summaryrefslogtreecommitdiffstats
path: root/pki/base/ra
diff options
context:
space:
mode:
authormharmsen <mharmsen@c9f7a03b-bd48-0410-a16d-cbbf54688b0b>2010-01-21 23:17:26 +0000
committermharmsen <mharmsen@c9f7a03b-bd48-0410-a16d-cbbf54688b0b>2010-01-21 23:17:26 +0000
commit67ee705eafd9fb655f61732ba3c8ec2c869a409e (patch)
treed711e76cbd24198cb1247c2c72bbe72e7f40cb4d /pki/base/ra
parent77677d528c57e0648ee149176fa87447c25292b0 (diff)
downloadpki-67ee705eafd9fb655f61732ba3c8ec2c869a409e.tar.gz
pki-67ee705eafd9fb655f61732ba3c8ec2c869a409e.tar.xz
pki-67ee705eafd9fb655f61732ba3c8ec2c869a409e.zip
Bugzilla Bug #512234 - Move pkiuser:pkiuser check from spec file into pkicreate . . .
Bugzilla Bug #547471 - Apply PKI SELinux changes to PKI registry model Bugzilla Bug #553076 - Apply "registry" logic to pki-ra . . . Bugzilla Bug #553078 - Apply "registry" logic to pki-tps . . . git-svn-id: svn+ssh://svn.fedorahosted.org/svn/pki/trunk@933 c9f7a03b-bd48-0410-a16d-cbbf54688b0b
Diffstat (limited to 'pki/base/ra')
-rw-r--r--pki/base/ra/apache/conf/httpd.conf2
-rw-r--r--pki/base/ra/build.xml16
-rwxr-xr-xpki/base/ra/etc/init.d/httpd758
-rwxr-xr-xpki/base/ra/etc/init.d/pki-rad1415
-rwxr-xr-xpki/base/ra/setup/postinstall66
5 files changed, 1428 insertions, 829 deletions
diff --git a/pki/base/ra/apache/conf/httpd.conf b/pki/base/ra/apache/conf/httpd.conf
index 4e6d2151f..1312f0822 100644
--- a/pki/base/ra/apache/conf/httpd.conf
+++ b/pki/base/ra/apache/conf/httpd.conf
@@ -78,7 +78,7 @@ ServerRoot "[SERVER_ROOT]"
# identification number when it starts.
#
<IfModule !mpm_netware.c>
-PidFile logs/[INSTANCE_ID].pid
+PidFile run/[INSTANCE_ID].pid
</IfModule>
#
diff --git a/pki/base/ra/build.xml b/pki/base/ra/build.xml
index 499ce45af..3a303fecc 100644
--- a/pki/base/ra/build.xml
+++ b/pki/base/ra/build.xml
@@ -154,12 +154,16 @@
<include name="scripts/schema.sql"/>
<include name="setup/config.desktop"/>
</zipfileset>
+ <zipfileset dir="./etc/init.d"
+ filemode="755"
+ prefix="etc/${init.d}">
+ <include name="pki-rad"/>
+ </zipfileset>
<zipfileset dir="."
filemode="755"
prefix="usr/share/${product.prefix}/${product}">
- <include name="etc/**"/>
<include name="scripts/nss_pcache"/>
- <include name="setup/postinstall"/>
+ <exclude name="etc/init.d/pki-rad"/>
</zipfileset>
<zipfileset dir="./forms"
filemode="755"
@@ -202,12 +206,16 @@
<include name="scripts/schema.sql"/>
<include name="setup/config.desktop"/>
</tarfileset>
+ <tarfileset dir="./etc/init.d"
+ mode="755"
+ prefix="${dist.name}/etc/${init.d}">
+ <include name="pki-rad"/>
+ </tarfileset>
<tarfileset dir="."
mode="755"
prefix="${dist.name}/usr/share/${product.prefix}/${product}">
- <include name="etc/**"/>
<include name="scripts/nss_pcache"/>
- <include name="setup/postinstall"/>
+ <exclude name="etc/init.d/pki-rad"/>
</tarfileset>
<tarfileset dir="./forms"
mode="755"
diff --git a/pki/base/ra/etc/init.d/httpd b/pki/base/ra/etc/init.d/httpd
deleted file mode 100755
index 4f18cd136..000000000
--- a/pki/base/ra/etc/init.d/httpd
+++ /dev/null
@@ -1,758 +0,0 @@
-#!/bin/bash
-#
-# --- BEGIN COPYRIGHT BLOCK ---
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation; version 2 of the License.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License along
-# with this program; if not, write to the Free Software Foundation, Inc.,
-# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-#
-# Copyright (C) 2007 Red Hat, Inc.
-# All rights reserved.
-# --- END COPYRIGHT BLOCK ---
-#
-# [INSTANCE_ID] Startup script for the Apache HTTP Server
-#
-# chkconfig: - 86 14
-# description: Registration Authority \
-# (Apache 2.2)
-# processname: [INSTANCE_ID]
-# config: [HTTPD_CONF]
-# pidfile: [SERVER_ROOT]/logs/[INSTANCE_ID].pid
-
-# Disallow 'others' the ability to 'write' to new files
-umask 00002
-
-# Check to insure that this script's original invocation directory
-# has not been deleted!
-CWD=`/bin/pwd > /dev/null 2>&1`
-if [ $? -ne 0 ] ; then
- echo "Cannot invoke '$0' from non-existent directory!"
- exit 255
-fi
-
-# Check to insure that this script's associated PKI
-# subsystem currently resides on this system.
-SUBSYSTEM_TYPE=[SUBSYSTEM_TYPE]
-if [ ! -d /usr/share/pki/${SUBSYSTEM_TYPE} ] ; then
- echo "This machine is missing the '${SUBSYSTEM_TYPE}' subsystem!"
- exit 255
-fi
-
-# Obtain the operating system upon which this script is being executed
-OS=`uname -s`
-ARCHITECTURE=""
-
-# Time to wait in seconds, before killing process
-#
-# NOTE: Defined in "tomcat5.conf" for other PKI Subsystems.
-#
-STARTUP_WAIT=30
-SHUTDOWN_WAIT=30
-
-# This script must be run as root!
-RV=0
-if [ ${OS} = "Linux" ] ; then
- if [ `id -u` -ne 0 ] ; then
- echo "Must be 'root' to execute '$0'!"
- exit 1
- fi
- ARCHITECTURE=`uname -i`
-elif [ ${OS} = "SunOS" ] ; then
- if [ `/usr/xpg4/bin/id -u` -ne 0 ] ; then
- echo "Must be 'root' to execute '$0'!"
- exit 1
- fi
- ARCHITECTURE=`uname -p`
- if [ "${ARCHITECTURE}" = "sparc" ] &&
- [ -d "/usr/lib/sparcv9/" ] ; then
- ARCHITECTURE="sparcv9"
- fi
-else
- echo "Unsupported OS '${OS}'!"
- exit 1
-fi
-
-# Initialize environment variables
-LD_LIBRARY_PATH=[SYSTEM_USER_LIBRARIES]:[SYSTEM_LIBRARIES]:${LD_LIBRARY_PATH}
-LD_LIBRARY_PATH=[SECURITY_LIBRARIES]:${LD_LIBRARY_PATH}
-export LD_LIBRARY_PATH
-
-# Source function library.
-if [ -f /etc/init.d/functions ]; then
- . /etc/init.d/functions
-else
- # The checkpid() function is provided for platforms that do not
- # contain the "/etc/init.d/functions" file (e. g. - Solaris) . . .
-
- # Check if ${pid} (could be plural) are running (keep count)
- checkpid()
- {
- rv=0
- for i in $* ; do
- ps -p $i > /dev/null 2>&1 ;
- if [ $? -ne 0 ] ; then
- rv=`expr $rv + 1`
- else
- rv=`expr $rv + 0`
- fi
- done
- # echo "rv=$rv"
- return $rv
- }
-
- # Create the following directories on platforms
- # where they do not exist (e. g. - Solaris) . . .
- if [ ! -d /var/lock/subsys ] ; then
- mkdir -p /var/lock/subsys
- fi
-fi
-
-########################################################################
-# This section contains modified content of "/etc/sysconfig/httpd" #
-########################################################################
-# Configuration file for the [INSTANCE_ID] service.
-
-#
-# The default processing model (MPM) is the process-based
-# 'prefork' model. A thread-based model, 'worker', is also
-# available, but does not work with some modules (such as PHP).
-# The service must be stopped before changing this variable.
-#
-HTTPD=[FORTITUDE_DIR]/sbin/httpd.worker
-
-#
-# To pass additional options (for instance, -D definitions) to the
-# httpd binary at startup, set OPTIONS here.
-#
-OPTIONS="-f [HTTPD_CONF]"
-
-#
-# By default, the httpd process is started in the C locale; to
-# change the locale in which the server runs, the HTTPD_LANG
-# variable can be set.
-#
-HTTPD_LANG=C
-########################################################################
-# #
-########################################################################
-
-# This will prevent initlog from swallowing up a pass-phrase prompt if
-# mod_ssl needs a pass-phrase from the user.
-INITLOG_ARGS=""
-
-# Set HTTPD=/usr/sbin/httpd.worker in /etc/sysconfig/httpd to use a server
-# with the thread-based "worker" MPM; BE WARNED that some modules may not
-# work correctly with a thread-based MPM; notably PHP will refuse to start.
-
-# Path to the server binary and short-form for messages.
