authorEndi Sukma Dewata <edewata@redhat.com>2013-04-05 15:20:01 -0400
committerEndi Sukma Dewata <edewata@redhat.com>2013-04-09 09:40:09 -0400
commit62ccd4ca0addd8a4c74bcbdfca6aea0c9381907f (patch)
treead78a933e29a517bae7876248820c40b9b5db197 /base/deploy/scripts
parent2e0194dd7791eaf07d6e9eb26df57e5a4677f426 (diff)
Renamed base/deploy to base/server.
The base/deploy folder has been renamed to base/server to match the package name. The pki.conf file has been moved into the pki-base package. Ticket #553, #564
Diffstat (limited to 'base/deploy/scripts')
-rw-r--r--base/deploy/scripts/operations1703
-rwxr-xr-xbase/deploy/scripts/pkidaemon78
2 files changed, 0 insertions, 1781 deletions
diff --git a/base/deploy/scripts/operations b/base/deploy/scripts/operations
deleted file mode 100644
index 50dd4e4fd..000000000
--- a/base/deploy/scripts/operations
+++ /dev/null
@@ -1,1703 +0,0 @@
-#!/bin/bash -X
-
-# From "http://fedoraproject.org/wiki/FCNewInit/Initscripts":
-#
-# Status Exit Codes
-#
-# 0 program is running or service is OK
-# 1 program is dead and /var/run pid file exists
-# 2 program is dead and /var/lock lock file exists
-# 3 program is not running
-# 4 program or service status is unknown
-# 5-99 reserved for future LSB use
-# 100-149 reserved for distribution use
-# 150-199 reserved for application use
-# 200-254 reserved
-#
-# Non-Status Exit Codes
-#
-# 0 action was successful
-# 1 generic or unspecified error (current practice)
-# 2 invalid or excess argument(s)
-# 3 unimplemented feature (for example, "reload")
-# 4 user had insufficient privilege
-# 5 program is not installed
-# 6 program is not configured
-# 7 program is not running
-# 8-99 reserved for future LSB use
-# 100-149 reserved for distribution use
-# 150-199 reserved for application use
-# 200-254 reserved
-#
-
-if [ -f /etc/pki/pki.conf ] ; then
- . /etc/pki/pki.conf
-fi
-
-# PKI subsystem-level directory and file values for locks
-lockfile="/var/lock/subsys/${SERVICE_NAME}"
-
-default_error=0
-
-case $command in
- start|stop|restart|condrestart|force-restart|try-restart)
- # 1 generic or unspecified error (current practice)
- default_error=1
- ;;
- reload)
- default_error=3
- ;;
- status)
- # 4 program or service status is unknown
- default_error=4
- ;;
- *)
- # 2 invalid argument(s)
- default_error=2
- ;;
-esac
-
-# Enable nullglob, if set then shell pattern globs which do not match any
-# file returns the empty string rather than the unmodified glob pattern.
-shopt -s nullglob
-
-OS=`uname -s`
-ARCHITECTURE=`uname -i`
-
-# Check to insure that this script's original invocation directory
-# has not been deleted!
-CWD=`/bin/pwd > /dev/null 2>&1`
-if [ $? -ne 0 ] ; then
- echo "Cannot invoke '$PROG_NAME' from non-existent directory!"
- exit ${default_error}
-fi
-
-# Check to insure that this script's associated PKI
-# subsystem currently resides on this system.
-PKI_CA_PATH="/usr/share/pki/ca"
-PKI_KRA_PATH="/usr/share/pki/kra"
-PKI_OCSP_PATH="/usr/share/pki/ocsp"
-PKI_RA_PATH="/usr/share/pki/ra"
-PKI_TKS_PATH="/usr/share/pki/tks"
-PKI_TPS_PATH="/usr/share/pki/tps"
-if [ '${PKI_TYPE}' == "apache" ] ; then
- if [ ! -d ${PKI_RA_PATH} ] &&
- [ ! -d ${PKI_TPS_PATH} ] ; then
- echo "This machine is missing all PKI '${PKI_TYPE}' subsystems!"
- if [ "${command}" != "status" ]; then
- # 5 program is not installed
- exit 5
- else
- exit ${default_error}
- fi
- fi
-elif [ '${PKI_TYPE}' == "tomcat" ] ; then
- if [ ! -d ${PKI_CA_PATH} ] &&
- [ ! -d ${PKI_KRA_PATH} ] &&
- [ ! -d ${PKI_OCSP_PATH} ] &&
- [ ! -d ${PKI_TKS_PATH} ] ; then
- echo "This machine is missing all PKI '${PKI_TYPE}' subsystems!"
- if [ "${command}" != "status" ]; then
- # 5 program is not installed
- exit 5
- else
- exit ${default_error}
- fi
- fi
-fi
-
-# This script must be run as root!
-RV=0
-if [ `id -u` -ne 0 ] ; then
- echo "Must be 'root' to execute '$PROG_NAME'!"
- if [ "${command}" != "status" ]; then
- # 4 user had insufficient privilege
- exit 4
- else
- # 4 program or service status is unknown
- exit 4
- fi
-fi
-
-PKI_INSTANCE_TYPES="apache tomcat"
-PKI_REGISTRY_ENTRIES=""
-PKI_SUBSYSTEMS=""
-TOTAL_PKI_REGISTRY_ENTRIES=0
-TOTAL_UNCONFIGURED_PKI_ENTRIES=0
-
-# Gather ALL registered instances of this PKI web server type
-for INSTANCE in ${PKI_REGISTRY}/*; do
- if [ -d "$INSTANCE" ] ; then
- for REGISTRY in ${INSTANCE}/*; do
- if [ -f "$REGISTRY" ] ; then
- PKI_REGISTRY_ENTRIES="${PKI_REGISTRY_ENTRIES} $REGISTRY"
- TOTAL_PKI_REGISTRY_ENTRIES=`expr ${TOTAL_PKI_REGISTRY_ENTRIES} + 1`
- fi
- done
- fi
-done
-
-# Execute the specified registered instance of this PKI web server type
-if [ -n "${pki_instance_id}" ]; then
- for INSTANCE in ${PKI_REGISTRY_ENTRIES}; do
- if [ "`basename ${INSTANCE}`" == "${pki_instance_id}" ]; then
- PKI_REGISTRY_ENTRIES="${INSTANCE}"
- TOTAL_PKI_REGISTRY_ENTRIES=1
- break
- fi
- done
-fi
-
-usage()
-{
- echo -n "Usage: ${SERVICE_PROG} ${SERVICE_NAME}"
- echo -n "{start"
- echo -n "|stop"
- echo -n "|restart"
- echo -n "|condrestart"
- echo -n "|force-restart"
- echo -n "|try-restart"
- echo -n "|reload"
- echo -n "|status} "
- echo -n "[instance-name]"
- echo
- echo
-}
-
-usage_systemd()
-{
- echo -n "Usage: /usr/bin/pkidaemon "
- echo -n "{start"
- echo -n "|stop"
- echo -n "|restart"
- echo -n "|condrestart"
- echo -n "|force-restart"
- echo -n "|try-restart"
- echo -n "|reload"
- echo -n "|status} "
- echo -n "instance-type "
- echo -n "[instance-name]"
- echo
- echo
-}
-
-list_systemd_instance_types()
-{
- echo
- for PKI_INSTANCE_TYPE in $PKI_INSTANCE_TYPES; do
- echo " $PKI_INSTANCE_TYPE"
- done
- echo
-}
-
-list_instances()
-{
- echo
- for PKI_REGISTRY_ENTRY in $PKI_REGISTRY_ENTRIES; do
- instance_name=`basename $PKI_REGISTRY_ENTRY`
- echo " $instance_name"
- done
- echo
-}
-
-list_systemd_instances()
-{
- echo
- for INSTANCE in /etc/sysconfig/pki/apache/*; do
- if [ -d "${INSTANCE}" ] ; then
- instance_name=`basename ${INSTANCE}`
- echo " $instance_name"
- fi
- done
- for INSTANCE in /etc/sysconfig/pki/tomcat/*; do
- if [ -d "${INSTANCE}" ] ; then
- instance_name=`basename ${INSTANCE}`
- echo " $instance_name"
- fi
- done
- echo
-}
-
-get_subsystems()
-{
- # Re-initialize PKI_SUBSYSTEMS for each instance
- PKI_SUBSYSTEMS=""
- case ${PKI_WEB_SERVER_TYPE} in
- tomcat)
- for SUBSYSTEM in ca kra ocsp tks; do
- if [ -d ${PKI_INSTANCE_PATH}/conf/${SUBSYSTEM} ]; then
- if [ '${PKI_SUBSYSTEMS}' == "" ] ; then
- PKI_SUBSYSTEMS="${SUBSYSTEM}"
- else
- PKI_SUBSYSTEMS="${PKI_SUBSYSTEMS} ${SUBSYSTEM}"
- fi
- fi
- done
- ;;
- apache)
- for SUBSYSTEM in ra tps; do
- if [ -d ${PKI_INSTANCE_PATH}/conf/${SUBSYSTEM} ]; then
- if [ '${PKI_SUBSYSTEMS}' == "" ] ; then
- PKI_SUBSYSTEMS="${SUBSYSTEM}"
- else
- PKI_SUBSYSTEMS="${PKI_SUBSYSTEMS} ${SUBSYSTEM}"
- fi
- fi
- done
- ;;
- *)
- echo "Unknown web server type ($PKI_WEB_SERVER_TYPE)"
- exit ${default_error}
- ;;
- esac
-}
-
-# Check arguments
-if [ $SYSTEMD ]; then
- if [ $# -lt 2 ] ; then
- # [insufficient arguments]
- echo "$PROG_NAME: Insufficient arguments!"
