diff options
author | mharmsen <mharmsen@c9f7a03b-bd48-0410-a16d-cbbf54688b0b> | 2010-01-21 23:17:26 +0000 |
---|---|---|
committer | mharmsen <mharmsen@c9f7a03b-bd48-0410-a16d-cbbf54688b0b> | 2010-01-21 23:17:26 +0000 |
commit | 67ee705eafd9fb655f61732ba3c8ec2c869a409e (patch) | |
tree | d711e76cbd24198cb1247c2c72bbe72e7f40cb4d /pki/base/ra | |
parent | 77677d528c57e0648ee149176fa87447c25292b0 (diff) | |
download | pki-67ee705eafd9fb655f61732ba3c8ec2c869a409e.tar.gz pki-67ee705eafd9fb655f61732ba3c8ec2c869a409e.tar.xz pki-67ee705eafd9fb655f61732ba3c8ec2c869a409e.zip |
Bugzilla Bug #512234 - Move pkiuser:pkiuser check from spec file into pkicreate . . .
Bugzilla Bug #547471 - Apply PKI SELinux changes to PKI registry model
Bugzilla Bug #553076 - Apply "registry" logic to pki-ra . . .
Bugzilla Bug #553078 - Apply "registry" logic to pki-tps . . .
git-svn-id: svn+ssh://svn.fedorahosted.org/svn/pki/trunk@933 c9f7a03b-bd48-0410-a16d-cbbf54688b0b
Diffstat (limited to 'pki/base/ra')
-rw-r--r-- | pki/base/ra/apache/conf/httpd.conf | 2 | ||||
-rw-r--r-- | pki/base/ra/build.xml | 16 | ||||
-rwxr-xr-x | pki/base/ra/etc/init.d/httpd | 758 | ||||
-rwxr-xr-x | pki/base/ra/etc/init.d/pki-rad | 1415 | ||||
-rwxr-xr-x | pki/base/ra/setup/postinstall | 66 |
5 files changed, 1428 insertions, 829 deletions
diff --git a/pki/base/ra/apache/conf/httpd.conf b/pki/base/ra/apache/conf/httpd.conf index 4e6d2151f..1312f0822 100644 --- a/pki/base/ra/apache/conf/httpd.conf +++ b/pki/base/ra/apache/conf/httpd.conf @@ -78,7 +78,7 @@ ServerRoot "[SERVER_ROOT]" # identification number when it starts. # <IfModule !mpm_netware.c> -PidFile logs/[INSTANCE_ID].pid +PidFile run/[INSTANCE_ID].pid </IfModule> # diff --git a/pki/base/ra/build.xml b/pki/base/ra/build.xml index 499ce45af..3a303fecc 100644 --- a/pki/base/ra/build.xml +++ b/pki/base/ra/build.xml @@ -154,12 +154,16 @@ <include name="scripts/schema.sql"/> <include name="setup/config.desktop"/> </zipfileset> + <zipfileset dir="./etc/init.d" + filemode="755" + prefix="etc/${init.d}"> + <include name="pki-rad"/> + </zipfileset> <zipfileset dir="." filemode="755" prefix="usr/share/${product.prefix}/${product}"> - <include name="etc/**"/> <include name="scripts/nss_pcache"/> - <include name="setup/postinstall"/> + <exclude name="etc/init.d/pki-rad"/> </zipfileset> <zipfileset dir="./forms" filemode="755" @@ -202,12 +206,16 @@ <include name="scripts/schema.sql"/> <include name="setup/config.desktop"/> </tarfileset> + <tarfileset dir="./etc/init.d" + mode="755" + prefix="${dist.name}/etc/${init.d}"> + <include name="pki-rad"/> + </tarfileset> <tarfileset dir="." mode="755" prefix="${dist.name}/usr/share/${product.prefix}/${product}"> - <include name="etc/**"/> <include name="scripts/nss_pcache"/> - <include name="setup/postinstall"/> + <exclude name="etc/init.d/pki-rad"/> </tarfileset> <tarfileset dir="./forms" mode="755" diff --git a/pki/base/ra/etc/init.d/httpd b/pki/base/ra/etc/init.d/httpd deleted file mode 100755 index 4f18cd136..000000000 --- a/pki/base/ra/etc/init.d/httpd +++ /dev/null @@ -1,758 +0,0 @@ -#!/bin/bash -# -# --- BEGIN COPYRIGHT BLOCK --- -# This program is free software; you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation; version 2 of the License. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License along -# with this program; if not, write to the Free Software Foundation, Inc., -# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. -# -# Copyright (C) 2007 Red Hat, Inc. -# All rights reserved. -# --- END COPYRIGHT BLOCK --- -# -# [INSTANCE_ID] Startup script for the Apache HTTP Server -# -# chkconfig: - 86 14 -# description: Registration Authority \ -# (Apache 2.2) -# processname: [INSTANCE_ID] -# config: [HTTPD_CONF] -# pidfile: [SERVER_ROOT]/logs/[INSTANCE_ID].pid - -# Disallow 'others' the ability to 'write' to new files -umask 00002 - -# Check to insure that this script's original invocation directory -# has not been deleted! -CWD=`/bin/pwd > /dev/null 2>&1` -if [ $? -ne 0 ] ; then - echo "Cannot invoke '$0' from non-existent directory!" - exit 255 -fi - -# Check to insure that this script's associated PKI -# subsystem currently resides on this system. -SUBSYSTEM_TYPE=[SUBSYSTEM_TYPE] -if [ ! -d /usr/share/pki/${SUBSYSTEM_TYPE} ] ; then - echo "This machine is missing the '${SUBSYSTEM_TYPE}' subsystem!" - exit 255 -fi - -# Obtain the operating system upon which this script is being executed -OS=`uname -s` -ARCHITECTURE="" - -# Time to wait in seconds, before killing process -# -# NOTE: Defined in "tomcat5.conf" for other PKI Subsystems. -# -STARTUP_WAIT=30 -SHUTDOWN_WAIT=30 - -# This script must be run as root! -RV=0 -if [ ${OS} = "Linux" ] ; then - if [ `id -u` -ne 0 ] ; then - echo "Must be 'root' to execute '$0'!" - exit 1 - fi - ARCHITECTURE=`uname -i` -elif [ ${OS} = "SunOS" ] ; then - if [ `/usr/xpg4/bin/id -u` -ne 0 ] ; then - echo "Must be 'root' to execute '$0'!" - exit 1 - fi - ARCHITECTURE=`uname -p` - if [ "${ARCHITECTURE}" = "sparc" ] && - [ -d "/usr/lib/sparcv9/" ] ; then - ARCHITECTURE="sparcv9" - fi -else - echo "Unsupported OS '${OS}'!" - exit 1 -fi - -# Initialize environment variables -LD_LIBRARY_PATH=[SYSTEM_USER_LIBRARIES]:[SYSTEM_LIBRARIES]:${LD_LIBRARY_PATH} -LD_LIBRARY_PATH=[SECURITY_LIBRARIES]:${LD_LIBRARY_PATH} -export LD_LIBRARY_PATH - -# Source function library. -if [ -f /etc/init.d/functions ]; then - . /etc/init.d/functions -else - # The checkpid() function is provided for platforms that do not - # contain the "/etc/init.d/functions" file (e. g. - Solaris) . . . - - # Check if ${pid} (could be plural) are running (keep count) - checkpid() - { - rv=0 - for i in $* ; do - ps -p $i > /dev/null 2>&1 ; - if [ $? -ne 0 ] ; then - rv=`expr $rv + 1` - else - rv=`expr $rv + 0` - fi - done - # echo "rv=$rv" - return $rv - } - - # Create the following directories on platforms - # where they do not exist (e. g. - Solaris) . . . - if [ ! -d /var/lock/subsys ] ; then - mkdir -p /var/lock/subsys - fi -fi - -######################################################################## -# This section contains modified content of "/etc/sysconfig/httpd" # -######################################################################## -# Configuration file for the [INSTANCE_ID] service. - -# -# The default processing model (MPM) is the process-based -# 'prefork' model. A thread-based model, 'worker', is also -# available, but does not work with some modules (such as PHP). -# The service must be stopped before changing this variable. -# -HTTPD=[FORTITUDE_DIR]/sbin/httpd.worker - -# -# To pass additional options (for instance, -D definitions) to the -# httpd binary at startup, set OPTIONS here. -# -OPTIONS="-f [HTTPD_CONF]" - -# -# By default, the httpd process is started in the C locale; to -# change the locale in which the server runs, the HTTPD_LANG -# variable can be set. -# -HTTPD_LANG=C -######################################################################## -# # -######################################################################## - -# This will prevent initlog from swallowing up a pass-phrase prompt if -# mod_ssl needs a pass-phrase from the user. -INITLOG_ARGS="" - -# Set HTTPD=/usr/sbin/httpd.worker in /etc/sysconfig/httpd to use a server -# with the thread-based "worker" MPM; BE WARNED that some modules may not -# work correctly with a thread-based MPM; notably PHP will refuse to start. - -# Path to the