-httpd=${HTTPD:-[FORTITUDE_DIR]/sbin/httpd}
-prog=[INSTANCE_ID]
-pki_instance_configuration_file=[SERVER_ROOT]/conf/CS.cfg
-pidfile=${PIDFILE:-[SERVER_ROOT]/logs/[INSTANCE_ID].pid}
-lockfile=${LOCKFILE:-/var/lock/subsys/[INSTANCE_ID]}
-RESTART_SERVER=[SERVER_ROOT]/conf/restart_server_after_configuration
-RETVAL=0
-
-# see if httpd is linked with the openldap libraries - we need to override them
-if [ ${OS} = "Linux" ]; then
- hasopenldap=0
-
- /usr/bin/ldd $httpd 2>&1 | grep libldap- > /dev/null 2>&1 && hasopenldap=1
-
- if [ $hasopenldap -eq 1 ] ; then
- LD_PRELOAD="[SYSTEM_USER_LIBRARIES]/libldap60.so"
- LD_PRELOAD="[SYSTEM_USER_LIBRARIES]/libssl3.so:${LD_PRELOAD}"
- export LD_PRELOAD
- fi
-elif [ ${OS} = "SunOS" ] ; then
- LD_PRELOAD_64="[SYSTEM_USER_LIBRARIES]/libldap60.so"
- LD_PRELOAD_64="[SYSTEM_USER_LIBRARIES]/dirsec/libssl3.so:${LD_PRELOAD_64}"
- export LD_PRELOAD_64
-fi
-
-check_pki_configuration_status()
-{
- rv=0
-
- rv=`grep -c ^preop ${pki_instance_configuration_file}`
-
- rv=`expr ${rv} + 0`
-
- if [ ${rv} -ne 0 ] ; then
- echo " '[INSTANCE_ID]' must still be CONFIGURED!"
- echo " (see /var/log/[INSTANCE_ID]-install.log)"
- elif [ -f ${RESTART_SERVER} ] ; then
- echo " Although '[INSTANCE_ID]' has been CONFIGURED, it must still be RESTARTED!"
- rv=255
- fi
-
- return ${rv}
-}
-
-get_pki_status_definitions()
-{
- # establish well-known strings
- listen_statement="Listen"
- total_ports=0
- UNSECURE_PORT=""
- CLIENTAUTH_PORT=""
- NON_CLIENTAUTH_PORT=""
-
- # check to see that an instance-specific "httpd.conf" file exists
- if [ ! -f [HTTPD_CONF] ] ; then
- echo "File '[HTTPD_CONF]' does not exist!"
- exit 255
- fi
-
- # check to see that an instance-specific "nss.conf" file exists
- if [ ! -f [NSS_CONF] ] ; then
- echo "File '[NSS_CONF]' does not exist!"
- exit 255
- fi
-
- # read this instance-specific "httpd.conf" file line-by-line
- # to obtain the current value of the PKI unsecure port
-
- exec < [HTTPD_CONF]
- while read line; do
- # look for the listen statement
- head=`echo $line | cut -b1-6`
- if [ "$head" == "$listen_statement" ] ; then
- # once the 'unsecure' listen statement has been found,
- # extract the numeric port information
- port=`echo $line | cut -b8-`
- UNSECURE_PORT=$port
- echo " Unsecure Port = http://[SERVER_NAME]:${UNSECURE_PORT}"
- total_ports=`expr ${total_ports} + 1`
- break;
- fi
- done
-
- # read this instance-specific "nss.conf" file line-by-line
- # to obtain the current value of the "clientauth" PKI secure port
- # AND the current value of the "non-clientauth" PKI secure port
-
- exec < [NSS_CONF]
- while read line; do
- # look for the listen statement
- head=`echo $line | cut -b1-6`
- if [ "$head" == "$listen_statement" ] &&
- [ ${total_ports} -eq 2 ] ; then
- # once the 'non-clientauth' listen statement has been found,
- # extract the numeric port information
- non_clientauth_port=`echo $line | cut -b8-`
- NON_CLIENTAUTH_PORT=$non_clientauth_port
- echo " Secure Non-Clientauth Port = https://[SERVER_NAME]:${NON_CLIENTAUTH_PORT}"
- total_ports=`expr ${total_ports} + 1`
- break
- fi
- if [ "$head" == "$listen_statement" ] &&
- [ ${total_ports} -eq 1 ] ; then
- # once the 'clientauth' listen statement has been found,
- # extract the numeric port information
- clientauth_port=`echo $line | cut -b8-`
- CLIENTAUTH_PORT=$clientauth_port
- echo " Secure Clientauth Port = https://[SERVER_NAME]:${CLIENTAUTH_PORT}"
- total_ports=`expr ${total_ports} + 1`
- fi
- done
-
- if [ ${total_ports} -eq 3 ] ; then
- return 0
- else
- return 255
- fi
-}
-
-get_pki_configuration_definitions()
-{
- # Obtain the PKI Subsystem Type
- line=`grep ^cs.type= ${pki_instance_configuration_file}`
- pki_subsystem=`echo "${line}" | cut -b9-`
- if [ "${line}" != "" ] ; then
- if [ "${pki_subsystem}" != "CA" ] &&
- [ "${pki_subsystem}" != "KRA" ] &&
- [ "${pki_subsystem}" != "OCSP" ] &&
- [ "${pki_subsystem}" != "TKS" ] &&
- [ "${pki_subsystem}" != "RA" ] &&
- [ "${pki_subsystem}" != "TPS" ]
- then
- return 255
- fi
- if [ "${pki_subsystem}" == "KRA" ] ; then
- # Rename "KRA" to "DRM"
- pki_subsystem="DRM"
- fi
- else
- return 255
- fi
-
- # If "${pki_subsystem}" is a CA, DRM, OCSP, or TKS,
- # check to see if "${pki_subsystem}" is a "Clone"
- pki_clone=""
- if [ "${pki_subsystem}" == "CA" ] ||
- [ "${pki_subsystem}" == "DRM" ] ||
- [ "${pki_subsystem}" == "OCSP" ] ||
- [ "${pki_subsystem}" == "TKS" ]
- then
- line=`grep ^subsystem.select= ${pki_instance_configuration_file}`
- if [ "${line}" != "" ] ; then
- pki_clone=`echo "${line}" | cut -b18-`
- if [ "${pki_clone}" != "Clone" ] ; then
- # Reset "${pki_clone}" to be empty
- pki_clone=""
- fi
- else
- return 255
- fi
- fi
-
- # If "${pki_subsystem}" is a CA, and is NOT a "Clone", check to
- # see "${pki_subsystem}" is a "Root" or a "Subordinate" CA
- pki_hierarchy=""
- if [ "${pki_subsystem}" == "CA" ] &&
- [ "${pki_clone}" != "Clone" ]
- then
- line=`grep ^hierarchy.select= ${pki_instance_configuration_file}`
- if [ "${line}" != "" ] ; then
- pki_hierarchy=`echo "${line}" | cut -b18-`
- else
- return 255
- fi
- fi
-
- # If ${pki_subsystem} is a CA, check to
- # see if it is also a Security Domain
- pki_security_domain=""
- if [ "${pki_subsystem}" == "CA" ] ; then
- line=`grep ^securitydomain.select= ${pki_instance_configuration_file}`
- if [ "${line}" != "" ] ; then
- pki_security_domain=`echo "${line}" | cut -b23-`
- if [ "${pki_security_domain}" == "new" ] ; then
- # Set a fixed value for "${pki_security_domain}"
- pki_security_domain="(Security Domain)"
- else
- # Reset "${pki_security_domain}" to be empty
- pki_security_domain=""
- fi
- else
- return 255
- fi
- fi
-
- # Always obtain this PKI instance's "registered"
- # security domain information
- pki_security_domain_name=""
- pki_security_domain_hostname=""
- pki_security_domain_https_admin_port=""
-
- line=`grep ^securitydomain.name= ${pki_instance_configuration_file}`
- if [ "${line}" != "" ] ; then
- pki_security_domain_name=`echo "${line}" | cut -b21-`
- else
- return 255
- fi
-
- line=`grep ^securitydomain.host= ${pki_instance_configuration_file}`
- if [ "${line}" != "" ] ; then
- pki_security_domain_hostname=`echo "${line}" | cut -b21-`
- else
- return 255
- fi
-
- line=`grep ^securitydomain.httpsadminport= ${pki_instance_configuration_file}`
- if [ "${line}" != "" ] ; then
- pki_security_domain_https_admin_port=`echo "${line}" | cut -b31-`
- else
- return 255
- fi
-
- # Compose the "PKI Instance Name" Status Line
- pki_instance_name="PKI Instance Name: [INSTANCE_ID]"
-
- # Compose the "PKI Subsystem Type" Status Line
- header="PKI Subsystem Type: "
- if [ "${pki_clone}" != "" ] ; then
- if [ "${pki_security_domain}" != "" ]; then
- # Possible Values:
- #
- # "CA Clone (Security Domain)"
- #
- data="${pki_subsystem} ${pki_clone} ${pki_security_domain}"
- else
- # Possible Values:
- #
- # "CA Clone"
- # "DRM Clone"
- # "OCSP Clone"
- # "TKS Clone"
- #
- data="${pki_subsystem} ${pki_clone}"
- fi
- elif [ "${pki_hierarchy}" != "" ] ; then
- if [ "${pki_security_domain}" != "" ]; then
- # Possible Values:
- #
- # "Root CA (Security Domain)"
- # "Subordinate CA (Security Domain)"
- #
- data="${pki_hierarchy} ${pki_subsystem} ${pki_security_domain}"
- else
- # Possible Values:
- #
- # "Root CA"
- # "Subordinate CA"
- #
- data="${pki_hierarchy} ${pki_subsystem}"
- fi
- else
- # Possible Values:
- #
- # "DRM"
- # "OCSP"
- # "RA"
- # "TKS"
- # "TPS"
- #
- data="${pki_subsystem}"
- fi
- pki_subsystem_type="${header} ${data}"
-
- # Compose the "Registered PKI Security Domain Information" Status Line
- header="Name: "
- registered_pki_security_domain_name="${header} ${pki_security_domain_name}"
-
- header="URL: "
- if [ "${pki_security_domain_hostname}" != "" ] &&
- [ "${pki_security_domain_https_admin_port}" != "" ]
- then
- data="https://${pki_security_domain_hostname}:${pki_security_domain_https_admin_port}"
- else
- return 255
- fi
- registered_pki_security_domain_url="${header} ${data}"
-
- # Print the "PKI Subsystem Type" Status Line
- echo
- echo " ${pki_instance_name}"
-
- # Print the "PKI Subsystem Type" Status Line
- echo
- echo " ${pki_subsystem_type}"
-
- # Print the "Registered PKI Security Domain Information" Status Line
- echo
- echo " Registered PKI Security Domain Information:"
- echo " =========================================================================="
- echo " ${registered_pki_security_domain_name}"
- echo " ${registered_pki_security_domain_url}"
- echo " =========================================================================="
-
- return 0
-}
-
-get_pki_secure_port()
-{
- # establish well-known strings
- listen_statement="Listen"
-
- # first check to see that an instance-specific "nss.conf" file exists
- if [ ! -f [NSS_CONF] ] ; then
- echo "File '[NSS_CONF]' does not exist!"