- echo
- usage_systemd
- echo "where valid instance types include:"
- list_systemd_instance_types
- echo "and where valid instance names include:"
- list_systemd_instances
- exit 3
- elif [ ${default_error} -eq 2 ] ; then
- # 2 invalid argument
- echo "$PROG_NAME: Invalid arguments!"
- echo
- usage_systemd
- echo "where valid instance types include:"
- list_systemd_instance_types
- echo "and where valid instance names include:"
- list_systemd_instances
- exit 2
- elif [ $# -gt 3 ] ; then
- echo "$PROG_NAME: Excess arguments!"
- echo
- usage_systemd
- echo "where valid instance types include:"
- list_systemd_instance_types
- echo "and where valid instance names include:"
- list_systemd_instances
- if [ "${command}" != "status" ]; then
- # 2 excess arguments
- exit 2
- else
- # 4 program or service status is unknown
- exit 4
- fi
- fi
-else
- if [ $# -lt 1 ] ; then
- # 3 unimplemented feature (for example, "reload")
- # [insufficient arguments]
- echo "$PROG_NAME: Insufficient arguments!"
- echo
- usage
- echo "where valid instance names include:"
- list_instances
- exit 3
- elif [ ${default_error} -eq 2 ] ; then
- # 2 invalid argument
- echo "$PROG_NAME: Invalid arguments!"
- echo
- usage
- echo "where valid instance names include:"
- list_instances
- exit 2
- elif [ $# -gt 2 ] ; then
- echo "$PROG_NAME: Excess arguments!"
- echo
- usage
- echo "where valid instance names include:"
- list_instances
- if [ "${command}" != "status" ]; then
- # 2 excess arguments
- exit 2
- else
- # 4 program or service status is unknown
- exit 4
- fi
- fi
-fi
-
-# If an "instance" was supplied, check that it is a "valid" instance
-if [ -n "${pki_instance_id}" ]; then
- valid=0
- for PKI_REGISTRY_ENTRY in $PKI_REGISTRY_ENTRIES; do
- instance_name=`basename $PKI_REGISTRY_ENTRY`
- if [ "${pki_instance_id}" == "${instance_name}" ]; then
- valid=1
- break
- fi
- done
- if [ $valid -eq 0 ]; then
- if [ "${pki_instance_type}" != "apache" ] &&
- [ "${pki_instance_type}" != "tomcat" ]; then
- echo -n "unknown instance type (${pki_instance_type})"
- else
- echo -n "${pki_instance_id} is an invalid '${PKI_TYPE}' instance"
- fi
- if [ ! $SYSTEMD ]; then
- echo_failure
- fi
- echo
-
- if [ "${command}" != "status" ]; then
- # 5 program is not installed
- exit 5
- else
- # 4 program or service status is unknown
- exit 4
- fi
- fi
-fi
-
-check_pki_configuration_status()
-{
- rv=0
-
- case ${PKI_WEB_SERVER_TYPE} in
- tomcat)
- for SUBSYSTEM in ca kra ocsp tks; do
- if [ -d ${PKI_INSTANCE_PATH}/conf/${SUBSYSTEM} ]; then
- rv=`grep -c ^preop ${PKI_INSTANCE_PATH}/conf/${SUBSYSTEM}/CS.cfg`
- rv=`expr ${rv} + 0`
- fi
- done
- ;;
- apache)
- # TBD
- ;;
- *)
- echo "Unknown web server type ($PKI_WEB_SERVER_TYPE)"
- exit ${default_error}
- ;;
- esac
-
- if [ $rv -ne 0 ] ; then
- echo " '${PKI_INSTANCE_ID}' must still be CONFIGURED!"
- echo " (see /var/log/${PKI_INSTANCE_ID}-install.log)"
- if [ "${command}" != "status" ]; then
- # 6 program is not configured
- rv=6
- else
- # 4 program or service status is unknown
- rv=4
- fi
- TOTAL_UNCONFIGURED_PKI_ENTRIES=`expr ${TOTAL_UNCONFIGURED_PKI_ENTRIES} + 1`
- elif [ -f ${RESTART_SERVER} ] ; then
- echo -n " Although '${PKI_INSTANCE_ID}' has been CONFIGURED, "
- echo -n "it must still be RESTARTED!"
- echo
- if [ "${command}" != "status" ]; then
- # 1 generic or unspecified error (current practice)
- rv=1
- else
- # 4 program or service status is unknown
- rv=4
- fi
- fi
-
- return $rv
-}
-
-get_pki_status_definitions()
-{
- case $PKI_WEB_SERVER_TYPE in
- tomcat)
- PKI_SERVER_XML_CONF=${PKI_INSTANCE_PATH}/conf/server.xml
- get_pki_status_definitions_tomcat
- return $?
- ;;
- ra)
- get_pki_status_definitions_ra
- return $?
- ;;
- tps)
- get_pki_status_definitions_tps
- return $?
- ;;
- *)
- echo "Unknown web server type ($PKI_WEB_SERVER_TYPE)"
- exit ${default_error}
- ;;
- esac
-}
-
-get_pki_status_definitions_ra()
-{
- # establish well-known strings
- total_ports=0
- UNSECURE_PORT=""
- CLIENTAUTH_PORT=""
- NON_CLIENTAUTH_PORT=""
-
- # check to see that an instance-specific "httpd.conf" file exists
- if [ ! -f ${PKI_HTTPD_CONF} ] ; then
- echo "File '${PKI_HTTPD_CONF}' does not exist!"
- exit ${default_error}
- fi
-
- # check to see that an instance-specific "nss.conf" file exists
- if [ ! -f ${PKI_NSS_CONF} ] ; then
- echo "File '${PKI_NSS_CONF}' does not exist!"
- exit ${default_error}
- fi
-
- # Iterate over Listen statements
- for port in `sed -n 's/^[ \t]*Listen[ \t][ \t]*\([^ \t][^ \t]*\)/\1/p' ${PKI_HTTPD_CONF}`; do
- UNSECURE_PORT=$port
- if [ $total_ports -eq 0 ]; then
- echo " Unsecure Port = http://${PKI_SERVER_NAME}:${UNSECURE_PORT}"
- else
- echo "ERROR: extra Unsecure Port = http://${PKI_SERVER_NAME}:${UNSECURE_PORT}"
- fi
- total_ports=`expr ${total_ports} + 1`
-
- done
-
- # Iterate over Listen statements
- for port in `sed -n 's/^[ \t]*Listen[ \t][ \t]*\([^ \t][^ \t]*\)/\1/p' ${PKI_NSS_CONF}`; do
- UNSECURE_PORT=$port
- if [ $total_ports -eq 1 ]; then
- CLIENTAUTH_PORT=$port
- echo " Secure Clientauth Port = https://${PKI_SERVER_NAME}:${CLIENTAUTH_PORT}"
- fi
- if [ $total_ports -eq 2 ]; then
- NON_CLIENTAUTH_PORT=$port
- echo " Secure Non-Clientauth Port = https://${PKI_SERVER_NAME}:${NON_CLIENTAUTH_PORT}"
- fi
- total_ports=`expr ${total_ports} + 1`
-
- done
-
- return 0;
-}
-
-get_pki_status_definitions_tps()
-{
- # establish well-known strings
- total_ports=0
- UNSECURE_PORT=""
- CLIENTAUTH_PORT=""
- NON_CLIENTAUTH_PORT=""
-
- # check to see that an instance-specific "httpd.conf" file exists
- if [ ! -f ${PKI_HTTPD_CONF} ] ; then
- echo "File '${PKI_HTTPD_CONF}' does not exist!"
