Bugzilla Bug #586073 - Add new 'mod_revocator' runtime dependency to RA and TPS

git-svn-id: svn+ssh://svn.fedorahosted.org/svn/pki/trunk@1624 c9f7a03b-bd48-0410-a16d-cbbf54688b0b

33 files changed, 555 insertions, 2034 deletions

diff --git a/pki/base/CMakeLists.txt b/pki/base/CMakeLists.txt
index fc96f785e..9f4131d3b 100644
--- a/pki/base/CMakeLists.txt
+++ b/pki/base/CMakeLists.txt
@@ -2,10 +2,10 @@ project(base)
 
 # The order is important!
 #   add_subdirectory(osutil)
-if (APPLICATION_FLAVOUR_OSUTIL)
+if (APPLICATION_FLAVOR_OSUTIL)
     add_subdirectory(osutil)
-endif (APPLICATION_FLAVOUR_OSUTIL)
-if (APPLICATION_FLAVOUR_CORE)
+endif (APPLICATION_FLAVOR_OSUTIL)
+if (APPLICATION_FLAVOR_PKI_CORE)
     add_subdirectory(setup)
     add_subdirectory(symkey)
     add_subdirectory(native-tools)
@@ -15,15 +15,25 @@ if (APPLICATION_FLAVOUR_CORE)
     add_subdirectory(selinux)
     add_subdirectory(ca)
     add_subdirectory(silent)
-endif (APPLICATION_FLAVOUR_CORE)
-if (APPLICATION_FLAVOUR_DOGTAG)
+endif (APPLICATION_FLAVOR_PKI_CORE)
+if (APPLICATION_FLAVOR_PKI_KRA)
     add_subdirectory(kra)
+endif (APPLICATION_FLAVOR_PKI_KRA)
+if (APPLICATION_FLAVOR_PKI_OCSP)
     add_subdirectory(ocsp)
+endif (APPLICATION_FLAVOR_PKI_OCSP)
+if (APPLICATION_FLAVOR_PKI_RA)
+    add_subdirectory(ra)
+endif (APPLICATION_FLAVOR_PKI_RA)
+if (APPLICATION_FLAVOR_PKI_TKS)
     add_subdirectory(tks)
+endif (APPLICATION_FLAVOR_PKI_TKS)
+if (APPLICATION_FLAVOR_PKI_TPS)
     add_subdirectory(tps)
-    add_subdirectory(ra)
+endif (APPLICATION_FLAVOR_PKI_TPS)
+if (APPLICATION_FLAVOR_PKI_CONSOLE)
     add_subdirectory(console)
-endif (APPLICATION_FLAVOUR_DOGTAG)
-if (APPLICATION_FLAVOUR_REDHAT)
+endif (APPLICATION_FLAVOR_PKI_CONSOLE)
+if (APPLICATION_FLAVOR_PKI_MIGRATE)
     add_subdirectory(migrate)
-endif (APPLICATION_FLAVOUR_REDHAT)
+endif (APPLICATION_FLAVOR_PKI_MIGRATE)
diff --git a/pki/base/ca/CMakeLists.txt b/pki/base/ca/CMakeLists.txt
index bab50004e..9ad04dadc 100644
--- a/pki/base/ca/CMakeLists.txt
+++ b/pki/base/ca/CMakeLists.txt
@@ -2,6 +2,7 @@ project(ca Java)
 
 add_subdirectory(src)
 add_subdirectory(setup)
+add_subdirectory(shared/conf)
 
 # install init script
 install(
@@ -25,6 +26,8 @@ install(
         "CMakeLists.txt" EXCLUDE
     PATTERN
         "etc/*" EXCLUDE
+    PATTERN
+        "conf/CS.cfg.in" EXCLUDE
 )
 
 # install empty directories
diff --git a/pki/base/ca/shared/CMakeLists.txt b/pki/base/ca/shared/CMakeLists.txt
deleted file mode 100644
index 507395ff2..000000000
--- a/pki/base/ca/shared/CMakeLists.txt
+++ /dev/null
@@ -1,11 +0,0 @@
-# install init script
-install(
-    FILES
-        etc/init.d/pki-cad
-    DESTINATION
-        ${SYSCONF_INSTALL_DIR}/init.d
-    PERMISSIONS
-        OWNER_EXECUTE OWNER_WRITE OWNER_READ
-        GROUP_EXECUTE GROUP_READ
-        WORLD_EXECUTE WORLD_READ
-)
diff --git a/pki/base/ca/shared/conf/CMakeLists.txt b/pki/base/ca/shared/conf/CMakeLists.txt
new file mode 100644
index 000000000..e3cef5915
--- /dev/null
+++ b/pki/base/ca/shared/conf/CMakeLists.txt
@@ -0,0 +1,12 @@
+set(VERSION ${APPLICATION_VERSION})
+set(MAJOR_VERSION ${APPLICATION_VERSION_MAJOR})
+set(MINOR_VERSION ${APPLICATION_VERSION_MINOR})
+
+configure_file(${CMAKE_CURRENT_SOURCE_DIR}/CS.cfg.in ${CMAKE_CURRENT_BINARY_DIR}/CS.cfg @ONLY)
+
+install(
+    FILES
+        ${CMAKE_CURRENT_BINARY_DIR}/CS.cfg
+    DESTINATION
+        ${SHARE_INSTALL_PREFIX}/${APPLICATION_NAME}/${PROJECT_NAME}/conf
+)
diff --git a/pki/base/ca/shared/conf/CS.cfg b/pki/base/ca/shared/conf/CS.cfg.in
index 3ebd84d6a..e9b265f76 100644
--- a/pki/base/ca/shared/conf/CS.cfg
+++ b/pki/base/ca/shared/conf/CS.cfg.in
@@ -18,7 +18,7 @@ pkiremove.cert.subsystem.nickname=subsystemCert cert-[PKI_INSTANCE_ID]
 installDate=[INSTALL_TIME]
 preop.wizard.name=CA Setup Wizard
 preop.product.name=CS
-preop.product.version=
+preop.product.version=@VERSION@
 preop.system.name=CA
 preop.system.fullname=Certificate Authority
 cs.state=0
@@ -705,7 +705,7 @@ cmc.revokeCert.sharedSecret.class=com.netscape.cms.authentication.SharedSecret
 cmc.sharedSecret.class=com.netscape.cms.authentication.SharedSecret
 cms.passwordlist=internaldb,replicationdb
 cms.password.ignore.publishing.failure=true
-cms.version=
+cms.version=@MAJOR_VERSION@.@MINOR_VERSION@
 cmsgateway._000=##
 cmsgateway._001=## In the event that all Admin Certificates have been lost
 cmsgateway._002=## for a given instance, perform the following steps to
diff --git a/pki/base/ca/src/CMakeLists.txt b/pki/base/ca/src/CMakeLists.txt
index ab40e63b7..f8e68c4f6 100644
--- a/pki/base/ca/src/CMakeLists.txt
+++ b/pki/base/ca/src/CMakeLists.txt
@@ -1,21 +1,31 @@
 project(ca_java Java)
 
+# '/usr/share/java' jars
+find_file(LDAPJDK_JAR
+    NAMES
+        ldapjdk.jar
+    PATHS
+        /usr/share/java
+)
+
+
+# '/usr/lib/java' jars
 find_file(JSS_JAR
     NAMES
         jss4.jar
     PATHS
         /usr/lib/java
-        /usr/share/java
 )
 
-find_file(LDAPJDK_JAR
+find_file(OSUTIL_JAR
     NAMES
-        ldapjdk.jar
+        osutil.jar
     PATHS
         /usr/lib/java
-        /usr/share/java
 )
 
+
+# identify java sources
 set(ca_java_SRCS
     com/netscape/ca/CMSCRLExtensions.java
     com/netscape/ca/CAService.java
@@ -26,13 +36,21 @@ set(ca_java_SRCS
     com/netscape/ca/CertificateAuthority.java
 )
 
+
+# set classpath
 set(CMAKE_JAVA_INCLUDE_PATH
-    ${JSS_JAR} ${LDAPJDK_JAR} ${NSUTIL_JAR} ${CMSUTIL_JAR}
-    ${OSUTIL_JAR} ${SYMKEY_JAR} ${CMS_JAR} ${CMSCORE_JAR}
-    ${CERTSRV_JAR})
+    ${CERTSRV_JAR} ${CMS_JAR} ${CMSCORE_JAR} ${CMSUTIL_JAR} ${NSUTIL_JAR}
+    ${LDAPJDK_JAR}
+    ${JSS_JAR} ${OSUTIL_JAR} ${SYMKEY_JAR})
+
+
+# set version
 set(CMAKE_JAVA_TARGET_VERSION ${APPLICATION_VERSION})
 
+
+# build ca.jar
 add_jar(ca ${ca_java_SRCS})
-add_dependencies(ca nsutil cmsutil osutil symkey cms cmscore certsrv)
+add_dependencies(ca osutil symkey nsutil cmsutil certsrv cms cmscore)
 install_jar(ca ${JAVA_JAR_INSTALL_DIR})
 set(CA_JAR ${ca_JAR_FILE} CACHE INTERNAL "ca jar file")
+
diff --git a/pki/base/console/src/CMakeLists.txt b/pki/base/console/src/CMakeLists.txt
index ff17efc0f..076f18078 100644
--- a/pki/base/console/src/CMakeLists.txt
+++ b/pki/base/console/src/CMakeLists.txt
@@ -1,24 +1,27 @@
-project(console_java Java)
+project(pki_console_java Java)
 
-find_file(JSS_JAR
+# '/usr/share/java/pki' jars
+find_file(NSUTIL_JAR
     NAMES
-        jss4.jar
+        nsutil.jar
     PATHS
         /usr/lib/java
-        /usr/share/java
+        /usr/share/java/pki
 )
 
-find_file(LDAPJDK_JAR
+
+# '/usr/share/java' jars
+find_file(BASE_JAR
     NAMES
-        ldapjdk.jar
+        idm-console-base.jar
     PATHS
         /usr/lib/java
         /usr/share/java
 )
 
-find_file(BASE_JAR
+find_file(LDAPJDK_JAR
     NAMES
-        idm-console-base.jar
+        ldapjdk.jar
     PATHS
         /usr/lib/java
         /usr/share/java
@@ -56,7 +59,19 @@ find_file(NMCLF_EN_JAR
         /usr/share/java
 )
 
-set(console_java_SRCS
+
+# '/usr/lib/java' jars
+find_file(JSS_JAR
+    NAMES
+        jss4.jar
+    PATHS
+        /usr/lib/java
+        /usr/share/java
+)
+
+
+# identify java sources
+set(pki_console_java_SRCS
     com/netscape/certsrv/common/TaskId.java
     com/netscape/certsrv/common/DestDef.java
     com/netscape/certsrv/common/NameValuePairs.java
@@ -578,13 +593,22 @@ set(console_java_SRCS
     com/netscape/admin/certsrv/IUIMapper.java
 )
 
+
+# set classpath
 set(CMAKE_JAVA_INCLUDE_PATH
-    ${JSS_JAR} ${LDAPJDK_JAR} ${NSUTIL_JAR}
-    ${BASE_JAR} ${MMC_JAR} ${MMC_EN_JAR}
-    ${NMCLF_JAR} ${NMCLF_EN_JAR})
+    ${BASE_JAR} ${LDAPJDK_JAR} ${MMC_JAR}
+    ${MMC_EN_JAR} ${NMCLF_JAR} ${NMCLF_EN_JAR}
+    ${NSUTIL_JAR}
+    ${JSS_JAR})
+
+
+# set version
 set(CMAKE_JAVA_TARGET_VERSION ${APPLICATION_VERSION})
 
-add_jar(console ${console_java_SRCS})
-add_dependencies(console nsutil)
-install_jar(console ${JAVA_JAR_INSTALL_DIR}/pki)
-set(CONSOLE_JAR ${console_JAR_FILE} CACHE INTERNAL "console jar file")
+
+# build pki-console.jar
+add_jar(pki-console ${pki_console_java_SRCS})
+add_dependencies(pki-console nsutil)
+install_jar(pki-console ${JAVA_JAR_INSTALL_DIR})
+set(PKI_CONSOLE_JAR ${pki_console_JAR_FILE} CACHE INTERNAL "pki-console jar file")
+
diff --git a/pki/base/kra/CMakeLists.txt b/pki/base/kra/CMakeLists.txt
index 5155a84ef..dc2564c92 100644
--- a/pki/base/kra/CMakeLists.txt
+++ b/pki/base/kra/CMakeLists.txt
@@ -2,6 +2,7 @@ project(kra Java)
 
 add_subdirectory(src)
 add_subdirectory(setup)
+add_subdirectory(shared/conf)
 
 # install init script
 install(
@@ -25,6 +26,8 @@ install(
         "CMakeLists.txt" EXCLUDE
     PATTERN
         "etc/*" EXCLUDE
+    PATTERN
+        "conf/CS.cfg.in" EXCLUDE
 )
 
 # install empty directories
diff --git a/pki/base/kra/shared/conf/CMakeLists.txt b/pki/base/kra/shared/conf/CMakeLists.txt
new file mode 100644
index 000000000..e3cef5915
--- /dev/null
+++ b/pki/base/kra/shared/conf/CMakeLists.txt
@@ -0,0 +1,12 @@
+set(VERSION ${APPLICATION_VERSION})
+set(MAJOR_VERSION ${APPLICATION_VERSION_MAJOR})
+set(MINOR_VERSION ${APPLICATION_VERSION_MINOR})
+
+configure_file(${CMAKE_CURRENT_SOURCE_DIR}/CS.cfg.in ${CMAKE_CURRENT_BINARY_DIR}/CS.cfg @ONLY)
+
+install(
+    FILES
+        ${CMAKE_CURRENT_BINARY_DIR}/CS.cfg
+    DESTINATION
+        ${SHARE_INSTALL_PREFIX}/${APPLICATION_NAME}/${PROJECT_NAME}/conf
+)
diff --git a/pki/base/kra/shared/conf/CS.cfg b/pki/base/kra/shared/conf/CS.cfg.in
index 56944d5fc..05ed8ce09 100644
--- a/pki/base/kra/shared/conf/CS.cfg
+++ b/pki/base/kra/shared/conf/CS.cfg.in
@@ -13,7 +13,7 @@ pkiremove.cert.subsystem.nickname=subsystemCert cert-[PKI_INSTANCE_ID]
 installDate=[INSTALL_TIME]
 preop.wizard.name=DRM Setup Wizard
 preop.product.name=CS
-preop.product.version=
+preop.product.version=@VERSION@
 preop.system.name=DRM
 preop.system.fullname=Data Recovery Manager
 cs.state=0
@@ -161,7 +161,7 @@ cmc.lraPopWitness.verify.allow=true
 cmc.revokeCert.verify=true
 cmc.revokeCert.sharedSecret.class=com.netscape.cms.authentication.SharedSecret
 cmc.sharedSecret.class=com.netscape.cms.authentication.SharedSecret
-cms.version=
+cms.version=@MAJOR_VERSION@.@MINOR_VERSION@
 dbs.enableSerialManagement=false
 dbs.beginRequestNumber=1
 dbs.endRequestNumber=10000000
diff --git a/pki/base/kra/src/CMakeLists.txt b/pki/base/kra/src/CMakeLists.txt
index d483a0a3a..6e9734383 100644
--- a/pki/base/kra/src/CMakeLists.txt
+++ b/pki/base/kra/src/CMakeLists.txt
@@ -1,21 +1,76 @@
 project(kra_java Java)
 
-find_file(JSS_JAR
+# '/usr/share/java/pki' jars
+find_file(CERTSRV_JAR
     NAMES
-        jss4.jar
+        certsrv.jar
+    PATHS
+        /usr/share/java/pki
+)
+
+find_file(CMS_JAR
+    NAMES
+        cms.jar
+    PATHS
+        /usr/share/java/pki
+)
+
+find_file(CMSCORE_JAR
+    NAMES
+        cmscore.jar
+    PATHS
+        /usr/share/java/pki
+)
+
+find_file(CMSUTIL_JAR
+    NAMES
+        cmsutil.jar
+    PATHS
+        /usr/share/java/pki
+)
+
+find_file(NSUTIL_JAR
+    NAMES
+        nsutil.jar
     PATHS
         /usr/lib/java
-        /usr/share/java
+        /usr/share/java/pki
 )
 
+
+# '/usr/share/java' jars
 find_file(LDAPJDK_JAR
     NAMES
         ldapjdk.jar
     PATHS
-        /usr/lib/java
         /usr/share/java
 )
 
+
+# '/usr/lib/java' jars
+find_file(JSS_JAR
+    NAMES
+        jss4.jar
+    PATHS
+        /usr/lib/java
+)
+
+find_file(OSUTIL_JAR
+    NAMES
+        osutil.jar
+    PATHS
+        /usr/lib/java
+)
+
+find_file(SYMKEY_JAR
+    NAMES
+        symkey.jar
+    PATHS
+        /usr/lib/java
+)
+
+
+# identify java sources
 set(kra_java_SRCS
     com/netscape/kra/KeyRecoveryAuthority.java
     com/netscape/kra/EnrollmentService.java
@@ -30,13 +85,21 @@ set(kra_java_SRCS
     com/netscape/kra/StorageKeyUnit.java
 )
 
+
+# set classpath
 set(CMAKE_JAVA_INCLUDE_PATH
-    ${JSS_JAR} ${LDAPJDK_JAR} ${NSUTIL_JAR} ${CMSUTIL_JAR}
-    ${OSUTIL_JAR} ${SYMKEY_JAR} ${CMS_JAR} ${CMSCORE_JAR}
-    ${CERTSRV_JAR})
+    ${CERTSRV_JAR} ${CMS_JAR} ${CMSCORE_JAR} ${CMSUTIL_JAR} ${NSUTIL_JAR}
+    ${LDAPJDK_JAR}
+    ${JSS_JAR} ${OSUTIL_JAR} ${SYMKEY_JAR})
+
+
+# set version
 set(CMAKE_JAVA_TARGET_VERSION ${APPLICATION_VERSION})
 
+
+# build kra.jar
 add_jar(kra ${kra_java_SRCS})
-add_dependencies(kra nsutil cmsutil osutil symkey cms cmscore certsrv)
+add_dependencies(kra osutil symkey nsutil cmsutil certsrv cms cmscore)
 install_jar(kra ${JAVA_JAR_INSTALL_DIR})
 set(KRA_JAR ${kra_JAR_FILE} CACHE INTERNAL "kra jar file")
+
diff --git a/pki/base/ocsp/CMakeLists.txt b/pki/base/ocsp/CMakeLists.txt
index 373fb4d18..1a7809074 100644
--- a/pki/base/ocsp/CMakeLists.txt
+++ b/pki/base/ocsp/CMakeLists.txt
@@ -2,6 +2,7 @@ project(ocsp Java)
 
 add_subdirectory(src)
 add_subdirectory(setup)
+add_subdirectory(shared/conf)
 
 # install init script
 install(
@@ -25,6 +26,8 @@ install(
         "CMakeLists.txt" EXCLUDE
     PATTERN
         "etc/*" EXCLUDE
+    PATTERN
+        "CS.cfg.in" EXCLUDE
 )
 
 # install empty directories
diff --git a/pki/base/ocsp/shared/conf/CMakeLists.txt b/pki/base/ocsp/shared/conf/CMakeLists.txt
new file mode 100644
index 000000000..e3cef5915
--- /dev/null
+++ b/pki/base/ocsp/shared/conf/CMakeLists.txt
@@ -0,0 +1,12 @@
+set(VERSION ${APPLICATION_VERSION})
+set(MAJOR_VERSION ${APPLICATION_VERSION_MAJOR})
+set(MINOR_VERSION ${APPLICATION_VERSION_MINOR})
+
+configure_file(${CMAKE_CURRENT_SOURCE_DIR}/CS.cfg.in ${CMAKE_CURRENT_BINARY_DIR}/CS.cfg @ONLY)
+
+install(
+    FILES
+        ${CMAKE_CURRENT_BINARY_DIR}/CS.cfg
+    DESTINATION
+        ${SHARE_INSTALL_PREFIX}/${APPLICATION_NAME}/${PROJECT_NAME}/conf
+)
diff --git a/pki/base/ocsp/shared/conf/CS.cfg b/pki/base/ocsp/shared/conf/CS.cfg.in
index e4f0d2d7b..84553d3fc 100644
--- a/pki/base/ocsp/shared/conf/CS.cfg
+++ b/pki/base/ocsp/shared/conf/CS.cfg.in
@@ -25,7 +25,7 @@ preop.admincert.profile=caAdminCert
 preop.securitydomain.admin_url=https://[PKI_MACHINE_NAME]:9445
 preop.wizard.name=OCSP Setup Wizard
 preop.product.name=CS
-preop.product.version=
+preop.product.version=@VERSION@
 preop.system.name=OCSP
 preop.system.fullname=OCSP Responder
 preop.configModules.module0.userFriendlyName=NSS Internal PKCS #11 Module
@@ -151,7 +151,7 @@ cmc.lraPopWitness.verify.allow=true
 cmc.revokeCert.verify=true
 cmc.revokeCert.sharedSecret.class=com.netscape.cms.authentication.SharedSecret
 cmc.sharedSecret.class=com.netscape.cms.authentication.SharedSecret
-cms.version=
+cms.version=@MAJOR_VERSION@.@MINOR_VERSION@
 dbs.ldap=internaldb
 dbs.newSchemaEntryAdded=true
 debug.append=true
diff --git a/pki/base/ocsp/src/CMakeLists.txt b/pki/base/ocsp/src/CMakeLists.txt
index 53f2dc58a..f707654e5 100644
--- a/pki/base/ocsp/src/CMakeLists.txt
+++ b/pki/base/ocsp/src/CMakeLists.txt
@@ -1,21 +1,76 @@
 project(ocsp_java Java)
 
-find_file(JSS_JAR
+# '/usr/share/java/pki' jars
+find_file(CERTSRV_JAR
     NAMES
-        jss4.jar
+        certsrv.jar
+    PATHS
+        /usr/share/java/pki
+)
+
+find_file(CMS_JAR
+    NAMES
+        cms.jar
+    PATHS
+        /usr/share/java/pki
+)
+
+find_file(CMSCORE_JAR
+    NAMES
+        cmscore.jar
+    PATHS
+        /usr/share/java/pki
+)
+
+find_file(CMSUTIL_JAR
+    NAMES
+        cmsutil.jar
+    PATHS
+        /usr/share/java/pki
+)
+
+find_file(NSUTIL_JAR
+    NAMES
+        nsutil.jar
     PATHS
         /usr/lib/java
-        /usr/share/java
+        /usr/share/java/pki
 )
 
+
+# '/usr/share/java' jars
 find_file(LDAPJDK_JAR
     NAMES
         ldapjdk.jar
     PATHS
-        /usr/lib/java
         /usr/share/java
 )
 
+
+# '/usr/lib/java' jars
+find_file(JSS_JAR
+    NAMES
+        jss4.jar
+    PATHS
+        /usr/lib/java
+)
+
+find_file(OSUTIL_JAR
+    NAMES
+        osutil.jar
+    PATHS
+        /usr/lib/java
+)
+
+find_file(SYMKEY_JAR
+    NAMES
+        symkey.jar
+    PATHS
+        /usr/lib/java
+)
+
+
+# identify java sources
 set(ocsp_java_SRCS
     com/netscape/ocsp/OCSPResources.java
     com/netscape/ocsp/OCSPAuthority.java
@@ -23,13 +78,21 @@ set(ocsp_java_SRCS
     com/netscape/ocsp/EOCSPException.java
 )
 
+
+# set classpath
 set(CMAKE_JAVA_INCLUDE_PATH
-    ${JSS_JAR} ${LDAPJDK_JAR} ${NSUTIL_JAR} ${CMSUTIL_JAR}
-    ${OSUTIL_JAR} ${SYMKEY_JAR} ${CMS_JAR} ${CMSCORE_JAR}
-    ${CERTSRV_JAR})
+    ${CERTSRV_JAR} ${CMS_JAR} ${CMSCORE_JAR} ${CMSUTIL_JAR} ${NSUTIL_JAR}
+    ${LDAPJDK_JAR}
+    ${JSS_JAR} ${OSUTIL_JAR} ${SYMKEY_JAR})
+
+
+# set version
 set(CMAKE_JAVA_TARGET_VERSION ${APPLICATION_VERSION})
 
+
+# build ocsp.jar
 add_jar(ocsp ${ocsp_java_SRCS})
-add_dependencies(ocsp nsutil cmsutil osutil symkey cms cmscore certsrv)
+add_dependencies(ocsp osutil symkey nsutil cmsutil certsrv cms cmscore)
 install_jar(ocsp ${JAVA_JAR_INSTALL_DIR})
 set(OCSP_JAR ${ocsp_JAR_FILE} CACHE INTERNAL "ocsp jar file")
+
diff --git a/pki/base/ra/CMakeLists.txt b/pki/base/ra/CMakeLists.txt
index f5aaa1479..59910fe95 100644
--- a/pki/base/ra/CMakeLists.txt
+++ b/pki/base/ra/CMakeLists.txt
@@ -1,7 +1,7 @@
 project(ra)
 