- exit 255
- fi
-
- # read this instance-specific "nss.conf" file line-by-line
- # to obtain the current value of the "clientauth" PKI secure port
-
- exec < [NSS_CONF]
- while read line; do
- # look for the listen statement
- head=`echo $line | cut -b1-6`
- if [ "$head" == "$listen_statement" ] ; then
- # once the 'clientauth' listen statement has been found,
- # extract the numeric port information
- port=`echo $line | cut -b8-`
- SECURE_PORT=$port
- return 0
- fi
- done
-
- return 255
-}
-
-# The semantics of these two functions differ from the way apachectl does
-# things -- attempting to start while running is a failure, and shutdown
-# when not running is also a failure. So we just do it the way init scripts
-# are expected to behave here.
-start()
-{
- echo -n $"Starting $prog: "
-
- if [ -f ${RESTART_SERVER} ] ; then
- rm -f ${RESTART_SERVER}
- fi
-
- if [ -f ${lockfile} ] ; then
- if [ -f ${pidfile} ]; then
- read kpid < ${pidfile}
- if checkpid $kpid 2>&1; then
- echo
- echo "process already running"
- return 255
- else
- echo
- echo -n "lock file found but no process "
- echo -n "running for pid $kpid, continuing"
- echo
- echo
- fi
- fi
- fi
-
- # restore context for ncipher hsm
- [ -x /sbin/restorecon ] && [ -d /dev/nfast ] && /sbin/restorecon -R /dev/nfast
-
-
- if [ -f /etc/init.d/functions ]; then
- /usr/sbin/selinuxenabled
- RETVAL=$?
- if [ $RETVAL = 0 ] ; then
- if [ ${ARCHITECTURE} = "i386" ] ; then
- LANG=$HTTPD_LANG daemon runcon -t pki_ra_t -- $httpd $OPTIONS
- # overwrite output from "daemon"
- echo -n $"Starting $prog: "
- elif [ ${ARCHITECTURE} = "x86_64" ] ; then
- # NOTE: "daemon" is incompatible with "httpd"
- # on 64-bit architectures
- LANG=$HTTPD_LANG runcon -t pki_ra_t -- $httpd $OPTIONS
- fi
- else
- LANG=$HTTPD_LANG daemon $httpd $OPTIONS
- # overwrite output from "daemon"
- echo -n $"Starting $prog: "
- fi
- else
- LANG=$HTTPD_LANG $httpd $OPTIONS -k start
- fi
-
- RETVAL=$?
- [ $RETVAL = 0 ] && touch ${lockfile}
-
- if [ $RETVAL = 0 ] ; then
- count=0;
-
- let swait=$STARTUP_WAIT
- until [ -s ${pidfile} ] ||
- [ $count -gt $swait ]
- do
- echo -n "."
- sleep 1
- let count=$count+1;
- done
-
- if [ -f /etc/init.d/functions ]; then
- echo_success
- echo
- else
- echo " [ OK ]"
- fi
-
- get_pki_secure_port
- if [ $? -ne 0 ] ; then
- SECURE_PORT="<Port Undefined>"
- fi
-
- # Set permissions of log files
- pki_logs_directory=`dirname ${pidfile}`
- for file in ${pki_logs_directory}/*; do
- if [ "${file}" != "${pidfile}" ]; then
- chmod 00660 ${file}
- chgrp [GROUPID] ${file}
- chown [USERID] ${file}
- fi
- done
- else
- if [ -f /etc/init.d/functions ]; then
- echo_failure
- echo
- else
- echo " [ FAILED ]"
- fi
- fi
-
- if [ ${OS} = "Linux" ] ; then
- sleep 10
- elif [ ${OS} = "SunOS" ] ; then
- sleep 20
- fi
- echo
- status
- return $RETVAL
-}
-
-stop()
-{
- echo -n "Stopping $prog: "
-
- if [ -f ${lockfile} ] ; then
- $httpd $OPTIONS -k stop
-
- RETVAL=$?
-
- if [ $RETVAL = 0 ]; then
- count=0;
-
- if [ -f ${pidfile} ]; then
- read kpid < ${pidfile}
- let kwait=$SHUTDOWN_WAIT
-
- until [ `ps -p $kpid | grep -c $kpid` = '0' ] ||
- [ $count -gt $kwait ]
- do
- echo -n "."
- sleep 1
- let count=$count+1;
- done
-
- if [ $count -gt $kwait ]; then
- kill -9 $kpid
- fi
- fi
-
- rm -f ${lockfile}
- rm -f ${pidfile}
-
- if [ -f /etc/init.d/functions ]; then
- echo_success
- echo
- else
- echo " [ OK ]"
- fi
- else
- if [ -f /etc/init.d/functions ]; then
- echo_failure
- echo
- else
- echo " [ FAILED ]"
- fi
- fi
- else
- echo
- echo "process already stopped"
- fi
-}
-
-reload()
-{
- echo -n $"Reloading $prog: "
-
- if ! LANG=$HTTPD_LANG $httpd $OPTIONS -t >&/dev/null; then
- RETVAL=$?
- echo $"not reloading due to configuration syntax error"
- if [ -f /etc/init.d/functions ]; then
- failure $"not reloading $httpd due to configuration syntax error"
- else
- echo $"not reloading $httpd due to configuration syntax error"
- fi
- else
- if [ -f /etc/init.d/functions ]; then
- killproc $httpd -HUP
- # overwrite output from "killproc"
- echo -n $"Stopping $prog: "
- else
- if [ -f ${lockfile} ] ; then
- if [ -f ${pidfile} ]; then
- read kpid < ${pidfile}
- if checkpid $kpid 2>&1; then
- kill -HUP $kpid
- fi
- else
- echo
- echo -n "lock file found but no process "
- echo -n "running for pid $kpid, continuing"
- echo
- echo
- fi
- fi
- fi
- fi
- echo
-}
-
-status()
-{
- if [ -f ${pidfile} ] ; then
- pid=`cat ${pidfile}`
- if [ "${pid}" == "" ] ; then
- echo "[INSTANCE_ID] pid file exists but is empty"
- elif kill -0 ${pid} > /dev/null 2>&1 ; then
- echo "[INSTANCE_ID] (pid ${pid}) is running ..."
- echo
- check_pki_configuration_status
- if [ $? -eq 0 ] ; then
- get_pki_status_definitions
- if [ $? -ne 0 ] ; then
- echo
- echo "[INSTANCE_ID] Status Definitions not found"
- fi
- get_pki_configuration_definitions
- if [ $? -ne 0 ] ; then
- echo
- echo "[INSTANCE_ID] Configuration Definitions not found"
- fi
- fi
- echo
- else
- echo "[INSTANCE_ID] is dead but pid file exists"
- fi
- else
- echo "[INSTANCE_ID] is stopped"
- fi
-}
-
-# See how we were called.
-case "$1" in
- start)
- start
- ;;
- stop)
- stop
- ;;
- restart)
- stop
- sleep 2
- start
- ;;
- condrestart)
- if [ -f ${pidfile} ] ; then
- stop
- sleep 2
- start
- else
- echo -n "Unable to restart process since "
- echo -n "'${pidfile}' does not exist!"
- echo
- fi
- ;;
- reload)
- reload
- ;;
- status)
- status
- ;;
- *)
- echo $"Usage: $prog {start|stop|restart|condrestart|reload|status}"
- exit 1
-esac
-
-exit $RETVAL
-
diff --git a/pki/base/ra/etc/init.d/pki-rad b/pki/base/ra/etc/init.d/pki-rad
new file mode 100755
index 000000000..3ca7d6669
--- /dev/null
+++ b/pki/base/ra/etc/init.d/pki-rad
@@ -0,0 +1,1415 @@
+#!/bin/bash
+#
+# --- BEGIN COPYRIGHT BLOCK ---
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; version 2 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License along
+# with this program; if not, write to the Free Software Foundation, Inc.,
+# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# Copyright (C) 2007 Red Hat, Inc.
+# All rights reserved.
+# --- END COPYRIGHT BLOCK ---
+#
+# pki-rad Startup script for the Apache HTTP pki-ra Server
+#
+# chkconfig: - 86 14
+# description: Registration Authority \
+# (Apache 2.2)
+# processname: pki-rad
+# piddir: /var/run/pki/ra
+# config: ${PKI_SERVER_ROOT}/conf/httpd.conf
+
+PKI_INIT_SCRIPT=""
+PKI_PATH="/usr/share/pki/ra"
+PKI_PIDDIR="/var/run/pki/ra"
+PKI_PROCESS="pki-rad"
+PKI_REGISTRY="/etc/sysconfig/pki/ra"
+PKI_SELINUX_TYPE="pki_ra_t"
+PKI_TYPE="pki-ra"
+
+# PKI subsystem-level directory and file values for locks
+lockfile="/var/lock/subsys/pki-rad"
+
+# Disallow 'others' the ability to 'write' to new files
+umask 00002
+
+default_error=0
+command="$1"
+pki_instance="$2"
+case "${command}" in
+ start|stop|restart|condrestart|force-restart|try-restart)
+ # * 1 generic or unspecified error (current practice)
+ default_error=1
+ ;;
+ reload)
+ default_error=3
+ ;;
+ status)
+ # * 4 program or service status is unknown
+ default_error=4
+ ;;
+ *)
+ # * 2 invalid argument(s)
+ default_error=2
+ ;;
+esac
+
+# Check to insure that this script's original invocation directory
+# has not been deleted!
