PKI Deployment Scriptlets

* Integration of Tomcat 7
* Addition of centralized 'pki-tomcatd' systemd functionality to the
  PKI Deployment strategy
* Removal of 'pki_flavor' attribute

12 files changed, 1053 insertions, 0 deletions

diff --git a/base/common/CMakeLists.txt b/base/common/CMakeLists.txt
index 10a7cc0bb..f602ae943 100644
--- a/base/common/CMakeLists.txt
+++ b/base/common/CMakeLists.txt
@@ -1,9 +1,23 @@
 project(common Java)
 
+# install systemd scripts
+install(
+    FILES
+        shared/lib/systemd/system/pki-tomcatd.target
+        shared/lib/systemd/system/pki-tomcatd@.service
+    DESTINATION
+        ${SYSTEMD_LIB_INSTALL_DIR}
+    PERMISSIONS
+        OWNER_EXECUTE OWNER_WRITE OWNER_READ
+        GROUP_EXECUTE GROUP_READ
+        WORLD_EXECUTE WORLD_READ
+)
+
 install(
     FILES
         setup/CertServer.directory
         setup/menu.xml
+        setup/pkidaemon_registry
     DESTINATION
         ${DATA_INSTALL_DIR}/setup/
     PERMISSIONS
@@ -12,5 +26,34 @@ install(
         WORLD_READ
 )
 
+# install directories
+install(
+    DIRECTORY
+        shared/
+    DESTINATION
+        ${DATA_INSTALL_DIR}/shared/
+    PATTERN
+        "lib/" EXCLUDE
+)
+
+# install empty directories
+install(
+    DIRECTORY
+    DESTINATION
+        ${VAR_INSTALL_DIR}/lock/pki/tomcat
+)
+
+install(
+    DIRECTORY
+    DESTINATION
+        ${VAR_INSTALL_DIR}/run/pki/tomcat
+)
+
+install(
+    DIRECTORY
+    DESTINATION 
+        ${SYSTEMD_ETC_INSTALL_DIR}/pki-tomcatd.target.wants
+)
+
 add_subdirectory(src)
 add_subdirectory(test)
diff --git a/base/common/setup/pkidaemon_registry b/base/common/setup/pkidaemon_registry
new file mode 100644
index 000000000..5cd1ca9c8
--- /dev/null
+++ b/base/common/setup/pkidaemon_registry
@@ -0,0 +1,59 @@
+# Establish PKI Variable "Slot" Substitutions
+
+PKI_WEB_SERVER_TYPE=[PKI_WEB_SERVER_TYPE]
+export PKI_WEB_SERVER_TYPE
+
+PKI_USER=[PKI_USER]
+export PKI_USER
+
+PKI_GROUP=[PKI_GROUP]
+export PKI_GROUP
+
+PKI_INSTANCE_ID=[PKI_INSTANCE_ID]
+export PKI_INSTANCE_ID
+
+PKI_INSTANCE_PATH=[PKI_INSTANCE_PATH]
+export PKI_INSTANCE_PATH
+
+PKI_INSTANCE_INITSCRIPT=[PKI_INSTANCE_INITSCRIPT]
+export PKI_INSTANCE_INITSCRIPT
+
+PKI_LOCKDIR=[PKI_LOCKDIR]
+export PKI_LOCKDIR
+
+PKI_PIDDIR=[PKI_PIDDIR]
+export PKI_PIDDIR
+
+PKI_UNSECURE_PORT=[PKI_UNSECURE_PORT]
+export PKI_UNSECURE_PORT
+
+TOMCAT_PIDFILE=[TOMCAT_PIDFILE]
+export TOMCAT_PIDFILE
+
+# Use PKI Variable "Slot" Substitutions
+
+PKI_LOCKFILE="${PKI_LOCKDIR}/${PKI_INSTANCE_ID}"
+export PKI_LOCKFILE
+
+PKI_PIDFILE="${PKI_PIDDIR}/${PKI_INSTANCE_ID}.pid"
+export PKI_PIDFILE
+
+RESTART_SERVER=${PKI_INSTANCE_PATH}/conf/restart_server_after_configuration
+export RESTART_SERVER
+
+# Use CATALINA_BASE
+
+CATALINA_BASE=$PKI_INSTANCE_PATH
+export CATALINA_BASE
+
+TOMCAT_PROG=$PKI_INSTANCE_ID
+export TOMCAT_PROG
+
+TOMCAT_USER=$PKI_USER
+export TOMCAT_USER
+
+TOMCAT_GROUP=$PKI_GROUP
+export TOMCAT_GROUP
+
+TOMCAT_LOCKFILE=/var/lock/subsys/${PKI_INSTANCE_ID}
+export TOMCAT_LOCKFILE
diff --git a/base/common/shared/conf/catalina.policy b/base/common/shared/conf/catalina.policy
new file mode 100644
index 000000000..02c1eea0a
--- /dev/null
+++ b/base/common/shared/conf/catalina.policy
@@ -0,0 +1,252 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// Copyright (C) 2012 Red Hat, Inc.
+// All rights reserved.
+// Modifications: configuration parameters
+// --- END COPYRIGHT BLOCK ---
+
+// Licensed to the Apache Software Foundation (ASF) under one or more
+// contributor license agreements.  See the NOTICE file distributed with
+// this work for additional information regarding copyright ownership.
+// The ASF licenses this file to You under the Apache License, Version 2.0
+// (the "License"); you may not use this file except in compliance with
+// the License.  You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+// ============================================================================
+// catalina.policy - Security Policy Permissions for Tomcat 7
+//
+// This file contains a default set of security policies to be enforced (by the
+// JVM) when Catalina is executed with the "-security" option.  In addition
+// to the permissions granted here, the following additional permissions are
+// granted to each web application:
+//
+// * Read access to the web application's document root directory
+// * Read, write and delete access to the web application's working directory
+//
+// $Id: catalina.policy 1220297 2011-12-17 22:55:28Z markt $
+// ============================================================================
+
+
+// ========== SYSTEM CODE PERMISSIONS =========================================
+
+
+// These permissions apply to javac
+grant codeBase "file:${java.home}/lib/-" {
+        permission java.security.AllPermission;
+};
+
+// These permissions apply to all shared system extensions
+grant codeBase "file:${java.home}/jre/lib/ext/-" {
+        permission java.security.AllPermission;
+};
+
+// These permissions apply to javac when ${java.home] points at $JAVA_HOME/jre
+grant codeBase "file:${java.home}/../lib/-" {
+        permission java.security.AllPermission;
+};
+
+// These permissions apply to all shared system extensions when
+// ${java.home} points at $JAVA_HOME/jre
+grant codeBase "file:${java.home}/lib/ext/-" {
+        permission java.security.AllPermission;
+};
+
+
+// ========== CATALINA CODE PERMISSIONS =======================================
+
+
+// These permissions apply to the daemon code
+grant codeBase "file:${catalina.home}/bin/commons-daemon.jar" {
+        permission java.security.AllPermission;
+};
+
+// These permissions apply to the logging API
+// Note: If tomcat-juli.jar is in ${catalina.base} and not in ${catalina.home},
+// update this section accordingly.