-add_subdirectory(setup)
 add_subdirectory(doc)
+add_subdirectory(setup)
 
 # install init script
 install(
@@ -13,69 +13,52 @@ install(
         OWNER_EXECUTE OWNER_WRITE OWNER_READ
         GROUP_EXECUTE GROUP_READ
         WORLD_EXECUTE WORLD_READ
-    PATTERN
-        "CMakeLists.txt" EXCLUDE
-)
-
-install(
-    FILES
-        scripts/nss_pcache
-    DESTINATION
-        ${SHARE_INSTALL_PREFIX}/${APPLICATION_NAME}/${PROJECT_NAME}
-    PERMISSIONS
-        OWNER_EXECUTE OWNER_WRITE OWNER_READ
-        GROUP_EXECUTE GROUP_READ
-        WORLD_EXECUTE WORLD_READ
-)
-
-install(
-    FILES
-        scripts/schema.sql
-    DESTINATION
-        ${SHARE_INSTALL_PREFIX}/${APPLICATION_NAME}/${PROJECT_NAME}
 )
 
-# install directories
 install(
     DIRECTORY
-        alias/
+        apache/conf/
     DESTINATION
-        ${SHARE_INSTALL_PREFIX}/${APPLICATION_NAME}/${PROJECT_NAME}/alias
+        ${SHARE_INSTALL_PREFIX}/${APPLICATION_NAME}/${PROJECT_NAME}/conf
 )
 
 install(
     DIRECTORY
-        lib/
+        emails/
     DESTINATION
-        ${SHARE_INSTALL_PREFIX}/${APPLICATION_NAME}/${PROJECT_NAME}/lib
+        ${SHARE_INSTALL_PREFIX}/${APPLICATION_NAME}/${PROJECT_NAME}/conf
 )
 
 install(
     DIRECTORY
-        logs/
+        forms/
     DESTINATION
-        ${SHARE_INSTALL_PREFIX}/${APPLICATION_NAME}/${PROJECT_NAME}/logs
+        ${SHARE_INSTALL_PREFIX}/${APPLICATION_NAME}/${PROJECT_NAME}/docroot
 )
 
 install(
     DIRECTORY
-        forms/
+        lib/
     DESTINATION
-        ${SHARE_INSTALL_PREFIX}/${APPLICATION_NAME}/${PROJECT_NAME}/docroot/forms
+        ${SHARE_INSTALL_PREFIX}/${APPLICATION_NAME}/${PROJECT_NAME}/lib
 )
 
 install(
-    DIRECTORY
-        emails/
+    FILES
+        scripts/nss_pcache
     DESTINATION
-        ${SHARE_INSTALL_PREFIX}/${APPLICATION_NAME}/${PROJECT_NAME}/conf/emails
+        ${SHARE_INSTALL_PREFIX}/${APPLICATION_NAME}/${PROJECT_NAME}/scripts
+    PERMISSIONS
+        OWNER_EXECUTE OWNER_WRITE OWNER_READ
+        GROUP_EXECUTE GROUP_READ
+        WORLD_EXECUTE WORLD_READ
 )
 
 install(
-    DIRECTORY
-        apache/conf/
+    FILES
+        scripts/schema.sql
     DESTINATION
-        ${SHARE_INSTALL_PREFIX}/${APPLICATION_NAME}/${PROJECT_NAME}/conf/apache/conf
+        ${SHARE_INSTALL_PREFIX}/${APPLICATION_NAME}/${PROJECT_NAME}/scripts
 )
 
 # install empty directories
@@ -90,3 +73,4 @@ install(
     DESTINATION
         ${VAR_INSTALL_DIR}/run/pki/ra
 )
+
diff --git a/pki/base/ra/doc/CS.cfg b/pki/base/ra/doc/CS.cfg
deleted file mode 100644
index 0fc0efb36..000000000
--- a/pki/base/ra/doc/CS.cfg
+++ /dev/null
@@ -1,256 +0,0 @@
-# --- BEGIN COPYRIGHT BLOCK ---
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation; version 2 of the License.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License along
-# with this program; if not, write to the Free Software Foundation, Inc.,
-# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-#
-# Copyright (C) 2007 Red Hat, Inc.
-# All rights reserved.
-# --- END COPYRIGHT BLOCK ---
-#
-pkicreate.pki_instance_root=[PKI_INSTANCE_ROOT]
-pkicreate.pki_instance_name=[PKI_INSTANCE_ID]
-pkicreate.subsystem_type=[PKI_SUBSYSTEM_TYPE]
-pkicreate.secure_port=[SECURE_PORT]
-pkicreate.non_clientauth_secure_port=[NON_CLIENTAUTH_SECURE_PORT]
-pkicreate.unsecure_port=[PORT]
-pkicreate.user=[PKI_USER]
-pkicreate.group=[PKI_GROUP]
-pkiremove.cert.subsystem.nickname=subsystemCert cert-[PKI_INSTANCE_ID]
-request._000=#########################################
-request._001=# Request Queue Parameters
-request._002=#########################################
-agent.authorized_groups=administrators,agents
-admin.authorized_groups=administrators
-database.dbfile=[SERVER_ROOT]/conf/dbfile
-database.lockfile=[SERVER_ROOT]/conf/dblock
-request.renewal.approve_request.0.ca=ca1
-request.renewal.approve_request.0.plugin=PKI::Request::Plugin::RequestToCA
-request.renewal.approve_request.0.profileId=caDualRAuserCert
-request.renewal.approve_request.0.reqType=crmf
-request.renewal.approve_request.1.mailTo=$created_by
-request.renewal.approve_request.1.plugin=PKI::Request::Plugin::EmailNotification
-request.renewal.approve_request.1.templateDir=/usr/share/pki/ra/conf
-request.renewal.approve_request.1.templateFile=mail_approve_request.vm
-request.renewal.approve_request.num_plugins=2
-request.renewal.reject_request.num_plugins=0
-request.renewal.create_request.0.assignTo=agents
-request.renewal.create_request.0.plugin=PKI::Request::Plugin::AutoAssign
-request.renewal.create_request.1.mailTo=$created_by
-request.renewal.create_request.1.plugin=PKI::Request::Plugin::EmailNotification
-request.renewal.create_request.1.templateDir=/usr/share/pki/ra/conf
-request.renewal.create_request.1.templateFile=mail_create_request.vm
-request.renewal.create_request.num_plugins=2
-request.scep.profileId=caRARouterCert
-request.scep.reqType=pkcs10
-request.scep.create_request.num_plugins=2
-request.scep.create_request.0.plugin=PKI::Request::Plugin::AutoAssign
-request.scep.create_request.0.assignTo=agents
-request.scep.create_request.1.plugin=PKI::Request::Plugin::EmailNotification
-request.scep.create_request.1.mailTo=
-request.scep.create_request.1.templateDir=/usr/share/pki/ra/conf
-request.scep.create_request.1.templateFile=mail_create_request.vm
-request.scep.approve_request.num_plugins=1
-request.scep.approve_request.0.plugin=PKI::Request::Plugin::CreatePin
-request.scep.approve_request.0.pinFormat=$site_id
-request.scep.reject_request.num_plugins=0
-request.agent.profileId=caRAagentCert
-request.agent.reqType=crmf
-request.agent.create_request.num_plugins=2
-request.agent.create_request.0.plugin=PKI::Request::Plugin::AutoAssign
-request.agent.create_request.0.assignTo=agents
-request.agent.create_request.1.plugin=PKI::Request::Plugin::EmailNotification
-request.agent.create_request.1.mailTo=
-request.agent.create_request.1.templateDir=/usr/share/pki/ra/conf
-request.agent.create_request.1.templateFile=mail_create_request.vm
-request.agent.approve_request.num_plugins=1
-request.agent.approve_request.0.plugin=PKI::Request::Plugin::CreatePin
-request.agent.approve_request.0.pinFormat=$uid
-request.agent.reject_request.num_plugins=0
-request.user.create_request.num_plugins=2
-request.user.create_request.0.plugin=PKI::Request::Plugin::AutoAssign
-request.user.create_request.0.assignTo=agents
-request.user.create_request.1.plugin=PKI::Request::Plugin::EmailNotification
-request.user.create_request.1.templateDir=/usr/share/pki/ra/conf
-request.user.create_request.1.templateFile=mail_create_request.vm
-request.user.create_request.1.mailTo=
-request.user.approve_request.num_plugins=2
-request.user.approve_request.0.plugin=PKI::Request::Plugin::RequestToCA
-request.user.approve_request.0.ca=ca1
-request.user.approve_request.0.profileId=caDualRAuserCert
-request.user.approve_request.0.reqType=crmf
-request.user.approve_request.1.plugin=PKI::Request::Plugin::EmailNotification
-request.user.approve_request.1.mailTo=$created_by
-request.user.approve_request.1.templateDir=/usr/share/pki/ra/conf
-request.user.approve_request.1.templateFile=mail_approve_request.vm
-request.user.reject_request.num_plugins=0
-request.server.create_request.num_plugins=2
-request.server.create_request.0.plugin=PKI::Request::Plugin::AutoAssign
-request.server.create_request.0.assignTo=agents
-request.server.create_request.1.plugin=PKI::Request::Plugin::EmailNotification
-request.server.create_request.1.mailTo=
-request.server.create_request.1.templateDir=/usr/share/pki/ra/conf
-request.server.create_request.1.templateFile=mail_create_request.vm
-request.server.approve_request.num_plugins=2
-request.server.approve_request.0.plugin=PKI::Request::Plugin::RequestToCA
-request.server.approve_request.0.ca=ca1
-request.server.approve_request.0.profileId=caRAserverCert
-request.server.approve_request.0.reqType=pkcs10
-request.server.approve_request.1.plugin=PKI::Request::Plugin::EmailNotification
-request.server.approve_request.1.mailTo=$created_by
-request.server.approve_request.1.templateDir=/usr/share/pki/ra/conf
-request.server.approve_request.1.templateFile=mail_approve_request.vm
-request.server.reject_request.num_plugins=0
-cs.type=RA
-service.machineName=[SERVER_NAME]
-service.instanceDir=[SERVER_ROOT]
-service.securePort=[SECURE_PORT]
-service.non_clientauth_securePort=[NON_CLIENTAUTH_SECURE_PORT]
-service.unsecurePort=[PORT]
-service.instanceID=[PKI_INSTANCE_ID]
-logging._000=#########################################
-logging._001=# RA configuration File
-logging._002=#
-logging._003=# All <...> must be replaced with
-logging._004=# appropriate values.
-logging._005=#########################################
-logging._006=########################################
-logging._007=# logging
-logging._008=#
-logging._009=# logging.debug.enable:
-logging._010=# logging.audit.enable:
-logging._011=# logging.error.enable:
-logging._012=#   - enable or disable the corresponding logging
-logging._013=# logging.debug.filename:
-logging._014=# logging.audit.filename:
-logging._015=# logging.error.filename:
-logging._016=#   - name of the log file
-logging._017=# logging.debug.level:
-logging._018=# logging.audit.level:
-logging._019=# logging.error.level:
-logging._020=#   - level of logging. (0-10)
-logging._021=#      0 - no logging,
-logging._022=#      4 - LL_PER_SERVER       these messages will occur only once
-logging._023=#                              during the entire invocation of the
-logging._024=#                              server, e. g. at startup or shutdown
-logging._025=#                              time., reading the conf parameters.
-logging._026=#                              Perhaps other infrequent events
-logging._027=#                              relating to failing over of CA, TKS,
-logging._028=#                              too
-logging._029=#      6 - LL_PER_CONNECTION   these messages happen once per
-logging._030=#                              connection - most of the log events
-logging._031=#                              will be at this level
-logging._032=#      8 - LL_PER_PDU          these messages relate to PDU
-logging._033=#                              processing. If you have something that
-logging._034=#                              is done for every PDU, such as
-logging._035=#                              applying the MAC, it should be logged
-logging._036=#                              at this level
-logging._037=#      9 - LL_ALL_DATA_IN_PDU  dump all the data in the PDU - a more
-logging._038=#                              chatty version of the above
-logging._039=#     10 - all logging
-logging._040=#########################################
-logging.debug.enable=true
-logging.debug.filename=[SERVER_ROOT]/logs/ra-debug.log
-logging.debug.level=7
-logging.audit.enable=true
-logging.audit.filename=[SERVER_ROOT]/logs/ra-audit.log
-logging.audit.level=10
-logging.error.enable=true
-logging.error.filename=[SERVER_ROOT]/logs/ra-error.log
-logging.error.level=10
-conn.ca1._000=#########################################
-conn.ca1._001=# CA connection
-conn.ca1._002=#
-conn.ca1._003=# conn.ca<n>.hostport:
-conn.ca1._004=#   - host name and port number of your CA, format is host:port
-conn.ca1._005=# conn.ca<n>.clientNickname:
-conn.ca1._006=#   - nickname of the client certificate for
-conn.ca1._007=#     authentication
-conn.ca1._008=# conn.ca<n>.servlet.enrollment:
-conn.ca1._009=#   - servlet to contact in CA
-conn.ca1._010=#   - must be '/ca/ee/ca/profileSubmitSSLClient'
-conn.ca1._008=# conn.ca<n>.servlet.addagent:
-conn.ca1._009=#   - servlet to add ra agent on CA
-conn.ca1._010=#   - must be '/ca/admin/ca/registerRaUser
-conn.ca1._011=# conn.ca<n>.retryConnect:
-conn.ca1._012=#   - number of reconnection attempts on failure
-conn.ca1._013=# conn.ca<n>.timeout:
-conn.ca1._014=#   - connection timeout
-conn.ca1._015=# conn.ca<n>.SSLOn:
-conn.ca1._016=#   - enable SSL or not
-conn.ca1._017=# conn.ca<n>.keepAlive:
-conn.ca1._018=#   - enable keep alive or not
-conn.ca1._019=#
-conn.ca1._020=# where 
-conn.ca1._021=#  <n>  - CA connection ID
-conn.ca1._022=#########################################
-failover.pod.enable=false
-conn.ca1.hostport=[CA_HOST]:[CA_PORT]
-conn.ca1.clientNickname=[HSM_LABEL][NICKNAME]
-conn.ca1.servlet.enrollment=/ca/ee/ca/profileSubmitSSLClient
-conn.ca1.servlet.addagent=/ca/admin/ca/registerRaUser
-conn.ca1.servlet.revoke=/ca/subsystem/ca/doRevoke
-conn.ca1.servlet.unrevoke=/ca/subsystem/ca/doUnrevoke
-conn.ca1.retryConnect=3
-conn.ca1.timeout=100
-conn.ca1.SSLOn=true
-conn.ca1.keepAlive=true
-preop.pin=[PKI_RANDOM_NUMBER]
-preop.product.version=
-preop.cert._000=#########################################
-preop.cert._001=# Installation configuration "preop" certs parameters
-preop.cert._002=#########################################
-preop.cert.list=sslserver,subsystem
-preop.cert.sslserver.enable=true
-preop.cert.subsystem.enable=true
-preop.cert.sslserver.defaultSigningAlgorithm=SHA256withRSA
-preop.cert.sslserver.dn=CN=[SERVER_NAME], OU=[PKI_INSTANCE_ID]
-preop.cert.sslserver.keysize.customsize=2048
-preop.cert.sslserver.keysize.size=2048
-preop.cert.sslserver.keysize.select=custom
-preop.cert.sslserver.nickname=Server-Cert cert-[PKI_INSTANCE_ID]
-preop.cert.sslserver.profile=caInternalAuthServerCert
-preop.cert.sslserver.subsystem=ra
-preop.cert._003=#preop.cert.sslserver.type=local
-preop.cert.sslserver.userfriendlyname=SSL Server Certificate
-preop.cert._004=#preop.cert.sslserver.cncomponent.override=false
-preop.cert.subsystem.defaultSigningAlgorithm=SHA256withRSA
-preop.cert.subsystem.dn=CN=RA Subsystem Certificate, OU=[PKI_INSTANCE_ID]
-preop.cert.subsystem.keysize.customsize=2048
-preop.cert.subsystem.keysize.size=2048
-preop.cert.subsystem.keysize.select=custom
-preop.cert.subsystem.nickname=subsystemCert cert-[PKI_INSTANCE_ID]
-preop.cert.subsystem.profile=caInternalAuthSubsystemCert
-preop.cert.subsystem.subsystem=ra
-preop.cert._005=#preop.cert.subsystem.type=local
-preop.cert.subsystem.userfriendlyname=Subsystem Certificate
-preop.cert._006=#preop.cert.subsystem.cncomponent.override=true
-preop.configModules._000=#########################################
-preop.configModules._001=# Installation configuration "preop" module parameters
-preop.configModules._002=#########################################
-preop.configModules.count=3
-preop.configModules.module0.commonName=NSS Internal PKCS #11 Module
-preop.configModules.module0.imagePath=../img/clearpixel.gif
-preop.configModules.module0.userFriendlyName=NSS Internal PKCS #11 Module
-preop.configModules.module1.commonName=nfast
-preop.configModules.module1.imagePath=../img/clearpixel.gif
-preop.configModules.module1.userFriendlyName=nCipher's nFast Token Hardware Module
-preop.configModules.module2.commonName=lunasa
-preop.configModules.module2.imagePath=../img/clearpixel.gif
-preop.configModules.module2.userFriendlyName=SafeNet's LunaSA Token Hardware Module
-preop.module.token=NSS Certificate DB
-preop.keysize._000=#########################################
-preop.keysize._001=# Installation configuration "preop" keysize parameters
-preop.keysize._002=#########################################
-preop.keysize.customsize=2048
-preop.keysize.select=default
-preop.keysize.size=2048
-preop.keysize.ecc.size=256
diff --git a/pki/base/ra/doc/CS.cfg.in b/pki/base/ra/doc/CS.cfg.in
index fd564abbc..4fea4674f 100644
--- a/pki/base/ra/doc/CS.cfg.in
+++ b/pki/base/ra/doc/CS.cfg.in
@@ -16,15 +16,15 @@
 # All rights reserved.
 # --- END COPYRIGHT BLOCK ---
 #
-pkicreate.pki_instance_root=[INSTANCE_ROOT]
-pkicreate.pki_instance_name=[INSTANCE_ID]
-pkicreate.subsystem_type=[SUBSYSTEM_TYPE]
+pkicreate.pki_instance_root=[PKI_INSTANCE_ROOT]
+pkicreate.pki_instance_name=[PKI_INSTANCE_ID]
+pkicreate.subsystem_type=[PKI_SUBSYSTEM_TYPE]
 pkicreate.secure_port=[SECURE_PORT]
 pkicreate.non_clientauth_secure_port=[NON_CLIENTAUTH_SECURE_PORT]
 pkicreate.unsecure_port=[PORT]
-pkicreate.user=[USERID]
-pkicreate.group=[GROUPID]
-pkiremove.cert.subsystem.nickname=subsystemCert cert-[INSTANCE_ID]
+pkicreate.user=[PKI_USER]
+pkicreate.group=[PKI_GROUP]
+pkiremove.cert.subsystem.nickname=subsystemCert cert-[PKI_INSTANCE_ID]
 request._000=#########################################
 request._001=# Request Queue Parameters
 request._002=#########################################
@@ -115,7 +115,7 @@ service.instanceDir=[SERVER_ROOT]
 service.securePort=[SECURE_PORT]
 service.non_clientauth_securePort=[NON_CLIENTAUTH_SECURE_PORT]
 service.unsecurePort=[PORT]
-service.instanceID=[INSTANCE_ID]
+service.instanceID=[PKI_INSTANCE_ID]
 logging._000=#########################################
 logging._001=# RA configuration File
 logging._002=#
@@ -211,23 +211,23 @@ preop.cert._002=#########################################
 preop.cert.list=sslserver,subsystem
 preop.cert.sslserver.enable=true
 preop.cert.subsystem.enable=true
-preop.cert.sslserver.defaultSigningAlgorithm=SHA1withRSA
-preop.cert.sslserver.dn=CN=[SERVER_NAME], OU=[INSTANCE_ID]
+preop.cert.sslserver.defaultSigningAlgorithm=SHA256withRSA
+preop.cert.sslserver.dn=CN=[SERVER_NAME], OU=[PKI_INSTANCE_ID]
 preop.cert.sslserver.keysize.customsize=2048
 preop.cert.sslserver.keysize.size=2048
 preop.cert.sslserver.keysize.select=custom
-preop.cert.sslserver.nickname=Server-Cert cert-[INSTANCE_ID]
+preop.cert.sslserver.nickname=Server-Cert cert-[PKI_INSTANCE_ID]
 preop.cert.sslserver.profile=caInternalAuthServerCert
 preop.cert.sslserver.subsystem=ra
 preop.cert._003=#preop.cert.sslserver.type=local
 preop.cert.sslserver.userfriendlyname=SSL Server Certificate
 preop.cert._004=#preop.cert.sslserver.cncomponent.override=false
-preop.cert.subsystem.defaultSigningAlgorithm=SHA1withRSA
-preop.cert.subsystem.dn=CN=RA Subsystem Certificate, OU=[INSTANCE_ID]
+preop.cert.subsystem.defaultSigningAlgorithm=SHA256withRSA
+preop.cert.subsystem.dn=CN=RA Subsystem Certificate, OU=[PKI_INSTANCE_ID]
 preop.cert.subsystem.keysize.customsize=2048
 preop.cert.subsystem.keysize.size=2048
 preop.cert.subsystem.keysize.select=custom
-preop.cert.subsystem.nickname=subsystemCert cert-[INSTANCE_ID]
+preop.cert.subsystem.nickname=subsystemCert cert-[PKI_INSTANCE_ID]
 preop.cert.subsystem.profile=caInternalAuthSubsystemCert
 preop.cert.subsystem.subsystem=ra
 preop.cert._005=#preop.cert.subsystem.type=local
diff --git a/pki/base/tks/CMakeLists.txt b/pki/base/tks/CMakeLists.txt
index 023aaa020..0f1221eaa 100644
--- a/pki/base/tks/CMakeLists.txt
+++ b/pki/base/tks/CMakeLists.txt
@@ -2,6 +2,7 @@ project(tks Java)
 
 add_subdirectory(src)
 add_subdirectory(setup)
+add_subdirectory(shared/conf)
 
 # install init script
 install(
@@ -25,6 +26,8 @@ install(
         "CMakeLists.txt" EXCLUDE
     PATTERN
         "etc/*" EXCLUDE
+    PATTERN
+        "CS.cfg.in" EXCLUDE
 )
 
 # install empty directories
diff --git a/pki/base/tks/shared/conf/CMakeLists.txt b/pki/base/tks/shared/conf/CMakeLists.txt
new file mode 100644
index 000000000..e3cef5915
--- /dev/null
+++ b/pki/base/tks/shared/conf/CMakeLists.txt
@@ -0,0 +1,12 @@
+set(VERSION ${APPLICATION_VERSION})
+set(MAJOR_VERSION ${APPLICATION_VERSION_MAJOR})
+set(MINOR_VERSION ${APPLICATION_VERSION_MINOR})
+
+configure_file(${CMAKE_CURRENT_SOURCE_DIR}/CS.cfg.in ${CMAKE_CURRENT_BINARY_DIR}/CS.cfg @ONLY)
+
+install(
+    FILES
+        ${CMAKE_CURRENT_BINARY_DIR}/CS.cfg
+    DESTINATION
+        ${SHARE_INSTALL_PREFIX}/${APPLICATION_NAME}/${PROJECT_NAME}/conf
+)
diff --git a/pki/base/tks/shared/conf/CS.cfg b/pki/base/tks/shared/conf/CS.cfg.in
index 55689d701..1b5d89ea3 100644
--- a/pki/base/tks/shared/conf/CS.cfg
+++ b/pki/base/tks/shared/conf/CS.cfg.in
@@ -28,7 +28,7 @@ preop.securitydomain.admin_url=https://[PKI_MACHINE_NAME]:9445
 preop.wizard.name=TKS Setup Wizard
 preop.system.name=TKS
 preop.product.name=CS
-preop.product.version=
+preop.product.version=@VERSION@
 preop.system.fullname=Token Key Service
 tks.cert.list=sslserver,subsystem,audit_signing
 preop.cert.list=sslserver,subsystem,audit_signing
@@ -148,7 +148,7 @@ cmc.lraPopWitness.verify.allow=true
 cmc.revokeCert.verify=true
 cmc.revokeCert.sharedSecret.class=com.netscape.cms.authentication.SharedSecret
 cmc.sharedSecret.class=com.netscape.cms.authentication.SharedSecret
-cms.version=
+cms.version=@MAJOR_VERSION@.@MINOR_VERSION@
 dbs.ldap=internaldb
 dbs.newSchemaEntryAdded=true
 debug.append=true
diff --git a/pki/base/tks/src/CMakeLists.txt b/pki/base/tks/src/CMakeLists.txt
index ac7acb885..6178dd3f9 100644
--- a/pki/base/tks/src/CMakeLists.txt
+++ b/pki/base/tks/src/CMakeLists.txt
@@ -1,32 +1,95 @@
 project(tks_java Java)
 