+CWD=`/bin/pwd > /dev/null 2>&1`
+if [ $? -ne 0 ] ; then
+ echo "Cannot invoke '$0' from non-existent directory!"
+ exit ${default_error}
+fi
+
+# Check to insure that this script's associated PKI
+# subsystem currently resides on this system.
+if [ ! -d ${PKI_PATH} ] ; then
+ echo "This machine is missing the '${PKI_TYPE}' subsystem!"
+ if [ "${command}" != "status" ]; then
+ # * 5 program is not installed
+ exit 5
+ else
+ exit ${default_error}
+ fi
+fi
+
+# Check to insure that this script's associated PKI
+# subsystem instance registry currently resides on this system.
+if [ ! -d ${PKI_REGISTRY} ] ; then
+ echo "This machine contains no registered '${PKI_TYPE}' subsystem instances!"
+ if [ "${command}" != "status" ]; then
+ # * 5 program is not installed
+ exit 5
+ else
+ exit ${default_error}
+ fi
+fi
+
+# Obtain the operating system upon which this script is being executed
+# and initialize environment variables
+OS=`uname -s`
+ARCHITECTURE=""
+LD_LIBRARY_PATH=""
+
+# Time to wait in seconds, before killing process
+#
+# NOTE: Defined in "tomcat5.conf" for PKI Java/Tomcat Subsystems.
+#
+STARTUP_WAIT=30
+SHUTDOWN_WAIT=30
+
+# This script must be run as root!
+RV=0
+if [ ${OS} = "Linux" ] ; then
+ PKI_INIT_SCRIPT="/sbin/service ${PKI_PROCESS}"
+ if [ `id -u` -ne 0 ] ; then
+ echo "Must be 'root' to execute '$0'!"
+ if [ "${command}" != "status" ]; then
+ # * 4 user had insufficient privilege
+ exit 4
+ else
+ # * 4 program or service status is unknown
+ exit 4
+ fi
+ fi
+ ARCHITECTURE=`uname -i`
+ if [ ${ARCHITECTURE} = "i386" ] ; then
+ LD_LIBRARY_PATH="/usr/lib:/lib:${LD_LIBRARY_PATH}"
+ elif [ ${ARCHITECTURE} = "x86_64" ] ; then
+ LD_LIBRARY_PATH="/usr/lib64:/lib64:${LD_LIBRARY_PATH}"
+ else
+ echo "Unsupported architecture '${ARCHITECTURE}'!"
+ exit ${default_error}
+ fi
+elif [ ${OS} = "SunOS" ] ; then
+ PKI_INIT_SCRIPT="/etc/init.d/${PKI_PROCESS}"
+ if [ `/usr/xpg4/bin/id -u` -ne 0 ] ; then
+ echo "Must be 'root' to execute '$0'!"
+ if [ "${command}" != "status" ]; then
+ # * 4 user had insufficient privilege
+ exit 4
+ else
+ # * 4 program or service status is unknown
+ exit 4
+ fi
+ fi
+ ARCHITECTURE=`uname -p`
+ if [ "${ARCHITECTURE}" = "sparc" ] &&
+ [ -d "/usr/lib/sparcv9/" ] ; then
+ ARCHITECTURE="sparcv9"
+ fi
+ if [ ${ARCHITECTURE} = "sparcv9" ] ; then
+ LD_LIBRARY_PATH="/usr/lib/sparcv9:/lib/sparcv9:${LD_LIBRARY_PATH}"
+ LD_LIBRARY_PATH="/usr/lib/sparcv9/dirsec:${LD_LIBRARY_PATH}"
+ else
+ echo "Unsupported architecture '${ARCHITECTURE}'!"
+ exit ${default_error}
+ fi
+else
+ echo "Unsupported OS '${OS}'!"
+ exit ${default_error}
+fi
+export LD_LIBRARY_PATH
+
+# Source function library.
+if [ -f /etc/init.d/functions ]; then
+ . /etc/init.d/functions
+else
+ # The checkpid() function is provided for platforms that do not
+ # contain the "/etc/init.d/functions" file (e. g. - Solaris) . . .
+
+ # Check if ${pid} (could be plural) are running (keep count)
+ checkpid()
+ {
+ rv=0
+ for i in $* ; do
+ ps -p $i > /dev/null 2>&1 ;
+ if [ $? -ne 0 ] ; then
+ rv=`expr $rv + 1`
+ else
+ rv=`expr $rv + 0`
+ fi
+ done
+ # echo "rv=$rv"
+ return $rv
+ }
+
+ # Create the following directories on platforms
+ # where they do not exist (e. g. - Solaris) . . .
+ if [ ! -d "/var/lock" ] ; then
+ mkdir -p /var/lock
+ chown root:sys /var/lock
+ chmod 00755 /var/lock
+ fi
+ if [ ! -d "/var/lock/subsys" ] ; then
+ mkdir -p /var/lock/subsys
+ chown root:root /var/lock/subsys
+ chmod 00755 /var/lock/subsys
+ fi
+fi
+
+PKI_REGISTRY_ENTRIES=""
+TOTAL_PKI_REGISTRY_ENTRIES=0
+TOTAL_UNCONFIGURED_PKI_ENTRIES=0
+
+# Gather ALL registered instances of this PKI subsystem type
+for FILE in `/bin/ls -1 ${PKI_REGISTRY}/* 2>/dev/null`; do
+ if [ -f "$FILE" ] ; then
+ inst=`echo "$FILE"`
+ PKI_REGISTRY_ENTRIES="${PKI_REGISTRY_ENTRIES} $inst"
+ TOTAL_PKI_REGISTRY_ENTRIES=`expr ${TOTAL_PKI_REGISTRY_ENTRIES} + 1`
+ fi
+done
+
+if [ -n "${pki_instance}" ]; then
+ for I in ${PKI_REGISTRY_ENTRIES}; do
+ if [ "${PKI_REGISTRY}/${pki_instance}" = "$I" ]; then
+ PKI_REGISTRY_ENTRIES="${PKI_REGISTRY}/${pki_instance}"
+ TOTAL_PKI_REGISTRY_ENTRIES=1
+ break
+ fi
+ done
+fi
+
+usage()
+{
+ echo -n "Usage: ${PKI_INIT_SCRIPT} "
+ echo -n "{start"
+ echo -n "|stop"
+ echo -n "|restart"
+ echo -n "|condrestart"
+ echo -n "|force-restart"
+ echo -n "|try-restart"
+ echo -n "|reload"
+ echo -n "|status} "
+ echo -n "[instance-name]"
+ echo
+ echo
+}
+
+list_instances()
+{
+ echo
+ for FILE in `/bin/ls -1 ${PKI_REGISTRY}/* 2>/dev/null`; do
+ echo " ${FILE}"
+ done
+ echo
+}
+
+# Check arguments
+if [ $# -lt 1 ] ; then
+ # * 3 unimplemented feature (for example, "reload")
+ # [insufficient arguments]
+ echo "$0: Insufficient arguments!"
+ echo
+ usage
+ echo "where valid instance names include:"
+ list_instances
+ exit 3
+elif [ ${default_error} -eq 2 ] ; then
+ # * 2 invalid argument
+ echo "$0: Invalid arguments!"
+ echo
+ usage
+ echo "where valid instance names include:"
+ list_instances
+ exit 2
+elif [ $# -gt 2 ] ; then
+ echo "$0: Excess arguments!"
+ echo
+ usage
+ echo "where valid instance names include:"
+ list_instances
+ if [ "${command}" != "status" ]; then
+ # * 2 excess arguments
+ exit 2
+ else
+ # * 4 program or service status is unknown
+ exit 4
+ fi
+fi
+
+# If an "instance" was supplied, check that it is a "valid" instance
+if [ -n "${pki_instance}" ]; then
+ if [ "${PKI_REGISTRY}/${pki_instance}" != "${PKI_REGISTRY_ENTRIES}" ]; then
+ echo -n "${pki_instance} is an invalid '${PKI_TYPE}' instance"
+ echo_failure
+ echo
+ if [ "${command}" != "status" ]; then
+ # * 5 program is not installed
+ exit 5
+ else
+ # * 4 program or service status is unknown
+ exit 4
+ fi
+ fi
+fi
+
+# On Solaris /var/run is in tmpfs and gets wiped out upon reboot
+# we have to recreate the ${PKI_PIDDIR} directory and make sure that
+# the directory is writable by the ${PKI_TYPE} server process.
+#
+# IMPORTANT: ALL PKI subsystems installed on this machine MUST utilize
+# the SAME values for ${PKI_GROUP} and ${PKI_USER}, since the
+# "${PKI_PIDDIR}" will end up with the ownership permissions
+# of the first instance that executes this function!
+#
+fix_pid_dir_ownership()
+{
+ if [ ! -d ${PKI_PIDDIR} ] ; then
+ mkdir -p ${PKI_PIDDIR}
+
+ chown root:root /var/run/pki
+ chmod 00755 /var/run/pki
+
+ chown root:root ${PKI_PIDDIR}
+ chmod 00755 ${PKI_PIDDIR}
+ fi
+}
+
+check_pki_configuration_status()
+{
+ rv=0
+
+ rv=`grep -c ^preop ${pki_instance_configuration_file}`
+
+ rv=`expr ${rv} + 0`
+
+ if [ ${rv} -ne 0 ] ; then
+ echo " '${PKI_INSTANCE_ID}' must still be CONFIGURED!"
