author | jdennis <jdennis@c9f7a03b-bd48-0410-a16d-cbbf54688b0b> | 2010-11-19 19:56:12 +0000 |
---|---|---|
committer | jdennis <jdennis@c9f7a03b-bd48-0410-a16d-cbbf54688b0b> | 2010-11-19 19:56:12 +0000 |
commit | 033f7839aae5df7073ff5dc34512b18451a33ca3 (patch) | |
tree | 0fa80ce67d7acd23c19daa0f17d082612ac88db1 /pki/base/kra | |
parent | 0fc8b79ef4c5694c5eb2396bfc750f44ceb0f8ef (diff) | |
Adjust current files so patches merge, will adjust after merge complete
pkicreate: index.jsp -> index.html
server.xml: remove ocsp
base/tps/doc/CS.cfg: CIMC_CERT_VERIFICATION
git-svn-id: svn+ssh://svn.fedorahosted.org/svn/pki/trunk@1531 c9f7a03b-bd48-0410-a16d-cbbf54688b0b
Diffstat (limited to 'pki/base/kra')
-rw-r--r-- | pki/base/kra/shared/conf/server.xml | 33 |
1 files changed, 1 insertions, 32 deletions
diff --git a/pki/base/kra/shared/conf/server.xml b/pki/base/kra/shared/conf/server.xml index 7218c4d0c..71b433bef 100644 --- a/pki/base/kra/shared/conf/server.xml +++ b/pki/base/kra/shared/conf/server.xml @@ -93,31 +93,7 @@ Tomcat Port = [TOMCAT_SERVER_PORT] (for shutdown) <!-- Define a SSL HTTP/1.1 Connector on port 8443 --> [PKI_SECURE_PORT_SERVER_COMMENT] -<!-- DO NOT REMOVE - Begin define PKI secure port - NOTE: The OCSP settings take effect globally, so it should only be set once. - - In setup where SSL clientAuth="true", OCSP can be turned on by - setting enableOCSP to true like the following: - enableOCSP="true" - along with changes to related settings, especially: - ocspResponderURL=<see example in connector definition below> - ocspResponderCertNickname=<see example in connector definition below> - Here are the definition to all the OCSP-related settings: - enableOCSP - turns on/off the ocsp check - ocspResponderURL - sets the url where the ocsp requests are sent - ocspResponderCertNickname - sets the nickname of the cert that is - either CA's signing certificate or the OCSP server's signing - certificate. - The CA's signing certificate should already be in the db, in - case of the same security domain. - In case of an ocsp signing certificate, one must import the cert - into the subsystem's nss db and set trust. e.g.: - certutil -d . -A -n "ocspSigningCert cert-pki-ca" -t "C,," -a -i ocspCert.b64 - ocspCacheSize - sets max cache entries - ocspMinCacheEntryDuration - sets minimum seconds to next fetch attempt - ocspMaxCacheEntryDuration - sets maximum seconds to next fetch attempt - ocspTimeout -sets OCSP timeout in seconds ---> +<!-- DO NOT REMOVE - Begin define PKI secure port --> <Connector name="[PKI_SECURE_PORT_CONNECTOR_NAME]" port="[PKI_SECURE_PORT]" maxHttpHeaderSize="8192" maxThreads="150" minSpareThreads="25" maxSpareThreads="75" enableLookups="false" disableUploadTimeout="true" 
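Review bot: The replacement comment `<!-- DO NOT REMOVE - Begin define PKI secure port -->` leaves no trace that the OCSP documentation and, in the second hunk, the seven `enableOCSP`/`ocsp*` connector attributes were taken out only so that patches merge. The removed value was `enableOCSP="false"`, so revocation checking was presumably already off. Even so, an operator who runs this connector with client-certificate authentication now has nothing in the file that says how to turn it on, and the removed warning that the OCSP settings take effect globally is gone too. I would add a separate comment line above the marker, for example `<!-- TODO: OCSP connector settings removed for merge (svn r1531); restore them or document where they are configured -->`, and leave the marker text itself unchanged in case tooling matches on it. The Connector element continues outside both hunks.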
@@ -128,13 +104,6 @@ Tomcat Port = [TOMCAT_SERVER_PORT] (for shutdown)
 ssl3Ciphers="-SSL3_FORTEZZA_DMS_WITH_NULL_SHA,-SSL3_FORTEZZA_DMS_WITH_RC4_128_SHA,+SSL3_RSA_WITH_RC4_128_SHA,-SSL3_RSA_EXPORT_WITH_RC4_40_MD5,+SSL3_RSA_WITH_3DES_EDE_CBC_SHA,+SSL3_RSA_WITH_DES_CBC_SHA,-SSL3_RSA_EXPORT_WITH_RC2_CBC_40_MD5,-SSL3_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA,-SSL_RSA_FIPS_WITH_DES_CBC_SHA,+SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA,-SSL3_RSA_WITH_NULL_MD5,-TLS_RSA_EXPORT1024_WITH_RC4_56_SHA,-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA"
 tls3Ciphers="-SSL3_FORTEZZA_DMS_WITH_NULL_SHA,-SSL3_FORTEZZA_DMS_WITH_RC4_128_SHA,+SSL3_RSA_WITH_RC4_128_SHA,-SSL3_RSA_EXPORT_WITH_RC4_40_MD5,+SSL3_RSA_WITH_3DES_EDE_CBC_SHA,+SSL3_RSA_WITH_DES_CBC_SHA,-SSL3_RSA_EXPORT_WITH_RC2_CBC_40_MD5,-SSL3_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA,-SSL_RSA_FIPS_WITH_DES_CBC_SHA,+SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA,-SSL3_RSA_WITH_NULL_MD5,-TLS_RSA_EXPORT1024_WITH_RC4_56_SHA,-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA"
 SSLImplementation="org.apache.tomcat.util.net.jss.JSSImplementation"
- enableOCSP="false"
- ocspResponderURL="http://[PKI_MACHINE_NAME]:9080/ca/ocsp"
- ocspResponderCertNickname="ocspSigningCert cert-pki-ca"
- ocspCacheSize="1000"
- ocspMinCacheEntryDuration="60"
- ocspMaxCacheEntryDuration="120"
- ocspTimeout="10"
 serverCertNickFile="[PKI_INSTANCE_PATH]/conf/serverCertNick.conf"
 passwordFile="[PKI_INSTANCE_PATH]/conf/password.conf"
 passwordClass="org.apache.tomcat.util.net.jss.PlainPasswordFile" |