-find_file(JSS_JAR
+# '/usr/share/java/pki' jars
+find_file(CERTSRV_JAR
     NAMES
-        jss4.jar
+        certsrv.jar
+    PATHS
+        /usr/share/java/pki
+)
+
+find_file(CMS_JAR
+    NAMES
+        cms.jar
+    PATHS
+        /usr/share/java/pki
+)
+
+find_file(CMSCORE_JAR
+    NAMES
+        cmscore.jar
+    PATHS
+        /usr/share/java/pki
+)
+
+find_file(CMSUTIL_JAR
+    NAMES
+        cmsutil.jar
+    PATHS
+        /usr/share/java/pki
+)
+
+find_file(NSUTIL_JAR
+    NAMES
+        nsutil.jar
     PATHS
         /usr/lib/java
-        /usr/share/java
+        /usr/share/java/pki
 )
 
+
+# '/usr/share/java' jars
 find_file(LDAPJDK_JAR
     NAMES
         ldapjdk.jar
     PATHS
-        /usr/lib/java
         /usr/share/java
 )
 
+
+# '/usr/lib/java' jars
+find_file(JSS_JAR
+    NAMES
+        jss4.jar
+    PATHS
+        /usr/lib/java
+)
+
+find_file(OSUTIL_JAR
+    NAMES
+        osutil.jar
+    PATHS
+        /usr/lib/java
+)
+
+find_file(SYMKEY_JAR
+    NAMES
+        symkey.jar
+    PATHS
+        /usr/lib/java
+)
+
+
+# identify java sources
 set(tks_java_SRCS
     com/netscape/tks/TKSAuthority.java
 )
 
+
+# set classpath
 set(CMAKE_JAVA_INCLUDE_PATH
-    ${JSS_JAR} ${LDAPJDK_JAR} ${NSUTIL_JAR} ${CMSUTIL_JAR}
-    ${OSUTIL_JAR} ${SYMKEY_JAR} ${CMS_JAR} ${CMSCORE_JAR}
-    ${CERTSRV_JAR})
+    ${CERTSRV_JAR} ${CMS_JAR} ${CMSCORE_JAR} ${CMSUTIL_JAR} ${NSUTIL_JAR}
+    ${LDAPJDK_JAR}
+    ${JSS_JAR} ${OSUTIL_JAR} ${SYMKEY_JAR})
+
+
+# set version
 set(CMAKE_JAVA_TARGET_VERSION ${APPLICATION_VERSION})
 
+
+# build tks.jar
 add_jar(tks ${tks_java_SRCS})
-add_dependencies(tks nsutil cmsutil osutil symkey cms cmscore certsrv)
+add_dependencies(tks osutil symkey nsutil cmsutil certsrv cms cmscore)
 install_jar(tks ${JAVA_JAR_INSTALL_DIR})
 set(TKS_JAR ${tks_JAR_FILE} CACHE INTERNAL "tks jar file")
+
diff --git a/pki/base/tps/CMakeLists.txt b/pki/base/tps/CMakeLists.txt
index 05c3a0ac0..0ccce6335 100644
--- a/pki/base/tps/CMakeLists.txt
+++ b/pki/base/tps/CMakeLists.txt
@@ -12,18 +12,47 @@ install(
     FILES
         etc/init.d/pki-tpsd
     DESTINATION
-        ${SYSCONF_INSTALL_DIR}/init.d
+        ${SYSCONF_INSTALL_DIR}/rc.d/init.d
     PERMISSIONS
         OWNER_EXECUTE OWNER_WRITE OWNER_READ
         GROUP_EXECUTE GROUP_READ
         WORLD_EXECUTE WORLD_READ
-    PATTERN
-        "CMakeLists.txt" EXCLUDE
 )
 
 install(
+    FILES
+        applets/1.3.44724DDE.ijc
+        applets/1.4.499dc06c.ijc
+    DESTINATION
+        ${SHARE_INSTALL_PREFIX}/${APPLICATION_NAME}/${PROJECT_NAME}/applets
+)
+
+install(
+    DIRECTORY
+        forms/esc/cgi-bin
+    DESTINATION
+        ${SHARE_INSTALL_PREFIX}/${APPLICATION_NAME}/${PROJECT_NAME}
+)
+
+install(
+    DIRECTORY
+        apache/conf
+    DESTINATION
+        ${SHARE_INSTALL_PREFIX}/${APPLICATION_NAME}/${PROJECT_NAME}
+)
+
+install(
+    FILES
+        forms/index.html
+    DESTINATION
+        ${SHARE_INSTALL_PREFIX}/${APPLICATION_NAME}/${PROJECT_NAME}/docroot
+)
+
+install(
+    FILES
+        forms/index.cgi
     DESTINATION
-        ${LIB_INSTALL_DIR}/${APPLICATION_NAME}/${PROJECT_NAME}
+        ${SHARE_INSTALL_PREFIX}/${APPLICATION_NAME}/${PROJECT_NAME}/docroot
     PERMISSIONS
         OWNER_EXECUTE OWNER_WRITE OWNER_READ
         GROUP_EXECUTE GROUP_READ
@@ -31,44 +60,60 @@ install(
 )
 
 install(
-    FILES
-        forms/index.cgi
-        forms/index.html
+    DIRECTORY
+        forms/esc/demo
+        forms/esc/home
+        forms/esc/so
+        forms/esc/sow
+        forms/tps
     DESTINATION
         ${SHARE_INSTALL_PREFIX}/${APPLICATION_NAME}/${PROJECT_NAME}/docroot
+    PATTERN
+        "forms/esc/sow/css" EXCLUDE
+    PATTERN
+        "forms/esc/sow/images"EXCLUDE
+    PATTERN
+        "forms/esc/sow/js"EXCLUDE
+    PATTERN
+        "forms/tps/admin/console/css"EXCLUDE
 )
 
 install(
     DIRECTORY
-        apache/conf
     DESTINATION
-        ${SHARE_INSTALL_PREFIX}/${APPLICATION_NAME}/${PROJECT_NAME}/conf
+        ${SHARE_INSTALL_PREFIX}/${APPLICATION_NAME}/${PROJECT_NAME}/docroot/tokendb
 )
 
 install(
     DIRECTORY
-        forms/esc/cgi-bin
+        lib
     DESTINATION
-        ${SHARE_INSTALL_PREFIX}/${APPLICATION_NAME}/${PROJECT_NAME}/cgi-bin
+        ${SHARE_INSTALL_PREFIX}/${APPLICATION_NAME}/${PROJECT_NAME}
 )
 
-# install directories
-set(INSTALL_DIRS
-    alias
-    applets
-    lib
-    logs
-    scripts
+install(
+    FILES
+        scripts/nss_pcache
+    DESTINATION
+        ${SHARE_INSTALL_PREFIX}/${APPLICATION_NAME}/${PROJECT_NAME}/scripts
+    PERMISSIONS
+        OWNER_EXECUTE OWNER_WRITE OWNER_READ
+        GROUP_EXECUTE GROUP_READ
+        WORLD_EXECUTE WORLD_READ
 )
 
-foreach(INSTALL_DIR ${INSTALL_DIRS})
-    install(
-        DIRECTORY
-            ${INSTALL_DIR}
-        DESTINATION
-            ${SHARE_INSTALL_PREFIX}/${APPLICATION_NAME}/${PROJECT_NAME}/${INSTALL_DIR}
-    )
-endforeach(INSTALL_DIR ${INSTALL_DIRS})
+install(
+    FILES
+        scripts/addAgents.ldif
+        scripts/addIndexes.ldif
+        scripts/addTokens.ldif
+        scripts/addVLVIndexes.ldif
+        scripts/database.ldif
+        scripts/schemaMods.ldif
+        scripts/vlvtasks.ldif
+    DESTINATION
+        ${SHARE_INSTALL_PREFIX}/${APPLICATION_NAME}/${PROJECT_NAME}/scripts
+)
 
 # install empty directories
 install(
@@ -82,3 +127,4 @@ install(
     DESTINATION
         ${VAR_INSTALL_DIR}/run/pki/tps
 )
+
diff --git a/pki/base/tps/Makefile.am b/pki/base/tps/Makefile.am
index be1061847..fb97a8a0c 100644
--- a/pki/base/tps/Makefile.am
+++ b/pki/base/tps/Makefile.am
@@ -163,7 +163,7 @@ conf_DATA =	$(srcdir)/apache/conf/httpd.conf      \
 			$(srcdir)/apache/conf/mime.types      \
 			$(srcdir)/apache/conf/nss.conf        \
 			$(srcdir)/apache/conf/perl.conf       \
-			$(srcdir)/doc/CS.cfg
+			$(srcdir)/doc/CS.cfg.in
 
 docroot_DATA =	$(srcdir)/forms/index.cgi  \
 				$(srcdir)/forms/index.html
diff --git a/pki/base/tps/Makefile.in b/pki/base/tps/Makefile.in
index 0a2581e6f..ec02c5602 100644
--- a/pki/base/tps/Makefile.in
+++ b/pki/base/tps/Makefile.in
@@ -657,7 +657,7 @@ conf_DATA = $(srcdir)/apache/conf/httpd.conf      \
 			$(srcdir)/apache/conf/mime.types      \
 			$(srcdir)/apache/conf/nss.conf        \
 			$(srcdir)/apache/conf/perl.conf       \
-			$(srcdir)/doc/CS.cfg
+			$(srcdir)/doc/CS.cfg.in
 