+ echo " (see /var/log/${PKI_INSTANCE_ID}-install.log)"
+ if [ "${command}" != "status" ]; then
+ # * 6 program is not configured
+ rv=6
+ else
+ # * 4 program or service status is unknown
+ rv=4
+ fi
+ TOTAL_UNCONFIGURED_PKI_ENTRIES=`expr ${TOTAL_UNCONFIGURED_PKI_ENTRIES} + 1`
+ elif [ -f ${RESTART_SERVER} ] ; then
+ echo -n " Although '${PKI_INSTANCE_ID}' has been CONFIGURED, "
+ echo -n "it must still be RESTARTED!"
+ echo
+ if [ "${command}" != "status" ]; then
+ # * 1 generic or unspecified error (current practice)
+ rv=1
+ else
+ # * 4 program or service status is unknown
+ rv=4
+ fi
+ fi
+
+ return ${rv}
+}
+
+get_pki_status_definitions()
+{
+ # establish well-known strings
+ listen_statement="Listen"
+ total_ports=0
+ UNSECURE_PORT=""
+ CLIENTAUTH_PORT=""
+ NON_CLIENTAUTH_PORT=""
+
+ # check to see that an instance-specific "httpd.conf" file exists
+ if [ ! -f ${PKI_HTTPD_CONF} ] ; then
+ echo "File '${PKI_HTTPD_CONF}' does not exist!"
+ exit ${default_error}
+ fi
+
+ # check to see that an instance-specific "nss.conf" file exists
+ if [ ! -f ${PKI_NSS_CONF} ] ; then
+ echo "File '${PKI_NSS_CONF}' does not exist!"
+ exit ${default_error}
+ fi
+
+ # read this instance-specific "httpd.conf" file line-by-line
+ # to obtain the current value of the PKI unsecure port
+
+ exec < ${PKI_HTTPD_CONF}
+ while read line; do
+ # look for the listen statement
+ head=`echo $line | cut -b1-6`
+ if [ "$head" == "$listen_statement" ] ; then
+ # once the 'unsecure' listen statement has been found,
+ # extract the numeric port information
+ port=`echo $line | cut -b8-`
+ UNSECURE_PORT=$port
+ echo " Unsecure Port = http://${PKI_SERVER_NAME}:${UNSECURE_PORT}"
+ total_ports=`expr ${total_ports} + 1`
+ break;
+ fi
+ done
+
+ # read this instance-specific "nss.conf" file line-by-line
+ # to obtain the current value of the "clientauth" PKI secure port
+ # AND the current value of the "non-clientauth" PKI secure port
+
+ exec < ${PKI_NSS_CONF}
+ while read line; do
+ # look for the listen statement
+ head=`echo $line | cut -b1-6`
+ if [ "$head" == "$listen_statement" ] &&
+ [ ${total_ports} -eq 2 ] ; then
+ # once the 'non-clientauth' listen statement has been found,
+ # extract the numeric port information
+ non_clientauth_port=`echo $line | cut -b8-`
+ NON_CLIENTAUTH_PORT=$non_clientauth_port
+ echo " Secure Non-Clientauth Port = https://${PKI_SERVER_NAME}:${NON_CLIENTAUTH_PORT}"
+ total_ports=`expr ${total_ports} + 1`
+ break
+ fi
+ if [ "$head" == "$listen_statement" ] &&
+ [ ${total_ports} -eq 1 ] ; then
+ # once the 'clientauth' listen statement has been found,
+ # extract the numeric port information
+ clientauth_port=`echo $line | cut -b8-`
+ CLIENTAUTH_PORT=$clientauth_port
+ echo " Secure Clientauth Port = https://${PKI_SERVER_NAME}:${CLIENTAUTH_PORT}"
+ total_ports=`expr ${total_ports} + 1`
+ fi
+ done
+
+ if [ ${total_ports} -eq 3 ] ; then
+ return 0
+ else
+ return ${default_error}
+ fi
+}
+
+get_pki_configuration_definitions()
+{
+ # Obtain the PKI Subsystem Type
+ line=`grep ^cs.type= ${pki_instance_configuration_file}`
+ pki_subsystem=`echo "${line}" | cut -b9-`
+ if [ "${line}" != "" ] ; then
+ if [ "${pki_subsystem}" != "CA" ] &&
+ [ "${pki_subsystem}" != "KRA" ] &&
+ [ "${pki_subsystem}" != "OCSP" ] &&
+ [ "${pki_subsystem}" != "TKS" ] &&
+ [ "${pki_subsystem}" != "RA" ] &&
+ [ "${pki_subsystem}" != "TPS" ]
+ then
+ return ${default_error}
+ fi
+ if [ "${pki_subsystem}" == "KRA" ] ; then
+ # Rename "KRA" to "DRM"
+ pki_subsystem="DRM"
+ fi
+ else
+ return ${default_error}
+ fi
+
+ # If "${pki_subsystem}" is a CA, DRM, OCSP, or TKS,
+ # check to see if "${pki_subsystem}" is a "Clone"
+ pki_clone=""
+ if [ "${pki_subsystem}" == "CA" ] ||
+ [ "${pki_subsystem}" == "DRM" ] ||
+ [ "${pki_subsystem}" == "OCSP" ] ||
+ [ "${pki_subsystem}" == "TKS" ]
+ then
+ line=`grep ^subsystem.select= ${pki_instance_configuration_file}`
+ if [ "${line}" != "" ] ; then
+ pki_clone=`echo "${line}" | cut -b18-`
+ if [ "${pki_clone}" != "Clone" ] ; then
+ # Reset "${pki_clone}" to be empty
+ pki_clone=""
+ fi
+ else
+ return ${default_error}
+ fi
+ fi
+
+ # If "${pki_subsystem}" is a CA, and is NOT a "Clone", check to
+ # see "${pki_subsystem}" is a "Root" or a "Subordinate" CA
+ pki_hierarchy=""
+ if [ "${pki_subsystem}" == "CA" ] &&
+ [ "${pki_clone}" != "Clone" ]
+ then
+ line=`grep ^hierarchy.select= ${pki_instance_configuration_file}`
+ if [ "${line}" != "" ] ; then
+ pki_hierarchy=`echo "${line}" | cut -b18-`
+ else
+ return ${default_error}
+ fi
+ fi
+
+ # If ${pki_subsystem} is a CA, check to
+ # see if it is also a Security Domain
+ pki_security_domain=""
+ if [ "${pki_subsystem}" == "CA" ] ; then
+ line=`grep ^securitydomain.select= ${pki_instance_configuration_file}`
+ if [ "${line}" != "" ] ; then
+ pki_security_domain=`echo "${line}" | cut -b23-`
+ if [ "${pki_security_domain}" == "new" ] ; then
+ # Set a fixed value for "${pki_security_domain}"
+ pki_security_domain="(Security Domain)"
+ else
+ # Reset "${pki_security_domain}" to be empty
+ pki_security_domain=""
+ fi
+ else
+ return ${default_error}
+ fi
+ fi
+
+ # Always obtain this PKI instance's "registered"
+ # security domain information
+ pki_security_domain_name=""
+ pki_security_domain_hostname=""
+ pki_security_domain_https_admin_port=""
+
+ line=`grep ^securitydomain.name= ${pki_instance_configuration_file}`
+ if [ "${line}" != "" ] ; then
+ pki_security_domain_name=`echo "${line}" | cut -b21-`
+ else
+ return ${default_error}
+ fi
+
+ line=`grep ^securitydomain.host= ${pki_instance_configuration_file}`
+ if [ "${line}" != "" ] ; then
+ pki_security_domain_hostname=`echo "${line}" | cut -b21-`
+ else
+ return ${default_error}
+ fi
+
+ line=`grep ^securitydomain.httpsadminport= ${pki_instance_configuration_file}`
+ if [ "${line}" != "" ] ; then
+ pki_security_domain_https_admin_port=`echo "${line}" | cut -b31-`
+ else
+ return ${default_error}
+ fi
+
+ # Compose the "PKI Instance Name" Status Line
+ pki_instance_name="PKI Instance Name: ${PKI_INSTANCE_ID}"
+
+ # Compose the "PKI Subsystem Type" Status Line
+ header="PKI Subsystem Type: "
+ if [ "${pki_clone}" != "" ] ; then
+ if [ "${pki_security_domain}" != "" ]; then
+ # Possible Values:
+ #
+ # "CA Clone (Security Domain)"
+ #
+ data="${pki_subsystem} ${pki_clone} ${pki_security_domain}"
+ else
+ # Possible Values:
+ #
+ # "CA Clone"
+ # "DRM Clone"
+ # "OCSP Clone"
+ # "TKS Clone"
+ #
+ data="${pki_subsystem} ${pki_clone}"
+ fi
+ elif [ "${pki_hierarchy}" != "" ] ; then
+ if [ "${pki_security_domain}" != "" ]; then
+ # Possible Values:
+ #
+ # "Root CA (Security Domain)"
+ # "Subordinate CA (Security Domain)"
+ #
+ data="${pki_hierarchy} ${pki_subsystem} ${pki_security_domain}"
+ else
+ # Possible Values:
+ #
+ # "Root CA"
+ # "Subordinate CA"
+ #
+ data="${pki_hierarchy} ${pki_subsystem}"
+ fi
+ else
+ # Possible Values:
+ #
+ # "DRM"
+ # "OCSP"
+ # "RA"
+ # "TKS"
+ # "TPS"
+ #
+ data="${pki_subsystem}"
+ fi
+ pki_subsystem_type="${header} ${data}"
+
+ # Compose the "Registered PKI Security Domain Information" Status Line
+ header="Name: "
+ registered_pki_security_domain_name="${header} ${pki_security_domain_name}"
+
+ header="URL: "
+ if [ "${pki_security_domain_hostname}" != "" ] &&
+ [ "${pki_security_domain_https_admin_port}" != "" ]
+ then
+ data="https://${pki_security_domain_hostname}:${pki_security_domain_https_admin_port}"
+ else
+ return ${default_error}
+ fi
+ registered_pki_security_domain_url="${header} ${data}"
+
+ # Print the "PKI Subsystem Type" Status Line
+ echo
+ echo " ${pki_instance_name}"
+
+ # Print the "PKI Subsystem Type" Status Line
+ echo
+ echo " ${pki_subsystem_type}"
+
+ # Print the "Registered PKI Security Domain Information" Status Line
+ echo
+ echo " Registered PKI Security Domain Information:"
+ echo " =========================================================================="
+ echo " ${registered_pki_security_domain_name}"
+ echo " ${registered_pki_security_domain_url}"
+ echo " =========================================================================="
+
+ return 0
+}
+
+get_pki_secure_port()
+{
+ # establish well-known strings
+ listen_statement="Listen"
+
+ # first check to see that an instance-specific "nss.conf" file exists
+ if [ ! -f ${PKI_NSS_CONF} ] ; then
+ echo "File '${PKI_NSS_CONF}' does not exist!"
