author | jdennis <jdennis@c9f7a03b-bd48-0410-a16d-cbbf54688b0b> | 2010-11-19 21:00:40 +0000 |
---|---|---|
committer | jdennis <jdennis@c9f7a03b-bd48-0410-a16d-cbbf54688b0b> | 2010-11-19 21:00:40 +0000 |
commit | 2ab4b4058a240143e513db050bbf4170e9115ef1 (patch) | |
tree | a00195c6f63f11ee5e2fd9c4fc5f3c216ef7ace2 /pki/base/tps | |
parent | e73bde97720375973af57a29c5dd62aaec6342f2 (diff) | |
Merge CA changes into KRA,OCSP & TKS
git-svn-id: svn+ssh://svn.fedorahosted.org/svn/pki/trunk@1575 c9f7a03b-bd48-0410-a16d-cbbf54688b0b
Diffstat (limited to 'pki/base/tps')
-rw-r--r-- | pki/base/tps/Makefile.am | 2 | ||||
-rw-r--r-- | pki/base/tps/Makefile.in | 2 | ||||
-rwxr-xr-x | pki/base/tps/apache/apachectl | 189 | ||||
-rw-r--r-- | pki/base/tps/apache/conf/httpd.conf | 14 | ||||
-rw-r--r-- | pki/base/tps/apache/conf/nss.conf | 4 | ||||
-rw-r--r-- | pki/base/tps/build.xml | 14 | ||||
-rw-r--r-- | pki/base/tps/doc/CS.cfg | 28 | ||||
-rwxr-xr-x | pki/base/tps/etc/init.d/pki-tpsd | 1462 | ||||
-rw-r--r-- | pki/base/tps/setup/config.desktop | 2 | ||||
-rw-r--r-- | pki/base/tps/setup/registry_instance | 117 |
10 files changed, 208 insertions, 1626 deletions
diff --git a/pki/base/tps/Makefile.am b/pki/base/tps/Makefile.am
index 16cec1f81..a98fd8971 100644
--- a/pki/base/tps/Makefile.am
+++ b/pki/base/tps/Makefile.am
@@ -248,7 +248,7 @@ scripts_DATA = $(srcdir)/scripts/schemaMods.ldif \
 scripts_SCRIPTS = $(srcdir)/scripts/nss_pcache
 if LINUX
-setup_DATA = $(srcdir)/setup/config.desktop
+setup_DATA = $(srcdir)/setup/config.desktop $(srcdir)/setup/registry_instance
 endif
 templates_DATA = $(srcdir)/apache/pki_instance_command_wrapper \
diff --git a/pki/base/tps/Makefile.in b/pki/base/tps/Makefile.in
index b50254251..090edfeee 100644
--- a/pki/base/tps/Makefile.in
+++ b/pki/base/tps/Makefile.in
@@ -726,7 +726,7 @@ scripts_DATA = $(srcdir)/scripts/schemaMods.ldif \
 $(srcdir)/scripts/addVLVIndexes.ldif
 scripts_SCRIPTS = $(srcdir)/scripts/nss_pcache
-@LINUX_TRUE@setup_DATA = $(srcdir)/setup/config.desktop
+@LINUX_TRUE@setup_DATA = $(srcdir)/setup/config.desktop $(srcdir)/setup/registry_instance
 templates_DATA = $(srcdir)/apache/pki_instance_command_wrapper \
 $(srcdir)/apache/pki_subsystem_command_wrapper
diff --git a/pki/base/tps/apache/apachectl b/pki/base/tps/apache/apachectl
deleted file mode 100755
index 827512ef3..000000000
--- a/pki/base/tps/apache/apachectl
+++ /dev/null
@@ -1,189 +0,0 @@ -#!/bin/sh -# -# --- BEGIN COPYRIGHT BLOCK --- -# -# Copyright 2000-2004 The Apache Software Foundation -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# -# Copyright (C) 2007 Red Hat, Inc. -# All rights reserved. -# --- END COPYRIGHT BLOCK --- -# - -# -# NOTICE: This "apachectl" script has been modified to support the -# Token Processing System (TPS). -# - -# Initialize environment variables -LD_LIBRARY_PATH=[SYSTEM_USER_LIBRARIES]:[SYSTEM_LIBRARIES]:${LD_LIBRARY_PATH} -LD_LIBRARY_PATH=[SECURITY_LIBRARIES]:${LD_LIBRARY_PATH} -export LD_LIBRARY_PATH - -# see if httpd is linked with the openldap libraries - we need to override them -OS=`uname -s` -if [ $OS = "Linux" ]; then - hasopenldap=0 - - /usr/bin/ldd $httpd 2>&1 | grep libldap- > /dev/null 2>&1 && hasopenldap=1 - - if [ $hasopenldap -eq 1 ] ; then - LD_PRELOAD="[SYSTEM_USER_LIBRARIES]/libldap50.so" - LD_PRELOAD="[SYSTEM_USER_LIBRARIES]/libssl3.so ${LD_PRELOAD}" - export LD_PRELOAD - fi -fi - -# -# Apache control script designed to allow an easy command line interface -# to controlling Apache. 
Written by Marc Slemko, 1997/08/23 -# -# The exit codes returned are: -# XXX this doc is no longer correct now that the interesting -# XXX functions are handled by [INSTANCE_ID] -# 0 - operation completed successfully -# 1 - -# 2 - usage error -# 3 - [INSTANCE_ID] could not be started -# 4 - [INSTANCE_ID] could not be stopped -# 5 - [INSTANCE_ID] could not be started during a restart -# 6 - [INSTANCE_ID] could not be restarted during a restart -# 7 - [INSTANCE_ID] could not be restarted during a graceful restart -# 8 - configuration syntax error -# -# When multiple arguments are given, only the error from the _last_ -# one is reported. Run "apachectl help" for usage info -# -ARGV="$@" -# -# |||||||||||||||||||| START CONFIGURATION SECTION |||||||||||||||||||| -# -------------------- -------------------- -# - -# -# a command that outputs a formatted text version of the HTML at the -# url given on the command line. Designed for lynx, however other -# programs may work. -if [ -x /usr/bin/links ]; then - LYNX="links -dump" -elif [ -x /usr/bin/lynx ]; then - LYNX="lynx -dump" -else - LYNX="none" -fi - -# -# the URL to your server's mod_status status page. If you do not -# have one, then status and fullstatus will not work. -STATUSURL="http://localhost:80/server-status" -# -# Set this variable to a command that increases the maximum -# number of file descriptors allowed per child process. This is -# critical for configurations that use many file descriptors, -# such as mass vhosting, or a multithreaded server. -ULIMIT_MAX_FILES="ulimit -S -n `ulimit -H -n`" - -######################################################################## -# This section contains modified content of "/etc/sysconfig/httpd" # -######################################################################## -# Configuration file for the [INSTANCE_ID] service. - -# -# The default processing model (MPM) is the process-based -# 'prefork' model. 
A thread-based model, 'worker', is also -# available, but does not work with some modules (such as PHP). -# The service must be stopped before changing this variable. -# -HTTPD=[FORTITUDE_DIR]/sbin/httpd.worker - -# -# To pass additional options (for instance, -D definitions) to the -# httpd binary at startup, set OPTIONS here. -# -OPTIONS="-f [HTTPD_CONF]" - -# -# By default, the httpd process is started in the C locale; to -# change the locale in which the server runs, the HTTPD_LANG -# variable can be set. -# -HTTPD_LANG=C -######################################################################## -# # -######################################################################## - -# Set the maximum number of file descriptors allowed per child process. -if [ "x$ULIMIT_MAX_FILES" != "x" ] ; then - $ULIMIT_MAX_FILES -fi - -ERROR=0 -if [ "x$ARGV" = "x" ] ; then - ARGV="-h" -fi - -function checklynx() { -if [ "$LYNX" = "none" ]; then - echo "The 'links' package is required for this functionality." - exit 8 -fi -} - -function testconfig() { -# [INSTANCE_ID] is denied terminal access in SELinux, so run in the -# current context to get stdout from $HTTPD -t. -if test -x /usr/sbin/selinuxenabled && /usr/sbin/selinuxenabled; then - runcon -- `id -Z` $HTTPD $OPTIONS -t -else - $HTTPD $OPTIONS -t -fi -ERROR=$? -} - -case $ARGV in -restart|graceful) - if $HTTPD -t >&/dev/null; then - $HTTPD $OPTIONS -k $ARGV - ERROR=$? - else - echo "apachectl: Configuration syntax error, will not run \"$ARGV\":" - testconfig - fi - ;; -start|stop) - $HTTPD $OPTIONS -k $ARGV - ERROR=$? - ;; -startssl|sslstart|start-SSL) - $HTTPD $OPTIONS -DSSL -k start - ERROR=$? - ;; -configtest) - testconfig - ;; -status) - checklynx - $LYNX $STATUSURL | awk ' /process$/ { print; exit } { print } ' - ;; -fullstatus) - checklynx - $LYNX $STATUSURL - ;; -*) - $HTTPD $OPTIONS $ARGV - ERROR=$? -esac - -exit $ERROR - 
diff --git a/pki/base/tps/apache/conf/httpd.conf b/pki/base/tps/apache/conf/httpd.conf
index 5ad748f55..878a4e655 100644
--- a/pki/base/tps/apache/conf/httpd.conf
+++ b/pki/base/tps/apache/conf/httpd.conf
@@ -78,7 +78,7 @@ ServerRoot "[SERVER_ROOT]"
 # identification number when it starts.
 #
 <IfModule !mpm_netware.c>
-PidFile run/[INSTANCE_ID].pid
+PidFile run/[PKI_INSTANCE_ID].pid
 </IfModule>
 #
@@ -268,7 +268,7 @@ LoadModule tokendb_module [FORTITUDE_MODULE]/mod_tokendb.so
 </Location>
 #
-# Load config files from the config directory "/etc/[INSTANCE_ID]/conf.d".
+# Load config files from the config directory "/etc/[PKI_INSTANCE_ID]/conf.d".
 #
 #Include conf.d/*.conf
 Include [SERVER_ROOT]/conf/perl.conf
@@ -295,10 +295,10 @@ Include [SERVER_ROOT]/conf/perl.conf
 <IfModule !mpm_winnt.c>
 <IfModule !mpm_netware.c>
 #
-# If you wish [INSTANCE_ID] to run as a different user or group, you must run
-# [INSTANCE_ID] as root initially and it will switch.
+# If you wish [PKI_INSTANCE_ID] to run as a different user or group, you must run
+# [PKI_INSTANCE_ID] as root initially and it will switch.
 #
-# User/Group: The name (or #number) of the user/group to run [INSTANCE_ID] as.
+# User/Group: The name (or #number) of the user/group to run [PKI_INSTANCE_ID] as.
 # . On SCO (ODT 3) use "User nouser" and "Group nogroup".
 # . On HPUX you may not be able to use shared memory as nobody, and the
 # suggested workaround is to create a user www and use that user.
@@ -306,8 +306,8 @@ Include [SERVER_ROOT]/conf/perl.conf
 # when the value of (unsigned)Group is above 60000;
 # don't use Group #-1 on these systems!
 #
-User [USERID]
-Group [GROUPID]
+User [PKI_USER]
+Group [PKI_GROUP]
 #Group #-1
 </IfModule>
 </IfModule>
diff --git a/pki/base/tps/apache/conf/nss.conf b/pki/base/tps/apache/conf/nss.conf
index 70c64116f..2e0b0ecae 100644
--- a/pki/base/tps/apache/conf/nss.conf
+++ b/pki/base/tps/apache/conf/nss.conf
@@ -101,7 +101,7 @@ NSSProtocol SSLv3,TLSv1
 # SSL Certificate Nickname:
 # The nickname of the server certificate you are going to use.
-NSSNickname "Server-Cert cert-[INSTANCE_ID]"
+NSSNickname "Server-Cert cert-[PKI_INSTANCE_ID]"
 # Server Certificate Database:
 # The NSS security database directory that holds the certificates and
@@ -196,7 +196,7 @@ NSSProtocol SSLv3,TLSv1
 # SSL Certificate Nickname:
 # The nickname of the server certificate you are going to use.
-NSSNickname "Server-Cert cert-[INSTANCE_ID]"
+NSSNickname "Server-Cert cert-[PKI_INSTANCE_ID]"
 # Server Certificate Database:
 # The NSS security database directory that holds the certificates and
diff --git a/pki/base/tps/build.xml b/pki/base/tps/build.xml
index ebfbeb225..603560b2c 100644
--- a/pki/base/tps/build.xml
+++ b/pki/base/tps/build.xml
@@ -184,7 +184,12 @@
 <include name="lib/**"/>
 <include name="samples/**"/>
 <include name="scripts/**"/>
- <include name="setup/config.desktop"/>
+ </zipfileset>
+ <zipfileset dir="./setup"
+ filemode="644"
+ prefix="usr/share/${product.prefix}/${product}/setup">
+ <include name="config.desktop"/>
+ <include name="registry_instance"/>
 </zipfileset>
 <zipfileset dir="."
 filemode="755"
@@ -230,7 +235,12 @@
 <include name="lib/**"/>
 <include name="samples/**"/>
 <include name="scripts/**"/>
- <include name="setup/config.desktop"/>
+ </tarfileset>
+ <tarfileset dir="./setup"
+ mode="644"
+ prefix="usr/share/${product.prefix}/${product}/setup">
+ <include name="config.desktop"/>
+ <include name="registry_instance"/>
 </tarfileset>
 <tarfileset dir="."
 mode="755"
diff --git a/pki/base/tps/doc/CS.cfg b/pki/base/tps/doc/CS.cfg
index 5e5c7e30c..32a88010d 100644
--- a/pki/base/tps/doc/CS.cfg
+++ b/pki/base/tps/doc/CS.cfg
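Review bot: In build.xml the `setup` file list is now written twice, once in the new zipfileset of the first hunk and again in the new tarfileset of the second, so a third setup file has to be added in both places or the zip and tar packages silently diverge. Ant lets both filesets share one list: declare `<patternset id="setup.files"><include name="config.desktop"/><include name="registry_instance"/></patternset>` once, and replace each pair of `<include>` lines with `<patternset refid="setup.files"/>`. The enclosing target and the surrounding fileset elements start and end outside both hunks, so the right place for the shared patternset is not visible here.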
@@ -18,15 +18,15 @@
 # All rights reserved.
 # --- END COPYRIGHT BLOCK ---
 #
-pkicreate.pki_instance_root=[INSTANCE_ROOT]
-pkicreate.pki_instance_name=[INSTANCE_ID]
-pkicreate.subsystem_type=[SUBSYSTEM_TYPE]
+pkicreate.pki_instance_root=[PKI_INSTANCE_ROOT]
+pkicreate.pki_instance_name=[PKI_INSTANCE_ID]
+pkicreate.subsystem_type=[PKI_SUBSYSTEM_TYPE]
 pkicreate.secure_port=[SECURE_PORT]
 pkicreate.non_clientauth_secure_port=[NON_CLIENTAUTH_SECURE_PORT]
 pkicreate.unsecure_port=[PORT]
-pkicreate.user=[USERID]
-pkicreate.group=[GROUPID]
-pkiremove.cert.subsystem.nickname=subsystemCert cert-[INSTANCE_ID]
+pkicreate.user=[PKI_USER]
+pkicreate.group=[PKI_GROUP]
+pkiremove.cert.subsystem.nickname=subsystemCert cert-[PKI_INSTANCE_ID]
 cs.type=TPS
 selftests._000=##
 selftests._001=## Self Tests
@@ -47,7 +47,7 @@ service.instanceDir=[SERVER_ROOT]
 service.securePort=[SECURE_PORT]
 service.non_clientauth_securePort=[NON_CLIENTAUTH_SECURE_PORT]
 service.unsecurePort=[PORT]
-service.instanceID=[INSTANCE_ID]
+service.instanceID=[PKI_INSTANCE_ID]
 logging._000=#########################################
 logging._001=# RA configuration File
 logging._002=#
@@ -111,7 +111,7 @@ logging.audit.filename=[SERVER_ROOT]/logs/tps-audit.log
 logging.audit.signedAuditFilename=[SERVER_ROOT]/logs/signedAudit/tps_audit
 logging.audit.level=10
 logging.audit.logSigning=false
-logging.audit.signedAuditCertNickname=auditSigningCert cert-[INSTANCE_ID]
+logging.audit.signedAuditCertNickname=auditSigningCert cert-[PKI_INSTANCE_ID]
 logging.audit.selected.events=AUTHZ_SUCCESS,AUTHZ_FAIL,AUTH_FAIL,AUTH_SUCCESS,ROLE_ASSUME,ENROLLMENT,PIN_RESET,FORMAT,CONFIG,CONFIG_ROLE,CONFIG_TOKEN,CONFIG_PROFILE,CONFIG_AUDIT,APPLET_UPGRADE,KEY_CHANGEOVER,RENEWAL
 logging.audit.selectable.events=AUTHZ_SUCCESS,AUTHZ_FAIL,AUTH_FAIL,AUTH_SUCCESS,ROLE_ASSUME,ENROLLMENT,PIN_RESET,FORMAT,CONFIG,CONFIG_ROLE,CONFIG_TOKEN,CONFIG_PROFILE,CONFIG_AUDIT,APPLET_UPGRADE,KEY_CHANGEOVER,RENEWAL
 logging.audit.nonselectable.events=AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,LOGGING_SIGNED_AUDIT_SIGNING
@@ -371,33 +371,33 @@ preop.cert.sslserver.enable=true
 preop.cert.subsystem.enable=true
 preop.cert.audit_signing.enable=false
 preop.cert.sslserver.defaultSigningAlgorithm=SHA1withRSA
-preop.cert.sslserver.dn=CN=[SERVER_NAME], OU=[INSTANCE_ID]
+preop.cert.sslserver.dn=CN=[SERVER_NAME], OU=[PKI_INSTANCE_ID]
 preop.cert.sslserver.keysize.customsize=2048
 preop.cert.sslserver.keysize.size=2048
 preop.cert.sslserver.keysize.select=custom
-preop.cert.sslserver.nickname=Server-Cert cert-[INSTANCE_ID]
+preop.cert.sslserver.nickname=Server-Cert cert-[PKI_INSTANCE_ID]
 preop.cert.sslserver.profile=caInternalAuthServerCert
 preop.cert.sslserver.subsystem=tps
 preop.cert._003=#preop.cert.sslserver.type=local
 preop.cert.sslserver.userfriendlyname=SSL Server Certificate
 preop.cert._004=#preop.cert.sslserver.cncomponent.override=false
 preop.cert.subsystem.defaultSigningAlgorithm=SHA1withRSA
-preop.cert.subsystem.dn=CN=TPS Subsystem Certificate, OU=[INSTANCE_ID]
+preop.cert.subsystem.dn=CN=TPS Subsystem Certificate, OU=[PKI_INSTANCE_ID]
 preop.cert.subsystem.keysize.customsize=2048
 preop.cert.subsystem.keysize.size=2048
 preop.cert.subsystem.keysize.select=custom
-preop.cert.subsystem.nickname=subsystemCert cert-[INSTANCE_ID]
+preop.cert.subsystem.nickname=subsystemCert cert-[PKI_INSTANCE_ID]
 preop.cert.subsystem.profile=caInternalAuthSubsystemCert
 preop.cert.subsystem.subsystem=tps
 preop.cert._005=#preop.cert.subsystem.type=local
 preop.cert.subsystem.userfriendlyname=Subsystem Certificate
 preop.cert._006=#preop.cert.subsystem.cncomponent.override=true
 preop.cert.audit_signing.defaultSigningAlgorithm=SHA1withRSA
-preop.cert.audit_signing.dn=CN=TPS Audit Signing Certificate, OU=[INSTANCE_ID]
+preop.cert.audit_signing.dn=CN=TPS Audit Signing Certificate, OU=[PKI_INSTANCE_ID]
 preop.cert.audit_signing.keysize.customsize=2048
 preop.cert.audit_signing.keysize.size=2048
 preop.cert.audit_signing.keysize.select=custom
-preop.cert.audit_signing.nickname=auditSigningCert cert-[INSTANCE_ID]
+preop.cert.audit_signing.nickname=auditSigningCert cert-[PKI_INSTANCE_ID]
 preop.cert.audit_signing.profile=caInternalAuthAuditSigningCert
 preop.cert.audit_signing.subsystem=tps
 preop.cert._005=#preop.cert.audit_signing.type=local
diff --git a/pki/base/tps/etc/init.d/pki-tpsd b/pki/base/tps/etc/init.d/pki-tpsd
index ff542a7f2..0631954c2 100755
--- a/pki/base/tps/etc/init.d/pki-tpsd
+++ b/pki/base/tps/etc/init.d/pki-tpsd
@@ -1,1439 +1,83 @@ #!/bin/bash # # --- BEGIN COPYRIGHT BLOCK --- -# This library is free software; you can redistribute it and/or -# modify it under the terms of the GNU Lesser General Public -# License as published by the Free Software Foundation; -# version 2.1 of the License. -# -# This library is distributed in the hope that it will be useful, +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; version 2 of the License. +# +# This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU -# Lesser General Public License for more details. -# -# You should have received a copy of the GNU Lesser General Public -# License along with this library; if not, write to the Free Software -# Foundation, Inc., 51 Franklin Street, Fifth Floor, -# Boston, MA 02110-1301 USA -# -# Copyright (C) 2007 Red Hat, Inc. +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License along +# with this program; if not, write to the Free Software Foundation, Inc., +# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +# +# Copyright (C) 2007-2010 Red Hat, Inc. # All rights reserved. 
# --- END COPYRIGHT BLOCK --- # -# # pki-tpsd Startup script for the Apache HTTP pki-tps Server # # chkconfig: - 87 13 -# description: Token Processing System \ -# (Apache 2.2) +# description: Token Processing System (Apache) # processname: pki-tpsd # piddir: /var/run/pki/tps # config: ${PKI_SERVER_ROOT}/conf/httpd.conf -PKI_INIT_SCRIPT="" +PROG_NAME=`basename $0` +SERVICE_NAME="pki-tpsd" +SERVICE_PROG="/sbin/service" PKI_PATH="/usr/share/pki/tps" -PKI_PIDDIR="/var/run/pki/tps" -PKI_PROCESS="pki-tpsd" PKI_REGISTRY="/etc/sysconfig/pki/tps" -PKI_SELINUX_TYPE="pki_tps_t" PKI_TYPE="pki-tps" - -# PKI subsystem-level directory and file values for locks -lockfile="/var/lock/subsys/pki-tpsd" +PKI_TOTAL_PORTS=3 # Disallow 'others' the ability to 'write' to new files umask 00002 -default_error=0 command="$1" pki_instance="$2" -case "${command}" in - start|stop|restart|condrestart|force-restart|try-restart) - # * 1 generic or unspecified error (current practice) - default_error=1 - ;; - reload) - default_error=3 - ;; - status) - # * 4 program or service status is unknown - default_error=4 - ;; - *) - # * 2 invalid argument(s) - default_error=2 - ;; -esac - -# Check to insure that this script's original invocation directory -# has not been deleted! -CWD=`/bin/pwd > /dev/null 2>&1` -if [ $? -ne 0 ] ; then - echo "Cannot invoke '$0' from non-existent directory!" - exit ${default_error} -fi - -# Check to insure that this script's associated PKI -# subsystem currently resides on this system. -if [ ! -d ${PKI_PATH} ] ; then - echo "This machine is missing the '${PKI_TYPE}' subsystem!" - if [ "${command}" != "status" ]; then - # * 5 program is not installed - exit 5 - else - exit ${default_error} - fi -fi - -# Check to insure that this script's associated PKI -# subsystem instance registry currently resides on this system. -if [ ! -d ${PKI_REGISTRY} ] ; then - echo "This machine contains no registered '${PKI_TYPE}' subsystem instances!" 
- if [ "${command}" != "status" ]; then - # * 5 program is not installed - exit 5 - else - exit ${default_error} - fi -fi - -# Obtain the operating system upon which this script is being executed -# and initialize environment variables -OS=`uname -s` -ARCHITECTURE="" -LD_LIBRARY_PATH="" - -# Time to wait in seconds, before killing process -# -# NOTE: Defined in "tomcat5.conf" for PKI Java/Tomcat Subsystems. -# -STARTUP_WAIT=30 -SHUTDOWN_WAIT=30 - -# This script must be run as root! -RV=0 -if [ ${OS} = "Linux" ] ; then - PKI_INIT_SCRIPT="/sbin/service ${PKI_PROCESS}" - if [ `id -u` -ne 0 ] ; then - echo "Must be 'root' to execute '$0'!" - if [ "${command}" != "status" ]; then - # * 4 user had insufficient privilege - exit 4 - else - # * 4 program or service status is unknown - exit 4 - fi - fi - ARCHITECTURE=`uname -i` - if [ ${ARCHITECTURE} = "i386" ] ; then - LD_LIBRARY_PATH="/usr/lib:/lib:${LD_LIBRARY_PATH}" - elif [ ${ARCHITECTURE} = "x86_64" ] ; then - LD_LIBRARY_PATH="/usr/lib64:/lib64:${LD_LIBRARY_PATH}" - else - echo "Unsupported architecture '${ARCHITECTURE}'!" - exit ${default_error} - fi -elif [ ${OS} = "SunOS" ] ; then - PKI_INIT_SCRIPT="/etc/init.d/${PKI_PROCESS}" - if [ `/usr/xpg4/bin/id -u` -ne 0 ] ; then - echo "Must be 'root' to execute '$0'!" - if [ "${command}" != "status" ]; then - # * 4 user had insufficient privilege - exit 4 - else - # * 4 program or service status is unknown - exit 4 - fi - fi - ARCHITECTURE=`uname -p` - if [ "${ARCHITECTURE}" = "sparc" ] && - [ -d "/usr/lib/sparcv9/" ] ; then - ARCHITECTURE="sparcv9" - fi - if [ ${ARCHITECTURE} = "sparcv9" ] ; then - LD_LIBRARY_PATH="/usr/lib/sparcv9:/lib/sparcv9:${LD_LIBRARY_PATH}" - LD_LIBRARY_PATH="/usr/lib/sparcv9/dirsec:${LD_LIBRARY_PATH}" - else - echo "Unsupported architecture '${ARCHITECTURE}'!" - exit ${default_error} - fi -else - echo "Unsupported OS '${OS}'!" - exit ${default_error} -fi -export LD_LIBRARY_PATH # Source function library. -if [ -f /etc/init.d/functions ]; then - . 
/etc/init.d/functions -else - # The checkpid() function is provided for platforms that do not - # contain the "/etc/init.d/functions" file (e. g. - Solaris) . . . - - # Check if ${pid} (could be plural) are running (keep count) - checkpid() - { - rv=0 - for i in $* ; do - ps -p $i > /dev/null 2>&1 ; - if [ $? -ne 0 ] ; then - rv=`expr $rv + 1` - else - rv=`expr $rv + 0` - fi - done - # echo "rv=$rv" - return $rv - } - - # Create the following directories on platforms - # where they do not exist (e. g. - Solaris) . . . - if [ ! -d "/var/lock" ] ; then - mkdir -p /var/lock - chown root:sys /var/lock - chmod 00755 /var/lock - fi - if [ ! -d "/var/lock/subsys" ] ; then - mkdir -p /var/lock/subsys - chown root:root /var/lock/subsys - chmod 00755 /var/lock/subsys - fi -fi - -PKI_REGISTRY_ENTRIES="" -TOTAL_PKI_REGISTRY_ENTRIES=0 -TOTAL_UNCONFIGURED_PKI_ENTRIES=0 - -# Gather ALL registered instances of this PKI subsystem type -for FILE in `/bin/ls -1 ${PKI_REGISTRY}/* 2>/dev/null`; do - if [ -f "$FILE" ] ; then - inst=`echo "$FILE"` - PKI_REGISTRY_ENTRIES="${PKI_REGISTRY_ENTRIES} $inst" - TOTAL_PKI_REGISTRY_ENTRIES=`expr ${TOTAL_PKI_REGISTRY_ENTRIES} + 1` - fi -done - -if [ -n "${pki_instance}" ]; then - for I in ${PKI_REGISTRY_ENTRIES}; do - if [ "${PKI_REGISTRY}/${pki_instance}" = "$I" ]; then - PKI_REGISTRY_ENTRIES="${PKI_REGISTRY}/${pki_instance}" - TOTAL_PKI_REGISTRY_ENTRIES=1 - break - fi - done -fi - -usage() -{ - echo -n "Usage: ${PKI_INIT_SCRIPT} " - echo -n "{start" - echo -n "|stop" - echo -n "|restart" - echo -n "|condrestart" - echo -n "|force-restart" - echo -n "|try-restart" - echo -n "|reload" - echo -n "|status} " - echo -n "[instance-name]" - echo - echo -} - -list_instances() -{ - echo - for FILE in `/bin/ls -1 ${PKI_REGISTRY}/* 2>/dev/null`; do - echo " ${FILE}" - done - echo -} - -# Check arguments -if [ $# -lt 1 ] ; then - # * 3 unimplemented feature (for example, "reload") - # [insufficient arguments] - echo "$0: Insufficient arguments!" 
- echo - usage - echo "where valid instance names include:" - list_instances - exit 3 -elif [ ${default_error} -eq 2 ] ; then - # * 2 invalid argument - echo "$0: Invalid arguments!" - echo - usage - echo "where valid instance names include:" - list_instances - exit 2 -elif [ $# -gt 2 ] ; then - echo "$0: Excess arguments!" - echo - usage - echo "where valid instance names include:" - list_instances - if [ "${command}" != "status" ]; then - # * 2 excess arguments - exit 2 - else - # * 4 program or service status is unknown - exit 4 - fi -fi - -# If an "instance" was supplied, check that it is a "valid" instance -if [ -n "${pki_instance}" ]; then - if [ "${PKI_REGISTRY}/${pki_instance}" != "${PKI_REGISTRY_ENTRIES}" ]; then - echo -n "${pki_instance} is an invalid '${PKI_TYPE}' instance" - echo_failure - echo - if [ "${command}" != "status" ]; then - # * 5 program is not installed - exit 5 - else - # * 4 program or service status is unknown - exit 4 - fi - fi -fi - -# On Solaris /var/run is in tmpfs and gets wiped out upon reboot -# we have to recreate the ${PKI_PIDDIR} directory and make sure that -# the directory is writable by the ${PKI_TYPE} server process. -# -# IMPORTANT: ALL PKI subsystems installed on this machine MUST utilize -# the SAME values for ${PKI_GROUP} and ${PKI_USER}, since the -# "${PKI_PIDDIR}" will end up with the ownership permissions -# of the first instance that executes this function! -# -fix_pid_dir_ownership() -{ - if [ ! -d ${PKI_PIDDIR} ] ; then - mkdir -p ${PKI_PIDDIR} - - chown root:root /var/run/pki - chmod 00755 /var/run/pki - - chown root:root ${PKI_PIDDIR} - chmod 00755 ${PKI_PIDDIR} - fi -} - -check_pki_configuration_status() -{ - rv=0 - - rv=`grep -c ^preop ${pki_instance_configuration_file}` - - rv=`expr ${rv} + 0` - - if [ ${rv} -ne 0 ] ; then - echo " '${PKI_INSTANCE_ID}' must still be CONFIGURED!" 
- echo " (see /var/log/${PKI_INSTANCE_ID}-install.log)" - if [ "${command}" != "status" ]; then - # * 6 program is not configured - rv=6 - else - # * 4 program or service status is unknown - rv=4 - fi - TOTAL_UNCONFIGURED_PKI_ENTRIES=`expr ${TOTAL_UNCONFIGURED_PKI_ENTRIES} + 1` - elif [ -f ${RESTART_SERVER} ] ; then - echo -n " Although '${PKI_INSTANCE_ID}' has been CONFIGURED, " - echo -n "it must still be RESTARTED!" - echo - if [ "${command}" != "status" ]; then - # * 1 generic or unspecified error (current practice) - rv=1 - else - # * 4 program or service status is unknown - rv=4 - fi - fi - - return ${rv} -} - -get_pki_status_definitions() -{ - # establish well-known strings - listen_statement="Listen" - total_ports=0 - UNSECURE_PORT="" - CLIENTAUTH_PORT="" - NON_CLIENTAUTH_PORT="" - - # check to see that an instance-specific "httpd.conf" file exists - if [ ! -f ${PKI_HTTPD_CONF} ] ; then - echo "File '${PKI_HTTPD_CONF}' does not exist!" - exit ${default_error} - fi - - # check to see that an instance-specific "nss.conf" file exists - if [ ! -f ${PKI_NSS_CONF} ] ; then - echo "File '${PKI_NSS_CONF}' does not exist!" 
- exit ${default_error} - fi - - # read this instance-specific "httpd.conf" file line-by-line - # to obtain the current value of the PKI unsecure port - - exec < ${PKI_HTTPD_CONF} - while read line; do - # look for the listen statement - head=`echo $line | cut -b1-6` - if [ "$head" == "$listen_statement" ] ; then - # once the 'unsecure' listen statement has been found, - # extract the numeric port information - port=`echo $line | cut -b8-` - UNSECURE_PORT=$port - echo " Unsecure Port = http://${PKI_SERVER_NAME}:${UNSECURE_PORT}/cgi-bin/so/enroll.cgi" - echo " (ESC Security Officer Enrollment)" - echo " Unsecure Port = http://${PKI_SERVER_NAME}:${UNSECURE_PORT}/cgi-bin/home/index.cgi" - echo " (ESC Phone Home)" - total_ports=`expr ${total_ports} + 1` - break; - fi - done - - # read this instance-specific "nss.conf" file line-by-line - # to obtain the current value of the "clientauth" PKI secure port - # AND the current value of the "non-clientauth" PKI secure port - - exec < ${PKI_NSS_CONF} - while read line; do - # look for the listen statement - head=`echo $line | cut -b1-6` - if [ "$head" == "$listen_statement" ] && - [ ${total_ports} -eq 2 ] ; then - # once the 'non-clientauth' listen statement has been found, - # extract the numeric port information - non_clientauth_port=`echo $line | cut -b8-` - NON_CLIENTAUTH_PORT=$non_clientauth_port - echo " Secure Non-Clientauth Port = https://${PKI_SERVER_NAME}:${NON_CLIENTAUTH_PORT}/cgi-bin/so/enroll.cgi" - echo " (ESC Security Officer Enrollment)" - echo " Secure Non-Clientauth Port = https://${PKI_SERVER_NAME}:${NON_CLIENTAUTH_PORT}/cgi-bin/home/index.cgi" - echo " (ESC Phone Home)" - total_ports=`expr ${total_ports} + 1` - break - fi - if [ "$head" == "$listen_statement" ] && - [ ${total_ports} -eq 1 ] ; then - # once the 'clientauth' listen statement has been found, - # extract the numeric port information - clientauth_port=`echo $line | cut -b8-` - CLIENTAUTH_PORT=$clientauth_port - echo " Secure Clientauth Port = 
https://${PKI_SERVER_NAME}:${CLIENTAUTH_PORT}/cgi-bin/sow/welcome.cgi" - echo " (ESC Security Officer Workstation)" - echo " Secure Clientauth Port = https://${PKI_SERVER_NAME}:${CLIENTAUTH_PORT}/tus" - echo " (TPS Roles - Operator/Administrator/Agent)" - total_ports=`expr ${total_ports} + 1` - fi - done - - if [ ${total_ports} -eq 3 ] ; then - return 0 - else - return ${default_error} - fi -} - -get_pki_configuration_definitions() -{ - # Obtain the PKI Subsystem Type - line=`grep ^cs.type= ${pki_instance_configuration_file}` - pki_subsystem=`echo "${line}" | cut -b9-` - if [ "${line}" != "" ] ; then - if [ "${pki_subsystem}" != "CA" ] && - [ "${pki_subsystem}" != "KRA" ] && - [ "${pki_subsystem}" != "OCSP" ] && - [ "${pki_subsystem}" != "TKS" ] && - [ "${pki_subsystem}" != "RA" ] && - [ "${pki_subsystem}" != "TPS" ] - then - return ${default_error} - fi - if [ "${pki_subsystem}" == "KRA" ] ; then - # Rename "KRA" to "DRM" - pki_subsystem="DRM" - fi - else - return ${default_error} - fi - - # If "${pki_subsystem}" is a CA, DRM, OCSP, or TKS, - # check to see if "${pki_subsystem}" is a "Clone" - pki_clone="" - if [ "${pki_subsystem}" == "CA" ] || - [ "${pki_subsystem}" == "DRM" ] || - [ "${pki_subsystem}" == "OCSP" ] || - [ "${pki_subsystem}" == "TKS" ] - then - line=`grep ^subsystem.select= ${pki_instance_configuration_file}` - if [ "${line}" != "" ] ; then - pki_clone=`echo "${line}" | cut -b18-` - if [ "${pki_clone}" != "Clone" ] ; then - # Reset "${pki_clone}" to be empty - pki_clone="" - fi - else - return ${default_error} - fi - fi - - # If "${pki_subsystem}" is a CA, and is NOT a "Clone", check to - # see "${pki_subsystem}" is a "Root" or a "Subordinate" CA - pki_hierarchy="" - if [ "${pki_subsystem}" == "CA" ] && - [ "${pki_clone}" != "Clone" ] - then - line=`grep ^hierarchy.select= ${pki_instance_configuration_file}` - if [ "${line}" != "" ] ; then - pki_hierarchy=`echo "${line}" | cut -b18-` - else - return ${default_error} - fi - fi - - # If 
${pki_subsystem} is a CA, check to - # see if it is also a Security Domain - pki_security_domain="" - if [ "${pki_subsystem}" == "CA" ] ; then - line=`grep ^securitydomain.select= ${pki_instance_configuration_file}` - if [ "${line}" != "" ] ; then - pki_security_domain=`echo "${line}" | cut -b23-` - if [ "${pki_security_domain}" == "new" ] ; then - # Set a fixed value for "${pki_security_domain}" - pki_security_domain="(Security Domain)" - else - # Reset "${pki_security_domain}" to be empty - pki_security_domain="" - fi - else - return ${default_error} - fi - fi - - # Always obtain this PKI instance's "registered" - # security domain information - pki_security_domain_name="" - pki_security_domain_hostname="" - pki_security_domain_https_admin_port="" - - line=`grep ^securitydomain.name= ${pki_instance_configuration_file}` - if [ "${line}" != "" ] ; then - pki_security_domain_name=`echo "${line}" | cut -b21-` - else - return ${default_error} - fi - - line=`grep ^securitydomain.host= ${pki_instance_configuration_file}` - if [ "${line}" != "" ] ; then - pki_security_domain_hostname=`echo "${line}" | cut -b21-` - else - return ${default_error} - fi - - line=`grep ^securitydomain.httpsadminport= ${pki_instance_configuration_file}` - if [ "${line}" != "" ] ; then - pki_security_domain_https_admin_port=`echo "${line}" | cut -b31-` - else - return ${default_error} - fi - - # Compose the "PKI Instance Name" Status Line - pki_instance_name="PKI Instance Name: ${PKI_INSTANCE_ID}" - - # Compose the "PKI Subsystem Type" Status Line - header="PKI Subsystem Type: " - if [ "${pki_clone}" != "" ] ; then - if [ "${pki_security_domain}" != "" ]; then - # Possible Values: - # - # "CA Clone (Security Domain)" - # - data="${pki_subsystem} ${pki_clone} ${pki_security_domain}" - else - # Possible Values: - # - # "CA Clone" - # "DRM Clone" - # "OCSP Clone" - # "TKS Clone" - # - data="${pki_subsystem} ${pki_clone}" - fi - elif [ "${pki_hierarchy}" != "" ] ; then - if [ 
"${pki_security_domain}" != "" ]; then - # Possible Values: - # - # "Root CA (Security Domain)" - # "Subordinate CA (Security Domain)" - # - data="${pki_hierarchy} ${pki_subsystem} ${pki_security_domain}" - else - # Possible Values: - # - # "Root CA" - # "Subordinate CA" - # - data="${pki_hierarchy} ${pki_subsystem}" - fi - else - # Possible Values: - # - # "DRM" - # "OCSP" - # "RA" - # "TKS" - # "TPS" - # - data="${pki_subsystem}" - fi - pki_subsystem_type="${header} ${data}" - - # Compose the "Registered PKI Security Domain Information" Status Line - header="Name: " - registered_pki_security_domain_name="${header} ${pki_security_domain_name}" - - header="URL: " - if [ "${pki_security_domain_hostname}" != "" ] && - [ "${pki_security_domain_https_admin_port}" != "" ] - then - data="https://${pki_security_domain_hostname}:${pki_security_domain_https_admin_port}" - else - return ${default_error} - fi - registered_pki_security_domain_url="${header} ${data}" - - # Print the "PKI Subsystem Type" Status Line - echo - echo " ${pki_instance_name}" - - # Print the "PKI Subsystem Type" Status Line - echo - echo " ${pki_subsystem_type}" - - # Print the "Registered PKI Security Domain Information" Status Line - echo - echo " Registered PKI Security Domain Information:" - echo " ==========================================================================" - echo " ${registered_pki_security_domain_name}" - echo " ${registered_pki_security_domain_url}" - echo " ==========================================================================" - - return 0 -} - -get_pki_secure_port() -{ - # establish well-known strings - listen_statement="Listen" - - # first check to see that an instance-specific "nss.conf" file exists - if [ ! -f ${PKI_NSS_CONF} ] ; then - echo "File '${PKI_NSS_CONF}' does not exist!" 
- exit ${default_error} - fi - - # read this instance-specific "nss.conf" file line-by-line - # to obtain the current value of the "clientauth" PKI secure port - exec < ${PKI_NSS_CONF} - while read line; do - # look for the listen statement - head=`echo $line | cut -b1-6` - if [ "$head" == "$listen_statement" ] ; then - # once the 'clientauth' listen statement has been found, - # extract the numeric port information - port=`echo $line | cut -b8-` - SECURE_PORT=$port - return 0 - fi - done - - return ${default_error} -} - -display_instance_status() -{ - rv=0 - - if [ -f ${pidfile} ] ; then - pid=`cat ${pidfile}` - if [ "${pid}" == "" ] ; then - echo "${PKI_INSTANCE_ID} pid file exists but is empty" - if [ "${command}" != "status" ]; then - # * 1 generic or unspecified error (current practice) - rv=1 - else - # * 4 program or service status is unknown - rv=4 - fi - elif kill -0 ${pid} > /dev/null 2>&1 ; then - echo "${PKI_INSTANCE_ID} (pid ${pid}) is running ..." - echo - check_pki_configuration_status - rv=$? - if [ ${rv} -eq 0 ] ; then - get_pki_status_definitions - rv=$? - if [ ${rv} -ne 0 ] ; then - echo - echo "${PKI_INSTANCE_ID} Status Definitions not found" - else - get_pki_configuration_definitions - rv=$? - if [ ${rv} -ne 0 ] ; then - echo - echo "${PKI_INSTANCE_ID} Configuration Definitions not found" - fi - fi - else - # From the PKI point of view for a "non-status" action, - # a returned error code of "6" implies that the program - # is not "configured". Similarly, an error code of "1" - # implies that the program was "configured" but must - # still be restarted. - # - # Similarly, from the PKI point of view for a "status" - # action, a returned error code of "4" implies that either - # the program is not "configured", or that the program - # was "configured" but must still be restarted. - # - # Regardless, it must still be considered that the instance - # is "running" from the viewpoint of other OS programs such - # as 'chkconfig'. 
- # - # For this reason, when returning from - # 'display_instance_status()', ignore non-zero return codes - # returned from 'check_pki_configuration_status()'. - # - if [ "${command}" != "status" ]; then - # * 0 action was successful - rv=0 - else - # * 0 program is running or service is OK - rv=0 - fi - fi - echo - else - echo "${PKI_INSTANCE_ID} is dead but pid file exists" - if [ "${command}" != "status" ]; then - # * 1 generic or unspecified error (current practice) - rv=1 - else - # * 1 program is dead and /var/run pid file exists - rv=1 - fi - fi - else - echo "${PKI_INSTANCE_ID} is stopped" - if [ "${command}" != "status" ]; then - # * 7 program is not running - rv=7 - else - # * 3 program is not running - rv=3 - fi - fi - - return ${rv} -} - -start_instance() -{ - rv=0 - - echo -n $"Starting ${prog}: " - - if [ -f ${RESTART_SERVER} ] ; then - rm -f ${RESTART_SERVER} - fi - - if [ -f ${PKI_LOCKFILE} ] ; then - if [ -f ${pidfile} ]; then - read kpid < ${pidfile} - if checkpid $kpid 2>&1; then - echo - echo "${PKI_INSTANCE_ID} (pid ${kpid}) is already running ..." - echo - check_pki_configuration_status - rv=$? - if [ ${rv} != 0 ]; then - # From the PKI point of view for a "non-status" action, - # a returned error code of "6" implies that the program - # is not "configured". Similarly, an error code of "1" - # implies that the program was "configured" but must - # still be restarted. - # - # Regardless, it must still be considered that the instance - # is "running" from the viewpoint of other OS programs such - # as 'chkconfig'. - # - # For "non-status" actions, ignore return codes of "1" - # from 'check_pki_configuration_status()'. - # - # However, for "non-status" actions that have a return - # code of "6", return this value unchanged to - # the calling routine so that the total number of - # configuration errors may be counted. 
- # - - echo - if [ ${rv} = 1 ] ; then - # * 0 action was successful - return 0 - elif [ ${rv} = 6 ] ; then - # * 6 program is not configured - return 6 - else - # should never be reached - return ${rv} - fi - else - return 0 - fi - else - echo - echo -n "lock file found but no process " - echo -n "running for pid $kpid, continuing" - echo - echo - rm -f ${PKI_LOCKFILE} - fi - fi - fi - - fix_pid_dir_ownership - - touch ${pidfile} - chown ${PKI_USER}:${PKI_GROUP} ${pidfile} - chmod 00600 ${pidfile} - [ -x /sbin/restorecon ] && /sbin/restorecon ${pidfile} - - # restore context for ncipher hsm - [ -x /sbin/restorecon ] && [ -d /dev/nfast ] && /sbin/restorecon -R /dev/nfast - - if [ -f /etc/init.d/functions ]; then - /usr/sbin/selinuxenabled - rv=$? - if [ ${rv} = 0 ] ; then - if [ ${ARCHITECTURE} = "i386" ] ; then - LANG=${PKI_HTTPD_LANG} daemon runcon -t ${PKI_SELINUX_TYPE} -- ${httpd} ${PKI_OPTIONS} - # overwrite output from "daemon" - echo -n $"Starting ${prog}: " - elif [ ${ARCHITECTURE} = "x86_64" ] ; then - # NOTE: "daemon" is incompatible with "httpd" - # on 64-bit architectures - LANG=${PKI_HTTPD_LANG} runcon -t ${PKI_SELINUX_TYPE} -- ${httpd} ${PKI_OPTIONS} - fi - else - LANG=${PKI_HTTPD_LANG} daemon ${httpd} ${PKI_OPTIONS} - # overwrite output from "daemon" - echo -n $"Starting ${prog}: " - fi - else - LANG=${PKI_HTTPD_LANG} ${httpd} ${PKI_OPTIONS} -k start - fi - - rv=$? - if [ ${rv} = 0 ] ; then - touch ${PKI_LOCKFILE} - chown ${PKI_USER}:${PKI_GROUP} ${PKI_LOCKFILE} - chmod 00600 ${PKI_LOCKFILE} - fi - - if [ ${rv} = 0 ] ; then - count=0; - - let swait=$STARTUP_WAIT - until [ -s ${pidfile} ] || - [ $count -gt $swait ] - do - echo -n "." - sleep 1 - let count=$count+1; - done - - if [ -f /etc/init.d/functions ]; then - if [ "$CONSOLETYPE" = "serial" ]; then - echo -n " " - fi - echo_success - echo - else - echo " [ OK ]" - fi - - get_pki_secure_port - if [ $? 
-ne 0 ] ; then - SECURE_PORT="<Port Undefined>" - fi - - # Set permissions of log files - pki_signedAudit="${pki_logs_directory}/signedAudit" - for file in ${pki_logs_directory}/*; do - if [ "${file}" != "${pki_signedAudit}" ]; then - chown ${PKI_USER}:${PKI_GROUP} ${file} - chmod 00640 ${file} - fi - done - - # Set permissions of signedAudit log files - pki_signedAudit_files=`ls -1A ${pki_signedAudit} | wc -l` - if [ ${pki_signedAudit_files} -gt 0 ]; then - for file in ${pki_signedAudit}/*; do - chown ${PKI_USER} ${file} - chmod 00640 ${file} - done - fi +. /etc/init.d/functions - # ignore "status" return codes - echo - display_instance_status - else - if [ -f /etc/init.d/functions ]; then - if [ "$CONSOLETYPE" = "serial" ]; then - $0 echo -n " " - fi - echo_failure - echo - else - echo " [ FAILED ]" - fi - fi - - if [ ${OS} = "Linux" ] ; then - sleep 10 - elif [ ${OS} = "SunOS" ] ; then - sleep 20 - fi - return ${rv} -} - -stop_instance() -{ - rv=0 - - echo -n "Stopping ${prog}: " - - if [ -f ${PKI_LOCKFILE} ] ; then - ${httpd} ${PKI_OPTIONS} -k stop - - rv=$? - - if [ ${rv} = 0 ]; then - count=0; - - if [ -f ${pidfile} ]; then - read kpid < ${pidfile} - let kwait=$SHUTDOWN_WAIT - - until [ `ps -p $kpid | grep -c $kpid` = '0' ] || - [ $count -gt $kwait ] - do - echo -n "." - sleep 1 - let count=$count+1; - done - - if [ $count -gt $kwait ]; then - kill -9 $kpid - fi - fi - - rm -f ${PKI_LOCKFILE} - rm -f ${pidfile} - - if [ -f /etc/init.d/functions ]; then - if [ "$CONSOLETYPE" = "serial" ]; then - echo -n " " - fi - echo_success - echo - else - echo " [ OK ]" - fi - else - if [ -f /etc/init.d/functions ]; then - if [ "$CONSOLETYPE" = "serial" ]; then - echo -n " " - fi - echo_failure - echo - else - echo " [ FAILED ]" - fi - rv=${default_error} - fi - else - echo - echo "process already stopped" - rv=0 - fi - - return ${rv} -} - -reload_instance() -{ - rv=0 - - echo -n $"Reloading ${prog}: " - - if ! 
LANG=${PKI_HTTPD_LANG} ${httpd} ${PKI_OPTIONS} -t >&/dev/null; then - rv=$? - echo $"not reloading due to configuration syntax error" - if [ -f /etc/init.d/functions ]; then - failure $"not reloading ${httpd} due to configuration syntax error" - else - echo $"not reloading ${httpd} due to configuration syntax error" - fi - else - if [ -f /etc/init.d/functions ]; then - killproc -p ${pidfile} ${httpd} -HUP - rv=$? - else - if [ -f ${PKI_LOCKFILE} ] ; then - if [ -f ${pidfile} ]; then - read kpid < ${pidfile} - if checkpid $kpid 2>&1; then - kill -HUP $kpid - rv=$? - if [ ${rv} != 0 ]; then - rv=${default_error} - fi - fi - else - # * 7 program is not running - rv=7 - echo - echo -n "lock file found but no process " - echo -n "running for pid $kpid, continuing" - echo - echo - rm -f ${PKI_LOCKFILE} - fi - fi - fi - fi - echo - - return ${rv} -} - -# The semantics of the 'start()' function differs from the way 'apachectl' -# does things -- attempting to start while running is a failure. -# So we just do it the way init scripts are expected to behave here. 
-start() -{ - # From "http://fedoraproject.org/wiki/FCNewInit/Initscripts": - # - # * 0 action was successful - # * 1 generic or unspecified error (current practice) - # * 2 invalid or excess argument(s) - # * 3 unimplemented feature (for example, "reload") - # * 4 user had insufficient privilege - # * 5 program is not installed - # * 6 program is not configured - # * 7 program is not running - # * 8-99 reserved for future LSB use - # * 100-149 reserved for distribution use - # * 150-199 reserved for application use - # * 200-254 reserved - # - - error_rv=0 - rv=0 - - if [ -n "${PKI_REGISTRY_ENTRIES}" ]; then - config_errors=0 - errors=0 - - if [ ${TOTAL_PKI_REGISTRY_ENTRIES} -gt 1 ] ; then - echo "BEGIN STARTING '${PKI_TYPE}' INSTANCE(S):" - fi - - # Start every PKI instance of this type that isn't already running - for PKI_REGISTRY_ENTRY in ${PKI_REGISTRY_ENTRIES}; do - # Source values associated with this particular PKI instance - [ -f ${PKI_REGISTRY_ENTRY} ] && - . ${PKI_REGISTRY_ENTRY} - - pidfile=${PKI_PIDDIR}/${PKI_PIDFILE} - - [ ${TOTAL_PKI_REGISTRY_ENTRIES} -gt 1 ] && echo - - start_instance - - rv=$? - if [ ${rv} = 6 ] ; then - # Since at least ONE configuration error exists, then there - # is at least ONE unconfigured instance from the PKI point - # of view. - # - # However, it must still be considered that the - # instance is "running" from the point of view of other - # OS programs such as 'chkconfig'. - # - # Therefore, ignore non-zero return codes resulting - # from configuration errors. - # - - config_errors=`expr $config_errors + 1` - rv=0 - elif [ ${rv} != 0 ] ; then - errors=`expr $errors + 1` - error_rv=${rv} - fi - done - - if [ ${TOTAL_PKI_REGISTRY_ENTRIES} -gt ${errors} ] ; then - touch ${lockfile} - chmod 00600 ${lockfile} - fi - - # ONLY print a "WARNING" message if multiple - # instances are being examined - if [ ${TOTAL_PKI_REGISTRY_ENTRIES} -gt 1 ] ; then - # NOTE: "bad" return code(s) OVERRIDE configuration errors! 
- if [ ${errors} -eq 1 ]; then - # Since only ONE error exists, return that "bad" error code. - rv=${error_rv} - elif [ ${errors} -gt 1 ]; then - # Since MORE than ONE error exists, return an OVERALL status - # of "1 generic or unspecified error (current practice)" - rv=1 - fi - - if [ ${errors} -ge 1 ]; then - echo - echo -n "WARNING: " - echo -n "${errors} of ${TOTAL_PKI_REGISTRY_ENTRIES} " - echo -n "'${PKI_TYPE}' instances failed to start!" - echo - fi - - if [ ${TOTAL_UNCONFIGURED_PKI_ENTRIES} -ge 1 ]; then - echo - echo -n "WARNING: " - echo -n "${TOTAL_UNCONFIGURED_PKI_ENTRIES} " - echo -n "of ${TOTAL_PKI_REGISTRY_ENTRIES} " - echo -n "'${PKI_TYPE}' instances MUST be configured!" - echo - fi - - echo - echo "FINISHED STARTING '${PKI_TYPE}' INSTANCE(S)." - fi - else - echo - echo "ERROR: No '${PKI_TYPE}' instances installed!" - rv=5 - fi - - return ${rv} -} - -# The semantics of the 'stop()' function differs from the way 'apachectl' -# does things -- attempting to shutdown when not running is a failure. -# So we just do it the way init scripts are expected to behave here. 
-stop() -{ - # From "http://fedoraproject.org/wiki/FCNewInit/Initscripts": - # - # * 0 action was successful - # * 1 generic or unspecified error (current practice) - # * 2 invalid or excess argument(s) - # * 3 unimplemented feature (for example, "reload") - # * 4 user had insufficient privilege - # * 5 program is not installed - # * 6 program is not configured - # * 7 program is not running - # * 8-99 reserved for future LSB use - # * 100-149 reserved for distribution use - # * 150-199 reserved for application use - # * 200-254 reserved - # - - error_rv=0 - rv=0 - - if [ -n "${PKI_REGISTRY_ENTRIES}" ]; then - errors=0 - - if [ ${TOTAL_PKI_REGISTRY_ENTRIES} -gt 1 ] ; then - echo "BEGIN SHUTTING DOWN '${PKI_TYPE}' INSTANCE(S):" - fi - - # Shutdown every PKI instance of this type that is running - for PKI_REGISTRY_ENTRY in ${PKI_REGISTRY_ENTRIES}; do - # Source values associated with this particular PKI instance - [ -f ${PKI_REGISTRY_ENTRY} ] && - . ${PKI_REGISTRY_ENTRY} - - pidfile=${PKI_PIDDIR}/${PKI_PIDFILE} - - [ ${TOTAL_PKI_REGISTRY_ENTRIES} -gt 1 ] && echo - - stop_instance - - rv=$? - if [ ${rv} != 0 ] ; then - errors=`expr $errors + 1` - error_rv=${rv} - fi - done - - if [ ${errors} -eq 0 ] ; then - rm -f ${lockfile} - fi - - # ONLY print a "WARNING" message if multiple - # instances are being examined - if [ ${TOTAL_PKI_REGISTRY_ENTRIES} -gt 1 ] ; then - if [ ${errors} -eq 1 ]; then - # Since only ONE error exists, return that "bad" error code. - rv=${error_rv} - elif [ ${errors} -gt 1 ]; then - # Since MORE than ONE error exists, return an OVERALL status - # of "1 generic or unspecified error (current practice)" - rv=1 - fi - - if [ ${errors} -ge 1 ]; then - echo - echo -n "WARNING: " - echo -n "${errors} of ${TOTAL_PKI_REGISTRY_ENTRIES} " - echo -n "'${PKI_TYPE}' instances were " - echo -n "unsuccessfully stopped!" - echo - fi - - echo - echo "FINISHED SHUTTING DOWN '${PKI_TYPE}' INSTANCE(S)." 
- fi - else - echo - echo "ERROR: No '${PKI_TYPE}' instances installed!" - rv=5 - fi - - return ${rv} -} - -restart() -{ - # From "http://fedoraproject.org/wiki/FCNewInit/Initscripts": - # - # * 0 action was successful - # * 1 generic or unspecified error (current practice) - # * 2 invalid or excess argument(s) - # * 3 unimplemented feature (for example, "reload") - # * 4 user had insufficient privilege - # * 5 program is not installed - # * 6 program is not configured - # * 7 program is not running - # * 8-99 reserved for future LSB use - # * 100-149 reserved for distribution use - # * 150-199 reserved for application use - # * 200-254 reserved - # - - stop - sleep 2 - echo - echo "============================================================" - echo - start - - return $? -} - -reload() -{ - # From "http://fedoraproject.org/wiki/FCNewInit/Initscripts": - # - # * 0 action was successful - # * 1 generic or unspecified error (current practice) - # * 2 invalid or excess argument(s) - # * 3 unimplemented feature (for example, "reload") - # * 4 user had insufficient privilege - # * 5 program is not installed - # * 6 program is not configured - # * 7 program is not running - # * 8-99 reserved for future LSB use - # * 100-149 reserved for distribution use - # * 150-199 reserved for application use - # * 200-254 reserved - # - - error_rv=0 - rv=0 - - if [ -n "${PKI_REGISTRY_ENTRIES}" ]; then - errors=0 - - if [ ${TOTAL_PKI_REGISTRY_ENTRIES} -gt 1 ] ; then - echo "BEGIN RELOADING '${PKI_TYPE}' INSTANCE(S):" - fi - - # Reload every PKI instance of this type that is running - for PKI_REGISTRY_ENTRY in ${PKI_REGISTRY_ENTRIES}; do - # Source values associated with this particular PKI instance - [ -f ${PKI_REGISTRY_ENTRY} ] && - . ${PKI_REGISTRY_ENTRY} - - pidfile=${PKI_PIDDIR}/${PKI_PIDFILE} - - [ ${TOTAL_PKI_REGISTRY_ENTRIES} -gt 1 ] && echo - - reload_instance - - rv=$? 
- if [ ${rv} != 0 ] ; then - errors=`expr $errors + 1` - error_rv=${rv} - fi - done - - # ONLY print a "WARNING" message if multiple - # instances are being examined - if [ ${TOTAL_PKI_REGISTRY_ENTRIES} -gt 1 ] ; then - if [ ${errors} -eq 1 ]; then - # Since only ONE error exists, return that "bad" error code. - rv=${error_rv} - elif [ ${errors} -gt 1 ]; then - # Since MORE than ONE error exists, return an OVERALL status - # of "1 generic or unspecified error (current practice)" - rv=1 - fi - - if [ ${errors} -ge 1 ]; then - echo - echo -n "WARNING: " - echo -n "${errors} of ${TOTAL_PKI_REGISTRY_ENTRIES} " - echo -n "'${PKI_TYPE}' instances were " - echo -n "unsuccessfully reloaded!" - echo - fi - - echo - echo "FINISHED RELOADING '${PKI_TYPE}' INSTANCE(S)." - fi - else - echo - echo "ERROR: No '${PKI_TYPE}' instances reloaded!" - rv=5 - fi - - return ${rv} -} - -status() -{ - # From "http://fedoraproject.org/wiki/FCNewInit/Initscripts": - # - # * 0 program is running or service is OK - # * 1 program is dead and /var/run pid file exists - # * 2 program is dead and /var/lock lock file exists - # * 3 program is not running - # * 4 program or service status is unknown - # * 5-99 reserved for future LSB use - # * 100-149 reserved for distribution use - # * 150-199 reserved for application use - # * 200-254 reserved - # - - error_rv=0 - rv=0 - - if [ -n "${PKI_REGISTRY_ENTRIES}" ]; then - errors=0 - - if [ ${TOTAL_PKI_REGISTRY_ENTRIES} -gt 1 ] ; then - echo "REPORT STATUS OF '${PKI_TYPE}' INSTANCE(S):" - fi - - # Obtain status of every PKI instance of this type - for PKI_REGISTRY_ENTRY in ${PKI_REGISTRY_ENTRIES}; do - # Source values associated with this particular PKI instance - [ -f ${PKI_REGISTRY_ENTRY} ] && - . ${PKI_REGISTRY_ENTRY} - - pidfile=${PKI_PIDDIR}/${PKI_PIDFILE} - - [ ${TOTAL_PKI_REGISTRY_ENTRIES} -gt 1 ] && echo - - display_instance_status - - rv=$? 
- if [ ${rv} -ne 0 ] ; then - errors=`expr $errors + 1` - error_rv=${rv} - fi - done - - # ONLY print a "WARNING" message if multiple - # instances are being examined - if [ ${TOTAL_PKI_REGISTRY_ENTRIES} -gt 1 ] ; then - if [ ${errors} -eq 1 ]; then - # Since only ONE error exists, return that "bad" error code. - rv=${error_rv} - elif [ ${errors} -gt 1 ]; then - # Since MORE than ONE error exists, return an OVERALL status - # of "4 - program or service status is unknown" - rv=4 - fi - - if [ ${errors} -ge 1 ]; then - echo - echo -n "WARNING: " - echo -n "${errors} of ${TOTAL_PKI_REGISTRY_ENTRIES} " - echo -n "'${PKI_TYPE}' instances reported status failures!" - echo - fi - - if [ ${TOTAL_UNCONFIGURED_PKI_ENTRIES} -ge 1 ]; then - echo - echo -n "WARNING: " - echo -n "${TOTAL_UNCONFIGURED_PKI_ENTRIES} " - echo -n "of ${TOTAL_PKI_REGISTRY_ENTRIES} " - echo -n "'${PKI_TYPE}' instances MUST be configured!" - echo - fi - - echo - echo "FINISHED REPORTING STATUS OF '${PKI_TYPE}' INSTANCE(S)." - fi - else - echo - echo "ERROR: No '${PKI_TYPE}' instances installed!" - rv=4 - fi - - return ${rv} -} +# Source the PKI function library +. /usr/share/pki/scripts/functions # See how we were called. -case "${command}" in - start|stop|restart|reload|status) - ${command} - exit $? - ;; - condrestart|force-restart|try-restart) - [ ! -f ${lockfile} ] || restart - exit $? - ;; - *) - # * 3 unimplemented feature (for example, "reload") - # [invalid command - should never be reached] - echo - usage - echo "where valid instance names include:" - list_instances - exit 3 - ;; +case $command in + status) + registry_status + exit $? + ;; + start) + start + exit $? + ;; + restart) + restart + exit $? + ;; + stop) + stop + exit $? + ;; + condrestart|force-restart|try-restart) + [ ! -f ${lockfile} ] || restart + exit $? + ;; + reload) + echo "The 'reload' action is an unimplemented feature." 
+ exit ${default_error}
+ ;;
+ *)
+ echo "unknown action ($command)"
+ usage
+ echo "where valid instance names include:"
+ list_instances
+ exit ${default_error}
+ ;;
 esac
diff --git a/pki/base/tps/setup/config.desktop b/pki/base/tps/setup/config.desktop
index f84fadac2..2bfc396e6 100644
--- a/pki/base/tps/setup/config.desktop
+++ b/pki/base/tps/setup/config.desktop
@@ -21,7 +21,7 @@
 [Desktop Entry]
 Version=1.0.0
 Encoding=UTF-8
-Name=Token Processing System Configuration - [INSTANCE_ID]
+Name=Token Processing System Configuration - [PKI_INSTANCE_ID]
 GenericName=Token Processing System Configuration
 Comment=Configure Token Processing System
 Exec=firefox https://[SERVER_NAME]:[SECURE_PORT]/tps/admin/console/config/login?pin=[PKI_RANDOM_NUMBER]
diff --git a/pki/base/tps/setup/registry_instance b/pki/base/tps/setup/registry_instance
new file mode 100644
index 000000000..e02f19011
--- /dev/null
+++ b/pki/base/tps/setup/registry_instance
@@ -0,0 +1,117 @@
+# Establish PKI Variable "Slot" Substitutions
+
+PKI_FLAVOR=[PKI_FLAVOR]
+export PKI_FLAVOR
+
+PKI_SUBSYSTEM_TYPE=[PKI_SUBSYSTEM_TYPE]
+export PKI_SUBSYSTEM_TYPE
+
+PKI_USER=[PKI_USER]
+export PKI_USER
+
+PKI_GROUP=[PKI_GROUP]
+export PKI_GROUP
+
+PKI_INSTANCE_ID=[PKI_INSTANCE_ID]
+export PKI_INSTANCE_ID
+
+PKI_INSTANCE_INITSCRIPT=[PKI_INSTANCE_INITSCRIPT]
+export PKI_INSTANCE_INITSCRIPT
+
+PKI_HTTPD_CONF=[HTTPD_CONF]
+export PKI_HTTPD_CONF
+
+PKI_SERVER_ROOT=[SERVER_ROOT]
+export PKI_SERVER_ROOT
+
+PKI_SYSTEM_USER_LIBRARIES=[SYSTEM_USER_LIBRARIES]
+export PKI_SYSTEM_USER_LIBRARIES
+
+PKI_FORTITUDE_DIR=[FORTITUDE_DIR]
+export PKI_FORTITUDE_DIR
+
+PKI_NSS_CONF=[NSS_CONF]
+export PKI_NSS_CONF
+
+PKI_SERVER_NAME=[SERVER_NAME]
+export PKI_SERVER_NAME
+
+PKI_LOCK_FILE="[PKI_LOCKDIR]/${PKI_INSTANCE_ID}.pid"
+export PKI_LOCK_FILE
+
+PKI_PID_FILE="[PKI_PIDDIR]/${PKI_INSTANCE_ID}.pid"
+export PKI_PID_FILE
+
+PKI_SELINUX_TYPE="pki_tps_t"
+export PKI_SELINUX_TYPE
+
+pki_instance_configuration_file=${PKI_SERVER_ROOT}/conf/CS.cfg
+export pki_instance_configuration_file
+
+RESTART_SERVER=${PKI_SERVER_ROOT}/conf/restart_server_after_configuration
+export RESTART_SERVER
+
+########################################################################
+# This section contains modified content of "/etc/sysconfig/httpd" #
+########################################################################
+# Configuration file for the ${PKI_INSTANCE_ID} service.
+
+#
+# The default processing model (MPM) is the process-based
+# 'prefork' model. A thread-based model, 'worker', is also
+# available, but does not work with some modules (such as PHP).
+# The service must be stopped before changing this variable.
+#
+PKI_HTTPD=${PKI_FORTITUDE_DIR}/sbin/httpd.worker
+export PKI_HTTPD
+
+#
+# To pass additional options (for instance, -D definitions) to the
+# httpd binary at startup, set PKI_OPTIONS here.
+#
+PKI_OPTIONS="-f ${PKI_HTTPD_CONF}"
+export PKI_OPTIONS
+
+#
+# By default, the httpd process is started in the C locale; to
+# change the locale in which the server runs, the PKI_HTTPD_LANG
+# variable can be set.
+#
+PKI_HTTPD_LANG=C
+export PKI_HTTPD_LANG
+########################################################################
+# #
+########################################################################
+
+# This will prevent initlog from swallowing up a pass-phrase prompt if
+# mod_ssl needs a pass-phrase from the user.
+PKI_INITLOG_ARGS=""
+export PKI_INITLOG_ARGS
+
+# Set PKI_HTTPD=/usr/sbin/httpd.worker in /etc/sysconfig/httpd to use a server
+# with the thread-based "worker" MPM; BE WARNED that some modules may not
+# work correctly with a thread-based MPM; notably PHP will refuse to start.
+
+# Path to the server binary and short-form for messages.
+httpd=${PKI_HTTPD}
+export httpd
+
+pki_logs_directory=${PKI_SERVER_ROOT}/logs
+export pki_logs_directory
+
+# see if httpd is linked with the openldap libraries - we need to override them
+if [ ${OS} = "Linux" ]; then
+ hasopenldap=0
+
+ /usr/bin/ldd ${httpd} 2>&1 | grep libldap- > /dev/null 2>&1 && hasopenldap=1
+
+ if [ ${hasopenldap} -eq 1 ] ; then
+ LD_PRELOAD="${PKI_SYSTEM_USER_LIBRARIES}/libldap60.so"
+ LD_PRELOAD="${PKI_SYSTEM_USER_LIBRARIES}/libssl3.so:${LD_PRELOAD}"
+ export LD_PRELOAD
+ fi
+elif [ ${OS} = "SunOS" ]; then
+ LD_PRELOAD_64="${PKI_SYSTEM_USER_LIBRARIES}/libldap60.so"
+ LD_PRELOAD_64="${PKI_SYSTEM_USER_LIBRARIES}/dirsec/libssl3.so:${LD_PRELOAD_64}"
+ export LD_PRELOAD_64
+fi
|
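Review bot: `if [ ${OS} = "Linux" ]` and `elif [ ${OS} = "SunOS" ]` near the end of the new registry_instance leave `${OS}` unquoted, and nothing in this file sets `OS`; if it is unset when the fragment is sourced, `[` sees only `= Linux ]` and the test errors instead of selecting a branch, so neither `LD_PRELOAD` nor `LD_PRELOAD_64` is exported. Quote both: `if [ "${OS}" = "Linux" ]; then` and `elif [ "${OS}" = "SunOS" ]; then`; `${httpd}` on the `ldd` line deserves the same treatment. Separately, `PKI_LOCK_FILE` is built with the `.pid` suffix, so it differs from `PKI_PID_FILE` only by directory; if `[PKI_LOCKDIR]` and `[PKI_PIDDIR]` are ever substituted with the same path the lock and pid files collide — presumably `.lock` was intended. Because every value here is `export`ed and the fragment is clearly meant to be sourced, and it controls `LD_PRELOAD` and the `httpd` binary path, the installed copy should be root-owned and not writable by `PKI_USER`/`PKI_GROUP`; that cannot be verified from this hunk.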