- exit ${default_error}
- fi
-
- # check to see that an instance-specific "nss.conf" file exists
- if [ ! -f ${PKI_NSS_CONF} ] ; then
- echo "File '${PKI_NSS_CONF}' does not exist!"
- exit ${default_error}
- fi
-
- # Iterate over Listen statements
- for port in `sed -n 's/^[ \t]*Listen[ \t][ \t]*\([^ \t][^ \t]*\)/\1/p' ${PKI_HTTPD_CONF}`; do
- UNSECURE_PORT=$port
- if [ $total_ports -eq 0 ]; then
- echo " Unsecure Port = http://${PKI_SERVER_NAME}:${UNSECURE_PORT}/cgi-bin/so/enroll.cgi"
- echo " (ESC Security Officer Enrollment)"
- echo " Unsecure Port = http://${PKI_SERVER_NAME}:${UNSECURE_PORT}/cgi-bin/home/index.cgi"
- echo " (ESC Phone Home)"
- else
- echo "ERROR: extra Unsecure Port = http://${PKI_SERVER_NAME}:${UNSECURE_PORT}"
- fi
- total_ports=`expr ${total_ports} + 1`
-
- done
-
- # Iterate over Listen statements
- for port in `sed -n 's/^[ \t]*Listen[ \t][ \t]*\([^ \t][^ \t]*\)/\1/p' ${PKI_NSS_CONF}`; do
- UNSECURE_PORT=$port
- if [ $total_ports -eq 1 ]; then
- CLIENTAUTH_PORT=$port
- echo " Secure Clientauth Port = https://${PKI_SERVER_NAME}:${CLIENTAUTH_PORT}/cgi-bin/sow/welcome.cgi"
- echo " (ESC Security Officer Workstation)"
- echo " Secure Clientauth Port = https://${PKI_SERVER_NAME}:${CLIENTAUTH_PORT}/tus"
- echo " (TPS Roles - Operator/Administrator/Agent)"
- fi
- if [ $total_ports -eq 2 ]; then
- NON_CLIENTAUTH_PORT=$port
- echo " Secure Non-Clientauth Port = https://${PKI_SERVER_NAME}:${NON_CLIENTAUTH_PORT}/cgi-bin/so/enroll.cgi"
- echo " (ESC Security Officer Enrollment)"
- echo " Secure Non-Clientauth Port = https://${PKI_SERVER_NAME}:${NON_CLIENTAUTH_PORT}/cgi-bin/home/index.cgi"
- echo " (ESC Phone Home)"
- fi
- total_ports=`expr ${total_ports} + 1`
-
- done
-
- return 0;
-}
-
-get_pki_status_definitions_tomcat()
-{
- # establish well-known strings
- begin_pki_status_comment="<!-- DO NOT REMOVE - Begin PKI Status Definitions -->"
- begin_ca_status_comment="<!-- CA Status Definitions -->"
- begin_kra_status_comment="<!-- KRA Status Definitions -->"
- begin_ocsp_status_comment="<!-- OCSP Status Definitions -->"
- begin_tks_status_comment="<!-- TKS Status Definitions -->"
- end_pki_status_comment="<!-- Begin DO NOT REMOVE - End PKI Status Definitions -->"
- total_ports=0
- unsecure_port_statement="Unsecure Port"
- secure_agent_port_statement="Secure Agent Port"
- secure_ee_port_statement="Secure EE Port"
- secure_ee_client_auth_port_statement="EE Client Auth Port"
- secure_admin_port_statement="Secure Admin Port"
- pki_console_port_statement="PKI Console Port"
- tomcat_port_statement="Tomcat Port"
-
- # initialize looping variables
- pki_status_comment_found=0
- display_pki_ca_status_banner=0
- display_pki_kra_status_banner=0
- display_pki_ocsp_status_banner=0
- display_pki_tks_status_banner=0
- process_pki_ca_status=0
- process_pki_kra_status=0
- process_pki_ocsp_status=0
- process_pki_tks_status=0
-
- # first check to see that an instance-specific "server.xml" file exists
- if [ ! -f ${PKI_SERVER_XML_CONF} ] ; then
- echo "File '${PKI_SERVER_XML_CONF}' does not exist!"
- exit ${default_error}
- fi
-
- # identify all PKI subsystems present within this PKI instance
- if [ -e ${PKI_INSTANCE_PATH}/ca ]; then
- display_pki_ca_status_banner=1
- fi
- if [ -e ${PKI_INSTANCE_PATH}/kra ]; then
- display_pki_kra_status_banner=1
- fi
- if [ -e ${PKI_INSTANCE_PATH}/ocsp ]; then
- display_pki_ocsp_status_banner=1
- fi
- if [ -e ${PKI_INSTANCE_PATH}/tks ]; then
- display_pki_tks_status_banner=1
- fi
-
- # read this instance-specific "server.xml" file line-by-line
- # to obtain the current PKI Status Definitions
- exec < ${PKI_SERVER_XML_CONF}
- while read line; do
- # first look for the well-known end PKI Status comment
- # (to turn off processing)
- if [ "$line" == "$end_pki_status_comment" ] ; then
- # always turn off processing TKS status at this point
- process_pki_tks_status=0
- pki_status_comment_found=0
- break;
- fi
-
- # then look for the well-known begin PKI Status comment
- # (to turn on processing)
- if [ "$line" == "$begin_pki_status_comment" ] ; then
- pki_status_comment_found=1
- fi
-
- # once the well-known begin PKI Status comment has been found,
- # begin processing to obtain all of the PKI Status Definitions
- if [ $pki_status_comment_found -eq 1 ] ; then
- head=`echo "$line" | sed -e 's/^\([^=]*\)[ \t]*= .*$/\1/' -e 's/[ \t]*$//'`
- if [ "$line" == "$begin_ca_status_comment" ] ; then
- if [ $display_pki_ca_status_banner -eq 1 ] ; then
- # print CA Status Definition banner
- echo
- echo " [CA Status Definitions]"
- # turn on processing CA status at this point
- process_pki_ca_status=1
- fi
- elif [ "$line" == "$begin_kra_status_comment" ] ; then
- # always turn off processing CA status at this point
- process_pki_ca_status=0
- if [ $display_pki_kra_status_banner -eq 1 ] ; then
- # print DRM Status Definition banner
- echo
- echo " [DRM Status Definitions]"
- # turn on processing DRM status at this point
- process_pki_kra_status=1
- fi
- elif [ "$line" == "$begin_ocsp_status_comment" ] ; then
- # always turn off processing DRM status at this point
- process_pki_kra_status=0
- if [ $display_pki_ocsp_status_banner -eq 1 ] ; then
- # print OCSP Status Definition banner
- echo
- echo " [OCSP Status Definitions]"
- # turn on processing OCSP status at this point
- process_pki_ocsp_status=1
- fi
- elif [ "$line" == "$begin_tks_status_comment" ] ; then
- # always turn off processing OCSP status at this point
- process_pki_ocsp_status=0
- if [ $display_pki_tks_status_banner -eq 1 ] ; then
- # print TKS Status Definition banner
- echo
- echo " [TKS Status Definitions]"
- # turn on processing TKS status at this point
- process_pki_tks_status=1
- fi
- elif [ $process_pki_ca_status -eq 1 ] ||
- [ $process_pki_kra_status -eq 1 ] ||
- [ $process_pki_ocsp_status -eq 1 ] ||
- [ $process_pki_tks_status -eq 1 ] ; then
- # look for a PKI Status Definition and print it
- if [ "$head" == "$unsecure_port_statement" ] ||
- [ "$head" == "$secure_agent_port_statement" ] ||
- [ "$head" == "$secure_ee_port_statement" ] ||
- [ "$head" == "$secure_admin_port_statement" ] ||
- [ "$head" == "$secure_ee_client_auth_port_statement" ] ||
- [ "$head" == "$pki_console_port_statement" ] ||
- [ "$head" == "$tomcat_port_statement" ] ; then
- echo " $line"
- total_ports=`expr ${total_ports} + 1`
- fi
- fi
- fi
- done
-
- return 0;
-}
-
-get_pki_configuration_definitions()
-{