 docroot_DATA = $(srcdir)/forms/index.cgi  \
 				$(srcdir)/forms/index.html
diff --git a/pki/base/tps/doc/CS.cfg b/pki/base/tps/doc/CS.cfg
deleted file mode 100644
index 0bcf905cc..000000000
--- a/pki/base/tps/doc/CS.cfg
+++ /dev/null
@@ -1,1577 +0,0 @@
-# --- BEGIN COPYRIGHT BLOCK ---
-# This library is free software; you can redistribute it and/or
-# modify it under the terms of the GNU Lesser General Public
-# License as published by the Free Software Foundation;
-# version 2.1 of the License.
-# 
-# This library is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
-# Lesser General Public License for more details.
-# 
-# You should have received a copy of the GNU Lesser General Public
-# License along with this library; if not, write to the Free Software
-# Foundation, Inc., 51 Franklin Street, Fifth Floor,
-# Boston, MA  02110-1301  USA 
-# 
-# Copyright (C) 2007 Red Hat, Inc.
-# All rights reserved.
-# --- END COPYRIGHT BLOCK ---
-#
-pkicreate.pki_instance_root=[PKI_INSTANCE_ROOT]
-pkicreate.pki_instance_name=[PKI_INSTANCE_ID]
-pkicreate.subsystem_type=[PKI_SUBSYSTEM_TYPE]
-pkicreate.secure_port=[SECURE_PORT]
-pkicreate.non_clientauth_secure_port=[NON_CLIENTAUTH_SECURE_PORT]
-pkicreate.unsecure_port=[PORT]
-pkicreate.user=[PKI_USER]
-pkicreate.group=[PKI_GROUP]
-pkiremove.cert.subsystem.nickname=subsystemCert cert-[PKI_INSTANCE_ID]
-cs.type=TPS
-selftests._000=##
-selftests._001=## Self Tests
-selftests._002=##
-selftests._003=## The Self-Test plugin TPSSystemCertsVerification uses the
-selftests._004=## following parameters (where certusage is optional):
-selftests._005=## tps.cert.list = <list of cert tag names deliminated by ",">
-selftests._006=## tps.cert.<cert tag name>.nickname
-selftests._007=## tps.cert.<cert tag name>.certusage
-selftests._008=##
-selftests.container.logger.enable=true
-selftests.container.logger.expirationTime=0
-selftests.container.logger.file.type=RollingLogFile
-selftests.container.logger.fileName=[SERVER_ROOT]/logs/selftests.log
-selftests.container.logger.level=10
-selftests.container.logger.maxFileSize=2000
-selftests.container.logger.rolloverInterval=2592000
-selftests.container.order.startup=TPSPresence:critical, TPSSystemCertsVerification:critical
-selftests.container.order.onDemand=TPSPresence:critical, TPSValidity:critical, TPSSystemCertsVerification:critical
-selftests.plugin.TPSPresence.nickname=[HSM_LABEL][NICKNAME]
-selftests.plugin.TPSValidity.nickname=[HSM_LABEL][NICKNAME]
-service.machineName=[SERVER_NAME]
-service.instanceDir=[SERVER_ROOT]
-service.securePort=[SECURE_PORT]
-service.non_clientauth_securePort=[NON_CLIENTAUTH_SECURE_PORT]
-service.unsecurePort=[PORT]
-service.instanceID=[PKI_INSTANCE_ID]
-logging._000=#########################################
-logging._001=# RA configuration File
-logging._002=#
-logging._003=# All <...> must be replaced with
-logging._004=# appropriate values.
-logging._005=#########################################
-logging._006=########################################
-logging._007=# logging
-logging._008=#
-logging._009=# logging.debug.enable:
-logging._010=# logging.audit.enable:
-logging._011=# logging.error.enable:
-logging._012=#   - enable or disable the corresponding logging
-logging._013=# logging.debug.filename:
-logging._014=# logging.audit.filename:
-logging._015=# logging.error.filename:
-logging._016=#   - name of the log file
-logging._017=# logging.debug.level:
-logging._018=# logging.audit.level:
-logging._019=# logging.error.level:
-logging._020=#   - level of logging. (0-10)
-logging._021=#      0 - no logging,
-logging._022=#      4 - LL_PER_SERVER       these messages will occur only once
-logging._023=#                              during the entire invocation of the
-logging._024=#                              server, e. g. at startup or shutdown
-logging._025=#                              time., reading the conf parameters.
-logging._026=#                              Perhaps other infrequent events
-logging._027=#                              relating to failing over of CA, TKS,
-logging._028=#                              too
-logging._029=#      6 - LL_PER_CONNECTION   these messages happen once per
-logging._030=#                              connection - most of the log events
-logging._031=#                              will be at this level
-logging._032=#      8 - LL_PER_PDU          these messages relate to PDU
-logging._033=#                              processing. If you have something that
-logging._034=#                              is done for every PDU, such as
-logging._035=#                              applying the MAC, it should be logged
-logging._036=#                              at this level
-logging._037=#      9 - LL_ALL_DATA_IN_PDU  dump all the data in the PDU - a more
-logging._038=#                              chatty version of the above
-logging._039=#     10 - all logging
-logging._040=# logging.audit.buffer.size: # in bytes
-logging._041=# logging.audit.flush.interval: # in seconds, 0 disables flush thread
-logging._042=# logging.*.file.type: 
-logging._043=#    - file type: RollingLogFile or LogFile
-logging._044=# logging.*.rolloverInterval: 
-logging._045=#    - interval to roll over logs (seconds), 0 to disable rollover
-logging._046=# logging.*.maxFileSize: 
-logging._047=#    - size at which file rollover occurs, in kB
-logging._048=# logging.*.expirationTime: 
-logging._049=#    - maximum age of log, older unmodified logs are deleted( in seconds, 0 to disable)
-logging._050=#########################################
-logging.debug.enable=true
-logging.debug.filename=[SERVER_ROOT]/logs/tps-debug.log
-logging.debug.level=10
-logging.debug.file.type=RollingLogFile
-logging.debug.maxFileSize=2000
-logging.debug.rolloverInterval=2592000
-logging.debug.expirationTime=0
-logging.audit.enable=true
-logging.audit.filename=[SERVER_ROOT]/logs/tps-audit.log
-logging.audit.signedAuditFilename=[SERVER_ROOT]/logs/signedAudit/tps_audit
-logging.audit.level=10
-logging.audit.logSigning=false
-logging.audit.signedAuditCertNickname=auditSigningCert cert-[PKI_INSTANCE_ID]
-logging.audit.selected.events=AUTHZ_SUCCESS,AUTHZ_FAIL,AUTH_FAIL,AUTH_SUCCESS,ROLE_ASSUME,ENROLLMENT,PIN_RESET,FORMAT,CONFIG,CONFIG_ROLE,CONFIG_TOKEN,CONFIG_PROFILE,CONFIG_AUDIT,APPLET_UPGRADE,KEY_CHANGEOVER,RENEWAL,CIMC_CERT_VERIFICATION
-logging.audit.selectable.events=AUTHZ_SUCCESS,AUTHZ_FAIL,AUTH_FAIL,AUTH_SUCCESS,ROLE_ASSUME,ENROLLMENT,PIN_RESET,FORMAT,CONFIG,CONFIG_ROLE,CONFIG_TOKEN,CONFIG_PROFILE,CONFIG_AUDIT,APPLET_UPGRADE,KEY_CHANGEOVER,RENEWAL,CIMC_CERT_VERIFICATION
-logging.audit.nonselectable.events=AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,LOGGING_SIGNED_AUDIT_SIGNING
-logging.audit.buffer.size=512
-logging.audit.flush.interval=5
-logging.audit.file.type=RollingLogFile
-logging.audit.maxFileSize=2000
-logging.audit.rolloverInterval=2592000
-logging.audit.expirationTime=0
-logging.error.enable=true
-logging.error.filename=[SERVER_ROOT]/logs/tps-error.log
-logging.error.level=10
-logging.error.file.type=RollingLogFile
-logging.error.maxFileSize=2000
-logging.error.rolloverInterval=2592000
-logging.error.expirationTime=0
-conn.ca1._000=#########################################
-conn.ca1._001=# CA connection
-conn.ca1._002=#
-conn.ca1._003=# conn.ca<n>.hostport:
-conn.ca1._004=#   - host name and port number of your CA, format is host:port
-conn.ca1._005=# conn.ca<n>.clientNickname:
-conn.ca1._006=#   - nickname of the client certificate for
-conn.ca1._007=#     authentication
-conn.ca1._008=# conn.ca<n>.servlet.enrollment:
-conn.ca1._009=#   - servlet to contact in CA
-conn.ca1._010=#   - must be '/ca/profileSubmitSSLClient'
-conn.ca1._011=# conn.ca<n>.retryConnect:
-conn.ca1._012=#   - number of reconnection attempts on failure
-conn.ca1._013=# conn.ca<n>.timeout:
-conn.ca1._014=#   - connection timeout
-conn.ca1._015=# conn.ca<n>.SSLOn:
-conn.ca1._016=#   - enable SSL or not
-conn.ca1._017=# conn.ca<n>.keepAlive:
-conn.ca1._018=#   - enable keep alive or not
-conn.ca1._019=#
-conn.ca1._020=# where 
-conn.ca1._021=#  <n>  - CA connection ID
-conn.ca1._022=#########################################
-failover.pod.enable=false
-conn.ca1.hostport=[CA_HOST]:[CA_PORT]
-conn.ca1.clientNickname=[HSM_LABEL][NICKNAME]
-conn.ca1.servlet.enrollment=/ca/ee/ca/profileSubmitSSLClient
-conn.ca1.servlet.renewal=/ca/ee/ca/profileSubmitSSLClient
-conn.ca1.servlet.revoke=/ca/ee/subsystem/ca/doRevoke
-conn.ca1.servlet.unrevoke=/ca/ee/subsystem/ca/doUnrevoke
-conn.ca1.retryConnect=3
-conn.ca1.timeout=100
-conn.ca1.SSLOn=true
-conn.ca1.keepAlive=true
-conn.tks1._000=#########################################
-conn.tks1._001=# TKS connection
-conn.tks1._002=#
-conn.tks1._003=# conn.tks<n>.hostport:
-conn.tks1._004=#   - host name and port number of your TKS, the format is host:port
-conn.tks1._005=# conn.tks<n>.clientNickname:
-conn.tks1._006=#   - nickname of the client certificate for
-conn.tks1._007=#     authentication
-conn.tks1._008=# conn.tks<n>.servlet.computeSessionKey:
-conn.tks1._009=#   - servlet to compute session key
-conn.tks1._010=#   - must be '/tks/computeSessionKey'
-conn.tks1._011=# conn.tks<n>.servlet.encryptData:
-conn.tks1._012=#   - servlet to encrypt data
-conn.tks1._013=#   - must be '/tks/encryptData'
-conn.tks1._014=# conn.tks<n>.servlet.createKeySetData:
-conn.tks1._015=#   - servlet to create key set data
-conn.tks1._016=#   - must be '/tks/createKeySetData'
-conn.tks1._017=# conn.tks<n>.retryConnect:
-conn.tks1._018=#   - number of reconnection attempts on failure
-conn.tks1._019=# conn.tks<n>.SSLOn
-conn.tks1._020=#   - enable SSL or not
-conn.tks1._021=# conn.tks<n>.keepAlive:
-conn.tks1._022=#   - enable keep alive or not
-conn.tks1._023=#
-conn.tks1._024=# where 
-conn.tks1._025=#  <n>  - TKS connection ID
-conn.tks1._026=#########################################
-conn.tks1.hostport=[TKS_HOST]:[TKS_PORT]
-conn.tks1.clientNickname=[HSM_LABEL][NICKNAME]
-conn.tks1.servlet.computeSessionKey=/tks/agent/tks/computeSessionKey
-conn.tks1.servlet.encryptData=/tks/agent/tks/encryptData
-conn.tks1.servlet.createKeySetData=/tks/agent/tks/createKeySetData
-conn.tks1.servlet.computeRandomData=/tks/agent/tks/computeRandomData
-conn.tks1.retryConnect=3
-conn.tks1.timeout=100
-conn.tks1.generateHostChallenge=true
-conn.tks1.SSLOn=true
-conn.tks1.keepAlive=false
-conn.tks1.keySet=defKeySet
-conn.tks1.serverKeygen=[SERVER_KEYGEN]
-conn.drm1._000=#########################################
-conn.drm1._001=# DRM connection
-conn.drm1._002=#
-conn.drm1._003=#conn.drm.totalConns
-conn.drm1._004=#   - # of DRM connections
-conn.drm1._005=#conn.drm<n>.hostport
-conn.drm1._006=#   - host name and port number of your DRM, the format is host:port
-conn.drm1._007=#conn.drm<n>.clientNickname
-conn.drm1._008=#   - nickname of the client certificate for
-conn.drm1._009=#     authentication
-conn.drm1._010=#conn.drm<n>.servlet.GenerateKeyPair
-conn.drm1._011=#   - servlet to generate key pairs and archive keys on DRM
-conn.drm1._012=#   - must be '/kra/GenerateKeyPair'
-conn.drm1._013=#conn.drm<n>.servlet.TokenKeyRecovery=/kra/TokenKeyRecovery
-conn.drm1._014=#   - servlet to handle key recovery
-conn.drm1._015=#   - must be '/kra/TokenKeyRecovery'
-conn.drm1._016=#conn.drm<n>.retryConnect=3
-conn.drm1._017=#   - number of reconnection attempts on failure
-conn.drm1._018=#conn.drm<n>.SSLOn=true
-conn.drm1._019=#   - enable SSL or not
-conn.drm1._020=#conn.drm<n>.keepAlive=false
-conn.drm1._021=#   - enable keep alive or not
-conn.drm1._022=#
-conn.drm1._023=# where 
-conn.drm1._024=#  <n>  - DRM connection ID
-conn.drm1._025=#########################################
-conn.drm.totalConns=1
-conn.drm1.hostport=[DRM_HOST]:[DRM_PORT]
-conn.drm1.clientNickname=[HSM_LABEL][NICKNAME]
-conn.drm1.servlet.GenerateKeyPair=/kra/agent/kra/GenerateKeyPair
-conn.drm1.servlet.TokenKeyRecovery=/kra/agent/kra/TokenKeyRecovery
-conn.drm1.retryConnect=3
-conn.drm1.timeout=100
-conn.drm1.SSLOn=true
-conn.drm1.keepAlive=false
-auth.instance._000=########################################
-auth.instance._001=# publishing
-auth.instance._002=#
-auth.instance._003=# publisher.instance.<n>.libraryName:
-auth.instance._004=#   - name of the library specified with a fully qualified path name
-auth.instance._005=# publisher.instance.<n>.libraryFactory:
-auth.instance._006=#   - the name of the function which instantiates the publisher
-auth.instance._007=# publisher.instance.<n>.publisherId:
-auth.instance._008=#   - the publisher ID
-auth.instance._009=#
-auth.instance._010=# where 
-auth.instance._011=#  <n>  - publisher connection ID
-auth.instance._012=########################################
-auth.instance._013=#########################################
-auth.instance._014=# authentication
-auth.instance._015=#
-auth.instance._016=# auth.instance.<n>.libraryName:
-auth.instance._017=#   - name of the library specified with a fully qualified path name
-auth.instance._018=# auth.instance.<n>.libraryFactory:
-auth.instance._019=#   - the name of the function which instantiates the authentication
-auth.instance._020=# auth.instance.<n>.authId 
-auth.instance._021=#   - the authentication ID
-auth.instance._022=# auth.instance.<n>.hostport
-auth.instance._023=#   - parameter specific to the given authentication,
-auth.instance._024=#     i. e., LDAPAuthentication (id=ldap1)
-auth.instance._025=#   - host name and port number, host:port
-auth.instance._026=#   - for failover, provide multiple host:port designations
-auth.instance._027=#     separated by " "
-auth.instance._028=# auth.instance.<n>.SSLOn:
-auth.instance._029=#   - parameter specific to the given authentication,
-auth.instance._030=#     i. e., LDAPAuthentication (id=ldap1)
-auth.instance._031=#   - use SSL or not for LDAP service
-auth.instance._032=# auth.instance.<n>.retries:
-auth.instance._033=#   - parameter specific to the given authentication,
-auth.instance._034=#     i. e., LDAPAuthentication (id=ldap1)
-auth.instance._035=#   - number of authentication re-attempts when authentication failed
-auth.instance._036=# auth.instance.<n>.retryConnect:
-auth.instance._037=#   - parameter specific to the given authentication,
-auth.instance._038=#     i. e., LDAPAuthentication (id=ldap1)
-auth.instance._039=#   - number of connection re-attempts when connection failed
-auth.instance._040=#
-auth.instance._041=# where 
-auth.instance._042=#  <n>  - authentication connection ID
-auth.instance._043=#########################################
-auth.instance.0.type=LDAP_Authentication
-auth.instance.0.libraryName=[SYSTEM_USER_LIBRARIES]/[LIB_PREFIX]ldapauth[OBJ_EXT]
-auth.instance.0.libraryFactory=GetAuthentication
-auth.instance.0.authId=ldap1
-auth.instance.0.hostport=[LDAP_HOST]:[LDAP_PORT]
-auth.instance.0.SSLOn=false
-auth.instance.0.retries=1
-auth.instance.0.retryConnect=3
-auth.instance.0.baseDN=[LDAP_ROOT]
-auth.instance.0.ssl=false
-auth.instance.0.attributes._001=##############################################
-auth.instance.0.attributes._002=# attributes will be available 
-auth.instance.0.attributes._003=# as $auth.<attribute>$
-auth.instance.0.attributes._004=##############################################
-auth.instance.0.attributes=mail,cn,uid
-auth.instance.0.ui.title.en=LDAP Authentication
-auth.instance.0.ui.description.en=This authenticates user against the LDAP directory.
-auth.instance.0.ui.id.UID.name.en=LDAP User ID
-auth.instance.0.ui.id.PASSWORD.name.en=LDAP Password
-auth.instance.0.ui.id.UID.description.en=LDAP User ID
-auth.instance.0.ui.id.PASSWORD.description.en=LDAP Password
-auth.instance.1.type=LDAP_Authentication
-auth.instance.1.libraryName=[SYSTEM_USER_LIBRARIES]/[LIB_PREFIX]ldapauth[OBJ_EXT]
-auth.instance.1.libraryFactory=GetAuthentication
-auth.instance.1.authId=ldap2
-auth.instance.1.bindDN=cn=Directory Manager
-auth.instance.1.bindPWD=[SERVER_ROOT]/conf/password.conf
-auth.instance.1.hostport=[TOKENDB_HOST]:[TOKENDB_PORT]
-auth.instance.1.SSLOn=false
-auth.instance.1.retries=1
-auth.instance.1.retryConnect=3
-auth.instance.1.baseDN=[TOKENDB_ROOT]
-auth.instance.1.ssl=false
-auth.instance.1.attributes._001=##############################################
-auth.instance.1.attributes._002=# attributes will be available 
-auth.instance.1.attributes._003=# as $auth.<attribute>$
-auth.instance.1.attributes._004=##############################################
-auth.instance.1.attributes=mail,cn,uid
-auth.instance.1.ui.title.en=LDAP Authentication
-auth.instance.1.ui.description.en=This authenticates user against the LDAP directory.
-auth.instance.1.ui.id.UID.name.en=LDAP User ID
-auth.instance.1.ui.id.PASSWORD.name.en=LDAP Password
-auth.instance.1.ui.id.UID.description.en=LDAP User ID
-auth.instance.1.ui.id.PASSWORD.description.en=LDAP Password
-applet._000=#########################################
-applet._001=# applet information
-applet._002=# SAF Key:
-applet._003=# applet.aid.cardmgr_instance=A0000001510000 
-applet._004=#########################################
-applet.aid.cardmgr_instance=A0000000030000
-applet.aid.netkey_instance=627601FF000000
-applet.aid.netkey_file=627601FF0000
-applet.aid.netkey_old_instance=A00000000101
-applet.aid.netkey_old_file=A000000001
-applet.so_pin=000000000000
-applet.delete_old=true
-general.verifyProof=1
-general.applet_ext=ijc
-general.search.sizelimit.max=2000
-general.search.sizelimit.default=100
-general.search.timelimit.max=10
-general.search.timelimit.default=10
-general.pwlength.min=16
-channel._000=#########################################
-channel._001=# channel.encryption:
-channel._002=#
-channel._003=#   - enable encryption for all operation commands to token
-channel._004=#   - default is true
-channel._005=#  channel.blocksize=242
-channel._006=#  channel.defKeyVersion=0
-channel._007=#  channel.defKeyIndex=0
-channel._008=#########################################
-channel.encryption=true
-channel.blocksize=248
-channel.defKeyVersion=0
-channel.defKeyIndex=0
-#Config the size of memory managed memory in the applet
-#Default is 5000, try not go get close to the instanceSize
-#Which defaults to 18000
-#channel.instanceSize=18000
-#channel.appletMemorySize=5000
-preop.pin=[PKI_RANDOM_NUMBER]
-preop.product.version=
-preop.cert._000=#########################################
-preop.cert._001=# Installation configuration "preop" certs parameters
-preop.cert._002=#########################################
-preop.cert.list=sslserver,subsystem,audit_signing
-preop.cert.sslserver.enable=true
-preop.cert.subsystem.enable=true
-preop.cert.audit_signing.enable=false
-preop.cert.sslserver.defaultSigningAlgorithm=SHA256withRSA
-preop.cert.sslserver.dn=CN=[SERVER_NAME], OU=[PKI_INSTANCE_ID]
-preop.cert.sslserver.keysize.customsize=2048
-preop.cert.sslserver.keysize.size=2048
-preop.cert.sslserver.keysize.select=custom
-preop.cert.sslserver.nickname=Server-Cert cert-[PKI_INSTANCE_ID]
-preop.cert.sslserver.profile=caInternalAuthServerCert
-preop.cert.sslserver.subsystem=tps
-preop.cert._003=#preop.cert.sslserver.type=local
-preop.cert.sslserver.userfriendlyname=SSL Server Certificate
-preop.cert._004=#preop.cert.sslserver.cncomponent.override=false
-preop.cert.subsystem.defaultSigningAlgorithm=SHA256withRSA
-preop.cert.subsystem.dn=CN=TPS Subsystem Certificate, OU=[PKI_INSTANCE_ID]
-preop.cert.subsystem.keysize.customsize=2048
-preop.cert.subsystem.keysize.size=2048
-preop.cert.subsystem.keysize.select=custom
-preop.cert.subsystem.nickname=subsystemCert cert-[PKI_INSTANCE_ID]
-preop.cert.subsystem.profile=caInternalAuthSubsystemCert
-preop.cert.subsystem.subsystem=tps
-preop.cert._005=#preop.cert.subsystem.type=local
-preop.cert.subsystem.userfriendlyname=Subsystem Certificate
-preop.cert._006=#preop.cert.subsystem.cncomponent.override=true
-preop.cert.audit_signing.defaultSigningAlgorithm=SHA256withRSA
-preop.cert.audit_signing.dn=CN=TPS Audit Signing Certificate, OU=[PKI_INSTANCE_ID]
-preop.cert.audit_signing.keysize.customsize=2048
-preop.cert.audit_signing.keysize.size=2048
-preop.cert.audit_signing.keysize.select=custom
-preop.cert.audit_signing.nickname=auditSigningCert cert-[PKI_INSTANCE_ID]
-preop.cert.audit_signing.profile=caInternalAuthAuditSigningCert
-preop.cert.audit_signing.subsystem=tps
-preop.cert._005=#preop.cert.audit_signing.type=local
-preop.cert.audit_signing.userfriendlyname=Audit Log Signing Certificate
-preop.cert._006=#preop.cert.audit_signing.cncomponent.override=true
-preop.configModules._000=#########################################
-preop.configModules._001=# Installation configuration "preop" module parameters
-preop.configModules._002=#########################################
-preop.configModules.count=3
-preop.configModules.module0.commonName=NSS Internal PKCS #11 Module
-preop.configModules.module0.imagePath=../img/clearpixel.gif
-preop.configModules.module0.userFriendlyName=NSS Internal PKCS #11 Module
-preop.configModules.module1.commonName=nfast
-preop.configModules.module1.imagePath=../img/clearpixel.gif
-preop.configModules.module1.userFriendlyName=nCipher's nFast Token Hardware Module
-preop.configModules.module2.commonName=lunasa
-preop.configModules.module2.imagePath=../img/clearpixel.gif
-preop.configModules.module2.userFriendlyName=SafeNet's LunaSA Token Hardware Module
-preop.module.token=NSS Certificate DB
-preop.keysize._000=#########################################
-preop.keysize._001=# Installation configuration "preop" keysize parameters
-preop.keysize._002=#########################################
-preop.keysize.customsize=2048
-preop.keysize.select=default
-preop.keysize.size=2048
-preop.keysize.ecc.size=256
-preop.adminauth.done=false
-preop.adminpanel.done=false
-preop.agentauth.done=false
-preop.authdb.done=false
-preop.cainfo.done=false
-preop.certprettyprint.done=false
-preop.certrequest.done=false
-preop.confighsmlogin.done=false
-preop.confighsm.done=false
-preop.database.done=false
-preop.displaycertchain2.done=false
-preop.displaycertchain.done=false
-preop.donepanel.done=false
-preop.drminfo.done=false
-preop.importadmincert.done=false
-preop.loginpanel.done=false
-preop.ModulePanel.done=false
-preop.namepanel.done=false
-preop.securitydomain.done=false
-preop.SizePanel.done=false
-preop.subsystemtype.done=false
-preop.tksinfo.done=false
-preop.welcome.done=false
-op.enroll._000=#########################################
-op.enroll._001=# Default Operations
-op.enroll._002=#
-op.enroll._003=# op.<op>.mapping.order=<n>,<n>,<n>
-op.enroll._004=#    - contains at least one value or a series
-op.enroll._005=#      of comma-separated mapping values which
-op.enroll._006=#      are checked in sequential order
-op.enroll._007=# op.<op>.mapping.<n>.filter.tokenType=userKey
-op.enroll._008=#    - can be either empty or token type
-op.enroll._009=#      specified by the client 
-op.enroll._010=# op.<op>.mapping.<n>.filter.tokenATR=
-op.enroll._011=#    - can be either empty or token ATR
-op.enroll._012=#      specified by the client 
-op.enroll._013=# op.<op>.mapping.<n>.filter.appletMajorVersion=1
-op.enroll._014=#    - can be either empty or applet major version
-op.enroll._015=#      specified by the client 
-op.enroll._016=# op.<op>.mapping.<n>.filter.appletMinorVersion=
-op.enroll._017=#    - can be either empty or applet minor version 
-op.enroll._018=#      specified by the client 
-op.enroll._019=#    - if major and minor versions are both zero, this
-op.enroll._020=#      indicate there is no applet on the token.
-op.enroll._021=# op.<op>.mapping.<n>.target.tokenType=userKey
-op.enroll._022=#    - if tokenType, tokenATR, appletMajorVersion, 
-op.enroll._023=#      and appletMinorVersion are matched, value in 
-op.enroll._024=#      targetTokenType will be used to locate
-op.enroll._025=#      the corresponding token profile to
-op.enroll._026=#      process the request.
-op.enroll._027=#
-op.enroll._028=# where 
-op.enroll._029=#  <op> - operation; enroll,pinReset,format
-op.enroll._030=#  <n>  - mapping ID; order is specifiable
-op.enroll._031=#
-op.enroll._032=# Token ATR:
-op.enroll._033=#   Web Store  - 3B759400006202020201
-op.enroll._034=#########################################
-op.enroll.mapping.order=0,1,2
-op.enroll.mapping.0.filter.tokenType=userKey
-op.enroll.mapping.0.filter.tokenATR=
-op.enroll.mapping.0.filter.tokenCUID.start=
-op.enroll.mapping.0.filter.tokenCUID.end=
-op.enroll.mapping.0.filter.appletMajorVersion=1
-op.enroll.mapping.0.filter.appletMinorVersion=
-op.enroll.mapping.0.target.tokenType=userKey
-op.enroll.mapping.1.filter.tokenType=soKey
-op.enroll.mapping.1.filter.tokenATR=
-op.enroll.mapping.1.filter.tokenCUID.start=
-op.enroll.mapping.1.filter.tokenCUID.end=
-op.enroll.mapping.1.filter.appletMajorVersion=
-op.enroll.mapping.1.filter.appletMinorVersion=
-op.enroll.mapping.1.target.tokenType=soKey
-op.enroll.mapping.2.filter.tokenType=
-op.enroll.mapping.2.filter.tokenATR=
-op.enroll.mapping.2.filter.tokenCUID.start=
-op.enroll.mapping.2.filter.tokenCUID.end=
-op.enroll.mapping.2.filter.appletMajorVersion=
-op.enroll.mapping.2.filter.appletMinorVersion=
-op.enroll.mapping.2.target.tokenType=userKey
-op.pinReset.mapping.order=0
-op.pinReset.mapping.0.filter.tokenType=
-op.pinReset.mapping.0.filter.tokenATR=
-op.pinReset.mapping.0.filter.tokenCUID.start=
-op.pinReset.mapping.0.filter.tokenCUID.end=
-op.pinReset.mapping.0.filter.appletMajorVersion=
-op.pinReset.mapping.0.filter.appletMinorVersion=
-op.pinReset.mapping.0.target.tokenType=userKey
-op.format.mapping.order=0,1,2,3,4,5,6
-op.format.mapping.0.filter.tokenType=soCleanUserToken
-op.format.mapping.0.filter.tokenATR=
-op.format.mapping.0.filter.tokenCUID.start=
-op.format.mapping.0.filter.tokenCUID.end=
-op.format.mapping.0.filter.appletMajorVersion=
-op.format.mapping.0.filter.appletMinorVersion=
-op.format.mapping.0.target.tokenType=soCleanUserToken
-op.format.mapping.1.filter.tokenType=soUserKey
-op.format.mapping.1.filter.tokenATR=
-op.format.mapping.1.filter.tokenCUID.start=
-op.format.mapping.1.filter.tokenCUID.end=
-op.format.mapping.1.filter.appletMajorVersion=
-op.format.mapping.1.filter.appletMinorVersion=
-op.format.mapping.1.target.tokenType=soUserKey
-op.format.mapping.2.filter.tokenType=soKey
-op.format.mapping.2.filter.tokenATR=
-op.format.mapping.2.filter.tokenCUID.start=
-op.format.mapping.2.filter.tokenCUID.end=
-op.format.mapping.2.filter.appletMajorVersion=
-op.format.mapping.2.filter.appletMinorVersion=
-op.format.mapping.2.target.tokenType=soKey
-op.format.mapping.3.filter.tokenType=userKey
-op.format.mapping.3.filter.tokenATR=
-op.format.mapping.3.filter.tokenCUID.start=
