authorjdennis <jdennis@c9f7a03b-bd48-0410-a16d-cbbf54688b0b>2010-11-19 21:00:40 +0000
committerjdennis <jdennis@c9f7a03b-bd48-0410-a16d-cbbf54688b0b>2010-11-19 21:00:40 +0000
commit2ab4b4058a240143e513db050bbf4170e9115ef1 (patch)
treea00195c6f63f11ee5e2fd9c4fc5f3c216ef7ace2 /pki/base/tps
parente73bde97720375973af57a29c5dd62aaec6342f2 (diff)
Merge CA changes into KRA,OCSP & TKS
git-svn-id: svn+ssh://svn.fedorahosted.org/svn/pki/trunk@1575 c9f7a03b-bd48-0410-a16d-cbbf54688b0b
Diffstat (limited to 'pki/base/tps')
-rw-r--r--pki/base/tps/Makefile.am2
-rw-r--r--pki/base/tps/Makefile.in2
-rwxr-xr-xpki/base/tps/apache/apachectl189
-rw-r--r--pki/base/tps/apache/conf/httpd.conf14
-rw-r--r--pki/base/tps/apache/conf/nss.conf4
-rw-r--r--pki/base/tps/build.xml14
-rw-r--r--pki/base/tps/doc/CS.cfg28
-rwxr-xr-xpki/base/tps/etc/init.d/pki-tpsd1462
-rw-r--r--pki/base/tps/setup/config.desktop2
-rw-r--r--pki/base/tps/setup/registry_instance117
10 files changed, 208 insertions, 1626 deletions
diff --git a/pki/base/tps/Makefile.am b/pki/base/tps/Makefile.am
index 16cec1f81..a98fd8971 100644
--- a/pki/base/tps/Makefile.am
+++ b/pki/base/tps/Makefile.am
@@ -248,7 +248,7 @@ scripts_DATA = $(srcdir)/scripts/schemaMods.ldif \
scripts_SCRIPTS = $(srcdir)/scripts/nss_pcache
if LINUX
-setup_DATA = $(srcdir)/setup/config.desktop
+setup_DATA = $(srcdir)/setup/config.desktop $(srcdir)/setup/registry_instance
endif
templates_DATA = $(srcdir)/apache/pki_instance_command_wrapper \
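Review bot: The new `setup_DATA` value on the `+` line puts both files on a single line, whereas the neighbouring `scripts_DATA` list (visible in the hunk header) and `templates_DATA` directly below use one file per line with `\` continuations. For consistency with the rest of this Makefile.am I would wrap it as `setup_DATA = $(srcdir)/setup/config.desktop \` followed by an indented `$(srcdir)/setup/registry_instance` line. Makefile.in carries the same one-line form by hand in this commit; since it is generated from Makefile.am, it would pick up the wrapped form on the next regeneration, so only the .am needs the edit.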
diff --git a/pki/base/tps/Makefile.in b/pki/base/tps/Makefile.in
index b50254251..090edfeee 100644
--- a/pki/base/tps/Makefile.in
+++ b/pki/base/tps/Makefile.in
@@ -726,7 +726,7 @@ scripts_DATA = $(srcdir)/scripts/schemaMods.ldif \
$(srcdir)/scripts/addVLVIndexes.ldif
scripts_SCRIPTS = $(srcdir)/scripts/nss_pcache
-@LINUX_TRUE@setup_DATA = $(srcdir)/setup/config.desktop
+@LINUX_TRUE@setup_DATA = $(srcdir)/setup/config.desktop $(srcdir)/setup/registry_instance
templates_DATA = $(srcdir)/apache/pki_instance_command_wrapper \
$(srcdir)/apache/pki_subsystem_command_wrapper
diff --git a/pki/base/tps/apache/apachectl b/pki/base/tps/apache/apachectl
deleted file mode 100755
index 827512ef3..000000000
--- a/pki/base/tps/apache/apachectl
+++ /dev/null
@@ -1,189 +0,0 @@
-#!/bin/sh
-#
-# --- BEGIN COPYRIGHT BLOCK ---
-#
-# Copyright 2000-2004 The Apache Software Foundation
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-# Copyright (C) 2007 Red Hat, Inc.
-# All rights reserved.
-# --- END COPYRIGHT BLOCK ---
-#
-
-#
-# NOTICE: This "apachectl" script has been modified to support the
-# Token Processing System (TPS).
-#
-
-# Initialize environment variables
-LD_LIBRARY_PATH=[SYSTEM_USER_LIBRARIES]:[SYSTEM_LIBRARIES]:${LD_LIBRARY_PATH}
-LD_LIBRARY_PATH=[SECURITY_LIBRARIES]:${LD_LIBRARY_PATH}
-export LD_LIBRARY_PATH
-
-# see if httpd is linked with the openldap libraries - we need to override them
-OS=`uname -s`
-if [ $OS = "Linux" ]; then
- hasopenldap=0
-
- /usr/bin/ldd $httpd 2>&1 | grep libldap- > /dev/null 2>&1 && hasopenldap=1
-
- if [ $hasopenldap -eq 1 ] ; then
- LD_PRELOAD="[SYSTEM_USER_LIBRARIES]/libldap50.so"
- LD_PRELOAD="[SYSTEM_USER_LIBRARIES]/libssl3.so ${LD_PRELOAD}"
- export LD_PRELOAD
- fi
-fi
-
-#
-# Apache control script designed to allow an easy command line interface
-# to controlling Apache. Written by Marc Slemko, 1997/08/23
-#
-# The exit codes returned are:
-# XXX this doc is no longer correct now that the interesting
-# XXX functions are handled by [INSTANCE_ID]
-# 0 - operation completed successfully
-# 1 -
-# 2 - usage error
-# 3 - [INSTANCE_ID] could not be started
-# 4 - [INSTANCE_ID] could not be stopped
-# 5 - [INSTANCE_ID] could not be started during a restart
-# 6 - [INSTANCE_ID] could not be restarted during a restart
-# 7 - [INSTANCE_ID] could not be restarted during a graceful restart
-# 8 - configuration syntax error
-#
-# When multiple arguments are given, only the error from the _last_
-# one is reported. Run "apachectl help" for usage info
-#
-ARGV="$@"
-#
-# |||||||||||||||||||| START CONFIGURATION SECTION ||||||||||||||||||||
-# -------------------- --------------------
-#
-
-#
-# a command that outputs a formatted text version of the HTML at the
-# url given on the command line. Designed for lynx, however other
-# programs may work.
-if [ -x /usr/bin/links ]; then
- LYNX="links -dump"
-elif [ -x /usr/bin/lynx ]; then
- LYNX="lynx -dump"
-else
- LYNX="none"
-fi
-
-#
-# the URL to your server's mod_status status page. If you do not
-# have one, then status and fullstatus will not work.
-STATUSURL="http://localhost:80/server-status"
-#
-# Set this variable to a command that increases the maximum
-# number of file descriptors allowed per child process. This is
-# critical for configurations that use many file descriptors,
-# such as mass vhosting, or a multithreaded server.
-ULIMIT_MAX_FILES="ulimit -S -n `ulimit -H -n`"
-
-########################################################################
-# This section contains modified content of "/etc/sysconfig/httpd" #
-########################################################################
-# Configuration file for the [INSTANCE_ID] service.
-
-#
-# The default processing model (MPM) is the process-based
-# 'prefork' model. A thread-based model, 'worker', is also
-# available, but does not work with some modules (such as PHP).
-# The service must be stopped before changing this variable.
-#
-HTTPD=[FORTITUDE_DIR]/sbin/httpd.worker
-
-#
-# To pass additional options (for instance, -D definitions) to the
-# httpd binary at startup, set OPTIONS here.
-#
-OPTIONS="-f [HTTPD_CONF]"
-
-#
-# By default, the httpd process is started in the C locale; to
-# change the locale in which the server runs, the HTTPD_LANG
-# variable can be set.
-#
-HTTPD_LANG=C
-########################################################################
-# #
-########################################################################
-
-# Set the maximum number of file descriptors allowed per child process.
-if [ "x$ULIMIT_MAX_FILES" != "x" ] ; then
- $ULIMIT_MAX_FILES
-fi
-
-ERROR=0
-if [ "x$ARGV" = "x" ] ; then
- ARGV="-h"
-fi
-
-function checklynx() {
-if [ "$LYNX" = "none" ]; then
- echo "The 'links' package is required for this functionality."
- exit 8
-fi
-}
-
-function testconfig() {
-# [INSTANCE_ID] is denied terminal access in SELinux, so run in the
-# current context to get stdout from $HTTPD -t.
-if test -x /usr/sbin/selinuxenabled && /usr/sbin/selinuxenabled; then
- runcon -- `id -Z` $HTTPD $OPTIONS -t
-else
- $HTTPD $OPTIONS -t
-fi
-ERROR=$?
-}
-
-case $ARGV in
-restart|graceful)
- if $HTTPD -t >&/dev/null; then
- $HTTPD $OPTIONS -k $ARGV
- ERROR=$?
- else
- echo "apachectl: Configuration syntax error, will not run \"$ARGV\":"
- testconfig
- fi
- ;;
-start|stop)
- $HTTPD $OPTIONS -k $ARGV
- ERROR=$?
- ;;
-startssl|sslstart|start-SSL)
- $HTTPD $OPTIONS -DSSL -k start
- ERROR=$?
- ;;
-configtest)
- testconfig
- ;;
-status)
- checklynx
- $LYNX $STATUSURL | awk ' /process$/ { print; exit } { print } '
- ;;
-fullstatus)
- checklynx
- $LYNX $STATUSURL
- ;;
-*)
- $HTTPD $OPTIONS $ARGV
- ERROR=$?
-esac
-
-exit $ERROR
-
diff --git a/pki/base/tps/apache/conf/httpd.conf b/pki/base/tps/apache/conf/httpd.conf
index 5ad748f55..878a4e655 100644
--- a/pki/base/tps/apache/conf/httpd.conf
+++ b/pki/base/tps/apache/conf/httpd.conf
@@ -78,7 +78,7 @@ ServerRoot "[SERVER_ROOT]"
# identification number when it starts.
#
<IfModule !mpm_netware.c>
-PidFile run/[INSTANCE_ID].pid
+PidFile run/[PKI_INSTANCE_ID].pid
</IfModule>
#
@@ -268,7 +268,7 @@ LoadModule tokendb_module [FORTITUDE_MODULE]/mod_tokendb.so
</Location>
#
-# Load config files from the config directory "/etc/[INSTANCE_ID]/conf.d".
+# Load config files from the config directory "/etc/[PKI_INSTANCE_ID]/conf.d".
#
#Include conf.d/*.conf
Include [SERVER_ROOT]/conf/perl.conf
@@ -295,10 +295,10 @@ Include [SERVER_ROOT]/conf/perl.conf
<IfModule !mpm_winnt.c>
<IfModule !mpm_netware.c>
#
-# If you wish [INSTANCE_ID] to run as a different user or group, you must run
-# [INSTANCE_ID] as root initially and it will switch.
+# If you wish [PKI_INSTANCE_ID] to run as a different user or group, you must run
+# [PKI_INSTANCE_ID] as root initially and it will switch.
#
-# User/Group: The name (or #number) of the user/group to run [INSTANCE_ID] as.
+# User/Group: The name (or #number) of the user/group to run [PKI_INSTANCE_ID] as.
# . On SCO (ODT 3) use "User nouser" and "Group nogroup".
# . On HPUX you may not be able to use shared memory as nobody, and the
# suggested workaround is to create a user www and use that user.
@@ -306,8 +306,8 @@ Include [SERVER_ROOT]/conf/perl.conf
# when the value of (unsigned)Group is above 60000;
# don't use Group #-1 on these systems!
#
-User [USERID]
-Group [GROUPID]
+User [PKI_USER]
+Group [PKI_GROUP]
#Group #-1
</IfModule>
</IfModule>
diff --git a/pki/base/tps/apache/conf/nss.conf b/pki/base/tps/apache/conf/nss.conf
index 70c64116f..2e0b0ecae 100644
--- a/pki/base/tps/apache/conf/nss.conf
+++ b/pki/base/tps/apache/conf/nss.conf
@@ -101,7 +101,7 @@ NSSProtocol SSLv3,TLSv1
# SSL Certificate Nickname:
# The nickname of the server certificate you are going to use.
-NSSNickname "Server-Cert cert-[INSTANCE_ID]"
+NSSNickname "Server-Cert cert-[PKI_INSTANCE_ID]"
# Server Certificate Database:
# The NSS security database directory that holds the certificates and
@@ -196,7 +196,7 @@ NSSProtocol SSLv3,TLSv1
# SSL Certificate Nickname:
# The nickname of the server certificate you are going to use.
-NSSNickname "Server-Cert cert-[INSTANCE_ID]"
+NSSNickname "Server-Cert cert-[PKI_INSTANCE_ID]"
# Server Certificate Database:
# The NSS security database directory that holds the certificates and
diff --git a/pki/base/tps/build.xml b/pki/base/tps/build.xml
index ebfbeb225..603560b2c 100644
--- a/pki/base/tps/build.xml
+++ b/pki/base/tps/build.xml
@@ -184,7 +184,12 @@
<include name="lib/**"/>
<include name="samples/**"/>
<include name="scripts/**"/>
- <include name="setup/config.desktop"/>
+ </zipfileset>
+ <zipfileset dir="./setup"
+ filemode="644"
+ prefix="usr/share/${product.prefix}/${product}/setup">
+ <include name="config.desktop"/>
+ <include name="registry_instance"/>
</zipfileset>
<zipfileset dir="."
filemode="755"
@@ -230,7 +235,12 @@
<include name="lib/**"/>
<include name="samples/**"/>
<include name="scripts/**"/>
- <include name="setup/config.desktop"/>
+ </tarfileset>
+ <tarfileset dir="./setup"
+ mode="644"
+ prefix="usr/share/${product.prefix}/${product}/setup">
+ <include name="config.desktop"/>
+ <include name="registry_instance"/>
</tarfileset>
<tarfileset dir="."
mode="755"
diff --git a/pki/base/tps/doc/CS.cfg b/pki/base/tps/doc/CS.cfg
index 5e5c7e30c..32a88010d 100644
--- a/pki/base/tps/doc/CS.cfg
+++ b/pki/base/tps/doc/CS.cfg
@@ -18,15 +18,15 @@
# All rights reserved.
# --- END COPYRIGHT BLOCK ---
#
-pkicreate.pki_instance_root=[INSTANCE_ROOT]
-pkicreate.pki_instance_name=[INSTANCE_ID]
-pkicreate.subsystem_type=[SUBSYSTEM_TYPE]
+pkicreate.pki_instance_root=[PKI_INSTANCE_ROOT]
+pkicreate.pki_instance_name=[PKI_INSTANCE_ID]
+pkicreate.subsystem_type=[PKI_SUBSYSTEM_TYPE]
pkicreate.secure_port=[SECURE_PORT]
pkicreate.non_clientauth_secure_port=[NON_CLIENTAUTH_SECURE_PORT]
pkicreate.unsecure_port=[PORT]
-pkicreate.user=[USERID]
-pkicreate.group=[GROUPID]
-pkiremove.cert.subsystem.nickname=subsystemCert cert-[INSTANCE_ID]
+pkicreate.user=[PKI_USER]
+pkicreate.group=[PKI_GROUP]
+pkiremove.cert.subsystem.nickname=subsystemCert cert-[PKI_INSTANCE_ID]
cs.type=TPS
selftests._000=##
selftests._001=## Self Tests
@@ -47,7 +47,7 @@ service.instanceDir=[SERVER_ROOT]
service.securePort=[SECURE_PORT]
service.non_clientauth_securePort=[NON_CLIENTAUTH_SECURE_PORT]
service.unsecurePort=[PORT]
-service.instanceID=[INSTANCE_ID]
+service.instanceID=[PKI_INSTANCE_ID]
logging._000=#########################################
logging._001=# RA configuration File
logging._002=#
@@ -111,7 +111,7 @@ logging.audit.filename=[SERVER_ROOT]/logs/tps-audit.log
logging.audit.signedAuditFilename=[SERVER_ROOT]/logs/signedAudit/tps_audit
logging.audit.level=10
logging.audit.logSigning=false
-logging.audit.signedAuditCertNickname=auditSigningCert cert-[INSTANCE_ID]
+logging.audit.signedAuditCertNickname=auditSigningCert cert-[PKI_INSTANCE_ID]
logging.audit.selected.events=AUTHZ_SUCCESS,AUTHZ_FAIL,AUTH_FAIL,AUTH_SUCCESS,ROLE_ASSUME,ENROLLMENT,PIN_RESET,FORMAT,CONFIG,CONFIG_ROLE,CONFIG_TOKEN,CONFIG_PROFILE,CONFIG_AUDIT,APPLET_UPGRADE,KEY_CHANGEOVER,RENEWAL
logging.audit.selectable.events=AUTHZ_SUCCESS,AUTHZ_FAIL,AUTH_FAIL,AUTH_SUCCESS,ROLE_ASSUME,ENROLLMENT,PIN_RESET,FORMAT,CONFIG,CONFIG_ROLE,CONFIG_TOKEN,CONFIG_PROFILE,CONFIG_AUDIT,APPLET_UPGRADE,KEY_CHANGEOVER,RENEWAL
logging.audit.nonselectable.events=AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,LOGGING_SIGNED_AUDIT_SIGNING
@@ -371,33 +371,33 @@ preop.cert.sslserver.enable=true
preop.cert.subsystem.enable=true
preop.cert.audit_signing.enable=false
preop.cert.sslserver.defaultSigningAlgorithm=SHA1withRSA
-preop.cert.sslserver.dn=CN=[SERVER_NAME], OU=[INSTANCE_ID]
+preop.cert.sslserver.dn=CN=[SERVER_NAME], OU=[PKI_INSTANCE_ID]
preop.cert.sslserver.keysize.customsize=2048
preop.cert.sslserver.keysize.size=2048
preop.cert.sslserver.keysize.select=custom
-preop.cert.sslserver.nickname=Server-Cert cert-[INSTANCE_ID]
+preop.cert.sslserver.nickname=Server-Cert cert-[PKI_INSTANCE_ID]
preop.cert.sslserver.profile=caInternalAuthServerCert
preop.cert.sslserver.subsystem=tps
preop.cert._003=#preop.cert.sslserver.type=local
preop.cert.sslserver.userfriendlyname=SSL Server Certificate
preop.cert._004=#preop.cert.sslserver.cncomponent.override=false
preop.cert.subsystem.defaultSigningAlgorithm=SHA1withRSA
-preop.cert.subsystem.dn=CN=TPS Subsystem Certificate, OU=[INSTANCE_ID]
+preop.cert.subsystem.dn=CN=TPS Subsystem Certificate, OU=[PKI_INSTANCE_ID]
preop.cert.subsystem.keysize.customsize=2048
preop.cert.subsystem.keysize.size=2048
preop.cert.subsystem.keysize.select=custom
-preop.cert.subsystem.nickname=subsystemCert cert-[INSTANCE_ID]
+preop.cert.subsystem.nickname=subsystemCert cert-[PKI_INSTANCE_ID]
preop.cert.subsystem.profile=caInternalAuthSubsystemCert
preop.cert.subsystem.subsystem=tps
preop.cert._005=#preop.cert.subsystem.type=local
preop.cert.subsystem.userfriendlyname=Subsystem Certificate
preop.cert._006=#preop.cert.subsystem.cncomponent.override=true
preop.cert.audit_signing.defaultSigningAlgorithm=SHA1withRSA
-preop.cert.audit_signing.dn=CN=TPS Audit Signing Certificate, OU=[INSTANCE_ID]
+preop.cert.audit_signing.dn=CN=TPS Audit Signing Certificate, OU=[PKI_INSTANCE_ID]
preop.cert.audit_signing.keysize.customsize=2048
preop.cert.audit_signing.keysize.size=2048
preop.cert.audit_signing.keysize.select=custom
-preop.cert.audit_signing.nickname=auditSigningCert cert-[INSTANCE_ID]
+preop.cert.audit_signing.nickname=auditSigningCert cert-[PKI_INSTANCE_ID]
preop.cert.audit_signing.profile=caInternalAuthAuditSigningCert
preop.cert.audit_signing.subsystem=tps
preop.cert._005=#preop.cert.audit_signing.type=local
diff --git a/pki/base/tps/etc/init.d/pki-tpsd b/pki/base/tps/etc/init.d/pki-tpsd
index ff542a7f2..0631954c2 100755
--- a/pki/base/tps/etc/init.d/pki-tpsd
+++ b/pki/base/tps/etc/init.d/pki-tpsd
@@ -1,1439 +1,83 @@
#!/bin/bash
#
# --- BEGIN COPYRIGHT BLOCK ---
-# This library is free software; you can redistribute it and/or
-# modify it under the terms of the GNU Lesser General Public
-# License as published by the Free Software Foundation;
-# version 2.1 of the License.
-#
-# This library is distributed in the hope that it will be useful,
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; version 2 of the License.
+#
+# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
-# Lesser General Public License for more details.
-#
-# You should have received a copy of the GNU Lesser General Public
-# License along with this library; if not, write to the Free Software
-# Foundation, Inc., 51 Franklin Street, Fifth Floor,
-# Boston, MA 02110-1301 USA
-#
-# Copyright (C) 2007 Red Hat, Inc.
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License along
+# with this program; if not, write to the Free Software Foundation, Inc.,
+# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# Copyright (C) 2007-2010 Red Hat, Inc.
# All rights reserved.
# --- END COPYRIGHT BLOCK ---
#
-#
# pki-tpsd Startup script for the Apache HTTP pki-tps Server
#
# chkconfig: - 87 13
-# description: Token Processing System \
-# (Apache 2.2)
+# description: Token Processing System (Apache)
# processname: pki-tpsd
# piddir: /var/run/pki/tps
# config: ${PKI_SERVER_ROOT}/conf/httpd.conf
-PKI_INIT_SCRIPT=""
+PROG_NAME=`basename $0`
+SERVICE_NAME="pki-tpsd"
+SERVICE_PROG="/sbin/service"
PKI_PATH="/usr/share/pki/tps"
-PKI_PIDDIR="/var/run/pki/tps"
-PKI_PROCESS="pki-tpsd"
PKI_REGISTRY="/etc/sysconfig/pki/tps"
-PKI_SELINUX_TYPE="pki_tps_t"
PKI_TYPE="pki-tps"
-
-# PKI subsystem-level directory and file values for locks
-lockfile="/var/lock/subsys/pki-tpsd"
+PKI_TOTAL_PORTS=3
# Disallow 'others' the ability to 'write' to new files
umask 00002
-default_error=0
command="$1"
pki_instance="$2"
-case "${command}" in
- start|stop|restart|condrestart|force-restart|try-restart)
- # * 1 generic or unspecified error (current practice)
- default_error=1
- ;;
- reload)
- default_error=3
- ;;
- status)
- # * 4 program or service status is unknown
- default_error=4
- ;;
- *)
- # * 2 invalid argument(s)
- default_error=2
- ;;
-esac
-
-# Check to insure that this script's original invocation directory
-# has not been deleted!
-CWD=`/bin/pwd > /dev/null 2>&1`
-if [ $? -ne 0 ] ; then
- echo "Cannot invoke '$0' from non-existent directory!"
- exit ${default_error}
-fi
-
-# Check to insure that this script's associated PKI
-# subsystem currently resides on this system.
-if [ ! -d ${PKI_PATH} ] ; then
- echo "This machine is missing the '${PKI_TYPE}' subsystem!"
- if [ "${command}" != "status" ]; then
- # * 5 program is not installed
- exit 5
- else
- exit ${default_error}
- fi
-fi
-
-# Check to insure that this script's associated PKI
-# subsystem instance registry currently resides on this system.
-if [ ! -d ${PKI_REGISTRY} ] ; then
- echo "This machine contains no registered '${PKI_TYPE}' subsystem instances!"
- if [ "${command}" != "status" ]; then
- # * 5 program is not installed
- exit 5
- else
- exit ${default_error}
- fi
-fi
-
-# Obtain the operating system upon which this script is being executed
-# and initialize environment variables
-OS=`uname -s`
-ARCHITECTURE=""
-LD_LIBRARY_PATH=""
-
-# Time to wait in seconds, before killing process
-#
-# NOTE: Defined in "tomcat5.conf" for PKI Java/Tomcat Subsystems.
-#
-STARTUP_WAIT=30
-SHUTDOWN_WAIT=30
-
-# This script must be run as root!
-RV=0
-if [ ${OS} = "Linux" ] ; then
- PKI_INIT_SCRIPT="/sbin/service ${PKI_PROCESS}"
- if [ `id -u` -ne 0 ] ; then
- echo "Must be 'root' to execute '$0'!"
- if [ "${command}" != "status" ]; then
- # * 4 user had insufficient privilege
- exit 4
- else
- # * 4 program or service status is unknown
- exit 4
- fi
- fi
- ARCHITECTURE=`uname -i`
- if [ ${ARCHITECTURE} = "i386" ] ; then
- LD_LIBRARY_PATH="/usr/lib:/lib:${LD_LIBRARY_PATH}"
- elif [ ${ARCHITECTURE} = "x86_64" ] ; then
- LD_LIBRARY_PATH="/usr/lib64:/lib64:${LD_LIBRARY_PATH}"
- else
- echo "Unsupported architecture '${ARCHITECTURE}'!"
- exit ${default_error}
- fi
-elif [ ${OS} = "SunOS" ] ; then
- PKI_INIT_SCRIPT="/etc/init.d/${PKI_PROCESS}"
- if [ `/usr/xpg4/bin/id -u` -ne 0 ] ; then
- echo "Must be 'root' to execute '$0'!"
- if [ "${command}" != "status" ]; then
- # * 4 user had insufficient privilege
- exit 4
- else
- # * 4 program or service status is unknown
- exit 4
- fi
- fi
- ARCHITECTURE=`uname -p`
- if [ "${ARCHITECTURE}" = "sparc" ] &&
- [ -d "/usr/lib/sparcv9/" ] ; then
- ARCHITECTURE="sparcv9"
- fi
- if [ ${ARCHITECTURE} = "sparcv9" ] ; then
- LD_LIBRARY_PATH="/usr/lib/sparcv9:/lib/sparcv9:${LD_LIBRARY_PATH}"
- LD_LIBRARY_PATH="/usr/lib/sparcv9/dirsec:${LD_LIBRARY_PATH}"
- else
- echo "Unsupported architecture '${ARCHITECTURE}'!"
- exit ${default_error}
- fi
-else
- echo "Unsupported OS '${OS}'!"
- exit ${default_error}
-fi
-export LD_LIBRARY_PATH
# Source function library.
-if [ -f /etc/init.d/functions ]; then
- . /etc/init.d/functions
-else
- # The checkpid() function is provided for platforms that do not
- # contain the "/etc/init.d/functions" file (e. g. - Solaris) . . .
-
- # Check if ${pid} (could be plural) are running (keep count)
- checkpid()
- {
- rv=0
- for i in $* ; do
- ps -p $i > /dev/null 2>&1 ;
- if [ $? -ne 0 ] ; then
- rv=`expr $rv + 1`
- else
- rv=`expr $rv + 0`
- fi
- done
- # echo "rv=$rv"
- return $rv
- }
-
- # Create the following directories on platforms
- # where they do not exist (e. g. - Solaris) . . .
- if [ ! -d "/var/lock" ] ; then
- mkdir -p /var/lock
- chown root:sys /var/lock
- chmod 00755 /var/lock
- fi
- if [ ! -d "/var/lock/subsys" ] ; then
- mkdir -p /var/lock/subsys
- chown root:root /var/lock/subsys
- chmod 00755 /var/lock/subsys
- fi
-fi
-
-PKI_REGISTRY_ENTRIES=""
-TOTAL_PKI_REGISTRY_ENTRIES=0
-TOTAL_UNCONFIGURED_PKI_ENTRIES=0
-
-# Gather ALL registered instances of this PKI subsystem type
-for FILE in `/bin/ls -1 ${PKI_REGISTRY}/* 2>/dev/null`; do
- if [ -f "$FILE" ] ; then
- inst=`echo "$FILE"`
- PKI_REGISTRY_ENTRIES="${PKI_REGISTRY_ENTRIES} $inst"
- TOTAL_PKI_REGISTRY_ENTRIES=`expr ${TOTAL_PKI_REGISTRY_ENTRIES} + 1`
- fi
-done
-
-if [ -n "${pki_instance}" ]; then
- for I in ${PKI_REGISTRY_ENTRIES}; do
- if [ "${PKI_REGISTRY}/${pki_instance}" = "$I" ]; then
- PKI_REGISTRY_ENTRIES="${PKI_REGISTRY}/${pki_instance}"
- TOTAL_PKI_REGISTRY_ENTRIES=1
- break
- fi
- done
-fi
-
-usage()
-{
- echo -n "Usage: ${PKI_INIT_SCRIPT} "
- echo -n "{start"
- echo -n "|stop"
- echo -n "|restart"
- echo -n "|condrestart"
- echo -n "|force-restart"
- echo -n "|try-restart"
- echo -n "|reload"
- echo -n "|status} "
- echo -n "[instance-name]"
- echo
- echo
-}
-
-list_instances()
-{
- echo
- for FILE in `/bin/ls -1 ${PKI_REGISTRY}/* 2>/dev/null`; do
- echo " ${FILE}"
- done
- echo
-}
-
-# Check arguments
-if [ $# -lt 1 ] ; then
- # * 3 unimplemented feature (for example, "reload")
- # [insufficient arguments]
- echo "$0: Insufficient arguments!"
- echo
- usage
- echo "where valid instance names include:"
- list_instances
- exit 3
-elif [ ${default_error} -eq 2 ] ; then
- # * 2 invalid argument
- echo "$0: Invalid arguments!"
- echo
- usage
- echo "where valid instance names include:"
- list_instances
- exit 2
-elif [ $# -gt 2 ] ; then
- echo "$0: Excess arguments!"
- echo
- usage
- echo "where valid instance names include:"
- list_instances
- if [ "${command}" != "status" ]; then
- # * 2 excess arguments
- exit 2
- else
- # * 4 program or service status is unknown
- exit 4
- fi
-fi
-
-# If an "instance" was supplied, check that it is a "valid" instance
-if [ -n "${pki_instance}" ]; then
- if [ "${PKI_REGISTRY}/${pki_instance}" != "${PKI_REGISTRY_ENTRIES}" ]; then
- echo -n "${pki_instance} is an invalid '${PKI_TYPE}' instance"
- echo_failure
- echo
- if [ "${command}" != "status" ]; then
- # * 5 program is not installed
- exit 5
- else
- # * 4 program or service status is unknown
- exit 4
- fi
- fi
-fi
-
-# On Solaris /var/run is in tmpfs and gets wiped out upon reboot
-# we have to recreate the ${PKI_PIDDIR} directory and make sure that
-# the directory is writable by the ${PKI_TYPE} server process.
-#
-# IMPORTANT: ALL PKI subsystems installed on this machine MUST utilize
-# the SAME values for ${PKI_GROUP} and ${PKI_USER}, since the
-# "${PKI_PIDDIR}" will end up with the ownership permissions
-# of the first instance that executes this function!
-#
-fix_pid_dir_ownership()
-{
- if [ ! -d ${PKI_PIDDIR} ] ; then
- mkdir -p ${PKI_PIDDIR}
-
- chown root:root /var/run/pki
- chmod 00755 /var/run/pki
-
- chown root:root ${PKI_PIDDIR}
- chmod 00755 ${PKI_PIDDIR}
- fi
-}
-
-check_pki_configuration_status()
-{
- rv=0
-
- rv=`grep -c ^preop ${pki_instance_configuration_file}`
-
- rv=`expr ${rv} + 0`
-
- if [ ${rv} -ne 0 ] ; then
- echo " '${PKI_INSTANCE_ID}' must still be CONFIGURED!"
- echo " (see /var/log/${PKI_INSTANCE_ID}-install.log)"
- if [ "${command}" != "status" ]; then
- # * 6 program is not configured
- rv=6
- else
- # * 4 program or service status is unknown
- rv=4
- fi
- TOTAL_UNCONFIGURED_PKI_ENTRIES=`expr ${TOTAL_UNCONFIGURED_PKI_ENTRIES} + 1`
- elif [ -f ${RESTART_SERVER} ] ; then
- echo -n " Although '${PKI_INSTANCE_ID}' has been CONFIGURED, "
- echo -n "it must still be RESTARTED!"
- echo
- if [ "${command}" != "status" ]; then
- # * 1 generic or unspecified error (current practice)
- rv=1
- else
- # * 4 program or service status is unknown
- rv=4
- fi
- fi
-
- return ${rv}
-}
-
-get_pki_status_definitions()
-{
- # establish well-known strings
- listen_statement="Listen"
- total_ports=0
- UNSECURE_PORT=""
- CLIENTAUTH_PORT=""
- NON_CLIENTAUTH_PORT=""
-
- # check to see that an instance-specific "httpd.conf" file exists
- if [ ! -f ${PKI_HTTPD_CONF} ] ; then
- echo "File '${PKI_HTTPD_CONF}' does not exist!"
- exit ${default_error}
- fi
-
- # check to see that an instance-specific "nss.conf" file exists
- if [ ! -f ${PKI_NSS_CONF} ] ; then
- echo "File '${PKI_NSS_CONF}' does not exist!"
- exit ${default_error}
- fi
-
- # read this instance-specific "httpd.conf" file line-by-line
- # to obtain the current value of the PKI unsecure port
-
- exec < ${PKI_HTTPD_CONF}
- while read line; do
- # look for the listen statement
- head=`echo $line | cut -b1-6`
- if [ "$head" == "$listen_statement" ] ; then
- # once the 'unsecure' listen statement has been found,
- # extract the numeric port information
- port=`echo $line | cut -b8-`
- UNSECURE_PORT=$port
- echo " Unsecure Port = http://${PKI_SERVER_NAME}:${UNSECURE_PORT}/cgi-bin/so/enroll.cgi"
- echo " (ESC Security Officer Enrollment)"
- echo " Unsecure Port = http://${PKI_SERVER_NAME}:${UNSECURE_PORT}/cgi-bin/home/index.cgi"
- echo " (ESC Phone Home)"
- total_ports=`expr ${total_ports} + 1`
- break;
- fi
- done
-
- # read this instance-specific "nss.conf" file line-by-line
- # to obtain the current value of the "clientauth" PKI secure port
- # AND the current value of the "non-clientauth" PKI secure port
-
- exec < ${PKI_NSS_CONF}
- while read line; do
- # look for the listen statement
- head=`echo $line | cut -b1-6`
- if [ "$head" == "$listen_statement" ] &&
- [ ${total_ports} -eq 2 ] ; then
- # once the 'non-clientauth' listen statement has been found,
- # extract the numeric port information
- non_clientauth_port=`echo $line | cut -b8-`
- NON_CLIENTAUTH_PORT=$non_clientauth_port
- echo " Secure Non-Clientauth Port = https://${PKI_SERVER_NAME}:${NON_CLIENTAUTH_PORT}/cgi-bin/so/enroll.cgi"
- echo " (ESC Security Officer Enrollment)"
- echo " Secure Non-Clientauth Port = https://${PKI_SERVER_NAME}:${NON_CLIENTAUTH_PORT}/cgi-bin/home/index.cgi"
- echo " (ESC Phone Home)"
- total_ports=`expr ${total_ports} + 1`
- break
- fi
- if [ "$head" == "$listen_statement" ] &&
- [ ${total_ports} -eq 1 ] ; then
- # once the 'clientauth' listen statement has been found,
- # extract the numeric port information
- clientauth_port=`echo $line | cut -b8-`
- CLIENTAUTH_PORT=$clientauth_port
- echo " Secure Clientauth Port = https://${PKI_SERVER_NAME}:${CLIENTAUTH_PORT}/cgi-bin/sow/welcome.cgi"
- echo " (ESC Security Officer Workstation)"
- echo " Secure Clientauth Port = https://${PKI_SERVER_NAME}:${CLIENTAUTH_PORT}/tus"
- echo " (TPS Roles - Operator/Administrator/Agent)"
- total_ports=`expr ${total_ports} + 1`
- fi
- done
-
- if [ ${total_ports} -eq 3 ] ; then
- return 0
- else
- return ${default_error}
- fi
-}
-
-get_pki_configuration_definitions()
-{
- # Obtain the PKI Subsystem Type
- line=`grep ^cs.type= ${pki_instance_configuration_file}`
- pki_subsystem=`echo "${line}" | cut -b9-`
- if [ "${line}" != "" ] ; then
- if [ "${pki_subsystem}" != "CA" ] &&
- [ "${pki_subsystem}" != "KRA" ] &&
- [ "${pki_subsystem}" != "OCSP" ] &&
- [ "${pki_subsystem}" != "TKS" ] &&
- [ "${pki_subsystem}" != "RA" ] &&
- [ "${pki_subsystem}" != "TPS" ]
- then
- return ${default_error}
- fi
- if [ "${pki_subsystem}" == "KRA" ] ; then
- # Rename "KRA" to "DRM"
- pki_subsystem="DRM"
- fi
- else
- return ${default_error}
- fi
-
- # If "${pki_subsystem}" is a CA, DRM, OCSP, or TKS,
- # check to see if "${pki_subsystem}" is a "Clone"
- pki_clone=""
- if [ "${pki_subsystem}" == "CA" ] ||
- [ "${pki_subsystem}" == "DRM" ] ||
- [ "${pki_subsystem}" == "OCSP" ] ||
- [ "${pki_subsystem}" == "TKS" ]
- then
- line=`grep ^subsystem.select= ${pki_instance_configuration_file}`
- if [ "${line}" != "" ] ; then
- pki_clone=`echo "${line}" | cut -b18-`
- if [ "${pki_clone}" != "Clone" ] ; then
- # Reset "${pki_clone}" to be empty
- pki_clone=""
- fi
- else
- return ${default_error}
- fi
- fi
-
- # If "${pki_subsystem}" is a CA, and is NOT a "Clone", check to
- # see "${pki_subsystem}" is a "Root" or a "Subordinate" CA
- pki_hierarchy=""
- if [ "${pki_subsystem}" == "CA" ] &&
- [ "${pki_clone}" != "Clone" ]
- then
- line=`grep ^hierarchy.select= ${pki_instance_configuration_file}`
- if [ "${line}" != "" ] ; then
- pki_hierarchy=`echo "${line}" | cut -b18-`
- else
- return ${default_error}
- fi
- fi
-
- # If ${pki_subsystem} is a CA, check to
- # see if it is also a Security Domain
- pki_security_domain=""
- if [ "${pki_subsystem}" == "CA" ] ; then
- line=`grep ^securitydomain.select= ${pki_instance_configuration_file}`
- if [ "${line}" != "" ] ; then
- pki_security_domain=`echo "${line}" | cut -b23-`
- if [ "${pki_security_domain}" == "new" ] ; then
- # Set a fixed value for "${pki_security_domain}"
- pki_security_domain="(Security Domain)"
- else
- # Reset "${pki_security_domain}" to be empty
- pki_security_domain=""
- fi
- else
- return ${default_error}
- fi
- fi
-
- # Always obtain this PKI instance's "registered"
- # security domain information
- pki_security_domain_name=""
- pki_security_domain_hostname=""
- pki_security_domain_https_admin_port=""
-
- line=`grep ^securitydomain.name= ${pki_instance_configuration_file}`
- if [ "${line}" != "" ] ; then
- pki_security_domain_name=`echo "${line}" | cut -b21-`
- else
- return ${default_error}
- fi
-
- line=`grep ^securitydomain.host= ${pki_instance_configuration_file}`
- if [ "${line}" != "" ] ; then
- pki_security_domain_hostname=`echo "${line}" | cut -b21-`
- else
- return ${default_error}
- fi
-
- line=`grep ^securitydomain.httpsadminport= ${pki_instance_configuration_file}`
- if [ "${line}" != "" ] ; then
- pki_security_domain_https_admin_port=`echo "${line}" | cut -b31-`
- else
- return ${default_error}
- fi
-
- # Compose the "PKI Instance Name" Status Line
- pki_instance_name="PKI Instance Name: ${PKI_INSTANCE_ID}"
-
- # Compose the "PKI Subsystem Type" Status Line
- header="PKI Subsystem Type: "
- if [ "${pki_clone}" != "" ] ; then
- if [ "${pki_security_domain}" != "" ]; then
- # Possible Values:
- #
- # "CA Clone (Security Domain)"
- #
- data="${pki_subsystem} ${pki_clone} ${pki_security_domain}"
- else
- # Possible Values:
- #
- # "CA Clone"
- # "DRM Clone"
- # "OCSP Clone"
- # "TKS Clone"
- #
- data="${pki_subsystem} ${pki_clone}"
- fi
- elif [ "${pki_hierarchy}" != "" ] ; then
- if [ "${pki_security_domain}" != "" ]; then
- # Possible Values:
- #
- # "Root CA (Security Domain)"
- # "Subordinate CA (Security Domain)"
- #
- data="${pki_hierarchy} ${pki_subsystem} ${pki_security_domain}"
- else
- # Possible Values:
- #
- # "Root CA"
- # "Subordinate CA"
- #
- data="${pki_hierarchy} ${pki_subsystem}"
- fi
- else
- # Possible Values:
- #
- # "DRM"
- # "OCSP"
- # "RA"
- # "TKS"
- # "TPS"
- #
- data="${pki_subsystem}"
- fi
- pki_subsystem_type="${header} ${data}"
-
- # Compose the "Registered PKI Security Domain Information" Status Line
- header="Name: "
- registered_pki_security_domain_name="${header} ${pki_security_domain_name}"
-
- header="URL: "
- if [ "${pki_security_domain_hostname}" != "" ] &&
- [ "${pki_security_domain_https_admin_port}" != "" ]
- then
- data="https://${pki_security_domain_hostname}:${pki_security_domain_https_admin_port}"
- else
- return ${default_error}
- fi
- registered_pki_security_domain_url="${header} ${data}"
-
- # Print the "PKI Subsystem Type" Status Line
- echo
- echo " ${pki_instance_name}"
-
- # Print the "PKI Subsystem Type" Status Line
- echo
- echo " ${pki_subsystem_type}"
-
- # Print the "Registered PKI Security Domain Information" Status Line
- echo
- echo " Registered PKI Security Domain Information:"
- echo " =========================================================================="
- echo " ${registered_pki_security_domain_name}"
- echo " ${registered_pki_security_domain_url}"
- echo " =========================================================================="
-
- return 0
-}
-
-get_pki_secure_port()
-{
- # establish well-known strings
- listen_statement="Listen"
-
- # first check to see that an instance-specific "nss.conf" file exists
- if [ ! -f ${PKI_NSS_CONF} ] ; then
- echo "File '${PKI_NSS_CONF}' does not exist!"
- exit ${default_error}
- fi
-
- # read this instance-specific "nss.conf" file line-by-line
- # to obtain the current value of the "clientauth" PKI secure port
- exec < ${PKI_NSS_CONF}
- while read line; do
- # look for the listen statement
- head=`echo $line | cut -b1-6`
- if [ "$head" == "$listen_statement" ] ; then
- # once the 'clientauth' listen statement has been found,
- # extract the numeric port information
- port=`echo $line | cut -b8-`
- SECURE_PORT=$port
- return 0
- fi
- done
-
- return ${default_error}
-}
-
-display_instance_status()
-{
- rv=0
-
- if [ -f ${pidfile} ] ; then
- pid=`cat ${pidfile}`
- if [ "${pid}" == "" ] ; then
- echo "${PKI_INSTANCE_ID} pid file exists but is empty"
- if [ "${command}" != "status" ]; then
- # * 1 generic or unspecified error (current practice)
- rv=1
- else
- # * 4 program or service status is unknown
- rv=4
- fi
- elif kill -0 ${pid} > /dev/null 2>&1 ; then
- echo "${PKI_INSTANCE_ID} (pid ${pid}) is running ..."
- echo
- check_pki_configuration_status
- rv=$?
- if [ ${rv} -eq 0 ] ; then
- get_pki_status_definitions
- rv=$?
- if [ ${rv} -ne 0 ] ; then
- echo
- echo "${PKI_INSTANCE_ID} Status Definitions not found"
- else
- get_pki_configuration_definitions
- rv=$?
- if [ ${rv} -ne 0 ] ; then
- echo
- echo "${PKI_INSTANCE_ID} Configuration Definitions not found"
- fi
- fi
- else
- # From the PKI point of view for a "non-status" action,
- # a returned error code of "6" implies that the program
- # is not "configured". Similarly, an error code of "1"
- # implies that the program was "configured" but must
- # still be restarted.
- #
- # Similarly, from the PKI point of view for a "status"
- # action, a returned error code of "4" implies that either
- # the program is not "configured", or that the program
- # was "configured" but must still be restarted.
- #
- # Regardless, it must still be considered that the instance
- # is "running" from the viewpoint of other OS programs such
- # as 'chkconfig'.
- #
- # For this reason, when returning from
- # 'display_instance_status()', ignore non-zero return codes
- # returned from 'check_pki_configuration_status()'.
- #
- if [ "${command}" != "status" ]; then
- # * 0 action was successful
- rv=0
- else
- # * 0 program is running or service is OK
- rv=0
- fi
- fi
- echo
- else
- echo "${PKI_INSTANCE_ID} is dead but pid file exists"
- if [ "${command}" != "status" ]; then
- # * 1 generic or unspecified error (current practice)
- rv=1
- else
- # * 1 program is dead and /var/run pid file exists
- rv=1
- fi
- fi
- else
- echo "${PKI_INSTANCE_ID} is stopped"
- if [ "${command}" != "status" ]; then
- # * 7 program is not running
- rv=7
- else
- # * 3 program is not running
- rv=3
- fi
- fi
-
- return ${rv}
-}
-
-start_instance()
-{
- rv=0
-
- echo -n $"Starting ${prog}: "
-
- if [ -f ${RESTART_SERVER} ] ; then
- rm -f ${RESTART_SERVER}
- fi
-
- if [ -f ${PKI_LOCKFILE} ] ; then
- if [ -f ${pidfile} ]; then
- read kpid < ${pidfile}
- if checkpid $kpid 2>&1; then
- echo
- echo "${PKI_INSTANCE_ID} (pid ${kpid}) is already running ..."
- echo
- check_pki_configuration_status
- rv=$?
- if [ ${rv} != 0 ]; then
- # From the PKI point of view for a "non-status" action,
- # a returned error code of "6" implies that the program
- # is not "configured". Similarly, an error code of "1"
- # implies that the program was "configured" but must
- # still be restarted.
- #
- # Regardless, it must still be considered that the instance
- # is "running" from the viewpoint of other OS programs such
- # as 'chkconfig'.
- #
- # For "non-status" actions, ignore return codes of "1"
- # from 'check_pki_configuration_status()'.
- #
- # However, for "non-status" actions that have a return
- # code of "6", return this value unchanged to
- # the calling routine so that the total number of
- # configuration errors may be counted.
- #
-
- echo
- if [ ${rv} = 1 ] ; then
- # * 0 action was successful
- return 0
- elif [ ${rv} = 6 ] ; then
- # * 6 program is not configured
- return 6
- else
- # should never be reached
- return ${rv}
- fi
- else
- return 0
- fi
- else
- echo
- echo -n "lock file found but no process "
- echo -n "running for pid $kpid, continuing"
- echo
- echo
- rm -f ${PKI_LOCKFILE}
- fi
- fi
- fi
-
- fix_pid_dir_ownership
-
- touch ${pidfile}
- chown ${PKI_USER}:${PKI_GROUP} ${pidfile}
- chmod 00600 ${pidfile}
- [ -x /sbin/restorecon ] && /sbin/restorecon ${pidfile}
-
- # restore context for ncipher hsm
- [ -x /sbin/restorecon ] && [ -d /dev/nfast ] && /sbin/restorecon -R /dev/nfast
-
- if [ -f /etc/init.d/functions ]; then
- /usr/sbin/selinuxenabled
- rv=$?
- if [ ${rv} = 0 ] ; then
- if [ ${ARCHITECTURE} = "i386" ] ; then
- LANG=${PKI_HTTPD_LANG} daemon runcon -t ${PKI_SELINUX_TYPE} -- ${httpd} ${PKI_OPTIONS}
- # overwrite output from "daemon"
- echo -n $"Starting ${prog}: "
- elif [ ${ARCHITECTURE} = "x86_64" ] ; then
- # NOTE: "daemon" is incompatible with "httpd"
- # on 64-bit architectures
- LANG=${PKI_HTTPD_LANG} runcon -t ${PKI_SELINUX_TYPE} -- ${httpd} ${PKI_OPTIONS}
- fi
- else
- LANG=${PKI_HTTPD_LANG} daemon ${httpd} ${PKI_OPTIONS}
- # overwrite output from "daemon"
- echo -n $"Starting ${prog}: "
- fi
- else
- LANG=${PKI_HTTPD_LANG} ${httpd} ${PKI_OPTIONS} -k start
- fi
-
- rv=$?
- if [ ${rv} = 0 ] ; then
- touch ${PKI_LOCKFILE}
- chown ${PKI_USER}:${PKI_GROUP} ${PKI_LOCKFILE}
- chmod 00600 ${PKI_LOCKFILE}
- fi
-
- if [ ${rv} = 0 ] ; then
- count=0;
-
- let swait=$STARTUP_WAIT
- until [ -s ${pidfile} ] ||
- [ $count -gt $swait ]
- do
- echo -n "."
- sleep 1
- let count=$count+1;
- done
-
- if [ -f /etc/init.d/functions ]; then
- if [ "$CONSOLETYPE" = "serial" ]; then
- echo -n " "
- fi
- echo_success
- echo
- else
- echo " [ OK ]"
- fi
-
- get_pki_secure_port
- if [ $? -ne 0 ] ; then
- SECURE_PORT="<Port Undefined>"
- fi
-
- # Set permissions of log files
- pki_signedAudit="${pki_logs_directory}/signedAudit"
- for file in ${pki_logs_directory}/*; do
- if [ "${file}" != "${pki_signedAudit}" ]; then
- chown ${PKI_USER}:${PKI_GROUP} ${file}
- chmod 00640 ${file}
- fi
- done
-
- # Set permissions of signedAudit log files
- pki_signedAudit_files=`ls -1A ${pki_signedAudit} | wc -l`
- if [ ${pki_signedAudit_files} -gt 0 ]; then
- for file in ${pki_signedAudit}/*; do
- chown ${PKI_USER} ${file}
- chmod 00640 ${file}
- done
- fi
+. /etc/init.d/functions
- # ignore "status" return codes
- echo
- display_instance_status
- else
- if [ -f /etc/init.d/functions ]; then
- if [ "$CONSOLETYPE" = "serial" ]; then
- $0 echo -n " "
- fi
- echo_failure
- echo
- else
- echo " [ FAILED ]"
- fi
- fi
-
- if [ ${OS} = "Linux" ] ; then
- sleep 10
- elif [ ${OS} = "SunOS" ] ; then
- sleep 20
- fi
- return ${rv}
-}
-
-stop_instance()
-{
- rv=0
-
- echo -n "Stopping ${prog}: "
-
- if [ -f ${PKI_LOCKFILE} ] ; then
- ${httpd} ${PKI_OPTIONS} -k stop
-
- rv=$?
-
- if [ ${rv} = 0 ]; then
- count=0;
-
- if [ -f ${pidfile} ]; then
- read kpid < ${pidfile}
- let kwait=$SHUTDOWN_WAIT
-
- until [ `ps -p $kpid | grep -c $kpid` = '0' ] ||
- [ $count -gt $kwait ]
- do
- echo -n "."
- sleep 1
- let count=$count+1;
- done
-
- if [ $count -gt $kwait ]; then
- kill -9 $kpid
- fi
- fi
-
- rm -f ${PKI_LOCKFILE}
- rm -f ${pidfile}
-
- if [ -f /etc/init.d/functions ]; then
- if [ "$CONSOLETYPE" = "serial" ]; then
- echo -n " "
- fi
- echo_success
- echo
- else
- echo " [ OK ]"
- fi
- else
- if [ -f /etc/init.d/functions ]; then
- if [ "$CONSOLETYPE" = "serial" ]; then
- echo -n " "
- fi
- echo_failure
- echo
- else
- echo " [ FAILED ]"
- fi
- rv=${default_error}
- fi
- else
- echo
- echo "process already stopped"
- rv=0
- fi
-
- return ${rv}
-}
-
-reload_instance()
-{
- rv=0
-
- echo -n $"Reloading ${prog}: "
-
- if ! LANG=${PKI_HTTPD_LANG} ${httpd} ${PKI_OPTIONS} -t >&/dev/null; then
- rv=$?
- echo $"not reloading due to configuration syntax error"
- if [ -f /etc/init.d/functions ]; then
- failure $"not reloading ${httpd} due to configuration syntax error"
- else
- echo $"not reloading ${httpd} due to configuration syntax error"
- fi
- else
- if [ -f /etc/init.d/functions ]; then
- killproc -p ${pidfile} ${httpd} -HUP
- rv=$?
- else
- if [ -f ${PKI_LOCKFILE} ] ; then
- if [ -f ${pidfile} ]; then
- read kpid < ${pidfile}
- if checkpid $kpid 2>&1; then
- kill -HUP $kpid
- rv=$?
- if [ ${rv} != 0 ]; then
- rv=${default_error}
- fi
- fi
- else
- # * 7 program is not running
- rv=7
- echo
- echo -n "lock file found but no process "
- echo -n "running for pid $kpid, continuing"
- echo
- echo
- rm -f ${PKI_LOCKFILE}
- fi
- fi
- fi
- fi
- echo
-
- return ${rv}
-}
-
-# The semantics of the 'start()' function differs from the way 'apachectl'
-# does things -- attempting to start while running is a failure.
-# So we just do it the way init scripts are expected to behave here.
-start()
-{
- # From "http://fedoraproject.org/wiki/FCNewInit/Initscripts":
- #
- # * 0 action was successful
- # * 1 generic or unspecified error (current practice)
- # * 2 invalid or excess argument(s)
- # * 3 unimplemented feature (for example, "reload")
- # * 4 user had insufficient privilege
- # * 5 program is not installed
- # * 6 program is not configured
- # * 7 program is not running
- # * 8-99 reserved for future LSB use
- # * 100-149 reserved for distribution use
- # * 150-199 reserved for application use
- # * 200-254 reserved
- #
-
- error_rv=0
- rv=0
-
- if [ -n "${PKI_REGISTRY_ENTRIES}" ]; then
- config_errors=0
- errors=0
-
- if [ ${TOTAL_PKI_REGISTRY_ENTRIES} -gt 1 ] ; then
- echo "BEGIN STARTING '${PKI_TYPE}' INSTANCE(S):"
- fi
-
- # Start every PKI instance of this type that isn't already running
- for PKI_REGISTRY_ENTRY in ${PKI_REGISTRY_ENTRIES}; do
- # Source values associated with this particular PKI instance
- [ -f ${PKI_REGISTRY_ENTRY} ] &&
- . ${PKI_REGISTRY_ENTRY}
-
- pidfile=${PKI_PIDDIR}/${PKI_PIDFILE}
-
- [ ${TOTAL_PKI_REGISTRY_ENTRIES} -gt 1 ] && echo
-
- start_instance
-
- rv=$?
- if [ ${rv} = 6 ] ; then
- # Since at least ONE configuration error exists, then there
- # is at least ONE unconfigured instance from the PKI point
- # of view.
- #
- # However, it must still be considered that the
- # instance is "running" from the point of view of other
- # OS programs such as 'chkconfig'.
- #
- # Therefore, ignore non-zero return codes resulting
- # from configuration errors.
- #
-
- config_errors=`expr $config_errors + 1`
- rv=0
- elif [ ${rv} != 0 ] ; then
- errors=`expr $errors + 1`
- error_rv=${rv}
- fi
- done
-
- if [ ${TOTAL_PKI_REGISTRY_ENTRIES} -gt ${errors} ] ; then
- touch ${lockfile}
- chmod 00600 ${lockfile}
- fi
-
- # ONLY print a "WARNING" message if multiple
- # instances are being examined
- if [ ${TOTAL_PKI_REGISTRY_ENTRIES} -gt 1 ] ; then
- # NOTE: "bad" return code(s) OVERRIDE configuration errors!
- if [ ${errors} -eq 1 ]; then
- # Since only ONE error exists, return that "bad" error code.
- rv=${error_rv}
- elif [ ${errors} -gt 1 ]; then
- # Since MORE than ONE error exists, return an OVERALL status
- # of "1 generic or unspecified error (current practice)"
- rv=1
- fi
-
- if [ ${errors} -ge 1 ]; then
- echo
- echo -n "WARNING: "
- echo -n "${errors} of ${TOTAL_PKI_REGISTRY_ENTRIES} "
- echo -n "'${PKI_TYPE}' instances failed to start!"
- echo
- fi
-
- if [ ${TOTAL_UNCONFIGURED_PKI_ENTRIES} -ge 1 ]; then
- echo
- echo -n "WARNING: "
- echo -n "${TOTAL_UNCONFIGURED_PKI_ENTRIES} "
- echo -n "of ${TOTAL_PKI_REGISTRY_ENTRIES} "
- echo -n "'${PKI_TYPE}' instances MUST be configured!"
- echo
- fi
-
- echo
- echo "FINISHED STARTING '${PKI_TYPE}' INSTANCE(S)."
- fi
- else
- echo
- echo "ERROR: No '${PKI_TYPE}' instances installed!"
- rv=5
- fi
-
- return ${rv}
-}
-
-# The semantics of the 'stop()' function differs from the way 'apachectl'
-# does things -- attempting to shutdown when not running is a failure.
-# So we just do it the way init scripts are expected to behave here.
-stop()
-{
- # From "http://fedoraproject.org/wiki/FCNewInit/Initscripts":
- #
- # * 0 action was successful
- # * 1 generic or unspecified error (current practice)
- # * 2 invalid or excess argument(s)
- # * 3 unimplemented feature (for example, "reload")
- # * 4 user had insufficient privilege
- # * 5 program is not installed
- # * 6 program is not configured
- # * 7 program is not running
- # * 8-99 reserved for future LSB use
- # * 100-149 reserved for distribution use
- # * 150-199 reserved for application use
- # * 200-254 reserved
- #
-
- error_rv=0
- rv=0
-
- if [ -n "${PKI_REGISTRY_ENTRIES}" ]; then
- errors=0
-
- if [ ${TOTAL_PKI_REGISTRY_ENTRIES} -gt 1 ] ; then
- echo "BEGIN SHUTTING DOWN '${PKI_TYPE}' INSTANCE(S):"
- fi
-
- # Shutdown every PKI instance of this type that is running
- for PKI_REGISTRY_ENTRY in ${PKI_REGISTRY_ENTRIES}; do
- # Source values associated with this particular PKI instance
- [ -f ${PKI_REGISTRY_ENTRY} ] &&
- . ${PKI_REGISTRY_ENTRY}
-
- pidfile=${PKI_PIDDIR}/${PKI_PIDFILE}
-
- [ ${TOTAL_PKI_REGISTRY_ENTRIES} -gt 1 ] && echo
-
- stop_instance
-
- rv=$?
- if [ ${rv} != 0 ] ; then
- errors=`expr $errors + 1`
- error_rv=${rv}
- fi
- done
-
- if [ ${errors} -eq 0 ] ; then
- rm -f ${lockfile}
- fi
-
- # ONLY print a "WARNING" message if multiple
- # instances are being examined
- if [ ${TOTAL_PKI_REGISTRY_ENTRIES} -gt 1 ] ; then
- if [ ${errors} -eq 1 ]; then
- # Since only ONE error exists, return that "bad" error code.
- rv=${error_rv}
- elif [ ${errors} -gt 1 ]; then
- # Since MORE than ONE error exists, return an OVERALL status
- # of "1 generic or unspecified error (current practice)"
- rv=1
- fi
-
- if [ ${errors} -ge 1 ]; then
- echo
- echo -n "WARNING: "
- echo -n "${errors} of ${TOTAL_PKI_REGISTRY_ENTRIES} "
- echo -n "'${PKI_TYPE}' instances were "
- echo -n "unsuccessfully stopped!"
- echo
- fi
-
- echo
- echo "FINISHED SHUTTING DOWN '${PKI_TYPE}' INSTANCE(S)."
- fi
- else
- echo
- echo "ERROR: No '${PKI_TYPE}' instances installed!"
- rv=5
- fi
-
- return ${rv}
-}
-
-restart()
-{
- # From "http://fedoraproject.org/wiki/FCNewInit/Initscripts":
- #
- # * 0 action was successful
- # * 1 generic or unspecified error (current practice)
- # * 2 invalid or excess argument(s)
- # * 3 unimplemented feature (for example, "reload")
- # * 4 user had insufficient privilege
- # * 5 program is not installed
- # * 6 program is not configured
- # * 7 program is not running
- # * 8-99 reserved for future LSB use
- # * 100-149 reserved for distribution use
- # * 150-199 reserved for application use
- # * 200-254 reserved
- #
-
- stop
- sleep 2
- echo
- echo "============================================================"
- echo
- start
-
- return $?
-}
-
-reload()
-{
- # From "http://fedoraproject.org/wiki/FCNewInit/Initscripts":
- #
- # * 0 action was successful
- # * 1 generic or unspecified error (current practice)
- # * 2 invalid or excess argument(s)
- # * 3 unimplemented feature (for example, "reload")
- # * 4 user had insufficient privilege
- # * 5 program is not installed
- # * 6 program is not configured
- # * 7 program is not running
- # * 8-99 reserved for future LSB use
- # * 100-149 reserved for distribution use
- # * 150-199 reserved for application use
- # * 200-254 reserved
- #
-
- error_rv=0
- rv=0
-
- if [ -n "${PKI_REGISTRY_ENTRIES}" ]; then
- errors=0
-
- if [ ${TOTAL_PKI_REGISTRY_ENTRIES} -gt 1 ] ; then
- echo "BEGIN RELOADING '${PKI_TYPE}' INSTANCE(S):"
- fi
-
- # Reload every PKI instance of this type that is running
- for PKI_REGISTRY_ENTRY in ${PKI_REGISTRY_ENTRIES}; do
- # Source values associated with this particular PKI instance
- [ -f ${PKI_REGISTRY_ENTRY} ] &&
- . ${PKI_REGISTRY_ENTRY}
-
- pidfile=${PKI_PIDDIR}/${PKI_PIDFILE}
-
- [ ${TOTAL_PKI_REGISTRY_ENTRIES} -gt 1 ] && echo
-
- reload_instance
-
- rv=$?
- if [ ${rv} != 0 ] ; then
- errors=`expr $errors + 1`
- error_rv=${rv}
- fi
- done
-
- # ONLY print a "WARNING" message if multiple
- # instances are being examined
- if [ ${TOTAL_PKI_REGISTRY_ENTRIES} -gt 1 ] ; then
- if [ ${errors} -eq 1 ]; then
- # Since only ONE error exists, return that "bad" error code.
- rv=${error_rv}
- elif [ ${errors} -gt 1 ]; then
- # Since MORE than ONE error exists, return an OVERALL status
- # of "1 generic or unspecified error (current practice)"
- rv=1
- fi
-
- if [ ${errors} -ge 1 ]; then
- echo
- echo -n "WARNING: "
- echo -n "${errors} of ${TOTAL_PKI_REGISTRY_ENTRIES} "
- echo -n "'${PKI_TYPE}' instances were "
- echo -n "unsuccessfully reloaded!"
- echo
- fi
-
- echo
- echo "FINISHED RELOADING '${PKI_TYPE}' INSTANCE(S)."
- fi
- else
- echo
- echo "ERROR: No '${PKI_TYPE}' instances reloaded!"
- rv=5
- fi
-
- return ${rv}
-}
-
-status()
-{
- # From "http://fedoraproject.org/wiki/FCNewInit/Initscripts":
- #
- # * 0 program is running or service is OK
- # * 1 program is dead and /var/run pid file exists
- # * 2 program is dead and /var/lock lock file exists
- # * 3 program is not running
- # * 4 program or service status is unknown
- # * 5-99 reserved for future LSB use
- # * 100-149 reserved for distribution use
- # * 150-199 reserved for application use
- # * 200-254 reserved
- #
-
- error_rv=0
- rv=0
-
- if [ -n "${PKI_REGISTRY_ENTRIES}" ]; then
- errors=0
-
- if [ ${TOTAL_PKI_REGISTRY_ENTRIES} -gt 1 ] ; then
- echo "REPORT STATUS OF '${PKI_TYPE}' INSTANCE(S):"
- fi
-
- # Obtain status of every PKI instance of this type
- for PKI_REGISTRY_ENTRY in ${PKI_REGISTRY_ENTRIES}; do
- # Source values associated with this particular PKI instance
- [ -f ${PKI_REGISTRY_ENTRY} ] &&
- . ${PKI_REGISTRY_ENTRY}
-
- pidfile=${PKI_PIDDIR}/${PKI_PIDFILE}
-
- [ ${TOTAL_PKI_REGISTRY_ENTRIES} -gt 1 ] && echo
-
- display_instance_status
-
- rv=$?
- if [ ${rv} -ne 0 ] ; then
- errors=`expr $errors + 1`
- error_rv=${rv}
- fi
- done
-
- # ONLY print a "WARNING" message if multiple
- # instances are being examined
- if [ ${TOTAL_PKI_REGISTRY_ENTRIES} -gt 1 ] ; then
- if [ ${errors} -eq 1 ]; then
- # Since only ONE error exists, return that "bad" error code.
- rv=${error_rv}
- elif [ ${errors} -gt 1 ]; then
- # Since MORE than ONE error exists, return an OVERALL status
- # of "4 - program or service status is unknown"
- rv=4
- fi
-
- if [ ${errors} -ge 1 ]; then
- echo
- echo -n "WARNING: "
- echo -n "${errors} of ${TOTAL_PKI_REGISTRY_ENTRIES} "
- echo -n "'${PKI_TYPE}' instances reported status failures!"
- echo
- fi
-
- if [ ${TOTAL_UNCONFIGURED_PKI_ENTRIES} -ge 1 ]; then
- echo
- echo -n "WARNING: "
- echo -n "${TOTAL_UNCONFIGURED_PKI_ENTRIES} "
- echo -n "of ${TOTAL_PKI_REGISTRY_ENTRIES} "
- echo -n "'${PKI_TYPE}' instances MUST be configured!"
- echo
- fi
-
- echo
- echo "FINISHED REPORTING STATUS OF '${PKI_TYPE}' INSTANCE(S)."
- fi
- else
- echo
- echo "ERROR: No '${PKI_TYPE}' instances installed!"
- rv=4
- fi
-
- return ${rv}
-}
+# Source the PKI function library
+. /usr/share/pki/scripts/functions
# See how we were called.
-case "${command}" in
- start|stop|restart|reload|status)
- ${command}
- exit $?
- ;;
- condrestart|force-restart|try-restart)
- [ ! -f ${lockfile} ] || restart
- exit $?
- ;;
- *)
- # * 3 unimplemented feature (for example, "reload")
- # [invalid command - should never be reached]
- echo
- usage
- echo "where valid instance names include:"
- list_instances
- exit 3
- ;;
+case $command in
+ status)
+ registry_status
+ exit $?
+ ;;
+ start)
+ start
+ exit $?
+ ;;
+ restart)
+ restart
+ exit $?
+ ;;
+ stop)
+ stop
+ exit $?
+ ;;
+ condrestart|force-restart|try-restart)
+ [ ! -f ${lockfile} ] || restart
+ exit $?
+ ;;
+ reload)
+ echo "The 'reload' action is an unimplemented feature."
+ exit ${default_error}
+ ;;
+ *)
+ echo "unknown action ($command)"
+ usage
+ echo "where valid instance names include:"
+ list_instances
+ exit ${default_error}
+ ;;
esac
diff --git a/pki/base/tps/setup/config.desktop b/pki/base/tps/setup/config.desktop
index f84fadac2..2bfc396e6 100644
--- a/pki/base/tps/setup/config.desktop
+++ b/pki/base/tps/setup/config.desktop
@@ -21,7 +21,7 @@
[Desktop Entry]
Version=1.0.0
Encoding=UTF-8
-Name=Token Processing System Configuration - [INSTANCE_ID]
+Name=Token Processing System Configuration - [PKI_INSTANCE_ID]
GenericName=Token Processing System Configuration
Comment=Configure Token Processing System
Exec=firefox https://[SERVER_NAME]:[SECURE_PORT]/tps/admin/console/config/login?pin=[PKI_RANDOM_NUMBER]
diff --git a/pki/base/tps/setup/registry_instance b/pki/base/tps/setup/registry_instance
new file mode 100644
index 000000000..e02f19011
--- /dev/null
+++ b/pki/base/tps/setup/registry_instance
@@ -0,0 +1,117 @@
+# Establish PKI Variable "Slot" Substitutions
+
+PKI_FLAVOR=[PKI_FLAVOR]
+export PKI_FLAVOR
+
+PKI_SUBSYSTEM_TYPE=[PKI_SUBSYSTEM_TYPE]
+export PKI_SUBSYSTEM_TYPE
+
+PKI_USER=[PKI_USER]
+export PKI_USER
+
+PKI_GROUP=[PKI_GROUP]
+export PKI_GROUP
+
+PKI_INSTANCE_ID=[PKI_INSTANCE_ID]
+export PKI_INSTANCE_ID
+
+PKI_INSTANCE_INITSCRIPT=[PKI_INSTANCE_INITSCRIPT]
+export PKI_INSTANCE_INITSCRIPT
+
+PKI_HTTPD_CONF=[HTTPD_CONF]
+export PKI_HTTPD_CONF
+
+PKI_SERVER_ROOT=[SERVER_ROOT]
+export PKI_SERVER_ROOT
+
+PKI_SYSTEM_USER_LIBRARIES=[SYSTEM_USER_LIBRARIES]
+export PKI_SYSTEM_USER_LIBRARIES
+
+PKI_FORTITUDE_DIR=[FORTITUDE_DIR]
+export PKI_FORTITUDE_DIR
+
+PKI_NSS_CONF=[NSS_CONF]
+export PKI_NSS_CONF
+
+PKI_SERVER_NAME=[SERVER_NAME]
+export PKI_SERVER_NAME
+
+PKI_LOCK_FILE="[PKI_LOCKDIR]/${PKI_INSTANCE_ID}.pid"
+export PKI_LOCK_FILE
+
+PKI_PID_FILE="[PKI_PIDDIR]/${PKI_INSTANCE_ID}.pid"
+export PKI_PID_FILE
+
+PKI_SELINUX_TYPE="pki_tps_t"
+export PKI_SELINUX_TYPE
+
+pki_instance_configuration_file=${PKI_SERVER_ROOT}/conf/CS.cfg
+export pki_instance_configuration_file
+
+RESTART_SERVER=${PKI_SERVER_ROOT}/conf/restart_server_after_configuration
+export RESTART_SERVER
+
+########################################################################
+# This section contains modified content of "/etc/sysconfig/httpd" #
+########################################################################
+# Configuration file for the ${PKI_INSTANCE_ID} service.
+
+#
+# The default processing model (MPM) is the process-based
+# 'prefork' model. A thread-based model, 'worker', is also
+# available, but does not work with some modules (such as PHP).
+# The service must be stopped before changing this variable.
+#
+PKI_HTTPD=${PKI_FORTITUDE_DIR}/sbin/httpd.worker
+export PKI_HTTPD
+
+#
+# To pass additional options (for instance, -D definitions) to the
+# httpd binary at startup, set PKI_OPTIONS here.
+#
+PKI_OPTIONS="-f ${PKI_HTTPD_CONF}"
+export PKI_OPTIONS
+
+#
+# By default, the httpd process is started in the C locale; to
+# change the locale in which the server runs, the PKI_HTTPD_LANG
+# variable can be set.
+#
+PKI_HTTPD_LANG=C
+export PKI_HTTPD_LANG
+########################################################################
+# #
+########################################################################
+
+# This will prevent initlog from swallowing up a pass-phrase prompt if
+# mod_ssl needs a pass-phrase from the user.
+PKI_INITLOG_ARGS=""
+export PKI_INITLOG_ARGS
+
+# Set PKI_HTTPD=/usr/sbin/httpd.worker in /etc/sysconfig/httpd to use a server
+# with the thread-based "worker" MPM; BE WARNED that some modules may not
+# work correctly with a thread-based MPM; notably PHP will refuse to start.
+
+# Path to the server binary and short-form for messages.
+httpd=${PKI_HTTPD}
+export httpd
+
+pki_logs_directory=${PKI_SERVER_ROOT}/logs
+export pki_logs_directory
+
+# see if httpd is linked with the openldap libraries - we need to override them
+if [ ${OS} = "Linux" ]; then
+ hasopenldap=0
+
+ /usr/bin/ldd ${httpd} 2>&1 | grep libldap- > /dev/null 2>&1 && hasopenldap=1
+
+ if [ ${hasopenldap} -eq 1 ] ; then
+ LD_PRELOAD="${PKI_SYSTEM_USER_LIBRARIES}/libldap60.so"
+ LD_PRELOAD="${PKI_SYSTEM_USER_LIBRARIES}/libssl3.so:${LD_PRELOAD}"
+ export LD_PRELOAD
+ fi
+elif [ ${OS} = "SunOS" ]; then
+ LD_PRELOAD_64="${PKI_SYSTEM_USER_LIBRARIES}/libldap60.so"
+ LD_PRELOAD_64="${PKI_SYSTEM_USER_LIBRARIES}/dirsec/libssl3.so:${LD_PRELOAD_64}"
+ export LD_PRELOAD_64
+fi
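Review bot: The `if [ ${OS} = "Linux" ]` test in the last block relies on OS having already been set by whatever sources this file; if it is unset the test degrades to `[ = "Linux" ]` and the sourcing init script aborts with a syntax error instead of skipping the block, so quote it and default it, `if [ "${OS:-}" = "Linux" ]; then` (and the same for the SunOS branch). The exported LD_PRELOAD is then inherited by every process the init script starts afterwards, not just httpd; if that is intended it deserves a comment saying so, otherwise it should be scoped to the httpd invocation. `PKI_LOCK_FILE` ends in `.pid`, which reads like a copy of the `PKI_PID_FILE` line beneath it; if the two directories are ever configured to be the same the lock and pid files would collide. The comment block beginning `Set PKI_HTTPD=/usr/sbin/httpd.worker in /etc/sysconfig/httpd` still describes the stock sysconfig file even though PKI_HTTPD is assigned in this file a few lines above, so it should be reworded or dropped.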