakeLists.txt12
-rw-r--r--pki/base/ca/shared/conf/CS.cfg.in (renamed from pki/base/ca/shared/conf/CS.cfg)4
-rw-r--r--pki/base/ca/src/CMakeLists.txt34
-rw-r--r--pki/base/console/src/CMakeLists.txt56
-rw-r--r--pki/base/kra/CMakeLists.txt3
-rw-r--r--pki/base/kra/shared/conf/CMakeLists.txt12
-rw-r--r--pki/base/kra/shared/conf/CS.cfg.in (renamed from pki/base/kra/shared/conf/CS.cfg)4
-rw-r--r--pki/base/kra/src/CMakeLists.txt79
-rw-r--r--pki/base/ocsp/CMakeLists.txt3
-rw-r--r--pki/base/ocsp/shared/conf/CMakeLists.txt12
-rw-r--r--pki/base/ocsp/shared/conf/CS.cfg.in (renamed from pki/base/ocsp/shared/conf/CS.cfg)4
-rw-r--r--pki/base/ocsp/src/CMakeLists.txt79
-rw-r--r--pki/base/ra/CMakeLists.txt56
-rw-r--r--pki/base/ra/doc/CS.cfg256
-rw-r--r--pki/base/ra/doc/CS.cfg.in26
-rw-r--r--pki/base/tks/CMakeLists.txt3
-rw-r--r--pki/base/tks/shared/conf/CMakeLists.txt12
-rw-r--r--pki/base/tks/shared/conf/CS.cfg.in (renamed from pki/base/tks/shared/conf/CS.cfg)4
-rw-r--r--pki/base/tks/src/CMakeLists.txt79
-rw-r--r--pki/base/tps/CMakeLists.txt98
-rw-r--r--pki/base/tps/Makefile.am2
-rw-r--r--pki/base/tps/Makefile.in2
-rw-r--r--pki/base/tps/doc/CS.cfg1577
-rw-r--r--pki/base/tps/doc/CS.cfg.in94
-rw-r--r--pki/base/tps/src/CMakeLists.txt12
-rw-r--r--pki/base/tps/src/authentication/CMakeLists.txt6
-rw-r--r--pki/base/tps/src/modules/tokendb/CMakeLists.txt5
-rw-r--r--pki/base/tps/src/modules/tps/CMakeLists.txt7
-rw-r--r--pki/base/tps/src/tus/CMakeLists.txt4
-rw-r--r--pki/base/tps/tools/raclient/CMakeLists.txt2
-rw-r--r--pki/cmake/Modules/FindMozLDAP.cmake19
-rw-r--r--pki/cmake/Modules/FindSvrcore.cmake67
-rw-r--r--pki/dogtag/CMakeLists.txt8
-rw-r--r--pki/dogtag/ca/pki-ca.spec2
-rw-r--r--pki/dogtag/console-ui/src/CMakeLists.txt6
-rw-r--r--pki/dogtag/kra/pki-kra.spec2
-rw-r--r--pki/dogtag/ocsp/pki-ocsp.spec2
-rw-r--r--pki/dogtag/ra/pki-ra.spec2
-rw-r--r--pki/dogtag/tks/pki-tks.spec2
-rw-r--r--pki/dogtag/tps/pki-tps.spec2
-rwxr-xr-xpki/scripts/compose_pki_console_packages201
-rwxr-xr-xpki/scripts/compose_pki_kra_packages201
-rwxr-xr-xpki/scripts/compose_pki_migrate_packages201
-rwxr-xr-xpki/scripts/compose_pki_ocsp_packages201
-rwxr-xr-xpki/scripts/compose_pki_ra_packages201
-rwxr-xr-xpki/scripts/compose_pki_tks_packages201
-rwxr-xr-xpki/scripts/compose_pki_tps_packages201
-rw-r--r--pki/specs/dogtag-pki-theme.spec4
-rw-r--r--pki/specs/ipa-pki-theme.spec4
-rw-r--r--pki/specs/pki-console.spec100
-rw-r--r--pki/specs/pki-core.spec58
-rw-r--r--pki/specs/pki-kra.spec165
-rw-r--r--pki/specs/pki-migrate.spec95
-rw-r--r--pki/specs/pki-ocsp.spec172
-rw-r--r--pki/specs/pki-ra.spec171
-rw-r--r--pki/specs/pki-tks.spec166
-rw-r--r--pki/specs/pki-tps.spec225
61 files changed, 3285 insertions, 2108 deletions
diff --git a/pki/CMakeLists.txt b/pki/CMakeLists.txt
index 1ec67b764..db633db48 100644
--- a/pki/CMakeLists.txt
+++ b/pki/CMakeLists.txt
@@ -6,39 +6,61 @@ cmake_minimum_required(VERSION 2.6.0)
# global needed variables
set(APPLICATION_NAME ${PROJECT_NAME})
if (BUILD_OSUTIL)
- set(APPLICATION_FLAVOUR_OSUTIL TRUE)
-elseif (BUILD_CORE)
- set(APPLICATION_FLAVOUR_CORE TRUE)
-elseif (BUILD_DOGTAG)
- set(APPLICATION_FLAVOUR_CORE TRUE)
- set(APPLICATION_FLAVOUR_DOGTAG TRUE)
-elseif (BUILD_REDHAT)
- set(APPLICATION_FLAVOUR_CORE TRUE)
- set(APPLICATION_FLAVOUR_DOGTAG TRUE)
- set(APPLICATION_FLAVOUR_REDHAT TRUE)
-elseif (BUILD_NULL_THEME)
- set(APPLICATION_FLAVOUR_NULL_THEME TRUE)
-elseif (BUILD_DOGTAG_THEME)
- set(APPLICATION_FLAVOUR_DOGTAG_THEME TRUE)
-elseif (BUILD_REDHAT_THEME)
- set(APPLICATION_FLAVOUR_REDHAT_THEME TRUE)
-elseif (BUILD_CORE_COMPLETE)
- set(APPLICATION_FLAVOUR_CORE TRUE)
- set(APPLICATION_FLAVOUR_NULL_THEME TRUE)
-elseif (BUILD_DOGTAG_COMPLETE)
- set(APPLICATION_FLAVOUR_CORE TRUE)
- set(APPLICATION_FLAVOUR_DOGTAG TRUE)
- set(APPLICATION_FLAVOUR_DOGTAG_THEME TRUE)
-elseif (BUILD_REDHAT_COMPLETE)
- set(APPLICATION_FLAVOUR_CORE TRUE)
- set(APPLICATION_FLAVOUR_DOGTAG TRUE)
- set(APPLICATION_FLAVOUR_REDHAT TRUE)
- set(APPLICATION_FLAVOUR_REDHAT_THEME TRUE)
+ set(APPLICATION_FLAVOR_OSUTIL TRUE)
+elseif (BUILD_NULL_PKI_THEME)
+ set(APPLICATION_FLAVOR_NULL_PKI_THEME TRUE)
+elseif (BUILD_DOGTAG_PKI_THEME)
+ set(APPLICATION_FLAVOR_DOGTAG_PKI_THEME TRUE)
+elseif (BUILD_REDHAT_PKI_THEME)
+ set(APPLICATION_FLAVOR_REDHAT_PKI_THEME TRUE)
+elseif (BUILD_PKI_CORE)
+ set(APPLICATION_FLAVOR_PKI_CORE TRUE)
+elseif (BUILD_PKI_KRA)
+ set(APPLICATION_FLAVOR_PKI_KRA TRUE)
+elseif (BUILD_PKI_OCSP)
+ set(APPLICATION_FLAVOR_PKI_OCSP TRUE)
+elseif (BUILD_PKI_RA)
+ set(APPLICATION_FLAVOR_PKI_RA TRUE)
+elseif (BUILD_PKI_TKS)
+ set(APPLICATION_FLAVOR_PKI_TKS TRUE)
+elseif (BUILD_PKI_TPS)
+ set(APPLICATION_FLAVOR_PKI_TPS TRUE)
+elseif (BUILD_PKI_CONSOLE)
+ set(APPLICATION_FLAVOR_PKI_CONSOLE TRUE)
+elseif (BUILD_PKI_MIGRATE)
+ set(APPLICATION_FLAVOR_PKI_MIGRATE TRUE)
+elseif (BUILD_IPA_PKI)
+ set(APPLICATION_FLAVOR_NULL_PKI_THEME TRUE)
+ set(APPLICATION_FLAVOR_PKI_CORE TRUE)
+elseif (BUILD_DOGTAG_PKI)
+ set(APPLICATION_FLAVOR_DOGTAG_PKI_THEME TRUE)
+ set(APPLICATION_FLAVOR_PKI_CORE TRUE)
+ set(APPLICATION_FLAVOR_PKI_KRA TRUE)
+ set(APPLICATION_FLAVOR_PKI_OCSP TRUE)
+ set(APPLICATION_FLAVOR_PKI_RA TRUE)
+ set(APPLICATION_FLAVOR_PKI_TKS TRUE)
+ set(APPLICATION_FLAVOR_PKI_TPS TRUE)
+ set(APPLICATION_FLAVOR_PKI_CONSOLE TRUE)
+elseif (BUILD_REDHAT_PKI)
+ set(APPLICATION_FLAVOR_REDHAT_PKI_THEME TRUE)
+ set(APPLICATION_FLAVOR_PKI_CORE TRUE)
+ set(APPLICATION_FLAVOR_PKI_KRA TRUE)
+ set(APPLICATION_FLAVOR_PKI_OCSP TRUE)
+ set(APPLICATION_FLAVOR_PKI_RA TRUE)
+ set(APPLICATION_FLAVOR_PKI_TKS TRUE)
+ set(APPLICATION_FLAVOR_PKI_TPS TRUE)
+ set(APPLICATION_FLAVOR_PKI_CONSOLE TRUE)
+ set(APPLICATION_FLAVOR_PKI_MIGRATE TRUE)
else ()
- # By default, build complete Dogtag
- set(APPLICATION_FLAVOUR_CORE TRUE)
- set(APPLICATION_FLAVOUR_DOGTAG TRUE)
- set(APPLICATION_FLAVOUR_DOGTAG_THEME TRUE)
+ # By default, build Dogtag PKI
+ set(APPLICATION_FLAVOR_DOGTAG_PKI_THEME TRUE)
+ set(APPLICATION_FLAVOR_PKI_CORE TRUE)
+ set(APPLICATION_FLAVOR_PKI_KRA TRUE)
+ set(APPLICATION_FLAVOR_PKI_OCSP TRUE)
+ set(APPLICATION_FLAVOR_PKI_RA TRUE)
+ set(APPLICATION_FLAVOR_PKI_TKS TRUE)
+ set(APPLICATION_FLAVOR_PKI_TPS TRUE)
+ set(APPLICATION_FLAVOR_PKI_CONSOLE TRUE)
endif ()
set(APPLICATION_VERSION_MAJOR "9")
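Review bot: The renamed switches leave the old names (`BUILD_CORE`, `BUILD_DOGTAG`, `BUILD_REDHAT`, the `*_THEME` and `*_COMPLETE` variants) unmatched, so a caller still passing one of them falls into the final `else ()` and silently gets the full Dogtag PKI build. For a packaging script that asked for a narrower flavor, this changes which subsystems are built and installed, without any diagnostic. Consider an explicit branch ahead of the `else ()` that rejects the retired names, e.g. `message(FATAL_ERROR "BUILD_CORE was renamed to BUILD_PKI_CORE")`. A comment stating that only the first matching `BUILD_*` switch is honoured would also help.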
@@ -75,6 +97,10 @@ find_package(NSS REQUIRED)
find_package(Ldap REQUIRED)
find_package(APR REQUIRED)
+# required for TPS
+find_package(Svrcore REQUIRED)
+find_package(MozLDAP REQUIRED)
+
# Find out if we have threading available
set(CMAKE_THREAD_PREFER_PTHREADS ON)
find_package(Threads)
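Review bot: `find_package(Svrcore REQUIRED)` and `find_package(MozLDAP REQUIRED)` run for every flavor although the added comment says they are only required for TPS. Configuring e.g. `BUILD_PKI_CORE` or `BUILD_IPA_PKI` therefore fails on a host that lacks those development packages. Wrapping the two calls in `if (APPLICATION_FLAVOR_PKI_TPS)` … `endif ()` keeps the other flavors from picking up a build dependency they do not use.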
@@ -86,29 +112,34 @@ configure_file(config.h.cmake ${CMAKE_CURRENT_BINARY_DIR}/config.h)
add_definitions(-DHAVE_CONFIG_H)
# uninstall target
-configure_file(
- "${CMAKE_CURRENT_SOURCE_DIR}/cmake_uninstall.cmake.in"
- "${CMAKE_CURRENT_BINARY_DIR}/cmake_uninstall.cmake"
- IMMEDIATE @ONLY)
+configure_file("${CMAKE_CURRENT_SOURCE_DIR}/cmake_uninstall.cmake.in"
+ "${CMAKE_CURRENT_BINARY_DIR}/cmake_uninstall.cmake"
+ IMMEDIATE @ONLY)
add_custom_target(uninstall
- COMMAND ${CMAKE_COMMAND} -P ${CMAKE_CURRENT_BINARY_DIR}/cmake_uninstall.cmake)
+ COMMAND ${CMAKE_COMMAND}
+ -P ${CMAKE_CURRENT_BINARY_DIR}/cmake_uninstall.cmake)
# check subdirectories
-if (APPLICATION_FLAVOUR_OSUTIL)
- add_subdirectory(base)
-endif (APPLICATION_FLAVOUR_OSUTIL)
-if (APPLICATION_FLAVOUR_CORE)
+if (APPLICATION_FLAVOR_OSUTIL OR
+ APPLICATION_FLAVOR_PKI_CORE OR
+ APPLICATION_FLAVOR_PKI_KRA OR
+ APPLICATION_FLAVOR_PKI_OCSP OR
+ APPLICATION_FLAVOR_PKI_RA OR
+ APPLICATION_FLAVOR_PKI_TKS OR
+ APPLICATION_FLAVOR_PKI_TPS OR
+ APPLICATION_FLAVOR_PKI_CONSOLE OR
+ APPLICATION_FLAVOR_PKI_MIGRATE)
add_subdirectory(base)
-endif (APPLICATION_FLAVOUR_CORE)
+endif ()
-# 'themes' must be mutually exclusive!
-if (APPLICATION_FLAVOUR_NULL_THEME)
+# 'Themes' MUST be "mutually-exclusive"!
+if (APPLICATION_FLAVOR_NULL_PKI_THEME)
add_subdirectory(dogtag)
-elseif (APPLICATION_FLAVOUR_DOGTAG_THEME)
+elseif (APPLICATION_FLAVOR_DOGTAG_PKI_THEME)
add_subdirectory(dogtag)
-elseif (APPLICATION_FLAVOUR_REDHAT_THEME)
+elseif (APPLICATION_FLAVOR_REDHAT_PKI_THEME)
add_subdirectory(redhat)
-endif (APPLICATION_FLAVOUR_NULL_THEME)
+endif ()
diff --git a/pki/base/CMakeLists.txt b/pki/base/CMakeLists.txt
index fc96f785e..9f4131d3b 100644
--- a/pki/base/CMakeLists.txt
+++ b/pki/base/CMakeLists.txt
@@ -2,10 +2,10 @@ project(base)
# The order is important!
# add_subdirectory(osutil)
-if (APPLICATION_FLAVOUR_OSUTIL)
+if (APPLICATION_FLAVOR_OSUTIL)
add_subdirectory(osutil)
-endif (APPLICATION_FLAVOUR_OSUTIL)
-if (APPLICATION_FLAVOUR_CORE)
+endif (APPLICATION_FLAVOR_OSUTIL)
+if (APPLICATION_FLAVOR_PKI_CORE)
add_subdirectory(setup)
add_subdirectory(symkey)
add_subdirectory(native-tools)
@@ -15,15 +15,25 @@ if (APPLICATION_FLAVOUR_CORE)
add_subdirectory(selinux)
add_subdirectory(ca)
add_subdirectory(silent)
-endif (APPLICATION_FLAVOUR_CORE)
-if (APPLICATION_FLAVOUR_DOGTAG)
+endif (APPLICATION_FLAVOR_PKI_CORE)
+if (APPLICATION_FLAVOR_PKI_KRA)
add_subdirectory(kra)
+endif (APPLICATION_FLAVOR_PKI_KRA)
+if (APPLICATION_FLAVOR_PKI_OCSP)
add_subdirectory(ocsp)
+endif (APPLICATION_FLAVOR_PKI_OCSP)
+if (APPLICATION_FLAVOR_PKI_RA)
+ add_subdirectory(ra)
+endif (APPLICATION_FLAVOR_PKI_RA)
+if (APPLICATION_FLAVOR_PKI_TKS)
add_subdirectory(tks)
+endif (APPLICATION_FLAVOR_PKI_TKS)
+if (APPLICATION_FLAVOR_PKI_TPS)
add_subdirectory(tps)
- add_subdirectory(ra)
+endif (APPLICATION_FLAVOR_PKI_TPS)
+if (APPLICATION_FLAVOR_PKI_CONSOLE)
add_subdirectory(console)
-endif (APPLICATION_FLAVOUR_DOGTAG)
-if (APPLICATION_FLAVOUR_REDHAT)
+endif (APPLICATION_FLAVOR_PKI_CONSOLE)
+if (APPLICATION_FLAVOR_PKI_MIGRATE)
add_subdirectory(migrate)
-endif (APPLICATION_FLAVOUR_REDHAT)
+endif (APPLICATION_FLAVOR_PKI_MIGRATE)
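Review bot: The new blocks close with `endif (APPLICATION_FLAVOR_PKI_KRA)` and similar, while the top-level pki/CMakeLists.txt in this same commit moves to the bare `endif ()` form. The repeated condition has to be kept in sync by hand on every rename, as this hunk shows, so using `endif ()` throughout would make the two files consistent. The file's "The order is important!" comment would also benefit from saying which ordering matters, now that `ra` is added before `tks` and `tps`.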
diff --git a/pki/base/ca/CMakeLists.txt b/pki/base/ca/CMakeLists.txt
index bab50004e..9ad04dadc 100644
--- a/pki/base/ca/CMakeLists.txt
+++ b/pki/base/ca/CMakeLists.txt
@@ -2,6 +2,7 @@ project(ca Java)
add_subdirectory(src)
add_subdirectory(setup)
+add_subdirectory(shared/conf)
# install init script
install(
@@ -25,6 +26,8 @@ install(
"CMakeLists.txt" EXCLUDE
PATTERN
"etc/*" EXCLUDE
+ PATTERN
+ "conf/CS.cfg.in" EXCLUDE
)
# install empty directories
diff --git a/pki/base/ca/shared/CMakeLists.txt b/pki/base/ca/shared/CMakeLists.txt
deleted file mode 100644
index 507395ff2..000000000
--- a/pki/base/ca/shared/CMakeLists.txt
+++ /dev/null
@@ -1,11 +0,0 @@
-# install init script
-install(
- FILES
- etc/init.d/pki-cad
- DESTINATION
- ${SYSCONF_INSTALL_DIR}/init.d
- PERMISSIONS
- OWNER_EXECUTE OWNER_WRITE OWNER_READ
- GROUP_EXECUTE GROUP_READ
- WORLD_EXECUTE WORLD_READ
-)
diff --git a/pki/base/ca/shared/conf/CMakeLists.txt b/pki/base/ca/shared/conf/CMakeLists.txt
new file mode 100644
index 000000000..e3cef5915
--- /dev/null
+++ b/pki/base/ca/shared/conf/CMakeLists.txt
@@ -0,0 +1,12 @@
+set(VERSION ${APPLICATION_VERSION})
+set(MAJOR_VERSION ${APPLICATION_VERSION_MAJOR})
+set(MINOR_VERSION ${APPLICATION_VERSION_MINOR})
+
+configure_file(${CMAKE_CURRENT_SOURCE_DIR}/CS.cfg.in ${CMAKE_CURRENT_BINARY_DIR}/CS.cfg @ONLY)
+
+install(
+ FILES
+ ${CMAKE_CURRENT_BINARY_DIR}/CS.cfg
+ DESTINATION
+ ${SHARE_INSTALL_PREFIX}/${APPLICATION_NAME}/${PROJECT_NAME}/conf
+)
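Review bot: `configure_file(... @ONLY)` replaces every `@NAME@` token in CS.cfg.in and substitutes an empty string for any name that is not set. If `APPLICATION_VERSION` or `APPLICATION_VERSION_MINOR` is undefined when this directory is processed, the installed CS.cfg gets an empty `preop.product.version` or a `cms.version` ending in a dot, with no configure error. A guard such as `if (NOT DEFINED APPLICATION_VERSION_MINOR) message(FATAL_ERROR "APPLICATION_VERSION_MINOR is not set") endif ()` ahead of the call makes that visible, and the template is worth checking for stray `@...@` pairs outside the two edited keys. The install destination also depends on `PROJECT_NAME` inherited from the parent directory, because this file has no `project()` call; a comment saying so would help. The same file is added unchanged under pki/base/kra/shared/conf and pki/base/ocsp/shared/conf.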
diff --git a/pki/base/ca/shared/conf/CS.cfg b/pki/base/ca/shared/conf/CS.cfg.in
index 3ebd84d6a..e9b265f76 100644
--- a/pki/base/ca/shared/conf/CS.cfg
+++ b/pki/base/ca/shared/conf/CS.cfg.in
@@ -18,7 +18,7 @@ pkiremove.cert.subsystem.nickname=subsystemCert cert-[PKI_INSTANCE_ID]
installDate=[INSTALL_TIME]
preop.wizard.name=CA Setup Wizard
preop.product.name=CS
-preop.product.version=
+preop.product.version=@VERSION@
preop.system.name=CA
preop.system.fullname=Certificate Authority
cs.state=0
@@ -705,7 +705,7 @@ cmc.revokeCert.sharedSecret.class=com.netscape.cms.authentication.SharedSecret
cmc.sharedSecret.class=com.netscape.cms.authentication.SharedSecret
cms.passwordlist=internaldb,replicationdb
cms.password.ignore.publishing.failure=true
-cms.version=
+cms.version=@MAJOR_VERSION@.@MINOR_VERSION@
cmsgateway._000=##
cmsgateway._001=## In the event that all Admin Certificates have been lost
cmsgateway._002=## for a given instance, perform the following steps to
diff --git a/pki/base/ca/src/CMakeLists.txt b/pki/base/ca/src/CMakeLists.txt
index ab40e63b7..f8e68c4f6 100644
--- a/pki/base/ca/src/CMakeLists.txt
+++ b/pki/base/ca/src/CMakeLists.txt
@@ -1,21 +1,31 @@
project(ca_java Java)
+# '/usr/share/java' jars
+find_file(LDAPJDK_JAR
+ NAMES
+ ldapjdk.jar
+ PATHS
+ /usr/share/java
+)
+
+
+# '/usr/lib/java' jars
find_file(JSS_JAR
NAMES
jss4.jar
PATHS
/usr/lib/java
- /usr/share/java
)
-find_file(LDAPJDK_JAR
+find_file(OSUTIL_JAR
NAMES
- ldapjdk.jar
+ osutil.jar
PATHS
/usr/lib/java
- /usr/share/java
)
+
+# identify java sources
set(ca_java_SRCS
com/netscape/ca/CMSCRLExtensions.java
com/netscape/ca/CAService.java
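Review bot: The new section comments ('/usr/lib/java' jars, '/usr/share/java' jars) read as if each jar is pinned to one directory, but `find_file` searches `CMAKE_PREFIX_PATH`, environment-derived and system paths before the `PATHS` entries, and none of the results is checked. A jar of the same name found earlier in the search order, or a `JSS_JAR-NOTFOUND` value, therefore goes straight onto `CMAKE_JAVA_INCLUDE_PATH`. If pinning is the intent, add `NO_DEFAULT_PATH` to each call and fail early with `if (NOT JSS_JAR) message(FATAL_ERROR "jss4.jar not found") endif ()`. The same applies to the `find_file` blocks added in pki/base/kra/src, pki/base/ocsp/src and pki/base/console/src. In console/src the `NSUTIL_JAR` and `JSS_JAR` calls also still list a second directory that their new section comment does not mention.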
@@ -26,13 +36,21 @@ set(ca_java_SRCS
com/netscape/ca/CertificateAuthority.java
)
+
+# set classpath
set(CMAKE_JAVA_INCLUDE_PATH
- ${JSS_JAR} ${LDAPJDK_JAR} ${NSUTIL_JAR} ${CMSUTIL_JAR}
- ${OSUTIL_JAR} ${SYMKEY_JAR} ${CMS_JAR} ${CMSCORE_JAR}
- ${CERTSRV_JAR})
+ ${CERTSRV_JAR} ${CMS_JAR} ${CMSCORE_JAR} ${CMSUTIL_JAR} ${NSUTIL_JAR}
+ ${LDAPJDK_JAR}
+ ${JSS_JAR} ${OSUTIL_JAR} ${SYMKEY_JAR})
+
+
+# set version
set(CMAKE_JAVA_TARGET_VERSION ${APPLICATION_VERSION})
+
+# build ca.jar
add_jar(ca ${ca_java_SRCS})
-add_dependencies(ca nsutil cmsutil osutil symkey cms cmscore certsrv)
+add_dependencies(ca osutil symkey nsutil cmsutil certsrv cms cmscore)
install_jar(ca ${JAVA_JAR_INSTALL_DIR})
set(CA_JAR ${ca_JAR_FILE} CACHE INTERNAL "ca jar file")
+
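Review bot: `add_dependencies(ca osutil ...)` names a target that, going by the visible parts of this commit, cannot exist in a build that includes `ca`. pki/base/CMakeLists.txt adds the `osutil` subdirectory only under `APPLICATION_FLAVOR_OSUTIL`, and the top-level chain sets that flavor only in the exclusive `BUILD_OSUTIL` branch. Older CMake policy settings ignore a dependency on an unknown target and newer ones reject it, so the entry either does nothing or breaks configuration. Since `OSUTIL_JAR` is now located with `find_file`, `osutil` can be dropped from the list. The kra and ocsp `add_dependencies` lines appear to have the same problem for every listed target when `BUILD_PKI_KRA` or `BUILD_PKI_OCSP` is selected on its own, and could be wrapped in `if (APPLICATION_FLAVOR_PKI_CORE)` with `osutil` removed there as well.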
diff --git a/pki/base/console/src/CMakeLists.txt b/pki/base/console/src/CMakeLists.txt
index ff17efc0f..076f18078 100644
--- a/pki/base/console/src/CMakeLists.txt
+++ b/pki/base/console/src/CMakeLists.txt
@@ -1,24 +1,27 @@
-project(console_java Java)
+project(pki_console_java Java)
-find_file(JSS_JAR
+# '/usr/share/java/pki' jars
+find_file(NSUTIL_JAR
NAMES
- jss4.jar
+ nsutil.jar
PATHS
/usr/lib/java
- /usr/share/java
+ /usr/share/java/pki
)
-find_file(LDAPJDK_JAR
+
+# '/usr/share/java' jars
+find_file(BASE_JAR
NAMES
- ldapjdk.jar
+ idm-console-base.jar
PATHS
/usr/lib/java
/usr/share/java
)
-find_file(BASE_JAR
+find_file(LDAPJDK_JAR
NAMES
- idm-console-base.jar
+ ldapjdk.jar
PATHS
/usr/lib/java
/usr/share/java
@@ -56,7 +59,19 @@ find_file(NMCLF_EN_JAR
/usr/share/java
)
-set(console_java_SRCS
+
+# '/usr/lib/java' jars
+find_file(JSS_JAR
+ NAMES
+ jss4.jar
+ PATHS
+ /usr/lib/java
+ /usr/share/java
+)
+
+
+# identify java sources
+set(pki_console_java_SRCS
com/netscape/certsrv/common/TaskId.java
com/netscape/certsrv/common/DestDef.java
com/netscape/certsrv/common/NameValuePairs.java
@@ -578,13 +593,22 @@ set(console_java_SRCS
com/netscape/admin/certsrv/IUIMapper.java
)
+
+# set classpath
set(CMAKE_JAVA_INCLUDE_PATH
- ${JSS_JAR} ${LDAPJDK_JAR} ${NSUTIL_JAR}
- ${BASE_JAR} ${MMC_JAR} ${MMC_EN_JAR}
- ${NMCLF_JAR} ${NMCLF_EN_JAR})
+ ${BASE_JAR} ${LDAPJDK_JAR} ${MMC_JAR}
+ ${MMC_EN_JAR} ${NMCLF_JAR} ${NMCLF_EN_JAR}
+ ${NSUTIL_JAR}
+ ${JSS_JAR})
+
+
+# set version
set(CMAKE_JAVA_TARGET_VERSION ${APPLICATION_VERSION})
-add_jar(console ${console_java_SRCS})
-add_dependencies(console nsutil)
-install_jar(console ${JAVA_JAR_INSTALL_DIR}/pki)
-set(CONSOLE_JAR ${console_JAR_FILE} CACHE INTERNAL "console jar file")
+
+# build pki-console.jar
+add_jar(pki-console ${pki_console_java_SRCS})
+add_dependencies(pki-console nsutil)
+install_jar(pki-console ${JAVA_JAR_INSTALL_DIR})
+set(PKI_CONSOLE_JAR ${pki_console_JAR_FILE} CACHE INTERNAL "pki-console jar file")
+
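Review bot: `set(PKI_CONSOLE_JAR ${pki_console_JAR_FILE} ...)` reads a variable spelled with an underscore, while the jar target is now `pki-console` with a hyphen. If `add_jar` names its output variable after the target, as `ca_JAR_FILE`, `kra_JAR_FILE` and `ocsp_JAR_FILE` in the sibling files suggest, the variable to read is `${pki-console_JAR_FILE}` and the cached `PKI_CONSOLE_JAR` is currently empty. Either reference `${pki-console_JAR_FILE}` or keep an underscore-only target name so the two spellings agree.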
diff --git a/pki/base/kra/CMakeLists.txt b/pki/base/kra/CMakeLists.txt
index 5155a84ef..dc2564c92 100644
--- a/pki/base/kra/CMakeLists.txt
+++ b/pki/base/kra/CMakeLists.txt
@@ -2,6 +2,7 @@ project(kra Java)
add_subdirectory(src)
add_subdirectory(setup)
+add_subdirectory(shared/conf)
# install init script
install(
@@ -25,6 +26,8 @@ install(
"CMakeLists.txt" EXCLUDE
PATTERN
"etc/*" EXCLUDE
+ PATTERN
+ "conf/CS.cfg.in" EXCLUDE
)
# install empty directories
diff --git a/pki/base/kra/shared/conf/CMakeLists.txt b/pki/base/kra/shared/conf/CMakeLists.txt
new file mode 100644
index 000000000..e3cef5915
--- /dev/null
+++ b/pki/base/kra/shared/conf/CMakeLists.txt
@@ -0,0 +1,12 @@
+set(VERSION ${APPLICATION_VERSION})
+set(MAJOR_VERSION ${APPLICATION_VERSION_MAJOR})
+set(MINOR_VERSION ${APPLICATION_VERSION_MINOR})
+
+configure_file(${CMAKE_CURRENT_SOURCE_DIR}/CS.cfg.in ${CMAKE_CURRENT_BINARY_DIR}/CS.cfg @ONLY)
+
+install(
+ FILES
+ ${CMAKE_CURRENT_BINARY_DIR}/CS.cfg
+ DESTINATION
+ ${SHARE_INSTALL_PREFIX}/${APPLICATION_NAME}/${PROJECT_NAME}/conf
+)
diff --git a/pki/base/kra/shared/conf/CS.cfg b/pki/base/kra/shared/conf/CS.cfg.in
index 56944d5fc..05ed8ce09 100644
--- a/pki/base/kra/shared/conf/CS.cfg
+++ b/pki/base/kra/shared/conf/CS.cfg.in
@@ -13,7 +13,7 @@ pkiremove.cert.subsystem.nickname=subsystemCert cert-[PKI_INSTANCE_ID]
installDate=[INSTALL_TIME]
preop.wizard.name=DRM Setup Wizard
preop.product.name=CS
-preop.product.version=
+preop.product.version=@VERSION@
preop.system.name=DRM
preop.system.fullname=Data Recovery Manager
cs.state=0
@@ -161,7 +161,7 @@ cmc.lraPopWitness.verify.allow=true
cmc.revokeCert.verify=true
cmc.revokeCert.sharedSecret.class=com.netscape.cms.authentication.SharedSecret
cmc.sharedSecret.class=com.netscape.cms.authentication.SharedSecret
-cms.version=
+cms.version=@MAJOR_VERSION@.@MINOR_VERSION@
dbs.enableSerialManagement=false
dbs.beginRequestNumber=1
dbs.endRequestNumber=10000000
diff --git a/pki/base/kra/src/CMakeLists.txt b/pki/base/kra/src/CMakeLists.txt
index d483a0a3a..6e9734383 100644
--- a/pki/base/kra/src/CMakeLists.txt
+++ b/pki/base/kra/src/CMakeLists.txt
@@ -1,21 +1,76 @@
project(kra_java Java)
-find_file(JSS_JAR
+# '/usr/share/java/pki' jars
+find_file(CERTSRV_JAR
NAMES
- jss4.jar
+ certsrv.jar
+ PATHS
+ /usr/share/java/pki
+)
+
+find_file(CMS_JAR
+ NAMES
+ cms.jar
+ PATHS
+ /usr/share/java/pki
+)
+
+find_file(CMSCORE_JAR
+ NAMES
+ cmscore.jar
+ PATHS
+ /usr/share/java/pki
+)
+
+find_file(CMSUTIL_JAR
+ NAMES
+ cmsutil.jar
+ PATHS
+ /usr/share/java/pki
+)
+
+find_file(NSUTIL_JAR
+ NAMES
+ nsutil.jar
PATHS
/usr/lib/java
- /usr/share/java
+ /usr/share/java/pki
)
+
+# '/usr/share/java' jars
find_file(LDAPJDK_JAR
NAMES
ldapjdk.jar
PATHS
- /usr/lib/java
/usr/share/java
)
+
+# '/usr/lib/java' jars
+find_file(JSS_JAR
+ NAMES
+ jss4.jar
+ PATHS
+ /usr/lib/java
+)
+
+find_file(OSUTIL_JAR
+ NAMES
+ osutil.jar
+ PATHS
+ /usr/lib/java
+)
+
+find_file(SYMKEY_JAR
+ NAMES
+ symkey.jar
+ PATHS
+ /usr/lib/java
+)
+
+
+# identify java sources
set(kra_java_SRCS
com/netscape/kra/KeyRecoveryAuthority.java
com/netscape/kra/EnrollmentService.java
@@ -30,13 +85,21 @@ set(kra_java_SRCS
com/netscape/kra/StorageKeyUnit.java
)
+
+# set classpath
set(CMAKE_JAVA_INCLUDE_PATH
- ${JSS_JAR} ${LDAPJDK_JAR} ${NSUTIL_JAR} ${CMSUTIL_JAR}
- ${OSUTIL_JAR} ${SYMKEY_JAR} ${CMS_JAR} ${CMSCORE_JAR}
- ${CERTSRV_JAR})
+ ${CERTSRV_JAR} ${CMS_JAR} ${CMSCORE_JAR} ${CMSUTIL_JAR} ${NSUTIL_JAR}
+ ${LDAPJDK_JAR}
+ ${JSS_JAR} ${OSUTIL_JAR} ${SYMKEY_JAR})
+
+
+# set version
set(CMAKE_JAVA_TARGET_VERSION ${APPLICATION_VERSION})
+
+# build kra.jar
add_jar(kra ${kra_java_SRCS})
-add_dependencies(kra nsutil cmsutil osutil symkey cms cmscore certsrv)
+add_dependencies(kra osutil symkey nsutil cmsutil certsrv cms cmscore)
install_jar(kra ${JAVA_JAR_INSTALL_DIR})
set(KRA_JAR ${kra_JAR_FILE} CACHE INTERNAL "kra jar file")
+
diff --git a/pki/base/ocsp/CMakeLists.txt b/pki/base/ocsp/CMakeLists.txt
index 373fb4d18..1a7809074 100644
--- a/pki/base/ocsp/CMakeLists.txt
+++ b/pki/base/ocsp/CMakeLists.txt
@@ -2,6 +2,7 @@ project(ocsp Java)
add_subdirectory(src)
add_subdirectory(setup)
+add_subdirectory(shared/conf)
# install init script
install(
@@ -25,6 +26,8 @@ install(
"CMakeLists.txt" EXCLUDE
PATTERN
"etc/*" EXCLUDE
+ PATTERN
+ "CS.cfg.in" EXCLUDE
)
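Review bot: The exclusion added here is `"CS.cfg.in"`, whereas the matching hunks in pki/base/ca/CMakeLists.txt and pki/base/kra/CMakeLists.txt use `"conf/CS.cfg.in"`. The shorter pattern excludes a file of that name in any subdirectory of the installed tree, not only under `conf/`. Using `"conf/CS.cfg.in"` here too keeps the three subsystems consistent. The `install(` call this belongs to starts above the hunk.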
# install empty directories
diff --git a/pki/base/ocsp/shared/conf/CMakeLists.txt b/pki/base/ocsp/shared/conf/CMakeLists.txt
new file mode 100644
index 000000000..e3cef5915
--- /dev/null
+++ b/pki/base/ocsp/shared/conf/CMakeLists.txt
@@ -0,0 +1,12 @@
+set(VERSION ${APPLICATION_VERSION})
+set(MAJOR_VERSION ${APPLICATION_VERSION_MAJOR})
+set(MINOR_VERSION ${APPLICATION_VERSION_MINOR})
+
+configure_file(${CMAKE_CURRENT_SOURCE_DIR}/CS.cfg.in ${CMAKE_CURRENT_BINARY_DIR}/CS.cfg @ONLY)
+
+install(
+ FILES
+ ${CMAKE_CURRENT_BINARY_DIR}/CS.cfg
+ DESTINATION
+ ${SHARE_INSTALL_PREFIX}/${APPLICATION_NAME}/${PROJECT_NAME}/conf
+)
diff --git a/pki/base/ocsp/shared/conf/CS.cfg b/pki/base/ocsp/shared/conf/CS.cfg.in
index e4f0d2d7b..84553d3fc 100644
--- a/pki/base/ocsp/shared/conf/CS.cfg
+++ b/pki/base/ocsp/shared/conf/CS.cfg.in
@@ -25,7 +25,7 @@ preop.admincert.profile=caAdminCert
preop.securitydomain.admin_url=https://[PKI_MACHINE_NAME]:9445
preop.wizard.name=OCSP Setup Wizard
preop.product.name=CS
-preop.product.version=
+preop.product.version=@VERSION@
preop.system.name=OCSP
preop.system.fullname=OCSP Responder
preop.configModules.module0.userFriendlyName=NSS Internal PKCS #11 Module
@@ -151,7 +151,7 @@ cmc.lraPopWitness.verify.allow=true
cmc.revokeCert.verify=true
cmc.revokeCert.sharedSecret.class=com.netscape.cms.authentication.SharedSecret
cmc.sharedSecret.class=com.netscape.cms.authentication.SharedSecret
-cms.version=
+cms.version=@MAJOR_VERSION@.@MINOR_VERSION@
dbs.ldap=internaldb
dbs.newSchemaEntryAdded=true
debug.append=true
diff --git a/pki/base/ocsp/src/CMakeLists.txt b/pki/base/ocsp/src/CMakeLists.txt
index 53f2dc58a..f707654e5 100644
--- a/pki/base/ocsp/src/CMakeLists.txt
+++ b/pki/base/ocsp/src/CMakeLists.txt
@@ -1,21 +1,76 @@
project(ocsp_java Java)
-find_file(JSS_JAR
+# '/usr/share/java/pki' jars
+find_file(CERTSRV_JAR
NAMES
- jss4.jar
+ certsrv.jar
+ PATHS
+ /usr/share/java/pki
+)
+
+find_file(CMS_JAR
+ NAMES
+ cms.jar
+ PATHS
+ /usr/share/java/pki
+)
+
+find_file(CMSCORE_JAR
+ NAMES
+ cmscore.jar
+ PATHS
+ /usr/share/java/pki
+)
+
+find_file(CMSUTIL_JAR
+ NAMES
+ cmsutil.jar
+ PATHS
+ /usr/share/java/pki
+)
+
+find_file(NSUTIL_JAR
+ NAMES
+ nsutil.jar
PATHS
/usr/lib/java
- /usr/share/java
+ /usr/share/java/pki
)
+
+# '/usr/share/java' jars
find_file(LDAPJDK_JAR
NAMES
ldapjdk.jar
PATHS
- /usr/lib/java
/usr/share/java
)
+
+# '/usr/lib/java' jars
+find_file(JSS_JAR
+ NAMES
+ jss4.jar
+ PATHS
+ /usr/lib/java
+)
+
+find_file(OSUTIL_JAR
+ NAMES
+ osutil.jar
+ PATHS
+ /usr/lib/java
+)
+
+find_file(SYMKEY_JAR
+ NAMES
+ symkey.jar
+ PATHS
+ /usr/lib/java
+)
+
+
+# identify java sources
set(ocsp_java_SRCS
com/netscape/ocsp/OCSPResources.java
com/netscape/ocsp/OCSPAuthority.java
@@ -23,13 +78,21 @@ set(ocsp_java_SRCS
com/netscape/ocsp/EOCSPException.java
)
+
+# set classpath
set(CMAKE_JAVA_INCLUDE_PATH
- ${JSS_JAR} ${LDAPJDK_JAR} ${NSUTIL_JAR} ${CMSUTIL_JAR}
- ${OSUTIL_JAR} ${SYMKEY_JAR} ${CMS_JAR} ${CMSCORE_JAR}
- ${CERTSRV_JAR})
+ ${CERTSRV_JAR} ${CMS_JAR} ${CMSCORE_JAR} ${CMSUTIL_JAR} ${NSUTIL_JAR}
+ ${LDAPJDK_JAR}
+ ${JSS_JAR} ${OSUTIL_JAR} ${SYMKEY_JAR})
+
+
+# set version
set(CMAKE_JAVA_TARGET_VERSION ${APPLICATION_VERSION})
+
+# build ocsp.jar
add_jar(ocsp ${ocsp_java_SRCS})
-add_dependencies(ocsp nsutil cmsutil osutil symkey cms cmscore certsrv)
+add_dependencies(ocsp osutil symkey nsutil cmsutil certsrv cms cmscore)
install_jar(ocsp ${JAVA_JAR_INSTALL_DIR})
set(OCSP_JAR ${ocsp_JAR_FILE} CACHE INTERNAL "ocsp jar file")
+
diff --git a/pki/base/ra/CMakeLists.txt b/pki/base/ra/CMakeLists.txt
index f5aaa1479..59910fe95 100644
--- a/pki/base/ra/CMakeLists.txt
+++ b/pki/base/ra/CMakeLists.txt
@@ -1,7 +1,7 @@
project(ra)
-add_subdirectory(setup)
add_subdirectory(doc)
+add_subdirectory(setup)
# install init script
install(
@@ -13,69 +13,52 @@ install(
OWNER_EXECUTE OWNER_WRITE OWNER_READ
GROUP_EXECUTE GROUP_READ
WORLD_EXECUTE WORLD_READ
- PATTERN
- "CMakeLists.txt" EXCLUDE
-)
-
-install(
- FILES
- scripts/nss_pcache
- DESTINATION
- ${SHARE_INSTALL_PREFIX}/${APPLICATION_NAME}/${PROJECT_NAME}
- PERMISSIONS
- OWNER_EXECUTE OWNER_WRITE OWNER_READ
- GROUP_EXECUTE GROUP_READ
- WORLD_EXECUTE WORLD_READ
-)
-
-install(
- FILES
- scripts/schema.sql
- DESTINATION
- ${SHARE_INSTALL_PREFIX}/${APPLICATION_NAME}/${PROJECT_NAME}
)
-# install directories
install(
DIRECTORY
- alias/
+ apache/conf/
DESTINATION
- ${SHARE_INSTALL_PREFIX}/${APPLICATION_NAME}/${PROJECT_NAME}/alias
+ ${SHARE_INSTALL_PREFIX}/${APPLICATION_NAME}/${PROJECT_NAME}/conf
)
install(
DIRECTORY
- lib/
+ emails/
DESTINATION
- ${SHARE_INSTALL_PREFIX}/${APPLICATION_NAME}/${PROJECT_NAME}/lib
+ ${SHARE_INSTALL_PREFIX}/${APPLICATION_NAME}/${PROJECT_NAME}/conf
)
install(
DIRECTORY
- logs/
+ forms/
DESTINATION
- ${SHARE_INSTALL_PREFIX}/${APPLICATION_NAME}/${PROJECT_NAME}/logs
+ ${SHARE_INSTALL_PREFIX}/${APPLICATION_NAME}/${PROJECT_NAME}/docroot
)
install(
DIRECTORY
- forms/
+ lib/
DESTINATION
- ${SHARE_INSTALL_PREFIX}/${APPLICATION_NAME}/${PROJECT_NAME}/docroot/forms
+ ${SHARE_INSTALL_PREFIX}/${APPLICATION_NAME}/${PROJECT_NAME}/lib
)
install(
- DIRECTORY
- emails/
+ FILES
+ scripts/nss_pcache
DESTINATION
- ${SHARE_INSTALL_PREFIX}/${APPLICATION_NAME}/${PROJECT_NAME}/conf/emails
+ ${SHARE_INSTALL_PREFIX}/${APPLICATION_NAME}/${PROJECT_NAME}/scripts
+ PERMISSIONS
+ OWNER_EXECUTE OWNER_WRITE OWNER_READ
+ GROUP_EXECUTE GROUP_READ
+ WORLD_EXECUTE WORLD_READ
)
install(
- DIRECTORY
- apache/conf/
+ FILES
+ scripts/schema.sql
DESTINATION
- ${SHARE_INSTALL_PREFIX}/${APPLICATION_NAME}/${PROJECT_NAME}/conf/apache/conf
+ ${SHARE_INSTALL_PREFIX}/${APPLICATION_NAME}/${PROJECT_NAME}/scripts
)
# install empty directories
@@ -90,3 +73,4 @@ install(
DESTINATION
${VAR_INSTALL_DIR}/run/pki/ra
)
+
diff --git a/pki/base/ra/doc/CS.cfg b/pki/base/ra/doc/CS.cfg
deleted file mode 100644
index 0fc0efb36..000000000
--- a/pki/base/ra/doc/CS.cfg
+++ /dev/null
@@ -1,256 +0,0 @@
-# --- BEGIN COPYRIGHT BLOCK ---
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation; version 2 of the License.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License along
-# with this program; if not, write to the Free Software Foundation, Inc.,
-# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-#
-# Copyright (C) 2007 Red Hat, Inc.
-# All rights reserved.
-# --- END COPYRIGHT BLOCK ---
-#
-pkicreate.pki_instance_root=[PKI_INSTANCE_ROOT]
-pkicreate.pki_instance_name=[PKI_INSTANCE_ID]
-pkicreate.subsystem_type=[PKI_SUBSYSTEM_TYPE]
-pkicreate.secure_port=[SECURE_PORT]
-pkicreate.non_clientauth_secure_port=[NON_CLIENTAUTH_SECURE_PORT]
-pkicreate.unsecure_port=[PORT]
-pkicreate.user=[PKI_USER]
-pkicreate.group=[PKI_GROUP]
-pkiremove.cert.subsystem.nickname=subsystemCert cert-[PKI_INSTANCE_ID]
-request._000=#########################################
-request._001=# Request Queue Parameters
-request._002=#########################################
-agent.authorized_groups=administrators,agents
-admin.authorized_groups=administrators
-database.dbfile=[SERVER_ROOT]/conf/dbfile
-database.lockfile=[SERVER_ROOT]/conf/dblock
-request.renewal.approve_request.0.ca=ca1
-request.renewal.approve_request.0.plugin=PKI::Request::Plugin::RequestToCA
-request.renewal.approve_request.0.profileId=caDualRAuserCert
-request.renewal.approve_request.0.reqType=crmf
-request.renewal.approve_request.1.mailTo=$created_by
-request.renewal.approve_request.1.plugin=PKI::Request::Plugin::EmailNotification
-request.renewal.approve_request.1.templateDir=/usr/share/pki/ra/conf
-request.renewal.approve_request.1.templateFile=mail_approve_request.vm
-request.renewal.approve_request.num_plugins=2
-request.renewal.reject_request.num_plugins=0
-request.renewal.create_request.0.assignTo=agents
-request.renewal.create_request.0.plugin=PKI::Request::Plugin::AutoAssign
-request.renewal.create_request.1.mailTo=$created_by
-request.renewal.create_request.1.plugin=PKI::Request::Plugin::EmailNotification
-request.renewal.create_request.1.templateDir=/usr/share/pki/ra/conf
-request.renewal.create_request.1.templateFile=mail_create_request.vm
-request.renewal.create_request.num_plugins=2
-request.scep.profileId=caRARouterCert
-request.scep.reqType=pkcs10
-request.scep.create_request.num_plugins=2
-request.scep.create_request.0.plugin=PKI::Request::Plugin::AutoAssign
-request.scep.create_request.0.assignTo=agents
-request.scep.create_request.1.plugin=PKI::Request::Plugin::EmailNotification
-request.scep.create_request.1.mailTo=
-request.scep.create_request.1.templateDir=/usr/share/pki/ra/conf
-request.scep.create_request.1.templateFile=mail_create_request.vm
-request.scep.approve_request.num_plugins=1
-request.scep.approve_request.0.plugin=PKI::Request::Plugin::CreatePin
-request.scep.approve_request.0.pinFormat=$site_id
-request.scep.reject_request.num_plugins=0
-request.agent.profileId=caRAagentCert
-request.agent.reqType=crmf
-request.agent.create_request.num_plugins=2
-request.agent.create_request.0.plugin=PKI::Request::Plugin::AutoAssign
-request.agent.create_request.0.assignTo=agents
-request.agent.create_request.1.plugin=PKI::Request::Plugin::EmailNotification
-request.agent.create_request.1.mailTo=
-request.agent.create_request.1.templateDir=/usr/share/pki/ra/conf
-request.agent.create_request.1.templateFile=mail_create_request.vm
-request.agent.approve_request.num_plugins=1
-request.agent.approve_request.0.plugin=PKI::Request::Plugin::CreatePin
-request.agent.approve_request.0.pinFormat=$uid
-request.agent.reject_request.num_plugins=0
-request.user.create_request.num_plugins=2
-request.user.create_request.0.plugin=PKI::Request::Plugin::AutoAssign
-request.user.create_request.0.assignTo=agents
-request.user.create_request.1.plugin=PKI::Request::Plugin::EmailNotification
-request.user.create_request.1.templateDir=/usr/share/pki/ra/conf
-request.user.create_request.1.templateFile=mail_create_request.vm
-request.user.create_request.1.mailTo=
-request.user.approve_request.num_plugins=2
-request.user.approve_request.0.plugin=PKI::Request::Plugin::RequestToCA
-request.user.approve_request.0.ca=ca1
-request.user.approve_request.0.profileId=caDualRAuserCert
-request.user.approve_request.0.reqType=crmf
-request.user.approve_request.1.plugin=PKI::Request::Plugin::EmailNotification
-request.user.approve_request.1.mailTo=$created_by
-request.user.approve_request.1.templateDir=/usr/share/pki/ra/conf
-request.user.approve_request.1.templateFile=mail_approve_request.vm
-request.user.reject_request.num_plugins=0
-request.server.create_request.num_plugins=2
-request.server.create_request.0.plugin=PKI::Request::Plugin::AutoAssign
-request.server.create_request.0.assignTo=agents
-request.server.create_request.1.plugin=PKI::Request::Plugin::EmailNotification
-request.server.create_request.1.mailTo=
-request.server.create_request.1.templateDir=/usr/share/pki/ra/conf
-request.server.create_request.1.templateFile=mail_create_request.vm
-request.server.approve_request.num_plugins=2
-request.server.approve_request.0.plugin=PKI::Request::Plugin::RequestToCA
-request.server.approve_request.0.ca=ca1
-request.server.approve_request.0.profileId=caRAserverCert
-request.server.approve_request.0.reqType=pkcs10
-request.server.approve_request.1.plugin=PKI::Request::Plugin::EmailNotification
-request.server.approve_request.1.mailTo=$created_by
-request.server.approve_request.1.templateDir=/usr/share/pki/ra/conf
-request.server.approve_request.1.templateFile=mail_approve_request.vm
-request.server.reject_request.num_plugins=0
-cs.type=RA
-service.machineName=[SERVER_NAME]
-service.instanceDir=[SERVER_ROOT]
-service.securePort=[SECURE_PORT]
-service.non_clientauth_securePort=[NON_CLIENTAUTH_SECURE_PORT]
-service.unsecurePort=[PORT]
-service.instanceID=[PKI_INSTANCE_ID]
-logging._000=#########################################
-logging._001=# RA configuration File
-logging._002=#
-logging._003=# All <...> must be replaced with
-logging._004=# appropriate values.
-logging._005=#########################################
-logging._006=########################################
-logging._007=# logging
-logging._008=#
-logging._009=# logging.debug.enable:
-logging._010=# logging.audit.enable:
-logging._011=# logging.error.enable:
-logging._012=# - enable or disable the corresponding logging
-logging._013=# logging.debug.filename:
-logging._014=# logging.audit.filename:
-logging._015=# logging.error.filename:
-logging._016=# - name of the log file
-logging._017=# logging.debug.level:
-logging._018=# logging.audit.level:
-logging._019=# logging.error.level:
-logging._020=# - level of logging. (0-10)
-logging._021=# 0 - no logging,
-logging._022=# 4 - LL_PER_SERVER these messages will occur only once
-logging._023=# during the entire invocation of the
-logging._024=# server, e. g. at startup or shutdown
-logging._025=# time., reading the conf parameters.
-logging._026=# Perhaps other infrequent events
-logging._027=# relating to failing over of CA, TKS,
-logging._028=# too
-logging._029=# 6 - LL_PER_CONNECTION these messages happen once per
-logging._030=# connection - most of the log events
-logging._031=# will be at this level
-logging._032=# 8 - LL_PER_PDU these messages relate to PDU
-logging._033=# processing. If you have something that
-logging._034=# is done for every PDU, such as
-logging._035=# applying the MAC, it should be logged
-logging._036=# at this level
-logging._037=# 9 - LL_ALL_DATA_IN_PDU dump all the data in the PDU - a more
-logging._038=# chatty version of the above
-logging._039=# 10 - all logging
-logging._040=#########################################
-logging.debug.enable=true
-logging.debug.filename=[SERVER_ROOT]/logs/ra-debug.log
-logging.debug.level=7
-logging.audit.enable=true
-logging.audit.filename=[SERVER_ROOT]/logs/ra-audit.log
-logging.audit.level=10
-logging.error.enable=true
-logging.error.filename=[SERVER_ROOT]/logs/ra-error.log
-logging.error.level=10
-conn.ca1._000=#########################################
-conn.ca1._001=# CA connection
-conn.ca1._002=#
-conn.ca1._003=# conn.ca<n>.hostport:
-conn.ca1._004=# - host name and port number of your CA, format is host:port
-conn.ca1._005=# conn.ca<n>.clientNickname:
-conn.ca1._006=# - nickname of the client certificate for
-conn.ca1._007=# authentication
-conn.ca1._008=# conn.ca<n>.servlet.enrollment:
-conn.ca1._009=# - servlet to contact in CA
-conn.ca1._010=# - must be '/ca/ee/ca/profileSubmitSSLClient'
-conn.ca1._008=# conn.ca<n>.servlet.addagent:
-conn.ca1._009=# - servlet to add ra agent on CA
-conn.ca1._010=# - must be '/ca/admin/ca/registerRaUser
-conn.ca1._011=# conn.ca<n>.retryConnect:
-conn.ca1._012=# - number of reconnection attempts on failure
-conn.ca1._013=# conn.ca<n>.timeout:
-conn.ca1._014=# - connection timeout
-conn.ca1._015=# conn.ca<n>.SSLOn:
-conn.ca1._016=# - enable SSL or not
-conn.ca1._017=# conn.ca<n>.keepAlive:
-conn.ca1._018=# - enable keep alive or not
-conn.ca1._019=#
-conn.ca1._020=# where
-conn.ca1._021=# <n> - CA connection ID
-conn.ca1._022=#########################################
-failover.pod.enable=false
-conn.ca1.hostport=[CA_HOST]:[CA_PORT]
-conn.ca1.clientNickname=[HSM_LABEL][NICKNAME]
-conn.ca1.servlet.enrollment=/ca/ee/ca/profileSubmitSSLClient
-conn.ca1.servlet.addagent=/ca/admin/ca/registerRaUser
-conn.ca1.servlet.revoke=/ca/subsystem/ca/doRevoke
-conn.ca1.servlet.unrevoke=/ca/subsystem/ca/doUnrevoke
-conn.ca1.retryConnect=3
-conn.ca1.timeout=100
-conn.ca1.SSLOn=true
-conn.ca1.keepAlive=true
-preop.pin=[PKI_RANDOM_NUMBER]
-preop.product.version=
-preop.cert._000=#########################################
-preop.cert._001=# Installation configuration "preop" certs parameters
-preop.cert._002=#########################################
-preop.cert.list=sslserver,subsystem
-preop.cert.sslserver.enable=true
-preop.cert.subsystem.enable=true
-preop.cert.sslserver.defaultSigningAlgorithm=SHA256withRSA
-preop.cert.sslserver.dn=CN=[SERVER_NAME], OU=[PKI_INSTANCE_ID]
-preop.cert.sslserver.keysize.customsize=2048
-preop.cert.sslserver.keysize.size=2048
-preop.cert.sslserver.keysize.select=custom
-preop.cert.sslserver.nickname=Server-Cert cert-[PKI_INSTANCE_ID]
-preop.cert.sslserver.profile=caInternalAuthServerCert
-preop.cert.sslserver.subsystem=ra
-preop.cert._003=#preop.cert.sslserver.type=local
-preop.cert.sslserver.userfriendlyname=SSL Server Certificate
-preop.cert._004=#preop.cert.sslserver.cncomponent.override=false
-preop.cert.subsystem.defaultSigningAlgorithm=SHA256withRSA
-preop.cert.subsystem.dn=CN=RA Subsystem Certificate, OU=[PKI_INSTANCE_ID]
-preop.cert.subsystem.keysize.customsize=2048
-preop.cert.subsystem.keysize.size=2048
-preop.cert.subsystem.keysize.select=custom
-preop.cert.subsystem.nickname=subsystemCert cert-[PKI_INSTANCE_ID]
-preop.cert.subsystem.profile=caInternalAuthSubsystemCert
-preop.cert.subsystem.subsystem=ra
-preop.cert._005=#preop.cert.subsystem.type=local
-preop.cert.subsystem.userfriendlyname=Subsystem Certificate
-preop.cert._006=#preop.cert.subsystem.cncomponent.override=true
-preop.configModules._000=#########################################
-preop.configModules._001=# Installation configuration "preop" module parameters
-preop.configModules._002=#########################################
-preop.configModules.count=3
-preop.configModules.module0.commonName=NSS Internal PKCS #11 Module
-preop.configModules.module0.imagePath=../img/clearpixel.gif
-preop.configModules.module0.userFriendlyName=NSS Internal PKCS #11 Module
-preop.configModules.module1.commonName=nfast
-preop.configModules.module1.imagePath=../img/clearpixel.gif
-preop.configModules.module1.userFriendlyName=nCipher's nFast Token Hardware Module
-preop.configModules.module2.commonName=lunasa
-preop.configModules.module2.imagePath=../img/clearpixel.gif
-preop.configModules.module2.userFriendlyName=SafeNet's LunaSA Token Hardware Module
-preop.module.token=NSS Certificate DB
-preop.keysize._000=#########################################
-preop.keysize._001=# Installation configuration "preop" keysize parameters
-preop.keysize._002=#########################################
-preop.keysize.customsize=2048
-preop.keysize.select=default
-preop.keysize.size=2048
-preop.keysize.ecc.size=256
diff --git a/pki/base/ra/doc/CS.cfg.in b/pki/base/ra/doc/CS.cfg.in
index fd564abbc..4fea4674f 100644
--- a/pki/base/ra/doc/CS.cfg.in
+++ b/pki/base/ra/doc/CS.cfg.in
@@ -16,15 +16,15 @@
# All rights reserved.
# --- END COPYRIGHT BLOCK ---
#
-pkicreate.pki_instance_root=[INSTANCE_ROOT]
-pkicreate.pki_instance_name=[INSTANCE_ID]
-pkicreate.subsystem_type=[SUBSYSTEM_TYPE]
+pkicreate.pki_instance_root=[PKI_INSTANCE_ROOT]
+pkicreate.pki_instance_name=[PKI_INSTANCE_ID]
+pkicreate.subsystem_type=[PKI_SUBSYSTEM_TYPE]
pkicreate.secure_port=[SECURE_PORT]
pkicreate.non_clientauth_secure_port=[NON_CLIENTAUTH_SECURE_PORT]
pkicreate.unsecure_port=[PORT]
-pkicreate.user=[USERID]
-pkicreate.group=[GROUPID]
-pkiremove.cert.subsystem.nickname=subsystemCert cert-[INSTANCE_ID]
+pkicreate.user=[PKI_USER]
+pkicreate.group=[PKI_GROUP]
+pkiremove.cert.subsystem.nickname=subsystemCert cert-[PKI_INSTANCE_ID]
request._000=#########################################
request._001=# Request Queue Parameters
request._002=#########################################
@@ -115,7 +115,7 @@ service.instanceDir=[SERVER_ROOT]
service.securePort=[SECURE_PORT]
service.non_clientauth_securePort=[NON_CLIENTAUTH_SECURE_PORT]
service.unsecurePort=[PORT]
-service.instanceID=[INSTANCE_ID]
+service.instanceID=[PKI_INSTANCE_ID]
logging._000=#########################################
logging._001=# RA configuration File
logging._002=#
@@ -211,23 +211,23 @@ preop.cert._002=#########################################
preop.cert.list=sslserver,subsystem
preop.cert.sslserver.enable=true
preop.cert.subsystem.enable=true
-preop.cert.sslserver.defaultSigningAlgorithm=SHA1withRSA
-preop.cert.sslserver.dn=CN=[SERVER_NAME], OU=[INSTANCE_ID]
+preop.cert.sslserver.defaultSigningAlgorithm=SHA256withRSA
+preop.cert.sslserver.dn=CN=[SERVER_NAME], OU=[PKI_INSTANCE_ID]
preop.cert.sslserver.keysize.customsize=2048
preop.cert.sslserver.keysize.size=2048
preop.cert.sslserver.keysize.select=custom
-preop.cert.sslserver.nickname=Server-Cert cert-[INSTANCE_ID]
+preop.cert.sslserver.nickname=Server-Cert cert-[PKI_INSTANCE_ID]
preop.cert.sslserver.profile=caInternalAuthServerCert
preop.cert.sslserver.subsystem=ra
preop.cert._003=#preop.cert.sslserver.type=local
preop.cert.sslserver.userfriendlyname=SSL Server Certificate
preop.cert._004=#preop.cert.sslserver.cncomponent.override=false
-preop.cert.subsystem.defaultSigningAlgorithm=SHA1withRSA
-preop.cert.subsystem.dn=CN=RA Subsystem Certificate, OU=[INSTANCE_ID]
+preop.cert.subsystem.defaultSigningAlgorithm=SHA256withRSA
+preop.cert.subsystem.dn=CN=RA Subsystem Certificate, OU=[PKI_INSTANCE_ID]
preop.cert.subsystem.keysize.customsize=2048
preop.cert.subsystem.keysize.size=2048
preop.cert.subsystem.keysize.select=custom
-preop.cert.subsystem.nickname=subsystemCert cert-[INSTANCE_ID]
+preop.cert.subsystem.nickname=subsystemCert cert-[PKI_INSTANCE_ID]
preop.cert.subsystem.profile=caInternalAuthSubsystemCert
preop.cert.subsystem.subsystem=ra
preop.cert._005=#preop.cert.subsystem.type=local
diff --git a/pki/base/tks/CMakeLists.txt b/pki/base/tks/CMakeLists.txt
index 023aaa020..0f1221eaa 100644
--- a/pki/base/tks/CMakeLists.txt
+++ b/pki/base/tks/CMakeLists.txt
@@ -2,6 +2,7 @@ project(tks Java)
add_subdirectory(src)
add_subdirectory(setup)
+add_subdirectory(shared/conf)
# install init script
install(
@@ -25,6 +26,8 @@ install(
"CMakeLists.txt" EXCLUDE
PATTERN
"etc/*" EXCLUDE
+ PATTERN
+ "CS.cfg.in" EXCLUDE
)
# install empty directories
diff --git a/pki/base/tks/shared/conf/CMakeLists.txt b/pki/base/tks/shared/conf/CMakeLists.txt
new file mode 100644
index 000000000..e3cef5915
--- /dev/null
+++ b/pki/base/tks/shared/conf/CMakeLists.txt
@@ -0,0 +1,12 @@
+set(VERSION ${APPLICATION_VERSION})
+set(MAJOR_VERSION ${APPLICATION_VERSION_MAJOR})
+set(MINOR_VERSION ${APPLICATION_VERSION_MINOR})
+
+configure_file(${CMAKE_CURRENT_SOURCE_DIR}/CS.cfg.in ${CMAKE_CURRENT_BINARY_DIR}/CS.cfg @ONLY)
+
+install(
+ FILES
+ ${CMAKE_CURRENT_BINARY_DIR}/CS.cfg
+ DESTINATION
+ ${SHARE_INSTALL_PREFIX}/${APPLICATION_NAME}/${PROJECT_NAME}/conf
+)
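Review bot: Nothing in this new file checks that `APPLICATION_VERSION`, `APPLICATION_VERSION_MAJOR` and `APPLICATION_VERSION_MINOR` are set before `configure_file()` runs. An unset value is substituted as an empty string, so the generated CS.cfg would carry `cms.version=.` or an empty `preop.product.version` with no configure-time error. A guard ahead of the three `set()` lines would catch this: `if(NOT DEFINED APPLICATION_VERSION_MAJOR OR NOT DEFINED APPLICATION_VERSION_MINOR)`, `message(FATAL_ERROR "tks conf: application version not set")`, `endif()`. The short names `VERSION`, `MAJOR_VERSION` and `MINOR_VERSION` are also generic; a comment such as `# names must match the @VAR@ tokens in CS.cfg.in` would explain why they are not project-prefixed.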
diff --git a/pki/base/tks/shared/conf/CS.cfg b/pki/base/tks/shared/conf/CS.cfg.in
index 55689d701..1b5d89ea3 100644
--- a/pki/base/tks/shared/conf/CS.cfg
+++ b/pki/base/tks/shared/conf/CS.cfg.in
@@ -28,7 +28,7 @@ preop.securitydomain.admin_url=https://[PKI_MACHINE_NAME]:9445
preop.wizard.name=TKS Setup Wizard
preop.system.name=TKS
preop.product.name=CS
-preop.product.version=
+preop.product.version=@VERSION@
preop.system.fullname=Token Key Service
tks.cert.list=sslserver,subsystem,audit_signing
preop.cert.list=sslserver,subsystem,audit_signing
@@ -148,7 +148,7 @@ cmc.lraPopWitness.verify.allow=true
cmc.revokeCert.verify=true
cmc.revokeCert.sharedSecret.class=com.netscape.cms.authentication.SharedSecret
cmc.sharedSecret.class=com.netscape.cms.authentication.SharedSecret
-cms.version=
+cms.version=@MAJOR_VERSION@.@MINOR_VERSION@
dbs.ldap=internaldb
dbs.newSchemaEntryAdded=true
debug.append=true
diff --git a/pki/base/tks/src/CMakeLists.txt b/pki/base/tks/src/CMakeLists.txt
index ac7acb885..6178dd3f9 100644
--- a/pki/base/tks/src/CMakeLists.txt
+++ b/pki/base/tks/src/CMakeLists.txt
@@ -1,32 +1,95 @@
project(tks_java Java)
-find_file(JSS_JAR
+# '/usr/share/java/pki' jars
+find_file(CERTSRV_JAR
NAMES
- jss4.jar
+ certsrv.jar
+ PATHS
+ /usr/share/java/pki
+)
+
+find_file(CMS_JAR
+ NAMES
+ cms.jar
+ PATHS
+ /usr/share/java/pki
+)
+
+find_file(CMSCORE_JAR
+ NAMES
+ cmscore.jar
+ PATHS
+ /usr/share/java/pki
+)
+
+find_file(CMSUTIL_JAR
+ NAMES
+ cmsutil.jar
+ PATHS
+ /usr/share/java/pki
+)
+
+find_file(NSUTIL_JAR
+ NAMES
+ nsutil.jar
PATHS
/usr/lib/java
- /usr/share/java
+ /usr/share/java/pki
)
+
+# '/usr/share/java' jars
find_file(LDAPJDK_JAR
NAMES
ldapjdk.jar
PATHS
- /usr/lib/java
/usr/share/java
)
+
+# '/usr/lib/java' jars
+find_file(JSS_JAR
+ NAMES
+ jss4.jar
+ PATHS
+ /usr/lib/java
+)
+
+find_file(OSUTIL_JAR
+ NAMES
+ osutil.jar
+ PATHS
+ /usr/lib/java
+)
+
+find_file(SYMKEY_JAR
+ NAMES
+ symkey.jar
+ PATHS
+ /usr/lib/java
+)
+
+
+# identify java sources
set(tks_java_SRCS
com/netscape/tks/TKSAuthority.java
)
+
+# set classpath
set(CMAKE_JAVA_INCLUDE_PATH
- ${JSS_JAR} ${LDAPJDK_JAR} ${NSUTIL_JAR} ${CMSUTIL_JAR}
- ${OSUTIL_JAR} ${SYMKEY_JAR} ${CMS_JAR} ${CMSCORE_JAR}
- ${CERTSRV_JAR})
+ ${CERTSRV_JAR} ${CMS_JAR} ${CMSCORE_JAR} ${CMSUTIL_JAR} ${NSUTIL_JAR}
+ ${LDAPJDK_JAR}
+ ${JSS_JAR} ${OSUTIL_JAR} ${SYMKEY_JAR})
+
+
+# set version
set(CMAKE_JAVA_TARGET_VERSION ${APPLICATION_VERSION})
+
+# build tks.jar
add_jar(tks ${tks_java_SRCS})
-add_dependencies(tks nsutil cmsutil osutil symkey cms cmscore certsrv)
+add_dependencies(tks osutil symkey nsutil cmsutil certsrv cms cmscore)
install_jar(tks ${JAVA_JAR_INSTALL_DIR})
set(TKS_JAR ${tks_JAR_FILE} CACHE INTERNAL "tks jar file")
+
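Review bot: None of the nine `find_file()` results is checked, so a missing jar leaves a `<VAR>-NOTFOUND` string in `CMAKE_JAVA_INCLUDE_PATH` and the problem only shows up later, presumably as unresolved classes when `add_jar(tks ...)` compiles. For the two jars that are not also named in `add_dependencies()`, a guard after the lookups would fail early: `if(NOT JSS_JAR OR NOT LDAPJDK_JAR)`, `message(FATAL_ERROR "tks_java: jss4.jar or ldapjdk.jar not found")`, `endif()`. The other seven names match targets in `add_dependencies()`, so they look like jars built in this tree. Searching `/usr/share/java/pki` and `/usr/lib/java` for them can put a previously installed copy on the classpath instead of the one just built, unless a sibling project has already set these cache variables. That is worth confirming and recording in a comment above the lookups.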
diff --git a/pki/base/tps/CMakeLists.txt b/pki/base/tps/CMakeLists.txt
index 05c3a0ac0..0ccce6335 100644
--- a/pki/base/tps/CMakeLists.txt
+++ b/pki/base/tps/CMakeLists.txt
@@ -12,18 +12,47 @@ install(
FILES
etc/init.d/pki-tpsd
DESTINATION
- ${SYSCONF_INSTALL_DIR}/init.d
+ ${SYSCONF_INSTALL_DIR}/rc.d/init.d
PERMISSIONS
OWNER_EXECUTE OWNER_WRITE OWNER_READ
GROUP_EXECUTE GROUP_READ
WORLD_EXECUTE WORLD_READ
- PATTERN
- "CMakeLists.txt" EXCLUDE
)
install(
+ FILES
+ applets/1.3.44724DDE.ijc
+ applets/1.4.499dc06c.ijc
+ DESTINATION
+ ${SHARE_INSTALL_PREFIX}/${APPLICATION_NAME}/${PROJECT_NAME}/applets
+)
+
+install(
+ DIRECTORY
+ forms/esc/cgi-bin
+ DESTINATION
+ ${SHARE_INSTALL_PREFIX}/${APPLICATION_NAME}/${PROJECT_NAME}
+)
+
+install(
+ DIRECTORY
+ apache/conf
+ DESTINATION
+ ${SHARE_INSTALL_PREFIX}/${APPLICATION_NAME}/${PROJECT_NAME}
+)
+
+install(
+ FILES
+ forms/index.html
+ DESTINATION
+ ${SHARE_INSTALL_PREFIX}/${APPLICATION_NAME}/${PROJECT_NAME}/docroot
+)
+
+install(
+ FILES
+ forms/index.cgi
DESTINATION
- ${LIB_INSTALL_DIR}/${APPLICATION_NAME}/${PROJECT_NAME}
+ ${SHARE_INSTALL_PREFIX}/${APPLICATION_NAME}/${PROJECT_NAME}/docroot
PERMISSIONS
OWNER_EXECUTE OWNER_WRITE OWNER_READ
GROUP_EXECUTE GROUP_READ
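Review bot: The `install(DIRECTORY forms/esc/cgi-bin ...)` block sets no permissions, while `forms/index.cgi` in this hunk and `scripts/nss_pcache` in the next one get explicit execute bits. `install(DIRECTORY)` without `USE_SOURCE_PERMISSIONS` or `FILE_PERMISSIONS` installs files with the default non-executable mode, so any scripts under `cgi-bin` would lose their execute bit. I cannot see the directory contents from this hunk, so please confirm. If they are meant to run, add `USE_SOURCE_PERMISSIONS` after the `DESTINATION` path, or an explicit `FILE_PERMISSIONS` list limited to the bits the web server needs. The final `install(` block in this hunk continues past its end.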
@@ -31,44 +60,60 @@ install(
)
install(
- FILES
- forms/index.cgi
- forms/index.html
+ DIRECTORY
+ forms/esc/demo
+ forms/esc/home
+ forms/esc/so
+ forms/esc/sow
+ forms/tps
DESTINATION
${SHARE_INSTALL_PREFIX}/${APPLICATION_NAME}/${PROJECT_NAME}/docroot
+ PATTERN
+ "forms/esc/sow/css" EXCLUDE
+ PATTERN
+ "forms/esc/sow/images"EXCLUDE
+ PATTERN
+ "forms/esc/sow/js"EXCLUDE
+ PATTERN
+ "forms/tps/admin/console/css"EXCLUDE
)
install(
DIRECTORY
- apache/conf
DESTINATION
- ${SHARE_INSTALL_PREFIX}/${APPLICATION_NAME}/${PROJECT_NAME}/conf
+ ${SHARE_INSTALL_PREFIX}/${APPLICATION_NAME}/${PROJECT_NAME}/docroot/tokendb
)
install(
DIRECTORY
- forms/esc/cgi-bin
+ lib
DESTINATION
- ${SHARE_INSTALL_PREFIX}/${APPLICATION_NAME}/${PROJECT_NAME}/cgi-bin
+ ${SHARE_INSTALL_PREFIX}/${APPLICATION_NAME}/${PROJECT_NAME}
)
-# install directories
-set(INSTALL_DIRS
- alias
- applets
- lib
- logs
- scripts
+install(
+ FILES
+ scripts/nss_pcache
+ DESTINATION
+ ${SHARE_INSTALL_PREFIX}/${APPLICATION_NAME}/${PROJECT_NAME}/scripts
+ PERMISSIONS
+ OWNER_EXECUTE OWNER_WRITE OWNER_READ
+ GROUP_EXECUTE GROUP_READ
+ WORLD_EXECUTE WORLD_READ
)
-foreach(INSTALL_DIR ${INSTALL_DIRS})
- install(
- DIRECTORY
- ${INSTALL_DIR}
- DESTINATION
- ${SHARE_INSTALL_PREFIX}/${APPLICATION_NAME}/${PROJECT_NAME}/${INSTALL_DIR}
- )
-endforeach(INSTALL_DIR ${INSTALL_DIRS})
+install(
+ FILES
+ scripts/addAgents.ldif
+ scripts/addIndexes.ldif
+ scripts/addTokens.ldif
+ scripts/addVLVIndexes.ldif
+ scripts/database.ldif
+ scripts/schemaMods.ldif
+ scripts/vlvtasks.ldif
+ DESTINATION
+ ${SHARE_INSTALL_PREFIX}/${APPLICATION_NAME}/${PROJECT_NAME}/scripts
+)
# install empty directories
install(
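Review bot: Three of the four new `PATTERN` exclusions are missing the space before the keyword: `"forms/esc/sow/images"EXCLUDE`, `"forms/esc/sow/js"EXCLUDE` and `"forms/tps/admin/console/css"EXCLUDE`. How CMake treats a quoted argument with no separator after it depends on the version, and recent versions warn about it. Each should read like the first one, `"forms/esc/sow/css" EXCLUDE`. The `DIRECTORY` names in this block also have no trailing slash, so each tree lands under `docroot/` by its last path component, whereas the RA file earlier in this commit uses the trailing-slash form. A one-line comment such as `# no trailing slash: each directory is installed under docroot/ by name` would make the difference explicit.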
@@ -82,3 +127,4 @@ install(
DESTINATION
${VAR_INSTALL_DIR}/run/pki/tps
)
+
diff --git a/pki/base/tps/Makefile.am b/pki/base/tps/Makefile.am
index be1061847..fb97a8a0c 100644
--- a/pki/base/tps/Makefile.am
+++ b/pki/base/tps/Makefile.am
@@ -163,7 +163,7 @@ conf_DATA = $(srcdir)/apache/conf/httpd.conf \
$(srcdir)/apache/conf/mime.types \
$(srcdir)/apache/conf/nss.conf \
$(srcdir)/apache/conf/perl.conf \
- $(srcdir)/doc/CS.cfg
+ $(srcdir)/doc/CS.cfg.in
docroot_DATA = $(srcdir)/forms/index.cgi \
$(srcdir)/forms/index.html
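Review bot: `conf_DATA` now lists `$(srcdir)/doc/CS.cfg.in`, and automake's `_DATA` primary installs each file under its own basename, so the conf directory would receive an unprocessed `CS.cfg.in` rather than `CS.cfg`. If anything at instance-creation time expects `conf/CS.cfg`, either list a generated `doc/CS.cfg` from the build directory here, or add a comment stating that the autotools build is no longer supported for this subsystem. The same change is carried into `Makefile.in` below, which looks generated from this file. The `conf_DATA` assignment starts above the hunk.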
diff --git a/pki/base/tps/Makefile.in b/pki/base/tps/Makefile.in
index 0a2581e6f..ec02c5602 100644
--- a/pki/base/tps/Makefile.in
+++ b/pki/base/tps/Makefile.in
@@ -657,7 +657,7 @@ conf_DATA = $(srcdir)/apache/conf/httpd.conf \
$(srcdir)/apache/conf/mime.types \
$(srcdir)/apache/conf/nss.conf \
$(srcdir)/apache/conf/perl.conf \
- $(srcdir)/doc/CS.cfg
+ $(srcdir)/doc/CS.cfg.in
docroot_DATA = $(srcdir)/forms/index.cgi \
$(srcdir)/forms/index.html
diff --git a/pki/base/tps/doc/CS.cfg b/pki/base/tps/doc/CS.cfg
deleted file mode 100644
index 0bcf905cc..000000000
--- a/pki/base/tps/doc/CS.cfg
+++ /dev/null
@@ -1,1577 +0,0 @@
-# --- BEGIN COPYRIGHT BLOCK ---
-# This library is free software; you can redistribute it and/or
-# modify it under the terms of the GNU Lesser General Public
-# License as published by the Free Software Foundation;
-# version 2.1 of the License.
-#
-# This library is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
-# Lesser General Public License for more details.
-#
-# You should have received a copy of the GNU Lesser General Public
-# License along with this library; if not, write to the Free Software
-# Foundation, Inc., 51 Franklin Street, Fifth Floor,
-# Boston, MA 02110-1301 USA
-#
-# Copyright (C) 2007 Red Hat, Inc.
-# All rights reserved.
-# --- END COPYRIGHT BLOCK ---
-#
-pkicreate.pki_instance_root=[PKI_INSTANCE_ROOT]
-pkicreate.pki_instance_name=[PKI_INSTANCE_ID]
-pkicreate.subsystem_type=[PKI_SUBSYSTEM_TYPE]
-pkicreate.secure_port=[SECURE_PORT]
-pkicreate.non_clientauth_secure_port=[NON_CLIENTAUTH_SECURE_PORT]
-pkicreate.unsecure_port=[PORT]
-pkicreate.user=[PKI_USER]
-pkicreate.group=[PKI_GROUP]
-pkiremove.cert.subsystem.nickname=subsystemCert cert-[PKI_INSTANCE_ID]
-cs.type=TPS
-selftests._000=##
-selftests._001=## Self Tests
-selftests._002=##
-selftests._003=## The Self-Test plugin TPSSystemCertsVerification uses the
-selftests._004=## following parameters (where certusage is optional):
-selftests._005=## tps.cert.list = <list of cert tag names deliminated by ",">
-selftests._006=## tps.cert.<cert tag name>.nickname
-selftests._007=## tps.cert.<cert tag name>.certusage
-selftests._008=##
-selftests.container.logger.enable=true
-selftests.container.logger.expirationTime=0
-selftests.container.logger.file.type=RollingLogFile
-selftests.container.logger.fileName=[SERVER_ROOT]/logs/selftests.log
-selftests.container.logger.level=10
-selftests.container.logger.maxFileSize=2000
-selftests.container.logger.rolloverInterval=2592000
-selftests.container.order.startup=TPSPresence:critical, TPSSystemCertsVerification:critical
-selftests.container.order.onDemand=TPSPresence:critical, TPSValidity:critical, TPSSystemCertsVerification:critical
-selftests.plugin.TPSPresence.nickname=[HSM_LABEL][NICKNAME]
-selftests.plugin.TPSValidity.nickname=[HSM_LABEL][NICKNAME]
-service.machineName=[SERVER_NAME]
-service.instanceDir=[SERVER_ROOT]
-service.securePort=[SECURE_PORT]
-service.non_clientauth_securePort=[NON_CLIENTAUTH_SECURE_PORT]
-service.unsecurePort=[PORT]
-service.instanceID=[PKI_INSTANCE_ID]
-logging._000=#########################################
-logging._001=# RA configuration File
-logging._002=#
-logging._003=# All <...> must be replaced with
-logging._004=# appropriate values.
-logging._005=#########################################
-logging._006=########################################
-logging._007=# logging
-logging._008=#
-logging._009=# logging.debug.enable:
-logging._010=# logging.audit.enable:
-logging._011=# logging.error.enable:
-logging._012=# - enable or disable the corresponding logging
-logging._013=# logging.debug.filename:
-logging._014=# logging.audit.filename:
-logging._015=# logging.error.filename:
-logging._016=# - name of the log file
-logging._017=# logging.debug.level:
-logging._018=# logging.audit.level:
-logging._019=# logging.error.level:
-logging._020=# - level of logging. (0-10)
-logging._021=# 0 - no logging,
-logging._022=# 4 - LL_PER_SERVER these messages will occur only once
-logging._023=# during the entire invocation of the
-logging._024=# server, e. g. at startup or shutdown
-logging._025=# time., reading the conf parameters.
-logging._026=# Perhaps other infrequent events
-logging._027=# relating to failing over of CA, TKS,
-logging._028=# too
-logging._029=# 6 - LL_PER_CONNECTION these messages happen once per
-logging._030=# connection - most of the log events
-logging._031=# will be at this level
-logging._032=# 8 - LL_PER_PDU these messages relate to PDU
-logging._033=# processing. If you have something that
-logging._034=# is done for every PDU, such as
-logging._035=# applying the MAC, it should be logged
-logging._036=# at this level
-logging._037=# 9 - LL_ALL_DATA_IN_PDU dump all the data in the PDU - a more
-logging._038=# chatty version of the above
-logging._039=# 10 - all logging
-logging._040=# logging.audit.buffer.size: # in bytes
-logging._041=# logging.audit.flush.interval: # in seconds, 0 disables flush thread
-logging._042=# logging.*.file.type:
-logging._043=# - file type: RollingLogFile or LogFile
-logging._044=# logging.*.rolloverInterval:
-logging._045=# - interval to roll over logs (seconds), 0 to disable rollover
-logging._046=# logging.*.maxFileSize:
-logging._047=# - size at which file rollover occurs, in kB
-logging._048=# logging.*.expirationTime:
-logging._049=# - maximum age of log, older unmodified logs are deleted( in seconds, 0 to disable)
-logging._050=#########################################
-logging.debug.enable=true
-logging.debug.filename=[SERVER_ROOT]/logs/tps-debug.log
-logging.debug.level=10
-logging.debug.file.type=RollingLogFile
-logging.debug.maxFileSize=2000
-logging.debug.rolloverInterval=2592000
-logging.debug.expirationTime=0
-logging.audit.enable=true
-logging.audit.filename=[SERVER_ROOT]/logs/tps-audit.log
-logging.audit.signedAuditFilename=[SERVER_ROOT]/logs/signedAudit/tps_audit
-logging.audit.level=10
-logging.audit.logSigning=false
-logging.audit.signedAuditCertNickname=auditSigningCert cert-[PKI_INSTANCE_ID]
-logging.audit.selected.events=AUTHZ_SUCCESS,AUTHZ_FAIL,AUTH_FAIL,AUTH_SUCCESS,ROLE_ASSUME,ENROLLMENT,PIN_RESET,FORMAT,CONFIG,CONFIG_ROLE,CONFIG_TOKEN,CONFIG_PROFILE,CONFIG_AUDIT,APPLET_UPGRADE,KEY_CHANGEOVER,RENEWAL,CIMC_CERT_VERIFICATION
-logging.audit.selectable.events=AUTHZ_SUCCESS,AUTHZ_FAIL,AUTH_FAIL,AUTH_SUCCESS,ROLE_ASSUME,ENROLLMENT,PIN_RESET,FORMAT,CONFIG,CONFIG_ROLE,CONFIG_TOKEN,CONFIG_PROFILE,CONFIG_AUDIT,APPLET_UPGRADE,KEY_CHANGEOVER,RENEWAL,CIMC_CERT_VERIFICATION
-logging.audit.nonselectable.events=AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,LOGGING_SIGNED_AUDIT_SIGNING
-logging.audit.buffer.size=512
-logging.audit.flush.interval=5
-logging.audit.file.type=RollingLogFile
-logging.audit.maxFileSize=2000
-logging.audit.rolloverInterval=2592000
-logging.audit.expirationTime=0
-logging.error.enable=true
-logging.error.filename=[SERVER_ROOT]/logs/tps-error.log
-logging.error.level=10
-logging.error.file.type=RollingLogFile
-logging.error.maxFileSize=2000
-logging.error.rolloverInterval=2592000
-logging.error.expirationTime=0
-conn.ca1._000=#########################################
-conn.ca1._001=# CA connection
-conn.ca1._002=#
-conn.ca1._003=# conn.ca<n>.hostport:
-conn.ca1._004=# - host name and port number of your CA, format is host:port
-conn.ca1._005=# conn.ca<n>.clientNickname:
-conn.ca1._006=# - nickname of the client certificate for
-conn.ca1._007=# authentication
-conn.ca1._008=# conn.ca<n>.servlet.enrollment:
-conn.ca1._009=# - servlet to contact in CA
-conn.ca1._010=# - must be '/ca/profileSubmitSSLClient'
-conn.ca1._011=# conn.ca<n>.retryConnect:
-conn.ca1._012=# - number of reconnection attempts on failure
-conn.ca1._013=# conn.ca<n>.timeout:
-conn.ca1._014=# - connection timeout
-conn.ca1._015=# conn.ca<n>.SSLOn:
-conn.ca1._016=# - enable SSL or not
-conn.ca1._017=# conn.ca<n>.keepAlive:
-conn.ca1._018=# - enable keep alive or not
-conn.ca1._019=#
-conn.ca1._020=# where
-conn.ca1._021=# <n> - CA connection ID
-conn.ca1._022=#########################################
-failover.pod.enable=false
-conn.ca1.hostport=[CA_HOST]:[CA_PORT]
-conn.ca1.clientNickname=[HSM_LABEL][NICKNAME]
-conn.ca1.servlet.enrollment=/ca/ee/ca/profileSubmitSSLClient
-conn.ca1.servlet.renewal=/ca/ee/ca/profileSubmitSSLClient
-conn.ca1.servlet.revoke=/ca/ee/subsystem/ca/doRevoke
-conn.ca1.servlet.unrevoke=/ca/ee/subsystem/ca/doUnrevoke
-conn.ca1.retryConnect=3
-conn.ca1.timeout=100
-conn.ca1.SSLOn=true
-conn.ca1.keepAlive=true
-conn.tks1._000=#########################################
-conn.tks1._001=# TKS connection
-conn.tks1._002=#
-conn.tks1._003=# conn.tks<n>.hostport:
-conn.tks1._004=# - host name and port number of your TKS, the format is host:port
-conn.tks1._005=# conn.tks<n>.clientNickname:
-conn.tks1._006=# - nickname of the client certificate for
-conn.tks1._007=# authentication
-conn.tks1._008=# conn.tks<n>.servlet.computeSessionKey:
-conn.tks1._009=# - servlet to compute session key
-conn.tks1._010=# - must be '/tks/computeSessionKey'
-conn.tks1._011=# conn.tks<n>.servlet.encryptData:
-conn.tks1._012=# - servlet to encrypt data
-conn.tks1._013=# - must be '/tks/encryptData'
-conn.tks1._014=# conn.tks<n>.servlet.createKeySetData:
-conn.tks1._015=# - servlet to create key set data
-conn.tks1._016=# - must be '/tks/createKeySetData'
-conn.tks1._017=# conn.tks<n>.retryConnect:
-conn.tks1._018=# - number of reconnection attempts on failure
-conn.tks1._019=# conn.tks<n>.SSLOn
-conn.tks1._020=# - enable SSL or not
-conn.tks1._021=# conn.tks<n>.keepAlive:
-conn.tks1._022=# - enable keep alive or not
-conn.tks1._023=#
-conn.tks1._024=# where
-conn.tks1._025=# <n> - TKS connection ID
-conn.tks1._026=#########################################
-conn.tks1.hostport=[TKS_HOST]:[TKS_PORT]
-conn.tks1.clientNickname=[HSM_LABEL][NICKNAME]
-conn.tks1.servlet.computeSessionKey=/tks/agent/tks/computeSessionKey
-conn.tks1.servlet.encryptData=/tks/agent/tks/encryptData
-conn.tks1.servlet.createKeySetData=/tks/agent/tks/createKeySetData
-conn.tks1.servlet.computeRandomData=/tks/agent/tks/computeRandomData
-conn.tks1.retryConnect=3
-conn.tks1.timeout=100
-conn.tks1.generateHostChallenge=true
-conn.tks1.SSLOn=true
-conn.tks1.keepAlive=false
-conn.tks1.keySet=defKeySet
-conn.tks1.serverKeygen=[SERVER_KEYGEN]
-conn.drm1._000=#########################################
-conn.drm1._001=# DRM connection
-conn.drm1._002=#
-conn.drm1._003=#conn.drm.totalConns
-conn.drm1._004=# - # of DRM connections
-conn.drm1._005=#conn.drm<n>.hostport
-conn.drm1._006=# - host name and port number of your DRM, the format is host:port
-conn.drm1._007=#conn.drm<n>.clientNickname
-conn.drm1._008=# - nickname of the client certificate for
-conn.drm1._009=# authentication
-conn.drm1._010=#conn.drm<n>.servlet.GenerateKeyPair
-conn.drm1._011=# - servlet to generate key pairs and archive keys on DRM
-conn.drm1._012=# - must be '/kra/GenerateKeyPair'
-conn.drm1._013=#conn.drm<n>.servlet.TokenKeyRecovery=/kra/TokenKeyRecovery
-conn.drm1._014=# - servlet to handle key recovery
-conn.drm1._015=# - must be '/kra/TokenKeyRecovery'
-conn.drm1._016=#conn.drm<n>.retryConnect=3
-conn.drm1._017=# - number of reconnection attempts on failure
-conn.drm1._018=#conn.drm<n>.SSLOn=true
-conn.drm1._019=# - enable SSL or not
-conn.drm1._020=#conn.drm<n>.keepAlive=false
-conn.drm1._021=# - enable keep alive or not
-conn.drm1._022=#
-conn.drm1._023=# where
-conn.drm1._024=# <n> - DRM connection ID
-conn.drm1._025=#########################################
-conn.drm.totalConns=1
-conn.drm1.hostport=[DRM_HOST]:[DRM_PORT]
-conn.drm1.clientNickname=[HSM_LABEL][NICKNAME]
-conn.drm1.servlet.GenerateKeyPair=/kra/agent/kra/GenerateKeyPair
-conn.drm1.servlet.TokenKeyRecovery=/kra/agent/kra/TokenKeyRecovery
-conn.drm1.retryConnect=3
-conn.drm1.timeout=100
-conn.drm1.SSLOn=true
-conn.drm1.keepAlive=false
-auth.instance._000=########################################
-auth.instance._001=# publishing
-auth.instance._002=#
-auth.instance._003=# publisher.instance.<n>.libraryName:
-auth.instance._004=# - name of the library specified with a fully qualified path name
-auth.instance._005=# publisher.instance.<n>.libraryFactory:
-auth.instance._006=# - the name of the function which instantiates the publisher
-auth.instance._007=# publisher.instance.<n>.publisherId:
-auth.instance._008=# - the publisher ID
-auth.instance._009=#
-auth.instance._010=# where
-auth.instance._011=# <n> - publisher connection ID
-auth.instance._012=########################################
-auth.instance._013=#########################################
-auth.instance._014=# authentication
-auth.instance._015=#
-auth.instance._016=# auth.instance.<n>.libraryName:
-auth.instance._017=# - name of the library specified with a fully qualified path name
-auth.instance._018=# auth.instance.<n>.libraryFactory:
-auth.instance._019=# - the name of the function which instantiates the authentication
-auth.instance._020=# auth.instance.<n>.authId
-auth.instance._021=# - the authentication ID
-auth.instance._022=# auth.instance.<n>.hostport
-auth.instance._023=# - parameter specific to the given authentication,
-auth.instance._024=# i. e., LDAPAuthentication (id=ldap1)
-auth.instance._025=# - host name and port number, host:port
-auth.instance._026=# - for failover, provide multiple host:port designations
-auth.instance._027=# separated by " "
-auth.instance._028=# auth.instance.<n>.SSLOn:
-auth.instance._029=# - parameter specific to the given authentication,
-auth.instance._030=# i. e., LDAPAuthentication (id=ldap1)
-auth.instance._031=# - use SSL or not for LDAP service
-auth.instance._032=# auth.instance.<n>.retries:
-auth.instance._033=# - parameter specific to the given authentication,
-auth.instance._034=# i. e., LDAPAuthentication (id=ldap1)
-auth.instance._035=# - number of authentication re-attempts when authentication failed
-auth.instance._036=# auth.instance.<n>.retryConnect:
-auth.instance._037=# - parameter specific to the given authentication,
-auth.instance._038=# i. e., LDAPAuthentication (id=ldap1)
-auth.instance._039=# - number of connection re-attempts when connection failed
-auth.instance._040=#
-auth.instance._041=# where
-auth.instance._042=# <n> - authentication connection ID
-auth.instance._043=#########################################
-auth.instance.0.type=LDAP_Authentication
-auth.instance.0.libraryName=[SYSTEM_USER_LIBRARIES]/[LIB_PREFIX]ldapauth[OBJ_EXT]
-auth.instance.0.libraryFactory=GetAuthentication
-auth.instance.0.authId=ldap1
-auth.instance.0.hostport=[LDAP_HOST]:[LDAP_PORT]
-auth.instance.0.SSLOn=false
-auth.instance.0.retries=1
-auth.instance.0.retryConnect=3
-auth.instance.0.baseDN=[LDAP_ROOT]
-auth.instance.0.ssl=false
-auth.instance.0.attributes._001=##############################################
-auth.instance.0.attributes._002=# attributes will be available
-auth.instance.0.attributes._003=# as $auth.<attribute>$
-auth.instance.0.attributes._004=##############################################
-auth.instance.0.attributes=mail,cn,uid
-auth.instance.0.ui.title.en=LDAP Authentication
-auth.instance.0.ui.description.en=This authenticates user against the LDAP directory.
-auth.instance.0.ui.id.UID.name.en=LDAP User ID
-auth.instance.0.ui.id.PASSWORD.name.en=LDAP Password
-auth.instance.0.ui.id.UID.description.en=LDAP User ID
-auth.instance.0.ui.id.PASSWORD.description.en=LDAP Password
-auth.instance.1.type=LDAP_Authentication
-auth.instance.1.libraryName=[SYSTEM_USER_LIBRARIES]/[LIB_PREFIX]ldapauth[OBJ_EXT]
-auth.instance.1.libraryFactory=GetAuthentication
-auth.instance.1.authId=ldap2
-auth.instance.1.bindDN=cn=Directory Manager
-auth.instance.1.bindPWD=[SERVER_ROOT]/conf/password.conf
-auth.instance.1.hostport=[TOKENDB_HOST]:[TOKENDB_PORT]
-auth.instance.1.SSLOn=false
-auth.instance.1.retries=1
-auth.instance.1.retryConnect=3
-auth.instance.1.baseDN=[TOKENDB_ROOT]
-auth.instance.1.ssl=false
-auth.instance.1.attributes._001=##############################################
-auth.instance.1.attributes._002=# attributes will be available
-auth.instance.1.attributes._003=# as $auth.<attribute>$
-auth.instance.1.attributes._004=##############################################
-auth.instance.1.attributes=mail,cn,uid
-auth.instance.1.ui.title.en=LDAP Authentication
-auth.instance.1.ui.description.en=This authenticates user against the LDAP directory.
-auth.instance.1.ui.id.UID.name.en=LDAP User ID
-auth.instance.1.ui.id.PASSWORD.name.en=LDAP Password
-auth.instance.1.ui.id.UID.description.en=LDAP User ID
-auth.instance.1.ui.id.PASSWORD.description.en=LDAP Password
-applet._000=#########################################
-applet._001=# applet information
-applet._002=# SAF Key:
-applet._003=# applet.aid.cardmgr_instance=A0000001510000
-applet._004=#########################################
-applet.aid.cardmgr_instance=A0000000030000
-applet.aid.netkey_instance=627601FF000000
-applet.aid.netkey_file=627601FF0000
-applet.aid.netkey_old_instance=A00000000101
-applet.aid.netkey_old_file=A000000001
-applet.so_pin=000000000000
-applet.delete_old=true
-general.verifyProof=1
-general.applet_ext=ijc
-general.search.sizelimit.max=2000
-general.search.sizelimit.default=100
-general.search.timelimit.max=10
-general.search.timelimit.default=10
-general.pwlength.min=16
-channel._000=#########################################
-channel._001=# channel.encryption:
-channel._002=#
-channel._003=# - enable encryption for all operation commands to token
-channel._004=# - default is true
-channel._005=# channel.blocksize=242
-channel._006=# channel.defKeyVersion=0
-channel._007=# channel.defKeyIndex=0
-channel._008=#########################################
-channel.encryption=true
-channel.blocksize=248
-channel.defKeyVersion=0
-channel.defKeyIndex=0
-#Config the size of memory managed memory in the applet
-#Default is 5000, try not go get close to the instanceSize
-#Which defaults to 18000
-#channel.instanceSize=18000
-#channel.appletMemorySize=5000
-preop.pin=[PKI_RANDOM_NUMBER]
-preop.product.version=
-preop.cert._000=#########################################
-preop.cert._001=# Installation configuration "preop" certs parameters
-preop.cert._002=#########################################
-preop.cert.list=sslserver,subsystem,audit_signing
-preop.cert.sslserver.enable=true
-preop.cert.subsystem.enable=true
-preop.cert.audit_signing.enable=false
-preop.cert.sslserver.defaultSigningAlgorithm=SHA256withRSA
-preop.cert.sslserver.dn=CN=[SERVER_NAME], OU=[PKI_INSTANCE_ID]
-preop.cert.sslserver.keysize.customsize=2048
-preop.cert.sslserver.keysize.size=2048
-preop.cert.sslserver.keysize.select=custom
-preop.cert.sslserver.nickname=Server-Cert cert-[PKI_INSTANCE_ID]
-preop.cert.sslserver.profile=caInternalAuthServerCert
-preop.cert.sslserver.subsystem=tps
-preop.cert._003=#preop.cert.sslserver.type=local
-preop.cert.sslserver.userfriendlyname=SSL Server Certificate
-preop.cert._004=#preop.cert.sslserver.cncomponent.override=false
-preop.cert.subsystem.defaultSigningAlgorithm=SHA256withRSA
-preop.cert.subsystem.dn=CN=TPS Subsystem Certificate, OU=[PKI_INSTANCE_ID]
-preop.cert.subsystem.keysize.customsize=2048
-preop.cert.subsystem.keysize.size=2048
-preop.cert.subsystem.keysize.select=custom
-preop.cert.subsystem.nickname=subsystemCert cert-[PKI_INSTANCE_ID]
-preop.cert.subsystem.profile=caInternalAuthSubsystemCert
-preop.cert.subsystem.subsystem=tps
-preop.cert._005=#preop.cert.subsystem.type=local
-preop.cert.subsystem.userfriendlyname=Subsystem Certificate
-preop.cert._006=#preop.cert.subsystem.cncomponent.override=true
-preop.cert.audit_signing.defaultSigningAlgorithm=SHA256withRSA
-preop.cert.audit_signing.dn=CN=TPS Audit Signing Certificate, OU=[PKI_INSTANCE_ID]
-preop.cert.audit_signing.keysize.customsize=2048
-preop.cert.audit_signing.keysize.size=2048
-preop.cert.audit_signing.keysize.select=custom
-preop.cert.audit_signing.nickname=auditSigningCert cert-[PKI_INSTANCE_ID]
-preop.cert.audit_signing.profile=caInternalAuthAuditSigningCert
-preop.cert.audit_signing.subsystem=tps
-preop.cert._005=#preop.cert.audit_signing.type=local
-preop.cert.audit_signing.userfriendlyname=Audit Log Signing Certificate
-preop.cert._006=#preop.cert.audit_signing.cncomponent.override=true
-preop.configModules._000=#########################################
-preop.configModules._001=# Installation configuration "preop" module parameters
-preop.configModules._002=#########################################
-preop.configModules.count=3
-preop.configModules.module0.commonName=NSS Internal PKCS #11 Module
-preop.configModules.module0.imagePath=../img/clearpixel.gif
-preop.configModules.module0.userFriendlyName=NSS Internal PKCS #11 Module
-preop.configModules.module1.commonName=nfast
-preop.configModules.module1.imagePath=../img/clearpixel.gif
-preop.configModules.module1.userFriendlyName=nCipher's nFast Token Hardware Module
-preop.configModules.module2.commonName=lunasa
-preop.configModules.module2.imagePath=../img/clearpixel.gif
-preop.configModules.module2.userFriendlyName=SafeNet's LunaSA Token Hardware Module
-preop.module.token=NSS Certificate DB
-preop.keysize._000=#########################################
-preop.keysize._001=# Installation configuration "preop" keysize parameters
-preop.keysize._002=#########################################
-preop.keysize.customsize=2048
-preop.keysize.select=default
-preop.keysize.size=2048
-preop.keysize.ecc.size=256
-preop.adminauth.done=false
-preop.adminpanel.done=false
-preop.agentauth.done=false
-preop.authdb.done=false
-preop.cainfo.done=false
-preop.certprettyprint.done=false
-preop.certrequest.done=false
-preop.confighsmlogin.done=false
-preop.confighsm.done=false
-preop.database.done=false
-preop.displaycertchain2.done=false
-preop.displaycertchain.done=false
-preop.donepanel.done=false
-preop.drminfo.done=false
-preop.importadmincert.done=false
-preop.loginpanel.done=false
-preop.ModulePanel.done=false
-preop.namepanel.done=false
-preop.securitydomain.done=false
-preop.SizePanel.done=false
-preop.subsystemtype.done=false
-preop.tksinfo.done=false
-preop.welcome.done=false
-op.enroll._000=#########################################
-op.enroll._001=# Default Operations
-op.enroll._002=#
-op.enroll._003=# op.<op>.mapping.order=<n>,<n>,<n>
-op.enroll._004=# - contains at least one value or a series
-op.enroll._005=# of comma-separated mapping values which
-op.enroll._006=# are checked in sequential order
-op.enroll._007=# op.<op>.mapping.<n>.filter.tokenType=userKey
-op.enroll._008=# - can be either empty or token type
-op.enroll._009=# specified by the client
-op.enroll._010=# op.<op>.mapping.<n>.filter.tokenATR=
-op.enroll._011=# - can be either empty or token ATR
-op.enroll._012=# specified by the client
-op.enroll._013=# op.<op>.mapping.<n>.filter.appletMajorVersion=1
-op.enroll._014=# - can be either empty or applet major version
-op.enroll._015=# specified by the client
-op.enroll._016=# op.<op>.mapping.<n>.filter.appletMinorVersion=
-op.enroll._017=# - can be either empty or applet minor version
-op.enroll._018=# specified by the client
-op.enroll._019=# - if major and minor versions are both zero, this
-op.enroll._020=# indicate there is no applet on the token.
-op.enroll._021=# op.<op>.mapping.<n>.target.tokenType=userKey
-op.enroll._022=# - if tokenType, tokenATR, appletMajorVersion,
-op.enroll._023=# and appletMinorVersion are matched, value in
-op.enroll._024=# targetTokenType will be used to locate
-op.enroll._025=# the corresponding token profile to
-op.enroll._026=# process the request.
-op.enroll._027=#
-op.enroll._028=# where
-op.enroll._029=# <op> - operation; enroll,pinReset,format
-op.enroll._030=# <n> - mapping ID; order is specifiable
-op.enroll._031=#
-op.enroll._032=# Token ATR:
-op.enroll._033=# Web Store - 3B759400006202020201
-op.enroll._034=#########################################
-op.enroll.mapping.order=0,1,2
-op.enroll.mapping.0.filter.tokenType=userKey
-op.enroll.mapping.0.filter.tokenATR=
-op.enroll.mapping.0.filter.tokenCUID.start=
-op.enroll.mapping.0.filter.tokenCUID.end=
-op.enroll.mapping.0.filter.appletMajorVersion=1
-op.enroll.mapping.0.filter.appletMinorVersion=
-op.enroll.mapping.0.target.tokenType=userKey
-op.enroll.mapping.1.filter.tokenType=soKey
-op.enroll.mapping.1.filter.tokenATR=
-op.enroll.mapping.1.filter.tokenCUID.start=
-op.enroll.mapping.1.filter.tokenCUID.end=
-op.enroll.mapping.1.filter.appletMajorVersion=
-op.enroll.mapping.1.filter.appletMinorVersion=
-op.enroll.mapping.1.target.tokenType=soKey
-op.enroll.mapping.2.filter.tokenType=
-op.enroll.mapping.2.filter.tokenATR=
-op.enroll.mapping.2.filter.tokenCUID.start=
-op.enroll.mapping.2.filter.tokenCUID.end=
-op.enroll.mapping.2.filter.appletMajorVersion=
-op.enroll.mapping.2.filter.appletMinorVersion=
-op.enroll.mapping.2.target.tokenType=userKey
-op.pinReset.mapping.order=0
-op.pinReset.mapping.0.filter.tokenType=
-op.pinReset.mapping.0.filter.tokenATR=
-op.pinReset.mapping.0.filter.tokenCUID.start=
-op.pinReset.mapping.0.filter.tokenCUID.end=
-op.pinReset.mapping.0.filter.appletMajorVersion=
-op.pinReset.mapping.0.filter.appletMinorVersion=
-op.pinReset.mapping.0.target.tokenType=userKey
-op.format.mapping.order=0,1,2,3,4,5,6
-op.format.mapping.0.filter.tokenType=soCleanUserToken
-op.format.mapping.0.filter.tokenATR=
-op.format.mapping.0.filter.tokenCUID.start=
-op.format.mapping.0.filter.tokenCUID.end=
-op.format.mapping.0.filter.appletMajorVersion=
-op.format.mapping.0.filter.appletMinorVersion=
-op.format.mapping.0.target.tokenType=soCleanUserToken
-op.format.mapping.1.filter.tokenType=soUserKey
-op.format.mapping.1.filter.tokenATR=
-op.format.mapping.1.filter.tokenCUID.start=
-op.format.mapping.1.filter.tokenCUID.end=
-op.format.mapping.1.filter.appletMajorVersion=
-op.format.mapping.1.filter.appletMinorVersion=
-op.format.mapping.1.target.tokenType=soUserKey
-op.format.mapping.2.filter.tokenType=soKey
-op.format.mapping.2.filter.tokenATR=
-op.format.mapping.2.filter.tokenCUID.start=
-op.format.mapping.2.filter.tokenCUID.end=
-op.format.mapping.2.filter.appletMajorVersion=
-op.format.mapping.2.filter.appletMinorVersion=
-op.format.mapping.2.target.tokenType=soKey
-op.format.mapping.3.filter.tokenType=userKey
-op.format.mapping.3.filter.tokenATR=
-op.format.mapping.3.filter.tokenCUID.start=
-op.format.mapping.3.filter.tokenCUID.end=
-op.format.mapping.3.filter.appletMajorVersion=
-op.format.mapping.3.filter.appletMinorVersion=
-op.format.mapping.3.target.tokenType=userKey
-op.format.mapping.4.filter.tokenType=soCleanSOToken
-op.format.mapping.4.filter.tokenATR=
-op.format.mapping.4.filter.tokenCUID.start=
-op.format.mapping.4.filter.tokenCUID.end=
-op.format.mapping.4.filter.appletMajorVersion=
-op.format.mapping.4.filter.appletMinorVersion=
-op.format.mapping.5.filter.tokenType=cleanToken
-op.format.mapping.5.filter.tokenATR=
-op.format.mapping.5.filter.tokenCUID.start=
-op.format.mapping.5.filter.tokenCUID.end=
-op.format.mapping.5.filter.appletMajorVersion=
-op.format.mapping.5.filter.appletMinorVersion=
-op.format.mapping.5.target.tokenType=cleanToken
-op.format.mapping.4.target.tokenType=soCleanSOToken
-op.format.mapping.6.filter.tokenATR=
-op.format.mapping.6.filter.tokenCUID.start=
-op.format.mapping.6.filter.tokenCUID.end=
-op.format.mapping.6.filter.appletMajorVersion=
-op.format.mapping.6.filter.appletMinorVersion=
-op.format.mapping.6.target.tokenType=tokenKey
-op.enroll.userKey._000=#########################################
-op.enroll.userKey._001=# Enrollment Operation For CoolKey
-op.enroll.userKey._002=#
-op.enroll.userKey._003=# op.enroll.<tokenType>.keyGen.<keyType>.keySize=1024
-op.enroll.userKey._004=# - size of the key the token should generate
-op.enroll.userKey._005=# - max value: 1024
-op.enroll.userKey._006=#
-op.enroll.userKey._007=# op.enroll.<tokenType>.keyGen.<keyType>.keyCapabilities.encrypt=false
-op.enroll.userKey._008=# op.enroll.<tokenType>.keyGen.<keyType>.keyCapabilities.sign=true
-op.enroll.userKey._009=# op.enroll.<tokenType>.keyGen.<keyType>.keyCapabilities.signRecover=true
-op.enroll.userKey._010=# op.enroll.<tokenType>.keyGen.<keyType>.keyCapabilities.decrypt=false
-op.enroll.userKey._011=# op.enroll.<tokenType>.keyGen.<keyType>.keyCapabilities.derive=false
-op.enroll.userKey._012=# op.enroll.<tokenType>.keyGen.<keyType>.keyCapabilities.unwrap=false
-op.enroll.userKey._013=# op.enroll.<tokenType>.keyGen.<keyType>.keyCapabilities.wrap=false
-op.enroll.userKey._014=# op.enroll.<tokenType>.keyGen.<keyType>.keyCapabilities.verifyRecover=true
-op.enroll.userKey._015=# op.enroll.<tokenType>.keyGen.<keyType>.keyCapabilities.verify=true
-op.enroll.userKey._016=# op.enroll.<tokenType>.keyGen.<keyType>.keyCapabilities.sensitive=true
-op.enroll.userKey._017=# op.enroll.<tokenType>.keyGen.<keyType>.keyCapabilities.private=true
-op.enroll.userKey._018=# op.enroll.<tokenType>.keyGen.<keyType>.keyCapabilities.token=true
-op.enroll.userKey._019=# - specify the PKCS11 attributes to set on the token
-op.enroll.userKey._020=#
-op.enroll.userKey._021=# op.enroll.userKey.keyGen.signing.cuid_label
-op.enroll.userKey._022=# - specify the CUID shown in the certificate
-op.enroll.userKey._023=#
-op.enroll.userKey._024=# op.enroll.userKey.keyGen.signing.label
-op.enroll.userKey._025=# - specify the token name. all resulting labels for co-existing keys
-op.enroll.userKey._026=# on the same token must be unique
-op.enroll.userKey._027=# - $pretty_cuid$ - Pretty Print CUID (i.e. 4090-0062-FF02-0000-0B9C)
-op.enroll.userKey._028=# - $cuid$ - CUID (i.e. 40900062FF0200000B9C)
-op.enroll.userKey._029=# - $msn$ - MSN
-op.enroll.userKey._030=# - $userid$ - User ID
-op.enroll.userKey._031=# - $profileId$ - Profile ID
-op.enroll.userKey._032=#
-op.enroll.userKey._033=# op.enroll.<tokenType>.keyGen.<keyType>.overwrite=true|false
-op.enroll.userKey._034=# - if key and certificate exist, should RA overwrite them
-op.enroll.userKey._035=#
-op.enroll.userKey._036=# op.enroll.<tokenType>.keyGen.<keyType>.certId=C1
-op.enroll.userKey._037=# op.enroll.<tokenType>.keyGen.<keyType>.certAttrId=c1
-op.enroll.userKey._038=# op.enroll.<tokenType>.keyGen.<keyType>.privateKeyAttrId=k2
-op.enroll.userKey._039=# op.enroll.<tokenType>.keyGen.<keyType>.publicKeyAttrId=k3
-op.enroll.userKey._040=# op.enroll.<tokenType>.keyGen.<keyType>.privateKeyNumber=2
-op.enroll.userKey._041=# op.enroll.<tokenType>.keyGen.<keyType>.publicKeyNumber=3
-op.enroll.userKey._042=# - specify name PKCS11 object IDs
-op.enroll.userKey._043=# - Lower case letters signify objects containing PKCS11 object attributes,
-op.enroll.userKey._044=# in the format described below.
-op.enroll.userKey._045=# 'c' An object containing PKCS11 attributes for a certificate.
-op.enroll.userKey._046=# 'k' An object containing PKCS11 attributes for a public or private key
-op.enroll.userKey._047=# 'r' An object containing PKCS11 attributes for an "reader".
-op.enroll.userKey._048=# - Upper case letters signify objects containing raw data corresponding to
-op.enroll.userKey._049=# the lower case letters described above. For example, object "C0"
-op.enroll.userKey._050=# contains raw data corresponding to object "c0".
-op.enroll.userKey._051=# 'C' This object contains an entire DER cert, and nothing else.
-op.enroll.userKey._052=# 'K' This object contains a MUSCLE "key blob". TPS does not use this.
-op.enroll.userKey._053=#
-op.enroll.userKey._054=# op.enroll.<tokenType>.keyGen.<keyType>.keyUsage=0
-op.enroll.userKey._055=# op.enroll.<tokenType>.keyGen.<keyType>.keyUser=0
-op.enroll.userKey._056=# - user specifies which PIN user should be granted
-op.enroll.userKey._057=# use privilege of the generated private key, or
-op.enroll.userKey._058=# 15 if all users have use privilege for the private key
-op.enroll.userKey._059=# - Valid uage: (only specifies the usage for the private key)
-op.enroll.userKey._060=# 0 - default usage (Signing only for this APDU)
-op.enroll.userKey._061=# 1 - signing only
-op.enroll.userKey._062=# 2 - decryption only
-op.enroll.userKey._063=# 3 - signing and decryption
-op.enroll.userKey._064=#
-op.enroll.userKey._065=# op.enroll.<tokenType>.pkcs11obj.enable=true|false
-op.enroll.userKey._066=# - enable writing of PKCS11 cache object to the token
-op.enroll.userKey._067=#
-op.enroll.userKey._068=# op.enroll.<tokenType>.pkcs11obj.compress.enable=true|false
-op.enroll.userKey._069=# - enable compression for writing of PKCS11 cache object to the token
-op.enroll.userKey._070=#
-op.enroll.userKey._071=# op.enroll.<tokenType>.pinReset.pin.maxRetries=127
-op.enroll.userKey._072=# - max number of retries before blocking the token
-op.enroll.userKey._073=# - max value: 127
-op.enroll.userKey._074=#
-op.enroll.userKey._075=# There is a special case of tokenType userKeyTemporary.
-op.enroll.userKey._076=# Make sure the profile specified by the profileId to have
-op.enroll.userKey._077=# short validity period (eg, 7 days) for the certificate.
-op.enroll.userKey._078=#########################################
-op.enroll.allowUnknownToken=true
-#The three recovery schemes supported are:
-# GenerateNewKey - Generate a new cert for the encryption cert.
-# RecoverLast - Recover the most recent cert for the encryption cert.
-# GenerateNewKeyandRecoverLast - Generate new cert AND recover last for encryption cert.
-op.enroll.userKey.temporaryToken.tokenType=userKeyTemporary
-op.enroll.userKey.keyGen.recovery.destroyed.keyType.num=2
-op.enroll.userKey.keyGen.recovery.destroyed.keyType.value.0=signing
-op.enroll.userKey.keyGen.recovery.destroyed.keyType.value.1=encryption
-op.enroll.userKey.keyGen.signing.recovery.destroyed.scheme=GenerateNewKey
-op.enroll.userKey.keyGen.signing.recovery.destroyed.revokeCert=true
-op.enroll.userKey.keyGen.signing.recovery.destroyed.revokeCert.reason=0
-op.enroll.userKey.keyGen.encryption.recovery.destroyed.scheme=RecoverLast
-op.enroll.userKey.keyGen.encryption.recovery.destroyed.revokeCert=false
-op.enroll.userKey.keyGen.encryption.recovery.destroyed.revokeCert.reason=0
-op.enroll.userKey.keyGen.recovery.keyCompromise.keyType.num=2
-op.enroll.userKey.keyGen.recovery.keyCompromise.keyType.value.0=signing
-op.enroll.userKey.keyGen.recovery.keyCompromise.keyType.value.1=encryption
-op.enroll.userKey.keyGen.signing.recovery.keyCompromise.scheme=GenerateNewKey
-op.enroll.userKey.keyGen.signing.recovery.keyCompromise.revokeCert=true
-op.enroll.userKey.keyGen.signing.recovery.keyCompromise.revokeCert.reason=1
-op.enroll.userKey.keyGen.encryption.recovery.keyCompromise.scheme=GenerateNewKey
-op.enroll.userKey.keyGen.encryption.recovery.keyCompromise.revokeCert=true
-op.enroll.userKey.keyGen.encryption.recovery.keyCompromise.revokeCert.reason=1
-op.enroll.userKey.keyGen.recovery.onHold.keyType.num=2
-op.enroll.userKey.keyGen.recovery.onHold.keyType.value.0=signing
-op.enroll.userKey.keyGen.recovery.onHold.keyType.value.1=encryption
-op.enroll.userKey.keyGen.signing.recovery.onHold.scheme=GenerateNewKey
-op.enroll.userKey.keyGen.signing.recovery.onHold.revokeCert=true
-op.enroll.userKey.keyGen.signing.recovery.onHold.revokeCert.reason=6
-op.enroll.userKey.keyGen.encryption.recovery.onHold.scheme=GenerateNewKey
-op.enroll.userKey.keyGen.encryption.recovery.onHold.revokeCert=true
-op.enroll.userKey.keyGen.encryption.recovery.onHold.revokeCert.reason=6
-op.enroll.userKey.keyGen.tokenName=$auth.cn$
-op.enroll.userKey.keyGen.keyType.num=2
-op.enroll.userKey.keyGen.keyType.value.0=signing
-op.enroll.userKey.keyGen.keyType.value.1=encryption
-op.enroll.userKey.keyGen.signing.keySize=1024
-op.enroll.userKey.keyGen.signing.public.keyCapabilities.encrypt=false
-op.enroll.userKey.keyGen.signing.public.keyCapabilities.sign=false
-op.enroll.userKey.keyGen.signing.public.keyCapabilities.signRecover=false
-op.enroll.userKey.keyGen.signing.public.keyCapabilities.decrypt=false
-op.enroll.userKey.keyGen.signing.public.keyCapabilities.derive=false
-op.enroll.userKey.keyGen.signing.public.keyCapabilities.unwrap=false
-op.enroll.userKey.keyGen.signing.public.keyCapabilities.wrap=false
-op.enroll.userKey.keyGen.signing.public.keyCapabilities.verifyRecover=true
-op.enroll.userKey.keyGen.signing.public.keyCapabilities.verify=true
-op.enroll.userKey.keyGen.signing.public.keyCapabilities.sensitive=false
-op.enroll.userKey.keyGen.signing.public.keyCapabilities.private=false
-op.enroll.userKey.keyGen.signing.public.keyCapabilities.token=true
-op.enroll.userKey.keyGen.signing.private.keyCapabilities.encrypt=false
-op.enroll.userKey.keyGen.signing.private.keyCapabilities.sign=true
-op.enroll.userKey.keyGen.signing.private.keyCapabilities.signRecover=true
-op.enroll.userKey.keyGen.signing.private.keyCapabilities.decrypt=false
-op.enroll.userKey.keyGen.signing.private.keyCapabilities.derive=false
-op.enroll.userKey.keyGen.signing.private.keyCapabilities.unwrap=false
-op.enroll.userKey.keyGen.signing.private.keyCapabilities.wrap=false
-op.enroll.userKey.keyGen.signing.private.keyCapabilities.verifyRecover=false
-op.enroll.userKey.keyGen.signing.private.keyCapabilities.verify=false
-op.enroll.userKey.keyGen.signing.private.keyCapabilities.sensitive=true
-op.enroll.userKey.keyGen.signing.private.keyCapabilities.private=true
-op.enroll.userKey.keyGen.signing.private.keyCapabilities.token=true
-op.enroll.userKey.keyGen.signing.label=signing key for $userid$
-op.enroll.userKey.keyGen.signing.cuid_label=$cuid$
-op.enroll.userKey.keyGen.signing.overwrite=true
-op.enroll.userKey.keyGen.signing.certId=C1
-op.enroll.userKey.keyGen.signing.certAttrId=c1
-op.enroll.userKey.keyGen.signing.privateKeyAttrId=k2
-op.enroll.userKey.keyGen.signing.publicKeyAttrId=k3
-op.enroll.userKey.keyGen.signing.keyUsage=0
-op.enroll.userKey.keyGen.signing.keyUser=0
-op.enroll.userKey.keyGen.signing.privateKeyNumber=2
-op.enroll.userKey.keyGen.signing.publicKeyNumber=3
-op.enroll.userKey.keyGen.signing.ca.profileId=caTokenUserSigningKeyEnrollment
-op.enroll.userKey.keyGen.signing.ca.conn=ca1
-op.enroll.userKey._079=#op.enroll.userKey.keyGen.signing.publisherId=fileBasedPublisher
-op.enroll.userKey.keyGen.encryption.keySize=1024
-op.enroll.userKey.keyGen.encryption.public.keyCapabilities.encrypt=true
-op.enroll.userKey.keyGen.encryption.public.keyCapabilities.sign=false
-op.enroll.userKey.keyGen.encryption.public.keyCapabilities.signRecover=false
-op.enroll.userKey.keyGen.encryption.public.keyCapabilities.decrypt=false
-op.enroll.userKey.keyGen.encryption.public.keyCapabilities.derive=false
-op.enroll.userKey.keyGen.encryption.public.keyCapabilities.unwrap=false
-op.enroll.userKey.keyGen.encryption.public.keyCapabilities.wrap=true
-op.enroll.userKey.keyGen.encryption.public.keyCapabilities.verifyRecover=false
-op.enroll.userKey.keyGen.encryption.public.keyCapabilities.verify=false
-op.enroll.userKey.keyGen.encryption.public.keyCapabilities.sensitive=false
-op.enroll.userKey.keyGen.encryption.public.keyCapabilities.private=false
-op.enroll.userKey.keyGen.encryption.public.keyCapabilities.token=true
-op.enroll.userKey.keyGen.encryption.private.keyCapabilities.encrypt=false
-op.enroll.userKey.keyGen.encryption.private.keyCapabilities.sign=false
-op.enroll.userKey.keyGen.encryption.private.keyCapabilities.signRecover=false
-op.enroll.userKey.keyGen.encryption.private.keyCapabilities.decrypt=true
-op.enroll.userKey.keyGen.encryption.private.keyCapabilities.derive=false
-op.enroll.userKey.keyGen.encryption.private.keyCapabilities.unwrap=true
-op.enroll.userKey.keyGen.encryption.private.keyCapabilities.wrap=false
-op.enroll.userKey.keyGen.encryption.private.keyCapabilities.verifyRecover=false
-op.enroll.userKey.keyGen.encryption.private.keyCapabilities.verify=false
-op.enroll.userKey.keyGen.encryption.private.keyCapabilities.sensitive=true
-op.enroll.userKey.keyGen.encryption.private.keyCapabilities.private=true
-op.enroll.userKey.keyGen.encryption.private.keyCapabilities.token=true
-op.enroll.userKey.keyGen.encryption.label=encryption key for $userid$
-op.enroll.userKey.keyGen.encryption.cuid_label=$cuid$
-op.enroll.userKey.keyGen.encryption.overwrite=true
-op.enroll.userKey.keyGen.encryption.certId=C2
-op.enroll.userKey.keyGen.encryption.certAttrId=c2
-op.enroll.userKey.keyGen.encryption.privateKeyAttrId=k4
-op.enroll.userKey.keyGen.encryption.publicKeyAttrId=k5
-op.enroll.userKey.keyGen.encryption.keyUsage=0
-op.enroll.userKey.keyGen.encryption.keyUser=0
-op.enroll.userKey.keyGen.encryption.privateKeyNumber=4
-op.enroll.userKey.keyGen.encryption.publicKeyNumber=5
-op.enroll.userKey.keyGen.encryption.ca.profileId=caTokenUserEncryptionKeyEnrollment
-op.enroll.userKey.keyGen.encryption.ca.conn=ca1
-op.enroll.userKey.pkcs11obj.enable=true
-op.enroll.userKey.pkcs11obj.compress.enable=true
-op.enroll.userKey.update.applet.emptyToken.enable=true
-op.enroll.userKey.update.applet.enable=true
-op.enroll.userKey.update.applet.requiredVersion=1.4.499dc06c
-op.enroll.userKey.update.applet.directory=[TPS_DIR]/applets
-op.enroll.userKey.update.applet.encryption=true
-op.enroll.userKey.update.symmetricKeys.enable=false
-op.enroll.userKey.update.symmetricKeys.requiredVersion=1
-op.enroll.userKey.loginRequest.enable=true
-op.enroll.userKey.pinReset.enable=true
-op.enroll.userKey.pinReset.pin.maxRetries=127
-op.enroll.userKey.pinReset.pin.minLen=4
-op.enroll.userKey.pinReset.pin.maxLen=10
-op.enroll.userKey.cardmgr_instance=A0000000030000
-op.enroll.userKey.tks.conn=tks1
-op.enroll.userKey.auth.id=ldap1
-op.enroll.userKey.auth.enable=true
-op.enroll.userKey.issuerinfo.enable=true
-op.enroll.userKey.issuerinfo.value=http://[SERVER_NAME]:[PORT]/cgi-bin/home/index.cgi
-op.enroll.userKeyTemporary.keyGen.recovery.onHold.keyType.num=2
-op.enroll.userKeyTemporary.keyGen.recovery.onHold.keyType.value.0=signing
-op.enroll.userKeyTemporary.keyGen.recovery.onHold.keyType.value.1=encryption
-op.enroll.userKeyTemporary.keyGen.signing.recovery.onHold.scheme=GenerateNewKey
-op.enroll.userKeyTemporary.keyGen.signing.recovery.onHold.revokeCert=true
-op.enroll.userKeyTemporary.keyGen.signing.recovery.onHold.revokeCert.reason=0
-op.enroll.userKeyTemporary.keyGen.encryption.recovery.onHold.scheme=RecoverLast
-op.enroll.userKeyTemporary.keyGen.encryption.recovery.onHold.revokeCert=true
-op.enroll.userKeyTemporary.keyGen.encryption.recovery.onHold.revokeCert.reason=0
-op.enroll.userKey.keyGen.encryption.serverKeygen.enable=[SERVER_KEYGEN]
-op.enroll.userKey.keyGen.encryption.serverKeygen.drm.conn=drm1
-op.enroll.userKey.keyGen.encryption.serverKeygen.archive=true
-op.enroll.userKeyTemporary.keyGen.encryption.serverKeygen.enable=true
-op.enroll.userKeyTemporary.keyGen.encryption.serverKeygen.drm.conn=drm1
-op.enroll.userKeyTemporary.keyGen.encryption.serverKeygen.archive=true
-op.enroll.userKeyTemporary.keyGen.tokenName=$auth.cn$ (Temporary)
-op.enroll.userKeyTemporary.keyGen.keyType.num=3
-op.enroll.userKeyTemporary.keyGen.keyType.value.0=auth
-op.enroll.userKeyTemporary.keyGen.keyType.value.1=signing
-op.enroll.userKeyTemporary.keyGen.keyType.value.2=encryption
-op.enroll.userKeyTemporary.keyGen.auth.keySize=1024
-op.enroll.userKeyTemporary.keyGen.auth.public.keyCapabilities.encrypt=false
-op.enroll.userKeyTemporary.keyGen.auth.public.keyCapabilities.sign=true
-op.enroll.userKeyTemporary.keyGen.auth.public.keyCapabilities.signRecover=true
-op.enroll.userKeyTemporary.keyGen.auth.public.keyCapabilities.decrypt=false
-op.enroll.userKeyTemporary.keyGen.auth.public.keyCapabilities.derive=false
-op.enroll.userKeyTemporary.keyGen.auth.public.keyCapabilities.unwrap=false
-op.enroll.userKeyTemporary.keyGen.auth.public.keyCapabilities.wrap=false
-op.enroll.userKeyTemporary.keyGen.auth.public.keyCapabilities.verifyRecover=true
-op.enroll.userKeyTemporary.keyGen.auth.public.keyCapabilities.verify=true
-op.enroll.userKeyTemporary.keyGen.auth.public.keyCapabilities.sensitive=true
-op.enroll.userKeyTemporary.keyGen.auth.public.keyCapabilities.private=false
-op.enroll.userKeyTemporary.keyGen.auth.public.keyCapabilities.token=true
-op.enroll.userKeyTemporary.keyGen.auth.private.keyCapabilities.encrypt=false
-op.enroll.userKeyTemporary.keyGen.auth.private.keyCapabilities.sign=true
-op.enroll.userKeyTemporary.keyGen.auth.private.keyCapabilities.signRecover=true
-op.enroll.userKeyTemporary.keyGen.auth.private.keyCapabilities.decrypt=false
-op.enroll.userKeyTemporary.keyGen.auth.private.keyCapabilities.derive=false
-op.enroll.userKeyTemporary.keyGen.auth.private.keyCapabilities.unwrap=false
-op.enroll.userKeyTemporary.keyGen.auth.private.keyCapabilities.wrap=false
-op.enroll.userKeyTemporary.keyGen.auth.private.keyCapabilities.verifyRecover=true
-op.enroll.userKeyTemporary.keyGen.auth.private.keyCapabilities.verify=true
-op.enroll.userKeyTemporary.keyGen.auth.private.keyCapabilities.sensitive=true
-op.enroll.userKeyTemporary.keyGen.auth.private.keyCapabilities.private=false
-op.enroll.userKeyTemporary.keyGen.auth.private.keyCapabilities.token=true
-op.enroll.userKeyTemporary.keyGen.auth.label=Temporary Key for $userid$
-op.enroll.userKeyTemporary.keyGen.auth.cuid_label=$cuid$
-op.enroll.userKeyTemporary.keyGen.auth.overwrite=false
-op.enroll.userKeyTemporary.keyGen.auth.certId=C0
-op.enroll.userKeyTemporary.keyGen.auth.certAttrId=c0
-op.enroll.userKeyTemporary.keyGen.auth.privateKeyAttrId=k0
-op.enroll.userKeyTemporary.keyGen.auth.publicKeyAttrId=k1
-op.enroll.userKeyTemporary.keyGen.auth.keyUsage=0
-op.enroll.userKeyTemporary.keyGen.auth.keyUser=15
-op.enroll.userKeyTemporary.keyGen.auth.privateKeyNumber=0
-op.enroll.userKeyTemporary.keyGen.auth.publicKeyNumber=1
-op.enroll.userKeyTemporary.keyGen.auth.ca.profileId=caTempTokenDeviceKeyEnrollment
-op.enroll.userKeyTemporary.keyGen.auth.ca.conn=ca1
-op.enroll.userKeyTemporary.keyGen.signing.keySize=1024
-op.enroll.userKeyTemporary.keyGen.signing.public.keyCapabilities.encrypt=false
-op.enroll.userKeyTemporary.keyGen.signing.public.keyCapabilities.sign=false
-op.enroll.userKeyTemporary.keyGen.signing.public.keyCapabilities.signRecover=false
-op.enroll.userKeyTemporary.keyGen.signing.public.keyCapabilities.decrypt=false
-op.enroll.userKeyTemporary.keyGen.signing.public.keyCapabilities.derive=false
-op.enroll.userKeyTemporary.keyGen.signing.public.keyCapabilities.unwrap=false
-op.enroll.userKeyTemporary.keyGen.signing.public.keyCapabilities.wrap=false
-op.enroll.userKeyTemporary.keyGen.signing.public.keyCapabilities.verifyRecover=true
-op.enroll.userKeyTemporary.keyGen.signing.public.keyCapabilities.verify=true
-op.enroll.userKeyTemporary.keyGen.signing.public.keyCapabilities.sensitive=false
-op.enroll.userKeyTemporary.keyGen.signing.public.keyCapabilities.private=false
-op.enroll.userKeyTemporary.keyGen.signing.public.keyCapabilities.token=true
-op.enroll.userKeyTemporary.keyGen.signing.private.keyCapabilities.encrypt=false
-op.enroll.userKeyTemporary.keyGen.signing.private.keyCapabilities.sign=true
-op.enroll.userKeyTemporary.keyGen.signing.private.keyCapabilities.signRecover=true
-op.enroll.userKeyTemporary.keyGen.signing.private.keyCapabilities.decrypt=false
-op.enroll.userKeyTemporary.keyGen.signing.private.keyCapabilities.derive=false
-op.enroll.userKeyTemporary.keyGen.signing.private.keyCapabilities.unwrap=false
-op.enroll.userKeyTemporary.keyGen.signing.private.keyCapabilities.wrap=false
-op.enroll.userKeyTemporary.keyGen.signing.private.keyCapabilities.verifyRecover=false
-op.enroll.userKeyTemporary.keyGen.signing.private.keyCapabilities.verify=false
-op.enroll.userKeyTemporary.keyGen.signing.private.keyCapabilities.sensitive=true
-op.enroll.userKeyTemporary.keyGen.signing.private.keyCapabilities.private=true
-op.enroll.userKeyTemporary.keyGen.signing.private.keyCapabilities.token=true
-op.enroll.userKeyTemporary.keyGen.signing.label=signing key for $userid$
-op.enroll.userKeyTemporary.keyGen.signing.cuid_label=$cuid$
-op.enroll.userKeyTemporary.keyGen.signing.overwrite=true
-op.enroll.userKeyTemporary.keyGen.signing.certId=C1
-op.enroll.userKeyTemporary.keyGen.signing.certAttrId=c1
-op.enroll.userKeyTemporary.keyGen.signing.privateKeyAttrId=k2
-op.enroll.userKeyTemporary.keyGen.signing.publicKeyAttrId=k3
-op.enroll.userKeyTemporary.keyGen.signing.keyUsage=0
-op.enroll.userKeyTemporary.keyGen.signing.keyUser=0
-op.enroll.userKeyTemporary.keyGen.signing.privateKeyNumber=2
-op.enroll.userKeyTemporary.keyGen.signing.publicKeyNumber=3
-op.enroll.userKeyTemporary.keyGen.signing.ca.profileId=caTempTokenUserSigningKeyEnrollment
-op.enroll.userKeyTemporary.keyGen.signing.ca.conn=ca1
-op.enroll.userKey._080=#op.enroll.userKeyTemporary.keyGen.signing.publisherId=fileBasedPublisher
-op.enroll.userKeyTemporary.keyGen.encryption.keySize=1024
-op.enroll.userKeyTemporary.keyGen.encryption.public.keyCapabilities.encrypt=true
-op.enroll.userKeyTemporary.keyGen.encryption.public.keyCapabilities.sign=false
-op.enroll.userKeyTemporary.keyGen.encryption.public.keyCapabilities.signRecover=false
-op.enroll.userKeyTemporary.keyGen.encryption.public.keyCapabilities.decrypt=false
-op.enroll.userKeyTemporary.keyGen.encryption.public.keyCapabilities.derive=false
-op.enroll.userKeyTemporary.keyGen.encryption.public.keyCapabilities.unwrap=false
-op.enroll.userKeyTemporary.keyGen.encryption.public.keyCapabilities.wrap=true
-op.enroll.userKeyTemporary.keyGen.encryption.public.keyCapabilities.verifyRecover=false
-op.enroll.userKeyTemporary.keyGen.encryption.public.keyCapabilities.verify=false
-op.enroll.userKeyTemporary.keyGen.encryption.public.keyCapabilities.sensitive=false
-op.enroll.userKeyTemporary.keyGen.encryption.public.keyCapabilities.private=false
-op.enroll.userKeyTemporary.keyGen.encryption.public.keyCapabilities.token=true
-op.enroll.userKeyTemporary.keyGen.encryption.private.keyCapabilities.encrypt=false
-op.enroll.userKeyTemporary.keyGen.encryption.private.keyCapabilities.sign=false
-op.enroll.userKeyTemporary.keyGen.encryption.private.keyCapabilities.signRecover=false
-op.enroll.userKeyTemporary.keyGen.encryption.private.keyCapabilities.decrypt=true
-op.enroll.userKeyTemporary.keyGen.encryption.private.keyCapabilities.derive=false
-op.enroll.userKeyTemporary.keyGen.encryption.private.keyCapabilities.unwrap=true
-op.enroll.userKeyTemporary.keyGen.encryption.private.keyCapabilities.wrap=false
-op.enroll.userKeyTemporary.keyGen.encryption.private.keyCapabilities.verifyRecover=false
-op.enroll.userKeyTemporary.keyGen.encryption.private.keyCapabilities.verify=false
-op.enroll.userKeyTemporary.keyGen.encryption.private.keyCapabilities.sensitive=true
-op.enroll.userKeyTemporary.keyGen.encryption.private.keyCapabilities.private=true
-op.enroll.userKeyTemporary.keyGen.encryption.private.keyCapabilities.token=true
-op.enroll.userKeyTemporary.keyGen.encryption.label=encryption key for $userid$
-op.enroll.userKeyTemporary.keyGen.encryption.cuid_label=$cuid$
-op.enroll.userKeyTemporary.keyGen.encryption.overwrite=true
-op.enroll.userKeyTemporary.keyGen.encryption.certId=C2
-op.enroll.userKeyTemporary.keyGen.encryption.certAttrId=c2
-op.enroll.userKeyTemporary.keyGen.encryption.privateKeyAttrId=k4
-op.enroll.userKeyTemporary.keyGen.encryption.publicKeyAttrId=k5
-op.enroll.userKeyTemporary.keyGen.encryption.keyUsage=0
-op.enroll.userKeyTemporary.keyGen.encryption.keyUser=0
-op.enroll.userKeyTemporary.keyGen.encryption.privateKeyNumber=4
-op.enroll.userKeyTemporary.keyGen.encryption.publicKeyNumber=5
-op.enroll.userKeyTemporary.keyGen.encryption.ca.profileId=caTempTokenUserEncryptionKeyEnrollment
-op.enroll.userKeyTemporary.keyGen.encryption.ca.conn=ca1
-op.enroll.userKeyTemporary.pkcs11obj.enable=true
-op.enroll.userKeyTemporary.pkcs11obj.compress.enable=true
-op.enroll.userKeyTemporary.update.applet.emptyToken.enable=true
-op.enroll.userKeyTemporary.update.applet.enable=true
-op.enroll.userKeyTemporary.update.applet.requiredVersion=1.4.499dc06c
-op.enroll.userKeyTemporary.update.applet.directory=[TPS_DIR]/applets
-op.enroll.userKeyTemporary.update.applet.encryption=true
-op.enroll.userKeyTemporary.update.symmetricKeys.enable=false
-op.enroll.userKeyTemporary.update.symmetricKeys.requiredVersion=1
-op.enroll.userKeyTemporary.loginRequest.enable=true
-op.enroll.userKeyTemporary.pinReset.enable=true
-op.enroll.userKeyTemporary.pinReset.pin.maxRetries=127
-op.enroll.userKeyTemporary.pinReset.pin.minLen=4
-op.enroll.userKeyTemporary.pinReset.pin.maxLen=10
-op.enroll.userKeyTemporary.tks.conn=tks1
-op.enroll.userKeyTemporary.cardmgr_instance=A0000000030000
-op.enroll.userKeyTemporary.auth.id=ldap1
-op.enroll.userKeyTemporary.auth.enable=true
-# Token Renewal.
-# For each token in TPS UI set the following:
-# RENEW=YES
-# To trigger renewal operations.
-op.enroll.userKey.renewal.keyType.num=2
-op.enroll.userKey.renewal.keyType.value.0=signing
-op.enroll.userKey.renewal.keyType.value.1=encryption
-op.enroll.userKey.renewal.signing.enable=true
-#optional grace period enforcement
-#must coincide exactly with what the CA enforces
-op.enroll.userKey.renewal.signing.gracePeriod.enable=false
-op.enroll.userKey.renewal.signing.gracePeriod.before=30
-op.enroll.userKey.renewal.signing.gracePeriod.after=30
-op.enroll.userKey.renewal.signing.certId=C1
-#in case of renewal, encryption certId values for completeness only
-#server code calculates actual values used.
-op.enroll.userKey.renewal.encryption.certId=C2
-op.enroll.userKey.renewal.signing.certAttrId=c1
-op.enroll.userKey.renewal.encryption.certAttrId=c2
-op.enroll.userKey.renewal.encryption.enable=true
-#optional grace period enforcement
-#must coincide exactly with what the CA enforces
-op.enroll.userKey.renewal.encryption.gracePeriod.enable=false
-op.enroll.userKey.renewal.encryption.gracePeriod.before=30
-op.enroll.userKey.renewal.encryption.gracePeriod.after=30
-op.enroll.userKey.renewal.signing.ca.conn=ca1
-op.enroll.userKey.renewal.encryption.ca.conn=ca1
-op.enroll.userKey.renewal.signing.ca.profileId=caTokenUserSigningKeyRenewal
-op.enroll.userKey.renewal.encryption.ca.profileId=caTokenUserEncryptionKeyRenewal
-op.enroll.soKey.temporaryToken.tokenType=soKeyTemporary
-op.enroll.soKey.keyGen.recovery.destroyed.keyType.num=2
-op.enroll.soKey.keyGen.recovery.destroyed.keyType.value.0=signing
-op.enroll.soKey.keyGen.recovery.destroyed.keyType.value.1=encryption
-op.enroll.soKey.keyGen.signing.recovery.destroyed.scheme=GenerateNewKey
-op.enroll.soKey.keyGen.signing.recovery.destroyed.revokeCert=true
-op.enroll.soKey.keyGen.signing.recovery.destroyed.revokeCert.reason=0
-op.enroll.soKey.keyGen.encryption.recovery.destroyed.scheme=RecoverLast
-op.enroll.soKey.keyGen.encryption.recovery.destroyed.revokeCert=false
-op.enroll.soKey.keyGen.encryption.recovery.destroyed.revokeCert.reason=0
-op.enroll.soKey.keyGen.recovery.keyCompromise.keyType.num=2
-op.enroll.soKey.keyGen.recovery.keyCompromise.keyType.value.0=signing
-op.enroll.soKey.keyGen.recovery.keyCompromise.keyType.value.1=encryption
-op.enroll.soKey.keyGen.signing.recovery.keyCompromise.scheme=GenerateNewKey
-op.enroll.soKey.keyGen.signing.recovery.keyCompromise.revokeCert=true
-op.enroll.soKey.keyGen.signing.recovery.keyCompromise.revokeCert.reason=1
-op.enroll.soKey.keyGen.encryption.recovery.keyCompromise.scheme=GenerateNewKey
-op.enroll.soKey.keyGen.encryption.recovery.keyCompromise.revokeCert=true
-op.enroll.soKey.keyGen.encryption.recovery.keyCompromise.revokeCert.reason=1
-op.enroll.soKey.keyGen.recovery.onHold.keyType.num=2
-op.enroll.soKey.keyGen.recovery.onHold.keyType.value.0=signing
-op.enroll.soKey.keyGen.recovery.onHold.keyType.value.1=encryption
-op.enroll.soKey.keyGen.signing.recovery.onHold.scheme=GenerateNewKey
-op.enroll.soKey.keyGen.signing.recovery.onHold.revokeCert=true
-op.enroll.soKey.keyGen.signing.recovery.onHold.revokeCert.reason=6
-op.enroll.soKey.keyGen.encryption.recovery.onHold.scheme=GenerateNewKey
-op.enroll.soKey.keyGen.encryption.recovery.onHold.revokeCert=true
-op.enroll.soKey.keyGen.encryption.recovery.onHold.revokeCert.reason=6
-op.enroll.soKey.keyGen.tokenName=$auth.cn$
-op.enroll.soKey.keyGen.keyType.num=2
-op.enroll.soKey.keyGen.keyType.value.0=signing
-op.enroll.soKey.keyGen.keyType.value.1=encryption
-op.enroll.soKey.keyGen.signing.keySize=1024
-op.enroll.soKey.keyGen.signing.public.keyCapabilities.encrypt=false
-op.enroll.soKey.keyGen.signing.public.keyCapabilities.sign=false
-op.enroll.soKey.keyGen.signing.public.keyCapabilities.signRecover=false
-op.enroll.soKey.keyGen.signing.public.keyCapabilities.decrypt=false
-op.enroll.soKey.keyGen.signing.public.keyCapabilities.derive=false
-op.enroll.soKey.keyGen.signing.public.keyCapabilities.unwrap=false
-op.enroll.soKey.keyGen.signing.public.keyCapabilities.wrap=false
-op.enroll.soKey.keyGen.signing.public.keyCapabilities.verifyRecover=true
-op.enroll.soKey.keyGen.signing.public.keyCapabilities.verify=true
-op.enroll.soKey.keyGen.signing.public.keyCapabilities.sensitive=false
-op.enroll.soKey.keyGen.signing.public.keyCapabilities.private=false
-op.enroll.soKey.keyGen.signing.public.keyCapabilities.token=true
-op.enroll.soKey.keyGen.signing.private.keyCapabilities.encrypt=false
-op.enroll.soKey.keyGen.signing.private.keyCapabilities.sign=true
-op.enroll.soKey.keyGen.signing.private.keyCapabilities.signRecover=true
-op.enroll.soKey.keyGen.signing.private.keyCapabilities.decrypt=false
-op.enroll.soKey.keyGen.signing.private.keyCapabilities.derive=false
-op.enroll.soKey.keyGen.signing.private.keyCapabilities.unwrap=false
-op.enroll.soKey.keyGen.signing.private.keyCapabilities.wrap=false
-op.enroll.soKey.keyGen.signing.private.keyCapabilities.verifyRecover=false
-op.enroll.soKey.keyGen.signing.private.keyCapabilities.verify=false
-op.enroll.soKey.keyGen.signing.private.keyCapabilities.sensitive=true
-op.enroll.soKey.keyGen.signing.private.keyCapabilities.private=true
-op.enroll.soKey.keyGen.signing.private.keyCapabilities.token=true
-op.enroll.soKey.keyGen.signing.label=signing key for $userid$
-op.enroll.soKey.keyGen.signing.cuid_label=$cuid$
-op.enroll.soKey.keyGen.signing.overwrite=true
-op.enroll.soKey.keyGen.signing.certId=C1
-op.enroll.soKey.keyGen.signing.certAttrId=c1
-op.enroll.soKey.keyGen.signing.privateKeyAttrId=k2
-op.enroll.soKey.keyGen.signing.publicKeyAttrId=k3
-op.enroll.soKey.keyGen.signing.keyUsage=0
-op.enroll.soKey.keyGen.signing.keyUser=0
-op.enroll.soKey.keyGen.signing.privateKeyNumber=2
-op.enroll.soKey.keyGen.signing.publicKeyNumber=3
-op.enroll.soKey.keyGen.signing.ca.profileId=caTokenUserSigningKeyEnrollment
-op.enroll.soKey.keyGen.signing.ca.conn=ca1
-op.enroll.soKey._079=#op.enroll.userKey.keyGen.signing.publisherId=fileBasedPublisher
-op.enroll.soKey.keyGen.encryption.keySize=1024
-op.enroll.soKey.keyGen.encryption.public.keyCapabilities.encrypt=true
-op.enroll.soKey.keyGen.encryption.public.keyCapabilities.sign=false
-op.enroll.soKey.keyGen.encryption.public.keyCapabilities.signRecover=false
-op.enroll.soKey.keyGen.encryption.public.keyCapabilities.decrypt=false
-op.enroll.soKey.keyGen.encryption.public.keyCapabilities.derive=false
-op.enroll.soKey.keyGen.encryption.public.keyCapabilities.unwrap=false
-op.enroll.soKey.keyGen.encryption.public.keyCapabilities.wrap=true
-op.enroll.soKey.keyGen.encryption.public.keyCapabilities.verifyRecover=false
-op.enroll.soKey.keyGen.encryption.public.keyCapabilities.verify=false
-op.enroll.soKey.keyGen.encryption.public.keyCapabilities.sensitive=false
-op.enroll.soKey.keyGen.encryption.public.keyCapabilities.private=false
-op.enroll.soKey.keyGen.encryption.public.keyCapabilities.token=true
-op.enroll.soKey.keyGen.encryption.private.keyCapabilities.encrypt=false
-op.enroll.soKey.keyGen.encryption.private.keyCapabilities.sign=false
-op.enroll.soKey.keyGen.encryption.private.keyCapabilities.signRecover=false
-op.enroll.soKey.keyGen.encryption.private.keyCapabilities.decrypt=true
-op.enroll.soKey.keyGen.encryption.private.keyCapabilities.derive=false
-op.enroll.soKey.keyGen.encryption.private.keyCapabilities.unwrap=true
-op.enroll.soKey.keyGen.encryption.private.keyCapabilities.wrap=false
-op.enroll.soKey.keyGen.encryption.private.keyCapabilities.verifyRecover=false
-op.enroll.soKey.keyGen.encryption.private.keyCapabilities.verify=false
-op.enroll.soKey.keyGen.encryption.private.keyCapabilities.sensitive=true
-op.enroll.soKey.keyGen.encryption.private.keyCapabilities.private=true
-op.enroll.soKey.keyGen.encryption.private.keyCapabilities.token=true
-op.enroll.soKey.keyGen.encryption.label=encryption key for $userid$
-op.enroll.soKey.keyGen.encryption.cuid_label=$cuid$
-op.enroll.soKey.keyGen.encryption.overwrite=true
-op.enroll.soKey.keyGen.encryption.certId=C2
-op.enroll.soKey.keyGen.encryption.certAttrId=c2
-op.enroll.soKey.keyGen.encryption.privateKeyAttrId=k4
-op.enroll.soKey.keyGen.encryption.publicKeyAttrId=k5
-op.enroll.soKey.keyGen.encryption.keyUsage=0
-op.enroll.soKey.keyGen.encryption.keyUser=0
-op.enroll.soKey.keyGen.encryption.privateKeyNumber=4
-op.enroll.soKey.keyGen.encryption.publicKeyNumber=5
-op.enroll.soKey.keyGen.encryption.ca.profileId=caTokenUserEncryptionKeyEnrollment
-op.enroll.soKey.keyGen.encryption.ca.conn=ca1
-op.enroll.soKey.pkcs11obj.enable=true
-op.enroll.soKey.pkcs11obj.compress.enable=true
-op.enroll.soKey.update.applet.emptyToken.enable=true
-op.enroll.soKey.update.applet.enable=true
-op.enroll.soKey.update.applet.requiredVersion=1.4.499dc06c
-op.enroll.soKey.update.applet.directory=[TPS_DIR]/applets
-op.enroll.soKey.update.applet.encryption=true
-op.enroll.soKey.update.symmetricKeys.enable=false
-op.enroll.soKey.update.symmetricKeys.requiredVersion=1
-op.enroll.soKey.loginRequest.enable=true
-op.enroll.soKey.pinReset.enable=true
-op.enroll.soKey.pinReset.pin.maxRetries=127
-op.enroll.soKey.pinReset.pin.minLen=4
-op.enroll.soKey.pinReset.pin.maxLen=10
-op.enroll.soKey.cardmgr_instance=A0000000030000
-op.enroll.soKey.tks.conn=tks1
-op.enroll.soKey.auth.id=ldap2
-op.enroll.soKey.auth.enable=true
-op.enroll.soKey.issuerinfo.enable=true
-op.enroll.soKey.issuerinfo.value=http://[SERVER_NAME]:[PORT]/cgi-bin/so/index.cgi
-op.enroll.soKeyTemporary.keyGen.recovery.onHold.keyType.num=2
-op.enroll.soKeyTemporary.keyGen.recovery.onHold.keyType.value.0=signing
-op.enroll.soKeyTemporary.keyGen.recovery.onHold.keyType.value.1=encryption
-op.enroll.soKeyTemporary.keyGen.signing.recovery.onHold.scheme=GenerateNewKey
-op.enroll.soKeyTemporary.keyGen.signing.recovery.onHold.revokeCert=true
-op.enroll.soKeyTemporary.keyGen.signing.recovery.onHold.revokeCert.reason=0
-op.enroll.soKeyTemporary.keyGen.encryption.recovery.onHold.scheme=RecoverLast
-op.enroll.soKeyTemporary.keyGen.encryption.recovery.onHold.revokeCert=true
-op.enroll.soKeyTemporary.keyGen.encryption.recovery.onHold.revokeCert.reason=0
-op.enroll.soKey.keyGen.encryption.serverKeygen.enable=[SERVER_KEYGEN]
-op.enroll.soKey.keyGen.encryption.serverKeygen.drm.conn=drm1
-op.enroll.soKey.keyGen.encryption.serverKeygen.archive=true
-op.enroll.soKeyTemporary.keyGen.encryption.serverKeygen.enable=true
-op.enroll.soKeyTemporary.keyGen.encryption.serverKeygen.drm.conn=drm1
-op.enroll.soKeyTemporary.keyGen.encryption.serverKeygen.archive=true
-op.enroll.soKeyTemporary.keyGen.tokenName=$auth.cn$ (Temporary)
-op.enroll.soKeyTemporary.keyGen.keyType.num=3
-op.enroll.soKeyTemporary.keyGen.keyType.value.0=auth
-op.enroll.soKeyTemporary.keyGen.keyType.value.1=signing
-op.enroll.soKeyTemporary.keyGen.keyType.value.2=encryption
-op.enroll.soKeyTemporary.keyGen.auth.keySize=1024
-op.enroll.soKeyTemporary.keyGen.auth.public.keyCapabilities.encrypt=false
-op.enroll.soKeyTemporary.keyGen.auth.public.keyCapabilities.sign=true
-op.enroll.soKeyTemporary.keyGen.auth.public.keyCapabilities.signRecover=true
-op.enroll.soKeyTemporary.keyGen.auth.public.keyCapabilities.decrypt=false
-op.enroll.soKeyTemporary.keyGen.auth.public.keyCapabilities.derive=false
-op.enroll.soKeyTemporary.keyGen.auth.public.keyCapabilities.unwrap=false
-op.enroll.soKeyTemporary.keyGen.auth.public.keyCapabilities.wrap=false
-op.enroll.soKeyTemporary.keyGen.auth.public.keyCapabilities.verifyRecover=true
-op.enroll.soKeyTemporary.keyGen.auth.public.keyCapabilities.verify=true
-op.enroll.soKeyTemporary.keyGen.auth.public.keyCapabilities.sensitive=true
-op.enroll.soKeyTemporary.keyGen.auth.public.keyCapabilities.private=false
-op.enroll.soKeyTemporary.keyGen.auth.public.keyCapabilities.token=true
-op.enroll.soKeyTemporary.keyGen.auth.private.keyCapabilities.encrypt=false
-op.enroll.soKeyTemporary.keyGen.auth.private.keyCapabilities.sign=true
-op.enroll.soKeyTemporary.keyGen.auth.private.keyCapabilities.signRecover=true
-op.enroll.soKeyTemporary.keyGen.auth.private.keyCapabilities.decrypt=false
-op.enroll.soKeyTemporary.keyGen.auth.private.keyCapabilities.derive=false
-op.enroll.soKeyTemporary.keyGen.auth.private.keyCapabilities.unwrap=false
-op.enroll.soKeyTemporary.keyGen.auth.private.keyCapabilities.wrap=false
-op.enroll.soKeyTemporary.keyGen.auth.private.keyCapabilities.verifyRecover=true
-op.enroll.soKeyTemporary.keyGen.auth.private.keyCapabilities.verify=true
-op.enroll.soKeyTemporary.keyGen.auth.private.keyCapabilities.sensitive=true
-op.enroll.soKeyTemporary.keyGen.auth.private.keyCapabilities.private=false
-op.enroll.soKeyTemporary.keyGen.auth.private.keyCapabilities.token=true
-op.enroll.soKeyTemporary.keyGen.auth.label=Temporary Key for $userid$
-op.enroll.soKeyTemporary.keyGen.auth.cuid_label=$cuid$
-op.enroll.soKeyTemporary.keyGen.auth.overwrite=false
-op.enroll.soKeyTemporary.keyGen.auth.certId=C0
-op.enroll.soKeyTemporary.keyGen.auth.certAttrId=c0
-op.enroll.soKeyTemporary.keyGen.auth.privateKeyAttrId=k0
-op.enroll.soKeyTemporary.keyGen.auth.publicKeyAttrId=k1
-op.enroll.soKeyTemporary.keyGen.auth.keyUsage=0
-op.enroll.soKeyTemporary.keyGen.auth.keyUser=15
-op.enroll.soKeyTemporary.keyGen.auth.privateKeyNumber=0
-op.enroll.soKeyTemporary.keyGen.auth.publicKeyNumber=1
-op.enroll.soKeyTemporary.keyGen.auth.ca.profileId=caTempTokenDeviceKeyEnrollment
-op.enroll.soKeyTemporary.keyGen.auth.ca.conn=ca1
-op.enroll.soKeyTemporary.keyGen.signing.keySize=1024
-op.enroll.soKeyTemporary.keyGen.signing.public.keyCapabilities.encrypt=false
-op.enroll.soKeyTemporary.keyGen.signing.public.keyCapabilities.sign=false
-op.enroll.soKeyTemporary.keyGen.signing.public.keyCapabilities.signRecover=false
-op.enroll.soKeyTemporary.keyGen.signing.public.keyCapabilities.decrypt=false
-op.enroll.soKeyTemporary.keyGen.signing.public.keyCapabilities.derive=false
-op.enroll.soKeyTemporary.keyGen.signing.public.keyCapabilities.unwrap=false
-op.enroll.soKeyTemporary.keyGen.signing.public.keyCapabilities.wrap=false
-op.enroll.soKeyTemporary.keyGen.signing.public.keyCapabilities.verifyRecover=true
-op.enroll.soKeyTemporary.keyGen.signing.public.keyCapabilities.verify=true
-op.enroll.soKeyTemporary.keyGen.signing.public.keyCapabilities.sensitive=false
-op.enroll.soKeyTemporary.keyGen.signing.public.keyCapabilities.private=false
-op.enroll.soKeyTemporary.keyGen.signing.public.keyCapabilities.token=true
-op.enroll.soKeyTemporary.keyGen.signing.private.keyCapabilities.encrypt=false
-op.enroll.soKeyTemporary.keyGen.signing.private.keyCapabilities.sign=true
-op.enroll.soKeyTemporary.keyGen.signing.private.keyCapabilities.signRecover=true
-op.enroll.soKeyTemporary.keyGen.signing.private.keyCapabilities.decrypt=false
-op.enroll.soKeyTemporary.keyGen.signing.private.keyCapabilities.derive=false
-op.enroll.soKeyTemporary.keyGen.signing.private.keyCapabilities.unwrap=false
-op.enroll.soKeyTemporary.keyGen.signing.private.keyCapabilities.wrap=false
-op.enroll.soKeyTemporary.keyGen.signing.private.keyCapabilities.verifyRecover=false
-op.enroll.soKeyTemporary.keyGen.signing.private.keyCapabilities.verify=false
-op.enroll.soKeyTemporary.keyGen.signing.private.keyCapabilities.sensitive=true
-op.enroll.soKeyTemporary.keyGen.signing.private.keyCapabilities.private=true
-op.enroll.soKeyTemporary.keyGen.signing.private.keyCapabilities.token=true
-op.enroll.soKeyTemporary.keyGen.signing.label=signing key for $userid$
-op.enroll.soKeyTemporary.keyGen.signing.cuid_label=$cuid$
-op.enroll.soKeyTemporary.keyGen.signing.overwrite=true
-op.enroll.soKeyTemporary.keyGen.signing.certId=C1
-op.enroll.soKeyTemporary.keyGen.signing.certAttrId=c1
-op.enroll.soKeyTemporary.keyGen.signing.privateKeyAttrId=k2
-op.enroll.soKeyTemporary.keyGen.signing.publicKeyAttrId=k3
-op.enroll.soKeyTemporary.keyGen.signing.keyUsage=0
-op.enroll.soKeyTemporary.keyGen.signing.keyUser=0
-op.enroll.soKeyTemporary.keyGen.signing.privateKeyNumber=2
-op.enroll.soKeyTemporary.keyGen.signing.publicKeyNumber=3
-op.enroll.soKeyTemporary.keyGen.signing.ca.profileId=caTempTokenUserSigningKeyEnrollment
-op.enroll.soKeyTemporary.keyGen.signing.ca.conn=ca1
-op.enroll.soKeyTemporary.keyGen.encryption.keySize=1024
-op.enroll.soKeyTemporary.keyGen.encryption.public.keyCapabilities.encrypt=true
-op.enroll.soKeyTemporary.keyGen.encryption.public.keyCapabilities.sign=false
-op.enroll.soKeyTemporary.keyGen.encryption.public.keyCapabilities.signRecover=false
-op.enroll.soKeyTemporary.keyGen.encryption.public.keyCapabilities.decrypt=false
-op.enroll.soKeyTemporary.keyGen.encryption.public.keyCapabilities.derive=false
-op.enroll.soKeyTemporary.keyGen.encryption.public.keyCapabilities.unwrap=false
-op.enroll.soKeyTemporary.keyGen.encryption.public.keyCapabilities.wrap=true
-op.enroll.soKeyTemporary.keyGen.encryption.public.keyCapabilities.verifyRecover=false
-op.enroll.soKeyTemporary.keyGen.encryption.public.keyCapabilities.verify=false
-op.enroll.soKeyTemporary.keyGen.encryption.public.keyCapabilities.sensitive=false
-op.enroll.soKeyTemporary.keyGen.encryption.public.keyCapabilities.private=false
-op.enroll.soKeyTemporary.keyGen.encryption.public.keyCapabilities.token=true
-op.enroll.soKeyTemporary.keyGen.encryption.private.keyCapabilities.encrypt=false
-op.enroll.soKeyTemporary.keyGen.encryption.private.keyCapabilities.sign=false
-op.enroll.soKeyTemporary.keyGen.encryption.private.keyCapabilities.signRecover=false
-op.enroll.soKeyTemporary.keyGen.encryption.private.keyCapabilities.decrypt=true
-op.enroll.soKeyTemporary.keyGen.encryption.private.keyCapabilities.derive=false
-op.enroll.soKeyTemporary.keyGen.encryption.private.keyCapabilities.unwrap=true
-op.enroll.soKeyTemporary.keyGen.encryption.private.keyCapabilities.wrap=false
-op.enroll.soKeyTemporary.keyGen.encryption.private.keyCapabilities.verifyRecover=false
-op.enroll.soKeyTemporary.keyGen.encryption.private.keyCapabilities.verify=false
-op.enroll.soKeyTemporary.keyGen.encryption.private.keyCapabilities.sensitive=true
-op.enroll.soKeyTemporary.keyGen.encryption.private.keyCapabilities.private=true
-op.enroll.soKeyTemporary.keyGen.encryption.private.keyCapabilities.token=true
-op.enroll.soKeyTemporary.keyGen.encryption.label=encryption key for $userid$
-op.enroll.soKeyTemporary.keyGen.encryption.cuid_label=$cuid$
-op.enroll.soKeyTemporary.keyGen.encryption.overwrite=true
-op.enroll.soKeyTemporary.keyGen.encryption.certId=C2
-op.enroll.soKeyTemporary.keyGen.encryption.certAttrId=c2
-op.enroll.soKeyTemporary.keyGen.encryption.privateKeyAttrId=k4
-op.enroll.soKeyTemporary.keyGen.encryption.publicKeyAttrId=k5
-op.enroll.soKeyTemporary.keyGen.encryption.keyUsage=0
-op.enroll.soKeyTemporary.keyGen.encryption.keyUser=0
-op.enroll.soKeyTemporary.keyGen.encryption.privateKeyNumber=4
-op.enroll.soKeyTemporary.keyGen.encryption.publicKeyNumber=5
-op.enroll.soKeyTemporary.keyGen.encryption.ca.profileId=caTempTokenUserEncryptionKeyEnrollment
-op.enroll.soKeyTemporary.keyGen.encryption.ca.conn=ca1
-op.enroll.soKeyTemporary.pkcs11obj.enable=true
-op.enroll.soKeyTemporary.pkcs11obj.compress.enable=true
-op.enroll.soKeyTemporary.update.applet.emptyToken.enable=true
-op.enroll.soKeyTemporary.update.applet.enable=true
-op.enroll.soKeyTemporary.update.applet.requiredVersion=1.4.499dc06c
-op.enroll.soKeyTemporary.update.applet.directory=[TPS_DIR]/applets
-op.enroll.soKeyTemporary.update.applet.encryption=true
-op.enroll.soKeyTemporary.update.symmetricKeys.enable=false
-op.enroll.soKeyTemporary.update.symmetricKeys.requiredVersion=1
-op.enroll.soKeyTemporary.loginRequest.enable=true
-op.enroll.soKeyTemporary.pinReset.enable=true
-op.enroll.soKeyTemporary.pinReset.pin.maxRetries=127
-op.enroll.soKeyTemporary.pinReset.pin.minLen=4
-op.enroll.soKeyTemporary.pinReset.pin.maxLen=10
-op.enroll.soKeyTemporary.cardmgr_instance=A0000000030000
-op.enroll.soKeyTemporary.tks.conn=tks1
-op.enroll.soKeyTemporary.tks.keySet=defKeyset
-op.enroll.soKeyTemporary.auth.id=ldap2
-op.enroll.soKeyTemporary.auth.enable=true
-op.pinReset._000=#########################################
-op.pinReset._001=# Certificate Chain Imports
-op.pinReset._002=#
-op.pinReset._003=# op.enroll.certificates.num=1
-op.pinReset._004=# op.enroll.certificates.value.0=caCert
-op.pinReset._005=# op.enroll.certificates.caCert.nickName=caCert0 pki-tps
-op.pinReset._006=# op.enroll.certificates.caCert.certId=C5
-op.pinReset._007=# op.enroll.certificates.caCert.certAttrId=c5
-op.pinReset._008=# op.enroll.certificates.caCert.label=caCert Label
-op.pinReset._009=#########################################
-op.pinReset._010=#########################################
-op.pinReset._011=# Pin Reset Operation For CoolKey
-op.pinReset._012=#
-op.pinReset._013=# op.pinReset.userKey.update.applet.emptyToken.enable=false
-op.pinReset._014=# - update applet or not if token is empty
-op.pinReset._015=#
-op.pinReset._016=# - N/A for HouseKey
-op.pinReset._017=# - N/A for HouseKey with Legacy Applet
-op.pinReset._018=#########################################
-op.pinReset.userKey.update.applet.emptyToken.enable=true
-op.pinReset.userKey.update.applet.enable=false
-op.pinReset.userKey.update.applet.requiredVersion=1.4.499dc06c
-op.pinReset.userKey.update.applet.directory=[TPS_DIR]/applets
-op.pinReset.userKey.update.applet.encryption=true
-op.pinReset.userKey.update.symmetricKeys.enable=false
-op.pinReset.userKey.update.symmetricKeys.requiredVersion=1
-op.pinReset.userKey.loginRequest.enable=true
-op.pinReset.userKey.pinReset.pin.minLen=4
-op.pinReset.userKey.pinReset.pin.maxLen=10
-op.pinReset.userKey.tks.conn=tks1
-op.pinReset.userKey.cardmgr_instance=A0000000030000
-op.pinReset.userKey.auth.id=ldap1
-op.pinReset.userKey.auth.enable=true
-op.format._000=#########################################
-op.format._001=# Format Operation For tokenKey
-op.format._002=#
-op.format._003=# op.format.tokenKey.update.applet.emptyToken.enable=false
-op.format._004=# - update applet or not if token is empty
-op.format._005=#
-op.format._006=# - applicable to CoolKey
-op.format._007=# - applicable to HouseKey
-op.format._008=# - applicable to HouseKey with Legacy Applet
-op.format._009=#########################################
-op.format.allowUnknownToken=true
-op.format.soCleanUserToken.update.applet.emptyToken.enable=true
-op.format.soCleanUserToken.update.applet.requiredVersion=1.4.499dc06c
-op.format.soCleanUserToken.update.applet.directory=[TPS_DIR]/applets
-op.format.soCleanUserToken.update.applet.encryption=true
-op.format.soCleanUserToken.update.symmetricKeys.enable=false
-op.format.soCleanUserToken.update.symmetricKeys.requiredVersion=1
-op.format.soCleanUserToken.revokeCert=true
-op.format.soCleanUserToken.ca.conn=ca1
-op.format.soCleanUserToken.loginRequest.enable=false
-op.format.soCleanUserToken.cardmgr_instance=A0000000030000
-op.format.soCleanUserToken.tks.conn=tks1
-op.format.soCleanUserToken.auth.id=ldap1
-op.format.soCleanUserToken.auth.enable=false
-op.format.soCleanUserToken.issuerinfo.enable=true
-op.format.soCleanUserToken.issuerinfo.value=
-op.format.soCleanSOToken.update.applet.emptyToken.enable=true
-op.format.soCleanSOToken.update.applet.requiredVersion=1.4.499dc06c
-op.format.soCleanSOToken.update.applet.directory=[TPS_DIR]/applets
-op.format.soCleanSOToken.update.applet.encryption=true
-op.format.soCleanSOToken.update.symmetricKeys.enable=false
-op.format.soCleanSOToken.update.symmetricKeys.requiredVersion=1
-op.format.soCleanSOToken.revokeCert=true
-op.format.soCleanSOToken.ca.conn=ca1
-op.format.soCleanSOToken.loginRequest.enable=false
-op.format.soCleanSOToken.cardmgr_instance=A0000000030000
-op.format.soCleanSOToken.tks.conn=tks1
-op.format.soCleanSOToken.auth.id=ldap1
-op.format.soCleanSOToken.auth.enable=false
-op.format.soCleanSOToken.issuerinfo.enable=true
-op.format.soCleanSOToken.issuerinfo.value=
-op.format.cleanToken.update.applet.emptyToken.enable=true
-op.format.cleanToken.update.applet.requiredVersion=1.4.499dc06c
-op.format.cleanToken.update.applet.directory=[TPS_DIR]/applets
-op.format.cleanToken.update.applet.encryption=true
-op.format.cleanToken.update.symmetricKeys.enable=false
-op.format.cleanToken.update.symmetricKeys.requiredVersion=1
-op.format.cleanToken.revokeCert=true
-op.format.cleanToken.ca.conn=ca1
-op.format.cleanToken.loginRequest.enable=true
-op.format.cleanToken.cardmgr_instance=A0000000030000
-op.format.cleanToken.tks.conn=tks1
-op.format.cleanToken.auth.id=ldap1
-op.format.cleanToken.auth.enable=false
-op.format.cleanToken.issuerinfo.enable=true
-op.format.cleanToken.issuerinfo.value=
-op.format.soUserKey.update.applet.emptyToken.enable=true
-op.format.soUserKey.update.applet.requiredVersion=1.4.499dc06c
-op.format.soUserKey.update.applet.directory=[TPS_DIR]/applets
-op.format.soUserKey.update.applet.encryption=true
-op.format.soUserKey.update.symmetricKeys.enable=false
-op.format.soUserKey.update.symmetricKeys.requiredVersion=1
-op.format.soUserKey.revokeCert=true
-op.format.soUserKey.ca.conn=ca1
-op.format.soUserKey.loginRequest.enable=false
-op.format.soUserKey.cardmgr_instance=A0000000030000
-op.format.soUserKey.tks.conn=tks1
-op.format.soUserKey.auth.id=ldap1
-op.format.soUserKey.auth.enable=false
-op.format.soUserKey.issuerinfo.enable=true
-op.format.soUserKey.issuerinfo.value=http://[SERVER_NAME]:[PORT]/cgi-bin/home/index.cgi
-op.format.soKey.update.applet.emptyToken.enable=true
-op.format.soKey.update.applet.requiredVersion=1.4.499dc06c
-op.format.soKey.update.applet.directory=[TPS_DIR]/applets
-op.format.soKey.update.applet.encryption=true
-op.format.soKey.update.symmetricKeys.enable=false
-op.format.soKey.update.symmetricKeys.requiredVersion=1
-op.format.soKey.revokeCert=true
-op.format.soKey.ca.conn=ca1
-op.format.soKey.loginRequest.enable=true
-op.format.soKey.cardmgr_instance=A0000000030000
-op.format.soKey.tks.conn=tks1
-op.format.soKey.auth.id=ldap2
-op.format.soKey.auth.enable=true
-op.format.soKey.issuerinfo.enable=true
-op.format.soKey.issuerinfo.value=http://[SERVER_NAME]:[PORT]/cgi-bin/so/index.cgi
-op.format.userKey.update.applet.emptyToken.enable=true
-op.format.userKey.update.applet.requiredVersion=1.4.499dc06c
-op.format.userKey.update.applet.directory=[TPS_DIR]/applets
-op.format.userKey.update.applet.encryption=true
-op.format.userKey.update.symmetricKeys.enable=false
-op.format.userKey.update.symmetricKeys.requiredVersion=1
-op.format.userKey.revokeCert=true
-op.format.userKey.ca.conn=ca1
-op.format.userKey.loginRequest.enable=true
-op.format.userKey.cardmgr_instance=A0000000030000
-op.format.userKey.tks.conn=tks1
-op.format.userKey.auth.id=ldap1
-op.format.userKey.auth.enable=true
-op.format.userKey.issuerinfo.enable=true
-op.format.userKey.issuerinfo.value=http://[SERVER_NAME]:[PORT]/cgi-bin/home/index.cgi
-op.format.tokenKey.update.applet.emptyToken.enable=true
-op.format.tokenKey.update.applet.requiredVersion=1.4.499dc06c
-op.format.tokenKey.update.applet.directory=[TPS_DIR]/applets
-op.format.tokenKey.update.applet.encryption=true
-op.format.tokenKey.update.symmetricKeys.enable=false
-op.format.tokenKey.update.symmetricKeys.requiredVersion=1
-op.format.tokenKey.revokeCert=true
-op.format.tokenKey.ca.conn=ca1
-op.format.tokenKey.loginRequest.enable=true
-op.format.tokenKey.cardmgr_instance=A0000000030000
-op.format.tokenKey.tks.conn=tks1
-op.format.tokenKey.auth.id=ldap1
-op.format.tokenKey.auth.enable=true
-op.format.tokenKey.issuerinfo.enable=true
-op.format.tokenKey.issuerinfo.value=http://[SERVER_NAME]:[PORT]/cgi-bin/home/index.cgi
-tokendb._000=#########################################
-tokendb._001=# tokendb.auditLog:
-tokendb._002=# - audit log path
-tokendb._003=# tokendb.host:
-tokendb._004=# - tokendb host name
-tokendb._005=# tokendb.port:
-tokendb._006=# - tokendb port number
-tokendb._007=# tokendb.bindDN:
-tokendb._008=# - tokendb administration DN (i.e. cn=Directory Manager)
-tokendb._009=# tokendb.bindPassPath:
-tokendb._010=# - tokendb administration password file path
-tokendb._011=# tokendb.templateDir
-tokendb._012=# - directory where all the tokendb templates are located
-tokendb._013=# tokendb.userBaseDN:
-tokendb._014=# - directory base DN for users and groups
-tokendb._015=# tokendb.baseDN:
-tokendb._016=# - directory base DN for tokens
-tokendb._017=# tokendb.activityBaseDN:
-tokendb._018=# - directory base DN for activities
-tokendb._019=# tokendb.indexTemplate=index.template
-tokendb._020=# - index template
-tokendb._021=# tokendb.newTemplate=new.template
-tokendb._022=# - add template
-tokendb._023=# tokendb.showTemplate=show.template
-tokendb._024=# - show template
-tokendb._025=# tokendb.errorTemplate=error.template
-tokendb._026=# - error template
-tokendb._027=# tokendb.searchTemplate=search.template
-tokendb._028=# - search template
-tokendb._029=# tokendb.searchResultTemplate=searchResults.template
-tokendb._030=# - search result template
-tokendb._031=# tokendb.editTemplate=edit.template
-tokendb._032=# - edit template
-tokendb._033=# tokendb.editResultTemplate=editResults.template
-tokendb._034=# - edit result template
-tokendb._035=# tokendb.addResultTemplate=addResults.template
-tokendb._036=# - add result template
-tokendb._037=# tokendb.deleteResultTemplate=deleteResults.template
-tokendb._038=# - delete result template
-tokendb._039=# tokendb.searchActivityTemplate=searchActivity.template
-tokendb._040=# - search activity template
-tokendb._041=# tokendb.searchActivityResultTemplate=searchActivityResults.template
-tokendb._042=# - search activity result template
-tokendb._043=# tokendb.showAdminTemplate=showAdmin.template
-tokendb._044=# - show admin template
-tokendb._045=# tokendb.editAdminTemplate=editAdmin.template
-tokendb._046=# - edit admin template
-tokendb._047=# tokendb.editAdminResultTemplate=editAdminResults.template
-tokendb._048=# - edit admin result template
-tokendb._049=# tokendb.searchAdminTemplate=searchAdmin.template
-tokendb._050=# - search admin template
-tokendb._051=# tokendb.searchAdminResultTemplate=searchAdminResults.template
-tokendb._052=# - search admin result template
-tokendb._053=# tokendb.defaultPolicy:
-tokendb._054=# Supported Policy (Separated by ; [Semicolon]):
-tokendb._055=# For example, PIN_RESET=YES|NO;RE_ENROLL=YES|NO
-tokendb._056=# PIN_RESET=YES|NO
-tokendb._057=# - If not present, pin reset by user is allowed.
-tokendb._058=# - If present and agent change PIN_RESET from NO
-tokendb._059=# to YES, user is allowed to do pin reset. This
-tokendb._060=# policy will be changed back to NO after pin reset.
-tokendb._061=# RE_ENROLL=YES|NO
-tokendb._062=# - If not present, re-enrollment is allowed.
-tokendb._063=# - If present, re-enrollment is allowed when RE_ENROLL
-tokendb._064=# is set to YES. Otherwise, re-enrollment is not
-tokendb._065=# allowed.
-tokendb._066=# tokendb.allowedTransitions:
-tokendb._067=# - has transitions between the following states
-tokendb._068=# TOKEN_UNINITIALIZED = 0,
-tokendb._069=# TOKEN_DAMAGED =1,
-tokendb._070=# TOKEN_PERM_LOST=2,
-tokendb._071=# TOKEN_TEMP_LOST=3,
-tokendb._072=# TOKEN_FOUND =4,
-tokendb._073=# TOKEN_TEMP_LOST_PERM_LOST =5,
-tokendb._074=# TOKEN_TERMINATED = 6
-tokendb._075=#########################################
-tokendb.auditLog=[SERVER_ROOT]/logs/tokendb-audit.log
-tokendb.hostport=[TOKENDB_HOST]:[TOKENDB_PORT]
-tokendb.ssl=false
-tokendb.bindDN=cn=Directory Manager
-tokendb.bindPassPath=[SERVER_ROOT]/conf/password.conf
-tokendb.templateDir=[SERVER_ROOT]/docroot/tus
-tokendb.userBaseDN=[TOKENDB_ROOT]
-tokendb.baseDN=ou=Tokens,[TOKENDB_ROOT]
-tokendb.activityBaseDN=ou=Activities,[TOKENDB_ROOT]
-tokendb.certBaseDN=ou=Certificates,[TOKENDB_ROOT]
-tokendb.indexTemplate=index.template
-tokendb.indexAdminTemplate=indexAdmin.template
-tokendb.newTemplate=new.template
-tokendb.showTemplate=show.template
-tokendb.showCertTemplate=showCert.template
-tokendb.errorTemplate=error.template
-tokendb.searchTemplate=search.template
-tokendb.searchResultTemplate=searchResults.template
-tokendb.searchCertificateResultTemplate=searchCertificateResults.template
-tokendb.editTemplate=edit.template
-tokendb.editResultTemplate=editResults.template
-tokendb.addResultTemplate=addResults.template
-tokendb.deleteTemplate=delete.template
-tokendb.deleteResultTemplate=deleteResults.template
-tokendb.searchActivityTemplate=searchActivity.template
-tokendb.searchCertificateTemplate=searchCertificate.template
-tokendb.searchActivityResultTemplate=searchActivityResults.template
-tokendb.searchActivityAdminTemplate=searchActivityAdmin.template
-tokendb.searchActivityAdminResultTemplate=searchActivityAdminResults.template
-tokendb.showAdminTemplate=showAdmin.template
-tokendb.doTokenTemplate=doToken.template
-tokendb.doTokenConfirmTemplate=doTokenConfirm.template
-tokendb.revokeTemplate=revoke.template
-tokendb.searchAdminTemplate=searchAdmin.template
-tokendb.searchAdminResultTemplate=searchAdminResults.template
-tokendb.defaultPolicy=RE_ENROLL=YES
-tokendb.newUserTemplate=newUser.template
-tokendb.userDeleteTemplate=userDelete.template
-tokendb.searchUserResultTemplate=searchUserResults.template
-tokendb.searchUserTemplate=searchUser.template
-tokendb.editUserTemplate=editUser.template
-tokendb.indexOperatorTemplate=indexOperator.template
-tokendb.selfTestTemplate=selfTest.template
-tokendb.selfTestResultsTemplate=selfTestResults.template
-tokendb.auditAdminTemplate=auditAdmin.template
-tokendb.selectConfigTemplate=selectConfig.template
-tokendb.agentSelectConfigTemplate=agentSelectConfig.template
-tokendb.editConfigTemplate=editConfig.template
-tokendb.agentViewConfigTemplate=agentViewConfig.template
-tokendb.addConfigTemplate=addConfig.template
-tokendb.confirmConfigChangesTemplate=confirmConfigChanges.template
-tokendb.confirmDeleteConfigTemplate=confirmDeleteConfig.template
-log.instance.SignedAudit.selected.events=ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,LOG_EXPIRATION_CHANGE,CONFIG,CONFIG_ROLE,CONFIG_TOKEN,CONFIG_PROFILE,CONFIG_AUDIT,APPLET_UPGRADE,KEY_CHANGEOVER,RENEWAL
-log.instance.SignedAudit.selectable.events=ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,LOG_EXPIRATION_CHANGE,PRIVATE_KEY_ARCHIVE,PRIVATE_KEY_ARCHIVE_PROCESSED,KEY_RECOVERY_REQUEST,KEY_RECOVERY_AGENT_LOGIN,KEY_RECOVERY_PROCESSED,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,CONFIG,CONFIG_ROLE,CONFIG_TOKEN,CONFIG_PROFILE,CONFIG_AUDIT,APPLET_UPGRADE,KEY_CHANGEOVER,RENEWAL
-log.instance.SignedAudit.nonselectable.events=AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ_SUCCESS,AUTHZ_FAIL,INTER_BOUNDARY,AUTH_FAIL,AUTH_SUCCESS,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,SERVER_SIDE_KEYGEN_PROCESSED,SERVER_SIDE_KEYGEN_REQUEST
-tokendb.allowedTransitions=0:1,0:2,0:3,0:4,0:5,0:6,3:4,3:5,3:6,4:1,4:2,4:3,4:6
-target._000=#########################################
-target._001=# entries to enable configuration of parameter sets through the TPS UI agent and admin tabs
-target._002=#
-target._003=# target.configure.list = comma separated lists of all parameter sets that can be configured by the admin.
-target._004=# Each entry will show up (with underscore replaced by space) under Advanced Configuration on the admin tab.
-target._005=#
-target._006=# target.agent_approve.list = comma separated subset of above list. Parameter sets in this list
-target._007=# will show up in the agent tab (under advanced configuration) and will require agent involvement
-target._008=# (enable/ disable) to be edited.
-target._009=#
-target._010=# For the wording to display correctly, the values in the above list should be plurals.
-target._011=#
-target._012=# Each parameter set in the lists above requires three parameters:
-target._013=# target.<type name>.list : list of choices of this parameter set type (will display in the drop down box)
-target._014=# target.<type name>.pattern : the regular expression to select parameters in CS.cfg for this parameter set.
-target._015=# target.<type_name>.displayname: used in the UI display text. This should be the singular form of <type_name>.
-target._016=#
-target._017=# The exception is the parameter set Generals, which has only a pattern and displayname defined.
-target._018=#
-target._019=########################################
-target.configure.list=Profiles,Subsystem_Connections,Profile_Mappings,Authentication_Sources
-target.agent_approve.list=Profiles
-target.Profiles.list=userKey,soKey,soCleanUserToken,soUserKey,cleanToken,soCleanSoToken,tokenKey
-target.Profiles.pattern=op\..*\.$name\..*
-target.Profiles.displayname=Profile
-target.Subsystem_Connections.list=ca1,drm1,tks1
-target.Subsystem_Connections.pattern=conn\.$name\..*
-target.Subsystem_Connections.displayname=Subsystem Connection
-target.Profile_Mappings.list=enroll,format,pinReset
-target.Profile_Mappings.pattern=op\.$name\.mapping\..*
-target.Profile_Mappings.displayname=Profile Mapping
-target.Authentication_Sources.list=0,1
-target.Authentication_Sources.pattern=auth\.instance\.$name\..*
-target.Authentication_Sources.displayname=Authentication Source
-target.Generals.displayname=General
-target.Generals.pattern=^applet\..*\|^general\..*\|^failover.pod.enable\|^channel\..*
-config.Generals.General.state=Enabled
-config.Generals.General.timestamp=1280283607424406
-tps._000=########################################
-tps._001=# For verifying system certificates
-tps._002=# tps.cert.list=sslserver,subsystem,audit_signing
-tps._003=# tps.cert.sslserver.nickname=xxx
-tps._005=# tps.cert.subsystem.nickname=xxx
-tps._007=# tps.cert.audit_signing.nickname=xxx
-tps._009=########################################
-tps.cert.list=sslserver,subsystem,audit_signing
-tps.cert.sslserver.nickname=[HSM_LABEL][NICKNAME]
-tps.cert.subsystem.nickname=[HSM_LABEL][NICKNAME]
-tps.cert.audit_signing.nickname=[HSM_LABEL][NICKNAME]
diff --git a/pki/base/tps/doc/CS.cfg.in b/pki/base/tps/doc/CS.cfg.in
index 896bcbc14..2c7ec6020 100644
--- a/pki/base/tps/doc/CS.cfg.in
+++ b/pki/base/tps/doc/CS.cfg.in
@@ -18,19 +18,25 @@
# All rights reserved.
# --- END COPYRIGHT BLOCK ---
#
-pkicreate.pki_instance_root=[INSTANCE_ROOT]
-pkicreate.pki_instance_name=[INSTANCE_ID]
-pkicreate.subsystem_type=[SUBSYSTEM_TYPE]
+pkicreate.pki_instance_root=[PKI_INSTANCE_ROOT]
+pkicreate.pki_instance_name=[PKI_INSTANCE_ID]
+pkicreate.subsystem_type=[PKI_SUBSYSTEM_TYPE]
pkicreate.secure_port=[SECURE_PORT]
pkicreate.non_clientauth_secure_port=[NON_CLIENTAUTH_SECURE_PORT]
pkicreate.unsecure_port=[PORT]
-pkicreate.user=[USERID]
-pkicreate.group=[GROUPID]
-pkiremove.cert.subsystem.nickname=subsystemCert cert-[INSTANCE_ID]
+pkicreate.user=[PKI_USER]
+pkicreate.group=[PKI_GROUP]
+pkiremove.cert.subsystem.nickname=subsystemCert cert-[PKI_INSTANCE_ID]
cs.type=TPS
selftests._000=##
selftests._001=## Self Tests
selftests._002=##
+selftests._003=## The Self-Test plugin TPSSystemCertsVerification uses the
+selftests._004=## following parameters (where certusage is optional):
+selftests._005=## tps.cert.list = <list of cert tag names deliminated by ",">
+selftests._006=## tps.cert.<cert tag name>.nickname
+selftests._007=## tps.cert.<cert tag name>.certusage
+selftests._008=##
selftests.container.logger.enable=true
selftests.container.logger.expirationTime=0
selftests.container.logger.file.type=RollingLogFile
@@ -38,8 +44,8 @@ selftests.container.logger.fileName=[SERVER_ROOT]/logs/selftests.log
selftests.container.logger.level=10
selftests.container.logger.maxFileSize=2000
selftests.container.logger.rolloverInterval=2592000
-selftests.container.order.startup=TPSPresence:critical, TPSValidity:critical
-selftests.container.order.onDemand=TPSPresence:critical, TPSValidity:critical
+selftests.container.order.startup=TPSPresence:critical, TPSSystemCertsVerification:critical
+selftests.container.order.onDemand=TPSPresence:critical, TPSValidity:critical, TPSSystemCertsVerification:critical
selftests.plugin.TPSPresence.nickname=[HSM_LABEL][NICKNAME]
selftests.plugin.TPSValidity.nickname=[HSM_LABEL][NICKNAME]
service.machineName=[SERVER_NAME]
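Review bot: `selftests.container.order.startup` drops `TPSValidity:critical` while `selftests.container.order.onDemand` keeps it, and nothing in the hunk explains why the two lists now differ. If TPSSystemCertsVerification is meant to cover validity for every certificate in `tps.cert.list`, a `selftests._NNN` comment saying so would stop a later editor from "correcting" the asymmetry. If it does not, startup no longer runs the validity check on the certificate named by `selftests.plugin.TPSValidity.nickname`, and `TPSValidity:critical` should stay in the startup list. The plugin implementation is not visible here, so this is a question for the author rather than a confirmed regression.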
@@ -47,7 +53,7 @@ service.instanceDir=[SERVER_ROOT]
service.securePort=[SECURE_PORT]
service.non_clientauth_securePort=[NON_CLIENTAUTH_SECURE_PORT]
service.unsecurePort=[PORT]
-service.instanceID=[INSTANCE_ID]
+service.instanceID=[PKI_INSTANCE_ID]
logging._000=#########################################
logging._001=# RA configuration File
logging._002=#
@@ -111,9 +117,9 @@ logging.audit.filename=[SERVER_ROOT]/logs/tps-audit.log
logging.audit.signedAuditFilename=[SERVER_ROOT]/logs/signedAudit/tps_audit
logging.audit.level=10
logging.audit.logSigning=false
-logging.audit.signedAuditCertNickname=auditSigningCert cert-[INSTANCE_ID]
-logging.audit.selected.events=AUTHZ_SUCCESS,AUTHZ_FAIL,AUTH_FAIL,AUTH_SUCCESS,ROLE_ASSUME,ENROLLMENT,PIN_RESET,FORMAT,CONFIG,CONFIG_ROLE,CONFIG_TOKEN,CONFIG_PROFILE,CONFIG_AUDIT,APPLET_UPGRADE,KEY_CHANGEOVER,RENEWAL
-logging.audit.selectable.events=AUTHZ_SUCCESS,AUTHZ_FAIL,AUTH_FAIL,AUTH_SUCCESS,ROLE_ASSUME,ENROLLMENT,PIN_RESET,FORMAT,CONFIG,CONFIG_ROLE,CONFIG_TOKEN,CONFIG_PROFILE,CONFIG_AUDIT,APPLET_UPGRADE,KEY_CHANGEOVER,RENEWAL
+logging.audit.signedAuditCertNickname=auditSigningCert cert-[PKI_INSTANCE_ID]
+logging.audit.selected.events=AUTHZ_SUCCESS,AUTHZ_FAIL,AUTH_FAIL,AUTH_SUCCESS,ROLE_ASSUME,ENROLLMENT,PIN_RESET,FORMAT,CONFIG,CONFIG_ROLE,CONFIG_TOKEN,CONFIG_PROFILE,CONFIG_AUDIT,APPLET_UPGRADE,KEY_CHANGEOVER,RENEWAL,CIMC_CERT_VERIFICATION
+logging.audit.selectable.events=AUTHZ_SUCCESS,AUTHZ_FAIL,AUTH_FAIL,AUTH_SUCCESS,ROLE_ASSUME,ENROLLMENT,PIN_RESET,FORMAT,CONFIG,CONFIG_ROLE,CONFIG_TOKEN,CONFIG_PROFILE,CONFIG_AUDIT,APPLET_UPGRADE,KEY_CHANGEOVER,RENEWAL,CIMC_CERT_VERIFICATION
logging.audit.nonselectable.events=AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,LOGGING_SIGNED_AUDIT_SIGNING
logging.audit.buffer.size=512
logging.audit.flush.interval=5
@@ -156,8 +162,8 @@ conn.ca1.hostport=[CA_HOST]:[CA_PORT]
conn.ca1.clientNickname=[HSM_LABEL][NICKNAME]
conn.ca1.servlet.enrollment=/ca/ee/ca/profileSubmitSSLClient
conn.ca1.servlet.renewal=/ca/ee/ca/profileSubmitSSLClient
-conn.ca1.servlet.revoke=/ca/subsystem/ca/doRevoke
-conn.ca1.servlet.unrevoke=/ca/subsystem/ca/doUnrevoke
+conn.ca1.servlet.revoke=/ca/ee/subsystem/ca/doRevoke
+conn.ca1.servlet.unrevoke=/ca/ee/subsystem/ca/doUnrevoke
conn.ca1.retryConnect=3
conn.ca1.timeout=100
conn.ca1.SSLOn=true
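Review bot: `conn.ca1.servlet.revoke` and `conn.ca1.servlet.unrevoke` move to `/ca/ee/subsystem/ca/doRevoke` and `/ca/ee/subsystem/ca/doUnrevoke`, but a template change only reaches newly created instances. An instance created from the old template keeps the `/ca/subsystem/...` paths in its CS.cfg, so if the CA stops serving them, revocation requests from TPS would presumably fail after an upgrade. The commit should carry a migration step or document the manual edit. It is also worth confirming that the CA maps the new paths with the same client-certificate requirement as the old ones, since the matching CA configuration is not part of this hunk.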
@@ -343,6 +349,7 @@ general.search.sizelimit.max=2000
general.search.sizelimit.default=100
general.search.timelimit.max=10
general.search.timelimit.default=10
+general.pwlength.min=16
channel._000=#########################################
channel._001=# channel.encryption:
channel._002=#
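Review bot: `general.pwlength.min=16` is added without any comment entry saying which password it constrains or where it is enforced, unlike the neighbouring sections, which carry `_NNN` comment keys. `target.Generals.pattern` later in this file matches `^general\..*`, so the value appears to be editable from the TPS admin tab, and the hunk shows no floor below which it cannot be set. I would add a comment entry such as `general._NNN=# general.pwlength.min: minimum length accepted for <which password>; do not lower below <floor>` and confirm that the consuming code rejects smaller values.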
@@ -370,34 +377,34 @@ preop.cert.list=sslserver,subsystem,audit_signing
preop.cert.sslserver.enable=true
preop.cert.subsystem.enable=true
preop.cert.audit_signing.enable=false
-preop.cert.sslserver.defaultSigningAlgorithm=SHA1withRSA
-preop.cert.sslserver.dn=CN=[SERVER_NAME], OU=[INSTANCE_ID]
+preop.cert.sslserver.defaultSigningAlgorithm=SHA256withRSA
+preop.cert.sslserver.dn=CN=[SERVER_NAME], OU=[PKI_INSTANCE_ID]
preop.cert.sslserver.keysize.customsize=2048
preop.cert.sslserver.keysize.size=2048
preop.cert.sslserver.keysize.select=custom
-preop.cert.sslserver.nickname=Server-Cert cert-[INSTANCE_ID]
+preop.cert.sslserver.nickname=Server-Cert cert-[PKI_INSTANCE_ID]
preop.cert.sslserver.profile=caInternalAuthServerCert
preop.cert.sslserver.subsystem=tps
preop.cert._003=#preop.cert.sslserver.type=local
preop.cert.sslserver.userfriendlyname=SSL Server Certificate
preop.cert._004=#preop.cert.sslserver.cncomponent.override=false
-preop.cert.subsystem.defaultSigningAlgorithm=SHA1withRSA
-preop.cert.subsystem.dn=CN=TPS Subsystem Certificate, OU=[INSTANCE_ID]
+preop.cert.subsystem.defaultSigningAlgorithm=SHA256withRSA
+preop.cert.subsystem.dn=CN=TPS Subsystem Certificate, OU=[PKI_INSTANCE_ID]
preop.cert.subsystem.keysize.customsize=2048
preop.cert.subsystem.keysize.size=2048
preop.cert.subsystem.keysize.select=custom
-preop.cert.subsystem.nickname=subsystemCert cert-[INSTANCE_ID]
+preop.cert.subsystem.nickname=subsystemCert cert-[PKI_INSTANCE_ID]
preop.cert.subsystem.profile=caInternalAuthSubsystemCert
preop.cert.subsystem.subsystem=tps
preop.cert._005=#preop.cert.subsystem.type=local
preop.cert.subsystem.userfriendlyname=Subsystem Certificate
preop.cert._006=#preop.cert.subsystem.cncomponent.override=true
-preop.cert.audit_signing.defaultSigningAlgorithm=SHA1withRSA
-preop.cert.audit_signing.dn=CN=TPS Audit Signing Certificate, OU=[INSTANCE_ID]
+preop.cert.audit_signing.defaultSigningAlgorithm=SHA256withRSA
+preop.cert.audit_signing.dn=CN=TPS Audit Signing Certificate, OU=[PKI_INSTANCE_ID]
preop.cert.audit_signing.keysize.customsize=2048
preop.cert.audit_signing.keysize.size=2048
preop.cert.audit_signing.keysize.select=custom
-preop.cert.audit_signing.nickname=auditSigningCert cert-[INSTANCE_ID]
+preop.cert.audit_signing.nickname=auditSigningCert cert-[PKI_INSTANCE_ID]
preop.cert.audit_signing.profile=caInternalAuthAuditSigningCert
preop.cert.audit_signing.subsystem=tps
preop.cert._005=#preop.cert.audit_signing.type=local
@@ -715,7 +722,6 @@ op.enroll.userKey.keyGen.signing.privateKeyNumber=2
op.enroll.userKey.keyGen.signing.publicKeyNumber=3
op.enroll.userKey.keyGen.signing.ca.profileId=caTokenUserSigningKeyEnrollment
op.enroll.userKey.keyGen.signing.ca.conn=ca1
-op.enroll.userKey.keyGen.signing.revokeCert=true
op.enroll.userKey._079=#op.enroll.userKey.keyGen.signing.publisherId=fileBasedPublisher
op.enroll.userKey.keyGen.encryption.keySize=1024
op.enroll.userKey.keyGen.encryption.public.keyCapabilities.encrypt=true
@@ -755,7 +761,6 @@ op.enroll.userKey.keyGen.encryption.privateKeyNumber=4
op.enroll.userKey.keyGen.encryption.publicKeyNumber=5
op.enroll.userKey.keyGen.encryption.ca.profileId=caTokenUserEncryptionKeyEnrollment
op.enroll.userKey.keyGen.encryption.ca.conn=ca1
-op.enroll.userKey.keyGen.encryption.revokeCert=true
op.enroll.userKey.pkcs11obj.enable=true
op.enroll.userKey.pkcs11obj.compress.enable=true
op.enroll.userKey.update.applet.emptyToken.enable=true
@@ -834,7 +839,6 @@ op.enroll.userKeyTemporary.keyGen.auth.privateKeyNumber=0
op.enroll.userKeyTemporary.keyGen.auth.publicKeyNumber=1
op.enroll.userKeyTemporary.keyGen.auth.ca.profileId=caTempTokenDeviceKeyEnrollment
op.enroll.userKeyTemporary.keyGen.auth.ca.conn=ca1
-op.enroll.userKeyTemporary.keyGen.auth.revokeCert=true
op.enroll.userKeyTemporary.keyGen.signing.keySize=1024
op.enroll.userKeyTemporary.keyGen.signing.public.keyCapabilities.encrypt=false
op.enroll.userKeyTemporary.keyGen.signing.public.keyCapabilities.sign=false
@@ -873,7 +877,6 @@ op.enroll.userKeyTemporary.keyGen.signing.privateKeyNumber=2
op.enroll.userKeyTemporary.keyGen.signing.publicKeyNumber=3
op.enroll.userKeyTemporary.keyGen.signing.ca.profileId=caTempTokenUserSigningKeyEnrollment
op.enroll.userKeyTemporary.keyGen.signing.ca.conn=ca1
-op.enroll.userKeyTemporary.keyGen.signing.revokeCert=true
op.enroll.userKey._080=#op.enroll.userKeyTemporary.keyGen.signing.publisherId=fileBasedPublisher
op.enroll.userKeyTemporary.keyGen.encryption.keySize=1024
op.enroll.userKeyTemporary.keyGen.encryption.public.keyCapabilities.encrypt=true
@@ -913,7 +916,6 @@ op.enroll.userKeyTemporary.keyGen.encryption.privateKeyNumber=4
op.enroll.userKeyTemporary.keyGen.encryption.publicKeyNumber=5
op.enroll.userKeyTemporary.keyGen.encryption.ca.profileId=caTempTokenUserEncryptionKeyEnrollment
op.enroll.userKeyTemporary.keyGen.encryption.ca.conn=ca1
-op.enroll.userKeyTemporary.keyGen.encryption.revokeCert=true
op.enroll.userKeyTemporary.pkcs11obj.enable=true
op.enroll.userKeyTemporary.pkcs11obj.compress.enable=true
op.enroll.userKeyTemporary.update.applet.emptyToken.enable=true
@@ -1031,7 +1033,6 @@ op.enroll.soKey.keyGen.signing.privateKeyNumber=2
op.enroll.soKey.keyGen.signing.publicKeyNumber=3
op.enroll.soKey.keyGen.signing.ca.profileId=caTokenUserSigningKeyEnrollment
op.enroll.soKey.keyGen.signing.ca.conn=ca1
-op.enroll.soKey.keyGen.signing.revokeCert=true
op.enroll.soKey._079=#op.enroll.userKey.keyGen.signing.publisherId=fileBasedPublisher
op.enroll.soKey.keyGen.encryption.keySize=1024
op.enroll.soKey.keyGen.encryption.public.keyCapabilities.encrypt=true
@@ -1071,7 +1072,6 @@ op.enroll.soKey.keyGen.encryption.privateKeyNumber=4
op.enroll.soKey.keyGen.encryption.publicKeyNumber=5
op.enroll.soKey.keyGen.encryption.ca.profileId=caTokenUserEncryptionKeyEnrollment
op.enroll.soKey.keyGen.encryption.ca.conn=ca1
-op.enroll.soKey.keyGen.encryption.revokeCert=true
op.enroll.soKey.pkcs11obj.enable=true
op.enroll.soKey.pkcs11obj.compress.enable=true
op.enroll.soKey.update.applet.emptyToken.enable=true
@@ -1150,7 +1150,6 @@ op.enroll.soKeyTemporary.keyGen.auth.privateKeyNumber=0
op.enroll.soKeyTemporary.keyGen.auth.publicKeyNumber=1
op.enroll.soKeyTemporary.keyGen.auth.ca.profileId=caTempTokenDeviceKeyEnrollment
op.enroll.soKeyTemporary.keyGen.auth.ca.conn=ca1
-op.enroll.soKeyTemporary.keyGen.auth.revokeCert=true
op.enroll.soKeyTemporary.keyGen.signing.keySize=1024
op.enroll.soKeyTemporary.keyGen.signing.public.keyCapabilities.encrypt=false
op.enroll.soKeyTemporary.keyGen.signing.public.keyCapabilities.sign=false
@@ -1189,7 +1188,6 @@ op.enroll.soKeyTemporary.keyGen.signing.privateKeyNumber=2
op.enroll.soKeyTemporary.keyGen.signing.publicKeyNumber=3
op.enroll.soKeyTemporary.keyGen.signing.ca.profileId=caTempTokenUserSigningKeyEnrollment
op.enroll.soKeyTemporary.keyGen.signing.ca.conn=ca1
-op.enroll.soKeyTemporary.keyGen.signing.revokeCert=true
op.enroll.soKeyTemporary.keyGen.encryption.keySize=1024
op.enroll.soKeyTemporary.keyGen.encryption.public.keyCapabilities.encrypt=true
op.enroll.soKeyTemporary.keyGen.encryption.public.keyCapabilities.sign=false
@@ -1228,7 +1226,6 @@ op.enroll.soKeyTemporary.keyGen.encryption.privateKeyNumber=4
op.enroll.soKeyTemporary.keyGen.encryption.publicKeyNumber=5
op.enroll.soKeyTemporary.keyGen.encryption.ca.profileId=caTempTokenUserEncryptionKeyEnrollment
op.enroll.soKeyTemporary.keyGen.encryption.ca.conn=ca1
-op.enroll.soKeyTemporary.keyGen.encryption.revokeCert=true
op.enroll.soKeyTemporary.pkcs11obj.enable=true
op.enroll.soKeyTemporary.pkcs11obj.compress.enable=true
op.enroll.soKeyTemporary.update.applet.emptyToken.enable=true
@@ -1539,23 +1536,42 @@ target._006=# target.agent_approve.list = comma separated subset of above list.
target._007=# will show up in the agent tab (under advanced configuration) and will require agent involvement
target._008=# (enable/ disable) to be edited.
target._009=#
-target._010=# Each parameter set in the lists above requires two parameters:
-target._011=# target.<type name>.list : list of choices of this parameter set type (will display in the drop down box)
-target._012=# target.<type name>.pattern : the regular expression to select parameters in CS.cfg for this parameter set.
-target._013=#
-target._014=# The exception is the parameter set Generals, which only has a pattern defined. ie. target.Generals.pattern
+target._010=# For the wording to display correctly, the values in the above list should be plurals.
+target._011=#
+target._012=# Each parameter set in the lists above requires three parameters:
+target._013=# target.<type name>.list : list of choices of this parameter set type (will display in the drop down box)
+target._014=# target.<type name>.pattern : the regular expression to select parameters in CS.cfg for this parameter set.
+target._015=# target.<type_name>.displayname: used in the UI display text. This should be the singular form of <type_name>.
target._016=#
-target._017=########################################
+target._017=# The exception is the parameter set Generals, which has only a pattern and displayname defined.
+target._018=#
+target._019=########################################
target.configure.list=Profiles,Subsystem_Connections,Profile_Mappings,Authentication_Sources
target.agent_approve.list=Profiles
target.Profiles.list=userKey,soKey,soCleanUserToken,soUserKey,cleanToken,soCleanSoToken,tokenKey
target.Profiles.pattern=op\..*\.$name\..*
+target.Profiles.displayname=Profile
target.Subsystem_Connections.list=ca1,drm1,tks1
target.Subsystem_Connections.pattern=conn\.$name\..*
+target.Subsystem_Connections.displayname=Subsystem Connection
target.Profile_Mappings.list=enroll,format,pinReset
target.Profile_Mappings.pattern=op\.$name\.mapping\..*
+target.Profile_Mappings.displayname=Profile Mapping
target.Authentication_Sources.list=0,1
target.Authentication_Sources.pattern=auth\.instance\.$name\..*
+target.Authentication_Sources.displayname=Authentication Source
+target.Generals.displayname=General
target.Generals.pattern=^applet\..*\|^general\..*\|^failover.pod.enable\|^channel\..*
config.Generals.General.state=Enabled
config.Generals.General.timestamp=1280283607424406
+tps._000=########################################
+tps._001=# For verifying system certificates
+tps._002=# tps.cert.list=sslserver,subsystem,audit_signing
+tps._003=# tps.cert.sslserver.nickname=xxx
+tps._005=# tps.cert.subsystem.nickname=xxx
+tps._007=# tps.cert.audit_signing.nickname=xxx
+tps._009=########################################
+tps.cert.list=sslserver,subsystem,audit_signing
+tps.cert.sslserver.nickname=[HSM_LABEL][NICKNAME]
+tps.cert.subsystem.nickname=[HSM_LABEL][NICKNAME]
+tps.cert.audit_signing.nickname=[HSM_LABEL][NICKNAME]
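Review bot: All three new `tps.cert.<tag>.nickname` entries use the same `[HSM_LABEL][NICKNAME]` placeholder, whereas the `preop.cert.*.nickname` entries in this file give each certificate its own name (`Server-Cert cert-[PKI_INSTANCE_ID]`, `subsystemCert cert-[PKI_INSTANCE_ID]`, `auditSigningCert cert-[PKI_INSTANCE_ID]`). If `[NICKNAME]` is substituted with a single value at instance creation, the startup self-test `TPSSystemCertsVerification:critical` would check the same certificate three times and never look at the subsystem or audit-signing certificate. Separately, `tps.cert.list` includes `audit_signing` while `preop.cert.audit_signing.enable=false`, so a critical startup test may be asked to verify a certificate that was never issued. The substitution logic and the plugin are outside this hunk, so please confirm that configuration rewrites these values per certificate and say so in the `tps._NNN` comment block. That block also omits the optional `tps.cert.<cert tag name>.certusage` parameter that the `selftests._007` comment mentions.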
diff --git a/pki/base/tps/src/CMakeLists.txt b/pki/base/tps/src/CMakeLists.txt
index fe27b3e63..7f7859ba4 100644
--- a/pki/base/tps/src/CMakeLists.txt
+++ b/pki/base/tps/src/CMakeLists.txt
@@ -1,10 +1,11 @@
project(tps_library CXX)
+set(TPS_LIBRARY_VERSION ${APPLICATION_VERSION})
+set(TPS_LIBRARY_SOVERSION 9)
+
set(TPS_INCLUDE_DIR ${CMAKE_CURRENT_SOURCE_DIR}/include)
-add_subdirectory(authentication)
add_subdirectory(tus)
-add_subdirectory(modules)
set(TPS_PUBLIC_INCLUDE_DIRS
${CMAKE_CURRENT_BINARY_DIR}
@@ -19,6 +20,7 @@ set(TPS_PRIVATE_INCLUDE_DIRS
${NSS_INCLUDE_DIRS}
${NSPR_INCLUDE_DIRS}
${APR_INCLUDE_DIRS}
+ ${SVRCORE_INCLUDE_DIRS}
${MOZLDAP_INCLUDE_DIRS}
)
@@ -31,6 +33,7 @@ set(TPS_LINK_LIBRARIES
${NSPR_LIBRARIES}
${NSS_LIBRARIES}
${APR_LIBRARIES}
+ ${SVRCORE_LIBRARIES}
${MOZLDAP_LIBRARIES}
${TOKENDB_SHARED_LIBRARY}
)
@@ -121,6 +124,7 @@ set(tps_library_SRCS
processor/RA_Format_Processor.cpp
selftests/SelfTest.cpp
selftests/TPSPresence.cpp
+ selftests/TPSSystemCertsVerification.cpp
selftests/TPSValidity.cpp
)
@@ -144,3 +148,7 @@ install(
${TPS_SHARED_LIBRARY}
LIBRARY DESTINATION ${LIB_INSTALL_DIR}
)
+
+add_subdirectory(authentication)
+add_subdirectory(modules)
+
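Review bot: The two `add_subdirectory` calls moved to the end of this file now depend on their position, and nothing in the file says so. The authentication and modules/tps link lists changed in this commit reference `${TPS_SHARED_LIBRARY}` and `${TOKENDB_SHARED_LIBRARY}`, which presumably are set earlier in this file and in tus/. If either is unset when the subdirectory is processed, it expands to nothing and the library is dropped from the link line without a configure error. I would add a comment above the calls, such as `# keep last: authentication/ and modules/ link ${TPS_SHARED_LIBRARY}, which is defined above`. The `install(` call shown as context starts outside the hunk.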
diff --git a/pki/base/tps/src/authentication/CMakeLists.txt b/pki/base/tps/src/authentication/CMakeLists.txt
index 5dec1b5c7..25cb4720b 100644
--- a/pki/base/tps/src/authentication/CMakeLists.txt
+++ b/pki/base/tps/src/authentication/CMakeLists.txt
@@ -1,7 +1,7 @@
project(ldapauth_library CXX)
set(LDAPAUTH_LIBRARY_VERSION ${APPLICATION_VERSION})
-set(LDAPAUTH_LIBRARY_SOVERSION 1)
+set(LDAPAUTH_LIBRARY_SOVERSION 9)
set(LDAPAUTH_PUBLIC_INCLUDE_DIRS
${CMAKE_CURRENT_BINARY_DIR}
@@ -15,6 +15,7 @@ set(LDAPAUTH_PRIVATE_INCLUDE_DIRS
${CMAKE_BINARY_DIR}
${NSPR_INCLUDE_DIRS}
${NSS_INCLUDE_DIRS}
+ ${SVRCORE_INCLUDE_DIRS}
${MOZLDAP_INCLUDE_DIRS}
)
@@ -26,7 +27,10 @@ set(LDAPAUTH_SHARED_LIBRARY
set(LDAPAUTH_LINK_LIBRARIES
${NSPR_LIBRARIES}
${NSS_LIBRARIES}
+ ${SVRCORE_LIBRARIES}
${MOZLDAP_LIBRARIES}
+ ${TOKENDB_SHARED_LIBRARY}
+ ${TPS_SHARED_LIBRARY}
)
set(ldapauth_library_SRCS
diff --git a/pki/base/tps/src/modules/tokendb/CMakeLists.txt b/pki/base/tps/src/modules/tokendb/CMakeLists.txt
index 927d2ff7f..c152d80e7 100644
--- a/pki/base/tps/src/modules/tokendb/CMakeLists.txt
+++ b/pki/base/tps/src/modules/tokendb/CMakeLists.txt
@@ -6,6 +6,7 @@ set(TOKENDB_PRIVATE_INCLUDE_DIRS
${NSPR_INCLUDE_DIRS}
${NSS_INCLUDE_DIRS}
${APR_INCLUDE_DIRS}
+ ${SVRCORE_INCLUDE_DIRS}
${MOZLDAP_INCLUDE_DIRS}
)
@@ -19,6 +20,7 @@ set(TOKENDB_LINK_LIBRARIES
${NSPR_LIBRARIES}
${NSS_LIBRARIES}
${APR_LIBRARIES}
+ ${SVRCORE_LIBRARIES}
${MOZLDAP_LIBRARIES}
)
@@ -33,7 +35,6 @@ target_link_libraries(${TOKENDB_MODULE} ${TOKENDB_LINK_LIBRARIES})
set_target_properties(${TOKENDB_MODULE}
PROPERTIES
- ${TOKENDB_LIBRARY_SOVERSION}
OUTPUT_NAME
mod_tokendb
PREFIX ""
@@ -43,5 +44,5 @@ install(
TARGETS
${TOKENDB_MODULE}
DESTINATION
- ${SYSCONF_INSTALL_DIR}/httpd/modules
+ ${LIB_INSTALL_DIR}/httpd/modules
)
diff --git a/pki/base/tps/src/modules/tps/CMakeLists.txt b/pki/base/tps/src/modules/tps/CMakeLists.txt
index ecc99ff0e..069c87f89 100644
--- a/pki/base/tps/src/modules/tps/CMakeLists.txt
+++ b/pki/base/tps/src/modules/tps/CMakeLists.txt
@@ -6,6 +6,7 @@ set(TPS_PRIVATE_INCLUDE_DIRS
${NSPR_INCLUDE_DIRS}
${NSS_INCLUDE_DIRS}
${APR_INCLUDE_DIRS}
+ ${SVRCORE_INCLUDE_DIRS}
${MOZLDAP_INCLUDE_DIRS}
)
@@ -19,7 +20,10 @@ set(TPS_LINK_LIBRARIES
${NSPR_LIBRARIES}
${NSS_LIBRARIES}
${APR_LIBRARIES}
+ ${SVRCORE_LIBRARIES}
${MOZLDAP_LIBRARIES}
+ ${TOKENDB_SHARED_LIBRARY}
+ ${TPS_SHARED_LIBRARY}
)
set(tps_module_SRCS
@@ -35,7 +39,6 @@ target_link_libraries(${TPS_MODULE} ${TPS_LINK_LIBRARIES})
set_target_properties(${TPS_MODULE}
PROPERTIES
- ${TPS_LIBRARY_SOVERSION}
OUTPUT_NAME
mod_tps
PREFIX ""
@@ -45,5 +48,5 @@ install(
TARGETS
${TPS_MODULE}
DESTINATION
- ${SYSCONF_INSTALL_DIR}/httpd/modules
+ ${LIB_INSTALL_DIR}/httpd/modules
)
diff --git a/pki/base/tps/src/tus/CMakeLists.txt b/pki/base/tps/src/tus/CMakeLists.txt
index 6785ed625..7cff9d73b 100644
--- a/pki/base/tps/src/tus/CMakeLists.txt
+++ b/pki/base/tps/src/tus/CMakeLists.txt
@@ -1,7 +1,7 @@
project(tokendb_library C)
set(TOKENDB_LIBRARY_VERSION ${APPLICATION_VERSION})
-set(TOKENDB_LIBRARY_SOVERSION 1)
+set(TOKENDB_LIBRARY_SOVERSION 9)
set(TOKENDB_PUBLIC_INCLUDE_DIRS
${CMAKE_CURRENT_BINARY_DIR}
@@ -15,6 +15,7 @@ set(TOKENDB_PRIVATE_INCLUDE_DIRS
${CMAKE_BINARY_DIR}
${NSPR_INCLUDE_DIRS}
${NSS_INCLUDE_DIRS}
+ ${SVRCORE_INCLUDE_DIRS}
${MOZLDAP_INCLUDE_DIRS}
)
@@ -26,6 +27,7 @@ set(TOKENDB_SHARED_LIBRARY
set(TOKENDB_LINK_LIBRARIES
${NSPR_LIBRARIES}
${NSS_LIBRARIES}
+ ${SVRCORE_LIBRARIES}
${MOZLDAP_LIBRARIES}
)
diff --git a/pki/base/tps/tools/raclient/CMakeLists.txt b/pki/base/tps/tools/raclient/CMakeLists.txt
index e28a40d5d..9f4020b31 100644
--- a/pki/base/tps/tools/raclient/CMakeLists.txt
+++ b/pki/base/tps/tools/raclient/CMakeLists.txt
@@ -43,5 +43,5 @@ install(
format.tps
reset_pin.tps
DESTINATION
- ${SHARE_INSTALL_PREFIX}/${APPLICATION_NAME}/${PROJECT_NAME}/samples
+ ${SHARE_INSTALL_PREFIX}/${APPLICATION_NAME}/tps/samples
)
diff --git a/pki/cmake/Modules/FindMozLDAP.cmake b/pki/cmake/Modules/FindMozLDAP.cmake
index 4f728c36b..634241ce1 100644
--- a/pki/cmake/Modules/FindMozLDAP.cmake
+++ b/pki/cmake/Modules/FindMozLDAP.cmake
@@ -26,6 +26,7 @@ else (MOZLDAP_LIBRARIES AND MOZLDAP_INCLUDE_DIRS)
find_path(MOZLDAP_INCLUDE_DIR
NAMES
ldap.h
+ ldif.h
PATHS
${_MOZLDAP_INCLUDEDIR}
/usr/include
@@ -69,6 +70,17 @@ else (MOZLDAP_LIBRARIES AND MOZLDAP_INCLUDE_DIRS)
/sw/lib
)
+ find_library(LDIF60_LIBRARY
+ NAMES
+ ldif60
+ PATHS
+ ${_MOZLDAP_LIBDIR}
+ /usr/lib
+ /usr/local/lib
+ /opt/local/lib
+ /sw/lib
+ )
+
set(MOZLDAP_INCLUDE_DIRS
${MOZLDAP_INCLUDE_DIR}
)
@@ -94,6 +106,13 @@ else (MOZLDAP_LIBRARIES AND MOZLDAP_INCLUDE_DIRS)
)
endif (LDAP60_LIBRARY)
+ if (LDIF60_LIBRARY)
+ set(MOZLDAP_LIBRARIES
+ ${MOZLDAP_LIBRARIES}
+ ${LDIF60_LIBRARY}
+ )
+ endif (LDIF60_LIBRARY)
+
include(FindPackageHandleStandardArgs)
find_package_handle_standard_args(MozLDAP DEFAULT_MSG MOZLDAP_LIBRARIES MOZLDAP_INCLUDE_DIRS)
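Review bot: A missing ldif60 library is not reported at configure time, because the new `if (LDIF60_LIBRARY)` block only skips the append and `find_package_handle_standard_args` checks just `MOZLDAP_LIBRARIES` and `MOZLDAP_INCLUDE_DIRS`. If the code built by this commit needs ldif60, the failure surfaces later as a link error; adding the variable to the check makes it explicit: `find_package_handle_standard_args(MozLDAP DEFAULT_MSG MOZLDAP_LIBRARIES MOZLDAP_INCLUDE_DIRS LDIF60_LIBRARY)`. The first hunk has a related gap: `find_path` treats `ldap.h` and `ldif.h` as alternative names, so listing `ldif.h` does not verify that the header is present. The enclosing `else` branch starts and ends outside these hunks.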
diff --git a/pki/cmake/Modules/FindSvrcore.cmake b/pki/cmake/Modules/FindSvrcore.cmake
new file mode 100644
index 000000000..cfb073301
--- /dev/null
+++ b/pki/cmake/Modules/FindSvrcore.cmake
@@ -0,0 +1,67 @@
+# - Try to find Svrcore
+# Once done this will define
+#
+# SVRCORE_FOUND - system has Svrcore
+# SVRCORE_INCLUDE_DIRS - the Svrcore include directory
+# SVRCORE_LIBRARIES - Link these to use Svrcore
+# SVRCORE_DEFINITIONS - Compiler switches required for using Svrcore
+#
+# Copyright (c) 2010 Matthew Harmsen <mharmsen@redhat.com>
+#
+# Redistribution and use is allowed according to the terms of the New
+# BSD license.
+# For details see the accompanying COPYING-CMAKE-SCRIPTS file.
+#
+
+
+if (SVRCORE_LIBRARIES AND SVRCORE_INCLUDE_DIRS)
+ # in cache already
+ set(SVRCORE_FOUND TRUE)
+else (SVRCORE_LIBRARIES AND SVRCORE_INCLUDE_DIRS)
+ find_package(PkgConfig)
+ if (PKG_CONFIG_FOUND)
+ pkg_check_modules(_SVRCORE svrcore)
+ endif (PKG_CONFIG_FOUND)
+
+ find_path(SVRCORE_INCLUDE_DIR
+ NAMES
+ svrcore.h
+ PATHS
+ ${_SVRCORE_INCLUDEDIR}
+ /usr/include
+ /usr/local/include
+ /opt/local/include
+ /sw/include
+ PATH_SUFFIXES
+ svrcore
+ )
+
+ find_library(SVRCORE_LIBRARY
+ NAMES
+ svrcore
+ PATHS
+ ${_SVRCORE_LIBDIR}
+ /usr/lib
+ /usr/local/lib
+ /opt/local/lib
+ /sw/lib
+ )
+
+ set(SVRCORE_INCLUDE_DIRS
+ ${SVRCORE_INCLUDE_DIR}
+ )
+
+ if (SVRCORE_LIBRARY)
+ set(SVRCORE_LIBRARIES
+ ${SVRCORE_LIBRARIES}
+ ${SVRCORE_LIBRARY}
+ )
+ endif (SVRCORE_LIBRARY)
+
+ include(FindPackageHandleStandardArgs)
+ find_package_handle_standard_args(Svrcore DEFAULT_MSG SVRCORE_LIBRARIES SVRCORE_INCLUDE_DIRS)
+
+ # show the SVRCORE_INCLUDE_DIRS and SVRCORE_LIBRARIES variables only in the advanced view
+ mark_as_advanced(SVRCORE_INCLUDE_DIRS SVRCORE_LIBRARIES)
+
+endif (SVRCORE_LIBRARIES AND SVRCORE_INCLUDE_DIRS)
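Review bot: The pkg-config result is passed to `find_path` and `find_library` under `PATHS`, which CMake consults only after its default system locations, so `${_SVRCORE_INCLUDEDIR}` and `${_SVRCORE_LIBDIR}` cannot steer the search toward the installation pkg-config reported. Moving them to `HINTS ${_SVRCORE_INCLUDEDIR}` and `HINTS ${_SVRCORE_LIBDIR}` keeps the hard-coded directories as a fallback and makes it predictable which copy of svrcore is linked. Separately, the header comment promises `SVRCORE_DEFINITIONS` but the module never sets it; either drop that line or add `set(SVRCORE_DEFINITIONS ${_SVRCORE_CFLAGS_OTHER})`.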
diff --git a/pki/dogtag/CMakeLists.txt b/pki/dogtag/CMakeLists.txt
index fd04debf9..5e7771de1 100644
--- a/pki/dogtag/CMakeLists.txt
+++ b/pki/dogtag/CMakeLists.txt
@@ -1,10 +1,10 @@
project(dogtag)
-if (APPLICATION_FLAVOUR_NULL_THEME)
+if (APPLICATION_FLAVOR_NULL_PKI_THEME)
add_subdirectory(common-ui)
add_subdirectory(ca-ui)
-endif (APPLICATION_FLAVOUR_NULL_THEME)
-if (APPLICATION_FLAVOUR_DOGTAG_THEME)
+endif (APPLICATION_FLAVOR_NULL_PKI_THEME)
+if (APPLICATION_FLAVOR_DOGTAG_PKI_THEME)
add_subdirectory(common-ui)
add_subdirectory(ca-ui)
add_subdirectory(kra-ui)
@@ -13,4 +13,4 @@ if (APPLICATION_FLAVOUR_DOGTAG_THEME)
add_subdirectory(tks-ui)
add_subdirectory(tps-ui)
add_subdirectory(console-ui)
-endif (APPLICATION_FLAVOUR_DOGTAG_THEME)
+endif (APPLICATION_FLAVOR_DOGTAG_PKI_THEME)
diff --git a/pki/dogtag/ca/pki-ca.spec b/pki/dogtag/ca/pki-ca.spec
index f9f47c23d..000a101d1 100644
--- a/pki/dogtag/ca/pki-ca.spec
+++ b/pki/dogtag/ca/pki-ca.spec
@@ -60,6 +60,8 @@ ant \
rm -rf %{buildroot}
cd dist/binary
unzip %{name}-%{version}.zip -d %{buildroot}
+cd %{buildroot}%{_datadir}/pki/ca/conf
+mv CS.cfg.in CS.cfg
sed -i 's/^preop.product.version=.*$/preop.product.version=%{version}/' %{buildroot}%{_datadir}/pki/ca/conf/CS.cfg
sed -i 's/^cms.version=.*$/cms.version=%{major_version}.%{minor_version}/' %{buildroot}%{_datadir}/pki/ca/conf/CS.cfg
mkdir -p %{buildroot}%{_localstatedir}/lock/pki/ca
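Review bot: The added `cd` plus relative `mv` changes the working directory for the rest of `%install`, which until this point was `dist/binary`. The lines visible after it use absolute paths, but anything further down (outside the hunk) that relies on the old directory would be affected. A single absolute rename avoids the side effect: `mv %{buildroot}%{_datadir}/pki/ca/conf/CS.cfg.in %{buildroot}%{_datadir}/pki/ca/conf/CS.cfg`. The same two lines are added to pki-kra.spec, pki-ocsp.spec, pki-ra.spec, pki-tks.spec and pki-tps.spec.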
diff --git a/pki/dogtag/console-ui/src/CMakeLists.txt b/pki/dogtag/console-ui/src/CMakeLists.txt
index e13ced8e9..2ff647440 100644
--- a/pki/dogtag/console-ui/src/CMakeLists.txt
+++ b/pki/dogtag/console-ui/src/CMakeLists.txt
@@ -12,8 +12,8 @@ set(console_ui_java_SRCS
set(CMAKE_JAVA_TARGET_VERSION ${APPLICATION_VERSION})
-add_jar(pki-console-theme ${console_ui_java_SRCS})
-install_jar(pki-console-theme ${JAVA_JAR_INSTALL_DIR})
+add_jar(pki-console-theme_en ${console_ui_java_SRCS})
+install_jar(pki-console-theme_en ${JAVA_JAR_INSTALL_DIR})
-set(CONSOLE_UI_JAR ${pki-console-theme_JAR_FILE} CACHE INTERNAL "console-ui jar file")
+set(CONSOLE_UI_JAR ${pki-console-theme_en_JAR_FILE} CACHE INTERNAL "console-ui jar file")
diff --git a/pki/dogtag/kra/pki-kra.spec b/pki/dogtag/kra/pki-kra.spec
index 808353632..ba9e8b615 100644
--- a/pki/dogtag/kra/pki-kra.spec
+++ b/pki/dogtag/kra/pki-kra.spec
@@ -69,6 +69,8 @@ ant \
rm -rf %{buildroot}
cd dist/binary
unzip %{name}-%{version}.zip -d %{buildroot}
+cd %{buildroot}%{_datadir}/pki/kra/conf
+mv CS.cfg.in CS.cfg
sed -i 's/^preop.product.version=.*$/preop.product.version=%{version}/' %{buildroot}%{_datadir}/pki/kra/conf/CS.cfg
sed -i 's/^cms.version=.*$/cms.version=%{major_version}.%{minor_version}/' %{buildroot}%{_datadir}/pki/kra/conf/CS.cfg
mkdir -p %{buildroot}%{_localstatedir}/lock/pki/kra
diff --git a/pki/dogtag/ocsp/pki-ocsp.spec b/pki/dogtag/ocsp/pki-ocsp.spec
index 0844d3947..63ab5e225 100644
--- a/pki/dogtag/ocsp/pki-ocsp.spec
+++ b/pki/dogtag/ocsp/pki-ocsp.spec
@@ -78,6 +78,8 @@ ant \
rm -rf %{buildroot}
cd dist/binary
unzip %{name}-%{version}.zip -d %{buildroot}
+cd %{buildroot}%{_datadir}/pki/ocsp/conf
+mv CS.cfg.in CS.cfg
sed -i 's/^preop.product.version=.*$/preop.product.version=%{version}/' %{buildroot}%{_datadir}/pki/ocsp/conf/CS.cfg
sed -i 's/^cms.version=.*$/cms.version=%{major_version}.%{minor_version}/' %{buildroot}%{_datadir}/pki/ocsp/conf/CS.cfg
mkdir -p %{buildroot}%{_localstatedir}/lock/pki/ocsp
diff --git a/pki/dogtag/ra/pki-ra.spec b/pki/dogtag/ra/pki-ra.spec
index 964d56ef2..d9559d8fc 100644
--- a/pki/dogtag/ra/pki-ra.spec
+++ b/pki/dogtag/ra/pki-ra.spec
@@ -75,6 +75,8 @@ ant \
rm -rf %{buildroot}
cd dist/binary
unzip %{name}-%{version}.zip -d %{buildroot}
+cd %{buildroot}%{_datadir}/pki/ra/conf
+mv CS.cfg.in CS.cfg
sed -i 's/^preop.product.version=.*$/preop.product.version=%{version}/' %{buildroot}%{_datadir}/pki/ra/conf/CS.cfg
mkdir -p %{buildroot}%{_localstatedir}/lock/pki/ra
mkdir -p %{buildroot}%{_localstatedir}/run/pki/ra
diff --git a/pki/dogtag/tks/pki-tks.spec b/pki/dogtag/tks/pki-tks.spec
index f861dfd5f..4c64da5ef 100644
--- a/pki/dogtag/tks/pki-tks.spec
+++ b/pki/dogtag/tks/pki-tks.spec
@@ -71,6 +71,8 @@ ant \
rm -rf %{buildroot}
cd dist/binary
unzip %{name}-%{version}.zip -d %{buildroot}
+cd %{buildroot}%{_datadir}/pki/tks/conf
+mv CS.cfg.in CS.cfg
sed -i 's/^preop.product.version=.*$/preop.product.version=%{version}/' %{buildroot}%{_datadir}/pki/tks/conf/CS.cfg
sed -i 's/^cms.version=.*$/cms.version=%{major_version}.%{minor_version}/' %{buildroot}%{_datadir}/pki/tks/conf/CS.cfg
mkdir -p %{buildroot}%{_localstatedir}/lock/pki/tks
diff --git a/pki/dogtag/tps/pki-tps.spec b/pki/dogtag/tps/pki-tps.spec
index 6b00141ca..ee6d65421 100644
--- a/pki/dogtag/tps/pki-tps.spec
+++ b/pki/dogtag/tps/pki-tps.spec
@@ -156,6 +156,8 @@ cd %{buildroot}%{_datadir}/pki/tps/docroot
ln -s tokendb tus
# fix version information in primary configuration file
+cd %{buildroot}%{_datadir}/pki/tps/conf
+mv CS.cfg.in CS.cfg
sed -i 's/^preop.product.version=.*$/preop.product.version=%{version}/' %{buildroot}%{_datadir}/pki/tps/conf/CS.cfg
# rename config.desktop.in --> config.desktop
diff --git a/pki/scripts/compose_pki_console_packages b/pki/scripts/compose_pki_console_packages
new file mode 100755
index 000000000..b84c3585e
--- /dev/null
+++ b/pki/scripts/compose_pki_console_packages
@@ -0,0 +1,201 @@
+#!/bin/bash
+# BEGIN COPYRIGHT BLOCK
+# (C) 2010 Red Hat, Inc.
+# All rights reserved.
+# END COPYRIGHT BLOCK
+
+## Always switch into the base directory three levels
+## above this shell script prior to executing it so
+## that all of its output is written to this directory
+
+cd `dirname $0`/../..
+
+
+##
+## Retrieve the name of this base directory
+##
+
+PKI_PWD=`pwd`
+
+
+##
+## Establish the 'pki-console' name and version information
+##
+
+PKI_CONSOLE="pki-console"
+PKI_CONSOLE_VERSION="9.0.0"
+
+
+##
+## Establish the SOURCE files/directories of the 'pki-console' source directory
+##
+
+PKI_DIR="pki"
+PKI_BASE_DIR="${PKI_DIR}/base"
+PKI_SPECS_FILE="${PKI_DIR}/specs/${PKI_CONSOLE}.spec"
+PKI_FILE_LIST="CMakeLists.txt COPYING CPackConfig.cmake ConfigureChecks.cmake DefineOptions.cmake README cmake_uninstall.cmake.in config.h.cmake"
+PKI_CMAKE_DIR="cmake"
+PKI_BASE_MANIFEST="CMakeLists.txt"
+PKI_COMPONENT_LIST="console"
+
+
+##
+## Establish the TARGET files/directories of the 'pki-console' source/spec files
+##
+
+PKI_PACKAGES="${PKI_PWD}/packages"
+PKI_CONSOLE_BUILD_DIR="${PKI_PACKAGES}/BUILD"
+PKI_CONSOLE_RPMS_DIR="${PKI_PACKAGES}/RPMS"
+PKI_CONSOLE_SOURCES_DIR="${PKI_PACKAGES}/SOURCES"
+PKI_CONSOLE_SPECS_DIR="${PKI_PACKAGES}/SPECS"
+PKI_CONSOLE_SRPMS_DIR="${PKI_PACKAGES}/SRPMS"
+
+PKI_CONSOLE_TARBALL="${PKI_CONSOLE}-${PKI_CONSOLE_VERSION}.tar.gz"
+PKI_CONSOLE_SPEC_FILE="${PKI_CONSOLE_SPECS_DIR}/${PKI_CONSOLE}.spec"
+PKI_CONSOLE_PACKAGE_SCRIPT="${PKI_PACKAGES}/package_${PKI_CONSOLE}"
+PKI_CONSOLE_PACKAGE_COMMAND="rpmbuild --define \"_topdir \`pwd\`\" -ba SPECS/${PKI_CONSOLE}.spec"
+
+PKI_CONSOLE_STAGING_DIR="${PKI_PACKAGES}/staging"
+PKI_CONSOLE_DIR="${PKI_CONSOLE_STAGING_DIR}/${PKI_CONSOLE}-${PKI_CONSOLE_VERSION}"
+PKI_CONSOLE_BASE_DIR="${PKI_CONSOLE_DIR}/base"
+
+
+##
+## Always create a top-level 'packages' directory
+##
+
+mkdir -p ${PKI_PACKAGES}
+
+
+##
+## Always create 'pki-console' package directories
+##
+
+mkdir -p ${PKI_CONSOLE_BUILD_DIR}
+mkdir -p ${PKI_CONSOLE_RPMS_DIR}
+mkdir -p ${PKI_CONSOLE_SOURCES_DIR}
+mkdir -p ${PKI_CONSOLE_SPECS_DIR}
+mkdir -p ${PKI_CONSOLE_SRPMS_DIR}
+
+
+##
+## Always start with new 'pki-console' package files
+##
+
+rm -rf ${PKI_CONSOLE_BUILD_DIR}/${PKI_CONSOLE}-${PKI_CONSOLE_VERSION}
+rm -f ${PKI_CONSOLE_RPMS_DIR}/${PKI_CONSOLE}-${PKI_CONSOLE_VERSION}*.rpm
+rm -f ${PKI_CONSOLE_SOURCES_DIR}/${PKI_CONSOLE_TARBALL}
+rm -f ${PKI_CONSOLE_SPEC_FILE}
+rm -f ${PKI_CONSOLE_SRPMS_DIR}/${PKI_CONSOLE}-${PKI_CONSOLE_VERSION}*.rpm
+
+
+##
+## Copy a new 'pki-console' spec file from the
+## current contents of the PKI working repository
+##
+
+cp -p ${PKI_SPECS_FILE} ${PKI_CONSOLE_SPECS_DIR}
+
+
+##
+## Always start with a new 'pki-console' staging directory
+##
+
+rm -rf ${PKI_CONSOLE_STAGING_DIR}
+
+
+##
+## To generate the 'pki-console' tarball, construct a staging area
+## consisting of the 'pki-console' source components from the
+## current contents of the PKI working repository
+##
+
+mkdir -p ${PKI_CONSOLE_DIR}
+cd ${PKI_DIR}
+for file in "${PKI_FILE_LIST}" ;
+do
+ cp -p ${file} ${PKI_CONSOLE_DIR}
+done
+find ${PKI_CMAKE_DIR} \
+ -name .svn -prune -o \
+ -name *.swp -prune -o \
+ -print | cpio -pdum ${PKI_CONSOLE_DIR} > /dev/null 2>&1
+cd - > /dev/null 2>&1
+
+mkdir -p ${PKI_CONSOLE_BASE_DIR}
+cd ${PKI_BASE_DIR}
+cp -p ${PKI_BASE_MANIFEST} ${PKI_CONSOLE_BASE_DIR}
+for component in "${PKI_COMPONENT_LIST}" ;
+do
+ find ${component} \
+ -name .svn -prune -o \
+ -name *.swp -prune -o \
+ -name Makefile.am -prune -o \
+ -name Makefile.in -prune -o \
+ -name aclocal.m4 -prune -o \
+ -name autogen.sh -prune -o \
+ -name build.xml -prune -o \
+ -name compile -prune -o \
+ -name config.guess -prune -o \
+ -name config.h.in -prune -o \
+ -name config.sub -prune -o \
+ -name configure -prune -o \
+ -name configure.ac -prune -o \
+ -name depcomp -prune -o \
+ -name install-sh -prune -o \
+ -name ltmain.sh -prune -o \
+ -name m4 -prune -o \
+ -name missing -prune -o \
+ -name setup_package -prune -o \
+ -print | cpio -pdum ${PKI_CONSOLE_BASE_DIR} > /dev/null 2>&1
+done
+cd - > /dev/null 2>&1
+
+
+##
+## Due to the following lower-level 'config' subdirectories,
+## INDEPENDENTLY remove ALL top-level 'config' directories:
+##
+## * ./console/src/com/netscape/admin/certsrv/config (N/A 'pki-console')
+## * ./tps/forms/tps/admin/console/config (N/A 'pki-console')
+##
+
+rm -rf ${PKI_CONSOLE_BASE_DIR}/*/config
+
+
+##
+## Create the 'pki-console' tarball
+##
+
+mkdir -p ${PKI_CONSOLE_SOURCES_DIR}
+cd ${PKI_CONSOLE_STAGING_DIR}
+gtar -zcvf ${PKI_CONSOLE_TARBALL} \
+ "${PKI_CONSOLE}-${PKI_CONSOLE_VERSION}" > /dev/null 2>&1
+mv ${PKI_CONSOLE_TARBALL} ${PKI_CONSOLE_SOURCES_DIR}
+cd - > /dev/null 2>&1
+
+
+##
+## Always remove the PKI staging area
+##
+
+rm -rf ${PKI_CONSOLE_STAGING_DIR}
+
+
+##
+## Always generate a fresh 'pki-console' package script
+##
+
+rm -rf ${PKI_CONSOLE_PACKAGE_SCRIPT}
+printf "#!/bin/bash\n\n" > ${PKI_CONSOLE_PACKAGE_SCRIPT}
+printf "${PKI_CONSOLE_PACKAGE_COMMAND}\n\n" >> ${PKI_CONSOLE_PACKAGE_SCRIPT}
+chmod 775 ${PKI_CONSOLE_PACKAGE_SCRIPT}
+
+
+##
+## Automatically invoke RPM/SRPM creation
+##
+
+cd ${PKI_PACKAGES} ;
+script -c package_${PKI_CONSOLE} package_${PKI_CONSOLE}.log
+
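Review bot: The script has no error handling around its directory changes: the opening `cd` into the directory derived from `$0`, and the later `cd ${PKI_DIR}` and `cd ${PKI_CONSOLE_STAGING_DIR}`, are unchecked and unquoted, and the `rm -rf`, `cpio` and `gtar` calls that follow run whether or not they succeeded. Because `cpio` and `gtar` output goes to `/dev/null`, a failed copy still produces a tarball that is handed to `rpmbuild`, so an incomplete source archive can be packaged without any visible error. I would start the script with `set -e`, write the first step as `cd "$(dirname "$0")/../.." || exit 1`, and quote the path expansions passed to `rm -rf`. The same applies to the compose_pki_kra_packages, compose_pki_migrate_packages, compose_pki_ocsp_packages and compose_pki_ra_packages scripts added by this commit.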
diff --git a/pki/scripts/compose_pki_kra_packages b/pki/scripts/compose_pki_kra_packages
new file mode 100755
index 000000000..ef8c37ce6
--- /dev/null
+++ b/pki/scripts/compose_pki_kra_packages
@@ -0,0 +1,201 @@
+#!/bin/bash
+# BEGIN COPYRIGHT BLOCK
+# (C) 2010 Red Hat, Inc.
+# All rights reserved.
+# END COPYRIGHT BLOCK
+
+## Always switch into the base directory three levels
+## above this shell script prior to executing it so
+## that all of its output is written to this directory
+
+cd `dirname $0`/../..
+
+
+##
+## Retrieve the name of this base directory
+##
+
+PKI_PWD=`pwd`
+
+
+##
+## Establish the 'pki-kra' name and version information
+##
+
+PKI_KRA="pki-kra"
+PKI_KRA_VERSION="9.0.0"
+
+
+##
+## Establish the SOURCE files/directories of the 'pki-kra' source directory
+##
+
+PKI_DIR="pki"
+PKI_BASE_DIR="${PKI_DIR}/base"
+PKI_SPECS_FILE="${PKI_DIR}/specs/${PKI_KRA}.spec"
+PKI_FILE_LIST="CMakeLists.txt COPYING CPackConfig.cmake ConfigureChecks.cmake DefineOptions.cmake README cmake_uninstall.cmake.in config.h.cmake"
+PKI_CMAKE_DIR="cmake"
+PKI_BASE_MANIFEST="CMakeLists.txt"
+PKI_COMPONENT_LIST="kra"
+
+
+##
+## Establish the TARGET files/directories of the 'pki-kra' source/spec files
+##
+
+PKI_PACKAGES="${PKI_PWD}/packages"
+PKI_KRA_BUILD_DIR="${PKI_PACKAGES}/BUILD"
+PKI_KRA_RPMS_DIR="${PKI_PACKAGES}/RPMS"
+PKI_KRA_SOURCES_DIR="${PKI_PACKAGES}/SOURCES"
+PKI_KRA_SPECS_DIR="${PKI_PACKAGES}/SPECS"
+PKI_KRA_SRPMS_DIR="${PKI_PACKAGES}/SRPMS"
+
+PKI_KRA_TARBALL="${PKI_KRA}-${PKI_KRA_VERSION}.tar.gz"
+PKI_KRA_SPEC_FILE="${PKI_KRA_SPECS_DIR}/${PKI_KRA}.spec"
+PKI_KRA_PACKAGE_SCRIPT="${PKI_PACKAGES}/package_${PKI_KRA}"
+PKI_KRA_PACKAGE_COMMAND="rpmbuild --define \"_topdir \`pwd\`\" -ba SPECS/${PKI_KRA}.spec"
+
+PKI_KRA_STAGING_DIR="${PKI_PACKAGES}/staging"
+PKI_KRA_DIR="${PKI_KRA_STAGING_DIR}/${PKI_KRA}-${PKI_KRA_VERSION}"
+PKI_KRA_BASE_DIR="${PKI_KRA_DIR}/base"
+
+
+##
+## Always create a top-level 'packages' directory
+##
+
+mkdir -p ${PKI_PACKAGES}
+
+
+##
+## Always create 'pki-kra' package directories
+##
+
+mkdir -p ${PKI_KRA_BUILD_DIR}
+mkdir -p ${PKI_KRA_RPMS_DIR}
+mkdir -p ${PKI_KRA_SOURCES_DIR}
+mkdir -p ${PKI_KRA_SPECS_DIR}
+mkdir -p ${PKI_KRA_SRPMS_DIR}
+
+
+##
+## Always start with new 'pki-kra' package files
+##
+
+rm -rf ${PKI_KRA_BUILD_DIR}/${PKI_KRA}-${PKI_KRA_VERSION}
+rm -f ${PKI_KRA_RPMS_DIR}/${PKI_KRA}-${PKI_KRA_VERSION}*.rpm
+rm -f ${PKI_KRA_SOURCES_DIR}/${PKI_KRA_TARBALL}
+rm -f ${PKI_KRA_SPEC_FILE}
+rm -f ${PKI_KRA_SRPMS_DIR}/${PKI_KRA}-${PKI_KRA_VERSION}*.rpm
+
+
+##
+## Copy a new 'pki-kra' spec file from the
+## current contents of the PKI working repository
+##
+
+cp -p ${PKI_SPECS_FILE} ${PKI_KRA_SPECS_DIR}
+
+
+##
+## Always start with a new 'pki-kra' staging directory
+##
+
+rm -rf ${PKI_KRA_STAGING_DIR}
+
+
+##
+## To generate the 'pki-kra' tarball, construct a staging area
+## consisting of the 'pki-kra' source components from the
+## current contents of the PKI working repository
+##
+
+mkdir -p ${PKI_KRA_DIR}
+cd ${PKI_DIR}
+for file in "${PKI_FILE_LIST}" ;
+do
+ cp -p ${file} ${PKI_KRA_DIR}
+done
+find ${PKI_CMAKE_DIR} \
+ -name .svn -prune -o \
+ -name *.swp -prune -o \
+ -print | cpio -pdum ${PKI_KRA_DIR} > /dev/null 2>&1
+cd - > /dev/null 2>&1
+
+mkdir -p ${PKI_KRA_BASE_DIR}
+cd ${PKI_BASE_DIR}
+cp -p ${PKI_BASE_MANIFEST} ${PKI_KRA_BASE_DIR}
+for component in "${PKI_COMPONENT_LIST}" ;
+do
+ find ${component} \
+ -name .svn -prune -o \
+ -name *.swp -prune -o \
+ -name Makefile.am -prune -o \
+ -name Makefile.in -prune -o \
+ -name aclocal.m4 -prune -o \
+ -name autogen.sh -prune -o \
+ -name build.xml -prune -o \
+ -name compile -prune -o \
+ -name config.guess -prune -o \
+ -name config.h.in -prune -o \
+ -name config.sub -prune -o \
+ -name configure -prune -o \
+ -name configure.ac -prune -o \
+ -name depcomp -prune -o \
+ -name install-sh -prune -o \
+ -name ltmain.sh -prune -o \
+ -name m4 -prune -o \
+ -name missing -prune -o \
+ -name setup_package -prune -o \
+ -print | cpio -pdum ${PKI_KRA_BASE_DIR} > /dev/null 2>&1
+done
+cd - > /dev/null 2>&1
+
+
+##
+## Due to the following lower-level 'config' subdirectories,
+## INDEPENDENTLY remove ALL top-level 'config' directories:
+##
+## * ./console/src/com/netscape/admin/certsrv/config (N/A 'pki-kra')
+## * ./tps/forms/tps/admin/console/config (N/A 'pki-kra')
+##
+
+rm -rf ${PKI_KRA_BASE_DIR}/*/config
+
+
+##
+## Create the 'pki-kra' tarball
+##
+
+mkdir -p ${PKI_KRA_SOURCES_DIR}
+cd ${PKI_KRA_STAGING_DIR}
+gtar -zcvf ${PKI_KRA_TARBALL} \
+ "${PKI_KRA}-${PKI_KRA_VERSION}" > /dev/null 2>&1
+mv ${PKI_KRA_TARBALL} ${PKI_KRA_SOURCES_DIR}
+cd - > /dev/null 2>&1
+
+
+##
+## Always remove the PKI staging area
+##
+
+rm -rf ${PKI_KRA_STAGING_DIR}
+
+
+##
+## Always generate a fresh 'pki-kra' package script
+##
+
+rm -rf ${PKI_KRA_PACKAGE_SCRIPT}
+printf "#!/bin/bash\n\n" > ${PKI_KRA_PACKAGE_SCRIPT}
+printf "${PKI_KRA_PACKAGE_COMMAND}\n\n" >> ${PKI_KRA_PACKAGE_SCRIPT}
+chmod 775 ${PKI_KRA_PACKAGE_SCRIPT}
+
+
+##
+## Automatically invoke RPM/SRPM creation
+##
+
+cd ${PKI_PACKAGES} ;
+script -c package_${PKI_KRA} package_${PKI_KRA}.log
+
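Review bot: The final `script -c package_${PKI_KRA} package_${PKI_KRA}.log` names the generated script without a path, so the shell started by `script` looks it up on `PATH`. It runs only when the current directory is on `PATH`, and a same-named executable found earlier on `PATH` would be run instead of the file just written. Using the absolute path already held in a variable removes the lookup: `script -c "${PKI_KRA_PACKAGE_SCRIPT}" package_${PKI_KRA}.log`. `chmod 775` also leaves that script group-writable before it is executed; `chmod 755` is enough. The console, migrate and ocsp compose scripts end the same way.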
diff --git a/pki/scripts/compose_pki_migrate_packages b/pki/scripts/compose_pki_migrate_packages
new file mode 100755
index 000000000..d36b58417
--- /dev/null
+++ b/pki/scripts/compose_pki_migrate_packages
@@ -0,0 +1,201 @@
+#!/bin/bash
+# BEGIN COPYRIGHT BLOCK
+# (C) 2010 Red Hat, Inc.
+# All rights reserved.
+# END COPYRIGHT BLOCK
+
+## Always switch into the base directory three levels
+## above this shell script prior to executing it so
+## that all of its output is written to this directory
+
+cd `dirname $0`/../..
+
+
+##
+## Retrieve the name of this base directory
+##
+
+PKI_PWD=`pwd`
+
+
+##
+## Establish the 'pki-migrate' name and version information
+##
+
+PKI_MIGRATE="pki-migrate"
+PKI_MIGRATE_VERSION="9.0.0"
+
+
+##
+## Establish the SOURCE files/directories of the 'pki-migrate' source directory
+##
+
+PKI_DIR="pki"
+PKI_BASE_DIR="${PKI_DIR}/base"
+PKI_SPECS_FILE="${PKI_DIR}/specs/${PKI_MIGRATE}.spec"
+PKI_FILE_LIST="CMakeLists.txt COPYING CPackConfig.cmake ConfigureChecks.cmake DefineOptions.cmake README cmake_uninstall.cmake.in config.h.cmake"
+PKI_CMAKE_DIR="cmake"
+PKI_BASE_MANIFEST="CMakeLists.txt"
+PKI_COMPONENT_LIST="migrate"
+
+
+##
+## Establish the TARGET files/directories of the 'pki-migrate' source/spec files
+##
+
+PKI_PACKAGES="${PKI_PWD}/packages"
+PKI_MIGRATE_BUILD_DIR="${PKI_PACKAGES}/BUILD"
+PKI_MIGRATE_RPMS_DIR="${PKI_PACKAGES}/RPMS"
+PKI_MIGRATE_SOURCES_DIR="${PKI_PACKAGES}/SOURCES"
+PKI_MIGRATE_SPECS_DIR="${PKI_PACKAGES}/SPECS"
+PKI_MIGRATE_SRPMS_DIR="${PKI_PACKAGES}/SRPMS"
+
+PKI_MIGRATE_TARBALL="${PKI_MIGRATE}-${PKI_MIGRATE_VERSION}.tar.gz"
+PKI_MIGRATE_SPEC_FILE="${PKI_MIGRATE_SPECS_DIR}/${PKI_MIGRATE}.spec"
+PKI_MIGRATE_PACKAGE_SCRIPT="${PKI_PACKAGES}/package_${PKI_MIGRATE}"
+PKI_MIGRATE_PACKAGE_COMMAND="rpmbuild --define \"_topdir \`pwd\`\" -ba SPECS/${PKI_MIGRATE}.spec"
+
+PKI_MIGRATE_STAGING_DIR="${PKI_PACKAGES}/staging"
+PKI_MIGRATE_DIR="${PKI_MIGRATE_STAGING_DIR}/${PKI_MIGRATE}-${PKI_MIGRATE_VERSION}"
+PKI_MIGRATE_BASE_DIR="${PKI_MIGRATE_DIR}/base"
+
+
+##
+## Always create a top-level 'packages' directory
+##
+
+mkdir -p ${PKI_PACKAGES}
+
+
+##
+## Always create 'pki-migrate' package directories
+##
+
+mkdir -p ${PKI_MIGRATE_BUILD_DIR}
+mkdir -p ${PKI_MIGRATE_RPMS_DIR}
+mkdir -p ${PKI_MIGRATE_SOURCES_DIR}
+mkdir -p ${PKI_MIGRATE_SPECS_DIR}
+mkdir -p ${PKI_MIGRATE_SRPMS_DIR}
+
+
+##
+## Always start with new 'pki-migrate' package files
+##
+
+rm -rf ${PKI_MIGRATE_BUILD_DIR}/${PKI_MIGRATE}-${PKI_MIGRATE_VERSION}
+rm -f ${PKI_MIGRATE_RPMS_DIR}/${PKI_MIGRATE}-${PKI_MIGRATE_VERSION}*.rpm
+rm -f ${PKI_MIGRATE_SOURCES_DIR}/${PKI_MIGRATE_TARBALL}
+rm -f ${PKI_MIGRATE_SPEC_FILE}
+rm -f ${PKI_MIGRATE_SRPMS_DIR}/${PKI_MIGRATE}-${PKI_MIGRATE_VERSION}*.rpm
+
+
+##
+## Copy a new 'pki-migrate' spec file from the
+## current contents of the PKI working repository
+##
+
+cp -p ${PKI_SPECS_FILE} ${PKI_MIGRATE_SPECS_DIR}
+
+
+##
+## Always start with a new 'pki-migrate' staging directory
+##
+
+rm -rf ${PKI_MIGRATE_STAGING_DIR}
+
+
+##
+## To generate the 'pki-migrate' tarball, construct a staging area
+## consisting of the 'pki-migrate' source components from the
+## current contents of the PKI working repository
+##
+
+mkdir -p ${PKI_MIGRATE_DIR}
+cd ${PKI_DIR}
+for file in "${PKI_FILE_LIST}" ;
+do
+ cp -p ${file} ${PKI_MIGRATE_DIR}
+done
+find ${PKI_CMAKE_DIR} \
+ -name .svn -prune -o \
+ -name *.swp -prune -o \
+ -print | cpio -pdum ${PKI_MIGRATE_DIR} > /dev/null 2>&1
+cd - > /dev/null 2>&1
+
+mkdir -p ${PKI_MIGRATE_BASE_DIR}
+cd ${PKI_BASE_DIR}
+cp -p ${PKI_BASE_MANIFEST} ${PKI_MIGRATE_BASE_DIR}
+for component in "${PKI_COMPONENT_LIST}" ;
+do
+ find ${component} \
+ -name .svn -prune -o \
+ -name *.swp -prune -o \
+ -name Makefile.am -prune -o \
+ -name Makefile.in -prune -o \
+ -name aclocal.m4 -prune -o \
+ -name autogen.sh -prune -o \
+ -name build.xml -prune -o \
+ -name compile -prune -o \
+ -name config.guess -prune -o \
+ -name config.h.in -prune -o \
+ -name config.sub -prune -o \
+ -name configure -prune -o \
+ -name configure.ac -prune -o \
+ -name depcomp -prune -o \
+ -name install-sh -prune -o \
+ -name ltmain.sh -prune -o \
+ -name m4 -prune -o \
+ -name missing -prune -o \
+ -name setup_package -prune -o \
+ -print | cpio -pdum ${PKI_MIGRATE_BASE_DIR} > /dev/null 2>&1
+done
+cd - > /dev/null 2>&1
+
+
+##
+## Due to the following lower-level 'config' subdirectories,
+## INDEPENDENTLY remove ALL top-level 'config' directories:
+##
+## * ./console/src/com/netscape/admin/certsrv/config (N/A 'pki-migrate')
+## * ./tps/forms/tps/admin/console/config (N/A 'pki-migrate')
+##
+
+rm -rf ${PKI_MIGRATE_BASE_DIR}/*/config
+
+
+##
+## Create the 'pki-migrate' tarball
+##
+
+mkdir -p ${PKI_MIGRATE_SOURCES_DIR}
+cd ${PKI_MIGRATE_STAGING_DIR}
+gtar -zcvf ${PKI_MIGRATE_TARBALL} \
+ "${PKI_MIGRATE}-${PKI_MIGRATE_VERSION}" > /dev/null 2>&1
+mv ${PKI_MIGRATE_TARBALL} ${PKI_MIGRATE_SOURCES_DIR}
+cd - > /dev/null 2>&1
+
+
+##
+## Always remove the PKI staging area
+##
+
+rm -rf ${PKI_MIGRATE_STAGING_DIR}
+
+
+##
+## Always generate a fresh 'pki-migrate' package script
+##
+
+rm -rf ${PKI_MIGRATE_PACKAGE_SCRIPT}
+printf "#!/bin/bash\n\n" > ${PKI_MIGRATE_PACKAGE_SCRIPT}
+printf "${PKI_MIGRATE_PACKAGE_COMMAND}\n\n" >> ${PKI_MIGRATE_PACKAGE_SCRIPT}
+chmod 775 ${PKI_MIGRATE_PACKAGE_SCRIPT}
+
+
+##
+## Automatically invoke RPM/SRPM creation
+##
+
+cd ${PKI_PACKAGES} ;
+script -c package_${PKI_MIGRATE} package_${PKI_MIGRATE}.log
+
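Review bot: The `-name *.swp` tests in both `find` commands are unquoted, so if a file matching `*.swp` exists in the directory `find` is started from, the shell expands the pattern before `find` sees it and the prune expression changes or fails to parse. Quote the pattern: `-name '*.swp' -prune -o`. Similarly, `printf "${PKI_MIGRATE_PACKAGE_COMMAND}\n\n"` uses the variable as the format string; `printf '%s\n\n' "${PKI_MIGRATE_PACKAGE_COMMAND}"` writes it literally. The console, kra and ocsp compose scripts contain the same lines.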
diff --git a/pki/scripts/compose_pki_ocsp_packages b/pki/scripts/compose_pki_ocsp_packages
new file mode 100755
index 000000000..44f69bd3a
--- /dev/null
+++ b/pki/scripts/compose_pki_ocsp_packages
@@ -0,0 +1,201 @@
+#!/bin/bash
+# BEGIN COPYRIGHT BLOCK
+# (C) 2010 Red Hat, Inc.
+# All rights reserved.
+# END COPYRIGHT BLOCK
+
+## Always switch into the base directory three levels
+## above this shell script prior to executing it so
+## that all of its output is written to this directory
+
+cd `dirname $0`/../..
+
+
+##
+## Retrieve the name of this base directory
+##
+
+PKI_PWD=`pwd`
+
+
+##
+## Establish the 'pki-ocsp' name and version information
+##
+
+PKI_OCSP="pki-ocsp"
+PKI_OCSP_VERSION="9.0.0"
+
+
+##
+## Establish the SOURCE files/directories of the 'pki-ocsp' source directory
+##
+
+PKI_DIR="pki"
+PKI_BASE_DIR="${PKI_DIR}/base"
+PKI_SPECS_FILE="${PKI_DIR}/specs/${PKI_OCSP}.spec"
+PKI_FILE_LIST="CMakeLists.txt COPYING CPackConfig.cmake ConfigureChecks.cmake DefineOptions.cmake README cmake_uninstall.cmake.in config.h.cmake"
+PKI_CMAKE_DIR="cmake"
+PKI_BASE_MANIFEST="CMakeLists.txt"
+PKI_COMPONENT_LIST="ocsp"
+
+
+##
+## Establish the TARGET files/directories of the 'pki-ocsp' source/spec files
+##
+
+PKI_PACKAGES="${PKI_PWD}/packages"
+PKI_OCSP_BUILD_DIR="${PKI_PACKAGES}/BUILD"
+PKI_OCSP_RPMS_DIR="${PKI_PACKAGES}/RPMS"
+PKI_OCSP_SOURCES_DIR="${PKI_PACKAGES}/SOURCES"
+PKI_OCSP_SPECS_DIR="${PKI_PACKAGES}/SPECS"
+PKI_OCSP_SRPMS_DIR="${PKI_PACKAGES}/SRPMS"
+
+PKI_OCSP_TARBALL="${PKI_OCSP}-${PKI_OCSP_VERSION}.tar.gz"
+PKI_OCSP_SPEC_FILE="${PKI_OCSP_SPECS_DIR}/${PKI_OCSP}.spec"
+PKI_OCSP_PACKAGE_SCRIPT="${PKI_PACKAGES}/package_${PKI_OCSP}"
+PKI_OCSP_PACKAGE_COMMAND="rpmbuild --define \"_topdir \`pwd\`\" -ba SPECS/${PKI_OCSP}.spec"
+
+PKI_OCSP_STAGING_DIR="${PKI_PACKAGES}/staging"
+PKI_OCSP_DIR="${PKI_OCSP_STAGING_DIR}/${PKI_OCSP}-${PKI_OCSP_VERSION}"
+PKI_OCSP_BASE_DIR="${PKI_OCSP_DIR}/base"
+
+
+##
+## Always create a top-level 'packages' directory
+##
+
+mkdir -p ${PKI_PACKAGES}
+
+
+##
+## Always create 'pki-ocsp' package directories
+##
+
+mkdir -p ${PKI_OCSP_BUILD_DIR}
+mkdir -p ${PKI_OCSP_RPMS_DIR}
+mkdir -p ${PKI_OCSP_SOURCES_DIR}
+mkdir -p ${PKI_OCSP_SPECS_DIR}
+mkdir -p ${PKI_OCSP_SRPMS_DIR}
+
+
+##
+## Always start with new 'pki-ocsp' package files
+##
+
+rm -rf ${PKI_OCSP_BUILD_DIR}/${PKI_OCSP}-${PKI_OCSP_VERSION}
+rm -f ${PKI_OCSP_RPMS_DIR}/${PKI_OCSP}-${PKI_OCSP_VERSION}*.rpm
+rm -f ${PKI_OCSP_SOURCES_DIR}/${PKI_OCSP_TARBALL}
+rm -f ${PKI_OCSP_SPEC_FILE}
+rm -f ${PKI_OCSP_SRPMS_DIR}/${PKI_OCSP}-${PKI_OCSP_VERSION}*.rpm
+
+
+##
+## Copy a new 'pki-ocsp' spec file from the
+## current contents of the PKI working repository
+##
+
+cp -p ${PKI_SPECS_FILE} ${PKI_OCSP_SPECS_DIR}
+
+
+##
+## Always start with a new 'pki-ocsp' staging directory
+##
+
+rm -rf ${PKI_OCSP_STAGING_DIR}
+
+
+##
+## To generate the 'pki-ocsp' tarball, construct a staging area
+## consisting of the 'pki-ocsp' source components from the
+## current contents of the PKI working repository
+##
+
+mkdir -p ${PKI_OCSP_DIR}
+cd ${PKI_DIR}
+for file in "${PKI_FILE_LIST}" ;
+do
+ cp -p ${file} ${PKI_OCSP_DIR}
+done
+find ${PKI_CMAKE_DIR} \
+ -name .svn -prune -o \
+ -name *.swp -prune -o \
+ -print | cpio -pdum ${PKI_OCSP_DIR} > /dev/null 2>&1
+cd - > /dev/null 2>&1
+
+mkdir -p ${PKI_OCSP_BASE_DIR}
+cd ${PKI_BASE_DIR}
+cp -p ${PKI_BASE_MANIFEST} ${PKI_OCSP_BASE_DIR}
+for component in "${PKI_COMPONENT_LIST}" ;
+do
+ find ${component} \
+ -name .svn -prune -o \
+ -name *.swp -prune -o \
+ -name Makefile.am -prune -o \
+ -name Makefile.in -prune -o \
+ -name aclocal.m4 -prune -o \
+ -name autogen.sh -prune -o \
+ -name build.xml -prune -o \
+ -name compile -prune -o \
+ -name config.guess -prune -o \
+ -name config.h.in -prune -o \
+ -name config.sub -prune -o \
+ -name configure -prune -o \
+ -name configure.ac -prune -o \
+ -name depcomp -prune -o \
+ -name install-sh -prune -o \
+ -name ltmain.sh -prune -o \
+ -name m4 -prune -o \
+ -name missing -prune -o \
+ -name setup_package -prune -o \
+ -print | cpio -pdum ${PKI_OCSP_BASE_DIR} > /dev/null 2>&1
+done
+cd - > /dev/null 2>&1
+
+
+##
+## Due to the following lower-level 'config' subdirectories,
+## INDEPENDENTLY remove ALL top-level 'config' directories:
+##
+## * ./console/src/com/netscape/admin/certsrv/config (N/A 'pki-ocsp')
+## * ./tps/forms/tps/admin/console/config (N/A 'pki-ocsp')
+##
+
+rm -rf ${PKI_OCSP_BASE_DIR}/*/config
+
+
+##
+## Create the 'pki-ocsp' tarball
+##
+
+mkdir -p ${PKI_OCSP_SOURCES_DIR}
+cd ${PKI_OCSP_STAGING_DIR}
+gtar -zcvf ${PKI_OCSP_TARBALL} \
+ "${PKI_OCSP}-${PKI_OCSP_VERSION}" > /dev/null 2>&1
+mv ${PKI_OCSP_TARBALL} ${PKI_OCSP_SOURCES_DIR}
+cd - > /dev/null 2>&1
+
+
+##
+## Always remove the PKI staging area
+##
+
+rm -rf ${PKI_OCSP_STAGING_DIR}
+
+
+##
+## Always generate a fresh 'pki-ocsp' package script
+##
+
+rm -rf ${PKI_OCSP_PACKAGE_SCRIPT}
+printf "#!/bin/bash\n\n" > ${PKI_OCSP_PACKAGE_SCRIPT}
+printf "${PKI_OCSP_PACKAGE_COMMAND}\n\n" >> ${PKI_OCSP_PACKAGE_SCRIPT}
+chmod 775 ${PKI_OCSP_PACKAGE_SCRIPT}
+
+
+##
+## Automatically invoke RPM/SRPM creation
+##
+
+cd ${PKI_PACKAGES} ;
+script -c package_${PKI_OCSP} package_${PKI_OCSP}.log
+
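Review bot: `for file in "${PKI_FILE_LIST}"` iterates exactly once over the whole quoted string, and the copy works only because `${file}` is then expanded unquoted in `cp -p ${file} ${PKI_OCSP_DIR}`. The `for component in "${PKI_COMPONENT_LIST}"` loop has the same shape and would pass a multi-word list to `find` as several start directories in one call rather than one per iteration. Writing the loop as `for file in ${PKI_FILE_LIST} ; do cp -p "${file}" "${PKI_OCSP_DIR}" ; done` (or using a bash array) makes the word splitting deliberate and lets the destination be quoted. The console, kra and migrate compose scripts use the same loops.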
diff --git a/pki/scripts/compose_pki_ra_packages b/pki/scripts/compose_pki_ra_packages
new file mode 100755
index 000000000..10fd1790c
--- /dev/null
+++ b/pki/scripts/compose_pki_ra_packages
@@ -0,0 +1,201 @@
+#!/bin/bash
+# BEGIN COPYRIGHT BLOCK
+# (C) 2010 Red Hat, Inc.
+# All rights reserved.
+# END COPYRIGHT BLOCK
+
+## Always switch into the base directory three levels
+## above this shell script prior to executing it so
+## that all of its output is written to this directory
+
+cd `dirname $0`/../..
+
+
+##
+## Retrieve the name of this base directory
+##
+
+PKI_PWD=`pwd`
+
+
+##
+## Establish the 'pki-ra' name and version information
+##
+
+PKI_RA="pki-ra"
+PKI_RA_VERSION="9.0.0"
+
+
+##
+## Establish the SOURCE files/directories of the 'pki-ra' source directory
+##
+
+PKI_DIR="pki"
+PKI_BASE_DIR="${PKI_DIR}/base"
+PKI_SPECS_FILE="${PKI_DIR}/specs/${PKI_RA}.spec"
+PKI_FILE_LIST="CMakeLists.txt COPYING CPackConfig.cmake ConfigureChecks.cmake DefineOptions.cmake README cmake_uninstall.cmake.in config.h.cmake"
+PKI_CMAKE_DIR="cmake"
+PKI_BASE_MANIFEST="CMakeLists.txt"
+PKI_COMPONENT_LIST="ra"
+
+
+##
+## Establish the TARGET files/directories of the 'pki-ra' source/spec files
+##
+
+PKI_PACKAGES="${PKI_PWD}/packages"
+PKI_RA_BUILD_DIR="${PKI_PACKAGES}/BUILD"
+PKI_RA_RPMS_DIR="${PKI_PACKAGES}/RPMS"
+PKI_RA_SOURCES_DIR="${PKI_PACKAGES}/SOURCES"
+PKI_RA_SPECS_DIR="${PKI_PACKAGES}/SPECS"
+PKI_RA_SRPMS_DIR="${PKI_PACKAGES}/SRPMS"
+
+PKI_RA_TARBALL="${PKI_RA}-${PKI_RA_VERSION}.tar.gz"
+PKI_RA_SPEC_FILE="${PKI_RA_SPECS_DIR}/${PKI_RA}.spec"
+PKI_RA_PACKAGE_SCRIPT="${PKI_PACKAGES}/package_${PKI_RA}"
+PKI_RA_PACKAGE_COMMAND="rpmbuild --define \"_topdir \`pwd\`\" -ba SPECS/${PKI_RA}.spec"
+
+PKI_RA_STAGING_DIR="${PKI_PACKAGES}/staging"
+PKI_RA_DIR="${PKI_RA_STAGING_DIR}/${PKI_RA}-${PKI_RA_VERSION}"
+PKI_RA_BASE_DIR="${PKI_RA_DIR}/base"
+
+
+##
+## Always create a top-level 'packages' directory
+##
+
+mkdir -p ${PKI_PACKAGES}
+
+
+##
+## Always create 'pki-ra' package directories
+##
+
+mkdir -p ${PKI_RA_BUILD_DIR}
+mkdir -p ${PKI_RA_RPMS_DIR}
+mkdir -p ${PKI_RA_SOURCES_DIR}
+mkdir -p ${PKI_RA_SPECS_DIR}
+mkdir -p ${PKI_RA_SRPMS_DIR}
+
+
+##
+## Always start with new 'pki-ra' package files
+##
+
+rm -rf ${PKI_RA_BUILD_DIR}/${PKI_RA}-${PKI_RA_VERSION}
+rm -f ${PKI_RA_RPMS_DIR}/${PKI_RA}-${PKI_RA_VERSION}*.rpm
+rm -f ${PKI_RA_SOURCES_DIR}/${PKI_RA_TARBALL}
+rm -f ${PKI_RA_SPEC_FILE}
+rm -f ${PKI_RA_SRPMS_DIR}/${PKI_RA}-${PKI_RA_VERSION}*.rpm
+
+
+##
+## Copy a new 'pki-ra' spec file from the
+## current contents of the PKI working repository
+##
+
+cp -p ${PKI_SPECS_FILE} ${PKI_RA_SPECS_DIR}
+
+
+##
+## Always start with a new 'pki-ra' staging directory
+##
+
+rm -rf ${PKI_RA_STAGING_DIR}
+
+
+##
+## To generate the 'pki-ra' tarball, construct a staging area
+## consisting of the 'pki-ra' source components from the
+## current contents of the PKI working repository
+##
+
+mkdir -p ${PKI_RA_DIR}
+cd ${PKI_DIR}
+for file in "${PKI_FILE_LIST}" ;
+do
+ cp -p ${file} ${PKI_RA_DIR}
+done
+find ${PKI_CMAKE_DIR} \
+ -name .svn -prune -o \
+ -name *.swp -prune -o \
+ -print | cpio -pdum ${PKI_RA_DIR} > /dev/null 2>&1
+cd - > /dev/null 2>&1
+
+mkdir -p ${PKI_RA_BASE_DIR}
+cd ${PKI_BASE_DIR}
+cp -p ${PKI_BASE_MANIFEST} ${PKI_RA_BASE_DIR}
+for component in "${PKI_COMPONENT_LIST}" ;
+do
+ find ${component} \
+ -name .svn -prune -o \
+ -name *.swp -prune -o \
+ -name Makefile.am -prune -o \
+ -name Makefile.in -prune -o \
+ -name aclocal.m4 -prune -o \
+ -name autogen.sh -prune -o \
+ -name build.xml -prune -o \
+ -name compile -prune -o \
+ -name config.guess -prune -o \
+ -name config.h.in -prune -o \
+ -name config.sub -prune -o \
+ -name configure -prune -o \
+ -name configure.ac -prune -o \
+ -name depcomp -prune -o \
+ -name install-sh -prune -o \
+ -name ltmain.sh -prune -o \
+ -name m4 -prune -o \
+ -name missing -prune -o \
+ -name setup_package -prune -o \
+ -print | cpio -pdum ${PKI_RA_BASE_DIR} > /dev/null 2>&1
+done
+cd - > /dev/null 2>&1
+
+
+##
+## Due to the following lower-level 'config' subdirectories,
+## INDEPENDENTLY remove ALL top-level 'config' directories:
+##
+## * ./console/src/com/netscape/admin/certsrv/config (N/A 'pki-ra')
+## * ./tps/forms/tps/admin/console/config (N/A 'pki-ra')
+##
+
+rm -rf ${PKI_RA_BASE_DIR}/*/config
+
+
+##
+## Create the 'pki-ra' tarball
+##
+
+mkdir -p ${PKI_RA_SOURCES_DIR}
+cd ${PKI_RA_STAGING_DIR}
+gtar -zcvf ${PKI_RA_TARBALL} \
+ "${PKI_RA}-${PKI_RA_VERSION}" > /dev/null 2>&1
+mv ${PKI_RA_TARBALL} ${PKI_RA_SOURCES_DIR}
+cd - > /dev/null 2>&1
+
+
+##
+## Always remove the PKI staging area
+##
+
+rm -rf ${PKI_RA_STAGING_DIR}
+
+
+##
+## Always generate a fresh 'pki-ra' package script
+##
+
+rm -rf ${PKI_RA_PACKAGE_SCRIPT}
+printf "#!/bin/bash\n\n" > ${PKI_RA_PACKAGE_SCRIPT}
+printf "${PKI_RA_PACKAGE_COMMAND}\n\n" >> ${PKI_RA_PACKAGE_SCRIPT}
+chmod 775 ${PKI_RA_PACKAGE_SCRIPT}
+
+
+##
+## Automatically invoke RPM/SRPM creation
+##
+
+cd ${PKI_PACKAGES} ;
+script -c package_${PKI_RA} package_${PKI_RA}.log
+
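Review bot: The `cd` near the top of the script (``cd `dirname $0`/../..``) is unchecked and unquoted, yet every later path, including `rm -rf ${PKI_RA_STAGING_DIR}` and `rm -rf ${PKI_RA_BASE_DIR}/*/config`, is built from the `pwd` taken right after it. If that `cd` or a later `cd ${PKI_DIR}` fails, the deletions and copies run against a `packages` tree under whatever directory the caller started in. A checkout path containing whitespace breaks the unquoted expansions in a similar way. Stop on the first failure and quote the expansions, e.g. `cd "$(dirname "$0")/../.." || exit 1` and `rm -rf "${PKI_RA_STAGING_DIR}"`. The same lines appear in compose_pki_tks_packages and compose_pki_tps_packages below, and apparently in the OCSP script whose start is outside this view.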
diff --git a/pki/scripts/compose_pki_tks_packages b/pki/scripts/compose_pki_tks_packages
new file mode 100755
index 000000000..c6e900b98
--- /dev/null
+++ b/pki/scripts/compose_pki_tks_packages
@@ -0,0 +1,201 @@
+#!/bin/bash
+# BEGIN COPYRIGHT BLOCK
+# (C) 2010 Red Hat, Inc.
+# All rights reserved.
+# END COPYRIGHT BLOCK
+
+## Always switch into the base directory three levels
+## above this shell script prior to executing it so
+## that all of its output is written to this directory
+
+cd `dirname $0`/../..
+
+
+##
+## Retrieve the name of this base directory
+##
+
+PKI_PWD=`pwd`
+
+
+##
+## Establish the 'pki-tks' name and version information
+##
+
+PKI_TKS="pki-tks"
+PKI_TKS_VERSION="9.0.0"
+
+
+##
+## Establish the SOURCE files/directories of the 'pki-tks' source directory
+##
+
+PKI_DIR="pki"
+PKI_BASE_DIR="${PKI_DIR}/base"
+PKI_SPECS_FILE="${PKI_DIR}/specs/${PKI_TKS}.spec"
+PKI_FILE_LIST="CMakeLists.txt COPYING CPackConfig.cmake ConfigureChecks.cmake DefineOptions.cmake README cmake_uninstall.cmake.in config.h.cmake"
+PKI_CMAKE_DIR="cmake"
+PKI_BASE_MANIFEST="CMakeLists.txt"
+PKI_COMPONENT_LIST="tks"
+
+
+##
+## Establish the TARGET files/directories of the 'pki-tks' source/spec files
+##
+
+PKI_PACKAGES="${PKI_PWD}/packages"
+PKI_TKS_BUILD_DIR="${PKI_PACKAGES}/BUILD"
+PKI_TKS_RPMS_DIR="${PKI_PACKAGES}/RPMS"
+PKI_TKS_SOURCES_DIR="${PKI_PACKAGES}/SOURCES"
+PKI_TKS_SPECS_DIR="${PKI_PACKAGES}/SPECS"
+PKI_TKS_SRPMS_DIR="${PKI_PACKAGES}/SRPMS"
+
+PKI_TKS_TARBALL="${PKI_TKS}-${PKI_TKS_VERSION}.tar.gz"
+PKI_TKS_SPEC_FILE="${PKI_TKS_SPECS_DIR}/${PKI_TKS}.spec"
+PKI_TKS_PACKAGE_SCRIPT="${PKI_PACKAGES}/package_${PKI_TKS}"
+PKI_TKS_PACKAGE_COMMAND="rpmbuild --define \"_topdir \`pwd\`\" -ba SPECS/${PKI_TKS}.spec"
+
+PKI_TKS_STAGING_DIR="${PKI_PACKAGES}/staging"
+PKI_TKS_DIR="${PKI_TKS_STAGING_DIR}/${PKI_TKS}-${PKI_TKS_VERSION}"
+PKI_TKS_BASE_DIR="${PKI_TKS_DIR}/base"
+
+
+##
+## Always create a top-level 'packages' directory
+##
+
+mkdir -p ${PKI_PACKAGES}
+
+
+##
+## Always create 'pki-tks' package directories
+##
+
+mkdir -p ${PKI_TKS_BUILD_DIR}
+mkdir -p ${PKI_TKS_RPMS_DIR}
+mkdir -p ${PKI_TKS_SOURCES_DIR}
+mkdir -p ${PKI_TKS_SPECS_DIR}
+mkdir -p ${PKI_TKS_SRPMS_DIR}
+
+
+##
+## Always start with new 'pki-tks' package files
+##
+
+rm -rf ${PKI_TKS_BUILD_DIR}/${PKI_TKS}-${PKI_TKS_VERSION}
+rm -f ${PKI_TKS_RPMS_DIR}/${PKI_TKS}-${PKI_TKS_VERSION}*.rpm
+rm -f ${PKI_TKS_SOURCES_DIR}/${PKI_TKS_TARBALL}
+rm -f ${PKI_TKS_SPEC_FILE}
+rm -f ${PKI_TKS_SRPMS_DIR}/${PKI_TKS}-${PKI_TKS_VERSION}*.rpm
+
+
+##
+## Copy a new 'pki-tks' spec file from the
+## current contents of the PKI working repository
+##
+
+cp -p ${PKI_SPECS_FILE} ${PKI_TKS_SPECS_DIR}
+
+
+##
+## Always start with a new 'pki-tks' staging directory
+##
+
+rm -rf ${PKI_TKS_STAGING_DIR}
+
+
+##
+## To generate the 'pki-tks' tarball, construct a staging area
+## consisting of the 'pki-tks' source components from the
+## current contents of the PKI working repository
+##
+
+mkdir -p ${PKI_TKS_DIR}
+cd ${PKI_DIR}
+for file in "${PKI_FILE_LIST}" ;
+do
+ cp -p ${file} ${PKI_TKS_DIR}
+done
+find ${PKI_CMAKE_DIR} \
+ -name .svn -prune -o \
+ -name *.swp -prune -o \
+ -print | cpio -pdum ${PKI_TKS_DIR} > /dev/null 2>&1
+cd - > /dev/null 2>&1
+
+mkdir -p ${PKI_TKS_BASE_DIR}
+cd ${PKI_BASE_DIR}
+cp -p ${PKI_BASE_MANIFEST} ${PKI_TKS_BASE_DIR}
+for component in "${PKI_COMPONENT_LIST}" ;
+do
+ find ${component} \
+ -name .svn -prune -o \
+ -name *.swp -prune -o \
+ -name Makefile.am -prune -o \
+ -name Makefile.in -prune -o \
+ -name aclocal.m4 -prune -o \
+ -name autogen.sh -prune -o \
+ -name build.xml -prune -o \
+ -name compile -prune -o \
+ -name config.guess -prune -o \
+ -name config.h.in -prune -o \
+ -name config.sub -prune -o \
+ -name configure -prune -o \
+ -name configure.ac -prune -o \
+ -name depcomp -prune -o \
+ -name install-sh -prune -o \
+ -name ltmain.sh -prune -o \
+ -name m4 -prune -o \
+ -name missing -prune -o \
+ -name setup_package -prune -o \
+ -print | cpio -pdum ${PKI_TKS_BASE_DIR} > /dev/null 2>&1
+done
+cd - > /dev/null 2>&1
+
+
+##
+## Due to the following lower-level 'config' subdirectories,
+## INDEPENDENTLY remove ALL top-level 'config' directories:
+##
+## * ./console/src/com/netscape/admin/certsrv/config (N/A 'pki-tks')
+## * ./tps/forms/tps/admin/console/config (N/A 'pki-tks')
+##
+
+rm -rf ${PKI_TKS_BASE_DIR}/*/config
+
+
+##
+## Create the 'pki-tks' tarball
+##
+
+mkdir -p ${PKI_TKS_SOURCES_DIR}
+cd ${PKI_TKS_STAGING_DIR}
+gtar -zcvf ${PKI_TKS_TARBALL} \
+ "${PKI_TKS}-${PKI_TKS_VERSION}" > /dev/null 2>&1
+mv ${PKI_TKS_TARBALL} ${PKI_TKS_SOURCES_DIR}
+cd - > /dev/null 2>&1
+
+
+##
+## Always remove the PKI staging area
+##
+
+rm -rf ${PKI_TKS_STAGING_DIR}
+
+
+##
+## Always generate a fresh 'pki-tks' package script
+##
+
+rm -rf ${PKI_TKS_PACKAGE_SCRIPT}
+printf "#!/bin/bash\n\n" > ${PKI_TKS_PACKAGE_SCRIPT}
+printf "${PKI_TKS_PACKAGE_COMMAND}\n\n" >> ${PKI_TKS_PACKAGE_SCRIPT}
+chmod 775 ${PKI_TKS_PACKAGE_SCRIPT}
+
+
+##
+## Automatically invoke RPM/SRPM creation
+##
+
+cd ${PKI_PACKAGES} ;
+script -c package_${PKI_TKS} package_${PKI_TKS}.log
+
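Review bot: The final `script -c package_${PKI_TKS} package_${PKI_TKS}.log` names the generated script without a path, so the shell that `script` starts resolves it through `PATH` only. That presumably works only when `.` is on the builder's PATH; otherwise it fails, or runs some other `package_pki-tks` found earlier in the search path. Call it explicitly with `script -c "./package_${PKI_TKS}" "package_${PKI_TKS}.log"`. The script is also created with `chmod 775`, which leaves it group-writable right before it is executed; `chmod 755` is enough. compose_pki_ra_packages and compose_pki_tps_packages end with the same lines.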
diff --git a/pki/scripts/compose_pki_tps_packages b/pki/scripts/compose_pki_tps_packages
new file mode 100755
index 000000000..66dd30cd2
--- /dev/null
+++ b/pki/scripts/compose_pki_tps_packages
@@ -0,0 +1,201 @@
+#!/bin/bash
+# BEGIN COPYRIGHT BLOCK
+# (C) 2010 Red Hat, Inc.
+# All rights reserved.
+# END COPYRIGHT BLOCK
+
+## Always switch into the base directory three levels
+## above this shell script prior to executing it so
+## that all of its output is written to this directory
+
+cd `dirname $0`/../..
+
+
+##
+## Retrieve the name of this base directory
+##
+
+PKI_PWD=`pwd`
+
+
+##
+## Establish the 'pki-tps' name and version information
+##
+
+PKI_TPS="pki-tps"
+PKI_TPS_VERSION="9.0.0"
+
+
+##
+## Establish the SOURCE files/directories of the 'pki-tps' source directory
+##
+
+PKI_DIR="pki"
+PKI_BASE_DIR="${PKI_DIR}/base"
+PKI_SPECS_FILE="${PKI_DIR}/specs/${PKI_TPS}.spec"
+PKI_FILE_LIST="CMakeLists.txt COPYING CPackConfig.cmake ConfigureChecks.cmake DefineOptions.cmake README cmake_uninstall.cmake.in config.h.cmake"
+PKI_CMAKE_DIR="cmake"
+PKI_BASE_MANIFEST="CMakeLists.txt"
+PKI_COMPONENT_LIST="tps"
+
+
+##
+## Establish the TARGET files/directories of the 'pki-tps' source/spec files
+##
+
+PKI_PACKAGES="${PKI_PWD}/packages"
+PKI_TPS_BUILD_DIR="${PKI_PACKAGES}/BUILD"
+PKI_TPS_RPMS_DIR="${PKI_PACKAGES}/RPMS"
+PKI_TPS_SOURCES_DIR="${PKI_PACKAGES}/SOURCES"
+PKI_TPS_SPECS_DIR="${PKI_PACKAGES}/SPECS"
+PKI_TPS_SRPMS_DIR="${PKI_PACKAGES}/SRPMS"
+
+PKI_TPS_TARBALL="${PKI_TPS}-${PKI_TPS_VERSION}.tar.gz"
+PKI_TPS_SPEC_FILE="${PKI_TPS_SPECS_DIR}/${PKI_TPS}.spec"
+PKI_TPS_PACKAGE_SCRIPT="${PKI_PACKAGES}/package_${PKI_TPS}"
+PKI_TPS_PACKAGE_COMMAND="rpmbuild --define \"_topdir \`pwd\`\" -ba SPECS/${PKI_TPS}.spec"
+
+PKI_TPS_STAGING_DIR="${PKI_PACKAGES}/staging"
+PKI_TPS_DIR="${PKI_TPS_STAGING_DIR}/${PKI_TPS}-${PKI_TPS_VERSION}"
+PKI_TPS_BASE_DIR="${PKI_TPS_DIR}/base"
+
+
+##
+## Always create a top-level 'packages' directory
+##
+
+mkdir -p ${PKI_PACKAGES}
+
+
+##
+## Always create 'pki-tps' package directories
+##
+
+mkdir -p ${PKI_TPS_BUILD_DIR}
+mkdir -p ${PKI_TPS_RPMS_DIR}
+mkdir -p ${PKI_TPS_SOURCES_DIR}
+mkdir -p ${PKI_TPS_SPECS_DIR}
+mkdir -p ${PKI_TPS_SRPMS_DIR}
+
+
+##
+## Always start with new 'pki-tps' package files
+##
+
+rm -rf ${PKI_TPS_BUILD_DIR}/${PKI_TPS}-${PKI_TPS_VERSION}
+rm -f ${PKI_TPS_RPMS_DIR}/${PKI_TPS}-${PKI_TPS_VERSION}*.rpm
+rm -f ${PKI_TPS_SOURCES_DIR}/${PKI_TPS_TARBALL}
+rm -f ${PKI_TPS_SPEC_FILE}
+rm -f ${PKI_TPS_SRPMS_DIR}/${PKI_TPS}-${PKI_TPS_VERSION}*.rpm
+
+
+##
+## Copy a new 'pki-tps' spec file from the
+## current contents of the PKI working repository
+##
+
+cp -p ${PKI_SPECS_FILE} ${PKI_TPS_SPECS_DIR}
+
+
+##
+## Always start with a new 'pki-tps' staging directory
+##
+
+rm -rf ${PKI_TPS_STAGING_DIR}
+
+
+##
+## To generate the 'pki-tps' tarball, construct a staging area
+## consisting of the 'pki-tps' source components from the
+## current contents of the PKI working repository
+##
+
+mkdir -p ${PKI_TPS_DIR}
+cd ${PKI_DIR}
+for file in "${PKI_FILE_LIST}" ;
+do
+ cp -p ${file} ${PKI_TPS_DIR}
+done
+find ${PKI_CMAKE_DIR} \
+ -name .svn -prune -o \
+ -name *.swp -prune -o \
+ -print | cpio -pdum ${PKI_TPS_DIR} > /dev/null 2>&1
+cd - > /dev/null 2>&1
+
+mkdir -p ${PKI_TPS_BASE_DIR}
+cd ${PKI_BASE_DIR}
+cp -p ${PKI_BASE_MANIFEST} ${PKI_TPS_BASE_DIR}
+for component in "${PKI_COMPONENT_LIST}" ;
+do
+ find ${component} \
+ -name .svn -prune -o \
+ -name *.swp -prune -o \
+ -name Makefile.am -prune -o \
+ -name Makefile.in -prune -o \
+ -name aclocal.m4 -prune -o \
+ -name autogen.sh -prune -o \
+ -name build.xml -prune -o \
+ -name compile -prune -o \
+ -name config.guess -prune -o \
+ -name config.h.in -prune -o \
+ -name config.sub -prune -o \
+ -name configure -prune -o \
+ -name configure.ac -prune -o \
+ -name depcomp -prune -o \
+ -name install-sh -prune -o \
+ -name ltmain.sh -prune -o \
+ -name m4 -prune -o \
+ -name missing -prune -o \
+ -name setup_package -prune -o \
+ -print | cpio -pdum ${PKI_TPS_BASE_DIR} > /dev/null 2>&1
+done
+cd - > /dev/null 2>&1
+
+
+##
+## Due to the following lower-level 'config' subdirectories,
+## INDEPENDENTLY remove ALL top-level 'config' directories:
+##
+## * ./console/src/com/netscape/admin/certsrv/config (N/A 'pki-tps')
+## * ./tps/forms/tps/admin/console/config
+##
+
+rm -rf ${PKI_TPS_BASE_DIR}/*/config
+
+
+##
+## Create the 'pki-tps' tarball
+##
+
+mkdir -p ${PKI_TPS_SOURCES_DIR}
+cd ${PKI_TPS_STAGING_DIR}
+gtar -zcvf ${PKI_TPS_TARBALL} \
+ "${PKI_TPS}-${PKI_TPS_VERSION}" > /dev/null 2>&1
+mv ${PKI_TPS_TARBALL} ${PKI_TPS_SOURCES_DIR}
+cd - > /dev/null 2>&1
+
+
+##
+## Always remove the PKI staging area
+##
+
+rm -rf ${PKI_TPS_STAGING_DIR}
+
+
+##
+## Always generate a fresh 'pki-tps' package script
+##
+
+rm -rf ${PKI_TPS_PACKAGE_SCRIPT}
+printf "#!/bin/bash\n\n" > ${PKI_TPS_PACKAGE_SCRIPT}
+printf "${PKI_TPS_PACKAGE_COMMAND}\n\n" >> ${PKI_TPS_PACKAGE_SCRIPT}
+chmod 775 ${PKI_TPS_PACKAGE_SCRIPT}
+
+
+##
+## Automatically invoke RPM/SRPM creation
+##
+
+cd ${PKI_PACKAGES} ;
+script -c package_${PKI_TPS} package_${PKI_TPS}.log
+
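Review bot: Both `find` invocations pass `-name *.swp` unquoted, and the `find | cpio -pdum` pipelines and the later `gtar` send all output, including errors, to `/dev/null`. If a `.swp` file sits in the directory `find` is started from, the shell expands the pattern before `find` sees it. Any copy or archive failure is then hidden, so an incomplete tarball can reach `rpmbuild` unnoticed. Quote the pattern as `-name '*.swp'`, drop the `2>&1`, and check the exit status of `cpio` and `gtar`. The `for file in "${PKI_FILE_LIST}"` loops also iterate exactly once because the list is quoted, and work only because `cp -p ${file}` re-splits it; compose_pki_ra_packages and compose_pki_tks_packages carry the same lines.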
diff --git a/pki/specs/dogtag-pki-theme.spec b/pki/specs/dogtag-pki-theme.spec
index 9c5cf0ecd..d1c89dc37 100644
--- a/pki/specs/dogtag-pki-theme.spec
+++ b/pki/specs/dogtag-pki-theme.spec
@@ -36,7 +36,7 @@ BuildRequires: cmake
Source0: http://pki.fedoraproject.org/pki/sources/%{name}/%{name}-%{version}.tar.gz
-%define overview \
+%global overview \
========================================= \
|| ABOUT "DOGTAG CERTIFICATE SYSTEM" || \
========================================= \
@@ -379,7 +379,7 @@ This package is used by the Dogtag Certificate System.
%build
%{__mkdir_p} build
cd build
-%cmake -DBUILD_DOGTAG_THEME:BOOL=ON ..
+%cmake -DBUILD_DOGTAG_PKI_THEME:BOOL=ON ..
%{__make} VERBOSE=1 %{?_smp_mflags}
diff --git a/pki/specs/ipa-pki-theme.spec b/pki/specs/ipa-pki-theme.spec
index 12ad3947b..9e874eb09 100644
--- a/pki/specs/ipa-pki-theme.spec
+++ b/pki/specs/ipa-pki-theme.spec
@@ -36,7 +36,7 @@ BuildRequires: cmake
Source0: http://pki.fedoraproject.org/pki/sources/%{name}/%{name}-%{version}.tar.gz
-%define overview \
+%global overview \
================================== \
|| ABOUT "CERTIFICATE SYSTEM" || \
================================== \
@@ -160,7 +160,7 @@ This package is used by the Certificate System utilized by IPA.
%build
%{__mkdir_p} build
cd build
-%cmake -DBUILD_NULL_THEME:BOOL=ON ..
+%cmake -DBUILD_NULL_PKI_THEME:BOOL=ON ..
%{__make} VERBOSE=1 %{?_smp_mflags}
diff --git a/pki/specs/pki-console.spec b/pki/specs/pki-console.spec
new file mode 100644
index 000000000..ed9e57b1a
--- /dev/null
+++ b/pki/specs/pki-console.spec
@@ -0,0 +1,100 @@
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; version 2 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License along
+# with this program; if not, write to the Free Software Foundation, Inc.,
+# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# (C) 2010 Red Hat, Inc.
+# All rights reserved.
+# END COPYRIGHT BLOCK
+
+
+###############################################################################
+### P A C K A G E H E A D E R ###
+###############################################################################
+
+Name: pki-console
+Version: 9.0.0
+Release: 1%{?dist}
+Summary: Certificate System - PKI Console
+URL: http://pki.fedoraproject.org/
+License: GPLv2
+Group: System Environment/Base
+
+BuildArch: noarch
+
+BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
+
+BuildRequires: cmake
+BuildRequires: idm-console-framework
+BuildRequires: java-devel >= 1:1.6.0
+BuildRequires: jpackage-utils
+BuildRequires: jss >= 4.2.6
+BuildRequires: ldapjdk
+BuildRequires: pki-util
+
+Requires: idm-console-framework
+Requires: java >= 1:1.6.0
+Requires: jss >= 4.2.6
+Requires: ldapjdk
+Requires: pki-console-theme
+
+Source0: http://pki.fedoraproject.org/pki/sources/%{name}/%{name}-%{version}.tar.gz
+
+%description
+Certificate System (CS) is an enterprise software system designed
+to manage enterprise Public Key Infrastructure (PKI) deployments.
+
+The PKI Console is a java application used to administer CS.
+
+For deployment purposes, a PKI Console requires ONE AND ONLY ONE of the
+following "Mutually-Exclusive" PKI Theme packages:
+
+ * dogtag-pki-theme (Dogtag Certificate System deployments)
+ * redhat-pki-theme (Red Hat Certificate System deployments)
+
+
+%prep
+
+
+%setup -q
+
+
+%clean
+%{__rm} -rf %{buildroot}
+
+
+%build
+%{__mkdir_p} build
+cd build
+%cmake -DVAR_INSTALL_DIR:PATH=/var -DBUILD_PKI_CONSOLE:BOOL=ON ..
+%{__make} VERBOSE=1 %{?_smp_mflags}
+
+
+%install
+%{__rm} -rf %{buildroot}
+cd build
+%{__make} install DESTDIR=%{buildroot}
+
+
+%files
+%defattr(-,root,root,-)
+%doc base/console/LICENSE
+%{_bindir}/pkiconsole
+%{_javadir}/pki-console-%{version}.jar
+%{_javadir}/pki-console.jar
+#%{_javadir}/pki/pki-console-%{version}.jar
+#%{_javadir}/pki/pki-console.jar
+
+
+%changelog
+* Wed Dec 1 2010 Matthew Harmsen <mharmsen@redhat.com> 9.0.0-1
+- Initial revision. (kwright@redhat.com & mharmsen@redhat.com)
+
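Review bot: The `%files` list keeps two commented-out entries, `#%{_javadir}/pki/pki-console-%{version}.jar` and `#%{_javadir}/pki/pki-console.jar`. rpm still expands macros inside `#` comments, so these should either be deleted or written with `%%{_javadir}`. As they stand they also leave it unclear which jar location is the intended one. pki-kra.spec has the same pair of commented entries in its `%files` section.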
diff --git a/pki/specs/pki-core.spec b/pki/specs/pki-core.spec
index 613115bb0..333460f59 100644
--- a/pki/specs/pki-core.spec
+++ b/pki/specs/pki-core.spec
@@ -39,11 +39,25 @@ BuildRequires: osutil
Source0: http://pki.fedoraproject.org/pki/sources/%{name}/%{name}-%{version}.tar.gz
-%define major_version %(echo `echo %{version} | awk -F. '{ print $1 }'`)
-%define minor_version %(echo `echo %{version} | awk -F. '{ print $2 }'`)
-%define patch_version %(echo `echo %{version} | awk -F. '{ print $3 }'`)
-
-%define overview \
+%global saveFileContext() \
+if [ -s /etc/selinux/config ]; then \
+ . %{_sysconfdir}/selinux/config; \
+ FILE_CONTEXT=%{_sysconfdir}/selinux/%1/contexts/files/file_contexts; \
+ if [ "${SELINUXTYPE}" == %1 -a -f ${FILE_CONTEXT} ]; then \
+ cp -f ${FILE_CONTEXT} ${FILE_CONTEXT}.%{name}; \
+ fi \
+fi;
+
+%global relabel() \
+. %{_sysconfdir}/selinux/config; \
+FILE_CONTEXT=%{_sysconfdir}/selinux/%1/contexts/files/file_contexts; \
+selinuxenabled; \
+if [ $? == 0 -a "${SELINUXTYPE}" == %1 -a -f ${FILE_CONTEXT}.%{name} ]; then \
+ fixfiles -C ${FILE_CONTEXT}.%{name} restore; \
+ rm -f ${FILE_CONTEXT}.%name; \
+fi;
+
+%global overview \
================================== \
|| ABOUT "CERTIFICATE SYSTEM" || \
================================== \
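Review bot: `%relabel` sources `%{_sysconfdir}/selinux/config` unconditionally, whereas `%saveFileContext` first tests `[ -s /etc/selinux/config ]`. On a host without that file the `.` fails in the `%post` and `%postun` scriptlets that call `%relabel` later in this diff, and under a POSIX-mode `/bin/sh` a failed `.` aborts the scriptlet. Wrap the macro body in the same guard, `if [ -s %{_sysconfdir}/selinux/config ]; then \` … `fi;`, and use `%{_sysconfdir}` in the existing test as well. The cleanup line also writes `%name` where the rest of the macro uses `%{name}`.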
@@ -328,6 +342,7 @@ Requires: java >= 1:1.6.0
Requires: pki-ca-theme
Requires: pki-common = %{version}-%{release}
Requires: pki-selinux = %{version}-%{release}
+Requires: pki-setup = %{version}-%{release}
Requires(post): chkconfig
Requires(preun): chkconfig
Requires(preun): initscripts
@@ -394,7 +409,7 @@ This package is a part of the PKI Core used by the Certificate System.
%build
%{__mkdir_p} build
cd build
-%cmake -DVAR_INSTALL_DIR:PATH=/var -DBUILD_CORE:BOOL=ON ..
+%cmake -DVAR_INSTALL_DIR:PATH=/var -DBUILD_PKI_CORE:BOOL=ON ..
%{__make} VERBOSE=1 %{?_smp_mflags}
@@ -444,13 +459,6 @@ cd %{buildroot}%{_libdir}/symkey
## pki-java-tools ##
########################
-#cd %{buildroot}%{_javadir}
-#%{__ln_s} pkitools.jar cstools.jar
-#cd %{buildroot}%{_javadir}/pki
-#%{__ln_s} pkitools.jar cstools.jar
-#cd %{buildroot}%{_javadir}/pki
-#%{__ln_s} ../pkitools.jar cstools.jar
-
########################
## pki-common ##
@@ -466,9 +474,6 @@ cd %{buildroot}%{_libdir}/symkey
## pki-ca ##
########################
-%{__sed} -i 's/^preop.product.version=.*$/preop.product.version=%{version}/' %{buildroot}%{_datadir}/pki/ca/conf/CS.cfg
-%{__sed} -i 's/^cms.version=.*$/cms.version=%{major_version}.%{minor_version}/' %{buildroot}%{_datadir}/pki/ca/conf/CS.cfg
-
########################
## pki-silent ##
@@ -513,6 +518,27 @@ cd %{buildroot}%{_libdir}/symkey
## pki-selinux ##
########################
+%pre -n pki-selinux
+%saveFileContext targeted
+
+
+%post -n pki-selinux
+semodule -s targeted -i %{_datadir}/selinux/modules/pki.pp
+%relabel targeted
+
+
+%preun -n pki-selinux
+if [ $1 = 0 ]; then
+ %saveFileContext targeted
+fi
+
+
+%postun -n pki-selinux
+if [ $1 = 0 ]; then
+ semodule -s targeted -r pki
+ %relabel targeted
+fi
+
########################
## pki-ca ##
diff --git a/pki/specs/pki-kra.spec b/pki/specs/pki-kra.spec
new file mode 100644
index 000000000..34ae27eed
--- /dev/null
+++ b/pki/specs/pki-kra.spec
@@ -0,0 +1,165 @@
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; version 2 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License along
+# with this program; if not, write to the Free Software Foundation, Inc.,
+# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# (C) 2010 Red Hat, Inc.
+# All rights reserved.
+# END COPYRIGHT BLOCK
+
+
+###############################################################################
+### P A C K A G E H E A D E R ###
+###############################################################################
+
+Name: pki-kra
+Version: 9.0.0
+Release: 1%{?dist}
+Summary: Certificate System - Data Recovery Manager
+URL: http://pki.fedoraproject.org/
+License: GPLv2
+Group: System Environment/Daemons
+
+BuildArch: noarch
+
+BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
+
+BuildRequires: cmake
+BuildRequires: java-devel >= 1:1.6.0
+BuildRequires: jpackage-utils
+BuildRequires: jss >= 4.2.6
+BuildRequires: pki-common
+BuildRequires: pki-util
+BuildRequires: tomcatjss
+
+Requires: java >= 1:1.6.0
+Requires: pki-common
+Requires: pki-kra-theme
+Requires: pki-selinux
+Requires(post): chkconfig
+Requires(preun): chkconfig
+Requires(preun): initscripts
+Requires(postun): initscripts
+
+Source0: http://pki.fedoraproject.org/pki/sources/%{name}/%{name}-%{version}.tar.gz
+
+%description
+Certificate System (CS) is an enterprise software system designed
+to manage enterprise Public Key Infrastructure (PKI) deployments.
+
+The Data Recovery Manager (DRM) is an optional PKI subsystem that can act
+as a Key Recovery Authority (KRA). When configured in conjunction with the
+Certificate Authority (CA), the DRM stores private encryption keys as part of
+the certificate enrollment process. The key archival mechanism is triggered
+when a user enrolls in the PKI and creates the certificate request. Using the
+Certificate Request Message Format (CRMF) request format, a request is
+generated for the user's private encryption key. This key is then stored in
+the DRM which is configured to store keys in an encrypted format that can only
+be decrypted by several agents requesting the key at one time, providing for
+protection of the public encryption keys for the users in the PKI deployment.
+
+Note that the DRM archives encryption keys; it does NOT archive signing keys,
+since such archival would undermine non-repudiation properties of signing keys.
+
+For deployment purposes, a DRM requires the following components from the PKI
+Core package:
+
+ * pki-setup
+ * pki-native-tools
+ * pki-util
+ * pki-java-tools
+ * pki-common
+ * pki-selinux
+
+and can also make use of the following optional components from the PKI Core
+package:
+
+ * pki-util-javadoc
+ * pki-java-tools-javadoc
+ * pki-common-javadoc
+ * pki-silent
+
+Additionally, Certificate System requires ONE AND ONLY ONE of the following
+"Mutually-Exclusive" PKI Theme packages:
+
+ * dogtag-pki-theme (Dogtag Certificate System deployments)
+ * redhat-pki-theme (Red Hat Certificate System deployments)
+
+
+%prep
+
+
+%setup -q
+
+
+%clean
+%{__rm} -rf %{buildroot}
+
+
+%build
+%{__mkdir_p} build
+cd build
+%cmake -DVAR_INSTALL_DIR:PATH=/var -DBUILD_PKI_KRA:BOOL=ON ..
+%{__make} VERBOSE=1 %{?_smp_mflags}
+
+
+%install
+%{__rm} -rf %{buildroot}
+cd build
+%{__make} install DESTDIR=%{buildroot}
+
+
+%pre
+
+
+%post
+# This adds the proper /etc/rc*.d links for the script
+/sbin/chkconfig --add pki-krad || :
+
+
+%preun
+if [ $1 = 0 ] ; then
+ /sbin/service pki-krad stop >/dev/null 2>&1
+ /sbin/chkconfig --del pki-krad || :
+fi
+
+
+%postun
+if [ "$1" -ge "1" ] ; then
+ /sbin/service pki-krad condrestart >/dev/null 2>&1 || :
+fi
+
+
+%files
+%defattr(-,root,root,-)
+%doc base/kra/LICENSE
+%{_initrddir}/pki-krad
+%{_javadir}/kra-%{version}.jar
+%{_javadir}/kra.jar
+#%{_javadir}/pki/kra-%{version}.jar
+#%{_javadir}/pki/kra/kra.jar
+%dir %{_datadir}/pki/kra
+%dir %{_datadir}/pki/kra/acl
+%{_datadir}/pki/kra/acl/*
+%dir %{_datadir}/pki/kra/conf
+%{_datadir}/pki/kra/conf/*
+%dir %{_datadir}/pki/kra/setup
+%{_datadir}/pki/kra/setup/*
+%dir %{_datadir}/pki/kra/webapps
+%{_datadir}/pki/kra/webapps/*
+%dir %{_localstatedir}/lock/pki/kra
+%dir %{_localstatedir}/run/pki/kra
+
+
+%changelog
+* Wed Dec 1 2010 Matthew Harmsen <mharmsen@redhat.com> 9.0.0-1
+- Initial revision. (kwright@redhat.com & mharmsen@redhat.com)
+
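Review bot: The `%description` says a DRM requires pki-setup, pki-native-tools, pki-util, pki-java-tools, pki-common and pki-selinux, but the `Requires:` block lists only `java`, `pki-common`, `pki-kra-theme` and `pki-selinux`. This commit adds `Requires: pki-setup = %{version}-%{release}` to what appears to be the pki-ca subpackage in pki-core.spec. Unless pki-common pulls the rest in transitively (not visible here), a `Requires: pki-setup` line looks missing from this spec too. A minimum version on `pki-common` and `pki-selinux` would also keep a 9.0.0 KRA from installing against an older core. The visible start of pki-ocsp.spec has the same `Requires:` block.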
diff --git a/pki/specs/pki-migrate.spec b/pki/specs/pki-migrate.spec
new file mode 100644
index 000000000..e02539434
--- /dev/null
+++ b/pki/specs/pki-migrate.spec
@@ -0,0 +1,95 @@
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; version 2 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License along
+# with this program; if not, write to the Free Software Foundation, Inc.,
+# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# (C) 2010 Red Hat, Inc.
+# All rights reserved.
+# END COPYRIGHT BLOCK
+
+
+###############################################################################
+### P A C K A G E H E A D E R ###
+###############################################################################
+
+Name: pki-migrate
+Version: 9.0.0
+Release: 1%{?dist}
+Summary: Red Hat Certificate System - PKI Migration Scripts
+URL: http://pki.fedoraproject.org/
+License: GPLv2
+Group: System Environment/Base
+
+# Suppress automatic 'requires' and 'provisions' of multi-platform 'binaries'
+AutoReqProv: no
+
+BuildArch: noarch
+
+BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
+
+BuildRequires: cmake
+BuildRequires: java-devel >= 1:1.6.0
+BuildRequires: jpackage-utils
+
+Requires: java >= 1:1.6.0
+
+Source0: http://pki.fedoraproject.org/pki/sources/%{name}/%{name}-%{version}.tar.gz
+
+%global _binaries_in_noarch_packages_terminate_build 0
+
+%description
+Red Hat Certificate System (CS) is an enterprise software system designed
+to manage enterprise Public Key Infrastructure (PKI) deployments.
+
+PKI Migration Scripts are used to export data from previous versions of
+Netscape Certificate Management Systems, iPlanet Certificate Management
+Systems, and Red Hat Certificate Systems into a flat-file which may then
+be imported into this release of Red Hat Certificate System.
+
+Note that since this utility is platform-independent, it is generally possible
+to migrate data from previous PKI deployments originally stored on other
+hardware platforms as well as earlier versions of this operating system.
+
+
+%prep
+
+
+%setup -q
+
+
+%clean
+%{__rm} -rf %{buildroot}
+
+
+%build
+%{__mkdir_p} build
+cd build
+%cmake -DVAR_INSTALL_DIR:PATH=/var -DBUILD_PKI_MIGRATE:BOOL=ON ..
+%{__make} VERBOSE=1 %{?_smp_mflags}
+
+
+%install
+%{__rm} -rf %{buildroot}
+cd build
+%{__make} install DESTDIR=%{buildroot}
+
+
+%files
+%defattr(-,root,root,-)
+%doc base/migrate/LICENSE
+%dir %{_datadir}/pki/migrate
+%{_datadir}/pki/migrate/*
+
+
+%changelog
+* Wed Dec 1 2010 Matthew Harmsen <mharmsen@redhat.com> 9.0.0-1
+- Initial revision. (kwright@redhat.com & mharmsen@redhat.com)
+
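Review bot: `%global _binaries_in_noarch_packages_terminate_build 0` switches off rpmbuild's check for binaries in a noarch package, but unlike `AutoReqProv: no` it has no comment explaining why. Together the two settings mean the "multi-platform 'binaries'" mentioned in the existing comment ship with no generated dependencies. Add a comment above the `%global` line, e.g. `# The migration tools include prebuilt multi-platform binaries on purpose; do not fail the noarch build on them`. It would also help to note where those binaries come from, since as far as this spec shows nothing rebuilds or verifies them.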
diff --git a/pki/specs/pki-ocsp.spec b/pki/specs/pki-ocsp.spec
new file mode 100644
index 000000000..ece867975
--- /dev/null
+++ b/pki/specs/pki-ocsp.spec
@@ -0,0 +1,172 @@
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; version 2 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License along
+# with this program; if not, write to the Free Software Foundation, Inc.,
+# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# (C) 2010 Red Hat, Inc.
+# All rights reserved.
+# END COPYRIGHT BLOCK
+
+
+###############################################################################
+### P A C K A G E H E A D E R ###
+###############################################################################
+
+Name: pki-ocsp
+Version: 9.0.0
+Release: 1%{?dist}
+Summary: Certificate System - Online Certificate Status Protocol Manager
+URL: http://pki.fedoraproject.org/
+License: GPLv2
+Group: System Environment/Daemons
+
+BuildArch: noarch
+
+BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
+
+BuildRequires: cmake
+BuildRequires: java-devel >= 1:1.6.0
+BuildRequires: jpackage-utils
+BuildRequires: jss >= 4.2.6
+BuildRequires: pki-common
+BuildRequires: pki-util
+BuildRequires: tomcatjss
+
+Requires: java >= 1:1.6.0
+Requires: pki-common
+Requires: pki-ocsp-theme
+Requires: pki-selinux
+Requires(post): chkconfig
+Requires(preun): chkconfig
+Requires(preun): initscripts
+Requires(postun): initscripts
+
+Source0: http://pki.fedoraproject.org/pki/sources/%{name}/%{name}-%{version}.tar.gz
+
+%description
+Certificate System (CS) is an enterprise software system designed
+to manage enterprise Public Key Infrastructure (PKI) deployments.
+
+The Online Certificate Status Protocol (OCSP) Manager is an optional PKI
+subsystem that can act as a stand-alone OCSP service. The OCSP Manager
+performs the task of an online certificate validation authority by enabling
+OCSP-compliant clients to do real-time verification of certificates. Note
+that an online certificate-validation authority is often referred to as an
+OCSP Responder.
+
+Although the Certificate Authority (CA) is already configured with an
+internal OCSP service. An external OCSP Responder is offered as a separate
+subsystem in case the user wants the OCSP service provided outside of a
+firewall while the CA resides inside of a firewall, or to take the load of
+requests off of the CA.
+
+The OCSP Manager can receive Certificate Revocation Lists (CRLs) from
+multiple CA servers, and clients can query the OCSP Manager for the
+revocation status of certificates issued by all of these CA servers.
+
+When an instance of OCSP Manager is set up with an instance of CA, and
+publishing is set up to this OCSP Manager, CRLs are published to it
+whenever they are issued or updated.
+
+For deployment purposes, an OCSP Manager requires the following components
+from the PKI Core package:
+
+ * pki-setup
+ * pki-native-tools
+ * pki-util
+ * pki-java-tools
+ * pki-common
+ * pki-selinux
+
+and can also make use of the following optional components from the PKI Core
+package:
+
+ * pki-util-javadoc
+ * pki-java-tools-javadoc
+ * pki-common-javadoc
+ * pki-silent
+
+Additionally, Certificate System requires ONE AND ONLY ONE of the following
+"Mutually-Exclusive" PKI Theme packages:
+
+ * dogtag-pki-theme (Dogtag Certificate System deployments)
+ * redhat-pki-theme (Red Hat Certificate System deployments)
+
+
+%prep
+
+
+%setup -q
+
+
+%clean
+%{__rm} -rf %{buildroot}
+
+
+%build
+%{__mkdir_p} build
+cd build
+%cmake -DVAR_INSTALL_DIR:PATH=/var -DBUILD_PKI_OCSP:BOOL=ON ..
+%{__make} VERBOSE=1 %{?_smp_mflags}
+
+
+%install
+%{__rm} -rf %{buildroot}
+cd build
+%{__make} install DESTDIR=%{buildroot}
+
+
+%pre
+
+
+%post
+# This adds the proper /etc/rc*.d links for the script
+/sbin/chkconfig --add pki-ocspd || :
+
+
+%preun
+if [ $1 = 0 ] ; then
+ /sbin/service pki-ocspd stop >/dev/null 2>&1
+ /sbin/chkconfig --del pki-ocspd || :
+fi
+
+
+%postun
+if [ "$1" -ge "1" ] ; then
+ /sbin/service pki-ocspd condrestart >/dev/null 2>&1 || :
+fi
+
+
+%files
+%defattr(-,root,root,-)
+%doc base/ocsp/LICENSE
+%{_initrddir}/pki-ocspd
+%{_javadir}/ocsp-%{version}.jar
+%{_javadir}/ocsp.jar
+#%{_javadir}/pki/ocsp-%{version}.jar
+#%{_javadir}/pki/ocsp/ocsp.jar
+%dir %{_datadir}/pki/ocsp
+%dir %{_datadir}/pki/ocsp/acl
+%{_datadir}/pki/ocsp/acl/*
+%dir %{_datadir}/pki/ocsp/conf
+%{_datadir}/pki/ocsp/conf/*
+%dir %{_datadir}/pki/ocsp/setup
+%{_datadir}/pki/ocsp/setup/*
+%dir %{_datadir}/pki/ocsp/webapps
+%{_datadir}/pki/ocsp/webapps/*
+%dir %{_localstatedir}/lock/pki/ocsp
+%dir %{_localstatedir}/run/pki/ocsp
+
+
+%changelog
+* Wed Dec 1 2010 Matthew Harmsen <mharmsen@redhat.com> 9.0.0-1
+- Initial revision. (kwright@redhat.com & mharmsen@redhat.com)
+
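Review bot: `Source0` points at a plain `http://` URL and the spec records no checksum or signature for the tarball, so a source archive fetched from that location has no integrity protection in transit. rpmbuild itself uses the local copy, but packagers and download helpers follow this URL. If the host serves TLS, `Source0: https://pki.fedoraproject.org/pki/sources/%{name}/%{name}-%{version}.tar.gz` is the smallest change; otherwise a comment above the line saying where the published checksum or detached signature can be found would help. The same `Source0` form appears in pki-ra.spec, pki-tks.spec and pki-tps.spec, and in the pki-migrate.spec hunk above.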
diff --git a/pki/specs/pki-ra.spec b/pki/specs/pki-ra.spec
new file mode 100644
index 000000000..de9060c73
--- /dev/null
+++ b/pki/specs/pki-ra.spec
@@ -0,0 +1,171 @@
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; version 2 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License along
+# with this program; if not, write to the Free Software Foundation, Inc.,
+# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# (C) 2010 Red Hat, Inc.
+# All rights reserved.
+# END COPYRIGHT BLOCK
+
+
+###############################################################################
+### P A C K A G E H E A D E R ###
+###############################################################################
+
+Name: pki-ra
+Version: 9.0.0
+Release: 1%{?dist}
+Summary: Certificate System - Registration Authority
+URL: http://pki.fedoraproject.org/
+License: GPLv2
+Group: System Environment/Daemons
+
+BuildArch: noarch
+
+BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
+
+BuildRequires: cmake
+
+Requires: mod_nss >= 1.0.8
+Requires: mod_perl >= 1.99_16
+Requires: mod_revocator >= 1.0.3
+Requires: mozldap >= 6.0.2
+Requires: pki-native-tools
+Requires: pki-ra-theme
+Requires: pki-selinux
+Requires: pki-setup
+Requires: perl-DBD-SQLite
+Requires: sqlite
+Requires: /usr/sbin/sendmail
+Requires(post): chkconfig
+Requires(preun): chkconfig
+Requires(preun): initscripts
+Requires(postun): initscripts
+
+Source0: http://pki.fedoraproject.org/pki/sources/%{name}/%{name}-%{version}.tar.gz
+
+%description
+Certificate System (CS) is an enterprise software system designed
+to manage enterprise Public Key Infrastructure (PKI) deployments.
+
+The Registration Authority (RA) is an optional PKI subsystem that acts as a
+front-end for authenticating and processing enrollment requests, PIN reset
+requests, and formatting requests.
+
+An RA communicates over SSL with a Certificate Authority (CA) to fulfill
+the user's requests. An RA may often be located outside an organization's
+firewall to allow external users the ability to communicate with that
+organization's PKI deployment.
+
+For deployment purposes, an RA requires the following components from the PKI
+Core package:
+
+ * pki-setup
+ * pki-native-tools
+ * pki-selinux
+
+and can also make use of the following optional components from the PKI Core
+package:
+
+ * pki-silent
+
+Additionally, Certificate System requires ONE AND ONLY ONE of the following
+"Mutually-Exclusive" PKI Theme packages:
+
+ * dogtag-pki-theme (Dogtag Certificate System deployments)
+ * redhat-pki-theme (Red Hat Certificate System deployments)
+
+
+%prep
+
+
+%setup -q
+
+cat << \EOF > %{name}-prov
+#!/bin/sh
+%{__perl_provides} $* |\
+sed -e '/perl(PKI.*)/d' -e '/perl(Template.*)/d'
+EOF
+
+%global __perl_provides %{_builddir}/%{name}-%{version}/%{name}-prov
+chmod +x %{__perl_provides}
+
+cat << \EOF > %{name}-req
+#!/bin/sh
+%{__perl_requires} $* |\
+sed -e '/perl(PKI.*)/d' -e '/perl(Template.*)/d'
+EOF
+
+%global __perl_requires %{_builddir}/%{name}-%{version}/%{name}-req
+chmod +x %{__perl_requires}
+
+
+%clean
+%{__rm} -rf %{buildroot}
+
+
+%build
+%{__mkdir_p} build
+cd build
+%cmake -DVAR_INSTALL_DIR:PATH=/var -DBUILD_PKI_RA:BOOL=ON ..
+%{__make} VERBOSE=1 %{?_smp_mflags}
+
+
+%install
+%{__rm} -rf %{buildroot}
+cd build
+%{__make} install DESTDIR=%{buildroot}
+
+
+%pre
+
+
+%post
+# This adds the proper /etc/rc*.d links for the script
+/sbin/chkconfig --add pki-rad || :
+
+
+%preun
+if [ $1 = 0 ] ; then
+ /sbin/service pki-rad stop >/dev/null 2>&1
+ /sbin/chkconfig --del pki-rad || :
+fi
+
+
+%postun
+if [ "$1" -ge "1" ] ; then
+ /sbin/service pki-rad condrestart >/dev/null 2>&1 || :
+fi
+
+
+%files
+%defattr(-,root,root,-)
+%doc base/ra/LICENSE
+%{_initrddir}/pki-rad
+%dir %{_datadir}/pki/ra
+%dir %{_datadir}/pki/ra/conf
+%{_datadir}/pki/ra/conf/*
+%dir %{_datadir}/pki/ra/docroot
+%{_datadir}/pki/ra/docroot/*
+%dir %{_datadir}/pki/ra/lib
+%{_datadir}/pki/ra/lib/*
+%dir %{_datadir}/pki/ra/scripts
+%{_datadir}/pki/ra/scripts/*
+%dir %{_datadir}/pki/ra/setup
+%{_datadir}/pki/ra/setup/*
+%dir %{_localstatedir}/lock/pki/ra
+%dir %{_localstatedir}/run/pki/ra
+
+
+%changelog
+* Wed Dec 1 2010 Matthew Harmsen <mharmsen@redhat.com> 9.0.0-1
+- Initial revision. (kwright@redhat.com & mharmsen@redhat.com)
+
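Review bot: The `Requires: mod_revocator >= 1.0.3` line has no comment saying why an RA needs it, and neither `%description` nor `%changelog` mentions it, although it is the subject of the commit. I would add a comment above it such as `# mod_revocator: CRL retrieval for mod_nss revocation checking (Bugzilla #586073)`. Installing the package only makes the module available. Whether revocation checking is actually enabled, and what happens when a CRL cannot be fetched, depends on the httpd configuration templates, which are outside this hunk and worth confirming. The same applies to the identical `Requires` line in pki-tps.spec.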
diff --git a/pki/specs/pki-tks.spec b/pki/specs/pki-tks.spec
new file mode 100644
index 000000000..19f87f842
--- /dev/null
+++ b/pki/specs/pki-tks.spec
@@ -0,0 +1,166 @@
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; version 2 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License along
+# with this program; if not, write to the Free Software Foundation, Inc.,
+# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# (C) 2010 Red Hat, Inc.
+# All rights reserved.
+# END COPYRIGHT BLOCK
+
+
+###############################################################################
+### P A C K A G E H E A D E R ###
+###############################################################################
+
+Name: pki-tks
+Version: 9.0.0
+Release: 1%{?dist}
+Summary: Certificate System - Token Key Service
+URL: http://pki.fedoraproject.org/
+License: GPLv2
+Group: System Environment/Daemons
+
+BuildArch: noarch
+
+BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
+
+BuildRequires: cmake
+BuildRequires: java-devel >= 1:1.6.0
+BuildRequires: jpackage-utils
+BuildRequires: jss >= 4.2.6
+BuildRequires: pki-common
+BuildRequires: pki-util
+BuildRequires: tomcatjss
+
+Requires: java >= 1:1.6.0
+Requires: pki-common
+Requires: pki-selinux
+Requires: pki-tks-theme
+Requires(post): chkconfig
+Requires(preun): chkconfig
+Requires(preun): initscripts
+Requires(postun): initscripts
+
+Source0: http://pki.fedoraproject.org/pki/sources/%{name}/%{name}-%{version}.tar.gz
+
+%description
+Certificate System (CS) is an enterprise software system designed
+to manage enterprise Public Key Infrastructure (PKI) deployments.
+
+The Token Key Service (TKS) is an optional PKI subsystem that manages the
+master key(s) and the transport key(s) required to generate and distribute
+keys for hardware tokens. TKS provides the security between tokens and an
+instance of Token Processing System (TPS), where the security relies upon the
+relationship between the master key and the token keys. A TPS communicates
+with a TKS over SSL using client authentication.
+
+TKS helps establish a secure channel (signed and encrypted) between the token
+and the TPS, provides proof of presence of the security token during
+enrollment, and supports key changeover when the master key changes on the
+TKS. Tokens with older keys will get new token keys.
+
+Because of the sensitivity of the data that TKS manages, TKS should be set up
+behind the firewall with restricted access.
+
+For deployment purposes, a TKS requires the following components from the PKI
+Core package:
+
+ * pki-setup
+ * pki-native-tools
+ * pki-util
+ * pki-java-tools
+ * pki-common
+ * pki-selinux
+
+and can also make use of the following optional components from the PKI Core
+package:
+
+ * pki-util-javadoc
+ * pki-java-tools-javadoc
+ * pki-common-javadoc
+ * pki-silent
+
+Additionally, Certificate System requires ONE AND ONLY ONE of the following
+"Mutually-Exclusive" PKI Theme packages:
+
+ * dogtag-pki-theme (Dogtag Certificate System deployments)
+ * redhat-pki-theme (Red Hat Certificate System deployments)
+
+
+%prep
+
+
+%setup -q
+
+
+%clean
+%{__rm} -rf %{buildroot}
+
+
+%build
+%{__mkdir_p} build
+cd build
+%cmake -DVAR_INSTALL_DIR:PATH=/var -DBUILD_PKI_TKS:BOOL=ON ..
+%{__make} VERBOSE=1 %{?_smp_mflags}
+
+
+%install
+%{__rm} -rf %{buildroot}
+cd build
+%{__make} install DESTDIR=%{buildroot}
+
+
+%pre
+
+
+%post
+# This adds the proper /etc/rc*.d links for the script
+/sbin/chkconfig --add pki-tksd || :
+
+
+%preun
+if [ $1 = 0 ] ; then
+ /sbin/service pki-tksd stop >/dev/null 2>&1
+ /sbin/chkconfig --del pki-tksd || :
+fi
+
+
+%postun
+if [ "$1" -ge "1" ] ; then
+ /sbin/service pki-tksd condrestart >/dev/null 2>&1 || :
+fi
+
+
+%files
+%defattr(-,root,root,-)
+%doc base/tks/LICENSE
+%{_initrddir}/pki-tksd
+%{_javadir}/tks-%{version}.jar
+%{_javadir}/tks.jar
+#%{_javadir}/pki/tks-%{version}.jar
+#%{_javadir}/pki/tks/tks.jar
+%dir %{_datadir}/pki/tks
+%dir %{_datadir}/pki/tks/acl
+%{_datadir}/pki/tks/acl/*
+%dir %{_datadir}/pki/tks/conf
+%{_datadir}/pki/tks/conf/*
+%dir %{_datadir}/pki/tks/setup
+%{_datadir}/pki/tks/setup/*
+%dir %{_datadir}/pki/tks/webapps
+%{_datadir}/pki/tks/webapps/*
+%dir %{_localstatedir}/lock/pki/tks
+%dir %{_localstatedir}/run/pki/tks
+
+
+%changelog
+* Wed Dec 1 2010 Matthew Harmsen <mharmsen@redhat.com> 9.0.0-1
+- Initial revision. (kwright@redhat.com & mharmsen@redhat.com)
+
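Review bot: The two commented-out `%files` entries, `#%{_javadir}/pki/tks-%{version}.jar` and `#%{_javadir}/pki/tks/tks.jar`, still contain live macros, because rpm expands `%{...}` inside `#` comment lines as well. These particular macros expand to a single line and do no harm, but the lines read as leftover alternatives, and a multi-line macro in a comment like this would inject text into the spec. Either delete them or escape them, e.g. `#%%{_javadir}/pki/tks/tks.jar`. pki-ocsp.spec carries the same two commented lines for `ocsp`.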
diff --git a/pki/specs/pki-tps.spec b/pki/specs/pki-tps.spec
new file mode 100644
index 000000000..c1aa2fd46
--- /dev/null
+++ b/pki/specs/pki-tps.spec
@@ -0,0 +1,225 @@
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; version 2 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License along
+# with this program; if not, write to the Free Software Foundation, Inc.,
+# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# (C) 2010 Red Hat, Inc.
+# All rights reserved.
+# END COPYRIGHT BLOCK
+
+
+###############################################################################
+### P A C K A G E H E A D E R ###
+###############################################################################
+
+Name: pki-tps
+Version: 9.0.0
+Release: 1%{?dist}
+Summary: Certificate System - Token Processing System
+URL: http://pki.fedoraproject.org/
+License: LGPLv2
+Group: System Environment/Daemons
+
+BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
+
+BuildRequires: cmake
+BuildRequires: apr-devel
+BuildRequires: apr-util-devel
+BuildRequires: cyrus-sasl-devel
+BuildRequires: httpd-devel >= 2.2.3
+BuildRequires: mozldap-devel
+BuildRequires: nspr-devel >= 4.6.99
+BuildRequires: nss-devel >= 3.12.3.99
+BuildRequires: pcre-devel
+BuildRequires: svrcore-devel
+BuildRequires: zlib
+BuildRequires: zlib-devel
+
+Requires: mod_nss >= 1.0.8
+Requires: mod_perl >= 1.99_16
+Requires: mod_revocator >= 1.0.3
+Requires: mozldap >= 6.0.2
+Requires: pki-native-tools
+Requires: pki-selinux
+Requires: pki-setup
+Requires: pki-tps-theme
+Requires(post): chkconfig
+Requires(preun): chkconfig
+Requires(preun): initscripts
+Requires(postun): initscripts
+
+Source0: http://pki.fedoraproject.org/pki/sources/%{name}/%{name}-%{version}.tar.gz
+
+%global overview \
+Certificate System (CS) is an enterprise software system designed \
+to manage enterprise Public Key Infrastructure (PKI) deployments. \
+ \
+The Token Processing System (TPS) is an optional PKI subsystem that acts \
+as a Registration Authority (RA) for authenticating and processing \
+enrollment requests, PIN reset requests, and formatting requests from \
+the Enterprise Security Client (ESC). \
+ \
+TPS is designed to communicate with tokens that conform to \
+Global Platform's Open Platform Specification. \
+ \
+TPS communicates over SSL with various PKI backend subsystems (including \
+the Certificate Authority (CA), the Data Recovery Manager (DRM), and the \
+Token Key Service (TKS)) to fulfill the user's requests. \
+ \
+TPS also interacts with the token database, an LDAP server that stores \
+information about individual tokens. \
+ \
+For deployment purposes, a TPS requires the following components from the \
+PKI Core package: \
+ \
+ * pki-setup \
+ * pki-native-tools \
+ * pki-selinux \
+ \
+and can also make use of the following optional components from the \
+PKI CORE package: \
+ \
+ * pki-silent \
+ \
+Additionally, Certificate System requires ONE AND ONLY ONE of the \
+following "Mutually-Exclusive" PKI Theme packages: \
+ \
+ * dogtag-pki-theme (Dogtag Certificate System deployments) \
+ * redhat-pki-theme (Red Hat Certificate System deployments) \
+ \
+%{nil}
+
+%description %{overview}
+
+
+%package devel
+Group: Development/Libraries
+Summary: Dogtag Certificate System - Token Processing System Library Symlinks
+
+Requires: %{name} = %{version}-%{release}
+
+%description devel
+This package contains symlinks to the Certificate System (CS)
+Token Processing System (TPS) library files required to link executables.
+
+
+==================================
+|| ABOUT "CERTIFICATE SYSTEM" ||
+==================================
+${overview}
+
+
+%prep
+
+
+%setup -q -n %{name}-%{version}
+
+cat << \EOF > %{name}-prov
+#!/bin/sh
+%{__perl_provides} $* |\
+sed -e '/perl(PKI.*)/d' -e '/perl(Template.*)/d'
+EOF
+
+%global __perl_provides %{_builddir}/%{name}-%{version}/%{name}-prov
+chmod +x %{__perl_provides}
+
+cat << \EOF > %{name}-req
+#!/bin/sh
+%{__perl_requires} $* |\
+sed -e '/perl(PKI.*)/d' -e '/perl(Template.*)/d'
+EOF
+
+%global __perl_requires %{_builddir}/%{name}-%{version}/%{name}-req
+chmod +x %{__perl_requires}
+
+
+%clean
+%{__rm} -rf %{buildroot}
+
+
+%build
+%{__mkdir_p} build
+cd build
+%cmake -DVAR_INSTALL_DIR:PATH=/var -DBUILD_PKI_TPS:BOOL=ON ..
+%{__make} VERBOSE=1 %{?_smp_mflags}
+
+
+%install
+%{__rm} -rf %{buildroot}
+cd build
+%{__make} install DESTDIR=%{buildroot} INSTALL="install -p"
+
+# This should be done in CMAKE
+cd %{buildroot}/%{_datadir}/pki/tps/docroot
+%{__ln_s} tokendb tus
+
+
+%pre
+
+
+%post
+/sbin/ldconfig
+# This adds the proper /etc/rc*.d links for the script
+/sbin/chkconfig --add pki-tpsd || :
+
+
+%preun
+if [ $1 = 0 ] ; then
+ /sbin/service pki-tpsd stop >/dev/null 2>&1
+ /sbin/chkconfig --del pki-tpsd || :
+fi
+
+
+%postun
+if [ "$1" -ge "1" ] ; then
+ /sbin/service pki-tpsd condrestart >/dev/null 2>&1 || :
+fi
+
+
+%files
+%defattr(-,root,root,-)
+%doc base/tps/LICENSE
+%{_initrddir}/pki-tpsd
+%{_bindir}/tpsclient
+%{_libdir}/httpd/modules/*
+%{_libdir}/lib*
+%dir %{_datadir}/pki/tps
+%dir %{_datadir}/pki/tps/applets
+%{_datadir}/pki/tps/applets/*
+%dir %{_datadir}/pki/tps/cgi-bin
+%{_datadir}/pki/tps/cgi-bin/*
+%dir %{_datadir}/pki/tps/conf
+%{_datadir}/pki/tps/conf/*
+%dir %{_datadir}/pki/tps/docroot
+%{_datadir}/pki/tps/docroot/*
+%dir %{_datadir}/pki/tps/lib
+%{_datadir}/pki/tps/lib/*
+%dir %{_datadir}/pki/tps/samples
+%{_datadir}/pki/tps/samples/*
+%dir %{_datadir}/pki/tps/scripts
+%{_datadir}/pki/tps/scripts/*
+%dir %{_datadir}/pki/tps/setup
+%{_datadir}/pki/tps/setup/*
+%dir %{_localstatedir}/lock/pki/tps
+%dir %{_localstatedir}/run/pki/tps
+
+
+%files devel
+%defattr(-,root,root,-)
+%{_libdir}/libldapauth.so
+%{_libdir}/libtokendb.so
+%{_libdir}/libtps.so
+
+
+%changelog
+* Wed Dec 1 2010 Matthew Harmsen <mharmsen@redhat.com> 9.0.0-1
+- Initial revision. (kwright@redhat.com & mharmsen@redhat.com)
+
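Review bot: In `%description devel` the line `${overview}` is shell syntax rather than an RPM macro reference, so the devel package description will contain the literal text `${overview}` instead of the text defined by `%global overview`. It should read `%{overview}`, as the main `%description %{overview}` line does. Separately, `%{_libdir}/lib*` in the main `%files` list also matches `libldapauth.so`, `libtokendb.so` and `libtps.so`, so those symlinks are listed for both the main and the devel package. Narrowing it to `%{_libdir}/lib*.so.*` would leave them to devel only, assuming the libraries are installed with versioned names (the CMake install rules are not in this hunk).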