authorAde Lee <alee@redhat.com>2014-03-27 11:08:32 -0400
committerAde Lee <alee@redhat.com>2014-03-31 10:26:12 -0400
commitb834efbaa8c929c10cf00252b71ebc29e2f10456 (patch)
treee218ae6b2045cd5aa0f137efcdbd940f7de7333e /base/server/etc
parent86f4022cc0598353d16901fa2d1ef90f474baaca (diff)
Share subsystem cert in shared tomcat instances
In shared tomcat instances, we need to share the subsystem cert and not create a new one for each additional subsystem added to the instance. In addition, if the instances share the same database, then only one pkidbuser should be created with the relevant subsystem cert and seeAlso attribute. Ticket 893
Diffstat (limited to 'base/server/etc')
-rw-r--r--base/server/etc/default.cfg23
1 files changed, 13 insertions, 10 deletions
diff --git a/base/server/etc/default.cfg b/base/server/etc/default.cfg
index ea9c54019..41b3bd39f 100644
--- a/base/server/etc/default.cfg
+++ b/base/server/etc/default.cfg
@@ -114,6 +114,8 @@ pki_ssl_server_token=Internal Key Storage Token
pki_subsystem_key_algorithm=SHA256withRSA
pki_subsystem_key_size=2048
pki_subsystem_key_type=rsa
+pki_subsystem_nickname=subsystemCert cert-%(pki_instance_name)s
+pki_subsystem_subject_dn=cn=Subsystem Certificate,o=%(pki_security_domain_name)s
pki_subsystem_token=Internal Key Storage Token
pki_theme_enable=True
pki_theme_server_dir=/usr/share/pki/common-ui
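Review bot: The new default `pki_subsystem_subject_dn=cn=Subsystem Certificate,o=%(pki_security_domain_name)s` drops the subsystem type from the subject, and it appears to apply to every deployment rather than only to shared Tomcat instances (the section header is outside this hunk, so that is an assumption). Subsystems installed in separate instances within one security domain would then request certificates with identical subject DNs, so audit records and any DN-based rules can no longer tell a KRA from a TKS. Inside a shared instance a single key now authenticates every subsystem, which means a compromise or revocation affects all of them at once. I would document that trade-off next to the two added lines, for example `# Shared by all subsystems in this instance; override in the subsystem section if distinct identities are required`.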
@@ -399,8 +401,7 @@ pki_ds_base_dn=o=%(pki_instance_name)s-CA
pki_ds_database=%(pki_instance_name)s-CA
pki_ds_hostname=%(pki_hostname)s
pki_subsystem_name=CA %(pki_hostname)s %(pki_https_port)s
-pki_subsystem_nickname=subsystemCert cert-%(pki_instance_name)s CA
-pki_subsystem_subject_dn=cn=CA Subsystem Certificate,o=%(pki_security_domain_name)s
+pki_share_db=False
# Paths
# These are used in the processing of pkispawn and are not supposed
@@ -479,8 +480,9 @@ pki_ds_base_dn=o=%(pki_instance_name)s-KRA
pki_ds_database=%(pki_instance_name)s-KRA
pki_ds_hostname=%(pki_hostname)s
pki_subsystem_name=KRA %(pki_hostname)s %(pki_https_port)s
-pki_subsystem_nickname=subsystemCert cert-%(pki_instance_name)s KRA
-pki_subsystem_subject_dn=cn=KRA Subsystem Certificate,o=%(pki_security_domain_name)s
+pki_share_db=True
+pki_share_dbuser_dn=uid=pkidbuser,ou=people,o=%(pki_instance_name)s-CA
+
# Paths
# These are used in the processing of pkispawn and are not supposed
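Review bot: `pki_share_db=True` becomes the default for KRA here, and likewise for OCSP, TKS and TPS in the later hunks, with `pki_share_dbuser_dn` fixed to the CA suffix `o=%(pki_instance_name)s-CA` while this subsystem's `pki_ds_base_dn` stays `o=%(pki_instance_name)s-KRA`. A KRA installed into an instance or directory server that hosts no CA would presumably end up pointing at a pkidbuser entry under a suffix that does not exist there; how pkispawn handles that case is not visible in this diff. Sharing one directory identity across subsystems also widens what that single certificate can reach in LDAP, so I would prefer it to be opt-in: `pki_share_db=False` by default, plus a comment stating when to enable it and which entry `pki_share_dbuser_dn` must name.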
@@ -540,8 +542,9 @@ pki_ds_base_dn=o=%(pki_instance_name)s-OCSP
pki_ds_database=%(pki_instance_name)s-OCSP
pki_ds_hostname=%(pki_hostname)s
pki_subsystem_name=OCSP %(pki_hostname)s %(pki_https_port)s
-pki_subsystem_nickname=subsystemCert cert-%(pki_instance_name)s OCSP
-pki_subsystem_subject_dn=cn=OCSP Subsystem Certificate,o=%(pki_security_domain_name)s
+pki_share_db=True
+pki_share_dbuser_dn=uid=pkidbuser,ou=people,o=%(pki_instance_name)s-CA
+
###############################################################################
## RA Configuration: ##
@@ -571,8 +574,8 @@ pki_ds_base_dn=o=%(pki_instance_name)s-TKS
pki_ds_database=%(pki_instance_name)s-TKS
pki_ds_hostname=%(pki_hostname)s
pki_subsystem_name=TKS %(pki_hostname)s %(pki_https_port)s
-pki_subsystem_nickname=subsystemCert cert-%(pki_instance_name)s TKS
-pki_subsystem_subject_dn=cn=TKS Subsystem Certificate,o=%(pki_security_domain_name)s
+pki_share_db=True
+pki_share_dbuser_dn=uid=pkidbuser,ou=people,o=%(pki_instance_name)s-CA
###############################################################################
## TPS Configuration: ##
@@ -593,8 +596,6 @@ pki_ds_base_dn=o=%(pki_instance_name)s-TPS
pki_ds_database=%(pki_instance_name)s-TPS
pki_ds_hostname=%(pki_hostname)s
pki_subsystem_name=TPS %(pki_hostname)s %(pki_https_port)s
-pki_subsystem_nickname=subsystemCert cert-%(pki_instance_name)s TPS
-pki_subsystem_subject_dn=cn=TPS Subsystem Certificate,o=%(pki_security_domain_name)s
pki_authdb_hostname=%(pki_hostname)s
pki_authdb_port=389
pki_authdb_secure_conn=False
@@ -603,6 +604,8 @@ pki_kra_uri=https://%(pki_hostname)s:%(pki_https_port)s
pki_tks_uri=https://%(pki_hostname)s:%(pki_https_port)s
pki_enable_server_side_keygen=False
pki_import_shared_secret=False
+pki_share_db=True
+pki_share_dbuser_dn=uid=pkidbuser,ou=people,o=%(pki_instance_name)s-CA
# Paths
# These are used in the processing of pkispawn and are not supposed