+//  grant codeBase "file:${catalina.base}/bin/tomcat-juli.jar" {..}
+grant codeBase "file:${catalina.home}/bin/tomcat-juli.jar" {
+        permission java.io.FilePermission
+         "${java.home}${file.separator}lib${file.separator}logging.properties", "read";
+
+        permission java.io.FilePermission
+         "${catalina.base}${file.separator}conf${file.separator}logging.properties", "read";
+        permission java.io.FilePermission
+         "${catalina.base}${file.separator}logs", "read, write";
+        permission java.io.FilePermission
+         "${catalina.base}${file.separator}logs${file.separator}*", "read, write";
+
+        permission java.lang.RuntimePermission "shutdownHooks";
+        permission java.lang.RuntimePermission "getClassLoader";
+        permission java.lang.RuntimePermission "setContextClassLoader";
+
+        permission java.util.logging.LoggingPermission "control";
+
+        permission java.util.PropertyPermission "java.util.logging.config.class", "read";
+        permission java.util.PropertyPermission "java.util.logging.config.file", "read";
+        permission java.util.PropertyPermission "catalina.base", "read";
+        permission java.util.PropertyPermission
+         "org.apache.juli.logging.UserDataHelper.CONFIG", "read";
+        permission java.util.PropertyPermission
+         "org.apache.juli.logging.UserDataHelper.SUPPRESSION_TIME", "read";
+
+        // Note: To enable per context logging configuration, permit read access to
+        // the appropriate file. Be sure that the logging configuration is
+        // secure before enabling such access.
+        // E.g. for the examples web application (uncomment and unwrap
+        // the following to be on a single line):
+        // permission java.io.FilePermission "${catalina.base}${file.separator}
+        //  webapps${file.separator}examples${file.separator}WEB-INF
+        //  ${file.separator}classes${file.separator}logging.properties", "read";
+};
+
+// These permissions apply to the server startup code
+grant codeBase "file:${catalina.home}/bin/bootstrap.jar" {
+        permission java.security.AllPermission;
+};
+
+// These permissions apply to the servlet API classes
+// and those that are shared across all class loaders
+// located in the "lib" directory
+grant codeBase "file:${catalina.home}/lib/-" {
+        permission java.security.AllPermission;
+};
+
+
+// If using a per instance lib directory, i.e. ${catalina.base}/lib,
+// then the following permission will need to be uncommented
+// grant codeBase "file:${catalina.base}/lib/-" {
+//         permission java.security.AllPermission;
+// };
+
+
+// ========== WEB APPLICATION PERMISSIONS =====================================
+
+
+// These permissions are granted by default to all web applications
+// In addition, a web application will be given a read FilePermission
+// and JndiPermission for all files and directories in its document root.
+grant {
+    // Required for JNDI lookup of named JDBC DataSource's and
+    // javamail named MimePart DataSource used to send mail
+    permission java.util.PropertyPermission "java.home", "read";
+    permission java.util.PropertyPermission "java.naming.*", "read";
+    permission java.util.PropertyPermission "javax.sql.*", "read";
+
+    // OS Specific properties to allow read access
+    permission java.util.PropertyPermission "os.name", "read";
+    permission java.util.PropertyPermission "os.version", "read";
+    permission java.util.PropertyPermission "os.arch", "read";
+    permission java.util.PropertyPermission "file.separator", "read";
+    permission java.util.PropertyPermission "path.separator", "read";
+    permission java.util.PropertyPermission "line.separator", "read";
+
+    // JVM properties to allow read access
+    permission java.util.PropertyPermission "java.version", "read";
+    permission java.util.PropertyPermission "java.vendor", "read";
+    permission java.util.PropertyPermission "java.vendor.url", "read";
+    permission java.util.PropertyPermission "java.class.version", "read";
+    permission java.util.PropertyPermission "java.specification.version", "read";
+    permission java.util.PropertyPermission "java.specification.vendor", "read";
+    permission java.util.PropertyPermission "java.specification.name", "read";
+
+    permission java.util.PropertyPermission "java.vm.specification.version", "read";
+    permission java.util.PropertyPermission "java.vm.specification.vendor", "read";
+    permission java.util.PropertyPermission "java.vm.specification.name", "read";
+    permission java.util.PropertyPermission "java.vm.version", "read";
+    permission java.util.PropertyPermission "java.vm.vendor", "read";
+    permission java.util.PropertyPermission "java.vm.name", "read";
+
+    // Required for OpenJMX
+    permission java.lang.RuntimePermission "getAttribute";
+
+    // Allow read of JAXP compliant XML parser debug
+    permission java.util.PropertyPermission "jaxp.debug", "read";
+
+    // All JSPs need to be able to read this package
+    permission java.lang.RuntimePermission "accessClassInPackage.org.apache.tomcat";
+
+    // Precompiled JSPs need access to these packages.
+    permission java.lang.RuntimePermission "accessClassInPackage.org.apache.jasper.el";
+    permission java.lang.RuntimePermission "accessClassInPackage.org.apache.jasper.runtime";
+    permission java.lang.RuntimePermission
+     "accessClassInPackage.org.apache.jasper.runtime.*";
+
+    // Precompiled JSPs need access to these system properties.
+    permission java.util.PropertyPermission
+     "org.apache.jasper.runtime.BodyContentImpl.LIMIT_BUFFER", "read";
+    permission java.util.PropertyPermission
+     "org.apache.el.parser.COERCE_TO_ZERO", "read";
+
+    // The cookie code needs these.