-op.format.mapping.3.filter.tokenCUID.end=
-op.format.mapping.3.filter.appletMajorVersion=
-op.format.mapping.3.filter.appletMinorVersion=
-op.format.mapping.3.target.tokenType=userKey
-op.format.mapping.4.filter.tokenType=soCleanSOToken
-op.format.mapping.4.filter.tokenATR=
-op.format.mapping.4.filter.tokenCUID.start=
-op.format.mapping.4.filter.tokenCUID.end=
-op.format.mapping.4.filter.appletMajorVersion=
-op.format.mapping.4.filter.appletMinorVersion=
-op.format.mapping.5.filter.tokenType=cleanToken
-op.format.mapping.5.filter.tokenATR=
-op.format.mapping.5.filter.tokenCUID.start=
-op.format.mapping.5.filter.tokenCUID.end=
-op.format.mapping.5.filter.appletMajorVersion=
-op.format.mapping.5.filter.appletMinorVersion=
-op.format.mapping.5.target.tokenType=cleanToken
-op.format.mapping.4.target.tokenType=soCleanSOToken
-op.format.mapping.6.filter.tokenATR=
-op.format.mapping.6.filter.tokenCUID.start=
-op.format.mapping.6.filter.tokenCUID.end=
-op.format.mapping.6.filter.appletMajorVersion=
-op.format.mapping.6.filter.appletMinorVersion=
-op.format.mapping.6.target.tokenType=tokenKey
-op.enroll.userKey._000=#########################################
-op.enroll.userKey._001=# Enrollment Operation For CoolKey
-op.enroll.userKey._002=#
-op.enroll.userKey._003=# op.enroll.<tokenType>.keyGen.<keyType>.keySize=1024
-op.enroll.userKey._004=#  - size of the key the token should generate
-op.enroll.userKey._005=#  - max value: 1024
-op.enroll.userKey._006=#
-op.enroll.userKey._007=# op.enroll.<tokenType>.keyGen.<keyType>.keyCapabilities.encrypt=false
-op.enroll.userKey._008=# op.enroll.<tokenType>.keyGen.<keyType>.keyCapabilities.sign=true
-op.enroll.userKey._009=# op.enroll.<tokenType>.keyGen.<keyType>.keyCapabilities.signRecover=true
-op.enroll.userKey._010=# op.enroll.<tokenType>.keyGen.<keyType>.keyCapabilities.decrypt=false
-op.enroll.userKey._011=# op.enroll.<tokenType>.keyGen.<keyType>.keyCapabilities.derive=false
-op.enroll.userKey._012=# op.enroll.<tokenType>.keyGen.<keyType>.keyCapabilities.unwrap=false
-op.enroll.userKey._013=# op.enroll.<tokenType>.keyGen.<keyType>.keyCapabilities.wrap=false
-op.enroll.userKey._014=# op.enroll.<tokenType>.keyGen.<keyType>.keyCapabilities.verifyRecover=true
-op.enroll.userKey._015=# op.enroll.<tokenType>.keyGen.<keyType>.keyCapabilities.verify=true
-op.enroll.userKey._016=# op.enroll.<tokenType>.keyGen.<keyType>.keyCapabilities.sensitive=true
-op.enroll.userKey._017=# op.enroll.<tokenType>.keyGen.<keyType>.keyCapabilities.private=true
-op.enroll.userKey._018=# op.enroll.<tokenType>.keyGen.<keyType>.keyCapabilities.token=true
-op.enroll.userKey._019=#  - specify the PKCS11 attributes to set on the token
-op.enroll.userKey._020=#
-op.enroll.userKey._021=# op.enroll.userKey.keyGen.signing.cuid_label
-op.enroll.userKey._022=#  - specify the CUID shown in the certificate
-op.enroll.userKey._023=#
-op.enroll.userKey._024=# op.enroll.userKey.keyGen.signing.label
-op.enroll.userKey._025=#  - specify the token name. all resulting labels for co-existing keys
-op.enroll.userKey._026=#    on the same token must be unique
-op.enroll.userKey._027=#  - $pretty_cuid$ - Pretty Print CUID (i.e. 4090-0062-FF02-0000-0B9C)
-op.enroll.userKey._028=#  - $cuid$ - CUID (i.e. 40900062FF0200000B9C)
-op.enroll.userKey._029=#  - $msn$ - MSN
-op.enroll.userKey._030=#  - $userid$ - User ID
-op.enroll.userKey._031=#  - $profileId$ - Profile ID
-op.enroll.userKey._032=#
-op.enroll.userKey._033=# op.enroll.<tokenType>.keyGen.<keyType>.overwrite=true|false
-op.enroll.userKey._034=#  - if key and certificate exist, should RA overwrite them
-op.enroll.userKey._035=#
-op.enroll.userKey._036=# op.enroll.<tokenType>.keyGen.<keyType>.certId=C1
-op.enroll.userKey._037=# op.enroll.<tokenType>.keyGen.<keyType>.certAttrId=c1
-op.enroll.userKey._038=# op.enroll.<tokenType>.keyGen.<keyType>.privateKeyAttrId=k2
-op.enroll.userKey._039=# op.enroll.<tokenType>.keyGen.<keyType>.publicKeyAttrId=k3
-op.enroll.userKey._040=# op.enroll.<tokenType>.keyGen.<keyType>.privateKeyNumber=2
-op.enroll.userKey._041=# op.enroll.<tokenType>.keyGen.<keyType>.publicKeyNumber=3
-op.enroll.userKey._042=#  - specify name PKCS11 object IDs
-op.enroll.userKey._043=#  - Lower case letters signify objects containing PKCS11 object attributes,
-op.enroll.userKey._044=#    in the format described below.
-op.enroll.userKey._045=#    'c' An object containing PKCS11 attributes for a certificate.  
-op.enroll.userKey._046=#    'k' An object containing PKCS11 attributes for a public or private key
-op.enroll.userKey._047=#    'r' An object containing PKCS11 attributes for an "reader".
-op.enroll.userKey._048=#  - Upper case letters signify objects containing raw data corresponding to
-op.enroll.userKey._049=#    the lower case letters described above.  For example, object "C0" 
-op.enroll.userKey._050=#    contains raw data corresponding to object "c0".  
-op.enroll.userKey._051=#   'C' This object contains an entire DER cert, and nothing else.  
-op.enroll.userKey._052=#   'K' This object contains a MUSCLE "key blob".  TPS does not use this.
-op.enroll.userKey._053=#
-op.enroll.userKey._054=# op.enroll.<tokenType>.keyGen.<keyType>.keyUsage=0
-op.enroll.userKey._055=# op.enroll.<tokenType>.keyGen.<keyType>.keyUser=0
-op.enroll.userKey._056=#  - user specifies which PIN user should be granted
-op.enroll.userKey._057=#    use privilege of the generated private key, or
-op.enroll.userKey._058=#    15 if all users have use privilege for the private key
-op.enroll.userKey._059=#  - Valid uage: (only specifies the usage for the private key)
-op.enroll.userKey._060=#    0 - default usage (Signing only for this APDU)
-op.enroll.userKey._061=#    1 - signing only
-op.enroll.userKey._062=#    2 - decryption only
-op.enroll.userKey._063=#    3 - signing and decryption
-op.enroll.userKey._064=#
-op.enroll.userKey._065=# op.enroll.<tokenType>.pkcs11obj.enable=true|false
-op.enroll.userKey._066=#  - enable writing of PKCS11 cache object to the token
-op.enroll.userKey._067=#
-op.enroll.userKey._068=# op.enroll.<tokenType>.pkcs11obj.compress.enable=true|false
-op.enroll.userKey._069=#  - enable compression for writing of PKCS11 cache object to the token
-op.enroll.userKey._070=#
-op.enroll.userKey._071=# op.enroll.<tokenType>.pinReset.pin.maxRetries=127
-op.enroll.userKey._072=#  - max number of retries before blocking the token
-op.enroll.userKey._073=#  - max value: 127
-op.enroll.userKey._074=#
-op.enroll.userKey._075=# There is a special case of tokenType userKeyTemporary. 
-op.enroll.userKey._076=# Make sure the profile specified by the profileId to have
-op.enroll.userKey._077=# short validity period (eg, 7 days) for the certificate.
-op.enroll.userKey._078=#########################################
-op.enroll.allowUnknownToken=true
-#The three recovery schemes supported are:
-# GenerateNewKey - Generate a new cert for the encryption cert.
-# RecoverLast - Recover the most recent cert for the encryption cert.
-# GenerateNewKeyandRecoverLast - Generate new cert AND recover last for encryption cert.
-op.enroll.userKey.temporaryToken.tokenType=userKeyTemporary
-op.enroll.userKey.keyGen.recovery.destroyed.keyType.num=2
-op.enroll.userKey.keyGen.recovery.destroyed.keyType.value.0=signing
-op.enroll.userKey.keyGen.recovery.destroyed.keyType.value.1=encryption
-op.enroll.userKey.keyGen.signing.recovery.destroyed.scheme=GenerateNewKey
-op.enroll.userKey.keyGen.signing.recovery.destroyed.revokeCert=true
-op.enroll.userKey.keyGen.signing.recovery.destroyed.revokeCert.reason=0
-op.enroll.userKey.keyGen.encryption.recovery.destroyed.scheme=RecoverLast
-op.enroll.userKey.keyGen.encryption.recovery.destroyed.revokeCert=false
-op.enroll.userKey.keyGen.encryption.recovery.destroyed.revokeCert.reason=0
-op.enroll.userKey.keyGen.recovery.keyCompromise.keyType.num=2
-op.enroll.userKey.keyGen.recovery.keyCompromise.keyType.value.0=signing
-op.enroll.userKey.keyGen.recovery.keyCompromise.keyType.value.1=encryption
-op.enroll.userKey.keyGen.signing.recovery.keyCompromise.scheme=GenerateNewKey
-op.enroll.userKey.keyGen.signing.recovery.keyCompromise.revokeCert=true
-op.enroll.userKey.keyGen.signing.recovery.keyCompromise.revokeCert.reason=1
-op.enroll.userKey.keyGen.encryption.recovery.keyCompromise.scheme=GenerateNewKey
-op.enroll.userKey.keyGen.encryption.recovery.keyCompromise.revokeCert=true
-op.enroll.userKey.keyGen.encryption.recovery.keyCompromise.revokeCert.reason=1
-op.enroll.userKey.keyGen.recovery.onHold.keyType.num=2
-op.enroll.userKey.keyGen.recovery.onHold.keyType.value.0=signing
-op.enroll.userKey.keyGen.recovery.onHold.keyType.value.1=encryption
-op.enroll.userKey.keyGen.signing.recovery.onHold.scheme=GenerateNewKey
-op.enroll.userKey.keyGen.signing.recovery.onHold.revokeCert=true
-op.enroll.userKey.keyGen.signing.recovery.onHold.revokeCert.reason=6
-op.enroll.userKey.keyGen.encryption.recovery.onHold.scheme=GenerateNewKey
-op.enroll.userKey.keyGen.encryption.recovery.onHold.revokeCert=true
-op.enroll.userKey.keyGen.encryption.recovery.onHold.revokeCert.reason=6
-op.enroll.userKey.keyGen.tokenName=$auth.cn$
-op.enroll.userKey.keyGen.keyType.num=2
-op.enroll.userKey.keyGen.keyType.value.0=signing
-op.enroll.userKey.keyGen.keyType.value.1=encryption
-op.enroll.userKey.keyGen.signing.keySize=1024
-op.enroll.userKey.keyGen.signing.public.keyCapabilities.encrypt=false
-op.enroll.userKey.keyGen.signing.public.keyCapabilities.sign=false
-op.enroll.userKey.keyGen.signing.public.keyCapabilities.signRecover=false
-op.enroll.userKey.keyGen.signing.public.keyCapabilities.decrypt=false
-op.enroll.userKey.keyGen.signing.public.keyCapabilities.derive=false
-op.enroll.userKey.keyGen.signing.public.keyCapabilities.unwrap=false
-op.enroll.userKey.keyGen.signing.public.keyCapabilities.wrap=false
-op.enroll.userKey.keyGen.signing.public.keyCapabilities.verifyRecover=true
-op.enroll.userKey.keyGen.signing.public.keyCapabilities.verify=true
-op.enroll.userKey.keyGen.signing.public.keyCapabilities.sensitive=false
-op.enroll.userKey.keyGen.signing.public.keyCapabilities.private=false
-op.enroll.userKey.keyGen.signing.public.keyCapabilities.token=true
-op.enroll.userKey.keyGen.signing.private.keyCapabilities.encrypt=false
-op.enroll.userKey.keyGen.signing.private.keyCapabilities.sign=true
-op.enroll.userKey.keyGen.signing.private.keyCapabilities.signRecover=true
-op.enroll.userKey.keyGen.signing.private.keyCapabilities.decrypt=false
-op.enroll.userKey.keyGen.signing.private.keyCapabilities.derive=false
-op.enroll.userKey.keyGen.signing.private.keyCapabilities.unwrap=false
-op.enroll.userKey.keyGen.signing.private.keyCapabilities.wrap=false
-op.enroll.userKey.keyGen.signing.private.keyCapabilities.verifyRecover=false
-op.enroll.userKey.keyGen.signing.private.keyCapabilities.verify=false
-op.enroll.userKey.keyGen.signing.private.keyCapabilities.sensitive=true
-op.enroll.userKey.keyGen.signing.private.keyCapabilities.private=true
-op.enroll.userKey.keyGen.signing.private.keyCapabilities.token=true
-op.enroll.userKey.keyGen.signing.label=signing key for $userid$
-op.enroll.userKey.keyGen.signing.cuid_label=$cuid$
-op.enroll.userKey.keyGen.signing.overwrite=true
-op.enroll.userKey.keyGen.signing.certId=C1
-op.enroll.userKey.keyGen.signing.certAttrId=c1
-op.enroll.userKey.keyGen.signing.privateKeyAttrId=k2
-op.enroll.userKey.keyGen.signing.publicKeyAttrId=k3
-op.enroll.userKey.keyGen.signing.keyUsage=0
-op.enroll.userKey.keyGen.signing.keyUser=0
-op.enroll.userKey.keyGen.signing.privateKeyNumber=2
-op.enroll.userKey.keyGen.signing.publicKeyNumber=3
-op.enroll.userKey.keyGen.signing.ca.profileId=caTokenUserSigningKeyEnrollment
-op.enroll.userKey.keyGen.signing.ca.conn=ca1
-op.enroll.userKey._079=#op.enroll.userKey.keyGen.signing.publisherId=fileBasedPublisher
-op.enroll.userKey.keyGen.encryption.keySize=1024
-op.enroll.userKey.keyGen.encryption.public.keyCapabilities.encrypt=true
-op.enroll.userKey.keyGen.encryption.public.keyCapabilities.sign=false
-op.enroll.userKey.keyGen.encryption.public.keyCapabilities.signRecover=false
-op.enroll.userKey.keyGen.encryption.public.keyCapabilities.decrypt=false
-op.enroll.userKey.keyGen.encryption.public.keyCapabilities.derive=false
-op.enroll.userKey.keyGen.encryption.public.keyCapabilities.unwrap=false
-op.enroll.userKey.keyGen.encryption.public.keyCapabilities.wrap=true
-op.enroll.userKey.keyGen.encryption.public.keyCapabilities.verifyRecover=false
-op.enroll.userKey.keyGen.encryption.public.keyCapabilities.verify=false
-op.enroll.userKey.keyGen.encryption.public.keyCapabilities.sensitive=false
-op.enroll.userKey.keyGen.encryption.public.keyCapabilities.private=false
-op.enroll.userKey.keyGen.encryption.public.keyCapabilities.token=true
-op.enroll.userKey.keyGen.encryption.private.keyCapabilities.encrypt=false
-op.enroll.userKey.keyGen.encryption.private.keyCapabilities.sign=false
-op.enroll.userKey.keyGen.encryption.private.keyCapabilities.signRecover=false
-op.enroll.userKey.keyGen.encryption.private.keyCapabilities.decrypt=true
-op.enroll.userKey.keyGen.encryption.private.keyCapabilities.derive=false
-op.enroll.userKey.keyGen.encryption.private.keyCapabilities.unwrap=true
-op.enroll.userKey.keyGen.encryption.private.keyCapabilities.wrap=false
-op.enroll.userKey.keyGen.encryption.private.keyCapabilities.verifyRecover=false
-op.enroll.userKey.keyGen.encryption.private.keyCapabilities.verify=false
-op.enroll.userKey.keyGen.encryption.private.keyCapabilities.sensitive=true
-op.enroll.userKey.keyGen.encryption.private.keyCapabilities.private=true
-op.enroll.userKey.keyGen.encryption.private.keyCapabilities.token=true
-op.enroll.userKey.keyGen.encryption.label=encryption key for $userid$
-op.enroll.userKey.keyGen.encryption.cuid_label=$cuid$
-op.enroll.userKey.keyGen.encryption.overwrite=true
-op.enroll.userKey.keyGen.encryption.certId=C2
-op.enroll.userKey.keyGen.encryption.certAttrId=c2
-op.enroll.userKey.keyGen.encryption.privateKeyAttrId=k4
-op.enroll.userKey.keyGen.encryption.publicKeyAttrId=k5
-op.enroll.userKey.keyGen.encryption.keyUsage=0
-op.enroll.userKey.keyGen.encryption.keyUser=0
-op.enroll.userKey.keyGen.encryption.privateKeyNumber=4
-op.enroll.userKey.keyGen.encryption.publicKeyNumber=5
-op.enroll.userKey.keyGen.encryption.ca.profileId=caTokenUserEncryptionKeyEnrollment
-op.enroll.userKey.keyGen.encryption.ca.conn=ca1
-op.enroll.userKey.pkcs11obj.enable=true
-op.enroll.userKey.pkcs11obj.compress.enable=true
-op.enroll.userKey.update.applet.emptyToken.enable=true
-op.enroll.userKey.update.applet.enable=true
-op.enroll.userKey.update.applet.requiredVersion=1.4.499dc06c
-op.enroll.userKey.update.applet.directory=[TPS_DIR]/applets
-op.enroll.userKey.update.applet.encryption=true
-op.enroll.userKey.update.symmetricKeys.enable=false
-op.enroll.userKey.update.symmetricKeys.requiredVersion=1
-op.enroll.userKey.loginRequest.enable=true
-op.enroll.userKey.pinReset.enable=true
-op.enroll.userKey.pinReset.pin.maxRetries=127
-op.enroll.userKey.pinReset.pin.minLen=4
-op.enroll.userKey.pinReset.pin.maxLen=10
-op.enroll.userKey.cardmgr_instance=A0000000030000
-op.enroll.userKey.tks.conn=tks1
-op.enroll.userKey.auth.id=ldap1
-op.enroll.userKey.auth.enable=true
-op.enroll.userKey.issuerinfo.enable=true
-op.enroll.userKey.issuerinfo.value=http://[SERVER_NAME]:[PORT]/cgi-bin/home/index.cgi
-op.enroll.userKeyTemporary.keyGen.recovery.onHold.keyType.num=2
-op.enroll.userKeyTemporary.keyGen.recovery.onHold.keyType.value.0=signing
-op.enroll.userKeyTemporary.keyGen.recovery.onHold.keyType.value.1=encryption
-op.enroll.userKeyTemporary.keyGen.signing.recovery.onHold.scheme=GenerateNewKey
-op.enroll.userKeyTemporary.keyGen.signing.recovery.onHold.revokeCert=true
-op.enroll.userKeyTemporary.keyGen.signing.recovery.onHold.revokeCert.reason=0
-op.enroll.userKeyTemporary.keyGen.encryption.recovery.onHold.scheme=RecoverLast
-op.enroll.userKeyTemporary.keyGen.encryption.recovery.onHold.revokeCert=true
-op.enroll.userKeyTemporary.keyGen.encryption.recovery.onHold.revokeCert.reason=0
-op.enroll.userKey.keyGen.encryption.serverKeygen.enable=[SERVER_KEYGEN]
-op.enroll.userKey.keyGen.encryption.serverKeygen.drm.conn=drm1
-op.enroll.userKey.keyGen.encryption.serverKeygen.archive=true
-op.enroll.userKeyTemporary.keyGen.encryption.serverKeygen.enable=true
-op.enroll.userKeyTemporary.keyGen.encryption.serverKeygen.drm.conn=drm1
-op.enroll.userKeyTemporary.keyGen.encryption.serverKeygen.archive=true
-op.enroll.userKeyTemporary.keyGen.tokenName=$auth.cn$ (Temporary)
-op.enroll.userKeyTemporary.keyGen.keyType.num=3
-op.enroll.userKeyTemporary.keyGen.keyType.value.0=auth
-op.enroll.userKeyTemporary.keyGen.keyType.value.1=signing
-op.enroll.userKeyTemporary.keyGen.keyType.value.2=encryption
-op.enroll.userKeyTemporary.keyGen.auth.keySize=1024
-op.enroll.userKeyTemporary.keyGen.auth.public.keyCapabilities.encrypt=false
-op.enroll.userKeyTemporary.keyGen.auth.public.keyCapabilities.sign=true
-op.enroll.userKeyTemporary.keyGen.auth.public.keyCapabilities.signRecover=true
-op.enroll.userKeyTemporary.keyGen.auth.public.keyCapabilities.decrypt=false
-op.enroll.userKeyTemporary.keyGen.auth.public.keyCapabilities.derive=false
-op.enroll.userKeyTemporary.keyGen.auth.public.keyCapabilities.unwrap=false
-op.enroll.userKeyTemporary.keyGen.auth.public.keyCapabilities.wrap=false
-op.enroll.userKeyTemporary.keyGen.auth.public.keyCapabilities.verifyRecover=true
-op.enroll.userKeyTemporary.keyGen.auth.public.keyCapabilities.verify=true
-op.enroll.userKeyTemporary.keyGen.auth.public.keyCapabilities.sensitive=true
-op.enroll.userKeyTemporary.keyGen.auth.public.keyCapabilities.private=false
-op.enroll.userKeyTemporary.keyGen.auth.public.keyCapabilities.token=true
-op.enroll.userKeyTemporary.keyGen.auth.private.keyCapabilities.encrypt=false
-op.enroll.userKeyTemporary.keyGen.auth.private.keyCapabilities.sign=true
-op.enroll.userKeyTemporary.keyGen.auth.private.keyCapabilities.signRecover=true
-op.enroll.userKeyTemporary.keyGen.auth.private.keyCapabilities.decrypt=false
-op.enroll.userKeyTemporary.keyGen.auth.private.keyCapabilities.derive=false
-op.enroll.userKeyTemporary.keyGen.auth.private.keyCapabilities.unwrap=false
-op.enroll.userKeyTemporary.keyGen.auth.private.keyCapabilities.wrap=false
-op.enroll.userKeyTemporary.keyGen.auth.private.keyCapabilities.verifyRecover=true
-op.enroll.userKeyTemporary.keyGen.auth.private.keyCapabilities.verify=true
-op.enroll.userKeyTemporary.keyGen.auth.private.keyCapabilities.sensitive=true
-op.enroll.userKeyTemporary.keyGen.auth.private.keyCapabilities.private=false
-op.enroll.userKeyTemporary.keyGen.auth.private.keyCapabilities.token=true
-op.enroll.userKeyTemporary.keyGen.auth.label=Temporary Key for $userid$
-op.enroll.userKeyTemporary.keyGen.auth.cuid_label=$cuid$
-op.enroll.userKeyTemporary.keyGen.auth.overwrite=false
-op.enroll.userKeyTemporary.keyGen.auth.certId=C0
-op.enroll.userKeyTemporary.keyGen.auth.certAttrId=c0
-op.enroll.userKeyTemporary.keyGen.auth.privateKeyAttrId=k0
-op.enroll.userKeyTemporary.keyGen.auth.publicKeyAttrId=k1
-op.enroll.userKeyTemporary.keyGen.auth.keyUsage=0
-op.enroll.userKeyTemporary.keyGen.auth.keyUser=15
-op.enroll.userKeyTemporary.keyGen.auth.privateKeyNumber=0
-op.enroll.userKeyTemporary.keyGen.auth.publicKeyNumber=1
-op.enroll.userKeyTemporary.keyGen.auth.ca.profileId=caTempTokenDeviceKeyEnrollment
-op.enroll.userKeyTemporary.keyGen.auth.ca.conn=ca1
-op.enroll.userKeyTemporary.keyGen.signing.keySize=1024
-op.enroll.userKeyTemporary.keyGen.signing.public.keyCapabilities.encrypt=false
-op.enroll.userKeyTemporary.keyGen.signing.public.keyCapabilities.sign=false
-op.enroll.userKeyTemporary.keyGen.signing.public.keyCapabilities.signRecover=false
-op.enroll.userKeyTemporary.keyGen.signing.public.keyCapabilities.decrypt=false
-op.enroll.userKeyTemporary.keyGen.signing.public.keyCapabilities.derive=false
-op.enroll.userKeyTemporary.keyGen.signing.public.keyCapabilities.unwrap=false
-op.enroll.userKeyTemporary.keyGen.signing.public.keyCapabilities.wrap=false
-op.enroll.userKeyTemporary.keyGen.signing.public.keyCapabilities.verifyRecover=true
-op.enroll.userKeyTemporary.keyGen.signing.public.keyCapabilities.verify=true
-op.enroll.userKeyTemporary.keyGen.signing.public.keyCapabilities.sensitive=false
-op.enroll.userKeyTemporary.keyGen.signing.public.keyCapabilities.private=false
-op.enroll.userKeyTemporary.keyGen.signing.public.keyCapabilities.token=true
-op.enroll.userKeyTemporary.keyGen.signing.private.keyCapabilities.encrypt=false
-op.enroll.userKeyTemporary.keyGen.signing.private.keyCapabilities.sign=true
-op.enroll.userKeyTemporary.keyGen.signing.private.keyCapabilities.signRecover=true
-op.enroll.userKeyTemporary.keyGen.signing.private.keyCapabilities.decrypt=false
-op.enroll.userKeyTemporary.keyGen.signing.private.keyCapabilities.derive=false
-op.enroll.userKeyTemporary.keyGen.signing.private.keyCapabilities.unwrap=false
-op.enroll.userKeyTemporary.keyGen.signing.private.keyCapabilities.wrap=false
-op.enroll.userKeyTemporary.keyGen.signing.private.keyCapabilities.verifyRecover=false
-op.enroll.userKeyTemporary.keyGen.signing.private.keyCapabilities.verify=false
-op.enroll.userKeyTemporary.keyGen.signing.private.keyCapabilities.sensitive=true
-op.enroll.userKeyTemporary.keyGen.signing.private.keyCapabilities.private=true
-op.enroll.userKeyTemporary.keyGen.signing.private.keyCapabilities.token=true
-op.enroll.userKeyTemporary.keyGen.signing.label=signing key for $userid$
-op.enroll.userKeyTemporary.keyGen.signing.cuid_label=$cuid$
-op.enroll.userKeyTemporary.keyGen.signing.overwrite=true
-op.enroll.userKeyTemporary.keyGen.signing.certId=C1
-op.enroll.userKeyTemporary.keyGen.signing.certAttrId=c1
-op.enroll.userKeyTemporary.keyGen.signing.privateKeyAttrId=k2
-op.enroll.userKeyTemporary.keyGen.signing.publicKeyAttrId=k3
-op.enroll.userKeyTemporary.keyGen.signing.keyUsage=0
-op.enroll.userKeyTemporary.keyGen.signing.keyUser=0
-op.enroll.userKeyTemporary.keyGen.signing.privateKeyNumber=2
-op.enroll.userKeyTemporary.keyGen.signing.publicKeyNumber=3
-op.enroll.userKeyTemporary.keyGen.signing.ca.profileId=caTempTokenUserSigningKeyEnrollment
-op.enroll.userKeyTemporary.keyGen.signing.ca.conn=ca1
-op.enroll.userKey._080=#op.enroll.userKeyTemporary.keyGen.signing.publisherId=fileBasedPublisher
-op.enroll.userKeyTemporary.keyGen.encryption.keySize=1024
-op.enroll.userKeyTemporary.keyGen.encryption.public.keyCapabilities.encrypt=true
-op.enroll.userKeyTemporary.keyGen.encryption.public.keyCapabilities.sign=false
-op.enroll.userKeyTemporary.keyGen.encryption.public.keyCapabilities.signRecover=false
-op.enroll.userKeyTemporary.keyGen.encryption.public.keyCapabilities.decrypt=false
-op.enroll.userKeyTemporary.keyGen.encryption.public.keyCapabilities.derive=false
-op.enroll.userKeyTemporary.keyGen.encryption.public.keyCapabilities.unwrap=false
-op.enroll.userKeyTemporary.keyGen.encryption.public.keyCapabilities.wrap=true
-op.enroll.userKeyTemporary.keyGen.encryption.public.keyCapabilities.verifyRecover=false
-op.enroll.userKeyTemporary.keyGen.encryption.public.keyCapabilities.verify=false
-op.enroll.userKeyTemporary.keyGen.encryption.public.keyCapabilities.sensitive=false
-op.enroll.userKeyTemporary.keyGen.encryption.public.keyCapabilities.private=false
-op.enroll.userKeyTemporary.keyGen.encryption.public.keyCapabilities.token=true
-op.enroll.userKeyTemporary.keyGen.encryption.private.keyCapabilities.encrypt=false
-op.enroll.userKeyTemporary.keyGen.encryption.private.keyCapabilities.sign=false
-op.enroll.userKeyTemporary.keyGen.encryption.private.keyCapabilities.signRecover=false
-op.enroll.userKeyTemporary.keyGen.encryption.private.keyCapabilities.decrypt=true
-op.enroll.userKeyTemporary.keyGen.encryption.private.keyCapabilities.derive=false
-op.enroll.userKeyTemporary.keyGen.encryption.private.keyCapabilities.unwrap=true
-op.enroll.userKeyTemporary.keyGen.encryption.private.keyCapabilities.wrap=false
-op.enroll.userKeyTemporary.keyGen.encryption.private.keyCapabilities.verifyRecover=false
-op.enroll.userKeyTemporary.keyGen.encryption.private.keyCapabilities.verify=false
-op.enroll.userKeyTemporary.keyGen.encryption.private.keyCapabilities.sensitive=true
-op.enroll.userKeyTemporary.keyGen.encryption.private.keyCapabilities.private=true
-op.enroll.userKeyTemporary.keyGen.encryption.private.keyCapabilities.token=true
-op.enroll.userKeyTemporary.keyGen.encryption.label=encryption key for $userid$
-op.enroll.userKeyTemporary.keyGen.encryption.cuid_label=$cuid$
-op.enroll.userKeyTemporary.keyGen.encryption.overwrite=true
-op.enroll.userKeyTemporary.keyGen.encryption.certId=C2
-op.enroll.userKeyTemporary.keyGen.encryption.certAttrId=c2
-op.enroll.userKeyTemporary.keyGen.encryption.privateKeyAttrId=k4
-op.enroll.userKeyTemporary.keyGen.encryption.publicKeyAttrId=k5
-op.enroll.userKeyTemporary.keyGen.encryption.keyUsage=0
-op.enroll.userKeyTemporary.keyGen.encryption.keyUser=0
-op.enroll.userKeyTemporary.keyGen.encryption.privateKeyNumber=4
-op.enroll.userKeyTemporary.keyGen.encryption.publicKeyNumber=5
-op.enroll.userKeyTemporary.keyGen.encryption.ca.profileId=caTempTokenUserEncryptionKeyEnrollment
-op.enroll.userKeyTemporary.keyGen.encryption.ca.conn=ca1
-op.enroll.userKeyTemporary.pkcs11obj.enable=true
-op.enroll.userKeyTemporary.pkcs11obj.compress.enable=true
-op.enroll.userKeyTemporary.update.applet.emptyToken.enable=true
-op.enroll.userKeyTemporary.update.applet.enable=true
-op.enroll.userKeyTemporary.update.applet.requiredVersion=1.4.499dc06c
-op.enroll.userKeyTemporary.update.applet.directory=[TPS_DIR]/applets
-op.enroll.userKeyTemporary.update.applet.encryption=true
-op.enroll.userKeyTemporary.update.symmetricKeys.enable=false
-op.enroll.userKeyTemporary.update.symmetricKeys.requiredVersion=1
-op.enroll.userKeyTemporary.loginRequest.enable=true
-op.enroll.userKeyTemporary.pinReset.enable=true
-op.enroll.userKeyTemporary.pinReset.pin.maxRetries=127
-op.enroll.userKeyTemporary.pinReset.pin.minLen=4
-op.enroll.userKeyTemporary.pinReset.pin.maxLen=10
-op.enroll.userKeyTemporary.tks.conn=tks1
-op.enroll.userKeyTemporary.cardmgr_instance=A0000000030000
-op.enroll.userKeyTemporary.auth.id=ldap1
-op.enroll.userKeyTemporary.auth.enable=true
-# Token Renewal.
-# For each token in TPS UI set the following:
-#     RENEW=YES
-# To trigger renewal operations.
-op.enroll.userKey.renewal.keyType.num=2
-op.enroll.userKey.renewal.keyType.value.0=signing
-op.enroll.userKey.renewal.keyType.value.1=encryption
-op.enroll.userKey.renewal.signing.enable=true
-#optional grace period enforcement
-#must coincide exactly with what the CA enforces
-op.enroll.userKey.renewal.signing.gracePeriod.enable=false