- # Obtain the PKI Subsystem Type
- line=`grep -e '^[ \t]*cs.type[ \t]*=' ${PKI_SUBSYSTEM_CONFIGURATION_FILE}`
- pki_subsystem=`echo "${line}" | sed -e 's/^[^=]*=[ \t]*\(.*\)/\1/' -e 's/[ \t]*$//'`
- if [ "${line}" != "" ] ; then
- if [ "${pki_subsystem}" != "CA" ] &&
- [ "${pki_subsystem}" != "KRA" ] &&
- [ "${pki_subsystem}" != "OCSP" ] &&
- [ "${pki_subsystem}" != "TKS" ] &&
- [ "${pki_subsystem}" != "RA" ] &&
- [ "${pki_subsystem}" != "TPS" ]
- then
- return ${default_error}
- fi
- if [ "${pki_subsystem}" == "KRA" ] ; then
- # Rename "KRA" to "DRM"
- pki_subsystem="DRM"
- fi
- else
- return ${default_error}
- fi
-
- # If "${pki_subsystem}" is a CA, DRM, OCSP, or TKS,
- # check to see if "${pki_subsystem}" is a "Clone"
- pki_clone=""
- if [ "${pki_subsystem}" == "CA" ] ||
- [ "${pki_subsystem}" == "DRM" ] ||
- [ "${pki_subsystem}" == "OCSP" ] ||
- [ "${pki_subsystem}" == "TKS" ]
- then
- line=`grep -e '^[ \t]*subsystem.select[ \t]*=' ${PKI_SUBSYSTEM_CONFIGURATION_FILE}`
- if [ "${line}" != "" ] ; then
- pki_clone=`echo "${line}" | sed -e 's/^[^=]*[ \t]*=[ \t]*\(.*\)/\1/' -e 's/[ \t]*$//'`
- if [ "${pki_clone}" != "Clone" ] ; then
- # Reset "${pki_clone}" to be empty
- pki_clone=""
- fi
- else
- return ${default_error}
- fi
- fi
-
- # If "${pki_subsystem}" is a CA, and is NOT a "Clone", check to
- # see "${pki_subsystem}" is a "Root" or a "Subordinate" CA
- pki_hierarchy=""
- if [ "${pki_subsystem}" == "CA" ] &&
- [ "${pki_clone}" != "Clone" ]
- then
- line=`grep -e '^[ \t]*hierarchy.select[ \t]*=' ${PKI_SUBSYSTEM_CONFIGURATION_FILE}`
- if [ "${line}" != "" ] ; then
- pki_hierarchy=`echo "${line}" | sed -e 's/^[^=]*[ \t]*=[ \t]*\(.*\)/\1/' -e 's/[ \t]*$//'`
- else
- return ${default_error}
- fi
- fi
-
- # If ${pki_subsystem} is a CA, check to
- # see if it is also a Security Domain
- pki_security_domain=""
- if [ "${pki_subsystem}" == "CA" ] ; then
- line=`grep -e '^[ \t]*securitydomain.select[ \t]*=' ${PKI_SUBSYSTEM_CONFIGURATION_FILE}`
- if [ "${line}" != "" ] ; then
- pki_security_domain=`echo "${line}" | sed -e 's/^[^=]*[ \t]*=[ \t]*\(.*\)/\1/' -e 's/[ \t]*$//'`
- if [ "${pki_security_domain}" == "new" ] ; then
- # Set a fixed value for "${pki_security_domain}"
- pki_security_domain="(Security Domain)"
- else
- # Reset "${pki_security_domain}" to be empty
- pki_security_domain=""
- fi
- else
- return ${default_error}
- fi
- fi
-
- # Always obtain this PKI instance's "registered"
- # security domain information
- pki_security_domain_name=""
- pki_security_domain_hostname=""
- pki_security_domain_https_admin_port=""
-
- line=`grep -e '^[ \t]*securitydomain.name[ \t]*=' ${PKI_SUBSYSTEM_CONFIGURATION_FILE}`
- if [ "${line}" != "" ] ; then
- pki_security_domain_name=`echo "${line}" | sed -e 's/^[^=]*[ \t]*=[ \t]*\(.*\)/\1/' -e 's/[ \t]*$//'`
- else
- return ${default_error}
- fi
-
- line=`grep -e '^[ \t]*securitydomain.host[ \t]*=' ${PKI_SUBSYSTEM_CONFIGURATION_FILE}`
- if [ "${line}" != "" ] ; then
- pki_security_domain_hostname=`echo "${line}" | sed -e 's/^[^=]*[ \t]*=[ \t]*\(.*\)/\1/' -e 's/[ \t]*$//'`
- else
- return ${default_error}
- fi
-
- line=`grep -e '^[ \t]*securitydomain.httpsadminport[ \t]*=' ${PKI_SUBSYSTEM_CONFIGURATION_FILE}`
- if [ "${line}" != "" ] ; then
- pki_security_domain_https_admin_port=`echo "${line}" | sed -e 's/^[^=]*[ \t]*=[ \t]*\(.*\)/\1/' -e 's/[ \t]*$//'`
- else
- return ${default_error}
- fi
-
- # Compose the "PKI Instance Name" Status Line
- pki_instance_name="PKI Instance Name: ${PKI_INSTANCE_ID}"
-
- # Compose the "PKI Subsystem Type" Status Line
- header="PKI Subsystem Type: "
- if [ "${pki_clone}" != "" ] ; then
- if [ "${pki_security_domain}" != "" ]; then
- # Possible Values:
- #
- # "CA Clone (Security Domain)"
- #
- data="${pki_subsystem} ${pki_clone} ${pki_security_domain}"
- else
- # Possible Values:
- #
- # "CA Clone"
- # "DRM Clone"
- # "OCSP Clone"
- # "TKS Clone"
- #
- data="${pki_subsystem} ${pki_clone}"
- fi
- elif [ "${pki_hierarchy}" != "" ] ; then
- if [ "${pki_security_domain}" != "" ]; then
- # Possible Values:
- #
- # "Root CA (Security Domain)"
- # "Subordinate CA (Security Domain)"
- #
- data="${pki_hierarchy} ${pki_subsystem} ${pki_security_domain}"
- else
- # Possible Values:
- #
- # "Root CA"
- # "Subordinate CA"
- #
- data="${pki_hierarchy} ${pki_subsystem}"
- fi
- else
- # Possible Values:
- #
- # "DRM"
- # "OCSP"
- # "RA"
- # "TKS"
- # "TPS"
- #
- data="${pki_subsystem}"
- fi
- pki_subsystem_type="${header} ${data}"
-
- # Compose the "Registered PKI Security Domain Information" Status Line
- header="Name: "
- registered_pki_security_domain_name="${header} ${pki_security_domain_name}"
-
- header="URL: "
- if [ "${pki_security_domain_hostname}" != "" ] &&
- [ "${pki_security_domain_https_admin_port}" != "" ]
- then
- data="https://${pki_security_domain_hostname}:${pki_security_domain_https_admin_port}"
- else
- return ${default_error}
- fi
- registered_pki_security_domain_url="${header} ${data}"
-
- # Print the "PKI Subsystem Type" Status Line
- echo
- echo " [${pki_subsystem} Configuration Definitions]"
- echo " ${pki_instance_name}"
-
- # Print the "PKI Subsystem Type" Status Line
- echo
- echo " ${pki_subsystem_type}"
-
- # Print the "Registered PKI Security Domain Information" Status Line
- echo
- echo " Registered PKI Security Domain Information:"
- echo " =========================================================================="
- echo " ${registered_pki_security_domain_name}"
- echo " ${registered_pki_security_domain_url}"
- echo " =========================================================================="
-
- return 0
-}
-
-display_configuration_information()
-{
- result=0
- check_pki_configuration_status
- rv=$?
- if [ $rv -eq 0 ] ; then
- get_pki_status_definitions
- rv=$?
- if [ $rv -ne 0 ] ; then
- result=$rv
- echo
- echo "${PKI_INSTANCE_ID} Status Definitions not found"
- else
- get_subsystems
- for SUBSYSTEM in ${PKI_SUBSYSTEMS}; do
- PKI_SUBSYSTEM_CONFIGURATION_FILE="${PKI_INSTANCE_PATH}/conf/${SUBSYSTEM}/CS.cfg"
- get_pki_configuration_definitions
- rv=$?
- if [ $rv -ne 0 ] ; then
- result=$rv
- echo
- echo "${PKI_INSTANCE_ID} Configuration Definitions not found for ${SUBSYSTEM}"
- fi
- done
- fi
- fi
- return $result
-}
-
-display_instance_status_systemd()
-{
- echo -n "Status for ${PKI_INSTANCE_ID}: "
- systemctl status "$PKI_SYSTEMD_TARGET@$PKI_INSTANCE_ID.service" > /dev/null 2>&1
- rv=$?