+    permission java.util.PropertyPermission
+     "org.apache.catalina.STRICT_SERVLET_COMPLIANCE", "read";
+    permission java.util.PropertyPermission
+     "org.apache.tomcat.util.http.ServerCookie.STRICT_NAMING", "read";
+    permission java.util.PropertyPermission
+     "org.apache.tomcat.util.http.ServerCookie.FWD_SLASH_IS_SEPARATOR", "read";
+
+    // Applications using Comet need to be able to access this package
+    permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.comet";
+};
+
+
+// The Manager application needs access to the following packages to support the
+// session display functionality. These settings support the following
+// configurations:
+// - default CATALINA_HOME == CATALINA_BASE
+// - CATALINA_HOME != CATALINA_BASE, per instance Manager in CATALINA_BASE
+// - CATALINA_HOME != CATALINA_BASE, shared Manager in CATALINA_HOME
+grant codeBase "file:${catalina.base}/webapps/manager/-" {
+    permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina";
+    permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.ha.session";
+    permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.manager";
+    permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.manager.util";
+    permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.util";
+};
+grant codeBase "file:${catalina.home}/webapps/manager/-" {
+    permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina";
+    permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.ha.session";
+    permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.manager";
+    permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.manager.util";
+    permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.util";
+};
+
+// You can assign additional permissions to particular web applications by
+// adding additional "grant" entries here, based on the code base for that
+// application, /WEB-INF/classes/, or /WEB-INF/lib/ jar files.
+//
+// Different permissions can be granted to JSP pages, classes loaded from
+// the /WEB-INF/classes/ directory, all jar files in the /WEB-INF/lib/
+// directory, or even to individual jar files in the /WEB-INF/lib/ directory.
+//
+// For instance, assume that the standard "examples" application
+// included a JDBC driver that needed to establish a network connection to the
+// corresponding database and used the scrape taglib to get the weather from
+// the NOAA web server.  You might create a "grant" entries like this:
+//
+// The permissions granted to the context root directory apply to JSP pages.
+// grant codeBase "file:${catalina.base}/webapps/examples/-" {
+//      permission java.net.SocketPermission "dbhost.mycompany.com:5432", "connect";
+//      permission java.net.SocketPermission "*.noaa.gov:80", "connect";
+// };
+//
+// The permissions granted to the context WEB-INF/classes directory
+// grant codeBase "file:${catalina.base}/webapps/examples/WEB-INF/classes/-" {
+// };
+//
+// The permission granted to your JDBC driver
+// grant codeBase "jar:file:${catalina.base}/webapps/examples/WEB-INF/lib/driver.jar!/-" {
+//      permission java.net.SocketPermission "dbhost.mycompany.com:5432", "connect";
+// };
+// The permission granted to the scrape taglib
+// grant codeBase "jar:file:${catalina.base}/webapps/examples/WEB-INF/lib/scrape.jar!/-" {
+//      permission java.net.SocketPermission "*.noaa.gov:80", "connect";
+// };
+
diff --git a/base/common/shared/conf/catalina.properties b/base/common/shared/conf/catalina.properties
new file mode 100644
index 000000000..003089a43
--- /dev/null
+++ b/base/common/shared/conf/catalina.properties
@@ -0,0 +1,125 @@
+# --- BEGIN COPYRIGHT BLOCK ---
+# Copyright (C) 2012 Red Hat, Inc.
+# All rights reserved.
+# Modifications: configuration parameters
+# --- END COPYRIGHT BLOCK ---
+
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements.  See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License.  You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+#
+# List of comma-separated packages that start with or equal this string
+# will cause a security exception to be thrown when
+# passed to checkPackageAccess unless the
+# corresponding RuntimePermission ("accessClassInPackage."+package) has
+# been granted.
+package.access=sun.,org.apache.catalina.,org.apache.coyote.,org.apache.tomcat.,org.apache.jasper.
+#
+# List of comma-separated packages that start with or equal this string
+# will cause a security exception to be thrown when
+# passed to checkPackageDefinition unless the
+# corresponding RuntimePermission ("defineClassInPackage."+package) has
+# been granted.
+#
+# by default, no packages are restricted for definition, and none of
+# the class loaders supplied with the JDK call checkPackageDefinition.
+#
+package.definition=sun.,java.,org.apache.catalina.,org.apache.coyote.,org.apache.tomcat.,org.apache.jasper.
+
+#
+#
+# List of comma-separated paths defining the contents of the "common"
+# classloader. Prefixes should be used to define what is the repository type.
+# Path may be relative to the CATALINA_HOME or CATALINA_BASE path or absolute.
+# If left as blank,the JVM system loader will be used as Catalina's "common"
+# loader.
+# Examples:
+#     "foo": Add this folder as a class repository
+#     "foo/*.jar": Add all the JARs of the specified folder as class
+#                  repositories
+#     "foo/bar.jar": Add bar.jar as a class repository
+common.loader=${catalina.base}/lib,${catalina.base}/lib/*.jar,${catalina.home}/lib,${catalina.home}/lib/*.jar,[TOMCAT_INSTANCE_COMMON_LIB]
+
+#
+# List of comma-separated paths defining the contents of the "server"
+# classloader. Prefixes should be used to define what is the repository type.
+# Path may be relative to the CATALINA_HOME or CATALINA_BASE path or absolute.
+# If left as blank, the "common" loader will be used as Catalina's "server"
+# loader.
+# Examples:
+#     "foo": Add this folder as a class repository
+#     "foo/*.jar": Add all the JARs of the specified folder as class
+#                  repositories
+#     "foo/bar.jar": Add bar.jar as a class repository
+server.loader=
+
+#
+# List of comma-separated paths defining the contents of the "shared"
+# classloader. Prefixes should be used to define what is the repository type.
+# Path may be relative to the CATALINA_BASE path or absolute. If left as blank,
+# the "common" loader will be used as Catalina's "shared" loader.
+# Examples:
+#     "foo": Add this folder as a class repository
+#     "foo/*.jar": Add all the JARs of the specified folder as class
+#                  repositories
+#     "foo/bar.jar": Add bar.jar as a class repository
+# Please note that for single jars, e.g. bar.jar, you need the URL form
+# starting with file:.
+shared.loader=
+
+# List of JAR files that should not be scanned for configuration information
+# such as web fragments, TLD files etc. It must be a comma separated list of
+# JAR file names.