-op.enroll.userKey.renewal.signing.gracePeriod.before=30
-op.enroll.userKey.renewal.signing.gracePeriod.after=30
-op.enroll.userKey.renewal.signing.certId=C1
-#in case of renewal, encryption certId values for completeness only
-#server code calculates actual values used.
-op.enroll.userKey.renewal.encryption.certId=C2
-op.enroll.userKey.renewal.signing.certAttrId=c1
-op.enroll.userKey.renewal.encryption.certAttrId=c2
-op.enroll.userKey.renewal.encryption.enable=true
-#optional grace period enforcement
-#must coincide exactly with what the CA enforces
-op.enroll.userKey.renewal.encryption.gracePeriod.enable=false
-op.enroll.userKey.renewal.encryption.gracePeriod.before=30
-op.enroll.userKey.renewal.encryption.gracePeriod.after=30
-op.enroll.userKey.renewal.signing.ca.conn=ca1
-op.enroll.userKey.renewal.encryption.ca.conn=ca1
-op.enroll.userKey.renewal.signing.ca.profileId=caTokenUserSigningKeyRenewal
-op.enroll.userKey.renewal.encryption.ca.profileId=caTokenUserEncryptionKeyRenewal
-op.enroll.soKey.temporaryToken.tokenType=soKeyTemporary
-op.enroll.soKey.keyGen.recovery.destroyed.keyType.num=2
-op.enroll.soKey.keyGen.recovery.destroyed.keyType.value.0=signing
-op.enroll.soKey.keyGen.recovery.destroyed.keyType.value.1=encryption
-op.enroll.soKey.keyGen.signing.recovery.destroyed.scheme=GenerateNewKey
-op.enroll.soKey.keyGen.signing.recovery.destroyed.revokeCert=true
-op.enroll.soKey.keyGen.signing.recovery.destroyed.revokeCert.reason=0
-op.enroll.soKey.keyGen.encryption.recovery.destroyed.scheme=RecoverLast
-op.enroll.soKey.keyGen.encryption.recovery.destroyed.revokeCert=false
-op.enroll.soKey.keyGen.encryption.recovery.destroyed.revokeCert.reason=0
-op.enroll.soKey.keyGen.recovery.keyCompromise.keyType.num=2
-op.enroll.soKey.keyGen.recovery.keyCompromise.keyType.value.0=signing
-op.enroll.soKey.keyGen.recovery.keyCompromise.keyType.value.1=encryption
-op.enroll.soKey.keyGen.signing.recovery.keyCompromise.scheme=GenerateNewKey
-op.enroll.soKey.keyGen.signing.recovery.keyCompromise.revokeCert=true
-op.enroll.soKey.keyGen.signing.recovery.keyCompromise.revokeCert.reason=1
-op.enroll.soKey.keyGen.encryption.recovery.keyCompromise.scheme=GenerateNewKey
-op.enroll.soKey.keyGen.encryption.recovery.keyCompromise.revokeCert=true
-op.enroll.soKey.keyGen.encryption.recovery.keyCompromise.revokeCert.reason=1
-op.enroll.soKey.keyGen.recovery.onHold.keyType.num=2
-op.enroll.soKey.keyGen.recovery.onHold.keyType.value.0=signing
-op.enroll.soKey.keyGen.recovery.onHold.keyType.value.1=encryption
-op.enroll.soKey.keyGen.signing.recovery.onHold.scheme=GenerateNewKey
-op.enroll.soKey.keyGen.signing.recovery.onHold.revokeCert=true
-op.enroll.soKey.keyGen.signing.recovery.onHold.revokeCert.reason=6
-op.enroll.soKey.keyGen.encryption.recovery.onHold.scheme=GenerateNewKey
-op.enroll.soKey.keyGen.encryption.recovery.onHold.revokeCert=true
-op.enroll.soKey.keyGen.encryption.recovery.onHold.revokeCert.reason=6
-op.enroll.soKey.keyGen.tokenName=$auth.cn$
-op.enroll.soKey.keyGen.keyType.num=2
-op.enroll.soKey.keyGen.keyType.value.0=signing
-op.enroll.soKey.keyGen.keyType.value.1=encryption
-op.enroll.soKey.keyGen.signing.keySize=1024
-op.enroll.soKey.keyGen.signing.public.keyCapabilities.encrypt=false
-op.enroll.soKey.keyGen.signing.public.keyCapabilities.sign=false
-op.enroll.soKey.keyGen.signing.public.keyCapabilities.signRecover=false
-op.enroll.soKey.keyGen.signing.public.keyCapabilities.decrypt=false
-op.enroll.soKey.keyGen.signing.public.keyCapabilities.derive=false
-op.enroll.soKey.keyGen.signing.public.keyCapabilities.unwrap=false
-op.enroll.soKey.keyGen.signing.public.keyCapabilities.wrap=false
-op.enroll.soKey.keyGen.signing.public.keyCapabilities.verifyRecover=true
-op.enroll.soKey.keyGen.signing.public.keyCapabilities.verify=true
-op.enroll.soKey.keyGen.signing.public.keyCapabilities.sensitive=false
-op.enroll.soKey.keyGen.signing.public.keyCapabilities.private=false
-op.enroll.soKey.keyGen.signing.public.keyCapabilities.token=true
-op.enroll.soKey.keyGen.signing.private.keyCapabilities.encrypt=false
-op.enroll.soKey.keyGen.signing.private.keyCapabilities.sign=true
-op.enroll.soKey.keyGen.signing.private.keyCapabilities.signRecover=true
-op.enroll.soKey.keyGen.signing.private.keyCapabilities.decrypt=false
-op.enroll.soKey.keyGen.signing.private.keyCapabilities.derive=false
-op.enroll.soKey.keyGen.signing.private.keyCapabilities.unwrap=false
-op.enroll.soKey.keyGen.signing.private.keyCapabilities.wrap=false
-op.enroll.soKey.keyGen.signing.private.keyCapabilities.verifyRecover=false
-op.enroll.soKey.keyGen.signing.private.keyCapabilities.verify=false
-op.enroll.soKey.keyGen.signing.private.keyCapabilities.sensitive=true
-op.enroll.soKey.keyGen.signing.private.keyCapabilities.private=true
-op.enroll.soKey.keyGen.signing.private.keyCapabilities.token=true
-op.enroll.soKey.keyGen.signing.label=signing key for $userid$
-op.enroll.soKey.keyGen.signing.cuid_label=$cuid$
-op.enroll.soKey.keyGen.signing.overwrite=true
-op.enroll.soKey.keyGen.signing.certId=C1
-op.enroll.soKey.keyGen.signing.certAttrId=c1
-op.enroll.soKey.keyGen.signing.privateKeyAttrId=k2
-op.enroll.soKey.keyGen.signing.publicKeyAttrId=k3
-op.enroll.soKey.keyGen.signing.keyUsage=0
-op.enroll.soKey.keyGen.signing.keyUser=0
-op.enroll.soKey.keyGen.signing.privateKeyNumber=2
-op.enroll.soKey.keyGen.signing.publicKeyNumber=3
-op.enroll.soKey.keyGen.signing.ca.profileId=caTokenUserSigningKeyEnrollment
-op.enroll.soKey.keyGen.signing.ca.conn=ca1
-op.enroll.soKey._079=#op.enroll.userKey.keyGen.signing.publisherId=fileBasedPublisher
-op.enroll.soKey.keyGen.encryption.keySize=1024
-op.enroll.soKey.keyGen.encryption.public.keyCapabilities.encrypt=true
-op.enroll.soKey.keyGen.encryption.public.keyCapabilities.sign=false
-op.enroll.soKey.keyGen.encryption.public.keyCapabilities.signRecover=false
-op.enroll.soKey.keyGen.encryption.public.keyCapabilities.decrypt=false
-op.enroll.soKey.keyGen.encryption.public.keyCapabilities.derive=false
-op.enroll.soKey.keyGen.encryption.public.keyCapabilities.unwrap=false
-op.enroll.soKey.keyGen.encryption.public.keyCapabilities.wrap=true
-op.enroll.soKey.keyGen.encryption.public.keyCapabilities.verifyRecover=false
-op.enroll.soKey.keyGen.encryption.public.keyCapabilities.verify=false
-op.enroll.soKey.keyGen.encryption.public.keyCapabilities.sensitive=false
-op.enroll.soKey.keyGen.encryption.public.keyCapabilities.private=false
-op.enroll.soKey.keyGen.encryption.public.keyCapabilities.token=true
-op.enroll.soKey.keyGen.encryption.private.keyCapabilities.encrypt=false
-op.enroll.soKey.keyGen.encryption.private.keyCapabilities.sign=false
-op.enroll.soKey.keyGen.encryption.private.keyCapabilities.signRecover=false
-op.enroll.soKey.keyGen.encryption.private.keyCapabilities.decrypt=true
-op.enroll.soKey.keyGen.encryption.private.keyCapabilities.derive=false
-op.enroll.soKey.keyGen.encryption.private.keyCapabilities.unwrap=true
-op.enroll.soKey.keyGen.encryption.private.keyCapabilities.wrap=false
-op.enroll.soKey.keyGen.encryption.private.keyCapabilities.verifyRecover=false
-op.enroll.soKey.keyGen.encryption.private.keyCapabilities.verify=false
-op.enroll.soKey.keyGen.encryption.private.keyCapabilities.sensitive=true
-op.enroll.soKey.keyGen.encryption.private.keyCapabilities.private=true
-op.enroll.soKey.keyGen.encryption.private.keyCapabilities.token=true
-op.enroll.soKey.keyGen.encryption.label=encryption key for $userid$
-op.enroll.soKey.keyGen.encryption.cuid_label=$cuid$
-op.enroll.soKey.keyGen.encryption.overwrite=true
-op.enroll.soKey.keyGen.encryption.certId=C2
-op.enroll.soKey.keyGen.encryption.certAttrId=c2
-op.enroll.soKey.keyGen.encryption.privateKeyAttrId=k4
-op.enroll.soKey.keyGen.encryption.publicKeyAttrId=k5
-op.enroll.soKey.keyGen.encryption.keyUsage=0
-op.enroll.soKey.keyGen.encryption.keyUser=0
-op.enroll.soKey.keyGen.encryption.privateKeyNumber=4
-op.enroll.soKey.keyGen.encryption.publicKeyNumber=5
-op.enroll.soKey.keyGen.encryption.ca.profileId=caTokenUserEncryptionKeyEnrollment
-op.enroll.soKey.keyGen.encryption.ca.conn=ca1
-op.enroll.soKey.pkcs11obj.enable=true
-op.enroll.soKey.pkcs11obj.compress.enable=true
-op.enroll.soKey.update.applet.emptyToken.enable=true
-op.enroll.soKey.update.applet.enable=true
-op.enroll.soKey.update.applet.requiredVersion=1.4.499dc06c
-op.enroll.soKey.update.applet.directory=[TPS_DIR]/applets
-op.enroll.soKey.update.applet.encryption=true
-op.enroll.soKey.update.symmetricKeys.enable=false
-op.enroll.soKey.update.symmetricKeys.requiredVersion=1
-op.enroll.soKey.loginRequest.enable=true
-op.enroll.soKey.pinReset.enable=true
-op.enroll.soKey.pinReset.pin.maxRetries=127
-op.enroll.soKey.pinReset.pin.minLen=4
-op.enroll.soKey.pinReset.pin.maxLen=10
-op.enroll.soKey.cardmgr_instance=A0000000030000
-op.enroll.soKey.tks.conn=tks1
-op.enroll.soKey.auth.id=ldap2
-op.enroll.soKey.auth.enable=true
-op.enroll.soKey.issuerinfo.enable=true
-op.enroll.soKey.issuerinfo.value=http://[SERVER_NAME]:[PORT]/cgi-bin/so/index.cgi
-op.enroll.soKeyTemporary.keyGen.recovery.onHold.keyType.num=2
-op.enroll.soKeyTemporary.keyGen.recovery.onHold.keyType.value.0=signing
-op.enroll.soKeyTemporary.keyGen.recovery.onHold.keyType.value.1=encryption
-op.enroll.soKeyTemporary.keyGen.signing.recovery.onHold.scheme=GenerateNewKey
-op.enroll.soKeyTemporary.keyGen.signing.recovery.onHold.revokeCert=true
-op.enroll.soKeyTemporary.keyGen.signing.recovery.onHold.revokeCert.reason=0
-op.enroll.soKeyTemporary.keyGen.encryption.recovery.onHold.scheme=RecoverLast
-op.enroll.soKeyTemporary.keyGen.encryption.recovery.onHold.revokeCert=true
-op.enroll.soKeyTemporary.keyGen.encryption.recovery.onHold.revokeCert.reason=0
-op.enroll.soKey.keyGen.encryption.serverKeygen.enable=[SERVER_KEYGEN]
-op.enroll.soKey.keyGen.encryption.serverKeygen.drm.conn=drm1
-op.enroll.soKey.keyGen.encryption.serverKeygen.archive=true
-op.enroll.soKeyTemporary.keyGen.encryption.serverKeygen.enable=true
-op.enroll.soKeyTemporary.keyGen.encryption.serverKeygen.drm.conn=drm1
-op.enroll.soKeyTemporary.keyGen.encryption.serverKeygen.archive=true
-op.enroll.soKeyTemporary.keyGen.tokenName=$auth.cn$ (Temporary)
-op.enroll.soKeyTemporary.keyGen.keyType.num=3
-op.enroll.soKeyTemporary.keyGen.keyType.value.0=auth
-op.enroll.soKeyTemporary.keyGen.keyType.value.1=signing
-op.enroll.soKeyTemporary.keyGen.keyType.value.2=encryption
-op.enroll.soKeyTemporary.keyGen.auth.keySize=1024
-op.enroll.soKeyTemporary.keyGen.auth.public.keyCapabilities.encrypt=false
-op.enroll.soKeyTemporary.keyGen.auth.public.keyCapabilities.sign=true
-op.enroll.soKeyTemporary.keyGen.auth.public.keyCapabilities.signRecover=true
-op.enroll.soKeyTemporary.keyGen.auth.public.keyCapabilities.decrypt=false
-op.enroll.soKeyTemporary.keyGen.auth.public.keyCapabilities.derive=false
-op.enroll.soKeyTemporary.keyGen.auth.public.keyCapabilities.unwrap=false
-op.enroll.soKeyTemporary.keyGen.auth.public.keyCapabilities.wrap=false
-op.enroll.soKeyTemporary.keyGen.auth.public.keyCapabilities.verifyRecover=true
-op.enroll.soKeyTemporary.keyGen.auth.public.keyCapabilities.verify=true
-op.enroll.soKeyTemporary.keyGen.auth.public.keyCapabilities.sensitive=true
-op.enroll.soKeyTemporary.keyGen.auth.public.keyCapabilities.private=false
-op.enroll.soKeyTemporary.keyGen.auth.public.keyCapabilities.token=true
-op.enroll.soKeyTemporary.keyGen.auth.private.keyCapabilities.encrypt=false
-op.enroll.soKeyTemporary.keyGen.auth.private.keyCapabilities.sign=true
-op.enroll.soKeyTemporary.keyGen.auth.private.keyCapabilities.signRecover=true
-op.enroll.soKeyTemporary.keyGen.auth.private.keyCapabilities.decrypt=false
-op.enroll.soKeyTemporary.keyGen.auth.private.keyCapabilities.derive=false
-op.enroll.soKeyTemporary.keyGen.auth.private.keyCapabilities.unwrap=false
-op.enroll.soKeyTemporary.keyGen.auth.private.keyCapabilities.wrap=false
-op.enroll.soKeyTemporary.keyGen.auth.private.keyCapabilities.verifyRecover=true
-op.enroll.soKeyTemporary.keyGen.auth.private.keyCapabilities.verify=true
-op.enroll.soKeyTemporary.keyGen.auth.private.keyCapabilities.sensitive=true
-op.enroll.soKeyTemporary.keyGen.auth.private.keyCapabilities.private=false
-op.enroll.soKeyTemporary.keyGen.auth.private.keyCapabilities.token=true
-op.enroll.soKeyTemporary.keyGen.auth.label=Temporary Key for $userid$
-op.enroll.soKeyTemporary.keyGen.auth.cuid_label=$cuid$
-op.enroll.soKeyTemporary.keyGen.auth.overwrite=false
-op.enroll.soKeyTemporary.keyGen.auth.certId=C0
-op.enroll.soKeyTemporary.keyGen.auth.certAttrId=c0
-op.enroll.soKeyTemporary.keyGen.auth.privateKeyAttrId=k0
-op.enroll.soKeyTemporary.keyGen.auth.publicKeyAttrId=k1
-op.enroll.soKeyTemporary.keyGen.auth.keyUsage=0
-op.enroll.soKeyTemporary.keyGen.auth.keyUser=15
-op.enroll.soKeyTemporary.keyGen.auth.privateKeyNumber=0
-op.enroll.soKeyTemporary.keyGen.auth.publicKeyNumber=1
-op.enroll.soKeyTemporary.keyGen.auth.ca.profileId=caTempTokenDeviceKeyEnrollment
-op.enroll.soKeyTemporary.keyGen.auth.ca.conn=ca1
-op.enroll.soKeyTemporary.keyGen.signing.keySize=1024
-op.enroll.soKeyTemporary.keyGen.signing.public.keyCapabilities.encrypt=false
-op.enroll.soKeyTemporary.keyGen.signing.public.keyCapabilities.sign=false
-op.enroll.soKeyTemporary.keyGen.signing.public.keyCapabilities.signRecover=false
-op.enroll.soKeyTemporary.keyGen.signing.public.keyCapabilities.decrypt=false
-op.enroll.soKeyTemporary.keyGen.signing.public.keyCapabilities.derive=false
-op.enroll.soKeyTemporary.keyGen.signing.public.keyCapabilities.unwrap=false
-op.enroll.soKeyTemporary.keyGen.signing.public.keyCapabilities.wrap=false
-op.enroll.soKeyTemporary.keyGen.signing.public.keyCapabilities.verifyRecover=true
-op.enroll.soKeyTemporary.keyGen.signing.public.keyCapabilities.verify=true
-op.enroll.soKeyTemporary.keyGen.signing.public.keyCapabilities.sensitive=false
-op.enroll.soKeyTemporary.keyGen.signing.public.keyCapabilities.private=false
-op.enroll.soKeyTemporary.keyGen.signing.public.keyCapabilities.token=true
-op.enroll.soKeyTemporary.keyGen.signing.private.keyCapabilities.encrypt=false
-op.enroll.soKeyTemporary.keyGen.signing.private.keyCapabilities.sign=true
-op.enroll.soKeyTemporary.keyGen.signing.private.keyCapabilities.signRecover=true
-op.enroll.soKeyTemporary.keyGen.signing.private.keyCapabilities.decrypt=false
-op.enroll.soKeyTemporary.keyGen.signing.private.keyCapabilities.derive=false
-op.enroll.soKeyTemporary.keyGen.signing.private.keyCapabilities.unwrap=false
-op.enroll.soKeyTemporary.keyGen.signing.private.keyCapabilities.wrap=false
-op.enroll.soKeyTemporary.keyGen.signing.private.keyCapabilities.verifyRecover=false
-op.enroll.soKeyTemporary.keyGen.signing.private.keyCapabilities.verify=false
-op.enroll.soKeyTemporary.keyGen.signing.private.keyCapabilities.sensitive=true
-op.enroll.soKeyTemporary.keyGen.signing.private.keyCapabilities.private=true
-op.enroll.soKeyTemporary.keyGen.signing.private.keyCapabilities.token=true
-op.enroll.soKeyTemporary.keyGen.signing.label=signing key for $userid$
-op.enroll.soKeyTemporary.keyGen.signing.cuid_label=$cuid$
-op.enroll.soKeyTemporary.keyGen.signing.overwrite=true
-op.enroll.soKeyTemporary.keyGen.signing.certId=C1
-op.enroll.soKeyTemporary.keyGen.signing.certAttrId=c1
-op.enroll.soKeyTemporary.keyGen.signing.privateKeyAttrId=k2
-op.enroll.soKeyTemporary.keyGen.signing.publicKeyAttrId=k3
-op.enroll.soKeyTemporary.keyGen.signing.keyUsage=0
-op.enroll.soKeyTemporary.keyGen.signing.keyUser=0
-op.enroll.soKeyTemporary.keyGen.signing.privateKeyNumber=2
-op.enroll.soKeyTemporary.keyGen.signing.publicKeyNumber=3
-op.enroll.soKeyTemporary.keyGen.signing.ca.profileId=caTempTokenUserSigningKeyEnrollment
-op.enroll.soKeyTemporary.keyGen.signing.ca.conn=ca1
-op.enroll.soKeyTemporary.keyGen.encryption.keySize=1024
-op.enroll.soKeyTemporary.keyGen.encryption.public.keyCapabilities.encrypt=true
-op.enroll.soKeyTemporary.keyGen.encryption.public.keyCapabilities.sign=false
-op.enroll.soKeyTemporary.keyGen.encryption.public.keyCapabilities.signRecover=false
-op.enroll.soKeyTemporary.keyGen.encryption.public.keyCapabilities.decrypt=false
-op.enroll.soKeyTemporary.keyGen.encryption.public.keyCapabilities.derive=false
-op.enroll.soKeyTemporary.keyGen.encryption.public.keyCapabilities.unwrap=false
-op.enroll.soKeyTemporary.keyGen.encryption.public.keyCapabilities.wrap=true
-op.enroll.soKeyTemporary.keyGen.encryption.public.keyCapabilities.verifyRecover=false
-op.enroll.soKeyTemporary.keyGen.encryption.public.keyCapabilities.verify=false
-op.enroll.soKeyTemporary.keyGen.encryption.public.keyCapabilities.sensitive=false
-op.enroll.soKeyTemporary.keyGen.encryption.public.keyCapabilities.private=false
-op.enroll.soKeyTemporary.keyGen.encryption.public.keyCapabilities.token=true
-op.enroll.soKeyTemporary.keyGen.encryption.private.keyCapabilities.encrypt=false
-op.enroll.soKeyTemporary.keyGen.encryption.private.keyCapabilities.sign=false
-op.enroll.soKeyTemporary.keyGen.encryption.private.keyCapabilities.signRecover=false
-op.enroll.soKeyTemporary.keyGen.encryption.private.keyCapabilities.decrypt=true
-op.enroll.soKeyTemporary.keyGen.encryption.private.keyCapabilities.derive=false
-op.enroll.soKeyTemporary.keyGen.encryption.private.keyCapabilities.unwrap=true
-op.enroll.soKeyTemporary.keyGen.encryption.private.keyCapabilities.wrap=false
-op.enroll.soKeyTemporary.keyGen.encryption.private.keyCapabilities.verifyRecover=false
-op.enroll.soKeyTemporary.keyGen.encryption.private.keyCapabilities.verify=false
-op.enroll.soKeyTemporary.keyGen.encryption.private.keyCapabilities.sensitive=true
-op.enroll.soKeyTemporary.keyGen.encryption.private.keyCapabilities.private=true
-op.enroll.soKeyTemporary.keyGen.encryption.private.keyCapabilities.token=true
-op.enroll.soKeyTemporary.keyGen.encryption.label=encryption key for $userid$
-op.enroll.soKeyTemporary.keyGen.encryption.cuid_label=$cuid$
-op.enroll.soKeyTemporary.keyGen.encryption.overwrite=true
-op.enroll.soKeyTemporary.keyGen.encryption.certId=C2
-op.enroll.soKeyTemporary.keyGen.encryption.certAttrId=c2
-op.enroll.soKeyTemporary.keyGen.encryption.privateKeyAttrId=k4
-op.enroll.soKeyTemporary.keyGen.encryption.publicKeyAttrId=k5
-op.enroll.soKeyTemporary.keyGen.encryption.keyUsage=0
-op.enroll.soKeyTemporary.keyGen.encryption.keyUser=0
-op.enroll.soKeyTemporary.keyGen.encryption.privateKeyNumber=4
-op.enroll.soKeyTemporary.keyGen.encryption.publicKeyNumber=5
-op.enroll.soKeyTemporary.keyGen.encryption.ca.profileId=caTempTokenUserEncryptionKeyEnrollment
-op.enroll.soKeyTemporary.keyGen.encryption.ca.conn=ca1
-op.enroll.soKeyTemporary.pkcs11obj.enable=true
-op.enroll.soKeyTemporary.pkcs11obj.compress.enable=true
-op.enroll.soKeyTemporary.update.applet.emptyToken.enable=true
-op.enroll.soKeyTemporary.update.applet.enable=true
-op.enroll.soKeyTemporary.update.applet.requiredVersion=1.4.499dc06c
-op.enroll.soKeyTemporary.update.applet.directory=[TPS_DIR]/applets
-op.enroll.soKeyTemporary.update.applet.encryption=true
-op.enroll.soKeyTemporary.update.symmetricKeys.enable=false
-op.enroll.soKeyTemporary.update.symmetricKeys.requiredVersion=1
-op.enroll.soKeyTemporary.loginRequest.enable=true
-op.enroll.soKeyTemporary.pinReset.enable=true
-op.enroll.soKeyTemporary.pinReset.pin.maxRetries=127
-op.enroll.soKeyTemporary.pinReset.pin.minLen=4
-op.enroll.soKeyTemporary.pinReset.pin.maxLen=10
-op.enroll.soKeyTemporary.cardmgr_instance=A0000000030000
-op.enroll.soKeyTemporary.tks.conn=tks1
-op.enroll.soKeyTemporary.tks.keySet=defKeyset
-op.enroll.soKeyTemporary.auth.id=ldap2
-op.enroll.soKeyTemporary.auth.enable=true
-op.pinReset._000=#########################################
-op.pinReset._001=# Certificate Chain Imports 
-op.pinReset._002=#
-op.pinReset._003=# op.enroll.certificates.num=1
-op.pinReset._004=# op.enroll.certificates.value.0=caCert
-op.pinReset._005=# op.enroll.certificates.caCert.nickName=caCert0 pki-tps
-op.pinReset._006=# op.enroll.certificates.caCert.certId=C5
-op.pinReset._007=# op.enroll.certificates.caCert.certAttrId=c5
-op.pinReset._008=# op.enroll.certificates.caCert.label=caCert Label
-op.pinReset._009=#########################################
-op.pinReset._010=#########################################
-op.pinReset._011=# Pin Reset Operation For CoolKey
-op.pinReset._012=#
-op.pinReset._013=# op.pinReset.userKey.update.applet.emptyToken.enable=false
-op.pinReset._014=#  - update applet or not if token is empty
-op.pinReset._015=#
-op.pinReset._016=# - N/A for HouseKey
-op.pinReset._017=# - N/A for HouseKey with Legacy Applet
-op.pinReset._018=#########################################
-op.pinReset.userKey.update.applet.emptyToken.enable=true
-op.pinReset.userKey.update.applet.enable=false
-op.pinReset.userKey.update.applet.requiredVersion=1.4.499dc06c
-op.pinReset.userKey.update.applet.directory=[TPS_DIR]/applets
-op.pinReset.userKey.update.applet.encryption=true
-op.pinReset.userKey.update.symmetricKeys.enable=false
-op.pinReset.userKey.update.symmetricKeys.requiredVersion=1
-op.pinReset.userKey.loginRequest.enable=true
-op.pinReset.userKey.pinReset.pin.minLen=4
-op.pinReset.userKey.pinReset.pin.maxLen=10
-op.pinReset.userKey.tks.conn=tks1
-op.pinReset.userKey.cardmgr_instance=A0000000030000
-op.pinReset.userKey.auth.id=ldap1
-op.pinReset.userKey.auth.enable=true
-op.format._000=#########################################
-op.format._001=# Format Operation For tokenKey
-op.format._002=#
-op.format._003=# op.format.tokenKey.update.applet.emptyToken.enable=false
-op.format._004=#  - update applet or not if token is empty
-op.format._005=#
-op.format._006=# - applicable to CoolKey
-op.format._007=# - applicable to HouseKey
-op.format._008=# - applicable to HouseKey with Legacy Applet
-op.format._009=#########################################
-op.format.allowUnknownToken=true
-op.format.soCleanUserToken.update.applet.emptyToken.enable=true
-op.format.soCleanUserToken.update.applet.requiredVersion=1.4.499dc06c
-op.format.soCleanUserToken.update.applet.directory=[TPS_DIR]/applets
-op.format.soCleanUserToken.update.applet.encryption=true
-op.format.soCleanUserToken.update.symmetricKeys.enable=false
-op.format.soCleanUserToken.update.symmetricKeys.requiredVersion=1
-op.format.soCleanUserToken.revokeCert=true
-op.format.soCleanUserToken.ca.conn=ca1
-op.format.soCleanUserToken.loginRequest.enable=false
-op.format.soCleanUserToken.cardmgr_instance=A0000000030000
-op.format.soCleanUserToken.tks.conn=tks1
-op.format.soCleanUserToken.auth.id=ldap1
-op.format.soCleanUserToken.auth.enable=false
-op.format.soCleanUserToken.issuerinfo.enable=true
-op.format.soCleanUserToken.issuerinfo.value=
-op.format.soCleanSOToken.update.applet.emptyToken.enable=true
-op.format.soCleanSOToken.update.applet.requiredVersion=1.4.499dc06c
-op.format.soCleanSOToken.update.applet.directory=[TPS_DIR]/applets
-op.format.soCleanSOToken.update.applet.encryption=true
-op.format.soCleanSOToken.update.symmetricKeys.enable=false
-op.format.soCleanSOToken.update.symmetricKeys.requiredVersion=1
-op.format.soCleanSOToken.revokeCert=true
-op.format.soCleanSOToken.ca.conn=ca1
-op.format.soCleanSOToken.loginRequest.enable=false
-op.format.soCleanSOToken.cardmgr_instance=A0000000030000
-op.format.soCleanSOToken.tks.conn=tks1
-op.format.soCleanSOToken.auth.id=ldap1
-op.format.soCleanSOToken.auth.enable=false
-op.format.soCleanSOToken.issuerinfo.enable=true
-op.format.soCleanSOToken.issuerinfo.value=
-op.format.cleanToken.update.applet.emptyToken.enable=true
-op.format.cleanToken.update.applet.requiredVersion=1.4.499dc06c
-op.format.cleanToken.update.applet.directory=[TPS_DIR]/applets
-op.format.cleanToken.update.applet.encryption=true
-op.format.cleanToken.update.symmetricKeys.enable=false
-op.format.cleanToken.update.symmetricKeys.requiredVersion=1
-op.format.cleanToken.revokeCert=true
-op.format.cleanToken.ca.conn=ca1
-op.format.cleanToken.loginRequest.enable=true
-op.format.cleanToken.cardmgr_instance=A0000000030000
-op.format.cleanToken.tks.conn=tks1
-op.format.cleanToken.auth.id=ldap1
-op.format.cleanToken.auth.enable=false
-op.format.cleanToken.issuerinfo.enable=true
-op.format.cleanToken.issuerinfo.value=
-op.format.soUserKey.update.applet.emptyToken.enable=true
-op.format.soUserKey.update.applet.requiredVersion=1.4.499dc06c
-op.format.soUserKey.update.applet.directory=[TPS_DIR]/applets
-op.format.soUserKey.update.applet.encryption=true
-op.format.soUserKey.update.symmetricKeys.enable=false
-op.format.soUserKey.update.symmetricKeys.requiredVersion=1
-op.format.soUserKey.revokeCert=true
-op.format.soUserKey.ca.conn=ca1
-op.format.soUserKey.loginRequest.enable=false
-op.format.soUserKey.cardmgr_instance=A0000000030000
-op.format.soUserKey.tks.conn=tks1
-op.format.soUserKey.auth.id=ldap1
-op.format.soUserKey.auth.enable=false
-op.format.soUserKey.issuerinfo.enable=true
-op.format.soUserKey.issuerinfo.value=http://[SERVER_NAME]:[PORT]/cgi-bin/home/index.cgi
-op.format.soKey.update.applet.emptyToken.enable=true
-op.format.soKey.update.applet.requiredVersion=1.4.499dc06c
-op.format.soKey.update.applet.directory=[TPS_DIR]/applets
-op.format.soKey.update.applet.encryption=true
-op.format.soKey.update.symmetricKeys.enable=false
-op.format.soKey.update.symmetricKeys.requiredVersion=1
-op.format.soKey.revokeCert=true
-op.format.soKey.ca.conn=ca1
-op.format.soKey.loginRequest.enable=true
-op.format.soKey.cardmgr_instance=A0000000030000
-op.format.soKey.tks.conn=tks1
-op.format.soKey.auth.id=ldap2
-op.format.soKey.auth.enable=true
-op.format.soKey.issuerinfo.enable=true
-op.format.soKey.issuerinfo.value=http://[SERVER_NAME]:[PORT]/cgi-bin/so/index.cgi
-op.format.userKey.update.applet.emptyToken.enable=true
-op.format.userKey.update.applet.requiredVersion=1.4.499dc06c
-op.format.userKey.update.applet.directory=[TPS_DIR]/applets
-op.format.userKey.update.applet.encryption=true
-op.format.userKey.update.symmetricKeys.enable=false
-op.format.userKey.update.symmetricKeys.requiredVersion=1
-op.format.userKey.revokeCert=true
-op.format.userKey.ca.conn=ca1
-op.format.userKey.loginRequest.enable=true
-op.format.userKey.cardmgr_instance=A0000000030000
-op.format.userKey.tks.conn=tks1
-op.format.userKey.auth.id=ldap1
-op.format.userKey.auth.enable=true
-op.format.userKey.issuerinfo.enable=true
-op.format.userKey.issuerinfo.value=http://[SERVER_NAME]:[PORT]/cgi-bin/home/index.cgi
-op.format.tokenKey.update.applet.emptyToken.enable=true
-op.format.tokenKey.update.applet.requiredVersion=1.4.499dc06c
-op.format.tokenKey.update.applet.directory=[TPS_DIR]/applets
-op.format.tokenKey.update.applet.encryption=true
-op.format.tokenKey.update.symmetricKeys.enable=false
-op.format.tokenKey.update.symmetricKeys.requiredVersion=1
-op.format.tokenKey.revokeCert=true
-op.format.tokenKey.ca.conn=ca1