-
- if [ $rv -eq 0 ] ; then
- echo "$PKI_INSTANCE_ID is running .."
- display_configuration_information
- else
- echo "$PKI_INSTANCE_ID is stopped"
- fi
-
- return $rv
-}
-
-display_instance_status()
-{
- # Verify there is an initscript for this instance
- if [ ! -f $PKI_INSTANCE_INITSCRIPT ]; then
- # 4 program or service status is unknown
- return 4
- fi
-
- # Invoke the initscript for this instance
- $PKI_INSTANCE_INITSCRIPT status
- rv=$?
-
- if [ $rv -eq 0 ] ; then
- display_configuration_information
- fi
-
- return $rv
-}
-
-make_symlink()
-{
- symlink="${1}"
- target="${2}"
- user="${3}"
- group="${4}"
-
- rv=0
-
- echo "INFO: Attempting to create '${symlink}' -> '${target}' . . ."
- # Check to make certain that the expected target exists.
- #
- # NOTE: The symbolic link does NOT exist at this point.
- #
- if [ -e ${target} ]; then
- # Check that the expected target is fully resolvable!
- if [ ! `readlink -qe ${target}` ]; then
- # Issue an ERROR that the target to which the
- # symbolic link is expected to point is NOT fully resolvable!
- echo "ERROR: Failed making '${symlink}' -> '${target}'"\
- "since target '${target}' is NOT fully resolvable!"
- rv=1
- else
- # Attempt to create a symbolic link and 'chown' it.
- ln -s ${target} ${symlink}
- rv=$?
- if [ $rv -eq 0 ]; then
- # NOTE: Ignore 'chown' errors.
- chown -h ${user}:${group} ${symlink}
- echo "SUCCESS: Created '${symlink}' -> '${target}'"
- else
- echo "ERROR: Failed to create '${symlink}' -> '${target}'!"
- rv=1
- fi
- fi
- else
- # Issue an ERROR that the target to which the
- # symbolic link is expected to point does NOT exist.
- echo "ERROR: Failed making '${symlink}' -> '${target}'"\
- "since target '${target}' does NOT exist!"
- rv=1
- fi
-
- return $rv
-}
-
-check_symlinks()
-{
- # declare -p symlinks
- path="${1}"
- user="${2}"
- group="${3}"
-
- rv=0
-
- # process key/value pairs (symlink/target) in the associative array
- for key in "${!symlinks[@]}"
- do
- symlink="${path}/${key}"
- target=${symlinks[${key}]}
- if [ -e ${symlink} ]; then
- if [ -h ${symlink} ]; then
- current_target=`readlink ${symlink}`
- # Verify that the current target to which the
- # symlink points is the expected target
- if [ ${current_target} == ${target} ]; then
- # Check to make certain that the expected target exists.
- if [ -e ${target} ]; then
- # Check that the expected target is fully resolvable!
- if [ ! `readlink -qe ${target}` ]; then
- # Issue an ERROR that the target to which the
- # symbolic link is expected to point is NOT
- # fully resolvable!
- echo "WARNING: Symbolic link '${symlink}'"\
- "exists, but is a dangling symlink!"\
- echo "ERROR: Unable to create"\
- "'${symlink}' -> '${target}'"\
- "since target '${target}' is NOT fully"\
- "resolvable!"
- rv=1
- else
- # ALWAYS run 'chown' on an existing '${symlink}'
- # that points to a fully resolvable '${target}'
- #
- # NOTE: Ignore 'chown' errors.
- #
- chown -h ${user}:${group} ${symlink}
- # echo "SUCCESS: '${symlink}' -> '${target}'"
- fi
- else
- # Issue an ERROR that the target to which the
- # symbolic link is expected to point does NOT exist.
- echo "WARNING: Symbolic link '${symlink}'"\
- "exists, but is a dangling symlink!"\
- echo "ERROR: Unable to create"\
- "'${symlink}' -> '${target}'"\
- "since target '${target}' does NOT exist!"
- rv=1
- fi
- else
- # Attempt to remove this symbolic link and
- # issue a WARNING that a new symbolic link is
- # being created to point to the expected target
- # rather than the current target to which it
- # points.
- echo "WARNING: Attempting to change symbolic link"\
- "'${symlink}' to point to target '${target}'"\
- "INSTEAD of current target '${current_target}'!"
- rm ${symlink}
- rv=$?
- if [ $rv -ne 0 ]; then
- echo "ERROR: Failed to remove"\
- "'${symlink}' -> '${current_target}'!"
- rv=1
- else
- echo "INFO: Removed"\
- "'${symlink}' -> '${current_target}'!"
- # Attempt to create the symbolic link and chown it.
- make_symlink ${symlink} ${target} ${user} ${group}
- rv=$?
- fi
- fi
- elif [ -f ${symlink} ]; then
- # Issue a WARNING that the administrator may have replaced
- # the symbolic link with a file for debugging purposes.
- echo "WARNING: '${symlink}' exists but is NOT a symbolic link!"
- else
- # Issue an ERROR that the symbolic link has been replaced
- # by something unusable (such as a directory).
- echo "ERROR: '${symlink}' exists but is NOT a symbolic link!"
- rv=1
- fi
- else
- # Issue a WARNING that this symbolic link does not exist.
- echo "WARNING: Symbolic link '${symlink}' does NOT exist!"
- # Attempt to create the symbolic link and chown it.
- make_symlink ${symlink} ${target} ${user} ${group}
- rv=$?
- fi
- done
-
- return $rv
-}
-
-# Detect and correct any missing or incorrect symlinks.
-#
-# Use the following command to locate PKI 'instance' symlinks:
-#
-# find ${PKI_INSTANCE_PATH} -type l | sort | xargs file
-#
-verify_symlinks()
-{
- # declare associative arrays
- declare -A base_symlinks
- declare -A root_symlinks
- declare -A ca_symlinks
- declare -A kra_symlinks
- declare -A ocsp_symlinks
- declare -A tks_symlinks
- declare -A common_jar_symlinks
- declare -A ca_jar_symlinks
- declare -A kra_jar_symlinks
- declare -A ocsp_jar_symlinks
- declare -A tks_jar_symlinks
- declare -A systemd_symlinks
-
- # Dogtag 10 Conditional Variables
- jni_dir=`source /etc/pki/pki.conf && echo $JNI_JAR_DIR`
-
- # Dogtag 10 Symbolic Link Target Variables
- java_dir="/usr/share/java"
- pki_systemd_service="pki-${PKI_WEB_SERVER_TYPE}d@.service"
- systemd_dir="/lib/systemd/system"
-
- # Dogtag 10 Symbolic Link Variables
- pki_common_jar_dir="${PKI_INSTANCE_PATH}/common/lib"
- pki_registry_dir="/etc/sysconfig/pki/${PKI_WEB_SERVER_TYPE}/${PKI_INSTANCE_ID}"
- pki_systemd_dir="/etc/systemd/system/pki-tomcatd.target.wants"
- pki_systemd_link="pki-${PKI_WEB_SERVER_TYPE}d@${PKI_INSTANCE_ID}.service"
- pki_ca_jar_dir="${PKI_INSTANCE_PATH}/webapps/ca/WEB-INF/lib"
- pki_kra_jar_dir="${PKI_INSTANCE_PATH}/webapps/kra/WEB-INF/lib"
- pki_ocsp_jar_dir="${PKI_INSTANCE_PATH}/webapps/ocsp/WEB-INF/lib"