+# The JARs listed below include:
+# - Tomcat Bootstrap JARs
+# - Tomcat API JARs
+# - Catalina JARs
+# - Jasper JARs
+# - Tomcat JARs
+# - Common non-Tomcat JARs
+# - Sun JDK JARs
+# - Apple JDK JARs
+tomcat.util.scan.DefaultJarScanner.jarsToSkip=\
+bootstrap.jar,commons-daemon.jar,tomcat-juli.jar,\
+annotations-api.jar,el-api.jar,jsp-api.jar,servlet-api.jar,\
+catalina.jar,catalina-ant.jar,catalina-ha.jar,catalina-tribes.jar,\
+jasper.jar,jasper-el.jar,ecj-*.jar,\
+tomcat-api.jar,tomcat-util.jar,tomcat-coyote.jar,tomcat-dbcp.jar,\
+tomcat-i18n-en.jar,tomcat-i18n-es.jar,tomcat-i18n-fr.jar,tomcat-i18n-ja.jar,\
+tomcat-juli-adapters.jar,catalina-jmx-remote.jar,catalina-ws.jar,\
+tomcat-jdbc.jar,\
+commons-beanutils*.jar,commons-codec*.jar,commons-collections*.jar,\
+commons-dbcp*.jar,commons-digester*.jar,commons-fileupload*.jar,\
+commons-httpclient*.jar,commons-io*.jar,commons-lang*.jar,commons-logging*.jar,\
+commons-math*.jar,commons-pool*.jar,\
+jstl.jar,\
+geronimo-spec-jaxrpc*.jar,wsdl4j*.jar,\
+ant.jar,ant-junit*.jar,aspectj*.jar,jmx.jar,h2*.jar,hibernate*.jar,httpclient*.jar,\
+jmx-tools.jar,jta*.jar,log4j*.jar,mail*.jar,slf4j*.jar,\
+xercesImpl.jar,xmlParserAPIs.jar,xml-apis.jar,\
+dnsns.jar,ldapsec.jar,localedata.jar,sunjce_provider.jar,sunmscapi.jar,\
+sunpkcs11.jar,jhall.jar,tools.jar,\
+sunec.jar,zipfs.jar,\
+apple_provider.jar,AppleScriptEngine.jar,CoreAudio.jar,dns_sd.jar,\
+j3daudio.jar,j3dcore.jar,j3dutils.jar,jai_core.jar,jai_codec.jar,\
+mlibwrapper_jai.jar,MRJToolkit.jar,vecmath.jar,\
+junit.jar,junit-*.jar,ant-launcher.jar
+
+#
+# String cache configuration.
+tomcat.util.buf.StringCache.byte.enabled=true
+#tomcat.util.buf.StringCache.char.enabled=true
+#tomcat.util.buf.StringCache.trainThreshold=500000
+#tomcat.util.buf.StringCache.cacheSize=5000
diff --git a/base/common/shared/conf/context.xml b/base/common/shared/conf/context.xml
new file mode 100644
index 000000000..4b00dbe3c
--- /dev/null
+++ b/base/common/shared/conf/context.xml
@@ -0,0 +1,42 @@
+<?xml version='1.0' encoding='utf-8'?>
+<!-- BEGIN COPYRIGHT BLOCK
+     Copyright (C) 2012 Red Hat, Inc.
+     All rights reserved.
+     Modifications: configuration parameters
+     END COPYRIGHT BLOCK
+-->
+
+<!--
+  Licensed to the Apache Software Foundation (ASF) under one or more
+  contributor license agreements.  See the NOTICE file distributed with
+  this work for additional information regarding copyright ownership.
+  The ASF licenses this file to You under the Apache License, Version 2.0
+  (the "License"); you may not use this file except in compliance with
+  the License.  You may obtain a copy of the License at
+
+      http://www.apache.org/licenses/LICENSE-2.0
+
+  Unless required by applicable law or agreed to in writing, software
+  distributed under the License is distributed on an "AS IS" BASIS,
+  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  See the License for the specific language governing permissions and
+  limitations under the License.
+-->
+<!-- The contents of this file will be loaded for each web application -->
+<Context>
+
+    <!-- Default set of monitored resources -->
+    <WatchedResource>WEB-INF/web.xml</WatchedResource>
+
+    <!-- Uncomment this to disable session persistence across Tomcat restarts -->
+    <!--
+    <Manager pathname="" />
+    -->
+
+    <!-- Uncomment this to enable Comet connection tacking (provides events
+         on session expiration as well as webapp lifecycle) -->
+    <!--
+    <Valve className="org.apache.catalina.valves.CometConnectionManagerValve" />
+    -->
+
+</Context>
diff --git a/base/common/shared/conf/log4j.properties b/base/common/shared/conf/log4j.properties
new file mode 100644
index 000000000..5861ec750
--- /dev/null
+++ b/base/common/shared/conf/log4j.properties
@@ -0,0 +1,17 @@
+# --- BEGIN COPYRIGHT BLOCK ---
+# Copyright (C) 2012 Red Hat, Inc.
+# All rights reserved.
+# Modifications: configuration parameters
+# --- END COPYRIGHT BLOCK ---
+
+log4j.rootLogger=debug, R 
+log4j.appender.R=org.apache.log4j.RollingFileAppender 
+log4j.appender.R.File=${catalina.home}/logs/tomcat.log 
+log4j.appender.R.MaxFileSize=10MB 
+log4j.appender.R.MaxBackupIndex=10 
+log4j.appender.R.layout=org.apache.log4j.PatternLayout 
+log4j.appender.R.layout.ConversionPattern=%p %t %c - %m%n 
+log4j.logger.org.apache.catalina=DEBUG, R
+log4j.logger.org.apache.catalina.core.ContainerBase.[Catalina].[localhost]=DEBUG, R
+log4j.logger.org.apache.catalina.core=DEBUG, R
+log4j.logger.org.apache.catalina.session=DEBUG, R
diff --git a/base/common/shared/conf/logging.properties b/base/common/shared/conf/logging.properties
new file mode 100644
index 000000000..f1fb462aa
--- /dev/null
+++ b/base/common/shared/conf/logging.properties
@@ -0,0 +1,70 @@
+# --- BEGIN COPYRIGHT BLOCK ---
+# Copyright (C) 2012 Red Hat, Inc.
+# All rights reserved.
+# Modifications: configuration parameters
+# --- END COPYRIGHT BLOCK ---
+
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements.  See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License.  You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+handlers = 1catalina.org.apache.juli.FileHandler, 2localhost.org.apache.juli.FileHandler, 3manager.org.apache.juli.FileHandler, 4host-manager.org.apache.juli.FileHandler, java.util.logging.ConsoleHandler
+
+.handlers = 1catalina.org.apache.juli.FileHandler, java.util.logging.ConsoleHandler
+
+############################################################
+# Handler specific properties.