-op.format.tokenKey.loginRequest.enable=true
-op.format.tokenKey.cardmgr_instance=A0000000030000
-op.format.tokenKey.tks.conn=tks1
-op.format.tokenKey.auth.id=ldap1
-op.format.tokenKey.auth.enable=true
-op.format.tokenKey.issuerinfo.enable=true
-op.format.tokenKey.issuerinfo.value=http://[SERVER_NAME]:[PORT]/cgi-bin/home/index.cgi
-tokendb._000=#########################################
-tokendb._001=# tokendb.auditLog:
-tokendb._002=#   - audit log path
-tokendb._003=# tokendb.host:
-tokendb._004=#   - tokendb host name
-tokendb._005=# tokendb.port:
-tokendb._006=#   - tokendb port number
-tokendb._007=# tokendb.bindDN:
-tokendb._008=#   - tokendb administration DN (i.e. cn=Directory Manager)
-tokendb._009=# tokendb.bindPassPath:
-tokendb._010=#   - tokendb administration password file path
-tokendb._011=# tokendb.templateDir
-tokendb._012=#   - directory where all the tokendb templates are located
-tokendb._013=# tokendb.userBaseDN:
-tokendb._014=#   - directory base DN for users and groups
-tokendb._015=# tokendb.baseDN:
-tokendb._016=#   - directory base DN for tokens
-tokendb._017=# tokendb.activityBaseDN:
-tokendb._018=#   - directory base DN for activities
-tokendb._019=# tokendb.indexTemplate=index.template
-tokendb._020=#   - index template
-tokendb._021=# tokendb.newTemplate=new.template
-tokendb._022=#   - add template
-tokendb._023=# tokendb.showTemplate=show.template
-tokendb._024=#   - show template
-tokendb._025=# tokendb.errorTemplate=error.template
-tokendb._026=#   - error template
-tokendb._027=# tokendb.searchTemplate=search.template
-tokendb._028=#   - search template
-tokendb._029=# tokendb.searchResultTemplate=searchResults.template
-tokendb._030=#   - search result template
-tokendb._031=# tokendb.editTemplate=edit.template
-tokendb._032=#   - edit template
-tokendb._033=# tokendb.editResultTemplate=editResults.template
-tokendb._034=#   - edit result template
-tokendb._035=# tokendb.addResultTemplate=addResults.template
-tokendb._036=#   - add result template
-tokendb._037=# tokendb.deleteResultTemplate=deleteResults.template
-tokendb._038=#   - delete result template
-tokendb._039=# tokendb.searchActivityTemplate=searchActivity.template
-tokendb._040=#   - search activity template
-tokendb._041=# tokendb.searchActivityResultTemplate=searchActivityResults.template
-tokendb._042=#   - search activity result template
-tokendb._043=# tokendb.showAdminTemplate=showAdmin.template
-tokendb._044=#   - show admin template
-tokendb._045=# tokendb.editAdminTemplate=editAdmin.template
-tokendb._046=#   - edit admin template
-tokendb._047=# tokendb.editAdminResultTemplate=editAdminResults.template
-tokendb._048=#   - edit admin result template
-tokendb._049=# tokendb.searchAdminTemplate=searchAdmin.template
-tokendb._050=#   - search admin template
-tokendb._051=# tokendb.searchAdminResultTemplate=searchAdminResults.template
-tokendb._052=#   - search admin result template
-tokendb._053=# tokendb.defaultPolicy:
-tokendb._054=# Supported Policy (Separated by ; [Semicolon]):
-tokendb._055=# For example, PIN_RESET=YES|NO;RE_ENROLL=YES|NO
-tokendb._056=#   PIN_RESET=YES|NO
-tokendb._057=#   - If not present, pin reset by user is allowed.
-tokendb._058=#   - If present and agent change PIN_RESET from NO 
-tokendb._059=#     to YES, user is allowed to do pin reset. This 
-tokendb._060=#     policy will be changed back to NO after pin reset.
-tokendb._061=#   RE_ENROLL=YES|NO
-tokendb._062=#   - If not present, re-enrollment is allowed.
-tokendb._063=#   - If present, re-enrollment is allowed when RE_ENROLL
-tokendb._064=#     is set to YES. Otherwise, re-enrollment is not 
-tokendb._065=#     allowed.
-tokendb._066=# tokendb.allowedTransitions: 
-tokendb._067=#   - has transitions between the following states
-tokendb._068=#     TOKEN_UNINITIALIZED = 0,
-tokendb._069=#     TOKEN_DAMAGED =1,
-tokendb._070=#     TOKEN_PERM_LOST=2,
-tokendb._071=#     TOKEN_TEMP_LOST=3,
-tokendb._072=#     TOKEN_FOUND =4,
-tokendb._073=#     TOKEN_TEMP_LOST_PERM_LOST =5,
-tokendb._074=#     TOKEN_TERMINATED = 6
-tokendb._075=#########################################
-tokendb.auditLog=[SERVER_ROOT]/logs/tokendb-audit.log
-tokendb.hostport=[TOKENDB_HOST]:[TOKENDB_PORT]
-tokendb.ssl=false
-tokendb.bindDN=cn=Directory Manager
-tokendb.bindPassPath=[SERVER_ROOT]/conf/password.conf
-tokendb.templateDir=[SERVER_ROOT]/docroot/tus
-tokendb.userBaseDN=[TOKENDB_ROOT]
-tokendb.baseDN=ou=Tokens,[TOKENDB_ROOT]
-tokendb.activityBaseDN=ou=Activities,[TOKENDB_ROOT]
-tokendb.certBaseDN=ou=Certificates,[TOKENDB_ROOT]
-tokendb.indexTemplate=index.template
-tokendb.indexAdminTemplate=indexAdmin.template
-tokendb.newTemplate=new.template
-tokendb.showTemplate=show.template
-tokendb.showCertTemplate=showCert.template
-tokendb.errorTemplate=error.template
-tokendb.searchTemplate=search.template
-tokendb.searchResultTemplate=searchResults.template
-tokendb.searchCertificateResultTemplate=searchCertificateResults.template
-tokendb.editTemplate=edit.template
-tokendb.editResultTemplate=editResults.template
-tokendb.addResultTemplate=addResults.template
-tokendb.deleteTemplate=delete.template
-tokendb.deleteResultTemplate=deleteResults.template
-tokendb.searchActivityTemplate=searchActivity.template
-tokendb.searchCertificateTemplate=searchCertificate.template
-tokendb.searchActivityResultTemplate=searchActivityResults.template
-tokendb.searchActivityAdminTemplate=searchActivityAdmin.template
-tokendb.searchActivityAdminResultTemplate=searchActivityAdminResults.template
-tokendb.showAdminTemplate=showAdmin.template
-tokendb.doTokenTemplate=doToken.template
-tokendb.doTokenConfirmTemplate=doTokenConfirm.template
-tokendb.revokeTemplate=revoke.template
-tokendb.searchAdminTemplate=searchAdmin.template
-tokendb.searchAdminResultTemplate=searchAdminResults.template
-tokendb.defaultPolicy=RE_ENROLL=YES
-tokendb.newUserTemplate=newUser.template
-tokendb.userDeleteTemplate=userDelete.template
-tokendb.searchUserResultTemplate=searchUserResults.template
-tokendb.searchUserTemplate=searchUser.template
-tokendb.editUserTemplate=editUser.template
-tokendb.indexOperatorTemplate=indexOperator.template
-tokendb.selfTestTemplate=selfTest.template
-tokendb.selfTestResultsTemplate=selfTestResults.template
-tokendb.auditAdminTemplate=auditAdmin.template
-tokendb.selectConfigTemplate=selectConfig.template
-tokendb.agentSelectConfigTemplate=agentSelectConfig.template
-tokendb.editConfigTemplate=editConfig.template
-tokendb.agentViewConfigTemplate=agentViewConfig.template
-tokendb.addConfigTemplate=addConfig.template
-tokendb.confirmConfigChangesTemplate=confirmConfigChanges.template
-tokendb.confirmDeleteConfigTemplate=confirmDeleteConfig.template
-log.instance.SignedAudit.selected.events=ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,LOG_EXPIRATION_CHANGE,CONFIG,CONFIG_ROLE,CONFIG_TOKEN,CONFIG_PROFILE,CONFIG_AUDIT,APPLET_UPGRADE,KEY_CHANGEOVER,RENEWAL
-log.instance.SignedAudit.selectable.events=ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,LOG_EXPIRATION_CHANGE,PRIVATE_KEY_ARCHIVE,PRIVATE_KEY_ARCHIVE_PROCESSED,KEY_RECOVERY_REQUEST,KEY_RECOVERY_AGENT_LOGIN,KEY_RECOVERY_PROCESSED,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,CONFIG,CONFIG_ROLE,CONFIG_TOKEN,CONFIG_PROFILE,CONFIG_AUDIT,APPLET_UPGRADE,KEY_CHANGEOVER,RENEWAL
-log.instance.SignedAudit.nonselectable.events=AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ_SUCCESS,AUTHZ_FAIL,INTER_BOUNDARY,AUTH_FAIL,AUTH_SUCCESS,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,SERVER_SIDE_KEYGEN_PROCESSED,SERVER_SIDE_KEYGEN_REQUEST
-tokendb.allowedTransitions=0:1,0:2,0:3,0:4,0:5,0:6,3:4,3:5,3:6,4:1,4:2,4:3,4:6
-target._000=#########################################
-target._001=# entries to enable configuration of parameter sets through the TPS UI agent and admin tabs
-target._002=#
-target._003=# target.configure.list = comma separated lists of all parameter sets that can be configured by the admin.
-target._004=#    Each entry will show up (with underscore replaced by space) under Advanced Configuration on the admin tab.
-target._005=#
-target._006=# target.agent_approve.list = comma separated subset of above list.  Parameter sets in this list
-target._007=#    will show up in the agent tab (under advanced configuration) and will require agent involvement
-target._008=#   (enable/ disable) to be edited.
-target._009=#
-target._010=# For the wording to display correctly, the values in the above list should be plurals.
-target._011=#
-target._012=# Each parameter set in the lists above requires three parameters:
-target._013=#    target.<type name>.list : list of choices of this parameter set type (will display in the drop down box) 
-target._014=#    target.<type name>.pattern : the regular expression to select parameters in CS.cfg for this parameter set.
-target._015=#    target.<type_name>.displayname: used in the UI display text.  This should be the singular form of <type_name>.
-target._016=#
-target._017=# The exception is the parameter set Generals, which has only a pattern and displayname defined. 
-target._018=#   
-target._019=########################################   
-target.configure.list=Profiles,Subsystem_Connections,Profile_Mappings,Authentication_Sources
-target.agent_approve.list=Profiles
-target.Profiles.list=userKey,soKey,soCleanUserToken,soUserKey,cleanToken,soCleanSoToken,tokenKey
-target.Profiles.pattern=op\..*\.$name\..*
-target.Profiles.displayname=Profile
-target.Subsystem_Connections.list=ca1,drm1,tks1
-target.Subsystem_Connections.pattern=conn\.$name\..*
-target.Subsystem_Connections.displayname=Subsystem Connection
-target.Profile_Mappings.list=enroll,format,pinReset
-target.Profile_Mappings.pattern=op\.$name\.mapping\..*
-target.Profile_Mappings.displayname=Profile Mapping
-target.Authentication_Sources.list=0,1
-target.Authentication_Sources.pattern=auth\.instance\.$name\..*
-target.Authentication_Sources.displayname=Authentication Source
-target.Generals.displayname=General
-target.Generals.pattern=^applet\..*\|^general\..*\|^failover.pod.enable\|^channel\..*
-config.Generals.General.state=Enabled
-config.Generals.General.timestamp=1280283607424406
-tps._000=########################################
-tps._001=# For verifying system certificates
-tps._002=# tps.cert.list=sslserver,subsystem,audit_signing
-tps._003=# tps.cert.sslserver.nickname=xxx
-tps._005=# tps.cert.subsystem.nickname=xxx
-tps._007=# tps.cert.audit_signing.nickname=xxx 
-tps._009=########################################
-tps.cert.list=sslserver,subsystem,audit_signing
-tps.cert.sslserver.nickname=[HSM_LABEL][NICKNAME]
-tps.cert.subsystem.nickname=[HSM_LABEL][NICKNAME]
-tps.cert.audit_signing.nickname=[HSM_LABEL][NICKNAME]
diff --git a/pki/base/tps/doc/CS.cfg.in b/pki/base/tps/doc/CS.cfg.in
index 896bcbc14..2c7ec6020 100644
--- a/pki/base/tps/doc/CS.cfg.in
+++ b/pki/base/tps/doc/CS.cfg.in
@@ -18,19 +18,25 @@
 # All rights reserved.
 # --- END COPYRIGHT BLOCK ---
 #
-pkicreate.pki_instance_root=[INSTANCE_ROOT]
-pkicreate.pki_instance_name=[INSTANCE_ID]
-pkicreate.subsystem_type=[SUBSYSTEM_TYPE]
+pkicreate.pki_instance_root=[PKI_INSTANCE_ROOT]
+pkicreate.pki_instance_name=[PKI_INSTANCE_ID]
+pkicreate.subsystem_type=[PKI_SUBSYSTEM_TYPE]
 pkicreate.secure_port=[SECURE_PORT]
 pkicreate.non_clientauth_secure_port=[NON_CLIENTAUTH_SECURE_PORT]
 pkicreate.unsecure_port=[PORT]
-pkicreate.user=[USERID]
-pkicreate.group=[GROUPID]
-pkiremove.cert.subsystem.nickname=subsystemCert cert-[INSTANCE_ID]
+pkicreate.user=[PKI_USER]
+pkicreate.group=[PKI_GROUP]
+pkiremove.cert.subsystem.nickname=subsystemCert cert-[PKI_INSTANCE_ID]
 cs.type=TPS
 selftests._000=##
 selftests._001=## Self Tests
 selftests._002=##
+selftests._003=## The Self-Test plugin TPSSystemCertsVerification uses the
+selftests._004=## following parameters (where certusage is optional):
+selftests._005=## tps.cert.list = <list of cert tag names deliminated by ",">
+selftests._006=## tps.cert.<cert tag name>.nickname
+selftests._007=## tps.cert.<cert tag name>.certusage
+selftests._008=##
 selftests.container.logger.enable=true
 selftests.container.logger.expirationTime=0
 selftests.container.logger.file.type=RollingLogFile
@@ -38,8 +44,8 @@ selftests.container.logger.fileName=[SERVER_ROOT]/logs/selftests.log
 selftests.container.logger.level=10
 selftests.container.logger.maxFileSize=2000
 selftests.container.logger.rolloverInterval=2592000
-selftests.container.order.startup=TPSPresence:critical, TPSValidity:critical
-selftests.container.order.onDemand=TPSPresence:critical, TPSValidity:critical
+selftests.container.order.startup=TPSPresence:critical, TPSSystemCertsVerification:critical
+selftests.container.order.onDemand=TPSPresence:critical, TPSValidity:critical, TPSSystemCertsVerification:critical
 selftests.plugin.TPSPresence.nickname=[HSM_LABEL][NICKNAME]
 selftests.plugin.TPSValidity.nickname=[HSM_LABEL][NICKNAME]
 service.machineName=[SERVER_NAME]
@@ -47,7 +53,7 @@ service.instanceDir=[SERVER_ROOT]
 service.securePort=[SECURE_PORT]
 service.non_clientauth_securePort=[NON_CLIENTAUTH_SECURE_PORT]
 service.unsecurePort=[PORT]
-service.instanceID=[INSTANCE_ID]
+service.instanceID=[PKI_INSTANCE_ID]
 logging._000=#########################################
 logging._001=# RA configuration File
 logging._002=#
@@ -111,9 +117,9 @@ logging.audit.filename=[SERVER_ROOT]/logs/tps-audit.log
 logging.audit.signedAuditFilename=[SERVER_ROOT]/logs/signedAudit/tps_audit
 logging.audit.level=10
 logging.audit.logSigning=false
-logging.audit.signedAuditCertNickname=auditSigningCert cert-[INSTANCE_ID]
-logging.audit.selected.events=AUTHZ_SUCCESS,AUTHZ_FAIL,AUTH_FAIL,AUTH_SUCCESS,ROLE_ASSUME,ENROLLMENT,PIN_RESET,FORMAT,CONFIG,CONFIG_ROLE,CONFIG_TOKEN,CONFIG_PROFILE,CONFIG_AUDIT,APPLET_UPGRADE,KEY_CHANGEOVER,RENEWAL
-logging.audit.selectable.events=AUTHZ_SUCCESS,AUTHZ_FAIL,AUTH_FAIL,AUTH_SUCCESS,ROLE_ASSUME,ENROLLMENT,PIN_RESET,FORMAT,CONFIG,CONFIG_ROLE,CONFIG_TOKEN,CONFIG_PROFILE,CONFIG_AUDIT,APPLET_UPGRADE,KEY_CHANGEOVER,RENEWAL
+logging.audit.signedAuditCertNickname=auditSigningCert cert-[PKI_INSTANCE_ID]
+logging.audit.selected.events=AUTHZ_SUCCESS,AUTHZ_FAIL,AUTH_FAIL,AUTH_SUCCESS,ROLE_ASSUME,ENROLLMENT,PIN_RESET,FORMAT,CONFIG,CONFIG_ROLE,CONFIG_TOKEN,CONFIG_PROFILE,CONFIG_AUDIT,APPLET_UPGRADE,KEY_CHANGEOVER,RENEWAL,CIMC_CERT_VERIFICATION
+logging.audit.selectable.events=AUTHZ_SUCCESS,AUTHZ_FAIL,AUTH_FAIL,AUTH_SUCCESS,ROLE_ASSUME,ENROLLMENT,PIN_RESET,FORMAT,CONFIG,CONFIG_ROLE,CONFIG_TOKEN,CONFIG_PROFILE,CONFIG_AUDIT,APPLET_UPGRADE,KEY_CHANGEOVER,RENEWAL,CIMC_CERT_VERIFICATION
 logging.audit.nonselectable.events=AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,LOGGING_SIGNED_AUDIT_SIGNING
 logging.audit.buffer.size=512
 logging.audit.flush.interval=5
@@ -156,8 +162,8 @@ conn.ca1.hostport=[CA_HOST]:[CA_PORT]
 conn.ca1.clientNickname=[HSM_LABEL][NICKNAME]
 conn.ca1.servlet.enrollment=/ca/ee/ca/profileSubmitSSLClient
 conn.ca1.servlet.renewal=/ca/ee/ca/profileSubmitSSLClient
-conn.ca1.servlet.revoke=/ca/subsystem/ca/doRevoke
-conn.ca1.servlet.unrevoke=/ca/subsystem/ca/doUnrevoke
+conn.ca1.servlet.revoke=/ca/ee/subsystem/ca/doRevoke
+conn.ca1.servlet.unrevoke=/ca/ee/subsystem/ca/doUnrevoke
 conn.ca1.retryConnect=3
 conn.ca1.timeout=100
 conn.ca1.SSLOn=true
@@ -343,6 +349,7 @@ general.search.sizelimit.max=2000
 general.search.sizelimit.default=100
 general.search.timelimit.max=10
 general.search.timelimit.default=10
+general.pwlength.min=16
 channel._000=#########################################
 channel._001=# channel.encryption:
 channel._002=#
@@ -370,34 +377,34 @@ preop.cert.list=sslserver,subsystem,audit_signing
 preop.cert.sslserver.enable=true
 preop.cert.subsystem.enable=true
 preop.cert.audit_signing.enable=false
-preop.cert.sslserver.defaultSigningAlgorithm=SHA1withRSA
-preop.cert.sslserver.dn=CN=[SERVER_NAME], OU=[INSTANCE_ID]
+preop.cert.sslserver.defaultSigningAlgorithm=SHA256withRSA
+preop.cert.sslserver.dn=CN=[SERVER_NAME], OU=[PKI_INSTANCE_ID]
 preop.cert.sslserver.keysize.customsize=2048
 preop.cert.sslserver.keysize.size=2048
 preop.cert.sslserver.keysize.select=custom
-preop.cert.sslserver.nickname=Server-Cert cert-[INSTANCE_ID]
+preop.cert.sslserver.nickname=Server-Cert cert-[PKI_INSTANCE_ID]
 preop.cert.sslserver.profile=caInternalAuthServerCert
 preop.cert.sslserver.subsystem=tps
 preop.cert._003=#preop.cert.sslserver.type=local
 preop.cert.sslserver.userfriendlyname=SSL Server Certificate
 preop.cert._004=#preop.cert.sslserver.cncomponent.override=false
-preop.cert.subsystem.defaultSigningAlgorithm=SHA1withRSA
-preop.cert.subsystem.dn=CN=TPS Subsystem Certificate, OU=[INSTANCE_ID]
+preop.cert.subsystem.defaultSigningAlgorithm=SHA256withRSA
+preop.cert.subsystem.dn=CN=TPS Subsystem Certificate, OU=[PKI_INSTANCE_ID]
 preop.cert.subsystem.keysize.customsize=2048
 preop.cert.subsystem.keysize.size=2048
 preop.cert.subsystem.keysize.select=custom
-preop.cert.subsystem.nickname=subsystemCert cert-[INSTANCE_ID]
+preop.cert.subsystem.nickname=subsystemCert cert-[PKI_INSTANCE_ID]
 preop.cert.subsystem.profile=caInternalAuthSubsystemCert
 preop.cert.subsystem.subsystem=tps
 preop.cert._005=#preop.cert.subsystem.type=local
 preop.cert.subsystem.userfriendlyname=Subsystem Certificate
 preop.cert._006=#preop.cert.subsystem.cncomponent.override=true
-preop.cert.audit_signing.defaultSigningAlgorithm=SHA1withRSA
-preop.cert.audit_signing.dn=CN=TPS Audit Signing Certificate, OU=[INSTANCE_ID]
+preop.cert.audit_signing.defaultSigningAlgorithm=SHA256withRSA
+preop.cert.audit_signing.dn=CN=TPS Audit Signing Certificate, OU=[PKI_INSTANCE_ID]
 preop.cert.audit_signing.keysize.customsize=2048
 preop.cert.audit_signing.keysize.size=2048
 preop.cert.audit_signing.keysize.select=custom
-preop.cert.audit_signing.nickname=auditSigningCert cert-[INSTANCE_ID]
+preop.cert.audit_signing.nickname=auditSigningCert cert-[PKI_INSTANCE_ID]
 preop.cert.audit_signing.profile=caInternalAuthAuditSigningCert
 preop.cert.audit_signing.subsystem=tps
 preop.cert._005=#preop.cert.audit_signing.type=local
@@ -715,7 +722,6 @@ op.enroll.userKey.keyGen.signing.privateKeyNumber=2
 op.enroll.userKey.keyGen.signing.publicKeyNumber=3
 op.enroll.userKey.keyGen.signing.ca.profileId=caTokenUserSigningKeyEnrollment
 op.enroll.userKey.keyGen.signing.ca.conn=ca1
-op.enroll.userKey.keyGen.signing.revokeCert=true
 op.enroll.userKey._079=#op.enroll.userKey.keyGen.signing.publisherId=fileBasedPublisher
 op.enroll.userKey.keyGen.encryption.keySize=1024
 op.enroll.userKey.keyGen.encryption.public.keyCapabilities.encrypt=true
@@ -755,7 +761,6 @@ op.enroll.userKey.keyGen.encryption.privateKeyNumber=4
 op.enroll.userKey.keyGen.encryption.publicKeyNumber=5
 op.enroll.userKey.keyGen.encryption.ca.profileId=caTokenUserEncryptionKeyEnrollment
 op.enroll.userKey.keyGen.encryption.ca.conn=ca1
-op.enroll.userKey.keyGen.encryption.revokeCert=true
 op.enroll.userKey.pkcs11obj.enable=true
 op.enroll.userKey.pkcs11obj.compress.enable=true
 op.enroll.userKey.update.applet.emptyToken.enable=true
@@ -834,7 +839,6 @@ op.enroll.userKeyTemporary.keyGen.auth.privateKeyNumber=0
 op.enroll.userKeyTemporary.keyGen.auth.publicKeyNumber=1
 op.enroll.userKeyTemporary.keyGen.auth.ca.profileId=caTempTokenDeviceKeyEnrollment
 op.enroll.userKeyTemporary.keyGen.auth.ca.conn=ca1
-op.enroll.userKeyTemporary.keyGen.auth.revokeCert=true
 op.enroll.userKeyTemporary.keyGen.signing.keySize=1024
 op.enroll.userKeyTemporary.keyGen.signing.public.keyCapabilities.encrypt=false
 op.enroll.userKeyTemporary.keyGen.signing.public.keyCapabilities.sign=false
@@ -873,7 +877,6 @@ op.enroll.userKeyTemporary.keyGen.signing.privateKeyNumber=2
 op.enroll.userKeyTemporary.keyGen.signing.publicKeyNumber=3
 op.enroll.userKeyTemporary.keyGen.signing.ca.profileId=caTempTokenUserSigningKeyEnrollment
 op.enroll.userKeyTemporary.keyGen.signing.ca.conn=ca1
-op.enroll.userKeyTemporary.keyGen.signing.revokeCert=true
 op.enroll.userKey._080=#op.enroll.userKeyTemporary.keyGen.signing.publisherId=fileBasedPublisher
 op.enroll.userKeyTemporary.keyGen.encryption.keySize=1024
 op.enroll.userKeyTemporary.keyGen.encryption.public.keyCapabilities.encrypt=true
@@ -913,7 +916,6 @@ op.enroll.userKeyTemporary.keyGen.encryption.privateKeyNumber=4
 op.enroll.userKeyTemporary.keyGen.encryption.publicKeyNumber=5
 op.enroll.userKeyTemporary.keyGen.encryption.ca.profileId=caTempTokenUserEncryptionKeyEnrollment
 op.enroll.userKeyTemporary.keyGen.encryption.ca.conn=ca1
-op.enroll.userKeyTemporary.keyGen.encryption.revokeCert=true
 op.enroll.userKeyTemporary.pkcs11obj.enable=true
 op.enroll.userKeyTemporary.pkcs11obj.compress.enable=true
 op.enroll.userKeyTemporary.update.applet.emptyToken.enable=true
@@ -1031,7 +1033,6 @@ op.enroll.soKey.keyGen.signing.privateKeyNumber=2
 op.enroll.soKey.keyGen.signing.publicKeyNumber=3
 op.enroll.soKey.keyGen.signing.ca.profileId=caTokenUserSigningKeyEnrollment
 op.enroll.soKey.keyGen.signing.ca.conn=ca1
-op.enroll.soKey.keyGen.signing.revokeCert=true
 op.enroll.soKey._079=#op.enroll.userKey.keyGen.signing.publisherId=fileBasedPublisher
 op.enroll.soKey.keyGen.encryption.keySize=1024
 op.enroll.soKey.keyGen.encryption.public.keyCapabilities.encrypt=true
@@ -1071,7 +1072,6 @@ op.enroll.soKey.keyGen.encryption.privateKeyNumber=4
 op.enroll.soKey.keyGen.encryption.publicKeyNumber=5
 op.enroll.soKey.keyGen.encryption.ca.profileId=caTokenUserEncryptionKeyEnrollment
 op.enroll.soKey.keyGen.encryption.ca.conn=ca1
-op.enroll.soKey.keyGen.encryption.revokeCert=true
 op.enroll.soKey.pkcs11obj.enable=true
 op.enroll.soKey.pkcs11obj.compress.enable=true
 op.enroll.soKey.update.applet.emptyToken.enable=true
@@ -1150,7 +1150,6 @@ op.enroll.soKeyTemporary.keyGen.auth.privateKeyNumber=0
 op.enroll.soKeyTemporary.keyGen.auth.publicKeyNumber=1
 op.enroll.soKeyTemporary.keyGen.auth.ca.profileId=caTempTokenDeviceKeyEnrollment
 op.enroll.soKeyTemporary.keyGen.auth.ca.conn=ca1
-op.enroll.soKeyTemporary.keyGen.auth.revokeCert=true
 op.enroll.soKeyTemporary.keyGen.signing.keySize=1024
 op.enroll.soKeyTemporary.keyGen.signing.public.keyCapabilities.encrypt=false
 op.enroll.soKeyTemporary.keyGen.signing.public.keyCapabilities.sign=false
@@ -1189,7 +1188,6 @@ op.enroll.soKeyTemporary.keyGen.signing.privateKeyNumber=2
 op.enroll.soKeyTemporary.keyGen.signing.publicKeyNumber=3
 op.enroll.soKeyTemporary.keyGen.signing.ca.profileId=caTempTokenUserSigningKeyEnrollment
 op.enroll.soKeyTemporary.keyGen.signing.ca.conn=ca1
-op.enroll.soKeyTemporary.keyGen.signing.revokeCert=true
 op.enroll.soKeyTemporary.keyGen.encryption.keySize=1024
 op.enroll.soKeyTemporary.keyGen.encryption.public.keyCapabilities.encrypt=true
 op.enroll.soKeyTemporary.keyGen.encryption.public.keyCapabilities.sign=false
@@ -1228,7 +1226,6 @@ op.enroll.soKeyTemporary.keyGen.encryption.privateKeyNumber=4
 op.enroll.soKeyTemporary.keyGen.encryption.publicKeyNumber=5
 op.enroll.soKeyTemporary.keyGen.encryption.ca.profileId=caTempTokenUserEncryptionKeyEnrollment
 op.enroll.soKeyTemporary.keyGen.encryption.ca.conn=ca1
-op.enroll.soKeyTemporary.keyGen.encryption.revokeCert=true
 op.enroll.soKeyTemporary.pkcs11obj.enable=true
 op.enroll.soKeyTemporary.pkcs11obj.compress.enable=true
 op.enroll.soKeyTemporary.update.applet.emptyToken.enable=true
@@ -1539,23 +1536,42 @@ target._006=# target.agent_approve.list = comma separated subset of above list.
 target._007=#    will show up in the agent tab (under advanced configuration) and will require agent involvement
 target._008=#   (enable/ disable) to be edited.
 target._009=#
-target._010=# Each parameter set in the lists above requires two parameters:
-target._011=#    target.<type name>.list : list of choices of this parameter set type (will display in the drop down box)
-target._012=#    target.<type name>.pattern : the regular expression to select parameters in CS.cfg for this parameter set.
-target._013=#
-target._014=# The exception is the parameter set Generals, which only has a pattern defined. ie. target.Generals.pattern
+target._010=# For the wording to display correctly, the values in the above list should be plurals.
+target._011=#
+target._012=# Each parameter set in the lists above requires three parameters:
+target._013=#    target.<type name>.list : list of choices of this parameter set type (will display in the drop down box)
+target._014=#    target.<type name>.pattern : the regular expression to select parameters in CS.cfg for this parameter set.
+target._015=#    target.<type_name>.displayname: used in the UI display text.  This should be the singular form of <type_name>.
 target._016=#
-target._017=########################################
+target._017=# The exception is the parameter set Generals, which has only a pattern and displayname defined.
+target._018=#
+target._019=########################################
 target.configure.list=Profiles,Subsystem_Connections,Profile_Mappings,Authentication_Sources
 target.agent_approve.list=Profiles
 target.Profiles.list=userKey,soKey,soCleanUserToken,soUserKey,cleanToken,soCleanSoToken,tokenKey
 target.Profiles.pattern=op\..*\.$name\..*
+target.Profiles.displayname=Profile
 target.Subsystem_Connections.list=ca1,drm1,tks1
 target.Subsystem_Connections.pattern=conn\.$name\..*
+target.Subsystem_Connections.displayname=Subsystem Connection
 target.Profile_Mappings.list=enroll,format,pinReset
 target.Profile_Mappings.pattern=op\.$name\.mapping\..*
+target.Profile_Mappings.displayname=Profile Mapping
 target.Authentication_Sources.list=0,1
 target.Authentication_Sources.pattern=auth\.instance\.$name\..*
+target.Authentication_Sources.displayname=Authentication Source
+target.Generals.displayname=General
 target.Generals.pattern=^applet\..*\|^general\..*\|^failover.pod.enable\|^channel\..*
 config.Generals.General.state=Enabled
 config.Generals.General.timestamp=1280283607424406
+tps._000=########################################
+tps._001=# For verifying system certificates
+tps._002=# tps.cert.list=sslserver,subsystem,audit_signing
+tps._003=# tps.cert.sslserver.nickname=xxx
+tps._005=# tps.cert.subsystem.nickname=xxx
+tps._007=# tps.cert.audit_signing.nickname=xxx
+tps._009=########################################
+tps.cert.list=sslserver,subsystem,audit_signing
+tps.cert.sslserver.nickname=[HSM_LABEL][NICKNAME]
+tps.cert.subsystem.nickname=[HSM_LABEL][NICKNAME]
+tps.cert.audit_signing.nickname=[HSM_LABEL][NICKNAME]
diff --git a/pki/base/tps/src/CMakeLists.txt b/pki/base/tps/src/CMakeLists.txt
index fe27b3e63..7f7859ba4 100644
--- a/pki/base/tps/src/CMakeLists.txt
+++ b/pki/base/tps/src/CMakeLists.txt
@@ -1,10 +1,11 @@
 project(tps_library CXX)
 
