author | mharmsen <mharmsen@c9f7a03b-bd48-0410-a16d-cbbf54688b0b> | 2010-01-21 23:17:26 +0000 |
---|---|---|
committer | mharmsen <mharmsen@c9f7a03b-bd48-0410-a16d-cbbf54688b0b> | 2010-01-21 23:17:26 +0000 |
commit | 67ee705eafd9fb655f61732ba3c8ec2c869a409e (patch) | |
tree | d711e76cbd24198cb1247c2c72bbe72e7f40cb4d /pki/base | |
parent | 77677d528c57e0648ee149176fa87447c25292b0 (diff) | |
Bugzilla Bug #512234 - Move pkiuser:pkiuser check from spec file into pkicreate . . .
Bugzilla Bug #547471 - Apply PKI SELinux changes to PKI registry model
Bugzilla Bug #553076 - Apply "registry" logic to pki-ra . . .
Bugzilla Bug #553078 - Apply "registry" logic to pki-tps . . .
git-svn-id: svn+ssh://svn.fedorahosted.org/svn/pki/trunk@933 c9f7a03b-bd48-0410-a16d-cbbf54688b0b
Diffstat (limited to 'pki/base')
-rw-r--r-- | pki/base/ra/apache/conf/httpd.conf | 2 | ||||
-rw-r--r-- | pki/base/ra/build.xml | 16 | ||||
-rwxr-xr-x | pki/base/ra/etc/init.d/httpd | 758 | ||||
-rwxr-xr-x | pki/base/ra/etc/init.d/pki-rad | 1415 | ||||
-rwxr-xr-x | pki/base/ra/setup/postinstall | 66 | ||||
-rw-r--r-- | pki/base/selinux/src/pki.fc | 13 | ||||
-rw-r--r-- | pki/base/selinux/src/pki.if | 34 | ||||
-rw-r--r-- | pki/base/selinux/src/pki.te | 2 | ||||
-rwxr-xr-x | pki/base/setup/pkicommon | 168 | ||||
-rwxr-xr-x | pki/base/setup/pkicreate | 524 | ||||
-rw-r--r-- | pki/base/tps/Makefile.am | 10 | ||||
-rw-r--r-- | pki/base/tps/Makefile.in | 74 | ||||
-rw-r--r-- | pki/base/tps/apache/conf/httpd.conf | 2 | ||||
-rw-r--r-- | pki/base/tps/build.xml | 34 | ||||
-rwxr-xr-x | pki/base/tps/configure | 75 | ||||
-rw-r--r-- | pki/base/tps/configure.ac | 30 | ||||
-rwxr-xr-x | pki/base/tps/etc/init.d/httpd | 780 | ||||
-rwxr-xr-x | pki/base/tps/etc/init.d/pki-tpsd | 1439 | ||||
-rwxr-xr-x | pki/base/tps/setup/postinstall | 68 | ||||
-rwxr-xr-x | pki/base/tps/setup_package | 2 |
20 files changed, 3470 insertions, 2042 deletions
diff --git a/pki/base/ra/apache/conf/httpd.conf b/pki/base/ra/apache/conf/httpd.conf
index 4e6d2151f..1312f0822 100644
--- a/pki/base/ra/apache/conf/httpd.conf
+++ b/pki/base/ra/apache/conf/httpd.conf
@@ -78,7 +78,7 @@ ServerRoot "[SERVER_ROOT]"
 # identification number when it starts.
 #
 <IfModule !mpm_netware.c>
-PidFile logs/[INSTANCE_ID].pid
+PidFile run/[INSTANCE_ID].pid
 </IfModule>
 #
diff --git a/pki/base/ra/build.xml b/pki/base/ra/build.xml
index 499ce45af..3a303fecc 100644
--- a/pki/base/ra/build.xml
+++ b/pki/base/ra/build.xml
@@ -154,12 +154,16 @@
 <include name="scripts/schema.sql"/>
 <include name="setup/config.desktop"/>
 </zipfileset>
+ <zipfileset dir="./etc/init.d"
+ filemode="755"
+ prefix="etc/${init.d}">
+ <include name="pki-rad"/>
+ </zipfileset>
 <zipfileset dir="."
 filemode="755"
 prefix="usr/share/${product.prefix}/${product}">
- <include name="etc/**"/>
 <include name="scripts/nss_pcache"/>
- <include name="setup/postinstall"/>
+ <exclude name="etc/init.d/pki-rad"/>
 </zipfileset>
 <zipfileset dir="./forms"
 filemode="755"
@@ -202,12 +206,16 @@
 <include name="scripts/schema.sql"/>
 <include name="setup/config.desktop"/>
 </tarfileset>
+ <tarfileset dir="./etc/init.d"
+ mode="755"
+ prefix="${dist.name}/etc/${init.d}">
+ <include name="pki-rad"/>
+ </tarfileset>
 <tarfileset dir="."
 mode="755"
 prefix="${dist.name}/usr/share/${product.prefix}/${product}">
- <include name="etc/**"/>
 <include name="scripts/nss_pcache"/>
- <include name="setup/postinstall"/>
+ <exclude name="etc/init.d/pki-rad"/>
 </tarfileset>
 <tarfileset dir="./forms"
 mode="755"
diff --git a/pki/base/ra/etc/init.d/httpd b/pki/base/ra/etc/init.d/httpd
deleted file mode 100755
index 4f18cd136..000000000
--- a/pki/base/ra/etc/init.d/httpd
+++ /dev/null
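Review bot: The relocated `PidFile run/[INSTANCE_ID].pid` is still resolved relative to `ServerRoot "[SERVER_ROOT]"`, and nothing in this hunk creates, owns or labels that `run/` directory. The pid file is security-relevant because the init script reads it back and signals whatever pid it contains as root (the removed `etc/init.d/httpd` did `kill -9 $kpid` after a timeout), and the old `logs/` location shared a directory with the log files the script chowned to `[USERID]`, so a `run/` directory writable by the service user would reproduce the same pid-file tampering exposure. The new `pki-rad` creates `/var/run/pki/ra` as root:root 0755, which is the right ownership, but how `[SERVER_ROOT]/run` maps onto that directory is not visible here — confirm `pkicreate` creates it root-owned (or as a symlink to `/var/run/pki/ra`) and that `pki.fc` labels it. A one-line comment above the directive would make the invariant explicit: `# run/ must remain root-owned: the init script trusts the pid stored here.`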
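Review bot: With `<include name="etc/**"/>` removed from the `dir="."` zipfileset, its only remaining include is `scripts/nss_pcache`, so the added `<exclude name="etc/init.d/pki-rad"/>` matches nothing and can be dropped. Removing `<include name="setup/postinstall"/>` also means `postinstall` is no longer packaged from this fileset, yet the diffstat shows `ra/setup/postinstall` still modified by this commit — confirm it is picked up by another fileset (or is intentionally no longer shipped under `/usr/share/pki/ra`). The same dead `<exclude>` and dropped `postinstall` include are repeated in the tarfileset hunk at `@@ -202,12 +206,16 @@`.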
@@ -1,758 +0,0 @@ -#!/bin/bash -# -# --- BEGIN COPYRIGHT BLOCK --- -# This program is free software; you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation; version 2 of the License. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License along -# with this program; if not, write to the Free Software Foundation, Inc., -# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. -# -# Copyright (C) 2007 Red Hat, Inc. -# All rights reserved. -# --- END COPYRIGHT BLOCK --- -# -# [INSTANCE_ID] Startup script for the Apache HTTP Server -# -# chkconfig: - 86 14 -# description: Registration Authority \ -# (Apache 2.2) -# processname: [INSTANCE_ID] -# config: [HTTPD_CONF] -# pidfile: [SERVER_ROOT]/logs/[INSTANCE_ID].pid - -# Disallow 'others' the ability to 'write' to new files -umask 00002 - -# Check to insure that this script's original invocation directory -# has not been deleted! -CWD=`/bin/pwd > /dev/null 2>&1` -if [ $? -ne 0 ] ; then - echo "Cannot invoke '$0' from non-existent directory!" - exit 255 -fi - -# Check to insure that this script's associated PKI -# subsystem currently resides on this system. -SUBSYSTEM_TYPE=[SUBSYSTEM_TYPE] -if [ ! -d /usr/share/pki/${SUBSYSTEM_TYPE} ] ; then - echo "This machine is missing the '${SUBSYSTEM_TYPE}' subsystem!" - exit 255 -fi - -# Obtain the operating system upon which this script is being executed -OS=`uname -s` -ARCHITECTURE="" - -# Time to wait in seconds, before killing process -# -# NOTE: Defined in "tomcat5.conf" for other PKI Subsystems. -# -STARTUP_WAIT=30 -SHUTDOWN_WAIT=30 - -# This script must be run as root! 
-RV=0 -if [ ${OS} = "Linux" ] ; then - if [ `id -u` -ne 0 ] ; then - echo "Must be 'root' to execute '$0'!" - exit 1 - fi - ARCHITECTURE=`uname -i` -elif [ ${OS} = "SunOS" ] ; then - if [ `/usr/xpg4/bin/id -u` -ne 0 ] ; then - echo "Must be 'root' to execute '$0'!" - exit 1 - fi - ARCHITECTURE=`uname -p` - if [ "${ARCHITECTURE}" = "sparc" ] && - [ -d "/usr/lib/sparcv9/" ] ; then - ARCHITECTURE="sparcv9" - fi -else - echo "Unsupported OS '${OS}'!" - exit 1 -fi - -# Initialize environment variables -LD_LIBRARY_PATH=[SYSTEM_USER_LIBRARIES]:[SYSTEM_LIBRARIES]:${LD_LIBRARY_PATH} -LD_LIBRARY_PATH=[SECURITY_LIBRARIES]:${LD_LIBRARY_PATH} -export LD_LIBRARY_PATH - -# Source function library. -if [ -f /etc/init.d/functions ]; then - . /etc/init.d/functions -else - # The checkpid() function is provided for platforms that do not - # contain the "/etc/init.d/functions" file (e. g. - Solaris) . . . - - # Check if ${pid} (could be plural) are running (keep count) - checkpid() - { - rv=0 - for i in $* ; do - ps -p $i > /dev/null 2>&1 ; - if [ $? -ne 0 ] ; then - rv=`expr $rv + 1` - else - rv=`expr $rv + 0` - fi - done - # echo "rv=$rv" - return $rv - } - - # Create the following directories on platforms - # where they do not exist (e. g. - Solaris) . . . - if [ ! -d /var/lock/subsys ] ; then - mkdir -p /var/lock/subsys - fi -fi - -######################################################################## -# This section contains modified content of "/etc/sysconfig/httpd" # -######################################################################## -# Configuration file for the [INSTANCE_ID] service. - -# -# The default processing model (MPM) is the process-based -# 'prefork' model. A thread-based model, 'worker', is also -# available, but does not work with some modules (such as PHP). -# The service must be stopped before changing this variable. 
-# -HTTPD=[FORTITUDE_DIR]/sbin/httpd.worker - -# -# To pass additional options (for instance, -D definitions) to the -# httpd binary at startup, set OPTIONS here. -# -OPTIONS="-f [HTTPD_CONF]" - -# -# By default, the httpd process is started in the C locale; to -# change the locale in which the server runs, the HTTPD_LANG -# variable can be set. -# -HTTPD_LANG=C -######################################################################## -# # -######################################################################## - -# This will prevent initlog from swallowing up a pass-phrase prompt if -# mod_ssl needs a pass-phrase from the user. -INITLOG_ARGS="" - -# Set HTTPD=/usr/sbin/httpd.worker in /etc/sysconfig/httpd to use a server -# with the thread-based "worker" MPM; BE WARNED that some modules may not -# work correctly with a thread-based MPM; notably PHP will refuse to start. - -# Path to the server binary and short-form for messages. -httpd=${HTTPD:-[FORTITUDE_DIR]/sbin/httpd} -prog=[INSTANCE_ID] -pki_instance_configuration_file=[SERVER_ROOT]/conf/CS.cfg -pidfile=${PIDFILE:-[SERVER_ROOT]/logs/[INSTANCE_ID].pid} -lockfile=${LOCKFILE:-/var/lock/subsys/[INSTANCE_ID]} -RESTART_SERVER=[SERVER_ROOT]/conf/restart_server_after_configuration -RETVAL=0 - -# see if httpd is linked with the openldap libraries - we need to override them -if [ ${OS} = "Linux" ]; then - hasopenldap=0 - - /usr/bin/ldd $httpd 2>&1 | grep libldap- > /dev/null 2>&1 && hasopenldap=1 - - if [ $hasopenldap -eq 1 ] ; then - LD_PRELOAD="[SYSTEM_USER_LIBRARIES]/libldap60.so" - LD_PRELOAD="[SYSTEM_USER_LIBRARIES]/libssl3.so:${LD_PRELOAD}" - export LD_PRELOAD - fi -elif [ ${OS} = "SunOS" ] ; then - LD_PRELOAD_64="[SYSTEM_USER_LIBRARIES]/libldap60.so" - LD_PRELOAD_64="[SYSTEM_USER_LIBRARIES]/dirsec/libssl3.so:${LD_PRELOAD_64}" - export LD_PRELOAD_64 -fi - -check_pki_configuration_status() -{ - rv=0 - - rv=`grep -c ^preop ${pki_instance_configuration_file}` - - rv=`expr ${rv} + 0` - - if [ ${rv} -ne 0 ] ; then - 
echo " '[INSTANCE_ID]' must still be CONFIGURED!" - echo " (see /var/log/[INSTANCE_ID]-install.log)" - elif [ -f ${RESTART_SERVER} ] ; then - echo " Although '[INSTANCE_ID]' has been CONFIGURED, it must still be RESTARTED!" - rv=255 - fi - - return ${rv} -} - -get_pki_status_definitions() -{ - # establish well-known strings - listen_statement="Listen" - total_ports=0 - UNSECURE_PORT="" - CLIENTAUTH_PORT="" - NON_CLIENTAUTH_PORT="" - - # check to see that an instance-specific "httpd.conf" file exists - if [ ! -f [HTTPD_CONF] ] ; then - echo "File '[HTTPD_CONF]' does not exist!" - exit 255 - fi - - # check to see that an instance-specific "nss.conf" file exists - if [ ! -f [NSS_CONF] ] ; then - echo "File '[NSS_CONF]' does not exist!" - exit 255 - fi - - # read this instance-specific "httpd.conf" file line-by-line - # to obtain the current value of the PKI unsecure port - - exec < [HTTPD_CONF] - while read line; do - # look for the listen statement - head=`echo $line | cut -b1-6` - if [ "$head" == "$listen_statement" ] ; then - # once the 'unsecure' listen statement has been found, - # extract the numeric port information - port=`echo $line | cut -b8-` - UNSECURE_PORT=$port - echo " Unsecure Port = http://[SERVER_NAME]:${UNSECURE_PORT}" - total_ports=`expr ${total_ports} + 1` - break; - fi - done - - # read this instance-specific "nss.conf" file line-by-line - # to obtain the current value of the "clientauth" PKI secure port - # AND the current value of the "non-clientauth" PKI secure port - - exec < [NSS_CONF] - while read line; do - # look for the listen statement - head=`echo $line | cut -b1-6` - if [ "$head" == "$listen_statement" ] && - [ ${total_ports} -eq 2 ] ; then - # once the 'non-clientauth' listen statement has been found, - # extract the numeric port information - non_clientauth_port=`echo $line | cut -b8-` - NON_CLIENTAUTH_PORT=$non_clientauth_port - echo " Secure Non-Clientauth Port = https://[SERVER_NAME]:${NON_CLIENTAUTH_PORT}" - total_ports=`expr 
${total_ports} + 1` - break - fi - if [ "$head" == "$listen_statement" ] && - [ ${total_ports} -eq 1 ] ; then - # once the 'clientauth' listen statement has been found, - # extract the numeric port information - clientauth_port=`echo $line | cut -b8-` - CLIENTAUTH_PORT=$clientauth_port - echo " Secure Clientauth Port = https://[SERVER_NAME]:${CLIENTAUTH_PORT}" - total_ports=`expr ${total_ports} + 1` - fi - done - - if [ ${total_ports} -eq 3 ] ; then - return 0 - else - return 255 - fi -} - -get_pki_configuration_definitions() -{ - # Obtain the PKI Subsystem Type - line=`grep ^cs.type= ${pki_instance_configuration_file}` - pki_subsystem=`echo "${line}" | cut -b9-` - if [ "${line}" != "" ] ; then - if [ "${pki_subsystem}" != "CA" ] && - [ "${pki_subsystem}" != "KRA" ] && - [ "${pki_subsystem}" != "OCSP" ] && - [ "${pki_subsystem}" != "TKS" ] && - [ "${pki_subsystem}" != "RA" ] && - [ "${pki_subsystem}" != "TPS" ] - then - return 255 - fi - if [ "${pki_subsystem}" == "KRA" ] ; then - # Rename "KRA" to "DRM" - pki_subsystem="DRM" - fi - else - return 255 - fi - - # If "${pki_subsystem}" is a CA, DRM, OCSP, or TKS, - # check to see if "${pki_subsystem}" is a "Clone" - pki_clone="" - if [ "${pki_subsystem}" == "CA" ] || - [ "${pki_subsystem}" == "DRM" ] || - [ "${pki_subsystem}" == "OCSP" ] || - [ "${pki_subsystem}" == "TKS" ] - then - line=`grep ^subsystem.select= ${pki_instance_configuration_file}` - if [ "${line}" != "" ] ; then - pki_clone=`echo "${line}" | cut -b18-` - if [ "${pki_clone}" != "Clone" ] ; then - # Reset "${pki_clone}" to be empty - pki_clone="" - fi - else - return 255 - fi - fi - - # If "${pki_subsystem}" is a CA, and is NOT a "Clone", check to - # see "${pki_subsystem}" is a "Root" or a "Subordinate" CA - pki_hierarchy="" - if [ "${pki_subsystem}" == "CA" ] && - [ "${pki_clone}" != "Clone" ] - then - line=`grep ^hierarchy.select= ${pki_instance_configuration_file}` - if [ "${line}" != "" ] ; then - pki_hierarchy=`echo "${line}" | cut -b18-` - else - 
return 255 - fi - fi - - # If ${pki_subsystem} is a CA, check to - # see if it is also a Security Domain - pki_security_domain="" - if [ "${pki_subsystem}" == "CA" ] ; then - line=`grep ^securitydomain.select= ${pki_instance_configuration_file}` - if [ "${line}" != "" ] ; then - pki_security_domain=`echo "${line}" | cut -b23-` - if [ "${pki_security_domain}" == "new" ] ; then - # Set a fixed value for "${pki_security_domain}" - pki_security_domain="(Security Domain)" - else - # Reset "${pki_security_domain}" to be empty - pki_security_domain="" - fi - else - return 255 - fi - fi - - # Always obtain this PKI instance's "registered" - # security domain information - pki_security_domain_name="" - pki_security_domain_hostname="" - pki_security_domain_https_admin_port="" - - line=`grep ^securitydomain.name= ${pki_instance_configuration_file}` - if [ "${line}" != "" ] ; then - pki_security_domain_name=`echo "${line}" | cut -b21-` - else - return 255 - fi - - line=`grep ^securitydomain.host= ${pki_instance_configuration_file}` - if [ "${line}" != "" ] ; then - pki_security_domain_hostname=`echo "${line}" | cut -b21-` - else - return 255 - fi - - line=`grep ^securitydomain.httpsadminport= ${pki_instance_configuration_file}` - if [ "${line}" != "" ] ; then - pki_security_domain_https_admin_port=`echo "${line}" | cut -b31-` - else - return 255 - fi - - # Compose the "PKI Instance Name" Status Line - pki_instance_name="PKI Instance Name: [INSTANCE_ID]" - - # Compose the "PKI Subsystem Type" Status Line - header="PKI Subsystem Type: " - if [ "${pki_clone}" != "" ] ; then - if [ "${pki_security_domain}" != "" ]; then - # Possible Values: - # - # "CA Clone (Security Domain)" - # - data="${pki_subsystem} ${pki_clone} ${pki_security_domain}" - else - # Possible Values: - # - # "CA Clone" - # "DRM Clone" - # "OCSP Clone" - # "TKS Clone" - # - data="${pki_subsystem} ${pki_clone}" - fi - elif [ "${pki_hierarchy}" != "" ] ; then - if [ "${pki_security_domain}" != "" ]; then - # 
Possible Values: - # - # "Root CA (Security Domain)" - # "Subordinate CA (Security Domain)" - # - data="${pki_hierarchy} ${pki_subsystem} ${pki_security_domain}" - else - # Possible Values: - # - # "Root CA" - # "Subordinate CA" - # - data="${pki_hierarchy} ${pki_subsystem}" - fi - else - # Possible Values: - # - # "DRM" - # "OCSP" - # "RA" - # "TKS" - # "TPS" - # - data="${pki_subsystem}" - fi - pki_subsystem_type="${header} ${data}" - - # Compose the "Registered PKI Security Domain Information" Status Line - header="Name: " - registered_pki_security_domain_name="${header} ${pki_security_domain_name}" - - header="URL: " - if [ "${pki_security_domain_hostname}" != "" ] && - [ "${pki_security_domain_https_admin_port}" != "" ] - then - data="https://${pki_security_domain_hostname}:${pki_security_domain_https_admin_port}" - else - return 255 - fi - registered_pki_security_domain_url="${header} ${data}" - - # Print the "PKI Subsystem Type" Status Line - echo - echo " ${pki_instance_name}" - - # Print the "PKI Subsystem Type" Status Line - echo - echo " ${pki_subsystem_type}" - - # Print the "Registered PKI Security Domain Information" Status Line - echo - echo " Registered PKI Security Domain Information:" - echo " ==========================================================================" - echo " ${registered_pki_security_domain_name}" - echo " ${registered_pki_security_domain_url}" - echo " ==========================================================================" - - return 0 -} - -get_pki_secure_port() -{ - # establish well-known strings - listen_statement="Listen" - - # first check to see that an instance-specific "nss.conf" file exists - if [ ! -f [NSS_CONF] ] ; then - echo "File '[NSS_CONF]' does not exist!" 
- exit 255 - fi - - # read this instance-specific "nss.conf" file line-by-line - # to obtain the current value of the "clientauth" PKI secure port - - exec < [NSS_CONF] - while read line; do - # look for the listen statement - head=`echo $line | cut -b1-6` - if [ "$head" == "$listen_statement" ] ; then - # once the 'clientauth' listen statement has been found, - # extract the numeric port information - port=`echo $line | cut -b8-` - SECURE_PORT=$port - return 0 - fi - done - - return 255 -} - -# The semantics of these two functions differ from the way apachectl does -# things -- attempting to start while running is a failure, and shutdown -# when not running is also a failure. So we just do it the way init scripts -# are expected to behave here. -start() -{ - echo -n $"Starting $prog: " - - if [ -f ${RESTART_SERVER} ] ; then - rm -f ${RESTART_SERVER} - fi - - if [ -f ${lockfile} ] ; then - if [ -f ${pidfile} ]; then - read kpid < ${pidfile} - if checkpid $kpid 2>&1; then - echo - echo "process already running" - return 255 - else - echo - echo -n "lock file found but no process " - echo -n "running for pid $kpid, continuing" - echo - echo - fi - fi - fi - - # restore context for ncipher hsm - [ -x /sbin/restorecon ] && [ -d /dev/nfast ] && /sbin/restorecon -R /dev/nfast - - - if [ -f /etc/init.d/functions ]; then - /usr/sbin/selinuxenabled - RETVAL=$? - if [ $RETVAL = 0 ] ; then - if [ ${ARCHITECTURE} = "i386" ] ; then - LANG=$HTTPD_LANG daemon runcon -t pki_ra_t -- $httpd $OPTIONS - # overwrite output from "daemon" - echo -n $"Starting $prog: " - elif [ ${ARCHITECTURE} = "x86_64" ] ; then - # NOTE: "daemon" is incompatible with "httpd" - # on 64-bit architectures - LANG=$HTTPD_LANG runcon -t pki_ra_t -- $httpd $OPTIONS - fi - else - LANG=$HTTPD_LANG daemon $httpd $OPTIONS - # overwrite output from "daemon" - echo -n $"Starting $prog: " - fi - else - LANG=$HTTPD_LANG $httpd $OPTIONS -k start - fi - - RETVAL=$? 
- [ $RETVAL = 0 ] && touch ${lockfile} - - if [ $RETVAL = 0 ] ; then - count=0; - - let swait=$STARTUP_WAIT - until [ -s ${pidfile} ] || - [ $count -gt $swait ] - do - echo -n "." - sleep 1 - let count=$count+1; - done - - if [ -f /etc/init.d/functions ]; then - echo_success - echo - else - echo " [ OK ]" - fi - - get_pki_secure_port - if [ $? -ne 0 ] ; then - SECURE_PORT="<Port Undefined>" - fi - - # Set permissions of log files - pki_logs_directory=`dirname ${pidfile}` - for file in ${pki_logs_directory}/*; do - if [ "${file}" != "${pidfile}" ]; then - chmod 00660 ${file} - chgrp [GROUPID] ${file} - chown [USERID] ${file} - fi - done - else - if [ -f /etc/init.d/functions ]; then - echo_failure - echo - else - echo " [ FAILED ]" - fi - fi - - if [ ${OS} = "Linux" ] ; then - sleep 10 - elif [ ${OS} = "SunOS" ] ; then - sleep 20 - fi - echo - status - return $RETVAL -} - -stop() -{ - echo -n "Stopping $prog: " - - if [ -f ${lockfile} ] ; then - $httpd $OPTIONS -k stop - - RETVAL=$? - - if [ $RETVAL = 0 ]; then - count=0; - - if [ -f ${pidfile} ]; then - read kpid < ${pidfile} - let kwait=$SHUTDOWN_WAIT - - until [ `ps -p $kpid | grep -c $kpid` = '0' ] || - [ $count -gt $kwait ] - do - echo -n "." - sleep 1 - let count=$count+1; - done - - if [ $count -gt $kwait ]; then - kill -9 $kpid - fi - fi - - rm -f ${lockfile} - rm -f ${pidfile} - - if [ -f /etc/init.d/functions ]; then - echo_success - echo - else - echo " [ OK ]" - fi - else - if [ -f /etc/init.d/functions ]; then - echo_failure - echo - else - echo " [ FAILED ]" - fi - fi - else - echo - echo "process already stopped" - fi -} - -reload() -{ - echo -n $"Reloading $prog: " - - if ! LANG=$HTTPD_LANG $httpd $OPTIONS -t >&/dev/null; then - RETVAL=$? 
- echo $"not reloading due to configuration syntax error" - if [ -f /etc/init.d/functions ]; then - failure $"not reloading $httpd due to configuration syntax error" - else - echo $"not reloading $httpd due to configuration syntax error" - fi - else - if [ -f /etc/init.d/functions ]; then - killproc $httpd -HUP - # overwrite output from "killproc" - echo -n $"Stopping $prog: " - else - if [ -f ${lockfile} ] ; then - if [ -f ${pidfile} ]; then - read kpid < ${pidfile} - if checkpid $kpid 2>&1; then - kill -HUP $kpid - fi - else - echo - echo -n "lock file found but no process " - echo -n "running for pid $kpid, continuing" - echo - echo - fi - fi - fi - fi - echo -} - -status() -{ - if [ -f ${pidfile} ] ; then - pid=`cat ${pidfile}` - if [ "${pid}" == "" ] ; then - echo "[INSTANCE_ID] pid file exists but is empty" - elif kill -0 ${pid} > /dev/null 2>&1 ; then - echo "[INSTANCE_ID] (pid ${pid}) is running ..." - echo - check_pki_configuration_status - if [ $? -eq 0 ] ; then - get_pki_status_definitions - if [ $? -ne 0 ] ; then - echo - echo "[INSTANCE_ID] Status Definitions not found" - fi - get_pki_configuration_definitions - if [ $? -ne 0 ] ; then - echo - echo "[INSTANCE_ID] Configuration Definitions not found" - fi - fi - echo - else - echo "[INSTANCE_ID] is dead but pid file exists" - fi - else - echo "[INSTANCE_ID] is stopped" - fi -} - -# See how we were called. -case "$1" in - start) - start - ;; - stop) - stop - ;; - restart) - stop - sleep 2 - start - ;; - condrestart) - if [ -f ${pidfile} ] ; then - stop - sleep 2 - start - else - echo -n "Unable to restart process since " - echo -n "'${pidfile}' does not exist!" - echo - fi - ;; - reload) - reload - ;; - status) - status - ;; - *) - echo $"Usage: $prog {start|stop|restart|condrestart|reload|status}" - exit 1 -esac - -exit $RETVAL - diff --git a/pki/base/ra/etc/init.d/pki-rad b/pki/base/ra/etc/init.d/pki-rad new file mode 100755 index 000000000..3ca7d6669 --- /dev/null +++ b/pki/base/ra/etc/init.d/pki-rad 
@@ -0,0 +1,1415 @@ +#!/bin/bash +# +# --- BEGIN COPYRIGHT BLOCK --- +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; version 2 of the License. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License along +# with this program; if not, write to the Free Software Foundation, Inc., +# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +# +# Copyright (C) 2007 Red Hat, Inc. +# All rights reserved. +# --- END COPYRIGHT BLOCK --- +# +# pki-rad Startup script for the Apache HTTP pki-ra Server +# +# chkconfig: - 86 14 +# description: Registration Authority \ +# (Apache 2.2) +# processname: pki-rad +# piddir: /var/run/pki/ra +# config: ${PKI_SERVER_ROOT}/conf/httpd.conf + +PKI_INIT_SCRIPT="" +PKI_PATH="/usr/share/pki/ra" +PKI_PIDDIR="/var/run/pki/ra" +PKI_PROCESS="pki-rad" +PKI_REGISTRY="/etc/sysconfig/pki/ra" +PKI_SELINUX_TYPE="pki_ra_t" +PKI_TYPE="pki-ra" + +# PKI subsystem-level directory and file values for locks +lockfile="/var/lock/subsys/pki-rad" + +# Disallow 'others' the ability to 'write' to new files +umask 00002 + +default_error=0 +command="$1" +pki_instance="$2" +case "${command}" in + start|stop|restart|condrestart|force-restart|try-restart) + # * 1 generic or unspecified error (current practice) + default_error=1 + ;; + reload) + default_error=3 + ;; + status) + # * 4 program or service status is unknown + default_error=4 + ;; + *) + # * 2 invalid argument(s) + default_error=2 + ;; +esac + +# Check to insure that this script's original invocation directory +# has not been deleted! +CWD=`/bin/pwd > /dev/null 2>&1` +if [ $? 
-ne 0 ] ; then + echo "Cannot invoke '$0' from non-existent directory!" + exit ${default_error} +fi + +# Check to insure that this script's associated PKI +# subsystem currently resides on this system. +if [ ! -d ${PKI_PATH} ] ; then + echo "This machine is missing the '${PKI_TYPE}' subsystem!" + if [ "${command}" != "status" ]; then + # * 5 program is not installed + exit 5 + else + exit ${default_error} + fi +fi + +# Check to insure that this script's associated PKI +# subsystem instance registry currently resides on this system. +if [ ! -d ${PKI_REGISTRY} ] ; then + echo "This machine contains no registered '${PKI_TYPE}' subsystem instances!" + if [ "${command}" != "status" ]; then + # * 5 program is not installed + exit 5 + else + exit ${default_error} + fi +fi + +# Obtain the operating system upon which this script is being executed +# and initialize environment variables +OS=`uname -s` +ARCHITECTURE="" +LD_LIBRARY_PATH="" + +# Time to wait in seconds, before killing process +# +# NOTE: Defined in "tomcat5.conf" for PKI Java/Tomcat Subsystems. +# +STARTUP_WAIT=30 +SHUTDOWN_WAIT=30 + +# This script must be run as root! +RV=0 +if [ ${OS} = "Linux" ] ; then + PKI_INIT_SCRIPT="/sbin/service ${PKI_PROCESS}" + if [ `id -u` -ne 0 ] ; then + echo "Must be 'root' to execute '$0'!" + if [ "${command}" != "status" ]; then + # * 4 user had insufficient privilege + exit 4 + else + # * 4 program or service status is unknown + exit 4 + fi + fi + ARCHITECTURE=`uname -i` + if [ ${ARCHITECTURE} = "i386" ] ; then + LD_LIBRARY_PATH="/usr/lib:/lib:${LD_LIBRARY_PATH}" + elif [ ${ARCHITECTURE} = "x86_64" ] ; then + LD_LIBRARY_PATH="/usr/lib64:/lib64:${LD_LIBRARY_PATH}" + else + echo "Unsupported architecture '${ARCHITECTURE}'!" + exit ${default_error} + fi +elif [ ${OS} = "SunOS" ] ; then + PKI_INIT_SCRIPT="/etc/init.d/${PKI_PROCESS}" + if [ `/usr/xpg4/bin/id -u` -ne 0 ] ; then + echo "Must be 'root' to execute '$0'!" 
+ if [ "${command}" != "status" ]; then + # * 4 user had insufficient privilege + exit 4 + else + # * 4 program or service status is unknown + exit 4 + fi + fi + ARCHITECTURE=`uname -p` + if [ "${ARCHITECTURE}" = "sparc" ] && + [ -d "/usr/lib/sparcv9/" ] ; then + ARCHITECTURE="sparcv9" + fi + if [ ${ARCHITECTURE} = "sparcv9" ] ; then + LD_LIBRARY_PATH="/usr/lib/sparcv9:/lib/sparcv9:${LD_LIBRARY_PATH}" + LD_LIBRARY_PATH="/usr/lib/sparcv9/dirsec:${LD_LIBRARY_PATH}" + else + echo "Unsupported architecture '${ARCHITECTURE}'!" + exit ${default_error} + fi +else + echo "Unsupported OS '${OS}'!" + exit ${default_error} +fi +export LD_LIBRARY_PATH + +# Source function library. +if [ -f /etc/init.d/functions ]; then + . /etc/init.d/functions +else + # The checkpid() function is provided for platforms that do not + # contain the "/etc/init.d/functions" file (e. g. - Solaris) . . . + + # Check if ${pid} (could be plural) are running (keep count) + checkpid() + { + rv=0 + for i in $* ; do + ps -p $i > /dev/null 2>&1 ; + if [ $? -ne 0 ] ; then + rv=`expr $rv + 1` + else + rv=`expr $rv + 0` + fi + done + # echo "rv=$rv" + return $rv + } + + # Create the following directories on platforms + # where they do not exist (e. g. - Solaris) . . . + if [ ! -d "/var/lock" ] ; then + mkdir -p /var/lock + chown root:sys /var/lock + chmod 00755 /var/lock + fi + if [ ! 
-d "/var/lock/subsys" ] ; then + mkdir -p /var/lock/subsys + chown root:root /var/lock/subsys + chmod 00755 /var/lock/subsys + fi +fi + +PKI_REGISTRY_ENTRIES="" +TOTAL_PKI_REGISTRY_ENTRIES=0 +TOTAL_UNCONFIGURED_PKI_ENTRIES=0 + +# Gather ALL registered instances of this PKI subsystem type +for FILE in `/bin/ls -1 ${PKI_REGISTRY}/* 2>/dev/null`; do + if [ -f "$FILE" ] ; then + inst=`echo "$FILE"` + PKI_REGISTRY_ENTRIES="${PKI_REGISTRY_ENTRIES} $inst" + TOTAL_PKI_REGISTRY_ENTRIES=`expr ${TOTAL_PKI_REGISTRY_ENTRIES} + 1` + fi +done + +if [ -n "${pki_instance}" ]; then + for I in ${PKI_REGISTRY_ENTRIES}; do + if [ "${PKI_REGISTRY}/${pki_instance}" = "$I" ]; then + PKI_REGISTRY_ENTRIES="${PKI_REGISTRY}/${pki_instance}" + TOTAL_PKI_REGISTRY_ENTRIES=1 + break + fi + done +fi + +usage() +{ + echo -n "Usage: ${PKI_INIT_SCRIPT} " + echo -n "{start" + echo -n "|stop" + echo -n "|restart" + echo -n "|condrestart" + echo -n "|force-restart" + echo -n "|try-restart" + echo -n "|reload" + echo -n "|status} " + echo -n "[instance-name]" + echo + echo +} + +list_instances() +{ + echo + for FILE in `/bin/ls -1 ${PKI_REGISTRY}/* 2>/dev/null`; do + echo " ${FILE}" + done + echo +} + +# Check arguments +if [ $# -lt 1 ] ; then + # * 3 unimplemented feature (for example, "reload") + # [insufficient arguments] + echo "$0: Insufficient arguments!" + echo + usage + echo "where valid instance names include:" + list_instances + exit 3 +elif [ ${default_error} -eq 2 ] ; then + # * 2 invalid argument + echo "$0: Invalid arguments!" + echo + usage + echo "where valid instance names include:" + list_instances + exit 2 +elif [ $# -gt 2 ] ; then + echo "$0: Excess arguments!" 
+ echo + usage + echo "where valid instance names include:" + list_instances + if [ "${command}" != "status" ]; then + # * 2 excess arguments + exit 2 + else + # * 4 program or service status is unknown + exit 4 + fi +fi + +# If an "instance" was supplied, check that it is a "valid" instance +if [ -n "${pki_instance}" ]; then + if [ "${PKI_REGISTRY}/${pki_instance}" != "${PKI_REGISTRY_ENTRIES}" ]; then + echo -n "${pki_instance} is an invalid '${PKI_TYPE}' instance" + echo_failure + echo + if [ "${command}" != "status" ]; then + # * 5 program is not installed + exit 5 + else + # * 4 program or service status is unknown + exit 4 + fi + fi +fi + +# On Solaris /var/run is in tmpfs and gets wiped out upon reboot +# we have to recreate the ${PKI_PIDDIR} directory and make sure that +# the directory is writable by the ${PKI_TYPE} server process. +# +# IMPORTANT: ALL PKI subsystems installed on this machine MUST utilize +# the SAME values for ${PKI_GROUP} and ${PKI_USER}, since the +# "${PKI_PIDDIR}" will end up with the ownership permissions +# of the first instance that executes this function! +# +fix_pid_dir_ownership() +{ + if [ ! -d ${PKI_PIDDIR} ] ; then + mkdir -p ${PKI_PIDDIR} + + chown root:root /var/run/pki + chmod 00755 /var/run/pki + + chown root:root ${PKI_PIDDIR} + chmod 00755 ${PKI_PIDDIR} + fi +} + +check_pki_configuration_status() +{ + rv=0 + + rv=`grep -c ^preop ${pki_instance_configuration_file}` + + rv=`expr ${rv} + 0` + + if [ ${rv} -ne 0 ] ; then + echo " '${PKI_INSTANCE_ID}' must still be CONFIGURED!" + echo " (see /var/log/${PKI_INSTANCE_ID}-install.log)" + if [ "${command}" != "status" ]; then + # * 6 program is not configured + rv=6 + else + # * 4 program or service status is unknown + rv=4 + fi + TOTAL_UNCONFIGURED_PKI_ENTRIES=`expr ${TOTAL_UNCONFIGURED_PKI_ENTRIES} + 1` + elif [ -f ${RESTART_SERVER} ] ; then + echo -n " Although '${PKI_INSTANCE_ID}' has been CONFIGURED, " + echo -n "it must still be RESTARTED!" 
+ echo + if [ "${command}" != "status" ]; then + # * 1 generic or unspecified error (current practice) + rv=1 + else + # * 4 program or service status is unknown + rv=4 + fi + fi + + return ${rv} +} + +get_pki_status_definitions() +{ + # establish well-known strings + listen_statement="Listen" + total_ports=0 + UNSECURE_PORT="" + CLIENTAUTH_PORT="" + NON_CLIENTAUTH_PORT="" + + # check to see that an instance-specific "httpd.conf" file exists + if [ ! -f ${PKI_HTTPD_CONF} ] ; then + echo "File '${PKI_HTTPD_CONF}' does not exist!" + exit ${default_error} + fi + + # check to see that an instance-specific "nss.conf" file exists + if [ ! -f ${PKI_NSS_CONF} ] ; then + echo "File '${PKI_NSS_CONF}' does not exist!" + exit ${default_error} + fi + + # read this instance-specific "httpd.conf" file line-by-line + # to obtain the current value of the PKI unsecure port + + exec < ${PKI_HTTPD_CONF} + while read line; do + # look for the listen statement + head=`echo $line | cut -b1-6` + if [ "$head" == "$listen_statement" ] ; then + # once the 'unsecure' listen statement has been found, + # extract the numeric port information + port=`echo $line | cut -b8-` + UNSECURE_PORT=$port + echo " Unsecure Port = http://${PKI_SERVER_NAME}:${UNSECURE_PORT}" + total_ports=`expr ${total_ports} + 1` + break; + fi + done + + # read this instance-specific "nss.conf" file line-by-line + # to obtain the current value of the "clientauth" PKI secure port + # AND the current value of the "non-clientauth" PKI secure port + + exec < ${PKI_NSS_CONF} + while read line; do + # look for the listen statement + head=`echo $line | cut -b1-6` + if [ "$head" == "$listen_statement" ] && + [ ${total_ports} -eq 2 ] ; then + # once the 'non-clientauth' listen statement has been found, + # extract the numeric port information + non_clientauth_port=`echo $line | cut -b8-` + NON_CLIENTAUTH_PORT=$non_clientauth_port + echo " Secure Non-Clientauth Port = https://${PKI_SERVER_NAME}:${NON_CLIENTAUTH_PORT}" + 
total_ports=`expr ${total_ports} + 1` + break + fi + if [ "$head" == "$listen_statement" ] && + [ ${total_ports} -eq 1 ] ; then + # once the 'clientauth' listen statement has been found, + # extract the numeric port information + clientauth_port=`echo $line | cut -b8-` + CLIENTAUTH_PORT=$clientauth_port + echo " Secure Clientauth Port = https://${PKI_SERVER_NAME}:${CLIENTAUTH_PORT}" + total_ports=`expr ${total_ports} + 1` + fi + done + + if [ ${total_ports} -eq 3 ] ; then + return 0 + else + return ${default_error} + fi +} + +get_pki_configuration_definitions() +{ + # Obtain the PKI Subsystem Type + line=`grep ^cs.type= ${pki_instance_configuration_file}` + pki_subsystem=`echo "${line}" | cut -b9-` + if [ "${line}" != "" ] ; then + if [ "${pki_subsystem}" != "CA" ] && + [ "${pki_subsystem}" != "KRA" ] && + [ "${pki_subsystem}" != "OCSP" ] && + [ "${pki_subsystem}" != "TKS" ] && + [ "${pki_subsystem}" != "RA" ] && + [ "${pki_subsystem}" != "TPS" ] + then + return ${default_error} + fi + if [ "${pki_subsystem}" == "KRA" ] ; then + # Rename "KRA" to "DRM" + pki_subsystem="DRM" + fi + else + return ${default_error} + fi + + # If "${pki_subsystem}" is a CA, DRM, OCSP, or TKS, + # check to see if "${pki_subsystem}" is a "Clone" + pki_clone="" + if [ "${pki_subsystem}" == "CA" ] || + [ "${pki_subsystem}" == "DRM" ] || + [ "${pki_subsystem}" == "OCSP" ] || + [ "${pki_subsystem}" == "TKS" ] + then + line=`grep ^subsystem.select= ${pki_instance_configuration_file}` + if [ "${line}" != "" ] ; then + pki_clone=`echo "${line}" | cut -b18-` + if [ "${pki_clone}" != "Clone" ] ; then + # Reset "${pki_clone}" to be empty + pki_clone="" + fi + else + return ${default_error} + fi + fi + + # If "${pki_subsystem}" is a CA, and is NOT a "Clone", check to + # see "${pki_subsystem}" is a "Root" or a "Subordinate" CA + pki_hierarchy="" + if [ "${pki_subsystem}" == "CA" ] && + [ "${pki_clone}" != "Clone" ] + then + line=`grep ^hierarchy.select= ${pki_instance_configuration_file}` + if [ 
"${line}" != "" ] ; then + pki_hierarchy=`echo "${line}" | cut -b18-` + else + return ${default_error} + fi + fi + + # If ${pki_subsystem} is a CA, check to + # see if it is also a Security Domain + pki_security_domain="" + if [ "${pki_subsystem}" == "CA" ] ; then + line=`grep ^securitydomain.select= ${pki_instance_configuration_file}` + if [ "${line}" != "" ] ; then + pki_security_domain=`echo "${line}" | cut -b23-` + if [ "${pki_security_domain}" == "new" ] ; then + # Set a fixed value for "${pki_security_domain}" + pki_security_domain="(Security Domain)" + else + # Reset "${pki_security_domain}" to be empty + pki_security_domain="" + fi + else + return ${default_error} + fi + fi + + # Always obtain this PKI instance's "registered" + # security domain information + pki_security_domain_name="" + pki_security_domain_hostname="" + pki_security_domain_https_admin_port="" + + line=`grep ^securitydomain.name= ${pki_instance_configuration_file}` + if [ "${line}" != "" ] ; then + pki_security_domain_name=`echo "${line}" | cut -b21-` + else + return ${default_error} + fi + + line=`grep ^securitydomain.host= ${pki_instance_configuration_file}` + if [ "${line}" != "" ] ; then + pki_security_domain_hostname=`echo "${line}" | cut -b21-` + else + return ${default_error} + fi + + line=`grep ^securitydomain.httpsadminport= ${pki_instance_configuration_file}` + if [ "${line}" != "" ] ; then + pki_security_domain_https_admin_port=`echo "${line}" | cut -b31-` + else + return ${default_error} + fi + + # Compose the "PKI Instance Name" Status Line + pki_instance_name="PKI Instance Name: ${PKI_INSTANCE_ID}" + + # Compose the "PKI Subsystem Type" Status Line + header="PKI Subsystem Type: " + if [ "${pki_clone}" != "" ] ; then + if [ "${pki_security_domain}" != "" ]; then + # Possible Values: + # + # "CA Clone (Security Domain)" + # + data="${pki_subsystem} ${pki_clone} ${pki_security_domain}" + else + # Possible Values: + # + # "CA Clone" + # "DRM Clone" + # "OCSP Clone" + # "TKS 
Clone" + # + data="${pki_subsystem} ${pki_clone}" + fi + elif [ "${pki_hierarchy}" != "" ] ; then + if [ "${pki_security_domain}" != "" ]; then + # Possible Values: + # + # "Root CA (Security Domain)" + # "Subordinate CA (Security Domain)" + # + data="${pki_hierarchy} ${pki_subsystem} ${pki_security_domain}" + else + # Possible Values: + # + # "Root CA" + # "Subordinate CA" + # + data="${pki_hierarchy} ${pki_subsystem}" + fi + else + # Possible Values: + # + # "DRM" + # "OCSP" + # "RA" + # "TKS" + # "TPS" + # + data="${pki_subsystem}" + fi + pki_subsystem_type="${header} ${data}" + + # Compose the "Registered PKI Security Domain Information" Status Line + header="Name: " + registered_pki_security_domain_name="${header} ${pki_security_domain_name}" + + header="URL: " + if [ "${pki_security_domain_hostname}" != "" ] && + [ "${pki_security_domain_https_admin_port}" != "" ] + then + data="https://${pki_security_domain_hostname}:${pki_security_domain_https_admin_port}" + else + return ${default_error} + fi + registered_pki_security_domain_url="${header} ${data}" + + # Print the "PKI Subsystem Type" Status Line + echo + echo " ${pki_instance_name}" + + # Print the "PKI Subsystem Type" Status Line + echo + echo " ${pki_subsystem_type}" + + # Print the "Registered PKI Security Domain Information" Status Line + echo + echo " Registered PKI Security Domain Information:" + echo " ==========================================================================" + echo " ${registered_pki_security_domain_name}" + echo " ${registered_pki_security_domain_url}" + echo " ==========================================================================" + + return 0 +} + +get_pki_secure_port() +{ + # establish well-known strings + listen_statement="Listen" + + # first check to see that an instance-specific "nss.conf" file exists + if [ ! -f ${PKI_NSS_CONF} ] ; then + echo "File '${PKI_NSS_CONF}' does not exist!" 
+ exit ${default_error} + fi + + # read this instance-specific "nss.conf" file line-by-line + # to obtain the current value of the "clientauth" PKI secure port + exec < ${PKI_NSS_CONF} + while read line; do + # look for the listen statement + head=`echo $line | cut -b1-6` + if [ "$head" == "$listen_statement" ] ; then + # once the 'clientauth' listen statement has been found, + # extract the numeric port information + port=`echo $line | cut -b8-` + SECURE_PORT=$port + return 0 + fi + done + + return ${default_error} +} + +display_instance_status() +{ + rv=0 + + if [ -f ${pidfile} ] ; then + pid=`cat ${pidfile}` + if [ "${pid}" == "" ] ; then + echo "${PKI_INSTANCE_ID} pid file exists but is empty" + if [ "${command}" != "status" ]; then + # * 1 generic or unspecified error (current practice) + rv=1 + else + # * 4 program or service status is unknown + rv=4 + fi + elif kill -0 ${pid} > /dev/null 2>&1 ; then + echo "${PKI_INSTANCE_ID} (pid ${pid}) is running ..." + echo + check_pki_configuration_status + rv=$? + if [ ${rv} -eq 0 ] ; then + get_pki_status_definitions + rv=$? + if [ ${rv} -ne 0 ] ; then + echo + echo "${PKI_INSTANCE_ID} Status Definitions not found" + else + get_pki_configuration_definitions + rv=$? + if [ ${rv} -ne 0 ] ; then + echo + echo "${PKI_INSTANCE_ID} Configuration Definitions not found" + fi + fi + else + # From the PKI point of view for a "non-status" action, + # a returned error code of "6" implies that the program + # is not "configured". Similarly, an error code of "1" + # implies that the program was "configured" but must + # still be restarted. + # + # Similarly, from the PKI point of view for a "status" + # action, a returned error code of "4" implies that either + # the program is not "configured", or that the program + # was "configured" but must still be restarted. + # + # Regardless, it must still be considered that the instance + # is "running" from the viewpoint of other OS programs such + # as 'chkconfig'. 
+ # + # For this reason, when returning from + # 'display_instance_status()', ignore non-zero return codes + # returned from 'check_pki_configuration_status()'. + # + if [ "${command}" != "status" ]; then + # * 0 action was successful + rv=0 + else + # * 0 program is running or service is OK + rv=0 + fi + fi + echo + else + echo "${PKI_INSTANCE_ID} is dead but pid file exists" + if [ "${command}" != "status" ]; then + # * 1 generic or unspecified error (current practice) + rv=1 + else + # * 1 program is dead and /var/run pid file exists + rv=1 + fi + fi + else + echo "${PKI_INSTANCE_ID} is stopped" + if [ "${command}" != "status" ]; then + # * 7 program is not running + rv=7 + else + # * 3 program is not running + rv=3 + fi + fi + + return ${rv} +} + +start_instance() +{ + rv=0 + + echo -n $"Starting ${prog}: " + + if [ -f ${RESTART_SERVER} ] ; then + rm -f ${RESTART_SERVER} + fi + + if [ -f ${PKI_LOCKFILE} ] ; then + if [ -f ${pidfile} ]; then + read kpid < ${pidfile} + if checkpid $kpid 2>&1; then + echo + echo "${PKI_INSTANCE_ID} (pid ${kpid}) is already running ..." + echo + check_pki_configuration_status + rv=$? + if [ ${rv} != 0 ]; then + # From the PKI point of view for a "non-status" action, + # a returned error code of "6" implies that the program + # is not "configured". Similarly, an error code of "1" + # implies that the program was "configured" but must + # still be restarted. + # + # Regardless, it must still be considered that the instance + # is "running" from the viewpoint of other OS programs such + # as 'chkconfig'. + # + # For "non-status" actions, ignore return codes of "1" + # from 'check_pki_configuration_status()'. + # + # However, for "non-status" actions that have a return + # code of "6", return this value unchanged to + # the calling routine so that the total number of + # configuration errors may be counted. 
+ # + + echo + if [ ${rv} = 1 ] ; then + # * 0 action was successful + return 0 + elif [ ${rv} = 6 ] ; then + # * 6 program is not configured + return 6 + else + # should never be reached + return ${rv} + fi + else + return 0 + fi + else + echo + echo -n "lock file found but no process " + echo -n "running for pid $kpid, continuing" + echo + echo + rm -f ${PKI_LOCKFILE} + fi + fi + fi + + fix_pid_dir_ownership + + touch ${pidfile} + chown ${PKI_USER}:${PKI_GROUP} ${pidfile} + chmod 00600 ${pidfile} + [ -x /sbin/restorecon ] && /sbin/restorecon ${pidfile} + + # restore context for ncipher hsm + [ -x /sbin/restorecon ] && [ -d /dev/nfast ] && /sbin/restorecon -R /dev/nfast + + if [ -f /etc/init.d/functions ]; then + /usr/sbin/selinuxenabled + rv=$? + if [ ${rv} = 0 ] ; then + if [ ${ARCHITECTURE} = "i386" ] ; then + LANG=${PKI_HTTPD_LANG} daemon runcon -t ${PKI_SELINUX_TYPE} -- ${httpd} ${PKI_OPTIONS} + # overwrite output from "daemon" + echo -n $"Starting ${prog}: " + elif [ ${ARCHITECTURE} = "x86_64" ] ; then + # NOTE: "daemon" is incompatible with "httpd" + # on 64-bit architectures + LANG=${PKI_HTTPD_LANG} runcon -t ${PKI_SELINUX_TYPE} -- ${httpd} ${PKI_OPTIONS} + fi + else + LANG=${PKI_HTTPD_LANG} daemon ${httpd} ${PKI_OPTIONS} + # overwrite output from "daemon" + echo -n $"Starting ${prog}: " + fi + else + LANG=${PKI_HTTPD_LANG} ${httpd} ${PKI_OPTIONS} -k start + fi + + rv=$? + if [ ${rv} = 0 ] ; then + touch ${PKI_LOCKFILE} + chown ${PKI_USER}:${PKI_GROUP} ${PKI_LOCKFILE} + chmod 00600 ${PKI_LOCKFILE} + fi + + if [ ${rv} = 0 ] ; then + count=0; + + let swait=$STARTUP_WAIT + until [ -s ${pidfile} ] || + [ $count -gt $swait ] + do + echo -n "." + sleep 1 + let count=$count+1; + done + + if [ -f /etc/init.d/functions ]; then + if [ "$CONSOLETYPE" = "serial" ]; then + echo -n " " + fi + echo_success + echo + else + echo " [ OK ]" + fi + + get_pki_secure_port + if [ $? 
-ne 0 ] ; then + SECURE_PORT="<Port Undefined>" + fi + + # Set permissions of log files + for file in ${pki_logs_directory}/*; do + chown ${PKI_USER}:${PKI_GROUP} ${file} + chmod 00660 ${file} + done + + # ignore "status" return codes + echo + display_instance_status + else + if [ -f /etc/init.d/functions ]; then + if [ "$CONSOLETYPE" = "serial" ]; then + $0 echo -n " " + fi + echo_failure + echo + else + echo " [ FAILED ]" + fi + fi + + if [ ${OS} = "Linux" ] ; then + sleep 10 + elif [ ${OS} = "SunOS" ] ; then + sleep 20 + fi + return ${rv} +} + +stop_instance() +{ + rv=0 + + echo -n "Stopping ${prog}: " + + if [ -f ${PKI_LOCKFILE} ] ; then + ${httpd} ${PKI_OPTIONS} -k stop + + rv=$? + + if [ ${rv} = 0 ]; then + count=0; + + if [ -f ${pidfile} ]; then + read kpid < ${pidfile} + let kwait=$SHUTDOWN_WAIT + + until [ `ps -p $kpid | grep -c $kpid` = '0' ] || + [ $count -gt $kwait ] + do + echo -n "." + sleep 1 + let count=$count+1; + done + + if [ $count -gt $kwait ]; then + kill -9 $kpid + fi + fi + + rm -f ${PKI_LOCKFILE} + rm -f ${pidfile} + + if [ -f /etc/init.d/functions ]; then + if [ "$CONSOLETYPE" = "serial" ]; then + echo -n " " + fi + echo_success + echo + else + echo " [ OK ]" + fi + else + if [ -f /etc/init.d/functions ]; then + if [ "$CONSOLETYPE" = "serial" ]; then + echo -n " " + fi + echo_failure + echo + else + echo " [ FAILED ]" + fi + rv=${default_error} + fi + else + echo + echo "process already stopped" + rv=0 + fi + + return ${rv} +} + +reload_instance() +{ + rv=0 + + echo -n $"Reloading ${prog}: " + + if ! LANG=${PKI_HTTPD_LANG} ${httpd} ${PKI_OPTIONS} -t >&/dev/null; then + rv=$? + echo $"not reloading due to configuration syntax error" + if [ -f /etc/init.d/functions ]; then + failure $"not reloading ${httpd} due to configuration syntax error" + else + echo $"not reloading ${httpd} due to configuration syntax error" + fi + else + if [ -f /etc/init.d/functions ]; then + killproc -p ${pidfile} ${httpd} -HUP + rv=$? 
+ else + if [ -f ${PKI_LOCKFILE} ] ; then + if [ -f ${pidfile} ]; then + read kpid < ${pidfile} + if checkpid $kpid 2>&1; then + kill -HUP $kpid + rv=$? + if [ ${rv} != 0 ]; then + rv=${default_error} + fi + fi + else + # * 7 program is not running + rv=7 + echo + echo -n "lock file found but no process " + echo -n "running for pid $kpid, continuing" + echo + echo + rm -f ${PKI_LOCKFILE} + fi + fi + fi + fi + echo + + return ${rv} +} + +# The semantics of the 'start()' function differs from the way 'apachectl' +# does things -- attempting to start while running is a failure. +# So we just do it the way init scripts are expected to behave here. +start() +{ + # From "http://fedoraproject.org/wiki/FCNewInit/Initscripts": + # + # * 0 action was successful + # * 1 generic or unspecified error (current practice) + # * 2 invalid or excess argument(s) + # * 3 unimplemented feature (for example, "reload") + # * 4 user had insufficient privilege + # * 5 program is not installed + # * 6 program is not configured + # * 7 program is not running + # * 8-99 reserved for future LSB use + # * 100-149 reserved for distribution use + # * 150-199 reserved for application use + # * 200-254 reserved + # + + error_rv=0 + rv=0 + + if [ -n "${PKI_REGISTRY_ENTRIES}" ]; then + config_errors=0 + errors=0 + + if [ ${TOTAL_PKI_REGISTRY_ENTRIES} -gt 1 ] ; then + echo "BEGIN STARTING '${PKI_TYPE}' INSTANCE(S):" + fi + + # Start every PKI instance of this type that isn't already running + for PKI_REGISTRY_ENTRY in ${PKI_REGISTRY_ENTRIES}; do + # Source values associated with this particular PKI instance + [ -f ${PKI_REGISTRY_ENTRY} ] && + . ${PKI_REGISTRY_ENTRY} + + pidfile=${PKI_PIDDIR}/${PKI_PIDFILE} + + [ ${TOTAL_PKI_REGISTRY_ENTRIES} -gt 1 ] && echo + + start_instance + + rv=$? + if [ ${rv} = 6 ] ; then + # Since at least ONE configuration error exists, then there + # is at least ONE unconfigured instance from the PKI point + # of view. 
+ # + # However, it must still be considered that the + # instance is "running" from the point of view of other + # OS programs such as 'chkconfig'. + # + # Therefore, ignore non-zero return codes resulting + # from configuration errors. + # + + config_errors=`expr $config_errors + 1` + rv=0 + elif [ ${rv} != 0 ] ; then + errors=`expr $errors + 1` + error_rv=${rv} + fi + done + + if [ ${TOTAL_PKI_REGISTRY_ENTRIES} -gt ${errors} ] ; then + touch ${lockfile} + chmod 00600 ${lockfile} + fi + + # ONLY print a "WARNING" message if multiple + # instances are being examined + if [ ${TOTAL_PKI_REGISTRY_ENTRIES} -gt 1 ] ; then + # NOTE: "bad" return code(s) OVERRIDE configuration errors! + if [ ${errors} -eq 1 ]; then + # Since only ONE error exists, return that "bad" error code. + rv=${error_rv} + elif [ ${errors} -gt 1 ]; then + # Since MORE than ONE error exists, return an OVERALL status + # of "1 generic or unspecified error (current practice)" + rv=1 + fi + + if [ ${errors} -ge 1 ]; then + echo + echo -n "WARNING: " + echo -n "${errors} of ${TOTAL_PKI_REGISTRY_ENTRIES} " + echo -n "'${PKI_TYPE}' instances failed to start!" + echo + fi + + if [ ${TOTAL_UNCONFIGURED_PKI_ENTRIES} -ge 1 ]; then + echo + echo -n "WARNING: " + echo -n "${TOTAL_UNCONFIGURED_PKI_ENTRIES} " + echo -n "of ${TOTAL_PKI_REGISTRY_ENTRIES} " + echo -n "'${PKI_TYPE}' instances MUST be configured!" + echo + fi + + echo + echo "FINISHED STARTING '${PKI_TYPE}' INSTANCE(S)." + fi + else + echo + echo "ERROR: No '${PKI_TYPE}' instances installed!" + rv=5 + fi + + return ${rv} +} + +# The semantics of the 'stop()' function differs from the way 'apachectl' +# does things -- attempting to shutdown when not running is a failure. +# So we just do it the way init scripts are expected to behave here. 
+stop() +{ + # From "http://fedoraproject.org/wiki/FCNewInit/Initscripts": + # + # * 0 action was successful + # * 1 generic or unspecified error (current practice) + # * 2 invalid or excess argument(s) + # * 3 unimplemented feature (for example, "reload") + # * 4 user had insufficient privilege + # * 5 program is not installed + # * 6 program is not configured + # * 7 program is not running + # * 8-99 reserved for future LSB use + # * 100-149 reserved for distribution use + # * 150-199 reserved for application use + # * 200-254 reserved + # + + error_rv=0 + rv=0 + + if [ -n "${PKI_REGISTRY_ENTRIES}" ]; then + errors=0 + + if [ ${TOTAL_PKI_REGISTRY_ENTRIES} -gt 1 ] ; then + echo "BEGIN SHUTTING DOWN '${PKI_TYPE}' INSTANCE(S):" + fi + + # Shutdown every PKI instance of this type that is running + for PKI_REGISTRY_ENTRY in ${PKI_REGISTRY_ENTRIES}; do + # Source values associated with this particular PKI instance + [ -f ${PKI_REGISTRY_ENTRY} ] && + . ${PKI_REGISTRY_ENTRY} + + pidfile=${PKI_PIDDIR}/${PKI_PIDFILE} + + [ ${TOTAL_PKI_REGISTRY_ENTRIES} -gt 1 ] && echo + + stop_instance + + rv=$? + if [ ${rv} != 0 ] ; then + errors=`expr $errors + 1` + error_rv=${rv} + fi + done + + if [ ${errors} -eq 0 ] ; then + rm -f ${lockfile} + fi + + # ONLY print a "WARNING" message if multiple + # instances are being examined + if [ ${TOTAL_PKI_REGISTRY_ENTRIES} -gt 1 ] ; then + if [ ${errors} -eq 1 ]; then + # Since only ONE error exists, return that "bad" error code. + rv=${error_rv} + elif [ ${errors} -gt 1 ]; then + # Since MORE than ONE error exists, return an OVERALL status + # of "1 generic or unspecified error (current practice)" + rv=1 + fi + + if [ ${errors} -ge 1 ]; then + echo + echo -n "WARNING: " + echo -n "${errors} of ${TOTAL_PKI_REGISTRY_ENTRIES} " + echo -n "'${PKI_TYPE}' instances were " + echo -n "unsuccessfully stopped!" + echo + fi + + echo + echo "FINISHED SHUTTING DOWN '${PKI_TYPE}' INSTANCE(S)." 
+ fi + else + echo + echo "ERROR: No '${PKI_TYPE}' instances installed!" + rv=5 + fi + + return ${rv} +} + +restart() +{ + # From "http://fedoraproject.org/wiki/FCNewInit/Initscripts": + # + # * 0 action was successful + # * 1 generic or unspecified error (current practice) + # * 2 invalid or excess argument(s) + # * 3 unimplemented feature (for example, "reload") + # * 4 user had insufficient privilege + # * 5 program is not installed + # * 6 program is not configured + # * 7 program is not running + # * 8-99 reserved for future LSB use + # * 100-149 reserved for distribution use + # * 150-199 reserved for application use + # * 200-254 reserved + # + + stop + sleep 2 + echo + echo "============================================================" + echo + start + + return $? +} + +reload() +{ + # From "http://fedoraproject.org/wiki/FCNewInit/Initscripts": + # + # * 0 action was successful + # * 1 generic or unspecified error (current practice) + # * 2 invalid or excess argument(s) + # * 3 unimplemented feature (for example, "reload") + # * 4 user had insufficient privilege + # * 5 program is not installed + # * 6 program is not configured + # * 7 program is not running + # * 8-99 reserved for future LSB use + # * 100-149 reserved for distribution use + # * 150-199 reserved for application use + # * 200-254 reserved + # + + error_rv=0 + rv=0 + + if [ -n "${PKI_REGISTRY_ENTRIES}" ]; then + errors=0 + + if [ ${TOTAL_PKI_REGISTRY_ENTRIES} -gt 1 ] ; then + echo "BEGIN RELOADING '${PKI_TYPE}' INSTANCE(S):" + fi + + # Reload every PKI instance of this type that is running + for PKI_REGISTRY_ENTRY in ${PKI_REGISTRY_ENTRIES}; do + # Source values associated with this particular PKI instance + [ -f ${PKI_REGISTRY_ENTRY} ] && + . ${PKI_REGISTRY_ENTRY} + + pidfile=${PKI_PIDDIR}/${PKI_PIDFILE} + + [ ${TOTAL_PKI_REGISTRY_ENTRIES} -gt 1 ] && echo + + reload_instance + + rv=$? 
+ if [ ${rv} != 0 ] ; then + errors=`expr $errors + 1` + error_rv=${rv} + fi + done + + # ONLY print a "WARNING" message if multiple + # instances are being examined + if [ ${TOTAL_PKI_REGISTRY_ENTRIES} -gt 1 ] ; then + if [ ${errors} -eq 1 ]; then + # Since only ONE error exists, return that "bad" error code. + rv=${error_rv} + elif [ ${errors} -gt 1 ]; then + # Since MORE than ONE error exists, return an OVERALL status + # of "1 generic or unspecified error (current practice)" + rv=1 + fi + + if [ ${errors} -ge 1 ]; then + echo + echo -n "WARNING: " + echo -n "${errors} of ${TOTAL_PKI_REGISTRY_ENTRIES} " + echo -n "'${PKI_TYPE}' instances were " + echo -n "unsuccessfully reloaded!" + echo + fi + + echo + echo "FINISHED RELOADING '${PKI_TYPE}' INSTANCE(S)." + fi + else + echo + echo "ERROR: No '${PKI_TYPE}' instances reloaded!" + rv=5 + fi + + return ${rv} +} + +status() +{ + # From "http://fedoraproject.org/wiki/FCNewInit/Initscripts": + # + # * 0 program is running or service is OK + # * 1 program is dead and /var/run pid file exists + # * 2 program is dead and /var/lock lock file exists + # * 3 program is not running + # * 4 program or service status is unknown + # * 5-99 reserved for future LSB use + # * 100-149 reserved for distribution use + # * 150-199 reserved for application use + # * 200-254 reserved + # + + error_rv=0 + rv=0 + + if [ -n "${PKI_REGISTRY_ENTRIES}" ]; then + errors=0 + + if [ ${TOTAL_PKI_REGISTRY_ENTRIES} -gt 1 ] ; then + echo "REPORT STATUS OF '${PKI_TYPE}' INSTANCE(S):" + fi + + # Obtain status of every PKI instance of this type + for PKI_REGISTRY_ENTRY in ${PKI_REGISTRY_ENTRIES}; do + # Source values associated with this particular PKI instance + [ -f ${PKI_REGISTRY_ENTRY} ] && + . ${PKI_REGISTRY_ENTRY} + + pidfile=${PKI_PIDDIR}/${PKI_PIDFILE} + + [ ${TOTAL_PKI_REGISTRY_ENTRIES} -gt 1 ] && echo + + display_instance_status + + rv=$? 
+ if [ ${rv} -ne 0 ] ; then + errors=`expr $errors + 1` + error_rv=${rv} + fi + done + + # ONLY print a "WARNING" message if multiple + # instances are being examined + if [ ${TOTAL_PKI_REGISTRY_ENTRIES} -gt 1 ] ; then + if [ ${errors} -eq 1 ]; then + # Since only ONE error exists, return that "bad" error code. + rv=${error_rv} + elif [ ${errors} -gt 1 ]; then + # Since MORE than ONE error exists, return an OVERALL status + # of "4 - program or service status is unknown" + rv=4 + fi + + if [ ${errors} -ge 1 ]; then + echo + echo -n "WARNING: " + echo -n "${errors} of ${TOTAL_PKI_REGISTRY_ENTRIES} " + echo -n "'${PKI_TYPE}' instances reported status failures!" + echo + fi + + if [ ${TOTAL_UNCONFIGURED_PKI_ENTRIES} -ge 1 ]; then + echo + echo -n "WARNING: " + echo -n "${TOTAL_UNCONFIGURED_PKI_ENTRIES} " + echo -n "of ${TOTAL_PKI_REGISTRY_ENTRIES} " + echo -n "'${PKI_TYPE}' instances MUST be configured!" + echo + fi + + echo + echo "FINISHED REPORTING STATUS OF '${PKI_TYPE}' INSTANCE(S)." + fi + else + echo + echo "ERROR: No '${PKI_TYPE}' instances installed!" + rv=4 + fi + + return ${rv} +} + +# See how we were called. +case "${command}" in + start|stop|restart|reload|status) + ${command} + exit $? + ;; + condrestart|force-restart|try-restart) + [ ! -f ${lockfile} ] || restart + exit $? + ;; + *) + # * 3 unimplemented feature (for example, "reload") + # [invalid command - should never be reached] + echo + usage + echo "where valid instance names include:" + list_instances + exit 3 + ;; +esac + diff --git a/pki/base/ra/setup/postinstall b/pki/base/ra/setup/postinstall deleted file mode 100755 index 517c6e448..000000000 --- a/pki/base/ra/setup/postinstall +++ /dev/null 
@@ -1,66 +0,0 @@ -#!/bin/bash -# -# --- BEGIN COPYRIGHT BLOCK --- -# This program is free software; you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation; version 2 of the License. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License along -# with this program; if not, write to the Free Software Foundation, Inc., -# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. -# -# Copyright (C) 2007 Red Hat, Inc. -# All rights reserved. -# --- END COPYRIGHT BLOCK --- -# - -############################################################################### -## (1) Check command line arguments to see how many were passed in. ## -############################################################################### - -if [ $# -eq 4 ] -then - PKI_PRODUCT_NAME=$1 - PKI_SUBSYSTEM_NAME=$2 - VERSION=$3 - RELEASE=$4 -else - echo - echo "Usage: $0 PKI_product_name PKI_subsystem_name version release" - echo - - exit 255 -fi - - -############################################################################### -## (2) Specify variables used by this script. ## -############################################################################### - -PKI_INSTANCE_NAME="${PKI_PRODUCT_NAME}-${PKI_SUBSYSTEM_NAME}" -SECURE_PORT=12889 -NON_CLIENTAUTH_SECURE_PORT=12890 -UNSECURE_PORT=12888 - - -############################################################################### -## (3) Create the first instance of a Registration Authority (RA). ## -############################################################################### - -if [ ! 
-e "/var/lib/${PKI_INSTANCE_NAME}" ]
-then
- /usr/bin/pkicreate -pki_instance_root=/var/lib -pki_instance_name=${PKI_INSTANCE_NAME} -subsystem_type=${PKI_SUBSYSTEM_NAME} -secure_port=${SECURE_PORT} -non_clientauth_secure_port=${NON_CLIENTAUTH_SECURE_PORT} -unsecure_port=${UNSECURE_PORT} -redirect conf=/etc/${PKI_INSTANCE_NAME} -redirect logs=/var/log/${PKI_INSTANCE_NAME}
-fi
-
-
-###############################################################################
-## (4) Successfully exit from this postinstallation script. ##
-###############################################################################
-
-exit 0
-
diff --git a/pki/base/selinux/src/pki.fc b/pki/base/selinux/src/pki.fc
index 21ff9c2e7..bbc6b3ebd 100644
--- a/pki/base/selinux/src/pki.fc
+++ b/pki/base/selinux/src/pki.fc
@@ -92,3 +92,16 @@
 /var/run/pki/tks(/.*)? gen_context(system_u:object_r:pki_tks_var_run_t,s0)
 /etc/init.d/pki-tksd gen_context(system_u:object_r:pki_tks_script_exec_t,s0)
 /etc/sysconfig/pki/tks(/.*)? gen_context(system_u:object_r:pki_tks_etc_rw_t,s0)
+
+# labeling for new RA under pki-rad
+
+/var/run/pki/ra(/.*)? gen_context(system_u:object_r:pki_ra_var_run_t,s0)
+/etc/init.d/pki-rad gen_context(system_u:object_r:pki_ra_script_exec_t,s0)
+/etc/sysconfig/pki/ra(/.*)? gen_context(system_u:object_r:pki_ra_etc_rw_t,s0)
+
+# labeling for new TPS under pki-tpsd
+
+/var/run/pki/tps(/.*)? gen_context(system_u:object_r:pki_tps_var_run_t,s0)
+/etc/init.d/pki-tpsd gen_context(system_u:object_r:pki_tps_script_exec_t,s0)
+/etc/sysconfig/pki/tps(/.*)? gen_context(system_u:object_r:pki_tps_etc_rw_t,s0)
+
diff --git a/pki/base/selinux/src/pki.if b/pki/base/selinux/src/pki.if
index 1364b15ce..aa78cec3c 100644
--- a/pki/base/selinux/src/pki.if
+++ b/pki/base/selinux/src/pki.if
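Review bot: The new `/var/run/pki/ra(/.*)?` and `/var/run/pki/tps(/.*)?` entries only take effect on a directory that is actually relabelled, and the pki-rad script added by this commit creates ${PKI_PIDDIR} in fix_pid_dir_ownership() with `mkdir -p` plus chown/chmod but never runs restorecon on it; start_instance() relabels only ${pidfile}. Whether a freshly created directory still ends up as pki_ra_var_run_t then depends on a file transition from whatever domain the init script runs in, which cannot be confirmed from this diff. Adding `[ -x /sbin/restorecon ] && /sbin/restorecon -R ${PKI_PIDDIR}` after the mkdir in fix_pid_dir_ownership() would make the labelling independent of that, and the same presumably applies to the pki-tpsd script if it carries the same function.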
@@ -108,7 +108,7 @@ template(`pki_ca_template',`
 manage_files_pattern($1_t, $1_etc_rw_t, $1_etc_rw_t)
 files_etc_filetrans($1_t,$1_etc_rw_t, { file dir })
- # start/ stop using pki-cad, pki-krad, pki-ocspd, or pki-tksd
+ # start/stop using pki-cad, pki-krad, pki-ocspd, or pki-tksd
 allow setfiles_t $1_etc_rw_t:file read;
 manage_dirs_pattern($1_t, $1_var_run_t, $1_var_run_t)
@@ -413,7 +413,7 @@ interface(`pki_ra_script_domtrans',`
 template(`pki_tps_template',`
 gen_require(`
 attribute pki_tps_process;
- attribute pki_tps_config, pki_tps_var_lib;
+ attribute pki_tps_config, pki_tps_var_lib, pki_tps_var_run;
 attribute pki_tps_executable, pki_tps_script, pki_tps_var_log;
 ')
 ########################################
@@ -432,6 +432,9 @@ template(`pki_tps_template',`
 type $1_etc_rw_t, pki_tps_config;
 files_type($1_etc_rw_t)
+ type $1_var_run_t, pki_tps_var_run;
+ files_pid_file($1_var_run_t)
+
 type $1_var_lib_t, pki_tps_var_lib;
 files_type($1_var_lib_t)
@@ -456,6 +459,10 @@ template(`pki_tps_template',`
 manage_files_pattern($1_t, $1_etc_rw_t, $1_etc_rw_t)
 files_etc_filetrans($1_t,$1_etc_rw_t, { file dir })
+ manage_dirs_pattern($1_t, $1_var_run_t, $1_var_run_t)
+ manage_files_pattern($1_t, $1_var_run_t, $1_var_run_t)
+ files_pid_filetrans($1_t,$1_var_run_t, { file dir })
+
 manage_dirs_pattern($1_t, $1_var_lib_t, $1_var_lib_t)
 manage_files_pattern($1_t, $1_var_lib_t, $1_var_lib_t)
 read_lnk_files_pattern($1_t, $1_var_lib_t, $1_var_lib_t)
@@ -483,6 +490,11 @@ template(`pki_tps_template',`
 type httpd_suexec_exec_t;
 ')
+ #============= httpd_t ==============
+ allow httpd_t $1_var_run_t:dir search;
+ allow httpd_t $1_var_run_t:file read;
+ allow httpd_t $1_var_run_t:file open;
+
 # start up httpd in pki_tps_t mode
 allow pki_tps_t httpd_config_t:file { read getattr execute };
 allow pki_tps_t httpd_exec_t:file entrypoint;
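Review bot: The three `allow httpd_t $1_var_run_t` rules in the `@@ -483,6 +490,11 @@` hunk grant the generic httpd_t domain access to every instance's pid directory without saying why that domain, rather than the confined $1_t that already receives manage_dirs_pattern/manage_files_pattern on $1_var_run_t in the preceding hunk, needs it; the identical block is repeated for the RA template in `@@ -654,6 +673,11 @@`. Presumably the reason is that stop_instance() in the new pki-rad script runs `${httpd} ${PKI_OPTIONS} -k stop` without runcon, so the stopping process lands in httpd_t and must read the pid file, and that deserves a comment such as `# httpd_t (not $1_t) reads the pid file when the init script runs 'httpd -k stop' / '-t' without runcon`. Style-wise the hand-written `dir search` / `file read` / `file open` triple would be better expressed with the refpolicy macro already used elsewhere in this file, `read_files_pattern(httpd_t, $1_var_run_t, $1_var_run_t)`, which also covers the `getattr` permission a stat() of the pid file needs and which these three rules omit.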
@@ -582,7 +594,7 @@ template(`pki_tps_template',`
 template(`pki_ra_template',`
 gen_require(`
 attribute pki_ra_process;
- attribute pki_ra_config, pki_ra_var_lib;
+ attribute pki_ra_config, pki_ra_var_lib, pki_ra_var_run;
 attribute pki_ra_executable, pki_ra_script, pki_ra_var_log;
 ')
 ########################################
@@ -601,6 +613,9 @@ template(`pki_ra_template',`
 type $1_etc_rw_t, pki_ra_config;
 files_type($1_etc_rw_t)
+ type $1_var_run_t, pki_ra_var_run;
+ files_pid_file($1_var_run_t)
+
 type $1_var_lib_t, pki_ra_var_lib;
 files_type($1_var_lib_t)
@@ -625,6 +640,10 @@ template(`pki_ra_template',`
 manage_files_pattern($1_t, $1_etc_rw_t, $1_etc_rw_t)
 files_etc_filetrans($1_t,$1_etc_rw_t, { file dir })
+ manage_dirs_pattern($1_t, $1_var_run_t, $1_var_run_t)
+ manage_files_pattern($1_t, $1_var_run_t, $1_var_run_t)
+ files_pid_filetrans($1_t,$1_var_run_t, { file dir })
+
 manage_dirs_pattern($1_t, $1_var_lib_t, $1_var_lib_t)
 manage_files_pattern($1_t, $1_var_lib_t, $1_var_lib_t)
 read_lnk_files_pattern($1_t, $1_var_lib_t, $1_var_lib_t)
@@ -654,6 +673,11 @@ template(`pki_ra_template',`
 type httpd_suexec_exec_t;
 ')
+ #============= httpd_t ==============
+ allow httpd_t $1_var_run_t:dir search;
+ allow httpd_t $1_var_run_t:file read;
+ allow httpd_t $1_var_run_t:file open;
+
 # start up httpd in pki_ra_t mode
 allow pki_ra_t httpd_config_t:file { read getattr execute };
 allow pki_ra_t httpd_exec_t:file entrypoint;
@@ -780,6 +804,7 @@ interface(`pki_ra_admin',`
 attribute pki_ra_executable;
 attribute pki_ra_var_lib;
 attribute pki_ra_var_log;
+ attribute pki_ra_var_run;
 attribute pki_ra_script;
 ')
@@ -793,6 +818,7 @@ interface(`pki_ra_admin',`
 allow $2 system_r;
 manage_all_pattern($1, pki_ra_config)
+ manage_all_pattern($1, pki_ra_var_run)
 manage_all_pattern($1, pki_ra_var_lib)
 manage_all_pattern($1, pki_ra_var_log)
 manage_all_pattern($1, pki_ra_config)
@@ -917,6 +943,7 @@ interface(`pki_tps_admin',` attribute pki_tps_executable; attribute pki_tps_var_lib; attribute pki_tps_var_log; + attribute pki_tps_var_run; attribute pki_tps_script; ') @@ -930,6 +957,7 @@ interface(`pki_tps_admin',` allow $2 system_r; manage_all_pattern($1, pki_tps_config) + manage_all_pattern($1, pki_tps_var_run) manage_all_pattern($1, pki_tps_var_lib) manage_all_pattern($1, pki_tps_var_log) manage_all_pattern($1, pki_tps_config) diff --git a/pki/base/selinux/src/pki.te b/pki/base/selinux/src/pki.te index 84da2e54a..6bd3d98b6 100644 --- a/pki/base/selinux/src/pki.te +++ b/pki/base/selinux/src/pki.te @@ -1,4 +1,4 @@ -policy_module(pki,1.0.16) +policy_module(pki,1.0.17) attribute pki_ca_config; attribute pki_ca_executable; diff --git a/pki/base/setup/pkicommon b/pki/base/setup/pkicommon index 2ff95db4b..c2dde215d 100755 --- a/pki/base/setup/pkicommon +++ b/pki/base/setup/pkicommon @@ -102,9 +102,9 @@ my $is_IPv6 = 0; # Compute "hardware platform" of Operating System if( $^O eq "linux" ) { - $default_hardware_platform = `uname -i`; - $default_hardware_platform =~ s/\s+$//g; - chomp( $default_hardware_platform ); + $default_hardware_platform = `uname -i`; + $default_hardware_platform =~ s/\s+$//g; + chomp( $default_hardware_platform ); if( $default_hardware_platform eq "i386" ) { # 32-bit Linux $default_system_binaries = "/bin"; @@ -137,9 +137,9 @@ if( $^O eq "linux" ) { $hostname = hostname; } } elsif( $^O eq "solaris" ) { - $default_hardware_platform = `uname -p`; - $default_hardware_platform =~ s/\s+$//g; - chomp( $default_hardware_platform ); + $default_hardware_platform = `uname -p`; + $default_hardware_platform =~ s/\s+$//g; + chomp( $default_hardware_platform ); if( ( $default_hardware_platform eq "sparc" ) && ( -d "/usr/lib/sparcv9/" ) ) { 
@@ -217,6 +217,12 @@ $HTTPS_PREFIX = "https://";
 $LDAP_PREFIX = "ldap://";
 $LDAPS_PREFIX = "ldaps://";
 
+# Identity values
+$PKI_USER = "pkiuser";
+$PKI_GROUP = "pkiuser";
+$PKI_UID = 17;
+$PKI_GID = 17;
+
 # Subsystem names
 $CA = "ca";
 $KRA = "kra";
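Review bot: `$PKI_UID = 17;` and `$PKI_GID = 17;` are static ids with no comment saying where 17 comes from or what happens when it is already allocated on the host; `create_user` in a later hunk passes it straight to `useradd -u`, and on a collision only the trailing `user_exists` check notices, so the install ends up without the account. Suggest replacing the bare `# Identity values` with `# Static uid/gid for the default pkiuser account; presumably reserved with the distribution's fixed-id registry — useradd/groupadd fail if 17 is already taken on this host`. Keeping the four values together with that note also makes it obvious that `$PKI_USER`/`$PKI_GROUP` are what `pkicreate` now defaults `$pki_user`/`$pki_group` to.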
@@ -464,6 +470,90 @@ sub user_exists
 }
+# arg0 username
+# arg1 groupname
+# return 1 - success, or
+# return 0 - failure
+sub create_user
+{
+ my( $username ) = $_[0];
+ my( $groupname ) = $_[1];
+
+ my $command = "";
+ my $report = "";
+
+ my $result = 0;
+
+ if( ( $username eq $PKI_USER ) &&
+ ( $groupname eq $PKI_GROUP ) ) {
+ # Attempt to create $PKI_USER with $PKI_UID
+ emit( "create_user(): Adding default PKI user '$username' "
+ . "(uid=$PKI_UID) to '/etc/passwd'.\n", "debug" );
+ if( $^O eq "linux" ) {
+ $command = "/usr/sbin/useradd "
+ . "-g $groupname "
+ . "-d /usr/share/pki "
+ . "-s /sbin/nologin "
+ . "-c 'Certificate System' "
+ . "-u $PKI_UID "
+ . "-r "
+ . "$username";
+ } elsif( $^O eq "solaris" ) {
+ $command = "/usr/sbin/useradd "
+ . "-g $groupname "
+ . "-d /usr/share/pki "
+ . "-s /bin/false "
+ . "-c 'Certificate System' "
+ . "-u $PKI_UID "
+ . "$username";
+ } else {
+ $command = "/usr/sbin/useradd "
+ . "-g $groupname "
+ . "-d /usr/share/pki "
+ . "-s '' "
+ . "-c 'Certificate System' "
+ . "-u $PKI_UID "
+ . "$username";
+ }
+ } else {
+ # Attempt to create $username with random UID
+ emit( "create_user(): Adding default PKI user '$username' "
+ . "(uid=random) to '/etc/passwd'.\n", "debug" );
+ if( $^O eq "linux" ) {
+ $command = "/usr/sbin/useradd "
+ . "-g $groupname "
+ . "-d /usr/share/pki "
+ . "-s /sbin/nologin "
+ . "-c 'Certificate System' "
+ . "$username";
+ } elsif( $^O eq "solaris" ) {
+ $command = "/usr/sbin/useradd "
+ . "-g $groupname "
+ . "-d /usr/share/pki "
+ . "-s /bin/false "
+ . "-c 'Certificate System' "
+ . "$username";
+ } else {
+ $command = "/usr/sbin/useradd "
+ . "-g $groupname "
+ . "-d /usr/share/pki "
+ . "-s '' "
+ . "-c 'Certificate System' "
+ . "$username";
+ }
+ }
+
+ $report = `$command`;
+ if( $report ne "" ) {
+ emit( "$report", "error" );
+ }
+
+ $result = user_exists( $username );
+
+ return $result;
+}
+
+
 # arg0 groupname
 # return 1 - exists, or
 # return 0 - DOES NOT exist
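Review bot: `$command` is built by interpolating `$username` and `$groupname` into a string and executed through the shell with backticks, so a name containing whitespace or a shell metacharacter is split or interpreted instead of reaching `useradd` as one argument; the same construction is repeated in `create_group` in the next hunk. Either run the list form, `system( "/usr/sbin/useradd", "-g", $groupname, "-d", "/usr/share/pki", "-s", "/sbin/nologin", "-c", "Certificate System", "-u", $PKI_UID, "-r", $username )`, or reject names that do not match `/^[a-z_][a-z0-9_-]*$/` before building the command. Backticks capture only stdout and `$?` is never read, so a `useradd` failure reported on stderr leaves `$report` empty and nothing is logged; checking `$? >> 8` after the call would name the failure instead of leaving it to the trailing `user_exists` call. Creating a system account is a side effect an administrator should see, so the two `emit( ..., "debug" )` calls are probably better at the normal level.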
@@ -483,7 +573,65 @@ sub group_exists
 }
+# arg0 groupname
+# return 1 - success, or
+# return 0 - failure
+sub create_group
+{
+ my( $groupname ) = $_[0];
+
+ my $command = "";
+ my $report = "";
+
+ my $result = 0;
+
+ if( $groupname eq $PKI_GROUP ) {
+ # Attempt to create $PKI_GROUP with $PKI_GID
+ emit( "Adding default PKI group '$groupname' "
+ . "(gid=$PKI_GID) to '/etc/group'.\n", "debug" );
+ if( $^O eq "linux" ) {
+ $command = "/usr/sbin/groupadd "
+ . "-g $PKI_GID "
+ . "-r "
+ . "$groupname";
+ } elsif( $^O eq "solaris" ) {
+ $command = "/usr/sbin/groupadd "
+ . "-g $PKI_GID "
+ . "$groupname";
+ } else {
+ $command = "/usr/sbin/groupadd "
+ . "-g $PKI_GID "
+ . "$groupname";
+ }
+ } else {
+ # Attempt to create $groupname with random GID
+ emit( "Adding default PKI group '$groupname' "
+ . "(gid=random) to '/etc/group'.\n", "debug" );
+ if( $^O eq "linux" ) {
+ $command = "/usr/sbin/groupadd "
+ . "$groupname";
+ } elsif( $^O eq "solaris" ) {
+ $command = "/usr/sbin/groupadd "
+ . "$groupname";
+ } else {
+ $command = "/usr/sbin/groupadd "
+ . "$groupname";
+ }
+ }
+
+ $report = `$command`;
+ if( $report ne "" ) {
+ emit( "$report", "error" );
+ }
+
+ $result = group_exists( $groupname );
+
+ return $result;
+}
+
+
 # arg0 username
+# arg1 groupname
 # return 1 - disallows shell, or
 # return 0 - allows shell
 sub user_disallows_shell
@@ -498,10 +646,10 @@ sub user_disallows_shell
 $sans_shell="/sbin/nologin";
 $result = 0;
 } elsif( $^O eq "solaris" ) {
- $sans_shell="";
+ $sans_shell="/bin/false";
 $result = 0;
 } else {
- # Don't care
+ $sans_shell="";
 return 1;
 }
 
@@ -512,7 +660,9 @@ sub user_disallows_shell
 my( $name, $passwd, $uid, $gid, $quota, $comment,
 $gcos, $dir, $shell, $expire ) = getpwnam( $username );
 
- if( $shell eq $sans_shell ) {
+ if( $shell eq "" ) {
+ $result = 1;
+ } elsif( $shell eq $sans_shell ) {
 $result = 1;
 } else {
 # issue a warning and continue
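Review bot: The new `if( $shell eq "" ) { $result = 1; }` in the last hunk treats an empty passwd shell field as a disabled login, but login(1), su and sshd typically substitute the default shell (/bin/sh) when that field is empty, so such an account can still log in interactively; the branch should fall through to the existing warning path rather than report success. The earlier hunk's `else` arm now sets `$sans_shell=""` and still returns 1 before any lookup, so on platforms other than Linux and Solaris the check is a no-op — a comment such as `# unknown platform: login-shell policy is not enforced here` would make that explicit. The header gains `# arg1 groupname` but the visible body reads only `$username`; `sub user_disallows_shell`'s signature is outside the hunk, so drop that line unless a second argument was really added. `create_group` in the first hunk repeats the string-built shell command already flagged on `create_user`.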
diff --git a/pki/base/setup/pkicreate b/pki/base/setup/pkicreate
index d65e23715..d44c4a134 100755
--- a/pki/base/setup/pkicreate
+++ b/pki/base/setup/pkicreate
@@ -242,9 +242,6 @@ my $cmsbundle_jar_base_name = "cmsbundle.jar"; # CA, KRA, OCSP, TKS
 my $cmscore_jar_base_name = "cmscore.jar"; # CA, KRA, OCSP, TKS
 my $conf_base_name = "conf"; # CA, KRA, OCSP, TKS,
 # RA, TPS
-# BEGIN Legacy Start/Stop Implementation
-my $httpd_base_name = "httpd"; # RA, TPS
-# END Legacy Start/Stop Implementation
 my $httpd_conf_base_name = "httpd.conf"; # RA, TPS
 my $index_html_base_name = "index.html"; # CA, KRA, OCSP, TKS
 my $logs_base_name = "logs"; # CA, KRA, OCSP, TKS,
@@ -271,9 +268,6 @@ my $velocity_prop_base_name = "velocity.properties"; # CA, KRA, OCSP, TKS
 my $web_xml_base_name = "web.xml"; # CA, KRA, OCSP, TKS
 
 # Subdirectory names
-# BEGIN Legacy Start/Stop Implementation
-my $initd_base_subsystem_dir = "init.d"; # RA, TPS
-# END Legacy Start/Stop Implementation
 my $perl_base_instance_symlink = "perl"; # RA, TPS
 my $perl_base_subsystem_dir = "perl"; # RA, TPS
 my $signed_audit_base_instance_dir = "signedAudit"; # CA, KRA, OCSP, TKS, TPS
@@ -282,7 +276,7 @@ my $webapps_root_base_subsystem_dir = "ROOT"; # CA, KRA, OCSP, TKS
 my $webinf_base_instance_dir = "WEB-INF"; # CA, KRA, OCSP, TKS
 
 # Defaults
-my $default_apache_pids_path = "/var/run";
+my $default_apache_pids_path = "/var/run/pki";
 my $default_java_path = "/usr/share/java";
 my $default_dir_permissions = 00770;
 my $default_exe_permissions = 00770;
@@ -291,8 +285,8 @@ my $default_security_token = "internal";
 my $default_tomcat_common_path = "/var/lib/tomcat5/common";
 
 # Default PKI user and group to give to PKI installed files
-my $pki_user = "pkiuser";
-my $pki_group = "pkiuser";
+my $pki_user = $PKI_USER;
+my $pki_group = $PKI_GROUP;
 
 # PKI creation constants
 my $db_password_low = 100000000000;
@@ -531,11 +525,6 @@ my $pki_cfg_instance_file_path = ""; # CA, KRA, OCSP, TKS,
 # RA, TPS
 my $pki_cfg_subsystem_file_path = ""; # CA, KRA, OCSP, TKS,
 # RA, TPS
-# BEGIN Legacy Start/Stop Implementation
-my $pki_start_stop_script_instance_file_path = ""; # RA, TPS
-my $pki_start_stop_script_subsystem_file_path = ""; # RA, TPS
-my $pki_start_stop_script_symlink_path = ""; # RA, TPS
-# END Legacy Start/Stop Implementation
 my $schemaMods_ldif_instance_file_path = ""; # RA, TPS
 my $schemaMods_ldif_subsystem_file_path = ""; # RA, TPS
 my $server_xml_instance_file_path = ""; # CA, KRA, OCSP, TKS
@@ -1026,16 +1015,9 @@ sub pki_instance_already_exists
 my $result = 0;
 my $instance = "";
 
- if( ( $subsystem_type eq $RA || $subsystem_type eq $TPS ) ) {
- # BEGIN Legacy Start/Stop Implementation
- $instance = $default_init_scripts_path
- . "/" . $name;
- # END Legacy Start/Stop Implementation
- } else {
- $instance = $pki_registry_path
- . "/" . $subsystem_type
- . "/" . $name;
- }
+ $instance = $pki_registry_path
+ . "/" . $subsystem_type
+ . "/" . $name;
 
 if( -e $instance ) {
 $result = 1;
@@ -1310,65 +1292,71 @@ sub parse_arguments() } - ## Optional "-user=<username>" option - if( $username ne "" ) { - if( $groupname eq "" ) { + ## Optional "-group=<groupname>" option + if( $groupname ne "" ) { + if( $username eq "" ) { usage(); - emit( "Must ALSO specify group ownership using -group!\n", + emit( "Must ALSO specify user ownership using -user!\n", "error" ); return 0; } - if( !user_exists( $username ) ) { - usage(); - emit( "The user '$username' is invalid on this machine!\n", - "error" ); - return 0; + if( !group_exists( $groupname ) ) { + if( !create_group( $groupname ) ) { + usage(); + emit( "Unable to create group '$groupname' on this machine!\n", + "error" ); + return 0; + } } - # Overwrite default value of $pki_user with user-specified $username - $pki_user = $username; - } - - - # At this point in time, ALWAYS check that "$pki_user" exists! - if( !user_exists( $pki_user ) ) { - usage(); - emit( "Please contact your system administrator " - . "to create '$pki_user'!\n", - "error" ); - return 0; + # Overwrite default value of $pki_group with user-specified $groupname + $pki_group = $groupname; } - ## Optional "-group=<groupname>" option - if( $groupname ne "" ) { - if( $username eq "" ) { + # At this point in time, ALWAYS check that "$pki_group" exists! 
+ if( !group_exists( $pki_group ) ) { + if( !create_group( $pki_group ) ) { usage(); - emit( "Must ALSO specify user ownership using -user!\n", + emit( "Unable to create group '$pki_group' on this machine!\n", "error" ); return 0; } + } - if( !group_exists( $groupname ) ) { + + ## Optional "-user=<username>" option + if( $username ne "" ) { + if( $groupname eq "" ) { usage(); - emit( "The group '$groupname' is invalid on this machine!\n", + emit( "Must ALSO specify group ownership using -group!\n", "error" ); return 0; } - # Overwrite default value of $pki_group with user-specified $groupname - $pki_group = $groupname; + if( !user_exists( $username ) ) { + if( !create_user( $username, $groupname ) ) { + usage(); + emit( "Unable to create user '$username' on this machine!\n", + "error" ); + return 0; + } + } + + # Overwrite default value of $pki_user with user-specified $username + $pki_user = $username; } - # At this point in time, ALWAYS check that "$pki_group" exists! - if( !group_exists( $pki_group ) ) { - usage(); - emit( "Please contact your system administrator " - . "to create '$pki_group'!\n", - "error" ); - return 0; + # At this point in time, ALWAYS check that "$pki_user" exists! + if( !user_exists( $pki_user ) ) { + if( !create_user( $pki_user, $pki_group ) ) { + usage(); + emit( "Unable to create user '$pki_user' on this machine!\n", + "error" ); + return 0; + } } 
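Review bot: When `$pki_user` already exists the new code accepts it without checking that its uid is `$PKI_UID` — the `user_exists( $pki_user )` branch never reads the uid — so the fixed-id guarantee that `create_user` establishes on a fresh host is not enforced on an upgrade or where `pkiuser` was created by something else; if the static id matters for file ownership across packages, compare `(getpwnam( $pki_user ))[2]` with `$PKI_UID` for the default account and at least warn on mismatch. The same gap exists for `$pki_group` and `$PKI_GID` in the `group_exists` branch. Each failure path calls `usage()` before `emit( ..., "error" )`, so the actual reason is printed after the usage text; the order is pre-existing style, but worth reversing while the block is being rewritten. parse_arguments begins before this hunk and continues after it.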
@@ -1626,16 +1614,6 @@ sub initialize_subdirectory_paths() ## Initialize subdirectory paths (subsystem independent) $pki_cfg_subsystem_file_path = $conf_subsystem_path . "/" . $pki_cfg_base_name; - # BEGIN Legacy Start/Stop Implementation - $pki_start_stop_script_instance_file_path = $default_init_scripts_path - . "/" . $pki_instance_name; - $pki_start_stop_script_subsystem_file_path = $pki_subsystem_path - . "/" . $etc_base_subsystem_dir - . "/" . $initd_base_subsystem_dir - . "/" . $httpd_base_name; - $pki_start_stop_script_symlink_path = $pki_instance_path - . "/" . $pki_instance_name; - # END Legacy Start/Stop Implementation if( $^O eq "linux" ) { $setup_config_instance_file_path = $setup_config_area . "/" . $pki_instance_name @@ -1811,17 +1789,8 @@ sub initialize_subdirectory_paths() . "/" . $server_xml_base_name; $servercertnick_conf_subsystem_file_path = $conf_subsystem_path . "/" . $servercertnick_conf_base_name; - if( ( $subsystem_type ne $RA && $subsystem_type ne $TPS ) ) { - $subsystem_jar_file_path = $default_java_path - . "/" . $subsystem_type . ".jar"; - } else { - # BEGIN Legacy Start/Stop Implementation - $subsystem_jar_file_path = $default_java_path - . "/" . $pki_flavor - . "/" . $subsystem_type + $subsystem_jar_file_path = $default_java_path . "/" . $subsystem_type . ".jar"; - # END Legacy Start/Stop Implementation - } $subsystem_jar_symlink_path = $webinf_lib_instance_path . "/" . $subsystem_type . ".jar"; $tomcat5_conf_subsystem_file_path = $conf_subsystem_path 
@@ -2558,32 +2527,6 @@ LoadModule nss_module /opt/fortitude/modules.local/libmodnss.so chmod( $default_file_permissions, $pki_cfg_instance_file_path ); - # BEGIN Legacy Start/Stop Implementation - if( ( $subsystem_type eq $RA || $subsystem_type eq $TPS ) ) { - # process "httpd" template - # - # NOTE: CA, KRA, OCSP, TKS instances are dependent upon the location - # of the instance-specific "server.xml" file, while RA and TPS - # instances are dependent upon the instance-specific location - # of the "nss.conf" file. - # - $result = process_file_template( - $pki_start_stop_script_subsystem_file_path, - $pki_start_stop_script_instance_file_path, - \%slot_hash ); - if( !$result ) { - return 0; - } - - chmod( $default_exe_permissions, - $pki_start_stop_script_instance_file_path ); - - push( @installed_files, - $pki_start_stop_script_instance_file_path ); - } - # END Legacy Start/Stop Implementation - - if( $^O eq "linux" ) { # process "config.desktop" template $result = process_file_template( $setup_config_subsystem_file_path, 
@@ -2928,85 +2871,61 @@ sub process_pki_files_and_symlinks() chmod( $default_file_permissions, $pfile_instance_file_path ); + # generate a local init script for this PKI instance + my $local_pki_init_script = new FileHandle; + my $local_pki_init_script_name = $pki_instance_path + . "/" . $pki_instance_name; + my $local_pki_init_script_command = ""; + + # create this PKI instance's local init script + $local_pki_init_script->open( ">$local_pki_init_script_name" ) or + die "Could not open $local_pki_init_script_name\n"; + + # publish the appropriate contents to this + # PKI instance's local init script + $local_pki_init_script->print( "#!/bin/bash\n" ); + $local_pki_init_script->print( "if [ \$# -ne 1 ]; then\n" ); + $local_pki_init_script->print( " echo \"Usage: \$0 {start|stop|" + . "restart|condrestart|force-restart|" + . "try-restart|reload|status}\"\n" ); + $local_pki_init_script->print( " exit 3\n" ); + $local_pki_init_script->print( "fi\n\n" ); - if( ( $subsystem_type eq $RA || $subsystem_type eq $TPS ) ) { - # BEGIN Legacy Start/Stop Implementation - # create instance symlink to actual instance "start/stop" script - $result = create_symbolic_link( $pki_start_stop_script_symlink_path, - $pki_start_stop_script_instance_file_path ); - if( !$result ) { - return 0; - } - # - # NOTE: This symlink requires "$root_user:$root_group" ownership - # since the destination that it refers to is owned by - # "$root_user:$root_group". - # - $result = give_symbolic_link_to( $pki_start_stop_script_symlink_path, - $root_user, - $root_group ); - if( !$result ) { - emit( "$pki_start_stop_script_instance_file_path ownership problems!", - "error" ); - return 0; - } - # END Legacy Start/Stop Implementation + if( $^O eq "linux" ) { + $local_pki_init_script_command = "/sbin/service" + . " " . $pki_init_script + . " " . "\$1" + . " " . 
$pki_instance_name; } else { - # generate a local init script for this PKI instance - my $local_pki_init_script = new FileHandle; - my $local_pki_init_script_name = $pki_instance_path - . "/" . $pki_instance_name; - my $local_pki_init_script_command = ""; - - # create this PKI instance's local init script - $local_pki_init_script->open( ">$local_pki_init_script_name" ) or - die "Could not open $local_pki_init_script_name\n"; - - # publish the appropriate contents to this - # PKI instance's local init script - $local_pki_init_script->print( "#!/bin/bash\n" ); - $local_pki_init_script->print( "if [ \$# -ne 1 ]; then\n" ); - $local_pki_init_script->print( " echo \"Usage: \$0 {start|stop|restart|condrestart|force-restart|try-restart|reload|status}\"\n" ); - $local_pki_init_script->print( " exit 3\n" ); - $local_pki_init_script->print( "fi\n\n" ); - - if( $^O eq "linux" ) { - $local_pki_init_script_command = "/sbin/service" - . " " . $pki_init_script - . " " . "\$1" - . " " . $pki_instance_name; - } else { - # default case: e. g. - ( $^O eq "solaris" ) - $local_pki_init_script_command = $default_init_scripts_path - . "/" . $pki_init_script - . " " . "\$1" - . " " . $pki_instance_name; - } - - $local_pki_init_script->print( "$local_pki_init_script_command\n\n" ); + # default case: e. g. - ( $^O eq "solaris" ) + $local_pki_init_script_command = $default_init_scripts_path + . "/" . $pki_init_script + . " " . "\$1" + . " " . $pki_instance_name; + } - # close and save this PKI instance's local init script - $local_pki_init_script->close(); + $local_pki_init_script->print( "$local_pki_init_script_command\n\n" ); - # - # NOTE: This PKI instance's local init script requires - # "$root_user:$root_group" ownership since the - # destination that it refers to is owned by - # "$root_user:$root_group". 
- # - $result = give_file_to( $local_pki_init_script_name, - $root_user, - $root_group ); - if( !$result ) { - emit( "$local_pki_init_script_name ownership problems!", - "error" ); - return 0; - } + # close and save this PKI instance's local init script + $local_pki_init_script->close(); - chmod( $default_exe_permissions, - $local_pki_init_script_name ); + # + # NOTE: This PKI instance's local init script requires + # "$root_user:$root_group" ownership since the + # destination that it refers to is owned by + # "$root_user:$root_group". + # + $result = give_file_to( $local_pki_init_script_name, + $root_user, + $root_group ); + if( !$result ) { + emit( "$local_pki_init_script_name ownership problems!", + "error" ); + return 0; } + chmod( $default_exe_permissions, + $local_pki_init_script_name ); ## Populate instances (RA, TPS instances) if( $subsystem_type eq $RA || $subsystem_type eq $TPS ) { @@ -3048,7 +2967,8 @@ sub process_pki_files_and_symlinks() # create instance symlink to apache "run" subdirectory $result = create_symbolic_link( $run_instance_symlink_path, - $default_apache_pids_path ); + ( $default_apache_pids_path + . "/" . $subsystem_type ) ); if( !$result ) { return 0; } 
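Review bot: The wrapper written to `$pki_instance_path/$pki_instance_name` is handed to `$root_user:$root_group`, but the NOTE justifies that by the ownership of what the wrapper points to; what actually matters is who can replace the file, and a root-owned file inside a directory writable by `$pki_user` (the ownership of `$pki_instance_path` is not visible in this hunk) can still be renamed away and substituted, after which root invoking the wrapper runs the substitute. If the instance directory is pkiuser-owned, the wrapper belongs in a root-owned location, and the NOTE should read `# root:root so that only root can alter a script root will later execute`. In the second hunk the `run` symlink now targets `$default_apache_pids_path/$subsystem_type`, but nothing here creates that directory, so unless the init script does, the link dangles and httpd cannot write its pid file; on systems where /var/run is volatile it has to be recreated at every boot. `$local_pki_init_script->open( ">$local_pki_init_script_name" )` is the two-argument form and `die` bypasses the `return 0` convention every other failure in this function follows; `$local_pki_init_script->open( $local_pki_init_script_name, ">" )` plus `emit` and `return 0` would be consistent. process_pki_files_and_symlinks begins before the hunk and continues after it.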
@@ -3452,8 +3372,169 @@ sub construct_pki_instance_registry() . "conf/" . "restart_server_after_configuration\n" ); $pki_instance_registry->print( "export RESTART_SERVER\n\n" ); -# } elsif( $subsystem_type eq $RA || -# $subsystem_type eq $TPS ) { + } elsif( $subsystem_type eq $RA || + $subsystem_type eq $TPS ) { + $pki_instance_registry->print( "# Establish PKI Variable \"Slot\" " + . "Substitutions\n\n" ); + $pki_instance_registry->print( "PKI_INSTANCE_ID=$pki_instance_name\n" ); + $pki_instance_registry->print( "export PKI_INSTANCE_ID\n\n" ); + $pki_instance_registry->print( "PKI_HTTPD_CONF=" + . "$httpd_conf_instance_file_path\n" ); + $pki_instance_registry->print( "export PKI_HTTPD_CONF\n\n" ); + $pki_instance_registry->print( "PKI_SERVER_ROOT=$pki_instance_path\n" ); + $pki_instance_registry->print( "export PKI_SERVER_ROOT\n\n" ); + $pki_instance_registry->print( "PKI_SYSTEM_USER_LIBRARIES=" + . "$default_system_user_libraries\n" ); + $pki_instance_registry->print( "export PKI_SYSTEM_USER_LIBRARIES\n\n" ); + if( is_Fedora() || (is_RHEL() && (! is_RHEL4())) ) { + $pki_instance_registry->print( "PKI_FORTITUDE_DIR=\"/usr\"\n" ); + } else { + $pki_instance_registry->print( "PKI_FORTITUDE_DIR=" + . "\"/opt/fortitude\"\n" ); + } + $pki_instance_registry->print( "export PKI_FORTITUDE_DIR\n\n" ); + $pki_instance_registry->print( "PKI_NSS_CONF=" + . "$nss_conf_instance_file_path\n" ); + $pki_instance_registry->print( "export PKI_NSS_CONF\n\n" ); + $pki_instance_registry->print( "PKI_SERVER_NAME=$host\n" ); + $pki_instance_registry->print( "export PKI_SERVER_NAME\n\n" ); + $pki_instance_registry->print( "PKI_GROUP=$pki_group\n" ); + $pki_instance_registry->print( "export PKI_GROUP\n\n" ); + $pki_instance_registry->print( "PKI_USER=$pki_user\n" ); + $pki_instance_registry->print( "export PKI_USER\n\n" ); + $pki_instance_registry->print( "##################" + . "##################" + . "##################" + . 
"##################\n" ); + $pki_instance_registry->print( "# This section contains " + . "modified content of " + . "\"/etc/sysconfig/httpd\" #\n" ); + $pki_instance_registry->print( "##################" + . "##################" + . "##################" + . "##################\n" ); + $pki_instance_registry->print( "# Configuration file for the " + . "\${PKI_INSTANCE_ID} service.\n\n" ); + $pki_instance_registry->print( "#\n" ); + $pki_instance_registry->print( "# The default processing model (MPM) " + . "is the process-based\n" ); + $pki_instance_registry->print( "# 'prefork' model. A thread-based " + . "model, 'worker', is also\n" ); + $pki_instance_registry->print( "# available, but does not work with " + . "some modules (such as PHP).\n" ); + $pki_instance_registry->print( "# The service must be stopped before " + . "changing this variable.\n" ); + $pki_instance_registry->print( "#\n" ); + $pki_instance_registry->print( "PKI_HTTPD=" + . "\${PKI_FORTITUDE_DIR}" + . "/sbin/httpd.worker\n" ); + $pki_instance_registry->print( "export PKI_HTTPD\n\n" ); + $pki_instance_registry->print( "#\n" ); + $pki_instance_registry->print( "# To pass additional options (for " + . "instance, -D definitions) to the\n" ); + $pki_instance_registry->print( "# httpd binary at startup, " + . "set PKI_OPTIONS here.\n" ); + $pki_instance_registry->print( "#\n" ); + $pki_instance_registry->print( "PKI_OPTIONS=" + . "\"-f \${PKI_HTTPD_CONF}\"\n" ); + $pki_instance_registry->print( "export PKI_OPTIONS\n\n" ); + $pki_instance_registry->print( "#\n" ); + $pki_instance_registry->print( "# By default, the httpd process " + . "is started in the C locale; to\n" ); + $pki_instance_registry->print( "# change the locale in which the " + . 
"server runs, the PKI_HTTPD_LANG\n" ); + $pki_instance_registry->print( "# variable can be set.\n" ); + $pki_instance_registry->print( "#\n" ); + $pki_instance_registry->print( "PKI_HTTPD_LANG=C\n" ); + $pki_instance_registry->print( "export PKI_HTTPD_LANG\n" ); + $pki_instance_registry->print( "##################" + . "##################" + . "##################" + . "##################\n" ); + $pki_instance_registry->print( "# " + . " " + . " " + . " #\n" ); + $pki_instance_registry->print( "##################" + . "##################" + . "##################" + . "##################\n\n" ); + $pki_instance_registry->print( "# This will prevent initlog from " + . "swallowing up a pass-phrase prompt " + . "if\n" ); + $pki_instance_registry->print( "# mod_ssl needs a pass-phrase from " + . "the user.\n" ); + $pki_instance_registry->print( "PKI_INITLOG_ARGS=\"\"\n" ); + $pki_instance_registry->print( "export PKI_INITLOG_ARGS\n\n" ); + $pki_instance_registry->print( "# Set PKI_HTTPD=/usr/sbin/httpd.worker " + . "in /etc/sysconfig/httpd to use a " + . "server\n" ); + $pki_instance_registry->print( "# with the thread-based \"worker\" " + . "MPM; BE WARNED that some modules " + . "may not\n" ); + $pki_instance_registry->print( "# work correctly with a " + . "thread-based MPM; notably " + . "PHP will refuse to start.\n\n" ); + $pki_instance_registry->print( "# Path to the server binary and " + . "short-form for messages.\n" ); + $pki_instance_registry->print( "httpd=\${PKI_HTTPD}\n" ); + $pki_instance_registry->print( "export httpd\n" ); + $pki_instance_registry->print( "prog=\${PKI_INSTANCE_ID}\n" ); + $pki_instance_registry->print( "export prog\n" ); + $pki_instance_registry->print( "PKI_LOCKDIR=" + . "\"/var/lock/$pki_flavor/" + . "$subsystem_type\"\n" ); + $pki_instance_registry->print( "export PKI_LOCKDIR\n" ); + $pki_instance_registry->print( "PKI_LOCKFILE=" + . "\"\${PKI_LOCKDIR}/" + . 
"\${PKI_INSTANCE_ID}.pid\"\n" ); + $pki_instance_registry->print( "export PKI_LOCKFILE\n" ); + $pki_instance_registry->print( "PKI_PIDFILE=" + . "\"\${PKI_INSTANCE_ID}.pid\"\n" ); + $pki_instance_registry->print( "export PKI_PIDFILE\n" ); + $pki_instance_registry->print( "pki_instance_configuration_file=" + . "\${PKI_SERVER_ROOT}/conf/CS.cfg\n" ); + $pki_instance_registry->print( "export " + . "pki_instance_configuration_file\n" ); + $pki_instance_registry->print( "pki_logs_directory=" + . "\${PKI_SERVER_ROOT}/logs\n" ); + $pki_instance_registry->print( "export " + . "pki_logs_directory\n" ); + $pki_instance_registry->print( "RESTART_SERVER=\${PKI_SERVER_ROOT}/" + . "conf/" + . "restart_server_after_configuration\n" ); + $pki_instance_registry->print( "export RESTART_SERVER\n" ); + $pki_instance_registry->print( "RETVAL=0\n" ); + $pki_instance_registry->print( "export RETVAL\n\n" ); + $pki_instance_registry->print( "# see if httpd is linked with the " + . "openldap libraries - we need to " + . "override them\n" ); + $pki_instance_registry->print( "if [ \${OS} = \"Linux\" ]; then\n" ); + $pki_instance_registry->print( " hasopenldap=0\n\n" ); + $pki_instance_registry->print( " /usr/bin/ldd \${httpd} 2>&1 | " + . "grep libldap- > /dev/null 2>&1 && " + . "hasopenldap=1\n\n" ); + $pki_instance_registry->print( " if [ \${hasopenldap} -eq 1 ] ; " + . "then\n" ); + $pki_instance_registry->print( " LD_PRELOAD=" + . "\"\${PKI_SYSTEM_USER_LIBRARIES}/" + . "libldap60.so\"\n" ); + $pki_instance_registry->print( " LD_PRELOAD=" + . "\"\${PKI_SYSTEM_USER_LIBRARIES}/" + . "libssl3.so:" + . "\${LD_PRELOAD}\"\n" ); + $pki_instance_registry->print( " export LD_PRELOAD\n" ); + $pki_instance_registry->print( " fi\n" ); + $pki_instance_registry->print( "elif [ \${OS} = \"SunOS\" ]; then\n" ); + $pki_instance_registry->print( " LD_PRELOAD_64=" + . "\"\${PKI_SYSTEM_USER_LIBRARIES}/" + . "libldap60.so\"\n" ); + $pki_instance_registry->print( " LD_PRELOAD_64=" + . 
"\"\${PKI_SYSTEM_USER_LIBRARIES}/" + . "dirsec/libssl3.so:" + . "\${LD_PRELOAD_64}\"\n" ); + $pki_instance_registry->print( " export LD_PRELOAD_64\n" ); + $pki_instance_registry->print( "fi\n" ); } # close and save this PKI instance's registry entry @@ -3624,18 +3705,6 @@ sub process_pki_selinux_setup() system("$restorecon -F -R /usr/bin/dtomcat5-$pki_instance_name"); } - # BEGIN Legacy Start/Stop Implementation - if( ( $subsystem_type eq $RA || $subsystem_type eq $TPS ) ) { - # set file context for /etc/rc.d/init.d/$pki_instance_name" - if ($pki_instance_name ne $default_inst_name) { - &add_selinux_file_context($setype . "_script_exec_t", - "/etc/rc\\.d/init\\.d/$pki_instance_name", "f"); - } - emit("Restorecon file context for /etc/rc.d/init.d/$pki_instance_name\n"); - system("$restorecon -F -R /etc/rc.d/init.d/$pki_instance_name"); - } - # END Legacy Start/Stop Implementation - # set file context for $pki_instance_root/$pki_instance_name if (($pki_instance_name ne $default_inst_name) || ($pki_instance_root ne $default_inst_root)) { &add_selinux_file_context( $setype . "_var_lib_t", @@ -3765,16 +3834,9 @@ sub install_pki_instance() return 0; } - if( ( $subsystem_type ne $RA && $subsystem_type ne $TPS ) ) { - $result = register_pki_instance(); - if( !$result ) { - return 0; - } -# BEGIN Legacy Start/Stop Implementation -# } else { -# # Instance Registration ONLY applies -# # to the new Start/Stop Implementation -# END Legacy Start/Stop Implementation + $result = register_pki_instance(); + if( !$result ) { + return 0; } if (($^O eq "linux") && ( is_Fedora() || (is_RHEL() && (! is_RHEL4())))){ 
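Review bot: The install-time values written into the registry — `PKI_INSTANCE_ID=$pki_instance_name`, `PKI_SERVER_ROOT=$pki_instance_path`, `PKI_HTTPD_CONF=$httpd_conf_instance_file_path`, `PKI_SERVER_NAME=$host` — are emitted unquoted while `PKI_FORTITUDE_DIR` and `PKI_LOCKDIR` in the same hunk are quoted; a path or hostname containing whitespace or a shell metacharacter breaks the file, or is executed, when the init script sources it, so print them as `PKI_SERVER_ROOT=\"$pki_instance_path\"` and so on. Because this file is sourced by the init script (presumably as root) and sets `LD_PRELOAD`/`PKI_HTTPD`, its owner and mode decide who can run code in that context; the hunk does not show them, so it should be root-owned and not group/world-writable, with a comment near the `open` (outside the hunk) saying why. `[ \${OS} = \"Linux\" ]` depends on `OS` being set by the sourcing script; if it is empty the test is a syntax error, so `[ \"\${OS}\" = \"Linux\" ]` is safer. The comment block copied from /etc/sysconfig/httpd (`Set PKI_HTTPD=/usr/sbin/httpd.worker in /etc/sysconfig/httpd`, the PHP remarks) describes a different file and should be reworded for the registry or dropped. construct_pki_instance_registry begins before the hunk and ends after it.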
@@ -3980,58 +4042,18 @@ ASK_AGAIN: exit 255; } - # BEGIN Legacy Start/Stop Implementation - if( ( $subsystem_type eq $RA || $subsystem_type eq $TPS ) ) { - # Register this instance with "chkconfig" - if( $^O eq "linux" ) { - my $runlevel = $DEFAULT_RUNLEVEL; - my $start_priority = $DEFAULT_START_PRIORITY; - my $stop_priority = $DEFAULT_STOP_PRIORITY; - - # Extract "chkconfig" parameters from instance start/stop script - ( $runlevel, $start_priority, $stop_priority ) = - extract_chkconfig_parameters_from_start_stop_script( - $pki_start_stop_script_instance_file_path ); - emit( "Setting '$pki_instance_name' runlevel " - . "to '$runlevel'\n" ); - emit( "Setting '$pki_instance_name' start priority " - . "to '$start_priority'\n" ); - emit( "Setting '$pki_instance_name' stop priority " - . "to '$stop_priority'\n" ); - - # Register this instance with '/sbin/chkconfig' - register_pki_instance_with_chkconfig( $pki_instance_name ); - } - } - # END Legacy Start/Stop Implementation - # Activate this instance if( $^O eq "linux" ) { - if( ( $subsystem_type eq $RA || $subsystem_type eq $TPS ) ) { - # BEGIN Legacy Start/Stop Implementation - $pki_init_script_command = "/sbin/service" - . " " . $pki_instance_name - . " " . "restart"; - # END Legacy Start/Stop Implementation - } else { - $pki_init_script_command = "/sbin/service" - . " " . $pki_init_script - . " " . "restart" - . " " . $pki_instance_name; - } + $pki_init_script_command = "/sbin/service" + . " " . $pki_init_script + . " " . "restart" + . " " . $pki_instance_name; } else { # default case: e. g. - ( $^O eq "solaris" ) - if( ( $subsystem_type eq $RA || $subsystem_type eq $TPS ) ) { - # BEGIN Legacy Start/Stop Implementation - $pki_init_script_command = $pki_start_stop_script_instance_file_path - . " " . "restart"; - # END Legacy Start/Stop Implementation - } else { - $pki_init_script_command = $default_init_scripts_path - . "/" . $pki_init_script - . " " . "restart" - . " " . 
$pki_instance_name; - } + $pki_init_script_command = $default_init_scripts_path + . "/" . $pki_init_script + . " " . "restart" + . " " . $pki_instance_name; } $command = "$pki_init_script_command"; diff --git a/pki/base/tps/Makefile.am b/pki/base/tps/Makefile.am index c13bc5802..68930d873 100644 --- a/pki/base/tps/Makefile.am +++ b/pki/base/tps/Makefile.am @@ -183,7 +183,7 @@ docroot_tps_img_DATA = docroot_tps_js_DATA = -initd_SCRIPTS = $(srcdir)/etc/init.d/httpd +initd_SCRIPTS = $(srcdir)/etc/init.d/pki-tpsd license_DATA = $(srcdir)/LICENSE @@ -250,8 +250,6 @@ if LINUX setup_DATA = $(srcdir)/setup/config.desktop endif -setup_SCRIPTS = $(srcdir)/setup/postinstall - templates_DATA = $(srcdir)/apache/pki_instance_command_wrapper \ $(srcdir)/apache/pki_subsystem_command_wrapper @@ -269,7 +267,7 @@ libtokendb_la_SOURCES = src/tus/tus_db.c libtokendb_la_CPPFLAGS = $(AM_CPPFLAGS) @ldapsdk_inc@ @svrcore_inc@ \ @sasl_inc@ @nss_inc@ @nspr_inc@ -libtokendb_la_LDFLAGS = $(AM_LDFLAGS) -avoid-version +libtokendb_la_LDFLAGS = $(AM_LDFLAGS) -version-info $(GENERIC_LIBRARY_VERSION) --release $(VERSION) libtokendb_la_LIBADD = $(LDAPSDK_LINK) $(SVRCORE_LINK) \ $(SASL_LINK) $(NSS_LINK) $(NSPR_LINK) $(LIBNSL) $(LIBSOCKET) $(LIBDL) \ $(LIBCSTD) $(LIBCRUN) @@ -362,7 +360,7 @@ libtps_la_SOURCES = src/main/Buffer.cpp \ libtps_la_CPPFLAGS = $(AM_CPPFLAGS) @ldapsdk_inc@ @svrcore_inc@ \ @sasl_inc@ @nss_inc@ @nspr_inc@ -libtps_la_LDFLAGS = $(AM_LDFLAGS) -avoid-version +libtps_la_LDFLAGS = $(AM_LDFLAGS) -version-info $(GENERIC_LIBRARY_VERSION) --release $(VERSION) libtps_la_LIBADD = ${top_builddir}/libtokendb.la $(LDAPSDK_LINK) \ $(SVRCORE_LINK) $(SASL_LINK) $(NSS_LINK) $(NSPR_LINK) $(LIBNSL) \ $(LIBSOCKET) $(LIBDL) $(LIBCSTD) $(LIBCRUN) 
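Review bot: The `@@ -269` and `@@ -362` hunks (and `@@ -375` on the next line) combine `-version-info $(GENERIC_LIBRARY_VERSION)` with `--release $(VERSION)`, which makes libtool embed the package version in the library name, so the installed soname changes with every package release and the current/revision/age tracking that `-version-info` provides no longer lets dependents survive an upgrade; libtool's manual recommends `-release` only for libraries whose interface is expected to change. If these libraries are private to TPS that may be intended, but a comment saying so would help. Libtool documents the option as single-dash `-release`; confirm that the double-dash spelling is accepted rather than passed through to the linker.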
@@ -375,7 +373,7 @@ libldapauth_la_SOURCES = src/authentication/LDAP_Authentication.cpp libldapauth_la_CPPFLAGS = $(AM_CPPFLAGS) @ldapsdk_inc@ @svrcore_inc@ \ @sasl_inc@ @nss_inc@ @nspr_inc@ -libldapauth_la_LDFLAGS = $(AM_LDFLAGS) -avoid-version +libldapauth_la_LDFLAGS = $(AM_LDFLAGS) -version-info $(GENERIC_LIBRARY_VERSION) --release $(VERSION) libldapauth_la_LIBADD = ${top_builddir}/libtps.la $(LDAPSDK_LINK) \ $(SVRCORE_LINK) $(SASL_LINK) $(NSS_LINK) $(NSPR_LINK) $(LIBNSL) \ $(LIBSOCKET) $(LIBDL) $(LIBCSTD) $(LIBCRUN) diff --git a/pki/base/tps/Makefile.in b/pki/base/tps/Makefile.in index da70a646a..7a4bbec62 100644 --- a/pki/base/tps/Makefile.in +++ b/pki/base/tps/Makefile.in @@ -108,13 +108,12 @@ am__installdirs = "$(DESTDIR)$(apache_modulesdir)" \ "$(DESTDIR)$(libexecdir)" "$(DESTDIR)$(perl_basedir)" \ "$(DESTDIR)$(perl_modulesdir)" "$(DESTDIR)$(perl_servicedir)" \ "$(DESTDIR)$(perl_templatesdir)" "$(DESTDIR)$(scriptsdir)" \ - "$(DESTDIR)$(setupdir)" "$(DESTDIR)$(aliasdir)" \ - "$(DESTDIR)$(appletsdir)" "$(DESTDIR)$(cgibin_demodir)" \ - "$(DESTDIR)$(cgibin_homedir)" "$(DESTDIR)$(cgibin_sodir)" \ - "$(DESTDIR)$(cgibin_sowdir)" "$(DESTDIR)$(confdir)" \ - "$(DESTDIR)$(docrootdir)" "$(DESTDIR)$(docroot_demodir)" \ - "$(DESTDIR)$(docroot_homedir)" "$(DESTDIR)$(docroot_sodir)" \ - "$(DESTDIR)$(docroot_sowdir)" \ + "$(DESTDIR)$(aliasdir)" "$(DESTDIR)$(appletsdir)" \ + "$(DESTDIR)$(cgibin_demodir)" "$(DESTDIR)$(cgibin_homedir)" \ + "$(DESTDIR)$(cgibin_sodir)" "$(DESTDIR)$(cgibin_sowdir)" \ + "$(DESTDIR)$(confdir)" "$(DESTDIR)$(docrootdir)" \ + "$(DESTDIR)$(docroot_demodir)" "$(DESTDIR)$(docroot_homedir)" \ + "$(DESTDIR)$(docroot_sodir)" "$(DESTDIR)$(docroot_sowdir)" \ "$(DESTDIR)$(docroot_tokendbdir)" \ "$(DESTDIR)$(docroot_tps_configdir)" \ "$(DESTDIR)$(docroot_tps_imgdir)" \ 
@@ -324,7 +323,7 @@ SCRIPTS = $(bin_SCRIPTS) $(cgibin_demo_SCRIPTS) $(cgibin_home_SCRIPTS) \ $(cgibin_so_SCRIPTS) $(cgibin_sow_SCRIPTS) $(initd_SCRIPTS) \ $(libexec_SCRIPTS) $(perl_base_SCRIPTS) \ $(perl_modules_SCRIPTS) $(perl_service_SCRIPTS) \ - $(perl_templates_SCRIPTS) $(scripts_SCRIPTS) $(setup_SCRIPTS) + $(perl_templates_SCRIPTS) $(scripts_SCRIPTS) DEFAULT_INCLUDES = -I.@am__isrc@ depcomp = $(SHELL) $(top_srcdir)/depcomp am__depfiles_maybe = depfiles @@ -402,6 +401,9 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +GENERIC_LIBRARY_VERSION = @GENERIC_LIBRARY_VERSION@ +GENERIC_RELEASE = @GENERIC_RELEASE@ +GENERIC_VERSION = @GENERIC_VERSION@ GREP = @GREP@ INSTALL = @INSTALL@ INSTALL_DATA = @INSTALL_DATA@ @@ -662,7 +664,7 @@ docroot_tokendb_DATA = docroot_tps_config_DATA = docroot_tps_img_DATA = docroot_tps_js_DATA = -initd_SCRIPTS = $(srcdir)/etc/init.d/httpd +initd_SCRIPTS = $(srcdir)/etc/init.d/pki-tpsd license_DATA = $(srcdir)/LICENSE libexec_SCRIPTS = $(srcdir)/apache/apachectl @@ -720,7 +722,6 @@ scripts_DATA = $(srcdir)/scripts/schemaMods.ldif \ scripts_SCRIPTS = $(srcdir)/scripts/nss_pcache @LINUX_TRUE@setup_DATA = $(srcdir)/setup/config.desktop -setup_SCRIPTS = $(srcdir)/setup/postinstall templates_DATA = $(srcdir)/apache/pki_instance_command_wrapper \ $(srcdir)/apache/pki_subsystem_command_wrapper @@ -738,7 +739,7 @@ libtokendb_la_SOURCES = src/tus/tus_db.c libtokendb_la_CPPFLAGS = $(AM_CPPFLAGS) @ldapsdk_inc@ @svrcore_inc@ \ @sasl_inc@ @nss_inc@ @nspr_inc@ -libtokendb_la_LDFLAGS = $(AM_LDFLAGS) -avoid-version +libtokendb_la_LDFLAGS = $(AM_LDFLAGS) -version-info $(GENERIC_LIBRARY_VERSION) --release $(VERSION) libtokendb_la_LIBADD = $(LDAPSDK_LINK) $(SVRCORE_LINK) \ $(SASL_LINK) $(NSS_LINK) $(NSPR_LINK) $(LIBNSL) $(LIBSOCKET) $(LIBDL) \ $(LIBCSTD) $(LIBCRUN) 
@@ -832,7 +833,7 @@ libtps_la_SOURCES = src/main/Buffer.cpp \ libtps_la_CPPFLAGS = $(AM_CPPFLAGS) @ldapsdk_inc@ @svrcore_inc@ \ @sasl_inc@ @nss_inc@ @nspr_inc@ -libtps_la_LDFLAGS = $(AM_LDFLAGS) -avoid-version +libtps_la_LDFLAGS = $(AM_LDFLAGS) -version-info $(GENERIC_LIBRARY_VERSION) --release $(VERSION) libtps_la_LIBADD = ${top_builddir}/libtokendb.la $(LDAPSDK_LINK) \ $(SVRCORE_LINK) $(SASL_LINK) $(NSS_LINK) $(NSPR_LINK) $(LIBNSL) \ $(LIBSOCKET) $(LIBDL) $(LIBCSTD) $(LIBCRUN) @@ -845,7 +846,7 @@ libldapauth_la_SOURCES = src/authentication/LDAP_Authentication.cpp libldapauth_la_CPPFLAGS = $(AM_CPPFLAGS) @ldapsdk_inc@ @svrcore_inc@ \ @sasl_inc@ @nss_inc@ @nspr_inc@ -libldapauth_la_LDFLAGS = $(AM_LDFLAGS) -avoid-version +libldapauth_la_LDFLAGS = $(AM_LDFLAGS) -version-info $(GENERIC_LIBRARY_VERSION) --release $(VERSION) libldapauth_la_LIBADD = ${top_builddir}/libtps.la $(LDAPSDK_LINK) \ $(SVRCORE_LINK) $(SASL_LINK) $(NSS_LINK) $(NSPR_LINK) $(LIBNSL) \ $(LIBSOCKET) $(LIBDL) $(LIBCSTD) $(LIBCRUN) 
@@ -1918,40 +1919,6 @@ uninstall-scriptsSCRIPTS: test -n "$$list" || exit 0; \ echo " ( cd '$(DESTDIR)$(scriptsdir)' && rm -f" $$files ")"; \ cd "$(DESTDIR)$(scriptsdir)" && rm -f $$files -install-setupSCRIPTS: $(setup_SCRIPTS) - @$(NORMAL_INSTALL) - test -z "$(setupdir)" || $(MKDIR_P) "$(DESTDIR)$(setupdir)" - @list='$(setup_SCRIPTS)'; test -n "$(setupdir)" || list=; \ - for p in $$list; do \ - if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \ - if test -f "$$d$$p"; then echo "$$d$$p"; echo "$$p"; else :; fi; \ - done | \ - sed -e 'p;s,.*/,,;n' \ - -e 'h;s|.*|.|' \ - -e 'p;x;s,.*/,,;$(transform)' | sed 'N;N;N;s,\n, ,g' | \ - $(AWK) 'BEGIN { files["."] = ""; dirs["."] = 1; } \ - { d=$$3; if (dirs[d] != 1) { print "d", d; dirs[d] = 1 } \ - if ($$2 == $$4) { files[d] = files[d] " " $$1; \ - if (++n[d] == $(am__install_max)) { \ - print "f", d, files[d]; n[d] = 0; files[d] = "" } } \ - else { print "f", d "/" $$4, $$1 } } \ - END { for (d in files) print "f", d, files[d] }' | \ - while read type dir files; do \ - if test "$$dir" = .; then dir=; else dir=/$$dir; fi; \ - test -z "$$files" || { \ - echo " $(INSTALL_SCRIPT) $$files '$(DESTDIR)$(setupdir)$$dir'"; \ - $(INSTALL_SCRIPT) $$files "$(DESTDIR)$(setupdir)$$dir" || exit $$?; \ - } \ - ; done - -uninstall-setupSCRIPTS: - @$(NORMAL_UNINSTALL) - @list='$(setup_SCRIPTS)'; test -n "$(setupdir)" || exit 0; \ - files=`for p in $$list; do echo "$$p"; done | \ - sed -e 's,.*/,,;$(transform)'`; \ - test -n "$$list" || exit 0; \ - echo " ( cd '$(DESTDIR)$(setupdir)' && rm -f" $$files ")"; \ - cd "$(DESTDIR)$(setupdir)" && rm -f $$files mostlyclean-compile: -rm -f *.$(OBJEXT) 
@@ -4374,7 +4341,7 @@ check: check-am all-am: Makefile $(LTLIBRARIES) $(PROGRAMS) $(SCRIPTS) $(DATA) \ config.h installdirs: - for dir in "$(DESTDIR)$(apache_modulesdir)" "$(DESTDIR)$(libdir)" "$(DESTDIR)$(libexecdir)" "$(DESTDIR)$(bindir)" "$(DESTDIR)$(cgibin_demodir)" "$(DESTDIR)$(cgibin_homedir)" "$(DESTDIR)$(cgibin_sodir)" "$(DESTDIR)$(cgibin_sowdir)" "$(DESTDIR)$(initddir)" "$(DESTDIR)$(libexecdir)" "$(DESTDIR)$(perl_basedir)" "$(DESTDIR)$(perl_modulesdir)" "$(DESTDIR)$(perl_servicedir)" "$(DESTDIR)$(perl_templatesdir)" "$(DESTDIR)$(scriptsdir)" "$(DESTDIR)$(setupdir)" "$(DESTDIR)$(aliasdir)" "$(DESTDIR)$(appletsdir)" "$(DESTDIR)$(cgibin_demodir)" "$(DESTDIR)$(cgibin_homedir)" "$(DESTDIR)$(cgibin_sodir)" "$(DESTDIR)$(cgibin_sowdir)" "$(DESTDIR)$(confdir)" "$(DESTDIR)$(docrootdir)" "$(DESTDIR)$(docroot_demodir)" "$(DESTDIR)$(docroot_homedir)" "$(DESTDIR)$(docroot_sodir)" "$(DESTDIR)$(docroot_sowdir)" "$(DESTDIR)$(docroot_tokendbdir)" "$(DESTDIR)$(docroot_tps_configdir)" "$(DESTDIR)$(docroot_tps_imgdir)" "$(DESTDIR)$(docroot_tps_jsdir)" "$(DESTDIR)$(licensedir)" "$(DESTDIR)$(logsdir)" "$(DESTDIR)$(samplesdir)" "$(DESTDIR)$(scriptsdir)" "$(DESTDIR)$(setupdir)" "$(DESTDIR)$(templatesdir)"; do \ + for dir in "$(DESTDIR)$(apache_modulesdir)" "$(DESTDIR)$(libdir)" "$(DESTDIR)$(libexecdir)" "$(DESTDIR)$(bindir)" "$(DESTDIR)$(cgibin_demodir)" "$(DESTDIR)$(cgibin_homedir)" "$(DESTDIR)$(cgibin_sodir)" "$(DESTDIR)$(cgibin_sowdir)" "$(DESTDIR)$(initddir)" "$(DESTDIR)$(libexecdir)" "$(DESTDIR)$(perl_basedir)" "$(DESTDIR)$(perl_modulesdir)" "$(DESTDIR)$(perl_servicedir)" "$(DESTDIR)$(perl_templatesdir)" "$(DESTDIR)$(scriptsdir)" "$(DESTDIR)$(aliasdir)" "$(DESTDIR)$(appletsdir)" "$(DESTDIR)$(cgibin_demodir)" "$(DESTDIR)$(cgibin_homedir)" "$(DESTDIR)$(cgibin_sodir)" "$(DESTDIR)$(cgibin_sowdir)" "$(DESTDIR)$(confdir)" "$(DESTDIR)$(docrootdir)" "$(DESTDIR)$(docroot_demodir)" "$(DESTDIR)$(docroot_homedir)" "$(DESTDIR)$(docroot_sodir)" "$(DESTDIR)$(docroot_sowdir)" 
"$(DESTDIR)$(docroot_tokendbdir)" "$(DESTDIR)$(docroot_tps_configdir)" "$(DESTDIR)$(docroot_tps_imgdir)" "$(DESTDIR)$(docroot_tps_jsdir)" "$(DESTDIR)$(licensedir)" "$(DESTDIR)$(logsdir)" "$(DESTDIR)$(samplesdir)" "$(DESTDIR)$(scriptsdir)" "$(DESTDIR)$(setupdir)" "$(DESTDIR)$(templatesdir)"; do \ test -z "$$dir" || $(MKDIR_P) "$$dir"; \ done install: install-am @@ -4467,7 +4434,7 @@ install-data-am: install-aliasDATA install-apache_modulesLTLIBRARIES \ install-perl_baseSCRIPTS install-perl_modulesSCRIPTS \ install-perl_serviceSCRIPTS install-perl_templatesSCRIPTS \ install-samplesDATA install-scriptsDATA install-scriptsSCRIPTS \ - install-setupDATA install-setupSCRIPTS install-templatesDATA + install-setupDATA install-templatesDATA install-dvi: install-dvi-am @@ -4534,7 +4501,7 @@ uninstall-am: uninstall-aliasDATA uninstall-apache_modulesLTLIBRARIES \ uninstall-perl_serviceSCRIPTS uninstall-perl_templatesSCRIPTS \ uninstall-samplesDATA uninstall-scriptsDATA \ uninstall-scriptsSCRIPTS uninstall-setupDATA \ - uninstall-setupSCRIPTS uninstall-templatesDATA + uninstall-templatesDATA .MAKE: all install-am install-strip @@ -4567,8 +4534,8 @@ uninstall-am: uninstall-aliasDATA uninstall-apache_modulesLTLIBRARIES \ install-perl_serviceSCRIPTS install-perl_templatesSCRIPTS \ install-ps install-ps-am install-samplesDATA \ install-scriptsDATA install-scriptsSCRIPTS install-setupDATA \ - install-setupSCRIPTS install-strip install-templatesDATA \ - installcheck installcheck-am installdirs maintainer-clean \ + install-strip install-templatesDATA installcheck \ + installcheck-am installdirs maintainer-clean \ maintainer-clean-generic mostlyclean mostlyclean-compile \ mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \ tags uninstall uninstall-aliasDATA uninstall-am \ 
@@ -4589,8 +4556,7 @@ uninstall-am: uninstall-aliasDATA uninstall-apache_modulesLTLIBRARIES \ uninstall-perl_modulesSCRIPTS uninstall-perl_serviceSCRIPTS \ uninstall-perl_templatesSCRIPTS uninstall-samplesDATA \ uninstall-scriptsDATA uninstall-scriptsSCRIPTS \ - uninstall-setupDATA uninstall-setupSCRIPTS \ - uninstall-templatesDATA + uninstall-setupDATA uninstall-templatesDATA %: %.in diff --git a/pki/base/tps/apache/conf/httpd.conf b/pki/base/tps/apache/conf/httpd.conf index 7d1e8acdf..239ec21f2 100644 --- a/pki/base/tps/apache/conf/httpd.conf +++ b/pki/base/tps/apache/conf/httpd.conf @@ -78,7 +78,7 @@ ServerRoot "[SERVER_ROOT]" # identification number when it starts. # <IfModule !mpm_netware.c> -PidFile logs/[INSTANCE_ID].pid +PidFile run/[INSTANCE_ID].pid </IfModule> # diff --git a/pki/base/tps/build.xml b/pki/base/tps/build.xml index 9354a31d2..ebfbeb225 100644 --- a/pki/base/tps/build.xml +++ b/pki/base/tps/build.xml @@ -154,11 +154,6 @@ <echo message="${begin.binary.zip.log.message}"/> <zip destfile="${dist.base.binaries}/${dist.name}.zip"> <zipfileset dir="." - filemode="644" - prefix="etc/httpd/modules/"> - <include name="**"/> - </zipfileset> - <zipfileset dir="." filemode="755" prefix="usr/bin/"> <include name="**"/> @@ -170,6 +165,11 @@ </zipfileset> <zipfileset dir="." filemode="644" + prefix="usr/lib/httpd/modules/"> + <include name="**"/> + </zipfileset> + <zipfileset dir="." + filemode="644" prefix="usr/share/doc/${dist.name}"> <include name="EULA"/> <include name="LICENSE"/> @@ -192,7 +192,6 @@ <include name="cgi-bin/**"/> <include name="docroot/index.cgi"/> <include name="logs/signedAudit"/> - <include name="setup/postinstall"/> </zipfileset> </zip> <echo message="${end.binary.zip.log.message}"/> 
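Review bot: `PidFile run/[INSTANCE_ID].pid` is resolved relative to ServerRoot, so the instance's `run/` directory must exist with the expected ownership and SELinux file context before the first start, or httpd exits before it can write the pid; nothing in this hunk creates it, so I assume pkicreate (changed elsewhere in this commit) does — worth confirming. The removed init script header still documented the pid file as `[SERVER_ROOT]/logs/[INSTANCE_ID].pid`, so the replacement pki-tpsd script and its `# pidfile:` comment should be checked to use the same `run/` path, otherwise status/stop will look in the wrong place.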
@@ -201,11 +200,6 @@ <tar longfile="gnu" destfile="${dist.base.binaries}/${dist.name}.tar"> <tarfileset dir="." - mode="644" - prefix="etc/httpd/modules/"> - <include name="**"/> - </tarfileset> - <tarfileset dir="." mode="755" prefix="usr/bin/"> <include name="**"/> @@ -217,6 +211,11 @@ </tarfileset> <tarfileset dir="." mode="644" + prefix="usr/lib/httpd/modules/"> + <include name="**"/> + </tarfileset> + <tarfileset dir="." + mode="644" prefix="usr/share/doc/${dist.name}"> <include name="EULA"/> <include name="LICENSE"/> @@ -239,7 +238,6 @@ <include name="cgi-bin/**"/> <include name="docroot/index.cgi"/> <include name="logs/signedAudit"/> - <include name="setup/postinstall"/> </tarfileset> </tar> <echo message="${end.binary.tar.log.message}"/> @@ -301,12 +299,18 @@ <include name="ui/**"/> <include name="wrappers/**"/> </zipfileset> + <zipfileset dir="./etc/init.d" + filemode="755" + prefix="etc/${init.d}"> + <include name="pki-tpsd"/> + </zipfileset> <zipfileset dir="." filemode="755" prefix="${src.dist.name}"> <include name="autogen.sh"/> <include name="configure"/> <include name="setup_package"/> + <exclude name="etc/init.d/pki-tpsd"/> </zipfileset> </zip> <echo message="${end.source.zip.log.message}"/> @@ -355,12 +359,18 @@ <include name="ui/**"/> <include name="wrappers/**"/> </tarfileset> + <tarfileset dir="./etc/init.d" + mode="755" + prefix="${dist.name}/etc/${init.d}"> + <include name="pki-tpsd"/> + </tarfileset> <tarfileset dir="." mode="755" prefix="${src.dist.name}"> <include name="autogen.sh"/> <include name="configure"/> <include name="setup_package"/> + <exclude name="etc/init.d/pki-tpsd"/> </tarfileset> </tar> <echo message="${end.source.tar.log.message}"/> diff --git a/pki/base/tps/configure b/pki/base/tps/configure index 6fe3bb7ee..92c3c4b6f 100755 --- a/pki/base/tps/configure +++ b/pki/base/tps/configure @@ -822,6 +822,7 @@ LIBCSTD LIBDL LIBNSL LIBSOCKET +initddir WINNT_FALSE WINNT_TRUE templatesdir 
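Review bot: The added `<exclude name="etc/init.d/pki-tpsd"/>` in the `${src.dist.name}` zipfileset (@@ -301) and tarfileset (@@ -355) has no effect, because those filesets only `<include>` autogen.sh, configure and setup_package, and an exclude can only remove files an include selected. If the intent is to keep the init script out of the source-tree copy, the exclude belongs in the fileset that would otherwise sweep up `etc/**` (the one ending with `ui/**` and `wrappers/**`, whose include list starts outside this hunk). The two new init.d filesets also disagree on layout — the zip uses `prefix="etc/${init.d}"`, the tar `prefix="${dist.name}/etc/${init.d}"` — and neither matches the `${src.dist.name}` prefix of their neighbours, which suggests one of them is a typo.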
@@ -834,7 +835,6 @@ perl_modulesdir perl_basedir logsdir licensedir -initddir docroot_tps_jsdir docroot_tps_imgdir docroot_tps_cssdir @@ -901,6 +901,9 @@ CPPFLAGS LDFLAGS CXXFLAGS CXX +GENERIC_VERSION +GENERIC_RELEASE +GENERIC_LIBRARY_VERSION host_os host_vendor host_cpu @@ -2778,6 +2781,18 @@ case $host_os in *\ *) host_os=`echo "$host_os" | sed 's/ /-/g'`;; esac +# Library versioning. +GENERIC_MAJOR_VERSION=1 +GENERIC_MINOR_VERSION=0 +GENERIC_MICRO_VERSION=0 +GENERIC_LIBRARY_VERSION=0:0:0 + +GENERIC_VERSION=$GENERIC_MAJOR_VERSION.$GENERIC_MINOR_VERSION.$GENERIC_MICRO_VERSION +GENERIC_RELEASE=$GENERIC_MAJOR_VERSION.$GENERIC_MINOR_VERSION + + +VERSION=$GENERIC_VERSION + # Checks for programs. ac_ext=cpp ac_cpp='$CXXCPP $CPPFLAGS' @@ -5183,13 +5198,13 @@ if test "${lt_cv_nm_interface+set}" = set; then else lt_cv_nm_interface="BSD nm" echo "int some_variable = 0;" > conftest.$ac_ext - (eval echo "\"\$as_me:5186: $ac_compile\"" >&5) + (eval echo "\"\$as_me:5201: $ac_compile\"" >&5) (eval "$ac_compile" 2>conftest.err) cat conftest.err >&5 - (eval echo "\"\$as_me:5189: $NM \\\"conftest.$ac_objext\\\"\"" >&5) + (eval echo "\"\$as_me:5204: $NM \\\"conftest.$ac_objext\\\"\"" >&5) (eval "$NM \"conftest.$ac_objext\"" 2>conftest.err > conftest.out) cat conftest.err >&5 - (eval echo "\"\$as_me:5192: output\"" >&5) + (eval echo "\"\$as_me:5207: output\"" >&5) cat conftest.out >&5 if $GREP 'External.*some_variable' conftest.out > /dev/null; then lt_cv_nm_interface="MS dumpbin" @@ -6395,7 +6410,7 @@ ia64-*-hpux*) ;; *-*-irix6*) # Find out which ABI we are using. - echo '#line 6398 "configure"' > conftest.$ac_ext + echo '#line 6413 "configure"' > conftest.$ac_ext if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5 (eval $ac_compile) 2>&5 ac_status=$? 
@@ -8960,11 +8975,11 @@ else -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ -e 's:$: $lt_compiler_flag:'` - (eval echo "\"\$as_me:8963: $lt_compile\"" >&5) + (eval echo "\"\$as_me:8978: $lt_compile\"" >&5) (eval "$lt_compile" 2>conftest.err) ac_status=$? cat conftest.err >&5 - echo "$as_me:8967: \$? = $ac_status" >&5 + echo "$as_me:8982: \$? = $ac_status" >&5 if (exit $ac_status) && test -s "$ac_outfile"; then # The compiler can only warn and ignore the option if not recognized # So say no if there are warnings other than the usual output. @@ -9299,11 +9314,11 @@ else -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ -e 's:$: $lt_compiler_flag:'` - (eval echo "\"\$as_me:9302: $lt_compile\"" >&5) + (eval echo "\"\$as_me:9317: $lt_compile\"" >&5) (eval "$lt_compile" 2>conftest.err) ac_status=$? cat conftest.err >&5 - echo "$as_me:9306: \$? = $ac_status" >&5 + echo "$as_me:9321: \$? = $ac_status" >&5 if (exit $ac_status) && test -s "$ac_outfile"; then # The compiler can only warn and ignore the option if not recognized # So say no if there are warnings other than the usual output. @@ -9404,11 +9419,11 @@ else -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ -e 's:$: $lt_compiler_flag:'` - (eval echo "\"\$as_me:9407: $lt_compile\"" >&5) + (eval echo "\"\$as_me:9422: $lt_compile\"" >&5) (eval "$lt_compile" 2>out/conftest.err) ac_status=$? cat out/conftest.err >&5 - echo "$as_me:9411: \$? = $ac_status" >&5 + echo "$as_me:9426: \$? = $ac_status" >&5 if (exit $ac_status) && test -s out/conftest2.$ac_objext then # The compiler can only warn and ignore the option if not recognized 
@@ -9459,11 +9474,11 @@ else -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ -e 's:$: $lt_compiler_flag:'` - (eval echo "\"\$as_me:9462: $lt_compile\"" >&5) + (eval echo "\"\$as_me:9477: $lt_compile\"" >&5) (eval "$lt_compile" 2>out/conftest.err) ac_status=$? cat out/conftest.err >&5 - echo "$as_me:9466: \$? = $ac_status" >&5 + echo "$as_me:9481: \$? = $ac_status" >&5 if (exit $ac_status) && test -s out/conftest2.$ac_objext then # The compiler can only warn and ignore the option if not recognized @@ -12262,7 +12277,7 @@ else lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2 lt_status=$lt_dlunknown cat > conftest.$ac_ext <<_LT_EOF -#line 12265 "configure" +#line 12280 "configure" #include "confdefs.h" #if HAVE_DLFCN_H @@ -12358,7 +12373,7 @@ else lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2 lt_status=$lt_dlunknown cat > conftest.$ac_ext <<_LT_EOF -#line 12361 "configure" +#line 12376 "configure" #include "confdefs.h" #if HAVE_DLFCN_H @@ -14378,11 +14393,11 @@ else -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ -e 's:$: $lt_compiler_flag:'` - (eval echo "\"\$as_me:14381: $lt_compile\"" >&5) + (eval echo "\"\$as_me:14396: $lt_compile\"" >&5) (eval "$lt_compile" 2>conftest.err) ac_status=$? cat conftest.err >&5 - echo "$as_me:14385: \$? = $ac_status" >&5 + echo "$as_me:14400: \$? = $ac_status" >&5 if (exit $ac_status) && test -s "$ac_outfile"; then # The compiler can only warn and ignore the option if not recognized # So say no if there are warnings other than the usual output. 
@@ -14477,11 +14492,11 @@ else -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ -e 's:$: $lt_compiler_flag:'` - (eval echo "\"\$as_me:14480: $lt_compile\"" >&5) + (eval echo "\"\$as_me:14495: $lt_compile\"" >&5) (eval "$lt_compile" 2>out/conftest.err) ac_status=$? cat out/conftest.err >&5 - echo "$as_me:14484: \$? = $ac_status" >&5 + echo "$as_me:14499: \$? = $ac_status" >&5 if (exit $ac_status) && test -s out/conftest2.$ac_objext then # The compiler can only warn and ignore the option if not recognized @@ -14529,11 +14544,11 @@ else -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ -e 's:$: $lt_compiler_flag:'` - (eval echo "\"\$as_me:14532: $lt_compile\"" >&5) + (eval echo "\"\$as_me:14547: $lt_compile\"" >&5) (eval "$lt_compile" 2>out/conftest.err) ac_status=$? cat out/conftest.err >&5 - echo "$as_me:14536: \$? = $ac_status" >&5 + echo "$as_me:14551: \$? = $ac_status" >&5 if (exit $ac_status) && test -s out/conftest2.$ac_objext then # The compiler can only warn and ignore the option if not recognized @@ -19893,8 +19908,6 @@ docroot_tps_configdir=/docroot/tps/admin/console/config docroot_tps_cssdir=/docroot/tps/admin/console/css docroot_tps_imgdir=/docroot/tps/admin/console/img docroot_tps_jsdir=/docroot/tps/admin/console/js -# relative to sysconfdir -initddir=/init.d # relative to prefix licensedir=/doc logsdir=/logs/signedAudit @@ -19938,7 +19951,6 @@ templatesdir=/templates - # WINNT should be true if building on Windows system not using # cygnus, mingw, or the like and using cmd.exe as the shell if false; then @@ -20080,6 +20092,9 @@ cat >>confdefs.h <<\_ACEOF _ACEOF platform="linux" + # relative to sysconfdir + initddir=/rc.d/init.d + ;; ia64-hp-hpux*) @@ -20128,6 +20143,9 @@ cat >>confdefs.h <<\_ACEOF _ACEOF platform="hpux" + # relative to sysconfdir + initddir=/init.d + ;; hppa*-hp-hpux*) 
@@ -20202,6 +20220,9 @@ cat >>confdefs.h <<\_ACEOF _ACEOF platform="hpux" + # relative to sysconfdir + initddir=/init.d + ;; sparc-sun-solaris*) @@ -20316,9 +20337,15 @@ cat >>confdefs.h <<\_ACEOF _ACEOF platform="solaris" + # relative to sysconfdir + initddir=/init.d + ;; *) platform="" + # relative to sysconfdir + initddir=/init.d + ;; esac diff --git a/pki/base/tps/configure.ac b/pki/base/tps/configure.ac index 8a12e8ec6..b3efd7c8b 100644 --- a/pki/base/tps/configure.ac +++ b/pki/base/tps/configure.ac @@ -28,6 +28,18 @@ AM_INIT_AUTOMAKE([1.9 foreign subdir-objects]) AM_MAINTAINER_MODE AC_CANONICAL_HOST +# Library versioning. +GENERIC_MAJOR_VERSION=1 +GENERIC_MINOR_VERSION=0 +GENERIC_MICRO_VERSION=0 +GENERIC_LIBRARY_VERSION=0:0:0 +AC_SUBST(GENERIC_LIBRARY_VERSION) +GENERIC_VERSION=$GENERIC_MAJOR_VERSION.$GENERIC_MINOR_VERSION.$GENERIC_MICRO_VERSION +GENERIC_RELEASE=$GENERIC_MAJOR_VERSION.$GENERIC_MINOR_VERSION +AC_SUBST(GENERIC_RELEASE) +AC_SUBST(GENERIC_VERSION) +VERSION=$GENERIC_VERSION + # Checks for programs. AC_PROG_CXX AC_PROG_CC @@ -131,8 +143,6 @@ docroot_tps_configdir=/docroot/tps/admin/console/config docroot_tps_cssdir=/docroot/tps/admin/console/css docroot_tps_imgdir=/docroot/tps/admin/console/img docroot_tps_jsdir=/docroot/tps/admin/console/js -# relative to sysconfdir -initddir=/init.d # relative to prefix licensedir=/doc logsdir=/logs/signedAudit @@ -165,7 +175,6 @@ AC_SUBST(docroot_tps_configdir) AC_SUBST(docroot_tps_cssdir) AC_SUBST(docroot_tps_imgdir) AC_SUBST(docroot_tps_jsdir) -AC_SUBST(initddir) AC_SUBST(licensedir) AC_SUBST(logsdir) AC_SUBST(perl_basedir) @@ -211,6 +220,9 @@ case $host in AC_DEFINE([SW_THREADS], [], [SW_THREADS]) AC_DEFINE([USE_NODL_TABS], [], [USE_NODL_TABS]) platform="linux" + # relative to sysconfdir + initddir=/rc.d/init.d + AC_SUBST(initddir) ;; ia64-hp-hpux*) AC_DEFINE([XP_UNIX], [], [UNIX]) 
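Review bot: `VERSION=$GENERIC_VERSION` in the @@ -28 hunk reassigns the package version that AC_INIT/AM_INIT_AUTOMAKE already established, so the substituted Makefile VERSION (used by `make dist` and by the `--release $(VERSION)` tag in Makefile.am) presumably becomes 1.0.0 while the VERSION macro already written to confdefs.h keeps the AC_INIT value; if the library release tag is meant to differ from the package version, use the already-substituted `GENERIC_RELEASE` in Makefile.am and drop this assignment. `AC_SUBST(initddir)` is also repeated in every arm of the host `case` (the @@ -211 hunk here and the @@ -223, @@ -241 and @@ -276 hunks on the next line); since each arm assigns the variable, a single `AC_SUBST(initddir)` after `esac` is enough and cannot be forgotten when a new platform arm is added.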
@@ -223,6 +235,9 @@ case $host in AC_DEFINE([_POSIX_C_SOURCE], [199506L], [POSIX revision]) AC_DEFINE([_HPUX_SOURCE], [], [_HPUX_SOURCE]) platform="hpux" + # relative to sysconfdir + initddir=/init.d + AC_SUBST(initddir) ;; hppa*-hp-hpux*) AC_DEFINE([XP_UNIX], [], [UNIX]) @@ -241,6 +256,9 @@ case $host in AC_DEFINE([NET_SSL], [], [NET_SSL]) AC_DEFINE([SW_THREADS], [], [SW_THREADS]) platform="hpux" + # relative to sysconfdir + initddir=/init.d + AC_SUBST(initddir) ;; sparc-sun-solaris*) AC_DEFINE([XP_UNIX], [], [UNIX]) @@ -276,9 +294,15 @@ dnl Cstd and Crun are required to link any C++ related code AC_DEFINE([SOLARIS_55_OR_GREATER], [], [SOLARIS_55_OR_GREATER]) AC_DEFINE([SYSV], [], [SYSV]) platform="solaris" + # relative to sysconfdir + initddir=/init.d + AC_SUBST(initddir) ;; *) platform="" + # relative to sysconfdir + initddir=/init.d + AC_SUBST(initddir) ;; esac diff --git a/pki/base/tps/etc/init.d/httpd b/pki/base/tps/etc/init.d/httpd deleted file mode 100755 index e0a273009..000000000 --- a/pki/base/tps/etc/init.d/httpd +++ /dev/null 
@@ -1,780 +0,0 @@ -#!/bin/bash -# -# --- BEGIN COPYRIGHT BLOCK --- -# This library is free software; you can redistribute it and/or -# modify it under the terms of the GNU Lesser General Public -# License as published by the Free Software Foundation; -# version 2.1 of the License. -# -# This library is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU -# Lesser General Public License for more details. -# -# You should have received a copy of the GNU Lesser General Public -# License along with this library; if not, write to the Free Software -# Foundation, Inc., 51 Franklin Street, Fifth Floor, -# Boston, MA 02110-1301 USA -# -# Copyright (C) 2007 Red Hat, Inc. -# All rights reserved. -# --- END COPYRIGHT BLOCK --- -# -# -# [INSTANCE_ID] Startup script for the Apache HTTP Server -# -# chkconfig: - 87 13 -# description: Token Processing System \ -# (Apache 2.2) -# processname: [INSTANCE_ID] -# config: [HTTPD_CONF] -# pidfile: [SERVER_ROOT]/logs/[INSTANCE_ID].pid - -# Disallow 'others' the ability to 'write' to new files -umask 00002 - -# Check to insure that this script's original invocation directory -# has not been deleted! -CWD=`/bin/pwd > /dev/null 2>&1` -if [ $? -ne 0 ] ; then - echo "Cannot invoke '$0' from non-existent directory!" - exit 255 -fi - -# Check to insure that this script's associated PKI -# subsystem currently resides on this system. -SUBSYSTEM_TYPE=[SUBSYSTEM_TYPE] -if [ ! -d /usr/share/pki/${SUBSYSTEM_TYPE} ] ; then - echo "This machine is missing the '${SUBSYSTEM_TYPE}' subsystem!" - exit 255 -fi - -# Obtain the operating system upon which this script is being executed -OS=`uname -s` -ARCHITECTURE="" - -# Time to wait in seconds, before killing process -# -# NOTE: Defined in "tomcat5.conf" for other PKI Subsystems. -# -STARTUP_WAIT=30 -SHUTDOWN_WAIT=30 - -# This script must be run as root! 
-RV=0 -if [ ${OS} = "Linux" ] ; then - if [ `id -u` -ne 0 ] ; then - echo "Must be 'root' to execute '$0'!" - exit 1 - fi - ARCHITECTURE=`uname -i` -elif [ ${OS} = "SunOS" ] ; then - if [ `/usr/xpg4/bin/id -u` -ne 0 ] ; then - echo "Must be 'root' to execute '$0'!" - exit 1 - fi - ARCHITECTURE=`uname -p` - if [ "${ARCHITECTURE}" = "sparc" ] && - [ -d "/usr/lib/sparcv9/" ] ; then - ARCHITECTURE="sparcv9" - fi -else - echo "Unsupported OS '${OS}'!" - exit 1 -fi - -# Initialize environment variables -LD_LIBRARY_PATH=[SYSTEM_USER_LIBRARIES]:[SYSTEM_LIBRARIES]:${LD_LIBRARY_PATH} -LD_LIBRARY_PATH=[SECURITY_LIBRARIES]:${LD_LIBRARY_PATH} -export LD_LIBRARY_PATH - -# Source function library. -if [ -f /etc/init.d/functions ]; then - . /etc/init.d/functions -else - # The checkpid() function is provided for platforms that do not - # contain the "/etc/init.d/functions" file (e. g. - Solaris) . . . - - # Check if ${pid} (could be plural) are running (keep count) - checkpid() - { - rv=0 - for i in $* ; do - ps -p $i > /dev/null 2>&1 ; - if [ $? -ne 0 ] ; then - rv=`expr $rv + 1` - else - rv=`expr $rv + 0` - fi - done - # echo "rv=$rv" - return $rv - } - - # Create the following directories on platforms - # where they do not exist (e. g. - Solaris) . . . - if [ ! -d /var/lock/subsys ] ; then - mkdir -p /var/lock/subsys - fi -fi - -######################################################################## -# This section contains modified content of "/etc/sysconfig/httpd" # -######################################################################## -# Configuration file for the [INSTANCE_ID] service. - -# -# The default processing model (MPM) is the process-based -# 'prefork' model. A thread-based model, 'worker', is also -# available, but does not work with some modules (such as PHP). -# The service must be stopped before changing this variable. 
-# -HTTPD=[FORTITUDE_DIR]/sbin/httpd.worker - -# -# To pass additional options (for instance, -D definitions) to the -# httpd binary at startup, set OPTIONS here. -# -OPTIONS="-f [HTTPD_CONF]" - -# -# By default, the httpd process is started in the C locale; to -# change the locale in which the server runs, the HTTPD_LANG -# variable can be set. -# -HTTPD_LANG=C -######################################################################## -# # -######################################################################## - -# This will prevent initlog from swallowing up a pass-phrase prompt if -# mod_ssl needs a pass-phrase from the user. -INITLOG_ARGS="" - -# Set HTTPD=/usr/sbin/httpd.worker in /etc/sysconfig/httpd to use a server -# with the thread-based "worker" MPM; BE WARNED that some modules may not -# work correctly with a thread-based MPM; notably PHP will refuse to start. - -# Path to the server binary and short-form for messages. -httpd=${HTTPD:-[FORTITUDE_DIR]/sbin/httpd} -prog=[INSTANCE_ID] -pki_instance_configuration_file=[SERVER_ROOT]/conf/CS.cfg -pidfile=${PIDFILE:-[SERVER_ROOT]/logs/[INSTANCE_ID].pid} -lockfile=${LOCKFILE:-/var/lock/subsys/[INSTANCE_ID]} -RESTART_SERVER=[SERVER_ROOT]/conf/restart_server_after_configuration -RETVAL=0 - -# see if httpd is linked with the openldap libraries - we need to override them -if [ ${OS} = "Linux" ]; then - hasopenldap=0 - - /usr/bin/ldd $httpd 2>&1 | grep libldap- > /dev/null 2>&1 && hasopenldap=1 - - if [ $hasopenldap -eq 1 ] ; then - LD_PRELOAD="[SYSTEM_USER_LIBRARIES]/libldap60.so" - LD_PRELOAD="[SYSTEM_USER_LIBRARIES]/libssl3.so:${LD_PRELOAD}" - export LD_PRELOAD - fi -elif [ ${OS} = "SunOS" ] ; then - LD_PRELOAD_64="[SYSTEM_USER_LIBRARIES]/libldap60.so" - LD_PRELOAD_64="[SYSTEM_USER_LIBRARIES]/dirsec/libssl3.so:${LD_PRELOAD_64}" - export LD_PRELOAD_64 -fi - -check_pki_configuration_status() -{ - rv=0 - - rv=`grep -c ^preop ${pki_instance_configuration_file}` - - rv=`expr ${rv} + 0` - - if [ ${rv} -ne 0 ] ; then - 
echo " '[INSTANCE_ID]' must still be CONFIGURED!" - echo " (see /var/log/[INSTANCE_ID]-install.log)" - elif [ -f ${RESTART_SERVER} ] ; then - echo " Although '[INSTANCE_ID]' has been CONFIGURED, it must still be RESTARTED!" - rv=255 - fi - - return ${rv} -} - -get_pki_status_definitions() -{ - # establish well-known strings - listen_statement="Listen" - total_ports=0 - UNSECURE_PORT="" - CLIENTAUTH_PORT="" - NON_CLIENTAUTH_PORT="" - - # check to see that an instance-specific "httpd.conf" file exists - if [ ! -f [HTTPD_CONF] ] ; then - echo "File '[HTTPD_CONF]' does not exist!" - exit 255 - fi - - # check to see that an instance-specific "nss.conf" file exists - if [ ! -f [NSS_CONF] ] ; then - echo "File '[NSS_CONF]' does not exist!" - exit 255 - fi - - # read this instance-specific "httpd.conf" file line-by-line - # to obtain the current value of the PKI unsecure port - - exec < [HTTPD_CONF] - while read line; do - # look for the listen statement - head=`echo $line | cut -b1-6` - if [ "$head" == "$listen_statement" ] ; then - # once the 'unsecure' listen statement has been found, - # extract the numeric port information - port=`echo $line | cut -b8-` - UNSECURE_PORT=$port - echo " Unsecure Port = http://[SERVER_NAME]:${UNSECURE_PORT}/cgi-bin/so/enroll.cgi" - echo " (ESC Security Officer Enrollment)" - echo " Unsecure Port = http://[SERVER_NAME]:${UNSECURE_PORT}/cgi-bin/home/index.cgi" - echo " (ESC Phone Home)" - total_ports=`expr ${total_ports} + 1` - break; - fi - done - - # read this instance-specific "nss.conf" file line-by-line - # to obtain the current value of the "clientauth" PKI secure port - # AND the current value of the "non-clientauth" PKI secure port - - exec < [NSS_CONF] - while read line; do - # look for the listen statement - head=`echo $line | cut -b1-6` - if [ "$head" == "$listen_statement" ] && - [ ${total_ports} -eq 2 ] ; then - # once the 'non-clientauth' listen statement has been found, - # extract the numeric port information - 
non_clientauth_port=`echo $line | cut -b8-` - NON_CLIENTAUTH_PORT=$non_clientauth_port - echo " Secure Non-Clientauth Port = https://[SERVER_NAME]:${NON_CLIENTAUTH_PORT}/cgi-bin/so/enroll.cgi" - echo " (ESC Security Officer Enrollment)" - echo " Secure Non-Clientauth Port = https://[SERVER_NAME]:${NON_CLIENTAUTH_PORT}/cgi-bin/home/index.cgi" - echo " (ESC Phone Home)" - total_ports=`expr ${total_ports} + 1` - break - fi - if [ "$head" == "$listen_statement" ] && - [ ${total_ports} -eq 1 ] ; then - # once the 'clientauth' listen statement has been found, - # extract the numeric port information - clientauth_port=`echo $line | cut -b8-` - CLIENTAUTH_PORT=$clientauth_port - echo " Secure Clientauth Port = https://[SERVER_NAME]:${CLIENTAUTH_PORT}/cgi-bin/sow/welcome.cgi" - echo " (ESC Security Officer Workstation)" - echo " Secure Clientauth Port = https://[SERVER_NAME]:${CLIENTAUTH_PORT}/tus" - echo " (TPS Roles - Operator/Administrator/Agent)" - total_ports=`expr ${total_ports} + 1` - fi - done - - if [ ${total_ports} -eq 3 ] ; then - return 0 - else - return 255 - fi -} - -get_pki_configuration_definitions() -{ - # Obtain the PKI Subsystem Type - line=`grep ^cs.type= ${pki_instance_configuration_file}` - pki_subsystem=`echo "${line}" | cut -b9-` - if [ "${line}" != "" ] ; then - if [ "${pki_subsystem}" != "CA" ] && - [ "${pki_subsystem}" != "KRA" ] && - [ "${pki_subsystem}" != "OCSP" ] && - [ "${pki_subsystem}" != "TKS" ] && - [ "${pki_subsystem}" != "RA" ] && - [ "${pki_subsystem}" != "TPS" ] - then - return 255 - fi - if [ "${pki_subsystem}" == "KRA" ] ; then - # Rename "KRA" to "DRM" - pki_subsystem="DRM" - fi - else - return 255 - fi - - # If "${pki_subsystem}" is a CA, DRM, OCSP, or TKS, - # check to see if "${pki_subsystem}" is a "Clone" - pki_clone="" - if [ "${pki_subsystem}" == "CA" ] || - [ "${pki_subsystem}" == "DRM" ] || - [ "${pki_subsystem}" == "OCSP" ] || - [ "${pki_subsystem}" == "TKS" ] - then - line=`grep ^subsystem.select= 
${pki_instance_configuration_file}` - if [ "${line}" != "" ] ; then - pki_clone=`echo "${line}" | cut -b18-` - if [ "${pki_clone}" != "Clone" ] ; then - # Reset "${pki_clone}" to be empty - pki_clone="" - fi - else - return 255 - fi - fi - - # If "${pki_subsystem}" is a CA, and is NOT a "Clone", check to - # see "${pki_subsystem}" is a "Root" or a "Subordinate" CA - pki_hierarchy="" - if [ "${pki_subsystem}" == "CA" ] && - [ "${pki_clone}" != "Clone" ] - then - line=`grep ^hierarchy.select= ${pki_instance_configuration_file}` - if [ "${line}" != "" ] ; then - pki_hierarchy=`echo "${line}" | cut -b18-` - else - return 255 - fi - fi - - # If ${pki_subsystem} is a CA, check to - # see if it is also a Security Domain - pki_security_domain="" - if [ "${pki_subsystem}" == "CA" ] ; then - line=`grep ^securitydomain.select= ${pki_instance_configuration_file}` - if [ "${line}" != "" ] ; then - pki_security_domain=`echo "${line}" | cut -b23-` - if [ "${pki_security_domain}" == "new" ] ; then - # Set a fixed value for "${pki_security_domain}" - pki_security_domain="(Security Domain)" - else - # Reset "${pki_security_domain}" to be empty - pki_security_domain="" - fi - else - return 255 - fi - fi - - # Always obtain this PKI instance's "registered" - # security domain information - pki_security_domain_name="" - pki_security_domain_hostname="" - pki_security_domain_https_admin_port="" - - line=`grep ^securitydomain.name= ${pki_instance_configuration_file}` - if [ "${line}" != "" ] ; then - pki_security_domain_name=`echo "${line}" | cut -b21-` - else - return 255 - fi - - line=`grep ^securitydomain.host= ${pki_instance_configuration_file}` - if [ "${line}" != "" ] ; then - pki_security_domain_hostname=`echo "${line}" | cut -b21-` - else - return 255 - fi - - line=`grep ^securitydomain.httpsadminport= ${pki_instance_configuration_file}` - if [ "${line}" != "" ] ; then - pki_security_domain_https_admin_port=`echo "${line}" | cut -b31-` - else - return 255 - fi - - # Compose the 
"PKI Instance Name" Status Line - pki_instance_name="PKI Instance Name: [INSTANCE_ID]" - - # Compose the "PKI Subsystem Type" Status Line - header="PKI Subsystem Type: " - if [ "${pki_clone}" != "" ] ; then - if [ "${pki_security_domain}" != "" ]; then - # Possible Values: - # - # "CA Clone (Security Domain)" - # - data="${pki_subsystem} ${pki_clone} ${pki_security_domain}" - else - # Possible Values: - # - # "CA Clone" - # "DRM Clone" - # "OCSP Clone" - # "TKS Clone" - # - data="${pki_subsystem} ${pki_clone}" - fi - elif [ "${pki_hierarchy}" != "" ] ; then - if [ "${pki_security_domain}" != "" ]; then - # Possible Values: - # - # "Root CA (Security Domain)" - # "Subordinate CA (Security Domain)" - # - data="${pki_hierarchy} ${pki_subsystem} ${pki_security_domain}" - else - # Possible Values: - # - # "Root CA" - # "Subordinate CA" - # - data="${pki_hierarchy} ${pki_subsystem}" - fi - else - # Possible Values: - # - # "DRM" - # "OCSP" - # "RA" - # "TKS" - # "TPS" - # - data="${pki_subsystem}" - fi - pki_subsystem_type="${header} ${data}" - - # Compose the "Registered PKI Security Domain Information" Status Line - header="Name: " - registered_pki_security_domain_name="${header} ${pki_security_domain_name}" - - header="URL: " - if [ "${pki_security_domain_hostname}" != "" ] && - [ "${pki_security_domain_https_admin_port}" != "" ] - then - data="https://${pki_security_domain_hostname}:${pki_security_domain_https_admin_port}" - else - return 255 - fi - registered_pki_security_domain_url="${header} ${data}" - - # Print the "PKI Subsystem Type" Status Line - echo - echo " ${pki_instance_name}" - - # Print the "PKI Subsystem Type" Status Line - echo - echo " ${pki_subsystem_type}" - - # Print the "Registered PKI Security Domain Information" Status Line - echo - echo " Registered PKI Security Domain Information:" - echo " ==========================================================================" - echo " ${registered_pki_security_domain_name}" - echo " 
${registered_pki_security_domain_url}" - echo " ==========================================================================" - - return 0 -} - -get_pki_secure_port() -{ - # establish well-known strings - listen_statement="Listen" - - # first check to see that an instance-specific "nss.conf" file exists - if [ ! -f [NSS_CONF] ] ; then - echo "File '[NSS_CONF]' does not exist!" - exit 255 - fi - - # read this instance-specific "nss.conf" file line-by-line - # to obtain the current value of the "clientauth" PKI secure port - exec < [NSS_CONF] - while read line; do - # look for the listen statement - head=`echo $line | cut -b1-6` - if [ "$head" == "$listen_statement" ] ; then - # once the 'clientauth' listen statement has been found, - # extract the numeric port information - port=`echo $line | cut -b8-` - SECURE_PORT=$port - return 0 - fi - done - - return 255 -} - -# The semantics of these two functions differ from the way apachectl does -# things -- attempting to start while running is a failure, and shutdown -# when not running is also a failure. So we just do it the way init scripts -# are expected to behave here. -start() -{ - echo -n $"Starting $prog: " - - if [ -f ${RESTART_SERVER} ] ; then - rm -f ${RESTART_SERVER} - fi - - if [ -f ${lockfile} ] ; then - if [ -f ${pidfile} ]; then - read kpid < ${pidfile} - if checkpid $kpid 2>&1; then - echo - echo "process already running" - return 255 - else - echo - echo -n "lock file found but no process " - echo -n "running for pid $kpid, continuing" - echo - echo - fi - fi - fi - - # restore context for ncipher hsm - [ -x /sbin/restorecon ] && [ -d /dev/nfast ] && /sbin/restorecon -R /dev/nfast - - if [ -f /etc/init.d/functions ]; then - /usr/sbin/selinuxenabled - RETVAL=$? 
- if [ $RETVAL = 0 ] ; then - if [ ${ARCHITECTURE} = "i386" ] ; then - LANG=$HTTPD_LANG daemon runcon -t pki_tps_t -- $httpd $OPTIONS - # overwrite output from "daemon" - echo -n $"Starting $prog: " - elif [ ${ARCHITECTURE} = "x86_64" ] ; then - # NOTE: "daemon" is incompatible with "httpd" - # on 64-bit architectures - LANG=$HTTPD_LANG runcon -t pki_tps_t -- $httpd $OPTIONS - fi - else - LANG=$HTTPD_LANG daemon $httpd $OPTIONS - # overwrite output from "daemon" - echo -n $"Starting $prog: " - fi - else - LANG=$HTTPD_LANG $httpd $OPTIONS -k start - fi - - RETVAL=$? - [ $RETVAL = 0 ] && touch ${lockfile} - - if [ $RETVAL = 0 ] ; then - count=0; - - let swait=$STARTUP_WAIT - until [ -s ${pidfile} ] || - [ $count -gt $swait ] - do - echo -n "." - sleep 1 - let count=$count+1; - done - - if [ -f /etc/init.d/functions ]; then - echo_success - echo - else - echo " [ OK ]" - fi - - get_pki_secure_port - if [ $? -ne 0 ] ; then - SECURE_PORT="<Port Undefined>" - fi - - # Set permissions of log files - pki_logs_directory=`dirname ${pidfile}` - pki_signedAudit="${pki_logs_directory}/signedAudit" - for file in ${pki_logs_directory}/*; do - if [ "${file}" != "${pidfile}" ] && - [ "${file}" != "${pki_signedAudit}" ]; then - chmod 00660 ${file} - chgrp [GROUPID] ${file} - chown [USERID] ${file} - fi - done - - # Set permissions of signedAudit log files - pki_signedAudit_files=`ls -1A ${pki_signedAudit} | wc -l` - if [ ${pki_signedAudit_files} -gt 0 ]; then - for file in ${pki_signedAudit}/*; do - chmod 00660 ${file} - chgrp [GROUPID] ${file} - chown [USERID] ${file} - done - fi - else - if [ -f /etc/init.d/functions ]; then - echo_failure - echo - else - echo " [ FAILED ]" - fi - fi - - if [ ${OS} = "Linux" ] ; then - sleep 10 - elif [ ${OS} = "SunOS" ] ; then - sleep 20 - fi - echo - status - return $RETVAL -} - -stop() -{ - echo -n "Stopping $prog: " - - if [ -f ${lockfile} ] ; then - $httpd $OPTIONS -k stop - - RETVAL=$? 
- - if [ $RETVAL = 0 ]; then - count=0; - - if [ -f ${pidfile} ]; then - read kpid < ${pidfile} - let kwait=$SHUTDOWN_WAIT - - until [ `ps -p $kpid | grep -c $kpid` = '0' ] || - [ $count -gt $kwait ] - do - echo -n "." - sleep 1 - let count=$count+1; - done - - if [ $count -gt $kwait ]; then - kill -9 $kpid - fi - fi - - rm -f ${lockfile} - rm -f ${pidfile} - - if [ -f /etc/init.d/functions ]; then - echo_success - echo - else - echo " [ OK ]" - fi - else - if [ -f /etc/init.d/functions ]; then - echo_failure - echo - else - echo " [ FAILED ]" - fi - fi - else - echo - echo "process already stopped" - fi -} - -reload() -{ - echo -n $"Reloading $prog: " - - if ! LANG=$HTTPD_LANG $httpd $OPTIONS -t >&/dev/null; then - RETVAL=$? - echo $"not reloading due to configuration syntax error" - if [ -f /etc/init.d/functions ]; then - failure $"not reloading $httpd due to configuration syntax error" - else - echo $"not reloading $httpd due to configuration syntax error" - fi - else - if [ -f /etc/init.d/functions ]; then - killproc $httpd -HUP - # overwrite output from "killproc" - echo -n $"Stopping $prog: " - else - if [ -f ${lockfile} ] ; then - if [ -f ${pidfile} ]; then - read kpid < ${pidfile} - if checkpid $kpid 2>&1; then - kill -HUP $kpid - fi - else - echo - echo -n "lock file found but no process " - echo -n "running for pid $kpid, continuing" - echo - echo - fi - fi - fi - fi - echo -} - -status() -{ - if [ -f ${pidfile} ] ; then - pid=`cat ${pidfile}` - if [ "${pid}" == "" ] ; then - echo "[INSTANCE_ID] pid file exists but is empty" - elif kill -0 ${pid} > /dev/null 2>&1 ; then - echo "[INSTANCE_ID] (pid ${pid}) is running ..." - echo - check_pki_configuration_status - if [ $? -eq 0 ] ; then - get_pki_status_definitions - if [ $? -ne 0 ] ; then - echo - echo "[INSTANCE_ID] Status Definitions not found" - fi - get_pki_configuration_definitions - if [ $? 
-ne 0 ] ; then - echo - echo "[INSTANCE_ID] Configuration Definitions not found" - fi - fi - echo - else - echo "[INSTANCE_ID] is dead but pid file exists" - fi - else - echo "[INSTANCE_ID] is stopped" - fi -} - -# See how we were called. -case "$1" in - start) - start - ;; - stop) - stop - ;; - restart) - stop - sleep 2 - start - ;; - condrestart) - if [ -f ${pidfile} ] ; then - stop - sleep 2 - start - else - echo -n "Unable to restart process since " - echo -n "'${pidfile}' does not exist!" - echo - fi - ;; - reload) - reload - ;; - status) - status - ;; - *) - echo $"Usage: $prog {start|stop|restart|condrestart|reload|status}" - exit 1 -esac - -exit $RETVAL - diff --git a/pki/base/tps/etc/init.d/pki-tpsd b/pki/base/tps/etc/init.d/pki-tpsd new file mode 100755 index 000000000..0ca55abf4 --- /dev/null +++ b/pki/base/tps/etc/init.d/pki-tpsd 
@@ -0,0 +1,1439 @@ +#!/bin/bash +# +# --- BEGIN COPYRIGHT BLOCK --- +# This library is free software; you can redistribute it and/or +# modify it under the terms of the GNU Lesser General Public +# License as published by the Free Software Foundation; +# version 2.1 of the License. +# +# This library is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +# Lesser General Public License for more details. +# +# You should have received a copy of the GNU Lesser General Public +# License along with this library; if not, write to the Free Software +# Foundation, Inc., 51 Franklin Street, Fifth Floor, +# Boston, MA 02110-1301 USA +# +# Copyright (C) 2007 Red Hat, Inc. +# All rights reserved. +# --- END COPYRIGHT BLOCK --- +# +# +# pki-tpsd Startup script for the Apache HTTP pki-tps Server +# +# chkconfig: - 87 13 +# description: Token Processing System \ +# (Apache 2.2) +# processname: pki-tpsd +# piddir: /var/run/pki/tps +# config: ${PKI_SERVER_ROOT}/conf/httpd.conf + +PKI_INIT_SCRIPT="" +PKI_PATH="/usr/share/pki/tps" +PKI_PIDDIR="/var/run/pki/tps" +PKI_PROCESS="pki-tpsd" +PKI_REGISTRY="/etc/sysconfig/pki/tps" +PKI_SELINUX_TYPE="pki_tps_t" +PKI_TYPE="pki-tps" + +# PKI subsystem-level directory and file values for locks +lockfile="/var/lock/subsys/pki-tpsd" + +# Disallow 'others' the ability to 'write' to new files +umask 00002 + +default_error=0 +command="$1" +pki_instance="$2" +case "${command}" in + start|stop|restart|condrestart|force-restart|try-restart) + # * 1 generic or unspecified error (current practice) + default_error=1 + ;; + reload) + default_error=3 + ;; + status) + # * 4 program or service status is unknown + default_error=4 + ;; + *) + # * 2 invalid argument(s) + default_error=2 + ;; +esac + +# Check to insure that this script's original invocation directory +# has not been deleted! +CWD=`/bin/pwd > /dev/null 2>&1` +if [ $? 
-ne 0 ] ; then + echo "Cannot invoke '$0' from non-existent directory!" + exit ${default_error} +fi + +# Check to insure that this script's associated PKI +# subsystem currently resides on this system. +if [ ! -d ${PKI_PATH} ] ; then + echo "This machine is missing the '${PKI_TYPE}' subsystem!" + if [ "${command}" != "status" ]; then + # * 5 program is not installed + exit 5 + else + exit ${default_error} + fi +fi + +# Check to insure that this script's associated PKI +# subsystem instance registry currently resides on this system. +if [ ! -d ${PKI_REGISTRY} ] ; then + echo "This machine contains no registered '${PKI_TYPE}' subsystem instances!" + if [ "${command}" != "status" ]; then + # * 5 program is not installed + exit 5 + else + exit ${default_error} + fi +fi + +# Obtain the operating system upon which this script is being executed +# and initialize environment variables +OS=`uname -s` +ARCHITECTURE="" +LD_LIBRARY_PATH="" + +# Time to wait in seconds, before killing process +# +# NOTE: Defined in "tomcat5.conf" for PKI Java/Tomcat Subsystems. +# +STARTUP_WAIT=30 +SHUTDOWN_WAIT=30 + +# This script must be run as root! +RV=0 +if [ ${OS} = "Linux" ] ; then + PKI_INIT_SCRIPT="/sbin/service ${PKI_PROCESS}" + if [ `id -u` -ne 0 ] ; then + echo "Must be 'root' to execute '$0'!" + if [ "${command}" != "status" ]; then + # * 4 user had insufficient privilege + exit 4 + else + # * 4 program or service status is unknown + exit 4 + fi + fi + ARCHITECTURE=`uname -i` + if [ ${ARCHITECTURE} = "i386" ] ; then + LD_LIBRARY_PATH="/usr/lib:/lib:${LD_LIBRARY_PATH}" + elif [ ${ARCHITECTURE} = "x86_64" ] ; then + LD_LIBRARY_PATH="/usr/lib64:/lib64:${LD_LIBRARY_PATH}" + else + echo "Unsupported architecture '${ARCHITECTURE}'!" + exit ${default_error} + fi +elif [ ${OS} = "SunOS" ] ; then + PKI_INIT_SCRIPT="/etc/init.d/${PKI_PROCESS}" + if [ `/usr/xpg4/bin/id -u` -ne 0 ] ; then + echo "Must be 'root' to execute '$0'!" 
+ if [ "${command}" != "status" ]; then + # * 4 user had insufficient privilege + exit 4 + else + # * 4 program or service status is unknown + exit 4 + fi + fi + ARCHITECTURE=`uname -p` + if [ "${ARCHITECTURE}" = "sparc" ] && + [ -d "/usr/lib/sparcv9/" ] ; then + ARCHITECTURE="sparcv9" + fi + if [ ${ARCHITECTURE} = "sparcv9" ] ; then + LD_LIBRARY_PATH="/usr/lib/sparcv9:/lib/sparcv9:${LD_LIBRARY_PATH}" + LD_LIBRARY_PATH="/usr/lib/sparcv9/dirsec:${LD_LIBRARY_PATH}" + else + echo "Unsupported architecture '${ARCHITECTURE}'!" + exit ${default_error} + fi +else + echo "Unsupported OS '${OS}'!" + exit ${default_error} +fi +export LD_LIBRARY_PATH + +# Source function library. +if [ -f /etc/init.d/functions ]; then + . /etc/init.d/functions +else + # The checkpid() function is provided for platforms that do not + # contain the "/etc/init.d/functions" file (e. g. - Solaris) . . . + + # Check if ${pid} (could be plural) are running (keep count) + checkpid() + { + rv=0 + for i in $* ; do + ps -p $i > /dev/null 2>&1 ; + if [ $? -ne 0 ] ; then + rv=`expr $rv + 1` + else + rv=`expr $rv + 0` + fi + done + # echo "rv=$rv" + return $rv + } + + # Create the following directories on platforms + # where they do not exist (e. g. - Solaris) . . . + if [ ! -d "/var/lock" ] ; then + mkdir -p /var/lock + chown root:sys /var/lock + chmod 00755 /var/lock + fi + if [ ! 
-d "/var/lock/subsys" ] ; then + mkdir -p /var/lock/subsys + chown root:root /var/lock/subsys + chmod 00755 /var/lock/subsys + fi +fi + +PKI_REGISTRY_ENTRIES="" +TOTAL_PKI_REGISTRY_ENTRIES=0 +TOTAL_UNCONFIGURED_PKI_ENTRIES=0 + +# Gather ALL registered instances of this PKI subsystem type +for FILE in `/bin/ls -1 ${PKI_REGISTRY}/* 2>/dev/null`; do + if [ -f "$FILE" ] ; then + inst=`echo "$FILE"` + PKI_REGISTRY_ENTRIES="${PKI_REGISTRY_ENTRIES} $inst" + TOTAL_PKI_REGISTRY_ENTRIES=`expr ${TOTAL_PKI_REGISTRY_ENTRIES} + 1` + fi +done + +if [ -n "${pki_instance}" ]; then + for I in ${PKI_REGISTRY_ENTRIES}; do + if [ "${PKI_REGISTRY}/${pki_instance}" = "$I" ]; then + PKI_REGISTRY_ENTRIES="${PKI_REGISTRY}/${pki_instance}" + TOTAL_PKI_REGISTRY_ENTRIES=1 + break + fi + done +fi + +usage() +{ + echo -n "Usage: ${PKI_INIT_SCRIPT} " + echo -n "{start" + echo -n "|stop" + echo -n "|restart" + echo -n "|condrestart" + echo -n "|force-restart" + echo -n "|try-restart" + echo -n "|reload" + echo -n "|status} " + echo -n "[instance-name]" + echo + echo +} + +list_instances() +{ + echo + for FILE in `/bin/ls -1 ${PKI_REGISTRY}/* 2>/dev/null`; do + echo " ${FILE}" + done + echo +} + +# Check arguments +if [ $# -lt 1 ] ; then + # * 3 unimplemented feature (for example, "reload") + # [insufficient arguments] + echo "$0: Insufficient arguments!" + echo + usage + echo "where valid instance names include:" + list_instances + exit 3 +elif [ ${default_error} -eq 2 ] ; then + # * 2 invalid argument + echo "$0: Invalid arguments!" + echo + usage + echo "where valid instance names include:" + list_instances + exit 2 +elif [ $# -gt 2 ] ; then + echo "$0: Excess arguments!" 
+ echo + usage + echo "where valid instance names include:" + list_instances + if [ "${command}" != "status" ]; then + # * 2 excess arguments + exit 2 + else + # * 4 program or service status is unknown + exit 4 + fi +fi + +# If an "instance" was supplied, check that it is a "valid" instance +if [ -n "${pki_instance}" ]; then + if [ "${PKI_REGISTRY}/${pki_instance}" != "${PKI_REGISTRY_ENTRIES}" ]; then + echo -n "${pki_instance} is an invalid '${PKI_TYPE}' instance" + echo_failure + echo + if [ "${command}" != "status" ]; then + # * 5 program is not installed + exit 5 + else + # * 4 program or service status is unknown + exit 4 + fi + fi +fi + +# On Solaris /var/run is in tmpfs and gets wiped out upon reboot +# we have to recreate the ${PKI_PIDDIR} directory and make sure that +# the directory is writable by the ${PKI_TYPE} server process. +# +# IMPORTANT: ALL PKI subsystems installed on this machine MUST utilize +# the SAME values for ${PKI_GROUP} and ${PKI_USER}, since the +# "${PKI_PIDDIR}" will end up with the ownership permissions +# of the first instance that executes this function! +# +fix_pid_dir_ownership() +{ + if [ ! -d ${PKI_PIDDIR} ] ; then + mkdir -p ${PKI_PIDDIR} + + chown root:root /var/run/pki + chmod 00755 /var/run/pki + + chown root:root ${PKI_PIDDIR} + chmod 00755 ${PKI_PIDDIR} + fi +} + +check_pki_configuration_status() +{ + rv=0 + + rv=`grep -c ^preop ${pki_instance_configuration_file}` + + rv=`expr ${rv} + 0` + + if [ ${rv} -ne 0 ] ; then + echo " '${PKI_INSTANCE_ID}' must still be CONFIGURED!" + echo " (see /var/log/${PKI_INSTANCE_ID}-install.log)" + if [ "${command}" != "status" ]; then + # * 6 program is not configured + rv=6 + else + # * 4 program or service status is unknown + rv=4 + fi + TOTAL_UNCONFIGURED_PKI_ENTRIES=`expr ${TOTAL_UNCONFIGURED_PKI_ENTRIES} + 1` + elif [ -f ${RESTART_SERVER} ] ; then + echo -n " Although '${PKI_INSTANCE_ID}' has been CONFIGURED, " + echo -n "it must still be RESTARTED!" 
+ echo + if [ "${command}" != "status" ]; then + # * 1 generic or unspecified error (current practice) + rv=1 + else + # * 4 program or service status is unknown + rv=4 + fi + fi + + return ${rv} +} + +get_pki_status_definitions() +{ + # establish well-known strings + listen_statement="Listen" + total_ports=0 + UNSECURE_PORT="" + CLIENTAUTH_PORT="" + NON_CLIENTAUTH_PORT="" + + # check to see that an instance-specific "httpd.conf" file exists + if [ ! -f ${PKI_HTTPD_CONF} ] ; then + echo "File '${PKI_HTTPD_CONF}' does not exist!" + exit ${default_error} + fi + + # check to see that an instance-specific "nss.conf" file exists + if [ ! -f ${PKI_NSS_CONF} ] ; then + echo "File '${PKI_NSS_CONF}' does not exist!" + exit ${default_error} + fi + + # read this instance-specific "httpd.conf" file line-by-line + # to obtain the current value of the PKI unsecure port + + exec < ${PKI_HTTPD_CONF} + while read line; do + # look for the listen statement + head=`echo $line | cut -b1-6` + if [ "$head" == "$listen_statement" ] ; then + # once the 'unsecure' listen statement has been found, + # extract the numeric port information + port=`echo $line | cut -b8-` + UNSECURE_PORT=$port + echo " Unsecure Port = http://${PKI_SERVER_NAME}:${UNSECURE_PORT}/cgi-bin/so/enroll.cgi" + echo " (ESC Security Officer Enrollment)" + echo " Unsecure Port = http://${PKI_SERVER_NAME}:${UNSECURE_PORT}/cgi-bin/home/index.cgi" + echo " (ESC Phone Home)" + total_ports=`expr ${total_ports} + 1` + break; + fi + done + + # read this instance-specific "nss.conf" file line-by-line + # to obtain the current value of the "clientauth" PKI secure port + # AND the current value of the "non-clientauth" PKI secure port + + exec < ${PKI_NSS_CONF} + while read line; do + # look for the listen statement + head=`echo $line | cut -b1-6` + if [ "$head" == "$listen_statement" ] && + [ ${total_ports} -eq 2 ] ; then + # once the 'non-clientauth' listen statement has been found, + # extract the numeric port information + 
non_clientauth_port=`echo $line | cut -b8-` + NON_CLIENTAUTH_PORT=$non_clientauth_port + echo " Secure Non-Clientauth Port = https://${PKI_SERVER_NAME}:${NON_CLIENTAUTH_PORT}/cgi-bin/so/enroll.cgi" + echo " (ESC Security Officer Enrollment)" + echo " Secure Non-Clientauth Port = https://${PKI_SERVER_NAME}:${NON_CLIENTAUTH_PORT}/cgi-bin/home/index.cgi" + echo " (ESC Phone Home)" + total_ports=`expr ${total_ports} + 1` + break + fi + if [ "$head" == "$listen_statement" ] && + [ ${total_ports} -eq 1 ] ; then + # once the 'clientauth' listen statement has been found, + # extract the numeric port information + clientauth_port=`echo $line | cut -b8-` + CLIENTAUTH_PORT=$clientauth_port + echo " Secure Clientauth Port = https://${PKI_SERVER_NAME}:${CLIENTAUTH_PORT}/cgi-bin/sow/welcome.cgi" + echo " (ESC Security Officer Workstation)" + echo " Secure Clientauth Port = https://${PKI_SERVER_NAME}:${CLIENTAUTH_PORT}/tus" + echo " (TPS Roles - Operator/Administrator/Agent)" + total_ports=`expr ${total_ports} + 1` + fi + done + + if [ ${total_ports} -eq 3 ] ; then + return 0 + else + return ${default_error} + fi +} + +get_pki_configuration_definitions() +{ + # Obtain the PKI Subsystem Type + line=`grep ^cs.type= ${pki_instance_configuration_file}` + pki_subsystem=`echo "${line}" | cut -b9-` + if [ "${line}" != "" ] ; then + if [ "${pki_subsystem}" != "CA" ] && + [ "${pki_subsystem}" != "KRA" ] && + [ "${pki_subsystem}" != "OCSP" ] && + [ "${pki_subsystem}" != "TKS" ] && + [ "${pki_subsystem}" != "RA" ] && + [ "${pki_subsystem}" != "TPS" ] + then + return ${default_error} + fi + if [ "${pki_subsystem}" == "KRA" ] ; then + # Rename "KRA" to "DRM" + pki_subsystem="DRM" + fi + else + return ${default_error} + fi + + # If "${pki_subsystem}" is a CA, DRM, OCSP, or TKS, + # check to see if "${pki_subsystem}" is a "Clone" + pki_clone="" + if [ "${pki_subsystem}" == "CA" ] || + [ "${pki_subsystem}" == "DRM" ] || + [ "${pki_subsystem}" == "OCSP" ] || + [ "${pki_subsystem}" == "TKS" ] + 
then + line=`grep ^subsystem.select= ${pki_instance_configuration_file}` + if [ "${line}" != "" ] ; then + pki_clone=`echo "${line}" | cut -b18-` + if [ "${pki_clone}" != "Clone" ] ; then + # Reset "${pki_clone}" to be empty + pki_clone="" + fi + else + return ${default_error} + fi + fi + + # If "${pki_subsystem}" is a CA, and is NOT a "Clone", check to + # see "${pki_subsystem}" is a "Root" or a "Subordinate" CA + pki_hierarchy="" + if [ "${pki_subsystem}" == "CA" ] && + [ "${pki_clone}" != "Clone" ] + then + line=`grep ^hierarchy.select= ${pki_instance_configuration_file}` + if [ "${line}" != "" ] ; then + pki_hierarchy=`echo "${line}" | cut -b18-` + else + return ${default_error} + fi + fi + + # If ${pki_subsystem} is a CA, check to + # see if it is also a Security Domain + pki_security_domain="" + if [ "${pki_subsystem}" == "CA" ] ; then + line=`grep ^securitydomain.select= ${pki_instance_configuration_file}` + if [ "${line}" != "" ] ; then + pki_security_domain=`echo "${line}" | cut -b23-` + if [ "${pki_security_domain}" == "new" ] ; then + # Set a fixed value for "${pki_security_domain}" + pki_security_domain="(Security Domain)" + else + # Reset "${pki_security_domain}" to be empty + pki_security_domain="" + fi + else + return ${default_error} + fi + fi + + # Always obtain this PKI instance's "registered" + # security domain information + pki_security_domain_name="" + pki_security_domain_hostname="" + pki_security_domain_https_admin_port="" + + line=`grep ^securitydomain.name= ${pki_instance_configuration_file}` + if [ "${line}" != "" ] ; then + pki_security_domain_name=`echo "${line}" | cut -b21-` + else + return ${default_error} + fi + + line=`grep ^securitydomain.host= ${pki_instance_configuration_file}` + if [ "${line}" != "" ] ; then + pki_security_domain_hostname=`echo "${line}" | cut -b21-` + else + return ${default_error} + fi + + line=`grep ^securitydomain.httpsadminport= ${pki_instance_configuration_file}` + if [ "${line}" != "" ] ; then + 
pki_security_domain_https_admin_port=`echo "${line}" | cut -b31-` + else + return ${default_error} + fi + + # Compose the "PKI Instance Name" Status Line + pki_instance_name="PKI Instance Name: ${PKI_INSTANCE_ID}" + + # Compose the "PKI Subsystem Type" Status Line + header="PKI Subsystem Type: " + if [ "${pki_clone}" != "" ] ; then + if [ "${pki_security_domain}" != "" ]; then + # Possible Values: + # + # "CA Clone (Security Domain)" + # + data="${pki_subsystem} ${pki_clone} ${pki_security_domain}" + else + # Possible Values: + # + # "CA Clone" + # "DRM Clone" + # "OCSP Clone" + # "TKS Clone" + # + data="${pki_subsystem} ${pki_clone}" + fi + elif [ "${pki_hierarchy}" != "" ] ; then + if [ "${pki_security_domain}" != "" ]; then + # Possible Values: + # + # "Root CA (Security Domain)" + # "Subordinate CA (Security Domain)" + # + data="${pki_hierarchy} ${pki_subsystem} ${pki_security_domain}" + else + # Possible Values: + # + # "Root CA" + # "Subordinate CA" + # + data="${pki_hierarchy} ${pki_subsystem}" + fi + else + # Possible Values: + # + # "DRM" + # "OCSP" + # "RA" + # "TKS" + # "TPS" + # + data="${pki_subsystem}" + fi + pki_subsystem_type="${header} ${data}" + + # Compose the "Registered PKI Security Domain Information" Status Line + header="Name: " + registered_pki_security_domain_name="${header} ${pki_security_domain_name}" + + header="URL: " + if [ "${pki_security_domain_hostname}" != "" ] && + [ "${pki_security_domain_https_admin_port}" != "" ] + then + data="https://${pki_security_domain_hostname}:${pki_security_domain_https_admin_port}" + else + return ${default_error} + fi + registered_pki_security_domain_url="${header} ${data}" + + # Print the "PKI Subsystem Type" Status Line + echo + echo " ${pki_instance_name}" + + # Print the "PKI Subsystem Type" Status Line + echo + echo " ${pki_subsystem_type}" + + # Print the "Registered PKI Security Domain Information" Status Line + echo + echo " Registered PKI Security Domain Information:" + echo " 
==========================================================================" + echo " ${registered_pki_security_domain_name}" + echo " ${registered_pki_security_domain_url}" + echo " ==========================================================================" + + return 0 +} + +get_pki_secure_port() +{ + # establish well-known strings + listen_statement="Listen" + + # first check to see that an instance-specific "nss.conf" file exists + if [ ! -f ${PKI_NSS_CONF} ] ; then + echo "File '${PKI_NSS_CONF}' does not exist!" + exit ${default_error} + fi + + # read this instance-specific "nss.conf" file line-by-line + # to obtain the current value of the "clientauth" PKI secure port + exec < ${PKI_NSS_CONF} + while read line; do + # look for the listen statement + head=`echo $line | cut -b1-6` + if [ "$head" == "$listen_statement" ] ; then + # once the 'clientauth' listen statement has been found, + # extract the numeric port information + port=`echo $line | cut -b8-` + SECURE_PORT=$port + return 0 + fi + done + + return ${default_error} +} + +display_instance_status() +{ + rv=0 + + if [ -f ${pidfile} ] ; then + pid=`cat ${pidfile}` + if [ "${pid}" == "" ] ; then + echo "${PKI_INSTANCE_ID} pid file exists but is empty" + if [ "${command}" != "status" ]; then + # * 1 generic or unspecified error (current practice) + rv=1 + else + # * 4 program or service status is unknown + rv=4 + fi + elif kill -0 ${pid} > /dev/null 2>&1 ; then + echo "${PKI_INSTANCE_ID} (pid ${pid}) is running ..." + echo + check_pki_configuration_status + rv=$? + if [ ${rv} -eq 0 ] ; then + get_pki_status_definitions + rv=$? + if [ ${rv} -ne 0 ] ; then + echo + echo "${PKI_INSTANCE_ID} Status Definitions not found" + else + get_pki_configuration_definitions + rv=$? 
+ if [ ${rv} -ne 0 ] ; then + echo + echo "${PKI_INSTANCE_ID} Configuration Definitions not found" + fi + fi + else + # From the PKI point of view for a "non-status" action, + # a returned error code of "6" implies that the program + # is not "configured". Similarly, an error code of "1" + # implies that the program was "configured" but must + # still be restarted. + # + # Similarly, from the PKI point of view for a "status" + # action, a returned error code of "4" implies that either + # the program is not "configured", or that the program + # was "configured" but must still be restarted. + # + # Regardless, it must still be considered that the instance + # is "running" from the viewpoint of other OS programs such + # as 'chkconfig'. + # + # For this reason, when returning from + # 'display_instance_status()', ignore non-zero return codes + # returned from 'check_pki_configuration_status()'. + # + if [ "${command}" != "status" ]; then + # * 0 action was successful + rv=0 + else + # * 0 program is running or service is OK + rv=0 + fi + fi + echo + else + echo "${PKI_INSTANCE_ID} is dead but pid file exists" + if [ "${command}" != "status" ]; then + # * 1 generic or unspecified error (current practice) + rv=1 + else + # * 1 program is dead and /var/run pid file exists + rv=1 + fi + fi + else + echo "${PKI_INSTANCE_ID} is stopped" + if [ "${command}" != "status" ]; then + # * 7 program is not running + rv=7 + else + # * 3 program is not running + rv=3 + fi + fi + + return ${rv} +} + +start_instance() +{ + rv=0 + + echo -n $"Starting ${prog}: " + + if [ -f ${RESTART_SERVER} ] ; then + rm -f ${RESTART_SERVER} + fi + + if [ -f ${PKI_LOCKFILE} ] ; then + if [ -f ${pidfile} ]; then + read kpid < ${pidfile} + if checkpid $kpid 2>&1; then + echo + echo "${PKI_INSTANCE_ID} (pid ${kpid}) is already running ..." + echo + check_pki_configuration_status + rv=$? 
+ if [ ${rv} != 0 ]; then + # From the PKI point of view for a "non-status" action, + # a returned error code of "6" implies that the program + # is not "configured". Similarly, an error code of "1" + # implies that the program was "configured" but must + # still be restarted. + # + # Regardless, it must still be considered that the instance + # is "running" from the viewpoint of other OS programs such + # as 'chkconfig'. + # + # For "non-status" actions, ignore return codes of "1" + # from 'check_pki_configuration_status()'. + # + # However, for "non-status" actions that have a return + # code of "6", return this value unchanged to + # the calling routine so that the total number of + # configuration errors may be counted. + # + + echo + if [ ${rv} = 1 ] ; then + # * 0 action was successful + return 0 + elif [ ${rv} = 6 ] ; then + # * 6 program is not configured + return 6 + else + # should never be reached + return ${rv} + fi + else + return 0 + fi + else + echo + echo -n "lock file found but no process " + echo -n "running for pid $kpid, continuing" + echo + echo + rm -f ${PKI_LOCKFILE} + fi + fi + fi + + fix_pid_dir_ownership + + touch ${pidfile} + chown ${PKI_USER}:${PKI_GROUP} ${pidfile} + chmod 00600 ${pidfile} + [ -x /sbin/restorecon ] && /sbin/restorecon ${pidfile} + + # restore context for ncipher hsm + [ -x /sbin/restorecon ] && [ -d /dev/nfast ] && /sbin/restorecon -R /dev/nfast + + if [ -f /etc/init.d/functions ]; then + /usr/sbin/selinuxenabled + rv=$? 
+ if [ ${rv} = 0 ] ; then
+ if [ ${ARCHITECTURE} = "i386" ] ; then
+ LANG=${PKI_HTTPD_LANG} daemon runcon -t ${PKI_SELINUX_TYPE} -- ${httpd} ${PKI_OPTIONS}
+ # overwrite output from "daemon"
+ echo -n $"Starting ${prog}: "
+ elif [ ${ARCHITECTURE} = "x86_64" ] ; then
+ # NOTE: "daemon" is incompatible with "httpd"
+ # on 64-bit architectures
+ LANG=${PKI_HTTPD_LANG} runcon -t ${PKI_SELINUX_TYPE} -- ${httpd} ${PKI_OPTIONS}
+ fi
+ else
+ LANG=${PKI_HTTPD_LANG} daemon ${httpd} ${PKI_OPTIONS}
+ # overwrite output from "daemon"
+ echo -n $"Starting ${prog}: "
+ fi
+ else
+ LANG=${PKI_HTTPD_LANG} ${httpd} ${PKI_OPTIONS} -k start
+ fi
+
+ rv=$?
+ if [ ${rv} = 0 ] ; then
+ touch ${PKI_LOCKFILE}
+ chown ${PKI_USER}:${PKI_GROUP} ${PKI_LOCKFILE}
+ chmod 00600 ${PKI_LOCKFILE}
+ fi
+
+ if [ ${rv} = 0 ] ; then
+ count=0;
+
+ let swait=$STARTUP_WAIT
+ until [ -s ${pidfile} ] ||
+ [ $count -gt $swait ]
+ do
+ echo -n "."
+ sleep 1
+ let count=$count+1;
+ done
+
+ if [ -f /etc/init.d/functions ]; then
+ if [ "$CONSOLETYPE" = "serial" ]; then
+ echo -n " "
+ fi
+ echo_success
+ echo
+ else
+ echo " [ OK ]"
+ fi
+
+ get_pki_secure_port
+ if [ $? -ne 0 ] ; then
+ SECURE_PORT="<Port Undefined>"
+ fi
+
+ # Set permissions of log files
+ pki_signedAudit="${pki_logs_directory}/signedAudit"
+ for file in ${pki_logs_directory}/*; do
+ if [ "${file}" != "${pki_signedAudit}" ]; then
+ chown ${PKI_USER}:${PKI_GROUP} ${file}
+ chmod 00660 ${file}
+ fi
+ done
+
+ # Set permissions of signedAudit log files
+ pki_signedAudit_files=`ls -1A ${pki_signedAudit} | wc -l`
+ if [ ${pki_signedAudit_files} -gt 0 ]; then
+ for file in ${pki_signedAudit}/*; do
+ chown ${PKI_USER}:${PKI_GROUP} ${file}
+ chmod 00660 ${file}
+ done
+ fi
+
+ # ignore "status" return codes
+ echo
+ display_instance_status
+ else
+ if [ -f /etc/init.d/functions ]; then
+ if [ "$CONSOLETYPE" = "serial" ]; then
+ $0 echo -n " "
+ fi
+ echo_failure
+ echo
+ else
+ echo " [ FAILED ]"
+ fi
+ fi
+
+ if [ ${OS} = "Linux" ] ; then
+ sleep 10
+ elif [ ${OS} = "SunOS" ] ; then
+ sleep 20
+ fi
+ return ${rv}
+}
+
+stop_instance()
+{
+ rv=0
+
+ echo -n "Stopping ${prog}: "
+
+ if [ -f ${PKI_LOCKFILE} ] ; then
+ ${httpd} ${PKI_OPTIONS} -k stop
+
+ rv=$?
+
+ if [ ${rv} = 0 ]; then
+ count=0;
+
+ if [ -f ${pidfile} ]; then
+ read kpid < ${pidfile}
+ let kwait=$SHUTDOWN_WAIT
+
+ until [ `ps -p $kpid | grep -c $kpid` = '0' ] ||
+ [ $count -gt $kwait ]
+ do
+ echo -n "."
+ sleep 1
+ let count=$count+1;
+ done
+
+ if [ $count -gt $kwait ]; then
+ kill -9 $kpid
+ fi
+ fi
+
+ rm -f ${PKI_LOCKFILE}
+ rm -f ${pidfile}
+
+ if [ -f /etc/init.d/functions ]; then
+ if [ "$CONSOLETYPE" = "serial" ]; then
+ echo -n " "
+ fi
+ echo_success
+ echo
+ else
+ echo " [ OK ]"
+ fi
+ else
+ if [ -f /etc/init.d/functions ]; then
+ if [ "$CONSOLETYPE" = "serial" ]; then
+ echo -n " "
+ fi
+ echo_failure
+ echo
+ else
+ echo " [ FAILED ]"
+ fi
+ rv=${default_error}
+ fi
+ else
+ echo
+ echo "process already stopped"
+ rv=0
+ fi
+
+ return ${rv}
+}
+
+reload_instance()
+{
+ rv=0
+
+ echo -n $"Reloading ${prog}: "
+
+ if ! LANG=${PKI_HTTPD_LANG} ${httpd} ${PKI_OPTIONS} -t >&/dev/null; then
+ rv=$?
+ echo $"not reloading due to configuration syntax error"
+ if [ -f /etc/init.d/functions ]; then
+ failure $"not reloading ${httpd} due to configuration syntax error"
+ else
+ echo $"not reloading ${httpd} due to configuration syntax error"
+ fi
+ else
+ if [ -f /etc/init.d/functions ]; then
+ killproc -p ${pidfile} ${httpd} -HUP
+ rv=$?
+ else
+ if [ -f ${PKI_LOCKFILE} ] ; then
+ if [ -f ${pidfile} ]; then
+ read kpid < ${pidfile}
+ if checkpid $kpid 2>&1; then
+ kill -HUP $kpid
+ rv=$?
+ if [ ${rv} != 0 ]; then
+ rv=${default_error}
+ fi
+ fi
+ else
+ # * 7 program is not running
+ rv=7
+ echo
+ echo -n "lock file found but no process "
+ echo -n "running for pid $kpid, continuing"
+ echo
+ echo
+ rm -f ${PKI_LOCKFILE}
+ fi
+ fi
+ fi
+ fi
+ echo
+
+ return ${rv}
+}
+
+# The semantics of the 'start()' function differs from the way 'apachectl'
+# does things -- attempting to start while running is a failure.
+# So we just do it the way init scripts are expected to behave here.
+start()
+{
+ # From "http://fedoraproject.org/wiki/FCNewInit/Initscripts":
+ #
+ # * 0 action was successful
+ # * 1 generic or unspecified error (current practice)
+ # * 2 invalid or excess argument(s)
+ # * 3 unimplemented feature (for example, "reload")
+ # * 4 user had insufficient privilege
+ # * 5 program is not installed
+ # * 6 program is not configured
+ # * 7 program is not running
+ # * 8-99 reserved for future LSB use
+ # * 100-149 reserved for distribution use
+ # * 150-199 reserved for application use
+ # * 200-254 reserved
+ #
+
+ error_rv=0
+ rv=0
+
+ if [ -n "${PKI_REGISTRY_ENTRIES}" ]; then
+ config_errors=0
+ errors=0
+
+ if [ ${TOTAL_PKI_REGISTRY_ENTRIES} -gt 1 ] ; then
+ echo "BEGIN STARTING '${PKI_TYPE}' INSTANCE(S):"
+ fi
+
+ # Start every PKI instance of this type that isn't already running
+ for PKI_REGISTRY_ENTRY in ${PKI_REGISTRY_ENTRIES}; do
+ # Source values associated with this particular PKI instance
+ [ -f ${PKI_REGISTRY_ENTRY} ] &&
+ . ${PKI_REGISTRY_ENTRY}
+
+ pidfile=${PKI_PIDDIR}/${PKI_PIDFILE}
+
+ [ ${TOTAL_PKI_REGISTRY_ENTRIES} -gt 1 ] && echo
+
+ start_instance
+
+ rv=$?
+ if [ ${rv} = 6 ] ; then
+ # Since at least ONE configuration error exists, then there
+ # is at least ONE unconfigured instance from the PKI point
+ # of view.
+ #
+ # However, it must still be considered that the
+ # instance is "running" from the point of view of other
+ # OS programs such as 'chkconfig'.
+ #
+ # Therefore, ignore non-zero return codes resulting
+ # from configuration errors.
+ #
+
+ config_errors=`expr $config_errors + 1`
+ rv=0
+ elif [ ${rv} != 0 ] ; then
+ errors=`expr $errors + 1`
+ error_rv=${rv}
+ fi
+ done
+
+ if [ ${TOTAL_PKI_REGISTRY_ENTRIES} -gt ${errors} ] ; then
+ touch ${lockfile}
+ chmod 00600 ${lockfile}
+ fi
+
+ # ONLY print a "WARNING" message if multiple
+ # instances are being examined
+ if [ ${TOTAL_PKI_REGISTRY_ENTRIES} -gt 1 ] ; then
+ # NOTE: "bad" return code(s) OVERRIDE configuration errors!
+ if [ ${errors} -eq 1 ]; then
+ # Since only ONE error exists, return that "bad" error code.
+ rv=${error_rv}
+ elif [ ${errors} -gt 1 ]; then
+ # Since MORE than ONE error exists, return an OVERALL status
+ # of "1 generic or unspecified error (current practice)"
+ rv=1
+ fi
+
+ if [ ${errors} -ge 1 ]; then
+ echo
+ echo -n "WARNING: "
+ echo -n "${errors} of ${TOTAL_PKI_REGISTRY_ENTRIES} "
+ echo -n "'${PKI_TYPE}' instances failed to start!"
+ echo
+ fi
+
+ if [ ${TOTAL_UNCONFIGURED_PKI_ENTRIES} -ge 1 ]; then
+ echo
+ echo -n "WARNING: "
+ echo -n "${TOTAL_UNCONFIGURED_PKI_ENTRIES} "
+ echo -n "of ${TOTAL_PKI_REGISTRY_ENTRIES} "
+ echo -n "'${PKI_TYPE}' instances MUST be configured!"
+ echo
+ fi
+
+ echo
+ echo "FINISHED STARTING '${PKI_TYPE}' INSTANCE(S)."
+ fi
+ else
+ echo
+ echo "ERROR: No '${PKI_TYPE}' instances installed!"
+ rv=5
+ fi
+
+ return ${rv}
+}
+
+# The semantics of the 'stop()' function differs from the way 'apachectl'
+# does things -- attempting to shutdown when not running is a failure.
+# So we just do it the way init scripts are expected to behave here.
+stop()
+{
+ # From "http://fedoraproject.org/wiki/FCNewInit/Initscripts":
+ #
+ # * 0 action was successful
+ # * 1 generic or unspecified error (current practice)
+ # * 2 invalid or excess argument(s)
+ # * 3 unimplemented feature (for example, "reload")
+ # * 4 user had insufficient privilege
+ # * 5 program is not installed
+ # * 6 program is not configured
+ # * 7 program is not running
+ # * 8-99 reserved for future LSB use
+ # * 100-149 reserved for distribution use
+ # * 150-199 reserved for application use
+ # * 200-254 reserved
+ #
+
+ error_rv=0
+ rv=0
+
+ if [ -n "${PKI_REGISTRY_ENTRIES}" ]; then
+ errors=0
+
+ if [ ${TOTAL_PKI_REGISTRY_ENTRIES} -gt 1 ] ; then
+ echo "BEGIN SHUTTING DOWN '${PKI_TYPE}' INSTANCE(S):"
+ fi
+
+ # Shutdown every PKI instance of this type that is running
+ for PKI_REGISTRY_ENTRY in ${PKI_REGISTRY_ENTRIES}; do
+ # Source values associated with this particular PKI instance
+ [ -f ${PKI_REGISTRY_ENTRY} ] &&
+ . ${PKI_REGISTRY_ENTRY}
+
+ pidfile=${PKI_PIDDIR}/${PKI_PIDFILE}
+
+ [ ${TOTAL_PKI_REGISTRY_ENTRIES} -gt 1 ] && echo
+
+ stop_instance
+
+ rv=$?
+ if [ ${rv} != 0 ] ; then
+ errors=`expr $errors + 1`
+ error_rv=${rv}
+ fi
+ done
+
+ if [ ${errors} -eq 0 ] ; then
+ rm -f ${lockfile}
+ fi
+
+ # ONLY print a "WARNING" message if multiple
+ # instances are being examined
+ if [ ${TOTAL_PKI_REGISTRY_ENTRIES} -gt 1 ] ; then
+ if [ ${errors} -eq 1 ]; then
+ # Since only ONE error exists, return that "bad" error code.
+ rv=${error_rv}
+ elif [ ${errors} -gt 1 ]; then
+ # Since MORE than ONE error exists, return an OVERALL status
+ # of "1 generic or unspecified error (current practice)"
+ rv=1
+ fi
+
+ if [ ${errors} -ge 1 ]; then
+ echo
+ echo -n "WARNING: "
+ echo -n "${errors} of ${TOTAL_PKI_REGISTRY_ENTRIES} "
+ echo -n "'${PKI_TYPE}' instances were "
+ echo -n "unsuccessfully stopped!"
+ echo
+ fi
+
+ echo
+ echo "FINISHED SHUTTING DOWN '${PKI_TYPE}' INSTANCE(S)."
+ fi
+ else
+ echo
+ echo "ERROR: No '${PKI_TYPE}' instances installed!"
+ rv=5
+ fi
+
+ return ${rv}
+}
+
+restart()
+{
+ # From "http://fedoraproject.org/wiki/FCNewInit/Initscripts":
+ #
+ # * 0 action was successful
+ # * 1 generic or unspecified error (current practice)
+ # * 2 invalid or excess argument(s)
+ # * 3 unimplemented feature (for example, "reload")
+ # * 4 user had insufficient privilege
+ # * 5 program is not installed
+ # * 6 program is not configured
+ # * 7 program is not running
+ # * 8-99 reserved for future LSB use
+ # * 100-149 reserved for distribution use
+ # * 150-199 reserved for application use
+ # * 200-254 reserved
+ #
+
+ stop
+ sleep 2
+ echo
+ echo "============================================================"
+ echo
+ start
+
+ return $?
+}
+
+reload()
+{
+ # From "http://fedoraproject.org/wiki/FCNewInit/Initscripts":
+ #
+ # * 0 action was successful
+ # * 1 generic or unspecified error (current practice)
+ # * 2 invalid or excess argument(s)
+ # * 3 unimplemented feature (for example, "reload")
+ # * 4 user had insufficient privilege
+ # * 5 program is not installed
+ # * 6 program is not configured
+ # * 7 program is not running
+ # * 8-99 reserved for future LSB use
+ # * 100-149 reserved for distribution use
+ # * 150-199 reserved for application use
+ # * 200-254 reserved
+ #
+
+ error_rv=0
+ rv=0
+
+ if [ -n "${PKI_REGISTRY_ENTRIES}" ]; then
+ errors=0
+
+ if [ ${TOTAL_PKI_REGISTRY_ENTRIES} -gt 1 ] ; then
+ echo "BEGIN RELOADING '${PKI_TYPE}' INSTANCE(S):"
+ fi
+
+ # Reload every PKI instance of this type that is running
+ for PKI_REGISTRY_ENTRY in ${PKI_REGISTRY_ENTRIES}; do
+ # Source values associated with this particular PKI instance
+ [ -f ${PKI_REGISTRY_ENTRY} ] &&
+ . ${PKI_REGISTRY_ENTRY}
+
+ pidfile=${PKI_PIDDIR}/${PKI_PIDFILE}
+
+ [ ${TOTAL_PKI_REGISTRY_ENTRIES} -gt 1 ] && echo
+
+ reload_instance
+
+ rv=$?
+ if [ ${rv} != 0 ] ; then
+ errors=`expr $errors + 1`
+ error_rv=${rv}
+ fi
+ done
+
+ # ONLY print a "WARNING" message if multiple
+ # instances are being examined
+ if [ ${TOTAL_PKI_REGISTRY_ENTRIES} -gt 1 ] ; then
+ if [ ${errors} -eq 1 ]; then
+ # Since only ONE error exists, return that "bad" error code.
+ rv=${error_rv}
+ elif [ ${errors} -gt 1 ]; then
+ # Since MORE than ONE error exists, return an OVERALL status
+ # of "1 generic or unspecified error (current practice)"
+ rv=1
+ fi
+
+ if [ ${errors} -ge 1 ]; then
+ echo
+ echo -n "WARNING: "
+ echo -n "${errors} of ${TOTAL_PKI_REGISTRY_ENTRIES} "
+ echo -n "'${PKI_TYPE}' instances were "
+ echo -n "unsuccessfully reloaded!"
+ echo
+ fi
+
+ echo
+ echo "FINISHED RELOADING '${PKI_TYPE}' INSTANCE(S)."
+ fi
+ else
+ echo
+ echo "ERROR: No '${PKI_TYPE}' instances reloaded!"
+ rv=5
+ fi
+
+ return ${rv}
+}
+
+status()
+{
+ # From "http://fedoraproject.org/wiki/FCNewInit/Initscripts":
+ #
+ # * 0 program is running or service is OK
+ # * 1 program is dead and /var/run pid file exists
+ # * 2 program is dead and /var/lock lock file exists
+ # * 3 program is not running
+ # * 4 program or service status is unknown
+ # * 5-99 reserved for future LSB use
+ # * 100-149 reserved for distribution use
+ # * 150-199 reserved for application use
+ # * 200-254 reserved
+ #
+
+ error_rv=0
+ rv=0
+
+ if [ -n "${PKI_REGISTRY_ENTRIES}" ]; then
+ errors=0
+
+ if [ ${TOTAL_PKI_REGISTRY_ENTRIES} -gt 1 ] ; then
+ echo "REPORT STATUS OF '${PKI_TYPE}' INSTANCE(S):"
+ fi
+
+ # Obtain status of every PKI instance of this type
+ for PKI_REGISTRY_ENTRY in ${PKI_REGISTRY_ENTRIES}; do
+ # Source values associated with this particular PKI instance
+ [ -f ${PKI_REGISTRY_ENTRY} ] &&
+ . ${PKI_REGISTRY_ENTRY}
+
+ pidfile=${PKI_PIDDIR}/${PKI_PIDFILE}
+
+ [ ${TOTAL_PKI_REGISTRY_ENTRIES} -gt 1 ] && echo
+
+ display_instance_status
+
+ rv=$?
+ if [ ${rv} -ne 0 ] ; then
+ errors=`expr $errors + 1`
+ error_rv=${rv}
+ fi
+ done
+
+ # ONLY print a "WARNING" message if multiple
+ # instances are being examined
+ if [ ${TOTAL_PKI_REGISTRY_ENTRIES} -gt 1 ] ; then
+ if [ ${errors} -eq 1 ]; then
+ # Since only ONE error exists, return that "bad" error code.
+ rv=${error_rv}
+ elif [ ${errors} -gt 1 ]; then
+ # Since MORE than ONE error exists, return an OVERALL status
+ # of "4 - program or service status is unknown"
+ rv=4
+ fi
+
+ if [ ${errors} -ge 1 ]; then
+ echo
+ echo -n "WARNING: "
+ echo -n "${errors} of ${TOTAL_PKI_REGISTRY_ENTRIES} "
+ echo -n "'${PKI_TYPE}' instances reported status failures!"
+ echo
+ fi
+
+ if [ ${TOTAL_UNCONFIGURED_PKI_ENTRIES} -ge 1 ]; then
+ echo
+ echo -n "WARNING: "
+ echo -n "${TOTAL_UNCONFIGURED_PKI_ENTRIES} "
+ echo -n "of ${TOTAL_PKI_REGISTRY_ENTRIES} "
+ echo -n "'${PKI_TYPE}' instances MUST be configured!"
+ echo
+ fi
+
+ echo
+ echo "FINISHED REPORTING STATUS OF '${PKI_TYPE}' INSTANCE(S)."
+ fi
+ else
+ echo
+ echo "ERROR: No '${PKI_TYPE}' instances installed!"
+ rv=4
+ fi
+
+ return ${rv}
+}
+
+# See how we were called.
+case "${command}" in
+ start|stop|restart|reload|status)
+ ${command}
+ exit $?
+ ;;
+ condrestart|force-restart|try-restart)
+ [ ! -f ${lockfile} ] || restart
+ exit $?
+ ;;
+ *)
+ # * 3 unimplemented feature (for example, "reload")
+ # [invalid command - should never be reached]
+ echo
+ usage
+ echo "where valid instance names include:"
+ list_instances
+ exit 3
+ ;;
+esac
+
diff --git a/pki/base/tps/setup/postinstall b/pki/base/tps/setup/postinstall
deleted file mode 100755
index 4bab87edd..000000000
--- a/pki/base/tps/setup/postinstall
+++ /dev/null
@@ -1,68 +0,0 @@
-#!/bin/bash
-#
-# --- BEGIN COPYRIGHT BLOCK ---
-# This library is free software; you can redistribute it and/or
-# modify it under the terms of the GNU Lesser General Public
-# License as published by the Free Software Foundation;
-# version 2.1 of the License.
-#
-# This library is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
-# Lesser General Public License for more details.
-#
-# You should have received a copy of the GNU Lesser General Public
-# License along with this library; if not, write to the Free Software
-# Foundation, Inc., 51 Franklin Street, Fifth Floor,
-# Boston, MA 02110-1301 USA
-#
-# Copyright (C) 2007 Red Hat, Inc.
-# All rights reserved.
-# --- END COPYRIGHT BLOCK ---
-#
-
-###############################################################################
-## (1) Check command line arguments to see how many were passed in. ##
-###############################################################################
-
-if [ $# -eq 4 ]
-then
- PKI_PRODUCT_NAME=$1
- PKI_SUBSYSTEM_NAME=$2
- VERSION=$3
- RELEASE=$4
-else
- echo
- echo "Usage: $0 PKI_product_name PKI_subsystem_name version release"
- echo
-
- exit 255
-fi
-
-
-###############################################################################
-## (2) Specify variables used by this script. ##
-###############################################################################
-
-PKI_INSTANCE_NAME="${PKI_PRODUCT_NAME}-${PKI_SUBSYSTEM_NAME}"
-SECURE_PORT=7889
-NON_CLIENTAUTH_SECURE_PORT=7890
-UNSECURE_PORT=7888
-
-
-###############################################################################
-## (3) Create the first instance of a Token Processing System (TPS). ##
-###############################################################################
-
-if [ ! -e "/var/lib/${PKI_INSTANCE_NAME}" ]
-then
- /usr/bin/pkicreate -pki_instance_root=/var/lib -pki_instance_name=${PKI_INSTANCE_NAME} -subsystem_type=${PKI_SUBSYSTEM_NAME} -secure_port=${SECURE_PORT} -non_clientauth_secure_port=${NON_CLIENTAUTH_SECURE_PORT} -unsecure_port=${UNSECURE_PORT} -redirect conf=/etc/${PKI_INSTANCE_NAME} -redirect logs=/var/log/${PKI_INSTANCE_NAME}
-fi
-
-
-###############################################################################
-## (4) Successfully exit from this postinstallation script. ##
-###############################################################################
-
-exit 0
-
diff --git a/pki/base/tps/setup_package b/pki/base/tps/setup_package
index ea8728760..32ff70985 100755
--- a/pki/base/tps/setup_package
+++ b/pki/base/tps/setup_package
@@ -152,7 +152,7 @@ SYSTEM_LIBRARIES=${PKI_BUILD_PREFIX}/usr/${LIB_DIR}
 if [ "${USE_OPT_FORTITUDE}" = "TRUE" ] ; then
 APACHE_MODULES=${PKI_BUILD_PREFIX}/opt/fortitude/modules.local
 else
- APACHE_MODULES=${PKI_BUILD_PREFIX}/etc/httpd/modules
+ APACHE_MODULES=${PKI_BUILD_PREFIX}/usr/${LIB_DIR}/httpd/modules
 fi
 # comply with standard JPackage 1.6.0 jar locations |