+ exit ${default_error}
+ fi
+
+ # read this instance-specific "nss.conf" file line-by-line
+ # to obtain the current value of the "clientauth" PKI secure port
+ exec < ${PKI_NSS_CONF}
+ while read line; do
+ # look for the listen statement
+ head=`echo $line | cut -b1-6`
+ if [ "$head" == "$listen_statement" ] ; then
+ # once the 'clientauth' listen statement has been found,
+ # extract the numeric port information
+ port=`echo $line | cut -b8-`
+ SECURE_PORT=$port
+ return 0
+ fi
+ done
+
+ return ${default_error}
+}
+
+display_instance_status()
+{
+ rv=0
+
+ if [ -f ${pidfile} ] ; then
+ pid=`cat ${pidfile}`
+ if [ "${pid}" == "" ] ; then
+ echo "${PKI_INSTANCE_ID} pid file exists but is empty"
+ if [ "${command}" != "status" ]; then
+ # * 1 generic or unspecified error (current practice)
+ rv=1
+ else
+ # * 4 program or service status is unknown
+ rv=4
+ fi
+ elif kill -0 ${pid} > /dev/null 2>&1 ; then
+ echo "${PKI_INSTANCE_ID} (pid ${pid}) is running ..."
+ echo
+ check_pki_configuration_status
+ rv=$?
+ if [ ${rv} -eq 0 ] ; then
+ get_pki_status_definitions
+ rv=$?
+ if [ ${rv} -ne 0 ] ; then
+ echo
+ echo "${PKI_INSTANCE_ID} Status Definitions not found"
+ else
+ get_pki_configuration_definitions
+ rv=$?
+ if [ ${rv} -ne 0 ] ; then
+ echo
+ echo "${PKI_INSTANCE_ID} Configuration Definitions not found"
+ fi
+ fi
+ else
+ # From the PKI point of view for a "non-status" action,
+ # a returned error code of "6" implies that the program
+ # is not "configured". Similarly, an error code of "1"
+ # implies that the program was "configured" but must
+ # still be restarted.
+ #
+ # Similarly, from the PKI point of view for a "status"
+ # action, a returned error code of "4" implies that either
+ # the program is not "configured", or that the program
+ # was "configured" but must still be restarted.
+ #
+ # Regardless, it must still be considered that the instance
+ # is "running" from the viewpoint of other OS programs such
+ # as 'chkconfig'.
+ #
+ # For this reason, when returning from
+ # 'display_instance_status()', ignore non-zero return codes
+ # returned from 'check_pki_configuration_status()'.
+ #
+ if [ "${command}" != "status" ]; then
+ # * 0 action was successful
+ rv=0
+ else
+ # * 0 program is running or service is OK
+ rv=0
+ fi
+ fi
+ echo
+ else
+ echo "${PKI_INSTANCE_ID} is dead but pid file exists"
+ if [ "${command}" != "status" ]; then
+ # * 1 generic or unspecified error (current practice)
+ rv=1
+ else
+ # * 1 program is dead and /var/run pid file exists
+ rv=1
+ fi
+ fi
+ else
+ echo "${PKI_INSTANCE_ID} is stopped"
+ if [ "${command}" != "status" ]; then
+ # * 7 program is not running
+ rv=7
+ else
+ # * 3 program is not running
+ rv=3
+ fi
+ fi
+
+ return ${rv}
+}
+
+start_instance()
+{
+ rv=0
+
+ echo -n $"Starting ${prog}: "
+
+ if [ -f ${RESTART_SERVER} ] ; then
+ rm -f ${RESTART_SERVER}
+ fi
+
+ if [ -f ${PKI_LOCKFILE} ] ; then
+ if [ -f ${pidfile} ]; then
+ read kpid < ${pidfile}
+ if checkpid $kpid 2>&1; then
+ echo
+ echo "${PKI_INSTANCE_ID} (pid ${kpid}) is already running ..."
+ echo
+ check_pki_configuration_status
+ rv=$?
+ if [ ${rv} != 0 ]; then
+ # From the PKI point of view for a "non-status" action,
+ # a returned error code of "6" implies that the program
+ # is not "configured". Similarly, an error code of "1"
+ # implies that the program was "configured" but must
+ # still be restarted.
+ #
+ # Regardless, it must still be considered that the instance
+ # is "running" from the viewpoint of other OS programs such
+ # as 'chkconfig'.
+ #
+ # For "non-status" actions, ignore return codes of "1"
+ # from 'check_pki_configuration_status()'.
+ #
+ # However, for "non-status" actions that have a return
+ # code of "6", return this value unchanged to
+ # the calling routine so that the total number of
+ # configuration errors may be counted.
+ #
+
+ echo
+ if [ ${rv} = 1 ] ; then
+ # * 0 action was successful
+ return 0
+ elif [ ${rv} = 6 ] ; then
+ # * 6 program is not configured
+ return 6
+ else
+ # should never be reached
+ return ${rv}
+ fi
+ else
+ return 0
+ fi
+ else
+ echo
+ echo -n "lock file found but no process "
+ echo -n "running for pid $kpid, continuing"
+ echo
+ echo
+ rm -f ${PKI_LOCKFILE}
+ fi
+ fi
+ fi
+
+ fix_pid_dir_ownership
+
+ touch ${pidfile}
+ chown ${PKI_USER}:${PKI_GROUP} ${pidfile}
+ chmod 00600 ${pidfile}
+ [ -x /sbin/restorecon ] && /sbin/restorecon ${pidfile}
+
+ # restore context for ncipher hsm
+ [ -x /sbin/restorecon ] && [ -d /dev/nfast ] && /sbin/restorecon -R /dev/nfast
+
+ if [ -f /etc/init.d/functions ]; then
+ /usr/sbin/selinuxenabled
+ rv=$?
+ if [ ${rv} = 0 ] ; then
+ if [ ${ARCHITECTURE} = "i386" ] ; then
+ LANG=${PKI_HTTPD_LANG} daemon runcon -t ${PKI_SELINUX_TYPE} -- ${httpd} ${PKI_OPTIONS}
+ # overwrite output from "daemon"
+ echo -n $"Starting ${prog}: "
+ elif [ ${ARCHITECTURE} = "x86_64" ] ; then
+ # NOTE: "daemon" is incompatible with "httpd"
+ # on 64-bit architectures
+ LANG=${PKI_HTTPD_LANG} runcon -t ${PKI_SELINUX_TYPE} -- ${httpd} ${PKI_OPTIONS}
+ fi
+ else
+ LANG=${PKI_HTTPD_LANG} daemon ${httpd} ${PKI_OPTIONS}
+ # overwrite output from "daemon"
+ echo -n $"Starting ${prog}: "
+ fi
+ else
+ LANG=${PKI_HTTPD_LANG} ${httpd} ${PKI_OPTIONS} -k start
+ fi
+
+ rv=$?
+ if [ ${rv} = 0 ] ; then
+ touch ${PKI_LOCKFILE}
+ chown ${PKI_USER}:${PKI_GROUP} ${PKI_LOCKFILE}
+ chmod 00600 ${PKI_LOCKFILE}
+ fi
+
+ if [ ${rv} = 0 ] ; then
+ count=0;
+
+ let swait=$STARTUP_WAIT
+ until [ -s ${pidfile} ] ||
+ [ $count -gt $swait ]
+ do
+ echo -n "."
+ sleep 1
+ let count=$count+1;
+ done
+
+ if [ -f /etc/init.d/functions ]; then
+ if [ "$CONSOLETYPE" = "serial" ]; then
+ echo -n " "
+ fi
+ echo_success
+ echo
+ else
+ echo " [ OK ]"
+ fi
+
+ get_pki_secure_port
+ if [ $? -ne 0 ] ; then
+ SECURE_PORT="<Port Undefined>"
+ fi
+
+ # Set permissions of log files
+ for file in ${pki_logs_directory}/*; do
+ chown ${PKI_USER}:${PKI_GROUP} ${file}
+ chmod 00660 ${file}
+ done
+
+ # ignore "status" return codes
+ echo
+ display_instance_status
+ else
+ if [ -f /etc/init.d/functions ]; then
+ if [ "$CONSOLETYPE" = "serial" ]; then
+ $0 echo -n " "
+ fi
+ echo_failure
+ echo
+ else
+ echo " [ FAILED ]"
+ fi
+ fi
+
+ if [ ${OS} = "Linux" ] ; then
+ sleep 10
+ elif [ ${OS} = "SunOS" ] ; then
+ sleep 20
+ fi
+ return ${rv}
+}
+
+stop_instance()
+{
+ rv=0
+
+ echo -n "Stopping ${prog}: "
+
+ if [ -f ${PKI_LOCKFILE} ] ; then
+ ${httpd} ${PKI_OPTIONS} -k stop
+
+ rv=$?