+# Describes specific configuration info for Handlers.
+############################################################
+
+1catalina.org.apache.juli.FileHandler.level = FINE
+1catalina.org.apache.juli.FileHandler.directory = ${catalina.base}/logs
+1catalina.org.apache.juli.FileHandler.prefix = catalina.
+
+2localhost.org.apache.juli.FileHandler.level = FINE
+2localhost.org.apache.juli.FileHandler.directory = ${catalina.base}/logs
+2localhost.org.apache.juli.FileHandler.prefix = localhost.
+
+3manager.org.apache.juli.FileHandler.level = FINE
+3manager.org.apache.juli.FileHandler.directory = ${catalina.base}/logs
+3manager.org.apache.juli.FileHandler.prefix = manager.
+
+4host-manager.org.apache.juli.FileHandler.level = FINE
+4host-manager.org.apache.juli.FileHandler.directory = ${catalina.base}/logs
+4host-manager.org.apache.juli.FileHandler.prefix = host-manager.
+
+java.util.logging.ConsoleHandler.level = FINE
+java.util.logging.ConsoleHandler.formatter = java.util.logging.SimpleFormatter
+
+
+############################################################
+# Facility specific properties.
+# Provides extra control for each logger.
+############################################################
+
+org.apache.catalina.core.ContainerBase.[Catalina].[localhost].level = INFO
+org.apache.catalina.core.ContainerBase.[Catalina].[localhost].handlers = 2localhost.org.apache.juli.FileHandler
+
+org.apache.catalina.core.ContainerBase.[Catalina].[localhost].[/manager].level = INFO
+org.apache.catalina.core.ContainerBase.[Catalina].[localhost].[/manager].handlers = 3manager.org.apache.juli.FileHandler
+
+org.apache.catalina.core.ContainerBase.[Catalina].[localhost].[/host-manager].level = INFO
+org.apache.catalina.core.ContainerBase.[Catalina].[localhost].[/host-manager].handlers = 4host-manager.org.apache.juli.FileHandler
+
+# For example, set the org.apache.catalina.util.LifecycleBase logger to log
+# each component that extends LifecycleBase changing state:
+#org.apache.catalina.util.LifecycleBase.level = FINE
+
+# To see debug messages in TldLocationsCache, uncomment the following line:
+#org.apache.jasper.compiler.TldLocationsCache.level = FINE
diff --git a/base/common/shared/conf/server.xml b/base/common/shared/conf/server.xml
new file mode 100644
index 000000000..d5788552c
--- /dev/null
+++ b/base/common/shared/conf/server.xml
@@ -0,0 +1,304 @@
+<?xml version='1.0' encoding='utf-8'?>
+<!-- BEGIN COPYRIGHT BLOCK
+     Copyright (C) 2012 Red Hat, Inc.
+     All rights reserved.
+     Modifications: configuration parameters
+     END COPYRIGHT BLOCK -->
+<!--
+  Licensed to the Apache Software Foundation (ASF) under one or more
+  contributor license agreements.  See the NOTICE file distributed with
+  this work for additional information regarding copyright ownership.
+  The ASF licenses this file to You under the Apache License, Version 2.0
+  (the "License"); you may not use this file except in compliance with
+  the License.  You may obtain a copy of the License at
+
+      http://www.apache.org/licenses/LICENSE-2.0
+
+  Unless required by applicable law or agreed to in writing, software
+  distributed under the License is distributed on an "AS IS" BASIS,
+  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  See the License for the specific language governing permissions and
+  limitations under the License.
+-->
+<!-- Note:  A "Server" is not itself a "Container", so you may not
+     define subcomponents such as "Valves" at this level.
+     Documentation at /docs/config/server.html
+-->
+
+<!-- DO NOT REMOVE - Begin PKI Status Definitions -->
+<!-- CA Status Definitions -->
+<!--
+Unsecure Port       = http://[PKI_MACHINE_NAME]:[PKI_UNSECURE_PORT]/ca/ee/ca
+Secure Agent Port   = https://[PKI_MACHINE_NAME]:[PKI_AGENT_SECURE_PORT]/ca/agent/ca
+Secure EE Port      = https://[PKI_MACHINE_NAME]:[PKI_EE_SECURE_PORT]/ca/ee/ca
+Secure Admin Port   = https://[PKI_MACHINE_NAME]:[PKI_ADMIN_SECURE_PORT]/ca/services
+EE Client Auth Port = https://[PKI_MACHINE_NAME]:[PKI_EE_SECURE_CLIENT_AUTH_PORT]/ca/eeca/ca
+PKI Console Port    = pkiconsole https://[PKI_MACHINE_NAME]:[PKI_ADMIN_SECURE_PORT]/ca
+Tomcat Port         = [TOMCAT_SERVER_PORT] (for shutdown)
+-->
+<!-- KRA Status Definitions -->
+<!--
+Unsecure Port       = http://[PKI_MACHINE_NAME]:[PKI_UNSECURE_PORT]/kra/ee/kra
+Secure Agent Port   = https://[PKI_MACHINE_NAME]:[PKI_AGENT_SECURE_PORT]/kra/agent/kra
+Secure EE Port      = https://[PKI_MACHINE_NAME]:[PKI_EE_SECURE_PORT]/kra/ee/kra
+Secure Admin Port   = https://[PKI_MACHINE_NAME]:[PKI_ADMIN_SECURE_PORT]/kra/services
+PKI Console Port    = pkiconsole https://[PKI_MACHINE_NAME]:[PKI_ADMIN_SECURE_PORT]/kra
+Tomcat Port         = [TOMCAT_SERVER_PORT] (for shutdown)
+-->
+<!-- OCSP Status Definitions -->
+<!--