+set(TPS_LIBRARY_VERSION ${APPLICATION_VERSION})
+set(TPS_LIBRARY_SOVERSION 9)
+
 set(TPS_INCLUDE_DIR ${CMAKE_CURRENT_SOURCE_DIR}/include)
 
-add_subdirectory(authentication)
 add_subdirectory(tus)
-add_subdirectory(modules)
 
 set(TPS_PUBLIC_INCLUDE_DIRS
   ${CMAKE_CURRENT_BINARY_DIR}
@@ -19,6 +20,7 @@ set(TPS_PRIVATE_INCLUDE_DIRS
   ${NSS_INCLUDE_DIRS}
   ${NSPR_INCLUDE_DIRS}
   ${APR_INCLUDE_DIRS}
+  ${SVRCORE_INCLUDE_DIRS}
   ${MOZLDAP_INCLUDE_DIRS}
 )
 
@@ -31,6 +33,7 @@ set(TPS_LINK_LIBRARIES
   ${NSPR_LIBRARIES}
   ${NSS_LIBRARIES}
   ${APR_LIBRARIES}
+  ${SVRCORE_LIBRARIES}
   ${MOZLDAP_LIBRARIES}
   ${TOKENDB_SHARED_LIBRARY}
 )
@@ -121,6 +124,7 @@ set(tps_library_SRCS
     processor/RA_Format_Processor.cpp
     selftests/SelfTest.cpp
     selftests/TPSPresence.cpp
+    selftests/TPSSystemCertsVerification.cpp
     selftests/TPSValidity.cpp
 )
 
@@ -144,3 +148,7 @@ install(
         ${TPS_SHARED_LIBRARY}
     LIBRARY DESTINATION ${LIB_INSTALL_DIR}
 )
+
+add_subdirectory(authentication)
+add_subdirectory(modules)
+
diff --git a/pki/base/tps/src/authentication/CMakeLists.txt b/pki/base/tps/src/authentication/CMakeLists.txt
index 5dec1b5c7..25cb4720b 100644
--- a/pki/base/tps/src/authentication/CMakeLists.txt
+++ b/pki/base/tps/src/authentication/CMakeLists.txt
@@ -1,7 +1,7 @@
 project(ldapauth_library CXX)
 
 set(LDAPAUTH_LIBRARY_VERSION ${APPLICATION_VERSION})
-set(LDAPAUTH_LIBRARY_SOVERSION 1)
+set(LDAPAUTH_LIBRARY_SOVERSION 9)
 
 set(LDAPAUTH_PUBLIC_INCLUDE_DIRS
   ${CMAKE_CURRENT_BINARY_DIR}
@@ -15,6 +15,7 @@ set(LDAPAUTH_PRIVATE_INCLUDE_DIRS
   ${CMAKE_BINARY_DIR}
   ${NSPR_INCLUDE_DIRS}
   ${NSS_INCLUDE_DIRS}
+  ${SVRCORE_INCLUDE_DIRS}
   ${MOZLDAP_INCLUDE_DIRS}
 )
 
@@ -26,7 +27,10 @@ set(LDAPAUTH_SHARED_LIBRARY
 set(LDAPAUTH_LINK_LIBRARIES
   ${NSPR_LIBRARIES}
   ${NSS_LIBRARIES}
+  ${SVRCORE_LIBRARIES}
   ${MOZLDAP_LIBRARIES}
+  ${TOKENDB_SHARED_LIBRARY}
+  ${TPS_SHARED_LIBRARY}
 )
 
 set(ldapauth_library_SRCS
diff --git a/pki/base/tps/src/modules/tokendb/CMakeLists.txt b/pki/base/tps/src/modules/tokendb/CMakeLists.txt
index 927d2ff7f..c152d80e7 100644
--- a/pki/base/tps/src/modules/tokendb/CMakeLists.txt
+++ b/pki/base/tps/src/modules/tokendb/CMakeLists.txt
@@ -6,6 +6,7 @@ set(TOKENDB_PRIVATE_INCLUDE_DIRS
     ${NSPR_INCLUDE_DIRS}
     ${NSS_INCLUDE_DIRS}
     ${APR_INCLUDE_DIRS}
+    ${SVRCORE_INCLUDE_DIRS}
     ${MOZLDAP_INCLUDE_DIRS}
 )
 
@@ -19,6 +20,7 @@ set(TOKENDB_LINK_LIBRARIES
     ${NSPR_LIBRARIES}
     ${NSS_LIBRARIES}
     ${APR_LIBRARIES}
+    ${SVRCORE_LIBRARIES}
     ${MOZLDAP_LIBRARIES}
 )
 
@@ -33,7 +35,6 @@ target_link_libraries(${TOKENDB_MODULE} ${TOKENDB_LINK_LIBRARIES})
 
 set_target_properties(${TOKENDB_MODULE}
     PROPERTIES
-            ${TOKENDB_LIBRARY_SOVERSION}
         OUTPUT_NAME
             mod_tokendb
         PREFIX ""
@@ -43,5 +44,5 @@ install(
     TARGETS
         ${TOKENDB_MODULE}
     DESTINATION
-        ${SYSCONF_INSTALL_DIR}/httpd/modules
+        ${LIB_INSTALL_DIR}/httpd/modules
 )
diff --git a/pki/base/tps/src/modules/tps/CMakeLists.txt b/pki/base/tps/src/modules/tps/CMakeLists.txt
index ecc99ff0e..069c87f89 100644
--- a/pki/base/tps/src/modules/tps/CMakeLists.txt
+++ b/pki/base/tps/src/modules/tps/CMakeLists.txt
@@ -6,6 +6,7 @@ set(TPS_PRIVATE_INCLUDE_DIRS
     ${NSPR_INCLUDE_DIRS}
     ${NSS_INCLUDE_DIRS}
     ${APR_INCLUDE_DIRS}
+    ${SVRCORE_INCLUDE_DIRS}
     ${MOZLDAP_INCLUDE_DIRS}
 )
 
@@ -19,7 +20,10 @@ set(TPS_LINK_LIBRARIES
     ${NSPR_LIBRARIES}
     ${NSS_LIBRARIES}
     ${APR_LIBRARIES}
+    ${SVRCORE_LIBRARIES}
     ${MOZLDAP_LIBRARIES}
+    ${TOKENDB_SHARED_LIBRARY}
+    ${TPS_SHARED_LIBRARY}
 )
 
 set(tps_module_SRCS
@@ -35,7 +39,6 @@ target_link_libraries(${TPS_MODULE} ${TPS_LINK_LIBRARIES})
 
 set_target_properties(${TPS_MODULE}
     PROPERTIES
-            ${TPS_LIBRARY_SOVERSION}
         OUTPUT_NAME
             mod_tps
         PREFIX ""
@@ -45,5 +48,5 @@ install(
     TARGETS
         ${TPS_MODULE}
     DESTINATION
-        ${SYSCONF_INSTALL_DIR}/httpd/modules
+        ${LIB_INSTALL_DIR}/httpd/modules
 )
diff --git a/pki/base/tps/src/tus/CMakeLists.txt b/pki/base/tps/src/tus/CMakeLists.txt
index 6785ed625..7cff9d73b 100644
--- a/pki/base/tps/src/tus/CMakeLists.txt
+++ b/pki/base/tps/src/tus/CMakeLists.txt
@@ -1,7 +1,7 @@
 project(tokendb_library C)
 
 set(TOKENDB_LIBRARY_VERSION ${APPLICATION_VERSION})
-set(TOKENDB_LIBRARY_SOVERSION 1)
+set(TOKENDB_LIBRARY_SOVERSION 9)
 
 set(TOKENDB_PUBLIC_INCLUDE_DIRS
   ${CMAKE_CURRENT_BINARY_DIR}
@@ -15,6 +15,7 @@ set(TOKENDB_PRIVATE_INCLUDE_DIRS
   ${CMAKE_BINARY_DIR}
   ${NSPR_INCLUDE_DIRS}
   ${NSS_INCLUDE_DIRS}
+  ${SVRCORE_INCLUDE_DIRS}
   ${MOZLDAP_INCLUDE_DIRS}
 )
 
@@ -26,6 +27,7 @@ set(TOKENDB_SHARED_LIBRARY
 set(TOKENDB_LINK_LIBRARIES
   ${NSPR_LIBRARIES}
   ${NSS_LIBRARIES}
+  ${SVRCORE_LIBRARIES}
   ${MOZLDAP_LIBRARIES}
 )
 
diff --git a/pki/base/tps/tools/raclient/CMakeLists.txt b/pki/base/tps/tools/raclient/CMakeLists.txt
index e28a40d5d..9f4020b31 100644
--- a/pki/base/tps/tools/raclient/CMakeLists.txt
+++ b/pki/base/tps/tools/raclient/CMakeLists.txt
@@ -43,5 +43,5 @@ install(
         format.tps
         reset_pin.tps
     DESTINATION
-        ${SHARE_INSTALL_PREFIX}/${APPLICATION_NAME}/${PROJECT_NAME}/samples
+        ${SHARE_INSTALL_PREFIX}/${APPLICATION_NAME}/tps/samples
 )