+
+ if [ ${rv} = 0 ]; then
+ count=0;
+
+ if [ -f ${pidfile} ]; then
+ read kpid < ${pidfile}
+ let kwait=$SHUTDOWN_WAIT
+
+ until [ `ps -p $kpid | grep -c $kpid` = '0' ] ||
+ [ $count -gt $kwait ]
+ do
+ echo -n "."
+ sleep 1
+ let count=$count+1;
+ done
+
+ if [ $count -gt $kwait ]; then
+ kill -9 $kpid
+ fi
+ fi
+
+ rm -f ${PKI_LOCKFILE}
+ rm -f ${pidfile}
+
+ if [ -f /etc/init.d/functions ]; then
+ if [ "$CONSOLETYPE" = "serial" ]; then
+ echo -n " "
+ fi
+ echo_success
+ echo
+ else
+ echo " [ OK ]"
+ fi
+ else
+ if [ -f /etc/init.d/functions ]; then
+ if [ "$CONSOLETYPE" = "serial" ]; then
+ echo -n " "
+ fi
+ echo_failure
+ echo
+ else
+ echo " [ FAILED ]"
+ fi
+ rv=${default_error}
+ fi
+ else
+ echo
+ echo "process already stopped"
+ rv=0
+ fi
+
+ return ${rv}
+}
+
+reload_instance()
+{
+ rv=0
+
+ echo -n $"Reloading ${prog}: "
+
+ if ! LANG=${PKI_HTTPD_LANG} ${httpd} ${PKI_OPTIONS} -t >&/dev/null; then
+ rv=$?
+ echo $"not reloading due to configuration syntax error"
+ if [ -f /etc/init.d/functions ]; then
+ failure $"not reloading ${httpd} due to configuration syntax error"
+ else
+ echo $"not reloading ${httpd} due to configuration syntax error"
+ fi
+ else
+ if [ -f /etc/init.d/functions ]; then
+ killproc -p ${pidfile} ${httpd} -HUP
+ rv=$?
+ else
+ if [ -f ${PKI_LOCKFILE} ] ; then
+ if [ -f ${pidfile} ]; then
+ read kpid < ${pidfile}
+ if checkpid $kpid 2>&1; then
+ kill -HUP $kpid
+ rv=$?
+ if [ ${rv} != 0 ]; then
+ rv=${default_error}
+ fi
+ fi
+ else
+ # * 7 program is not running
+ rv=7
+ echo
+ echo -n "lock file found but no process "
+ echo -n "running for pid $kpid, continuing"
+ echo
+ echo
+ rm -f ${PKI_LOCKFILE}
+ fi
+ fi
+ fi
+ fi
+ echo
+
+ return ${rv}
+}
+
+# The semantics of the 'start()' function differs from the way 'apachectl'
+# does things -- attempting to start while running is a failure.
+# So we just do it the way init scripts are expected to behave here.
+start()
+{
+ # From "http://fedoraproject.org/wiki/FCNewInit/Initscripts":
+ #
+ # * 0 action was successful
+ # * 1 generic or unspecified error (current practice)
+ # * 2 invalid or excess argument(s)
+ # * 3 unimplemented feature (for example, "reload")
+ # * 4 user had insufficient privilege
+ # * 5 program is not installed
+ # * 6 program is not configured
+ # * 7 program is not running
+ # * 8-99 reserved for future LSB use
+ # * 100-149 reserved for distribution use
+ # * 150-199 reserved for application use
+ # * 200-254 reserved
+ #
+
+ error_rv=0
+ rv=0
+
+ if [ -n "${PKI_REGISTRY_ENTRIES}" ]; then
+ config_errors=0
+ errors=0
+
+ if [ ${TOTAL_PKI_REGISTRY_ENTRIES} -gt 1 ] ; then
+ echo "BEGIN STARTING '${PKI_TYPE}' INSTANCE(S):"
+ fi
+
+ # Start every PKI instance of this type that isn't already running
+ for PKI_REGISTRY_ENTRY in ${PKI_REGISTRY_ENTRIES}; do
+ # Source values associated with this particular PKI instance
+ [ -f ${PKI_REGISTRY_ENTRY} ] &&
+ . ${PKI_REGISTRY_ENTRY}
+
+ pidfile=${PKI_PIDDIR}/${PKI_PIDFILE}
+
+ [ ${TOTAL_PKI_REGISTRY_ENTRIES} -gt 1 ] && echo
+
+ start_instance
+
+ rv=$?
+ if [ ${rv} = 6 ] ; then
+ # Since at least ONE configuration error exists, then there
+ # is at least ONE unconfigured instance from the PKI point
+ # of view.
+ #
+ # However, it must still be considered that the
+ # instance is "running" from the point of view of other
+ # OS programs such as 'chkconfig'.
+ #
+ # Therefore, ignore non-zero return codes resulting
+ # from configuration errors.
+ #
+
+ config_errors=`expr $config_errors + 1`
+ rv=0
+ elif [ ${rv} != 0 ] ; then
+ errors=`expr $errors + 1`
+ error_rv=${rv}
+ fi
+ done
+
+ if [ ${TOTAL_PKI_REGISTRY_ENTRIES} -gt ${errors} ] ; then
+ touch ${lockfile}
+ chmod 00600 ${lockfile}
+ fi
+
+ # ONLY print a "WARNING" message if multiple
+ # instances are being examined
+ if [ ${TOTAL_PKI_REGISTRY_ENTRIES} -gt 1 ] ; then
+ # NOTE: "bad" return code(s) OVERRIDE configuration errors!
+ if [ ${errors} -eq 1 ]; then
+ # Since only ONE error exists, return that "bad" error code.
+ rv=${error_rv}
+ elif [ ${errors} -gt 1 ]; then
+ # Since MORE than ONE error exists, return an OVERALL status
+ # of "1 generic or unspecified error (current practice)"
+ rv=1
+ fi
+
+ if [ ${errors} -ge 1 ]; then
+ echo
+ echo -n "WARNING: "
+ echo -n "${errors} of ${TOTAL_PKI_REGISTRY_ENTRIES} "
+ echo -n "'${PKI_TYPE}' instances failed to start!"
+ echo
+ fi
+
+ if [ ${TOTAL_UNCONFIGURED_PKI_ENTRIES} -ge 1 ]; then
+ echo
+ echo -n "WARNING: "
+ echo -n "${TOTAL_UNCONFIGURED_PKI_ENTRIES} "
+ echo -n "of ${TOTAL_PKI_REGISTRY_ENTRIES} "
+ echo -n "'${PKI_TYPE}' instances MUST be configured!"
+ echo
+ fi
+
+ echo
+ echo "FINISHED STARTING '${PKI_TYPE}' INSTANCE(S)."
+ fi
+ else
+ echo
+ echo "ERROR: No '${PKI_TYPE}' instances installed!"
+ rv=5
+ fi
+
+ return ${rv}
+}
+
+# The semantics of the 'stop()' function differs from the way 'apachectl'
+# does things -- attempting to shutdown when not running is a failure.
+# So we just do it the way init scripts are expected to behave here.
+stop()
+{
+ # From "http://fedoraproject.org/wiki/FCNewInit/Initscripts":
+ #
+ # * 0 action was successful
+ # * 1 generic or unspecified error (current practice)
+ # * 2 invalid or excess argument(s)
+ # * 3 unimplemented feature (for example, "reload")
+ # * 4 user had insufficient privilege
+ # * 5 program is not installed
+ # * 6 program is not configured
+ # * 7 program is not running
+ # * 8-99 reserved for future LSB use
+ # * 100-149 reserved for distribution use
+ # * 150-199 reserved for application use
+ # * 200-254 reserved
+ #
+
+ error_rv=0
+ rv=0
+
+ if [ -n "${PKI_REGISTRY_ENTRIES}" ]; then
+ errors=0
+
+ if [ ${TOTAL_PKI_REGISTRY_ENTRIES} -gt 1 ] ; then
+ echo "BEGIN SHUTTING DOWN '${PKI_TYPE}' INSTANCE(S):"
+ fi
+
+ # Shutdown every PKI instance of this type that is running
+ for PKI_REGISTRY_ENTRY in ${PKI_REGISTRY_ENTRIES}; do
+ # Source values associated with this particular PKI instance
+ [ -f ${PKI_REGISTRY_ENTRY} ] &&
+ . ${PKI_REGISTRY_ENTRY}
+
+ pidfile=${PKI_PIDDIR}/${PKI_PIDFILE}
+
+ [ ${TOTAL_PKI_REGISTRY_ENTRIES} -gt 1 ] && echo
+
+ stop_instance
+
+ rv=$?
+ if [ ${rv} != 0 ] ; then
+ errors=`expr $errors + 1`
+ error_rv=${rv}
+ fi
+ done
+
+ if [ ${errors} -eq 0 ] ; then
+ rm -f ${lockfile}
+ fi
+
+ # ONLY print a "WARNING" message if multiple
+ # instances are being examined
+ if [ ${TOTAL_PKI_REGISTRY_ENTRIES} -gt 1 ] ; then
+ if [ ${errors} -eq 1 ]; then
+ # Since only ONE error exists, return that "bad" error code.
+ rv=${error_rv}
+ elif [ ${errors} -gt 1 ]; then
+ # Since MORE than ONE error exists, return an OVERALL status
+ # of "1 generic or unspecified error (current practice)"
+ rv=1
+ fi
+
+ if [ ${errors} -ge 1 ]; then
+ echo
+ echo -n "WARNING: "
+ echo -n "${errors} of ${TOTAL_PKI_REGISTRY_ENTRIES} "
+ echo -n "'${PKI_TYPE}' instances were "
+ echo -n "unsuccessfully stopped!"
+ echo
+ fi
+
+ echo
+ echo "FINISHED SHUTTING DOWN '${PKI_TYPE}' INSTANCE(S)."
