author | Matthew Harmsen <mharmsen@redhat.com> | 2012-05-23 18:59:06 -0700 |
committer | Matthew Harmsen <mharmsen@redhat.com> | 2012-05-25 14:59:48 -0700 |
commit | 4a263b8db27208413acd0f038ea67629d5ee27bb (patch) | |
tree | 8c747215e522100304e9afced96d0720bd49501d /base/common | |
parent | 2408bec41a56378fcf942a68a1ab290464c001d7 (diff) | |
PKI Deployment Scriptlets
* Integration of Tomcat 7
* Addition of centralized 'pki-tomcatd' systemd functionality to the
PKI Deployment strategy
* Removal of 'pki_flavor' attribute
Diffstat (limited to 'base/common')
-rw-r--r-- | base/common/CMakeLists.txt | 43 | ||||
-rw-r--r-- | base/common/setup/pkidaemon_registry | 59 | ||||
-rw-r--r-- | base/common/shared/conf/catalina.policy | 252 | ||||
-rw-r--r-- | base/common/shared/conf/catalina.properties | 125 | ||||
-rw-r--r-- | base/common/shared/conf/context.xml | 42 | ||||
-rw-r--r-- | base/common/shared/conf/log4j.properties | 17 | ||||
-rw-r--r-- | base/common/shared/conf/logging.properties | 70 | ||||
-rw-r--r-- | base/common/shared/conf/server.xml | 304 | ||||
-rw-r--r-- | base/common/shared/conf/tomcat-users.xml | 62 | ||||
-rw-r--r-- | base/common/shared/conf/tomcat.conf | 58 | ||||
-rw-r--r-- | base/common/shared/lib/systemd/system/pki-tomcatd.target | 8 | ||||
-rw-r--r-- | base/common/shared/lib/systemd/system/pki-tomcatd@.service | 13 |
12 files changed, 1053 insertions, 0 deletions
diff --git a/base/common/CMakeLists.txt b/base/common/CMakeLists.txt
index 10a7cc0bb..f602ae943 100644
--- a/base/common/CMakeLists.txt
+++ b/base/common/CMakeLists.txt
@@ -1,9 +1,23 @@
 project(common Java)
+# install systemd scripts
+install(
+ FILES
+ shared/lib/systemd/system/pki-tomcatd.target
+ shared/lib/systemd/system/pki-tomcatd@.service
+ DESTINATION
+ ${SYSTEMD_LIB_INSTALL_DIR}
+ PERMISSIONS
+ OWNER_EXECUTE OWNER_WRITE OWNER_READ
+ GROUP_EXECUTE GROUP_READ
+ WORLD_EXECUTE WORLD_READ
+)
+
 install(
 FILES
 setup/CertServer.directory
 setup/menu.xml
+ setup/pkidaemon_registry
 DESTINATION
 ${DATA_INSTALL_DIR}/setup/
 PERMISSIONS
@@ -12,5 +26,34 @@ install(
 WORLD_READ
 )
+# install directories
+install(
+ DIRECTORY
+ shared/
+ DESTINATION
+ ${DATA_INSTALL_DIR}/shared/
+ PATTERN
+ "lib/" EXCLUDE
+)
+
+# install empty directories
+install(
+ DIRECTORY
+ DESTINATION
+ ${VAR_INSTALL_DIR}/lock/pki/tomcat
+)
+
+install(
+ DIRECTORY
+ DESTINATION
+ ${VAR_INSTALL_DIR}/run/pki/tomcat
+)
+
+install(
+ DIRECTORY
+ DESTINATION
+ ${SYSTEMD_ETC_INSTALL_DIR}/pki-tomcatd.target.wants
+)
+
 add_subdirectory(src)
 add_subdirectory(test)
diff --git a/base/common/setup/pkidaemon_registry b/base/common/setup/pkidaemon_registry
new file mode 100644
index 000000000..5cd1ca9c8
--- /dev/null
+++ b/base/common/setup/pkidaemon_registry
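Review bot: In the first hunk the two systemd unit files are installed with OWNER_EXECUTE, GROUP_EXECUTE and WORLD_EXECUTE, but a .target/.service file is data that systemd parses, never runs, so the execute bits buy nothing and differ from the read-only set the adjacent install() for setup/ uses; use `PERMISSIONS OWNER_WRITE OWNER_READ GROUP_READ WORLD_READ`. In the second hunk, `PATTERN "lib/" EXCLUDE` is presumably there so shared/lib/systemd is not installed a second time under ${DATA_INSTALL_DIR}/shared/; I am not certain a pattern with a trailing slash matches a directory path, so check the install manifest for a duplicate copy of the unit files under shared/lib/. The empty lock/pki/tomcat and run/pki/tomcat directories are created with CMake's default ownership and mode, so whatever later chowns them to PKI_USER/PKI_GROUP (the registry file in this commit reads those slots) is not in this file; a comment pointing at it would save the next reader a search. The DIRECTORY rule also ships shared/conf/tomcat-users.xml with default world-readable permissions, which is fine for a template under the data dir but means the per-instance copy must get tighter permissions when it is populated.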
@@ -0,0 +1,59 @@
+# Establish PKI Variable "Slot" Substitutions
+
+PKI_WEB_SERVER_TYPE=[PKI_WEB_SERVER_TYPE]
+export PKI_WEB_SERVER_TYPE
+
+PKI_USER=[PKI_USER]
+export PKI_USER
+
+PKI_GROUP=[PKI_GROUP]
+export PKI_GROUP
+
+PKI_INSTANCE_ID=[PKI_INSTANCE_ID]
+export PKI_INSTANCE_ID
+
+PKI_INSTANCE_PATH=[PKI_INSTANCE_PATH]
+export PKI_INSTANCE_PATH
+
+PKI_INSTANCE_INITSCRIPT=[PKI_INSTANCE_INITSCRIPT]
+export PKI_INSTANCE_INITSCRIPT
+
+PKI_LOCKDIR=[PKI_LOCKDIR]
+export PKI_LOCKDIR
+
+PKI_PIDDIR=[PKI_PIDDIR]
+export PKI_PIDDIR
+
+PKI_UNSECURE_PORT=[PKI_UNSECURE_PORT]
+export PKI_UNSECURE_PORT
+
+TOMCAT_PIDFILE=[TOMCAT_PIDFILE]
+export TOMCAT_PIDFILE
+
+# Use PKI Variable "Slot" Substitutions
+
+PKI_LOCKFILE="${PKI_LOCKDIR}/${PKI_INSTANCE_ID}"
+export PKI_LOCKFILE
+
+PKI_PIDFILE="${PKI_PIDDIR}/${PKI_INSTANCE_ID}.pid"
+export PKI_PIDFILE
+
+RESTART_SERVER=${PKI_INSTANCE_PATH}/conf/restart_server_after_configuration
+export RESTART_SERVER
+
+# Use CATALINA_BASE
+
+CATALINA_BASE=$PKI_INSTANCE_PATH
+export CATALINA_BASE
+
+TOMCAT_PROG=$PKI_INSTANCE_ID
+export TOMCAT_PROG
+
+TOMCAT_USER=$PKI_USER
+export TOMCAT_USER
+
+TOMCAT_GROUP=$PKI_GROUP
+export TOMCAT_GROUP
+
+TOMCAT_LOCKFILE=/var/lock/subsys/${PKI_INSTANCE_ID}
+export TOMCAT_LOCKFILE
diff --git a/base/common/shared/conf/catalina.policy b/base/common/shared/conf/catalina.policy
new file mode 100644
index 000000000..02c1eea0a
--- /dev/null
+++ b/base/common/shared/conf/catalina.policy
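Review bot: `TOMCAT_LOCKFILE=/var/lock/subsys/${PKI_INSTANCE_ID}` hard-codes the lock directory while every other path in the file is derived from a slot (`PKI_LOCKFILE` is built from `${PKI_LOCKDIR}`), and the CMakeLists hunk in this commit creates `${VAR_INSTALL_DIR}/lock/pki/tomcat`, so an instance ends up with lock files in two places; either reuse `${PKI_LOCKDIR}` here or leave a comment explaining why the subsys lock must stay where it is. The `export` lines show the file is meant to be sourced by a shell, so every `[SLOT]` value is spliced in unquoted and unescaped; a substituted value containing whitespace or shell metacharacters changes what the line does rather than just the value, so the deployment code filling the slots has to reject or quote such values and that contract should be written down here. The file also has no header at all, unlike the other files in this commit; I would add `# Sourced by the pki-tomcatd wrapper; [NAME] slots are filled at deployment time and must be shell-safe.` above the first section.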
@@ -0,0 +1,252 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// Copyright (C) 2012 Red Hat, Inc.
+// All rights reserved.
+// Modifications: configuration parameters
+// --- END COPYRIGHT BLOCK ---
+
+// Licensed to the Apache Software Foundation (ASF) under one or more
+// contributor license agreements. See the NOTICE file distributed with
+// this work for additional information regarding copyright ownership.
+// The ASF licenses this file to You under the Apache License, Version 2.0
+// (the "License"); you may not use this file except in compliance with
+// the License. You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+// ============================================================================
+// catalina.policy - Security Policy Permissions for Tomcat 7
+//
+// This file contains a default set of security policies to be enforced (by the
+// JVM) when Catalina is executed with the "-security" option. 
In addition
+// to the permissions granted here, the following additional permissions are
+// granted to each web application:
+//
+// * Read access to the web application's document root directory
+// * Read, write and delete access to the web application's working directory
+//
+// $Id: catalina.policy 1220297 2011-12-17 22:55:28Z markt $
+// ============================================================================
+
+
+// ========== SYSTEM CODE PERMISSIONS =========================================
+
+
+// These permissions apply to javac
+grant codeBase "file:${java.home}/lib/-" {
+ permission java.security.AllPermission;
+};
+
+// These permissions apply to all shared system extensions
+grant codeBase "file:${java.home}/jre/lib/ext/-" {
+ permission java.security.AllPermission;
+};
+
+// These permissions apply to javac when ${java.home] points at $JAVA_HOME/jre
+grant codeBase "file:${java.home}/../lib/-" {
+ permission java.security.AllPermission;
+};
+
+// These permissions apply to all shared system extensions when
+// ${java.home} points at $JAVA_HOME/jre
+grant codeBase "file:${java.home}/lib/ext/-" {
+ permission java.security.AllPermission;
+};
+
+
+// ========== CATALINA CODE PERMISSIONS =======================================
+
+
+// These permissions apply to the daemon code
+grant codeBase "file:${catalina.home}/bin/commons-daemon.jar" {
+ permission java.security.AllPermission;
+};
+
+// These permissions apply to the logging API
+// Note: If tomcat-juli.jar is in ${catalina.base} and not in ${catalina.home},
+// update this section accordingly. 
+// grant codeBase "file:${catalina.base}/bin/tomcat-juli.jar" {..}
+grant codeBase "file:${catalina.home}/bin/tomcat-juli.jar" {
+ permission java.io.FilePermission
+ "${java.home}${file.separator}lib${file.separator}logging.properties", "read";
+
+ permission java.io.FilePermission
+ "${catalina.base}${file.separator}conf${file.separator}logging.properties", "read";
+ permission java.io.FilePermission
+ "${catalina.base}${file.separator}logs", "read, write";
+ permission java.io.FilePermission
+ "${catalina.base}${file.separator}logs${file.separator}*", "read, write";
+
+ permission java.lang.RuntimePermission "shutdownHooks";
+ permission java.lang.RuntimePermission "getClassLoader";
+ permission java.lang.RuntimePermission "setContextClassLoader";
+
+ permission java.util.logging.LoggingPermission "control";
+
+ permission java.util.PropertyPermission "java.util.logging.config.class", "read";
+ permission java.util.PropertyPermission "java.util.logging.config.file", "read";
+ permission java.util.PropertyPermission "catalina.base", "read";
+ permission java.util.PropertyPermission
+ "org.apache.juli.logging.UserDataHelper.CONFIG", "read";
+ permission java.util.PropertyPermission
+ "org.apache.juli.logging.UserDataHelper.SUPPRESSION_TIME", "read";
+
+ // Note: To enable per context logging configuration, permit read access to
+ // the appropriate file. Be sure that the logging configuration is
+ // secure before enabling such access.
+ // E.g. 
for the examples web application (uncomment and unwrap
+ // the following to be on a single line):
+ // permission java.io.FilePermission "${catalina.base}${file.separator}
+ // webapps${file.separator}examples${file.separator}WEB-INF
+ // ${file.separator}classes${file.separator}logging.properties", "read";
+};
+
+// These permissions apply to the server startup code
+grant codeBase "file:${catalina.home}/bin/bootstrap.jar" {
+ permission java.security.AllPermission;
+};
+
+// These permissions apply to the servlet API classes
+// and those that are shared across all class loaders
+// located in the "lib" directory
+grant codeBase "file:${catalina.home}/lib/-" {
+ permission java.security.AllPermission;
+};
+
+
+// If using a per instance lib directory, i.e. ${catalina.base}/lib,
+// then the following permission will need to be uncommented
+// grant codeBase "file:${catalina.base}/lib/-" {
+// permission java.security.AllPermission;
+// };
+
+
+// ========== WEB APPLICATION PERMISSIONS =====================================
+
+
+// These permissions are granted by default to all web applications
+// In addition, a web application will be given a read FilePermission
+// and JndiPermission for all files and directories in its document root. 
+grant {
+ // Required for JNDI lookup of named JDBC DataSource's and
+ // javamail named MimePart DataSource used to send mail
+ permission java.util.PropertyPermission "java.home", "read";
+ permission java.util.PropertyPermission "java.naming.*", "read";
+ permission java.util.PropertyPermission "javax.sql.*", "read";
+
+ // OS Specific properties to allow read access
+ permission java.util.PropertyPermission "os.name", "read";
+ permission java.util.PropertyPermission "os.version", "read";
+ permission java.util.PropertyPermission "os.arch", "read";
+ permission java.util.PropertyPermission "file.separator", "read";
+ permission java.util.PropertyPermission "path.separator", "read";
+ permission java.util.PropertyPermission "line.separator", "read";
+
+ // JVM properties to allow read access
+ permission java.util.PropertyPermission "java.version", "read";
+ permission java.util.PropertyPermission "java.vendor", "read";
+ permission java.util.PropertyPermission "java.vendor.url", "read";
+ permission java.util.PropertyPermission "java.class.version", "read";
+ permission java.util.PropertyPermission "java.specification.version", "read";
+ permission java.util.PropertyPermission "java.specification.vendor", "read";
+ permission java.util.PropertyPermission "java.specification.name", "read";
+
+ permission java.util.PropertyPermission "java.vm.specification.version", "read";
+ permission java.util.PropertyPermission "java.vm.specification.vendor", "read";
+ permission java.util.PropertyPermission "java.vm.specification.name", "read";
+ permission java.util.PropertyPermission "java.vm.version", "read";
+ permission java.util.PropertyPermission "java.vm.vendor", "read";
+ permission java.util.PropertyPermission "java.vm.name", "read";
+
+ // Required for OpenJMX
+ permission java.lang.RuntimePermission "getAttribute";
+
+ // Allow read of JAXP compliant XML parser debug
+ permission java.util.PropertyPermission "jaxp.debug", "read";
+
+ // All JSPs need to be able 
to read this package
+ permission java.lang.RuntimePermission "accessClassInPackage.org.apache.tomcat";
+
+ // Precompiled JSPs need access to these packages.
+ permission java.lang.RuntimePermission "accessClassInPackage.org.apache.jasper.el";
+ permission java.lang.RuntimePermission "accessClassInPackage.org.apache.jasper.runtime";
+ permission java.lang.RuntimePermission
+ "accessClassInPackage.org.apache.jasper.runtime.*";
+
+ // Precompiled JSPs need access to these system properties.
+ permission java.util.PropertyPermission
+ "org.apache.jasper.runtime.BodyContentImpl.LIMIT_BUFFER", "read";
+ permission java.util.PropertyPermission
+ "org.apache.el.parser.COERCE_TO_ZERO", "read";
+
+ // The cookie code needs these.
+ permission java.util.PropertyPermission
+ "org.apache.catalina.STRICT_SERVLET_COMPLIANCE", "read";
+ permission java.util.PropertyPermission
+ "org.apache.tomcat.util.http.ServerCookie.STRICT_NAMING", "read";
+ permission java.util.PropertyPermission
+ "org.apache.tomcat.util.http.ServerCookie.FWD_SLASH_IS_SEPARATOR", "read";
+
+ // Applications using Comet need to be able to access this package
+ permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.comet";
+};
+
+
+// The Manager application needs access to the following packages to support the
+// session display functionality. 
These settings support the following
+// configurations:
+// - default CATALINA_HOME == CATALINA_BASE
+// - CATALINA_HOME != CATALINA_BASE, per instance Manager in CATALINA_BASE
+// - CATALINA_HOME != CATALINA_BASE, shared Manager in CATALINA_HOME
+grant codeBase "file:${catalina.base}/webapps/manager/-" {
+ permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina";
+ permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.ha.session";
+ permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.manager";
+ permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.manager.util";
+ permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.util";
+};
+grant codeBase "file:${catalina.home}/webapps/manager/-" {
+ permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina";
+ permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.ha.session";
+ permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.manager";
+ permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.manager.util";
+ permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.util";
+};
+
+// You can assign additional permissions to particular web applications by
+// adding additional "grant" entries here, based on the code base for that
+// application, /WEB-INF/classes/, or /WEB-INF/lib/ jar files.
+//
+// Different permissions can be granted to JSP pages, classes loaded from
+// the /WEB-INF/classes/ directory, all jar files in the /WEB-INF/lib/
+// directory, or even to individual jar files in the /WEB-INF/lib/ directory. 
+//
+// For instance, assume that the standard "examples" application
+// included a JDBC driver that needed to establish a network connection to the
+// corresponding database and used the scrape taglib to get the weather from
+// the NOAA web server. You might create a "grant" entries like this:
+//
+// The permissions granted to the context root directory apply to JSP pages.
+// grant codeBase "file:${catalina.base}/webapps/examples/-" {
+// permission java.net.SocketPermission "dbhost.mycompany.com:5432", "connect";
+// permission java.net.SocketPermission "*.noaa.gov:80", "connect";
+// };
+//
+// The permissions granted to the context WEB-INF/classes directory
+// grant codeBase "file:${catalina.base}/webapps/examples/WEB-INF/classes/-" {
+// };
+//
+// The permission granted to your JDBC driver
+// grant codeBase "jar:file:${catalina.base}/webapps/examples/WEB-INF/lib/driver.jar!/-" {
+// permission java.net.SocketPermission "dbhost.mycompany.com:5432", "connect";
+// };
+// The permission granted to the scrape taglib
+// grant codeBase "jar:file:${catalina.base}/webapps/examples/WEB-INF/lib/scrape.jar!/-" {
+// permission java.net.SocketPermission "*.noaa.gov:80", "connect";
+// };
+
diff --git a/base/common/shared/conf/catalina.properties b/base/common/shared/conf/catalina.properties
new file mode 100644
index 000000000..003089a43
--- /dev/null
+++ b/base/common/shared/conf/catalina.properties
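Review bot: The policy grants AllPermission only to `${catalina.home}/lib/-` and leaves the `${catalina.base}/lib/-` grant commented out, while catalina.properties in the same commit puts `${catalina.base}/lib`, `${catalina.base}/lib/*.jar` and the `[TOMCAT_INSTANCE_COMMON_LIB]` slot on the common loader; should an instance ever be started with `-security`, PKI code loaded from those paths would fall through to the default web-application grant and fail at its first privileged call. Either add a grant for the instance library paths, or record in the PKI copyright block that the file is shipped for completeness and pki-tomcatd does not enable the security manager, so nobody relies on it as a control. The two `webapps/manager/-` grants only matter if the manager webapp is deployed into PKI instances, which the diffstat does not show; harmless, but a one-line comment would avoid the question. The stock Tomcat typo `${java.home]` in the javac comment is carried over verbatim.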
@@ -0,0 +1,125 @@
+# --- BEGIN COPYRIGHT BLOCK ---
+# Copyright (C) 2012 Red Hat, Inc.
+# All rights reserved.
+# Modifications: configuration parameters
+# --- END COPYRIGHT BLOCK ---
+
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+#
+# List of comma-separated packages that start with or equal this string
+# will cause a security exception to be thrown when
+# passed to checkPackageAccess unless the
+# corresponding RuntimePermission ("accessClassInPackage."+package) has
+# been granted.
+package.access=sun.,org.apache.catalina.,org.apache.coyote.,org.apache.tomcat.,org.apache.jasper.
+#
+# List of comma-separated packages that start with or equal this string
+# will cause a security exception to be thrown when
+# passed to checkPackageDefinition unless the
+# corresponding RuntimePermission ("defineClassInPackage."+package) has
+# been granted.
+#
+# by default, no packages are restricted for definition, and none of
+# the class loaders supplied with the JDK call checkPackageDefinition.
+#
+package.definition=sun.,java.,org.apache.catalina.,org.apache.coyote.,org.apache.tomcat.,org.apache.jasper.
+
+#
+#
+# List of comma-separated paths defining the contents of the "common"
+# classloader. 
Prefixes should be used to define what is the repository type.
+# Path may be relative to the CATALINA_HOME or CATALINA_BASE path or absolute.
+# If left as blank,the JVM system loader will be used as Catalina's "common"
+# loader.
+# Examples:
+# "foo": Add this folder as a class repository
+# "foo/*.jar": Add all the JARs of the specified folder as class
+# repositories
+# "foo/bar.jar": Add bar.jar as a class repository
+common.loader=${catalina.base}/lib,${catalina.base}/lib/*.jar,${catalina.home}/lib,${catalina.home}/lib/*.jar,[TOMCAT_INSTANCE_COMMON_LIB]
+
+#
+# List of comma-separated paths defining the contents of the "server"
+# classloader. Prefixes should be used to define what is the repository type.
+# Path may be relative to the CATALINA_HOME or CATALINA_BASE path or absolute.
+# If left as blank, the "common" loader will be used as Catalina's "server"
+# loader.
+# Examples:
+# "foo": Add this folder as a class repository
+# "foo/*.jar": Add all the JARs of the specified folder as class
+# repositories
+# "foo/bar.jar": Add bar.jar as a class repository
+server.loader=
+
+#
+# List of comma-separated paths defining the contents of the "shared"
+# classloader. Prefixes should be used to define what is the repository type.
+# Path may be relative to the CATALINA_BASE path or absolute. If left as blank,
+# the "common" loader will be used as Catalina's "shared" loader.
+# Examples:
+# "foo": Add this folder as a class repository
+# "foo/*.jar": Add all the JARs of the specified folder as class
+# repositories
+# "foo/bar.jar": Add bar.jar as a class repository
+# Please note that for single jars, e.g. bar.jar, you need the URL form
+# starting with file:.
+shared.loader=
+
+# List of JAR files that should not be scanned for configuration information
+# such as web fragments, TLD files etc. It must be a comma separated list of
+# JAR file names. 
+# The JARs listed below include:
+# - Tomcat Bootstrap JARs
+# - Tomcat API JARs
+# - Catalina JARs
+# - Jasper JARs
+# - Tomcat JARs
+# - Common non-Tomcat JARs
+# - Sun JDK JARs
+# - Apple JDK JARs
+tomcat.util.scan.DefaultJarScanner.jarsToSkip=\
+bootstrap.jar,commons-daemon.jar,tomcat-juli.jar,\
+annotations-api.jar,el-api.jar,jsp-api.jar,servlet-api.jar,\
+catalina.jar,catalina-ant.jar,catalina-ha.jar,catalina-tribes.jar,\
+jasper.jar,jasper-el.jar,ecj-*.jar,\
+tomcat-api.jar,tomcat-util.jar,tomcat-coyote.jar,tomcat-dbcp.jar,\
+tomcat-i18n-en.jar,tomcat-i18n-es.jar,tomcat-i18n-fr.jar,tomcat-i18n-ja.jar,\
+tomcat-juli-adapters.jar,catalina-jmx-remote.jar,catalina-ws.jar,\
+tomcat-jdbc.jar,\
+commons-beanutils*.jar,commons-codec*.jar,commons-collections*.jar,\
+commons-dbcp*.jar,commons-digester*.jar,commons-fileupload*.jar,\
+commons-httpclient*.jar,commons-io*.jar,commons-lang*.jar,commons-logging*.jar,\
+commons-math*.jar,commons-pool*.jar,\
+jstl.jar,\
+geronimo-spec-jaxrpc*.jar,wsdl4j*.jar,\
+ant.jar,ant-junit*.jar,aspectj*.jar,jmx.jar,h2*.jar,hibernate*.jar,httpclient*.jar,\
+jmx-tools.jar,jta*.jar,log4j*.jar,mail*.jar,slf4j*.jar,\
+xercesImpl.jar,xmlParserAPIs.jar,xml-apis.jar,\
+dnsns.jar,ldapsec.jar,localedata.jar,sunjce_provider.jar,sunmscapi.jar,\
+sunpkcs11.jar,jhall.jar,tools.jar,\
+sunec.jar,zipfs.jar,\
+apple_provider.jar,AppleScriptEngine.jar,CoreAudio.jar,dns_sd.jar,\
+j3daudio.jar,j3dcore.jar,j3dutils.jar,jai_core.jar,jai_codec.jar,\
+mlibwrapper_jai.jar,MRJToolkit.jar,vecmath.jar,\
+junit.jar,junit-*.jar,ant-launcher.jar
+
+#
+# String cache configuration.
+tomcat.util.buf.StringCache.byte.enabled=true
+#tomcat.util.buf.StringCache.char.enabled=true
+#tomcat.util.buf.StringCache.trainThreshold=500000
+#tomcat.util.buf.StringCache.cacheSize=5000
diff --git a/base/common/shared/conf/context.xml b/base/common/shared/conf/context.xml
new file mode 100644
index 000000000..4b00dbe3c
--- /dev/null
+++ b/base/common/shared/conf/context.xml
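Review bot: `common.loader` ends with the `[TOMCAT_INSTANCE_COMMON_LIB]` slot, so whatever directory is substituted there is loaded into the class loader shared by every webapp in the instance, yet nothing in the file says what fills the slot or what an empty substitution yields (Tomcat tolerates the empty trailing entry, but the intent is not recorded). Add a comment above the line such as `# [TOMCAT_INSTANCE_COMMON_LIB] is replaced at deployment time with the instance's PKI jar directory; keep it writable by root only, since anything placed there runs in the common class loader.` The `package.access` and `package.definition` lists are Tomcat's defaults and only take effect under a security manager; if pki-tomcatd does not run one, a short note saying so would keep readers from treating them as an enforced boundary.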
@@ -0,0 +1,42 @@
+<?xml version='1.0' encoding='utf-8'?>
+<!-- BEGIN COPYRIGHT BLOCK
+ Copyright (C) 2012 Red Hat, Inc.
+ All rights reserved.
+ Modifications: configuration parameters
+ END COPYRIGHT BLOCK
+-->
+
+<!--
+ Licensed to the Apache Software Foundation (ASF) under one or more
+ contributor license agreements. See the NOTICE file distributed with
+ this work for additional information regarding copyright ownership.
+ The ASF licenses this file to You under the Apache License, Version 2.0
+ (the "License"); you may not use this file except in compliance with
+ the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+-->
+<!-- The contents of this file will be loaded for each web application -->
+<Context>
+
+ <!-- Default set of monitored resources -->
+ <WatchedResource>WEB-INF/web.xml</WatchedResource>
+
+ <!-- Uncomment this to disable session persistence across Tomcat restarts -->
+ <!--
+ <Manager pathname="" />
+ -->
+
+ <!-- Uncomment this to enable Comet connection tacking (provides events
+ on session expiration as well as webapp lifecycle) -->
+ <!--
+ <Valve className="org.apache.catalina.valves.CometConnectionManagerValve" />
+ -->
+
+</Context>
diff --git a/base/common/shared/conf/log4j.properties b/base/common/shared/conf/log4j.properties
new file mode 100644
index 000000000..5861ec750
--- /dev/null
+++ b/base/common/shared/conf/log4j.properties
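Review bot: Session persistence across restarts is left at Tomcat's default here (the `<Manager pathname="" />` line stays commented out, and the comment above it says that is what disables persistence), so on shutdown each PKI webapp's active sessions are written to disk under the instance work directory and restored on the next start; for agent and admin sessions of a CA or KRA that is authenticated state outliving the process. Unless the deployment needs sessions to survive a restart, uncomment `<Manager pathname="" />` in this shared default; if it does need them, document that the work directory must be readable by the instance user only. The Tomcat comment typo "tacking" for "tracking" comes over unchanged.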
@@ -0,0 +1,17 @@
+# --- BEGIN COPYRIGHT BLOCK ---
+# Copyright (C) 2012 Red Hat, Inc.
+# All rights reserved.
+# Modifications: configuration parameters
+# --- END COPYRIGHT BLOCK ---
+
+log4j.rootLogger=debug, R
+log4j.appender.R=org.apache.log4j.RollingFileAppender
+log4j.appender.R.File=${catalina.home}/logs/tomcat.log
+log4j.appender.R.MaxFileSize=10MB
+log4j.appender.R.MaxBackupIndex=10
+log4j.appender.R.layout=org.apache.log4j.PatternLayout
+log4j.appender.R.layout.ConversionPattern=%p %t %c - %m%n
+log4j.logger.org.apache.catalina=DEBUG, R
+log4j.logger.org.apache.catalina.core.ContainerBase.[Catalina].[localhost]=DEBUG, R
+log4j.logger.org.apache.catalina.core=DEBUG, R
+log4j.logger.org.apache.catalina.session=DEBUG, R
diff --git a/base/common/shared/conf/logging.properties b/base/common/shared/conf/logging.properties
new file mode 100644
index 000000000..f1fb462aa
--- /dev/null
+++ b/base/common/shared/conf/logging.properties
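Review bot: `log4j.appender.R.File=${catalina.home}/logs/tomcat.log` points into the shared CATALINA_HOME tree, whereas logging.properties in this same commit consistently logs to `${catalina.base}/logs`; with the per-instance layout pkidaemon_registry sets up (`CATALINA_BASE=$PKI_INSTANCE_PATH`), every instance would append to one file under catalina.home, which the instance user may not be able to write at all. Change it to `log4j.appender.R.File=${catalina.base}/logs/tomcat.log`. The root logger and all four category loggers are set to DEBUG in a shipped default, which is very verbose in production and can put request details into a long-lived log; INFO as the shipped level, with DEBUG enabled per instance when needed, would be the safer default. The file also has no comment saying which component reads it, since Tomcat itself uses logging.properties; one line naming the consumer would help.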
@@ -0,0 +1,70 @@
+# --- BEGIN COPYRIGHT BLOCK ---
+# Copyright (C) 2012 Red Hat, Inc.
+# All rights reserved.
+# Modifications: configuration parameters
+# --- END COPYRIGHT BLOCK ---
+
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+handlers = 1catalina.org.apache.juli.FileHandler, 2localhost.org.apache.juli.FileHandler, 3manager.org.apache.juli.FileHandler, 4host-manager.org.apache.juli.FileHandler, java.util.logging.ConsoleHandler
+
+.handlers = 1catalina.org.apache.juli.FileHandler, java.util.logging.ConsoleHandler
+
+############################################################
+# Handler specific properties.
+# Describes specific configuration info for Handlers.
+############################################################
+
+1catalina.org.apache.juli.FileHandler.level = FINE
+1catalina.org.apache.juli.FileHandler.directory = ${catalina.base}/logs
+1catalina.org.apache.juli.FileHandler.prefix = catalina.
+
+2localhost.org.apache.juli.FileHandler.level = FINE
+2localhost.org.apache.juli.FileHandler.directory = ${catalina.base}/logs
+2localhost.org.apache.juli.FileHandler.prefix = localhost. 
+
+3manager.org.apache.juli.FileHandler.level = FINE
+3manager.org.apache.juli.FileHandler.directory = ${catalina.base}/logs
+3manager.org.apache.juli.FileHandler.prefix = manager.
+
+4host-manager.org.apache.juli.FileHandler.level = FINE
+4host-manager.org.apache.juli.FileHandler.directory = ${catalina.base}/logs
+4host-manager.org.apache.juli.FileHandler.prefix = host-manager.
+
+java.util.logging.ConsoleHandler.level = FINE
+java.util.logging.ConsoleHandler.formatter = java.util.logging.SimpleFormatter
+
+
+############################################################
+# Facility specific properties.
+# Provides extra control for each logger.
+############################################################
+
+org.apache.catalina.core.ContainerBase.[Catalina].[localhost].level = INFO
+org.apache.catalina.core.ContainerBase.[Catalina].[localhost].handlers = 2localhost.org.apache.juli.FileHandler
+
+org.apache.catalina.core.ContainerBase.[Catalina].[localhost].[/manager].level = INFO
+org.apache.catalina.core.ContainerBase.[Catalina].[localhost].[/manager].handlers = 3manager.org.apache.juli.FileHandler
+
+org.apache.catalina.core.ContainerBase.[Catalina].[localhost].[/host-manager].level = INFO
+org.apache.catalina.core.ContainerBase.[Catalina].[localhost].[/host-manager].handlers = 4host-manager.org.apache.juli.FileHandler
+
+# For example, set the org.apache.catalina.util.LifecycleBase logger to log
+# each component that extends LifecycleBase changing state:
+#org.apache.catalina.util.LifecycleBase.level = FINE
+
+# To see debug messages in TldLocationsCache, uncomment the following line:
+#org.apache.jasper.compiler.TldLocationsCache.level = FINE
diff --git a/base/common/shared/conf/server.xml b/base/common/shared/conf/server.xml
new file mode 100644
index 000000000..d5788552c
--- /dev/null
+++ b/base/common/shared/conf/server.xml
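Review bot: `.handlers` routes the root logger to both `1catalina.org.apache.juli.FileHandler` and `java.util.logging.ConsoleHandler`, each at FINE; once the instance runs under the `pki-tomcatd@.service` unit this commit adds, the console presumably ends up in the journal, so every message is stored twice, once in catalina.*.log and once in the journal. If that is not intended, either drop `java.util.logging.ConsoleHandler` from `.handlers` or raise `java.util.logging.ConsoleHandler.level` to INFO or higher so the journal carries only notable events. The `3manager` and `4host-manager` handlers and their `[/manager]`/`[/host-manager]` logger entries are only useful if those webapps are deployed into PKI instances, which the diffstat does not show; a comment stating whether they are expected would stop them from being mistaken for dead configuration.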
@@ -0,0 +1,304 @@
+<?xml version='1.0' encoding='utf-8'?>
+<!-- BEGIN COPYRIGHT BLOCK
+ Copyright (C) 2012 Red Hat, Inc.
+ All rights reserved.
+ Modifications: configuration parameters
+ END COPYRIGHT BLOCK -->
+<!--
+ Licensed to the Apache Software Foundation (ASF) under one or more
+ contributor license agreements. See the NOTICE file distributed with
+ this work for additional information regarding copyright ownership.
+ The ASF licenses this file to You under the Apache License, Version 2.0
+ (the "License"); you may not use this file except in compliance with
+ the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+-->
+<!-- Note: A "Server" is not itself a "Container", so you may not
+ define subcomponents such as "Valves" at this level.
+ Documentation at /docs/config/server.html
+-->
+
+<!-- DO NOT REMOVE - Begin PKI Status Definitions -->
+<!-- CA Status Definitions -->
+<!--
+Unsecure Port = http://[PKI_MACHINE_NAME]:[PKI_UNSECURE_PORT]/ca/ee/ca
+Secure Agent Port = https://[PKI_MACHINE_NAME]:[PKI_AGENT_SECURE_PORT]/ca/agent/ca
+Secure EE Port = https://[PKI_MACHINE_NAME]:[PKI_EE_SECURE_PORT]/ca/ee/ca
+Secure Admin Port = https://[PKI_MACHINE_NAME]:[PKI_ADMIN_SECURE_PORT]/ca/services
+EE Client Auth Port = https://[PKI_MACHINE_NAME]:[PKI_EE_SECURE_CLIENT_AUTH_PORT]/ca/eeca/ca
+PKI Console Port = pkiconsole https://[PKI_MACHINE_NAME]:[PKI_ADMIN_SECURE_PORT]/ca
+Tomcat Port = [TOMCAT_SERVER_PORT] (for shutdown)
+-->
+<!-- KRA Status Definitions -->
+<!--
+Unsecure Port = http://[PKI_MACHINE_NAME]:[PKI_UNSECURE_PORT]/kra/ee/kra
+Secure Agent Port = https://[PKI_MACHINE_NAME]:[PKI_AGENT_SECURE_PORT]/kra/agent/kra
+Secure EE Port = https://[PKI_MACHINE_NAME]:[PKI_EE_SECURE_PORT]/kra/ee/kra
+Secure Admin Port = https://[PKI_MACHINE_NAME]:[PKI_ADMIN_SECURE_PORT]/kra/services
+PKI Console Port = pkiconsole https://[PKI_MACHINE_NAME]:[PKI_ADMIN_SECURE_PORT]/kra
+Tomcat Port = [TOMCAT_SERVER_PORT] (for shutdown)
+-->
+<!-- OCSP Status Definitions -->
+<!--
+Unsecure Port = http://[PKI_MACHINE_NAME]:[PKI_UNSECURE_PORT]/ocsp/ee/ocsp
+Secure Agent Port = https://[PKI_MACHINE_NAME]:[PKI_AGENT_SECURE_PORT]/ocsp/agent/ocsp
+Secure EE Port = https://[PKI_MACHINE_NAME]:[PKI_EE_SECURE_PORT]/ocsp/ee/ocsp
+Secure Admin Port = https://[PKI_MACHINE_NAME]:[PKI_ADMIN_SECURE_PORT]/ocsp/services
+PKI Console Port = pkiconsole https://[PKI_MACHINE_NAME]:[PKI_ADMIN_SECURE_PORT]/ocsp
+Tomcat Port = [TOMCAT_SERVER_PORT] (for shutdown)
+-->
+<!-- TKS Status Definitions -->
+<!--
+Unsecure Port = http://[PKI_MACHINE_NAME]:[PKI_UNSECURE_PORT]/tks/ee/tks
+Secure Agent Port = https://[PKI_MACHINE_NAME]:[PKI_AGENT_SECURE_PORT]/tks/agent/tks
+Secure EE Port = https://[PKI_MACHINE_NAME]:[PKI_EE_SECURE_PORT]/tks/ee/tks
+Secure Admin Port = https://[PKI_MACHINE_NAME]:[PKI_ADMIN_SECURE_PORT]/tks/services
+PKI Console Port = pkiconsole https://[PKI_MACHINE_NAME]:[PKI_ADMIN_SECURE_PORT]/tks
+Tomcat Port = [TOMCAT_SERVER_PORT] (for shutdown)
+-->
+<!-- DO NOT REMOVE - End PKI Status Definitions -->
+
+<Server port="[TOMCAT_SERVER_PORT]" shutdown="SHUTDOWN">
+
+ <!--APR library loader. Documentation at /docs/apr.html -->
+ <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />
+ <!--Initialize Jasper prior to webapps are loaded. Documentation at /docs/jasper-howto.html -->
+ <Listener className="org.apache.catalina.core.JasperListener" />
+ <!-- JMX Support for the Tomcat server. Documentation at /docs/non-existent.html -->
+ <!-- The following class has been commented out because it -->
+ <!-- has been EXCLUDED from the Tomcat 7 'tomcat-lib' RPM! -->
+ <!-- Listener className="org.apache.catalina.mbeans.ServerLifecycleListener" -->
+ <Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener" />
+
+ <!-- Global JNDI resources
+ Documentation at /docs/jndi-resources-howto.html
+ -->
+ <GlobalNamingResources>
+ <!-- Editable user database that can also be used by
+ UserDatabaseRealm to authenticate users
+ -->
+ <Resource name="UserDatabase" auth="Container"
+ type="org.apache.catalina.UserDatabase"
+ description="User database that can be updated and saved"
+ factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
+ pathname="conf/tomcat-users.xml" />
+ </GlobalNamingResources>
+
+ <!-- A "Service" is a collection of one or more "Connectors" that share
+ a single "Container" Note: A "Service" is not itself a "Container",
+ so you may not define subcomponents such as "Valves" at this level.
+ Documentation at /docs/config/service.html + --> + <Service name="Catalina"> + + <!--The connectors can use a shared executor, you can define one or more named thread pools--> + <!-- + <Executor name="tomcatThreadPool" namePrefix="catalina-exec-" + maxThreads="150" minSpareThreads="4"/> + --> + + + <!-- A "Connector" represents an endpoint by which requests are received + and responses are returned. Documentation at : + Java HTTP Connector: /docs/config/http.html (blocking & non-blocking) + Java AJP Connector: /docs/config/ajp.html + APR (HTTP/AJP) Connector: /docs/apr.html + Define a non-SSL HTTP/1.1 Connector on port 8080 + --> + + [PKI_UNSECURE_PORT_SERVER_COMMENT] + <Connector name="[PKI_UNSECURE_PORT_CONNECTOR_NAME]" port="[PKI_UNSECURE_PORT]" protocol="HTTP/1.1" redirectPort="8443" + maxHttpHeaderSize="8192" + acceptCount="100" maxThreads="150" minSpareThreads="25" maxSpareThreads="75" + enableLookups="false" connectionTimeout="20000" disableUploadTimeout="true" + /> + + <!-- Define a SSL HTTP/1.1 Connector on port 8443 --> + [PKI_SECURE_PORT_SERVER_COMMENT] + <!-- DO NOT REMOVE - Begin define PKI secure port + 1 + NOTE: The OCSP settings take effect globally, so it should only be set once. + + In setup where SSL clientAuth="true", OCSP can be turned on by + setting enableOCSP to true like the following: + enableOCSP="true" + along with changes to related settings, especially: + ocspResponderURL=<see example in connector definition below> + ocspResponderCertNickname=<see example in connector definition below> + Here are the definition to all the OCSP-related settings: + enableOCSP - turns on/off the ocsp check + ocspResponderURL - sets the url where the ocsp requests are sent + ocspResponderCertNickname - sets the nickname of the cert that is + either CA's signing certificate or the OCSP server's signing + certificate. + The CA's signing certificate should already be in the db, in + case of the same security domain. 
+ In case of an ocsp signing certificate, one must import the cert
+ into the subsystem's nss db and set trust. e.g.:
+ certutil -d . -A -n "ocspSigningCert cert-pki-ca" -t "C,," -a -i ocspCert.b64
+ ocspCacheSize - sets max cache entries
+ ocspMinCacheEntryDuration - sets minimum seconds to next fetch attempt
+ ocspMaxCacheEntryDuration - sets maximum seconds to next fetch attempt
+ ocspTimeout -sets OCSP timeout in seconds
+ -->
+ <Connector name="[PKI_SECURE_PORT_CONNECTOR_NAME]" port="[PKI_SECURE_PORT]" protocol="HTTP/1.1" SSLEnabled="true" sslProtocol="SSL" scheme="https" secure="true"
+ maxHttpHeaderSize="8192"
+ acceptCount="100" maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
+ enableLookups="false" disableUploadTimeout="true"
+ SSLImplementation="org.apache.tomcat.util.net.jss.JSSImplementation"
+ enableOCSP="false"
+ ocspResponderURL="http://[PKI_MACHINE_NAME]:9080/ca/ocsp"
+ ocspResponderCertNickname="ocspSigningCert cert-pki-ca"
+ ocspCacheSize="1000"
+ ocspMinCacheEntryDuration="60"
+ ocspMaxCacheEntryDuration="120"
+ ocspTimeout="10"
+ strictCiphers="false"
+ clientAuth="[PKI_AGENT_CLIENTAUTH]"
+ sslOptions="[TOMCAT_SSL_OPTIONS]"
+ ssl2Ciphers="[TOMCAT_SSL2_CIPHERS]"
+ ssl3Ciphers="[TOMCAT_SSL3_CIPHERS]"
+ tlsCiphers="[TOMCAT_TLS_CIPHERS]"
+ serverCertNickFile="[PKI_INSTANCE_PATH]/conf/serverCertNick.conf"
+ passwordFile="[PKI_INSTANCE_PATH]/conf/password.conf"
+ passwordClass="org.apache.tomcat.util.net.jss.PlainPasswordFile"
+ certdbDir="[PKI_INSTANCE_PATH]/alias"
+ />
+ <!-- DO NOT REMOVE - End define PKI secure port -->
+
+ <!-- A "Connector" using the shared thread pool-->
+ <!--
+ <Connector executor="tomcatThreadPool"
+ port="8080" protocol="HTTP/1.1"
+ connectionTimeout="20000"
+ redirectPort="8443" />
+ -->
+ <!-- Define a SSL HTTP/1.1 Connector on port 8443
+ This connector uses the JSSE configuration, when using APR, the
+ connector should be using the OpenSSL style configuration
+ described in the APR documentation -->
+ <!--
+ <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
+ maxThreads="150" scheme="https" secure="true"
+ clientAuth="false" sslProtocol="TLS" />
+ -->
+
+ <!-- Define an AJP 1.3 Connector on port [PKI_AJP_PORT] -->
+[PKI_OPEN_AJP_PORT_COMMENT]
+ <Connector port="[PKI_AJP_PORT]" protocol="AJP/1.3" redirectPort="[PKI_AJP_REDIRECT_PORT]" />
+[PKI_CLOSE_AJP_PORT_COMMENT]
+
+
+ <!-- An Engine represents the entry point (within Catalina) that processes
+ every request. The Engine implementation for Tomcat stand alone
+ analyzes the HTTP headers included with the request, and passes them
+ on to the appropriate Host (virtual host).
+ Documentation at /docs/config/engine.html -->
+
+ <!-- You should set jvmRoute to support load-balancing via AJP ie :
+ <Engine name="Catalina" defaultHost="localhost" jvmRoute="jvm1">
+ -->
+ <Engine name="Catalina" defaultHost="localhost">
+
+ <!--For clustering, please take a look at documentation at:
+ /docs/cluster-howto.html (simple how to)
+ /docs/config/cluster.html (reference documentation) -->
+ <!--
+ <Cluster className="org.apache.catalina.ha.tcp.SimpleTcpCluster"/>
+ -->
+
+ <!-- The request dumper valve dumps useful debugging information about
+ the request and response data received and sent by Tomcat.
+ Documentation at: /docs/config/valve.html -->
+ <!--
+ <Valve className="org.apache.catalina.valves.RequestDumperValve"/>
+ -->
+
+ <!-- This Realm uses the UserDatabase configured in the global JNDI
+ resources under the key "UserDatabase". Any edits
+ that are performed against this UserDatabase are immediately
+ available for use by the Realm. -->
+
+ <!--
+ <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
+ resourceName="UserDatabase"/>
+ -->
+
+ <!-- Custom PKIJNDI realm
+
+ Example:
+
+ <Realm className="com.netscape.cmscore.realm.PKIJNDIRealm" : classpath to realm
+ connectionURL="ldap://localhost:389" : standard JNDI connection URL
+ userBase="ou=people,dc=localhost-pki-kra" : standard JNDI userBase property
+ userSearch="(description={0})" : Attribute to search for user of incoming client auth certificate
+ : Use userSearch="(UID={0})" if wanting to search isolate user based on UID
+ : Also set the following: certUIDLabel="UID" or whatever the field containing
+ : the user's UID happens to be. This will cause the incoming's cert dn to be
+ : be searched for <certUIDLabel>=<uid value>
+
+ certAttrName="userCertificate" : Attribute containing user's client auth certificate
+ roleBase="ou=groups,dc=localhost-pki-kra" : Standard JNDI search base for roles or groups
+ roleName="cn" : Standard attribute name containg roles or groups
+ roleSubtree="true" : Standard JNDI roleSubtree property
+ roleSearch="(uniqueMember={0})" : How to search for a user in a specific role or group
+ connectionName="cn=Directory Manager" : Connection name, needs elevated privileges
+ connectionPassword="secret123" : Password for elevated user
+ aclBase ="cn=aclResources,dc=localhost-pki-kra" : Custom base location of PKI ACL's in directory
+ aclAttrName="resourceACLS" : Name of attribute containing PKI ACL's
+ />
+
+ Uncomment and customize below to activate Realm.
+ Also umcomment Security Constraints and login config values
+ in WEB-INF/web.xml as well.
+ -->
+
+ <!--
+ <Realm className="com.netscape.cmscore.realm.PKIJNDIRealm"
+ connectionURL="ldap://localhost:389"
+ userBase="ou=people,dc=localhost-pki-kra"
+ userSearch="(description={0})"
+ certAttrName="userCertificate"
+ roleBase="ou=groups,dc=localhost-pki-kra"
+ roleName="cn"
+ roleSubtree="true"
+ roleSearch="(uniqueMember={0})"
+ connectionName="cn=Directory Manager"
+ connectionPassword="netscape"
+ aclBase ="cn=aclResources,dc=localhost-pki-kra"
+ aclAttrName="resourceACLS"
+ />
+
+ -->
+
+ <!-- Define the default virtual host
+ Note: XML Schema validation will not work with Xerces 2.2.
+ -->
+ <Host name="localhost" appBase="webapps"
+ unpackWARs="true" autoDeploy="false"
+ xmlValidation="false" xmlNamespaceAware="false">
+
+ <!-- SingleSignOn valve, share authentication between web applications
+ Documentation at: /docs/config/valve.html -->
+ <!--
+ <Valve className="org.apache.catalina.authenticator.SingleSignOn" />
+ -->
+
+ <!-- Access log processes all example.
+ Documentation at: /docs/config/valve.html -->
+ <!--
+ <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
+ prefix="localhost_access_log." suffix=".txt" pattern="common" resolveHosts="false"/>
+ -->
+
+ </Host>
+ </Engine>
+ </Service>
+</Server>
diff --git a/base/common/shared/conf/tomcat-users.xml b/base/common/shared/conf/tomcat-users.xml
new file mode 100644
index 000000000..f84711c0b
--- /dev/null
+++ b/base/common/shared/conf/tomcat-users.xml
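Review bot: The AJP connector `<Connector port="[PKI_AJP_PORT]" protocol="AJP/1.3" redirectPort="[PKI_AJP_REDIRECT_PORT]" />` has no `address` attribute, so once the `[PKI_OPEN_AJP_PORT_COMMENT]` substitution enables it the listener binds on every interface although AJP is only meant for a co-located front end; adding `address="127.0.0.1"` (or whatever address the deployment actually fronts it with) keeps that port off the network. On the secure connector, `strictCiphers="false"` together with the `[TOMCAT_SSL_OPTIONS]`, `[TOMCAT_SSL2_CIPHERS]` and `[TOMCAT_SSL3_CIPHERS]` placeholders means the accepted protocol and cipher set is decided entirely by the deployment substitution, and presumably the implementation's default ciphers stay enabled on top of it (verify against the tomcatjss version in use); a comment stating the intended values of those substitutions would let a reader of the generated server.xml judge the result. The commented PKIJNDIRealm block also carries a literal `connectionPassword="netscape"` for `cn=Directory Manager`; an obviously fake value such as `connectionPassword="<directory-manager-password>"` avoids it being uncommented as-is.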
@@ -0,0 +1,62 @@
+<?xml version='1.0' encoding='utf-8'?>
+<!-- BEGIN COPYRIGHT BLOCK
+ Copyright (C) 2012 Red Hat, Inc.
+ All rights reserved.
+ Modifications: configuration parameters
+ END COPYRIGHT BLOCK
+-->
+
+<!--
+ Licensed to the Apache Software Foundation (ASF) under one or more
+ contributor license agreements. See the NOTICE file distributed with
+ this work for additional information regarding copyright ownership.
+ The ASF licenses this file to You under the Apache License, Version 2.0
+ (the "License"); you may not use this file except in compliance with
+ the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+-->
+<tomcat-users>
+<!--
+ NOTE: By default, no user is included in the "manager-gui" role required
+ to operate the "/manager/html" web application. If you wish to use this app,
+ you must define such a user - the username and password are arbitrary.
+-->
+<!--
+ NOTE: The sample user and role entries below are wrapped in a comment
+ and thus are ignored when reading this file. Do not forget to remove
+ <!.. ..> that surrounds them.
+-->
+<!--
+ <role rolename="tomcat"/>
+ <role rolename="role1"/>
+ <user username="tomcat" password="tomcat" roles="tomcat"/>
+ <user username="both" password="tomcat" roles="tomcat,role1"/>
+ <user username="role1" password="tomcat" roles="role1"/>
+-->
+
+ <role rolename="pkiuser"/>
+ <role rolename="tomcat"/>
+ <role rolename="manager"/>
+ <role rolename="admin"/>
+
+ <user username="pkiuser" password="pkiuser" roles="pkiuser"/>
+ <user username="tomcat" password="tomcat" roles="tomcat"/>
+ <user username="admin" password="netscape" roles="admin,manager"/>
+
+<!-- <role rolename="admin"/> -->
+<!-- <role rolename="admin-gui"/> -->
+<!-- <role rolename="admin-script"/> -->
+<!-- <role rolename="manager"/> -->
+<!-- <role rolename="manager-gui"/> -->
+<!-- <role rolename="manager-script"/> -->
+<!-- <role rolename="manager-jmx"/> -->
+<!-- <role rolename="manager-status"/> -->
+<!-- <user name="admin" password="adminadmin" roles="admin,manager,admin-gui,admin-script,manager-gui,manager-script,manager-jmx,manager-status" /> -->
+</tomcat-users>
diff --git a/base/common/shared/conf/tomcat.conf b/base/common/shared/conf/tomcat.conf
new file mode 100644
index 000000000..aa7fefd19
--- /dev/null
+++ b/base/common/shared/conf/tomcat.conf
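Review bot: The three active entries `<user username="pkiuser" password="pkiuser" roles="pkiuser"/>`, `<user username="tomcat" password="tomcat" roles="tomcat"/>` and `<user username="admin" password="netscape" roles="admin,manager"/>` ship well-known cleartext credentials in the file that server.xml registers as the `UserDatabase` resource, so any deployment that later enables a `UserDatabaseRealm` against it inherits them unchanged. The rest of this commit routes deployment-specific values through `[PKI_...]` placeholders; doing the same for these passwords (placeholder names to be chosen), or leaving the entries commented out like the sample block above them, would keep default credentials out of installed instances. A short comment on what consumes the `manager` and `admin` roles would also help, since nothing in this file says why they are defined.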
@@ -0,0 +1,58 @@
+# --- BEGIN COPYRIGHT BLOCK ---
+# Copyright (C) 2012 Red Hat, Inc.
+# All rights reserved.
+# Modifications: configuration parameters
+# --- END COPYRIGHT BLOCK ---
+
+# System-wide configuration file for tomcat services
+# This will be sourced by tomcat and any secondary service
+# Values will be overridden by service-specific configuration
+# files in /etc/sysconfig
+#
+# Use this one to change default values for all services
+# Change the service specific ones to affect only one service
+# (see, for instance, /etc/sysconfig/tomcat)
+#
+
+# Where your java installation lives
+#JAVA_HOME="/usr/lib/jvm/jre"
+
+# Where your tomcat installation lives
+CATALINA_BASE="[PKI_INSTANCE_PATH]"
+#CATALINA_HOME="/usr/share/tomcat"
+#JASPER_HOME="/usr/share/tomcat"
+#CATALINA_TMPDIR="/var/cache/tomcat/temp"
+
+# You can pass some parameters to java here if you wish to
+#JAVA_OPTS="-Xminf0.1 -Xmaxf0.3"
+
+# Use JAVA_OPTS to set java.library.path for libtcnative.so
+#JAVA_OPTS="-Djava.library.path=/usr/lib"
+
+# What user should run tomcat
+TOMCAT_USER="[PKI_USER]"
+
+# You can change your tomcat locale here
+#LANG="en_US"
+
+# Run tomcat under the Java Security Manager
+SECURITY_MANAGER="[PKI_SECURITY_MANAGER]"
+
+# Time to wait in seconds, before killing process
+#SHUTDOWN_WAIT="30"
+
+# Whether to annoy the user with "attempting to shut down" messages or not
+#SHUTDOWN_VERBOSE="false"
+
+# Set the TOMCAT_PID location
+CATALINA_PID="[TOMCAT_PIDFILE]"
+
+# Set the tomcat log file
+TOMCAT_LOG="[TOMCAT_LOG_DIR]/tomcat-initd.log"
+
+# Connector port is 8080 for this tomcat instance
+#CONNECTOR_PORT="8080"
+
+# If you wish to further customize your tomcat environment,
+# put your own definitions here
+# (i.e. LD_LIBRARY_PATH for some jdbc drivers)
diff --git a/base/common/shared/lib/systemd/system/pki-tomcatd.target b/base/common/shared/lib/systemd/system/pki-tomcatd.target
new file mode 100644
index 000000000..633beae71
--- /dev/null
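Review bot: The header `# System-wide configuration file for tomcat services` and the pointers to `/etc/sysconfig/tomcat` describe the distribution-wide tomcat.conf, but this copy is installed per instance and pins `CATALINA_BASE="[PKI_INSTANCE_PATH]"`, `CATALINA_PID="[TOMCAT_PIDFILE]"` and `TOMCAT_USER="[PKI_USER]"`, so the text no longer matches what the file does. Replacing the first paragraph with something like `# Per-instance tomcat configuration for the PKI instance at [PKI_INSTANCE_PATH]; [PKI_...] and [TOMCAT_...] values are substituted at deployment time` would stop readers from editing the wrong file. A comment on `SECURITY_MANAGER="[PKI_SECURITY_MANAGER]"` stating which value the deployment substitutes would also help, since whether the instance runs under the Java Security Manager is not otherwise visible here.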
+++ b/base/common/shared/lib/systemd/system/pki-tomcatd.target
@@ -0,0 +1,8 @@
+[Unit]
+Description=PKI Tomcat Server
+After=syslog.target network.target
+
+[Install]
+WantedBy=multi-user.target
+
+
diff --git a/base/common/shared/lib/systemd/system/pki-tomcatd@.service b/base/common/shared/lib/systemd/system/pki-tomcatd@.service
new file mode 100644
index 000000000..12bcf75a0
--- /dev/null
+++ b/base/common/shared/lib/systemd/system/pki-tomcatd@.service
@@ -0,0 +1,13 @@
+[Unit]
+Description=PKI Tomcat Server %i
+After=pki-tomcatd.target
+BindTo=pki-tomcatd.target
+
+[Service]
+Type=forking
+ExecStart=/usr/bin/pkidaemon start tomcat %i
+ExecStop=/usr/bin/pkidaemon stop tomcat %i
+
+[Install]
+WantedBy=multi-user.target
+
|
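Review bot: `Type=forking` in the `[Service]` section has no `PIDFile=`, so after `ExecStart=/usr/bin/pkidaemon start tomcat %i` returns systemd has to guess which process is the main one and may end up supervising the wrong process or none, which weakens stop, restart and failure detection for the instance. The tomcat.conf added in this commit already defines `CATALINA_PID="[TOMCAT_PIDFILE]"`, so a `PIDFile=<substituted TOMCAT_PIDFILE path for %i>` line (placeholder — the per-instance path is not visible here) would let systemd track the actual JVM. The unit also has no `User=`, so privilege dropping presumably happens inside pkidaemon via `TOMCAT_USER`; a comment in the unit saying so would make that boundary explicit. `BindTo=pki-tomcatd.target` is the older spelling of this directive and newer systemd documents it as `BindsTo=`, so confirm which one the targeted systemd version accepts.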