- pki_tks_jar_dir="${PKI_INSTANCE_PATH}/webapps/tks/WEB-INF/lib"
-
- # '${PKI_INSTANCE_PATH}' symlinks
- base_symlinks=(
- [alias]=/etc/pki/${PKI_INSTANCE_ID}/alias
- [bin]=/usr/share/tomcat/bin
- [conf]=/etc/pki/${PKI_INSTANCE_ID}
- [logs]=/var/log/pki/${PKI_INSTANCE_ID})
-
- # '${PKI_INSTANCE_PATH}' symlinks (root:root ownership)
- root_symlinks[${PKI_INSTANCE_ID}]=/usr/sbin/tomcat-sysd
-
- # '${PKI_INSTANCE_PATH}/ca' symlinks
- ca_symlinks=(
- [alias]=${PKI_INSTANCE_PATH}/alias
- [conf]=/etc/pki/${PKI_INSTANCE_ID}/ca
- [logs]=/var/log/pki/${PKI_INSTANCE_ID}/ca
- [registry]=${pki_registry_dir}
- [webapps]=${PKI_INSTANCE_PATH}/webapps)
-
- # '${pki_ca_jar_dir}' symlinks
- ca_jar_symlinks=(
- [pki-certsrv.jar]=${java_dir}/pki/pki-certsrv.jar
- [pki-cms.jar]=${java_dir}/pki/pki-cms.jar
- [pki-cmsbundle.jar]=${java_dir}/pki/pki-cmsbundle.jar
- [pki-cmscore.jar]=${java_dir}/pki/pki-cmscore.jar
- [pki-cmsutil.jar]=${java_dir}/pki/pki-cmsutil.jar
- [pki-nsutil.jar]=${java_dir}/pki/pki-nsutil.jar
- [pki-ca.jar]=${java_dir}/pki/pki-ca.jar)
-
- # '${PKI_INSTANCE_PATH}/kra' symlinks
- kra_symlinks=(
- [alias]=${PKI_INSTANCE_PATH}/alias
- [conf]=/etc/pki/${PKI_INSTANCE_ID}/kra
- [logs]=/var/log/pki/${PKI_INSTANCE_ID}/kra
- [registry]=${pki_registry_dir}
- [webapps]=${PKI_INSTANCE_PATH}/webapps)
-
- # '${pki_kra_jar_dir}' symlinks
- kra_jar_symlinks=(
- [pki-certsrv.jar]=${java_dir}/pki/pki-certsrv.jar
- [pki-cms.jar]=${java_dir}/pki/pki-cms.jar
- [pki-cmsbundle.jar]=${java_dir}/pki/pki-cmsbundle.jar
- [pki-cmscore.jar]=${java_dir}/pki/pki-cmscore.jar
- [pki-cmsutil.jar]=${java_dir}/pki/pki-cmsutil.jar
- [pki-nsutil.jar]=${java_dir}/pki/pki-nsutil.jar
- [pki-kra.jar]=${java_dir}/pki/pki-kra.jar)
-
- # '${PKI_INSTANCE_PATH}/ocsp' symlinks
- ocsp_symlinks=(
- [alias]=${PKI_INSTANCE_PATH}/alias
- [conf]=/etc/pki/${PKI_INSTANCE_ID}/ocsp
- [logs]=/var/log/pki/${PKI_INSTANCE_ID}/ocsp
- [registry]=${pki_registry_dir}
- [webapps]=${PKI_INSTANCE_PATH}/webapps)
-
- # '${pki_ocsp_jar_dir}' symlinks
- ocsp_jar_symlinks=(
- [pki-certsrv.jar]=${java_dir}/pki/pki-certsrv.jar
- [pki-cms.jar]=${java_dir}/pki/pki-cms.jar
- [pki-cmsbundle.jar]=${java_dir}/pki/pki-cmsbundle.jar
- [pki-cmscore.jar]=${java_dir}/pki/pki-cmscore.jar
- [pki-cmsutil.jar]=${java_dir}/pki/pki-cmsutil.jar
- [pki-nsutil.jar]=${java_dir}/pki/pki-nsutil.jar
- [pki-ocsp.jar]=${java_dir}/pki/pki-ocsp.jar)
-
- # '${PKI_INSTANCE_PATH}/tks' symlinks
- tks_symlinks=(
- [alias]=${PKI_INSTANCE_PATH}/alias
- [conf]=/etc/pki/${PKI_INSTANCE_ID}/tks
- [logs]=/var/log/pki/${PKI_INSTANCE_ID}/tks
- [registry]=${pki_registry_dir}
- [webapps]=${PKI_INSTANCE_PATH}/webapps)
-
- # '${pki_tks_jar_dir}' symlinks
- tks_jar_symlinks=(
- [pki-certsrv.jar]=${java_dir}/pki/pki-certsrv.jar
- [pki-cms.jar]=${java_dir}/pki/pki-cms.jar
- [pki-cmsbundle.jar]=${java_dir}/pki/pki-cmsbundle.jar
- [pki-cmscore.jar]=${java_dir}/pki/pki-cmscore.jar
- [pki-cmsutil.jar]=${java_dir}/pki/pki-cmsutil.jar
- [pki-nsutil.jar]=${java_dir}/pki/pki-nsutil.jar
- [pki-tks.jar]=${java_dir}/pki/pki-tks.jar)
-
- # '${pki_common_jar_dir}' symlinks
- common_jar_symlinks=(
- [apache-commons-codec.jar]=${java_dir}/commons-codec.jar
- [apache-commons-collections.jar]=${java_dir}/apache-commons-collections.jar
- [apache-commons-lang.jar]=${java_dir}/apache-commons-lang.jar
- [apache-commons-logging.jar]=${java_dir}/apache-commons-logging.jar
- [httpclient.jar]=${java_dir}/httpcomponents/httpclient.jar
- [httpcore.jar]=${java_dir}/httpcomponents/httpcore.jar
- [javassist.jar]=${java_dir}/javassist.jar
- [jaxrs-api.jar]=${RESTEASY_LIB}/jaxrs-api.jar
- [jettison.jar]=${java_dir}/jettison.jar
- [jss4.jar]=${jni_dir}/jss4.jar
- [ldapjdk.jar]=${java_dir}/ldapjdk.jar
- [pki-tomcat.jar]=${java_dir}/pki/pki-tomcat.jar
- [resteasy-atom-provider.jar]=${RESTEASY_LIB}/resteasy-atom-provider.jar
- [resteasy-jaxb-provider.jar]=${RESTEASY_LIB}/resteasy-jaxb-provider.jar
- [resteasy-jaxrs.jar]=${RESTEASY_LIB}/resteasy-jaxrs.jar
- [resteasy-jettison-provider.jar]=${RESTEASY_LIB}/resteasy-jettison-provider.jar
- [scannotation.jar]=${java_dir}/scannotation.jar
- [tomcatjss.jar]=${java_dir}/tomcatjss.jar
- [velocity.jar]=${java_dir}/velocity.jar
- [xerces-j2.jar]=${java_dir}/xerces-j2.jar
- [xml-commons-apis.jar]=${java_dir}/xml-commons-apis.jar
- [xml-commons-resolver.jar]=${java_dir}/xml-commons-resolver.jar)
-
- if [ -e ${PKI_INSTANCE_PATH}/tks ]; then
- common_jar_symlinks[symkey.jar]=${jni_dir}/symkey.jar
- fi
-
- # '${pki_systemd_dir}' symlinks
- systemd_symlinks[${pki_systemd_link}]=${systemd_dir}/${pki_systemd_service}
-
- # Detect and correct 'Tomcat' symbolic links
- #
- # (1) convert the specified associative array into a string
- # (2) create a new global 'symlinks' associative array from this
- # specified string which will be used by the "check_symlinks()"
- # subroutine
- # (3) call "check_symlinks()" with the appropriate arguments to
- # detect and correct this specified associative array;
- # "check_symlinks()" returns 0 on success and 1 on failure
- #
- if [ ${PKI_WEB_SERVER_TYPE} == 'tomcat' ]; then
- # Detect and correct 'base_symlinks'
- base_symlinks_string=$(declare -p base_symlinks)
- eval "declare -A symlinks=${base_symlinks_string#*=}"
- check_symlinks ${PKI_INSTANCE_PATH} ${PKI_USER} ${PKI_GROUP}
- rv=$?
- if [ $rv -ne 0 ]; then
- return $rv
- fi
-
- # Detect and correct 'root_symlinks'
- root_symlinks_string=$(declare -p root_symlinks)
- eval "declare -A symlinks=${root_symlinks_string#*=}"
- check_symlinks ${PKI_INSTANCE_PATH} "root" "root"
- rv=$?
- if [ $rv -ne 0 ]; then
- return $rv
- fi
-
- if [ -e ${PKI_INSTANCE_PATH}/ca ]; then
- # Detect and correct 'ca_symlinks'
- ca_symlinks_string=$(declare -p ca_symlinks)
- eval "declare -A symlinks=${ca_symlinks_string#*=}"
- check_symlinks ${PKI_INSTANCE_PATH}/ca ${PKI_USER} ${PKI_GROUP}
- rv=$?
- if [ $rv -ne 0 ]; then
- return $rv
- fi
- # Detect and correct 'ca_jar_symlinks'
- ca_jar_symlinks_string=$(declare -p ca_jar_symlinks)
- eval "declare -A symlinks=${ca_jar_symlinks_string#*=}"
- check_symlinks ${pki_ca_jar_dir} ${PKI_USER} ${PKI_GROUP}
- rv=$?