+Unsecure Port       = http://[PKI_MACHINE_NAME]:[PKI_UNSECURE_PORT]/ocsp/ee/ocsp
+Secure Agent Port   = https://[PKI_MACHINE_NAME]:[PKI_AGENT_SECURE_PORT]/ocsp/agent/ocsp
+Secure EE Port      = https://[PKI_MACHINE_NAME]:[PKI_EE_SECURE_PORT]/ocsp/ee/ocsp
+Secure Admin Port   = https://[PKI_MACHINE_NAME]:[PKI_ADMIN_SECURE_PORT]/ocsp/services
+PKI Console Port    = pkiconsole https://[PKI_MACHINE_NAME]:[PKI_ADMIN_SECURE_PORT]/ocsp
+Tomcat Port         = [TOMCAT_SERVER_PORT] (for shutdown)
+-->
+<!-- TKS Status Definitions -->
+<!--
+Unsecure Port       = http://[PKI_MACHINE_NAME]:[PKI_UNSECURE_PORT]/tks/ee/tks
+Secure Agent Port   = https://[PKI_MACHINE_NAME]:[PKI_AGENT_SECURE_PORT]/tks/agent/tks
+Secure EE Port      = https://[PKI_MACHINE_NAME]:[PKI_EE_SECURE_PORT]/tks/ee/tks
+Secure Admin Port   = https://[PKI_MACHINE_NAME]:[PKI_ADMIN_SECURE_PORT]/tks/services
+PKI Console Port    = pkiconsole https://[PKI_MACHINE_NAME]:[PKI_ADMIN_SECURE_PORT]/tks
+Tomcat Port         = [TOMCAT_SERVER_PORT] (for shutdown)
+-->
+<!-- DO NOT REMOVE - End PKI Status Definitions -->
+
+<Server port="[TOMCAT_SERVER_PORT]" shutdown="SHUTDOWN">
+
+  <!--APR library loader. Documentation at /docs/apr.html -->
+  <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />
+  <!--Initialize Jasper prior to webapps are loaded. Documentation at /docs/jasper-howto.html -->
+  <Listener className="org.apache.catalina.core.JasperListener" />
+  <!-- JMX Support for the Tomcat server. Documentation at /docs/non-existent.html -->
+  <!-- The following class has been commented out because it -->
+  <!-- has been EXCLUDED from the Tomcat 7 'tomcat-lib' RPM! -->
+  <!-- Listener className="org.apache.catalina.mbeans.ServerLifecycleListener" -->
+  <Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener" />
+
+  <!-- Global JNDI resources
+       Documentation at /docs/jndi-resources-howto.html
+  -->
+  <GlobalNamingResources>
+    <!-- Editable user database that can also be used by
+         UserDatabaseRealm to authenticate users
+    -->
+    <Resource name="UserDatabase" auth="Container"
+              type="org.apache.catalina.UserDatabase"
+              description="User database that can be updated and saved"
+              factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
+              pathname="conf/tomcat-users.xml" />
+  </GlobalNamingResources>
+
+  <!-- A "Service" is a collection of one or more "Connectors" that share
+       a single "Container" Note:  A "Service" is not itself a "Container",
+       so you may not define subcomponents such as "Valves" at this level.
+       Documentation at /docs/config/service.html
+  -->
+  <Service name="Catalina">
+
+    <!--The connectors can use a shared executor, you can define one or more named thread pools-->
+    <!--
+    <Executor name="tomcatThreadPool" namePrefix="catalina-exec-"
+        maxThreads="150" minSpareThreads="4"/>
+    -->
+
+
+    <!-- A "Connector" represents an endpoint by which requests are received
+         and responses are returned. Documentation at :
+         Java HTTP Connector: /docs/config/http.html (blocking & non-blocking)
+         Java AJP  Connector: /docs/config/ajp.html
+         APR (HTTP/AJP) Connector: /docs/apr.html
+         Define a non-SSL HTTP/1.1 Connector on port 8080
+    -->
+
+    [PKI_UNSECURE_PORT_SERVER_COMMENT]
+    <Connector name="[PKI_UNSECURE_PORT_CONNECTOR_NAME]" port="[PKI_UNSECURE_PORT]" protocol="HTTP/1.1" redirectPort="8443"
+           maxHttpHeaderSize="8192"
+           acceptCount="100" maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
+           enableLookups="false" connectionTimeout="20000" disableUploadTimeout="true"
+           />
+
+    <!-- Define a SSL HTTP/1.1 Connector on port 8443 -->
+    [PKI_SECURE_PORT_SERVER_COMMENT]
+    <!-- DO NOT REMOVE - Begin define PKI secure port
+    1
+    NOTE: The OCSP settings take effect globally, so it should only be set once.
+
+      In setup where SSL clientAuth="true", OCSP can be turned on by
+      setting enableOCSP to true like the following:
+        enableOCSP="true"
+      along with changes to related settings, especially:
+        ocspResponderURL=<see example in connector definition below>
+        ocspResponderCertNickname=<see example in connector definition below>
+      Here are the definition to all the OCSP-related settings:
+        enableOCSP - turns on/off the ocsp check
+        ocspResponderURL - sets the url where the ocsp requests are sent
+        ocspResponderCertNickname - sets the nickname of the cert that is
+        either CA's signing certificate or the OCSP server's signing
+        certificate.
+        The CA's signing certificate should already be in the db, in
+        case of the same security domain.
