author | jdennis <jdennis@c9f7a03b-bd48-0410-a16d-cbbf54688b0b> | 2010-11-19 21:00:40 +0000 |
---|---|---|
committer | jdennis <jdennis@c9f7a03b-bd48-0410-a16d-cbbf54688b0b> | 2010-11-19 21:00:40 +0000 |
commit | 2ab4b4058a240143e513db050bbf4170e9115ef1 (patch) | |
tree | a00195c6f63f11ee5e2fd9c4fc5f3c216ef7ace2 /pki/base/kra | |
parent | e73bde97720375973af57a29c5dd62aaec6342f2 (diff) | |
Merge CA changes into KRA,OCSP & TKS
git-svn-id: svn+ssh://svn.fedorahosted.org/svn/pki/trunk@1575 c9f7a03b-bd48-0410-a16d-cbbf54688b0b
Diffstat (limited to 'pki/base/kra')
-rw-r--r-- | pki/base/kra/build.xml | 14 | ||||
-rw-r--r-- | pki/base/kra/setup/registry_instance | 54 | ||||
-rw-r--r-- | pki/base/kra/shared/conf/catalina.policy | 123 | ||||
-rw-r--r-- | pki/base/kra/shared/conf/catalina.properties | 29 | ||||
-rw-r--r-- | pki/base/kra/shared/conf/context.xml | 30 | ||||
-rwxr-xr-x | pki/base/kra/shared/conf/dtomcat5 | 476 | ||||
-rw-r--r-- | pki/base/kra/shared/conf/logging.properties | 70 | ||||
-rw-r--r-- | pki/base/kra/shared/conf/server.xml | 532 | ||||
-rw-r--r-- | pki/base/kra/shared/conf/tomcat-users.xml | 38 | ||||
-rw-r--r-- | pki/base/kra/shared/conf/tomcat5.conf | 74 | ||||
-rw-r--r-- | pki/base/kra/shared/conf/tomcat6.conf | 55 | ||||
-rwxr-xr-x | pki/base/kra/shared/etc/init.d/pki-krad | 1832 |
12 files changed, 507 insertions, 2820 deletions
diff --git a/pki/base/kra/build.xml b/pki/base/kra/build.xml
index abbdbe7ab..eecf414ee 100644
--- a/pki/base/kra/build.xml
+++ b/pki/base/kra/build.xml
@@ -191,6 +191,7 @@
 filemode="644"
 prefix="usr/share/${product.prefix}/${product}/setup">
 <include name="config.desktop"/>
+ <include name="registry_instance"/>
 </zipfileset>
 <zipfileset dir="./shared/etc/init.d"
 filemode="755"
@@ -198,15 +199,9 @@
 <include name="pki-krad"/>
 </zipfileset>
 <zipfileset dir="./shared"
- filemode="755"
- prefix="usr/share/${product.prefix}/${product}">
- <include name="conf/dtomcat5"/>
- </zipfileset>
- <zipfileset dir="./shared"
 filemode="644"
 prefix="usr/share/${product.prefix}/${product}">
 <include name="**"/>
- <exclude name="conf/dtomcat5"/>
 <exclude name="etc/init.d/pki-krad"/>
 </zipfileset>
 <zipfileset dir="."
@@ -230,6 +225,7 @@
 mode="644"
 prefix="${dist.name}/usr/share/${product.prefix}/${product}/setup">
 <include name="config.desktop"/>
+ <include name="registry_instance"/>
 </tarfileset>
 <tarfileset dir="./shared/etc/init.d"
 mode="755"
@@ -237,15 +233,9 @@
 <include name="pki-krad"/>
 </tarfileset>
 <tarfileset dir="./shared"
- mode="755"
- prefix="${dist.name}/usr/share/${product.prefix}/${product}">
- <include name="conf/dtomcat5"/>
- </tarfileset>
- <tarfileset dir="./shared"
 mode="644"
 prefix="${dist.name}/usr/share/${product.prefix}/${product}">
 <include name="**"/>
- <exclude name="conf/dtomcat5"/>
 <exclude name="etc/init.d/pki-krad"/>
 </tarfileset>
 <tarfileset dir="."
diff --git a/pki/base/kra/setup/registry_instance b/pki/base/kra/setup/registry_instance
new file mode 100644
index 000000000..7f0e592a1
--- /dev/null
+++ b/pki/base/kra/setup/registry_instance
@@ -0,0 +1,54 @@
+# Establish PKI Variable "Slot" Substitutions
+
+PKI_FLAVOR=[PKI_FLAVOR]
+export PKI_FLAVOR
+
+PKI_SUBSYSTEM_TYPE=[PKI_SUBSYSTEM_TYPE]
+export PKI_SUBSYSTEM_TYPE
+
+PKI_USER=[PKI_USER]
+export PKI_USER
+
+PKI_GROUP=[PKI_GROUP]
+export PKI_GROUP
+
+PKI_INSTANCE_ID=[PKI_INSTANCE_ID]
+export PKI_INSTANCE_ID
+
+PKI_INSTANCE_PATH=[PKI_INSTANCE_PATH]
+export PKI_INSTANCE_PATH
+
+PKI_INSTANCE_INITSCRIPT=[PKI_INSTANCE_INITSCRIPT]
+export PKI_INSTANCE_INITSCRIPT
+
+PKI_SERVER_XML_CONF=[PKI_SERVER_XML_CONF]
+export PKI_SERVER_XML_CONF
+
+# Use CATALINA_BASE
+
+CATALINA_BASE=$PKI_INSTANCE_PATH
+export CATALINA_BASE
+
+TOMCAT_PROG=$PKI_INSTANCE_ID
+export TOMCAT_PROG
+
+TOMCAT_USER=$PKI_USER
+export TOMCAT_USER
+
+TOMCAT_GROUP=$PKI_GROUP
+export TOMCAT_GROUP
+
+PKI_LOCKDIR="/var/lock/${PKI_FLAVOR}/${PKI_SUBSYSTEM_TYPE}"
+export PKI_LOCKDIR
+
+PKI_LOCKFILE="${PKI_LOCKDIR}/${PKI_INSTANCE_ID}.pid"
+export PKI_LOCKFILE
+
+TOMCAT_PIDFILE=[TOMCAT_PIDFILE]
+export TOMCAT_PIDFILE
+
+pki_instance_configuration_file=${PKI_INSTANCE_PATH}/conf/CS.cfg
+export pki_instance_configuration_file
+
+RESTART_SERVER=${PKI_INSTANCE_PATH}/conf/restart_server_after_configuration
+export RESTART_SERVER
diff --git a/pki/base/kra/shared/conf/catalina.policy b/pki/base/kra/shared/conf/catalina.policy
index 8f481e333..cf8302cd0 100644
--- a/pki/base/kra/shared/conf/catalina.policy
+++ b/pki/base/kra/shared/conf/catalina.policy
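Review bot: Every slot substitution is assigned unquoted, e.g. `PKI_INSTANCE_PATH=[PKI_INSTANCE_PATH]` and `TOMCAT_PIDFILE=[TOMCAT_PIDFILE]`, so a substituted value containing whitespace, a quote or a `$` would be mis-parsed when this file is sourced instead of yielding the intended path. Quote each substituted assignment, `PKI_INSTANCE_PATH="[PKI_INSTANCE_PATH]"`, as the `PKI_LOCKDIR` and `PKI_LOCKFILE` lines already do. The file also defines both `PKI_LOCKFILE` with a `.pid` suffix and a separate `TOMCAT_PIDFILE`, and nothing here says which script sources it or which of the two the init script treats as the daemon pid file; a one-line header comment stating both would keep them from drifting apart.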
@@ -1,5 +1,26 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// Copyright (C) 2006-2010 Red Hat, Inc.
+// All rights reserved.
+// Modifications: configuration parameters
+// --- END COPYRIGHT BLOCK ---
+
+// Licensed to the Apache Software Foundation (ASF) under one or more
+// contributor license agreements. See the NOTICE file distributed with
+// this work for additional information regarding copyright ownership.
+// The ASF licenses this file to You under the Apache License, Version 2.0
+// (the "License"); you may not use this file except in compliance with
+// the License. You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
 // ============================================================================
-// catalina.corepolicy - Security Policy Permissions for Tomcat 5
+// catalina.corepolicy - Security Policy Permissions for Tomcat 6
 //
 // This file contains a default set of security policies to be enforced (by the
 // JVM) when Catalina is executed with the "-security" option. In addition
@@ -40,35 +61,16 @@ grant codeBase "file:${java.home}/lib/ext/-" {
 // ========== CATALINA CODE PERMISSIONS =======================================
-// These permissions apply to the launcher code
-grant codeBase "file:${catalina.home}/bin/commons-launcher.jar" {
- permission java.security.AllPermission;
-};
-
 // These permissions apply to the daemon code
 grant codeBase "file:${catalina.home}/bin/commons-daemon.jar" {
 permission java.security.AllPermission;
 };
-// These permissions apply to the commons-logging API
-grant codeBase "file:${catalina.home}/bin/commons-logging-api.jar" {
- permission java.security.AllPermission;
-};
-
-// These permissions apply to the server startup code
-grant codeBase "file:${catalina.home}/bin/bootstrap.jar" {
- permission java.security.AllPermission;
-};
-
-// These permissions apply to the JMX server
-grant codeBase "file:${catalina.home}/bin/jmx.jar" {
- permission java.security.AllPermission;
-};
-
-// These permissions apply to JULI
+// These permissions apply to the logging API
 grant codeBase "file:${catalina.home}/bin/tomcat-juli.jar" {
 permission java.util.PropertyPermission "java.util.logging.config.class", "read";
 permission java.util.PropertyPermission "java.util.logging.config.file", "read";
+ permission java.io.FilePermission "${java.home}${file.separator}lib${file.separator}logging.properties", "read";
 permission java.lang.RuntimePermission "shutdownHooks";
 permission java.io.FilePermission "${catalina.base}${file.separator}conf${file.separator}logging.properties", "read";
 permission java.util.PropertyPermission "catalina.base", "read";
@@ -82,24 +84,19 @@ grant codeBase "file:${catalina.home}/bin/tomcat-juli.jar" { // permission java.io.FilePermission "${catalina.base}${file.separator}webapps${file.separator}examples${file.separator}WEB-INF${file.separator}classes${file.separator}logging.properties", "read"; }; -// These permissions apply to the servlet API classes -// and those that are shared across all class loaders -// located in the "common" directory -grant codeBase "file:${catalina.home}/common/-" { +// These permissions apply to the server startup code +grant codeBase "file:${catalina.home}/bin/bootstrap.jar" { permission java.security.AllPermission; }; -// These permissions apply to the container's core code, plus any additional -// libraries installed in the "server" directory -grant codeBase "file:${catalina.home}/server/-" { +// These permissions apply to the servlet API classes +// and those that are shared across all class loaders +// located in the "lib" directory +grant codeBase "file:${catalina.home}/lib/-" { permission java.security.AllPermission; }; -// The permissions granted to the balancer WEB-INF/classes and WEB-INF/lib directory -grant codeBase "file:${catalina.home}/webapps/balancer/-" { - permission java.lang.RuntimePermission "accessClassInPackage.org.apache.tomcat.util.digester"; - permission java.lang.RuntimePermission "accessClassInPackage.org.apache.tomcat.util.digester.*"; -}; + // ========== WEB APPLICATION PERMISSIONS ===================================== @@ -147,6 +144,9 @@ grant { permission java.lang.RuntimePermission "accessClassInPackage.org.apache.jasper.runtime"; permission java.lang.RuntimePermission "accessClassInPackage.org.apache.jasper.runtime.*"; + // Precompiled JSPs need access to this system property. + permission java.util.PropertyPermission "org.apache.jasper.runtime.BodyContentImpl.LIMIT_BUFFER", "read"; + }; 
@@ -182,58 +182,3 @@ grant {
 // permission java.net.SocketPermission "*.noaa.gov:80", "connect";
 // };
-
-
-// These permissions apply to Tomcat5 java
-grant codeBase "file:/usr/share/java/tomcat5/-" {
- permission java.security.AllPermission;
-};
-grant codeBase "file:/usr/share/java/jakarta-commons-modeler.jar" {
- permission java.security.AllPermission;
-};
-grant codeBase "file:/usr/share/java/jasper5-compiler.jar" {
- permission java.security.AllPermission;
-};
-grant codeBase "file:/usr/share/java/jasper5-runtime.jar" {
- permission java.security.AllPermission;
-};
-
-
-
-// These permissions apply to PKI configuration
-grant codeBase "file:/usr/share/java/velocity.jar" {
- permission java.security.AllPermission;
-};
-grant codeBase "file:/usr/share/java/tomcat5-servlet-2.4-api.jar" {
- permission java.security.AllPermission;
-};
-
-
-
-
-// These permissions apply to PKI support
-grant codeBase "file:/usr/share/java/ldapjdk.jar" {
- permission java.security.AllPermission;
-};
-
-
-
-// These permissions apply to PKI
-grant codeBase "file:/usr/lib/java/jss4.jar" {
- permission java.security.AllPermission;
-};
-grant codeBase "file:/usr/share/java/tomcatjss.jar" {
- permission java.security.AllPermission;
-};
-grant codeBase "file:/usr/lib/java/osutil.jar" {
- permission java.security.AllPermission;
-};
-grant codeBase "file:/usr/lib/java/symkey.jar" {
- permission java.security.AllPermission;
-};
-grant codeBase "file:/usr/share/java/pki/-" {
- permission java.security.AllPermission;
-};
-
-
-
diff --git a/pki/base/kra/shared/conf/catalina.properties b/pki/base/kra/shared/conf/catalina.properties
index 86334d29f..70cb7c05e 100644
--- a/pki/base/kra/shared/conf/catalina.properties
+++ b/pki/base/kra/shared/conf/catalina.properties
@@ -1,3 +1,24 @@
+# --- BEGIN COPYRIGHT BLOCK ---
+# Copyright (C) 2006-2010 Red Hat, Inc.
+# All rights reserved.
+# Modifications: configuration parameters
+# --- END COPYRIGHT BLOCK ---
+
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
 #
 # List of comma-separated packages that start with or equal this string
 # will cause a security exception to be thrown when
@@ -29,7 +50,7 @@ package.definition=sun.,java.,org.apache.catalina.,org.apache.coyote.,org.apache
 # "foo/*.jar": Add all the JARs of the specified folder as class
 # repositories
 # "foo/bar.jar": Add bar.jar as a class repository
-common.loader=${catalina.home}/common/classes,${catalina.home}/common/i18n/*.jar,${catalina.home}/common/endorsed/*.jar,${catalina.home}/common/lib/*.jar
+common.loader=${catalina.home}/lib,${catalina.home}/lib/*.jar,[TOMCAT_INSTANCE_COMMON_LIB]
 #
 # List of comma-separated paths defining the contents of the "server"
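Review bot: `common.loader` now ends in the `[TOMCAT_INSTANCE_COMMON_LIB]` slot while the same commit removes the per-jar `AllPermission` grants for jss4, tomcatjss, osutil, symkey and `/usr/share/java/pki/-` from catalina.policy, leaving `file:${catalina.home}/lib/-` as the only code-source grant outside `bin`. If the slot resolves to a directory outside `${catalina.home}/lib` and the instance is ever started with `-security`, those jars would presumably run under the default web-application permissions and fail at the first privileged call; nothing in this diffstat shows replacement grants. Record the constraint next to the slot, `# [TOMCAT_INSTANCE_COMMON_LIB] must resolve under ${catalina.home}/lib or receive a matching grant in catalina.policy`, or restore the grants. The stock note in the shared.loader hunk that single jars need the `file:` URL form applies to values substituted into this slot as well.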
@@ -42,7 +63,7 @@ common.loader=${catalina.home}/common/classes,${catalina.home}/common/i18n/*.jar
 # "foo/*.jar": Add all the JARs of the specified folder as class
 # repositories
 # "foo/bar.jar": Add bar.jar as a class repository
-server.loader=${catalina.home}/server/classes,${catalina.home}/server/lib/*.jar
+server.loader=
 #
 # List of comma-separated paths defining the contents of the "shared"
@@ -54,7 +75,9 @@ server.loader=${catalina.home}/server/classes,${catalina.home}/server/lib/*.jar
 # "foo/*.jar": Add all the JARs of the specified folder as class
 # repositories
 # "foo/bar.jar": Add bar.jar as a class repository
-shared.loader=${catalina.base}/shared/classes,${catalina.base}/shared/lib/*.jar
+# Please note that for single jars, e.g. bar.jar, you need the URL form
+# starting with file:.
+shared.loader=
 #
 # String cache configuration.
diff --git a/pki/base/kra/shared/conf/context.xml b/pki/base/kra/shared/conf/context.xml
index 4998ad27d..8b6fe4905 100644
--- a/pki/base/kra/shared/conf/context.xml
+++ b/pki/base/kra/shared/conf/context.xml
@@ -1,5 +1,27 @@
+<?xml version='1.0' encoding='utf-8'?>
+<!-- BEGIN COPYRIGHT BLOCK
+ Copyright (C) 2006-2010 Red Hat, Inc.
+ All rights reserved.
+ Modifications: configuration parameters
+ END COPYRIGHT BLOCK -->
+<!--
+ Licensed to the Apache Software Foundation (ASF) under one or more
+ contributor license agreements. See the NOTICE file distributed with
+ this work for additional information regarding copyright ownership.
+ The ASF licenses this file to You under the Apache License, Version 2.0
+ (the "License"); you may not use this file except in compliance with
+ the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+-->
 <!-- The contents of this file will be loaded for each web application -->
-<Context crossContext="true">
+<Context crossContext="true" allowLinking="true">
 <!-- Default set of monitored resources -->
 <WatchedResource>WEB-INF/web.xml</WatchedResource>
@@ -9,4 +31,10 @@
 <Manager pathname="" />
 -->
+ <!-- Uncomment this to enable Comet connection tacking (provides events
+ on session expiration as well as webapp lifecycle) -->
+ <!--
+ <Valve className="org.apache.catalina.valves.CometConnectionManagerValve" />
+ -->
+
 </Context>
diff --git a/pki/base/kra/shared/conf/dtomcat5 b/pki/base/kra/shared/conf/dtomcat5
deleted file mode 100755
index 2eeb889e6..000000000
--- a/pki/base/kra/shared/conf/dtomcat5
+++ /dev/null
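Review bot: `allowLinking="true"` is added to the default `<Context>`, which this file applies to every web application in the instance, so any symbolic link under a webapp's docBase is now followed and served. Tomcat's documentation for this attribute warns that it must not be enabled on a case-insensitive filesystem because it also disables the case checks that otherwise prevent JSP source disclosure; the instance layout presumably depends on symlinked webapp directories, but the file does not say so. Add a comment above the element recording the reason and the constraint, e.g. `<!-- allowLinking: needed because [reason - placeholder, fill in]; never enable on a case-insensitive filesystem -->`, or set the attribute only on the individual Context elements that need it instead of the global default.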
@@ -1,476 +0,0 @@ -#!/bin/bash -# -# --- BEGIN COPYRIGHT BLOCK --- -# Copyright (C) 2006 Red Hat, Inc. -# All rights reserved. -# --- END COPYRIGHT BLOCK --- -# -# ----------------------------------------------------------------------------- -# Start/Stop Script for the CATALINA Server -# -# Environment Variable Prequisites -# -# CATALINA_HOME May point at your Catalina "build" directory. -# -# CATALINA_BASE (Optional) Base directory for resolving dynamic portions -# of a Catalina installation. If not present, resolves to -# the same directory that CATALINA_HOME points to. -# -# CATALINA_OPTS (Optional) Java runtime options used when the "start", -# "stop", or "run" command is executed. -# -# CATALINA_TMPDIR (Optional) Directory path location of temporary directory -# the JVM should use (java.io.tmpdir). Defaults to -# $CATALINA_BASE/temp. -# -# JAVA_HOME Must point at your Java Development Kit installation. -# Required to run the with the "debug" or "javac" argument. -# -# JRE_HOME Must point at your Java Development Kit installation. -# Defaults to JAVA_HOME if empty. -# -# JAVA_OPTS (Optional) Java runtime options used when the "start", -# "stop", or "run" command is executed. -# -# JPDA_TRANSPORT (Optional) JPDA transport used when the "jpda start" -# command is executed. The default is "dt_socket". -# -# JPDA_ADDRESS (Optional) Java runtime options used when the "jpda start" -# command is executed. The default is 8000. -# -# JSSE_HOME (Optional) May point at your Java Secure Sockets Extension -# (JSSE) installation, whose JAR files will be added to the -# system class path used to start Tomcat. 
-# -# CATALINA_PID (Optional) Path of the file which should contains the pid -# of catalina startup java process, when start (fork) is used -# -# $Id$ -# ----------------------------------------------------------------------------- - -# Disallow 'others' the ability to 'write' to new files -umask 00002 - -# Check to insure that this script's original invocation directory -# has not been deleted! -CWD=`/bin/pwd > /dev/null 2>&1` -if [ $? -ne 0 ] ; then - echo "Cannot invoke '$0' from non-existent directory!" - exit 255 -fi - -# Check to insure that this script's associated PKI -# subsystem currently resides on this system. -PKI_SUBSYSTEM_TYPE=[PKI_SUBSYSTEM_TYPE] -if [ ! -d /usr/share/pki/${PKI_SUBSYSTEM_TYPE} ] ; then - echo "This machine is missing the '${PKI_SUBSYSTEM_TYPE}' subsystem!" - exit 255 -fi - -# OS specific support. $var _must_ be set to either true or false. -OS=`uname -s` -cygwin=false -os400=false -case "${OS}" in -CYGWIN*) cygwin=true;; -OS400*) os400=true;; -esac - -TOMCAT_CFG=[PKI_INSTANCE_PATH]/conf/tomcat5.conf -JAVADIR="/usr/share/java" - -# resolve links - $0 may be a softlink -PRG="$0" - -while [ -h "$PRG" ]; do - ls=`ls -ld "$PRG"` - link=`expr "$ls" : '.*-> \(.*\)$'` - if expr "$link" : '.*/.*' > /dev/null; then - PRG="$link" - else - PRG=`dirname "$PRG"`/"$link" - fi -done - -# Get standard environment variables -PRGDIR=`dirname "$PRG"` - -# Only set CATALINA_HOME if not already set -[ -z "$CATALINA_HOME" ] && CATALINA_HOME=`cd "$PRGDIR/.." ; pwd` - -if [ -r "$CATALINA_HOME"/bin/setenv.sh ]; then - . 
"$CATALINA_HOME"/bin/setenv.sh -fi - -# For Cygwin, ensure paths are in UNIX format before anything is touched -if $cygwin; then - [ -n "$JAVA_HOME" ] && JAVA_HOME=`cygpath --unix "$JAVA_HOME"` - [ -n "$JRE_HOME" ] && JRE_HOME=`cygpath --unix "$JRE_HOME"` - [ -n "$CATALINA_HOME" ] && CATALINA_HOME=`cygpath --unix "$CATALINA_HOME"` - [ -n "$CATALINA_BASE" ] && CATALINA_BASE=`cygpath --unix "$CATALINA_BASE"` - [ -n "$CLASSPATH" ] && CLASSPATH=`cygpath --path --unix "$CLASSPATH"` - [ -n "$JSSE_HOME" ] && JSSE_HOME=`cygpath --absolute --unix "$JSSE_HOME"` -fi - -# For OS400 -if $os400; then - # Set job priority to standard for interactive (interactive - 6) by using - # the interactive priority - 6, the helper threads that respond to requests - # will be running at the same priority as interactive jobs. - COMMAND='chgjob job('$JOBNAME') runpty(6)' - system $COMMAND - - # Enable multi threading - export QIBM_MULTI_THREADED=Y -fi - -[ -r "$TOMCAT_CFG" ] && . "${TOMCAT_CFG}" - -### Set up defaults if they were omitted in TOMCAT_CFG -### JVM lookup -if [ -z "$JAVA_HOME" ]; then - # Search for java in PATH - JAVA=`which java` - if [ -z "$JAVA" ] ; then - JAVA_BINDIR=`dirname ${JAVA}` - JAVA_HOME="${JAVA_BINDIR}/.." 
- fi - # Default clean JAVA_HOME - [ -z "$JAVA_HOME" -a -d "/usr/lib/java" ] && JAVA_HOME="/usr/lib/java" - # Default IBM JAVA_HOME - [ -z "$JAVA_HOME" -a -d "/opt/IBMJava2-13" ] && \ - JAVA_HOME="/opt/IBMJava2-13" - [ -z "$JAVA_HOME" -a -d "/opt/IBMJava2-131" ] && \ - JAVA_HOME="/opt/IBMJava2-131" - [ -z "$JAVA_HOME" -a -d "/opt/IBMJava2-14" ] && \ - JAVA_HOME="/opt/IBMJava2-14" - [ -z "$JAVA_HOME" -a -d "/opt/IBMJava2-141" ] && \ - JAVA_HOME="/opt/IBMJava2-141" - # Another solution - [ -z "$JAVA_HOME" -a -d "/usr/java/jdk" ] && \ - JAVA_HOME="/usr/java/jdk" - # madeinlinux JAVA_HOME - [ -z "$JAVA_HOME" -a -d "/usr/local/jdk1.2.2" ] && \ - JAVA_HOME="/usr/local/jdk1.2.2" - # Kondara JAVA_HOME - [ -z "$JAVA_HOME" -a -d "/usr/lib/java/jdk1.2.2" ] && \ - JAVA_HOME="/usr/lib/java/jdk1.2.2" - # Other commonly found JAVA_HOMEs - [ -z "$JAVA_HOME" -a -d "/usr/jdk1.2" ] && JAVA_HOME="/usr/jdk1.2" - # Default Caldera JAVA_HOME - [ -z "$JAVA_HOME" -a -d "/opt/java-1.3" ] && \ - JAVA_HOME="/opt/java-1.3" - # Add other locations here - if [ -z "$JAVA_HOME" ]; then - echo "No JAVA_HOME specified in ${TOMCAT_CFG} and no java found" - exit 1 - else - echo "Found JAVA_HOME: ${JAVA_HOME}" - echo "Please complete your ${TOMCAT_CFG} so we won't have to look for it next time" - fi -fi - -# Set juli LogManager if it is present -if [ -r "$CATALINA_HOME"/bin/tomcat-juli.jar ]; then - JAVA_OPTS="$JAVA_OPTS "-Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager -fi - -# Set standard commands for invoking Java. 
-_RUNJAVA="$JAVA_HOME"/bin/java -_RUNJAVAC="$JAVA_HOME"/bin/javac -_RUNJDB="$JAVA_HOME"/bin/jdb - -# Set standard CLASSPATH -# (always inherit any preset values from the PKI start script) -if [ ${OS} = "Linux" ] ; then - # Checking for OpenJDK JVM - OPENJDK_JVM="`java -version 2>&1 | tail -1 | awk '{print $1};'`" - if [ "${OPENJDK_JVM}" = "OpenJDK" ] || - [ "${OPENJDK_JVM}" = "IcedTea" ]; then - # using OpenJDK - CLASSPATH="$CLASSPATH":"$JAVA_HOME"/lib/rt.jar - - # add required classes to the CLASSPATH for OpenJDK - CLASSPATH="$CLASSPATH":"$JAVADIR"/commons-collections.jar - else - # NOT using OpenJDK - CLASSPATH="$CLASSPATH":"$JAVA_HOME"/lib/tools.jar - fi -elif [ ${OS} = "SunOS" ] ; then - CLASSPATH="$CLASSPATH":"$JAVA_HOME"/lib/rt.jar -fi - -# Add on extra jar files to CLASSPATH -if [ -n "$JSSE_HOME" ]; then - CLASSPATH="$CLASSPATH":"$JSSE_HOME"/lib/jcert.jar:"$JSSE_HOME"/lib/jnet.jar:"$JSSE_HOME"/lib/jsse.jar -fi - -# JPackage JSSE location check -if [ -r "$JAVADIR/jsse/jcert.jar" ]; then - CLASSPATH="$CLASSPATH":"$JAVADIR"/jsse/jcert.jar:"$JAVADIR"/jsse/jnet.jar:"$JAVADIR"/jsse/jsse.jar -fi - -if [ ${OS} = "Linux" ] ; then - CLASSPATH="$CLASSPATH":"$CATALINA_HOME"/bin/bootstrap.jar:"$CATALINA_HOME"/bin/commons-logging-api.jar:`/usr/bin/build-classpath mx4j/mx4j-impl`:`/usr/bin/build-classpath mx4j/mx4j-jmx` - - # add jars in required components for velocity >= 1.6 (just in case) - VELOCITY=`rpm -q velocity|sed 's/velocity-\([0-9]*\)\.\([0-9]*\).*/\1\2/'` - if [ "$VELOCITY" -ge 16 ]; then - CLASSPATH="$CLASSPATH":`/usr/bin/build-classpath bcel hsqldb commons-collections commons-lang commons-logging commons-logging-api jdom junit oro servletapi5 werken.xpath` - fi - -elif [ ${OS} = "SunOS" ] ; then - # The following definitions are provided for Solaris - # platforms since they are unable to execute the - # "/usr/bin/build-classpath" and - # "/usr/share/java-utils/java-functions" files . . . 
- - CLASSPATH="$CLASSPATH":"$CATALINA_HOME"/bin/bootstrap.jar - CLASSPATH="$CLASSPATH":"$CATALINA_HOME"/bin/commons-logging-api.jar - CLASSPATH="$CLASSPATH":/usr/share/java/mx4j/mx4j-impl.jar - CLASSPATH="$CLASSPATH":/usr/share/java/mx4j/mx4j-jmx.jar - CLASSPATH="$CLASSPATH":/usr/share/java/pki/base.jar - CLASSPATH="$CLASSPATH":/usr/share/java/pki/certsrv.jar - CLASSPATH="$CLASSPATH":/usr/share/java/pki/cms.jar - CLASSPATH="$CLASSPATH":/usr/share/java/pki/cms72.jar - CLASSPATH="$CLASSPATH":/usr/share/java/pki/cms72_en.jar - CLASSPATH="$CLASSPATH":/usr/share/java/pki/cmsbundle.jar - CLASSPATH="$CLASSPATH":/usr/share/java/pki/cmscore.jar - CLASSPATH="$CLASSPATH":/usr/share/java/pki/cmsutil.jar - CLASSPATH="$CLASSPATH":/usr/share/java/pki/mcc70.jar - CLASSPATH="$CLASSPATH":/usr/share/java/pki/mcc70_en.jar - CLASSPATH="$CLASSPATH":/usr/share/java/pki/nmclf70.jar - CLASSPATH="$CLASSPATH":/usr/share/java/pki/nmclf70_en.jar - CLASSPATH="$CLASSPATH":/usr/share/java/pki/nsutil.jar - - if [ -f /usr/share/java/pkitools.jar ]; then - CLASSPATH="$CLASSPATH":/usr/share/java/pkitools.jar - elif [ -f /usr/share/java/cstools.jar ]; then - CLASSPATH="$CLASSPATH":/usr/share/java/cstools.jar - elif [ -f /usr/share/java/pki/cstools.jar ]; then - CLASSPATH="$CLASSPATH":/usr/share/java/pki/cstools.jar - fi - - if [ -f /usr/share/java/ca.jar ]; then - CLASSPATH="$CLASSPATH":/usr/share/java/ca.jar - elif [ -f /usr/share/java/pki/ca/ca.jar ]; then - CLASSPATH="$CLASSPATH":/usr/share/java/pki/ca/ca.jar - fi - if [ -f /usr/share/java/kra.jar ]; then - CLASSPATH="$CLASSPATH":/usr/share/java/kra.jar - elif [ -f /usr/share/java/pki/kra/kra.jar ]; then - CLASSPATH="$CLASSPATH":/usr/share/java/pki/kra/kra.jar - fi - if [ -f /usr/share/java/ocsp.jar ]; then - CLASSPATH="$CLASSPATH":/usr/share/java/ocsp.jar - elif [ -f /usr/share/java/pki/ocsp/ocsp.jar ]; then - CLASSPATH="$CLASSPATH":/usr/share/java/pki/ocsp/ocsp.jar - fi - if [ -f /usr/share/java/tks.jar ]; then - 
CLASSPATH="$CLASSPATH":/usr/share/java/tks.jar - elif [ -f /usr/share/java/pki/tks/tks.jar ]; then - CLASSPATH="$CLASSPATH":/usr/share/java/pki/tks/tks.jar - fi - - # add jars for velocity 1.6 (just in case) - CLASSPATH="$CLASSPATH":/usr/share/java/bcel.jar - CLASSPATH="$CLASSPATH":/usr/share/java/hsqldb.jar - CLASSPATH="$CLASSPATH":/usr/share/java/commons-collections.jar - CLASSPATH="$CLASSPATH":/usr/share/java/commons-lang.jar - CLASSPATH="$CLASSPATH":/usr/share/java/commons-logging.jar - CLASSPATH="$CLASSPATH":/usr/share/java/commons-logging-api.jar - CLASSPATH="$CLASSPATH":/usr/share/java/jdom.jar - CLASSPATH="$CLASSPATH":/usr/share/java/junit.jar - CLASSPATH="$CLASSPATH":/usr/share/java/oro.jar - CLASSPATH="$CLASSPATH":/usr/share/java/servletapi5.jar - CLASSPATH="$CLASSPATH":/usr/share/java/werken.xpath.jar - -fi - -if [ -z "$CATALINA_BASE" ] ; then - CATALINA_BASE="$CATALINA_HOME" -fi - -if [ -z "$CATALINA_TMPDIR" ] ; then - # Define the java.io.tmpdir to use for Catalina - CATALINA_TMPDIR="$CATALINA_BASE"/temp -fi - -if [ -z "$CATALINA_PID" ] ; then - export CATALINA_PID=/var/run/tomcat5.pid -fi - -# For Cygwin, switch paths to Windows format before running java -if $cygwin; then - JAVA_HOME=`cygpath --absolute --windows "$JAVA_HOME"` - JRE_HOME=`cygpath --absolute --windows "$JRE_HOME"` - CATALINA_HOME=`cygpath --absolute --windows "$CATALINA_HOME"` - CATALINA_BASE=`cygpath --absolute --windows "$CATALINA_BASE"` - CATALINA_TMPDIR=`cygpath --absolute --windows "$CATALINA_TMPDIR"` - CLASSPATH=`cygpath --path --windows "$CLASSPATH"` - [ -n "$JSSE_HOME" ] && JSSE_HOME=`cygpath --absolute --windows "$JSSE_HOME"` - JAVA_ENDORSED_DIRS=`cygpath --path --windows "$JAVA_ENDORSED_DIRS"` -fi - -# ----- Execute The Requested Command ----------------------------------------- -echo "Using CATALINA_PID $CATALINA_PID" -echo "Using CATALINA_BASE: $CATALINA_BASE" -echo "Using CATALINA_HOME: $CATALINA_HOME" -echo "Using CATALINA_TMPDIR: $CATALINA_TMPDIR" -if [ "$1" = "debug" 
-o "$1" = "javac" ] ; then - echo "Using JAVA_HOME: $JAVA_HOME" -else - echo "Using JRE_HOME: $JRE_HOME" -fi - -if [ "$1" = "jpda" ] ; then - if [ -z "$JPDA_TRANSPORT" ]; then - JPDA_TRANSPORT="dt_socket" - fi - if [ -z "$JPDA_ADDRESS" ]; then - JPDA_ADDRESS="8000" - fi - if [ -z "$JPDA_OPTS" ]; then - JPDA_OPTS="-Xdebug -Xrunjdwp:transport=$JPDA_TRANSPORT,address=$JPDA_ADDRESS,server=y,suspend=n" - fi - CATALINA_OPTS="$CATALINA_OPTS $JPDA_OPTS" - shift -fi - -if [ "$1" = "debug" ] ; then - if $os400; then - echo "Debug command not available on OS400" - exit 1 - else - shift - if [ "$1" = "-security" ] ; then - echo "Using Security Manager" - shift - exec "$_RUNJDB" $JAVA_OPTS $CATALINA_OPTS \ - -Djava.endorsed.dirs="$JAVA_ENDORSED_DIRS" -classpath "$CLASSPATH" \ - -sourcepath "$CATALINA_HOME"/../../jakarta-tomcat-catalina/catalina/src/share \ - -Djava.security.manager \ - -Djava.security.policy=="$CATALINA_BASE"/conf/catalina.policy \ - -Dcatalina.base="$CATALINA_BASE" \ - -Dcatalina.home="$CATALINA_HOME" \ - -Djava.io.tmpdir="$CATALINA_TMPDIR" \ - org.apache.catalina.startup.Bootstrap "$@" start - else - exec "$_RUNJDB" $JAVA_OPTS $CATALINA_OPTS \ - -Djava.endorsed.dirs="$JAVA_ENDORSED_DIRS" -classpath "$CLASSPATH" \ - -sourcepath "$CATALINA_HOME"/../../jakarta-tomcat-catalina/catalina/src/share \ - -Dcatalina.base="$CATALINA_BASE" \ - -Dcatalina.home="$CATALINA_HOME" \ - -Djava.io.tmpdir="$CATALINA_TMPDIR" \ - org.apache.catalina.startup.Bootstrap "$@" start - fi - fi - -elif [ "$1" = "run" ]; then - - shift - if [ "$1" = "-security" ] ; then - echo "Using Security Manager" - shift - exec "$_RUNJAVA" $JAVA_OPTS $CATALINA_OPTS \ - -Djava.endorsed.dirs="$JAVA_ENDORSED_DIRS" -classpath "$CLASSPATH" \ - -Djava.security.manager \ - -Djava.security.policy=="$CATALINA_BASE"/conf/catalina.policy \ - -Dcatalina.base="$CATALINA_BASE" \ - -Dcatalina.home="$CATALINA_HOME" \ - -Djava.io.tmpdir="$CATALINA_TMPDIR" \ - org.apache.catalina.startup.Bootstrap "$@" start - else - 
exec "$_RUNJAVA" $JAVA_OPTS $CATALINA_OPTS \ - -Djava.endorsed.dirs="$JAVA_ENDORSED_DIRS" -classpath "$CLASSPATH" \ - -Dcatalina.base="$CATALINA_BASE" \ - -Dcatalina.home="$CATALINA_HOME" \ - -Djava.io.tmpdir="$CATALINA_TMPDIR" \ - org.apache.catalina.startup.Bootstrap "$@" start - fi - -elif [ "$1" = "start" ] ; then - - shift - touch "$CATALINA_BASE"/logs/catalina.out - if [ "$1" = "-security" ] ; then - echo "Using Security Manager" - shift - "$_RUNJAVA" $JAVA_OPTS $CATALINA_OPTS \ - -Djava.endorsed.dirs="$JAVA_ENDORSED_DIRS" -classpath "$CLASSPATH" \ - -Djava.security.manager \ - -Djava.security.policy=="$CATALINA_BASE"/conf/catalina.policy \ - -Dcatalina.base="$CATALINA_BASE" \ - -Dcatalina.home="$CATALINA_HOME" \ - -Djava.io.tmpdir="$CATALINA_TMPDIR" \ - org.apache.catalina.startup.Bootstrap "$@" start \ - >> "$CATALINA_BASE"/logs/catalina.out 2>&1 & - - if [ ! -z "$CATALINA_PID" ]; then - echo $! > $CATALINA_PID - fi - else - "$_RUNJAVA" $JAVA_OPTS $CATALINA_OPTS \ - -Djava.endorsed.dirs="$JAVA_ENDORSED_DIRS" -classpath "$CLASSPATH" \ - -Dcatalina.base="$CATALINA_BASE" \ - -Dcatalina.home="$CATALINA_HOME" \ - -Djava.io.tmpdir="$CATALINA_TMPDIR" \ - org.apache.catalina.startup.Bootstrap "$@" start \ - >> "$CATALINA_BASE"/logs/catalina.out 2>&1 & - - if [ ! -z "$CATALINA_PID" ]; then - echo $! > $CATALINA_PID - fi - fi - -elif [ "$1" = "stop" ] ; then - - shift - FORCE=0 - if [ "$1" = "-force" ]; then - shift - FORCE=1 - fi - - "$_RUNJAVA" $JAVA_OPTS $CATALINA_OPTS \ - -Djava.endorsed.dirs="$JAVA_ENDORSED_DIRS" -classpath "$CLASSPATH" \ - -Dcatalina.base="$CATALINA_BASE" \ - -Dcatalina.home="$CATALINA_HOME" \ - -Djava.io.tmpdir="$CATALINA_TMPDIR" \ - org.apache.catalina.startup.Bootstrap "$@" stop - - if [ $FORCE -eq 1 ]; then - if [ ! 
-z "$CATALINA_PID" ]; then - echo "Killing: `cat $CATALINA_PID`" - kill -9 `cat $CATALINA_PID` - fi - fi - -elif [ "$1" = "version" ] ; then - - "$_RUNJAVA" \ - -classpath "$CATALINA_HOME/server/lib/catalina.jar" \ - org.apache.catalina.util.ServerInfo - -else - - echo "Usage: dtomcat5 ( commands ... )" - echo "commands:" - if $os400; then - echo " debug Start Catalina in a debugger (not available on OS400)" - echo " debug -security Debug Catalina with a security manager (not available on OS400)" - else - echo " debug Start Catalina in a debugger" - echo " debug -security Debug Catalina with a security manager" - fi - echo " jpda start Start Catalina under JPDA debugger" - echo " run Start Catalina in the current window" - echo " run -security Start in the current window with security manager" - echo " start Start Catalina in a separate window" - echo " start -security Start in a separate window with security manager" - echo " stop Stop Catalina" - echo " stop -force Stop Catalina (followed by kill -KILL)" - echo " version What version of tomcat are you running?" - exit 1 - -fi diff --git a/pki/base/kra/shared/conf/logging.properties b/pki/base/kra/shared/conf/logging.properties new file mode 100644 index 000000000..796cfc071 --- /dev/null +++ b/pki/base/kra/shared/conf/logging.properties 
@@ -0,0 +1,70 @@
+# --- BEGIN COPYRIGHT BLOCK ---
+# Copyright (C) 2006-2010 Red Hat, Inc.
+# All rights reserved.
+# Modifications: configuration parameters
+# --- END COPYRIGHT BLOCK ---
+
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+handlers = 1catalina.org.apache.juli.FileHandler, 2localhost.org.apache.juli.FileHandler, 3manager.org.apache.juli.FileHandler, 4host-manager.org.apache.juli.FileHandler, java.util.logging.ConsoleHandler
+
+.handlers = 1catalina.org.apache.juli.FileHandler, java.util.logging.ConsoleHandler
+
+############################################################
+# Handler specific properties.
+# Describes specific configuration info for Handlers.
+############################################################
+
+1catalina.org.apache.juli.FileHandler.level = FINE
+1catalina.org.apache.juli.FileHandler.directory = ${catalina.base}/logs
+1catalina.org.apache.juli.FileHandler.prefix = catalina.
+
+2localhost.org.apache.juli.FileHandler.level = FINE
+2localhost.org.apache.juli.FileHandler.directory = ${catalina.base}/logs
+2localhost.org.apache.juli.FileHandler.prefix = localhost.
+
+3manager.org.apache.juli.FileHandler.level = FINE
+3manager.org.apache.juli.FileHandler.directory = ${catalina.base}/logs
+3manager.org.apache.juli.FileHandler.prefix = manager.
+
+4host-manager.org.apache.juli.FileHandler.level = FINE
+4host-manager.org.apache.juli.FileHandler.directory = ${catalina.base}/logs
+4host-manager.org.apache.juli.FileHandler.prefix = host-manager.
+
+java.util.logging.ConsoleHandler.level = FINE
+java.util.logging.ConsoleHandler.formatter = java.util.logging.SimpleFormatter
+
+
+############################################################
+# Facility specific properties.
+# Provides extra control for each logger.
+############################################################
+
+org.apache.catalina.core.ContainerBase.[Catalina].[localhost].level = INFO
+org.apache.catalina.core.ContainerBase.[Catalina].[localhost].handlers = 2localhost.org.apache.juli.FileHandler
+
+org.apache.catalina.core.ContainerBase.[Catalina].[localhost].[/manager].level = INFO
+org.apache.catalina.core.ContainerBase.[Catalina].[localhost].[/manager].handlers = 3manager.org.apache.juli.FileHandler
+
+org.apache.catalina.core.ContainerBase.[Catalina].[localhost].[/host-manager].level = INFO
+org.apache.catalina.core.ContainerBase.[Catalina].[localhost].[/host-manager].handlers = 4host-manager.org.apache.juli.FileHandler
+
+# For example, set the com.xyz.foo logger to only log SEVERE
+# messages:
+#org.apache.catalina.startup.ContextConfig.level = FINE
+#org.apache.catalina.startup.HostConfig.level = FINE
+#org.apache.catalina.session.ManagerBase.level = FINE
+#org.apache.catalina.core.AprLifecycleListener.level=FINE
diff --git a/pki/base/kra/shared/conf/server.xml b/pki/base/kra/shared/conf/server.xml
index 71b433bef..9a24cfa44 100644
--- a/pki/base/kra/shared/conf/server.xml
+++ b/pki/base/kra/shared/conf/server.xml
@@ -1,208 +1,196 @@ -<!-- Example Server Configuration File --> -<!-- Note that component elements are nested corresponding to their - parent-child relationships with each other --> - -<!-- A "Server" is a singleton element that represents the entire JVM, - which may contain one or more "Service" instances. The Server - listens for a shutdown command on the indicated port. - - Note: A "Server" is not itself a "Container", so you may not - define subcomponents such as "Valves" or "Loggers" at this level. +<?xml version='1.0' encoding='utf-8'?> +<!-- BEGIN COPYRIGHT BLOCK + Copyright (C) 2006-2010 Red Hat, Inc. + All rights reserved. + Modifications: configuration parameters + END COPYRIGHT BLOCK --> +<!-- + Licensed to the Apache Software Foundation (ASF) under one or more + contributor license agreements. See the NOTICE file distributed with + this work for additional information regarding copyright ownership. + The ASF licenses this file to You under the Apache License, Version 2.0 + (the "License"); you may not use this file except in compliance with + the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. +--> +<!-- Note: A "Server" is not itself a "Container", so you may not + define subcomponents such as "Valves" at this level. 
+ Documentation at /docs/config/server.html --> <!-- DO NOT REMOVE - Begin PKI Status Definitions --> <!-- -Unsecure Port = http://[PKI_MACHINE_NAME]:[PKI_UNSECURE_PORT]/[PKI_SUBSYSTEM_TYPE]/ee/[PKI_SUBSYSTEM_TYPE] -Secure Agent Port = https://[PKI_MACHINE_NAME]:[PKI_AGENT_SECURE_PORT]/[PKI_SUBSYSTEM_TYPE]/agent/[PKI_SUBSYSTEM_TYPE] -Secure EE Port = https://[PKI_MACHINE_NAME]:[PKI_EE_SECURE_PORT]/[PKI_SUBSYSTEM_TYPE]/ee/[PKI_SUBSYSTEM_TYPE] -Secure Admin Port = https://[PKI_MACHINE_NAME]:[PKI_ADMIN_SECURE_PORT]/[PKI_SUBSYSTEM_TYPE]/services -PKI Console Port = pkiconsole https://[PKI_MACHINE_NAME]:[PKI_ADMIN_SECURE_PORT]/[PKI_SUBSYSTEM_TYPE] -Tomcat Port = [TOMCAT_SERVER_PORT] (for shutdown) +Unsecure Port = http://[PKI_MACHINE_NAME]:[PKI_UNSECURE_PORT]/[PKI_SUBSYSTEM_TYPE]/ee/[PKI_SUBSYSTEM_TYPE] +Secure Agent Port = https://[PKI_MACHINE_NAME]:[PKI_AGENT_SECURE_PORT]/[PKI_SUBSYSTEM_TYPE]/agent/[PKI_SUBSYSTEM_TYPE] +Secure EE Port = https://[PKI_MACHINE_NAME]:[PKI_EE_SECURE_PORT]/[PKI_SUBSYSTEM_TYPE]/ee/[PKI_SUBSYSTEM_TYPE] +Secure Admin Port = https://[PKI_MACHINE_NAME]:[PKI_ADMIN_SECURE_PORT]/[PKI_SUBSYSTEM_TYPE]/services +PKI Console Port = pkiconsole https://[PKI_MACHINE_NAME]:[PKI_ADMIN_SECURE_PORT]/[PKI_SUBSYSTEM_TYPE] +Tomcat Port = [TOMCAT_SERVER_PORT] (for shutdown) --> <!-- DO NOT REMOVE - End PKI Status Definitions --> <Server port="[TOMCAT_SERVER_PORT]" shutdown="SHUTDOWN"> - <!-- Comment these entries out to disable JMX MBeans support used for the - administration web application --> + <!--APR library loader. Documentation at /docs/apr.html --> + <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" /> + <!--Initialize Jasper prior to webapps are loaded. Documentation at /docs/jasper-howto.html --> + <Listener className="org.apache.catalina.core.JasperListener" /> + <!-- JMX Support for the Tomcat server. 
Documentation at /docs/non-existent.html --> <Listener className="org.apache.catalina.mbeans.ServerLifecycleListener" /> <Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener" /> - <Listener className="org.apache.catalina.storeconfig.StoreConfigLifecycleListener"/> - <!-- Global JNDI resources --> + <!-- Global JNDI resources + Documentation at /docs/jndi-resources-howto.html + --> <GlobalNamingResources> - - <!-- Test entry for demonstration purposes --> - <Environment name="simpleValue" type="java.lang.Integer" value="30"/> - <!-- Editable user database that can also be used by - UserDatabaseRealm to authenticate users --> + UserDatabaseRealm to authenticate users + --> <Resource name="UserDatabase" auth="Container" type="org.apache.catalina.UserDatabase" - description="User database that can be updated and saved" - factory="org.apache.catalina.users.MemoryUserDatabaseFactory" - pathname="conf/tomcat-users.xml" /> - + description="User database that can be updated and saved" + factory="org.apache.catalina.users.MemoryUserDatabaseFactory" + pathname="conf/tomcat-users.xml" /> </GlobalNamingResources> <!-- A "Service" is a collection of one or more "Connectors" that share - a single "Container" (and therefore the web applications visible - within that Container). Normally, that Container is an "Engine", - but this is not required. - - Note: A "Service" is not itself a "Container", so you may not - define subcomponents such as "Valves" or "Loggers" at this level. + a single "Container" Note: A "Service" is not itself a "Container", + so you may not define subcomponents such as "Valves" at this level. 
+ Documentation at /docs/config/service.html --> - - <!-- Define the Tomcat Stand-Alone Service --> <Service name="Catalina"> - + + <!--The connectors can use a shared executor, you can define one or more named thread pools--> + <!-- + <Executor name="tomcatThreadPool" namePrefix="catalina-exec-" + maxThreads="150" minSpareThreads="4"/> + --> + + <!-- A "Connector" represents an endpoint by which requests are received - and responses are returned. Each Connector passes requests on to the - associated "Container" (normally an Engine) for processing. - - By default, a non-SSL HTTP/1.1 Connector is established on port 8080. - You can also enable an SSL HTTP/1.1 Connector on port 8443 by - following the instructions below and uncommenting the second Connector - entry. SSL support requires the following steps (see the SSL Config - HOWTO in the Tomcat 5 documentation bundle for more detailed - instructions): - * If your JDK version 1.3 or prior, download and install JSSE 1.0.2 or - later, and put the JAR files into "$JAVA_HOME/jre/lib/ext". - * Execute: - %JAVA_HOME%\bin\keytool -genkey -alias tomcat -keyalg RSA (Windows) - $JAVA_HOME/bin/keytool -genkey -alias tomcat -keyalg RSA (Unix) - with a password value of "changeit" for both the certificate and - the keystore itself. - - By default, DNS lookups are enabled when a web application calls - request.getRemoteHost(). This can have an adverse impact on - performance, so you can disable it by setting the - "enableLookups" attribute to "false". When DNS lookups are disabled, - request.getRemoteHost() will return the String version of the - IP address of the remote client. + and responses are returned. 
Documentation at : + Java HTTP Connector: /docs/config/http.html (blocking & non-blocking) + Java AJP Connector: /docs/config/ajp.html + APR (HTTP/AJP) Connector: /docs/apr.html + Define a non-SSL HTTP/1.1 Connector on port 8080 --> -<!-- Define a non-SSL HTTP/1.1 Connector on port 8080 --> -[PKI_UNSECURE_PORT_SERVER_COMMENT] -<Connector name="[PKI_UNSECURE_PORT_CONNECTOR_NAME]" port="[PKI_UNSECURE_PORT]" maxHttpHeaderSize="8192" - maxThreads="150" minSpareThreads="25" maxSpareThreads="75" - enableLookups="false" redirectPort="8443" acceptCount="100" - connectionTimeout="20000" disableUploadTimeout="true"/> - - -<!-- Define a SSL HTTP/1.1 Connector on port 8443 --> -[PKI_SECURE_PORT_SERVER_COMMENT] -<!-- DO NOT REMOVE - Begin define PKI secure port --> -<Connector name="[PKI_SECURE_PORT_CONNECTOR_NAME]" port="[PKI_SECURE_PORT]" maxHttpHeaderSize="8192" - maxThreads="150" minSpareThreads="25" maxSpareThreads="75" - enableLookups="false" disableUploadTimeout="true" - acceptCount="100" scheme="https" secure="true" - clientAuth="[PKI_AGENT_CLIENTAUTH]" sslProtocol="SSL" - sslOptions="ssl2=false,ssl3=true,tls=true" - ssl2Ciphers="-SSL2_RC4_128_WITH_MD5,-SSL2_RC4_128_EXPORT40_WITH_MD5,-SSL2_RC2_128_CBC_WITH_MD5,-SSL2_RC2_128_CBC_EXPORT40_WITH_MD5,-SSL2_DES_64_CBC_WITH_MD5,-SSL2_DES_192_EDE3_CBC_WITH_MD5" - ssl3Ciphers="-SSL3_FORTEZZA_DMS_WITH_NULL_SHA,-SSL3_FORTEZZA_DMS_WITH_RC4_128_SHA,+SSL3_RSA_WITH_RC4_128_SHA,-SSL3_RSA_EXPORT_WITH_RC4_40_MD5,+SSL3_RSA_WITH_3DES_EDE_CBC_SHA,+SSL3_RSA_WITH_DES_CBC_SHA,-SSL3_RSA_EXPORT_WITH_RC2_CBC_40_MD5,-SSL3_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA,-SSL_RSA_FIPS_WITH_DES_CBC_SHA,+SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA,-SSL3_RSA_WITH_NULL_MD5,-TLS_RSA_EXPORT1024_WITH_RC4_56_SHA,-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA" - 
tls3Ciphers="-SSL3_FORTEZZA_DMS_WITH_NULL_SHA,-SSL3_FORTEZZA_DMS_WITH_RC4_128_SHA,+SSL3_RSA_WITH_RC4_128_SHA,-SSL3_RSA_EXPORT_WITH_RC4_40_MD5,+SSL3_RSA_WITH_3DES_EDE_CBC_SHA,+SSL3_RSA_WITH_DES_CBC_SHA,-SSL3_RSA_EXPORT_WITH_RC2_CBC_40_MD5,-SSL3_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA,-SSL_RSA_FIPS_WITH_DES_CBC_SHA,+SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA,-SSL3_RSA_WITH_NULL_MD5,-TLS_RSA_EXPORT1024_WITH_RC4_56_SHA,-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA" - SSLImplementation="org.apache.tomcat.util.net.jss.JSSImplementation" - serverCertNickFile="[PKI_INSTANCE_PATH]/conf/serverCertNick.conf" - passwordFile="[PKI_INSTANCE_PATH]/conf/password.conf" - passwordClass="org.apache.tomcat.util.net.jss.PlainPasswordFile" - certdbDir="[PKI_INSTANCE_PATH]/alias"/> -<!-- DO NOT REMOVE - End define PKI secure port --> - -[PKI_OPEN_SEPARATE_PORTS_SERVER_COMMENT][PKI_ADMIN_SECURE_PORT_SERVER_COMMENT] -<Connector name="[PKI_ADMIN_SECURE_PORT_CONNECTOR_NAME]" port="[PKI_ADMIN_SECURE_PORT]" maxHttpHeaderSize="8192" - maxThreads="150" minSpareThreads="25" maxSpareThreads="75" - enableLookups="false" disableUploadTimeout="true" - acceptCount="100" scheme="https" secure="true" - clientAuth="false" sslProtocol="SSL" - sslOptions="ssl2=false,ssl3=true,tls=true" - ssl2Ciphers="-SSL2_RC4_128_WITH_MD5,-SSL2_RC4_128_EXPORT40_WITH_MD5,-SSL2_RC2_128_CBC_WITH_MD5,-SSL2_RC2_128_CBC_EXPORT40_WITH_MD5,-SSL2_DES_64_CBC_WITH_MD5,-SSL2_DES_192_EDE3_CBC_WITH_MD5" - ssl3Ciphers="-SSL3_FORTEZZA_DMS_WITH_NULL_SHA,-SSL3_FORTEZZA_DMS_WITH_RC4_128_SHA,+SSL3_RSA_WITH_RC4_128_SHA,-SSL3_RSA_EXPORT_WITH_RC4_40_MD5,+SSL3_RSA_WITH_3DES_EDE_CBC_SHA,+SSL3_RSA_WITH_DES_CBC_SHA,-SSL3_RSA_EXPORT_WITH_RC2_CBC_40_MD5,-SSL3_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA,-SSL_RSA_FIPS_WITH_DES_CBC_SHA,+SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA,-SSL3_RSA_WITH_NULL_MD5,-TLS_RSA_EXPORT1024_WITH_RC4_56_SHA,-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA" - 
tls3Ciphers="-SSL3_FORTEZZA_DMS_WITH_NULL_SHA,-SSL3_FORTEZZA_DMS_WITH_RC4_128_SHA,+SSL3_RSA_WITH_RC4_128_SHA,-SSL3_RSA_EXPORT_WITH_RC4_40_MD5,+SSL3_RSA_WITH_3DES_EDE_CBC_SHA,+SSL3_RSA_WITH_DES_CBC_SHA,-SSL3_RSA_EXPORT_WITH_RC2_CBC_40_MD5,-SSL3_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA,-SSL_RSA_FIPS_WITH_DES_CBC_SHA,+SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA,-SSL3_RSA_WITH_NULL_MD5,-TLS_RSA_EXPORT1024_WITH_RC4_56_SHA,-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA" - SSLImplementation="org.apache.tomcat.util.net.jss.JSSImplementation" - serverCertNickFile="[PKI_INSTANCE_PATH]/conf/serverCertNick.conf" - passwordFile="[PKI_INSTANCE_PATH]/conf/password.conf" - passwordClass="org.apache.tomcat.util.net.jss.PlainPasswordFile" - certdbDir="[PKI_INSTANCE_PATH]/alias"/> -[PKI_CLOSE_SEPARATE_PORTS_SERVER_COMMENT] - -[PKI_OPEN_SEPARATE_PORTS_SERVER_COMMENT][PKI_EE_SECURE_PORT_SERVER_COMMENT] -<Connector name="[PKI_EE_SECURE_PORT_CONNECTOR_NAME]" port="[PKI_EE_SECURE_PORT]" maxHttpHeaderSize="8192" - maxThreads="150" minSpareThreads="25" maxSpareThreads="75" - enableLookups="false" disableUploadTimeout="true" - acceptCount="100" scheme="https" secure="true" - clientAuth="false" sslProtocol="SSL" - sslOptions="ssl2=false,ssl3=true,tls=true" - ssl2Ciphers="-SSL2_RC4_128_WITH_MD5,-SSL2_RC4_128_EXPORT40_WITH_MD5,-SSL2_RC2_128_CBC_WITH_MD5,-SSL2_RC2_128_CBC_EXPORT40_WITH_MD5,-SSL2_DES_64_CBC_WITH_MD5,-SSL2_DES_192_EDE3_CBC_WITH_MD5" - ssl3Ciphers="-SSL3_FORTEZZA_DMS_WITH_NULL_SHA,-SSL3_FORTEZZA_DMS_WITH_RC4_128_SHA,+SSL3_RSA_WITH_RC4_128_SHA,-SSL3_RSA_EXPORT_WITH_RC4_40_MD5,+SSL3_RSA_WITH_3DES_EDE_CBC_SHA,+SSL3_RSA_WITH_DES_CBC_SHA,-SSL3_RSA_EXPORT_WITH_RC2_CBC_40_MD5,-SSL3_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA,-SSL_RSA_FIPS_WITH_DES_CBC_SHA,+SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA,-SSL3_RSA_WITH_NULL_MD5,-TLS_RSA_EXPORT1024_WITH_RC4_56_SHA,-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA" - 
tls3Ciphers="-SSL3_FORTEZZA_DMS_WITH_NULL_SHA,-SSL3_FORTEZZA_DMS_WITH_RC4_128_SHA,+SSL3_RSA_WITH_RC4_128_SHA,-SSL3_RSA_EXPORT_WITH_RC4_40_MD5,+SSL3_RSA_WITH_3DES_EDE_CBC_SHA,+SSL3_RSA_WITH_DES_CBC_SHA,-SSL3_RSA_EXPORT_WITH_RC2_CBC_40_MD5,-SSL3_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA,-SSL_RSA_FIPS_WITH_DES_CBC_SHA,+SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA,-SSL3_RSA_WITH_NULL_MD5,-TLS_RSA_EXPORT1024_WITH_RC4_56_SHA,-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA" - SSLImplementation="org.apache.tomcat.util.net.jss.JSSImplementation" - serverCertNickFile="[PKI_INSTANCE_PATH]/conf/serverCertNick.conf" - passwordFile="[PKI_INSTANCE_PATH]/conf/password.conf" - passwordClass="org.apache.tomcat.util.net.jss.PlainPasswordFile" - certdbDir="[PKI_INSTANCE_PATH]/alias"/> -[PKI_CLOSE_SEPARATE_PORTS_SERVER_COMMENT] - - <!-- Note : To disable connection timeouts, set connectionTimeout value - to 0 --> - - <!-- Note : To use gzip compression you could set the following properties : - - compression="on" - compressionMinSize="2048" - noCompressionUserAgents="gozilla, traviata" - compressableMimeType="text/html,text/xml" - --> - + [PKI_UNSECURE_PORT_SERVER_COMMENT] + <Connector name="[PKI_UNSECURE_PORT_CONNECTOR_NAME]" port="[PKI_UNSECURE_PORT]" protocol="HTTP/1.1" redirectPort="8443" + maxHttpHeaderSize="8192" + acceptCount="100" maxThreads="150" minSpareThreads="25" maxSpareThreads="75" + enableLookups="false" connectionTimeout="20000" disableUploadTimeout="true" + /> + + <!-- Define a SSL HTTP/1.1 Connector on port 8443 --> + [PKI_SECURE_PORT_SERVER_COMMENT] + <!-- DO NOT REMOVE - Begin define PKI secure port --> + <Connector name="[PKI_SECURE_PORT_CONNECTOR_NAME]" port="[PKI_SECURE_PORT]" protocol="HTTP/1.1" SSLEnabled="true" sslProtocol="SSL" scheme="https" secure="true" + maxHttpHeaderSize="8192" + acceptCount="100" maxThreads="150" minSpareThreads="25" maxSpareThreads="75" + enableLookups="false" connectionTimeout="20000" disableUploadTimeout="true" + 
SSLImplementation="org.apache.tomcat.util.net.jss.JSSImplementation" + clientAuth="[PKI_AGENT_CLIENTAUTH]" + sslOptions="[TOMCAT_SSL_OPTIONS]" + ssl2Ciphers="[TOMCAT_SSL2_CIPHERS]" + ssl3Ciphers="[TOMCAT_SSL3_CIPHERS]" + tls3Ciphers="[TOMCAT_TLS3_CIPHERS]" + serverCertNickFile="[PKI_INSTANCE_PATH]/conf/serverCertNick.conf" + passwordFile="[PKI_INSTANCE_PATH]/conf/password.conf" + passwordClass="org.apache.tomcat.util.net.jss.PlainPasswordFile" + certdbDir="[PKI_INSTANCE_PATH]/alias" + /> + <!-- DO NOT REMOVE - End define PKI secure port --> + + [PKI_OPEN_SEPARATE_PORTS_SERVER_COMMENT][PKI_ADMIN_SECURE_PORT_SERVER_COMMENT] + <Connector name="[PKI_ADMIN_SECURE_PORT_CONNECTOR_NAME]" port="[PKI_ADMIN_SECURE_PORT]" SSLEnabled="true" sslProtocol="SSL" scheme="https" secure="true" + maxHttpHeaderSize="8192" + acceptCount="100" maxThreads="150" minSpareThreads="25" maxSpareThreads="75" + enableLookups="false" disableUploadTimeout="true" + SSLImplementation="org.apache.tomcat.util.net.jss.JSSImplementation" + clientAuth="false" + sslOptions="[TOMCAT_SSL_OPTIONS]" + ssl2Ciphers="[TOMCAT_SSL2_CIPHERS]" + ssl3Ciphers="[TOMCAT_SSL3_CIPHERS]" + tls3Ciphers="[TOMCAT_TLS3_CIPHERS]" + serverCertNickFile="[PKI_INSTANCE_PATH]/conf/serverCertNick.conf" + passwordFile="[PKI_INSTANCE_PATH]/conf/password.conf" + passwordClass="org.apache.tomcat.util.net.jss.PlainPasswordFile" + certdbDir="[PKI_INSTANCE_PATH]/alias"/> + [PKI_CLOSE_SEPARATE_PORTS_SERVER_COMMENT] + + [PKI_OPEN_SEPARATE_PORTS_SERVER_COMMENT][PKI_EE_SECURE_PORT_SERVER_COMMENT] + <Connector name="[PKI_EE_SECURE_PORT_CONNECTOR_NAME]" port="[PKI_EE_SECURE_PORT]" SSLEnabled="true" sslProtocol="SSL" scheme="https" secure="true" + maxHttpHeaderSize="8192" + acceptCount="100" maxThreads="150" minSpareThreads="25" maxSpareThreads="75" + enableLookups="false" connectionTimeout="20000" disableUploadTimeout="true" + SSLImplementation="org.apache.tomcat.util.net.jss.JSSImplementation" + clientAuth="false" + 
sslOptions="[TOMCAT_SSL_OPTIONS]" + ssl2Ciphers="[TOMCAT_SSL2_CIPHERS]" + ssl3Ciphers="[TOMCAT_SSL3_CIPHERS]" + tls3Ciphers="[TOMCAT_TLS3_CIPHERS]" + serverCertNickFile="[PKI_INSTANCE_PATH]/conf/serverCertNick.conf" + passwordFile="[PKI_INSTANCE_PATH]/conf/password.conf" + passwordClass="org.apache.tomcat.util.net.jss.PlainPasswordFile" + certdbDir="[PKI_INSTANCE_PATH]/alias"/> + [PKI_CLOSE_SEPARATE_PORTS_SERVER_COMMENT] + + <!-- A "Connector" using the shared thread pool--> + <!-- + <Connector executor="tomcatThreadPool" + port="8080" protocol="HTTP/1.1" + connectionTimeout="20000" + redirectPort="8443" /> + --> + <!-- Define a SSL HTTP/1.1 Connector on port 8443 + This connector uses the JSSE configuration, when using APR, the + connector should be using the OpenSSL style configuration + described in the APR documentation --> + <!-- + <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" + maxThreads="150" scheme="https" secure="true" + clientAuth="false" sslProtocol="TLS" /> + --> <!-- Define an AJP 1.3 Connector on port 8009 --> <!-- - <Connector port="8009" - enableLookups="false" redirectPort="8443" protocol="AJP/1.3" /> + <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" /> --> - <!-- Define a Proxied HTTP/1.1 Connector on port 8082 --> - <!-- See proxy documentation for more information about using this. --> - <!-- - <Connector port="8082" - maxThreads="150" minSpareThreads="25" maxSpareThreads="75" - enableLookups="false" acceptCount="100" connectionTimeout="20000" - proxyPort="80" disableUploadTimeout="true" /> - --> <!-- An Engine represents the entry point (within Catalina) that processes every request. The Engine implementation for Tomcat stand alone analyzes the HTTP headers included with the request, and passes them - on to the appropriate Host (virtual host). --> + on to the appropriate Host (virtual host). 
+ Documentation at /docs/config/engine.html --> <!-- You should set jvmRoute to support load-balancing via AJP ie : - <Engine name="Standalone" defaultHost="localhost" jvmRoute="jvm1"> + <Engine name="Catalina" defaultHost="localhost" jvmRoute="jvm1"> --> - - <!-- Define the top level container in our container hierarchy --> <Engine name="Catalina" defaultHost="localhost"> - <!-- The request dumper valve dumps useful debugging information about - the request headers and cookies that were received, and the response - headers and cookies that were sent, for all requests received by - this instance of Tomcat. If you care only about requests to a - particular virtual host, or a particular application, nest this - element inside the corresponding <Host> or <Context> entry instead. - - For a similar mechanism that is portable to all Servlet 2.4 - containers, check out the "RequestDumperFilter" Filter in the - example application (the source for this filter may be found in - "$CATALINA_HOME/webapps/examples/WEB-INF/classes/filters"). + <!--For clustering, please take a look at documentation at: + /docs/cluster-howto.html (simple how to) + /docs/config/cluster.html (reference documentation) --> + <!-- + <Cluster className="org.apache.catalina.ha.tcp.SimpleTcpCluster"/> + --> - Request dumping is disabled by default. Uncomment the following - element to enable it. --> + <!-- The request dumper valve dumps useful debugging information about + the request and response data received and sent by Tomcat. + Documentation at: /docs/config/valve.html --> <!-- <Valve className="org.apache.catalina.valves.RequestDumperValve"/> --> - <!-- Because this Realm is here, an instance will be shared globally --> - <!-- This Realm uses the UserDatabase configured in the global JNDI resources under the key "UserDatabase". Any edits that are performed against this UserDatabase are immediately 
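Review bot: The four Connector definitions added in this hunk are not consistent with each other: `[PKI_ADMIN_SECURE_PORT_CONNECTOR_NAME]` and `[PKI_EE_SECURE_PORT_CONNECTOR_NAME]` omit the `protocol="HTTP/1.1"` attribute that the unsecure and `[PKI_SECURE_PORT_CONNECTOR_NAME]` connectors carry, and the admin connector additionally omits `connectionTimeout="20000"`, so idle connections on the admin port fall back to Tomcat's connector default instead of the 20 s bound the other three get. The blocks look copy-pasted and presumably are meant to differ only in name, port and `clientAuth`; adding `protocol="HTTP/1.1"` to both and `connectionTimeout="20000"` to the admin connector would keep them in step. Separately, `<Server port="[TOMCAT_SERVER_PORT]" shutdown="SHUTDOWN">` keeps Tomcat's well-known default shutdown command string; since the shutdown port is already substituted per instance, the same setup step could substitute a per-instance random token for `shutdown` so that the ability to reach the port alone is not enough to stop the KRA.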
@@ -210,229 +198,27 @@ Tomcat Port = [TOMCAT_SERVER_PORT] (for shutdown) <Realm className="org.apache.catalina.realm.UserDatabaseRealm" resourceName="UserDatabase"/> - <!-- Comment out the old realm but leave here for now in case we - need to go back quickly --> - <!-- - <Realm className="org.apache.catalina.realm.MemoryRealm" /> - --> - - <!-- Replace the above Realm with one of the following to get a Realm - stored in a database and accessed via JDBC --> - - <!-- - <Realm className="org.apache.catalina.realm.JDBCRealm" - driverName="org.gjt.mm.mysql.Driver" - connectionURL="jdbc:mysql://localhost/authority" - connectionName="test" connectionPassword="test" - userTable="users" userNameCol="user_name" userCredCol="user_pass" - userRoleTable="user_roles" roleNameCol="role_name" /> - --> - - <!-- - <Realm className="org.apache.catalina.realm.JDBCRealm" - driverName="oracle.jdbc.driver.OracleDriver" - connectionURL="jdbc:oracle:thin:@ntserver:1521:ORCL" - connectionName="scott" connectionPassword="tiger" - userTable="users" userNameCol="user_name" userCredCol="user_pass" - userRoleTable="user_roles" roleNameCol="role_name" /> - --> - - <!-- - <Realm className="org.apache.catalina.realm.JDBCRealm" - driverName="sun.jdbc.odbc.JdbcOdbcDriver" - connectionURL="jdbc:odbc:CATALINA" - userTable="users" userNameCol="user_name" userCredCol="user_pass" - userRoleTable="user_roles" roleNameCol="role_name" /> - --> - <!-- Define the default virtual host Note: XML Schema validation will not work with Xerces 2.2. --> - <Host name="localhost" appBase="webapps" - unpackWARs="true" autoDeploy="false" - xmlValidation="false" xmlNamespaceAware="false"> - - <!-- Defines a cluster for this node, - By defining this element, means that every manager will be changed. - So when running a cluster, only make sure that you have webapps in there - that need to be clustered and remove the other ones. 
- A cluster has the following parameters: - - className = the fully qualified name of the cluster class - - name = a descriptive name for your cluster, can be anything - - mcastAddr = the multicast address, has to be the same for all the nodes - - mcastPort = the multicast port, has to be the same for all the nodes - - mcastBindAddr = bind the multicast socket to a specific address - - mcastTTL = the multicast TTL if you want to limit your broadcast - - mcastSoTimeout = the multicast readtimeout - - mcastFrequency = the number of milliseconds in between sending a "I'm alive" heartbeat + <Host name="localhost" appBase="webapps" + unpackWARs="true" autoDeploy="false" + xmlValidation="false" xmlNamespaceAware="false"> - mcastDropTime = the number a milliseconds before a node is considered "dead" if no heartbeat is received - - tcpThreadCount = the number of threads to handle incoming replication requests, optimal would be the same amount of threads as nodes - - tcpListenAddress = the listen address (bind address) for TCP cluster request on this host, - in case of multiple ethernet cards. - auto means that address becomes - InetAddress.getLocalHost().getHostAddress() - - tcpListenPort = the tcp listen port - - tcpSelectorTimeout = the timeout (ms) for the Selector.select() method in case the OS - has a wakup bug in java.nio. Set to 0 for no timeout - - printToScreen = true means that managers will also print to std.out - - expireSessionsOnShutdown = true means that - - useDirtyFlag = true means that we only replicate a session after setAttribute,removeAttribute has been called. - false means to replicate the session after each request. - false means that replication would work for the following piece of code: (only for SimpleTcpReplicationManager) - <% - HashMap map = (HashMap)session.getAttribute("map"); - map.put("key","value"); - %> - replicationMode = can be either 'pooled', 'synchronous' or 'asynchronous'. 
- * Pooled means that the replication happens using several sockets in a synchronous way. Ie, the data gets replicated, then the request return. This is the same as the 'synchronous' setting except it uses a pool of sockets, hence it is multithreaded. This is the fastest and safest configuration. To use this, also increase the nr of tcp threads that you have dealing with replication. - * Synchronous means that the thread that executes the request, is also the - thread the replicates the data to the other nodes, and will not return until all - nodes have received the information. - * Asynchronous means that there is a specific 'sender' thread for each cluster node, - so the request thread will queue the replication request into a "smart" queue, - and then return to the client. - The "smart" queue is a queue where when a session is added to the queue, and the same session - already exists in the queue from a previous request, that session will be replaced - in the queue instead of replicating two requests. This almost never happens, unless there is a - large network delay. - --> - <!-- - When configuring for clustering, you also add in a valve to catch all the requests - coming in, at the end of the request, the session may or may not be replicated. - A session is replicated if and only if all the conditions are met: - 1. useDirtyFlag is true or setAttribute or removeAttribute has been called AND - 2. a session exists (has been created) - 3. the request is not trapped by the "filter" attribute - - The filter attribute is to filter out requests that could not modify the session, - hence we don't replicate the session after the end of this request. - The filter is negative, ie, anything you put in the filter, you mean to filter out, - ie, no replication will be done on requests that match one of the filters. - The filter attribute is delimited by ;, so you can't escape out ; even if you wanted to. 
- - filter=".*\.gif;.*\.js;" means that we will not replicate the session after requests with the URI - ending with .gif and .js are intercepted. - - The deployer element can be used to deploy apps cluster wide. - Currently the deployment only deploys/undeploys to working members in the cluster - so no WARs are copied upons startup of a broken node. - The deployer watches a directory (watchDir) for WAR files when watchEnabled="true" - When a new war file is added the war gets deployed to the local instance, - and then deployed to the other instances in the cluster. - When a war file is deleted from the watchDir the war is undeployed locally - and cluster wide - --> - - <!-- - <Cluster className="org.apache.catalina.cluster.tcp.SimpleTcpCluster" - managerClassName="org.apache.catalina.cluster.session.DeltaManager" - expireSessionsOnShutdown="false" - useDirtyFlag="true" - notifyListenersOnReplication="true"> - - <Membership - className="org.apache.catalina.cluster.mcast.McastService" - mcastAddr="228.0.0.4" - mcastPort="45564" - mcastFrequency="500" - mcastDropTime="3000"/> - - <Receiver - className="org.apache.catalina.cluster.tcp.ReplicationListener" - tcpListenAddress="auto" - tcpListenPort="4001" - tcpSelectorTimeout="100" - tcpThreadCount="6"/> - - <Sender - className="org.apache.catalina.cluster.tcp.ReplicationTransmitter" - replicationMode="pooled" - ackTimeout="15000"/> - - <Valve className="org.apache.catalina.cluster.tcp.ReplicationValve" - filter=".*\.gif;.*\.js;.*\.jpg;.*\.png;.*\.htm;.*\.html;.*\.css;.*\.txt;"/> - - <Deployer className="org.apache.catalina.cluster.deploy.FarmWarDeployer" - tempDir="/tmp/war-temp/" - deployDir="/tmp/war-deploy/" - watchDir="/tmp/war-listen/" - watchEnabled="false"/> - </Cluster> - --> - - - - <!-- Normally, users must authenticate themselves to each web app - individually. 
Uncomment the following entry if you would like - a user to be authenticated the first time they encounter a - resource protected by a security constraint, and then have that - user identity maintained across *all* web applications contained - in this virtual host. --> + <!-- SingleSignOn valve, share authentication between web applications + Documentation at: /docs/config/valve.html --> <!-- <Valve className="org.apache.catalina.authenticator.SingleSignOn" /> --> - <!-- Access log processes all requests for this virtual host. By - default, log files are created in the "logs" directory relative to - $CATALINA_HOME. If you wish, you can specify a different - directory with the "directory" attribute. Specify either a relative - (to $CATALINA_HOME) or absolute path to the desired directory. - --> - <Valve className="org.apache.catalina.valves.AccessLogValve" - directory="logs" prefix="localhost_access_log." suffix=".txt" - pattern="common" resolveHosts="false"/> - - <!-- Access log processes all requests for this virtual host. By - default, log files are created in the "logs" directory relative to - $CATALINA_HOME. If you wish, you can specify a different - directory with the "directory" attribute. Specify either a relative - (to $CATALINA_HOME) or absolute path to the desired directory. - This access log implementation is optimized for maximum performance, - but is hardcoded to support only the "common" and "combined" patterns. - --> + <!-- Access log processes all example. + Documentation at: /docs/config/valve.html --> <!-- - <Valve className="org.apache.catalina.valves.FastCommonAccessLogValve" - directory="logs" prefix="localhost_access_log." suffix=".txt" - pattern="common" resolveHosts="false"/> + <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs" + prefix="localhost_access_log." suffix=".txt" pattern="common" resolveHosts="false"/> --> - <!-- Access log processes all requests for this virtual host. 
By - default, log files are created in the "logs" directory relative to - $CATALINA_HOME. If you wish, you can specify a different - directory with the "directory" attribute. Specify either a relative - (to $CATALINA_HOME) or absolute path to the desired directory. - This access log implementation is optimized for maximum performance, - but is hardcoded to support only the "common" and "combined" patterns. - This valve use NIO direct Byte Buffer to asynchornously store the - log. - --> - <!-- - <Valve className="org.apache.catalina.valves.ByteBufferAccessLogValve" - directory="logs" prefix="localhost_access_log." suffix=".txt" - pattern="common" resolveHosts="false"/> - --> - - <!-- <Context docBase="webapps" path="/webapps" reloadable="false"/> --> </Host> - </Engine> - </Service> - </Server> diff --git a/pki/base/kra/shared/conf/tomcat-users.xml b/pki/base/kra/shared/conf/tomcat-users.xml index 920e68240..daa9260cc 100644 --- a/pki/base/kra/shared/conf/tomcat-users.xml +++ b/pki/base/kra/shared/conf/tomcat-users.xml 
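Review bot: The host access log is disabled by this hunk: on the old side `<Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs" prefix="localhost_access_log." suffix=".txt" pattern="common" resolveHosts="false"/>` was a live child of `<Host>`, while on the new side the equivalent valve sits inside the `<!-- ... -->` block that follows the "Access log processes all example." comment, so Tomcat will no longer write `localhost_access_log.*` for this instance. For a key-recovery subsystem the per-request access log is the primary record for incident response and audit, so unless the KRA application records requests elsewhere the valve should be moved back outside the comment, keeping the same attributes. While there, the inherited Tomcat comment text `Access log processes all example.` could be restored to `Access log processes all requests for this virtual host.` as the removed comment read.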
@@ -1,13 +1,45 @@ <?xml version='1.0' encoding='utf-8'?> +<!-- BEGIN COPYRIGHT BLOCK + Copyright (C) 2006-2010 Red Hat, Inc. + All rights reserved. + Modifications: configuration parameters + END COPYRIGHT BLOCK --> +<!-- + Licensed to the Apache Software Foundation (ASF) under one or more + contributor license agreements. See the NOTICE file distributed with + this work for additional information regarding copyright ownership. + The ASF licenses this file to You under the Apache License, Version 2.0 + (the "License"); you may not use this file except in compliance with + the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. +--> + +<!-- + <role rolename="tomcat"/> + <role rolename="role1"/> + <user username="tomcat" password="tomcat" roles="tomcat"/> + <user username="both" password="tomcat" roles="tomcat,role1"/> + <user username="role1" password="tomcat" roles="role1"/> +--> + +<!-- The host manager webapp is restricted to users with role "admin" --> +<!--<user name="tomcat" password="password" roles="admin" />--> +<!-- The manager webapp is restricted to users with role "manager" --> +<!--<user name="tomcat" password="password" roles="manager" />--> <tomcat-users> <role rolename="pkiuser"/> <role rolename="tomcat"/> - <role rolename="role1"/> <role rolename="manager"/> <role rolename="admin"/> + <user username="pkiuser" password="pkiuser" roles="pkiuser"/> <user username="tomcat" password="tomcat" roles="tomcat"/> - <user username="both" password="tomcat" roles="tomcat,role1"/> - <user username="role1" password="tomcat" roles="role1"/> <user username="admin" password="netscape" roles="admin,manager"/> 
 </tomcat-users>
diff --git a/pki/base/kra/shared/conf/tomcat5.conf b/pki/base/kra/shared/conf/tomcat5.conf
deleted file mode 100644
index 181fb12dc..000000000
--- a/pki/base/kra/shared/conf/tomcat5.conf
+++ /dev/null
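Review bot: The added `<user username="pkiuser" password="pkiuser" roles="pkiuser"/>` and the retained `<user username="admin" password="netscape" roles="admin,manager"/>` and `tomcat`/`tomcat` entries ship well-known plaintext credentials in every KRA instance's tomcat-users.xml, and the comments added just above spell out that `admin` and `manager` are exactly the roles that gate the host-manager and manager webapps. If either webapp is ever deployed into this instance (the commit does not show whether it is), these entries hand out full Tomcat administration with a guessable password. The subsystem's own agent/admin authentication presumably does not rely on this MemoryRealm file, so the `admin`/`manager` users and roles look unnecessary; either drop them, or have instance creation substitute a generated secret the way this commit already uses `[PKI_USER]`-style placeholders, e.g. `<user username="admin" password="[PKI_TOMCAT_ADMIN_PASSWORD]" roles="admin,manager"/>`. At minimum a comment such as `<!-- default credentials: change or remove before exposing the manager webapps -->` should sit above the user list.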
@@ -1,74 +0,0 @@ -# tomcat5 service configuration file - -# Check to insure that this configuration file's associated PKI -# subsystem currently resides on this system. -PKI_SUBSYSTEM_TYPE=[PKI_SUBSYSTEM_TYPE] -if [ ! -d /usr/share/pki/${PKI_SUBSYSTEM_TYPE} ] ; then - echo "This machine is missing the '${PKI_SUBSYSTEM_TYPE}' subsystem!" - exit 255 -fi - -# you could also override JAVA_HOME here -# Where your java installation lives -JAVA_HOME="/usr/lib/jvm/jre" - -# You can pass some parameters to java -# here if you wish to -#JAVA_OPTS="-Xminf0.1 -Xmaxf0.3" - -# Where your tomcat installation lives -# That change from previous RPM where TOMCAT_HOME -# used to be /var/tomcat. -# Now /var/tomcat will be the base for webapps only -CATALINA_HOME="/usr/share/tomcat5" -JASPER_HOME="/usr/share/tomcat5" -CATALINA_TMPDIR="/usr/share/tomcat5/temp" -JAVA_ENDORSED_DIRS="/usr/share/tomcat5/common/endorsed" - -# What user should run tomcat -TOMCAT_USER="[PKI_USER]" -TOMCAT_GROUP="[PKI_GROUP]" - -# You can change your tomcat locale here -#LANG=en_US - -# Time to wait in seconds, while starting process -STARTUP_WAIT=30 - -# Time to wait in seconds, before killing process -SHUTDOWN_WAIT=30 - - -# If you wish to further customize your tomcat environment, -# put your own definitions here -# (i.e. 
LD_LIBRARY_PATH for some jdbc drivers) -# Just do not forget to export them :) - -OS=`uname -s` -if [ $OS = "Linux" ]; then - PLATFORM=`uname -i` - if [ $PLATFORM = "i386" ]; then - # 32-bit Linux - LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/usr/lib/dirsec:/usr/lib - elif [ $PLATFORM = "x86_64" ]; then - # 64-bit Linux - LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/usr/lib64/dirsec:/usr/lib64:/usr/lib - fi - export LD_LIBRARY_PATH -elif [ $PLATFORM = "SunOS" ]; then - PLATFORM=`uname -p` - if [ "${PLATFORM}" = "sparc" ] && - [ -d "/usr/lib/sparcv9/" ] ; then - PLATFORM="sparcv9" - fi - if [ $PLATFORM = "sparc" ]; then - # 32-bit Solaris - LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/usr/lib/dirsec:/usr/lib - elif [ $PLATFORM = "sparcv9" ]; then - # 64-bit Solaris - JAVA_OPTS="-d64" - export JAVA_OPTS - LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/usr/lib/sparcv9/dirsec:/usr/lib/sparcv9:/usr/lib/dirsec:/usr/lib - fi - export LD_LIBRARY_PATH -fi diff --git a/pki/base/kra/shared/conf/tomcat6.conf b/pki/base/kra/shared/conf/tomcat6.conf new file mode 100644 index 000000000..31385567d --- /dev/null +++ b/pki/base/kra/shared/conf/tomcat6.conf 
@@ -0,0 +1,55 @@
+# Service-specific configuration file for tomcat6. This will be sourced by
+# the SysV init script after the global configuration file
+# /etc/tomcat6/tomcat6.conf, thus allowing values to be overridden in
+# a per-service manner.
+#
+# NEVER change the init script itself. To change values for all services make
+# your changes in /etc/tomcat6/tomcat6.conf
+#
+# To change values for a specific service make your edits here.
+# To create a new service create a link from /etc/init.d/<your new service> to
+# /etc/init.d/tomcat6 (do not copy the init script) and make a copy of the
+# /etc/sysconfig/tomcat6 file to /etc/sysconfig/<your new service> and change
+# the property values so the two services won't conflict. Register the new
+# service in the system as usual (see chkconfig and similars).
+#
+
+# Where your java installation lives
+#JAVA_HOME="/usr/lib/jvm/java"
+
+# Where your tomcat installation lives
+CATALINA_BASE="[PKI_INSTANCE_PATH]"
+#CATALINA_HOME="/usr/share/tomcat6"
+#JASPER_HOME="/usr/share/tomcat6"
+#CATALINA_TMPDIR="/var/cache/tomcat6/temp"
+
+# You can pass some parameters to java here if you wish to
+#JAVA_OPTS="-Xminf0.1 -Xmaxf0.3"
+
+# Use JAVA_OPTS to set java.library.path for libtcnative.so
+#JAVA_OPTS="-Djava.library.path=/usr/lib64"
+
+# What user should run tomcat
+TOMCAT_USER="[PKI_USER]"
+
+# You can change your tomcat locale here
+#LANG="en_US"
+
+# Run tomcat under the Java Security Manager
+#SECURITY_MANAGER="false"
+
+# Time to wait in seconds, before killing process
+#SHUTDOWN_WAIT="30"
+
+# Whether to annoy the user with "attempting to shut down" messages or not
+#SHUTDOWN_VERBOSE="false"
+
+# Set the TOMCAT_PID location
+CATALINA_PID="[TOMCAT_PIDFILE]"
+
+# Connector port is 8080 for this tomcat6 instance
+#CONNECTOR_PORT="8080"
+
+# If you wish to further customize your tomcat environment,
+# put your own definitions here
+# (i.e. LD_LIBRARY_PATH for some jdbc drivers)
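Review bot: The replacement tomcat6.conf no longer exports the `LD_LIBRARY_PATH` that the deleted tomcat5.conf set per architecture (`/usr/lib64/dirsec:/usr/lib64:/usr/lib` on x86_64, the sparc/sparcv9 variants on Solaris), nor `TOMCAT_GROUP`; the only trace left is the commented `#JAVA_OPTS="-Djava.library.path=/usr/lib64"` hint. If the JSS/NSS native libraries are still resolved through those directories, the instance will fail to load them unless the tomcat6 init script or `[PKI_INSTANCE_PATH]` tooling supplies the path elsewhere — this commit does not show that, so it should be confirmed. The old file also refused to start when `/usr/share/pki/${PKI_SUBSYSTEM_TYPE}` was missing; the new file relies on the init script for that check (its `PKI_PATH` is set but the guard is outside this view). A short comment at the `JAVA_OPTS` hint such as `# JSS/NSS native libs (formerly LD_LIBRARY_PATH=/usr/lib64/dirsec) are located via the init script` would tell the next maintainer where that responsibility moved.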
diff --git a/pki/base/kra/shared/etc/init.d/pki-krad b/pki/base/kra/shared/etc/init.d/pki-krad
index 5a3b9be9b..b27dc8c62 100755
--- a/pki/base/kra/shared/etc/init.d/pki-krad
+++ b/pki/base/kra/shared/etc/init.d/pki-krad
@@ -14,1816 +14,70 @@ # with this program; if not, write to the Free Software Foundation, Inc., # 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. # -# Copyright (C) 2007 Red Hat, Inc. +# Copyright (C) 2007-2010 Red Hat, Inc. # All rights reserved. -# --- END COPYRIGHT BLOCK ### --- +# --- END COPYRIGHT BLOCK --- # -# pki-krad Startup script for Tomcat 5.0 pki-kra, the Apache Servlet Engine +# pki-krad Startup script pki-kra with tomcat6 # # chkconfig: - 82 18 -# description: Data Recovery Manager \ -# (Tomcat 5.0) +# description: Data Recovery Manager (Tomcat 6.0) # processname: pki-krad # piddir: /var/run/pki/kra -# config: ${PKI_INSTANCE_PATH}/conf/tomcat5.conf -# -# Gomez Henri <hgomez@users.sourceforge.net> -# Keith Irwin <keith_irwin@non.hp.com> -# Nicolas Mailhot <nicolas.mailhot@one2team.com> -# -# version 1.02 - Removed initlog support -# version 1.03 - Removed config: -# version 1.04 - tomcat will start before httpd and stop after httpd -# version 1.05 - jdk hardcoded to link /usr/java/jdk and tomcat runs -# as "nobody" -# version 1.06 - split up into script and config file -# version 1.07 - Rework from Nicolas ideas -# version 1.08 - Fix work dir permission at start time, switch to use tomcat4 -# version 1.09 - Fix pidfile and config tags -# version 1.10 - Fallback to su direct use on systems without -# Redhat/Mandrake init.d functions -# version 1.11 - Fix webapps dir permissions -# version 1.12 - remove initial start/stop level for chkconfig (- 80 20) -# version 1.13 - remove chown of logs/work/temp/webapps dir, -# owned by tomcat4 at install time -# version 1.14 - correct the start/stop ugly hack by waiting -# all the threads stops -# version 1.15 - ensure we're looking for TOMCAT_USER running catalina -# version 1.16 - Add support for CATALINA_PID env var -# version 1.17 - Remove run files only tomcat started correctl -# in start area, check that tomcat is not allready running -# version 1.18 - Fix kill typo (thanks Kaj J. 
Niemi) -# version 1.19 - Add jar relinking -# version 1.20 - Check there is no stalling tomcat4.pid -# version 1.20tc5 - Changed all instances of tomcat4 to -# tomcat5 except TOMCAT_USER -# version 1.20tc5rh - Changed TOMCAT_USER from tomcat4 to tomcat # -PKI_INIT_SCRIPT="" +PROG_NAME=`basename $0` +SERVICE_NAME="pki-krad" +SERVICE_PROG="/sbin/service" PKI_PATH="/usr/share/pki/kra" -PKI_PIDDIR="/var/run/pki/kra" -PKI_PROCESS="pki-krad" PKI_REGISTRY="/etc/sysconfig/pki/kra" PKI_TYPE="pki-kra" - -# PKI subsystem-level directory and file values for locks -lockfile="/var/lock/subsys/pki-krad" +PKI_TOTAL_PORTS=6 # Disallow 'others' the ability to 'write' to new files umask 00002 -default_error=0 command="$1" pki_instance="$2" -case "${command}" in - start|stop|restart|condrestart|force-restart|try-restart) - # * 1 generic or unspecified error (current practice) - default_error=1 - ;; - reload) - default_error=3 - ;; - status) - # * 4 program or service status is unknown - default_error=4 - ;; - *) - # * 2 invalid argument(s) - default_error=2 - ;; -esac - -# Check to insure that this script's original invocation directory -# has not been deleted! -CWD=`/bin/pwd > /dev/null 2>&1` -if [ $? -ne 0 ] ; then - echo "Cannot invoke '$0' from non-existent directory!" - exit ${default_error} -fi - -# Check to insure that this script's associated PKI -# subsystem currently resides on this system. -if [ ! -d ${PKI_PATH} ] ; then - echo "This machine is missing the '${PKI_TYPE}' subsystem!" - if [ "${command}" != "status" ]; then - # * 5 program is not installed - exit 5 - else - exit ${default_error} - fi -fi - -# Check to insure that this script's associated PKI -# subsystem instance registry currently resides on this system. -if [ ! -d ${PKI_REGISTRY} ] ; then - echo "This machine contains no registered '${PKI_TYPE}' subsystem instances!" 
- if [ "${command}" != "status" ]; then - # * 5 program is not installed - exit 5 - else - exit ${default_error} - fi -fi - -# Obtain the operating system upon which this script is being executed -OS=`uname -s` -ARCHITECTURE="" - -# This script must be run as root! -RV=0 -if [ ${OS} = "Linux" ] ; then - PKI_INIT_SCRIPT="/sbin/service ${PKI_PROCESS}" - if [ `id -u` -ne 0 ] ; then - echo "Must be 'root' to execute '$0'!" - if [ "${command}" != "status" ]; then - # * 4 user had insufficient privilege - exit 4 - else - # * 4 program or service status is unknown - exit 4 - fi - fi - ARCHITECTURE=`uname -i` -elif [ ${OS} = "SunOS" ] ; then - PKI_INIT_SCRIPT="/etc/init.d/${PKI_PROCESS}" - if [ `/usr/xpg4/bin/id -u` -ne 0 ] ; then - echo "Must be 'root' to execute '$0'!" - if [ "${command}" != "status" ]; then - # * 4 user had insufficient privilege - exit 4 - else - # * 4 program or service status is unknown - exit 4 - fi - fi - ARCHITECTURE=`uname -p` - if [ "${ARCHITECTURE}" = "sparc" ] && - [ -d "/usr/lib/sparcv9/" ] ; then - ARCHITECTURE="sparcv9" - fi -else - echo "Unsupported OS '${OS}'!" - exit ${default_error} -fi # Source function library. -if [ -f /etc/init.d/functions ]; then - . /etc/init.d/functions -else - # The checkpid() function is provided for platforms that do not - # contain the "/etc/init.d/functions" file (e. g. - Solaris) . . . - - # Check if ${pid} (could be plural) are running (keep count) - checkpid() - { - rv=0 - for i in $* ; do - ps -p $i > /dev/null 2>&1 ; - if [ $? -ne 0 ] ; then - rv=`expr ${rv} + 1` - else - rv=`expr ${rv} + 0` - fi - done - # echo "rv=${rv}" - return ${rv} - } - - # Create the following directories on platforms - # where they do not exist (e. g. - Solaris) . . . - if [ ! -d "/var/lock" ] ; then - mkdir -p /var/lock - chown root:sys /var/lock - chmod 00755 /var/lock - fi - if [ ! 
-d "/var/lock/subsys" ] ; then - mkdir -p /var/lock/subsys - chown root:root /var/lock/subsys - chmod 00755 /var/lock/subsys - fi - - ####################################################################### - ## NOTE: The following code needs to eventually be moved into the ## - ## template used to create the ## - ## "${PKI_INSTANCE_PATH}/conf/tomcat5.conf" file! ## - ####################################################################### - - if [ ${OS} = "SunOS" ] ; then - DEFAULT_SOLARIS_JAVA_HOME="/usr/jdk/instances/jdk1.5.0/jre" - DEFAULT_LINUX_JAVA_HOME="/usr/lib/jvm/jre" - DEFAULT_LINUX_JAVA_HOME_PATH=`dirname ${DEFAULT_LINUX_JAVA_HOME}` - - # ensure that the Sun JRE 1.5.0 exists at the default location - if [ -d ${DEFAULT_SOLARIS_JAVA_HOME} ] ; then - # create the directory in which the symlink resides (if necessary) - if [ ! -d ${DEFAULT_LINUX_JAVA_HOME_PATH} ] ; then - mkdir -p ${DEFAULT_LINUX_JAVA_HOME_PATH} - fi - # create the actual symlink (if necessary) - if [ ! -h ${DEFAULT_LINUX_JAVA_HOME} ] ; then - ln -s ${DEFAULT_SOLARIS_JAVA_HOME} ${DEFAULT_LINUX_JAVA_HOME} - fi - else - # for now, simply exit with an appropriate error message - echo -n "The Solaris 1.5.0 JRE must be installed " - echo -n "at \"${DEFAULT_SOLARIS_JAVA_HOME}\"!" 
- echo - echo - exit ${default_error} - fi - fi -fi - -PKI_REGISTRY_ENTRIES="" -TOTAL_PKI_REGISTRY_ENTRIES=0 -TOTAL_UNCONFIGURED_PKI_ENTRIES=0 - -# Gather ALL registered instances of this PKI subsystem type -for FILE in `/bin/ls -1 ${PKI_REGISTRY}/* 2>/dev/null`; do - if [ -f "$FILE" ] ; then - inst=`echo "$FILE"` - PKI_REGISTRY_ENTRIES="${PKI_REGISTRY_ENTRIES} $inst" - TOTAL_PKI_REGISTRY_ENTRIES=`expr ${TOTAL_PKI_REGISTRY_ENTRIES} + 1` - fi -done - -if [ -n "${pki_instance}" ]; then - for I in ${PKI_REGISTRY_ENTRIES}; do - if [ "${PKI_REGISTRY}/${pki_instance}" = "$I" ]; then - PKI_REGISTRY_ENTRIES="${PKI_REGISTRY}/${pki_instance}" - TOTAL_PKI_REGISTRY_ENTRIES=1 - break - fi - done -fi - -usage() -{ - echo -n "Usage: ${PKI_INIT_SCRIPT} " - echo -n "{start" - echo -n "|stop" - echo -n "|restart" - echo -n "|condrestart" - echo -n "|force-restart" - echo -n "|try-restart" - echo -n "|reload" - echo -n "|status} " - echo -n "[instance-name]" - echo - echo -} - -list_instances() -{ - echo - for FILE in `/bin/ls -1 ${PKI_REGISTRY}/* 2>/dev/null`; do - echo " ${FILE}" - done - echo -} - -# Check arguments -if [ $# -lt 1 ] ; then - # * 3 unimplemented feature (for example, "reload") - # [insufficient arguments] - echo "$0: Insufficient arguments!" - echo - usage - echo "where valid instance names include:" - list_instances - exit 3 -elif [ ${default_error} -eq 2 ] ; then - # * 2 invalid argument - echo "$0: Invalid arguments!" - echo - usage - echo "where valid instance names include:" - list_instances - exit 2 -elif [ $# -gt 2 ] ; then - echo "$0: Excess arguments!" 
- echo - usage - echo "where valid instance names include:" - list_instances - if [ "${command}" != "status" ]; then - # * 2 excess arguments - exit 2 - else - # * 4 program or service status is unknown - exit 4 - fi -fi - -# If an "instance" was supplied, check that it is a "valid" instance -if [ -n "${pki_instance}" ]; then - if [ "${PKI_REGISTRY}/${pki_instance}" != "${PKI_REGISTRY_ENTRIES}" ]; then - echo -n "${pki_instance} is an invalid '${PKI_TYPE}' instance" - echo_failure - echo - if [ "${command}" != "status" ]; then - # * 5 program is not installed - exit 5 - else - # * 4 program or service status is unknown - exit 4 - fi - fi -fi - -# On Solaris /var/run is in tmpfs and gets wiped out upon reboot -# we have to recreate the ${PKI_PIDDIR} directory and make sure that -# the directory is writable by the ${PKI_TYPE} server process. -# -# IMPORTANT: ALL PKI subsystems installed on this machine MUST utilize -# the SAME values for ${PKI_GROUP} and ${PKI_USER}, since the -# "${PKI_PIDDIR}" will end up with the ownership permissions -# of the first instance that executes this function! -# -fix_pid_dir_ownership() -{ - if [ ! -d ${PKI_PIDDIR} ] ; then - mkdir -p ${PKI_PIDDIR} - - chown root:root /var/run/pki - chmod 00755 /var/run/pki - - chown root:root ${PKI_PIDDIR} - chmod 00755 ${PKI_PIDDIR} - fi -} - -check_pki_configuration_status() -{ - rv=0 - - rv=`grep -c ^preop ${pki_instance_configuration_file}` - - rv=`expr ${rv} + 0` - - if [ ${rv} -ne 0 ] ; then - echo " '${PKI_INSTANCE_ID}' must still be CONFIGURED!" - echo " (see /var/log/${PKI_INSTANCE_ID}-install.log)" - if [ "${command}" != "status" ]; then - # * 6 program is not configured - rv=6 - else - # * 4 program or service status is unknown - rv=4 - fi - TOTAL_UNCONFIGURED_PKI_ENTRIES=`expr ${TOTAL_UNCONFIGURED_PKI_ENTRIES} + 1` - elif [ -f ${RESTART_SERVER} ] ; then - echo -n " Although '${PKI_INSTANCE_ID}' has been CONFIGURED, " - echo -n "it must still be RESTARTED!" 
- echo - if [ "${command}" != "status" ]; then - # * 1 generic or unspecified error (current practice) - rv=1 - else - # * 4 program or service status is unknown - rv=4 - fi - fi - - return ${rv} -} - -get_pki_status_definitions() -{ - # establish well-known strings - begin_pki_status_comment="<!-- DO NOT REMOVE - Begin PKI Status Definitions -->" - end_pki_status_comment="<!-- DO NOT REMOVE - End PKI Status Definitions -->" - total_ports=0 - unsecure_port_statement="Unsecure Port = " - secure_agent_port_statement="Secure Agent Port = " - secure_ee_port_statement="Secure EE Port = " - secure_admin_port_statement="Secure Admin Port = " - pki_console_port_statement="PKI Console Port = " - tomcat_port_statement="Tomcat Port = " - - # initialize looping variables - pki_status_comment_found=0 - - # first check to see that an instance-specific "server.xml" file exists - if [ ! -f ${PKI_SERVER_XML_CONF} ] ; then - echo "File '${PKI_SERVER_XML_CONF}' does not exist!" - exit ${default_error} - fi - - # read this instance-specific "server.xml" file line-by-line - # to obtain the current PKI Status Definitions - exec < ${PKI_SERVER_XML_CONF} - while read line; do - # first look for the well-known end PKI Status comment - # (to turn off processing) - if [ "$line" == "$end_pki_status_comment" ] ; then - pki_status_comment_found=0 - break; - fi - - # then look for the well-known begin PKI Status comment - # (to turn on processing) - if [ "$line" == "$begin_pki_status_comment" ] ; then - pki_status_comment_found=1 - fi - - # once the well-known begin PKI Status comment has been found, - # begin processing to obtain all of the PKI Status Definitions - if [ $pki_status_comment_found -eq 1 ] ; then - # look for a PKI Status Definition and print it - head=`echo "$line" | cut -b1-20` - if [ "$head" == "$unsecure_port_statement" ] || - [ "$head" == "$secure_agent_port_statement" ] || - [ "$head" == "$secure_ee_port_statement" ] || - [ "$head" == "$secure_admin_port_statement" ] || - [ 
"$head" == "$pki_console_port_statement" ] || - [ "$head" == "$tomcat_port_statement" ] ; then - echo " $line" - total_ports=`expr ${total_ports} + 1` - fi - fi - done - - if [ ${total_ports} -eq 6 ] ; then - return 0 - else - return ${default_error} - fi -} - -get_pki_configuration_definitions() -{ - # Obtain the PKI Subsystem Type - line=`grep ^cs.type= ${pki_instance_configuration_file}` - pki_subsystem=`echo "${line}" | cut -b9-` - if [ "${line}" != "" ] ; then - if [ "${pki_subsystem}" != "CA" ] && - [ "${pki_subsystem}" != "KRA" ] && - [ "${pki_subsystem}" != "OCSP" ] && - [ "${pki_subsystem}" != "TKS" ] && - [ "${pki_subsystem}" != "RA" ] && - [ "${pki_subsystem}" != "TPS" ] - then - return ${default_error} - fi - if [ "${pki_subsystem}" == "KRA" ] ; then - # Rename "KRA" to "DRM" - pki_subsystem="DRM" - fi - else - return ${default_error} - fi - - # If "${pki_subsystem}" is a CA, DRM, OCSP, or TKS, - # check to see if "${pki_subsystem}" is a "Clone" - pki_clone="" - if [ "${pki_subsystem}" == "CA" ] || - [ "${pki_subsystem}" == "DRM" ] || - [ "${pki_subsystem}" == "OCSP" ] || - [ "${pki_subsystem}" == "TKS" ] - then - line=`grep ^subsystem.select= ${pki_instance_configuration_file}` - if [ "${line}" != "" ] ; then - pki_clone=`echo "${line}" | cut -b18-` - if [ "${pki_clone}" != "Clone" ] ; then - # Reset "${pki_clone}" to be empty - pki_clone="" - fi - else - return ${default_error} - fi - fi - - # If "${pki_subsystem}" is a CA, and is NOT a "Clone", check to - # see "${pki_subsystem}" is a "Root" or a "Subordinate" CA - pki_hierarchy="" - if [ "${pki_subsystem}" == "CA" ] && - [ "${pki_clone}" != "Clone" ] - then - line=`grep ^hierarchy.select= ${pki_instance_configuration_file}` - if [ "${line}" != "" ] ; then - pki_hierarchy=`echo "${line}" | cut -b18-` - else - return ${default_error} - fi - fi - - # If ${pki_subsystem} is a CA, check to - # see if it is also a Security Domain - pki_security_domain="" - if [ "${pki_subsystem}" == "CA" ] ; then - 
line=`grep ^securitydomain.select= ${pki_instance_configuration_file}` - if [ "${line}" != "" ] ; then - pki_security_domain=`echo "${line}" | cut -b23-` - if [ "${pki_security_domain}" == "new" ] ; then - # Set a fixed value for "${pki_security_domain}" - pki_security_domain="(Security Domain)" - else - # Reset "${pki_security_domain}" to be empty - pki_security_domain="" - fi - else - return ${default_error} - fi - fi - - # Always obtain this PKI instance's "registered" - # security domain information - pki_security_domain_name="" - pki_security_domain_hostname="" - pki_security_domain_https_admin_port="" - - line=`grep ^securitydomain.name= ${pki_instance_configuration_file}` - if [ "${line}" != "" ] ; then - pki_security_domain_name=`echo "${line}" | cut -b21-` - else - return ${default_error} - fi - - line=`grep ^securitydomain.host= ${pki_instance_configuration_file}` - if [ "${line}" != "" ] ; then - pki_security_domain_hostname=`echo "${line}" | cut -b21-` - else - return ${default_error} - fi - - line=`grep ^securitydomain.httpsadminport= ${pki_instance_configuration_file}` - if [ "${line}" != "" ] ; then - pki_security_domain_https_admin_port=`echo "${line}" | cut -b31-` - else - return ${default_error} - fi - - # Compose the "PKI Instance Name" Status Line - pki_instance_name="PKI Instance Name: ${PKI_INSTANCE_ID}" - - # Compose the "PKI Subsystem Type" Status Line - header="PKI Subsystem Type: " - if [ "${pki_clone}" != "" ] ; then - if [ "${pki_security_domain}" != "" ]; then - # Possible Values: - # - # "CA Clone (Security Domain)" - # - data="${pki_subsystem} ${pki_clone} ${pki_security_domain}" - else - # Possible Values: - # - # "CA Clone" - # "DRM Clone" - # "OCSP Clone" - # "TKS Clone" - # - data="${pki_subsystem} ${pki_clone}" - fi - elif [ "${pki_hierarchy}" != "" ] ; then - if [ "${pki_security_domain}" != "" ]; then - # Possible Values: - # - # "Root CA (Security Domain)" - # "Subordinate CA (Security Domain)" - # - data="${pki_hierarchy} 
${pki_subsystem} ${pki_security_domain}" - else - # Possible Values: - # - # "Root CA" - # "Subordinate CA" - # - data="${pki_hierarchy} ${pki_subsystem}" - fi - else - # Possible Values: - # - # "DRM" - # "OCSP" - # "RA" - # "TKS" - # "TPS" - # - data="${pki_subsystem}" - fi - pki_subsystem_type="${header} ${data}" - - # Compose the "Registered PKI Security Domain Information" Status Line - header="Name: " - registered_pki_security_domain_name="${header} ${pki_security_domain_name}" - - header="URL: " - if [ "${pki_security_domain_hostname}" != "" ] && - [ "${pki_security_domain_https_admin_port}" != "" ] - then - data="https://${pki_security_domain_hostname}:${pki_security_domain_https_admin_port}" - else - return ${default_error} - fi - registered_pki_security_domain_url="${header} ${data}" - - # Print the "PKI Subsystem Type" Status Line - echo - echo " ${pki_instance_name}" - - # Print the "PKI Subsystem Type" Status Line - echo - echo " ${pki_subsystem_type}" - - # Print the "Registered PKI Security Domain Information" Status Line - echo - echo " Registered PKI Security Domain Information:" - echo " ==========================================================================" - echo " ${registered_pki_security_domain_name}" - echo " ${registered_pki_security_domain_url}" - echo " ==========================================================================" - - return 0 -} - -get_pki_secure_port() -{ - # establish well-known strings - begin_ssl_comment="<!-- DO NOT REMOVE - Begin define PKI secure port -->" - end_ssl_comment="<!-- DO NOT REMOVE - End define PKI secure port -->" - connector_statement="<Connector name=\"" - - # initialize looping variables - ssl_comment_found=0 - - # first check to see that an instance-specific "server.xml" file exists - if [ ! -f ${PKI_SERVER_XML_CONF} ] ; then - echo "File '${PKI_SERVER_XML_CONF}' does not exist!" 
- exit ${default_error} - fi - - # read this instance-specific "server.xml" file line-by-line - # to obtain the current value of the PKI secure port - exec < ${PKI_SERVER_XML_CONF} - while read line; do - # first look for the well-known end SSL comment - # (to turn off processing) - if [ "$line" == "$end_ssl_comment" ] ; then - ssl_comment_found=0 - fi - - # then look for the well-known begin SSL comment - # (to turn on processing) - if [ "$line" == "$begin_ssl_comment" ] ; then - ssl_comment_found=1 - fi - - # once the well-known begin SSL comment has been found, - # begin processing to obtain the numeric port information - if [ $ssl_comment_found -eq 1 ] ; then - # look for the next Connector statement - head=`echo $line | cut -b1-17` - if [ "$head" == "$connector_statement" ] ; then - # once the Connector statement has been found, - tail=`echo $line | cut -b18-` - # extract the name of the connector - name=`echo $tail | cut -d\" -f1` - if [ "$name" == "Agent" ] || - [ "$name" == "Secure" ] ; then - # extract the numeric port information - port=`echo $tail | cut -d\" -f3` - PKI_SECURE_PORT=$port - return 0 - fi - fi - fi - done - - return ${default_error} -} - -display_instance_status() -{ - rv=0 - - if [ -f ${pidfile} ] ; then - pid=`cat ${pidfile}` - if [ "${pid}" == "" ] ; then - echo "${PKI_INSTANCE_ID} pid file exists but is empty" - if [ "${command}" != "status" ]; then - # * 1 generic or unspecified error (current practice) - rv=1 - else - # * 4 program or service status is unknown - rv=4 - fi - elif kill -0 ${pid} > /dev/null 2>&1 ; then - echo "${PKI_INSTANCE_ID} (pid ${pid}) is running ..." - echo - check_pki_configuration_status - rv=$? - if [ ${rv} -eq 0 ] ; then - get_pki_status_definitions - rv=$? - if [ ${rv} -ne 0 ] ; then - echo - echo "${PKI_INSTANCE_ID} Status Definitions not found" - else - get_pki_configuration_definitions - rv=$? 
- if [ ${rv} -ne 0 ] ; then - echo - echo "${PKI_INSTANCE_ID} Configuration Definitions not found" - fi - fi - else - # From the PKI point of view for a "non-status" action, - # a returned error code of "6" implies that the program - # is not "configured". Similarly, an error code of "1" - # implies that the program was "configured" but must - # still be restarted. - # - # Similarly, from the PKI point of view for a "status" - # action, a returned error code of "4" implies that either - # the program is not "configured", or that the program - # was "configured" but must still be restarted. - # - # Regardless, it must still be considered that the instance - # is "running" from the viewpoint of other OS programs such - # as 'chkconfig'. - # - # For this reason, when returning from - # 'display_instance_status()', ignore non-zero return codes - # returned from 'check_pki_configuration_status()'. - # - if [ "${command}" != "status" ]; then - # * 0 action was successful - rv=0 - else - # * 0 program is running or service is OK - rv=0 - fi - fi - echo - else - echo "${PKI_INSTANCE_ID} is dead but pid file exists" - if [ "${command}" != "status" ]; then - # * 1 generic or unspecified error (current practice) - rv=1 - else - # * 1 program is dead and /var/run pid file exists - rv=1 - fi - fi - else - echo "${PKI_INSTANCE_ID} is stopped" - if [ "${command}" != "status" ]; then - # * 7 program is not running - rv=7 - else - # * 3 program is not running - rv=3 - fi - fi - - return ${rv} -} - -start_instance() -{ - rv=0 - - echo -n "Starting $TOMCAT_PROG: " - - if [ -f ${RESTART_SERVER} ] ; then - rm -f ${RESTART_SERVER} - fi - - if [ -f ${PKI_LOCKFILE} ] ; then - if [ -f ${pidfile} ]; then - read kpid < ${pidfile} - if checkpid $kpid 2>&1; then - echo - echo "${PKI_INSTANCE_ID} (pid ${kpid}) is already running ..." - echo - check_pki_configuration_status - rv=$? 
- if [ ${rv} != 0 ]; then
- # From the PKI point of view for a "non-status" action,
- # a returned error code of "6" implies that the program
- # is not "configured". Similarly, an error code of "1"
- # implies that the program was "configured" but must
- # still be restarted.
- #
- # Regardless, it must still be considered that the instance
- # is "running" from the viewpoint of other OS programs such
- # as 'chkconfig'.
- #
- # For "non-status" actions, ignore return codes of "1"
- # from 'check_pki_configuration_status()'.
- #
- # However, for "non-status" actions that have a return
- # code of "6", return this value unchanged to
- # the calling routine so that the total number of
- # configuration errors may be counted.
- #
-
- echo
- if [ ${rv} = 1 ] ; then
- # * 0 action was successful
- return 0
- elif [ ${rv} = 6 ] ; then
- # * 6 program is not configured
- return 6
- else
- # should never be reached
- return ${rv}
- fi
- else
- return 0
- fi
- else
- echo
- echo -n "lock file found but no process "
- echo -n "running for pid $kpid, continuing"
- echo
- echo
- rm -f ${PKI_LOCKFILE}
- fi
- fi
- fi
-
- fix_pid_dir_ownership
-
- CATALINA_PID=${pidfile}
- export CATALINA_PID
- touch $CATALINA_PID
- chown $TOMCAT_USER:$TOMCAT_GROUP $CATALINA_PID
- chmod 00600 $CATALINA_PID
- [ -x /sbin/restorecon ] && /sbin/restorecon $CATALINA_PID
-
- # restore context for ncipher hsm
- [ -x /sbin/restorecon ] && [ -d /dev/nfast ] && /sbin/restorecon -R /dev/nfast
-
- # Always initialize CLASSPATH to start looking
- # in the local PKI classes directory . . .
- CLASSPATH=/usr/share/pki/classes
-
- if [ ${OS} = "Linux" ] ; then
- $TOMCAT_RELINK_SCRIPT
- elif [ ${OS} = "SunOS" ] ; then
- # The following definitions are provided for Solaris
- # platforms since they are unable to execute the
- # "/usr/share/tomcat5/bin/relink",
- # "/usr/bin/rebuild-jar-repository", and
- # "/usr/share/java-utils/java-functions" files . . .
-
- #######################################
- ## /var/lib/tomcat5/common/lib:
- #######################################
-
- # Build the tomcat jar classpath . . .
- CLASSPATH="$CLASSPATH":/usr/share/java/ant.jar
- CLASSPATH="$CLASSPATH":/usr/share/java/commons-collections.jar
- CLASSPATH="$CLASSPATH":/usr/share/java/commons-dbcp.jar
- CLASSPATH="$CLASSPATH":/usr/share/java/commons-el.jar
- CLASSPATH="$CLASSPATH":/usr/share/java/commons-logging-api.jar
- CLASSPATH="$CLASSPATH":/usr/share/java/commons-pool.jar
- CLASSPATH="$CLASSPATH":/usr/share/java/geronimo/spec-ejb-2.1.jar
- CLASSPATH="$CLASSPATH":/usr/share/java/geronimo/spec-j2ee-1.4.jar
- CLASSPATH="$CLASSPATH":/usr/share/java/geronimo/spec-j2ee-connector-1.5.jar
- CLASSPATH="$CLASSPATH":/usr/share/java/geronimo/spec-j2ee-deployment-1.1.jar
- CLASSPATH="$CLASSPATH":/usr/share/java/geronimo/spec-j2ee-jacc-1.0.jar
- CLASSPATH="$CLASSPATH":/usr/share/java/geronimo/spec-j2ee-management-1.0.jar
- CLASSPATH="$CLASSPATH":/usr/share/java/geronimo/spec-j2eeschema-1.0.jar
- CLASSPATH="$CLASSPATH":/usr/share/java/geronimo/spec-jms-1.1.jar
- CLASSPATH="$CLASSPATH":/usr/share/java/geronimo/spec-jsp-2.0.jar
- CLASSPATH="$CLASSPATH":/usr/share/java/geronimo/spec-jta-1.0.1B.jar
- CLASSPATH="$CLASSPATH":/usr/share/java/geronimo/spec-servlet-2.4.jar
- CLASSPATH="$CLASSPATH":/usr/share/java/jaf.jar
- CLASSPATH="$CLASSPATH":/usr/share/java/jakarta-commons-collections.jar
- CLASSPATH="$CLASSPATH":/usr/share/java/jakarta-commons-modeler.jar
- CLASSPATH="$CLASSPATH":/usr/share/java/jasper5-compiler.jar
- CLASSPATH="$CLASSPATH":/usr/share/java/jasper5-runtime.jar
- CLASSPATH="$CLASSPATH":/usr/share/java/javamail/imap.jar
- CLASSPATH="$CLASSPATH":/usr/share/java/javamail/mailapi.jar
- CLASSPATH="$CLASSPATH":/usr/share/java/javamail/nntp.jar
- CLASSPATH="$CLASSPATH":/usr/share/java/javamail/pop3.jar
- CLASSPATH="$CLASSPATH":/usr/share/java/javamail/providers.jar
- CLASSPATH="$CLASSPATH":/usr/share/java/javamail/smtp.jar
-
- # BEGIN LINUX-SPECIFIC FILE
- # CLASSPATH="$CLASSPATH":/usr/share/java/jdtCompilerAdapter.jar
- # CLASSPATH="$CLASSPATH":/usr/share/java/jdtcore.jar
- # CLASSPATH="$CLASSPATH":/usr/share/java/jsp.jar
- # END LINUX-SPECIFIC FILE
-
- CLASSPATH="$CLASSPATH":/usr/share/java/mx4j/mx4j.jar
- CLASSPATH="$CLASSPATH":/usr/share/java/mx4j/mx4j-impl.jar
- CLASSPATH="$CLASSPATH":/usr/share/java/mx4j/mx4j-jmx.jar
- CLASSPATH="$CLASSPATH":/usr/share/java/mx4j/mx4j-remote.jar
- CLASSPATH="$CLASSPATH":/usr/share/java/mx4j/mx4j-rimpl.jar
- CLASSPATH="$CLASSPATH":/usr/share/java/mx4j/mx4j-rjmx.jar
- CLASSPATH="$CLASSPATH":/usr/share/java/mx4j/mx4j-tools.jar
-
- # BEGIN LINUX-SPECIFIC FILE
- # CLASSPATH="$CLASSPATH":/usr/share/java/servlet.jar
- # END LINUX-SPECIFIC FILE
-
- CLASSPATH="$CLASSPATH":/usr/share/java/avalon-logkit.jar
- CLASSPATH="$CLASSPATH":/usr/share/java/cmsutil.jar
- CLASSPATH="$CLASSPATH":/usr/share/java/commons-logging.jar
- if [ "$ARCHITECTURE" = "sparc" ] ; then
- CLASSPATH="$CLASSPATH":/usr/lib/java/dirsec/jss4.jar
- elif [ "$ARCHITECTURE" = "sparcv9" ] ; then
- CLASSPATH="$CLASSPATH":/usr/lib/sparcv9/java/dirsec/jss4.jar
- fi
- CLASSPATH="$CLASSPATH":/usr/share/java/ldapjdk.jar
- CLASSPATH="$CLASSPATH":/var/lib/tomcat5/common/lib/naming-factory.jar
- CLASSPATH="$CLASSPATH":/var/lib/tomcat5/common/lib/naming-resources.jar
- CLASSPATH="$CLASSPATH":/usr/share/java/pki/nsutil.jar
- if [ "$ARCHITECTURE" = "sparc" ] ; then
- CLASSPATH="$CLASSPATH":/usr/lib/java/osutil.jar
- elif [ "$ARCHITECTURE" = "sparcv9" ] ; then
- CLASSPATH="$CLASSPATH":/usr/lib/sparcv9/java/osutil.jar
- fi
- CLASSPATH="$CLASSPATH":/usr/share/java/rhino.jar
- CLASSPATH="$CLASSPATH":/usr/share/java/servletapi5.jar
- if [ "$ARCHITECTURE" = "sparc" ] ; then
- CLASSPATH="$CLASSPATH":/usr/lib/java/symkey.jar
- elif [ "$ARCHITECTURE" = "sparcv9" ] ; then
- CLASSPATH="$CLASSPATH":/usr/lib/sparcv9/java/symkey.jar
- fi
- CLASSPATH="$CLASSPATH":/usr/share/java/velocity.jar
- CLASSPATH="$CLASSPATH":/usr/share/java/xalan-j2.jar
- CLASSPATH="$CLASSPATH":/usr/share/java/xerces-j2.jar
-
- # Relink tomcat jar repositories . . .
- cd /var/lib/tomcat5/common/lib
-
- if [ ! -e /var/lib/tomcat5/common/lib/\[ant\].jar ]; then
- ln -s /usr/share/java/ant.jar [ant].jar
- fi
- if [ ! -e /var/lib/tomcat5/common/lib/\[commons\-collections\].jar ]; then
- ln -s /usr/share/java/commons-collections.jar [commons-collections].jar
- fi
- if [ ! -e /var/lib/tomcat5/common/lib/\[commons\-dbcp\].jar ]; then
- ln -s /usr/share/java/commons-dbcp.jar [commons-dbcp].jar
- fi
- if [ ! -e /var/lib/tomcat5/common/lib/\[commons\-el\].jar ]; then
- ln -s /usr/share/java/commons-el.jar [commons-el].jar
- fi
- if [ ! -e /var/lib/tomcat5/common/lib/\[commons\-logging-api\].jar ]; then
- ln -s /usr/share/java/commons-logging-api.jar [commons-logging-api].jar
- fi
- if [ ! -e /var/lib/tomcat5/common/lib/\[commons\-pool\].jar ]; then
- ln -s /usr/share/java/commons-pool.jar [commons-pool].jar
- fi
- if [ ! -e /var/lib/tomcat5/common/lib/\[geronimo\]spec\-ejb\-2.1\-rc2.jar ]; then
- ln -s /usr/share/java/geronimo/spec-ejb-2.1-rc2.jar [geronimo]spec-ejb-2.1-rc2.jar
- fi
- if [ ! -e /var/lib/tomcat5/common/lib/\[geronimo\]spec\-ejb\-2.1.jar ]; then
- ln -s /usr/share/java/geronimo/spec-ejb-2.1.jar [geronimo]spec-ejb-2.1.jar
- fi
- if [ ! -e /var/lib/tomcat5/common/lib/\[geronimo\]spec\-j2ee\-1.4\-rc2.jar ]; then
- ln -s /usr/share/java/geronimo/spec-j2ee-1.4-rc2.jar [geronimo]spec-j2ee-1.4-rc2.jar
- fi
- if [ ! -e /var/lib/tomcat5/common/lib/\[geronimo\]spec\-j2ee\-1.4.jar ]; then
- ln -s /usr/share/java/geronimo/spec-j2ee-1.4.jar [geronimo]spec-j2ee-1.4.jar
- fi
- if [ ! -e /var/lib/tomcat5/common/lib/\[geronimo\]spec\-j2ee\-connector\-1.5\-rc2.jar ]; then
- ln -s /usr/share/java/geronimo/spec-j2ee-connector-1.5-rc2.jar [geronimo]spec-j2ee-connector-1.5-rc2.jar
- fi
- if [ ! -e /var/lib/tomcat5/common/lib/\[geronimo\]spec\-j2ee\-connector\-1.5.jar ]; then
- ln -s /usr/share/java/geronimo/spec-j2ee-connector-1.5.jar [geronimo]spec-j2ee-connector-1.5.jar
- fi
- if [ ! -e /var/lib/tomcat5/common/lib/\[geronimo\]spec\-j2ee\-deployment\-1.1\-rc2.jar ]; then
- ln -s /usr/share/java/geronimo/spec-j2ee-deployment-1.1-rc2.jar [geronimo]spec-j2ee-deployment-1.1-rc2.jar
- fi
- if [ ! -e /var/lib/tomcat5/common/lib/\[geronimo\]spec\-j2ee\-deployment\-1.1.jar ]; then
- ln -s /usr/share/java/geronimo/spec-j2ee-deployment-1.1.jar [geronimo]spec-j2ee-deployment-1.1.jar
- fi
- if [ ! -e /var/lib/tomcat5/common/lib/\[geronimo\]spec\-j2ee\-jacc\-1.0\-rc2.jar ]; then
- ln -s /usr/share/java/geronimo/spec-j2ee-jacc-1.0-rc2.jar [geronimo]spec-j2ee-jacc-1.0-rc2.jar
- fi
- if [ ! -e /var/lib/tomcat5/common/lib/\[geronimo\]spec\-j2ee\-jacc\-1.0.jar ]; then
- ln -s /usr/share/java/geronimo/spec-j2ee-jacc-1.0.jar [geronimo]spec-j2ee-jacc-1.0.jar
- fi
- if [ ! -e /var/lib/tomcat5/common/lib/\[geronimo\]spec\-j2ee\-management\-1.0\-rc2.jar ]; then
- ln -s /usr/share/java/geronimo/spec-j2ee-management-1.0-rc2.jar [geronimo]spec-j2ee-management-1.0-rc2.jar
- fi
- if [ ! -e /var/lib/tomcat5/common/lib/\[geronimo\]spec\-j2ee\-management\-1.0.jar ]; then
- ln -s /usr/share/java/geronimo/spec-j2ee-management-1.0.jar [geronimo]spec-j2ee-management-1.0.jar
- fi
- if [ ! -e /var/lib/tomcat5/common/lib/\[geronimo\]spec\-j2eeschema\-1.0\-M2.jar ]; then
- ln -s /usr/share/java/geronimo/spec-j2eeschema-1.0-M2.jar [geronimo]spec-j2eeschema-1.0-M2.jar
- fi
- if [ ! -e /var/lib/tomcat5/common/lib/\[geronimo\]spec\-j2eeschema\-1.0.jar ]; then
- ln -s /usr/share/java/geronimo/spec-j2eeschema-1.0.jar [geronimo]spec-j2eeschema-1.0.jar
- fi
- if [ ! -e /var/lib/tomcat5/common/lib/\[geronimo\]spec\-jms\-1.1\-rc2.jar ]; then
- ln -s /usr/share/java/geronimo/spec-jms-1.1-rc2.jar [geronimo]spec-jms-1.1-rc2.jar
- fi
- if [ ! -e /var/lib/tomcat5/common/lib/\[geronimo\]spec\-jms\-1.1.jar ]; then
- ln -s /usr/share/java/geronimo/spec-jms-1.1.jar [geronimo]spec-jms-1.1.jar
- fi
- if [ ! -e /var/lib/tomcat5/common/lib/\[geronimo\]spec\-jsp\-2.0\-rc2.jar ]; then
- ln -s /usr/share/java/geronimo/spec-jsp-2.0-rc2.jar [geronimo]spec-jsp-2.0-rc2.jar
- fi
- if [ ! -e /var/lib/tomcat5/common/lib/\[geronimo\]spec\-jsp\-2.0.jar ]; then
- ln -s /usr/share/java/geronimo/spec-jsp-2.0.jar [geronimo]spec-jsp-2.0.jar
- fi
- if [ ! -e /var/lib/tomcat5/common/lib/\[geronimo\]spec-jta-1.0.1B-rc2.jar ]; then
- ln -s /usr/share/java/geronimo/spec-jta-1.0.1B-rc2.jar [geronimo]spec-jta-1.0.1B-rc2.jar
- fi
- if [ ! -e /var/lib/tomcat5/common/lib/\[geronimo\]spec\-jta\-1.0.1B.jar ]; then
- ln -s /usr/share/java/geronimo/spec-jta-1.0.1B.jar [geronimo]spec-jta-1.0.1B.jar
- fi
- if [ ! -e /var/lib/tomcat5/common/lib/\[geronimo\]spec\-servlet\-2.4\-rc2.jar ]; then
- ln -s /usr/share/java/geronimo/spec-servlet-2.4-rc2.jar [geronimo]spec-servlet-2.4-rc2.jar
- fi
- if [ ! -e /var/lib/tomcat5/common/lib/\[geronimo\]spec\-servlet\-2.4.jar ]; then
- ln -s /usr/share/java/geronimo/spec-servlet-2.4.jar [geronimo]spec-servlet-2.4.jar
- fi
- if [ ! -e /var/lib/tomcat5/common/lib/\[jaf\].jar ]; then
- ln -s /usr/share/java/jaf.jar [jaf].jar
- fi
-
- ### BEGIN SOLARIS-SPECIFIC LINKS
- ### if [ ! -e /var/lib/tomcat5/common/lib/\[jakarta\-commons\-collections.jar\] ]; then
- ### ln -s /usr/share/java/jakarta-commons-collections.jar [jakarta-commons-collections.jar]
- ### fi
- ### if [ ! -e /var/lib/tomcat5/common/lib/\[jakarta\-commons\-modeler.jar\] ]; then
- ### ln -s /usr/share/java/jakarta-commons-modeler.jar [jakarta-commons-modeler.jar]
- ### fi
- ### END SOLARIS-SPECIFIC LINKS
-
- ### if [ ! -e /var/lib/tomcat5/common/lib/\[jasper5\-compiler\].jar ]; then
- ### ln -s /usr/share/java/jasper5-compiler.jar [jasper5-compiler].jar
- ### fi
- ### if [ ! -e /var/lib/tomcat5/common/lib/\[jasper5\-runtime\].jar ]; then
- ### ln -s /usr/share/java/jasper5-runtime.jar [jasper5-runtime].jar
- ### fi
-
- if [ ! -e /var/lib/tomcat5/common/lib/\[javamail\]imap\-1.3.1.jar ]; then
- ln -s /usr/share/java/javamail/imap-1.3.1.jar [javamail]imap-1.3.1.jar
- fi
- if [ ! -e /var/lib/tomcat5/common/lib/\[javamail\]imap.jar ]; then
- ln -s /usr/share/java/javamail/imap.jar [javamail]imap.jar
- fi
- if [ ! -e /var/lib/tomcat5/common/lib/\[javamail\]mailapi\-1.3.1.jar ]; then
- ln -s /usr/share/java/javamail/mailapi-1.3.1.jar [javamail]mailapi-1.3.1.jar
- fi
- if [ ! -e /var/lib/tomcat5/common/lib/\[javamail\]mailapi.jar ]; then
- ln -s /usr/share/java/javamail/mailapi.jar [javamail]mailapi.jar
- fi
- if [ ! -e /var/lib/tomcat5/common/lib/\[javamail\]nntp\-1.3.1.jar ]; then
- ln -s /usr/share/java/javamail/nntp-1.3.1.jar [javamail]nntp-1.3.1.jar
- fi
- if [ ! -e /var/lib/tomcat5/common/lib/\[javamail\]nntp.jar ]; then
- ln -s /usr/share/java/javamail/nntp.jar [javamail]nntp.jar
- fi
- if [ ! -e /var/lib/tomcat5/common/lib/\[javamail\]pop3\-1.3.1.jar ]; then
- ln -s /usr/share/java/javamail/pop3-1.3.1.jar [javamail]pop3-1.3.1.jar
- fi
- if [ ! -e /var/lib/tomcat5/common/lib/\[javamail\]pop3.jar ]; then
- ln -s /usr/share/java/javamail/pop3.jar [javamail]pop3.jar
- fi
- if [ ! -e /var/lib/tomcat5/common/lib/\[javamail\]providers\-1.3.1.jar ]; then
- ln -s /usr/share/java/javamail/providers-1.3.1.jar [javamail]providers-1.3.1.jar
- fi
- if [ ! -e /var/lib/tomcat5/common/lib/\[javamail\]providers.jar ]; then
- ln -s /usr/share/java/javamail/providers.jar [javamail]providers.jar
- fi
- if [ ! -e /var/lib/tomcat5/common/lib/\[javamail\]smtp\-1.3.1.jar ]; then
- ln -s /usr/share/java/javamail/smtp-1.3.1.jar [javamail]smtp-1.3.1.jar
- fi
- if [ ! -e /var/lib/tomcat5/common/lib/\[javamail\]smtp.jar ]; then
- ln -s /usr/share/java/javamail/smtp.jar [javamail]smtp.jar
- fi
-
- ### BEGIN LINUX-SPECIFIC LINKS
- ### if [ ! -e /var/lib/tomcat5/common/lib/\[jdtCompilerAdapter\].jar ]; then
- ### ln -s /usr/share/java/jdtCompilerAdapter.jar [jdtCompilerAdapter].jar
- ### fi
- ### if [ ! -e /var/lib/tomcat5/common/lib/\[jdtcore\].jar ]; then
- ### ln -s /usr/share/java/jdtcore.jar [jdtcore].jar
- ### fi
- ### if [ ! -e /var/lib/tomcat5/common/lib/\[jsp\].jar ]; then
- ### ln -s /usr/share/java/jsp.jar [jsp].jar
- ### fi
- ### END LINUX-SPECIFIC LINKS
-
- if [ ! -e /var/lib/tomcat5/common/lib/\[mx4j\]\[mx4j\].jar ]; then
- ln -s /usr/share/java/mx4j/mx4j.jar [mx4j][mx4j].jar
- fi
-
- ### BEGIN LINUX-SPECIFIC LINKS
- ### if [ ! -e /var/lib/tomcat5/common/lib/\[servlet\].jar ]; then
- ### ln -s /usr/share/java/servlet.jar [servlet].jar
- ### fi
- ### END LINUX-SPECIFIC LINKS
-
- ### BEGIN LINUX-SPECIFIC FILE BUT SOLARIS-SPECIFIC LINK
- if [ ! -e /var/lib/tomcat5/common/lib/avalon\-logkit.jar ]; then
- ln -s /usr/share/java/avalon-logkit.jar avalon-logkit.jar
- fi
- ### END LINUX-SPECIFIC FILE BUT SOLARIS-SPECIFIC LINK
-
- ### if [ ! -e /var/lib/tomcat5/common/lib/cmsutil.jar ]; then
- ### ln -s /usr/share/java/rphki/cmsutil.jar cmsutil.jar
- ### fi
-
- ### BEGIN LINUX-SPECIFIC FILE BUT SOLARIS-SPECIFIC LINK
- if [ ! -e /var/lib/tomcat5/common/lib/commons\-logging.jar ]; then
- ln -s /usr/share/java/commons-logging.jar commons-logging.jar
- fi
- ### END LINUX-SPECIFIC FILE BUT SOLARIS-SPECIFIC LINK
-
- ### if [ ! -e /var/lib/tomcat5/common/lib/jss4.jar ]; then
- ### if [ "$ARCHITECTURE" = "sparc" ] ; then
- ### ln -s /usr/lib/java/dirsec/jss4.jar jss4.jar
- ### elif [ "$ARCHITECTURE" = "sparcv9" ] ; then
- ### ln -s /usr/lib/sparcv9/java/dirsec/jss4.jar jss4.jar
- ### fi
- ### fi
- ### if [ ! -e /var/lib/tomcat5/common/lib/ldapjdk.jar ]; then
- ### ln -s /usr/share/java/ldapjdk.jar ldapjdk.jar
- ### fi
-
- ### naming-factory.jar
- ### naming-resources.jar
-
- ### if [ ! -e /var/lib/tomcat5/common/lib/nsutil.jar ]; then
- ### ln -s /usr/share/java/pki/nsutil.jar nsutil.jar
- ### fi
- ### if [ ! -e /var/lib/tomcat5/common/lib/osutil.jar ]; then
- ### if [ "$ARCHITECTURE" = "sparc" ] ; then
- ### ln -s /usr/lib/java/osutil.jar osutil.jar
- ### elif [ "$ARCHITECTURE" = "sparcv9" ] ; then
- ### ln -s /usr/lib/sparcv9/java/osutil.jar osutil.jar
- ### fi
- ### fi
- ### if [ ! -e /var/lib/tomcat5/common/lib/rhino.jar ]; then
- ### ln -s /usr/share/java/rhino.jar rhino.jar
- ### fi
-
- ### BEGIN SOLARIS-SPECIFIC LINKS
- ### if [ ! -e /var/lib/tomcat5/common/lib/\[servletapi5.jar\] ]; then
- ### ln -s /usr/share/java/servletapi5.jar [servletapi5.jar]
- ### fi
- ### END SOLARIS-SPECIFIC LINKS
-
- ### if [ ! -e /var/lib/tomcat5/common/lib/symkey.jar ]; then
- ### if [ "$ARCHITECTURE" = "sparc" ] ; then
- ### ln -s /usr/lib/java/symkey.jar symkey.jar
- ### elif [ "$ARCHITECTURE" = "sparcv9" ] ; then
- ### ln -s /usr/lib/sparcv9/java/symkey.jar symkey.jar
- ### fi
- ### fi
- ### if [ ! -e /var/lib/tomcat5/common/lib/velocity.jar ]; then
- ### ln -s /usr/share/java/velocity.jar velocity.jar
- ### fi
- ### if [ ! -e /var/lib/tomcat5/common/lib/xalan\-j2.jar ]; then
- ### ln -s /usr/share/java/xalan-j2.jar xalan-j2.jar
- ### fi
-
- if [ ! -e /var/lib/tomcat5/common/lib/xerces\-j2\-2.6.2.jar ]; then
- ln -s /usr/share/java/xerces-j2-2.6.2.jar xerces-j2-2.6.2.jar
- fi
-
- ### if [ ! -e /var/lib/tomcat5/common/lib/xerces\-j2.jar ]; then
- ### ln -s /usr/share/java/xerces-j2.jar xerces-j2.jar
- ### fi
+. /etc/init.d/functions
-
- #######################################
- ## /var/lib/tomcat5/common/endorsed:
- #######################################
-
- # Build the tomcat jar classpath . . .
- CLASSPATH="$CLASSPATH":/usr/share/java/xml-commons-apis.jar
-
- # BEGIN LINUX-SPECIFIC FILE
- # CLASSPATH="$CLASSPATH":/usr/share/java/jaxp_parser_impl.jar
- # END LINUX-SPECIFIC FILE
-
-
- # Relink tomcat jar repositories . . .
- cd /var/lib/tomcat5/common/endorsed
-
- ### BEGIN LINUX-SPECIFIC LINKS
- ### if [ ! -e /var/lib/tomcat5/common/endorsed/\[jaxp_parser_impl\].jar ]; then
- ### ln -s /usr/share/java/jaxp_parser_impl.jar [jaxp_parser_impl].jar
- ### fi
- ### END LINUX-SPECIFIC LINKS
-
- if [ ! -e /var/lib/tomcat5/common/endorsed/\[xml\-commons\-apis\].jar ]; then
- ln -s /usr/share/java/xml-commons-apis.jar [xml-commons-apis].jar
- fi
-
-
- #######################################
- ## /var/lib/tomcat5/server/lib:
- #######################################
-
- # Build the tomcat jar classpath . . .
- CLASSPATH="$CLASSPATH":/usr/share/java/catalina-ant5.jar
- CLASSPATH="$CLASSPATH":/usr/share/java/commons-beanutils.jar
- CLASSPATH="$CLASSPATH":/usr/share/java/commons-digester.jar
- CLASSPATH="$CLASSPATH":/usr/share/java/commons-el.jar
- CLASSPATH="$CLASSPATH":/usr/share/java/commons-fileupload.jar
- CLASSPATH="$CLASSPATH":/usr/share/java/commons-logging.jar
- CLASSPATH="$CLASSPATH":/usr/share/java/commons-modeler.jar
-
- # BEGIN LINUX-SPECIFIC FILE
- # CLASSPATH="$CLASSPATH":/usr/share/java/jdtCompilerAdapter.jar
- # CLASSPATH="$CLASSPATH":/usr/share/java/jdtcore.jar
- # END LINUX-SPECIFIC FILE
-
- CLASSPATH="$CLASSPATH":/usr/share/java/mx4j/mx4j.jar
- CLASSPATH="$CLASSPATH":/usr/share/java/mx4j/mx4j-impl.jar
- CLASSPATH="$CLASSPATH":/usr/share/java/mx4j/mx4j-jmx.jar
- CLASSPATH="$CLASSPATH":/usr/share/java/mx4j/mx4j-remote.jar
- CLASSPATH="$CLASSPATH":/usr/share/java/mx4j/mx4j-rimpl.jar
- CLASSPATH="$CLASSPATH":/usr/share/java/mx4j/mx4j-rjmx.jar
- CLASSPATH="$CLASSPATH":/usr/share/java/mx4j/mx4j-tools.jar
- CLASSPATH="$CLASSPATH":/usr/share/java/regexp.jar
- CLASSPATH="$CLASSPATH":/var/lib/tomcat5/server/lib/catalina-cluster.jar
- CLASSPATH="$CLASSPATH":/var/lib/tomcat5/server/lib/catalina-optional.jar
- CLASSPATH="$CLASSPATH":/var/lib/tomcat5/server/lib/catalina-storeconfig.jar
- CLASSPATH="$CLASSPATH":/var/lib/tomcat5/server/lib/catalina.jar
- if [ "$ARCHITECTURE" = "sparc" ] ; then
- CLASSPATH="$CLASSPATH":/usr/lib/java/dirsec/jss4.jar
- elif [ "$ARCHITECTURE" = "sparcv9" ] ; then
- CLASSPATH="$CLASSPATH":/usr/lib/sparcv9/java/dirsec/jss4.jar
- fi
- CLASSPATH="$CLASSPATH":/var/lib/tomcat5/server/lib/servlets-cgi.renametojar
- CLASSPATH="$CLASSPATH":/var/lib/tomcat5/server/lib/servlets-default.jar
- CLASSPATH="$CLASSPATH":/var/lib/tomcat5/server/lib/servlets-invoker.jar
- CLASSPATH="$CLASSPATH":/var/lib/tomcat5/server/lib/servlets-ssi.renametojar
- CLASSPATH="$CLASSPATH":/var/lib/tomcat5/server/lib/servlets-webdav.jar
- CLASSPATH="$CLASSPATH":/var/lib/tomcat5/server/lib/tomcat-ajp.jar
- CLASSPATH="$CLASSPATH":/var/lib/tomcat5/server/lib/tomcat-coyote.jar
- CLASSPATH="$CLASSPATH":/var/lib/tomcat5/server/lib/tomcat-http.jar
- CLASSPATH="$CLASSPATH":/var/lib/tomcat5/server/lib/tomcat-util.jar
- CLASSPATH="$CLASSPATH":/usr/share/java/tomcatjss.jar
-
-
- # Relink tomcat jar repositories . . .
- cd /var/lib/tomcat5/server/lib
-
- if [ ! -e /var/lib/tomcat5/server/lib/\[catalina\-ant5\].jar ]; then
- ln -s /usr/share/java/catalina-ant5.jar [catalina-ant5].jar
- fi
- if [ ! -e /var/lib/tomcat5/server/lib/\[commons\-beanutils\].jar ]; then
- ln -s /usr/share/java/commons-beanutils.jar [commons-beanutils].jar
- fi
- if [ ! -e /var/lib/tomcat5/server/lib/\[commons\-digester\].jar ]; then
- ln -s /usr/share/java/commons-digester.jar [commons-digester].jar
- fi
- if [ ! -e /var/lib/tomcat5/server/lib/\[commons\-el\].jar ]; then
- ln -s /usr/share/java/commons-el.jar [commons-el].jar
- fi
- if [ ! -e /var/lib/tomcat5/server/lib/\[commons\-fileupload\].jar ]; then
- ln -s /usr/share/java/commons-fileupload.jar [commons-fileupload].jar
- fi
- if [ ! -e /var/lib/tomcat5/server/lib/\[commons\-logging\].jar ]; then
- ln -s /usr/share/java/commons-logging.jar [commons-logging].jar
- fi
- if [ ! -e /var/lib/tomcat5/server/lib/\[commons\-modeler\].jar ]; then
- ln -s /usr/share/java/commons-modeler.jar [commons-modeler].jar
- fi
-
- ### BEGIN LINUX-SPECIFIC LINKS
- ### if [ ! -e /var/lib/tomcat5/server/lib/\[jdtCompilerAdapter\].jar ]; then
- ### ln -s /usr/share/java/jdtCompilerAdapter.jar [jdtCompilerAdapter].jar
- ### fi
- ### if [ ! -e /var/lib/tomcat5/server/lib/\[jdtcore\].jar ]; then
- ### ln -s /usr/share/java/jdtcore.jar [jdtcore].jar
- ### fi
- ### END LINUX-SPECIFIC LINKS
-
- if [ ! -e /var/lib/tomcat5/server/lib/\[mx4j\]\[mx4j\].jar ]; then
- ln -s /usr/share/java/mx4j/mx4j.jar [mx4j][mx4j].jar
- fi
- if [ ! -e /var/lib/tomcat5/server/lib/\[regexp\].jar ]; then
- ln -s /usr/share/java/regexp.jar [regexp].jar
- fi
-
- ### catalina-cluster.jar
- ### catalina-optional.jar
- ### catalina-storeconfig.jar
- ### catalina.jar
- ### if [ ! -e /var/lib/tomcat5/server/lib/jss4.jar ]; then
- ### if [ "$ARCHITECTURE" = "sparc" ] ; then
- ### ln -s /usr/lib/java/dirsec/jss4.jar jss4.jar
- ### elif [ "$ARCHITECTURE" = "sparcv9" ] ; then
- ### ln -s /usr/lib/sparcv9/java/dirsec/jss4.jar jss4.jar
- ### fi
- ### fi
- ### servlets-cgi.renametojar
- ### servlets-default.jar
- ### servlets-invoker.jar
- ### servlets-ssi.renametojar
- ### servlets-webdav.jar
- ### tomcat-ajp.jar
- ### tomcat-coyote.jar
- ### tomcat-http.jar
- ### tomcat-util.jar
- ### if [ ! -e /var/lib/tomcat5/server/lib/tomcatjss.jar ]; then
- ### ln -s /usr/share/java/tomcatjss.jar tomcatjss.jar
- ### fi
-
-
- #######################################
- ## /var/lib/tomcat5/shared/lib:
- #######################################
-
- # Build the tomcat jar classpath . . .
-
- export CLASSPATH
-
-
- # Relink tomcat jar repositories . . .
- cd /var/lib/tomcat5/shared/lib
- fi
-
- # daemon --user $TOMCAT_USER $TOMCAT_SCRIPT start
- if [ ${OS} = "SunOS" ] ; then
- su $TOMCAT_USER -c "$TOMCAT_SCRIPT start" > /dev/null
- else
- runuser -s /bin/bash $TOMCAT_USER -c "$TOMCAT_SCRIPT start" > /dev/null
- fi
-
- rv=$?
- if [ ${rv} = 0 ] ; then
- touch ${PKI_LOCKFILE}
- chown $TOMCAT_USER:$TOMCAT_GROUP $PKI_LOCKFILE
- chmod 00600 $PKI_LOCKFILE
- fi
-
- if [ ${rv} = 0 ] ; then
- count=0;
-
- let swait=$STARTUP_WAIT
- while [ ! -s ${pidfile} ] &&
- [ $count -lt $swait ]
- do
- echo -n "."
- sleep 1
- let count=$count+1;
- done
-
- if [ -f /etc/init.d/functions ]; then
- if [ "$CONSOLETYPE" = "serial" ]; then
- echo -n " "
- fi
- echo_success
- echo
- else
- echo " [ OK ]"
- fi
-
- get_pki_secure_port
- if [ $? -ne 0 ] ; then
- PKI_SECURE_PORT="<Port Undefined>"
- fi
-
- # Set permissions of log files
- pki_logs_directory=${PKI_INSTANCE_PATH}/logs
- pki_signedAudit="${pki_logs_directory}/signedAudit"
- for file in ${pki_logs_directory}/*; do
- if [ ! -d "${file}" ]; then
- chmod 00640 ${file}
- chgrp $TOMCAT_GROUP ${file}
- chown $TOMCAT_USER ${file}
- fi
- done
-
- # Set permissions of signedAudit log files
- # do not set the group id, this will be set by the sgid on the directory
- pki_signedAudit_files=`ls -1A ${pki_signedAudit} | wc -l`
- if [ ${pki_signedAudit_files} -gt 0 ]; then
- for file in ${pki_signedAudit}/*; do
- chmod 00640 ${file}
- chown $TOMCAT_USER ${file}
- done
- fi
-
- # ignore "status" return codes
- echo
- display_instance_status
- else
- if [ -f /etc/init.d/functions ]; then
- if [ "$CONSOLETYPE" = "serial" ]; then
- $0 echo -n " "
- fi
- echo_failure
- echo
- else
- echo " [ FAILED ]"
- fi
- fi
-
- sleep 5
- return ${rv}
-}
-
-stop_instance()
-{
- rv=0
-
- echo -n "Stopping $TOMCAT_PROG: "
-
- if [ -f ${PKI_LOCKFILE} ] ; then
- CATALINA_PID=${pidfile}
- export CATALINA_PID
-
- # daemon --user $TOMCAT_USER $TOMCAT_SCRIPT stop
- if [ ${OS} = "SunOS" ] ; then
- su $TOMCAT_USER -c "$TOMCAT_SCRIPT stop" > /dev/null
- else
- runuser -s /bin/bash $TOMCAT_USER -c "$TOMCAT_SCRIPT stop" > /dev/null
- fi
-
- rv=$?
-
- if [ ${rv} = 0 ]; then
- count=0;
-
- if [ -f ${pidfile} ]; then
- read kpid < ${pidfile}
- let kwait=$SHUTDOWN_WAIT
-
- until [ `ps -p $kpid | grep -c $kpid` = '0' ] ||
- [ $count -gt $kwait ]
- do
- echo -n "."
- sleep 1
- let count=$count+1;
- done
-
- if [ $count -gt $kwait ]; then
- kill -9 $kpid
- fi
- fi
-
- rm -f ${PKI_LOCKFILE}
- rm -f ${pidfile}
-
- if [ -f /etc/init.d/functions ]; then
- if [ "$CONSOLETYPE" = "serial" ]; then
- echo -n " "
- fi
- echo_success
- echo
- else
- echo " [ OK ]"
- fi
- else
- if [ -f /etc/init.d/functions ]; then
- if [ "$CONSOLETYPE" = "serial" ]; then
- echo -n " "
- fi
- echo_failure
- echo
- else
- echo " [ FAILED ]"
- fi
- rv=${default_error}
- fi
- else
- echo
- echo "process already stopped"
- rv=0
- fi
-
- return ${rv}
-}
-
-start()
-{
- # From "http://fedoraproject.org/wiki/FCNewInit/Initscripts":
- #
- # * 0 action was successful
- # * 1 generic or unspecified error (current practice)
- # * 2 invalid or excess argument(s)
- # * 3 unimplemented feature (for example, "reload")
- # * 4 user had insufficient privilege
- # * 5 program is not installed
- # * 6 program is not configured
- # * 7 program is not running
- # * 8-99 reserved for future LSB use
- # * 100-149 reserved for distribution use
- # * 150-199 reserved for application use
- # * 200-254 reserved
- #
-
- error_rv=0
- rv=0
-
- if [ -n "${PKI_REGISTRY_ENTRIES}" ]; then
- config_errors=0
- errors=0
-
- if [ ${TOTAL_PKI_REGISTRY_ENTRIES} -gt 1 ] ; then
- echo "BEGIN STARTING '${PKI_TYPE}' INSTANCE(S):"
- fi
-
- # Start every PKI instance of this type that isn't already running
- for PKI_REGISTRY_ENTRY in ${PKI_REGISTRY_ENTRIES}; do
- # Source values associated with this particular PKI instance
- [ -f ${PKI_REGISTRY_ENTRY} ] &&
- . ${PKI_REGISTRY_ENTRY}
-
- pidfile=${PKI_PIDDIR}/${PKI_PIDFILE}
-
- [ ${TOTAL_PKI_REGISTRY_ENTRIES} -gt 1 ] && echo
-
- start_instance
-
- rv=$?
- if [ ${rv} = 6 ] ; then
- # Since at least ONE configuration error exists, then there
- # is at least ONE unconfigured instance from the PKI point
- # of view.
- #
- # However, it must still be considered that the
- # instance is "running" from the point of view of other
- # OS programs such as 'chkconfig'.
- #
- # Therefore, ignore non-zero return codes resulting
- # from configuration errors.
- #
-
- config_errors=`expr $config_errors + 1`
- rv=0
- elif [ ${rv} != 0 ] ; then
- errors=`expr $errors + 1`
- error_rv=${rv}
- fi
- done
-
- if [ ${TOTAL_PKI_REGISTRY_ENTRIES} -gt ${errors} ] ; then
- touch ${lockfile}
- chmod 00600 ${lockfile}
- fi
-
- # ONLY print a "WARNING" message if multiple
- # instances are being examined
- if [ ${TOTAL_PKI_REGISTRY_ENTRIES} -gt 1 ] ; then
- # NOTE: "bad" return code(s) OVERRIDE configuration errors!
- if [ ${errors} -eq 1 ]; then
- # Since only ONE error exists, return that "bad" error code.
- rv=${error_rv}
- elif [ ${errors} -gt 1 ]; then
- # Since MORE than ONE error exists, return an OVERALL status
- # of "1 generic or unspecified error (current practice)"
- rv=1
- fi
-
- if [ ${errors} -ge 1 ]; then
- echo
- echo -n "WARNING: "
- echo -n "${errors} of ${TOTAL_PKI_REGISTRY_ENTRIES} "
- echo -n "'${PKI_TYPE}' instances failed to start!"
- echo
- fi
-
- if [ ${TOTAL_UNCONFIGURED_PKI_ENTRIES} -ge 1 ]; then
- echo
- echo -n "WARNING: "
- echo -n "${TOTAL_UNCONFIGURED_PKI_ENTRIES} "
- echo -n "of ${TOTAL_PKI_REGISTRY_ENTRIES} "
- echo -n "'${PKI_TYPE}' instances MUST be configured!"
- echo
- fi
-
- echo
- echo "FINISHED STARTING '${PKI_TYPE}' INSTANCE(S)."
- fi
- else
- echo
- echo "ERROR: No '${PKI_TYPE}' instances installed!"
- rv=5
- fi
-
- return ${rv}
-}
-
-stop()
-{
- # From "http://fedoraproject.org/wiki/FCNewInit/Initscripts":
- #
- # * 0 action was successful
- # * 1 generic or unspecified error (current practice)
- # * 2 invalid or excess argument(s)
- # * 3 unimplemented feature (for example, "reload")
- # * 4 user had insufficient privilege
- # * 5 program is not installed
- # * 6 program is not configured
- # * 7 program is not running
- # * 8-99 reserved for future LSB use
- # * 100-149 reserved for distribution use
- # * 150-199 reserved for application use
- # * 200-254 reserved
- #
-
- error_rv=0
- rv=0
-
- if [ -n "${PKI_REGISTRY_ENTRIES}" ]; then
- errors=0
-
- if [ ${TOTAL_PKI_REGISTRY_ENTRIES} -gt 1 ] ; then
- echo "BEGIN SHUTTING DOWN '${PKI_TYPE}' INSTANCE(S):"
- fi
-
- # Shutdown every PKI instance of this type that is running
- for PKI_REGISTRY_ENTRY in ${PKI_REGISTRY_ENTRIES}; do
- # Source values associated with this particular PKI instance
- [ -f ${PKI_REGISTRY_ENTRY} ] &&
- . ${PKI_REGISTRY_ENTRY}
-
- pidfile=${PKI_PIDDIR}/${PKI_PIDFILE}
-
- [ ${TOTAL_PKI_REGISTRY_ENTRIES} -gt 1 ] && echo
-
- stop_instance
-
- rv=$?
- if [ ${rv} != 0 ] ; then
- errors=`expr $errors + 1`
- error_rv=${rv}
- fi
- done
-
- if [ ${errors} -eq 0 ] ; then
- rm -f ${lockfile}
- fi
-
- # ONLY print a "WARNING" message if multiple
- # instances are being examined
- if [ ${TOTAL_PKI_REGISTRY_ENTRIES} -gt 1 ] ; then
- if [ ${errors} -eq 1 ]; then
- # Since only ONE error exists, return that "bad" error code.
- rv=${error_rv}
- elif [ ${errors} -gt 1 ]; then
- # Since MORE than ONE error exists, return an OVERALL status
- # of "1 generic or unspecified error (current practice)"
- rv=1
- fi
-
- if [ ${errors} -ge 1 ]; then
- echo
- echo -n "WARNING: "
- echo -n "${errors} of ${TOTAL_PKI_REGISTRY_ENTRIES} "
- echo -n "'${PKI_TYPE}' instances were "
- echo -n "unsuccessfully stopped!"
- echo
- fi
-
- echo
- echo "FINISHED SHUTTING DOWN '${PKI_TYPE}' INSTANCE(S)."
- fi
- else
- echo
- echo "ERROR: No '${PKI_TYPE}' instances installed!"
- rv=5
- fi
-
- return ${rv}
-}
-
-restart()
-{
- # From "http://fedoraproject.org/wiki/FCNewInit/Initscripts":
- #
- # * 0 action was successful
- # * 1 generic or unspecified error (current practice)
- # * 2 invalid or excess argument(s)
- # * 3 unimplemented feature (for example, "reload")
- # * 4 user had insufficient privilege
- # * 5 program is not installed
- # * 6 program is not configured
- # * 7 program is not running
- # * 8-99 reserved for future LSB use
- # * 100-149 reserved for distribution use
- # * 150-199 reserved for application use
- # * 200-254 reserved
- #
-
- stop
- sleep 2
- echo
- echo "============================================================"
- echo
- start
-
- return $?
-}
-
-status()
-{
- # From "http://fedoraproject.org/wiki/FCNewInit/Initscripts":
- #
- # * 0 program is running or service is OK
- # * 1 program is dead and /var/run pid file exists
- # * 2 program is dead and /var/lock lock file exists
- # * 3 program is not running
- # * 4 program or service status is unknown
- # * 5-99 reserved for future LSB use
- # * 100-149 reserved for distribution use
- # * 150-199 reserved for application use
- # * 200-254 reserved
- #
-
- error_rv=0
- rv=0
-
- if [ -n "${PKI_REGISTRY_ENTRIES}" ]; then
- errors=0
-
- if [ ${TOTAL_PKI_REGISTRY_ENTRIES} -gt 1 ] ; then
- echo "REPORT STATUS OF '${PKI_TYPE}' INSTANCE(S):"
- fi
-
- # Obtain status of every PKI instance of this type
- for PKI_REGISTRY_ENTRY in ${PKI_REGISTRY_ENTRIES}; do
- # Source values associated with this particular PKI instance
- [ -f ${PKI_REGISTRY_ENTRY} ] &&
- . ${PKI_REGISTRY_ENTRY}
-
- pidfile=${PKI_PIDDIR}/${PKI_PIDFILE}
-
- [ ${TOTAL_PKI_REGISTRY_ENTRIES} -gt 1 ] && echo
-
- display_instance_status
-
- rv=$?
- if [ ${rv} -ne 0 ] ; then
- errors=`expr $errors + 1`
- error_rv=${rv}
- fi
- done
-
- # ONLY print a "WARNING" message if multiple
- # instances are being examined
- if [ ${TOTAL_PKI_REGISTRY_ENTRIES} -gt 1 ] ; then
- if [ ${errors} -eq 1 ]; then
- # Since only ONE error exists, return that "bad" error code.
- rv=${error_rv}
- elif [ ${errors} -gt 1 ]; then
- # Since MORE than ONE error exists, return an OVERALL status
- # of "4 - program or service status is unknown"
- rv=4
- fi
-
- if [ ${errors} -ge 1 ]; then
- echo
- echo -n "WARNING: "
- echo -n "${errors} of ${TOTAL_PKI_REGISTRY_ENTRIES} "
- echo -n "'${PKI_TYPE}' instances reported status failures!"
- echo
- fi
-
- if [ ${TOTAL_UNCONFIGURED_PKI_ENTRIES} -ge 1 ]; then
- echo
- echo -n "WARNING: "
- echo -n "${TOTAL_UNCONFIGURED_PKI_ENTRIES} "
- echo -n "of ${TOTAL_PKI_REGISTRY_ENTRIES} "
- echo -n "'${PKI_TYPE}' instances MUST be configured!"
- echo
- fi
-
- echo
- echo "FINISHED REPORTING STATUS OF '${PKI_TYPE}' INSTANCE(S)."
- fi
- else
- echo
- echo "ERROR: No '${PKI_TYPE}' instances installed!"
- rv=4
- fi
-
- return ${rv}
-}
+# Source the PKI function library
+. /usr/share/pki/scripts/functions
 # See how we were called.
-case "${command}" in
- start|stop|restart|status)
- ${command}
- exit $?
- ;;
- condrestart|force-restart|try-restart)
- [ ! -f ${lockfile} ] || restart
- exit $?
- ;;
- reload)
- echo "The 'reload' action is an unimplemented feature."
- exit ${default_error}
- ;;
- *)
- # * 3 unimplemented feature (for example, "reload")
- # [invalid command - should never be reached]
- echo
- usage
- echo "where valid instance names include:"
- list_instances
- exit 3
- ;;
+case $command in
+ status)
+ registry_status
+ exit $?
+ ;;
+ start)
+ start
+ exit $?
+ ;;
+ restart)
+ restart
+ exit $?
+ ;;
+ stop)
+ stop
+ exit $?
+ ;;
+ condrestart|force-restart|try-restart)
+ [ ! -f ${lockfile} ] || restart
+ exit $?
+ ;;
+ reload)
+ echo "The 'reload' action is an unimplemented feature."
+ exit ${default_error}
+ ;;
+ *)
+ echo "unknown action ($command)"
+ usage
+ echo "where valid instance names include:"
+ list_instances
+ exit ${default_error}
+ ;;
 esac |