server binary and short-form for messages. -httpd=${HTTPD:-[FORTITUDE_DIR]/sbin/httpd} -prog=[INSTANCE_ID] -pki_instance_configuration_file=[SERVER_ROOT]/conf/CS.cfg -pidfile=${PIDFILE:-[SERVER_ROOT]/logs/[INSTANCE_ID].pid} -lockfile=${LOCKFILE:-/var/lock/subsys/[INSTANCE_ID]} -RESTART_SERVER=[SERVER_ROOT]/conf/restart_server_after_configuration -RETVAL=0 - -# see if httpd is linked with the openldap libraries - we need to override them -if [ ${OS} = "Linux" ]; then - hasopenldap=0 - - /usr/bin/ldd $httpd 2>&1 | grep libldap- > /dev/null 2>&1 && hasopenldap=1 - - if [ $hasopenldap -eq 1 ] ; then - LD_PRELOAD="[SYSTEM_USER_LIBRARIES]/libldap60.so" - LD_PRELOAD="[SYSTEM_USER_LIBRARIES]/libssl3.so:${LD_PRELOAD}" - export LD_PRELOAD - fi -elif [ ${OS} = "SunOS" ] ; then - LD_PRELOAD_64="[SYSTEM_USER_LIBRARIES]/libldap60.so" - LD_PRELOAD_64="[SYSTEM_USER_LIBRARIES]/dirsec/libssl3.so:${LD_PRELOAD_64}" - export LD_PRELOAD_64 -fi - -check_pki_configuration_status() -{ - rv=0 - - rv=`grep -c ^preop ${pki_instance_configuration_file}` - - rv=`expr ${rv} + 0` - - if [ ${rv} -ne 0 ] ; then - echo " '[INSTANCE_ID]' must still be CONFIGURED!" - echo " (see /var/log/[INSTANCE_ID]-install.log)" - elif [ -f ${RESTART_SERVER} ] ; then - echo " Although '[INSTANCE_ID]' has been CONFIGURED, it must still be RESTARTED!" - rv=255 - fi - - return ${rv} -} - -get_pki_status_definitions() -{ - # establish well-known strings - listen_statement="Listen" - total_ports=0 - UNSECURE_PORT="" - CLIENTAUTH_PORT="" - NON_CLIENTAUTH_PORT="" - - # check to see that an instance-specific "httpd.conf" file exists - if [ ! -f [HTTPD_CONF] ] ; then - echo "File '[HTTPD_CONF]' does not exist!" - exit 255 - fi - - # check to see that an instance-specific "nss.conf" file exists - if [ ! -f [NSS_CONF] ] ; then - echo "File '[NSS_CONF]' does not exist!" - exit 255 - fi - - # read this instance-specific "httpd.conf" file line-by-line - # to obtain the current value of the PKI unsecure port - - exec < [HTTPD_CONF] - while read line; do - # look for the listen statement - head=`echo $line | cut -b1-6` - if [ "$head" == "$listen_statement" ] ; then - # once the 'unsecure' listen statement has been found, - # extract the numeric port information - port=`echo $line | cut -b8-` - UNSECURE_PORT=$port - echo " Unsecure Port = http://[SERVER_NAME]:${UNSECURE_PORT}" - total_ports=`expr ${total_ports} + 1` - break; - fi - done - - # read this instance-specific "nss.conf" file line-by-line - # to obtain the current value of the "clientauth" PKI secure port - # AND the current value of the "non-clientauth" PKI secure port - - exec < [NSS_CONF] - while read line; do - # look for the listen statement - head=`echo $line | cut -b1-6` - if [ "$head" == "$listen_statement" ] && - [ ${total_ports} -eq 2 ] ; then - # once the 'non-clientauth' listen statement has been found, - # extract the numeric port information - non_clientauth_port=`echo $line | cut -b8-` - NON_CLIENTAUTH_PORT=$non_clientauth_port - echo " Secure Non-Clientauth Port = https://[SERVER_NAME]:${NON_CLIENTAUTH_PORT}" - total_ports=`expr ${total_ports} + 1` - break - fi - if [ "$head" == "$listen_statement" ] && - [ ${total_ports} -eq 1 ] ; then - # once the 'clientauth' listen statement has been found, - # extract the numeric port information - clientauth_port=`echo $line | cut -b8-` - CLIENTAUTH_PORT=$clientauth_port - echo " Secure Clientauth Port = https://[SERVER_NAME]:${CLIENTAUTH_PORT}" - total_ports=`expr ${total_ports} + 1` - fi - done - - if [ ${total_ports} -eq 3 ] ; then - return 0 - else - return 255 - fi -} - -get_pki_configuration_definitions() -{ - # Obtain the PKI Subsystem Type - line=`grep ^cs.type= ${pki_instance_configuration_file}` - pki_subsystem=`echo "${line}" | cut -b9-` - if [ "${line}" != "" ] ; then - if [ "${pki_subsystem}" != "CA" ] && - [ "${pki_subsystem}" != "KRA" ] && - [ "${pki_subsystem}" != "OCSP" ] && - [ "${pki_subsystem}" != "TKS" ] && - [ "${pki_subsystem}" != "RA" ] && - [ "${pki_subsystem}" != "TPS" ] - then - return 255 - fi - if [ "${pki_subsystem}" == "KRA" ] ; then - # Rename "KRA" to "DRM" - pki_subsystem="DRM" - fi - else - return 255 - fi - - # If "${pki_subsystem}" is a CA, DRM, OCSP, or TKS, - # check to see if "${pki_subsystem}" is a "Clone" - pki_clone="" - if [ "${pki_subsystem}" == "CA" ] || - [ "${pki_subsystem}" == "DRM" ] || - [ "${pki_subsystem}" == "OCSP" ] || - [ "${pki_subsystem}" == "TKS" ] - then - line=`grep ^subsystem.select= ${pki_instance_configuration_file}` - if [ "${line}" != "" ] ; then - pki_clone=`echo "${line}" | cut -b18-` - if [ "${pki_clone}" != "Clone" ] ; then - # Reset "${pki_clone}" to be empty - pki_clone="" - fi - else - return 255 - fi - fi - - # If "${pki_subsystem}" is a CA, and is NOT a "Clone", check to - # see "${pki_subsystem}" is a "Root" or a "Subordinate" CA - pki_hierarchy="" - if [ "${pki_subsystem}" == "CA" ] && - [ "${pki_clone}" != "Clone" ] - then - line=`grep ^hierarchy.select= ${pki_instance_configuration_file}` - if [ "${line}" != "" ] ; then - pki_hierarchy=`echo "${line}" | cut -b18-` - else - return 255 - fi - fi - - # If ${pki_subsystem} is a CA, check to - # see if it is also a Security Domain - pki_security_domain="" - if [ "${pki_subsystem}" == "CA" ] ; then - line=`grep ^securitydomain.select= ${pki_instance_configuration_file}` - if [ "${line}" != "" ] ; then - pki_security_domain=`echo "${line}" | cut -b23-` - if [ "${pki_security_domain}" == "new" ] ; then - # Set a fixed value for "${pki_security_domain}" - pki_security_domain="(Security Domain)" - else - # Reset "${pki_security_domain}" to be empty - pki_security_domain="" - fi - else - return 255 - fi - fi - - # Always obtain this PKI instance's "registered" - # security domain information - pki_security_domain_name="" - pki_security_domain_hostname="" - pki_security_domain_https_admin_port="" - - line=`grep ^securitydomain.name= ${pki_instance_configuration_file}` - if [ "${line}" != "" ] ; then - pki_security_domain_name=`echo "${line}" | cut -b21-` - else - return 255 - fi - - line=`grep ^securitydomain.host= ${pki_instance_configuration_file}` - if [ "${line}" != "" ] ; then - pki_security_domain_hostname=`echo "${line}" | cut -b21-` - else - return 255 - fi - - line=`grep ^securitydomain.httpsadminport= ${pki_instance_configuration_file}` - if [ "${line}" != "" ] ; then - pki_security_domain_https_admin_port=`echo "${line}" | cut -b31-` - else - return 255 - fi - - # Compose the "PKI Instance Name" Status Line - pki_instance_name="PKI Instance Name: [INSTANCE_ID]" - - # Compose the "PKI Subsystem Type" Status Line - header="PKI Subsystem Type: " - if [ "${pki_clone}" != "" ] ; then - if [ "${pki_security_domain}" != "" ]; then - # Possible Values: - # - # "CA Clone (Security Domain)" - # - data="${pki_subsystem} ${pki_clone} ${pki_security_domain}" - else - # Possible Values: - # - # "CA Clone" - # "DRM Clone" - # "OCSP Clone" - # "TKS Clone" - # - data="${pki_subsystem} ${pki_clone}" - fi - elif [ "${pki_hierarchy}" != "" ] ; then - if [ "${pki_security_domain}" != "" ]; then - # Possible Values: - # - # "Root CA (Security Domain)" - # "Subordinate CA (Security Domain)" - # - data="${pki_hierarchy} ${pki_subsystem} ${pki_security_domain}" - else - # Possible Values: - # - # "Root CA" - # "Subordinate CA" - # - data="${pki_hierarchy} ${pki_subsystem}" - fi - else - # Possible Values: - # - # "DRM" - # "OCSP" - # "RA" - # "TKS" - # "TPS" - # - data="${pki_subsystem}" - fi - pki_subsystem_type="${header} ${data}" - - # Compose the "Registered PKI Security Domain Information" Status Line - header="Name: " - registered_pki_security_domain_name="${header} ${pki_security_domain_name}" - - header="URL: " - if [ "${pki_security_domain_hostname}" != "" ] && - [ "${pki_security_domain_https_admin_port}" != "" ] - then - data="https://${pki_security_domain_hostname}:${pki_security_domain_https_admin_port}" - else - return 255 - fi - registered_pki_security_domain_url="${header} ${data}" - - # Print the "PKI Subsystem Type" Status Line - echo - echo " ${pki_instance_name}" - - # Print the "PKI Subsystem Type" Status Line - echo - echo " ${pki_subsystem_type}" - - # Print the "Registered PKI Security Domain Information" Status Line - echo - echo " Registered PKI Security Domain Information:" - echo " ==========================================================================" - echo " ${registered_pki_security_domain_name}" - echo " ${registered_pki_security_domain_url}" - echo " ==========================================================================" - - return 0 -} - -get_pki_secure_port() -{ - # establish well-known strings - listen_statement="Listen" - - # first check to see that an instance-specific "nss.conf" file exists - if [ ! -f [NSS_CONF] ] ; then - echo "File '[NSS_CONF]' does not exist!" - exit 255 - fi - - # read this instance-specific "nss.conf" file line-by-line - # to obtain the current value of the "clientauth" PKI secure port - - exec < [NSS_CONF] - while read line; do - # look for the listen statement - head=`echo $line | cut -b1-6` - if [ "$head" == "$listen_statement" ] ; then - # once the 'clientauth' listen statement has been found, - # extract the numeric port information - port=`echo $line | cut -b8-` - SECURE_PORT=$port - return 0 - fi - done - - return 255 -} - -# The semantics of these two functions differ from the way apachectl does -# things -- attempting to start while running is a failure, and shutdown -# when not running is also a failure. So we just do it the way init scripts -# are expected to behave here. -start() -{ - echo -n $"Starting $prog: " - - if [ -f ${RESTART_SERVER} ] ; then - rm -f ${RESTART_SERVER} - fi - - if [ -f ${lockfile} ] ; then - if [ -f ${pidfile} ]; then - read kpid < ${pidfile} - if checkpid $kpid 2>&1; then - echo - echo "process already running" - return 255 - else - echo - echo -n "lock file found but no process " - echo -n "running for pid $kpid, continuing" - echo - echo - fi - fi - fi - - # restore context for ncipher hsm - [ -x /sbin/restorecon ] && [ -d /dev/nfast ] && /sbin/restorecon -R /dev/nfast - - - if [ -f /etc/init.d/functions ]; then - /usr/sbin/selinuxenabled - RETVAL=$? - if [ $RETVAL = 0 ] ; then - if [ ${ARCHITECTURE} = "i386" ] ; then - LANG=$HTTPD_LANG daemon runcon -t pki_ra_t -- $httpd $OPTIONS - # overwrite output from "daemon" - echo -n $"Starting $prog: " - elif [ ${ARCHITECTURE} = "x86_64" ] ; then - # NOTE: "daemon" is incompatible with "httpd" - # on 64-bit architectures - LANG=$HTTPD_LANG runcon -t pki_ra_t -- $httpd $OPTIONS - fi - else - LANG=$HTTPD_LANG daemon $httpd $OPTIONS - # overwrite output from "daemon" - echo -n $"Starting $prog: " - fi - else - LANG=$HTTPD_LANG $httpd $OPTIONS -k start - fi - - RETVAL=$? - [ $RETVAL = 0 ] && touch ${lockfile} - - if [ $RETVAL = 0 ] ; then - count=0; - - let swait=$STARTUP_WAIT - until [ -s ${pidfile} ] || - [ $count -gt $swait ] - do - echo -n "." - sleep 1 - let count=$count+1; - done - - if [ -f /etc/init.d/functions ]; then - echo_success - echo - else - echo " [ OK ]" - fi - - get_pki_secure_port - if [ $? -ne 0 ] ; then - SECURE_PORT="<Port Undefined>" - fi - - # Set permissions of log files - pki_logs_directory=`dirname ${pidfile}` - for file in ${pki_logs_directory}/*; do - if [ "${file}" != "${pidfile}" ]; then - chmod 00660 ${file} - chgrp [GROUPID] ${file} - chown [USERID] ${file} - fi - done - else - if [ -f /etc/init.d/functions ]; then - echo_failure - echo - else - echo " [ FAILED ]" - fi - fi - - if [ ${OS} = "Linux" ] ; then - sleep 10 - elif [ ${OS} = "SunOS" ] ; then - sleep 20 - fi - echo - status - return $RETVAL -} - -stop() -{ - echo -n "Stopping $prog: " - - if [ -f ${lockfile} ] ; then - $httpd $OPTIONS -k stop - - RETVAL=$? - - if [ $RETVAL = 0 ]; then - count=0; - - if [ -f ${pidfile} ]; then - read kpid < ${pidfile} - let kwait=$SHUTDOWN_WAIT - - until [ `ps -p $kpid | grep -c $kpid` = '0' ] || - [ $count -gt $kwait ] - do - echo -n "." - sleep 1 - let count=$count+1; - done - - if [ $count -gt $kwait ]; then - kill -9 $kpid - fi - fi - - rm -f ${lockfile} - rm -f ${pidfile} - - if [ -f /etc/init.d/functions ]; then - echo_success - echo - else - echo " [ OK ]" - fi - else - if [ -f /etc/init.d/functions ]; then - echo_failure - echo - else - echo " [ FAILED ]" - fi - fi - else - echo - echo "process already stopped" - fi -} - -reload() -{ - echo -n $"Reloading $prog: " - - if ! LANG=$HTTPD_LANG $httpd $OPTIONS -t >&/dev/null; then - RETVAL=$? - echo $"not reloading due to configuration syntax error" - if [ -f /etc/init.d/functions ]; then - failure $"not reloading $httpd due to configuration syntax error" - else - echo $"not reloading $httpd due to configuration syntax error" - fi - else - if [ -f /etc/init.d/functions ]; then - killproc $httpd -HUP - # overwrite output from "killproc" - echo -n $"Stopping $prog: " - else - if [ -f ${lockfile} ] ; then - if [ -f ${pidfile} ]; then - read kpid < ${pidfile} - if checkpid $kpid 2>&1; then - kill -HUP $kpid - fi - else - echo - echo -n "lock file found but no process " - echo -n "running for pid $kpid, continuing" - echo - echo - fi - fi - fi - fi - echo -} - -status() -{ - if [ -f ${pidfile} ] ; then - pid=`cat ${pidfile}` - if [ "${pid}" == "" ] ; then - echo "[INSTANCE_ID] pid file exists but is empty" - elif kill -0 ${pid} > /dev/null 2>&1 ; then - echo "[INSTANCE_ID] (pid ${pid}) is running ..." - echo - check_pki_configuration_status - if [ $? -eq 0 ] ; then - get_pki_status_definitions - if [ $? -ne 0 ] ; then - echo - echo "[INSTANCE_ID] Status Definitions not found" - fi - get_pki_configuration_definitions - if [ $? -ne 0 ] ; then - echo - echo "[INSTANCE_ID] Configuration Definitions not found" - fi - fi - echo - else - echo "[INSTANCE_ID] is dead but pid file exists" - fi - else - echo "[INSTANCE_ID] is stopped" - fi -} - -# See how we were called. -case "$1" in - start) - start - ;; - stop) - stop - ;; - restart) - stop - sleep 2 - start - ;; - condrestart) - if [ -f ${pidfile} ] ; then - stop - sleep 2 - start - else - echo -n "Unable to restart process since " - echo -n "'${pidfile}' does not exist!" - echo - fi - ;; - reload) - reload - ;; - status) - status - ;; - *) - echo $"Usage: $prog {start|stop|restart|condrestart|reload|status}" - exit 1 -esac - -exit $RETVAL - diff --git a/pki/base/ra/etc/init.d/pki-rad b/pki/base/ra/etc/init.d/pki-rad new file mode 100755 index 000000000..3ca7d6669 --- /dev/null +++ b/pki/base/ra/etc/init.d/pki-rad @@ -0,0 +1,1415 @@ +#!/bin/bash +# +# --- BEGIN COPYRIGHT BLOCK --- +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; version 2 of the License. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License along +# with this program; if not, write to the Free Software Foundation, Inc., +# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +# +# Copyright (C) 2007 Red Hat, Inc. +# All rights reserved. +# --- END COPYRIGHT BLOCK --- +# +# pki-rad Startup script for the Apache HTTP pki-ra Server +# +# chkconfig: - 86 14 +# description: Registration Authority \ +# (Apache 2.2) +# processname: pki-rad +# piddir: /var/run/pki/ra +# config: ${PKI_SERVER_ROOT}/conf/httpd.conf + +PKI_INIT_SCRIPT="" +PKI_PATH="/usr/share/pki/ra" +PKI_PIDDIR="/var/run/pki/ra" +PKI_PROCESS="pki-rad" +PKI_REGISTRY="/etc/sysconfig/pki/ra" +PKI_SELINUX_TYPE="pki_ra_t" +PKI_TYPE="pki-ra" + +# PKI subsystem-level directory and file values for locks +lockfile="/var/lock/subsys/pki-rad" + +# Disallow 'others' the ability to 'write' to new files +umask 00002 + +default_error=0 +command="$1" +pki_instance="$2" +case "${command}" in + start|stop|restart|condrestart|force-restart|try-restart) + # * 1 generic or unspecified error (current practice) + default_error=1 + ;; + reload) + default_error=3 + ;; + status) + # * 4 program or service status is unknown + default_error=4 + ;; + *) + # * 2 invalid argument(s) + default_error=2 + ;; +esac + +# Check to insure that this script's original invocation directory +# has not been deleted! +CWD=`/bin/pwd > /dev/null 2>&1` +if [ $? -ne 0 ] ; then + echo "Cannot invoke '$0' from non-existent directory!" + exit ${default_error} +fi + +# Check to insure that this script's associated PKI +# subsystem currently resides on this system. +if [ ! -d ${PKI_PATH} ] ; then + echo "This machine is missing the '${PKI_TYPE}' subsystem!" + if [ "${command}" != "status" ]; then + # * 5 program is not installed + exit 5 + else + exit ${default_error} + fi +fi + +# Check to insure that this script's associated PKI +# subsystem instance registry currently resides on this system. +if [ ! -d ${PKI_REGISTRY} ] ; then + echo "This machine contains no registered '${PKI_TYPE}' subsystem instances!" + if [ "${command}" != "status" ]; then + # * 5 program is not installed + exit 5 + else + exit ${default_error} + fi +fi + +# Obtain the operating system upon which this script is being executed +# and initialize environment variables +OS=`uname -s` +ARCHITECTURE="" +LD_LIBRARY_PATH="" + +# Time to wait in seconds, before killing process +# +# NOTE: Defined in "tomcat5.conf" for PKI Java/Tomcat Subsystems. +# +STARTUP_WAIT=30 +SHUTDOWN_WAIT=30 + +# This script must be run as root! +RV=0 +if [ ${OS} = "Linux" ] ; then + PKI_INIT_SCRIPT="/sbin/service ${PKI_PROCESS}" + if [ `id -u` -ne 0 ] ; then + echo "Must be 'root' to execute '$0'!" + if [ "${command}" != "status" ]; then + # * 4 user had insufficient privilege + exit 4 + else + # * 4 program or service status is unknown + exit 4 + fi + fi + ARCHITECTURE=`uname -i` + if [ ${ARCHITECTURE} = "i386" ] ; then + LD_LIBRARY_PATH="/usr/lib:/lib:${LD_LIBRARY_PATH}" + elif [ ${ARCHITECTURE} = "x86_64" ] ; then + LD_LIBRARY_PATH="/usr/lib64:/lib64:${LD_LIBRARY_PATH}" + else + echo "Unsupported architecture '${ARCHITECTURE}'!" + exit ${default_error} + fi +elif [ ${OS} = "SunOS" ] ; then + PKI_INIT_SCRIPT="/etc/init.d/${PKI_PROCESS}" + if [ `/usr/xpg4/bin/id -u` -ne 0 ] ; then + echo "Must be 'root' to execute '$0'!" + if [ "${command}" != "status" ]; then + # * 4 user had insufficient privilege + exit 4 + else + # * 4 program or service status is unknown + exit 4 + fi + fi + ARCHITECTURE=`uname -p` + if [ "${ARCHITECTURE}" = "sparc" ] && + [ -d "/usr/lib/sparcv9/" ] ; then + ARCHITECTURE="sparcv9" + fi + if [ ${ARCHITECTURE} = "sparcv9" ] ; then + LD_LIBRARY_PATH="/usr/lib/sparcv9:/lib/sparcv9:${LD_LIBRARY_PATH}" + LD_LIBRARY_PATH="/usr/lib/sparcv9/dirsec:${LD_LIBRARY_PATH}" + else + echo "Unsupported architecture '${ARCHITECTURE}'!" + exit ${default_error} + fi +else + echo "Unsupported OS '${OS}'!" + exit ${default_error} +fi +export LD_LIBRARY_PATH + +# Source function library. +if [ -f /etc/init.d/functions ]; then + . /etc/init.d/functions +else + # The checkpid() function is provided for platforms that do not + # contain the "/etc/init.d/functions" file (e. g. - Solaris) . . . + + # Check if ${pid} (could be plural) are running (keep count) + checkpid() + { + rv=0 + for i in $* ; do + ps -p $i > /dev/null 2>&1 ; + if [ $? -ne 0 ] ; then + rv=`expr $rv + 1` + else + rv=`expr $rv + 0` + fi + done + # echo "rv=$rv" + return $rv + } + + # Create the following directories on platforms + # where they do not exist (e. g. - Solaris) . . . + if [ ! -d "/var/lock" ] ; then + mkdir -p /var/lock + chown root:sys /var/lock + chmod 00755 /var/lock + fi + if [ ! -d "/var/lock/subsys" ] ; then + mkdir -p /var/lock/subsys + chown root:root /var/lock/subsys + chmod 00755 /var/lock/subsys + fi +fi + +PKI_REGISTRY_ENTRIES="" +TOTAL_PKI_REGISTRY_ENTRIES=0 +TOTAL_UNCONFIGURED_PKI_ENTRIES=0 + +# Gather ALL registered instances of this PKI subsystem type +for FILE in `/bin/ls -1 ${PKI_REGISTRY}/* 2>/dev/null`; do + if [ -f "$FILE" ] ; then + inst=`echo "$FILE"` + PKI_REGISTRY_ENTRIES="${PKI_REGISTRY_ENTRIES} $inst" + TOTAL_PKI_REGISTRY_ENTRIES=`expr ${TOTAL_PKI_REGISTRY_ENTRIES} + 1` + fi +done + +if [ -n "${pki_instance}" ]; then + for I in ${PKI_REGISTRY_ENTRIES}; do + if [ "${PKI_REGISTRY}/${pki_instance}" = "$I" ]; then + PKI_REGISTRY_ENTRIES="${PKI_REGISTRY}/${pki_instance}" + TOTAL_PKI_REGISTRY_ENTRIES=1 + break + fi + done +fi + +usage() +{ + echo -n "Usage: ${PKI_INIT_SCRIPT} " + echo -n "{start" + echo -n "|stop" + echo -n "|restart" + echo -n "|condrestart" + echo -n "|force-restart" + echo -n "|try-restart" + echo -n "|reload" + echo -n "|status} " + echo -n "[instance-name]" + echo + echo +} + +list_instances() +{ + echo + for FILE in `/bin/ls -1 ${PKI_REGISTRY}/* 2>/dev/null`; do + echo " ${FILE}" + done + echo +} + +# Check arguments +if [ $# -lt 1 ] ; then + # * 3 unimplemented feature (for example, "reload") + # [insufficient arguments] + echo "$0: Insufficient arguments!" + echo + usage + echo "where valid instance names include:" + list_instances + exit 3 +elif [ ${default_error} -eq 2 ] ; then + # * 2 invalid argument + echo "$0: Invalid arguments!" + echo + usage + echo "where valid instance names include:" + list_instances + exit 2 +elif [ $# -gt 2 ] ; then + echo "$0: Excess arguments!" + echo + usage + echo "where valid instance names include:" + list_instances + if [ "${command}" != "status" ]; then + # * 2 excess arguments + exit 2 + else + # * 4 program or service status is unknown + exit 4 + fi +fi + +# If an "instance" was supplied, check that it is a "valid" instance +if [ -n "${pki_instance}" ]; then + if [ "${PKI_REGISTRY}/${pki_instance}" != "${PKI_REGISTRY_ENTRIES}" ]; then + echo -n "${pki_instance} is an invalid '${PKI_TYPE}' instance" + echo_failure + echo + if [ "${command}" != "status" ]; then + # * 5 program is not installed + exit 5 + else + # * 4 program or service status is unknown + exit 4 + fi + fi +fi + +# On Solaris /var/run is in tmpfs and gets wiped out upon reboot +# we have to recreate the ${PKI_PIDDIR} directory and make sure that +# the directory is writable by the ${PKI_TYPE} server process. +# +# IMPORTANT: ALL PKI subsystems installed on this machine MUST utilize +# the SAME values for ${PKI_GROUP} and ${PKI_USER}, since the +# "${PKI_PIDDIR}" will end up with the ownership permissions +# of the first instance that executes this function! +# +fix_pid_dir_ownership() +{ + if [ ! -d ${PKI_PIDDIR} ] ; then + mkdir -p ${PKI_PIDDIR} + + chown