author | Matthew Harmsen <mharmsen@redhat.com> | 2012-05-23 18:59:06 -0700 |
committer | Matthew Harmsen <mharmsen@redhat.com> | 2012-05-25 14:59:48 -0700 |
commit | 4a263b8db27208413acd0f038ea67629d5ee27bb (patch) | |
tree | 8c747215e522100304e9afced96d0720bd49501d /base | |
parent | 2408bec41a56378fcf942a68a1ab290464c001d7 (diff) | |
PKI Deployment Scriptlets
* Integration of Tomcat 7
* Addition of centralized 'pki-tomcatd' systemd functionality to the
PKI Deployment strategy
* Removal of 'pki_flavor' attribute
Diffstat (limited to 'base')
47 files changed, 2761 insertions, 335 deletions
diff --git a/base/ca/setup/registry_instance b/base/ca/setup/registry_instance
index 3210b9131..c97b0c736 100644
--- a/base/ca/setup/registry_instance
+++ b/base/ca/setup/registry_instance
@@ -1,8 +1,5 @@
 # Establish PKI Variable "Slot" Substitutions
-PKI_FLAVOR=[PKI_FLAVOR]
-export PKI_FLAVOR
-
 PKI_SUBSYSTEM_TYPE=[PKI_SUBSYSTEM_TYPE]
 export PKI_SUBSYSTEM_TYPE
@@ -38,13 +35,13 @@ export TOMCAT_USER
 TOMCAT_GROUP=$PKI_GROUP
 export TOMCAT_GROUP
-PKI_LOCKDIR="/var/lock/${PKI_FLAVOR}/${PKI_SUBSYSTEM_TYPE}"
+PKI_LOCKDIR="/var/lock/pki/${PKI_SUBSYSTEM_TYPE}"
 export PKI_LOCKDIR
 PKI_LOCKFILE="${PKI_LOCKDIR}/${PKI_INSTANCE_ID}"
 export PKI_LOCKFILE
-PKI_PIDDIR="/var/run/${PKI_FLAVOR}/${PKI_SUBSYSTEM_TYPE}"
+PKI_PIDDIR="/var/run/pki/${PKI_SUBSYSTEM_TYPE}"
 export PKI_PIDDIR
 PKI_PIDFILE="${PKI_PIDDIR}/${PKI_INSTANCE_ID}.pid"
diff --git a/base/ca/shared/conf/CS.cfg.in b/base/ca/shared/conf/CS.cfg.in
index f62543963..ada97c4fa 100644
--- a/base/ca/shared/conf/CS.cfg.in
+++ b/base/ca/shared/conf/CS.cfg.in
@@ -814,12 +814,12 @@ internaldb.ldapauth.clientCertNickname=
 internaldb.ldapconn.host=
 internaldb.ldapconn.port=
 internaldb.ldapconn.secureConn=false
-preop.internaldb.schema.ldif=/usr/share/[PKI_FLAVOR]/ca/conf/schema.ldif
-preop.internaldb.ldif=/usr/share/[PKI_FLAVOR]/ca/conf/database.ldif
-preop.internaldb.data_ldif=/usr/share/[PKI_FLAVOR]/ca/conf/db.ldif,/usr/share/[PKI_FLAVOR]/ca/conf/acl.ldif
+preop.internaldb.schema.ldif=/usr/share/pki/ca/conf/schema.ldif
+preop.internaldb.ldif=/usr/share/pki/ca/conf/database.ldif
+preop.internaldb.data_ldif=/usr/share/pki/ca/conf/db.ldif,/usr/share/pki/ca/conf/acl.ldif
 preop.internaldb.index_ldif=
-preop.internaldb.manager_ldif=/usr/share/[PKI_FLAVOR]/ca/conf/manager.ldif
-preop.internaldb.post_ldif=/usr/share/[PKI_FLAVOR]/ca/conf/index.ldif,/usr/share/[PKI_FLAVOR]/ca/conf/vlv.ldif,/usr/share/[PKI_FLAVOR]/ca/conf/vlvtasks.ldif
+preop.internaldb.manager_ldif=/usr/share/pki/ca/conf/manager.ldif
+preop.internaldb.post_ldif=/usr/share/pki/ca/conf/index.ldif,/usr/share/pki/ca/conf/vlv.ldif,/usr/share/pki/ca/conf/vlvtasks.ldif
 preop.internaldb.wait_dn=cn=index1160589769, cn=index, cn=tasks, cn=config
 internaldb.multipleSuffix.enable=false
 jobsScheduler._000=##
diff --git a/base/common/CMakeLists.txt b/base/common/CMakeLists.txt
index 10a7cc0bb..f602ae943 100644
--- a/base/common/CMakeLists.txt
+++ b/base/common/CMakeLists.txt
@@ -1,9 +1,23 @@
 project(common Java)
+# install systemd scripts
+install(
+ FILES
+ shared/lib/systemd/system/pki-tomcatd.target
+ shared/lib/systemd/system/pki-tomcatd@.service
+ DESTINATION
+ ${SYSTEMD_LIB_INSTALL_DIR}
+ PERMISSIONS
+ OWNER_EXECUTE OWNER_WRITE OWNER_READ
+ GROUP_EXECUTE GROUP_READ
+ WORLD_EXECUTE WORLD_READ
+)
+
 install(
 FILES
 setup/CertServer.directory
 setup/menu.xml
+ setup/pkidaemon_registry
 DESTINATION
 ${DATA_INSTALL_DIR}/setup/
 PERMISSIONS
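Review bot: The first `install(FILES ...)` in the CMakeLists hunk gives `pki-tomcatd.target` and `pki-tomcatd@.service` `OWNER_EXECUTE`, `GROUP_EXECUTE` and `WORLD_EXECUTE`, but systemd unit files are data that systemd only reads, so the execute bits are unnecessary and the conventional mode is 0644: `PERMISSIONS OWNER_WRITE OWNER_READ GROUP_READ WORLD_READ`. The second `install(FILES` adds `setup/pkidaemon_registry`, which by its content is a file to be sourced rather than executed, so it likely does not need execute bits either, although its `PERMISSIONS` list ends in the next hunk and is not fully visible here. A one-line comment above the systemd block naming where `SYSTEMD_LIB_INSTALL_DIR` is defined (it is not set in this file) would also help the next reader.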
@@ -12,5 +26,34 @@ install(
 WORLD_READ
 )
+# install directories
+install(
+ DIRECTORY
+ shared/
+ DESTINATION
+ ${DATA_INSTALL_DIR}/shared/
+ PATTERN
+ "lib/" EXCLUDE
+)
+
+# install empty directories
+install(
+ DIRECTORY
+ DESTINATION
+ ${VAR_INSTALL_DIR}/lock/pki/tomcat
+)
+
+install(
+ DIRECTORY
+ DESTINATION
+ ${VAR_INSTALL_DIR}/run/pki/tomcat
+)
+
+install(
+ DIRECTORY
+ DESTINATION
+ ${SYSTEMD_ETC_INSTALL_DIR}/pki-tomcatd.target.wants
+)
+
 add_subdirectory(src)
 add_subdirectory(test)
diff --git a/base/common/setup/pkidaemon_registry b/base/common/setup/pkidaemon_registry
new file mode 100644
index 000000000..5cd1ca9c8
--- /dev/null
+++ b/base/common/setup/pkidaemon_registry
@@ -0,0 +1,59 @@
+# Establish PKI Variable "Slot" Substitutions
+
+PKI_WEB_SERVER_TYPE=[PKI_WEB_SERVER_TYPE]
+export PKI_WEB_SERVER_TYPE
+
+PKI_USER=[PKI_USER]
+export PKI_USER
+
+PKI_GROUP=[PKI_GROUP]
+export PKI_GROUP
+
+PKI_INSTANCE_ID=[PKI_INSTANCE_ID]
+export PKI_INSTANCE_ID
+
+PKI_INSTANCE_PATH=[PKI_INSTANCE_PATH]
+export PKI_INSTANCE_PATH
+
+PKI_INSTANCE_INITSCRIPT=[PKI_INSTANCE_INITSCRIPT]
+export PKI_INSTANCE_INITSCRIPT
+
+PKI_LOCKDIR=[PKI_LOCKDIR]
+export PKI_LOCKDIR
+
+PKI_PIDDIR=[PKI_PIDDIR]
+export PKI_PIDDIR
+
+PKI_UNSECURE_PORT=[PKI_UNSECURE_PORT]
+export PKI_UNSECURE_PORT
+
+TOMCAT_PIDFILE=[TOMCAT_PIDFILE]
+export TOMCAT_PIDFILE
+
+# Use PKI Variable "Slot" Substitutions
+
+PKI_LOCKFILE="${PKI_LOCKDIR}/${PKI_INSTANCE_ID}"
+export PKI_LOCKFILE
+
+PKI_PIDFILE="${PKI_PIDDIR}/${PKI_INSTANCE_ID}.pid"
+export PKI_PIDFILE
+
+RESTART_SERVER=${PKI_INSTANCE_PATH}/conf/restart_server_after_configuration
+export RESTART_SERVER
+
+# Use CATALINA_BASE
+
+CATALINA_BASE=$PKI_INSTANCE_PATH
+export CATALINA_BASE
+
+TOMCAT_PROG=$PKI_INSTANCE_ID
+export TOMCAT_PROG
+
+TOMCAT_USER=$PKI_USER
+export TOMCAT_USER
+
+TOMCAT_GROUP=$PKI_GROUP
+export TOMCAT_GROUP
+
+TOMCAT_LOCKFILE=/var/lock/subsys/${PKI_INSTANCE_ID}
+export TOMCAT_LOCKFILE
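Review bot: The `install(DIRECTORY DESTINATION ...)` calls for `${VAR_INSTALL_DIR}/lock/pki/tomcat` and `${VAR_INSTALL_DIR}/run/pki/tomcat` create the directories once at install time, root-owned and with the default directory mode since no `DIRECTORY_PERMISSIONS` is given. `pkidaemon_registry` in this same commit derives `PKI_PIDFILE` and `PKI_LOCKFILE` from `PKI_PIDDIR`/`PKI_LOCKDIR` and sets `TOMCAT_USER=$PKI_USER`, so if the pid and lock files are written as the instance user (the writer is not visible here) these directories need ownership or a mode that allows it, which this rule does not arrange. On distributions where `/run` and `/run/lock` are tmpfs, directories installed under them also disappear at the next boot unless a `tmpfiles.d` entry or the unit itself recreates them. A comment above the block stating who is expected to own these paths and how they survive a reboot would make the intent reviewable.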
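Review bot: `PKI_INSTANCE_ID`, `PKI_LOCKDIR`, `PKI_PIDDIR` and `PKI_INSTANCE_PATH` are filled in from deployment slots and then spliced directly into filesystem paths (`PKI_LOCKFILE`, `PKI_PIDFILE`, `RESTART_SERVER`, `TOMCAT_LOCKFILE`), so this file relies entirely on the deployment code validating those values (an instance id with no path separators, absolute directories for the dirs); that validation is not part of this commit and should be stated as a precondition in a header comment. `TOMCAT_LOCKFILE=/var/lock/subsys/${PKI_INSTANCE_ID}` hard-codes a lock directory while `PKI_LOCKDIR` is a slot; if the two are meant to stay in step, `TOMCAT_LOCKFILE` should also come from a slot or be derived from `${PKI_LOCKDIR}`. The file also has no header saying which script sources it; a first line such as `# Sourced by the pki-tomcatd startup script; values in [...] are substituted at deployment time` would help.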
diff --git a/base/common/shared/conf/catalina.policy b/base/common/shared/conf/catalina.policy
new file mode 100644
index 000000000..02c1eea0a
--- /dev/null
+++ b/base/common/shared/conf/catalina.policy
@@ -0,0 +1,252 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// Copyright (C) 2012 Red Hat, Inc. +// All rights reserved. +// Modifications: configuration parameters +// --- END COPYRIGHT BLOCK --- + +// Licensed to the Apache Software Foundation (ASF) under one or more +// contributor license agreements. See the NOTICE file distributed with +// this work for additional information regarding copyright ownership. +// The ASF licenses this file to You under the Apache License, Version 2.0 +// (the "License"); you may not use this file except in compliance with +// the License. You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +// ============================================================================ +// catalina.policy - Security Policy Permissions for Tomcat 7 +// +// This file contains a default set of security policies to be enforced (by the +// JVM) when Catalina is executed with the "-security" option. 
In addition +// to the permissions granted here, the following additional permissions are +// granted to each web application: +// +// * Read access to the web application's document root directory +// * Read, write and delete access to the web application's working directory +// +// $Id: catalina.policy 1220297 2011-12-17 22:55:28Z markt $ +// ============================================================================ + + +// ========== SYSTEM CODE PERMISSIONS ========================================= + + +// These permissions apply to javac +grant codeBase "file:${java.home}/lib/-" { + permission java.security.AllPermission; +}; + +// These permissions apply to all shared system extensions +grant codeBase "file:${java.home}/jre/lib/ext/-" { + permission java.security.AllPermission; +}; + +// These permissions apply to javac when ${java.home] points at $JAVA_HOME/jre +grant codeBase "file:${java.home}/../lib/-" { + permission java.security.AllPermission; +}; + +// These permissions apply to all shared system extensions when +// ${java.home} points at $JAVA_HOME/jre +grant codeBase "file:${java.home}/lib/ext/-" { + permission java.security.AllPermission; +}; + + +// ========== CATALINA CODE PERMISSIONS ======================================= + + +// These permissions apply to the daemon code +grant codeBase "file:${catalina.home}/bin/commons-daemon.jar" { + permission java.security.AllPermission; +}; + +// These permissions apply to the logging API +// Note: If tomcat-juli.jar is in ${catalina.base} and not in ${catalina.home}, +// update this section accordingly. 
+// grant codeBase "file:${catalina.base}/bin/tomcat-juli.jar" {..} +grant codeBase "file:${catalina.home}/bin/tomcat-juli.jar" { + permission java.io.FilePermission + "${java.home}${file.separator}lib${file.separator}logging.properties", "read"; + + permission java.io.FilePermission + "${catalina.base}${file.separator}conf${file.separator}logging.properties", "read"; + permission java.io.FilePermission + "${catalina.base}${file.separator}logs", "read, write"; + permission java.io.FilePermission + "${catalina.base}${file.separator}logs${file.separator}*", "read, write"; + + permission java.lang.RuntimePermission "shutdownHooks"; + permission java.lang.RuntimePermission "getClassLoader"; + permission java.lang.RuntimePermission "setContextClassLoader"; + + permission java.util.logging.LoggingPermission "control"; + + permission java.util.PropertyPermission "java.util.logging.config.class", "read"; + permission java.util.PropertyPermission "java.util.logging.config.file", "read"; + permission java.util.PropertyPermission "catalina.base", "read"; + permission java.util.PropertyPermission + "org.apache.juli.logging.UserDataHelper.CONFIG", "read"; + permission java.util.PropertyPermission + "org.apache.juli.logging.UserDataHelper.SUPPRESSION_TIME", "read"; + + // Note: To enable per context logging configuration, permit read access to + // the appropriate file. Be sure that the logging configuration is + // secure before enabling such access. + // E.g. 
for the examples web application (uncomment and unwrap + // the following to be on a single line): + // permission java.io.FilePermission "${catalina.base}${file.separator} + // webapps${file.separator}examples${file.separator}WEB-INF + // ${file.separator}classes${file.separator}logging.properties", "read"; +}; + +// These permissions apply to the server startup code +grant codeBase "file:${catalina.home}/bin/bootstrap.jar" { + permission java.security.AllPermission; +}; + +// These permissions apply to the servlet API classes +// and those that are shared across all class loaders +// located in the "lib" directory +grant codeBase "file:${catalina.home}/lib/-" { + permission java.security.AllPermission; +}; + + +// If using a per instance lib directory, i.e. ${catalina.base}/lib, +// then the following permission will need to be uncommented +// grant codeBase "file:${catalina.base}/lib/-" { +// permission java.security.AllPermission; +// }; + + +// ========== WEB APPLICATION PERMISSIONS ===================================== + + +// These permissions are granted by default to all web applications +// In addition, a web application will be given a read FilePermission +// and JndiPermission for all files and directories in its document root. 
+grant { + // Required for JNDI lookup of named JDBC DataSource's and + // javamail named MimePart DataSource used to send mail + permission java.util.PropertyPermission "java.home", "read"; + permission java.util.PropertyPermission "java.naming.*", "read"; + permission java.util.PropertyPermission "javax.sql.*", "read"; + + // OS Specific properties to allow read access + permission java.util.PropertyPermission "os.name", "read"; + permission java.util.PropertyPermission "os.version", "read"; + permission java.util.PropertyPermission "os.arch", "read"; + permission java.util.PropertyPermission "file.separator", "read"; + permission java.util.PropertyPermission "path.separator", "read"; + permission java.util.PropertyPermission "line.separator", "read"; + + // JVM properties to allow read access + permission java.util.PropertyPermission "java.version", "read"; + permission java.util.PropertyPermission "java.vendor", "read"; + permission java.util.PropertyPermission "java.vendor.url", "read"; + permission java.util.PropertyPermission "java.class.version", "read"; + permission java.util.PropertyPermission "java.specification.version", "read"; + permission java.util.PropertyPermission "java.specification.vendor", "read"; + permission java.util.PropertyPermission "java.specification.name", "read"; + + permission java.util.PropertyPermission "java.vm.specification.version", "read"; + permission java.util.PropertyPermission "java.vm.specification.vendor", "read"; + permission java.util.PropertyPermission "java.vm.specification.name", "read"; + permission java.util.PropertyPermission "java.vm.version", "read"; + permission java.util.PropertyPermission "java.vm.vendor", "read"; + permission java.util.PropertyPermission "java.vm.name", "read"; + + // Required for OpenJMX + permission java.lang.RuntimePermission "getAttribute"; + + // Allow read of JAXP compliant XML parser debug + permission java.util.PropertyPermission "jaxp.debug", "read"; + + // All JSPs need to be able 
to read this package + permission java.lang.RuntimePermission "accessClassInPackage.org.apache.tomcat"; + + // Precompiled JSPs need access to these packages. + permission java.lang.RuntimePermission "accessClassInPackage.org.apache.jasper.el"; + permission java.lang.RuntimePermission "accessClassInPackage.org.apache.jasper.runtime"; + permission java.lang.RuntimePermission + "accessClassInPackage.org.apache.jasper.runtime.*"; + + // Precompiled JSPs need access to these system properties. + permission java.util.PropertyPermission + "org.apache.jasper.runtime.BodyContentImpl.LIMIT_BUFFER", "read"; + permission java.util.PropertyPermission + "org.apache.el.parser.COERCE_TO_ZERO", "read"; + + // The cookie code needs these. + permission java.util.PropertyPermission + "org.apache.catalina.STRICT_SERVLET_COMPLIANCE", "read"; + permission java.util.PropertyPermission + "org.apache.tomcat.util.http.ServerCookie.STRICT_NAMING", "read"; + permission java.util.PropertyPermission + "org.apache.tomcat.util.http.ServerCookie.FWD_SLASH_IS_SEPARATOR", "read"; + + // Applications using Comet need to be able to access this package + permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.comet"; +}; + + +// The Manager application needs access to the following packages to support the +// session display functionality. 
These settings support the following +// configurations: +// - default CATALINA_HOME == CATALINA_BASE +// - CATALINA_HOME != CATALINA_BASE, per instance Manager in CATALINA_BASE +// - CATALINA_HOME != CATALINA_BASE, shared Manager in CATALINA_HOME +grant codeBase "file:${catalina.base}/webapps/manager/-" { + permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina"; + permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.ha.session"; + permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.manager"; + permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.manager.util"; + permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.util"; +}; +grant codeBase "file:${catalina.home}/webapps/manager/-" { + permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina"; + permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.ha.session"; + permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.manager"; + permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.manager.util"; + permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.util"; +}; + +// You can assign additional permissions to particular web applications by +// adding additional "grant" entries here, based on the code base for that +// application, /WEB-INF/classes/, or /WEB-INF/lib/ jar files. +// +// Different permissions can be granted to JSP pages, classes loaded from +// the /WEB-INF/classes/ directory, all jar files in the /WEB-INF/lib/ +// directory, or even to individual jar files in the /WEB-INF/lib/ directory. 
+// +// For instance, assume that the standard "examples" application +// included a JDBC driver that needed to establish a network connection to the +// corresponding database and used the scrape taglib to get the weather from +// the NOAA web server. You might create a "grant" entries like this: +// +// The permissions granted to the context root directory apply to JSP pages. +// grant codeBase "file:${catalina.base}/webapps/examples/-" { +// permission java.net.SocketPermission "dbhost.mycompany.com:5432", "connect"; +// permission java.net.SocketPermission "*.noaa.gov:80", "connect"; +// }; +// +// The permissions granted to the context WEB-INF/classes directory +// grant codeBase "file:${catalina.base}/webapps/examples/WEB-INF/classes/-" { +// }; +// +// The permission granted to your JDBC driver +// grant codeBase "jar:file:${catalina.base}/webapps/examples/WEB-INF/lib/driver.jar!/-" { +// permission java.net.SocketPermission "dbhost.mycompany.com:5432", "connect"; +// }; +// The permission granted to the scrape taglib +// grant codeBase "jar:file:${catalina.base}/webapps/examples/WEB-INF/lib/scrape.jar!/-" { +// permission java.net.SocketPermission "*.noaa.gov:80", "connect"; +// }; + diff --git a/base/common/shared/conf/catalina.properties b/base/common/shared/conf/catalina.properties new file mode 100644 index 000000000..003089a43 --- /dev/null +++ b/base/common/shared/conf/catalina.properties 
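Review bot: The policy grants `java.security.AllPermission` to `file:${catalina.home}/lib/-` but keeps the `${catalina.base}/lib/-` grant commented out, while `catalina.properties` in this same commit puts `${catalina.base}/lib`, `${catalina.base}/lib/*.jar` and the `[TOMCAT_INSTANCE_COMMON_LIB]` slot on `common.loader`. If an instance is ever started with `-security`, code loaded from those per-instance locations runs with only the default `grant {}` permissions and fails in hard-to-diagnose ways; if `-security` is never used for PKI instances, the file is inert and the header should say so. Either add a grant for the instance lib directory, scoped to what the jars placed there actually need rather than a blanket AllPermission, or add after the commented-out `${catalina.base}/lib/-` block: `// PKI instances put [TOMCAT_INSTANCE_COMMON_LIB] on common.loader; grant it here before enabling -security`. The javac comment's `${java.home]` is a typo inherited from upstream (`${java.home}`).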
@@ -0,0 +1,125 @@ +# --- BEGIN COPYRIGHT BLOCK --- +# Copyright (C) 2012 Red Hat, Inc. +# All rights reserved. +# Modifications: configuration parameters +# --- END COPYRIGHT BLOCK --- + +# Licensed to the Apache Software Foundation (ASF) under one or more +# contributor license agreements. See the NOTICE file distributed with +# this work for additional information regarding copyright ownership. +# The ASF licenses this file to You under the Apache License, Version 2.0 +# (the "License"); you may not use this file except in compliance with +# the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# +# List of comma-separated packages that start with or equal this string +# will cause a security exception to be thrown when +# passed to checkPackageAccess unless the +# corresponding RuntimePermission ("accessClassInPackage."+package) has +# been granted. +package.access=sun.,org.apache.catalina.,org.apache.coyote.,org.apache.tomcat.,org.apache.jasper. +# +# List of comma-separated packages that start with or equal this string +# will cause a security exception to be thrown when +# passed to checkPackageDefinition unless the +# corresponding RuntimePermission ("defineClassInPackage."+package) has +# been granted. +# +# by default, no packages are restricted for definition, and none of +# the class loaders supplied with the JDK call checkPackageDefinition. +# +package.definition=sun.,java.,org.apache.catalina.,org.apache.coyote.,org.apache.tomcat.,org.apache.jasper. + +# +# +# List of comma-separated paths defining the contents of the "common" +# classloader. 
Prefixes should be used to define what is the repository type. +# Path may be relative to the CATALINA_HOME or CATALINA_BASE path or absolute. +# If left as blank,the JVM system loader will be used as Catalina's "common" +# loader. +# Examples: +# "foo": Add this folder as a class repository +# "foo/*.jar": Add all the JARs of the specified folder as class +# repositories +# "foo/bar.jar": Add bar.jar as a class repository +common.loader=${catalina.base}/lib,${catalina.base}/lib/*.jar,${catalina.home}/lib,${catalina.home}/lib/*.jar,[TOMCAT_INSTANCE_COMMON_LIB] + +# +# List of comma-separated paths defining the contents of the "server" +# classloader. Prefixes should be used to define what is the repository type. +# Path may be relative to the CATALINA_HOME or CATALINA_BASE path or absolute. +# If left as blank, the "common" loader will be used as Catalina's "server" +# loader. +# Examples: +# "foo": Add this folder as a class repository +# "foo/*.jar": Add all the JARs of the specified folder as class +# repositories +# "foo/bar.jar": Add bar.jar as a class repository +server.loader= + +# +# List of comma-separated paths defining the contents of the "shared" +# classloader. Prefixes should be used to define what is the repository type. +# Path may be relative to the CATALINA_BASE path or absolute. If left as blank, +# the "common" loader will be used as Catalina's "shared" loader. +# Examples: +# "foo": Add this folder as a class repository +# "foo/*.jar": Add all the JARs of the specified folder as class +# repositories +# "foo/bar.jar": Add bar.jar as a class repository +# Please note that for single jars, e.g. bar.jar, you need the URL form +# starting with file:. +shared.loader= + +# List of JAR files that should not be scanned for configuration information +# such as web fragments, TLD files etc. It must be a comma separated list of +# JAR file names. 
+# The JARs listed below include:
+# - Tomcat Bootstrap JARs
+# - Tomcat API JARs
+# - Catalina JARs
+# - Jasper JARs
+# - Tomcat JARs
+# - Common non-Tomcat JARs
+# - Sun JDK JARs
+# - Apple JDK JARs
+tomcat.util.scan.DefaultJarScanner.jarsToSkip=\
+bootstrap.jar,commons-daemon.jar,tomcat-juli.jar,\
+annotations-api.jar,el-api.jar,jsp-api.jar,servlet-api.jar,\
+catalina.jar,catalina-ant.jar,catalina-ha.jar,catalina-tribes.jar,\
+jasper.jar,jasper-el.jar,ecj-*.jar,\
+tomcat-api.jar,tomcat-util.jar,tomcat-coyote.jar,tomcat-dbcp.jar,\
+tomcat-i18n-en.jar,tomcat-i18n-es.jar,tomcat-i18n-fr.jar,tomcat-i18n-ja.jar,\
+tomcat-juli-adapters.jar,catalina-jmx-remote.jar,catalina-ws.jar,\
+tomcat-jdbc.jar,\
+commons-beanutils*.jar,commons-codec*.jar,commons-collections*.jar,\
+commons-dbcp*.jar,commons-digester*.jar,commons-fileupload*.jar,\
+commons-httpclient*.jar,commons-io*.jar,commons-lang*.jar,commons-logging*.jar,\
+commons-math*.jar,commons-pool*.jar,\
+jstl.jar,\
+geronimo-spec-jaxrpc*.jar,wsdl4j*.jar,\
+ant.jar,ant-junit*.jar,aspectj*.jar,jmx.jar,h2*.jar,hibernate*.jar,httpclient*.jar,\
+jmx-tools.jar,jta*.jar,log4j*.jar,mail*.jar,slf4j*.jar,\
+xercesImpl.jar,xmlParserAPIs.jar,xml-apis.jar,\
+dnsns.jar,ldapsec.jar,localedata.jar,sunjce_provider.jar,sunmscapi.jar,\
+sunpkcs11.jar,jhall.jar,tools.jar,\
+sunec.jar,zipfs.jar,\
+apple_provider.jar,AppleScriptEngine.jar,CoreAudio.jar,dns_sd.jar,\
+j3daudio.jar,j3dcore.jar,j3dutils.jar,jai_core.jar,jai_codec.jar,\
+mlibwrapper_jai.jar,MRJToolkit.jar,vecmath.jar,\
+junit.jar,junit-*.jar,ant-launcher.jar
+
+#
+# String cache configuration.
+tomcat.util.buf.StringCache.byte.enabled=true
+#tomcat.util.buf.StringCache.char.enabled=true
+#tomcat.util.buf.StringCache.trainThreshold=500000
+#tomcat.util.buf.StringCache.cacheSize=5000
diff --git a/base/common/shared/conf/context.xml b/base/common/shared/conf/context.xml
new file mode 100644
index 000000000..4b00dbe3c
--- /dev/null
+++ b/base/common/shared/conf/context.xml
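Review bot: `common.loader` lists `${catalina.base}/lib` and `${catalina.base}/lib/*.jar` ahead of `${catalina.home}/lib` and appends the deployment-time `[TOMCAT_INSTANCE_COMMON_LIB]` slot, so anything placed in the per-instance directories shadows the shared Tomcat jars for every webapp of that instance, and whoever can write there controls the server's class path. Nothing visible in this commit sets the ownership or mode of `[TOMCAT_INSTANCE_COMMON_LIB]` or `${catalina.base}/lib`; they should be root-owned and not writable by the instance user, and that expectation belongs in a comment on the `common.loader` line, e.g. `# [TOMCAT_INSTANCE_COMMON_LIB] is expanded at deployment time and must not be writable by the instance user`. The `common.loader` line itself is complete within this hunk; only the explanatory text above it was cut by the page layout.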
@@ -0,0 +1,42 @@
+<?xml version='1.0' encoding='utf-8'?>
+<!-- BEGIN COPYRIGHT BLOCK
+ Copyright (C) 2012 Red Hat, Inc.
+ All rights reserved.
+ Modifications: configuration parameters
+ END COPYRIGHT BLOCK
+-->
+
+<!--
+ Licensed to the Apache Software Foundation (ASF) under one or more
+ contributor license agreements. See the NOTICE file distributed with
+ this work for additional information regarding copyright ownership.
+ The ASF licenses this file to You under the Apache License, Version 2.0
+ (the "License"); you may not use this file except in compliance with
+ the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+-->
+<!-- The contents of this file will be loaded for each web application -->
+<Context>
+
+ <!-- Default set of monitored resources -->
+ <WatchedResource>WEB-INF/web.xml</WatchedResource>
+
+ <!-- Uncomment this to disable session persistence across Tomcat restarts -->
+ <!--
+ <Manager pathname="" />
+ -->
+
+ <!-- Uncomment this to enable Comet connection tacking (provides events
+ on session expiration as well as webapp lifecycle) -->
+ <!--
+ <Valve className="org.apache.catalina.valves.CometConnectionManagerValve" />
+ -->
+
+</Context>
diff --git a/base/common/shared/conf/log4j.properties b/base/common/shared/conf/log4j.properties
new file mode 100644
index 000000000..5861ec750
--- /dev/null
+++ b/base/common/shared/conf/log4j.properties
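Review bot: The `<Manager pathname="" />` element is left commented out, so, as the file's own comment says, sessions are persisted across Tomcat restarts with this stock `<Context>`. For a PKI subsystem whose HTTP sessions may carry agent or admin authentication state, writing them to disk at shutdown and reviving them on restart is probably not wanted; if so, uncomment the single line `<Manager pathname="" />`, and if persistence is intentional say why in the comment. The upstream comment's "connection tacking" should read "connection tracking".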
@@ -0,0 +1,17 @@
+# --- BEGIN COPYRIGHT BLOCK ---
+# Copyright (C) 2012 Red Hat, Inc.
+# All rights reserved.
+# Modifications: configuration parameters
+# --- END COPYRIGHT BLOCK ---
+
+log4j.rootLogger=debug, R
+log4j.appender.R=org.apache.log4j.RollingFileAppender
+log4j.appender.R.File=${catalina.home}/logs/tomcat.log
+log4j.appender.R.MaxFileSize=10MB
+log4j.appender.R.MaxBackupIndex=10
+log4j.appender.R.layout=org.apache.log4j.PatternLayout
+log4j.appender.R.layout.ConversionPattern=%p %t %c - %m%n
+log4j.logger.org.apache.catalina=DEBUG, R
+log4j.logger.org.apache.catalina.core.ContainerBase.[Catalina].[localhost]=DEBUG, R
+log4j.logger.org.apache.catalina.core=DEBUG, R
+log4j.logger.org.apache.catalina.session=DEBUG, R
diff --git a/base/common/shared/conf/logging.properties b/base/common/shared/conf/logging.properties
new file mode 100644
index 000000000..f1fb462aa
--- /dev/null
+++ b/base/common/shared/conf/logging.properties
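Review bot: `log4j.appender.R.File=${catalina.home}/logs/tomcat.log` writes under `catalina.home`, the shared Tomcat installation, whereas `logging.properties` in this commit uses `${catalina.base}/logs` and `pkidaemon_registry` sets `CATALINA_BASE=$PKI_INSTANCE_PATH` for per-instance state; several instances sharing one `catalina.home` would all append to the same file, and the instance user may not be able to write there at all. Change it to `log4j.appender.R.File=${catalina.base}/logs/tomcat.log`. Separately, `log4j.rootLogger=debug, R` together with `DEBUG` on every catalina logger is a development setting; shipping it as the instance default produces verbose logs that may include request details, so either lower the default or add a comment marking it as a debug configuration to be tightened in deployment.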
@@ -0,0 +1,70 @@
+# --- BEGIN COPYRIGHT BLOCK ---
+# Copyright (C) 2012 Red Hat, Inc.
+# All rights reserved.
+# Modifications: configuration parameters
+# --- END COPYRIGHT BLOCK ---
+
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+handlers = 1catalina.org.apache.juli.FileHandler, 2localhost.org.apache.juli.FileHandler, 3manager.org.apache.juli.FileHandler, 4host-manager.org.apache.juli.FileHandler, java.util.logging.ConsoleHandler
+
+.handlers = 1catalina.org.apache.juli.FileHandler, java.util.logging.ConsoleHandler
+
+############################################################
+# Handler specific properties.
+# Describes specific configuration info for Handlers.
+############################################################
+
+1catalina.org.apache.juli.FileHandler.level = FINE
+1catalina.org.apache.juli.FileHandler.directory = ${catalina.base}/logs
+1catalina.org.apache.juli.FileHandler.prefix = catalina.
+
+2localhost.org.apache.juli.FileHandler.level = FINE
+2localhost.org.apache.juli.FileHandler.directory = ${catalina.base}/logs
+2localhost.org.apache.juli.FileHandler.prefix = localhost.
+
+3manager.org.apache.juli.FileHandler.level = FINE
+3manager.org.apache.juli.FileHandler.directory = ${catalina.base}/logs
+3manager.org.apache.juli.FileHandler.prefix = manager.
+
+4host-manager.org.apache.juli.FileHandler.level = FINE
+4host-manager.org.apache.juli.FileHandler.directory = ${catalina.base}/logs
+4host-manager.org.apache.juli.FileHandler.prefix = host-manager.
+
+java.util.logging.ConsoleHandler.level = FINE
+java.util.logging.ConsoleHandler.formatter = java.util.logging.SimpleFormatter
+
+
+############################################################
+# Facility specific properties.
+# Provides extra control for each logger.
+############################################################
+
+org.apache.catalina.core.ContainerBase.[Catalina].[localhost].level = INFO
+org.apache.catalina.core.ContainerBase.[Catalina].[localhost].handlers = 2localhost.org.apache.juli.FileHandler
+
+org.apache.catalina.core.ContainerBase.[Catalina].[localhost].[/manager].level = INFO
+org.apache.catalina.core.ContainerBase.[Catalina].[localhost].[/manager].handlers = 3manager.org.apache.juli.FileHandler
+
+org.apache.catalina.core.ContainerBase.[Catalina].[localhost].[/host-manager].level = INFO
+org.apache.catalina.core.ContainerBase.[Catalina].[localhost].[/host-manager].handlers = 4host-manager.org.apache.juli.FileHandler
+
+# For example, set the org.apache.catalina.util.LifecycleBase logger to log
+# each component that extends LifecycleBase changing state:
+#org.apache.catalina.util.LifecycleBase.level = FINE
+
+# To see debug messages in TldLocationsCache, uncomment the following line:
+#org.apache.jasper.compiler.TldLocationsCache.level = FINE
diff --git a/base/common/shared/conf/server.xml b/base/common/shared/conf/server.xml
new file mode 100644
index 000000000..d5788552c
--- /dev/null
+++ b/base/common/shared/conf/server.xml
@@ -0,0 +1,304 @@ +<?xml version='1.0' encoding='utf-8'?> +<!-- BEGIN COPYRIGHT BLOCK + Copyright (C) 2012 Red Hat, Inc. + All rights reserved. + Modifications: configuration parameters + END COPYRIGHT BLOCK --> +<!-- + Licensed to the Apache Software Foundation (ASF) under one or more + contributor license agreements. See the NOTICE file distributed with + this work for additional information regarding copyright ownership. + The ASF licenses this file to You under the Apache License, Version 2.0 + (the "License"); you may not use this file except in compliance with + the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. +--> +<!-- Note: A "Server" is not itself a "Container", so you may not + define subcomponents such as "Valves" at this level. 
+ Documentation at /docs/config/server.html +--> + +<!-- DO NOT REMOVE - Begin PKI Status Definitions --> +<!-- CA Status Definitions --> +<!-- +Unsecure Port = http://[PKI_MACHINE_NAME]:[PKI_UNSECURE_PORT]/ca/ee/ca +Secure Agent Port = https://[PKI_MACHINE_NAME]:[PKI_AGENT_SECURE_PORT]/ca/agent/ca +Secure EE Port = https://[PKI_MACHINE_NAME]:[PKI_EE_SECURE_PORT]/ca/ee/ca +Secure Admin Port = https://[PKI_MACHINE_NAME]:[PKI_ADMIN_SECURE_PORT]/ca/services +EE Client Auth Port = https://[PKI_MACHINE_NAME]:[PKI_EE_SECURE_CLIENT_AUTH_PORT]/ca/eeca/ca +PKI Console Port = pkiconsole https://[PKI_MACHINE_NAME]:[PKI_ADMIN_SECURE_PORT]/ca +Tomcat Port = [TOMCAT_SERVER_PORT] (for shutdown) +--> +<!-- KRA Status Definitions --> +<!-- +Unsecure Port = http://[PKI_MACHINE_NAME]:[PKI_UNSECURE_PORT]/kra/ee/kra +Secure Agent Port = https://[PKI_MACHINE_NAME]:[PKI_AGENT_SECURE_PORT]/kra/agent/kra +Secure EE Port = https://[PKI_MACHINE_NAME]:[PKI_EE_SECURE_PORT]/kra/ee/kra +Secure Admin Port = https://[PKI_MACHINE_NAME]:[PKI_ADMIN_SECURE_PORT]/kra/services +PKI Console Port = pkiconsole https://[PKI_MACHINE_NAME]:[PKI_ADMIN_SECURE_PORT]/kra +Tomcat Port = [TOMCAT_SERVER_PORT] (for shutdown) +--> +<!-- OCSP Status Definitions --> +<!-- +Unsecure Port = http://[PKI_MACHINE_NAME]:[PKI_UNSECURE_PORT]/ocsp/ee/ocsp +Secure Agent Port = https://[PKI_MACHINE_NAME]:[PKI_AGENT_SECURE_PORT]/ocsp/agent/ocsp +Secure EE Port = https://[PKI_MACHINE_NAME]:[PKI_EE_SECURE_PORT]/ocsp/ee/ocsp +Secure Admin Port = https://[PKI_MACHINE_NAME]:[PKI_ADMIN_SECURE_PORT]/ocsp/services +PKI Console Port = pkiconsole https://[PKI_MACHINE_NAME]:[PKI_ADMIN_SECURE_PORT]/ocsp +Tomcat Port = [TOMCAT_SERVER_PORT] (for shutdown) +--> +<!-- TKS Status Definitions --> +<!-- +Unsecure Port = http://[PKI_MACHINE_NAME]:[PKI_UNSECURE_PORT]/tks/ee/tks +Secure Agent Port = https://[PKI_MACHINE_NAME]:[PKI_AGENT_SECURE_PORT]/tks/agent/tks +Secure EE Port = https://[PKI_MACHINE_NAME]:[PKI_EE_SECURE_PORT]/tks/ee/tks +Secure Admin 
Port = https://[PKI_MACHINE_NAME]:[PKI_ADMIN_SECURE_PORT]/tks/services +PKI Console Port = pkiconsole https://[PKI_MACHINE_NAME]:[PKI_ADMIN_SECURE_PORT]/tks +Tomcat Port = [TOMCAT_SERVER_PORT] (for shutdown) +--> +<!-- DO NOT REMOVE - End PKI Status Definitions --> + +<Server port="[TOMCAT_SERVER_PORT]" shutdown="SHUTDOWN"> + + <!--APR library loader. Documentation at /docs/apr.html --> + <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" /> + <!--Initialize Jasper prior to webapps are loaded. Documentation at /docs/jasper-howto.html --> + <Listener className="org.apache.catalina.core.JasperListener" /> + <!-- JMX Support for the Tomcat server. Documentation at /docs/non-existent.html --> + <!-- The following class has been commented out because it --> + <!-- has been EXCLUDED from the Tomcat 7 'tomcat-lib' RPM! --> + <!-- Listener className="org.apache.catalina.mbeans.ServerLifecycleListener" --> + <Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener" /> + + <!-- Global JNDI resources + Documentation at /docs/jndi-resources-howto.html + --> + <GlobalNamingResources> + <!-- Editable user database that can also be used by + UserDatabaseRealm to authenticate users + --> + <Resource name="UserDatabase" auth="Container" + type="org.apache.catalina.UserDatabase" + description="User database that can be updated and saved" + factory="org.apache.catalina.users.MemoryUserDatabaseFactory" + pathname="conf/tomcat-users.xml" /> + </GlobalNamingResources> + + <!-- A "Service" is a collection of one or more "Connectors" that share + a single "Container" Note: A "Service" is not itself a "Container", + so you may not define subcomponents such as "Valves" at this level. 
+ Documentation at /docs/config/service.html + --> + <Service name="Catalina"> + + <!--The connectors can use a shared executor, you can define one or more named thread pools--> + <!-- + <Executor name="tomcatThreadPool" namePrefix="catalina-exec-" + maxThreads="150" minSpareThreads="4"/> + --> + + + <!-- A "Connector" represents an endpoint by which requests are received + and responses are returned. Documentation at : + Java HTTP Connector: /docs/config/http.html (blocking & non-blocking) + Java AJP Connector: /docs/config/ajp.html + APR (HTTP/AJP) Connector: /docs/apr.html + Define a non-SSL HTTP/1.1 Connector on port 8080 + --> + + [PKI_UNSECURE_PORT_SERVER_COMMENT] + <Connector name="[PKI_UNSECURE_PORT_CONNECTOR_NAME]" port="[PKI_UNSECURE_PORT]" protocol="HTTP/1.1" redirectPort="8443" + maxHttpHeaderSize="8192" + acceptCount="100" maxThreads="150" minSpareThreads="25" maxSpareThreads="75" + enableLookups="false" connectionTimeout="20000" disableUploadTimeout="true" + /> + + <!-- Define a SSL HTTP/1.1 Connector on port 8443 --> + [PKI_SECURE_PORT_SERVER_COMMENT] + <!-- DO NOT REMOVE - Begin define PKI secure port + 1 + NOTE: The OCSP settings take effect globally, so it should only be set once. + + In setup where SSL clientAuth="true", OCSP can be turned on by + setting enableOCSP to true like the following: + enableOCSP="true" + along with changes to related settings, especially: + ocspResponderURL=<see example in connector definition below> + ocspResponderCertNickname=<see example in connector definition below> + Here are the definition to all the OCSP-related settings: + enableOCSP - turns on/off the ocsp check + ocspResponderURL - sets the url where the ocsp requests are sent + ocspResponderCertNickname - sets the nickname of the cert that is + either CA's signing certificate or the OCSP server's signing + certificate. + The CA's signing certificate should already be in the db, in + case of the same security domain. 
+ In case of an ocsp signing certificate, one must import the cert + into the subsystem's nss db and set trust. e.g.: + certutil -d . -A -n "ocspSigningCert cert-pki-ca" -t "C,," -a -i ocspCert.b64 + ocspCacheSize - sets max cache entries + ocspMinCacheEntryDuration - sets minimum seconds to next fetch attempt + ocspMaxCacheEntryDuration - sets maximum seconds to next fetch attempt + ocspTimeout -sets OCSP timeout in seconds + --> + <Connector name="[PKI_SECURE_PORT_CONNECTOR_NAME]" port="[PKI_SECURE_PORT]" protocol="HTTP/1.1" SSLEnabled="true" sslProtocol="SSL" scheme="https" secure="true" + maxHttpHeaderSize="8192" + acceptCount="100" maxThreads="150" minSpareThreads="25" maxSpareThreads="75" + enableLookups="false" disableUploadTimeout="true" + SSLImplementation="org.apache.tomcat.util.net.jss.JSSImplementation" + enableOCSP="false" + ocspResponderURL="http://[PKI_MACHINE_NAME]:9080/ca/ocsp" + ocspResponderCertNickname="ocspSigningCert cert-pki-ca" + ocspCacheSize="1000" + ocspMinCacheEntryDuration="60" + ocspMaxCacheEntryDuration="120" + ocspTimeout="10" + strictCiphers="false" + clientAuth="[PKI_AGENT_CLIENTAUTH]" + sslOptions="[TOMCAT_SSL_OPTIONS]" + ssl2Ciphers="[TOMCAT_SSL2_CIPHERS]" + ssl3Ciphers="[TOMCAT_SSL3_CIPHERS]" + tlsCiphers="[TOMCAT_TLS_CIPHERS]" + serverCertNickFile="[PKI_INSTANCE_PATH]/conf/serverCertNick.conf" + passwordFile="[PKI_INSTANCE_PATH]/conf/password.conf" + passwordClass="org.apache.tomcat.util.net.jss.PlainPasswordFile" + certdbDir="[PKI_INSTANCE_PATH]/alias" + /> + <!-- DO NOT REMOVE - End define PKI secure port --> + + <!-- A "Connector" using the shared thread pool--> + <!-- + <Connector executor="tomcatThreadPool" + port="8080" protocol="HTTP/1.1" + connectionTimeout="20000" + redirectPort="8443" /> + --> + <!-- Define a SSL HTTP/1.1 Connector on port 8443 + This connector uses the JSSE configuration, when using APR, the + connector should be using the OpenSSL style configuration + described in the APR documentation --> + <!-- + 
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" + maxThreads="150" scheme="https" secure="true" + clientAuth="false" sslProtocol="TLS" /> + --> + + <!-- Define an AJP 1.3 Connector on port [PKI_AJP_PORT] --> +[PKI_OPEN_AJP_PORT_COMMENT] + <Connector port="[PKI_AJP_PORT]" protocol="AJP/1.3" redirectPort="[PKI_AJP_REDIRECT_PORT]" /> +[PKI_CLOSE_AJP_PORT_COMMENT] + + + <!-- An Engine represents the entry point (within Catalina) that processes + every request. The Engine implementation for Tomcat stand alone + analyzes the HTTP headers included with the request, and passes them + on to the appropriate Host (virtual host). + Documentation at /docs/config/engine.html --> + + <!-- You should set jvmRoute to support load-balancing via AJP ie : + <Engine name="Catalina" defaultHost="localhost" jvmRoute="jvm1"> + --> + <Engine name="Catalina" defaultHost="localhost"> + + <!--For clustering, please take a look at documentation at: + /docs/cluster-howto.html (simple how to) + /docs/config/cluster.html (reference documentation) --> + <!-- + <Cluster className="org.apache.catalina.ha.tcp.SimpleTcpCluster"/> + --> + + <!-- The request dumper valve dumps useful debugging information about + the request and response data received and sent by Tomcat. + Documentation at: /docs/config/valve.html --> + <!-- + <Valve className="org.apache.catalina.valves.RequestDumperValve"/> + --> + + <!-- This Realm uses the UserDatabase configured in the global JNDI + resources under the key "UserDatabase". Any edits + that are performed against this UserDatabase are immediately + available for use by the Realm. 
--> + + <!-- + <Realm className="org.apache.catalina.realm.UserDatabaseRealm" + resourceName="UserDatabase"/> + --> + + <!-- Custom PKIJNDI realm + + Example: + + <Realm className="com.netscape.cmscore.realm.PKIJNDIRealm" : classpath to realm + connectionURL="ldap://localhost:389" : standard JNDI connection URL + userBase="ou=people,dc=localhost-pki-kra" : standard JNDI userBase property + userSearch="(description={0})" : Attribute to search for user of incoming client auth certificate + : Use userSearch="(UID={0})" if wanting to search isolate user based on UID + : Also set the following: certUIDLabel="UID" or whatever the field containing + : the user's UID happens to be. This will cause the incoming's cert dn to be + : be searched for <certUIDLabel>=<uid value> + + certAttrName="userCertificate" : Attribute containing user's client auth certificate + roleBase="ou=groups,dc=localhost-pki-kra" : Standard JNDI search base for roles or groups + roleName="cn" : Standard attribute name containg roles or groups + roleSubtree="true" : Standard JNDI roleSubtree property + roleSearch="(uniqueMember={0})" : How to search for a user in a specific role or group + connectionName="cn=Directory Manager" : Connection name, needs elevated privileges + connectionPassword="secret123" : Password for elevated user + aclBase ="cn=aclResources,dc=localhost-pki-kra" : Custom base location of PKI ACL's in directory + aclAttrName="resourceACLS" : Name of attribute containing PKI ACL's + /> + + Uncomment and customize below to activate Realm. + Also umcomment Security Constraints and login config values + in WEB-INF/web.xml as well. 
+ --> + + <!-- + <Realm className="com.netscape.cmscore.realm.PKIJNDIRealm" + connectionURL="ldap://localhost:389" + userBase="ou=people,dc=localhost-pki-kra" + userSearch="(description={0})" + certAttrName="userCertificate" + roleBase="ou=groups,dc=localhost-pki-kra" + roleName="cn" + roleSubtree="true" + roleSearch="(uniqueMember={0})" + connectionName="cn=Directory Manager" + connectionPassword="netscape" + aclBase ="cn=aclResources,dc=localhost-pki-kra" + aclAttrName="resourceACLS" + /> + + --> + + <!-- Define the default virtual host + Note: XML Schema validation will not work with Xerces 2.2. + --> + <Host name="localhost" appBase="webapps" + unpackWARs="true" autoDeploy="false" + xmlValidation="false" xmlNamespaceAware="false"> + + <!-- SingleSignOn valve, share authentication between web applications + Documentation at: /docs/config/valve.html --> + <!-- + <Valve className="org.apache.catalina.authenticator.SingleSignOn" /> + --> + + <!-- Access log processes all example. + Documentation at: /docs/config/valve.html --> + <!-- + <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs" + prefix="localhost_access_log." suffix=".txt" pattern="common" resolveHosts="false"/> + --> + + </Host> + </Engine> + </Service> +</Server> diff --git a/base/common/shared/conf/tomcat-users.xml b/base/common/shared/conf/tomcat-users.xml new file mode 100644 index 000000000..f84711c0b --- /dev/null +++ b/base/common/shared/conf/tomcat-users.xml 
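Review bot: The `AccessLogValve` under `<Host>` is left commented out, so a deployed instance writes no per-request access log for either connector; for a CA/KRA/OCSP endpoint that log is the primary record an incident responder has, so I would ship it active (`<Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs" prefix="localhost_access_log." suffix=".txt" pattern="common" resolveHosts="false"/>`) rather than as a sample. On the secure connector, `sslProtocol="SSL"` together with `strictCiphers="false"` and the `[TOMCAT_SSL2_CIPHERS]`/`[TOMCAT_SSL3_CIPHERS]` slots means the protocol and cipher floor is decided entirely by what the deployment tool substitutes, which deserves a comment on the connector naming the slot values that constitute the hardened default. The sample `PKIJNDIRealm` block binds as `cn=Directory Manager` with a literal `connectionPassword`; even inside a comment, a template that invites a plaintext directory-manager password into server.xml should carry a note pointing at the instance password file mechanism the connector already uses via `passwordFile`.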
@@ -0,0 +1,62 @@
+<?xml version='1.0' encoding='utf-8'?>
+<!-- BEGIN COPYRIGHT BLOCK
+ Copyright (C) 2012 Red Hat, Inc.
+ All rights reserved.
+ Modifications: configuration parameters
+ END COPYRIGHT BLOCK
+-->
+
+<!--
+ Licensed to the Apache Software Foundation (ASF) under one or more
+ contributor license agreements. See the NOTICE file distributed with
+ this work for additional information regarding copyright ownership.
+ The ASF licenses this file to You under the Apache License, Version 2.0
+ (the "License"); you may not use this file except in compliance with
+ the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+-->
+<tomcat-users>
+<!--
+ NOTE: By default, no user is included in the "manager-gui" role required
+ to operate the "/manager/html" web application. If you wish to use this app,
+ you must define such a user - the username and password are arbitrary.
+-->
+<!--
+ NOTE: The sample user and role entries below are wrapped in a comment
+ and thus are ignored when reading this file. Do not forget to remove
+ <!.. ..> that surrounds them.
+-->
+<!--
+ <role rolename="tomcat"/>
+ <role rolename="role1"/>
+ <user username="tomcat" password="tomcat" roles="tomcat"/>
+ <user username="both" password="tomcat" roles="tomcat,role1"/>
+ <user username="role1" password="tomcat" roles="role1"/>
+-->
+
+ <role rolename="pkiuser"/>
+ <role rolename="tomcat"/>
+ <role rolename="manager"/>
+ <role rolename="admin"/>
+
+ <user username="pkiuser" password="pkiuser" roles="pkiuser"/>
+ <user username="tomcat" password="tomcat" roles="tomcat"/>
+ <user username="admin" password="netscape" roles="admin,manager"/>
+
+<!-- <role rolename="admin"/> -->
+<!-- <role rolename="admin-gui"/> -->
+<!-- <role rolename="admin-script"/> -->
+<!-- <role rolename="manager"/> -->
+<!-- <role rolename="manager-gui"/> -->
+<!-- <role rolename="manager-script"/> -->
+<!-- <role rolename="manager-jmx"/> -->
+<!-- <role rolename="manager-status"/> -->
+<!-- <user name="admin" password="adminadmin" roles="admin,manager,admin-gui,admin-script,manager-gui,manager-script,manager-jmx,manager-status" /> -->
+</tomcat-users>
diff --git a/base/ca/shared/conf/tomcat.conf b/base/common/shared/conf/tomcat.conf
index 92af5f8b9..aa7fefd19 100644
--- a/base/ca/shared/conf/tomcat.conf
+++ b/base/common/shared/conf/tomcat.conf
@@ -1,3 +1,9 @@
+# --- BEGIN COPYRIGHT BLOCK ---
+# Copyright (C) 2012 Red Hat, Inc.
+# All rights reserved.
+# Modifications: configuration parameters
+# --- END COPYRIGHT BLOCK ---
+
 # System-wide configuration file for tomcat services
 # This will be sourced by tomcat and any secondary service
 # Values will be overridden by service-specific configuration
diff --git a/base/common/shared/lib/systemd/system/pki-tomcatd.target b/base/common/shared/lib/systemd/system/pki-tomcatd.target
new file mode 100644
index 000000000..633beae71
--- /dev/null
+++ b/base/common/shared/lib/systemd/system/pki-tomcatd.target
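Review bot: The three live `<user>` entries ship well-known plaintext credentials (`pkiuser`/`pkiuser`, `tomcat`/`tomcat`, and `admin`/`netscape` with `admin,manager` roles) into every installed instance. In the server.xml added by this same commit the `UserDatabaseRealm` that would consume them is commented out, so they are inert today, but the file is still wired in as the `UserDatabase` JNDI resource and becomes a working credential store the moment someone uncomments that realm. I would ship the file with no active `<user>` lines (move the three into the existing sample comment block) or have the deployment tool generate per-instance passwords, and add a header comment stating that no default users are intended so a later editor does not "restore" them.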
@@ -0,0 +1,8 @@
+[Unit]
+Description=PKI Tomcat Server
+After=syslog.target network.target
+
+[Install]
+WantedBy=multi-user.target
+
+
diff --git a/base/common/shared/lib/systemd/system/pki-tomcatd@.service b/base/common/shared/lib/systemd/system/pki-tomcatd@.service
new file mode 100644
index 000000000..12bcf75a0
--- /dev/null
+++ b/base/common/shared/lib/systemd/system/pki-tomcatd@.service
@@ -0,0 +1,13 @@
+[Unit]
+Description=PKI Tomcat Server %i
+After=pki-tomcatd.target
+BindTo=pki-tomcatd.target
+
+[Service]
+Type=forking
+ExecStart=/usr/bin/pkidaemon start tomcat %i
+ExecStop=/usr/bin/pkidaemon stop tomcat %i
+
+[Install]
+WantedBy=multi-user.target
+
diff --git a/base/deploy/CMakeLists.txt b/base/deploy/CMakeLists.txt
index 44705818c..c7c4bd19b 100644
--- a/base/deploy/CMakeLists.txt
+++ b/base/deploy/CMakeLists.txt
@@ -23,6 +23,7 @@ set(APACHE_SUBSYSTEMS
 install(
 FILES
+ scripts/pkidaemon
 src/pkispawn
 src/pkidestroy
 DESTINATION
@@ -35,6 +36,17 @@ install(
 install(
 FILES
+ scripts/operations
+ DESTINATION
+ ${DATA_INSTALL_DIR}/scripts/
+ PERMISSIONS
+ OWNER_EXECUTE OWNER_WRITE OWNER_READ
+ GROUP_EXECUTE GROUP_READ
+ WORLD_EXECUTE WORLD_READ
+)
+
+install(
+ FILES
 config/pkideployment.cfg
 config/pkislots.cfg
 DESTINATION
@@ -97,8 +109,8 @@ install(
 )
 # install empty directories
-#install(CODE "file(MAKE_DIRECTORY \$ENV{DESTDIR}${VAR_INSTALL_DIR}/lock/pki)")
-#install(CODE "file(MAKE_DIRECTORY \$ENV{DESTDIR}${VAR_INSTALL_DIR}/run/pki)")
+install(CODE "file(MAKE_DIRECTORY \$ENV{DESTDIR}${VAR_INSTALL_DIR}/lock/pki)")
+install(CODE "file(MAKE_DIRECTORY \$ENV{DESTDIR}${VAR_INSTALL_DIR}/run/pki)")
 # install subsystem directories for pkispawn and pkidestroy
 foreach(PKI_SUBSYSTEM ${PKI_SUBSYSTEMS})
diff --git a/base/deploy/config/pkideployment.cfg b/base/deploy/config/pkideployment.cfg
index c9c356043..dd688ed09 100644
--- a/base/deploy/config/pkideployment.cfg
+++ b/base/deploy/config/pkideployment.cfg
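Review bot: `Type=forking` is used without a `PIDFile=`, so systemd has to guess which process `/usr/bin/pkidaemon start tomcat %i` leaves behind as the main PID; when that guess is wrong the unit can report active while Tomcat is dead, and `ExecStop` becomes the only thing that will ever stop it. Add `PIDFile=<path of the instance pid file that pkidaemon writes>` next to `Type=forking` — the pid file location is decided on the pkidaemon/registry side, not in this unit, so it needs to be threaded through to here. Later systemd releases document this directive as `BindsTo=` and keep `BindTo=` only as an alias; confirm which spelling the target platform accepts before relying on the old one in a new file. The unit also sets no `User=`, so it is presumably pkidaemon that drops to the PKI user — a one-line comment saying so would tell an operator where the privilege boundary is.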
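Review bot: The newly enabled `install(CODE "file(MAKE_DIRECTORY ...)")` lines create `${VAR_INSTALL_DIR}/lock/pki` and `${VAR_INSTALL_DIR}/run/pki` with whatever mode and owner the installing process happens to have, and on distributions where `/run` is a tmpfs a directory created at install time is gone after the first reboot, so the daemon will find it missing. A `tmpfiles.d` fragment installed alongside the systemd units (or creation by pkidaemon at start) is the durable fix; at minimum a comment above these two lines should say who is expected to recreate them and with what ownership. The `scripts/operations` install block grants `WORLD_EXECUTE` to a file that, judging by the `${DATA_INSTALL_DIR}/scripts/` destination and the undefined `$command`/`$SYSTEMD` variables it reads, is sourced by pkidaemon rather than executed; read-only permissions would be sufficient there if that is indeed how it is used.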
@@ -15,23 +15,20 @@ pki_ajp_port=8009
 pki_proxy_http_port=80
 pki_proxy_https_port=443
 pki_security_manager=true
+pki_tomcat_server_port=8005
 [CA]
 pki_subsystem=CA
 pki_war_name=ca.war
-pki_tomcat_server_port=9701
 [KRA]
 pki_subsystem=KRA
 pki_war_name=kra.war
-pki_tomcat_server_port=10701
 [OCSP]
 pki_subsystem=OCSP
 pki_war_name=ocsp.war
-pki_tomcat_server_port=11701
 [RA]
 pki_subsystem=RA
 [TKS]
 pki_subsystem=TKS
 pki_war_name=tks.war
-pki_tomcat_server_port=13701
 [TPS]
 pki_subsystem=TPS
diff --git a/base/deploy/config/pkislots.cfg b/base/deploy/config/pkislots.cfg
index b04b8efa0..b6c40ebe3 100644
--- a/base/deploy/config/pkislots.cfg
+++ b/base/deploy/config/pkislots.cfg
@@ -15,6 +15,7 @@ PKI_INSTANCE_INITSCRIPT_SLOT=[PKI_INSTANCE_INITSCRIPT]
 PKI_LOCKDIR_SLOT=[PKI_LOCKDIR]
 PKI_PIDDIR_SLOT=[PKI_PIDDIR]
 PKI_REGISTRY_FILE_SLOT=[PKI_REGISTRY_FILE]
+PKI_WEB_SERVER_TYPE_SLOT=[PKI_WEB_SERVER_TYPE]
 PORT_SLOT=[PORT]
 PROCESS_ID_SLOT=[PROCESS_ID]
 REQUIRE_CFG_PL_SLOT=[REQUIRE_CFG_PL]
@@ -48,7 +49,6 @@ PKI_EE_SECURE_CLIENT_AUTH_PORT_UI_SLOT=[PKI_EE_SECURE_CLIENT_AUTH_PORT_UI]
 PKI_EE_SECURE_PORT_SLOT=[PKI_EE_SECURE_PORT]
 PKI_EE_SECURE_PORT_CONNECTOR_NAME_SLOT=[PKI_EE_SECURE_PORT_CONNECTOR_NAME]
 PKI_EE_SECURE_PORT_SERVER_COMMENT_SLOT=[PKI_EE_SECURE_PORT_SERVER_COMMENT]
-PKI_FLAVOR_SLOT=[PKI_FLAVOR]
 PKI_GROUP_SLOT=[PKI_GROUP]
 PKI_INSTANCE_ID_SLOT=[PKI_INSTANCE_ID]
 PKI_INSTANCE_INITSCRIPT_SLOT=[PKI_INSTANCE_INITSCRIPT]
@@ -76,6 +76,7 @@ PKI_UNSECURE_PORT_SLOT=[PKI_UNSECURE_PORT]
 PKI_UNSECURE_PORT_CONNECTOR_NAME_SLOT=[PKI_UNSECURE_PORT_CONNECTOR_NAME]
 PKI_UNSECURE_PORT_SERVER_COMMENT_SLOT=[PKI_UNSECURE_PORT_SERVER_COMMENT]
 PKI_USER_SLOT=[PKI_USER]
+PKI_WEB_SERVER_TYPE_SLOT=[PKI_WEB_SERVER_TYPE]
 PKI_WEBAPPS_NAME_SLOT=[PKI_WEBAPPS_NAME]
 TOMCAT_CFG_SLOT=[TOMCAT_CFG]
 TOMCAT_INSTANCE_COMMON_LIB_SLOT=[TOMCAT_INSTANCE_COMMON_LIB]
diff --git a/base/deploy/scripts/operations b/base/deploy/scripts/operations
new file mode 100644
index 000000000..ea7527f31
--- /dev/null
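Review bot: Moving `pki_tomcat_server_port=8005` into the shared defaults and deleting the distinct per-subsystem values (9701, 10701, 11701, 13701) means every Tomcat instance on a host now defaults to the same shutdown port, so a second instance fails to bind it, and 8005 is the stock Tomcat default that pairs with the literal `shutdown="SHUTDOWN"` string in the new server.xml. If the intent is a single Tomcat instance hosting all subsystems, a comment next to the key should say so; otherwise the deployer has to allocate a per-instance value, or set `-1` to disable the shutdown listener, which is the usual hardening. Either way the key deserves a comment noting that the shutdown listener accepts a plain-text command on loopback, so it should be disabled or given an instance-specific port rather than left at the well-known default.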
+++ b/base/deploy/scripts/operations 
@@ -0,0 +1,1155 @@ +#!/bin/bash -X + +# From "http://fedoraproject.org/wiki/FCNewInit/Initscripts": +# +# Status Exit Codes +# +# 0 program is running or service is OK +# 1 program is dead and /var/run pid file exists +# 2 program is dead and /var/lock lock file exists +# 3 program is not running +# 4 program or service status is unknown +# 5-99 reserved for future LSB use +# 100-149 reserved for distribution use +# 150-199 reserved for application use +# 200-254 reserved +# +# Non-Status Exit Codes +# +# 0 action was successful +# 1 generic or unspecified error (current practice) +# 2 invalid or excess argument(s) +# 3 unimplemented feature (for example, "reload") +# 4 user had insufficient privilege +# 5 program is not installed +# 6 program is not configured +# 7 program is not running +# 8-99 reserved for future LSB use +# 100-149 reserved for distribution use +# 150-199 reserved for application use +# 200-254 reserved +# + +# PKI subsystem-level directory and file values for locks +lockfile="/var/lock/subsys/${SERVICE_NAME}" + +default_error=0 + +case $command in + start|stop|restart|condrestart|force-restart|try-restart) + # 1 generic or unspecified error (current practice) + default_error=1 + ;; + reload) + default_error=3 + ;; + status) + # 4 program or service status is unknown + default_error=4 + ;; + *) + # 2 invalid argument(s) + default_error=2 + ;; +esac + +# Enable nullglob, if set then shell pattern globs which do not match any +# file returns the empty string rather than the unmodified glob pattern. +shopt -s nullglob + +OS=`uname -s` +ARCHITECTURE=`uname -i` + +# Check to insure that this script's original invocation directory +# has not been deleted! +CWD=`/bin/pwd > /dev/null 2>&1` +if [ $? -ne 0 ] ; then + echo "Cannot invoke '$PROG_NAME' from non-existent directory!" + exit ${default_error} +fi + +# Check to insure that this script's associated PKI +# subsystem currently resides on this system. 
+PKI_CA_PATH="/usr/share/pki/ca" +PKI_KRA_PATH="/usr/share/pki/kra" +PKI_OCSP_PATH="/usr/share/pki/ocsp" +PKI_RA_PATH="/usr/share/pki/ra" +PKI_TKS_PATH="/usr/share/pki/tks" +PKI_TPS_PATH="/usr/share/pki/tps" +if [ '${PKI_TYPE}' == "apache" ] ; then + if [ ! -d ${PKI_RA_PATH} ] && + [ ! -d ${PKI_TPS_PATH} ] ; then + echo "This machine is missing all PKI '${PKI_TYPE}' subsystems!" + if [ "${command}" != "status" ]; then + # 5 program is not installed + exit 5 + else + exit ${default_error} + fi + fi +elif [ '${PKI_TYPE}' == "tomcat" ] ; then + if [ ! -d ${PKI_CA_PATH} ] && + [ ! -d ${PKI_KRA_PATH} ] && + [ ! -d ${PKI_OCSP_PATH} ] && + [ ! -d ${PKI_TKS_PATH} ] ; then + echo "This machine is missing all PKI '${PKI_TYPE}' subsystems!" + if [ "${command}" != "status" ]; then + # 5 program is not installed + exit 5 + else + exit ${default_error} + fi + fi +fi + +# This script must be run as root! +RV=0 +if [ `id -u` -ne 0 ] ; then + echo "Must be 'root' to execute '$PROG_NAME'!" + if [ "${command}" != "status" ]; then + # 4 user had insufficient privilege + exit 4 + else + # 4 program or service status is unknown + exit 4 + fi +fi + +PKI_REGISTRY_ENTRIES="" +TOTAL_PKI_REGISTRY_ENTRIES=0 +TOTAL_UNCONFIGURED_PKI_ENTRIES=0 + +# Gather ALL registered instances of this PKI web server type +for INSTANCE in ${PKI_REGISTRY}/*; do + if [ -d "$INSTANCE" ] ; then + for REGISTRY in ${INSTANCE}/*; do + if [ -f "$REGISTRY" ] ; then + PKI_REGISTRY_ENTRIES="${PKI_REGISTRY_ENTRIES} $REGISTRY" + TOTAL_PKI_REGISTRY_ENTRIES=`expr ${TOTAL_PKI_REGISTRY_ENTRIES} + 1` + fi + done + fi +done + +# Execute the specified registered instance of this PKI web server type +if [ -n "${pki_instance_id}" ]; then + for INSTANCE in ${PKI_REGISTRY_ENTRIES}; do + if [ "${PKI_REGISTRY}/${pki_instance_id}" = "$INSTANCE" ]; then + PKI_REGISTRY_ENTRIES="${PKI_REGISTRY}/${pki_instance_id}" + TOTAL_PKI_REGISTRY_ENTRIES=1 + break + fi + done +fi + +usage() +{ + echo -n "Usage: ${SERVICE_PROG} ${SERVICE_NAME}" + echo 
-n "{start" + echo -n "|stop" + echo -n "|restart" + echo -n "|condrestart" + echo -n "|force-restart" + echo -n "|try-restart" + echo -n "|reload" + echo -n "|status} " + echo -n "[instance-name]" + echo + echo +} + +usage_systemd() +{ + echo -n "Usage: /usr/bin/pkidaemon " + echo -n "{start" + echo -n "|stop" + echo -n "|restart" + echo -n "|condrestart" + echo -n "|force-restart" + echo -n "|try-restart" + echo -n "|reload" + echo -n "|status} " + echo -n "subsystem-type " + echo -n "[instance-name]" + echo + echo +} + + +list_instances() +{ + echo + for PKI_REGISTRY_ENTRY in $PKI_REGISTRY_ENTRIES; do + instance_name=`basename $PKI_REGISTRY_ENTRY` + echo " $instance_name" + done + echo +} + +# Check arguments +if [ $SYSTEMD ]; then + if [ $# -lt 2 ] ; then + # [insufficient arguments] + echo "$PROG_NAME: Insufficient arguments!" + echo + usage_systemd + echo "where valid instance names include:" + list_instances + exit 3 + elif [ ${default_error} -eq 2 ] ; then + # 2 invalid argument + echo "$PROG_NAME: Invalid arguments!" + echo + usage_systemd + echo "where valid instance names include:" + list_instances + exit 2 + elif [ $# -gt 3 ] ; then + echo "$PROG_NAME: Excess arguments!" + echo + usage_systemd + echo "where valid instance names include:" + list_instances + if [ "${command}" != "status" ]; then + # 2 excess arguments + exit 2 + else + # 4 program or service status is unknown + exit 4 + fi + fi +else + if [ $# -lt 1 ] ; then + # 3 unimplemented feature (for example, "reload") + # [insufficient arguments] + echo "$PROG_NAME: Insufficient arguments!" + echo + usage + echo "where valid instance names include:" + list_instances + exit 3 + elif [ ${default_error} -eq 2 ] ; then + # 2 invalid argument + echo "$PROG_NAME: Invalid arguments!" + echo + usage + echo "where valid instance names include:" + list_instances + exit 2 + elif [ $# -gt 2 ] ; then + echo "$PROG_NAME: Excess arguments!" 
+ echo + usage + echo "where valid instance names include:" + list_instances + if [ "${command}" != "status" ]; then + # 2 excess arguments + exit 2 + else + # 4 program or service status is unknown + exit 4 + fi + fi +fi + +# If an "instance" was supplied, check that it is a "valid" instance +if [ -n "${pki_instance_id}" ]; then + valid=0 + for PKI_REGISTRY_ENTRY in $PKI_REGISTRY_ENTRIES; do + instance_name=`basename $PKI_REGISTRY_ENTRY` + if [ "${pki_instance_id}" == "${instance_name}" ]; then + valid=1 + break + fi + done + if [ $valid -eq 0 ]; then + echo -n "${pki_instance_id} is an invalid '${PKI_TYPE}' instance" + if [ ! $SYSTEMD ]; then + echo_failure + fi + echo + + if [ "${command}" != "status" ]; then + # 5 program is not installed + exit 5 + else + # 4 program or service status is unknown + exit 4 + fi + fi +fi + +check_pki_configuration_status() +{ + rv=0 + + case ${PKI_WEB_SERVER_TYPE} in + tomcat) + for SUBSYSTEM in ca kra ocsp tks; do + if [ -d ${PKI_INSTANCE_PATH}/conf/${SUBSYSTEM} ]; then + rv=`grep -c ^preop ${PKI_INSTANCE_PATH}/conf/${SUBSYSTEM}/CS.cfg` + rv=`expr ${rv} + 0` + fi + done + ;; + apache) + # TBD + ;; + *) + echo "Unknown web server type ($PKI_WEB_SERVER_TYPE)" + exit ${default_error} + ;; + esac + + if [ $rv -ne 0 ] ; then + echo " '${PKI_INSTANCE_ID}' must still be CONFIGURED!" + echo " (see /var/log/${PKI_INSTANCE_ID}-install.log)" + if [ "${command}" != "status" ]; then + # 6 program is not configured + rv=6 + else + # 4 program or service status is unknown + rv=4 + fi + TOTAL_UNCONFIGURED_PKI_ENTRIES=`expr ${TOTAL_UNCONFIGURED_PKI_ENTRIES} + 1` + elif [ -f ${RESTART_SERVER} ] ; then + echo -n " Although '${PKI_INSTANCE_ID}' has been CONFIGURED, " + echo -n "it must still be RESTARTED!" 
+ echo + if [ "${command}" != "status" ]; then + # 1 generic or unspecified error (current practice) + rv=1 + else + # 4 program or service status is unknown + rv=4 + fi + fi + + return $rv +} + +get_pki_status_definitions() +{ + case $PKI_WEB_SERVER_TYPE in + tomcat) + get_pki_status_definitions_tomcat + return $? + ;; + ra) + get_pki_status_definitions_ra + return $? + ;; + tps) + get_pki_status_definitions_tps + return $? + ;; + *) + echo "Unknown web server type ($PKI_WEB_SERVER_TYPE)" + exit ${default_error} + ;; + esac +} + +get_pki_status_definitions_ra() +{ + # establish well-known strings + total_ports=0 + UNSECURE_PORT="" + CLIENTAUTH_PORT="" + NON_CLIENTAUTH_PORT="" + + # check to see that an instance-specific "httpd.conf" file exists + if [ ! -f ${PKI_HTTPD_CONF} ] ; then + echo "File '${PKI_HTTPD_CONF}' does not exist!" + exit ${default_error} + fi + + # check to see that an instance-specific "nss.conf" file exists + if [ ! -f ${PKI_NSS_CONF} ] ; then + echo "File '${PKI_NSS_CONF}' does not exist!" 
+ exit ${default_error} + fi + + # Iterate over Listen statements + for port in `sed -n 's/^[ \t]*Listen[ \t][ \t]*\([^ \t][^ \t]*\)/\1/p' ${PKI_HTTPD_CONF}`; do + UNSECURE_PORT=$port + if [ $total_ports -eq 0 ]; then + echo " Unsecure Port = http://${PKI_SERVER_NAME}:${UNSECURE_PORT}" + else + echo "ERROR: extra Unsecure Port = http://${PKI_SERVER_NAME}:${UNSECURE_PORT}" + fi + total_ports=`expr ${total_ports} + 1` + + done + + # Iterate over Listen statements + for port in `sed -n 's/^[ \t]*Listen[ \t][ \t]*\([^ \t][^ \t]*\)/\1/p' ${PKI_NSS_CONF}`; do + UNSECURE_PORT=$port + if [ $total_ports -eq 1 ]; then + CLIENTAUTH_PORT=$port + echo " Secure Clientauth Port = https://${PKI_SERVER_NAME}:${CLIENTAUTH_PORT}" + fi + if [ $total_ports -eq 2 ]; then + NON_CLIENTAUTH_PORT=$port + echo " Secure Non-Clientauth Port = https://${PKI_SERVER_NAME}:${NON_CLIENTAUTH_PORT}" + fi + total_ports=`expr ${total_ports} + 1` + + done + + return 0; +} + +get_pki_status_definitions_tps() +{ + # establish well-known strings + total_ports=0 + UNSECURE_PORT="" + CLIENTAUTH_PORT="" + NON_CLIENTAUTH_PORT="" + + # check to see that an instance-specific "httpd.conf" file exists + if [ ! -f ${PKI_HTTPD_CONF} ] ; then + echo "File '${PKI_HTTPD_CONF}' does not exist!" + exit ${default_error} + fi + + # check to see that an instance-specific "nss.conf" file exists + if [ ! -f ${PKI_NSS_CONF} ] ; then + echo "File '${PKI_NSS_CONF}' does not exist!" 
+ exit ${default_error} + fi + + # Iterate over Listen statements + for port in `sed -n 's/^[ \t]*Listen[ \t][ \t]*\([^ \t][^ \t]*\)/\1/p' ${PKI_HTTPD_CONF}`; do + UNSECURE_PORT=$port + if [ $total_ports -eq 0 ]; then + echo " Unsecure Port = http://${PKI_SERVER_NAME}:${UNSECURE_PORT}/cgi-bin/so/enroll.cgi" + echo " (ESC Security Officer Enrollment)" + echo " Unsecure Port = http://${PKI_SERVER_NAME}:${UNSECURE_PORT}/cgi-bin/home/index.cgi" + echo " (ESC Phone Home)" + else + echo "ERROR: extra Unsecure Port = http://${PKI_SERVER_NAME}:${UNSECURE_PORT}" + fi + total_ports=`expr ${total_ports} + 1` + + done + + # Iterate over Listen statements + for port in `sed -n 's/^[ \t]*Listen[ \t][ \t]*\([^ \t][^ \t]*\)/\1/p' ${PKI_NSS_CONF}`; do + UNSECURE_PORT=$port + if [ $total_ports -eq 1 ]; then + CLIENTAUTH_PORT=$port + echo " Secure Clientauth Port = https://${PKI_SERVER_NAME}:${CLIENTAUTH_PORT}/cgi-bin/sow/welcome.cgi" + echo " (ESC Security Officer Workstation)" + echo " Secure Clientauth Port = https://${PKI_SERVER_NAME}:${CLIENTAUTH_PORT}/tus" + echo " (TPS Roles - Operator/Administrator/Agent)" + fi + if [ $total_ports -eq 2 ]; then + NON_CLIENTAUTH_PORT=$port + echo " Secure Non-Clientauth Port = https://${PKI_SERVER_NAME}:${NON_CLIENTAUTH_PORT}/cgi-bin/so/enroll.cgi" + echo " (ESC Security Officer Enrollment)" + echo " Secure Non-Clientauth Port = https://${PKI_SERVER_NAME}:${NON_CLIENTAUTH_PORT}/cgi-bin/home/index.cgi" + echo " (ESC Phone Home)" + fi + total_ports=`expr ${total_ports} + 1` + + done + + return 0; +} + +get_pki_status_definitions_tomcat() +{ + # establish well-known strings + begin_pki_status_comment="<!-- DO NOT REMOVE - Begin PKI Status Definitions -->" + end_pki_status_comment="<!-- DO NOT REMOVE - End PKI Status Definitions -->" + total_ports=0 + unsecure_port_statement="Unsecure Port" + secure_agent_port_statement="Secure Agent Port" + secure_ee_port_statement="Secure EE Port" + secure_ee_client_auth_port_statement="EE Client Auth Port" + 
secure_admin_port_statement="Secure Admin Port" + pki_console_port_statement="PKI Console Port" + tomcat_port_statement="Tomcat Port" + + # initialize looping variables + pki_status_comment_found=0 + + # first check to see that an instance-specific "server.xml" file exists + if [ ! -f ${PKI_SERVER_XML_CONF} ] ; then + echo "File '${PKI_SERVER_XML_CONF}' does not exist!" + exit ${default_error} + fi + + # read this instance-specific "server.xml" file line-by-line + # to obtain the current PKI Status Definitions + exec < ${PKI_SERVER_XML_CONF} + while read line; do + # first look for the well-known end PKI Status comment + # (to turn off processing) + if [ "$line" == "$end_pki_status_comment" ] ; then + pki_status_comment_found=0 + break; + fi + + # then look for the well-known begin PKI Status comment + # (to turn on processing) + if [ "$line" == "$begin_pki_status_comment" ] ; then + pki_status_comment_found=1 + fi + + # once the well-known begin PKI Status comment has been found, + # begin processing to obtain all of the PKI Status Definitions + if [ $pki_status_comment_found -eq 1 ] ; then + # look for a PKI Status Definition and print it + head=`echo "$line" | sed -e 's/^\([^=]*\)[ \t]*= .*$/\1/' -e 's/[ \t]*$//'` + if [ "$head" == "$unsecure_port_statement" ] || + [ "$head" == "$secure_agent_port_statement" ] || + [ "$head" == "$secure_ee_port_statement" ] || + [ "$head" == "$secure_ee_client_auth_port_statement" ] || + [ "$head" == "$secure_admin_port_statement" ] || + [ "$head" == "$pki_console_port_statement" ] || + [ "$head" == "$tomcat_port_statement" ] ; then + echo " $line" + total_ports=`expr ${total_ports} + 1` + fi + fi + done + + return 0; +} + +get_pki_configuration_definitions() +{ + # Obtain the PKI Subsystem Type + line=`grep -e '^[ \t]*cs.type[ \t]*=' ${PKI_SUBSYSTEM_CONFIGURATION_FILE}` + pki_subsystem=`echo "${line}" | sed -e 's/^[^=]*=[ \t]*\(.*\)/\1/' -e 's/[ \t]*$//'` + if [ "${line}" != "" ] ; then + if [ "${pki_subsystem}" != "CA" ] && + 
[ "${pki_subsystem}" != "KRA" ] && + [ "${pki_subsystem}" != "OCSP" ] && + [ "${pki_subsystem}" != "TKS" ] && + [ "${pki_subsystem}" != "RA" ] && + [ "${pki_subsystem}" != "TPS" ] + then + return ${default_error} + fi + if [ "${pki_subsystem}" == "KRA" ] ; then + # Rename "KRA" to "DRM" + pki_subsystem="DRM" + fi + else + return ${default_error} + fi + + # If "${pki_subsystem}" is a CA, DRM, OCSP, or TKS, + # check to see if "${pki_subsystem}" is a "Clone" + pki_clone="" + if [ "${pki_subsystem}" == "CA" ] || + [ "${pki_subsystem}" == "DRM" ] || + [ "${pki_subsystem}" == "OCSP" ] || + [ "${pki_subsystem}" == "TKS" ] + then + line=`grep -e '^[ \t]*subsystem.select[ \t]*=' ${PKI_SUBSYSTEM_CONFIGURATION_FILE}` + if [ "${line}" != "" ] ; then + pki_clone=`echo "${line}" | sed -e 's/^[^=]*[ \t]*=[ \t]*\(.*\)/\1/' -e 's/[ \t]*$//'` + if [ "${pki_clone}" != "Clone" ] ; then + # Reset "${pki_clone}" to be empty + pki_clone="" + fi + else + return ${default_error} + fi + fi + + # If "${pki_subsystem}" is a CA, and is NOT a "Clone", check to + # see "${pki_subsystem}" is a "Root" or a "Subordinate" CA + pki_hierarchy="" + if [ "${pki_subsystem}" == "CA" ] && + [ "${pki_clone}" != "Clone" ] + then + line=`grep -e '^[ \t]*hierarchy.select[ \t]*=' ${PKI_SUBSYSTEM_CONFIGURATION_FILE}` + if [ "${line}" != "" ] ; then + pki_hierarchy=`echo "${line}" | sed -e 's/^[^=]*[ \t]*=[ \t]*\(.*\)/\1/' -e 's/[ \t]*$//'` + else + return ${default_error} + fi + fi + + # If ${pki_subsystem} is a CA, check to + # see if it is also a Security Domain + pki_security_domain="" + if [ "${pki_subsystem}" == "CA" ] ; then + line=`grep -e '^[ \t]*securitydomain.select[ \t]*=' ${PKI_SUBSYSTEM_CONFIGURATION_FILE}` + if [ "${line}" != "" ] ; then + pki_security_domain=`echo "${line}" | sed -e 's/^[^=]*[ \t]*=[ \t]*\(.*\)/\1/' -e 's/[ \t]*$//'` + if [ "${pki_security_domain}" == "new" ] ; then + # Set a fixed value for "${pki_security_domain}" + pki_security_domain="(Security Domain)" + else + # Reset 
"${pki_security_domain}" to be empty + pki_security_domain="" + fi + else + return ${default_error} + fi + fi + + # Always obtain this PKI instance's "registered" + # security domain information + pki_security_domain_name="" + pki_security_domain_hostname="" + pki_security_domain_https_admin_port="" + + line=`grep -e '^[ \t]*securitydomain.name[ \t]*=' ${PKI_SUBSYSTEM_CONFIGURATION_FILE}` + if [ "${line}" != "" ] ; then + pki_security_domain_name=`echo "${line}" | sed -e 's/^[^=]*[ \t]*=[ \t]*\(.*\)/\1/' -e 's/[ \t]*$//'` + else + return ${default_error} + fi + + line=`grep -e '^[ \t]*securitydomain.host[ \t]*=' ${PKI_SUBSYSTEM_CONFIGURATION_FILE}` + if [ "${line}" != "" ] ; then + pki_security_domain_hostname=`echo "${line}" | sed -e 's/^[^=]*[ \t]*=[ \t]*\(.*\)/\1/' -e 's/[ \t]*$//'` + else + return ${default_error} + fi + + line=`grep -e '^[ \t]*securitydomain.httpsadminport[ \t]*=' ${PKI_SUBSYSTEM_CONFIGURATION_FILE}` + if [ "${line}" != "" ] ; then + pki_security_domain_https_admin_port=`echo "${line}" | sed -e 's/^[^=]*[ \t]*=[ \t]*\(.*\)/\1/' -e 's/[ \t]*$//'` + else + return ${default_error} + fi + + # Compose the "PKI Instance Name" Status Line + pki_instance_name="PKI Instance Name: ${PKI_INSTANCE_ID}" + + # Compose the "PKI Subsystem Type" Status Line + header="PKI Subsystem Type: " + if [ "${pki_clone}" != "" ] ; then + if [ "${pki_security_domain}" != "" ]; then + # Possible Values: + # + # "CA Clone (Security Domain)" + # + data="${pki_subsystem} ${pki_clone} ${pki_security_domain}" + else + # Possible Values: + # + # "CA Clone" + # "DRM Clone" + # "OCSP Clone" + # "TKS Clone" + # + data="${pki_subsystem} ${pki_clone}" + fi + elif [ "${pki_hierarchy}" != "" ] ; then + if [ "${pki_security_domain}" != "" ]; then + # Possible Values: + # + # "Root CA (Security Domain)" + # "Subordinate CA (Security Domain)" + # + data="${pki_hierarchy} ${pki_subsystem} ${pki_security_domain}" + else + # Possible Values: + # + # "Root CA" + # "Subordinate CA" + # + 
data="${pki_hierarchy} ${pki_subsystem}" + fi + else + # Possible Values: + # + # "DRM" + # "OCSP" + # "RA" + # "TKS" + # "TPS" + # + data="${pki_subsystem}" + fi + pki_subsystem_type="${header} ${data}" + + # Compose the "Registered PKI Security Domain Information" Status Line + header="Name: " + registered_pki_security_domain_name="${header} ${pki_security_domain_name}" + + header="URL: " + if [ "${pki_security_domain_hostname}" != "" ] && + [ "${pki_security_domain_https_admin_port}" != "" ] + then + data="https://${pki_security_domain_hostname}:${pki_security_domain_https_admin_port}" + else + return ${default_error} + fi + registered_pki_security_domain_url="${header} ${data}" + + # Print the "PKI Subsystem Type" Status Line + echo + echo " ${pki_instance_name}" + + # Print the "PKI Subsystem Type" Status Line + echo + echo " ${pki_subsystem_type}" + + # Print the "Registered PKI Security Domain Information" Status Line + echo + echo " Registered PKI Security Domain Information:" + echo " ==========================================================================" + echo " ${registered_pki_security_domain_name}" + echo " ${registered_pki_security_domain_url}" + echo " ==========================================================================" + + return 0 +} + +display_configuration_information() +{ + result=0 + check_pki_configuration_status + rv=$? + if [ $rv -eq 0 ] ; then + get_pki_status_definitions + rv=$? + if [ $rv -ne 0 ] ; then + result=$rv + echo + echo "${PKI_INSTANCE_ID} Status Definitions not found" + else + get_pki_configuration_definitions + rv=$? + if [ $rv -ne 0 ] ; then + result=$rv + echo + echo "${PKI_INSTANCE_ID} Configuration Definitions not found" + fi + fi + fi + return $result +} + +display_instance_status_systemd() +{ + echo -n "Status for ${PKI_INSTANCE_ID}: " + systemctl status "$PKI_SYSTEMD_TARGET@$PKI_INSTANCE_ID.service" > /dev/null 2>&1 + rv=$? + + if [ $rv -eq 0 ] ; then + echo "$PKI_INSTANCE_ID is running .." 
+ display_configuration_information + else + echo "$PKI_INSTANCE_ID is stopped" + fi + + return $rv +} + +display_instance_status() +{ + # Verify there is an initscript for this instance + if [ ! -f $PKI_INSTANCE_INITSCRIPT ]; then + # 4 program or service status is unknown + return 4 + fi + + # Invoke the initscript for this instance + $PKI_INSTANCE_INITSCRIPT status + rv=$? + + if [ $rv -eq 0 ] ; then + display_configuration_information + fi + + return $rv +} + +start_instance() +{ + rv=0 + + if [ -f ${RESTART_SERVER} ] ; then + rm -f ${RESTART_SERVER} + fi + + # Invoke the initscript for this instance + case $PKI_WEB_SERVER_TYPE in + tomcat) + + # We must export the service name so that the systemd version + # of the tomcat init script knows which instance specific + # configuration file to source. + export SERVICE_NAME=$PKI_INSTANCE_ID + + if [ -x /usr/sbin/selinuxenabled ] && /usr/sbin/selinuxenabled; then + # HACKS: + # (1) MUST eventually replace hard-coded 'pki_ca_script_t' + # with programmatic replacement of either + # 'pki_tomcat_script_t' or 'pki_apache_script_t', AND + # (2) MUST currently be run with SELinux in 'Permissive' mode! + /usr/bin/runcon -t pki_ca_script_t \ + $PKI_INSTANCE_INITSCRIPT start + rv=$? + else + $PKI_INSTANCE_INITSCRIPT start + rv=$? + fi + ;; + apache) + $PKI_INSTANCE_INITSCRIPT start + rv=$? + ;; + esac + + if [ $rv -ne 0 ] ; then + return $rv + fi + + # On Tomcat subsystems, make certain that the service has started + case $PKI_WEB_SERVER_TYPE in + tomcat) + count=0 + tries=30 + port=${PKI_UNSECURE_PORT} + while [ $count -lt $tries ] + do + netstat -antl | grep ${port} > /dev/null + netrv=$? + if [ $netrv -eq 0 ] ; then + break; + fi + sleep 1 + let count=$count+1; + done + if [ $netrv -ne 0 ] ; then + return 1 + fi + ;; + esac + + if [ $rv -eq 0 ] ; then + # From the PKI point of view a returned error code of 6 implies + # that the program is not "configured". 
An error code of 1 implies + # that the program was "configured" but must still be restarted. + # + # If the return code is 6 return this value unchanged to the + # calling routine so that the total number of configuration errors + # may be counted. Other return codes are ignored. + # + check_pki_configuration_status + rv=$? + if [ $rv -eq 6 ]; then + # 6 program is not configured + return 6 + else + # 0 success + + # Tomcat instances automatically place pid files under + # '/var/run' and lock files under '/var/lock/subsys'. + # + # However, since PKI subsystem instances can have any name, + # in order to identify the PKI subsystem type of a particular + # PKI instance, we create a separate "pki subsystem identity" + # symlink to the PKI instance pid file and place it under + # '/var/run/pki/<pki subsystem>', and a separate + # "pki subsystem identity" symlink to the PKI instance + # lock file and place it under '/var/lock/pki/<pki subsystem>'. + # + case $PKI_WEB_SERVER_TYPE in + tomcat) + if [ -h ${PKI_PIDFILE} ]; then + rm -f ${PKI_PIDFILE} + fi + if [ -f ${TOMCAT_PIDFILE} ]; then + ln -s ${TOMCAT_PIDFILE} ${PKI_PIDFILE} + chown -h ${TOMCAT_USER}:${TOMCAT_GROUP} ${PKI_PIDFILE} + fi + if [ -h ${PKI_LOCKFILE} ]; then + rm -f ${PKI_LOCKFILE} + fi + if [ -f ${TOMCAT_LOCKFILE} ]; then + ln -s ${TOMCAT_LOCKFILE} ${PKI_LOCKFILE} + fi + ;; + esac + + return 0 + fi + fi + return $rv +} + +stop_instance() +{ + rv=0 + + export SERVICE_NAME=$PKI_INSTANCE_ID + # Invoke the initscript for this instance + $PKI_INSTANCE_INITSCRIPT stop + rv=$? + + # On Tomcat subsystems, always remove the "pki subsystem identity" symlinks + # that were previously associated with the Tomcat 'pid' and 'lock' files. 
+ case $PKI_WEB_SERVER_TYPE in + tomcat) + if [ -h ${PKI_PIDFILE} ]; then + rm -f ${PKI_PIDFILE} + fi + if [ -h ${PKI_LOCKFILE} ]; then + rm -f ${PKI_LOCKFILE} + fi + ;; + esac + + return $rv +} + +start() +{ + error_rv=0 + rv=0 + config_errors=0 + errors=0 + + if [ ${TOTAL_PKI_REGISTRY_ENTRIES} -eq 0 ]; then + echo + echo "ERROR: No '${PKI_TYPE}' instances installed!" + # 5 program is not installed + return 5 + fi + + if [ ${TOTAL_PKI_REGISTRY_ENTRIES} -gt 1 ]; then + echo "BEGIN STARTING '${PKI_TYPE}' INSTANCES:" + fi + + # Start every PKI instance of this type that isn't already running + for PKI_REGISTRY_ENTRY in ${PKI_REGISTRY_ENTRIES}; do + # Source values associated with this particular PKI instance + [ -f ${PKI_REGISTRY_ENTRY} ] && + . ${PKI_REGISTRY_ENTRY} + + [ ${TOTAL_PKI_REGISTRY_ENTRIES} -gt 1 ] && echo + + start_instance + rv=$? + if [ $rv = 6 ] ; then + # Since at least ONE configuration error exists, then there + # is at least ONE unconfigured instance from the PKI point + # of view. + # + # However, it must still be considered that the + # instance is "running" from the point of view of other + # OS programs such as 'chkconfig'. + # + # Therefore, ignore non-zero return codes resulting + # from configuration errors. + # + + config_errors=`expr $config_errors + 1` + rv=0 + elif [ $rv != 0 ] ; then + errors=`expr $errors + 1` + error_rv=$rv + fi + done + + if [ ${TOTAL_PKI_REGISTRY_ENTRIES} -gt ${errors} ] ; then + touch ${lockfile} + chmod 00600 ${lockfile} + fi + + # ONLY print a "WARNING" message if multiple + # instances are being examined + if [ ${TOTAL_PKI_REGISTRY_ENTRIES} -gt 1 ] ; then + # NOTE: "bad" return code(s) OVERRIDE configuration errors! + if [ ${errors} -eq 1 ]; then + # Since only ONE error exists, return that "bad" error code. 
+ rv=${error_rv} + elif [ ${errors} -gt 1 ]; then + # Since MORE than ONE error exists, return an OVERALL status + # of "1 generic or unspecified error (current practice)" + rv=1 + fi + + if [ ${errors} -ge 1 ]; then + echo + echo -n "WARNING: " + echo -n "${errors} of ${TOTAL_PKI_REGISTRY_ENTRIES} " + echo -n "'${PKI_TYPE}' instances failed to start!" + echo + fi + + if [ ${TOTAL_UNCONFIGURED_PKI_ENTRIES} -ge 1 ]; then + echo + echo -n "WARNING: " + echo -n "${TOTAL_UNCONFIGURED_PKI_ENTRIES} " + echo -n "of ${TOTAL_PKI_REGISTRY_ENTRIES} " + echo -n "'${PKI_TYPE}' instances MUST be configured!" + echo + fi + + echo + echo "FINISHED STARTING '${PKI_TYPE}' INSTANCE(S)." + fi + + return $rv +} + +stop() +{ + error_rv=0 + rv=0 + errors=0 + + if [ ${TOTAL_PKI_REGISTRY_ENTRIES} -eq 0 ]; then + echo + echo "ERROR: No '${PKI_TYPE}' instances installed!" + # 5 program is not installed + return 5 + fi + + if [ ${TOTAL_PKI_REGISTRY_ENTRIES} -gt 1 ] ; then + echo "BEGIN SHUTTING DOWN '${PKI_TYPE}' INSTANCE(S):" + fi + + # Shutdown every PKI instance of this type that is running + for PKI_REGISTRY_ENTRY in ${PKI_REGISTRY_ENTRIES}; do + # Source values associated with this particular PKI instance + [ -f ${PKI_REGISTRY_ENTRY} ] && + . ${PKI_REGISTRY_ENTRY} + + [ ${TOTAL_PKI_REGISTRY_ENTRIES} -gt 1 ] && echo + + stop_instance + rv=$? + if [ $rv != 0 ] ; then + errors=`expr $errors + 1` + error_rv=$rv + fi + done + + if [ ${errors} -eq 0 ] ; then + rm -f ${lockfile} + fi + + # ONLY print a "WARNING" message if multiple + # instances are being examined + if [ ${TOTAL_PKI_REGISTRY_ENTRIES} -gt 1 ] ; then + if [ ${errors} -eq 1 ]; then + # Since only ONE error exists, return that "bad" error code. 
+ rv=${error_rv} + elif [ ${errors} -gt 1 ]; then + # Since MORE than ONE error exists, return an OVERALL status + # of "1 generic or unspecified error (current practice)" + rv=1 + fi + + if [ ${errors} -ge 1 ]; then + echo + echo -n "WARNING: " + echo -n "${errors} of ${TOTAL_PKI_REGISTRY_ENTRIES} " + echo -n "'${PKI_TYPE}' instances were " + echo -n "unsuccessfully stopped!" + echo + fi + + echo + echo "FINISHED SHUTTING DOWN '${PKI_TYPE}' INSTANCE(S)." + fi + + return $rv +} + +restart() +{ + stop + sleep 2 + start + + return $? +} + +registry_status() +{ + error_rv=0 + rv=0 + errors=0 + + if [ ${TOTAL_PKI_REGISTRY_ENTRIES} -eq 0 ]; then + echo + echo "ERROR: No '${PKI_TYPE}' instances installed!" + # 4 program or service status is unknown + return 4 + fi + + if [ ${TOTAL_PKI_REGISTRY_ENTRIES} -gt 1 ] ; then + echo "REPORT STATUS OF '${PKI_TYPE}' INSTANCE(S):" + fi + + # Obtain status of every PKI instance of this type + for PKI_REGISTRY_ENTRY in ${PKI_REGISTRY_ENTRIES}; do + # Source values associated with this particular PKI instance + [ -f ${PKI_REGISTRY_ENTRY} ] && + . ${PKI_REGISTRY_ENTRY} + + [ ${TOTAL_PKI_REGISTRY_ENTRIES} -gt 1 ] && echo + + case $PKI_WEB_SERVER_TYPE in + tomcat) + if [ $SYSTEMD ]; then + display_instance_status_systemd + else + display_instance_status + fi + rv=$? + ;; + apache) + display_instance_status + rv=$? + ;; + esac + if [ $rv -ne 0 ] ; then + errors=`expr $errors + 1` + error_rv=$rv + fi + done + + # ONLY print a "WARNING" message if multiple + # instances are being examined + if [ ${TOTAL_PKI_REGISTRY_ENTRIES} -gt 1 ] ; then + if [ ${errors} -eq 1 ]; then + # Since only ONE error exists, return that "bad" error code. 
+ rv=${error_rv} + elif [ ${errors} -gt 1 ]; then + # Since MORE than ONE error exists, return an OVERALL status + # of "4 - program or service status is unknown" + rv=4 + fi + + if [ ${errors} -ge 1 ]; then + echo + echo -n "WARNING: " + echo -n "${errors} of ${TOTAL_PKI_REGISTRY_ENTRIES} " + echo -n "'${PKI_TYPE}' instances reported status failures!" + echo + fi + + if [ ${TOTAL_UNCONFIGURED_PKI_ENTRIES} -ge 1 ]; then + echo + echo -n "WARNING: " + echo -n "${TOTAL_UNCONFIGURED_PKI_ENTRIES} " + echo -n "of ${TOTAL_PKI_REGISTRY_ENTRIES} " + echo -n "'${PKI_TYPE}' instances MUST be configured!" + echo + fi + + echo + echo "FINISHED REPORTING STATUS OF '${PKI_TYPE}' INSTANCE(S)." + fi + + return $rv +} + diff --git a/base/deploy/scripts/pkidaemon b/base/deploy/scripts/pkidaemon new file mode 100755 index 000000000..7be30c9d3 --- /dev/null +++ b/base/deploy/scripts/pkidaemon 
@@ -0,0 +1,74 @@
+#!/bin/bash
+#
+# --- BEGIN COPYRIGHT BLOCK ---
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; version 2 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License along
+# with this program; if not, write to the Free Software Foundation, Inc.,
+# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# Copyright (C) 2012 Red Hat, Inc.
+# All rights reserved.
+# --- END COPYRIGHT BLOCK ---
+#
+
+PROG_NAME=`basename $0`
+SERVICE_NAME="pkidaemon"
+SERVICE_PROG="/bin/systemctl"
+
+command="$1"
+pki_instance_type="$2"
+pki_instance_id="$3"
+
+PKI_REGISTRY="/etc/sysconfig/pki/${pki_instance_type}"
+PKI_TYPE="${pki_instance_type}"
+PKI_SYSTEMD_TARGET="pki-${pki_instance_type}d"
+SYSTEMD=1
+
+# Source the PKI function library
+. /usr/share/pki/scripts/operations
+
+# See how we were called.
+case $command in
+ status)
+ # registry_status
+ echo "The 'status' action is TBD."
+ exit $?
+ ;;
+ start)
+ start
+ exit $?
+ ;;
+ restart)
+ restart
+ exit $?
+ ;;
+ stop)
+ stop
+ exit $?
+ ;;
+ condrestart|force-restart|try-restart)
+ [ ! -f ${lockfile} ] || restart
+ echo "The '${command}' action is TBD."
+ exit $?
+ ;;
+ reload)
+ echo "The 'reload' action is an unimplemented feature."
+ exit ${default_error}
+ ;;
+ *)
+ echo "unknown action ($command)"
+ usage
+ echo "where valid instance names include:"
+ list_instances
+ exit ${default_error}
+ ;;
+esac
+
diff --git a/base/deploy/src/pkidestroy b/base/deploy/src/pkidestroy
index 2d0b5d285..6a2db56b8 100755
--- a/base/deploy/src/pkidestroy
+++ b/base/deploy/src/pkidestroy
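Review bot: In the `status` and `condrestart|force-restart|try-restart` branches `exit $?` follows an `echo`, so the script exits with echo's status (0) regardless of what `registry_status` or `restart` returned; the TBD branches should exit explicitly as the `reload` branch does (`exit ${default_error}`), and condrestart should capture the result before printing, e.g. `[ ! -f ${lockfile} ] || restart; rv=$?` followed by `exit $rv`. `pki_instance_type` is taken from `$2` without validation and is interpolated into `PKI_REGISTRY` and the `pki-${pki_instance_type}d` target name, and the sourced operations library appears to walk that registry directory and source the files it finds, so restrict it to the known types up front: `case "$pki_instance_type" in tomcat|apache) ;; *) usage; exit ${default_error} ;; esac`. The `. /usr/share/pki/scripts/operations` line has no existence check, so a missing library turns every action into "command not found" rather than a clear failure. `SERVICE_PROG` is assigned and never used in this file.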
@@ -125,21 +125,21 @@ def main(argv): extra=config.PKI_INDENTATION_LEVEL_0) # Override PKI configuration file values with 'custom' command-line values. - if not config.pki_admin_domain_name is None: + if not config.custom_pki_admin_domain_name is None: config.pki_common_dict['pki_admin_domain_name'] =\ - config.pki_admin_domain_name - if not config.pki_instance_name is None: - config.pki_common_dict['pki_instance_name'] =\ - config.pki_instance_name - if not config.pki_http_port is None: + config.custom_pki_admin_domain_name + if not config.custom_pki_instance_name is None: + config.pki_web_server_dict['pki_instance_name'] =\ + config.custom_pki_instance_name + if not config.custom_pki_http_port is None: config.pki_web_server_dict['pki_http_port'] =\ - config.pki_http_port - if not config.pki_https_port is None: + config.custom_pki_http_port + if not config.custom_pki_https_port is None: config.pki_web_server_dict['pki_https_port'] =\ - config.pki_https_port - if not config.pki_ajp_port is None: + config.custom_pki_https_port + if not config.custom_pki_ajp_port is None: config.pki_web_server_dict['pki_ajp_port'] =\ - config.pki_ajp_port + config.custom_pki_ajp_port config.pki_log.debug(log.PKI_DICTIONARY_COMMON, extra=config.PKI_INDENTATION_LEVEL_0) config.pki_log.debug(pp.pformat(config.pki_common_dict), diff --git a/base/deploy/src/pkispawn b/base/deploy/src/pkispawn index d665f3c9f..66152a334 100755 --- a/base/deploy/src/pkispawn +++ b/base/deploy/src/pkispawn 
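Review bot: Each override test is written as `if not config.custom_pki_admin_domain_name is None:`; the idiomatic and more readable form is `if config.custom_pki_admin_domain_name is not None:`, and the same applies to the other four tests here and to the identical block in the pkispawn hunk that follows. Since the two scripts now carry a verbatim copy of this override logic, a single helper (for example in pkiparser, next to where the custom values are parsed) that applies the overrides to `config.pki_common_dict` and `config.pki_web_server_dict` would keep them from drifting apart again. `main` starts and ends outside the hunk.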
@@ -154,21 +154,21 @@ def main(argv): extra=config.PKI_INDENTATION_LEVEL_0) # Override PKI configuration file values with 'custom' command-line values. - if not config.pki_admin_domain_name is None: + if not config.custom_pki_admin_domain_name is None: config.pki_common_dict['pki_admin_domain_name'] =\ - config.pki_admin_domain_name - if not config.pki_instance_name is None: - config.pki_common_dict['pki_instance_name'] =\ - config.pki_instance_name - if not config.pki_http_port is None: + config.custom_pki_admin_domain_name + if not config.custom_pki_instance_name is None: + config.pki_web_server_dict['pki_instance_name'] =\ + config.custom_pki_instance_name + if not config.custom_pki_http_port is None: config.pki_web_server_dict['pki_http_port'] =\ - config.pki_http_port - if not config.pki_https_port is None: + config.custom_pki_http_port + if not config.custom_pki_https_port is None: config.pki_web_server_dict['pki_https_port'] =\ - config.pki_https_port - if not config.pki_ajp_port is None: + config.custom_pki_https_port + if not config.custom_pki_ajp_port is None: config.pki_web_server_dict['pki_ajp_port'] =\ - config.pki_ajp_port + config.custom_pki_ajp_port config.pki_log.debug(log.PKI_DICTIONARY_COMMON, extra=config.PKI_INDENTATION_LEVEL_0) config.pki_log.debug(pp.pformat(config.pki_common_dict), diff --git a/base/deploy/src/scriptlets/configuration.py b/base/deploy/src/scriptlets/configuration.py index 1155e9002..f40573940 100644 --- a/base/deploy/src/scriptlets/configuration.py +++ b/base/deploy/src/scriptlets/configuration.py @@ -47,6 +47,9 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): master['pki_client_key_database'], master['pki_client_secmod_database'], password_file=master['pki_client_password_conf']) + util.symlink.create( + config.pki_master_dict['pki_systemd_service'], + config.pki_master_dict['pki_systemd_service_link']) else: util.password.create_password_conf( master['pki_client_password_conf'], 
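Review bot: The new `util.symlink.create(...)` call in configuration.py reads `config.pki_master_dict['pki_systemd_service']` while the surrounding lines use the `master[...]` alias; if `master` is the same dictionary, `master['pki_systemd_service']` and `master['pki_systemd_service_link']` keep the block consistent, and if it is not, a comment should say why the global is needed here. The branch condition that decides whether the service link is created is outside the hunk, so it is not visible whether the link is also created on the `else` path or only when a password file is supplied; a one-line comment above the call naming the condition it depends on would help. The enclosing method starts and ends outside the hunk.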
@@ -71,17 +74,25 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): extra=config.PKI_INDENTATION_LEVEL_1) if not config.pki_dry_run_flag: if master['pki_subsystem'] in config.PKI_APACHE_SUBSYSTEMS and\ - util.instance.apache_instances() == 0: + util.instance.apache_instances() == 1: util.directory.delete(master['pki_client_path']) + util.symlink.delete( + config.pki_master_dict['pki_systemd_service_link']) elif master['pki_subsystem'] in config.PKI_TOMCAT_SUBSYSTEMS and\ - util.instance.tomcat_instances() == 0: + util.instance.tomcat_instances() == 1: util.directory.delete(master['pki_client_path']) + util.symlink.delete( + config.pki_master_dict['pki_systemd_service_link']) else: # ALWAYS display correct information (even during dry_run) if master['pki_subsystem'] in config.PKI_APACHE_SUBSYSTEMS and\ - util.instance.apache_instances() == 1: + util.instance.apache_instances() == 0: util.directory.delete(master['pki_client_path']) + util.symlink.delete( + config.pki_master_dict['pki_systemd_service_link']) elif master['pki_subsystem'] in config.PKI_TOMCAT_SUBSYSTEMS and\ - util.instance.tomcat_instances() == 1: + util.instance.tomcat_instances() == 0: util.directory.delete(master['pki_client_path']) + util.symlink.delete( + config.pki_master_dict['pki_systemd_service_link']) return self.rv diff --git a/base/deploy/src/scriptlets/finalization.py b/base/deploy/src/scriptlets/finalization.py index acf51391a..02c5065cb 100644 --- a/base/deploy/src/scriptlets/finalization.py +++ b/base/deploy/src/scriptlets/finalization.py 
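Review bot: The instance-count thresholds here are now the reverse of the ones instance_layout.py uses for the same decision later in this commit: the real run deletes the client path and the systemd link when `apache_instances() == 1` / `tomcat_instances() == 1` and the dry run when the count is 0, whereas instance_layout.py tests `== 0` in the real run and `== 1` in the dry run. If this is deliberate because configuration's destroy runs before the instance is removed from the registry, a comment such as `# this instance is still registered here, so 1 means "last instance"` would stop the next reader from "fixing" it; if not, one of the two scriptlets deletes shared state while another instance still exists. The pair `util.directory.delete(master['pki_client_path'])` / `util.symlink.delete(config.pki_master_dict['pki_systemd_service_link'])` is copied into all four branches and could be one local helper. The enclosing method starts outside the hunk.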
@@ -41,10 +41,7 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): master['pki_subsystem_registry_path'] +\ "/" + config.PKI_DEPLOYMENT_DEFAULT_CONFIGURATION_FILE) # Save a timestamped copy of the installation manifest file - filename = master['pki_root_prefix'] +\ - config.PKI_DEPLOYMENT_REGISTRY_ROOT + "/" +\ - master['pki_instance_id'] + "/" +\ - master['pki_subsystem'].lower() +"/" +\ + filename = master['pki_subsystem_registry_path'] + "/" +\ "spawn" + "_" + "manifest" + "." +\ master['pki_timestamp'] + "." + "csv" config.pki_log.info(log.PKI_MANIFEST_MESSAGE_1, filename, @@ -74,10 +71,7 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): "/" + config.PKI_DEPLOYMENT_DEFAULT_CONFIGURATION_FILE, overwrite_flag=True) # Save a timestamped copy of the updated manifest file - filename = master['pki_root_prefix'] +\ - config.PKI_DEPLOYMENT_REGISTRY_ROOT + "/" +\ - master['pki_instance_id'] + "/" +\ - master['pki_subsystem'].lower() +"/" +\ + filename = master['pki_subsystem_registry_path'] + "/" +\ "respawn" + "_" + "manifest" + "." +\ master['pki_timestamp'] + "." + "csv" config.pki_log.info(log.PKI_MANIFEST_MESSAGE_1, filename, diff --git a/base/deploy/src/scriptlets/infrastructure_layout.py b/base/deploy/src/scriptlets/infrastructure_layout.py index fd94de512..471739700 100644 --- a/base/deploy/src/scriptlets/infrastructure_layout.py +++ b/base/deploy/src/scriptlets/infrastructure_layout.py @@ -80,7 +80,8 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): # remove top-level infrastructure registry util.directory.delete(master['pki_registry_path']) if master['pki_subsystem'] in config.PKI_TOMCAT_SUBSYSTEMS: - util.file.delete(master['pki_target_tomcat_conf']) + util.file.delete( + master['pki_target_tomcat_conf_instance_id']) else: # ALWAYS display correct information (even during dry_run) 
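Review bot: The manifest filename is still built by string concatenation with split literals (`"spawn" + "_" + "manifest" + "." + master['pki_timestamp'] + "." + "csv"`), which hides the actual name; `"spawn_manifest." + master['pki_timestamp'] + ".csv"` joined to `master['pki_subsystem_registry_path']` with `os.path.join` (if `os` is already imported in this module) reads as the path it is. The same applies to the `respawn` hunk below. The enclosing methods start and end outside the hunks.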
@@ -98,5 +99,6 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): # remove top-level infrastructure registry util.directory.delete(master['pki_registry_path']) if master['pki_subsystem'] in config.PKI_TOMCAT_SUBSYSTEMS: - util.file.delete(master['pki_target_tomcat_conf']) + util.file.delete( + master['pki_target_tomcat_conf_instance_id']) return self.rv diff --git a/base/deploy/src/scriptlets/instance_layout.py b/base/deploy/src/scriptlets/instance_layout.py index 60e94d1a1..8a645f029 100644 --- a/base/deploy/src/scriptlets/instance_layout.py +++ b/base/deploy/src/scriptlets/instance_layout.py @@ -41,6 +41,7 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): # establish instance configuration util.directory.create(master['pki_instance_configuration_path']) # establish instance registry + util.directory.create(master['pki_instance_type_registry_path']) util.directory.create(master['pki_instance_registry_path']) # establish Apache/Tomcat specific instance if master['pki_subsystem'] in config.PKI_TOMCAT_SUBSYSTEMS: @@ -59,6 +60,9 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): util.directory.create(master['pki_tomcat_webapps_webinf_lib_path']) # establish Tomcat instance logs # establish Tomcat instance configuration + util.directory.copy(master['pki_source_shared_path'], + master['pki_instance_configuration_path'], + overwrite_flag=True) # establish Tomcat instance registry # establish Tomcat instance convenience # symbolic links @@ -89,6 +93,7 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): # update instance configuration util.directory.modify(master['pki_instance_configuration_path']) # update instance registry + util.directory.modify(master['pki_instance_type_registry_path']) util.directory.modify(master['pki_instance_registry_path']) # update Apache/Tomcat specific instance if master['pki_subsystem'] in config.PKI_TOMCAT_SUBSYSTEMS: 
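Review bot: The new `util.directory.copy(master['pki_source_shared_path'], master['pki_instance_configuration_path'], overwrite_flag=True)` in the instance_layout.py `@@ -59` hunk copies the shared tree into the instance configuration directory with overwrite enabled, and the `@@ -116` hunk repeats it on the update path, where any file of the same name that was edited locally after spawn (server.xml ports and TLS settings are the usual suspects) would be replaced with the shared default; what `pki_source_shared_path` contains is not visible here, so if it holds only non-instance files a comment saying so is enough, otherwise the update path should not pass `overwrite_flag=True`. In `@@ -59` the call sits under `# establish Tomcat instance configuration` while the `# establish Tomcat instance logs` comment above it has no code, and in `@@ -116` the copy is wedged between two `util.symlink.modify` calls; moving it next to the configuration-path handling keeps each comment attached to its code. The enclosing methods start and end outside the hunks.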
@@ -116,6 +121,9 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): # update instance convenience symbolic links util.symlink.modify(master['pki_instance_database_link']) util.symlink.modify(master['pki_instance_conf_link']) + util.directory.copy(master['pki_source_shared_path'], + master['pki_instance_configuration_path'], + overwrite_flag=True) util.symlink.modify(master['pki_instance_logs_link']) return self.rv @@ -133,6 +141,7 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): # remove Apache instance configuration util.directory.delete(master['pki_instance_configuration_path']) # remove Apache instance registry + util.directory.delete(master['pki_instance_type_registry_path']) elif master['pki_subsystem'] in config.PKI_TOMCAT_SUBSYSTEMS and\ util.instance.tomcat_instances() == 0: # remove Tomcat instance base @@ -143,6 +152,7 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): # remove Tomcat instance configuration util.directory.delete(master['pki_instance_configuration_path']) # remove Tomcat instance registry + util.directory.delete(master['pki_instance_type_registry_path']) else: # ALWAYS display correct information (even during dry_run) if master['pki_subsystem'] in config.PKI_APACHE_SUBSYSTEMS and\ @@ -155,6 +165,7 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): # remove Apache instance configuration util.directory.delete(master['pki_instance_configuration_path']) # remove Apache instance registry + util.directory.delete(master['pki_instance_type_registry_path']) elif master['pki_subsystem'] in config.PKI_TOMCAT_SUBSYSTEMS and\ util.instance.tomcat_instances() == 1: # remove Tomcat instance base @@ -165,4 +176,5 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): # remove Tomcat instance configuration util.directory.delete(master['pki_instance_configuration_path']) # remove Tomcat instance registry + util.directory.delete(master['pki_instance_type_registry_path']) return self.rv 
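Review bot: The four destroy hunks (`@@ -133`, `@@ -143`, `@@ -155`, `@@ -165`) each add the identical line `util.directory.delete(master['pki_instance_type_registry_path'])` after the instance-configuration delete, so the branches now differ only in their guard; a single local helper that removes the instance directories would make the real-run/dry-run pairing and the `== 0` / `== 1` thresholds easier to verify. Because the type registry is shared by every instance of that web-server type, a short comment such as `# type registry is shared; only removed with the last instance` next to the delete would record why it is tied to the instance-count guard. The enclosing method starts outside the hunks.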
diff --git a/base/deploy/src/scriptlets/pkiconfig.py b/base/deploy/src/scriptlets/pkiconfig.py index 76d54ad15..2acd37d36 100644 --- a/base/deploy/src/scriptlets/pkiconfig.py +++ b/base/deploy/src/scriptlets/pkiconfig.py @@ -40,6 +40,8 @@ PKI_INDENTATION_LEVEL_3 = {'indent' : '........... '} PKI_INDENTATION_LEVEL_4 = {'indent' : '............... '} PKI_DEPLOYMENT_SOURCE_ROOT = "/usr/share/pki" +PKI_DEPLOYMENT_SYSTEMD_ROOT = "/lib/systemd/system" +PKI_DEPLOYMENT_SYSTEMD_CONFIGURATION_ROOT = "/etc/systemd/system" PKI_DEPLOYMENT_TOMCAT_ROOT = "/usr/share/tomcat" PKI_DEPLOYMENT_TOMCAT_SYSTEMD = "/usr/sbin/tomcat-sysd" PKI_DEPLOYMENT_BASE_ROOT = "/var/lib/pki" @@ -92,11 +94,11 @@ pki_root_prefix = None pki_update_flag = False # PKI Deployment "Custom" Command-Line Variables -pki_admin_domain_name = None -pki_instance_name = None -pki_http_port = None -pki_https_port = None -pki_ajp_port = None +custom_pki_admin_domain_name = None +custom_pki_instance_name = None +custom_pki_http_port = None +custom_pki_https_port = None +custom_pki_ajp_port = None # PKI Deployment Logger Variables diff --git a/base/deploy/src/scriptlets/pkiparser.py b/base/deploy/src/scriptlets/pkiparser.py index a9a53dd76..0add192f7 100644 --- a/base/deploy/src/scriptlets/pkiparser.py +++ b/base/deploy/src/scriptlets/pkiparser.py 
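Review bot: `PKI_DEPLOYMENT_SYSTEMD_ROOT = "/lib/systemd/system"` hard-codes a distribution-specific location; on merged-/usr systems the unit directory is `/usr/lib/systemd/system` and `/lib` is only a compatibility symlink, and the build side presumably installs the units wherever its own install variable points, so the two can silently disagree and the service symlink created from this value would then dangle. At minimum a comment stating that this must match the packaging install path, or deriving it from the same source at build time, would keep them aligned. The `custom_*` rename in the second hunk needs no action.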
@@ -79,23 +79,23 @@ def process_command_line_arguments(argv): custom = parser.add_argument_group('custom arguments ' '(OVERRIDES configuration file values)') custom.add_argument('-d', - dest='pki_admin_domain_name', action='store', + dest='custom_pki_admin_domain_name', action='store', nargs=1, metavar='<admin_domain>', help='PKI admin domain name (instance name prefix)') custom.add_argument('-i', - dest='pki_instance_name', action='store', + dest='custom_pki_instance_name', action='store', nargs=1, metavar='<instance>', help='PKI instance name (MUST specify REQUIRED ports)') custom.add_argument('--http_port', - dest='pki_http_port', action='store', + dest='custom_pki_http_port', action='store', nargs=1, metavar='<port>', help='HTTP port (CA, KRA, OCSP, RA, TKS, TPS)') custom.add_argument('--https_port', - dest='pki_https_port', action='store', + dest='custom_pki_https_port', action='store', nargs=1, metavar='<port>', help='HTTPS port (CA, KRA, OCSP, RA, TKS, TPS)') custom.add_argument('--ajp_port', - dest='pki_ajp_port', action='store', + dest='custom_pki_ajp_port', action='store', nargs=1, metavar='<port>', help='AJP port (CA, KRA, OCSP, TKS)') args = parser.parse_args() 
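Review bot: Every custom argument is declared with `nargs=1`, which makes argparse store a one-element list, and the `@@ -141` hunk below then undoes that with `str(args.custom_pki_http_port).strip('[\']')`; dropping `nargs=1` (the default stores the bare string) removes the strip hack on all five values. For the three port options, `type=int` would additionally reject non-numeric input at parse time instead of letting an arbitrary string flow into `pki_web_server_dict` and the generated configuration, e.g. `custom.add_argument('--http_port', dest='custom_pki_http_port', type=int, metavar='<port>', ...)`. The change to `nargs` and the consumer in `@@ -141` belong in one commit. `process_command_line_arguments` starts and ends outside the hunk.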
@@ -141,19 +141,22 @@ def process_command_line_arguments(argv):
 config.pki_jython_log_level = config.PKI_JYTHON_WARNING_LOG_LEVEL
 config.pki_console_log_level = logging.WARNING
 config.pki_log_level = logging.INFO
- if not args.pki_admin_domain_name is None:
- config.pki_admin_domain_name =\
- str(args.pki_admin_domain_name).strip('[\']')
- if not args.pki_instance_name is None:
- config.pki_instance_name =\
- str(args.pki_instance_name).strip('[\']')
- if not args.pki_http_port is None:
- config.pki_http_port = str(args.pki_http_port).strip('[\']')
- if not args.pki_https_port is None:
- config.pki_https_port = str(args.pki_https_port).strip('[\']')
- if not args.pki_ajp_port is None:
+ if not args.custom_pki_admin_domain_name is None:
+ config.custom_pki_admin_domain_name =\
+ str(args.custom_pki_admin_domain_name).strip('[\']')
+ if not args.custom_pki_instance_name is None:
+ config.custom_pki_instance_name =\
+ str(args.custom_pki_instance_name).strip('[\']')
+ if not args.custom_pki_http_port is None:
+ config.custom_pki_http_port =\
+ str(args.custom_pki_http_port).strip('[\']')
+ if not args.custom_pki_https_port is None:
+ config.custom_pki_https_port =\
+ str(args.custom_pki_https_port).strip('[\']')
+ if not args.custom_pki_ajp_port is None:
 if config.pki_subsystem in config.PKI_TOMCAT_SUBSYSTEMS:
- config.pki_ajp_port = str(args.pki_ajp_port).strip('[\']')
+ config.custom_pki_ajp_port =\
+ str(args.custom_pki_ajp_port).strip('[\']')
 else:
 print "ERROR: " +\
 log.PKI_CUSTOM_TOMCAT_AJP_PORT_1 %\
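Review bot: The option values are still recovered by stringifying the one-element list argparse produces for `nargs=1` and stripping `[`, `'` and `]` from both ends (`str(args.custom_pki_http_port).strip('[\']')`), which also strips those characters from the value itself when it starts or ends with one; indexing the list, `args.custom_pki_http_port[0]`, yields the value unchanged. The three port arguments are kept as strings and nothing here checks that they are integers in a valid range before they are stored in config, so `type=int` on the `--http_port`/`--https_port`/`--ajp_port` definitions in the `@@ -79` hunk would reject malformed input at parse time. `if not x is None` reads more naturally as `if x is not None`; the same form recurs through the `@@ -161` hunk. process_command_line_arguments continues outside the hunk.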
@@ -161,24 +164,24 @@ def process_command_line_arguments(argv):
 print
 parser.print_help()
 parser.exit(-1);
- if not args.pki_instance_name is None or\
- not args.pki_http_port is None or\
- not args.pki_https_port is None or\
- not args.pki_ajp_port is None:
+ if not args.custom_pki_instance_name is None or\
+ not args.custom_pki_http_port is None or\
+ not args.custom_pki_https_port is None or\
+ not args.custom_pki_ajp_port is None:
 if config.pki_subsystem in config.PKI_APACHE_SUBSYSTEMS:
- if args.pki_instance_name is None or\
- args.pki_http_port is None or\
- args.pki_https_port is None:
+ if args.custom_pki_instance_name is None or\
+ args.custom_pki_http_port is None or\
+ args.custom_pki_https_port is None:
 print "ERROR: " + log.PKI_CUSTOM_APACHE_INSTANCE_1 %\
 config.pki_subsystem
 print
 parser.print_help()
 parser.exit(-1);
 elif config.pki_subsystem in config.PKI_TOMCAT_SUBSYSTEMS:
- if args.pki_instance_name is None or\
- args.pki_http_port is None or\
- args.pki_https_port is None or\
- args.pki_ajp_port is None:
+ if args.custom_pki_instance_name is None or\
+ args.custom_pki_http_port is None or\
+ args.custom_pki_https_port is None or\
+ args.custom_pki_ajp_port is None:
 print "ERROR: " + log.PKI_CUSTOM_TOMCAT_INSTANCE_1 %\
 config.pki_subsystem
 print
@@ -191,16 +194,51 @@ def process_command_line_arguments(argv):
 # explicitly specified if it does not use the default location
 # and/or default configuration file name.
 if config.pki_subsystem in config.PKI_APACHE_SUBSYSTEMS:
- default_pki_instance_name =\
- config.PKI_DEPLOYMENT_DEFAULT_APACHE_INSTANCE_NAME
+ if not config.custom_pki_instance_name is None:
+ default_pki_instance_name = config.custom_pki_instance_name
+ else:
+ default_pki_instance_name =\
+ config.PKI_DEPLOYMENT_DEFAULT_APACHE_INSTANCE_NAME
+ if not config.custom_pki_admin_domain_name is None:
+ config.pkideployment_cfg =\
+ config.pki_root_prefix +\
+ config.PKI_DEPLOYMENT_REGISTRY_ROOT + "/" +\
+ config.PKI_DEPLOYMENT_DEFAULT_APACHE_INSTANCE_NAME + "/" +\
+ config.custom_pki_admin_domain_name + "-" +\
+ default_pki_instance_name +"/" +\
+ config.pki_subsystem.lower() +"/" +\
+ config.PKI_DEPLOYMENT_DEFAULT_CONFIGURATION_FILE
+ else:
+ config.pkideployment_cfg =\
+ config.pki_root_prefix +\
+ config.PKI_DEPLOYMENT_REGISTRY_ROOT + "/" +\
+ config.PKI_DEPLOYMENT_DEFAULT_APACHE_INSTANCE_NAME + "/" +\
+ default_pki_instance_name +"/" +\
+ config.pki_subsystem.lower() +"/" +\
+ config.PKI_DEPLOYMENT_DEFAULT_CONFIGURATION_FILE
 elif config.pki_subsystem in config.PKI_TOMCAT_SUBSYSTEMS:
- default_pki_instance_name =\
- config.PKI_DEPLOYMENT_DEFAULT_TOMCAT_INSTANCE_NAME
- config.pkideployment_cfg = config.pki_root_prefix +\
- config.PKI_DEPLOYMENT_REGISTRY_ROOT + "/" +\
- default_pki_instance_name +"/" +\
- config.pki_subsystem.lower() +"/" +\
- config.PKI_DEPLOYMENT_DEFAULT_CONFIGURATION_FILE
+ if not config.custom_pki_instance_name is None:
+ default_pki_instance_name = config.custom_pki_instance_name
+ else:
+ default_pki_instance_name =\
+ config.PKI_DEPLOYMENT_DEFAULT_TOMCAT_INSTANCE_NAME
+ if not config.custom_pki_admin_domain_name is None:
+ config.pkideployment_cfg =\
+ config.pki_root_prefix +\
+ config.PKI_DEPLOYMENT_REGISTRY_ROOT + "/" +\
+ config.PKI_DEPLOYMENT_DEFAULT_TOMCAT_INSTANCE_NAME + "/" +\
+ config.custom_pki_admin_domain_name + "-" +\
+ default_pki_instance_name +"/" +\
+ config.pki_subsystem.lower() +"/" +\
+ config.PKI_DEPLOYMENT_DEFAULT_CONFIGURATION_FILE
+ else:
+ config.pkideployment_cfg =\
+ config.pki_root_prefix +\
+ config.PKI_DEPLOYMENT_REGISTRY_ROOT + "/" +\
+ config.PKI_DEPLOYMENT_DEFAULT_TOMCAT_INSTANCE_NAME + "/" +\
+ default_pki_instance_name +"/" +\
+ config.pki_subsystem.lower() +"/" +\
+ config.PKI_DEPLOYMENT_DEFAULT_CONFIGURATION_FILE
 if not os.path.exists(config.pkideployment_cfg) or\
 not os.path.isfile(config.pkideployment_cfg):
 print "ERROR: " +\
@@ -334,16 +372,47 @@ def compose_pki_master_dictionary():
 "conf")
 config.pki_master_dict['pki_source_setup_path'] =\
 os.path.join(config.PKI_DEPLOYMENT_SOURCE_ROOT,
- config.pki_master_dict['pki_subsystem'].lower(),
 "setup")
+ config.pki_master_dict['pki_source_shared_path'] =\
+ os.path.join(config.PKI_DEPLOYMENT_SOURCE_ROOT,
+ "shared",
+ "conf")
 config.pki_master_dict['pki_source_cs_cfg'] =\
 os.path.join(config.pki_master_dict['pki_source_conf_path'],
 "CS.cfg")
 config.pki_master_dict['pki_source_registry'] =\
 os.path.join(config.pki_master_dict['pki_source_setup_path'],
- "registry_instance")
+ "pkidaemon_registry")
 if config.pki_master_dict['pki_subsystem'] in\
- config.PKI_TOMCAT_SUBSYSTEMS:
+ config.PKI_APACHE_SUBSYSTEMS:
+ config.pki_master_dict['pki_systemd_service'] =\
+ config.PKI_DEPLOYMENT_SYSTEMD_ROOT + "/" +\
+ "pki-apached" + "@" + ".service"
+ config.pki_master_dict['pki_systemd_target'] =\
+ config.PKI_DEPLOYMENT_SYSTEMD_ROOT + "/" +\
+ "pki-apached.target"
+ config.pki_master_dict['pki_systemd_target_wants'] =\
+ config.PKI_DEPLOYMENT_SYSTEMD_CONFIGURATION_ROOT + "/" +\
+ "pki-apached.target.wants"
+ config.pki_master_dict['pki_systemd_service_link'] =\
+ config.pki_master_dict['pki_systemd_target_wants'] + "/" +\
+ "pki-apached" + "@" +\
+ config.pki_master_dict['pki_instance_id'] + ".service"
+ elif config.pki_master_dict['pki_subsystem'] in\
+ config.PKI_TOMCAT_SUBSYSTEMS:
+ config.pki_master_dict['pki_systemd_service'] =\
+ config.PKI_DEPLOYMENT_SYSTEMD_ROOT + "/" +\
+ "pki-tomcatd" + "@" + ".service"
+ config.pki_master_dict['pki_systemd_target'] =\
+ config.PKI_DEPLOYMENT_SYSTEMD_ROOT + "/" +\
+ "pki-tomcatd.target"
+ config.pki_master_dict['pki_systemd_target_wants'] =\
+ config.PKI_DEPLOYMENT_SYSTEMD_CONFIGURATION_ROOT + "/" +\
+ "pki-tomcatd.target.wants"
+ config.pki_master_dict['pki_systemd_service_link'] =\
+ config.pki_master_dict['pki_systemd_target_wants'] + "/" +\
+ "pki-tomcatd" + "@" +\
+ config.pki_master_dict['pki_instance_id'] + ".service"
 config.pki_master_dict['pki_tomcat_bin_path'] =\
 os.path.join(config.PKI_DEPLOYMENT_TOMCAT_ROOT,
 "bin")
@@ -364,16 +433,16 @@ def compose_pki_master_dictionary():
 os.path.join(config.pki_master_dict['pki_war_path'],
 config.pki_master_dict['pki_war_name'])
 config.pki_master_dict['pki_source_catalina_properties'] =\
- os.path.join(config.pki_master_dict['pki_source_conf_path'],
+ os.path.join(config.pki_master_dict['pki_source_shared_path'],
 "catalina.properties")
 config.pki_master_dict['pki_source_servercertnick_conf'] =\
- os.path.join(config.pki_master_dict['pki_source_conf_path'],
+ os.path.join(config.pki_master_dict['pki_source_shared_path'],
 "serverCertNick.conf")
 config.pki_master_dict['pki_source_server_xml'] =\
- os.path.join(config.pki_master_dict['pki_source_conf_path'],
+ os.path.join(config.pki_master_dict['pki_source_shared_path'],
 "server.xml")
 config.pki_master_dict['pki_source_tomcat_conf'] =\
- os.path.join(config.pki_master_dict['pki_source_conf_path'],
+ os.path.join(config.pki_master_dict['pki_source_shared_path'],
 "tomcat.conf")
 config.pki_master_dict['pki_source_index_jsp'] =\
 os.path.join(config.pki_master_dict['pki_source_webapps_path'],
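Review bot: The Apache and Tomcat branches that set `pki_systemd_service`, `pki_systemd_target`, `pki_systemd_target_wants` and `pki_systemd_service_link` are identical apart from the `pki-apached`/`pki-tomcatd` stem, so choos­ing the stem once and building the four paths with os.path.join (as the neighbouring `pki_source_*` keys do) removes the duplication. `"pki-apached" + "@" + ".service"` is a single literal, `"pki-apached@.service"`. `pki_instance_id` is embedded verbatim as the systemd instance name in `pki_systemd_service_link`; unit names have a restricted character set, so an id containing other characters (a `/`, for instance) would need to be escaped or rejected before this point, and nothing visible here does that. The hunk starts mid-function; the Tomcat-only `pki_tomcat_*` keys that follow stay in their own branch.
```python
    if config.pki_master_dict['pki_subsystem'] in\
       config.PKI_APACHE_SUBSYSTEMS:
        systemd_daemon = "pki-apached"
    elif config.pki_master_dict['pki_subsystem'] in\
         config.PKI_TOMCAT_SUBSYSTEMS:
        systemd_daemon = "pki-tomcatd"
    config.pki_master_dict['pki_systemd_service'] =\
        os.path.join(config.PKI_DEPLOYMENT_SYSTEMD_ROOT,
                     systemd_daemon + "@.service")
    config.pki_master_dict['pki_systemd_target'] =\
        os.path.join(config.PKI_DEPLOYMENT_SYSTEMD_ROOT,
                     systemd_daemon + ".target")
    config.pki_master_dict['pki_systemd_target_wants'] =\
        os.path.join(config.PKI_DEPLOYMENT_SYSTEMD_CONFIGURATION_ROOT,
                     systemd_daemon + ".target.wants")
    config.pki_master_dict['pki_systemd_service_link'] =\
        os.path.join(config.pki_master_dict['pki_systemd_target_wants'],
                     systemd_daemon + "@" +
                     config.pki_master_dict['pki_instance_id'] + ".service")
    # … unchanged: Tomcat-only pki_tomcat_* keys, still gated on PKI_TOMCAT_SUBSYSTEMS …
```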
@@ -425,12 +494,24 @@ def compose_pki_master_dictionary():
 os.path.join(config.pki_master_dict['pki_configuration_path'],
 config.pki_master_dict['pki_instance_id'])
 # Apache/Tomcat instance registry name/value pairs
- config.pki_master_dict['pki_instance_registry_path'] =\
- os.path.join(config.pki_master_dict['pki_registry_path'],
- config.pki_master_dict['pki_instance_id'])
- # Tomcat-specific instance name/value pairs
+ # Apache-specific instance name/value pairs
 if config.pki_master_dict['pki_subsystem'] in\
- config.PKI_TOMCAT_SUBSYSTEMS:
+ config.PKI_APACHE_SUBSYSTEMS:
+ # Apache instance base name/value pairs
+ # Apache instance log name/value pairs
+ # Apache instance configuration name/value pairs
+ # Apache instance registry name/value pairs
+ config.pki_master_dict['pki_instance_type_registry_path'] =\
+ os.path.join(config.pki_master_dict['pki_registry_path'],
+ "apache")
+ config.pki_master_dict['pki_instance_registry_path'] =\
+ os.path.join(
+ config.pki_master_dict['pki_instance_type_registry_path'],
+ config.pki_master_dict['pki_instance_id'])
+ # Apache instance convenience symbolic links
+ # Tomcat-specific instance name/value pairs
+ elif config.pki_master_dict['pki_subsystem'] in\
+ config.PKI_TOMCAT_SUBSYSTEMS:
 # Tomcat instance base name/value pairs
 config.pki_master_dict['pki_tomcat_common_path'] =\
 os.path.join(config.pki_master_dict['pki_instance_path'],
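Review bot: The Apache branch carries four comment headings (`# Apache instance base name/value pairs`, the log, configuration and convenience-symlink variants) with nothing under them, so they read as placeholders; either drop them or mark them `# TODO:` so the gap is visible. Moving `pki_instance_registry_path` out of the common code into the two branches means a subsystem that is in neither `PKI_APACHE_SUBSYSTEMS` nor `PKI_TOMCAT_SUBSYSTEMS` no longer gets the key and later reads raise KeyError — harmless only if `pki_subsystem` has been validated earlier, which is not visible here. The Tomcat branch in the `@@ -467` hunk repeats the same two assignments with `"tomcat"` in place of `"apache"`; a local holding the web-server type, chosen once by this `if`/`elif`, would serve both branches and the `PKI_WEB_SERVER_TYPE_SLOT` literals later in the file. compose_pki_master_dictionary continues outside the hunk.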
@@ -467,6 +548,13 @@ def compose_pki_master_dictionary():
 # Tomcat instance log name/value pairs
 # Tomcat instance configuration name/value pairs
 # Tomcat instance registry name/value pairs
+ config.pki_master_dict['pki_instance_type_registry_path'] =\
+ os.path.join(config.pki_master_dict['pki_registry_path'],
+ "tomcat")
+ config.pki_master_dict['pki_instance_registry_path'] =\
+ os.path.join(
+ config.pki_master_dict['pki_instance_type_registry_path'],
+ config.pki_master_dict['pki_instance_id'])
 # Tomcat instance convenience symbolic links
 config.pki_master_dict['pki_tomcat_bin_link'] =\
 os.path.join(config.pki_master_dict['pki_instance_path'],
@@ -572,26 +660,30 @@ def compose_pki_master_dictionary():
 config.pki_master_dict['pki_subsystem_configuration_path'],
 "CS.cfg")
 config.pki_master_dict['pki_target_registry'] =\
- os.path.join(config.pki_master_dict['pki_subsystem_registry_path'],
+ os.path.join(config.pki_master_dict['pki_instance_registry_path'],
 config.pki_master_dict['pki_instance_id'])
 if config.pki_master_dict['pki_subsystem'] in\
 config.PKI_TOMCAT_SUBSYSTEMS:
 config.pki_master_dict['pki_target_catalina_properties'] =\
 os.path.join(
- config.pki_master_dict['pki_subsystem_configuration_path'],
+ config.pki_master_dict['pki_instance_configuration_path'],
 "catalina.properties")
 config.pki_master_dict['pki_target_servercertnick_conf'] =\
 os.path.join(
- config.pki_master_dict['pki_subsystem_configuration_path'],
+ config.pki_master_dict['pki_instance_configuration_path'],
 "serverCertNick.conf")
 config.pki_master_dict['pki_target_server_xml'] =\
 os.path.join(
- config.pki_master_dict['pki_subsystem_configuration_path'],
+ config.pki_master_dict['pki_instance_configuration_path'],
 "server.xml")
- config.pki_master_dict['pki_target_tomcat_conf'] =\
+ config.pki_master_dict['pki_target_tomcat_conf_instance_id'] =\
 config.pki_master_dict['pki_root_prefix'] +\
 "/etc/sysconfig/" +\
 config.pki_master_dict['pki_instance_id']
+ config.pki_master_dict['pki_target_tomcat_conf'] =\
+ os.path.join(
+ config.pki_master_dict['pki_instance_configuration_path'],
+ "tomcat.conf")
 config.pki_master_dict['pki_target_index_jsp'] =\
 os.path.join(
 config.pki_master_dict['pki_tomcat_webapps_root_path'],
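Review bot: `pki_target_registry` now lives under `pki_instance_registry_path`, but the unchanged `PKI_REGISTRY_FILE_SLOT` line in the `@@ -626` hunk still joins `pki_subsystem_registry_path` with the instance id, so the registry file is written to one path while the slot substituted into the daemon templates names another — unless `pki_subsystem_registry_path` is redefined to the same location elsewhere in this function, that reference looks stale. `pki_target_tomcat_conf_instance_id` is built by string concatenation (`pki_root_prefix` + `"/etc/sysconfig/"` + `pki_instance_id`) while every neighbouring key uses os.path.join; `os.path.join(config.pki_master_dict['pki_root_prefix'] + "/etc/sysconfig", config.pki_master_dict['pki_instance_id'])` keeps the style uniform. The hunk starts mid-function.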
@@ -626,14 +718,8 @@ def compose_pki_master_dictionary():
 config.pki_master_dict['PKI_INSTANCE_ID_SLOT'] =\
 config.pki_master_dict['pki_instance_id']
 config.pki_master_dict['PKI_INSTANCE_INITSCRIPT_SLOT'] =\
- os.path.join(config.pki_master_dict['pki_subsystem_path'],
+ os.path.join(config.pki_master_dict['pki_instance_path'],
 config.pki_master_dict['pki_instance_id'])
- config.pki_master_dict['PKI_LOCKDIR_SLOT'] =\
- os.path.join("/var/lock/pki",
- config.pki_master_dict['pki_subsystem'].lower())
- config.pki_master_dict['PKI_PIDDIR_SLOT'] =\
- os.path.join("/var/run/pki",
- config.pki_master_dict['pki_subsystem'].lower())
 config.pki_master_dict['PKI_REGISTRY_FILE_SLOT'] =\
 os.path.join(config.pki_master_dict['pki_subsystem_registry_path'],
 config.pki_master_dict['pki_instance_id'])
@@ -650,6 +736,13 @@ def compose_pki_master_dictionary():
 config.pki_master_dict['NON_CLIENTAUTH_SECURE_PORT_SLOT'] = None
 config.pki_master_dict['NSS_CONF_SLOT'] = None
 config.pki_master_dict['OBJ_EXT_SLOT'] = None
+ config.pki_master_dict['PKI_LOCKDIR_SLOT'] =\
+ os.path.join("/var/lock/pki",
+ "apache")
+ config.pki_master_dict['PKI_PIDDIR_SLOT'] =\
+ os.path.join("/var/run/pki",
+ "apache")
+ config.pki_master_dict['PKI_WEB_SERVER_TYPE_SLOT'] = "apache"
 config.pki_master_dict['PORT_SLOT'] = None
 config.pki_master_dict['PROCESS_ID_SLOT'] = None
 config.pki_master_dict['REQUIRE_CFG_PL_SLOT'] = None
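Review bot: The new `PKI_LOCKDIR_SLOT` and `PKI_PIDDIR_SLOT` values in the `@@ -650` hunk hard-code `/var/lock/pki` and `/var/run/pki` without `pki_root_prefix`, whereas the `/etc/sysconfig/` path in the `@@ -572` hunk is prefixed, so a prefixed deployment still writes lock and pid files under the real `/var`. The directory leaf also changes from the subsystem type (the `pki_subsystem.lower()` form removed in the `@@ -626` hunk) to the web-server type, `"apache"` here and `"tomcat"` in the `@@ -711` and `@@ -731` hunks, while the `registry_instance` templates touched by this commit keep `/var/lock/pki/${PKI_SUBSYSTEM_TYPE}`; if both layouts are meant to coexist, a comment naming which consumer reads which would spare the next reader a search. Because that leaf is exactly the value of `PKI_WEB_SERVER_TYPE_SLOT`, computing a local `web_server_type` once and using it for all three slots in both branches removes four duplicated literals. compose_pki_master_dictionary continues outside the hunk.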
@@ -711,14 +804,15 @@ def compose_pki_master_dictionary():
 "Unused"
 config.pki_master_dict['PKI_EE_SECURE_PORT_SERVER_COMMENT_SLOT'] =\
 ""
- config.pki_master_dict['PKI_FLAVOR_SLOT'] =\
- "pki"
 config.pki_master_dict['PKI_GROUP_SLOT'] =\
 config.pki_master_dict['pki_group']
 config.pki_master_dict['PKI_INSTANCE_PATH_SLOT'] =\
- config.pki_master_dict['pki_subsystem_path']
- config.pki_master_dict['PKI_INSTANCE_ROOT_SLOT'] =\
 config.pki_master_dict['pki_instance_path']
+ config.pki_master_dict['PKI_INSTANCE_ROOT_SLOT'] =\
+ config.pki_master_dict['pki_path']
+ config.pki_master_dict['PKI_LOCKDIR_SLOT'] =\
+ os.path.join("/var/lock/pki",
+ "tomcat")
 config.pki_master_dict['PKI_MACHINE_NAME_SLOT'] =\
 config.pki_master_dict['pki_hostname']
 config.pki_master_dict['PKI_OPEN_AJP_PORT_COMMENT_SLOT'] =\
@@ -731,6 +825,9 @@ def compose_pki_master_dictionary():
 config.pki_master_dict\
 ['PKI_OPEN_SEPARATE_PORTS_WEB_COMMENT_SLOT'] =\
 "<!--"
+ config.pki_master_dict['PKI_PIDDIR_SLOT'] =\
+ os.path.join("/var/run/pki",
+ "tomcat")
 config.pki_master_dict['PKI_PROXY_SECURE_PORT_SLOT'] =\
 config.pki_master_dict['pki_proxy_https_port']
 config.pki_master_dict['PKI_PROXY_UNSECURE_PORT_SLOT'] =\
@@ -752,9 +849,8 @@ def compose_pki_master_dictionary():
 config.pki_master_dict['PKI_SUBSYSTEM_TYPE_SLOT'] =\
 config.pki_master_dict['pki_subsystem'].lower()
 config.pki_master_dict['PKI_SYSTEMD_SERVICENAME_SLOT'] =\
- "pki-" + config.pki_master_dict['pki_subsystem'].lower() +\
- "d" + "@" + "pki-" +\
- config.pki_master_dict['pki_subsystem'].lower() + ".service"
+ "pki-tomcatd" + "@" +\
+ config.pki_master_dict['pki_instance_id'] + ".service"
 config.pki_master_dict['PKI_UNSECURE_PORT_SLOT'] =\
 config.pki_master_dict['pki_http_port']
 config.pki_master_dict['PKI_UNSECURE_PORT_CONNECTOR_NAME_SLOT'] =\
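Review bot: `PKI_SYSTEMD_SERVICENAME_SLOT` in the `@@ -752` hunk now embeds `pki_instance_id` verbatim as the instance part of `pki-tomcatd@<id>.service`, and the same id forms `pki_systemd_service_link` in the `@@ -334` hunk; systemd unit names accept only a limited character set, so an id containing anything else (a `/`, for example) should be rejected or escaped before it reaches the templates, and nothing visible here validates it. `"pki-tomcatd" + "@" +\` joins two literals that can simply be `"pki-tomcatd@" +\`. In the `@@ -731` hunk `PKI_PIDDIR_SLOT` becomes `/var/run/pki/tomcat`, while the unchanged `TOMCAT_PIDFILE_SLOT` in the `@@ -772` hunk still names `/var/run/<instance>.pid`; if a Tomcat `pkidaemon_registry` derives its pid file from `[PKI_PIDDIR]` the way the RA one in this commit does, the daemon wrapper and Tomcat's `CATALINA_PID` will disagree about where the pid file lives. compose_pki_master_dictionary continues outside the hunk.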
@@ -763,6 +859,8 @@ def compose_pki_master_dictionary():
 "<!-- Shared Ports: Unsecure Port Connector -->"
 config.pki_master_dict['PKI_USER_SLOT'] =\
 config.pki_master_dict['pki_user']
+ config.pki_master_dict['PKI_WEB_SERVER_TYPE_SLOT'] =\
+ "tomcat"
 config.pki_master_dict['PKI_WEBAPPS_NAME_SLOT'] =\
 "webapps"
 config.pki_master_dict['TOMCAT_CFG_SLOT'] =\
@@ -772,7 +870,7 @@ def compose_pki_master_dictionary():
 config.pki_master_dict['pki_tomcat_common_lib_path'],
 "*.jar")
 config.pki_master_dict['TOMCAT_LOG_DIR_SLOT'] =\
- config.pki_master_dict['pki_subsystem_log_path']
+ config.pki_master_dict['pki_instance_log_path']
 config.pki_master_dict['TOMCAT_PIDFILE_SLOT'] =\
 "/var/run/" + config.pki_master_dict['pki_instance_id'] + ".pid"
 config.pki_master_dict['TOMCAT_SERVER_PORT_SLOT'] =\
diff --git a/base/deploy/src/scriptlets/slot_substitution.py b/base/deploy/src/scriptlets/slot_substitution.py
index 2e2d94545..93b0ae750 100644
--- a/base/deploy/src/scriptlets/slot_substitution.py
+++ b/base/deploy/src/scriptlets/slot_substitution.py
@@ -38,17 +38,25 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
 util.file.copy_with_slot_substitution(master['pki_source_cs_cfg'],
 master['pki_target_cs_cfg'])
 util.file.copy_with_slot_substitution(master['pki_source_registry'],
- master['pki_target_registry'])
+ master['pki_target_registry'],
+ overwrite_flag=True)
 if master['pki_subsystem'] in config.PKI_TOMCAT_SUBSYSTEMS:
 util.file.copy_with_slot_substitution(
 master['pki_source_catalina_properties'],
- master['pki_target_catalina_properties'])
+ master['pki_target_catalina_properties'],
+ overwrite_flag=True)
 util.file.copy_with_slot_substitution(
 master['pki_source_servercertnick_conf'],
- master['pki_target_servercertnick_conf'])
+ master['pki_target_servercertnick_conf'],
+ overwrite_flag=True)
 util.file.copy_with_slot_substitution(
 master['pki_source_server_xml'],
- master['pki_target_server_xml'])
+ master['pki_target_server_xml'],
+ overwrite_flag=True)
+ util.file.copy_with_slot_substitution(
+ master['pki_source_tomcat_conf'],
+ master['pki_target_tomcat_conf_instance_id'],
+ overwrite_flag=True)
 util.file.copy_with_slot_substitution(
 master['pki_source_tomcat_conf'],
 master['pki_target_tomcat_conf'],
@@ -93,6 +101,10 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
 overwrite_flag=True)
 util.file.copy_with_slot_substitution(
 master['pki_source_tomcat_conf'],
+ master['pki_target_tomcat_conf_instance_id'],
+ overwrite_flag=True)
+ util.file.copy_with_slot_substitution(
+ master['pki_source_tomcat_conf'],
 master['pki_target_tomcat_conf'],
 overwrite_flag=True)
 util.file.copy_with_slot_substitution(
diff --git a/base/kra/setup/registry_instance b/base/kra/setup/registry_instance
index 3210b9131..c97b0c736 100644
--- a/base/kra/setup/registry_instance
+++ b/base/kra/setup/registry_instance
@@ -1,8 +1,5 @@
 # Establish PKI Variable "Slot" Substitutions
-PKI_FLAVOR=[PKI_FLAVOR]
-export PKI_FLAVOR
-
 PKI_SUBSYSTEM_TYPE=[PKI_SUBSYSTEM_TYPE]
 export PKI_SUBSYSTEM_TYPE
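Review bot: Adding `overwrite_flag=True` to the registry, `catalina.properties`, `serverCertNick.conf` and `server.xml` copies in the `@@ -38` hunk means a re-run of this scriptlet against an existing instance silently replaces files an operator may have hand-tuned — `server.xml` holds the TLS connector and cipher settings and `serverCertNick.conf` the server certificate nickname. The enclosing method starts outside the hunk; if this is the spawn path rather than respawn, a comment above the first copy saying why regeneration is intended (or a pre-check that refuses to touch an instance that already exists) would make the behaviour deliberate rather than accidental. `pki_source_tomcat_conf` is now rendered twice, into `pki_target_tomcat_conf_instance_id` (`/etc/sysconfig/<instance>`) and `pki_target_tomcat_conf`; a one-line comment on the first copy naming which consumer reads each file would save a trip to pkiparser.py. The `@@ -93` hunk repeats the same pair of copies.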
@@ -38,13 +35,13 @@ export TOMCAT_USER
 TOMCAT_GROUP=$PKI_GROUP
 export TOMCAT_GROUP
-PKI_LOCKDIR="/var/lock/${PKI_FLAVOR}/${PKI_SUBSYSTEM_TYPE}"
+PKI_LOCKDIR="/var/lock/pki/${PKI_SUBSYSTEM_TYPE}"
 export PKI_LOCKDIR
 PKI_LOCKFILE="${PKI_LOCKDIR}/${PKI_INSTANCE_ID}"
 export PKI_LOCKFILE
-PKI_PIDDIR="/var/run/${PKI_FLAVOR}/${PKI_SUBSYSTEM_TYPE}"
+PKI_PIDDIR="/var/run/pki/${PKI_SUBSYSTEM_TYPE}"
 export PKI_PIDDIR
 PKI_PIDFILE="${PKI_PIDDIR}/${PKI_INSTANCE_ID}.pid"
diff --git a/base/kra/shared/conf/CS.cfg.in b/base/kra/shared/conf/CS.cfg.in
index a6d49ceb5..5135e1311 100644
--- a/base/kra/shared/conf/CS.cfg.in
+++ b/base/kra/shared/conf/CS.cfg.in
@@ -221,12 +221,12 @@ internaldb.ldapauth.clientCertNickname=
 internaldb.ldapconn.host=
 internaldb.ldapconn.port=
 internaldb.ldapconn.secureConn=false
-preop.internaldb.schema.ldif=/usr/share/[PKI_FLAVOR]/kra/conf/schema.ldif
-preop.internaldb.ldif=/usr/share/[PKI_FLAVOR]/kra/conf/database.ldif
-preop.internaldb.data_ldif=/usr/share/[PKI_FLAVOR]/kra/conf/db.ldif,/usr/share/[PKI_FLAVOR]/kra/conf/acl.ldif
+preop.internaldb.schema.ldif=/usr/share/pki/kra/conf/schema.ldif
+preop.internaldb.ldif=/usr/share/pki/kra/conf/database.ldif
+preop.internaldb.data_ldif=/usr/share/pki/kra/conf/db.ldif,/usr/share/pki/kra/conf/acl.ldif
 preop.internaldb.index_ldif=
-preop.internaldb.manager_ldif=/usr/share/[PKI_FLAVOR]/ca/conf/manager.ldif
-preop.internaldb.post_ldif=/usr/share/[PKI_FLAVOR]/kra/conf/index.ldif,/usr/share/[PKI_FLAVOR]/kra/conf/vlv.ldif,/usr/share/[PKI_FLAVOR]/kra/conf/vlvtasks.ldif
+preop.internaldb.manager_ldif=/usr/share/pki/ca/conf/manager.ldif
+preop.internaldb.post_ldif=/usr/share/pki/kra/conf/index.ldif,/usr/share/pki/kra/conf/vlv.ldif,/usr/share/pki/kra/conf/vlvtasks.ldif
 preop.internaldb.wait_dn=cn=index1160527115, cn=index, cn=tasks, cn=config
 internaldb.multipleSuffix.enable=false
 jobsScheduler._000=##
diff --git a/base/kra/shared/conf/server.xml b/base/kra/shared/conf/server.xml
index 58121d448..96e396b72 100644
--- a/base/kra/shared/conf/server.xml
+++ b/base/kra/shared/conf/server.xml
@@ -196,7 +196,7 @@ Tomcat Port = [TOMCAT_SERVER_PORT] (for shutdown)
 <!-- Define an AJP 1.3 Connector on port [PKI_AJP_PORT] -->
 [PKI_OPEN_AJP_PORT_COMMENT]
- <Connector port="[PKI_AJP_PORT]" protocol="AJP/1.3" redirectPort="PKI_AJP_REDIRECT_PORT]" />
+ <Connector port="[PKI_AJP_PORT]" protocol="AJP/1.3" redirectPort="[PKI_AJP_REDIRECT_PORT]" />
 [PKI_CLOSE_AJP_PORT_COMMENT]
diff --git a/base/kra/shared/conf/tomcat.conf b/base/kra/shared/conf/tomcat.conf
deleted file mode 100644
index 92af5f8b9..000000000
--- a/base/kra/shared/conf/tomcat.conf
+++ /dev/null
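Review bot: The restored `[` in `redirectPort="[PKI_AJP_REDIRECT_PORT]"` fixes the slot only in the KRA template; the CA, OCSP and TKS `server.xml` templates are not part of this diff, so it is worth confirming they do not carry the same truncated slot, which would leave a literal `PKI_AJP_REDIRECT_PORT]` as the connector's redirect port after substitution. A grep of the shared templates for `="PKI_` would catch any remaining occurrence.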
@@ -1,52 +0,0 @@
-# System-wide configuration file for tomcat services
-# This will be sourced by tomcat and any secondary service
-# Values will be overridden by service-specific configuration
-# files in /etc/sysconfig
-#
-# Use this one to change default values for all services
-# Change the service specific ones to affect only one service
-# (see, for instance, /etc/sysconfig/tomcat)
-#
-
-# Where your java installation lives
-#JAVA_HOME="/usr/lib/jvm/jre"
-
-# Where your tomcat installation lives
-CATALINA_BASE="[PKI_INSTANCE_PATH]"
-#CATALINA_HOME="/usr/share/tomcat"
-#JASPER_HOME="/usr/share/tomcat"
-#CATALINA_TMPDIR="/var/cache/tomcat/temp"
-
-# You can pass some parameters to java here if you wish to
-#JAVA_OPTS="-Xminf0.1 -Xmaxf0.3"
-
-# Use JAVA_OPTS to set java.library.path for libtcnative.so
-#JAVA_OPTS="-Djava.library.path=/usr/lib"
-
-# What user should run tomcat
-TOMCAT_USER="[PKI_USER]"
-
-# You can change your tomcat locale here
-#LANG="en_US"
-
-# Run tomcat under the Java Security Manager
-SECURITY_MANAGER="[PKI_SECURITY_MANAGER]"
-
-# Time to wait in seconds, before killing process
-#SHUTDOWN_WAIT="30"
-
-# Whether to annoy the user with "attempting to shut down" messages or not
-#SHUTDOWN_VERBOSE="false"
-
-# Set the TOMCAT_PID location
-CATALINA_PID="[TOMCAT_PIDFILE]"
-
-# Set the tomcat log file
-TOMCAT_LOG="[TOMCAT_LOG_DIR]/tomcat-initd.log"
-
-# Connector port is 8080 for this tomcat instance
-#CONNECTOR_PORT="8080"
-
-# If you wish to further customize your tomcat environment,
-# put your own definitions here
-# (i.e. LD_LIBRARY_PATH for some jdbc drivers)
diff --git a/base/ocsp/setup/registry_instance b/base/ocsp/setup/registry_instance
index 3210b9131..c97b0c736 100644
--- a/base/ocsp/setup/registry_instance
+++ b/base/ocsp/setup/registry_instance
@@ -1,8 +1,5 @@
 # Establish PKI Variable "Slot" Substitutions
-PKI_FLAVOR=[PKI_FLAVOR]
-export PKI_FLAVOR
-
 PKI_SUBSYSTEM_TYPE=[PKI_SUBSYSTEM_TYPE]
 export PKI_SUBSYSTEM_TYPE
@@ -38,13 +35,13 @@ export TOMCAT_USER
 TOMCAT_GROUP=$PKI_GROUP
 export TOMCAT_GROUP
-PKI_LOCKDIR="/var/lock/${PKI_FLAVOR}/${PKI_SUBSYSTEM_TYPE}"
+PKI_LOCKDIR="/var/lock/pki/${PKI_SUBSYSTEM_TYPE}"
 export PKI_LOCKDIR
 PKI_LOCKFILE="${PKI_LOCKDIR}/${PKI_INSTANCE_ID}"
 export PKI_LOCKFILE
-PKI_PIDDIR="/var/run/${PKI_FLAVOR}/${PKI_SUBSYSTEM_TYPE}"
+PKI_PIDDIR="/var/run/pki/${PKI_SUBSYSTEM_TYPE}"
 export PKI_PIDDIR
 PKI_PIDFILE="${PKI_PIDDIR}/${PKI_INSTANCE_ID}.pid"
diff --git a/base/ocsp/shared/conf/CS.cfg.in b/base/ocsp/shared/conf/CS.cfg.in
index 5be916e7c..658a1b6d3 100644
--- a/base/ocsp/shared/conf/CS.cfg.in
+++ b/base/ocsp/shared/conf/CS.cfg.in
@@ -183,11 +183,11 @@ internaldb.ldapauth.clientCertNickname=
 internaldb.ldapconn.host=
 internaldb.ldapconn.port=
 internaldb.ldapconn.secureConn=false
-preop.internaldb.schema.ldif=/usr/share/[PKI_FLAVOR]/ocsp/conf/schema.ldif
-preop.internaldb.ldif=/usr/share/[PKI_FLAVOR]/ocsp/conf/database.ldif
-preop.internaldb.data_ldif=/usr/share/[PKI_FLAVOR]/ocsp/conf/db.ldif,/usr/share/[PKI_FLAVOR]/ocsp/conf/acl.ldif
-preop.internaldb.index_ldif=/usr/share/[PKI_FLAVOR]/ocsp/conf/index.ldif
-preop.internaldb.manager_ldif=/usr/share/[PKI_FLAVOR]/ca/conf/manager.ldif
+preop.internaldb.schema.ldif=/usr/share/pki/ocsp/conf/schema.ldif
+preop.internaldb.ldif=/usr/share/pki/ocsp/conf/database.ldif
+preop.internaldb.data_ldif=/usr/share/pki/ocsp/conf/db.ldif,/usr/share/pki/ocsp/conf/acl.ldif
+preop.internaldb.index_ldif=/usr/share/pki/ocsp/conf/index.ldif
+preop.internaldb.manager_ldif=/usr/share/pki/ca/conf/manager.ldif
 preop.internaldb.post_ldif=
 preop.internaldb.wait_dn=
 internaldb.multipleSuffix.enable=false
diff --git a/base/ocsp/shared/conf/tomcat.conf b/base/ocsp/shared/conf/tomcat.conf
deleted file mode 100644
index 92af5f8b9..000000000
--- a/base/ocsp/shared/conf/tomcat.conf
+++ /dev/null
@@ -1,52 +0,0 @@
-# System-wide configuration file for tomcat services
-# This will be sourced by tomcat and any secondary service
-# Values will be overridden by service-specific configuration
-# files in /etc/sysconfig
-#
-# Use this one to change default values for all services
-# Change the service specific ones to affect only one service
-# (see, for instance, /etc/sysconfig/tomcat)
-#
-
-# Where your java installation lives
-#JAVA_HOME="/usr/lib/jvm/jre"
-
-# Where your tomcat installation lives
-CATALINA_BASE="[PKI_INSTANCE_PATH]"
-#CATALINA_HOME="/usr/share/tomcat"
-#JASPER_HOME="/usr/share/tomcat"
-#CATALINA_TMPDIR="/var/cache/tomcat/temp"
-
-# You can pass some parameters to java here if you wish to
-#JAVA_OPTS="-Xminf0.1 -Xmaxf0.3"
-
-# Use JAVA_OPTS to set java.library.path for libtcnative.so
-#JAVA_OPTS="-Djava.library.path=/usr/lib"
-
-# What user should run tomcat
-TOMCAT_USER="[PKI_USER]"
-
-# You can change your tomcat locale here
-#LANG="en_US"
-
-# Run tomcat under the Java Security Manager
-SECURITY_MANAGER="[PKI_SECURITY_MANAGER]"
-
-# Time to wait in seconds, before killing process
-#SHUTDOWN_WAIT="30"
-
-# Whether to annoy the user with "attempting to shut down" messages or not
-#SHUTDOWN_VERBOSE="false"
-
-# Set the TOMCAT_PID location
-CATALINA_PID="[TOMCAT_PIDFILE]"
-
-# Set the tomcat log file
-TOMCAT_LOG="[TOMCAT_LOG_DIR]/tomcat-initd.log"
-
-# Connector port is 8080 for this tomcat instance
-#CONNECTOR_PORT="8080"
-
-# If you wish to further customize your tomcat environment,
-# put your own definitions here
-# (i.e. LD_LIBRARY_PATH for some jdbc drivers)
diff --git a/base/ra/setup/CMakeLists.txt b/base/ra/setup/CMakeLists.txt
index f5f069cdb..4f9784507 100644
--- a/base/ra/setup/CMakeLists.txt
+++ b/base/ra/setup/CMakeLists.txt
@@ -2,6 +2,7 @@ set(VERSION ${APPLICATION_VERSION})
 install(
 FILES
+ pkidaemon_registry
 registry_instance
 DESTINATION
 ${SHARE_INSTALL_PREFIX}/${APPLICATION_NAME}/${PROJECT_NAME}/setup
diff --git a/base/ra/setup/pkidaemon_registry b/base/ra/setup/pkidaemon_registry
new file mode 100644
index 000000000..8d23dda05
--- /dev/null
+++ b/base/ra/setup/pkidaemon_registry
@@ -0,0 +1,116 @@
+# Establish PKI Variable "Slot" Substitutions
+
+PKI_WEB_SERVER_TYPE=[PKI_WEB_SERVER_TYPE]
+export PKI_WEB_SERVER_TYPE
+
+PKI_SUBSYSTEM_TYPE=[PKI_SUBSYSTEM_TYPE]
+export PKI_SUBSYSTEM_TYPE
+
+PKI_USER=[PKI_USER]
+export PKI_USER
+
+PKI_GROUP=[PKI_GROUP]
+export PKI_GROUP
+
+PKI_INSTANCE_ID=[PKI_INSTANCE_ID]
+export PKI_INSTANCE_ID
+
+PKI_INSTANCE_INITSCRIPT=[PKI_INSTANCE_INITSCRIPT]
+export PKI_INSTANCE_INITSCRIPT
+
+PKI_HTTPD_CONF=[HTTPD_CONF]
+export PKI_HTTPD_CONF
+
+PKI_SERVER_ROOT=[SERVER_ROOT]
+export PKI_SERVER_ROOT
+
+PKI_SYSTEM_USER_LIBRARIES=[SYSTEM_USER_LIBRARIES]
+export PKI_SYSTEM_USER_LIBRARIES
+
+PKI_FORTITUDE_DIR=[FORTITUDE_DIR]
+export PKI_FORTITUDE_DIR
+
+PKI_NSS_CONF=[NSS_CONF]
+export PKI_NSS_CONF
+
+PKI_SERVER_NAME=[SERVER_NAME]
+export PKI_SERVER_NAME
+
+PKI_LOCK_FILE="[PKI_LOCKDIR]/${PKI_INSTANCE_ID}.pid"
+export PKI_LOCK_FILE
+
+PKI_PID_FILE="[PKI_PIDDIR]/${PKI_INSTANCE_ID}.pid"
+export PKI_PID_FILE
+
+PKI_SELINUX_TYPE="pki_ra_t"
+export PKI_SELINUX_TYPE
+
+pki_instance_configuration_file=${PKI_SERVER_ROOT}/conf/CS.cfg
+export pki_instance_configuration_file
+
+RESTART_SERVER=${PKI_SERVER_ROOT}/conf/restart_server_after_configuration
+export RESTART_SERVER
+
+########################################################################
+# This section contains modified content of "/etc/sysconfig/httpd" #
+########################################################################
+# Configuration file for the ${PKI_INSTANCE_ID} service.
+
+#
+# The default processing model (MPM) is the process-based
+# 'prefork' model. A thread-based model, 'worker', is also
+# available, but does not work with some modules (such as PHP).
+# The service must be stopped before changing this variable.
+#
+PKI_HTTPD=${PKI_FORTITUDE_DIR}/sbin/httpd.worker
+export PKI_HTTPD
+
+#
+# To pass additional options (for instance, -D definitions) to the
+# httpd binary at startup, set PKI_OPTIONS here.
+#
+PKI_OPTIONS="-f ${PKI_HTTPD_CONF}"
+export PKI_OPTIONS
+
+#
+# By default, the httpd process is started in the C locale; to
+# change the locale in which the server runs, the PKI_HTTPD_LANG
+# variable can be set.
+#
+PKI_HTTPD_LANG=C
+export PKI_HTTPD_LANG
+########################################################################
+# #
+########################################################################
+
+# This will prevent initlog from swallowing up a pass-phrase prompt if
+# mod_ssl needs a pass-phrase from the user.
+PKI_INITLOG_ARGS=""
+export PKI_INITLOG_ARGS
+
+# Set PKI_HTTPD=/usr/sbin/httpd.worker in /etc/sysconfig/httpd to use a server
+# with the thread-based "worker" MPM; BE WARNED that some modules may not
+# work correctly with a thread-based MPM; notably PHP will refuse to start.
+
+# Path to the server binary and short-form for messages.
+httpd=${PKI_HTTPD}
+export httpd
+
+pki_logs_directory=${PKI_SERVER_ROOT}/logs
+export pki_logs_directory
+
+# see if httpd is linked with the openldap libraries - we need to override
+# their use of OpenSSL
+if [ ${OS} = "Linux" ]; then
+ hasopenldap=0
+
+ /usr/bin/ldd ${httpd} 2>&1 | grep libldap- > /dev/null 2>&1 && hasopenldap=1
+
+ if [ ${hasopenldap} -eq 1 ] ; then
+ LD_PRELOAD="${PKI_SYSTEM_USER_LIBRARIES}/libssl3.so:${LD_PRELOAD}"
+ export LD_PRELOAD
+ fi
+elif [ ${OS} = "SunOS" ]; then
+ LD_PRELOAD_64="${PKI_SYSTEM_USER_LIBRARIES}/dirsec/libssl3.so:${LD_PRELOAD_64}"
+ export LD_PRELOAD_64
+fi
diff --git a/base/ra/setup/registry_instance b/base/ra/setup/registry_instance
index 64a73197f..f8cae5a43 100644
--- a/base/ra/setup/registry_instance
+++ b/base/ra/setup/registry_instance
@@ -1,8 +1,5 @@
 # Establish PKI Variable "Slot" Substitutions
-PKI_FLAVOR=[PKI_FLAVOR]
-export PKI_FLAVOR
-
 PKI_SUBSYSTEM_TYPE=[PKI_SUBSYSTEM_TYPE]
 export PKI_SUBSYSTEM_TYPE
diff --git a/base/setup/pkicommon.pm b/base/setup/pkicommon.pm
index b5ef8e140..4b68ffa7e 100755
--- a/base/setup/pkicommon.pm
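Review bot: `if [ ${OS} = "Linux" ]; then` and the `elif [ ${OS} = "SunOS" ]` test expand `OS` unquoted and nothing in this file assigns it, so when the sourcing script has not exported it the test degenerates to `[ = "Linux" ]` and sourcing aborts with a syntax error; quote it, `if [ "${OS}" = "Linux" ]; then`, and either default it from `uname -s` or state in a comment that the caller must export it. `PKI_LOCK_FILE="[PKI_LOCKDIR]/${PKI_INSTANCE_ID}.pid"` gives the lock file the same `.pid` name as `PKI_PID_FILE`, whereas the `registry_instance` templates in this commit use `${PKI_LOCKDIR}/${PKI_INSTANCE_ID}` with no suffix; this looks like a copy of the pid line, and the two files would collide if the lock and pid directories ever coincide. The `LD_PRELOAD` assignment appends `:${LD_PRELOAD}` even when that variable is empty, leaving a trailing separator, and the same applies to `LD_PRELOAD_64`. The paragraph beginning `# Set PKI_HTTPD=/usr/sbin/httpd.worker in /etc/sysconfig/httpd` is carried over from the stock httpd sysconfig and no longer describes this file, since `PKI_HTTPD` is fixed to the Fortitude `httpd.worker` above.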
+++ b/base/setup/pkicommon.pm
@@ -27,7 +27,7 @@ use Exporter;
 our @ISA = qw(Exporter);
 our @EXPORT = qw( $lib_prefix $obj_ext $path_sep $tmp_dir
- $pki_flavor $pki_registry_path
+ $pki_registry_path
 $verbose $dry_run $hostname $default_hardware_platform $default_system_binaries $default_lockdir $default_system_libraries $default_system_user_binaries $default_system_user_libraries
@@ -164,7 +164,6 @@ our %selinux_ports = ();
 # Shared Default Values
 ##############################################################
-our $pki_flavor = undef;
 our $pki_registry_path = undef;
 our $default_hardware_platform = undef;
@@ -204,11 +203,10 @@ my $is_IPv6 = 0;
 # Compute "hardware platform" of Operating System
 if ($^O eq "linux") {
- $pki_flavor = "pki";
 $default_registry_path = "/etc/sysconfig";
- $pki_registry_path = "$default_registry_path/$pki_flavor";
+ $pki_registry_path = "$default_registry_path/pki";
 $default_initscripts_path = "/etc/rc.d/init.d";
- $default_lockdir = "/var/lock/$pki_flavor";
+ $default_lockdir = "/var/lock/pki";
 $default_hardware_platform = `uname -i`;
 $default_hardware_platform =~ s/\s+$//g;
 chomp($default_hardware_platform);
diff --git a/base/setup/pkicreate b/base/setup/pkicreate
index b5453f2f6..b5568f01c 100755
--- a/base/setup/pkicreate
+++ b/base/setup/pkicreate
@@ -102,7 +102,7 @@ use lib "/usr/share/pki/scripts";
 use pkicommon;
 # Establish path to scripts
-my $pki_subsystem_common_area = "/usr/share/$pki_flavor";
+my $pki_subsystem_common_area = "/usr/share/pki";
 # make -w happy by suppressing warnings of Global variables used only once
 my $suppress = "";
@@ -319,7 +319,6 @@ my $TOMCAT_TLS_CIPHERS = "TOMCAT_TLS_CIPHERS"; my $TOMCAT_INSTANCE_COMMON_LIB = "TOMCAT_INSTANCE_COMMON_LIB"; my $TOMCAT_LOG_DIR = "TOMCAT_LOG_DIR"; my $PKI_INSTANCE_INITSCRIPT = "PKI_INSTANCE_INITSCRIPT"; -my $PKI_FLAVOR_SLOT = "PKI_FLAVOR"; my $PKI_UNSECURE_PORT_CONNECTOR_NAME_SLOT = "PKI_UNSECURE_PORT_CONNECTOR_NAME"; my $PKI_SECURE_PORT_CONNECTOR_NAME_SLOT = "PKI_SECURE_PORT_CONNECTOR_NAME"; my $PKI_ADMIN_SECURE_PORT_CONNECTOR_NAME_SLOT = "PKI_ADMIN_SECURE_PORT_CONNECTOR_NAME"; @@ -1480,7 +1479,7 @@ sub initialize_subsystem_paths $applets_subsystem_path = $pki_subsystem_path . "/" . $applets_base_subsystem_dir; $bin_subsystem_path = $default_system_user_libraries - . "/" . $pki_flavor + . "/" . "pki" . "/" . $subsystem_type; $samples_subsystem_path = $pki_subsystem_path . "/" . $samples_base_subsystem_dir; @@ -2438,7 +2437,6 @@ sub process_pki_templates $slot_hash{$SYSTEM_USER_LIBRARIES} = $default_system_user_libraries; $slot_hash{$TMP_DIR} = $tmp_dir; $slot_hash{$TPS_DIR} = $pki_subsystem_path; - $slot_hash{$PKI_FLAVOR_SLOT} = $pki_flavor; $slot_hash{$PKI_RANDOM_NUMBER_SLOT} = $random; $slot_hash{$PKI_LOCKDIR} = $pki_lockdir_path; if (is_Fedora() || (is_RHEL() && (! is_RHEL4()))) { @@ -2586,7 +2584,6 @@ LoadModule nss_module /opt/fortitude/modules.local/libmodnss.so $proxy_unsecure_port : ""; $slot_hash{$PKI_WEBAPPS_NAME} = $webapps_base_subsystem_dir; - $slot_hash{$PKI_FLAVOR_SLOT} = $pki_flavor; $slot_hash{$TOMCAT_SERVER_PORT_SLOT} = $tomcat_server_port; $slot_hash{$TOMCAT_PIDFILE} = $tomcat6_instance_pid_file_path; $slot_hash{$TOMCAT_CFG} = $tomcat6_conf_instance_file_path; diff --git a/base/setup/scripts/functions b/base/setup/scripts/functions index 516bf32e2..62dc20694 100644 --- a/base/setup/scripts/functions +++ b/base/setup/scripts/functions @@ -154,7 +154,7 @@ usage_systemd() echo -n "|try-restart" echo -n "|reload" echo -n "|status} " - echo -n "subsytem-type " + echo -n "subsystem-type " echo -n "[instance-name]" echo echo 
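Review bot: With `$slot_hash{$PKI_FLAVOR_SLOT}` dropped in both process_pki_templates hunks (-2438 and -2586), any template that still carries a literal `[PKI_FLAVOR]` slot would now be written out unsubstituted, leaving a path such as `/usr/share/[PKI_FLAVOR]/...` in a generated configuration; the CS.cfg.in and registry_instance templates in this commit were updated, but I cannot see from here whether every template was. A grep for `[PKI_FLAVOR]` across the template tree before merging would settle it, and a short comment at the removal site noting that the slot is gone would help anyone diffing older instance configs. In the initialize_subsystem_paths hunk, `. "/" . "pki"` reads more naturally as the single literal `. "/pki"`. Both enclosing subs start and end outside their hunks.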
diff --git a/base/tks/setup/registry_instance b/base/tks/setup/registry_instance
index 3210b9131..c97b0c736 100644
--- a/base/tks/setup/registry_instance
+++ b/base/tks/setup/registry_instance
@@ -1,8 +1,5 @@
 # Establish PKI Variable "Slot" Substitutions
-PKI_FLAVOR=[PKI_FLAVOR]
-export PKI_FLAVOR
-
 PKI_SUBSYSTEM_TYPE=[PKI_SUBSYSTEM_TYPE]
 export PKI_SUBSYSTEM_TYPE
@@ -38,13 +35,13 @@ export TOMCAT_USER
 TOMCAT_GROUP=$PKI_GROUP
 export TOMCAT_GROUP
-PKI_LOCKDIR="/var/lock/${PKI_FLAVOR}/${PKI_SUBSYSTEM_TYPE}"
+PKI_LOCKDIR="/var/lock/pki/${PKI_SUBSYSTEM_TYPE}"
 export PKI_LOCKDIR
 PKI_LOCKFILE="${PKI_LOCKDIR}/${PKI_INSTANCE_ID}"
 export PKI_LOCKFILE
-PKI_PIDDIR="/var/run/${PKI_FLAVOR}/${PKI_SUBSYSTEM_TYPE}"
+PKI_PIDDIR="/var/run/pki/${PKI_SUBSYSTEM_TYPE}"
 export PKI_PIDDIR
 PKI_PIDFILE="${PKI_PIDDIR}/${PKI_INSTANCE_ID}.pid"
diff --git a/base/tks/shared/conf/CS.cfg.in b/base/tks/shared/conf/CS.cfg.in
index 195201e4d..740baf61e 100644
--- a/base/tks/shared/conf/CS.cfg.in
+++ b/base/tks/shared/conf/CS.cfg.in
@@ -176,11 +176,11 @@ internaldb.ldapauth.clientCertNickname=
 internaldb.ldapconn.host=
 internaldb.ldapconn.port=
 internaldb.ldapconn.secureConn=false
-preop.internaldb.schema.ldif=/usr/share/[PKI_FLAVOR]/tks/conf/schema.ldif
-preop.internaldb.ldif=/usr/share/[PKI_FLAVOR]/tks/conf/database.ldif
-preop.internaldb.data_ldif=/usr/share/[PKI_FLAVOR]/tks/conf/db.ldif,/usr/share/[PKI_FLAVOR]/tks/conf/acl.ldif
-preop.internaldb.index_ldif=/usr/share/[PKI_FLAVOR]/tks/conf/index.ldif
-preop.internaldb.manager_ldif=/usr/share/[PKI_FLAVOR]/ca/conf/manager.ldif
+preop.internaldb.schema.ldif=/usr/share/pki/tks/conf/schema.ldif
+preop.internaldb.ldif=/usr/share/pki/tks/conf/database.ldif
+preop.internaldb.data_ldif=/usr/share/pki/tks/conf/db.ldif,/usr/share/pki/tks/conf/acl.ldif
+preop.internaldb.index_ldif=/usr/share/pki/tks/conf/index.ldif
+preop.internaldb.manager_ldif=/usr/share/pki/ca/conf/manager.ldif
 preop.internaldb.post_ldif=
 preop.internaldb.wait_dn=
 internaldb.multipleSuffix.enable=false
diff --git a/base/tks/shared/conf/tomcat.conf b/base/tks/shared/conf/tomcat.conf
deleted file mode 100644
index 92af5f8b9..000000000
--- a/base/tks/shared/conf/tomcat.conf
+++ /dev/null
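Review bot: The rewritten `preop.internaldb.manager_ldif=/usr/share/pki/ca/conf/manager.ldif` in the TKS template still points at the CA subsystem's conf directory while every neighbouring line now uses `tks/conf`; the removed line carried the same `ca` path, so this may be deliberate sharing of one manager.ldif, but nothing in the template says so. If it is intentional, a comment such as `# manager.ldif is shared with the CA subsystem's conf directory` above the line would stop the next reader from "correcting" it; if not, the line should read `/usr/share/pki/tks/conf/manager.ldif`. Since this file presumably seeds the internal directory manager entry for the instance, having a TKS deployment depend on the CA package's file is worth a deliberate decision rather than an inherited one.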
@@ -1,52 +0,0 @@
-# System-wide configuration file for tomcat services
-# This will be sourced by tomcat and any secondary service
-# Values will be overridden by service-specific configuration
-# files in /etc/sysconfig
-#
-# Use this one to change default values for all services
-# Change the service specific ones to affect only one service
-# (see, for instance, /etc/sysconfig/tomcat)
-#
-
-# Where your java installation lives
-#JAVA_HOME="/usr/lib/jvm/jre"
-
-# Where your tomcat installation lives
-CATALINA_BASE="[PKI_INSTANCE_PATH]"
-#CATALINA_HOME="/usr/share/tomcat"
-#JASPER_HOME="/usr/share/tomcat"
-#CATALINA_TMPDIR="/var/cache/tomcat/temp"
-
-# You can pass some parameters to java here if you wish to
-#JAVA_OPTS="-Xminf0.1 -Xmaxf0.3"
-
-# Use JAVA_OPTS to set java.library.path for libtcnative.so
-#JAVA_OPTS="-Djava.library.path=/usr/lib"
-
-# What user should run tomcat
-TOMCAT_USER="[PKI_USER]"
-
-# You can change your tomcat locale here
-#LANG="en_US"
-
-# Run tomcat under the Java Security Manager
-SECURITY_MANAGER="[PKI_SECURITY_MANAGER]"
-
-# Time to wait in seconds, before killing process
-#SHUTDOWN_WAIT="30"
-
-# Whether to annoy the user with "attempting to shut down" messages or not
-#SHUTDOWN_VERBOSE="false"
-
-# Set the TOMCAT_PID location
-CATALINA_PID="[TOMCAT_PIDFILE]"
-
-# Set the tomcat log file
-TOMCAT_LOG="[TOMCAT_LOG_DIR]/tomcat-initd.log"
-
-# Connector port is 8080 for this tomcat instance
-#CONNECTOR_PORT="8080"
-
-# If you wish to further customize your tomcat environment,
-# put your own definitions here
-# (i.e. LD_LIBRARY_PATH for some jdbc drivers)
diff --git a/base/tps/setup/CMakeLists.txt b/base/tps/setup/CMakeLists.txt
index f5f069cdb..4f9784507 100644
--- a/base/tps/setup/CMakeLists.txt
+++ b/base/tps/setup/CMakeLists.txt
@@ -2,6 +2,7 @@ set(VERSION ${APPLICATION_VERSION})
 install(
 FILES
+ pkidaemon_registry
 registry_instance
 DESTINATION
 ${SHARE_INSTALL_PREFIX}/${APPLICATION_NAME}/${PROJECT_NAME}/setup
diff --git a/base/tps/setup/pkidaemon_registry b/base/tps/setup/pkidaemon_registry
new file mode 100644
index 000000000..6c13a4955
--- /dev/null
+++ b/base/tps/setup/pkidaemon_registry
@@ -0,0 +1,116 @@
+# Establish PKI Variable "Slot" Substitutions
+
+PKI_WEB_SERVER_TYPE=[PKI_WEB_SERVER_TYPE]
+export PKI_WEB_SERVER_TYPE
+
+PKI_SUBSYSTEM_TYPE=[PKI_SUBSYSTEM_TYPE]
+export PKI_SUBSYSTEM_TYPE
+
+PKI_USER=[PKI_USER]
+export PKI_USER
+
+PKI_GROUP=[PKI_GROUP]
+export PKI_GROUP
+
+PKI_INSTANCE_ID=[PKI_INSTANCE_ID]
+export PKI_INSTANCE_ID
+
+PKI_INSTANCE_INITSCRIPT=[PKI_INSTANCE_INITSCRIPT]
+export PKI_INSTANCE_INITSCRIPT
+
+PKI_HTTPD_CONF=[HTTPD_CONF]
+export PKI_HTTPD_CONF
+
+PKI_SERVER_ROOT=[SERVER_ROOT]
+export PKI_SERVER_ROOT
+
+PKI_SYSTEM_USER_LIBRARIES=[SYSTEM_USER_LIBRARIES]
+export PKI_SYSTEM_USER_LIBRARIES
+
+PKI_FORTITUDE_DIR=[FORTITUDE_DIR]
+export PKI_FORTITUDE_DIR
+
+PKI_NSS_CONF=[NSS_CONF]
+export PKI_NSS_CONF
+
+PKI_SERVER_NAME=[SERVER_NAME]
+export PKI_SERVER_NAME
+
+PKI_LOCK_FILE="[PKI_LOCKDIR]/${PKI_INSTANCE_ID}.pid"
+export PKI_LOCK_FILE
+
+PKI_PID_FILE="[PKI_PIDDIR]/${PKI_INSTANCE_ID}.pid"
+export PKI_PID_FILE
+
+PKI_SELINUX_TYPE="pki_tps_t"
+export PKI_SELINUX_TYPE
+
+pki_instance_configuration_file=${PKI_SERVER_ROOT}/conf/CS.cfg
+export pki_instance_configuration_file
+
+RESTART_SERVER=${PKI_SERVER_ROOT}/conf/restart_server_after_configuration
+export RESTART_SERVER
+
+########################################################################
+# This section contains modified content of "/etc/sysconfig/httpd" #
+########################################################################
+# Configuration file for the ${PKI_INSTANCE_ID} service.
+
+#
+# The default processing model (MPM) is the process-based
+# 'prefork' model. A thread-based model, 'worker', is also
+# available, but does not work with some modules (such as PHP).
+# The service must be stopped before changing this variable.
+#
+PKI_HTTPD=${PKI_FORTITUDE_DIR}/sbin/httpd.worker
+export PKI_HTTPD
+
+#
+# To pass additional options (for instance, -D definitions) to the
+# httpd binary at startup, set PKI_OPTIONS here.
+#
+PKI_OPTIONS="-f ${PKI_HTTPD_CONF}"
+export PKI_OPTIONS
+
+#
+# By default, the httpd process is started in the C locale; to
+# change the locale in which the server runs, the PKI_HTTPD_LANG
+# variable can be set.
+#
+PKI_HTTPD_LANG=C
+export PKI_HTTPD_LANG
+########################################################################
+# #
+########################################################################
+
+# This will prevent initlog from swallowing up a pass-phrase prompt if
+# mod_ssl needs a pass-phrase from the user.
+PKI_INITLOG_ARGS=""
+export PKI_INITLOG_ARGS
+
+# Set PKI_HTTPD=/usr/sbin/httpd.worker in /etc/sysconfig/httpd to use a server
+# with the thread-based "worker" MPM; BE WARNED that some modules may not
+# work correctly with a thread-based MPM; notably PHP will refuse to start.
+
+# Path to the server binary and short-form for messages.
+httpd=${PKI_HTTPD}
+export httpd
+
+pki_logs_directory=${PKI_SERVER_ROOT}/logs
+export pki_logs_directory
+
+# see if httpd is linked with the openldap libraries - we need to override
+# their use of OpenSSL
+if [ ${OS} = "Linux" ]; then
+ hasopenldap=0
+
+ /usr/bin/ldd ${httpd} 2>&1 | grep libldap- > /dev/null 2>&1 && hasopenldap=1
+
+ if [ ${hasopenldap} -eq 1 ] ; then
+ LD_PRELOAD="${PKI_SYSTEM_USER_LIBRARIES}/libssl3.so:${LD_PRELOAD}"
+ export LD_PRELOAD
+ fi
+elif [ ${OS} = "SunOS" ]; then
+ LD_PRELOAD_64="${PKI_SYSTEM_USER_LIBRARIES}/dirsec/libssl3.so:${LD_PRELOAD_64}"
+ export LD_PRELOAD_64
+fi
diff --git a/base/tps/setup/registry_instance b/base/tps/setup/registry_instance
index cb1c4b344..a77b75f4f 100644
--- a/base/tps/setup/registry_instance
+++ b/base/tps/setup/registry_instance
@@ -1,8 +1,5 @@
 # Establish PKI Variable "Slot" Substitutions
-PKI_FLAVOR=[PKI_FLAVOR]
-export PKI_FLAVOR
-
 PKI_SUBSYSTEM_TYPE=[PKI_SUBSYSTEM_TYPE]
 export PKI_SUBSYSTEM_TYPE |
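Review bot: In the `if [ ${OS} = "Linux" ]` / `elif [ ${OS} = "SunOS" ]` block that closes the new pkidaemon_registry, `OS` is never assigned anywhere in this file and the expansion is unquoted, so if the file is sourced with `OS` unset the test degrades to `[ = "Linux" ]`, the shell reports an error and neither LD_PRELOAD branch runs. Quote both tests, `if [ "${OS}" = "Linux" ]; then` and `elif [ "${OS}" = "SunOS" ]; then`, and state in a comment where `OS` is expected to come from (presumably whatever script sources this registry); the same block appears at the tail of the earlier pkidaemon_registry hunk above. The `LD_PRELOAD=` and `LD_PRELOAD_64=` assignments also carry whatever preload value the sourcing environment already had into the httpd process, which for a service-side file deserves either a comment stating that the inheritance is intended or a reset of the inherited value before the assignment. Separately, `PKI_LOCK_FILE="[PKI_LOCKDIR]/${PKI_INSTANCE_ID}.pid"` gives the lock file the same `.pid` basename as `PKI_PID_FILE`, whereas `PKI_LOCKFILE` in the registry_instance files has no suffix, and the comment describing 'prefork' as the default MPM contradicts `PKI_HTTPD=${PKI_FORTITUDE_DIR}/sbin/httpd.worker` a few lines below it.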