-rw-r--r--base/ca/CMakeLists.txt33
-rwxr-xr-xbase/ca/shared/etc/init.d/pki-cad87
-rw-r--r--base/ca/shared/lib/systemd/system/pki-cad.target8
-rw-r--r--base/ca/shared/lib/systemd/system/pki-cad@.service13
-rw-r--r--base/kra/CMakeLists.txt35
-rwxr-xr-xbase/kra/shared/etc/init.d/pki-krad87
-rw-r--r--base/kra/shared/lib/systemd/system/pki-krad.target8
-rw-r--r--base/kra/shared/lib/systemd/system/pki-krad@.service13
-rw-r--r--base/ocsp/CMakeLists.txt34
-rwxr-xr-xbase/ocsp/shared/etc/init.d/pki-ocspd87
-rw-r--r--base/ocsp/shared/lib/systemd/system/pki-ocspd.target8
-rw-r--r--base/ocsp/shared/lib/systemd/system/pki-ocspd@.service13
-rw-r--r--base/server/cms/src/com/netscape/cms/servlet/csadmin/DonePanel.java10
-rw-r--r--base/server/cms/src/com/netscape/cms/servlet/csadmin/SecurityDomainPanel.java31
-rw-r--r--base/server/python/pki/server/deployment/pkimessages.py2
-rw-r--r--base/server/share/webapps/pki/admin/console/config/securitydomainpanel.vm2
-rwxr-xr-xbase/setup/pkicommon.pm20
-rw-r--r--base/setup/scripts/functions19
-rwxr-xr-xbase/silent/templates/pki_silent.template1352
-rw-r--r--base/tks/CMakeLists.txt34
-rwxr-xr-xbase/tks/shared/etc/init.d/pki-tksd87
-rw-r--r--base/tks/shared/lib/systemd/system/pki-tksd.target8
-rw-r--r--base/tks/shared/lib/systemd/system/pki-tksd@.service13
-rw-r--r--base/tps-tomcat/CMakeLists.txt34
-rwxr-xr-xbase/tps-tomcat/shared/conf/etc/init.d/pki-tpsd86
-rwxr-xr-xbase/tps-tomcat/shared/etc/init.d/pki-tpsd86
-rw-r--r--base/tps-tomcat/shared/lib/systemd/system/pki-tpsd.target6
-rw-r--r--base/tps-tomcat/shared/lib/systemd/system/pki-tpsd@.service12
-rw-r--r--specs/pki-core.spec220
29 files changed, 42 insertions, 2406 deletions
diff --git a/base/ca/CMakeLists.txt b/base/ca/CMakeLists.txt
index 9c1616bac..025f7a132 100644
--- a/base/ca/CMakeLists.txt
+++ b/base/ca/CMakeLists.txt
@@ -4,30 +4,6 @@ add_subdirectory(src)
add_subdirectory(setup)
add_subdirectory(shared/conf)
-# install systemd scripts
-install(
- FILES
- shared/lib/systemd/system/pki-cad.target
- shared/lib/systemd/system/pki-cad@.service
- DESTINATION
- ${SYSTEMD_LIB_INSTALL_DIR}
- PERMISSIONS
- OWNER_EXECUTE OWNER_WRITE OWNER_READ
- GROUP_EXECUTE GROUP_READ
- WORLD_EXECUTE WORLD_READ
-)
-
-# install init script
-install(
- FILES
- shared/etc/init.d/pki-cad
- DESTINATION
- ${SYSCONF_INSTALL_DIR}/rc.d/init.d
- PERMISSIONS
- OWNER_EXECUTE OWNER_WRITE OWNER_READ
- GROUP_EXECUTE GROUP_READ
-)
-
# install directories
install(
DIRECTORY
@@ -37,11 +13,7 @@ install(
PATTERN
"CMakeLists.txt" EXCLUDE
PATTERN
- "etc/*" EXCLUDE
- PATTERN
"conf/CS.cfg.in" EXCLUDE
- PATTERN
- "lib/*" EXCLUDE
)
# install empty directories
@@ -57,8 +29,3 @@ install(
${VAR_INSTALL_DIR}/run/pki/ca
)
-install(
- DIRECTORY
- DESTINATION
- ${SYSTEMD_ETC_INSTALL_DIR}/pki-cad.target.wants
-)
diff --git a/base/ca/shared/etc/init.d/pki-cad b/base/ca/shared/etc/init.d/pki-cad
deleted file mode 100755
index 772523287..000000000
--- a/base/ca/shared/etc/init.d/pki-cad
+++ /dev/null
@@ -1,87 +0,0 @@
-#!/bin/bash
-#
-# --- BEGIN COPYRIGHT BLOCK ---
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation; version 2 of the License.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License along
-# with this program; if not, write to the Free Software Foundation, Inc.,
-# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-#
-# Copyright (C) 2007-2010 Red Hat, Inc.
-# All rights reserved.
-# --- END COPYRIGHT BLOCK ---
-#
-# pki-cad Startup script for pki-ca with tomcat6
-#
-# chkconfig: - 81 19
-# description: Certificate Authority (Tomcat 6.0)
-# processname: pki-cad
-# piddir: /var/run/pki/ca
-#
-
-PROG_NAME=`basename $0`
-SERVICE_NAME="pki-cad"
-SERVICE_PROG="/sbin/service"
-PKI_PATH="/usr/share/pki/ca"
-PKI_REGISTRY="/etc/sysconfig/pki/ca"
-PKI_TYPE="pki-ca"
-PKI_TOTAL_PORTS=7
-
-# Avoid using 'systemctl' for now
-SYSTEMCTL_SKIP_REDIRECT=1
-export SYSTEMCTL_SKIP_REDIRECT
-
-# Disallow 'others' the ability to 'write' to new files
-umask 00002
-
-command="$1"
-pki_instance="$2"
-
-# Source function library.
-. /etc/init.d/functions
-
-# Source the PKI function library
-. /usr/share/pki/scripts/functions
-
-# See how we were called.
-case $command in
- status)
- registry_status
- exit $?
- ;;
- start)
- start
- exit $?
- ;;
- restart)
- restart
- exit $?
- ;;
- stop)
- stop
- exit $?
- ;;
- condrestart|force-restart|try-restart)
- [ ! -f ${lockfile} ] || restart
- exit $?
- ;;
- reload)
- echo "The 'reload' action is an unimplemented feature."
- exit ${default_error}
- ;;
- *)
- echo "unknown action ($command)"
- usage
- echo "where valid instance names include:"
- list_instances
- exit ${default_error}
- ;;
-esac
-
diff --git a/base/ca/shared/lib/systemd/system/pki-cad.target b/base/ca/shared/lib/systemd/system/pki-cad.target
deleted file mode 100644
index dab661403..000000000
--- a/base/ca/shared/lib/systemd/system/pki-cad.target
+++ /dev/null
@@ -1,8 +0,0 @@
-[Unit]
-Description=PKI Certificate Authority Server
-After=syslog.target network.target
-
-[Install]
-WantedBy=multi-user.target
-
-
diff --git a/base/ca/shared/lib/systemd/system/pki-cad@.service b/base/ca/shared/lib/systemd/system/pki-cad@.service
deleted file mode 100644
index e205d72fb..000000000
--- a/base/ca/shared/lib/systemd/system/pki-cad@.service
+++ /dev/null
@@ -1,13 +0,0 @@
-[Unit]
-Description=PKI Certificate Authority Server %i
-After=pki-cad.target
-BindTo=pki-cad.target
-
-[Service]
-Type=forking
-ExecStart=/usr/bin/pkicontrol start ca %i
-ExecStop=/usr/bin/pkicontrol stop ca %i
-
-[Install]
-WantedBy=multi-user.target
-
diff --git a/base/kra/CMakeLists.txt b/base/kra/CMakeLists.txt
index 7fc45cdb7..02bacd132 100644
--- a/base/kra/CMakeLists.txt
+++ b/base/kra/CMakeLists.txt
@@ -4,31 +4,6 @@ add_subdirectory(src)
add_subdirectory(setup)
add_subdirectory(shared/conf)
-# install systemd scripts
-install(
- FILES
- shared/lib/systemd/system/pki-krad.target
- shared/lib/systemd/system/pki-krad@.service
- DESTINATION
- ${SYSTEMD_LIB_INSTALL_DIR}
- PERMISSIONS
- OWNER_EXECUTE OWNER_WRITE OWNER_READ
- GROUP_EXECUTE GROUP_READ
- WORLD_EXECUTE WORLD_READ
-)
-
-# install init script
-install(
- FILES
- shared/etc/init.d/pki-krad
- DESTINATION
- ${SYSCONF_INSTALL_DIR}/rc.d/init.d
- PERMISSIONS
- OWNER_EXECUTE OWNER_WRITE OWNER_READ
- GROUP_EXECUTE GROUP_READ
- WORLD_EXECUTE WORLD_READ
-)
-
# install directories
install(
DIRECTORY
@@ -38,11 +13,7 @@ install(
PATTERN
"CMakeLists.txt" EXCLUDE
PATTERN
- "etc/*" EXCLUDE
- PATTERN
"conf/CS.cfg.in" EXCLUDE
- PATTERN
- "lib/*" EXCLUDE
)
# install empty directories
@@ -58,9 +29,3 @@ install(
${VAR_INSTALL_DIR}/run/pki/kra
)
-install(
- DIRECTORY
- DESTINATION
- ${SYSTEMD_ETC_INSTALL_DIR}/pki-krad.target.wants
-)
-
diff --git a/base/kra/shared/etc/init.d/pki-krad b/base/kra/shared/etc/init.d/pki-krad
deleted file mode 100755
index fe3f888b1..000000000
--- a/base/kra/shared/etc/init.d/pki-krad
+++ /dev/null
@@ -1,87 +0,0 @@
-#!/bin/bash
-#
-# --- BEGIN COPYRIGHT BLOCK ---
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation; version 2 of the License.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License along
-# with this program; if not, write to the Free Software Foundation, Inc.,
-# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-#
-# Copyright (C) 2007-2010 Red Hat, Inc.
-# All rights reserved.
-# --- END COPYRIGHT BLOCK ---
-#
-# pki-krad Startup script pki-kra with tomcat6
-#
-# chkconfig: - 82 18
-# description: Data Recovery Manager (Tomcat 6.0)
-# processname: pki-krad
-# piddir: /var/run/pki/kra
-#
-
-PROG_NAME=`basename $0`
-SERVICE_NAME="pki-krad"
-SERVICE_PROG="/sbin/service"
-PKI_PATH="/usr/share/pki/kra"
-PKI_REGISTRY="/etc/sysconfig/pki/kra"
-PKI_TYPE="pki-kra"
-PKI_TOTAL_PORTS=6
-
-# Avoid using 'systemctl' for now
-SYSTEMCTL_SKIP_REDIRECT=1
-export SYSTEMCTL_SKIP_REDIRECT
-
-# Disallow 'others' the ability to 'write' to new files
-umask 00002
-
-command="$1"
-pki_instance="$2"
-
-# Source function library.
-. /etc/init.d/functions
-
-# Source the PKI function library
-. /usr/share/pki/scripts/functions
-
-# See how we were called.
-case $command in
- status)
- registry_status
- exit $?
- ;;
- start)
- start
- exit $?
- ;;
- restart)
- restart
- exit $?
- ;;
- stop)
- stop
- exit $?
- ;;
- condrestart|force-restart|try-restart)
- [ ! -f ${lockfile} ] || restart
- exit $?
- ;;
- reload)
- echo "The 'reload' action is an unimplemented feature."
- exit ${default_error}
- ;;
- *)
- echo "unknown action ($command)"
- usage
- echo "where valid instance names include:"
- list_instances
- exit ${default_error}
- ;;
-esac
-
diff --git a/base/kra/shared/lib/systemd/system/pki-krad.target b/base/kra/shared/lib/systemd/system/pki-krad.target
deleted file mode 100644
index b7027fc72..000000000
--- a/base/kra/shared/lib/systemd/system/pki-krad.target
+++ /dev/null
@@ -1,8 +0,0 @@
-[Unit]
-Description=PKI Key Recovery Authority Server
-After=syslog.target network.target
-
-[Install]
-WantedBy=multi-user.target
-
-
diff --git a/base/kra/shared/lib/systemd/system/pki-krad@.service b/base/kra/shared/lib/systemd/system/pki-krad@.service
deleted file mode 100644
index 3c4f177a9..000000000
--- a/base/kra/shared/lib/systemd/system/pki-krad@.service
+++ /dev/null
@@ -1,13 +0,0 @@
-[Unit]
-Description=PKI Key Recovery Authority Server %i
-After=pki-krad.target
-BindTo=pki-krad.target
-
-[Service]
-Type=forking
-ExecStart=/usr/bin/pkicontrol start kra %i
-ExecStop=/usr/bin/pkicontrol stop kra %i
-
-[Install]
-WantedBy=multi-user.target
-
diff --git a/base/ocsp/CMakeLists.txt b/base/ocsp/CMakeLists.txt
index af6ba8ad0..4a7259b90 100644
--- a/base/ocsp/CMakeLists.txt
+++ b/base/ocsp/CMakeLists.txt
@@ -4,31 +4,6 @@ add_subdirectory(src)
add_subdirectory(setup)
add_subdirectory(shared/conf)
-# install systemd scripts
-install(
- FILES
- shared/lib/systemd/system/pki-ocspd.target
- shared/lib/systemd/system/pki-ocspd@.service
- DESTINATION
- ${SYSTEMD_LIB_INSTALL_DIR}
- PERMISSIONS
- OWNER_EXECUTE OWNER_WRITE OWNER_READ
- GROUP_EXECUTE GROUP_READ
- WORLD_EXECUTE WORLD_READ
-)
-
-# install init script
-install(
- FILES
- shared/etc/init.d/pki-ocspd
- DESTINATION
- ${SYSCONF_INSTALL_DIR}/rc.d/init.d
- PERMISSIONS
- OWNER_EXECUTE OWNER_WRITE OWNER_READ
- GROUP_EXECUTE GROUP_READ
- WORLD_EXECUTE WORLD_READ
-)
-
# install directories
install(
DIRECTORY
@@ -38,11 +13,7 @@ install(
PATTERN
"CMakeLists.txt" EXCLUDE
PATTERN
- "etc/*" EXCLUDE
- PATTERN
"CS.cfg.in" EXCLUDE
- PATTERN
- "lib/*" EXCLUDE
)
# install empty directories
@@ -58,8 +29,3 @@ install(
${VAR_INSTALL_DIR}/run/pki/ocsp
)
-install(
- DIRECTORY
- DESTINATION
- ${SYSTEMD_ETC_INSTALL_DIR}/pki-ocspd.target.wants
-)
diff --git a/base/ocsp/shared/etc/init.d/pki-ocspd b/base/ocsp/shared/etc/init.d/pki-ocspd
deleted file mode 100755
index 3d69601eb..000000000
--- a/base/ocsp/shared/etc/init.d/pki-ocspd
+++ /dev/null
@@ -1,87 +0,0 @@
-#!/bin/bash
-#
-# --- BEGIN COPYRIGHT BLOCK ---
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation; version 2 of the License.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License along
-# with this program; if not, write to the Free Software Foundation, Inc.,
-# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-#
-# Copyright (C) 2007-2010 Red Hat, Inc.
-# All rights reserved.
-# --- END COPYRIGHT BLOCK ---
-#
-# pki-ocspd Startup script for pki-ocsp with tomcat6
-#
-# chkconfig: - 83 17
-# description: Online Certificate Status Protocol Manager (Tomcat 6.0)
-# processname: pki-ocspd
-# piddir: /var/run/pki/ocsp
-#
-
-PROG_NAME=`basename $0`
-SERVICE_NAME="pki-ocspd"
-SERVICE_PROG="/sbin/service"
-PKI_PATH="/usr/share/pki/ocsp"
-PKI_REGISTRY="/etc/sysconfig/pki/ocsp"
-PKI_TYPE="pki-ocsp"
-PKI_TOTAL_PORTS=6
-
-# Avoid using 'systemctl' for now
-SYSTEMCTL_SKIP_REDIRECT=1
-export SYSTEMCTL_SKIP_REDIRECT
-
-# Disallow 'others' the ability to 'write' to new files
-umask 00002
-
-command="$1"
-pki_instance="$2"
-
-# Source function library.
-. /etc/init.d/functions
-
-# Source the PKI function library
-. /usr/share/pki/scripts/functions
-
-# See how we were called.
-case $command in
- status)
- registry_status
- exit $?
- ;;
- start)
- start
- exit $?
- ;;
- restart)
- restart
- exit $?
- ;;
- stop)
- stop
- exit $?
- ;;
- condrestart|force-restart|try-restart)
- [ ! -f ${lockfile} ] || restart
- exit $?
- ;;
- reload)
- echo "The 'reload' action is an unimplemented feature."
- exit ${default_error}
- ;;
- *)
- echo "unknown action ($command)"
- usage
- echo "where valid instance names include:"
- list_instances
- exit ${default_error}
- ;;
-esac
-
diff --git a/base/ocsp/shared/lib/systemd/system/pki-ocspd.target b/base/ocsp/shared/lib/systemd/system/pki-ocspd.target
deleted file mode 100644
index 5db6bf4df..000000000
--- a/base/ocsp/shared/lib/systemd/system/pki-ocspd.target
+++ /dev/null
@@ -1,8 +0,0 @@
-[Unit]
-Description=PKI Online Certificate Status Protocol Server
-After=syslog.target network.target
-
-[Install]
-WantedBy=multi-user.target
-
-
diff --git a/base/ocsp/shared/lib/systemd/system/pki-ocspd@.service b/base/ocsp/shared/lib/systemd/system/pki-ocspd@.service
deleted file mode 100644
index 7b4e7855b..000000000
--- a/base/ocsp/shared/lib/systemd/system/pki-ocspd@.service
+++ /dev/null
@@ -1,13 +0,0 @@
-[Unit]
-Description=PKI Online Certificate Status Protocol Server %i
-After=pki-ocspd.target
-BindTo=pki-ocspd.target
-
-[Service]
-Type=forking
-ExecStart=/usr/bin/pkicontrol start ocsp %i
-ExecStop=/usr/bin/pkicontrol stop ocsp %i
-
-[Install]
-WantedBy=multi-user.target
-
diff --git a/base/server/cms/src/com/netscape/cms/servlet/csadmin/DonePanel.java b/base/server/cms/src/com/netscape/cms/servlet/csadmin/DonePanel.java
index 57583fdcf..d55bd82bf 100644
--- a/base/server/cms/src/com/netscape/cms/servlet/csadmin/DonePanel.java
+++ b/base/server/cms/src/com/netscape/cms/servlet/csadmin/DonePanel.java
@@ -115,13 +115,15 @@ public class DonePanel extends WizardPanelBase {
String initDaemon = "";
if (type.equals("CA")) {
- initDaemon = "pki-cad";
+ initDaemon = "<pki_ca_instance_name>";
} else if (type.equals("KRA")) {
- initDaemon = "pki-krad";
+ initDaemon = "<pki_kra_instance_name>";
} else if (type.equals("OCSP")) {
- initDaemon = "pki-ocspd";
+ initDaemon = "<pki_ocsp_instance_name>";
} else if (type.equals("TKS")) {
- initDaemon = "pki-tksd";
+ initDaemon = "<pki_tks_instance_name>";
+ } else if (type.equals("TPS")) {
+ initDaemon = "<pki_tps_instance_name>";
}
String os = System.getProperty("os.name");
if (os.equalsIgnoreCase("Linux")) {
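Review bot: The new `initDaemon` values such as `"<pki_ca_instance_name>"` are angle-bracketed placeholders that presumably end up in a command hint shown to the administrator. If the Velocity layer emits context values without HTML escaping, a browser will parse them as unknown tags and drop them from the visible command; the securitydomainpanel.vm hunk prints `$initCommand` and `$instanceId` directly inside a `<td>`. The same placeholder is added in the two SecurityDomainPanel.java hunks that set `initDaemon`. Confirm how context values are escaped when rendered, and record the expectation here with a comment such as `// display-only placeholder; must be HTML-escaped when rendered`. The `if`/`else if` chain also has no final `else`, so an unrecognised `type` leaves `initDaemon` empty; the enclosing method starts and ends outside the hunk.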
diff --git a/base/server/cms/src/com/netscape/cms/servlet/csadmin/SecurityDomainPanel.java b/base/server/cms/src/com/netscape/cms/servlet/csadmin/SecurityDomainPanel.java
index 1ae4c3397..3bc8169bb 100644
--- a/base/server/cms/src/com/netscape/cms/servlet/csadmin/SecurityDomainPanel.java
+++ b/base/server/cms/src/com/netscape/cms/servlet/csadmin/SecurityDomainPanel.java
@@ -96,12 +96,12 @@ public class SecurityDomainPanel extends WizardPanelBase {
String errorString = "";
String default_admin_url = "";
String name = "";
- String systemdService = "";
+ String systemdInstanceId = "";
try {
default_admin_url = config.getString("preop.securitydomain.admin_url", "");
name = config.getString("preop.securitydomain.name", "");
- systemdService = config.getString("pkicreate.systemd.servicename", "");
+ systemdInstanceId = config.getString("service.instanceID", "");
} catch (Exception e) {
CMS.debug(e.toString());
}
@@ -208,13 +208,13 @@ public class SecurityDomainPanel extends WizardPanelBase {
}
// Information for "existing" Security Domain CAs
- String initDaemon = "pki-cad";
+ String initDaemon = "<pki_ca_instance_name>";
String instanceId = "<security_domain_instance_name>";
String os = System.getProperty("os.name");
if (os.equalsIgnoreCase("Linux")) {
- if (!systemdService.equals("")) {
- context.put("initCommand", "/usr/bin/pkicontrol");
- context.put("instanceId", "ca " + systemdService);
+ if (!systemdInstanceId.equals("")) {
+ context.put("initCommand", "/usr/bin/pkidaemon");
+ context.put("instanceId", "tomcat " + systemdInstanceId);
} else {
context.put("initCommand", "/sbin/service " + initDaemon);
context.put("instanceId", instanceId);
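Review bot: In the systemd branch the hint is built from this subsystem's own `service.instanceID`, while the comment above it says the information is for an "existing" Security Domain CA, which may run on another host under a different instance name. The printed command can therefore name an instance that does not exist on the machine the administrator is told to log into. A comment above `if (!systemdInstanceId.equals(""))` would make the limitation explicit, for example `// service.instanceID is the local instance; the security domain CA may be named differently, so this is only an example`. The value is read in the earlier hunk of this file and the method continues outside this hunk.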
@@ -451,12 +451,25 @@ public class SecurityDomainPanel extends WizardPanelBase {
}
// Information for "existing" Security Domain CAs
- String initDaemon = "pki-cad";
+ String initDaemon = "<pki_ca_instance_name>";
String instanceId = "<security_domain_instance_name>";
String os = System.getProperty("os.name");
+ String systemdInstanceId = "";
+
+ try {
+ systemdInstanceId = config.getString("service.instanceID", "");
+ } catch (Exception e) {
+ CMS.debug(e.toString());
+ }
+
if (os.equalsIgnoreCase("Linux")) {
- context.put("initCommand", "/sbin/service " + initDaemon);
- context.put("instanceId", instanceId);
+ if (!systemdInstanceId.equals("")) {
+ context.put("initCommand", "/usr/bin/pkidaemon");
+ context.put("instanceId", "tomcat " + systemdInstanceId);
+ } else {
+ context.put("initCommand", "/sbin/service " + initDaemon);
+ context.put("instanceId", instanceId);
+ }
} else {
/* default case: e. g. - ( os.equalsIgnoreCase( "SunOS" ) */
context.put("initCommand", "/etc/init.d/" + initDaemon);
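Review bot: The added `try`/`catch` around `config.getString("service.instanceID", "")` logs only `e.toString()` and then falls through to the `/sbin/service` branch, so a failed configuration read looks the same as a non-systemd install. Log which key failed, e.g. `CMS.debug("SecurityDomainPanel: unable to read service.instanceID: " + e);`. The block also repeats the lookup and the Linux branch from the hunk at -208 almost line for line; a small private helper shared by both methods would keep the two hints from drifting apart. The enclosing method starts and ends outside the hunk.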
diff --git a/base/server/python/pki/server/deployment/pkimessages.py b/base/server/python/pki/server/deployment/pkimessages.py
index 6ffe2e72c..405118a57 100644
--- a/base/server/python/pki/server/deployment/pkimessages.py
+++ b/base/server/python/pki/server/deployment/pkimessages.py
@@ -374,7 +374,7 @@ PKI_INSTANCE_RESTART_MESSAGE = \
PKI_SPAWN_INFORMATION_HEADER = '''
==========================================================================
- INSTALLATION SUMMARY\n"\
+ INSTALLATION SUMMARY\n\
==========================================================================
'''
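Review bot: The header line still ends in `\n\`, which inside this triple-quoted string is a newline escape followed by a line continuation, so it yields exactly one line break. A plain line end after `INSTALLATION SUMMARY` produces the same text and is easier to read. If the escape is kept to match other messages in the file (not visible here), a comment above the assignment such as `# "\n\" is a single newline; the banner stays three lines` would spare the next reader the decoding.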
diff --git a/base/server/share/webapps/pki/admin/console/config/securitydomainpanel.vm b/base/server/share/webapps/pki/admin/console/config/securitydomainpanel.vm
index a8ac15bf5..57af87c4f 100644
--- a/base/server/share/webapps/pki/admin/console/config/securitydomainpanel.vm
+++ b/base/server/share/webapps/pki/admin/console/config/securitydomainpanel.vm
@@ -109,7 +109,7 @@ Enter the URL to an existing security domain.
<table>
<tr>
<td valign="top"><b>NOTE:&nbsp;&nbsp; </b></td>
-<td>Since a Security Domain MUST be a CA (although all CAs are NOT necessarily Security Domains), an appropriate value for this URL may be obtained by logging into the machine which hosts the desired Security Domain CA as 'root' and running the command "$initCommand status $instanceId" from the command-line.</td>
+<td>Since a Security Domain MUST be a CA (although all CAs are NOT necessarily Security Domains), an appropriate value for this URL may be obtained by logging into the machine which hosts the desired Security Domain CA as 'root' and running the command (e. g. - "$initCommand status $instanceId") from the command-line.</td>
</tr>
</table>
<br/>
diff --git a/base/setup/pkicommon.pm b/base/setup/pkicommon.pm
index b5bb8110e..bbe8a6b54 100755
--- a/base/setup/pkicommon.pm
+++ b/base/setup/pkicommon.pm
@@ -40,8 +40,7 @@ our @EXPORT = qw(
$FILE_PREFIX $FTP_PREFIX $HTTP_PREFIX $HTTPS_PREFIX $LDAP_PREFIX $LDAPS_PREFIX
$PKI_USER $PKI_GROUP $PKI_UID $PKI_GID
$CA $KRA $OCSP $TKS $RA $TPS
- $CA_INITSCRIPT $KRA_INITSCRIPT $OCSP_INITSCRIPT
- $TKS_INITSCRIPT $RA_INITSCRIPT $TPS_INITSCRIPT
+ $RA_INITSCRIPT
$install_info_basename $cleanup_basename %installation_info
$semanage $restorecon $SELINUX_PORT_UNDEFINED $SELINUX_PORT_DEFINED $SELINUX_PORT_WRONGLY_DEFINED
@@ -292,12 +291,7 @@ our $RA = "ra";
our $TPS = "tps";
# Subsystem init scripts
-our $CA_INITSCRIPT = "pki-cad";
-our $KRA_INITSCRIPT = "pki-krad";
-our $OCSP_INITSCRIPT = "pki-ocspd";
-our $TKS_INITSCRIPT = "pki-tksd";
our $RA_INITSCRIPT = "pki-rad";
-our $TPS_INITSCRIPT = "pki-tpsd";
##############################################################
@@ -3474,18 +3468,8 @@ sub get_registry_initscript_name
my ($subsystem_type) = @_;
my ($pki_initscript);
- if ($subsystem_type eq $CA) {
- $pki_initscript = $CA_INITSCRIPT;
- } elsif($subsystem_type eq $KRA) {
- $pki_initscript = $KRA_INITSCRIPT;
- } elsif($subsystem_type eq $OCSP) {
- $pki_initscript = $OCSP_INITSCRIPT;
- } elsif($subsystem_type eq $RA) {
+ if ($subsystem_type eq $RA) {
$pki_initscript = $RA_INITSCRIPT;
- } elsif($subsystem_type eq $TKS) {
- $pki_initscript = $TKS_INITSCRIPT;
- } elsif($subsystem_type eq $TPS) {
- $pki_initscript = $TPS_INITSCRIPT;
} else {
die "unknown subsystem type \"$subsystem_type\"";
}
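Review bot: After this change `get_registry_initscript_name` dies with `unknown subsystem type` for `$CA`, `$KRA`, `$OCSP`, `$TKS` and `$TPS`, although those constants are still defined and exported by this module as valid subsystem types. The message will mislead anyone who reaches it from a caller that still passes one of them; callers are outside the hunk, so that is worth checking. A more accurate failure would be `die "no registry init script for subsystem type \"$subsystem_type\"";`, together with a comment above the `if` stating that only RA instances still use a registry init script. The function body starts and ends outside the hunk.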
diff --git a/base/setup/scripts/functions b/base/setup/scripts/functions
index 96722a1ee..ed32c6a5c 100644
--- a/base/setup/scripts/functions
+++ b/base/setup/scripts/functions
@@ -909,24 +909,9 @@ verify_symlinks()
else
jni_dir="/usr/lib/java"
fi
- if [ ${PKI_SUBSYSTEM_TYPE} == "ca" ]; then
- pki_systemd_link="pki-cad@${PKI_INSTANCE_NAME}.service"
- pki_systemd_service="pki-cad@.service"
- elif [ ${PKI_SUBSYSTEM_TYPE} == "kra" ]; then
- pki_systemd_link="pki-krad@${PKI_INSTANCE_NAME}.service"
- pki_systemd_service="pki-krad@.service"
- elif [ ${PKI_SUBSYSTEM_TYPE} == "ocsp" ]; then
- pki_systemd_link="pki-ocspd@${PKI_INSTANCE_NAME}.service"
- pki_systemd_service="pki-ocspd@.service"
- elif [ ${PKI_SUBSYSTEM_TYPE} == "ra" ]; then
+ if [ ${PKI_SUBSYSTEM_TYPE} == "ra" ]; then
pki_systemd_link="pki-rad@${PKI_INSTANCE_NAME}.service"
pki_systemd_service="pki-rad@.service"
- elif [ ${PKI_SUBSYSTEM_TYPE} == "tks" ]; then
- pki_systemd_link="pki-tksd@${PKI_INSTANCE_NAME}.service"
- pki_systemd_service="pki-tksd@.service"
- elif [ ${PKI_SUBSYSTEM_TYPE} == "tps" ]; then
- pki_systemd_link="pki-tpsd@${PKI_INSTANCE_NAME}.service"
- pki_systemd_service="pki-tpsd@.service"
fi
# Dogtag 9 Symbolic Link Target Variables
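Review bot: The rewritten test `if [ ${PKI_SUBSYSTEM_TYPE} == "ra" ]; then` expands the variable unquoted, so an empty or unset value makes `[` fail with a syntax error instead of evaluating false, and `==` inside `[` is a bash extension. `if [ "${PKI_SUBSYSTEM_TYPE}" = "ra" ]; then` avoids both. With the other branches removed, `pki_systemd_link` and `pki_systemd_service` stay unset for every non-RA type, and the next hunk hard-codes `pki_systemd_dir` to the `pki-rad.target.wants` directory. Any later use of these variables (outside the hunk) should be guarded, or the function documented as RA-only. `verify_symlinks` starts and ends outside the hunk.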
@@ -935,7 +920,7 @@ verify_symlinks()
# Dogtag 9 Symbolic Link Variables
pki_common_jar_dir="${PKI_INSTANCE_PATH}/common/lib"
# pki_registry_dir="/etc/sysconfig/pki/${PKI_SUBSYSTEM_TYPE}/${PKI_INSTANCE_NAME}"
- pki_systemd_dir="/etc/systemd/system/pki-cad.target.wants"
+ pki_systemd_dir="/etc/systemd/system/pki-rad.target.wants"
pki_webapps_jar_dir="${PKI_INSTANCE_PATH}/webapps/${PKI_SUBSYSTEM_TYPE}/WEB-INF/lib"
# '${PKI_INSTANCE_PATH}' symlinks
diff --git a/base/silent/templates/pki_silent.template b/base/silent/templates/pki_silent.template
index a175ad7a7..c88d4d334 100755
--- a/base/silent/templates/pki_silent.template
+++ b/base/silent/templates/pki_silent.template
@@ -92,40 +92,11 @@ pki_security_domain_host=`hostname`
pki_security_domain_admin_name=admin
pki_security_domain_admin_password=
-## PKI Internal LDAP Database Variables
-## (e. g. - Database Panel)
-pki_ldap_host=localhost
-pki_ldap_port=389
-pki_bind_dn="cn=Directory\ Manager"
-pki_bind_password=
-
## PKI Instance-Specific Token Variables
## (e. g. - Module Panel)
-ca_token_name=internal
-ca_token_password=
-
-kra_token_name=internal
-kra_token_password=
-
-ocsp_token_name=internal
-ocsp_token_password=
-
-tks_token_name=internal
-tks_token_password=
-
ra_token_name=internal
ra_token_password=
-tps_token_name=internal
-tps_token_password=
-
-## PKI Instance-Specific Backup Variables
-## (e. g. - Backup Key and Certificates Panel)
-ca_backup_password=
-kra_backup_password=
-ocsp_backup_password=
-tks_backup_password=
-
## PKI Email Variables
##
## For example, to specify 'pkitest@example.com':
@@ -154,93 +125,25 @@ pki_silent_admin_email="${pki_email_name}\@${pki_email_company}\.${pki_email_dom
pki_host=`hostname`
## PKI Subsystem Names
-ca_subsystem_name="Certificate\ Authority"
-kra_subsystem_name="Data\ Recovery\ Manager"
-ocsp_subsystem_name="OCSP\ Responder"
-tks_subsystem_name="Token\ Key\ Service"
ra_subsystem_name="Registration\ Authority"
-tps_subsystem_name="Token\ Processing\ System"
## PKI Subsystem Instance Names
-ca_instance_name="pki-ca"
-kra_instance_name="pki-kra"
-ocsp_instance_name="pki-ocsp"
-tks_instance_name="pki-tks"
ra_instance_name="pki-ra"
-tps_instance_name="pki-tps"
## PKI Subsystem Init Script Names
-ca_init_script="pki-cad"
-kra_init_script="pki-krad"
-ocsp_init_script="pki-ocspd"
-tks_init_script="pki-tksd"
ra_init_script="pki-rad"
-tps_init_script="pki-tpsd"
-
-##
-## NOTE: Default PKI Instance Ports
-##
-## CA, DRM, OCSP, TKS:
-##
-## *180 - non-secure port (not role specific)
-## *701 - non-secure Tomcat port
-## *443 - secure EE port
-## *444 - secure Agent port
-## *445 - secure Admin port
-##
-## RA, TPS:
-##
-## *888 - non-secure port
-## *889 - secure port (clientauth)
-## *890 - secure port (non-clientauth)
-##
-##
-## For Example:
-##
-## semanage port -l | grep pki
-##
-## pki_ca_port_t tcp 9180, 9701, 9443, 9444, 9445
-## pki_kra_port_t tcp 10180, 10701, 10443, 10444, 10445
-## pki_ocsp_port_t tcp 11180, 11701, 11443, 11444, 11445
-## pki_ra_port_t tcp 12890, 12888, 12889
-## pki_tks_port_t tcp 13180, 13701, 13443, 13444, 13445
-## pki_tps_port_t tcp 7890, 7888, 7889
-##
## CA ports
-ca_nonssl_port=9180
-ca_agent_port=9443
-ca_ee_port=9444
-ca_admin_port=9445
-
-## DRM ports
-kra_nonssl_port=10180
-kra_agent_port=10443
-kra_ee_port=10444
-kra_admin_port=10445
-
-## OCSP ports
-ocsp_nonssl_port=11180
-ocsp_agent_port=11443
-ocsp_ee_port=11444
-ocsp_admin_port=11445
-
-## TKS ports
-tks_nonssl_port=13180
-tks_agent_port=13443
-tks_ee_port=13444
-tks_admin_port=13445
+ca_nonssl_port=8080
+ca_agent_port=8443
+ca_ee_port=8443
+ca_admin_port=8443
## RA ports
ra_nonssl_port=12888
ra_clientauth_port=12889
ra_nonclientauth_port=12890
-## TPS ports
-tps_nonssl_port=7888
-tps_clientauth_port=7889
-tps_nonclientauth_port=7890
-
##############################################################################
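Review bot: The new CA defaults give `ca_agent_port`, `ca_ee_port` and `ca_admin_port` the same value 8443, and the explanatory port comment block is removed in the same hunk, so nothing tells a reader that the three variables now share one secure port on purpose. Presumably this reflects a single shared Tomcat connector; confirm and say so above the assignments, e.g. `## CA ports (agent, EE and admin share the one secure port of the Tomcat instance)`. Without that note, someone restoring per-role ports for access separation has no hint which values the deployment actually honours.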
@@ -248,434 +151,7 @@ tps_nonclientauth_port=7890
##############################################################################
## PKI Silent Log Files
-pki_silent_ca_log=/tmp/ca.log
-pki_silent_kra_log=/tmp/kra.log
-pki_silent_ocsp_log=/tmp/ocsp.log
pki_silent_ra_log=/tmp/ra.log
-pki_silent_tks_log=/tmp/tks.log
-pki_silent_tps_log=/tmp/tps.log
-
-
-##
-## NOTE: For comparison's sake, if the default instances were manually
-## configured using a Firefox browser, the content of the corresponding
-## Firefox browser's security libraries would be something similar
-## to this:
-##
-## Certificate Nickname Trust Attributes
-## SSL,S/MIME,JAR/XPI
-##
-## Certificate Authority - ${pki_security_domain_name} CT,C,C
-## CA Administrator of Instance ${ca_instance_name}'s
-## ${pki_security_domain_name} ID u,u,u
-## KRA Administrator of Instance ${kra_instance_name}'s
-## ${pki_security_domain_name} ID u,u,u
-## OCSP Administrator of Instance ${ocsp_instance_name}'s
-## ${pki_security_domain_name} ID u,u,u
-## TKS Administrator of Instance ${tks_instance_name}'s
-## ${pki_security_domain_name} ID u,u,u
-## RA Administrator's ${pki_security_domain_name} ID u,u,u
-## TPS Administrator's ${pki_security_domain_name} ID u,u,u
-##
-## where:
-##
-## Nickname: "Certificate Authority - "
-## + "${pki_security_domain_name}"
-## Subject Name: "cn=Certificate Authority,"
-## + "o=${pki_security_domain_name}"
-##
-## Nickname: "CA Administrator of Instance "
-## + "${ca_instance_name}'s "
-## + "${pki_security_domain_name} ID"
-## Subject Name: "cn=CA Administrator of Instance "
-## + "${ca_instance_name},"
-## + "uid=admin,"
-## + "e=${pki_silent_admin_email},"
-## + "o=${pki_security_domain_name}"
-##
-## Nickname: "KRA Administrator of Instance "
-## + "${kra_instance_name}'s "
-## + "${pki_security_domain_name} ID"
-## Subject Name: "cn=KRA Administrator of Instance "
-## + "${kra_instance_name},"
-## + "uid=admin,"
-## + "e=${pki_silent_admin_email},"
-## + "o=${pki_security_domain_name}"
-##
-## Nickname: "OCSP Administrator of Instance "
-## + "${ocsp_instance_name}'s "
-## + "${pki_security_domain_name} ID"
-## Subject Name: "cn=OCSP Administrator of Instance "
-## + "${ocsp_instance_name},"
-## + "uid=admin,"
-## + "e=${pki_silent_admin_email},"
-## + "o=${pki_security_domain_name}"
-##
-## Nickname: "TKS Administrator of Instance "
-## + "${tks_instance_name}'s "
-## + "${pki_security_domain_name} ID"
-## Subject Name: "cn=TKS Administrator of Instance "
-## + "${tks_instance_name},"
-## + "uid=admin,"
-## + "e=${pki_silent_admin_email},"
-## + "o=${pki_security_domain_name}"
-##
-## Nickname: "RA Administrator's "
-## + "${pki_security_domain_name} ID"
-## Subject Name: "cn=RA Administrator,"
-## + "uid=admin,"
-## + "e=${pki_silent_admin_email},"
-## + "o=${pki_security_domain_name}"
-##
-## Nickname: "TPS Administrator's "
-## + "${pki_security_domain_name} ID"
-## Subject Name: "cn=TPS Administrator,"
-## + "uid=admin,"
-## + "e=${pki_silent_admin_email},"
-## + "o=${pki_security_domain_name}"
-##
-
-
-## Miscellaneous CA Variables
-##
-## REMINDER: 'Escape' ALL spaces in EACH variable specified below!
-##
-## NOTE: For comparison's sake, if the default instances were manually
-## configured using a Firefox browser, the content of the corresponding
-## "/var/lib/${ca_instance_name}/alias/" security libraries would be
-## something similar to this:
-##
-## Certificate Nickname Trust Attributes
-## SSL,S/MIME,JAR/XPI
-##
-## ocspSigningCert cert-${ca_instance_name} u,u,u
-## subsystemCert cert-${ca_instance_name} u,u,u
-## caSigningCert cert-${ca_instance_name} CTu,Cu,Cu
-## Server-Cert cert-${ca_instance_name} u,u,u
-## auditSigningCert cert-${ca_instance_name} u,u,u
-##
-## where:
-##
-## Nickname: "caSigningCert cert-${ca_instance_name}"
-## Subject Name: "cn=Certificate Authority,"
-## + "o=${pki_security_domain_name}"
-##
-## Nickname: "subsystemCert cert-${ca_instance_name}"
-## Subject Name: "cn=CA Subsystem Certificate,"
-## + "o=${pki_security_domain_name}"
-##
-## Nickname: "ocspSigningCert cert-${ca_instance_name}"
-## Subject Name: "cn=OCSP Signing Certificate,"
-## + "o=${pki_security_domain_name}"
-##
-## Nickname: "Server-Cert cert-${ca_instance_name}"
-## Subject Name: "cn=${pki_host},"
-## + "o=${pki_security_domain_name}"
-##
-## Nickname: "auditSigningCert cert-${ca_instance_name}"
-## Subject Name: "cn=CA Audit Signing Certificate,"
-## + "o=${pki_security_domain_name}"
-##
-## NOTE: The parameters for the signing and key algorithms have the following meaning:
-## ca_key_algorithm - signature algorithm used to sign the CA certificate
-## ca_signing_algorithm - signature algorithm used by the CA and OCSP signing certs to sign objects.
-## ca_signing_signingalgorithm - optionally specify the algorithm used by the CA signing cert to sign objects
-## ca_ocsp_signing_signingalgorithm - optionally specify the algorithm used by the CA ocsp signing cert to sign objects
-##
-## NOTE: Additional variables to specify the LDAP connection are as follows:
-## remove_data - set to true/false. Remove any existing data found under the baseDN
-## secure_conn - use the ldaps port
-ca_agent_name="CA\ Administrator\ of\ Instance\ ${ca_instance_name}\'s\ ${pki_security_domain_name}\ ID"
-ca_agent_key_size=2048
-ca_agent_key_type=rsa
-ca_agent_cert_subject="cn=CA\ Administrator\ of\ Instance\ ${ca_instance_name},uid=admin,e=${pki_silent_admin_email},o=${pki_security_domain_name}"
-ca_base_dn="dc=${pki_host}-${ca_instance_name}"
-ca_db_name="${pki_host}-${ca_instance_name}"
-ca_key_size=2048
-ca_key_type=rsa
-ca_key_algorithm=SHA256withRSA
-ca_signing_algorithm=SHA256withRSA
-ca_signing_signingalgorithm=SHA256withRSA
-ca_ocsp_signing_signingalgorithm=SHA256withRSA
-ca_save_p12=false
-ca_sign_cert_subject_name="cn=Certificate\ Authority,o=${pki_security_domain_name}"
-ca_subsystem_cert_subject_name="cn=CA\ Subsystem\ Certificate,o=${pki_security_domain_name}"
-ca_ocsp_cert_subject_name="cn=OCSP\ Signing\ Certificate,o=${pki_security_domain_name}"
-ca_server_cert_subject_name="cn=${pki_host},o=${pki_security_domain_name}"
-ca_audit_signing_cert_subject_name="cn=CA\ Audit\ Signing\ Certificate,o=${pki_security_domain_name}"
-
-## Optional CA Variables for creating a clone CA
-##
-## It is possible for pkisilent to create a CA that is a clone of a previously
-## installed CA (the master CA). To do so, the keys of the master CA must
-## first be backed up in a pk12 file, and this file should be copied to the
-## alias directory of the clone CA. This file should have read permission for
-## the PKI user (pkisuer).
-##
-## An example file would be /var/lib/ca-clone/alias/ca-master.p12.
-##
-## The following variables should then be uncommented and defined for the clone CA.
-## ca_clone=true
-## ca_clone_p12_file=
-## ca_clone_p12_password=
-## clone_uri=
-## sd_hostname=
-## sd_admin_port=
-## sd_admin_name=
-## sd_admin_password=
-## clone_start_tls=false
-##
-## NOTES:
-## 1. ca_clone_p12_file must be just the filename relative to the alias directory.
-## So in the example above, ca_clone_p12_file="ca-master.p12"
-## 2. sd_* refer to the CA where the security domain is hosted.
-## 3. clone_uri has the following format: https://<hostname>:<EE port> fo the CA to be cloned
-## 4. clone_start_tls can be set to true if we require replication between the master and clone databases
-## to be encrypted using startTLS on the standard (non-ldaps) port. The databases must
-## be ssl enabled first or the replication will fail.
-##
-## ADDITIONAL NOTES:
-## 1. The clone CA and master CA cannot share the same database instance. A new
-## instance should be created for the clone CA.
-## 2. The variables ca_base_dn and ca_db_name defined above MUST be identical to the
-## ca_base_dn and ca_db_name of the master CA. The following assignments attempt
-## to ensure this is correct.
-##
-## ca_master_instance_name=
-## ca_base_dn="dc=${pki_host}-${ca_master_instance_name}"
-## ca_db_name="${pki_host}-${ca_master_instance_name}"
-
-## Optional CA variables for creating a CA using an external CA
-##
-## It is possible to configure a CA that has its certificates signed by an external CA.
-## This is a two step process.
-##
-## In the first step, pkisilent will create a CSR to be signed by the external CA
-## and write it to the file specified. If this file is not specified, the default
-## location /tmp/ext_ca.csr is used.
-##
-## The following parameters are required:
-## ca_external=true
-## ca_ext_csr_file=
-##
-## Once the CSR is approved by the external CA, the resulting certificate and CA
-## cert chain are copied into files on the system.
-##
-## pkisilent is then rerun for the second step, providing the cert and cert chain files as
-## parameters. For the second step, the following parameters are then required:
-##
-## ca_external=true
-## ca_ext_cert_file=
-## ca_ext_cert_chain_file=
-
-## Miscellaneous DRM Variables
-##
-## REMINDER: 'Escape' ALL spaces in EACH variable specified below!
-##
-## NOTE: For comparison's sake, if the default instances were manually
-## configured using a Firefox browser, the content of the corresponding
-## "/var/lib/${kra_instance_name}/alias/" security libraries would be
-## something similar to this:
-##
-## Certificate Nickname Trust Attributes
-## SSL,S/MIME,JAR/XPI
-##
-## transportCert cert-${kra_instance_name} u,u,u
-## Server-Cert cert-${kra_instance_name} u,u,u
-## auditSigningCert cert-${kra_instance_name} u,u,u
-## Certificate Authority - ${pki_security_domain_name} CT,c,
-## storageCert cert-${kra_instance_name} u,u,u
-## subsystemCert cert-${kra_instance_name} u,u,u
-##
-## where:
-##
-## Nickname: "transportCert cert-${kra_instance_name}"
-## Subject Name: "cn=DRM Transport Certificate,"
-## + "o=${pki_security_domain_name}"
-##
-## Nickname: "Server-Cert cert-${kra_instance_name}"
-## Subject Name: "cn=${pki_host},"
-## + "o=${pki_security_domain_name}"
-##
-## Nickname: "auditSigningCert cert-${kra_instance_name}"
-## Subject Name: "cn=DRM Audit Signing Certificate,"
-## + "o=${pki_security_domain_name}"
-##
-## Nickname: "Certificate Authority - "
-## + "${pki_security_domain_name}"
-## Subject Name: "cn=Certificate Authority,"
-## + "o=${pki_security_domain_name}"
-##
-## Nickname: "storageCert cert-${kra_instance_name}"
-## Subject Name: "cn=DRM Storage Certificate,"
-## + "o=${pki_security_domain_name}"
-##
-## Nickname: "subsystemCert cert-${kra_instance_name}"
-## Subject Name: "cn=DRM Subsystem Certificate,"
-## + "o=${pki_security_domain_name}"
-##
-
-## Optional CA Variables for creating a clone DRM
-##
-## It is possible for pkisilent to create a DRM that is a clone of a previously
-## installed DRM (the master DRM). To do so, the keys of the master DRM must
-## first be backed up in a pk12 file, and this file should be copied to the
-## alias directory of the clone DRM. This file should have read permission for
-## the PKI user (pkiuser).
-##
-## An example file would be /var/lib/drm-clone/alias/drm-master.p12.
-##
-## The following variables should then be uncommented and defined for the clone CA.
-## kra_clone=true
-## kra_clone_p12_file=
-## kra_clone_p12_password=
-## kra_clone_uri=
-## clone_start_tls=false
-##
-## NOTES:
-## 1. drm_clone_p12_file must be just the filename relative to the alias directory.
-## So in the example above, drm_clone_p12_file="drm-master.p12"
-## 2. drm_clone_uri has the following format: https://<hostname>:<EE port> of the DRM to be cloned
-## 3. clone_start_tls can be set to true if we require replication between the master and clone databases
-## to be encrypted using startTLS on the standard (non-ldaps) port. The databases must
-## be ssl enabled first or the replication will fail.
-##
-## ADDITIONAL NOTES:
-## 1. The clone DRM and master DRM cannot share the same database instance. A new
-## instance should be created for the clone DRM.
-## 2. The variables kra_base_dn and kra_db_name defined above MUST be identical to the
-## kra_base_dn and kra_name of the master CA. The following assignments attempt
-## to ensure this is correct.
-##
-## kra_master_instance_name=
-## kra_base_dn="dc=${pki_host}-${kra_master_instance_name}"
-## kra_db_name="${pki_host}-${kra_master_instance_name}"
-
-kra_agent_name="KRA\ Administrator\ of\ Instance\ ${kra_instance_name}\'s\ ${pki_security_domain_name}\ ID"
-kra_agent_key_size=2048
-kra_agent_key_type=rsa
-kra_agent_cert_subject="cn=KRA\ Administrator\ of\ Instance\ ${kra_instance_name},uid=admin,e=${pki_silent_admin_email},o=${pki_security_domain_name}"
-kra_base_dn="dc=${pki_host}-${kra_instance_name}"
-kra_db_name="${pki_host}-${kra_instance_name}"
-kra_key_size=2048
-kra_key_type=rsa
-kra_transport_cert_subject_name="cn=DRM\ Transport\ Certificate,o=${pki_security_domain_name}"
-kra_subsystem_cert_subject_name="cn=DRM\ Subsystem\ Certificate,o=${pki_security_domain_name}"
-kra_storage_cert_subject_name="cn=DRM\ Storage\ Certificate,o=${pki_security_domain_name}"
-kra_server_cert_subject_name="cn=${pki_host},o=${pki_security_domain_name}"
-kra_audit_signing_cert_subject_name="cn=DRM\ Audit\ Signing\ Certificate,o=${pki_security_domain_name}"
-
-
-## Miscellaneous OCSP Variables
-##
-## REMINDER: 'Escape' ALL spaces in EACH variable specified below!
-##
-## NOTE: For comparison's sake, if the default instances were manually
-## configured using a Firefox browser, the content of the corresponding
-## "/var/lib/${ocsp_instance_name}/alias/" security libraries would be
-## something similar to this:
-##
-## Certificate Nickname Trust Attributes
-## SSL,S/MIME,JAR/XPI
-##
-## ocspSigningCert cert-${ocsp_instance_name} CTu,Cu,Cu
-## subsystemCert cert-${ocsp_instance_name} u,u,u
-## Certificate Authority - ${pki_security_domain_name} CT,c,
-## Server-Cert cert-${ocsp_instance_name} u,u,u
-## auditSigningCert cert-${ocsp_instance_name} u,u,u
-##
-## where:
-##
-## Nickname: "ocspSigningCert cert-${ocsp_instance_name}"
-## Subject Name: "cn=OCSP Signing Certificate,"
-## + "o=${pki_security_domain_name}"
-##
-## Nickname: "subsystemCert cert-${ocsp_instance_name}"
-## Subject Name: "cn=OCSP Subsystem Certificate,"
-## + "o=${pki_security_domain_name}"
-##
-## Nickname: "Certificate Authority - "
-## + "${pki_security_domain_name}"
-## Subject Name: "cn=Certificate Authority,"
-## + "o=${pki_security_domain_name}"
-##
-## Nickname: "Server-Cert cert-${ocsp_instance_name}"
-## Subject Name: "cn=${pki_host},"
-## + "o=${pki_security_domain_name}"
-##
-## Nickname: "auditSigningCert cert-${ocsp_instance_name}"
-## Subject Name: "cn=OCSP Audit Signing Certificate,"
-## + "o=${pki_security_domain_name}"
-##
-
-ocsp_agent_name="OCSP\ Administrator\ of\ Instance\ ${ocsp_instance_name}\'s\ ${pki_security_domain_name}\ ID"
-ocsp_agent_key_size=2048
-ocsp_agent_key_type=rsa
-ocsp_agent_cert_subject="cn=OCSP\ Administrator\ of\ Instance\ ${ocsp_instance_name},uid=admin,e=${pki_silent_admin_email},o=${pki_security_domain_name}"
-ocsp_base_dn="dc=${pki_host}-${ocsp_instance_name}"
-ocsp_db_name="${pki_host}-${ocsp_instance_name}"
-ocsp_key_size=2048
-ocsp_key_type=rsa
-ocsp_sign_cert_subject_name="cn=OCSP\ Signing\ Certificate,o=${pki_security_domain_name}"
-ocsp_subsystem_cert_subject_name="cn=OCSP\ Subsystem\ Certificate,o=${pki_security_domain_name}"
-ocsp_server_cert_subject_name="cn=${pki_host},o=${pki_security_domain_name}"
-ocsp_audit_signing_cert_subject_name="cn=OCSP\ Audit\ Signing\ Certificate,o=${pki_security_domain_name}"
-
-
-## Miscellaneous TKS Variables
-##
-## REMINDER: 'Escape' ALL spaces in EACH variable specified below!
-##
-## NOTE: For comparison's sake, if the default instances were manually
-## configured using a Firefox browser, the content of the corresponding
-## "/var/lib/${tks_instance_name}/alias/" security libraries would be
-## something similar to this:
-##
-## Certificate Nickname Trust Attributes
-## SSL,S/MIME,JAR/XPI
-##
-## subsystemCert cert-${tks_instance_name} u,u,u
-## DRM Transport Certificate - ${pki_security_domain_name} c,c,c
-## Certificate Authority - ${pki_security_domain_name} CT,c,
-## Server-Cert cert-${tks_instance_name} u,u,u
-## auditSigningCert cert-${tks_instance_name} u,u,u
-##
-## where:
-##
-## Nickname: "subsystemCert cert-${tks_instance_name}"
-## Subject Name: "cn=TKS Subsystem Certificate,"
-## + "o=${pki_security_domain_name}"
-##
-## Nickname: "DRM Transport Certificate - "
-## + "${pki_security_domain_name}"
-## Subject Name: "cn=DRM Transport Certificate,"
-## + "o=${pki_security_domain_name}"
-##
-## Nickname: "Certificate Authority - "
-## + "${pki_security_domain_name}"
-## Subject Name: "cn=Certificate Authority,"
-## + "o=${pki_security_domain_name}"
-##
-## Nickname: "Server-Cert cert-${tks_instance_name}"
-## Subject Name: "cn=${pki_host},"
-## + "o=${pki_security_domain_name}"
-##
-## Nickname: "auditSigningCert cert-${tks_instance_name}"
-## Subject Name: "cn=TKS Audit Signing Certificate,"
-## + "o=${pki_security_domain_name}"
-##
-
-tks_agent_name="TKS\ Administrator\ of\ Instance\ ${tks_instance_name}\'s\ ${pki_security_domain_name}\ ID"
-tks_agent_key_size=2048
-tks_agent_key_type=rsa
-tks_agent_cert_subject="cn=TKS\ Administrator\ of\ Instance\ ${tks_instance_name},uid=admin,e=${pki_silent_admin_email},o=${pki_security_domain_name}"
-tks_base_dn="dc=${pki_host}-${tks_instance_name}"
-tks_db_name="${pki_host}-${tks_instance_name}"
-tks_key_size=2048
-tks_key_type=rsa
-tks_subsystem_cert_subject_name="cn=TKS\ Subsystem\ Certificate,o=${pki_security_domain_name}"
-tks_server_cert_subject_name="cn=${pki_host},o=${pki_security_domain_name}"
-tks_audit_signing_cert_subject_name="cn=TKS\ Audit\ Signing\ Certificate,o=${pki_security_domain_name}"
## Miscellaneous RA Variables
@@ -727,73 +203,6 @@ ra_subsystem_cert_nickname="subsystemCert\ cert-${ra_instance_name}"
ra_subsystem_cert_subject_name="cn=RA\ Subsystem\ Certificate,ou=${ra_instance_name},o=${pki_security_domain_name}"
-## Miscellaneous TPS Variables
-##
-## REMINDER: 'Escape' ALL spaces in EACH variable specified below!
-##
-## NOTE: For comparison's sake, if the default instances were manually
-## configured using a Firefox browser, the content of the corresponding
-## "/var/lib/${tps_instance_name}/alias/" security libraries would be
-## something similar to this:
-##
-## Certificate Nickname Trust Attributes
-## SSL,S/MIME,JAR/XPI
-##
-## subsystemCert cert-${tps_instance_name} u,u,u
-## caCert CT,C,C
-## Server-Cert cert-${tps_instance_name} u,u,u
-## auditSigningCert cert-${tps_instance_name} u,u,u
-##
-## where:
-##
-## Nickname: "subsystemCert cert-${tps_instance_name}"
-## Subject Name: "cn=TPS Subsystem Certificate,"
-## + "ou=${tps_instance_name},"
-## + "o=${pki_security_domain_name}"
-##
-## Nickname: "caCert"
-## Subject Name: "cn=Certificate Authority,"
-## + "o=${pki_security_domain_name}"
-##
-## Nickname: "Server-Cert cert-${tps_instance_name}"
-## Subject Name: "cn=${pki_host},"
-## + "ou=${tps_instance_name},"
-## + "o=${pki_security_domain_name}"
-##
-## Nickname: "auditSigningCert cert-${tps_instance_name}"
-## Subject Name: "cn=TPS Audit Signing Certificate,"
-## + "ou=${tps_instance_name},"
-## + "o=${pki_security_domain_name}"
-##
-
-tps_chosen_ca_hostname=${pki_security_domain_host}
-tps_chosen_ca_nonssl_port=${ca_nonssl_port}
-tps_chosen_ca_ssl_port=${ca_ee_port}
-tps_chosen_ca_admin_port=${ca_admin_port}
-tps_chosen_tks_hostname=${pki_host}
-tps_chosen_tks_ssl_port=${tks_ee_port}
-tps_chosen_drm_hostname=${pki_host}
-tps_chosen_drm_ssl_port=${kra_ee_port}
-tps_agent_name="TPS\ Administrator\'s\ ${pki_security_domain_name}\ ID"
-tps_agent_key_size=2048
-tps_agent_key_type=rsa
-tps_agent_cert_subject="cn=TPS\ Administrator,uid=admin,e=${pki_silent_admin_email},o=${pki_security_domain_name}"
-tps_ldap_auth_host=localhost
-tps_ldap_auth_port=389
-tps_ldap_auth_base_dn="dc=${pki_email_company},dc=${pki_email_domain}"
-tps_base_dn="dc=${pki_host}-${tps_instance_name}"
-tps_db_name="${pki_host}-${tps_instance_name}"
-tps_key_size=2048
-tps_key_type=rsa
-tps_ss_keygen=true
-tps_server_cert_subject_name="cn=${pki_host},ou=${tps_instance_name},o=${pki_security_domain_name}"
-tps_server_cert_nickname="Server-Cert\ cert-${tps_instance_name}"
-tps_subsystem_cert_subject_name="cn=TPS\ Subsystem\ Certificate,ou=${tps_instance_name},o=${pki_security_domain_name}"
-tps_subsystem_cert_nickname="subsystemCert\ cert-${tps_instance_name}"
-tps_audit_signing_cert_subject_name="cn=TPS\ Audit\ Signing\ Certificate,ou=${tps_instance_name},o=${pki_security_domain_name}"
-tps_audit_signing_cert_nickname="auditSigningCert\ cert-${tps_instance_name}"
-
-
##############################################################################
##############################################################################
@@ -823,50 +232,10 @@ if [ "${pki_security_domain_admin_password}" = "" ] ; then
printf "${usage_error_preamble} 'pki_security_domain_admin_password'!\n"
usage_errors=`expr ${usage_errors} + 1`
fi
-if [ "${pki_bind_password}" = "" ] ; then
- printf "${usage_error_preamble} 'pki_bind_password'!\n"
- usage_errors=`expr ${usage_errors} + 1`
-fi
-if [ "${ca_token_password}" = "" ] ; then
- printf "${usage_error_preamble} 'ca_token_password'!\n"
- usage_errors=`expr ${usage_errors} + 1`
-fi
-if [ "${kra_token_password}" = "" ] ; then
- printf "${usage_error_preamble} 'kra_token_password'!\n"
- usage_errors=`expr ${usage_errors} + 1`
-fi
-if [ "${ocsp_token_password}" = "" ] ; then
- printf "${usage_error_preamble} 'ocsp_token_password'!\n"
- usage_errors=`expr ${usage_errors} + 1`
-fi
-if [ "${tks_token_password}" = "" ] ; then
- printf "${usage_error_preamble} 'tks_token_password'!\n"
- usage_errors=`expr ${usage_errors} + 1`
-fi
if [ "${ra_token_password}" = "" ] ; then
printf "${usage_error_preamble} 'ra_token_password'!\n"
usage_errors=`expr ${usage_errors} + 1`
fi
-if [ "${tps_token_password}" = "" ] ; then
- printf "${usage_error_preamble} 'tps_token_password'!\n"
- usage_errors=`expr ${usage_errors} + 1`
-fi
-if [ "${ca_backup_password}" = "" ] ; then
- printf "${usage_error_preamble} 'ca_backup_password'!\n"
- usage_errors=`expr ${usage_errors} + 1`
-fi
-if [ "${kra_backup_password}" = "" ] ; then
- printf "${usage_error_preamble} 'kra_backup_password'!\n"
- usage_errors=`expr ${usage_errors} + 1`
-fi
-if [ "${ocsp_backup_password}" = "" ] ; then
- printf "${usage_error_preamble} 'ocsp_backup_password'!\n"
- usage_errors=`expr ${usage_errors} + 1`
-fi
-if [ "${tks_backup_password}" = "" ] ; then
- printf "${usage_error_preamble} 'tks_backup_password'!\n"
- usage_errors=`expr ${usage_errors} + 1`
-fi
if [ "${pki_email_name}" = "" ] ; then
printf "${usage_error_preamble} 'pki_email_name'!\n"
usage_errors=`expr ${usage_errors} + 1`
@@ -893,50 +262,6 @@ configuration_errors=0
configuration_error_preamble="ERROR: A PKI Instance named"
configuration_error_postamble="EXISTS,\n but has PREVIOUSLY been CONFIGURED!"
-if [ ! -f "/var/lib/${ca_instance_name}/conf/CS.cfg" ] ; then
- printf "${existence_error_preamble} '${ca_instance_name}' EXISTS!\n"
- existence_errors=`expr ${existence_errors} + 1`
-else
- ca_configuration_check=`grep -c preop /var/lib/${ca_instance_name}/conf/CS.cfg`
- if [ ${ca_configuration_check} -eq 0 ] ; then
- printf "${configuration_error_preamble} '${ca_instance_name}' "
- printf "${configuration_error_postamble}\n"
- configuration_errors=`expr ${configuration_errors} + 1`
- fi
-fi
-if [ ! -f "/var/lib/${kra_instance_name}/conf/CS.cfg" ] ; then
- printf "${existence_error_preamble} '${kra_instance_name}' EXISTS!\n"
- existence_errors=`expr ${existence_errors} + 1`
-else
- kra_configuration_check=`grep -c preop /var/lib/${kra_instance_name}/conf/CS.cfg`
- if [ ${kra_configuration_check} -eq 0 ] ; then
- printf "${configuration_error_preamble} '${kra_instance_name}' "
- printf "${configuration_error_postamble}\n"
- configuration_errors=`expr ${configuration_errors} + 1`
- fi
-fi
-if [ ! -f "/var/lib/${ocsp_instance_name}/conf/CS.cfg" ] ; then
- printf "${existence_error_preamble} '${ocsp_instance_name}' EXISTS!\n"
- existence_errors=`expr ${existence_errors} + 1`
-else
- ocsp_configuration_check=`grep -c preop /var/lib/${ocsp_instance_name}/conf/CS.cfg`
- if [ ${ocsp_configuration_check} -eq 0 ] ; then
- printf "${configuration_error_preamble} '${ocsp_instance_name}' "
- printf "${configuration_error_postamble}\n"
- configuration_errors=`expr ${configuration_errors} + 1`
- fi
-fi
-if [ ! -f "/var/lib/${tks_instance_name}/conf/CS.cfg" ] ; then
- printf "${existence_error_preamble} '${tks_instance_name}' EXISTS!\n"
- existence_errors=`expr ${existence_errors} + 1`
-else
- tks_configuration_check=`grep -c preop /var/lib/${tks_instance_name}/conf/CS.cfg`
- if [ ${tks_configuration_check} -eq 0 ] ; then
- printf "${configuration_error_preamble} '${tks_instance_name}' "
- printf "${configuration_error_postamble}\n"
- configuration_errors=`expr ${configuration_errors} + 1`
- fi
-fi
if [ ! -f "/var/lib/${ra_instance_name}/conf/CS.cfg" ] ; then
printf "${existence_error_preamble} '${ra_instance_name}' EXISTS!\n"
existence_errors=`expr ${existence_errors} + 1`
@@ -948,17 +273,6 @@ else
configuration_errors=`expr ${configuration_errors} + 1`
fi
fi
-if [ ! -f "/var/lib/${tps_instance_name}/conf/CS.cfg" ] ; then
- printf "${existence_error_preamble} '${tps_instance_name}' EXISTS!\n"
- existence_errors=`expr ${existence_errors} + 1`
-else
- tps_configuration_check=`grep -c preop /var/lib/${tps_instance_name}/conf/CS.cfg`
- if [ ${tps_configuration_check} -eq 0 ] ; then
- printf "${configuration_error_preamble} '${tps_instance_name}' "
- printf "${configuration_error_postamble}\n"
- configuration_errors=`expr ${configuration_errors} + 1`
- fi
-fi
if [ ${usage_errors} -ne 0 ] ||
@@ -999,36 +313,11 @@ fi
## (5) Remove ALL old PKI Silent log files
printf "Removing old PKI Silent log files:\n"
-if [ -f ${pki_silent_ca_log} ] ; then
- printf " Removing old '${pki_silent_ca_log}' . . . "
- rm ${pki_silent_ca_log}
- printf "done.\n"
-fi
-if [ -f ${pki_silent_kra_log} ] ; then
- printf " Removing old '${pki_silent_kra_log}' . . . "
- rm ${pki_silent_kra_log}
- printf "done.\n"
-fi
-if [ -f ${pki_silent_ocsp_log} ] ; then
- printf " Removing old '${pki_silent_ocsp_log}' . . . "
- rm ${pki_silent_ocsp_log}
- printf "done.\n"
-fi
-if [ -f ${pki_silent_tks_log} ] ; then
- printf " Removing old '${pki_silent_tks_log}' . . . "
- rm ${pki_silent_tks_log}
- printf "done.\n"
-fi
if [ -f ${pki_silent_ra_log} ] ; then
printf " Removing old '${pki_silent_ra_log}' . . . "
rm ${pki_silent_ra_log}
printf "done.\n"
fi
-if [ -f ${pki_silent_tps_log} ] ; then
- printf " Removing old '${pki_silent_tps_log}' . . . "
- rm ${pki_silent_tps_log}
- printf "done.\n"
-fi
printf "Done.\n\n"
@@ -1038,557 +327,8 @@ printf "Done.\n\n"
##############################################################################
## PKI Subsystem Instance PINS
-ca_preop_pin=`cat /var/lib/${ca_instance_name}/conf/CS.cfg \
- | grep preop.pin | grep -v grep | awk -F= '{print $2}'`
-kra_preop_pin=`cat /var/lib/${kra_instance_name}/conf/CS.cfg \
- | grep preop.pin | grep -v grep | awk -F= '{print $2}'`
-ocsp_preop_pin=`cat /var/lib/${ocsp_instance_name}/conf/CS.cfg \
- | grep preop.pin | grep -v grep | awk -F= '{print $2}'`
-tks_preop_pin=`cat /var/lib/${tks_instance_name}/conf/CS.cfg \
- | grep preop.pin | grep -v grep | awk -F= '{print $2}'`
ra_preop_pin=`cat /var/lib/${ra_instance_name}/conf/CS.cfg \
| grep preop.pin | grep -v grep | awk -F= '{print $2}'`
-tps_preop_pin=`cat /var/lib/${tps_instance_name}/conf/CS.cfg \
- | grep preop.pin | grep -v grep | awk -F= '{print $2}'`
-
-
-
-##############################################################################
-## C E R T I F I C A T E A U T H O R I T Y ##
-##############################################################################
-##
-## For example, upon completion,
-## execute '/sbin/service ${ca_init_script} status ${ca_instance_name}':
-##
-## ${ca_instance_name} (pid 7843) is running ...
-##
-## Unsecure Port = http://${pki_host}:9180/ca/ee/ca
-## Secure Agent Port = https://${pki_host}:9443/ca/agent/ca
-## Secure EE Port = https://${pki_host}:9444/ca/ee/ca
-## Secure Admin Port = https://${pki_host}:9445/ca/services
-## PKI Console Port = pkiconsole https://${pki_host}:9445/ca
-## Tomcat Port = 9701 (for shutdown)
-##
-##
-## Security Domain URL:
-## ==================================================================
-## https://${pki_host}:9445
-## ==================================================================
-##
-
-## Configure CA
-printf "'${pki_silent_script}': Configuring '${ca_instance_name}' . . .\n"
-pkisilent ConfigureCA \
- -cs_hostname "${pki_host}" \
- -cs_port ${ca_admin_port} \
- -client_certdb_dir ${pki_silent_security_database_repository} \
- -client_certdb_pwd ${pki_silent_security_database_password} \
- -preop_pin ${ca_preop_pin} \
- -domain_name "${pki_security_domain_name}" \
- -admin_user ${pki_silent_admin_user} \
- -admin_password ${pki_silent_admin_password} \
- -admin_email "${pki_silent_admin_email}" \
- -agent_name ${ca_agent_name} \
- -agent_key_size ${ca_agent_key_size} \
- -agent_key_type ${ca_agent_key_type} \
- -agent_cert_subject "${ca_agent_cert_subject}" \
- -ldap_host ${pki_ldap_host} \
- -ldap_port ${pki_ldap_port} \
- -bind_dn "${pki_bind_dn}" \
- -bind_password ${pki_bind_password} \
- -base_dn "${ca_base_dn}" \
- -db_name "${ca_db_name}" \
- -key_size ${ca_key_size} \
- -key_type ${ca_key_type} \
- -key_algorithm ${ca_key_algorithm} \
- -signing_algorithm ${ca_signing_algorithm} \
- -signing_signingalgorithm ${ca_signing_signingalgorithm} \
- -ocsp_signing_signingalgorithm ${ca_ocsp_signing_signingalgorithm} \
- -save_p12 ${ca_save_p12} \
- -subsystem_name ${ca_subsystem_name} \
- -token_name ${ca_token_name} \
- -token_pwd ${ca_token_password} \
- -ca_sign_cert_subject_name "${ca_sign_cert_subject_name}" \
- -ca_subsystem_cert_subject_name "${ca_subsystem_cert_subject_name}" \
- -ca_ocsp_cert_subject_name "${ca_ocsp_cert_subject_name}" \
- -ca_server_cert_subject_name "${ca_server_cert_subject_name}" \
- -ca_audit_signing_cert_subject_name \
- "${ca_audit_signing_cert_subject_name}" \
- | tee ${pki_silent_ca_log}
-
-## Restart CA
-/sbin/service ${ca_init_script} restart ${ca_instance_name}
-
-
-##############################################################################
-## C E R T I F I C A T E A U T H O R I T Y (Clone) ##
-##############################################################################
-##
-## Use this to create a clone CA ..
-##
-## For example, upon completion,
-## execute '/sbin/service ${ca_init_script} status ${ca_instance_name}':
-##
-## ${ca_instance_name} (pid 7843) is running ...
-##
-## Unsecure Port = http://${pki_host}:9180/ca/ee/ca
-## Secure Agent Port = https://${pki_host}:9443/ca/agent/ca
-## Secure EE Port = https://${pki_host}:9444/ca/ee/ca
-## Secure Admin Port = https://${pki_host}:9445/ca/services
-## PKI Console Port = pkiconsole https://${pki_host}:9445/ca
-## Tomcat Port = 9701 (for shutdown)
-##
-##
-## Security Domain URL:
-## ==================================================================
-## https://${pki_host}:9445
-## ==================================================================
-##
-
-## Configure clone CA
-# printf "'${pki_silent_script}': Configuring '${ca_instance_name}' . . .\n"
-# pkisilent ConfigureCA \
-# -cs_hostname "${pki_host}" \
-# -cs_port ${ca_admin_port} \
-# -client_certdb_dir ${pki_silent_security_database_repository} \
-# -client_certdb_pwd ${pki_silent_security_database_password} \
-# -preop_pin ${ca_preop_pin} \
-# -domain_name "${pki_security_domain_name}" \
-# -admin_user ${pki_silent_admin_user} \
-# -admin_password ${pki_silent_admin_password} \
-# -admin_email "${pki_silent_admin_email}" \
-# -agent_name ${ca_agent_name} \
-# -agent_key_size ${ca_agent_key_size} \
-# -agent_key_type ${ca_agent_key_type} \
-# -agent_cert_subject "${ca_agent_cert_subject}" \
-# -ldap_host ${pki_ldap_host} \
-# -ldap_port ${pki_ldap_port} \
-# -bind_dn "${pki_bind_dn}" \
-# -bind_password ${pki_bind_password} \
-# -base_dn "${ca_base_dn}" \
-# -db_name "${ca_db_name}" \
-# -key_size ${ca_key_size} \
-# -key_type ${ca_key_type} \
-# -key_algorithm ${ca_key_algorithm} \
-# -save_p12 ${ca_save_p12} \
-# -subsystem_name ${ca_subsystem_name} \
-# -token_name ${ca_token_name} \
-# -token_pwd ${ca_token_password} \
-# -ca_sign_cert_subject_name "${ca_sign_cert_subject_name}" \
-# -ca_subsystem_cert_subject_name "${ca_subsystem_cert_subject_name}" \
-# -ca_ocsp_cert_subject_name "${ca_ocsp_cert_subject_name}" \
-# -ca_server_cert_subject_name "${ca_server_cert_subject_name}" \
-# -ca_audit_signing_cert_subject_name \
-# "${ca_audit_signing_cert_subject_name}" \
-# -clone ${ca_clone} \
-# -clone_p12_file ${ca_clone_p12_file} \
-# -clone_p12_password ${ca_clone_p12_password} \
-# -clone_uri ${clone_uri} \
-# -sd_hostname ${sd_hostname} \
-# -sd_admin_port ${sd_admin_port} \
-# -sd_admin_name ${sd_admin_name} \
-# -sd_admin_password ${sd_admin_password} \
-# -clone_start_tls ${clone_start_tls} \
-# | tee ${pki_silent_ca_log}
-
-## Restart CA
-#/sbin/service ${ca_init_script} restart ${ca_instance_name}
-
-##############################################################################
-## C E R T I F I C A T E A U T H O R I T Y (External CA - step 1) ##
-##############################################################################
-##
-## Use this invocation for the first step in creating a CA signed by
-## and external CA ..
-##
-## For example, upon completion,
-##
-## A Certificate Request has been generated and stored in /tmp/ext_ca_csr.csr
-## Please submit this CSR to your external CA and obtain the CA Cert and CA Cert Chain"
-
-## Configure CA signed by external CA (step 1)
-# printf "'${pki_silent_script}': First step in configuring '${ca_instance_name}' . . .\n"
-# pkisilent ConfigureCA \
-# -cs_hostname "${pki_host}" \
-# -cs_port ${ca_admin_port} \
-# -client_certdb_dir ${pki_silent_security_database_repository} \
-# -client_certdb_pwd ${pki_silent_security_database_password} \
-# -preop_pin ${ca_preop_pin} \
-# -domain_name "${pki_security_domain_name}" \
-# -admin_user ${pki_silent_admin_user} \
-# -admin_password ${pki_silent_admin_password} \
-# -admin_email "${pki_silent_admin_email}" \
-# -agent_name ${ca_agent_name} \
-# -agent_key_size ${ca_agent_key_size} \
-# -agent_key_type ${ca_agent_key_type} \
-# -agent_cert_subject "${ca_agent_cert_subject}" \
-# -ldap_host ${pki_ldap_host} \
-# -ldap_port ${pki_ldap_port} \
-# -bind_dn "${pki_bind_dn}" \
-# -bind_password ${pki_bind_password} \
-# -base_dn "${ca_base_dn}" \
-# -db_name "${ca_db_name}" \
-# -key_size ${ca_key_size} \
-# -key_type ${ca_key_type} \
-# -key_algorithm ${ca_key_algorithm} \
-# -signing_algorithm ${ca_signing_algorithm} \
-# -signing_signingalgorithm ${ca_signing_signingalgorithm} \
-# -ocsp_signing_signingalgorithm ${ca_ocsp_signing_signingalgorithm} \
-# -save_p12 ${ca_save_p12} \
-# -subsystem_name ${ca_subsystem_name} \
-# -token_name ${ca_token_name} \
-# -token_pwd ${ca_token_password} \
-# -ca_sign_cert_subject_name "${ca_sign_cert_subject_name}" \
-# -ca_subsystem_cert_subject_name "${ca_subsystem_cert_subject_name}" \
-# -ca_ocsp_cert_subject_name "${ca_ocsp_cert_subject_name}" \
-# -ca_server_cert_subject_name "${ca_server_cert_subject_name}" \
-# -ca_audit_signing_cert_subject_name \
-# "${ca_audit_signing_cert_subject_name}" \
-# -external ${ca_external} \
-# -ext_csr_file ${ca_ext_csr_file} \
-# | tee ${pki_silent_ca_log}
-
-## Restart CA
-#/sbin/service ${ca_init_script} restart ${ca_instance_name}
-
-##############################################################################
-## C E R T I F I C A T E A U T H O R I T Y (External CA step 2) ##
-##############################################################################
-##
-## Use this to create a CA signed by an external CA (step 2)
-##
-## For example, upon completion,
-## execute '/sbin/service ${ca_init_script} status ${ca_instance_name}':
-##
-## ${ca_instance_name} (pid 7843) is running ...
-##
-## Unsecure Port = http://${pki_host}:9180/ca/ee/ca
-## Secure Agent Port = https://${pki_host}:9443/ca/agent/ca
-## Secure EE Port = https://${pki_host}:9444/ca/ee/ca
-## Secure Admin Port = https://${pki_host}:9445/ca/services
-## PKI Console Port = pkiconsole https://${pki_host}:9445/ca
-## Tomcat Port = 9701 (for shutdown)
-##
-##
-## Security Domain URL:
-## ==================================================================
-## https://${pki_host}:9445
-## ==================================================================
-##
-
-## Configure an externally signed CA (step 2)
-# printf "'${pki_silent_script}': Step 2 in configuring external signed '${ca_instance_name}' . . .\n"
-# pkisilent ConfigureCA \
-# -cs_hostname "${pki_host}" \
-# -cs_port ${ca_admin_port} \
-# -client_certdb_dir ${pki_silent_security_database_repository} \
-# -client_certdb_pwd ${pki_silent_security_database_password} \
-# -preop_pin ${ca_preop_pin} \
-# -domain_name "${pki_security_domain_name}" \
-# -admin_user ${pki_silent_admin_user} \
-# -admin_password ${pki_silent_admin_password} \
-# -admin_email "${pki_silent_admin_email}" \
-# -agent_name ${ca_agent_name} \
-# -agent_key_size ${ca_agent_key_size} \
-# -agent_key_type ${ca_agent_key_type} \
-# -agent_cert_subject "${ca_agent_cert_subject}" \
-# -ldap_host ${pki_ldap_host} \
-# -ldap_port ${pki_ldap_port} \
-# -bind_dn "${pki_bind_dn}" \
-# -bind_password ${pki_bind_password} \
-# -base_dn "${ca_base_dn}" \
-# -db_name "${ca_db_name}" \
-# -key_size ${ca_key_size} \
-# -key_type ${ca_key_type} \
-# -key_algorithm ${ca_key_algorithm} \
-# -signing_algorithm ${ca_signing_algorithm} \
-# -signing_signingalgorithm ${ca_signing_signingalgorithm} \
-# -ocsp_signing_signingalgorithm ${ca_ocsp_signing_signingalgorithm} \
-# -save_p12 ${ca_save_p12} \
-# -subsystem_name ${ca_subsystem_name} \
-# -token_name ${ca_token_name} \
-# -token_pwd ${ca_token_password} \
-# -ca_sign_cert_subject_name "${ca_sign_cert_subject_name}" \
-# -ca_subsystem_cert_subject_name "${ca_subsystem_cert_subject_name}" \
-# -ca_ocsp_cert_subject_name "${ca_ocsp_cert_subject_name}" \
-# -ca_server_cert_subject_name "${ca_server_cert_subject_name}" \
-# -ca_audit_signing_cert_subject_name \
-# "${ca_audit_signing_cert_subject_name}" \
-# -external ${ca_external} \
-# -ext_ca_cert_file ${ca_ext_cert_file} \
-# -ext_ca_cert_chain_file ${ca_ext_cert_chain_file} \
-# | tee ${pki_silent_ca_log}
-
-## Restart CA
-#/sbin/service ${ca_init_script} restart ${ca_instance_name}
-
-##############################################################################
-## D A T A R E C O V E R Y M A N A G E R ##
-##############################################################################
-##
-## For example, upon completion,
-## execute '/sbin/service ${kra_init_script} status ${kra_instance_name}':
-##
-## ${kra_instance_name} (pid 11723) is running ...
-##
-## Unsecure Port = http://${pki_host}:10180/kra/ee/kra
-## Secure Agent Port = https://${pki_host}:10443/kra/agent/kra
-## Secure EE Port = https://${pki_host}:10444/kra/ee/kra
-## Secure Admin Port = https://${pki_host}:10445/kra/services
-## PKI Console Port = pkiconsole https://${pki_host}:10445/kra
-## Tomcat Port = 10701 (for shutdown)
-##
-
-## Configure DRM
-printf "'${pki_silent_script}': Configuring '${kra_instance_name}' . . .\n"
-pkisilent ConfigureDRM \
- -cs_hostname "${pki_host}" \
- -cs_port ${kra_admin_port} \
- -sd_hostname "${pki_security_domain_host}" \
- -sd_ssl_port ${ca_ee_port} \
- -sd_agent_port ${ca_agent_port} \
- -sd_admin_port ${ca_admin_port} \
- -sd_admin_name "${pki_security_domain_admin_name}" \
- -sd_admin_password ${pki_security_domain_admin_password} \
- -ca_hostname ${pki_security_domain_host} \
- -ca_port ${ca_nonssl_port} \
- -ca_ssl_port ${ca_ee_port} \
- -client_certdb_dir ${pki_silent_security_database_repository} \
- -client_certdb_pwd ${pki_silent_security_database_password} \
- -preop_pin ${kra_preop_pin} \
- -domain_name "${pki_security_domain_name}" \
- -admin_user ${pki_silent_admin_user} \
- -admin_password ${pki_silent_admin_password} \
- -admin_email "${pki_silent_admin_email}" \
- -agent_name ${kra_agent_name} \
- -ldap_host ${pki_ldap_host} \
- -ldap_port ${pki_ldap_port} \
- -bind_dn "${pki_bind_dn}" \
- -bind_password ${pki_bind_password} \
- -base_dn "${kra_base_dn}" \
- -db_name "${kra_db_name}" \
- -key_size ${kra_key_size} \
- -key_type ${kra_key_type} \
- -token_name ${kra_token_name} \
- -token_pwd ${kra_token_password} \
- -agent_key_size ${kra_agent_key_size} \
- -agent_key_type ${kra_agent_key_type} \
- -agent_cert_subject "${kra_agent_cert_subject}" \
- -subsystem_name ${kra_subsystem_name} \
- -backup_pwd ${kra_backup_password} \
- -drm_transport_cert_subject_name "${kra_transport_cert_subject_name}" \
- -drm_subsystem_cert_subject_name "${kra_subsystem_cert_subject_name}" \
- -drm_storage_cert_subject_name "${kra_storage_cert_subject_name}" \
- -drm_server_cert_subject_name "${kra_server_cert_subject_name}" \
- -drm_audit_signing_cert_subject_name \
- "${kra_audit_signing_cert_subject_name}" \
- | tee ${pki_silent_kra_log}
-
-## Restart drm
-/sbin/service ${kra_init_script} restart ${kra_instance_name}
-
-
-##############################################################################
-## D A T A R E C O V E R Y M A N A G E R (clone) ##
-##############################################################################
-##
-## Use this to configure a DRM clone.
-##
-## For example, upon completion,
-## execute '/sbin/service ${kra_init_script} status ${kra_instance_name}':
-##
-## ${kra_instance_name} (pid 11723) is running ...
-##
-## Unsecure Port = http://${pki_host}:10180/kra/ee/kra
-## Secure Agent Port = https://${pki_host}:10443/kra/agent/kra
-## Secure EE Port = https://${pki_host}:10444/kra/ee/kra
-## Secure Admin Port = https://${pki_host}:10445/kra/services
-## PKI Console Port = pkiconsole https://${pki_host}:10445/kra
-## Tomcat Port = 10701 (for shutdown)
-##
-
-## Configure DRM
-# printf "'${pki_silent_script}': Configuring '${kra_instance_name}' . . .\n"
-# pkisilent ConfigureDRM \
-# -cs_hostname "${pki_host}" \
-# -cs_port ${kra_admin_port} \
-# -sd_hostname "${pki_security_domain_host}" \
-# -sd_ssl_port ${ca_ee_port} \
-# -sd_agent_port ${ca_agent_port} \
-# -sd_admin_port ${ca_admin_port} \
-# -sd_admin_name "${pki_security_domain_admin_name}" \
-# -sd_admin_password ${pki_security_domain_admin_password} \
-# -ca_hostname ${pki_security_domain_host} \
-# -ca_port ${ca_nonssl_port} \
-# -ca_ssl_port ${ca_ee_port} \
-# -client_certdb_dir ${pki_silent_security_database_repository} \
-# -client_certdb_pwd ${pki_silent_security_database_password} \
-# -preop_pin ${kra_preop_pin} \
-# -domain_name "${pki_security_domain_name}" \
-# -admin_user ${pki_silent_admin_user} \
-# -admin_password ${pki_silent_admin_password} \
-# -admin_email "${pki_silent_admin_email}" \
-# -agent_name ${kra_agent_name} \
-# -ldap_host ${pki_ldap_host} \
-# -ldap_port ${pki_ldap_port} \
-# -bind_dn "${pki_bind_dn}" \
-# -bind_password ${pki_bind_password} \
-# -base_dn "${kra_base_dn}" \
-# -db_name "${kra_db_name}" \
-# -key_size ${kra_key_size} \
-# -key_type ${kra_key_type} \
-# -token_name ${kra_token_name} \
-# -token_pwd ${kra_token_password} \
-# -agent_key_size ${kra_agent_key_size} \
-# -agent_key_type ${kra_agent_key_type} \
-# -agent_cert_subject "${kra_agent_cert_subject}" \
-# -subsystem_name ${kra_subsystem_name} \
-# -backup_pwd ${kra_backup_password} \
-# -drm_transport_cert_subject_name "${kra_transport_cert_subject_name}" \
-# -drm_subsystem_cert_subject_name "${kra_subsystem_cert_subject_name}" \
-# -drm_storage_cert_subject_name "${kra_storage_cert_subject_name}" \
-# -drm_server_cert_subject_name "${kra_server_cert_subject_name}" \
-# -drm_audit_signing_cert_subject_name \
-# "${kra_audit_signing_cert_subject_name}" \
-# -clone ${kra_clone} \
-# -clone_p12_file ${kra_clone_p12_file} \
-# -clone_p12_password ${kra_clone_p12_password} \
-# -clone_uri ${kra_uri} \
-# -clone_start_tls ${clone_start_tls} \
-# | tee ${pki_silent_kra_log}
-
-## Restart drm
-#/sbin/service ${kra_init_script} restart ${kra_instance_name}
-
-
-##############################################################################
-## O N L I N E S T A T U S C E R T I F I C A T E P R O T O C O L ##
-###############################################################################
-##
-## For example, upon completion,
-## execute '/sbin/service ${ocsp_init_script} status ${ocsp_instance_name}':
-##
-## ${ocsp_instance_name} (pid 13058) is running ...
-##
-## Unsecure Port = http://${pki_host}:11180/ocsp/ee/ocsp
-## Secure Agent Port = https://${pki_host}:11443/ocsp/agent/ocsp
-## Secure EE Port = https://${pki_host}:11444/ocsp/ee/ocsp
-## Secure Admin Port = https://${pki_host}:11445/ocsp/services
-## PKI Console Port = pkiconsole https://${pki_host}:11445/ocsp
-## Tomcat Port = 11701 (for shutdown)
-##
-
-## Configure OCSP
-printf "'${pki_silent_script}': Configuring '${ocsp_instance_name}' . . .\n"
-pkisilent ConfigureOCSP \
- -cs_hostname "${pki_host}" \
- -cs_port ${ocsp_admin_port} \
- -sd_hostname "${pki_security_domain_host}" \
- -sd_ssl_port ${ca_ee_port} \
- -sd_agent_port ${ca_agent_port} \
- -sd_admin_port ${ca_admin_port} \
- -sd_admin_name "${pki_security_domain_admin_name}" \
- -sd_admin_password ${pki_security_domain_admin_password} \
- -ca_hostname ${pki_security_domain_host} \
- -ca_port ${ca_nonssl_port} \
- -ca_ssl_port ${ca_ee_port} \
- -client_certdb_dir ${pki_silent_security_database_repository} \
- -client_certdb_pwd ${pki_silent_security_database_password} \
- -preop_pin ${ocsp_preop_pin} \
- -domain_name "${pki_security_domain_name}" \
- -admin_user ${pki_silent_admin_user} \
- -admin_password ${pki_silent_admin_password} \
- -admin_email "${pki_silent_admin_email}" \
- -agent_name ${ocsp_agent_name} \
- -ldap_host ${pki_ldap_host} \
- -ldap_port ${pki_ldap_port} \
- -bind_dn "${pki_bind_dn}" \
- -bind_password ${pki_bind_password} \
- -base_dn "${ocsp_base_dn}" \
- -db_name "${ocsp_db_name}" \
- -key_size ${ocsp_key_size} \
- -key_type ${ocsp_key_type} \
- -token_name ${ocsp_token_name} \
- -token_pwd ${ocsp_token_password} \
- -agent_key_size ${ocsp_agent_key_size} \
- -agent_key_type ${ocsp_agent_key_type} \
- -agent_cert_subject "${ocsp_agent_cert_subject}" \
- -subsystem_name ${ocsp_subsystem_name} \
- -backup_pwd ${ocsp_backup_password} \
- -ocsp_sign_cert_subject_name "${ocsp_sign_cert_subject_name}" \
- -ocsp_subsystem_cert_subject_name "${ocsp_subsystem_cert_subject_name}" \
- -ocsp_server_cert_subject_name "${ocsp_server_cert_subject_name}" \
- -ocsp_audit_signing_cert_subject_name \
- "${ocsp_audit_signing_cert_subject_name}" \
- | tee ${pki_silent_ocsp_log}
-
-## Restart OCSP
-/sbin/service ${ocsp_init_script} restart ${ocsp_instance_name}
-
-
-
-##############################################################################
-## T O K E N K E Y S E R V I C E ##
-##############################################################################
-##
-## For example, upon completion,
-## execute '/sbin/service ${tks_init_script} status ${tks_instance_name}':
-##
-## ${tks_instance_name} (pid 14129) is running ...
-##
-## Unsecure Port = http://${pki_host}:13180/tks/ee/tks
-## Secure Agent Port = https://${pki_host}:13443/tks/agent/tks
-## Secure EE Port = https://${pki_host}:13444/tks/ee/tks
-## Secure Admin Port = https://${pki_host}:13445/tks/services
-## PKI Console Port = pkiconsole https://${pki_host}:13445/tks
-## Tomcat Port = 13701 (for shutdown)
-##
-
-## Configure TKS
-printf "'${pki_silent_script}': Configuring '${tks_instance_name}' . . .\n"
-pkisilent ConfigureTKS \
- -cs_hostname "${pki_host}" \
- -cs_port ${tks_admin_port} \
- -sd_hostname "${pki_security_domain_host}" \
- -sd_ssl_port ${ca_ee_port} \
- -sd_agent_port ${ca_agent_port} \
- -sd_admin_port ${ca_admin_port} \
- -sd_admin_name "${pki_security_domain_admin_name}" \
- -sd_admin_password ${pki_security_domain_admin_password} \
- -ca_hostname ${pki_security_domain_host} \
- -ca_port ${ca_nonssl_port} \
- -ca_ssl_port ${ca_ee_port} \
- -client_certdb_dir ${pki_silent_security_database_repository} \
- -client_certdb_pwd ${pki_silent_security_database_password} \
- -preop_pin ${tks_preop_pin} \
- -domain_name "${pki_security_domain_name}" \
- -admin_user ${pki_silent_admin_user} \
- -admin_password ${pki_silent_admin_password} \
- -admin_email "${pki_silent_admin_email}" \
- -agent_name ${tks_agent_name} \
- -ldap_host ${pki_ldap_host} \
- -ldap_port ${pki_ldap_port} \
- -bind_dn "${pki_bind_dn}" \
- -bind_password ${pki_bind_password} \
- -base_dn "${tks_base_dn}" \
- -db_name "${tks_db_name}" \
- -key_size ${tks_key_size} \
- -key_type ${tks_key_type} \
- -token_name ${tks_token_name} \
- -token_pwd ${tks_token_password} \
- -agent_key_size ${tks_agent_key_size} \
- -agent_key_type ${tks_agent_key_type} \
- -agent_cert_subject "${tks_agent_cert_subject}" \
- -subsystem_name ${tks_subsystem_name} \
- -backup_pwd ${tks_backup_password} \
- -tks_subsystem_cert_subject_name "${tks_subsystem_cert_subject_name}" \
- -tks_server_cert_subject_name "${tks_server_cert_subject_name}" \
- -tks_audit_signing_cert_subject_name \
- "${tks_audit_signing_cert_subject_name}" \
- | tee ${pki_silent_tks_log}
-
-## restart tks
-/sbin/service ${tks_init_script} restart ${tks_instance_name}
@@ -1647,89 +387,5 @@ pkisilent ConfigureRA \
## Restart RA
/sbin/service ${ra_init_script} restart ${ra_instance_name}
-
-##############################################################################
-## T O K E N P R O C E S S I N G S Y S T E M ##
-##############################################################################
-##
-## For example, upon completion,
-## execute '/sbin/service ${tps_init_script} status ${tps_instance_name}':
-##
-##
-## ${tps_instance_name} (pid 16241) is running ...
-##
-## Unsecure Port = http://${pki_host}:7888/cgi-bin/so/enroll.cgi
-## (ESC Security Officer Enrollment)
-## Unsecure Port = http://${pki_host}:7888/cgi-bin/home/index.cgi
-## (ESC Phone Home)
-## Secure Clientauth Port = https://${pki_host}:7889/cgi-bin/sow/welcome.cgi
-## (ESC Security Officer Workstation)
-## Secure Clientauth Port = https://${pki_host}:7889/tus
-## (TPS Roles - Operator/Administrator/Agent)
-## Secure Non-Clientauth Port = https://${pki_host}:7890/cgi-bin/so/enroll.cgi
-## (ESC Security Officer Enrollment)
-## Secure Non-Clientauth Port = https://${pki_host}:7890/cgi-bin/home/index.cgi
-## (ESC Phone Home)
-##
-
-## Configure TPS
-printf "'${pki_silent_script}': Configuring '${tps_instance_name}' . . .\n"
-pkisilent ConfigureTPS \
- -cs_hostname "${pki_host}" \
- -cs_port ${tps_nonclientauth_port} \
- -cs_clientauth_port ${tps_clientauth_port} \
- -sd_hostname "${pki_security_domain_host}" \
- -sd_ssl_port ${ca_ee_port} \
- -sd_agent_port ${ca_agent_port} \
- -sd_admin_port ${ca_admin_port} \
- -sd_admin_name "${pki_security_domain_admin_name}" \
- -sd_admin_password ${pki_security_domain_admin_password} \
- -ca_hostname ${tps_chosen_ca_hostname} \
- -ca_port ${tps_chosen_ca_nonssl_port} \
- -ca_ssl_port ${tps_chosen_ca_ssl_port} \
- -ca_admin_port ${tps_chosen_ca_admin_port} \
- -drm_hostname ${tps_chosen_drm_hostname} \
- -drm_ssl_port ${tps_chosen_drm_ssl_port} \
- -ss_keygen ${tps_ss_keygen} \
- -tks_hostname ${tps_chosen_tks_hostname} \
- -tks_ssl_port ${tps_chosen_tks_ssl_port} \
- -client_certdb_dir ${pki_silent_security_database_repository} \
- -client_certdb_pwd ${pki_silent_security_database_password} \
- -preop_pin ${tps_preop_pin} \
- -domain_name "${pki_security_domain_name}" \
- -admin_user ${pki_silent_admin_user} \
- -admin_password ${pki_silent_admin_password} \
- -admin_email "${pki_silent_admin_email}" \
- -agent_name ${tps_agent_name} \
- -ldap_host ${pki_ldap_host} \
- -ldap_port ${pki_ldap_port} \
- -bind_dn "${pki_bind_dn}" \
- -bind_password ${pki_bind_password} \
- -base_dn "${tps_base_dn}" \
- -db_name "${tps_db_name}" \
- -key_size ${tps_key_size} \
- -key_type ${tps_key_type} \
- -token_name ${tps_token_name} \
- -token_pwd ${tps_token_password} \
- -agent_key_size ${tps_agent_key_size} \
- -agent_key_type ${tps_agent_key_type} \
- -agent_cert_subject "${tps_agent_cert_subject}" \
- -subsystem_name ${tps_subsystem_name} \
- -ldap_auth_host ${tps_ldap_auth_host} \
- -ldap_auth_port ${tps_ldap_auth_port} \
- -ldap_auth_base_dn ${tps_ldap_auth_base_dn} \
- -tps_server_cert_subject_name "${tps_server_cert_subject_name}" \
- -tps_server_cert_nickname "${tps_server_cert_nickname}" \
- -tps_subsystem_cert_subject_name "${tps_subsystem_cert_subject_name}" \
- -tps_subsystem_cert_nickname "${tps_subsystem_cert_nickname}" \
- -tps_audit_signing_cert_subject_name \
- "${tps_audit_signing_cert_subject_name}" \
- -tps_audit_signing_cert_nickname \
- "${tps_audit_signing_cert_nickname}" \
- | tee ${pki_silent_tps_log}
-
-## Restart TPS
-/sbin/service ${tps_init_script} restart ${tps_instance_name}
-
exit 0
diff --git a/base/tks/CMakeLists.txt b/base/tks/CMakeLists.txt
index a503f2401..4b17ca0c8 100644
--- a/base/tks/CMakeLists.txt
+++ b/base/tks/CMakeLists.txt
@@ -4,31 +4,6 @@ add_subdirectory(src)
add_subdirectory(setup)
add_subdirectory(shared/conf)
-# install systemd scripts
-install(
- FILES
- shared/lib/systemd/system/pki-tksd.target
- shared/lib/systemd/system/pki-tksd@.service
- DESTINATION
- ${SYSTEMD_LIB_INSTALL_DIR}
- PERMISSIONS
- OWNER_EXECUTE OWNER_WRITE OWNER_READ
- GROUP_EXECUTE GROUP_READ
- WORLD_EXECUTE WORLD_READ
-)
-
-# install init script
-install(
- FILES
- shared/etc/init.d/pki-tksd
- DESTINATION
- ${SYSCONF_INSTALL_DIR}/rc.d/init.d
- PERMISSIONS
- OWNER_EXECUTE OWNER_WRITE OWNER_READ
- GROUP_EXECUTE GROUP_READ
- WORLD_EXECUTE WORLD_READ
-)
-
# install directories
install(
DIRECTORY
@@ -38,11 +13,7 @@ install(
PATTERN
"CMakeLists.txt" EXCLUDE
PATTERN
- "etc/*" EXCLUDE
- PATTERN
"CS.cfg.in" EXCLUDE
- PATTERN
- "lib/*" EXCLUDE
)
# install empty directories
@@ -58,8 +29,3 @@ install(
${VAR_INSTALL_DIR}/run/pki/tks
)
-install(
- DIRECTORY
- DESTINATION
- ${SYSTEMD_ETC_INSTALL_DIR}/pki-tksd.target.wants
-)
diff --git a/base/tks/shared/etc/init.d/pki-tksd b/base/tks/shared/etc/init.d/pki-tksd
deleted file mode 100755
index 2b2fc4e82..000000000
--- a/base/tks/shared/etc/init.d/pki-tksd
+++ /dev/null
@@ -1,87 +0,0 @@
-#!/bin/bash
-#
-# --- BEGIN COPYRIGHT BLOCK ---
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation; version 2 of the License.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License along
-# with this program; if not, write to the Free Software Foundation, Inc.,
-# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-#
-# Copyright (C) 2007-2010 Red Hat, Inc.
-# All rights reserved.
-# --- END COPYRIGHT BLOCK ---
-#
-# pki-tksd Startup script for pki-tks with tomcat6
-#
-# chkconfig: - 84 16
-# description: Token Key Service (Tomcat 6.0)
-# processname: pki-tksd
-# piddir: /var/run/pki/tks
-#
-
-PROG_NAME=`basename $0`
-SERVICE_NAME="pki-tksd"
-SERVICE_PROG="/sbin/service"
-PKI_PATH="/usr/share/pki/tks"
-PKI_REGISTRY="/etc/sysconfig/pki/tks"
-PKI_TYPE="pki-tks"
-PKI_TOTAL_PORTS=6
-
-# Avoid using 'systemctl' for now
-SYSTEMCTL_SKIP_REDIRECT=1
-export SYSTEMCTL_SKIP_REDIRECT
-
-# Disallow 'others' the ability to 'write' to new files
-umask 00002
-
-command="$1"
-pki_instance="$2"
-
-# Source function library.
-. /etc/init.d/functions
-
-# Source the PKI function library
-. /usr/share/pki/scripts/functions
-
-# See how we were called.
-case $command in
- status)
- registry_status
- exit $?
- ;;
- start)
- start
- exit $?
- ;;
- restart)
- restart
- exit $?
- ;;
- stop)
- stop
- exit $?
- ;;
- condrestart|force-restart|try-restart)
- [ ! -f ${lockfile} ] || restart
- exit $?
- ;;
- reload)
- echo "The 'reload' action is an unimplemented feature."
- exit ${default_error}
- ;;
- *)
- echo "unknown action ($command)"
- usage
- echo "where valid instance names include:"
- list_instances
- exit ${default_error}
- ;;
-esac
-
diff --git a/base/tks/shared/lib/systemd/system/pki-tksd.target b/base/tks/shared/lib/systemd/system/pki-tksd.target
deleted file mode 100644
index 3e2b89edd..000000000
--- a/base/tks/shared/lib/systemd/system/pki-tksd.target
+++ /dev/null
@@ -1,8 +0,0 @@
-[Unit]
-Description=PKI Token Key Service
-After=syslog.target network.target
-
-[Install]
-WantedBy=multi-user.target
-
-
diff --git a/base/tks/shared/lib/systemd/system/pki-tksd@.service b/base/tks/shared/lib/systemd/system/pki-tksd@.service
deleted file mode 100644
index d624eece4..000000000
--- a/base/tks/shared/lib/systemd/system/pki-tksd@.service
+++ /dev/null
@@ -1,13 +0,0 @@
-[Unit]
-Description=PKI Token Key Service %i
-After=pki-tksd.target
-BindTo=pki-tksd.target
-
-[Service]
-Type=forking
-ExecStart=/usr/bin/pkicontrol start tks %i
-ExecStop=/usr/bin/pkicontrol stop tks %i
-
-[Install]
-WantedBy=multi-user.target
-
diff --git a/base/tps-tomcat/CMakeLists.txt b/base/tps-tomcat/CMakeLists.txt
index c953d8adf..dac32876c 100644
--- a/base/tps-tomcat/CMakeLists.txt
+++ b/base/tps-tomcat/CMakeLists.txt
@@ -18,31 +18,6 @@ install(
WORLD_READ
)
-# install systemd scripts
-install(
- FILES
- shared/lib/systemd/system/pki-tpsd.target
- shared/lib/systemd/system/pki-tpsd@.service
- DESTINATION
- ${SYSTEMD_LIB_INSTALL_DIR}
- PERMISSIONS
- OWNER_EXECUTE OWNER_WRITE OWNER_READ
- GROUP_EXECUTE GROUP_READ
- WORLD_EXECUTE WORLD_READ
-)
-
-# install init script
-install(
- FILES
- shared/etc/init.d/pki-tpsd
- DESTINATION
- ${SYSCONF_INSTALL_DIR}/rc.d/init.d
- PERMISSIONS
- OWNER_EXECUTE OWNER_WRITE OWNER_READ
- GROUP_EXECUTE GROUP_READ
- WORLD_EXECUTE WORLD_READ
-)
-
# install directories
install(
DIRECTORY
@@ -52,11 +27,7 @@ install(
PATTERN
"CMakeLists.txt" EXCLUDE
PATTERN
- "etc/*" EXCLUDE
- PATTERN
"conf/CS.cfg.in" EXCLUDE
- PATTERN
- "lib/*" EXCLUDE
)
# install empty directories
@@ -72,8 +43,3 @@ install(
${VAR_INSTALL_DIR}/run/pki/tps
)
-install(
- DIRECTORY
- DESTINATION
- ${SYSTEMD_ETC_INSTALL_DIR}/pki-tpsd.target.wants
-)
diff --git a/base/tps-tomcat/shared/conf/etc/init.d/pki-tpsd b/base/tps-tomcat/shared/conf/etc/init.d/pki-tpsd
deleted file mode 100755
index 7b991f39c..000000000
--- a/base/tps-tomcat/shared/conf/etc/init.d/pki-tpsd
+++ /dev/null
@@ -1,86 +0,0 @@
-#!/bin/bash
-#
-# --- BEGIN COPYRIGHT BLOCK ---
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation; version 2 of the License.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License along
-# with this program; if not, write to the Free Software Foundation, Inc.,
-# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-#
-# Copyright (C) 2007-2010 Red Hat, Inc.
-# All rights reserved.
-# --- END COPYRIGHT BLOCK ---
-#
-# pki-tpsd Startup script for pki-tps with tomcat7
-#
-# chkconfig: - 84 16
-# description: Token Processing Service (Tomcat 7.0)
-# processname: pki-tpsd
-# piddir: /var/run/pki/tps
-#
-
-PROG_NAME=`basename $0`
-SERVICE_NAME="pki-tpsd"
-SERVICE_PROG="/sbin/service"
-PKI_PATH="/usr/share/pki/tps"
-PKI_REGISTRY="/etc/sysconfig/pki/tps"
-PKI_TYPE="pki-tps"
-PKI_TOTAL_PORTS=6
-
-# Avoid using 'systemctl' for now
-SYSTEMCTL_SKIP_REDIRECT=1
-export SYSTEMCTL_SKIP_REDIRECT
-
-# Disallow 'others' the ability to 'write' to new files
-umask 00002
-
-command="$1"
-pki_instance="$2"
-
-# Source function library.
-. /etc/init.d/functions
-
-# Source the PKI function library
-. /usr/share/pki/scripts/functions
-
-# See how we were called.
-case $command in
- status)
- registry_status
- exit $?
- ;;
- start)
- start
- exit $?
- ;;
- restart)
- restart
- exit $?
- ;;
- stop)
- stop
- exit $?
- ;;
- condrestart|force-restart|try-restart)
- [ ! -f ${lockfile} ] || restart
- exit $?
- ;;
- reload)
- echo "The 'reload' action is an unimplemented feature."
- exit ${default_error}
- ;;
- *)
- echo "unknown action ($command)"
- usage
- echo "where valid instance names include:"
- list_instances
- exit ${default_error}
- ;;
-esac
diff --git a/base/tps-tomcat/shared/etc/init.d/pki-tpsd b/base/tps-tomcat/shared/etc/init.d/pki-tpsd
deleted file mode 100755
index 7b991f39c..000000000
--- a/base/tps-tomcat/shared/etc/init.d/pki-tpsd
+++ /dev/null
@@ -1,86 +0,0 @@
-#!/bin/bash
-#
-# --- BEGIN COPYRIGHT BLOCK ---
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation; version 2 of the License.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License along
-# with this program; if not, write to the Free Software Foundation, Inc.,
-# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-#
-# Copyright (C) 2007-2010 Red Hat, Inc.
-# All rights reserved.
-# --- END COPYRIGHT BLOCK ---
-#
-# pki-tpsd Startup script for pki-tps with tomcat7
-#
-# chkconfig: - 84 16
-# description: Token Processing Service (Tomcat 7.0)
-# processname: pki-tpsd
-# piddir: /var/run/pki/tps
-#
-
-PROG_NAME=`basename $0`
-SERVICE_NAME="pki-tpsd"
-SERVICE_PROG="/sbin/service"
-PKI_PATH="/usr/share/pki/tps"
-PKI_REGISTRY="/etc/sysconfig/pki/tps"
-PKI_TYPE="pki-tps"
-PKI_TOTAL_PORTS=6
-
-# Avoid using 'systemctl' for now
-SYSTEMCTL_SKIP_REDIRECT=1
-export SYSTEMCTL_SKIP_REDIRECT
-
-# Disallow 'others' the ability to 'write' to new files
-umask 00002
-
-command="$1"
-pki_instance="$2"
-
-# Source function library.
-. /etc/init.d/functions
-
-# Source the PKI function library
-. /usr/share/pki/scripts/functions
-
-# See how we were called.
-case $command in
- status)
- registry_status
- exit $?
- ;;
- start)
- start
- exit $?
- ;;
- restart)
- restart
- exit $?
- ;;
- stop)
- stop
- exit $?
- ;;
- condrestart|force-restart|try-restart)
- [ ! -f ${lockfile} ] || restart
- exit $?
- ;;
- reload)
- echo "The 'reload' action is an unimplemented feature."
- exit ${default_error}
- ;;
- *)
- echo "unknown action ($command)"
- usage
- echo "where valid instance names include:"
- list_instances
- exit ${default_error}
- ;;
-esac
diff --git a/base/tps-tomcat/shared/lib/systemd/system/pki-tpsd.target b/base/tps-tomcat/shared/lib/systemd/system/pki-tpsd.target
deleted file mode 100644
index 443c2adad..000000000
--- a/base/tps-tomcat/shared/lib/systemd/system/pki-tpsd.target
+++ /dev/null
@@ -1,6 +0,0 @@
-[Unit]
-Description=PKI Token Processing Service
-After=syslog.target network.target
-
-[Install]
-WantedBy=multi-user.target
diff --git a/base/tps-tomcat/shared/lib/systemd/system/pki-tpsd@.service b/base/tps-tomcat/shared/lib/systemd/system/pki-tpsd@.service
deleted file mode 100644
index 4703b3fe8..000000000
--- a/base/tps-tomcat/shared/lib/systemd/system/pki-tpsd@.service
+++ /dev/null
@@ -1,12 +0,0 @@
-[Unit]
-Description=PKI Token Processing Service %i
-After=pki-tpsd.target
-BindTo=pki-tpsd.target
-
-[Service]
-Type=forking
-ExecStart=/usr/bin/pkicontrol start tps %i
-ExecStop=/usr/bin/pkicontrol stop tps %i
-
-[Install]
-WantedBy=multi-user.target
diff --git a/specs/pki-core.spec b/specs/pki-core.spec
index 1c50267cd..d940f330d 100644
--- a/specs/pki-core.spec
+++ b/specs/pki-core.spec
@@ -5,7 +5,7 @@ distutils.sysconfig import get_python_lib; print(get_python_lib(1))")}
Name: pki-core
Version: 10.2.0
-Release: 0.4%{?dist}
+Release: 0.5%{?dist}
Summary: Certificate System - PKI Core Components
URL: http://pki.fedoraproject.org/
License: GPLv2
@@ -542,28 +542,8 @@ if [ $? -eq 1 ]; then
exit 1
fi
-%{__rm} %{buildroot}%{_initrddir}/pki-cad
-%{__rm} %{buildroot}%{_initrddir}/pki-krad
-%{__rm} %{buildroot}%{_initrddir}/pki-ocspd
-%{__rm} %{buildroot}%{_initrddir}/pki-tksd
-%{__rm} %{buildroot}%{_initrddir}/pki-tpsd
-
%{__rm} -rf %{buildroot}%{_datadir}/pki/server/lib
-# tomcat6 has changed how TOMCAT_LOG is used.
-# Need to adjust accordingly
-# This macro will be executed in the postinstall scripts
-%define fix_tomcat_log() ( \
-if [ -d /etc/sysconfig/pki/%i ]; then \
- for F in `find /etc/sysconfig/pki/%1 -type f`; do \
- instance=`basename $F` \
- if [ -f /etc/sysconfig/$instance ]; then \
- sed -i -e 's/catalina.out/tomcat-initd.log/' /etc/sysconfig/$instance \
- fi \
- done \
-fi \
-)
-
%endif # %{with server}
%{__mkdir_p} %{buildroot}%{_localstatedir}/log/pki
@@ -621,130 +601,6 @@ fi
%if %{with server}
-%post -n pki-ca
-# Attempt to update ALL old "CA" instances to "systemd"
-if [ -d /etc/sysconfig/pki/ca ]; then
- for inst in `ls /etc/sysconfig/pki/ca`; do
- if [ ! -e "/etc/systemd/system/pki-cad.target.wants/pki-cad@${inst}.service" ]; then
- ln -s "/lib/systemd/system/pki-cad@.service" \
- "/etc/systemd/system/pki-cad.target.wants/pki-cad@${inst}.service"
- [ -L /var/lib/${inst}/${inst} ] && unlink /var/lib/${inst}/${inst}
- ln -s /usr/sbin/tomcat6-sysd /var/lib/${inst}/${inst}
-
- if [ -e /var/run/${inst}.pid ]; then
- kill -9 `cat /var/run/${inst}.pid` || :
- rm -f /var/run/${inst}.pid
- echo "pkicreate.systemd.servicename=pki-cad@${inst}.service" >> \
- /var/lib/${inst}/conf/CS.cfg || :
- /bin/systemctl daemon-reload >/dev/null 2>&1 || :
- /bin/systemctl restart pki-cad@${inst}.service || :
- else
- echo "pkicreate.systemd.servicename=pki-cad@${inst}.service" >> \
- /var/lib/${inst}/conf/CS.cfg || :
- fi
- else
- # Conditionally restart this Dogtag 9 instance
- /bin/systemctl condrestart pki-cad@${inst}.service
- fi
- done
-fi
-/bin/systemctl daemon-reload >/dev/null 2>&1 || :
-%fix_tomcat_log ca
-
-
-%post -n pki-kra
-# Attempt to update ALL old "KRA" instances to "systemd"
-if [ -d /etc/sysconfig/pki/kra ]; then
- for inst in `ls /etc/sysconfig/pki/kra`; do
- if [ ! -e "/etc/systemd/system/pki-krad.target.wants/pki-krad@${inst}.service" ]; then
- ln -s "/lib/systemd/system/pki-krad@.service" \
- "/etc/systemd/system/pki-krad.target.wants/pki-krad@${inst}.service"
- [ -L /var/lib/${inst}/${inst} ] && unlink /var/lib/${inst}/${inst}
- ln -s /usr/sbin/tomcat6-sysd /var/lib/${inst}/${inst}
-
- if [ -e /var/run/${inst}.pid ]; then
- kill -9 `cat /var/run/${inst}.pid` || :
- rm -f /var/run/${inst}.pid
- echo "pkicreate.systemd.servicename=pki-krad@${inst}.service" >> \
- /var/lib/${inst}/conf/CS.cfg || :
- /bin/systemctl daemon-reload >/dev/null 2>&1 || :
- /bin/systemctl restart pki-krad@${inst}.service || :
- else
- echo "pkicreate.systemd.servicename=pki-krad@${inst}.service" >> \
- /var/lib/${inst}/conf/CS.cfg || :
- fi
- else
- # Conditionally restart this Dogtag 9 instance
- /bin/systemctl condrestart pki-krad@${inst}.service
- fi
- done
-fi
-/bin/systemctl daemon-reload >/dev/null 2>&1 || :
-%fix_tomcat_log kra
-
-
-%post -n pki-ocsp
-# Attempt to update ALL old "OCSP" instances to "systemd"
-if [ -d /etc/sysconfig/pki/ocsp ]; then
- for inst in `ls /etc/sysconfig/pki/ocsp`; do
- if [ ! -e "/etc/systemd/system/pki-ocspd.target.wants/pki-ocspd@${inst}.service" ]; then
- ln -s "/lib/systemd/system/pki-ocspd@.service" \
- "/etc/systemd/system/pki-ocspd.target.wants/pki-ocspd@${inst}.service"
- [ -L /var/lib/${inst}/${inst} ] && unlink /var/lib/${inst}/${inst}
- ln -s /usr/sbin/tomcat6-sysd /var/lib/${inst}/${inst}
-
- if [ -e /var/run/${inst}.pid ]; then
- kill -9 `cat /var/run/${inst}.pid` || :
- rm -f /var/run/${inst}.pid
- echo "pkicreate.systemd.servicename=pki-ocspd@${inst}.service" >> \
- /var/lib/${inst}/conf/CS.cfg || :
- /bin/systemctl daemon-reload >/dev/null 2>&1 || :
- /bin/systemctl restart pki-ocspd@${inst}.service || :
- else
- echo "pkicreate.systemd.servicename=pki-ocspd@${inst}.service" >> \
- /var/lib/${inst}/conf/CS.cfg || :
- fi
- else
- # Conditionally restart this Dogtag 9 instance
- /bin/systemctl condrestart pki-ocspd@${inst}.service
- fi
- done
-fi
-/bin/systemctl daemon-reload >/dev/null 2>&1 || :
-%fix_tomcat_log ocsp
-
-
-%post -n pki-tks
-# Attempt to update ALL old "TKS" instances to "systemd"
-if [ -d /etc/sysconfig/pki/tks ]; then
- for inst in `ls /etc/sysconfig/pki/tks`; do
- if [ ! -e "/etc/systemd/system/pki-tksd.target.wants/pki-tksd@${inst}.service" ]; then
- ln -s "/lib/systemd/system/pki-tksd@.service" \
- "/etc/systemd/system/pki-tksd.target.wants/pki-tksd@${inst}.service"
- [ -L /var/lib/${inst}/${inst} ] && unlink /var/lib/${inst}/${inst}
- ln -s /usr/sbin/tomcat6-sysd /var/lib/${inst}/${inst}
-
- if [ -e /var/run/${inst}.pid ]; then
- kill -9 `cat /var/run/${inst}.pid` || :
- rm -f /var/run/${inst}.pid
- echo "pkicreate.systemd.servicename=pki-tksd@${inst}.service" >> \
- /var/lib/${inst}/conf/CS.cfg || :
- /bin/systemctl daemon-reload >/dev/null 2>&1 || :
- /bin/systemctl restart pki-tksd@${inst}.service || :
- else
- echo "pkicreate.systemd.servicename=pki-tksd@${inst}.service" >> \
- /var/lib/${inst}/conf/CS.cfg || :
- fi
- else
- # Conditionally restart this Dogtag 9 instance
- /bin/systemctl condrestart pki-tksd@${inst}.service
- fi
- done
-fi
-/bin/systemctl daemon-reload >/dev/null 2>&1 || :
-%fix_tomcat_log tks
-
-
%post -n pki-server
## NOTE: At this time, NO attempt has been made to update ANY PKI subsystem
## from EITHER 'sysVinit' OR previous 'systemd' processes to the new
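Review bot: Hosts upgraded from a build that ran the removed `%post -n pki-ca`, `pki-kra`, `pki-ocsp` and `pki-tks` scriptlets may keep the `pki-*d@<instance>.service` links under `/etc/systemd/system/pki-*d.target.wants/`. Those scriptlets created the links with `ln -s`, the links were never listed in `%files`, and nothing on the new side removes them. The `%files` hunks further down also drop the unit files and the `.target.wants` `%dir` entries, so the leftover links would point at units the package no longer ships. No other upgrade step that handles this is visible in this diff. If there is none, a one-time cleanup in the remaining `%post -n pki-server` scriptlet (whose body continues outside this hunk) would cover it. For example, `rm -f /etc/systemd/system/pki-cad.target.wants/pki-cad@*.service || :` repeated for `pki-krad`, `pki-ocspd` and `pki-tksd`, followed by `/bin/systemctl daemon-reload >/dev/null 2>&1 || :`.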
@@ -755,68 +611,12 @@ echo "Upgrading server at `/bin/date`." >> /var/log/pki/pki-server-upgrade-%{ver
echo >> /var/log/pki/pki-server-upgrade-%{version}.log 2>&1
-%preun -n pki-ca
-if [ $1 = 0 ] ; then
- /bin/systemctl --no-reload disable pki-cad.target > /dev/null 2>&1 || :
- /bin/systemctl stop pki-cad.target > /dev/null 2>&1 || :
-fi
-
-
-%preun -n pki-kra
-if [ $1 = 0 ] ; then
- /bin/systemctl --no-reload disable pki-krad.target > /dev/null 2>&1 || :
- /bin/systemctl stop pki-krad.target > /dev/null 2>&1 || :
-fi
-
-
-%preun -n pki-ocsp
-if [ $1 = 0 ] ; then
- /bin/systemctl --no-reload disable pki-ocspd.target > /dev/null 2>&1 || :
- /bin/systemctl stop pki-ocspd.target > /dev/null 2>&1 || :
-fi
-
-
-%preun -n pki-tks
-if [ $1 = 0 ] ; then
- /bin/systemctl --no-reload disable pki-tksd.target > /dev/null 2>&1 || :
- /bin/systemctl stop pki-tksd.target > /dev/null 2>&1 || :
-fi
-
-
## %preun -n pki-server
## NOTE: At this time, NO attempt has been made to update ANY PKI subsystem
## from EITHER 'sysVinit' OR previous 'systemd' processes to the new
## PKI deployment process
-%postun -n pki-ca
-/bin/systemctl daemon-reload >/dev/null 2>&1 || :
-if [ "$1" -ge "1" ] ; then
- /bin/systemctl try-restart pki-cad.target >/dev/null 2>&1 || :
-fi
-
-
-%postun -n pki-kra
-/bin/systemctl daemon-reload >/dev/null 2>&1 || :
-if [ "$1" -ge "1" ] ; then
- /bin/systemctl try-restart pki-krad.target >/dev/null 2>&1 || :
-fi
-
-
-%postun -n pki-ocsp
-/bin/systemctl daemon-reload >/dev/null 2>&1 || :
-if [ "$1" -ge "1" ] ; then
- /bin/systemctl try-restart pki-ocspd.target >/dev/null 2>&1 || :
-fi
-
-
-%postun -n pki-tks
-/bin/systemctl daemon-reload >/dev/null 2>&1 || :
-if [ "$1" -ge "1" ] ; then
- /bin/systemctl try-restart pki-tksd.target >/dev/null 2>&1 || :
-fi
-
-
## %postun -n pki-server
## NOTE: At this time, NO attempt has been made to update ANY PKI subsystem
## from EITHER 'sysVinit' OR previous 'systemd' processes to the new
@@ -943,9 +743,6 @@ fi
%files -n pki-ca
%defattr(-,root,root,-)
%doc base/ca/LICENSE
-%dir %{_sysconfdir}/systemd/system/pki-cad.target.wants
-%{_unitdir}/pki-cad@.service
-%{_unitdir}/pki-cad.target
%{_javadir}/pki/pki-ca.jar
%dir %{_datadir}/pki/ca
%{_datadir}/pki/ca/conf/
@@ -958,9 +755,6 @@ fi
%files -n pki-kra
%defattr(-,root,root,-)
%doc base/kra/LICENSE
-%dir %{_sysconfdir}/systemd/system/pki-krad.target.wants
-%{_unitdir}/pki-krad@.service
-%{_unitdir}/pki-krad.target
%{_javadir}/pki/pki-kra.jar
%dir %{_datadir}/pki/kra
%{_datadir}/pki/kra/conf/
@@ -970,9 +764,6 @@ fi
%files -n pki-ocsp
%defattr(-,root,root,-)
%doc base/ocsp/LICENSE
-%dir %{_sysconfdir}/systemd/system/pki-ocspd.target.wants
-%{_unitdir}/pki-ocspd@.service
-%{_unitdir}/pki-ocspd.target
%{_javadir}/pki/pki-ocsp.jar
%dir %{_datadir}/pki/ocsp
%{_datadir}/pki/ocsp/conf/
@@ -982,9 +773,6 @@ fi
%files -n pki-tks
%defattr(-,root,root,-)
%doc base/tks/LICENSE
-%dir %{_sysconfdir}/systemd/system/pki-tksd.target.wants
-%{_unitdir}/pki-tksd@.service
-%{_unitdir}/pki-tksd.target
%{_javadir}/pki/pki-tks.jar
%dir %{_datadir}/pki/tks
%{_datadir}/pki/tks/conf/
@@ -994,9 +782,6 @@ fi
%files -n pki-tps-tomcat
%defattr(-,root,root,-)
%doc base/tps/LICENSE
-%dir %{_sysconfdir}/systemd/system/pki-tpsd.target.wants
-%{_unitdir}/pki-tpsd@.service
-%{_unitdir}/pki-tpsd.target
%{_javadir}/pki/pki-tps.jar
%dir %{_datadir}/pki/tps
%{_datadir}/pki/tps/conf/
@@ -1014,6 +799,9 @@ fi
%endif # %{with server}
%changelog
+* Wed Jul 2 2014 Matthew Harmsen <mharmsen@redhat.com> - 10.2.0-0.5
+- PKI TRAC Ticket #832 - Remove legacy 'systemctl' files . . .
+
* Tue Jul 1 2014 Ade Lee <alee@redhat.com> - 10.2.0-0.4
- Update rawhide build