root:root /var/run/pki + chmod 00755 /var/run/pki + + chown root:root ${PKI_PIDDIR} + chmod 00755 ${PKI_PIDDIR} + fi +} + +check_pki_configuration_status() +{ + rv=0 + + rv=`grep -c ^preop ${pki_instance_configuration_file}` + + rv=`expr ${rv} + 0` + + if [ ${rv} -ne 0 ] ; then + echo " '${PKI_INSTANCE_ID}' must still be CONFIGURED!" + echo " (see /var/log/${PKI_INSTANCE_ID}-install.log)" + if [ "${command}" != "status" ]; then + # * 6 program is not configured + rv=6 + else + # * 4 program or service status is unknown + rv=4 + fi + TOTAL_UNCONFIGURED_PKI_ENTRIES=`expr ${TOTAL_UNCONFIGURED_PKI_ENTRIES} + 1` + elif [ -f ${RESTART_SERVER} ] ; then + echo -n " Although '${PKI_INSTANCE_ID}' has been CONFIGURED, " + echo -n "it must still be RESTARTED!" + echo + if [ "${command}" != "status" ]; then + # * 1 generic or unspecified error (current practice) + rv=1 + else + # * 4 program or service status is unknown + rv=4 + fi + fi + + return ${rv} +} + +get_pki_status_definitions() +{ + # establish well-known strings + listen_statement="Listen" + total_ports=0 + UNSECURE_PORT="" + CLIENTAUTH_PORT="" + NON_CLIENTAUTH_PORT="" + + # check to see that an instance-specific "httpd.conf" file exists + if [ ! -f ${PKI_HTTPD_CONF} ] ; then + echo "File '${PKI_HTTPD_CONF}' does not exist!" + exit ${default_error} + fi + + # check to see that an instance-specific "nss.conf" file exists + if [ ! -f ${PKI_NSS_CONF} ] ; then + echo "File '${PKI_NSS_CONF}' does not exist!" + exit ${default_error} + fi + + # read this instance-specific "httpd.conf" file line-by-line + # to obtain the current value of the PKI unsecure port + + exec < ${PKI_HTTPD_CONF} + while read line; do + # look for the listen statement + head=`echo $line | cut -b1-6` + if [ "$head" == "$listen_statement" ] ; then + # once the 'unsecure' listen statement has been found, + # extract the numeric port information + port=`echo $line | cut -b8-` + UNSECURE_PORT=$port + echo " Unsecure Port = http://${PKI_SERVER_NAME}:${UNSECURE_PORT}" + total_ports=`expr ${total_ports} + 1` + break; + fi + done + + # read this instance-specific "nss.conf" file line-by-line + # to obtain the current value of the "clientauth" PKI secure port + # AND the current value of the "non-clientauth" PKI secure port + + exec < ${PKI_NSS_CONF} + while read line; do + # look for the listen statement + head=`echo $line | cut -b1-6` + if [ "$head" == "$listen_statement" ] && + [ ${total_ports} -eq 2 ] ; then + # once the 'non-clientauth' listen statement has been found, + # extract the numeric port information + non_clientauth_port=`echo $line | cut -b8-` + NON_CLIENTAUTH_PORT=$non_clientauth_port + echo " Secure Non-Clientauth Port = https://${PKI_SERVER_NAME}:${NON_CLIENTAUTH_PORT}" + total_ports=`expr ${total_ports} + 1` + break + fi + if [ "$head" == "$listen_statement" ] && + [ ${total_ports} -eq 1 ] ; then + # once the 'clientauth' listen statement has been found, + # extract the numeric port information + clientauth_port=`echo $line | cut -b8-` + CLIENTAUTH_PORT=$clientauth_port + echo " Secure Clientauth Port = https://${PKI_SERVER_NAME}:${CLIENTAUTH_PORT}" + total_ports=`expr ${total_ports} + 1` + fi + done + + if [ ${total_ports} -eq 3 ] ; then + return 0 + else + return ${default_error} + fi +} + +get_pki_configuration_definitions() +{ + # Obtain the PKI Subsystem Type + line=`grep ^cs.type= ${pki_instance_configuration_file}` + pki_subsystem=`echo "${line}" | cut -b9-` + if [ "${line}" != "" ] ; then + if [ "${pki_subsystem}" != "CA" ] && + [ "${pki_subsystem}" != "KRA" ] && + [ "${pki_subsystem}" != "OCSP" ] && + [ "${pki_subsystem}" != "TKS" ] && + [ "${pki_subsystem}" != "RA" ] && + [ "${pki_subsystem}" != "TPS" ] + then + return ${default_error} + fi + if [ "${pki_subsystem}" == "KRA" ] ; then + # Rename "KRA" to "DRM" + pki_subsystem="DRM" + fi + else + return ${default_error} + fi + + # If "${pki_subsystem}" is a CA, DRM, OCSP, or TKS, + # check to see if "${pki_subsystem}" is a "Clone" + pki_clone="" + if [ "${pki_subsystem}" == "CA" ] || + [ "${pki_subsystem}" == "DRM" ] || + [ "${pki_subsystem}" == "OCSP" ] || + [ "${pki_subsystem}" == "TKS" ] + then + line=`grep ^subsystem.select= ${pki_instance_configuration_file}` + if [ "${line}" != "" ] ; then + pki_clone=`echo "${line}" | cut -b18-` + if [ "${pki_clone}" != "Clone" ] ; then + # Reset "${pki_clone}" to be empty + pki_clone="" + fi + else + return ${default_error} + fi + fi + + # If "${pki_subsystem}" is a CA, and is NOT a "Clone", check to + # see "${pki_subsystem}" is a "Root" or a "Subordinate" CA + pki_hierarchy="" + if [ "${pki_subsystem}" == "CA" ] && + [ "${pki_clone}" != "Clone" ] + then + line=`grep ^hierarchy.select= ${pki_instance_configuration_file}` + if [ "${line}" != "" ] ; then + pki_hierarchy=`echo "${line}" | cut -b18-` + else + return ${default_error} + fi + fi + + # If ${pki_subsystem} is a CA, check to + # see if it is also a Security Domain + pki_security_domain="" + if [ "${pki_subsystem}" == "CA" ] ; then + line=`grep ^securitydomain.select= ${pki_instance_configuration_file}` + if [ "${line}" != "" ] ; then + pki_security_domain=`echo "${line}" | cut -b23-` + if [ "${pki_security_domain}" == "new" ] ; then + # Set a fixed value for "${pki_security_domain}" + pki_security_domain="(Security Domain)" + else + # Reset "${pki_security_domain}" to be empty + pki_security_domain="" + fi + else + return ${default_error} + fi + fi + + # Always obtain this PKI instance's "registered" + # security domain information + pki_security_domain_name="" + pki_security_domain_hostname="" + pki_security_domain_https_admin_port="" + + line=`grep ^securitydomain.name= ${pki_instance_configuration_file}` + if [ "${line}" != "" ] ; then + pki_security_domain_name=`echo "${line}" | cut -b21-` + else + return ${default_error} + fi + + line=`grep ^securitydomain.host= ${pki_instance_configuration_file}` + if [ "${line}" != "" ] ; then + pki_security_domain_hostname=`echo "${line}" | cut -b21-` + else + return ${default_error} + fi + + line=`grep ^securitydomain.httpsadminport= ${pki_instance_configuration_file}` + if [ "${line}" != "" ] ; then + pki_security_domain_https_admin_port=`echo "${line}" | cut -b31-` + else + return ${default_error} + fi + + # Compose the "PKI Instance Name" Status Line + pki_instance_name="PKI Instance Name: ${PKI_INSTANCE_ID}" + + # Compose the "PKI Subsystem Type" Status Line + header="PKI Subsystem Type: " + if [ "${pki_clone}" != "" ] ; then + if [ "${pki_security_domain}" != "" ]; then + # Possible Values: + # + # "CA Clone (Security Domain)" + # + data="${pki_subsystem} ${pki_clone} ${pki_security_domain}" + else + # Possible Values: + # + # "CA Clone" + # "DRM Clone" + # "OCSP Clone" + # "TKS Clone" + # + data="${pki_subsystem} ${pki_clone}" + fi + elif [ "${pki_hierarchy}" != "" ] ; then + if [ "${pki_security_domain}" != "" ]; then + # Possible Values: + # + # "Root CA (Security Domain)" + # "Subordinate CA (Security Domain)" + # + data="${pki_hierarchy} ${pki_subsystem} ${pki_security_domain}" + else + # Possible Values: + # + # "Root CA" + # "Subordinate CA" + # + data="${pki_hierarchy} ${pki_subsystem}" + fi + else + # Possible Values: + # + # "DRM" + # "OCSP" + # "RA" + # "TKS" + # "TPS" + # + data="${pki_subsystem}" + fi + pki_subsystem_type="${header} ${data}" + + # Compose the "Registered PKI Security Domain Information" Status Line + header="Name: " + registered_pki_security_domain_name="${header} ${pki_security_domain_name}" + + header="URL: " + if [ "${pki_security_domain_hostname}" != "" ] && + [ "${pki_security_domain_https_admin_port}" != "" ] + then + data="https://${pki_security_domain_hostname}:${pki_security_domain_https_admin_port}" + else + return ${default_error} + fi + registered_pki_security_domain_url="${header} ${data}" + + # Print the "PKI Subsystem Type" Status Line + echo + echo " ${pki_instance_name}" + + # Print the "PKI Subsystem Type" Status Line + echo + echo " ${pki_subsystem_type}" + + # Print the "Registered PKI Security Domain Information" Status Line + echo + echo " Registered PKI Security Domain Information:" + echo " ==========================================================================" + echo " ${registered_pki_security_domain_name}" + echo " ${registered_pki_security_domain_url}" + echo " ==========================================================================" + + return 0 +} + +get_pki_secure_port() +{ + # establish well-known strings + listen_statement="Listen" + + # first check to see that an instance-specific "nss.conf" file exists + if [ ! -f ${PKI_NSS_CONF} ] ; then + echo "File '${PKI_NSS_CONF}' does not exist!" + exit ${default_error} + fi + + # read this instance-specific "nss.conf" file line-by-line + # to obtain the current value of the "clientauth" PKI secure port + exec < ${PKI_NSS_CONF} + while read line; do + # look for the listen statement + head=`echo $line | cut -b1-6` + if [ "$head" == "$listen_statement" ] ; then + # once the 'clientauth' listen statement has been found, + # extract the numeric port information + port=`echo $line | cut -b8-` + SECURE_PORT=$port + return 0 + fi + done + + return ${default_error} +} + +display_instance_status() +{ + rv=0 + + if [ -f ${pidfile} ] ; then + pid=`cat ${pidfile}` + if [ "${pid}" == "" ] ; then + echo "${PKI_INSTANCE_ID} pid file exists but is empty" + if [ "${command}" != "status" ]; then + # * 1 generic or unspecified error (current practice) + rv=1 + else + # * 4 program or service status is unknown + rv=4 + fi + elif kill -0 ${pid} > /dev/null 2>&1 ; then + echo "${PKI_INSTANCE_ID} (pid ${pid}) is running ..." + echo + check_pki_configuration_status + rv=$? + if [ ${rv} -eq 0 ] ; then + get_pki_status_definitions + rv=$? + if [ ${rv} -ne 0 ] ; then + echo + echo "${PKI_INSTANCE_ID} Status Definitions not found" + else + get_pki_configuration_definitions + rv=$? + if [ ${rv} -ne 0 ] ; then + echo + echo "${PKI_INSTANCE_ID} Configuration Definitions not found" + fi + fi + else + # From the PKI point of view for a "non-status" action, + # a returned error code of "6" implies that the program + # is not "configured". Similarly, an error code of "1" + # implies that the program was "configured" but must + # still be restarted. + # + # Similarly, from the PKI point of view for a "status" + # action, a returned error code of "4" implies that either + # the program is not "configured", or that the program + # was "configured" but must still be restarted. + # + # Regardless, it must still be considered that the instance + # is "running" from the viewpoint of other OS programs such + # as 'chkconfig'. + # + # For this reason, when returning from + # 'display_instance_status()', ignore non-zero return codes + # returned from 'check_pki_configuration_status()'. + # + if [ "${command}" != "status" ]; then + # * 0 action was successful + rv=0 + else + # * 0 program is running or service is OK + rv=0 + fi + fi + echo + else + echo "${PKI_INSTANCE_ID} is dead but pid file exists" + if [ "${command}" != "status" ]; then + # * 1 generic or unspecified error (current practice) + rv=1 + else + # * 1 program is dead and /var/run pid file exists + rv=1 + fi + fi + else + echo "${PKI_INSTANCE_ID} is stopped" + if [ "${command}" != "status" ]; then + # * 7 program is not running + rv=7 + else + # * 3 program is not running + rv=3 + fi + fi + + return ${rv} +} + +start_instance() +{ + rv=0 + + echo -n $"Starting ${prog}: " + + if [ -f ${RESTART_SERVER} ] ; then + rm -f ${RESTART_SERVER} + fi + + if [ -f ${PKI_LOCKFILE} ] ; then + if [ -f ${pidfile} ]; then + read kpid < ${pidfile} + if checkpid $kpid 2>&1; then + echo + echo "${PKI_INSTANCE_ID} (pid ${kpid}) is already running ..." + echo + check_pki_configuration_status + rv=$? + if [ ${rv} != 0 ]; then + # From the PKI point of view for a "non-status" action, + # a returned error code of "6" implies that the program + # is not "configured". Similarly, an error code of "1" + # implies that the program was "configured" but must + # still be restarted. + # + # Regardless, it must still be considered that the instance + # is "running" from the viewpoint of other OS programs such + # as 'chkconfig'. + # + # For "non-status" actions, ignore return codes of "1" + # from 'check_pki_configuration_status()'. + # + # However, for "non-status" actions that have a return + # code of "6", return this value unchanged to + # the calling routine so that the total number of + # configuration errors may be counted. + # + + echo + if [ ${rv} = 1 ] ; then + # * 0 action was successful + return 0 + elif [ ${rv} = 6 ] ; then + # * 6 program is not configured + return 6 + else + # should never be reached + return ${rv} + fi + else + return 0 + fi + else + echo + echo -n "lock file found but no process " + echo -n "running for pid $kpid, continuing" + echo + echo + rm -f ${PKI_LOCKFILE} + fi + fi + fi + + fix_pid_dir_ownership + + touch ${pidfile} + chown ${PKI_USER}:${PKI_GROUP} ${pidfile} + chmod 00600 ${pidfile} + [ -x /sbin/restorecon ] && /sbin/restorecon ${pidfile} + + # restore context for ncipher hsm + [ -x /sbin/restorecon ] && [ -d /dev/nfast ] && /sbin/restorecon -R /dev/nfast + + if [ -f /etc/init.d/functions ]; then + /usr/sbin/selinuxenabled + rv=$? + if [ ${rv} = 0 ] ; then + if [ ${ARCHITECTURE} = "i386" ] ; then + LANG=${PKI_HTTPD_LANG} daemon runcon -t ${PKI_SELINUX_TYPE} -- ${httpd} ${PKI_OPTIONS} + # overwrite output from "daemon" + echo -n $"Starting ${prog}: " + elif [ ${ARCHITECTURE} = "x86_64" ] ; then + # NOTE: "daemon" is incompatible with "httpd" + # on 64-bit architectures + LANG=${PKI_HTTPD_LANG} runcon -t ${PKI_SELINUX_TYPE} -- ${httpd} ${PKI_OPTIONS} + fi + else + LANG=${PKI_HTTPD_LANG} daemon ${httpd} ${PKI_OPTIONS} + # overwrite output from "daemon" + echo -n $"Starting ${prog}: " + fi + else + LANG=${PKI_HTTPD_LANG} ${httpd} ${PKI_OPTIONS} -k start + fi + + rv=$? + if [ ${rv} = 0 ] ; then + touch ${PKI_LOCKFILE} + chown ${PKI_USER}:${PKI_GROUP} ${PKI_LOCKFILE} + chmod 00600 ${PKI_LOCKFILE} + fi + + if [ ${rv} = 0 ] ; then + count=0; + + let swait=$STARTUP_WAIT + until [ -s ${pidfile} ] || + [ $count -gt $swait ] + do + echo -n "." + sleep 1 + let count=$count+1; + done + + if [ -f /etc/init.d/functions ]; then + if [ "$CONSOLETYPE" = "serial" ]; then + echo -n " " + fi + echo_success + echo + else + echo " [ OK ]" + fi + + get_pki_secure_port + if [ $? -ne 0 ] ; then + SECURE_PORT="<Port Undefined>" + fi + + # Set permissions of log files + for file in ${pki_logs_directory}/*; do + chown ${PKI_USER}:${PKI_GROUP} ${file} + chmod 00660 ${file} + done + + # ignore "status" return codes + echo + display_instance_status + else + if [ -f /etc/init.d/functions ]; then + if [ "$CONSOLETYPE" = "serial" ]; then + $0 echo -n " " + fi + echo_failure + echo + else + echo " [ FAILED ]" + fi + fi + + if [ ${OS} = "Linux" ] ; then + sleep 10 + elif [ ${OS} = "SunOS" ] ; then + sleep 20 + fi + return ${rv} +} + +stop_instance() +{ + rv=0 + + echo -n "Stopping ${prog}: " + + if [ -f ${PKI_LOCKFILE} ] ; then + ${httpd} ${PKI_OPTIONS} -k stop + + rv=$? + + if [ ${rv} = 0 ]; then + count=0; + + if [ -f ${pidfile} ]; then + read kpid < ${pidfile} + let kwait=$SHUTDOWN_WAIT + + until [ `ps -p $kpid | grep -c $kpid` = '0' ] || + [ $count -gt $kwait ] + do + echo -n "." + sleep 1 + let count=$count+1; + done + + if [ $count -gt $kwait ]; then + kill -9 $kpid + fi + fi + + rm -f ${PKI_LOCKFILE} + rm -f ${pidfile} + + if [ -f /etc/init.d/functions ]; then + if [ "$CONSOLETYPE" = "serial" ]; then + echo -n " " + fi + echo_success + echo + else + echo " [ OK ]" + fi + else + if [ -f /etc/init.d/functions ]; then + if [ "$CONSOLETYPE" = "serial" ]; then + echo -n " " + fi + echo_failure + echo + else + echo " [ FAILED ]" + fi + rv=${default_error} + fi + else + echo + echo "process already stopped" + rv=0 + fi + + return ${rv} +} + +reload_instance() +{ + rv=0 + + echo -n $"Reloading ${prog}: " + + if ! LANG=${PKI_HTTPD_LANG} ${httpd} ${PKI_OPTIONS} -t >&/dev/null; then + rv=$? + echo $"not reloading due to configuration syntax error" + if [ -f /etc/init.d/functions ]; then + failure $"not reloading ${httpd} due to configuration syntax error" + else + echo $"not reloading ${httpd} due to configuration syntax error" + fi + else + if [ -f /etc/init.d/functions ]; then + killproc -p ${pidfile} ${httpd} -HUP + rv=$? + else + if [ -f ${PKI_LOCKFILE} ] ; then + if [ -f ${pidfile} ]; then + read kpid < ${pidfile} + if checkpid $kpid 2>&1; then + kill -HUP $kpid + rv=$? + if [ ${rv} != 0 ]; then + rv=${default_error} + fi + fi + else + # * 7 program is not running + rv=7 + echo + echo -n "lock file found but no process " + echo -n "running for pid $kpid, continuing" + echo + echo + rm -f ${PKI_LOCKFILE} + fi + fi + fi + fi + echo + + return ${rv} +} + +# The semantics of the 'start()' function differs from the way 'apachectl' +# does things -- attempting to start while running is a failure. +# So we just do it the way init scripts are expected to behave here. +start() +{ + # From "http://fedoraproject.org/wiki/FCNewInit/Initscripts": + # + # * 0 action was successful + # * 1 generic or unspecified error (current practice) + # * 2 invalid or excess argument(s) + # * 3 unimplemented feature (for example, "reload") + # * 4 user had insufficient privilege + # * 5 program is not installed + # * 6 program is not configured + # * 7 program is not running + # * 8-99 reserved for future LSB use + # * 100-149 reserved for distribution use + # * 150-199 reserved for application use + # * 200-254 reserved + # + + error_rv=0 + rv=0 + + if [ -n "${PKI_REGISTRY_ENTRIES}" ]; then + config_errors=0 + errors=0 + + if [ ${TOTAL_PKI_REGISTRY_ENTRIES} -gt 1 ] ; then + echo "BEGIN STARTING '${PKI_TYPE}' INSTANCE(S):" + fi + + # Start every PKI instance of this type that isn't already running + for PKI_REGISTRY_ENTRY in ${PKI_REGISTRY_ENTRIES}; do + # Source values associated with this particular PKI instance + [ -f ${PKI_REGISTRY_ENTRY} ] && + . ${PKI_REGISTRY_ENTRY} + + pidfile=${PKI_PIDDIR}/${PKI_PIDFILE} + + [ ${TOTAL_PKI_REGISTRY_ENTRIES} -gt 1 ] && echo + + start_instance + + rv=$? + if [ ${rv} = 6 ] ; then + # Since at least ONE configuration error exists, then there + # is at least ONE unconfigured instance from the PKI point + # of view. + # + # However, it must still be considered that the + # instance is "running" from the point of view of other + # OS programs such as 'chkconfig'. + # + # Therefore, ignore non-zero return codes resulting + # from configuration errors. + # + + config_errors=`expr $config_errors + 1` + rv=0 + elif [ ${rv} != 0 ] ; then + errors=`expr $errors + 1` + error_rv=${rv} + fi + done + + if [ ${TOTAL_PKI_REGISTRY_ENTRIES} -gt ${errors} ] ; then + touch ${lockfile} + chmod 00600 ${lockfile} + fi + + # ONLY print a "WARNING" message if multiple + # instances are being examined + if [ ${TOTAL_PKI_REGISTRY_ENTRIES} -gt 1 ] ; then + # NOTE: "bad" return code(s) OVERRIDE configuration errors! + if [ ${errors} -eq 1 ]; then + # Since only ONE error exists, return that "bad" error code. + rv=${error_rv} + elif [ ${errors} -gt 1 ]; then + # Since MORE than ONE error exists, return an OVERALL status + # of "1 generic or unspecified error (current practice)" + rv=1 + fi + + if [ ${errors} -ge 1 ]; then + echo + echo -n "WARNING: " + echo -n "${errors} of ${TOTAL_PKI_REGISTRY_ENTRIES} " + echo -n "'${PKI_TYPE}' instances failed to start!" + echo + fi + + if [ ${TOTAL_UNCONFIGURED_PKI_ENTRIES} -ge 1 ]; then + echo + echo -n "WARNING: " + echo -n "${TOTAL_UNCONFIGURED_PKI_ENTRIES} " + echo -n "of ${TOTAL_PKI_REGISTRY_ENTRIES} " + echo -n "'${PKI_TYPE}' instances MUST be configured!" + echo + fi + + echo + echo "FINISHED STARTING '${PKI_TYPE}' INSTANCE(S)." + fi + else + echo + echo "ERROR: No '${PKI_TYPE}' instances installed!" + rv=5 + fi + + return ${rv} +} + +# The semantics of the 'stop()' function differs from the way 'apachectl' +# does things -- attempting to shutdown when not running is a failure. +# So we just do it the way init scripts are expected to behave here. +stop() +{ + # From "http://fedoraproject.org/wiki/FCNewInit/Initscripts": + # + # * 0 action was successful + # * 1 generic or unspecified error (current practice) + # * 2 invalid or excess argument(s) + # * 3 unimplemented feature (for example, "reload") + # * 4 user had insufficient privilege + # * 5 program is not installed + # * 6 program is not configured + # * 7 program is not running + # * 8-99 reserved for future LSB use + # * 100-149 reserved for distribution use + # * 150-199 reserved for application use + # * 200-254 reserved + # + + error_rv=0 + rv=0 + + if [ -n "${PKI_REGISTRY_ENTRIES}" ]; then + errors=0 + + if [ ${TOTAL_PKI_REGISTRY_ENTRIES} -gt 1 ] ; then + echo "BEGIN SHUTTING DOWN '${PKI_TYPE}' INSTANCE(S):" + fi + + # Shutdown every PKI instance of this type that is running + for PKI_REGISTRY_ENTRY in ${PKI_REGISTRY_ENTRIES}; do + # Source values associated with this particular PKI instance + [ -f ${PKI_REGISTRY_ENTRY} ] && + . ${PKI_REGISTRY_ENTRY} + + pidfile=${PKI_PIDDIR}/${PKI_PIDFILE} + + [ ${TOTAL_PKI_REGISTRY_ENTRIES} -gt 1 ] && echo + + stop_instance + + rv=$? + if [ ${rv} != 0 ] ; then + errors=`expr $errors + 1` + error_rv=${rv} + fi + done + + if [ ${errors} -eq 0 ] ; then + rm -f ${lockfile} + fi + + # ONLY print a "WARNING" message if multiple + # instances are being examined + if [ ${TOTAL_PKI_REGISTRY_ENTRIES} -gt 1 ] ; then + if [ ${errors} -eq 1 ]; then + # Since only ONE error exists, return that "bad" error code. + rv=${error_rv} + elif [ ${errors} -gt 1 ]; then + # Since MORE than ONE error exists, return an OVERALL status + # of "1 generic or unspecified error (current practice)" + rv=1 + fi + + if [ ${errors} -ge 1 ]; then + echo + echo -n "WARNING: " + echo -n "${errors} of ${TOTAL_PKI_REGISTRY_ENTRIES} " + echo -n "'${PKI_TYPE}' instances were " + echo -n "unsuccessfully stopped!" + echo + fi + + echo + echo "FINISHED SHUTTING DOWN '${PKI_TYPE}' INSTANCE(S)." + fi + else + echo + echo "ERROR: No '${PKI_TYPE}' instances installed!" + rv=5 + fi + + return ${rv} +} + +restart() +{ + # From "http://fedoraproject.org/wiki/FCNewInit/Initscripts": + # + # * 0 action was