+ fi
+ else
+ echo
+ echo "ERROR: No '${PKI_TYPE}' instances installed!"
+ rv=5
+ fi
+
+ return ${rv}
+}
+
+restart()
+{
+ # From "http://fedoraproject.org/wiki/FCNewInit/Initscripts":
+ #
+ # * 0 action was successful
+ # * 1 generic or unspecified error (current practice)
+ # * 2 invalid or excess argument(s)
+ # * 3 unimplemented feature (for example, "reload")
+ # * 4 user had insufficient privilege
+ # * 5 program is not installed
+ # * 6 program is not configured
+ # * 7 program is not running
+ # * 8-99 reserved for future LSB use
+ # * 100-149 reserved for distribution use
+ # * 150-199 reserved for application use
+ # * 200-254 reserved
+ #
+
+ stop
+ sleep 2
+ echo
+ echo "============================================================"
+ echo
+ start
+
+ return $?
+}
+
+reload()
+{
+ # From "http://fedoraproject.org/wiki/FCNewInit/Initscripts":
+ #
+ # * 0 action was successful
+ # * 1 generic or unspecified error (current practice)
+ # * 2 invalid or excess argument(s)
+ # * 3 unimplemented feature (for example, "reload")
+ # * 4 user had insufficient privilege
+ # * 5 program is not installed
+ # * 6 program is not configured
+ # * 7 program is not running
+ # * 8-99 reserved for future LSB use
+ # * 100-149 reserved for distribution use
+ # * 150-199 reserved for application use
+ # * 200-254 reserved
+ #
+
+ error_rv=0
+ rv=0
+
+ if [ -n "${PKI_REGISTRY_ENTRIES}" ]; then
+ errors=0
+
+ if [ ${TOTAL_PKI_REGISTRY_ENTRIES} -gt 1 ] ; then
+ echo "BEGIN RELOADING '${PKI_TYPE}' INSTANCE(S):"
+ fi
+
+ # Reload every PKI instance of this type that is running
+ for PKI_REGISTRY_ENTRY in ${PKI_REGISTRY_ENTRIES}; do
+ # Source values associated with this particular PKI instance
+ [ -f ${PKI_REGISTRY_ENTRY} ] &&
+ . ${PKI_REGISTRY_ENTRY}
+
+ pidfile=${PKI_PIDDIR}/${PKI_PIDFILE}
+
+ [ ${TOTAL_PKI_REGISTRY_ENTRIES} -gt 1 ] && echo
+
+ reload_instance
+
+ rv=$?
+ if [ ${rv} != 0 ] ; then
+ errors=`expr $errors + 1`
+ error_rv=${rv}
+ fi
+ done
+
+ # ONLY print a "WARNING" message if multiple
+ # instances are being examined
+ if [ ${TOTAL_PKI_REGISTRY_ENTRIES} -gt 1 ] ; then
+ if [ ${errors} -eq 1 ]; then
+ # Since only ONE error exists, return that "bad" error code.
+ rv=${error_rv}
+ elif [ ${errors} -gt 1 ]; then
+ # Since MORE than ONE error exists, return an OVERALL status
+ # of "1 generic or unspecified error (current practice)"
+ rv=1
+ fi
+
+ if [ ${errors} -ge 1 ]; then
+ echo
+ echo -n "WARNING: "
+ echo -n "${errors} of ${TOTAL_PKI_REGISTRY_ENTRIES} "
+ echo -n "'${PKI_TYPE}' instances were "
+ echo -n "unsuccessfully reloaded!"
+ echo
+ fi
+
+ echo
+ echo "FINISHED RELOADING '${PKI_TYPE}' INSTANCE(S)."
+ fi
+ else
+ echo
+ echo "ERROR: No '${PKI_TYPE}' instances reloaded!"
+ rv=5
+ fi
+
+ return ${rv}
+}
+
+status()
+{
+ # From "http://fedoraproject.org/wiki/FCNewInit/Initscripts":
+ #
+ # * 0 program is running or service is OK
+ # * 1 program is dead and /var/run pid file exists
+ # * 2 program is dead and /var/lock lock file exists
+ # * 3 program is not running
+ # * 4 program or service status is unknown
+ # * 5-99 reserved for future LSB use
+ # * 100-149 reserved for distribution use
+ # * 150-199 reserved for application use
+ # * 200-254 reserved
+ #
+
+ error_rv=0
+ rv=0
+
+ if [ -n "${PKI_REGISTRY_ENTRIES}" ]; then
+ errors=0
+
+ if [ ${TOTAL_PKI_REGISTRY_ENTRIES} -gt 1 ] ; then
+ echo "REPORT STATUS OF '${PKI_TYPE}' INSTANCE(S):"
+ fi
+
+ # Obtain status of every PKI instance of this type
+ for PKI_REGISTRY_ENTRY in ${PKI_REGISTRY_ENTRIES}; do
+ # Source values associated with this particular PKI instance
+ [ -f ${PKI_REGISTRY_ENTRY} ] &&
+ . ${PKI_REGISTRY_ENTRY}
+
+ pidfile=${PKI_PIDDIR}/${PKI_PIDFILE}
+
+ [ ${TOTAL_PKI_REGISTRY_ENTRIES} -gt 1 ] && echo
+
+ display_instance_status
+
+ rv=$?
+ if [ ${rv} -ne 0 ] ; then
+ errors=`expr $errors + 1`
+ error_rv=${rv}
+ fi
+ done
+
+ # ONLY print a "WARNING" message if multiple
+ # instances are being examined
+ if [ ${TOTAL_PKI_REGISTRY_ENTRIES} -gt 1 ] ; then
+ if [ ${errors} -eq 1 ]; then
+ # Since only ONE error exists, return that "bad" error code.
+ rv=${error_rv}
+ elif [ ${errors} -gt 1 ]; then
+ # Since MORE than ONE error exists, return an OVERALL status
+ # of "4 - program or service status is unknown"
+ rv=4
+ fi
+
+ if [ ${errors} -ge 1 ]; then
+ echo
+ echo -n "WARNING: "
+ echo -n "${errors} of ${TOTAL_PKI_REGISTRY_ENTRIES} "
+ echo -n "'${PKI_TYPE}' instances reported status failures!"
+ echo
+ fi
+
+ if [ ${TOTAL_UNCONFIGURED_PKI_ENTRIES} -ge 1 ]; then
+ echo
+ echo -n "WARNING: "
+ echo -n "${TOTAL_UNCONFIGURED_PKI_ENTRIES} "
+ echo -n "of ${TOTAL_PKI_REGISTRY_ENTRIES} "
+ echo -n "'${PKI_TYPE}' instances MUST be configured!"
+ echo
+ fi
+
+ echo
+ echo "FINISHED REPORTING STATUS OF '${PKI_TYPE}' INSTANCE(S)."
+ fi
+ else
+ echo
+ echo "ERROR: No '${PKI_TYPE}' instances installed!"
+ rv=4
+ fi
+
+ return ${rv}
+}
+
+# See how we were called.
+case "${command}" in
+ start|stop|restart|reload|status)
+ ${command}
+ exit $?
+ ;;
+ condrestart|force-restart|try-restart)
+ [ ! -f ${lockfile} ] || restart
+ exit $?
+ ;;
+ *)
+ # * 3 unimplemented feature (for example, "reload")
+ # [invalid command - should never be reached]
+ echo
+ usage
+ echo "where valid instance names include:"
+ list_instances
+ exit 3
+ ;;
+esac
+
diff --git a/pki/base/ra/setup/postinstall b/pki/base/ra/setup/postinstall
deleted file mode 100755
index 517c6e448..000000000
--- a/pki/base/ra/setup/postinstall
+++ /dev/null
@@ -1,66 +0,0 @@
-#!/bin/bash
-#
-# --- BEGIN COPYRIGHT BLOCK ---
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation; version 2 of the License.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License along
-# with this program; if not, write to the Free Software Foundation, Inc.,
-# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-#
-# Copyright (C) 2007 Red Hat, Inc.
-# All rights reserved.
-# --- END COPYRIGHT BLOCK ---
-#
-
-###############################################################################
-## (1) Check command line arguments to see how many were passed in. ##
-###############################################################################
-
-if [ $# -eq 4 ]
-then
- PKI_PRODUCT_NAME=$1
- PKI_SUBSYSTEM_NAME=$2
- VERSION=$3
- RELEASE=$4
-else
- echo
- echo "Usage: $0 PKI_product_name PKI_subsystem_name version release"
- echo
-
- exit 255
-fi
-
-
-###############################################################################
-## (2) Specify variables used by this script. ##
-###############################################################################
-
-PKI_INSTANCE_NAME="${PKI_PRODUCT_NAME}-${PKI_SUBSYSTEM_NAME}"
-SECURE_PORT=12889
-NON_CLIENTAUTH_SECURE_PORT=12890
-UNSECURE_PORT=12888
-
-
-###############################################################################
-## (3) Create the first instance of a Registration Authority (RA). ##
-###############################################################################
-
-if [ ! -e "/var/lib/${PKI_INSTANCE_NAME}" ]
-then
- /usr/bin/pkicreate -pki_instance_root=/var/lib -pki_instance_name=${PKI_INSTANCE_NAME} -subsystem_type=${PKI_SUBSYSTEM_NAME} -secure_port=${SECURE_PORT} -non_clientauth_secure_port=${NON_CLIENTAUTH_SECURE_PORT} -unsecure_port=${UNSECURE_PORT} -redirect conf=/etc/${PKI_INSTANCE_NAME} -redirect logs=/var/log/${PKI_INSTANCE_NAME}
-fi
-
-
-###############################################################################
-## (4) Successfully exit from this postinstallation script. ##
-###############################################################################
-
-exit 0
-
generated by cgit (git 2.34.1) at 2024-07-07 21:25:17 +0000