+        In case of an ocsp signing certificate, one must import the cert
+        into the subsystem's nss db and set trust. e.g.:
+          certutil -d . -A -n "ocspSigningCert cert-pki-ca" -t "C,," -a -i ocspCert.b64
+        ocspCacheSize - sets max cache entries
+        ocspMinCacheEntryDuration - sets minimum seconds to next fetch attempt
+        ocspMaxCacheEntryDuration - sets maximum seconds to next fetch attempt
+        ocspTimeout -sets OCSP timeout in seconds
+    -->
+    <Connector name="[PKI_SECURE_PORT_CONNECTOR_NAME]" port="[PKI_SECURE_PORT]" protocol="HTTP/1.1" SSLEnabled="true" sslProtocol="SSL" scheme="https" secure="true"
+           maxHttpHeaderSize="8192"
+           acceptCount="100" maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
+           enableLookups="false" disableUploadTimeout="true"
+           SSLImplementation="org.apache.tomcat.util.net.jss.JSSImplementation"
+           enableOCSP="false"
+           ocspResponderURL="http://[PKI_MACHINE_NAME]:9080/ca/ocsp"
+           ocspResponderCertNickname="ocspSigningCert cert-pki-ca"
+           ocspCacheSize="1000"
+           ocspMinCacheEntryDuration="60"
+           ocspMaxCacheEntryDuration="120"
+           ocspTimeout="10"
+           strictCiphers="false"
+           clientAuth="[PKI_AGENT_CLIENTAUTH]"
+           sslOptions="[TOMCAT_SSL_OPTIONS]"
+           ssl2Ciphers="[TOMCAT_SSL2_CIPHERS]"
+           ssl3Ciphers="[TOMCAT_SSL3_CIPHERS]"
+           tlsCiphers="[TOMCAT_TLS_CIPHERS]"
+           serverCertNickFile="[PKI_INSTANCE_PATH]/conf/serverCertNick.conf"
+           passwordFile="[PKI_INSTANCE_PATH]/conf/password.conf"
+           passwordClass="org.apache.tomcat.util.net.jss.PlainPasswordFile"
+           certdbDir="[PKI_INSTANCE_PATH]/alias"
+           />
+    <!-- DO NOT REMOVE - End define PKI secure port -->
+
+    <!-- A "Connector" using the shared thread pool-->
+    <!--
+    <Connector executor="tomcatThreadPool"
+               port="8080" protocol="HTTP/1.1"
+               connectionTimeout="20000"
+               redirectPort="8443" />
+    -->
+    <!-- Define a SSL HTTP/1.1 Connector on port 8443
+         This connector uses the JSSE configuration, when using APR, the
+         connector should be using the OpenSSL style configuration
+         described in the APR documentation -->
+    <!--
+    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
+               maxThreads="150" scheme="https" secure="true"
+               clientAuth="false" sslProtocol="TLS" />
+    -->
+
+    <!-- Define an AJP 1.3 Connector on port [PKI_AJP_PORT] -->
+[PKI_OPEN_AJP_PORT_COMMENT]
+    <Connector port="[PKI_AJP_PORT]" protocol="AJP/1.3" redirectPort="[PKI_AJP_REDIRECT_PORT]" />
+[PKI_CLOSE_AJP_PORT_COMMENT]
+
+
+    <!-- An Engine represents the entry point (within Catalina) that processes
+         every request.  The Engine implementation for Tomcat stand alone
+         analyzes the HTTP headers included with the request, and passes them
+         on to the appropriate Host (virtual host).
+         Documentation at /docs/config/engine.html -->
+
+    <!-- You should set jvmRoute to support load-balancing via AJP ie :
+    <Engine name="Catalina" defaultHost="localhost" jvmRoute="jvm1">
+    -->
+    <Engine name="Catalina" defaultHost="localhost">
+
+      <!--For clustering, please take a look at documentation at:
+          /docs/cluster-howto.html  (simple how to)
+          /docs/config/cluster.html (reference documentation) -->
+      <!--
+      <Cluster className="org.apache.catalina.ha.tcp.SimpleTcpCluster"/>
+      -->
+
+      <!-- The request dumper valve dumps useful debugging information about
+           the request and response data received and sent by Tomcat.
+           Documentation at: /docs/config/valve.html -->
+      <!--
+      <Valve className="org.apache.catalina.valves.RequestDumperValve"/>
+      -->
+
+      <!-- This Realm uses the UserDatabase configured in the global JNDI
+           resources under the key "UserDatabase".  Any edits
+           that are performed against this UserDatabase are immediately
+           available for use by the Realm.  -->
+
+      <!--
+      <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
+             resourceName="UserDatabase"/>
+      -->
+
+      <!-- Custom PKIJNDI realm
+
+          Example:
+
+          <Realm className="com.netscape.cmscore.realm.PKIJNDIRealm" : classpath to realm
+          connectionURL="ldap://localhost:389" : standard JNDI connection URL
+          userBase="ou=people,dc=localhost-pki-kra" : standard JNDI userBase property
+          userSearch="(description={0})" : Attribute to search for user of incoming client auth certificate
+                                         : Use userSearch="(UID={0})" if wanting to search isolate user based on UID
+                                         : Also set the following: certUIDLabel="UID" or whatever the field containing
+                                         : the user's UID happens to be. This will cause the incoming's cert dn to be
+                                         : be searched for <certUIDLabel>=<uid value>
+
+          certAttrName="userCertificate" : Attribute containing user's client auth certificate
+          roleBase="ou=groups,dc=localhost-pki-kra" : Standard JNDI search base for roles or groups
+          roleName="cn" : Standard attribute name containg roles or groups
+          roleSubtree="true" : Standard JNDI roleSubtree property
+          roleSearch="(uniqueMember={0})" : How to search for a user in a specific role or group
+          connectionName="cn=Directory Manager" : Connection name, needs elevated privileges
+          connectionPassword="secret123" : Password for elevated user
+          aclBase ="cn=aclResources,dc=localhost-pki-kra" : Custom base location of PKI ACL's in directory
+          aclAttrName="resourceACLS" : Name of attribute containing PKI ACL's
+          />
+
+          Uncomment and customize  below to activate Realm.
+          Also umcomment Security Constraints and login config  values
+          in WEB-INF/web.xml as well.
+      -->
+
+      <!--
+      <Realm className="com.netscape.cmscore.realm.PKIJNDIRealm"
+          connectionURL="ldap://localhost:389"
+          userBase="ou=people,dc=localhost-pki-kra"
+          userSearch="(description={0})"
+          certAttrName="userCertificate"
+          roleBase="ou=groups,dc=localhost-pki-kra"
+          roleName="cn"
+          roleSubtree="true"
+          roleSearch="(uniqueMember={0})"
+          connectionName="cn=Directory Manager"
+          connectionPassword="netscape"
+          aclBase ="cn=aclResources,dc=localhost-pki-kra"
+          aclAttrName="resourceACLS"
+          />
+
+      -->
+
+      <!-- Define the default virtual host
+           Note: XML Schema validation will not work with Xerces 2.2.
+      -->
+      <Host name="localhost"  appBase="webapps"
+            unpackWARs="true" autoDeploy="false"
+            xmlValidation="false" xmlNamespaceAware="false">
+
+        <!-- SingleSignOn valve, share authentication between web applications
+             Documentation at: /docs/config/valve.html -->
+        <!--
+        <Valve className="org.apache.catalina.authenticator.SingleSignOn" />
+        -->
+
+        <!-- Access log processes all example.
+             Documentation at: /docs/config/valve.html -->
+        <!--
+        <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
+               prefix="localhost_access_log." suffix=".txt" pattern="common" resolveHosts="false"/>
+        -->
+
+      </Host>
+    </Engine>
+  </Service>
+</Server>
diff --git a/base/common/shared/conf/tomcat-users.xml b/base/common/shared/conf/tomcat-users.xml
new file mode 100644
index 000000000..f84711c0b
--- /dev/null
+++ b/base/common/shared/conf/tomcat-users.xml
@@ -0,0 +1,62 @@
+<?xml version='1.0' encoding='utf-8'?>
+<!-- BEGIN COPYRIGHT BLOCK
+     Copyright (C) 2012 Red Hat, Inc.
