-rw-r--r--base/ca/shared/conf/server.xml277
-rw-r--r--base/kra/shared/conf/server.xml265
-rw-r--r--base/ocsp/shared/conf/server.xml258
-rw-r--r--base/server/scripts/operations4
-rw-r--r--base/server/tomcat7/conf/server.xml2
-rw-r--r--base/server/tomcat8/conf/server.xml2
-rwxr-xr-xbase/server/upgrade/10.2.6/02-AddPhoneHomeURLsToTPSsServerXML112
-rw-r--r--base/tks/shared/conf/server.xml258
-rw-r--r--base/tps/shared/conf/server.xml258
9 files changed, 120 insertions, 1316 deletions
diff --git a/base/ca/shared/conf/server.xml b/base/ca/shared/conf/server.xml
deleted file mode 100644
index 92f84260e..000000000
--- a/base/ca/shared/conf/server.xml
+++ /dev/null
@@ -1,277 +0,0 @@
-<?xml version='1.0' encoding='utf-8'?>
-<!-- BEGIN COPYRIGHT BLOCK
- Copyright (C) 2006-2010 Red Hat, Inc.
- All rights reserved.
- Modifications: configuration parameters
- END COPYRIGHT BLOCK -->
-<!--
- Licensed to the Apache Software Foundation (ASF) under one or more
- contributor license agreements. See the NOTICE file distributed with
- this work for additional information regarding copyright ownership.
- The ASF licenses this file to You under the Apache License, Version 2.0
- (the "License"); you may not use this file except in compliance with
- the License. You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
- Unless required by applicable law or agreed to in writing, software
- distributed under the License is distributed on an "AS IS" BASIS,
- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- See the License for the specific language governing permissions and
- limitations under the License.
--->
-<!-- Note: A "Server" is not itself a "Container", so you may not
- define subcomponents such as "Valves" at this level.
- Documentation at /docs/config/server.html
- -->
-
-<!-- DO NOT REMOVE - Begin PKI Status Definitions -->
-<!--
-Unsecure URL = http://[PKI_HOSTNAME]:[PKI_UNSECURE_PORT]/[PKI_SUBSYSTEM_TYPE]/ee/[PKI_SUBSYSTEM_TYPE]
-Secure Agent URL = https://[PKI_HOSTNAME]:[PKI_AGENT_SECURE_PORT]/[PKI_SUBSYSTEM_TYPE]/agent/[PKI_SUBSYSTEM_TYPE]
-Secure EE URL = https://[PKI_HOSTNAME]:[PKI_EE_SECURE_PORT]/[PKI_SUBSYSTEM_TYPE]/ee/[PKI_SUBSYSTEM_TYPE]
-Secure Admin URL = https://[PKI_HOSTNAME]:[PKI_ADMIN_SECURE_PORT]/[PKI_SUBSYSTEM_TYPE]/services
-EE Client Auth URL = https://[PKI_HOSTNAME]:[PKI_EE_SECURE_CLIENT_AUTH_PORT]/[PKI_SUBSYSTEM_TYPE]/eeca/[PKI_SUBSYSTEM_TYPE]
-PKI Console Command = pkiconsole https://[PKI_HOSTNAME]:[PKI_ADMIN_SECURE_PORT]/[PKI_SUBSYSTEM_TYPE]
-Tomcat Port = [TOMCAT_SERVER_PORT] (for shutdown)
--->
-<!-- DO NOT REMOVE - End PKI Status Definitions -->
-
-<Server port="[TOMCAT_SERVER_PORT]" shutdown="SHUTDOWN">
-
- <!--APR library loader. Documentation at /docs/apr.html -->
- <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />
- <!--Initialize Jasper prior to webapps are loaded. Documentation at /docs/jasper-howto.html -->
- <Listener className="org.apache.catalina.core.JasperListener" />
- <!-- JMX Support for the Tomcat server. Documentation at /docs/non-existent.html -->
- <Listener className="org.apache.catalina.mbeans.ServerLifecycleListener" />
- <Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener" />
-
- <!-- Global JNDI resources
- Documentation at /docs/jndi-resources-howto.html
- -->
- <GlobalNamingResources>
- <!-- Editable user database that can also be used by
- UserDatabaseRealm to authenticate users
- -->
- <Resource name="UserDatabase" auth="Container"
- type="org.apache.catalina.UserDatabase"
- description="User database that can be updated and saved"
- factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
- pathname="conf/tomcat-users.xml" />
- </GlobalNamingResources>
-
- <!-- A "Service" is a collection of one or more "Connectors" that share
- a single "Container" Note: A "Service" is not itself a "Container",
- so you may not define subcomponents such as "Valves" at this level.
- Documentation at /docs/config/service.html
- -->
- <Service name="Catalina">
-
- <!--The connectors can use a shared executor, you can define one or more named thread pools-->
- <!--
- <Executor name="tomcatThreadPool" namePrefix="catalina-exec-"
- maxThreads="150" minSpareThreads="4"/>
- -->
-
-
- <!-- A "Connector" represents an endpoint by which requests are received
- and responses are returned. Documentation at :
- Java HTTP Connector: /docs/config/http.html (blocking & non-blocking)
- Java AJP Connector: /docs/config/ajp.html
- APR (HTTP/AJP) Connector: /docs/apr.html
- Define a non-SSL HTTP/1.1 Connector on port 8080
- -->
-
- [PKI_UNSECURE_PORT_SERVER_COMMENT]
- <Connector name="[PKI_UNSECURE_PORT_CONNECTOR_NAME]" port="[PKI_UNSECURE_PORT]" protocol="HTTP/1.1" redirectPort="[PKI_SECURE_PORT]"
- maxHttpHeaderSize="8192"
- acceptCount="100" maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
- enableLookups="false" connectionTimeout="20000" disableUploadTimeout="true"
- />
-
- <!-- Define a SSL HTTP/1.1 Connector on port 8443 -->
- [PKI_SECURE_PORT_SERVER_COMMENT]
- <!-- DO NOT REMOVE - Begin define PKI secure port
- NOTE: The OCSP settings take effect globally, so it should only be set once.
-
- In setup where SSL clientAuth="true", OCSP can be turned on by
- setting enableOCSP to true like the following:
- enableOCSP="true"
- along with changes to related settings, especially:
- ocspResponderURL=<see example in connector definition below>
- ocspResponderCertNickname=<see example in connector definition below>
- Here are the definition to all the OCSP-related settings:
- enableOCSP - turns on/off the ocsp check
- ocspResponderURL - sets the url where the ocsp requests are sent
- ocspResponderCertNickname - sets the nickname of the cert that is
- either CA's signing certificate or the OCSP server's signing
- certificate.
- The CA's signing certificate should already be in the db, in
- case of the same security domain.
- In case of an ocsp signing certificate, one must import the cert
- into the subsystem's nss db and set trust. e.g.:
- certutil -d . -A -n "ocspSigningCert cert-pki-ca" -t "C,," -a -i ocspCert.b64
- ocspCacheSize - sets max cache entries
- ocspMinCacheEntryDuration - sets minimum seconds to next fetch attempt
- ocspMaxCacheEntryDuration - sets maximum seconds to next fetch attempt
- ocspTimeout -sets OCSP timeout in seconds
- -->
- <Connector name="[PKI_SECURE_PORT_CONNECTOR_NAME]" port="[PKI_SECURE_PORT]" protocol="HTTP/1.1" SSLEnabled="true" sslProtocol="SSL" scheme="https" secure="true"
- maxHttpHeaderSize="8192"
- acceptCount="100" maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
- enableLookups="false" disableUploadTimeout="true"
- SSLImplementation="org.apache.tomcat.util.net.jss.JSSImplementation"
- enableOCSP="false"
- ocspResponderURL="http://[PKI_HOSTNAME]:9080/ca/ocsp"
- ocspResponderCertNickname="ocspSigningCert cert-pki-ca"
- ocspCacheSize="1000"
- ocspMinCacheEntryDuration="60"
- ocspMaxCacheEntryDuration="120"
- ocspTimeout="10"
- strictCiphers="false"
- clientAuth="[PKI_AGENT_CLIENTAUTH]"
- sslOptions="[TOMCAT_SSL_OPTIONS]"
- ssl2Ciphers="[TOMCAT_SSL2_CIPHERS]"
- ssl3Ciphers="[TOMCAT_SSL3_CIPHERS]"
- tlsCiphers="[TOMCAT_TLS_CIPHERS]"
- serverCertNickFile="[PKI_INSTANCE_PATH]/conf/serverCertNick.conf"
- passwordFile="[PKI_INSTANCE_PATH]/conf/password.conf"
- passwordClass="org.apache.tomcat.util.net.jss.PlainPasswordFile"
- certdbDir="[PKI_INSTANCE_PATH]/alias"
- />
- <!-- DO NOT REMOVE - End define PKI secure port -->
-
- [PKI_OPEN_SEPARATE_PORTS_SERVER_COMMENT][PKI_ADMIN_SECURE_PORT_SERVER_COMMENT]
- <Connector name="[PKI_ADMIN_SECURE_PORT_CONNECTOR_NAME]" port="[PKI_ADMIN_SECURE_PORT]" SSLEnabled="true" sslProtocol="SSL" scheme="https" secure="true"
- maxHttpHeaderSize="8192"
- acceptCount="100" maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
- enableLookups="false" disableUploadTimeout="true"
- SSLImplementation="org.apache.tomcat.util.net.jss.JSSImplementation"
- strictCiphers="false"
- clientAuth="false"
- sslOptions="[TOMCAT_SSL_OPTIONS]"
- ssl2Ciphers="[TOMCAT_SSL2_CIPHERS]"
- ssl3Ciphers="[TOMCAT_SSL3_CIPHERS]"
- tlsCiphers="[TOMCAT_TLS_CIPHERS]"
- serverCertNickFile="[PKI_INSTANCE_PATH]/conf/serverCertNick.conf"
- passwordFile="[PKI_INSTANCE_PATH]/conf/password.conf"
- passwordClass="org.apache.tomcat.util.net.jss.PlainPasswordFile"
- certdbDir="[PKI_INSTANCE_PATH]/alias"/>
- [PKI_CLOSE_SEPARATE_PORTS_SERVER_COMMENT]
-
- [PKI_OPEN_SEPARATE_PORTS_SERVER_COMMENT][PKI_EE_SECURE_PORT_SERVER_COMMENT]
- <Connector name="[PKI_EE_SECURE_PORT_CONNECTOR_NAME]" port="[PKI_EE_SECURE_PORT]" SSLEnabled="true" sslProtocol="SSL" scheme="https" secure="true"
- maxHttpHeaderSize="8192"
- acceptCount="100" maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
- enableLookups="false" disableUploadTimeout="true"
- SSLImplementation="org.apache.tomcat.util.net.jss.JSSImplementation"
- strictCiphers="false"
- clientAuth="false"
- sslOptions="[TOMCAT_SSL_OPTIONS]"
- ssl2Ciphers="[TOMCAT_SSL2_CIPHERS]"
- ssl3Ciphers="[TOMCAT_SSL3_CIPHERS]"
- tlsCiphers="[TOMCAT_TLS_CIPHERS]"
- serverCertNickFile="[PKI_INSTANCE_PATH]/conf/serverCertNick.conf"
- passwordFile="[PKI_INSTANCE_PATH]/conf/password.conf"
- passwordClass="org.apache.tomcat.util.net.jss.PlainPasswordFile"
- certdbDir="[PKI_INSTANCE_PATH]/alias"/>
- [PKI_CLOSE_SEPARATE_PORTS_SERVER_COMMENT]
-
- [PKI_OPEN_SEPARATE_PORTS_SERVER_COMMENT][PKI_EE_SECURE_CLIENT_AUTH_PORT_SERVER_COMMENT]
- <Connector name="[PKI_EE_SECURE_CLIENT_AUTH_PORT_CONNECTOR_NAME]" port="[PKI_EE_SECURE_CLIENT_AUTH_PORT]" SSLEnabled="true" sslProtocol="SSL" scheme="https" secure="true"
- maxHttpHeaderSize="8192"
- acceptCount="100" maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
- enableLookups="false" disableUploadTimeout="true"
- SSLImplementation="org.apache.tomcat.util.net.jss.JSSImplementation"
- strictCiphers="false"
- clientAuth="true"
- sslOptions="[TOMCAT_SSL_OPTIONS]"
- ssl2Ciphers="[TOMCAT_SSL2_CIPHERS]"
- ssl3Ciphers="[TOMCAT_SSL3_CIPHERS]"
- tlsCiphers="[TOMCAT_TLS_CIPHERS]"
- serverCertNickFile="[PKI_INSTANCE_PATH]/conf/serverCertNick.conf"
- passwordFile="[PKI_INSTANCE_PATH]/conf/password.conf"
- passwordClass="org.apache.tomcat.util.net.jss.PlainPasswordFile"
- certdbDir="[PKI_INSTANCE_PATH]/alias"/>
- [PKI_CLOSE_SEPARATE_PORTS_SERVER_COMMENT]
-
- <!-- A "Connector" using the shared thread pool-->
- <!--
- <Connector executor="tomcatThreadPool"
- port="8080" protocol="HTTP/1.1"
- connectionTimeout="20000"
- redirectPort="8443" />
- -->
- <!-- Define a SSL HTTP/1.1 Connector on port 8443
- This connector uses the JSSE configuration, when using APR, the
- connector should be using the OpenSSL style configuration
- described in the APR documentation -->
- <!--
- <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
- maxThreads="150" scheme="https" secure="true"
- clientAuth="false" sslProtocol="TLS" />
- -->
-
- <!-- Define an AJP 1.3 Connector on port [PKI_AJP_PORT] -->
-[PKI_OPEN_AJP_PORT_COMMENT]
- <Connector port="[PKI_AJP_PORT]" protocol="AJP/1.3" redirectPort="[PKI_AJP_REDIRECT_PORT]" address="127.0.0.1" />
-[PKI_CLOSE_AJP_PORT_COMMENT]
-
-
- <!-- An Engine represents the entry point (within Catalina) that processes
- every request. The Engine implementation for Tomcat stand alone
- analyzes the HTTP headers included with the request, and passes them
- on to the appropriate Host (virtual host).
- Documentation at /docs/config/engine.html -->
-
- <!-- You should set jvmRoute to support load-balancing via AJP ie :
- <Engine name="Catalina" defaultHost="localhost" jvmRoute="jvm1">
- -->
- <Engine name="Catalina" defaultHost="localhost">
-
- <!--For clustering, please take a look at documentation at:
- /docs/cluster-howto.html (simple how to)
- /docs/config/cluster.html (reference documentation) -->
- <!--
- <Cluster className="org.apache.catalina.ha.tcp.SimpleTcpCluster"/>
- -->
-
- <!-- The request dumper valve dumps useful debugging information about
- the request and response data received and sent by Tomcat.
- Documentation at: /docs/config/valve.html -->
- <!--
- <Valve className="org.apache.catalina.valves.RequestDumperValve"/>
- -->
-
- <!-- This Realm uses the UserDatabase configured in the global JNDI
- resources under the key "UserDatabase". Any edits
- that are performed against this UserDatabase are immediately
- available for use by the Realm. -->
- <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
- resourceName="UserDatabase"/>
-
- <!-- Define the default virtual host
- Note: XML Schema validation will not work with Xerces 2.2.
- -->
- <Host name="localhost" appBase="webapps"
- unpackWARs="true" autoDeploy="false"
- xmlValidation="false" xmlNamespaceAware="false">
-
- <!-- SingleSignOn valve, share authentication between web applications
- Documentation at: /docs/config/valve.html -->
- <!--
- <Valve className="org.apache.catalina.authenticator.SingleSignOn" />
- -->
-
- <!-- Access log processes all example.
- Documentation at: /docs/config/valve.html -->
- [PKI_OPEN_TOMCAT_ACCESS_LOG_COMMENT]
- <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
- prefix="localhost_access_log." suffix=".txt" pattern="common" resolveHosts="false"/>
- [PKI_CLOSE_TOMCAT_ACCESS_LOG_COMMENT]
-
- </Host>
- </Engine>
- </Service>
-</Server>
diff --git a/base/kra/shared/conf/server.xml b/base/kra/shared/conf/server.xml
deleted file mode 100644
index 007524982..000000000
--- a/base/kra/shared/conf/server.xml
+++ /dev/null
@@ -1,265 +0,0 @@
-<?xml version='1.0' encoding='utf-8'?>
-<!-- BEGIN COPYRIGHT BLOCK
- Copyright (C) 2006-2010 Red Hat, Inc.
- All rights reserved.
- Modifications: configuration parameters
- END COPYRIGHT BLOCK -->
-<!--
- Licensed to the Apache Software Foundation (ASF) under one or more
- contributor license agreements. See the NOTICE file distributed with
- this work for additional information regarding copyright ownership.
- The ASF licenses this file to You under the Apache License, Version 2.0
- (the "License"); you may not use this file except in compliance with
- the License. You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
- Unless required by applicable law or agreed to in writing, software
- distributed under the License is distributed on an "AS IS" BASIS,
- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- See the License for the specific language governing permissions and
- limitations under the License.
--->
-<!-- Note: A "Server" is not itself a "Container", so you may not
- define subcomponents such as "Valves" at this level.
- Documentation at /docs/config/server.html
- -->
-
-<!-- DO NOT REMOVE - Begin PKI Status Definitions -->
-<!--
-Unsecure URL = http://[PKI_HOSTNAME]:[PKI_UNSECURE_PORT]/[PKI_SUBSYSTEM_TYPE]/ee/[PKI_SUBSYSTEM_TYPE]
-Secure Agent URL = https://[PKI_HOSTNAME]:[PKI_AGENT_SECURE_PORT]/[PKI_SUBSYSTEM_TYPE]/agent/[PKI_SUBSYSTEM_TYPE]
-Secure EE URL = https://[PKI_HOSTNAME]:[PKI_EE_SECURE_PORT]/[PKI_SUBSYSTEM_TYPE]/ee/[PKI_SUBSYSTEM_TYPE]
-Secure Admin URL = https://[PKI_HOSTNAME]:[PKI_ADMIN_SECURE_PORT]/[PKI_SUBSYSTEM_TYPE]/services
-PKI Console Command = pkiconsole https://[PKI_HOSTNAME]:[PKI_ADMIN_SECURE_PORT]/[PKI_SUBSYSTEM_TYPE]
-Tomcat Port = [TOMCAT_SERVER_PORT] (for shutdown)
--->
-<!-- DO NOT REMOVE - End PKI Status Definitions -->
-
-<Server port="[TOMCAT_SERVER_PORT]" shutdown="SHUTDOWN">
-
- <!--APR library loader. Documentation at /docs/apr.html -->
- <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />
- <!--Initialize Jasper prior to webapps are loaded. Documentation at /docs/jasper-howto.html -->
- <Listener className="org.apache.catalina.core.JasperListener" />
- <!-- JMX Support for the Tomcat server. Documentation at /docs/non-existent.html -->
- <Listener className="org.apache.catalina.mbeans.ServerLifecycleListener" />
- <Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener" />
-
- <!-- Global JNDI resources
- Documentation at /docs/jndi-resources-howto.html
- -->
- <GlobalNamingResources>
- <!-- Editable user database that can also be used by
- UserDatabaseRealm to authenticate users
- -->
- <Resource name="UserDatabase" auth="Container"
- type="org.apache.catalina.UserDatabase"
- description="User database that can be updated and saved"
- factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
- pathname="conf/tomcat-users.xml" />
- </GlobalNamingResources>
-
- <!-- A "Service" is a collection of one or more "Connectors" that share
- a single "Container" Note: A "Service" is not itself a "Container",
- so you may not define subcomponents such as "Valves" at this level.
- Documentation at /docs/config/service.html
- -->
- <Service name="Catalina">
-
- <!--The connectors can use a shared executor, you can define one or more named thread pools-->
- <!--
- <Executor name="tomcatThreadPool" namePrefix="catalina-exec-"
- maxThreads="150" minSpareThreads="4"/>
- -->
-
-
- <!-- A "Connector" represents an endpoint by which requests are received
- and responses are returned. Documentation at :
- Java HTTP Connector: /docs/config/http.html (blocking & non-blocking)
- Java AJP Connector: /docs/config/ajp.html
- APR (HTTP/AJP) Connector: /docs/apr.html
- Define a non-SSL HTTP/1.1 Connector on port 8080
- -->
-
- [PKI_UNSECURE_PORT_SERVER_COMMENT]
- <Connector name="[PKI_UNSECURE_PORT_CONNECTOR_NAME]" port="[PKI_UNSECURE_PORT]" protocol="HTTP/1.1" redirectPort="8443"
- maxHttpHeaderSize="8192"
- acceptCount="100" maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
- enableLookups="false" connectionTimeout="20000" disableUploadTimeout="true"
- />
-
- <!-- Define a SSL HTTP/1.1 Connector on port 8443 -->
- [PKI_SECURE_PORT_SERVER_COMMENT]
- <!-- DO NOT REMOVE - Begin define PKI secure port
- NOTE: The OCSP settings take effect globally, so it should only be set once.
-
- In setup where SSL clientAuth="true", OCSP can be turned on by
- setting enableOCSP to true like the following:
- enableOCSP="true"
- along with changes to related settings, especially:
- ocspResponderURL=<see example in connector definition below>
- ocspResponderCertNickname=<see example in connector definition below>
- Here are the definition to all the OCSP-related settings:
- enableOCSP - turns on/off the ocsp check
- ocspResponderURL - sets the url where the ocsp requests are sent
- ocspResponderCertNickname - sets the nickname of the cert that is
- either CA's signing certificate or the OCSP server's signing
- certificate.
- The CA's signing certificate should already be in the db, in
- case of the same security domain.
- In case of an ocsp signing certificate, one must import the cert
- into the subsystem's nss db and set trust. e.g.:
- certutil -d . -A -n "ocspSigningCert cert-pki-ca" -t "C,," -a -i ocspCert.b64
- ocspCacheSize - sets max cache entries
- ocspMinCacheEntryDuration - sets minimum seconds to next fetch attempt
- ocspMaxCacheEntryDuration - sets maximum seconds to next fetch attempt
- ocspTimeout -sets OCSP timeout in seconds
- -->
- <Connector name="[PKI_SECURE_PORT_CONNECTOR_NAME]" port="[PKI_SECURE_PORT]" protocol="HTTP/1.1" SSLEnabled="true" sslProtocol="SSL" scheme="https" secure="true"
- maxHttpHeaderSize="8192"
- acceptCount="100" maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
- enableLookups="false" disableUploadTimeout="true"
- SSLImplementation="org.apache.tomcat.util.net.jss.JSSImplementation"
- enableOCSP="false"
- ocspResponderURL="http://[PKI_HOSTNAME]:9080/ca/ocsp"
- ocspResponderCertNickname="ocspSigningCert cert-pki-ca"
- ocspCacheSize="1000"
- ocspMinCacheEntryDuration="60"
- ocspMaxCacheEntryDuration="120"
- ocspTimeout="10"
- strictCiphers="false"
- clientAuth="[PKI_AGENT_CLIENTAUTH]"
- sslOptions="[TOMCAT_SSL_OPTIONS]"
- ssl2Ciphers="[TOMCAT_SSL2_CIPHERS]"
- ssl3Ciphers="[TOMCAT_SSL3_CIPHERS]"
- tlsCiphers="[TOMCAT_TLS_CIPHERS]"
- serverCertNickFile="[PKI_INSTANCE_PATH]/conf/serverCertNick.conf"
- passwordFile="[PKI_INSTANCE_PATH]/conf/password.conf"
- passwordClass="org.apache.tomcat.util.net.jss.PlainPasswordFile"
- certdbDir="[PKI_INSTANCE_PATH]/alias"
- />
- <!-- DO NOT REMOVE - End define PKI secure port -->
-
- [PKI_OPEN_SEPARATE_PORTS_SERVER_COMMENT][PKI_ADMIN_SECURE_PORT_SERVER_COMMENT]
- <Connector name="[PKI_ADMIN_SECURE_PORT_CONNECTOR_NAME]" port="[PKI_ADMIN_SECURE_PORT]" SSLEnabled="true" sslProtocol="SSL" scheme="https" secure="true"
- maxHttpHeaderSize="8192"
- acceptCount="100" maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
- enableLookups="false" disableUploadTimeout="true"
- SSLImplementation="org.apache.tomcat.util.net.jss.JSSImplementation"
- strictCiphers="false"
- clientAuth="false"
- sslOptions="[TOMCAT_SSL_OPTIONS]"
- ssl2Ciphers="[TOMCAT_SSL2_CIPHERS]"
- ssl3Ciphers="[TOMCAT_SSL3_CIPHERS]"
- tlsCiphers="[TOMCAT_TLS_CIPHERS]"
- serverCertNickFile="[PKI_INSTANCE_PATH]/conf/serverCertNick.conf"
- passwordFile="[PKI_INSTANCE_PATH]/conf/password.conf"
- passwordClass="org.apache.tomcat.util.net.jss.PlainPasswordFile"
- certdbDir="[PKI_INSTANCE_PATH]/alias"/>
- [PKI_CLOSE_SEPARATE_PORTS_SERVER_COMMENT]
-
- [PKI_OPEN_SEPARATE_PORTS_SERVER_COMMENT][PKI_EE_SECURE_PORT_SERVER_COMMENT]
- <Connector name="[PKI_EE_SECURE_PORT_CONNECTOR_NAME]" port="[PKI_EE_SECURE_PORT]" SSLEnabled="true" sslProtocol="SSL" scheme="https" secure="true"
- maxHttpHeaderSize="8192"
- acceptCount="100" maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
- enableLookups="false" disableUploadTimeout="true"
- SSLImplementation="org.apache.tomcat.util.net.jss.JSSImplementation"
- strictCiphers="false"
- clientAuth="false"
- sslOptions="[TOMCAT_SSL_OPTIONS]"
- ssl2Ciphers="[TOMCAT_SSL2_CIPHERS]"
- ssl3Ciphers="[TOMCAT_SSL3_CIPHERS]"
- tlsCiphers="[TOMCAT_TLS_CIPHERS]"
- serverCertNickFile="[PKI_INSTANCE_PATH]/conf/serverCertNick.conf"
- passwordFile="[PKI_INSTANCE_PATH]/conf/password.conf"
- passwordClass="org.apache.tomcat.util.net.jss.PlainPasswordFile"
- certdbDir="[PKI_INSTANCE_PATH]/alias"/>
- [PKI_CLOSE_SEPARATE_PORTS_SERVER_COMMENT]
-
- <!-- A "Connector" using the shared thread pool-->
- <!--
- <Connector executor="tomcatThreadPool"
- port="8080" protocol="HTTP/1.1"
- connectionTimeout="20000"
- redirectPort="8443" />
- -->
- <!-- Define a SSL HTTP/1.1 Connector on port 8443
- This connector uses the JSSE configuration, when using APR, the
- connector should be using the OpenSSL style configuration
- described in the APR documentation -->
- <!--
- <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
- maxThreads="150" scheme="https" secure="true"
- clientAuth="false" sslProtocol="TLS" />
- -->
-
- <!-- Define an AJP 1.3 Connector on port [PKI_AJP_PORT] -->
-[PKI_OPEN_AJP_PORT_COMMENT]
- <Connector port="[PKI_AJP_PORT]" protocol="AJP/1.3" redirectPort="[PKI_AJP_REDIRECT_PORT]" address="127.0.0.1" />
-[PKI_CLOSE_AJP_PORT_COMMENT]
-
-
- <!-- An Engine represents the entry point (within Catalina) that processes
- every request. The Engine implementation for Tomcat stand alone
- analyzes the HTTP headers included with the request, and passes them
- on to the appropriate Host (virtual host).
- Documentation at /docs/config/engine.html -->
-
- <!-- You should set jvmRoute to support load-balancing via AJP ie :
- <Engine name="Catalina" defaultHost="localhost" jvmRoute="jvm1">
- -->
- <Engine name="Catalina" defaultHost="localhost">
-
- <!--For clustering, please take a look at documentation at:
- /docs/cluster-howto.html (simple how to)
- /docs/config/cluster.html (reference documentation) -->
- <!--
- <Cluster className="org.apache.catalina.ha.tcp.SimpleTcpCluster"/>
- -->
-
- <!-- The request dumper valve dumps useful debugging information about
- the request and response data received and sent by Tomcat.
- Documentation at: /docs/config/valve.html -->
- <!--
- <Valve className="org.apache.catalina.valves.RequestDumperValve"/>
- -->
-
- <!-- This Realm uses the UserDatabase configured in the global JNDI
- resources under the key "UserDatabase". Any edits
- that are performed against this UserDatabase are immediately
- available for use by the Realm. -->
-
- <!--
- <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
- resourceName="UserDatabase"/>
- -->
-
- <!--
- <Realm className="com.netscape.cmscore.realm.PKIRealm" />
- -->
-
- <!-- Define the default virtual host
- Note: XML Schema validation will not work with Xerces 2.2.
- -->
- <Host name="localhost" appBase="webapps"
- unpackWARs="true" autoDeploy="false"
- xmlValidation="false" xmlNamespaceAware="false">
-
- <!-- SingleSignOn valve, share authentication between web applications
- Documentation at: /docs/config/valve.html -->
- <!--
- <Valve className="org.apache.catalina.authenticator.SingleSignOn" />
- -->
-
- <!-- Access log processes all example.
- Documentation at: /docs/config/valve.html -->
- [PKI_OPEN_TOMCAT_ACCESS_LOG_COMMENT]
- <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
- prefix="localhost_access_log." suffix=".txt" pattern="common" resolveHosts="false"/>
- [PKI_CLOSE_TOMCAT_ACCESS_LOG_COMMENT]
-
- </Host>
- </Engine>
- </Service>
-</Server>
diff --git a/base/ocsp/shared/conf/server.xml b/base/ocsp/shared/conf/server.xml
deleted file mode 100644
index 744b57dc1..000000000
--- a/base/ocsp/shared/conf/server.xml
+++ /dev/null
@@ -1,258 +0,0 @@
-<?xml version='1.0' encoding='utf-8'?>
-<!-- BEGIN COPYRIGHT BLOCK
- Copyright (C) 2006-2010 Red Hat, Inc.
- All rights reserved.
- Modifications: configuration parameters
- END COPYRIGHT BLOCK -->
-<!--
- Licensed to the Apache Software Foundation (ASF) under one or more
- contributor license agreements. See the NOTICE file distributed with
- this work for additional information regarding copyright ownership.
- The ASF licenses this file to You under the Apache License, Version 2.0
- (the "License"); you may not use this file except in compliance with
- the License. You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
- Unless required by applicable law or agreed to in writing, software
- distributed under the License is distributed on an "AS IS" BASIS,
- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- See the License for the specific language governing permissions and
- limitations under the License.
--->
-<!-- Note: A "Server" is not itself a "Container", so you may not
- define subcomponents such as "Valves" at this level.
- Documentation at /docs/config/server.html
- -->
-
-<!-- DO NOT REMOVE - Begin PKI Status Definitions -->
-<!--
-Unsecure URL = http://[PKI_HOSTNAME]:[PKI_UNSECURE_PORT]/[PKI_SUBSYSTEM_TYPE]/ee/[PKI_SUBSYSTEM_TYPE]
-Secure Agent URL = https://[PKI_HOSTNAME]:[PKI_AGENT_SECURE_PORT]/[PKI_SUBSYSTEM_TYPE]/agent/[PKI_SUBSYSTEM_TYPE]
-Secure EE URL = https://[PKI_HOSTNAME]:[PKI_EE_SECURE_PORT]/[PKI_SUBSYSTEM_TYPE]/ee/[PKI_SUBSYSTEM_TYPE]
-Secure Admin URL = https://[PKI_HOSTNAME]:[PKI_ADMIN_SECURE_PORT]/[PKI_SUBSYSTEM_TYPE]/services
-PKI Console Command = pkiconsole https://[PKI_HOSTNAME]:[PKI_ADMIN_SECURE_PORT]/[PKI_SUBSYSTEM_TYPE]
-Tomcat Port = [TOMCAT_SERVER_PORT] (for shutdown)
--->
-<!-- DO NOT REMOVE - End PKI Status Definitions -->
-
-<Server port="[TOMCAT_SERVER_PORT]" shutdown="SHUTDOWN">
-
- <!--APR library loader. Documentation at /docs/apr.html -->
- <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />
- <!--Initialize Jasper prior to webapps are loaded. Documentation at /docs/jasper-howto.html -->
- <Listener className="org.apache.catalina.core.JasperListener" />
- <!-- JMX Support for the Tomcat server. Documentation at /docs/non-existent.html -->
- <Listener className="org.apache.catalina.mbeans.ServerLifecycleListener" />
- <Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener" />
-
- <!-- Global JNDI resources
- Documentation at /docs/jndi-resources-howto.html
- -->
- <GlobalNamingResources>
- <!-- Editable user database that can also be used by
- UserDatabaseRealm to authenticate users
- -->
- <Resource name="UserDatabase" auth="Container"
- type="org.apache.catalina.UserDatabase"
- description="User database that can be updated and saved"
- factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
- pathname="conf/tomcat-users.xml" />
- </GlobalNamingResources>
-
- <!-- A "Service" is a collection of one or more "Connectors" that share
- a single "Container" Note: A "Service" is not itself a "Container",
- so you may not define subcomponents such as "Valves" at this level.
- Documentation at /docs/config/service.html
- -->
- <Service name="Catalina">
-
- <!--The connectors can use a shared executor, you can define one or more named thread pools-->
- <!--
- <Executor name="tomcatThreadPool" namePrefix="catalina-exec-"
- maxThreads="150" minSpareThreads="4"/>
- -->
-
-
- <!-- A "Connector" represents an endpoint by which requests are received
- and responses are returned. Documentation at :
- Java HTTP Connector: /docs/config/http.html (blocking & non-blocking)
- Java AJP Connector: /docs/config/ajp.html
- APR (HTTP/AJP) Connector: /docs/apr.html
- Define a non-SSL HTTP/1.1 Connector on port 8080
- -->
-
- [PKI_UNSECURE_PORT_SERVER_COMMENT]
- <Connector name="[PKI_UNSECURE_PORT_CONNECTOR_NAME]" port="[PKI_UNSECURE_PORT]" protocol="HTTP/1.1" redirectPort="8443"
- maxHttpHeaderSize="8192"
- acceptCount="100" maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
- enableLookups="false" connectionTimeout="20000" disableUploadTimeout="true"
- />
-
- <!-- Define a SSL HTTP/1.1 Connector on port 8443 -->
- [PKI_SECURE_PORT_SERVER_COMMENT]
- <!-- DO NOT REMOVE - Begin define PKI secure port
- NOTE: The OCSP settings take effect globally, so it should only be set once.
-
- In setup where SSL clientAuth="true", OCSP can be turned on by
- setting enableOCSP to true like the following:
- enableOCSP="true"
- along with changes to related settings, especially:
- ocspResponderURL=<see example in connector definition below>
- ocspResponderCertNickname=<see example in connector definition below>
- Here are the definition to all the OCSP-related settings:
- enableOCSP - turns on/off the ocsp check
- ocspResponderURL - sets the url where the ocsp requests are sent
- ocspResponderCertNickname - sets the nickname of the cert that is
- either CA's signing certificate or the OCSP server's signing
- certificate.
- The CA's signing certificate should already be in the db, in
- case of the same security domain.
- In case of an ocsp signing certificate, one must import the cert
- into the subsystem's nss db and set trust. e.g.:
- certutil -d . -A -n "ocspSigningCert cert-pki-ca" -t "C,," -a -i ocspCert.b64
- ocspCacheSize - sets max cache entries
- ocspMinCacheEntryDuration - sets minimum seconds to next fetch attempt
- ocspMaxCacheEntryDuration - sets maximum seconds to next fetch attempt
- ocspTimeout -sets OCSP timeout in seconds
- -->
- <Connector name="[PKI_SECURE_PORT_CONNECTOR_NAME]" port="[PKI_SECURE_PORT]" protocol="HTTP/1.1" SSLEnabled="true" sslProtocol="SSL" scheme="https" secure="true"
- maxHttpHeaderSize="8192"
- acceptCount="100" maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
- enableLookups="false" disableUploadTimeout="true"
- SSLImplementation="org.apache.tomcat.util.net.jss.JSSImplementation"
- enableOCSP="false"
- ocspResponderURL="http://[PKI_HOSTNAME]:9080/ca/ocsp"
- ocspResponderCertNickname="ocspSigningCert cert-pki-ca"
- ocspCacheSize="1000"
- ocspMinCacheEntryDuration="60"
- ocspMaxCacheEntryDuration="120"
- ocspTimeout="10"
- strictCiphers="false"
- clientAuth="[PKI_AGENT_CLIENTAUTH]"
- sslOptions="[TOMCAT_SSL_OPTIONS]"
- ssl2Ciphers="[TOMCAT_SSL2_CIPHERS]"
- ssl3Ciphers="[TOMCAT_SSL3_CIPHERS]"
- tlsCiphers="[TOMCAT_TLS_CIPHERS]"
- serverCertNickFile="[PKI_INSTANCE_PATH]/conf/serverCertNick.conf"
- passwordFile="[PKI_INSTANCE_PATH]/conf/password.conf"
- passwordClass="org.apache.tomcat.util.net.jss.PlainPasswordFile"
- certdbDir="[PKI_INSTANCE_PATH]/alias"
- />
- <!-- DO NOT REMOVE - End define PKI secure port -->
-
- [PKI_OPEN_SEPARATE_PORTS_SERVER_COMMENT][PKI_ADMIN_SECURE_PORT_SERVER_COMMENT]
- <Connector name="[PKI_ADMIN_SECURE_PORT_CONNECTOR_NAME]" port="[PKI_ADMIN_SECURE_PORT]" SSLEnabled="true" sslProtocol="SSL" scheme="https" secure="true"
- maxHttpHeaderSize="8192"
- acceptCount="100" maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
- enableLookups="false" disableUploadTimeout="true"
- SSLImplementation="org.apache.tomcat.util.net.jss.JSSImplementation"
- strictCiphers="false"
- clientAuth="false"
- sslOptions="[TOMCAT_SSL_OPTIONS]"
- ssl2Ciphers="[TOMCAT_SSL2_CIPHERS]"
- ssl3Ciphers="[TOMCAT_SSL3_CIPHERS]"
- tlsCiphers="[TOMCAT_TLS_CIPHERS]"
- serverCertNickFile="[PKI_INSTANCE_PATH]/conf/serverCertNick.conf"
- passwordFile="[PKI_INSTANCE_PATH]/conf/password.conf"
- passwordClass="org.apache.tomcat.util.net.jss.PlainPasswordFile"
- certdbDir="[PKI_INSTANCE_PATH]/alias"/>
- [PKI_CLOSE_SEPARATE_PORTS_SERVER_COMMENT]
-
- [PKI_OPEN_SEPARATE_PORTS_SERVER_COMMENT][PKI_EE_SECURE_PORT_SERVER_COMMENT]
- <Connector name="[PKI_EE_SECURE_PORT_CONNECTOR_NAME]" port="[PKI_EE_SECURE_PORT]" SSLEnabled="true" sslProtocol="SSL" scheme="https" secure="true"
- maxHttpHeaderSize="8192"
- acceptCount="100" maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
- enableLookups="false" disableUploadTimeout="true"
- SSLImplementation="org.apache.tomcat.util.net.jss.JSSImplementation"
- strictCiphers="false"
- clientAuth="false"
- sslOptions="[TOMCAT_SSL_OPTIONS]"
- ssl2Ciphers="[TOMCAT_SSL2_CIPHERS]"
- ssl3Ciphers="[TOMCAT_SSL3_CIPHERS]"
- tlsCiphers="[TOMCAT_TLS_CIPHERS]"
- serverCertNickFile="[PKI_INSTANCE_PATH]/conf/serverCertNick.conf"
- passwordFile="[PKI_INSTANCE_PATH]/conf/password.conf"
- passwordClass="org.apache.tomcat.util.net.jss.PlainPasswordFile"
- certdbDir="[PKI_INSTANCE_PATH]/alias"/>
- [PKI_CLOSE_SEPARATE_PORTS_SERVER_COMMENT]
-
- <!-- A "Connector" using the shared thread pool-->
- <!--
- <Connector executor="tomcatThreadPool"
- port="8080" protocol="HTTP/1.1"
- connectionTimeout="20000"
- redirectPort="8443" />
- -->
- <!-- Define a SSL HTTP/1.1 Connector on port 8443
- This connector uses the JSSE configuration, when using APR, the
- connector should be using the OpenSSL style configuration
- described in the APR documentation -->
- <!--
- <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
- maxThreads="150" scheme="https" secure="true"
- clientAuth="false" sslProtocol="TLS" />
- -->
-
- <!-- Define an AJP 1.3 Connector on port [PKI_AJP_PORT] -->
-[PKI_OPEN_AJP_PORT_COMMENT]
- <Connector port="[PKI_AJP_PORT]" protocol="AJP/1.3" redirectPort="[PKI_AJP_REDIRECT_PORT]" address="127.0.0.1" />
-[PKI_CLOSE_AJP_PORT_COMMENT]
-
-
- <!-- An Engine represents the entry point (within Catalina) that processes
- every request. The Engine implementation for Tomcat stand alone
- analyzes the HTTP headers included with the request, and passes them
- on to the appropriate Host (virtual host).
- Documentation at /docs/config/engine.html -->
-
- <!-- You should set jvmRoute to support load-balancing via AJP ie :
- <Engine name="Catalina" defaultHost="localhost" jvmRoute="jvm1">
- -->
- <Engine name="Catalina" defaultHost="localhost">
-
- <!--For clustering, please take a look at documentation at:
- /docs/cluster-howto.html (simple how to)
- /docs/config/cluster.html (reference documentation) -->
- <!--
- <Cluster className="org.apache.catalina.ha.tcp.SimpleTcpCluster"/>
- -->
-
- <!-- The request dumper valve dumps useful debugging information about
- the request and response data received and sent by Tomcat.
- Documentation at: /docs/config/valve.html -->
- <!--
- <Valve className="org.apache.catalina.valves.RequestDumperValve"/>
- -->
-
- <!-- This Realm uses the UserDatabase configured in the global JNDI
- resources under the key "UserDatabase". Any edits
- that are performed against this UserDatabase are immediately
- available for use by the Realm. -->
- <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
- resourceName="UserDatabase"/>
-
- <!-- Define the default virtual host
- Note: XML Schema validation will not work with Xerces 2.2.
- -->
- <Host name="localhost" appBase="webapps"
- unpackWARs="true" autoDeploy="false"
- xmlValidation="false" xmlNamespaceAware="false">
-
- <!-- SingleSignOn valve, share authentication between web applications
- Documentation at: /docs/config/valve.html -->
- <!--
- <Valve className="org.apache.catalina.authenticator.SingleSignOn" />
- -->
-
- <!-- Access log processes all example.
- Documentation at: /docs/config/valve.html -->
- [PKI_OPEN_TOMCAT_ACCESS_LOG_COMMENT]
- <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
- prefix="localhost_access_log." suffix=".txt" pattern="common" resolveHosts="false"/>
- [PKI_CLOSE_TOMCAT_ACCESS_LOG_COMMENT]
-
- </Host>
- </Engine>
- </Service>
-</Server>
diff --git a/base/server/scripts/operations b/base/server/scripts/operations
index 8fa58e1ba..ede5f8229 100644
--- a/base/server/scripts/operations
+++ b/base/server/scripts/operations
@@ -488,6 +488,8 @@ get_pki_status_definitions_tomcat()
secure_admin_url_statement="Secure Admin URL"
pki_console_command_statement="PKI Console Command"
tomcat_port_statement="Tomcat Port"
+ unsecure_phone_home_statement="Unsecure PHONE HOME"
+ secure_phone_home_statement="Secure PHONE HOME"
# initialize looping variables
pki_status_comment_found=0
@@ -615,6 +617,8 @@ get_pki_status_definitions_tomcat()
[ "$head" == "$secure_admin_url_statement" ] ||
[ "$head" == "$secure_ee_client_auth_url_statement" ] ||
[ "$head" == "$pki_console_command_statement" ] ||
+ [ "$head" == "$unsecure_phone_home_statement" ] ||
+ [ "$head" == "$secure_phone_home_statement" ] ||
[ "$head" == "$tomcat_port_statement" ] ; then
echo " $line"
total_ports=`expr ${total_ports} + 1`
diff --git a/base/server/tomcat7/conf/server.xml b/base/server/tomcat7/conf/server.xml
index c52bd5bab..81a801628 100644
--- a/base/server/tomcat7/conf/server.xml
+++ b/base/server/tomcat7/conf/server.xml
@@ -64,6 +64,8 @@ Tomcat Port = [TOMCAT_SERVER_PORT] (for shutdown)
<!--
Unsecure URL = http://[PKI_HOSTNAME]:[PKI_UNSECURE_PORT]/tps
Secure URL = https://[PKI_HOSTNAME]:[PKI_SECURE_PORT]/tps
+Unsecure PHONE HOME = http://[PKI_HOSTNAME]:[PKI_UNSECURE_PORT]/tps/phoneHome
+Secure PHONE HOME = https://[PKI_HOSTNAME]:[PKI_SECURE_PORT]/tps/phoneHome
Tomcat Port = [TOMCAT_SERVER_PORT] (for shutdown)
-->
<!-- DO NOT REMOVE - End PKI Status Definitions -->
diff --git a/base/server/tomcat8/conf/server.xml b/base/server/tomcat8/conf/server.xml
index a794760d8..c482fc138 100644
--- a/base/server/tomcat8/conf/server.xml
+++ b/base/server/tomcat8/conf/server.xml
@@ -64,6 +64,8 @@ Tomcat Port = [TOMCAT_SERVER_PORT] (for shutdown)
<!--
Unsecure URL = http://[PKI_HOSTNAME]:[PKI_UNSECURE_PORT]/tps
Secure URL = https://[PKI_HOSTNAME]:[PKI_SECURE_PORT]/tps
+Unsecure PHONE HOME = http://[PKI_HOSTNAME]:[PKI_UNSECURE_PORT]/tps/phoneHome
+Secure PHONE HOME = https://[PKI_HOSTNAME]:[PKI_SECURE_PORT]/tps/phoneHome
Tomcat Port = [TOMCAT_SERVER_PORT] (for shutdown)
-->
<!-- DO NOT REMOVE - End PKI Status Definitions -->
diff --git a/base/server/upgrade/10.2.6/02-AddPhoneHomeURLsToTPSsServerXML b/base/server/upgrade/10.2.6/02-AddPhoneHomeURLsToTPSsServerXML
new file mode 100755
index 000000000..1cf7413ed
--- /dev/null
+++ b/base/server/upgrade/10.2.6/02-AddPhoneHomeURLsToTPSsServerXML
@@ -0,0 +1,112 @@
+#!/usr/bin/python
+# Authors:
+# Matthew Harmsen <mharmsen@redhat.com>
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; version 2 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License along
+# with this program; if not, write to the Free Software Foundation, Inc.,
+# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# Copyright (C) 2015 Red Hat, Inc.
+# All rights reserved.
+#
+
+import os
+
+import pki.server.upgrade
+
+
+class AddPhoneHomeURLsToTPSsServerXML(
+ pki.server.upgrade.PKIServerUpgradeScriptlet):
+ def __init__(self):
+ super(AddPhoneHomeURLsToTPSsServerXML, self).__init__()
+ self.message = 'Add Phone Home URLs to TPS section of server.xml.'
+
+ def upgrade_instance(self, instance):
+ server_xml = os.path.join(instance.conf_dir, 'server.xml')
+ # Backup
+ self.backup(server_xml)
+
+ # Simply read in the document by lines
+
+ with open(server_xml) as f:
+ content = f.readlines()
+ f.close()
+
+ tps_statuses_pattern = "<!-- TPS Status Definitions -->"
+ tps_end_statuses_pattern = "-->"
+ tps_unsecure_phone_home_pattern = "Unsecure PHONE HOME"
+ tps_secure_phone_home_pattern = "Secure PHONE HOME"
+ tps_secure_url_pattern = "Secure URL"
+ tps_unsecure_url_pattern = "Unsecure URL"
+ tps_phone_home_path = "phoneHome"
+
+ tps_secure_url = None
+ tps_unsecure_url = None
+
+ found_tps_statuses = -1
+ # loop through file, looking for TPS settings
+
+ rewrite_server_xml = False
+ final_content = []
+ for index, line in enumerate(content):
+
+ if found_tps_statuses == -1:
+ found_tps_statuses = line.find(tps_statuses_pattern)
+ else:
+ if line.find(tps_unsecure_phone_home_pattern) != -1:
+ # already upgraded, abort
+ break
+ if line.find(tps_secure_phone_home_pattern) != -1:
+ # already upgraded, abort
+ break
+
+ if line.find(tps_unsecure_url_pattern) != -1:
+ splits = line.split("=")
+ if len(splits) == 2:
+ tps_unsecure_url = splits[1].strip()
+
+ if line.find(tps_secure_url_pattern) != -1:
+ splits = line.split("=")
+ if len(splits) == 2:
+ tps_secure_url = splits[1].strip()
+
+ if line.find(tps_end_statuses_pattern) != -1:
+ if tps_unsecure_url and tps_secure_url:
+ # Create the added lines we need
+ # Phone home url is simply a super set of the base url
+ unsec_phone_home_url = tps_unsecure_phone_home_pattern + \
+ ' = ' + tps_unsecure_url + \
+ '/' + tps_phone_home_path + '\n'
+ sec_phone_home_url = tps_secure_phone_home_pattern + \
+ ' = ' + tps_secure_url + \
+ '/' + tps_phone_home_path + '\n'
+ # Spot to add the URLs
+ final_content.append(unsec_phone_home_url)
+ final_content.append(sec_phone_home_url)
+ # Just write the rest of the original to the copy
+ final_content.extend(content[index:])
+ # Indicate that we want to update the server.xml
+ rewrite_server_xml = True
+ # Done
+ break
+ else:
+ # Just give up
+ break
+
+ final_content.append(line)
+
+ # Rewrite the file if needed
+ if rewrite_server_xml:
+ with open(server_xml, 'w') as fout:
+ for line_out in final_content:
+ fout.write(line_out)
+ fout.close()
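Review bot: The explicit `f.close()` right after `content = f.readlines()` and the `fout.close()` on the last line are redundant, since both files are opened in `with` blocks that close them on exit; drop both calls. The URL extraction in the two `line.split("=")` branches, guarded by `len(splits) == 2`, silently skips a status line whose value happens to contain a second `=`; `splits = line.split("=", 1)` keeps the guard meaningful and tolerates that. The `# Just give up` branch and the case where the TPS marker is never found both leave the instance un-upgraded with no record of why; a short log line there would make it diagnosable from the upgrade output, assuming the scriptlet base class exposes logging (not visible in this hunk). The rewrite truncates server.xml in place, so an interruption mid-write leaves a truncated config; the preceding `self.backup(server_xml)` limits the damage, but writing to a temporary file and renaming over the original would avoid it.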
diff --git a/base/tks/shared/conf/server.xml b/base/tks/shared/conf/server.xml
deleted file mode 100644
index 744b57dc1..000000000
--- a/base/tks/shared/conf/server.xml
+++ /dev/null
@@ -1,258 +0,0 @@
-<?xml version='1.0' encoding='utf-8'?>
-<!-- BEGIN COPYRIGHT BLOCK
- Copyright (C) 2006-2010 Red Hat, Inc.
- All rights reserved.
- Modifications: configuration parameters
- END COPYRIGHT BLOCK -->
-<!--
- Licensed to the Apache Software Foundation (ASF) under one or more
- contributor license agreements. See the NOTICE file distributed with
- this work for additional information regarding copyright ownership.
- The ASF licenses this file to You under the Apache License, Version 2.0
- (the "License"); you may not use this file except in compliance with
- the License. You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
- Unless required by applicable law or agreed to in writing, software
- distributed under the License is distributed on an "AS IS" BASIS,
- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- See the License for the specific language governing permissions and
- limitations under the License.
--->
-<!-- Note: A "Server" is not itself a "Container", so you may not
- define subcomponents such as "Valves" at this level.
- Documentation at /docs/config/server.html
- -->
-
-<!-- DO NOT REMOVE - Begin PKI Status Definitions -->
-<!--
-Unsecure URL = http://[PKI_HOSTNAME]:[PKI_UNSECURE_PORT]/[PKI_SUBSYSTEM_TYPE]/ee/[PKI_SUBSYSTEM_TYPE]
-Secure Agent URL = https://[PKI_HOSTNAME]:[PKI_AGENT_SECURE_PORT]/[PKI_SUBSYSTEM_TYPE]/agent/[PKI_SUBSYSTEM_TYPE]
-Secure EE URL = https://[PKI_HOSTNAME]:[PKI_EE_SECURE_PORT]/[PKI_SUBSYSTEM_TYPE]/ee/[PKI_SUBSYSTEM_TYPE]
-Secure Admin URL = https://[PKI_HOSTNAME]:[PKI_ADMIN_SECURE_PORT]/[PKI_SUBSYSTEM_TYPE]/services
-PKI Console Command = pkiconsole https://[PKI_HOSTNAME]:[PKI_ADMIN_SECURE_PORT]/[PKI_SUBSYSTEM_TYPE]
-Tomcat Port = [TOMCAT_SERVER_PORT] (for shutdown)
--->
-<!-- DO NOT REMOVE - End PKI Status Definitions -->
-
-<Server port="[TOMCAT_SERVER_PORT]" shutdown="SHUTDOWN">
-
- <!--APR library loader. Documentation at /docs/apr.html -->
- <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />
- <!--Initialize Jasper prior to webapps are loaded. Documentation at /docs/jasper-howto.html -->
- <Listener className="org.apache.catalina.core.JasperListener" />
- <!-- JMX Support for the Tomcat server. Documentation at /docs/non-existent.html -->
- <Listener className="org.apache.catalina.mbeans.ServerLifecycleListener" />
- <Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener" />
-
- <!-- Global JNDI resources
- Documentation at /docs/jndi-resources-howto.html
- -->
- <GlobalNamingResources>
- <!-- Editable user database that can also be used by
- UserDatabaseRealm to authenticate users
- -->
- <Resource name="UserDatabase" auth="Container"
- type="org.apache.catalina.UserDatabase"
- description="User database that can be updated and saved"
- factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
- pathname="conf/tomcat-users.xml" />
- </GlobalNamingResources>
-
- <!-- A "Service" is a collection of one or more "Connectors" that share
- a single "Container" Note: A "Service" is not itself a "Container",
- so you may not define subcomponents such as "Valves" at this level.
- Documentation at /docs/config/service.html
- -->
- <Service name="Catalina">
-
- <!--The connectors can use a shared executor, you can define one or more named thread pools-->
- <!--
- <Executor name="tomcatThreadPool" namePrefix="catalina-exec-"
- maxThreads="150" minSpareThreads="4"/>
- -->
-
-
- <!-- A "Connector" represents an endpoint by which requests are received
- and responses are returned. Documentation at :
- Java HTTP Connector: /docs/config/http.html (blocking & non-blocking)
- Java AJP Connector: /docs/config/ajp.html
- APR (HTTP/AJP) Connector: /docs/apr.html
- Define a non-SSL HTTP/1.1 Connector on port 8080
- -->
-
- [PKI_UNSECURE_PORT_SERVER_COMMENT]
- <Connector name="[PKI_UNSECURE_PORT_CONNECTOR_NAME]" port="[PKI_UNSECURE_PORT]" protocol="HTTP/1.1" redirectPort="8443"
- maxHttpHeaderSize="8192"
- acceptCount="100" maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
- enableLookups="false" connectionTimeout="20000" disableUploadTimeout="true"
- />
-
- <!-- Define a SSL HTTP/1.1 Connector on port 8443 -->
- [PKI_SECURE_PORT_SERVER_COMMENT]
- <!-- DO NOT REMOVE - Begin define PKI secure port
- NOTE: The OCSP settings take effect globally, so it should only be set once.
-
- In setup where SSL clientAuth="true", OCSP can be turned on by
- setting enableOCSP to true like the following:
- enableOCSP="true"
- along with changes to related settings, especially:
- ocspResponderURL=<see example in connector definition below>
- ocspResponderCertNickname=<see example in connector definition below>
- Here are the definition to all the OCSP-related settings:
- enableOCSP - turns on/off the ocsp check
- ocspResponderURL - sets the url where the ocsp requests are sent
- ocspResponderCertNickname - sets the nickname of the cert that is
- either CA's signing certificate or the OCSP server's signing
- certificate.
- The CA's signing certificate should already be in the db, in
- case of the same security domain.
- In case of an ocsp signing certificate, one must import the cert
- into the subsystem's nss db and set trust. e.g.:
- certutil -d . -A -n "ocspSigningCert cert-pki-ca" -t "C,," -a -i ocspCert.b64
- ocspCacheSize - sets max cache entries
- ocspMinCacheEntryDuration - sets minimum seconds to next fetch attempt
- ocspMaxCacheEntryDuration - sets maximum seconds to next fetch attempt
- ocspTimeout -sets OCSP timeout in seconds
- -->
- <Connector name="[PKI_SECURE_PORT_CONNECTOR_NAME]" port="[PKI_SECURE_PORT]" protocol="HTTP/1.1" SSLEnabled="true" sslProtocol="SSL" scheme="https" secure="true"
- maxHttpHeaderSize="8192"
- acceptCount="100" maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
- enableLookups="false" disableUploadTimeout="true"
- SSLImplementation="org.apache.tomcat.util.net.jss.JSSImplementation"
- enableOCSP="false"
- ocspResponderURL="http://[PKI_HOSTNAME]:9080/ca/ocsp"
- ocspResponderCertNickname="ocspSigningCert cert-pki-ca"
- ocspCacheSize="1000"
- ocspMinCacheEntryDuration="60"
- ocspMaxCacheEntryDuration="120"
- ocspTimeout="10"
- strictCiphers="false"
- clientAuth="[PKI_AGENT_CLIENTAUTH]"
- sslOptions="[TOMCAT_SSL_OPTIONS]"
- ssl2Ciphers="[TOMCAT_SSL2_CIPHERS]"
- ssl3Ciphers="[TOMCAT_SSL3_CIPHERS]"
- tlsCiphers="[TOMCAT_TLS_CIPHERS]"
- serverCertNickFile="[PKI_INSTANCE_PATH]/conf/serverCertNick.conf"
- passwordFile="[PKI_INSTANCE_PATH]/conf/password.conf"
- passwordClass="org.apache.tomcat.util.net.jss.PlainPasswordFile"
- certdbDir="[PKI_INSTANCE_PATH]/alias"
- />
- <!-- DO NOT REMOVE - End define PKI secure port -->
-
- [PKI_OPEN_SEPARATE_PORTS_SERVER_COMMENT][PKI_ADMIN_SECURE_PORT_SERVER_COMMENT]
- <Connector name="[PKI_ADMIN_SECURE_PORT_CONNECTOR_NAME]" port="[PKI_ADMIN_SECURE_PORT]" SSLEnabled="true" sslProtocol="SSL" scheme="https" secure="true"
- maxHttpHeaderSize="8192"
- acceptCount="100" maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
- enableLookups="false" disableUploadTimeout="true"
- SSLImplementation="org.apache.tomcat.util.net.jss.JSSImplementation"
- strictCiphers="false"
- clientAuth="false"
- sslOptions="[TOMCAT_SSL_OPTIONS]"
- ssl2Ciphers="[TOMCAT_SSL2_CIPHERS]"
- ssl3Ciphers="[TOMCAT_SSL3_CIPHERS]"
- tlsCiphers="[TOMCAT_TLS_CIPHERS]"
- serverCertNickFile="[PKI_INSTANCE_PATH]/conf/serverCertNick.conf"
- passwordFile="[PKI_INSTANCE_PATH]/conf/password.conf"
- passwordClass="org.apache.tomcat.util.net.jss.PlainPasswordFile"
- certdbDir="[PKI_INSTANCE_PATH]/alias"/>
- [PKI_CLOSE_SEPARATE_PORTS_SERVER_COMMENT]
-
- [PKI_OPEN_SEPARATE_PORTS_SERVER_COMMENT][PKI_EE_SECURE_PORT_SERVER_COMMENT]
- <Connector name="[PKI_EE_SECURE_PORT_CONNECTOR_NAME]" port="[PKI_EE_SECURE_PORT]" SSLEnabled="true" sslProtocol="SSL" scheme="https" secure="true"
- maxHttpHeaderSize="8192"
- acceptCount="100" maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
- enableLookups="false" disableUploadTimeout="true"
- SSLImplementation="org.apache.tomcat.util.net.jss.JSSImplementation"
- strictCiphers="false"
- clientAuth="false"
- sslOptions="[TOMCAT_SSL_OPTIONS]"
- ssl2Ciphers="[TOMCAT_SSL2_CIPHERS]"
- ssl3Ciphers="[TOMCAT_SSL3_CIPHERS]"
- tlsCiphers="[TOMCAT_TLS_CIPHERS]"
- serverCertNickFile="[PKI_INSTANCE_PATH]/conf/serverCertNick.conf"
- passwordFile="[PKI_INSTANCE_PATH]/conf/password.conf"
- passwordClass="org.apache.tomcat.util.net.jss.PlainPasswordFile"
- certdbDir="[PKI_INSTANCE_PATH]/alias"/>
- [PKI_CLOSE_SEPARATE_PORTS_SERVER_COMMENT]
-
- <!-- A "Connector" using the shared thread pool-->
- <!--
- <Connector executor="tomcatThreadPool"
- port="8080" protocol="HTTP/1.1"
- connectionTimeout="20000"
- redirectPort="8443" />
- -->
- <!-- Define a SSL HTTP/1.1 Connector on port 8443
- This connector uses the JSSE configuration, when using APR, the
- connector should be using the OpenSSL style configuration
- described in the APR documentation -->
- <!--
- <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
- maxThreads="150" scheme="https" secure="true"
- clientAuth="false" sslProtocol="TLS" />
- -->
-
- <!-- Define an AJP 1.3 Connector on port [PKI_AJP_PORT] -->
-[PKI_OPEN_AJP_PORT_COMMENT]
- <Connector port="[PKI_AJP_PORT]" protocol="AJP/1.3" redirectPort="[PKI_AJP_REDIRECT_PORT]" address="127.0.0.1" />
-[PKI_CLOSE_AJP_PORT_COMMENT]
-
-
- <!-- An Engine represents the entry point (within Catalina) that processes
- every request. The Engine implementation for Tomcat stand alone
- analyzes the HTTP headers included with the request, and passes them
- on to the appropriate Host (virtual host).
- Documentation at /docs/config/engine.html -->
-
- <!-- You should set jvmRoute to support load-balancing via AJP ie :
- <Engine name="Catalina" defaultHost="localhost" jvmRoute="jvm1">
- -->
- <Engine name="Catalina" defaultHost="localhost">
-
- <!--For clustering, please take a look at documentation at:
- /docs/cluster-howto.html (simple how to)
- /docs/config/cluster.html (reference documentation) -->
- <!--
- <Cluster className="org.apache.catalina.ha.tcp.SimpleTcpCluster"/>
- -->
-
- <!-- The request dumper valve dumps useful debugging information about
- the request and response data received and sent by Tomcat.
- Documentation at: /docs/config/valve.html -->
- <!--
- <Valve className="org.apache.catalina.valves.RequestDumperValve"/>
- -->
-
- <!-- This Realm uses the UserDatabase configured in the global JNDI
- resources under the key "UserDatabase". Any edits
- that are performed against this UserDatabase are immediately
- available for use by the Realm. -->
- <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
- resourceName="UserDatabase"/>
-
- <!-- Define the default virtual host
- Note: XML Schema validation will not work with Xerces 2.2.
- -->
- <Host name="localhost" appBase="webapps"
- unpackWARs="true" autoDeploy="false"
- xmlValidation="false" xmlNamespaceAware="false">
-
- <!-- SingleSignOn valve, share authentication between web applications
- Documentation at: /docs/config/valve.html -->
- <!--
- <Valve className="org.apache.catalina.authenticator.SingleSignOn" />
- -->
-
- <!-- Access log processes all example.
- Documentation at: /docs/config/valve.html -->
- [PKI_OPEN_TOMCAT_ACCESS_LOG_COMMENT]
- <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
- prefix="localhost_access_log." suffix=".txt" pattern="common" resolveHosts="false"/>
- [PKI_CLOSE_TOMCAT_ACCESS_LOG_COMMENT]
-
- </Host>
- </Engine>
- </Service>
-</Server>
diff --git a/base/tps/shared/conf/server.xml b/base/tps/shared/conf/server.xml
deleted file mode 100644
index 23e4f5fde..000000000
--- a/base/tps/shared/conf/server.xml
+++ /dev/null
@@ -1,258 +0,0 @@
-<?xml version='1.0' encoding='utf-8'?>
-<!-- BEGIN COPYRIGHT BLOCK
- Copyright (C) 2006-2010 Red Hat, Inc.
- All rights reserved.
- Modifications: configuration parameters
- END COPYRIGHT BLOCK -->
-<!--
- Licensed to the Apache Software Foundation (ASF) under one or more
- contributor license agreements. See the NOTICE file distributed with
- this work for additional information regarding copyright ownership.
- The ASF licenses this file to You under the Apache License, Version 2.0
- (the "License"); you may not use this file except in compliance with
- the License. You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
- Unless required by applicable law or agreed to in writing, software
- distributed under the License is distributed on an "AS IS" BASIS,
- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- See the License for the specific language governing permissions and
- limitations under the License.
--->
-<!-- Note: A "Server" is not itself a "Container", so you may not
- define subcomponents such as "Valves" at this level.
- Documentation at /docs/config/server.html
- -->
-
-<!-- DO NOT REMOVE - Begin PKI Status Definitions -->
-<!--
-Unsecure URL = http://[PKI_HOSTNAME]:[PKI_UNSECURE_PORT]/[PKI_SUBSYSTEM_TYPE]/ee/[PKI_SUBSYSTEM_TYPE]
-Secure Agent URL = https://[PKI_HOSTNAME]:[PKI_AGENT_SECURE_PORT]/[PKI_SUBSYSTEM_TYPE]/agent/[PKI_SUBSYSTEM_TYPE]
-Secure EE URL = https://[PKI_HOSTNAME]:[PKI_EE_SECURE_PORT]/[PKI_SUBSYSTEM_TYPE]/ee/[PKI_SUBSYSTEM_TYPE]
-Secure Admin URL = https://[PKI_HOSTNAME]:[PKI_ADMIN_SECURE_PORT]/[PKI_SUBSYSTEM_TYPE]/services
-PKI Console Command = pkiconsole https://[PKI_HOSTNAME]:[PKI_ADMIN_SECURE_PORT]/[PKI_SUBSYSTEM_TYPE]
-Tomcat Port = [TOMCAT_SERVER_PORT] (for shutdown)
--->
-<!-- DO NOT REMOVE - End PKI Status Definitions -->
-
-<Server port="[TOMCAT_SERVER_PORT]" shutdown="SHUTDOWN">
-
- <!--APR library loader. Documentation at /docs/apr.html -->
- <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />
- <!--Initialize Jasper prior to webapps are loaded. Documentation at /docs/jasper-howto.html -->
- <Listener className="org.apache.catalina.core.JasperListener" />
- <!-- JMX Support for the Tomcat server. Documentation at /docs/non-existent.html -->
- <Listener className="org.apache.catalina.mbeans.ServerLifecycleListener" />
- <Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener" />
-
- <!-- Global JNDI resources
- Documentation at /docs/jndi-resources-howto.html
- -->
- <GlobalNamingResources>
- <!-- Editable user database that can also be used by
- UserDatabaseRealm to authenticate users
- -->
- <Resource name="UserDatabase" auth="Container"
- type="org.apache.catalina.UserDatabase"
- description="User database that can be updated and saved"
- factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
- pathname="conf/tomcat-users.xml" />
- </GlobalNamingResources>
-
- <!-- A "Service" is a collection of one or more "Connectors" that share
- a single "Container" Note: A "Service" is not itself a "Container",
- so you may not define subcomponents such as "Valves" at this level.
- Documentation at /docs/config/service.html
- -->
- <Service name="Catalina">
-
- <!--The connectors can use a shared executor, you can define one or more named thread pools-->
- <!--
- <Executor name="tomcatThreadPool" namePrefix="catalina-exec-"
- maxThreads="150" minSpareThreads="4"/>
- -->
-
-
- <!-- A "Connector" represents an endpoint by which requests are received
- and responses are returned. Documentation at :
- Java HTTP Connector: /docs/config/http.html (blocking & non-blocking)
- Java AJP Connector: /docs/config/ajp.html
- APR (HTTP/AJP) Connector: /docs/apr.html
- Define a non-SSL HTTP/1.1 Connector on port 8080
- -->
-
- [PKI_UNSECURE_PORT_SERVER_COMMENT]
- <Connector name="[PKI_UNSECURE_PORT_CONNECTOR_NAME]" port="[PKI_UNSECURE_PORT]" protocol="HTTP/1.1" redirectPort="8443"
- maxHttpHeaderSize="8192"
- acceptCount="100" maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
- enableLookups="false" connectionTimeout="20000" disableUploadTimeout="true"
- />
-
- <!-- Define a SSL HTTP/1.1 Connector on port 8443 -->
- [PKI_SECURE_PORT_SERVER_COMMENT]
- <!-- DO NOT REMOVE - Begin define PKI secure port
- NOTE: The OCSP settings take effect globally, so it should only be set once.
-
- In setup where SSL clientAuth="true", OCSP can be turned on by
- setting enableOCSP to true like the following:
- enableOCSP="true"
- along with changes to related settings, especially:
- ocspResponderURL=<see example in connector definition below>
- ocspResponderCertNickname=<see example in connector definition below>
- Here are the definition to all the OCSP-related settings:
- enableOCSP - turns on/off the ocsp check
- ocspResponderURL - sets the url where the ocsp requests are sent
- ocspResponderCertNickname - sets the nickname of the cert that is
- either CA's signing certificate or the OCSP server's signing
- certificate.
- The CA's signing certificate should already be in the db, in
- case of the same security domain.
- In case of an ocsp signing certificate, one must import the cert
- into the subsystem's nss db and set trust. e.g.:
- certutil -d . -A -n "ocspSigningCert cert-pki-ca" -t "C,," -a -i ocspCert.b64
- ocspCacheSize - sets max cache entries
- ocspMinCacheEntryDuration - sets minimum seconds to next fetch attempt
- ocspMaxCacheEntryDuration - sets maximum seconds to next fetch attempt
- ocspTimeout -sets OCSP timeout in seconds
- -->
- <Connector name="[PKI_SECURE_PORT_CONNECTOR_NAME]" port="[PKI_SECURE_PORT]" protocol="HTTP/1.1" SSLEnabled="true" sslProtocol="SSL" scheme="https" secure="true"
- maxHttpHeaderSize="8192"
- acceptCount="100" maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
- enableLookups="false" disableUploadTimeout="true"
- SSLImplementation="org.apache.tomcat.util.net.jss.JSSImplementation"
- enableOCSP="false"
- ocspResponderURL="http://[PKI_HOSTNAME]:9080/ca/ocsp"
- ocspResponderCertNickname="ocspSigningCert cert-pki-ca"
- ocspCacheSize="1000"
- ocspMinCacheEntryDuration="60"
- ocspMaxCacheEntryDuration="120"
- ocspTimeout="10"
- strictCiphers="false"
- clientAuth="[PKI_AGENT_CLIENTAUTH]"
- sslOptions="[TOMCAT_SSL_OPTIONS]"
- ssl2Ciphers="[TOMCAT_SSL2_CIPHERS]"
- ssl3Ciphers="[TOMCAT_SSL3_CIPHERS]"
- tlsCiphers="[TOMCAT_TLS_CIPHERS]"
- serverCertNickFile="[PKI_INSTANCE_PATH]/conf/serverCertNick.conf"
- passwordFile="[PKI_INSTANCE_PATH]/conf/password.conf"
- passwordClass="org.apache.tomcat.util.net.jss.PlainPasswordFile"
- certdbDir="[PKI_INSTANCE_PATH]/alias"
- />
- <!-- DO NOT REMOVE - End define PKI secure port -->
-
- [PKI_OPEN_SEPARATE_PORTS_SERVER_COMMENT][PKI_ADMIN_SECURE_PORT_SERVER_COMMENT]
- <Connector name="[PKI_ADMIN_SECURE_PORT_CONNECTOR_NAME]" port="[PKI_ADMIN_SECURE_PORT]" SSLEnabled="true" sslProtocol="SSL" scheme="https" secure="true"
- maxHttpHeaderSize="8192"
- acceptCount="100" maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
- enableLookups="false" disableUploadTimeout="true"
- SSLImplementation="org.apache.tomcat.util.net.jss.JSSImplementation"
- strictCiphers="false"
- clientAuth="false"
- sslOptions="[TOMCAT_SSL_OPTIONS]"
- ssl2Ciphers="[TOMCAT_SSL2_CIPHERS]"
- ssl3Ciphers="[TOMCAT_SSL3_CIPHERS]"
- tlsCiphers="[TOMCAT_TLS_CIPHERS]"
- serverCertNickFile="[PKI_INSTANCE_PATH]/conf/serverCertNick.conf"
- passwordFile="[PKI_INSTANCE_PATH]/conf/password.conf"
- passwordClass="org.apache.tomcat.util.net.jss.PlainPasswordFile"
- certdbDir="[PKI_INSTANCE_PATH]/alias"/>
- [PKI_CLOSE_SEPARATE_PORTS_SERVER_COMMENT]
-
- [PKI_OPEN_SEPARATE_PORTS_SERVER_COMMENT][PKI_EE_SECURE_PORT_SERVER_COMMENT]
- <Connector name="[PKI_EE_SECURE_PORT_CONNECTOR_NAME]" port="[PKI_EE_SECURE_PORT]" SSLEnabled="true" sslProtocol="SSL" scheme="https" secure="true"
- maxHttpHeaderSize="8192"
- acceptCount="100" maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
- enableLookups="false" disableUploadTimeout="true"
- SSLImplementation="org.apache.tomcat.util.net.jss.JSSImplementation"
- strictCiphers="false"
- clientAuth="false"
- sslOptions="[TOMCAT_SSL_OPTIONS]"
- ssl2Ciphers="[TOMCAT_SSL2_CIPHERS]"
- ssl3Ciphers="[TOMCAT_SSL3_CIPHERS]"
- tlsCiphers="[TOMCAT_TLS_CIPHERS]"
- serverCertNickFile="[PKI_INSTANCE_PATH]/conf/serverCertNick.conf"
- passwordFile="[PKI_INSTANCE_PATH]/conf/password.conf"
- passwordClass="org.apache.tomcat.util.net.jss.PlainPasswordFile"
- certdbDir="[PKI_INSTANCE_PATH]/alias"/>
- [PKI_CLOSE_SEPARATE_PORTS_SERVER_COMMENT]
-
- <!-- A "Connector" using the shared thread pool-->
- <!--
- <Connector executor="tomcatThreadPool"
- port="8080" protocol="HTTP/1.1"
- connectionTimeout="20000"
- redirectPort="8443" />
- -->
- <!-- Define a SSL HTTP/1.1 Connector on port 8443
- This connector uses the JSSE configuration, when using APR, the
- connector should be using the OpenSSL style configuration
- described in the APR documentation -->
- <!--
- <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
- maxThreads="150" scheme="https" secure="true"
- clientAuth="false" sslProtocol="TLS" />
- -->
-
- <!-- Define an AJP 1.3 Connector on port [PKI_AJP_PORT] -->
-[PKI_OPEN_AJP_PORT_COMMENT]
- <Connector port="[PKI_AJP_PORT]" protocol="AJP/1.3" redirectPort="[PKI_AJP_REDIRECT_PORT]" address="127.0.0.1" />
-[PKI_CLOSE_AJP_PORT_COMMENT]
-
-
- <!-- An Engine represents the entry point (within Catalina) that processes
- every request. The Engine implementation for Tomcat stand alone
- analyzes the HTTP headers included with the request, and passes them
- on to the appropriate Host (virtual host).
- Documentation at /docs/config/engine.html -->
-
- <!-- You should set jvmRoute to support load-balancing via AJP ie :
- <Engine name="Catalina" defaultHost="localhost" jvmRoute="jvm1">
- -->
- <Engine name="Catalina" defaultHost="localhost">
-
- <!--For clustering, please take a look at documentation at:
- /docs/cluster-howto.html (simple how to)
- /docs/config/cluster.html (reference documentation) -->
- <!--
- <Cluster className="org.apache.catalina.ha.tcp.SimpleTcpCluster"/>
- -->
-
- <!-- The request dumper valve dumps useful debugging information about
- the request and response data received and sent by Tomcat.
- Documentation at: /docs/config/valve.html -->
- <!--
- <Valve className="org.apache.catalina.valves.RequestDumperValve"/>
- -->
-
- <!-- This Realm uses the UserDatabase configured in the global JNDI
- resources under the key "UserDatabase". Any edits
- that are performed against this UserDatabase are immediately
- available for use by the Realm. -->
- <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
- resourceName="UserDatabase"/>
-
- <!-- Define the default virtual host
- Note: XML Schema validation will not work with Xerces 2.2.
- -->
- <Host name="localhost" appBase="webapps"
- unpackWARs="true" autoDeploy="false"
- xmlValidation="false" xmlNamespaceAware="false">
-
- <!-- SingleSignOn valve, share authentication between web applications
- Documentation at: /docs/config/valve.html -->
- <!--
- <Valve className="org.apache.catalina.authenticator.SingleSignOn" />
- -->
-
- <!-- Access log processes all example.
- Documentation at: /docs/config/valve.html -->
- [PKI_OPEN_TOMCAT_ACCESS_LOG_COMMENT]
- <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
- prefix="localhost_access_log." suffix=".txt" pattern="common" resolveHosts="false"/>
- [PKI_CLOSE_TOMCAT_ACCESS_LOG_COMMENT]
-
- </Host>
- </Engine>
- </Service>
-</Server>