authormharmsen <mharmsen@c9f7a03b-bd48-0410-a16d-cbbf54688b0b>2010-01-21 23:17:26 +0000
committermharmsen <mharmsen@c9f7a03b-bd48-0410-a16d-cbbf54688b0b>2010-01-21 23:17:26 +0000
commit67ee705eafd9fb655f61732ba3c8ec2c869a409e (patch)
treed711e76cbd24198cb1247c2c72bbe72e7f40cb4d /pki/base
parent77677d528c57e0648ee149176fa87447c25292b0 (diff)
Bugzilla Bug #512234 - Move pkiuser:pkiuser check from spec file into pkicreate . . .
Bugzilla Bug #547471 - Apply PKI SELinux changes to PKI registry model Bugzilla Bug #553076 - Apply "registry" logic to pki-ra . . . Bugzilla Bug #553078 - Apply "registry" logic to pki-tps . . . git-svn-id: svn+ssh://svn.fedorahosted.org/svn/pki/trunk@933 c9f7a03b-bd48-0410-a16d-cbbf54688b0b
Diffstat (limited to 'pki/base')
-rw-r--r--pki/base/ra/apache/conf/httpd.conf2
-rw-r--r--pki/base/ra/build.xml16
-rwxr-xr-xpki/base/ra/etc/init.d/httpd758
-rwxr-xr-xpki/base/ra/etc/init.d/pki-rad1415
-rwxr-xr-xpki/base/ra/setup/postinstall66
-rw-r--r--pki/base/selinux/src/pki.fc13
-rw-r--r--pki/base/selinux/src/pki.if34
-rw-r--r--pki/base/selinux/src/pki.te2
-rwxr-xr-xpki/base/setup/pkicommon168
-rwxr-xr-xpki/base/setup/pkicreate524
-rw-r--r--pki/base/tps/Makefile.am10
-rw-r--r--pki/base/tps/Makefile.in74
-rw-r--r--pki/base/tps/apache/conf/httpd.conf2
-rw-r--r--pki/base/tps/build.xml34
-rwxr-xr-xpki/base/tps/configure75
-rw-r--r--pki/base/tps/configure.ac30
-rwxr-xr-xpki/base/tps/etc/init.d/httpd780
-rwxr-xr-xpki/base/tps/etc/init.d/pki-tpsd1439
-rwxr-xr-xpki/base/tps/setup/postinstall68
-rwxr-xr-xpki/base/tps/setup_package2
20 files changed, 3470 insertions, 2042 deletions
diff --git a/pki/base/ra/apache/conf/httpd.conf b/pki/base/ra/apache/conf/httpd.conf
index 4e6d2151f..1312f0822 100644
--- a/pki/base/ra/apache/conf/httpd.conf
+++ b/pki/base/ra/apache/conf/httpd.conf
@@ -78,7 +78,7 @@ ServerRoot "[SERVER_ROOT]"
# identification number when it starts.
#
<IfModule !mpm_netware.c>
-PidFile logs/[INSTANCE_ID].pid
+PidFile run/[INSTANCE_ID].pid
</IfModule>
#
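Review bot: The new `PidFile run/[INSTANCE_ID].pid` is resolved relative to `ServerRoot`, whereas the pki-rad init script added in this same commit reads pid files from `/var/run/pki/ra` (its `piddir:` header and `PKI_PIDDIR`). Unless the instance layout created by pkicreate links `[SERVER_ROOT]/run` to that directory, `status` and `stop` will look for a pid file httpd never writes, and the lock/pid cleanup will be skipped. If the link is intended, state the dependency next to the directive, e.g. `# 'run' must resolve to /var/run/pki/ra, the piddir used by the pki-rad init script`, so the two paths are not changed independently later.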
diff --git a/pki/base/ra/build.xml b/pki/base/ra/build.xml
index 499ce45af..3a303fecc 100644
--- a/pki/base/ra/build.xml
+++ b/pki/base/ra/build.xml
@@ -154,12 +154,16 @@
<include name="scripts/schema.sql"/>
<include name="setup/config.desktop"/>
</zipfileset>
+ <zipfileset dir="./etc/init.d"
+ filemode="755"
+ prefix="etc/${init.d}">
+ <include name="pki-rad"/>
+ </zipfileset>
<zipfileset dir="."
filemode="755"
prefix="usr/share/${product.prefix}/${product}">
- <include name="etc/**"/>
<include name="scripts/nss_pcache"/>
- <include name="setup/postinstall"/>
+ <exclude name="etc/init.d/pki-rad"/>
</zipfileset>
<zipfileset dir="./forms"
filemode="755"
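Review bot: With `<include name="etc/**"/>` removed from the `dir="."` zipfileset, the added `<exclude name="etc/init.d/pki-rad"/>` matches nothing unless another include in this fileset, outside the hunk, still pulls in `etc/`; if none does the exclude is dead and should be dropped, and if one does a short comment naming it would explain why the exclude is needed. The same applies to the tarfileset hunk at `@@ -202,12 +206,16 @@`. This hunk also drops `<include name="setup/postinstall"/>` from the 755 fileset with no replacement visible here; the diffstat shows `pki/base/ra/setup/postinstall` changed, so confirm it is still packaged with executable mode elsewhere in the build.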
@@ -202,12 +206,16 @@
<include name="scripts/schema.sql"/>
<include name="setup/config.desktop"/>
</tarfileset>
+ <tarfileset dir="./etc/init.d"
+ mode="755"
+ prefix="${dist.name}/etc/${init.d}">
+ <include name="pki-rad"/>
+ </tarfileset>
<tarfileset dir="."
mode="755"
prefix="${dist.name}/usr/share/${product.prefix}/${product}">
- <include name="etc/**"/>
<include name="scripts/nss_pcache"/>
- <include name="setup/postinstall"/>
+ <exclude name="etc/init.d/pki-rad"/>
</tarfileset>
<tarfileset dir="./forms"
mode="755"
diff --git a/pki/base/ra/etc/init.d/httpd b/pki/base/ra/etc/init.d/httpd
deleted file mode 100755
index 4f18cd136..000000000
--- a/pki/base/ra/etc/init.d/httpd
+++ /dev/null
@@ -1,758 +0,0 @@
-#!/bin/bash
-#
-# --- BEGIN COPYRIGHT BLOCK ---
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation; version 2 of the License.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License along
-# with this program; if not, write to the Free Software Foundation, Inc.,
-# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-#
-# Copyright (C) 2007 Red Hat, Inc.
-# All rights reserved.
-# --- END COPYRIGHT BLOCK ---
-#
-# [INSTANCE_ID] Startup script for the Apache HTTP Server
-#
-# chkconfig: - 86 14
-# description: Registration Authority \
-# (Apache 2.2)
-# processname: [INSTANCE_ID]
-# config: [HTTPD_CONF]
-# pidfile: [SERVER_ROOT]/logs/[INSTANCE_ID].pid
-
-# Disallow 'others' the ability to 'write' to new files
-umask 00002
-
-# Check to insure that this script's original invocation directory
-# has not been deleted!
-CWD=`/bin/pwd > /dev/null 2>&1`
-if [ $? -ne 0 ] ; then
- echo "Cannot invoke '$0' from non-existent directory!"
- exit 255
-fi
-
-# Check to insure that this script's associated PKI
-# subsystem currently resides on this system.
-SUBSYSTEM_TYPE=[SUBSYSTEM_TYPE]
-if [ ! -d /usr/share/pki/${SUBSYSTEM_TYPE} ] ; then
- echo "This machine is missing the '${SUBSYSTEM_TYPE}' subsystem!"
- exit 255
-fi
-
-# Obtain the operating system upon which this script is being executed
-OS=`uname -s`
-ARCHITECTURE=""
-
-# Time to wait in seconds, before killing process
-#
-# NOTE: Defined in "tomcat5.conf" for other PKI Subsystems.
-#
-STARTUP_WAIT=30
-SHUTDOWN_WAIT=30
-
-# This script must be run as root!
-RV=0
-if [ ${OS} = "Linux" ] ; then
- if [ `id -u` -ne 0 ] ; then
- echo "Must be 'root' to execute '$0'!"
- exit 1
- fi
- ARCHITECTURE=`uname -i`
-elif [ ${OS} = "SunOS" ] ; then
- if [ `/usr/xpg4/bin/id -u` -ne 0 ] ; then
- echo "Must be 'root' to execute '$0'!"
- exit 1
- fi
- ARCHITECTURE=`uname -p`
- if [ "${ARCHITECTURE}" = "sparc" ] &&
- [ -d "/usr/lib/sparcv9/" ] ; then
- ARCHITECTURE="sparcv9"
- fi
-else
- echo "Unsupported OS '${OS}'!"
- exit 1
-fi
-
-# Initialize environment variables
-LD_LIBRARY_PATH=[SYSTEM_USER_LIBRARIES]:[SYSTEM_LIBRARIES]:${LD_LIBRARY_PATH}
-LD_LIBRARY_PATH=[SECURITY_LIBRARIES]:${LD_LIBRARY_PATH}
-export LD_LIBRARY_PATH
-
-# Source function library.
-if [ -f /etc/init.d/functions ]; then
- . /etc/init.d/functions
-else
- # The checkpid() function is provided for platforms that do not
- # contain the "/etc/init.d/functions" file (e. g. - Solaris) . . .
-
- # Check if ${pid} (could be plural) are running (keep count)
- checkpid()
- {
- rv=0
- for i in $* ; do
- ps -p $i > /dev/null 2>&1 ;
- if [ $? -ne 0 ] ; then
- rv=`expr $rv + 1`
- else
- rv=`expr $rv + 0`
- fi
- done
- # echo "rv=$rv"
- return $rv
- }
-
- # Create the following directories on platforms
- # where they do not exist (e. g. - Solaris) . . .
- if [ ! -d /var/lock/subsys ] ; then
- mkdir -p /var/lock/subsys
- fi
-fi
-
-########################################################################
-# This section contains modified content of "/etc/sysconfig/httpd" #
-########################################################################
-# Configuration file for the [INSTANCE_ID] service.
-
-#
-# The default processing model (MPM) is the process-based
-# 'prefork' model. A thread-based model, 'worker', is also
-# available, but does not work with some modules (such as PHP).
-# The service must be stopped before changing this variable.
-#
-HTTPD=[FORTITUDE_DIR]/sbin/httpd.worker
-
-#
-# To pass additional options (for instance, -D definitions) to the
-# httpd binary at startup, set OPTIONS here.
-#
-OPTIONS="-f [HTTPD_CONF]"
-
-#
-# By default, the httpd process is started in the C locale; to
-# change the locale in which the server runs, the HTTPD_LANG
-# variable can be set.
-#
-HTTPD_LANG=C
-########################################################################
-# #
-########################################################################
-
-# This will prevent initlog from swallowing up a pass-phrase prompt if
-# mod_ssl needs a pass-phrase from the user.
-INITLOG_ARGS=""
-
-# Set HTTPD=/usr/sbin/httpd.worker in /etc/sysconfig/httpd to use a server
-# with the thread-based "worker" MPM; BE WARNED that some modules may not
-# work correctly with a thread-based MPM; notably PHP will refuse to start.
-
-# Path to the server binary and short-form for messages.
-httpd=${HTTPD:-[FORTITUDE_DIR]/sbin/httpd}
-prog=[INSTANCE_ID]
-pki_instance_configuration_file=[SERVER_ROOT]/conf/CS.cfg
-pidfile=${PIDFILE:-[SERVER_ROOT]/logs/[INSTANCE_ID].pid}
-lockfile=${LOCKFILE:-/var/lock/subsys/[INSTANCE_ID]}
-RESTART_SERVER=[SERVER_ROOT]/conf/restart_server_after_configuration
-RETVAL=0
-
-# see if httpd is linked with the openldap libraries - we need to override them
-if [ ${OS} = "Linux" ]; then
- hasopenldap=0
-
- /usr/bin/ldd $httpd 2>&1 | grep libldap- > /dev/null 2>&1 && hasopenldap=1
-
- if [ $hasopenldap -eq 1 ] ; then
- LD_PRELOAD="[SYSTEM_USER_LIBRARIES]/libldap60.so"
- LD_PRELOAD="[SYSTEM_USER_LIBRARIES]/libssl3.so:${LD_PRELOAD}"
- export LD_PRELOAD
- fi
-elif [ ${OS} = "SunOS" ] ; then
- LD_PRELOAD_64="[SYSTEM_USER_LIBRARIES]/libldap60.so"
- LD_PRELOAD_64="[SYSTEM_USER_LIBRARIES]/dirsec/libssl3.so:${LD_PRELOAD_64}"
- export LD_PRELOAD_64
-fi
-
-check_pki_configuration_status()
-{
- rv=0
-
- rv=`grep -c ^preop ${pki_instance_configuration_file}`
-
- rv=`expr ${rv} + 0`
-
- if [ ${rv} -ne 0 ] ; then
- echo " '[INSTANCE_ID]' must still be CONFIGURED!"
- echo " (see /var/log/[INSTANCE_ID]-install.log)"
- elif [ -f ${RESTART_SERVER} ] ; then
- echo " Although '[INSTANCE_ID]' has been CONFIGURED, it must still be RESTARTED!"
- rv=255
- fi
-
- return ${rv}
-}
-
-get_pki_status_definitions()
-{
- # establish well-known strings
- listen_statement="Listen"
- total_ports=0
- UNSECURE_PORT=""
- CLIENTAUTH_PORT=""
- NON_CLIENTAUTH_PORT=""
-
- # check to see that an instance-specific "httpd.conf" file exists
- if [ ! -f [HTTPD_CONF] ] ; then
- echo "File '[HTTPD_CONF]' does not exist!"
- exit 255
- fi
-
- # check to see that an instance-specific "nss.conf" file exists
- if [ ! -f [NSS_CONF] ] ; then
- echo "File '[NSS_CONF]' does not exist!"
- exit 255
- fi
-
- # read this instance-specific "httpd.conf" file line-by-line
- # to obtain the current value of the PKI unsecure port
-
- exec < [HTTPD_CONF]
- while read line; do
- # look for the listen statement
- head=`echo $line | cut -b1-6`
- if [ "$head" == "$listen_statement" ] ; then
- # once the 'unsecure' listen statement has been found,
- # extract the numeric port information
- port=`echo $line | cut -b8-`
- UNSECURE_PORT=$port
- echo " Unsecure Port = http://[SERVER_NAME]:${UNSECURE_PORT}"
- total_ports=`expr ${total_ports} + 1`
- break;
- fi
- done
-
- # read this instance-specific "nss.conf" file line-by-line
- # to obtain the current value of the "clientauth" PKI secure port
- # AND the current value of the "non-clientauth" PKI secure port
-
- exec < [NSS_CONF]
- while read line; do
- # look for the listen statement
- head=`echo $line | cut -b1-6`
- if [ "$head" == "$listen_statement" ] &&
- [ ${total_ports} -eq 2 ] ; then
- # once the 'non-clientauth' listen statement has been found,
- # extract the numeric port information
- non_clientauth_port=`echo $line | cut -b8-`
- NON_CLIENTAUTH_PORT=$non_clientauth_port
- echo " Secure Non-Clientauth Port = https://[SERVER_NAME]:${NON_CLIENTAUTH_PORT}"
- total_ports=`expr ${total_ports} + 1`
- break
- fi
- if [ "$head" == "$listen_statement" ] &&
- [ ${total_ports} -eq 1 ] ; then
- # once the 'clientauth' listen statement has been found,
- # extract the numeric port information
- clientauth_port=`echo $line | cut -b8-`
- CLIENTAUTH_PORT=$clientauth_port
- echo " Secure Clientauth Port = https://[SERVER_NAME]:${CLIENTAUTH_PORT}"
- total_ports=`expr ${total_ports} + 1`
- fi
- done
-
- if [ ${total_ports} -eq 3 ] ; then
- return 0
- else
- return 255
- fi
-}
-
-get_pki_configuration_definitions()
-{
- # Obtain the PKI Subsystem Type
- line=`grep ^cs.type= ${pki_instance_configuration_file}`
- pki_subsystem=`echo "${line}" | cut -b9-`
- if [ "${line}" != "" ] ; then
- if [ "${pki_subsystem}" != "CA" ] &&
- [ "${pki_subsystem}" != "KRA" ] &&
- [ "${pki_subsystem}" != "OCSP" ] &&
- [ "${pki_subsystem}" != "TKS" ] &&
- [ "${pki_subsystem}" != "RA" ] &&
- [ "${pki_subsystem}" != "TPS" ]
- then
- return 255
- fi
- if [ "${pki_subsystem}" == "KRA" ] ; then
- # Rename "KRA" to "DRM"
- pki_subsystem="DRM"
- fi
- else
- return 255
- fi
-
- # If "${pki_subsystem}" is a CA, DRM, OCSP, or TKS,
- # check to see if "${pki_subsystem}" is a "Clone"
- pki_clone=""
- if [ "${pki_subsystem}" == "CA" ] ||
- [ "${pki_subsystem}" == "DRM" ] ||
- [ "${pki_subsystem}" == "OCSP" ] ||
- [ "${pki_subsystem}" == "TKS" ]
- then
- line=`grep ^subsystem.select= ${pki_instance_configuration_file}`
- if [ "${line}" != "" ] ; then
- pki_clone=`echo "${line}" | cut -b18-`
- if [ "${pki_clone}" != "Clone" ] ; then
- # Reset "${pki_clone}" to be empty
- pki_clone=""
- fi
- else
- return 255
- fi
- fi
-
- # If "${pki_subsystem}" is a CA, and is NOT a "Clone", check to
- # see "${pki_subsystem}" is a "Root" or a "Subordinate" CA
- pki_hierarchy=""
- if [ "${pki_subsystem}" == "CA" ] &&
- [ "${pki_clone}" != "Clone" ]
- then
- line=`grep ^hierarchy.select= ${pki_instance_configuration_file}`
- if [ "${line}" != "" ] ; then
- pki_hierarchy=`echo "${line}" | cut -b18-`
- else
- return 255
- fi
- fi
-
- # If ${pki_subsystem} is a CA, check to
- # see if it is also a Security Domain
- pki_security_domain=""
- if [ "${pki_subsystem}" == "CA" ] ; then
- line=`grep ^securitydomain.select= ${pki_instance_configuration_file}`
- if [ "${line}" != "" ] ; then
- pki_security_domain=`echo "${line}" | cut -b23-`
- if [ "${pki_security_domain}" == "new" ] ; then
- # Set a fixed value for "${pki_security_domain}"
- pki_security_domain="(Security Domain)"
- else
- # Reset "${pki_security_domain}" to be empty
- pki_security_domain=""
- fi
- else
- return 255
- fi
- fi
-
- # Always obtain this PKI instance's "registered"
- # security domain information
- pki_security_domain_name=""
- pki_security_domain_hostname=""
- pki_security_domain_https_admin_port=""
-
- line=`grep ^securitydomain.name= ${pki_instance_configuration_file}`
- if [ "${line}" != "" ] ; then
- pki_security_domain_name=`echo "${line}" | cut -b21-`
- else
- return 255
- fi
-
- line=`grep ^securitydomain.host= ${pki_instance_configuration_file}`
- if [ "${line}" != "" ] ; then
- pki_security_domain_hostname=`echo "${line}" | cut -b21-`
- else
- return 255
- fi
-
- line=`grep ^securitydomain.httpsadminport= ${pki_instance_configuration_file}`
- if [ "${line}" != "" ] ; then
- pki_security_domain_https_admin_port=`echo "${line}" | cut -b31-`
- else
- return 255
- fi
-
- # Compose the "PKI Instance Name" Status Line
- pki_instance_name="PKI Instance Name: [INSTANCE_ID]"
-
- # Compose the "PKI Subsystem Type" Status Line
- header="PKI Subsystem Type: "
- if [ "${pki_clone}" != "" ] ; then
- if [ "${pki_security_domain}" != "" ]; then
- # Possible Values:
- #
- # "CA Clone (Security Domain)"
- #
- data="${pki_subsystem} ${pki_clone} ${pki_security_domain}"
- else
- # Possible Values:
- #
- # "CA Clone"
- # "DRM Clone"
- # "OCSP Clone"
- # "TKS Clone"
- #
- data="${pki_subsystem} ${pki_clone}"
- fi
- elif [ "${pki_hierarchy}" != "" ] ; then
- if [ "${pki_security_domain}" != "" ]; then
- # Possible Values:
- #
- # "Root CA (Security Domain)"
- # "Subordinate CA (Security Domain)"
- #
- data="${pki_hierarchy} ${pki_subsystem} ${pki_security_domain}"
- else
- # Possible Values:
- #
- # "Root CA"
- # "Subordinate CA"
- #
- data="${pki_hierarchy} ${pki_subsystem}"
- fi
- else
- # Possible Values:
- #
- # "DRM"
- # "OCSP"
- # "RA"
- # "TKS"
- # "TPS"
- #
- data="${pki_subsystem}"
- fi
- pki_subsystem_type="${header} ${data}"
-
- # Compose the "Registered PKI Security Domain Information" Status Line
- header="Name: "
- registered_pki_security_domain_name="${header} ${pki_security_domain_name}"
-
- header="URL: "
- if [ "${pki_security_domain_hostname}" != "" ] &&
- [ "${pki_security_domain_https_admin_port}" != "" ]
- then
- data="https://${pki_security_domain_hostname}:${pki_security_domain_https_admin_port}"
- else
- return 255
- fi
- registered_pki_security_domain_url="${header} ${data}"
-
- # Print the "PKI Subsystem Type" Status Line
- echo
- echo " ${pki_instance_name}"
-
- # Print the "PKI Subsystem Type" Status Line
- echo
- echo " ${pki_subsystem_type}"
-
- # Print the "Registered PKI Security Domain Information" Status Line
- echo
- echo " Registered PKI Security Domain Information:"
- echo " =========================================================================="
- echo " ${registered_pki_security_domain_name}"
- echo " ${registered_pki_security_domain_url}"
- echo " =========================================================================="
-
- return 0
-}
-
-get_pki_secure_port()
-{
- # establish well-known strings
- listen_statement="Listen"
-
- # first check to see that an instance-specific "nss.conf" file exists
- if [ ! -f [NSS_CONF] ] ; then
- echo "File '[NSS_CONF]' does not exist!"
- exit 255
- fi
-
- # read this instance-specific "nss.conf" file line-by-line
- # to obtain the current value of the "clientauth" PKI secure port
-
- exec < [NSS_CONF]
- while read line; do
- # look for the listen statement
- head=`echo $line | cut -b1-6`
- if [ "$head" == "$listen_statement" ] ; then
- # once the 'clientauth' listen statement has been found,
- # extract the numeric port information
- port=`echo $line | cut -b8-`
- SECURE_PORT=$port
- return 0
- fi
- done
-
- return 255
-}
-
-# The semantics of these two functions differ from the way apachectl does
-# things -- attempting to start while running is a failure, and shutdown
-# when not running is also a failure. So we just do it the way init scripts
-# are expected to behave here.
-start()
-{
- echo -n $"Starting $prog: "
-
- if [ -f ${RESTART_SERVER} ] ; then
- rm -f ${RESTART_SERVER}
- fi
-
- if [ -f ${lockfile} ] ; then
- if [ -f ${pidfile} ]; then
- read kpid < ${pidfile}
- if checkpid $kpid 2>&1; then
- echo
- echo "process already running"
- return 255
- else
- echo
- echo -n "lock file found but no process "
- echo -n "running for pid $kpid, continuing"
- echo
- echo
- fi
- fi
- fi
-
- # restore context for ncipher hsm
- [ -x /sbin/restorecon ] && [ -d /dev/nfast ] && /sbin/restorecon -R /dev/nfast
-
-
- if [ -f /etc/init.d/functions ]; then
- /usr/sbin/selinuxenabled
- RETVAL=$?
- if [ $RETVAL = 0 ] ; then
- if [ ${ARCHITECTURE} = "i386" ] ; then
- LANG=$HTTPD_LANG daemon runcon -t pki_ra_t -- $httpd $OPTIONS
- # overwrite output from "daemon"
- echo -n $"Starting $prog: "
- elif [ ${ARCHITECTURE} = "x86_64" ] ; then
- # NOTE: "daemon" is incompatible with "httpd"
- # on 64-bit architectures
- LANG=$HTTPD_LANG runcon -t pki_ra_t -- $httpd $OPTIONS
- fi
- else
- LANG=$HTTPD_LANG daemon $httpd $OPTIONS
- # overwrite output from "daemon"
- echo -n $"Starting $prog: "
- fi
- else
- LANG=$HTTPD_LANG $httpd $OPTIONS -k start
- fi
-
- RETVAL=$?
- [ $RETVAL = 0 ] && touch ${lockfile}
-
- if [ $RETVAL = 0 ] ; then
- count=0;
-
- let swait=$STARTUP_WAIT
- until [ -s ${pidfile} ] ||
- [ $count -gt $swait ]
- do
- echo -n "."
- sleep 1
- let count=$count+1;
- done
-
- if [ -f /etc/init.d/functions ]; then
- echo_success
- echo
- else
- echo " [ OK ]"
- fi
-
- get_pki_secure_port
- if [ $? -ne 0 ] ; then
- SECURE_PORT="<Port Undefined>"
- fi
-
- # Set permissions of log files
- pki_logs_directory=`dirname ${pidfile}`
- for file in ${pki_logs_directory}/*; do
- if [ "${file}" != "${pidfile}" ]; then
- chmod 00660 ${file}
- chgrp [GROUPID] ${file}
- chown [USERID] ${file}
- fi
- done
- else
- if [ -f /etc/init.d/functions ]; then
- echo_failure
- echo
- else
- echo " [ FAILED ]"
- fi
- fi
-
- if [ ${OS} = "Linux" ] ; then
- sleep 10
- elif [ ${OS} = "SunOS" ] ; then
- sleep 20
- fi
- echo
- status
- return $RETVAL
-}
-
-stop()
-{
- echo -n "Stopping $prog: "
-
- if [ -f ${lockfile} ] ; then
- $httpd $OPTIONS -k stop
-
- RETVAL=$?
-
- if [ $RETVAL = 0 ]; then
- count=0;
-
- if [ -f ${pidfile} ]; then
- read kpid < ${pidfile}
- let kwait=$SHUTDOWN_WAIT
-
- until [ `ps -p $kpid | grep -c $kpid` = '0' ] ||
- [ $count -gt $kwait ]
- do
- echo -n "."
- sleep 1
- let count=$count+1;
- done
-
- if [ $count -gt $kwait ]; then
- kill -9 $kpid
- fi
- fi
-
- rm -f ${lockfile}
- rm -f ${pidfile}
-
- if [ -f /etc/init.d/functions ]; then
- echo_success
- echo
- else
- echo " [ OK ]"
- fi
- else
- if [ -f /etc/init.d/functions ]; then
- echo_failure
- echo
- else
- echo " [ FAILED ]"
- fi
- fi
- else
- echo
- echo "process already stopped"
- fi
-}
-
-reload()
-{
- echo -n $"Reloading $prog: "
-
- if ! LANG=$HTTPD_LANG $httpd $OPTIONS -t >&/dev/null; then
- RETVAL=$?
- echo $"not reloading due to configuration syntax error"
- if [ -f /etc/init.d/functions ]; then
- failure $"not reloading $httpd due to configuration syntax error"
- else
- echo $"not reloading $httpd due to configuration syntax error"
- fi
- else
- if [ -f /etc/init.d/functions ]; then
- killproc $httpd -HUP
- # overwrite output from "killproc"
- echo -n $"Stopping $prog: "
- else
- if [ -f ${lockfile} ] ; then
- if [ -f ${pidfile} ]; then
- read kpid < ${pidfile}
- if checkpid $kpid 2>&1; then
- kill -HUP $kpid
- fi
- else
- echo
- echo -n "lock file found but no process "
- echo -n "running for pid $kpid, continuing"
- echo
- echo
- fi
- fi
- fi
- fi
- echo
-}
-
-status()
-{
- if [ -f ${pidfile} ] ; then
- pid=`cat ${pidfile}`
- if [ "${pid}" == "" ] ; then
- echo "[INSTANCE_ID] pid file exists but is empty"
- elif kill -0 ${pid} > /dev/null 2>&1 ; then
- echo "[INSTANCE_ID] (pid ${pid}) is running ..."
- echo
- check_pki_configuration_status
- if [ $? -eq 0 ] ; then
- get_pki_status_definitions
- if [ $? -ne 0 ] ; then
- echo
- echo "[INSTANCE_ID] Status Definitions not found"
- fi
- get_pki_configuration_definitions
- if [ $? -ne 0 ] ; then
- echo
- echo "[INSTANCE_ID] Configuration Definitions not found"
- fi
- fi
- echo
- else
- echo "[INSTANCE_ID] is dead but pid file exists"
- fi
- else
- echo "[INSTANCE_ID] is stopped"
- fi
-}
-
-# See how we were called.
-case "$1" in
- start)
- start
- ;;
- stop)
- stop
- ;;
- restart)
- stop
- sleep 2
- start
- ;;
- condrestart)
- if [ -f ${pidfile} ] ; then
- stop
- sleep 2
- start
- else
- echo -n "Unable to restart process since "
- echo -n "'${pidfile}' does not exist!"
- echo
- fi
- ;;
- reload)
- reload
- ;;
- status)
- status
- ;;
- *)
- echo $"Usage: $prog {start|stop|restart|condrestart|reload|status}"
- exit 1
-esac
-
-exit $RETVAL
-
diff --git a/pki/base/ra/etc/init.d/pki-rad b/pki/base/ra/etc/init.d/pki-rad
new file mode 100755
index 000000000..3ca7d6669
--- /dev/null
+++ b/pki/base/ra/etc/init.d/pki-rad
@@ -0,0 +1,1415 @@
+#!/bin/bash
+#
+# --- BEGIN COPYRIGHT BLOCK ---
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; version 2 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License along
+# with this program; if not, write to the Free Software Foundation, Inc.,
+# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# Copyright (C) 2007 Red Hat, Inc.
+# All rights reserved.
+# --- END COPYRIGHT BLOCK ---
+#
+# pki-rad Startup script for the Apache HTTP pki-ra Server
+#
+# chkconfig: - 86 14
+# description: Registration Authority \
+# (Apache 2.2)
+# processname: pki-rad
+# piddir: /var/run/pki/ra
+# config: ${PKI_SERVER_ROOT}/conf/httpd.conf
+
+PKI_INIT_SCRIPT=""
+PKI_PATH="/usr/share/pki/ra"
+PKI_PIDDIR="/var/run/pki/ra"
+PKI_PROCESS="pki-rad"
+PKI_REGISTRY="/etc/sysconfig/pki/ra"
+PKI_SELINUX_TYPE="pki_ra_t"
+PKI_TYPE="pki-ra"
+
+# PKI subsystem-level directory and file values for locks
+lockfile="/var/lock/subsys/pki-rad"
+
+# Disallow 'others' the ability to 'write' to new files
+umask 00002
+
+default_error=0
+command="$1"
+pki_instance="$2"
+case "${command}" in
+ start|stop|restart|condrestart|force-restart|try-restart)
+ # * 1 generic or unspecified error (current practice)
+ default_error=1
+ ;;
+ reload)
+ default_error=3
+ ;;
+ status)
+ # * 4 program or service status is unknown
+ default_error=4
+ ;;
+ *)
+ # * 2 invalid argument(s)
+ default_error=2
+ ;;
+esac
+
+# Check to insure that this script's original invocation directory
+# has not been deleted!
+CWD=`/bin/pwd > /dev/null 2>&1`
+if [ $? -ne 0 ] ; then
+ echo "Cannot invoke '$0' from non-existent directory!"
+ exit ${default_error}
+fi
+
+# Check to insure that this script's associated PKI
+# subsystem currently resides on this system.
+if [ ! -d ${PKI_PATH} ] ; then
+ echo "This machine is missing the '${PKI_TYPE}' subsystem!"
+ if [ "${command}" != "status" ]; then
+ # * 5 program is not installed
+ exit 5
+ else
+ exit ${default_error}
+ fi
+fi
+
+# Check to insure that this script's associated PKI
+# subsystem instance registry currently resides on this system.
+if [ ! -d ${PKI_REGISTRY} ] ; then
+ echo "This machine contains no registered '${PKI_TYPE}' subsystem instances!"
+ if [ "${command}" != "status" ]; then
+ # * 5 program is not installed
+ exit 5
+ else
+ exit ${default_error}
+ fi
+fi
+
+# Obtain the operating system upon which this script is being executed
+# and initialize environment variables
+OS=`uname -s`
+ARCHITECTURE=""
+LD_LIBRARY_PATH=""
+
+# Time to wait in seconds, before killing process
+#
+# NOTE: Defined in "tomcat5.conf" for PKI Java/Tomcat Subsystems.
+#
+STARTUP_WAIT=30
+SHUTDOWN_WAIT=30
+
+# This script must be run as root!
+RV=0
+if [ ${OS} = "Linux" ] ; then
+ PKI_INIT_SCRIPT="/sbin/service ${PKI_PROCESS}"
+ if [ `id -u` -ne 0 ] ; then
+ echo "Must be 'root' to execute '$0'!"
+ if [ "${command}" != "status" ]; then
+ # * 4 user had insufficient privilege
+ exit 4
+ else
+ # * 4 program or service status is unknown
+ exit 4
+ fi
+ fi
+ ARCHITECTURE=`uname -i`
+ if [ ${ARCHITECTURE} = "i386" ] ; then
+ LD_LIBRARY_PATH="/usr/lib:/lib:${LD_LIBRARY_PATH}"
+ elif [ ${ARCHITECTURE} = "x86_64" ] ; then
+ LD_LIBRARY_PATH="/usr/lib64:/lib64:${LD_LIBRARY_PATH}"
+ else
+ echo "Unsupported architecture '${ARCHITECTURE}'!"
+ exit ${default_error}
+ fi
+elif [ ${OS} = "SunOS" ] ; then
+ PKI_INIT_SCRIPT="/etc/init.d/${PKI_PROCESS}"
+ if [ `/usr/xpg4/bin/id -u` -ne 0 ] ; then
+ echo "Must be 'root' to execute '$0'!"
+ if [ "${command}" != "status" ]; then
+ # * 4 user had insufficient privilege
+ exit 4
+ else
+ # * 4 program or service status is unknown
+ exit 4
+ fi
+ fi
+ ARCHITECTURE=`uname -p`
+ if [ "${ARCHITECTURE}" = "sparc" ] &&
+ [ -d "/usr/lib/sparcv9/" ] ; then
+ ARCHITECTURE="sparcv9"
+ fi
+ if [ ${ARCHITECTURE} = "sparcv9" ] ; then
+ LD_LIBRARY_PATH="/usr/lib/sparcv9:/lib/sparcv9:${LD_LIBRARY_PATH}"
+ LD_LIBRARY_PATH="/usr/lib/sparcv9/dirsec:${LD_LIBRARY_PATH}"
+ else
+ echo "Unsupported architecture '${ARCHITECTURE}'!"
+ exit ${default_error}
+ fi
+else
+ echo "Unsupported OS '${OS}'!"
+ exit ${default_error}
+fi
+export LD_LIBRARY_PATH
+
+# Source function library.
+if [ -f /etc/init.d/functions ]; then
+ . /etc/init.d/functions
+else
+ # The checkpid() function is provided for platforms that do not
+ # contain the "/etc/init.d/functions" file (e. g. - Solaris) . . .
+
+ # Check if ${pid} (could be plural) are running (keep count)
+ checkpid()
+ {
+ rv=0
+ for i in $* ; do
+ ps -p $i > /dev/null 2>&1 ;
+ if [ $? -ne 0 ] ; then
+ rv=`expr $rv + 1`
+ else
+ rv=`expr $rv + 0`
+ fi
+ done
+ # echo "rv=$rv"
+ return $rv
+ }
+
+ # Create the following directories on platforms
+ # where they do not exist (e. g. - Solaris) . . .
+ if [ ! -d "/var/lock" ] ; then
+ mkdir -p /var/lock
+ chown root:sys /var/lock
+ chmod 00755 /var/lock
+ fi
+ if [ ! -d "/var/lock/subsys" ] ; then
+ mkdir -p /var/lock/subsys
+ chown root:root /var/lock/subsys
+ chmod 00755 /var/lock/subsys
+ fi
+fi
+
+PKI_REGISTRY_ENTRIES=""
+TOTAL_PKI_REGISTRY_ENTRIES=0
+TOTAL_UNCONFIGURED_PKI_ENTRIES=0
+
+# Gather ALL registered instances of this PKI subsystem type
+for FILE in `/bin/ls -1 ${PKI_REGISTRY}/* 2>/dev/null`; do
+ if [ -f "$FILE" ] ; then
+ inst=`echo "$FILE"`
+ PKI_REGISTRY_ENTRIES="${PKI_REGISTRY_ENTRIES} $inst"
+ TOTAL_PKI_REGISTRY_ENTRIES=`expr ${TOTAL_PKI_REGISTRY_ENTRIES} + 1`
+ fi
+done
+
+if [ -n "${pki_instance}" ]; then
+ for I in ${PKI_REGISTRY_ENTRIES}; do
+ if [ "${PKI_REGISTRY}/${pki_instance}" = "$I" ]; then
+ PKI_REGISTRY_ENTRIES="${PKI_REGISTRY}/${pki_instance}"
+ TOTAL_PKI_REGISTRY_ENTRIES=1
+ break
+ fi
+ done
+fi
+
+usage()
+{
+ echo -n "Usage: ${PKI_INIT_SCRIPT} "
+ echo -n "{start"
+ echo -n "|stop"
+ echo -n "|restart"
+ echo -n "|condrestart"
+ echo -n "|force-restart"
+ echo -n "|try-restart"
+ echo -n "|reload"
+ echo -n "|status} "
+ echo -n "[instance-name]"
+ echo
+ echo
+}
+
+list_instances()
+{
+ echo
+ for FILE in `/bin/ls -1 ${PKI_REGISTRY}/* 2>/dev/null`; do
+ echo " ${FILE}"
+ done
+ echo
+}
+
+# Check arguments
+if [ $# -lt 1 ] ; then
+ # * 3 unimplemented feature (for example, "reload")
+ # [insufficient arguments]
+ echo "$0: Insufficient arguments!"
+ echo
+ usage
+ echo "where valid instance names include:"
+ list_instances
+ exit 3
+elif [ ${default_error} -eq 2 ] ; then
+ # * 2 invalid argument
+ echo "$0: Invalid arguments!"
+ echo
+ usage
+ echo "where valid instance names include:"
+ list_instances
+ exit 2
+elif [ $# -gt 2 ] ; then
+ echo "$0: Excess arguments!"
+ echo
+ usage
+ echo "where valid instance names include:"
+ list_instances
+ if [ "${command}" != "status" ]; then
+ # * 2 excess arguments
+ exit 2
+ else
+ # * 4 program or service status is unknown
+ exit 4
+ fi
+fi
+
+# If an "instance" was supplied, check that it is a "valid" instance
+if [ -n "${pki_instance}" ]; then
+ if [ "${PKI_REGISTRY}/${pki_instance}" != "${PKI_REGISTRY_ENTRIES}" ]; then
+ echo -n "${pki_instance} is an invalid '${PKI_TYPE}' instance"
+ echo_failure
+ echo
+ if [ "${command}" != "status" ]; then
+ # * 5 program is not installed
+ exit 5
+ else
+ # * 4 program or service status is unknown
+ exit 4
+ fi
+ fi
+fi
+
+# On Solaris /var/run is in tmpfs and gets wiped out upon reboot
+# we have to recreate the ${PKI_PIDDIR} directory and make sure that
+# the directory is writable by the ${PKI_TYPE} server process.
+#
+# IMPORTANT: ALL PKI subsystems installed on this machine MUST utilize
+# the SAME values for ${PKI_GROUP} and ${PKI_USER}, since the
+# "${PKI_PIDDIR}" will end up with the ownership permissions
+# of the first instance that executes this function!
+#
+fix_pid_dir_ownership()
+{
+ if [ ! -d ${PKI_PIDDIR} ] ; then
+ mkdir -p ${PKI_PIDDIR}
+
+ chown root:root /var/run/pki
+ chmod 00755 /var/run/pki
+
+ chown root:root ${PKI_PIDDIR}
+ chmod 00755 ${PKI_PIDDIR}
+ fi
+}
+
+check_pki_configuration_status()
+{
+ rv=0
+
+ rv=`grep -c ^preop ${pki_instance_configuration_file}`
+
+ rv=`expr ${rv} + 0`
+
+ if [ ${rv} -ne 0 ] ; then
+ echo " '${PKI_INSTANCE_ID}' must still be CONFIGURED!"
+ echo " (see /var/log/${PKI_INSTANCE_ID}-install.log)"
+ if [ "${command}" != "status" ]; then
+ # * 6 program is not configured
+ rv=6
+ else
+ # * 4 program or service status is unknown
+ rv=4
+ fi
+ TOTAL_UNCONFIGURED_PKI_ENTRIES=`expr ${TOTAL_UNCONFIGURED_PKI_ENTRIES} + 1`
+ elif [ -f ${RESTART_SERVER} ] ; then
+ echo -n " Although '${PKI_INSTANCE_ID}' has been CONFIGURED, "
+ echo -n "it must still be RESTARTED!"
+ echo
+ if [ "${command}" != "status" ]; then
+ # * 1 generic or unspecified error (current practice)
+ rv=1
+ else
+ # * 4 program or service status is unknown
+ rv=4
+ fi
+ fi
+
+ return ${rv}
+}
+
+get_pki_status_definitions()
+{
+ # establish well-known strings
+ listen_statement="Listen"
+ total_ports=0
+ UNSECURE_PORT=""
+ CLIENTAUTH_PORT=""
+ NON_CLIENTAUTH_PORT=""
+
+ # check to see that an instance-specific "httpd.conf" file exists
+ if [ ! -f ${PKI_HTTPD_CONF} ] ; then
+ echo "File '${PKI_HTTPD_CONF}' does not exist!"
+ exit ${default_error}
+ fi
+
+ # check to see that an instance-specific "nss.conf" file exists
+ if [ ! -f ${PKI_NSS_CONF} ] ; then
+ echo "File '${PKI_NSS_CONF}' does not exist!"
+ exit ${default_error}
+ fi
+
+ # read this instance-specific "httpd.conf" file line-by-line
+ # to obtain the current value of the PKI unsecure port
+
+ exec < ${PKI_HTTPD_CONF}
+ while read line; do
+ # look for the listen statement
+ head=`echo $line | cut -b1-6`
+ if [ "$head" == "$listen_statement" ] ; then
+ # once the 'unsecure' listen statement has been found,
+ # extract the numeric port information
+ port=`echo $line | cut -b8-`
+ UNSECURE_PORT=$port
+ echo " Unsecure Port = http://${PKI_SERVER_NAME}:${UNSECURE_PORT}"
+ total_ports=`expr ${total_ports} + 1`
+ break;
+ fi
+ done
+
+ # read this instance-specific "nss.conf" file line-by-line
+ # to obtain the current value of the "clientauth" PKI secure port
+ # AND the current value of the "non-clientauth" PKI secure port
+
+ exec < ${PKI_NSS_CONF}
+ while read line; do
+ # look for the listen statement
+ head=`echo $line | cut -b1-6`
+ if [ "$head" == "$listen_statement" ] &&
+ [ ${total_ports} -eq 2 ] ; then
+ # once the 'non-clientauth' listen statement has been found,
+ # extract the numeric port information
+ non_clientauth_port=`echo $line | cut -b8-`
+ NON_CLIENTAUTH_PORT=$non_clientauth_port
+ echo " Secure Non-Clientauth Port = https://${PKI_SERVER_NAME}:${NON_CLIENTAUTH_PORT}"
+ total_ports=`expr ${total_ports} + 1`
+ break
+ fi
+ if [ "$head" == "$listen_statement" ] &&
+ [ ${total_ports} -eq 1 ] ; then
+ # once the 'clientauth' listen statement has been found,
+ # extract the numeric port information
+ clientauth_port=`echo $line | cut -b8-`
+ CLIENTAUTH_PORT=$clientauth_port
+ echo " Secure Clientauth Port = https://${PKI_SERVER_NAME}:${CLIENTAUTH_PORT}"
+ total_ports=`expr ${total_ports} + 1`
+ fi
+ done
+
+ if [ ${total_ports} -eq 3 ] ; then
+ return 0
+ else
+ return ${default_error}
+ fi
+}
+
+get_pki_configuration_definitions()
+{
+ # Obtain the PKI Subsystem Type
+ line=`grep ^cs.type= ${pki_instance_configuration_file}`
+ pki_subsystem=`echo "${line}" | cut -b9-`
+ if [ "${line}" != "" ] ; then
+ if [ "${pki_subsystem}" != "CA" ] &&
+ [ "${pki_subsystem}" != "KRA" ] &&
+ [ "${pki_subsystem}" != "OCSP" ] &&
+ [ "${pki_subsystem}" != "TKS" ] &&
+ [ "${pki_subsystem}" != "RA" ] &&
+ [ "${pki_subsystem}" != "TPS" ]
+ then
+ return ${default_error}
+ fi
+ if [ "${pki_subsystem}" == "KRA" ] ; then
+ # Rename "KRA" to "DRM"
+ pki_subsystem="DRM"
+ fi
+ else
+ return ${default_error}
+ fi
+
+ # If "${pki_subsystem}" is a CA, DRM, OCSP, or TKS,
+ # check to see if "${pki_subsystem}" is a "Clone"
+ pki_clone=""
+ if [ "${pki_subsystem}" == "CA" ] ||
+ [ "${pki_subsystem}" == "DRM" ] ||
+ [ "${pki_subsystem}" == "OCSP" ] ||
+ [ "${pki_subsystem}" == "TKS" ]
+ then
+ line=`grep ^subsystem.select= ${pki_instance_configuration_file}`
+ if [ "${line}" != "" ] ; then
+ pki_clone=`echo "${line}" | cut -b18-`
+ if [ "${pki_clone}" != "Clone" ] ; then
+ # Reset "${pki_clone}" to be empty
+ pki_clone=""
+ fi
+ else
+ return ${default_error}
+ fi
+ fi
+
+ # If "${pki_subsystem}" is a CA, and is NOT a "Clone", check to
+ # see "${pki_subsystem}" is a "Root" or a "Subordinate" CA
+ pki_hierarchy=""
+ if [ "${pki_subsystem}" == "CA" ] &&
+ [ "${pki_clone}" != "Clone" ]
+ then
+ line=`grep ^hierarchy.select= ${pki_instance_configuration_file}`
+ if [ "${line}" != "" ] ; then
+ pki_hierarchy=`echo "${line}" | cut -b18-`
+ else
+ return ${default_error}
+ fi
+ fi
+
+ # If ${pki_subsystem} is a CA, check to
+ # see if it is also a Security Domain
+ pki_security_domain=""
+ if [ "${pki_subsystem}" == "CA" ] ; then
+ line=`grep ^securitydomain.select= ${pki_instance_configuration_file}`
+ if [ "${line}" != "" ] ; then
+ pki_security_domain=`echo "${line}" | cut -b23-`
+ if [ "${pki_security_domain}" == "new" ] ; then
+ # Set a fixed value for "${pki_security_domain}"
+ pki_security_domain="(Security Domain)"
+ else
+ # Reset "${pki_security_domain}" to be empty
+ pki_security_domain=""
+ fi
+ else
+ return ${default_error}
+ fi
+ fi
+
+ # Always obtain this PKI instance's "registered"
+ # security domain information
+ pki_security_domain_name=""
+ pki_security_domain_hostname=""
+ pki_security_domain_https_admin_port=""
+
+ line=`grep ^securitydomain.name= ${pki_instance_configuration_file}`
+ if [ "${line}" != "" ] ; then
+ pki_security_domain_name=`echo "${line}" | cut -b21-`
+ else
+ return ${default_error}
+ fi
+
+ line=`grep ^securitydomain.host= ${pki_instance_configuration_file}`
+ if [ "${line}" != "" ] ; then
+ pki_security_domain_hostname=`echo "${line}" | cut -b21-`
+ else
+ return ${default_error}
+ fi
+
+ line=`grep ^securitydomain.httpsadminport= ${pki_instance_configuration_file}`
+ if [ "${line}" != "" ] ; then
+ pki_security_domain_https_admin_port=`echo "${line}" | cut -b31-`
+ else
+ return ${default_error}
+ fi
+
+ # Compose the "PKI Instance Name" Status Line
+ pki_instance_name="PKI Instance Name: ${PKI_INSTANCE_ID}"
+
+ # Compose the "PKI Subsystem Type" Status Line
+ header="PKI Subsystem Type: "
+ if [ "${pki_clone}" != "" ] ; then
+ if [ "${pki_security_domain}" != "" ]; then
+ # Possible Values:
+ #
+ # "CA Clone (Security Domain)"
+ #
+ data="${pki_subsystem} ${pki_clone} ${pki_security_domain}"
+ else
+ # Possible Values:
+ #
+ # "CA Clone"
+ # "DRM Clone"
+ # "OCSP Clone"
+ # "TKS Clone"
+ #
+ data="${pki_subsystem} ${pki_clone}"
+ fi
+ elif [ "${pki_hierarchy}" != "" ] ; then
+ if [ "${pki_security_domain}" != "" ]; then
+ # Possible Values:
+ #
+ # "Root CA (Security Domain)"
+ # "Subordinate CA (Security Domain)"
+ #
+ data="${pki_hierarchy} ${pki_subsystem} ${pki_security_domain}"
+ else
+ # Possible Values:
+ #
+ # "Root CA"
+ # "Subordinate CA"
+ #
+ data="${pki_hierarchy} ${pki_subsystem}"
+ fi
+ else
+ # Possible Values:
+ #
+ # "DRM"
+ # "OCSP"
+ # "RA"
+ # "TKS"
+ # "TPS"
+ #
+ data="${pki_subsystem}"
+ fi
+ pki_subsystem_type="${header} ${data}"
+
+ # Compose the "Registered PKI Security Domain Information" Status Line
+ header="Name: "
+ registered_pki_security_domain_name="${header} ${pki_security_domain_name}"
+
+ header="URL: "
+ if [ "${pki_security_domain_hostname}" != "" ] &&
+ [ "${pki_security_domain_https_admin_port}" != "" ]
+ then
+ data="https://${pki_security_domain_hostname}:${pki_security_domain_https_admin_port}"
+ else
+ return ${default_error}
+ fi
+ registered_pki_security_domain_url="${header} ${data}"
+
+ # Print the "PKI Subsystem Type" Status Line
+ echo
+ echo " ${pki_instance_name}"
+
+ # Print the "PKI Subsystem Type" Status Line
+ echo
+ echo " ${pki_subsystem_type}"
+
+ # Print the "Registered PKI Security Domain Information" Status Line
+ echo
+ echo " Registered PKI Security Domain Information:"
+ echo " =========================================================================="
+ echo " ${registered_pki_security_domain_name}"
+ echo " ${registered_pki_security_domain_url}"
+ echo " =========================================================================="
+
+ return 0
+}
+
+get_pki_secure_port()
+{
+ # establish well-known strings
+ listen_statement="Listen"
+
+ # first check to see that an instance-specific "nss.conf" file exists
+ if [ ! -f ${PKI_NSS_CONF} ] ; then
+ echo "File '${PKI_NSS_CONF}' does not exist!"
+ exit ${default_error}
+ fi
+
+ # read this instance-specific "nss.conf" file line-by-line
+ # to obtain the current value of the "clientauth" PKI secure port
+ exec < ${PKI_NSS_CONF}
+ while read line; do
+ # look for the listen statement
+ head=`echo $line | cut -b1-6`
+ if [ "$head" == "$listen_statement" ] ; then
+ # once the 'clientauth' listen statement has been found,
+ # extract the numeric port information
+ port=`echo $line | cut -b8-`
+ SECURE_PORT=$port
+ return 0
+ fi
+ done
+
+ return ${default_error}
+}
+
+display_instance_status()
+{
+ rv=0
+
+ if [ -f ${pidfile} ] ; then
+ pid=`cat ${pidfile}`
+ if [ "${pid}" == "" ] ; then
+ echo "${PKI_INSTANCE_ID} pid file exists but is empty"
+ if [ "${command}" != "status" ]; then
+ # * 1 generic or unspecified error (current practice)
+ rv=1
+ else
+ # * 4 program or service status is unknown
+ rv=4
+ fi
+ elif kill -0 ${pid} > /dev/null 2>&1 ; then
+ echo "${PKI_INSTANCE_ID} (pid ${pid}) is running ..."
+ echo
+ check_pki_configuration_status
+ rv=$?
+ if [ ${rv} -eq 0 ] ; then
+ get_pki_status_definitions
+ rv=$?
+ if [ ${rv} -ne 0 ] ; then
+ echo
+ echo "${PKI_INSTANCE_ID} Status Definitions not found"
+ else
+ get_pki_configuration_definitions
+ rv=$?
+ if [ ${rv} -ne 0 ] ; then
+ echo
+ echo "${PKI_INSTANCE_ID} Configuration Definitions not found"
+ fi
+ fi
+ else
+ # From the PKI point of view for a "non-status" action,
+ # a returned error code of "6" implies that the program
+ # is not "configured". Similarly, an error code of "1"
+ # implies that the program was "configured" but must
+ # still be restarted.
+ #
+ # Similarly, from the PKI point of view for a "status"
+ # action, a returned error code of "4" implies that either
+ # the program is not "configured", or that the program
+ # was "configured" but must still be restarted.
+ #
+ # Regardless, it must still be considered that the instance
+ # is "running" from the viewpoint of other OS programs such
+ # as 'chkconfig'.
+ #
+ # For this reason, when returning from
+ # 'display_instance_status()', ignore non-zero return codes
+ # returned from 'check_pki_configuration_status()'.
+ #
+ if [ "${command}" != "status" ]; then
+ # * 0 action was successful
+ rv=0
+ else
+ # * 0 program is running or service is OK
+ rv=0
+ fi
+ fi
+ echo
+ else
+ echo "${PKI_INSTANCE_ID} is dead but pid file exists"
+ if [ "${command}" != "status" ]; then
+ # * 1 generic or unspecified error (current practice)
+ rv=1
+ else
+ # * 1 program is dead and /var/run pid file exists
+ rv=1
+ fi
+ fi
+ else
+ echo "${PKI_INSTANCE_ID} is stopped"
+ if [ "${command}" != "status" ]; then
+ # * 7 program is not running
+ rv=7
+ else
+ # * 3 program is not running
+ rv=3
+ fi
+ fi
+
+ return ${rv}
+}
+
+start_instance()
+{
+ rv=0
+
+ echo -n $"Starting ${prog}: "
+
+ if [ -f ${RESTART_SERVER} ] ; then
+ rm -f ${RESTART_SERVER}
+ fi
+
+ if [ -f ${PKI_LOCKFILE} ] ; then
+ if [ -f ${pidfile} ]; then
+ read kpid < ${pidfile}
+ if checkpid $kpid 2>&1; then
+ echo
+ echo "${PKI_INSTANCE_ID} (pid ${kpid}) is already running ..."
+ echo
+ check_pki_configuration_status
+ rv=$?
+ if [ ${rv} != 0 ]; then
+ # From the PKI point of view for a "non-status" action,
+ # a returned error code of "6" implies that the program
+ # is not "configured". Similarly, an error code of "1"
+ # implies that the program was "configured" but must
+ # still be restarted.
+ #
+ # Regardless, it must still be considered that the instance
+ # is "running" from the viewpoint of other OS programs such
+ # as 'chkconfig'.
+ #
+ # For "non-status" actions, ignore return codes of "1"
+ # from 'check_pki_configuration_status()'.
+ #
+ # However, for "non-status" actions that have a return
+ # code of "6", return this value unchanged to
+ # the calling routine so that the total number of
+ # configuration errors may be counted.
+ #
+
+ echo
+ if [ ${rv} = 1 ] ; then
+ # * 0 action was successful
+ return 0
+ elif [ ${rv} = 6 ] ; then
+ # * 6 program is not configured
+ return 6
+ else
+ # should never be reached
+ return ${rv}
+ fi
+ else
+ return 0
+ fi
+ else
+ echo
+ echo -n "lock file found but no process "
+ echo -n "running for pid $kpid, continuing"
+ echo
+ echo
+ rm -f ${PKI_LOCKFILE}
+ fi
+ fi
+ fi
+
+ fix_pid_dir_ownership
+
+ touch ${pidfile}
+ chown ${PKI_USER}:${PKI_GROUP} ${pidfile}
+ chmod 00600 ${pidfile}
+ [ -x /sbin/restorecon ] && /sbin/restorecon ${pidfile}
+
+ # restore context for ncipher hsm
+ [ -x /sbin/restorecon ] && [ -d /dev/nfast ] && /sbin/restorecon -R /dev/nfast
+
+ if [ -f /etc/init.d/functions ]; then
+ /usr/sbin/selinuxenabled
+ rv=$?
+ if [ ${rv} = 0 ] ; then
+ if [ ${ARCHITECTURE} = "i386" ] ; then
+ LANG=${PKI_HTTPD_LANG} daemon runcon -t ${PKI_SELINUX_TYPE} -- ${httpd} ${PKI_OPTIONS}
+ # overwrite output from "daemon"
+ echo -n $"Starting ${prog}: "
+ elif [ ${ARCHITECTURE} = "x86_64" ] ; then
+ # NOTE: "daemon" is incompatible with "httpd"
+ # on 64-bit architectures
+ LANG=${PKI_HTTPD_LANG} runcon -t ${PKI_SELINUX_TYPE} -- ${httpd} ${PKI_OPTIONS}
+ fi
+ else
+ LANG=${PKI_HTTPD_LANG} daemon ${httpd} ${PKI_OPTIONS}
+ # overwrite output from "daemon"
+ echo -n $"Starting ${prog}: "
+ fi
+ else
+ LANG=${PKI_HTTPD_LANG} ${httpd} ${PKI_OPTIONS} -k start
+ fi
+
+ rv=$?
+ if [ ${rv} = 0 ] ; then
+ touch ${PKI_LOCKFILE}
+ chown ${PKI_USER}:${PKI_GROUP} ${PKI_LOCKFILE}
+ chmod 00600 ${PKI_LOCKFILE}
+ fi
+
+ if [ ${rv} = 0 ] ; then
+ count=0;
+
+ let swait=$STARTUP_WAIT
+ until [ -s ${pidfile} ] ||
+ [ $count -gt $swait ]
+ do
+ echo -n "."
+ sleep 1
+ let count=$count+1;
+ done
+
+ if [ -f /etc/init.d/functions ]; then
+ if [ "$CONSOLETYPE" = "serial" ]; then
+ echo -n " "
+ fi
+ echo_success
+ echo
+ else
+ echo " [ OK ]"
+ fi
+
+ get_pki_secure_port
+ if [ $? -ne 0 ] ; then
+ SECURE_PORT="<Port Undefined>"
+ fi
+
+ # Set permissions of log files
+ for file in ${pki_logs_directory}/*; do
+ chown ${PKI_USER}:${PKI_GROUP} ${file}
+ chmod 00660 ${file}
+ done
+
+ # ignore "status" return codes
+ echo
+ display_instance_status
+ else
+ if [ -f /etc/init.d/functions ]; then
+ if [ "$CONSOLETYPE" = "serial" ]; then
+ $0 echo -n " "
+ fi
+ echo_failure
+ echo
+ else
+ echo " [ FAILED ]"
+ fi
+ fi
+
+ if [ ${OS} = "Linux" ] ; then
+ sleep 10
+ elif [ ${OS} = "SunOS" ] ; then
+ sleep 20
+ fi
+ return ${rv}
+}
+
+stop_instance()
+{
+ rv=0
+
+ echo -n "Stopping ${prog}: "
+
+ if [ -f ${PKI_LOCKFILE} ] ; then
+ ${httpd} ${PKI_OPTIONS} -k stop
+
+ rv=$?
+
+ if [ ${rv} = 0 ]; then
+ count=0;
+
+ if [ -f ${pidfile} ]; then
+ read kpid < ${pidfile}
+ let kwait=$SHUTDOWN_WAIT
+
+ until [ `ps -p $kpid | grep -c $kpid` = '0' ] ||
+ [ $count -gt $kwait ]
+ do
+ echo -n "."
+ sleep 1
+ let count=$count+1;
+ done
+
+ if [ $count -gt $kwait ]; then
+ kill -9 $kpid
+ fi
+ fi
+
+ rm -f ${PKI_LOCKFILE}
+ rm -f ${pidfile}
+
+ if [ -f /etc/init.d/functions ]; then
+ if [ "$CONSOLETYPE" = "serial" ]; then
+ echo -n " "
+ fi
+ echo_success
+ echo
+ else
+ echo " [ OK ]"
+ fi
+ else
+ if [ -f /etc/init.d/functions ]; then
+ if [ "$CONSOLETYPE" = "serial" ]; then
+ echo -n " "
+ fi
+ echo_failure
+ echo
+ else
+ echo " [ FAILED ]"
+ fi
+ rv=${default_error}
+ fi
+ else
+ echo
+ echo "process already stopped"
+ rv=0
+ fi
+
+ return ${rv}
+}
+
+reload_instance()
+{
+ rv=0
+
+ echo -n $"Reloading ${prog}: "
+
+ if ! LANG=${PKI_HTTPD_LANG} ${httpd} ${PKI_OPTIONS} -t >&/dev/null; then
+ rv=$?
+ echo $"not reloading due to configuration syntax error"
+ if [ -f /etc/init.d/functions ]; then
+ failure $"not reloading ${httpd} due to configuration syntax error"
+ else
+ echo $"not reloading ${httpd} due to configuration syntax error"
+ fi
+ else
+ if [ -f /etc/init.d/functions ]; then
+ killproc -p ${pidfile} ${httpd} -HUP
+ rv=$?
+ else
+ if [ -f ${PKI_LOCKFILE} ] ; then
+ if [ -f ${pidfile} ]; then
+ read kpid < ${pidfile}
+ if checkpid $kpid 2>&1; then
+ kill -HUP $kpid
+ rv=$?
+ if [ ${rv} != 0 ]; then
+ rv=${default_error}
+ fi
+ fi
+ else
+ # * 7 program is not running
+ rv=7
+ echo
+ echo -n "lock file found but no process "
+ echo -n "running for pid $kpid, continuing"
+ echo
+ echo
+ rm -f ${PKI_LOCKFILE}
+ fi
+ fi
+ fi
+ fi
+ echo
+
+ return ${rv}
+}
+
+# The semantics of the 'start()' function differs from the way 'apachectl'
+# does things -- attempting to start while running is a failure.
+# So we just do it the way init scripts are expected to behave here.
+start()
+{
+ # From "http://fedoraproject.org/wiki/FCNewInit/Initscripts":
+ #
+ # * 0 action was successful
+ # * 1 generic or unspecified error (current practice)
+ # * 2 invalid or excess argument(s)
+ # * 3 unimplemented feature (for example, "reload")
+ # * 4 user had insufficient privilege
+ # * 5 program is not installed
+ # * 6 program is not configured
+ # * 7 program is not running
+ # * 8-99 reserved for future LSB use
+ # * 100-149 reserved for distribution use
+ # * 150-199 reserved for application use
+ # * 200-254 reserved
+ #
+
+ error_rv=0
+ rv=0
+
+ if [ -n "${PKI_REGISTRY_ENTRIES}" ]; then
+ config_errors=0
+ errors=0
+
+ if [ ${TOTAL_PKI_REGISTRY_ENTRIES} -gt 1 ] ; then
+ echo "BEGIN STARTING '${PKI_TYPE}' INSTANCE(S):"
+ fi
+
+ # Start every PKI instance of this type that isn't already running
+ for PKI_REGISTRY_ENTRY in ${PKI_REGISTRY_ENTRIES}; do
+ # Source values associated with this particular PKI instance
+ [ -f ${PKI_REGISTRY_ENTRY} ] &&
+ . ${PKI_REGISTRY_ENTRY}
+
+ pidfile=${PKI_PIDDIR}/${PKI_PIDFILE}
+
+ [ ${TOTAL_PKI_REGISTRY_ENTRIES} -gt 1 ] && echo
+
+ start_instance
+
+ rv=$?
+ if [ ${rv} = 6 ] ; then
+ # Since at least ONE configuration error exists, then there
+ # is at least ONE unconfigured instance from the PKI point
+ # of view.
+ #
+ # However, it must still be considered that the
+ # instance is "running" from the point of view of other
+ # OS programs such as 'chkconfig'.
+ #
+ # Therefore, ignore non-zero return codes resulting
+ # from configuration errors.
+ #
+
+ config_errors=`expr $config_errors + 1`
+ rv=0
+ elif [ ${rv} != 0 ] ; then
+ errors=`expr $errors + 1`
+ error_rv=${rv}
+ fi
+ done
+
+ if [ ${TOTAL_PKI_REGISTRY_ENTRIES} -gt ${errors} ] ; then
+ touch ${lockfile}
+ chmod 00600 ${lockfile}
+ fi
+
+ # ONLY print a "WARNING" message if multiple
+ # instances are being examined
+ if [ ${TOTAL_PKI_REGISTRY_ENTRIES} -gt 1 ] ; then
+ # NOTE: "bad" return code(s) OVERRIDE configuration errors!
+ if [ ${errors} -eq 1 ]; then
+ # Since only ONE error exists, return that "bad" error code.
+ rv=${error_rv}
+ elif [ ${errors} -gt 1 ]; then
+ # Since MORE than ONE error exists, return an OVERALL status
+ # of "1 generic or unspecified error (current practice)"
+ rv=1
+ fi
+
+ if [ ${errors} -ge 1 ]; then
+ echo
+ echo -n "WARNING: "
+ echo -n "${errors} of ${TOTAL_PKI_REGISTRY_ENTRIES} "
+ echo -n "'${PKI_TYPE}' instances failed to start!"
+ echo
+ fi
+
+ if [ ${TOTAL_UNCONFIGURED_PKI_ENTRIES} -ge 1 ]; then
+ echo
+ echo -n "WARNING: "
+ echo -n "${TOTAL_UNCONFIGURED_PKI_ENTRIES} "
+ echo -n "of ${TOTAL_PKI_REGISTRY_ENTRIES} "
+ echo -n "'${PKI_TYPE}' instances MUST be configured!"
+ echo
+ fi
+
+ echo
+ echo "FINISHED STARTING '${PKI_TYPE}' INSTANCE(S)."
+ fi
+ else
+ echo
+ echo "ERROR: No '${PKI_TYPE}' instances installed!"
+ rv=5
+ fi
+
+ return ${rv}
+}
+
+# The semantics of the 'stop()' function differs from the way 'apachectl'
+# does things -- attempting to shutdown when not running is a failure.
+# So we just do it the way init scripts are expected to behave here.
+stop()
+{
+ # From "http://fedoraproject.org/wiki/FCNewInit/Initscripts":
+ #
+ # * 0 action was successful
+ # * 1 generic or unspecified error (current practice)
+ # * 2 invalid or excess argument(s)
+ # * 3 unimplemented feature (for example, "reload")
+ # * 4 user had insufficient privilege
+ # * 5 program is not installed
+ # * 6 program is not configured
+ # * 7 program is not running
+ # * 8-99 reserved for future LSB use
+ # * 100-149 reserved for distribution use
+ # * 150-199 reserved for application use
+ # * 200-254 reserved
+ #
+
+ error_rv=0
+ rv=0
+
+ if [ -n "${PKI_REGISTRY_ENTRIES}" ]; then
+ errors=0
+
+ if [ ${TOTAL_PKI_REGISTRY_ENTRIES} -gt 1 ] ; then
+ echo "BEGIN SHUTTING DOWN '${PKI_TYPE}' INSTANCE(S):"
+ fi
+
+ # Shutdown every PKI instance of this type that is running
+ for PKI_REGISTRY_ENTRY in ${PKI_REGISTRY_ENTRIES}; do
+ # Source values associated with this particular PKI instance
+ [ -f ${PKI_REGISTRY_ENTRY} ] &&
+ . ${PKI_REGISTRY_ENTRY}
+
+ pidfile=${PKI_PIDDIR}/${PKI_PIDFILE}
+
+ [ ${TOTAL_PKI_REGISTRY_ENTRIES} -gt 1 ] && echo
+
+ stop_instance
+
+ rv=$?
+ if [ ${rv} != 0 ] ; then
+ errors=`expr $errors + 1`
+ error_rv=${rv}
+ fi
+ done
+
+ if [ ${errors} -eq 0 ] ; then
+ rm -f ${lockfile}
+ fi
+
+ # ONLY print a "WARNING" message if multiple
+ # instances are being examined
+ if [ ${TOTAL_PKI_REGISTRY_ENTRIES} -gt 1 ] ; then
+ if [ ${errors} -eq 1 ]; then
+ # Since only ONE error exists, return that "bad" error code.
+ rv=${error_rv}
+ elif [ ${errors} -gt 1 ]; then
+ # Since MORE than ONE error exists, return an OVERALL status
+ # of "1 generic or unspecified error (current practice)"
+ rv=1
+ fi
+
+ if [ ${errors} -ge 1 ]; then
+ echo
+ echo -n "WARNING: "
+ echo -n "${errors} of ${TOTAL_PKI_REGISTRY_ENTRIES} "
+ echo -n "'${PKI_TYPE}' instances were "
+ echo -n "unsuccessfully stopped!"
+ echo
+ fi
+
+ echo
+ echo "FINISHED SHUTTING DOWN '${PKI_TYPE}' INSTANCE(S)."
+ fi
+ else
+ echo
+ echo "ERROR: No '${PKI_TYPE}' instances installed!"
+ rv=5
+ fi
+
+ return ${rv}
+}
+
+restart()
+{
+ # From "http://fedoraproject.org/wiki/FCNewInit/Initscripts":
+ #
+ # * 0 action was successful
+ # * 1 generic or unspecified error (current practice)
+ # * 2 invalid or excess argument(s)
+ # * 3 unimplemented feature (for example, "reload")
+ # * 4 user had insufficient privilege
+ # * 5 program is not installed
+ # * 6 program is not configured
+ # * 7 program is not running
+ # * 8-99 reserved for future LSB use
+ # * 100-149 reserved for distribution use
+ # * 150-199 reserved for application use
+ # * 200-254 reserved
+ #
+
+ stop
+ sleep 2
+ echo
+ echo "============================================================"
+ echo
+ start
+
+ return $?
+}
+
+reload()
+{
+ # From "http://fedoraproject.org/wiki/FCNewInit/Initscripts":
+ #
+ # * 0 action was successful
+ # * 1 generic or unspecified error (current practice)
+ # * 2 invalid or excess argument(s)
+ # * 3 unimplemented feature (for example, "reload")
+ # * 4 user had insufficient privilege
+ # * 5 program is not installed
+ # * 6 program is not configured
+ # * 7 program is not running
+ # * 8-99 reserved for future LSB use
+ # * 100-149 reserved for distribution use
+ # * 150-199 reserved for application use
+ # * 200-254 reserved
+ #
+
+ error_rv=0
+ rv=0
+
+ if [ -n "${PKI_REGISTRY_ENTRIES}" ]; then
+ errors=0
+
+ if [ ${TOTAL_PKI_REGISTRY_ENTRIES} -gt 1 ] ; then
+ echo "BEGIN RELOADING '${PKI_TYPE}' INSTANCE(S):"
+ fi
+
+ # Reload every PKI instance of this type that is running
+ for PKI_REGISTRY_ENTRY in ${PKI_REGISTRY_ENTRIES}; do
+ # Source values associated with this particular PKI instance
+ [ -f ${PKI_REGISTRY_ENTRY} ] &&
+ . ${PKI_REGISTRY_ENTRY}
+
+ pidfile=${PKI_PIDDIR}/${PKI_PIDFILE}
+
+ [ ${TOTAL_PKI_REGISTRY_ENTRIES} -gt 1 ] && echo
+
+ reload_instance
+
+ rv=$?
+ if [ ${rv} != 0 ] ; then
+ errors=`expr $errors + 1`
+ error_rv=${rv}
+ fi
+ done
+
+ # ONLY print a "WARNING" message if multiple
+ # instances are being examined
+ if [ ${TOTAL_PKI_REGISTRY_ENTRIES} -gt 1 ] ; then
+ if [ ${errors} -eq 1 ]; then
+ # Since only ONE error exists, return that "bad" error code.
+ rv=${error_rv}
+ elif [ ${errors} -gt 1 ]; then
+ # Since MORE than ONE error exists, return an OVERALL status
+ # of "1 generic or unspecified error (current practice)"
+ rv=1
+ fi
+
+ if [ ${errors} -ge 1 ]; then
+ echo
+ echo -n "WARNING: "
+ echo -n "${errors} of ${TOTAL_PKI_REGISTRY_ENTRIES} "
+ echo -n "'${PKI_TYPE}' instances were "
+ echo -n "unsuccessfully reloaded!"
+ echo
+ fi
+
+ echo
+ echo "FINISHED RELOADING '${PKI_TYPE}' INSTANCE(S)."
+ fi
+ else
+ echo
+ echo "ERROR: No '${PKI_TYPE}' instances reloaded!"
+ rv=5
+ fi
+
+ return ${rv}
+}
+
+status()
+{
+ # From "http://fedoraproject.org/wiki/FCNewInit/Initscripts":
+ #
+ # * 0 program is running or service is OK
+ # * 1 program is dead and /var/run pid file exists
+ # * 2 program is dead and /var/lock lock file exists
+ # * 3 program is not running
+ # * 4 program or service status is unknown
+ # * 5-99 reserved for future LSB use
+ # * 100-149 reserved for distribution use
+ # * 150-199 reserved for application use
+ # * 200-254 reserved
+ #
+
+ error_rv=0
+ rv=0
+
+ if [ -n "${PKI_REGISTRY_ENTRIES}" ]; then
+ errors=0
+
+ if [ ${TOTAL_PKI_REGISTRY_ENTRIES} -gt 1 ] ; then
+ echo "REPORT STATUS OF '${PKI_TYPE}' INSTANCE(S):"
+ fi
+
+ # Obtain status of every PKI instance of this type
+ for PKI_REGISTRY_ENTRY in ${PKI_REGISTRY_ENTRIES}; do
+ # Source values associated with this particular PKI instance
+ [ -f ${PKI_REGISTRY_ENTRY} ] &&
+ . ${PKI_REGISTRY_ENTRY}
+
+ pidfile=${PKI_PIDDIR}/${PKI_PIDFILE}
+
+ [ ${TOTAL_PKI_REGISTRY_ENTRIES} -gt 1 ] && echo
+
+ display_instance_status
+
+ rv=$?
+ if [ ${rv} -ne 0 ] ; then
+ errors=`expr $errors + 1`
+ error_rv=${rv}
+ fi
+ done
+
+ # ONLY print a "WARNING" message if multiple
+ # instances are being examined
+ if [ ${TOTAL_PKI_REGISTRY_ENTRIES} -gt 1 ] ; then
+ if [ ${errors} -eq 1 ]; then
+ # Since only ONE error exists, return that "bad" error code.
+ rv=${error_rv}
+ elif [ ${errors} -gt 1 ]; then
+ # Since MORE than ONE error exists, return an OVERALL status
+ # of "4 - program or service status is unknown"
+ rv=4
+ fi
+
+ if [ ${errors} -ge 1 ]; then
+ echo
+ echo -n "WARNING: "
+ echo -n "${errors} of ${TOTAL_PKI_REGISTRY_ENTRIES} "
+ echo -n "'${PKI_TYPE}' instances reported status failures!"
+ echo
+ fi
+
+ if [ ${TOTAL_UNCONFIGURED_PKI_ENTRIES} -ge 1 ]; then
+ echo
+ echo -n "WARNING: "
+ echo -n "${TOTAL_UNCONFIGURED_PKI_ENTRIES} "
+ echo -n "of ${TOTAL_PKI_REGISTRY_ENTRIES} "
+ echo -n "'${PKI_TYPE}' instances MUST be configured!"
+ echo
+ fi
+
+ echo
+ echo "FINISHED REPORTING STATUS OF '${PKI_TYPE}' INSTANCE(S)."
+ fi
+ else
+ echo
+ echo "ERROR: No '${PKI_TYPE}' instances installed!"
+ rv=4
+ fi
+
+ return ${rv}
+}
+
+# See how we were called.
+case "${command}" in
+ start|stop|restart|reload|status)
+ ${command}
+ exit $?
+ ;;
+ condrestart|force-restart|try-restart)
+ [ ! -f ${lockfile} ] || restart
+ exit $?
+ ;;
+ *)
+ # * 3 unimplemented feature (for example, "reload")
+ # [invalid command - should never be reached]
+ echo
+ usage
+ echo "where valid instance names include:"
+ list_instances
+ exit 3
+ ;;
+esac
+
diff --git a/pki/base/ra/setup/postinstall b/pki/base/ra/setup/postinstall
deleted file mode 100755
index 517c6e448..000000000
--- a/pki/base/ra/setup/postinstall
+++ /dev/null
@@ -1,66 +0,0 @@
-#!/bin/bash
-#
-# --- BEGIN COPYRIGHT BLOCK ---
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation; version 2 of the License.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License along
-# with this program; if not, write to the Free Software Foundation, Inc.,
-# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-#
-# Copyright (C) 2007 Red Hat, Inc.
-# All rights reserved.
-# --- END COPYRIGHT BLOCK ---
-#
-
-###############################################################################
-## (1) Check command line arguments to see how many were passed in. ##
-###############################################################################
-
-if [ $# -eq 4 ]
-then
- PKI_PRODUCT_NAME=$1
- PKI_SUBSYSTEM_NAME=$2
- VERSION=$3
- RELEASE=$4
-else
- echo
- echo "Usage: $0 PKI_product_name PKI_subsystem_name version release"
- echo
-
- exit 255
-fi
-
-
-###############################################################################
-## (2) Specify variables used by this script. ##
-###############################################################################
-
-PKI_INSTANCE_NAME="${PKI_PRODUCT_NAME}-${PKI_SUBSYSTEM_NAME}"
-SECURE_PORT=12889
-NON_CLIENTAUTH_SECURE_PORT=12890
-UNSECURE_PORT=12888
-
-
-###############################################################################
-## (3) Create the first instance of a Registration Authority (RA). ##
-###############################################################################
-
-if [ ! -e "/var/lib/${PKI_INSTANCE_NAME}" ]
-then
- /usr/bin/pkicreate -pki_instance_root=/var/lib -pki_instance_name=${PKI_INSTANCE_NAME} -subsystem_type=${PKI_SUBSYSTEM_NAME} -secure_port=${SECURE_PORT} -non_clientauth_secure_port=${NON_CLIENTAUTH_SECURE_PORT} -unsecure_port=${UNSECURE_PORT} -redirect conf=/etc/${PKI_INSTANCE_NAME} -redirect logs=/var/log/${PKI_INSTANCE_NAME}
-fi
-
-
-###############################################################################
-## (4) Successfully exit from this postinstallation script. ##
-###############################################################################
-
-exit 0
-
diff --git a/pki/base/selinux/src/pki.fc b/pki/base/selinux/src/pki.fc
index 21ff9c2e7..bbc6b3ebd 100644
--- a/pki/base/selinux/src/pki.fc
+++ b/pki/base/selinux/src/pki.fc
@@ -92,3 +92,16 @@
/var/run/pki/tks(/.*)? gen_context(system_u:object_r:pki_tks_var_run_t,s0)
/etc/init.d/pki-tksd gen_context(system_u:object_r:pki_tks_script_exec_t,s0)
/etc/sysconfig/pki/tks(/.*)? gen_context(system_u:object_r:pki_tks_etc_rw_t,s0)
+
+# labeling for new RA under pki-rad
+
+/var/run/pki/ra(/.*)? gen_context(system_u:object_r:pki_ra_var_run_t,s0)
+/etc/init.d/pki-rad gen_context(system_u:object_r:pki_ra_script_exec_t,s0)
+/etc/sysconfig/pki/ra(/.*)? gen_context(system_u:object_r:pki_ra_etc_rw_t,s0)
+
+# labeling for new TPS under pki-tpsd
+
+/var/run/pki/tps(/.*)? gen_context(system_u:object_r:pki_tps_var_run_t,s0)
+/etc/init.d/pki-tpsd gen_context(system_u:object_r:pki_tps_script_exec_t,s0)
+/etc/sysconfig/pki/tps(/.*)? gen_context(system_u:object_r:pki_tps_etc_rw_t,s0)
+
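Review bot: The new `/var/run/pki/ra(/.*)?` and `/var/run/pki/tps(/.*)?` contexts only take effect on a relabel, but the directory they describe is created at runtime: `fix_pid_dir_ownership` in the new pki-rad script does `mkdir -p ${PKI_PIDDIR}` and the start path runs `restorecon` on the pid file only, never on the directory. On a tmpfs /var/run (the case the script's own comment calls out) the instance directory will carry whatever type the creating domain's transition rule yields, which is `pki_ra_var_run_t` only if the init-script domain has a filetrans rule equivalent to the one this commit adds for `$1_t` in pki.if, and I cannot see one here. Suggest relabeling immediately after creation, e.g. `[ -x /sbin/restorecon ] && /sbin/restorecon -R /var/run/pki` inside `fix_pid_dir_ownership`, so the fc entries added here are actually applied.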
diff --git a/pki/base/selinux/src/pki.if b/pki/base/selinux/src/pki.if
index 1364b15ce..aa78cec3c 100644
--- a/pki/base/selinux/src/pki.if
+++ b/pki/base/selinux/src/pki.if
@@ -108,7 +108,7 @@ template(`pki_ca_template',`
manage_files_pattern($1_t, $1_etc_rw_t, $1_etc_rw_t)
files_etc_filetrans($1_t,$1_etc_rw_t, { file dir })
- # start/ stop using pki-cad, pki-krad, pki-ocspd, or pki-tksd
+ # start/stop using pki-cad, pki-krad, pki-ocspd, or pki-tksd
allow setfiles_t $1_etc_rw_t:file read;
manage_dirs_pattern($1_t, $1_var_run_t, $1_var_run_t)
@@ -413,7 +413,7 @@ interface(`pki_ra_script_domtrans',`
template(`pki_tps_template',`
gen_require(`
attribute pki_tps_process;
- attribute pki_tps_config, pki_tps_var_lib;
+ attribute pki_tps_config, pki_tps_var_lib, pki_tps_var_run;
attribute pki_tps_executable, pki_tps_script, pki_tps_var_log;
')
########################################
@@ -432,6 +432,9 @@ template(`pki_tps_template',`
type $1_etc_rw_t, pki_tps_config;
files_type($1_etc_rw_t)
+ type $1_var_run_t, pki_tps_var_run;
+ files_pid_file($1_var_run_t)
+
type $1_var_lib_t, pki_tps_var_lib;
files_type($1_var_lib_t)
@@ -456,6 +459,10 @@ template(`pki_tps_template',`
manage_files_pattern($1_t, $1_etc_rw_t, $1_etc_rw_t)
files_etc_filetrans($1_t,$1_etc_rw_t, { file dir })
+ manage_dirs_pattern($1_t, $1_var_run_t, $1_var_run_t)
+ manage_files_pattern($1_t, $1_var_run_t, $1_var_run_t)
+ files_pid_filetrans($1_t,$1_var_run_t, { file dir })
+
manage_dirs_pattern($1_t, $1_var_lib_t, $1_var_lib_t)
manage_files_pattern($1_t, $1_var_lib_t, $1_var_lib_t)
read_lnk_files_pattern($1_t, $1_var_lib_t, $1_var_lib_t)
@@ -483,6 +490,11 @@ template(`pki_tps_template',`
type httpd_suexec_exec_t;
')
+ #============= httpd_t ==============
+ allow httpd_t $1_var_run_t:dir search;
+ allow httpd_t $1_var_run_t:file read;
+ allow httpd_t $1_var_run_t:file open;
+
# start up httpd in pki_tps_t mode
allow pki_tps_t httpd_config_t:file { read getattr execute };
allow pki_tps_t httpd_exec_t:file entrypoint;
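Review bot: The three raw `allow httpd_t $1_var_run_t` rules grant only `search` on the directory and `read`/`open` on the file, so a `stat` or lock of the pid file from httpd_t is still denied; the refpolicy idiom that covers the full read set in one line is `read_files_pattern(httpd_t, $1_var_run_t, $1_var_run_t)`. A comment above these rules should also say why httpd_t needs the pid file at all when the server is started under `runcon -t ${PKI_SELINUX_TYPE}` — from the visible pki-rad script (and presumably the parallel pki-tpsd) the `stop_instance` path runs `${httpd} ${PKI_OPTIONS} -k stop` without runcon, which would execute in httpd_t and read the pid file. If that is the reason, the same path then signals a pki_tps_t process, and nothing in this hunk allows that; either grant it explicitly or run the stop under runcon as well. The enclosing template continues outside the hunk.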
@@ -582,7 +594,7 @@ template(`pki_tps_template',`
template(`pki_ra_template',`
gen_require(`
attribute pki_ra_process;
- attribute pki_ra_config, pki_ra_var_lib;
+ attribute pki_ra_config, pki_ra_var_lib, pki_ra_var_run;
attribute pki_ra_executable, pki_ra_script, pki_ra_var_log;
')
########################################
@@ -601,6 +613,9 @@ template(`pki_ra_template',`
type $1_etc_rw_t, pki_ra_config;
files_type($1_etc_rw_t)
+ type $1_var_run_t, pki_ra_var_run;
+ files_pid_file($1_var_run_t)
+
type $1_var_lib_t, pki_ra_var_lib;
files_type($1_var_lib_t)
@@ -625,6 +640,10 @@ template(`pki_ra_template',`
manage_files_pattern($1_t, $1_etc_rw_t, $1_etc_rw_t)
files_etc_filetrans($1_t,$1_etc_rw_t, { file dir })
+ manage_dirs_pattern($1_t, $1_var_run_t, $1_var_run_t)
+ manage_files_pattern($1_t, $1_var_run_t, $1_var_run_t)
+ files_pid_filetrans($1_t,$1_var_run_t, { file dir })
+
manage_dirs_pattern($1_t, $1_var_lib_t, $1_var_lib_t)
manage_files_pattern($1_t, $1_var_lib_t, $1_var_lib_t)
read_lnk_files_pattern($1_t, $1_var_lib_t, $1_var_lib_t)
@@ -654,6 +673,11 @@ template(`pki_ra_template',`
type httpd_suexec_exec_t;
')
+ #============= httpd_t ==============
+ allow httpd_t $1_var_run_t:dir search;
+ allow httpd_t $1_var_run_t:file read;
+ allow httpd_t $1_var_run_t:file open;
+
# start up httpd in pki_ra_t mode
allow pki_ra_t httpd_config_t:file { read getattr execute };
allow pki_ra_t httpd_exec_t:file entrypoint;
@@ -780,6 +804,7 @@ interface(`pki_ra_admin',`
attribute pki_ra_executable;
attribute pki_ra_var_lib;
attribute pki_ra_var_log;
+ attribute pki_ra_var_run;
attribute pki_ra_script;
')
@@ -793,6 +818,7 @@ interface(`pki_ra_admin',`
allow $2 system_r;
manage_all_pattern($1, pki_ra_config)
+ manage_all_pattern($1, pki_ra_var_run)
manage_all_pattern($1, pki_ra_var_lib)
manage_all_pattern($1, pki_ra_var_log)
manage_all_pattern($1, pki_ra_config)
@@ -917,6 +943,7 @@ interface(`pki_tps_admin',`
attribute pki_tps_executable;
attribute pki_tps_var_lib;
attribute pki_tps_var_log;
+ attribute pki_tps_var_run;
attribute pki_tps_script;
')
@@ -930,6 +957,7 @@ interface(`pki_tps_admin',`
allow $2 system_r;
manage_all_pattern($1, pki_tps_config)
+ manage_all_pattern($1, pki_tps_var_run)
manage_all_pattern($1, pki_tps_var_lib)
manage_all_pattern($1, pki_tps_var_log)
manage_all_pattern($1, pki_tps_config)
diff --git a/pki/base/selinux/src/pki.te b/pki/base/selinux/src/pki.te
index 84da2e54a..6bd3d98b6 100644
--- a/pki/base/selinux/src/pki.te
+++ b/pki/base/selinux/src/pki.te
@@ -1,4 +1,4 @@
-policy_module(pki,1.0.16)
+policy_module(pki,1.0.17)
attribute pki_ca_config;
attribute pki_ca_executable;
diff --git a/pki/base/setup/pkicommon b/pki/base/setup/pkicommon
index 2ff95db4b..c2dde215d 100755
--- a/pki/base/setup/pkicommon
+++ b/pki/base/setup/pkicommon
@@ -102,9 +102,9 @@ my $is_IPv6 = 0;
# Compute "hardware platform" of Operating System
if( $^O eq "linux" ) {
- $default_hardware_platform = `uname -i`;
- $default_hardware_platform =~ s/\s+$//g;
- chomp( $default_hardware_platform );
+ $default_hardware_platform = `uname -i`;
+ $default_hardware_platform =~ s/\s+$//g;
+ chomp( $default_hardware_platform );
if( $default_hardware_platform eq "i386" ) {
# 32-bit Linux
$default_system_binaries = "/bin";
@@ -137,9 +137,9 @@ if( $^O eq "linux" ) {
$hostname = hostname;
}
} elsif( $^O eq "solaris" ) {
- $default_hardware_platform = `uname -p`;
- $default_hardware_platform =~ s/\s+$//g;
- chomp( $default_hardware_platform );
+ $default_hardware_platform = `uname -p`;
+ $default_hardware_platform =~ s/\s+$//g;
+ chomp( $default_hardware_platform );
if( ( $default_hardware_platform eq "sparc" ) &&
( -d "/usr/lib/sparcv9/" ) ) {
@@ -217,6 +217,12 @@ $HTTPS_PREFIX = "https://";
$LDAP_PREFIX = "ldap://";
$LDAPS_PREFIX = "ldaps://";
+# Identity values
+$PKI_USER = "pkiuser";
+$PKI_GROUP = "pkiuser";
+$PKI_UID = 17;
+$PKI_GID = 17;
+
# Subsystem names
$CA = "ca";
$KRA = "kra";
@@ -464,6 +470,90 @@ sub user_exists
}
+# arg0 username
+# arg1 groupname
+# return 1 - success, or
+# return 0 - failure
+sub create_user
+{
+ my( $username ) = $_[0];
+ my( $groupname ) = $_[1];
+
+ my $command = "";
+ my $report = "";
+
+ my $result = 0;
+
+ if( ( $username eq $PKI_USER ) &&
+ ( $groupname eq $PKI_GROUP ) ) {
+ # Attempt to create $PKI_USER with $PKI_UID
+ emit( "create_user(): Adding default PKI user '$username' "
+ . "(uid=$PKI_UID) to '/etc/passwd'.\n", "debug" );
+ if( $^O eq "linux" ) {
+ $command = "/usr/sbin/useradd "
+ . "-g $groupname "
+ . "-d /usr/share/pki "
+ . "-s /sbin/nologin "
+ . "-c 'Certificate System' "
+ . "-u $PKI_UID "
+ . "-r "
+ . "$username";
+ } elsif( $^O eq "solaris" ) {
+ $command = "/usr/sbin/useradd "
+ . "-g $groupname "
+ . "-d /usr/share/pki "
+ . "-s /bin/false "
+ . "-c 'Certificate System' "
+ . "-u $PKI_UID "
+ . "$username";
+ } else {
+ $command = "/usr/sbin/useradd "
+ . "-g $groupname "
+ . "-d /usr/share/pki "
+ . "-s '' "
+ . "-c 'Certificate System' "
+ . "-u $PKI_UID "
+ . "$username";
+ }
+ } else {
+ # Attempt to create $username with random UID
+ emit( "create_user(): Adding default PKI user '$username' "
+ . "(uid=random) to '/etc/passwd'.\n", "debug" );
+ if( $^O eq "linux" ) {
+ $command = "/usr/sbin/useradd "
+ . "-g $groupname "
+ . "-d /usr/share/pki "
+ . "-s /sbin/nologin "
+ . "-c 'Certificate System' "
+ . "$username";
+ } elsif( $^O eq "solaris" ) {
+ $command = "/usr/sbin/useradd "
+ . "-g $groupname "
+ . "-d /usr/share/pki "
+ . "-s /bin/false "
+ . "-c 'Certificate System' "
+ . "$username";
+ } else {
+ $command = "/usr/sbin/useradd "
+ . "-g $groupname "
+ . "-d /usr/share/pki "
+ . "-s '' "
+ . "-c 'Certificate System' "
+ . "$username";
+ }
+ }
+
+ $report = `$command`;
+ if( $report ne "" ) {
+ emit( "$report", "error" );
+ }
+
+ $result = user_exists( $username );
+
+ return $result;
+}
+
+
# arg0 groupname
# return 1 - exists, or
# return 0 - DOES NOT exist
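Review bot: `$report = `$command`;` captures only stdout, but useradd reports failures on stderr and through its exit status, so `if( $report ne "" )` never sees them and a failure is only noticed indirectly by the later `user_exists()` call; use `$report = `$command 2>&1`;` and test `$?` before falling through. `$username` and `$groupname` are interpolated unquoted into a shell command line that runs as root, so either pass a list to `system()` or reject anything that is not a plain account name before building the string. The generic (non-linux, non-solaris) branch passes `-s ''`, which leaves the passwd shell field empty, and an empty field is exactly what login(1) fills in with the default shell, so that branch does not produce a no-login account. `create_group` below has the same stdout-only result check.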
@@ -483,7 +573,65 @@ sub group_exists
}
+# arg0 groupname
+# return 1 - success, or
+# return 0 - failure
+sub create_group
+{
+ my( $groupname ) = $_[0];
+
+ my $command = "";
+ my $report = "";
+
+ my $result = 0;
+
+ if( $groupname eq $PKI_GROUP ) {
+ # Attempt to create $PKI_GROUP with $PKI_GID
+ emit( "Adding default PKI group '$groupname' "
+ . "(gid=$PKI_GID) to '/etc/group'.\n", "debug" );
+ if( $^O eq "linux" ) {
+ $command = "/usr/sbin/groupadd "
+ . "-g $PKI_GID "
+ . "-r "
+ . "$groupname";
+ } elsif( $^O eq "solaris" ) {
+ $command = "/usr/sbin/groupadd "
+ . "-g $PKI_GID "
+ . "$groupname";
+ } else {
+ $command = "/usr/sbin/groupadd "
+ . "-g $PKI_GID "
+ . "$groupname";
+ }
+ } else {
+ # Attempt to create $groupname with random GID
+ emit( "Adding default PKI group '$groupname' "
+ . "(gid=random) to '/etc/group'.\n", "debug" );
+ if( $^O eq "linux" ) {
+ $command = "/usr/sbin/groupadd "
+ . "$groupname";
+ } elsif( $^O eq "solaris" ) {
+ $command = "/usr/sbin/groupadd "
+ . "$groupname";
+ } else {
+ $command = "/usr/sbin/groupadd "
+ . "$groupname";
+ }
+ }
+
+ $report = `$command`;
+ if( $report ne "" ) {
+ emit( "$report", "error" );
+ }
+
+ $result = group_exists( $groupname );
+
+ return $result;
+}
+
+
# arg0 username
+# arg1 groupname
# return 1 - disallows shell, or
# return 0 - allows shell
sub user_disallows_shell
@@ -498,10 +646,10 @@ sub user_disallows_shell
$sans_shell="/sbin/nologin";
$result = 0;
} elsif( $^O eq "solaris" ) {
- $sans_shell="";
+ $sans_shell="/bin/false";
$result = 0;
} else {
- # Don't care
+ $sans_shell="";
return 1;
}
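Review bot: In the final `else` branch `$sans_shell="";` is assigned and then immediately discarded by `return 1;`, so the old `# Don't care` comment has been replaced by a dead store; keep the comment and drop the assignment, or let that branch fall through to the comparison like the other two. The header comment now lists `# arg1 groupname`, but nothing in this hunk reads a second argument — confirm against the signature, which lies outside the hunk.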
@@ -512,7 +660,9 @@ sub user_disallows_shell
my( $name, $passwd, $uid, $gid, $quota,
$comment, $gcos, $dir, $shell, $expire ) = getpwnam( $username );
- if( $shell eq $sans_shell ) {
+ if( $shell eq "" ) {
+ $result = 1;
+ } elsif( $shell eq $sans_shell ) {
$result = 1;
} else {
# issue a warning and continue
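Review bot: The new `if( $shell eq "" ) { $result = 1; }` branch treats an empty passwd shell field as a shell-less account, but on Linux and Solaris an empty field makes login(1) supply the default shell (/bin/sh), so the function now reports the permissive case as safe. An empty `$shell` should take the warning path instead, e.g. `if( $shell ne "" && $shell eq $sans_shell ) { $result = 1; } else { ... }`, with a comment such as `# an empty shell field means login(1) uses the default shell`. user_disallows_shell's body continues outside the hunk.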
diff --git a/pki/base/setup/pkicreate b/pki/base/setup/pkicreate
index d65e23715..d44c4a134 100755
--- a/pki/base/setup/pkicreate
+++ b/pki/base/setup/pkicreate
@@ -242,9 +242,6 @@ my $cmsbundle_jar_base_name = "cmsbundle.jar"; # CA, KRA, OCSP, TKS
my $cmscore_jar_base_name = "cmscore.jar"; # CA, KRA, OCSP, TKS
my $conf_base_name = "conf"; # CA, KRA, OCSP, TKS,
# RA, TPS
-# BEGIN Legacy Start/Stop Implementation
-my $httpd_base_name = "httpd"; # RA, TPS
-# END Legacy Start/Stop Implementation
my $httpd_conf_base_name = "httpd.conf"; # RA, TPS
my $index_html_base_name = "index.html"; # CA, KRA, OCSP, TKS
my $logs_base_name = "logs"; # CA, KRA, OCSP, TKS,
@@ -271,9 +268,6 @@ my $velocity_prop_base_name = "velocity.properties"; # CA, KRA, OCSP, TKS
my $web_xml_base_name = "web.xml"; # CA, KRA, OCSP, TKS
# Subdirectory names
-# BEGIN Legacy Start/Stop Implementation
-my $initd_base_subsystem_dir = "init.d"; # RA, TPS
-# END Legacy Start/Stop Implementation
my $perl_base_instance_symlink = "perl"; # RA, TPS
my $perl_base_subsystem_dir = "perl"; # RA, TPS
my $signed_audit_base_instance_dir = "signedAudit"; # CA, KRA, OCSP, TKS, TPS
@@ -282,7 +276,7 @@ my $webapps_root_base_subsystem_dir = "ROOT"; # CA, KRA, OCSP, TKS
my $webinf_base_instance_dir = "WEB-INF"; # CA, KRA, OCSP, TKS
# Defaults
-my $default_apache_pids_path = "/var/run";
+my $default_apache_pids_path = "/var/run/pki";
my $default_java_path = "/usr/share/java";
my $default_dir_permissions = 00770;
my $default_exe_permissions = 00770;
@@ -291,8 +285,8 @@ my $default_security_token = "internal";
my $default_tomcat_common_path = "/var/lib/tomcat5/common";
# Default PKI user and group to give to PKI installed files
-my $pki_user = "pkiuser";
-my $pki_group = "pkiuser";
+my $pki_user = $PKI_USER;
+my $pki_group = $PKI_GROUP;
# PKI creation constants
my $db_password_low = 100000000000;
@@ -531,11 +525,6 @@ my $pki_cfg_instance_file_path = ""; # CA, KRA, OCSP, TKS,
# RA, TPS
my $pki_cfg_subsystem_file_path = ""; # CA, KRA, OCSP, TKS,
# RA, TPS
-# BEGIN Legacy Start/Stop Implementation
-my $pki_start_stop_script_instance_file_path = ""; # RA, TPS
-my $pki_start_stop_script_subsystem_file_path = ""; # RA, TPS
-my $pki_start_stop_script_symlink_path = ""; # RA, TPS
-# END Legacy Start/Stop Implementation
my $schemaMods_ldif_instance_file_path = ""; # RA, TPS
my $schemaMods_ldif_subsystem_file_path = ""; # RA, TPS
my $server_xml_instance_file_path = ""; # CA, KRA, OCSP, TKS
@@ -1026,16 +1015,9 @@ sub pki_instance_already_exists
my $result = 0;
my $instance = "";
- if( ( $subsystem_type eq $RA || $subsystem_type eq $TPS ) ) {
- # BEGIN Legacy Start/Stop Implementation
- $instance = $default_init_scripts_path
- . "/" . $name;
- # END Legacy Start/Stop Implementation
- } else {
- $instance = $pki_registry_path
- . "/" . $subsystem_type
- . "/" . $name;
- }
+ $instance = $pki_registry_path
+ . "/" . $subsystem_type
+ . "/" . $name;
if( -e $instance ) {
$result = 1;
@@ -1310,65 +1292,71 @@ sub parse_arguments()
}
- ## Optional "-user=<username>" option
- if( $username ne "" ) {
- if( $groupname eq "" ) {
+ ## Optional "-group=<groupname>" option
+ if( $groupname ne "" ) {
+ if( $username eq "" ) {
usage();
- emit( "Must ALSO specify group ownership using -group!\n",
+ emit( "Must ALSO specify user ownership using -user!\n",
"error" );
return 0;
}
- if( !user_exists( $username ) ) {
- usage();
- emit( "The user '$username' is invalid on this machine!\n",
- "error" );
- return 0;
+ if( !group_exists( $groupname ) ) {
+ if( !create_group( $groupname ) ) {
+ usage();
+ emit( "Unable to create group '$groupname' on this machine!\n",
+ "error" );
+ return 0;
+ }
}
- # Overwrite default value of $pki_user with user-specified $username
- $pki_user = $username;
- }
-
-
- # At this point in time, ALWAYS check that "$pki_user" exists!
- if( !user_exists( $pki_user ) ) {
- usage();
- emit( "Please contact your system administrator "
- . "to create '$pki_user'!\n",
- "error" );
- return 0;
+ # Overwrite default value of $pki_group with user-specified $groupname
+ $pki_group = $groupname;
}
- ## Optional "-group=<groupname>" option
- if( $groupname ne "" ) {
- if( $username eq "" ) {
+ # At this point in time, ALWAYS check that "$pki_group" exists!
+ if( !group_exists( $pki_group ) ) {
+ if( !create_group( $pki_group ) ) {
usage();
- emit( "Must ALSO specify user ownership using -user!\n",
+ emit( "Unable to create group '$pki_group' on this machine!\n",
"error" );
return 0;
}
+ }
- if( !group_exists( $groupname ) ) {
+
+ ## Optional "-user=<username>" option
+ if( $username ne "" ) {
+ if( $groupname eq "" ) {
usage();
- emit( "The group '$groupname' is invalid on this machine!\n",
+ emit( "Must ALSO specify group ownership using -group!\n",
"error" );
return 0;
}
- # Overwrite default value of $pki_group with user-specified $groupname
- $pki_group = $groupname;
+ if( !user_exists( $username ) ) {
+ if( !create_user( $username, $groupname ) ) {
+ usage();
+ emit( "Unable to create user '$username' on this machine!\n",
+ "error" );
+ return 0;
+ }
+ }
+
+ # Overwrite default value of $pki_user with user-specified $username
+ $pki_user = $username;
}
- # At this point in time, ALWAYS check that "$pki_group" exists!
- if( !group_exists( $pki_group ) ) {
- usage();
- emit( "Please contact your system administrator "
- . "to create '$pki_group'!\n",
- "error" );
- return 0;
+ # At this point in time, ALWAYS check that "$pki_user" exists!
+ if( !user_exists( $pki_user ) ) {
+ if( !create_user( $pki_user, $pki_group ) ) {
+ usage();
+ emit( "Unable to create user '$pki_user' on this machine!\n",
+ "error" );
+ return 0;
+ }
}
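Review bot: `create_group()` and `create_user()` now receive the raw `-group=`/`-user=` values and, per the pkicommon hunk above, splice them into a groupadd/useradd command line, so parse_arguments should reject anything that is not a plain account name before calling them, e.g. `if( $username !~ /^[a-z_][a-z0-9_-]*$/ ) { emit( "Invalid user name '$username'!\n", "error" ); return 0; }` and the same for `$groupname`. Calling `usage()` when account creation fails prints the option summary for what is a system error rather than an argument error; an `emit` alone is clearer. The behaviour also changes from "refuse and ask the administrator to create the account" to creating a system account as a side effect of pkicreate, which deserves a line in the usage text. parse_arguments starts and ends outside this hunk.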
@@ -1626,16 +1614,6 @@ sub initialize_subdirectory_paths()
## Initialize subdirectory paths (subsystem independent)
$pki_cfg_subsystem_file_path = $conf_subsystem_path
. "/" . $pki_cfg_base_name;
- # BEGIN Legacy Start/Stop Implementation
- $pki_start_stop_script_instance_file_path = $default_init_scripts_path
- . "/" . $pki_instance_name;
- $pki_start_stop_script_subsystem_file_path = $pki_subsystem_path
- . "/" . $etc_base_subsystem_dir
- . "/" . $initd_base_subsystem_dir
- . "/" . $httpd_base_name;
- $pki_start_stop_script_symlink_path = $pki_instance_path
- . "/" . $pki_instance_name;
- # END Legacy Start/Stop Implementation
if( $^O eq "linux" ) {
$setup_config_instance_file_path = $setup_config_area
. "/" . $pki_instance_name
@@ -1811,17 +1789,8 @@ sub initialize_subdirectory_paths()
. "/" . $server_xml_base_name;
$servercertnick_conf_subsystem_file_path = $conf_subsystem_path
. "/" . $servercertnick_conf_base_name;
- if( ( $subsystem_type ne $RA && $subsystem_type ne $TPS ) ) {
- $subsystem_jar_file_path = $default_java_path
- . "/" . $subsystem_type . ".jar";
- } else {
- # BEGIN Legacy Start/Stop Implementation
- $subsystem_jar_file_path = $default_java_path
- . "/" . $pki_flavor
- . "/" . $subsystem_type
+ $subsystem_jar_file_path = $default_java_path
. "/" . $subsystem_type . ".jar";
- # END Legacy Start/Stop Implementation
- }
$subsystem_jar_symlink_path = $webinf_lib_instance_path
. "/" . $subsystem_type . ".jar";
$tomcat5_conf_subsystem_file_path = $conf_subsystem_path
@@ -2558,32 +2527,6 @@ LoadModule nss_module /opt/fortitude/modules.local/libmodnss.so
chmod( $default_file_permissions,
$pki_cfg_instance_file_path );
- # BEGIN Legacy Start/Stop Implementation
- if( ( $subsystem_type eq $RA || $subsystem_type eq $TPS ) ) {
- # process "httpd" template
- #
- # NOTE: CA, KRA, OCSP, TKS instances are dependent upon the location
- # of the instance-specific "server.xml" file, while RA and TPS
- # instances are dependent upon the instance-specific location
- # of the "nss.conf" file.
- #
- $result = process_file_template(
- $pki_start_stop_script_subsystem_file_path,
- $pki_start_stop_script_instance_file_path,
- \%slot_hash );
- if( !$result ) {
- return 0;
- }
-
- chmod( $default_exe_permissions,
- $pki_start_stop_script_instance_file_path );
-
- push( @installed_files,
- $pki_start_stop_script_instance_file_path );
- }
- # END Legacy Start/Stop Implementation
-
-
if( $^O eq "linux" ) {
# process "config.desktop" template
$result = process_file_template( $setup_config_subsystem_file_path,
@@ -2928,85 +2871,61 @@ sub process_pki_files_and_symlinks()
chmod( $default_file_permissions,
$pfile_instance_file_path );
+ # generate a local init script for this PKI instance
+ my $local_pki_init_script = new FileHandle;
+ my $local_pki_init_script_name = $pki_instance_path
+ . "/" . $pki_instance_name;
+ my $local_pki_init_script_command = "";
+
+ # create this PKI instance's local init script
+ $local_pki_init_script->open( ">$local_pki_init_script_name" ) or
+ die "Could not open $local_pki_init_script_name\n";
+
+ # publish the appropriate contents to this
+ # PKI instance's local init script
+ $local_pki_init_script->print( "#!/bin/bash\n" );
+ $local_pki_init_script->print( "if [ \$# -ne 1 ]; then\n" );
+ $local_pki_init_script->print( " echo \"Usage: \$0 {start|stop|"
+ . "restart|condrestart|force-restart|"
+ . "try-restart|reload|status}\"\n" );
+ $local_pki_init_script->print( " exit 3\n" );
+ $local_pki_init_script->print( "fi\n\n" );
- if( ( $subsystem_type eq $RA || $subsystem_type eq $TPS ) ) {
- # BEGIN Legacy Start/Stop Implementation
- # create instance symlink to actual instance "start/stop" script
- $result = create_symbolic_link( $pki_start_stop_script_symlink_path,
- $pki_start_stop_script_instance_file_path );
- if( !$result ) {
- return 0;
- }
- #
- # NOTE: This symlink requires "$root_user:$root_group" ownership
- # since the destination that it refers to is owned by
- # "$root_user:$root_group".
- #
- $result = give_symbolic_link_to( $pki_start_stop_script_symlink_path,
- $root_user,
- $root_group );
- if( !$result ) {
- emit( "$pki_start_stop_script_instance_file_path ownership problems!",
- "error" );
- return 0;
- }
- # END Legacy Start/Stop Implementation
+ if( $^O eq "linux" ) {
+ $local_pki_init_script_command = "/sbin/service"
+ . " " . $pki_init_script
+ . " " . "\$1"
+ . " " . $pki_instance_name;
} else {
- # generate a local init script for this PKI instance
- my $local_pki_init_script = new FileHandle;
- my $local_pki_init_script_name = $pki_instance_path
- . "/" . $pki_instance_name;
- my $local_pki_init_script_command = "";
-
- # create this PKI instance's local init script
- $local_pki_init_script->open( ">$local_pki_init_script_name" ) or
- die "Could not open $local_pki_init_script_name\n";
-
- # publish the appropriate contents to this
- # PKI instance's local init script
- $local_pki_init_script->print( "#!/bin/bash\n" );
- $local_pki_init_script->print( "if [ \$# -ne 1 ]; then\n" );
- $local_pki_init_script->print( " echo \"Usage: \$0 {start|stop|restart|condrestart|force-restart|try-restart|reload|status}\"\n" );
- $local_pki_init_script->print( " exit 3\n" );
- $local_pki_init_script->print( "fi\n\n" );
-
- if( $^O eq "linux" ) {
- $local_pki_init_script_command = "/sbin/service"
- . " " . $pki_init_script
- . " " . "\$1"
- . " " . $pki_instance_name;
- } else {
- # default case: e. g. - ( $^O eq "solaris" )
- $local_pki_init_script_command = $default_init_scripts_path
- . "/" . $pki_init_script
- . " " . "\$1"
- . " " . $pki_instance_name;
- }
-
- $local_pki_init_script->print( "$local_pki_init_script_command\n\n" );
+ # default case: e. g. - ( $^O eq "solaris" )
+ $local_pki_init_script_command = $default_init_scripts_path
+ . "/" . $pki_init_script
+ . " " . "\$1"
+ . " " . $pki_instance_name;
+ }
- # close and save this PKI instance's local init script
- $local_pki_init_script->close();
+ $local_pki_init_script->print( "$local_pki_init_script_command\n\n" );
- #
- # NOTE: This PKI instance's local init script requires
- # "$root_user:$root_group" ownership since the
- # destination that it refers to is owned by
- # "$root_user:$root_group".
- #
- $result = give_file_to( $local_pki_init_script_name,
- $root_user,
- $root_group );
- if( !$result ) {
- emit( "$local_pki_init_script_name ownership problems!",
- "error" );
- return 0;
- }
+ # close and save this PKI instance's local init script
+ $local_pki_init_script->close();
- chmod( $default_exe_permissions,
- $local_pki_init_script_name );
+ #
+ # NOTE: This PKI instance's local init script requires
+ # "$root_user:$root_group" ownership since the
+ # destination that it refers to is owned by
+ # "$root_user:$root_group".
+ #
+ $result = give_file_to( $local_pki_init_script_name,
+ $root_user,
+ $root_group );
+ if( !$result ) {
+ emit( "$local_pki_init_script_name ownership problems!",
+ "error" );
+ return 0;
}
+ chmod( $default_exe_permissions,
+ $local_pki_init_script_name );
## Populate instances (RA, TPS instances)
if( $subsystem_type eq $RA || $subsystem_type eq $TPS ) {
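Review bot: The generated wrapper passes `$1` to `/sbin/service` unquoted (`. " " . "\$1"`), and the only validation it performs is the argument count, so an argument containing whitespace splits into extra words; emit `. " " . "\"\$1\""` instead, or generate a `case "$1" in ... esac` over the verbs listed in the usage string so the two cannot drift apart. The generated script also does not forward the service's exit status to its caller; prefixing the command line with `exec ` fixes that in one line. process_pki_files_and_symlinks continues outside the hunk.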
@@ -3048,7 +2967,8 @@ sub process_pki_files_and_symlinks()
# create instance symlink to apache "run" subdirectory
$result = create_symbolic_link( $run_instance_symlink_path,
- $default_apache_pids_path );
+ ( $default_apache_pids_path
+ . "/" . $subsystem_type ) );
if( !$result ) {
return 0;
}
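Review bot: The `run` symlink now targets `$default_apache_pids_path . "/" . $subsystem_type`, i.e. /var/run/pki/<subsystem> given the default changed earlier in this diff, but nothing in this hunk creates that directory or gives it `$pki_user:$pki_group` ownership and the `$1_var_run_t` label introduced in pki.if. If the spec file or init script creates it, a comment here saying so would help; if /var/run is a tmpfs on the target, the directory has to be recreated on every boot before httpd writes its pid file. process_pki_files_and_symlinks continues outside the hunk.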
@@ -3452,8 +3372,169 @@ sub construct_pki_instance_registry()
. "conf/"
. "restart_server_after_configuration\n" );
$pki_instance_registry->print( "export RESTART_SERVER\n\n" );
-# } elsif( $subsystem_type eq $RA ||
-# $subsystem_type eq $TPS ) {
+ } elsif( $subsystem_type eq $RA ||
+ $subsystem_type eq $TPS ) {
+ $pki_instance_registry->print( "# Establish PKI Variable \"Slot\" "
+ . "Substitutions\n\n" );
+ $pki_instance_registry->print( "PKI_INSTANCE_ID=$pki_instance_name\n" );
+ $pki_instance_registry->print( "export PKI_INSTANCE_ID\n\n" );
+ $pki_instance_registry->print( "PKI_HTTPD_CONF="
+ . "$httpd_conf_instance_file_path\n" );
+ $pki_instance_registry->print( "export PKI_HTTPD_CONF\n\n" );
+ $pki_instance_registry->print( "PKI_SERVER_ROOT=$pki_instance_path\n" );
+ $pki_instance_registry->print( "export PKI_SERVER_ROOT\n\n" );
+ $pki_instance_registry->print( "PKI_SYSTEM_USER_LIBRARIES="
+ . "$default_system_user_libraries\n" );
+ $pki_instance_registry->print( "export PKI_SYSTEM_USER_LIBRARIES\n\n" );
+ if( is_Fedora() || (is_RHEL() && (! is_RHEL4())) ) {
+ $pki_instance_registry->print( "PKI_FORTITUDE_DIR=\"/usr\"\n" );
+ } else {
+ $pki_instance_registry->print( "PKI_FORTITUDE_DIR="
+ . "\"/opt/fortitude\"\n" );
+ }
+ $pki_instance_registry->print( "export PKI_FORTITUDE_DIR\n\n" );
+ $pki_instance_registry->print( "PKI_NSS_CONF="
+ . "$nss_conf_instance_file_path\n" );
+ $pki_instance_registry->print( "export PKI_NSS_CONF\n\n" );
+ $pki_instance_registry->print( "PKI_SERVER_NAME=$host\n" );
+ $pki_instance_registry->print( "export PKI_SERVER_NAME\n\n" );
+ $pki_instance_registry->print( "PKI_GROUP=$pki_group\n" );
+ $pki_instance_registry->print( "export PKI_GROUP\n\n" );
+ $pki_instance_registry->print( "PKI_USER=$pki_user\n" );
+ $pki_instance_registry->print( "export PKI_USER\n\n" );
+ $pki_instance_registry->print( "##################"
+ . "##################"
+ . "##################"
+ . "##################\n" );
+ $pki_instance_registry->print( "# This section contains "
+ . "modified content of "
+ . "\"/etc/sysconfig/httpd\" #\n" );
+ $pki_instance_registry->print( "##################"
+ . "##################"
+ . "##################"
+ . "##################\n" );
+ $pki_instance_registry->print( "# Configuration file for the "
+ . "\${PKI_INSTANCE_ID} service.\n\n" );
+ $pki_instance_registry->print( "#\n" );
+ $pki_instance_registry->print( "# The default processing model (MPM) "
+ . "is the process-based\n" );
+ $pki_instance_registry->print( "# 'prefork' model. A thread-based "
+ . "model, 'worker', is also\n" );
+ $pki_instance_registry->print( "# available, but does not work with "
+ . "some modules (such as PHP).\n" );
+ $pki_instance_registry->print( "# The service must be stopped before "
+ . "changing this variable.\n" );
+ $pki_instance_registry->print( "#\n" );
+ $pki_instance_registry->print( "PKI_HTTPD="
+ . "\${PKI_FORTITUDE_DIR}"
+ . "/sbin/httpd.worker\n" );
+ $pki_instance_registry->print( "export PKI_HTTPD\n\n" );
+ $pki_instance_registry->print( "#\n" );
+ $pki_instance_registry->print( "# To pass additional options (for "
+ . "instance, -D definitions) to the\n" );
+ $pki_instance_registry->print( "# httpd binary at startup, "
+ . "set PKI_OPTIONS here.\n" );
+ $pki_instance_registry->print( "#\n" );
+ $pki_instance_registry->print( "PKI_OPTIONS="
+ . "\"-f \${PKI_HTTPD_CONF}\"\n" );
+ $pki_instance_registry->print( "export PKI_OPTIONS\n\n" );
+ $pki_instance_registry->print( "#\n" );
+ $pki_instance_registry->print( "# By default, the httpd process "
+ . "is started in the C locale; to\n" );
+ $pki_instance_registry->print( "# change the locale in which the "
+ . "server runs, the PKI_HTTPD_LANG\n" );
+ $pki_instance_registry->print( "# variable can be set.\n" );
+ $pki_instance_registry->print( "#\n" );
+ $pki_instance_registry->print( "PKI_HTTPD_LANG=C\n" );
+ $pki_instance_registry->print( "export PKI_HTTPD_LANG\n" );
+ $pki_instance_registry->print( "##################"
+ . "##################"
+ . "##################"
+ . "##################\n" );
+ $pki_instance_registry->print( "# "
+ . " "
+ . " "
+ . " #\n" );
+ $pki_instance_registry->print( "##################"
+ . "##################"
+ . "##################"
+ . "##################\n\n" );
+ $pki_instance_registry->print( "# This will prevent initlog from "
+ . "swallowing up a pass-phrase prompt "
+ . "if\n" );
+ $pki_instance_registry->print( "# mod_ssl needs a pass-phrase from "
+ . "the user.\n" );
+ $pki_instance_registry->print( "PKI_INITLOG_ARGS=\"\"\n" );
+ $pki_instance_registry->print( "export PKI_INITLOG_ARGS\n\n" );
+ $pki_instance_registry->print( "# Set PKI_HTTPD=/usr/sbin/httpd.worker "
+ . "in /etc/sysconfig/httpd to use a "
+ . "server\n" );
+ $pki_instance_registry->print( "# with the thread-based \"worker\" "
+ . "MPM; BE WARNED that some modules "
+ . "may not\n" );
+ $pki_instance_registry->print( "# work correctly with a "
+ . "thread-based MPM; notably "
+ . "PHP will refuse to start.\n\n" );
+ $pki_instance_registry->print( "# Path to the server binary and "
+ . "short-form for messages.\n" );
+ $pki_instance_registry->print( "httpd=\${PKI_HTTPD}\n" );
+ $pki_instance_registry->print( "export httpd\n" );
+ $pki_instance_registry->print( "prog=\${PKI_INSTANCE_ID}\n" );
+ $pki_instance_registry->print( "export prog\n" );
+ $pki_instance_registry->print( "PKI_LOCKDIR="
+ . "\"/var/lock/$pki_flavor/"
+ . "$subsystem_type\"\n" );
+ $pki_instance_registry->print( "export PKI_LOCKDIR\n" );
+ $pki_instance_registry->print( "PKI_LOCKFILE="
+ . "\"\${PKI_LOCKDIR}/"
+ . "\${PKI_INSTANCE_ID}.pid\"\n" );
+ $pki_instance_registry->print( "export PKI_LOCKFILE\n" );
+ $pki_instance_registry->print( "PKI_PIDFILE="
+ . "\"\${PKI_INSTANCE_ID}.pid\"\n" );
+ $pki_instance_registry->print( "export PKI_PIDFILE\n" );
+ $pki_instance_registry->print( "pki_instance_configuration_file="
+ . "\${PKI_SERVER_ROOT}/conf/CS.cfg\n" );
+ $pki_instance_registry->print( "export "
+ . "pki_instance_configuration_file\n" );
+ $pki_instance_registry->print( "pki_logs_directory="
+ . "\${PKI_SERVER_ROOT}/logs\n" );
+ $pki_instance_registry->print( "export "
+ . "pki_logs_directory\n" );
+ $pki_instance_registry->print( "RESTART_SERVER=\${PKI_SERVER_ROOT}/"
+ . "conf/"
+ . "restart_server_after_configuration\n" );
+ $pki_instance_registry->print( "export RESTART_SERVER\n" );
+ $pki_instance_registry->print( "RETVAL=0\n" );
+ $pki_instance_registry->print( "export RETVAL\n\n" );
+ $pki_instance_registry->print( "# see if httpd is linked with the "
+ . "openldap libraries - we need to "
+ . "override them\n" );
+ $pki_instance_registry->print( "if [ \${OS} = \"Linux\" ]; then\n" );
+ $pki_instance_registry->print( " hasopenldap=0\n\n" );
+ $pki_instance_registry->print( " /usr/bin/ldd \${httpd} 2>&1 | "
+ . "grep libldap- > /dev/null 2>&1 && "
+ . "hasopenldap=1\n\n" );
+ $pki_instance_registry->print( " if [ \${hasopenldap} -eq 1 ] ; "
+ . "then\n" );
+ $pki_instance_registry->print( " LD_PRELOAD="
+ . "\"\${PKI_SYSTEM_USER_LIBRARIES}/"
+ . "libldap60.so\"\n" );
+ $pki_instance_registry->print( " LD_PRELOAD="
+ . "\"\${PKI_SYSTEM_USER_LIBRARIES}/"
+ . "libssl3.so:"
+ . "\${LD_PRELOAD}\"\n" );
+ $pki_instance_registry->print( " export LD_PRELOAD\n" );
+ $pki_instance_registry->print( " fi\n" );
+ $pki_instance_registry->print( "elif [ \${OS} = \"SunOS\" ]; then\n" );
+ $pki_instance_registry->print( " LD_PRELOAD_64="
+ . "\"\${PKI_SYSTEM_USER_LIBRARIES}/"
+ . "libldap60.so\"\n" );
+ $pki_instance_registry->print( " LD_PRELOAD_64="
+ . "\"\${PKI_SYSTEM_USER_LIBRARIES}/"
+ . "dirsec/libssl3.so:"
+ . "\${LD_PRELOAD_64}\"\n" );
+ $pki_instance_registry->print( " export LD_PRELOAD_64\n" );
+ $pki_instance_registry->print( "fi\n" );
}
# close and save this PKI instance's registry entry
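Review bot: The generated comment `# The default processing model (MPM) is the process-based 'prefork' model` contradicts the value written a few lines later, `PKI_HTTPD=${PKI_FORTITUDE_DIR}/sbin/httpd.worker`, and the later `# Set PKI_HTTPD=/usr/sbin/httpd.worker in /etc/sysconfig/httpd` text is copied from the system sysconfig file and does not apply to this registry; rewrite both to describe what this file actually sets. Values such as `PKI_SERVER_ROOT=$pki_instance_path`, `PKI_HTTPD_CONF=$httpd_conf_instance_file_path` and `PKI_SERVER_NAME=$host` are written unquoted into a file the init script sources as root, so quote them (`PKI_SERVER_ROOT=\"$pki_instance_path\"`) as PKI_LOCKDIR already is. PKI_LOCKFILE is given a `.pid` suffix under /var/lock while PKI_PIDFILE is a bare file name with no directory — presumably the init script prefixes it, but the naming invites confusion. `${OS}` in `if [ ${OS} = "Linux" ]` is not set anywhere in this file, so it must come from the sourcing init script; confirm that and quote it. construct_pki_instance_registry continues outside the hunk.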
@@ -3624,18 +3705,6 @@ sub process_pki_selinux_setup()
system("$restorecon -F -R /usr/bin/dtomcat5-$pki_instance_name");
}
- # BEGIN Legacy Start/Stop Implementation
- if( ( $subsystem_type eq $RA || $subsystem_type eq $TPS ) ) {
- # set file context for /etc/rc.d/init.d/$pki_instance_name"
- if ($pki_instance_name ne $default_inst_name) {
- &add_selinux_file_context($setype . "_script_exec_t",
- "/etc/rc\\.d/init\\.d/$pki_instance_name", "f");
- }
- emit("Restorecon file context for /etc/rc.d/init.d/$pki_instance_name\n");
- system("$restorecon -F -R /etc/rc.d/init.d/$pki_instance_name");
- }
- # END Legacy Start/Stop Implementation
-
# set file context for $pki_instance_root/$pki_instance_name
if (($pki_instance_name ne $default_inst_name) || ($pki_instance_root ne $default_inst_root)) {
&add_selinux_file_context( $setype . "_var_lib_t",
@@ -3765,16 +3834,9 @@ sub install_pki_instance()
return 0;
}
- if( ( $subsystem_type ne $RA && $subsystem_type ne $TPS ) ) {
- $result = register_pki_instance();
- if( !$result ) {
- return 0;
- }
-# BEGIN Legacy Start/Stop Implementation
-# } else {
-# # Instance Registration ONLY applies
-# # to the new Start/Stop Implementation
-# END Legacy Start/Stop Implementation
+ $result = register_pki_instance();
+ if( !$result ) {
+ return 0;
}
if (($^O eq "linux") && ( is_Fedora() || (is_RHEL() && (! is_RHEL4())))){
@@ -3980,58 +4042,18 @@ ASK_AGAIN:
exit 255;
}
- # BEGIN Legacy Start/Stop Implementation
- if( ( $subsystem_type eq $RA || $subsystem_type eq $TPS ) ) {
- # Register this instance with "chkconfig"
- if( $^O eq "linux" ) {
- my $runlevel = $DEFAULT_RUNLEVEL;
- my $start_priority = $DEFAULT_START_PRIORITY;
- my $stop_priority = $DEFAULT_STOP_PRIORITY;
-
- # Extract "chkconfig" parameters from instance start/stop script
- ( $runlevel, $start_priority, $stop_priority ) =
- extract_chkconfig_parameters_from_start_stop_script(
- $pki_start_stop_script_instance_file_path );
- emit( "Setting '$pki_instance_name' runlevel "
- . "to '$runlevel'\n" );
- emit( "Setting '$pki_instance_name' start priority "
- . "to '$start_priority'\n" );
- emit( "Setting '$pki_instance_name' stop priority "
- . "to '$stop_priority'\n" );
-
- # Register this instance with '/sbin/chkconfig'
- register_pki_instance_with_chkconfig( $pki_instance_name );
- }
- }
- # END Legacy Start/Stop Implementation
-
# Activate this instance
if( $^O eq "linux" ) {
- if( ( $subsystem_type eq $RA || $subsystem_type eq $TPS ) ) {
- # BEGIN Legacy Start/Stop Implementation
- $pki_init_script_command = "/sbin/service"
- . " " . $pki_instance_name
- . " " . "restart";
- # END Legacy Start/Stop Implementation
- } else {
- $pki_init_script_command = "/sbin/service"
- . " " . $pki_init_script
- . " " . "restart"
- . " " . $pki_instance_name;
- }
+ $pki_init_script_command = "/sbin/service"
+ . " " . $pki_init_script
+ . " " . "restart"
+ . " " . $pki_instance_name;
} else {
# default case: e. g. - ( $^O eq "solaris" )
- if( ( $subsystem_type eq $RA || $subsystem_type eq $TPS ) ) {
- # BEGIN Legacy Start/Stop Implementation
- $pki_init_script_command = $pki_start_stop_script_instance_file_path
- . " " . "restart";
- # END Legacy Start/Stop Implementation
- } else {
- $pki_init_script_command = $default_init_scripts_path
- . "/" . $pki_init_script
- . " " . "restart"
- . " " . $pki_instance_name;
- }
+ $pki_init_script_command = $default_init_scripts_path
+ . "/" . $pki_init_script
+ . " " . "restart"
+ . " " . $pki_instance_name;
}
$command = "$pki_init_script_command";
diff --git a/pki/base/tps/Makefile.am b/pki/base/tps/Makefile.am
index c13bc5802..68930d873 100644
--- a/pki/base/tps/Makefile.am
+++ b/pki/base/tps/Makefile.am
@@ -183,7 +183,7 @@ docroot_tps_img_DATA =
docroot_tps_js_DATA =
-initd_SCRIPTS = $(srcdir)/etc/init.d/httpd
+initd_SCRIPTS = $(srcdir)/etc/init.d/pki-tpsd
license_DATA = $(srcdir)/LICENSE
@@ -250,8 +250,6 @@ if LINUX
setup_DATA = $(srcdir)/setup/config.desktop
endif
-setup_SCRIPTS = $(srcdir)/setup/postinstall
-
templates_DATA = $(srcdir)/apache/pki_instance_command_wrapper \
$(srcdir)/apache/pki_subsystem_command_wrapper
@@ -269,7 +267,7 @@ libtokendb_la_SOURCES = src/tus/tus_db.c
libtokendb_la_CPPFLAGS = $(AM_CPPFLAGS) @ldapsdk_inc@ @svrcore_inc@ \
@sasl_inc@ @nss_inc@ @nspr_inc@
-libtokendb_la_LDFLAGS = $(AM_LDFLAGS) -avoid-version
+libtokendb_la_LDFLAGS = $(AM_LDFLAGS) -version-info $(GENERIC_LIBRARY_VERSION) --release $(VERSION)
libtokendb_la_LIBADD = $(LDAPSDK_LINK) $(SVRCORE_LINK) \
$(SASL_LINK) $(NSS_LINK) $(NSPR_LINK) $(LIBNSL) $(LIBSOCKET) $(LIBDL) \
$(LIBCSTD) $(LIBCRUN)
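Review bot: The new LDFLAGS combine `-version-info` with `--release`, but libtool documents the second flag as `-release` (single dash); I could not confirm from this diff that the double-dash form is recognised rather than passed through to the compiler driver, so the produced file name (`libtokendb-1.0.0.so.0.0.0` versus a plain `libtokendb.so.0.0.0`) should be checked after a build. The value handed to it is `$(VERSION)`, the package version, while configure.ac substitutes a dedicated `GENERIC_RELEASE` that nothing in this Makefile uses; `-release $(GENERIC_RELEASE)` would match that variable's stated purpose. The same two lines are repeated for libtps_la and libldapauth_la in the next two hunks, so whichever form is chosen should be applied to all three.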
@@ -362,7 +360,7 @@ libtps_la_SOURCES = src/main/Buffer.cpp \
libtps_la_CPPFLAGS = $(AM_CPPFLAGS) @ldapsdk_inc@ @svrcore_inc@ \
@sasl_inc@ @nss_inc@ @nspr_inc@
-libtps_la_LDFLAGS = $(AM_LDFLAGS) -avoid-version
+libtps_la_LDFLAGS = $(AM_LDFLAGS) -version-info $(GENERIC_LIBRARY_VERSION) --release $(VERSION)
libtps_la_LIBADD = ${top_builddir}/libtokendb.la $(LDAPSDK_LINK) \
$(SVRCORE_LINK) $(SASL_LINK) $(NSS_LINK) $(NSPR_LINK) $(LIBNSL) \
$(LIBSOCKET) $(LIBDL) $(LIBCSTD) $(LIBCRUN)
@@ -375,7 +373,7 @@ libldapauth_la_SOURCES = src/authentication/LDAP_Authentication.cpp
libldapauth_la_CPPFLAGS = $(AM_CPPFLAGS) @ldapsdk_inc@ @svrcore_inc@ \
@sasl_inc@ @nss_inc@ @nspr_inc@
-libldapauth_la_LDFLAGS = $(AM_LDFLAGS) -avoid-version
+libldapauth_la_LDFLAGS = $(AM_LDFLAGS) -version-info $(GENERIC_LIBRARY_VERSION) --release $(VERSION)
libldapauth_la_LIBADD = ${top_builddir}/libtps.la $(LDAPSDK_LINK) \
$(SVRCORE_LINK) $(SASL_LINK) $(NSS_LINK) $(NSPR_LINK) $(LIBNSL) \
$(LIBSOCKET) $(LIBDL) $(LIBCSTD) $(LIBCRUN)
diff --git a/pki/base/tps/Makefile.in b/pki/base/tps/Makefile.in
index da70a646a..7a4bbec62 100644
--- a/pki/base/tps/Makefile.in
+++ b/pki/base/tps/Makefile.in
@@ -108,13 +108,12 @@ am__installdirs = "$(DESTDIR)$(apache_modulesdir)" \
"$(DESTDIR)$(libexecdir)" "$(DESTDIR)$(perl_basedir)" \
"$(DESTDIR)$(perl_modulesdir)" "$(DESTDIR)$(perl_servicedir)" \
"$(DESTDIR)$(perl_templatesdir)" "$(DESTDIR)$(scriptsdir)" \
- "$(DESTDIR)$(setupdir)" "$(DESTDIR)$(aliasdir)" \
- "$(DESTDIR)$(appletsdir)" "$(DESTDIR)$(cgibin_demodir)" \
- "$(DESTDIR)$(cgibin_homedir)" "$(DESTDIR)$(cgibin_sodir)" \
- "$(DESTDIR)$(cgibin_sowdir)" "$(DESTDIR)$(confdir)" \
- "$(DESTDIR)$(docrootdir)" "$(DESTDIR)$(docroot_demodir)" \
- "$(DESTDIR)$(docroot_homedir)" "$(DESTDIR)$(docroot_sodir)" \
- "$(DESTDIR)$(docroot_sowdir)" \
+ "$(DESTDIR)$(aliasdir)" "$(DESTDIR)$(appletsdir)" \
+ "$(DESTDIR)$(cgibin_demodir)" "$(DESTDIR)$(cgibin_homedir)" \
+ "$(DESTDIR)$(cgibin_sodir)" "$(DESTDIR)$(cgibin_sowdir)" \
+ "$(DESTDIR)$(confdir)" "$(DESTDIR)$(docrootdir)" \
+ "$(DESTDIR)$(docroot_demodir)" "$(DESTDIR)$(docroot_homedir)" \
+ "$(DESTDIR)$(docroot_sodir)" "$(DESTDIR)$(docroot_sowdir)" \
"$(DESTDIR)$(docroot_tokendbdir)" \
"$(DESTDIR)$(docroot_tps_configdir)" \
"$(DESTDIR)$(docroot_tps_imgdir)" \
@@ -324,7 +323,7 @@ SCRIPTS = $(bin_SCRIPTS) $(cgibin_demo_SCRIPTS) $(cgibin_home_SCRIPTS) \
$(cgibin_so_SCRIPTS) $(cgibin_sow_SCRIPTS) $(initd_SCRIPTS) \
$(libexec_SCRIPTS) $(perl_base_SCRIPTS) \
$(perl_modules_SCRIPTS) $(perl_service_SCRIPTS) \
- $(perl_templates_SCRIPTS) $(scripts_SCRIPTS) $(setup_SCRIPTS)
+ $(perl_templates_SCRIPTS) $(scripts_SCRIPTS)
DEFAULT_INCLUDES = -I.@am__isrc@
depcomp = $(SHELL) $(top_srcdir)/depcomp
am__depfiles_maybe = depfiles
@@ -402,6 +401,9 @@ ECHO_T = @ECHO_T@
EGREP = @EGREP@
EXEEXT = @EXEEXT@
FGREP = @FGREP@
+GENERIC_LIBRARY_VERSION = @GENERIC_LIBRARY_VERSION@
+GENERIC_RELEASE = @GENERIC_RELEASE@
+GENERIC_VERSION = @GENERIC_VERSION@
GREP = @GREP@
INSTALL = @INSTALL@
INSTALL_DATA = @INSTALL_DATA@
@@ -662,7 +664,7 @@ docroot_tokendb_DATA =
docroot_tps_config_DATA =
docroot_tps_img_DATA =
docroot_tps_js_DATA =
-initd_SCRIPTS = $(srcdir)/etc/init.d/httpd
+initd_SCRIPTS = $(srcdir)/etc/init.d/pki-tpsd
license_DATA = $(srcdir)/LICENSE
libexec_SCRIPTS = $(srcdir)/apache/apachectl
@@ -720,7 +722,6 @@ scripts_DATA = $(srcdir)/scripts/schemaMods.ldif \
scripts_SCRIPTS = $(srcdir)/scripts/nss_pcache
@LINUX_TRUE@setup_DATA = $(srcdir)/setup/config.desktop
-setup_SCRIPTS = $(srcdir)/setup/postinstall
templates_DATA = $(srcdir)/apache/pki_instance_command_wrapper \
$(srcdir)/apache/pki_subsystem_command_wrapper
@@ -738,7 +739,7 @@ libtokendb_la_SOURCES = src/tus/tus_db.c
libtokendb_la_CPPFLAGS = $(AM_CPPFLAGS) @ldapsdk_inc@ @svrcore_inc@ \
@sasl_inc@ @nss_inc@ @nspr_inc@
-libtokendb_la_LDFLAGS = $(AM_LDFLAGS) -avoid-version
+libtokendb_la_LDFLAGS = $(AM_LDFLAGS) -version-info $(GENERIC_LIBRARY_VERSION) --release $(VERSION)
libtokendb_la_LIBADD = $(LDAPSDK_LINK) $(SVRCORE_LINK) \
$(SASL_LINK) $(NSS_LINK) $(NSPR_LINK) $(LIBNSL) $(LIBSOCKET) $(LIBDL) \
$(LIBCSTD) $(LIBCRUN)
@@ -832,7 +833,7 @@ libtps_la_SOURCES = src/main/Buffer.cpp \
libtps_la_CPPFLAGS = $(AM_CPPFLAGS) @ldapsdk_inc@ @svrcore_inc@ \
@sasl_inc@ @nss_inc@ @nspr_inc@
-libtps_la_LDFLAGS = $(AM_LDFLAGS) -avoid-version
+libtps_la_LDFLAGS = $(AM_LDFLAGS) -version-info $(GENERIC_LIBRARY_VERSION) --release $(VERSION)
libtps_la_LIBADD = ${top_builddir}/libtokendb.la $(LDAPSDK_LINK) \
$(SVRCORE_LINK) $(SASL_LINK) $(NSS_LINK) $(NSPR_LINK) $(LIBNSL) \
$(LIBSOCKET) $(LIBDL) $(LIBCSTD) $(LIBCRUN)
@@ -845,7 +846,7 @@ libldapauth_la_SOURCES = src/authentication/LDAP_Authentication.cpp
libldapauth_la_CPPFLAGS = $(AM_CPPFLAGS) @ldapsdk_inc@ @svrcore_inc@ \
@sasl_inc@ @nss_inc@ @nspr_inc@
-libldapauth_la_LDFLAGS = $(AM_LDFLAGS) -avoid-version
+libldapauth_la_LDFLAGS = $(AM_LDFLAGS) -version-info $(GENERIC_LIBRARY_VERSION) --release $(VERSION)
libldapauth_la_LIBADD = ${top_builddir}/libtps.la $(LDAPSDK_LINK) \
$(SVRCORE_LINK) $(SASL_LINK) $(NSS_LINK) $(NSPR_LINK) $(LIBNSL) \
$(LIBSOCKET) $(LIBDL) $(LIBCSTD) $(LIBCRUN)
@@ -1918,40 +1919,6 @@ uninstall-scriptsSCRIPTS:
test -n "$$list" || exit 0; \
echo " ( cd '$(DESTDIR)$(scriptsdir)' && rm -f" $$files ")"; \
cd "$(DESTDIR)$(scriptsdir)" && rm -f $$files
-install-setupSCRIPTS: $(setup_SCRIPTS)
- @$(NORMAL_INSTALL)
- test -z "$(setupdir)" || $(MKDIR_P) "$(DESTDIR)$(setupdir)"
- @list='$(setup_SCRIPTS)'; test -n "$(setupdir)" || list=; \
- for p in $$list; do \
- if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \
- if test -f "$$d$$p"; then echo "$$d$$p"; echo "$$p"; else :; fi; \
- done | \
- sed -e 'p;s,.*/,,;n' \
- -e 'h;s|.*|.|' \
- -e 'p;x;s,.*/,,;$(transform)' | sed 'N;N;N;s,\n, ,g' | \
- $(AWK) 'BEGIN { files["."] = ""; dirs["."] = 1; } \
- { d=$$3; if (dirs[d] != 1) { print "d", d; dirs[d] = 1 } \
- if ($$2 == $$4) { files[d] = files[d] " " $$1; \
- if (++n[d] == $(am__install_max)) { \
- print "f", d, files[d]; n[d] = 0; files[d] = "" } } \
- else { print "f", d "/" $$4, $$1 } } \
- END { for (d in files) print "f", d, files[d] }' | \
- while read type dir files; do \
- if test "$$dir" = .; then dir=; else dir=/$$dir; fi; \
- test -z "$$files" || { \
- echo " $(INSTALL_SCRIPT) $$files '$(DESTDIR)$(setupdir)$$dir'"; \
- $(INSTALL_SCRIPT) $$files "$(DESTDIR)$(setupdir)$$dir" || exit $$?; \
- } \
- ; done
-
-uninstall-setupSCRIPTS:
- @$(NORMAL_UNINSTALL)
- @list='$(setup_SCRIPTS)'; test -n "$(setupdir)" || exit 0; \
- files=`for p in $$list; do echo "$$p"; done | \
- sed -e 's,.*/,,;$(transform)'`; \
- test -n "$$list" || exit 0; \
- echo " ( cd '$(DESTDIR)$(setupdir)' && rm -f" $$files ")"; \
- cd "$(DESTDIR)$(setupdir)" && rm -f $$files
mostlyclean-compile:
-rm -f *.$(OBJEXT)
@@ -4374,7 +4341,7 @@ check: check-am
all-am: Makefile $(LTLIBRARIES) $(PROGRAMS) $(SCRIPTS) $(DATA) \
config.h
installdirs:
- for dir in "$(DESTDIR)$(apache_modulesdir)" "$(DESTDIR)$(libdir)" "$(DESTDIR)$(libexecdir)" "$(DESTDIR)$(bindir)" "$(DESTDIR)$(cgibin_demodir)" "$(DESTDIR)$(cgibin_homedir)" "$(DESTDIR)$(cgibin_sodir)" "$(DESTDIR)$(cgibin_sowdir)" "$(DESTDIR)$(initddir)" "$(DESTDIR)$(libexecdir)" "$(DESTDIR)$(perl_basedir)" "$(DESTDIR)$(perl_modulesdir)" "$(DESTDIR)$(perl_servicedir)" "$(DESTDIR)$(perl_templatesdir)" "$(DESTDIR)$(scriptsdir)" "$(DESTDIR)$(setupdir)" "$(DESTDIR)$(aliasdir)" "$(DESTDIR)$(appletsdir)" "$(DESTDIR)$(cgibin_demodir)" "$(DESTDIR)$(cgibin_homedir)" "$(DESTDIR)$(cgibin_sodir)" "$(DESTDIR)$(cgibin_sowdir)" "$(DESTDIR)$(confdir)" "$(DESTDIR)$(docrootdir)" "$(DESTDIR)$(docroot_demodir)" "$(DESTDIR)$(docroot_homedir)" "$(DESTDIR)$(docroot_sodir)" "$(DESTDIR)$(docroot_sowdir)" "$(DESTDIR)$(docroot_tokendbdir)" "$(DESTDIR)$(docroot_tps_configdir)" "$(DESTDIR)$(docroot_tps_imgdir)" "$(DESTDIR)$(docroot_tps_jsdir)" "$(DESTDIR)$(licensedir)" "$(DESTDIR)$(logsdir)" "$(DESTDIR)$(samplesdir)" "$(DESTDIR)$(scriptsdir)" "$(DESTDIR)$(setupdir)" "$(DESTDIR)$(templatesdir)"; do \
+ for dir in "$(DESTDIR)$(apache_modulesdir)" "$(DESTDIR)$(libdir)" "$(DESTDIR)$(libexecdir)" "$(DESTDIR)$(bindir)" "$(DESTDIR)$(cgibin_demodir)" "$(DESTDIR)$(cgibin_homedir)" "$(DESTDIR)$(cgibin_sodir)" "$(DESTDIR)$(cgibin_sowdir)" "$(DESTDIR)$(initddir)" "$(DESTDIR)$(libexecdir)" "$(DESTDIR)$(perl_basedir)" "$(DESTDIR)$(perl_modulesdir)" "$(DESTDIR)$(perl_servicedir)" "$(DESTDIR)$(perl_templatesdir)" "$(DESTDIR)$(scriptsdir)" "$(DESTDIR)$(aliasdir)" "$(DESTDIR)$(appletsdir)" "$(DESTDIR)$(cgibin_demodir)" "$(DESTDIR)$(cgibin_homedir)" "$(DESTDIR)$(cgibin_sodir)" "$(DESTDIR)$(cgibin_sowdir)" "$(DESTDIR)$(confdir)" "$(DESTDIR)$(docrootdir)" "$(DESTDIR)$(docroot_demodir)" "$(DESTDIR)$(docroot_homedir)" "$(DESTDIR)$(docroot_sodir)" "$(DESTDIR)$(docroot_sowdir)" "$(DESTDIR)$(docroot_tokendbdir)" "$(DESTDIR)$(docroot_tps_configdir)" "$(DESTDIR)$(docroot_tps_imgdir)" "$(DESTDIR)$(docroot_tps_jsdir)" "$(DESTDIR)$(licensedir)" "$(DESTDIR)$(logsdir)" "$(DESTDIR)$(samplesdir)" "$(DESTDIR)$(scriptsdir)" "$(DESTDIR)$(setupdir)" "$(DESTDIR)$(templatesdir)"; do \
test -z "$$dir" || $(MKDIR_P) "$$dir"; \
done
install: install-am
@@ -4467,7 +4434,7 @@ install-data-am: install-aliasDATA install-apache_modulesLTLIBRARIES \
install-perl_baseSCRIPTS install-perl_modulesSCRIPTS \
install-perl_serviceSCRIPTS install-perl_templatesSCRIPTS \
install-samplesDATA install-scriptsDATA install-scriptsSCRIPTS \
- install-setupDATA install-setupSCRIPTS install-templatesDATA
+ install-setupDATA install-templatesDATA
install-dvi: install-dvi-am
@@ -4534,7 +4501,7 @@ uninstall-am: uninstall-aliasDATA uninstall-apache_modulesLTLIBRARIES \
uninstall-perl_serviceSCRIPTS uninstall-perl_templatesSCRIPTS \
uninstall-samplesDATA uninstall-scriptsDATA \
uninstall-scriptsSCRIPTS uninstall-setupDATA \
- uninstall-setupSCRIPTS uninstall-templatesDATA
+ uninstall-templatesDATA
.MAKE: all install-am install-strip
@@ -4567,8 +4534,8 @@ uninstall-am: uninstall-aliasDATA uninstall-apache_modulesLTLIBRARIES \
install-perl_serviceSCRIPTS install-perl_templatesSCRIPTS \
install-ps install-ps-am install-samplesDATA \
install-scriptsDATA install-scriptsSCRIPTS install-setupDATA \
- install-setupSCRIPTS install-strip install-templatesDATA \
- installcheck installcheck-am installdirs maintainer-clean \
+ install-strip install-templatesDATA installcheck \
+ installcheck-am installdirs maintainer-clean \
maintainer-clean-generic mostlyclean mostlyclean-compile \
mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
tags uninstall uninstall-aliasDATA uninstall-am \
@@ -4589,8 +4556,7 @@ uninstall-am: uninstall-aliasDATA uninstall-apache_modulesLTLIBRARIES \
uninstall-perl_modulesSCRIPTS uninstall-perl_serviceSCRIPTS \
uninstall-perl_templatesSCRIPTS uninstall-samplesDATA \
uninstall-scriptsDATA uninstall-scriptsSCRIPTS \
- uninstall-setupDATA uninstall-setupSCRIPTS \
- uninstall-templatesDATA
+ uninstall-setupDATA uninstall-templatesDATA
%: %.in
diff --git a/pki/base/tps/apache/conf/httpd.conf b/pki/base/tps/apache/conf/httpd.conf
index 7d1e8acdf..239ec21f2 100644
--- a/pki/base/tps/apache/conf/httpd.conf
+++ b/pki/base/tps/apache/conf/httpd.conf
@@ -78,7 +78,7 @@ ServerRoot "[SERVER_ROOT]"
# identification number when it starts.
#
<IfModule !mpm_netware.c>
-PidFile logs/[INSTANCE_ID].pid
+PidFile run/[INSTANCE_ID].pid
</IfModule>
#
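Review bot: Moving the PID file from `logs/` to `run/` introduces a dependency on a directory that nothing in this hunk creates, owns or labels for SELinux; the deleted init script's header still pointed at `logs/[INSTANCE_ID].pid`, so the replacement pki-tpsd script (not in view) must be the one that creates `run/` and reads the new path on stop. If, as is usual, that script runs as root and stops the instance with something like `kill $(cat pidfile)`, then `run/` must not be writable by the unprivileged service user, otherwise a compromised worker could rewrite the PID and redirect a root-level kill at an arbitrary process; the SELinux file contexts in this commit (pki.fc, outside this chunk) presumably need a matching entry for the new directory. A comment above the directive, such as `# [SERVER_ROOT]/run must exist and be root-owned before start; pki-tpsd reads this file on stop`, would make the dependency explicit.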
diff --git a/pki/base/tps/build.xml b/pki/base/tps/build.xml
index 9354a31d2..ebfbeb225 100644
--- a/pki/base/tps/build.xml
+++ b/pki/base/tps/build.xml
@@ -154,11 +154,6 @@
<echo message="${begin.binary.zip.log.message}"/>
<zip destfile="${dist.base.binaries}/${dist.name}.zip">
<zipfileset dir="."
- filemode="644"
- prefix="etc/httpd/modules/">
- <include name="**"/>
- </zipfileset>
- <zipfileset dir="."
filemode="755"
prefix="usr/bin/">
<include name="**"/>
@@ -170,6 +165,11 @@
</zipfileset>
<zipfileset dir="."
filemode="644"
+ prefix="usr/lib/httpd/modules/">
+ <include name="**"/>
+ </zipfileset>
+ <zipfileset dir="."
+ filemode="644"
prefix="usr/share/doc/${dist.name}">
<include name="EULA"/>
<include name="LICENSE"/>
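Review bot: `usr/lib/httpd/modules/` is a hard-coded prefix, so the binary zip will always place the modules under `/usr/lib` even on 64-bit hosts where the Apache module directory is `/usr/lib64/httpd/modules`; if this archive is meant to be unpacked directly onto such a host, the path should come from a build property (for example `prefix="${httpd.modules.dir}"`) rather than a literal. The same literal is introduced in the tar target further down, so both would need the property. Whether the consumers of this zip rely on the literal path is not visible from the diff and should be confirmed before changing it.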
@@ -192,7 +192,6 @@
<include name="cgi-bin/**"/>
<include name="docroot/index.cgi"/>
<include name="logs/signedAudit"/>
- <include name="setup/postinstall"/>
</zipfileset>
</zip>
<echo message="${end.binary.zip.log.message}"/>
@@ -201,11 +200,6 @@
<tar longfile="gnu"
destfile="${dist.base.binaries}/${dist.name}.tar">
<tarfileset dir="."
- mode="644"
- prefix="etc/httpd/modules/">
- <include name="**"/>
- </tarfileset>
- <tarfileset dir="."
mode="755"
prefix="usr/bin/">
<include name="**"/>
@@ -217,6 +211,11 @@
</tarfileset>
<tarfileset dir="."
mode="644"
+ prefix="usr/lib/httpd/modules/">
+ <include name="**"/>
+ </tarfileset>
+ <tarfileset dir="."
+ mode="644"
prefix="usr/share/doc/${dist.name}">
<include name="EULA"/>
<include name="LICENSE"/>
@@ -239,7 +238,6 @@
<include name="cgi-bin/**"/>
<include name="docroot/index.cgi"/>
<include name="logs/signedAudit"/>
- <include name="setup/postinstall"/>
</tarfileset>
</tar>
<echo message="${end.binary.tar.log.message}"/>
@@ -301,12 +299,18 @@
<include name="ui/**"/>
<include name="wrappers/**"/>
</zipfileset>
+ <zipfileset dir="./etc/init.d"
+ filemode="755"
+ prefix="etc/${init.d}">
+ <include name="pki-tpsd"/>
+ </zipfileset>
<zipfileset dir="."
filemode="755"
prefix="${src.dist.name}">
<include name="autogen.sh"/>
<include name="configure"/>
<include name="setup_package"/>
+ <exclude name="etc/init.d/pki-tpsd"/>
</zipfileset>
</zip>
<echo message="${end.source.zip.log.message}"/>
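Review bot: The `<exclude name="etc/init.d/pki-tpsd"/>` is added to the fileset whose only includes are `autogen.sh`, `configure` and `setup_package`, so it excludes nothing there; if the intent is to keep the script out of the source-tree fileset that closes just above it (its opening tag is outside the hunk), the exclude belongs in that fileset. Separately, the zip places the script at `etc/${init.d}` (top level of the archive) while the tar target below uses `${dist.name}/etc/${init.d}`, so the two source archives will unpack differently; one of the prefixes is presumably wrong and they should be made identical. The enclosing `<zip>` element starts outside this hunk.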
@@ -355,12 +359,18 @@
<include name="ui/**"/>
<include name="wrappers/**"/>
</tarfileset>
+ <tarfileset dir="./etc/init.d"
+ mode="755"
+ prefix="${dist.name}/etc/${init.d}">
+ <include name="pki-tpsd"/>
+ </tarfileset>
<tarfileset dir="."
mode="755"
prefix="${src.dist.name}">
<include name="autogen.sh"/>
<include name="configure"/>
<include name="setup_package"/>
+ <exclude name="etc/init.d/pki-tpsd"/>
</tarfileset>
</tar>
<echo message="${end.source.tar.log.message}"/>
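Review bot: The `<exclude name="etc/init.d/pki-tpsd"/>` is placed in the tarfileset that only includes `autogen.sh`, `configure` and `setup_package`, so it has no effect there; if the goal is to stop the script being packaged twice, the exclude must go in the fileset that closes just above (opened outside this hunk) and that covers `etc/**` or the whole tree. Note also that this tar nests the script under `${dist.name}/etc/${init.d}` while the source files use `${src.dist.name}` and the zip target above uses a bare `etc/${init.d}`; the three prefixes should agree. The enclosing `<tar>` element starts outside this hunk.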
diff --git a/pki/base/tps/configure b/pki/base/tps/configure
index 6fe3bb7ee..92c3c4b6f 100755
--- a/pki/base/tps/configure
+++ b/pki/base/tps/configure
@@ -822,6 +822,7 @@ LIBCSTD
LIBDL
LIBNSL
LIBSOCKET
+initddir
WINNT_FALSE
WINNT_TRUE
templatesdir
@@ -834,7 +835,6 @@ perl_modulesdir
perl_basedir
logsdir
licensedir
-initddir
docroot_tps_jsdir
docroot_tps_imgdir
docroot_tps_cssdir
@@ -901,6 +901,9 @@ CPPFLAGS
LDFLAGS
CXXFLAGS
CXX
+GENERIC_VERSION
+GENERIC_RELEASE
+GENERIC_LIBRARY_VERSION
host_os
host_vendor
host_cpu
@@ -2778,6 +2781,18 @@ case $host_os in *\ *) host_os=`echo "$host_os" | sed 's/ /-/g'`;; esac
+# Library versioning.
+GENERIC_MAJOR_VERSION=1
+GENERIC_MINOR_VERSION=0
+GENERIC_MICRO_VERSION=0
+GENERIC_LIBRARY_VERSION=0:0:0
+
+GENERIC_VERSION=$GENERIC_MAJOR_VERSION.$GENERIC_MINOR_VERSION.$GENERIC_MICRO_VERSION
+GENERIC_RELEASE=$GENERIC_MAJOR_VERSION.$GENERIC_MINOR_VERSION
+
+
+VERSION=$GENERIC_VERSION
+
# Checks for programs.
ac_ext=cpp
ac_cpp='$CXXCPP $CPPFLAGS'
@@ -5183,13 +5198,13 @@ if test "${lt_cv_nm_interface+set}" = set; then
else
lt_cv_nm_interface="BSD nm"
echo "int some_variable = 0;" > conftest.$ac_ext
- (eval echo "\"\$as_me:5186: $ac_compile\"" >&5)
+ (eval echo "\"\$as_me:5201: $ac_compile\"" >&5)
(eval "$ac_compile" 2>conftest.err)
cat conftest.err >&5
- (eval echo "\"\$as_me:5189: $NM \\\"conftest.$ac_objext\\\"\"" >&5)
+ (eval echo "\"\$as_me:5204: $NM \\\"conftest.$ac_objext\\\"\"" >&5)
(eval "$NM \"conftest.$ac_objext\"" 2>conftest.err > conftest.out)
cat conftest.err >&5
- (eval echo "\"\$as_me:5192: output\"" >&5)
+ (eval echo "\"\$as_me:5207: output\"" >&5)
cat conftest.out >&5
if $GREP 'External.*some_variable' conftest.out > /dev/null; then
lt_cv_nm_interface="MS dumpbin"
@@ -6395,7 +6410,7 @@ ia64-*-hpux*)
;;
*-*-irix6*)
# Find out which ABI we are using.
- echo '#line 6398 "configure"' > conftest.$ac_ext
+ echo '#line 6413 "configure"' > conftest.$ac_ext
if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
(eval $ac_compile) 2>&5
ac_status=$?
@@ -8960,11 +8975,11 @@ else
-e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
-e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
-e 's:$: $lt_compiler_flag:'`
- (eval echo "\"\$as_me:8963: $lt_compile\"" >&5)
+ (eval echo "\"\$as_me:8978: $lt_compile\"" >&5)
(eval "$lt_compile" 2>conftest.err)
ac_status=$?
cat conftest.err >&5
- echo "$as_me:8967: \$? = $ac_status" >&5
+ echo "$as_me:8982: \$? = $ac_status" >&5
if (exit $ac_status) && test -s "$ac_outfile"; then
# The compiler can only warn and ignore the option if not recognized
# So say no if there are warnings other than the usual output.
@@ -9299,11 +9314,11 @@ else
-e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
-e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
-e 's:$: $lt_compiler_flag:'`
- (eval echo "\"\$as_me:9302: $lt_compile\"" >&5)
+ (eval echo "\"\$as_me:9317: $lt_compile\"" >&5)
(eval "$lt_compile" 2>conftest.err)
ac_status=$?
cat conftest.err >&5
- echo "$as_me:9306: \$? = $ac_status" >&5
+ echo "$as_me:9321: \$? = $ac_status" >&5
if (exit $ac_status) && test -s "$ac_outfile"; then
# The compiler can only warn and ignore the option if not recognized
# So say no if there are warnings other than the usual output.
@@ -9404,11 +9419,11 @@ else
-e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
-e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
-e 's:$: $lt_compiler_flag:'`
- (eval echo "\"\$as_me:9407: $lt_compile\"" >&5)
+ (eval echo "\"\$as_me:9422: $lt_compile\"" >&5)
(eval "$lt_compile" 2>out/conftest.err)
ac_status=$?
cat out/conftest.err >&5
- echo "$as_me:9411: \$? = $ac_status" >&5
+ echo "$as_me:9426: \$? = $ac_status" >&5
if (exit $ac_status) && test -s out/conftest2.$ac_objext
then
# The compiler can only warn and ignore the option if not recognized
@@ -9459,11 +9474,11 @@ else
-e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
-e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
-e 's:$: $lt_compiler_flag:'`
- (eval echo "\"\$as_me:9462: $lt_compile\"" >&5)
+ (eval echo "\"\$as_me:9477: $lt_compile\"" >&5)
(eval "$lt_compile" 2>out/conftest.err)
ac_status=$?
cat out/conftest.err >&5
- echo "$as_me:9466: \$? = $ac_status" >&5
+ echo "$as_me:9481: \$? = $ac_status" >&5
if (exit $ac_status) && test -s out/conftest2.$ac_objext
then
# The compiler can only warn and ignore the option if not recognized
@@ -12262,7 +12277,7 @@ else
lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2
lt_status=$lt_dlunknown
cat > conftest.$ac_ext <<_LT_EOF
-#line 12265 "configure"
+#line 12280 "configure"
#include "confdefs.h"
#if HAVE_DLFCN_H
@@ -12358,7 +12373,7 @@ else
lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2
lt_status=$lt_dlunknown
cat > conftest.$ac_ext <<_LT_EOF
-#line 12361 "configure"
+#line 12376 "configure"
#include "confdefs.h"
#if HAVE_DLFCN_H
@@ -14378,11 +14393,11 @@ else
-e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
-e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
-e 's:$: $lt_compiler_flag:'`
- (eval echo "\"\$as_me:14381: $lt_compile\"" >&5)
+ (eval echo "\"\$as_me:14396: $lt_compile\"" >&5)
(eval "$lt_compile" 2>conftest.err)
ac_status=$?
cat conftest.err >&5
- echo "$as_me:14385: \$? = $ac_status" >&5
+ echo "$as_me:14400: \$? = $ac_status" >&5
if (exit $ac_status) && test -s "$ac_outfile"; then
# The compiler can only warn and ignore the option if not recognized
# So say no if there are warnings other than the usual output.
@@ -14477,11 +14492,11 @@ else
-e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
-e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
-e 's:$: $lt_compiler_flag:'`
- (eval echo "\"\$as_me:14480: $lt_compile\"" >&5)
+ (eval echo "\"\$as_me:14495: $lt_compile\"" >&5)
(eval "$lt_compile" 2>out/conftest.err)
ac_status=$?
cat out/conftest.err >&5
- echo "$as_me:14484: \$? = $ac_status" >&5
+ echo "$as_me:14499: \$? = $ac_status" >&5
if (exit $ac_status) && test -s out/conftest2.$ac_objext
then
# The compiler can only warn and ignore the option if not recognized
@@ -14529,11 +14544,11 @@ else
-e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
-e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
-e 's:$: $lt_compiler_flag:'`
- (eval echo "\"\$as_me:14532: $lt_compile\"" >&5)
+ (eval echo "\"\$as_me:14547: $lt_compile\"" >&5)
(eval "$lt_compile" 2>out/conftest.err)
ac_status=$?
cat out/conftest.err >&5
- echo "$as_me:14536: \$? = $ac_status" >&5
+ echo "$as_me:14551: \$? = $ac_status" >&5
if (exit $ac_status) && test -s out/conftest2.$ac_objext
then
# The compiler can only warn and ignore the option if not recognized
@@ -19893,8 +19908,6 @@ docroot_tps_configdir=/docroot/tps/admin/console/config
docroot_tps_cssdir=/docroot/tps/admin/console/css
docroot_tps_imgdir=/docroot/tps/admin/console/img
docroot_tps_jsdir=/docroot/tps/admin/console/js
-# relative to sysconfdir
-initddir=/init.d
# relative to prefix
licensedir=/doc
logsdir=/logs/signedAudit
@@ -19938,7 +19951,6 @@ templatesdir=/templates
-
# WINNT should be true if building on Windows system not using
# cygnus, mingw, or the like and using cmd.exe as the shell
if false; then
@@ -20080,6 +20092,9 @@ cat >>confdefs.h <<\_ACEOF
_ACEOF
platform="linux"
+ # relative to sysconfdir
+ initddir=/rc.d/init.d
+
;;
ia64-hp-hpux*)
@@ -20128,6 +20143,9 @@ cat >>confdefs.h <<\_ACEOF
_ACEOF
platform="hpux"
+ # relative to sysconfdir
+ initddir=/init.d
+
;;
hppa*-hp-hpux*)
@@ -20202,6 +20220,9 @@ cat >>confdefs.h <<\_ACEOF
_ACEOF
platform="hpux"
+ # relative to sysconfdir
+ initddir=/init.d
+
;;
sparc-sun-solaris*)
@@ -20316,9 +20337,15 @@ cat >>confdefs.h <<\_ACEOF
_ACEOF
platform="solaris"
+ # relative to sysconfdir
+ initddir=/init.d
+
;;
*)
platform=""
+ # relative to sysconfdir
+ initddir=/init.d
+
;;
esac
diff --git a/pki/base/tps/configure.ac b/pki/base/tps/configure.ac
index 8a12e8ec6..b3efd7c8b 100644
--- a/pki/base/tps/configure.ac
+++ b/pki/base/tps/configure.ac
@@ -28,6 +28,18 @@ AM_INIT_AUTOMAKE([1.9 foreign subdir-objects])
AM_MAINTAINER_MODE
AC_CANONICAL_HOST
+# Library versioning.
+GENERIC_MAJOR_VERSION=1
+GENERIC_MINOR_VERSION=0
+GENERIC_MICRO_VERSION=0
+GENERIC_LIBRARY_VERSION=0:0:0
+AC_SUBST(GENERIC_LIBRARY_VERSION)
+GENERIC_VERSION=$GENERIC_MAJOR_VERSION.$GENERIC_MINOR_VERSION.$GENERIC_MICRO_VERSION
+GENERIC_RELEASE=$GENERIC_MAJOR_VERSION.$GENERIC_MINOR_VERSION
+AC_SUBST(GENERIC_RELEASE)
+AC_SUBST(GENERIC_VERSION)
+VERSION=$GENERIC_VERSION
+
# Checks for programs.
AC_PROG_CXX
AC_PROG_CC
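Review bot: `VERSION=$GENERIC_VERSION` silently overrides the package version that AM_INIT_AUTOMAKE derived from AC_INIT (earlier in the file, outside this hunk), so `make dist` tarball names and anything else keyed on `$(VERSION)` now carry the library version 1.0.0 instead of the package release. If the only consumer is the libtool release flag in Makefile.am, pass `$(GENERIC_RELEASE)` there instead (it is already AC_SUBSTed here but otherwise unused) and drop the `VERSION=` line. A short comment above the block explaining that `GENERIC_LIBRARY_VERSION` is libtool's current:revision:age triple that controls the soname, while `GENERIC_VERSION`/`GENERIC_RELEASE` only affect the file name, would help whoever bumps these next.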
@@ -131,8 +143,6 @@ docroot_tps_configdir=/docroot/tps/admin/console/config
docroot_tps_cssdir=/docroot/tps/admin/console/css
docroot_tps_imgdir=/docroot/tps/admin/console/img
docroot_tps_jsdir=/docroot/tps/admin/console/js
-# relative to sysconfdir
-initddir=/init.d
# relative to prefix
licensedir=/doc
logsdir=/logs/signedAudit
@@ -165,7 +175,6 @@ AC_SUBST(docroot_tps_configdir)
AC_SUBST(docroot_tps_cssdir)
AC_SUBST(docroot_tps_imgdir)
AC_SUBST(docroot_tps_jsdir)
-AC_SUBST(initddir)
AC_SUBST(licensedir)
AC_SUBST(logsdir)
AC_SUBST(perl_basedir)
@@ -211,6 +220,9 @@ case $host in
AC_DEFINE([SW_THREADS], [], [SW_THREADS])
AC_DEFINE([USE_NODL_TABS], [], [USE_NODL_TABS])
platform="linux"
+ # relative to sysconfdir
+ initddir=/rc.d/init.d
+ AC_SUBST(initddir)
;;
ia64-hp-hpux*)
AC_DEFINE([XP_UNIX], [], [UNIX])
@@ -223,6 +235,9 @@ case $host in
AC_DEFINE([_POSIX_C_SOURCE], [199506L], [POSIX revision])
AC_DEFINE([_HPUX_SOURCE], [], [_HPUX_SOURCE])
platform="hpux"
+ # relative to sysconfdir
+ initddir=/init.d
+ AC_SUBST(initddir)
;;
hppa*-hp-hpux*)
AC_DEFINE([XP_UNIX], [], [UNIX])
@@ -241,6 +256,9 @@ case $host in
AC_DEFINE([NET_SSL], [], [NET_SSL])
AC_DEFINE([SW_THREADS], [], [SW_THREADS])
platform="hpux"
+ # relative to sysconfdir
+ initddir=/init.d
+ AC_SUBST(initddir)
;;
sparc-sun-solaris*)
AC_DEFINE([XP_UNIX], [], [UNIX])
@@ -276,9 +294,15 @@ dnl Cstd and Crun are required to link any C++ related code
AC_DEFINE([SOLARIS_55_OR_GREATER], [], [SOLARIS_55_OR_GREATER])
AC_DEFINE([SYSV], [], [SYSV])
platform="solaris"
+ # relative to sysconfdir
+ initddir=/init.d
+ AC_SUBST(initddir)
;;
*)
platform=""
+ # relative to sysconfdir
+ initddir=/init.d
+ AC_SUBST(initddir)
;;
esac
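Review bot: `AC_SUBST(initddir)` is now repeated in every arm of the `case`, which is easy to get wrong when a new arm is added; a single `AC_SUBST(initddir)` placed after `esac` exports the variable once for all arms. Since every arm except Linux sets the same `/init.d` that the removed global default provided, an even smaller change is to keep the global `initddir=/init.d` and override it only in the Linux arm with `/rc.d/init.d`. The `case` statement itself opens outside this hunk.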
diff --git a/pki/base/tps/etc/init.d/httpd b/pki/base/tps/etc/init.d/httpd
deleted file mode 100755
index e0a273009..000000000
--- a/pki/base/tps/etc/init.d/httpd
+++ /dev/null
@@ -1,780 +0,0 @@
-#!/bin/bash
-#
-# --- BEGIN COPYRIGHT BLOCK ---
-# This library is free software; you can redistribute it and/or
-# modify it under the terms of the GNU Lesser General Public
-# License as published by the Free Software Foundation;
-# version 2.1 of the License.
-#
-# This library is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
-# Lesser General Public License for more details.
-#
-# You should have received a copy of the GNU Lesser General Public
-# License along with this library; if not, write to the Free Software
-# Foundation, Inc., 51 Franklin Street, Fifth Floor,
-# Boston, MA 02110-1301 USA
-#
-# Copyright (C) 2007 Red Hat, Inc.
-# All rights reserved.
-# --- END COPYRIGHT BLOCK ---
-#
-#
-# [INSTANCE_ID] Startup script for the Apache HTTP Server
-#
-# chkconfig: - 87 13
-# description: Token Processing System \
-# (Apache 2.2)
-# processname: [INSTANCE_ID]
-# config: [HTTPD_CONF]
-# pidfile: [SERVER_ROOT]/logs/[INSTANCE_ID].pid
-
-# Disallow 'others' the ability to 'write' to new files
-umask 00002
-
-# Check to insure that this script's original invocation directory
-# has not been deleted!
-CWD=`/bin/pwd > /dev/null 2>&1`
-if [ $? -ne 0 ] ; then
- echo "Cannot invoke '$0' from non-existent directory!"
- exit 255
-fi
-
-# Check to insure that this script's associated PKI
-# subsystem currently resides on this system.
-SUBSYSTEM_TYPE=[SUBSYSTEM_TYPE]
-if [ ! -d /usr/share/pki/${SUBSYSTEM_TYPE} ] ; then
- echo "This machine is missing the '${SUBSYSTEM_TYPE}' subsystem!"
- exit 255
-fi
-
-# Obtain the operating system upon which this script is being executed
-OS=`uname -s`
-ARCHITECTURE=""
-
-# Time to wait in seconds, before killing process
-#
-# NOTE: Defined in "tomcat5.conf" for other PKI Subsystems.
-#
-STARTUP_WAIT=30
-SHUTDOWN_WAIT=30
-
-# This script must be run as root!
-RV=0
-if [ ${OS} = "Linux" ] ; then
- if [ `id -u` -ne 0 ] ; then
- echo "Must be 'root' to execute '$0'!"
- exit 1
- fi
- ARCHITECTURE=`uname -i`
-elif [ ${OS} = "SunOS" ] ; then
- if [ `/usr/xpg4/bin/id -u` -ne 0 ] ; then
- echo "Must be 'root' to execute '$0'!"
- exit 1
- fi
- ARCHITECTURE=`uname -p`
- if [ "${ARCHITECTURE}" = "sparc" ] &&
- [ -d "/usr/lib/sparcv9/" ] ; then
- ARCHITECTURE="sparcv9"
- fi
-else
- echo "Unsupported OS '${OS}'!"
- exit 1
-fi
-
-# Initialize environment variables
-LD_LIBRARY_PATH=[SYSTEM_USER_LIBRARIES]:[SYSTEM_LIBRARIES]:${LD_LIBRARY_PATH}
-LD_LIBRARY_PATH=[SECURITY_LIBRARIES]:${LD_LIBRARY_PATH}
-export LD_LIBRARY_PATH
-
-# Source function library.
-if [ -f /etc/init.d/functions ]; then
- . /etc/init.d/functions
-else
- # The checkpid() function is provided for platforms that do not
- # contain the "/etc/init.d/functions" file (e. g. - Solaris) . . .
-
- # Check if ${pid} (could be plural) are running (keep count)
- checkpid()
- {
- rv=0
- for i in $* ; do
- ps -p $i > /dev/null 2>&1 ;
- if [ $? -ne 0 ] ; then
- rv=`expr $rv + 1`
- else
- rv=`expr $rv + 0`
- fi
- done
- # echo "rv=$rv"
- return $rv
- }
-
- # Create the following directories on platforms
- # where they do not exist (e. g. - Solaris) . . .
- if [ ! -d /var/lock/subsys ] ; then
- mkdir -p /var/lock/subsys
- fi
-fi
-
-########################################################################
-# This section contains modified content of "/etc/sysconfig/httpd" #
-########################################################################
-# Configuration file for the [INSTANCE_ID] service.
-
-#
-# The default processing model (MPM) is the process-based
-# 'prefork' model. A thread-based model, 'worker', is also
-# available, but does not work with some modules (such as PHP).
-# The service must be stopped before changing this variable.
-#
-HTTPD=[FORTITUDE_DIR]/sbin/httpd.worker
-
-#
-# To pass additional options (for instance, -D definitions) to the
-# httpd binary at startup, set OPTIONS here.
-#
-OPTIONS="-f [HTTPD_CONF]"
-
-#
-# By default, the httpd process is started in the C locale; to
-# change the locale in which the server runs, the HTTPD_LANG
-# variable can be set.
-#
-HTTPD_LANG=C
-########################################################################
-# #
-########################################################################
-
-# This will prevent initlog from swallowing up a pass-phrase prompt if
-# mod_ssl needs a pass-phrase from the user.
-INITLOG_ARGS=""
-
-# Set HTTPD=/usr/sbin/httpd.worker in /etc/sysconfig/httpd to use a server
-# with the thread-based "worker" MPM; BE WARNED that some modules may not
-# work correctly with a thread-based MPM; notably PHP will refuse to start.
-
-# Path to the server binary and short-form for messages.
-httpd=${HTTPD:-[FORTITUDE_DIR]/sbin/httpd}
-prog=[INSTANCE_ID]
-pki_instance_configuration_file=[SERVER_ROOT]/conf/CS.cfg
-pidfile=${PIDFILE:-[SERVER_ROOT]/logs/[INSTANCE_ID].pid}
-lockfile=${LOCKFILE:-/var/lock/subsys/[INSTANCE_ID]}
-RESTART_SERVER=[SERVER_ROOT]/conf/restart_server_after_configuration
-RETVAL=0
-
-# see if httpd is linked with the openldap libraries - we need to override them
-if [ ${OS} = "Linux" ]; then
- hasopenldap=0
-
- /usr/bin/ldd $httpd 2>&1 | grep libldap- > /dev/null 2>&1 && hasopenldap=1
-
- if [ $hasopenldap -eq 1 ] ; then
- LD_PRELOAD="[SYSTEM_USER_LIBRARIES]/libldap60.so"
- LD_PRELOAD="[SYSTEM_USER_LIBRARIES]/libssl3.so:${LD_PRELOAD}"
- export LD_PRELOAD
- fi
-elif [ ${OS} = "SunOS" ] ; then
- LD_PRELOAD_64="[SYSTEM_USER_LIBRARIES]/libldap60.so"
- LD_PRELOAD_64="[SYSTEM_USER_LIBRARIES]/dirsec/libssl3.so:${LD_PRELOAD_64}"
- export LD_PRELOAD_64
-fi
-
-check_pki_configuration_status()
-{
- rv=0
-
- rv=`grep -c ^preop ${pki_instance_configuration_file}`
-
- rv=`expr ${rv} + 0`
-
- if [ ${rv} -ne 0 ] ; then
- echo " '[INSTANCE_ID]' must still be CONFIGURED!"
- echo " (see /var/log/[INSTANCE_ID]-install.log)"
- elif [ -f ${RESTART_SERVER} ] ; then
- echo " Although '[INSTANCE_ID]' has been CONFIGURED, it must still be RESTARTED!"
- rv=255
- fi
-
- return ${rv}
-}
-
-get_pki_status_definitions()
-{
- # establish well-known strings
- listen_statement="Listen"
- total_ports=0
- UNSECURE_PORT=""
- CLIENTAUTH_PORT=""
- NON_CLIENTAUTH_PORT=""
-
- # check to see that an instance-specific "httpd.conf" file exists
- if [ ! -f [HTTPD_CONF] ] ; then
- echo "File '[HTTPD_CONF]' does not exist!"
- exit 255
- fi
-
- # check to see that an instance-specific "nss.conf" file exists
- if [ ! -f [NSS_CONF] ] ; then
- echo "File '[NSS_CONF]' does not exist!"
- exit 255
- fi
-
- # read this instance-specific "httpd.conf" file line-by-line
- # to obtain the current value of the PKI unsecure port
-
- exec < [HTTPD_CONF]
- while read line; do
- # look for the listen statement
- head=`echo $line | cut -b1-6`
- if [ "$head" == "$listen_statement" ] ; then
- # once the 'unsecure' listen statement has been found,
- # extract the numeric port information
- port=`echo $line | cut -b8-`
- UNSECURE_PORT=$port
- echo " Unsecure Port = http://[SERVER_NAME]:${UNSECURE_PORT}/cgi-bin/so/enroll.cgi"
- echo " (ESC Security Officer Enrollment)"
- echo " Unsecure Port = http://[SERVER_NAME]:${UNSECURE_PORT}/cgi-bin/home/index.cgi"
- echo " (ESC Phone Home)"
- total_ports=`expr ${total_ports} + 1`
- break;
- fi
- done
-
- # read this instance-specific "nss.conf" file line-by-line
- # to obtain the current value of the "clientauth" PKI secure port
- # AND the current value of the "non-clientauth" PKI secure port
-
- exec < [NSS_CONF]
- while read line; do
- # look for the listen statement
- head=`echo $line | cut -b1-6`
- if [ "$head" == "$listen_statement" ] &&
- [ ${total_ports} -eq 2 ] ; then
- # once the 'non-clientauth' listen statement has been found,
- # extract the numeric port information
- non_clientauth_port=`echo $line | cut -b8-`
- NON_CLIENTAUTH_PORT=$non_clientauth_port
- echo " Secure Non-Clientauth Port = https://[SERVER_NAME]:${NON_CLIENTAUTH_PORT}/cgi-bin/so/enroll.cgi"
- echo " (ESC Security Officer Enrollment)"
- echo " Secure Non-Clientauth Port = https://[SERVER_NAME]:${NON_CLIENTAUTH_PORT}/cgi-bin/home/index.cgi"
- echo " (ESC Phone Home)"
- total_ports=`expr ${total_ports} + 1`
- break
- fi
- if [ "$head" == "$listen_statement" ] &&
- [ ${total_ports} -eq 1 ] ; then
- # once the 'clientauth' listen statement has been found,
- # extract the numeric port information
- clientauth_port=`echo $line | cut -b8-`
- CLIENTAUTH_PORT=$clientauth_port
- echo " Secure Clientauth Port = https://[SERVER_NAME]:${CLIENTAUTH_PORT}/cgi-bin/sow/welcome.cgi"
- echo " (ESC Security Officer Workstation)"
- echo " Secure Clientauth Port = https://[SERVER_NAME]:${CLIENTAUTH_PORT}/tus"
- echo " (TPS Roles - Operator/Administrator/Agent)"
- total_ports=`expr ${total_ports} + 1`
- fi
- done
-
- if [ ${total_ports} -eq 3 ] ; then
- return 0
- else
- return 255
- fi
-}
-
-get_pki_configuration_definitions()
-{
- # Obtain the PKI Subsystem Type
- line=`grep ^cs.type= ${pki_instance_configuration_file}`
- pki_subsystem=`echo "${line}" | cut -b9-`
- if [ "${line}" != "" ] ; then
- if [ "${pki_subsystem}" != "CA" ] &&
- [ "${pki_subsystem}" != "KRA" ] &&
- [ "${pki_subsystem}" != "OCSP" ] &&
- [ "${pki_subsystem}" != "TKS" ] &&
- [ "${pki_subsystem}" != "RA" ] &&
- [ "${pki_subsystem}" != "TPS" ]
- then
- return 255
- fi
- if [ "${pki_subsystem}" == "KRA" ] ; then
- # Rename "KRA" to "DRM"
- pki_subsystem="DRM"
- fi
- else
- return 255
- fi
-
- # If "${pki_subsystem}" is a CA, DRM, OCSP, or TKS,
- # check to see if "${pki_subsystem}" is a "Clone"
- pki_clone=""
- if [ "${pki_subsystem}" == "CA" ] ||
- [ "${pki_subsystem}" == "DRM" ] ||
- [ "${pki_subsystem}" == "OCSP" ] ||
- [ "${pki_subsystem}" == "TKS" ]
- then
- line=`grep ^subsystem.select= ${pki_instance_configuration_file}`
- if [ "${line}" != "" ] ; then
- pki_clone=`echo "${line}" | cut -b18-`
- if [ "${pki_clone}" != "Clone" ] ; then
- # Reset "${pki_clone}" to be empty
- pki_clone=""
- fi
- else
- return 255
- fi
- fi
-
- # If "${pki_subsystem}" is a CA, and is NOT a "Clone", check to
- # see "${pki_subsystem}" is a "Root" or a "Subordinate" CA
- pki_hierarchy=""
- if [ "${pki_subsystem}" == "CA" ] &&
- [ "${pki_clone}" != "Clone" ]
- then
- line=`grep ^hierarchy.select= ${pki_instance_configuration_file}`
- if [ "${line}" != "" ] ; then
- pki_hierarchy=`echo "${line}" | cut -b18-`
- else
- return 255
- fi
- fi
-
- # If ${pki_subsystem} is a CA, check to
- # see if it is also a Security Domain
- pki_security_domain=""
- if [ "${pki_subsystem}" == "CA" ] ; then
- line=`grep ^securitydomain.select= ${pki_instance_configuration_file}`
- if [ "${line}" != "" ] ; then
- pki_security_domain=`echo "${line}" | cut -b23-`
- if [ "${pki_security_domain}" == "new" ] ; then
- # Set a fixed value for "${pki_security_domain}"
- pki_security_domain="(Security Domain)"
- else
- # Reset "${pki_security_domain}" to be empty
- pki_security_domain=""
- fi
- else
- return 255
- fi
- fi
-
- # Always obtain this PKI instance's "registered"
- # security domain information
- pki_security_domain_name=""
- pki_security_domain_hostname=""
- pki_security_domain_https_admin_port=""
-
- line=`grep ^securitydomain.name= ${pki_instance_configuration_file}`
- if [ "${line}" != "" ] ; then
- pki_security_domain_name=`echo "${line}" | cut -b21-`
- else
- return 255
- fi
-
- line=`grep ^securitydomain.host= ${pki_instance_configuration_file}`
- if [ "${line}" != "" ] ; then
- pki_security_domain_hostname=`echo "${line}" | cut -b21-`
- else
- return 255
- fi
-
- line=`grep ^securitydomain.httpsadminport= ${pki_instance_configuration_file}`
- if [ "${line}" != "" ] ; then
- pki_security_domain_https_admin_port=`echo "${line}" | cut -b31-`
- else
- return 255
- fi
-
- # Compose the "PKI Instance Name" Status Line
- pki_instance_name="PKI Instance Name: [INSTANCE_ID]"
-
- # Compose the "PKI Subsystem Type" Status Line
- header="PKI Subsystem Type: "
- if [ "${pki_clone}" != "" ] ; then
- if [ "${pki_security_domain}" != "" ]; then
- # Possible Values:
- #
- # "CA Clone (Security Domain)"
- #
- data="${pki_subsystem} ${pki_clone} ${pki_security_domain}"
- else
- # Possible Values:
- #
- # "CA Clone"
- # "DRM Clone"
- # "OCSP Clone"
- # "TKS Clone"
- #
- data="${pki_subsystem} ${pki_clone}"
- fi
- elif [ "${pki_hierarchy}" != "" ] ; then
- if [ "${pki_security_domain}" != "" ]; then
- # Possible Values:
- #
- # "Root CA (Security Domain)"
- # "Subordinate CA (Security Domain)"
- #
- data="${pki_hierarchy} ${pki_subsystem} ${pki_security_domain}"
- else
- # Possible Values:
- #
- # "Root CA"
- # "Subordinate CA"
- #
- data="${pki_hierarchy} ${pki_subsystem}"
- fi
- else
- # Possible Values:
- #
- # "DRM"
- # "OCSP"
- # "RA"
- # "TKS"
- # "TPS"
- #
- data="${pki_subsystem}"
- fi
- pki_subsystem_type="${header} ${data}"
-
- # Compose the "Registered PKI Security Domain Information" Status Line
- header="Name: "
- registered_pki_security_domain_name="${header} ${pki_security_domain_name}"
-
- header="URL: "
- if [ "${pki_security_domain_hostname}" != "" ] &&
- [ "${pki_security_domain_https_admin_port}" != "" ]
- then
- data="https://${pki_security_domain_hostname}:${pki_security_domain_https_admin_port}"
- else
- return 255
- fi
- registered_pki_security_domain_url="${header} ${data}"
-
- # Print the "PKI Subsystem Type" Status Line
- echo
- echo " ${pki_instance_name}"
-
- # Print the "PKI Subsystem Type" Status Line
- echo
- echo " ${pki_subsystem_type}"
-
- # Print the "Registered PKI Security Domain Information" Status Line
- echo
- echo " Registered PKI Security Domain Information:"
- echo " =========================================================================="
- echo " ${registered_pki_security_domain_name}"
- echo " ${registered_pki_security_domain_url}"
- echo " =========================================================================="
-
- return 0
-}
-
-get_pki_secure_port()
-{
- # establish well-known strings
- listen_statement="Listen"
-
- # first check to see that an instance-specific "nss.conf" file exists
- if [ ! -f [NSS_CONF] ] ; then
- echo "File '[NSS_CONF]' does not exist!"
- exit 255
- fi
-
- # read this instance-specific "nss.conf" file line-by-line
- # to obtain the current value of the "clientauth" PKI secure port
- exec < [NSS_CONF]
- while read line; do
- # look for the listen statement
- head=`echo $line | cut -b1-6`
- if [ "$head" == "$listen_statement" ] ; then
- # once the 'clientauth' listen statement has been found,
- # extract the numeric port information
- port=`echo $line | cut -b8-`
- SECURE_PORT=$port
- return 0
- fi
- done
-
- return 255
-}
-
-# The semantics of these two functions differ from the way apachectl does
-# things -- attempting to start while running is a failure, and shutdown
-# when not running is also a failure. So we just do it the way init scripts
-# are expected to behave here.
-start()
-{
- echo -n $"Starting $prog: "
-
- if [ -f ${RESTART_SERVER} ] ; then
- rm -f ${RESTART_SERVER}
- fi
-
- if [ -f ${lockfile} ] ; then
- if [ -f ${pidfile} ]; then
- read kpid < ${pidfile}
- if checkpid $kpid 2>&1; then
- echo
- echo "process already running"
- return 255
- else
- echo
- echo -n "lock file found but no process "
- echo -n "running for pid $kpid, continuing"
- echo
- echo
- fi
- fi
- fi
-
- # restore context for ncipher hsm
- [ -x /sbin/restorecon ] && [ -d /dev/nfast ] && /sbin/restorecon -R /dev/nfast
-
- if [ -f /etc/init.d/functions ]; then
- /usr/sbin/selinuxenabled
- RETVAL=$?
- if [ $RETVAL = 0 ] ; then
- if [ ${ARCHITECTURE} = "i386" ] ; then
- LANG=$HTTPD_LANG daemon runcon -t pki_tps_t -- $httpd $OPTIONS
- # overwrite output from "daemon"
- echo -n $"Starting $prog: "
- elif [ ${ARCHITECTURE} = "x86_64" ] ; then
- # NOTE: "daemon" is incompatible with "httpd"
- # on 64-bit architectures
- LANG=$HTTPD_LANG runcon -t pki_tps_t -- $httpd $OPTIONS
- fi
- else
- LANG=$HTTPD_LANG daemon $httpd $OPTIONS
- # overwrite output from "daemon"
- echo -n $"Starting $prog: "
- fi
- else
- LANG=$HTTPD_LANG $httpd $OPTIONS -k start
- fi
-
- RETVAL=$?
- [ $RETVAL = 0 ] && touch ${lockfile}
-
- if [ $RETVAL = 0 ] ; then
- count=0;
-
- let swait=$STARTUP_WAIT
- until [ -s ${pidfile} ] ||
- [ $count -gt $swait ]
- do
- echo -n "."
- sleep 1
- let count=$count+1;
- done
-
- if [ -f /etc/init.d/functions ]; then
- echo_success
- echo
- else
- echo " [ OK ]"
- fi
-
- get_pki_secure_port
- if [ $? -ne 0 ] ; then
- SECURE_PORT="<Port Undefined>"
- fi
-
- # Set permissions of log files
- pki_logs_directory=`dirname ${pidfile}`
- pki_signedAudit="${pki_logs_directory}/signedAudit"
- for file in ${pki_logs_directory}/*; do
- if [ "${file}" != "${pidfile}" ] &&
- [ "${file}" != "${pki_signedAudit}" ]; then
- chmod 00660 ${file}
- chgrp [GROUPID] ${file}
- chown [USERID] ${file}
- fi
- done
-
- # Set permissions of signedAudit log files
- pki_signedAudit_files=`ls -1A ${pki_signedAudit} | wc -l`
- if [ ${pki_signedAudit_files} -gt 0 ]; then
- for file in ${pki_signedAudit}/*; do
- chmod 00660 ${file}
- chgrp [GROUPID] ${file}
- chown [USERID] ${file}
- done
- fi
- else
- if [ -f /etc/init.d/functions ]; then
- echo_failure
- echo
- else
- echo " [ FAILED ]"
- fi
- fi
-
- if [ ${OS} = "Linux" ] ; then
- sleep 10
- elif [ ${OS} = "SunOS" ] ; then
- sleep 20
- fi
- echo
- status
- return $RETVAL
-}
-
-stop()
-{
- echo -n "Stopping $prog: "
-
- if [ -f ${lockfile} ] ; then
- $httpd $OPTIONS -k stop
-
- RETVAL=$?
-
- if [ $RETVAL = 0 ]; then
- count=0;
-
- if [ -f ${pidfile} ]; then
- read kpid < ${pidfile}
- let kwait=$SHUTDOWN_WAIT
-
- until [ `ps -p $kpid | grep -c $kpid` = '0' ] ||
- [ $count -gt $kwait ]
- do
- echo -n "."
- sleep 1
- let count=$count+1;
- done
-
- if [ $count -gt $kwait ]; then
- kill -9 $kpid
- fi
- fi
-
- rm -f ${lockfile}
- rm -f ${pidfile}
-
- if [ -f /etc/init.d/functions ]; then
- echo_success
- echo
- else
- echo " [ OK ]"
- fi
- else
- if [ -f /etc/init.d/functions ]; then
- echo_failure
- echo
- else
- echo " [ FAILED ]"
- fi
- fi
- else
- echo
- echo "process already stopped"
- fi
-}
-
-reload()
-{
- echo -n $"Reloading $prog: "
-
- if ! LANG=$HTTPD_LANG $httpd $OPTIONS -t >&/dev/null; then
- RETVAL=$?
- echo $"not reloading due to configuration syntax error"
- if [ -f /etc/init.d/functions ]; then
- failure $"not reloading $httpd due to configuration syntax error"
- else
- echo $"not reloading $httpd due to configuration syntax error"
- fi
- else
- if [ -f /etc/init.d/functions ]; then
- killproc $httpd -HUP
- # overwrite output from "killproc"
- echo -n $"Stopping $prog: "
- else
- if [ -f ${lockfile} ] ; then
- if [ -f ${pidfile} ]; then
- read kpid < ${pidfile}
- if checkpid $kpid 2>&1; then
- kill -HUP $kpid
- fi
- else
- echo
- echo -n "lock file found but no process "
- echo -n "running for pid $kpid, continuing"
- echo
- echo
- fi
- fi
- fi
- fi
- echo
-}
-
-status()
-{
- if [ -f ${pidfile} ] ; then
- pid=`cat ${pidfile}`
- if [ "${pid}" == "" ] ; then
- echo "[INSTANCE_ID] pid file exists but is empty"
- elif kill -0 ${pid} > /dev/null 2>&1 ; then
- echo "[INSTANCE_ID] (pid ${pid}) is running ..."
- echo
- check_pki_configuration_status
- if [ $? -eq 0 ] ; then
- get_pki_status_definitions
- if [ $? -ne 0 ] ; then
- echo
- echo "[INSTANCE_ID] Status Definitions not found"
- fi
- get_pki_configuration_definitions
- if [ $? -ne 0 ] ; then
- echo
- echo "[INSTANCE_ID] Configuration Definitions not found"
- fi
- fi
- echo
- else
- echo "[INSTANCE_ID] is dead but pid file exists"
- fi
- else
- echo "[INSTANCE_ID] is stopped"
- fi
-}
-
-# See how we were called.
-case "$1" in
- start)
- start
- ;;
- stop)
- stop
- ;;
- restart)
- stop
- sleep 2
- start
- ;;
- condrestart)
- if [ -f ${pidfile} ] ; then
- stop
- sleep 2
- start
- else
- echo -n "Unable to restart process since "
- echo -n "'${pidfile}' does not exist!"
- echo
- fi
- ;;
- reload)
- reload
- ;;
- status)
- status
- ;;
- *)
- echo $"Usage: $prog {start|stop|restart|condrestart|reload|status}"
- exit 1
-esac
-
-exit $RETVAL
-
diff --git a/pki/base/tps/etc/init.d/pki-tpsd b/pki/base/tps/etc/init.d/pki-tpsd
new file mode 100755
index 000000000..0ca55abf4
--- /dev/null
+++ b/pki/base/tps/etc/init.d/pki-tpsd
@@ -0,0 +1,1439 @@
+#!/bin/bash
+#
+# --- BEGIN COPYRIGHT BLOCK ---
+# This library is free software; you can redistribute it and/or
+# modify it under the terms of the GNU Lesser General Public
+# License as published by the Free Software Foundation;
+# version 2.1 of the License.
+#
+# This library is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+# Lesser General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public
+# License along with this library; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor,
+# Boston, MA 02110-1301 USA
+#
+# Copyright (C) 2007 Red Hat, Inc.
+# All rights reserved.
+# --- END COPYRIGHT BLOCK ---
+#
+#
+# pki-tpsd Startup script for the Apache HTTP pki-tps Server
+#
+# chkconfig: - 87 13
+# description: Token Processing System \
+# (Apache 2.2)
+# processname: pki-tpsd
+# piddir: /var/run/pki/tps
+# config: ${PKI_SERVER_ROOT}/conf/httpd.conf
+
+PKI_INIT_SCRIPT=""
+PKI_PATH="/usr/share/pki/tps"
+PKI_PIDDIR="/var/run/pki/tps"
+PKI_PROCESS="pki-tpsd"
+PKI_REGISTRY="/etc/sysconfig/pki/tps"
+PKI_SELINUX_TYPE="pki_tps_t"
+PKI_TYPE="pki-tps"
+
+# PKI subsystem-level directory and file values for locks
+lockfile="/var/lock/subsys/pki-tpsd"
+
+# Disallow 'others' the ability to 'write' to new files
+umask 00002
+
+default_error=0
+command="$1"
+pki_instance="$2"
+case "${command}" in
+ start|stop|restart|condrestart|force-restart|try-restart)
+ # * 1 generic or unspecified error (current practice)
+ default_error=1
+ ;;
+ reload)
+ default_error=3
+ ;;
+ status)
+ # * 4 program or service status is unknown
+ default_error=4
+ ;;
+ *)
+ # * 2 invalid argument(s)
+ default_error=2
+ ;;
+esac
+
+# Check to insure that this script's original invocation directory
+# has not been deleted!
+CWD=`/bin/pwd > /dev/null 2>&1`
+if [ $? -ne 0 ] ; then
+ echo "Cannot invoke '$0' from non-existent directory!"
+ exit ${default_error}
+fi
+
+# Check to insure that this script's associated PKI
+# subsystem currently resides on this system.
+if [ ! -d ${PKI_PATH} ] ; then
+ echo "This machine is missing the '${PKI_TYPE}' subsystem!"
+ if [ "${command}" != "status" ]; then
+ # * 5 program is not installed
+ exit 5
+ else
+ exit ${default_error}
+ fi
+fi
+
+# Check to insure that this script's associated PKI
+# subsystem instance registry currently resides on this system.
+if [ ! -d ${PKI_REGISTRY} ] ; then
+ echo "This machine contains no registered '${PKI_TYPE}' subsystem instances!"
+ if [ "${command}" != "status" ]; then
+ # * 5 program is not installed
+ exit 5
+ else
+ exit ${default_error}
+ fi
+fi
+
+# Obtain the operating system upon which this script is being executed
+# and initialize environment variables
+OS=`uname -s`
+ARCHITECTURE=""
+LD_LIBRARY_PATH=""
+
+# Time to wait in seconds, before killing process
+#
+# NOTE: Defined in "tomcat5.conf" for PKI Java/Tomcat Subsystems.
+#
+STARTUP_WAIT=30
+SHUTDOWN_WAIT=30
+
+# This script must be run as root!
+RV=0
+if [ ${OS} = "Linux" ] ; then
+ PKI_INIT_SCRIPT="/sbin/service ${PKI_PROCESS}"
+ if [ `id -u` -ne 0 ] ; then
+ echo "Must be 'root' to execute '$0'!"
+ if [ "${command}" != "status" ]; then
+ # * 4 user had insufficient privilege
+ exit 4
+ else
+ # * 4 program or service status is unknown
+ exit 4
+ fi
+ fi
+ ARCHITECTURE=`uname -i`
+ if [ ${ARCHITECTURE} = "i386" ] ; then
+ LD_LIBRARY_PATH="/usr/lib:/lib:${LD_LIBRARY_PATH}"
+ elif [ ${ARCHITECTURE} = "x86_64" ] ; then
+ LD_LIBRARY_PATH="/usr/lib64:/lib64:${LD_LIBRARY_PATH}"
+ else
+ echo "Unsupported architecture '${ARCHITECTURE}'!"
+ exit ${default_error}
+ fi
+elif [ ${OS} = "SunOS" ] ; then
+ PKI_INIT_SCRIPT="/etc/init.d/${PKI_PROCESS}"
+ if [ `/usr/xpg4/bin/id -u` -ne 0 ] ; then
+ echo "Must be 'root' to execute '$0'!"
+ if [ "${command}" != "status" ]; then
+ # * 4 user had insufficient privilege
+ exit 4
+ else
+ # * 4 program or service status is unknown
+ exit 4
+ fi
+ fi
+ ARCHITECTURE=`uname -p`
+ if [ "${ARCHITECTURE}" = "sparc" ] &&
+ [ -d "/usr/lib/sparcv9/" ] ; then
+ ARCHITECTURE="sparcv9"
+ fi
+ if [ ${ARCHITECTURE} = "sparcv9" ] ; then
+ LD_LIBRARY_PATH="/usr/lib/sparcv9:/lib/sparcv9:${LD_LIBRARY_PATH}"
+ LD_LIBRARY_PATH="/usr/lib/sparcv9/dirsec:${LD_LIBRARY_PATH}"
+ else
+ echo "Unsupported architecture '${ARCHITECTURE}'!"
+ exit ${default_error}
+ fi
+else
+ echo "Unsupported OS '${OS}'!"
+ exit ${default_error}
+fi
+export LD_LIBRARY_PATH
+
+# Source function library.
+if [ -f /etc/init.d/functions ]; then
+ . /etc/init.d/functions
+else
+ # The checkpid() function is provided for platforms that do not
+ # contain the "/etc/init.d/functions" file (e. g. - Solaris) . . .
+
+ # Check if ${pid} (could be plural) are running (keep count)
+ checkpid()
+ {
+ rv=0
+ for i in $* ; do
+ ps -p $i > /dev/null 2>&1 ;
+ if [ $? -ne 0 ] ; then
+ rv=`expr $rv + 1`
+ else
+ rv=`expr $rv + 0`
+ fi
+ done
+ # echo "rv=$rv"
+ return $rv
+ }
+
+ # Create the following directories on platforms
+ # where they do not exist (e. g. - Solaris) . . .
+ if [ ! -d "/var/lock" ] ; then
+ mkdir -p /var/lock
+ chown root:sys /var/lock
+ chmod 00755 /var/lock
+ fi
+ if [ ! -d "/var/lock/subsys" ] ; then
+ mkdir -p /var/lock/subsys
+ chown root:root /var/lock/subsys
+ chmod 00755 /var/lock/subsys
+ fi
+fi
+
+PKI_REGISTRY_ENTRIES=""
+TOTAL_PKI_REGISTRY_ENTRIES=0
+TOTAL_UNCONFIGURED_PKI_ENTRIES=0
+
+# Gather ALL registered instances of this PKI subsystem type
+for FILE in `/bin/ls -1 ${PKI_REGISTRY}/* 2>/dev/null`; do
+ if [ -f "$FILE" ] ; then
+ inst=`echo "$FILE"`
+ PKI_REGISTRY_ENTRIES="${PKI_REGISTRY_ENTRIES} $inst"
+ TOTAL_PKI_REGISTRY_ENTRIES=`expr ${TOTAL_PKI_REGISTRY_ENTRIES} + 1`
+ fi
+done
+
+if [ -n "${pki_instance}" ]; then
+ for I in ${PKI_REGISTRY_ENTRIES}; do
+ if [ "${PKI_REGISTRY}/${pki_instance}" = "$I" ]; then
+ PKI_REGISTRY_ENTRIES="${PKI_REGISTRY}/${pki_instance}"
+ TOTAL_PKI_REGISTRY_ENTRIES=1
+ break
+ fi
+ done
+fi
+
+usage()
+{
+ echo -n "Usage: ${PKI_INIT_SCRIPT} "
+ echo -n "{start"
+ echo -n "|stop"
+ echo -n "|restart"
+ echo -n "|condrestart"
+ echo -n "|force-restart"
+ echo -n "|try-restart"
+ echo -n "|reload"
+ echo -n "|status} "
+ echo -n "[instance-name]"
+ echo
+ echo
+}
+
+list_instances()
+{
+ echo
+ for FILE in `/bin/ls -1 ${PKI_REGISTRY}/* 2>/dev/null`; do
+ echo " ${FILE}"
+ done
+ echo
+}
+
+# Check arguments
+if [ $# -lt 1 ] ; then
+ # * 3 unimplemented feature (for example, "reload")
+ # [insufficient arguments]
+ echo "$0: Insufficient arguments!"
+ echo
+ usage
+ echo "where valid instance names include:"
+ list_instances
+ exit 3
+elif [ ${default_error} -eq 2 ] ; then
+ # * 2 invalid argument
+ echo "$0: Invalid arguments!"
+ echo
+ usage
+ echo "where valid instance names include:"
+ list_instances
+ exit 2
+elif [ $# -gt 2 ] ; then
+ echo "$0: Excess arguments!"
+ echo
+ usage
+ echo "where valid instance names include:"
+ list_instances
+ if [ "${command}" != "status" ]; then
+ # * 2 excess arguments
+ exit 2
+ else
+ # * 4 program or service status is unknown
+ exit 4
+ fi
+fi
+
+# If an "instance" was supplied, check that it is a "valid" instance
+if [ -n "${pki_instance}" ]; then
+ if [ "${PKI_REGISTRY}/${pki_instance}" != "${PKI_REGISTRY_ENTRIES}" ]; then
+ echo -n "${pki_instance} is an invalid '${PKI_TYPE}' instance"
+ echo_failure
+ echo
+ if [ "${command}" != "status" ]; then
+ # * 5 program is not installed
+ exit 5
+ else
+ # * 4 program or service status is unknown
+ exit 4
+ fi
+ fi
+fi
+
+# On Solaris /var/run is in tmpfs and gets wiped out upon reboot
+# we have to recreate the ${PKI_PIDDIR} directory and make sure that
+# the directory is writable by the ${PKI_TYPE} server process.
+#
+# IMPORTANT: ALL PKI subsystems installed on this machine MUST utilize
+# the SAME values for ${PKI_GROUP} and ${PKI_USER}, since the
+# "${PKI_PIDDIR}" will end up with the ownership permissions
+# of the first instance that executes this function!
+#
+fix_pid_dir_ownership()
+{
+ if [ ! -d ${PKI_PIDDIR} ] ; then
+ mkdir -p ${PKI_PIDDIR}
+
+ chown root:root /var/run/pki
+ chmod 00755 /var/run/pki
+
+ chown root:root ${PKI_PIDDIR}
+ chmod 00755 ${PKI_PIDDIR}
+ fi
+}
+
+check_pki_configuration_status()
+{
+ rv=0
+
+ rv=`grep -c ^preop ${pki_instance_configuration_file}`
+
+ rv=`expr ${rv} + 0`
+
+ if [ ${rv} -ne 0 ] ; then
+ echo " '${PKI_INSTANCE_ID}' must still be CONFIGURED!"
+ echo " (see /var/log/${PKI_INSTANCE_ID}-install.log)"
+ if [ "${command}" != "status" ]; then
+ # * 6 program is not configured
+ rv=6
+ else
+ # * 4 program or service status is unknown
+ rv=4
+ fi
+ TOTAL_UNCONFIGURED_PKI_ENTRIES=`expr ${TOTAL_UNCONFIGURED_PKI_ENTRIES} + 1`
+ elif [ -f ${RESTART_SERVER} ] ; then
+ echo -n " Although '${PKI_INSTANCE_ID}' has been CONFIGURED, "
+ echo -n "it must still be RESTARTED!"
+ echo
+ if [ "${command}" != "status" ]; then
+ # * 1 generic or unspecified error (current practice)
+ rv=1
+ else
+ # * 4 program or service status is unknown
+ rv=4
+ fi
+ fi
+
+ return ${rv}
+}
+
+get_pki_status_definitions()
+{
+ # establish well-known strings
+ listen_statement="Listen"
+ total_ports=0
+ UNSECURE_PORT=""
+ CLIENTAUTH_PORT=""
+ NON_CLIENTAUTH_PORT=""
+
+ # check to see that an instance-specific "httpd.conf" file exists
+ if [ ! -f ${PKI_HTTPD_CONF} ] ; then
+ echo "File '${PKI_HTTPD_CONF}' does not exist!"
+ exit ${default_error}
+ fi
+
+ # check to see that an instance-specific "nss.conf" file exists
+ if [ ! -f ${PKI_NSS_CONF} ] ; then
+ echo "File '${PKI_NSS_CONF}' does not exist!"
+ exit ${default_error}
+ fi
+
+ # read this instance-specific "httpd.conf" file line-by-line
+ # to obtain the current value of the PKI unsecure port
+
+ exec < ${PKI_HTTPD_CONF}
+ while read line; do
+ # look for the listen statement
+ head=`echo $line | cut -b1-6`
+ if [ "$head" == "$listen_statement" ] ; then
+ # once the 'unsecure' listen statement has been found,
+ # extract the numeric port information
+ port=`echo $line | cut -b8-`
+ UNSECURE_PORT=$port
+ echo " Unsecure Port = http://${PKI_SERVER_NAME}:${UNSECURE_PORT}/cgi-bin/so/enroll.cgi"
+ echo " (ESC Security Officer Enrollment)"
+ echo " Unsecure Port = http://${PKI_SERVER_NAME}:${UNSECURE_PORT}/cgi-bin/home/index.cgi"
+ echo " (ESC Phone Home)"
+ total_ports=`expr ${total_ports} + 1`
+ break;
+ fi
+ done
+
+ # read this instance-specific "nss.conf" file line-by-line
+ # to obtain the current value of the "clientauth" PKI secure port
+ # AND the current value of the "non-clientauth" PKI secure port
+
+ exec < ${PKI_NSS_CONF}
+ while read line; do
+ # look for the listen statement
+ head=`echo $line | cut -b1-6`
+ if [ "$head" == "$listen_statement" ] &&
+ [ ${total_ports} -eq 2 ] ; then
+ # once the 'non-clientauth' listen statement has been found,
+ # extract the numeric port information
+ non_clientauth_port=`echo $line | cut -b8-`
+ NON_CLIENTAUTH_PORT=$non_clientauth_port
+ echo " Secure Non-Clientauth Port = https://${PKI_SERVER_NAME}:${NON_CLIENTAUTH_PORT}/cgi-bin/so/enroll.cgi"
+ echo " (ESC Security Officer Enrollment)"
+ echo " Secure Non-Clientauth Port = https://${PKI_SERVER_NAME}:${NON_CLIENTAUTH_PORT}/cgi-bin/home/index.cgi"
+ echo " (ESC Phone Home)"
+ total_ports=`expr ${total_ports} + 1`
+ break
+ fi
+ if [ "$head" == "$listen_statement" ] &&
+ [ ${total_ports} -eq 1 ] ; then
+ # once the 'clientauth' listen statement has been found,
+ # extract the numeric port information
+ clientauth_port=`echo $line | cut -b8-`
+ CLIENTAUTH_PORT=$clientauth_port
+ echo " Secure Clientauth Port = https://${PKI_SERVER_NAME}:${CLIENTAUTH_PORT}/cgi-bin/sow/welcome.cgi"
+ echo " (ESC Security Officer Workstation)"
+ echo " Secure Clientauth Port = https://${PKI_SERVER_NAME}:${CLIENTAUTH_PORT}/tus"
+ echo " (TPS Roles - Operator/Administrator/Agent)"
+ total_ports=`expr ${total_ports} + 1`
+ fi
+ done
+
+ if [ ${total_ports} -eq 3 ] ; then
+ return 0
+ else
+ return ${default_error}
+ fi
+}
+
+get_pki_configuration_definitions()
+{
+ # Obtain the PKI Subsystem Type
+ line=`grep ^cs.type= ${pki_instance_configuration_file}`
+ pki_subsystem=`echo "${line}" | cut -b9-`
+ if [ "${line}" != "" ] ; then
+ if [ "${pki_subsystem}" != "CA" ] &&
+ [ "${pki_subsystem}" != "KRA" ] &&
+ [ "${pki_subsystem}" != "OCSP" ] &&
+ [ "${pki_subsystem}" != "TKS" ] &&
+ [ "${pki_subsystem}" != "RA" ] &&
+ [ "${pki_subsystem}" != "TPS" ]
+ then
+ return ${default_error}
+ fi
+ if [ "${pki_subsystem}" == "KRA" ] ; then
+ # Rename "KRA" to "DRM"
+ pki_subsystem="DRM"
+ fi
+ else
+ return ${default_error}
+ fi
+
+ # If "${pki_subsystem}" is a CA, DRM, OCSP, or TKS,
+ # check to see if "${pki_subsystem}" is a "Clone"
+ pki_clone=""
+ if [ "${pki_subsystem}" == "CA" ] ||
+ [ "${pki_subsystem}" == "DRM" ] ||
+ [ "${pki_subsystem}" == "OCSP" ] ||
+ [ "${pki_subsystem}" == "TKS" ]
+ then
+ line=`grep ^subsystem.select= ${pki_instance_configuration_file}`
+ if [ "${line}" != "" ] ; then
+ pki_clone=`echo "${line}" | cut -b18-`
+ if [ "${pki_clone}" != "Clone" ] ; then
+ # Reset "${pki_clone}" to be empty
+ pki_clone=""
+ fi
+ else
+ return ${default_error}
+ fi
+ fi
+
+ # If "${pki_subsystem}" is a CA, and is NOT a "Clone", check to
+ # see "${pki_subsystem}" is a "Root" or a "Subordinate" CA
+ pki_hierarchy=""
+ if [ "${pki_subsystem}" == "CA" ] &&
+ [ "${pki_clone}" != "Clone" ]
+ then
+ line=`grep ^hierarchy.select= ${pki_instance_configuration_file}`
+ if [ "${line}" != "" ] ; then
+ pki_hierarchy=`echo "${line}" | cut -b18-`
+ else
+ return ${default_error}
+ fi
+ fi
+
+ # If ${pki_subsystem} is a CA, check to
+ # see if it is also a Security Domain
+ pki_security_domain=""
+ if [ "${pki_subsystem}" == "CA" ] ; then
+ line=`grep ^securitydomain.select= ${pki_instance_configuration_file}`
+ if [ "${line}" != "" ] ; then
+ pki_security_domain=`echo "${line}" | cut -b23-`
+ if [ "${pki_security_domain}" == "new" ] ; then
+ # Set a fixed value for "${pki_security_domain}"
+ pki_security_domain="(Security Domain)"
+ else
+ # Reset "${pki_security_domain}" to be empty
+ pki_security_domain=""
+ fi
+ else
+ return ${default_error}
+ fi
+ fi
+
+ # Always obtain this PKI instance's "registered"
+ # security domain information
+ pki_security_domain_name=""
+ pki_security_domain_hostname=""
+ pki_security_domain_https_admin_port=""
+
+ line=`grep ^securitydomain.name= ${pki_instance_configuration_file}`
+ if [ "${line}" != "" ] ; then
+ pki_security_domain_name=`echo "${line}" | cut -b21-`
+ else
+ return ${default_error}
+ fi
+
+ line=`grep ^securitydomain.host= ${pki_instance_configuration_file}`
+ if [ "${line}" != "" ] ; then
+ pki_security_domain_hostname=`echo "${line}" | cut -b21-`
+ else
+ return ${default_error}
+ fi
+
+ line=`grep ^securitydomain.httpsadminport= ${pki_instance_configuration_file}`
+ if [ "${line}" != "" ] ; then
+ pki_security_domain_https_admin_port=`echo "${line}" | cut -b31-`
+ else
+ return ${default_error}
+ fi
+
+ # Compose the "PKI Instance Name" Status Line
+ pki_instance_name="PKI Instance Name: ${PKI_INSTANCE_ID}"
+
+ # Compose the "PKI Subsystem Type" Status Line
+ header="PKI Subsystem Type: "
+ if [ "${pki_clone}" != "" ] ; then
+ if [ "${pki_security_domain}" != "" ]; then
+ # Possible Values:
+ #
+ # "CA Clone (Security Domain)"
+ #
+ data="${pki_subsystem} ${pki_clone} ${pki_security_domain}"
+ else
+ # Possible Values:
+ #
+ # "CA Clone"
+ # "DRM Clone"
+ # "OCSP Clone"
+ # "TKS Clone"
+ #
+ data="${pki_subsystem} ${pki_clone}"
+ fi
+ elif [ "${pki_hierarchy}" != "" ] ; then
+ if [ "${pki_security_domain}" != "" ]; then
+ # Possible Values:
+ #
+ # "Root CA (Security Domain)"
+ # "Subordinate CA (Security Domain)"
+ #
+ data="${pki_hierarchy} ${pki_subsystem} ${pki_security_domain}"
+ else
+ # Possible Values:
+ #
+ # "Root CA"
+ # "Subordinate CA"
+ #
+ data="${pki_hierarchy} ${pki_subsystem}"
+ fi
+ else
+ # Possible Values:
+ #
+ # "DRM"
+ # "OCSP"
+ # "RA"
+ # "TKS"
+ # "TPS"
+ #
+ data="${pki_subsystem}"
+ fi
+ pki_subsystem_type="${header} ${data}"
+
+ # Compose the "Registered PKI Security Domain Information" Status Line
+ header="Name: "
+ registered_pki_security_domain_name="${header} ${pki_security_domain_name}"
+
+ header="URL: "
+ if [ "${pki_security_domain_hostname}" != "" ] &&
+ [ "${pki_security_domain_https_admin_port}" != "" ]
+ then
+ data="https://${pki_security_domain_hostname}:${pki_security_domain_https_admin_port}"
+ else
+ return ${default_error}
+ fi
+ registered_pki_security_domain_url="${header} ${data}"
+
+ # Print the "PKI Subsystem Type" Status Line
+ echo
+ echo " ${pki_instance_name}"
+
+ # Print the "PKI Subsystem Type" Status Line
+ echo
+ echo " ${pki_subsystem_type}"
+
+ # Print the "Registered PKI Security Domain Information" Status Line
+ echo
+ echo " Registered PKI Security Domain Information:"
+ echo " =========================================================================="
+ echo " ${registered_pki_security_domain_name}"
+ echo " ${registered_pki_security_domain_url}"
+ echo " =========================================================================="
+
+ return 0
+}
+
+get_pki_secure_port()
+{
+ # establish well-known strings
+ listen_statement="Listen"
+
+ # first check to see that an instance-specific "nss.conf" file exists
+ if [ ! -f ${PKI_NSS_CONF} ] ; then
+ echo "File '${PKI_NSS_CONF}' does not exist!"
+ exit ${default_error}
+ fi
+
+ # read this instance-specific "nss.conf" file line-by-line
+ # to obtain the current value of the "clientauth" PKI secure port
+ exec < ${PKI_NSS_CONF}
+ while read line; do
+ # look for the listen statement
+ head=`echo $line | cut -b1-6`
+ if [ "$head" == "$listen_statement" ] ; then
+ # once the 'clientauth' listen statement has been found,
+ # extract the numeric port information
+ port=`echo $line | cut -b8-`
+ SECURE_PORT=$port
+ return 0
+ fi
+ done
+
+ return ${default_error}
+}
+
+display_instance_status()
+{
+ rv=0
+
+ if [ -f ${pidfile} ] ; then
+ pid=`cat ${pidfile}`
+ if [ "${pid}" == "" ] ; then
+ echo "${PKI_INSTANCE_ID} pid file exists but is empty"
+ if [ "${command}" != "status" ]; then
+ # * 1 generic or unspecified error (current practice)
+ rv=1
+ else
+ # * 4 program or service status is unknown
+ rv=4
+ fi
+ elif kill -0 ${pid} > /dev/null 2>&1 ; then
+ echo "${PKI_INSTANCE_ID} (pid ${pid}) is running ..."
+ echo
+ check_pki_configuration_status
+ rv=$?
+ if [ ${rv} -eq 0 ] ; then
+ get_pki_status_definitions
+ rv=$?
+ if [ ${rv} -ne 0 ] ; then
+ echo
+ echo "${PKI_INSTANCE_ID} Status Definitions not found"
+ else
+ get_pki_configuration_definitions
+ rv=$?
+ if [ ${rv} -ne 0 ] ; then
+ echo
+ echo "${PKI_INSTANCE_ID} Configuration Definitions not found"
+ fi
+ fi
+ else
+ # From the PKI point of view for a "non-status" action,
+ # a returned error code of "6" implies that the program
+ # is not "configured". Similarly, an error code of "1"
+ # implies that the program was "configured" but must
+ # still be restarted.
+ #
+ # Similarly, from the PKI point of view for a "status"
+ # action, a returned error code of "4" implies that either
+ # the program is not "configured", or that the program
+ # was "configured" but must still be restarted.
+ #
+ # Regardless, it must still be considered that the instance
+ # is "running" from the viewpoint of other OS programs such
+ # as 'chkconfig'.
+ #
+ # For this reason, when returning from
+ # 'display_instance_status()', ignore non-zero return codes
+ # returned from 'check_pki_configuration_status()'.
+ #
+ if [ "${command}" != "status" ]; then
+ # * 0 action was successful
+ rv=0
+ else
+ # * 0 program is running or service is OK
+ rv=0
+ fi
+ fi
+ echo
+ else
+ echo "${PKI_INSTANCE_ID} is dead but pid file exists"
+ if [ "${command}" != "status" ]; then
+ # * 1 generic or unspecified error (current practice)
+ rv=1
+ else
+ # * 1 program is dead and /var/run pid file exists
+ rv=1
+ fi
+ fi
+ else
+ echo "${PKI_INSTANCE_ID} is stopped"
+ if [ "${command}" != "status" ]; then
+ # * 7 program is not running
+ rv=7
+ else
+ # * 3 program is not running
+ rv=3
+ fi
+ fi
+
+ return ${rv}
+}
+
+start_instance()
+{
+ rv=0
+
+ echo -n $"Starting ${prog}: "
+
+ if [ -f ${RESTART_SERVER} ] ; then
+ rm -f ${RESTART_SERVER}
+ fi
+
+ if [ -f ${PKI_LOCKFILE} ] ; then
+ if [ -f ${pidfile} ]; then
+ read kpid < ${pidfile}
+ if checkpid $kpid 2>&1; then
+ echo
+ echo "${PKI_INSTANCE_ID} (pid ${kpid}) is already running ..."
+ echo
+ check_pki_configuration_status
+ rv=$?
+ if [ ${rv} != 0 ]; then
+ # From the PKI point of view for a "non-status" action,
+ # a returned error code of "6" implies that the program
+ # is not "configured". Similarly, an error code of "1"
+ # implies that the program was "configured" but must
+ # still be restarted.
+ #
+ # Regardless, it must still be considered that the instance
+ # is "running" from the viewpoint of other OS programs such
+ # as 'chkconfig'.
+ #
+ # For "non-status" actions, ignore return codes of "1"
+ # from 'check_pki_configuration_status()'.
+ #
+ # However, for "non-status" actions that have a return
+ # code of "6", return this value unchanged to
+ # the calling routine so that the total number of
+ # configuration errors may be counted.
+ #
+
+ echo
+ if [ ${rv} = 1 ] ; then
+ # * 0 action was successful
+ return 0
+ elif [ ${rv} = 6 ] ; then
+ # * 6 program is not configured
+ return 6
+ else
+ # should never be reached
+ return ${rv}
+ fi
+ else
+ return 0
+ fi
+ else
+ echo
+ echo -n "lock file found but no process "
+ echo -n "running for pid $kpid, continuing"
+ echo
+ echo
+ rm -f ${PKI_LOCKFILE}
+ fi
+ fi
+ fi
+
+ fix_pid_dir_ownership
+
+ touch ${pidfile}
+ chown ${PKI_USER}:${PKI_GROUP} ${pidfile}
+ chmod 00600 ${pidfile}
+ [ -x /sbin/restorecon ] && /sbin/restorecon ${pidfile}
+
+ # restore context for ncipher hsm
+ [ -x /sbin/restorecon ] && [ -d /dev/nfast ] && /sbin/restorecon -R /dev/nfast
+
+ if [ -f /etc/init.d/functions ]; then
+ /usr/sbin/selinuxenabled
+ rv=$?
+ if [ ${rv} = 0 ] ; then
+ if [ ${ARCHITECTURE} = "i386" ] ; then
+ LANG=${PKI_HTTPD_LANG} daemon runcon -t ${PKI_SELINUX_TYPE} -- ${httpd} ${PKI_OPTIONS}
+ # overwrite output from "daemon"
+ echo -n $"Starting ${prog}: "
+ elif [ ${ARCHITECTURE} = "x86_64" ] ; then
+ # NOTE: "daemon" is incompatible with "httpd"
+ # on 64-bit architectures
+ LANG=${PKI_HTTPD_LANG} runcon -t ${PKI_SELINUX_TYPE} -- ${httpd} ${PKI_OPTIONS}
+ fi
+ else
+ LANG=${PKI_HTTPD_LANG} daemon ${httpd} ${PKI_OPTIONS}
+ # overwrite output from "daemon"
+ echo -n $"Starting ${prog}: "
+ fi
+ else
+ LANG=${PKI_HTTPD_LANG} ${httpd} ${PKI_OPTIONS} -k start
+ fi
+
+ rv=$?
+ if [ ${rv} = 0 ] ; then
+ touch ${PKI_LOCKFILE}
+ chown ${PKI_USER}:${PKI_GROUP} ${PKI_LOCKFILE}
+ chmod 00600 ${PKI_LOCKFILE}
+ fi
+
+ if [ ${rv} = 0 ] ; then
+ count=0;
+
+ let swait=$STARTUP_WAIT
+ until [ -s ${pidfile} ] ||
+ [ $count -gt $swait ]
+ do
+ echo -n "."
+ sleep 1
+ let count=$count+1;
+ done
+
+ if [ -f /etc/init.d/functions ]; then
+ if [ "$CONSOLETYPE" = "serial" ]; then
+ echo -n " "
+ fi
+ echo_success
+ echo
+ else
+ echo " [ OK ]"
+ fi
+
+ get_pki_secure_port
+ if [ $? -ne 0 ] ; then
+ SECURE_PORT="<Port Undefined>"
+ fi
+
+ # Set permissions of log files
+ pki_signedAudit="${pki_logs_directory}/signedAudit"
+ for file in ${pki_logs_directory}/*; do
+ if [ "${file}" != "${pki_signedAudit}" ]; then
+ chown ${PKI_USER}:${PKI_GROUP} ${file}
+ chmod 00660 ${file}
+ fi
+ done
+
+ # Set permissions of signedAudit log files
+ pki_signedAudit_files=`ls -1A ${pki_signedAudit} | wc -l`
+ if [ ${pki_signedAudit_files} -gt 0 ]; then
+ for file in ${pki_signedAudit}/*; do
+ chown ${PKI_USER}:${PKI_GROUP} ${file}
+ chmod 00660 ${file}
+ done
+ fi
+
+ # ignore "status" return codes
+ echo
+ display_instance_status
+ else
+ if [ -f /etc/init.d/functions ]; then
+ if [ "$CONSOLETYPE" = "serial" ]; then
+ $0 echo -n " "
+ fi
+ echo_failure
+ echo
+ else
+ echo " [ FAILED ]"
+ fi
+ fi
+
+ if [ ${OS} = "Linux" ] ; then
+ sleep 10
+ elif [ ${OS} = "SunOS" ] ; then
+ sleep 20
+ fi
+ return ${rv}
+}
+
+stop_instance()
+{
+ rv=0
+
+ echo -n "Stopping ${prog}: "
+
+ if [ -f ${PKI_LOCKFILE} ] ; then
+ ${httpd} ${PKI_OPTIONS} -k stop
+
+ rv=$?
+
+ if [ ${rv} = 0 ]; then
+ count=0;
+
+ if [ -f ${pidfile} ]; then
+ read kpid < ${pidfile}
+ let kwait=$SHUTDOWN_WAIT
+
+ until [ `ps -p $kpid | grep -c $kpid` = '0' ] ||
+ [ $count -gt $kwait ]
+ do
+ echo -n "."
+ sleep 1
+ let count=$count+1;
+ done
+
+ if [ $count -gt $kwait ]; then
+ kill -9 $kpid
+ fi
+ fi
+
+ rm -f ${PKI_LOCKFILE}
+ rm -f ${pidfile}
+
+ if [ -f /etc/init.d/functions ]; then
+ if [ "$CONSOLETYPE" = "serial" ]; then
+ echo -n " "
+ fi
+ echo_success
+ echo
+ else
+ echo " [ OK ]"
+ fi
+ else
+ if [ -f /etc/init.d/functions ]; then
+ if [ "$CONSOLETYPE" = "serial" ]; then
+ echo -n " "
+ fi
+ echo_failure
+ echo
+ else
+ echo " [ FAILED ]"
+ fi
+ rv=${default_error}
+ fi
+ else
+ echo
+ echo "process already stopped"
+ rv=0
+ fi
+
+ return ${rv}
+}
+
+reload_instance()
+{
+ rv=0
+
+ echo -n $"Reloading ${prog}: "
+
+ if ! LANG=${PKI_HTTPD_LANG} ${httpd} ${PKI_OPTIONS} -t >&/dev/null; then
+ rv=$?
+ echo $"not reloading due to configuration syntax error"
+ if [ -f /etc/init.d/functions ]; then
+ failure $"not reloading ${httpd} due to configuration syntax error"
+ else
+ echo $"not reloading ${httpd} due to configuration syntax error"
+ fi
+ else
+ if [ -f /etc/init.d/functions ]; then
+ killproc -p ${pidfile} ${httpd} -HUP
+ rv=$?
+ else
+ if [ -f ${PKI_LOCKFILE} ] ; then
+ if [ -f ${pidfile} ]; then
+ read kpid < ${pidfile}
+ if checkpid $kpid 2>&1; then
+ kill -HUP $kpid
+ rv=$?
+ if [ ${rv} != 0 ]; then
+ rv=${default_error}
+ fi
+ fi
+ else
+ # * 7 program is not running
+ rv=7
+ echo
+ echo -n "lock file found but no process "
+ echo -n "running for pid $kpid, continuing"
+ echo
+ echo
+ rm -f ${PKI_LOCKFILE}
+ fi
+ fi
+ fi
+ fi
+ echo
+
+ return ${rv}
+}
+
+# The semantics of the 'start()' function differs from the way 'apachectl'
+# does things -- attempting to start while running is a failure.
+# So we just do it the way init scripts are expected to behave here.
+start()
+{
+ # From "http://fedoraproject.org/wiki/FCNewInit/Initscripts":
+ #
+ # * 0 action was successful
+ # * 1 generic or unspecified error (current practice)
+ # * 2 invalid or excess argument(s)
+ # * 3 unimplemented feature (for example, "reload")
+ # * 4 user had insufficient privilege
+ # * 5 program is not installed
+ # * 6 program is not configured
+ # * 7 program is not running
+ # * 8-99 reserved for future LSB use
+ # * 100-149 reserved for distribution use
+ # * 150-199 reserved for application use
+ # * 200-254 reserved
+ #
+
+ error_rv=0
+ rv=0
+
+ if [ -n "${PKI_REGISTRY_ENTRIES}" ]; then
+ config_errors=0
+ errors=0
+
+ if [ ${TOTAL_PKI_REGISTRY_ENTRIES} -gt 1 ] ; then
+ echo "BEGIN STARTING '${PKI_TYPE}' INSTANCE(S):"
+ fi
+
+ # Start every PKI instance of this type that isn't already running
+ for PKI_REGISTRY_ENTRY in ${PKI_REGISTRY_ENTRIES}; do
+ # Source values associated with this particular PKI instance
+ [ -f ${PKI_REGISTRY_ENTRY} ] &&
+ . ${PKI_REGISTRY_ENTRY}
+
+ pidfile=${PKI_PIDDIR}/${PKI_PIDFILE}
+
+ [ ${TOTAL_PKI_REGISTRY_ENTRIES} -gt 1 ] && echo
+
+ start_instance
+
+ rv=$?
+ if [ ${rv} = 6 ] ; then
+ # Since at least ONE configuration error exists, then there
+ # is at least ONE unconfigured instance from the PKI point
+ # of view.
+ #
+ # However, it must still be considered that the
+ # instance is "running" from the point of view of other
+ # OS programs such as 'chkconfig'.
+ #
+ # Therefore, ignore non-zero return codes resulting
+ # from configuration errors.
+ #
+
+ config_errors=`expr $config_errors + 1`
+ rv=0
+ elif [ ${rv} != 0 ] ; then
+ errors=`expr $errors + 1`
+ error_rv=${rv}
+ fi
+ done
+
+ if [ ${TOTAL_PKI_REGISTRY_ENTRIES} -gt ${errors} ] ; then
+ touch ${lockfile}
+ chmod 00600 ${lockfile}
+ fi
+
+ # ONLY print a "WARNING" message if multiple
+ # instances are being examined
+ if [ ${TOTAL_PKI_REGISTRY_ENTRIES} -gt 1 ] ; then
+ # NOTE: "bad" return code(s) OVERRIDE configuration errors!
+ if [ ${errors} -eq 1 ]; then
+ # Since only ONE error exists, return that "bad" error code.
+ rv=${error_rv}
+ elif [ ${errors} -gt 1 ]; then
+ # Since MORE than ONE error exists, return an OVERALL status
+ # of "1 generic or unspecified error (current practice)"
+ rv=1
+ fi
+
+ if [ ${errors} -ge 1 ]; then
+ echo
+ echo -n "WARNING: "
+ echo -n "${errors} of ${TOTAL_PKI_REGISTRY_ENTRIES} "
+ echo -n "'${PKI_TYPE}' instances failed to start!"
+ echo
+ fi
+
+ if [ ${TOTAL_UNCONFIGURED_PKI_ENTRIES} -ge 1 ]; then
+ echo
+ echo -n "WARNING: "
+ echo -n "${TOTAL_UNCONFIGURED_PKI_ENTRIES} "
+ echo -n "of ${TOTAL_PKI_REGISTRY_ENTRIES} "
+ echo -n "'${PKI_TYPE}' instances MUST be configured!"
+ echo
+ fi
+
+ echo
+ echo "FINISHED STARTING '${PKI_TYPE}' INSTANCE(S)."
+ fi
+ else
+ echo
+ echo "ERROR: No '${PKI_TYPE}' instances installed!"
+ rv=5
+ fi
+
+ return ${rv}
+}
+
+# The semantics of the 'stop()' function differs from the way 'apachectl'
+# does things -- attempting to shutdown when not running is a failure.
+# So we just do it the way init scripts are expected to behave here.
+stop()
+{
+ # From "http://fedoraproject.org/wiki/FCNewInit/Initscripts":
+ #
+ # * 0 action was successful
+ # * 1 generic or unspecified error (current practice)
+ # * 2 invalid or excess argument(s)
+ # * 3 unimplemented feature (for example, "reload")
+ # * 4 user had insufficient privilege
+ # * 5 program is not installed
+ # * 6 program is not configured
+ # * 7 program is not running
+ # * 8-99 reserved for future LSB use
+ # * 100-149 reserved for distribution use
+ # * 150-199 reserved for application use
+ # * 200-254 reserved
+ #
+
+ error_rv=0
+ rv=0
+
+ if [ -n "${PKI_REGISTRY_ENTRIES}" ]; then
+ errors=0
+
+ if [ ${TOTAL_PKI_REGISTRY_ENTRIES} -gt 1 ] ; then
+ echo "BEGIN SHUTTING DOWN '${PKI_TYPE}' INSTANCE(S):"
+ fi
+
+ # Shutdown every PKI instance of this type that is running
+ for PKI_REGISTRY_ENTRY in ${PKI_REGISTRY_ENTRIES}; do
+ # Source values associated with this particular PKI instance
+ [ -f ${PKI_REGISTRY_ENTRY} ] &&
+ . ${PKI_REGISTRY_ENTRY}
+
+ pidfile=${PKI_PIDDIR}/${PKI_PIDFILE}
+
+ [ ${TOTAL_PKI_REGISTRY_ENTRIES} -gt 1 ] && echo
+
+ stop_instance
+
+ rv=$?
+ if [ ${rv} != 0 ] ; then
+ errors=`expr $errors + 1`
+ error_rv=${rv}
+ fi
+ done
+
+ if [ ${errors} -eq 0 ] ; then
+ rm -f ${lockfile}
+ fi
+
+ # ONLY print a "WARNING" message if multiple
+ # instances are being examined
+ if [ ${TOTAL_PKI_REGISTRY_ENTRIES} -gt 1 ] ; then
+ if [ ${errors} -eq 1 ]; then
+ # Since only ONE error exists, return that "bad" error code.
+ rv=${error_rv}
+ elif [ ${errors} -gt 1 ]; then
+ # Since MORE than ONE error exists, return an OVERALL status
+ # of "1 generic or unspecified error (current practice)"
+ rv=1
+ fi
+
+ if [ ${errors} -ge 1 ]; then
+ echo
+ echo -n "WARNING: "
+ echo -n "${errors} of ${TOTAL_PKI_REGISTRY_ENTRIES} "
+ echo -n "'${PKI_TYPE}' instances were "
+ echo -n "unsuccessfully stopped!"
+ echo
+ fi
+
+ echo
+ echo "FINISHED SHUTTING DOWN '${PKI_TYPE}' INSTANCE(S)."
+ fi
+ else
+ echo
+ echo "ERROR: No '${PKI_TYPE}' instances installed!"
+ rv=5
+ fi
+
+ return ${rv}
+}
+
+restart()
+{
+ # From "http://fedoraproject.org/wiki/FCNewInit/Initscripts":
+ #
+ # * 0 action was successful
+ # * 1 generic or unspecified error (current practice)
+ # * 2 invalid or excess argument(s)
+ # * 3 unimplemented feature (for example, "reload")
+ # * 4 user had insufficient privilege
+ # * 5 program is not installed
+ # * 6 program is not configured
+ # * 7 program is not running
+ # * 8-99 reserved for future LSB use
+ # * 100-149 reserved for distribution use
+ # * 150-199 reserved for application use
+ # * 200-254 reserved
+ #
+
+ stop
+ sleep 2
+ echo
+ echo "============================================================"
+ echo
+ start
+
+ return $?
+}
+
+reload()
+{
+ # From "http://fedoraproject.org/wiki/FCNewInit/Initscripts":
+ #
+ # * 0 action was successful
+ # * 1 generic or unspecified error (current practice)
+ # * 2 invalid or excess argument(s)
+ # * 3 unimplemented feature (for example, "reload")
+ # * 4 user had insufficient privilege
+ # * 5 program is not installed
+ # * 6 program is not configured
+ # * 7 program is not running
+ # * 8-99 reserved for future LSB use
+ # * 100-149 reserved for distribution use
+ # * 150-199 reserved for application use
+ # * 200-254 reserved
+ #
+
+ error_rv=0
+ rv=0
+
+ if [ -n "${PKI_REGISTRY_ENTRIES}" ]; then
+ errors=0
+
+ if [ ${TOTAL_PKI_REGISTRY_ENTRIES} -gt 1 ] ; then
+ echo "BEGIN RELOADING '${PKI_TYPE}' INSTANCE(S):"
+ fi
+
+ # Reload every PKI instance of this type that is running
+ for PKI_REGISTRY_ENTRY in ${PKI_REGISTRY_ENTRIES}; do
+ # Source values associated with this particular PKI instance
+ [ -f ${PKI_REGISTRY_ENTRY} ] &&
+ . ${PKI_REGISTRY_ENTRY}
+
+ pidfile=${PKI_PIDDIR}/${PKI_PIDFILE}
+
+ [ ${TOTAL_PKI_REGISTRY_ENTRIES} -gt 1 ] && echo
+
+ reload_instance
+
+ rv=$?
+ if [ ${rv} != 0 ] ; then
+ errors=`expr $errors + 1`
+ error_rv=${rv}
+ fi
+ done
+
+ # ONLY print a "WARNING" message if multiple
+ # instances are being examined
+ if [ ${TOTAL_PKI_REGISTRY_ENTRIES} -gt 1 ] ; then
+ if [ ${errors} -eq 1 ]; then
+ # Since only ONE error exists, return that "bad" error code.
+ rv=${error_rv}
+ elif [ ${errors} -gt 1 ]; then
+ # Since MORE than ONE error exists, return an OVERALL status
+ # of "1 generic or unspecified error (current practice)"
+ rv=1
+ fi
+
+ if [ ${errors} -ge 1 ]; then
+ echo
+ echo -n "WARNING: "
+ echo -n "${errors} of ${TOTAL_PKI_REGISTRY_ENTRIES} "
+ echo -n "'${PKI_TYPE}' instances were "
+ echo -n "unsuccessfully reloaded!"
+ echo
+ fi
+
+ echo
+ echo "FINISHED RELOADING '${PKI_TYPE}' INSTANCE(S)."
+ fi
+ else
+ echo
+ echo "ERROR: No '${PKI_TYPE}' instances reloaded!"
+ rv=5
+ fi
+
+ return ${rv}
+}
+
+status()
+{
+ # From "http://fedoraproject.org/wiki/FCNewInit/Initscripts":
+ #
+ # * 0 program is running or service is OK
+ # * 1 program is dead and /var/run pid file exists
+ # * 2 program is dead and /var/lock lock file exists
+ # * 3 program is not running
+ # * 4 program or service status is unknown
+ # * 5-99 reserved for future LSB use
+ # * 100-149 reserved for distribution use
+ # * 150-199 reserved for application use
+ # * 200-254 reserved
+ #
+
+ error_rv=0
+ rv=0
+
+ if [ -n "${PKI_REGISTRY_ENTRIES}" ]; then
+ errors=0
+
+ if [ ${TOTAL_PKI_REGISTRY_ENTRIES} -gt 1 ] ; then
+ echo "REPORT STATUS OF '${PKI_TYPE}' INSTANCE(S):"
+ fi
+
+ # Obtain status of every PKI instance of this type
+ for PKI_REGISTRY_ENTRY in ${PKI_REGISTRY_ENTRIES}; do
+ # Source values associated with this particular PKI instance
+ [ -f ${PKI_REGISTRY_ENTRY} ] &&
+ . ${PKI_REGISTRY_ENTRY}
+
+ pidfile=${PKI_PIDDIR}/${PKI_PIDFILE}
+
+ [ ${TOTAL_PKI_REGISTRY_ENTRIES} -gt 1 ] && echo
+
+ display_instance_status
+
+ rv=$?
+ if [ ${rv} -ne 0 ] ; then
+ errors=`expr $errors + 1`
+ error_rv=${rv}
+ fi
+ done
+
+ # ONLY print a "WARNING" message if multiple
+ # instances are being examined
+ if [ ${TOTAL_PKI_REGISTRY_ENTRIES} -gt 1 ] ; then
+ if [ ${errors} -eq 1 ]; then
+ # Since only ONE error exists, return that "bad" error code.
+ rv=${error_rv}
+ elif [ ${errors} -gt 1 ]; then
+ # Since MORE than ONE error exists, return an OVERALL status
+ # of "4 - program or service status is unknown"
+ rv=4
+ fi
+
+ if [ ${errors} -ge 1 ]; then
+ echo
+ echo -n "WARNING: "
+ echo -n "${errors} of ${TOTAL_PKI_REGISTRY_ENTRIES} "
+ echo -n "'${PKI_TYPE}' instances reported status failures!"
+ echo
+ fi
+
+ if [ ${TOTAL_UNCONFIGURED_PKI_ENTRIES} -ge 1 ]; then
+ echo
+ echo -n "WARNING: "
+ echo -n "${TOTAL_UNCONFIGURED_PKI_ENTRIES} "
+ echo -n "of ${TOTAL_PKI_REGISTRY_ENTRIES} "
+ echo -n "'${PKI_TYPE}' instances MUST be configured!"
+ echo
+ fi
+
+ echo
+ echo "FINISHED REPORTING STATUS OF '${PKI_TYPE}' INSTANCE(S)."
+ fi
+ else
+ echo
+ echo "ERROR: No '${PKI_TYPE}' instances installed!"
+ rv=4
+ fi
+
+ return ${rv}
+}
+
+# See how we were called.
+case "${command}" in
+ start|stop|restart|reload|status)
+ ${command}
+ exit $?
+ ;;
+ condrestart|force-restart|try-restart)
+ [ ! -f ${lockfile} ] || restart
+ exit $?
+ ;;
+ *)
+ # * 3 unimplemented feature (for example, "reload")
+ # [invalid command - should never be reached]
+ echo
+ usage
+ echo "where valid instance names include:"
+ list_instances
+ exit 3
+ ;;
+esac
+
diff --git a/pki/base/tps/setup/postinstall b/pki/base/tps/setup/postinstall
deleted file mode 100755
index 4bab87edd..000000000
--- a/pki/base/tps/setup/postinstall
+++ /dev/null
@@ -1,68 +0,0 @@
-#!/bin/bash
-#
-# --- BEGIN COPYRIGHT BLOCK ---
-# This library is free software; you can redistribute it and/or
-# modify it under the terms of the GNU Lesser General Public
-# License as published by the Free Software Foundation;
-# version 2.1 of the License.
-#
-# This library is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
-# Lesser General Public License for more details.
-#
-# You should have received a copy of the GNU Lesser General Public
-# License along with this library; if not, write to the Free Software
-# Foundation, Inc., 51 Franklin Street, Fifth Floor,
-# Boston, MA 02110-1301 USA
-#
-# Copyright (C) 2007 Red Hat, Inc.
-# All rights reserved.
-# --- END COPYRIGHT BLOCK ---
-#
-
-###############################################################################
-## (1) Check command line arguments to see how many were passed in. ##
-###############################################################################
-
-if [ $# -eq 4 ]
-then
- PKI_PRODUCT_NAME=$1
- PKI_SUBSYSTEM_NAME=$2
- VERSION=$3
- RELEASE=$4
-else
- echo
- echo "Usage: $0 PKI_product_name PKI_subsystem_name version release"
- echo
-
- exit 255
-fi
-
-
-###############################################################################
-## (2) Specify variables used by this script. ##
-###############################################################################
-
-PKI_INSTANCE_NAME="${PKI_PRODUCT_NAME}-${PKI_SUBSYSTEM_NAME}"
-SECURE_PORT=7889
-NON_CLIENTAUTH_SECURE_PORT=7890
-UNSECURE_PORT=7888
-
-
-###############################################################################
-## (3) Create the first instance of a Token Processing System (TPS). ##
-###############################################################################
-
-if [ ! -e "/var/lib/${PKI_INSTANCE_NAME}" ]
-then
- /usr/bin/pkicreate -pki_instance_root=/var/lib -pki_instance_name=${PKI_INSTANCE_NAME} -subsystem_type=${PKI_SUBSYSTEM_NAME} -secure_port=${SECURE_PORT} -non_clientauth_secure_port=${NON_CLIENTAUTH_SECURE_PORT} -unsecure_port=${UNSECURE_PORT} -redirect conf=/etc/${PKI_INSTANCE_NAME} -redirect logs=/var/log/${PKI_INSTANCE_NAME}
-fi
-
-
-###############################################################################
-## (4) Successfully exit from this postinstallation script. ##
-###############################################################################
-
-exit 0
-
diff --git a/pki/base/tps/setup_package b/pki/base/tps/setup_package
index ea8728760..32ff70985 100755
--- a/pki/base/tps/setup_package
+++ b/pki/base/tps/setup_package
@@ -152,7 +152,7 @@ SYSTEM_LIBRARIES=${PKI_BUILD_PREFIX}/usr/${LIB_DIR}
if [ "${USE_OPT_FORTITUDE}" = "TRUE" ] ; then
APACHE_MODULES=${PKI_BUILD_PREFIX}/opt/fortitude/modules.local
else
- APACHE_MODULES=${PKI_BUILD_PREFIX}/etc/httpd/modules
+ APACHE_MODULES=${PKI_BUILD_PREFIX}/usr/${LIB_DIR}/httpd/modules
fi
# comply with standard JPackage 1.6.0 jar locations