successful + # * 1 generic or unspecified error (current practice) + # * 2 invalid or excess argument(s) + # * 3 unimplemented feature (for example, "reload") + # * 4 user had insufficient privilege + # * 5 program is not installed + # * 6 program is not configured + # * 7 program is not running + # * 8-99 reserved for future LSB use + # * 100-149 reserved for distribution use + # * 150-199 reserved for application use + # * 200-254 reserved + # + + stop + sleep 2 + echo + echo "============================================================" + echo + start + + return $? +} + +reload() +{ + # From "http://fedoraproject.org/wiki/FCNewInit/Initscripts": + # + # * 0 action was successful + # * 1 generic or unspecified error (current practice) + # * 2 invalid or excess argument(s) + # * 3 unimplemented feature (for example, "reload") + # * 4 user had insufficient privilege + # * 5 program is not installed + # * 6 program is not configured + # * 7 program is not running + # * 8-99 reserved for future LSB use + # * 100-149 reserved for distribution use + # * 150-199 reserved for application use + # * 200-254 reserved + # + + error_rv=0 + rv=0 + + if [ -n "${PKI_REGISTRY_ENTRIES}" ]; then + errors=0 + + if [ ${TOTAL_PKI_REGISTRY_ENTRIES} -gt 1 ] ; then + echo "BEGIN RELOADING '${PKI_TYPE}' INSTANCE(S):" + fi + + # Reload every PKI instance of this type that is running + for PKI_REGISTRY_ENTRY in ${PKI_REGISTRY_ENTRIES}; do + # Source values associated with this particular PKI instance + [ -f ${PKI_REGISTRY_ENTRY} ] && + . ${PKI_REGISTRY_ENTRY} + + pidfile=${PKI_PIDDIR}/${PKI_PIDFILE} + + [ ${TOTAL_PKI_REGISTRY_ENTRIES} -gt 1 ] && echo + + reload_instance + + rv=$? + if [ ${rv} != 0 ] ; then + errors=`expr $errors + 1` + error_rv=${rv} + fi + done + + # ONLY print a "WARNING" message if multiple + # instances are being examined + if [ ${TOTAL_PKI_REGISTRY_ENTRIES} -gt 1 ] ; then + if [ ${errors} -eq 1 ]; then + # Since only ONE error exists, return that "bad" error code. + rv=${error_rv} + elif [ ${errors} -gt 1 ]; then + # Since MORE than ONE error exists, return an OVERALL status + # of "1 generic or unspecified error (current practice)" + rv=1 + fi + + if [ ${errors} -ge 1 ]; then + echo + echo -n "WARNING: " + echo -n "${errors} of ${TOTAL_PKI_REGISTRY_ENTRIES} " + echo -n "'${PKI_TYPE}' instances were " + echo -n "unsuccessfully reloaded!" + echo + fi + + echo + echo "FINISHED RELOADING '${PKI_TYPE}' INSTANCE(S)." + fi + else + echo + echo "ERROR: No '${PKI_TYPE}' instances reloaded!" + rv=5 + fi + + return ${rv} +} + +status() +{ + # From "http://fedoraproject.org/wiki/FCNewInit/Initscripts": + # + # * 0 program is running or service is OK + # * 1 program is dead and /var/run pid file exists + # * 2 program is dead and /var/lock lock file exists + # * 3 program is not running + # * 4 program or service status is unknown + # * 5-99 reserved for future LSB use + # * 100-149 reserved for distribution use + # * 150-199 reserved for application use + # * 200-254 reserved + # + + error_rv=0 + rv=0 + + if [ -n "${PKI_REGISTRY_ENTRIES}" ]; then + errors=0 + + if [ ${TOTAL_PKI_REGISTRY_ENTRIES} -gt 1 ] ; then + echo "REPORT STATUS OF '${PKI_TYPE}' INSTANCE(S):" + fi + + # Obtain status of every PKI instance of this type + for PKI_REGISTRY_ENTRY in ${PKI_REGISTRY_ENTRIES}; do + # Source values associated with this particular PKI instance + [ -f ${PKI_REGISTRY_ENTRY} ] && + . ${PKI_REGISTRY_ENTRY} + + pidfile=${PKI_PIDDIR}/${PKI_PIDFILE} + + [ ${TOTAL_PKI_REGISTRY_ENTRIES} -gt 1 ] && echo + + display_instance_status + + rv=$? + if [ ${rv} -ne 0 ] ; then + errors=`expr $errors + 1` + error_rv=${rv} + fi + done + + # ONLY print a "WARNING" message if multiple + # instances are being examined + if [ ${TOTAL_PKI_REGISTRY_ENTRIES} -gt 1 ] ; then + if [ ${errors} -eq 1 ]; then + # Since only ONE error exists, return that "bad" error code. + rv=${error_rv} + elif [ ${errors} -gt 1 ]; then + # Since MORE than ONE error exists, return an OVERALL status + # of "4 - program or service status is unknown" + rv=4 + fi + + if [ ${errors} -ge 1 ]; then + echo + echo -n "WARNING: " + echo -n "${errors} of ${TOTAL_PKI_REGISTRY_ENTRIES} " + echo -n "'${PKI_TYPE}' instances reported status failures!" + echo + fi + + if [ ${TOTAL_UNCONFIGURED_PKI_ENTRIES} -ge 1 ]; then + echo + echo -n "WARNING: " + echo -n "${TOTAL_UNCONFIGURED_PKI_ENTRIES} " + echo -n "of ${TOTAL_PKI_REGISTRY_ENTRIES} " + echo -n "'${PKI_TYPE}' instances MUST be configured!" + echo + fi + + echo + echo "FINISHED REPORTING STATUS OF '${PKI_TYPE}' INSTANCE(S)." + fi + else + echo + echo "ERROR: No '${PKI_TYPE}' instances installed!" + rv=4 + fi + + return ${rv} +} + +# See how we were called. +case "${command}" in + start|stop|restart|reload|status) + ${command} + exit $? + ;; + condrestart|force-restart|try-restart) + [ ! -f ${lockfile} ] || restart + exit $? + ;; + *) + # * 3 unimplemented feature (for example, "reload") + # [invalid command - should never be reached] + echo + usage + echo "where valid instance names include:" + list_instances + exit 3 + ;; +esac + diff --git a/pki/base/ra/setup/postinstall b/pki/base/ra/setup/postinstall deleted file mode 100755 index 517c6e448..000000000 --- a/pki/base/ra/setup/postinstall +++ /dev/null @@ -1,66 +0,0 @@ -#!/bin/bash -# -# --- BEGIN COPYRIGHT BLOCK --- -# This program is free software; you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation; version 2 of the License. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License along -# with this program; if not, write to the Free Software Foundation, Inc., -# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. -# -# Copyright (C) 2007 Red Hat, Inc. -# All rights reserved. -# --- END COPYRIGHT BLOCK --- -# - -############################################################################### -## (1) Check command line arguments to see how many were passed in. ## -############################################################################### - -if [ $# -eq 4 ] -then - PKI_PRODUCT_NAME=$1 - PKI_SUBSYSTEM_NAME=$2 - VERSION=$3 - RELEASE=$4 -else - echo - echo "Usage: $0 PKI_product_name PKI_subsystem_name version release" - echo - - exit 255 -fi - - -############################################################################### -## (2) Specify variables used by this script. ## -############################################################################### - -PKI_INSTANCE_NAME="${PKI_PRODUCT_NAME}-${PKI_SUBSYSTEM_NAME}" -SECURE_PORT=12889 -NON_CLIENTAUTH_SECURE_PORT=12890 -UNSECURE_PORT=12888 - - -############################################################################### -## (3) Create the first instance of a Registration Authority (RA). ## -############################################################################### - -if [ ! -e "/var/lib/${PKI_INSTANCE_NAME}" ] -then - /usr/bin/pkicreate -pki_instance_root=/var/lib -pki_instance_name=${PKI_INSTANCE_NAME} -subsystem_type=${PKI_SUBSYSTEM_NAME} -secure_port=${SECURE_PORT} -non_clientauth_secure_port=${NON_CLIENTAUTH_SECURE_PORT} -unsecure_port=${UNSECURE_PORT} -redirect conf=/etc/${PKI_INSTANCE_NAME} -redirect logs=/var/log/${PKI_INSTANCE_NAME} -fi - - -############################################################################### -## (4) Successfully exit from this postinstallation script. ## -############################################################################### - -exit 0 - |