authorPKI Team <PKI Team@c9f7a03b-bd48-0410-a16d-cbbf54688b0b>2008-03-18 22:36:57 +0000
committerPKI Team <PKI Team@c9f7a03b-bd48-0410-a16d-cbbf54688b0b>2008-03-18 22:36:57 +0000
commitd0f2e4efbd3eb0f1d7f5a28e7f97c1fb4ec027bb (patch)
tree7e7473fae8af5ad7e6cda7eabbef787093fc59a7 /pki/base/kra
parent273f8d85df5c31293a908185622b378c8f3cf7e8 (diff)
downloadpki-d0f2e4efbd3eb0f1d7f5a28e7f97c1fb4ec027bb.tar.gz
pki-d0f2e4efbd3eb0f1d7f5a28e7f97c1fb4ec027bb.tar.xz
pki-d0f2e4efbd3eb0f1d7f5a28e7f97c1fb4ec027bb.zip
Initial open source version based upon proprietary Red Hat Certificate System (RHCS) 7.3.
git-svn-id: svn+ssh://svn.fedorahosted.org/svn/pki/trunk@2 c9f7a03b-bd48-0410-a16d-cbbf54688b0b
Diffstat (limited to 'pki/base/kra')
-rw-r--r--pki/base/kra/LICENSE311
-rw-r--r--pki/base/kra/build.xml343
-rw-r--r--pki/base/kra/config/product.xml305
-rw-r--r--pki/base/kra/config/release.xml86
-rw-r--r--pki/base/kra/setup/config.desktop31
-rwxr-xr-xpki/base/kra/setup/postinstall67
-rw-r--r--pki/base/kra/shared/acl/cms.acl45
-rw-r--r--pki/base/kra/shared/conf/CS.cfg286
-rw-r--r--pki/base/kra/shared/conf/acl.ldif32
-rw-r--r--pki/base/kra/shared/conf/catalina.policy172
-rw-r--r--pki/base/kra/shared/conf/catalina.properties64
-rw-r--r--pki/base/kra/shared/conf/context.xml12
-rw-r--r--pki/base/kra/shared/conf/database.ldif4
-rw-r--r--pki/base/kra/shared/conf/db.ldif79
-rwxr-xr-xpki/base/kra/shared/conf/dtomcat5448
-rw-r--r--pki/base/kra/shared/conf/index.ldif177
-rw-r--r--pki/base/kra/shared/conf/jk2.manifest2
-rw-r--r--pki/base/kra/shared/conf/jk2.properties26
-rw-r--r--pki/base/kra/shared/conf/jkconf.ant.xml51
-rw-r--r--pki/base/kra/shared/conf/jkconfig.manifest2
-rw-r--r--pki/base/kra/shared/conf/registry.cfg0
-rw-r--r--pki/base/kra/shared/conf/schema.ldif394
-rw-r--r--pki/base/kra/shared/conf/server-minimal.xml25
-rw-r--r--pki/base/kra/shared/conf/server.xml396
-rw-r--r--pki/base/kra/shared/conf/server.xml.good390
-rw-r--r--pki/base/kra/shared/conf/serverCert.profile37
-rw-r--r--pki/base/kra/shared/conf/serverCertNick.conf1
-rw-r--r--pki/base/kra/shared/conf/shm.manifest2
-rw-r--r--pki/base/kra/shared/conf/storageCert.profile37
-rw-r--r--pki/base/kra/shared/conf/subsystemCert.profile37
-rw-r--r--pki/base/kra/shared/conf/tomcat-jk2.manifest7
-rw-r--r--pki/base/kra/shared/conf/tomcat-users.xml13
-rw-r--r--pki/base/kra/shared/conf/tomcat5.conf73
-rw-r--r--pki/base/kra/shared/conf/transportCert.profile37
-rw-r--r--pki/base/kra/shared/conf/uriworkermap.properties13
-rw-r--r--pki/base/kra/shared/conf/vlv.ldif207
-rw-r--r--pki/base/kra/shared/conf/vlvtasks.ldif19
-rw-r--r--pki/base/kra/shared/conf/web.xml979
-rw-r--r--pki/base/kra/shared/conf/workers.properties206
-rw-r--r--pki/base/kra/shared/conf/workers.properties.minimal17
-rw-r--r--pki/base/kra/shared/conf/workers2.properties132
-rw-r--r--pki/base/kra/shared/conf/workers2.properties.minimal55
-rwxr-xr-xpki/base/kra/shared/etc/init.d/httpd929
-rw-r--r--pki/base/kra/shared/webapps/ROOT/WEB-INF/web.xml29
-rw-r--r--pki/base/kra/shared/webapps/ROOT/index.html22
-rw-r--r--pki/base/kra/shared/webapps/ROOT/index.jsp9
-rw-r--r--pki/base/kra/shared/webapps/kra/WEB-INF/velocity.properties8
-rw-r--r--pki/base/kra/shared/webapps/kra/WEB-INF/web.xml1103
-rw-r--r--pki/base/kra/src/com/netscape/kra/EncryptionUnit.java534
-rw-r--r--pki/base/kra/src/com/netscape/kra/EnrollmentService.java951
-rw-r--r--pki/base/kra/src/com/netscape/kra/KRANotify.java53
-rw-r--r--pki/base/kra/src/com/netscape/kra/KRAPolicy.java76
-rw-r--r--pki/base/kra/src/com/netscape/kra/KRAService.java98
-rw-r--r--pki/base/kra/src/com/netscape/kra/KeyRecoveryAuthority.java1478
-rw-r--r--pki/base/kra/src/com/netscape/kra/NetkeyKeygenService.java556
-rw-r--r--pki/base/kra/src/com/netscape/kra/RecoveryService.java476
-rw-r--r--pki/base/kra/src/com/netscape/kra/StorageKeyUnit.java962
-rw-r--r--pki/base/kra/src/com/netscape/kra/TokenKeyRecoveryService.java532
-rw-r--r--pki/base/kra/src/com/netscape/kra/TransportKeyUnit.java201
59 files changed, 13637 insertions, 0 deletions
diff --git a/pki/base/kra/LICENSE b/pki/base/kra/LICENSE
new file mode 100644
index 000000000..e36f2269a
--- /dev/null
+++ b/pki/base/kra/LICENSE
@@ -0,0 +1,311 @@
+This Program is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published
+by the Free Software Foundation; version 2 of the License.
+
+This Program is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+for more details.
+
+You should have received a copy of the GNU General Public License
+along with this Program; if not, write to the Free Software
+Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA.
+
+In addition, as a special exception, Red Hat, Inc. gives You the additional
+right to link the code of this Program with code not covered under the GNU
+General Public License ("Non-GPL Code") and to distribute linked combinations
+including the two, subject to the limitations in this paragraph. Non-GPL
+Code permitted under this exception must only link to the code of this
+Program through those well defined interfaces identified in the file named
+EXCEPTION found in the source code files (the "Approved Interfaces").
+
+The files of Non-GPL Code may instantiate templates or use macros or inline
+functions from the Approved Interfaces without causing the resulting work to
+be covered by the GNU General Public License. Only Red Hat, Inc. may make
+changes or additions to the list of Approved Interfaces. You must obey the
+GNU General Public License in all respects for all of the Program code and
+other code used in conjunction with the Program except the Non-GPL Code
+covered by this exception. If you modify this file, you may extend this
+exception to your version of the file, but you are not obligated to do so.
+If you do not wish to provide this exception without modification, you must
+delete this exception statement from your version and license this file
+solely under the GPL without exception.
+
+ GNU GENERAL PUBLIC LICENSE
+ Version 2, June 1991
+
+ Copyright (C) 1989, 1991 Free Software Foundation, Inc.,
+ 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
+ Everyone is permitted to copy and distribute verbatim copies
+ of this license document, but changing it is not allowed.
+
+ Preamble
+
+ The licenses for most software are designed to take away your
+freedom to share and change it. By contrast, the GNU General Public
+License is intended to guarantee your freedom to share and change free
+software--to make sure the software is free for all its users. This
+General Public License applies to most of the Free Software
+Foundation's software and to any other program whose authors commit to
+using it. (Some other Free Software Foundation software is covered by
+the GNU Lesser General Public License instead.) You can apply it to
+your programs, too.
+
+ When we speak of free software, we are referring to freedom, not
+price. Our General Public Licenses are designed to make sure that you
+have the freedom to distribute copies of free software (and charge for
+this service if you wish), that you receive source code or can get it
+if you want it, that you can change the software or use pieces of it
+in new free programs; and that you know you can do these things.
+
+ To protect your rights, we need to make restrictions that forbid
+anyone to deny you these rights or to ask you to surrender the rights.
+These restrictions translate to certain responsibilities for you if you
+distribute copies of the software, or if you modify it.
+
+ For example, if you distribute copies of such a program, whether
+gratis or for a fee, you must give the recipients all the rights that
+you have. You must make sure that they, too, receive or can get the
+source code. And you must show them these terms so they know their
+rights.
+
+ We protect your rights with two steps: (1) copyright the software, and
+(2) offer you this license which gives you legal permission to copy,
+distribute and/or modify the software.
+
+ Also, for each author's protection and ours, we want to make certain
+that everyone understands that there is no warranty for this free
+software. If the software is modified by someone else and passed on, we
+want its recipients to know that what they have is not the original, so
+that any problems introduced by others will not reflect on the original
+authors' reputations.
+
+ Finally, any free program is threatened constantly by software
+patents. We wish to avoid the danger that redistributors of a free
+program will individually obtain patent licenses, in effect making the
+program proprietary. To prevent this, we have made it clear that any
+patent must be licensed for everyone's free use or not licensed at all.
+
+ The precise terms and conditions for copying, distribution and
+modification follow.
+
+ GNU GENERAL PUBLIC LICENSE
+ TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
+
+ 0. This License applies to any program or other work which contains
+a notice placed by the copyright holder saying it may be distributed
+under the terms of this General Public License. The "Program", below,
+refers to any such program or work, and a "work based on the Program"
+means either the Program or any derivative work under copyright law:
+that is to say, a work containing the Program or a portion of it,
+either verbatim or with modifications and/or translated into another
+language. (Hereinafter, translation is included without limitation in
+the term "modification".) Each licensee is addressed as "you".
+
+Activities other than copying, distribution and modification are not
+covered by this License; they are outside its scope. The act of
+running the Program is not restricted, and the output from the Program
+is covered only if its contents constitute a work based on the
+Program (independent of having been made by running the Program).
+Whether that is true depends on what the Program does.
+
+ 1. You may copy and distribute verbatim copies of the Program's
+source code as you receive it, in any medium, provided that you
+conspicuously and appropriately publish on each copy an appropriate
+copyright notice and disclaimer of warranty; keep intact all the
+notices that refer to this License and to the absence of any warranty;
+and give any other recipients of the Program a copy of this License
+along with the Program.
+
+You may charge a fee for the physical act of transferring a copy, and
+you may at your option offer warranty protection in exchange for a fee.
+
+ 2. You may modify your copy or copies of the Program or any portion
+of it, thus forming a work based on the Program, and copy and
+distribute such modifications or work under the terms of Section 1
+above, provided that you also meet all of these conditions:
+
+ a) You must cause the modified files to carry prominent notices
+ stating that you changed the files and the date of any change.
+
+ b) You must cause any work that you distribute or publish, that in
+ whole or in part contains or is derived from the Program or any
+ part thereof, to be licensed as a whole at no charge to all third
+ parties under the terms of this License.
+
+ c) If the modified program normally reads commands interactively
+ when run, you must cause it, when started running for such
+ interactive use in the most ordinary way, to print or display an
+ announcement including an appropriate copyright notice and a
+ notice that there is no warranty (or else, saying that you provide
+ a warranty) and that users may redistribute the program under
+ these conditions, and telling the user how to view a copy of this
+ License. (Exception: if the Program itself is interactive but
+ does not normally print such an announcement, your work based on
+ the Program is not required to print an announcement.)
+
+These requirements apply to the modified work as a whole. If
+identifiable sections of that work are not derived from the Program,
+and can be reasonably considered independent and separate works in
+themselves, then this License, and its terms, do not apply to those
+sections when you distribute them as separate works. But when you
+distribute the same sections as part of a whole which is a work based
+on the Program, the distribution of the whole must be on the terms of
+this License, whose permissions for other licensees extend to the
+entire whole, and thus to each and every part regardless of who wrote it.
+
+Thus, it is not the intent of this section to claim rights or contest
+your rights to work written entirely by you; rather, the intent is to
+exercise the right to control the distribution of derivative or
+collective works based on the Program.
+
+In addition, mere aggregation of another work not based on the Program
+with the Program (or with a work based on the Program) on a volume of
+a storage or distribution medium does not bring the other work under
+the scope of this License.
+
+ 3. You may copy and distribute the Program (or a work based on it,
+under Section 2) in object code or executable form under the terms of
+Sections 1 and 2 above provided that you also do one of the following:
+
+ a) Accompany it with the complete corresponding machine-readable
+ source code, which must be distributed under the terms of Sections
+ 1 and 2 above on a medium customarily used for software interchange; or,
+
+ b) Accompany it with a written offer, valid for at least three
+ years, to give any third party, for a charge no more than your
+ cost of physically performing source distribution, a complete
+ machine-readable copy of the corresponding source code, to be
+ distributed under the terms of Sections 1 and 2 above on a medium
+ customarily used for software interchange; or,
+
+ c) Accompany it with the information you received as to the offer
+ to distribute corresponding source code. (This alternative is
+ allowed only for noncommercial distribution and only if you
+ received the program in object code or executable form with such
+ an offer, in accord with Subsection b above.)
+
+The source code for a work means the preferred form of the work for
+making modifications to it. For an executable work, complete source
+code means all the source code for all modules it contains, plus any
+associated interface definition files, plus the scripts used to
+control compilation and installation of the executable. However, as a
+special exception, the source code distributed need not include
+anything that is normally distributed (in either source or binary
+form) with the major components (compiler, kernel, and so on) of the
+operating system on which the executable runs, unless that component
+itself accompanies the executable.
+
+If distribution of executable or object code is made by offering
+access to copy from a designated place, then offering equivalent
+access to copy the source code from the same place counts as
+distribution of the source code, even though third parties are not
+compelled to copy the source along with the object code.
+
+ 4. You may not copy, modify, sublicense, or distribute the Program
+except as expressly provided under this License. Any attempt
+otherwise to copy, modify, sublicense or distribute the Program is
+void, and will automatically terminate your rights under this License.
+However, parties who have received copies, or rights, from you under
+this License will not have their licenses terminated so long as such
+parties remain in full compliance.
+
+ 5. You are not required to accept this License, since you have not
+signed it. However, nothing else grants you permission to modify or
+distribute the Program or its derivative works. These actions are
+prohibited by law if you do not accept this License. Therefore, by
+modifying or distributing the Program (or any work based on the
+Program), you indicate your acceptance of this License to do so, and
+all its terms and conditions for copying, distributing or modifying
+the Program or works based on it.
+
+ 6. Each time you redistribute the Program (or any work based on the
+Program), the recipient automatically receives a license from the
+original licensor to copy, distribute or modify the Program subject to
+these terms and conditions. You may not impose any further
+restrictions on the recipients' exercise of the rights granted herein.
+You are not responsible for enforcing compliance by third parties to
+this License.
+
+ 7. If, as a consequence of a court judgment or allegation of patent
+infringement or for any other reason (not limited to patent issues),
+conditions are imposed on you (whether by court order, agreement or
+otherwise) that contradict the conditions of this License, they do not
+excuse you from the conditions of this License. If you cannot
+distribute so as to satisfy simultaneously your obligations under this
+License and any other pertinent obligations, then as a consequence you
+may not distribute the Program at all. For example, if a patent
+license would not permit royalty-free redistribution of the Program by
+all those who receive copies directly or indirectly through you, then
+the only way you could satisfy both it and this License would be to
+refrain entirely from distribution of the Program.
+
+If any portion of this section is held invalid or unenforceable under
+any particular circumstance, the balance of the section is intended to
+apply and the section as a whole is intended to apply in other
+circumstances.
+
+It is not the purpose of this section to induce you to infringe any
+patents or other property right claims or to contest validity of any
+such claims; this section has the sole purpose of protecting the
+integrity of the free software distribution system, which is
+implemented by public license practices. Many people have made
+generous contributions to the wide range of software distributed
+through that system in reliance on consistent application of that
+system; it is up to the author/donor to decide if he or she is willing
+to distribute software through any other system and a licensee cannot
+impose that choice.
+
+This section is intended to make thoroughly clear what is believed to
+be a consequence of the rest of this License.
+
+ 8. If the distribution and/or use of the Program is restricted in
+certain countries either by patents or by copyrighted interfaces, the
+original copyright holder who places the Program under this License
+may add an explicit geographical distribution limitation excluding
+those countries, so that distribution is permitted only in or among
+countries not thus excluded. In such case, this License incorporates
+the limitation as if written in the body of this License.
+
+ 9. The Free Software Foundation may publish revised and/or new versions
+of the General Public License from time to time. Such new versions will
+be similar in spirit to the present version, but may differ in detail to
+address new problems or concerns.
+
+Each version is given a distinguishing version number. If the Program
+specifies a version number of this License which applies to it and "any
+later version", you have the option of following the terms and conditions
+either of that version or of any later version published by the Free
+Software Foundation. If the Program does not specify a version number of
+this License, you may choose any version ever published by the Free Software
+Foundation.
+
+ 10. If you wish to incorporate parts of the Program into other free
+programs whose distribution conditions are different, write to the author
+to ask for permission. For software which is copyrighted by the Free
+Software Foundation, write to the Free Software Foundation; we sometimes
+make exceptions for this. Our decision will be guided by the two goals
+of preserving the free status of all derivatives of our free software and
+of promoting the sharing and reuse of software generally.
+
+ NO WARRANTY
+
+ 11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY
+FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN
+OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES
+PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED
+OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS
+TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE
+PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING,
+REPAIR OR CORRECTION.
+
+ 12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
+WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR
+REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES,
+INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING
+OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED
+TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY
+YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER
+PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE
+POSSIBILITY OF SUCH DAMAGES.
diff --git a/pki/base/kra/build.xml b/pki/base/kra/build.xml
new file mode 100644
index 000000000..2af6f8347
--- /dev/null
+++ b/pki/base/kra/build.xml
@@ -0,0 +1,343 @@
+<!-- ### BEGIN COPYRIGHT BLOCK ###
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; version 2 of the License.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License along
+ with this program; if not, write to the Free Software Foundation, Inc.,
+ 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+
+ Copyright (C) 2007 Red Hat, Inc.
+ All rights reserved.
+ ### END COPYRIGHT BLOCK ### -->
+<project name="kra" default="main" basedir=".">
+
+ <import file="config/product.xml"/>
+ <import file="config/product-ext.xml" optional="true"/>
+
+ <property name="jss.home" value="${jni-jar.home}${dirsec}"/>
+ <property name="jss.jar" value="${jss.home}/jss4.jar"/>
+ <property name="osutil.jar" value="${jni-jar.home}/osutil.jar"/>
+ <property name="symkey.jar" value="${jni-jar.home}/symkey.jar"/>
+ <property name="ldapjdk.jar" value="${jar.home}/ldapjdk.jar"/>
+ <property name="servlet.jar" value="${jar.home}/servlet.jar"/>
+ <property name="velocity.jar" value="${jar.home}/velocity.jar"/>
+ <property name="certsrv.jar" value="${pki-jar.home}/certsrv.jar"/>
+ <property name="cms.jar" value="${pki-jar.home}/cms.jar"/>
+ <property name="cmscore.jar" value="${pki-jar.home}/cmscore.jar"/>
+ <property name="cmsutil.jar" value="${pki-jar.home}/cmsutil.jar"/>
+ <property name="nsutil.jar" value="${pki-jar.home}/nsutil.jar"/>
+
+ <path id="classpath">
+ <pathelement location="${servlet.jar}"/>
+ <pathelement location="${jss.jar}"/>
+ <pathelement location="${ldapjdk.jar}"/>
+ <pathelement location="${nsutil.jar}"/>
+ <pathelement location="${cmsutil.jar}"/>
+ <pathelement location="${osutil.jar}"/>
+ <pathelement location="${symkey.jar}"/>
+ <pathelement location="${velocity.jar}"/>
+ <pathelement location="${cms.jar}"/>
+ <pathelement location="${certsrv.jar}"/>
+ <pathelement location="${cmscore.jar}"/>
+ </path>
+
+ <!-- Set up component-specific properties -->
+ <exec executable="perl"
+ failonerror="true"
+ outputproperty="config.desktop.version">
+ <arg value="-pi -e"/>
+ <arg value="s/Version=.*/Version=${version}/"/>
+ <arg value="setup/config.desktop"/>
+ </exec>
+
+
+ <target name="clean"
+ depends=""
+ description="--> remove component directories">
+ <echo message="${begin.clean.log.message}"/>
+ <delete dir="${dist.base}"/>
+ <delete dir="${build.dir}"/>
+ <echo message="${end.clean.log.message}"/>
+ </target>
+
+
+ <target name="download"
+ depends=""
+ description="--> download dependent components">
+ <echo message="${begin.download.log.message}"/>
+ <echo message="${empty.download.log.message}"/>
+ <echo message="${end.download.log.message}"/>
+ </target>
+
+
+ <target name="compile_java"
+ depends=""
+ description="--> compile java source code into classes">
+ <echo message="${begin.compile.java.log.message}"/>
+ <mkdir dir="${build.classes}"/>
+ <javac debug="on"
+ srcdir="${src.dir}/com/netscape/${product}"
+ destdir="${build.classes}">
+ <classpath refid="classpath"/>
+ </javac>
+ <echo message="${end.compile.java.log.message}"/>
+ </target>
+
+
+ <target name="build_jars"
+ depends="compile_java"
+ description="--> generate jar files">
+ <echo message="${begin.build.jars.log.message}"/>
+ <mkdir dir="${build.jars}"/>
+ <jar jarfile="${build.jars}/${product}.jar">
+ <fileset dir="${build.classes}">
+ <include name="com/netscape/${product}/**"/>
+ </fileset>
+ </jar>
+ <echo message="${end.build.jars.log.message}"/>
+ </target>
+
+
+ <target name="build_jni_headers"
+ depends="compile_java"
+ description="--> generate jni header files">
+ <echo message="${begin.build.jni.headers.log.message}"/>
+ <echo message="${empty.build.jni.headers.log.message}"/>
+ <echo message="${end.build.jni.headers.log.message}"/>
+ </target>
+
+
+ <target name="build"
+ depends="build_jars,build_jni_headers"
+ description="--> build classes, jars, and jni headers">
+ <echo message="${notify.build.log.message}"/>
+ </target>
+
+
+ <target name="compile_junit_tests"
+ depends="build"
+ description="--> compile junit test source code">
+ <echo message="${begin.compile.junit.tests.log.message}"/>
+ <echo message="${empty.compile.junit.tests.log.message}"/>
+ <echo message="${end.compile.junit.tests.log.message}"/>
+ </target>
+
+
+ <target name="run_junit_tests"
+ depends="compile_junit_tests"
+ description="--> execute junit tests">
+ <echo message="${begin.run.junit.tests.log.message}"/>
+ <echo message="${empty.run.junit.tests.log.message}"/>
+ <echo message="${end.run.junit.tests.log.message}"/>
+ </target>
+
+
+ <target name="verify"
+ depends="run_junit_tests"
+ description="--> build and execute junit tests">
+ <echo message="${notify.verify.log.message}"/>
+ </target>
+
+
+ <target name="clean_javadocs"
+ depends=""
+ description="--> remove javadocs directory">
+ <echo message="${begin.clean.javadocs.log.message}"/>
+ <echo message="${empty.clean.javadocs.log.message}"/>
+ <echo message="${end.clean.javadocs.log.message}"/>
+ </target>
+
+
+ <target name="compose_javadocs"
+ depends="build"
+ description="--> generate javadocs">
+ <echo message="${begin.compose.javadocs.log.message}"/>
+ <echo message="${empty.compose.javadocs.log.message}"/>
+ <echo message="${end.compose.javadocs.log.message}"/>
+ </target>
+
+
+ <target name="document"
+ depends="clean_javadocs,compose_javadocs"
+ description="--> remove old javadocs and compose new javadocs">
+ <echo message="${notify.document.log.message}"/>
+ </target>
+
+
+ <target name="distribute_binaries"
+ depends="document"
+ description="--> create the zip and gzipped tar binary distributions">
+ <echo message="${begin.distribute.binaries.log.message}"/>
+ <mkdir dir="${dist.base.binaries}"/>
+
+ <echo message="${begin.binary.wrappers.log.message}"/>
+ <echo message="${empty.binary.wrappers.log.message}"/>
+ <echo message="${end.binary.wrappers.log.message}"/>
+
+ <echo message="${begin.binary.zip.log.message}"/>
+ <zip destfile="${dist.base.binaries}/${dist.name}.zip">
+ <zipfileset dir="./build/jars"
+ filemode="755"
+ prefix="usr/share/java/${product.prefix}/${product}">
+ <include name="**"/>
+ </zipfileset>
+ <zipfileset dir="./setup"
+ filemode="755"
+ prefix="usr/share/${product.prefix}/${product}/setup">
+ <include name="**"/>
+ </zipfileset>
+ <zipfileset dir="./shared"
+ filemode="755"
+ prefix="usr/share/${product.prefix}/${product}">
+ <include name="**"/>
+ </zipfileset>
+ <zipfileset dir="."
+ filemode="755"
+ prefix="usr/share/doc/${dist.name}">
+ <include name="LICENSE"/>
+ </zipfileset>
+ </zip>
+ <echo message="${end.binary.zip.log.message}"/>
+
+ <echo message="${begin.binary.tar.log.message}"/>
+ <tar longfile="gnu"
+ destfile="${dist.base.binaries}/${dist.name}.tar">
+ <tarfileset dir="./build/jars"
+ mode="755"
+ prefix="${dist.name}/usr/share/java/${product.prefix}/${product}">
+ <include name="**"/>
+ </tarfileset>
+ <tarfileset dir="./setup"
+ mode="755"
+ prefix="${dist.name}/usr/share/${product.prefix}/${product}/setup">
+ <include name="**"/>
+ </tarfileset>
+ <tarfileset dir="./shared"
+ mode="755"
+ prefix="${dist.name}/usr/share/${product.prefix}/${product}">
+ <include name="**"/>
+ </tarfileset>
+ <tarfileset dir="."
+ mode="755"
+ prefix="${dist.name}/usr/share/doc/${dist.name}">
+ <include name="LICENSE"/>
+ </tarfileset>
+ </tar>
+ <echo message="${end.binary.tar.log.message}"/>
+
+ <echo message="${begin.binary.gtar.log.message}"/>
+ <gzip destfile="${dist.base.binaries}/${dist.name}.tar.gz"
+ src="${dist.base.binaries}/${dist.name}.tar"/>
+ <delete file="${dist.base.binaries}/${dist.name}.tar"/>
+ <delete dir="${dist.name}"/>
+ <checksum fileext=".md5">
+ <fileset dir="${dist.base.binaries}/">
+ <include name="**/*"/>
+ <exclude name="**/*.asc"/>
+ <exclude name="**/*.md5"/>
+ </fileset>
+ </checksum>
+ <checksum fileext=".sha1"
+ algorithm="SHA">
+ <fileset dir="${dist.base.binaries}/">
+ <include name="**/*"/>
+ <exclude name="**/*.asc"/>
+ <exclude name="**/*.md5"/>
+ </fileset>
+ </checksum>
+ <echo message="${end.binary.gtar.log.message}"/>
+
+ <echo message="${end.distribute.binaries.log.message}"/>
+ </target>
+
+
+ <target name="distribute_source"
+ depends=""
+ description="--> create the zip and gzipped tar source distributions">
+ <echo message="${begin.distribute.source.log.message}"/>
+ <mkdir dir="${dist.base.source}"/>
+
+ <echo message="${begin.source.zip.log.message}"/>
+ <zip destfile="${dist.base.source}/${src.dist.name}.zip">
+ <zipfileset dir="."
+ filemode="755"
+ prefix="${src.dist.name}">
+ <include name="${specfile}"/>
+ <include name="LICENSE"/>
+ <include name="build.xml"/>
+ <include name="config/product*.xml"/>
+ <include name="config/release*.xml"/>
+ <include name="release"/>
+ <include name="setup/**"/>
+ <include name="shared/**"/>
+ <include name="src/**"/>
+ </zipfileset>
+ </zip>
+ <echo message="${end.source.zip.log.message}"/>
+
+ <echo message="${begin.source.tar.log.message}"/>
+ <tar longfile="gnu"
+ destfile="${dist.base.source}/${src.dist.name}.tar">
+ <tarfileset dir="."
+ mode="755"
+ prefix="${src.dist.name}">
+ <include name="${specfile}"/>
+ <include name="LICENSE"/>
+ <include name="build.xml"/>
+ <include name="config/product*.xml"/>
+ <include name="config/release*.xml"/>
+ <include name="release"/>
+ <include name="setup/**"/>
+ <include name="shared/**"/>
+ <include name="src/**"/>
+ </tarfileset>
+ </tar>
+ <echo message="${end.source.tar.log.message}"/>
+
+ <echo message="${begin.source.gtar.log.message}"/>
+ <gzip destfile="${dist.base.source}/${src.dist.name}.tar.gz"
+ src="${dist.base.source}/${src.dist.name}.tar"/>
+ <delete file="${dist.base.source}/${src.dist.name}.tar"/>
+ <delete dir="${dist.name}"/>
+ <checksum fileext=".md5">
+ <fileset dir="${dist.base.source}/">
+ <include name="**/*"/>
+ <exclude name="**/*.asc"/>
+ <exclude name="**/*.md5"/>
+ </fileset>
+ </checksum>
+ <checksum fileext=".sha1"
+ algorithm="SHA">
+ <fileset dir="${dist.base.source}/">
+ <include name="**/*"/>
+ <exclude name="**/*.asc"/>
+ <exclude name="**/*.md5"/>
+ </fileset>
+ </checksum>
+ <echo message="${end.source.gtar.log.message}"/>
+
+ <echo message="${end.distribute.source.log.message}"/>
+ </target>
+
+
+ <target name="distribute"
+ depends="distribute_binaries,distribute_source"
+ description="--> create binary and source component distributions">
+ <echo message="${notify.distribute.log.message}"/>
+ </target>
+
+
+ <target name="main"
+ depends="clean,distribute"
+ description="--> clean, build, verify, document, distribute [default]">
+ <echo message="${notify.main.log.message}"/>
+ </target>
+
+</project>
+
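Review bot: Every file in the binary distribution is packed with `filemode="755"` (the `./shared` zipfileset in distribute_binaries and its tarfileset twin with `mode="755"`), which marks configuration such as `shared/conf/CS.cfg`, `server.xml` and `tomcat-users.xml` executable and world-readable once extracted. The diffstat shows only `shared/conf/dtomcat5` and `shared/etc/init.d/httpd` as executables, so the rest should ship 644 and anything that carries credentials should be tightened further by the installer rather than left at the archive default. The `.md5`/`.sha1` sidecars written at the end of the target provide integrity only, not authenticity; the `*.asc` exclusions suggest signatures are expected, which is worth confirming before relying on them. The tar section needs the same fileset split with `mode=` in place of `filemode=`. Separately, the unconditional `<exec executable="perl">` above the targets rewrites the tracked file `setup/config.desktop` in place on every Ant run, including `clean`, and passes `-pi -e` as a single argv entry, which perl may read as `-i` with backup suffix ` -e`; splitting it into `<arg value="-pi"/><arg value="-e"/>` and moving it into a target is safer.
```xml
<!-- … unchanged: build/jars and setup zipfilesets … -->
<zipfileset dir="./shared"
            filemode="644"
            prefix="usr/share/${product.prefix}/${product}">
    <include name="**"/>
    <exclude name="conf/dtomcat5"/>
    <exclude name="etc/init.d/httpd"/>
</zipfileset>
<zipfileset dir="./shared"
            filemode="755"
            prefix="usr/share/${product.prefix}/${product}">
    <include name="conf/dtomcat5"/>
    <include name="etc/init.d/httpd"/>
</zipfileset>
<zipfileset dir="."
            filemode="644"
            prefix="usr/share/doc/${dist.name}">
    <include name="LICENSE"/>
</zipfileset>
<!-- … unchanged: tar section, mirror the same split using mode= … -->
```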
diff --git a/pki/base/kra/config/product.xml b/pki/base/kra/config/product.xml
new file mode 100644
index 000000000..33caf48ed
--- /dev/null
+++ b/pki/base/kra/config/product.xml
@@ -0,0 +1,305 @@
+<!-- ### BEGIN COPYRIGHT BLOCK ###
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; version 2 of the License.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License along
+ with this program; if not, write to the Free Software Foundation, Inc.,
+ 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+
+ Copyright (C) 2007 Red Hat, Inc.
+ All rights reserved.
+ ### END COPYRIGHT BLOCK ### -->
+<project name="product.xml" default="main" basedir=".">
+
+ <!-- Set up properties based upon the user's default Ant configuration -->
+ <property file=".ant.properties"/>
+ <property file="${user.home}/.ant.properties"/>
+ <property environment="env"/>
+
+
+ <!-- Check for required properties passed-in via the build scripts -->
+ <fail message="The '-Dspecfile=SPECFILE' property MUST always be specified!"
+ unless="specfile"/>
+
+
+ <!-- Set up optional properties passed-in via the build scripts -->
+ <property name="basedir" value=""/>
+ <property name="dirsec" value=""/>
+ <property name="target" value=""/>
+
+
+ <!-- Set up properties obtained from the spec file -->
+ <exec executable="perl"
+ failonerror="true"
+ outputproperty="Name">
+ <arg value="-ne"/>
+ <arg value="print $1 if /%define base_product\s+(.*)/"/>
+ <arg value="${specfile}"/>
+ </exec>
+
+ <exec executable="perl"
+ failonerror="true"
+ outputproperty="spec.product.ui.prefix">
+ <arg value="-ne"/>
+ <arg value="print $1 if /%define base_ui_prefix\s+(\S+)/"/>
+ <arg value="${specfile}"/>
+ </exec>
+
+ <exec executable="perl"
+ failonerror="true"
+ outputproperty="product.prefix">
+ <arg value="-ne"/>
+ <arg value="print $1 if /%define base_prefix\s+(\S+)/"/>
+ <arg value="${specfile}"/>
+ </exec>
+
+ <exec executable="perl"
+ failonerror="true"
+ outputproperty="product">
+ <arg value="-ne"/>
+ <arg value="print $1 if /%define base_component\s+(\S+)/"/>
+ <arg value="${specfile}"/>
+ </exec>
+
+ <!-- if "spec.product.ui.prefix" is "" or "linux", -->
+ <!-- set "product.ui.prefix" to ""; otherwise -->
+ <!-- set "product.ui.prefix" to "spec.product.ui.prefix" -->
+ <condition property="product.ui.prefix"
+ value=""
+ else="${spec.product.ui.prefix}">
+ <or>
+ <equals arg1="${spec.product.ui.prefix}"
+ arg2=""/>
+ <equals arg1="${spec.product.ui.prefix}"
+ arg2="linux"/>
+ </or>
+ </condition>
+
+ <!-- "product.name" is of the form "x-y-z" -->
+ <condition property="product.name"
+ value="${product.ui.prefix}-${product.prefix}-${product}">
+ <not>
+ <equals arg1="${product.ui.prefix}"
+ arg2=""/>
+ </not>
+ </condition>
+
+ <!-- "product.name" is of the form "x-y" -->
+ <condition property="product.name"
+ value="${product.prefix}-${product}">
+ <and>
+ <equals arg1="${product.ui.prefix}"
+ arg2=""/>
+ <not>
+ <equals arg1="${product.prefix}"
+ arg2=""/>
+ </not>
+ </and>
+ </condition>
+
+ <!-- "product.name" is of the form "x" -->
+ <condition property="product.name"
+ value="${product}">
+ <and>
+ <equals arg1="${product.ui.prefix}"
+ arg2=""/>
+ <equals arg1="${product.prefix}"
+ arg2=""/>
+ </and>
+ </condition>
+
+ <exec executable="perl"
+ failonerror="true"
+ outputproperty="version">
+ <arg value="-ne"/>
+ <arg value="print $1 if /%define base_version\s+(\S+)/"/>
+ <arg value="${specfile}"/>
+ </exec>
+
+
+ <!-- Set up architecture-dependent properties -->
+ <exec executable="uname"
+ failonerror="true"
+ outputproperty="arch">
+ <arg line="-i"/>
+ </exec>
+
+ <!-- Set up architecture-independent properties -->
+ <property name="jar.home" value="/usr/share/java"/>
+ <property name="pki-jar.home" value="${jar.home}/${product.prefix}"/>
+ <property name="jni-jar.home" value="/usr/lib/java"/>
+
+ <!-- Set up properties that control various build options -->
+ <property name="debug" value="true"/>
+ <property name="chmod.fail" value="true"/>
+ <property name="chmod.maxparallel" value="250"/>
+ <property name="deprecation" value="false"/>
+ <property name="optimize" value="true"/>
+
+
+ <!-- Set up properties related to the source tree -->
+ <property name="docs.dir" value="docs"/>
+ <property name="lib.dir" value="lib"/>
+ <property name="src.dir" value="src"/>
+ <property name="test.dir" value="test"/>
+ <property name="etc.dir" value="${src.dir}/etc"/>
+ <property name="script.dir" value="${src.dir}/script"/>
+
+
+ <!-- Set up properties for the release area -->
+ <property name="release.root" value="."/>
+
+
+ <!-- Set up properties for the build area -->
+ <property name="build.dir" value="build"/>
+ <property name="bootstrap.dir" value="bootstrap"/>
+ <property name="build.jars" value="${build.dir}/jars"/>
+ <property name="build.classes" value="${build.dir}/classes"/>
+ <property name="build.lib" value="${build.dir}/lib"/>
+ <property name="build.javadocs" value="${build.dir}/javadocs"/>
+ <property name="build.tests" value="${build.dir}/testcases"/>
+ <property name="build.tests.javadocs" value="${build.dir}/javadocs.test/"/>
+ <property name="manifest.tmp" value="${build.dir}/optional.manifest"/>
+
+
+ <!-- Set up properties for the distribution area -->
+ <property name="dist.name" value="${product.name}-${version}"/>
+ <property name="dist.base" value="dist"/>
+ <property name="dist.base.source" value="${dist.base}/source"/>
+ <property name="dist.base.binaries" value="${dist.base}/binary"/>
+ <property name="dist.dir" value="dist"/>
+ <property name="dist.bin" value="${dist.dir}/bin"/>
+ <property name="dist.lib" value="${dist.dir}/lib"/>
+ <property name="dist.docs" value="${dist.dir}/docs"/>
+ <property name="dist.etc" value="${dist.dir}/etc"/>
+ <property name="src.dist.name" value="${product.name}-${version}"/>
+ <property name="src.dist.dir" value="dist-src"/>
+ <property name="src.dist.src" value="${src.dist.dir}/src"/>
+ <property name="src.dist.docs" value="${src.dist.dir}/docs"/>
+ <property name="src.dist.lib" value="${src.dist.dir}/lib"/>
+
+
+ <!-- Set up properties for log messages -->
+ <property name="begin.clean.log.message"
+ value="Removing '${product.name}' component directories ..."/>
+ <property name="empty.clean.log.message"
+ value="Nothing to do!"/>
+ <property name="end.clean.log.message"
+ value="Completed removing '${product.name}' component directories."/>
+ <property name="begin.download.log.message"
+ value="Downloading '${product.name}' dependent components ..."/>
+ <property name="empty.download.log.message"
+ value="Nothing to do!"/>
+ <property name="end.download.log.message"
+ value="Completed downloading '${product.name}' dependent components."/>
+ <property name="begin.compile.java.log.message"
+ value="Compiling '${product.name}' java code from '${src.dir}' into '${build.classes}' ..."/>
+ <property name="empty.compile.java.log.message"
+ value="Nothing to do!"/>
+ <property name="end.compile.java.log.message"
+ value="Completed compiling '${product.name}' java code from '${src.dir}' into '${build.classes}'."/>
+ <property name="begin.build.jars.log.message"
+ value="Generating '${product.name}' jar files ..."/>
+ <property name="empty.build.jars.log.message"
+ value="Nothing to do!"/>
+ <property name="end.build.jars.log.message"
+ value="Completed generating '${product.name}' jar files."/>
+ <property name="begin.build.jni.headers.log.message"
+ value="Generating '${product.name}' java header files ..."/>
+ <property name="empty.build.jni.headers.log.message"
+ value="Nothing to do!"/>
+ <property name="end.build.jni.headers.log.message"
+ value="Completed generating '${product.name}' java header files."/>
+ <property name="notify.build.log.message"
+ value="Built classes, jars, and jni headers for the '${product.name}' component."/>
+ <property name="begin.compile.junit.tests.log.message"
+ value="Compiling '${product.name}' junit tests from '${test.dir}' into '${build.tests}' ..."/>
+ <property name="empty.compile.junit.tests.log.message"
+ value="Nothing to do!"/>
+ <property name="end.compile.junit.tests.log.message"
+ value="Completed compiling '${product.name}' junit tests from '${test.dir}' into '${build.tests}'."/>
+ <property name="begin.run.junit.tests.log.message"
+ value="Executing '${product.name}' tests ..."/>
+ <property name="empty.run.junit.tests.log.message"
+ value="Nothing to do!"/>
+ <property name="end.run.junit.tests.log.message"
+ value="Completed executing '${product.name}' tests."/>
+ <property name="notify.verify.log.message"
+ value="Verified the '${product.name}' component."/>
+ <property name="begin.clean.javadocs.log.message"
+ value="Removing '${product.name}' javadocs directory ..."/>
+ <property name="empty.clean.javadocs.log.message"
+ value="Nothing to do!"/>
+ <property name="end.clean.javadocs.log.message"
+ value="Completed removing '${product.name}' javadocs directory."/>
+ <property name="begin.compose.javadocs.log.message"
+ value="Composing '${product.name}' javadocs ..."/>
+ <property name="empty.compose.javadocs.log.message"
+ value="Nothing to do!"/>
+ <property name="end.compose.javadocs.log.message"
+ value="Completed composing '${product.name}' javadocs."/>
+ <property name="notify.document.log.message"
+ value="Documented '${product.name}' javadocs."/>
+ <property name="begin.distribute.binaries.log.message"
+ value="Creating '${product.name}' binary distributions ..."/>
+ <property name="begin.binary.wrappers.log.message"
+ value=" Creating '${product.name}' binary wrappers ..."/>
+ <property name="empty.binary.wrappers.log.message"
+ value=" Nothing to do!"/>
+ <property name="end.binary.wrappers.log.message"
+ value=" Completed creating '${product.name}' binary wrappers."/>
+ <property name="begin.binary.zip.log.message"
+ value=" Creating '${product.name}' binary zip files ..."/>
+ <property name="empty.binary.zip.log.message"
+ value=" Nothing to do!"/>
+ <property name="end.binary.zip.log.message"
+ value=" Completed creating '${product.name}' binary zip files."/>
+ <property name="begin.binary.tar.log.message"
+ value=" Creating '${product.name}' binary tar files ..."/>
+ <property name="empty.binary.tar.log.message"
+ value=" Nothing to do!"/>
+ <property name="end.binary.tar.log.message"
+ value=" Completed creating '${product.name}' binary tar files."/>
+ <property name="begin.binary.gtar.log.message"
+ value=" Creating '${product.name}' binary gzip files ..."/>
+ <property name="empty.binary.gtar.log.message"
+ value=" Nothing to do!"/>
+ <property name="end.binary.gtar.log.message"
+ value=" Completed creating '${product.name}' binary gzip files."/>
+ <property name="end.distribute.binaries.log.message"
+ value="Completed creating '${product.name}' binary distributions."/>
+ <property name="begin.distribute.source.log.message"
+ value="Creating '${product.name}' source distributions ..."/>
+ <property name="begin.source.zip.log.message"
+ value=" Creating '${product.name}' source zip files ..."/>
+ <property name="empty.source.zip.log.message"
+ value=" Nothing to do!"/>
+ <property name="end.source.zip.log.message"
+ value=" Completed creating '${product.name}' source zip files."/>
+ <property name="begin.source.tar.log.message"
+ value=" Creating '${product.name}' source tar files ..."/>
+ <property name="empty.source.tar.log.message"
+ value=" Nothing to do!"/>
+ <property name="end.source.tar.log.message"
+ value=" Completed creating '${product.name}' source tar files."/>
+ <property name="begin.source.gtar.log.message"
+ value=" Creating '${product.name}' source gzip files ..."/>
+ <property name="empty.source.gtar.log.message"
+ value=" Nothing to do!"/>
+ <property name="end.source.gtar.log.message"
+ value=" Completed creating '${product.name}' source gzip files."/>
+ <property name="end.distribute.source.log.message"
+ value="Completed creating '${product.name}' source distributions."/>
+ <property name="notify.distribute.log.message"
+ value="Distributed '${product.name}' distribution packages."/>
+ <property name="notify.main.log.message"
+ value="Built, verified, documented, and distributed a fresh '${product.name}' component."/>
+
+</project>
+
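Review bot: The `Name` extraction at the first perl exec captures with `(.*)`, while every other spec-file lookup (`base_ui_prefix`, `base_prefix`, `base_component`, `base_version`) uses `(\S+)`; `(.*)` will carry any trailing whitespace or CR from the spec line into the property value. Within this hunk `Name` is never referenced (product.name is assembled from product.ui.prefix, product.prefix and product), so either it is consumed by an importing build file or it is dead; if it is used, `print $1 if /%define base_product\s+(\S+)/` keeps it consistent with the others. Separately, `<property name="basedir" value=""/>` is set after `<project basedir=".">` has already defined basedir; Ant properties are immutable once set, so this line is presumably a no-op and a comment saying why it exists would help the next reader.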
diff --git a/pki/base/kra/config/release.xml b/pki/base/kra/config/release.xml
new file mode 100644
index 000000000..fc43aaeb7
--- /dev/null
+++ b/pki/base/kra/config/release.xml
@@ -0,0 +1,86 @@
+<!-- ### BEGIN COPYRIGHT BLOCK ###
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; version 2 of the License.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License along
+ with this program; if not, write to the Free Software Foundation, Inc.,
+ 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+
+ Copyright (C) 2007 Red Hat, Inc.
+ All rights reserved.
+ ### END COPYRIGHT BLOCK ### -->
+<project name="release.xml" default="main" basedir="${basedir}">
+
+ <echo message="Importing shared properties ..."/>
+ <import file="product.xml"/>
+ <import file="product-ext.xml" optional="true"/>
+ <import file="release-ext.xml" optional="true"/>
+ <echo message="Completed importing shared properties."/>
+
+
+ <target name="local"
+ depends=""
+ description="--> Generate this target locally">
+ <echo message="Generating the '${product.name}' target locally ..."/>
+ <exec executable="ant" dir="${release.root}">
+ <arg value="-Dspecfile=${product.name}.spec"/>
+ <arg value="-Ddirsec=${dirsec}"/>
+ <arg value="${target}"/>
+ </exec>
+ <echo message="Completed generating the '${product.name}' target locally."/>
+ </target>
+
+
+ <target name="main"
+ depends=""
+ description="--> Generate component RPMS and SRPMS">
+ <echo message="Generating '${product.name}' RPMS and SRPMS ..."/>
+
+ <exec executable="pwd"
+ failonerror="true"
+ outputproperty="top.dir"/>
+ <echo message="Established the '${top.dir}' top-level directory."/>
+
+ <echo message="Creating the '${product.name}' source distribution ..."/>
+ <exec executable="ant"
+ dir="${release.root}">
+ <arg value="-Dspecfile=${product.name}.spec"/>
+ <arg value="-Ddirsec=${dirsec}"/>
+ <arg value="distribute_source"/>
+ </exec>
+ <echo message="Completed creating the '${product.name}' source distribution."/>
+
+ <echo message="Creating '${product.name}' RPM directories ..."/>
+ <mkdir dir="${release.root}/dist/rpmpkg"/>
+ <mkdir dir="${release.root}/dist/rpmpkg/SOURCES"/>
+ <mkdir dir="${release.root}/dist/rpmpkg/RPMS"/>
+ <mkdir dir="${release.root}/dist/rpmpkg/SRPMS"/>
+ <mkdir dir="${release.root}/dist/rpmpkg/SPECS"/>
+ <mkdir dir="${release.root}/dist/rpmpkg/BUILD"/>
+ <echo message="Completed creating '${product.name}' RPM directories."/>
+
+ <echo message="Building '${product.name}' RPMS and SRPMS ..."/>
+ <exec executable="rpmbuild"
+ dir="${release.root}">
+ <arg value="--define"/>
+ <arg value="_topdir ${top.dir}/${release.root}/dist/rpmpkg"/>
+ <arg value="-ta"/>
+ <arg value="${top.dir}/${release.root}/dist/source/${product.name}-${version}.tar.gz"/>
+ </exec>
+ <echo message="Completed building '${product.name}' RPMS and SRPMS."/>
+
+ <echo message="Removing various '${product.name}' RPM directories and files ..."/>
+ <delete dir="${release.root}/dist/rpmpkg/BUILD"/>
+ <echo message="Completed removing various '${product.name}' RPM directories and files."/>
+
+ <echo message="Completed generating '${product.name}' RPMS and SRPMS."/>
+ </target>
+
+</project>
+
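Review bot: None of the three `<exec>` calls that do the real work in `local` and `main` (the nested `ant` invocations and `rpmbuild`) set `failonerror="true"`, unlike the `pwd` exec that does; a failed `distribute_source` sub-build is silently ignored and `main` goes on to run `rpmbuild -ta` against a tarball that may be stale or missing, and a failed rpmbuild still lets the target print "Completed building". Add `failonerror="true"` to each `<exec executable="ant" ...>` and to `<exec executable="rpmbuild" ...>` so the release stops at the first error. Since `release.root` defaults to `.` in product.xml, `${top.dir}/${release.root}/dist/...` expands to a path containing `/./`; harmless, but a comment noting that release.root is expected to be relative to `top.dir` would document the assumption.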
diff --git a/pki/base/kra/setup/config.desktop b/pki/base/kra/setup/config.desktop
new file mode 100644
index 000000000..d03eef27a
--- /dev/null
+++ b/pki/base/kra/setup/config.desktop
@@ -0,0 +1,31 @@
+# --- BEGIN COPYRIGHT BLOCK ---
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; version 2 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License along
+# with this program; if not, write to the Free Software Foundation, Inc.,
+# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# Copyright (C) 2007 Red Hat, Inc.
+# All rights reserved.
+# --- END COPYRIGHT BLOCK ---
+#
+[Desktop Entry]
+Version=1.0.0
+Encoding=UTF-8
+Name=Data Recovery Manager Configuration - [PKI_INSTANCE_ID]
+GenericName=Data Recovery Manager Configuration
+Comment=Configure Data Recovery Manager
+Exec=firefox https://[PKI_MACHINE_NAME]:[PKI_SECURE_PORT]/kra/admin/console/config/login?pin=[PKI_RANDOM_NUMBER]
+Icon=firefox.png
+Terminal=false
+Type=Application
+MimeType=text/html;text/xml;application/xhtml+xml;application/vnd.mozilla.xul+xml;text/mml;
+X-Desktop-File-Install-Version=0.9
+Categories=Application;CertServer;
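Review bot: The `Exec=` line places the configuration PIN (`[PKI_RANDOM_NUMBER]`) in the URL query string, so it is readable by anyone who can read the installed .desktop file and is also recorded in browser history and in the web server's access log, which typically logs the full request line. The installer that substitutes the placeholders should write this file with owner-only permissions (mode 0600 for the administrator who runs the wizard), and the PIN should be treated as single-use and invalidated once the wizard completes — I cannot confirm the latter from this file. A comment above the entry such as `# Contains the one-time configuration PIN; keep readable only by the configuring administrator.` would make that expectation visible. Minor: `Version=1.0.0` is not a Desktop Entry Specification version string (the spec field is `1.0`), and `Encoding=` is deprecated.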
diff --git a/pki/base/kra/setup/postinstall b/pki/base/kra/setup/postinstall
new file mode 100755
index 000000000..90f091517
--- /dev/null
+++ b/pki/base/kra/setup/postinstall
@@ -0,0 +1,67 @@
+#!/bin/bash
+#
+# --- BEGIN COPYRIGHT BLOCK ---
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; version 2 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License along
+# with this program; if not, write to the Free Software Foundation, Inc.,
+# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# Copyright (C) 2007 Red Hat, Inc.
+# All rights reserved.
+# --- END COPYRIGHT BLOCK ---
+#
+
+###############################################################################
+## (1) Check command line arguments to see how many were passed in. ##
+###############################################################################
+
+if [ $# -eq 4 ]
+then
+ PKI_PRODUCT_NAME=$1
+ PKI_SUBSYSTEM_NAME=$2
+ VERSION=$3
+ RELEASE=$4
+else
+ echo
+ echo "Usage: $0 PKI_product_name PKI_subsystem_name version release"
+ echo
+
+ exit 255
+fi
+
+
+###############################################################################
+## (2) Specify variables used by this script. ##
+###############################################################################
+
+PKI_INSTANCE_NAME="${PKI_PRODUCT_NAME}-${PKI_SUBSYSTEM_NAME}"
+SECURE_PORT=10443
+UNSECURE_PORT=10080
+TOMCAT_SERVER_PORT=2701
+
+
+###############################################################################
+## (3) Create the first instance of a Key Recovery Authority (KRA). ##
+## NOTE: This is also called the Data Recovery Manager (DRM). ##
+###############################################################################
+
+if [ ! -e "/var/lib/${PKI_INSTANCE_NAME}" ]
+then
+ /usr/bin/pkicreate -pki_instance_root=/var/lib -pki_instance_name=${PKI_INSTANCE_NAME} -subsystem_type=${PKI_SUBSYSTEM_NAME} -secure_port=${SECURE_PORT} -unsecure_port=${UNSECURE_PORT} -tomcat_server_port=${TOMCAT_SERVER_PORT} -redirect conf=/etc/${PKI_INSTANCE_NAME} -redirect logs=/var/log/${PKI_INSTANCE_NAME}
+fi
+
+
+###############################################################################
+## (4) Successfully exit from this postinstallation script. ##
+###############################################################################
+
+exit 0
+
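Review bot: The exit status of `/usr/bin/pkicreate` in section (3) is never checked, and section (4) unconditionally runs `exit 0`, so a failed instance creation still reports a successful post-install to the package manager and the error is lost. Append `|| exit 1` to the pkicreate command line (or test `$?` after it and `exit 1` with a message to stderr) so the failure propagates. The variables spliced into that command line (`${PKI_INSTANCE_NAME}`, `${PKI_SUBSYSTEM_NAME}`, the ports) are unquoted; they come from the caller's positional arguments, so a value containing whitespace would split into extra arguments — quote each expansion, e.g. `-pki_instance_name="${PKI_INSTANCE_NAME}"`. The hard-coded ports 10443/10080/2701 are also worth a comment stating that they must not collide with a CA instance on the same host.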
diff --git a/pki/base/kra/shared/acl/cms.acl b/pki/base/kra/shared/acl/cms.acl
new file mode 100644
index 000000000..7ed6410fb
--- /dev/null
+++ b/pki/base/kra/shared/acl/cms.acl
@@ -0,0 +1,45 @@
+resourceACLS
+certServer.usrgrp.administration:read,modify:allow (read) group="Administrators" || group="Auditors" || group="Certificate Manager Agents" || group="Registration Manager Agents" || group="Data Recovery Manager Agents" || group="Online Certificate Status Manager Agents";allow (modify) group="Administrators":Administrators, auditors, and agents are allowed to read user and group configuration but only administrators are allowed to modify
+certServer.general.configuration:read,modify:allow (read) group="Administrators" || group="Auditors" || group="Certificate Manager Agents" || group="Registration Manager Agents" || group="Data Recovery Manager Agents" || group="Online Certificate Status Manager Agents";allow (modify) group="Administrators":Administrators, auditors, and agents are allowed to read CMS general configuration but only administrators are allowed to modify
+certServer.policy.configuration:read,modify:allow (read) group="Administrators" || group="Certificate Manager Agents" || group="Registration Manager Agents" || group="Data Recovery Manager Agents" || group="Online Certificate Status Manager Agents" || group="Auditors";allow (modify) group="Administrators":Administrators, agents and auditors are allowed to read policy configuration but only administrators allowed to modify
+certServer.acl.configuration:read,modify:allow (read) group="Administrators" || group="Certificate Manager Agents" || group="Registration Manager Agents" || group="Data Recovery Manager Agents" || group="Online Certificate Status Manager Agents" || group="Auditors";allow (modify) group="Administrators":Administrators, agents and auditors are allowed to read ACL configuration but only administrators allowed to modify
+certServer.log.configuration:read,modify:allow (read) group="Administrators" || group="Auditors" || group="Certificate Manager Agents" || group="Registration Manager Agents" || group="Data Recovery Manager Agents" || group="Online Certificate Status Manager Agents";allow (modify) group="Administrators":Administrators, Agents, and auditors are allowed to read the log configuration but only administrators are allowed to modify
+certServer.log.configuration.fileName:read,modify:allow (read) group="Administrators" || group="Auditors" || group="Certificate Manager Agents" || group="Registration Manager Agents" || group="Data Recovery Manager Agents" || group="Online Certificate Status Manager Agents";deny (modify) user=anybody:Nobody is allowed to modify a fileName parameter
+certServer.log.configuration.signedAudit.expirationTime:read,modify:allow (read) group="Administrators" || group="Auditors" || group="Certificate Manager Agents" || group="Registration Manager Agents" || group="Data Recovery Manager Agents" || group="Online Certificate Status Manager Agents";deny (modify) user=anybody:Nobody is allowed to modify an expirationTime parameter.
+certServer.log.content.signedAudit:read:deny (read) group="Administrators" || group="Certificate Manager Agents" || group="Registration Manager Agents" || group="Data Recovery Manager Agents" || group="Online Certificate Status Manager Agents":Only auditor is allowed to read the signed audit log
+certServer.log.content:read:allow (read) group="Administrators" || group="Certificate Manager Agents" || group="Registration Manager Agents" || group="Data Recovery Manager Agents" || group="Online Certificate Status Manager Agents" || group="Auditors":Administrators, auditors, and agents are allowed to read the log content
+certServer.ca.configuration:read,modify:allow (read) group="Administrators" || group="Certificate Manager Agents" || group="Registration Manager Agents" || group="Data Recovery Manager Agents" || group="Online Certificate Status Manager Agents" || group="Auditors";allow (modify) group="Administrators":Administrators, auditors, and agents are allowed to read CA configuration but only administrators allowed to modify
+certServer.auth.configuration:read,modify:allow (read) group="Administrators" || group="Certificate Manager Agents" || group="Registration Manager Agents" || group="Data Recovery Manager Agents" || group="Online Certificate Status Manager Agents" || group="Auditors";allow (modify) group="Administrators":Administrators, agents, and auditors are allowed to read authentication configuration but only administrators allowed to modify
+certServer.ocsp.configuration:read,modify:allow (read) group="Administrators" || group="Certificate Manager Agents" || group="Registration Manager Agents" || group="Data Recovery Manager Agents" || group="Online Certificate Status Manager Agents" || group="Auditors";allow (modify) group="Administrators":Administrators, Agents, and auditors are allowed to read ocsp configuration but only administrators allowed to modify
+certServer.registry.configuration:read,modify:allow (read) group="Administrators" || group="Certificate Manager Agents" || group="Registration Manager Agents" || group="Data Recovery Manager Agents" || group="Online Certificate Status Manager Agents" || group="Auditors";allow (modify) group="Administrators":this acl is shared by all admin servlets
+certServer.profile.configuration:read,modify:allow (read) group="Administrators" || group="Certificate Manager Agents" || group="Registration Manager Agents" || group="Data Recovery Manager Agents" || group="Online Certificate Status Manager Agents" || group="Auditors";allow (modify) group="Administrators":Administrators, agents, and auditors are allowed to read profile configuration but only administrators allowed to modify
+certServer.job.configuration:read,modify:allow (read) group="Administrators" || group="Certificate Manager Agents" || group="Registration Manager Agents" || group="Data Recovery Manager Agents" || group="Online Certificate Status Manager Agents" || group="Auditors";allow (modify) group="Administrators":Administrators, agents, and auditors are allowed to read job configuration but only administrators allowed to modify
+certServer.publisher.configuration:read,modify:allow (read) group="Administrators" || group="Auditors" || group="Certificate Manager Agents" || group="Registration Manager Agents" || group="Data Recovery Manager Agents" || group="Online Certificate Status Manager Agents";allow (modify) group="Administrators":Administrators, auditors, and agents are allowed to read publisher configuration but only administrators allowed to modify
+certServer.kra.configuration:read,modify:allow (read) group="Administrators" || group="Auditors" || group="Certificate Manager Agents" || group="Registration Manager Agents" || group="Data Recovery Manager Agents" || group="Online Certificate Status Manager Agents";allow (modify) group="Administrators":Administrators, auditors, and agents are allowed to read DRM configuration but only administrators allowed to modify
+certServer.ra.configuration:read,modify:allow (read) group="Administrators" || group="Auditors" || group="Certificate Manager Agents" || group="Registration Manager Agents" || group="Data Recovery Manager Agents" || group="Online Certificate Status Manager Agents";allow (modify) group="Administrators":Administrators, auditors, and agents are allowed to read RA configuration but only administrators allowed to modify
+certServer.ca.directory:update:allow (update) group="Certificate Manager Agents":Certificate Manager agents may update directory
+certServer.ca.certificate:import,unrevoke,revoke,read:allow (import,unrevoke,revoke,read) group="Certificate Manager Agents":Certificate Manager agents may import,unrevoke,revoke,read a certificate
+certServer.ca.certificates:revoke,list:allow (revoke,list) group="Certificate Manager Agents":Only certificate manager agents revoke, list certificates
+certServer.ca.requests:list:allow (list) group="Certificate Manager Agents":Only certificate manager agents list requests
+certServer.ca.request.enrollment:submit,read,execute,assign,unassign:allow (submit) user="anybody";allow (read,execute,assign,unassign) group="Certificate Manager Agents":Anybody may submit an enrollment request, Certificate Manager Agents may read,execute,assign or unassign request
+certServer.ca.ocsp:read:allow (read) group="Certificate Manager Agents":Certificate Manager agents may read ocsp information
+certServer.ee.request.ocsp:submit:allow (submit) ipaddress=".*":Any clients can submit ocsp requests
+certServer.ca.crl:read,update:allow (read,update) group="Certificate Manager Agents":Certificate Manager agents may read or update crl
+certServer.ee.certificate:renew,revoke,read,import:allow (renew,revoke,read,import) user="anybody":Anybody may renew,import,revoke,read a certificate
+certServer.ee.certificates:revoke,list:allow (revoke,list) user="anybody":Anybody may revoke, list certificates
+certServer.ee.certchain:download,read:allow (download,read) user="anybody":Anybody may download a certificate chain
+certServer.ee.crl:read,add:allow (read,add) user="anybody":Anybody may add or retrieve CRL
+certServer.ee.request.enrollment:submit:allow (submit) user="anybody":Anybody may submit an enrollment request
+certServer.ee.requestStatus:read:allow (read) user="anybody":Anybody may read request status
+certServer.ee.request.revocation:submit:allow (submit) user="anybody":Anybody may submit a revocation request
+certServer.admin.certificate:import:allow (import) user="anybody":Any user may import a certificate
+certServer.admin.request.enrollment:submit,read,execute:allow (submit) user="anybody";allow (read,execute) group="Certificate Manager Agents":Anybody may submit an enrollment request, Certificate Manager Agents may read or execute request
+certServer.ca.request.profile:approve,read:allow (approve,read) group="Certificate Manager Agents":Certificate Manager agents may approve profile
+certServer.ca.profiles:list:allow (list) group="Certificate Manager Agents":Certificate Manager agents may list profiles
+certServer.ca.profile:read,approve:allow (read,approve) group="Certificate Manager Agents":Certificate Manager agents may read profile
+certServer.ee.profile:submit,read:allow (submit,read) user="anybody":Anybody may submit certificate profiles
+certServer.ee.profiles:list:allow (list) user="anybody":Anybody may list certificate profiles
+certServer.ca.connector:submit:allow (submit) group="Trusted Managers":Only Trusted Managers submit requests
+certServer.ca.clone:submit:allow (submit) group="Certificate Manager Agents":Certificate Manager Agents are allowed to submit request to the master CA
+certServer.ca.systemstatus:read:allow (read) group="Certificate Manager Agents":Certificate Manager agents may view statistics
+certServer.ca.group:read,modify:allow (modify,read) group="Administrators":Only administrators are allowed to read and modify users and groups
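Review bot: The `certServer.log.content.signedAudit` entry is written as a `deny (read)` listing Administrators and the four agent groups, while its description says "Only auditor is allowed to read"; whether that is the actual effect depends on the evaluator defaulting to deny when no rule matches, which this file cannot show — an explicit `allow (read) group="Auditors"` alongside the deny would state the intent directly. The KRA ACL file also carries the full CA/EE rule set (`certServer.ca.*`, `certServer.ee.*`), including `certServer.ee.crl:read,add ... user="anybody"` which grants `add` to anyone and `certServer.ee.certificates:revoke,list ... user="anybody"`; if those resources are not served by a KRA the entries are dead weight that widens the file's surface, and if they are, the anybody grants deserve a justifying comment. No entry for KRA agent operations (key archival/recovery) is visible in this hunk, so I assume those are defined elsewhere; a header comment naming the file this one was derived from would help.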
diff --git a/pki/base/kra/shared/conf/CS.cfg b/pki/base/kra/shared/conf/CS.cfg
new file mode 100644
index 000000000..7bd887274
--- /dev/null
+++ b/pki/base/kra/shared/conf/CS.cfg
@@ -0,0 +1,286 @@
+installDate=[INSTALL_TIME]
+preop.wizard.name=DRM Setup Wizard
+preop.product.name=CS
+preop.product.version=
+preop.system.name=DRM
+preop.system.fullname=Data Recovery Manager
+cs.state=0
+cs.type=KRA
+admin.interface.uri=kra/admin/console/config/wizard
+agent.interface.uri=kra/agent/kra
+authType=pwd
+preop.securitydomain.url=https://[PKI_MACHINE_NAME]:9443
+instanceRoot=[PKI_INSTANCE_PATH]
+machineName=[PKI_MACHINE_NAME]
+instanceId=[PKI_INSTANCE_ID]
+service.securePort=[PKI_SECURE_PORT]
+preop.admin.name=Data Recovery Manager Administrator
+preop.admin.group=Data Recovery Manager Agents
+preop.admincert.profile=caAdminCert
+preop.pin=[PKI_RANDOM_NUMBER]
+preop.cert.list=transport,storage,sslserver,subsystem
+preop.cert.transport.enable=true
+preop.cert.storage.enable=true
+preop.cert.sslserver.enable=true
+preop.cert.subsystem.enable=true
+preop.cert.storage.defaultSigningAlgorithm=SHA1withRSA
+preop.cert.storage.dn=CN=DRM Storage Certificate
+preop.cert.storage.keysize.custom_size=2048
+preop.cert.storage.keysize.size=2048
+preop.cert.storage.nickname=storageCert cert-[PKI_INSTANCE_ID]
+preop.cert.storage.profile=caInternalAuthDRMstorageCert
+preop.cert.storage.subsystem=kra
+preop.cert.storage.type=remote
+preop.cert.storage.userfriendlyname=Storage Certificate
+preop.cert.storage.cncomponent.override=true
+preop.cert.transport.defaultSigningAlgorithm=SHA1withRSA
+preop.cert.transport.dn=CN=DRM Transport Certificate
+preop.cert.transport.keysize.custom_size=2048
+preop.cert.transport.keysize.size=2048
+preop.cert.transport.nickname=transportCert cert-[PKI_INSTANCE_ID]
+preop.cert.transport.profile=caInternalAuthTransportCert
+preop.cert.transport.subsystem=kra
+preop.cert.transport.type=remote
+preop.cert.transport.userfriendlyname=Transport Certificate
+preop.cert.transport.cncomponent.override=true
+preop.cert.sslserver.defaultSigningAlgorithm=SHA1withRSA
+preop.cert.sslserver.dn=CN=[PKI_MACHINE_NAME]
+preop.cert.sslserver.keysize.custom_size=2048
+preop.cert.sslserver.keysize.size=2048
+preop.cert.sslserver.nickname=Server-Cert cert-[PKI_INSTANCE_ID]
+preop.cert.sslserver.profile=caInternalAuthServerCert
+preop.cert.sslserver.subsystem=kra
+preop.cert.sslserver.type=remote
+preop.cert.sslserver.userfriendlyname=SSL Server Certificate
+preop.cert.sslserver.cncomponent.override=false
+preop.cert.subsystem.defaultSigningAlgorithm=SHA1withRSA
+preop.cert.subsystem.dn=CN=DRM Subsystem Certificate
+preop.cert.subsystem.keysize.custom_size=2048
+preop.cert.subsystem.keysize.size=2048
+preop.cert.subsystem.nickname=subsystemCert cert-[PKI_INSTANCE_ID]
+preop.cert.subsystem.profile=caInternalAuthSubsystemCert
+preop.cert.subsystem.subsystem=kra
+preop.cert.subsystem.type=remote
+preop.cert.subsystem.userfriendlyname=Subsystem Certificate
+preop.cert.subsystem.cncomponent.override=true
+preop.hierarchy.profile=caCert.profile
+preop.configModules.module0.userFriendlyName=NSS Internal PKCS #11 Module
+preop.configModules.module0.commonName=NSS Internal PKCS #11 Module
+preop.configModules.module0.imagePath=../img/clearpixel.gif
+preop.configModules.module1.userFriendlyName=nCipher's nFast Token Hardware Module
+preop.configModules.module1.commonName=nfast
+preop.configModules.module1.imagePath=../img/clearpixel.gif
+preop.configModules.module2.userFriendlyName=SafeNet's LunaSA Token Hardware Module
+preop.configModules.module2.commonName=lunasa
+preop.configModules.module2.imagePath=../img/clearpixel.gif
+preop.configModules.count=3
+preop.module.token=Internal Key Storage Token
+passwordFile=[PKI_INSTANCE_PATH]/conf/password.conf
+passwordClass=com.netscape.cmsutil.password.PlainPasswordFile
+multiroles=true
+CrossCertPair._000=##
+CrossCertPair._001=## CrossCertPair Import
+CrossCertPair._002=##
+CrossCertPair.ldap=internaldb
+accessEvaluator.impl.group.class=com.netscape.cms.evaluators.GroupAccessEvaluator
+accessEvaluator.impl.ipaddress.class=com.netscape.cms.evaluators.IPAddressAccessEvaluator
+accessEvaluator.impl.user.class=com.netscape.cms.evaluators.UserAccessEvaluator
+auths._000=##
+auths._001=## new authentication
+auths._002=##
+auths.impl._000=##
+auths.impl._001=## authentication manager implementations
+auths.impl._002=##
+auths.impl.AgentCertAuth.class=com.netscape.cms.authentication.AgentCertAuthentication
+auths.impl.CMCAuth.class=com.netscape.cms.authentication.CMCAuth
+auths.impl.NISAuth.class=com.netscape.cms.authentication.NISAuth
+auths.impl.PortalEnroll.class=com.netscape.cms.authentication.PortalEnroll
+auths.impl.TokenAuth.class=com.netscape.cms.authentication.TokenAuthentication
+auths.impl.UdnPwdDirAuth.class=com.netscape.cms.authentication.UdnPwdDirAuthentication
+auths.impl.UidPwdDirAuth.class=com.netscape.cms.authentication.UidPwdDirAuthentication
+auths.impl.UidPwdPinDirAuth.class=com.netscape.cms.authentication.UidPwdPinDirAuthentication
+auths.instance.AgentCertAuth.agentGroup=Certificate Manager Agents
+auths.instance.AgentCertAuth.pluginName=AgentCertAuth
+auths.instance.TokenAuth.pluginName=TokenAuth
+auths.revocationChecking.bufferSize=50
+auths.revocationChecking.enabled=false
+auths.revocationChecking.kra=kra
+authz._000=##
+authz._001=## new authorizatioin
+authz._002=##
+authz.evaluateOrder=deny,allow
+authz.sourceType=ldap
+authz.impl._000=##
+authz.impl._001=## authorization manager implementations
+authz.impl._002=##
+authz.impl.BasicAclAuthz.class=com.netscape.cms.authorization.BasicAclAuthz
+authz.impl.DirAclAuthz.class=com.netscape.cms.authorization.DirAclAuthz
+authz.instance.BasicAclAuthz.pluginName=BasicAclAuthz
+authz.instance.DirAclAuthz.ldap=internaldb
+authz.instance.DirAclAuthz.pluginName=DirAclAuthz
+authz.instance.DirAclAuthz.ldap._000=##
+authz.instance.DirAclAuthz.ldap._001=## Internal Database
+authz.instance.DirAclAuthz.ldap._002=##
+cmc.cert.confirmRequired=false
+cmc.lraPopWitness.verify.allow=true
+cmc.revokeCert.verify=true
+cmc.revokeCert.sharedSecret.class=com.netscape.cms.authentication.SharedSecret
+cmc.sharedSecret.class=com.netscape.cms.authentication.SharedSecret
+cms.version=
+dbs.beginRequestNumber=1
+dbs.endRequestNumber=10000000
+dbs.requestNumber.increment=10000000
+dbs.beginSerialNumber=1
+dbs.endSerialNumber=10000000
+dbs.serialNumber.increment=10000000
+dbs.ldap=internaldb
+dbs.newSchemaEntryAdded=true
+debug.append=true
+debug.enabled=true
+debug.filename=[PKI_INSTANCE_PATH]/logs/debug
+debug.hashkeytypes=
+debug.level=0
+debug.showcaller=false
+internaldb._000=##
+internaldb._001=## Internal Database
+internaldb._002=##
+internaldb.maxConns=15
+internaldb.minConns=3
+internaldb.ldapauth.authtype=BasicAuth
+internaldb.ldapauth.bindDN=cn=Directory Manager
+internaldb.ldapauth.bindPWPrompt=Internal LDAP Database
+internaldb.ldapauth.clientCertNickname=
+internaldb.ldapconn.host=
+internaldb.ldapconn.port=
+internaldb.ldapconn.secureConn=false
+preop.internaldb.ldif=/usr/share/[PKI_FLAVOR]/kra/conf/schema.ldif,/usr/share/[PKI_FLAVOR]/kra/conf/database.ldif
+preop.internaldb.data_ldif=/usr/share/[PKI_FLAVOR]/kra/conf/db.ldif,/usr/share/[PKI_FLAVOR]/kra/conf/acl.ldif
+preop.internaldb.index_ldif=
+preop.internaldb.post_ldif=/usr/share/[PKI_FLAVOR]/kra/conf/index.ldif,/usr/share/[PKI_FLAVOR]/kra/conf/vlv.ldif,/usr/share/[PKI_FLAVOR]/kra/conf/vlvtasks.ldif
+preop.internaldb.wait_dn=cn=index1160527115, cn=index, cn=tasks, cn=config
+internaldb.multipleSuffix.enable=false
+jobsScheduler._000=##
+jobsScheduler._001=## jobScheduler
+jobsScheduler._002=##
+jobsScheduler.enabled=false
+jobsScheduler.interval=1
+jss._000=##
+jss._001=## JSS
+jss._002=##
+jss.configDir=[PKI_INSTANCE_PATH]/alias/
+jss.enable=true
+jss.secmodName=secmod.db
+jss.ocspcheck.enable=false
+jss.ssl.cipherfortezza=true
+jss.ssl.cipherpref=
+jss.ssl.cipherversion=cipherdomestic
+kra.keySplitting=false
+kra.noOfRequiredRecoveryAgents=1
+kra.recoveryAgentGroup=Data Recovery Manager Agents
+kra.reqdbInc=20
+kra.entropy.bitsperkeypair=0
+kra.entropy.blockwarnms=0
+kra.storageUnit.nickName=storageCert cert-[PKI_INSTANCE_ID]
+kra.transportUnit.nickName=transportCert cert-[PKI_INSTANCE_ID]
+log._000=##
+log._001=## Logging
+log._002=##
+log.impl.file.class=com.netscape.cms.logging.RollingLogFile
+log.instance.SignedAudit._000=##
+log.instance.SignedAudit._001=## Signed Audit Logging
+log.instance.SignedAudit._002=##
+log.instance.SignedAudit.bufferSize=512
+log.instance.SignedAudit.enable=true
+log.instance.SignedAudit.events=AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,LOG_EXPIRATION_CHANGE,PRIVATE_KEY_ARCHIVE,PRIVATE_KEY_ARCHIVE_PROCESSED,KEY_RECOVERY_REQUEST,KEY_RECOVERY_AGENT_LOGIN,KEY_RECOVERY_PROCESSED,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ_SUCCESS,AUTHZ_FAIL,INTER_BOUNDARY,AUTH_FAIL,AUTH_SUCCESS,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,SERVER_SIDE_KEYGEN_PROCESSED,SERVER_SIDE_KEYGEN_REQUEST
+log.instance.SignedAudit.expirationTime=0
+log.instance.SignedAudit.fileName=[PKI_INSTANCE_PATH]/logs/signedAudit/kra_cert-kra_audit
+log.instance.SignedAudit.flushInterval=5
+log.instance.SignedAudit.level=1
+log.instance.SignedAudit.logSigning=false
+log.instance.SignedAudit.maxFileSize=2000
+log.instance.SignedAudit.pluginName=file
+log.instance.SignedAudit.rolloverInterval=2592000
+log.instance.SignedAudit.signedAudit:_000=##
+log.instance.SignedAudit.signedAudit:_001=## Fill in the nickname of a trusted signing certificate to allow KRA audit logs to be signed
+log.instance.SignedAudit.signedAudit:_002=##
+log.instance.SignedAudit.signedAuditCertNickname=
+log.instance.SignedAudit.type=signedAudit
+log.instance.System._000=##
+log.instance.System._001=## System Logging
+log.instance.System._002=##
+log.instance.System.bufferSize=512
+log.instance.System.enable=true
+log.instance.System.expirationTime=0
+log.instance.System.fileName=[PKI_INSTANCE_PATH]/logs/system
+log.instance.System.flushInterval=5
+log.instance.System.level=3
+log.instance.System.maxFileSize=2000
+log.instance.System.pluginName=file
+log.instance.System.rolloverInterval=2592000
+log.instance.System.type=system
+log.instance.Transactions._000=##
+log.instance.Transactions._001=## Transaction Logging
+log.instance.Transactions._002=##
+log.instance.Transactions.bufferSize=512
+log.instance.Transactions.enable=true
+log.instance.Transactions.expirationTime=0
+log.instance.Transactions.fileName=[PKI_INSTANCE_PATH]/logs/transactions
+log.instance.Transactions.flushInterval=5
+log.instance.Transactions.level=1
+log.instance.Transactions.maxFileSize=2000
+log.instance.Transactions.pluginName=file
+log.instance.Transactions.rolloverInterval=2592000
+log.instance.Transactions.type=transaction
+logAudit.fileName=[PKI_INSTANCE_PATH]/logs/access
+logError.fileName=[PKI_INSTANCE_PATH]/logs/error
+oidmap.auth_info_access.class=netscape.security.extensions.AuthInfoAccessExtension
+oidmap.auth_info_access.oid=1.3.6.1.5.5.7.1.1
+oidmap.challenge_password.class=com.netscape.cms.servlet.cert.scep.ChallengePassword
+oidmap.challenge_password.oid=1.2.840.113549.1.9.7
+oidmap.extended_key_usage.class=netscape.security.extensions.ExtendedKeyUsageExtension
+oidmap.extended_key_usage.oid=2.5.29.37
+oidmap.extensions_requested_pkcs9.class=com.netscape.cms.servlet.cert.scep.ExtensionsRequested
+oidmap.extensions_requested_pkcs9.oid=1.2.840.113549.1.9.14
+oidmap.extensions_requested_vsgn.class=com.netscape.cms.servlet.cert.scep.ExtensionsRequested
+oidmap.extensions_requested_vsgn.oid=2.16.840.1.113733.1.9.8
+oidmap.netscape_comment.class=netscape.security.x509.NSCCommentExtension
+oidmap.netscape_comment.oid=2.16.840.1.113730.1.13
+oidmap.ocsp_no_check.class=netscape.security.extensions.OCSPNoCheckExtension
+oidmap.ocsp_no_check.oid=1.3.6.1.5.5.7.48.1.5
+oidmap.pse.class=netscape.security.extensions.PresenceServerExtension
+oidmap.pse.oid=2.16.840.1.113730.1.18
+oidmap.subject_info_access.class=netscape.security.extensions.SubjectInfoAccessExtension
+oidmap.subject_info_access.oid=1.3.6.1.5.5.7.1.11
+os.serverName=cert-[PKI_INSTANCE_ID]
+os.userid=nobody
+registry.file=[PKI_INSTANCE_PATH]/conf/registry.cfg
+selftests._000=##
+selftests._001=## Self Tests
+selftests._002=##
+selftests.container.instance.KRAPresence=com.netscape.cms.selftests.kra.KRAPresence
+selftests.container.logger.bufferSize=512
+selftests.container.logger.class=com.netscape.cms.logging.RollingLogFile
+selftests.container.logger.enable=true
+selftests.container.logger.expirationTime=0
+selftests.container.logger.fileName=[PKI_INSTANCE_PATH]/logs/selftests.log
+selftests.container.logger.flushInterval=5
+selftests.container.logger.level=1
+selftests.container.logger.maxFileSize=2000
+selftests.container.logger.register=false
+selftests.container.logger.rolloverInterval=2592000
+selftests.container.logger.type=transaction
+selftests.container.order.onDemand=KRAPresence:critical
+selftests.container.order.startup=
+selftests.plugin.KRAPresence.SubId=kra
+smtp.host=localhost
+smtp.port=25
+subsystem.0.class=com.netscape.kra.KeyRecoveryAuthority
+subsystem.0.id=kra
+subsystem.1.class=com.netscape.cmscore.selftests.SelfTestSubsystem
+subsystem.1.id=selftests
+subsystem.2.class=com.netscape.cmscore.util.StatsSubsystem
+subsystem.2.id=stats
+usrgrp._000=##
+usrgrp._001=## User/Group
+usrgrp._002=##
+usrgrp.ldap=internaldb
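Review bot: The internal-database defaults `internaldb.ldapauth.bindDN=cn=Directory Manager`, `internaldb.ldapauth.authtype=BasicAuth` and `internaldb.ldapconn.secureConn=false` mean the directory superuser password, read from the plain-text `passwordFile` via `PlainPasswordFile`, goes over the wire unencrypted unless secureConn is turned on, and the subsystem binds with full directory privileges rather than a dedicated least-privilege identity. Two other defaults in this hunk deserve a comment in the file's `_00N=##` style: `auths.revocationChecking.enabled=false` presumably means a revoked agent certificate still authenticates against `AgentCertAuth`, and `kra.noOfRequiredRecoveryAgents=1` together with `kra.keySplitting=false` lets a single agent complete a key recovery. I would add `internaldb._003=## secureConn=false sends the bind password in cleartext; enable TLS and a least-privilege bind DN for production` next to the existing `internaldb._001=## Internal Database` header. Whether the setup wizard overrides any of these at install time is not visible here.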
diff --git a/pki/base/kra/shared/conf/acl.ldif b/pki/base/kra/shared/conf/acl.ldif
new file mode 100644
index 000000000..c7ddd909f
--- /dev/null
+++ b/pki/base/kra/shared/conf/acl.ldif
@@ -0,0 +1,32 @@
+dn: cn=aclResources,{rootSuffix}
+objectClass: top
+objectClass: CertACLS
+cn: aclResources
+resourceACLS: certServer.usrgrp.administration:read,modify:allow (read) group="Administrators" || group="Auditors" || group="Certificate Manager Agents" || group="Registration Manager Agents" || group="Data Recovery Manager Agents" || group="Online Certificate Status Manager Agents";allow (modify) group="Administrators":Administrators, auditors, and agents are allowed to read user and group configuration but only administrators are allowed to modify
+resourceACLS: certServer.general.configuration:read,modify:allow (read) group="Administrators" || group="Auditors" || group="Certificate Manager Agents" || group="Registration Manager Agents" || group="Data Recovery Manager Agents" || group="Online Certificate Status Manager Agents";allow (modify) group="Administrators":Administrators, auditors, and agents are allowed to read CMS general configuration but only administrators are allowed to modify
+resourceACLS: certServer.acl.configuration:read,modify:allow (read) group="Administrators" || group="Certificate Manager Agents" || group="Registration Manager Agents" || group="Data Recovery Manager Agents" || group="Online Certificate Status Manager Agents" || group="Auditors";allow (modify) group="Administrators":Administrators, agents and auditors are allowed to read ACL configuration but only administrators allowed to modify
+resourceACLS: certServer.log.configuration:read,modify:allow (read) group="Administrators" || group="Auditors" || group="Certificate Manager Agents" || group="Registration Manager Agents" || group="Data Recovery Manager Agents" || group="Online Certificate Status Manager Agents";allow (modify) group="Administrators":Administrators, Agents, and auditors are allowed to read the log configuration but only administrators are allowed to modify
+resourceACLS: certServer.log.configuration.fileName:read,modify:allow (read) group="Administrators" || group="Auditors" || group="Certificate Manager Agents" || group="Registration Manager Agents" || group="Data Recovery Manager Agents" || group="Online Certificate Status Manager Agents";deny (modify) user=anybody:Nobody is allowed to modify a fileName parameter
+resourceACLS: certServer.log.configuration.signedAudit.expirationTime:read,modify:allow (read) group="Administrators" || group="Auditors" || group="Certificate Manager Agents" || group="Registration Manager Agents" || group="Data Recovery Manager Agents" || group="Online Certificate Status Manager Agents";deny (modify) user=anybody:Nobody is allowed to modify an expirationTime parameter
+resourceACLS: certServer.log.content.signedAudit:read:deny (read) group="Administrators" || group="Certificate Manager Agents" || group="Registration Manager Agents" || group="Data Recovery Manager Agents" || group="Online Certificate Status Manager Agents":Only auditor is allowed to read the signed audit log
+resourceACLS: certServer.log.content:read:allow (read) group="Administrators" || group="Certificate Manager Agents" || group="Registration Manager Agents" || group="Data Recovery Manager Agents" || group="Online Certificate Status Manager Agents" || group="Auditors":Administrators, auditors, and agents are allowed to read the log content
+resourceACLS: certServer.auth.configuration:read,modify:allow (read) group="Administrators" || group="Certificate Manager Agents" || group="Registration Manager Agents" || group="Data Recovery Manager Agents" || group="Online Certificate Status Manager Agents" || group="Auditors";allow (modify) group="Administrators":Administrators, agents, and auditors are allowed to read authentication configuration but only administrators allowed to modify
+resourceACLS: certServer.registry.configuration:read,modify:allow (read) group="Administrators" || group="Certificate Manager Agents" || group="Registration Manager Agents" || group="Data Recovery Manager Agents" || group="Online Certificate Status Manager Agents" || group="Auditors";allow (modify) group="Administrators":this acl is shared by all admin servlets
+resourceACLS: certServer.job.configuration:read,modify:allow (read) group="Administrators" || group="Certificate Manager Agents" || group="Registration Manager Agents" || group="Data Recovery Manager Agents" || group="Online Certificate Status Manager Agents" || group="Auditors";allow (modify) group="Administrators":Administrators, agents, and auditors are allowed to read job configuration but only administrators allowed to modify
+resourceACLS: certServer.kra.configuration:read,modify:allow (read) group="Administrators" || group="Auditors" || group="Certificate Manager Agents" || group="Registration Manager Agents" || group="Data Recovery Manager Agents" || group="Online Certificate Status Manager Agents";allow (modify) group="Administrators":Administrators, auditors, and agents are allowed to read DRM configuration but only administrators allowed to modify
+resourceACLS: certServer.kra.key:read,recover,download:allow (read,recover,download) group="Data Recovery Manager Agents":Only data recovery manager agents retrieve key information
+resourceACLS: certServer.kra.request:read:allow (read) group="Data Recovery Manager Agents":Data Recovery Manager Agents may read request
+resourceACLS: certServer.kra.keys:list:allow (list) group="Data Recovery Manager Agents":Only data recovery manager agents list keys
+resourceACLS: certServer.kra.requests:list:allow (list) group="Data Recovery Manager Agents":Only data recovery manager agents list key archival requests
+resourceACLS: certServer.admin.certificate:import:allow (import) user="anybody":Any user may import a certificate
+resourceACLS: certServer.admin.request.enrollment:submit,read,execute:allow (submit) user="anybody";allow (read,execute) group="Certificate Manager Agents":Anybody may submit an enrollment request, Certificate Manager Agents may read or execute request
+resourceACLS: certServer.kra.connector:submit:allow (submit) group="Trusted Managers":Only Trusted Managers submit requests
+resourceACLS: certServer.kra.systemstatus:read:allow (read) group="Data Recovery Manager Agents":Data Recovery Manager agents may view statistics
+resourceACLS: certServer.kra.certificate.transport:read:allow (read) user="anybody":Anybody is allowed to read transport certificate
+resourceACLS: certServer.kra.request.status:read:allow (read) group="Data Recovery Manager Agents":Only data recovery manager agents retrieve the remote key recovery approval status
+resourceACLS: certServer.kra.group:read,modify:allow (modify,read) group="Administrators":Only administrators are allowed to read and modify groups
+resourceACLS: certServer.kra.GenerateKeyPair:submit,read:allow (read,submit) group="Data Recovery Manager Agents":Only Data Recovery Manager Agents are allowed to submit requests
+resourceACLS: certServer.kra.TokenKeyRecovery:submit,read:allow (read,submit) group="Data Recovery Manager Agents":Only Data Recovery Manager Agents are allowed to submit requests
+resourceACLS: certServer.kra.registerUser:read,modify:allow (modify,read) group="Enterprise CA Administrators" || group="Enterprise KRA Administrators" || group="Enterprise OCSP Administrators" || group="Enterprise TKS Administrators" || group="Enterprise TPS Administrators":Only Enterprise Administrators are allowed to register a new agent
+resourceACLS: certServer.kra.getTransportCert:read,modify:allow (modify,read) group="Enterprise CA Administrators" || group="Enterprise KRA Administrators" || group="Enterprise OCSP Administrators" || group="Enterprise TKS Administrators" || group="Enterprise TPS Administrators":Only Enterprise Administrators are allowed to retrieve the transport cert
+resourceACLS: certServer.clone.configuration:read,modify:allow (modify,read) group="Enterprise CA Administrators" || group="Enterprise KRA Administrators" || group="Enterprise OCSP Administrators" || group="Enterprise TKS Administrators":Only Enterprise Administrators are allowed to clone the configuration.
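Review bot: The two `deny (modify)` rules on the `certServer.log.configuration.fileName` and `certServer.log.configuration.signedAudit.expirationTime` lines write the subject as `user=anybody` without quotes, while every other rule in this entry (and the cms.acl hunk above, e.g. `user="anybody"` on the `certServer.admin.certificate` line) quotes it; if the ACL parser requires the quoted form these two deny rules silently never match and the intended "nobody may modify" protection is lost, so they should read `deny (modify) user="anybody"`. Separately, `certServer.log.content.signedAudit` protects the signed audit log by denying a fixed list of groups instead of allowing only Auditors; a member of a group not in that list, such as the Enterprise * Administrators groups used further down, is not covered by the rule, and whether the evaluator denies by default when no rule matches is not visible here. The allow-list form `allow (read) group="Auditors"` would express the stated intent directly.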
diff --git a/pki/base/kra/shared/conf/catalina.policy b/pki/base/kra/shared/conf/catalina.policy
new file mode 100644
index 000000000..3447825b0
--- /dev/null
+++ b/pki/base/kra/shared/conf/catalina.policy
@@ -0,0 +1,172 @@
+// ============================================================================
+// catalina.corepolicy - Security Policy Permissions for Tomcat 5
+//
+// This file contains a default set of security policies to be enforced (by the
+// JVM) when Catalina is executed with the "-security" option. In addition
+// to the permissions granted here, the following additional permissions are
+// granted to the codebase specific to each web application:
+//
+// * Read access to the document root directory
+//
+// $Id: catalina.policy,v 1.13 2005/03/03 23:41:14 remm Exp $
+// ============================================================================
+
+
+// ========== SYSTEM CODE PERMISSIONS =========================================
+
+
+// These permissions apply to javac
+grant codeBase "file:${java.home}/lib/-" {
+ permission java.security.AllPermission;
+};
+
+// These permissions apply to all shared system extensions
+grant codeBase "file:${java.home}/jre/lib/ext/-" {
+ permission java.security.AllPermission;
+};
+
+// These permissions apply to javac when ${java.home] points at $JAVA_HOME/jre
+grant codeBase "file:${java.home}/../lib/-" {
+ permission java.security.AllPermission;
+};
+
+// These permissions apply to all shared system extensions when
+// ${java.home} points at $JAVA_HOME/jre
+grant codeBase "file:${java.home}/lib/ext/-" {
+ permission java.security.AllPermission;
+};
+
+
+// ========== CATALINA CODE PERMISSIONS =======================================
+
+
+// These permissions apply to the launcher code
+grant codeBase "file:${catalina.home}/bin/commons-launcher.jar" {
+ permission java.security.AllPermission;
+};
+
+// These permissions apply to the daemon code
+grant codeBase "file:${catalina.home}/bin/commons-daemon.jar" {
+ permission java.security.AllPermission;
+};
+
+// These permissions apply to the commons-logging API
+grant codeBase "file:${catalina.home}/bin/commons-logging-api.jar" {
+ permission java.security.AllPermission;
+};
+
+// These permissions apply to the server startup code
+grant codeBase "file:${catalina.home}/bin/bootstrap.jar" {
+ permission java.security.AllPermission;
+};
+
+// These permissions apply to the JMX server
+grant codeBase "file:${catalina.home}/bin/jmx.jar" {
+ permission java.security.AllPermission;
+};
+
+// These permissions apply to JULI
+grant codeBase "file:${catalina.home}/bin/tomcat-juli.jar" {
+ permission java.security.AllPermission;
+};
+
+// These permissions apply to the servlet API classes
+// and those that are shared across all class loaders
+// located in the "common" directory
+grant codeBase "file:${catalina.home}/common/-" {
+ permission java.security.AllPermission;
+};
+
+// These permissions apply to the container's core code, plus any additional
+// libraries installed in the "server" directory
+grant codeBase "file:${catalina.home}/server/-" {
+ permission java.security.AllPermission;
+};
+
+// The permissions granted to the balancer WEB-INF/classes directory
+grant codeBase "file:${catalina.home}/webapps/balancer/WEB-INF/classes/-" {
+ permission java.lang.RuntimePermission "accessClassInPackage.org.apache.tomcat.util.digester";
+ permission java.lang.RuntimePermission "accessClassInPackage.org.apache.tomcat.util.digester.*";
+};
+// ========== WEB APPLICATION PERMISSIONS =====================================
+
+
+// These permissions are granted by default to all web applications
+// In addition, a web application will be given a read FilePermission
+// and JndiPermission for all files and directories in its document root.
+grant {
+ // Required for JNDI lookup of named JDBC DataSource's and
+ // javamail named MimePart DataSource used to send mail
+ permission java.util.PropertyPermission "java.home", "read";
+ permission java.util.PropertyPermission "java.naming.*", "read";
+ permission java.util.PropertyPermission "javax.sql.*", "read";
+
+ // OS Specific properties to allow read access
+ permission java.util.PropertyPermission "os.name", "read";
+ permission java.util.PropertyPermission "os.version", "read";
+ permission java.util.PropertyPermission "os.arch", "read";
+ permission java.util.PropertyPermission "file.separator", "read";
+ permission java.util.PropertyPermission "path.separator", "read";
+ permission java.util.PropertyPermission "line.separator", "read";
+
+ // JVM properties to allow read access
+ permission java.util.PropertyPermission "java.version", "read";
+ permission java.util.PropertyPermission "java.vendor", "read";
+ permission java.util.PropertyPermission "java.vendor.url", "read";
+ permission java.util.PropertyPermission "java.class.version", "read";
+ permission java.util.PropertyPermission "java.specification.version", "read";
+ permission java.util.PropertyPermission "java.specification.vendor", "read";
+ permission java.util.PropertyPermission "java.specification.name", "read";
+
+ permission java.util.PropertyPermission "java.vm.specification.version", "read";
+ permission java.util.PropertyPermission "java.vm.specification.vendor", "read";
+ permission java.util.PropertyPermission "java.vm.specification.name", "read";
+ permission java.util.PropertyPermission "java.vm.version", "read";
+ permission java.util.PropertyPermission "java.vm.vendor", "read";
+ permission java.util.PropertyPermission "java.vm.name", "read";
+
+ // Required for OpenJMX
+ permission java.lang.RuntimePermission "getAttribute";
+
+ // Allow read of JAXP compliant XML parser debug
+ permission java.util.PropertyPermission "jaxp.debug", "read";
+
+ // Precompiled JSPs need access to this package.
+ permission java.lang.RuntimePermission "accessClassInPackage.org.apache.jasper.runtime";
+ permission java.lang.RuntimePermission "accessClassInPackage.org.apache.jasper.runtime.*";
+
+};
+
+
+// You can assign additional permissions to particular web applications by
+// adding additional "grant" entries here, based on the code base for that
+// application, /WEB-INF/classes/, or /WEB-INF/lib/ jar files.
+//
+// Different permissions can be granted to JSP pages, classes loaded from
+// the /WEB-INF/classes/ directory, all jar files in the /WEB-INF/lib/
+// directory, or even to individual jar files in the /WEB-INF/lib/ directory.
+//
+// For instance, assume that the standard "examples" application
+// included a JDBC driver that needed to establish a network connection to the
+// corresponding database and used the scrape taglib to get the weather from
+// the NOAA web server. You might create a "grant" entries like this:
+//
+// The permissions granted to the context root directory apply to JSP pages.
+// grant codeBase "file:${catalina.home}/webapps/examples/-" {
+// permission java.net.SocketPermission "dbhost.mycompany.com:5432", "connect";
+// permission java.net.SocketPermission "*.noaa.gov:80", "connect";
+// };
+//
+// The permissions granted to the context WEB-INF/classes directory
+// grant codeBase "file:${catalina.home}/webapps/examples/WEB-INF/classes/-" {
+// };
+//
+// The permission granted to your JDBC driver
+// grant codeBase "jar:file:${catalina.home}/webapps/examples/WEB-INF/lib/driver.jar!/-" {
+// permission java.net.SocketPermission "dbhost.mycompany.com:5432", "connect";
+// };
+// The permission granted to the scrape taglib
+// grant codeBase "jar:file:${catalina.home}/webapps/examples/WEB-INF/lib/scrape.jar!/-" {
+// permission java.net.SocketPermission "*.noaa.gov:80", "connect";
+// };
+
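Review bot: There is no `grant codeBase` entry for the KRA web application itself, so if Catalina is started with `-security` the KRA code receives only the catch-all `grant { ... }` block, which holds PropertyPermissions and two RuntimePermissions but no FilePermission for the instance conf, logs or NSS alias directories and no SocketPermission for the LDAP and security-domain connections configured in CS.cfg; either the policy is not actually enforced (the launcher script is not visible here) or a per-webapp grant is missing. A comment stating which it is would stop the next reader from assuming the sandbox is active, e.g. `// NOTE: enforced only when the instance is started with -security; the KRA webapp has no grant entry of its own`. The comment on the `${java.home]` line has a mismatched bracket and should read `${java.home}`.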
diff --git a/pki/base/kra/shared/conf/catalina.properties b/pki/base/kra/shared/conf/catalina.properties
new file mode 100644
index 000000000..86334d29f
--- /dev/null
+++ b/pki/base/kra/shared/conf/catalina.properties
@@ -0,0 +1,64 @@
+#
+# List of comma-separated packages that start with or equal this string
+# will cause a security exception to be thrown when
+# passed to checkPackageAccess unless the
+# corresponding RuntimePermission ("accessClassInPackage."+package) has
+# been granted.
+package.access=sun.,org.apache.catalina.,org.apache.coyote.,org.apache.tomcat.,org.apache.jasper.,sun.beans.
+#
+# List of comma-separated packages that start with or equal this string
+# will cause a security exception to be thrown when
+# passed to checkPackageDefinition unless the
+# corresponding RuntimePermission ("defineClassInPackage."+package) has
+# been granted.
+#
+# by default, no packages are restricted for definition, and none of
+# the class loaders supplied with the JDK call checkPackageDefinition.
+#
+package.definition=sun.,java.,org.apache.catalina.,org.apache.coyote.,org.apache.tomcat.,org.apache.jasper.
+
+#
+#
+# List of comma-separated paths defining the contents of the "common"
+# classloader. Prefixes should be used to define what is the repository type.
+# Path may be relative to the CATALINA_HOME or CATALINA_BASE path or absolute.
+# If left as blank,the JVM system loader will be used as Catalina's "common"
+# loader.
+# Examples:
+# "foo": Add this folder as a class repository
+# "foo/*.jar": Add all the JARs of the specified folder as class
+# repositories
+# "foo/bar.jar": Add bar.jar as a class repository
+common.loader=${catalina.home}/common/classes,${catalina.home}/common/i18n/*.jar,${catalina.home}/common/endorsed/*.jar,${catalina.home}/common/lib/*.jar
+
+#
+# List of comma-separated paths defining the contents of the "server"
+# classloader. Prefixes should be used to define what is the repository type.
+# Path may be relative to the CATALINA_HOME or CATALINA_BASE path or absolute.
+# If left as blank, the "common" loader will be used as Catalina's "server"
+# loader.
+# Examples:
+# "foo": Add this folder as a class repository
+# "foo/*.jar": Add all the JARs of the specified folder as class
+# repositories
+# "foo/bar.jar": Add bar.jar as a class repository
+server.loader=${catalina.home}/server/classes,${catalina.home}/server/lib/*.jar
+
+#
+# List of comma-separated paths defining the contents of the "shared"
+# classloader. Prefixes should be used to define what is the repository type.
+# Path may be relative to the CATALINA_BASE path or absolute. If left as blank,
+# the "common" loader will be used as Catalina's "shared" loader.
+# Examples:
+# "foo": Add this folder as a class repository
+# "foo/*.jar": Add all the JARs of the specified folder as class
+# repositories
+# "foo/bar.jar": Add bar.jar as a class repository
+shared.loader=${catalina.base}/shared/classes,${catalina.base}/shared/lib/*.jar
+
+#
+# String cache configuration.
+tomcat.util.buf.StringCache.byte.enabled=true
+#tomcat.util.buf.StringCache.char.enabled=true
+#tomcat.util.buf.StringCache.trainThreshold=500000
+#tomcat.util.buf.StringCache.cacheSize=5000
diff --git a/pki/base/kra/shared/conf/context.xml b/pki/base/kra/shared/conf/context.xml
new file mode 100644
index 000000000..4998ad27d
--- /dev/null
+++ b/pki/base/kra/shared/conf/context.xml
@@ -0,0 +1,12 @@
+<!-- The contents of this file will be loaded for each web application -->
+<Context crossContext="true">
+
+ <!-- Default set of monitored resources -->
+ <WatchedResource>WEB-INF/web.xml</WatchedResource>
+
+ <!-- Uncomment this to disable session persistence across Tomcat restarts -->
+ <!--
+ <Manager pathname="" />
+ -->
+
+</Context>
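Review bot: `crossContext="true"` on the `<Context>` element is inherited by every web application deployed in this instance and nothing records why it is needed; it lets any deployed context obtain another context's ServletContext through getContext(), which widens what a single webapp can reach. Suggest a comment directly above the element, `<!-- crossContext is needed for [REASON-PLACEHOLDER]; it lets every webapp in this instance reach other contexts' ServletContext -->`, with the reason filled in by whoever knows which subsystem webapp relies on it. Whether a narrower per-webapp setting would do instead is not something this hunk shows.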
diff --git a/pki/base/kra/shared/conf/database.ldif b/pki/base/kra/shared/conf/database.ldif
new file mode 100644
index 000000000..99cdf6b79
--- /dev/null
+++ b/pki/base/kra/shared/conf/database.ldif
@@ -0,0 +1,4 @@
+dn: cn=config
+changetype: modify
+replace: nsslapd-maxbersize
+nsslapd-maxbersize: 52428800
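Review bot: The `nsslapd-maxbersize: 52428800` change is applied at `cn=config`, so it raises the maximum inbound BER element size to 50 MB for the whole directory server, not just this subsystem's suffix, and nothing records why that size was chosen. An LDIF `#` comment above the `dn:` line would help the next operator, e.g. `# Raise the server-wide maximum inbound request (BER) size to 50 MB; [REASON-PLACEHOLDER]`. Whether a smaller bound would suffice for the KRA's archival requests cannot be told from this hunk.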
diff --git a/pki/base/kra/shared/conf/db.ldif b/pki/base/kra/shared/conf/db.ldif
new file mode 100644
index 000000000..813fc90d1
--- /dev/null
+++ b/pki/base/kra/shared/conf/db.ldif
@@ -0,0 +1,79 @@
+dn: ou=people,{rootSuffix}
+objectClass: top
+objectClass: organizationalUnit
+ou: people
+aci: (targetattr!="userPassword")(version 3.0; acl "Enable anonymous access"; allow (read, search, compare)userdn="ldap:///anyone";)
+
+dn: ou=groups,{rootSuffix}
+objectClass: top
+objectClass: organizationalUnit
+ou: groups
+
+dn: cn=Data Recovery Manager Agents,ou=groups,{rootSuffix}
+objectClass: top
+objectClass: groupOfUniqueNames
+cn: Data Recovery Manager Agents
+description: Agents for Data Recovery Manager
+
+dn: cn=Subsystem Group, ou=groups, {rootSuffix}
+objectClass: top
+objectClass: groupOfUniqueNames
+cn: Subsystem Group
+description: Subsystem Group
+
+dn: cn=Trusted Managers,ou=groups,{rootSuffix}
+objectClass: top
+objectClass: groupOfUniqueNames
+cn: Trusted Managers
+description: Managers trusted by this PKI instance
+
+dn: cn=Administrators,ou=groups,{rootSuffix}
+objectClass: top
+objectClass: groupOfUniqueNames
+cn: Administrators
+description: People who manage the Fedora Certificate System
+
+dn: cn=Auditors,ou=groups,{rootSuffix}
+objectClass: top
+objectClass: groupOfUniqueNames
+cn: Auditors
+description: People who can read the signed audits
+
+dn: cn=ClonedSubsystems,ou=groups,{rootSuffix}
+objectClass: top
+objectClass: groupOfUniqueNames
+cn: ClonedSubsystems
+description: People who can clone the master subsystem
+
+dn: ou=requests,{rootSuffix}
+objectClass: top
+objectClass: organizationalUnit
+ou: requests
+
+dn: cn=crossCerts,{rootSuffix}
+cn: crossCerts
+sn: crossCerts
+objectClass: top
+objectClass: person
+objectClass: certificationAuthority
+cACertificate;binary:
+authorityRevocationList;binary:
+certificateRevocationList;binary:
+crossCertificatePair;binary:
+
+dn: ou=kra, {rootSuffix}
+objectclass: top
+objectclass: organizationalUnit
+ou: kra
+
+dn: ou=keyRepository, ou=kra, {rootSuffix}
+objectclass: top
+objectclass: repository
+ou: keyRepository
+serialno: 010
+
+dn: ou=kra, ou=requests, {rootSuffix}
+objectclass: top
+objectclass: repository
+ou: kra
+serialno: 010
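Review bot: The `aci` on `ou=people` grants read, search and compare on every attribute except `userPassword` to `userdn="ldap:///anyone"`, so an unauthenticated bind can enumerate this subsystem's user entries and all of their other attributes. If the callers that need these lookups are themselves bound, `userdn="ldap:///all"` restricts the rule to authenticated users; otherwise the `targetattr` expression should be an allow-list of the attributes anonymous lookups actually require rather than an exclusion of a single one. Which clients rely on anonymous reads here is not visible in this commit, so this needs confirming against the subsystem's LDAP usage before tightening.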
diff --git a/pki/base/kra/shared/conf/dtomcat5 b/pki/base/kra/shared/conf/dtomcat5
new file mode 100755
index 000000000..ba9a5dca8
--- /dev/null
+++ b/pki/base/kra/shared/conf/dtomcat5
@@ -0,0 +1,448 @@
+#!/bin/bash
+#
+# --- BEGIN COPYRIGHT BLOCK ---
+# Copyright (C) 2006 Red Hat, Inc.
+# All rights reserved.
+# --- END COPYRIGHT BLOCK ---
+#
+# -----------------------------------------------------------------------------
+# Start/Stop Script for the CATALINA Server
+#
+# Environment Variable Prequisites
+#
+# CATALINA_HOME May point at your Catalina "build" directory.
+#
+# CATALINA_BASE (Optional) Base directory for resolving dynamic portions
+# of a Catalina installation. If not present, resolves to
+# the same directory that CATALINA_HOME points to.
+#
+# CATALINA_OPTS (Optional) Java runtime options used when the "start",
+# "stop", or "run" command is executed.
+#
+# CATALINA_TMPDIR (Optional) Directory path location of temporary directory
+# the JVM should use (java.io.tmpdir). Defaults to
+# $CATALINA_BASE/temp.
+#
+# JAVA_HOME Must point at your Java Development Kit installation.
+# Required to run the with the "debug" or "javac" argument.
+#
+# JRE_HOME Must point at your Java Development Kit installation.
+# Defaults to JAVA_HOME if empty.
+#
+# JAVA_OPTS (Optional) Java runtime options used when the "start",
+# "stop", or "run" command is executed.
+#
+# JPDA_TRANSPORT (Optional) JPDA transport used when the "jpda start"
+# command is executed. The default is "dt_socket".
+#
+# JPDA_ADDRESS (Optional) Java runtime options used when the "jpda start"
+# command is executed. The default is 8000.
+#
+# JSSE_HOME (Optional) May point at your Java Secure Sockets Extension
+# (JSSE) installation, whose JAR files will be added to the
+# system class path used to start Tomcat.
+#
+# CATALINA_PID (Optional) Path of the file which should contains the pid
+# of catalina startup java process, when start (fork) is used
+#
+# $Id: catalina.sh,v 1.19 2005/03/03 15:13:39 remm Exp $
+# -----------------------------------------------------------------------------
+
+# Disallow 'others' the ability to 'write' to new files
+umask 00002
+
+# Check to insure that this script's original invocation directory
+# has not been deleted!
+CWD=`/bin/pwd > /dev/null 2>&1`
+if [ $? -ne 0 ] ; then
+ echo "Cannot invoke '$0' from non-existent directory!"
+ exit 255
+fi
+
+# Check to insure that at least one PKI subsystem
+# currently resides on this system.
+if [ ! -x /usr/bin/pkiarch ] ||
+ [ ! -x /usr/bin/pkiflavor ] ||
+ [ ! -x /usr/bin/pkiname ]; then
+ echo "This machine is missing all PKI subsystems!"
+ exit 255
+fi
+
+# Check to insure that this script's associated PKI
+# subsystem currently resides on this system.
+PKI_SUBSYSTEM_TYPE=[PKI_SUBSYSTEM_TYPE]
+if [ ! -d /usr/share/`pkiflavor`/${PKI_SUBSYSTEM_TYPE} ] ; then
+ echo "This machine is missing the '${PKI_SUBSYSTEM_TYPE}' subsystem!"
+ exit 255
+fi
+
+# OS specific support. $var _must_ be set to either true or false.
+OS=`pkiname`
+cygwin=false
+os400=false
+case "${OS}" in
+CYGWIN*) cygwin=true;;
+OS400*) os400=true;;
+esac
+
+TOMCAT_CFG=[PKI_INSTANCE_PATH]/conf/tomcat5.conf
+JAVADIR="/usr/share/java"
+
+# resolve links - $0 may be a softlink
+PRG="$0"
+
+while [ -h "$PRG" ]; do
+ ls=`ls -ld "$PRG"`
+ link=`expr "$ls" : '.*-> \(.*\)$'`
+ if expr "$link" : '.*/.*' > /dev/null; then
+ PRG="$link"
+ else
+ PRG=`dirname "$PRG"`/"$link"
+ fi
+done
+
+# Get standard environment variables
+PRGDIR=`dirname "$PRG"`
+
+# Only set CATALINA_HOME if not already set
+[ -z "$CATALINA_HOME" ] && CATALINA_HOME=`cd "$PRGDIR/.." ; pwd`
+
+if [ -r "$CATALINA_HOME"/bin/setenv.sh ]; then
+ . "$CATALINA_HOME"/bin/setenv.sh
+fi
+
+# For Cygwin, ensure paths are in UNIX format before anything is touched
+if $cygwin; then
+ [ -n "$JAVA_HOME" ] && JAVA_HOME=`cygpath --unix "$JAVA_HOME"`
+ [ -n "$JRE_HOME" ] && JRE_HOME=`cygpath --unix "$JRE_HOME"`
+ [ -n "$CATALINA_HOME" ] && CATALINA_HOME=`cygpath --unix "$CATALINA_HOME"`
+ [ -n "$CATALINA_BASE" ] && CATALINA_BASE=`cygpath --unix "$CATALINA_BASE"`
+ [ -n "$CLASSPATH" ] && CLASSPATH=`cygpath --path --unix "$CLASSPATH"`
+ [ -n "$JSSE_HOME" ] && JSSE_HOME=`cygpath --absolute --unix "$JSSE_HOME"`
+fi
+
+# For OS400
+if $os400; then
+ # Set job priority to standard for interactive (interactive - 6) by using
+ # the interactive priority - 6, the helper threads that respond to requests
+ # will be running at the same priority as interactive jobs.
+ COMMAND='chgjob job('$JOBNAME') runpty(6)'
+ system $COMMAND
+
+ # Enable multi threading
+ export QIBM_MULTI_THREADED=Y
+fi
+
+[ -r "$TOMCAT_CFG" ] && . "${TOMCAT_CFG}"
+
+### Set up defaults if they were omitted in TOMCAT_CFG
+### JVM lookup
+if [ -z "$JAVA_HOME" ]; then
+ # Search for java in PATH
+ JAVA=`which java`
+ if [ -z "$JAVA" ] ; then
+ JAVA_BINDIR=`dirname ${JAVA}`
+ JAVA_HOME="${JAVA_BINDIR}/.."
+ fi
+ # Default clean JAVA_HOME
+ [ -z "$JAVA_HOME" -a -d "/usr/lib/java" ] && JAVA_HOME="/usr/lib/java"
+ # Default IBM JAVA_HOME
+ [ -z "$JAVA_HOME" -a -d "/opt/IBMJava2-13" ] && \
+ JAVA_HOME="/opt/IBMJava2-13"
+ [ -z "$JAVA_HOME" -a -d "/opt/IBMJava2-131" ] && \
+ JAVA_HOME="/opt/IBMJava2-131"
+ [ -z "$JAVA_HOME" -a -d "/opt/IBMJava2-14" ] && \
+ JAVA_HOME="/opt/IBMJava2-14"
+ [ -z "$JAVA_HOME" -a -d "/opt/IBMJava2-141" ] && \
+ JAVA_HOME="/opt/IBMJava2-141"
+ # Another solution
+ [ -z "$JAVA_HOME" -a -d "/usr/java/jdk" ] && \
+ JAVA_HOME="/usr/java/jdk"
+ # madeinlinux JAVA_HOME
+ [ -z "$JAVA_HOME" -a -d "/usr/local/jdk1.2.2" ] && \
+ JAVA_HOME="/usr/local/jdk1.2.2"
+ # Kondara JAVA_HOME
+ [ -z "$JAVA_HOME" -a -d "/usr/lib/java/jdk1.2.2" ] && \
+ JAVA_HOME="/usr/lib/java/jdk1.2.2"
+ # Other commonly found JAVA_HOMEs
+ [ -z "$JAVA_HOME" -a -d "/usr/jdk1.2" ] && JAVA_HOME="/usr/jdk1.2"
+ # Default Caldera JAVA_HOME
+ [ -z "$JAVA_HOME" -a -d "/opt/java-1.3" ] && \
+ JAVA_HOME="/opt/java-1.3"
+ # Add other locations here
+ if [ -z "$JAVA_HOME" ]; then
+ echo "No JAVA_HOME specified in ${TOMCAT_CFG} and no java found"
+ exit 1
+ else
+ echo "Found JAVA_HOME: ${JAVA_HOME}"
+ echo "Please complete your ${TOMCAT_CFG} so we won't have to look for it next time"
+ fi
+fi
+
+# Set juli LogManager if it is present
+if [ -r "$CATALINA_HOME"/bin/tomcat-juli.jar ]; then
+ JAVA_OPTS="$JAVA_OPTS "-Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager
+fi
+
+# Set standard commands for invoking Java.
+_RUNJAVA="$JAVA_HOME"/bin/java
+_RUNJAVAC="$JAVA_HOME"/bin/javac
+_RUNJDB="$JAVA_HOME"/bin/jdb
+
+# Set standard CLASSPATH
+# (always inherit any preset values from the PKI start script)
+if [ ${OS} = "Linux" ] ; then
+ # Checking for IcedTea JVM
+ ICEDTEA_JVM="`java -version 2>&1 | tail -1 | awk '{print $1};'`"
+ if [ "${ICEDTEA_JVM}" = "IcedTea" ]; then
+ # using OpenJDK
+ CLASSPATH="$CLASSPATH":"$JAVA_HOME"/lib/rt.jar
+
+ # add required classes to the CLASSPATH for OpenJDK
+ CLASSPATH="$CLASSPATH":"$JAVADIR"/commons-collections.jar
+ else
+ # NOT using OpenJDK
+ CLASSPATH="$CLASSPATH":"$JAVA_HOME"/lib/tools.jar
+ fi
+elif [ ${OS} = "SunOS" ] ; then
+ CLASSPATH="$CLASSPATH":"$JAVA_HOME"/lib/rt.jar
+fi
+
+# Add on extra jar files to CLASSPATH
+if [ -n "$JSSE_HOME" ]; then
+ CLASSPATH="$CLASSPATH":"$JSSE_HOME"/lib/jcert.jar:"$JSSE_HOME"/lib/jnet.jar:"$JSSE_HOME"/lib/jsse.jar
+fi
+
+# JPackage JSSE location check
+if [ -r "$JAVADIR/jsse/jcert.jar" ]; then
+ CLASSPATH="$CLASSPATH":"$JAVADIR"/jsse/jcert.jar:"$JAVADIR"/jsse/jnet.jar:"$JAVADIR"/jsse/jsse.jar
+fi
+
+if [ ${OS} = "Linux" ] ; then
+ CLASSPATH="$CLASSPATH":"$CATALINA_HOME"/bin/bootstrap.jar:"$CATALINA_HOME"/bin/commons-logging-api.jar:`/usr/bin/build-classpath mx4j/mx4j-impl`:`/usr/bin/build-classpath mx4j/mx4j-jmx`
+elif [ ${OS} = "SunOS" ] ; then
+ # The following definitions are provided for Solaris
+ # platforms since they are unable to execute the
+ # "/usr/bin/build-classpath" and
+ # "/usr/share/java-utils/java-functions" files . . .
+
+ CLASSPATH="$CLASSPATH":"$CATALINA_HOME"/bin/bootstrap.jar
+ CLASSPATH="$CLASSPATH":"$CATALINA_HOME"/bin/commons-logging-api.jar
+ CLASSPATH="$CLASSPATH":/usr/share/java/mx4j/mx4j-impl.jar
+ CLASSPATH="$CLASSPATH":/usr/share/java/mx4j/mx4j-jmx.jar
+ CLASSPATH="$CLASSPATH":/usr/share/java/`pkiflavor`/base.jar
+ CLASSPATH="$CLASSPATH":/usr/share/java/`pkiflavor`/certsrv.jar
+ CLASSPATH="$CLASSPATH":/usr/share/java/`pkiflavor`/cms.jar
+ CLASSPATH="$CLASSPATH":/usr/share/java/`pkiflavor`/cms72.jar
+ CLASSPATH="$CLASSPATH":/usr/share/java/`pkiflavor`/cms72_en.jar
+ CLASSPATH="$CLASSPATH":/usr/share/java/`pkiflavor`/cmsbundle.jar
+ CLASSPATH="$CLASSPATH":/usr/share/java/`pkiflavor`/cmscore.jar
+ CLASSPATH="$CLASSPATH":/usr/share/java/`pkiflavor`/cmsutil.jar
+ CLASSPATH="$CLASSPATH":/usr/share/java/`pkiflavor`/cstools.jar
+ CLASSPATH="$CLASSPATH":/usr/share/java/`pkiflavor`/mcc70.jar
+ CLASSPATH="$CLASSPATH":/usr/share/java/`pkiflavor`/mcc70_en.jar
+ CLASSPATH="$CLASSPATH":/usr/share/java/`pkiflavor`/nmclf70.jar
+ CLASSPATH="$CLASSPATH":/usr/share/java/`pkiflavor`/nmclf70_en.jar
+ CLASSPATH="$CLASSPATH":/usr/share/java/`pkiflavor`/nsutil.jar
+
+ if [ -d /usr/share/java/`pkiflavor`/ca ]; then
+ CLASSPATH="$CLASSPATH":/usr/share/java/`pkiflavor`/ca/ca.jar
+ fi
+ if [ -d /usr/share/java/`pkiflavor`/kra ]; then
+ CLASSPATH="$CLASSPATH":/usr/share/java/`pkiflavor`/kra/kra.jar
+ fi
+ if [ -d /usr/share/java/`pkiflavor`/ocsp ]; then
+ CLASSPATH="$CLASSPATH":/usr/share/java/`pkiflavor`/ocsp/ocsp.jar
+ fi
+ if [ -d /usr/share/java/`pkiflavor`/tks ]; then
+ CLASSPATH="$CLASSPATH":/usr/share/java/`pkiflavor`/tks/tks.jar
+ fi
+fi
+
+if [ -z "$CATALINA_BASE" ] ; then
+ CATALINA_BASE="$CATALINA_HOME"
+fi
+
+if [ -z "$CATALINA_TMPDIR" ] ; then
+ # Define the java.io.tmpdir to use for Catalina
+ CATALINA_TMPDIR="$CATALINA_BASE"/temp
+fi
+
+if [ -z "$CATALINA_PID" ] ; then
+ export CATALINA_PID=/var/run/tomcat5.pid
+fi
+
+# For Cygwin, switch paths to Windows format before running java
+if $cygwin; then
+ JAVA_HOME=`cygpath --absolute --windows "$JAVA_HOME"`
+ JRE_HOME=`cygpath --absolute --windows "$JRE_HOME"`
+ CATALINA_HOME=`cygpath --absolute --windows "$CATALINA_HOME"`
+ CATALINA_BASE=`cygpath --absolute --windows "$CATALINA_BASE"`
+ CATALINA_TMPDIR=`cygpath --absolute --windows "$CATALINA_TMPDIR"`
+ CLASSPATH=`cygpath --path --windows "$CLASSPATH"`
+ [ -n "$JSSE_HOME" ] && JSSE_HOME=`cygpath --absolute --windows "$JSSE_HOME"`
+ JAVA_ENDORSED_DIRS=`cygpath --path --windows "$JAVA_ENDORSED_DIRS"`
+fi
+
+# ----- Execute The Requested Command -----------------------------------------
+echo "Using CATALINA_PID $CATALINA_PID"
+echo "Using CATALINA_BASE: $CATALINA_BASE"
+echo "Using CATALINA_HOME: $CATALINA_HOME"
+echo "Using CATALINA_TMPDIR: $CATALINA_TMPDIR"
+if [ "$1" = "debug" -o "$1" = "javac" ] ; then
+ echo "Using JAVA_HOME: $JAVA_HOME"
+else
+ echo "Using JRE_HOME: $JRE_HOME"
+fi
+
+if [ "$1" = "jpda" ] ; then
+ if [ -z "$JPDA_TRANSPORT" ]; then
+ JPDA_TRANSPORT="dt_socket"
+ fi
+ if [ -z "$JPDA_ADDRESS" ]; then
+ JPDA_ADDRESS="8000"
+ fi
+ if [ -z "$JPDA_OPTS" ]; then
+ JPDA_OPTS="-Xdebug -Xrunjdwp:transport=$JPDA_TRANSPORT,address=$JPDA_ADDRESS,server=y,suspend=n"
+ fi
+ CATALINA_OPTS="$CATALINA_OPTS $JPDA_OPTS"
+ shift
+fi
+
+if [ "$1" = "debug" ] ; then
+ if $os400; then
+ echo "Debug command not available on OS400"
+ exit 1
+ else
+ shift
+ if [ "$1" = "-security" ] ; then
+ echo "Using Security Manager"
+ shift
+ exec "$_RUNJDB" $JAVA_OPTS $CATALINA_OPTS \
+ -Djava.endorsed.dirs="$JAVA_ENDORSED_DIRS" -classpath "$CLASSPATH" \
+ -sourcepath "$CATALINA_HOME"/../../jakarta-tomcat-catalina/catalina/src/share \
+ -Djava.security.manager \
+ -Djava.security.policy=="$CATALINA_BASE"/conf/catalina.policy \
+ -Dcatalina.base="$CATALINA_BASE" \
+ -Dcatalina.home="$CATALINA_HOME" \
+ -Djava.io.tmpdir="$CATALINA_TMPDIR" \
+ org.apache.catalina.startup.Bootstrap "$@" start
+ else
+ exec "$_RUNJDB" $JAVA_OPTS $CATALINA_OPTS \
+ -Djava.endorsed.dirs="$JAVA_ENDORSED_DIRS" -classpath "$CLASSPATH" \
+ -sourcepath "$CATALINA_HOME"/../../jakarta-tomcat-catalina/catalina/src/share \
+ -Dcatalina.base="$CATALINA_BASE" \
+ -Dcatalina.home="$CATALINA_HOME" \
+ -Djava.io.tmpdir="$CATALINA_TMPDIR" \
+ org.apache.catalina.startup.Bootstrap "$@" start
+ fi
+ fi
+
+elif [ "$1" = "run" ]; then
+
+ shift
+ if [ "$1" = "-security" ] ; then
+ echo "Using Security Manager"
+ shift
+ exec "$_RUNJAVA" $JAVA_OPTS $CATALINA_OPTS \
+ -Djava.endorsed.dirs="$JAVA_ENDORSED_DIRS" -classpath "$CLASSPATH" \
+ -Djava.security.manager \
+ -Djava.security.policy=="$CATALINA_BASE"/conf/catalina.policy \
+ -Dcatalina.base="$CATALINA_BASE" \
+ -Dcatalina.home="$CATALINA_HOME" \
+ -Djava.io.tmpdir="$CATALINA_TMPDIR" \
+ org.apache.catalina.startup.Bootstrap "$@" start
+ else
+ exec "$_RUNJAVA" $JAVA_OPTS $CATALINA_OPTS \
+ -Djava.endorsed.dirs="$JAVA_ENDORSED_DIRS" -classpath "$CLASSPATH" \
+ -Dcatalina.base="$CATALINA_BASE" \
+ -Dcatalina.home="$CATALINA_HOME" \
+ -Djava.io.tmpdir="$CATALINA_TMPDIR" \
+ org.apache.catalina.startup.Bootstrap "$@" start
+ fi
+
+elif [ "$1" = "start" ] ; then
+
+ shift
+ touch "$CATALINA_BASE"/logs/catalina.out
+ if [ "$1" = "-security" ] ; then
+ echo "Using Security Manager"
+ shift
+ "$_RUNJAVA" $JAVA_OPTS $CATALINA_OPTS \
+ -Djava.endorsed.dirs="$JAVA_ENDORSED_DIRS" -classpath "$CLASSPATH" \
+ -Djava.security.manager \
+ -Djava.security.policy=="$CATALINA_BASE"/conf/catalina.policy \
+ -Dcatalina.base="$CATALINA_BASE" \
+ -Dcatalina.home="$CATALINA_HOME" \
+ -Djava.io.tmpdir="$CATALINA_TMPDIR" \
+ org.apache.catalina.startup.Bootstrap "$@" start \
+ >> "$CATALINA_BASE"/logs/catalina.out 2>&1 &
+
+ if [ ! -z "$CATALINA_PID" ]; then
+ echo $! > $CATALINA_PID
+ fi
+ else
+ "$_RUNJAVA" $JAVA_OPTS $CATALINA_OPTS \
+ -Djava.endorsed.dirs="$JAVA_ENDORSED_DIRS" -classpath "$CLASSPATH" \
+ -Dcatalina.base="$CATALINA_BASE" \
+ -Dcatalina.home="$CATALINA_HOME" \
+ -Djava.io.tmpdir="$CATALINA_TMPDIR" \
+ org.apache.catalina.startup.Bootstrap "$@" start \
+ >> "$CATALINA_BASE"/logs/catalina.out 2>&1 &
+
+ if [ ! -z "$CATALINA_PID" ]; then
+ echo $! > $CATALINA_PID
+ fi
+ fi
+
+elif [ "$1" = "stop" ] ; then
+
+ shift
+ FORCE=0
+ if [ "$1" = "-force" ]; then
+ shift
+ FORCE=1
+ fi
+
+ "$_RUNJAVA" $JAVA_OPTS $CATALINA_OPTS \
+ -Djava.endorsed.dirs="$JAVA_ENDORSED_DIRS" -classpath "$CLASSPATH" \
+ -Dcatalina.base="$CATALINA_BASE" \
+ -Dcatalina.home="$CATALINA_HOME" \
+ -Djava.io.tmpdir="$CATALINA_TMPDIR" \
+ org.apache.catalina.startup.Bootstrap "$@" stop
+
+ if [ $FORCE -eq 1 ]; then
+ if [ ! -z "$CATALINA_PID" ]; then
+ echo "Killing: `cat $CATALINA_PID`"
+ kill -9 `cat $CATALINA_PID`
+ fi
+ fi
+
+elif [ "$1" = "version" ] ; then
+
+ "$_RUNJAVA" \
+ -classpath "$CATALINA_HOME/server/lib/catalina.jar" \
+ org.apache.catalina.util.ServerInfo
+
+else
+
+ echo "Usage: dtomcat5 ( commands ... )"
+ echo "commands:"
+ if $os400; then
+ echo " debug Start Catalina in a debugger (not available on OS400)"
+ echo " debug -security Debug Catalina with a security manager (not available on OS400)"
+ else
+ echo " debug Start Catalina in a debugger"
+ echo " debug -security Debug Catalina with a security manager"
+ fi
+ echo " jpda start Start Catalina under JPDA debugger"
+ echo " run Start Catalina in the current window"
+ echo " run -security Start in the current window with security manager"
+ echo " start Start Catalina in a separate window"
+ echo " start -security Start in a separate window with security manager"
+ echo " stop Stop Catalina"
+ echo " stop -force Stop Catalina (followed by kill -KILL)"
+ echo " version What version of tomcat are you running?"
+ exit 1
+
+fi
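Review bot: The JAVA_HOME fallback in the "JVM lookup" block is inverted: after the `which java` assignment the script tests `if [ -z "$JAVA" ] ; then`, so the dirname-based derivation only runs when no java was found (and then evaluates `dirname` on an empty string), while a java that was found is ignored and the hard-coded directory probes are tried instead; the test should read `if [ -n "$JAVA" ] ; then`. Separately, `stop -force` runs `kill -9` on whatever `$CATALINA_PID` contains without checking that the pid still belongs to the Catalina process, so a stale pid file left by an unclean shutdown can terminate an unrelated process that reused the number; probing the pid (for example with `kill -0`) and confirming it is the expected java process before the SIGKILL, then removing the pid file, would be safer. The default `CATALINA_PID=/var/run/tomcat5.pid` is also shared by every instance that does not override it in tomcat5.conf, so if more than one PKI subsystem runs on the host the instances would overwrite each other's pid file.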
diff --git a/pki/base/kra/shared/conf/index.ldif b/pki/base/kra/shared/conf/index.ldif
new file mode 100644
index 000000000..c1eecc19d
--- /dev/null
+++ b/pki/base/kra/shared/conf/index.ldif
@@ -0,0 +1,177 @@
+dn: cn=revokedby,cn=index,cn={database},cn=ldbm database, cn=plugins, cn=config
+objectClass: top
+objectClass: nsIndex
+nsIndexType: eq
+nsSystemIndex: false
+cn: revokedby
+
+dn: cn=issuedby,cn=index,cn={database},cn=ldbm database, cn=plugins, cn=config
+objectClass: top
+objectClass: nsIndex
+nsIndexType: eq
+nsSystemIndex: false
+cn: issuedby
+
+dn: cn=publicKeyData,cn=index,cn={database},cn=ldbm database, cn=plugins, cn=config
+objectClass: top
+objectClass: nsIndex
+nsIndexType: eq
+nsSystemIndex: false
+cn: publicKeyData
+
+dn: cn=description,cn=index,cn={database},cn=ldbm database, cn=plugins, cn=config
+objectClass: top
+objectClass: nsIndex
+nsIndexType: eq
+nsIndexType: pres
+nsSystemIndex: false
+cn: description
+
+dn: cn=serialno,cn=index,cn={database},cn=ldbm database, cn=plugins, cn=config
+objectClass: top
+objectClass: nsIndex
+nsIndexType: eq
+nsIndexType: pres
+nsSystemIndex: false
+cn: serialno
+
+dn: cn=metaInfo,cn=index,cn={database},cn=ldbm database, cn=plugins, cn=config
+objectClass: top
+objectClass: nsIndex
+nsIndexType: eq
+nsIndexType: pres
+nsSystemIndex: false
+cn: metaInfo
+
+dn: cn=certstatus,cn=index,cn={database},cn=ldbm database, cn=plugins, cn=config
+objectClass: top
+objectClass: nsIndex
+nsIndexType: eq
+nsIndexType: pres
+nsSystemIndex: false
+cn: certstatus
+
+dn: cn=requestid,cn=index,cn={database},cn=ldbm database, cn=plugins, cn=config
+objectClass: top
+objectClass: nsIndex
+nsIndexType: eq
+nsIndexType: pres
+nsSystemIndex: false
+cn: requestid
+
+dn: cn=requesttype,cn=index,cn={database},cn=ldbm database, cn=plugins, cn=config
+objectClass: top
+objectClass: nsIndex
+nsIndexType: eq
+nsIndexType: pres
+nsSystemIndex: false
+cn: requesttype
+
+dn: cn=requeststate,cn=index,cn={database},cn=ldbm database, cn=plugins, cn=config
+objectClass: top
+objectClass: nsIndex
+nsIndexType: eq
+nsIndexType: pres
+nsSystemIndex: false
+cn: requeststate
+
+dn: cn=requestowner,cn=index,cn={database},cn=ldbm database, cn=plugins, cn=config
+objectClass: top
+objectClass: nsIndex
+nsIndexType: eq
+nsIndexType: pres
+nsSystemIndex: false
+cn: requestowner
+
+dn: cn=notbefore,cn=index,cn={database},cn=ldbm database, cn=plugins, cn=config
+objectClass: top
+objectClass: nsIndex
+nsIndexType: eq
+nsIndexType: pres
+nsSystemIndex: false
+cn: notbefore
+
+dn: cn=notafter,cn=index,cn={database},cn=ldbm database, cn=plugins, cn=config
+objectClass: top
+objectClass: nsIndex
+nsIndexType: eq
+nsIndexType: pres
+nsSystemIndex: false
+cn: notafter
+
+dn: cn=duration,cn=index,cn={database},cn=ldbm database, cn=plugins, cn=config
+objectClass: top
+objectClass: nsIndex
+nsIndexType: eq
+nsIndexType: pres
+nsSystemIndex: false
+cn: duration
+
+dn: cn=dateOfCreate,cn=index,cn={database},cn=ldbm database, cn=plugins, cn=config
+objectClass: top
+objectClass: nsIndex
+nsIndexType: eq
+nsIndexType: pres
+nsSystemIndex: false
+cn: dateOfCreate
+
+dn: cn=revokedOn,cn=index,cn={database},cn=ldbm database, cn=plugins, cn=config
+objectClass: top
+objectClass: nsIndex
+nsIndexType: eq
+nsIndexType: pres
+nsSystemIndex: false
+cn: revokedOn
+
+dn: cn=archivedBy,cn=index,cn={database},cn=ldbm database, cn=plugins, cn=config
+objectClass: top
+objectClass: nsIndex
+nsIndexType: eq
+nsIndexType: pres
+nsSystemIndex: false
+cn: archivedBy
+
+dn: cn=ownername,cn=index,cn={database},cn=ldbm database, cn=plugins, cn=config
+objectClass: top
+objectClass: nsIndex
+nsIndexType: eq
+nsIndexType: pres
+nsIndexType: sub
+nsSystemIndex: false
+cn: ownername
+
+dn: cn=subjectname,cn=index,cn={database},cn=ldbm database, cn=plugins, cn=config
+objectClass: top
+objectClass: nsIndex
+nsIndexType: eq
+nsIndexType: pres
+nsIndexType: sub
+nsSystemIndex: false
+cn: subjectname
+
+dn: cn=requestsourceid,cn=index,cn={database},cn=ldbm database, cn=plugins, cn=config
+objectClass: top
+objectClass: nsIndex
+nsIndexType: eq
+nsIndexType: pres
+nsIndexType: sub
+nsSystemIndex: false
+cn: requestsourceid
+
+dn: cn=revInfo,cn=index,cn={database},cn=ldbm database, cn=plugins, cn=config
+objectClass: top
+objectClass: nsIndex
+nsIndexType: eq
+nsIndexType: pres
+nsIndexType: sub
+nsSystemIndex: false
+cn: revInfo
+
+dn: cn=extension,cn=index,cn={database},cn=ldbm database, cn=plugins, cn=config
+objectClass: top
+objectClass: nsIndex
+nsIndexType: eq
+nsIndexType: pres
+nsIndexType: sub
+nsSystemIndex: false
+cn: extension
diff --git a/pki/base/kra/shared/conf/jk2.manifest b/pki/base/kra/shared/conf/jk2.manifest
new file mode 100644
index 000000000..986d7b874
--- /dev/null
+++ b/pki/base/kra/shared/conf/jk2.manifest
@@ -0,0 +1,2 @@
+Main-Class: org.apache.jk.apr.TomcatStarter
+Class-Path: ../lib/tomcat.jar log4j.jar log4j-core.jar ../lib/common/log4j.jar ../lib/common/log4j-core.jar ../lib/common/classes ../lib/common/commons-logging.jar bootstrap.jar ../server/lib/commons-logging.jar ../server/lib/jmx.jar jmx.jar commons-logging-api.jar
diff --git a/pki/base/kra/shared/conf/jk2.properties b/pki/base/kra/shared/conf/jk2.properties
new file mode 100644
index 000000000..093bae802
--- /dev/null
+++ b/pki/base/kra/shared/conf/jk2.properties
@@ -0,0 +1,26 @@
+## THIS FILE MAY BE OVERRIDEN AT RUNTIME. MAKE SURE TOMCAT IS STOPED
+## WHEN YOU EDIT THE FILE.
+
+## COMMENTS WILL BE _LOST_
+
+## DOCUMENTATION OF THE FORMAT IN JkMain javadoc.
+
+# Set the desired handler list
+# handler.list=apr,request,channelJni
+#
+# Override the default port for the socketChannel
+# channelSocket.port=8019
+# Default:
+# channelUnix.file=${jkHome}/work/jk2.socket
+# Just to check if the the config is working
+# shm.file=${jkHome}/work/jk2.shm
+
+# In order to enable jni use any channelJni directive
+# channelJni.disabled = 0
+# And one of the following directives:
+
+# apr.jniModeSo=/opt/apache2/modules/mod_jk2.so
+
+# If set to inprocess the mod_jk2 will Register natives itself
+# This will enable the starting of the Tomcat from mod_jk2
+# apr.jniModeSo=inprocess
diff --git a/pki/base/kra/shared/conf/jkconf.ant.xml b/pki/base/kra/shared/conf/jkconf.ant.xml
new file mode 100644
index 000000000..245cf98e2
--- /dev/null
+++ b/pki/base/kra/shared/conf/jkconf.ant.xml
@@ -0,0 +1,51 @@
+<project name="jkconf" default="main" basedir=".">
+
+ <target name="init-3x" if="33.detect">
+ <taskdef name="jkconf"
+ classname="org.apache.jk.config.WebXml2Jk" >
+ <classpath>
+ <!-- 3.3 support -->
+ <pathelement location="/ws/jtc/jk/build/classes" />
+ <pathelement location="${tomcat.home}/lib/container/tomcat-jk2.jar" />
+ <pathelement location="${tomcat.home}/lib/container/crimson.jar"/>
+ <pathelement location="${tomcat.home}/lib/common/commons-logging.jar"/>
+ </classpath>
+ </taskdef>
+ </target>
+
+ <target name="init-4x" if="4x.detect" >
+ <path id="main.classpath">
+ <!-- 3.3 support -->
+ <fileset dir="${tomcat.home}/lib" includes="*.jar" />
+ <fileset dir="${tomcat.home}/server/lib" includes="*.jar" />
+ <fileset dir="${tomcat.home}/common/lib" includes="*.jar" />
+ </path>
+
+ <taskdef name="jkconf" classpathref="main.classpath"
+ classname="org.apache.jk.config.WebXml2Jk" />
+ </target>
+
+ <target name="detect" >
+ <property file="build.properties"/>
+ <property file="${user.home}/build.properties"/>
+ <property file="${user.home}/.build.properties"/>
+
+ <!-- default locations, overrident by properties.
+ This file must be installed in conf/ -->
+ <property name="tomcat.home" location=".." />
+
+ <available property="33.detect" file="${tomcat.home}/lib/container" />
+ <available property="4x.detect" file="${tomcat.home}/server/lib" />
+ </target>
+
+ <target name="init" depends="detect,init-3x,init-4x" />
+
+ <!-- ==================== Detection and reports ==================== -->
+
+
+ <target name="main" depends="init">
+ <jkconf docBase="${tomcat.home}/webapps/examples"
+ context="/examples" />
+ </target>
+
+</project>
diff --git a/pki/base/kra/shared/conf/jkconfig.manifest b/pki/base/kra/shared/conf/jkconfig.manifest
new file mode 100644
index 000000000..3ba1f2e3e
--- /dev/null
+++ b/pki/base/kra/shared/conf/jkconfig.manifest
@@ -0,0 +1,2 @@
+Main-Class: org.apache.jk.config.WebXml2Jk
+Class-Path: tomcat-jk2.jar commons-logging.jar crimson.jar xercesImpl.jar xmlApis.jar tomcat-util.jar log4j.jar log4j-core.jar
diff --git a/pki/base/kra/shared/conf/registry.cfg b/pki/base/kra/shared/conf/registry.cfg
new file mode 100644
index 000000000..e69de29bb
--- /dev/null
+++ b/pki/base/kra/shared/conf/registry.cfg
diff --git a/pki/base/kra/shared/conf/schema.ldif b/pki/base/kra/shared/conf/schema.ldif
new file mode 100644
index 000000000..4431a2730
--- /dev/null
+++ b/pki/base/kra/shared/conf/schema.ldif
@@ -0,0 +1,394 @@
+dn: cn=schema
+changetype: modify
+add: attributeTypes
+attributeTypes: ( usertype-oid NAME 'usertype' DESC 'Distinguish whether the user is administrator, agent or subsystem.' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )
+
+dn: cn=schema
+changetype: modify
+add: attributeTypes
+attributeTypes: ( userstate-oid NAME 'userstate' DESC 'Distinguish whether the user is administrator, agent or subsystem.' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )
+
+dn: cn=schema
+changetype: modify
+add: objectClasses
+objectClasses: ( cmsuser-oid NAME 'cmsuser' DESC 'CMS User' SUP top STRUCTURAL MUST usertype MAY userstate X-ORIGIN 'user defined' )
+
+dn: cn=schema
+changetype: modify
+add: attributeTypes
+attributeTypes: ( archivedBy-oid NAME 'archivedBy' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )
+
+dn: cn=schema
+changetype: modify
+add: attributeTypes
+attributeTypes: ( adminMessages-oid NAME 'adminMessages' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )
+
+dn: cn=schema
+changetype: modify
+add: attributeTypes
+attributeTypes: ( algorithm-oid NAME 'algorithm' DESC 'CMS defined attribute'SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )
+
+dn: cn=schema
+changetype: modify
+add: attributeTypes
+attributeTypes: ( algorithmId-oid NAME 'algorithmId' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )
+
+dn: cn=schema
+changetype: modify
+add: attributeTypes
+attributeTypes: ( signingAlgorithmId-oid NAME 'signingAlgorithmId' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )
+
+dn: cn=schema
+changetype: modify
+add: attributeTypes
+attributeTypes: ( autoRenew-oid NAME 'autoRenew' DESC 'CMS defined attribute'SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )
+
+dn: cn=schema
+changetype: modify
+add: attributeTypes
+attributeTypes: ( certStatus-oid NAME 'certStatus' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )
+
+dn: cn=schema
+changetype: modify
+add: attributeTypes
+attributeTypes: ( crlName-oid NAME 'crlName' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )
+
+dn: cn=schema
+changetype: modify
+add: attributeTypes
+attributeTypes: ( crlSize-oid NAME 'crlSize' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )
+
+dn: cn=schema
+changetype: modify
+add: attributeTypes
+attributeTypes: ( deltaSize-oid NAME 'deltaSize' DESC 'CMS defined attribute'SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )
+
+dn: cn=schema
+changetype: modify
+add: attributeTypes
+attributeTypes: ( crlNumber-oid NAME 'crlNumber' DESC 'CMS defined attribute'SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )
+
+dn: cn=schema
+changetype: modify
+add: attributeTypes
+attributeTypes: ( deltaNumber-oid NAME 'deltaNumber' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )
+
+dn: cn=schema
+changetype: modify
+add: attributeTypes
+attributeTypes: ( firstUnsaved-oid NAME 'firstUnsaved' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )
+
+dn: cn=schema
+changetype: modify
+add: attributeTypes
+attributeTypes: ( crlCache-oid NAME 'crlCache' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.5 X-ORIGIN 'user defined' )
+
+dn: cn=schema
+changetype: modify
+add: attributeTypes
+attributeTypes: ( revokedCerts-oid NAME 'revokedCerts' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.5 X-ORIGIN 'user defined' )
+
+dn: cn=schema
+changetype: modify
+add: attributeTypes
+attributeTypes: ( unrevokedCerts-oid NAME 'unrevokedCerts' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.5 X-ORIGIN 'user defined' )
+
+dn: cn=schema
+changetype: modify
+add: attributeTypes
+attributeTypes: ( expiredCerts-oid NAME 'expiredCerts' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.5 X-ORIGIN 'user defined' )
+
+dn: cn=schema
+changetype: modify
+add: attributeTypes
+attributeTypes: ( deltaCRL-oid NAME 'deltaCRL' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.5 X-ORIGIN 'user defined' )
+
+dn: cn=schema
+changetype: modify
+add: attributeTypes
+attributeTypes: ( crlExtensions-oid NAME 'crlExtensions' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.5 X-ORIGIN 'user defined' )
+
+dn: cn=schema
+changetype: modify
+add: attributeTypes
+attributeTypes: ( dateOfArchival-oid NAME 'dateOfArchival' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )
+
+dn: cn=schema
+changetype: modify
+add: attributeTypes
+attributeTypes: ( dateOfRecovery-oid NAME 'dateOfRecovery' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )
+
+dn: cn=schema
+changetype: modify
+add: attributeTypes
+attributeTypes: ( dateOfRevocation-oid NAME 'dateOfRevocation' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )
+
+dn: cn=schema
+changetype: modify
+add: attributeTypes
+attributeTypes: ( dateOfCreate-oid NAME 'dateOfCreate' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )
+
+dn: cn=schema
+changetype: modify
+add: attributeTypes
+attributeTypes: ( dateOfModify-oid NAME 'dateOfModify' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )
+
+dn: cn=schema
+changetype: modify
+add: attributeTypes
+attributeTypes: ( duration-oid NAME 'duration' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )
+
+dn: cn=schema
+changetype: modify
+add: attributeTypes
+attributeTypes: ( extension-oid NAME 'extension' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )
+
+dn: cn=schema
+changetype: modify
+add: attributeTypes
+attributeTypes: ( issuedBy-oid NAME 'issuedBy' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )
+
+dn: cn=schema
+changetype: modify
+add: attributeTypes
+attributeTypes: ( issueInfo-oid NAME 'issueInfo' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.5 X-ORIGIN 'user defined' )
+
+dn: cn=schema
+changetype: modify
+add: attributeTypes
+attributeTypes: ( issuerName-oid NAME 'issuerName' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )
+
+dn: cn=schema
+changetype: modify
+add: attributeTypes
+attributeTypes: ( keySize-oid NAME 'keySize' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )
+
+dn: cn=schema
+changetype: modify
+add: attributeTypes
+attributeTypes: ( keyState-oid NAME 'keyState' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )
+
+dn: cn=schema
+changetype: modify
+add: attributeTypes
+attributeTypes: ( metaInfo-oid NAME 'metaInfo' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )
+
+dn: cn=schema
+changetype: modify
+add: attributeTypes
+attributeTypes: ( nextUpdate-oid NAME 'nextUpdate' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )
+
+dn: cn=schema
+changetype: modify
+add: attributeTypes
+attributeTypes: ( notAfter-oid NAME 'notAfter' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )
+
+dn: cn=schema
+changetype: modify
+add: attributeTypes
+attributeTypes: ( notBefore-oid NAME 'notBefore' DESC 'CMS defined attribute'SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )
+
+dn: cn=schema
+changetype: modify
+add: attributeTypes
+attributeTypes: ( ownerName-oid NAME 'ownerName' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )
+
+dn: cn=schema
+changetype: modify
+add: attributeTypes
+attributeTypes: ( password-oid NAME 'password' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )
+
+dn: cn=schema
+changetype: modify
+add: attributeTypes
+attributeTypes: ( p12Expiration-oid NAME 'p12Expiration' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )
+
+dn: cn=schema
+changetype: modify
+add: attributeTypes
+attributeTypes: ( proofOfArchival-oid NAME 'proofOfArchival' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.5 X-ORIGIN 'user defined' )
+
+dn: cn=schema
+changetype: modify
+add: attributeTypes
+attributeTypes: ( publicKeyData-oid NAME 'publicKeyData' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.5 X-ORIGIN 'user defined' )
+
+dn: cn=schema
+changetype: modify
+add: attributeTypes
+attributeTypes: ( publicKeyFormat-oid NAME 'publicKeyFormat' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )
+
+dn: cn=schema
+changetype: modify
+add: attributeTypes
+attributeTypes: ( privateKeyData-oid NAME 'privateKeyData' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.5 X-ORIGIN 'user defined' )
+
+dn: cn=schema
+changetype: modify
+add: attributeTypes
+attributeTypes: ( requestId-oid NAME 'requestId' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )
+
+dn: cn=schema
+changetype: modify
+add: attributeTypes
+attributeTypes: ( requestInfo-oid NAME 'requestInfo' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )
+
+dn: cn=schema
+changetype: modify
+add: attributeTypes
+attributeTypes: ( requestState-oid NAME 'requestState' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )
+
+dn: cn=schema
+changetype: modify
+add: attributeTypes
+attributeTypes: ( requestResult-oid NAME 'requestResult' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )
+
+dn: cn=schema
+changetype: modify
+add: attributeTypes
+attributeTypes: ( requestOwner-oid NAME 'requestOwner' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )
+
+dn: cn=schema
+changetype: modify
+add: attributeTypes
+attributeTypes: ( requestAgentGroup-oid NAME 'requestAgentGroup' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )
+
+dn: cn=schema
+changetype: modify
+add: attributeTypes
+attributeTypes: ( requestSourceId-oid NAME 'requestSourceId' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )
+
+dn: cn=schema
+changetype: modify
+add: attributeTypes
+attributeTypes: ( requestType-oid NAME 'requestType' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )
+
+dn: cn=schema
+changetype: modify
+add: attributeTypes
+attributeTypes: ( requestFlag-oid NAME 'requestFlag' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )
+
+dn: cn=schema
+changetype: modify
+add: attributeTypes
+attributeTypes: ( requestError-oid NAME 'requestError' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )
+
+dn: cn=schema
+changetype: modify
+add: attributeTypes
+attributeTypes: ( resourceACLS-oid NAME 'resourceACLS' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )
+
+dn: cn=schema
+changetype: modify
+add: attributeTypes
+attributeTypes: ( revInfo-oid NAME 'revInfo' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )
+
+dn: cn=schema
+changetype: modify
+add: attributeTypes
+attributeTypes: ( revokedBy-oid NAME 'revokedBy' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )
+
+dn: cn=schema
+changetype: modify
+add: attributeTypes
+attributeTypes: ( revokedOn-oid NAME 'revokedOn' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )
+
+dn: cn=schema
+changetype: modify
+add: attributeTypes
+attributeTypes: ( serialno-oid NAME 'serialno' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )
+
+dn: cn=schema
+changetype: modify
+add: attributeTypes
+attributeTypes: ( subjectName-oid NAME 'subjectName' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )
+
+dn: cn=schema
+changetype: modify
+add: attributeTypes
+attributeTypes: ( sessionContext-oid NAME 'sessionContext' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.5 X-ORIGIN 'user defined' )
+
+dn: cn=schema
+changetype: modify
+add: attributeTypes
+attributeTypes: ( thisUpdate-oid NAME 'thisUpdate' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )
+
+dn: cn=schema
+changetype: modify
+add: attributeTypes
+attributeTypes: ( transId-oid NAME 'transId' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )
+
+dn: cn=schema
+changetype: modify
+add: attributeTypes
+attributeTypes: ( transStatus-oid NAME 'transStatus' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )
+
+dn: cn=schema
+changetype: modify
+add: attributeTypes
+attributeTypes: ( transName-oid NAME 'transName' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )
+
+dn: cn=schema
+changetype: modify
+add: attributeTypes
+attributeTypes: ( transOps-oid NAME 'transOps' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )
+
+dn: cn=schema
+changetype: modify
+add: attributeTypes
+attributeTypes: ( userDN-oid NAME 'userDN' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )
+
+dn: cn=schema
+changetype: modify
+add: attributeTypes
+attributeTypes: ( userMessages-oid NAME 'userMessages' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )
+
+dn: cn=schema
+changetype: modify
+add: attributeTypes
+attributeTypes: ( version-oid NAME 'version' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )
+
+dn: cn=schema
+changetype: modify
+add: objectClasses
+objectClasses: ( CertACLS-oid NAME 'CertACLS' DESC 'CMS defined class' SUP top STRUCTURAL MUST cn MAY resourceACLS X-ORIGIN 'user defined' )
+
+dn: cn=schema
+changetype: modify
+add: objectClasses
+objectClasses: ( repository-oid NAME 'repository' DESC 'CMS defined class' SUP top STRUCTURAL MUST ou MAY ( serialno $ description ) X-ORIGIN 'user defined' )
+
+dn: cn=schema
+changetype: modify
+add: objectClasses
+objectClasses: ( request-oid NAME 'request' DESC 'CMS defined class' SUP top STRUCTURAL MUST cn MAY ( requestId $ dateOfCreate $ dateOfModify $ requestState $ requestResult $ requestOwner $ requestAgentGroup $ requestSourceId $ requestType $ requestFlag $ requestError $ userMessages $ adminMessages ) X-ORIGIN 'user defined' )
+
+dn: cn=schema
+changetype: modify
+add: objectClasses
+objectClasses: ( transaction-oid NAME 'transaction' DESC 'CMS defined class' SUP top STRUCTURAL MUST cn MAY ( transId $ description $ transName $ transStatus $ transOps ) X-ORIGIN 'user defined' )
+
+dn: cn=schema
+changetype: modify
+add: objectClasses
+objectClasses: ( pkiCA-oid NAME 'pkiCA' DESC 'CMS defined class' SUP top STRUCTURAL MUST ou MAY certificateRevocationList X-ORIGIN 'user defined' )
+
+dn: cn=schema
+changetype: modify
+add: objectClasses
+objectClasses: ( crlIssuingPointRecord-oid NAME 'crlIssuingPointRecord' DESC 'CMS defined class' SUP top STRUCTURAL MUST cn MAY ( dateOfCreate $ dateOfModify $ crlNumber $ crlSize $ thisUpdate $ nextUpdate $ deltaNumber $ deltaSize $ firstUnsaved $ certificateRevocationList $ deltaCRL $ crlCache $ revokedCerts $ unrevokedCerts $ expiredCerts $ cACertificate ) X-ORIGIN 'user defined' )
+
+dn: cn=schema
+changetype: modify
+add: objectClasses
+objectClasses: ( certificateRecord-oid NAME 'certificateRecord' DESC 'CMS defined class' SUP top STRUCTURAL MUST cn MAY ( serialno $ dateOfCreate $ dateOfModify $ certStatus $ autoRenew $ issueInfo $ metaInfo $ revInfo $ version $ duration $ notAfter $ notBefore $ algorithmId $ subject $ subjectName $ signingAlgorithmId $ userCertificate $ issuedBy $ revokedBy $ revokedOn $ extension $ publicKeyData $ issuerName ) X-ORIGIN 'user defined' )
+
+dn: cn=schema
+changetype: modify
+add: objectClasses
+objectClasses: ( userDetails-oid NAME 'userDetails' DESC 'CMS defined class' SUP top STRUCTURAL MUST userDN MAY ( dateOfCreate $ dateOfModify $ password $ p12Expiration ) X-ORIGIN 'user defined' )
+
+dn: cn=schema
+changetype: modify
+add: objectClasses
+objectClasses: ( keyRecord-oid NAME 'keyRecord' DESC 'CMS defined class' SUP top STRUCTURAL MUST cn MAY ( serialno $ dateOfCreate $ dateOfModify $ keyState $ privateKeyData $ ownerName $ keySize $ metaInfo $ dateOfArchival $ dateOfRecovery $ algorithm $ publicKeyFormat $ publicKeyData $ archivedBy ) X-ORIGIN 'user defined' )
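Review bot: Five attributeTypes entries are missing the space between the DESC string and the SYNTAX keyword — `'CMS defined attribute'SYNTAX` on the algorithm, autoRenew, deltaSize, crlNumber and notBefore definitions; RFC 4512 requires whitespace there, and while 389-DS may tolerate it, a stricter schema parser would reject the whole modify. Each should read `DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15`. The `userstate` attribute also carries the `usertype` description copied verbatim ("Distinguish whether the user is administrator, agent or subsystem."), so its DESC does not describe what it holds and should be replaced with one that does. Finally, `privateKeyData` and `password` are defined with only the generic 'CMS defined attribute' description; the schema cannot express that these values must be stored in wrapped or hashed form, so a DESC stating the expected (presumably wrapped) representation would document that expectation for anyone inspecting or backing up the directory.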
diff --git a/pki/base/kra/shared/conf/server-minimal.xml b/pki/base/kra/shared/conf/server-minimal.xml
new file mode 100644
index 000000000..7b542b6cf
--- /dev/null
+++ b/pki/base/kra/shared/conf/server-minimal.xml
@@ -0,0 +1,25 @@
+<Server port="8005" shutdown="SHUTDOWN">
+
+ <GlobalNamingResources>
+ <!-- Used by Manager webapp -->
+ <Resource name="UserDatabase" auth="Container"
+ type="org.apache.catalina.UserDatabase"
+ description="User database that can be updated and saved"
+ factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
+ pathname="conf/tomcat-users.xml" />
+ </GlobalNamingResources>
+
+ <Service name="Catalina">
+ <Connector port="8080" />
+
+ <!-- This is here for compatibility only, not required -->
+ <Connector port="8009" protocol="AJP/1.3" />
+
+ <Engine name="Catalina" defaultHost="localhost">
+ <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
+ resourceName="UserDatabase" />
+ <Host name="localhost" appBase="webapps" />
+ </Engine>
+
+ </Service>
+</Server>
diff --git a/pki/base/kra/shared/conf/server.xml b/pki/base/kra/shared/conf/server.xml
new file mode 100644
index 000000000..68730db04
--- /dev/null
+++ b/pki/base/kra/shared/conf/server.xml
@@ -0,0 +1,396 @@
+<!-- Example Server Configuration File -->
+<!-- Note that component elements are nested corresponding to their
+ parent-child relationships with each other -->
+
+<!-- A "Server" is a singleton element that represents the entire JVM,
+ which may contain one or more "Service" instances. The Server
+ listens for a shutdown command on the indicated port.
+
+ Note: A "Server" is not itself a "Container", so you may not
+ define subcomponents such as "Valves" or "Loggers" at this level.
+ -->
+
+<Server port="[TOMCAT_SERVER_PORT]" shutdown="SHUTDOWN">
+
+ <!-- Comment these entries out to disable JMX MBeans support used for the
+ administration web application -->
+ <Listener className="org.apache.catalina.mbeans.ServerLifecycleListener" />
+ <Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener" />
+ <Listener className="org.apache.catalina.storeconfig.StoreConfigLifecycleListener"/>
+
+ <!-- Global JNDI resources -->
+ <GlobalNamingResources>
+
+ <!-- Test entry for demonstration purposes -->
+ <Environment name="simpleValue" type="java.lang.Integer" value="30"/>
+
+ <!-- Editable user database that can also be used by
+ UserDatabaseRealm to authenticate users -->
+ <Resource name="UserDatabase" auth="Container"
+ type="org.apache.catalina.UserDatabase"
+ description="User database that can be updated and saved"
+ factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
+ pathname="conf/tomcat-users.xml" />
+
+ </GlobalNamingResources>
+
+ <!-- A "Service" is a collection of one or more "Connectors" that share
+ a single "Container" (and therefore the web applications visible
+ within that Container). Normally, that Container is an "Engine",
+ but this is not required.
+
+ Note: A "Service" is not itself a "Container", so you may not
+ define subcomponents such as "Valves" or "Loggers" at this level.
+ -->
+
+ <!-- Define the Tomcat Stand-Alone Service -->
+ <Service name="Catalina">
+
+ <!-- A "Connector" represents an endpoint by which requests are received
+ and responses are returned. Each Connector passes requests on to the
+ associated "Container" (normally an Engine) for processing.
+
+ By default, a non-SSL HTTP/1.1 Connector is established on port 8080.
+ You can also enable an SSL HTTP/1.1 Connector on port 8443 by
+ following the instructions below and uncommenting the second Connector
+ entry. SSL support requires the following steps (see the SSL Config
+ HOWTO in the Tomcat 5 documentation bundle for more detailed
+ instructions):
+ * If your JDK version 1.3 or prior, download and install JSSE 1.0.2 or
+ later, and put the JAR files into "$JAVA_HOME/jre/lib/ext".
+ * Execute:
+ %JAVA_HOME%\bin\keytool -genkey -alias tomcat -keyalg RSA (Windows)
+ $JAVA_HOME/bin/keytool -genkey -alias tomcat -keyalg RSA (Unix)
+ with a password value of "changeit" for both the certificate and
+ the keystore itself.
+
+ By default, DNS lookups are enabled when a web application calls
+ request.getRemoteHost(). This can have an adverse impact on
+ performance, so you can disable it by setting the
+ "enableLookups" attribute to "false". When DNS lookups are disabled,
+ request.getRemoteHost() will return the String version of the
+ IP address of the remote client.
+ -->
+
+ <!-- Define a non-SSL HTTP/1.1 Connector on port 8080 -->
+
+
+
+
+ <Connector port="[PKI_UNSECURE_PORT]" maxHttpHeaderSize="8192"
+ maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
+ enableLookups="false" redirectPort="8443" acceptCount="100"
+ connectionTimeout="20000" disableUploadTimeout="true" />
+
+<!-- Define a SSL HTTP/1.1 Connector on port 8443 -->
+
+<!-- DO NOT REMOVE - Begin define PKI secure port -->
+<Connector port="[PKI_SECURE_PORT]" maxHttpHeaderSize="8192"
+ maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
+ enableLookups="false" disableUploadTimeout="true"
+ acceptCount="100" scheme="https" secure="true"
+ clientAuth="false" sslProtocol="SSL"
+ sslOptions="ssl2=true,ssl3=true,tls=true"
+ ssl2Ciphers="-SSL2_RC4_128_WITH_MD5,-SSL2_RC4_128_EXPORT40_WITH_MD5,-SSL2_RC2_128_CBC_WITH_MD5,-SSL2_RC2_128_CBC_EXPORT40_WITH_MD5,-SSL2_DES_64_CBC_WITH_MD5,-SSL2_DES_192_EDE3_CBC_WITH_MD5"
+ ssl3Ciphers="-SSL3_FORTEZZA_DMS_WITH_NULL_SHA,-SSL3_FORTEZZA_DMS_WITH_RC4_128_SHA,+SSL3_RSA_WITH_RC4_128_SHA,-SSL3_RSA_EXPORT_WITH_RC4_40_MD5,+SSL3_RSA_WITH_3DES_EDE_CBC_SHA,+SSL3_RSA_WITH_DES_CBC_SHA,-SSL3_RSA_EXPORT_WITH_RC2_CBC_40_MD5,-SSL3_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA,-SSL_RSA_FIPS_WITH_DES_CBC_SHA,+SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA,-SSL3_RSA_WITH_NULL_MD5,-TLS_RSA_EXPORT1024_WITH_RC4_56_SHA,+TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA"
+ tls3Ciphers="-SSL3_FORTEZZA_DMS_WITH_NULL_SHA,-SSL3_FORTEZZA_DMS_WITH_RC4_128_SHA,+SSL3_RSA_WITH_RC4_128_SHA,-SSL3_RSA_EXPORT_WITH_RC4_40_MD5,+SSL3_RSA_WITH_3DES_EDE_CBC_SHA,+SSL3_RSA_WITH_DES_CBC_SHA,-SSL3_RSA_EXPORT_WITH_RC2_CBC_40_MD5,-SSL3_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA,-SSL_RSA_FIPS_WITH_DES_CBC_SHA,+SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA,-SSL3_RSA_WITH_NULL_MD5,-TLS_RSA_EXPORT1024_WITH_RC4_56_SHA,+TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA"
+ SSLImplementation="org.apache.tomcat.util.net.jss.JSSImplementation"
+ serverCertNickFile="[PKI_INSTANCE_PATH]/conf/serverCertNick.conf"
+ passwordFile="[PKI_INSTANCE_PATH]/conf/password.conf"
+ passwordClass="org.apache.tomcat.util.net.jss.PlainPasswordFile"
+ certdbDir="[PKI_INSTANCE_PATH]/alias"/>
+<!-- DO NOT REMOVE - End define PKI secure port -->
+
+
+
+ <!-- Note : To disable connection timeouts, set connectionTimeout value
+ to 0 -->
+
+ <!-- Note : To use gzip compression you could set the following properties :
+
+ compression="on"
+ compressionMinSize="2048"
+ noCompressionUserAgents="gozilla, traviata"
+ compressableMimeType="text/html,text/xml"
+ -->
+
+
+ <!-- Define an AJP 1.3 Connector on port 8009 -->
+<!--
+ <Connector port="8009"
+ enableLookups="false" redirectPort="8443" protocol="AJP/1.3" />
+-->
+
+ <!-- Define a Proxied HTTP/1.1 Connector on port 8082 -->
+ <!-- See proxy documentation for more information about using this. -->
+ <!--
+ <Connector port="8082"
+ maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
+ enableLookups="false" acceptCount="100" connectionTimeout="20000"
+ proxyPort="80" disableUploadTimeout="true" />
+ -->
+
+ <!-- An Engine represents the entry point (within Catalina) that processes
+ every request. The Engine implementation for Tomcat stand alone
+ analyzes the HTTP headers included with the request, and passes them
+ on to the appropriate Host (virtual host). -->
+
+ <!-- You should set jvmRoute to support load-balancing via AJP ie :
+ <Engine name="Standalone" defaultHost="localhost" jvmRoute="jvm1">
+ -->
+
+ <!-- Define the top level container in our container hierarchy -->
+ <Engine name="Catalina" defaultHost="localhost">
+
+ <!-- The request dumper valve dumps useful debugging information about
+ the request headers and cookies that were received, and the response
+ headers and cookies that were sent, for all requests received by
+ this instance of Tomcat. If you care only about requests to a
+ particular virtual host, or a particular application, nest this
+ element inside the corresponding <Host> or <Context> entry instead.
+
+ For a similar mechanism that is portable to all Servlet 2.4
+ containers, check out the "RequestDumperFilter" Filter in the
+ example application (the source for this filter may be found in
+ "$CATALINA_HOME/webapps/examples/WEB-INF/classes/filters").
+
+ Request dumping is disabled by default. Uncomment the following
+ element to enable it. -->
+ <!--
+ <Valve className="org.apache.catalina.valves.RequestDumperValve"/>
+ -->
+
+ <!-- Because this Realm is here, an instance will be shared globally -->
+
+ <!-- This Realm uses the UserDatabase configured in the global JNDI
+ resources under the key "UserDatabase". Any edits
+ that are performed against this UserDatabase are immediately
+ available for use by the Realm. -->
+ <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
+ resourceName="UserDatabase"/>
+
+ <!-- Comment out the old realm but leave here for now in case we
+ need to go back quickly -->
+ <!--
+ <Realm className="org.apache.catalina.realm.MemoryRealm" />
+ -->
+
+ <!-- Replace the above Realm with one of the following to get a Realm
+ stored in a database and accessed via JDBC -->
+
+ <!--
+ <Realm className="org.apache.catalina.realm.JDBCRealm"
+ driverName="org.gjt.mm.mysql.Driver"
+ connectionURL="jdbc:mysql://localhost/authority"
+ connectionName="test" connectionPassword="test"
+ userTable="users" userNameCol="user_name" userCredCol="user_pass"
+ userRoleTable="user_roles" roleNameCol="role_name" />
+ -->
+
+ <!--
+ <Realm className="org.apache.catalina.realm.JDBCRealm"
+ driverName="oracle.jdbc.driver.OracleDriver"
+ connectionURL="jdbc:oracle:thin:@ntserver:1521:ORCL"
+ connectionName="scott" connectionPassword="tiger"
+ userTable="users" userNameCol="user_name" userCredCol="user_pass"
+ userRoleTable="user_roles" roleNameCol="role_name" />
+ -->
+
+ <!--
+ <Realm className="org.apache.catalina.realm.JDBCRealm"
+ driverName="sun.jdbc.odbc.JdbcOdbcDriver"
+ connectionURL="jdbc:odbc:CATALINA"
+ userTable="users" userNameCol="user_name" userCredCol="user_pass"
+ userRoleTable="user_roles" roleNameCol="role_name" />
+ -->
+
+ <!-- Define the default virtual host
+ Note: XML Schema validation will not work with Xerces 2.2.
+ -->
+ <Host name="localhost" appBase="webapps"
+ unpackWARs="true" autoDeploy="true"
+ xmlValidation="false" xmlNamespaceAware="false">
+
+ <!-- Defines a cluster for this node,
+ By defining this element, means that every manager will be changed.
+ So when running a cluster, only make sure that you have webapps in there
+ that need to be clustered and remove the other ones.
+ A cluster has the following parameters:
+
+ className = the fully qualified name of the cluster class
+
+ name = a descriptive name for your cluster, can be anything
+
+ mcastAddr = the multicast address, has to be the same for all the nodes
+
+ mcastPort = the multicast port, has to be the same for all the nodes
+
+ mcastBindAddr = bind the multicast socket to a specific address
+
+ mcastTTL = the multicast TTL if you want to limit your broadcast
+
+ mcastSoTimeout = the multicast readtimeout
+
+ mcastFrequency = the number of milliseconds in between sending a "I'm alive" heartbeat
+
+ mcastDropTime = the number a milliseconds before a node is considered "dead" if no heartbeat is received
+
+ tcpThreadCount = the number of threads to handle incoming replication requests, optimal would be the same amount of threads as nodes
+
+ tcpListenAddress = the listen address (bind address) for TCP cluster request on this host,
+ in case of multiple ethernet cards.
+ auto means that address becomes
+ InetAddress.getLocalHost().getHostAddress()
+
+ tcpListenPort = the tcp listen port
+
+ tcpSelectorTimeout = the timeout (ms) for the Selector.select() method in case the OS
+ has a wakup bug in java.nio. Set to 0 for no timeout
+
+ printToScreen = true means that managers will also print to std.out
+
+ expireSessionsOnShutdown = true means that
+
+ useDirtyFlag = true means that we only replicate a session after setAttribute,removeAttribute has been called.
+ false means to replicate the session after each request.
+ false means that replication would work for the following piece of code: (only for SimpleTcpReplicationManager)
+ <%
+ HashMap map = (HashMap)session.getAttribute("map");
+ map.put("key","value");
+ %>
+ replicationMode = can be either 'pooled', 'synchronous' or 'asynchronous'.
+ * Pooled means that the replication happens using several sockets in a synchronous way. Ie, the data gets replicated, then the request return. This is the same as the 'synchronous' setting except it uses a pool of sockets, hence it is multithreaded. This is the fastest and safest configuration. To use this, also increase the nr of tcp threads that you have dealing with replication.
+ * Synchronous means that the thread that executes the request, is also the
+ thread the replicates the data to the other nodes, and will not return until all
+ nodes have received the information.
+ * Asynchronous means that there is a specific 'sender' thread for each cluster node,
+ so the request thread will queue the replication request into a "smart" queue,
+ and then return to the client.
+ The "smart" queue is a queue where when a session is added to the queue, and the same session
+ already exists in the queue from a previous request, that session will be replaced
+ in the queue instead of replicating two requests. This almost never happens, unless there is a
+ large network delay.
+ -->
+ <!--
+ When configuring for clustering, you also add in a valve to catch all the requests
+ coming in, at the end of the request, the session may or may not be replicated.
+ A session is replicated if and only if all the conditions are met:
+ 1. useDirtyFlag is true or setAttribute or removeAttribute has been called AND
+ 2. a session exists (has been created)
+ 3. the request is not trapped by the "filter" attribute
+
+ The filter attribute is to filter out requests that could not modify the session,
+ hence we don't replicate the session after the end of this request.
+ The filter is negative, ie, anything you put in the filter, you mean to filter out,
+ ie, no replication will be done on requests that match one of the filters.
+ The filter attribute is delimited by ;, so you can't escape out ; even if you wanted to.
+
+ filter=".*\.gif;.*\.js;" means that we will not replicate the session after requests with the URI
+ ending with .gif and .js are intercepted.
+
+ The deployer element can be used to deploy apps cluster wide.
+ Currently the deployment only deploys/undeploys to working members in the cluster
+ so no WARs are copied upons startup of a broken node.
+ The deployer watches a directory (watchDir) for WAR files when watchEnabled="true"
+ When a new war file is added the war gets deployed to the local instance,
+ and then deployed to the other instances in the cluster.
+ When a war file is deleted from the watchDir the war is undeployed locally
+ and cluster wide
+ -->
+
+ <!--
+ <Cluster className="org.apache.catalina.cluster.tcp.SimpleTcpCluster"
+ managerClassName="org.apache.catalina.cluster.session.DeltaManager"
+ expireSessionsOnShutdown="false"
+ useDirtyFlag="true"
+ notifyListenersOnReplication="true">
+
+ <Membership
+ className="org.apache.catalina.cluster.mcast.McastService"
+ mcastAddr="228.0.0.4"
+ mcastPort="45564"
+ mcastFrequency="500"
+ mcastDropTime="3000"/>
+
+ <Receiver
+ className="org.apache.catalina.cluster.tcp.ReplicationListener"
+ tcpListenAddress="auto"
+ tcpListenPort="4001"
+ tcpSelectorTimeout="100"
+ tcpThreadCount="6"/>
+
+ <Sender
+ className="org.apache.catalina.cluster.tcp.ReplicationTransmitter"
+ replicationMode="pooled"
+ ackTimeout="15000"/>
+
+ <Valve className="org.apache.catalina.cluster.tcp.ReplicationValve"
+ filter=".*\.gif;.*\.js;.*\.jpg;.*\.png;.*\.htm;.*\.html;.*\.css;.*\.txt;"/>
+
+ <Deployer className="org.apache.catalina.cluster.deploy.FarmWarDeployer"
+ tempDir="/tmp/war-temp/"
+ deployDir="/tmp/war-deploy/"
+ watchDir="/tmp/war-listen/"
+ watchEnabled="false"/>
+ </Cluster>
+ -->
+
+
+
+ <!-- Normally, users must authenticate themselves to each web app
+ individually. Uncomment the following entry if you would like
+ a user to be authenticated the first time they encounter a
+ resource protected by a security constraint, and then have that
+ user identity maintained across *all* web applications contained
+ in this virtual host. -->
+ <!--
+ <Valve className="org.apache.catalina.authenticator.SingleSignOn" />
+ -->
+
+ <!-- Access log processes all requests for this virtual host. By
+ default, log files are created in the "logs" directory relative to
+ $CATALINA_HOME. If you wish, you can specify a different
+ directory with the "directory" attribute. Specify either a relative
+ (to $CATALINA_HOME) or absolute path to the desired directory.
+ -->
+ <Valve className="org.apache.catalina.valves.AccessLogValve"
+ directory="logs" prefix="localhost_access_log." suffix=".txt"
+ pattern="common" resolveHosts="false"/>
+
+ <!-- Access log processes all requests for this virtual host. By
+ default, log files are created in the "logs" directory relative to
+ $CATALINA_HOME. If you wish, you can specify a different
+ directory with the "directory" attribute. Specify either a relative
+ (to $CATALINA_HOME) or absolute path to the desired directory.
+ This access log implementation is optimized for maximum performance,
+ but is hardcoded to support only the "common" and "combined" patterns.
+ -->
+ <!--
+ <Valve className="org.apache.catalina.valves.FastCommonAccessLogValve"
+ directory="logs" prefix="localhost_access_log." suffix=".txt"
+ pattern="common" resolveHosts="false"/>
+ -->
+ <!-- Access log processes all requests for this virtual host. By
+ default, log files are created in the "logs" directory relative to
+ $CATALINA_HOME. If you wish, you can specify a different
+ directory with the "directory" attribute. Specify either a relative
+ (to $CATALINA_HOME) or absolute path to the desired directory.
+ This access log implementation is optimized for maximum performance,
+ but is hardcoded to support only the "common" and "combined" patterns.
+
+ This valve use NIO direct Byte Buffer to asynchornously store the
+ log.
+ -->
+ <!--
+ <Valve className="org.apache.catalina.valves.ByteBufferAccessLogValve"
+ directory="logs" prefix="localhost_access_log." suffix=".txt"
+ pattern="common" resolveHosts="false"/>
+ -->
+
+ </Host>
+
+ </Engine>
+
+ </Service>
+
+</Server>
diff --git a/pki/base/kra/shared/conf/server.xml.good b/pki/base/kra/shared/conf/server.xml.good
new file mode 100644
index 000000000..502c05d1d
--- /dev/null
+++ b/pki/base/kra/shared/conf/server.xml.good
@@ -0,0 +1,390 @@
+<!-- Example Server Configuration File -->
+<!-- Note that component elements are nested corresponding to their
+ parent-child relationships with each other -->
+
+<!-- A "Server" is a singleton element that represents the entire JVM,
+ which may contain one or more "Service" instances. The Server
+ listens for a shutdown command on the indicated port.
+
+ Note: A "Server" is not itself a "Container", so you may not
+ define subcomponents such as "Valves" or "Loggers" at this level.
+ -->
+
+<Server port="8005" shutdown="SHUTDOWN">
+
+ <!-- Comment these entries out to disable JMX MBeans support used for the
+ administration web application -->
+ <Listener className="org.apache.catalina.mbeans.ServerLifecycleListener" />
+ <Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener" />
+ <Listener className="org.apache.catalina.storeconfig.StoreConfigLifecycleListener"/>
+
+ <!-- Global JNDI resources -->
+ <GlobalNamingResources>
+
+ <!-- Test entry for demonstration purposes -->
+ <Environment name="simpleValue" type="java.lang.Integer" value="30"/>
+
+ <!-- Editable user database that can also be used by
+ UserDatabaseRealm to authenticate users -->
+ <Resource name="UserDatabase" auth="Container"
+ type="org.apache.catalina.UserDatabase"
+ description="User database that can be updated and saved"
+ factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
+ pathname="conf/tomcat-users.xml" />
+
+ </GlobalNamingResources>
+
+ <!-- A "Service" is a collection of one or more "Connectors" that share
+ a single "Container" (and therefore the web applications visible
+ within that Container). Normally, that Container is an "Engine",
+ but this is not required.
+
+ Note: A "Service" is not itself a "Container", so you may not
+ define subcomponents such as "Valves" or "Loggers" at this level.
+ -->
+
+ <!-- Define the Tomcat Stand-Alone Service -->
+ <Service name="Catalina">
+
+ <!-- A "Connector" represents an endpoint by which requests are received
+ and responses are returned. Each Connector passes requests on to the
+ associated "Container" (normally an Engine) for processing.
+
+ By default, a non-SSL HTTP/1.1 Connector is established on port 8080.
+ You can also enable an SSL HTTP/1.1 Connector on port 8443 by
+ following the instructions below and uncommenting the second Connector
+ entry. SSL support requires the following steps (see the SSL Config
+ HOWTO in the Tomcat 5 documentation bundle for more detailed
+ instructions):
+ * If your JDK version 1.3 or prior, download and install JSSE 1.0.2 or
+ later, and put the JAR files into "$JAVA_HOME/jre/lib/ext".
+ * Execute:
+ %JAVA_HOME%\bin\keytool -genkey -alias tomcat -keyalg RSA (Windows)
+ $JAVA_HOME/bin/keytool -genkey -alias tomcat -keyalg RSA (Unix)
+ with a password value of "changeit" for both the certificate and
+ the keystore itself.
+
+ By default, DNS lookups are enabled when a web application calls
+ request.getRemoteHost(). This can have an adverse impact on
+ performance, so you can disable it by setting the
+ "enableLookups" attribute to "false". When DNS lookups are disabled,
+ request.getRemoteHost() will return the String version of the
+ IP address of the remote client.
+ -->
+
+ <!-- Define a non-SSL HTTP/1.1 Connector on port 8080 -->
+
+
+
+
+ <Connector port="<PKI_UNSECURE_PORT>" maxHttpHeaderSize="8192"
+ maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
+ enableLookups="false" redirectPort="8443" acceptCount="100"
+ connectionTimeout="20000" disableUploadTimeout="true" />
+
+<!-- Define a SSL HTTP/1.1 Connector on port 8443 -->
+
+<!--
+<Connector port="<PKI_SECURE_PORT>" maxHttpHeaderSize="8192"
+ maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
+ enableLookups="false" disableUploadTimeout="true"
+ acceptCount="100" scheme="https" secure="true"
+ clientAuth="false" sslProtocol="SSL"
+ SSLImplementation="org.apache.tomcat.util.net.jss.JSSImplementation"
+ serverCert="Server-Cert cert-<PKI_INSTANCE_ID>"
+ certdbDir="<PKI_INSTANCE_PATH>/alias" certdbPassword="<PKI_CERT_DB_PASSWORD>"/>
+-->
+
+
+
+ <!-- Note : To disable connection timeouts, set connectionTimeout value
+ to 0 -->
+
+ <!-- Note : To use gzip compression you could set the following properties :
+
+ compression="on"
+ compressionMinSize="2048"
+ noCompressionUserAgents="gozilla, traviata"
+ compressableMimeType="text/html,text/xml"
+ -->
+
+
+ <!-- Define an AJP 1.3 Connector on port 8009 -->
+ <Connector port="8009"
+ enableLookups="false" redirectPort="8443" protocol="AJP/1.3" />
+
+ <!-- Define a Proxied HTTP/1.1 Connector on port 8082 -->
+ <!-- See proxy documentation for more information about using this. -->
+ <!--
+ <Connector port="8082"
+ maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
+ enableLookups="false" acceptCount="100" connectionTimeout="20000"
+ proxyPort="80" disableUploadTimeout="true" />
+ -->
+
+ <!-- An Engine represents the entry point (within Catalina) that processes
+ every request. The Engine implementation for Tomcat stand alone
+ analyzes the HTTP headers included with the request, and passes them
+ on to the appropriate Host (virtual host). -->
+
+ <!-- You should set jvmRoute to support load-balancing via AJP ie :
+ <Engine name="Standalone" defaultHost="localhost" jvmRoute="jvm1">
+ -->
+
+ <!-- Define the top level container in our container hierarchy -->
+ <Engine name="Catalina" defaultHost="localhost">
+
+ <!-- The request dumper valve dumps useful debugging information about
+ the request headers and cookies that were received, and the response
+ headers and cookies that were sent, for all requests received by
+ this instance of Tomcat. If you care only about requests to a
+ particular virtual host, or a particular application, nest this
+ element inside the corresponding <Host> or <Context> entry instead.
+
+ For a similar mechanism that is portable to all Servlet 2.4
+ containers, check out the "RequestDumperFilter" Filter in the
+ example application (the source for this filter may be found in
+ "$CATALINA_HOME/webapps/examples/WEB-INF/classes/filters").
+
+ Request dumping is disabled by default. Uncomment the following
+ element to enable it. -->
+ <!--
+ <Valve className="org.apache.catalina.valves.RequestDumperValve"/>
+ -->
+
+ <!-- Because this Realm is here, an instance will be shared globally -->
+
+ <!-- This Realm uses the UserDatabase configured in the global JNDI
+ resources under the key "UserDatabase". Any edits
+ that are performed against this UserDatabase are immediately
+ available for use by the Realm. -->
+ <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
+ resourceName="UserDatabase"/>
+
+ <!-- Comment out the old realm but leave here for now in case we
+ need to go back quickly -->
+ <!--
+ <Realm className="org.apache.catalina.realm.MemoryRealm" />
+ -->
+
+ <!-- Replace the above Realm with one of the following to get a Realm
+ stored in a database and accessed via JDBC -->
+
+ <!--
+ <Realm className="org.apache.catalina.realm.JDBCRealm"
+ driverName="org.gjt.mm.mysql.Driver"
+ connectionURL="jdbc:mysql://localhost/authority"
+ connectionName="test" connectionPassword="test"
+ userTable="users" userNameCol="user_name" userCredCol="user_pass"
+ userRoleTable="user_roles" roleNameCol="role_name" />
+ -->
+
+ <!--
+ <Realm className="org.apache.catalina.realm.JDBCRealm"
+ driverName="oracle.jdbc.driver.OracleDriver"
+ connectionURL="jdbc:oracle:thin:@ntserver:1521:ORCL"
+ connectionName="scott" connectionPassword="tiger"
+ userTable="users" userNameCol="user_name" userCredCol="user_pass"
+ userRoleTable="user_roles" roleNameCol="role_name" />
+ -->
+
+ <!--
+ <Realm className="org.apache.catalina.realm.JDBCRealm"
+ driverName="sun.jdbc.odbc.JdbcOdbcDriver"
+ connectionURL="jdbc:odbc:CATALINA"
+ userTable="users" userNameCol="user_name" userCredCol="user_pass"
+ userRoleTable="user_roles" roleNameCol="role_name" />
+ -->
+
+ <!-- Define the default virtual host
+ Note: XML Schema validation will not work with Xerces 2.2.
+ -->
+ <Host name="localhost" appBase="webapps"
+ unpackWARs="true" autoDeploy="true"
+ xmlValidation="false" xmlNamespaceAware="false">
+
+ <!-- Defines a cluster for this node,
+ By defining this element, means that every manager will be changed.
+ So when running a cluster, only make sure that you have webapps in there
+ that need to be clustered and remove the other ones.
+ A cluster has the following parameters:
+
+ className = the fully qualified name of the cluster class
+
+ name = a descriptive name for your cluster, can be anything
+
+ mcastAddr = the multicast address, has to be the same for all the nodes
+
+ mcastPort = the multicast port, has to be the same for all the nodes
+
+ mcastBindAddr = bind the multicast socket to a specific address
+
+ mcastTTL = the multicast TTL if you want to limit your broadcast
+
+ mcastSoTimeout = the multicast readtimeout
+
+ mcastFrequency = the number of milliseconds in between sending a "I'm alive" heartbeat
+
+ mcastDropTime = the number a milliseconds before a node is considered "dead" if no heartbeat is received
+
+ tcpThreadCount = the number of threads to handle incoming replication requests, optimal would be the same amount of threads as nodes
+
+ tcpListenAddress = the listen address (bind address) for TCP cluster request on this host,
+ in case of multiple ethernet cards.
+ auto means that address becomes
+ InetAddress.getLocalHost().getHostAddress()
+
+ tcpListenPort = the tcp listen port
+
+ tcpSelectorTimeout = the timeout (ms) for the Selector.select() method in case the OS
+ has a wakup bug in java.nio. Set to 0 for no timeout
+
+ printToScreen = true means that managers will also print to std.out
+
+ expireSessionsOnShutdown = true means that
+
+ useDirtyFlag = true means that we only replicate a session after setAttribute,removeAttribute has been called.
+ false means to replicate the session after each request.
+ false means that replication would work for the following piece of code: (only for SimpleTcpReplicationManager)
+ <%
+ HashMap map = (HashMap)session.getAttribute("map");
+ map.put("key","value");
+ %>
+ replicationMode = can be either 'pooled', 'synchronous' or 'asynchronous'.
+ * Pooled means that the replication happens using several sockets in a synchronous way. Ie, the data gets replicated, then the request return. This is the same as the 'synchronous' setting except it uses a pool of sockets, hence it is multithreaded. This is the fastest and safest configuration. To use this, also increase the nr of tcp threads that you have dealing with replication.
+ * Synchronous means that the thread that executes the request, is also the
+ thread the replicates the data to the other nodes, and will not return until all
+ nodes have received the information.
+ * Asynchronous means that there is a specific 'sender' thread for each cluster node,
+ so the request thread will queue the replication request into a "smart" queue,
+ and then return to the client.
+ The "smart" queue is a queue where when a session is added to the queue, and the same session
+ already exists in the queue from a previous request, that session will be replaced
+ in the queue instead of replicating two requests. This almost never happens, unless there is a
+ large network delay.
+ -->
+ <!--
+ When configuring for clustering, you also add in a valve to catch all the requests
+ coming in, at the end of the request, the session may or may not be replicated.
+ A session is replicated if and only if all the conditions are met:
+ 1. useDirtyFlag is true or setAttribute or removeAttribute has been called AND
+ 2. a session exists (has been created)
+ 3. the request is not trapped by the "filter" attribute
+
+ The filter attribute is to filter out requests that could not modify the session,
+ hence we don't replicate the session after the end of this request.
+ The filter is negative, ie, anything you put in the filter, you mean to filter out,
+ ie, no replication will be done on requests that match one of the filters.
+ The filter attribute is delimited by ;, so you can't escape out ; even if you wanted to.
+
+ filter=".*\.gif;.*\.js;" means that we will not replicate the session after requests with the URI
+ ending with .gif and .js are intercepted.
+
+ The deployer element can be used to deploy apps cluster wide.
+ Currently the deployment only deploys/undeploys to working members in the cluster
+ so no WARs are copied upons startup of a broken node.
+ The deployer watches a directory (watchDir) for WAR files when watchEnabled="true"
+ When a new war file is added the war gets deployed to the local instance,
+ and then deployed to the other instances in the cluster.
+ When a war file is deleted from the watchDir the war is undeployed locally
+ and cluster wide
+ -->
+
+ <!--
+ <Cluster className="org.apache.catalina.cluster.tcp.SimpleTcpCluster"
+ managerClassName="org.apache.catalina.cluster.session.DeltaManager"
+ expireSessionsOnShutdown="false"
+ useDirtyFlag="true"
+ notifyListenersOnReplication="true">
+
+ <Membership
+ className="org.apache.catalina.cluster.mcast.McastService"
+ mcastAddr="228.0.0.4"
+ mcastPort="45564"
+ mcastFrequency="500"
+ mcastDropTime="3000"/>
+
+ <Receiver
+ className="org.apache.catalina.cluster.tcp.ReplicationListener"
+ tcpListenAddress="auto"
+ tcpListenPort="4001"
+ tcpSelectorTimeout="100"
+ tcpThreadCount="6"/>
+
+ <Sender
+ className="org.apache.catalina.cluster.tcp.ReplicationTransmitter"
+ replicationMode="pooled"
+ ackTimeout="15000"/>
+
+ <Valve className="org.apache.catalina.cluster.tcp.ReplicationValve"
+ filter=".*\.gif;.*\.js;.*\.jpg;.*\.png;.*\.htm;.*\.html;.*\.css;.*\.txt;"/>
+
+ <Deployer className="org.apache.catalina.cluster.deploy.FarmWarDeployer"
+ tempDir="/tmp/war-temp/"
+ deployDir="/tmp/war-deploy/"
+ watchDir="/tmp/war-listen/"
+ watchEnabled="false"/>
+ </Cluster>
+ -->
+
+
+
+ <!-- Normally, users must authenticate themselves to each web app
+ individually. Uncomment the following entry if you would like
+ a user to be authenticated the first time they encounter a
+ resource protected by a security constraint, and then have that
+ user identity maintained across *all* web applications contained
+ in this virtual host. -->
+ <!--
+ <Valve className="org.apache.catalina.authenticator.SingleSignOn" />
+ -->
+
+ <!-- Access log processes all requests for this virtual host. By
+ default, log files are created in the "logs" directory relative to
+ $CATALINA_HOME. If you wish, you can specify a different
+ directory with the "directory" attribute. Specify either a relative
+ (to $CATALINA_HOME) or absolute path to the desired directory.
+ -->
+ <!--
+ <Valve className="org.apache.catalina.valves.AccessLogValve"
+ directory="logs" prefix="localhost_access_log." suffix=".txt"
+ pattern="common" resolveHosts="false"/>
+ -->
+
+ <!-- Access log processes all requests for this virtual host. By
+ default, log files are created in the "logs" directory relative to
+ $CATALINA_HOME. If you wish, you can specify a different
+ directory with the "directory" attribute. Specify either a relative
+ (to $CATALINA_HOME) or absolute path to the desired directory.
+ This access log implementation is optimized for maximum performance,
+ but is hardcoded to support only the "common" and "combined" patterns.
+ -->
+ <!--
+ <Valve className="org.apache.catalina.valves.FastCommonAccessLogValve"
+ directory="logs" prefix="localhost_access_log." suffix=".txt"
+ pattern="common" resolveHosts="false"/>
+ -->
+ <!-- Access log processes all requests for this virtual host. By
+ default, log files are created in the "logs" directory relative to
+ $CATALINA_HOME. If you wish, you can specify a different
+ directory with the "directory" attribute. Specify either a relative
+ (to $CATALINA_HOME) or absolute path to the desired directory.
+ This access log implementation is optimized for maximum performance,
+ but is hardcoded to support only the "common" and "combined" patterns.
+
+ This valve use NIO direct Byte Buffer to asynchornously store the
+ log.
+ -->
+ <!--
+ <Valve className="org.apache.catalina.valves.ByteBufferAccessLogValve"
+ directory="logs" prefix="localhost_access_log." suffix=".txt"
+ pattern="common" resolveHosts="false"/>
+ -->
+
+ </Host>
+
+ </Engine>
+
+ </Service>
+
+</Server>
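Review bot: The AJP connector at `<Connector port="8009" enableLookups="false" redirectPort="8443" protocol="AJP/1.3" />` is left enabled with no `address` attribute, so it listens on every interface and accepts unauthenticated AJP from any host that can reach it; on a key-recovery subsystem it should be bound with `address="127.0.0.1"` or removed outright if no jk front end is used. The shutdown listener `<Server port="8005" shutdown="SHUTDOWN">` also keeps Tomcat's well-known default port and command, which lets any local process stop the service; change the command string and bind it to loopback, or set `port="-1"` if the Tomcat build in use supports disabling the shutdown port. Note too that this is a `.good` backup copy of server.xml that still carries the `certdbPassword="<PKI_CERT_DB_PASSWORD>"` template in the (commented) SSL connector; if the installer substitutes both copies, the NSS database password lands in two files, so the backup should not be shipped into the live conf directory.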
diff --git a/pki/base/kra/shared/conf/serverCert.profile b/pki/base/kra/shared/conf/serverCert.profile
new file mode 100644
index 000000000..adf6ee4ad
--- /dev/null
+++ b/pki/base/kra/shared/conf/serverCert.profile
@@ -0,0 +1,37 @@
+#
+# Server Certificate
+#
+id=serverCert.profile
+name=All Purpose SSL server cert Profile
+description=This profile creates an SSL server certificate that is valid for SSL servers
+list=2,4,5,6,7
+2.default.class=com.netscape.cms.profile.def.ValidityDefault
+2.default.name=Validity Default
+2.default.params.range=720
+2.default.params.startTime=0
+4.default.class=com.netscape.cms.profile.def.AuthorityKeyIdentifierExtDefault
+4.default.name=Authority Key Identifier Default
+5.default.class=com.netscape.cms.profile.def.AuthInfoAccessExtDefault
+5.default.name=AIA Extension Default
+5.default.params.authInfoAccessADEnable_0=true
+5.default.params.authInfoAccessADLocationType_0=URIName
+5.default.params.authInfoAccessADLocation_0=
+5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1
+5.default.params.authInfoAccessCritical=false
+5.default.params.authInfoAccessNumADs=1
+6.default.class=com.netscape.cms.profile.def.KeyUsageExtDefault
+6.default.name=Key Usage Default
+6.default.params.keyUsageCritical=true
+6.default.params.keyUsageDigitalSignature=true
+6.default.params.keyUsageNonRepudiation=true
+6.default.params.keyUsageDataEncipherment=true
+6.default.params.keyUsageKeyEncipherment=true
+6.default.params.keyUsageKeyAgreement=false
+6.default.params.keyUsageKeyCertSign=false
+6.default.params.keyUsageCrlSign=false
+6.default.params.keyUsageEncipherOnly=false
+6.default.params.keyUsageDecipherOnly=false
+7.default.class=com.netscape.cms.profile.def.ExtendedKeyUsageExtDefault
+7.default.name=Extended Key Usage Extension Default
+7.default.params.exKeyUsageCritical=false
+7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.1
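Review bot: The Key Usage block grants an SSL server certificate `keyUsageNonRepudiation=true` and `keyUsageDataEncipherment=true` on top of digitalSignature and keyEncipherment; TLS needs only the latter two, and the extra bits in a critical extension let the key be used for purposes the profile description does not intend. Set `6.default.params.keyUsageNonRepudiation=false` and `6.default.params.keyUsageDataEncipherment=false`. The AIA access description is enabled while `authInfoAccessADLocation_0=` is empty; presumably the installer fills in the OCSP responder URL, but if it does not, the profile emits an accessLocation with an empty URI, so either document the placeholder in the header comment or set `authInfoAccessADEnable_0=false` until it is populated.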
diff --git a/pki/base/kra/shared/conf/serverCertNick.conf b/pki/base/kra/shared/conf/serverCertNick.conf
new file mode 100644
index 000000000..1b1f4fcad
--- /dev/null
+++ b/pki/base/kra/shared/conf/serverCertNick.conf
@@ -0,0 +1 @@
+Server-Cert cert-[PKI_INSTANCE_ID]
diff --git a/pki/base/kra/shared/conf/shm.manifest b/pki/base/kra/shared/conf/shm.manifest
new file mode 100644
index 000000000..0505c085b
--- /dev/null
+++ b/pki/base/kra/shared/conf/shm.manifest
@@ -0,0 +1,2 @@
+Main-Class: org.apache.jk.common.Shm
+Class-Path: tomcat-jk2.jar commons-logging.jar tomcat-util.jar log4j.jar log4j-core.jar
diff --git a/pki/base/kra/shared/conf/storageCert.profile b/pki/base/kra/shared/conf/storageCert.profile
new file mode 100644
index 000000000..fe46c19c1
--- /dev/null
+++ b/pki/base/kra/shared/conf/storageCert.profile
@@ -0,0 +1,37 @@
+#
+# DRM Storage Certificate
+#
+id=storageCert.profile
+name=DRM Key Storage Cert profile
+description=This profile creates a certificate that is good for DRM to encrypt private key materials in storage
+list=2,4,5,6,7
+2.default.class=com.netscape.cms.profile.def.ValidityDefault
+2.default.name=Validity Default
+2.default.params.range=720
+2.default.params.startTime=0
+4.default.class=com.netscape.cms.profile.def.AuthorityKeyIdentifierExtDefault
+4.default.name=Authority Key Identifier Default
+5.default.class=com.netscape.cms.profile.def.AuthInfoAccessExtDefault
+5.default.name=AIA Extension Default
+5.default.params.authInfoAccessADEnable_0=true
+5.default.params.authInfoAccessADLocationType_0=URIName
+5.default.params.authInfoAccessADLocation_0=
+5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1
+5.default.params.authInfoAccessCritical=false
+5.default.params.authInfoAccessNumADs=1
+6.default.class=com.netscape.cms.profile.def.KeyUsageExtDefault
+6.default.name=Key Usage Default
+6.default.params.keyUsageCritical=true
+6.default.params.keyUsageDigitalSignature=true
+6.default.params.keyUsageNonRepudiation=true
+6.default.params.keyUsageDataEncipherment=true
+6.default.params.keyUsageKeyEncipherment=true
+6.default.params.keyUsageKeyAgreement=false
+6.default.params.keyUsageKeyCertSign=false
+6.default.params.keyUsageCrlSign=false
+6.default.params.keyUsageEncipherOnly=false
+6.default.params.keyUsageDecipherOnly=false
+7.default.class=com.netscape.cms.profile.def.ExtendedKeyUsageExtDefault
+7.default.name=Extended Key Usage Extension Default
+7.default.params.exKeyUsageCritical=false
+7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2
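Review bot: The storage certificate, which per its own description exists only to encrypt escrowed private keys at rest, is issued with `keyUsageDigitalSignature=true`, `keyUsageNonRepudiation=true` and an Extended Key Usage of serverAuth plus clientAuth (`1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2`). That combination lets the long-lived key-wrapping key double as a TLS server or client identity, which defeats key separation: a compromise through any TLS use of the key exposes every archived key it protects. Unless some DRM code path is known to rely on it, keep `keyUsageKeyEncipherment=true` (and dataEncipherment if the implementation wraps with it), set the two signature bits to false, and drop element 7 by changing the header to `list=2,4,5,6`. A comment under `# DRM Storage Certificate` stating which operations use this key would let a reviewer check the extension set against actual use.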
diff --git a/pki/base/kra/shared/conf/subsystemCert.profile b/pki/base/kra/shared/conf/subsystemCert.profile
new file mode 100644
index 000000000..1fc1a6f71
--- /dev/null
+++ b/pki/base/kra/shared/conf/subsystemCert.profile
@@ -0,0 +1,37 @@
+#
+# Subsystem Certificate
+#
+id=subsystemCert.profile
+name=subsystem cert Profile
+description=This profile creates a subsystem certificate that is valid for a CS subsystem
+list=2,4,5,6,7
+2.default.class=com.netscape.cms.profile.def.ValidityDefault
+2.default.name=Validity Default
+2.default.params.range=720
+2.default.params.startTime=0
+4.default.class=com.netscape.cms.profile.def.AuthorityKeyIdentifierExtDefault
+4.default.name=Authority Key Identifier Default
+5.default.class=com.netscape.cms.profile.def.AuthInfoAccessExtDefault
+5.default.name=AIA Extension Default
+5.default.params.authInfoAccessADEnable_0=true
+5.default.params.authInfoAccessADLocationType_0=URIName
+5.default.params.authInfoAccessADLocation_0=
+5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1
+5.default.params.authInfoAccessCritical=false
+5.default.params.authInfoAccessNumADs=1
+6.default.class=com.netscape.cms.profile.def.KeyUsageExtDefault
+6.default.name=Key Usage Default
+6.default.params.keyUsageCritical=true
+6.default.params.keyUsageDigitalSignature=true
+6.default.params.keyUsageNonRepudiation=true
+6.default.params.keyUsageDataEncipherment=true
+6.default.params.keyUsageKeyEncipherment=true
+6.default.params.keyUsageKeyAgreement=false
+6.default.params.keyUsageKeyCertSign=false
+6.default.params.keyUsageCrlSign=false
+6.default.params.keyUsageEncipherOnly=false
+6.default.params.keyUsageDecipherOnly=false
+7.default.class=com.netscape.cms.profile.def.ExtendedKeyUsageExtDefault
+7.default.name=Extended Key Usage Extension Default
+7.default.params.exKeyUsageCritical=false
+7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2
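Review bot: This profile is the serverCert profile with a different id/name/description and a second EKU OID, and it inherits the same over-broad Key Usage: a subsystem identity used for TLS between CS components has no use for `keyUsageNonRepudiation=true` or `keyUsageDataEncipherment=true`. Set both to false so the critical Key Usage extension matches what the key actually does (digitalSignature plus keyEncipherment). A one-line comment under `# Subsystem Certificate` saying which operations present this certificate (TLS client authentication to the CA, for example) would also help an auditor tell it apart from serverCert.profile, which is otherwise identical.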
diff --git a/pki/base/kra/shared/conf/tomcat-jk2.manifest b/pki/base/kra/shared/conf/tomcat-jk2.manifest
new file mode 100644
index 000000000..acfef4a90
--- /dev/null
+++ b/pki/base/kra/shared/conf/tomcat-jk2.manifest
@@ -0,0 +1,7 @@
+Manifest-version: 1.0
+Extension-Name: org.apache.jk
+Specification-Vendor: Apache Software Foundation
+Specification-Version: 2.0
+Implementation-Vendor-Id: org.apache
+Implementation-Vendor: Apache Software Foundation
+Implementation-Version: 2.1
diff --git a/pki/base/kra/shared/conf/tomcat-users.xml b/pki/base/kra/shared/conf/tomcat-users.xml
new file mode 100644
index 000000000..920e68240
--- /dev/null
+++ b/pki/base/kra/shared/conf/tomcat-users.xml
@@ -0,0 +1,13 @@
+<?xml version='1.0' encoding='utf-8'?>
+<tomcat-users>
+ <role rolename="pkiuser"/>
+ <role rolename="tomcat"/>
+ <role rolename="role1"/>
+ <role rolename="manager"/>
+ <role rolename="admin"/>
+ <user username="pkiuser" password="pkiuser" roles="pkiuser"/>
+ <user username="tomcat" password="tomcat" roles="tomcat"/>
+ <user username="both" password="tomcat" roles="tomcat,role1"/>
+ <user username="role1" password="tomcat" roles="role1"/>
+ <user username="admin" password="netscape" roles="admin,manager"/>
+</tomcat-users>
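Review bot: This file ships five working accounts with fixed, guessable passwords (`tomcat`/`tomcat`, `both`/`tomcat`, `role1`/`tomcat`, `pkiuser`/`pkiuser`, and `admin`/`netscape` holding both the `admin` and `manager` roles), and the accompanying server.xml.good wires `conf/tomcat-users.xml` into the global `UserDatabaseRealm`, so these are live credentials for anything protected by that realm, including the Tomcat manager/admin applications if they are deployed. Default credentials on a key-recovery subsystem are a direct path to compromise. Remove the `tomcat`, `both`, `role1` and `admin` `<user>` entries together with their unused `<role>` lines, and have the installer set the `pkiuser` password to a generated value rather than the username. If sample accounts must remain for documentation, keep them inside an XML comment so they are never loaded.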
diff --git a/pki/base/kra/shared/conf/tomcat5.conf b/pki/base/kra/shared/conf/tomcat5.conf
new file mode 100644
index 000000000..f82eafd8e
--- /dev/null
+++ b/pki/base/kra/shared/conf/tomcat5.conf
@@ -0,0 +1,73 @@
+# tomcat5 service configuration file
+
+# Check to insure that at least one PKI subsystem
+# currently resides on this system.
+if [ ! -x /usr/bin/pkiarch ] ||
+ [ ! -x /usr/bin/pkiflavor ] ||
+ [ ! -x /usr/bin/pkiname ]; then
+ echo "This machine is missing all PKI subsystems!"
+ exit 255
+fi
+
+# Check to insure that this configuration file's associated PKI
+# subsystem currently resides on this system.
+PKI_SUBSYSTEM_TYPE=[PKI_SUBSYSTEM_TYPE]
+if [ ! -d /usr/share/`pkiflavor`/${PKI_SUBSYSTEM_TYPE} ] ; then
+ echo "This machine is missing the '${PKI_SUBSYSTEM_TYPE}' subsystem!"
+ exit 255
+fi
+
+# you could also override JAVA_HOME here
+# Where your java installation lives
+JAVA_HOME="/usr/lib/jvm/jre"
+
+# You can pass some parameters to java
+# here if you wish to
+#JAVA_OPTS="-Xminf0.1 -Xmaxf0.3"
+
+# Where your tomcat installation lives
+# That change from previous RPM where TOMCAT_HOME
+# used to be /var/tomcat.
+# Now /var/tomcat will be the base for webapps only
+CATALINA_HOME="/usr/share/tomcat5"
+JASPER_HOME="/usr/share/tomcat5"
+CATALINA_TMPDIR="/usr/share/tomcat5/temp"
+JAVA_ENDORSED_DIRS="/usr/share/tomcat5/common/endorsed"
+
+# What user should run tomcat
+TOMCAT_USER="[PKI_USER]"
+TOMCAT_GROUP="[PKI_GROUP]"
+
+# You can change your tomcat locale here
+#LANG=en_US
+
+# Time to wait in seconds, while starting process
+STARTUP_WAIT=30
+
+# Time to wait in seconds, before killing process
+SHUTDOWN_WAIT=30
+
+
+# If you wish to further customize your tomcat environment,
+# put your own definitions here
+# (i.e. LD_LIBRARY_PATH for some jdbc drivers)
+# Just do not forget to export them :)
+
+PLATFORM=`pkiarch`
+
+if [ $PLATFORM = "i386" ]; then
+ # 32-bit Linux
+ LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/usr/lib/dirsec:/usr/lib
+elif [ $PLATFORM = "x86_64" ]; then
+ # 64-bit Linux
+ LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/usr/lib64/dirsec:/usr/lib64:/usr/lib
+elif [ $PLATFORM = "sparc" ]; then
+ # 32-bit Solaris
+ LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/usr/lib/dirsec:/usr/lib
+elif [ $PLATFORM = "sparcv9" ]; then
+ # 64-bit Solaris
+ JAVA_OPTS="-d64"
+ export JAVA_OPTS
+ LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/usr/lib/sparcv9/dirsec:/usr/lib/sparcv9:/usr/lib/dirsec:/usr/lib
+fi
+export LD_LIBRARY_PATH
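Review bot: Each `LD_LIBRARY_PATH=$LD_LIBRARY_PATH:...` assignment prepends the inherited value and a colon even when the variable is unset, so when the service starts with an empty `LD_LIBRARY_PATH` the exported path begins with `:`, and the dynamic loader treats that empty element as the current working directory; Tomcat would then resolve shared libraries (including the NSS/JSS ones under `dirsec`) from wherever the start script happens to be run. Use the conditional form, e.g. `LD_LIBRARY_PATH=${LD_LIBRARY_PATH:+$LD_LIBRARY_PATH:}/usr/lib/dirsec:/usr/lib`, in all four platform branches. The `[ $PLATFORM = "i386" ]` tests should also quote the variable as `"$PLATFORM"`, since an empty output from `pkiarch` otherwise turns each test into a syntax error instead of falling through to no match.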
diff --git a/pki/base/kra/shared/conf/transportCert.profile b/pki/base/kra/shared/conf/transportCert.profile
new file mode 100644
index 000000000..aba748bfe
--- /dev/null
+++ b/pki/base/kra/shared/conf/transportCert.profile
@@ -0,0 +1,37 @@
+#
+# DRM Transport Certificate
+#
+id=transportCert.profile
+name=DRM Key Transport Cert profile
+description=This profile creates a certificate that is good for transporting private key materials
+list=2,4,5,6,7
+2.default.class=com.netscape.cms.profile.def.ValidityDefault
+2.default.name=Validity Default
+2.default.params.range=720
+2.default.params.startTime=0
+4.default.class=com.netscape.cms.profile.def.AuthorityKeyIdentifierExtDefault
+4.default.name=Authority Key Identifier Default
+5.default.class=com.netscape.cms.profile.def.AuthInfoAccessExtDefault
+5.default.name=AIA Extension Default
+5.default.params.authInfoAccessADEnable_0=true
+5.default.params.authInfoAccessADLocationType_0=URIName
+5.default.params.authInfoAccessADLocation_0=
+5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1
+5.default.params.authInfoAccessCritical=false
+5.default.params.authInfoAccessNumADs=1
+6.default.class=com.netscape.cms.profile.def.KeyUsageExtDefault
+6.default.name=Key Usage Default
+6.default.params.keyUsageCritical=true
+6.default.params.keyUsageDigitalSignature=true
+6.default.params.keyUsageNonRepudiation=true
+6.default.params.keyUsageDataEncipherment=true
+6.default.params.keyUsageKeyEncipherment=true
+6.default.params.keyUsageKeyAgreement=false
+6.default.params.keyUsageKeyCertSign=false
+6.default.params.keyUsageCrlSign=false
+6.default.params.keyUsageEncipherOnly=false
+6.default.params.keyUsageDecipherOnly=false
+7.default.class=com.netscape.cms.profile.def.ExtendedKeyUsageExtDefault
+7.default.name=Extended Key Usage Extension Default
+7.default.params.exKeyUsageCritical=false
+7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2
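Review bot: The transport certificate's stated purpose is to wrap private key material sent to the DRM, which needs `keyUsageKeyEncipherment` only, yet the profile also sets `keyUsageDigitalSignature=true`, `keyUsageNonRepudiation=true` and a serverAuth/clientAuth Extended Key Usage. Clients that encrypt keys to this certificate should not be able to be induced to accept the same key as a TLS peer, and a signing use of a key-wrapping key widens what an attacker gains from a single compromise. Unless the DRM implementation is known to need them, set the two signature bits to false and drop element 7 with `list=2,4,5,6`; whatever is kept should be justified in a comment under the `# DRM Transport Certificate` header.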
diff --git a/pki/base/kra/shared/conf/uriworkermap.properties b/pki/base/kra/shared/conf/uriworkermap.properties
new file mode 100644
index 000000000..c65445b10
--- /dev/null
+++ b/pki/base/kra/shared/conf/uriworkermap.properties
@@ -0,0 +1,13 @@
+# uriworkermap.properties - IIS
+#
+# This file provides sample mappings for example ajp13w
+# worker defined in workermap.properties.minimal
+# The general sytax for this file is:
+# [URL]=[Worker name]
+
+/servlet-examples/*=ajp13w
+
+# Optionally filter out all .jpeg files inside that context
+# For no mapping the url has to start with exclamation (!)
+
+!/servlet-examples/*.jpeg=ajp13w
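Review bot: The only live mapping in this file routes `/servlet-examples/*` to the `ajp13w` worker, which is the stock Tomcat sample (the header even says IIS and refers to workermap.properties.minimal) rather than a mapping for the KRA web application, so if a JK connector actually reads this file it would route requests for a sample context this instance presumably does not deploy while mapping none of its own URLs. If the connector setup requires the file, replace the sample entries with this instance's context mapping and add a header naming which connector consumes it; if nothing reads it, dropping it avoids shipping misleading routing configuration. The header comment also has a typo, `sytax` should be `syntax`.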
diff --git a/pki/base/kra/shared/conf/vlv.ldif b/pki/base/kra/shared/conf/vlv.ldif
new file mode 100644
index 000000000..b619e8657
--- /dev/null
+++ b/pki/base/kra/shared/conf/vlv.ldif
@@ -0,0 +1,207 @@
+dn: cn=allKeys-{instanceId}, cn={database}, cn=ldbm database, cn=plugins, cn=config
+objectClass: top
+objectClass: vlvSearch
+cn: allKeys-{instanceId}
+vlvBase: ou=keyRepository,ou=kra,{rootSuffix}
+vlvScope: 1
+vlvFilter: (&(&(objectClass=top)(objectClass=keyRecord))(serialno=*))
+
+dn: cn=kraAll-{instanceId}, cn={database}, cn=ldbm database, cn=plugins, cn=config
+objectClass: top
+objectClass: vlvSearch
+cn: kraAll-{instanceId}
+vlvBase: ou=kra,ou=requests,{rootSuffix}
+vlvScope: 1
+vlvFilter: (requeststate=*)
+
+dn: cn=kraArchival-{instanceId}, cn={database}, cn=ldbm database, cn=plugins, cn=config
+objectClass: top
+objectClass: vlvSearch
+cn: kraArchival-{instanceId}
+vlvBase: ou=kra,ou=requests,{rootSuffix}
+vlvScope: 1
+vlvFilter: (requesttype=enrollment)
+
+dn: cn=kraRecovery-{instanceId}, cn={database}, cn=ldbm database, cn=plugins, cn=config
+objectClass: top
+objectClass: vlvSearch
+cn: kraRecovery-{instanceId}
+vlvBase: ou=kra,ou=requests,{rootSuffix}
+vlvScope: 1
+vlvFilter: (requesttype=recovery)
+
+dn: cn=kraCanceled-{instanceId}, cn={database}, cn=ldbm database, cn=plugins, cn=config
+objectClass: top
+objectClass: vlvSearch
+cn: kraCanceled-{instanceId}
+vlvBase: ou=kra,ou=requests,{rootSuffix}
+vlvScope: 1
+vlvFilter: (requeststate=canceled)
+
+dn: cn=kraCanceledEnrollment-{instanceId}, cn={database}, cn=ldbm database, cn=plugins, cn=config
+objectClass: top
+objectClass: vlvSearch
+cn: kraCanceledEnrollment-{instanceId}
+vlvBase: ou=kra,ou=requests,{rootSuffix}
+vlvScope: 1
+vlvFilter: (&(requeststate=canceled)(requesttype=enrollment))
+
+dn: cn=kraCanceledRecovery-{instanceId}, cn={database}, cn=ldbm database, cn=plugins, cn=config
+objectClass: top
+objectClass: vlvSearch
+cn: kraCanceledRecovery-{instanceId}
+vlvBase: ou=kra,ou=requests,{rootSuffix}
+vlvScope: 1
+vlvFilter: (&(requeststate=canceled)(requesttype=recovery))
+
+dn: cn=kraRejected-{instanceId}, cn={database}, cn=ldbm database, cn=plugins, cn=config
+objectClass: top
+objectClass: vlvSearch
+cn: kraRejected-{instanceId}
+vlvBase: ou=kra,ou=requests,{rootSuffix}
+vlvScope: 1
+vlvFilter: (requeststate=rejected)
+
+dn: cn=kraRejectedEnrollment-{instanceId}, cn={database}, cn=ldbm database, cn=plugins, cn=config
+objectClass: top
+objectClass: vlvSearch
+cn: kraRejectedEnrollment-{instanceId}
+vlvBase: ou=kra,ou=requests,{rootSuffix}
+vlvScope: 1
+vlvFilter: (&(requeststate=rejected)(requesttype=enrollment))
+
+dn: cn=kraRejectedRecovery-{instanceId}, cn={database}, cn=ldbm database, cn=plugins, cn=config
+objectClass: top
+objectClass: vlvSearch
+cn: kraRejectedRecovery-{instanceId}
+vlvBase: ou=kra,ou=requests,{rootSuffix}
+vlvScope: 1
+vlvFilter: (&(requeststate=rejected)(requesttype=recovery))
+
+dn: cn=kraComplete-{instanceId}, cn={database}, cn=ldbm database, cn=plugins, cn=config
+objectClass: top
+objectClass: vlvSearch
+cn: kraComplete-{instanceId}
+vlvBase: ou=kra,ou=requests,{rootSuffix}
+vlvScope: 1
+vlvFilter: (requeststate=complete)
+
+dn: cn=kraCompleteEnrollment-{instanceId}, cn={database}, cn=ldbm database, cn=plugins, cn=config
+objectClass: top
+objectClass: vlvSearch
+cn: kraCompleteEnrollment-{instanceId}
+vlvBase: ou=kra,ou=requests,{rootSuffix}
+vlvScope: 1
+vlvFilter: (&(requeststate=complete)(requesttype=enrollment))
+
+dn: cn=kraCompleteRecovery-{instanceId}, cn={database}, cn=ldbm database, cn=plugins, cn=config
+objectClass: top
+objectClass: vlvSearch
+cn: kraCompleteRecovery-{instanceId}
+vlvBase: ou=kra,ou=requests,{rootSuffix}
+vlvScope: 1
+vlvFilter: (&(requeststate=complete)(requesttype=recovery))
+
+dn: cn=allKeys-{instanceId}Index, cn=allKeys-{instanceId}, cn={database}, cn=ldbm database, cn=plugins, cn=config
+objectClass: top
+objectClass: vlvIndex
+cn: allKeys-{instanceId}Index
+vlvSort: serialno
+vlvEnabled: 0
+vlvUses: 0
+
+dn: cn=kraAll-{instanceId}Index, cn=kraAll-{instanceId}, cn={database}, cn=ldbm database, cn=plugins, cn=config
+objectClass: top
+objectClass: vlvIndex
+cn: kraAll-{instanceId}Index
+vlvSort: requestId
+vlvEnabled: 0
+vlvUses: 0
+
+dn: cn=kraArchival-{instanceId}Index, cn=kraArchival-{instanceId}, cn={database}, cn=ldbm database, cn=plugins, cn=config
+objectClass: top
+objectClass: vlvIndex
+cn: kraArchival-{instanceId}Index
+vlvSort: requestId
+vlvEnabled: 0
+vlvUses: 0
+
+dn: cn=kraRecovery-{instanceId}Index, cn=kraRecovery-{instanceId}, cn={database}, cn=ldbm database, cn=plugins, cn=config
+objectClass: top
+objectClass: vlvIndex
+cn: kraRecovery-{instanceId}Index
+vlvSort: requestId
+vlvEnabled: 0
+vlvUses: 0
+
+dn: cn=kraCanceled-{instanceId}Index, cn=kraCanceled-{instanceId}, cn={database}, cn=ldbm database, cn=plugins, cn=config
+objectClass: top
+objectClass: vlvIndex
+cn: kraCanceled-{instanceId}Index
+vlvSort: requestId
+vlvEnabled: 0
+vlvUses: 0
+
+dn: cn=kraCanceledEnrollment-{instanceId}Index, cn=kraCanceledEnrollment-{instanceId}, cn={database}, cn=ldbm database, cn=plugins, cn=config
+objectClass: top
+objectClass: vlvIndex
+cn: kraCanceledEnrollment-{instanceId}Index
+vlvSort: requestId
+vlvEnabled: 0
+vlvUses: 0
+
+dn: cn=kraCanceledRecovery-{instanceId}Index, cn=kraCanceledRecovery-{instanceId}, cn={database}, cn=ldbm database, cn=plugins, cn=config
+objectClass: top
+objectClass: vlvIndex
+cn: kraCanceledRecovery-{instanceId}Index
+vlvSort: requestId
+vlvEnabled: 0
+vlvUses: 0
+
+dn: cn=kraRejected-{instanceId}Index, cn=kraRejected-{instanceId}, cn={database}, cn=ldbm database, cn=plugins, cn=config
+objectClass: top
+objectClass: vlvIndex
+cn: kraRejected-{instanceId}Index
+vlvSort: requestId
+vlvEnabled: 0
+vlvUses: 0
+
+dn: cn=kraRejectedEnrollment-{instanceId}Index, cn=kraRejectedEnrollment-{instanceId}, cn={database}, cn=ldbm database, cn=plugins, cn=config
+objectClass: top
+objectClass: vlvIndex
+cn: kraRejectedEnrollment-{instanceId}Index
+vlvSort: requestId
+vlvEnabled: 0
+vlvUses: 0
+
+dn: cn=kraRejectedRecovery-{instanceId}Index, cn=kraRejectedRecovery-{instanceId}, cn={database}, cn=ldbm database, cn=plugins, cn=config
+objectClass: top
+objectClass: vlvIndex
+cn: kraRejectedRecovery-{instanceId}Index
+vlvSort: requestId
+vlvEnabled: 0
+vlvUses: 0
+
+dn: cn=kraComplete-{instanceId}Index, cn=kraComplete-{instanceId}, cn={database}, cn=ldbm database, cn=plugins, cn=config
+objectClass: top
+objectClass: vlvIndex
+cn: kraComplete-{instanceId}Index
+vlvSort: requestId
+vlvEnabled: 0
+vlvUses: 0
+
+dn: cn=kraCompleteEnrollment-{instanceId}Index, cn=kraCompleteEnrollment-{instanceId}, cn={database}, cn=ldbm database, cn=plugins, cn=config
+objectClass: top
+objectClass: vlvIndex
+cn: kraCompleteEnrollment-{instanceId}Index
+vlvSort: requestId
+vlvEnabled: 0
+vlvUses: 0
+
+dn: cn=kraCompleteRecovery-{instanceId}Index, cn=kraCompleteRecovery-{instanceId}, cn={database}, cn=ldbm database, cn=plugins, cn=config
+objectClass: top
+objectClass: vlvIndex
+cn: kraCompleteRecovery-{instanceId}Index
+vlvSort: requestId
+vlvEnabled: 0
+vlvUses: 0
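Review bot: The `{instanceId}`, `{database}` and `{rootSuffix}` tokens in every dn and vlvBase are not explained anywhere in the file, and the coupling to vlvtasks.ldif, whose `nsIndexVLVAttribute` values must match the `cn` of each vlvIndex entry here character for character, is implicit; the same applies to the vlvtasks.ldif hunk that follows. A leading comment in both files, along the lines of `# Brace tokens are substituted by the installer; the vlvIndex cn values below must match the nsIndexVLVAttribute list in vlvtasks.ldif, which is presumably applied afterwards to build the indexes.`, would make the ordering and the naming dependency obvious to whoever next renames an index. The `vlvEnabled: 0` / `vlvUses: 0` values on each vlvIndex entry appear to be server-maintained state, so it is worth noting in that comment that they are expected to be overwritten once the index task runs.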
diff --git a/pki/base/kra/shared/conf/vlvtasks.ldif b/pki/base/kra/shared/conf/vlvtasks.ldif
new file mode 100644
index 000000000..014483ac1
--- /dev/null
+++ b/pki/base/kra/shared/conf/vlvtasks.ldif
@@ -0,0 +1,19 @@
+dn: cn=index1160527115, cn=index, cn=tasks, cn=config
+objectclass: top
+objectclass: extensibleObject
+cn: index1160527115
+ttl: 1
+nsInstance: {database}
+nsIndexVLVAttribute: allKeys-{instanceId}Index
+nsIndexVLVAttribute: kraAll-{instanceId}Index
+nsIndexVLVAttribute: kraArchival-{instanceId}Index
+nsIndexVLVAttribute: kraRecovery-{instanceId}Index
+nsIndexVLVAttribute: kraCanceled-{instanceId}Index
+nsIndexVLVAttribute: kraCanceledEnrollment-{instanceId}Index
+nsIndexVLVAttribute: kraCanceledRecovery-{instanceId}Index
+nsIndexVLVAttribute: kraRejected-{instanceId}Index
+nsIndexVLVAttribute: kraRejectedEnrollment-{instanceId}Index
+nsIndexVLVAttribute: kraRejectedRecovery-{instanceId}Index
+nsIndexVLVAttribute: kraComplete-{instanceId}Index
+nsIndexVLVAttribute: kraCompleteEnrollment-{instanceId}Index
+nsIndexVLVAttribute: kraCompleteRecovery-{instanceId}Index
diff --git a/pki/base/kra/shared/conf/web.xml b/pki/base/kra/shared/conf/web.xml
new file mode 100644
index 000000000..6b14b3b3c
--- /dev/null
+++ b/pki/base/kra/shared/conf/web.xml
@@ -0,0 +1,979 @@
+<?xml version="1.0" encoding="ISO-8859-1"?>
+<web-app xmlns="http://java.sun.com/xml/ns/j2ee"
+ xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+ xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd"
+ version="2.4">
+
+ <!-- ======================== Introduction ============================== -->
+ <!-- This document defines default values for *all* web applications -->
+ <!-- loaded into this instance of Tomcat. As each application is -->
+ <!-- deployed, this file is processed, followed by the -->
+ <!-- "/WEB-INF/web.xml" deployment descriptor from your own -->
+ <!-- applications. -->
+ <!-- -->
+ <!-- WARNING: Do not configure application-specific resources here! -->
+ <!-- They should go in the "/WEB-INF/web.xml" file in your application. -->
+
+
+ <!-- ================== Built In Servlet Definitions ==================== -->
+
+
+ <!-- The default servlet for all web applications, that serves static -->
+ <!-- resources. It processes all requests that are not mapped to other -->
+ <!-- servlets with servlet mappings (defined either here or in your own -->
+ <!-- web.xml file. This servlet supports the following initialization -->
+ <!-- parameters (default values are in square brackets): -->
+ <!-- -->
+ <!-- debug Debugging detail level for messages logged -->
+ <!-- by this servlet. [0] -->
+ <!-- -->
+ <!-- fileEncoding Encoding to be used to read static resources -->
+ <!-- [platform default] -->
+ <!-- -->
+ <!-- input Input buffer size (in bytes) when reading -->
+ <!-- resources to be served. [2048] -->
+ <!-- -->
+ <!-- listings Should directory listings be produced if there -->
+ <!-- is no welcome file in this directory? [true] -->
+ <!-- -->
+ <!-- output Output buffer size (in bytes) when writing -->
+ <!-- resources to be served. [2048] -->
+ <!-- -->
+ <!-- readonly Is this context "read only", so HTTP -->
+ <!-- commands like PUT and DELETE are -->
+ <!-- rejected? [true] -->
+ <!-- -->
+ <!-- readmeFile File name to display with the directory -->
+ <!-- contents. [null] -->
+ <!-- -->
+ <!-- For directory listing customization. Checks localXsltFile, then -->
+ <!-- globalXsltFile, then defaults to original behavior. -->
+ <!-- -->
+ <!-- localXsltFile Make directory listings an XML doc and -->
+ <!-- pass the result to this style sheet residing -->
+ <!-- in that directory. This overrides -->
+ <!-- globalXsltFile[null] -->
+ <!-- -->
+ <!-- globalXsltFile Site wide configuration version of -->
+ <!-- localXsltFile This argument is expected -->
+ <!-- to be a physical file. [null] -->
+ <!-- -->
+ <!-- -->
+
+ <servlet>
+ <servlet-name>default</servlet-name>
+ <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
+ <init-param>
+ <param-name>debug</param-name>
+ <param-value>0</param-value>
+ </init-param>
+ <init-param>
+ <param-name>listings</param-name>
+ <param-value>true</param-value>
+ </init-param>
+ <load-on-startup>1</load-on-startup>
+ </servlet>
+
+
+ <!-- The "invoker" servlet, which executes anonymous servlet classes -->
+ <!-- that have not been defined in a web.xml file. Traditionally, this -->
+ <!-- servlet is mapped to the URL pattern "/servlet/*", but you can map -->
+ <!-- it to other patterns as well. The extra path info portion of such a -->
+ <!-- request must be the fully qualified class name of a Java class that -->
+ <!-- implements Servlet (or extends HttpServlet), or the servlet name -->
+ <!-- of an existing servlet definition. This servlet supports the -->
+ <!-- following initialization parameters (default values are in square -->
+ <!-- brackets): -->
+ <!-- -->
+ <!-- debug Debugging detail level for messages logged -->
+ <!-- by this servlet. [0] -->
+
+<!--
+ <servlet>
+ <servlet-name>invoker</servlet-name>
+ <servlet-class>
+ org.apache.catalina.servlets.InvokerServlet
+ </servlet-class>
+ <init-param>
+ <param-name>debug</param-name>
+ <param-value>0</param-value>
+ </init-param>
+ <load-on-startup>2</load-on-startup>
+ </servlet>
+-->
+
+
+ <!-- The JSP page compiler and execution servlet, which is the mechanism -->
+ <!-- used by Tomcat to support JSP pages. Traditionally, this servlet -->
+ <!-- is mapped to the URL pattern "*.jsp". This servlet supports the -->
+ <!-- following initialization parameters (default values are in square -->
+ <!-- brackets): -->
+ <!-- -->
+ <!-- checkInterval If development is false and checkInterval is -->
+ <!-- greater than zero, background compilations are -->
+ <!-- enabled. checkInterval is the time in seconds -->
+ <!-- between checks to see if a JSP page needs to -->
+ <!-- be recompiled. [0] -->
+ <!-- -->
+ <!-- modificationTestInterval -->
+ <!-- Causes a JSP (and its dependent files) to not -->
+ <!-- be checked for modification during the -->
+ <!-- specified time interval (in seconds) from the -->
+ <!-- last time the JSP was checked for -->
+ <!-- modification. A value of 0 will cause the JSP -->
+ <!-- to be checked on every access. -->
+ <!-- Used in development mode only. [4] -->
+ <!-- -->
+ <!-- compiler Which compiler Ant should use to compile JSP -->
+ <!-- pages. See the Ant documentation for more -->
+ <!-- information. [javac] -->
+ <!-- -->
+ <!-- classdebuginfo Should the class file be compiled with -->
+ <!-- debugging information? [true] -->
+ <!-- -->
+ <!-- classpath What class path should I use while compiling -->
+ <!-- generated servlets? [Created dynamically -->
+ <!-- based on the current web application] -->
+ <!-- -->
+ <!-- development Is Jasper used in development mode? If true, -->
+ <!-- the frequency at which JSPs are checked for -->
+ <!-- modification may be specified via the -->
+ <!-- modificationTestInterval parameter. [true] -->
+ <!-- -->
+ <!-- enablePooling Determines whether tag handler pooling is -->
+ <!-- enabled [true] -->
+ <!-- -->
+ <!-- fork Tell Ant to fork compiles of JSP pages so that -->
+ <!-- a separate JVM is used for JSP page compiles -->
+ <!-- from the one Tomcat is running in. [true] -->
+ <!-- -->
+ <!-- ieClassId The class-id value to be sent to Internet -->
+ <!-- Explorer when using <jsp:plugin> tags. -->
+ <!-- [clsid:8AD9C840-044E-11D1-B3E9-00805F499D93] -->
+ <!-- -->
+ <!-- javaEncoding Java file encoding to use for generating java -->
+ <!-- source files. [UTF8] -->
+ <!-- -->
+ <!-- keepgenerated Should we keep the generated Java source code -->
+ <!-- for each page instead of deleting it? [true] -->
+ <!-- -->
+ <!-- mappedfile Should we generate static content with one -->
+ <!-- print statement per input line, to ease -->
+ <!-- debugging? [true] -->
+ <!-- -->
+ <!-- trimSpaces Should white spaces in template text between -->
+ <!-- actions or directives be trimmed? [false] -->
+ <!-- -->
+ <!-- suppressSmap Should the generation of SMAP info for JSR45 -->
+ <!-- debugging be suppressed? [false] -->
+ <!-- -->
+ <!-- dumpSmap Should the SMAP info for JSR45 debugging be -->
+ <!-- dumped to a file? [false] -->
+ <!-- False if suppressSmap is true -->
+ <!-- -->
+ <!-- genStrAsCharArray Should text strings be generated as char -->
+ <!-- arrays, to improve performance in some cases? -->
+ <!-- [false] -->
+ <!-- -->
+ <!-- errorOnUseBeanInvalidClassAttribute -->
+ <!-- Should Jasper issue an error when the value of -->
+ <!-- the class attribute in an useBean action is -->
+ <!-- not a valid bean class? [true] -->
+ <!-- -->
+ <!-- scratchdir What scratch directory should we use when -->
+ <!-- compiling JSP pages? [default work directory -->
+ <!-- for the current web application] -->
+ <!-- -->
+ <!-- xpoweredBy Determines whether X-Powered-By response -->
+ <!-- header is added by generated servlet [false] -->
+ <!-- -->
+ <!-- If you wish to use Jikes to compile JSP pages: -->
+ <!-- Please see the "Using Jikes" section of the Jasper-HowTo -->
+ <!-- page in the Tomcat documentation. -->
+
+ <servlet>
+ <servlet-name>jsp</servlet-name>
+ <servlet-class>org.apache.jasper.servlet.JspServlet</servlet-class>
+ <init-param>
+ <param-name>fork</param-name>
+ <param-value>false</param-value>
+ </init-param>
+ <init-param>
+ <param-name>xpoweredBy</param-name>
+ <param-value>false</param-value>
+ </init-param>
+ <load-on-startup>3</load-on-startup>
+ </servlet>
+
+
+ <!-- Server Side Includes processing servlet, which processes SSI -->
+ <!-- directives in HTML pages consistent with similar support in web -->
+ <!-- servers like Apache. Traditionally, this servlet is mapped to the -->
+ <!-- URL pattern "*.shtml". This servlet supports the following -->
+ <!-- initialization parameters (default values are in square brackets): -->
+ <!-- -->
+ <!-- buffered Should output from this servlet be buffered? -->
+ <!-- (0=false, 1=true) [0] -->
+ <!-- -->
+ <!-- debug Debugging detail level for messages logged -->
+ <!-- by this servlet. [0] -->
+ <!-- -->
+ <!-- expires The number of seconds before a page with SSI -->
+ <!-- directives will expire. [No default] -->
+ <!-- -->
+ <!-- isVirtualWebappRelative -->
+ <!-- Should "virtual" paths be interpreted as -->
+ <!-- relative to the context root, instead of -->
+ <!-- the server root? (0=false, 1=true) [0] -->
+ <!-- -->
+ <!-- -->
+ <!-- IMPORTANT: To use the SSI servlet, you also need to rename the -->
+ <!-- $CATALINA_HOME/server/lib/servlets-ssi.renametojar file -->
+ <!-- to $CATALINA_HOME/server/lib/servlets-ssi.jar -->
+
+<!--
+ <servlet>
+ <servlet-name>ssi</servlet-name>
+ <servlet-class>
+ org.apache.catalina.ssi.SSIServlet
+ </servlet-class>
+ <init-param>
+ <param-name>buffered</param-name>
+ <param-value>1</param-value>
+ </init-param>
+ <init-param>
+ <param-name>debug</param-name>
+ <param-value>0</param-value>
+ </init-param>
+ <init-param>
+ <param-name>expires</param-name>
+ <param-value>666</param-value>
+ </init-param>
+ <init-param>
+ <param-name>isVirtualWebappRelative</param-name>
+ <param-value>0</param-value>
+ </init-param>
+ <load-on-startup>4</load-on-startup>
+ </servlet>
+-->
+
+
+ <!-- Common Gateway Includes (CGI) processing servlet, which supports -->
+ <!-- execution of external applications that conform to the CGI spec -->
+ <!-- requirements. Typically, this servlet is mapped to the URL pattern -->
+ <!-- "/cgi-bin/*", which means that any CGI applications that are -->
+ <!-- executed must be present within the web application. This servlet -->
+ <!-- supports the following initialization parameters (default values -->
+ <!-- are in square brackets): -->
+ <!-- -->
+ <!-- cgiPathPrefix The CGI search path will start at -->
+ <!-- webAppRootDir + File.separator + this prefix. -->
+ <!-- [WEB-INF/cgi] -->
+ <!-- -->
+ <!-- debug Debugging detail level for messages logged -->
+ <!-- by this servlet. [0] -->
+ <!-- -->
+ <!-- executable Name of the exectuable used to run the -->
+ <!-- script. [perl] -->
+ <!-- -->
+ <!-- parameterEncoding Name of parameter encoding to be used with -->
+ <!-- CGI servlet. -->
+ <!-- [System.getProperty("file.encoding","UTF-8")] -->
+ <!-- -->
+ <!-- passShellEnvironment Should the shell environment variables (if -->
+ <!-- any) be passed to the CGI script? [false] -->
+ <!-- -->
+ <!-- IMPORTANT: To use the CGI servlet, you also need to rename the -->
+ <!-- $CATALINA_HOME/server/lib/servlets-cgi.renametojar file -->
+ <!-- to $CATALINA_HOME/server/lib/servlets-cgi.jar -->
+
+<!--
+ <servlet>
+ <servlet-name>cgi</servlet-name>
+ <servlet-class>org.apache.catalina.servlets.CGIServlet</servlet-class>
+ <init-param>
+ <param-name>debug</param-name>
+ <param-value>6</param-value>
+ </init-param>
+ <init-param>
+ <param-name>cgiPathPrefix</param-name>
+ <param-value>WEB-INF/cgi</param-value>
+ </init-param>
+ <load-on-startup>5</load-on-startup>
+ </servlet>
+-->
+
+
+ <!-- ================ Built In Servlet Mappings ========================= -->
+
+
+ <!-- The servlet mappings for the built in servlets defined above. Note -->
+ <!-- that, by default, the CGI and SSI servlets are *not* mapped. You -->
+ <!-- must uncomment these mappings (or add them to your application's own -->
+ <!-- web.xml deployment descriptor) to enable these services -->
+
+ <!-- The mapping for the default servlet -->
+ <servlet-mapping>
+ <servlet-name>default</servlet-name>
+ <url-pattern>/</url-pattern>
+ </servlet-mapping>
+
+ <!-- The mapping for the invoker servlet -->
+<!--
+ <servlet-mapping>
+ <servlet-name>invoker</servlet-name>
+ <url-pattern>/servlet/*</url-pattern>
+ </servlet-mapping>
+-->
+
+ <!-- The mapping for the JSP servlet -->
+ <servlet-mapping>
+ <servlet-name>jsp</servlet-name>
+ <url-pattern>*.jsp</url-pattern>
+ </servlet-mapping>
+
+ <servlet-mapping>
+ <servlet-name>jsp</servlet-name>
+ <url-pattern>*.jspx</url-pattern>
+ </servlet-mapping>
+
+ <!-- The mapping for the SSI servlet -->
+<!--
+ <servlet-mapping>
+ <servlet-name>ssi</servlet-name>
+ <url-pattern>*.shtml</url-pattern>
+ </servlet-mapping>
+-->
+
+ <!-- The mapping for the CGI Gateway servlet -->
+
+<!--
+ <servlet-mapping>
+ <servlet-name>cgi</servlet-name>
+ <url-pattern>/cgi-bin/*</url-pattern>
+ </servlet-mapping>
+-->
+
+
+ <!-- ==================== Default Session Configuration ================= -->
+ <!-- You can set the default session timeout (in minutes) for all newly -->
+ <!-- created sessions by modifying the value below. -->
+
+ <session-config>
+ <session-timeout>30</session-timeout>
+ </session-config>
+
+
+ <!-- ===================== Default MIME Type Mappings =================== -->
+ <!-- When serving static resources, Tomcat will automatically generate -->
+ <!-- a "Content-Type" header based on the resource's filename extension, -->
+ <!-- based on these mappings. Additional mappings can be added here (to -->
+ <!-- apply to all web applications), or in your own application's web.xml -->
+ <!-- deployment descriptor. -->
+
+ <mime-mapping>
+ <extension>abs</extension>
+ <mime-type>audio/x-mpeg</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>ai</extension>
+ <mime-type>application/postscript</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>aif</extension>
+ <mime-type>audio/x-aiff</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>aifc</extension>
+ <mime-type>audio/x-aiff</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>aiff</extension>
+ <mime-type>audio/x-aiff</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>aim</extension>
+ <mime-type>application/x-aim</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>art</extension>
+ <mime-type>image/x-jg</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>asf</extension>
+ <mime-type>video/x-ms-asf</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>asx</extension>
+ <mime-type>video/x-ms-asf</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>au</extension>
+ <mime-type>audio/basic</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>avi</extension>
+ <mime-type>video/x-msvideo</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>avx</extension>
+ <mime-type>video/x-rad-screenplay</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>bcpio</extension>
+ <mime-type>application/x-bcpio</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>bin</extension>
+ <mime-type>application/octet-stream</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>bmp</extension>
+ <mime-type>image/bmp</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>body</extension>
+ <mime-type>text/html</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>cdf</extension>
+ <mime-type>application/x-cdf</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>cer</extension>
+ <mime-type>application/x-x509-ca-cert</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>class</extension>
+ <mime-type>application/java</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>cpio</extension>
+ <mime-type>application/x-cpio</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>csh</extension>
+ <mime-type>application/x-csh</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>css</extension>
+ <mime-type>text/css</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>dib</extension>
+ <mime-type>image/bmp</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>doc</extension>
+ <mime-type>application/msword</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>dtd</extension>
+ <mime-type>application/xml-dtd</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>dv</extension>
+ <mime-type>video/x-dv</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>dvi</extension>
+ <mime-type>application/x-dvi</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>eps</extension>
+ <mime-type>application/postscript</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>etx</extension>
+ <mime-type>text/x-setext</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>exe</extension>
+ <mime-type>application/octet-stream</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>gif</extension>
+ <mime-type>image/gif</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>gtar</extension>
+ <mime-type>application/x-gtar</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>gz</extension>
+ <mime-type>application/x-gzip</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>hdf</extension>
+ <mime-type>application/x-hdf</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>hqx</extension>
+ <mime-type>application/mac-binhex40</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>htc</extension>
+ <mime-type>text/x-component</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>htm</extension>
+ <mime-type>text/html</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>html</extension>
+ <mime-type>text/html</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>hqx</extension>
+ <mime-type>application/mac-binhex40</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>ief</extension>
+ <mime-type>image/ief</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>jad</extension>
+ <mime-type>text/vnd.sun.j2me.app-descriptor</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>jar</extension>
+ <mime-type>application/java-archive</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>java</extension>
+ <mime-type>text/plain</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>jnlp</extension>
+ <mime-type>application/x-java-jnlp-file</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>jpe</extension>
+ <mime-type>image/jpeg</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>jpeg</extension>
+ <mime-type>image/jpeg</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>jpg</extension>
+ <mime-type>image/jpeg</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>js</extension>
+ <mime-type>text/javascript</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>jsf</extension>
+ <mime-type>text/plain</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>jspf</extension>
+ <mime-type>text/plain</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>kar</extension>
+ <mime-type>audio/x-midi</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>latex</extension>
+ <mime-type>application/x-latex</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>m3u</extension>
+ <mime-type>audio/x-mpegurl</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>mac</extension>
+ <mime-type>image/x-macpaint</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>man</extension>
+ <mime-type>application/x-troff-man</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>mathml</extension>
+ <mime-type>application/mathml+xml</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>me</extension>
+ <mime-type>application/x-troff-me</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>mid</extension>
+ <mime-type>audio/x-midi</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>midi</extension>
+ <mime-type>audio/x-midi</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>mif</extension>
+ <mime-type>application/x-mif</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>mov</extension>
+ <mime-type>video/quicktime</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>movie</extension>
+ <mime-type>video/x-sgi-movie</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>mp1</extension>
+ <mime-type>audio/x-mpeg</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>mp2</extension>
+ <mime-type>audio/x-mpeg</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>mp3</extension>
+ <mime-type>audio/x-mpeg</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>mpa</extension>
+ <mime-type>audio/x-mpeg</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>mpe</extension>
+ <mime-type>video/mpeg</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>mpeg</extension>
+ <mime-type>video/mpeg</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>mpega</extension>
+ <mime-type>audio/x-mpeg</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>mpg</extension>
+ <mime-type>video/mpeg</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>mpv2</extension>
+ <mime-type>video/mpeg2</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>ms</extension>
+ <mime-type>application/x-wais-source</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>nc</extension>
+ <mime-type>application/x-netcdf</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>oda</extension>
+ <mime-type>application/oda</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>ogg</extension>
+ <mime-type>application/ogg</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>pbm</extension>
+ <mime-type>image/x-portable-bitmap</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>pct</extension>
+ <mime-type>image/pict</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>pdf</extension>
+ <mime-type>application/pdf</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>pgm</extension>
+ <mime-type>image/x-portable-graymap</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>pic</extension>
+ <mime-type>image/pict</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>pict</extension>
+ <mime-type>image/pict</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>pls</extension>
+ <mime-type>audio/x-scpls</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>png</extension>
+ <mime-type>image/png</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>pnm</extension>
+ <mime-type>image/x-portable-anymap</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>pnt</extension>
+ <mime-type>image/x-macpaint</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>ppm</extension>
+ <mime-type>image/x-portable-pixmap</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>ppt</extension>
+ <mime-type>application/powerpoint</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>ps</extension>
+ <mime-type>application/postscript</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>psd</extension>
+ <mime-type>image/x-photoshop</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>qt</extension>
+ <mime-type>video/quicktime</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>qti</extension>
+ <mime-type>image/x-quicktime</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>qtif</extension>
+ <mime-type>image/x-quicktime</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>ras</extension>
+ <mime-type>image/x-cmu-raster</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>rdf</extension>
+ <mime-type>application/rdf+xml</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>rgb</extension>
+ <mime-type>image/x-rgb</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>rm</extension>
+ <mime-type>application/vnd.rn-realmedia</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>roff</extension>
+ <mime-type>application/x-troff</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>rtf</extension>
+ <mime-type>application/rtf</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>rtx</extension>
+ <mime-type>text/richtext</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>sh</extension>
+ <mime-type>application/x-sh</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>shar</extension>
+ <mime-type>application/x-shar</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>smf</extension>
+ <mime-type>audio/x-midi</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>sit</extension>
+ <mime-type>application/x-stuffit</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>snd</extension>
+ <mime-type>audio/basic</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>src</extension>
+ <mime-type>application/x-wais-source</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>sv4cpio</extension>
+ <mime-type>application/x-sv4cpio</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>sv4crc</extension>
+ <mime-type>application/x-sv4crc</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>svg</extension>
+ <mime-type>image/svg+xml</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>swf</extension>
+ <mime-type>application/x-shockwave-flash</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>t</extension>
+ <mime-type>application/x-troff</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>tar</extension>
+ <mime-type>application/x-tar</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>tcl</extension>
+ <mime-type>application/x-tcl</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>tex</extension>
+ <mime-type>application/x-tex</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>texi</extension>
+ <mime-type>application/x-texinfo</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>texinfo</extension>
+ <mime-type>application/x-texinfo</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>tif</extension>
+ <mime-type>image/tiff</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>tiff</extension>
+ <mime-type>image/tiff</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>tr</extension>
+ <mime-type>application/x-troff</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>tsv</extension>
+ <mime-type>text/tab-separated-values</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>txt</extension>
+ <mime-type>text/plain</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>ulw</extension>
+ <mime-type>audio/basic</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>ustar</extension>
+ <mime-type>application/x-ustar</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>vxml</extension>
+ <mime-type>application/voicexml+xml</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>xbm</extension>
+ <mime-type>image/x-xbitmap</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>xht</extension>
+ <mime-type>application/xhtml+xml</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>xhtml</extension>
+ <mime-type>application/xhtml+xml</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>xml</extension>
+ <mime-type>application/xml</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>xpm</extension>
+ <mime-type>image/x-xpixmap</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>xsl</extension>
+ <mime-type>application/xml</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>xslt</extension>
+ <mime-type>application/xslt+xml</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>xul</extension>
+ <mime-type>application/vnd.mozilla.xul+xml</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>xwd</extension>
+ <mime-type>image/x-xwindowdump</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>wav</extension>
+ <mime-type>audio/x-wav</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>svg</extension>
+ <mime-type>image/svg</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>svgz</extension>
+ <mime-type>image/svg</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>vsd</extension>
+ <mime-type>application/x-visio</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <!-- Wireless Bitmap -->
+ <extension>wbmp</extension>
+ <mime-type>image/vnd.wap.wbmp</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <!-- WML Source -->
+ <extension>wml</extension>
+ <mime-type>text/vnd.wap.wml</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <!-- Compiled WML -->
+ <extension>wmlc</extension>
+ <mime-type>application/vnd.wap.wmlc</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <!-- WML Script Source -->
+ <extension>wmls</extension>
+ <mime-type>text/vnd.wap.wmlscript</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <!-- Compiled WML Script -->
+ <extension>wmlscriptc</extension>
+ <mime-type>application/vnd.wap.wmlscriptc</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>wrl</extension>
+ <mime-type>x-world/x-vrml</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>Z</extension>
+ <mime-type>application/x-compress</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>z</extension>
+ <mime-type>application/x-compress</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>zip</extension>
+ <mime-type>application/zip</mime-type>
+ </mime-mapping>
+
+
+ <!-- ==================== Default Welcome File List ===================== -->
+ <!-- When a request URI refers to a directory, the default servlet looks -->
+ <!-- for a "welcome file" within that directory and, if present, -->
+ <!-- to the corresponding resource URI for display. If no welcome file -->
+ <!-- is present, the default servlet either serves a directory listing, -->
+ <!-- or returns a 404 status, depending on how it is configured. -->
+ <!-- -->
+ <!-- If you define welcome files in your own application's web.xml -->
+ <!-- deployment descriptor, that list *replaces* the list configured -->
+ <!-- here, so be sure that you include any of the default values that -->
+ <!-- you wish to include. -->
+
+ <welcome-file-list>
+ <welcome-file>index.html</welcome-file>
+ <welcome-file>index.htm</welcome-file>
+ <welcome-file>index.jsp</welcome-file>
+ </welcome-file-list>
+
+</web-app>
diff --git a/pki/base/kra/shared/conf/workers.properties b/pki/base/kra/shared/conf/workers.properties
new file mode 100644
index 000000000..50d88557f
--- /dev/null
+++ b/pki/base/kra/shared/conf/workers.properties
@@ -0,0 +1,206 @@
+# workers.properties -
+#
+# This file provides jk derived plugins with the needed information to
+# connect to the different tomcat workers. Note that the distributed
+# version of this file requires modification before it is usable by a
+# plugin.
+#
+# As a general note, the characters $( and ) are used internally to define
+# macros. Do not use them in your own configuration!!!
+#
+# Whenever you see a set of lines such as:
+# x=value
+# y=$(x)\something
+#
+# the final value for y will be value\something
+#
+# Normaly all you will need to do is un-comment and modify the first three
+# properties, i.e. workers.tomcat_home, workers.java_home and ps.
+# Most of the configuration is derived from these.
+#
+# When you are done updating workers.tomcat_home, workers.java_home and ps
+# you should have 3 workers configured:
+#
+# - An ajp12 worker that connects to localhost:8007
+# - An ajp13 worker that connects to localhost:8009
+# - A jni inprocess worker.
+# - A load balancer worker
+#
+# However by default the plugins will only use the ajp12 worker. To have
+# the plugins use other workers you should modify the worker.list property.
+#
+#
+
+# OPTIONS ( very important for jni mode )
+
+#
+# workers.tomcat_home should point to the location where you
+# installed tomcat. This is where you have your conf, webapps and lib
+# directories.
+#
+workers.tomcat_home=/var/tomcat3
+
+#
+# workers.java_home should point to your Java installation. Normally
+# you should have a bin and lib directories beneath it.
+#
+workers.java_home=/opt/IBMJava2-13
+
+#
+# You should configure your environment slash... ps=\ on NT and / on UNIX
+# and maybe something different elsewhere.
+#
+ps=/
+
+#
+#------ ADVANCED MODE ------------------------------------------------
+#---------------------------------------------------------------------
+#
+
+#
+#------ DEFAULT worket list ------------------------------------------
+#---------------------------------------------------------------------
+#
+#
+# The workers that your plugins should create and work with
+#
+# Add 'inprocess' if you want JNI connector
+worker.list=ajp12, ajp13
+# , inprocess
+
+
+#
+#------ DEFAULT ajp12 WORKER DEFINITION ------------------------------
+#---------------------------------------------------------------------
+#
+
+#
+# Defining a worker named ajp12 and of type ajp12
+# Note that the name and the type do not have to match.
+#
+worker.ajp12.port=8007
+worker.ajp12.host=localhost
+worker.ajp12.type=ajp12
+#
+# Specifies the load balance factor when used with
+# a load balancing worker.
+# Note:
+# ----> lbfactor must be > 0
+# ----> Low lbfactor means less work done by the worker.
+worker.ajp12.lbfactor=1
+
+#
+#------ DEFAULT ajp13 WORKER DEFINITION ------------------------------
+#---------------------------------------------------------------------
+#
+
+#
+# Defining a worker named ajp13 and of type ajp13
+# Note that the name and the type do not have to match.
+#
+worker.ajp13.port=8009
+worker.ajp13.host=localhost
+worker.ajp13.type=ajp13
+#
+# Specifies the load balance factor when used with
+# a load balancing worker.
+# Note:
+# ----> lbfactor must be > 0
+# ----> Low lbfactor means less work done by the worker.
+worker.ajp13.lbfactor=1
+
+#
+# Specify the size of the open connection cache.
+#worker.ajp13.cachesize
+
+#
+#------ DEFAULT LOAD BALANCER WORKER DEFINITION ----------------------
+#---------------------------------------------------------------------
+#
+
+#
+# The loadbalancer (type lb) workers perform wighted round-robin
+# load balancing with sticky sessions.
+# Note:
+# ----> If a worker dies, the load balancer will check its state
+# once in a while. Until then all work is redirected to peer
+# workers.
+worker.loadbalancer.type=lb
+worker.loadbalancer.balanced_workers=ajp12, ajp13
+
+
+#
+#------ DEFAULT JNI WORKER DEFINITION---------------------------------
+#---------------------------------------------------------------------
+#
+
+#
+# Defining a worker named inprocess and of type jni
+# Note that the name and the type do not have to match.
+#
+worker.inprocess.type=jni
+
+#
+#------ CLASSPATH DEFINITION -----------------------------------------
+#---------------------------------------------------------------------
+#
+
+#
+# Additional class path components.
+#
+worker.inprocess.class_path=$(workers.tomcat_home)$(ps)lib$(ps)tomcat.jar
+
+#
+# Setting the command line for tomcat.
+# Note: The cmd_line string may not contain spaces.
+#
+worker.inprocess.cmd_line=start
+
+# Not needed, but can be customized.
+#worker.inprocess.cmd_line=-config
+#worker.inprocess.cmd_line=$(workers.tomcat_home)$(ps)conf$(ps)server.xml
+#worker.inprocess.cmd_line=-home
+#worker.inprocess.cmd_line=$(workers.tomcat_home)
+
+#
+# The JVM that we are about to use
+#
+# This is for Java2
+#
+# Windows
+worker.inprocess.jvm_lib=$(workers.java_home)$(ps)jre$(ps)bin$(ps)classic$(ps)jvm.dll
+# IBM JDK1.3
+#worker.inprocess.jvm_lib=$(workers.java_home)$(ps)jre$(ps)bin$(ps)classic$(ps)libjvm.so
+# Unix - Sun VM or blackdown
+#worker.inprocess.jvm_lib=$(workers.java_home)$(ps)jre$(ps)lib$(ps)i386$(ps)classic$(ps)libjvm.so
+
+#
+# And this is for jdk1.1.X
+#
+#worker.inprocess.jvm_lib=$(workers.java_home)$(ps)bin$(ps)javai.dll
+
+
+#
+# Setting the place for the stdout and stderr of tomcat
+#
+worker.inprocess.stdout=$(workers.tomcat_home)$(ps)logs$(ps)inprocess.stdout
+worker.inprocess.stderr=$(workers.tomcat_home)$(ps)logs$(ps)inprocess.stderr
+
+#
+# Setting the tomcat.home Java property
+#
+#worker.inprocess.sysprops=tomcat.home=$(workers.tomcat_home)
+
+#
+# Java system properties
+#
+# worker.inprocess.sysprops=java.compiler=NONE
+# worker.inprocess.sysprops=myprop=mypropvalue
+
+#
+# Additional path components.
+#
+# worker.inprocess.ld_path=d:$(ps)SQLLIB$(ps)bin
+#
+
+
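Review bot: The active values `workers.tomcat_home=/var/tomcat3`, `workers.java_home=/opt/IBMJava2-13` and the Windows `worker.inprocess.jvm_lib=...jvm.dll` line are upstream sample defaults that do not match the layout the rest of this commit installs (`[PKI_INSTANCE_PATH]`, `/usr/share/tomcat5`), so the jni worker cannot load if someone follows the `# Add 'inprocess' if you want JNI connector` hint. Whether mod_jk reads this file or only `workers.properties.minimal` is not visible here; if this one is dead, ship only the minimal file, otherwise substitute the instance tokens and move the Windows `jvm_lib` line under a comment in favour of the Unix one. The `ajp12` worker on port 8007 is also listed first in `worker.list`, and as far as I know Tomcat 5 no longer offers an ajp12 connector, so `worker.list=ajp13` is probably what is wanted, to be confirmed against the AJP `<Connector>` in this commit's `server.xml`.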
diff --git a/pki/base/kra/shared/conf/workers.properties.minimal b/pki/base/kra/shared/conf/workers.properties.minimal
new file mode 100644
index 000000000..e3b5942c2
--- /dev/null
+++ b/pki/base/kra/shared/conf/workers.properties.minimal
@@ -0,0 +1,17 @@
+# workers.properties.minimal -
+#
+# This file provides minimal jk configuration properties needed to
+# connect to Tomcat.
+#
+# The workers that jk should create and work with
+#
+worker.list=ajp13w
+
+
+#
+# Defining a worker named ajp13w and of type ajp13
+# Note that the name and the type do not have to match.
+#
+worker.ajp13w.type=ajp13
+worker.ajp13w.host=localhost
+worker.ajp13w.port=8009
diff --git a/pki/base/kra/shared/conf/workers2.properties b/pki/base/kra/shared/conf/workers2.properties
new file mode 100644
index 000000000..778118ff2
--- /dev/null
+++ b/pki/base/kra/shared/conf/workers2.properties
@@ -0,0 +1,132 @@
+[logger]
+level=DEBUG
+
+[config:]
+file=${serverRoot}/conf/workers2.properties
+debug=0
+debugEnv=0
+
+[uriMap:]
+info=Maps the requests. Options: debug
+debug=0
+
+# Alternate file logger
+#[logger.file:0]
+#level=DEBUG
+#file=${serverRoot}/logs/jk2.log
+
+[shm:]
+info=Scoreboard. Required for reconfiguration and status with multiprocess servers
+file=${serverRoot}/logs/jk2.shm
+size=1000000
+debug=0
+disabled=0
+
+[workerEnv:]
+info=Global server options
+timing=1
+debug=0
+# Default Native Logger (apache2 or win32 )
+# can be overriden to a file logger, useful
+# when tracing win32 related issues
+#logger=logger.file:0
+
+[lb:lb]
+info=Default load balancer.
+debug=0
+
+[lb:lb_1]
+info=A second load balancer.
+debug=0
+
+[channel.socket:localhost:8009]
+info=Ajp13 forwarding over socket
+debug=0
+tomcatId=localhost:8009
+
+[channel.socket:localhost:8019]
+info=A second tomcat instance.
+debug=0
+tomcatId=localhost:8019
+lb_factor=1
+#group=lb
+group:lb:lb
+#group=lb_1
+group:lb:lb_1
+disabled=0
+
+[channel.un:/opt/33/work/jk2.socket]
+info=A second channel connecting to localhost:8019 via unix socket
+tomcatId=localhost:8019
+lb_factor=1
+debug=0
+
+[channel.jni:jni]
+info=The jni channel, used if tomcat is started inprocess
+
+[status:]
+info=Status worker, displays runtime informations
+
+[vm:]
+info=Parameters used to load a JVM in the server process
+#JVM=C:\jdk\jre\bin\hotspot\jvm.dll
+classpath=${TOMCAT_HOME}/bin/tomcat-jni.jar
+classpath=${TOMCAT_HOME}/server/lib/commons-logging.jar
+OPT=-Dtomcat.home=${TOMCAT_HOME}
+OPT=-Dcatalina.home=${TOMCAT_HOME}
+OPT=-Xmx128M
+#OPT=-Djava.compiler=NONE
+disabled=1
+
+[worker.jni:onStartup]
+info=Command to be executed by the VM on startup. This one will start tomcat.
+class=org/apache/jk/apr/TomcatStarter
+ARG=start
+# For Tomcat 5 use the 'stard' for startup argument
+# ARG=stard
+disabled=1
+stdout=${serverRoot}/logs/stdout.log
+stderr=${serverRoot}/logs/stderr.log
+
+[worker.jni:onShutdown]
+info=Command to be executed by the VM on shutdown. This one will stop tomcat.
+class=org/apache/jk/apr/TomcatStarter
+ARG=stop
+disabled=1
+
+[uri:/jkstatus/*]
+info=Display status information and checks the config file for changes.
+group=status:
+
+[uri:127.0.0.1:8003]
+info=Example virtual host. Make sure myVirtualHost is in /etc/hosts to test it
+alias=myVirtualHost:8003
+
+[uri:127.0.0.1:8003/ex]
+info=Example webapp in the virtual host. It'll go to lb_1 ( i.e. localhost:8019 )
+context=/ex
+group=lb_1
+
+[uri:/examples]
+info=Example webapp in the default context.
+context=/examples
+debug=0
+
+[uri:/examples1/*]
+info=A second webapp, this time going to the second tomcat only.
+group=lb_1
+debug=0
+
+[uri:/examples/servlet/*]
+info=Prefix mapping
+
+[uri:/examples/*.jsp]
+info=Extension mapping
+
+[uri:/examples/*]
+info=Map the whole webapp
+
+[uri:/examples/servlet/HelloW]
+info=Example with debug enabled.
+debug=10
+
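Review bot: `[uri:/jkstatus/*]` maps the status worker with no access restriction in this file, and by its own `info=` that worker both displays runtime information and re-checks the config file, so on a KRA front end this section should be dropped or the URI limited to loopback/administrators in the httpd configuration before the instance ships. The same file sets `[logger] level=DEBUG` and keeps the upstream example sections (`[uri:127.0.0.1:8003]`, `[uri:/examples/*]`, `[channel.un:/opt/33/work/jk2.socket]`, `[channel.socket:localhost:8019]`), which log verbosely and forward contexts and a second Tomcat that presumably do not exist on a KRA instance; `level=ERROR`, as `workers2.properties.minimal` already uses, and removing the example sections would be the safer default. Which of the two `workers2` files the Apache side actually loads is not visible in this hunk.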
diff --git a/pki/base/kra/shared/conf/workers2.properties.minimal b/pki/base/kra/shared/conf/workers2.properties.minimal
new file mode 100644
index 000000000..41a0ba6c1
--- /dev/null
+++ b/pki/base/kra/shared/conf/workers2.properties.minimal
@@ -0,0 +1,55 @@
+#
+# This is the minimal JK2 connector configuration file.
+#
+
+[logger]
+info=Native logger
+level=ERROR
+
+[config:]
+file=${serverRoot}/conf/workers2.properties
+debug=0
+debugEnv=0
+
+[uriMap:]
+info=Maps the requests.
+debug=0
+
+[shm:]
+info=Scoreboard. Required for reconfiguration and status with multiprocess servers
+file=anonymous
+debug=0
+
+[workerEnv:]
+info=Global server options
+timing=0
+debug=0
+
+[lb:lb]
+info=Default load balancer.
+debug=0
+
+[channel.socket:localhost:8009]
+info=Ajp13 forwarding over socket
+debug=0
+tomcatId=localhost:8009
+
+[uri:/admin]
+info=Tomcat HTML based administration web application.
+debug=0
+
+[uri:/manager]
+info=A scriptable management web application for the Tomcat Web Server.
+debug=0
+
+[uri:/jsp-examples]
+info=JSP 2.0 Examples.
+debug=0
+
+[uri:/servlets-examples]
+info=Servlet 2.4 Examples.
+debug=0
+
+[uri:/*.jsp]
+info=JSP Extension mapping.
+debug=0
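Review bot: `[uri:/admin]` and `[uri:/manager]` forward the Tomcat administration and manager web applications through the connector, which on a KRA instance exposes two management interfaces the subsystem presumably does not need; unless those contexts are deployed and access-controlled elsewhere, these two sections (and `[uri:/jsp-examples]`, `[uri:/servlets-examples]`) should be removed so that only the PKI contexts are reachable over AJP. Separately, `[config:] file=${serverRoot}/conf/workers2.properties` names the full sample file rather than this minimal one, so the reload/status logic appears to watch a file other than the one in use; the value should name the file as it is actually installed, e.g. `file=${serverRoot}/conf/workers2.properties.minimal` if it is kept under that name.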
diff --git a/pki/base/kra/shared/etc/init.d/httpd b/pki/base/kra/shared/etc/init.d/httpd
new file mode 100755
index 000000000..6ea01c9b9
--- /dev/null
+++ b/pki/base/kra/shared/etc/init.d/httpd
@@ -0,0 +1,929 @@
+#!/bin/bash
+#
+# --- BEGIN COPYRIGHT BLOCK ---
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; version 2 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License along
+# with this program; if not, write to the Free Software Foundation, Inc.,
+# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# Copyright (C) 2007 Red Hat, Inc.
+# All rights reserved.
+# --- END COPYRIGHT BLOCK ### ---
+#
+# Startup script for Tomcat 5.0, the Apache Servlet Engine
+#
+# chkconfig: - 80 20
+# description: Tomcat 5.0 is the Apache Servlet Engine RI
+# for Servlet 2.4/JSP 2.0
+# processname: tomcat
+# pidfile: /var/run/tomcat5.pid
+# config: /etc/tomcat5/tomcat5.conf
+#
+# Gomez Henri <hgomez@users.sourceforge.net>
+# Keith Irwin <keith_irwin@non.hp.com>
+# Nicolas Mailhot <nicolas.mailhot@one2team.com>
+#
+# version 1.02 - Removed initlog support
+# version 1.03 - Removed config:
+# version 1.04 - tomcat will start before httpd and stop after httpd
+# version 1.05 - jdk hardcoded to link /usr/java/jdk and tomcat runs
+# as "nobody"
+# version 1.06 - split up into script and config file
+# version 1.07 - Rework from Nicolas ideas
+# version 1.08 - Fix work dir permission at start time, switch to use tomcat4
+# version 1.09 - Fix pidfile and config tags
+# version 1.10 - Fallback to su direct use on systems without
+# Redhat/Mandrake init.d functions
+# version 1.11 - Fix webapps dir permissions
+# version 1.12 - remove initial start/stop level for chkconfig (- 80 20)
+# version 1.13 - remove chown of logs/work/temp/webapps dir,
+# owned by tomcat4 at install time
+# version 1.14 - correct the start/stop ugly hack by waiting
+# all the threads stops
+# version 1.15 - ensure we're looking for TOMCAT_USER running catalina
+# version 1.16 - Add support for CATALINA_PID env var
+# version 1.17 - Remove run files only tomcat started correctl
+# in start area, check that tomcat is not allready running
+# version 1.18 - Fix kill typo (thanks Kaj J. Niemi)
+# version 1.19 - Add jar relinking
+# version 1.20 - Check there is no stalling tomcat4.pid
+# version 1.20tc5 - Changed all instances of tomcat4 to
+# tomcat5 except TOMCAT_USER
+# version 1.20tc5rh - Changed TOMCAT_USER from tomcat4 to tomcat
+#
+
+# Check to insure that this script's original invocation directory
+# has not been deleted!
+CWD=`/bin/pwd > /dev/null 2>&1`
+if [ $? -ne 0 ] ; then
+ echo "Cannot invoke '$0' from non-existent directory!"
+ exit 255
+fi
+
+# Check to insure that at least one PKI subsystem
+# currently resides on this system.
+if [ ! -x /usr/bin/pkiarch ] ||
+ [ ! -x /usr/bin/pkiflavor ] ||
+ [ ! -x /usr/bin/pkiname ]; then
+ echo "This machine is missing all PKI subsystems!"
+ exit 255
+fi
+
+# Check to insure that this script's associated PKI
+# subsystem currently resides on this system.
+PKI_SUBSYSTEM_TYPE=[PKI_SUBSYSTEM_TYPE]
+if [ ! -d /usr/share/`pkiflavor`/${PKI_SUBSYSTEM_TYPE} ] ; then
+ echo "This machine is missing the '${PKI_SUBSYSTEM_TYPE}' subsystem!"
+ exit 255
+fi
+
+# Obtain the operating system upon which this script is being executed
+OS=`pkiname`
+
+# This script must be run as root!
+RV=0
+if [ ${OS} = "Linux" ] ; then
+ if [ `id -u` -ne 0 ] ; then
+ echo "Must be 'root' to execute '$0'!"
+ exit 1
+ fi
+elif [ ${OS} = "SunOS" ] ; then
+ if [ `/usr/xpg4/bin/id -u` -ne 0 ] ; then
+ echo "Must be 'root' to execute '$0'!"
+ exit 1
+ fi
+else
+ echo "Unsupported OS '${OS}'!"
+ exit 1
+fi
+
+# Source function library.
+if [ -x /etc/init.d/functions ]; then
+ . /etc/init.d/functions
+else
+ # The checkpid() function is provided for platforms that do not
+ # contain the "/etc/init.d/functions" file (e. g. - Solaris) . . .
+
+ # Check if $pid (could be plural) are running (keep count)
+ checkpid()
+ {
+ rv=0
+ for i in $* ; do
+ ps -p $i > /dev/null 2>&1 ;
+ if [ $? -ne 0 ] ; then
+ rv=`expr $rv + 1`
+ else
+ rv=`expr $rv + 0`
+ fi
+ done
+ # echo "rv=$rv"
+ return $rv
+ }
+
+ # Create the following directories on platforms
+ # where they do not exist (e. g. - Solaris) . . .
+ if [ ! -d /var/lock/subsys ] ; then
+ mkdir -p /var/lock/subsys
+ fi
+
+ #######################################################################
+ ## NOTE: The following code needs to eventually be moved into the ##
+ ## template used to create the "/etc/<instance>/tomcat5.conf" ##
+ ## file! ##
+ #######################################################################
+
+ if [ ${OS} = "SunOS" ] ; then
+ DEFAULT_SOLARIS_JAVA_HOME="/usr/jdk/instances/jdk1.5.0/jre"
+ DEFAULT_LINUX_JAVA_HOME="/usr/lib/jvm/jre"
+ DEFAULT_LINUX_JAVA_HOME_PATH=`dirname ${DEFAULT_LINUX_JAVA_HOME}`
+
+ # ensure that the Sun JRE 1.5.0 exists at the default location
+ if [ -d ${DEFAULT_SOLARIS_JAVA_HOME} ] ; then
+ # create the directory in which the symlink resides (if necessary)
+ if [ ! -d ${DEFAULT_LINUX_JAVA_HOME_PATH} ] ; then
+ mkdir -p ${DEFAULT_LINUX_JAVA_HOME_PATH}
+ fi
+ # create the actual symlink (if necessary)
+ if [ ! -h ${DEFAULT_LINUX_JAVA_HOME} ] ; then
+ ln -s ${DEFAULT_SOLARIS_JAVA_HOME} ${DEFAULT_LINUX_JAVA_HOME}
+ fi
+ else
+ # for now, simply exit with an appropriate error message
+ echo -n "The Solaris 1.5.0 JRE must be installed "
+ echo -n "at \"${DEFAULT_SOLARIS_JAVA_HOME}\"!"
+ echo
+ echo
+ exit 255
+ fi
+ fi
+fi
+
+#Use CATALINA_BASE
+
+CATALINA_BASE=[PKI_INSTANCE_PATH]
+export CATALINA_BASE
+
+# Get Tomcat config
+
+TOMCAT_CFG="[PKI_INSTANCE_PATH]/conf/tomcat5.conf"
+
+[ -r "$TOMCAT_CFG" ] && . "${TOMCAT_CFG}"
+
+# Path to the tomcat launch script (direct don't use wrapper)
+TOMCAT_SCRIPT=/usr/bin/dtomcat5-[PKI_INSTANCE_ID]
+
+# Path to the script that will refresh jar symlinks on startup
+if [ ${OS} = "Linux" ] ; then
+ TOMCAT_RELINK_SCRIPT="/usr/share/tomcat5/bin/relink"
+fi
+
+# Tomcat name :)
+TOMCAT_PROG=[PKI_INSTANCE_ID]
+
+# if TOMCAT_USER is not set, use tomcat5 like Apache HTTP server
+if [ -z "$TOMCAT_USER" ]; then
+ TOMCAT_USER="[PKI_USER]"
+fi
+
+# if TOMCAT_GROUP is not set, use tomcat5 like Apache HTTP server
+if [ -z "$TOMCAT_GROUP" ]; then
+ TOMCAT_GROUP="[PKI_GROUP]"
+fi
+
+# Since the daemon function will sandbox $tomcat
+# no environment stuff should be defined here anymore.
+# Please use the /etc/tomcat.conf file instead ; it will
+# be read by the $tomcat script
+
+RETVAL=0
+
+get_pki_secure_port()
+{
+ # establish well-known strings
+ begin_ssl_comment="<!-- DO NOT REMOVE - Begin define PKI secure port -->"
+ end_ssl_comment="<!-- DO NOT REMOVE - End define PKI secure port -->"
+ connector_statement="<Connector port=\""
+
+ # initialize looping variables
+ ssl_comment_found=0
+
+ # first check to see that an instance-specific "server.xml" file exists
+ if [ ! -f [PKI_SERVER_XML_CONF] ] ; then
+ echo "File '[PKI_SERVER_XML_CONF]' does not exist!"
+ exit 255
+ fi
+
+ # read this instance-specific "server.xml" file line-by-line
+ # to obtain the current value of the PKI secure port
+ exec < [PKI_SERVER_XML_CONF]
+ while read line; do
+ # first look for the well-known end SSL comment
+ # (to turn off processing)
+ if [ "$line" == "$end_ssl_comment" ] ; then
+ ssl_comment_found=0
+ fi
+
+ # then look for the well-known begin SSL comment
+ # (to turn on processing)
+ if [ "$line" == "$begin_ssl_comment" ] ; then
+ ssl_comment_found=1
+ fi
+
+ # once the well-known begin SSL comment has been found,
+ # begin processing to obtain the numeric port information
+ if [ $ssl_comment_found -eq 1 ] ; then
+ # look for the next Connector statement
+ head=`echo $line | cut -b1-17`
+ if [ "$head" == "$connector_statement" ] ; then
+ # once the Connector statement has been found,
+ tail=`echo $line | cut -b18-`
+ # extract the numeric port information
+ port=`echo $tail | cut -d\" -f1`
+ PKI_SECURE_PORT=$port
+ return 0
+ fi
+ fi
+ done
+
+ return 255
+}
+
+# See how we were called.
+start()
+{
+ echo -n "Starting $TOMCAT_PROG: "
+
+ if [ -f /var/lock/subsys/[PKI_INSTANCE_ID] ] ; then
+ if [ -f /var/run/[PKI_INSTANCE_ID].pid ]; then
+ read kpid < /var/run/[PKI_INSTANCE_ID].pid
+ if checkpid $kpid 2>&1; then
+ echo
+ echo "process already running"
+ return -1
+ else
+ echo
+ echo -n "lock file found but no process "
+ echo -n "running for pid $kpid, continuing"
+ echo
+ echo
+ fi
+ fi
+ fi
+
+ CATALINA_PID=/var/run/[PKI_INSTANCE_ID].pid
+ export CATALINA_PID
+ touch $CATALINA_PID
+ chown $TOMCAT_USER:$TOMCAT_GROUP $CATALINA_PID
+ [ -x /sbin/restorecon ] && /sbin/restorecon $CATALINA_PID
+
+ # Always initialize CLASSPATH to start looking
+ # in the local PKI classes directory . . .
+ CLASSPATH=/usr/share/[PKI_FLAVOR]/classes
+
+ if [ ${OS} = "Linux" ] ; then
+ $TOMCAT_RELINK_SCRIPT
+ elif [ ${OS} = "SunOS" ] ; then
+ # The following definitions are provided for Solaris
+ # platforms since they are unable to execute the
+ # "/usr/share/tomcat5/bin/relink",
+ # "/usr/bin/rebuild-jar-repository", and
+ # "/usr/share/java-utils/java-functions" files . . .
+
+ #######################################
+ ## /var/lib/tomcat5/common/lib:
+ #######################################
+
+ # Build the tomcat jar classpath . . .
+ CLASSPATH="$CLASSPATH":/usr/share/java/ant.jar
+ CLASSPATH="$CLASSPATH":/usr/share/java/commons-collections.jar
+ CLASSPATH="$CLASSPATH":/usr/share/java/commons-dbcp.jar
+ CLASSPATH="$CLASSPATH":/usr/share/java/commons-el.jar
+ CLASSPATH="$CLASSPATH":/usr/share/java/commons-logging-api.jar
+ CLASSPATH="$CLASSPATH":/usr/share/java/commons-pool.jar
+ CLASSPATH="$CLASSPATH":/usr/share/java/geronimo/spec-ejb-2.1.jar
+ CLASSPATH="$CLASSPATH":/usr/share/java/geronimo/spec-j2ee-1.4.jar
+ CLASSPATH="$CLASSPATH":/usr/share/java/geronimo/spec-j2ee-connector-1.5.jar
+ CLASSPATH="$CLASSPATH":/usr/share/java/geronimo/spec-j2ee-deployment-1.1.jar
+ CLASSPATH="$CLASSPATH":/usr/share/java/geronimo/spec-j2ee-jacc-1.0.jar
+ CLASSPATH="$CLASSPATH":/usr/share/java/geronimo/spec-j2ee-management-1.0.jar
+ CLASSPATH="$CLASSPATH":/usr/share/java/geronimo/spec-j2eeschema-1.0.jar
+ CLASSPATH="$CLASSPATH":/usr/share/java/geronimo/spec-jms-1.1.jar
+ CLASSPATH="$CLASSPATH":/usr/share/java/geronimo/spec-jsp-2.0.jar
+ CLASSPATH="$CLASSPATH":/usr/share/java/geronimo/spec-jta-1.0.1B.jar
+ CLASSPATH="$CLASSPATH":/usr/share/java/geronimo/spec-servlet-2.4.jar
+ CLASSPATH="$CLASSPATH":/usr/share/java/jaf.jar
+ CLASSPATH="$CLASSPATH":/usr/share/java/jakarta-commons-collections.jar
+ CLASSPATH="$CLASSPATH":/usr/share/java/jakarta-commons-modeler.jar
+ CLASSPATH="$CLASSPATH":/usr/share/java/jasper5-compiler.jar
+ CLASSPATH="$CLASSPATH":/usr/share/java/jasper5-runtime.jar
+ CLASSPATH="$CLASSPATH":/usr/share/java/javamail/imap.jar
+ CLASSPATH="$CLASSPATH":/usr/share/java/javamail/mailapi.jar
+ CLASSPATH="$CLASSPATH":/usr/share/java/javamail/nntp.jar
+ CLASSPATH="$CLASSPATH":/usr/share/java/javamail/pop3.jar
+ CLASSPATH="$CLASSPATH":/usr/share/java/javamail/providers.jar
+ CLASSPATH="$CLASSPATH":/usr/share/java/javamail/smtp.jar
+
+ # BEGIN LINUX-SPECIFIC FILE
+ # CLASSPATH="$CLASSPATH":/usr/share/java/jdtCompilerAdapter.jar
+ # CLASSPATH="$CLASSPATH":/usr/share/java/jdtcore.jar
+ # CLASSPATH="$CLASSPATH":/usr/share/java/jsp.jar
+ # END LINUX-SPECIFIC FILE
+
+ CLASSPATH="$CLASSPATH":/usr/share/java/mx4j/mx4j.jar
+ CLASSPATH="$CLASSPATH":/usr/share/java/mx4j/mx4j-impl.jar
+ CLASSPATH="$CLASSPATH":/usr/share/java/mx4j/mx4j-jmx.jar
+ CLASSPATH="$CLASSPATH":/usr/share/java/mx4j/mx4j-remote.jar
+ CLASSPATH="$CLASSPATH":/usr/share/java/mx4j/mx4j-rimpl.jar
+ CLASSPATH="$CLASSPATH":/usr/share/java/mx4j/mx4j-rjmx.jar
+ CLASSPATH="$CLASSPATH":/usr/share/java/mx4j/mx4j-tools.jar
+
+ # BEGIN LINUX-SPECIFIC FILE
+ # CLASSPATH="$CLASSPATH":/usr/share/java/servlet.jar
+ # END LINUX-SPECIFIC FILE
+
+ CLASSPATH="$CLASSPATH":/usr/share/java/avalon-logkit.jar
+ CLASSPATH="$CLASSPATH":/usr/share/java/cmsutil.jar
+ CLASSPATH="$CLASSPATH":/usr/share/java/commons-logging.jar
+ if [ `pkiarch` = "sparc" ] ; then
+ CLASSPATH="$CLASSPATH":/usr/lib/java/dirsec/jss4.jar
+ elif [ `pkiarch` = "sparcv9" ] ; then
+ CLASSPATH="$CLASSPATH":/usr/lib/`pkiarch`/java/dirsec/jss4.jar
+ fi
+ CLASSPATH="$CLASSPATH":/usr/share/java/ldapjdk.jar
+ CLASSPATH="$CLASSPATH":/var/lib/tomcat5/common/lib/naming-factory.jar
+ CLASSPATH="$CLASSPATH":/var/lib/tomcat5/common/lib/naming-resources.jar
+ CLASSPATH="$CLASSPATH":/usr/share/java/`pkiflavor`/nsutil.jar
+ if [ `pkiarch` = "sparc" ] ; then
+ CLASSPATH="$CLASSPATH":/usr/lib/java/osutil.jar
+ elif [ `pkiarch` = "sparcv9" ] ; then
+ CLASSPATH="$CLASSPATH":/usr/lib/`pkiarch`/java/osutil.jar
+ fi
+ CLASSPATH="$CLASSPATH":/usr/share/java/rhino.jar
+ CLASSPATH="$CLASSPATH":/usr/share/java/servletapi5.jar
+ if [ `pkiarch` = "sparc" ] ; then
+ CLASSPATH="$CLASSPATH":/usr/lib/java/symkey.jar
+ elif [ `pkiarch` = "sparcv9" ] ; then
+ CLASSPATH="$CLASSPATH":/usr/lib/`pkiarch`/java/symkey.jar
+ fi
+ CLASSPATH="$CLASSPATH":/usr/share/java/velocity.jar
+ CLASSPATH="$CLASSPATH":/usr/share/java/xalan-j2.jar
+ CLASSPATH="$CLASSPATH":/usr/share/java/xerces-j2.jar
+
+ # Relink tomcat jar repositories . . .
+ cd /var/lib/tomcat5/common/lib
+
+ if [ ! -e /var/lib/tomcat5/common/lib/\[ant\].jar ]; then
+ ln -s /usr/share/java/ant.jar [ant].jar
+ fi
+ if [ ! -e /var/lib/tomcat5/common/lib/\[commons\-collections\].jar ]; then
+ ln -s /usr/share/java/commons-collections.jar [commons-collections].jar
+ fi
+ if [ ! -e /var/lib/tomcat5/common/lib/\[commons\-dbcp\].jar ]; then
+ ln -s /usr/share/java/commons-dbcp.jar [commons-dbcp].jar
+ fi
+ if [ ! -e /var/lib/tomcat5/common/lib/\[commons\-el\].jar ]; then
+ ln -s /usr/share/java/commons-el.jar [commons-el].jar
+ fi
+ if [ ! -e /var/lib/tomcat5/common/lib/\[commons\-logging-api\].jar ]; then
+ ln -s /usr/share/java/commons-logging-api.jar [commons-logging-api].jar
+ fi
+ if [ ! -e /var/lib/tomcat5/common/lib/\[commons\-pool\].jar ]; then
+ ln -s /usr/share/java/commons-pool.jar [commons-pool].jar
+ fi
+ if [ ! -e /var/lib/tomcat5/common/lib/\[geronimo\]spec\-ejb\-2.1\-rc2.jar ]; then
+ ln -s /usr/share/java/geronimo/spec-ejb-2.1-rc2.jar [geronimo]spec-ejb-2.1-rc2.jar
+ fi
+ if [ ! -e /var/lib/tomcat5/common/lib/\[geronimo\]spec\-ejb\-2.1.jar ]; then
+ ln -s /usr/share/java/geronimo/spec-ejb-2.1.jar [geronimo]spec-ejb-2.1.jar
+ fi
+ if [ ! -e /var/lib/tomcat5/common/lib/\[geronimo\]spec\-j2ee\-1.4\-rc2.jar ]; then
+ ln -s /usr/share/java/geronimo/spec-j2ee-1.4-rc2.jar [geronimo]spec-j2ee-1.4-rc2.jar
+ fi
+ if [ ! -e /var/lib/tomcat5/common/lib/\[geronimo\]spec\-j2ee\-1.4.jar ]; then
+ ln -s /usr/share/java/geronimo/spec-j2ee-1.4.jar [geronimo]spec-j2ee-1.4.jar
+ fi
+ if [ ! -e /var/lib/tomcat5/common/lib/\[geronimo\]spec\-j2ee\-connector\-1.5\-rc2.jar ]; then
+ ln -s /usr/share/java/geronimo/spec-j2ee-connector-1.5-rc2.jar [geronimo]spec-j2ee-connector-1.5-rc2.jar
+ fi
+ if [ ! -e /var/lib/tomcat5/common/lib/\[geronimo\]spec\-j2ee\-connector\-1.5.jar ]; then
+ ln -s /usr/share/java/geronimo/spec-j2ee-connector-1.5.jar [geronimo]spec-j2ee-connector-1.5.jar
+ fi
+ if [ ! -e /var/lib/tomcat5/common/lib/\[geronimo\]spec\-j2ee\-deployment\-1.1\-rc2.jar ]; then
+ ln -s /usr/share/java/geronimo/spec-j2ee-deployment-1.1-rc2.jar [geronimo]spec-j2ee-deployment-1.1-rc2.jar
+ fi
+ if [ ! -e /var/lib/tomcat5/common/lib/\[geronimo\]spec\-j2ee\-deployment\-1.1.jar ]; then
+ ln -s /usr/share/java/geronimo/spec-j2ee-deployment-1.1.jar [geronimo]spec-j2ee-deployment-1.1.jar
+ fi
+ if [ ! -e /var/lib/tomcat5/common/lib/\[geronimo\]spec\-j2ee\-jacc\-1.0\-rc2.jar ]; then
+ ln -s /usr/share/java/geronimo/spec-j2ee-jacc-1.0-rc2.jar [geronimo]spec-j2ee-jacc-1.0-rc2.jar
+ fi
+ if [ ! -e /var/lib/tomcat5/common/lib/\[geronimo\]spec\-j2ee\-jacc\-1.0.jar ]; then
+ ln -s /usr/share/java/geronimo/spec-j2ee-jacc-1.0.jar [geronimo]spec-j2ee-jacc-1.0.jar
+ fi
+ if [ ! -e /var/lib/tomcat5/common/lib/\[geronimo\]spec\-j2ee\-management\-1.0\-rc2.jar ]; then
+ ln -s /usr/share/java/geronimo/spec-j2ee-management-1.0-rc2.jar [geronimo]spec-j2ee-management-1.0-rc2.jar
+ fi
+ if [ ! -e /var/lib/tomcat5/common/lib/\[geronimo\]spec\-j2ee\-management\-1.0.jar ]; then
+ ln -s /usr/share/java/geronimo/spec-j2ee-management-1.0.jar [geronimo]spec-j2ee-management-1.0.jar
+ fi
+ if [ ! -e /var/lib/tomcat5/common/lib/\[geronimo\]spec\-j2eeschema\-1.0\-M2.jar ]; then
+ ln -s /usr/share/java/geronimo/spec-j2eeschema-1.0-M2.jar [geronimo]spec-j2eeschema-1.0-M2.jar
+ fi
+ if [ ! -e /var/lib/tomcat5/common/lib/\[geronimo\]spec\-j2eeschema\-1.0.jar ]; then
+ ln -s /usr/share/java/geronimo/spec-j2eeschema-1.0.jar [geronimo]spec-j2eeschema-1.0.jar
+ fi
+ if [ ! -e /var/lib/tomcat5/common/lib/\[geronimo\]spec\-jms\-1.1\-rc2.jar ]; then
+ ln -s /usr/share/java/geronimo/spec-jms-1.1-rc2.jar [geronimo]spec-jms-1.1-rc2.jar
+ fi
+ if [ ! -e /var/lib/tomcat5/common/lib/\[geronimo\]spec\-jms\-1.1.jar ]; then
+ ln -s /usr/share/java/geronimo/spec-jms-1.1.jar [geronimo]spec-jms-1.1.jar
+ fi
+ if [ ! -e /var/lib/tomcat5/common/lib/\[geronimo\]spec\-jsp\-2.0\-rc2.jar ]; then
+ ln -s /usr/share/java/geronimo/spec-jsp-2.0-rc2.jar [geronimo]spec-jsp-2.0-rc2.jar
+ fi
+ if [ ! -e /var/lib/tomcat5/common/lib/\[geronimo\]spec\-jsp\-2.0.jar ]; then
+ ln -s /usr/share/java/geronimo/spec-jsp-2.0.jar [geronimo]spec-jsp-2.0.jar
+ fi
+ if [ ! -e /var/lib/tomcat5/common/lib/\[geronimo\]spec-jta-1.0.1B-rc2.jar ]; then
+ ln -s /usr/share/java/geronimo/spec-jta-1.0.1B-rc2.jar [geronimo]spec-jta-1.0.1B-rc2.jar
+ fi
+ if [ ! -e /var/lib/tomcat5/common/lib/\[geronimo\]spec\-jta\-1.0.1B.jar ]; then
+ ln -s /usr/share/java/geronimo/spec-jta-1.0.1B.jar [geronimo]spec-jta-1.0.1B.jar
+ fi
+ if [ ! -e /var/lib/tomcat5/common/lib/\[geronimo\]spec\-servlet\-2.4\-rc2.jar ]; then
+ ln -s /usr/share/java/geronimo/spec-servlet-2.4-rc2.jar [geronimo]spec-servlet-2.4-rc2.jar
+ fi
+ if [ ! -e /var/lib/tomcat5/common/lib/\[geronimo\]spec\-servlet\-2.4.jar ]; then
+ ln -s /usr/share/java/geronimo/spec-servlet-2.4.jar [geronimo]spec-servlet-2.4.jar
+ fi
+ if [ ! -e /var/lib/tomcat5/common/lib/\[jaf\].jar ]; then
+ ln -s /usr/share/java/jaf.jar [jaf].jar
+ fi
+
+ ### BEGIN SOLARIS-SPECIFIC LINKS
+ ### if [ ! -e /var/lib/tomcat5/common/lib/\[jakarta\-commons\-collections.jar\] ]; then
+ ### ln -s /usr/share/java/jakarta-commons-collections.jar [jakarta-commons-collections.jar]
+ ### fi
+ ### if [ ! -e /var/lib/tomcat5/common/lib/\[jakarta\-commons\-modeler.jar\] ]; then
+ ### ln -s /usr/share/java/jakarta-commons-modeler.jar [jakarta-commons-modeler.jar]
+ ### fi
+ ### END SOLARIS-SPECIFIC LINKS
+
+ ### if [ ! -e /var/lib/tomcat5/common/lib/\[jasper5\-compiler\].jar ]; then
+ ### ln -s /usr/share/java/jasper5-compiler.jar [jasper5-compiler].jar
+ ### fi
+ ### if [ ! -e /var/lib/tomcat5/common/lib/\[jasper5\-runtime\].jar ]; then
+ ### ln -s /usr/share/java/jasper5-runtime.jar [jasper5-runtime].jar
+ ### fi
+
+ if [ ! -e /var/lib/tomcat5/common/lib/\[javamail\]imap\-1.3.1.jar ]; then
+ ln -s /usr/share/java/javamail/imap-1.3.1.jar [javamail]imap-1.3.1.jar
+ fi
+ if [ ! -e /var/lib/tomcat5/common/lib/\[javamail\]imap.jar ]; then
+ ln -s /usr/share/java/javamail/imap.jar [javamail]imap.jar
+ fi
+ if [ ! -e /var/lib/tomcat5/common/lib/\[javamail\]mailapi\-1.3.1.jar ]; then
+ ln -s /usr/share/java/javamail/mailapi-1.3.1.jar [javamail]mailapi-1.3.1.jar
+ fi
+ if [ ! -e /var/lib/tomcat5/common/lib/\[javamail\]mailapi.jar ]; then
+ ln -s /usr/share/java/javamail/mailapi.jar [javamail]mailapi.jar
+ fi
+ if [ ! -e /var/lib/tomcat5/common/lib/\[javamail\]nntp\-1.3.1.jar ]; then
+ ln -s /usr/share/java/javamail/nntp-1.3.1.jar [javamail]nntp-1.3.1.jar
+ fi
+ if [ ! -e /var/lib/tomcat5/common/lib/\[javamail\]nntp.jar ]; then
+ ln -s /usr/share/java/javamail/nntp.jar [javamail]nntp.jar
+ fi
+ if [ ! -e /var/lib/tomcat5/common/lib/\[javamail\]pop3\-1.3.1.jar ]; then
+ ln -s /usr/share/java/javamail/pop3-1.3.1.jar [javamail]pop3-1.3.1.jar
+ fi
+ if [ ! -e /var/lib/tomcat5/common/lib/\[javamail\]pop3.jar ]; then
+ ln -s /usr/share/java/javamail/pop3.jar [javamail]pop3.jar
+ fi
+ if [ ! -e /var/lib/tomcat5/common/lib/\[javamail\]providers\-1.3.1.jar ]; then
+ ln -s /usr/share/java/javamail/providers-1.3.1.jar [javamail]providers-1.3.1.jar
+ fi
+ if [ ! -e /var/lib/tomcat5/common/lib/\[javamail\]providers.jar ]; then
+ ln -s /usr/share/java/javamail/providers.jar [javamail]providers.jar
+ fi
+ if [ ! -e /var/lib/tomcat5/common/lib/\[javamail\]smtp\-1.3.1.jar ]; then
+ ln -s /usr/share/java/javamail/smtp-1.3.1.jar [javamail]smtp-1.3.1.jar
+ fi
+ if [ ! -e /var/lib/tomcat5/common/lib/\[javamail\]smtp.jar ]; then
+ ln -s /usr/share/java/javamail/smtp.jar [javamail]smtp.jar
+ fi
+
+ ### BEGIN LINUX-SPECIFIC LINKS
+ ### if [ ! -e /var/lib/tomcat5/common/lib/\[jdtCompilerAdapter\].jar ]; then
+ ### ln -s /usr/share/java/jdtCompilerAdapter.jar [jdtCompilerAdapter].jar
+ ### fi
+ ### if [ ! -e /var/lib/tomcat5/common/lib/\[jdtcore\].jar ]; then
+ ### ln -s /usr/share/java/jdtcore.jar [jdtcore].jar
+ ### fi
+ ### if [ ! -e /var/lib/tomcat5/common/lib/\[jsp\].jar ]; then
+ ### ln -s /usr/share/java/jsp.jar [jsp].jar
+ ### fi
+ ### END LINUX-SPECIFIC LINKS
+
+ if [ ! -e /var/lib/tomcat5/common/lib/\[mx4j\]\[mx4j\].jar ]; then
+ ln -s /usr/share/java/mx4j/mx4j.jar [mx4j][mx4j].jar
+ fi
+
+ ### BEGIN LINUX-SPECIFIC LINKS
+ ### if [ ! -e /var/lib/tomcat5/common/lib/\[servlet\].jar ]; then
+ ### ln -s /usr/share/java/servlet.jar [servlet].jar
+ ### fi
+ ### END LINUX-SPECIFIC LINKS
+
+ ### BEGIN LINUX-SPECIFIC FILE BUT SOLARIS-SPECIFIC LINK
+ if [ ! -e /var/lib/tomcat5/common/lib/avalon\-logkit.jar ]; then
+ ln -s /usr/share/java/avalon-logkit.jar avalon-logkit.jar
+ fi
+ ### END LINUX-SPECIFIC FILE BUT SOLARIS-SPECIFIC LINK
+
+ ### if [ ! -e /var/lib/tomcat5/common/lib/cmsutil.jar ]; then
+ ### ln -s /usr/share/java/rphki/cmsutil.jar cmsutil.jar
+ ### fi
+
+ ### BEGIN LINUX-SPECIFIC FILE BUT SOLARIS-SPECIFIC LINK
+ if [ ! -e /var/lib/tomcat5/common/lib/commons\-logging.jar ]; then
+ ln -s /usr/share/java/commons-logging.jar commons-logging.jar
+ fi
+ ### END LINUX-SPECIFIC FILE BUT SOLARIS-SPECIFIC LINK
+
+ ### if [ ! -e /var/lib/tomcat5/common/lib/jss4.jar ]; then
+ ### if [ `pkiarch` = "sparc" ] ; then
+ ### ln -s /usr/lib/java/dirsec/jss4.jar jss4.jar
+ ### elif [ `pkiarch` = "sparcv9" ] ; then
+ ### ln -s /usr/lib/`pkiarch`/java/dirsec/jss4.jar jss4.jar
+ ### fi
+ ### fi
+ ### if [ ! -e /var/lib/tomcat5/common/lib/ldapjdk.jar ]; then
+ ### ln -s /usr/share/java/ldapjdk.jar ldapjdk.jar
+ ### fi
+
+ ### naming-factory.jar
+ ### naming-resources.jar
+
+ ### if [ ! -e /var/lib/tomcat5/common/lib/nsutil.jar ]; then
+ ### ln -s /usr/share/java/`pkiflavor`/nsutil.jar nsutil.jar
+ ### fi
+ ### if [ ! -e /var/lib/tomcat5/common/lib/osutil.jar ]; then
+ ### if [ `pkiarch` = "sparc" ] ; then
+ ### ln -s /usr/lib/java/osutil.jar osutil.jar
+ ### elif [ `pkiarch` = "sparcv9" ] ; then
+ ### ln -s /usr/lib/`pkiarch`/java/osutil.jar osutil.jar
+ ### fi
+ ### fi
+ ### if [ ! -e /var/lib/tomcat5/common/lib/rhino.jar ]; then
+ ### ln -s /usr/share/java/rhino.jar rhino.jar
+ ### fi
+
+ ### BEGIN SOLARIS-SPECIFIC LINKS
+ ### if [ ! -e /var/lib/tomcat5/common/lib/\[servletapi5.jar\] ]; then
+ ### ln -s /usr/share/java/servletapi5.jar [servletapi5.jar]
+ ### fi
+ ### END SOLARIS-SPECIFIC LINKS
+
+ ### if [ ! -e /var/lib/tomcat5/common/lib/symkey.jar ]; then
+ ### if [ `pkiarch` = "sparc" ] ; then
+ ### ln -s /usr/lib/java/symkey.jar symkey.jar
+ ### elif [ `pkiarch` = "sparcv9" ] ; then
+ ### ln -s /usr/lib/`pkiarch`/java/symkey.jar symkey.jar
+ ### fi
+ ### fi
+ ### if [ ! -e /var/lib/tomcat5/common/lib/velocity.jar ]; then
+ ### ln -s /usr/share/java/velocity.jar velocity.jar
+ ### fi
+ ### if [ ! -e /var/lib/tomcat5/common/lib/xalan\-j2.jar ]; then
+ ### ln -s /usr/share/java/xalan-j2.jar xalan-j2.jar
+ ### fi
+
+ if [ ! -e /var/lib/tomcat5/common/lib/xerces\-j2\-2.6.2.jar ]; then
+ ln -s /usr/share/java/xerces-j2-2.6.2.jar xerces-j2-2.6.2.jar
+ fi
+
+ ### if [ ! -e /var/lib/tomcat5/common/lib/xerces\-j2.jar ]; then
+ ### ln -s /usr/share/java/xerces-j2.jar xerces-j2.jar
+ ### fi
+
+
+ #######################################
+ ## /var/lib/tomcat5/common/endorsed:
+ #######################################
+
+ # Build the tomcat jar classpath . . .
+ CLASSPATH="$CLASSPATH":/usr/share/java/xml-commons-apis.jar
+
+ # BEGIN LINUX-SPECIFIC FILE
+ # CLASSPATH="$CLASSPATH":/usr/share/java/jaxp_parser_impl.jar
+ # END LINUX-SPECIFIC FILE
+
+
+ # Relink tomcat jar repositories . . .
+ cd /var/lib/tomcat5/common/endorsed
+
+ ### BEGIN LINUX-SPECIFIC LINKS
+ ### if [ ! -e /var/lib/tomcat5/common/endorsed/\[jaxp_parser_impl\].jar ]; then
+ ### ln -s /usr/share/java/jaxp_parser_impl.jar [jaxp_parser_impl].jar
+ ### fi
+ ### END LINUX-SPECIFIC LINKS
+
+ if [ ! -e /var/lib/tomcat5/common/endorsed/\[xml\-commons\-apis\].jar ]; then
+ ln -s /usr/share/java/xml-commons-apis.jar [xml-commons-apis].jar
+ fi
+
+
+ #######################################
+ ## /var/lib/tomcat5/server/lib:
+ #######################################
+
+ # Build the tomcat jar classpath . . .
+ CLASSPATH="$CLASSPATH":/usr/share/java/catalina-ant5.jar
+ CLASSPATH="$CLASSPATH":/usr/share/java/commons-beanutils.jar
+ CLASSPATH="$CLASSPATH":/usr/share/java/commons-digester.jar
+ CLASSPATH="$CLASSPATH":/usr/share/java/commons-el.jar
+ CLASSPATH="$CLASSPATH":/usr/share/java/commons-fileupload.jar
+ CLASSPATH="$CLASSPATH":/usr/share/java/commons-logging.jar
+ CLASSPATH="$CLASSPATH":/usr/share/java/commons-modeler.jar
+
+ # BEGIN LINUX-SPECIFIC FILE
+ # CLASSPATH="$CLASSPATH":/usr/share/java/jdtCompilerAdapter.jar
+ # CLASSPATH="$CLASSPATH":/usr/share/java/jdtcore.jar
+ # END LINUX-SPECIFIC FILE
+
+ CLASSPATH="$CLASSPATH":/usr/share/java/mx4j/mx4j.jar
+ CLASSPATH="$CLASSPATH":/usr/share/java/mx4j/mx4j-impl.jar
+ CLASSPATH="$CLASSPATH":/usr/share/java/mx4j/mx4j-jmx.jar
+ CLASSPATH="$CLASSPATH":/usr/share/java/mx4j/mx4j-remote.jar
+ CLASSPATH="$CLASSPATH":/usr/share/java/mx4j/mx4j-rimpl.jar
+ CLASSPATH="$CLASSPATH":/usr/share/java/mx4j/mx4j-rjmx.jar
+ CLASSPATH="$CLASSPATH":/usr/share/java/mx4j/mx4j-tools.jar
+ CLASSPATH="$CLASSPATH":/usr/share/java/regexp.jar
+ CLASSPATH="$CLASSPATH":/var/lib/tomcat5/server/lib/catalina-cluster.jar
+ CLASSPATH="$CLASSPATH":/var/lib/tomcat5/server/lib/catalina-optional.jar
+ CLASSPATH="$CLASSPATH":/var/lib/tomcat5/server/lib/catalina-storeconfig.jar
+ CLASSPATH="$CLASSPATH":/var/lib/tomcat5/server/lib/catalina.jar
+ if [ `pkiarch` = "sparc" ] ; then
+ CLASSPATH="$CLASSPATH":/usr/lib/java/dirsec/jss4.jar
+ elif [ `pkiarch` = "sparcv9" ] ; then
+ CLASSPATH="$CLASSPATH":/usr/lib/`pkiarch`/java/dirsec/jss4.jar
+ fi
+ CLASSPATH="$CLASSPATH":/var/lib/tomcat5/server/lib/servlets-cgi.renametojar
+ CLASSPATH="$CLASSPATH":/var/lib/tomcat5/server/lib/servlets-default.jar
+ CLASSPATH="$CLASSPATH":/var/lib/tomcat5/server/lib/servlets-invoker.jar
+ CLASSPATH="$CLASSPATH":/var/lib/tomcat5/server/lib/servlets-ssi.renametojar
+ CLASSPATH="$CLASSPATH":/var/lib/tomcat5/server/lib/servlets-webdav.jar
+ CLASSPATH="$CLASSPATH":/var/lib/tomcat5/server/lib/tomcat-ajp.jar
+ CLASSPATH="$CLASSPATH":/var/lib/tomcat5/server/lib/tomcat-coyote.jar
+ CLASSPATH="$CLASSPATH":/var/lib/tomcat5/server/lib/tomcat-http.jar
+ CLASSPATH="$CLASSPATH":/var/lib/tomcat5/server/lib/tomcat-util.jar
+ CLASSPATH="$CLASSPATH":/usr/share/java/tomcatjss.jar
+
+
+ # Relink tomcat jar repositories . . .
+ cd /var/lib/tomcat5/server/lib
+
+ if [ ! -e /var/lib/tomcat5/server/lib/\[catalina\-ant5\].jar ]; then
+ ln -s /usr/share/java/catalina-ant5.jar [catalina-ant5].jar
+ fi
+ if [ ! -e /var/lib/tomcat5/server/lib/\[commons\-beanutils\].jar ]; then
+ ln -s /usr/share/java/commons-beanutils.jar [commons-beanutils].jar
+ fi
+ if [ ! -e /var/lib/tomcat5/server/lib/\[commons\-digester\].jar ]; then
+ ln -s /usr/share/java/commons-digester.jar [commons-digester].jar
+ fi
+ if [ ! -e /var/lib/tomcat5/server/lib/\[commons\-el\].jar ]; then
+ ln -s /usr/share/java/commons-el.jar [commons-el].jar
+ fi
+ if [ ! -e /var/lib/tomcat5/server/lib/\[commons\-fileupload\].jar ]; then
+ ln -s /usr/share/java/commons-fileupload.jar [commons-fileupload].jar
+ fi
+ if [ ! -e /var/lib/tomcat5/server/lib/\[commons\-logging\].jar ]; then
+ ln -s /usr/share/java/commons-logging.jar [commons-logging].jar
+ fi
+ if [ ! -e /var/lib/tomcat5/server/lib/\[commons\-modeler\].jar ]; then
+ ln -s /usr/share/java/commons-modeler.jar [commons-modeler].jar
+ fi
+
+ ### BEGIN LINUX-SPECIFIC LINKS
+ ### if [ ! -e /var/lib/tomcat5/server/lib/\[jdtCompilerAdapter\].jar ]; then
+ ### ln -s /usr/share/java/jdtCompilerAdapter.jar [jdtCompilerAdapter].jar
+ ### fi
+ ### if [ ! -e /var/lib/tomcat5/server/lib/\[jdtcore\].jar ]; then
+ ### ln -s /usr/share/java/jdtcore.jar [jdtcore].jar
+ ### fi
+ ### END LINUX-SPECIFIC LINKS
+
+ if [ ! -e /var/lib/tomcat5/server/lib/\[mx4j\]\[mx4j\].jar ]; then
+ ln -s /usr/share/java/mx4j/mx4j.jar [mx4j][mx4j].jar
+ fi
+ if [ ! -e /var/lib/tomcat5/server/lib/\[regexp\].jar ]; then
+ ln -s /usr/share/java/regexp.jar [regexp].jar
+ fi
+
+ ### catalina-cluster.jar
+ ### catalina-optional.jar
+ ### catalina-storeconfig.jar
+ ### catalina.jar
+ ### if [ ! -e /var/lib/tomcat5/server/lib/jss4.jar ]; then
+ ### if [ `pkiarch` = "sparc" ] ; then
+ ### ln -s /usr/lib/java/dirsec/jss4.jar jss4.jar
+ ### elif [ `pkiarch` = "sparcv9" ] ; then
+ ### ln -s /usr/lib/`pkiarch`/java/dirsec/jss4.jar jss4.jar
+ ### fi
+ ### fi
+ ### servlets-cgi.renametojar
+ ### servlets-default.jar
+ ### servlets-invoker.jar
+ ### servlets-ssi.renametojar
+ ### servlets-webdav.jar
+ ### tomcat-ajp.jar
+ ### tomcat-coyote.jar
+ ### tomcat-http.jar
+ ### tomcat-util.jar
+ ### if [ ! -e /var/lib/tomcat5/server/lib/tomcatjss.jar ]; then
+ ### ln -s /usr/share/java/tomcatjss.jar tomcatjss.jar
+ ### fi
+
+
+ #######################################
+ ## /var/lib/tomcat5/shared/lib:
+ #######################################
+
+ # Build the tomcat jar classpath . . .
+
+ export CLASSPATH
+
+
+ # Relink tomcat jar repositories . . .
+ cd /var/lib/tomcat5/shared/lib
+ fi
+
+ # daemon --user $TOMCAT_USER $TOMCAT_SCRIPT start
+ if [ ${OS} = "SunOS" ] ; then
+ su $TOMCAT_USER -c "$TOMCAT_SCRIPT start" > /dev/null
+ else
+ su -s /bin/bash $TOMCAT_USER -c "$TOMCAT_SCRIPT start" > /dev/null
+ fi
+
+ RETVAL=$?
+ [ $RETVAL = 0 ] && touch /var/lock/subsys/[PKI_INSTANCE_ID]
+
+ if [ $RETVAL = 0 ] ; then
+ count=0;
+
+ let swait=$STARTUP_WAIT
+ while [ ! -s /var/run/[PKI_INSTANCE_ID].pid ] &&
+ [ $count -lt $swait ]
+ do
+ echo -n "."
+ sleep 1
+ let count=$count+1;
+ done
+
+ if [ -x /etc/init.d/functions ]; then
+ if [ "$CONSOLETYPE" = "serial" ]; then
+ echo -n " "
+ fi
+ echo_success > /etc/rhgb/temp/rhgb-console
+ cat /etc/rhgb/temp/rhgb-console
+ echo
+ else
+ echo " [ OK ]"
+ fi
+
+ get_pki_secure_port
+ if [ $? -ne 0 ] ; then
+ PKI_SECURE_PORT="<Port Undefined>"
+ fi
+
+ echo
+ echo -n "PKI service(s) are available at "
+ echo -n "https://[PKI_MACHINE_NAME]:$PKI_SECURE_PORT"
+ echo
+ echo
+ else
+ if [ -x /etc/init.d/functions ]; then
+ if [ "$CONSOLETYPE" = "serial" ]; then
+ echo -n " "
+ fi
+ echo_failure > /etc/rhgb/temp/rhgb-console
+ cat /etc/rhgb/temp/rhgb-console
+ echo
+ else
+ echo " [ FAILED ]"
+ fi
+ fi
+
+ sleep 5
+ return $RETVAL
+}
+
+stop()
+{
+ echo -n "Stopping $TOMCAT_PROG: "
+
+ if [ -f /var/lock/subsys/[PKI_INSTANCE_ID] ] ; then
+ CATALINA_PID=/var/run/[PKI_INSTANCE_ID].pid
+ export CATALINA_PID
+
+ # daemon --user $TOMCAT_USER $TOMCAT_SCRIPT stop
+ if [ ${OS} = "SunOS" ] ; then
+ su $TOMCAT_USER -c "$TOMCAT_SCRIPT stop" > /dev/null
+ else
+ su -s /bin/bash $TOMCAT_USER -c "$TOMCAT_SCRIPT stop" > /dev/null
+ fi
+
+ RETVAL=$?
+
+ if [ $RETVAL = 0 ]; then
+ count=0;
+
+ if [ -f /var/run/[PKI_INSTANCE_ID].pid ]; then
+ read kpid < /var/run/[PKI_INSTANCE_ID].pid
+ let kwait=$SHUTDOWN_WAIT
+
+ until [ `ps -p $kpid | grep -c $kpid` = '0' ] ||
+ [ $count -gt $kwait ]
+ do
+ echo -n "."
+ sleep 1
+ let count=$count+1;
+ done
+
+ if [ $count -gt $kwait ]; then
+ kill -9 $kpid
+ fi
+ fi
+
+ rm -f /var/lock/subsys/[PKI_INSTANCE_ID]
+ rm -f /var/run/[PKI_INSTANCE_ID].pid
+
+ if [ -x /etc/init.d/functions ]; then
+ if [ "$CONSOLETYPE" = "serial" ]; then
+ echo -n " "
+ fi
+ echo_success > /etc/rhgb/temp/rhgb-console
+ cat /etc/rhgb/temp/rhgb-console
+ echo
+ else
+ echo " [ OK ]"
+ fi
+ else
+ if [ -x /etc/init.d/functions ]; then
+ if [ "$CONSOLETYPE" = "serial" ]; then
+ echo -n " "
+ fi
+ echo_failure > /etc/rhgb/temp/rhgb-console
+ cat /etc/rhgb/temp/rhgb-console
+ echo
+ else
+ echo " [ FAILED ]"
+ fi
+ fi
+ else
+ echo
+ echo "process already stopped"
+ fi
+}
+
+# See how we were called.
+case "$1" in
+ start)
+ start
+ ;;
+ stop)
+ stop
+ ;;
+ restart)
+ stop
+ sleep 2
+ start
+ ;;
+ condrestart)
+ if [ -f /var/run/[PKI_INSTANCE_ID].pid ] ; then
+ stop
+ sleep 2
+ start
+ else
+ echo -n "Unable to restart process since "
+ echo -n "'/var/run/[PKI_INSTANCE_ID].pid' does not exist!"
+ echo
+ fi
+ ;;
+ *)
+ echo "Usage: $TOMCAT_PROG {start|stop|restart|condrestart}"
+ exit 1
+esac
+
+exit $RETVAL
+
diff --git a/pki/base/kra/shared/webapps/ROOT/WEB-INF/web.xml b/pki/base/kra/shared/webapps/ROOT/WEB-INF/web.xml
new file mode 100644
index 000000000..59245836e
--- /dev/null
+++ b/pki/base/kra/shared/webapps/ROOT/WEB-INF/web.xml
@@ -0,0 +1,29 @@
+<?xml version="1.0" encoding="ISO-8859-1"?>
+<!--
+ Copyright 2004 The Apache Software Foundation
+
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+-->
+
+<web-app xmlns="http://java.sun.com/xml/ns/j2ee"
+ xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+ xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd"
+ version="2.4">
+
+ <display-name>Welcome to Tomcat</display-name>
+ <description>
+ Welcome to Tomcat
+ </description>
+
+</web-app>
+
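Review bot: The descriptor is the stock Tomcat ROOT web.xml with no `<welcome-file-list>`, so which of the index.html and index.jsp added to the same ROOT directory answers a request for `/` is left to the container's global default (which normally lists index.html ahead of index.jsp). Because the two files send the browser to different places (`/kra/services` versus `/ca/ee/ca`), the served behaviour of the KRA front page depends on a setting outside this project. Declaring the intended file explicitly, e.g. `<welcome-file-list><welcome-file>index.html</welcome-file></welcome-file-list>`, removes that ambiguity. The `Welcome to Tomcat` display-name and description are Tomcat boilerplate and could name the KRA instance instead.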
diff --git a/pki/base/kra/shared/webapps/ROOT/index.html b/pki/base/kra/shared/webapps/ROOT/index.html
new file mode 100644
index 000000000..a483baabf
--- /dev/null
+++ b/pki/base/kra/shared/webapps/ROOT/index.html
@@ -0,0 +1,22 @@
+<!-- --- BEGIN COPYRIGHT BLOCK ---
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; version 2 of the License.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License along
+ with this program; if not, write to the Free Software Foundation, Inc.,
+ 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+
+ Copyright (C) 2007 Red Hat, Inc.
+ All rights reserved.
+ --- END COPYRIGHT BLOCK --- -->
+<html>
+<head>
+<meta http-equiv="refresh" content="0; URL=https://[PKI_MACHINE_NAME]:[PKI_SECURE_PORT]/kra/services">
+</head>
+</html>
diff --git a/pki/base/kra/shared/webapps/ROOT/index.jsp b/pki/base/kra/shared/webapps/ROOT/index.jsp
new file mode 100644
index 000000000..3e23e05b0
--- /dev/null
+++ b/pki/base/kra/shared/webapps/ROOT/index.jsp
@@ -0,0 +1,9 @@
+<%
+ String op = request.getParameter("op");
+ if (op == null || op.equals("")) {
+ String redirectURL = "/ca/ee/ca";
+ response.sendRedirect(redirectURL);
+ } else if (op.equals("enroll")) {
+ /* redirect to enrollment servlet */
+ }
+%>
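Review bot: The no-`op` branch redirects a request to the KRA's ROOT context to `/ca/ee/ca`, a CA end-entity path, while index.html in the same directory redirects to `/kra/services`; on a host running only the KRA the JSP target will not exist. Suggest `String redirectURL = "/kra/services";`, or, if this file is meant to be shared across subsystems, derive the path from the same `[PKI_SUBSYSTEM_TYPE]` token that velocity.properties uses. The `else if (op.equals("enroll"))` branch is empty apart from a comment, so `op=enroll` yields a blank 200 response with no redirect; either implement the redirect the comment promises or remove the branch so the fall-through is explicit. A trailing `else` that redirects or returns an error for unknown `op` values would also make the servlet's behaviour for arbitrary input deterministic rather than a blank page.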
diff --git a/pki/base/kra/shared/webapps/kra/WEB-INF/velocity.properties b/pki/base/kra/shared/webapps/kra/WEB-INF/velocity.properties
new file mode 100644
index 000000000..0f4b375f3
--- /dev/null
+++ b/pki/base/kra/shared/webapps/kra/WEB-INF/velocity.properties
@@ -0,0 +1,8 @@
+resource.loader = file
+file.resource.loader.class = org.apache.velocity.runtime.resource.loader.FileResourceLoader
+file.resource.loader.path = [PKI_INSTANCE_PATH]/webapps/[PKI_SUBSYSTEM_TYPE]
+file.resource.loader.cache = true
+file.resource.loader.modificationCheckInterval = 2
+input.encoding=UTF-8
+output.encoding=UTF-8
+runtime.log.logsystem.class=org.apache.velocity.runtime.log.NullLogSystem
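Review bot: `runtime.log.logsystem.class=org.apache.velocity.runtime.log.NullLogSystem` on the last line discards every Velocity runtime message, including template parse errors and resource-not-found reports, so a failing setup-wizard panel leaves no trace in the server logs. If the silence is deliberate, a comment such as `# Velocity logging disabled: <reason>` would stop the next maintainer from re-enabling it; otherwise pointing the log system at the container's logging would make wizard failures diagnosable. It is also worth a comment that `file.resource.loader.path` is the whole webapp directory rather than a dedicated template directory, and that the `[PKI_INSTANCE_PATH]` and `[PKI_SUBSYSTEM_TYPE]` tokens are presumably substituted at install time as in the sibling files; that is inferred, not shown in this hunk.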
diff --git a/pki/base/kra/shared/webapps/kra/WEB-INF/web.xml b/pki/base/kra/shared/webapps/kra/WEB-INF/web.xml
new file mode 100644
index 000000000..924ce6aae
--- /dev/null
+++ b/pki/base/kra/shared/webapps/kra/WEB-INF/web.xml
@@ -0,0 +1,1103 @@
+<?xml version="1.0" encoding="ISO-8859-1"?>
+<!DOCTYPE web-app
+ PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN" "file:///usr/share/rhpki/setup/web-app_2_3.dtd">
+<web-app>
+
+ <servlet>
+ <servlet-name>csadmin-wizard</servlet-name>
+ <servlet-class>com.netscape.cms.servlet.wizard.WizardServlet</servlet-class>
+ <init-param>
+ <param-name>properties</param-name>
+ <param-value>/WEB-INF/velocity.properties</param-value>
+ </init-param>
+ <init-param>
+ <param-name>name</param-name>
+ <param-value>DRM Setup Wizard</param-value>
+ </init-param>
+ <init-param>
+ <param-name>panels</param-name>
+ <param-value>welcome=com.netscape.cms.servlet.csadmin.WelcomePanel,securitydomain=com.netscape.cms.servlet.csadmin.SecurityDomainPanel,securitydomain=com.netscape.cms.servlet.csadmin.DisplayCertChainPanel,subsystem=com.netscape.cms.servlet.csadmin.CreateSubsystemPanel,restorekeys=com.netscape.cms.servlet.csadmin.RestoreKeyCertPanel,databasepanel=com.netscape.cms.servlet.csadmin.DatabasePanel,modulepanel=com.netscape.cms.servlet.csadmin.ModulePanel,config_hsmloginpanel=com.netscape.cms.servlet.csadmin.ConfigHSMLoginPanel,sizepanel=com.netscape.cms.servlet.csadmin.SizePanel,namepanel=com.netscape.cms.servlet.csadmin.NamePanel,certrequestpanel=com.netscape.cms.servlet.csadmin.CertRequestPanel,backupkeys=com.netscape.cms.servlet.csadmin.BackupKeyCertPanel,savepk12=com.netscape.cms.servlet.csadmin.SavePKCS12Panel,adminpanel=com.netscape.cms.servlet.csadmin.AdminPanel,importadmincertpanel=com.netscape.cms.servlet.csadmin.ImportAdminCertPanel,donepanel=com.netscape.cms.servlet.csadmin.DonePanel</param-value>
+ </init-param>
+ </servlet>
+
+ <servlet>
+ <servlet-name>csadmin-base</servlet-name>
+ <servlet-class>com.netscape.cms.servlet.csadmin.BaseServlet</servlet-class>
+ <init-param>
+ <param-name>properties</param-name>
+ <param-value>/WEB-INF/velocity.properties</param-value>
+ </init-param>
+ </servlet>
+
+ <servlet>
+ <servlet-name>csadmin-login</servlet-name>
+ <servlet-class>com.netscape.cms.servlet.csadmin.LoginServlet</servlet-class>
+ <init-param>
+ <param-name>properties</param-name>
+ <param-value>/WEB-INF/velocity.properties</param-value>
+ </init-param>
+ </servlet>
+
+ <servlet>
+ <servlet-name>csadmin-welcome</servlet-name>
+ <servlet-class>com.netscape.cms.servlet.csadmin.WelcomeServlet</servlet-class>
+ <init-param>
+ <param-name>properties</param-name>
+ <param-value>/WEB-INF/velocity.properties</param-value>
+ </init-param>
+ </servlet>
+
+ <servlet>
+ <servlet-name>csadmin-database</servlet-name>
+ <servlet-class>com.netscape.cms.servlet.csadmin.DatabaseServlet</servlet-class>
+ <init-param>
+ <param-name>properties</param-name>
+ <param-value>/WEB-INF/velocity.properties</param-value>
+ </init-param>
+ </servlet>
+
+ <servlet>
+ <servlet-name>csadmin-admin</servlet-name>
+ <servlet-class>com.netscape.cms.servlet.csadmin.AdministratorServlet</servlet-class>
+ <init-param>
+ <param-name>properties</param-name>
+ <param-value>/WEB-INF/velocity.properties</param-value>
+ </init-param>
+ </servlet>
+
+ <servlet>
+ <servlet-name>csadmin-module</servlet-name>
+ <servlet-class>com.netscape.cms.servlet.csadmin.ModuleServlet</servlet-class>
+ <init-param>
+ <param-name>properties</param-name>
+ <param-value>/WEB-INF/velocity.properties</param-value>
+ </init-param>
+ </servlet>
+
+ <servlet>
+ <servlet-name>csadmin-size</servlet-name>
+ <servlet-class>com.netscape.cms.servlet.csadmin.KeySizeServlet</servlet-class>
+ <init-param>
+ <param-name>properties</param-name>
+ <param-value>/WEB-INF/velocity.properties</param-value>
+ </init-param>
+ </servlet>
+
+ <servlet>
+ <servlet-name>csadmin-name</servlet-name>
+ <servlet-class>com.netscape.cms.servlet.csadmin.NameServlet</servlet-class>
+ <init-param>
+ <param-name>properties</param-name>
+ <param-value>/WEB-INF/velocity.properties</param-value>
+ </init-param>
+ </servlet>
+
+ <servlet>
+ <servlet-name>csadmin-hierarchy</servlet-name>
+ <servlet-class>com.netscape.cms.servlet.csadmin.HierarchyServlet</servlet-class>
+ <init-param>
+ <param-name>properties</param-name>
+ <param-value>/WEB-INF/velocity.properties</param-value>
+ </init-param>
+ </servlet>
+
+ <servlet>
+ <servlet-name>csadmin-done</servlet-name>
+ <servlet-class>com.netscape.cms.servlet.csadmin.DoneServlet</servlet-class>
+ <init-param>
+ <param-name>properties</param-name>
+ <param-value>/WEB-INF/velocity.properties</param-value>
+ </init-param>
+ </servlet>
+
+ <servlet>
+ <servlet-name>config-db</servlet-name>
+ <servlet-class>com.netscape.cms.servlet.csadmin.ConfigDatabaseServlet</servlet-class>
+ <init-param>
+ <param-name>properties</param-name>
+ <param-value>/WEB-INF/velocity.properties</param-value>
+ </init-param>
+ </servlet>
+
+ <servlet>
+ <servlet-name>config-hsm</servlet-name>
+ <servlet-class>com.netscape.cms.servlet.csadmin.ConfigHSMServlet</servlet-class>
+ <init-param>
+ <param-name>properties</param-name>
+ <param-value>/WEB-INF/velocity.properties</param-value>
+ </init-param>
+ </servlet>
+
+ <servlet>
+ <servlet-name>config-rootca</servlet-name>
+ <servlet-class>com.netscape.cms.servlet.csadmin.ConfigRootCAServlet</servlet-class>
+ <init-param>
+ <param-name>properties</param-name>
+ <param-value>/WEB-INF/velocity.properties</param-value>
+ </init-param>
+ </servlet>
+
+ <servlet>
+ <servlet-name>config-join</servlet-name>
+ <servlet-class>com.netscape.cms.servlet.csadmin.ConfigJoinServlet</servlet-class>
+ <init-param>
+ <param-name>properties</param-name>
+ <param-value>/WEB-INF/velocity.properties</param-value>
+ </init-param>
+ </servlet>
+
+ <servlet>
+ <servlet-name>config-clone</servlet-name>
+ <servlet-class>com.netscape.cms.servlet.csadmin.ConfigCloneServlet</servlet-class>
+ <init-param>
+ <param-name>properties</param-name>
+ <param-value>/WEB-INF/velocity.properties</param-value>
+ </init-param>
+ </servlet>
+
+
+
+ <servlet>
+ <servlet-name> kraKRADisplayBySerialForRecovery </servlet-name>
+ <servlet-class> com.netscape.cms.servlet.key.DisplayBySerialForRecovery </servlet-class>
+ <init-param><param-name> GetClientCert </param-name>
+ <param-value> true </param-value> </init-param>
+ <init-param><param-name> AuthzMgr </param-name>
+ <param-value> BasicAclAuthz </param-value> </init-param>
+ <init-param><param-name> authority </param-name>
+ <param-value> kra </param-value> </init-param>
+ <init-param><param-name> templatePath </param-name>
+ <param-value> /agent/kra/displayBySerialForRecovery.template </param-value> </init-param>
+ <init-param><param-name> ID </param-name>
+ <param-value> kraKRADisplayBySerialForRecovery </param-value> </init-param>
+ <init-param><param-name> AuthMgr </param-name>
+ <param-value> certUserDBAuthMgr </param-value> </init-param>
+ <init-param><param-name> resourceID </param-name>
+ <param-value> certServer.kra.key </param-value> </init-param>
+ </servlet>
+
+ <servlet>
+ <servlet-name> kraGetConfigEntries </servlet-name>
+ <servlet-class> com.netscape.cms.servlet.csadmin.GetConfigEntries </servlet-class>
+ <init-param><param-name> GetClientCert </param-name>
+ <param-value> false </param-value> </init-param>
+ <init-param><param-name> authority </param-name>
+ <param-value> kra </param-value> </init-param>
+ <init-param><param-name> ID </param-name>
+ <param-value> kraGetConfigEntries </param-value> </init-param>
+ <init-param><param-name> AuthzMgr </param-name>
+ <param-value> BasicAclAuthz </param-value> </init-param>
+ <init-param><param-name> AuthMgr </param-name>
+ <param-value> TokenAuth </param-value> </init-param>
+ <init-param><param-name> resourceID </param-name>
+ <param-value> certServer.clone.configuration </param-value> </init-param>
+ </servlet>
+
+ <servlet>
+ <servlet-name> kraKRAGrantRecovery </servlet-name>
+ <servlet-class> com.netscape.cms.servlet.key.GrantRecovery </servlet-class>
+ <init-param><param-name> GetClientCert </param-name>
+ <param-value> true </param-value> </init-param>
+ <init-param><param-name> AuthzMgr </param-name>
+ <param-value> BasicAclAuthz </param-value> </init-param>
+ <init-param><param-name> authority </param-name>
+ <param-value> kra </param-value> </init-param>
+ <init-param><param-name> templatePath </param-name>
+ <param-value> /agent/kra/grantRecovery.template</param-value> </init-param>
+ <init-param><param-name> ID </param-name>
+ <param-value> kraKRAGrantRecovery </param-value> </init-param>
+ <init-param><param-name> AuthMgr </param-name>
+ <param-value> certUserDBAuthMgr </param-value> </init-param>
+ <init-param><param-name> resourceID </param-name>
+ <param-value> certServer.kra.key </param-value> </init-param>
+ </servlet>
+
+ <servlet>
+ <servlet-name> kraports </servlet-name>
+ <servlet-class> com.netscape.cms.servlet.base.PortsServlet </servlet-class>
+ <init-param><param-name> ID </param-name>
+ <param-value> kraports </param-value> </init-param>
+ <init-param><param-name> GetClientCert </param-name>
+ <param-value> false </param-value> </init-param>
+ <init-param><param-name> interface </param-name>
+ <param-value> ee </param-value> </init-param>
+ </servlet>
+
+ <servlet>
+ <servlet-name> kraKRADisplayTransport </servlet-name>
+ <servlet-class> com.netscape.cms.servlet.key.DisplayTransport </servlet-class>
+ <init-param><param-name> GetClientCert </param-name>
+ <param-value> true </param-value> </init-param>
+ <init-param><param-name> AuthzMgr </param-name>
+ <param-value> BasicAclAuthz </param-value> </init-param>
+ <init-param><param-name> authority </param-name>
+ <param-value> kra </param-value> </init-param>
+ <init-param><param-name> ID </param-name>
+ <param-value> kraKRADisplayTransport </param-value> </init-param>
+ <init-param><param-name> AuthMgr </param-name>
+ <param-value> certUserDBAuthMgr </param-value> </init-param>
+ <init-param><param-name> resourceID </param-name>
+ <param-value> certServer.kra.certificate.transport </param-value> </init-param>
+ </servlet>
+
+ <servlet>
+ <servlet-name> kraRegisterUser </servlet-name>
+ <servlet-class> com.netscape.cms.servlet.csadmin.RegisterUser </servlet-class>
+ <init-param><param-name> GetClientCert </param-name>
+ <param-value> false </param-value> </init-param>
+ <init-param><param-name> authority </param-name>
+ <param-value> kra </param-value> </init-param>
+ <init-param><param-name> ID </param-name>
+ <param-value> kraRegisterUser </param-value> </init-param>
+ <init-param><param-name> GroupName </param-name>
+ <param-value> Data Recovery Manager Agents </param-value> </init-param>
+ <init-param><param-name> AuthMgr </param-name>
+ <param-value> TokenAuth </param-value> </init-param>
+ <init-param><param-name> AuthzMgr </param-name>
+ <param-value> BasicAclAuthz </param-value> </init-param>
+ <init-param><param-name> resourceID </param-name>
+ <param-value> certServer.kra.registerUser </param-value> </init-param>
+ </servlet>
+
+ <servlet>
+ <servlet-name> kraGetTransportCert </servlet-name>
+ <servlet-class> com.netscape.cms.servlet.csadmin.GetTransportCert </servlet-class>
+ <init-param><param-name> GetClientCert </param-name>
+ <param-value> false </param-value> </init-param>
+ <init-param><param-name> authority </param-name>
+ <param-value> kra </param-value> </init-param>
+ <init-param><param-name> ID </param-name>
+ <param-value> kraGetTransportCert </param-value> </init-param>
+ <init-param><param-name> AuthMgr </param-name>
+ <param-value> TokenAuth </param-value> </init-param>
+ <init-param><param-name> AuthzMgr </param-name>
+ <param-value> BasicAclAuthz </param-value> </init-param>
+ <init-param><param-name> resourceID </param-name>
+ <param-value> certServer.kra.getTransportCert </param-value> </init-param>
+ </servlet>
+
+ <servlet>
+ <servlet-name> kraKRARecoverBySerial </servlet-name>
+ <servlet-class> com.netscape.cms.servlet.key.RecoverBySerial </servlet-class>
+ <init-param><param-name> GetClientCert </param-name>
+ <param-value> true </param-value> </init-param>
+ <init-param><param-name> AuthzMgr </param-name>
+ <param-value> BasicAclAuthz </param-value> </init-param>
+ <init-param><param-name> authority </param-name>
+ <param-value> kra </param-value> </init-param>
+ <init-param><param-name> templatePath </param-name>
+ <param-value> /agent/kra/recoverBySerial.template</param-value> </init-param>
+ <init-param><param-name> ID </param-name>
+ <param-value> kraKRARecoverBySerial </param-value> </init-param>
+ <init-param><param-name> AuthMgr </param-name>
+ <param-value> certUserDBAuthMgr </param-value> </init-param>
+ <init-param><param-name> resourceID </param-name>
+ <param-value> certServer.kra.key </param-value> </init-param>
+ </servlet>
+
+ <servlet>
+ <servlet-name> kraDynamicVariables </servlet-name>
+ <servlet-class> com.netscape.cms.servlet.base.DynamicVariablesServlet </servlet-class>
+ <init-param><param-name> ID </param-name>
+ <param-value> kraDynamicVariables </param-value> </init-param>
+ <init-param><param-name> GetClientCert </param-name>
+ <param-value> false </param-value> </init-param>
+ <init-param><param-name> dynamicVariables </param-name>
+ <param-value> serverdate=serverdate(),subsystemname=subsystemname(),http=http(),authmgrs=authmgrs(),clacrlurl=clacrlurl() </param-value> </init-param>
+ <init-param><param-name> authority </param-name>
+ <param-value> kra </param-value> </init-param>
+ </servlet>
+
+ <servlet>
+ <servlet-name> kraheader </servlet-name>
+ <servlet-class> com.netscape.cms.servlet.base.IndexServlet </servlet-class>
+ <init-param><param-name> templatePath </param-name>
+ <param-value> /agent/header.template</param-value> </init-param>
+ <init-param><param-name> ID </param-name>
+ <param-value> kraheader </param-value> </init-param>
+ <init-param><param-name> GetClientCert </param-name>
+ <param-value> true </param-value> </init-param>
+ <init-param><param-name> AuthMgr </param-name>
+ <param-value> certUserDBAuthMgr </param-value> </init-param>
+ <init-param><param-name> template </param-name>
+ <param-value> /agent/header.template </param-value> </init-param>
+ </servlet>
+
+ <servlet>
+ <servlet-name> kraTokenKeyRecovery </servlet-name>
+ <servlet-class> com.netscape.cms.servlet.connector.TokenKeyRecoveryServlet </servlet-class>
+ <init-param><param-name> GetClientCert </param-name>
+ <param-value> true </param-value> </init-param>
+ <init-param><param-name> AuthzMgr </param-name>
+ <param-value> BasicAclAuthz </param-value> </init-param>
+ <init-param><param-name> authority </param-name>
+ <param-value> kra </param-value> </init-param>
+ <init-param><param-name> ID </param-name>
+ <param-value> kraTokenKeyRecovery </param-value> </init-param>
+ <init-param><param-name> AuthMgr </param-name>
+ <param-value> certUserDBAuthMgr </param-value> </init-param>
+ <init-param><param-name> resourceID </param-name>
+ <param-value> certServer.kra.TokenKeyRecovery </param-value> </init-param>
+ </servlet>
+
+ <servlet>
+ <servlet-name> kraSrchRecoverKey </servlet-name>
+ <servlet-class> com.netscape.cms.servlet.base.DisplayHtmlServlet </servlet-class>
+ <init-param><param-name> GetClientCert </param-name>
+ <param-value> true </param-value> </init-param>
+ <init-param><param-name> htmlPath </param-name>
+ <param-value> /agent/kra/SrchRecoverKey.html </param-value> </init-param>
+ <init-param><param-name> authority </param-name>
+ <param-value> kra </param-value> </init-param>
+ <init-param><param-name> interface </param-name>
+ <param-value> agent </param-value> </init-param>
+ <init-param><param-name> templatePath </param-name>
+ <param-value> /agent/kra/srchKeyForRecovery.template</param-value> </init-param>
+ <init-param><param-name> ID </param-name>
+ <param-value> kraSrchRecoverKey </param-value> </init-param>
+ <init-param><param-name> unauthorizedTemplate </param-name>
+ <param-value> /agent/kra/GenUnauthorized.template </param-value> </init-param>
+ <init-param><param-name> AuthMgr </param-name>
+ <param-value> certUserDBAuthMgr </param-value> </init-param>
+ </servlet>
+
+ <servlet>
+ <servlet-name> kraConnector </servlet-name>
+ <servlet-class> com.netscape.cms.servlet.connector.ConnectorServlet </servlet-class>
+ <init-param><param-name> GetClientCert </param-name>
+ <param-value> true </param-value> </init-param>
+ <init-param><param-name> AuthzMgr </param-name>
+ <param-value> BasicAclAuthz </param-value> </init-param>
+ <init-param><param-name> authority </param-name>
+ <param-value> kra </param-value> </init-param>
+ <init-param><param-name> ID </param-name>
+ <param-value> kraConnector </param-value> </init-param>
+ <init-param><param-name> RequestEncoder </param-name>
+ <param-value> com.netscape.cmscore.connector.HttpRequestEncoder </param-value> </init-param>
+ <init-param><param-name> resourceID </param-name>
+ <param-value> certServer.kra.connector </param-value> </init-param>
+ <init-param><param-name> AuthMgr </param-name>
+ <param-value> certUserDBAuthMgr </param-value> </init-param>
+ </servlet>
+
+ <servlet>
+ <servlet-name> kraSrchKey </servlet-name>
+ <servlet-class> com.netscape.cms.servlet.base.DisplayHtmlServlet </servlet-class>
+ <init-param><param-name> GetClientCert </param-name>
+ <param-value> true </param-value> </init-param>
+ <init-param><param-name> htmlPath </param-name>
+ <param-value> /agent/kra/SrchKey.html </param-value> </init-param>
+ <init-param><param-name> authority </param-name>
+ <param-value> kra </param-value> </init-param>
+ <init-param><param-name> interface </param-name>
+ <param-value> agent </param-value> </init-param>
+ <init-param><param-name> templatePath </param-name>
+ <param-value> /agent/kra/srchKey.template</param-value> </init-param>
+ <init-param><param-name> ID </param-name>
+ <param-value> kraSrchKey </param-value> </init-param>
+ <init-param><param-name> unauthorizedTemplate </param-name>
+ <param-value> /agent/kra/GenUnauthorized.template </param-value> </init-param>
+ <init-param><param-name> AuthMgr </param-name>
+ <param-value> certUserDBAuthMgr </param-value> </init-param>
+ </servlet>
+
+ <servlet>
+ <servlet-name> kraListRequests </servlet-name>
+ <servlet-class> com.netscape.cms.servlet.base.DisplayHtmlServlet </servlet-class>
+ <init-param><param-name> GetClientCert </param-name>
+ <param-value> true </param-value> </init-param>
+ <init-param><param-name> htmlPath </param-name>
+ <param-value> /agent/kra/ListRequests.html </param-value> </init-param>
+ <init-param><param-name> authority </param-name>
+ <param-value> kra </param-value> </init-param>
+ <init-param><param-name> interface </param-name>
+ <param-value> agent </param-value> </init-param>
+ <init-param><param-name> templatePath </param-name>
+ <param-value> /agent/kra/ListRequests.template</param-value> </init-param>
+ <init-param><param-name> ID </param-name>
+ <param-value> kraListRequests </param-value> </init-param>
+ <init-param><param-name> unauthorizedTemplate </param-name>
+ <param-value> /agent/kra/GenUnauthorized.template </param-value> </init-param>
+ <init-param><param-name> AuthMgr </param-name>
+ <param-value> certUserDBAuthMgr </param-value> </init-param>
+ </servlet>
+
+ <servlet>
+ <servlet-name> kraGenerateKeyPair </servlet-name>
+ <servlet-class> com.netscape.cms.servlet.connector.GenerateKeyPairServlet </servlet-class>
+ <init-param><param-name> GetClientCert </param-name>
+ <param-value> true </param-value> </init-param>
+ <init-param><param-name> AuthzMgr </param-name>
+ <param-value> BasicAclAuthz </param-value> </init-param>
+ <init-param><param-name> authority </param-name>
+ <param-value> kra </param-value> </init-param>
+ <init-param><param-name> ID </param-name>
+ <param-value> kraGenerateKeyPair </param-value> </init-param>
+ <init-param><param-name> AuthMgr </param-name>
+ <param-value> certUserDBAuthMgr </param-value> </init-param>
+ <init-param><param-name> resourceID </param-name>
+ <param-value> certServer.kra.GenerateKeyPair </param-value> </init-param>
+ </servlet>
+
+ <servlet>
+ <servlet-name> kraindex </servlet-name>
+ <servlet-class> com.netscape.cms.servlet.base.IndexServlet </servlet-class>
+ <init-param><param-name> ID </param-name>
+ <param-value> kraindex </param-value> </init-param>
+ <init-param><param-name> template </param-name>
+ <param-value> index.template </param-value> </init-param>
+ <init-param><param-name> GetClientCert </param-name>
+ <param-value> true </param-value> </init-param>
+ <init-param><param-name> AuthMgr </param-name>
+ <param-value> certUserDBAuthMgr </param-value> </init-param>
+ </servlet>
+
+ <servlet>
+ <servlet-name> kraMonitor </servlet-name>
+ <servlet-class> com.netscape.cms.servlet.cert.Monitor </servlet-class>
+ <init-param><param-name> GetClientCert </param-name>
+ <param-value> true </param-value> </init-param>
+ <init-param><param-name> AuthzMgr </param-name>
+ <param-value> BasicAclAuthz </param-value> </init-param>
+ <init-param><param-name> authority </param-name>
+ <param-value> kra </param-value> </init-param>
+ <init-param><param-name> templatePath </param-name>
+ <param-value> /agent/kra/monitor.template</param-value> </init-param>
+ <init-param><param-name> ID </param-name>
+ <param-value> kraMonitor </param-value> </init-param>
+ <init-param><param-name> resourceID </param-name>
+ <param-value> certServer.kra.systemstatus </param-value> </init-param>
+ <init-param><param-name> AuthMgr </param-name>
+ <param-value> certUserDBAuthMgr </param-value> </init-param>
+ </servlet>
+
+ <servlet>
+ <servlet-name> kraKRAGetApprovalStatus </servlet-name>
+ <servlet-class> com.netscape.cms.servlet.key.GetApprovalStatus </servlet-class>
+ <init-param><param-name> GetClientCert </param-name>
+ <param-value> true </param-value> </init-param>
+ <init-param><param-name> AuthzMgr </param-name>
+ <param-value> BasicAclAuthz </param-value> </init-param>
+ <init-param><param-name> authority </param-name>
+ <param-value> kra </param-value> </init-param>
+ <init-param><param-name> templatePath </param-name>
+ <param-value> /agent/kra/getApprovalStatus.template</param-value> </init-param>
+ <init-param><param-name> ID </param-name>
+ <param-value> kraKRAGetApprovalStatus </param-value> </init-param>
+ <init-param><param-name> AuthMgr </param-name>
+ <param-value> certUserDBAuthMgr </param-value> </init-param>
+ <init-param><param-name> resourceID </param-name>
+ <param-value> certServer.kra.request.status </param-value> </init-param>
+ </servlet>
+
+ <servlet>
+ <servlet-name> kraKRAProcessReq </servlet-name>
+ <servlet-class> com.netscape.cms.servlet.request.ProcessReq </servlet-class>
+ <init-param><param-name> GetClientCert </param-name>
+ <param-value> true </param-value> </init-param>
+ <init-param><param-name> parser </param-name>
+ <param-value> KeyReqParser.PARSER </param-value> </init-param>
+ <init-param><param-name> AuthzMgr </param-name>
+ <param-value> BasicAclAuthz </param-value> </init-param>
+ <init-param><param-name> authority </param-name>
+ <param-value> kra </param-value> </init-param>
+ <init-param><param-name> templatePath </param-name>
+ <param-value> /agent/kra/processReq.template</param-value> </init-param>
+ <init-param><param-name> ID </param-name>
+ <param-value> kraKRAProcessReq </param-value> </init-param>
+ <init-param><param-name> resourceID </param-name>
+ <param-value> certServer.kra.request </param-value> </init-param>
+ <init-param><param-name> AuthMgr </param-name>
+ <param-value> certUserDBAuthMgr </param-value> </init-param>
+ </servlet>
+
+ <servlet>
+ <servlet-name> kraKRAExamineRecovery </servlet-name>
+ <servlet-class> com.netscape.cms.servlet.key.ExamineRecovery </servlet-class>
+ <init-param><param-name> GetClientCert </param-name>
+ <param-value> true </param-value> </init-param>
+ <init-param><param-name> AuthzMgr </param-name>
+ <param-value> BasicAclAuthz </param-value> </init-param>
+ <init-param><param-name> authority </param-name>
+ <param-value> kra </param-value> </init-param>
+ <init-param><param-name> interface </param-name>
+ <param-value> agent </param-value> </init-param>
+ <init-param><param-name> templatePath </param-name>
+ <param-value> /agent/kra/examineRecovery.template</param-value> </init-param>
+ <init-param><param-name> ID </param-name>
+ <param-value> kraKRAExamineRecovery </param-value> </init-param>
+ <init-param><param-name> AuthMgr </param-name>
+ <param-value> certUserDBAuthMgr </param-value> </init-param>
+ <init-param><param-name> resourceID </param-name>
+ <param-value> certServer.kra.key </param-value> </init-param>
+ </servlet>
+
+ <servlet>
+ <servlet-name> kraKRASrchKey </servlet-name>
+ <servlet-class> com.netscape.cms.servlet.key.SrchKey </servlet-class>
+ <init-param><param-name> GetClientCert </param-name>
+ <param-value> true </param-value> </init-param>
+ <init-param><param-name> AuthzMgr </param-name>
+ <param-value> BasicAclAuthz </param-value> </init-param>
+ <init-param><param-name> authority </param-name>
+ <param-value> kra </param-value> </init-param>
+ <init-param><param-name> templatePath </param-name>
+ <param-value> /agent/kra/srchKey.template</param-value> </init-param>
+ <init-param><param-name> ID </param-name>
+ <param-value> kraKRASrchKey </param-value> </init-param>
+ <init-param><param-name> AuthMgr </param-name>
+ <param-value> certUserDBAuthMgr </param-value> </init-param>
+ <init-param><param-name> resourceID </param-name>
+ <param-value> certServer.kra.keys </param-value> </init-param>
+ </servlet>
+
+ <servlet>
+ <servlet-name> kraKRAGetPk12 </servlet-name>
+ <servlet-class> com.netscape.cms.servlet.key.GetPk12 </servlet-class>
+ <init-param><param-name> GetClientCert </param-name>
+ <param-value> true </param-value> </init-param>
+ <init-param><param-name> AuthzMgr </param-name>
+ <param-value> BasicAclAuthz </param-value> </init-param>
+ <init-param><param-name> authority </param-name>
+ <param-value> kra </param-value> </init-param>
+ <init-param><param-name> ID </param-name>
+ <param-value> kraKRAGetPk12 </param-value> </init-param>
+ <init-param><param-name> AuthMgr </param-name>
+ <param-value> certUserDBAuthMgr </param-value> </init-param>
+ <init-param><param-name> resourceID </param-name>
+ <param-value> certServer.kra.key </param-value> </init-param>
+ </servlet>
+
+ <servlet>
+ <servlet-name> kraGrantRecovery </servlet-name>
+ <servlet-class> com.netscape.cms.servlet.base.DisplayHtmlServlet </servlet-class>
+ <init-param><param-name> GetClientCert </param-name>
+ <param-value> true </param-value> </init-param>
+ <init-param><param-name> htmlPath </param-name>
+ <param-value> /agent/kra/GrantRecovery.html </param-value> </init-param>
+ <init-param><param-name> authority </param-name>
+ <param-value> kra </param-value> </init-param>
+ <init-param><param-name> interface </param-name>
+ <param-value> agent </param-value> </init-param>
+ <init-param><param-name> templatePath </param-name>
+ <param-value> /agent/kra/grantRecovery.template</param-value> </init-param>
+ <init-param><param-name> ID </param-name>
+ <param-value> kraGrantRecovery </param-value> </init-param>
+ <init-param><param-name> unauthorizedTemplate </param-name>
+ <param-value> /agent/kra/GenUnauthorized.template </param-value> </init-param>
+ <init-param><param-name> AuthMgr </param-name>
+ <param-value> certUserDBAuthMgr </param-value> </init-param>
+ </servlet>
+
+ <servlet>
+ <servlet-name> kraKRASrchKeyForRecovery </servlet-name>
+ <servlet-class> com.netscape.cms.servlet.key.SrchKeyForRecovery </servlet-class>
+ <init-param><param-name> GetClientCert </param-name>
+ <param-value> true </param-value> </init-param>
+ <init-param><param-name> AuthzMgr </param-name>
+ <param-value> BasicAclAuthz </param-value> </init-param>
+ <init-param><param-name> authority </param-name>
+ <param-value> kra </param-value> </init-param>
+ <init-param><param-name> templatePath </param-name>
+ <param-value> /agent/kra/srchKeyForRecovery.template</param-value> </init-param>
+ <init-param><param-name> ID </param-name>
+ <param-value> kraKRASrchKeyForRecovery </param-value> </init-param>
+ <init-param><param-name> AuthMgr </param-name>
+ <param-value> certUserDBAuthMgr </param-value> </init-param>
+ <init-param><param-name> resourceID </param-name>
+ <param-value> certServer.kra.keys </param-value> </init-param>
+ </servlet>
+
+ <servlet>
+ <servlet-name> krakraqueryReq </servlet-name>
+ <servlet-class> com.netscape.cms.servlet.request.QueryReq </servlet-class>
+ <init-param><param-name> GetClientCert </param-name>
+ <param-value> true </param-value> </init-param>
+ <init-param><param-name> parser </param-name>
+ <param-value> CertReqParser.NODETAIL_PARSER </param-value> </init-param>
+ <init-param><param-name> AuthzMgr </param-name>
+ <param-value> BasicAclAuthz </param-value> </init-param>
+ <init-param><param-name> authority </param-name>
+ <param-value> kra </param-value> </init-param>
+ <init-param><param-name> templatePath </param-name>
+ <param-value> /agent/kra/queryReq.template</param-value> </init-param>
+ <init-param><param-name> ID </param-name>
+ <param-value> krakraqueryReq </param-value> </init-param>
+ <init-param><param-name> resourceID </param-name>
+ <param-value> certServer.kra.requests </param-value> </init-param>
+ <init-param><param-name> AuthMgr </param-name>
+ <param-value> certUserDBAuthMgr </param-value> </init-param>
+ </servlet>
+
+ <servlet>
+ <servlet-name> kraKRADisplayBySerial </servlet-name>
+ <servlet-class> com.netscape.cms.servlet.key.DisplayBySerial </servlet-class>
+ <init-param><param-name> GetClientCert </param-name>
+ <param-value> true </param-value> </init-param>
+ <init-param><param-name> AuthzMgr </param-name>
+ <param-value> BasicAclAuthz </param-value> </init-param>
+ <init-param><param-name> authority </param-name>
+ <param-value> kra </param-value> </init-param>
+ <init-param><param-name> templatePath </param-name>
+ <param-value> /agent/kra/displayBySerial.template</param-value> </init-param>
+ <init-param><param-name> ID </param-name>
+ <param-value> kraKRADisplayBySerial </param-value> </init-param>
+ <init-param><param-name> AuthMgr </param-name>
+ <param-value> certUserDBAuthMgr </param-value> </init-param>
+ <init-param><param-name> resourceID </param-name>
+ <param-value> certServer.kra.key </param-value> </init-param>
+ </servlet>
+
+ <servlet>
+ <servlet-name> krapolicy </servlet-name>
+ <servlet-class> com.netscape.cms.servlet.admin.PolicyAdminServlet </servlet-class>
+ <init-param><param-name> ID </param-name>
+ <param-value> krapolicy </param-value> </init-param>
+ <init-param><param-name> AuthzMgr </param-name>
+ <param-value> BasicAclAuthz </param-value> </init-param>
+ <init-param><param-name> authority </param-name>
+ <param-value> kra </param-value> </init-param>
+ </servlet>
+
+ <servlet>
+ <servlet-name> krajobsScheduler </servlet-name>
+ <servlet-class> com.netscape.cms.servlet.admin.JobsAdminServlet </servlet-class>
+ <init-param><param-name> ID </param-name>
+ <param-value> krajobsScheduler </param-value> </init-param>
+ <init-param><param-name> AuthzMgr </param-name>
+ <param-value> BasicAclAuthz </param-value> </init-param>
+ </servlet>
+
+ <servlet>
+ <servlet-name> kraauths </servlet-name>
+ <servlet-class> com.netscape.cms.servlet.admin.AuthAdminServlet </servlet-class>
+ <init-param><param-name> ID </param-name>
+ <param-value> kraauths </param-value> </init-param>
+ <init-param><param-name> AuthzMgr </param-name>
+ <param-value> BasicAclAuthz </param-value> </init-param>
+ </servlet>
+
+ <servlet>
+ <servlet-name> krastart </servlet-name>
+ <servlet-class> com.netscape.cms.servlet.base.CMSStartServlet </servlet-class>
+ <init-param><param-name> AuthzMgr </param-name>
+ <param-value> BasicAclAuthz </param-value> </init-param>
+ <init-param><param-name> cfgPath </param-name>
+ <param-value> [PKI_INSTANCE_PATH]/conf/CS.cfg </param-value> </init-param>
+ <init-param><param-name> ID </param-name>
+ <param-value> krastart </param-value> </init-param>
+ <load-on-startup> 1 </load-on-startup>
+ </servlet>
+
+ <servlet>
+ <servlet-name> kraacl </servlet-name>
+ <servlet-class> com.netscape.cms.servlet.admin.ACLAdminServlet </servlet-class>
+ <init-param><param-name> ID </param-name>
+ <param-value> kraacl </param-value> </init-param>
+ <init-param><param-name> AuthzMgr </param-name>
+ <param-value> BasicAclAuthz </param-value> </init-param>
+ </servlet>
+
+ <servlet>
+ <servlet-name> kraug </servlet-name>
+ <servlet-class> com.netscape.cms.servlet.admin.UsrGrpAdminServlet </servlet-class>
+ <init-param><param-name> ID </param-name>
+ <param-value> kraug </param-value> </init-param>
+ <init-param><param-name> AuthzMgr </param-name>
+ <param-value> BasicAclAuthz </param-value> </init-param>
+ </servlet>
+
+
+ <servlet>
+ <servlet-name> kraserver </servlet-name>
+ <servlet-class> com.netscape.cms.servlet.admin.CMSAdminServlet </servlet-class>
+ <init-param><param-name> ID </param-name>
+ <param-value> kraserver </param-value> </init-param>
+ <init-param><param-name> AuthzMgr </param-name>
+ <param-value> BasicAclAuthz </param-value> </init-param>
+ </servlet>
+
+ <servlet>
+ <servlet-name> krakra </servlet-name>
+ <servlet-class> com.netscape.cms.servlet.admin.KRAAdminServlet </servlet-class>
+ <init-param><param-name> ID </param-name>
+ <param-value> krakra </param-value> </init-param>
+ <init-param><param-name> AuthzMgr </param-name>
+ <param-value> BasicAclAuthz </param-value> </init-param>
+ </servlet>
+
+ <servlet>
+ <servlet-name> kralog </servlet-name>
+ <servlet-class> com.netscape.cms.servlet.admin.LogAdminServlet </servlet-class>
+ <init-param><param-name> ID </param-name>
+ <param-value> kralog </param-value> </init-param>
+ <init-param><param-name> AuthzMgr </param-name>
+ <param-value> BasicAclAuthz </param-value> </init-param>
+ </servlet>
+
+ <servlet>
+ <servlet-name> services </servlet-name>
+ <servlet-class> com.netscape.cms.servlet.csadmin.MainPageServlet </servlet-class>
+ <init-param><param-name> GetClientCert </param-name>
+ <param-value> false </param-value> </init-param>
+ <init-param><param-name> authorityId </param-name>
+ <param-value> kra </param-value> </init-param>
+ <init-param><param-name> ID </param-name>
+ <param-value> services </param-value> </init-param>
+ <init-param><param-name> templatePath </param-name>
+ <param-value> /services.template </param-value> </init-param>
+ <init-param><param-name> interface </param-name>
+ <param-value> ee </param-value> </init-param>
+ </servlet>
+
+ <servlet>
+ <servlet-name> kraregistry </servlet-name>
+ <servlet-class> com.netscape.cms.servlet.admin.RegistryAdminServlet </servlet-class>
+ <init-param><param-name> ID </param-name>
+ <param-value> kraregistry </param-value> </init-param>
+ <init-param><param-name> AuthzMgr </param-name>
+ <param-value> BasicAclAuthz </param-value> </init-param>
+ <init-param><param-name> authority </param-name>
+ <param-value> kra </param-value> </init-param>
+ </servlet>
+
+ <servlet>
+ <servlet-name> kraUpdateNumberRange </servlet-name>
+ <servlet-class> com.netscape.cms.servlet.csadmin.UpdateNumberRange </servlet-class>
+ <init-param><param-name> GetClientCert </param-name>
+ <param-value> false </param-value> </init-param>
+ <init-param><param-name> authority </param-name>
+ <param-value> kra </param-value> </init-param>
+ <init-param><param-name> ID </param-name>
+ <param-value> kraUpdateNumberRange </param-value> </init-param>
+ <init-param><param-name> interface </param-name>
+ <param-value> ee </param-value> </init-param>
+ <init-param><param-name> AuthMgr </param-name>
+ <param-value> TokenAuth </param-value> </init-param>
+ <init-param><param-name> AuthzMgr </param-name>
+ <param-value> BasicAclAuthz </param-value> </init-param>
+ <init-param><param-name> resourceID </param-name>
+ <param-value> certServer.clone.configuration </param-value> </init-param>
+ </servlet>
+
+ <servlet>
+ <servlet-name> kraDownloadPKCS12 </servlet-name>
+ <servlet-class> com.netscape.cms.servlet.csadmin.DownloadPKCS12 </servlet-class>
+ <init-param><param-name> GetClientCert </param-name>
+ <param-value> false </param-value> </init-param>
+ <init-param><param-name> authority </param-name>
+ <param-value> kra </param-value> </init-param>
+ <init-param><param-name> ID </param-name>
+ <param-value> kraDownloadPKCS12 </param-value> </init-param>
+ <init-param><param-name> interface </param-name>
+ <param-value> ee </param-value> </init-param>
+ <init-param><param-name> AuthMgr </param-name>
+ <param-value> TokenAuth </param-value> </init-param>
+ <init-param><param-name> AuthzMgr </param-name>
+ <param-value> BasicAclAuthz </param-value> </init-param>
+ <init-param><param-name> resourceID </param-name>
+ <param-value> certServer.clone.configuration </param-value> </init-param>
+ </servlet>
+
+ <servlet>
+ <servlet-name> kraGetTokenInfo </servlet-name>
+ <servlet-class> com.netscape.cms.servlet.csadmin.GetTokenInfo </servlet-class>
+ <init-param><param-name> GetClientCert </param-name>
+ <param-value> false </param-value> </init-param>
+ <init-param><param-name> authority </param-name>
+ <param-value> kra </param-value> </init-param>
+ <init-param><param-name> ID </param-name>
+ <param-value> kraGetTokenInfo </param-value> </init-param>
+ <init-param><param-name> interface </param-name>
+ <param-value> ee </param-value> </init-param>
+ </servlet>
+
+ <servlet-mapping>
+ <servlet-name> kraserver </servlet-name>
+ <url-pattern> /server </url-pattern>
+ </servlet-mapping>
+
+ <servlet-mapping>
+ <servlet-name> krakra </servlet-name>
+ <url-pattern> /kra </url-pattern>
+ </servlet-mapping>
+
+ <servlet-mapping>
+ <servlet-name> kralog </servlet-name>
+ <url-pattern> /log </url-pattern>
+ </servlet-mapping>
+
+ <servlet-mapping>
+ <servlet-name> kraregistry </servlet-name>
+ <url-pattern> /registry </url-pattern>
+ </servlet-mapping>
+
+
+ <servlet-mapping>
+ <servlet-name> kraug </servlet-name>
+ <url-pattern> /ug </url-pattern>
+ </servlet-mapping>
+
+ <servlet-mapping>
+ <servlet-name> krastart </servlet-name>
+ <url-pattern> /start </url-pattern>
+ </servlet-mapping>
+
+ <servlet-mapping>
+ <servlet-name> kraacl </servlet-name>
+ <url-pattern> /acl </url-pattern>
+ </servlet-mapping>
+
+
+ <servlet-mapping>
+ <servlet-name> kraauths </servlet-name>
+ <url-pattern> /auths </url-pattern>
+ </servlet-mapping>
+
+ <servlet-mapping>
+ <servlet-name> krajobsScheduler </servlet-name>
+ <url-pattern> /jobsScheduler </url-pattern>
+ </servlet-mapping>
+
+ <servlet-mapping>
+ <servlet-name> krapolicy </servlet-name>
+ <url-pattern> /krapolicy </url-pattern>
+ </servlet-mapping>
+
+ <servlet-mapping>
+ <servlet-name> kraKRADisplayBySerialForRecovery </servlet-name>
+ <url-pattern> /agent/kra/displayBySerialForRecovery </url-pattern>
+ </servlet-mapping>
+
+ <servlet-mapping>
+ <servlet-name> kraKRAGrantRecovery </servlet-name>
+ <url-pattern> /agent/kra/grantRecovery </url-pattern>
+ </servlet-mapping>
+
+ <servlet-mapping>
+ <servlet-name> kraports </servlet-name>
+ <url-pattern> /ee/kra/ports </url-pattern>
+ </servlet-mapping>
+
+ <servlet-mapping>
+ <servlet-name> kraKRADisplayTransport </servlet-name>
+ <url-pattern> /agent/kra/displayTransportCert </url-pattern>
+ </servlet-mapping>
+
+ <servlet-mapping>
+ <servlet-name> kraKRARecoverBySerial </servlet-name>
+ <url-pattern> /agent/kra/recoverBySerial </url-pattern>
+ </servlet-mapping>
+
+ <servlet-mapping>
+ <servlet-name> kraDynamicVariables </servlet-name>
+ <url-pattern> /dynamicVars.js </url-pattern>
+ </servlet-mapping>
+
+ <servlet-mapping>
+ <servlet-name> kraheader </servlet-name>
+ <url-pattern> /agent/header </url-pattern>
+ </servlet-mapping>
+
+ <servlet-mapping>
+ <servlet-name> kraTokenKeyRecovery </servlet-name>
+ <url-pattern> /agent/kra/TokenKeyRecovery </url-pattern>
+ </servlet-mapping>
+
+ <servlet-mapping>
+ <servlet-name> kraSrchRecoverKey </servlet-name>
+ <url-pattern> /agent/kra/srchRecoverKey.html </url-pattern>
+ </servlet-mapping>
+
+ <servlet-mapping>
+ <servlet-name> kraConnector </servlet-name>
+ <url-pattern> /agent/kra/connector </url-pattern>
+ </servlet-mapping>
+
+ <servlet-mapping>
+ <servlet-name> kraSrchKey </servlet-name>
+ <url-pattern> /agent/kra/srchKey.html </url-pattern>
+ </servlet-mapping>
+
+ <servlet-mapping>
+ <servlet-name> kraListRequests </servlet-name>
+ <url-pattern> /agent/kra/listRequests.html </url-pattern>
+ </servlet-mapping>
+
+ <servlet-mapping>
+ <servlet-name> kraGenerateKeyPair </servlet-name>
+ <url-pattern> /agent/kra/GenerateKeyPair </url-pattern>
+ </servlet-mapping>
+
+ <servlet-mapping>
+ <servlet-name> kraindex </servlet-name>
+ <url-pattern> /index </url-pattern>
+ </servlet-mapping>
+
+ <servlet-mapping>
+ <servlet-name> kraMonitor </servlet-name>
+ <url-pattern> /agent/kra/monitor </url-pattern>
+ </servlet-mapping>
+
+ <servlet-mapping>
+ <servlet-name> kraKRAGetApprovalStatus </servlet-name>
+ <url-pattern> /agent/kra/getApprovalStatus </url-pattern>
+ </servlet-mapping>
+
+ <servlet-mapping>
+ <servlet-name> kraKRAProcessReq </servlet-name>
+ <url-pattern> /agent/kra/processReq </url-pattern>
+ </servlet-mapping>
+
+ <servlet-mapping>
+ <servlet-name> kraKRAExamineRecovery </servlet-name>
+ <url-pattern> /agent/kra/examineRecovery </url-pattern>
+ </servlet-mapping>
+
+ <servlet-mapping>
+ <servlet-name> kraKRASrchKey </servlet-name>
+ <url-pattern> /agent/kra/srchKey </url-pattern>
+ </servlet-mapping>
+
+ <servlet-mapping>
+ <servlet-name> kraKRAGetPk12 </servlet-name>
+ <url-pattern> /agent/kra/getPk12 </url-pattern>
+ </servlet-mapping>
+
+ <servlet-mapping>
+ <servlet-name> kraGrantRecovery </servlet-name>
+ <url-pattern> /agent/kra/grantRecovery.html </url-pattern>
+ </servlet-mapping>
+
+ <servlet-mapping>
+ <servlet-name> kraKRASrchKeyForRecovery </servlet-name>
+ <url-pattern> /agent/kra/srchKeyForRecovery </url-pattern>
+ </servlet-mapping>
+
+ <servlet-mapping>
+ <servlet-name> krakraqueryReq </servlet-name>
+ <url-pattern> /agent/kra/queryReq </url-pattern>
+ </servlet-mapping>
+
+ <servlet-mapping>
+ <servlet-name> kraKRADisplayBySerial </servlet-name>
+ <url-pattern> /agent/kra/displayBySerial </url-pattern>
+ </servlet-mapping>
+
+ <servlet-mapping>
+ <servlet-name>csadmin-base</servlet-name>
+ <url-pattern>/admin/console/config/base</url-pattern>
+ </servlet-mapping>
+
+ <servlet-mapping>
+ <servlet-name>csadmin-login</servlet-name>
+ <url-pattern>/admin/console/config/login</url-pattern>
+ </servlet-mapping>
+
+ <servlet-mapping>
+ <servlet-name>config-db</servlet-name>
+ <url-pattern>/admin/console/config/config_db</url-pattern>
+ </servlet-mapping>
+
+ <servlet-mapping>
+ <servlet-name>config-hsm</servlet-name>
+ <url-pattern>/admin/console/config/config_hsm</url-pattern>
+ </servlet-mapping>
+
+ <servlet-mapping>
+ <servlet-name>config-rootca</servlet-name>
+ <url-pattern>/admin/console/config/config_rootca</url-pattern>
+ </servlet-mapping>
+
+ <servlet-mapping>
+ <servlet-name>config-join</servlet-name>
+ <url-pattern>/admin/console/config/config_join</url-pattern>
+ </servlet-mapping>
+
+ <servlet-mapping>
+ <servlet-name>config-clone</servlet-name>
+ <url-pattern>/admin/console/config/config_clone</url-pattern>
+ </servlet-mapping>
+
+
+ <servlet-mapping>
+ <servlet-name>csadmin-welcome</servlet-name>
+ <url-pattern>/admin/console/config/welcome</url-pattern>
+ </servlet-mapping>
+
+ <servlet-mapping>
+ <servlet-name>csadmin-database</servlet-name>
+ <url-pattern>/admin/console/config/database</url-pattern>
+ </servlet-mapping>
+
+ <servlet-mapping>
+ <servlet-name>csadmin-admin</servlet-name>
+ <url-pattern>/admin/console/config/admin</url-pattern>
+ </servlet-mapping>
+
+ <servlet-mapping>
+ <servlet-name>csadmin-module</servlet-name>
+ <url-pattern>/admin/console/config/module</url-pattern>
+ </servlet-mapping>
+
+ <servlet-mapping>
+ <servlet-name>csadmin-size</servlet-name>
+ <url-pattern>/admin/console/config/size</url-pattern>
+ </servlet-mapping>
+
+ <servlet-mapping>
+ <servlet-name>csadmin-name</servlet-name>
+ <url-pattern>/admin/console/config/name</url-pattern>
+ </servlet-mapping>
+
+ <servlet-mapping>
+ <servlet-name>csadmin-hierarchy</servlet-name>
+ <url-pattern>/admin/console/config/hierarchy</url-pattern>
+ </servlet-mapping>
+
+ <servlet-mapping>
+ <servlet-name>csadmin-done</servlet-name>
+ <url-pattern>/admin/console/config/done</url-pattern>
+ </servlet-mapping>
+
+ <servlet-mapping>
+ <servlet-name> kraRegisterUser </servlet-name>
+ <url-pattern> /admin/kra/registerUser </url-pattern>
+ </servlet-mapping>
+
+ <servlet-mapping>
+ <servlet-name> kraGetTransportCert </servlet-name>
+ <url-pattern> /admin/kra/getTransportCert </url-pattern>
+ </servlet-mapping>
+
+ <servlet-mapping>
+ <servlet-name>csadmin-wizard</servlet-name>
+ <url-pattern>/admin/console/config/wizard</url-pattern>
+ </servlet-mapping>
+
+ <servlet-mapping>
+ <servlet-name> kraGetConfigEntries </servlet-name>
+ <url-pattern> /admin/kra/getConfigEntries </url-pattern>
+ </servlet-mapping>
+
+ <servlet-mapping>
+ <servlet-name> services </servlet-name>
+ <url-pattern> /services </url-pattern>
+ </servlet-mapping>
+
+ <servlet-mapping>
+ <servlet-name> kraUpdateNumberRange </servlet-name>
+ <url-pattern> /ee/kra/updateNumberRange </url-pattern>
+ </servlet-mapping>
+
+ <servlet-mapping>
+ <servlet-name> kraDownloadPKCS12 </servlet-name>
+ <url-pattern> /admin/console/config/savepkcs12 </url-pattern>
+ </servlet-mapping>
+
+ <servlet-mapping>
+ <servlet-name> kraGetTokenInfo </servlet-name>
+ <url-pattern> /ee/kra/getTokenInfo </url-pattern>
+ </servlet-mapping>
+</web-app>
+
diff --git a/pki/base/kra/src/com/netscape/kra/EncryptionUnit.java b/pki/base/kra/src/com/netscape/kra/EncryptionUnit.java
new file mode 100644
index 000000000..b426259d1
--- /dev/null
+++ b/pki/base/kra/src/com/netscape/kra/EncryptionUnit.java
@@ -0,0 +1,534 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2007 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.kra;
+
+
+import java.util.*;
+import java.io.*;
+import java.net.*;
+import java.security.*;
+import java.security.cert.*;
+import java.security.cert.X509Certificate;
+import netscape.security.x509.*;
+import netscape.security.provider.*;
+import netscape.security.util.*;
+import com.netscape.certsrv.logging.*;
+import com.netscape.cmscore.util.*;
+import com.netscape.cmscore.util.Debug;
+import com.netscape.certsrv.base.*;
+import com.netscape.certsrv.kra.*;
+import com.netscape.certsrv.security.*;
+//import com.netscape.cmscore.kra.*;
+import com.netscape.cmscore.cert.*;
+import com.netscape.certsrv.apps.CMS;
+import org.mozilla.jss.util.*;
+import org.mozilla.jss.crypto.*;
+import org.mozilla.jss.*;
+import org.mozilla.jss.crypto.PrivateKey;
+
+
+/**
+ * A class represents the transport key pair. This key pair
+ * is used to protected EE's private key in transit.
+ *
+ * @author thomask
+ * @version $Revision: 14563 $, $Date: 2007-05-01 10:35:23 -0700 (Tue, 01 May 2007) $
+ */
+public abstract class EncryptionUnit implements IEncryptionUnit {
+
+ private byte iv[] = {0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1};
+ private IVParameterSpec IV = null;
+
+ public EncryptionUnit() {
+/*
+ org.mozilla.jss.pkcs11.PK11SecureRandom random =
+ new org.mozilla.jss.pkcs11.PK11SecureRandom();
+ random.nextBytes(iv);
+*/
+ IV = new IVParameterSpec(iv);
+ }
+
+ public abstract CryptoToken getToken();
+
+ public abstract CryptoToken getInternalToken();
+
+ public abstract PublicKey getPublicKey();
+
+ public abstract PrivateKey getPrivateKey();
+
+ /**
+ * Protects the private key so that it can be stored in
+ * internal database.
+ */
+ public byte[] encryptInternalPrivate(byte priKey[])
+ throws EBaseException {
+ try {
+ CryptoToken token = getToken();
+ CryptoToken internalToken = getInternalToken();
+
+ // (1) generate session key
+ org.mozilla.jss.crypto.KeyGenerator kg =
+ internalToken.getKeyGenerator(KeyGenAlgorithm.DES3);
+ SymmetricKey sk = kg.generate();
+
+ // (2) wrap private key with session key
+ Cipher cipher = internalToken.getCipherContext(
+ EncryptionAlgorithm.DES3_CBC_PAD);
+
+ cipher.initEncrypt(sk, IV);
+ byte pri[] = cipher.doFinal(priKey);
+
+ // (3) wrap session with transport public
+ KeyWrapper rsaWrap = internalToken.getKeyWrapper(
+ KeyWrapAlgorithm.RSA);
+
+ rsaWrap.initWrap(getPublicKey(), null);
+ byte session[] = rsaWrap.wrap(sk);
+
+ // use MY own structure for now:
+ // SEQUENCE {
+ // encryptedSession OCTET STRING,
+ // encryptedPrivate OCTET STRING
+ // }
+
+ DerOutputStream tmp = new DerOutputStream();
+ DerOutputStream out = new DerOutputStream();
+
+ tmp.putOctetString(session);
+ tmp.putOctetString(pri);
+ out.write(DerValue.tag_Sequence, tmp);
+
+ return out.toByteArray();
+ } catch (TokenException e) {
+ CMS.getLogger().log(ILogger.EV_SYSTEM, null, ILogger.S_KRA, ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_KRA_ENCRYPTION_INTERNAL", e.toString()));
+ Debug.trace("EncryptionUnit::encryptInternalPrivate " + e.toString());
+ return null;
+ } catch (NoSuchAlgorithmException e) {
+ CMS.getLogger().log(ILogger.EV_SYSTEM, null, ILogger.S_KRA, ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_KRA_ENCRYPTION_INTERNAL", e.toString()));
+ Debug.trace("EncryptionUnit::encryptInternalPrivate " + e.toString());
+ return null;
+ } catch (CharConversionException e) {
+ CMS.getLogger().log(ILogger.EV_SYSTEM, null, ILogger.S_KRA, ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_KRA_ENCRYPTION_INTERNAL", e.toString()));
+ Debug.trace("EncryptionUnit::encryptInternalPrivate " + e.toString());
+ return null;
+ } catch (InvalidAlgorithmParameterException e) {
+ CMS.getLogger().log(ILogger.EV_SYSTEM, null, ILogger.S_KRA, ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_KRA_ENCRYPTION_INTERNAL", e.toString()));
+ Debug.trace("EncryptionUnit::encryptInternalPrivate " + e.toString());
+ return null;
+ } catch (InvalidKeyException e) {
+ CMS.getLogger().log(ILogger.EV_SYSTEM, null, ILogger.S_KRA, ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_KRA_ENCRYPTION_INTERNAL", e.toString()));
+ Debug.trace("EncryptionUnit::encryptInternalPrivate " + e.toString());
+ return null;
+ } catch (BadPaddingException e) {
+ CMS.getLogger().log(ILogger.EV_SYSTEM, null, ILogger.S_KRA, ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_KRA_ENCRYPTION_INTERNAL", e.toString()));
+ Debug.trace("EncryptionUnit::encryptInternalPrivate " + e.toString());
+ return null;
+ } catch (IllegalBlockSizeException e) {
+ CMS.getLogger().log(ILogger.EV_SYSTEM, null, ILogger.S_KRA, ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_KRA_ENCRYPTION_INTERNAL", e.toString()));
+ Debug.trace("EncryptionUnit::encryptInternalPrivate " + e.toString());
+ return null;
+ } catch (IOException e) {
+ CMS.getLogger().log(ILogger.EV_SYSTEM, null, ILogger.S_KRA, ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_KRA_ENCRYPTION_INTERNAL", e.toString()));
+ Debug.trace("EncryptionUnit::encryptInternalPrivate " + e.toString());
+ return null;
+ }
+ }
+
+ /**
+ * Wraps the data using transport public key.
+ */
+ public byte[] wrap(PrivateKey priKey) throws EBaseException {
+ try {
+
+ CryptoToken token = getToken();
+ CryptoToken internalToken = getInternalToken();
+
+ // (1) generate session key
+ org.mozilla.jss.crypto.KeyGenerator kg =
+ token.getKeyGenerator(KeyGenAlgorithm.DES3);
+ // internalToken.getKeyGenerator(KeyGenAlgorithm.DES3);
+ SymmetricKey.Usage usages[] = new SymmetricKey.Usage[3];
+ usages[0] = SymmetricKey.Usage.ENCRYPT;
+ usages[1] = SymmetricKey.Usage.WRAP;
+ usages[2] = SymmetricKey.Usage.UNWRAP;
+ kg.setKeyUsages(usages);
+ kg.temporaryKeys(true);
+ SymmetricKey sk = kg.generate();
+ CMS.debug("EncryptionUnit:wrap() session key generated on slot: "+token.getName());
+
+ // (2) wrap private key with session key
+ // KeyWrapper wrapper = internalToken.getKeyWrapper(
+ KeyWrapper wrapper = token.getKeyWrapper(
+ KeyWrapAlgorithm.DES3_CBC_PAD);
+ CMS.debug("EncryptionUnit:wrap() got key wrapper");
+
+ wrapper.initWrap(sk, IV);
+ CMS.debug("EncryptionUnit:wrap() key wrapper initialized");
+ byte pri[] = wrapper.wrap(priKey);
+ CMS.debug("EncryptionUnit:wrap() privKey wrapped");
+
+ // (3) wrap session with transport public
+ KeyWrapper rsaWrap = token.getKeyWrapper(
+ KeyWrapAlgorithm.RSA);
+
+ rsaWrap.initWrap(getPublicKey(), null);
+ byte session[] = rsaWrap.wrap(sk);
+ CMS.debug("EncryptionUnit:wrap() sessin key wrapped");
+
+ // use MY own structure for now:
+ // SEQUENCE {
+ // encryptedSession OCTET STRING,
+ // encryptedPrivate OCTET STRING
+ // }
+
+ DerOutputStream tmp = new DerOutputStream();
+ DerOutputStream out = new DerOutputStream();
+
+ tmp.putOctetString(session);
+ tmp.putOctetString(pri);
+ out.write(DerValue.tag_Sequence, tmp);
+
+ return out.toByteArray();
+ } catch (TokenException e) {
+ CMS.getLogger().log(ILogger.EV_SYSTEM, null, ILogger.S_KRA, ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_KRA_ENCRYPTION_WRAP", e.toString()));
+ Debug.trace("EncryptionUnit::wrap " + e.toString());
+ return null;
+ } catch (NoSuchAlgorithmException e) {
+ CMS.getLogger().log(ILogger.EV_SYSTEM, null, ILogger.S_KRA, ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_KRA_ENCRYPTION_WRAP", e.toString()));
+ Debug.trace("EncryptionUnit::wrap " + e.toString());
+ return null;
+ } catch (CharConversionException e) {
+ CMS.getLogger().log(ILogger.EV_SYSTEM, null, ILogger.S_KRA, ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_KRA_ENCRYPTION_WRAP", e.toString()));
+ Debug.trace("EncryptionUnit::wrap " + e.toString());
+ return null;
+ } catch (InvalidAlgorithmParameterException e) {
+ CMS.getLogger().log(ILogger.EV_SYSTEM, null, ILogger.S_KRA, ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_KRA_ENCRYPTION_WRAP", e.toString()));
+ Debug.trace("EncryptionUnit::wrap " + e.toString());
+ return null;
+ } catch (InvalidKeyException e) {
+ CMS.getLogger().log(ILogger.EV_SYSTEM, null, ILogger.S_KRA, ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_KRA_ENCRYPTION_WRAP", e.toString()));
+ Debug.trace("EncryptionUnit::wrap " + e.toString());
+ return null;
+ } catch (IOException e) {
+ CMS.getLogger().log(ILogger.EV_SYSTEM, null, ILogger.S_KRA, ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_KRA_ENCRYPTION_WRAP", e.toString()));
+ Debug.trace("EncryptionUnit::wrap " + e.toString());
+ return null;
+ }
+ }
+
+ /**
+ * External unwrapping. Unwraps the data using
+ * the transport private key.
+ */
+ public SymmetricKey unwrap_sym(byte encSymmKey[], SymmetricKey.Usage usage)
+ {
+ try {
+ CryptoToken token = getToken();
+ CryptoToken internalToken = getInternalToken();
+
+ // (1) unwrap the session
+ CMS.debug("EncryptionUnit::unwrap_sym() on slot: "+token.getName());
+ PrivateKey priKey = getPrivateKey();
+ String priKeyAlgo = priKey.getAlgorithm();
+ CMS.debug("EncryptionUnit::unwrap_sym() private key algo: " + priKeyAlgo);
+ KeyWrapper rsaWrap = null;
+ if (priKeyAlgo.equals("EC")) {
+ rsaWrap = token.getKeyWrapper(KeyWrapAlgorithm.AES_CBC);
+ rsaWrap.initUnwrap(priKey, IV);
+ } else {
+ rsaWrap = token.getKeyWrapper(KeyWrapAlgorithm.RSA);
+ rsaWrap.initUnwrap(priKey, null);
+ }
+ SymmetricKey sk = rsaWrap.unwrapSymmetric(encSymmKey,
+ SymmetricKey.DES3, usage,
+ 0);
+ return sk;
+ } catch (Exception e) {
+ CMS.debug("EncryptionUnit::unwrap_sym() error:" +
+ e.toString());
+ return null;
+ }
+ }
+
+ public SymmetricKey unwrap_sym(byte encSymmKey[])
+ {
+ return unwrap_sym(encSymmKey, SymmetricKey.Usage.WRAP);
+ }
+
+ public SymmetricKey unwrap_encrypt_sym(byte encSymmKey[])
+ {
+ return unwrap_sym(encSymmKey, SymmetricKey.Usage.ENCRYPT);
+ }
+
+ /**
+ * Decrypts the user private key.
+ */
+ public byte[] decryptExternalPrivate(byte encSymmKey[],
+ String symmAlgOID, byte symmAlgParams[],
+ byte encValue[])
+ throws EBaseException {
+ try {
+
+ CryptoToken token = getToken();
+ CryptoToken internalToken = getInternalToken();
+
+ // (1) unwrap the session
+ KeyWrapper rsaWrap = token.getKeyWrapper(
+ KeyWrapAlgorithm.RSA);
+
+ rsaWrap.initUnwrap(getPrivateKey(), null);
+ SymmetricKey sk = rsaWrap.unwrapSymmetric(encSymmKey,
+ SymmetricKey.DES3, SymmetricKey.Usage.DECRYPT,
+ 0);
+
+ // (2) unwrap the pri
+ Cipher cipher = token.getCipherContext(
+ EncryptionAlgorithm.DES3_CBC_PAD // XXX
+ );
+
+ cipher.initDecrypt(sk, new IVParameterSpec(
+ symmAlgParams));
+ return cipher.doFinal(encValue);
+ } catch (IllegalBlockSizeException e) {
+ CMS.getLogger().log(ILogger.EV_SYSTEM, null, ILogger.S_KRA, ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_KRA_ENCRYPTION_EXTERNAL", e.toString()));
+ Debug.trace("EncryptionUnit::decryptExternalPrivate " + e.toString());
+ return null;
+ } catch (BadPaddingException e) {
+ CMS.getLogger().log(ILogger.EV_SYSTEM, null, ILogger.S_KRA, ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_KRA_ENCRYPTION_EXTERNAL", e.toString()));
+ Debug.trace("EncryptionUnit::decryptExternalPrivate " + e.toString());
+ return null;
+ } catch (TokenException e) {
+ CMS.getLogger().log(ILogger.EV_SYSTEM, null, ILogger.S_KRA, ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_KRA_ENCRYPTION_EXTERNAL", e.toString()));
+ Debug.trace("EncryptionUnit::decryptExternalPrivate " + e.toString());
+ return null;
+ } catch (NoSuchAlgorithmException e) {
+ CMS.getLogger().log(ILogger.EV_SYSTEM, null, ILogger.S_KRA, ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_KRA_ENCRYPTION_EXTERNAL", e.toString()));
+ Debug.trace("EncryptionUnit::decryptExternalPrivate " + e.toString());
+ return null;
+ } catch (InvalidAlgorithmParameterException e) {
+ CMS.getLogger().log(ILogger.EV_SYSTEM, null, ILogger.S_KRA, ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_KRA_ENCRYPTION_EXTERNAL", e.toString()));
+ Debug.trace("EncryptionUnit::decryptExternalPrivate " + e.toString());
+ return null;
+ } catch (InvalidKeyException e) {
+ CMS.getLogger().log(ILogger.EV_SYSTEM, null, ILogger.S_KRA, ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_KRA_ENCRYPTION_EXTERNAL", e.toString()));
+ Debug.trace("EncryptionUnit::decryptExternalPrivate " + e.toString());
+ return null;
+ }
+ }
+
+ /**
+ * External unwrapping. Unwraps the data using
+ * the transport private key.
+ */
+ public PrivateKey unwrap(byte encSymmKey[],
+ String symmAlgOID, byte symmAlgParams[],
+ byte encValue[], PublicKey pubKey)
+ throws EBaseException {
+ try {
+ CryptoToken token = getToken();
+ CryptoToken internalToken = getInternalToken();
+
+ // (1) unwrap the session
+ KeyWrapper rsaWrap = token.getKeyWrapper(
+ KeyWrapAlgorithm.RSA);
+
+ rsaWrap.initUnwrap(getPrivateKey(), null);
+ SymmetricKey sk = rsaWrap.unwrapSymmetric(encSymmKey,
+ SymmetricKey.DES3, SymmetricKey.Usage.UNWRAP,
+ 0);
+
+ // (2) unwrap the pri
+ KeyWrapper wrapper = token.getKeyWrapper(
+ KeyWrapAlgorithm.DES3_CBC_PAD // XXX
+ );
+
+ wrapper.initUnwrap(sk, new IVParameterSpec(
+ symmAlgParams));
+ PrivateKey pk = wrapper.unwrapPrivate(encValue,
+ PrivateKey.RSA, pubKey);
+
+ return pk;
+ } catch (TokenException e) {
+ CMS.getLogger().log(ILogger.EV_SYSTEM, null, ILogger.S_KRA, ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_KRA_ENCRYPTION_UNWRAP", e.toString()));
+ Debug.trace("EncryptionUnit::unwrap " + e.toString());
+ return null;
+ } catch (NoSuchAlgorithmException e) {
+ CMS.getLogger().log(ILogger.EV_SYSTEM, null, ILogger.S_KRA, ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_KRA_ENCRYPTION_UNWRAP", e.toString()));
+ Debug.trace("EncryptionUnit::unwrap " + e.toString());
+ return null;
+ } catch (InvalidAlgorithmParameterException e) {
+ CMS.getLogger().log(ILogger.EV_SYSTEM, null, ILogger.S_KRA, ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_KRA_ENCRYPTION_UNWRAP", e.toString()));
+ Debug.trace("EncryptionUnit::unwrap " + e.toString());
+ return null;
+ } catch (InvalidKeyException e) {
+ CMS.getLogger().log(ILogger.EV_SYSTEM, null, ILogger.S_KRA, ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_KRA_ENCRYPTION_UNWRAP", e.toString()));
+ Debug.trace("EncryptionUnit::unwrap " + e.toString());
+ return null;
+ }
+ }
+
+ public byte[] decryptInternalPrivate(byte wrappedKeyData[])
+ throws EBaseException {
+ try {
+ DerValue val = new DerValue(wrappedKeyData);
+ // val.tag == DerValue.tag_Sequence
+ DerInputStream in = val.data;
+ DerValue dSession = in.getDerValue();
+ byte session[] = dSession.getOctetString();
+ DerValue dPri = in.getDerValue();
+ byte pri[] = dPri.getOctetString();
+
+ CryptoToken token = getToken();
+ CryptoToken internalToken = getInternalToken();
+
+ // (1) unwrap the session
+ CMS.debug("decryptInternalPrivate(): getting key wrapper on slot:"+ token.getName());
+ KeyWrapper rsaWrap = token.getKeyWrapper(
+ KeyWrapAlgorithm.RSA);
+
+ rsaWrap.initUnwrap(getPrivateKey(), null);
+ SymmetricKey sk = rsaWrap.unwrapSymmetric(session,
+ SymmetricKey.DES3, SymmetricKey.Usage.DECRYPT, 0);
+
+ // (2) unwrap the pri
+ Cipher cipher = token.getCipherContext(
+ EncryptionAlgorithm.DES3_CBC_PAD);
+
+ cipher.initDecrypt(sk, IV);
+ return cipher.doFinal(pri);
+ } catch (IllegalBlockSizeException e) {
+ CMS.getLogger().log(ILogger.EV_SYSTEM, null, ILogger.S_KRA, ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_KRA_ENCRYPTION_DECRYPT", e.toString()));
+ Debug.trace("EncryptionUnit::decryptInternalPrivate " + e.toString());
+ return null;
+ } catch (BadPaddingException e) {
+ CMS.getLogger().log(ILogger.EV_SYSTEM, null, ILogger.S_KRA, ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_KRA_ENCRYPTION_DECRYPT", e.toString()));
+ Debug.trace("EncryptionUnit::decryptInternalPrivate " + e.toString());
+ return null;
+ } catch (TokenException e) {
+ CMS.getLogger().log(ILogger.EV_SYSTEM, null, ILogger.S_KRA, ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_KRA_ENCRYPTION_DECRYPT", e.toString()));
+ Debug.trace("EncryptionUnit::decryptInternalPrivate " + e.toString());
+ return null;
+ } catch (NoSuchAlgorithmException e) {
+ CMS.getLogger().log(ILogger.EV_SYSTEM, null, ILogger.S_KRA, ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_KRA_ENCRYPTION_DECRYPT", e.toString()));
+ Debug.trace("EncryptionUnit::decryptInternalPrivate " + e.toString());
+ return null;
+ } catch (InvalidAlgorithmParameterException e) {
+ CMS.getLogger().log(ILogger.EV_SYSTEM, null, ILogger.S_KRA, ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_KRA_ENCRYPTION_DECRYPT", e.toString()));
+ Debug.trace("EncryptionUnit::decryptInternalPrivate " + e.toString());
+ return null;
+ } catch (InvalidKeyException e) {
+ CMS.getLogger().log(ILogger.EV_SYSTEM, null, ILogger.S_KRA, ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_KRA_ENCRYPTION_DECRYPT", e.toString()));
+ Debug.trace("EncryptionUnit::decryptInternalPrivate " + e.toString());
+ return null;
+ } catch (IOException e) {
+ CMS.getLogger().log(ILogger.EV_SYSTEM, null, ILogger.S_KRA, ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_KRA_ENCRYPTION_DECRYPT", e.toString()));
+ Debug.trace("EncryptionUnit::decryptInternalPrivate " + e.toString());
+ return null;
+ }
+ }
+
+ /**
+ * Internal unwrapping.
+ */
+ public PrivateKey unwrap_temp(byte wrappedKeyData[], PublicKey pubKey)
+ throws EBaseException {
+ return _unwrap(wrappedKeyData, pubKey, true);
+ }
+
+ /**
+ * Internal unwrapping.
+ */
+ public PrivateKey unwrap(byte wrappedKeyData[], PublicKey pubKey)
+ throws EBaseException {
+ return _unwrap(wrappedKeyData, pubKey, false);
+ }
+
+ /**
+ * Internal unwrapping.
+ */
+ private PrivateKey _unwrap(byte wrappedKeyData[], PublicKey
+ pubKey, boolean temporary)
+ throws EBaseException {
+ try {
+ DerValue val = new DerValue(wrappedKeyData);
+ // val.tag == DerValue.tag_Sequence
+ DerInputStream in = val.data;
+ DerValue dSession = in.getDerValue();
+ byte session[] = dSession.getOctetString();
+ DerValue dPri = in.getDerValue();
+ byte pri[] = dPri.getOctetString();
+
+ CryptoToken token = getToken();
+ // (1) unwrap the session
+ KeyWrapper rsaWrap = token.getKeyWrapper(
+ KeyWrapAlgorithm.RSA);
+
+ rsaWrap.initUnwrap(getPrivateKey(), null);
+ SymmetricKey sk = rsaWrap.unwrapSymmetric(session,
+ SymmetricKey.DES3, SymmetricKey.Usage.UNWRAP, 0);
+
+ // (2) unwrap the pri
+ KeyWrapper wrapper = token.getKeyWrapper(
+ KeyWrapAlgorithm.DES3_CBC_PAD);
+
+ wrapper.initUnwrap(sk, IV);
+
+ PrivateKey pk = null;
+ if (temporary) {
+ pk = wrapper.unwrapTemporaryPrivate(pri,
+ PrivateKey.RSA, pubKey);
+ } else {
+ pk = wrapper.unwrapPrivate(pri,
+ PrivateKey.RSA, pubKey);
+ }
+ return pk;
+ } catch (TokenException e) {
+ CMS.getLogger().log(ILogger.EV_SYSTEM, null, ILogger.S_KRA, ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_KRA_ENCRYPTION_UNWRAP", e.toString()));
+ Debug.trace("EncryptionUnit::unwrap " + e.toString());
+ CMS.debug(e);
+ return null;
+ } catch (NoSuchAlgorithmException e) {
+ CMS.getLogger().log(ILogger.EV_SYSTEM, null, ILogger.S_KRA, ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_KRA_ENCRYPTION_UNWRAP", e.toString()));
+ Debug.trace("EncryptionUnit::unwrap " + e.toString());
+ return null;
+ } catch (InvalidAlgorithmParameterException e) {
+ CMS.getLogger().log(ILogger.EV_SYSTEM, null, ILogger.S_KRA, ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_KRA_ENCRYPTION_UNWRAP", e.toString()));
+ Debug.trace("EncryptionUnit::unwrap " + e.toString());
+ return null;
+ } catch (InvalidKeyException e) {
+ CMS.getLogger().log(ILogger.EV_SYSTEM, null, ILogger.S_KRA, ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_KRA_ENCRYPTION_UNWRAP", e.toString()));
+ Debug.printStackTrace(e);
+ return null;
+ } catch (IOException e) {
+ CMS.getLogger().log(ILogger.EV_SYSTEM, null, ILogger.S_KRA, ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_KRA_ENCRYPTION_UNWRAP", e.toString()));
+ Debug.trace("EncryptionUnit::unwrap " + e.toString());
+ return null;
+ } catch (Exception e) {
+ Debug.printStackTrace(e);
+ return null;
+ }
+ }
+
+ /**
+ * Verify the given key pair.
+ */
+ public void verify(PublicKey publicKey, PrivateKey privateKey) throws
+ EBaseException {
+ }
+}
+
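Review bot: `verify(PublicKey publicKey, PrivateKey privateKey)` at the end of the hunk has an empty body, yet its Javadoc promises to verify the key pair, so any caller that treats a normal return as proof that a recovered private key matches its public key gets no check at all. Until a real implementation exists, make the contract visible with `// no-op: performs no key-pair consistency check; callers must not rely on this for validation`, or have it fail fast rather than silently succeed. Relatedly, `decryptExternalPrivate` and the five-argument `unwrap` accept `symmAlgOID` but never read it and hard-code `DES3_CBC_PAD` (marked `// XXX`); a `// symmAlgOID is ignored; only DES3_CBC_PAD is supported` comment, or an explicit rejection of other OIDs, would keep callers from assuming the OID is honored. Every catch block logs and returns `null` while the methods declare `throws EBaseException` that is never thrown, so wrapping and unwrapping failures reach callers only as a null result that is easy to miss. The constant `iv` with the random generation commented out also deserves a comment explaining why it is fixed, since `decryptInternalPrivate` and `_unwrap` depend on that exact value to read previously stored data.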
diff --git a/pki/base/kra/src/com/netscape/kra/EnrollmentService.java b/pki/base/kra/src/com/netscape/kra/EnrollmentService.java
new file mode 100644
index 000000000..062de3673
--- /dev/null
+++ b/pki/base/kra/src/com/netscape/kra/EnrollmentService.java
@@ -0,0 +1,951 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2007 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.kra;
+
+
+import java.util.StringTokenizer;
+import java.util.Vector;
+import java.io.IOException;
+import java.io.ByteArrayInputStream;
+import java.math.BigInteger;
+import java.security.*;
+// ADDED next line and COMMENTED out following line by MLH on 1/9/99
+import netscape.security.provider.RSAPublicKey;
+// import java.security.interfaces.RSAPublicKey;
+import java.security.cert.CertificateException;
+import netscape.security.util.*;
+import netscape.security.util.BigInt;
+import netscape.security.x509.*;
+import org.mozilla.jss.asn1.*;
+import org.mozilla.jss.pkix.crmf.*;
+import org.mozilla.jss.pkix.primitive.*;
+import org.mozilla.jss.pkix.primitive.AVA;
+import com.netscape.certsrv.util.*;
+import com.netscape.certsrv.logging.*;
+import com.netscape.certsrv.security.*;
+import com.netscape.cmscore.crmf.*;
+import com.netscape.certsrv.kra.*;
+import com.netscape.certsrv.base.*;
+//import com.netscape.cmscore.ca.*;
+import com.netscape.cmscore.dbs.*;
+import com.netscape.certsrv.profile.*;
+import com.netscape.certsrv.dbs.keydb.*;
+import com.netscape.certsrv.request.*;
+import com.netscape.certsrv.authentication.*;
+import com.netscape.certsrv.apps.CMS;
+
+
+/**
+ * A class represents archival request processor. It
+ * passes the request to the policy processor, and
+ * process the request according to the policy decision.
+ * <P>
+ * If policy returns ACCEPTED, the request will be
+ * processed immediately.
+ * <P>
+ * Upon processing, the incoming user key is unwrapped
+ * with the transport key of KRA, and then wrapped
+ * with the storage key. The encrypted key is stored
+ * in the internal database for long term storage.
+ * <P>
+ *
+ * @author thomask
+ * @version $Revision: 14563 $, $Date: 2007-05-01 10:35:23 -0700 (Tue, 01 May 2007) $
+ */
+public class EnrollmentService implements IService {
+
+ // constants
+ public static final String CRMF_REQUEST = "CRMFRequest";
+ public final static String ATTR_KEY_RECORD = "keyRecord";
+ public final static String ATTR_PROOF_OF_ARCHIVAL =
+ "proofOfArchival";
+
+ // private
+ private IKeyRecoveryAuthority mKRA = null;
+ private ITransportKeyUnit mTransportUnit = null;
+ private IStorageKeyUnit mStorageUnit = null;
+ private ILogger mSignedAuditLogger = CMS.getSignedAuditLogger();
+
+
+ private final static byte EOL[] = { Character.LINE_SEPARATOR };
+ private final static String
+ LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST =
+ "LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST_4";
+ private final static String
+ LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_PROCESSED =
+ "LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_PROCESSED_3";
+ private final static String LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST =
+ "LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_4";
+ private final static String LOGGING_SIGNED_AUDIT_KEY_RECOVERY_PROCESSED =
+ "LOGGING_SIGNED_AUDIT_KEY_RECOVERY_PROCESSED_4";
+ /**
+ * Constructs request processor.
+ * <P>
+ *
+ * @param kra key recovery authority
+ */
+ public EnrollmentService(IKeyRecoveryAuthority kra) {
+ mKRA = kra;
+ mTransportUnit = kra.getTransportKeyUnit();
+ mStorageUnit = kra.getStorageKeyUnit();
+ }
+
+ public PKIArchiveOptions toPKIArchiveOptions(byte options[]) {
+ ByteArrayInputStream bis = new ByteArrayInputStream(options);
+ PKIArchiveOptions archOpts = null;
+
+ try {
+ archOpts = (PKIArchiveOptions)
+ (new PKIArchiveOptions.Template()).decode(bis);
+ } catch (Exception e) {
+ CMS.debug("EnrollProfile: getPKIArchiveOptions " + e.toString());
+ }
+ return archOpts;
+ }
+
+ /**
+ * Services an enrollment/archival request.
+ * <P>
+ *
+ * @param request enrollment request
+ * @return serving successful or not
+ * @exception EBaseException failed to serve
+ */
+ public boolean serviceRequest(IRequest request)
+ throws EBaseException {
+
+ IStatsSubsystem statsSub = (IStatsSubsystem)CMS.getSubsystem("stats");
+ if (statsSub != null) {
+ statsSub.startTiming("archival", true /* main action */);
+ }
+
+ String auditMessage = null;
+ String auditSubjectID = auditSubjectID();
+ String auditRequesterID = auditRequesterID();
+ String auditArchiveID = ILogger.UNIDENTIFIED;
+ String auditPublicKey = ILogger.UNIDENTIFIED;
+
+ String id = request.getRequestId().toString();
+ if (id != null) {
+ auditArchiveID = id.trim();
+ }
+ if (CMS.debugOn())
+ CMS.debug("EnrollmentServlet: KRA services enrollment request");
+
+ SessionContext sContext = SessionContext.getContext();
+ String agentId = (String) sContext.get(SessionContext.USER_ID);
+ AuthToken authToken = (AuthToken) sContext.get(SessionContext.AUTH_TOKEN);
+
+ mKRA.log(ILogger.LL_INFO, "KRA services enrollment request");
+ // unwrap user key with transport
+ byte unwrapped[] = null;
+ PKIArchiveOptionsContainer aOpts[] = null;
+
+ String profileId = request.getExtDataInString("profileId");
+
+ if (profileId == null || profileId.equals("")) {
+ try {
+ aOpts = CRMFParser.getPKIArchiveOptions(
+ request.getExtDataInString(IRequest.HTTP_PARAMS, CRMF_REQUEST));
+ } catch (IOException e) {
+
+ auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditRequesterID,
+ auditArchiveID);
+
+ audit(auditMessage);
+ throw new EKRAException(
+ CMS.getUserMessage("CMS_KRA_INVALID_PRIVATE_KEY"));
+ }
+ } else {
+ // profile-based request
+ PKIArchiveOptions options = (PKIArchiveOptions)
+ toPKIArchiveOptions(
+ request.getExtDataInByteArray(IEnrollProfile.REQUEST_ARCHIVE_OPTIONS));
+
+ aOpts = new PKIArchiveOptionsContainer[1];
+ aOpts[0] = new PKIArchiveOptionsContainer(options,
+ 0/* not matter */);
+
+ request.setExtData("dbStatus", "NOT_UPDATED");
+ }
+
+ for (int i = 0; i < aOpts.length; i++) {
+ ArchiveOptions opts = new ArchiveOptions(aOpts[i].mAO);
+
+ if (statsSub != null) {
+ statsSub.startTiming("decrypt_user_key");
+ }
+ mKRA.log(ILogger.LL_INFO, "KRA decrypts external private");
+ if (CMS.debugOn())
+ CMS.debug("EnrollmentService::about to decryptExternalPrivate");
+ unwrapped = mTransportUnit.decryptExternalPrivate(
+ opts.getEncSymmKey(),
+ opts.getSymmAlgOID(),
+ opts.getSymmAlgParams(),
+ opts.getEncValue());
+ if (statsSub != null) {
+ statsSub.endTiming("decrypt_user_key");
+ }
+ if (CMS.debugOn())
+ CMS.debug("EnrollmentService::finished decryptExternalPrivate");
+ if (unwrapped == null) {
+ mKRA.log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_KRA_UNWRAP_USER_KEY"));
+
+ auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditRequesterID,
+ auditArchiveID);
+
+ audit(auditMessage);
+ throw new EKRAException(
+ CMS.getUserMessage("CMS_KRA_INVALID_PRIVATE_KEY"));
+ }
+
+ // retrieve pubic key
+ X509Key publicKey = getPublicKey(request, aOpts[i].mReqPos);
+ byte publicKeyData[] = publicKey.getEncoded();
+
+ if (publicKeyData == null) {
+ mKRA.log(ILogger.LL_FAILURE,
+ CMS.getLogMessage("CMSCORE_KRA_PUBLIC_NOT_FOUND"));
+
+
+ auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditRequesterID,
+ auditArchiveID);
+
+ audit(auditMessage);
+ throw new EKRAException(
+ CMS.getUserMessage("CMS_KRA_INVALID_PUBLIC_KEY"));
+ }
+
+ /* Bugscape #54948 - verify public and private key before archiving key */
+
+ if (statsSub != null) {
+ statsSub.startTiming("verify_key");
+ }
+ if (verifyKeyPair(publicKeyData, unwrapped) == false) {
+ mKRA.log(ILogger.LL_FAILURE,
+ CMS.getLogMessage("CMSCORE_KRA_PUBLIC_NOT_FOUND"));
+
+
+ auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditRequesterID,
+ auditArchiveID);
+
+ audit(auditMessage);
+ throw new EKRAException(
+ CMS.getUserMessage("CMS_KRA_INVALID_PUBLIC_KEY"));
+ }
+ if (statsSub != null) {
+ statsSub.endTiming("verify_key");
+ }
+
+ /**
+ mTransportKeyUnit.verify(pKey, unwrapped);
+ **/
+ // retrieve owner name
+ String owner = getOwnerName(request, aOpts[i].mReqPos);
+
+ if (owner == null) {
+ mKRA.log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_KRA_OWNER_NAME_NOT_FOUND"));
+
+ auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditRequesterID,
+ auditArchiveID);
+
+ audit(auditMessage);
+ throw new EKRAException(CMS.getUserMessage("CMS_KRA_INVALID_KEYRECORD"));
+ }
+
+ //
+ // privateKeyData ::= SEQUENCE {
+ // sessionKey OCTET_STRING,
+ // encKey OCTET_STRING,
+ // }
+ //
+ mKRA.log(ILogger.LL_INFO, "KRA encrypts internal private");
+ if (statsSub != null) {
+ statsSub.startTiming("encrypt_user_key");
+ }
+ byte privateKeyData[] = mStorageUnit.encryptInternalPrivate(
+ unwrapped);
+ if (statsSub != null) {
+ statsSub.endTiming("encrypt_user_key");
+ }
+
+ if (privateKeyData == null) {
+ mKRA.log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_KRA_WRAP_USER_KEY"));
+
+ auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditRequesterID,
+ auditArchiveID);
+
+ audit(auditMessage);
+ throw new EKRAException(
+ CMS.getUserMessage("CMS_KRA_INVALID_PRIVATE_KEY"));
+ }
+
+ // create key record
+ KeyRecord rec = new KeyRecord(null, publicKeyData,
+ privateKeyData, owner,
+ publicKey.getAlgorithmId().getOID().toString(), agentId);
+
+ if (rec == null) {
+
+ auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditRequesterID,
+ auditArchiveID);
+
+ audit(auditMessage);
+ throw new EKRAException(CMS.getUserMessage("CMS_KRA_INVALID_KEYRECORD"));
+ }
+
+ // we deal with RSA key only
+ try {
+ RSAPublicKey rsaPublicKey = new RSAPublicKey(publicKeyData);
+
+ rec.setKeySize(Integer.valueOf(rsaPublicKey.getKeySize()));
+ } catch (InvalidKeyException e) {
+
+ auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditRequesterID,
+ auditArchiveID);
+
+ audit(auditMessage);
+ throw new EKRAException(CMS.getUserMessage("CMS_KRA_INVALID_KEYRECORD"));
+ }
+
+
+ // if record alreay has a serial number, yell out.
+ if (rec.getSerialNumber() != null) {
+ mKRA.log(ILogger.LL_FAILURE,
+ CMS.getLogMessage("CMSCORE_KRA_INVALID_SERIAL_NUMBER",
+ rec.getSerialNumber().toString()));
+
+
+ auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditRequesterID,
+ auditArchiveID);
+
+ audit(auditMessage);
+ throw new EKRAException(CMS.getUserMessage("CMS_KRA_INVALID_STATE"));
+ }
+ IKeyRepository storage = mKRA.getKeyRepository();
+ BigInteger serialNo = storage.getNextSerialNumber();
+
+ if (serialNo == null) {
+ mKRA.log(ILogger.LL_FAILURE,
+ CMS.getLogMessage("CMSCORE_KRA_GET_NEXT_SERIAL"));
+
+ auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditRequesterID,
+ auditArchiveID);
+
+ audit(auditMessage);
+ throw new EKRAException(CMS.getUserMessage("CMS_KRA_INVALID_STATE"));
+ }
+ if (i == 0) {
+ rec.set(KeyRecord.ATTR_ID, serialNo);
+ request.setExtData(ATTR_KEY_RECORD, serialNo);
+ } else {
+ rec.set(KeyRecord.ATTR_ID + i, serialNo);
+ request.setExtData(ATTR_KEY_RECORD + i, serialNo);
+ }
+
+ mKRA.log(ILogger.LL_INFO, "KRA adding key record " + serialNo);
+ if (statsSub != null) {
+ statsSub.startTiming("store_key");
+ }
+ storage.addKeyRecord(rec);
+ if (statsSub != null) {
+ statsSub.endTiming("store_key");
+ }
+
+ if (CMS.debugOn())
+ CMS.debug("EnrollmentService: key record 0x" + serialNo.toString(16)
+ + " (" + owner + ") archived");
+
+ mKRA.log(ILogger.LL_INFO, "key record 0x" +
+ serialNo.toString(16)
+ + " (" + owner + ") archived");
+
+ // for audit log
+ String authMgr = AuditFormat.NOAUTH;
+
+ if (authToken != null) {
+ authMgr =
+ authToken.getInString(AuthToken.TOKEN_AUTHMGR_INST_NAME);
+ }
+ CMS.getLogger().log(ILogger.EV_AUDIT,
+ ILogger.S_KRA,
+ AuditFormat.LEVEL,
+ AuditFormat.FORMAT,
+ new Object[] {
+ IRequest.KEYARCHIVAL_REQUEST,
+ request.getRequestId(),
+ AuditFormat.FROMAGENT + " agentID: " + agentId,
+ authMgr,
+ "completed",
+ owner,
+ "serial number: 0x" + serialNo.toString(16)}
+ );
+
+
+ // store a message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST,
+ auditSubjectID,
+ ILogger.SUCCESS,
+ auditRequesterID,
+ auditArchiveID);
+
+ audit(auditMessage);
+
+ // store a message in the signed audit log file
+ auditPublicKey = auditPublicKey(rec);
+ auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_PROCESSED,
+ auditSubjectID,
+ ILogger.SUCCESS,
+ auditPublicKey);
+
+ audit(auditMessage);
+
+ // Xxx - should sign this proof of archival
+ ProofOfArchival mProof = new ProofOfArchival(serialNo,
+ owner, mKRA.getX500Name().toString(),
+ rec.getCreateTime());
+
+ DerOutputStream mProofOut = new DerOutputStream();
+ mProof.encode(mProofOut);
+ if (i == 0) {
+ request.setExtData(ATTR_PROOF_OF_ARCHIVAL,
+ mProofOut.toByteArray());
+ } else {
+ request.setExtData(ATTR_PROOF_OF_ARCHIVAL + i,
+ mProofOut.toByteArray());
+ }
+
+ } // for
+
+ /*
+ request.delete(IEnrollProfile.REQUEST_SUBJECT_NAME);
+ request.delete(IEnrollProfile.REQUEST_EXTENSIONS);
+ request.delete(IEnrollProfile.REQUEST_VALIDITY);
+ request.delete(IEnrollProfile.REQUEST_KEY);
+ request.delete(IEnrollProfile.REQUEST_SIGNING_ALGORITHM);
+ request.delete(IEnrollProfile.REQUEST_LOCALE);
+ */
+
+ request.setExtData(IRequest.RESULT, IRequest.RES_SUCCESS);
+
+ // update request
+ mKRA.log(ILogger.LL_INFO, "KRA updating request");
+ mKRA.getRequestQueue().updateRequest(request);
+
+ if (statsSub != null) {
+ statsSub.endTiming("archival");
+ }
+
+ return true;
+ }
+
+ public boolean verifyKeyPair(byte publicKeyData[], byte privateKeyData[])
+ {
+ try {
+ DerValue publicKeyVal = new DerValue(publicKeyData);
+ DerInputStream publicKeyIn = publicKeyVal.data;
+ publicKeyIn.getSequence(0);
+ DerValue publicKeyDer = new DerValue(publicKeyIn.getBitString());
+ DerInputStream publicKeyDerIn = publicKeyDer.data;
+ BigInt publicKeyModulus = publicKeyDerIn.getInteger();
+ BigInt publicKeyExponent = publicKeyDerIn.getInteger();
+
+ DerValue privateKeyVal = new DerValue(privateKeyData);
+ if (privateKeyVal.tag != DerValue.tag_Sequence)
+ return false;
+ DerInputStream privateKeyIn = privateKeyVal.data;
+ privateKeyIn.getInteger();
+ privateKeyIn.getSequence(0);
+ DerValue privateKeyDer = new DerValue(privateKeyIn.getOctetString());
+ DerInputStream privateKeyDerIn = privateKeyDer.data;
+ BigInt privateKeyVersion = privateKeyDerIn.getInteger();
+ BigInt privateKeyModulus = privateKeyDerIn.getInteger();
+ BigInt privateKeyExponent = privateKeyDerIn.getInteger();
+
+ if (!publicKeyModulus.equals(privateKeyModulus)) {
+ CMS.debug("verifyKeyPair modulus mismatch publicKeyModulus=" + publicKeyModulus + " privateKeyModulus=" + privateKeyModulus);
+ return false;
+ }
+
+ if (!publicKeyExponent.equals(privateKeyExponent)) {
+ CMS.debug("verifyKeyPair exponent mismatch publicKeyExponent=" + publicKeyExponent + " privateKeyExponent=" + privateKeyExponent);
+ return false;
+ }
+
+ return true;
+ } catch (Exception e) {
+ CMS.debug("verifyKeyPair error " + e);
+ return false;
+ }
+ }
+
+ private static final OBJECT_IDENTIFIER PKIARCHIVEOPTIONS_OID =
+ new OBJECT_IDENTIFIER(new long[] {1, 3, 6, 1, 5, 5, 7, 5, 1, 4}
+ );
+
+ /**
+ * Retrieves PKIArchiveOptions from CRMF request.
+ *
+ * @param crmfBlob CRMF request
+ * @return PKIArchiveOptions
+ * @exception EBaseException failed to extrace option
+ */
+ public static PKIArchiveOptionsContainer[] getPKIArchiveOptions(String crmfBlob)
+ throws EBaseException {
+ Vector options = new Vector();
+
+ if (CMS.debugOn())
+ CMS.debug("EnrollmentService::getPKIArchiveOptions> crmfBlob=" + crmfBlob);
+ byte[] crmfBerBlob = null;
+
+ crmfBerBlob = com.netscape.osutil.OSUtil.AtoB(crmfBlob);
+ ByteArrayInputStream crmfBerBlobIn = new
+ ByteArrayInputStream(crmfBerBlob);
+ SEQUENCE crmfmsgs = null;
+
+ try {
+ crmfmsgs = (SEQUENCE) new
+ SEQUENCE.OF_Template(new
+ CertReqMsg.Template()).decode(
+ crmfBerBlobIn);
+ } catch (IOException e) {
+ throw new EBaseException(CMS.getUserMessage("CMS_BASE_INVALID_ATTRIBUTE", "[crmf msgs]" + e.toString()));
+ } catch (InvalidBERException e) {
+ throw new EBaseException(CMS.getUserMessage("CMS_BASE_INVALID_ATTRIBUTE", "[crmf msgs]" + e.toString()));
+ }
+
+ for (int z = 0; z < crmfmsgs.size(); z++) {
+ CertReqMsg certReqMsg = (CertReqMsg)
+ crmfmsgs.elementAt(z);
+ CertRequest certReq = certReqMsg.getCertReq();
+
+ // try to locate PKIArchiveOption control
+ AVA archAva = null;
+
+ try {
+ for (int i = 0; i < certReq.numControls(); i++) {
+ AVA ava = certReq.controlAt(i);
+ OBJECT_IDENTIFIER oid = ava.getOID();
+
+ if (oid.equals(PKIARCHIVEOPTIONS_OID)) {
+ archAva = ava;
+ break;
+ }
+ }
+ } catch (Exception e) {
+ throw new EBaseException(CMS.getUserMessage("CMS_BASE_INVALID_ATTRIBUTE", "no PKIArchiveOptions found " + e.toString()));
+ }
+ if (archAva != null) {
+
+ ASN1Value archVal = archAva.getValue();
+ ByteArrayInputStream bis = new ByteArrayInputStream(ASN1Util.encode(archVal));
+ PKIArchiveOptions archOpts = null;
+
+ try {
+ archOpts = (PKIArchiveOptions)
+ (new PKIArchiveOptions.Template()).decode(bis);
+ } catch (IOException e) {
+ throw new EBaseException(CMS.getUserMessage("CMS_BASE_INVALID_ATTRIBUTE", "[PKIArchiveOptions]" + e.toString()));
+ } catch (InvalidBERException e) {
+ throw new EBaseException(CMS.getUserMessage("CMS_BASE_INVALID_ATTRIBUTE", "[PKIArchiveOptions]" + e.toString()));
+ }
+ options.addElement(new PKIArchiveOptionsContainer(archOpts, z));
+ }
+ }
+ if (options.size() == 0) {
+ throw new EBaseException(CMS.getUserMessage("CMS_BASE_INVALID_ATTRIBUTE", "PKIArchiveOptions found"));
+ } else {
+ PKIArchiveOptionsContainer p[] = new PKIArchiveOptionsContainer[options.size()];
+
+ options.copyInto(p);
+ return p;
+ }
+ }
+
+ /**
+ * Retrieves public key from request.
+ *
+ * @param request CRMF request
+ * @return JSS public key
+ * @exception EBaseException failed to retrieve public key
+ */
+ private X509Key getPublicKey(IRequest request, int i) throws EBaseException {
+ String profileId = request.getExtDataInString("profileId");
+
+ if (profileId != null && !profileId.equals("")) {
+ byte[] certKeyData = request.getExtDataInByteArray(IEnrollProfile.REQUEST_KEY);
+ if (certKeyData != null) {
+ try {
+ CertificateX509Key x509key = new CertificateX509Key(
+ new ByteArrayInputStream(certKeyData));
+
+ return (X509Key) x509key.get(CertificateX509Key.KEY);
+ } catch (Exception e1) {
+ CMS.debug("EnrollService: (Archival) getPublicKey " +
+ e1.toString());
+ }
+ }
+ return null;
+ }
+
+ // retrieve x509 Key from request
+ X509CertInfo certInfo[] =
+ request.getExtDataInCertInfoArray(IRequest.CERT_INFO);
+ CertificateX509Key pX509Key = null;
+
+ try {
+ pX509Key = (CertificateX509Key)
+ certInfo[i].get(X509CertInfo.KEY);
+ } catch (IOException e) {
+ mKRA.log(ILogger.LL_FAILURE,
+ CMS.getLogMessage("CMSCORE_KRA_GET_PUBLIC_KEY", e.toString()));
+ throw new EBaseException(CMS.getUserMessage("CMS_BASE_INVALID_ATTRIBUTE", "[" + X509CertInfo.KEY + "]" + e.toString()));
+ } catch (CertificateException e) {
+ mKRA.log(ILogger.LL_FAILURE,
+ CMS.getLogMessage("CMSCORE_KRA_GET_PUBLIC_KEY", e.toString()));
+ throw new EBaseException(CMS.getUserMessage("CMS_BASE_INVALID_ATTRIBUTE", "[" + X509CertInfo.KEY + "]" + e.toString()));
+ }
+ X509Key pKey = null;
+
+ try {
+ pKey = (X509Key) pX509Key.get(
+ CertificateX509Key.KEY);
+ } catch (IOException e) {
+ mKRA.log(ILogger.LL_FAILURE,
+ CMS.getLogMessage("CMSCORE_KRA_GET_PUBLIC_KEY", e.toString()));
+ throw new EBaseException(CMS.getUserMessage("CMS_BASE_INVALID_ATTRIBUTE", "[" + CertificateX509Key.KEY + "]" + e.toString()));
+ }
+ return pKey;
+ }
+
+ /**
+ * Retrieves key's owner name from request.
+ *
+ * @param request CRMF request
+ * @return owner name (subject name)
+ * @exception EBaseException failed to retrieve public key
+ */
+ private String getOwnerName(IRequest request, int i)
+ throws EBaseException {
+
+ String profileId = request.getExtDataInString("profileId");
+
+ if (profileId != null && !profileId.equals("")) {
+ CertificateSubjectName sub = request.getExtDataInCertSubjectName(
+ IEnrollProfile.REQUEST_SUBJECT_NAME);
+ if (sub != null) {
+ return sub.toString();
+ }
+ }
+
+ X509CertInfo certInfo[] =
+ request.getExtDataInCertInfoArray(IRequest.CERT_INFO);
+ CertificateSubjectName pSub = null;
+
+ try {
+ pSub = (CertificateSubjectName)
+ certInfo[0].get(X509CertInfo.SUBJECT);
+ } catch (IOException e) {
+ mKRA.log(ILogger.LL_FAILURE,
+ CMS.getLogMessage("CMSCORE_KRA_GET_OWNER_NAME", e.toString()));
+ throw new EBaseException(CMS.getUserMessage("CMS_BASE_INVALID_ATTRIBUTE", "[" + X509CertInfo.SUBJECT + "]" + e.toString()));
+ } catch (CertificateException e) {
+ mKRA.log(ILogger.LL_FAILURE,
+ CMS.getLogMessage("CMSCORE_KRA_GET_OWNER_NAME", e.toString()));
+ throw new EBaseException(CMS.getUserMessage("CMS_BASE_INVALID_ATTRIBUTE", "[" + X509CertInfo.SUBJECT + "]" + e.toString()));
+ }
+ String owner = pSub.toString();
+
+ return owner;
+ }
+
+ /**
+ * Signed Audit Log Public Key
+ *
+ * This method is called to obtain the public key from the passed in
+ * "KeyRecord" for a signed audit log message.
+ * <P>
+ *
+ * @param rec a Key Record
+ * @return key string containing the certificate's public key
+ */
+ private String auditPublicKey(KeyRecord rec) {
+ // if no signed audit object exists, bail
+ if (mSignedAuditLogger == null) {
+ return null;
+ }
+
+ if (rec == null) {
+ return ILogger.SIGNED_AUDIT_EMPTY_VALUE;
+ }
+
+ byte rawData[] = null;
+
+ try {
+ rawData = rec.getPublicKeyData();
+ } catch (EBaseException e) {
+ return ILogger.SIGNED_AUDIT_EMPTY_VALUE;
+ }
+
+ String key = "";
+
+ // convert "rawData" into "base64Data"
+ if (rawData != null) {
+ String base64Data = null;
+
+ base64Data = CMS.BtoA(rawData).trim();
+
+ // extract all line separators from the "base64Data"
+ StringTokenizer st = new StringTokenizer(base64Data, "\r\n");
+ while (st.hasMoreTokens()) {
+ key += st.nextToken();
+ }
+ }
+
+ if (key != null) {
+ key = key.trim();
+
+ if (key.equals("")) {
+ return ILogger.SIGNED_AUDIT_EMPTY_VALUE;
+ } else {
+ return key;
+ }
+ } else {
+ return ILogger.SIGNED_AUDIT_EMPTY_VALUE;
+ }
+ }
+ /**
+ * Signed Audit Log Subject ID
+ *
+ * This method is called to obtain the "SubjectID" for
+ * a signed audit log message.
+ * <P>
+ *
+ * @return id string containing the signed audit log message SubjectID
+ */
+
+ private String auditSubjectID() {
+ // if no signed audit object exists, bail
+ if (mSignedAuditLogger == null) {
+ return null;
+ }
+
+ String subjectID = null;
+
+ // Initialize subjectID
+ SessionContext auditContext = SessionContext.getExistingContext();
+
+ if (auditContext != null) {
+ subjectID = (String)
+ auditContext.get(SessionContext.USER_ID);
+
+ if (subjectID != null) {
+ subjectID = subjectID.trim();
+ } else {
+ subjectID = ILogger.NONROLEUSER;
+ }
+ } else {
+ subjectID = ILogger.UNIDENTIFIED;
+ }
+
+ return subjectID;
+ }
+ /**
+ * Signed Audit Log Requester ID
+ *
+ * This method is called to obtain the "RequesterID" for
+ * a signed audit log message.
+ * <P>
+ *
+ * @return id string containing the signed audit log message RequesterID
+ */
+ private String auditRequesterID() {
+ // if no signed audit object exists, bail
+ if (mSignedAuditLogger == null) {
+ return null;
+ }
+
+ String requesterID = null;
+
+ // Initialize requesterID
+ SessionContext auditContext = SessionContext.getExistingContext();
+
+ if (auditContext != null) {
+ requesterID = (String)
+ auditContext.get(SessionContext.REQUESTER_ID);
+
+ if (requesterID != null) {
+ requesterID = requesterID.trim();
+ } else {
+ requesterID = ILogger.UNIDENTIFIED;
+ }
+ } else {
+ requesterID = ILogger.UNIDENTIFIED;
+ }
+
+ return requesterID;
+ }
+
+ /**
+ * Signed Audit Log Recovery ID
+ *
+ * This method is called to obtain the "RecoveryID" for
+ * a signed audit log message.
+ * <P>
+ *
+ * @return id string containing the signed audit log message RecoveryID
+ */
+ private String auditRecoveryID() {
+ // if no signed audit object exists, bail
+ if (mSignedAuditLogger == null) {
+ return null;
+ }
+
+ String recoveryID = null;
+
+ // Initialize recoveryID
+ SessionContext auditContext = SessionContext.getExistingContext();
+
+ if (auditContext != null) {
+ recoveryID = (String)
+ auditContext.get(SessionContext.RECOVERY_ID);
+
+ if (recoveryID != null) {
+ recoveryID = recoveryID.trim();
+ } else {
+ recoveryID = ILogger.UNIDENTIFIED;
+ }
+ } else {
+ recoveryID = ILogger.UNIDENTIFIED;
+ }
+
+ return recoveryID;
+ }
+
+
+ /**
+ * Signed Audit Log
+ *
+ * This method is called to store messages to the signed audit log.
+ * <P>
+ *
+ * @param msg signed audit log message
+ */
+ private void audit(String msg) {
+ // in this case, do NOT strip preceding/trailing whitespace
+ // from passed-in String parameters
+
+ if (mSignedAuditLogger == null) {
+ return;
+ }
+
+ mSignedAuditLogger.log(ILogger.EV_SIGNED_AUDIT,
+ null,
+ ILogger.S_SIGNED_AUDIT,
+ ILogger.LL_SECURITY,
+ msg);
+ }
+}
+
+
+/**
+ * Parsed and Flattened structure of PKIArchiveOptions.
+ */
+class ArchiveOptions {
+ private String mSymmAlgOID = null;
+ private byte mSymmAlgParams[] = null;
+ private byte mEncSymmKey[] = null;
+ private byte mEncValue[] = null;
+ public ArchiveOptions(PKIArchiveOptions opts) throws EBaseException {
+ try {
+ EncryptedKey key = opts.getEncryptedKey();
+ EncryptedValue val = key.getEncryptedValue();
+ AlgorithmIdentifier symmAlg = val.getSymmAlg();
+
+ mSymmAlgOID = symmAlg.getOID().toString();
+ mSymmAlgParams = ((OCTET_STRING) ((ANY) symmAlg.getParameters()).decodeWith(OCTET_STRING.getTemplate())).toByteArray();
+ BIT_STRING encSymmKey = val.getEncSymmKey();
+
+ mEncSymmKey = encSymmKey.getBits();
+ BIT_STRING encVal = val.getEncValue();
+
+ mEncValue = encVal.getBits();
+ } catch (InvalidBERException e) {
+ throw new EBaseException(CMS.getUserMessage("CMS_BASE_INVALID_ATTRIBUTE", "[PKIArchiveOptions]" + e.toString()));
+ }
+
+ }
+
+ public String getSymmAlgOID() {
+ return mSymmAlgOID;
+ }
+
+ public byte[] getSymmAlgParams() {
+ return mSymmAlgParams;
+ }
+
+ public byte[] getEncSymmKey() {
+ return mEncSymmKey;
+ }
+
+ public byte[] getEncValue() {
+ return mEncValue;
+ }
+}
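Review bot: In serviceRequest, `getPublicKey` can return null on the profile-based path (the `return null;` after the REQUEST_KEY lookup fails or is absent), but the caller immediately dereferences it with `publicKey.getEncoded()`, so a request with a missing or undecodable key produces a NullPointerException instead of the audited EKRAException that the `publicKeyData == null` branch was written for; `byte publicKeyData[] = (publicKey == null) ? null : publicKey.getEncoded();` restores that path. The same pattern applies to `toPKIArchiveOptions`, which swallows every decode failure and returns null, after which `new ArchiveOptions(aOpts[i].mAO)` dereferences it inside a try that only catches InvalidBERException. Note also that `verifyKeyPair` compares only the modulus and public exponent that the submitted private-key blob asserts about itself, so it detects a mismatched pair but does not prove the private exponent is usable; a signing round-trip against the public key would be the stronger pre-archival check, and the commented-out transport-unit `verify` call above it suggests that was the original intent. Finally, the `rec == null` test after `new KeyRecord(...)` can never be true and can be dropped, while the plaintext `unwrapped` buffer is never cleared after `encryptInternalPrivate` consumes it.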
diff --git a/pki/base/kra/src/com/netscape/kra/KRANotify.java b/pki/base/kra/src/com/netscape/kra/KRANotify.java
new file mode 100644
index 000000000..5f272be6b
--- /dev/null
+++ b/pki/base/kra/src/com/netscape/kra/KRANotify.java
@@ -0,0 +1,53 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2007 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.kra;
+
+
+import com.netscape.certsrv.base.*;
+import com.netscape.certsrv.request.*;
+import com.netscape.certsrv.kra.*;
+
+
+/**
+ * A class represents a KRA request queue notify. This
+ * object will be invoked by the request subsystem
+ * when a request is requested for processing.
+ *
+ * @author thomask
+ * @version $Revision: 14563 $, $Date: 2007-05-01 10:35:23 -0700 (Tue, 01 May 2007) $
+ */
+public class KRANotify extends ARequestNotifier {
+ private IKeyRecoveryAuthority mKRA = null;
+
+ /**
+ * default constructor
+ */
+ public KRANotify() {
+ super();
+ }
+
+ /**
+ * Creates KRA notify.
+ */
+ public KRANotify(IKeyRecoveryAuthority kra) {
+ super();
+ mKRA = kra;
+ }
+
+ // XXX may want to do something else with mKRA ?
+}
diff --git a/pki/base/kra/src/com/netscape/kra/KRAPolicy.java b/pki/base/kra/src/com/netscape/kra/KRAPolicy.java
new file mode 100644
index 000000000..1dc7cd13f
--- /dev/null
+++ b/pki/base/kra/src/com/netscape/kra/KRAPolicy.java
@@ -0,0 +1,76 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2007 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.kra;
+
+
+import com.netscape.certsrv.policy.*;
+import com.netscape.certsrv.request.*;
+import com.netscape.certsrv.base.*;
+import com.netscape.certsrv.logging.*;
+import com.netscape.cmscore.util.*;
+import com.netscape.certsrv.kra.*;
+import com.netscape.cmscore.policy.*;
+
+
+/**
+ * KRA Policy.
+ *
+ * @version $Revision: 14563 $, $Date: 2007-05-01 10:35:23 -0700 (Tue, 01 May 2007) $
+ */
+public class KRAPolicy implements IPolicy {
+ IConfigStore mConfig = null;
+ IKeyRecoveryAuthority mKRA = null;
+
+ public GenericPolicyProcessor mPolicies = new GenericPolicyProcessor(false);
+
+ public KRAPolicy() {
+ }
+
+ public void init(ISubsystem owner, IConfigStore config)
+ throws EBaseException {
+ mKRA = (IKeyRecoveryAuthority) owner;
+ mConfig = config;
+ mPolicies.init(mKRA, mConfig);
+ }
+
+ public IPolicyProcessor getPolicyProcessor() {
+ return mPolicies;
+ }
+
+ /**
+ */
+ public PolicyResult apply(IRequest r) {
+ if (Debug.ON)
+ Debug.trace("KRA applies policies");
+ mKRA.log(ILogger.LL_INFO, "KRA applies policies");
+ PolicyResult result = mPolicies.apply(r);
+
+ if (result.equals(PolicyResult.DEFERRED)) {
+ // For KRA request, there is deferred
+ if (Debug.ON)
+ Debug.trace("KRA policies return DEFERRED");
+ return PolicyResult.REJECTED;
+ } else {
+ if (Debug.ON)
+ Debug.trace("KRA policies return ACCEPTED");
+ return mPolicies.apply(r);
+ }
+ }
+
+}
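Review bot: `apply` runs the policy chain twice: `mPolicies.apply(r)` is called once to compute `result` and then called again in the non-DEFERRED branch, so every policy's side effects and logging happen twice and the value actually returned may differ from the one that was inspected; the else branch should be `return result;`. The comment `// For KRA request, there is deferred` reads as the opposite of the code beneath it, which maps DEFERRED to REJECTED, so something like `// KRA has no deferred state; a DEFERRED policy decision is treated as a rejection` would describe the behavior. Since the method catches no exceptions, a null `result` from the processor would also throw at `result.equals(...)`, which may or may not be reachable depending on GenericPolicyProcessor.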
+
diff --git a/pki/base/kra/src/com/netscape/kra/KRAService.java b/pki/base/kra/src/com/netscape/kra/KRAService.java
new file mode 100644
index 000000000..f45792bfd
--- /dev/null
+++ b/pki/base/kra/src/com/netscape/kra/KRAService.java
@@ -0,0 +1,98 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2007 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.kra;
+
+
+import java.util.*;
+import com.netscape.certsrv.base.*;
+import com.netscape.certsrv.request.*;
+import com.netscape.certsrv.kra.*;
+import com.netscape.certsrv.policy.*;
+import com.netscape.cmscore.util.*;
+import com.netscape.certsrv.logging.*;
+import com.netscape.certsrv.apps.CMS;
+
+
+/**
+ * A class represents a KRA request queue service. This
+ * is the service object that is registered with
+ * the request queue. And it acts as a broker to
+ * distribute request into different KRA specific
+ * services. This service registration allows us to support
+ * new request easier.
+ * <P>
+ *
+ * @author thomask
+ * @version $Revision: 14563 $, $Date: 2007-05-01 10:35:23 -0700 (Tue, 01 May 2007) $
+ */
+public class KRAService implements IService {
+
+ public final static String ENROLLMENT =
+ IRequest.ENROLLMENT_REQUEST;
+ public final static String RECOVERY = IRequest.KEYRECOVERY_REQUEST;
+ public final static String NETKEY_KEYGEN = IRequest.NETKEY_KEYGEN_REQUEST;
+ public final static String NETKEY_KEYRECOVERY = IRequest.NETKEY_KEYRECOVERY_REQUEST;
+
+ // private variables
+ private IKeyRecoveryAuthority mKRA = null;
+ private Hashtable mServices = new Hashtable();
+
+ /**
+ * Constructs KRA service.
+ */
+ public KRAService(IKeyRecoveryAuthority kra) {
+ mKRA = kra;
+ mServices.put(ENROLLMENT, new EnrollmentService(kra));
+ mServices.put(RECOVERY, new RecoveryService(kra));
+ mServices.put(NETKEY_KEYGEN, new NetkeyKeygenService(kra));
+ mServices.put(NETKEY_KEYRECOVERY, new TokenKeyRecoveryService(kra));
+ }
+
+ /**
+ * Processes a KRA request. This method is invoked by
+ * request subsystem.
+ *
+ * @param r request from request subsystem
+ * @exception EBaseException failed to serve
+ */
+ public boolean serviceRequest(IRequest r) throws EBaseException {
+ if (Debug.ON)
+ Debug.trace("KRA services request " +
+ r.getRequestId().toString());
+ mKRA.log(ILogger.LL_INFO, "KRA services request " +
+ r.getRequestId().toString());
+ IService s = (IService) mServices.get(
+ r.getRequestType());
+
+ if (s == null) {
+ r.setExtData(IRequest.RESULT, IRequest.RES_ERROR);
+ r.setExtData(IRequest.ERROR, new EBaseException(
+ CMS.getUserMessage("CMS_BASE_INVALID_OPERATION")));
+ return true;
+ }
+ try {
+ return s.serviceRequest(r);
+ } catch (EBaseException e) {
+ r.setExtData(IRequest.RESULT, IRequest.RES_ERROR);
+ r.setExtData(IRequest.ERROR, e);
+ // return true;
+ // #546508
+ return false;
+ }
+ }
+}
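Review bot: The two error paths in serviceRequest disagree on the return value: the unknown-request-type branch still returns `true` after setting `IRequest.RESULT` to `RES_ERROR`, while the `EBaseException` branch directly below it was switched to `return false;` (per the `#546508` comment). The IService contract is not visible here, so I cannot tell which is intended, but a caller that keys on the boolean will treat a bad request type and a failed service differently even though both record the same error state. If the #546508 fix applies to any failure, the `s == null` branch should also `return false; // #546508: unrecognized request type is an error, same as the exception path`; otherwise a one-line comment there should say why an unrecognized type counts as serviced. Separately, `mServices` is a raw `Hashtable` populated only in the constructor; `Map<String, IService>` (e.g. `new HashMap<>()`) would remove the `(IService)` cast and document the key type.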
diff --git a/pki/base/kra/src/com/netscape/kra/KeyRecoveryAuthority.java b/pki/base/kra/src/com/netscape/kra/KeyRecoveryAuthority.java
new file mode 100644
index 000000000..9ca87dd0c
--- /dev/null
+++ b/pki/base/kra/src/com/netscape/kra/KeyRecoveryAuthority.java
@@ -0,0 +1,1478 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2007 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.kra;
+
+
+import java.lang.*;
+import java.util.*;
+import java.security.cert.X509Certificate;
+import java.security.cert.*;
+import java.math.*;
+import java.io.ByteArrayOutputStream;
+import java.io.IOException;
+
+import netscape.security.x509.*;
+import netscape.security.util.DerOutputStream;
+import com.netscape.certsrv.logging.*;
+import com.netscape.certsrv.authority.*;
+import com.netscape.certsrv.listeners.*;
+import com.netscape.certsrv.base.*;
+import com.netscape.certsrv.dbs.*;
+import com.netscape.certsrv.usrgrp.*;
+import com.netscape.certsrv.dbs.keydb.*;
+import com.netscape.cmscore.dbs.*;
+import com.netscape.certsrv.policy.*;
+import com.netscape.certsrv.kra.*;
+import com.netscape.certsrv.request.*;
+import com.netscape.certsrv.security.*;
+import com.netscape.cmscore.request.*;
+import com.netscape.certsrv.apps.*;
+
+import org.mozilla.jss.*;
+import org.mozilla.jss.crypto.*;
+
+
+/**
+ * A class represents an key recovery authority (KRA). A KRA
+ * is responsible to maintain key pairs that have been
+ * escrowed. It provides archive and recovery key pairs
+ * functionalities.
+ * <P>
+ *
+ * @author thomask
+ * @version $Revision: 14563 $, $Date: 2007-05-01 10:35:23 -0700 (Tue, 01 May 2007) $
+ */
+public class KeyRecoveryAuthority implements IAuthority, IKeyService, IKeyRecoveryAuthority {
+
+ public final static String OFFICIAL_NAME = "Data Recovery Manager";
+
+ /**
+ * Internal Constants
+ */
+
+ private static final String PR_INTERNAL_TOKEN_NAME = "internal";
+ private static final String PARAM_CREDS = "creds";
+ private static final String PARAM_LOCK = "lock";
+ private static final String PARAM_PK12 = "pk12";
+ private static final String PARAM_ERROR = "error";
+ private static final String PARAM_AGENT = "agent";
+
+ private final static String KEY_RESP_NAME = "keyRepository";
+
+ private Hashtable mRequestProcessor = new Hashtable();
+
+ protected boolean mInitialized = false;
+ protected IConfigStore mConfig = null;
+ protected ILogger mLogger = CMS.getLogger();
+ protected KRAPolicy mPolicy = null;
+ protected X500Name mName = null;
+ protected boolean mQueueRequests = false;
+ protected String mId = null;
+ protected IRequestQueue mRequestQueue = null;
+ protected TransportKeyUnit mTransportKeyUnit = null;
+ protected StorageKeyUnit mStorageKeyUnit = null;
+ protected Hashtable mAutoRecovery = new Hashtable();
+ protected boolean mAutoRecoveryOn = false;
+ protected KeyRepository mKeyDB = null;
+ protected IRequestNotifier mNotify = null;
+ protected IRequestNotifier mPNotify = null;
+ protected ISubsystem mOwner = null;
+ protected int mRecoveryIDCounter = 0;
+ protected Hashtable mRecoveryParams = new Hashtable();
+ protected org.mozilla.jss.crypto.X509Certificate mJssCert = null;
+ protected CryptoToken mKeygenToken = null;
+
+ // holds the number of bits of entropy to collect for each keygen
+ private int mEntropyBitsPerKeyPair=0;
+
+ // the number of milliseconds which it is acceptable to block while
+ // getting entropy - anything longer will cause a warning.
+ // 0 means this warning is disabled
+ private int mEntropyBlockWarnMilliseconds = 0;
+
+
+
+ // for the notification listener
+ public IRequestListener mReqInQListener = null;
+
+ private ILogger mSignedAuditLogger = CMS.getSignedAuditLogger();
+ private final static byte EOL[] = { Character.LINE_SEPARATOR };
+ private final static String SIGNED_AUDIT_AGENT_DELIMITER = ", ";
+ private final static String
+ LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST =
+ "LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST_4";
+ private final static String
+ LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_PROCESSED =
+ "LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_PROCESSED_3";
+ private final static String LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST =
+ "LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_4";
+ private final static String LOGGING_SIGNED_AUDIT_KEY_RECOVERY_PROCESSED =
+ "LOGGING_SIGNED_AUDIT_KEY_RECOVERY_PROCESSED_4";
+
+ /**
+ * Constructs an escrow authority.
+ * <P>
+ */
+ public KeyRecoveryAuthority() {
+ super();
+ }
+
+ /**
+ * Retrieves subsystem identifier.
+ *
+ * @return subsystem id
+ */
+ public String getId() {
+ return mId;
+ }
+
+ /**
+ * Sets subsystem identifier.
+ *
+ * @param id subsystem id
+ * @exception EBaseException failed to set id
+ */
+ public void setId(String id) throws EBaseException {
+ mId = id;
+ }
+
+ public IPolicyProcessor getPolicyProcessor() {
+ return mPolicy.getPolicyProcessor();
+ }
+
+ // initialize entropy collection parameters
+ private void initEntropy(IConfigStore config)
+ {
+ mEntropyBitsPerKeyPair = 0;
+ mEntropyBlockWarnMilliseconds = 50;
+ // initialize entropy collection
+ IConfigStore ecs = config.getSubStore("entropy");
+ if (ecs != null) {
+ try {
+ mEntropyBitsPerKeyPair = ecs.getInteger("bitsperkeypair",0);
+ mEntropyBlockWarnMilliseconds = ecs.getInteger("blockwarnms",50);
+ } catch (EBaseException eb) {
+ // ok - we deal with missing parameters above
+ }
+ }
+ CMS.debug("KeyRecoveryAuthority Entropy bits = "+mEntropyBitsPerKeyPair);
+ if (mEntropyBitsPerKeyPair == 0) {
+ //log(ILogger.LL_INFO,
+ //CMS.getLogMessage("CMSCORE_KRA_ENTROPY_COLLECTION_DISABLED"));
+ } else {
+ //log(ILogger.LL_INFO,
+ //CMS.getLogMessage("CMSCORE_KRA_ENTROPY_COLLECTION_ENABLED"));
+ CMS.debug("KeyRecoveryAuthority about to add Entropy");
+ addEntropy(false);
+ CMS.debug("KeyRecoveryAuthority back from add Entropy");
+ }
+
+ }
+
+
+ public void addEntropy(boolean logflag) {
+ CMS.debug("KeyRecoveryAuthority addEntropy()");
+ if (mEntropyBitsPerKeyPair == 0) {
+ CMS.debug("KeyRecoveryAuthority returning - disabled()");
+ return;
+ }
+ long start = System.currentTimeMillis();
+ try {
+ com.netscape.cmscore.security.JssSubsystem.getInstance().
+ addEntropy(mEntropyBitsPerKeyPair);
+ } catch (Exception e) {
+ CMS.debug("KeyRecoveryAuthority returning - error - see log file");
+ CMS.debug("exception: "+e.getMessage());
+ CMS.debug(e);
+ if (logflag) {
+ log(ILogger.LL_INFO,
+ CMS.getLogMessage("CMSCORE_KRA_ENTROPY_ERROR",
+ e.getMessage()));
+ }
+ }
+ long end = System.currentTimeMillis();
+ long duration = end-start;
+
+ if (mEntropyBlockWarnMilliseconds > 0 &&
+ duration > mEntropyBlockWarnMilliseconds) {
+
+ CMS.debug("KeyRecoveryAuthority returning - warning - entropy took too long (ms="+
+ duration+")");
+ if (logflag) {
+ log(ILogger.LL_INFO,
+ CMS.getLogMessage("CMSCORE_KRA_ENTROPY_BLOCKED_WARNING",
+ ""+(int)duration));
+ }
+ }
+ CMS.debug("KeyRecoveryAuthority returning ");
+ }
+
+
+
+ /**
+ * Starts this subsystem. It loads and initializes all
+ * necessary components. This subsystem is started by
+ * KRASubsystem.
+ * <P>
+ *
+ * @param owner owner of this subsystem
+ * @param config configuration store for this subsystem
+ * @exception EBaseException failed to start subsystem
+ */
+ public void init(ISubsystem owner, IConfigStore config)
+ throws EBaseException {
+ CMS.debug("KeyRecoveryAuthority init() begins");
+ if (mInitialized)
+ return;
+
+ mConfig = config;
+ mOwner = owner;
+
+ // initialize policy processor
+ mPolicy = new KRAPolicy();
+ mPolicy.init(this, mConfig.getSubStore(PROP_POLICY));
+
+ // create key repository
+ int keydb_inc = mConfig.getInteger(PROP_KEYDB_INC, 5);
+
+ mKeyDB = new KeyRepository(getDBSubsystem(),
+ keydb_inc,
+ "ou=" + KEY_RESP_NAME + ",ou=" +
+ getId() + "," +
+ getDBSubsystem().getBaseDN());
+
+ // read transport key from internal database
+ mTransportKeyUnit = new TransportKeyUnit();
+ try {
+ mTransportKeyUnit.init(this, mConfig.getSubStore(
+ PROP_TRANSPORT_KEY));
+ } catch (EBaseException e) {
+ CMS.debug("KeyRecoveryAuthority: transport unit exception " + e.toString());
+//XXX throw e;
+ return;
+ }
+
+ // retrieve the authority name from transport cert
+ try {
+ mJssCert = mTransportKeyUnit.getCertificate();
+ X509CertImpl certImpl = new
+ X509CertImpl(mJssCert.getEncoded());
+
+ mName = (X500Name) certImpl.getSubjectDN();
+ } catch (CertificateEncodingException e) {
+ CMS.debug("KeyRecoveryAuthority: " + e.toString());
+ throw new EBaseException(CMS.getUserMessage("CMS_BASE_LOAD_FAILED",
+ "transport cert " + e.toString()));
+ } catch (CertificateException e) {
+ CMS.debug("KeyRecoveryAuthority: " + e.toString());
+ throw new EBaseException(CMS.getUserMessage("CMS_BASE_LOAD_FAILED",
+ "transport cert " + e.toString()));
+ }
+
+ // read transport key from storage key
+ mStorageKeyUnit = new StorageKeyUnit();
+ try {
+ mStorageKeyUnit.init(this,
+ mConfig.getSubStore(PROP_STORAGE_KEY));
+ } catch (EBaseException e) {
+ CMS.debug("KeyRecoveryAuthority: storage unit exception " + e.toString());
+ throw e;
+ }
+
+ // setup token for server-side key generation for user enrollments
+ String serverKeygenTokenName = mConfig.getString("serverKeygenTokenName", null);
+ if (serverKeygenTokenName == null) {
+ CMS.debug("serverKeygenTokenName set to nothing");
+ if (mStorageKeyUnit.getToken() != null) {
+ try {
+ String storageToken = mStorageKeyUnit.getToken().getName();
+ if (!storageToken.equals("internal")) {
+ CMS.debug("Auto set serverKeygenTokenName to " + storageToken);
+ serverKeygenTokenName = storageToken;
+ }
+ } catch (Exception e) {
+ }
+ }
+ }
+ if (serverKeygenTokenName == null) {
+ serverKeygenTokenName = "internal";
+ }
+ if (serverKeygenTokenName.equalsIgnoreCase(PR_INTERNAL_TOKEN_NAME))
+ serverKeygenTokenName = PR_INTERNAL_TOKEN_NAME;
+
+ try {
+ if (serverKeygenTokenName.equalsIgnoreCase(PR_INTERNAL_TOKEN_NAME)) {
+ CMS.debug("KeyRecoveryAuthority: getting internal crypto token for serverkeygen");
+ mKeygenToken = CryptoManager.getInstance().getInternalKeyStorageToken();
+ } else {
+ CMS.debug("KeyRecoveryAuthority: getting HSM token for serverkeygen");
+ mKeygenToken = CryptoManager.getInstance().getTokenByName(serverKeygenTokenName);
+ }
+ CMS.debug("KeyRecoveryAuthority: set up keygenToken");
+ } catch (NoSuchTokenException e) {
+ throw new EBaseException(CMS.getUserMessage("CMS_BASE_TOKEN_NOT_FOUND", serverKeygenTokenName));
+ } catch (Exception e) {
+ throw new EBaseException(CMS.getUserMessage("CMS_BASE_CRYPTOMANAGER_UNINITIALIZED"));
+ }
+
+ CMS.debug("KeyRecoveryAuthority: about to init entropy");
+ initEntropy(mConfig);
+ CMS.debug("KeyRecoveryAuthority: completed init of entropy");
+
+ getLogger().log(ILogger.EV_SYSTEM, ILogger.S_KRA,
+ ILogger.LL_INFO, mName.toString() + " is started");
+
+ // setup the KRA request queue
+ IService service = new KRAService(this);
+
+ mNotify = new KRANotify(this);
+ mPNotify = new ARequestNotifier();
+ IRequestSubsystem reqSub = RequestSubsystem.getInstance();
+ int reqdb_inc = mConfig.getInteger("reqdbInc", 5);
+
+ mRequestQueue = reqSub.getRequestQueue(getId(), reqdb_inc,
+ mPolicy, service, mNotify, mPNotify);
+
+ // init request scheduler if configured
+ String schedulerClass =
+ mConfig.getString("requestSchedulerClass", null);
+
+ if (schedulerClass != null) {
+ try {
+ IRequestScheduler scheduler = (IRequestScheduler)
+ Class.forName(schedulerClass).newInstance();
+
+ mRequestQueue.setRequestScheduler(scheduler);
+ } catch (Exception e) {
+ // do nothing here
+ }
+ }
+ initNotificationListeners();
+ }
+
+ public CryptoToken getKeygenToken() {
+ return mKeygenToken;
+ }
+
+ public IRequestListener getRequestInQListener() {
+ return mReqInQListener;
+ }
+
+ public org.mozilla.jss.crypto.X509Certificate getTransportCert() {
+ return mJssCert;
+ }
+
+ /**
+ * Clears up system during garbage collection.
+ */
+ public void finalize() {
+ shutdown();
+ }
+
+ /**
+ * Starts this service. When this method is called, all
+ * service
+ *
+ * @exception EBaseException failed to startup this subsystem
+ */
+ public void startup() throws EBaseException {
+ CMS.debug("KeyRecoveryAuthority startup() begins");
+
+ if (mRequestQueue != null) {
+ // setup administration operations if everything else is fine
+ mRequestQueue.recover();
+ CMS.debug("KeyRecoveryAuthority startup() call request Q recover");
+
+ // Note that we use our instance id for registration.
+ // This helps us to support multiple instances
+ // of a subsystem within server.
+
+ // register remote admin interface
+ mInitialized = true;
+ } else {
+ CMS.debug("KeyRecoveryAuthority: mRequestQueue is null, could be in preop mode");
+ }
+ }
+
+ /**
+ * Shutdowns this subsystem.
+ */
+ public void shutdown() {
+ if (!mInitialized)
+ return;
+
+ mTransportKeyUnit.shutdown();
+ mStorageKeyUnit.shutdown();
+ getLogger().log(ILogger.EV_SYSTEM, ILogger.S_KRA,
+ ILogger.LL_INFO, mName.toString() + " is stopped");
+ mInitialized = false;
+ }
+
+ /**
+ * Retrieves the configuration store of this subsystem.
+ * <P>
+ *
+ * @return configuration store
+ */
+ public IConfigStore getConfigStore() {
+ return mConfig;
+ }
+
+ /**
+ * Changes the auto recovery state.
+ *
+ * @param cs list of recovery agent credentials
+ * @param on turn of auto recovery or not
+ * @return operation success or not
+ */
+ public boolean setAutoRecoveryState(Credential cs[], boolean on) {
+ if (on == true) {
+ // check credential before enabling it
+ try {
+ getStorageKeyUnit().login(cs);
+ } catch (Exception e) {
+ return false;
+ }
+ }
+ // maintain in-memory variable; don't store it in config
+ mAutoRecoveryOn = on;
+ return true;
+ }
+
+ /**
+ * Retrieves the current auto recovery state.
+ *
+ * @return enable or not
+ */
+ public boolean getAutoRecoveryState() {
+ // maintain in-memory variable; don't store it in config
+ return mAutoRecoveryOn;
+ }
+
+ /**
+ * Returns a list of users who are in auto
+ * recovery mode.
+ *
+ * @return list of user IDs that are accepted in the
+ * auto recovery mode
+ */
+ public Enumeration getAutoRecoveryIDs() {
+ return mAutoRecovery.keys();
+ }
+
+ /**
+ * Adds auto recovery mode to the given user id.
+ *
+ * @param id new identifier to the auto recovery mode
+ * @param creds list of credentials
+ */
+ public void addAutoRecovery(String id, Credential creds[]) {
+ mAutoRecovery.put(id, creds);
+ }
+
+ /**
+ * Removes auto recovery mode from the given user id.
+ *
+ * @param id id of user to be removed from auto
+ * recovery mode
+ */
+ public void removeAutoRecovery(String id) {
+ mAutoRecovery.remove(id);
+ }
+
+ /**
+ * Retrieves logger from escrow authority.
+ *
+ * @return logger
+ */
+ public ILogger getLogger() {
+ return CMS.getLogger();
+ }
+
+ /**
+ * Retrieves number of required agents for
+ * recovery operation.
+ *
+ * @return number of required agents
+ * @exception EBaseException failed to retrieve info
+ */
+ public int getNoOfRequiredAgents() throws EBaseException {
+ if (mConfig.getBoolean("keySplitting")) {
+ return mStorageKeyUnit.getNoOfRequiredAgents();
+ } else {
+ int ret = -1;
+ ret = mConfig.getInteger("noOfRequiredRecoveryAgents", 1);
+ if (ret <= 0) {
+ throw new EBaseException("Invalid parameter noOfRequiredecoveryAgents");
+ }
+ return ret;
+ }
+ }
+
+ /**
+ * Distributed recovery.
+ */
+ public String getRecoveryID() {
+ return Integer.toString(mRecoveryIDCounter++);
+ }
+
+ public Hashtable createRecoveryParams(String recoveryID)
+ throws EBaseException {
+ Hashtable h = new Hashtable();
+
+ h.put(PARAM_CREDS, new Vector());
+ h.put(PARAM_LOCK, new Object());
+ mRecoveryParams.put(recoveryID, h);
+ return h;
+ }
+
+ public void destroyRecoveryParams(String recoveryID)
+ throws EBaseException {
+ mRecoveryParams.remove(recoveryID);
+ }
+
+ public Hashtable getRecoveryParams(String recoveryID)
+ throws EBaseException {
+ return (Hashtable) mRecoveryParams.get(recoveryID);
+ }
+
+ public void createPk12(String recoveryID, byte[] pk12)
+ throws EBaseException {
+ Hashtable h = getRecoveryParams(recoveryID);
+
+ h.put(PARAM_PK12, pk12);
+ }
+
+ public byte[] getPk12(String recoveryID)
+ throws EBaseException {
+ return (byte[]) getRecoveryParams(recoveryID).get(PARAM_PK12);
+ }
+
+ public void createError(String recoveryID, String error)
+ throws EBaseException {
+ Hashtable h = getRecoveryParams(recoveryID);
+
+ h.put(PARAM_ERROR, error);
+ }
+
+ public String getError(String recoveryID)
+ throws EBaseException {
+ return (String) getRecoveryParams(recoveryID).get(PARAM_ERROR);
+ }
+
+ /**
+ * Retrieve the current approval agents
+ */
+ public Vector getAppAgents(
+ String recoveryID) throws EBaseException {
+ Hashtable h = getRecoveryParams(recoveryID);
+ Vector dc = (Vector) h.get(PARAM_CREDS);
+
+ return dc;
+ }
+
+ /**
+ * Retrieves a list credentials. This puts KRA in a waiting
+ * mode, it never returns until all the necessary passwords
+ * are collected.
+ */
+ public Credential[] getDistributedCredentials(
+ String recoveryID)
+ throws EBaseException {
+ Hashtable h = getRecoveryParams(recoveryID);
+ Vector dc = (Vector) h.get(PARAM_CREDS);
+ Object lock = (Object) h.get(PARAM_LOCK);
+
+ synchronized (lock) {
+ while (dc.size() < getNoOfRequiredAgents()) {
+ try {
+ lock.wait();
+ } catch (InterruptedException e) {
+ }
+ }
+ Credential creds[] = new Credential[dc.size()];
+
+ dc.copyInto(creds);
+ return creds;
+ }
+ }
+
+ /**
+ * Verifies credential.
+ */
+ private void verifyCredential(Vector creds, String uid,
+ String pwd) throws EBaseException {
+ // see if we have the uid already
+
+ if (!mConfig.getBoolean("keySplitting")) {
+ // check if the uid is in the specified group
+ IUGSubsystem ug = (IUGSubsystem) CMS.getSubsystem(CMS.SUBSYSTEM_UG);
+ if (!ug.isMemberOf(uid, mConfig.getString("recoveryAgentGroup"))) {
+ // invalid group
+ throw new EBaseException(CMS.getUserMessage("CMS_KRA_CREDENTIALS_NOT_EXIST"));
+ }
+ }
+
+ for (int i = 0; i < creds.size(); i++) {
+ Credential c = (Credential) creds.elementAt(i);
+
+ if (c.getIdentifier().equals(uid)) {
+ // duplicated uid
+ throw new EBaseException(CMS.getUserMessage("CMS_KRA_CREDENTIALS_EXIST"));
+ }
+ }
+ if (mConfig.getBoolean("keySplitting")) {
+ mStorageKeyUnit.checkPassword(uid, pwd);
+ }
+ }
+
+ /**
+ * Adds password.
+ */
+ public void addDistributedCredential(String recoveryID,
+ String uid, String pwd) throws EBaseException {
+ Hashtable h = getRecoveryParams(recoveryID);
+ Vector dc = (Vector) h.get(PARAM_CREDS);
+ Object lock = (Object) h.get(PARAM_LOCK);
+
+ synchronized (lock) {
+ verifyCredential(dc, uid, pwd);
+ // verify password
+ dc.addElement(new Credential(uid, pwd));
+ // modify status object
+ lock.notify();
+ }
+ }
+
+ /**
+ * Archives key. This creates a key record in the key
+ * repository.
+ * <P>
+ *
+ * <ul>
+ * <li>signed.audit LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST used
+ * whenever a user private key archive request is made (this is when the
+ * DRM receives the request)
+ * <li>signed.audit LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_PROCESSED used
+ * whenever a user private key archive request is processed (this is when
+ * the DRM processes the request)
+ * </ul>
+ * @param rec key record to be archived
+ * @return executed request
+ * @exception EBaseException failed to archive key
+ * @return the request
+ * <P>
+ */
+ public IRequest archiveKey(KeyRecord rec)
+ throws EBaseException {
+ String auditMessage = null;
+ String auditSubjectID = auditSubjectID();
+ String auditRequesterID = auditRequesterID();
+ String auditPublicKey = auditPublicKey(rec);
+ String auditArchiveID = ILogger.UNIDENTIFIED;
+
+ IRequestQueue queue = null;
+ IRequest r = null;
+ String id = null;
+
+ // ensure that any low-level exceptions are reported
+ // to the signed audit log and stored as failures
+ try {
+ queue = getRequestQueue();
+
+ r = queue.newRequest(KRAService.ENROLLMENT);
+
+ if (r != null) {
+ // overwrite "auditArchiveID" if and only if "id" != null
+ id = r.getRequestId().toString();
+ if (id != null) {
+ auditArchiveID = id.trim();
+ }
+ }
+
+ // store a message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST,
+ auditSubjectID,
+ ILogger.SUCCESS,
+ auditRequesterID,
+ auditArchiveID);
+
+ audit(auditMessage);
+ } catch (EBaseException eAudit1) {
+ // store a message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditRequesterID,
+ auditArchiveID);
+
+ audit(auditMessage);
+
+ throw eAudit1;
+ }
+
+ // ensure that any low-level exceptions are reported
+ // to the signed audit log and stored as failures
+ try {
+ if (r != null) {
+ r.setExtData(EnrollmentService.ATTR_KEY_RECORD, rec.getSerialNumber());
+ queue.processRequest(r);
+ }
+
+ // store a message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_PROCESSED,
+ auditSubjectID,
+ ILogger.SUCCESS,
+ auditPublicKey);
+
+ audit(auditMessage);
+ } catch (EBaseException eAudit1) {
+ // store a message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_PROCESSED,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditPublicKey);
+
+ audit(auditMessage);
+
+ throw eAudit1;
+ }
+
+ return r;
+ }
+
+ /**
+ * Recovers key for administrators. This method is
+ * invoked by the agent operation of the key recovery servlet.
+ * <P>
+ *
+ * <ul>
+ * <li>signed.audit LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST used whenever
+ * a user private key recovery request is made (this is when the DRM
+ * receives the request)
+ * <li>signed.audit LOGGING_SIGNED_AUDIT_KEY_RECOVERY_PROCESSED used whenever
+ * a user private key recovery request is processed (this is when the DRM
+ * processes the request)
+ * </ul>
+ * @param kid key identifier
+ * @param creds list of recovery agent credentials
+ * @param password password of the PKCS12 package
+ * @param cert certficate that will be put in PKCS12
+ * @param delivery file, mail or something else
+ * @param nickname string containing the nickname of the id cert for this
+ * subsystem
+ * @exception EBaseException failed to recover key
+ * @return a byte array containing the key
+ */
+ public byte[] doKeyRecovery(BigInteger kid,
+ Credential creds[], String password,
+ X509CertImpl cert,
+ String delivery, String nickname)
+ throws EBaseException {
+ String auditMessage = null;
+ String auditSubjectID = auditSubjectID();
+ String auditRecoveryID = auditRecoveryID();
+ String auditPublicKey = auditPublicKey(cert);
+ String auditAgents = ILogger.SIGNED_AUDIT_EMPTY_VALUE;
+
+ IRequestQueue queue = null;
+ IRequest r = null;
+ Hashtable params = null;
+
+
+ // ensure that any low-level exceptions are reported
+ // to the signed audit log and stored as failures
+ try {
+ queue = getRequestQueue();
+ r = queue.newRequest(KRAService.RECOVERY);
+
+ // set transient parameters
+ params = createVolatileRequest(r.getRequestId());
+
+ if (mConfig.getBoolean("keySplitting")) {
+ params.put(RecoveryService.ATTR_AGENT_CREDENTIALS, creds);
+ }
+ params.put(RecoveryService.ATTR_TRANSPORT_PWD, password);
+
+ r.setExtData(RecoveryService.ATTR_SERIALNO, kid);
+ r.setExtData(RecoveryService.ATTR_USER_CERT, cert);
+ if (nickname != null) {
+ nickname = nickname.trim();
+ if (!nickname.equals("")) {
+ r.setExtData(RecoveryService.ATTR_NICKNAME, nickname);
+ }
+ }
+
+ // store a message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST,
+ auditSubjectID,
+ ILogger.SUCCESS,
+ auditRecoveryID,
+ auditPublicKey);
+
+ audit(auditMessage);
+ } catch (EBaseException eAudit1) {
+ // store a message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditRecoveryID,
+ auditPublicKey);
+
+ audit(auditMessage);
+
+ throw eAudit1;
+ }
+
+ // ensure that any low-level exceptions are reported
+ // to the signed audit log and stored as failures
+ try {
+ queue.processRequest(r);
+
+ if (r.getExtDataInString(IRequest.ERROR) == null) {
+ byte pkcs12[] = (byte[]) params.get(
+ RecoveryService.ATTR_PKCS12);
+
+ auditAgents = auditAgents(creds);
+
+ // store a message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_KEY_RECOVERY_PROCESSED,
+ auditSubjectID,
+ ILogger.SUCCESS,
+ auditRecoveryID,
+ auditAgents);
+
+ audit(auditMessage);
+
+ destroyVolatileRequest(r.getRequestId());
+
+ return pkcs12;
+ } else {
+ // store a message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_KEY_RECOVERY_PROCESSED,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditRecoveryID,
+ auditAgents);
+
+ audit(auditMessage);
+
+ throw new EBaseException(r.getExtDataInString(IRequest.ERROR));
+ }
+ } catch (EBaseException eAudit1) {
+ // store a message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_KEY_RECOVERY_PROCESSED,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditRecoveryID,
+ auditAgents);
+
+ audit(auditMessage);
+
+ throw eAudit1;
+ }
+ }
+
+ /**
+ * Constructs a recovery request and submits it
+ * to the request subsystem for processing.
+ *
+ * @param kid key identifier
+ * @param creds list of recovery agent credentials
+ * @param password password of the PKCS12 package
+ * @param cert certficate that will be put in PKCS12
+ * @param delivery file, mail or something else
+ * @return executed request
+ * @exception EBaseException failed to recover key
+ */
+ public IRequest recoverKey(BigInteger kid,
+ Credential creds[], String password,
+ X509CertImpl cert,
+ String delivery) throws EBaseException {
+ IRequestQueue queue = getRequestQueue();
+ IRequest r = queue.newRequest("recovery");
+
+ r.setExtData(RecoveryService.ATTR_SERIALNO, kid);
+ r.setExtData(RecoveryService.ATTR_TRANSPORT_PWD, password);
+ r.setExtData(RecoveryService.ATTR_USER_CERT, cert);
+ r.setExtData(RecoveryService.ATTR_DELIVERY, delivery);
+ queue.processRequest(r);
+ return r;
+ }
+
+ /**
+ * Recovers key for end-entities.
+ *
+ * @param creds list of credentials
+ * @param encryptionChain certificate chain
+ * @param signingCert signing cert
+ * @param transportCert certificate to protect in-transit key
+ * @param ownerName owner name
+ * @return executed request
+ * @exception EBaseException failed to recover key
+ */
+ public IRequest recoverKey(Credential creds[], CertificateChain
+ encryptionChain, X509CertImpl signingCert,
+ X509CertImpl transportCert,
+ X500Name ownerName) throws EBaseException {
+ IRequestQueue queue = getRequestQueue();
+ IRequest r = queue.newRequest("recovery");
+
+ ByteArrayOutputStream certChainOut = new ByteArrayOutputStream();
+ try {
+ encryptionChain.encode(certChainOut);
+ r.setExtData(RecoveryService.ATTR_ENCRYPTION_CERTS,
+ certChainOut.toByteArray());
+ } catch (IOException e) {
+ log(ILogger.LL_FAILURE,
+ "Error encoding certificate chain");
+ }
+
+ r.setExtData(RecoveryService.ATTR_SIGNING_CERT, signingCert);
+ r.setExtData(RecoveryService.ATTR_TRANSPORT_CERT, transportCert);
+
+ DerOutputStream ownerNameOut = new DerOutputStream();
+ try {
+ ownerName.encode(ownerNameOut);
+ r.setExtData(RecoveryService.ATTR_OWNER_NAME,
+ ownerNameOut.toByteArray());
+ } catch (IOException e) {
+ log(ILogger.LL_FAILURE,
+ "Error encoding X500Name for owner name");
+ }
+
+ queue.processRequest(r);
+ return r;
+ }
+
+ /**
+ * Retrieves the storage key unit. The storage key
+ * is used to wrap the user key for long term
+ * storage.
+ *
+ * @return storage key unit.
+ */
+ public IStorageKeyUnit getStorageKeyUnit() {
+ return mStorageKeyUnit;
+ }
+
+ /**
+ * Retrieves the transport key unit.
+ *
+ * @return transport key unit
+ */
+ public ITransportKeyUnit getTransportKeyUnit() {
+ return mTransportKeyUnit;
+ }
+
+ /**
+ * Returns the name of this subsystem. This name is
+ * extracted from the transport certificate.
+ *
+ * @return KRA name
+ */
+ public X500Name getX500Name() {
+ return mName;
+ }
+
+ public String getNickName() {
+ return getNickname();
+ }
+
+ /**
+ * Returns the nickname for the id cert of this
+ * subsystem.
+ *
+ * @return nickname of the transport certificate
+ */
+ public String getNickname() {
+ try {
+ return mTransportKeyUnit.getNickName();
+ } catch (EBaseException e) {
+ return null;
+ }
+ }
+
+ public void setNickname(String str) {
+ try {
+ mTransportKeyUnit.setNickName(str);
+ } catch (EBaseException e) {
+ }
+ }
+
+ public String getNewNickName() throws EBaseException {
+ return mConfig.getString(PROP_NEW_NICKNAME, "");
+ }
+
+ public void setNewNickName(String name) {
+ mConfig.putString(PROP_NEW_NICKNAME, name);
+ }
+
+ public IPolicy getPolicy() {
+ return mPolicy;
+ }
+
+ /**
+ * Retrieves KRA request repository.
+ * <P>
+ *
+ * @return request repository
+ */
+ public IRequestQueue getRequestQueue() {
+ return mRequestQueue;
+ }
+
+ /**
+ * Retrieves the key repository. The key repository
+ * stores archived keys.
+ * <P>
+ */
+ public IKeyRepository getKeyRepository() {
+ return mKeyDB;
+ }
+
+ /**
+ * Retrieves the DN of this escrow authority.
+ * <P>
+ *
+ * @return distinguished name
+ */
+ protected String getDN() {
+ return getX500Name().toString();
+ }
+
+ /**
+ * Retrieves database connection.
+ */
+ public IDBSubsystem getDBSubsystem() {
+ return DBSubsystem.getInstance();
+ }
+
+ /**
+ * Logs an event.
+ *
+ * @param level log level
+ * @param msg message to log
+ */
+ public void log(int level, String msg) {
+ mLogger.log(ILogger.EV_SYSTEM, null, ILogger.S_KRA,
+ level, msg);
+ }
+
+ /**
+ * Registers a request listener.
+ *
+ * @param l request listener
+ */
+ public void registerRequestListener(IRequestListener l) {
+ // it's initialized.
+ if (mNotify != null)
+ mNotify.registerListener(l);
+ }
+
+ public void registerPendingListener(IRequestListener l) {
+ mPNotify.registerListener(l);
+ }
+
+ /**
+ * init notification related listeners -
+ * right now only RequestInQueue listener is available for KRA
+ */
+ private void initNotificationListeners() {
+ IConfigStore nc = null;
+
+ try {
+ nc = mConfig.getSubStore(PROP_NOTIFY_SUBSTORE);
+ if (nc != null && nc.size() > 0) {
+ // Initialize Request In Queue notification listener
+ IConfigStore rq = nc.getSubStore(PROP_REQ_IN_Q_SUBSTORE);
+ IAuthority cSub = (IAuthority) this;
+
+ String requestInQListenerClassName = nc.getString("certificateIssuedListenerClassName", "com.netscape.cms.listeners.RequestInQListener");
+
+ try {
+ mReqInQListener = (IRequestListener) Class.forName(requestInQListenerClassName).newInstance();
+ mReqInQListener.init(this, nc);
+ } catch (Exception e1) {
+ log(ILogger.LL_FAILURE,
+ CMS.getLogMessage("CMSCORE_KRA_REGISTER_LISTENER", requestInQListenerClassName));
+ }
+ } else {
+ log(ILogger.LL_INFO,
+ "No KRA notification Module configuration found");
+ }
+ } catch (EPropertyNotFound e) {
+ log(ILogger.LL_FAILURE,
+ CMS.getLogMessage("CMSCORE_KRA_NOTIFY_ERROR", e.toString()));
+ } catch (EListenersException e) {
+ log(ILogger.LL_FAILURE,
+ CMS.getLogMessage("CMSCORE_KRA_NOTIFY_ERROR", e.toString()));
+ } catch (EBaseException e) {
+ log(ILogger.LL_FAILURE,
+ CMS.getLogMessage("CMSCORE_KRA_NOTIFY_ERROR", e.toString()));
+ }
+ }
+
+ /**
+ * temporary accepted ras.
+ */
+ /* code no longer used
+ public X500Name[] getAcceptedRAs() {
+ // temporary. use usr/grp for real thing.
+ X500Name radn = null;
+ String raname = null;
+
+ try {
+ raname = mConfig.getString("acceptedRA", null);
+ if (raname != null) {
+ radn = new X500Name(raname);
+ }
+ } catch (IOException e) {
+ mLogger.log(ILogger.EV_SYSTEM, ILogger.S_KRA,
+ ILogger.LL_FAILURE,
+ CMS.getLogMessage("CMSCORE_KRA_INVALID_RA_NAME", raname, e.toString()));
+ } catch (EBaseException e) {
+ // ignore - set to null.
+ mLogger.log(ILogger.EV_SYSTEM, ILogger.S_KRA,
+ ILogger.LL_FAILURE,
+ CMS.getLogMessage("CMSCORE_KRA_INVALID_RA_SETUP", e.toString()));
+ }
+ return new X500Name[] { radn };
+ }
+ */
+
+ public Hashtable mVolatileRequests = new Hashtable();
+
+ /**
+ * Creates a request object to store attributes that
+ * will not be serialized. Currently, request queue
+ * framework will try to serialize all the attribute into
+ * persistent storage. Things like passwords are not
+ * desirable to be stored.
+ */
+ public Hashtable createVolatileRequest(RequestId id) {
+ Hashtable params = new Hashtable();
+
+ mVolatileRequests.put(id.toString(), params);
+ return params;
+ }
+
+ public Hashtable getVolatileRequest(RequestId id) {
+ return (Hashtable) mVolatileRequests.get(id.toString());
+ }
+
+ public void destroyVolatileRequest(RequestId id) {
+ mVolatileRequests.remove(id.toString());
+ }
+
+ public String getOfficialName() {
+ return OFFICIAL_NAME;
+ }
+
+ /**
+ * Signed Audit Log
+ *
+ * This method is called to store messages to the signed audit log.
+ * <P>
+ *
+ * @param msg signed audit log message
+ */
+ private void audit(String msg) {
+ // in this case, do NOT strip preceding/trailing whitespace
+ // from passed-in String parameters
+
+ if (mSignedAuditLogger == null) {
+ return;
+ }
+
+ mSignedAuditLogger.log(ILogger.EV_SIGNED_AUDIT,
+ null,
+ ILogger.S_SIGNED_AUDIT,
+ ILogger.LL_SECURITY,
+ msg);
+ }
+
+ /**
+ * Signed Audit Log Subject ID
+ *
+ * This method is called to obtain the "SubjectID" for
+ * a signed audit log message.
+ * <P>
+ *
+ * @return id string containing the signed audit log message SubjectID
+ */
+ private String auditSubjectID() {
+ // if no signed audit object exists, bail
+ if (mSignedAuditLogger == null) {
+ return null;
+ }
+
+ String subjectID = null;
+
+ // Initialize subjectID
+ SessionContext auditContext = SessionContext.getExistingContext();
+
+ if (auditContext != null) {
+ subjectID = (String)
+ auditContext.get(SessionContext.USER_ID);
+
+ if (subjectID != null) {
+ subjectID = subjectID.trim();
+ } else {
+ subjectID = ILogger.NONROLEUSER;
+ }
+ } else {
+ subjectID = ILogger.UNIDENTIFIED;
+ }
+
+ return subjectID;
+ }
+
+ /**
+ * Signed Audit Log Requester ID
+ *
+ * This method is called to obtain the "RequesterID" for
+ * a signed audit log message.
+ * <P>
+ *
+ * @return id string containing the signed audit log message RequesterID
+ */
+ private String auditRequesterID() {
+ // if no signed audit object exists, bail
+ if (mSignedAuditLogger == null) {
+ return null;
+ }
+
+ String requesterID = null;
+
+ // Initialize requesterID
+ SessionContext auditContext = SessionContext.getExistingContext();
+
+ if (auditContext != null) {
+ requesterID = (String)
+ auditContext.get(SessionContext.REQUESTER_ID);
+
+ if (requesterID != null) {
+ requesterID = requesterID.trim();
+ } else {
+ requesterID = ILogger.UNIDENTIFIED;
+ }
+ } else {
+ requesterID = ILogger.UNIDENTIFIED;
+ }
+
+ return requesterID;
+ }
+
+ /**
+ * Signed Audit Log Recovery ID
+ *
+ * This method is called to obtain the "RecoveryID" for
+ * a signed audit log message.
+ * <P>
+ *
+ * @return id string containing the signed audit log message RecoveryID
+ */
+ private String auditRecoveryID() {
+ // if no signed audit object exists, bail
+ if (mSignedAuditLogger == null) {
+ return null;
+ }
+
+ String recoveryID = null;
+
+ // Initialize recoveryID
+ SessionContext auditContext = SessionContext.getExistingContext();
+
+ if (auditContext != null) {
+ recoveryID = (String)
+ auditContext.get(SessionContext.RECOVERY_ID);
+
+ if (recoveryID != null) {
+ recoveryID = recoveryID.trim();
+ } else {
+ recoveryID = ILogger.UNIDENTIFIED;
+ }
+ } else {
+ recoveryID = ILogger.UNIDENTIFIED;
+ }
+
+ return recoveryID;
+ }
+
+ /**
+ * Signed Audit Log Public Key
+ *
+ * This method is called to obtain the public key from the passed in
+ * "X509Certificate" for a signed audit log message.
+ * <P>
+ *
+ * @param cert an X509Certificate
+ * @return key string containing the certificate's public key
+ */
+ private String auditPublicKey(X509Certificate cert) {
+ // if no signed audit object exists, bail
+ if (mSignedAuditLogger == null) {
+ return null;
+ }
+
+ if (cert == null) {
+ return ILogger.SIGNED_AUDIT_EMPTY_VALUE;
+ }
+
+ byte rawData[] = cert.getPublicKey().getEncoded();
+ String key = null;
+
+ // convert "rawData" into "base64Data"
+ if (rawData != null) {
+ String base64Data = null;
+
+ base64Data = CMS.BtoA(rawData).trim();
+
+ // extract all line separators from the "base64Data"
+ for (int i = 0; i < base64Data.length(); i++) {
+ if (base64Data.substring(i, i).getBytes() != EOL) {
+ key += base64Data.substring(i, i);
+ }
+ }
+ }
+
+ if (key != null) {
+ key = key.trim();
+
+ if (key.equals("")) {
+ return ILogger.SIGNED_AUDIT_EMPTY_VALUE;
+ } else {
+ return key;
+ }
+ } else {
+ return ILogger.SIGNED_AUDIT_EMPTY_VALUE;
+ }
+ }
+
+ /**
+ * Signed Audit Log Public Key
+ *
+ * This method is called to obtain the public key from the passed in
+ * "KeyRecord" for a signed audit log message.
+ * <P>
+ *
+ * @param rec a Key Record
+ * @return key string containing the certificate's public key
+ */
+ private String auditPublicKey(KeyRecord rec) {
+ // if no signed audit object exists, bail
+ if (mSignedAuditLogger == null) {
+ return null;
+ }
+
+ if (rec == null) {
+ return ILogger.SIGNED_AUDIT_EMPTY_VALUE;
+ }
+
+ byte rawData[] = null;
+
+ try {
+ rawData = rec.getPublicKeyData();
+ } catch (EBaseException e) {
+ return ILogger.SIGNED_AUDIT_EMPTY_VALUE;
+ }
+
+ String key = null;
+
+ // convert "rawData" into "base64Data"
+ if (rawData != null) {
+ String base64Data = null;
+
+ base64Data = CMS.BtoA(rawData).trim();
+
+ // extract all line separators from the "base64Data"
+ for (int i = 0; i < base64Data.length(); i++) {
+ if (base64Data.substring(i, i).getBytes() != EOL) {
+ key += base64Data.substring(i, i);
+ }
+ }
+ }
+
+ if (key != null) {
+ key = key.trim();
+
+ if (key.equals("")) {
+ return ILogger.SIGNED_AUDIT_EMPTY_VALUE;
+ } else {
+ return key;
+ }
+ } else {
+ return ILogger.SIGNED_AUDIT_EMPTY_VALUE;
+ }
+ }
+
+ /**
+ * Signed Audit Agents
+ *
+ * This method is called to extract agent uids from the passed in
+ * "Credentials[]" and return a string of comma-separated agent uids.
+ * <P>
+ *
+ * @param creds array of credentials
+ * @return a comma-separated string of agent uids
+ */
+ private String auditAgents(Credential creds[]) {
+ if (creds == null)
+ return null;
+
+ // if no signed audit object exists, bail
+ if (mSignedAuditLogger == null) {
+ return null;
+ }
+
+ String agents = ILogger.SIGNED_AUDIT_EMPTY_VALUE;
+
+ String uid = null;
+
+ for (int i = 0; i < creds.length; i++) {
+ uid = creds[i].getIdentifier();
+
+ if (uid != null) {
+ uid = uid.trim();
+ }
+
+ if (uid != null &&
+ !uid.equals("")) {
+
+ if (i == 0) {
+ agents = uid;
+ } else {
+ agents += SIGNED_AUDIT_AGENT_DELIMITER + uid;
+ }
+ }
+ }
+
+ return agents;
+ }
+}
+
diff --git a/pki/base/kra/src/com/netscape/kra/NetkeyKeygenService.java b/pki/base/kra/src/com/netscape/kra/NetkeyKeygenService.java
new file mode 100644
index 000000000..59f3a0a55
--- /dev/null
+++ b/pki/base/kra/src/com/netscape/kra/NetkeyKeygenService.java
@@ -0,0 +1,556 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2007 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.kra;
+
+
+import com.netscape.cmscore.util.Debug;
+import java.util.StringTokenizer;
+import java.util.Vector;
+import java.io.IOException;
+import java.io.ByteArrayInputStream;
+
+import java.math.BigInteger;
+import java.security.*;
+import java.security.KeyPair;
+import java.security.cert.CertificateException;
+import netscape.security.util.*;
+import netscape.security.util.BigInt;
+import netscape.security.pkcs.*;
+import netscape.security.x509.*;
+import netscape.security.provider.*;
+import org.mozilla.jss.*;
+import org.mozilla.jss.crypto.*;
+import org.mozilla.jss.util.*;
+import org.mozilla.jss.crypto.PrivateKey;
+import org.mozilla.jss.asn1.*;
+import org.mozilla.jss.crypto.KeyPairGenerator;
+import org.mozilla.jss.pkix.crmf.*;
+import org.mozilla.jss.pkix.primitive.*;
+import org.mozilla.jss.pkix.primitive.AVA;
+import org.mozilla.jss.pkcs11.*;
+import com.netscape.certsrv.common.*;
+import com.netscape.cmscore.util.*;
+import com.netscape.certsrv.logging.*;
+import com.netscape.certsrv.security.*;
+import com.netscape.cmscore.crmf.*;
+import com.netscape.certsrv.kra.*;
+import com.netscape.certsrv.base.*;
+import com.netscape.cmscore.cert.*;
+//import com.netscape.cmscore.ca.*;
+import com.netscape.cmscore.dbs.*;
+import com.netscape.certsrv.dbs.*;
+import com.netscape.certsrv.dbs.repository.*;
+import com.netscape.certsrv.profile.*;
+import com.netscape.certsrv.dbs.keydb.*;
+import com.netscape.certsrv.request.*;
+import com.netscape.certsrv.policy.*;
+import com.netscape.certsrv.authentication.*;
+import com.netscape.certsrv.apps.*;
+import com.netscape.certsrv.apps.CMS;
+
+//for b64 encoding
+import org.mozilla.jss.util.Base64OutputStream;
+import java.io.ByteArrayOutputStream;
+import java.io.PrintStream;
+import java.io.*;
+
+/**
+ * A class representing keygen/archival request procesor for requests
+ * from netkey RAs.
+ * the user private key of the encryption cert is wrapped with a
+ * session symmetric key. The session symmetric key is wrapped with the
+ * storage key and stored in the internal database for long term
+ * storage.
+ * The user private key of the encryption cert is to be wrapped with the
+ * DES key which came in in the request wrapped with the KRA
+ * transport cert. The wrapped user private key is then sent back to
+ * the caller (netkey RA) ...netkey RA should already has kek-wrapped
+ * des key from the TKS. They are to be sent together back to
+ * the token.
+ *
+ * @author Christina Fu (cfu)
+ * @version $Revision: 14563 $, $Date: 2007-05-01 10:35:23 -0700 (Tue, 01 May 2007) $
+ */
+
+public class NetkeyKeygenService implements IService {
+ public final static String ATTR_KEY_RECORD = "keyRecord";
+ public final static String ATTR_PROOF_OF_ARCHIVAL =
+ "proofOfArchival";
+
+ // private
+ private final static String
+ LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST =
+ "LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST_4";
+ private final static String
+ LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_PROCESSED =
+ "LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_PROCESSED_3";
+ // these need to be defined in LogMessages_en.properties later when we do this
+ private final static String
+ LOGGING_SIGNED_AUDIT_SERVER_SIDE_KEYGEN_REQUEST =
+ "LOGGING_SIGNED_AUDIT_SERVER_SIDE_KEYGEN_REQUEST_3";
+ private final static String
+ LOGGING_SIGNED_AUDIT_SERVER_SIDE_KEYGEN_PROCESSED =
+ "LOGGING_SIGNED_AUDIT_SERVER_SIDE_KEYGEN_PROCESSED_3";
+ private IKeyRecoveryAuthority mKRA = null;
+ private ITransportKeyUnit mTransportUnit = null;
+ private IStorageKeyUnit mStorageUnit = null;
+ private ILogger mSignedAuditLogger = CMS.getSignedAuditLogger();
+
+ /**
+ * Constructs request processor.
+ * <P>
+ *
+ * @param kra key recovery authority
+ */
+ public NetkeyKeygenService(IKeyRecoveryAuthority kra) {
+ mKRA = kra;
+ mTransportUnit = kra.getTransportKeyUnit();
+ mStorageUnit = kra.getStorageKeyUnit();
+ }
+
+ public PKIArchiveOptions toPKIArchiveOptions(byte options[]) {
+ ByteArrayInputStream bis = new ByteArrayInputStream(options);
+ PKIArchiveOptions archOpts = null;
+
+ try {
+ archOpts = (PKIArchiveOptions)
+ (new PKIArchiveOptions.Template()).decode(bis);
+ } catch (Exception e) {
+ CMS.debug("NetkeyKeygenService: getPKIArchiveOptions " + e.toString());
+ }
+ return archOpts;
+ }
+
+ public KeyPair generateKeyPair(
+ KeyPairAlgorithm kpAlg, int keySize, PQGParams pqg)
+ throws NoSuchAlgorithmException, TokenException, InvalidAlgorithmParameterException,
+ InvalidParameterException, PQGParamGenException {
+
+ CryptoToken token = mKRA.getKeygenToken();
+
+ CMS.debug("NetkeyKeygenService: key pair is to be generated on slot: "+token.getName());
+ KeyPairGenerator kpGen = token.getKeyPairGenerator(kpAlg);
+ // make it temporary so can work with HSM
+ kpGen.temporaryPairs(true);
+ kpGen.sensitivePairs(true);
+ kpGen.extractablePairs(true);
+
+ if (kpAlg == KeyPairAlgorithm.DSA) {
+ if (pqg == null) {
+ kpGen.initialize(keySize);
+ } else {
+ kpGen.initialize(pqg);
+ }
+ } else {
+ kpGen.initialize(keySize);
+ }
+
+ if (pqg == null) {
+ KeyPair kp;
+ synchronized (new Object()) {
+ kp = kpGen.genKeyPair();
+ mKRA.addEntropy(true);
+ }
+ return kp;
+ } else {
+ // DSA
+ KeyPair kp = null;
+
+ /* no DSA for now... netkey prototype
+ do {
+ // 602548 NSS bug - to overcome it, we use isBadDSAKeyPair
+ kp = kpGen.genKeyPair();
+ }
+ while (isBadDSAKeyPair(kp));
+ */
+ return kp;
+ }
+ }
+
+
+
+ public KeyPair generateKeyPair( String alg,
+ int keySize, PQGParams pqg) throws EBaseException {
+
+ KeyPairAlgorithm kpAlg = null;
+
+ if (alg.equals("RSA"))
+ kpAlg = KeyPairAlgorithm.RSA;
+ else
+ kpAlg = KeyPairAlgorithm.DSA;
+
+ try {
+ KeyPair kp = generateKeyPair( kpAlg, keySize, pqg);
+
+ return kp;
+ } catch (InvalidParameterException e) {
+ throw new EBaseException(CMS.getUserMessage("CMS_BASE_INVALID_KEYSIZE_PARAMS",
+ "" + keySize));
+ } catch (PQGParamGenException e) {
+ throw new EBaseException(CMS.getUserMessage("CMS_BASE_PQG_GEN_FAILED"));
+ } catch (NoSuchAlgorithmException e) {
+ throw new EBaseException(CMS.getUserMessage("CMS_BASE_ALG_NOT_SUPPORTED",
+ kpAlg.toString()));
+ } catch (TokenException e) {
+ throw new EBaseException(CMS.getUserMessage("CMS_BASE_TOKEN_ERROR_1", e.toString()));
+ } catch (InvalidAlgorithmParameterException e) {
+ throw new EBaseException(CMS.getUserMessage("CMS_BASE_ALG_NOT_SUPPORTED", "DSA"));
+ }
+ }
+
+ private static String base64Encode(byte[] bytes) throws IOException {
+ // All this streaming is lame, but Base64OutputStream needs a
+ // PrintStream
+ ByteArrayOutputStream output = new ByteArrayOutputStream();
+ Base64OutputStream b64 = new Base64OutputStream(new
+ PrintStream(new
+ FilterOutputStream(output)
+ )
+ );
+
+ b64.write(bytes);
+ b64.flush();
+
+ // This is internationally safe because Base64 chars are
+ // contained within 8859_1
+ return output.toString("8859_1");
+ }
+
+ // this encrypts bytes with a symmetric key
+ public byte[] encryptIt(byte[] toBeEncrypted, SymmetricKey symKey, CryptoToken token,
+ IVParameterSpec IV)
+ {
+ try {
+ Cipher cipher = token.getCipherContext(
+ EncryptionAlgorithm.DES3_CBC_PAD);
+
+ cipher.initEncrypt(symKey, IV);
+ byte pri[] = cipher.doFinal(toBeEncrypted);
+ return pri;
+ } catch (Exception e) {
+ CMS.debug("NetkeyKeygenService:initEncrypt() threw exception: "+e.toString());
+ return null;
+ }
+
+ }
+
+
+ /**
+ * Services an archival request from netkey.
+ * <P>
+ *
+ * @param request enrollment request
+ * @return serving successful or not
+ * @exception EBaseException failed to serve
+ */
+ public boolean serviceRequest(IRequest request)
+ throws EBaseException {
+ String auditMessage = null;
+ String auditSubjectID = null;
+ String auditRequesterID = "TPSagent";
+ String auditArchiveID = ILogger.UNIDENTIFIED;
+ String auditPublicKey = ILogger.UNIDENTIFIED;
+ byte[] wrapped_des_key;
+
+ byte iv[] = {0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1};
+ String iv_s ="";
+/*
+ org.mozilla.jss.pkcs11.PK11SecureRandom random =
+ new org.mozilla.jss.pkcs11.PK11SecureRandom();
+ random.nextBytes(iv);
+*/
+
+ IVParameterSpec algParam = new IVParameterSpec(iv);
+
+ wrapped_des_key = null;
+ boolean archive = true;
+ PK11SymKey sk= null;
+ byte[] publicKeyData = null;;
+ String PubKey = "";
+
+ String id = request.getRequestId().toString();
+ if (id != null) {
+ auditArchiveID = id.trim();
+ }
+
+ String rArchive = request.getExtDataInString(IRequest.NETKEY_ATTR_ARCHIVE_FLAG);
+ if (rArchive.equals("true")) {
+ archive = true;
+ CMS.debug("NetkeyKeygenService: serviceRequest " +"archival requested for serverSideKeyGen");
+ } else {
+ archive = false;
+ CMS.debug("NetkeyKeygenService: serviceRequest " +"archival not requested for serverSideKeyGen");
+ }
+
+ String rCUID = request.getExtDataInString(IRequest.NETKEY_ATTR_CUID);
+ String rUserid = request.getExtDataInString(IRequest.NETKEY_ATTR_USERID);
+ String rKeysize = request.getExtDataInString(IRequest.NETKEY_ATTR_KEY_SIZE);
+ int keysize = Integer.parseInt(rKeysize);
+ auditSubjectID=rCUID+":"+rUserid;
+
+ SessionContext sContext = SessionContext.getContext();
+ String agentId="";
+ if (sContext != null) {
+ agentId =
+ (String) sContext.get(SessionContext.USER_ID);
+ }
+
+ auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_SERVER_SIDE_KEYGEN_REQUEST,
+ auditSubjectID,
+ ILogger.SUCCESS,
+ agentId);
+
+ audit(auditMessage);
+
+
+ String rWrappedDesKeyString = request.getExtDataInString(IRequest.NETKEY_ATTR_DRMTRANS_DES_KEY);
+ // CMS.debug("NetkeyKeygenService: received DRM-trans-wrapped DES key ="+rWrappedDesKeyString);
+ wrapped_des_key = com.netscape.cmsutil.util.Utils.SpecialDecode(rWrappedDesKeyString);
+ CMS.debug("NetkeyKeygenService: wrapped_des_key specialDecoded");
+
+ // get the token for generating user keys
+ CryptoToken keygenToken = mKRA.getKeygenToken();
+ if (keygenToken == null) {
+ CMS.debug("NetkeyKeygenService: failed getting keygenToken");
+ request.setExtData(IRequest.RESULT, Integer.valueOf(10));
+ return false;
+ } else
+ CMS.debug("NetkeyKeygenService: got keygenToken");
+
+ if ((wrapped_des_key != null) &&
+ (wrapped_des_key.length > 0)) {
+
+ // unwrap the DES key
+ sk= (PK11SymKey) mTransportUnit.unwrap_sym(wrapped_des_key);
+
+ /* XXX could be done in HSM*/
+ KeyPair keypair = null;
+
+ CMS.debug("NetkeyKeygenService: about to generate key pair");
+
+ keypair = generateKeyPair("RSA"/*alg*/,
+ keysize /*Integer.parseInt(len)*/, null /*pqgParams*/);
+
+ if (keypair == null) {
+ CMS.debug("NetkeyKeygenService: failed generating key pair for "+rCUID+":"+rUserid);
+ request.setExtData(IRequest.RESULT, Integer.valueOf(4));
+
+ auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_SERVER_SIDE_KEYGEN_PROCESSED,
+ auditSubjectID,
+ ILogger.FAILURE,
+ agentId);
+
+ audit(auditMessage);
+
+ return false;
+ } else {
+ CMS.debug("NetkeyKeygenService: finished generate key pair for " +rCUID+":"+rUserid);
+ CMS.debug("NetkeyKeygenService: server-side key generated at keysize "+keysize);
+
+ auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_SERVER_SIDE_KEYGEN_PROCESSED,
+ auditSubjectID,
+ ILogger.SUCCESS,
+ agentId);
+
+ audit(auditMessage);
+
+ }
+
+ //...extract the private key handle (not privatekeydata)
+ java.security.PrivateKey privKey =
+ keypair.getPrivate();
+
+ if (privKey == null) {
+ request.setExtData(IRequest.RESULT, Integer.valueOf(4));
+ CMS.debug("NetkeyKeygenService: failed getting private key");
+ return false;
+ } else {
+ CMS.debug("NetkeyKeygenService: got private key");
+ }
+
+ try {
+
+ if (sk == null) {
+ CMS.debug("NetkeyKeygenService: no DES key");
+ request.setExtData(IRequest.RESULT, Integer.valueOf(4));
+ return false;
+ } else {
+ CMS.debug("NetkeyKeygenService: received DES key");
+ }
+
+ // 3 wrapping should be done in HSM
+ // wrap private key with DES
+ KeyWrapper symWrap =
+ keygenToken.getKeyWrapper(KeyWrapAlgorithm.DES3_CBC_PAD);
+ CMS.debug("NetkeyKeygenService: wrapper token=" + keygenToken.getName());
+ CMS.debug("NetkeyKeygenService: got key wrapper");
+
+ CMS.debug("NetkeyKeygenService: key transport key is on slot: "+sk.getOwningToken().getName());
+ symWrap.initWrap((SymmetricKey)sk, algParam);
+ byte wrapped[] = symWrap.wrap((PrivateKey)privKey);
+ /*
+ CMS.debug("NetkeyKeygenService: wrap called");
+ CMS.debug(wrapped);
+ */
+ /* This is for using with my decryption tool and ASN1
+ decoder to see if the private key is indeed PKCS#8 format
+ { // cfu debug
+ String oFilePath = "/tmp/wrappedPrivKey.bin";
+ File file = new File(oFilePath);
+ FileOutputStream ostream = new FileOutputStream(oFilePath);
+ ostream.write(wrapped);
+ ostream.close();
+ }
+ */
+ String wrappedPrivKeyString = /*base64Encode(wrapped);*/
+ com.netscape.cmsutil.util.Utils.SpecialEncode(wrapped);
+ if (wrappedPrivKeyString == null) {
+ request.setExtData(IRequest.RESULT, Integer.valueOf(4));
+ CMS.debug("NetkeyKeygenService: failed generating wrapped private key");
+ return false;
+ } else {
+ request.setExtData("wrappedUserPrivate", wrappedPrivKeyString);
+ }
+
+ publicKeyData = keypair.getPublic().getEncoded();
+ if (publicKeyData == null) {
+ request.setExtData(IRequest.RESULT, Integer.valueOf(4));
+ CMS.debug("NetkeyKeygenService: failed getting publickey encoded");
+ return false;
+ } else {
+ //CMS.debug("NetkeyKeygenService: public key binary length ="+ publicKeyData.length);
+ PubKey = base64Encode(publicKeyData);
+
+ //CMS.debug("NetkeyKeygenService: public key length =" + PubKey.length());
+ request.setExtData("public_key", PubKey);
+ }
+
+ iv_s = /*base64Encode(iv);*/com.netscape.cmsutil.util.Utils.SpecialEncode(iv);
+ request.setExtData("iv_s", iv_s);
+
+
+ /*
+ * archival - option flag "archive" controllable by the caller - TPS
+ */
+ if (archive) {
+ //
+ // privateKeyData ::= SEQUENCE {
+ // sessionKey OCTET_STRING,
+ // encKey OCTET_STRING,
+ // }
+ //
+ // mKRA.log(ILogger.LL_INFO, "KRA encrypts internal private");
+
+ CMS.debug("KRA encrypts private key to put on internal ldap db");
+ byte privateKeyData[] =
+ mStorageUnit.wrap((org.mozilla.jss.crypto.PrivateKey) privKey);
+
+ if (privateKeyData == null) {
+ request.setExtData(IRequest.RESULT, Integer.valueOf(4));
+ CMS.debug("NetkeyKeygenService: privatekey encryption by storage unit failed");
+ return false;
+ } else
+ CMS.debug("NetkeyKeygenService: privatekey encryption by storage unit successful");
+
+ // create key record
+ KeyRecord rec = new KeyRecord(null, publicKeyData,
+ privateKeyData, rCUID+":"+rUserid,
+ keypair.getPublic().getAlgorithm(),
+ agentId);
+
+ if (rec == null) {
+ request.setExtData(IRequest.RESULT, Integer.valueOf(11));
+ CMS.debug("NetkeyKeygenService: privatekey recording failed");
+ return false;
+ } else
+ CMS.debug("NetkeyKeygenService: got key record");
+
+ // we deal with RSA key only
+ try {
+ RSAPublicKey rsaPublicKey = new RSAPublicKey(publicKeyData);
+
+ rec.setKeySize(Integer.valueOf(rsaPublicKey.getKeySize()));
+ } catch (InvalidKeyException e) {
+ request.setExtData(IRequest.RESULT, Integer.valueOf(11));
+ CMS.debug("NetkeyKeygenService: failed:InvalidKeyException");
+ return false;
+ }
+ //??
+ IKeyRepository storage = mKRA.getKeyRepository();
+ BigInteger serialNo = storage.getNextSerialNumber();
+
+ if (serialNo == null) {
+ request.setExtData(IRequest.RESULT, Integer.valueOf(11));
+ CMS.debug("NetkeyKeygenService: serialNo null");
+ return false;
+ }
+ CMS.debug("NetkeyKeygenService: before addKeyRecord");
+ rec.set(KeyRecord.ATTR_ID, serialNo);
+ request.setExtData(ATTR_KEY_RECORD, serialNo);
+ storage.addKeyRecord(rec);
+ CMS.debug("NetkeyKeygenService: key archived for "+rCUID+":"+rUserid);
+
+ auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_PROCESSED,
+ auditSubjectID,
+ ILogger.SUCCESS,
+ PubKey);
+
+ audit(auditMessage);
+
+ } //if archive
+
+ request.setExtData(IRequest.RESULT, Integer.valueOf(1));
+ } catch (Exception e) {
+ CMS.debug("NetKeyKeygenService: " + e.toString());
+ Debug.printStackTrace(e);
+ request.setExtData(IRequest.RESULT, Integer.valueOf(4));
+
+ }
+ } else
+ request.setExtData(IRequest.RESULT, Integer.valueOf(2));
+
+ return true;
+ } //serviceRequest
+
+ /**
+ * Signed Audit Log
+ *y
+ * This method is called to store messages to the signed audit log.
+ * <P>
+ *
+ * @param msg signed audit log message
+ */
+ private void audit(String msg) {
+ // in this case, do NOT strip preceding/trailing whitespace
+ // from passed-in String parameters
+
+ if (mSignedAuditLogger == null) {
+ return;
+ }
+
+ mSignedAuditLogger.log(ILogger.EV_SIGNED_AUDIT,
+ null,
+ ILogger.S_SIGNED_AUDIT,
+ ILogger.LL_SECURITY,
+ msg);
+ }
+}
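Review bot: The DES3_CBC_PAD wrap of the freshly generated private key in serviceRequest (`symWrap.initWrap((SymmetricKey)sk, algParam)`) is driven by the constant IV declared as `byte iv[] = {0x1, 0x1, ...}`, while the per-request random IV (`PK11SecureRandom ... random.nextBytes(iv)`) sits commented out right below it; a fixed IV under a transport DES key that is reused across requests weakens the CBC protection of the wrapped key, and the commented block should be restored (one line: `new org.mozilla.jss.pkcs11.PK11SecureRandom().nextBytes(iv);`) with `iv_s` still returned to the caller as it is now. Separately, every early-return failure between the SERVER_SIDE_KEYGEN_REQUEST audit entry and the PROCESSED entry (null `keygenToken`, null `privKey`, null `sk`, null `wrappedPrivKeyString`/`publicKeyData`, and each failure branch under `if (archive)`) sets `IRequest.RESULT` but writes no FAILURE audit record, so the signed audit trail shows a request with no outcome; the `catch (Exception e)` at the end likewise sets RESULT to 4 and then returns true. The RA-supplied attributes are also consumed without guards: `rArchive.equals("true")` throws NPE if the archive flag is absent and `Integer.parseInt(rKeysize)` throws an unhandled NumberFormatException, neither of which reaches the audit log; `"true".equals(rArchive)` and a parse wrapped in try/catch that sets RESULT and audits FAILURE would close both gaps. Finally, `synchronized (new Object())` around `kpGen.genKeyPair()` in generateKeyPair synchronizes on a fresh object and so serializes nothing; if the intent is to serialize key generation per token, lock on `token` or a class-level monitor instead.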
diff --git a/pki/base/kra/src/com/netscape/kra/RecoveryService.java b/pki/base/kra/src/com/netscape/kra/RecoveryService.java
new file mode 100644
index 000000000..39253ab68
--- /dev/null
+++ b/pki/base/kra/src/com/netscape/kra/RecoveryService.java
@@ -0,0 +1,476 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2007 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.kra;
+
+
+import java.util.*;
+import java.io.*;
+import java.net.*;
+import java.math.*;
+import java.security.*;
+import java.security.cert.*;
+import java.security.KeyPair;
+import netscape.security.util.*;
+import netscape.security.pkcs.*;
+import netscape.security.x509.*;
+import com.netscape.cmscore.util.*;
+import com.netscape.certsrv.util.*;
+import com.netscape.certsrv.logging.*;
+import com.netscape.certsrv.base.*;
+
+import com.netscape.certsrv.dbs.*;
+import com.netscape.certsrv.security.*;
+import com.netscape.certsrv.kra.*;
+import com.netscape.certsrv.apps.*;
+import com.netscape.certsrv.dbs.repository.*;
+import com.netscape.certsrv.dbs.keydb.*;
+import com.netscape.cmscore.cert.*;
+import com.netscape.cmscore.dbs.*;
+import com.netscape.cmscore.dbs.*;
+import com.netscape.certsrv.request.*;
+import com.netscape.certsrv.authentication.*;
+
+import org.mozilla.jss.CryptoManager;
+import org.mozilla.jss.asn1.*;
+import org.mozilla.jss.crypto.PBEAlgorithm;
+import org.mozilla.jss.pkcs12.*;
+import org.mozilla.jss.pkix.primitive.*;
+
+
+/**
+ * A class represents recovery request processor. There
+ * are 2 types of recovery modes: (1) administrator or
+ * (2) end-entity.
+ * <P>
+ * Administrator recovery will create a PKCS12 file where
+ * stores the certificate and the recovered key.
+ * <P>
+ * End Entity recovery will send RA or CA a response where
+ * stores the recovered key.
+ *
+ * @author thomask
+ * @version $Revision: 14563 $, $Date: 2007-05-01 10:35:23 -0700 (Tue, 01 May 2007) $
+ */
+public class RecoveryService implements IService {
+
+ public static final String ATTR_NICKNAME = "nickname";
+ public static final String ATTR_OWNER_NAME = "ownerName";
+ public static final String ATTR_SERIALNO = "serialNumber";
+ public static final String ATTR_PUBLIC_KEY_DATA = "publicKeyData";
+ public static final String ATTR_PRIVATE_KEY_DATA = "privateKeyData";
+ public static final String ATTR_TRANSPORT_CERT = "transportCert";
+ public static final String ATTR_TRANSPORT_PWD = "transportPwd";
+ public static final String ATTR_SIGNING_CERT = "signingCert";
+ public static final String ATTR_PKCS12 = "pkcs12";
+ public static final String ATTR_ENCRYPTION_CERTS =
+ "encryptionCerts";
+ public static final String ATTR_AGENT_CREDENTIALS =
+ "agentCredentials";
+ // same as encryption certs
+ public static final String ATTR_USER_CERT = "cert";
+ public static final String ATTR_DELIVERY = "delivery";
+
+ private IKeyRecoveryAuthority mKRA = null;
+ private IKeyRepository mStorage = null;
+ private IStorageKeyUnit mStorageUnit = null;
+
+ /**
+ * Constructs request processor.
+ */
+ public RecoveryService(IKeyRecoveryAuthority kra) {
+ mKRA = kra;
+ mStorage = mKRA.getKeyRepository();
+ mStorageUnit = mKRA.getStorageKeyUnit();
+ }
+
+ /**
+ * Processes a recovery request. Based on the recovery mode
+ * (either Administrator or End-Entity), the method reads
+ * the key record from the database, and tried to recover the
+ * key with the storage key unit.
+ *
+ * @param request recovery request
+ * @return operation success or not
+ * @exception EBaseException failed to serve
+ */
+ public boolean serviceRequest(IRequest request) throws EBaseException {
+
+ IStatsSubsystem statsSub = (IStatsSubsystem)CMS.getSubsystem("stats");
+ if (statsSub != null) {
+ statsSub.startTiming("recovery", true /* main action */);
+ }
+
+ if (Debug.ON)
+ Debug.trace("KRA services recovery request");
+ mKRA.log(ILogger.LL_INFO, "KRA services recovery request");
+
+ // byte publicKey[] = (byte[])request.get(ATTR_PUBLIC_KEY_DATA);
+ // X500Name owner = (X500Name)request.get(ATTR_OWNER_NAME);
+
+ Hashtable params = mKRA.getVolatileRequest(
+ request.getRequestId());
+
+ if (params == null) {
+ // possibly we are in recovery mode
+ return true;
+ }
+
+ // retrieve based on serial no
+ BigInteger serialno = request.getExtDataInBigInteger(ATTR_SERIALNO);
+
+ mKRA.log(ILogger.LL_INFO, "KRA reading key record");
+ if (statsSub != null) {
+ statsSub.startTiming("get_key");
+ }
+ KeyRecord keyRecord = (KeyRecord) mStorage.readKeyRecord(serialno);
+ if (statsSub != null) {
+ statsSub.endTiming("get_key");
+ }
+
+ // see if the certificate matches the key
+ byte pubData[] = keyRecord.getPublicKeyData();
+ X509Certificate x509cert =
+ request.getExtDataInCert(ATTR_USER_CERT);
+ byte inputPubData[] = x509cert.getPublicKey().getEncoded();
+
+ if (inputPubData.length != pubData.length) {
+ mKRA.log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_KRA_PUBLIC_KEY_LEN"));
+ throw new EKRAException(
+ CMS.getUserMessage("CMS_KRA_PUBLIC_KEY_NOT_MATCHED"));
+ }
+ for (int i = 0; i < pubData.length; i++) {
+ if (pubData[i] != inputPubData[i]) {
+ mKRA.log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_KRA_PUBLIC_KEY_LEN"));
+ throw new EKRAException(
+ CMS.getUserMessage("CMS_KRA_PUBLIC_KEY_NOT_MATCHED"));
+ }
+ }
+
+ // Unwrap the archived private key
+ byte privateKeyData[] = null;
+ X509Certificate transportCert =
+ request.getExtDataInCert(ATTR_TRANSPORT_CERT);
+
+ if (transportCert == null) {
+ if (statsSub != null) {
+ statsSub.startTiming("recover_key");
+ }
+ privateKeyData = recoverKey(params, keyRecord);
+ if (statsSub != null) {
+ statsSub.endTiming("recover_key");
+ }
+
+ if (statsSub != null) {
+ statsSub.startTiming("verify_key");
+ }
+ if (verifyKeyPair(pubData, privateKeyData) == false) {
+ mKRA.log(ILogger.LL_FAILURE,
+ CMS.getLogMessage("CMSCORE_KRA_PUBLIC_NOT_FOUND"));
+ throw new EKRAException(
+ CMS.getUserMessage("CMS_KRA_INVALID_PUBLIC_KEY"));
+ }
+ if (statsSub != null) {
+ statsSub.endTiming("verify_key");
+ }
+
+ if (statsSub != null) {
+ statsSub.startTiming("create_p12");
+ }
+ createPFX(request, params, privateKeyData);
+ if (statsSub != null) {
+ statsSub.endTiming("create_p12");
+ }
+ } else {
+
+ if (CMS.getConfigStore().getBoolean("kra.keySplitting")) {
+ Credential creds[] = (Credential[])
+ params.get(ATTR_AGENT_CREDENTIALS);
+ mKRA.getStorageKeyUnit().login(creds);
+ }
+ if (statsSub != null) {
+ statsSub.startTiming("unwrap_key");
+ }
+ PrivateKey privateKey = mKRA.getStorageKeyUnit().unwrap(
+ keyRecord.getPrivateKeyData(), null);
+ if (statsSub != null) {
+ statsSub.endTiming("unwrap_key");
+ }
+
+ if (CMS.getConfigStore().getBoolean("kra.keySplitting")) {
+ mKRA.getStorageKeyUnit().logout();
+ }
+ }
+ mKRA.log(ILogger.LL_INFO, "key " +
+ serialno.toString() +
+ " recovered");
+
+ // for audit log
+ String authMgr = AuditFormat.NOAUTH;
+ String initiative = AuditFormat.FROMUSER;
+ SessionContext sContext = SessionContext.getContext();
+
+ if (sContext != null) {
+ String agentId =
+ (String) sContext.get(SessionContext.USER_ID);
+
+ initiative = AuditFormat.FROMAGENT + " agentID: " + agentId;
+ AuthToken authToken = (AuthToken) sContext.get(SessionContext.AUTH_TOKEN);
+
+ if (authToken != null) {
+ authMgr =
+ authToken.getInString(AuthToken.TOKEN_AUTHMGR_INST_NAME);
+ }
+ }
+ CMS.getLogger().log(ILogger.EV_AUDIT,
+ ILogger.S_KRA,
+ AuditFormat.LEVEL,
+ AuditFormat.FORMAT,
+ new Object[] {
+ IRequest.KEYRECOVERY_REQUEST,
+ request.getRequestId(),
+ initiative,
+ authMgr,
+ "completed",
+ ((X509CertImpl) x509cert).getSubjectDN(),
+ "serial number: 0x" + serialno.toString(16)}
+ );
+
+ if (statsSub != null) {
+ statsSub.endTiming("recovery");
+ }
+
+ return true;
+ }
+
+ public boolean verifyKeyPair(byte publicKeyData[], byte privateKeyData[])
+ {
+ try {
+ DerValue publicKeyVal = new DerValue(publicKeyData);
+ DerInputStream publicKeyIn = publicKeyVal.data;
+ publicKeyIn.getSequence(0);
+ DerValue publicKeyDer = new DerValue(publicKeyIn.getBitString());
+ DerInputStream publicKeyDerIn = publicKeyDer.data;
+ BigInt publicKeyModulus = publicKeyDerIn.getInteger();
+ BigInt publicKeyExponent = publicKeyDerIn.getInteger();
+
+ DerValue privateKeyVal = new DerValue(privateKeyData);
+ if (privateKeyVal.tag != DerValue.tag_Sequence)
+ return false;
+ DerInputStream privateKeyIn = privateKeyVal.data;
+ privateKeyIn.getInteger();
+ privateKeyIn.getSequence(0);
+ DerValue privateKeyDer = new DerValue(privateKeyIn.getOctetString());
+ DerInputStream privateKeyDerIn = privateKeyDer.data;
+ BigInt privateKeyVersion = privateKeyDerIn.getInteger();
+ BigInt privateKeyModulus = privateKeyDerIn.getInteger();
+ BigInt privateKeyExponent = privateKeyDerIn.getInteger();
+
+ if (!publicKeyModulus.equals(privateKeyModulus)) {
+ CMS.debug("verifyKeyPair modulus mismatch publicKeyModulus=" + publicKeyModulus + " privateKeyModulus=" + privateKeyModulus);
+ return false;
+ }
+
+ if (!publicKeyExponent.equals(privateKeyExponent)) {
+ CMS.debug("verifyKeyPair exponent mismatch publicKeyExponent=" + publicKeyExponent + " privateKeyExponent=" + privateKeyExponent);
+ return false;
+ }
+
+ return true;
+ } catch (Exception e) {
+ CMS.debug("verifyKeyPair error " + e);
+ return false;
+ }
+ }
+
+ /**
+ * Recovers key.
+ */
+ public synchronized byte[] recoverKey(Hashtable request, KeyRecord keyRecord)
+ throws EBaseException {
+ if (CMS.getConfigStore().getBoolean("kra.keySplitting")) {
+ Credential creds[] = (Credential[])
+ request.get(ATTR_AGENT_CREDENTIALS);
+
+ mStorageUnit.login(creds);
+ }
+ mKRA.log(ILogger.LL_INFO, "KRA decrypts internal private");
+ byte privateKeyData[] =
+ mStorageUnit.decryptInternalPrivate(
+ keyRecord.getPrivateKeyData());
+
+ if (CMS.getConfigStore().getBoolean("kra.keySplitting")) {
+ mStorageUnit.logout();
+ }
+ if (privateKeyData == null) {
+ mKRA.log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_KRA_PRIVATE_KEY_NOT_FOUND"));
+ throw new EKRAException(CMS.getUserMessage("CMS_KRA_RECOVERY_FAILED_1", "no private key"));
+ }
+ return privateKeyData;
+ }
+
+ /**
+ * Creates a PFX (PKCS12) file.
+ *
+ * @param request CRMF recovery request
+ * @param priData decrypted private key (PrivateKeyInfo)
+ * @exception EBaseException failed to create P12 file
+ */
+ public void createPFX(IRequest request, Hashtable params,
+ byte priData[]) throws EBaseException {
+ // create p12
+ X509Certificate x509cert =
+ request.getExtDataInCert(ATTR_USER_CERT);
+ String pwd = (String) params.get(ATTR_TRANSPORT_PWD);
+
+ try {
+
+ // add certificate
+ mKRA.log(ILogger.LL_INFO, "KRA adds certificate to P12");
+ SEQUENCE encSafeContents = new SEQUENCE();
+ ASN1Value cert = new OCTET_STRING(x509cert.getEncoded());
+ String nickname = request.getExtDataInString(ATTR_NICKNAME);
+
+ if (nickname == null) {
+ nickname = x509cert.getSubjectDN().toString();
+ }
+ byte localKeyId[] = createLocalKeyId(x509cert);
+ SET certAttrs = createBagAttrs(
+ nickname, localKeyId);
+ // attributes: user friendly name, Local Key ID
+ SafeBag certBag = new SafeBag(SafeBag.CERT_BAG,
+ new CertBag(CertBag.X509_CERT_TYPE, cert),
+ certAttrs);
+
+ encSafeContents.addElement(certBag);
+
+ // add key
+ mKRA.log(ILogger.LL_INFO, "KRA adds key to P12");
+ org.mozilla.jss.util.Password pass = new
+ org.mozilla.jss.util.Password(
+ pwd.toCharArray());
+
+ SEQUENCE safeContents = new SEQUENCE();
+ PasswordConverter passConverter = new
+ PasswordConverter();
+ byte salt[] = {0x01, 0x01, 0x01, 0x01};
+ PrivateKeyInfo pki = (PrivateKeyInfo)
+ ASN1Util.decode(PrivateKeyInfo.getTemplate(),
+ priData);
+ ASN1Value key = EncryptedPrivateKeyInfo.createPBE(
+ PBEAlgorithm.PBE_SHA1_DES3_CBC,
+ pass, salt, 1, passConverter, pki);
+ SET keyAttrs = createBagAttrs(
+ x509cert.getSubjectDN().toString(),
+ localKeyId);
+ SafeBag keyBag = new SafeBag(
+ SafeBag.PKCS8_SHROUDED_KEY_BAG, key,
+ keyAttrs); // ??
+
+ safeContents.addElement(keyBag);
+
+ // build contents
+ AuthenticatedSafes authSafes = new
+ AuthenticatedSafes();
+
+ authSafes.addSafeContents(
+ safeContents
+ );
+ authSafes.addSafeContents(
+ encSafeContents
+ );
+
+ // authSafes.addEncryptedSafeContents(
+ // authSafes.DEFAULT_KEY_GEN_ALG,
+ // pass, null, 1,
+ // encSafeContents);
+ PFX pfx = new PFX(authSafes);
+
+ pfx.computeMacData(pass, null, 5); // ??
+ ByteArrayOutputStream fos = new
+ ByteArrayOutputStream();
+
+ pfx.encode(fos);
+ pass.clear();
+
+ // put final PKCS12 into volatile request
+ params.put(ATTR_PKCS12, fos.toByteArray());
+ } catch (Exception e) {
+ mKRA.log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_KRA_CONSTRUCT_P12", e.toString()));
+ throw new EKRAException(CMS.getUserMessage("CMS_KRA_PKCS12_FAILED_1", e.toString()));
+ }
+
+ // update request
+ mKRA.getRequestQueue().updateRequest(request);
+ }
+
+ /**
+ * Creates local key identifier.
+ */
+ public byte[] createLocalKeyId(X509Certificate cert)
+ throws EBaseException {
+ try {
+ // SHA1 hash of the X509Cert der encoding
+ byte certDer[] = cert.getEncoded();
+
+ // XXX - should use JSS
+ MessageDigest md = MessageDigest.getInstance("SHA");
+
+ md.update(certDer);
+ return md.digest();
+ } catch (CertificateEncodingException e) {
+ mKRA.log(ILogger.LL_FAILURE,
+ CMS.getLogMessage("CMSCORE_KRA_CREAT_KEY_ID", e.toString()));
+ throw new EKRAException(CMS.getUserMessage("CMS_KRA_KEYID_FAILED_1", e.toString()));
+ } catch (NoSuchAlgorithmException e) {
+ mKRA.log(ILogger.LL_FAILURE,
+ CMS.getLogMessage("CMSCORE_KRA_CREAT_KEY_ID", e.toString()));
+ throw new EKRAException(CMS.getUserMessage("CMS_KRA_KEYID_FAILED_1", e.toString()));
+ }
+ }
+
+ /**
+ * Creates bag attributes.
+ */
+ public SET createBagAttrs(String nickName, byte localKeyId[])
+ throws EBaseException {
+ try {
+ SET attrs = new SET();
+ SEQUENCE nickNameAttr = new SEQUENCE();
+
+ nickNameAttr.addElement(SafeBag.FRIENDLY_NAME);
+ SET nickNameSet = new SET();
+
+ nickNameSet.addElement(new BMPString(nickName));
+ nickNameAttr.addElement(nickNameSet);
+ attrs.addElement(nickNameAttr);
+ SEQUENCE localKeyAttr = new SEQUENCE();
+
+ localKeyAttr.addElement(SafeBag.LOCAL_KEY_ID);
+ SET localKeySet = new SET();
+
+ localKeySet.addElement(new OCTET_STRING(localKeyId));
+ localKeyAttr.addElement(localKeySet);
+ attrs.addElement(localKeyAttr);
+ return attrs;
+ } catch (CharConversionException e) {
+ mKRA.log(ILogger.LL_FAILURE,
+ CMS.getLogMessage("CMSCORE_KRA_CREAT_KEY_BAG", e.toString()));
+ throw new EKRAException(CMS.getUserMessage("CMS_KRA_KEYBAG_FAILED_1", e.toString()));
+ }
+ }
+}
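Review bot: `createPFX` derives the PKCS#12 key-encryption key from a constant four-byte salt and an iteration count of 1 (the `salt` literal and the `createPBE(..., pass, salt, 1, ...)` call), and `pass.clear()` sits only on the success path, so the recovery password remains in memory whenever `createPBE`, `computeMacData` or `encode` throws. A per-file random salt (`java.security.*` is already imported, so `SecureRandom` is in scope) and a larger iteration count make the exported file materially harder to brute-force offline, and clearing the password in a `finally` bounds its lifetime on failure too. The same missing-`finally` shape appears in `recoverKey` and in the transport-cert branch of `serviceRequest`: `mStorageUnit.logout()` / `getStorageKeyUnit().logout()` is skipped if `decryptInternalPrivate` or `unwrap` throws, leaving the storage unit logged in under the agents' credentials. The `privateKey` unwrapped in that `serviceRequest` branch is also never used or stored in the request, which reads as an incomplete path and deserves a comment saying what is intended.
```java
            // add key
            mKRA.log(ILogger.LL_INFO, "KRA adds key to P12");
            org.mozilla.jss.util.Password pass = new
                org.mozilla.jss.util.Password(
                    pwd.toCharArray());
            try {
                // … unchanged: safeContents / passConverter setup …
                // fresh salt per exported file; consumers read it from the PBE params
                byte salt[] = new byte[8];
                new SecureRandom().nextBytes(salt);
                // … unchanged: PrivateKeyInfo decode …
                ASN1Value key = EncryptedPrivateKeyInfo.createPBE(
                        PBEAlgorithm.PBE_SHA1_DES3_CBC,
                        pass, salt, 2000 /* constructed example; 1 is too low, pick per policy */,
                        passConverter, pki);
                // … unchanged: key bag, authSafes, PFX build, pfx.encode(fos), params.put(...) …
            } finally {
                pass.clear(); // also on failure, so the recovery password does not linger
            }
```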
diff --git a/pki/base/kra/src/com/netscape/kra/StorageKeyUnit.java b/pki/base/kra/src/com/netscape/kra/StorageKeyUnit.java
new file mode 100644
index 000000000..d037c9be9
--- /dev/null
+++ b/pki/base/kra/src/com/netscape/kra/StorageKeyUnit.java
@@ -0,0 +1,962 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2007 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.kra;
+
+
+import org.mozilla.jss.util.Password;
+import java.util.*;
+import java.io.*;
+import com.netscape.certsrv.security.*;
+import java.net.*;
+import java.security.*;
+import java.security.cert.*;
+import org.mozilla.jss.crypto.X509Certificate;
+import org.mozilla.jss.crypto.TokenCertificate;
+import netscape.security.x509.*;
+import netscape.security.util.*;
+import com.netscape.cmscore.util.*;
+//import com.netscape.cmscore.kra.*;
+import com.netscape.certsrv.dbs.keydb.*;
+import com.netscape.certsrv.apps.*;
+import com.netscape.certsrv.logging.*;
+import com.netscape.certsrv.base.*;
+import com.netscape.certsrv.security.*;
+import com.netscape.certsrv.kra.*;
+import org.mozilla.jss.crypto.PrivateKey;
+import org.mozilla.jss.*;
+import org.mozilla.jss.asn1.INTEGER;
+import org.mozilla.jss.util.*;
+import org.mozilla.jss.util.Password;
+import org.mozilla.jss.crypto.*;
+import com.netscape.cmscore.cert.*;
+
+
+/**
+ * A class represents a storage key unit. Currently, this
+ * is implemented with cryptix, the final implementation
+ * should be built on JSS/HCL.
+ *
+ * @author thomask
+ * @version $Revision: 14563 $, $Date: 2007-05-01 10:35:23 -0700 (Tue, 01 May 2007) $
+ */
+public class StorageKeyUnit extends EncryptionUnit implements
+ ISubsystem, IStorageKeyUnit {
+
+ private IConfigStore mConfig = null;
+
+ // private RSAPublicKey mPublicKey = null;
+ // private RSAPrivateKey mPrivateKey = null;
+
+ private IConfigStore mStorageConfig = null;
+ private IKeyRecoveryAuthority mKRA = null;
+ private String mTokenFile = null;
+ private X509Certificate mCert = null;
+ private CryptoManager mManager = null;
+ private CryptoToken mToken = null;
+ private PrivateKey mPrivateKey = null;
+ private byte mPrivateKeyData[] = null;
+ private boolean mKeySplitting = false;
+
+
+ private static final String PROP_N = "n";
+ private static final String PROP_M = "m";
+ private static final String PROP_UID = "uid";
+ private static final String PROP_SHARE = "share";
+ private static final String PROP_HARDWARE = "hardware";
+ private static final String PROP_LOGOUT = "logout";
+ public static final String PROP_NICKNAME = "nickName";
+ public static final String PROP_KEYDB = "keydb";
+ public static final String PROP_CERTDB = "certdb";
+ public static final String PROP_MN = "mn";
+
+ /**
+ * Constructs this token.
+ */
+ public StorageKeyUnit() {
+ super();
+ }
+
+ /**
+ * Retrieves subsystem identifier.
+ */
+ public String getId() {
+ return "storageKeyUnit";
+ }
+
+ /**
+ * Sets subsystem identifier. Once the system is
+ * loaded, system identifier cannot be changed
+ * dynamically.
+ */
+ public void setId(String id) throws EBaseException {
+ throw new EBaseException(CMS.getUserMessage("CMS_INVALID_OPERATION"));
+ }
+
+ /**
+ * return true if byte arrays are equal, false otherwise
+ */
+ private boolean byteArraysMatch(byte a[], byte b[]) {
+ if (a==null || b==null) { return false; }
+ if (a.length != b.length) { return false; }
+ for (int i=0; i<a.length; i++) {
+ if (a[i] != b[i]) { return false; }
+ }
+ return true;
+ }
+
+
+ /**
+ * Initializes this subsystem.
+ */
+ public void init(ISubsystem owner, IConfigStore config)
+ throws EBaseException {
+ mKRA = (IKeyRecoveryAuthority) owner;
+ mConfig = config;
+
+ mKeySplitting = owner.getConfigStore().getBoolean("keySplitting", false);
+
+ try {
+ mManager = CryptoManager.getInstance();
+ mToken = getToken();
+ } catch (org.mozilla.jss.CryptoManager.NotInitializedException e) {
+ mKRA.log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_KRA_STORAGE_INIT", e.toString()));
+ throw new EBaseException(CMS.getUserMessage("CMS_BASE_CERT_ERROR", e.toString()));
+ }
+
+ if (mConfig.getString(PROP_HARDWARE, null) != null) {
+ System.setProperty("cms.skip_token", mConfig.getString(PROP_HARDWARE));
+
+// The strategy here is to read all the certs in the token
+// and cycle through them until we find one that matches the
+// kra-cert.db file
+
+ if (mKeySplitting) {
+
+ byte certFileData[] = null;
+ try {
+ File certFile = new File(
+ mConfig.getString(PROP_CERTDB));
+
+ certFileData = new byte[
+ (Long.valueOf(certFile.length())).intValue()];
+ FileInputStream fi = new FileInputStream(certFile);
+
+ fi.read(certFileData);
+ fi.close();
+
+ // pick up cert by nickName
+
+ } catch (IOException e) {
+ mKRA.log(ILogger.LL_INFO,
+ CMS.getLogMessage("CMSCORE_KRA_STORAGE_READ_CERT", e.toString()));
+ throw new EBaseException(CMS.getUserMessage("CMS_BASE_CERT_ERROR", e.toString()));
+ }
+
+ try {
+ X509Certificate certs[] =
+ getToken().getCryptoStore().getCertificates();
+ for (int i=0;i <certs.length;i++) {
+ if (byteArraysMatch(certs[i].getEncoded(),certFileData)) {
+ mCert = certs[i];
+ }
+ }
+ if (mCert == null) {
+ mKRA.log(ILogger.LL_FAILURE, "Storage Cert could not be initialized. No cert in token matched kra-cert file");
+ throw new EBaseException(CMS.getUserMessage("CMS_BASE_CERT_ERROR", "mCert == null"));
+ } else {
+ mKRA.log(ILogger.LL_INFO, "Using Storage Cert "+mCert.getSubjectDN());
+ }
+ } catch (CertificateEncodingException e) {
+ mKRA.log(ILogger.LL_FAILURE, "Error encoding cert ");
+ throw new EBaseException(CMS.getUserMessage("CMS_BASE_CERT_ERROR", e.toString()));
+ } catch (TokenException e) {
+ mKRA.log(ILogger.LL_FAILURE,
+ CMS.getLogMessage("CMSCORE_KRA_STORAGE_READ_CERT", e.toString()));
+ throw new EBaseException(CMS.getUserMessage("CMS_BASE_CERT_ERROR", e.toString()));
+ }
+ }
+
+ } else {
+
+ // read certificate from file
+ byte certData[] = null;
+
+ try {
+ if (mKeySplitting) {
+ File certFile = new File(
+ mConfig.getString(PROP_CERTDB));
+
+ certData = new byte[
+ (Long.valueOf(certFile.length())).intValue()];
+ FileInputStream fi = new FileInputStream(certFile);
+
+ fi.read(certData);
+ fi.close();
+
+ // pick up cert by nickName
+ mCert = mManager.findCertByNickname(
+ config.getString(PROP_NICKNAME));
+
+ } else {
+ mCert = mManager.findCertByNickname(
+ config.getString(PROP_NICKNAME));
+ }
+ } catch (IOException e) {
+ mKRA.log(ILogger.LL_FAILURE,
+ CMS.getLogMessage("CMSCORE_KRA_STORAGE_READ_CERT", e.toString()));
+ throw new EBaseException(CMS.getUserMessage("CMS_BASE_CERT_ERROR", e.toString()));
+ } catch (TokenException e) {
+ mKRA.log(ILogger.LL_FAILURE,
+ CMS.getLogMessage("CMSCORE_KRA_STORAGE_READ_CERT", e.toString()));
+ throw new EBaseException(CMS.getUserMessage("CMS_BASE_CERT_ERROR", e.toString()));
+ } catch (ObjectNotFoundException e) {
+ mKRA.log(ILogger.LL_FAILURE,
+ CMS.getLogMessage("CMSCORE_KRA_STORAGE_READ_CERT", e.toString()));
+ // XXX - this import wont work
+ try {
+ mCert = mManager.importCertPackage(certData,
+ "kraStorageCert");
+ } catch (Exception ex) {
+ mKRA.log(ILogger.LL_FAILURE,
+ CMS.getLogMessage("CMSCORE_KRA_STORAGE_IMPORT_CERT", e.toString()));
+ throw new EBaseException(CMS.getUserMessage("CMS_BASE_CERT_ERROR", ex.toString()));
+ }
+ }
+
+ if (mKeySplitting) {
+ // read private key from the file
+ try {
+ File priFile = new File(mConfig.getString(PROP_KEYDB));
+
+ mPrivateKeyData = new byte[
+ (Long.valueOf(priFile.length())).intValue()];
+ FileInputStream fi = new FileInputStream(priFile);
+
+ fi.read(mPrivateKeyData);
+ fi.close();
+ } catch (IOException e) {
+ mKRA.log(ILogger.LL_FAILURE,
+ CMS.getLogMessage("CMSCORE_KRA_STORAGE_READ_PRIVATE", e.toString()));
+ throw new EBaseException(CMS.getUserMessage("CMS_BASE_INVALID_KEY_1", e.toString()));
+ }
+ }
+
+ }
+
+ if (mKeySplitting) {
+ // open internal data storage configuration
+ mTokenFile = mConfig.getString(PROP_MN);
+ try {
+ // read m, n and no of identifier
+ mStorageConfig = CMS.createFileConfigStore(mTokenFile);
+ } catch (EBaseException e) {
+ mKRA.log(ILogger.LL_FAILURE,
+ CMS.getLogMessage("CMSCORE_KRA_STORAGE_READ_MN",
+ e.toString()));
+ throw new EBaseException(CMS.getUserMessage("CMS_BASE_INVALID_OPERATION"));
+
+ }
+ }
+
+ try {
+ if (mCert == null) {
+ CMS.debug("mCert is null...retrieving "+ config.getString(PROP_NICKNAME));
+ mCert = mManager.findCertByNickname(
+ config.getString(PROP_NICKNAME));
+ CMS.debug("mCert = "+mCert);
+ }
+ } catch (Exception e) {
+ mKRA.log(ILogger.LL_FAILURE,
+ CMS.getLogMessage("CMSCORE_KRA_STORAGE_READ_CERT", e.toString()));
+ throw new EBaseException(CMS.getUserMessage("CMS_BASE_CERT_ERROR", e.toString()));
+ }
+
+ }
+
+ /**
+ * Starts up this subsystem.
+ */
+ public void startup() throws EBaseException {
+ }
+
+ /**
+ * Shutdowns this subsystem.
+ */
+ public void shutdown() {
+ }
+
+ /**
+ * Returns the configuration store of this token.
+ */
+ public IConfigStore getConfigStore() {
+ return mConfig;
+ }
+
+ public static SymmetricKey buildSymmetricKeyWithInternalStorage(
+ String pin) throws EBaseException {
+ try {
+ return buildSymmetricKey(CryptoManager.getInstance().getInternalKeyStorageToken(), pin);
+ } catch (Exception e) {
+ return null;
+ }
+ }
+
+ /**
+ * Builds symmetric key from the given password.
+ */
+ public static SymmetricKey buildSymmetricKey(CryptoToken token,
+ String pin) throws EBaseException {
+ try {
+
+ Password pass = new Password(pin.toCharArray());
+ KeyGenerator kg = null;
+
+ kg = token.getKeyGenerator(
+ PBEAlgorithm.PBE_SHA1_DES3_CBC);
+ byte salt[] = {0x01, 0x01, 0x01, 0x01,
+ 0x01, 0x01, 0x01, 0x01};
+ PBEKeyGenParams kgp = new PBEKeyGenParams(pass,
+ salt, 5);
+
+ pass.clear();
+ kg.initialize(kgp);
+ return kg.generate();
+ } catch (TokenException e) {
+ throw new EBaseException(CMS.getUserMessage("CMS_BASE_INVALID_KEY_1",
+ "buildSymmetricKey:" +
+ e.toString()));
+ } catch (NoSuchAlgorithmException e) {
+ throw new EBaseException(CMS.getUserMessage("CMS_BASE_INVALID_KEY_1",
+ "buildSymmetricKey:" +
+ e.toString()));
+ } catch (InvalidAlgorithmParameterException e) {
+ throw new EBaseException(CMS.getUserMessage("CMS_BASE_INVALID_KEY_1",
+ "buildSymmetricKey:" +
+ e.toString()));
+ } catch (CharConversionException e) {
+ throw new EBaseException(CMS.getUserMessage("CMS_BASE_INVALID_KEY_1",
+ "buildSymmetricKey:" +
+ e.toString()));
+ }
+ }
+
+ /**
+ * Unwraps the storage key with the given symmetric key.
+ */
+ public static PrivateKey unwrapStorageKey(CryptoToken token,
+ SymmetricKey sk, byte wrapped[],
+ PublicKey pubKey)
+ throws EBaseException {
+ try {
+
+ KeyWrapper wrapper = token.getKeyWrapper(
+ KeyWrapAlgorithm.DES3_CBC_PAD);
+ byte iv[] = {0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1};
+/*
+ org.mozilla.jss.pkcs11.PK11SecureRandom random =
+ new org.mozilla.jss.pkcs11.PK11SecureRandom();
+ random.nextBytes(iv);
+*/
+
+
+ wrapper.initUnwrap(sk, new IVParameterSpec(iv));
+
+ // XXX - it does not like the public key that is
+ // not a crypto X509Certificate
+ PrivateKey pk = wrapper.unwrapTemporaryPrivate(wrapped,
+ PrivateKey.RSA, pubKey);
+
+ return pk;
+ } catch (TokenException e) {
+ throw new EBaseException(CMS.getUserMessage("CMS_BASE_INVALID_KEY_1",
+ "unwrapStorageKey:" +
+ e.toString()));
+ } catch (NoSuchAlgorithmException e) {
+ throw new EBaseException(CMS.getUserMessage("CMS_BASE_INVALID_KEY_1",
+ "unwrapStorageKey:" +
+ e.toString()));
+ } catch (InvalidKeyException e) {
+ throw new EBaseException(CMS.getUserMessage("CMS_BASE_INVALID_KEY_1",
+ "unwrapStorageKey:" +
+ e.toString()));
+ } catch (InvalidAlgorithmParameterException e) {
+ throw new EBaseException(CMS.getUserMessage("CMS_BASE_INVALID_KEY_1",
+ "unwrapStorageKey:" +
+ e.toString()));
+ }
+ }
+
+ /**
+ * Used by config-cert.
+ */
+ public static byte[] wrapStorageKey(CryptoToken token,
+ SymmetricKey sk, PrivateKey pri)
+ throws EBaseException {
+ try {
+ // move public & private to config/storage.dat
+ // delete private key
+ KeyWrapper wrapper = token.getKeyWrapper(
+ KeyWrapAlgorithm.DES3_CBC_PAD);
+
+ // next to randomly generate a symmetric
+ // password
+ byte iv[] = {0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1};
+
+ wrapper.initWrap(sk, new IVParameterSpec(iv));
+ return wrapper.wrap(pri);
+ } catch (TokenException e) {
+ throw new EBaseException(CMS.getUserMessage("CMS_BASE_INVALID_KEY_1",
+ "wrapStorageKey:" +
+ e.toString()));
+ } catch (NoSuchAlgorithmException e) {
+ throw new EBaseException(CMS.getUserMessage("CMS_BASE_INVALID_KEY_1",
+ "wrapStorageKey:" +
+ e.toString()));
+ } catch (InvalidKeyException e) {
+ throw new EBaseException(CMS.getUserMessage("CMS_BASE_INVALID_KEY_1",
+ "wrapStorageKey:" +
+ e.toString()));
+ } catch (InvalidAlgorithmParameterException e) {
+ throw new EBaseException(CMS.getUserMessage("CMS_BASE_INVALID_KEY_1",
+ "wrapStorageKey:" +
+ e.toString()));
+ }
+ }
+
+ /**
+ * Logins to this token.
+ */
+ public void login(String pin) throws EBaseException {
+ if (mConfig.getString(PROP_HARDWARE, null) != null) {
+ try {
+ getToken().login(new Password(pin.toCharArray()));
+ PrivateKey pk[] = getToken().getCryptoStore().getPrivateKeys();
+
+ for (int i = 0; i < pk.length; i++) {
+ if (arraysEqual(pk[i].getUniqueID(),
+ ((TokenCertificate) mCert).getUniqueID())) {
+ mPrivateKey = pk[i];
+ }
+ }
+ } catch (Exception e) {
+ mKRA.log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_KRA_STORAGE_LOGIN", e.toString()));
+ }
+
+ } else {
+ try {
+ SymmetricKey sk = buildSymmetricKey(mToken, pin);
+
+ mPrivateKey = unwrapStorageKey(mToken, sk,
+ mPrivateKeyData, getPublicKey());
+ } catch (Exception e) {
+ mKRA.log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_KRA_STORAGE_LOGIN", e.toString()));
+ }
+ if (mPrivateKey == null) {
+ mPrivateKey = getPrivateKey();
+ }
+ }
+ }
+
+ /**
+ * Logins to this token.
+ */
+ public void login(Credential creds[])
+ throws EBaseException {
+ String pwd = constructPassword(creds);
+
+ login(pwd);
+ }
+
+ /**
+ * Logout from this token.
+ */
+ public void logout() {
+ try {
+ if (mConfig.getString(PROP_HARDWARE, null) != null) {
+ if (mConfig.getBoolean(PROP_LOGOUT, false)) {
+ getToken().logout();
+ }
+ }
+ } catch (Exception e) {
+ mKRA.log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_KRA_STORAGE_LOGOUT", e.toString()));
+
+ }
+ mPrivateKey = null;
+ }
+
+ /**
+ * Returns a list of recovery agent identifiers.
+ */
+ public Enumeration getAgentIdentifiers() {
+ Vector v = new Vector();
+
+ for (int i = 0;; i++) {
+ try {
+ String uid =
+ mStorageConfig.getString(PROP_UID + i);
+
+ if (uid == null)
+ break;
+ v.addElement(uid);
+ } catch (EBaseException e) {
+ break;
+ }
+ }
+ return v.elements();
+ }
+
+ /**
+ * Changes agent password.
+ */
+ public boolean changeAgentPassword(String id, String oldpwd,
+ String newpwd) throws EBaseException {
+ // locate the id(s)
+ for (int i = 0;; i++) {
+ try {
+ String uid =
+ mStorageConfig.getString(PROP_UID + i);
+
+ if (uid == null)
+ break;
+ if (id.equals(uid)) {
+ byte share[] = decryptShareWithInternalStorage(mStorageConfig.getString(PROP_SHARE + i), oldpwd);
+
+ mStorageConfig.putString(PROP_SHARE + i,
+ encryptShareWithInternalStorage(
+ share, newpwd));
+ mStorageConfig.commit(false);
+ return true;
+ }
+ } catch (Exception e) {
+ break;
+ }
+ }
+ return false;
+ }
+
+ /**
+ * Changes the m out of n recovery schema.
+ */
+ public boolean changeAgentMN(int new_n, int new_m,
+ Credential oldcreds[],
+ Credential newcreds[])
+ throws EBaseException {
+
+ if (new_n != newcreds.length) {
+ throw new EKRAException(CMS.getUserMessage("CMS_KRA_INVALID_N"));
+ }
+
+ // XXX - verify and construct original password
+ String secret = constructPassword(oldcreds);
+
+ // XXX - remove extra configuration
+ for (int j = new_n; j < getNoOfAgents(); j++) {
+ mStorageConfig.remove(PROP_UID + j);
+ mStorageConfig.remove(PROP_SHARE + j);
+ }
+
+ // XXX - split pwd into n pieces
+ byte shares[][] = new byte[newcreds.length][];
+
+ IShare s = null;
+ try {
+ String className = mConfig.getString("share_class",
+ "com.netscape.cms.shares.OldShare");
+ s = (IShare)Class.forName(className).newInstance();
+ } catch (Exception e) {
+ CMS.debug("Loading Shares error " + e);
+ }
+ if (s == null) {
+ CMS.debug("Share plugin is not found");
+ return false;
+ }
+
+ try {
+ s.initialize(secret.getBytes(), new_m);
+ } catch (Exception e) {
+ CMS.debug("Failed to initialize Share plugin");
+ return false;
+ }
+
+ for (int i = 0; i < newcreds.length; i++) {
+ byte share[] = s.createShare(i + 1);
+
+ shares[i] = share;
+ }
+
+ // store the new shares into configuration
+ mStorageConfig.putInteger(PROP_N, new_n);
+ mStorageConfig.putInteger(PROP_M, new_m);
+ for (int i = 0; i < newcreds.length; i++) {
+ mStorageConfig.putString(PROP_UID + i,
+ newcreds[i].getIdentifier());
+ // use password to encrypt shares...
+ mStorageConfig.putString(PROP_SHARE + i,
+ encryptShareWithInternalStorage(shares[i],
+ newcreds[i].getPassword()));
+ }
+
+ try {
+ mStorageConfig.commit(false);
+ return true;
+ } catch (EBaseException e) {
+ mKRA.log(ILogger.LL_FAILURE,
+ CMS.getLogMessage("CMSCORE_KRA_STORAGE_CHANGE_MN", e.toString()));
+ }
+ return false;
+ }
+
+ /**
+ * Returns number of recovery agents.
+ */
+ public int getNoOfAgents() throws EBaseException {
+ return mStorageConfig.getInteger(PROP_N);
+ }
+
+ /**
+ * Returns number of recovery agents required for
+ * recovery operation.
+ */
+ public int getNoOfRequiredAgents() throws EBaseException {
+ return mStorageConfig.getInteger(PROP_M);
+ }
+
+ public CryptoToken getInternalToken() {
+ try {
+ return CryptoManager.getInstance().getInternalKeyStorageToken();
+ } catch (Exception e) {
+ return null;
+ }
+ }
+
+ public CryptoToken getToken() {
+ try {
+ if (mConfig.getString(PROP_HARDWARE, null) != null) {
+ return mManager.getTokenByName(mConfig.getString(PROP_HARDWARE));
+ } else {
+ return CryptoManager.getInstance().getInternalKeyStorageToken();
+ }
+ } catch (Exception e) {
+ return null;
+ }
+ }
+
+ /**
+ * Returns the certificate blob.
+ */
+ public PublicKey getPublicKey() {
+ // NEED to move this key into internal storage token.
+ return mCert.getPublicKey();
+ }
+
+ public PrivateKey getPrivateKey() {
+
+ if (!mKeySplitting) {
+ try {
+ PrivateKey pk[] = getToken().getCryptoStore().getPrivateKeys();
+ for (int i = 0; i < pk.length; i++) {
+ if (arraysEqual(pk[i].getUniqueID(),
+ ((TokenCertificate) mCert).getUniqueID())) {
+ return pk[i];
+ }
+ }
+ } catch (TokenException e) {
+ }
+ return null;
+ } else {
+ return mPrivateKey;
+ }
+ }
+
+ /**
+ * Verifies the integrity of the given key pairs.
+ */
+ public void verify(byte publicKey[], PrivateKey privateKey)
+ throws EBaseException {
+ // XXX
+ }
+
+ public static String encryptShareWithInternalStorage(
+ byte share[], String pwd)
+ throws EBaseException {
+ try {
+ return encryptShare(CryptoManager.getInstance().getInternalKeyStorageToken(), share, pwd);
+ } catch (Exception e) {
+ return null;
+ }
+ }
+
+ /**
+ * Protectes the share with the given password.
+ */
+ public static String encryptShare(CryptoToken token,
+ byte share[], String pwd)
+ throws EBaseException {
+ try {
+ Cipher cipher = token.getCipherContext(
+ EncryptionAlgorithm.DES3_CBC_PAD);
+ SymmetricKey sk = StorageKeyUnit.buildSymmetricKey(token, pwd);
+ byte iv[] = {0x01, 0x01, 0x01, 0x01, 0x01,
+ 0x01, 0x01, 0x01};
+
+ cipher.initEncrypt(sk, new IVParameterSpec(iv));
+ byte prev[] = preVerify(share);
+ byte enc[] = cipher.doFinal(prev);
+
+ // #615387 - cannot use CMS.BtoA because CMS is not present during
+ // configuration
+ return com.netscape.osutil.OSUtil.BtoA(enc).trim();
+ } catch (NoSuchAlgorithmException e) {
+ throw new EBaseException(CMS.getUserMessage("CMS_BASE_INVALID_KEY_1",
+ e.toString()));
+ } catch (TokenException e) {
+ throw new EBaseException(CMS.getUserMessage("CMS_BASE_INVALID_KEY_1",
+ e.toString()));
+ } catch (InvalidKeyException e) {
+ throw new EBaseException(CMS.getUserMessage("CMS_BASE_INVALID_KEY_1",
+ e.toString()));
+ } catch (InvalidAlgorithmParameterException e) {
+ throw new EBaseException(CMS.getUserMessage("CMS_BASE_INVALID_KEY_1",
+ e.toString()));
+ } catch (BadPaddingException e) {
+ throw new EBaseException(CMS.getUserMessage("CMS_BASE_INVALID_KEY_1",
+ e.toString()));
+ } catch (IllegalBlockSizeException e) {
+ throw new EBaseException(CMS.getUserMessage("CMS_BASE_INVALID_KEY_1",
+ e.toString()));
+ }
+ }
+
+ public static byte[] preVerify(byte share[]) {
+ byte data[] = new byte[share.length + 2];
+
+ data[0] = 0;
+ data[1] = 0;
+ for (int i = 0; i < share.length; i++) {
+ data[2 + i] = share[i];
+ }
+ return data;
+ }
+
+ public static boolean verifyShare(byte share[]) {
+ if (share[0] == 0 && share[1] == 0) {
+ return true;
+ } else {
+ return false;
+ }
+ }
+
+ public static byte[] postVerify(byte share[]) {
+ byte data[] = new byte[share.length - 2];
+
+ for (int i = 2; i < share.length; i++) {
+ data[i - 2] = share[i];
+ }
+ return data;
+ }
+
+ public void checkPassword(String userid, String pwd) throws EBaseException {
+ for (int i = 0;; i++) {
+ String uid = null;
+
+ try {
+ uid = mStorageConfig.getString(PROP_UID + i);
+ if (uid == null)
+ break;
+ } catch (Exception e) {
+ break;
+ }
+ if (uid.equals(userid)) {
+ byte data[] = decryptShareWithInternalStorage(
+ mStorageConfig.getString(PROP_SHARE + i),
+ pwd);
+ if (data == null) {
+ throw new EBaseException(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL"));
+ }
+ return;
+ }
+ }
+ throw new EBaseException(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL"));
+
+ }
+
+ public static byte[] decryptShareWithInternalStorage(
+ String encoding, String pwd)
+ throws EBaseException {
+ try {
+ return decryptShare(CryptoManager.getInstance().getInternalKeyStorageToken(), encoding, pwd);
+ } catch (Exception e) {
+ return null;
+ }
+ }
+
+ /**
+ * Decrypts shares with the given password.
+ */
+ public static byte[] decryptShare(CryptoToken token,
+ String encoding, String pwd)
+ throws EBaseException {
+ try {
+ byte share[] = CMS.AtoB(encoding);
+ Cipher cipher = token.getCipherContext(
+ EncryptionAlgorithm.DES3_CBC_PAD);
+ SymmetricKey sk = StorageKeyUnit.buildSymmetricKey(
+ token, pwd);
+ byte iv[] = {0x01, 0x01, 0x01, 0x01, 0x01,
+ 0x01, 0x01, 0x01};
+
+ cipher.initDecrypt(sk, new IVParameterSpec(iv));
+ byte dec[] = cipher.doFinal(share);
+
+ if (dec == null || !verifyShare(dec)) {
+ // invalid passwod
+ throw new EBaseException(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL"));
+ }
+ return postVerify(dec);
+ } catch (OutOfMemoryError e) {
+ // XXX - this happens in cipher.doFinal when
+ // the given share is not valid (the password
+ // given from the agent is not correct).
+ // Actulla, cipher.doFinal should return
+ // something better than this!
+ //
+ // e.printStackTrace();
+ //
+ throw new EBaseException(CMS.getUserMessage("CMS_KRA_INVALID_PASSWORD",
+ e.toString()));
+ } catch (TokenException e) {
+ throw new EBaseException(CMS.getUserMessage("CMS_KRA_INVALID_PASSWORD",
+ e.toString()));
+ } catch (NoSuchAlgorithmException e) {
+ throw new EBaseException(CMS.getUserMessage("CMS_KRA_INVALID_PASSWORD",
+ e.toString()));
+ } catch (InvalidKeyException e) {
+ throw new EBaseException(CMS.getUserMessage("CMS_KRA_INVALID_PASSWORD",
+ e.toString()));
+ } catch (InvalidAlgorithmParameterException e) {
+ throw new EBaseException(CMS.getUserMessage("CMS_KRA_INVALID_PASSWORD",
+ e.toString()));
+ } catch (IllegalBlockSizeException e) {
+ throw new EBaseException(CMS.getUserMessage("CMS_KRA_INVALID_PASSWORD",
+ e.toString()));
+ } catch (BadPaddingException e) {
+ throw new EBaseException(CMS.getUserMessage("CMS_KRA_INVALID_PASSWORD",
+ e.toString()));
+ }
+ }
+
+ /**
+ * Reconstructs password from recovery agents.
+ */
+ private String constructPassword(Credential creds[])
+ throws EBaseException {
+ // sort the credential according to the order in
+ // configuration file
+ Hashtable v = new Hashtable();
+
+ for (int i = 0;; i++) {
+ String uid = null;
+
+ try {
+ uid = mStorageConfig.getString(PROP_UID + i);
+ if (uid == null)
+ break;
+ } catch (Exception e) {
+ break;
+ }
+ for (int j = 0; j < creds.length; j++) {
+ if (uid.equals(creds[j].getIdentifier())) {
+ byte pwd[] = decryptShareWithInternalStorage(
+ mStorageConfig.getString(
+ PROP_SHARE + i),
+ creds[j].getPassword());
+ if (pwd == null) {
+ throw new EBaseException(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL"));
+ }
+ v.put(Integer.toString(i), pwd);
+ break;
+ }
+ }
+ }
+
+ if (v.size() < 0) {
+ throw new EBaseException(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL"));
+ }
+
+ if (v.size() != creds.length) {
+ throw new EBaseException(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL"));
+ }
+
+ IJoinShares j = null;
+ try {
+ String className = mConfig.getString("joinshares_class",
+ "com.netscape.cms.shares.OldJoinShares");
+ j = (IJoinShares)Class.forName(className).newInstance();
+ } catch (Exception e) {
+ CMS.debug("JoinShares error " + e);
+ }
+ if (j == null) {
+ CMS.debug("JoinShares plugin is not found");
+ throw new EBaseException(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL"));
+ }
+
+ try {
+ j.initialize(v.size());
+ } catch (Exception e) {
+ CMS.debug("Failed to initialize JoinShares");
+ throw new EBaseException(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL"));
+ }
+ Enumeration e = v.keys();
+
+ while (e.hasMoreElements()) {
+ String next = (String) e.nextElement();
+
+ j.addShare(Integer.parseInt(next) + 1,
+ (byte[]) v.get(next));
+ }
+ try {
+ byte secret[] = j.recoverSecret();
+ String pwd = new String(secret);
+
+ return pwd;
+ } catch (Exception ee) {
+ mKRA.log(ILogger.LL_FAILURE,
+ CMS.getLogMessage("CMSCORE_KRA_STORAGE_RECONSTRUCT", e.toString()));
+ throw new EBaseException(CMS.getUserMessage("CMS_KRA_INVALID_PASSWORD",
+ ee.toString()));
+ }
+ }
+
+ public static boolean arraysEqual(byte[] bytes, byte[] ints) {
+ if (bytes == null || ints == null) {
+ return false;
+ }
+
+ if (bytes.length != ints.length) {
+ return false;
+ }
+
+ for (int i = 0; i < bytes.length; i++) {
+ if (bytes[i] != ints[i]) {
+ return false;
+ }
+ }
+ return true;
+ }
+
+}
diff --git a/pki/base/kra/src/com/netscape/kra/TokenKeyRecoveryService.java b/pki/base/kra/src/com/netscape/kra/TokenKeyRecoveryService.java
new file mode 100644
index 000000000..daafb8b7f
--- /dev/null
+++ b/pki/base/kra/src/com/netscape/kra/TokenKeyRecoveryService.java
@@ -0,0 +1,532 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2007 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.kra;
+
+
+import java.util.*;
+import java.io.*;
+import java.net.*;
+import java.math.*;
+import java.security.*;
+import java.security.cert.*;
+import java.security.KeyPair;
+import netscape.security.util.*;
+import netscape.security.pkcs.*;
+import netscape.security.x509.*;
+import netscape.security.x509.X500Name;
+
+import com.netscape.cmscore.util.*;
+import com.netscape.certsrv.logging.*;
+import com.netscape.certsrv.base.*;
+
+import com.netscape.certsrv.dbs.*;
+import com.netscape.certsrv.security.*;
+import com.netscape.certsrv.kra.*;
+import com.netscape.certsrv.apps.*;
+import com.netscape.certsrv.dbs.repository.*;
+import com.netscape.certsrv.dbs.keydb.*;
+import com.netscape.cmscore.cert.*;
+import com.netscape.cmscore.dbs.*;
+import com.netscape.cmscore.dbs.*;
+import com.netscape.certsrv.request.*;
+import com.netscape.certsrv.authentication.*;
+import com.netscape.cmsutil.util.*;
+
+import org.mozilla.jss.*;
+import org.mozilla.jss.crypto.*;
+import org.mozilla.jss.util.*;
+import org.mozilla.jss.CryptoManager;
+import org.mozilla.jss.asn1.*;
+import org.mozilla.jss.crypto.PBEAlgorithm;
+import org.mozilla.jss.pkix.primitive.*;
+import org.mozilla.jss.pkcs11.*;
+
+
+/**
+ * A class represents recovery request processor.
+ * @author Christina Fu (cfu)
+ * @version $Revision: 14563 $, $Date: 2007-05-01 10:35:23 -0700 (Tue, 01 May 2007) $
+ */
+public class TokenKeyRecoveryService implements IService {
+
+ public static final String ATTR_NICKNAME = "nickname";
+ public static final String ATTR_OWNER_NAME = "ownerName";
+ public static final String ATTR_PUBLIC_KEY_DATA = "publicKeyData";
+ public static final String ATTR_PRIVATE_KEY_DATA = "privateKeyData";
+ public static final String ATTR_TRANSPORT_CERT = "transportCert";
+ public static final String ATTR_TRANSPORT_PWD = "transportPwd";
+ public static final String ATTR_SIGNING_CERT = "signingCert";
+ public static final String ATTR_PKCS12 = "pkcs12";
+ public static final String ATTR_ENCRYPTION_CERTS =
+ "encryptionCerts";
+ public static final String ATTR_AGENT_CREDENTIALS =
+ "agentCredentials";
+ // same as encryption certs
+ public static final String ATTR_USER_CERT = "cert";
+ public static final String ATTR_DELIVERY = "delivery";
+
+ private IKeyRecoveryAuthority mKRA = null;
+ private IKeyRepository mStorage = null;
+ private IStorageKeyUnit mStorageUnit = null;
+ private ITransportKeyUnit mTransportUnit = null;
+
+ private final static String
+ LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST =
+ "LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_4";
+
+ private final static String
+ LOGGING_SIGNED_AUDIT_KEY_RECOVERY_PROCESSED =
+ "LOGGING_SIGNED_AUDIT_KEY_RECOVERY_PROCESSED_4";
+ private ILogger mSignedAuditLogger = CMS.getSignedAuditLogger();
+
+ /**
+ * Constructs request processor.
+ */
+ public TokenKeyRecoveryService(IKeyRecoveryAuthority kra) {
+ mKRA = kra;
+ mStorage = mKRA.getKeyRepository();
+ mStorageUnit = mKRA.getStorageKeyUnit();
+ mTransportUnit = kra.getTransportKeyUnit();
+ }
+
+ /**
+ * Process the HTTP request.
+ *
+ * @param s The URL to decode
+ */
+ protected String URLdecode(String s) {
+ if (s == null)
+ return null;
+ ByteArrayOutputStream out = new ByteArrayOutputStream(s.length());
+
+ for (int i = 0; i < s.length(); i++) {
+ int c = (int) s.charAt(i);
+
+ if (c == '+') {
+ out.write(' ');
+ } else if (c == '%') {
+ int c1 = Character.digit(s.charAt(++i), 16);
+ int c2 = Character.digit(s.charAt(++i), 16);
+
+ out.write((char) (c1 * 16 + c2));
+ } else {
+ out.write(c);
+ }
+ } // end for
+ return out.toString();
+ }
+
+ public static String normalizeCertStr(String s) {
+ String val = "";
+
+ for (int i = 0; i < s.length(); i++) {
+ if (s.charAt(i) == '\\') {
+ i++;
+ continue;
+ } else if (s.charAt(i) == '\\') {
+ i++;
+ continue;
+ } else if (s.charAt(i) == '"') {
+ continue;
+ } else if (s.charAt(i) == ' ') {
+ continue;
+ }
+ val += s.charAt(i);
+ }
+ return val;
+ }
+
+ private static String base64Encode(byte[] bytes) throws IOException {
+ // All this streaming is lame, but Base64OutputStream needs a
+ // PrintStream
+ ByteArrayOutputStream output = new ByteArrayOutputStream();
+ Base64OutputStream b64 = new Base64OutputStream(new
+ PrintStream(new
+ FilterOutputStream(output)
+ )
+ );
+
+ b64.write(bytes);
+ b64.flush();
+
+ // This is internationally safe because Base64 chars are
+ // contained within 8859_1
+ return output.toString("8859_1");
+ }
+
+ // this encrypts bytes with a symmetric key
+ public byte[] encryptIt(byte[] toBeEncrypted, SymmetricKey symKey, CryptoToken token,
+ IVParameterSpec IV)
+ {
+ try {
+ Cipher cipher = token.getCipherContext(
+ EncryptionAlgorithm.DES3_CBC_PAD);
+
+ cipher.initEncrypt(symKey, IV);
+ byte pri[] = cipher.doFinal(toBeEncrypted);
+ return pri;
+ } catch (Exception e) {
+ CMS.debug("initEncrypt() threw exception: "+e.toString());
+ return null;
+ }
+
+ }
+
+
+ /**
+ * Processes a recovery request. The method reads
+ * the key record from the database, and tries to recover the
+ * key with the storage key unit. Once recovered, it wraps it
+ * with desKey
+ * In the params
+ * - cert is used for recovery record search
+ * - cuid may be used for additional validation check
+ * - userid may be used for additional validation check
+ * - wrappedDesKey is used for wrapping recovered private key
+ *
+ * @param request recovery request
+ * @return operation success or not
+ * @exception EBaseException failed to serve
+ */
+ public boolean serviceRequest(IRequest request) throws EBaseException {
+ String auditMessage = null;
+ String auditSubjectID = null;
+ String auditRequesterID = "TPSagent";
+ String auditRecoveryID = ILogger.UNIDENTIFIED;
+ String auditPublicKey = ILogger.UNIDENTIFIED;
+
+ CMS.debug("KRA services token key recovery request");
+
+ byte[] wrapped_des_key;
+
+ byte iv[] = {0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1};
+/*
+ org.mozilla.jss.pkcs11.PK11SecureRandom random =
+ new org.mozilla.jss.pkcs11.PK11SecureRandom();
+ random.nextBytes(iv);
+*/
+ String id = request.getRequestId().toString();
+ if (id != null) {
+ auditRecoveryID = id.trim();
+ }
+ SessionContext sContext = SessionContext.getContext();
+ String agentId="";
+ if (sContext != null) {
+ agentId =
+ (String) sContext.get(SessionContext.USER_ID);
+ }
+
+ Hashtable params = mKRA.getVolatileRequest(
+ request.getRequestId());
+
+
+ if (params == null) {
+ // possibly we are in recovery mode
+ CMS.debug("getVolatileRequest params null");
+ // return true;
+ }
+
+ wrapped_des_key = null;
+
+ PK11SymKey sk= null;
+
+ String rCUID = request.getExtDataInString(IRequest.NETKEY_ATTR_CUID);
+ String rUserid = request.getExtDataInString(IRequest.NETKEY_ATTR_USERID);
+ String rWrappedDesKeyString = request.getExtDataInString(IRequest.NETKEY_ATTR_DRMTRANS_DES_KEY);
+ auditSubjectID=rCUID+":"+rUserid;
+
+ CMS.debug("TokenKeyRecoveryService: received DRM-trans-wrapped des key ="+rWrappedDesKeyString);
+ wrapped_des_key = com.netscape.cmsutil.util.Utils.SpecialDecode(rWrappedDesKeyString);
+ CMS.debug("TokenKeyRecoveryService: wrapped_des_key specialDecoded");
+
+ if ((wrapped_des_key != null) &&
+ (wrapped_des_key.length > 0)) {
+
+ // unwrap the des key
+ sk = (PK11SymKey) mTransportUnit.unwrap_encrypt_sym(wrapped_des_key);
+
+ if (sk == null) {
+ CMS.debug("TokenKeyRecoveryService: no des key");
+ request.setExtData(IRequest.RESULT, Integer.valueOf(4));
+ } else {
+ CMS.debug("TokenKeyRecoveryService: received des key");
+ }
+ } else {
+ CMS.debug("TokenKeyRecoveryService: not receive des key");
+ request.setExtData(IRequest.RESULT, Integer.valueOf(4));
+ return false;
+ }
+
+ // retrieve based on Certificate
+ String cert_s = request.getExtDataInString(ATTR_USER_CERT);
+ if (cert_s == null) {
+ CMS.debug("TokenKeyRecoveryService: not receive cert");
+ request.setExtData(IRequest.RESULT, Integer.valueOf(3));
+ return false;
+ }
+
+ String cert = normalizeCertStr(cert_s);
+ java.security.cert.X509Certificate x509cert = null;
+ try {
+ x509cert= (java.security.cert.X509Certificate) Cert.mapCert(cert);
+ if (x509cert == null) {
+ CMS.debug("cert mapping failed");
+ request.setExtData(IRequest.RESULT, Integer.valueOf(5));
+ return false;
+ }
+ } catch (IOException e) {
+ CMS.debug("TokenKeyRecoveryService: mapCert failed");
+ request.setExtData(IRequest.RESULT, Integer.valueOf(6));
+ return false;
+ }
+
+ try {
+ /*
+ CryptoToken internalToken =
+ CryptoManager.getInstance().getInternalKeyStorageToken();
+ */
+ CryptoToken token = mStorageUnit.getToken();
+ CMS.debug("NetkeyKeygenService: got token slot:"+token.getName());
+ IVParameterSpec algParam = new IVParameterSpec(iv);
+
+ Cipher cipher = token.getCipherContext(EncryptionAlgorithm.DES3_CBC_PAD);
+
+
+ KeyRecord keyRecord = null;
+ CMS.debug( "KRA reading key record");
+ try {
+ keyRecord = (KeyRecord) mStorage.readKeyRecord(cert);
+ if (keyRecord != null)
+ CMS.debug("read key record");
+ else {
+ CMS.debug("key record not found");
+ request.setExtData(IRequest.RESULT, Integer.valueOf(8));
+ return false;
+ }
+ }catch (Exception e) {
+ com.netscape.cmscore.util.Debug.printStackTrace(e);
+ request.setExtData(IRequest.RESULT, Integer.valueOf(9));
+ return false;
+ }
+
+ // see if the owner name matches (cuid:userid) -XXX need make this optional
+ String owner = keyRecord.getOwnerName();
+ CMS.debug("TokenKeyRecoveryService: owner name on record =" +owner);
+ CMS.debug("TokenKeyRecoveryService: owner name from TPS =" +rCUID+":"+rUserid);
+ if (owner != null) {
+ if (owner.equals(rCUID+":"+rUserid)) {
+ CMS.debug("TokenKeyRecoveryService: owner name matches");
+ } else {
+ CMS.debug("TokenKeyRecoveryService: owner name mismatches");
+ }
+ }
+
+ // see if the certificate matches the key
+ byte pubData[] = keyRecord.getPublicKeyData();
+ byte inputPubData[] = x509cert.getPublicKey().getEncoded();
+
+ if (inputPubData.length != pubData.length) {
+ mKRA.log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_KRA_PUBLIC_KEY_LEN"));
+ throw new EKRAException(
+ CMS.getUserMessage("CMS_KRA_PUBLIC_KEY_NOT_MATCHED"));
+ }
+
+ for (int i = 0; i < pubData.length; i++) {
+ if (pubData[i] != inputPubData[i]) {
+ mKRA.log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_KRA_PUBLIC_KEY_LEN"));
+ throw new EKRAException(
+ CMS.getUserMessage("CMS_KRA_PUBLIC_KEY_NOT_MATCHED"));
+ }
+ }
+
+ // Unwrap the archived private key
+ byte privateKeyData[] = null;
+ privateKeyData = recoverKey(params, keyRecord);
+ if (privateKeyData == null) {
+ request.setExtData(IRequest.RESULT, Integer.valueOf(4));
+ CMS.debug("NetkeyKeygenService: failed getting private key");
+ return false;
+ }
+ CMS.debug("NetkeyKeygenService: got private key...about to verify");
+
+ /* LunaSA returns data with padding which we need to remove */
+ ByteArrayInputStream dis = new ByteArrayInputStream(privateKeyData);
+ DerValue dv = new DerValue(dis);
+ byte p[] = dv.toByteArray();
+ int l = p.length;
+ CMS.debug("length different data length=" + l +
+ " real length=" + privateKeyData.length );
+ if (l != privateKeyData.length) {
+ privateKeyData = p;
+ }
+
+ if (verifyKeyPair(pubData, privateKeyData) == false) {
+ mKRA.log(ILogger.LL_FAILURE,
+ CMS.getLogMessage("CMSCORE_KRA_PUBLIC_NOT_FOUND"));
+ throw new EKRAException(
+ CMS.getUserMessage("CMS_KRA_INVALID_PUBLIC_KEY"));
+ } else {
+ CMS.debug("NetkeyKeygenService: private key verified with public key");
+ }
+
+ //encrypt and put in private key
+ cipher.initEncrypt(sk, algParam);
+ byte wrapped[] = cipher.doFinal(privateKeyData);
+
+ String wrappedPrivKeyString =
+ com.netscape.cmsutil.util.Utils.SpecialEncode(wrapped);
+ if (wrappedPrivKeyString == null) {
+ request.setExtData(IRequest.RESULT, Integer.valueOf(4));
+ CMS.debug("NetkeyKeygenService: failed generating wrapped private key");
+ return false;
+ } else {
+ CMS.debug("NetkeyKeygenService: got private key data wrapped");
+ request.setExtData("wrappedUserPrivate",
+ wrappedPrivKeyString);
+ request.setExtData(IRequest.RESULT, Integer.valueOf(1));
+ CMS.debug( "NetkeyKeygenService: key for " +rCUID+":"+rUserid +" recovered");
+ }
+
+ //convert and put in the public key
+ String b64PKey = base64Encode(pubData);
+
+ auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST,
+ auditSubjectID,
+ ILogger.SUCCESS,
+ auditRecoveryID,
+ b64PKey);
+
+ audit(auditMessage);
+
+ if (b64PKey == null) {
+ request.setExtData(IRequest.RESULT, Integer.valueOf(4));
+ CMS.debug("NetkeyKeygenService: failed getting publickey encoded");
+ return false;
+ } else {
+ CMS.debug("NetkeyKeygenService: got publicKeyData b64 = "+
+ b64PKey);
+ }
+ request.setExtData("public_key", b64PKey);
+ auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_KEY_RECOVERY_PROCESSED,
+ auditSubjectID,
+ ILogger.SUCCESS,
+ auditRecoveryID,
+ agentId);
+
+ audit(auditMessage);
+
+ return true;
+
+ } catch (Exception e) {
+ CMS.debug("TokenKeyRecoveryService: " + e.toString());
+ request.setExtData(IRequest.RESULT, Integer.valueOf(4));
+ }
+
+ return true;
+ }
+
+ public boolean verifyKeyPair(byte publicKeyData[], byte privateKeyData[])
+ {
+ try {
+ DerValue publicKeyVal = new DerValue(publicKeyData);
+ DerInputStream publicKeyIn = publicKeyVal.data;
+ publicKeyIn.getSequence(0);
+ DerValue publicKeyDer = new DerValue(publicKeyIn.getBitString());
+ DerInputStream publicKeyDerIn = publicKeyDer.data;
+ BigInt publicKeyModulus = publicKeyDerIn.getInteger();
+ BigInt publicKeyExponent = publicKeyDerIn.getInteger();
+
+ DerValue privateKeyVal = new DerValue(privateKeyData);
+ if (privateKeyVal.tag != DerValue.tag_Sequence)
+ return false;
+ DerInputStream privateKeyIn = privateKeyVal.data;
+ privateKeyIn.getInteger();
+ privateKeyIn.getSequence(0);
+ DerValue privateKeyDer = new DerValue(privateKeyIn.getOctetString());
+ DerInputStream privateKeyDerIn = privateKeyDer.data;
+ BigInt privateKeyVersion = privateKeyDerIn.getInteger();
+ BigInt privateKeyModulus = privateKeyDerIn.getInteger();
+ BigInt privateKeyExponent = privateKeyDerIn.getInteger();
+
+ if (!publicKeyModulus.equals(privateKeyModulus)) {
+ CMS.debug("verifyKeyPair modulus mismatch publicKeyModulus=" + publicKeyModulus + " privateKeyModulus=" + privateKeyModulus);
+ return false;
+ }
+
+ if (!publicKeyExponent.equals(privateKeyExponent)) {
+ CMS.debug("verifyKeyPair exponent mismatch publicKeyExponent=" + publicKeyExponent + " privateKeyExponent=" + privateKeyExponent);
+ return false;
+ }
+
+ return true;
+ } catch (Exception e) {
+ CMS.debug("verifyKeyPair error " + e);
+ return false;
+ }
+ }
+
+ /**
+ * Recovers key.
+ */
+ public synchronized byte[] recoverKey(Hashtable request, KeyRecord keyRecord)
+ throws EBaseException {
+ /*
+ Credential creds[] = (Credential[])
+ request.get(ATTR_AGENT_CREDENTIALS);
+
+ mStorageUnit.login(creds);
+ */
+ CMS.debug( "KRA decrypts internal private");
+ byte privateKeyData[] =
+ mStorageUnit.decryptInternalPrivate(
+ keyRecord.getPrivateKeyData());
+ /*
+ mStorageUnit.logout();
+ */
+ if (privateKeyData == null) {
+ mKRA.log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_KRA_PRIVATE_KEY_NOT_FOUND"));
+ throw new EKRAException(CMS.getUserMessage("CMS_KRA_RECOVERY_FAILED_1", "no private key"));
+ }
+ return privateKeyData;
+ }
+ /**
+ * Signed Audit Log
+ *y
+ * This method is called to store messages to the signed audit log.
+ * <P>
+ *
+ * @param msg signed audit log message
+ */
+ private void audit(String msg) {
+ // in this case, do NOT strip preceding/trailing whitespace
+ // from passed-in String parameters
+
+ if (mSignedAuditLogger == null) {
+ return;
+ }
+
+ mSignedAuditLogger.log(ILogger.EV_SIGNED_AUDIT,
+ null,
+ ILogger.S_SIGNED_AUDIT,
+ ILogger.LL_SECURITY,
+ msg);
+ }
+
+}
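Review bot: The owner-name check in serviceRequest only logs on a mismatch and then continues to unwrap and release the archived private key, so the `cuid:userid` binding carried in the request is never actually enforced; the `XXX need make this optional` comment suggests this was known, but as written the else-branch should at least fail the request, e.g. `request.setExtData(IRequest.RESULT, Integer.valueOf(4)); return false;` (or gate it on a config flag if optional behaviour is intended). The outer `catch (Exception e)` at the end of serviceRequest sets RESULT to 4 and then falls through to `return true;`, unlike every other failure path in the method that returns false, so a recovery that threw mid-way is reported to the caller as a success — that final statement should be `return false;`. The `iv` used to encrypt the recovered private key is a constant with the PK11SecureRandom generation commented out; since the DES key is supplied per request this is presumably not catastrophic, but a fresh IV per call would be the safer default. The debug line that prints the DRM-trans-wrapped DES key in full should also be reconsidered for production log levels.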
diff --git a/pki/base/kra/src/com/netscape/kra/TransportKeyUnit.java b/pki/base/kra/src/com/netscape/kra/TransportKeyUnit.java
new file mode 100644
index 000000000..2b852a0ca
--- /dev/null
+++ b/pki/base/kra/src/com/netscape/kra/TransportKeyUnit.java
@@ -0,0 +1,201 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2007 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.kra;
+
+import org.mozilla.jss.crypto.Signature;
+
+import java.util.*;
+import com.netscape.certsrv.security.*;
+import java.io.*;
+import java.net.*;
+import java.security.*;
+import java.security.cert.*;
+import java.security.cert.X509Certificate;
+import com.netscape.cmscore.cert.*;
+import netscape.security.x509.*;
+import netscape.security.provider.*;
+import netscape.security.util.*;
+import com.netscape.cmscore.util.*;
+import com.netscape.certsrv.base.*;
+import com.netscape.certsrv.kra.*;
+import com.netscape.certsrv.apps.CMS;
+import org.mozilla.jss.util.*;
+import org.mozilla.jss.crypto.*;
+import org.mozilla.jss.*;
+import org.mozilla.jss.crypto.PrivateKey;
+
+
+/**
+ * A class represents the transport key pair. This key pair
+ * is used to protected EE's private key in transit.
+ *
+ * @author thomask
+ * @version $Revision: 14563 $, $Date: 2007-05-01 10:35:23 -0700 (Tue, 01 May 2007) $
+ */
+public class TransportKeyUnit extends EncryptionUnit implements
+ ISubsystem, ITransportKeyUnit {
+
+ public static final String PROP_NICKNAME = "nickName";
+ private byte iv[] = {0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1};
+ private IVParameterSpec IV = null;
+
+ // private RSAPublicKey mPublicKey = null;
+ // private RSAPrivateKey mPrivateKey = null;
+ private IConfigStore mConfig = null;
+ private org.mozilla.jss.crypto.X509Certificate mCert = null;
+ private CryptoManager mManager = null;
+
+ /**
+ * Constructs this token.
+ */
+ public TransportKeyUnit() {
+ super();
+/*
+ org.mozilla.jss.pkcs11.PK11SecureRandom random =
+ new org.mozilla.jss.pkcs11.PK11SecureRandom();
+ random.nextBytes(iv);
+*/
+ IV = new IVParameterSpec(iv);
+ }
+
+ /**
+ * Retrieves subsystem identifier.
+ */
+ public String getId() {
+ return "transportKeyUnit";
+ }
+
+ /**
+ * Sets subsystem identifier.
+ */
+ public void setId(String id) throws EBaseException {
+ throw new EBaseException(CMS.getUserMessage("CMS_BASE_INVALID_OPERATION"));
+ }
+
+ /**
+ * Initializes this subsystem.
+ */
+ public void init(ISubsystem owner, IConfigStore config)
+ throws EBaseException {
+ mConfig = config;
+ try {
+ mManager = CryptoManager.getInstance();
+ mCert = mManager.findCertByNickname(getNickName());
+
+ // #613795 - initialize this; otherwise JSS is not happy
+ CryptoToken token = getToken();
+ SignatureAlgorithm sigalg =
+ SignatureAlgorithm.RSASignatureWithMD5Digest;
+ Signature signer = token.getSignatureContext(sigalg);
+ signer.initSign(getPrivateKey());
+
+
+ } catch (org.mozilla.jss.CryptoManager.NotInitializedException e) {
+ throw new EBaseException(CMS.getUserMessage("CMS_BASE_INTERNAL_ERROR", e.toString()));
+
+ } catch (TokenException e) {
+ throw new EBaseException(CMS.getUserMessage("CMS_BASE_INTERNAL_ERROR", e.toString()));
+ } catch (ObjectNotFoundException e) {
+ throw new EBaseException(CMS.getUserMessage("CMS_BASE_INTERNAL_ERROR", e.toString()));
+ } catch (Exception e) {
+ throw new EBaseException(CMS.getUserMessage("CMS_BASE_INTERNAL_ERROR", e.toString()));
+ }
+ }
+
+ public CryptoToken getInternalToken() {
+ try {
+ return CryptoManager.getInstance().getInternalKeyStorageToken();
+ } catch (Exception e) {
+ return null;
+ }
+ }
+
+ public CryptoToken getToken() {
+ // 390148: returning the token that owns the private
+ // key.
+ return getPrivateKey().getOwningToken();
+ }
+
+ /**
+ * Starts up this subsystem.
+ */
+ public void startup() throws EBaseException {
+ }
+
+ /**
+ * Shutdowns this subsystem.
+ */
+ public void shutdown() {
+ }
+
+ /**
+ * Returns the configuration store of this token.
+ */
+ public IConfigStore getConfigStore() {
+ return mConfig;
+ }
+
+ public String getNickName() throws EBaseException {
+ return mConfig.getString(PROP_NICKNAME);
+ }
+
+ public void setNickName(String str) throws EBaseException {
+ mConfig.putString(PROP_NICKNAME, str);
+ }
+
+ /**
+ * Logins to this token.
+ */
+ public void login(String pin) throws EBaseException {
+ }
+
+ /**
+ * Logout from this token.
+ */
+ public void logout() {
+ }
+
+ /**
+ * Retrieves public key.
+ */
+ public org.mozilla.jss.crypto.X509Certificate getCertificate() {
+ return mCert;
+ }
+
+ public PublicKey getPublicKey() {
+ return mCert.getPublicKey();
+ }
+
+ public PrivateKey getPrivateKey() {
+ try {
+ return mManager.findPrivKeyByCert(mCert);
+ } catch (TokenException e) {
+ return null;
+ } catch (ObjectNotFoundException e) {
+ return null;
+ }
+ }
+
+ /**
+ * Verifies the integrity of the given key pair.
+ */
+ public void verify(byte publicKey[], PrivateKey privateKey)
+ throws EBaseException {
+ // XXX
+ }
+}
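Review bot: getToken() dereferences the result of getPrivateKey() without a null check, and getPrivateKey() returns null on both TokenException and ObjectNotFoundException, so a missing or inaccessible transport key surfaces as a NullPointerException (in init() it is swallowed into a generic CMS_BASE_INTERNAL_ERROR with no indication of the cause). A guard such as `PrivateKey pk = getPrivateKey();` / `if (pk == null) throw new IllegalStateException("transport private key not found for nickname " + mConfig.getString(PROP_NICKNAME, null));` / `return pk.getOwningToken();` would give a diagnosable error. The signature context created in init() uses `SignatureAlgorithm.RSASignatureWithMD5Digest`; the comment says this only exists to initialize JSS (#613795), and if so a SHA-based algorithm should serve the same purpose without MD5 appearing in a key-unit initialization path — worth confirming against the original bug. The `IV` field is assigned in the constructor but never read anywhere in this file, and `login(String pin)` and `logout()` are empty; a one-line comment on each stating that the transport token needs no explicit login here would save the next reader from assuming these are unfinished.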