-rw-r--r--.classpath2
-rw-r--r--base/CMakeLists.txt1
-rw-r--r--base/ra/CMakeLists.txt2
-rw-r--r--base/ra/doc/CMakeLists.txt (renamed from base/ra/shared/conf/CMakeLists.txt)0
-rw-r--r--base/ra/doc/CS.cfg.in (renamed from base/ra/shared/conf/CS.cfg.in)0
-rw-r--r--base/tps-tomcat/CMakeLists.txt67
-rw-r--r--base/tps-tomcat/LICENSE469
-rw-r--r--base/tps-tomcat/setup/CMakeLists.txt6
-rw-r--r--base/tps-tomcat/setup/registry_instance60
-rw-r--r--base/tps-tomcat/shared/conf/CMakeLists.txt (renamed from base/tps/shared/conf/CMakeLists.txt)0
-rw-r--r--base/tps-tomcat/shared/conf/CS.cfg.in (renamed from base/tps/shared/conf/CS.cfg.in)0
-rw-r--r--base/tps-tomcat/shared/conf/acl.ldif (renamed from base/tps/shared/conf/acl.ldif)0
-rw-r--r--base/tps-tomcat/shared/conf/catalina.policy (renamed from base/tps/shared/conf/catalina.policy)0
-rw-r--r--base/tps-tomcat/shared/conf/catalina.properties (renamed from base/tps/shared/conf/catalina.properties)0
-rw-r--r--base/tps-tomcat/shared/conf/context.xml (renamed from base/tps/shared/conf/context.xml)0
-rw-r--r--base/tps-tomcat/shared/conf/database.ldif (renamed from base/tps/shared/conf/database.ldif)0
-rw-r--r--base/tps-tomcat/shared/conf/db.ldif (renamed from base/tps/shared/conf/db.ldif)0
-rwxr-xr-xbase/tps-tomcat/shared/conf/etc/init.d/pki-tpsd (renamed from base/tps/shared/conf/etc/init.d/pki-tpsd)0
-rw-r--r--base/tps-tomcat/shared/conf/index.ldif (renamed from base/tps/shared/conf/index.ldif)0
-rw-r--r--base/tps-tomcat/shared/conf/jk2.manifest (renamed from base/tps/shared/conf/jk2.manifest)0
-rw-r--r--base/tps-tomcat/shared/conf/jk2.properties (renamed from base/tps/shared/conf/jk2.properties)0
-rw-r--r--base/tps-tomcat/shared/conf/jkconf.ant.xml (renamed from base/tps/shared/conf/jkconf.ant.xml)0
-rw-r--r--base/tps-tomcat/shared/conf/jkconfig.manifest (renamed from base/tps/shared/conf/jkconfig.manifest)0
-rw-r--r--base/tps-tomcat/shared/conf/logging.properties (renamed from base/tps/shared/conf/logging.properties)0
-rw-r--r--base/tps-tomcat/shared/conf/manager.ldif (renamed from base/tps/shared/conf/manager.ldif)0
-rw-r--r--base/tps-tomcat/shared/conf/schema.ldif (renamed from base/tps/shared/conf/schema.ldif)0
-rw-r--r--base/tps-tomcat/shared/conf/server-minimal.xml (renamed from base/tps/shared/conf/server-minimal.xml)0
-rw-r--r--base/tps-tomcat/shared/conf/server.xml (renamed from base/tps/shared/conf/server.xml)0
-rw-r--r--base/tps-tomcat/shared/conf/shm.manifest (renamed from base/tps/shared/conf/shm.manifest)0
-rw-r--r--base/tps-tomcat/shared/conf/tomcat-jk2.manifest (renamed from base/tps/shared/conf/tomcat-jk2.manifest)0
-rw-r--r--base/tps-tomcat/shared/conf/tomcat-users.xml (renamed from base/tps/shared/conf/tomcat-users.xml)0
-rw-r--r--base/tps-tomcat/shared/conf/tomcat6.conf (renamed from base/tps/shared/conf/tomcat6.conf)0
-rw-r--r--base/tps-tomcat/shared/conf/uriworkermap.properties (renamed from base/tps/shared/conf/uriworkermap.properties)0
-rw-r--r--base/tps-tomcat/shared/conf/vlv.ldif (renamed from base/tps/shared/conf/vlv.ldif)0
-rw-r--r--base/tps-tomcat/shared/conf/vlvtasks.ldif (renamed from base/tps/shared/conf/vlvtasks.ldif)0
-rw-r--r--base/tps-tomcat/shared/conf/web.xml (renamed from base/tps/shared/conf/web.xml)0
-rw-r--r--base/tps-tomcat/shared/conf/workers.properties (renamed from base/tps/shared/conf/workers.properties)0
-rw-r--r--base/tps-tomcat/shared/conf/workers.properties.minimal (renamed from base/tps/shared/conf/workers.properties.minimal)0
-rw-r--r--base/tps-tomcat/shared/conf/workers2.properties (renamed from base/tps/shared/conf/workers2.properties)0
-rw-r--r--base/tps-tomcat/shared/conf/workers2.properties.minimal (renamed from base/tps/shared/conf/workers2.properties.minimal)0
-rwxr-xr-xbase/tps-tomcat/shared/etc/init.d/pki-tpsd (renamed from base/tps/shared/etc/init.d/pki-tpsd)0
-rw-r--r--base/tps-tomcat/shared/lib/systemd/system/pki-tpsd.target (renamed from base/tps/shared/lib/systemd/system/pki-tpsd.target)0
-rw-r--r--base/tps-tomcat/shared/lib/systemd/system/pki-tpsd@.service (renamed from base/tps/shared/lib/systemd/system/pki-tpsd@.service)0
-rwxr-xr-xbase/tps-tomcat/shared/webapps/tps/404.html (renamed from base/tps/shared/webapps/tps/404.html)0
-rwxr-xr-xbase/tps-tomcat/shared/webapps/tps/500.html (renamed from base/tps/shared/webapps/tps/500.html)0
-rw-r--r--base/tps-tomcat/shared/webapps/tps/GenUnexpectedError.template (renamed from base/tps/shared/webapps/tps/GenUnexpectedError.template)0
-rw-r--r--base/tps-tomcat/shared/webapps/tps/META-INF/context.xml (renamed from base/tps/shared/webapps/tps/META-INF/context.xml)0
-rw-r--r--base/tps-tomcat/shared/webapps/tps/WEB-INF/auth.properties (renamed from base/tps/shared/webapps/tps/WEB-INF/auth.properties)0
-rw-r--r--base/tps-tomcat/shared/webapps/tps/WEB-INF/velocity.properties (renamed from base/tps/shared/webapps/tps/WEB-INF/velocity.properties)0
-rw-r--r--base/tps-tomcat/shared/webapps/tps/WEB-INF/web.xml (renamed from base/tps/shared/webapps/tps/WEB-INF/web.xml)0
-rw-r--r--base/tps-tomcat/shared/webapps/tps/index.html (renamed from base/tps/shared/webapps/tps/index.html)0
-rw-r--r--base/tps-tomcat/shared/webapps/tps/services.template (renamed from base/tps/shared/webapps/tps/services.template)0
-rw-r--r--base/tps-tomcat/src/CMakeLists.txt (renamed from base/tps/java/CMakeLists.txt)2
-rw-r--r--base/tps-tomcat/src/org/dogtagpki/tps/TPSConnection.java (renamed from base/tps/java/org/dogtagpki/tps/TPSConnection.java)0
-rw-r--r--base/tps-tomcat/src/org/dogtagpki/tps/TPSMessage.java (renamed from base/tps/java/org/dogtagpki/tps/TPSMessage.java)0
-rw-r--r--base/tps-tomcat/src/org/dogtagpki/tps/server/TPSApplication.java (renamed from base/tps/java/org/dogtagpki/tps/server/TPSApplication.java)0
-rw-r--r--base/tps-tomcat/src/org/dogtagpki/tps/server/TPSServlet.java (renamed from base/tps/java/org/dogtagpki/tps/server/TPSServlet.java)0
-rw-r--r--base/tps-tomcat/src/org/dogtagpki/tps/server/TPSSubsystem.java (renamed from base/tps/java/org/dogtagpki/tps/server/TPSSubsystem.java)0
-rw-r--r--base/tps-tomcat/src/org/dogtagpki/tps/token/TokenDatabase.java (renamed from base/tps/java/org/dogtagpki/tps/token/TokenDatabase.java)0
-rw-r--r--base/tps-tomcat/src/org/dogtagpki/tps/token/TokenRecord.java (renamed from base/tps/java/org/dogtagpki/tps/token/TokenRecord.java)0
-rw-r--r--base/tps-tomcat/src/org/dogtagpki/tps/token/TokenService.java (renamed from base/tps/java/org/dogtagpki/tps/token/TokenService.java)0
-rw-r--r--base/tps-tomcat/src/pki-tps.mf (renamed from base/tps/java/pki-tps.mf)0
-rw-r--r--base/tps/CMakeLists.txt19
-rw-r--r--base/tps/doc/CMakeLists.txt8
-rw-r--r--base/tps/doc/CS.cfg.in1608
-rwxr-xr-xscripts/compose_dogtag_pki_meta_packages2
-rwxr-xr-xscripts/compose_dogtag_pki_theme_packages2
-rwxr-xr-xscripts/compose_ipa_pki_theme_packages2
-rwxr-xr-xscripts/compose_pki_console_packages2
-rwxr-xr-xscripts/compose_pki_core_packages25
-rwxr-xr-xscripts/compose_pki_migrate_packages2
-rwxr-xr-xscripts/compose_pki_ra_packages2
-rwxr-xr-xscripts/compose_pki_tps_packages2
-rw-r--r--specs/pki-core.spec72
-rw-r--r--specs/pki-tps.spec8
75 files changed, 2324 insertions, 39 deletions
diff --git a/.classpath b/.classpath
index 0cc81a118..bee1aacbf 100644
--- a/.classpath
+++ b/.classpath
@@ -16,7 +16,7 @@
<classpathentry kind="src" path="base/kra/functional/src"/>
<classpathentry kind="src" path="base/common/functional/src"/>
<classpathentry kind="src" path="base/ca/functional/src"/>
- <classpathentry kind="src" path="base/tps/java"/>
+ <classpathentry kind="src" path="base/tps-tomcat/src"/>
<classpathentry kind="con" path="org.eclipse.jdt.launching.JRE_CONTAINER"/>
<classpathentry kind="lib" path="/usr/share/java/apache-commons-cli.jar"/>
<classpathentry kind="lib" path="/usr/share/java/apache-commons-logging.jar"/>
diff --git a/base/CMakeLists.txt b/base/CMakeLists.txt
index 0a8e51647..0dc513666 100644
--- a/base/CMakeLists.txt
+++ b/base/CMakeLists.txt
@@ -17,6 +17,7 @@ if (APPLICATION_FLAVOR_PKI_CORE)
add_subdirectory(kra)
add_subdirectory(ocsp)
add_subdirectory(tks)
+ add_subdirectory(tps)
add_subdirectory(silent)
if(WITH_JAVADOC)
diff --git a/base/ra/CMakeLists.txt b/base/ra/CMakeLists.txt
index e3e2c1eba..ece6713c6 100644
--- a/base/ra/CMakeLists.txt
+++ b/base/ra/CMakeLists.txt
@@ -1,7 +1,7 @@
project(ra)
+add_subdirectory(doc)
add_subdirectory(setup)
-add_subdirectory(shared/conf)
# install systemd scripts
install(
diff --git a/base/ra/shared/conf/CMakeLists.txt b/base/ra/doc/CMakeLists.txt
index 419289d03..419289d03 100644
--- a/base/ra/shared/conf/CMakeLists.txt
+++ b/base/ra/doc/CMakeLists.txt
diff --git a/base/ra/shared/conf/CS.cfg.in b/base/ra/doc/CS.cfg.in
index 227b117ce..227b117ce 100644
--- a/base/ra/shared/conf/CS.cfg.in
+++ b/base/ra/doc/CS.cfg.in
diff --git a/base/tps-tomcat/CMakeLists.txt b/base/tps-tomcat/CMakeLists.txt
new file mode 100644
index 000000000..58304db06
--- /dev/null
+++ b/base/tps-tomcat/CMakeLists.txt
@@ -0,0 +1,67 @@
+project(tps Java)
+
+add_subdirectory(src)
+
+# install files
+add_subdirectory(setup)
+add_subdirectory(shared/conf)
+
+# install systemd scripts
+install(
+ FILES
+ shared/lib/systemd/system/pki-tpsd.target
+ shared/lib/systemd/system/pki-tpsd@.service
+ DESTINATION
+ ${SYSTEMD_LIB_INSTALL_DIR}
+ PERMISSIONS
+ OWNER_EXECUTE OWNER_WRITE OWNER_READ
+ GROUP_EXECUTE GROUP_READ
+ WORLD_EXECUTE WORLD_READ
+)
+
+# install init script
+install(
+ FILES
+ shared/etc/init.d/pki-tpsd
+ DESTINATION
+ ${SYSCONF_INSTALL_DIR}/rc.d/init.d
+ PERMISSIONS
+ OWNER_EXECUTE OWNER_WRITE OWNER_READ
+ GROUP_EXECUTE GROUP_READ
+ WORLD_EXECUTE WORLD_READ
+)
+
+# install directories
+install(
+ DIRECTORY
+ shared/
+ DESTINATION
+ ${SHARE_INSTALL_PREFIX}/${APPLICATION_NAME}/${PROJECT_NAME}
+ PATTERN
+ "CMakeLists.txt" EXCLUDE
+ PATTERN
+ "etc/*" EXCLUDE
+ PATTERN
+ "conf/CS.cfg.in" EXCLUDE
+ PATTERN
+ "lib/*" EXCLUDE
+)
+
+# install empty directories
+install(
+ DIRECTORY
+ DESTINATION
+ ${VAR_INSTALL_DIR}/lock/pki/tps
+)
+
+install(
+ DIRECTORY
+ DESTINATION
+ ${VAR_INSTALL_DIR}/run/pki/tps
+)
+
+install(
+ DIRECTORY
+ DESTINATION
+ ${SYSTEMD_ETC_INSTALL_DIR}/pki-tpsd.target.wants
+)
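Review bot: The first `install()` block marks the two systemd unit files (`pki-tpsd.target` and `pki-tpsd@.service`) executable for owner, group and world, apparently by reusing the permission list of the init-script block below it. Unit files are declarative configuration rather than programs, systemd logs a warning when a unit file is marked executable, and the conventional mode is 0644. For that block I would write `PERMISSIONS OWNER_WRITE OWNER_READ GROUP_READ WORLD_READ` and keep the execute bits only on `shared/etc/init.d/pki-tpsd`.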
diff --git a/base/tps-tomcat/LICENSE b/base/tps-tomcat/LICENSE
new file mode 100644
index 000000000..af64f0781
--- /dev/null
+++ b/base/tps-tomcat/LICENSE
@@ -0,0 +1,469 @@
+This Program is free software; you can redistribute it and/or modify it
+under the terms of the GNU Lesser General Public License as published by
+the Free Software Foundation; version 2.1 of the License.
+
+This Program is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License
+for more details.
+
+You should have received a copy of the GNU Lesser General Public License along
+with this Program; if not, write to the Free Software Foundation, Inc.,
+59 Temple Place, Suite 330, Boston, MA 02111-1307 USA.
+
+ GNU LESSER GENERAL PUBLIC LICENSE
+ Version 2.1, February 1999
+
+ Copyright (C) 1991, 1999 Free Software Foundation, Inc.
+ 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
+ Everyone is permitted to copy and distribute verbatim copies
+ of this license document, but changing it is not allowed.
+
+[This is the first released version of the Lesser GPL. It also counts
+ as the successor of the GNU Library Public License, version 2, hence
+ the version number 2.1.]
+
+ Preamble
+
+ The licenses for most software are designed to take away your
+freedom to share and change it. By contrast, the GNU General Public
+Licenses are intended to guarantee your freedom to share and change
+free software--to make sure the software is free for all its users.
+
+ This license, the Lesser General Public License, applies to some
+specially designated software packages--typically libraries--of the
+Free Software Foundation and other authors who decide to use it. You
+can use it too, but we suggest you first think carefully about whether
+this license or the ordinary General Public License is the better
+strategy to use in any particular case, based on the explanations below.
+
+ When we speak of free software, we are referring to freedom of use,
+not price. Our General Public Licenses are designed to make sure that
+you have the freedom to distribute copies of free software (and charge
+for this service if you wish); that you receive source code or can get
+it if you want it; that you can change the software and use pieces of
+it in new free programs; and that you are informed that you can do
+these things.
+
+ To protect your rights, we need to make restrictions that forbid
+distributors to deny you these rights or to ask you to surrender these
+rights. These restrictions translate to certain responsibilities for
+you if you distribute copies of the library or if you modify it.
+
+ For example, if you distribute copies of the library, whether gratis
+or for a fee, you must give the recipients all the rights that we gave
+you. You must make sure that they, too, receive or can get the source
+code. If you link other code with the library, you must provide
+complete object files to the recipients, so that they can relink them
+with the library after making changes to the library and recompiling
+it. And you must show them these terms so they know their rights.
+
+ We protect your rights with a two-step method: (1) we copyright the
+library, and (2) we offer you this license, which gives you legal
+permission to copy, distribute and/or modify the library.
+
+ To protect each distributor, we want to make it very clear that
+there is no warranty for the free library. Also, if the library is
+modified by someone else and passed on, the recipients should know
+that what they have is not the original version, so that the original
+author's reputation will not be affected by problems that might be
+introduced by others.
+
+ Finally, software patents pose a constant threat to the existence of
+any free program. We wish to make sure that a company cannot
+effectively restrict the users of a free program by obtaining a
+restrictive license from a patent holder. Therefore, we insist that
+any patent license obtained for a version of the library must be
+consistent with the full freedom of use specified in this license.
+
+ Most GNU software, including some libraries, is covered by the
+ordinary GNU General Public License. This license, the GNU Lesser
+General Public License, applies to certain designated libraries, and
+is quite different from the ordinary General Public License. We use
+this license for certain libraries in order to permit linking those
+libraries into non-free programs.
+
+ When a program is linked with a library, whether statically or using
+a shared library, the combination of the two is legally speaking a
+combined work, a derivative of the original library. The ordinary
+General Public License therefore permits such linking only if the
+entire combination fits its criteria of freedom. The Lesser General
+Public License permits more lax criteria for linking other code with
+the library.
+
+ We call this license the "Lesser" General Public License because it
+does Less to protect the user's freedom than the ordinary General
+Public License. It also provides other free software developers Less
+of an advantage over competing non-free programs. These disadvantages
+are the reason we use the ordinary General Public License for many
+libraries. However, the Lesser license provides advantages in certain
+special circumstances.
+
+ For example, on rare occasions, there may be a special need to
+encourage the widest possible use of a certain library, so that it becomes
+a de-facto standard. To achieve this, non-free programs must be
+allowed to use the library. A more frequent case is that a free
+library does the same job as widely used non-free libraries. In this
+case, there is little to gain by limiting the free library to free
+software only, so we use the Lesser General Public License.
+
+ In other cases, permission to use a particular library in non-free
+programs enables a greater number of people to use a large body of
+free software. For example, permission to use the GNU C Library in
+non-free programs enables many more people to use the whole GNU
+operating system, as well as its variant, the GNU/Linux operating
+system.
+
+ Although the Lesser General Public License is Less protective of the
+users' freedom, it does ensure that the user of a program that is
+linked with the Library has the freedom and the wherewithal to run
+that program using a modified version of the Library.
+
+ The precise terms and conditions for copying, distribution and
+modification follow. Pay close attention to the difference between a
+"work based on the library" and a "work that uses the library". The
+former contains code derived from the library, whereas the latter must
+be combined with the library in order to run.
+
+ GNU LESSER GENERAL PUBLIC LICENSE
+ TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
+
+ 0. This License Agreement applies to any software library or other
+program which contains a notice placed by the copyright holder or
+other authorized party saying it may be distributed under the terms of
+this Lesser General Public License (also called "this License").
+Each licensee is addressed as "you".
+
+ A "library" means a collection of software functions and/or data
+prepared so as to be conveniently linked with application programs
+(which use some of those functions and data) to form executables.
+
+ The "Library", below, refers to any such software library or work
+which has been distributed under these terms. A "work based on the
+Library" means either the Library or any derivative work under
+copyright law: that is to say, a work containing the Library or a
+portion of it, either verbatim or with modifications and/or translated
+straightforwardly into another language. (Hereinafter, translation is
+included without limitation in the term "modification".)
+
+ "Source code" for a work means the preferred form of the work for
+making modifications to it. For a library, complete source code means
+all the source code for all modules it contains, plus any associated
+interface definition files, plus the scripts used to control compilation
+and installation of the library.
+
+ Activities other than copying, distribution and modification are not
+covered by this License; they are outside its scope. The act of
+running a program using the Library is not restricted, and output from
+such a program is covered only if its contents constitute a work based
+on the Library (independent of the use of the Library in a tool for
+writing it). Whether that is true depends on what the Library does
+and what the program that uses the Library does.
+
+ 1. You may copy and distribute verbatim copies of the Library's
+complete source code as you receive it, in any medium, provided that
+you conspicuously and appropriately publish on each copy an
+appropriate copyright notice and disclaimer of warranty; keep intact
+all the notices that refer to this License and to the absence of any
+warranty; and distribute a copy of this License along with the
+Library.
+
+ You may charge a fee for the physical act of transferring a copy,
+and you may at your option offer warranty protection in exchange for a
+fee.
+
+ 2. You may modify your copy or copies of the Library or any portion
+of it, thus forming a work based on the Library, and copy and
+distribute such modifications or work under the terms of Section 1
+above, provided that you also meet all of these conditions:
+
+ a) The modified work must itself be a software library.
+
+ b) You must cause the files modified to carry prominent notices
+ stating that you changed the files and the date of any change.
+
+ c) You must cause the whole of the work to be licensed at no
+ charge to all third parties under the terms of this License.
+
+ d) If a facility in the modified Library refers to a function or a
+ table of data to be supplied by an application program that uses
+ the facility, other than as an argument passed when the facility
+ is invoked, then you must make a good faith effort to ensure that,
+ in the event an application does not supply such function or
+ table, the facility still operates, and performs whatever part of
+ its purpose remains meaningful.
+
+ (For example, a function in a library to compute square roots has
+ a purpose that is entirely well-defined independent of the
+ application. Therefore, Subsection 2d requires that any
+ application-supplied function or table used by this function must
+ be optional: if the application does not supply it, the square
+ root function must still compute square roots.)
+
+These requirements apply to the modified work as a whole. If
+identifiable sections of that work are not derived from the Library,
+and can be reasonably considered independent and separate works in
+themselves, then this License, and its terms, do not apply to those
+sections when you distribute them as separate works. But when you
+distribute the same sections as part of a whole which is a work based
+on the Library, the distribution of the whole must be on the terms of
+this License, whose permissions for other licensees extend to the
+entire whole, and thus to each and every part regardless of who wrote
+it.
+
+Thus, it is not the intent of this section to claim rights or contest
+your rights to work written entirely by you; rather, the intent is to
+exercise the right to control the distribution of derivative or
+collective works based on the Library.
+
+In addition, mere aggregation of another work not based on the Library
+with the Library (or with a work based on the Library) on a volume of
+a storage or distribution medium does not bring the other work under
+the scope of this License.
+
+ 3. You may opt to apply the terms of the ordinary GNU General Public
+License instead of this License to a given copy of the Library. To do
+this, you must alter all the notices that refer to this License, so
+that they refer to the ordinary GNU General Public License, version 2,
+instead of to this License. (If a newer version than version 2 of the
+ordinary GNU General Public License has appeared, then you can specify
+that version instead if you wish.) Do not make any other change in
+these notices.
+
+ Once this change is made in a given copy, it is irreversible for
+that copy, so the ordinary GNU General Public License applies to all
+subsequent copies and derivative works made from that copy.
+
+ This option is useful when you wish to copy part of the code of
+the Library into a program that is not a library.
+
+ 4. You may copy and distribute the Library (or a portion or
+derivative of it, under Section 2) in object code or executable form
+under the terms of Sections 1 and 2 above provided that you accompany
+it with the complete corresponding machine-readable source code, which
+must be distributed under the terms of Sections 1 and 2 above on a
+medium customarily used for software interchange.
+
+ If distribution of object code is made by offering access to copy
+from a designated place, then offering equivalent access to copy the
+source code from the same place satisfies the requirement to
+distribute the source code, even though third parties are not
+compelled to copy the source along with the object code.
+
+ 5. A program that contains no derivative of any portion of the
+Library, but is designed to work with the Library by being compiled or
+linked with it, is called a "work that uses the Library". Such a
+work, in isolation, is not a derivative work of the Library, and
+therefore falls outside the scope of this License.
+
+ However, linking a "work that uses the Library" with the Library
+creates an executable that is a derivative of the Library (because it
+contains portions of the Library), rather than a "work that uses the
+library". The executable is therefore covered by this License.
+Section 6 states terms for distribution of such executables.
+
+ When a "work that uses the Library" uses material from a header file
+that is part of the Library, the object code for the work may be a
+derivative work of the Library even though the source code is not.
+Whether this is true is especially significant if the work can be
+linked without the Library, or if the work is itself a library. The
+threshold for this to be true is not precisely defined by law.
+
+ If such an object file uses only numerical parameters, data
+structure layouts and accessors, and small macros and small inline
+functions (ten lines or less in length), then the use of the object
+file is unrestricted, regardless of whether it is legally a derivative
+work. (Executables containing this object code plus portions of the
+Library will still fall under Section 6.)
+
+ Otherwise, if the work is a derivative of the Library, you may
+distribute the object code for the work under the terms of Section 6.
+Any executables containing that work also fall under Section 6,
+whether or not they are linked directly with the Library itself.
+
+ 6. As an exception to the Sections above, you may also combine or
+link a "work that uses the Library" with the Library to produce a
+work containing portions of the Library, and distribute that work
+under terms of your choice, provided that the terms permit
+modification of the work for the customer's own use and reverse
+engineering for debugging such modifications.
+
+ You must give prominent notice with each copy of the work that the
+Library is used in it and that the Library and its use are covered by
+this License. You must supply a copy of this License. If the work
+during execution displays copyright notices, you must include the
+copyright notice for the Library among them, as well as a reference
+directing the user to the copy of this License. Also, you must do one
+of these things:
+
+ a) Accompany the work with the complete corresponding
+ machine-readable source code for the Library including whatever
+ changes were used in the work (which must be distributed under
+ Sections 1 and 2 above); and, if the work is an executable linked
+ with the Library, with the complete machine-readable "work that
+ uses the Library", as object code and/or source code, so that the
+ user can modify the Library and then relink to produce a modified
+ executable containing the modified Library. (It is understood
+ that the user who changes the contents of definitions files in the
+ Library will not necessarily be able to recompile the application
+ to use the modified definitions.)
+
+ b) Use a suitable shared library mechanism for linking with the
+ Library. A suitable mechanism is one that (1) uses at run time a
+ copy of the library already present on the user's computer system,
+ rather than copying library functions into the executable, and (2)
+ will operate properly with a modified version of the library, if
+ the user installs one, as long as the modified version is
+ interface-compatible with the version that the work was made with.
+
+ c) Accompany the work with a written offer, valid for at
+ least three years, to give the same user the materials
+ specified in Subsection 6a, above, for a charge no more
+ than the cost of performing this distribution.
+
+ d) If distribution of the work is made by offering access to copy
+ from a designated place, offer equivalent access to copy the above
+ specified materials from the same place.
+
+ e) Verify that the user has already received a copy of these
+ materials or that you have already sent this user a copy.
+
+ For an executable, the required form of the "work that uses the
+Library" must include any data and utility programs needed for
+reproducing the executable from it. However, as a special exception,
+the materials to be distributed need not include anything that is
+normally distributed (in either source or binary form) with the major
+components (compiler, kernel, and so on) of the operating system on
+which the executable runs, unless that component itself accompanies
+the executable.
+
+ It may happen that this requirement contradicts the license
+restrictions of other proprietary libraries that do not normally
+accompany the operating system. Such a contradiction means you cannot
+use both them and the Library together in an executable that you
+distribute.
+
+ 7. You may place library facilities that are a work based on the
+Library side-by-side in a single library together with other library
+facilities not covered by this License, and distribute such a combined
+library, provided that the separate distribution of the work based on
+the Library and of the other library facilities is otherwise
+permitted, and provided that you do these two things:
+
+ a) Accompany the combined library with a copy of the same work
+ based on the Library, uncombined with any other library
+ facilities. This must be distributed under the terms of the
+ Sections above.
+
+ b) Give prominent notice with the combined library of the fact
+ that part of it is a work based on the Library, and explaining
+ where to find the accompanying uncombined form of the same work.
+
+ 8. You may not copy, modify, sublicense, link with, or distribute
+the Library except as expressly provided under this License. Any
+attempt otherwise to copy, modify, sublicense, link with, or
+distribute the Library is void, and will automatically terminate your
+rights under this License. However, parties who have received copies,
+or rights, from you under this License will not have their licenses
+terminated so long as such parties remain in full compliance.
+
+ 9. You are not required to accept this License, since you have not
+signed it. However, nothing else grants you permission to modify or
+distribute the Library or its derivative works. These actions are
+prohibited by law if you do not accept this License. Therefore, by
+modifying or distributing the Library (or any work based on the
+Library), you indicate your acceptance of this License to do so, and
+all its terms and conditions for copying, distributing or modifying
+the Library or works based on it.
+
+ 10. Each time you redistribute the Library (or any work based on the
+Library), the recipient automatically receives a license from the
+original licensor to copy, distribute, link with or modify the Library
+subject to these terms and conditions. You may not impose any further
+restrictions on the recipients' exercise of the rights granted herein.
+You are not responsible for enforcing compliance by third parties with
+this License.
+
+ 11. If, as a consequence of a court judgment or allegation of patent
+infringement or for any other reason (not limited to patent issues),
+conditions are imposed on you (whether by court order, agreement or
+otherwise) that contradict the conditions of this License, they do not
+excuse you from the conditions of this License. If you cannot
+distribute so as to satisfy simultaneously your obligations under this
+License and any other pertinent obligations, then as a consequence you
+may not distribute the Library at all. For example, if a patent
+license would not permit royalty-free redistribution of the Library by
+all those who receive copies directly or indirectly through you, then
+the only way you could satisfy both it and this License would be to
+refrain entirely from distribution of the Library.
+
+If any portion of this section is held invalid or unenforceable under any
+particular circumstance, the balance of the section is intended to apply,
+and the section as a whole is intended to apply in other circumstances.
+
+It is not the purpose of this section to induce you to infringe any
+patents or other property right claims or to contest validity of any
+such claims; this section has the sole purpose of protecting the
+integrity of the free software distribution system which is
+implemented by public license practices. Many people have made
+generous contributions to the wide range of software distributed
+through that system in reliance on consistent application of that
+system; it is up to the author/donor to decide if he or she is willing
+to distribute software through any other system and a licensee cannot
+impose that choice.
+
+This section is intended to make thoroughly clear what is believed to
+be a consequence of the rest of this License.
+
+ 12. If the distribution and/or use of the Library is restricted in
+certain countries either by patents or by copyrighted interfaces, the
+original copyright holder who places the Library under this License may add
+an explicit geographical distribution limitation excluding those countries,
+so that distribution is permitted only in or among countries not thus
+excluded. In such case, this License incorporates the limitation as if
+written in the body of this License.
+
+ 13. The Free Software Foundation may publish revised and/or new
+versions of the Lesser General Public License from time to time.
+Such new versions will be similar in spirit to the present version,
+but may differ in detail to address new problems or concerns.
+
+Each version is given a distinguishing version number. If the Library
+specifies a version number of this License which applies to it and
+"any later version", you have the option of following the terms and
+conditions either of that version or of any later version published by
+the Free Software Foundation. If the Library does not specify a
+license version number, you may choose any version ever published by
+the Free Software Foundation.
+
+ 14. If you wish to incorporate parts of the Library into other free
+programs whose distribution conditions are incompatible with these,
+write to the author to ask for permission. For software which is
+copyrighted by the Free Software Foundation, write to the Free
+Software Foundation; we sometimes make exceptions for this. Our
+decision will be guided by the two goals of preserving the free status
+of all derivatives of our free software and of promoting the sharing
+and reuse of software generally.
+
+ NO WARRANTY
+
+ 15. BECAUSE THE LIBRARY IS LICENSED FREE OF CHARGE, THERE IS NO
+WARRANTY FOR THE LIBRARY, TO THE EXTENT PERMITTED BY APPLICABLE LAW.
+EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR
+OTHER PARTIES PROVIDE THE LIBRARY "AS IS" WITHOUT WARRANTY OF ANY
+KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE
+IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE
+LIBRARY IS WITH YOU. SHOULD THE LIBRARY PROVE DEFECTIVE, YOU ASSUME
+THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION.
+
+ 16. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN
+WRITING WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY
+AND/OR REDISTRIBUTE THE LIBRARY AS PERMITTED ABOVE, BE LIABLE TO YOU
+FOR DAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR
+CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE
+LIBRARY (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING
+RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A
+FAILURE OF THE LIBRARY TO OPERATE WITH ANY OTHER SOFTWARE), EVEN IF
+SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH
+DAMAGES.
diff --git a/base/tps-tomcat/setup/CMakeLists.txt b/base/tps-tomcat/setup/CMakeLists.txt
new file mode 100644
index 000000000..d2a1399e6
--- /dev/null
+++ b/base/tps-tomcat/setup/CMakeLists.txt
@@ -0,0 +1,6 @@
+install(
+ FILES
+ registry_instance
+ DESTINATION
+ ${SHARE_INSTALL_PREFIX}/${APPLICATION_NAME}/${PROJECT_NAME}/setup
+)
diff --git a/base/tps-tomcat/setup/registry_instance b/base/tps-tomcat/setup/registry_instance
new file mode 100644
index 000000000..6365ecb9e
--- /dev/null
+++ b/base/tps-tomcat/setup/registry_instance
@@ -0,0 +1,60 @@
+# Establish PKI Variable "Slot" Substitutions
+
+PKI_SUBSYSTEM_TYPE=[PKI_SUBSYSTEM_TYPE]
+export PKI_SUBSYSTEM_TYPE
+
+PKI_USER=[PKI_USER]
+export PKI_USER
+
+PKI_GROUP=[PKI_GROUP]
+export PKI_GROUP
+
+PKI_INSTANCE_NAME=[PKI_INSTANCE_NAME]
+export PKI_INSTANCE_NAME
+
+PKI_INSTANCE_PATH=[PKI_INSTANCE_PATH]
+export PKI_INSTANCE_PATH
+
+PKI_INSTANCE_INITSCRIPT=[PKI_INSTANCE_INITSCRIPT]
+export PKI_INSTANCE_INITSCRIPT
+
+PKI_SERVER_XML_CONF=[PKI_SERVER_XML_CONF]
+export PKI_SERVER_XML_CONF
+
+# Use CATALINA_BASE
+
+CATALINA_BASE=$PKI_INSTANCE_PATH
+export CATALINA_BASE
+
+TOMCAT_PROG=$PKI_INSTANCE_NAME
+export TOMCAT_PROG
+
+TOMCAT_USER=$PKI_USER
+export TOMCAT_USER
+
+TOMCAT_GROUP=$PKI_GROUP
+export TOMCAT_GROUP
+
+PKI_LOCKDIR="/var/lock/pki/${PKI_SUBSYSTEM_TYPE}"
+export PKI_LOCKDIR
+
+PKI_LOCKFILE="${PKI_LOCKDIR}/${PKI_INSTANCE_NAME}"
+export PKI_LOCKFILE
+
+PKI_PIDDIR="/var/run/pki/${PKI_SUBSYSTEM_TYPE}"
+export PKI_PIDDIR
+
+PKI_PIDFILE="${PKI_PIDDIR}/${PKI_INSTANCE_NAME}.pid"
+export PKI_PIDFILE
+
+TOMCAT_LOCKFILE=/var/lock/subsys/${PKI_INSTANCE_NAME}
+export TOMCAT_LOCKFILE
+
+TOMCAT_PIDFILE=[TOMCAT_PIDFILE]
+export TOMCAT_PIDFILE
+
+pki_instance_configuration_file=${PKI_INSTANCE_PATH}/conf/CS.cfg
+export pki_instance_configuration_file
+
+RESTART_SERVER=${PKI_INSTANCE_PATH}/conf/restart_server_after_configuration
+export RESTART_SERVER
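Review bot: The slot assignments at the top of the file, such as `PKI_INSTANCE_PATH=[PKI_INSTANCE_PATH]` and `PKI_USER=[PKI_USER]`, are unquoted. Once the slots are filled in, a value containing whitespace or shell metacharacters is parsed as shell syntax rather than data when the file is sourced, presumably by the instance init script running with its privileges. Single-quoting the substituted values, e.g. `PKI_INSTANCE_PATH='[PKI_INSTANCE_PATH]'`, keeps them literal as long as the substitution step rejects values containing a quote. The instance name also flows into `PKI_LOCKFILE`, `PKI_PIDFILE` and `TOMCAT_LOCKFILE` under `/var/lock` and `/var/run`, so a name containing `/` or `..` could move those paths outside their intended directories. That validation belongs in whatever tool performs the slot substitution, which is not visible in this hunk. A one-line header comment such as `# Sourced as shell; slot values must be validated before substitution` would document the contract.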
diff --git a/base/tps/shared/conf/CMakeLists.txt b/base/tps-tomcat/shared/conf/CMakeLists.txt
index 419289d03..419289d03 100644
--- a/base/tps/shared/conf/CMakeLists.txt
+++ b/base/tps-tomcat/shared/conf/CMakeLists.txt
diff --git a/base/tps/shared/conf/CS.cfg.in b/base/tps-tomcat/shared/conf/CS.cfg.in
index 1a392a119..1a392a119 100644
--- a/base/tps/shared/conf/CS.cfg.in
+++ b/base/tps-tomcat/shared/conf/CS.cfg.in
diff --git a/base/tps/shared/conf/acl.ldif b/base/tps-tomcat/shared/conf/acl.ldif
index fb63122d1..fb63122d1 100644
--- a/base/tps/shared/conf/acl.ldif
+++ b/base/tps-tomcat/shared/conf/acl.ldif
diff --git a/base/tps/shared/conf/catalina.policy b/base/tps-tomcat/shared/conf/catalina.policy
index 5ccc7959e..5ccc7959e 100644
--- a/base/tps/shared/conf/catalina.policy
+++ b/base/tps-tomcat/shared/conf/catalina.policy
diff --git a/base/tps/shared/conf/catalina.properties b/base/tps-tomcat/shared/conf/catalina.properties
index f6d1d1415..f6d1d1415 100644
--- a/base/tps/shared/conf/catalina.properties
+++ b/base/tps-tomcat/shared/conf/catalina.properties
diff --git a/base/tps/shared/conf/context.xml b/base/tps-tomcat/shared/conf/context.xml
index ba139add2..ba139add2 100644
--- a/base/tps/shared/conf/context.xml
+++ b/base/tps-tomcat/shared/conf/context.xml
diff --git a/base/tps/shared/conf/database.ldif b/base/tps-tomcat/shared/conf/database.ldif
index d3c5f9e68..d3c5f9e68 100644
--- a/base/tps/shared/conf/database.ldif
+++ b/base/tps-tomcat/shared/conf/database.ldif
diff --git a/base/tps/shared/conf/db.ldif b/base/tps-tomcat/shared/conf/db.ldif
index 1dada984a..1dada984a 100644
--- a/base/tps/shared/conf/db.ldif
+++ b/base/tps-tomcat/shared/conf/db.ldif
diff --git a/base/tps/shared/conf/etc/init.d/pki-tpsd b/base/tps-tomcat/shared/conf/etc/init.d/pki-tpsd
index 7b991f39c..7b991f39c 100755
--- a/base/tps/shared/conf/etc/init.d/pki-tpsd
+++ b/base/tps-tomcat/shared/conf/etc/init.d/pki-tpsd
diff --git a/base/tps/shared/conf/index.ldif b/base/tps-tomcat/shared/conf/index.ldif
index d896de394..d896de394 100644
--- a/base/tps/shared/conf/index.ldif
+++ b/base/tps-tomcat/shared/conf/index.ldif
diff --git a/base/tps/shared/conf/jk2.manifest b/base/tps-tomcat/shared/conf/jk2.manifest
index 986d7b874..986d7b874 100644
--- a/base/tps/shared/conf/jk2.manifest
+++ b/base/tps-tomcat/shared/conf/jk2.manifest
diff --git a/base/tps/shared/conf/jk2.properties b/base/tps-tomcat/shared/conf/jk2.properties
index 934d6ed54..934d6ed54 100644
--- a/base/tps/shared/conf/jk2.properties
+++ b/base/tps-tomcat/shared/conf/jk2.properties
diff --git a/base/tps/shared/conf/jkconf.ant.xml b/base/tps-tomcat/shared/conf/jkconf.ant.xml
index 48396f1b7..48396f1b7 100644
--- a/base/tps/shared/conf/jkconf.ant.xml
+++ b/base/tps-tomcat/shared/conf/jkconf.ant.xml
diff --git a/base/tps/shared/conf/jkconfig.manifest b/base/tps-tomcat/shared/conf/jkconfig.manifest
index 3ba1f2e3e..3ba1f2e3e 100644
--- a/base/tps/shared/conf/jkconfig.manifest
+++ b/base/tps-tomcat/shared/conf/jkconfig.manifest
diff --git a/base/tps/shared/conf/logging.properties b/base/tps-tomcat/shared/conf/logging.properties
index 796cfc071..796cfc071 100644
--- a/base/tps/shared/conf/logging.properties
+++ b/base/tps-tomcat/shared/conf/logging.properties
diff --git a/base/tps/shared/conf/manager.ldif b/base/tps-tomcat/shared/conf/manager.ldif
index 18700dd4b..18700dd4b 100644
--- a/base/tps/shared/conf/manager.ldif
+++ b/base/tps-tomcat/shared/conf/manager.ldif
diff --git a/base/tps/shared/conf/schema.ldif b/base/tps-tomcat/shared/conf/schema.ldif
index bde045630..bde045630 100644
--- a/base/tps/shared/conf/schema.ldif
+++ b/base/tps-tomcat/shared/conf/schema.ldif
diff --git a/base/tps/shared/conf/server-minimal.xml b/base/tps-tomcat/shared/conf/server-minimal.xml
index fc855c6e3..fc855c6e3 100644
--- a/base/tps/shared/conf/server-minimal.xml
+++ b/base/tps-tomcat/shared/conf/server-minimal.xml
diff --git a/base/tps/shared/conf/server.xml b/base/tps-tomcat/shared/conf/server.xml
index b66cb51ae..b66cb51ae 100644
--- a/base/tps/shared/conf/server.xml
+++ b/base/tps-tomcat/shared/conf/server.xml
diff --git a/base/tps/shared/conf/shm.manifest b/base/tps-tomcat/shared/conf/shm.manifest
index 0505c085b..0505c085b 100644
--- a/base/tps/shared/conf/shm.manifest
+++ b/base/tps-tomcat/shared/conf/shm.manifest
diff --git a/base/tps/shared/conf/tomcat-jk2.manifest b/base/tps-tomcat/shared/conf/tomcat-jk2.manifest
index acfef4a90..acfef4a90 100644
--- a/base/tps/shared/conf/tomcat-jk2.manifest
+++ b/base/tps-tomcat/shared/conf/tomcat-jk2.manifest
diff --git a/base/tps/shared/conf/tomcat-users.xml b/base/tps-tomcat/shared/conf/tomcat-users.xml
index daa9260cc..daa9260cc 100644
--- a/base/tps/shared/conf/tomcat-users.xml
+++ b/base/tps-tomcat/shared/conf/tomcat-users.xml
diff --git a/base/tps/shared/conf/tomcat6.conf b/base/tps-tomcat/shared/conf/tomcat6.conf
index 2d7def5ec..2d7def5ec 100644
--- a/base/tps/shared/conf/tomcat6.conf
+++ b/base/tps-tomcat/shared/conf/tomcat6.conf
diff --git a/base/tps/shared/conf/uriworkermap.properties b/base/tps-tomcat/shared/conf/uriworkermap.properties
index c89dd82a6..c89dd82a6 100644
--- a/base/tps/shared/conf/uriworkermap.properties
+++ b/base/tps-tomcat/shared/conf/uriworkermap.properties
diff --git a/base/tps/shared/conf/vlv.ldif b/base/tps-tomcat/shared/conf/vlv.ldif
index db7988e36..db7988e36 100644
--- a/base/tps/shared/conf/vlv.ldif
+++ b/base/tps-tomcat/shared/conf/vlv.ldif
diff --git a/base/tps/shared/conf/vlvtasks.ldif b/base/tps-tomcat/shared/conf/vlvtasks.ldif
index b6b4bb762..b6b4bb762 100644
--- a/base/tps/shared/conf/vlvtasks.ldif
+++ b/base/tps-tomcat/shared/conf/vlvtasks.ldif
diff --git a/base/tps/shared/conf/web.xml b/base/tps-tomcat/shared/conf/web.xml
index 8330ecca8..8330ecca8 100644
--- a/base/tps/shared/conf/web.xml
+++ b/base/tps-tomcat/shared/conf/web.xml
diff --git a/base/tps/shared/conf/workers.properties b/base/tps-tomcat/shared/conf/workers.properties
index ae26a983c..ae26a983c 100644
--- a/base/tps/shared/conf/workers.properties
+++ b/base/tps-tomcat/shared/conf/workers.properties
diff --git a/base/tps/shared/conf/workers.properties.minimal b/base/tps-tomcat/shared/conf/workers.properties.minimal
index 51980ac49..51980ac49 100644
--- a/base/tps/shared/conf/workers.properties.minimal
+++ b/base/tps-tomcat/shared/conf/workers.properties.minimal
diff --git a/base/tps/shared/conf/workers2.properties b/base/tps-tomcat/shared/conf/workers2.properties
index 3c8e0f4a5..3c8e0f4a5 100644
--- a/base/tps/shared/conf/workers2.properties
+++ b/base/tps-tomcat/shared/conf/workers2.properties
diff --git a/base/tps/shared/conf/workers2.properties.minimal b/base/tps-tomcat/shared/conf/workers2.properties.minimal
index 0e88d14c7..0e88d14c7 100644
--- a/base/tps/shared/conf/workers2.properties.minimal
+++ b/base/tps-tomcat/shared/conf/workers2.properties.minimal
diff --git a/base/tps/shared/etc/init.d/pki-tpsd b/base/tps-tomcat/shared/etc/init.d/pki-tpsd
index 7b991f39c..7b991f39c 100755
--- a/base/tps/shared/etc/init.d/pki-tpsd
+++ b/base/tps-tomcat/shared/etc/init.d/pki-tpsd
diff --git a/base/tps/shared/lib/systemd/system/pki-tpsd.target b/base/tps-tomcat/shared/lib/systemd/system/pki-tpsd.target
index 443c2adad..443c2adad 100644
--- a/base/tps/shared/lib/systemd/system/pki-tpsd.target
+++ b/base/tps-tomcat/shared/lib/systemd/system/pki-tpsd.target
diff --git a/base/tps/shared/lib/systemd/system/pki-tpsd@.service b/base/tps-tomcat/shared/lib/systemd/system/pki-tpsd@.service
index 4703b3fe8..4703b3fe8 100644
--- a/base/tps/shared/lib/systemd/system/pki-tpsd@.service
+++ b/base/tps-tomcat/shared/lib/systemd/system/pki-tpsd@.service
diff --git a/base/tps/shared/webapps/tps/404.html b/base/tps-tomcat/shared/webapps/tps/404.html
index 0bf93578c..0bf93578c 100755
--- a/base/tps/shared/webapps/tps/404.html
+++ b/base/tps-tomcat/shared/webapps/tps/404.html
diff --git a/base/tps/shared/webapps/tps/500.html b/base/tps-tomcat/shared/webapps/tps/500.html
index 3e1e8bb66..3e1e8bb66 100755
--- a/base/tps/shared/webapps/tps/500.html
+++ b/base/tps-tomcat/shared/webapps/tps/500.html
diff --git a/base/tps/shared/webapps/tps/GenUnexpectedError.template b/base/tps-tomcat/shared/webapps/tps/GenUnexpectedError.template
index ea545c145..ea545c145 100644
--- a/base/tps/shared/webapps/tps/GenUnexpectedError.template
+++ b/base/tps-tomcat/shared/webapps/tps/GenUnexpectedError.template
diff --git a/base/tps/shared/webapps/tps/META-INF/context.xml b/base/tps-tomcat/shared/webapps/tps/META-INF/context.xml
index e838503a6..e838503a6 100644
--- a/base/tps/shared/webapps/tps/META-INF/context.xml
+++ b/base/tps-tomcat/shared/webapps/tps/META-INF/context.xml
diff --git a/base/tps/shared/webapps/tps/WEB-INF/auth.properties b/base/tps-tomcat/shared/webapps/tps/WEB-INF/auth.properties
index 8ed17dbe0..8ed17dbe0 100644
--- a/base/tps/shared/webapps/tps/WEB-INF/auth.properties
+++ b/base/tps-tomcat/shared/webapps/tps/WEB-INF/auth.properties
diff --git a/base/tps/shared/webapps/tps/WEB-INF/velocity.properties b/base/tps-tomcat/shared/webapps/tps/WEB-INF/velocity.properties
index 5cd0454cc..5cd0454cc 100644
--- a/base/tps/shared/webapps/tps/WEB-INF/velocity.properties
+++ b/base/tps-tomcat/shared/webapps/tps/WEB-INF/velocity.properties
diff --git a/base/tps/shared/webapps/tps/WEB-INF/web.xml b/base/tps-tomcat/shared/webapps/tps/WEB-INF/web.xml
index 9a6c87462..9a6c87462 100644
--- a/base/tps/shared/webapps/tps/WEB-INF/web.xml
+++ b/base/tps-tomcat/shared/webapps/tps/WEB-INF/web.xml
diff --git a/base/tps/shared/webapps/tps/index.html b/base/tps-tomcat/shared/webapps/tps/index.html
index 30662d47a..30662d47a 100644
--- a/base/tps/shared/webapps/tps/index.html
+++ b/base/tps-tomcat/shared/webapps/tps/index.html
diff --git a/base/tps/shared/webapps/tps/services.template b/base/tps-tomcat/shared/webapps/tps/services.template
index c6792fea1..c6792fea1 100644
--- a/base/tps/shared/webapps/tps/services.template
+++ b/base/tps-tomcat/shared/webapps/tps/services.template
diff --git a/base/tps/java/CMakeLists.txt b/base/tps-tomcat/src/CMakeLists.txt
index c8f90e44e..2c9af352a 100644
--- a/base/tps/java/CMakeLists.txt
+++ b/base/tps-tomcat/src/CMakeLists.txt
@@ -104,6 +104,8 @@ javac(pki-tps-classes
${JSS_JAR} ${COMMONS_CODEC_JAR} ${SYMKEY_JAR} ${SERVLET_JAR}
OUTPUT_DIR
${CMAKE_BINARY_DIR}/classes
+ DEPENDS
+ pki-nsutil-jar pki-cmsutil-jar pki-certsrv-jar pki-cms-jar pki-cmscore-jar
)
configure_file(
diff --git a/base/tps/java/org/dogtagpki/tps/TPSConnection.java b/base/tps-tomcat/src/org/dogtagpki/tps/TPSConnection.java
index cd62ff530..cd62ff530 100644
--- a/base/tps/java/org/dogtagpki/tps/TPSConnection.java
+++ b/base/tps-tomcat/src/org/dogtagpki/tps/TPSConnection.java
diff --git a/base/tps/java/org/dogtagpki/tps/TPSMessage.java b/base/tps-tomcat/src/org/dogtagpki/tps/TPSMessage.java
index 522a0f408..522a0f408 100644
--- a/base/tps/java/org/dogtagpki/tps/TPSMessage.java
+++ b/base/tps-tomcat/src/org/dogtagpki/tps/TPSMessage.java
diff --git a/base/tps/java/org/dogtagpki/tps/server/TPSApplication.java b/base/tps-tomcat/src/org/dogtagpki/tps/server/TPSApplication.java
index 2f2b2a63a..2f2b2a63a 100644
--- a/base/tps/java/org/dogtagpki/tps/server/TPSApplication.java
+++ b/base/tps-tomcat/src/org/dogtagpki/tps/server/TPSApplication.java
diff --git a/base/tps/java/org/dogtagpki/tps/server/TPSServlet.java b/base/tps-tomcat/src/org/dogtagpki/tps/server/TPSServlet.java
index 78e6df4f8..78e6df4f8 100644
--- a/base/tps/java/org/dogtagpki/tps/server/TPSServlet.java
+++ b/base/tps-tomcat/src/org/dogtagpki/tps/server/TPSServlet.java
diff --git a/base/tps/java/org/dogtagpki/tps/server/TPSSubsystem.java b/base/tps-tomcat/src/org/dogtagpki/tps/server/TPSSubsystem.java
index 92017812c..92017812c 100644
--- a/base/tps/java/org/dogtagpki/tps/server/TPSSubsystem.java
+++ b/base/tps-tomcat/src/org/dogtagpki/tps/server/TPSSubsystem.java
diff --git a/base/tps/java/org/dogtagpki/tps/token/TokenDatabase.java b/base/tps-tomcat/src/org/dogtagpki/tps/token/TokenDatabase.java
index 3db76649f..3db76649f 100644
--- a/base/tps/java/org/dogtagpki/tps/token/TokenDatabase.java
+++ b/base/tps-tomcat/src/org/dogtagpki/tps/token/TokenDatabase.java
diff --git a/base/tps/java/org/dogtagpki/tps/token/TokenRecord.java b/base/tps-tomcat/src/org/dogtagpki/tps/token/TokenRecord.java
index 1f9d9caf5..1f9d9caf5 100644
--- a/base/tps/java/org/dogtagpki/tps/token/TokenRecord.java
+++ b/base/tps-tomcat/src/org/dogtagpki/tps/token/TokenRecord.java
diff --git a/base/tps/java/org/dogtagpki/tps/token/TokenService.java b/base/tps-tomcat/src/org/dogtagpki/tps/token/TokenService.java
index bc8b35d59..bc8b35d59 100644
--- a/base/tps/java/org/dogtagpki/tps/token/TokenService.java
+++ b/base/tps-tomcat/src/org/dogtagpki/tps/token/TokenService.java
diff --git a/base/tps/java/pki-tps.mf b/base/tps-tomcat/src/pki-tps.mf
index d77fe8fa9..d77fe8fa9 100644
--- a/base/tps/java/pki-tps.mf
+++ b/base/tps-tomcat/src/pki-tps.mf
diff --git a/base/tps/CMakeLists.txt b/base/tps/CMakeLists.txt
index aa6ac8cb1..954146cb4 100644
--- a/base/tps/CMakeLists.txt
+++ b/base/tps/CMakeLists.txt
@@ -36,13 +36,12 @@ SET(CMAKE_INSTALL_RPATH "${LIB_INSTALL_DIR}/tps")
# which point to directories outside the build tree to the install RPATH
SET(CMAKE_INSTALL_RPATH_USE_LINK_PATH TRUE)
-add_subdirectory(java)
add_subdirectory(src)
add_subdirectory(tools)
# install files
+add_subdirectory(doc)
add_subdirectory(setup)
-add_subdirectory(shared/conf)
# install systemd scripts
install(
@@ -214,19 +213,3 @@ install(
DESTINATION
${SYSTEMD_ETC_INSTALL_DIR}/pki-tpsd.target.wants
)
-
-# install directories
-install(
- DIRECTORY
- shared/
- DESTINATION
- ${SHARE_INSTALL_PREFIX}/${APPLICATION_NAME}/${PROJECT_NAME}
- PATTERN
- "CMakeLists.txt" EXCLUDE
- PATTERN
- "etc/*" EXCLUDE
- PATTERN
- "conf/CS.cfg.in" EXCLUDE
- PATTERN
- "lib/*" EXCLUDE
-)
diff --git a/base/tps/doc/CMakeLists.txt b/base/tps/doc/CMakeLists.txt
new file mode 100644
index 000000000..419289d03
--- /dev/null
+++ b/base/tps/doc/CMakeLists.txt
@@ -0,0 +1,8 @@
+configure_file(${CMAKE_CURRENT_SOURCE_DIR}/CS.cfg.in ${CMAKE_CURRENT_BINARY_DIR}/CS.cfg @ONLY)
+
+install(
+ FILES
+ ${CMAKE_CURRENT_BINARY_DIR}/CS.cfg
+ DESTINATION
+ ${SHARE_INSTALL_PREFIX}/${APPLICATION_NAME}/${PROJECT_NAME}/conf
+)
diff --git a/base/tps/doc/CS.cfg.in b/base/tps/doc/CS.cfg.in
new file mode 100644
index 000000000..d5c0f312e
--- /dev/null
+++ b/base/tps/doc/CS.cfg.in
@@ -0,0 +1,1608 @@
+_000=##
+_001=## Token Processing System (TPS) Configuration File
+_002=##
+pidDir=[PKI_PIDDIR]
+pkicreate.pki_instance_root=[PKI_INSTANCE_ROOT]
+pkicreate.pki_instance_name=[PKI_INSTANCE_NAME]
+pkicreate.subsystem_type=[PKI_SUBSYSTEM_TYPE]
+pkicreate.secure_port=[PKI_SECURE_PORT]
+pkicreate.non_clientauth_secure_port=[NON_CLIENTAUTH_SECURE_PORT]
+pkicreate.unsecure_port=[PKI_UNSECURE_PORT]
+pkicreate.user=[PKI_USER]
+pkicreate.group=[PKI_GROUP]
+pkiremove.cert.subsystem.nickname=subsystemCert cert-[PKI_INSTANCE_NAME]
+cs.type=TPS
+selftests._000=##
+selftests._001=## Self Tests
+selftests._002=##
+selftests._003=## The Self-Test plugin TPSSystemCertsVerification uses the
+selftests._004=## following parameters (where certusage is optional):
+selftests._005=## tps.cert.list = <list of cert tag names deliminated by ",">
+selftests._006=## tps.cert.<cert tag name>.nickname
+selftests._007=## tps.cert.<cert tag name>.certusage
+selftests._008=##
+selftests.container.logger.enable=true
+selftests.container.logger.expirationTime=0
+selftests.container.logger.file.type=RollingLogFile
+selftests.container.logger.fileName=[PKI_INSTANCE_PATH]/logs/selftests.log
+selftests.container.logger.level=10
+selftests.container.logger.maxFileSize=2000
+selftests.container.logger.rolloverInterval=2592000
+selftests.container.order.startup=TPSPresence:critical, TPSSystemCertsVerification:critical
+selftests.container.order.onDemand=TPSPresence:critical, TPSValidity:critical, TPSSystemCertsVerification:critical
+selftests.plugin.TPSPresence.nickname=[HSM_LABEL][NICKNAME]
+selftests.plugin.TPSValidity.nickname=[HSM_LABEL][NICKNAME]
+service.machineName=[PKI_HOSTNAME]
+service.instanceDir=[PKI_INSTANCE_PATH]
+service.securePort=[PKI_SECURE_PORT]
+service.non_clientauth_securePort=[NON_CLIENTAUTH_SECURE_PORT]
+service.unsecurePort=[PKI_UNSECURE_PORT]
+service.instanceID=[PKI_INSTANCE_NAME]
+logging._000=#########################################
+logging._001=# RA configuration File
+logging._002=#
+logging._003=# All <...> must be replaced with
+logging._004=# appropriate values.
+logging._005=#########################################
+logging._006=########################################
+logging._007=# logging
+logging._008=#
+logging._009=# logging.debug.enable:
+logging._010=# logging.audit.enable:
+logging._011=# logging.error.enable:
+logging._012=# - enable or disable the corresponding logging
+logging._013=# logging.debug.filename:
+logging._014=# logging.audit.filename:
+logging._015=# logging.error.filename:
+logging._016=# - name of the log file
+logging._017=# logging.debug.level:
+logging._018=# logging.audit.level:
+logging._019=# logging.error.level:
+logging._020=# - level of logging. (0-10)
+logging._021=# 0 - no logging,
+logging._022=# 4 - LL_PER_SERVER these messages will occur only once
+logging._023=# during the entire invocation of the
+logging._024=# server, e. g. at startup or shutdown
+logging._025=# time., reading the conf parameters.
+logging._026=# Perhaps other infrequent events
+logging._027=# relating to failing over of CA, TKS,
+logging._028=# too
+logging._029=# 6 - LL_PER_CONNECTION these messages happen once per
+logging._030=# connection - most of the log events
+logging._031=# will be at this level
+logging._032=# 8 - LL_PER_PDU these messages relate to PDU
+logging._033=# processing. If you have something that
+logging._034=# is done for every PDU, such as
+logging._035=# applying the MAC, it should be logged
+logging._036=# at this level
+logging._037=# 9 - LL_ALL_DATA_IN_PDU dump all the data in the PDU - a more
+logging._038=# chatty version of the above
+logging._039=# 10 - all logging
+logging._040=# logging.audit.buffer.size: # in bytes
+logging._041=# logging.audit.flush.interval: # in seconds, 0 disables flush thread
+logging._042=# logging.*.file.type:
+logging._043=# - file type: RollingLogFile or LogFile
+logging._044=# logging.*.rolloverInterval:
+logging._045=# - interval to roll over logs (seconds), 0 to disable rollover
+logging._046=# logging.*.maxFileSize:
+logging._047=# - size at which file rollover occurs, in kB
+logging._048=# logging.*.expirationTime:
+logging._049=# - maximum age of log, older unmodified logs are deleted( in seconds, 0 to disable)
+logging._050=#########################################
+logging.debug.enable=true
+logging.debug.filename=[PKI_INSTANCE_PATH]/logs/tps-debug.log
+logging.debug.level=10
+logging.debug.file.type=RollingLogFile
+logging.debug.maxFileSize=2000
+logging.debug.rolloverInterval=2592000
+logging.debug.expirationTime=0
+logging.audit.enable=true
+logging.audit.filename=[PKI_INSTANCE_PATH]/logs/tps-audit.log
+logging.audit.signedAuditFilename=[PKI_INSTANCE_PATH]/logs/signedAudit/tps_audit
+logging.audit.level=10
+logging.audit.logSigning=false
+logging.audit.signedAuditCertNickname=auditSigningCert cert-[PKI_INSTANCE_NAME]
+logging.audit.selected.events=AUTHZ_SUCCESS,AUTHZ_FAIL,AUTH_FAIL,AUTH_SUCCESS,ROLE_ASSUME,ENROLLMENT,PIN_RESET,FORMAT,CONFIG,CONFIG_ROLE,CONFIG_TOKEN,CONFIG_PROFILE,CONFIG_AUDIT,APPLET_UPGRADE,KEY_CHANGEOVER,RENEWAL,CIMC_CERT_VERIFICATION
+logging.audit.selectable.events=AUTHZ_SUCCESS,AUTHZ_FAIL,AUTH_FAIL,AUTH_SUCCESS,ROLE_ASSUME,ENROLLMENT,PIN_RESET,FORMAT,CONFIG,CONFIG_ROLE,CONFIG_TOKEN,CONFIG_PROFILE,CONFIG_AUDIT,APPLET_UPGRADE,KEY_CHANGEOVER,RENEWAL,CIMC_CERT_VERIFICATION
+logging.audit.nonselectable.events=AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,LOGGING_SIGNED_AUDIT_SIGNING
+logging.audit.buffer.size=512
+logging.audit.flush.interval=5
+logging.audit.file.type=RollingLogFile
+logging.audit.maxFileSize=2000
+logging.audit.rolloverInterval=2592000
+logging.audit.expirationTime=0
+logging.error.enable=true
+logging.error.filename=[PKI_INSTANCE_PATH]/logs/tps-error.log
+logging.error.level=10
+logging.error.file.type=RollingLogFile
+logging.error.maxFileSize=2000
+logging.error.rolloverInterval=2592000
+logging.error.expirationTime=0
+conn.ca1._000=#########################################
+conn.ca1._001=# CA connection
+conn.ca1._002=#
+conn.ca1._003=# conn.ca<n>.hostport:
+conn.ca1._004=# - host name and port number of your CA, format is host:port
+conn.ca1._005=# conn.ca<n>.clientNickname:
+conn.ca1._006=# - nickname of the client certificate for
+conn.ca1._007=# authentication
+conn.ca1._008=# conn.ca<n>.servlet.enrollment:
+conn.ca1._009=# - servlet to contact in CA
+conn.ca1._010=# - must be '/ca/profileSubmitSSLClient'
+conn.ca1._011=# conn.ca<n>.retryConnect:
+conn.ca1._012=# - number of reconnection attempts on failure
+conn.ca1._013=# conn.ca<n>.timeout:
+conn.ca1._014=# - connection timeout
+conn.ca1._015=# conn.ca<n>.SSLOn:
+conn.ca1._016=# - enable SSL or not
+conn.ca1._017=# conn.ca<n>.keepAlive:
+conn.ca1._018=# - enable keep alive or not
+conn.ca1._019=# conn.ca<n>.caNickname:
+conn.ca1._020=# - nickname of the ca certificate
+conn.ca1._021=# conn.ca<n>.caSKI:
+conn.ca1._022=# - Subject Key Identifier (in Base64) of the ca certificate
+conn.ca1._023=# (automatically calculated by the system)
+conn.ca1._024=#
+conn.ca1._025=# conn.ca.list=ca1,ca2...ca<n>
+conn.ca1._026=# - list of ca connection IDs for revocation routing
+conn.ca1._027=#
+conn.ca1._028=# where
+conn.ca1._029=# <n> - CA connection ID
+conn.ca1._030=#########################################
+failover.pod.enable=false
+conn.ca1.hostport=[PKI_CA_HOSTNAME]:[PKI_CA_PORT]
+conn.ca1.clientNickname=[HSM_LABEL][NICKNAME]
+conn.ca1.servlet.enrollment=/ca/ee/ca/profileSubmitSSLClient
+conn.ca1.servlet.renewal=/ca/ee/ca/profileSubmitSSLClient
+conn.ca1.servlet.revoke=/ca/ee/subsystem/ca/doRevoke
+conn.ca1.servlet.unrevoke=/ca/ee/subsystem/ca/doUnrevoke
+conn.ca1.retryConnect=3
+conn.ca1.timeout=100
+conn.ca1.SSLOn=true
+conn.ca1.keepAlive=true
+conn.tks1._000=#########################################
+conn.tks1._001=# TKS connection
+conn.tks1._002=#
+conn.tks1._003=# conn.tks<n>.hostport:
+conn.tks1._004=# - host name and port number of your TKS, the format is host:port
+conn.tks1._005=# conn.tks<n>.clientNickname:
+conn.tks1._006=# - nickname of the client certificate for
+conn.tks1._007=# authentication
+conn.tks1._008=# conn.tks<n>.servlet.computeSessionKey:
+conn.tks1._009=# - servlet to compute session key
+conn.tks1._010=# - must be '/tks/computeSessionKey'
+conn.tks1._011=# conn.tks<n>.servlet.encryptData:
+conn.tks1._012=# - servlet to encrypt data
+conn.tks1._013=# - must be '/tks/encryptData'
+conn.tks1._014=# conn.tks<n>.servlet.createKeySetData:
+conn.tks1._015=# - servlet to create key set data
+conn.tks1._016=# - must be '/tks/createKeySetData'
+conn.tks1._017=# conn.tks<n>.retryConnect:
+conn.tks1._018=# - number of reconnection attempts on failure
+conn.tks1._019=# conn.tks<n>.SSLOn
+conn.tks1._020=# - enable SSL or not
+conn.tks1._021=# conn.tks<n>.keepAlive:
+conn.tks1._022=# - enable keep alive or not
+conn.tks1._023=#
+conn.tks1._024=# where
+conn.tks1._025=# <n> - TKS connection ID
+conn.tks1._026=# conn.tks<n>.tksSharedSymKeyName:
+conn.tks1._027=# - set shared secret key name
+conn.tks1._028=#########################################
+conn.tks1.hostport=[TKS_HOST]:[TKS_PORT]
+conn.tks1.clientNickname=[HSM_LABEL][NICKNAME]
+conn.tks1.servlet.computeSessionKey=/tks/agent/tks/computeSessionKey
+conn.tks1.servlet.encryptData=/tks/agent/tks/encryptData
+conn.tks1.servlet.createKeySetData=/tks/agent/tks/createKeySetData
+conn.tks1.servlet.computeRandomData=/tks/agent/tks/computeRandomData
+conn.tks1.retryConnect=3
+conn.tks1.timeout=100
+conn.tks1.generateHostChallenge=true
+conn.tks1.SSLOn=true
+conn.tks1.keepAlive=false
+conn.tks1.keySet=defKeySet
+conn.tks1.serverKeygen=[SERVER_KEYGEN]
+conn.tks1.tksSharedSymKeyName=sharedSecret
+conn.drm1._000=#########################################
+conn.drm1._001=# DRM connection
+conn.drm1._002=#
+conn.drm1._003=#conn.drm.totalConns
+conn.drm1._004=# - # of DRM connections
+conn.drm1._005=#conn.drm<n>.hostport
+conn.drm1._006=# - host name and port number of your DRM, the format is host:port
+conn.drm1._007=#conn.drm<n>.clientNickname
+conn.drm1._008=# - nickname of the client certificate for
+conn.drm1._009=# authentication
+conn.drm1._010=#conn.drm<n>.servlet.GenerateKeyPair
+conn.drm1._011=# - servlet to generate key pairs and archive keys on DRM
+conn.drm1._012=# - must be '/kra/GenerateKeyPair'
+conn.drm1._013=#conn.drm<n>.servlet.TokenKeyRecovery=/kra/TokenKeyRecovery
+conn.drm1._014=# - servlet to handle key recovery
+conn.drm1._015=# - must be '/kra/TokenKeyRecovery'
+conn.drm1._016=#conn.drm<n>.retryConnect=3
+conn.drm1._017=# - number of reconnection attempts on failure
+conn.drm1._018=#conn.drm<n>.SSLOn=true
+conn.drm1._019=# - enable SSL or not
+conn.drm1._020=#conn.drm<n>.keepAlive=false
+conn.drm1._021=# - enable keep alive or not
+conn.drm1._022=#
+conn.drm1._023=# where
+conn.drm1._024=# <n> - DRM connection ID
+conn.drm1._025=#########################################
+conn.drm.totalConns=1
+conn.drm1.hostport=[DRM_HOST]:[DRM_PORT]
+conn.drm1.clientNickname=[HSM_LABEL][NICKNAME]
+conn.drm1.servlet.GenerateKeyPair=/kra/agent/kra/GenerateKeyPair
+conn.drm1.servlet.TokenKeyRecovery=/kra/agent/kra/TokenKeyRecovery
+conn.drm1.retryConnect=3
+conn.drm1.timeout=100
+conn.drm1.SSLOn=true
+conn.drm1.keepAlive=false
+auth.instance._000=########################################
+auth.instance._001=# publishing
+auth.instance._002=#
+auth.instance._003=# publisher.instance.<n>.libraryName:
+auth.instance._004=# - name of the library specified with a fully qualified path name
+auth.instance._005=# publisher.instance.<n>.libraryFactory:
+auth.instance._006=# - the name of the function which instantiates the publisher
+auth.instance._007=# publisher.instance.<n>.publisherId:
+auth.instance._008=# - the publisher ID
+auth.instance._009=#
+auth.instance._010=# where
+auth.instance._011=# <n> - publisher connection ID
+auth.instance._012=########################################
+auth.instance._013=#########################################
+auth.instance._014=# authentication
+auth.instance._015=#
+auth.instance._016=# auth.instance.<n>.libraryName:
+auth.instance._017=# - name of the library specified with a fully qualified path name
+auth.instance._018=# auth.instance.<n>.libraryFactory:
+auth.instance._019=# - the name of the function which instantiates the authentication
+auth.instance._020=# auth.instance.<n>.authId
+auth.instance._021=# - the authentication ID
+auth.instance._022=# auth.instance.<n>.hostport
+auth.instance._023=# - parameter specific to the given authentication,
+auth.instance._024=# i. e., LDAPAuthentication (id=ldap1)
+auth.instance._025=# - host name and port number, host:port
+auth.instance._026=# - for failover, provide multiple host:port designations
+auth.instance._027=# separated by " "
+auth.instance._028=# auth.instance.<n>.SSLOn:
+auth.instance._029=# - parameter specific to the given authentication,
+auth.instance._030=# i. e., LDAPAuthentication (id=ldap1)
+auth.instance._031=# - use SSL or not for LDAP service
+auth.instance._032=# auth.instance.<n>.retries:
+auth.instance._033=# - parameter specific to the given authentication,
+auth.instance._034=# i. e., LDAPAuthentication (id=ldap1)
+auth.instance._035=# - number of authentication re-attempts when authentication failed
+auth.instance._036=# auth.instance.<n>.retryConnect:
+auth.instance._037=# - parameter specific to the given authentication,
+auth.instance._038=# i. e., LDAPAuthentication (id=ldap1)
+auth.instance._039=# - number of connection re-attempts when connection failed
+auth.instance._040=#
+auth.instance._041=# where
+auth.instance._042=# <n> - authentication connection ID
+auth.instance._043=#########################################
+auth.instance.0.type=LDAP_Authentication
+auth.instance.0.libraryName=[SYSTEM_USER_LIBRARIES]/tps/[LIB_PREFIX]ldapauth[OBJ_EXT]
+auth.instance.0.libraryFactory=GetAuthentication
+auth.instance.0.authId=ldap1
+auth.instance.0.hostport=[LDAP_HOST]:[LDAP_PORT]
+auth.instance.0.SSLOn=false
+auth.instance.0.retries=1
+auth.instance.0.retryConnect=3
+auth.instance.0.baseDN=[LDAP_ROOT]
+auth.instance.0.ssl=false
+auth.instance.0.attributes._001=##############################################
+auth.instance.0.attributes._002=# attributes will be available
+auth.instance.0.attributes._003=# as $auth.<attribute>$
+auth.instance.0.attributes._004=##############################################
+auth.instance.0.attributes=mail,cn,uid
+auth.instance.0.ui.title.en=LDAP Authentication
+auth.instance.0.ui.description.en=This authenticates user against the LDAP directory.
+auth.instance.0.ui.id.UID.name.en=LDAP User ID
+auth.instance.0.ui.id.PASSWORD.name.en=LDAP Password
+auth.instance.0.ui.id.UID.description.en=LDAP User ID
+auth.instance.0.ui.id.PASSWORD.description.en=LDAP Password
+auth.instance.1.type=LDAP_Authentication
+auth.instance.1.libraryName=[SYSTEM_USER_LIBRARIES]/tps/[LIB_PREFIX]ldapauth[OBJ_EXT]
+auth.instance.1.libraryFactory=GetAuthentication
+auth.instance.1.authId=ldap2
+auth.instance.1.bindDN=cn=Directory Manager
+auth.instance.1.bindPWD=[PKI_INSTANCE_PATH]/conf/password.conf
+auth.instance.1.hostport=[TOKENDB_HOST]:[TOKENDB_PORT]
+auth.instance.1.SSLOn=false
+auth.instance.1.retries=1
+auth.instance.1.retryConnect=3
+auth.instance.1.baseDN=[TOKENDB_ROOT]
+auth.instance.1.ssl=false
+auth.instance.1.attributes._001=##############################################
+auth.instance.1.attributes._002=# attributes will be available
+auth.instance.1.attributes._003=# as $auth.<attribute>$
+auth.instance.1.attributes._004=##############################################
+auth.instance.1.attributes=mail,cn,uid
+auth.instance.1.ui.title.en=LDAP Authentication
+auth.instance.1.ui.description.en=This authenticates user against the LDAP directory.
+auth.instance.1.ui.id.UID.name.en=LDAP User ID
+auth.instance.1.ui.id.PASSWORD.name.en=LDAP Password
+auth.instance.1.ui.id.UID.description.en=LDAP User ID
+auth.instance.1.ui.id.PASSWORD.description.en=LDAP Password
+applet._000=#########################################
+applet._001=# applet information
+applet._002=# SAF Key:
+applet._003=# applet.aid.cardmgr_instance=A0000001510000
+applet._004=#########################################
+applet.aid.cardmgr_instance=A0000000030000
+applet.aid.netkey_instance=627601FF000000
+applet.aid.netkey_file=627601FF0000
+applet.aid.netkey_old_instance=A00000000101
+applet.aid.netkey_old_file=A000000001
+applet.so_pin=000000000000
+applet.delete_old=true
+general.verifyProof=1
+general.applet_ext=ijc
+general.search.sizelimit.max=2000
+general.search.sizelimit.default=100
+general.search.timelimit.max=10
+general.search.timelimit.default=10
+general.pwlength.min=16
+channel._000=#########################################
+channel._001=# channel.encryption:
+channel._002=#
+channel._003=# - enable encryption for all operation commands to token
+channel._004=# - default is true
+channel._005=# channel.blocksize=242
+channel._006=# channel.defKeyVersion=0
+channel._007=# channel.defKeyIndex=0
+channel._008=#########################################
+channel.encryption=true
+channel.blocksize=248
+channel.defKeyVersion=0
+channel.defKeyIndex=0
+# NOTE: Since the following comments will be 'scrubbed' from any TPS
+# instance's configuration file, they will ONLY be viewable in
+# the '/usr/share/pki/tps/conf/CS.cfg' TPS subsystem template!
+#
+# Config the size of memory managed memory in the applet
+# Default is 5000, try not go get close to the instanceSize
+# which defaults to 18000:
+#
+# * channel.instanceSize=18000
+# * channel.appletMemorySize=5000
+#
+preop.pin=[PKI_RANDOM_NUMBER]
+cms.product.version=@APPLICATION_VERSION@
+preop.cert._000=#########################################
+preop.cert._001=# Installation configuration "preop" certs parameters
+preop.cert._002=#########################################
+preop.cert.list=sslserver,subsystem,audit_signing
+tps.cert.audit_signing.certusage=ObjectSigner
+tps.cert.sslserver.certusage=SSLServer
+tps.cert.subsystem.certusage=SSLClient
+preop.cert.sslserver.enable=true
+preop.cert.subsystem.enable=true
+preop.cert.audit_signing.enable=false
+preop.cert.sslserver.defaultSigningAlgorithm=SHA256withRSA
+preop.cert.sslserver.dn=CN=[PKI_HOSTNAME], OU=[PKI_INSTANCE_NAME]
+preop.cert.sslserver.keysize.customsize=2048
+preop.cert.sslserver.keysize.size=2048
+preop.cert.sslserver.keysize.select=default
+preop.cert.sslserver.nickname=Server-Cert cert-[PKI_INSTANCE_NAME]
+preop.cert.sslserver.profile=caInternalAuthServerCert
+preop.cert.sslserver.subsystem=tps
+preop.cert._003=#preop.cert.sslserver.type=local
+preop.cert.sslserver.userfriendlyname=SSL Server Certificate
+preop.cert._004=#preop.cert.sslserver.cncomponent.override=false
+preop.cert.subsystem.defaultSigningAlgorithm=SHA256withRSA
+preop.cert.subsystem.dn=CN=TPS Subsystem Certificate, OU=[PKI_INSTANCE_NAME]
+preop.cert.subsystem.keysize.customsize=2048
+preop.cert.subsystem.keysize.size=2048
+preop.cert.subsystem.keysize.select=default
+preop.cert.subsystem.nickname=subsystemCert cert-[PKI_INSTANCE_NAME]
+preop.cert.subsystem.profile=caInternalAuthSubsystemCert
+preop.cert.subsystem.subsystem=tps
+preop.cert._005=#preop.cert.subsystem.type=local
+preop.cert.subsystem.userfriendlyname=Subsystem Certificate
+preop.cert._006=#preop.cert.subsystem.cncomponent.override=true
+preop.cert.audit_signing.defaultSigningAlgorithm=SHA256withRSA
+preop.cert.audit_signing.dn=CN=TPS Audit Signing Certificate, OU=[PKI_INSTANCE_NAME]
+preop.cert.audit_signing.keysize.customsize=2048
+preop.cert.audit_signing.keysize.size=2048
+preop.cert.audit_signing.keysize.select=default
+preop.cert.audit_signing.nickname=auditSigningCert cert-[PKI_INSTANCE_NAME]
+preop.cert.audit_signing.profile=caInternalAuthAuditSigningCert
+preop.cert.audit_signing.subsystem=tps
+preop.cert._005=#preop.cert.audit_signing.type=local
+preop.cert.audit_signing.userfriendlyname=Audit Log Signing Certificate
+preop.cert._006=#preop.cert.audit_signing.cncomponent.override=true
+preop.configModules._000=#########################################
+preop.configModules._001=# Installation configuration "preop" module parameters
+preop.configModules._002=#########################################
+preop.configModules.count=3
+preop.configModules.module0.commonName=NSS Internal PKCS #11 Module
+preop.configModules.module0.imagePath=/pki/images/clearpixel.gif
+preop.configModules.module0.userFriendlyName=NSS Internal PKCS #11 Module
+preop.configModules.module1.commonName=nfast
+preop.configModules.module1.imagePath=/pki/images/clearpixel.gif
+preop.configModules.module1.userFriendlyName=nCipher's nFast Token Hardware Module
+preop.configModules.module2.commonName=lunasa
+preop.configModules.module2.imagePath=/pki/images/clearpixel.gif
+preop.configModules.module2.userFriendlyName=SafeNet's LunaSA Token Hardware Module
+preop.module.token=NSS Certificate DB
+preop.keysize._000=#########################################
+preop.keysize._001=# Installation configuration "preop" keysize parameters
+preop.keysize._002=#########################################
+preop.keysize.customsize=2048
+preop.keysize.select=default
+preop.keysize.size=2048
+preop.keysize.ecc.size=256
+preop.adminauth.done=false
+preop.adminpanel.done=false
+preop.agentauth.done=false
+preop.authdb.done=false
+preop.cainfo.done=false
+preop.certprettyprint.done=false
+preop.certrequest.done=false
+preop.confighsmlogin.done=false
+preop.confighsm.done=false
+preop.database.done=false
+preop.displaycertchain2.done=false
+preop.displaycertchain.done=false
+preop.donepanel.done=false
+preop.drminfo.done=false
+preop.importadmincert.done=false
+preop.loginpanel.done=false
+preop.ModulePanel.done=false
+preop.namepanel.done=false
+preop.securitydomain.done=false
+preop.SizePanel.done=false
+preop.subsystemtype.done=false
+preop.tksinfo.done=false
+preop.welcome.done=false
+op.enroll._000=#########################################
+op.enroll._001=# Default Operations
+op.enroll._002=#
+op.enroll._003=# op.<op>.mapping.order=<n>,<n>,<n>
+op.enroll._004=# - contains at least one value or a series
+op.enroll._005=# of comma-separated mapping values which
+op.enroll._006=# are checked in sequential order
+op.enroll._007=# op.<op>.mapping.<n>.filter.tokenType=userKey
+op.enroll._008=# - can be either empty or token type
+op.enroll._009=# specified by the client
+op.enroll._010=# op.<op>.mapping.<n>.filter.tokenATR=
+op.enroll._011=# - can be either empty or token ATR
+op.enroll._012=# specified by the client
+op.enroll._013=# op.<op>.mapping.<n>.filter.appletMajorVersion=1
+op.enroll._014=# - can be either empty or applet major version
+op.enroll._015=# specified by the client
+op.enroll._016=# op.<op>.mapping.<n>.filter.appletMinorVersion=
+op.enroll._017=# - can be either empty or applet minor version
+op.enroll._018=# specified by the client
+op.enroll._019=# - if major and minor versions are both zero, this
+op.enroll._020=# indicate there is no applet on the token.
+op.enroll._021=# op.<op>.mapping.<n>.target.tokenType=userKey
+op.enroll._022=# - if tokenType, tokenATR, appletMajorVersion,
+op.enroll._023=# and appletMinorVersion are matched, value in
+op.enroll._024=# targetTokenType will be used to locate
+op.enroll._025=# the corresponding token profile to
+op.enroll._026=# process the request.
+op.enroll._027=#
+op.enroll._028=# where
+op.enroll._029=# <op> - operation; enroll,pinReset,format
+op.enroll._030=# <n> - mapping ID; order is specifiable
+op.enroll._031=#
+op.enroll._032=# Token ATR:
+op.enroll._033=# Web Store - 3B759400006202020201
+op.enroll._034=#########################################
+op.enroll.mapping.order=0,1,2
+op.enroll.mapping.0.filter.tokenType=userKey
+op.enroll.mapping.0.filter.tokenATR=
+op.enroll.mapping.0.filter.tokenCUID.start=
+op.enroll.mapping.0.filter.tokenCUID.end=
+op.enroll.mapping.0.filter.appletMajorVersion=1
+op.enroll.mapping.0.filter.appletMinorVersion=
+op.enroll.mapping.0.target.tokenType=userKey
+op.enroll.mapping.1.filter.tokenType=soKey
+op.enroll.mapping.1.filter.tokenATR=
+op.enroll.mapping.1.filter.tokenCUID.start=
+op.enroll.mapping.1.filter.tokenCUID.end=
+op.enroll.mapping.1.filter.appletMajorVersion=
+op.enroll.mapping.1.filter.appletMinorVersion=
+op.enroll.mapping.1.target.tokenType=soKey
+op.enroll.mapping.2.filter.tokenType=
+op.enroll.mapping.2.filter.tokenATR=
+op.enroll.mapping.2.filter.tokenCUID.start=
+op.enroll.mapping.2.filter.tokenCUID.end=
+op.enroll.mapping.2.filter.appletMajorVersion=
+op.enroll.mapping.2.filter.appletMinorVersion=
+op.enroll.mapping.2.target.tokenType=userKey
+op.pinReset.mapping.order=0
+op.pinReset.mapping.0.filter.tokenType=
+op.pinReset.mapping.0.filter.tokenATR=
+op.pinReset.mapping.0.filter.tokenCUID.start=
+op.pinReset.mapping.0.filter.tokenCUID.end=
+op.pinReset.mapping.0.filter.appletMajorVersion=
+op.pinReset.mapping.0.filter.appletMinorVersion=
+op.pinReset.mapping.0.target.tokenType=userKey
+op.format.mapping.order=0,1,2,3,4,5,6
+op.format.mapping.0.filter.tokenType=soCleanUserToken
+op.format.mapping.0.filter.tokenATR=
+op.format.mapping.0.filter.tokenCUID.start=
+op.format.mapping.0.filter.tokenCUID.end=
+op.format.mapping.0.filter.appletMajorVersion=
+op.format.mapping.0.filter.appletMinorVersion=
+op.format.mapping.0.target.tokenType=soCleanUserToken
+op.format.mapping.1.filter.tokenType=soUserKey
+op.format.mapping.1.filter.tokenATR=
+op.format.mapping.1.filter.tokenCUID.start=
+op.format.mapping.1.filter.tokenCUID.end=
+op.format.mapping.1.filter.appletMajorVersion=
+op.format.mapping.1.filter.appletMinorVersion=
+op.format.mapping.1.target.tokenType=soUserKey
+op.format.mapping.2.filter.tokenType=soKey
+op.format.mapping.2.filter.tokenATR=
+op.format.mapping.2.filter.tokenCUID.start=
+op.format.mapping.2.filter.tokenCUID.end=
+op.format.mapping.2.filter.appletMajorVersion=
+op.format.mapping.2.filter.appletMinorVersion=
+op.format.mapping.2.target.tokenType=soKey
+op.format.mapping.3.filter.tokenType=userKey
+op.format.mapping.3.filter.tokenATR=
+op.format.mapping.3.filter.tokenCUID.start=
+op.format.mapping.3.filter.tokenCUID.end=
+op.format.mapping.3.filter.appletMajorVersion=
+op.format.mapping.3.filter.appletMinorVersion=
+op.format.mapping.3.target.tokenType=userKey
+op.format.mapping.4.filter.tokenType=soCleanSOToken
+op.format.mapping.4.filter.tokenATR=
+op.format.mapping.4.filter.tokenCUID.start=
+op.format.mapping.4.filter.tokenCUID.end=
+op.format.mapping.4.filter.appletMajorVersion=
+op.format.mapping.4.filter.appletMinorVersion=
+op.format.mapping.5.filter.tokenType=cleanToken
+op.format.mapping.5.filter.tokenATR=
+op.format.mapping.5.filter.tokenCUID.start=
+op.format.mapping.5.filter.tokenCUID.end=
+op.format.mapping.5.filter.appletMajorVersion=
+op.format.mapping.5.filter.appletMinorVersion=
+op.format.mapping.5.target.tokenType=cleanToken
+op.format.mapping.4.target.tokenType=soCleanSOToken
+op.format.mapping.6.filter.tokenATR=
+op.format.mapping.6.filter.tokenCUID.start=
+op.format.mapping.6.filter.tokenCUID.end=
+op.format.mapping.6.filter.appletMajorVersion=
+op.format.mapping.6.filter.appletMinorVersion=
+op.format.mapping.6.target.tokenType=tokenKey
+op.enroll.userKey._000=#########################################
+op.enroll.userKey._001=# Enrollment Operation For CoolKey
+op.enroll.userKey._002=#
+op.enroll.userKey._003=# op.enroll.<tokenType>.keyGen.<keyType>.keySize=1024
+op.enroll.userKey._004=# - size of the key the token should generate
+op.enroll.userKey._005=# - max value: 1024
+op.enroll.userKey._006=#
+op.enroll.userKey._007=# op.enroll.<tokenType>.keyGen.<keyType>.keyCapabilities.encrypt=false
+op.enroll.userKey._008=# op.enroll.<tokenType>.keyGen.<keyType>.keyCapabilities.sign=true
+op.enroll.userKey._009=# op.enroll.<tokenType>.keyGen.<keyType>.keyCapabilities.signRecover=true
+op.enroll.userKey._010=# op.enroll.<tokenType>.keyGen.<keyType>.keyCapabilities.decrypt=false
+op.enroll.userKey._011=# op.enroll.<tokenType>.keyGen.<keyType>.keyCapabilities.derive=false
+op.enroll.userKey._012=# op.enroll.<tokenType>.keyGen.<keyType>.keyCapabilities.unwrap=false
+op.enroll.userKey._013=# op.enroll.<tokenType>.keyGen.<keyType>.keyCapabilities.wrap=false
+op.enroll.userKey._014=# op.enroll.<tokenType>.keyGen.<keyType>.keyCapabilities.verifyRecover=true
+op.enroll.userKey._015=# op.enroll.<tokenType>.keyGen.<keyType>.keyCapabilities.verify=true
+op.enroll.userKey._016=# op.enroll.<tokenType>.keyGen.<keyType>.keyCapabilities.sensitive=true
+op.enroll.userKey._017=# op.enroll.<tokenType>.keyGen.<keyType>.keyCapabilities.private=true
+op.enroll.userKey._018=# op.enroll.<tokenType>.keyGen.<keyType>.keyCapabilities.token=true
+op.enroll.userKey._019=# - specify the PKCS11 attributes to set on the token
+op.enroll.userKey._020=#
+op.enroll.userKey._021=# op.enroll.userKey.keyGen.signing.cuid_label
+op.enroll.userKey._022=# - specify the CUID shown in the certificate
+op.enroll.userKey._023=#
+op.enroll.userKey._024=# op.enroll.userKey.keyGen.signing.label
+op.enroll.userKey._025=# - specify the token name. all resulting labels for co-existing keys
+op.enroll.userKey._026=# on the same token must be unique
+op.enroll.userKey._027=# - $pretty_cuid$ - Pretty Print CUID (i.e. 4090-0062-FF02-0000-0B9C)
+op.enroll.userKey._028=# - $cuid$ - CUID (i.e. 40900062FF0200000B9C)
+op.enroll.userKey._029=# - $msn$ - MSN
+op.enroll.userKey._030=# - $userid$ - User ID
+op.enroll.userKey._031=# - $profileId$ - Profile ID
+op.enroll.userKey._032=#
+op.enroll.userKey._033=# op.enroll.<tokenType>.keyGen.<keyType>.overwrite=true|false
+op.enroll.userKey._034=# - if key and certificate exist, should RA overwrite them
+op.enroll.userKey._035=#
+op.enroll.userKey._036=# op.enroll.<tokenType>.keyGen.<keyType>.certId=C1
+op.enroll.userKey._037=# op.enroll.<tokenType>.keyGen.<keyType>.certAttrId=c1
+op.enroll.userKey._038=# op.enroll.<tokenType>.keyGen.<keyType>.privateKeyAttrId=k2
+op.enroll.userKey._039=# op.enroll.<tokenType>.keyGen.<keyType>.publicKeyAttrId=k3
+op.enroll.userKey._040=# op.enroll.<tokenType>.keyGen.<keyType>.privateKeyNumber=2
+op.enroll.userKey._041=# op.enroll.<tokenType>.keyGen.<keyType>.publicKeyNumber=3
+op.enroll.userKey._042=# - specify name PKCS11 object IDs
+op.enroll.userKey._043=# - Lower case letters signify objects containing PKCS11 object attributes,
+op.enroll.userKey._044=# in the format described below.
+op.enroll.userKey._045=# 'c' An object containing PKCS11 attributes for a certificate.
+op.enroll.userKey._046=# 'k' An object containing PKCS11 attributes for a public or private key
+op.enroll.userKey._047=# 'r' An object containing PKCS11 attributes for an "reader".
+op.enroll.userKey._048=# - Upper case letters signify objects containing raw data corresponding to
+op.enroll.userKey._049=# the lower case letters described above. For example, object "C0"
+op.enroll.userKey._050=# contains raw data corresponding to object "c0".
+op.enroll.userKey._051=# 'C' This object contains an entire DER cert, and nothing else.
+op.enroll.userKey._052=# 'K' This object contains a MUSCLE "key blob". TPS does not use this.
+op.enroll.userKey._053=#
+op.enroll.userKey._054=# op.enroll.<tokenType>.keyGen.<keyType>.keyUsage=0
+op.enroll.userKey._055=# op.enroll.<tokenType>.keyGen.<keyType>.keyUser=0
+op.enroll.userKey._056=# - user specifies which PIN user should be granted
+op.enroll.userKey._057=# use privilege of the generated private key, or
+op.enroll.userKey._058=# 15 if all users have use privilege for the private key
+op.enroll.userKey._059=# - Valid uage: (only specifies the usage for the private key)
+op.enroll.userKey._060=# 0 - default usage (Signing only for this APDU)
+op.enroll.userKey._061=# 1 - signing only
+op.enroll.userKey._062=# 2 - decryption only
+op.enroll.userKey._063=# 3 - signing and decryption
+op.enroll.userKey._064=#
+op.enroll.userKey._065=# op.enroll.<tokenType>.pkcs11obj.enable=true|false
+op.enroll.userKey._066=# - enable writing of PKCS11 cache object to the token
+op.enroll.userKey._067=#
+op.enroll.userKey._068=# op.enroll.<tokenType>.pkcs11obj.compress.enable=true|false
+op.enroll.userKey._069=# - enable compression for writing of PKCS11 cache object to the token
+op.enroll.userKey._070=#
+op.enroll.userKey._071=# op.enroll.<tokenType>.pinReset.pin.maxRetries=127
+op.enroll.userKey._072=# - max number of retries before blocking the token
+op.enroll.userKey._073=# - max value: 127
+op.enroll.userKey._074=#
+op.enroll.userKey._075=# There is a special case of tokenType userKeyTemporary.
+op.enroll.userKey._076=# Make sure the profile specified by the profileId to have
+op.enroll.userKey._077=# short validity period (eg, 7 days) for the certificate.
+op.enroll.userKey._078=#
+op.enroll.userKey._079=# The three recovery schemes supported are:
+op.enroll.userKey._080=#
+op.enroll.userKey._081=# * GenerateNewKey - Generate a new
+op.enroll.userKey._082=# cert for the
+op.enroll.userKey._083=# encryption cert.
+op.enroll.userKey._084=# * RecoverLast - Recover the most
+op.enroll.userKey._085=# recent cert for the
+op.enroll.userKey._086=# encryption cert.
+op.enroll.userKey._087=# * GenerateNewKeyandRecoverLast - Generate new cert AND
+op.enroll.userKey._088=# recover last for
+op.enroll.userKey._089=# encryption cert.
+op.enroll.userKey._090=#########################################
+op.enroll.allowUnknownToken=true
+op.enroll.userKey.temporaryToken.tokenType=userKeyTemporary
+op.enroll.userKey.keyGen.recovery.destroyed.keyType.num=2
+op.enroll.userKey.keyGen.recovery.destroyed.keyType.value.0=signing
+op.enroll.userKey.keyGen.recovery.destroyed.keyType.value.1=encryption
+op.enroll.userKey.keyGen.signing.recovery.destroyed.scheme=GenerateNewKey
+op.enroll.userKey.keyGen.signing.recovery.destroyed.revokeCert=true
+op.enroll.userKey.keyGen.signing.recovery.destroyed.revokeCert.reason=0
+op.enroll.userKey.keyGen.encryption.recovery.destroyed.scheme=RecoverLast
+op.enroll.userKey.keyGen.encryption.recovery.destroyed.revokeCert=false
+op.enroll.userKey.keyGen.encryption.recovery.destroyed.revokeCert.reason=0
+op.enroll.userKey.keyGen.recovery.keyCompromise.keyType.num=2
+op.enroll.userKey.keyGen.recovery.keyCompromise.keyType.value.0=signing
+op.enroll.userKey.keyGen.recovery.keyCompromise.keyType.value.1=encryption
+op.enroll.userKey.keyGen.signing.recovery.keyCompromise.scheme=GenerateNewKey
+op.enroll.userKey.keyGen.signing.recovery.keyCompromise.revokeCert=true
+op.enroll.userKey.keyGen.signing.recovery.keyCompromise.revokeCert.reason=1
+op.enroll.userKey.keyGen.encryption.recovery.keyCompromise.scheme=GenerateNewKey
+op.enroll.userKey.keyGen.encryption.recovery.keyCompromise.revokeCert=true
+op.enroll.userKey.keyGen.encryption.recovery.keyCompromise.revokeCert.reason=1
+op.enroll.userKey.keyGen.recovery.onHold.keyType.num=2
+op.enroll.userKey.keyGen.recovery.onHold.keyType.value.0=signing
+op.enroll.userKey.keyGen.recovery.onHold.keyType.value.1=encryption
+op.enroll.userKey.keyGen.signing.recovery.onHold.scheme=GenerateNewKey
+op.enroll.userKey.keyGen.signing.recovery.onHold.revokeCert=true
+op.enroll.userKey.keyGen.signing.recovery.onHold.revokeCert.reason=6
+op.enroll.userKey.keyGen.encryption.recovery.onHold.scheme=GenerateNewKey
+op.enroll.userKey.keyGen.encryption.recovery.onHold.revokeCert=true
+op.enroll.userKey.keyGen.encryption.recovery.onHold.revokeCert.reason=6
+op.enroll.userKey.keyGen.tokenName=$auth.cn$
+op.enroll.userKey.keyGen.keyType.num=2
+op.enroll.userKey.keyGen.keyType.value.0=signing
+op.enroll.userKey.keyGen.keyType.value.1=encryption
+op.enroll.userKey.keyGen.signing.keySize=1024
+op.enroll.userKey.keyGen.signing.public.keyCapabilities.encrypt=false
+op.enroll.userKey.keyGen.signing.public.keyCapabilities.sign=false
+op.enroll.userKey.keyGen.signing.public.keyCapabilities.signRecover=false
+op.enroll.userKey.keyGen.signing.public.keyCapabilities.decrypt=false
+op.enroll.userKey.keyGen.signing.public.keyCapabilities.derive=false
+op.enroll.userKey.keyGen.signing.public.keyCapabilities.unwrap=false
+op.enroll.userKey.keyGen.signing.public.keyCapabilities.wrap=false
+op.enroll.userKey.keyGen.signing.public.keyCapabilities.verifyRecover=true
+op.enroll.userKey.keyGen.signing.public.keyCapabilities.verify=true
+op.enroll.userKey.keyGen.signing.public.keyCapabilities.sensitive=false
+op.enroll.userKey.keyGen.signing.public.keyCapabilities.private=false
+op.enroll.userKey.keyGen.signing.public.keyCapabilities.token=true
+op.enroll.userKey.keyGen.signing.private.keyCapabilities.encrypt=false
+op.enroll.userKey.keyGen.signing.private.keyCapabilities.sign=true
+op.enroll.userKey.keyGen.signing.private.keyCapabilities.signRecover=true
+op.enroll.userKey.keyGen.signing.private.keyCapabilities.decrypt=false
+op.enroll.userKey.keyGen.signing.private.keyCapabilities.derive=false
+op.enroll.userKey.keyGen.signing.private.keyCapabilities.unwrap=false
+op.enroll.userKey.keyGen.signing.private.keyCapabilities.wrap=false
+op.enroll.userKey.keyGen.signing.private.keyCapabilities.verifyRecover=false
+op.enroll.userKey.keyGen.signing.private.keyCapabilities.verify=false
+op.enroll.userKey.keyGen.signing.private.keyCapabilities.sensitive=true
+op.enroll.userKey.keyGen.signing.private.keyCapabilities.private=true
+op.enroll.userKey.keyGen.signing.private.keyCapabilities.token=true
+op.enroll.userKey.keyGen.signing.label=signing key for $userid$
+op.enroll.userKey.keyGen.signing.cuid_label=$cuid$
+op.enroll.userKey.keyGen.signing.overwrite=true
+op.enroll.userKey.keyGen.signing.certId=C1
+op.enroll.userKey.keyGen.signing.certAttrId=c1
+op.enroll.userKey.keyGen.signing.privateKeyAttrId=k2
+op.enroll.userKey.keyGen.signing.publicKeyAttrId=k3
+op.enroll.userKey.keyGen.signing.keyUsage=0
+op.enroll.userKey.keyGen.signing.keyUser=0
+op.enroll.userKey.keyGen.signing.privateKeyNumber=2
+op.enroll.userKey.keyGen.signing.publicKeyNumber=3
+op.enroll.userKey.keyGen.signing.ca.profileId=caTokenUserSigningKeyEnrollment
+op.enroll.userKey.keyGen.signing.ca.conn=ca1
+op.enroll.userKey._079=#op.enroll.userKey.keyGen.signing.publisherId=fileBasedPublisher
+op.enroll.userKey.keyGen.encryption.keySize=1024
+op.enroll.userKey.keyGen.encryption.public.keyCapabilities.encrypt=true
+op.enroll.userKey.keyGen.encryption.public.keyCapabilities.sign=false
+op.enroll.userKey.keyGen.encryption.public.keyCapabilities.signRecover=false
+op.enroll.userKey.keyGen.encryption.public.keyCapabilities.decrypt=false
+op.enroll.userKey.keyGen.encryption.public.keyCapabilities.derive=false
+op.enroll.userKey.keyGen.encryption.public.keyCapabilities.unwrap=false
+op.enroll.userKey.keyGen.encryption.public.keyCapabilities.wrap=true
+op.enroll.userKey.keyGen.encryption.public.keyCapabilities.verifyRecover=false
+op.enroll.userKey.keyGen.encryption.public.keyCapabilities.verify=false
+op.enroll.userKey.keyGen.encryption.public.keyCapabilities.sensitive=false
+op.enroll.userKey.keyGen.encryption.public.keyCapabilities.private=false
+op.enroll.userKey.keyGen.encryption.public.keyCapabilities.token=true
+op.enroll.userKey.keyGen.encryption.private.keyCapabilities.encrypt=false
+op.enroll.userKey.keyGen.encryption.private.keyCapabilities.sign=false
+op.enroll.userKey.keyGen.encryption.private.keyCapabilities.signRecover=false
+op.enroll.userKey.keyGen.encryption.private.keyCapabilities.decrypt=true
+op.enroll.userKey.keyGen.encryption.private.keyCapabilities.derive=false
+op.enroll.userKey.keyGen.encryption.private.keyCapabilities.unwrap=true
+op.enroll.userKey.keyGen.encryption.private.keyCapabilities.wrap=false
+op.enroll.userKey.keyGen.encryption.private.keyCapabilities.verifyRecover=false
+op.enroll.userKey.keyGen.encryption.private.keyCapabilities.verify=false
+op.enroll.userKey.keyGen.encryption.private.keyCapabilities.sensitive=true
+op.enroll.userKey.keyGen.encryption.private.keyCapabilities.private=true
+op.enroll.userKey.keyGen.encryption.private.keyCapabilities.token=true
+op.enroll.userKey.keyGen.encryption.label=encryption key for $userid$
+op.enroll.userKey.keyGen.encryption.cuid_label=$cuid$
+op.enroll.userKey.keyGen.encryption.overwrite=true
+op.enroll.userKey.keyGen.encryption.certId=C2
+op.enroll.userKey.keyGen.encryption.certAttrId=c2
+op.enroll.userKey.keyGen.encryption.privateKeyAttrId=k4
+op.enroll.userKey.keyGen.encryption.publicKeyAttrId=k5
+op.enroll.userKey.keyGen.encryption.keyUsage=0
+op.enroll.userKey.keyGen.encryption.keyUser=0
+op.enroll.userKey.keyGen.encryption.privateKeyNumber=4
+op.enroll.userKey.keyGen.encryption.publicKeyNumber=5
+op.enroll.userKey.keyGen.encryption.ca.profileId=caTokenUserEncryptionKeyEnrollment
+op.enroll.userKey.keyGen.encryption.ca.conn=ca1
+op.enroll.userKey.pkcs11obj.enable=true
+op.enroll.userKey.pkcs11obj.compress.enable=true
+op.enroll.userKey.update.applet.emptyToken.enable=true
+op.enroll.userKey.update.applet.enable=true
+op.enroll.userKey.update.applet.requiredVersion=1.4.4d40a449
+op.enroll.userKey.update.applet.directory=[TPS_DIR]/applets
+op.enroll.userKey.update.applet.encryption=true
+op.enroll.userKey.update.symmetricKeys.enable=false
+op.enroll.userKey.update.symmetricKeys.requiredVersion=1
+op.enroll.userKey.loginRequest.enable=true
+op.enroll.userKey.pinReset.enable=true
+op.enroll.userKey.pinReset.pin.maxRetries=127
+op.enroll.userKey.pinReset.pin.minLen=4
+op.enroll.userKey.pinReset.pin.maxLen=10
+op.enroll.userKey.cardmgr_instance=A0000000030000
+op.enroll.userKey.tks.conn=tks1
+op.enroll.userKey.auth.id=ldap1
+op.enroll.userKey.auth.enable=true
+op.enroll.userKey.issuerinfo.enable=true
+op.enroll.userKey.issuerinfo.value=http://[PKI_HOSTNAME]:[PKI_UNSECURE_PORT]/cgi-bin/home/index.cgi
+op.enroll.userKeyTemporary.keyGen.recovery.onHold.keyType.num=2
+op.enroll.userKeyTemporary.keyGen.recovery.onHold.keyType.value.0=signing
+op.enroll.userKeyTemporary.keyGen.recovery.onHold.keyType.value.1=encryption
+op.enroll.userKeyTemporary.keyGen.signing.recovery.onHold.scheme=GenerateNewKey
+op.enroll.userKeyTemporary.keyGen.signing.recovery.onHold.revokeCert=true
+op.enroll.userKeyTemporary.keyGen.signing.recovery.onHold.revokeCert.reason=0
+op.enroll.userKeyTemporary.keyGen.encryption.recovery.onHold.scheme=RecoverLast
+op.enroll.userKeyTemporary.keyGen.encryption.recovery.onHold.revokeCert=true
+op.enroll.userKeyTemporary.keyGen.encryption.recovery.onHold.revokeCert.reason=0
+op.enroll.userKey.keyGen.encryption.serverKeygen.enable=[SERVER_KEYGEN]
+op.enroll.userKey.keyGen.encryption.serverKeygen.drm.conn=drm1
+op.enroll.userKey.keyGen.encryption.serverKeygen.archive=true
+op.enroll.userKeyTemporary.keyGen.encryption.serverKeygen.enable=true
+op.enroll.userKeyTemporary.keyGen.encryption.serverKeygen.drm.conn=drm1
+op.enroll.userKeyTemporary.keyGen.encryption.serverKeygen.archive=true
+op.enroll.userKeyTemporary.keyGen.tokenName=$auth.cn$ (Temporary)
+op.enroll.userKeyTemporary.keyGen.keyType.num=3
+op.enroll.userKeyTemporary.keyGen.keyType.value.0=auth
+op.enroll.userKeyTemporary.keyGen.keyType.value.1=signing
+op.enroll.userKeyTemporary.keyGen.keyType.value.2=encryption
+op.enroll.userKeyTemporary.keyGen.auth.keySize=1024
+op.enroll.userKeyTemporary.keyGen.auth.public.keyCapabilities.encrypt=false
+op.enroll.userKeyTemporary.keyGen.auth.public.keyCapabilities.sign=true
+op.enroll.userKeyTemporary.keyGen.auth.public.keyCapabilities.signRecover=true
+op.enroll.userKeyTemporary.keyGen.auth.public.keyCapabilities.decrypt=false
+op.enroll.userKeyTemporary.keyGen.auth.public.keyCapabilities.derive=false
+op.enroll.userKeyTemporary.keyGen.auth.public.keyCapabilities.unwrap=false
+op.enroll.userKeyTemporary.keyGen.auth.public.keyCapabilities.wrap=false
+op.enroll.userKeyTemporary.keyGen.auth.public.keyCapabilities.verifyRecover=true
+op.enroll.userKeyTemporary.keyGen.auth.public.keyCapabilities.verify=true
+op.enroll.userKeyTemporary.keyGen.auth.public.keyCapabilities.sensitive=true
+op.enroll.userKeyTemporary.keyGen.auth.public.keyCapabilities.private=false
+op.enroll.userKeyTemporary.keyGen.auth.public.keyCapabilities.token=true
+op.enroll.userKeyTemporary.keyGen.auth.private.keyCapabilities.encrypt=false
+op.enroll.userKeyTemporary.keyGen.auth.private.keyCapabilities.sign=true
+op.enroll.userKeyTemporary.keyGen.auth.private.keyCapabilities.signRecover=true
+op.enroll.userKeyTemporary.keyGen.auth.private.keyCapabilities.decrypt=false
+op.enroll.userKeyTemporary.keyGen.auth.private.keyCapabilities.derive=false
+op.enroll.userKeyTemporary.keyGen.auth.private.keyCapabilities.unwrap=false
+op.enroll.userKeyTemporary.keyGen.auth.private.keyCapabilities.wrap=false
+op.enroll.userKeyTemporary.keyGen.auth.private.keyCapabilities.verifyRecover=true
+op.enroll.userKeyTemporary.keyGen.auth.private.keyCapabilities.verify=true
+op.enroll.userKeyTemporary.keyGen.auth.private.keyCapabilities.sensitive=true
+op.enroll.userKeyTemporary.keyGen.auth.private.keyCapabilities.private=false
+op.enroll.userKeyTemporary.keyGen.auth.private.keyCapabilities.token=true
+op.enroll.userKeyTemporary.keyGen.auth.label=Temporary Key for $userid$
+op.enroll.userKeyTemporary.keyGen.auth.cuid_label=$cuid$
+op.enroll.userKeyTemporary.keyGen.auth.overwrite=false
+op.enroll.userKeyTemporary.keyGen.auth.certId=C0
+op.enroll.userKeyTemporary.keyGen.auth.certAttrId=c0
+op.enroll.userKeyTemporary.keyGen.auth.privateKeyAttrId=k0
+op.enroll.userKeyTemporary.keyGen.auth.publicKeyAttrId=k1
+op.enroll.userKeyTemporary.keyGen.auth.keyUsage=0
+op.enroll.userKeyTemporary.keyGen.auth.keyUser=15
+op.enroll.userKeyTemporary.keyGen.auth.privateKeyNumber=0
+op.enroll.userKeyTemporary.keyGen.auth.publicKeyNumber=1
+op.enroll.userKeyTemporary.keyGen.auth.ca.profileId=caTempTokenDeviceKeyEnrollment
+op.enroll.userKeyTemporary.keyGen.auth.ca.conn=ca1
+op.enroll.userKeyTemporary.keyGen.signing.keySize=1024
+op.enroll.userKeyTemporary.keyGen.signing.public.keyCapabilities.encrypt=false
+op.enroll.userKeyTemporary.keyGen.signing.public.keyCapabilities.sign=false
+op.enroll.userKeyTemporary.keyGen.signing.public.keyCapabilities.signRecover=false
+op.enroll.userKeyTemporary.keyGen.signing.public.keyCapabilities.decrypt=false
+op.enroll.userKeyTemporary.keyGen.signing.public.keyCapabilities.derive=false
+op.enroll.userKeyTemporary.keyGen.signing.public.keyCapabilities.unwrap=false
+op.enroll.userKeyTemporary.keyGen.signing.public.keyCapabilities.wrap=false
+op.enroll.userKeyTemporary.keyGen.signing.public.keyCapabilities.verifyRecover=true
+op.enroll.userKeyTemporary.keyGen.signing.public.keyCapabilities.verify=true
+op.enroll.userKeyTemporary.keyGen.signing.public.keyCapabilities.sensitive=false
+op.enroll.userKeyTemporary.keyGen.signing.public.keyCapabilities.private=false
+op.enroll.userKeyTemporary.keyGen.signing.public.keyCapabilities.token=true
+op.enroll.userKeyTemporary.keyGen.signing.private.keyCapabilities.encrypt=false
+op.enroll.userKeyTemporary.keyGen.signing.private.keyCapabilities.sign=true
+op.enroll.userKeyTemporary.keyGen.signing.private.keyCapabilities.signRecover=true
+op.enroll.userKeyTemporary.keyGen.signing.private.keyCapabilities.decrypt=false
+op.enroll.userKeyTemporary.keyGen.signing.private.keyCapabilities.derive=false
+op.enroll.userKeyTemporary.keyGen.signing.private.keyCapabilities.unwrap=false
+op.enroll.userKeyTemporary.keyGen.signing.private.keyCapabilities.wrap=false
+op.enroll.userKeyTemporary.keyGen.signing.private.keyCapabilities.verifyRecover=false
+op.enroll.userKeyTemporary.keyGen.signing.private.keyCapabilities.verify=false
+op.enroll.userKeyTemporary.keyGen.signing.private.keyCapabilities.sensitive=true
+op.enroll.userKeyTemporary.keyGen.signing.private.keyCapabilities.private=true
+op.enroll.userKeyTemporary.keyGen.signing.private.keyCapabilities.token=true
+op.enroll.userKeyTemporary.keyGen.signing.label=signing key for $userid$
+op.enroll.userKeyTemporary.keyGen.signing.cuid_label=$cuid$
+op.enroll.userKeyTemporary.keyGen.signing.overwrite=true
+op.enroll.userKeyTemporary.keyGen.signing.certId=C1
+op.enroll.userKeyTemporary.keyGen.signing.certAttrId=c1
+op.enroll.userKeyTemporary.keyGen.signing.privateKeyAttrId=k2
+op.enroll.userKeyTemporary.keyGen.signing.publicKeyAttrId=k3
+op.enroll.userKeyTemporary.keyGen.signing.keyUsage=0
+op.enroll.userKeyTemporary.keyGen.signing.keyUser=0
+op.enroll.userKeyTemporary.keyGen.signing.privateKeyNumber=2
+op.enroll.userKeyTemporary.keyGen.signing.publicKeyNumber=3
+op.enroll.userKeyTemporary.keyGen.signing.ca.profileId=caTempTokenUserSigningKeyEnrollment
+op.enroll.userKeyTemporary.keyGen.signing.ca.conn=ca1
+op.enroll.userKey._080=#op.enroll.userKeyTemporary.keyGen.signing.publisherId=fileBasedPublisher
+op.enroll.userKeyTemporary.keyGen.encryption.keySize=1024
+op.enroll.userKeyTemporary.keyGen.encryption.public.keyCapabilities.encrypt=true
+op.enroll.userKeyTemporary.keyGen.encryption.public.keyCapabilities.sign=false
+op.enroll.userKeyTemporary.keyGen.encryption.public.keyCapabilities.signRecover=false
+op.enroll.userKeyTemporary.keyGen.encryption.public.keyCapabilities.decrypt=false
+op.enroll.userKeyTemporary.keyGen.encryption.public.keyCapabilities.derive=false
+op.enroll.userKeyTemporary.keyGen.encryption.public.keyCapabilities.unwrap=false
+op.enroll.userKeyTemporary.keyGen.encryption.public.keyCapabilities.wrap=true
+op.enroll.userKeyTemporary.keyGen.encryption.public.keyCapabilities.verifyRecover=false
+op.enroll.userKeyTemporary.keyGen.encryption.public.keyCapabilities.verify=false
+op.enroll.userKeyTemporary.keyGen.encryption.public.keyCapabilities.sensitive=false
+op.enroll.userKeyTemporary.keyGen.encryption.public.keyCapabilities.private=false
+op.enroll.userKeyTemporary.keyGen.encryption.public.keyCapabilities.token=true
+op.enroll.userKeyTemporary.keyGen.encryption.private.keyCapabilities.encrypt=false
+op.enroll.userKeyTemporary.keyGen.encryption.private.keyCapabilities.sign=false
+op.enroll.userKeyTemporary.keyGen.encryption.private.keyCapabilities.signRecover=false
+op.enroll.userKeyTemporary.keyGen.encryption.private.keyCapabilities.decrypt=true
+op.enroll.userKeyTemporary.keyGen.encryption.private.keyCapabilities.derive=false
+op.enroll.userKeyTemporary.keyGen.encryption.private.keyCapabilities.unwrap=true
+op.enroll.userKeyTemporary.keyGen.encryption.private.keyCapabilities.wrap=false
+op.enroll.userKeyTemporary.keyGen.encryption.private.keyCapabilities.verifyRecover=false
+op.enroll.userKeyTemporary.keyGen.encryption.private.keyCapabilities.verify=false
+op.enroll.userKeyTemporary.keyGen.encryption.private.keyCapabilities.sensitive=true
+op.enroll.userKeyTemporary.keyGen.encryption.private.keyCapabilities.private=true
+op.enroll.userKeyTemporary.keyGen.encryption.private.keyCapabilities.token=true
+op.enroll.userKeyTemporary.keyGen.encryption.label=encryption key for $userid$
+op.enroll.userKeyTemporary.keyGen.encryption.cuid_label=$cuid$
+op.enroll.userKeyTemporary.keyGen.encryption.overwrite=true
+op.enroll.userKeyTemporary.keyGen.encryption.certId=C2
+op.enroll.userKeyTemporary.keyGen.encryption.certAttrId=c2
+op.enroll.userKeyTemporary.keyGen.encryption.privateKeyAttrId=k4
+op.enroll.userKeyTemporary.keyGen.encryption.publicKeyAttrId=k5
+op.enroll.userKeyTemporary.keyGen.encryption.keyUsage=0
+op.enroll.userKeyTemporary.keyGen.encryption.keyUser=0
+op.enroll.userKeyTemporary.keyGen.encryption.privateKeyNumber=4
+op.enroll.userKeyTemporary.keyGen.encryption.publicKeyNumber=5
+op.enroll.userKeyTemporary.keyGen.encryption.ca.profileId=caTempTokenUserEncryptionKeyEnrollment
+op.enroll.userKeyTemporary.keyGen.encryption.ca.conn=ca1
+op.enroll.userKeyTemporary.pkcs11obj.enable=true
+op.enroll.userKeyTemporary.pkcs11obj.compress.enable=true
+op.enroll.userKeyTemporary.update.applet.emptyToken.enable=true
+op.enroll.userKeyTemporary.update.applet.enable=true
+op.enroll.userKeyTemporary.update.applet.requiredVersion=1.4.4d40a449
+op.enroll.userKeyTemporary.update.applet.directory=[TPS_DIR]/applets
+op.enroll.userKeyTemporary.update.applet.encryption=true
+op.enroll.userKeyTemporary.update.symmetricKeys.enable=false
+op.enroll.userKeyTemporary.update.symmetricKeys.requiredVersion=1
+op.enroll.userKeyTemporary.loginRequest.enable=true
+op.enroll.userKeyTemporary.pinReset.enable=true
+op.enroll.userKeyTemporary.pinReset.pin.maxRetries=127
+op.enroll.userKeyTemporary.pinReset.pin.minLen=4
+op.enroll.userKeyTemporary.pinReset.pin.maxLen=10
+op.enroll.userKeyTemporary.tks.conn=tks1
+op.enroll.userKeyTemporary.cardmgr_instance=A0000000030000
+op.enroll.userKeyTemporary.auth.id=ldap1
+op.enroll.userKeyTemporary.auth.enable=true
+op.enroll.userKey.renewal._000=#########################################
+op.enroll.userKey.renewal._001=# Token Renewal.
+op.enroll.userKey.renewal._002=#
+op.enroll.userKey.renewal._003=# For each token in TPS UI, set the
+op.enroll.userKey.renewal._004=# following to trigger renewal
+op.enroll.userKey.renewal._005=# operations:
+op.enroll.userKey.renewal._006=#
+op.enroll.userKey.renewal._007=# RENEW=YES
+op.enroll.userKey.renewal._008=#
+op.enroll.userKey.renewal._009=# Optional grace period enforcement
+op.enroll.userKey.renewal._010=# must coincide exactly with what
+op.enroll.userKey.renewal._011=# the CA enforces.
+op.enroll.userKey.renewal._012=#
+op.enroll.userKey.renewal._013=# In case of renewal, encryption certId
+op.enroll.userKey.renewal._014=# values are for completeness only, server
+op.enroll.userKey.renewal._015=# code calculates actual values used.
+op.enroll.userKey.renewal._016=#
+op.enroll.userKey.renewal._017=#########################################
+op.enroll.userKey.renewal.keyType.num=2
+op.enroll.userKey.renewal.keyType.value.0=signing
+op.enroll.userKey.renewal.keyType.value.1=encryption
+op.enroll.userKey.renewal.signing.enable=true
+op.enroll.userKey.renewal.signing.gracePeriod.enable=false
+op.enroll.userKey.renewal.signing.gracePeriod.before=30
+op.enroll.userKey.renewal.signing.gracePeriod.after=30
+op.enroll.userKey.renewal.signing.certId=C1
+op.enroll.userKey.renewal.encryption.certId=C2
+op.enroll.userKey.renewal.signing.certAttrId=c1
+op.enroll.userKey.renewal.encryption.certAttrId=c2
+op.enroll.userKey.renewal.encryption.enable=true
+op.enroll.userKey.renewal.encryption.gracePeriod.enable=false
+op.enroll.userKey.renewal.encryption.gracePeriod.before=30
+op.enroll.userKey.renewal.encryption.gracePeriod.after=30
+op.enroll.userKey.renewal.signing.ca.conn=ca1
+op.enroll.userKey.renewal.encryption.ca.conn=ca1
+op.enroll.userKey.renewal.signing.ca.profileId=caTokenUserSigningKeyRenewal
+op.enroll.userKey.renewal.encryption.ca.profileId=caTokenUserEncryptionKeyRenewal
+op.enroll.soKey.temporaryToken.tokenType=soKeyTemporary
+op.enroll.soKey.keyGen.recovery.destroyed.keyType.num=2
+op.enroll.soKey.keyGen.recovery.destroyed.keyType.value.0=signing
+op.enroll.soKey.keyGen.recovery.destroyed.keyType.value.1=encryption
+op.enroll.soKey.keyGen.signing.recovery.destroyed.scheme=GenerateNewKey
+op.enroll.soKey.keyGen.signing.recovery.destroyed.revokeCert=true
+op.enroll.soKey.keyGen.signing.recovery.destroyed.revokeCert.reason=0
+op.enroll.soKey.keyGen.encryption.recovery.destroyed.scheme=RecoverLast
+op.enroll.soKey.keyGen.encryption.recovery.destroyed.revokeCert=false
+op.enroll.soKey.keyGen.encryption.recovery.destroyed.revokeCert.reason=0
+op.enroll.soKey.keyGen.recovery.keyCompromise.keyType.num=2
+op.enroll.soKey.keyGen.recovery.keyCompromise.keyType.value.0=signing
+op.enroll.soKey.keyGen.recovery.keyCompromise.keyType.value.1=encryption
+op.enroll.soKey.keyGen.signing.recovery.keyCompromise.scheme=GenerateNewKey
+op.enroll.soKey.keyGen.signing.recovery.keyCompromise.revokeCert=true
+op.enroll.soKey.keyGen.signing.recovery.keyCompromise.revokeCert.reason=1
+op.enroll.soKey.keyGen.encryption.recovery.keyCompromise.scheme=GenerateNewKey
+op.enroll.soKey.keyGen.encryption.recovery.keyCompromise.revokeCert=true
+op.enroll.soKey.keyGen.encryption.recovery.keyCompromise.revokeCert.reason=1
+op.enroll.soKey.keyGen.recovery.onHold.keyType.num=2
+op.enroll.soKey.keyGen.recovery.onHold.keyType.value.0=signing
+op.enroll.soKey.keyGen.recovery.onHold.keyType.value.1=encryption
+op.enroll.soKey.keyGen.signing.recovery.onHold.scheme=GenerateNewKey
+op.enroll.soKey.keyGen.signing.recovery.onHold.revokeCert=true
+op.enroll.soKey.keyGen.signing.recovery.onHold.revokeCert.reason=6
+op.enroll.soKey.keyGen.encryption.recovery.onHold.scheme=GenerateNewKey
+op.enroll.soKey.keyGen.encryption.recovery.onHold.revokeCert=true
+op.enroll.soKey.keyGen.encryption.recovery.onHold.revokeCert.reason=6
+op.enroll.soKey.keyGen.tokenName=$auth.cn$
+op.enroll.soKey.keyGen.keyType.num=2
+op.enroll.soKey.keyGen.keyType.value.0=signing
+op.enroll.soKey.keyGen.keyType.value.1=encryption
+op.enroll.soKey.keyGen.signing.keySize=1024
+op.enroll.soKey.keyGen.signing.public.keyCapabilities.encrypt=false
+op.enroll.soKey.keyGen.signing.public.keyCapabilities.sign=false
+op.enroll.soKey.keyGen.signing.public.keyCapabilities.signRecover=false
+op.enroll.soKey.keyGen.signing.public.keyCapabilities.decrypt=false
+op.enroll.soKey.keyGen.signing.public.keyCapabilities.derive=false
+op.enroll.soKey.keyGen.signing.public.keyCapabilities.unwrap=false
+op.enroll.soKey.keyGen.signing.public.keyCapabilities.wrap=false
+op.enroll.soKey.keyGen.signing.public.keyCapabilities.verifyRecover=true
+op.enroll.soKey.keyGen.signing.public.keyCapabilities.verify=true
+op.enroll.soKey.keyGen.signing.public.keyCapabilities.sensitive=false
+op.enroll.soKey.keyGen.signing.public.keyCapabilities.private=false
+op.enroll.soKey.keyGen.signing.public.keyCapabilities.token=true
+op.enroll.soKey.keyGen.signing.private.keyCapabilities.encrypt=false
+op.enroll.soKey.keyGen.signing.private.keyCapabilities.sign=true
+op.enroll.soKey.keyGen.signing.private.keyCapabilities.signRecover=true
+op.enroll.soKey.keyGen.signing.private.keyCapabilities.decrypt=false
+op.enroll.soKey.keyGen.signing.private.keyCapabilities.derive=false
+op.enroll.soKey.keyGen.signing.private.keyCapabilities.unwrap=false
+op.enroll.soKey.keyGen.signing.private.keyCapabilities.wrap=false
+op.enroll.soKey.keyGen.signing.private.keyCapabilities.verifyRecover=false
+op.enroll.soKey.keyGen.signing.private.keyCapabilities.verify=false
+op.enroll.soKey.keyGen.signing.private.keyCapabilities.sensitive=true
+op.enroll.soKey.keyGen.signing.private.keyCapabilities.private=true
+op.enroll.soKey.keyGen.signing.private.keyCapabilities.token=true
+op.enroll.soKey.keyGen.signing.label=signing key for $userid$
+op.enroll.soKey.keyGen.signing.cuid_label=$cuid$
+op.enroll.soKey.keyGen.signing.overwrite=true
+op.enroll.soKey.keyGen.signing.certId=C1
+op.enroll.soKey.keyGen.signing.certAttrId=c1
+op.enroll.soKey.keyGen.signing.privateKeyAttrId=k2
+op.enroll.soKey.keyGen.signing.publicKeyAttrId=k3
+op.enroll.soKey.keyGen.signing.keyUsage=0
+op.enroll.soKey.keyGen.signing.keyUser=0
+op.enroll.soKey.keyGen.signing.privateKeyNumber=2
+op.enroll.soKey.keyGen.signing.publicKeyNumber=3
+op.enroll.soKey.keyGen.signing.ca.profileId=caTokenUserSigningKeyEnrollment
+op.enroll.soKey.keyGen.signing.ca.conn=ca1
+op.enroll.soKey._079=#op.enroll.userKey.keyGen.signing.publisherId=fileBasedPublisher
+op.enroll.soKey.keyGen.encryption.keySize=1024
+op.enroll.soKey.keyGen.encryption.public.keyCapabilities.encrypt=true
+op.enroll.soKey.keyGen.encryption.public.keyCapabilities.sign=false
+op.enroll.soKey.keyGen.encryption.public.keyCapabilities.signRecover=false
+op.enroll.soKey.keyGen.encryption.public.keyCapabilities.decrypt=false
+op.enroll.soKey.keyGen.encryption.public.keyCapabilities.derive=false
+op.enroll.soKey.keyGen.encryption.public.keyCapabilities.unwrap=false
+op.enroll.soKey.keyGen.encryption.public.keyCapabilities.wrap=true
+op.enroll.soKey.keyGen.encryption.public.keyCapabilities.verifyRecover=false
+op.enroll.soKey.keyGen.encryption.public.keyCapabilities.verify=false
+op.enroll.soKey.keyGen.encryption.public.keyCapabilities.sensitive=false
+op.enroll.soKey.keyGen.encryption.public.keyCapabilities.private=false
+op.enroll.soKey.keyGen.encryption.public.keyCapabilities.token=true
+op.enroll.soKey.keyGen.encryption.private.keyCapabilities.encrypt=false
+op.enroll.soKey.keyGen.encryption.private.keyCapabilities.sign=false
+op.enroll.soKey.keyGen.encryption.private.keyCapabilities.signRecover=false
+op.enroll.soKey.keyGen.encryption.private.keyCapabilities.decrypt=true
+op.enroll.soKey.keyGen.encryption.private.keyCapabilities.derive=false
+op.enroll.soKey.keyGen.encryption.private.keyCapabilities.unwrap=true
+op.enroll.soKey.keyGen.encryption.private.keyCapabilities.wrap=false
+op.enroll.soKey.keyGen.encryption.private.keyCapabilities.verifyRecover=false
+op.enroll.soKey.keyGen.encryption.private.keyCapabilities.verify=false
+op.enroll.soKey.keyGen.encryption.private.keyCapabilities.sensitive=true
+op.enroll.soKey.keyGen.encryption.private.keyCapabilities.private=true
+op.enroll.soKey.keyGen.encryption.private.keyCapabilities.token=true
+op.enroll.soKey.keyGen.encryption.label=encryption key for $userid$
+op.enroll.soKey.keyGen.encryption.cuid_label=$cuid$
+op.enroll.soKey.keyGen.encryption.overwrite=true
+op.enroll.soKey.keyGen.encryption.certId=C2
+op.enroll.soKey.keyGen.encryption.certAttrId=c2
+op.enroll.soKey.keyGen.encryption.privateKeyAttrId=k4
+op.enroll.soKey.keyGen.encryption.publicKeyAttrId=k5
+op.enroll.soKey.keyGen.encryption.keyUsage=0
+op.enroll.soKey.keyGen.encryption.keyUser=0
+op.enroll.soKey.keyGen.encryption.privateKeyNumber=4
+op.enroll.soKey.keyGen.encryption.publicKeyNumber=5
+op.enroll.soKey.keyGen.encryption.ca.profileId=caTokenUserEncryptionKeyEnrollment
+op.enroll.soKey.keyGen.encryption.ca.conn=ca1
+op.enroll.soKey.pkcs11obj.enable=true
+op.enroll.soKey.pkcs11obj.compress.enable=true
+op.enroll.soKey.update.applet.emptyToken.enable=true
+op.enroll.soKey.update.applet.enable=true
+op.enroll.soKey.update.applet.requiredVersion=1.4.4d40a449
+op.enroll.soKey.update.applet.directory=[TPS_DIR]/applets
+op.enroll.soKey.update.applet.encryption=true
+op.enroll.soKey.update.symmetricKeys.enable=false
+op.enroll.soKey.update.symmetricKeys.requiredVersion=1
+op.enroll.soKey.loginRequest.enable=true
+op.enroll.soKey.pinReset.enable=true
+op.enroll.soKey.pinReset.pin.maxRetries=127
+op.enroll.soKey.pinReset.pin.minLen=4
+op.enroll.soKey.pinReset.pin.maxLen=10
+op.enroll.soKey.cardmgr_instance=A0000000030000
+op.enroll.soKey.tks.conn=tks1
+op.enroll.soKey.auth.id=ldap2
+op.enroll.soKey.auth.enable=true
+op.enroll.soKey.issuerinfo.enable=true
+op.enroll.soKey.issuerinfo.value=http://[PKI_HOSTNAME]:[PKI_UNSECURE_PORT]/cgi-bin/so/index.cgi
+op.enroll.soKeyTemporary.keyGen.recovery.onHold.keyType.num=2
+op.enroll.soKeyTemporary.keyGen.recovery.onHold.keyType.value.0=signing
+op.enroll.soKeyTemporary.keyGen.recovery.onHold.keyType.value.1=encryption
+op.enroll.soKeyTemporary.keyGen.signing.recovery.onHold.scheme=GenerateNewKey
+op.enroll.soKeyTemporary.keyGen.signing.recovery.onHold.revokeCert=true
+op.enroll.soKeyTemporary.keyGen.signing.recovery.onHold.revokeCert.reason=0
+op.enroll.soKeyTemporary.keyGen.encryption.recovery.onHold.scheme=RecoverLast
+op.enroll.soKeyTemporary.keyGen.encryption.recovery.onHold.revokeCert=true
+op.enroll.soKeyTemporary.keyGen.encryption.recovery.onHold.revokeCert.reason=0
+op.enroll.soKey.keyGen.encryption.serverKeygen.enable=[SERVER_KEYGEN]
+op.enroll.soKey.keyGen.encryption.serverKeygen.drm.conn=drm1
+op.enroll.soKey.keyGen.encryption.serverKeygen.archive=true
+op.enroll.soKeyTemporary.keyGen.encryption.serverKeygen.enable=true
+op.enroll.soKeyTemporary.keyGen.encryption.serverKeygen.drm.conn=drm1
+op.enroll.soKeyTemporary.keyGen.encryption.serverKeygen.archive=true
+op.enroll.soKeyTemporary.keyGen.tokenName=$auth.cn$ (Temporary)
+op.enroll.soKeyTemporary.keyGen.keyType.num=3
+op.enroll.soKeyTemporary.keyGen.keyType.value.0=auth
+op.enroll.soKeyTemporary.keyGen.keyType.value.1=signing
+op.enroll.soKeyTemporary.keyGen.keyType.value.2=encryption
+op.enroll.soKeyTemporary.keyGen.auth.keySize=1024
+op.enroll.soKeyTemporary.keyGen.auth.public.keyCapabilities.encrypt=false
+op.enroll.soKeyTemporary.keyGen.auth.public.keyCapabilities.sign=true
+op.enroll.soKeyTemporary.keyGen.auth.public.keyCapabilities.signRecover=true
+op.enroll.soKeyTemporary.keyGen.auth.public.keyCapabilities.decrypt=false
+op.enroll.soKeyTemporary.keyGen.auth.public.keyCapabilities.derive=false
+op.enroll.soKeyTemporary.keyGen.auth.public.keyCapabilities.unwrap=false
+op.enroll.soKeyTemporary.keyGen.auth.public.keyCapabilities.wrap=false
+op.enroll.soKeyTemporary.keyGen.auth.public.keyCapabilities.verifyRecover=true
+op.enroll.soKeyTemporary.keyGen.auth.public.keyCapabilities.verify=true
+op.enroll.soKeyTemporary.keyGen.auth.public.keyCapabilities.sensitive=true
+op.enroll.soKeyTemporary.keyGen.auth.public.keyCapabilities.private=false
+op.enroll.soKeyTemporary.keyGen.auth.public.keyCapabilities.token=true
+op.enroll.soKeyTemporary.keyGen.auth.private.keyCapabilities.encrypt=false
+op.enroll.soKeyTemporary.keyGen.auth.private.keyCapabilities.sign=true
+op.enroll.soKeyTemporary.keyGen.auth.private.keyCapabilities.signRecover=true
+op.enroll.soKeyTemporary.keyGen.auth.private.keyCapabilities.decrypt=false
+op.enroll.soKeyTemporary.keyGen.auth.private.keyCapabilities.derive=false
+op.enroll.soKeyTemporary.keyGen.auth.private.keyCapabilities.unwrap=false
+op.enroll.soKeyTemporary.keyGen.auth.private.keyCapabilities.wrap=false
+op.enroll.soKeyTemporary.keyGen.auth.private.keyCapabilities.verifyRecover=true
+op.enroll.soKeyTemporary.keyGen.auth.private.keyCapabilities.verify=true
+op.enroll.soKeyTemporary.keyGen.auth.private.keyCapabilities.sensitive=true
+op.enroll.soKeyTemporary.keyGen.auth.private.keyCapabilities.private=false
+op.enroll.soKeyTemporary.keyGen.auth.private.keyCapabilities.token=true
+op.enroll.soKeyTemporary.keyGen.auth.label=Temporary Key for $userid$
+op.enroll.soKeyTemporary.keyGen.auth.cuid_label=$cuid$
+op.enroll.soKeyTemporary.keyGen.auth.overwrite=false
+op.enroll.soKeyTemporary.keyGen.auth.certId=C0
+op.enroll.soKeyTemporary.keyGen.auth.certAttrId=c0
+op.enroll.soKeyTemporary.keyGen.auth.privateKeyAttrId=k0
+op.enroll.soKeyTemporary.keyGen.auth.publicKeyAttrId=k1
+op.enroll.soKeyTemporary.keyGen.auth.keyUsage=0
+op.enroll.soKeyTemporary.keyGen.auth.keyUser=15
+op.enroll.soKeyTemporary.keyGen.auth.privateKeyNumber=0
+op.enroll.soKeyTemporary.keyGen.auth.publicKeyNumber=1
+op.enroll.soKeyTemporary.keyGen.auth.ca.profileId=caTempTokenDeviceKeyEnrollment
+op.enroll.soKeyTemporary.keyGen.auth.ca.conn=ca1
+op.enroll.soKeyTemporary.keyGen.signing.keySize=1024
+op.enroll.soKeyTemporary.keyGen.signing.public.keyCapabilities.encrypt=false
+op.enroll.soKeyTemporary.keyGen.signing.public.keyCapabilities.sign=false
+op.enroll.soKeyTemporary.keyGen.signing.public.keyCapabilities.signRecover=false
+op.enroll.soKeyTemporary.keyGen.signing.public.keyCapabilities.decrypt=false
+op.enroll.soKeyTemporary.keyGen.signing.public.keyCapabilities.derive=false
+op.enroll.soKeyTemporary.keyGen.signing.public.keyCapabilities.unwrap=false
+op.enroll.soKeyTemporary.keyGen.signing.public.keyCapabilities.wrap=false
+op.enroll.soKeyTemporary.keyGen.signing.public.keyCapabilities.verifyRecover=true
+op.enroll.soKeyTemporary.keyGen.signing.public.keyCapabilities.verify=true
+op.enroll.soKeyTemporary.keyGen.signing.public.keyCapabilities.sensitive=false
+op.enroll.soKeyTemporary.keyGen.signing.public.keyCapabilities.private=false
+op.enroll.soKeyTemporary.keyGen.signing.public.keyCapabilities.token=true
+op.enroll.soKeyTemporary.keyGen.signing.private.keyCapabilities.encrypt=false
+op.enroll.soKeyTemporary.keyGen.signing.private.keyCapabilities.sign=true
+op.enroll.soKeyTemporary.keyGen.signing.private.keyCapabilities.signRecover=true
+op.enroll.soKeyTemporary.keyGen.signing.private.keyCapabilities.decrypt=false
+op.enroll.soKeyTemporary.keyGen.signing.private.keyCapabilities.derive=false
+op.enroll.soKeyTemporary.keyGen.signing.private.keyCapabilities.unwrap=false
+op.enroll.soKeyTemporary.keyGen.signing.private.keyCapabilities.wrap=false
+op.enroll.soKeyTemporary.keyGen.signing.private.keyCapabilities.verifyRecover=false
+op.enroll.soKeyTemporary.keyGen.signing.private.keyCapabilities.verify=false
+op.enroll.soKeyTemporary.keyGen.signing.private.keyCapabilities.sensitive=true
+op.enroll.soKeyTemporary.keyGen.signing.private.keyCapabilities.private=true
+op.enroll.soKeyTemporary.keyGen.signing.private.keyCapabilities.token=true
+op.enroll.soKeyTemporary.keyGen.signing.label=signing key for $userid$
+op.enroll.soKeyTemporary.keyGen.signing.cuid_label=$cuid$
+op.enroll.soKeyTemporary.keyGen.signing.overwrite=true
+op.enroll.soKeyTemporary.keyGen.signing.certId=C1
+op.enroll.soKeyTemporary.keyGen.signing.certAttrId=c1
+op.enroll.soKeyTemporary.keyGen.signing.privateKeyAttrId=k2
+op.enroll.soKeyTemporary.keyGen.signing.publicKeyAttrId=k3
+op.enroll.soKeyTemporary.keyGen.signing.keyUsage=0
+op.enroll.soKeyTemporary.keyGen.signing.keyUser=0
+op.enroll.soKeyTemporary.keyGen.signing.privateKeyNumber=2
+op.enroll.soKeyTemporary.keyGen.signing.publicKeyNumber=3
+op.enroll.soKeyTemporary.keyGen.signing.ca.profileId=caTempTokenUserSigningKeyEnrollment
+op.enroll.soKeyTemporary.keyGen.signing.ca.conn=ca1
+op.enroll.soKeyTemporary.keyGen.encryption.keySize=1024
+op.enroll.soKeyTemporary.keyGen.encryption.public.keyCapabilities.encrypt=true
+op.enroll.soKeyTemporary.keyGen.encryption.public.keyCapabilities.sign=false
+op.enroll.soKeyTemporary.keyGen.encryption.public.keyCapabilities.signRecover=false
+op.enroll.soKeyTemporary.keyGen.encryption.public.keyCapabilities.decrypt=false
+op.enroll.soKeyTemporary.keyGen.encryption.public.keyCapabilities.derive=false
+op.enroll.soKeyTemporary.keyGen.encryption.public.keyCapabilities.unwrap=false
+op.enroll.soKeyTemporary.keyGen.encryption.public.keyCapabilities.wrap=true
+op.enroll.soKeyTemporary.keyGen.encryption.public.keyCapabilities.verifyRecover=false
+op.enroll.soKeyTemporary.keyGen.encryption.public.keyCapabilities.verify=false
+op.enroll.soKeyTemporary.keyGen.encryption.public.keyCapabilities.sensitive=false
+op.enroll.soKeyTemporary.keyGen.encryption.public.keyCapabilities.private=false
+op.enroll.soKeyTemporary.keyGen.encryption.public.keyCapabilities.token=true
+op.enroll.soKeyTemporary.keyGen.encryption.private.keyCapabilities.encrypt=false
+op.enroll.soKeyTemporary.keyGen.encryption.private.keyCapabilities.sign=false
+op.enroll.soKeyTemporary.keyGen.encryption.private.keyCapabilities.signRecover=false
+op.enroll.soKeyTemporary.keyGen.encryption.private.keyCapabilities.decrypt=true
+op.enroll.soKeyTemporary.keyGen.encryption.private.keyCapabilities.derive=false
+op.enroll.soKeyTemporary.keyGen.encryption.private.keyCapabilities.unwrap=true
+op.enroll.soKeyTemporary.keyGen.encryption.private.keyCapabilities.wrap=false
+op.enroll.soKeyTemporary.keyGen.encryption.private.keyCapabilities.verifyRecover=false
+op.enroll.soKeyTemporary.keyGen.encryption.private.keyCapabilities.verify=false
+op.enroll.soKeyTemporary.keyGen.encryption.private.keyCapabilities.sensitive=true
+op.enroll.soKeyTemporary.keyGen.encryption.private.keyCapabilities.private=true
+op.enroll.soKeyTemporary.keyGen.encryption.private.keyCapabilities.token=true
+op.enroll.soKeyTemporary.keyGen.encryption.label=encryption key for $userid$
+op.enroll.soKeyTemporary.keyGen.encryption.cuid_label=$cuid$
+op.enroll.soKeyTemporary.keyGen.encryption.overwrite=true
+op.enroll.soKeyTemporary.keyGen.encryption.certId=C2
+op.enroll.soKeyTemporary.keyGen.encryption.certAttrId=c2
+op.enroll.soKeyTemporary.keyGen.encryption.privateKeyAttrId=k4
+op.enroll.soKeyTemporary.keyGen.encryption.publicKeyAttrId=k5
+op.enroll.soKeyTemporary.keyGen.encryption.keyUsage=0
+op.enroll.soKeyTemporary.keyGen.encryption.keyUser=0
+op.enroll.soKeyTemporary.keyGen.encryption.privateKeyNumber=4
+op.enroll.soKeyTemporary.keyGen.encryption.publicKeyNumber=5
+op.enroll.soKeyTemporary.keyGen.encryption.ca.profileId=caTempTokenUserEncryptionKeyEnrollment
+op.enroll.soKeyTemporary.keyGen.encryption.ca.conn=ca1
+op.enroll.soKeyTemporary.pkcs11obj.enable=true
+op.enroll.soKeyTemporary.pkcs11obj.compress.enable=true
+op.enroll.soKeyTemporary.update.applet.emptyToken.enable=true
+op.enroll.soKeyTemporary.update.applet.enable=true
+op.enroll.soKeyTemporary.update.applet.requiredVersion=1.4.4d40a449
+op.enroll.soKeyTemporary.update.applet.directory=[TPS_DIR]/applets
+op.enroll.soKeyTemporary.update.applet.encryption=true
+op.enroll.soKeyTemporary.update.symmetricKeys.enable=false
+op.enroll.soKeyTemporary.update.symmetricKeys.requiredVersion=1
+op.enroll.soKeyTemporary.loginRequest.enable=true
+op.enroll.soKeyTemporary.pinReset.enable=true
+op.enroll.soKeyTemporary.pinReset.pin.maxRetries=127
+op.enroll.soKeyTemporary.pinReset.pin.minLen=4
+op.enroll.soKeyTemporary.pinReset.pin.maxLen=10
+op.enroll.soKeyTemporary.cardmgr_instance=A0000000030000
+op.enroll.soKeyTemporary.tks.conn=tks1
+op.enroll.soKeyTemporary.tks.keySet=defKeyset
+op.enroll.soKeyTemporary.auth.id=ldap2
+op.enroll.soKeyTemporary.auth.enable=true
+op.pinReset._000=#########################################
+op.pinReset._001=# Certificate Chain Imports
+op.pinReset._002=#
+op.pinReset._003=# op.enroll.certificates.num=1
+op.pinReset._004=# op.enroll.certificates.value.0=caCert
+op.pinReset._005=# op.enroll.certificates.caCert.nickName=caCert0 pki-tps
+op.pinReset._006=# op.enroll.certificates.caCert.certId=C5
+op.pinReset._007=# op.enroll.certificates.caCert.certAttrId=c5
+op.pinReset._008=# op.enroll.certificates.caCert.label=caCert Label
+op.pinReset._009=#########################################
+op.pinReset._010=#########################################
+op.pinReset._011=# Pin Reset Operation For CoolKey
+op.pinReset._012=#
+op.pinReset._013=# op.pinReset.userKey.update.applet.emptyToken.enable=false
+op.pinReset._014=# - update applet or not if token is empty
+op.pinReset._015=#
+op.pinReset._016=# - N/A for HouseKey
+op.pinReset._017=# - N/A for HouseKey with Legacy Applet
+op.pinReset._018=#########################################
+op.pinReset.userKey.update.applet.emptyToken.enable=true
+op.pinReset.userKey.update.applet.enable=false
+op.pinReset.userKey.update.applet.requiredVersion=1.4.4d40a449
+op.pinReset.userKey.update.applet.directory=[TPS_DIR]/applets
+op.pinReset.userKey.update.applet.encryption=true
+op.pinReset.userKey.update.symmetricKeys.enable=false
+op.pinReset.userKey.update.symmetricKeys.requiredVersion=1
+op.pinReset.userKey.loginRequest.enable=true
+op.pinReset.userKey.pinReset.pin.minLen=4
+op.pinReset.userKey.pinReset.pin.maxLen=10
+op.pinReset.userKey.tks.conn=tks1
+op.pinReset.userKey.cardmgr_instance=A0000000030000
+op.pinReset.userKey.auth.id=ldap1
+op.pinReset.userKey.auth.enable=true
+op.format._000=#########################################
+op.format._001=# Format Operation For tokenKey
+op.format._002=#
+op.format._003=# op.format.tokenKey.update.applet.emptyToken.enable=false
+op.format._004=# - update applet or not if token is empty
+op.format._005=#
+op.format._006=# - applicable to CoolKey
+op.format._007=# - applicable to HouseKey
+op.format._008=# - applicable to HouseKey with Legacy Applet
+op.format._009=#########################################
+op.format.allowUnknownToken=true
+op.format.soCleanUserToken.update.applet.emptyToken.enable=true
+op.format.soCleanUserToken.update.applet.requiredVersion=1.4.4d40a449
+op.format.soCleanUserToken.update.applet.directory=[TPS_DIR]/applets
+op.format.soCleanUserToken.update.applet.encryption=true
+op.format.soCleanUserToken.update.symmetricKeys.enable=false
+op.format.soCleanUserToken.update.symmetricKeys.requiredVersion=1
+op.format.soCleanUserToken.revokeCert=true
+op.format.soCleanUserToken.ca.conn=ca1
+op.format.soCleanUserToken.loginRequest.enable=false
+op.format.soCleanUserToken.cardmgr_instance=A0000000030000
+op.format.soCleanUserToken.tks.conn=tks1
+op.format.soCleanUserToken.auth.id=ldap1
+op.format.soCleanUserToken.auth.enable=false
+op.format.soCleanUserToken.issuerinfo.enable=true
+op.format.soCleanUserToken.issuerinfo.value=
+op.format.soCleanSOToken.update.applet.emptyToken.enable=true
+op.format.soCleanSOToken.update.applet.requiredVersion=1.4.4d40a449
+op.format.soCleanSOToken.update.applet.directory=[TPS_DIR]/applets
+op.format.soCleanSOToken.update.applet.encryption=true
+op.format.soCleanSOToken.update.symmetricKeys.enable=false
+op.format.soCleanSOToken.update.symmetricKeys.requiredVersion=1
+op.format.soCleanSOToken.revokeCert=true
+op.format.soCleanSOToken.ca.conn=ca1
+op.format.soCleanSOToken.loginRequest.enable=false
+op.format.soCleanSOToken.cardmgr_instance=A0000000030000
+op.format.soCleanSOToken.tks.conn=tks1
+op.format.soCleanSOToken.auth.id=ldap1
+op.format.soCleanSOToken.auth.enable=false
+op.format.soCleanSOToken.issuerinfo.enable=true
+op.format.soCleanSOToken.issuerinfo.value=
+op.format.cleanToken.update.applet.emptyToken.enable=true
+op.format.cleanToken.update.applet.requiredVersion=1.4.4d40a449
+op.format.cleanToken.update.applet.directory=[TPS_DIR]/applets
+op.format.cleanToken.update.applet.encryption=true
+op.format.cleanToken.update.symmetricKeys.enable=false
+op.format.cleanToken.update.symmetricKeys.requiredVersion=1
+op.format.cleanToken.revokeCert=true
+op.format.cleanToken.ca.conn=ca1
+op.format.cleanToken.loginRequest.enable=true
+op.format.cleanToken.cardmgr_instance=A0000000030000
+op.format.cleanToken.tks.conn=tks1
+op.format.cleanToken.auth.id=ldap1
+op.format.cleanToken.auth.enable=false
+op.format.cleanToken.issuerinfo.enable=true
+op.format.cleanToken.issuerinfo.value=
+op.format.soUserKey.update.applet.emptyToken.enable=true
+op.format.soUserKey.update.applet.requiredVersion=1.4.4d40a449
+op.format.soUserKey.update.applet.directory=[TPS_DIR]/applets
+op.format.soUserKey.update.applet.encryption=true
+op.format.soUserKey.update.symmetricKeys.enable=false
+op.format.soUserKey.update.symmetricKeys.requiredVersion=1
+op.format.soUserKey.revokeCert=true
+op.format.soUserKey.ca.conn=ca1
+op.format.soUserKey.loginRequest.enable=false
+op.format.soUserKey.cardmgr_instance=A0000000030000
+op.format.soUserKey.tks.conn=tks1
+op.format.soUserKey.auth.id=ldap1
+op.format.soUserKey.auth.enable=false
+op.format.soUserKey.issuerinfo.enable=true
+op.format.soUserKey.issuerinfo.value=http://[PKI_HOSTNAME]:[PKI_UNSECURE_PORT]/cgi-bin/home/index.cgi
+op.format.soKey.update.applet.emptyToken.enable=true
+op.format.soKey.update.applet.requiredVersion=1.4.4d40a449
+op.format.soKey.update.applet.directory=[TPS_DIR]/applets
+op.format.soKey.update.applet.encryption=true
+op.format.soKey.update.symmetricKeys.enable=false
+op.format.soKey.update.symmetricKeys.requiredVersion=1
+op.format.soKey.revokeCert=true
+op.format.soKey.ca.conn=ca1
+op.format.soKey.loginRequest.enable=true
+op.format.soKey.cardmgr_instance=A0000000030000
+op.format.soKey.tks.conn=tks1
+op.format.soKey.auth.id=ldap2
+op.format.soKey.auth.enable=true
+op.format.soKey.issuerinfo.enable=true
+op.format.soKey.issuerinfo.value=http://[PKI_HOSTNAME]:[PKI_UNSECURE_PORT]/cgi-bin/so/index.cgi
+op.format.userKey.update.applet.emptyToken.enable=true
+op.format.userKey.update.applet.requiredVersion=1.4.4d40a449
+op.format.userKey.update.applet.directory=[TPS_DIR]/applets
+op.format.userKey.update.applet.encryption=true
+op.format.userKey.update.symmetricKeys.enable=false
+op.format.userKey.update.symmetricKeys.requiredVersion=1
+op.format.userKey.revokeCert=true
+op.format.userKey.ca.conn=ca1
+op.format.userKey.loginRequest.enable=true
+op.format.userKey.cardmgr_instance=A0000000030000
+op.format.userKey.tks.conn=tks1
+op.format.userKey.auth.id=ldap1
+op.format.userKey.auth.enable=true
+op.format.userKey.issuerinfo.enable=true
+op.format.userKey.issuerinfo.value=http://[PKI_HOSTNAME]:[PKI_UNSECURE_PORT]/cgi-bin/home/index.cgi
+op.format.tokenKey.update.applet.emptyToken.enable=true
+op.format.tokenKey.update.applet.requiredVersion=1.4.4d40a449
+op.format.tokenKey.update.applet.directory=[TPS_DIR]/applets
+op.format.tokenKey.update.applet.encryption=true
+op.format.tokenKey.update.symmetricKeys.enable=false
+op.format.tokenKey.update.symmetricKeys.requiredVersion=1
+op.format.tokenKey.revokeCert=true
+op.format.tokenKey.ca.conn=ca1
+op.format.tokenKey.loginRequest.enable=true
+op.format.tokenKey.cardmgr_instance=A0000000030000
+op.format.tokenKey.tks.conn=tks1
+op.format.tokenKey.auth.id=ldap1
+op.format.tokenKey.auth.enable=true
+op.format.tokenKey.issuerinfo.enable=true
+op.format.tokenKey.issuerinfo.value=http://[PKI_HOSTNAME]:[PKI_UNSECURE_PORT]/cgi-bin/home/index.cgi
+tokendb._000=#########################################
+tokendb._001=# tokendb.auditLog:
+tokendb._002=# - audit log path
+tokendb._003=# tokendb.host:
+tokendb._004=# - tokendb host name
+tokendb._005=# tokendb.port:
+tokendb._006=# - tokendb port number
+tokendb._007=# tokendb.bindDN:
+tokendb._008=# - tokendb administration DN (i.e. cn=Directory Manager)
+tokendb._009=# tokendb.bindPassPath:
+tokendb._010=# - tokendb administration password file path
+tokendb._011=# tokendb.templateDir
+tokendb._012=# - directory where all the tokendb templates are located
+tokendb._013=# tokendb.userBaseDN:
+tokendb._014=# - directory base DN for users and groups
+tokendb._015=# tokendb.baseDN:
+tokendb._016=# - directory base DN for tokens
+tokendb._017=# tokendb.activityBaseDN:
+tokendb._018=# - directory base DN for activities
+tokendb._019=# tokendb.indexTemplate=index.template
+tokendb._020=# - index template
+tokendb._021=# tokendb.newTemplate=new.template
+tokendb._022=# - add template
+tokendb._023=# tokendb.showTemplate=show.template
+tokendb._024=# - show template
+tokendb._025=# tokendb.errorTemplate=error.template
+tokendb._026=# - error template
+tokendb._027=# tokendb.searchTemplate=search.template
+tokendb._028=# - search template
+tokendb._029=# tokendb.searchResultTemplate=searchResults.template
+tokendb._030=# - search result template
+tokendb._031=# tokendb.editTemplate=edit.template
+tokendb._032=# - edit template
+tokendb._033=# tokendb.editResultTemplate=editResults.template
+tokendb._034=# - edit result template
+tokendb._035=# tokendb.addResultTemplate=addResults.template
+tokendb._036=# - add result template
+tokendb._037=# tokendb.deleteResultTemplate=deleteResults.template
+tokendb._038=# - delete result template
+tokendb._039=# tokendb.searchActivityTemplate=searchActivity.template
+tokendb._040=# - search activity template
+tokendb._041=# tokendb.searchActivityResultTemplate=searchActivityResults.template
+tokendb._042=# - search activity result template
+tokendb._043=# tokendb.showAdminTemplate=showAdmin.template
+tokendb._044=# - show admin template
+tokendb._045=# tokendb.editAdminTemplate=editAdmin.template
+tokendb._046=# - edit admin template
+tokendb._047=# tokendb.editAdminResultTemplate=editAdminResults.template
+tokendb._048=# - edit admin result template
+tokendb._049=# tokendb.searchAdminTemplate=searchAdmin.template
+tokendb._050=# - search admin template
+tokendb._051=# tokendb.searchAdminResultTemplate=searchAdminResults.template
+tokendb._052=# - search admin result template
+tokendb._053=# tokendb.defaultPolicy:
+tokendb._054=# Supported Policy (Separated by ; [Semicolon]):
+tokendb._055=# For example, PIN_RESET=YES|NO;RE_ENROLL=YES|NO
+tokendb._056=# PIN_RESET=YES|NO
+tokendb._057=# - If not present, pin reset by user is allowed.
+tokendb._058=# - If present and agent change PIN_RESET from NO
+tokendb._059=# to YES, user is allowed to do pin reset. This
+tokendb._060=# policy will be changed back to NO after pin reset.
+tokendb._061=# RE_ENROLL=YES|NO
+tokendb._062=# - If not present, re-enrollment is allowed.
+tokendb._063=# - If present, re-enrollment is allowed when RE_ENROLL
+tokendb._064=# is set to YES. Otherwise, re-enrollment is not
+tokendb._065=# allowed.
+tokendb._066=# tokendb.allowedTransitions:
+tokendb._067=# - has transitions between the following states
+tokendb._068=# TOKEN_UNINITIALIZED = 0,
+tokendb._069=# TOKEN_DAMAGED =1,
+tokendb._070=# TOKEN_PERM_LOST=2,
+tokendb._071=# TOKEN_TEMP_LOST=3,
+tokendb._072=# TOKEN_FOUND =4,
+tokendb._073=# TOKEN_TEMP_LOST_PERM_LOST =5,
+tokendb._074=# TOKEN_TERMINATED = 6
+tokendb._075=#########################################
+tokendb.auditLog=[PKI_INSTANCE_PATH]/logs/tokendb-audit.log
+tokendb.hostport=[TOKENDB_HOST]:[TOKENDB_PORT]
+tokendb.ssl=false
+tokendb.bindDN=cn=Directory Manager
+tokendb.bindPassPath=[PKI_INSTANCE_PATH]/conf/password.conf
+tokendb.templateDir=[PKI_INSTANCE_PATH]/docroot/tus
+tokendb.userBaseDN=[TOKENDB_ROOT]
+tokendb.baseDN=ou=Tokens,[TOKENDB_ROOT]
+tokendb.activityBaseDN=ou=Activities,[TOKENDB_ROOT]
+tokendb.certBaseDN=ou=Certificates,[TOKENDB_ROOT]
+tokendb.indexTemplate=index.template
+tokendb.indexAdminTemplate=indexAdmin.template
+tokendb.newTemplate=new.template
+tokendb.showTemplate=show.template
+tokendb.showCertTemplate=showCert.template
+tokendb.errorTemplate=error.template
+tokendb.searchTemplate=search.template
+tokendb.searchResultTemplate=searchResults.template
+tokendb.searchCertificateResultTemplate=searchCertificateResults.template
+tokendb.editTemplate=edit.template
+tokendb.editResultTemplate=editResults.template
+tokendb.addResultTemplate=addResults.template
+tokendb.deleteTemplate=delete.template
+tokendb.deleteResultTemplate=deleteResults.template
+tokendb.searchActivityTemplate=searchActivity.template
+tokendb.searchCertificateTemplate=searchCertificate.template
+tokendb.searchActivityResultTemplate=searchActivityResults.template
+tokendb.searchActivityAdminTemplate=searchActivityAdmin.template
+tokendb.searchActivityAdminResultTemplate=searchActivityAdminResults.template
+tokendb.showAdminTemplate=showAdmin.template
+tokendb.doTokenTemplate=doToken.template
+tokendb.doTokenConfirmTemplate=doTokenConfirm.template
+tokendb.revokeTemplate=revoke.template
+tokendb.searchAdminTemplate=searchAdmin.template
+tokendb.searchAdminResultTemplate=searchAdminResults.template
+tokendb.defaultPolicy=RE_ENROLL=YES
+tokendb.newUserTemplate=newUser.template
+tokendb.userDeleteTemplate=userDelete.template
+tokendb.searchUserResultTemplate=searchUserResults.template
+tokendb.searchUserTemplate=searchUser.template
+tokendb.editUserTemplate=editUser.template
+tokendb.indexOperatorTemplate=indexOperator.template
+tokendb.selfTestTemplate=selfTest.template
+tokendb.selfTestResultsTemplate=selfTestResults.template
+tokendb.auditAdminTemplate=auditAdmin.template
+tokendb.selectConfigTemplate=selectConfig.template
+tokendb.agentSelectConfigTemplate=agentSelectConfig.template
+tokendb.editConfigTemplate=editConfig.template
+tokendb.agentViewConfigTemplate=agentViewConfig.template
+tokendb.addConfigTemplate=addConfig.template
+tokendb.confirmConfigChangesTemplate=confirmConfigChanges.template
+tokendb.confirmDeleteConfigTemplate=confirmDeleteConfig.template
+log.instance.SignedAudit.selected.events=ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,LOG_EXPIRATION_CHANGE,CONFIG,CONFIG_ROLE,CONFIG_TOKEN,CONFIG_PROFILE,CONFIG_AUDIT,APPLET_UPGRADE,KEY_CHANGEOVER,RENEWAL
+log.instance.SignedAudit.selectable.events=ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,LOG_EXPIRATION_CHANGE,PRIVATE_KEY_ARCHIVE,PRIVATE_KEY_ARCHIVE_PROCESSED,KEY_RECOVERY_REQUEST,KEY_RECOVERY_AGENT_LOGIN,KEY_RECOVERY_PROCESSED,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,CONFIG,CONFIG_ROLE,CONFIG_TOKEN,CONFIG_PROFILE,CONFIG_AUDIT,APPLET_UPGRADE,KEY_CHANGEOVER,RENEWAL
+log.instance.SignedAudit.nonselectable.events=AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ_SUCCESS,AUTHZ_FAIL,INTER_BOUNDARY,AUTH_FAIL,AUTH_SUCCESS,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,SERVER_SIDE_KEYGEN_PROCESSED,SERVER_SIDE_KEYGEN_REQUEST
+tokendb.allowedTransitions=0:1,0:2,0:3,0:4,0:5,0:6,3:4,3:5,3:6,4:1,4:2,4:3,4:6
+target._000=#########################################
+target._001=# entries to enable configuration of parameter sets through the TPS UI agent and admin tabs
+target._002=#
+target._003=# target.configure.list = comma separated lists of all parameter sets that can be configured by the admin.
+target._004=# Each entry will show up (with underscore replaced by space) under Advanced Configuration on the admin tab.
+target._005=#
+target._006=# target.agent_approve.list = comma separated subset of above list. Parameter sets in this list
+target._007=# will show up in the agent tab (under advanced configuration) and will require agent involvement
+target._008=# (enable/ disable) to be edited.
+target._009=#
+target._010=# For the wording to display correctly, the values in the above list should be plurals.
+target._011=#
+target._012=# Each parameter set in the lists above requires three parameters:
+target._013=# target.<type name>.list : list of choices of this parameter set type (will display in the drop down box)
+target._014=# target.<type name>.pattern : the regular expression to select parameters in CS.cfg for this parameter set.
+target._015=# target.<type_name>.displayname: used in the UI display text. This should be the singular form of <type_name>.
+target._016=#
+target._017=# The exception is the parameter set Generals, which has only a pattern and displayname defined.
+target._018=#
+target._019=########################################
+target.configure.list=Profiles,Subsystem_Connections,Profile_Mappings,Authentication_Sources
+target.agent_approve.list=Profiles
+target.Profiles.list=userKey,soKey,soCleanUserToken,soUserKey,cleanToken,soCleanSoToken,tokenKey
+target.Profiles.pattern=op\..*\.$name\..*
+target.Profiles.displayname=Profile
+target.Subsystem_Connections.list=ca1,drm1,tks1
+target.Subsystem_Connections.pattern=conn\.$name\..*
+target.Subsystem_Connections.displayname=Subsystem Connection
+target.Profile_Mappings.list=enroll,format,pinReset
+target.Profile_Mappings.pattern=op\.$name\.mapping\..*
+target.Profile_Mappings.displayname=Profile Mapping
+target.Authentication_Sources.list=0,1
+target.Authentication_Sources.pattern=auth\.instance\.$name\..*
+target.Authentication_Sources.displayname=Authentication Source
+target.Generals.displayname=General
+target.Generals.pattern=^applet\..*\|^general\..*\|^failover.pod.enable\|^channel\..*
+config.Generals.General.state=Enabled
+config.Generals.General.timestamp=1280283607424406
+tps._000=########################################
+tps._001=# For verifying system certificates
+tps._002=# tps.cert.list=sslserver,subsystem,audit_signing
+tps._003=# tps.cert.sslserver.nickname=xxx
+tps._005=# tps.cert.subsystem.nickname=xxx
+tps._007=# tps.cert.audit_signing.nickname=xxx
+tps._008=# operations.allowedTransitions:
+tps._009=# - token operations, like formatting and enrollment have transitions between the following states
+tps._010=# TOKEN_UNINITIALIZED = 0,
+tps._011=# TOKEN_DAMAGED =1,
+tps._012=# TOKEN_PERM_LOST=2,
+tps._013=# TOKEN_TEMP_LOST=3,
+tps._014=# TOKEN_FOUND =4,
+tps._015=# TOKEN_TEMP_LOST_PERM_LOST =5,
+tps._016=# TOKEN_TERMINATED = 6
+tps._017=# Sample: tps.operations.allowedTransitions=0:0,0:4,4:6,6:0
+tps._018=########################################
+tps.operations.allowedTransitions=0:0,0:4,4:0
+tps.cert.list=sslserver,subsystem,audit_signing
+tps.cert.sslserver.nickname=[HSM_LABEL][NICKNAME]
+tps.cert.subsystem.nickname=[HSM_LABEL][NICKNAME]
+tps.cert.audit_signing.nickname=[HSM_LABEL][NICKNAME]
diff --git a/scripts/compose_dogtag_pki_meta_packages b/scripts/compose_dogtag_pki_meta_packages
index a2dd5752f..a70213c79 100755
--- a/scripts/compose_dogtag_pki_meta_packages
+++ b/scripts/compose_dogtag_pki_meta_packages
@@ -30,7 +30,7 @@ PKI_PWD=`pwd`
##
if [ $WORK_DIR ]; then
- PKI_PACKAGES="$WORK_DIR"
+ PKI_PACKAGES="`cd $WORK_DIR ; pwd`"
else
PKI_PACKAGES="${PKI_PWD}/packages"
fi
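Review bot: The new `cd $WORK_DIR ; pwd` substitution joins the two commands with `;`, so when `$WORK_DIR` is missing or cannot be entered the `cd` fails and `pwd` still prints the caller's current directory. `PKI_PACKAGES` then points somewhere unintended and the packages are composed there without any error. `$WORK_DIR` is also unquoted, so a path containing spaces breaks the `cd`. I would write `PKI_PACKAGES="$(cd "$WORK_DIR" && pwd)" || exit 1`, or use the script's own failure path, which is not visible in this hunk. The same line is added to the other compose_* scripts in this commit (dogtag theme, ipa theme, console, core, migrate, ra, tps) and needs the same change.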
diff --git a/scripts/compose_dogtag_pki_theme_packages b/scripts/compose_dogtag_pki_theme_packages
index f340dbf9c..5b52acaef 100755
--- a/scripts/compose_dogtag_pki_theme_packages
+++ b/scripts/compose_dogtag_pki_theme_packages
@@ -47,7 +47,7 @@ PKI_COMPONENT_LIST="test common-ui ra-ui tps-ui console-ui"
##
if [ $WORK_DIR ]; then
- PKI_PACKAGES="$WORK_DIR"
+ PKI_PACKAGES="`cd $WORK_DIR ; pwd`"
else
PKI_PACKAGES="${PKI_PWD}/packages"
fi
diff --git a/scripts/compose_ipa_pki_theme_packages b/scripts/compose_ipa_pki_theme_packages
index eac6cddd6..8cd8768b0 100755
--- a/scripts/compose_ipa_pki_theme_packages
+++ b/scripts/compose_ipa_pki_theme_packages
@@ -47,7 +47,7 @@ PKI_COMPONENT_LIST="common-ui ca-ui"
##
if [ $WORK_DIR ]; then
- PKI_PACKAGES="$WORK_DIR"
+ PKI_PACKAGES="`cd $WORK_DIR ; pwd`"
else
PKI_PACKAGES="${PKI_PWD}/packages"
fi
diff --git a/scripts/compose_pki_console_packages b/scripts/compose_pki_console_packages
index 22f17d07d..4e5bc66ba 100755
--- a/scripts/compose_pki_console_packages
+++ b/scripts/compose_pki_console_packages
@@ -47,7 +47,7 @@ PKI_COMPONENT_LIST="test console"
##
if [ $WORK_DIR ]; then
- PKI_PACKAGES="$WORK_DIR"
+ PKI_PACKAGES="`cd $WORK_DIR ; pwd`"
else
PKI_PACKAGES="${PKI_PWD}/packages"
fi
diff --git a/scripts/compose_pki_core_packages b/scripts/compose_pki_core_packages
index 99d480c31..eb124ebb0 100755
--- a/scripts/compose_pki_core_packages
+++ b/scripts/compose_pki_core_packages
@@ -39,9 +39,9 @@ PKI_CORE_VERSION="10.1.0"
##
PKI_SPECS_FILE="${PKI_DIR}/specs/${PKI_CORE}.spec"
-PKI_COMPONENT_LIST="test setup symkey util common native-tools java-tools server selinux ca kra ocsp tks silent"
+PKI_COMPONENT_LIST="test setup symkey util common native-tools java-tools server selinux ca kra ocsp tks tps-tomcat silent"
-if [ "$JAVADOC" = "" ]; then
+if [ "$WITHOUT_JAVADOC" = "" ]; then
PKI_COMPONENT_LIST="$PKI_COMPONENT_LIST javadoc"
fi
@@ -50,7 +50,7 @@ fi
##
if [ $WORK_DIR ]; then
- PKI_PACKAGES="$WORK_DIR"
+ PKI_PACKAGES="`cd $WORK_DIR ; pwd`"
else
PKI_PACKAGES="${PKI_PWD}/packages"
fi
@@ -154,12 +154,25 @@ else
cd ${PKI_BASE_DIR}
cp -p ${PKI_BASE_MANIFEST} ${PKI_CORE_BASE_DIR}
cp -p VERSION ${PKI_CORE_BASE_DIR}
- for component in "${PKI_COMPONENT_LIST}" ;
+ for component in ${PKI_COMPONENT_LIST} ;
do
- find ${component} \
+ if [ "${component}" = "tps-tomcat" ] ; then
+ # rename tps-tomcat to tps
+ dest="tps"
+ else
+ dest="${component}"
+ fi
+
+ # copying ${PKI_BASE_DIR}/${component} to ${PKI_CORE_BASE_DIR}/${dest}
+ cd ${component}
+ mkdir ${PKI_CORE_BASE_DIR}/${dest}
+
+ find \
-name .svn -prune -o \
-name *.swp -prune -o \
- -print | cpio -pdum ${PKI_CORE_BASE_DIR} > /dev/null 2>&1
+ -print | cpio -pdum ${PKI_CORE_BASE_DIR}/${dest} > /dev/null 2>&1
+
+ cd ..
done
cd - > /dev/null 2>&1
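Review bot: `cd ${component}` in the new loop body is unchecked, so if a component directory is missing the following `find` runs from `${PKI_BASE_DIR}` and feeds the whole base tree into `${PKI_CORE_BASE_DIR}/${dest}`. The trailing `cd ..` then moves out of the base directory for the remaining iterations. Because cpio's output goes to `/dev/null`, nothing reports this and the source tarball is silently wrong. I would use `cd "${component}" || exit 1` and `mkdir "${PKI_CORE_BASE_DIR}/${dest}" || exit 1`, and quote the pattern as `-name '*.swp'` so the shell cannot expand it against the current directory. The enclosing `else` branch starts outside the hunk.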
diff --git a/scripts/compose_pki_migrate_packages b/scripts/compose_pki_migrate_packages
index f9bcaccb8..be93c42c1 100755
--- a/scripts/compose_pki_migrate_packages
+++ b/scripts/compose_pki_migrate_packages
@@ -47,7 +47,7 @@ PKI_COMPONENT_LIST="test migrate"
##
if [ $WORK_DIR ]; then
- PKI_PACKAGES="$WORK_DIR"
+ PKI_PACKAGES="`cd $WORK_DIR ; pwd`"
else
PKI_PACKAGES="${PKI_PWD}/packages"
fi
diff --git a/scripts/compose_pki_ra_packages b/scripts/compose_pki_ra_packages
index 0e93ee4e1..9aa4dda14 100755
--- a/scripts/compose_pki_ra_packages
+++ b/scripts/compose_pki_ra_packages
@@ -47,7 +47,7 @@ PKI_COMPONENT_LIST="ra"
##
if [ $WORK_DIR ]; then
- PKI_PACKAGES="$WORK_DIR"
+ PKI_PACKAGES="`cd $WORK_DIR ; pwd`"
else
PKI_PACKAGES="${PKI_PWD}/packages"
fi
diff --git a/scripts/compose_pki_tps_packages b/scripts/compose_pki_tps_packages
index a23c52982..4ffa83cf5 100755
--- a/scripts/compose_pki_tps_packages
+++ b/scripts/compose_pki_tps_packages
@@ -47,7 +47,7 @@ PKI_COMPONENT_LIST="tps"
##
if [ $WORK_DIR ]; then
- PKI_PACKAGES="$WORK_DIR"
+ PKI_PACKAGES="`cd $WORK_DIR ; pwd`"
else
PKI_PACKAGES="${PKI_PWD}/packages"
fi
diff --git a/specs/pki-core.spec b/specs/pki-core.spec
index fc277dd7d..3bf959da5 100644
--- a/specs/pki-core.spec
+++ b/specs/pki-core.spec
@@ -5,7 +5,7 @@ distutils.sysconfig import get_python_lib; print(get_python_lib(1))")}
Name: pki-core
Version: 10.1.0
-Release: 0.9%{?dist}
+Release: 0.10%{?dist}
Summary: Certificate System - PKI Core Components
URL: http://pki.fedoraproject.org/
License: GPLv2
@@ -107,6 +107,7 @@ PKI Core contains ALL top-level java-based Tomcat PKI components: \
* pki-kra \
* pki-ocsp \
* pki-tks \
+ * pki-tps-tomcat \
* pki-javadoc \
\
which comprise the following corresponding PKI subsystems: \
@@ -115,6 +116,7 @@ which comprise the following corresponding PKI subsystems: \
* Data Recovery Manager (DRM) \
* Online Certificate Status Protocol (OCSP) Manager \
* Token Key Service (TKS) \
+ * Token Processing Service (TPS) \
\
For deployment purposes, PKI Core contains fundamental packages \
required by BOTH native-based Apache AND java-based Tomcat \
@@ -313,8 +315,9 @@ The PKI Server Framework is required by the following four PKI subsystems:
the Certificate Authority (CA),
the Data Recovery Manager (DRM),
- the Online Certificate Status Protocol (OCSP) Manager, and
- the Token Key Service (TKS).
+ the Online Certificate Status Protocol (OCSP) Manager,
+ the Token Key Service (TKS), and
+ the Token Processing Service (TPS).
This package is a part of the PKI Core used by the Certificate System.
The package contains scripts to create and remove PKI subsystems.
@@ -476,6 +479,39 @@ provided by the PKI Core used by the Certificate System.
%{overview}
+%package -n pki-tps-tomcat
+Summary: Certificate System - Token Processing Service
+Group: System Environment/Daemons
+
+BuildArch: noarch
+
+Provides: pki-tps
+Conflicts: pki-tps
+Requires: java >= 1:1.7.0
+Requires: pki-server = %{version}-%{release}
+Requires(post): systemd-units
+Requires(preun): systemd-units
+Requires(postun): systemd-units
+
+%description -n pki-tps-tomcat
+The Token Processing System (TPS) is an optional PKI subsystem that acts
+as a Registration Authority (RA) for authenticating and processing
+enrollment requests, PIN reset requests, and formatting requests from
+the Enterprise Security Client (ESC).
+
+TPS is designed to communicate with tokens that conform to
+Global Platform's Open Platform Specification.
+
+TPS communicates over SSL with various PKI backend subsystems (including
+the Certificate Authority (CA), the Data Recovery Manager (DRM), and the
+Token Key Service (TKS)) to fulfill the user's requests.
+
+TPS also interacts with the token database, an LDAP server that stores
+information about individual tokens.
+
+%{overview}
+
+
%package -n pki-javadoc
Summary: Certificate System - PKI Framework Javadocs
Group: Documentation
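Review bot: `Provides: pki-tps` and `Conflicts: pki-tps` in the new `pki-tps-tomcat` subpackage are both unversioned. An unversioned Provides does not satisfy a versioned dependency on `pki-tps`. An unversioned Conflicts, like the `Conflicts: pki-tps-tomcat` added to specs/pki-tps.spec, stays in force for every future release unless someone remembers to remove it. I would write `Provides: pki-tps = %{version}-%{release}` and add a comment above the pair explaining why the Apache-based and Tomcat-based TPS cannot be installed together. The Summary also says "Token Processing Service" while the description opens with "Token Processing System"; one name should be used throughout.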
@@ -575,11 +611,17 @@ echo "D /var/lock/pki 0755 root root -" > %{buildroot}%{_sysconfdir}/tmpfil
echo "D /var/lock/pki/tks 0755 root root -" >> %{buildroot}%{_sysconfdir}/tmpfiles.d/pki-tks.conf
echo "D /var/run/pki 0755 root root -" >> %{buildroot}%{_sysconfdir}/tmpfiles.d/pki-tks.conf
echo "D /var/run/pki/tks 0755 root root -" >> %{buildroot}%{_sysconfdir}/tmpfiles.d/pki-tks.conf
+# generate 'pki-tps.conf' under the 'tmpfiles.d' directory
+echo "D /var/lock/pki 0755 root root -" > %{buildroot}%{_sysconfdir}/tmpfiles.d/pki-tps.conf
+echo "D /var/lock/pki/tps 0755 root root -" >> %{buildroot}%{_sysconfdir}/tmpfiles.d/pki-tps.conf
+echo "D /var/run/pki 0755 root root -" >> %{buildroot}%{_sysconfdir}/tmpfiles.d/pki-tps.conf
+echo "D /var/run/pki/tps 0755 root root -" >> %{buildroot}%{_sysconfdir}/tmpfiles.d/pki-tps.conf
%{__rm} %{buildroot}%{_initrddir}/pki-cad
%{__rm} %{buildroot}%{_initrddir}/pki-krad
%{__rm} %{buildroot}%{_initrddir}/pki-ocspd
%{__rm} %{buildroot}%{_initrddir}/pki-tksd
+%{__rm} %{buildroot}%{_initrddir}/pki-tpsd
%{__rm} -rf %{buildroot}%{_datadir}/pki/server/lib
@@ -1089,6 +1131,27 @@ fi
%config(noreplace) %{_sysconfdir}/tmpfiles.d/pki-tks.conf
+%files -n pki-tps-tomcat
+%defattr(-,root,root,-)
+%doc base/tps/LICENSE
+%dir %{_sysconfdir}/systemd/system/pki-tpsd.target.wants
+%{_unitdir}/pki-tpsd@.service
+%{_unitdir}/pki-tpsd.target
+%{_javadir}/pki/pki-tps.jar
+%dir %{_datadir}/pki/tps
+%{_datadir}/pki/tps/conf/
+%{_datadir}/pki/tps/setup/
+%{_datadir}/pki/tps/webapps/
+%dir %{_localstatedir}/lock/pki/tps
+%dir %{_localstatedir}/run/pki/tps
+# Details:
+#
+# * https://fedoraproject.org/wiki/Features/var-run-tmpfs
+# * https://fedoraproject.org/wiki/Tmpfiles.d_packaging_draft
+#
+%config(noreplace) %{_sysconfdir}/tmpfiles.d/pki-tps.conf
+
+
%if %{?_without_javadoc:0}%{!?_without_javadoc:1}
%files -n pki-javadoc
%defattr(-,root,root,-)
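Review bot: `%doc base/tps/LICENSE` in the new `%files -n pki-tps-tomcat` section names a path that, as far as this commit shows, exists only after scripts/compose_pki_core_packages has renamed `tps-tomcat` to `tps` while assembling the source tarball. In the repository the file is added as base/tps-tomcat/LICENSE. A build from a tarball produced any other way would presumably fail at this line, and the coupling is not recorded in the spec. I would add a comment above it, for example `# base/tps-tomcat is shipped as base/tps by compose_pki_core_packages`.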
@@ -1097,6 +1160,9 @@ fi
%changelog
+* Wed Aug 14 2013 Endi S. Dewata <edewata@redhat.com> 10.1.0-0.10
+- Moved Tomcat-based TPS into pki-core.
+
* Fri Aug 14 2013 Abhishek Koneru <akoneru@redhat.com> 10.1.0.0.9
- Listed new packages required during build, due to issues reported
by pylint.
diff --git a/specs/pki-tps.spec b/specs/pki-tps.spec
index 4f26ebbc4..da7e9024f 100644
--- a/specs/pki-tps.spec
+++ b/specs/pki-tps.spec
@@ -1,6 +1,6 @@
Name: pki-tps
Version: 10.1.0
-Release: 0.4%{?dist}
+Release: 0.5%{?dist}
Summary: Certificate System - Token Processing System
URL: http://pki.fedoraproject.org/
License: LGPLv2
@@ -25,6 +25,7 @@ BuildRequires: svrcore-devel
BuildRequires: zlib
BuildRequires: zlib-devel
+Conflicts: pki-tps-tomcat
Requires: java >= 1:1.7.0
Requires: mod_nss
Requires: mod_perl
@@ -220,7 +221,6 @@ fi
%{_bindir}/tpsclient
%{_libdir}/httpd/modules/*
%{_libdir}/tps/
-%{_javadir}/pki/pki-tps.jar
%dir %{_datadir}/pki/tps
%{_datadir}/pki/tps/applets/
%{_datadir}/pki/tps/cgi-bin/
@@ -230,7 +230,6 @@ fi
%{_datadir}/pki/tps/samples/
%{_datadir}/pki/tps/scripts/
%{_datadir}/pki/tps/setup/
-%{_datadir}/pki/tps/webapps/
%dir %{_localstatedir}/lock/pki/tps
%dir %{_localstatedir}/run/pki/tps
# Details:
@@ -242,6 +241,9 @@ fi
%changelog
+* Wed Aug 14 2013 Endi S. Dewata <edewata@redhat.com> 10.1.0-0.5
+- Moved Tomcat-based TPS into pki-core.
+
* Thu Jul 11 2013 Ade Lee <alee@redhat.com> 10.1.0-0.4
- Add systemd build requirement to fix build failures in f19