+     All rights reserved.
+     Modifications: configuration parameters
+     END COPYRIGHT BLOCK
+-->
+
+<!--
+  Licensed to the Apache Software Foundation (ASF) under one or more
+  contributor license agreements.  See the NOTICE file distributed with
+  this work for additional information regarding copyright ownership.
+  The ASF licenses this file to You under the Apache License, Version 2.0
+  (the "License"); you may not use this file except in compliance with
+  the License.  You may obtain a copy of the License at
+
+      http://www.apache.org/licenses/LICENSE-2.0
+
+  Unless required by applicable law or agreed to in writing, software
+  distributed under the License is distributed on an "AS IS" BASIS,
+  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  See the License for the specific language governing permissions and
+  limitations under the License.
+-->
+<tomcat-users>
+<!--
+  NOTE:  By default, no user is included in the "manager-gui" role required
+  to operate the "/manager/html" web application.  If you wish to use this app,
+  you must define such a user - the username and password are arbitrary.
+-->
+<!--
+  NOTE:  The sample user and role entries below are wrapped in a comment
+  and thus are ignored when reading this file. Do not forget to remove
+  <!.. ..> that surrounds them.
+-->
+<!--
+  <role rolename="tomcat"/>
+  <role rolename="role1"/>
+  <user username="tomcat" password="tomcat" roles="tomcat"/>
+  <user username="both" password="tomcat" roles="tomcat,role1"/>
+  <user username="role1" password="tomcat" roles="role1"/>
+-->
+
+  <role rolename="pkiuser"/>
+  <role rolename="tomcat"/>
+  <role rolename="manager"/>
+  <role rolename="admin"/>
+
+  <user username="pkiuser" password="pkiuser" roles="pkiuser"/>
+  <user username="tomcat" password="tomcat" roles="tomcat"/>
+  <user username="admin" password="netscape" roles="admin,manager"/>
+
+<!-- <role rolename="admin"/> -->
+<!-- <role rolename="admin-gui"/> -->
+<!-- <role rolename="admin-script"/> -->
+<!-- <role rolename="manager"/> -->
+<!-- <role rolename="manager-gui"/> -->
+<!-- <role rolename="manager-script"/> -->
+<!-- <role rolename="manager-jmx"/> -->
+<!-- <role rolename="manager-status"/> -->
+<!-- <user name="admin" password="adminadmin" roles="admin,manager,admin-gui,admin-script,manager-gui,manager-script,manager-jmx,manager-status" /> -->
+</tomcat-users>
diff --git a/base/common/shared/conf/tomcat.conf b/base/common/shared/conf/tomcat.conf
new file mode 100644
index 000000000..aa7fefd19
--- /dev/null
+++ b/base/common/shared/conf/tomcat.conf
@@ -0,0 +1,58 @@
+# --- BEGIN COPYRIGHT BLOCK ---
+# Copyright (C) 2012 Red Hat, Inc.
+# All rights reserved.
+# Modifications: configuration parameters
+# --- END COPYRIGHT BLOCK ---
+
+# System-wide configuration file for tomcat services
+# This will be sourced by tomcat and any secondary service
+# Values will be overridden by service-specific configuration
+# files in /etc/sysconfig
+#
+# Use this one to change default values for all services
+# Change the service specific ones to affect only one service
+# (see, for instance, /etc/sysconfig/tomcat)
+#
+
+# Where your java installation lives
+#JAVA_HOME="/usr/lib/jvm/jre"
+
+# Where your tomcat installation lives
+CATALINA_BASE="[PKI_INSTANCE_PATH]"
+#CATALINA_HOME="/usr/share/tomcat"
+#JASPER_HOME="/usr/share/tomcat"
+#CATALINA_TMPDIR="/var/cache/tomcat/temp"
+
+# You can pass some parameters to java here if you wish to
+#JAVA_OPTS="-Xminf0.1 -Xmaxf0.3"
+
+# Use JAVA_OPTS to set java.library.path for libtcnative.so
+#JAVA_OPTS="-Djava.library.path=/usr/lib"
+
+# What user should run tomcat
+TOMCAT_USER="[PKI_USER]"
+
+# You can change your tomcat locale here
+#LANG="en_US"
+
+# Run tomcat under the Java Security Manager
+SECURITY_MANAGER="[PKI_SECURITY_MANAGER]"
+
+# Time to wait in seconds, before killing process
+#SHUTDOWN_WAIT="30"
+
+# Whether to annoy the user with "attempting to shut down" messages or not
+#SHUTDOWN_VERBOSE="false"
+
+# Set the TOMCAT_PID location
+CATALINA_PID="[TOMCAT_PIDFILE]"
+
+# Set the tomcat log file
+TOMCAT_LOG="[TOMCAT_LOG_DIR]/tomcat-initd.log"
+
+# Connector port is 8080 for this tomcat instance
+#CONNECTOR_PORT="8080"
+
+# If you wish to further customize your tomcat environment,
+# put your own definitions here
+# (i.e. LD_LIBRARY_PATH for some jdbc drivers)
diff --git a/base/common/shared/lib/systemd/system/pki-tomcatd.target b/base/common/shared/lib/systemd/system/pki-tomcatd.target
new file mode 100644
index 000000000..633beae71
--- /dev/null
+++ b/base/common/shared/lib/systemd/system/pki-tomcatd.target
@@ -0,0 +1,8 @@
+[Unit]
+Description=PKI Tomcat Server
+After=syslog.target network.target
+
+[Install]
+WantedBy=multi-user.target
+
+
diff --git a/base/common/shared/lib/systemd/system/pki-tomcatd@.service b/base/common/shared/lib/systemd/system/pki-tomcatd@.service
new file mode 100644
index 000000000..12bcf75a0
--- /dev/null
+++ b/base/common/shared/lib/systemd/system/pki-tomcatd@.service
@@ -0,0 +1,13 @@
+[Unit]
+Description=PKI Tomcat Server %i
+After=pki-tomcatd.target
+BindTo=pki-tomcatd.target
+
+[Service]
+Type=forking
+ExecStart=/usr/bin/pkidaemon start tomcat %i
+ExecStop=/usr/bin/pkidaemon stop tomcat %i
+
+[Install]
+WantedBy=multi-user.target
+