- if [ $rv -ne 0 ]; then
- return $rv
- fi
- fi
-
- if [ -e ${PKI_INSTANCE_PATH}/kra ]; then
- # Detect and correct 'kra_symlinks'
- kra_symlinks_string=$(declare -p kra_symlinks)
- eval "declare -A symlinks=${kra_symlinks_string#*=}"
- check_symlinks ${PKI_INSTANCE_PATH}/kra ${PKI_USER} ${PKI_GROUP}
- rv=$?
- if [ $rv -ne 0 ]; then
- return $rv
- fi
- # Detect and correct 'kra_jar_symlinks'
- kra_jar_symlinks_string=$(declare -p kra_jar_symlinks)
- eval "declare -A symlinks=${kra_jar_symlinks_string#*=}"
- check_symlinks ${pki_kra_jar_dir} ${PKI_USER} ${PKI_GROUP}
- rv=$?
- if [ $rv -ne 0 ]; then
- return $rv
- fi
- fi
-
- if [ -e ${PKI_INSTANCE_PATH}/ocsp ]; then
- # Detect and correct 'ocsp_symlinks'
- ocsp_symlinks_string=$(declare -p ocsp_symlinks)
- eval "declare -A symlinks=${ocsp_symlinks_string#*=}"
- check_symlinks ${PKI_INSTANCE_PATH}/ocsp ${PKI_USER} ${PKI_GROUP}
- rv=$?
- if [ $rv -ne 0 ]; then
- return $rv
- fi
- # Detect and correct 'ocsp_jar_symlinks'
- ocsp_jar_symlinks_string=$(declare -p ocsp_jar_symlinks)
- eval "declare -A symlinks=${ocsp_jar_symlinks_string#*=}"
- check_symlinks ${pki_ocsp_jar_dir} ${PKI_USER} ${PKI_GROUP}
- rv=$?
- if [ $rv -ne 0 ]; then
- return $rv
- fi
- fi
-
- if [ -e ${PKI_INSTANCE_PATH}/tks ]; then
- # Detect and correct 'tks_symlinks'
- tks_symlinks_string=$(declare -p tks_symlinks)
- eval "declare -A symlinks=${tks_symlinks_string#*=}"
- check_symlinks ${PKI_INSTANCE_PATH}/tks ${PKI_USER} ${PKI_GROUP}
- rv=$?
- if [ $rv -ne 0 ]; then
- return $rv
- fi
- # Detect and correct 'tks_jar_symlinks'
- tks_jar_symlinks_string=$(declare -p tks_jar_symlinks)
- eval "declare -A symlinks=${tks_jar_symlinks_string#*=}"
- check_symlinks ${pki_tks_jar_dir} ${PKI_USER} ${PKI_GROUP}
- rv=$?
- if [ $rv -ne 0 ]; then
- return $rv
- fi
- fi
-
- # Detect and correct 'common_jar_symlinks'
- common_jar_symlinks_string=$(declare -p common_jar_symlinks)
- eval "declare -A symlinks=${common_jar_symlinks_string#*=}"
- check_symlinks ${pki_common_jar_dir} ${PKI_USER} ${PKI_GROUP}
- rv=$?
- if [ $rv -ne 0 ]; then
- return $rv
- fi
-
- # Detect and correct 'systemd_symlinks'
- systemd_symlinks_string=$(declare -p systemd_symlinks)
- eval "declare -A symlinks=${systemd_symlinks_string#*=}"
- check_symlinks ${pki_systemd_dir} ${PKI_USER} ${PKI_GROUP}
- rv=$?
- if [ $rv -ne 0 ]; then
- return $rv
- fi
- fi
-
- return 0
-}
-
-start_instance()
-{
- rv=0
-
- if [ -f ${RESTART_SERVER} ] ; then
- rm -f ${RESTART_SERVER}
- fi
-
- # Verify symbolic links (detecting and correcting them if possible)
- verify_symlinks
- rv=$?
- if [ $rv -ne 0 ] ; then
- return $rv
- fi
-
- # Invoke the initscript for this instance
- case $PKI_WEB_SERVER_TYPE in
- tomcat)
-
- # Generate catalina.policy dynamically.
- cat /usr/share/pki/server/conf/catalina.policy \
- /usr/share/tomcat/conf/catalina.policy \
- /usr/share/pki/server/conf/pki.policy \
- /var/lib/pki/$PKI_INSTANCE_ID/conf/custom.policy > \
- /var/lib/pki/$PKI_INSTANCE_ID/conf/catalina.policy
-
- # We must export the service name so that the systemd version
- # of the tomcat init script knows which instance specific
- # configuration file to source.
- export SERVICE_NAME=$PKI_INSTANCE_ID
- $PKI_INSTANCE_INITSCRIPT start
- rv=$?
- ;;
- apache)
- $PKI_INSTANCE_INITSCRIPT start
- rv=$?
- ;;
- esac
-
- if [ $rv -ne 0 ] ; then
- return $rv
- fi
-
- # On Tomcat subsystems, make certain that the service has started
- case $PKI_WEB_SERVER_TYPE in
- tomcat)
- count=0
- tries=30
- port=${PKI_UNSECURE_PORT}
- while [ $count -lt $tries ]
- do
- netstat -antl | grep ${port} > /dev/null
- netrv=$?
- if [ $netrv -eq 0 ] ; then
- break;
- fi
- sleep 1
- let count=$count+1;
- done
- if [ $netrv -ne 0 ] ; then
- return 1
- fi
- ;;
- esac
-
- if [ $rv -eq 0 ] ; then
- # From the PKI point of view a returned error code of 6 implies
- # that the program is not "configured". An error code of 1 implies
- # that the program was "configured" but must still be restarted.
- #
- # If the return code is 6 return this value unchanged to the
- # calling routine so that the total number of configuration errors
- # may be counted. Other return codes are ignored.
- #
- check_pki_configuration_status
- rv=$?
- if [ $rv -eq 6 ]; then
- # 6 program is not configured
- return 6
- else
- # 0 success
- return 0
- fi
- fi
- return $rv
-}
-
-stop_instance()
-{
- rv=0
-
- export SERVICE_NAME=$PKI_INSTANCE_ID
- # Invoke the initscript for this instance
- $PKI_INSTANCE_INITSCRIPT stop
- rv=$?
-
- # On Tomcat subsystems, always remove the "pki subsystem identity" symlinks
- # that were previously associated with the Tomcat 'pid' and 'lock' files.
- case $PKI_WEB_SERVER_TYPE in
- tomcat)
- if [ -f ${PKI_PIDFILE} ]; then
- rm -f ${PKI_PIDFILE}
- fi
- ;;
- esac
-
- return $rv
-}
-
-start()
-{
- error_rv=0
- rv=0
- config_errors=0
- errors=0
-
- if [ ${TOTAL_PKI_REGISTRY_ENTRIES} -eq 0 ]; then
- echo
- echo "ERROR: No '${PKI_TYPE}' instances installed!"
- # 5 program is not installed
- return 5
- fi
-
- if [ ${TOTAL_PKI_REGISTRY_ENTRIES} -gt 1 ]; then
- echo "BEGIN STARTING '${PKI_TYPE}' INSTANCES:"
- fi
-
- # Start every PKI instance of this type that isn't already running
- for PKI_REGISTRY_ENTRY in ${PKI_REGISTRY_ENTRIES}; do
- # Source values associated with this particular PKI instance
- [ -f ${PKI_REGISTRY_ENTRY} ] &&
- . ${PKI_REGISTRY_ENTRY}
-
- [ ${TOTAL_PKI_REGISTRY_ENTRIES} -gt 1 ] && echo
-
- start_instance
- rv=$?
- if [ $rv = 6 ] ; then
- # Since at least ONE configuration error exists, then there
- # is at least ONE unconfigured instance from the PKI point
- # of view.
- #
- # However, it must still be considered that the
- # instance is "running" from the point of view of other
- # OS programs such as 'chkconfig'.
- #
- # Therefore, ignore non-zero return codes resulting
- # from configuration errors.
- #
-
- config_errors=`expr $config_errors + 1`
- rv=0
- elif [ $rv != 0 ] ; then
- errors=`expr $errors + 1`
- error_rv=$rv
- fi
- done
-
- if [ ${TOTAL_PKI_REGISTRY_ENTRIES} -gt ${errors} ] ; then
- touch ${lockfile}
- chmod 00600 ${lockfile}
- fi
-
- # ONLY print a "WARNING" message if multiple
- # instances are being examined
- if [ ${TOTAL_PKI_REGISTRY_ENTRIES} -gt 1 ] ; then
- # NOTE: "bad" return code(s) OVERRIDE configuration errors!
