authorvakwetu <vakwetu@c9f7a03b-bd48-0410-a16d-cbbf54688b0b>2011-08-23 18:37:28 +0000
committervakwetu <vakwetu@c9f7a03b-bd48-0410-a16d-cbbf54688b0b>2011-08-23 18:37:28 +0000
commitdcbedb00e5fae3d56bf8091b54773b8f18d4d3ad (patch)
treeddaeb25344e5e2c1379cd588632a1a926de577ff /pki
parent216293aca940f20c72ad5a388f2926657acabe03 (diff)
downloadpki-dcbedb00e5fae3d56bf8091b54773b8f18d4d3ad.tar.gz
pki-dcbedb00e5fae3d56bf8091b54773b8f18d4d3ad.tar.xz
pki-dcbedb00e5fae3d56bf8091b54773b8f18d4d3ad.zip
Resolves #712931 - CS requires too many ports to be open in the FW
git-svn-id: svn+ssh://svn.fedorahosted.org/svn/pki/trunk@2160 c9f7a03b-bd48-0410-a16d-cbbf54688b0b
Diffstat (limited to 'pki')
-rw-r--r--pki/base/ca/shared/conf/CS.cfg.in2
-rw-r--r--pki/base/ca/shared/conf/proxy.conf34
-rw-r--r--pki/base/ca/shared/conf/server.xml8
-rw-r--r--pki/base/ca/shared/webapps/ca/WEB-INF/web.xml28
-rwxr-xr-xpki/base/common/src/com/netscape/cms/servlet/csadmin/ImportCAChainPanel.java14
-rw-r--r--pki/base/common/src/com/netscape/cms/servlet/filter/AdminRequestFilter.java39
-rw-r--r--pki/base/common/src/com/netscape/cms/servlet/filter/AgentRequestFilter.java36
-rw-r--r--pki/base/common/src/com/netscape/cms/servlet/filter/EEClientAuthRequestFilter.java36
-rw-r--r--pki/base/common/src/com/netscape/cms/servlet/filter/EERequestFilter.java71
-rw-r--r--pki/base/common/src/com/netscape/cmscore/apps/CMSEngine.java22
-rw-r--r--pki/base/kra/shared/conf/CS.cfg.in2
-rw-r--r--pki/base/kra/shared/conf/server.xml8
-rw-r--r--pki/base/kra/shared/webapps/kra/WEB-INF/web.xml22
-rw-r--r--pki/base/ocsp/shared/conf/CS.cfg.in2
-rw-r--r--pki/base/ocsp/shared/conf/server.xml8
-rw-r--r--pki/base/ocsp/shared/webapps/ocsp/WEB-INF/web.xml22
-rw-r--r--pki/base/selinux/src/pki.if3
-rw-r--r--pki/base/selinux/src/pki.te14
-rwxr-xr-xpki/base/setup/pkicommon.pm27
-rwxr-xr-xpki/base/setup/pkicreate113
-rw-r--r--pki/base/tks/shared/conf/CS.cfg.in2
-rw-r--r--pki/base/tks/shared/conf/server.xml8
-rw-r--r--pki/base/tks/shared/webapps/tks/WEB-INF/web.xml22
-rw-r--r--pki/dogtag/ca-ui/shared/webapps/ca/agent/ca/displayCRL.template2
-rw-r--r--pki/dogtag/ca-ui/shared/webapps/ca/agent/ca/getOCSPInfo.template2
-rw-r--r--pki/dogtag/ca-ui/shared/webapps/ca/agent/ca/getStats.template2
-rw-r--r--pki/dogtag/ca-ui/shared/webapps/ca/ee/ca/CMCEnrollment.html2
-rw-r--r--pki/dogtag/ca-ui/shared/webapps/ca/ee/ca/ChallengeRevoke1.html6
-rw-r--r--pki/dogtag/ca-ui/shared/webapps/ca/ee/ca/ManCAEnroll.html2
-rw-r--r--pki/dogtag/ca-ui/shared/webapps/ca/ee/ca/ManRAEnroll.html2
-rw-r--r--pki/dogtag/ca-ui/shared/webapps/ca/ee/ca/ManServerEnroll.html2
-rw-r--r--pki/dogtag/ca-ui/shared/webapps/ca/ee/ca/NISUserEnroll.html6
-rw-r--r--pki/dogtag/ca-ui/shared/webapps/ca/ee/ca/OCSPResponder.html2
-rw-r--r--pki/dogtag/ca-ui/shared/webapps/ca/ee/ca/ObjSignPKCS10Enroll.html2
-rw-r--r--pki/dogtag/ca-ui/shared/webapps/ca/ee/ca/ProfileSelect.template2
-rw-r--r--pki/dogtag/ca-ui/shared/webapps/ca/ee/ca/UserRevocation.html2
-rw-r--r--pki/dogtag/ca-ui/shared/webapps/ca/ee/ca/checkRequest.html2
-rw-r--r--pki/dogtag/ca-ui/shared/webapps/ca/ee/ca/policyEnrollment/index.html2
-rw-r--r--pki/dogtag/ca-ui/shared/webapps/ca/ee/ca/profileEnrollment/index.html2
-rw-r--r--pki/dogtag/ca-ui/shared/webapps/ca/ee/ca/queryCert.html4
-rw-r--r--pki/dogtag/ca-ui/shared/webapps/ca/ee/ca/requestStatus.template2
-rw-r--r--pki/dogtag/kra-ui/shared/webapps/kra/agent/kra/GrantRecovery.html2
-rw-r--r--pki/dogtag/kra-ui/shared/webapps/kra/agent/kra/getStats.template2
-rw-r--r--pki/dogtag/kra-ui/shared/webapps/kra/agent/kra/processReq.template2
-rw-r--r--pki/dogtag/ocsp-ui/shared/webapps/ocsp/agent/ocsp/AddCA.html2
-rw-r--r--pki/dogtag/ocsp-ui/shared/webapps/ocsp/agent/ocsp/AddCRL.html2
-rw-r--r--pki/dogtag/ocsp-ui/shared/webapps/ocsp/agent/ocsp/CheckCert.html2
-rw-r--r--pki/dogtag/ocsp-ui/shared/webapps/ocsp/agent/ocsp/addCA.template2
-rw-r--r--pki/dogtag/ocsp-ui/shared/webapps/ocsp/agent/ocsp/addCRL.template2
-rw-r--r--pki/dogtag/ocsp-ui/shared/webapps/ocsp/agent/ocsp/checkCert.template2
-rw-r--r--pki/dogtag/ocsp-ui/shared/webapps/ocsp/agent/ocsp/getOCSPInfo.template2
-rw-r--r--pki/dogtag/ocsp-ui/shared/webapps/ocsp/agent/ocsp/getStats.template2
-rw-r--r--pki/dogtag/ocsp-ui/shared/webapps/ocsp/agent/ocsp/listCAs.template2
-rwxr-xr-xpki/dogtag/ocsp-ui/shared/webapps/ocsp/agent/ocsp/removeCA.template2
-rw-r--r--pki/dogtag/tks-ui/shared/webapps/tks/agent/tks/getStats.template2
55 files changed, 500 insertions, 117 deletions
diff --git a/pki/base/ca/shared/conf/CS.cfg.in b/pki/base/ca/shared/conf/CS.cfg.in
index 289f65147..e3447bbc8 100644
--- a/pki/base/ca/shared/conf/CS.cfg.in
+++ b/pki/base/ca/shared/conf/CS.cfg.in
@@ -20,6 +20,8 @@ preop.product.name=CS
preop.product.version=@VERSION@
preop.system.name=CA
preop.system.fullname=Certificate Authority
+proxy.securePort=[PKI_PROXY_SECURE_PORT]
+proxy.unsecurePort=[PKI_PROXY_UNSECURE_PORT]
cs.state._000=##
cs.state._001=## cs.state=0 (pre-operational)
cs.state._002=## cs.state=1 (running)
diff --git a/pki/base/ca/shared/conf/proxy.conf b/pki/base/ca/shared/conf/proxy.conf
new file mode 100644
index 000000000..663ba5722
--- /dev/null
+++ b/pki/base/ca/shared/conf/proxy.conf
@@ -0,0 +1,34 @@
+ProxyRequests Off
+
+# matches for ee port
+<LocationMatch "^/ca/ee/*|^/ca/renewal|^/ca/certbasedenrollment|^/ca/ocsp|^/ca/enrollment|^/ca/profileSubmit|^/ca/cgi-bin/pkiclient.exe">
+ NSSOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate
+ NSSVerifyClient none
+ ProxyPassMatch ajp://[PKI_MACHINE_NAME]:[PKI_AJP_PORT]/
+ ProxyPassReverse ajp://[PKI_MACHINE_NAME]:[PKI_AJP_PORT]/
+</LocationMatch>
+
+# matches for admin port
+<LocationMatch "^/ca/admin/*|^/ca/auths|^/ca/acl|^/ca/server|^/ca/caadmin|^/ca/caprofile|^/ca/jobsScheduler|^/ca/capublisher|^/ca/log|^/ca/ug">
+ NSSOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate
+ NSSVerifyClient none
+ ProxyPassMatch ajp://[PKI_MACHINE_NAME]:[PKI_AJP_PORT]/
+ ProxyPassReverse ajp://[PKI_MACHINE_NAME]:[PKI_AJP_PORT]/
+</LocationMatch>
+
+# matches for agent port and eeca port
+<LocationMatch "^/ca/agent/*|^/ca/ca/getCertFromRequest|^/ca/ca/GetBySerial|^/ca/ca/connector|/ca/ca/displayCertFromRequest|^/ca/doRevoke|^/ca/eeca/*">
+ NSSOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate
+ NSSVerifyClient require
+ ProxyPassMatch ajp://[PKI_MACHINE_NAME]:[PKI_AJP_PORT]/
+ ProxyPassReverse ajp://[PKI_MACHINE_NAME]:[PKI_AJP_PORT]/
+</LocationMatch>
+
+# static content
+<LocationMatch "^/graphics/*">
+ NSSOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate
+ NSSVerifyClient none
+ ProxyPassMatch ajp://[PKI_MACHINE_NAME]:[PKI_AJP_PORT]/
+ ProxyPassReverse ajp://[PKI_MACHINE_NAME]:[PKI_AJP_PORT]/
+</LocationMatch>
+
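Review bot: The `LocationMatch` arguments are regular expressions, so `^/ca/ee/*` means "/ca/ee followed by zero or more slashes" and every alternative is a bare left-anchored prefix; `/ca/ca/displayCertFromRequest` in the third block also lacks its `^`, so it matches anywhere in the URI. Since `NSSVerifyClient require` versus `none` is now decided by these patterns rather than by separate listening ports, the agent/EE/admin boundary depends on them being anchored as intended and on Apache's merge order (matching sections are applied in configuration order, later ones taking precedence, which is what makes `^/ca/eeca/*` win over `^/ca/ee/*`). I would write the intended prefixes with a trailing slash and no quantifier, e.g. `<LocationMatch "^/ca/ee/|^/ca/renewal|^/ca/certbasedenrollment|^/ca/ocsp|^/ca/enrollment|^/ca/profileSubmit|^/ca/cgi-bin/pkiclient.exe">`, anchor `^/ca/ca/displayCertFromRequest`, and add a comment above the first block stating that the order of the sections is load-bearing.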
diff --git a/pki/base/ca/shared/conf/server.xml b/pki/base/ca/shared/conf/server.xml
index 07f4a4060..5984d4919 100644
--- a/pki/base/ca/shared/conf/server.xml
+++ b/pki/base/ca/shared/conf/server.xml
@@ -209,10 +209,10 @@ Tomcat Port = [TOMCAT_SERVER_PORT] (for shutdown)
clientAuth="false" sslProtocol="TLS" />
-->
- <!-- Define an AJP 1.3 Connector on port 8009 -->
-<!--
- <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
--->
+ <!-- Define an AJP 1.3 Connector on port [PKI_AJP_PORT] -->
+[PKI_OPEN_AJP_PORT_COMMENT]
+ <Connector port="[PKI_AJP_PORT]" protocol="AJP/1.3" redirectPort="[PKI_AJP_REDIRECT_PORT]" />
+[PKI_CLOSE_AJP_PORT_COMMENT]
<!-- An Engine represents the entry point (within Catalina) that processes
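Review bot: The new AJP connector has no `address` attribute, so it listens on every interface; AJP carries request attributes that Tomcat trusts as-is, including the client certificate that proxy.conf exports with `+ExportCertData` and forwards over mod_proxy_ajp, so anything that can reach this port can speak for the proxy. Bind it to the proxy host, `<Connector port="[PKI_AJP_PORT]" address="127.0.0.1" protocol="AJP/1.3" redirectPort="[PKI_AJP_REDIRECT_PORT]" />` when the proxy is co-located, and otherwise document that the port must be firewalled to the proxy host only; if the Tomcat version in use supports it, `requiredSecret` on the connector is a further guard. The same connector is added in the KRA and OCSP server.xml hunks of this commit.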
diff --git a/pki/base/ca/shared/webapps/ca/WEB-INF/web.xml b/pki/base/ca/shared/webapps/ca/WEB-INF/web.xml
index 43223c661..5e91977aa 100644
--- a/pki/base/ca/shared/webapps/ca/WEB-INF/web.xml
+++ b/pki/base/ca/shared/webapps/ca/WEB-INF/web.xml
@@ -10,6 +10,12 @@
<param-name>https_port</param-name>
<param-value>[PKI_AGENT_SECURE_PORT]</param-value>
</init-param>
+[PKI_OPEN_ENABLE_PROXY_COMMENT]
+ <init-param>
+ <param-name>proxy_port</param-name>
+ <param-value>[PKI_PROXY_SECURE_PORT]</param-value>
+ </init-param>
+[PKI_CLOSE_ENABLE_PROXY_COMMENT]
<init-param>
<param-name>active</param-name>
<param-value>true</param-value>
@@ -23,6 +29,12 @@
<param-name>https_port</param-name>
<param-value>[PKI_ADMIN_SECURE_PORT]</param-value>
</init-param>
+[PKI_OPEN_ENABLE_PROXY_COMMENT]
+ <init-param>
+ <param-name>proxy_port</param-name>
+ <param-value>[PKI_PROXY_SECURE_PORT]</param-value>
+ </init-param>
+[PKI_CLOSE_ENABLE_PROXY_COMMENT]
<init-param>
<param-name>active</param-name>
<param-value>true</param-value>
@@ -40,6 +52,16 @@
<param-name>https_port</param-name>
<param-value>[PKI_EE_SECURE_PORT]</param-value>
</init-param>
+[PKI_OPEN_ENABLE_PROXY_COMMENT]
+ <init-param>
+ <param-name>proxy_port</param-name>
+ <param-value>[PKI_PROXY_SECURE_PORT]</param-value>
+ </init-param>
+ <init-param>
+ <param-name>proxy_http_port</param-name>
+ <param-value>[PKI_PROXY_UNSECURE_PORT]</param-value>
+ </init-param>
+[PKI_CLOSE_ENABLE_PROXY_COMMENT]
<init-param>
<param-name>active</param-name>
<param-value>true</param-value>
@@ -53,6 +75,12 @@
<param-name>https_port</param-name>
<param-value>[PKI_EE_SECURE_CLIENT_AUTH_PORT]</param-value>
</init-param>
+[PKI_OPEN_ENABLE_PROXY_COMMENT]
+ <init-param>
+ <param-name>proxy_port</param-name>
+ <param-value>[PKI_PROXY_SECURE_PORT]</param-value>
+ </init-param>
+[PKI_CLOSE_ENABLE_PROXY_COMMENT]
<init-param>
<param-name>active</param-name>
<param-value>true</param-value>
diff --git a/pki/base/common/src/com/netscape/cms/servlet/csadmin/ImportCAChainPanel.java b/pki/base/common/src/com/netscape/cms/servlet/csadmin/ImportCAChainPanel.java
index fe32ee799..8a730d519 100755
--- a/pki/base/common/src/com/netscape/cms/servlet/csadmin/ImportCAChainPanel.java
+++ b/pki/base/common/src/com/netscape/cms/servlet/csadmin/ImportCAChainPanel.java
@@ -101,10 +101,12 @@ public class ImportCAChainPanel extends WizardPanelBase {
IConfigStore cs = CMS.getConfigStore();
try {
context.put("machineName", cs.getString("machineName"));
- context.put("https_port", CMS.getEESSLPort());
- context.put("http_port", CMS.getEENonSSLPort());
- } catch (EBaseException e) {}
-
+ context.put("https_port", cs.getString("pkicreate.ee_secure_port"));
+ context.put("http_port", cs.getString("pkicreate.unsecure_port"));
+ } catch (EBaseException e) {
+ CMS.debug("ImportCACertChain:display: Exception: " + e.toString());
+ context.put("errorString", "Error loading values for Import CA Certificate Panel");
+ }
ISubsystem ca = (ISubsystem) CMS.getSubsystem("ca");
@@ -150,8 +152,8 @@ public class ImportCAChainPanel extends WizardPanelBase {
IConfigStore cs = CMS.getConfigStore();
try {
context.put("machineName", cs.getString("machineName"));
- context.put("https_port", CMS.getEESSLPort());
- context.put("http_port", CMS.getEENonSSLPort());
+ context.put("https_port", cs.getString("pkicreate.ee_secure_port"));
+ context.put("http_port", cs.getString("pkicreate.unsecure_port"));
context.put("title", "Import CA's Certificate Chain");
context.put("panel", "admin/console/config/importcachainpanel.vm");
} catch (EBaseException e) {}
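Review bot: This second hunk still swallows `EBaseException` with an empty catch while the first hunk of the same file now logs it and reports `errorString` to the panel; the same handling belongs here, e.g. `} catch (EBaseException e) { CMS.debug("ImportCACertChain: Exception: " + e.toString()); context.put("errorString", "Error loading values for Import CA Certificate Panel"); }` (adapt the prefix to the enclosing method, which starts outside the hunk). Both hunks also switch from `CMS.getEESSLPort()` to the `pkicreate.ee_secure_port` config value; after this commit's `fixProxyPorts` the former would presumably return the proxy port, so if showing the internal Tomcat port here is deliberate, a one-line comment saying why would stop someone reverting it.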
diff --git a/pki/base/common/src/com/netscape/cms/servlet/filter/AdminRequestFilter.java b/pki/base/common/src/com/netscape/cms/servlet/filter/AdminRequestFilter.java
index 848ffba6f..75e02a24b 100644
--- a/pki/base/common/src/com/netscape/cms/servlet/filter/AdminRequestFilter.java
+++ b/pki/base/common/src/com/netscape/cms/servlet/filter/AdminRequestFilter.java
@@ -26,6 +26,7 @@ public class AdminRequestFilter implements Filter
private static final String HTTPS_SCHEME = "https";
private static final String HTTPS_PORT = "https_port";
private static final String HTTPS_ROLE = "Admin";
+ private static final String PROXY_PORT = "proxy_port";
private FilterConfig config;
@@ -51,6 +52,7 @@ public class AdminRequestFilter implements Filter
String request_port = null;
String param_https_port = null;
+ String param_proxy_port = null;
String msg = null;
String param_active = null;
@@ -84,22 +86,39 @@ public class AdminRequestFilter implements Filter
return;
}
+ param_proxy_port = config.getInitParameter(PROXY_PORT);
+ boolean bad_port = false;
+
// Compare the request and param "https" ports
if( ! param_https_port.equals( request_port ) ) {
- String uri = ((HttpServletRequest) request).getRequestURI();
- msg = "Use HTTPS port '" + param_https_port
- + "' instead of '" + request_port
- + "' when performing " + HTTPS_ROLE + " tasks!";
- CMS.debug( filterName + ": " + msg );
- CMS.debug( filterName + ": uri is " + uri);
- if ((param_active != null) &&(param_active.equals("false"))) {
- CMS.debug("Filter is disabled .. continuing");
+ String uri = ((HttpServletRequest) request).getRequestURI();
+ if (param_proxy_port != null) {
+ if (!param_proxy_port.equals(request_port)) {
+ msg = "Use HTTPS port '" + param_https_port
+ + "' or proxy port '" + param_proxy_port
+ + "' instead of '" + request_port
+ + "' when performing " + HTTPS_ROLE + " tasks!";
+ bad_port = true;
+ }
} else {
- resp.sendError( HttpServletResponse.SC_NOT_FOUND, msg );
- return;
+ msg = "Use HTTPS port '" + param_https_port
+ + "' instead of '" + request_port
+ + "' when performing " + HTTPS_ROLE + " tasks!";
+ bad_port = true;
+ }
+ if (bad_port) {
+ CMS.debug( filterName + ": " + msg );
+ CMS.debug( filterName + ": uri is " + uri);
+ if ((param_active != null) &&(param_active.equals("false"))) {
+ CMS.debug("Filter is disabled .. continuing");
+ } else {
+ resp.sendError( HttpServletResponse.SC_NOT_FOUND, msg );
+ return;
+ }
}
}
}
+
// CMS.debug("Exiting the admin filter");
chain.doFilter( request, response );
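Review bot: Once `proxy_port` is configured, a request arriving on that port is accepted by this filter regardless of role, and the identical change in AgentRequestFilter, EEClientAuthRequestFilter and EERequestFilter does the same, so the agent/admin/EE separation that the per-port check used to enforce is now delegated entirely to the reverse proxy's path-to-client-auth mapping in proxy.conf; that should be stated at the new branch, e.g. `// A request on the proxy port is accepted for any role: the reverse proxy (proxy.conf) is responsible for per-path client-auth enforcement.`. The port-comparison block is now copied four times with only the role string and parameter name differing, so a shared static helper taking the role, the expected ports and the request port would keep the messages and the `active=false` bypass in one place. How `request_port` is derived is outside this hunk, as is the start of `doFilter`.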
diff --git a/pki/base/common/src/com/netscape/cms/servlet/filter/AgentRequestFilter.java b/pki/base/common/src/com/netscape/cms/servlet/filter/AgentRequestFilter.java
index e4d1bb3df..da16dc01d 100644
--- a/pki/base/common/src/com/netscape/cms/servlet/filter/AgentRequestFilter.java
+++ b/pki/base/common/src/com/netscape/cms/servlet/filter/AgentRequestFilter.java
@@ -26,6 +26,7 @@ public class AgentRequestFilter implements Filter
private static final String HTTPS_SCHEME = "https";
private static final String HTTPS_PORT = "https_port";
private static final String HTTPS_ROLE = "Agent";
+ private static final String PROXY_PORT = "proxy_port";
private FilterConfig config;
@@ -51,6 +52,7 @@ public class AgentRequestFilter implements Filter
String request_port = null;
String param_https_port = null;
+ String param_proxy_port = null;
String msg = null;
String param_active = null;
@@ -85,19 +87,35 @@ public class AgentRequestFilter implements Filter
return;
}
+ param_proxy_port = config.getInitParameter(PROXY_PORT);
+ boolean bad_port = false;
+
// Compare the request and param "https" ports
if( ! param_https_port.equals( request_port ) ) {
String uri = ((HttpServletRequest) request).getRequestURI();
- msg = "Use HTTPS port '" + param_https_port
- + "' instead of '" + request_port
- + "' when performing " + HTTPS_ROLE + " tasks!";
- CMS.debug( filterName + ": " + msg );
- CMS.debug( filterName + ": uri is " + uri);
- if ((param_active != null) &&(param_active.equals("false"))) {
- CMS.debug("Filter is disabled .. continuing");
+ if (param_proxy_port != null) {
+ if (!param_proxy_port.equals(request_port)) {
+ msg = "Use HTTPS port '" + param_https_port
+ + "' or proxy port '" + param_proxy_port
+ + "' instead of '" + request_port
+ + "' when performing " + HTTPS_ROLE + " tasks!";
+ bad_port = true;
+ }
} else {
- resp.sendError( HttpServletResponse.SC_NOT_FOUND, msg );
- return;
+ msg = "Use HTTPS port '" + param_https_port
+ + "' instead of '" + request_port
+ + "' when performing " + HTTPS_ROLE + " tasks!";
+ bad_port = true;
+ }
+ if (bad_port) {
+ CMS.debug( filterName + ": " + msg );
+ CMS.debug( filterName + ": uri is " + uri);
+ if ((param_active != null) &&(param_active.equals("false"))) {
+ CMS.debug("Filter is disabled .. continuing");
+ } else {
+ resp.sendError( HttpServletResponse.SC_NOT_FOUND, msg );
+ return;
+ }
}
}
}
diff --git a/pki/base/common/src/com/netscape/cms/servlet/filter/EEClientAuthRequestFilter.java b/pki/base/common/src/com/netscape/cms/servlet/filter/EEClientAuthRequestFilter.java
index 6ed6617bc..3c11dbd55 100644
--- a/pki/base/common/src/com/netscape/cms/servlet/filter/EEClientAuthRequestFilter.java
+++ b/pki/base/common/src/com/netscape/cms/servlet/filter/EEClientAuthRequestFilter.java
@@ -26,6 +26,7 @@ public class EEClientAuthRequestFilter implements Filter
private static final String HTTPS_SCHEME = "https";
private static final String HTTPS_PORT = "https_port";
private static final String HTTPS_ROLE = "EE Client Auth";
+ private static final String PROXY_PORT = "proxy_port";
private FilterConfig config;
@@ -53,6 +54,7 @@ public class EEClientAuthRequestFilter implements Filter
String param_https_port = null;
String msg = null;
String param_active = null;
+ String param_proxy_port = null;
// CMS.debug("Entering the EECA filter");
param_active = config.getInitParameter( "active");
@@ -84,19 +86,35 @@ public class EEClientAuthRequestFilter implements Filter
return;
}
+ param_proxy_port = config.getInitParameter(PROXY_PORT);
+ boolean bad_port = false;
+
// Compare the request and param "https" ports
if( ! param_https_port.equals( request_port ) ) {
String uri = ((HttpServletRequest) request).getRequestURI();
- msg = "Use HTTPS port '" + param_https_port
- + "' instead of '" + request_port
- + "' when performing " + HTTPS_ROLE + " tasks!";
- CMS.debug( filterName + ": " + msg );
- CMS.debug( filterName + ": uri is " + msg);
- if ((param_active != null) &&(param_active.equals("false"))) {
- CMS.debug("Filter is disabled .. continuing");
+ if (param_proxy_port != null) {
+ if (!param_proxy_port.equals(request_port)) {
+ msg = "Use HTTPS port '" + param_https_port
+ + "' or proxy port '" + param_proxy_port
+ + "' instead of '" + request_port
+ + "' when performing " + HTTPS_ROLE + " tasks!";
+ bad_port = true;
+ }
} else {
- resp.sendError( HttpServletResponse.SC_NOT_FOUND, msg );
- return;
+ msg = "Use HTTPS port '" + param_https_port
+ + "' instead of '" + request_port
+ + "' when performing " + HTTPS_ROLE + " tasks!";
+ bad_port = true;
+ }
+ if (bad_port) {
+ CMS.debug( filterName + ": " + msg );
+ CMS.debug( filterName + ": uri is " + uri);
+ if ((param_active != null) &&(param_active.equals("false"))) {
+ CMS.debug("Filter is disabled .. continuing");
+ } else {
+ resp.sendError( HttpServletResponse.SC_NOT_FOUND, msg );
+ return;
+ }
}
}
}
diff --git a/pki/base/common/src/com/netscape/cms/servlet/filter/EERequestFilter.java b/pki/base/common/src/com/netscape/cms/servlet/filter/EERequestFilter.java
index 23df05954..69634506e 100644
--- a/pki/base/common/src/com/netscape/cms/servlet/filter/EERequestFilter.java
+++ b/pki/base/common/src/com/netscape/cms/servlet/filter/EERequestFilter.java
@@ -29,6 +29,8 @@ public class EERequestFilter implements Filter
private static final String HTTPS_SCHEME = "https";
private static final String HTTPS_PORT = "https_port";
private static final String HTTPS_ROLE = "EE";
+ private static final String PROXY_PORT = "proxy_port";
+ private static final String PROXY_HTTP_PORT = "proxy_http_port";
private FilterConfig config;
@@ -55,6 +57,8 @@ public class EERequestFilter implements Filter
String request_port = null;
String param_http_port = null;
String param_https_port = null;
+ String param_proxy_port = null;
+ String param_proxy_http_port = null;
String msg = null;
String param_active = null;
@@ -100,6 +104,10 @@ public class EERequestFilter implements Filter
return;
}
+ param_proxy_http_port = config.getInitParameter(PROXY_HTTP_PORT);
+ param_proxy_port = config.getInitParameter(PROXY_PORT);
+ boolean bad_port = false;
+
// If the scheme is "http", compare
// the request and param "http" ports;
// otherwise, if the scheme is "https", compare
@@ -107,32 +115,61 @@ public class EERequestFilter implements Filter
if( scheme.equals( HTTP_SCHEME ) ) {
if( ! param_http_port.equals( request_port ) ) {
String uri = ((HttpServletRequest) request).getRequestURI();
- msg = "Use HTTP port '" + param_http_port
- + "' instead of '" + request_port
- + "' when performing " + HTTP_ROLE + " tasks!";
- CMS.debug( filterName + ": " + msg );
- CMS.debug( filterName + ": uri is " + uri);
- if ((param_active != null) &&(param_active.equals("false"))) {
- CMS.debug("Filter is disabled .. continuing");
+ if (param_proxy_http_port != null) {
+ if (!param_proxy_http_port.equals(request_port)) {
+ msg = "Use HTTP port '" + param_http_port
+ + "' or proxy port '" + param_proxy_http_port
+ + "' instead of '" + request_port
+ + "' when performing " + HTTP_ROLE + " tasks!";
+ bad_port = true;
+ }
} else {
- resp.sendError( HttpServletResponse.SC_NOT_FOUND, msg );
- return;
+ msg = "Use HTTP port '" + param_http_port
+ + "' instead of '" + request_port
+ + "' when performing " + HTTP_ROLE + " tasks!";
+ bad_port = true;
+ }
+ if (bad_port) {
+ CMS.debug( filterName + ": " + msg );
+ CMS.debug( filterName + ": uri is " + uri);
+ if ((param_active != null) &&(param_active.equals("false"))) {
+ CMS.debug("Filter is disabled .. continuing");
+ } else {
+ resp.sendError( HttpServletResponse.SC_NOT_FOUND, msg );
+ return;
+ }
}
}
} else if( scheme.equals( HTTPS_SCHEME ) ) {
if( ! param_https_port.equals( request_port ) ) {
- msg = "Use HTTPS port '" + param_https_port
- + "' instead of '" + request_port
- + "' when performing " + HTTPS_ROLE + " tasks!";
- CMS.debug( filterName + ": " + msg );
- if ((param_active != null) &&(param_active.equals("false"))) {
- CMS.debug("Filter is disabled .. continuing");
+ String uri = ((HttpServletRequest) request).getRequestURI();
+ if (param_proxy_port != null) {
+ if (!param_proxy_port.equals(request_port)) {
+ msg = "Use HTTPS port '" + param_https_port
+ + "' or proxy port '" + param_proxy_port
+ + "' instead of '" + request_port
+ + "' when performing " + HTTPS_ROLE + " tasks!";
+ bad_port = true;
+ }
} else {
- resp.sendError( HttpServletResponse.SC_NOT_FOUND, msg );
- return;
+ msg = "Use HTTPS port '" + param_https_port
+ + "' instead of '" + request_port
+ + "' when performing " + HTTPS_ROLE + " tasks!";
+ bad_port = true;
+ }
+ if (bad_port) {
+ CMS.debug( filterName + ": " + msg );
+ CMS.debug( filterName + ": uri is " + uri);
+ if ((param_active != null) &&(param_active.equals("false"))) {
+ CMS.debug("Filter is disabled .. continuing");
+ } else {
+ resp.sendError( HttpServletResponse.SC_NOT_FOUND, msg );
+ return;
+ }
}
}
}
+
}
// CMS.debug("Exiting the EE filter");
diff --git a/pki/base/common/src/com/netscape/cmscore/apps/CMSEngine.java b/pki/base/common/src/com/netscape/cmscore/apps/CMSEngine.java
index b9809043c..afaa5c9fc 100644
--- a/pki/base/common/src/com/netscape/cmscore/apps/CMSEngine.java
+++ b/pki/base/common/src/com/netscape/cmscore/apps/CMSEngine.java
@@ -323,6 +323,7 @@ public class CMSEngine implements ICMSEngine {
}
}
parseServerXML();
+ fixProxyPorts();
}
/**
@@ -543,6 +544,27 @@ public class CMSEngine implements ICMSEngine {
}
}
+ private void fixProxyPorts() throws EBaseException {
+ try {
+ String port = mConfig.getString("proxy.securePort", "");
+ if (!port.equals("")) {
+ info[EE_SSL][PORT] = port;
+ info[ADMIN][PORT] = port;
+ info[AGENT][PORT] = port;
+ info[EE_CLIENT_AUTH_SSL][PORT] = port;
+ }
+
+ port = mConfig.getString("proxy.unsecurePort", "");
+ if (!port.equals("")) {
+ info[EE_NON_SSL][PORT] = port;
+ }
+ } catch (EBaseException e) {
+ CMS.debug("CMSEngine: fixProxyPorts exception: " + e.toString());
+ throw e;
+ }
+ }
+
+
public IConfigStore createFileConfigStore(String path) throws EBaseException {
try {
/* if the file is not there, create one */
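Review bot: `fixProxyPorts` treats any non-empty `proxy.securePort` as a port and overwrites the EE, admin, agent and EE-client-auth entries with it, but the CS.cfg.in templates in this commit emit `proxy.securePort=[PKI_PROXY_SECURE_PORT]` unconditionally, so an unsubstituted slot would pass the `!port.equals("")` check and become the advertised port for every interface; the substitution is done by pkicreate outside these hunks, so either validate the value (parse it as an integer inside the existing `try` and treat a parse failure like an empty value, with a debug line) or state the assumption in a comment. The method also lacks documentation; I would add `/** Overrides the per-interface ports parsed from server.xml with the reverse-proxy ports from CS.cfg (proxy.securePort, proxy.unsecurePort) when those are set, so callers of the port accessors see the proxy ports. */`. The `info` array and its index constants are defined outside the hunk.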
diff --git a/pki/base/kra/shared/conf/CS.cfg.in b/pki/base/kra/shared/conf/CS.cfg.in
index 9332d119e..4bf1c738e 100644
--- a/pki/base/kra/shared/conf/CS.cfg.in
+++ b/pki/base/kra/shared/conf/CS.cfg.in
@@ -19,6 +19,8 @@ preop.product.name=CS
preop.product.version=@VERSION@
preop.system.name=DRM
preop.system.fullname=Data Recovery Manager
+proxy.securePort=[PKI_PROXY_SECURE_PORT]
+proxy.unsecurePort=[PKI_PROXY_UNSECURE_PORT]
cs.state=0
cs.type=KRA
admin.interface.uri=kra/admin/console/config/wizard
diff --git a/pki/base/kra/shared/conf/server.xml b/pki/base/kra/shared/conf/server.xml
index 856c2c2a5..d7df4b13e 100644
--- a/pki/base/kra/shared/conf/server.xml
+++ b/pki/base/kra/shared/conf/server.xml
@@ -191,10 +191,10 @@ Tomcat Port = [TOMCAT_SERVER_PORT] (for shutdown)
clientAuth="false" sslProtocol="TLS" />
-->
- <!-- Define an AJP 1.3 Connector on port 8009 -->
-<!--
- <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
--->
+ <!-- Define an AJP 1.3 Connector on port [PKI_AJP_PORT] -->
+[PKI_OPEN_AJP_PORT_COMMENT]
+ <Connector port="[PKI_AJP_PORT]" protocol="AJP/1.3" redirectPort="PKI_AJP_REDIRECT_PORT]" />
+[PKI_CLOSE_AJP_PORT_COMMENT]
<!-- An Engine represents the entry point (within Catalina) that processes
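Review bot: `redirectPort="PKI_AJP_REDIRECT_PORT]"` on the new Connector line is missing the opening `[`, so the slot will not be substituted and Tomcat is handed the literal string as the port; it should read `redirectPort="[PKI_AJP_REDIRECT_PORT]"` as in the CA and OCSP server.xml hunks of this commit.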
diff --git a/pki/base/kra/shared/webapps/kra/WEB-INF/web.xml b/pki/base/kra/shared/webapps/kra/WEB-INF/web.xml
index 095f74481..fdc2779b1 100644
--- a/pki/base/kra/shared/webapps/kra/WEB-INF/web.xml
+++ b/pki/base/kra/shared/webapps/kra/WEB-INF/web.xml
@@ -10,6 +10,12 @@
<param-name>https_port</param-name>
<param-value>[PKI_AGENT_SECURE_PORT]</param-value>
</init-param>
+[PKI_OPEN_ENABLE_PROXY_COMMENT]
+ <init-param>
+ <param-name>proxy_port</param-name>
+ <param-value>[PKI_PROXY_SECURE_PORT]</param-value>
+ </init-param>
+[PKI_CLOSE_ENABLE_PROXY_COMMENT]
<init-param>
<param-name>active</param-name>
<param-value>true</param-value>
@@ -23,6 +29,12 @@
<param-name>https_port</param-name>
<param-value>[PKI_ADMIN_SECURE_PORT]</param-value>
</init-param>
+[PKI_OPEN_ENABLE_PROXY_COMMENT]
+ <init-param>
+ <param-name>proxy_port</param-name>
+ <param-value>[PKI_PROXY_SECURE_PORT]</param-value>
+ </init-param>
+[PKI_CLOSE_ENABLE_PROXY_COMMENT]
<init-param>
<param-name>active</param-name>
<param-value>true</param-value>
@@ -40,6 +52,16 @@
<param-name>https_port</param-name>
<param-value>[PKI_EE_SECURE_PORT]</param-value>
</init-param>
+[PKI_OPEN_ENABLE_PROXY_COMMENT]
+ <init-param>
+ <param-name>proxy_port</param-name>
+ <param-value>[PKI_PROXY_SECURE_PORT]</param-value>
+ </init-param>
+ <init-param>
+ <param-name>proxy_http_port</param-name>
+ <param-value>[PKI_PROXY_UNSECURE_PORT]</param-value>
+ </init-param>
+[PKI_CLOSE_ENABLE_PROXY_COMMENT]
<init-param>
<param-name>active</param-name>
<param-value>true</param-value>
diff --git a/pki/base/ocsp/shared/conf/CS.cfg.in b/pki/base/ocsp/shared/conf/CS.cfg.in
index 309417641..4cd234c84 100644
--- a/pki/base/ocsp/shared/conf/CS.cfg.in
+++ b/pki/base/ocsp/shared/conf/CS.cfg.in
@@ -26,6 +26,8 @@ preop.product.name=CS
preop.product.version=@VERSION@
preop.system.name=OCSP
preop.system.fullname=OCSP Responder
+proxy.securePort=[PKI_PROXY_SECURE_PORT]
+proxy.unsecurePort=[PKI_PROXY_UNSECURE_PORT]
preop.configModules.module0.userFriendlyName=NSS Internal PKCS #11 Module
preop.configModules.module0.commonName=NSS Internal PKCS #11 Module
preop.configModules.module0.imagePath=../img/clearpixel.gif
diff --git a/pki/base/ocsp/shared/conf/server.xml b/pki/base/ocsp/shared/conf/server.xml
index 856c2c2a5..ff33b9aa4 100644
--- a/pki/base/ocsp/shared/conf/server.xml
+++ b/pki/base/ocsp/shared/conf/server.xml
@@ -191,10 +191,10 @@ Tomcat Port = [TOMCAT_SERVER_PORT] (for shutdown)
clientAuth="false" sslProtocol="TLS" />
-->
- <!-- Define an AJP 1.3 Connector on port 8009 -->
-<!--
- <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
--->
+ <!-- Define an AJP 1.3 Connector on port [PKI_AJP_PORT] -->
+[PKI_OPEN_AJP_PORT_COMMENT]
+ <Connector port="[PKI_AJP_PORT]" protocol="AJP/1.3" redirectPort="[PKI_AJP_REDIRECT_PORT]" />
+[PKI_CLOSE_AJP_PORT_COMMENT]
<!-- An Engine represents the entry point (within Catalina) that processes
diff --git a/pki/base/ocsp/shared/webapps/ocsp/WEB-INF/web.xml b/pki/base/ocsp/shared/webapps/ocsp/WEB-INF/web.xml
index ef79e3865..7ac6247e3 100644
--- a/pki/base/ocsp/shared/webapps/ocsp/WEB-INF/web.xml
+++ b/pki/base/ocsp/shared/webapps/ocsp/WEB-INF/web.xml
@@ -14,6 +14,12 @@
<param-name>https_port</param-name>
<param-value>[PKI_AGENT_SECURE_PORT]</param-value>
</init-param>
+[PKI_OPEN_ENABLE_PROXY_COMMENT]
+ <init-param>
+ <param-name>proxy_port</param-name>
+ <param-value>[PKI_PROXY_SECURE_PORT]</param-value>
+ </init-param>
+[PKI_CLOSE_ENABLE_PROXY_COMMENT]
<init-param>
<param-name>active</param-name>
<param-value>true</param-value>
@@ -27,6 +33,12 @@
<param-name>https_port</param-name>
<param-value>[PKI_ADMIN_SECURE_PORT]</param-value>
</init-param>
+[PKI_OPEN_ENABLE_PROXY_COMMENT]
+ <init-param>
+ <param-name>proxy_port</param-name>
+ <param-value>[PKI_PROXY_SECURE_PORT]</param-value>
+ </init-param>
+[PKI_CLOSE_ENABLE_PROXY_COMMENT]
<init-param>
<param-name>active</param-name>
<param-value>true</param-value>
@@ -44,6 +56,16 @@
<param-name>https_port</param-name>
<param-value>[PKI_EE_SECURE_PORT]</param-value>
</init-param>
+[PKI_OPEN_ENABLE_PROXY_COMMENT]
+ <init-param>
+ <param-name>proxy_port</param-name>
+ <param-value>[PKI_PROXY_SECURE_PORT]</param-value>
+ </init-param>
+ <init-param>
+ <param-name>proxy_http_port</param-name>
+ <param-value>[PKI_PROXY_UNSECURE_PORT]</param-value>
+ </init-param>
+[PKI_CLOSE_ENABLE_PROXY_COMMENT]
<init-param>
<param-name>active</param-name>
<param-value>true</param-value>
diff --git a/pki/base/selinux/src/pki.if b/pki/base/selinux/src/pki.if
index 56b671d0c..cba0f91ac 100644
--- a/pki/base/selinux/src/pki.if
+++ b/pki/base/selinux/src/pki.if
@@ -22,6 +22,7 @@ template(`pki_ca_template',`
type rpm_var_lib_t;
type rpm_exec_t;
type setfiles_t;
+ type httpd_t;
')
########################################
#
@@ -192,6 +193,8 @@ template(`pki_ca_template',`
# allow writing to the kernel keyring
allow $1_t self:key { write read };
+ #reverse proxy
+ corenet_tcp_connect_dogtag_port($1_t)
')
diff --git a/pki/base/selinux/src/pki.te b/pki/base/selinux/src/pki.te
index f12059fa9..2261af4b3 100644
--- a/pki/base/selinux/src/pki.te
+++ b/pki/base/selinux/src/pki.te
@@ -1,4 +1,4 @@
-policy_module(pki,1.0.24)
+policy_module(pki,1.0.25)
attribute pki_ca_config;
attribute pki_ca_executable;
@@ -22,6 +22,9 @@ pki_ca_template(pki_ca)
corenet_tcp_connect_pki_kra_port(pki_ca_t)
corenet_tcp_connect_pki_ocsp_port(pki_ca_t)
+# forward proxy
+corenet_tcp_connect_pki_ca_port(httpd_t)
+
# for crl publishing
allow pki_ca_t pki_ca_var_lib_t:lnk_file { rename create unlink };
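Review bot: The `# forward proxy` comment is misleading: the rule lets `httpd_t` open connections to the CA's ports, which is the reverse-proxy direction this commit sets up, and the same label is used in the KRA, OCSP and TKS hunks below; `# allow the Apache reverse proxy (httpd_t) to connect to this subsystem's ports` would say what the rule does, assuming the AJP connector port is among those labelled for the subsystem. The `#reverse proxy` comment added to pki.if labels the opposite direction (`$1_t` connecting to the dogtag port), so the two files presumably have their labels swapped. Worth noting in the comment that `httpd_t` is the generic Apache domain, so every Apache instance on the host gains these connect rights, not only the PKI proxy.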
@@ -43,6 +46,9 @@ files_type(pki_kra_tomcat_exec_t)
pki_ca_template(pki_kra)
corenet_tcp_connect_pki_ca_port(pki_kra_t)
+# forward proxy
+corenet_tcp_connect_pki_kra_port(httpd_t)
+
attribute pki_ocsp_config;
attribute pki_ocsp_executable;
attribute pki_ocsp_var_lib;
@@ -58,6 +64,9 @@ files_type(pki_ocsp_tomcat_exec_t)
pki_ca_template(pki_ocsp)
corenet_tcp_connect_pki_ca_port(pki_ocsp_t)
+# forward proxy
+corenet_tcp_connect_pki_ocsp_port(httpd_t)
+
attribute pki_ra_config;
attribute pki_ra_executable;
attribute pki_ra_var_lib;
@@ -87,6 +96,9 @@ files_type(pki_tks_tomcat_exec_t)
pki_ca_template(pki_tks)
corenet_tcp_connect_pki_ca_port(pki_tks_t)
+# forward proxy
+corenet_tcp_connect_pki_tks_port(httpd_t)
+
# needed for token enrollment, list /var/cache/tomcat5/temp
files_list_var(pki_tks_t)
diff --git a/pki/base/setup/pkicommon.pm b/pki/base/setup/pkicommon.pm
index 002e8a0a2..0d7be6080 100755
--- a/pki/base/setup/pkicommon.pm
+++ b/pki/base/setup/pkicommon.pm
@@ -1214,7 +1214,8 @@ sub AreConnectorPortsValid
{
# parse parameters
my ($secure_port, $unsecure_port, $agent_secure_port,
- $ee_secure_port, $admin_secure_port) = @_;
+ $ee_secure_port, $admin_secure_port, $proxy_secure_port,
+ $proxy_unsecure_port, $ajp_port) = @_;
if ($secure_port == -1 && $agent_secure_port == -1)
@@ -1236,18 +1237,30 @@ sub AreConnectorPortsValid
return 1;
}
- # Now make sure none of the separated ports are the same
- if (($agent_secure_port == $admin_secure_port) ||
- ($agent_secure_port == $ee_secure_port) ||
- ($ee_secure_port == $admin_secure_port))
- {
+ if (!portsUnique($agent_secure_port,$ee_secure_port, $admin_secure_port, $proxy_secure_port,
+ $proxy_unsecure_port, $ajp_port)) {
return 0;
}
return 1;
-
+
}
+#return 1 - if non-negative ports are uique
+#return 0 - otherwise (failure)
+sub portsUnique
+{
+ my @ports = sort @_;
+ my $last_port = -1;
+ for my $port (@ports) {
+ next if ($port < 0);
+ if ($port == $last_port) {
+ return 0;
+ }
+ $last_port = $port;
+ }
+ return 1;
+}
# return 1 - port is available (success)
# return 0 - port is unavailable; report an error (failure)
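Review bot: `sort @_` in portsUnique sorts as strings, and the proxy defaults (`"443"`, `"80"`, `"9447"`) are strings while the GetOptions values are integers; the duplicate check only works because equal numbers also compare equal as strings, and a value with a leading zero would slip past it. `my @ports = sort { $a <=> $b } @_;` makes the numeric intent explicit. The header comment also has a typo: `#return 1 - if non-negative ports are unique`.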
diff --git a/pki/base/setup/pkicreate b/pki/base/setup/pkicreate
index 404738de4..da6f3c478 100755
--- a/pki/base/setup/pkicreate
+++ b/pki/base/setup/pkicreate
@@ -221,6 +221,7 @@ my $tomcat6_conf_base_name = "tomcat6.conf"; # CA, KRA, OCSP, T
my $velocity_prop_base_name = "velocity.properties"; # CA, KRA, OCSP, TKS
my $web_xml_base_name = "web.xml"; # CA, KRA, OCSP, TKS
my $profile_select_base_name = "ProfileSelect.template"; # CA
+my $proxy_conf_base_name = "proxy.conf"; # CA
my $registry_template_base_name = "registry_instance"; # CA, KRA, OCSP, TKS, RA, TPS
my $pki_apache_initscript_base_name = "pki_apache_initscript"; # RA, TPS
@@ -291,6 +292,7 @@ my $PKI_RANDOM_NUMBER_SLOT = "PKI_RANDOM_NUMBER";
my $PKI_SECURE_PORT_SLOT = "PKI_SECURE_PORT";
my $PKI_EE_SECURE_PORT_SLOT = "PKI_EE_SECURE_PORT";
my $PKI_EE_SECURE_CLIENT_AUTH_PORT_SLOT = "PKI_EE_SECURE_CLIENT_AUTH_PORT";
+my $PKI_EE_SECURE_CLIENT_AUTH_PORT_UI_SLOT = "PKI_EE_SECURE_CLIENT_AUTH_PORT_UI";
my $PKI_AGENT_SECURE_PORT_SLOT = "PKI_AGENT_SECURE_PORT";
my $PKI_ADMIN_SECURE_PORT_SLOT = "PKI_ADMIN_SECURE_PORT";
my $PKI_SERVER_XML_CONF = "PKI_SERVER_XML_CONF";
@@ -322,6 +324,14 @@ my $PKI_OPEN_SEPARATE_PORTS_COMMENT_SERVER_SLOT = "PKI_OPEN_SEPARATE_PORT
my $PKI_CLOSE_SEPARATE_PORTS_COMMENT_SERVER_SLOT = "PKI_CLOSE_SEPARATE_PORTS_SERVER_COMMENT";
my $PKI_OPEN_SEPARATE_PORTS_COMMENT_WEB_SLOT = "PKI_OPEN_SEPARATE_PORTS_WEB_COMMENT";
my $PKI_CLOSE_SEPARATE_PORTS_COMMENT_WEB_SLOT = "PKI_CLOSE_SEPARATE_PORTS_WEB_COMMENT";
+my $PKI_OPEN_AJP_PORT_COMMENT_SLOT = "PKI_OPEN_AJP_PORT_COMMENT";
+my $PKI_CLOSE_AJP_PORT_COMMENT_SLOT = "PKI_CLOSE_AJP_PORT_COMMENT";
+my $PKI_OPEN_ENABLE_PROXY_COMMENT_SLOT = "PKI_OPEN_ENABLE_PROXY_COMMENT";
+my $PKI_CLOSE_ENABLE_PROXY_COMMENT_SLOT = "PKI_CLOSE_ENABLE_PROXY_COMMENT";
+my $PKI_AJP_REDIRECT_PORT_SLOT = "PKI_AJP_REDIRECT_PORT";
+my $PKI_AJP_PORT_SLOT = "PKI_AJP_PORT";
+my $PROXY_SECURE_PORT_SLOT = "PKI_PROXY_SECURE_PORT";
+my $PROXY_UNSECURE_PORT_SLOT = "PKI_PROXY_UNSECURE_PORT";
my $PKI_UNSECURE_PORT_NAME = "Unsecure";
my $PKI_AGENT_SECURE_PORT_NAME = "Agent";
my $PKI_ADMIN_SECURE_PORT_NAME = "Admin";
@@ -347,6 +357,11 @@ my $SELINUX_PORT_UNDEFINED = 0;
my $SELINUX_PORT_DEFINED = 1;
my $SELINUX_PORT_WRONGLY_DEFINED = 2;
+#proxy defaults
+my $PROXY_SECURE_PORT_DEFAULT = "443";
+my $PROXY_UNSECURE_PORT_DEFAULT = "80";
+my $AJP_PORT_DEFAULT = "9447";
+
##############################################################
# Local Data Structures
##############################################################
@@ -376,6 +391,10 @@ my $agent_secure_port = -1;
my $ee_secure_port = -1;
my $ee_secure_client_auth_port = -1;
my $admin_secure_port = -1;
+my $proxy_secure_port = -1;
+my $proxy_unsecure_port = -1;
+my $ajp_port = -1;
+my $enable_proxy = undef;
my $username = undef;
my $groupname = undef;
my $redirected_conf_path = undef;
@@ -526,8 +545,10 @@ my $webapps_root_subsystem_path = undef; # CA, KRA, OCSP, TKS
my $webinf_instance_path = undef; # CA, KRA, OCSP, TKS
my $webinf_lib_instance_path = undef; # CA, KRA, OCSP, TKS
my $webinf_subsystem_path = undef; # CA, KRA, OCSP, TKS
-my $profile_select_template_subsystem_file_path = undef; #CA
+my $profile_select_template_subsystem_file_path = undef; #CA
my $profile_select_template_instance_file_path = undef; #CA
+my $proxy_conf_subsystem_file_path = undef; #CA
+my $proxy_conf_instance_file_path = undef; #CA
# PKI init script variables
my $pki_registry_initscript = undef; # CA, KRA, OCSP, TKS, RA, TPS
@@ -668,6 +689,25 @@ pkicreate -pki_instance_root=<pki_instance_root> # Instance root directory
-tomcat_server_port=<tomcat_server_port> # Unique port for each
# Tomcat instance
+ #####################################################################
+ ### proxy configuration ###
+ ### if -enable_proxy is set, ajp_port, proxy_secure_port, and ###
+ ### proxy_unsecure_port are also set. ###
+ #####################################################################
+
+ [-enable_proxy] #enable proxy configuration
+ [-ajp_port=<ajp_port>] #AJP port, default 9447
+
+ [-proxy_secure_port=<proxy_secure_port>] # Proxy secure port,
+ # default 443
+
+ [-proxy_unsecure_port=<unsecure_port>] # Proxy unsecure port,
+ # default 80
+
+ #####################################################################
+ ### END proxy configuration ###
+ #####################################################################
+
[-user=<username>] # User ownership
# (must ALSO specify
# group ownership)
@@ -916,6 +956,9 @@ sub parse_arguments
my $l_ee_secure_port = -1;
my $l_ee_secure_client_auth_port = -1;
my $l_admin_secure_port = -1;
+ my $l_proxy_secure_port = -1;
+ my $l_proxy_unsecure_port = -1;
+ my $l_ajp_port = -1;
my $show_help = 0;
my $result = GetOptions("help" => \$show_help,
@@ -930,6 +973,10 @@ sub parse_arguments
"ee_secure_client_auth_port:i" => \$l_ee_secure_client_auth_port,
"admin_secure_port:i" => \$l_admin_secure_port,
"tomcat_server_port:i" => \$l_tomcat_server_port,
+ "proxy_secure_port:i" => \$l_proxy_secure_port,
+ "proxy_unsecure_port:i" => \$l_proxy_unsecure_port,
+ "ajp_port:i" => \$l_ajp_port,
+ "enable_proxy" => \$enable_proxy,
"user=s" => \$username,
"group=s" => \$groupname,
"verbose+" => \$verbose,
@@ -1186,8 +1233,23 @@ sub parse_arguments
}
}
+ if ($enable_proxy) {
+
+ $proxy_secure_port = ($l_proxy_secure_port >= 0) ? $l_proxy_secure_port :
+ $PROXY_SECURE_PORT_DEFAULT;
+ emit(" proxy_secure_port $proxy_secure_port\n");
+
+ $proxy_unsecure_port = ($l_proxy_unsecure_port >= 0) ? $l_proxy_unsecure_port :
+ $PROXY_UNSECURE_PORT_DEFAULT;
+ emit(" proxy_unsecure_port $proxy_unsecure_port\n");
+
+ $ajp_port = ($l_ajp_port >= 0) ? $l_ajp_port : $AJP_PORT_DEFAULT;
+ emit(" ajp_port $ajp_port\n");
+ }
+
if (!AreConnectorPortsValid($secure_port,$unsecure_port,$agent_secure_port,
- $ee_secure_port,$ee_secure_client_auth_port, $admin_secure_port))
+ $ee_secure_port,$ee_secure_client_auth_port, $admin_secure_port,
+ $proxy_secure_port, $proxy_unsecure_port))
{
usage();
emit("Invalid port numbers submitted!\n","error");
@@ -1547,6 +1609,9 @@ sub initialize_subdirectory_paths
$profile_select_template_instance_file_path = $webapps_subsystem_instance_path
. "/ee/". $subsystem_type
. "/" . $profile_select_base_name;
+
+ $proxy_conf_subsystem_file_path = $conf_subsystem_path
+ . "/" . $proxy_conf_base_name;
}
## Initialize subdirectory paths (RA, TPS subsystems)
@@ -1901,6 +1966,8 @@ sub process_pki_directories
. "/" . $pfile_base_name;
$pki_cfg_instance_file_path = $conf_instance_path
. "/" . $pki_cfg_base_name;
+ $proxy_conf_instance_file_path = $conf_instance_path
+ . "/" . $proxy_conf_base_name;
$catalina_properties_instance_file_path = $conf_instance_path
. "/" . $catalina_properties_base_name;
@@ -1948,6 +2015,8 @@ sub process_pki_directories
. "/" . $pfile_base_name;
$pki_cfg_instance_file_path = $redirected_conf_path
. "/" . $pki_cfg_base_name;
+ $proxy_conf_instance_file_path = $redirected_conf_path
+ . "/" . $proxy_conf_base_name;
$catalina_properties_instance_file_path = $redirected_conf_path
. "/" . $catalina_properties_base_name;
@@ -2346,6 +2415,7 @@ LoadModule nss_module /opt/fortitude/modules.local/libmodnss.so
$slot_hash{$PKI_AGENT_SECURE_PORT_SLOT} = $agent_secure_port;
$slot_hash{$PKI_EE_SECURE_PORT_SLOT} = $ee_secure_port;
$slot_hash{$PKI_EE_SECURE_CLIENT_AUTH_PORT_SLOT} = $ee_secure_client_auth_port;
+ $slot_hash{$PKI_EE_SECURE_CLIENT_AUTH_PORT_UI_SLOT} = $ee_secure_client_auth_port;
$slot_hash{$PKI_ADMIN_SECURE_PORT_SLOT} = $admin_secure_port;
# Comment "Port Separation" appropriately
@@ -2378,7 +2448,8 @@ LoadModule nss_module /opt/fortitude/modules.local/libmodnss.so
$slot_hash{$PKI_SECURE_PORT_SLOT} = $secure_port;
$slot_hash{$PKI_AGENT_SECURE_PORT_SLOT} = $secure_port;
$slot_hash{$PKI_EE_SECURE_PORT_SLOT} = $secure_port;
- $slot_hash{$PKI_EE_SECURE_CLIENT_AUTH_PORT_SLOT} = $secure_port;
+ $slot_hash{$PKI_EE_SECURE_CLIENT_AUTH_PORT_SLOT} = $secure_port;
+ $slot_hash{$PKI_EE_SECURE_CLIENT_AUTH_PORT_UI_SLOT} = $secure_port;
$slot_hash{$PKI_ADMIN_SECURE_PORT_SLOT} = $secure_port;
# Comment "Shared Ports" appropriately
@@ -2398,7 +2469,31 @@ LoadModule nss_module /opt/fortitude/modules.local/libmodnss.so
# Comment out the "Admin/Agent/EE" Filters
$slot_hash{$PKI_OPEN_SEPARATE_PORTS_COMMENT_WEB_SLOT} = $PKI_OPEN_COMMENT;
$slot_hash{$PKI_CLOSE_SEPARATE_PORTS_COMMENT_WEB_SLOT} = $PKI_CLOSE_COMMENT;
- }
+ }
+
+ if ($enable_proxy) {
+ if ($use_port_separation) {
+ $slot_hash{$PKI_AJP_REDIRECT_PORT_SLOT} = $ee_secure_port;
+ } else {
+ $slot_hash{$PKI_AJP_REDIRECT_PORT_SLOT} = $secure_port;
+ }
+ $slot_hash{$PKI_EE_SECURE_CLIENT_AUTH_PORT_UI_SLOT} = $proxy_secure_port;
+ $slot_hash{$PKI_AJP_PORT_SLOT} = $ajp_port;
+ $slot_hash{$PKI_OPEN_AJP_PORT_COMMENT_SLOT} = "";
+ $slot_hash{$PKI_CLOSE_AJP_PORT_COMMENT_SLOT} = "";
+ $slot_hash{$PKI_OPEN_ENABLE_PROXY_COMMENT_SLOT} = "";
+ $slot_hash{$PKI_CLOSE_ENABLE_PROXY_COMMENT_SLOT} = "";
+ } else {
+ $slot_hash{$PKI_OPEN_AJP_PORT_COMMENT_SLOT} = $PKI_OPEN_COMMENT;
+ $slot_hash{$PKI_CLOSE_AJP_PORT_COMMENT_SLOT} = $PKI_CLOSE_COMMENT;
+ $slot_hash{$PKI_OPEN_ENABLE_PROXY_COMMENT_SLOT} = $PKI_OPEN_COMMENT;
+ $slot_hash{$PKI_CLOSE_ENABLE_PROXY_COMMENT_SLOT} = $PKI_CLOSE_COMMENT;
+ }
+
+ $slot_hash{$PROXY_SECURE_PORT_SLOT} = ($proxy_secure_port >=0) ?
+ $proxy_secure_port : "";
+ $slot_hash{$PROXY_UNSECURE_PORT_SLOT} = ($proxy_unsecure_port>=0) ?
+ $proxy_unsecure_port : "";
$slot_hash{$PKI_WEBAPPS_NAME} = $webapps_base_subsystem_dir;
$slot_hash{$PKI_FLAVOR_SLOT} = $pki_flavor;
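Review bot: `$slot_hash{$PKI_AJP_PORT_SLOT}` and `$slot_hash{$PKI_AJP_REDIRECT_PORT_SLOT}` are only assigned inside the `if ($enable_proxy)` branch, yet the tks server.xml hunk in this diff uses `[PKI_AJP_PORT]` in the `<!-- Define an AJP 1.3 Connector ... -->` comment outside the OPEN/CLOSE comment tokens, so with the proxy disabled that token depends on how process_file_template treats an unset slot. Assigning `$slot_hash{$PKI_AJP_PORT_SLOT} = ""; $slot_hash{$PKI_AJP_REDIRECT_PORT_SLOT} = "";` in the else branch, as the two proxy port slots already do at the end of the hunk, removes the ambiguity. Note also that `$PKI_EE_SECURE_CLIENT_AUTH_PORT_UI_SLOT` is overridden to the proxy port, so the client-certificate requirement the dedicated EE client-auth connector enforced must now be enforced by the proxy configuration; a comment here such as `# client-auth EE URLs are published via the proxy; proxy.conf must require the client cert` would tell the next maintainer where that guarantee moved.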
@@ -2470,7 +2565,12 @@ LoadModule nss_module /opt/fortitude/modules.local/libmodnss.so
$profile_select_template_subsystem_file_path,
$profile_select_template_instance_file_path,
\%slot_hash);
- }
+ # process proxy.conf file
+ return 0 if !process_file_template("proxy_conf",
+ $proxy_conf_subsystem_file_path,
+ $proxy_conf_instance_file_path,
+ \%slot_hash);
+ }
## Process templates (RA, TPS instances)
@@ -3073,6 +3173,9 @@ sub process_pki_selinux_setup
if ($admin_secure_port != -1) {
add_selinux_port($setype_p, $admin_secure_port, \$semanage_cmds);
}
+ if ($ajp_port != -1) {
+ add_selinux_port($setype_p, $ajp_port, \$semanage_cmds);
+ }
# now run the selinux commands in batch mode
if ($semanage_cmds ne "") {
diff --git a/pki/base/tks/shared/conf/CS.cfg.in b/pki/base/tks/shared/conf/CS.cfg.in
index 64296808a..d98a25154 100644
--- a/pki/base/tks/shared/conf/CS.cfg.in
+++ b/pki/base/tks/shared/conf/CS.cfg.in
@@ -25,6 +25,8 @@ preop.system.name=TKS
preop.product.name=CS
preop.product.version=@VERSION@
preop.system.fullname=Token Key Service
+proxy.securePort=[PKI_PROXY_SECURE_PORT]
+proxy.unsecurePort=[PKI_PROXY_UNSECURE_PORT]
tks.cert.list=sslserver,subsystem,audit_signing
tks.cert.sslserver.certusage=SSLServer
tks.cert.subsystem.certusage=SSLClient
diff --git a/pki/base/tks/shared/conf/server.xml b/pki/base/tks/shared/conf/server.xml
index 856c2c2a5..ff33b9aa4 100644
--- a/pki/base/tks/shared/conf/server.xml
+++ b/pki/base/tks/shared/conf/server.xml
@@ -191,10 +191,10 @@ Tomcat Port = [TOMCAT_SERVER_PORT] (for shutdown)
clientAuth="false" sslProtocol="TLS" />
-->
- <!-- Define an AJP 1.3 Connector on port 8009 -->
-<!--
- <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
--->
+ <!-- Define an AJP 1.3 Connector on port [PKI_AJP_PORT] -->
+[PKI_OPEN_AJP_PORT_COMMENT]
+ <Connector port="[PKI_AJP_PORT]" protocol="AJP/1.3" redirectPort="[PKI_AJP_REDIRECT_PORT]" />
+[PKI_CLOSE_AJP_PORT_COMMENT]
<!-- An Engine represents the entry point (within Catalina) that processes
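Review bot: The AJP connector has no `address` attribute, so Tomcat binds `[PKI_AJP_PORT]` on all interfaces; AJP carries no authentication of its own, which means the port this commit opens still has to be blocked at the firewall, the opposite of what the commit sets out to do. If httpd and Tomcat share a host, which the httpd_t rules in pki.te suggest, `<Connector port="[PKI_AJP_PORT]" protocol="AJP/1.3" address="127.0.0.1" redirectPort="[PKI_AJP_REDIRECT_PORT]" />` limits the listener to loopback. The same connector line presumably appears in the other subsystems' server.xml templates touched by this commit.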
diff --git a/pki/base/tks/shared/webapps/tks/WEB-INF/web.xml b/pki/base/tks/shared/webapps/tks/WEB-INF/web.xml
index 693d7b9fd..34517a63d 100644
--- a/pki/base/tks/shared/webapps/tks/WEB-INF/web.xml
+++ b/pki/base/tks/shared/webapps/tks/WEB-INF/web.xml
@@ -14,6 +14,12 @@
<param-name>https_port</param-name>
<param-value>[PKI_AGENT_SECURE_PORT]</param-value>
</init-param>
+[PKI_OPEN_ENABLE_PROXY_COMMENT]
+ <init-param>
+ <param-name>proxy_port</param-name>
+ <param-value>[PKI_PROXY_SECURE_PORT]</param-value>
+ </init-param>
+[PKI_CLOSE_ENABLE_PROXY_COMMENT]
<init-param>
<param-name>active</param-name>
<param-value>true</param-value>
@@ -27,6 +33,12 @@
<param-name>https_port</param-name>
<param-value>[PKI_ADMIN_SECURE_PORT]</param-value>
</init-param>
+[PKI_OPEN_ENABLE_PROXY_COMMENT]
+ <init-param>
+ <param-name>proxy_port</param-name>
+ <param-value>[PKI_PROXY_SECURE_PORT]</param-value>
+ </init-param>
+[PKI_CLOSE_ENABLE_PROXY_COMMENT]
<init-param>
<param-name>active</param-name>
<param-value>true</param-value>
@@ -44,6 +56,16 @@
<param-name>https_port</param-name>
<param-value>[PKI_EE_SECURE_PORT]</param-value>
</init-param>
+[PKI_OPEN_ENABLE_PROXY_COMMENT]
+ <init-param>
+ <param-name>proxy_port</param-name>
+ <param-value>[PKI_PROXY_SECURE_PORT]</param-value>
+ </init-param>
+ <init-param>
+ <param-name>proxy_http_port</param-name>
+ <param-value>[PKI_PROXY_UNSECURE_PORT]</param-value>
+ </init-param>
+[PKI_CLOSE_ENABLE_PROXY_COMMENT]
<init-param>
<param-name>active</param-name>
<param-value>true</param-value>
diff --git a/pki/dogtag/ca-ui/shared/webapps/ca/agent/ca/displayCRL.template b/pki/dogtag/ca-ui/shared/webapps/ca/agent/ca/displayCRL.template
index 20180af45..b3f0a50a0 100644
--- a/pki/dogtag/ca-ui/shared/webapps/ca/agent/ca/displayCRL.template
+++ b/pki/dogtag/ca-ui/shared/webapps/ca/agent/ca/displayCRL.template
@@ -20,7 +20,7 @@
<head>
<title>Display CRL</title>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
-<SCRIPT type="text/javascript" SRC="/helpfun.js"></SCRIPT>
+<SCRIPT type="text/javascript" SRC="../helpfun.js"></SCRIPT>
<SCRIPT type="text/javascript">
<!--
if (navigator.appName == "Microsoft Internet Explorer") {
diff --git a/pki/dogtag/ca-ui/shared/webapps/ca/agent/ca/getOCSPInfo.template b/pki/dogtag/ca-ui/shared/webapps/ca/agent/ca/getOCSPInfo.template
index beea645cb..46e4ccf32 100644
--- a/pki/dogtag/ca-ui/shared/webapps/ca/agent/ca/getOCSPInfo.template
+++ b/pki/dogtag/ca-ui/shared/webapps/ca/agent/ca/getOCSPInfo.template
@@ -20,7 +20,7 @@
<head>
<title>Display CRL</title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
-<SCRIPT type="text/javascript" SRC="/helpfun.js"></SCRIPT>
+<SCRIPT type="text/javascript" SRC="../helpfun.js"></SCRIPT>
<SCRIPT type="text/javascript">
<!--
if (navigator.appName == "Microsoft Internet Explorer") {
diff --git a/pki/dogtag/ca-ui/shared/webapps/ca/agent/ca/getStats.template b/pki/dogtag/ca-ui/shared/webapps/ca/agent/ca/getStats.template
index 5cbb9642d..59c59eea5 100644
--- a/pki/dogtag/ca-ui/shared/webapps/ca/agent/ca/getStats.template
+++ b/pki/dogtag/ca-ui/shared/webapps/ca/agent/ca/getStats.template
@@ -20,7 +20,7 @@
<head>
<title>Display CRL</title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
-<SCRIPT type="text/javascript" SRC="/helpfun.js"></SCRIPT>
+<SCRIPT type="text/javascript" SRC="../helpfun.js"></SCRIPT>
<SCRIPT type="text/javascript">
<!--
if (navigator.appName == "Microsoft Internet Explorer") {
diff --git a/pki/dogtag/ca-ui/shared/webapps/ca/ee/ca/CMCEnrollment.html b/pki/dogtag/ca-ui/shared/webapps/ca/ee/ca/CMCEnrollment.html
index c6a082ba8..d570addc6 100644
--- a/pki/dogtag/ca-ui/shared/webapps/ca/ee/ca/CMCEnrollment.html
+++ b/pki/dogtag/ca-ui/shared/webapps/ca/ee/ca/CMCEnrollment.html
@@ -46,7 +46,7 @@ function validate(form)
}
</SCRIPT>
-<SCRIPT LANGUAGE="JavaScript" SRC="/helpfun.js">
+<SCRIPT LANGUAGE="JavaScript" SRC="../helpfun.js">
</SCRIPT>
</head>
diff --git a/pki/dogtag/ca-ui/shared/webapps/ca/ee/ca/ChallengeRevoke1.html b/pki/dogtag/ca-ui/shared/webapps/ca/ee/ca/ChallengeRevoke1.html
index f5b9f3f68..ea4916cdb 100644
--- a/pki/dogtag/ca-ui/shared/webapps/ca/ee/ca/ChallengeRevoke1.html
+++ b/pki/dogtag/ca-ui/shared/webapps/ca/ee/ca/ChallengeRevoke1.html
@@ -21,9 +21,9 @@
<TITLE>Revoke a Certificate using a challenge password</TITLE>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<SCRIPT LANGUAGE="JavaScript"></SCRIPT>
-<script LANGUAGE="JavaScript" SRC="/ee/cms-funcs.js"></script>
+<script LANGUAGE="JavaScript" SRC="../cms-funcs.js"></script>
-<script LANGUAGE="JavaScript" SRC="/ee/helpfun.js"></script>
+<script LANGUAGE="JavaScript" SRC="../helpfun.js"></script>
<SCRIPT LANGUAGE="JavaScript">
function validate(form)
@@ -51,7 +51,7 @@ function validate(form)
}
</SCRIPT>
-<SCRIPT LANGUAGE="JavaScript" SRC="/ee/helpfun.js">
+<SCRIPT LANGUAGE="JavaScript" SRC="../helpfun.js">
</SCRIPT>
</head>
diff --git a/pki/dogtag/ca-ui/shared/webapps/ca/ee/ca/ManCAEnroll.html b/pki/dogtag/ca-ui/shared/webapps/ca/ee/ca/ManCAEnroll.html
index 443c9ff27..b96909fb0 100644
--- a/pki/dogtag/ca-ui/shared/webapps/ca/ee/ca/ManCAEnroll.html
+++ b/pki/dogtag/ca-ui/shared/webapps/ca/ee/ca/ManCAEnroll.html
@@ -39,7 +39,7 @@ function validate(form)
}
</SCRIPT>
-<SCRIPT LANGUAGE="JavaScript" SRC="/helpfun.js">
+<SCRIPT LANGUAGE="JavaScript" SRC="../helpfun.js">
</SCRIPT>
</head>
diff --git a/pki/dogtag/ca-ui/shared/webapps/ca/ee/ca/ManRAEnroll.html b/pki/dogtag/ca-ui/shared/webapps/ca/ee/ca/ManRAEnroll.html
index 5da4ee594..c1a807bc9 100644
--- a/pki/dogtag/ca-ui/shared/webapps/ca/ee/ca/ManRAEnroll.html
+++ b/pki/dogtag/ca-ui/shared/webapps/ca/ee/ca/ManRAEnroll.html
@@ -39,7 +39,7 @@ function validate(form)
}
</SCRIPT>
-<SCRIPT LANGUAGE="JavaScript" SRC="/helpfun.js">
+<SCRIPT LANGUAGE="JavaScript" SRC="../helpfun.js">
</SCRIPT>
</head>
diff --git a/pki/dogtag/ca-ui/shared/webapps/ca/ee/ca/ManServerEnroll.html b/pki/dogtag/ca-ui/shared/webapps/ca/ee/ca/ManServerEnroll.html
index 2dfa7b725..ff15fee59 100644
--- a/pki/dogtag/ca-ui/shared/webapps/ca/ee/ca/ManServerEnroll.html
+++ b/pki/dogtag/ca-ui/shared/webapps/ca/ee/ca/ManServerEnroll.html
@@ -39,7 +39,7 @@ function validate(form)
}
</SCRIPT>
-<SCRIPT LANGUAGE="JavaScript" SRC="/helpfun.js">
+<SCRIPT LANGUAGE="JavaScript" SRC="../helpfun.js">
</SCRIPT>
</head>
diff --git a/pki/dogtag/ca-ui/shared/webapps/ca/ee/ca/NISUserEnroll.html b/pki/dogtag/ca-ui/shared/webapps/ca/ee/ca/NISUserEnroll.html
index c16bde466..26915188d 100644
--- a/pki/dogtag/ca-ui/shared/webapps/ca/ee/ca/NISUserEnroll.html
+++ b/pki/dogtag/ca-ui/shared/webapps/ca/ee/ca/NISUserEnroll.html
@@ -21,9 +21,9 @@
<TITLE>NIS Based User Enrollment Form</TITLE>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<SCRIPT LANGUAGE="JavaScript"></SCRIPT>
-<SCRIPT LANGUAGE="JavaScript" SRC="/cms-funcs.js"> </SCRIPT>
-<SCRIPT LANGUAGE="JavaScript" SRC="/helpfun.js"> </SCRIPT>
-<SCRIPT LANGUAGE="JavaScript" SRC="/dynamicVars.js"> </SCRIPT>
+<SCRIPT LANGUAGE="JavaScript" SRC="../cms-funcs.js"> </SCRIPT>
+<SCRIPT LANGUAGE="JavaScript" SRC="../helpfun.js"> </SCRIPT>
+<SCRIPT LANGUAGE="JavaScript" SRC="/ca/ee/dynamicVars.js"> </SCRIPT>
<SCRIPT>
//<!--
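Review bot: `SRC="/ca/ee/dynamicVars.js"` hard-codes the `ca` context path while the two lines above it were just made relative; `../dynamicVars.js` resolves to the same file from /ca/ee/ca/ and keeps the page independent of the path the proxy publishes it under.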
diff --git a/pki/dogtag/ca-ui/shared/webapps/ca/ee/ca/OCSPResponder.html b/pki/dogtag/ca-ui/shared/webapps/ca/ee/ca/OCSPResponder.html
index b1aa906e8..4d14f513f 100644
--- a/pki/dogtag/ca-ui/shared/webapps/ca/ee/ca/OCSPResponder.html
+++ b/pki/dogtag/ca-ui/shared/webapps/ca/ee/ca/OCSPResponder.html
@@ -39,7 +39,7 @@ function validate(form)
}
</SCRIPT>
-<SCRIPT LANGUAGE="JavaScript" SRC="/helpfun.js">
+<SCRIPT LANGUAGE="JavaScript" SRC="../helpfun.js">
</SCRIPT>
</head>
diff --git a/pki/dogtag/ca-ui/shared/webapps/ca/ee/ca/ObjSignPKCS10Enroll.html b/pki/dogtag/ca-ui/shared/webapps/ca/ee/ca/ObjSignPKCS10Enroll.html
index 901410326..fcf68f12e 100644
--- a/pki/dogtag/ca-ui/shared/webapps/ca/ee/ca/ObjSignPKCS10Enroll.html
+++ b/pki/dogtag/ca-ui/shared/webapps/ca/ee/ca/ObjSignPKCS10Enroll.html
@@ -56,7 +56,7 @@ function validate(form)
}
</SCRIPT>
-<SCRIPT LANGUAGE="JavaScript" SRC="/helpfun.js">
+<SCRIPT LANGUAGE="JavaScript" SRC="../helpfun.js">
</SCRIPT>
</head>
diff --git a/pki/dogtag/ca-ui/shared/webapps/ca/ee/ca/ProfileSelect.template b/pki/dogtag/ca-ui/shared/webapps/ca/ee/ca/ProfileSelect.template
index 4ddd1a945..f05930f8f 100644
--- a/pki/dogtag/ca-ui/shared/webapps/ca/ee/ca/ProfileSelect.template
+++ b/pki/dogtag/ca-ui/shared/webapps/ca/ee/ca/ProfileSelect.template
@@ -282,7 +282,7 @@ function setCRMFRequest()
var uri = 'profileSubmit';
if (typeof(authName) != "undefined") {
if (authIsSSLClientRequired == 'true') {
- uri = 'https://[PKI_MACHINE_NAME]:[PKI_EE_SECURE_CLIENT_AUTH_PORT]/[PKI_SUBSYSTEM_TYPE]/eeca/[PKI_SUBSYSTEM_TYPE]/profileSubmitSSLClient';
+ uri = 'https://[PKI_MACHINE_NAME]:[PKI_EE_SECURE_CLIENT_AUTH_PORT_UI]/[PKI_SUBSYSTEM_TYPE]/eeca/[PKI_SUBSYSTEM_TYPE]/profileSubmitSSLClient';
}
}
if (navigator.appName == "Microsoft Internet Explorer") {
diff --git a/pki/dogtag/ca-ui/shared/webapps/ca/ee/ca/UserRevocation.html b/pki/dogtag/ca-ui/shared/webapps/ca/ee/ca/UserRevocation.html
index 21685917f..50cca6507 100644
--- a/pki/dogtag/ca-ui/shared/webapps/ca/ee/ca/UserRevocation.html
+++ b/pki/dogtag/ca-ui/shared/webapps/ca/ee/ca/UserRevocation.html
@@ -20,7 +20,7 @@
<head>
<TITLE>User Certificate Revocation Form</TITLE>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
-<SCRIPT LANGUAGE="JavaScript" SRC="/ee/helpfun.js">
+<SCRIPT LANGUAGE="JavaScript" SRC="../helpfun.js">
</SCRIPT>
</head>
<body bgcolor="#FFFFFF">
diff --git a/pki/dogtag/ca-ui/shared/webapps/ca/ee/ca/checkRequest.html b/pki/dogtag/ca-ui/shared/webapps/ca/ee/ca/checkRequest.html
index cd22063ec..e315aa817 100644
--- a/pki/dogtag/ca-ui/shared/webapps/ca/ee/ca/checkRequest.html
+++ b/pki/dogtag/ca-ui/shared/webapps/ca/ee/ca/checkRequest.html
@@ -22,7 +22,7 @@
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<SCRIPT LANGUAGE="JavaScript"></SCRIPT>
-<script LANGUAGE="JavaScript" SRC="/ee/helpfun.js"></script>
+<script LANGUAGE="JavaScript" SRC="../helpfun.js"></script>
</head>
diff --git a/pki/dogtag/ca-ui/shared/webapps/ca/ee/ca/policyEnrollment/index.html b/pki/dogtag/ca-ui/shared/webapps/ca/ee/ca/policyEnrollment/index.html
index 25fb5d05d..d0d823416 100644
--- a/pki/dogtag/ca-ui/shared/webapps/ca/ee/ca/policyEnrollment/index.html
+++ b/pki/dogtag/ca-ui/shared/webapps/ca/ee/ca/policyEnrollment/index.html
@@ -22,7 +22,7 @@
<link rel="shortcut icon" href="/ca/ee/graphics/favicon.ico" />
<SCRIPT LANGUAGE="JavaScript"></SCRIPT>
<script lang="javascript" src="/dynamicVars.js"></script>
-<script lang="javascript" src="/cms-funcs.js"></script>
+<script lang="javascript" src="../cms-funcs.js"></script>
<script lang="javascript">
<!--//
function doResize() {
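Review bot: `../cms-funcs.js` from policyEnrollment/index.html resolves to /ca/ee/ca/cms-funcs.js, one directory deeper than the `../cms-funcs.js` the sibling pages directly in ee/ca/ now use, which resolves to /ca/ee/cms-funcs.js; unless the file exists at both locations this reference is broken, and `../../cms-funcs.js` is presumably what was intended. The same applies to profileEnrollment/index.html in the next hunk, and `/dynamicVars.js` on the line above is still absolute in both pages.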
diff --git a/pki/dogtag/ca-ui/shared/webapps/ca/ee/ca/profileEnrollment/index.html b/pki/dogtag/ca-ui/shared/webapps/ca/ee/ca/profileEnrollment/index.html
index 5f195b889..efcc3c67d 100644
--- a/pki/dogtag/ca-ui/shared/webapps/ca/ee/ca/profileEnrollment/index.html
+++ b/pki/dogtag/ca-ui/shared/webapps/ca/ee/ca/profileEnrollment/index.html
@@ -22,7 +22,7 @@
<link rel="shortcut icon" href="/ca/ee/graphics/favicon.ico" />
<SCRIPT LANGUAGE="JavaScript"></SCRIPT>
<script lang="javascript" src="/dynamicVars.js"></script>
-<script lang="javascript" src="/cms-funcs.js"></script>
+<script lang="javascript" src="../cms-funcs.js"></script>
<script lang="javascript">
<!--//
function doResize() {
diff --git a/pki/dogtag/ca-ui/shared/webapps/ca/ee/ca/queryCert.html b/pki/dogtag/ca-ui/shared/webapps/ca/ee/ca/queryCert.html
index 605bad0f9..1855ffaac 100644
--- a/pki/dogtag/ca-ui/shared/webapps/ca/ee/ca/queryCert.html
+++ b/pki/dogtag/ca-ui/shared/webapps/ca/ee/ca/queryCert.html
@@ -22,8 +22,8 @@
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<SCRIPT LANGUAGE="JavaScript"></SCRIPT>
-<script LANGUAGE="JavaScript" SRC="/ee/cms-funcs.js"></script>
-<script LANGUAGE="JavaScript" SRC="/ee/helpfun.js"></script>
+<script LANGUAGE="JavaScript" SRC="../cms-funcs.js"></script>
+<script LANGUAGE="JavaScript" SRC="../helpfun.js"></script>
</head>
<body bgcolor="#FFFFFF" link="#666699" vlink="#666699" alink="#333366">
diff --git a/pki/dogtag/ca-ui/shared/webapps/ca/ee/ca/requestStatus.template b/pki/dogtag/ca-ui/shared/webapps/ca/ee/ca/requestStatus.template
index 3279f6fde..b00e55766 100644
--- a/pki/dogtag/ca-ui/shared/webapps/ca/ee/ca/requestStatus.template
+++ b/pki/dogtag/ca-ui/shared/webapps/ca/ee/ca/requestStatus.template
@@ -23,7 +23,7 @@
</head>
<SCRIPT LANGUAGE="JavaScript"></SCRIPT>
-<script LANGUAGE="JavaScript" SRC="/ee/helpfun.js"></script>
+<script LANGUAGE="JavaScript" SRC="../helpfun.js"></script>
<CMS_TEMPLATE>
diff --git a/pki/dogtag/kra-ui/shared/webapps/kra/agent/kra/GrantRecovery.html b/pki/dogtag/kra-ui/shared/webapps/kra/agent/kra/GrantRecovery.html
index 4f7aa9e16..225bbdb30 100644
--- a/pki/dogtag/kra-ui/shared/webapps/kra/agent/kra/GrantRecovery.html
+++ b/pki/dogtag/kra-ui/shared/webapps/kra/agent/kra/GrantRecovery.html
@@ -3,7 +3,7 @@
<HEAD>
<TITLE>Authorize Recovery (for Recovery Agents)</TITLE>
<SCRIPT LANGUAGE="JavaScript"></SCRIPT>
-<SCRIPT LANGUAGE="JavaScript" SRC="/helpfun.js">
+<SCRIPT LANGUAGE="JavaScript" SRC="../helpfun.js">
</SCRIPT>
</HEAD>
diff --git a/pki/dogtag/kra-ui/shared/webapps/kra/agent/kra/getStats.template b/pki/dogtag/kra-ui/shared/webapps/kra/agent/kra/getStats.template
index e49bb2dea..cfd2f3193 100644
--- a/pki/dogtag/kra-ui/shared/webapps/kra/agent/kra/getStats.template
+++ b/pki/dogtag/kra-ui/shared/webapps/kra/agent/kra/getStats.template
@@ -4,7 +4,7 @@
<title>Display CRL</title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<SCRIPT LANGUAGE="JavaScript"></SCRIPT>
-<SCRIPT LANGUAGE="JavaScript" SRC="/helpfun.js"></SCRIPT>
+<SCRIPT LANGUAGE="JavaScript" SRC="../helpfun.js"></SCRIPT>
<SCRIPT LANGUAGE="JavaScript">
<!--
if (navigator.appName == "Microsoft Internet Explorer") {
diff --git a/pki/dogtag/kra-ui/shared/webapps/kra/agent/kra/processReq.template b/pki/dogtag/kra-ui/shared/webapps/kra/agent/kra/processReq.template
index 25cb142ab..a5292102d 100644
--- a/pki/dogtag/kra-ui/shared/webapps/kra/agent/kra/processReq.template
+++ b/pki/dogtag/kra-ui/shared/webapps/kra/agent/kra/processReq.template
@@ -5,7 +5,7 @@
</head>
<CMS_TEMPLATE>
<SCRIPT LANGUAGE="JavaScript"></SCRIPT>
-<SCRIPT LANGUAGE="JavaScript" SRC="/helpfun.js"></SCRIPT>
+<SCRIPT LANGUAGE="JavaScript" SRC="../helpfun.js"></SCRIPT>
<SCRIPT LANGUAGE="JavaScript">
//<!--
diff --git a/pki/dogtag/ocsp-ui/shared/webapps/ocsp/agent/ocsp/AddCA.html b/pki/dogtag/ocsp-ui/shared/webapps/ocsp/agent/ocsp/AddCA.html
index f81121b14..79fe51529 100644
--- a/pki/dogtag/ocsp-ui/shared/webapps/ocsp/agent/ocsp/AddCA.html
+++ b/pki/dogtag/ocsp-ui/shared/webapps/ocsp/agent/ocsp/AddCA.html
@@ -20,7 +20,7 @@
<HEAD>
<TITLE>Add Certificate Authority</TITLE>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
-<SCRIPT LANGUAGE="JavaScript" SRC="/helpfun.js"></SCRIPT>
+<SCRIPT LANGUAGE="JavaScript" SRC="../helpfun.js"></SCRIPT>
</HEAD>
<body bgcolor="#FFFFFF" link="#666699" vlink="#666699" alink="#333366">
diff --git a/pki/dogtag/ocsp-ui/shared/webapps/ocsp/agent/ocsp/AddCRL.html b/pki/dogtag/ocsp-ui/shared/webapps/ocsp/agent/ocsp/AddCRL.html
index 008a129ab..98f4b0771 100644
--- a/pki/dogtag/ocsp-ui/shared/webapps/ocsp/agent/ocsp/AddCRL.html
+++ b/pki/dogtag/ocsp-ui/shared/webapps/ocsp/agent/ocsp/AddCRL.html
@@ -20,7 +20,7 @@
<HEAD>
<TITLE>Add Certificate Revocation List</TITLE>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
-<SCRIPT LANGUAGE="JavaScript" SRC="/helpfun.js"></SCRIPT>
+<SCRIPT LANGUAGE="JavaScript" SRC="../helpfun.js"></SCRIPT>
</HEAD>
<body bgcolor="#FFFFFF" link="#666699" vlink="#666699" alink="#333366">
diff --git a/pki/dogtag/ocsp-ui/shared/webapps/ocsp/agent/ocsp/CheckCert.html b/pki/dogtag/ocsp-ui/shared/webapps/ocsp/agent/ocsp/CheckCert.html
index 9dd152f5f..6e614c87f 100644
--- a/pki/dogtag/ocsp-ui/shared/webapps/ocsp/agent/ocsp/CheckCert.html
+++ b/pki/dogtag/ocsp-ui/shared/webapps/ocsp/agent/ocsp/CheckCert.html
@@ -20,7 +20,7 @@
<HEAD>
<TITLE>Check Certificate Status</TITLE>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
-<SCRIPT LANGUAGE="JavaScript" SRC="/helpfun.js"></SCRIPT>
+<SCRIPT LANGUAGE="JavaScript" SRC="../helpfun.js"></SCRIPT>
</HEAD>
<body bgcolor="#FFFFFF" link="#666699" vlink="#666699" alink="#333366">
diff --git a/pki/dogtag/ocsp-ui/shared/webapps/ocsp/agent/ocsp/addCA.template b/pki/dogtag/ocsp-ui/shared/webapps/ocsp/agent/ocsp/addCA.template
index 8ce61e83b..5d71adca8 100644
--- a/pki/dogtag/ocsp-ui/shared/webapps/ocsp/agent/ocsp/addCA.template
+++ b/pki/dogtag/ocsp-ui/shared/webapps/ocsp/agent/ocsp/addCA.template
@@ -21,7 +21,7 @@
<title>Adding Certificate Authority</title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<SCRIPT LANGUAGE="JavaScript"></SCRIPT>
-<SCRIPT LANGUAGE="JavaScript" SRC="/helpfun.js"></SCRIPT>
+<SCRIPT LANGUAGE="JavaScript" SRC="../helpfun.js"></SCRIPT>
<SCRIPT LANGUAGE="JavaScript">
<!--
if (navigator.appName == "Microsoft Internet Explorer") {
diff --git a/pki/dogtag/ocsp-ui/shared/webapps/ocsp/agent/ocsp/addCRL.template b/pki/dogtag/ocsp-ui/shared/webapps/ocsp/agent/ocsp/addCRL.template
index a7e160418..12f4ce1d3 100644
--- a/pki/dogtag/ocsp-ui/shared/webapps/ocsp/agent/ocsp/addCRL.template
+++ b/pki/dogtag/ocsp-ui/shared/webapps/ocsp/agent/ocsp/addCRL.template
@@ -21,7 +21,7 @@
<title>Adding Certificate Revocation List</title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<SCRIPT LANGUAGE="JavaScript"></SCRIPT>
-<SCRIPT LANGUAGE="JavaScript" SRC="/helpfun.js"></SCRIPT>
+<SCRIPT LANGUAGE="JavaScript" SRC="../helpfun.js"></SCRIPT>
<SCRIPT LANGUAGE="JavaScript">
<!--
if (navigator.appName == "Microsoft Internet Explorer") {
diff --git a/pki/dogtag/ocsp-ui/shared/webapps/ocsp/agent/ocsp/checkCert.template b/pki/dogtag/ocsp-ui/shared/webapps/ocsp/agent/ocsp/checkCert.template
index 350ddd142..d00e15c31 100644
--- a/pki/dogtag/ocsp-ui/shared/webapps/ocsp/agent/ocsp/checkCert.template
+++ b/pki/dogtag/ocsp-ui/shared/webapps/ocsp/agent/ocsp/checkCert.template
@@ -21,7 +21,7 @@
<title>Check Certificate Status</title>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<SCRIPT LANGUAGE="JavaScript"></SCRIPT>
-<SCRIPT LANGUAGE="JavaScript" SRC="/helpfun.js"></SCRIPT>
+<SCRIPT LANGUAGE="JavaScript" SRC="../helpfun.js"></SCRIPT>
<SCRIPT LANGUAGE="JavaScript">
<!--
if (navigator.appName == "Microsoft Internet Explorer") {
diff --git a/pki/dogtag/ocsp-ui/shared/webapps/ocsp/agent/ocsp/getOCSPInfo.template b/pki/dogtag/ocsp-ui/shared/webapps/ocsp/agent/ocsp/getOCSPInfo.template
index 4cbf9f714..8b739b45d 100644
--- a/pki/dogtag/ocsp-ui/shared/webapps/ocsp/agent/ocsp/getOCSPInfo.template
+++ b/pki/dogtag/ocsp-ui/shared/webapps/ocsp/agent/ocsp/getOCSPInfo.template
@@ -21,7 +21,7 @@
<title>Display CRL</title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<SCRIPT LANGUAGE="JavaScript"></SCRIPT>
-<SCRIPT LANGUAGE="JavaScript" SRC="/helpfun.js"></SCRIPT>
+<SCRIPT LANGUAGE="JavaScript" SRC="../helpfun.js"></SCRIPT>
<SCRIPT LANGUAGE="JavaScript">
<!--
if (navigator.appName == "Microsoft Internet Explorer") {
diff --git a/pki/dogtag/ocsp-ui/shared/webapps/ocsp/agent/ocsp/getStats.template b/pki/dogtag/ocsp-ui/shared/webapps/ocsp/agent/ocsp/getStats.template
index c6f56b1f7..a08a6fe60 100644
--- a/pki/dogtag/ocsp-ui/shared/webapps/ocsp/agent/ocsp/getStats.template
+++ b/pki/dogtag/ocsp-ui/shared/webapps/ocsp/agent/ocsp/getStats.template
@@ -21,7 +21,7 @@
<title>Display CRL</title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<SCRIPT LANGUAGE="JavaScript"></SCRIPT>
-<SCRIPT LANGUAGE="JavaScript" SRC="/helpfun.js"></SCRIPT>
+<SCRIPT LANGUAGE="JavaScript" SRC="../helpfun.js"></SCRIPT>
<SCRIPT LANGUAGE="JavaScript">
<!--
if (navigator.appName == "Microsoft Internet Explorer") {
diff --git a/pki/dogtag/ocsp-ui/shared/webapps/ocsp/agent/ocsp/listCAs.template b/pki/dogtag/ocsp-ui/shared/webapps/ocsp/agent/ocsp/listCAs.template
index 494df1d58..6fbf5fd73 100644
--- a/pki/dogtag/ocsp-ui/shared/webapps/ocsp/agent/ocsp/listCAs.template
+++ b/pki/dogtag/ocsp-ui/shared/webapps/ocsp/agent/ocsp/listCAs.template
@@ -21,7 +21,7 @@
<title>List Certificate Authorities</title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<SCRIPT LANGUAGE="JavaScript"></SCRIPT>
-<SCRIPT LANGUAGE="JavaScript" SRC="/helpfun.js"></SCRIPT>
+<SCRIPT LANGUAGE="JavaScript" SRC="../helpfun.js"></SCRIPT>
<SCRIPT LANGUAGE="JavaScript">
<!--
if (navigator.appName == "Microsoft Internet Explorer") {
diff --git a/pki/dogtag/ocsp-ui/shared/webapps/ocsp/agent/ocsp/removeCA.template b/pki/dogtag/ocsp-ui/shared/webapps/ocsp/agent/ocsp/removeCA.template
index e8903ea18..1b85bba95 100755
--- a/pki/dogtag/ocsp-ui/shared/webapps/ocsp/agent/ocsp/removeCA.template
+++ b/pki/dogtag/ocsp-ui/shared/webapps/ocsp/agent/ocsp/removeCA.template
@@ -21,7 +21,7 @@
<title>Removing Certificate Authority</title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<SCRIPT LANGUAGE="JavaScript"></SCRIPT>
-<SCRIPT LANGUAGE="JavaScript" SRC="/helpfun.js"></SCRIPT>
+<SCRIPT LANGUAGE="JavaScript" SRC="../helpfun.js"></SCRIPT>
<SCRIPT LANGUAGE="JavaScript">
<!--
if (navigator.appName == "Microsoft Internet Explorer") {
diff --git a/pki/dogtag/tks-ui/shared/webapps/tks/agent/tks/getStats.template b/pki/dogtag/tks-ui/shared/webapps/tks/agent/tks/getStats.template
index c6f56b1f7..a08a6fe60 100644
--- a/pki/dogtag/tks-ui/shared/webapps/tks/agent/tks/getStats.template
+++ b/pki/dogtag/tks-ui/shared/webapps/tks/agent/tks/getStats.template
@@ -21,7 +21,7 @@
<title>Display CRL</title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<SCRIPT LANGUAGE="JavaScript"></SCRIPT>
-<SCRIPT LANGUAGE="JavaScript" SRC="/helpfun.js"></SCRIPT>
+<SCRIPT LANGUAGE="JavaScript" SRC="../helpfun.js"></SCRIPT>
<SCRIPT LANGUAGE="JavaScript">
<!--
if (navigator.appName == "Microsoft Internet Explorer") {