- if [ ${errors} -eq 1 ]; then
- # Since only ONE error exists, return that "bad" error code.
- rv=${error_rv}
- elif [ ${errors} -gt 1 ]; then
- # Since MORE than ONE error exists, return an OVERALL status
- # of "1 generic or unspecified error (current practice)"
- rv=1
- fi
-
- if [ ${errors} -ge 1 ]; then
- echo
- echo -n "WARNING: "
- echo -n "${errors} of ${TOTAL_PKI_REGISTRY_ENTRIES} "
- echo -n "'${PKI_TYPE}' instances failed to start!"
- echo
- fi
-
- if [ ${TOTAL_UNCONFIGURED_PKI_ENTRIES} -ge 1 ]; then
- echo
- echo -n "WARNING: "
- echo -n "${TOTAL_UNCONFIGURED_PKI_ENTRIES} "
- echo -n "of ${TOTAL_PKI_REGISTRY_ENTRIES} "
- echo -n "'${PKI_TYPE}' instances MUST be configured!"
- echo
- fi
-
- echo
- echo "FINISHED STARTING '${PKI_TYPE}' INSTANCE(S)."
- fi
-
- return $rv
-}
-
-stop()
-{
- error_rv=0
- rv=0
- errors=0
-
- if [ ${TOTAL_PKI_REGISTRY_ENTRIES} -eq 0 ]; then
- echo
- echo "ERROR: No '${PKI_TYPE}' instances installed!"
- # 5 program is not installed
- return 5
- fi
-
- if [ ${TOTAL_PKI_REGISTRY_ENTRIES} -gt 1 ] ; then
- echo "BEGIN SHUTTING DOWN '${PKI_TYPE}' INSTANCE(S):"
- fi
-
- # Shutdown every PKI instance of this type that is running
- for PKI_REGISTRY_ENTRY in ${PKI_REGISTRY_ENTRIES}; do
- # Source values associated with this particular PKI instance
- [ -f ${PKI_REGISTRY_ENTRY} ] &&
- . ${PKI_REGISTRY_ENTRY}
-
- [ ${TOTAL_PKI_REGISTRY_ENTRIES} -gt 1 ] && echo
-
- stop_instance
- rv=$?
- if [ $rv != 0 ] ; then
- errors=`expr $errors + 1`
- error_rv=$rv
- fi
- done
-
- if [ ${errors} -eq 0 ] ; then
- rm -f ${lockfile}
- fi
-
- # ONLY print a "WARNING" message if multiple
- # instances are being examined
- if [ ${TOTAL_PKI_REGISTRY_ENTRIES} -gt 1 ] ; then
- if [ ${errors} -eq 1 ]; then
- # Since only ONE error exists, return that "bad" error code.
- rv=${error_rv}
- elif [ ${errors} -gt 1 ]; then
- # Since MORE than ONE error exists, return an OVERALL status
- # of "1 generic or unspecified error (current practice)"
- rv=1
- fi
-
- if [ ${errors} -ge 1 ]; then
- echo
- echo -n "WARNING: "
- echo -n "${errors} of ${TOTAL_PKI_REGISTRY_ENTRIES} "
- echo -n "'${PKI_TYPE}' instances were "
- echo -n "unsuccessfully stopped!"
- echo
- fi
-
- echo
- echo "FINISHED SHUTTING DOWN '${PKI_TYPE}' INSTANCE(S)."
- fi
-
- return $rv
-}
-
-restart()
-{
- stop
- sleep 2
- start
-
- return $?
-}
-
-registry_status()
-{
- error_rv=0
- rv=0
- errors=0
-
- if [ ${TOTAL_PKI_REGISTRY_ENTRIES} -eq 0 ]; then
- echo
- echo "ERROR: No '${PKI_TYPE}' instances installed!"
- # 4 program or service status is unknown
- return 4
- fi
-
- if [ ${TOTAL_PKI_REGISTRY_ENTRIES} -gt 1 ] ; then
- echo "REPORT STATUS OF '${PKI_TYPE}' INSTANCE(S):"
- fi
-
- # Obtain status of every PKI instance of this type
- for PKI_REGISTRY_ENTRY in ${PKI_REGISTRY_ENTRIES}; do
- # Source values associated with this particular PKI instance
- [ -f ${PKI_REGISTRY_ENTRY} ] &&
- . ${PKI_REGISTRY_ENTRY}
-
- [ ${TOTAL_PKI_REGISTRY_ENTRIES} -gt 1 ] && echo
-
- case $PKI_WEB_SERVER_TYPE in
- tomcat)
- if [ $SYSTEMD ]; then
- display_instance_status_systemd
- else
- display_instance_status
- fi
- rv=$?
- ;;
- apache)
- display_instance_status
- rv=$?
- ;;
- esac
- if [ $rv -ne 0 ] ; then
- errors=`expr $errors + 1`
- error_rv=$rv
- fi
- done
-
- # ONLY print a "WARNING" message if multiple
- # instances are being examined
- if [ ${TOTAL_PKI_REGISTRY_ENTRIES} -gt 1 ] ; then
- if [ ${errors} -eq 1 ]; then
- # Since only ONE error exists, return that "bad" error code.
- rv=${error_rv}
- elif [ ${errors} -gt 1 ]; then
- # Since MORE than ONE error exists, return an OVERALL status
- # of "4 - program or service status is unknown"
- rv=4
- fi
-
- if [ ${errors} -ge 1 ]; then
- echo
- echo -n "WARNING: "
- echo -n "${errors} of ${TOTAL_PKI_REGISTRY_ENTRIES} "
- echo -n "'${PKI_TYPE}' instances reported status failures!"
- echo
- fi
-
- if [ ${TOTAL_UNCONFIGURED_PKI_ENTRIES} -ge 1 ]; then
- echo
- echo -n "WARNING: "
- echo -n "${TOTAL_UNCONFIGURED_PKI_ENTRIES} "
- echo -n "of ${TOTAL_PKI_REGISTRY_ENTRIES} "
- echo -n "'${PKI_TYPE}' instances MUST be configured!"
- echo
- fi
-
- echo
- echo "FINISHED REPORTING STATUS OF '${PKI_TYPE}' INSTANCE(S)."
- fi
-
- return $rv
-}
-
diff --git a/base/deploy/scripts/pkidaemon b/base/deploy/scripts/pkidaemon
deleted file mode 100755
index 3e1d27a40..000000000
--- a/base/deploy/scripts/pkidaemon
+++ /dev/null
@@ -1,78 +0,0 @@
-#!/bin/bash
-#
-# --- BEGIN COPYRIGHT BLOCK ---
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation; version 2 of the License.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License along
-# with this program; if not, write to the Free Software Foundation, Inc.,
-# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-#
-# Copyright (C) 2012 Red Hat, Inc.
-# All rights reserved.
-# --- END COPYRIGHT BLOCK ---
-#
-
-PROG_NAME=`basename $0`
-SERVICE_NAME="pkidaemon"
-SERVICE_PROG="/bin/systemctl"
-
-command="$1"
-pki_instance_type="$2"
-pki_instance_id="$3"
-
-PKI_REGISTRY="/etc/sysconfig/pki/${pki_instance_type}"
-PKI_TYPE="${pki_instance_type}"
-PKI_SYSTEMD_TARGET="pki-${pki_instance_type}d"
-SYSTEMD=1
-
-# Source the PKI function library
-. /usr/share/pki/scripts/operations
-
-# See how we were called.
-case $command in
- status)
- registry_status
- exit $?
- ;;
- start)
- start
- exit $?
- ;;
- restart)
- restart
- exit $?
- ;;
- stop)
- echo "An exit status of '143' refers to the 'systemd' method of using"\
- "'SIGTERM' to shutdown a Java process and can safely be ignored."
- stop
- exit $?
- ;;
- condrestart|force-restart|try-restart)
- [ ! -f ${lockfile} ] || restart
- echo "The '${command}' action is TBD."
- exit $?
- ;;
- reload)
- echo "The 'reload' action is an unimplemented feature."
- exit ${default_error}
- ;;
- *)
- echo "unknown action ($command)"
- echo
- usage_systemd
- echo "where valid instance types include:"
- list_instance_types
- echo "and where valid instance names include:"
- list_systemd_instances
- exit ${default_error}
- ;;
-esac
-