-rw-r--r--.pydevproject5
-rw-r--r--base/ca/shared/conf/CS.cfg.in2
-rw-r--r--base/common/src/com/netscape/certsrv/system/ConfigurationRequest.java119
-rw-r--r--base/common/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java142
-rw-r--r--base/common/src/com/netscape/cms/servlet/csadmin/SystemConfigService.java805
-rw-r--r--base/kra/shared/conf/CS.cfg.in2
-rw-r--r--base/ocsp/shared/conf/CS.cfg.in2
-rw-r--r--base/server/config/pkislots.cfg5
-rw-r--r--base/server/etc/default.cfg8
-rw-r--r--base/server/python/pki/server/deployment/pkihelper.py15
-rw-r--r--base/server/python/pki/server/deployment/pkiparser.py19
-rw-r--r--base/tks/shared/conf/CS.cfg.in2
-rw-r--r--base/tps/shared/conf/CS.cfg.in2490
-rw-r--r--base/tps/shared/conf/db.ldif82
-rw-r--r--base/tps/shared/conf/index.ldif269
-rw-r--r--base/tps/shared/conf/schema.ldif537
16 files changed, 2158 insertions, 2346 deletions
diff --git a/.pydevproject b/.pydevproject
index f77c43e10..4a8d2616b 100644
--- a/.pydevproject
+++ b/.pydevproject
@@ -3,11 +3,8 @@
<pydev_property name="org.python.pydev.PYTHON_PROJECT_INTERPRETER">Default</pydev_property>
<pydev_property name="org.python.pydev.PYTHON_PROJECT_VERSION">python 2.7</pydev_property>
<pydev_pathproperty name="org.python.pydev.PROJECT_SOURCE_PATH">
-<path>/pki/base/server/src</path>
-<path>/pki/base/server/src/engine</path>
-<path>/pki/base/server/src/scriptlets</path>
-<path>/pki/base/server/python/pki/server</path>
<path>/pki/base/common/python/pki</path>
+<path>/pki/base/server/python/pki/server</path>
<path>/pki/base/kra/functional</path>
</pydev_pathproperty>
</pydev_project>
diff --git a/base/ca/shared/conf/CS.cfg.in b/base/ca/shared/conf/CS.cfg.in
index d02845310..837ec9a27 100644
--- a/base/ca/shared/conf/CS.cfg.in
+++ b/base/ca/shared/conf/CS.cfg.in
@@ -51,7 +51,7 @@ service.clientauth_securePort=[PKI_EE_SECURE_CLIENT_AUTH_PORT]
service.unsecurePort=[PKI_UNSECURE_PORT]
service.instanceID=[PKI_INSTANCE_NAME]
preop.admin.name=Certificate System Administrator
-preop.admin.group=Certificate Manager Agents
+preop.admin.group=Certificate Manager Agents, Administrators
preop.admincert.profile=caAdminCert
preop.pin=[PKI_RANDOM_NUMBER]
ca.cert.list=signing,ocsp_signing,sslserver,subsystem,audit_signing
diff --git a/base/common/src/com/netscape/certsrv/system/ConfigurationRequest.java b/base/common/src/com/netscape/certsrv/system/ConfigurationRequest.java
index 170e1c031..23021a573 100644
--- a/base/common/src/com/netscape/certsrv/system/ConfigurationRequest.java
+++ b/base/common/src/com/netscape/certsrv/system/ConfigurationRequest.java
@@ -74,6 +74,17 @@ public class ConfigurationRequest {
private static final String STEP_TWO = "stepTwo";
private static final String GENERATE_SERVER_CERT = "generateServerCert";
+ // TPS specific parameters
+ private static final String AUTHDB_BASEDN = "authdbBaseDN";
+ private static final String AUTHDB_HOST = "authdbHost";
+ private static final String AUTHDB_PORT = "authdbPort";
+ private static final String AUTHDB_SECURE_CONN = "authdbSecureConn";
+ private static final String CA_URI = "caUri";
+ private static final String TKS_URI = "tksUri";
+ private static final String KRA_URI = "kraUri";
+ private static final String ENABLE_SERVER_SIDE_KEYGEN = "enableServerSideKeygen";
+
+
//defaults
public static final String TOKEN_DEFAULT = "Internal Key Storage Token";
public static final String NEW_DOMAIN = "newdomain";
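Review bot: The form key `ENABLE_SERVER_SIDE_KEYGEN = "enableServerSideKeygen"` (lowercase g) does not match the JAXB field `enableServerSideKeyGen` added in the next hunk; that field carries a bare `@XmlElement`, so like its siblings its element name is derived from the field name, and form clients and XML clients end up having to spell the same parameter differently. Pick one spelling, e.g. `private static final String ENABLE_SERVER_SIDE_KEYGEN = "enableServerSideKeyGen";`, or give the field an explicit `@XmlElement(name = "enableServerSideKeygen", defaultValue = "false")`. The other new names (authdbBaseDN, authdbHost, caUri, tksUri, kraUri) agree in both places.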
@@ -208,6 +219,30 @@ public class ConfigurationRequest {
@XmlElement(defaultValue = "true")
protected String generateServerCert;
+ @XmlElement
+ protected String authdbBaseDN;
+
+ @XmlElement
+ protected String authdbHost;
+
+ @XmlElement
+ protected String authdbPort;
+
+ @XmlElement(defaultValue="false")
+ protected String authdbSecureConn;
+
+ @XmlElement
+ protected String caUri;
+
+ @XmlElement
+ protected String tksUri;
+
+ @XmlElement
+ protected String kraUri;
+
+ @XmlElement(defaultValue="false")
+ protected String enableServerSideKeyGen;
+
public ConfigurationRequest() {
// required for JAXB
}
@@ -255,9 +290,16 @@ public class ConfigurationRequest {
importAdminCert = form.getFirst(IMPORT_ADMIN_CERT);
stepTwo = form.getFirst(STEP_TWO);
generateServerCert = form.getFirst(GENERATE_SERVER_CERT);
+ authdbBaseDN = form.getFirst(AUTHDB_BASEDN);
+ authdbHost = form.getFirst(AUTHDB_HOST);
+ authdbPort = form.getFirst(AUTHDB_PORT);
+ authdbSecureConn = form.getFirst(AUTHDB_SECURE_CONN);
+ caUri = form.getFirst(CA_URI);
+ tksUri = form.getFirst(TKS_URI);
+ kraUri = form.getFirst(KRA_URI);
+ enableServerSideKeyGen = form.getFirst(ENABLE_SERVER_SIDE_KEYGEN);
}
-
public String getSubsystemName() {
return subsystemName;
}
@@ -772,6 +814,70 @@ public class ConfigurationRequest {
this.generateServerCert = generateServerCert;
}
+ public String getAuthdbBaseDN() {
+ return authdbBaseDN;
+ }
+
+ public void setAuthdbBaseDN(String authdbBaseDN) {
+ this.authdbBaseDN = authdbBaseDN;
+ }
+
+ public String getAuthdbHost() {
+ return authdbHost;
+ }
+
+ public void setAuthdbHost(String authdbHost) {
+ this.authdbHost = authdbHost;
+ }
+
+ public String getAuthdbPort() {
+ return authdbPort;
+ }
+
+ public void setAuthdbPort(String authdbPort) {
+ this.authdbPort = authdbPort;
+ }
+
+ public String getAuthdbSecureConn() {
+ return authdbSecureConn;
+ }
+
+ public void setAuthdbSecureConn(String authdbSecureConn) {
+ this.authdbSecureConn = authdbSecureConn;
+ }
+
+ public String getCaUri() {
+ return caUri;
+ }
+
+ public void setCaUri(String caUri) {
+ this.caUri = caUri;
+ }
+
+ public String getTksUri() {
+ return tksUri;
+ }
+
+ public void setTksUri(String tksUri) {
+ this.tksUri = tksUri;
+ }
+
+ public String getKraUri() {
+ return kraUri;
+ }
+
+ public void setKraUri(String kraUri) {
+ this.kraUri = kraUri;
+ }
+
+ public String getEnableServerSideKeyGen() {
+ return enableServerSideKeyGen;
+ }
+
+ public void setEnableServerSideKeyGen(String enableServerSideKeyGen) {
+ this.enableServerSideKeyGen = enableServerSideKeyGen;
+ }
+
@Override
public String toString() {
return "ConfigurationRequest [pin=XXXX" +
@@ -815,6 +921,15 @@ public class ConfigurationRequest {
", adminCert=" + adminCert +
", importAdminCert=" + importAdminCert +
", generateServerCert=" + generateServerCert +
- ", stepTwo=" + stepTwo + "]";
+ ", stepTwo=" + stepTwo +
+ ", authdbBaseDN=" + authdbBaseDN +
+ ", authdbHost=" + authdbHost +
+ ", authdbPort=" + authdbPort +
+ ", authdbSecureConn=" + authdbSecureConn +
+ ", caUri=" + caUri +
+ ", kraUri=" + kraUri +
+ ", tksUri=" + tksUri +
+ ", enableServerSideKeyGen=" + enableServerSideKeyGen +
+ "]";
}
}
diff --git a/base/common/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java b/base/common/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java
index 893a95a89..1ca0476a6 100644
--- a/base/common/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java
+++ b/base/common/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java
@@ -29,6 +29,7 @@ import java.io.IOException;
import java.io.PrintStream;
import java.math.BigInteger;
import java.net.ConnectException;
+import java.net.URI;
import java.net.URISyntaxException;
import java.net.URLEncoder;
import java.security.DigestException;
@@ -3095,7 +3096,7 @@ public class ConfigurationUtils {
EBaseException {
IUGSubsystem system = (IUGSubsystem) (CMS.getSubsystem(IUGSubsystem.ID));
IConfigStore config = CMS.getConfigStore();
- String groupName = config.getString("preop.admin.group", "Certificate Manager Agents");
+ String groupNames = config.getString("preop.admin.group", "Certificate Manager Agents,Administrators");
IUser user = null;
@@ -3119,16 +3120,13 @@ public class ConfigurationUtils {
}
IGroup group = null;
-
- group = system.getGroupFromName(groupName);
- if (!group.isMember(uid)) {
- group.addMemberName(uid);
- system.modifyGroup(group);
- }
- group = system.getGroupFromName("Administrators");
- if (!group.isMember(uid)) {
- group.addMemberName(uid);
- system.modifyGroup(group);
+ for (String groupName : groupNames.split(",")) {
+ groupName = groupName.trim();
+ group = system.getGroupFromName(groupName);
+ if (!group.isMember(uid)) {
+ group.addMemberName(uid);
+ system.modifyGroup(group);
+ }
}
String select = config.getString("securitydomain.select", "");
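Review bot: `system.getGroupFromName(groupName)` is dereferenced on the next line with no null check, and the group list now comes from the `preop.admin.group` config value instead of a fixed name, so a misspelled entry or an empty token (`a,,b`) would presumably surface as a NullPointerException rather than a configuration error — depending on whether getGroupFromName returns null or throws, which is not visible here. Suggest skipping blank tokens and failing explicitly: `if (groupName.isEmpty()) continue;` before the lookup and `if (group == null) throw new EBaseException("Admin group not found: " + groupName);` after it. Note that the CS.cfg.in default in this same commit is written `Certificate Manager Agents, Administrators` (with a space) while the code default here has none; the trim() makes both work, but keeping the two strings identical avoids a future mismatch. The enclosing method's header is outside the hunk.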
@@ -3536,6 +3534,39 @@ public class ConfigurationUtils {
return null;
}
+ public static String getTransportCert(URI secdomainURI, URI kraUri)
+ throws IOException, SAXException, ParserConfigurationException {
+ CMS.debug("getTransportCert() start");
+ String sessionId = CMS.getConfigSDSessionId();
+
+ String content = "&xmlOutput=true" +
+ "&sessionID=" + sessionId +
+ "&auth_hostname=" + secdomainURI.getHost() +
+ "&auth_port=" + secdomainURI.getPort();
+
+ String c = getHttpResponse(
+ kraUri.getHost(),
+ kraUri.getPort(),
+ true,
+ "/kra/admin/kra/getTransportCert",
+ content, null, null);
+
+ if (c != null) {
+ ByteArrayInputStream bis =
+ new ByteArrayInputStream(c.getBytes());
+ XMLObject parser = new XMLObject(bis);
+ String status = parser.getValue("Status");
+ if (status.equals(SUCCESS)) {
+ String s = parser.getValue("TransportCert");
+ return s;
+ } else {
+ return null;
+ }
+ }
+ return null;
+ }
+
+
public static void importCACertToOCSP() throws IOException, EBaseException, CertificateEncodingException {
IConfigStore config = CMS.getConfigStore();
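Review bot: `getTransportCert` returns null both when no response arrives and when the KRA reports a non-success status, and the only caller added in this commit (SystemConfigService) passes the result straight to exportTransportCert, where `URLEncoder.encode(transportCert, "UTF-8")` would throw a NullPointerException instead of reporting the KRA's reason. The method already declares IOException, so fail there the way registerUser does: `if (c == null || c.isEmpty()) throw new IOException("The server " + kraUri + " is not available");` and, in the non-success branch, `throw new IOException(parser.getValue("Error"));`. `c.getBytes()` also decodes the response with the platform default charset; `c.getBytes("UTF-8")` matches the encoding the other new methods assume. `SUCCESS.equals(status)` would additionally survive a response with no `Status` element.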
@@ -3648,6 +3679,95 @@ public class ConfigurationUtils {
removeOldDBUsers(certs[0].getSubjectDN().toString());
}
+ public static void registerUser(URI secdomainURI, URI targetURI, String targetType) throws Exception {
+ IConfigStore cs = CMS.getConfigStore();
+ String csType = cs.getString("cs.type");
+ String uid = csType.toUpperCase() + "-" + cs.getString("machineName", "")
+ + "-" + cs.getString("service.securePort", "");
+ String sessionId = CMS.getConfigSDSessionId();
+ String subsystemName = cs.getString("preop.subsystem.name");
+
+ String content = "uid=" + uid +
+ "&xmlOutput=true" +
+ "&sessionID=" + sessionId +
+ "&auth_hostname=" + secdomainURI.getHost() +
+ "&auth_port=" + secdomainURI.getPort() +
+ "&certificate=" + URLEncoder.encode(getSubsystemCert(), "UTF-8") +
+ "&name=" + subsystemName;
+
+ String targetURL = "/" + targetType + "/admin/" + targetType + "/registerUser";
+
+ String response = getHttpResponse(
+ targetURI.getHost(),
+ targetURI.getPort(),
+ true,
+ targetURL,
+ content, null, null);
+
+ if (response == null || response.equals("")) {
+ CMS.debug("registerUser: response is empty or null.");
+ throw new IOException("The server " + targetURI + "is not available");
+ } else {
+ ByteArrayInputStream bis = new ByteArrayInputStream(response.getBytes());
+ XMLObject parser = new XMLObject(bis);
+
+ String status = parser.getValue("Status");
+ CMS.debug("registerUser: status=" + status);
+
+ if (status.equals(SUCCESS)) {
+ CMS.debug("registerUser: Successfully added user " + uid + "to " + targetURI);
+ } else if (status.equals(AUTH_FAILURE)) {
+ throw new EAuthException(AUTH_FAILURE);
+ } else {
+ String error = parser.getValue("Error");
+ throw new IOException(error);
+ }
+ }
+ }
+
+ public static void exportTransportCert(URI secdomainURI, URI targetURI, String transportCert) throws Exception {
+ IConfigStore cs = CMS.getConfigStore();
+ String name = "transportCert-" + cs.getString("machineName", "")
+ + "-" + cs.getString("service.securePort", "");
+ String sessionId = CMS.getConfigSDSessionId();
+
+ String content = "name=" + name +
+ "&xmlOutput=true" +
+ "&sessionID=" + sessionId +
+ "&auth_hostname=" + secdomainURI.getHost() +
+ "&auth_port=" + secdomainURI.getPort() +
+ "&certificate=" + URLEncoder.encode(transportCert, "UTF-8");
+
+ String targetURL = "/tks/admin/tks/importTransportCert";
+
+ String response = getHttpResponse(
+ targetURI.getHost(),
+ targetURI.getPort(),
+ true,
+ targetURL,
+ content, null, null);
+
+ if (response == null || response.equals("")) {
+ CMS.debug("exportTransportCert: response is empty or null.");
+ throw new IOException("The server " + targetURI + "is not available");
+ } else {
+ ByteArrayInputStream bis = new ByteArrayInputStream(response.getBytes());
+ XMLObject parser = new XMLObject(bis);
+
+ String status = parser.getValue("Status");
+ CMS.debug("exportTransportCert: status=" + status);
+
+ if (status.equals(SUCCESS)) {
+ CMS.debug("exportTransportCert: Successfully added transport cert to " + targetURI);
+ } else if (status.equals(AUTH_FAILURE)) {
+ throw new EAuthException(AUTH_FAILURE);
+ } else {
+ String error = parser.getValue("Error");
+ throw new IOException(error);
+ }
+ }
+ }
+
public static void removeOldDBUsers(String subjectDN) throws EBaseException, LDAPException {
IUGSubsystem system = (IUGSubsystem) (CMS.getSubsystem(IUGSubsystem.ID));
IConfigStore cs = CMS.getConfigStore();
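Review bot: In registerUser the `uid` and `subsystemName` values are concatenated into the form body unencoded (`"uid=" + uid`, `"&name=" + subsystemName`) while `certificate` is URL-encoded; `preop.subsystem.name` is operator-supplied and `uid` embeds machineName, so a value containing `&` or `=` would silently corrupt the request. Encode them the same way: `"uid=" + URLEncoder.encode(uid, "UTF-8")` and `"&name=" + URLEncoder.encode(subsystemName, "UTF-8")`. Both methods share the same missing space in `"The server " + targetURI + "is not available"` (and `uid + "to "` in the debug line), read the response with default-charset `response.getBytes()`, and would NPE on `status.equals(SUCCESS)` if the `Status` element is absent — `SUCCESS.equals(status)` avoids that. registerUser and exportTransportCert differ only in payload and URL; a private helper that posts the body and maps Status/Error to the exceptions would remove the duplicated response handling.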
diff --git a/base/common/src/com/netscape/cms/servlet/csadmin/SystemConfigService.java b/base/common/src/com/netscape/cms/servlet/csadmin/SystemConfigService.java
index 4304f5bf0..ce82c9348 100644
--- a/base/common/src/com/netscape/cms/servlet/csadmin/SystemConfigService.java
+++ b/base/common/src/com/netscape/cms/servlet/csadmin/SystemConfigService.java
@@ -19,6 +19,8 @@ package com.netscape.cms.servlet.csadmin;
import java.math.BigInteger;
import java.net.MalformedURLException;
+import java.net.URI;
+import java.net.URISyntaxException;
import java.net.URL;
import java.security.NoSuchAlgorithmException;
import java.util.Collection;
@@ -121,90 +123,13 @@ public class SystemConfigService extends PKIService implements SystemConfigResou
if (token == null) {
token = ConfigurationRequest.TOKEN_DEFAULT;
}
- cs.putString("preop.module.token", token);
-
- if (! token.equals(ConfigurationRequest.TOKEN_DEFAULT)) {
- try {
- CryptoManager cryptoManager = CryptoManager.getInstance();
- CryptoToken ctoken = cryptoManager.getTokenByName(token);
- String tokenpwd = data.getTokenPassword();
- ConfigurationUtils.loginToken(ctoken, tokenpwd);
- } catch (NotInitializedException e) {
- throw new PKIException("Token is not initialized");
- } catch (NoSuchTokenException e) {
- throw new BadRequestException("Invalid Token provided. No such token.");
- } catch (TokenException e) {
- e.printStackTrace();
- throw new PKIException("Token Exception" + e);
- } catch (IncorrectPasswordException e) {
- throw new BadRequestException("Incorrect Password provided for token.");
- }
- }
+ tokenPanel(data, token);
//configure security domain
String securityDomainType = data.getSecurityDomainType();
- String securityDomainName = data.getSecurityDomainName();
- String securityDomainURL = data.getSecurityDomainUri();
- String domainXML = null;
- if (securityDomainType.equals(ConfigurationRequest.NEW_DOMAIN)) {
- cs.putString("preop.securitydomain.select", "new");
- cs.putString("securitydomain.select", "new");
- cs.putString("preop.securitydomain.name", securityDomainName);
- cs.putString("securitydomain.name", securityDomainName);
- cs.putString("securitydomain.host", CMS.getEENonSSLHost());
- cs.putString("securitydomain.httpport", CMS.getEENonSSLPort());
- cs.putString("securitydomain.httpsagentport", CMS.getAgentPort());
- cs.putString("securitydomain.httpseeport", CMS.getEESSLPort());
- cs.putString("securitydomain.httpsadminport", CMS.getAdminPort());
- cs.putString("preop.cert.subsystem.type", "local");
- cs.putString("preop.cert.subsystem.profile", "subsystemCert.profile");
- } else {
- cs.putString("preop.securitydomain.select", "existing");
- cs.putString("securitydomain.select", "existing");
- cs.putString("preop.cert.subsystem.type", "remote");
- cs.putString("preop.cert.subsystem.profile", "caInternalAuthSubsystemCert");
-
- // contact and log onto security domain
- URL secdomainURL;
- String host;
- int port;
- try {
- secdomainURL = new URL(securityDomainURL);
- host = secdomainURL.getHost();
- port = secdomainURL.getPort();
- cs.putString("securitydomain.host", host);
- cs.putInteger("securitydomain.httpsadminport",port);
- ConfigurationUtils.importCertChain(host, port, "/ca/admin/ca/getCertChain", "securitydomain");
- } catch (Exception e) {
- e.printStackTrace();
- throw new PKIException("Failed to import certificate chain from security domain master: " + e);
- }
-
- // log onto security domain and get token
- String user = data.getSecurityDomainUser();
- String pass = data.getSecurityDomainPassword();
- String installToken;
- try {
- installToken = ConfigurationUtils.getInstallToken(host, port, user, pass);
- } catch (Exception e) {
- e.printStackTrace();
- throw new PKIException("Failed to obtain installation token from security domain: " + e);
- }
-
- if (installToken == null) {
- throw new PKIException("Failed to obtain installation token from security domain");
- }
- CMS.setConfigSDSessionId(installToken);
-
- try {
- domainXML = ConfigurationUtils.getDomainXML(host, port, true);
- ConfigurationUtils.getSecurityDomainPorts(domainXML, host, port);
- } catch (Exception e) {
- e.printStackTrace();
- throw new PKIException("Failed to obtain security domain decriptor from security domain master: " + e);
- }
- }
+ String domainXML = securityDomainPanel(data, securityDomainType);
+ //subsystem panel
cs.putString("preop.subsystem.name", data.getSubsystemName());
// is this a clone of another subsystem?
@@ -214,187 +139,46 @@ public class SystemConfigService extends PKIService implements SystemConfigResou
} else {
cs.putString("preop.subsystem.select", "clone");
cs.putString("subsystem.select", "Clone");
-
- StringTokenizer t = new StringTokenizer(certList, ",");
- while (t.hasMoreTokens()) {
- String tag = t.nextToken();
- if (tag.equals("sslserver")) {
- cs.putBoolean("preop.cert." + tag + ".enable", true);
- } else {
- cs.putBoolean("preop.cert." + tag + ".enable", false);
- }
- }
-
- String cloneUri = data.getCloneUri();
- URL url = null;
- try {
- url = new URL(cloneUri);
- } catch (MalformedURLException e) {
- // should not reach here as this check is done in validate()
- }
- String masterHost = url.getHost();
- int masterPort = url.getPort();
-
- // check and store cloneURI information
- boolean validCloneUri;
- try {
- validCloneUri = ConfigurationUtils.isValidCloneURI(domainXML, masterHost, masterPort);
- } catch (Exception e) {
- e.printStackTrace();
- throw new PKIException("Error in determining whether clone URI is valid");
- }
-
- if (!validCloneUri) {
- throw new BadRequestException(
- "Invalid clone URI provided. Does not match the available subsystems in the security domain");
- }
-
- if (csType.equals("CA")) {
- try {
- int masterAdminPort = ConfigurationUtils.getPortFromSecurityDomain(domainXML,
- masterHost, masterPort, "CA", "SecurePort", "SecureAdminPort");
- ConfigurationUtils.importCertChain(masterHost, masterAdminPort, "/ca/admin/ca/getCertChain",
- "clone");
- } catch (Exception e) {
- e.printStackTrace();
- throw new PKIException("Failed to import certificate chain from master" + e);
- }
- }
-
- try {
- ConfigurationUtils.getConfigEntriesFromMaster();
- } catch (Exception e) {
- e.printStackTrace();
- throw new PKIException("Failed to obtain configuration entries from the master for cloning " + e);
- }
-
- // restore certs from P12 file
- if (token.equals(ConfigurationRequest.TOKEN_DEFAULT)) {
- String p12File = data.getP12File();
- String p12Pass = data.getP12Password();
- try {
- ConfigurationUtils.restoreCertsFromP12(p12File, p12Pass);
- } catch (Exception e) {
- e.printStackTrace();
- throw new PKIException("Failed to restore certificates from p12 file" + e);
- }
- }
-
- boolean cloneReady = ConfigurationUtils.isCertdbCloned();
- if (!cloneReady) {
- CMS.debug("clone does not have all the certificates.");
- throw new PKIException("Clone does not have all the required certificates");
- }
+ getCloningData(data, certList, token, domainXML);
}
// Hierarchy Panel
- if (csType.equals("CA") && data.getIsClone().equals("false")) {
- if (data.getHierarchy().equals("root")) {
- cs.putString("preop.hierarchy.select", "root");
- cs.putString("hierarchy.select", "Root");
- cs.putString("preop.ca.type", "sdca");
- } else if (data.getHierarchy().equals("join")) {
- cs.putString("preop.cert.signing.type", "remote");
- cs.putString("preop.hierarchy.select", "join");
- cs.putString("hierarchy.select", "Subordinate");
- } else {
- throw new BadRequestException("Invalid hierarchy provided");
- }
- }
+ hierarchyPanel(data);
- // Database Panel
- cs.putString("internaldb.ldapconn.host", data.getDsHost());
- cs.putString("internaldb.ldapconn.port", data.getDsPort());
- cs.putString("internaldb.database", data.getDatabase());
- cs.putString("internaldb.basedn", data.getBaseDN());
- cs.putString("internaldb.ldapauth.bindDN", data.getBindDN());
- cs.putString("internaldb.ldapconn.secureConn", (data.getSecureConn().equals("on") ? "true" : "false"));
- cs.putString("preop.database.removeData", data.getRemoveData());
-
- try {
- cs.commit(false);
- } catch (EBaseException e2) {
- e2.printStackTrace();
- throw new PKIException("Unable to commit config parameters to file");
- }
+ // TPS Panels
+ if (csType.equals("TPS")) {
- if (data.getIsClone().equals("true")) {
- String masterhost = "";
- String masterport = "";
- String masterbasedn = "";
- String realhostname = "";
- try {
- masterhost = cs.getString("preop.internaldb.master.ldapconn.host", "");
- masterport = cs.getString("preop.internaldb.master.ldapconn.port", "");
- masterbasedn = cs.getString("preop.internaldb.master.basedn", "");
- realhostname = cs.getString("machineName", "");
- } catch (Exception e) {
- }
-
- if (masterhost.equals(realhostname) && masterport.equals(data.getDsPort())) {
- throw new BadRequestException("Master and clone must not share the same internal database");
- }
-
- if (!masterbasedn.equals(data.getBaseDN())) {
- throw new BadRequestException("Master and clone should have the same base DN");
- }
-
- String masterReplicationPort = data.getMasterReplicationPort();
- if ((masterReplicationPort != null) && (!masterReplicationPort.equals(""))) {
- cs.putString("internaldb.ldapconn.masterReplicationPort", masterReplicationPort);
- } else {
- cs.putString("internaldb.ldapconn.masterReplicationPort", masterport);
- }
-
- String cloneReplicationPort = data.getCloneReplicationPort();
- if ((cloneReplicationPort == null) || (cloneReplicationPort.length() == 0)) {
- cloneReplicationPort = data.getDsPort();
+ // get subsystem certificate nickname
+ String subsystemNick = null;
+ for (SystemCertData cdata: data.getSystemCerts()) {
+ if (cdata.getTag().equals("subsystem")) {
+ subsystemNick = cdata.getNickname();
+ break;
+ }
}
- cs.putString("internaldb.ldapconn.cloneReplicationPort", cloneReplicationPort);
-
- String replicationSecurity = data.getReplicationSecurity();
- if ((cloneReplicationPort == data.getDsPort()) && (data.getSecureConn().equals("on"))) {
- replicationSecurity = "SSL";
- } else if (replicationSecurity == null) {
- replicationSecurity = "None";
+ if ((subsystemNick == null) || subsystemNick.isEmpty()) {
+ throw new BadRequestException("No nickname provided for subsystem certificate");
}
- cs.putString("internaldb.ldapconn.replicationSecurity", replicationSecurity);
- cs.putString("preop.internaldb.replicateSchema", data.getReplicateSchema());
- }
-
- try {
- /* BZ 430745 create password for replication manager */
- String replicationpwd = Integer.toString(new Random().nextInt());
+ // CA Info Panel
+ caInfoPanel(data, subsystemNick);
- IConfigStore psStore = null;
- String passwordFile = null;
- passwordFile = cs.getString("passwordFile");
- psStore = CMS.createFileConfigStore(passwordFile);
- psStore.putString("internaldb", data.getBindpwd());
- psStore.putString("replicationdb", replicationpwd);
- psStore.commit(false);
+ // retrieve and import CA cert
- if (data.getStepTwo() == null) {
- ConfigurationUtils.populateDB();
+ // TKS Info Panel
+ tksInfoPanel(data, subsystemNick);
- cs.putString("preop.internaldb.replicationpwd", replicationpwd);
- cs.putString("preop.database.removeData", "false");
- cs.commit(false);
+ //DRM Info Panel
+ kraInfoPanel(data, subsystemNick);
- if (data.getIsClone().equals("true")) {
- CMS.debug("Start setting up replication.");
- ConfigurationUtils.setupReplication();
- }
+ //AuthDBPanel
+ authdbPanel(data);
- ConfigurationUtils.reInitSubsystem(csType);
- ConfigurationUtils.populateDBManager();
- ConfigurationUtils.populateVLVIndexes();
- }
- } catch (Exception e) {
- throw new PKIException("Error in populating database" + e);
}
+ // Database Panel
+ databasePanel(data);
+
// SizePanel, NamePanel, CertRequestPanel
//handle the CA URL
try {
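Review bot: The comment `// retrieve and import CA cert` in the new TPS section is followed by no code — the next statement is the TKS Info Panel call — so either a step was dropped during the refactor or the comment is stale, and as written it tells the next reader that the CA cert import happens here when nothing does. If the import is performed elsewhere (not visible in this hunk), replace it with a pointer such as `// CA cert import for TPS is done in <METHOD NAME> — keep in sync`, otherwise delete it. The loop over `data.getSystemCerts()` also dereferences `cdata.getTag()` with no null check; if the tag is mandatory for every entry, a one-line comment saying so would make that explicit. The enclosing configure method starts and ends outside this hunk.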
@@ -595,56 +379,7 @@ public class SystemConfigService extends PKIService implements SystemConfigResou
}
// AdminPanel
- if (!data.getIsClone().equals("true")) {
- try {
- X509CertImpl admincerts[] = new X509CertImpl[1];
- ConfigurationUtils.createAdmin(data.getAdminUID(), data.getAdminEmail(),
- data.getAdminName(), data.getAdminPassword());
- if (data.getImportAdminCert().equalsIgnoreCase("true")) {
- String b64 = CryptoUtil.stripCertBrackets(data.getAdminCert().trim());
- byte[] b = CryptoUtil.base64Decode(b64);
- admincerts[0] = new X509CertImpl(b);
- } else {
- if (csType.equals("CA")) {
- ConfigurationUtils.createAdminCertificate(data.getAdminCertRequest(),
- data.getAdminCertRequestType(), data.getAdminSubjectDN());
-
- String serialno = cs.getString("preop.admincert.serialno.0");
- ICertificateAuthority ca = (ICertificateAuthority) CMS.getSubsystem(ICertificateAuthority.ID);
- ICertificateRepository repo = ca.getCertificateRepository();
- admincerts[0] = repo.getX509Certificate(new BigInteger(serialno, 16));
- } else {
- String type = cs.getString("preop.ca.type", "");
- String ca_hostname = "";
- int ca_port = -1;
- if (type.equals("sdca")) {
- ca_hostname = cs.getString("preop.ca.hostname");
- ca_port = cs.getInteger("preop.ca.httpsport");
- } else {
- ca_hostname = cs.getString("securitydomain.host", "");
- ca_port = cs.getInteger("securitydomain.httpseeport");
- }
- String b64 = ConfigurationUtils.submitAdminCertRequest(ca_hostname, ca_port,
- data.getAdminProfileID(), data.getAdminCertRequestType(),
- data.getAdminCertRequest(), data.getAdminSubjectDN());
- b64 = CryptoUtil.stripCertBrackets(b64.trim());
- byte[] b = CryptoUtil.base64Decode(b64);
- admincerts[0] = new X509CertImpl(b);
- }
- }
- CMS.reinit(IUGSubsystem.ID);
-
- IUGSubsystem ug = (IUGSubsystem) CMS.getSubsystem(IUGSubsystem.ID);
- IUser user = ug.getUser(data.getAdminUID());
- user.setX509Certificates(admincerts);
- ug.addUserCert(user);
- response.setAdminCert(admincerts[0]);
-
- } catch (Exception e) {
- e.printStackTrace();
- throw new PKIException("Error in creating admin user: " + e);
- }
- }
+ adminPanel(data, response);
// Done Panel
// Create or update security domain
@@ -730,6 +465,32 @@ public class SystemConfigService extends PKIService implements SystemConfigResou
throw new PKIException("Errors in creating or updating dbuser: " + e);
}
+ if (csType.equals("TPS")) {
+ try {
+ URI secdomainURI = new URI(data.getSecurityDomainUri());
+
+ // register tps with ca
+ URI caURI = new URI(data.getCaUri());
+ ConfigurationUtils.registerUser(secdomainURI, caURI, "ca");
+
+ // register tps with tks
+ URI tksURI = new URI(data.getTksUri());
+ ConfigurationUtils.registerUser(secdomainURI, tksURI, "tks");
+
+ if (data.getEnableServerSideKeyGen().equalsIgnoreCase("true")) {
+ URI kraURI = new URI(data.getKraUri());
+ ConfigurationUtils.registerUser(secdomainURI, kraURI, "kra");
+ String transportCert = ConfigurationUtils.getTransportCert(secdomainURI, kraURI);
+ ConfigurationUtils.exportTransportCert(secdomainURI, tksURI, transportCert);
+ }
+ } catch (URISyntaxException e) {
+ throw new BadRequestException("Invalid URI for CA, TKS or KRA");
+ } catch (Exception e) {
+ e.printStackTrace();
+ throw new PKIException("Errors in registering TPS to CA, TKS or KRA" + e);
+ }
+ }
+
cs.putInteger("cs.state", 1);
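Review bot: `data.getEnableServerSideKeyGen().equalsIgnoreCase("true")` dereferences a value that is presumably null whenever the request arrived via the form path (`form.getFirst` yields null for an absent key, and the `@XmlElement(defaultValue="false")` applies at most to the XML path), so a TPS install that omits the flag fails with a NullPointerException wrapped as "Errors in registering TPS"; `"true".equalsIgnoreCase(data.getEnableServerSideKeyGen())` is null-safe. kraInfoPanel in the following hunk uses the same expression, and it also parses `data.getCaUri()` where the KRA URI is needed, so the `conn.drm1.hostport` written there would point at the CA while the registration here correctly uses `data.getKraUri()`. The `URISyntaxException` handler discards which of the three URIs was malformed — `e.getInput()` would name it — and `"Errors in registering TPS to CA, TKS or KRA" + e` needs a separating space.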
// update serial numbers for clones
@@ -753,6 +514,403 @@ public class SystemConfigService extends PKIService implements SystemConfigResou
return response;
}
+ private void authdbPanel(ConfigurationRequest data) {
+ cs.putString("auths.instance.ldap1.ldap.basedn", data.getAuthdbBaseDN());
+ cs.putString("auths.instance.ldap1.ldap.ldapconn.host", data.getAuthdbHost());
+ cs.putString("auths.instance.ldap1.ldap.ldapconn.port", data.getAuthdbPort());
+ cs.putString("auths.instance.ldap1.ldap.ldapconn.secureConn", data.getAuthdbSecureConn());
+ }
+
+ private void caInfoPanel(ConfigurationRequest data, String subsystemNick) {
+ URI caUri = null;
+ try {
+ caUri = new URI(data.getCaUri());
+ } catch (URISyntaxException e) {
+ throw new BadRequestException("Invalid caURI " + caUri);
+ }
+ cs.putString("preop.cainfo.select", data.getCaUri());
+ cs.putString("conn.ca1.clientNickname", subsystemNick);
+ cs.putString("conn.ca1.hostport", caUri.getHost() + ":" + caUri.getPort());
+ cs.putString("conn.ca1.hostagentport", caUri.getHost() + ":" + caUri.getPort());
+ cs.putString("conn.ca1.hostadminport", caUri.getHost() + ":" + caUri.getPort());
+ }
+
+ private void tksInfoPanel(ConfigurationRequest data, String subsystemNick) {
+ URI tksUri = null;
+ try {
+ tksUri = new URI(data.getTksUri());
+ } catch (URISyntaxException e) {
+ throw new BadRequestException("Invalid tksURI " + tksUri);
+ }
+ cs.putString("preop.tksinfo.select", data.getTksUri());
+ cs.putString("conn.tks1.clientNickname", subsystemNick);
+ cs.putString("conn.tks1.hostport", tksUri.getHost() + ":" + tksUri.getPort());
+ }
+
+ private void kraInfoPanel(ConfigurationRequest data, String subsystemNick) {
+ if (data.getEnableServerSideKeyGen().equalsIgnoreCase("true")) {
+ URI kraUri = null;
+ try {
+ kraUri = new URI(data.getCaUri());
+ } catch (URISyntaxException e) {
+ throw new BadRequestException("Invalid kraURI " + kraUri);
+ }
+ cs.putString("preop.krainfo.select", data.getKraUri());
+ cs.putString("conn.drm1.clientNickname", subsystemNick);
+ cs.putString("conn.drm1.hostport", kraUri.getHost() + ":" + kraUri.getPort());
+ cs.putString("conn.tks1.serverKeygen", "true");
+ cs.putString("op.enroll.userKey.keyGen.encryption.serverKeygen.enable", "true");
+ cs.putString("op.enroll.userKeyTemporary.keyGen.encryption.serverKeygen.enable", "true");
+ cs.putString("op.enroll.soKey.keyGen.encryption.serverKeygen.enable", "true");
+ cs.putString("op.enroll.soKeyTemporary.keyGen.encryption.serverKeygen.enable", "true");
+ } else {
+ // no keygen
+ cs.putString("conn.tks1.serverKeygen", "false");
+ cs.putString("op.enroll.userKey.keyGen.encryption.serverKeygen.enable", "false");
+ cs.putString("op.enroll.userKeyTemporary.keyGen.encryption.serverKeygen.enable", "false");
+ cs.putString("op.enroll.userKey.keyGen.encryption.recovery.destroyed.scheme", "GenerateNewKey");
+ cs.putString("op.enroll.userKeyTemporary.keyGen.encryption.recovery.onHold.scheme", "GenerateNewKey");
+ cs.putString("conn.drm1.clientNickname", "");
+ cs.putString("conn.drm1.hostport", "");
+ cs.putString("op.enroll.soKey.keyGen.encryption.serverKeygen.enable", "false");
+ cs.putString("op.enroll.soKeyTemporary.keyGen.encryption.serverKeygen.enable", "false");
+ cs.putString("op.enroll.soKey.keyGen.encryption.recovery.destroyed.scheme", "GenerateNewKey");
+ cs.putString("op.enroll.soKeyTemporary.keyGen.encryption.recovery.onHold.scheme", "GenerateNewKey");
+ }
+ }
+
+ private void adminPanel(ConfigurationRequest data, ConfigurationResponse response) {
+ if (!data.getIsClone().equals("true")) {
+ try {
+ X509CertImpl admincerts[] = new X509CertImpl[1];
+ ConfigurationUtils.createAdmin(data.getAdminUID(), data.getAdminEmail(),
+ data.getAdminName(), data.getAdminPassword());
+ if (data.getImportAdminCert().equalsIgnoreCase("true")) {
+ String b64 = CryptoUtil.stripCertBrackets(data.getAdminCert().trim());
+ byte[] b = CryptoUtil.base64Decode(b64);
+ admincerts[0] = new X509CertImpl(b);
+ } else {
+ if (csType.equals("CA")) {
+ ConfigurationUtils.createAdminCertificate(data.getAdminCertRequest(),
+ data.getAdminCertRequestType(), data.getAdminSubjectDN());
+
+ String serialno = cs.getString("preop.admincert.serialno.0");
+ ICertificateAuthority ca = (ICertificateAuthority) CMS.getSubsystem(ICertificateAuthority.ID);
+ ICertificateRepository repo = ca.getCertificateRepository();
+ admincerts[0] = repo.getX509Certificate(new BigInteger(serialno, 16));
+ } else {
+ String type = cs.getString("preop.ca.type", "");
+ String ca_hostname = "";
+ int ca_port = -1;
+ if (type.equals("sdca")) {
+ ca_hostname = cs.getString("preop.ca.hostname");
+ ca_port = cs.getInteger("preop.ca.httpsport");
+ } else {
+ ca_hostname = cs.getString("securitydomain.host", "");
+ ca_port = cs.getInteger("securitydomain.httpseeport");
+ }
+ String b64 = ConfigurationUtils.submitAdminCertRequest(ca_hostname, ca_port,
+ data.getAdminProfileID(), data.getAdminCertRequestType(),
+ data.getAdminCertRequest(), data.getAdminSubjectDN());
+ b64 = CryptoUtil.stripCertBrackets(b64.trim());
+ byte[] b = CryptoUtil.base64Decode(b64);
+ admincerts[0] = new X509CertImpl(b);
+ }
+ }
+ CMS.reinit(IUGSubsystem.ID);
+
+ IUGSubsystem ug = (IUGSubsystem) CMS.getSubsystem(IUGSubsystem.ID);
+ IUser user = ug.getUser(data.getAdminUID());
+ user.setX509Certificates(admincerts);
+ ug.addUserCert(user);
+ response.setAdminCert(admincerts[0]);
+
+ } catch (Exception e) {
+ e.printStackTrace();
+ throw new PKIException("Error in creating admin user: " + e);
+ }
+ }
+ }
+
+ private void databasePanel(ConfigurationRequest data) {
+ cs.putString("internaldb.ldapconn.host", data.getDsHost());
+ cs.putString("internaldb.ldapconn.port", data.getDsPort());
+ cs.putString("internaldb.database", data.getDatabase());
+ cs.putString("internaldb.basedn", data.getBaseDN());
+ cs.putString("internaldb.ldapauth.bindDN", data.getBindDN());
+ cs.putString("internaldb.ldapconn.secureConn", (data.getSecureConn().equals("on") ? "true" : "false"));
+ cs.putString("preop.database.removeData", data.getRemoveData());
+
+ if (csType.equals("TPS")) {
+ cs.putString("tokendb.activityBaseDN", "ou=Activities," + data.getBaseDN());
+ cs.putString("tokendb.baseDN", "ou=Tokens," + data.getBaseDN());
+ cs.putString("tokendb.certBaseDN", "ou=Certificates," + data.getBaseDN());
+ cs.putString("tokendb.userBaseDN", data.getBaseDN());
+ cs.putString("tokendb.hostport", data.getDsHost() + ":" + data.getDsPort());
+ }
+
+ try {
+ cs.commit(false);
+ } catch (EBaseException e2) {
+ e2.printStackTrace();
+ throw new PKIException("Unable to commit config parameters to file");
+ }
+
+ if (data.getIsClone().equals("true")) {
+ String masterhost = "";
+ String masterport = "";
+ String masterbasedn = "";
+ String realhostname = "";
+ try {
+ masterhost = cs.getString("preop.internaldb.master.ldapconn.host", "");
+ masterport = cs.getString("preop.internaldb.master.ldapconn.port", "");
+ masterbasedn = cs.getString("preop.internaldb.master.basedn", "");
+ realhostname = cs.getString("machineName", "");
+ } catch (Exception e) {
+ }
+
+ if (masterhost.equals(realhostname) && masterport.equals(data.getDsPort())) {
+ throw new BadRequestException("Master and clone must not share the same internal database");
+ }
+
+ if (!masterbasedn.equals(data.getBaseDN())) {
+ throw new BadRequestException("Master and clone should have the same base DN");
+ }
+
+ String masterReplicationPort = data.getMasterReplicationPort();
+ if ((masterReplicationPort != null) && (!masterReplicationPort.equals(""))) {
+ cs.putString("internaldb.ldapconn.masterReplicationPort", masterReplicationPort);
+ } else {
+ cs.putString("internaldb.ldapconn.masterReplicationPort", masterport);
+ }
+
+ String cloneReplicationPort = data.getCloneReplicationPort();
+ if ((cloneReplicationPort == null) || (cloneReplicationPort.length() == 0)) {
+ cloneReplicationPort = data.getDsPort();
+ }
+ cs.putString("internaldb.ldapconn.cloneReplicationPort", cloneReplicationPort);
+
+ String replicationSecurity = data.getReplicationSecurity();
+ if ((cloneReplicationPort == data.getDsPort()) && (data.getSecureConn().equals("on"))) {
+ replicationSecurity = "SSL";
+ } else if (replicationSecurity == null) {
+ replicationSecurity = "None";
+ }
+ cs.putString("internaldb.ldapconn.replicationSecurity", replicationSecurity);
+
+ cs.putString("preop.internaldb.replicateSchema", data.getReplicateSchema());
+ }
+
+ try {
+ /* BZ 430745 create password for replication manager */
+ String replicationpwd = Integer.toString(new Random().nextInt());
+
+ IConfigStore psStore = null;
+ String passwordFile = null;
+ passwordFile = cs.getString("passwordFile");
+ psStore = CMS.createFileConfigStore(passwordFile);
+ psStore.putString("internaldb", data.getBindpwd());
+ psStore.putString("replicationdb", replicationpwd);
+ psStore.commit(false);
+
+ if (data.getStepTwo() == null) {
+ ConfigurationUtils.populateDB();
+
+ cs.putString("preop.internaldb.replicationpwd", replicationpwd);
+ cs.putString("preop.database.removeData", "false");
+ cs.commit(false);
+
+ if (data.getIsClone().equals("true")) {
+ CMS.debug("Start setting up replication.");
+ ConfigurationUtils.setupReplication();
+ }
+
+ ConfigurationUtils.reInitSubsystem(csType);
+ ConfigurationUtils.populateDBManager();
+ ConfigurationUtils.populateVLVIndexes();
+ }
+ } catch (Exception e) {
+ throw new PKIException("Error in populating database" + e);
+ }
+ }
+
+ private void hierarchyPanel(ConfigurationRequest data) {
+ if (csType.equals("CA") && data.getIsClone().equals("false")) {
+ if (data.getHierarchy().equals("root")) {
+ cs.putString("preop.hierarchy.select", "root");
+ cs.putString("hierarchy.select", "Root");
+ cs.putString("preop.ca.type", "sdca");
+ } else if (data.getHierarchy().equals("join")) {
+ cs.putString("preop.cert.signing.type", "remote");
+ cs.putString("preop.hierarchy.select", "join");
+ cs.putString("hierarchy.select", "Subordinate");
+ } else {
+ throw new BadRequestException("Invalid hierarchy provided");
+ }
+ }
+ }
+
+ private void getCloningData(ConfigurationRequest data, String certList, String token, String domainXML) {
+ StringTokenizer t = new StringTokenizer(certList, ",");
+ while (t.hasMoreTokens()) {
+ String tag = t.nextToken();
+ if (tag.equals("sslserver")) {
+ cs.putBoolean("preop.cert." + tag + ".enable", true);
+ } else {
+ cs.putBoolean("preop.cert." + tag + ".enable", false);
+ }
+ }
+
+ String cloneUri = data.getCloneUri();
+ URL url = null;
+ try {
+ url = new URL(cloneUri);
+ } catch (MalformedURLException e) {
+ // should not reach here as this check is done in validate()
+ }
+ String masterHost = url.getHost();
+ int masterPort = url.getPort();
+
+ // check and store cloneURI information
+ boolean validCloneUri;
+ try {
+ validCloneUri = ConfigurationUtils.isValidCloneURI(domainXML, masterHost, masterPort);
+ } catch (Exception e) {
+ e.printStackTrace();
+ throw new PKIException("Error in determining whether clone URI is valid");
+ }
+
+ if (!validCloneUri) {
+ throw new BadRequestException(
+ "Invalid clone URI provided. Does not match the available subsystems in the security domain");
+ }
+
+ if (csType.equals("CA")) {
+ try {
+ int masterAdminPort = ConfigurationUtils.getPortFromSecurityDomain(domainXML,
+ masterHost, masterPort, "CA", "SecurePort", "SecureAdminPort");
+ ConfigurationUtils.importCertChain(masterHost, masterAdminPort, "/ca/admin/ca/getCertChain",
+ "clone");
+ } catch (Exception e) {
+ e.printStackTrace();
+ throw new PKIException("Failed to import certificate chain from master" + e);
+ }
+ }
+
+ try {
+ ConfigurationUtils.getConfigEntriesFromMaster();
+ } catch (Exception e) {
+ e.printStackTrace();
+ throw new PKIException("Failed to obtain configuration entries from the master for cloning " + e);
+ }
+
+ // restore certs from P12 file
+ if (token.equals(ConfigurationRequest.TOKEN_DEFAULT)) {
+ String p12File = data.getP12File();
+ String p12Pass = data.getP12Password();
+ try {
+ ConfigurationUtils.restoreCertsFromP12(p12File, p12Pass);
+ } catch (Exception e) {
+ e.printStackTrace();
+ throw new PKIException("Failed to restore certificates from p12 file" + e);
+ }
+ }
+
+ boolean cloneReady = ConfigurationUtils.isCertdbCloned();
+ if (!cloneReady) {
+ CMS.debug("clone does not have all the certificates.");
+ throw new PKIException("Clone does not have all the required certificates");
+ }
+ }
+
+ private String securityDomainPanel(ConfigurationRequest data, String securityDomainType) {
+ String domainXML = null;
+ String securityDomainName = data.getSecurityDomainName();
+ String securityDomainURL = data.getSecurityDomainUri();
+
+ if (securityDomainType.equals(ConfigurationRequest.NEW_DOMAIN)) {
+ cs.putString("preop.securitydomain.select", "new");
+ cs.putString("securitydomain.select", "new");
+ cs.putString("preop.securitydomain.name", securityDomainName);
+ cs.putString("securitydomain.name", securityDomainName);
+ cs.putString("securitydomain.host", CMS.getEENonSSLHost());
+ cs.putString("securitydomain.httpport", CMS.getEENonSSLPort());
+ cs.putString("securitydomain.httpsagentport", CMS.getAgentPort());
+ cs.putString("securitydomain.httpseeport", CMS.getEESSLPort());
+ cs.putString("securitydomain.httpsadminport", CMS.getAdminPort());
+ cs.putString("preop.cert.subsystem.type", "local");
+ cs.putString("preop.cert.subsystem.profile", "subsystemCert.profile");
+ } else {
+ cs.putString("preop.securitydomain.select", "existing");
+ cs.putString("securitydomain.select", "existing");
+ cs.putString("preop.cert.subsystem.type", "remote");
+ cs.putString("preop.cert.subsystem.profile", "caInternalAuthSubsystemCert");
+
+ // contact and log onto security domain
+ URL secdomainURL;
+ String host;
+ int port;
+ try {
+ secdomainURL = new URL(securityDomainURL);
+ host = secdomainURL.getHost();
+ port = secdomainURL.getPort();
+ cs.putString("securitydomain.host", host);
+ cs.putInteger("securitydomain.httpsadminport",port);
+ ConfigurationUtils.importCertChain(host, port, "/ca/admin/ca/getCertChain", "securitydomain");
+ } catch (Exception e) {
+ e.printStackTrace();
+ throw new PKIException("Failed to import certificate chain from security domain master: " + e);
+ }
+
+ // log onto security domain and get token
+ String user = data.getSecurityDomainUser();
+ String pass = data.getSecurityDomainPassword();
+ String installToken;
+ try {
+ installToken = ConfigurationUtils.getInstallToken(host, port, user, pass);
+ } catch (Exception e) {
+ e.printStackTrace();
+ throw new PKIException("Failed to obtain installation token from security domain: " + e);
+ }
+
+ if (installToken == null) {
+ throw new PKIException("Failed to obtain installation token from security domain");
+ }
+ CMS.setConfigSDSessionId(installToken);
+
+ try {
+ domainXML = ConfigurationUtils.getDomainXML(host, port, true);
+ ConfigurationUtils.getSecurityDomainPorts(domainXML, host, port);
+ } catch (Exception e) {
+ e.printStackTrace();
+ throw new PKIException("Failed to obtain security domain decriptor from security domain master: " + e);
+ }
+ }
+ return domainXML;
+ }
+
+ private void tokenPanel(ConfigurationRequest data, String token) {
+ cs.putString("preop.module.token", token);
+
+ if (! token.equals(ConfigurationRequest.TOKEN_DEFAULT)) {
+ try {
+ CryptoManager cryptoManager = CryptoManager.getInstance();
+ CryptoToken ctoken = cryptoManager.getTokenByName(token);
+ String tokenpwd = data.getTokenPassword();
+ ConfigurationUtils.loginToken(ctoken, tokenpwd);
+ } catch (NotInitializedException e) {
+ throw new PKIException("Token is not initialized");
+ } catch (NoSuchTokenException e) {
+ throw new BadRequestException("Invalid Token provided. No such token.");
+ } catch (TokenException e) {
+ e.printStackTrace();
+ throw new PKIException("Token Exception" + e);
+ } catch (IncorrectPasswordException e) {
+ throw new BadRequestException("Incorrect Password provided for token.");
+ }
+ }
+ }
+
private void validateData(ConfigurationRequest data) {
// get required info from CS.cfg
String preopPin;
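Review bot: kraInfoPanel parses the wrong field: `kraUri = new URI(data.getCaUri());` should be `kraUri = new URI(data.getKraUri());`, otherwise `conn.drm1.hostport` is set to the CA's host:port while `preop.krainfo.select` records the KRA URI. The BadRequestException messages in caInfoPanel, tksInfoPanel and kraInfoPanel print the still-null URI local (`"Invalid caURI " + caUri`); they should echo the offending input, e.g. `"Invalid caURI " + data.getCaUri()`. In databasePanel the replication manager password is `Integer.toString(new Random().nextInt())`, a non-cryptographic generator yielding at most 32 bits; a credential written to the password file should come from `SecureRandom`, for instance a hex-encoded byte array. The same method compares strings by reference in `cloneReplicationPort == data.getDsPort()`, which only holds in the branch that just assigned it; use `.equals`.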
@@ -946,5 +1104,60 @@ public class SystemConfigService extends PKIService implements SystemConfigResou
if (data.getGenerateServerCert() == null) {
data.setGenerateServerCert("true");
}
+
+ if (csType.equals("TPS")) {
+ if ((data.getCaUri() == null) || data.getCaUri().isEmpty()) {
+ throw new BadRequestException("CA URI not provided");
+ }
+ try {
+ @SuppressWarnings("unused")
+ URI ca_uri = new URI(data.getCaUri());
+ } catch (URISyntaxException e) {
+ throw new BadRequestException("Invalid CA URI");
+ }
+
+ if ((data.getTksUri() == null) || data.getTksUri().isEmpty()) {
+ throw new BadRequestException("TKS URI not provided");
+ }
+ try {
+ @SuppressWarnings("unused")
+ URI tks_uri = new URI(data.getTksUri());
+ } catch (URISyntaxException e) {
+ throw new BadRequestException("Invalid TKS URI");
+ }
+
+ if (data.getEnableServerSideKeyGen().equalsIgnoreCase("true")) {
+ if ((data.getKraUri() == null) || data.getKraUri().isEmpty()) {
+ throw new BadRequestException("KRA URI required if server-side key generation requested");
+ }
+ try {
+ @SuppressWarnings("unused")
+ URI kra_uri = new URI(data.getKraUri());
+ } catch (URISyntaxException e) {
+ throw new BadRequestException("Invalid KRA URI");
+ }
+ }
+
+ if ((data.getAuthdbBaseDN()==null) || data.getAuthdbBaseDN().isEmpty()) {
+ throw new BadRequestException("Authentication Database baseDN not provided");
+ }
+ if ((data.getAuthdbHost()==null) || data.getAuthdbHost().isEmpty()) {
+ throw new BadRequestException("Authentication Database hostname not provided");
+ }
+ if ((data.getAuthdbPort()==null) || data.getAuthdbPort().isEmpty()) {
+ throw new BadRequestException("Authentication Database port not provided");
+ }
+ if ((data.getAuthdbSecureConn()==null) || data.getAuthdbSecureConn().isEmpty()) {
+ throw new BadRequestException("Authentication Database secure conn not provided");
+ }
+
+ try {
+ Integer.parseInt(data.getAuthdbPort()); // check for errors
+ } catch (NumberFormatException e) {
+ throw new BadRequestException("Authdb port is invalid");
+ }
+
+ // TODO check connection with authdb
+ }
}
}
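Review bot: The TPS checks only verify that each URI parses; `new URI(...)` accepts strings without a scheme, host or port (a constructed example: `ca.example`), so such a value passes validation and caInfoPanel later writes `null:-1` into `conn.ca1.hostport`. Keep the parsed URI instead of discarding it and reject it when `uri.getHost() == null || uri.getPort() == -1`, for the CA, TKS and KRA entries alike. `data.getEnableServerSideKeyGen()` is also dereferenced here without the null guard the neighbouring fields get. validateData begins outside this hunk.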
diff --git a/base/kra/shared/conf/CS.cfg.in b/base/kra/shared/conf/CS.cfg.in
index 48d285d6a..98d8757a6 100644
--- a/base/kra/shared/conf/CS.cfg.in
+++ b/base/kra/shared/conf/CS.cfg.in
@@ -40,7 +40,7 @@ service.non_clientauth_securePort=[PKI_EE_SECURE_PORT]
service.unsecurePort=[PKI_UNSECURE_PORT]
service.instanceID=[PKI_INSTANCE_NAME]
preop.admin.name=Data Recovery Manager Administrator
-preop.admin.group=Data Recovery Manager Agents
+preop.admin.group=Data Recovery Manager Agents, Administrators
preop.admincert.profile=caAdminCert
preop.pin=[PKI_RANDOM_NUMBER]
kra.cert.list=transport,storage,sslserver,subsystem,audit_signing
diff --git a/base/ocsp/shared/conf/CS.cfg.in b/base/ocsp/shared/conf/CS.cfg.in
index 25e4c9e9e..223e715c5 100644
--- a/base/ocsp/shared/conf/CS.cfg.in
+++ b/base/ocsp/shared/conf/CS.cfg.in
@@ -20,7 +20,7 @@ cs.type=OCSP
admin.interface.uri=ocsp/admin/console/config/wizard
agent.interface.uri=ocsp/agent/ocsp
preop.admin.name=Online Certificate Status Manager Administrator
-preop.admin.group=Online Certificate Status Manager Agents
+preop.admin.group=Online Certificate Status Manager Agents, Administrators
preop.admincert.profile=caAdminCert
preop.securitydomain.admin_url=https://[PKI_HOSTNAME]:9445
preop.wizard.name=OCSP Setup Wizard
diff --git a/base/server/config/pkislots.cfg b/base/server/config/pkislots.cfg
index 8c5212320..6e13a8971 100644
--- a/base/server/config/pkislots.cfg
+++ b/base/server/config/pkislots.cfg
@@ -26,7 +26,6 @@ SERVER_ROOT_SLOT=[SERVER_ROOT]
SYSTEM_LIBRARIES_SLOT=[SYSTEM_LIBRARIES]
SYSTEM_USER_LIBRARIES_SLOT=[SYSTEM_USER_LIBRARIES]
TMP_DIR_SLOT=[TMP_DIR]
-TPS_DIR_SLOT=[TPS_DIR]
[Tomcat]
application_version=[APPLICATION_VERSION]
INSTALL_TIME_SLOT=[INSTALL_TIME]
@@ -85,6 +84,9 @@ PKI_UNSECURE_PORT_SERVER_COMMENT_SLOT=[PKI_UNSECURE_PORT_SERVER_COMMENT]
PKI_USER_SLOT=[PKI_USER]
PKI_WEB_SERVER_TYPE_SLOT=[PKI_WEB_SERVER_TYPE]
PKI_WEBAPPS_NAME_SLOT=[PKI_WEBAPPS_NAME]
+TOKENDB_HOST_SLOT=[TOKENDB_HOST]
+TOKENDB_PORT_SLOT={TOKENDB_PORT]
+TOKENDB_ROOT_SLOT=[TOKENDB_ROOT]
TOMCAT_CFG_SLOT=[TOMCAT_CFG]
TOMCAT_INSTANCE_COMMON_LIB_SLOT=[TOMCAT_INSTANCE_COMMON_LIB]
TOMCAT_LOG_DIR_SLOT=[TOMCAT_LOG_DIR]
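Review bot: `TOKENDB_PORT_SLOT={TOKENDB_PORT]` opens with `{` where every other slot uses `[`; if the slot value is the literal token substituted into the templates, the `[TOKENDB_PORT]` placeholder would never be replaced and the token DB port would be left unset. The line should read `TOKENDB_PORT_SLOT=[TOKENDB_PORT]`.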
@@ -94,3 +96,4 @@ TOMCAT_SSL2_CIPHERS_SLOT=[TOMCAT_SSL2_CIPHERS]
TOMCAT_SSL3_CIPHERS_SLOT=[TOMCAT_SSL3_CIPHERS]
TOMCAT_SSL_OPTIONS_SLOT=[TOMCAT_SSL_OPTIONS]
TOMCAT_TLS_CIPHERS_SLOT=[TOMCAT_TLS_CIPHERS]
+TPS_DIR_SLOT=[TPS_DIR]
diff --git a/base/server/etc/default.cfg b/base/server/etc/default.cfg
index b67b6670e..facdf5f38 100644
--- a/base/server/etc/default.cfg
+++ b/base/server/etc/default.cfg
@@ -138,6 +138,7 @@ pki_source_setup_path=/usr/share/pki/setup
pki_source_server_path=/usr/share/pki/server/conf
pki_source_cs_cfg=/usr/share/pki/%(pki_subsystem_type)s/conf/CS.cfg
pki_source_registry=/usr/share/pki/setup/pkidaemon_registry
+pki_source_subsystem_path=/usr/share/pki/%(pki_subsystem_type)s
pki_path=%(pki_root_prefix)s/var/lib/pki
pki_log_path=%(pki_root_prefix)s/var/log/pki
pki_configuration_path=%(pki_root_prefix)s/etc/pki
@@ -541,6 +542,13 @@ pki_ds_hostname=%(pki_hostname)s
pki_subsystem_name=TPS %(pki_hostname)s %(pki_https_port)s
pki_subsystem_nickname=subsystemCert cert-%(pki_instance_name)s TPS
pki_subsystem_subject_dn=cn=TPS Subsystem Certificate,o=%(pki_security_domain_name)s
+pki_authdb_hostname=%(pki_hostname)s
+pki_authdb_port=389
+pki_authdb_secure_conn=False
+pki_ca_uri=https://%(pki_hostname)s:%(pki_https_port)s
+pki_kra_uri=https://%(pki_hostname)s:%(pki_https_port)s
+pki_tks_uri=https://%(pki_hostname)s:%(pki_https_port)s
+pki_enable_server_side_keygen=False
# Paths
# These are used in the processing of pkispawn and are not supposed
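Review bot: `set_tps_parameters` in pkihelper.py (this commit) reads `pki_authdb_basedn`, but this hunk adds defaults only for `pki_authdb_hostname`, `pki_authdb_port` and `pki_authdb_secure_conn`; unless the key is defined elsewhere in default.cfg, a deployment that does not set it in its own config will fail with a KeyError rather than a clear message. Either add a default here or have the parser report the missing key explicitly. Note also that the shipped default `pki_authdb_secure_conn=False` together with port 389 means the credentials the TPS authentication plugin sends to this directory travel over plaintext LDAP unless the operator overrides both values; a comment on these lines pointing to the LDAPS port and `True` would help.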
diff --git a/base/server/python/pki/server/deployment/pkihelper.py b/base/server/python/pki/server/deployment/pkihelper.py
index 6d47a902b..fc57e3332 100644
--- a/base/server/python/pki/server/deployment/pkihelper.py
+++ b/base/server/python/pki/server/deployment/pkihelper.py
@@ -3248,6 +3248,10 @@ class ConfigClient:
# Create system certs
self.set_system_certs(data)
+ # TPS parameters
+ if self.master_dict['pki_subsystem'] == "TPS":
+ self.set_tps_parameters(data)
+
return data
def set_system_certs(self, data):
@@ -3461,6 +3465,17 @@ class ConfigClient:
# External CA Step 2
data.stepTwo = "true"
+ def set_tps_parameters(self, data):
+ data.caUri = self.master_dict['pki_ca_uri']
+ data.tksUri = self.master_dict['pki_tks_uri']
+ data.enableServerSideKeyGen = self.master_dict['pki_enable_server_side_keygen']
+ if config.str2bool(self.master_dict['pki_enable_server_side_keygen']):
+ data.kraUri = self.master_dict['pki_kra_uri']
+ data.authdbHost = self.master_dict['pki_authdb_hostname']
+ data.authdbPort = self.master_dict['pki_authdb_port']
+ data.authdbBaseDN = self.master_dict['pki_authdb_basedn']
+ data.authdbSecureConn = self.master_dict['pki_authdb_secure_conn']
+
def create_system_cert(self, tag):
cert = pki.system.SystemCertData()
cert.tag = self.master_dict["pki_%s_tag" % tag]
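Review bot: `data.enableServerSideKeyGen` is forwarded as the raw config string while the decision on this side uses `config.str2bool`; the Java side (SystemConfigService in this commit) compares with `equalsIgnoreCase("true")`, so any spelling that `str2bool` accepts other than `true`/`false` would presumably be treated as enabled locally but disabled by the server. Normalizing once avoids the divergence: `data.enableServerSideKeyGen = str(config.str2bool(self.master_dict['pki_enable_server_side_keygen'])).lower()`. The same applies to `data.authdbSecureConn`, which ends up in `auths.instance.ldap1.ldap.ldapconn.secureConn`.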
diff --git a/base/server/python/pki/server/deployment/pkiparser.py b/base/server/python/pki/server/deployment/pkiparser.py
index be502bc01..8f03e5f2d 100644
--- a/base/server/python/pki/server/deployment/pkiparser.py
+++ b/base/server/python/pki/server/deployment/pkiparser.py
@@ -634,7 +634,6 @@ class PKIConfigParser:
self.pki_master_dict['SYSTEM_LIBRARIES_SLOT'] = None
self.pki_master_dict['SYSTEM_USER_LIBRARIES_SLOT'] = None
self.pki_master_dict['TMP_DIR_SLOT'] = None
- self.pki_master_dict['TPS_DIR_SLOT'] = None
elif self.pki_master_dict['pki_subsystem'] in\
config.PKI_TOMCAT_SUBSYSTEMS:
self.pki_master_dict['INSTALL_TIME_SLOT'] = \
@@ -826,6 +825,24 @@ class PKIConfigParser:
"+TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA," + \
"+TLS_DHE_RSA_WITH_AES_128_CBC_SHA," + \
"+TLS_DHE_RSA_WITH_AES_256_CBC_SHA"
+
+ # tps parameters
+ self.pki_master_dict['TOKENDB_HOST_SLOT'] = \
+ self.pki_master_dict['pki_ds_hostname']
+
+ if config.str2bool(self.pki_master_dict['pki_ds_secure_connection']):
+ self.pki_master_dict['TOKENDB_PORT_SLOT'] = \
+ self.pki_master_dict['pki_ds_ldaps_port']
+ else:
+ self.pki_master_dict['TOKENDB_PORT_SLOT'] = \
+ self.pki_master_dict['pki_ds_ldap_port']
+
+ self.pki_master_dict['TOKENDB_ROOT_SLOT'] = \
+ self.pki_master_dict['pki_ds_base_dn']
+
+ self.pki_master_dict['TPS_DIR_SLOT'] = \
+ self.pki_master_dict['pki_source_subsystem_path']
+
if self.pki_master_dict['pki_subsystem'] == "CA":
self.pki_master_dict['PKI_ENABLE_RANDOM_SERIAL_NUMBERS'] = \
self.pki_master_dict\
diff --git a/base/tks/shared/conf/CS.cfg.in b/base/tks/shared/conf/CS.cfg.in
index 4fbf21e68..79aa07ffa 100644
--- a/base/tks/shared/conf/CS.cfg.in
+++ b/base/tks/shared/conf/CS.cfg.in
@@ -19,7 +19,7 @@ installDate=[INSTALL_TIME]
cs.type=TKS
admin.interface.uri=tks/admin/console/config/wizard
preop.admin.name=Token Key Service Manager Administrator
-preop.admin.group=Token Key Service Manager Agents
+preop.admin.group=Token Key Service Manager Agents, Administrators
preop.admincert.profile=caAdminCert
preop.securitydomain.admin_url=https://[PKI_HOSTNAME]:9445
preop.wizard.name=TKS Setup Wizard
diff --git a/base/tps/shared/conf/CS.cfg.in b/base/tps/shared/conf/CS.cfg.in
index e972bcb9d..2ea111de9 100644
--- a/base/tps/shared/conf/CS.cfg.in
+++ b/base/tps/shared/conf/CS.cfg.in
@@ -1,184 +1,98 @@
_000=##
_001=## Token Processing System (TPS) Configuration File
_002=##
-pidDir=[PKI_PIDDIR]
-pkicreate.pki_instance_root=[PKI_INSTANCE_ROOT]
-pkicreate.pki_instance_name=[PKI_INSTANCE_NAME]
-pkicreate.subsystem_type=[PKI_SUBSYSTEM_TYPE]
-pkicreate.secure_port=[PKI_SECURE_PORT]
-pkicreate.non_clientauth_secure_port=[NON_CLIENTAUTH_SECURE_PORT]
-pkicreate.unsecure_port=[PKI_UNSECURE_PORT]
-pkicreate.user=[PKI_USER]
-pkicreate.group=[PKI_GROUP]
-pkiremove.cert.subsystem.nickname=subsystemCert cert-[PKI_INSTANCE_NAME]
-cs.type=TPS
-selftests._000=##
-selftests._001=## Self Tests
-selftests._002=##
-selftests._003=## The Self-Test plugin TPSSystemCertsVerification uses the
-selftests._004=## following parameters (where certusage is optional):
-selftests._005=## tps.cert.list = <list of cert tag names deliminated by ",">
-selftests._006=## tps.cert.<cert tag name>.nickname
-selftests._007=## tps.cert.<cert tag name>.certusage
-selftests._008=##
-selftests.container.logger.enable=true
-selftests.container.logger.expirationTime=0
-selftests.container.logger.file.type=RollingLogFile
-selftests.container.logger.fileName=[PKI_INSTANCE_PATH]/logs/selftests.log
-selftests.container.logger.level=10
-selftests.container.logger.maxFileSize=2000
-selftests.container.logger.rolloverInterval=2592000
-selftests.container.order.startup=TPSPresence:critical, TPSSystemCertsVerification:critical
-selftests.container.order.onDemand=TPSPresence:critical, TPSValidity:critical, TPSSystemCertsVerification:critical
-selftests.plugin.TPSPresence.nickname=[HSM_LABEL][NICKNAME]
-selftests.plugin.TPSValidity.nickname=[HSM_LABEL][NICKNAME]
-cs.state=0
+accessEvaluator.impl.group.class=com.netscape.cms.evaluators.GroupAccessEvaluator
+accessEvaluator.impl.ipaddress.class=com.netscape.cms.evaluators.IPAddressAccessEvaluator
+accessEvaluator.impl.user.class=com.netscape.cms.evaluators.UserAccessEvaluator
+applet._000=#########################################
+applet._001=# applet information
+applet._002=# SAF Key:
+applet._003=# applet.aid.cardmgr_instance=A0000001510000
+applet._004=#########################################
+applet.aid.cardmgr_instance=A0000000030000
+applet.aid.netkey_file=627601FF0000
+applet.aid.netkey_instance=627601FF000000
+applet.aid.netkey_old_file=A000000001
+applet.aid.netkey_old_instance=A00000000101
+applet.delete_old=true
+applet.so_pin=000000000000
+auths._000=##
+auths._001=## new authentication
+auths._002=##
+auths.impl._000=##
+auths.impl._001=## authentication manager implementations
+auths.impl._002=##
+auths.impl.AgentCertAuth.class=com.netscape.cms.authentication.AgentCertAuthentication
+auths.impl.CMCAuth.class=com.netscape.cms.authentication.CMCAuth
+auths.impl.NISAuth.class=com.netscape.cms.authentication.NISAuth
+auths.impl.PortalEnroll.class=com.netscape.cms.authentication.PortalEnroll
+auths.impl.SSLclientCertAuth.class=com.netscape.cms.authentication.SSLclientCertAuthentication
+auths.impl.TokenAuth.class=com.netscape.cms.authentication.TokenAuthentication
+auths.impl.UdnPwdDirAuth.class=com.netscape.cms.authentication.UdnPwdDirAuthentication
+auths.impl.UidPwdDirAuth.class=com.netscape.cms.authentication.UidPwdDirAuthentication
+auths.impl.UidPwdPinDirAuth.class=com.netscape.cms.authentication.UidPwdPinDirAuthentication
+auths.instance.AgentCertAuth.agentGroup=Certificate Manager Agents
+auths.instance.AgentCertAuth.pluginName=AgentCertAuth
+auths.instance.TokenAuth.pluginName=TokenAuth
+auths.instance.ldap1.dnpattern=
+auths.instance.ldap1.ldapByteAttributes=
+auths.instance.ldap1.ldapStringAttributes=mail,cn,uid
+auths.instance.ldap1.ldap.basedn=[LDAP_ROOT]
+auths.instance.ldap1.ldap.maxConns=15
+auths.instance.ldap1.ldap.minConns=3
+auths.instance.ldap1.ldap.ldapauth.authtype=BasicAuth
+auths.instance.ldap1.ldap.ldapauth.bindDN=
+auths.instance.ldap1.ldap.ldapauth.bindPWPrompt=ldap1
+auths.instance.ldap1.ldap.ldapauth.clientCertNickname=
+auths.instance.ldap1.ldap.ldapconn.host=[LDAP_HOST]
+auths.instance.ldap1.ldap.ldapconn.port=[LDAP_PORT]
+auths.instance.ldap1.ldap.ldapconn.secureConn=false
+auths.instance.ldap1.ldap.ldapconn.version=3
+auths.instance.ldap1.pluginName=UidPwdDirAuth
+auths.instance.SSLclientCertAuth.pluginName=SSLclientCertAuth
+auths.revocationChecking.bufferSize=50
authType=pwd
-instanceRoot=[PKI_INSTANCE_PATH]
+authz._000=##
+authz._001=## new authorizatioin
+authz._002=##
+authz.evaluateOrder=deny,allow
+authz.impl._000=##
+authz.impl._001=## authorization manager implementations
+authz.impl._002=##
+authz.impl.BasicAclAuthz.class=com.netscape.cms.authorization.BasicAclAuthz
+authz.impl.DirAclAuthz.class=com.netscape.cms.authorization.DirAclAuthz
+authz.instance.BasicAclAuthz.pluginName=BasicAclAuthz
+authz.instance.DirAclAuthz.ldap._000=##
+authz.instance.DirAclAuthz.ldap._001=## Internal Database
+authz.instance.DirAclAuthz.ldap._002=##
+authz.instance.DirAclAuthz.ldap=internaldb
+authz.instance.DirAclAuthz.pluginName=DirAclAuthz
+authz.sourceType=ldap
+channel._000=#########################################
+channel._001=# channel.encryption:
+channel._002=#
+channel._003=# - enable encryption for all operation commands to token
+channel._004=# - default is true
+channel._005=# channel.blocksize=242
+channel._006=# channel.defKeyVersion=0
+channel._007=# channel.defKeyIndex=0
+channel._008=#
+channel._009=# Config the size of memory managed memory in the applet
+channel._010=# Default is 5000, try not go get close to the instanceSize
+channel._011=# which defaults to 18000:
+channel._012=#
+channel._013=# * channel.instanceSize=18000
+channel._014=# * channel.appletMemorySize=5000
+channel._015=#########################################
+channel.encryption=true
+channel.blocksize=248
+channel.defKeyVersion=0
+channel.defKeyIndex=0
+cms.product.version=@APPLICATION_VERSION@
+cms.version=@APPLICATION_VERSION_MAJOR@.@APPLICATION_VERSION_MINOR@
+config.Generals.General.state=Enabled
+config.Generals.General.timestamp=1280283607424406
configurationRoot=/[PKI_SUBSYSTEM_TYPE]/conf/
-machineName=[PKI_HOSTNAME]
-instanceId=[PKI_INSTANCE_NAME]
-service.machineName=[PKI_HOSTNAME]
-service.instanceDir=[PKI_INSTANCE_PATH]
-service.securePort=[PKI_SECURE_PORT]
-service.non_clientauth_securePort=[NON_CLIENTAUTH_SECURE_PORT]
-service.unsecurePort=[PKI_UNSECURE_PORT]
-service.instanceID=[PKI_INSTANCE_NAME]
-logging._000=#########################################
-logging._001=# RA configuration File
-logging._002=#
-logging._003=# All <...> must be replaced with
-logging._004=# appropriate values.
-logging._005=#########################################
-logging._006=########################################
-logging._007=# logging
-logging._008=#
-logging._009=# logging.debug.enable:
-logging._010=# logging.audit.enable:
-logging._011=# logging.error.enable:
-logging._012=# - enable or disable the corresponding logging
-logging._013=# logging.debug.filename:
-logging._014=# logging.audit.filename:
-logging._015=# logging.error.filename:
-logging._016=# - name of the log file
-logging._017=# logging.debug.level:
-logging._018=# logging.audit.level:
-logging._019=# logging.error.level:
-logging._020=# - level of logging. (0-10)
-logging._021=# 0 - no logging,
-logging._022=# 4 - LL_PER_SERVER these messages will occur only once
-logging._023=# during the entire invocation of the
-logging._024=# server, e. g. at startup or shutdown
-logging._025=# time., reading the conf parameters.
-logging._026=# Perhaps other infrequent events
-logging._027=# relating to failing over of CA, TKS,
-logging._028=# too
-logging._029=# 6 - LL_PER_CONNECTION these messages happen once per
-logging._030=# connection - most of the log events
-logging._031=# will be at this level
-logging._032=# 8 - LL_PER_PDU these messages relate to PDU
-logging._033=# processing. If you have something that
-logging._034=# is done for every PDU, such as
-logging._035=# applying the MAC, it should be logged
-logging._036=# at this level
-logging._037=# 9 - LL_ALL_DATA_IN_PDU dump all the data in the PDU - a more
-logging._038=# chatty version of the above
-logging._039=# 10 - all logging
-logging._040=# logging.audit.buffer.size: # in bytes
-logging._041=# logging.audit.flush.interval: # in seconds, 0 disables flush thread
-logging._042=# logging.*.file.type:
-logging._043=# - file type: RollingLogFile or LogFile
-logging._044=# logging.*.rolloverInterval:
-logging._045=# - interval to roll over logs (seconds), 0 to disable rollover
-logging._046=# logging.*.maxFileSize:
-logging._047=# - size at which file rollover occurs, in kB
-logging._048=# logging.*.expirationTime:
-logging._049=# - maximum age of log, older unmodified logs are deleted( in seconds, 0 to disable)
-logging._050=#########################################
-logging.debug.enable=true
-logging.debug.filename=[PKI_INSTANCE_PATH]/logs/tps-debug.log
-logging.debug.level=10
-logging.debug.file.type=RollingLogFile
-logging.debug.maxFileSize=2000
-logging.debug.rolloverInterval=2592000
-logging.debug.expirationTime=0
-logging.audit.enable=true
-logging.audit.filename=[PKI_INSTANCE_PATH]/logs/tps-audit.log
-logging.audit.signedAuditFilename=[PKI_INSTANCE_PATH]/logs/signedAudit/tps_audit
-logging.audit.level=10
-logging.audit.logSigning=false
-logging.audit.signedAuditCertNickname=auditSigningCert cert-[PKI_INSTANCE_NAME]
-logging.audit.selected.events=AUTHZ_SUCCESS,AUTHZ_FAIL,AUTH_FAIL,AUTH_SUCCESS,ROLE_ASSUME,ENROLLMENT,PIN_RESET,FORMAT,CONFIG,CONFIG_ROLE,CONFIG_TOKEN,CONFIG_PROFILE,CONFIG_AUDIT,APPLET_UPGRADE,KEY_CHANGEOVER,RENEWAL,CIMC_CERT_VERIFICATION
-logging.audit.selectable.events=AUTHZ_SUCCESS,AUTHZ_FAIL,AUTH_FAIL,AUTH_SUCCESS,ROLE_ASSUME,ENROLLMENT,PIN_RESET,FORMAT,CONFIG,CONFIG_ROLE,CONFIG_TOKEN,CONFIG_PROFILE,CONFIG_AUDIT,APPLET_UPGRADE,KEY_CHANGEOVER,RENEWAL,CIMC_CERT_VERIFICATION
-logging.audit.nonselectable.events=AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,LOGGING_SIGNED_AUDIT_SIGNING
-logging.audit.buffer.size=512
-logging.audit.flush.interval=5
-logging.audit.file.type=RollingLogFile
-logging.audit.maxFileSize=2000
-logging.audit.rolloverInterval=2592000
-logging.audit.expirationTime=0
-logging.error.enable=true
-logging.error.filename=[PKI_INSTANCE_PATH]/logs/tps-error.log
-logging.error.level=10
-logging.error.file.type=RollingLogFile
-logging.error.maxFileSize=2000
-logging.error.rolloverInterval=2592000
-logging.error.expirationTime=0
-log._000=##
-log._001=## Logging
-log._002=##
-log.impl.file.class=com.netscape.cms.logging.RollingLogFile
-log.instance.SignedAudit._000=##
-log.instance.SignedAudit._001=## Signed Audit Logging
-log.instance.SignedAudit._002=##
-log.instance.SignedAudit._003=##
-log.instance.SignedAudit._004=## Available Audit events:
-log.instance.SignedAudit._005=## AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,LOG_EXPIRATION_CHANGE,PRIVATE_KEY_ARCHIVE_REQUEST,PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,KEY_RECOVERY_REQUEST,KEY_RECOVERY_REQUEST_ASYNC,KEY_RECOVERY_AGENT_LOGIN,KEY_RECOVERY_REQUEST_PROCESSED,KEY_RECOVERY_REQUEST_PROCESSED_ASYNC,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ_SUCCESS,AUTHZ_FAIL,INTER_BOUNDARY,AUTH_FAIL,AUTH_SUCCESS,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_ADD_CA_REQUEST,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST,OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS,OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION
-log.instance.SignedAudit._006=##
-log.instance.SignedAudit.bufferSize=512
-log.instance.SignedAudit.enable=true
-log.instance.SignedAudit.events=AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,PRIVATE_KEY_ARCHIVE_REQUEST,PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,KEY_RECOVERY_REQUEST,KEY_RECOVERY_REQUEST_ASYNC,KEY_RECOVERY_AGENT_LOGIN,KEY_RECOVERY_REQUEST_PROCESSED,KEY_RECOVERY_REQUEST_PROCESSED_ASYNC,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ_SUCCESS,AUTHZ_FAIL,INTER_BOUNDARY,AUTH_FAIL,AUTH_SUCCESS,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_ADD_CA_REQUEST,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST,OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS,OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION
-log.instance.SignedAudit.expirationTime=0
-log.instance.SignedAudit.fileName=[PKI_INSTANCE_PATH]/logs/[PKI_SUBSYSTEM_TYPE]/signedAudit/tps_cert-tps_audit
-log.instance.SignedAudit.flushInterval=5
-log.instance.SignedAudit.level=1
-log.instance.SignedAudit.logSigning=false
-log.instance.SignedAudit.maxFileSize=2000
-log.instance.SignedAudit.pluginName=file
-log.instance.SignedAudit.rolloverInterval=2592000
-log.instance.SignedAudit.signedAudit:_000=##
-log.instance.SignedAudit.signedAudit:_001=## Fill in the nickname of a trusted signing certificate to allow TPS audit logs to be signed
-log.instance.SignedAudit.signedAudit:_002=##
-log.instance.SignedAudit.signedAuditCertNickname=auditSigningCert cert-[PKI_INSTANCE_NAME]
-log.instance.SignedAudit.type=signedAudit
-log.instance.System._000=##
-log.instance.System._001=## System Logging
-log.instance.System._002=##
-log.instance.System.bufferSize=512
-log.instance.System.enable=true
-log.instance.System.expirationTime=0
-log.instance.System.fileName=[PKI_INSTANCE_PATH]/logs/[PKI_SUBSYSTEM_TYPE]/system
-log.instance.System.flushInterval=5
-log.instance.System.level=3
-log.instance.System.maxFileSize=2000
-log.instance.System.pluginName=file
-log.instance.System.rolloverInterval=2592000
-log.instance.System.type=system
-log.instance.Transactions._000=##
-log.instance.Transactions._001=## Transaction Logging
-log.instance.Transactions._002=##
-log.instance.Transactions.bufferSize=512
-log.instance.Transactions.enable=true
-log.instance.Transactions.expirationTime=0
-log.instance.Transactions.fileName=[PKI_INSTANCE_PATH]/logs/[PKI_SUBSYSTEM_TYPE]/transactions
-log.instance.Transactions.flushInterval=5
-log.instance.Transactions.level=1
-log.instance.Transactions.maxFileSize=2000
-log.instance.Transactions.pluginName=file
-log.instance.Transactions.rolloverInterval=2592000
-log.instance.Transactions.type=transaction
-logAudit.fileName=[PKI_INSTANCE_PATH]/logs/[PKI_SUBSYSTEM_TYPE]/access
-logError.fileName=[PKI_INSTANCE_PATH]/logs/[PKI_SUBSYSTEM_TYPE]/error
conn.ca1._000=#########################################
conn.ca1._001=# CA connection
conn.ca1._002=#
@@ -210,17 +124,51 @@ conn.ca1._027=#
conn.ca1._028=# where
conn.ca1._029=# <n> - CA connection ID
conn.ca1._030=#########################################
-failover.pod.enable=false
-conn.ca1.hostport=[PKI_CA_HOSTNAME]:[PKI_CA_PORT]
conn.ca1.clientNickname=[HSM_LABEL][NICKNAME]
+conn.ca1.hostport=[PKI_CA_HOSTNAME]:[PKI_CA_PORT]
+conn.ca1.keepAlive=true
+conn.ca1.retryConnect=3
conn.ca1.servlet.enrollment=/ca/ee/ca/profileSubmitSSLClient
conn.ca1.servlet.renewal=/ca/ee/ca/profileSubmitSSLClient
conn.ca1.servlet.revoke=/ca/ee/subsystem/ca/doRevoke
conn.ca1.servlet.unrevoke=/ca/ee/subsystem/ca/doUnrevoke
-conn.ca1.retryConnect=3
-conn.ca1.timeout=100
conn.ca1.SSLOn=true
-conn.ca1.keepAlive=true
+conn.ca1.timeout=100
+conn.drm1._000=#########################################
+conn.drm1._001=# DRM connection
+conn.drm1._002=#
+conn.drm1._003=#conn.drm.totalConns
+conn.drm1._004=# - # of DRM connections
+conn.drm1._005=#conn.drm<n>.hostport
+conn.drm1._006=# - host name and port number of your DRM, the format is host:port
+conn.drm1._007=#conn.drm<n>.clientNickname
+conn.drm1._008=# - nickname of the client certificate for
+conn.drm1._009=# authentication
+conn.drm1._010=#conn.drm<n>.servlet.GenerateKeyPair
+conn.drm1._011=# - servlet to generate key pairs and archive keys on DRM
+conn.drm1._012=# - must be '/kra/GenerateKeyPair'
+conn.drm1._013=#conn.drm<n>.servlet.TokenKeyRecovery=/kra/TokenKeyRecovery
+conn.drm1._014=# - servlet to handle key recovery
+conn.drm1._015=# - must be '/kra/TokenKeyRecovery'
+conn.drm1._016=#conn.drm<n>.retryConnect=3
+conn.drm1._017=# - number of reconnection attempts on failure
+conn.drm1._018=#conn.drm<n>.SSLOn=true
+conn.drm1._019=# - enable SSL or not
+conn.drm1._020=#conn.drm<n>.keepAlive=false
+conn.drm1._021=# - enable keep alive or not
+conn.drm1._022=#
+conn.drm1._023=# where
+conn.drm1._024=# <n> - DRM connection ID
+conn.drm1._025=#########################################
+conn.drm1.clientNickname=[HSM_LABEL][NICKNAME]
+conn.drm1.hostport=[DRM_HOST]:[DRM_PORT]
+conn.drm1.keepAlive=false
+conn.drm1.retryConnect=3
+conn.drm1.servlet.GenerateKeyPair=/kra/agent/kra/GenerateKeyPair
+conn.drm1.servlet.TokenKeyRecovery=/kra/agent/kra/TokenKeyRecovery
+conn.drm1.SSLOn=true
+conn.drm1.timeout=100
+conn.drm.totalConns=1
conn.tks1._000=#########################################
conn.tks1._001=# TKS connection
conn.tks1._002=#
@@ -250,191 +198,22 @@ conn.tks1._025=# <n> - TKS connection ID
conn.tks1._026=# conn.tks<n>.tksSharedSymKeyName:
conn.tks1._027=# - set shared secret key name
conn.tks1._028=#########################################
-conn.tks1.hostport=[TKS_HOST]:[TKS_PORT]
conn.tks1.clientNickname=[HSM_LABEL][NICKNAME]
-conn.tks1.servlet.computeSessionKey=/tks/agent/tks/computeSessionKey
-conn.tks1.servlet.encryptData=/tks/agent/tks/encryptData
-conn.tks1.servlet.createKeySetData=/tks/agent/tks/createKeySetData
-conn.tks1.servlet.computeRandomData=/tks/agent/tks/computeRandomData
-conn.tks1.retryConnect=3
-conn.tks1.timeout=100
conn.tks1.generateHostChallenge=true
-conn.tks1.SSLOn=true
+conn.tks1.hostport=[TKS_HOST]:[TKS_PORT]
conn.tks1.keepAlive=false
conn.tks1.keySet=defKeySet
+conn.tks1.retryConnect=3
conn.tks1.serverKeygen=[SERVER_KEYGEN]
+conn.tks1.servlet.computeRandomData=/tks/agent/tks/computeRandomData
+conn.tks1.servlet.computeSessionKey=/tks/agent/tks/computeSessionKey
+conn.tks1.servlet.createKeySetData=/tks/agent/tks/createKeySetData
+conn.tks1.servlet.encryptData=/tks/agent/tks/encryptData
+conn.tks1.SSLOn=true
+conn.tks1.timeout=100
conn.tks1.tksSharedSymKeyName=sharedSecret
-conn.drm1._000=#########################################
-conn.drm1._001=# DRM connection
-conn.drm1._002=#
-conn.drm1._003=#conn.drm.totalConns
-conn.drm1._004=# - # of DRM connections
-conn.drm1._005=#conn.drm<n>.hostport
-conn.drm1._006=# - host name and port number of your DRM, the format is host:port
-conn.drm1._007=#conn.drm<n>.clientNickname
-conn.drm1._008=# - nickname of the client certificate for
-conn.drm1._009=# authentication
-conn.drm1._010=#conn.drm<n>.servlet.GenerateKeyPair
-conn.drm1._011=# - servlet to generate key pairs and archive keys on DRM
-conn.drm1._012=# - must be '/kra/GenerateKeyPair'
-conn.drm1._013=#conn.drm<n>.servlet.TokenKeyRecovery=/kra/TokenKeyRecovery
-conn.drm1._014=# - servlet to handle key recovery
-conn.drm1._015=# - must be '/kra/TokenKeyRecovery'
-conn.drm1._016=#conn.drm<n>.retryConnect=3
-conn.drm1._017=# - number of reconnection attempts on failure
-conn.drm1._018=#conn.drm<n>.SSLOn=true
-conn.drm1._019=# - enable SSL or not
-conn.drm1._020=#conn.drm<n>.keepAlive=false
-conn.drm1._021=# - enable keep alive or not
-conn.drm1._022=#
-conn.drm1._023=# where
-conn.drm1._024=# <n> - DRM connection ID
-conn.drm1._025=#########################################
-conn.drm.totalConns=1
-conn.drm1.hostport=[DRM_HOST]:[DRM_PORT]
-conn.drm1.clientNickname=[HSM_LABEL][NICKNAME]
-conn.drm1.servlet.GenerateKeyPair=/kra/agent/kra/GenerateKeyPair
-conn.drm1.servlet.TokenKeyRecovery=/kra/agent/kra/TokenKeyRecovery
-conn.drm1.retryConnect=3
-conn.drm1.timeout=100
-conn.drm1.SSLOn=true
-conn.drm1.keepAlive=false
-auth.instance._000=########################################
-auth.instance._001=# publishing
-auth.instance._002=#
-auth.instance._003=# publisher.instance.<n>.libraryName:
-auth.instance._004=# - name of the library specified with a fully qualified path name
-auth.instance._005=# publisher.instance.<n>.libraryFactory:
-auth.instance._006=# - the name of the function which instantiates the publisher
-auth.instance._007=# publisher.instance.<n>.publisherId:
-auth.instance._008=# - the publisher ID
-auth.instance._009=#
-auth.instance._010=# where
-auth.instance._011=# <n> - publisher connection ID
-auth.instance._012=########################################
-auth.instance._013=#########################################
-auth.instance._014=# authentication
-auth.instance._015=#
-auth.instance._016=# auth.instance.<n>.libraryName:
-auth.instance._017=# - name of the library specified with a fully qualified path name
-auth.instance._018=# auth.instance.<n>.libraryFactory:
-auth.instance._019=# - the name of the function which instantiates the authentication
-auth.instance._020=# auth.instance.<n>.authId
-auth.instance._021=# - the authentication ID
-auth.instance._022=# auth.instance.<n>.hostport
-auth.instance._023=# - parameter specific to the given authentication,
-auth.instance._024=# i. e., LDAPAuthentication (id=ldap1)
-auth.instance._025=# - host name and port number, host:port
-auth.instance._026=# - for failover, provide multiple host:port designations
-auth.instance._027=# separated by " "
-auth.instance._028=# auth.instance.<n>.SSLOn:
-auth.instance._029=# - parameter specific to the given authentication,
-auth.instance._030=# i. e., LDAPAuthentication (id=ldap1)
-auth.instance._031=# - use SSL or not for LDAP service
-auth.instance._032=# auth.instance.<n>.retries:
-auth.instance._033=# - parameter specific to the given authentication,
-auth.instance._034=# i. e., LDAPAuthentication (id=ldap1)
-auth.instance._035=# - number of authentication re-attempts when authentication failed
-auth.instance._036=# auth.instance.<n>.retryConnect:
-auth.instance._037=# - parameter specific to the given authentication,
-auth.instance._038=# i. e., LDAPAuthentication (id=ldap1)
-auth.instance._039=# - number of connection re-attempts when connection failed
-auth.instance._040=#
-auth.instance._041=# where
-auth.instance._042=# <n> - authentication connection ID
-auth.instance._043=#########################################
-auth.instance.0.type=LDAP_Authentication
-auth.instance.0.libraryName=[SYSTEM_USER_LIBRARIES]/tps/[LIB_PREFIX]ldapauth[OBJ_EXT]
-auth.instance.0.libraryFactory=GetAuthentication
-auth.instance.0.authId=ldap1
-auth.instance.0.hostport=[LDAP_HOST]:[LDAP_PORT]
-auth.instance.0.SSLOn=false
-auth.instance.0.retries=1
-auth.instance.0.retryConnect=3
-auth.instance.0.baseDN=[LDAP_ROOT]
-auth.instance.0.ssl=false
-auth.instance.0.attributes._001=##############################################
-auth.instance.0.attributes._002=# attributes will be available
-auth.instance.0.attributes._003=# as $auth.<attribute>$
-auth.instance.0.attributes._004=##############################################
-auth.instance.0.attributes=mail,cn,uid
-auth.instance.0.ui.title.en=LDAP Authentication
-auth.instance.0.ui.description.en=This authenticates user against the LDAP directory.
-auth.instance.0.ui.id.UID.name.en=LDAP User ID
-auth.instance.0.ui.id.PASSWORD.name.en=LDAP Password
-auth.instance.0.ui.id.UID.description.en=LDAP User ID
-auth.instance.0.ui.id.PASSWORD.description.en=LDAP Password
-auth.instance.1.type=LDAP_Authentication
-auth.instance.1.libraryName=[SYSTEM_USER_LIBRARIES]/tps/[LIB_PREFIX]ldapauth[OBJ_EXT]
-auth.instance.1.libraryFactory=GetAuthentication
-auth.instance.1.authId=ldap2
-auth.instance.1.bindDN=cn=Directory Manager
-auth.instance.1.bindPWD=[PKI_INSTANCE_PATH]/conf/password.conf
-auth.instance.1.hostport=[TOKENDB_HOST]:[TOKENDB_PORT]
-auth.instance.1.SSLOn=false
-auth.instance.1.retries=1
-auth.instance.1.retryConnect=3
-auth.instance.1.baseDN=[TOKENDB_ROOT]
-auth.instance.1.ssl=false
-auth.instance.1.attributes._001=##############################################
-auth.instance.1.attributes._002=# attributes will be available
-auth.instance.1.attributes._003=# as $auth.<attribute>$
-auth.instance.1.attributes._004=##############################################
-auth.instance.1.attributes=mail,cn,uid
-auth.instance.1.ui.title.en=LDAP Authentication
-auth.instance.1.ui.description.en=This authenticates user against the LDAP directory.
-auth.instance.1.ui.id.UID.name.en=LDAP User ID
-auth.instance.1.ui.id.PASSWORD.name.en=LDAP Password
-auth.instance.1.ui.id.UID.description.en=LDAP User ID
-auth.instance.1.ui.id.PASSWORD.description.en=LDAP Password
-applet._000=#########################################
-applet._001=# applet information
-applet._002=# SAF Key:
-applet._003=# applet.aid.cardmgr_instance=A0000001510000
-applet._004=#########################################
-applet.aid.cardmgr_instance=A0000000030000
-applet.aid.netkey_instance=627601FF000000
-applet.aid.netkey_file=627601FF0000
-applet.aid.netkey_old_instance=A00000000101
-applet.aid.netkey_old_file=A000000001
-applet.so_pin=000000000000
-applet.delete_old=true
-general.verifyProof=1
-general.applet_ext=ijc
-general.search.sizelimit.max=2000
-general.search.sizelimit.default=100
-general.search.timelimit.max=10
-general.search.timelimit.default=10
-general.pwlength.min=16
-channel._000=#########################################
-channel._001=# channel.encryption:
-channel._002=#
-channel._003=# - enable encryption for all operation commands to token
-channel._004=# - default is true
-channel._005=# channel.blocksize=242
-channel._006=# channel.defKeyVersion=0
-channel._007=# channel.defKeyIndex=0
-channel._008=#########################################
-channel.encryption=true
-channel.blocksize=248
-channel.defKeyVersion=0
-channel.defKeyIndex=0
-# NOTE: Since the following comments will be 'scrubbed' from any TPS
-# instance's configuration file, they will ONLY be viewable in
-# the '/usr/share/pki/tps/conf/CS.cfg' TPS subsystem template!
-#
-# Config the size of memory managed memory in the applet
-# Default is 5000, try not go get close to the instanceSize
-# which defaults to 18000:
-#
-# * channel.instanceSize=18000
-# * channel.appletMemorySize=5000
-#
-preop.pin=[PKI_RANDOM_NUMBER]
-cms.product.version=@APPLICATION_VERSION@
-preop.admin.name=Token Processing Service Manager Administrator
-preop.admin.group=Token Processing Service Manager Agents
-preop.admincert.profile=caAdminCert
+cs.state=0
+cs.type=TPS
dbs.ldap=internaldb
dbs.newSchemaEntryAdded=true
debug.append=true
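Review bot: The DRM connection comments on the new side disagree with the values they document: `conn.drm1._012` states the servlet "must be '/kra/GenerateKeyPair'" and `conn.drm1._013`/`_015` give `/kra/TokenKeyRecovery`, while the configured values a few lines below are `conn.drm1.servlet.GenerateKeyPair=/kra/agent/kra/GenerateKeyPair` and `conn.drm1.servlet.TokenKeyRecovery=/kra/agent/kra/TokenKeyRecovery`. An operator who edits the connection by following the comment would point the TPS at a different path than the one the template actually ships, so the three comment lines should be aligned with the values: `conn.drm1._012=# - must be '/kra/agent/kra/GenerateKeyPair'`, `conn.drm1._013=#conn.drm<n>.servlet.TokenKeyRecovery=/kra/agent/kra/TokenKeyRecovery`, `conn.drm1._015=# - must be '/kra/agent/kra/TokenKeyRecovery'`. The block is moved rather than authored here (the removed copy further down in this hunk carries the same text), so the mismatch predates the commit, but this relocation is the natural place to fix it.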
@@ -443,11 +222,20 @@ debug.filename=[PKI_INSTANCE_PATH]/logs/[PKI_SUBSYSTEM_TYPE]/debug
debug.hashkeytypes=
debug.level=0
debug.showcaller=false
+failover.pod.enable=false
+general.applet_ext=ijc
+general.pwlength.min=16
+general.search.sizelimit.default=100
+general.search.sizelimit.max=2000
+general.search.timelimit.default=10
+general.search.timelimit.max=10
+general.verifyProof=1
+installDate=[INSTALL_TIME]
+instanceId=[PKI_INSTANCE_NAME]
+instanceRoot=[PKI_INSTANCE_PATH]
internaldb._000=##
internaldb._001=## Internal Database
internaldb._002=##
-internaldb.maxConns=15
-internaldb.minConns=3
internaldb.ldapauth.authtype=BasicAuth
internaldb.ldapauth.bindDN=cn=Directory Manager
internaldb.ldapauth.bindPWPrompt=Internal LDAP Database
@@ -455,101 +243,86 @@ internaldb.ldapauth.clientCertNickname=
internaldb.ldapconn.host=
internaldb.ldapconn.port=
internaldb.ldapconn.secureConn=false
-preop.internaldb.schema.ldif=/usr/share/pki/tps/conf/schema.ldif
-preop.internaldb.ldif=/usr/share/pki/tps/conf/database.ldif
-preop.internaldb.data_ldif=/usr/share/pki/tps/conf/db.ldif,/usr/share/pki/tps/conf/acl.ldif
-preop.internaldb.index_ldif=/usr/share/pki/tps/conf/index.ldif
-preop.internaldb.manager_ldif=/usr/share/pki/ca/conf/manager.ldif
-preop.internaldb.post_ldif=
-preop.internaldb.wait_dn=
-preop.cert._000=#########################################
-preop.cert._001=# Installation configuration "preop" certs parameters
-preop.cert._002=#########################################
-preop.cert.list=sslserver,subsystem,audit_signing
-tps.cert.audit_signing.certusage=ObjectSigner
-tps.cert.sslserver.certusage=SSLServer
-tps.cert.subsystem.certusage=SSLClient
-preop.cert.sslserver.enable=true
-preop.cert.subsystem.enable=true
-preop.cert.audit_signing.enable=false
-preop.cert.sslserver.defaultSigningAlgorithm=SHA256withRSA
-preop.cert.sslserver.dn=CN=[PKI_HOSTNAME], OU=[PKI_INSTANCE_NAME]
-preop.cert.sslserver.keysize.customsize=2048
-preop.cert.sslserver.keysize.size=2048
-preop.cert.sslserver.keysize.select=default
-preop.cert.sslserver.nickname=Server-Cert cert-[PKI_INSTANCE_NAME]
-preop.cert.sslserver.profile=caInternalAuthServerCert
-preop.cert.sslserver.subsystem=tps
-preop.cert._003=#preop.cert.sslserver.type=local
-preop.cert.sslserver.type=remote
-preop.cert.sslserver.userfriendlyname=SSL Server Certificate
-preop.cert._004=#preop.cert.sslserver.cncomponent.override=false
-preop.cert.subsystem.defaultSigningAlgorithm=SHA256withRSA
-preop.cert.subsystem.dn=CN=TPS Subsystem Certificate, OU=[PKI_INSTANCE_NAME]
-preop.cert.subsystem.keysize.customsize=2048
-preop.cert.subsystem.keysize.size=2048
-preop.cert.subsystem.keysize.select=default
-preop.cert.subsystem.nickname=subsystemCert cert-[PKI_INSTANCE_NAME]
-preop.cert.subsystem.profile=caInternalAuthSubsystemCert
-preop.cert.subsystem.subsystem=tps
-preop.cert._005=#preop.cert.subsystem.type=local
-preop.cert.subsystem.userfriendlyname=Subsystem Certificate
-preop.cert._006=#preop.cert.subsystem.cncomponent.override=true
-preop.cert.audit_signing.defaultSigningAlgorithm=SHA256withRSA
-preop.cert.audit_signing.dn=CN=TPS Audit Signing Certificate, OU=[PKI_INSTANCE_NAME]
-preop.cert.audit_signing.keysize.customsize=2048
-preop.cert.audit_signing.keysize.size=2048
-preop.cert.audit_signing.keysize.select=default
-preop.cert.audit_signing.nickname=auditSigningCert cert-[PKI_INSTANCE_NAME]
-preop.cert.audit_signing.profile=caInternalAuthAuditSigningCert
-preop.cert.audit_signing.subsystem=tps
-preop.cert._005=#preop.cert.audit_signing.type=local
-preop.cert.audit_signing.userfriendlyname=Audit Log Signing Certificate
-preop.cert._006=#preop.cert.audit_signing.cncomponent.override=true
-preop.configModules._000=#########################################
-preop.configModules._001=# Installation configuration "preop" module parameters
-preop.configModules._002=#########################################
-preop.configModules.count=3
-preop.configModules.module0.commonName=NSS Internal PKCS #11 Module
-preop.configModules.module0.imagePath=/pki/images/clearpixel.gif
-preop.configModules.module0.userFriendlyName=NSS Internal PKCS #11 Module
-preop.configModules.module1.commonName=nfast
-preop.configModules.module1.imagePath=/pki/images/clearpixel.gif
-preop.configModules.module1.userFriendlyName=nCipher's nFast Token Hardware Module
-preop.configModules.module2.commonName=lunasa
-preop.configModules.module2.imagePath=/pki/images/clearpixel.gif
-preop.configModules.module2.userFriendlyName=SafeNet's LunaSA Token Hardware Module
-preop.module.token=NSS Certificate DB
-preop.keysize._000=#########################################
-preop.keysize._001=# Installation configuration "preop" keysize parameters
-preop.keysize._002=#########################################
-preop.keysize.customsize=2048
-preop.keysize.select=default
-preop.keysize.size=2048
-preop.keysize.ecc.size=256
-preop.adminauth.done=false
-preop.adminpanel.done=false
-preop.agentauth.done=false
-preop.authdb.done=false
-preop.cainfo.done=false
-preop.certprettyprint.done=false
-preop.certrequest.done=false
-preop.confighsmlogin.done=false
-preop.confighsm.done=false
-preop.database.done=false
-preop.displaycertchain2.done=false
-preop.displaycertchain.done=false
-preop.donepanel.done=false
-preop.drminfo.done=false
-preop.importadmincert.done=false
-preop.loginpanel.done=false
-preop.ModulePanel.done=false
-preop.namepanel.done=false
-preop.securitydomain.done=false
-preop.SizePanel.done=false
-preop.subsystemtype.done=false
-preop.tksinfo.done=false
-preop.welcome.done=false
+internaldb.maxConns=15
+internaldb.minConns=3
+internaldb.multipleSuffix.enable=false
+jss._000=##
+jss._001=## JSS
+jss._002=##
+jss.configDir=[PKI_INSTANCE_PATH]/alias/
+jss.enable=true
+jss.ocspcheck.enable=false
+jss.secmodName=secmod.db
+jss.ssl.cipherfortezza=true
+jss.ssl.cipherpref=
+jss.ssl.cipherversion=cipherdomestic
+keys.ecc.curve.default=nistp256
+keys.ecc.curve.display.list=nistp256 (secp256r1),nistp384 (secp384r1),nistp521 (secp521r1),nistk163 (sect163k1),sect163r1,nistb163 (sect163r2),sect193r1,sect193r2,nistk233 (sect233k1),nistb233 (sect233r1),sect239k1,nistk283 (sect283k1),nistb283 (sect283r1),nistk409 (sect409k1),nistb409 (sect409r1),nistk571 (sect571k1),nistb571 (sect571r1),secp160k1,secp160r1,secp160r2,secp192k1,nistp192 (secp192r1, prime192v1),secp224k1,nistp224 (secp224r1),secp256k1,prime192v2,prime192v3,prime239v1,prime239v2,prime239v3,c2pnb163v1,c2pnb163v2,c2pnb163v3,c2pnb176v1,c2tnb191v1,c2tnb191v2,c2tnb191v3,c2pnb208w1,c2tnb239v1,c2tnb239v2,c2tnb239v3,c2pnb272w1,c2pnb304w1,c2tnb359w1,c2pnb368w1,c2tnb431r1,secp112r1,secp112r2,secp128r1,secp128r2,sect113r1,sect113r2,sect131r1,sect131r2
+keys.ecc.curve.list=nistp256,nistp384,nistp521,sect163k1,nistk163,sect163r1,sect163r2,nistb163,sect193r1,sect193r2,sect233k1,nistk233,sect233r1,nistb233,sect239k1,sect283k1,nistk283,sect283r1,nistb283,sect409k1,nistk409,sect409r1,nistb409,sect571k1,nistk571,sect571r1,nistb571,secp160k1,secp160r1,secp160r2,secp192k1,secp192r1,nistp192,secp224k1,secp224r1,nistp224,secp256k1,secp256r1,secp384r1,secp521r1,prime192v1,prime192v2,prime192v3,prime239v1,prime239v2,prime239v3,c2pnb163v1,c2pnb163v2,c2pnb163v3,c2pnb176v1,c2tnb191v1,c2tnb191v2,c2tnb191v3,c2pnb208w1,c2tnb239v1,c2tnb239v2,c2tnb239v3,c2pnb272w1,c2pnb304w1,c2tnb359w1,c2pnb368w1,c2tnb431r1,secp112r1,secp112r2,secp128r1,secp128r2,sect113r1,sect113r2,sect131r1,sect131r2
+keys.rsa.keysize.default=2048
+log._000=##
+log._001=## Logging
+log._002=##
+logAudit.fileName=[PKI_INSTANCE_PATH]/logs/[PKI_SUBSYSTEM_TYPE]/access
+logError.fileName=[PKI_INSTANCE_PATH]/logs/[PKI_SUBSYSTEM_TYPE]/error
+log.impl.file.class=com.netscape.cms.logging.RollingLogFile
+log.instance.SignedAudit._000=##
+log.instance.SignedAudit._001=## Signed Audit Logging
+log.instance.SignedAudit._002=##
+log.instance.SignedAudit._003=##
+log.instance.SignedAudit._004=## Available Audit events:
+log.instance.SignedAudit._005=## AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,LOG_EXPIRATION_CHANGE,PRIVATE_KEY_ARCHIVE_REQUEST,PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,KEY_RECOVERY_REQUEST,KEY_RECOVERY_REQUEST_ASYNC,KEY_RECOVERY_AGENT_LOGIN,KEY_RECOVERY_REQUEST_PROCESSED,KEY_RECOVERY_REQUEST_PROCESSED_ASYNC,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ_SUCCESS,AUTHZ_FAIL,INTER_BOUNDARY,AUTH_FAIL,AUTH_SUCCESS,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_ADD_CA_REQUEST,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST,OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS,OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION
+log.instance.SignedAudit._006=##
+log.instance.SignedAudit.bufferSize=512
+log.instance.SignedAudit.enable=true
+log.instance.SignedAudit.events=AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,LOG_EXPIRATION_CHANGE,PRIVATE_KEY_ARCHIVE_REQUEST,PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,KEY_RECOVERY_REQUEST,KEY_RECOVERY_REQUEST_ASYNC,KEY_RECOVERY_AGENT_LOGIN,KEY_RECOVERY_REQUEST_PROCESSED,KEY_RECOVERY_REQUEST_PROCESSED_ASYNC,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ_SUCCESS,AUTHZ_FAIL,INTER_BOUNDARY,AUTH_FAIL,AUTH_SUCCESS,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_ADD_CA_REQUEST,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST,OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS,OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,LOGGING_SIGNED_AUDIT_SIGNING,ENROLLMENT,PIN_RESET,FORMAT,CONFIG,CONFIG_TOKEN,CONFIG_PROFILE,APPLET_UPGRADE,KEY_CHANGEOVER,RENEWAL,CIMC_CERT_VERIFICATION
+log.instance.SignedAudit.expirationTime=0
+log.instance.SignedAudit.fileName=[PKI_INSTANCE_PATH]/logs/[PKI_SUBSYSTEM_TYPE]/signedAudit/tps_cert-tps_audit
+log.instance.SignedAudit.flushInterval=5
+log.instance.SignedAudit.level=1
+log.instance.SignedAudit.logSigning=false
+log.instance.SignedAudit.maxFileSize=2000
+log.instance.SignedAudit.pluginName=file
+log.instance.SignedAudit.rolloverInterval=2592000
+log.instance.SignedAudit.signedAudit:_000=##
+log.instance.SignedAudit.signedAudit:_001=## Fill in the nickname of a trusted signing certificate to allow TPS audit logs to be signed
+log.instance.SignedAudit.signedAudit:_002=##
+log.instance.SignedAudit.signedAuditCertNickname=auditSigningCert cert-[PKI_INSTANCE_NAME]
+log.instance.SignedAudit.type=signedAudit
+log.instance.System._000=##
+log.instance.System._001=## System Logging
+log.instance.System._002=##
+log.instance.System.bufferSize=512
+log.instance.System.enable=true
+log.instance.System.expirationTime=0
+log.instance.System.fileName=[PKI_INSTANCE_PATH]/logs/[PKI_SUBSYSTEM_TYPE]/system
+log.instance.System.flushInterval=5
+log.instance.System.level=3
+log.instance.System.maxFileSize=2000
+log.instance.System.pluginName=file
+log.instance.System.rolloverInterval=2592000
+log.instance.System.type=system
+log.instance.Transactions._000=##
+log.instance.Transactions._001=## Transaction Logging
+log.instance.Transactions._002=##
+log.instance.Transactions.bufferSize=512
+log.instance.Transactions.enable=true
+log.instance.Transactions.expirationTime=0
+log.instance.Transactions.fileName=[PKI_INSTANCE_PATH]/logs/[PKI_SUBSYSTEM_TYPE]/transactions
+log.instance.Transactions.flushInterval=5
+log.instance.Transactions.level=1
+log.instance.Transactions.maxFileSize=2000
+log.instance.Transactions.pluginName=file
+log.instance.Transactions.rolloverInterval=2592000
+log.instance.Transactions.type=transaction
+machineName=[PKI_HOSTNAME]
+multiroles._000=##
+multiroles._001=## multiroles
+multiroles._002=##
+multiroles.enable=true
+multiroles.false.groupEnforceList=Administrators,Auditors,Trusted Managers,Certificate Manager Agents,Registration Manager Agents,Data Recovery Manager Agents,Online Certificate Status Manager Agents,Token Key Service Manager Agents,Enterprise CA Administrators,Enterprise KRA Administrators,Enterprise OCSP Administrators,Enterprise RA Administrators,Enterprise TKS Administrators,Enterprise TPS Administrators,Security Domain Administrators,Subsystem Group,ClonedSubsystems
+multiroles.false.groupEnforceList=Administrators,Auditors,Trusted Managers,Certificate Manager Agents,Registration Manager Agents,Data Recovery Manager Agents,Online Certificate Status Manager Agents,Token Key Service Manager Agents,Enterprise CA Administrators,Enterprise KRA Adminstrators,Enterprise OCSP Administrators,Enterprise RA Administrators,Enterprise TKS Administrators,Enterprise TPS Administrators,Security Domain Administrators,Subsystem Group
+multiroles=true
op.enroll._000=#########################################
op.enroll._001=# Default Operations
op.enroll._002=#
@@ -585,85 +358,311 @@ op.enroll._031=#
op.enroll._032=# Token ATR:
op.enroll._033=# Web Store - 3B759400006202020201
op.enroll._034=#########################################
-op.enroll.mapping.order=0,1,2
-op.enroll.mapping.0.filter.tokenType=userKey
-op.enroll.mapping.0.filter.tokenATR=
-op.enroll.mapping.0.filter.tokenCUID.start=
-op.enroll.mapping.0.filter.tokenCUID.end=
+op.enroll.allowUnknownToken=true
op.enroll.mapping.0.filter.appletMajorVersion=1
op.enroll.mapping.0.filter.appletMinorVersion=
+op.enroll.mapping.0.filter.tokenATR=
+op.enroll.mapping.0.filter.tokenCUID.end=
+op.enroll.mapping.0.filter.tokenCUID.start=
+op.enroll.mapping.0.filter.tokenType=userKey
op.enroll.mapping.0.target.tokenType=userKey
-op.enroll.mapping.1.filter.tokenType=soKey
-op.enroll.mapping.1.filter.tokenATR=
-op.enroll.mapping.1.filter.tokenCUID.start=
-op.enroll.mapping.1.filter.tokenCUID.end=
op.enroll.mapping.1.filter.appletMajorVersion=
op.enroll.mapping.1.filter.appletMinorVersion=
+op.enroll.mapping.1.filter.tokenATR=
+op.enroll.mapping.1.filter.tokenCUID.end=
+op.enroll.mapping.1.filter.tokenCUID.start=
+op.enroll.mapping.1.filter.tokenType=soKey
op.enroll.mapping.1.target.tokenType=soKey
-op.enroll.mapping.2.filter.tokenType=
-op.enroll.mapping.2.filter.tokenATR=
-op.enroll.mapping.2.filter.tokenCUID.start=
-op.enroll.mapping.2.filter.tokenCUID.end=
op.enroll.mapping.2.filter.appletMajorVersion=
op.enroll.mapping.2.filter.appletMinorVersion=
+op.enroll.mapping.2.filter.tokenATR=
+op.enroll.mapping.2.filter.tokenCUID.end=
+op.enroll.mapping.2.filter.tokenCUID.start=
+op.enroll.mapping.2.filter.tokenType=
op.enroll.mapping.2.target.tokenType=userKey
-op.pinReset.mapping.order=0
-op.pinReset.mapping.0.filter.tokenType=
-op.pinReset.mapping.0.filter.tokenATR=
-op.pinReset.mapping.0.filter.tokenCUID.start=
-op.pinReset.mapping.0.filter.tokenCUID.end=
-op.pinReset.mapping.0.filter.appletMajorVersion=
-op.pinReset.mapping.0.filter.appletMinorVersion=
-op.pinReset.mapping.0.target.tokenType=userKey
-op.format.mapping.order=0,1,2,3,4,5,6
-op.format.mapping.0.filter.tokenType=soCleanUserToken
-op.format.mapping.0.filter.tokenATR=
-op.format.mapping.0.filter.tokenCUID.start=
-op.format.mapping.0.filter.tokenCUID.end=
-op.format.mapping.0.filter.appletMajorVersion=
-op.format.mapping.0.filter.appletMinorVersion=
-op.format.mapping.0.target.tokenType=soCleanUserToken
-op.format.mapping.1.filter.tokenType=soUserKey
-op.format.mapping.1.filter.tokenATR=
-op.format.mapping.1.filter.tokenCUID.start=
-op.format.mapping.1.filter.tokenCUID.end=
-op.format.mapping.1.filter.appletMajorVersion=
-op.format.mapping.1.filter.appletMinorVersion=
-op.format.mapping.1.target.tokenType=soUserKey
-op.format.mapping.2.filter.tokenType=soKey
-op.format.mapping.2.filter.tokenATR=
-op.format.mapping.2.filter.tokenCUID.start=
-op.format.mapping.2.filter.tokenCUID.end=
-op.format.mapping.2.filter.appletMajorVersion=
-op.format.mapping.2.filter.appletMinorVersion=
-op.format.mapping.2.target.tokenType=soKey
-op.format.mapping.3.filter.tokenType=userKey
-op.format.mapping.3.filter.tokenATR=
-op.format.mapping.3.filter.tokenCUID.start=
-op.format.mapping.3.filter.tokenCUID.end=
-op.format.mapping.3.filter.appletMajorVersion=
-op.format.mapping.3.filter.appletMinorVersion=
-op.format.mapping.3.target.tokenType=userKey
-op.format.mapping.4.filter.tokenType=soCleanSOToken
-op.format.mapping.4.filter.tokenATR=
-op.format.mapping.4.filter.tokenCUID.start=
-op.format.mapping.4.filter.tokenCUID.end=
-op.format.mapping.4.filter.appletMajorVersion=
-op.format.mapping.4.filter.appletMinorVersion=
-op.format.mapping.5.filter.tokenType=cleanToken
-op.format.mapping.5.filter.tokenATR=
-op.format.mapping.5.filter.tokenCUID.start=
-op.format.mapping.5.filter.tokenCUID.end=
-op.format.mapping.5.filter.appletMajorVersion=
-op.format.mapping.5.filter.appletMinorVersion=
-op.format.mapping.5.target.tokenType=cleanToken
-op.format.mapping.4.target.tokenType=soCleanSOToken
-op.format.mapping.6.filter.tokenATR=
-op.format.mapping.6.filter.tokenCUID.start=
-op.format.mapping.6.filter.tokenCUID.end=
-op.format.mapping.6.filter.appletMajorVersion=
-op.format.mapping.6.filter.appletMinorVersion=
-op.format.mapping.6.target.tokenType=tokenKey
+op.enroll.mapping.order=0,1,2
+op.enroll.soKey._079=#op.enroll.userKey.keyGen.signing.publisherId=fileBasedPublisher
+op.enroll.soKey.auth.enable=true
+op.enroll.soKey.auth.id=ldap2
+op.enroll.soKey.cardmgr_instance=A0000000030000
+op.enroll.soKey.issuerinfo.enable=true
+op.enroll.soKey.issuerinfo.value=http://[PKI_HOSTNAME]:[PKI_UNSECURE_PORT]/cgi-bin/so/index.cgi
+op.enroll.soKey.keyGen.encryption.ca.conn=ca1
+op.enroll.soKey.keyGen.encryption.ca.profileId=caTokenUserEncryptionKeyEnrollment
+op.enroll.soKey.keyGen.encryption.certAttrId=c2
+op.enroll.soKey.keyGen.encryption.certId=C2
+op.enroll.soKey.keyGen.encryption.cuid_label=$cuid$
+op.enroll.soKey.keyGen.encryption.keySize=1024
+op.enroll.soKey.keyGen.encryption.keyUsage=0
+op.enroll.soKey.keyGen.encryption.keyUser=0
+op.enroll.soKey.keyGen.encryption.label=encryption key for $userid$
+op.enroll.soKey.keyGen.encryption.overwrite=true
+op.enroll.soKey.keyGen.encryption.privateKeyAttrId=k4
+op.enroll.soKey.keyGen.encryption.private.keyCapabilities.decrypt=true
+op.enroll.soKey.keyGen.encryption.private.keyCapabilities.derive=false
+op.enroll.soKey.keyGen.encryption.private.keyCapabilities.encrypt=false
+op.enroll.soKey.keyGen.encryption.private.keyCapabilities.private=true
+op.enroll.soKey.keyGen.encryption.private.keyCapabilities.sensitive=true
+op.enroll.soKey.keyGen.encryption.private.keyCapabilities.sign=false
+op.enroll.soKey.keyGen.encryption.private.keyCapabilities.signRecover=false
+op.enroll.soKey.keyGen.encryption.private.keyCapabilities.token=true
+op.enroll.soKey.keyGen.encryption.private.keyCapabilities.unwrap=true
+op.enroll.soKey.keyGen.encryption.private.keyCapabilities.verify=false
+op.enroll.soKey.keyGen.encryption.private.keyCapabilities.verifyRecover=false
+op.enroll.soKey.keyGen.encryption.private.keyCapabilities.wrap=false
+op.enroll.soKey.keyGen.encryption.privateKeyNumber=4
+op.enroll.soKey.keyGen.encryption.publicKeyAttrId=k5
+op.enroll.soKey.keyGen.encryption.public.keyCapabilities.decrypt=false
+op.enroll.soKey.keyGen.encryption.public.keyCapabilities.derive=false
+op.enroll.soKey.keyGen.encryption.public.keyCapabilities.encrypt=true
+op.enroll.soKey.keyGen.encryption.public.keyCapabilities.private=false
+op.enroll.soKey.keyGen.encryption.public.keyCapabilities.sensitive=false
+op.enroll.soKey.keyGen.encryption.public.keyCapabilities.sign=false
+op.enroll.soKey.keyGen.encryption.public.keyCapabilities.signRecover=false
+op.enroll.soKey.keyGen.encryption.public.keyCapabilities.token=true
+op.enroll.soKey.keyGen.encryption.public.keyCapabilities.unwrap=false
+op.enroll.soKey.keyGen.encryption.public.keyCapabilities.verify=false
+op.enroll.soKey.keyGen.encryption.public.keyCapabilities.verifyRecover=false
+op.enroll.soKey.keyGen.encryption.public.keyCapabilities.wrap=true
+op.enroll.soKey.keyGen.encryption.publicKeyNumber=5
+op.enroll.soKey.keyGen.encryption.recovery.destroyed.revokeCert=false
+op.enroll.soKey.keyGen.encryption.recovery.destroyed.revokeCert.reason=0
+op.enroll.soKey.keyGen.encryption.recovery.destroyed.scheme=RecoverLast
+op.enroll.soKey.keyGen.encryption.recovery.keyCompromise.revokeCert.reason=1
+op.enroll.soKey.keyGen.encryption.recovery.keyCompromise.revokeCert=true
+op.enroll.soKey.keyGen.encryption.recovery.keyCompromise.scheme=GenerateNewKey
+op.enroll.soKey.keyGen.encryption.recovery.onHold.revokeCert.reason=6
+op.enroll.soKey.keyGen.encryption.recovery.onHold.revokeCert=true
+op.enroll.soKey.keyGen.encryption.recovery.onHold.scheme=GenerateNewKey
+op.enroll.soKey.keyGen.encryption.serverKeygen.archive=true
+op.enroll.soKey.keyGen.encryption.serverKeygen.drm.conn=drm1
+op.enroll.soKey.keyGen.encryption.serverKeygen.enable=[SERVER_KEYGEN]
+op.enroll.soKey.keyGen.keyType.num=2
+op.enroll.soKey.keyGen.keyType.value.0=signing
+op.enroll.soKey.keyGen.keyType.value.1=encryption
+op.enroll.soKey.keyGen.recovery.destroyed.keyType.num=2
+op.enroll.soKey.keyGen.recovery.destroyed.keyType.value.0=signing
+op.enroll.soKey.keyGen.recovery.destroyed.keyType.value.1=encryption
+op.enroll.soKey.keyGen.recovery.keyCompromise.keyType.num=2
+op.enroll.soKey.keyGen.recovery.keyCompromise.keyType.value.0=signing
+op.enroll.soKey.keyGen.recovery.keyCompromise.keyType.value.1=encryption
+op.enroll.soKey.keyGen.recovery.onHold.keyType.num=2
+op.enroll.soKey.keyGen.recovery.onHold.keyType.value.0=signing
+op.enroll.soKey.keyGen.recovery.onHold.keyType.value.1=encryption
+op.enroll.soKey.keyGen.signing.ca.conn=ca1
+op.enroll.soKey.keyGen.signing.ca.profileId=caTokenUserSigningKeyEnrollment
+op.enroll.soKey.keyGen.signing.certAttrId=c1
+op.enroll.soKey.keyGen.signing.certId=C1
+op.enroll.soKey.keyGen.signing.cuid_label=$cuid$
+op.enroll.soKey.keyGen.signing.keySize=1024
+op.enroll.soKey.keyGen.signing.keyUsage=0
+op.enroll.soKey.keyGen.signing.keyUser=0
+op.enroll.soKey.keyGen.signing.label=signing key for $userid$
+op.enroll.soKey.keyGen.signing.overwrite=true
+op.enroll.soKey.keyGen.signing.privateKeyAttrId=k2
+op.enroll.soKey.keyGen.signing.private.keyCapabilities.decrypt=false
+op.enroll.soKey.keyGen.signing.private.keyCapabilities.derive=false
+op.enroll.soKey.keyGen.signing.private.keyCapabilities.encrypt=false
+op.enroll.soKey.keyGen.signing.private.keyCapabilities.private=true
+op.enroll.soKey.keyGen.signing.private.keyCapabilities.sensitive=true
+op.enroll.soKey.keyGen.signing.private.keyCapabilities.signRecover=true
+op.enroll.soKey.keyGen.signing.private.keyCapabilities.sign=true
+op.enroll.soKey.keyGen.signing.private.keyCapabilities.token=true
+op.enroll.soKey.keyGen.signing.private.keyCapabilities.unwrap=false
+op.enroll.soKey.keyGen.signing.private.keyCapabilities.verify=false
+op.enroll.soKey.keyGen.signing.private.keyCapabilities.verifyRecover=false
+op.enroll.soKey.keyGen.signing.private.keyCapabilities.wrap=false
+op.enroll.soKey.keyGen.signing.privateKeyNumber=2
+op.enroll.soKey.keyGen.signing.publicKeyAttrId=k3
+op.enroll.soKey.keyGen.signing.public.keyCapabilities.decrypt=false
+op.enroll.soKey.keyGen.signing.public.keyCapabilities.derive=false
+op.enroll.soKey.keyGen.signing.public.keyCapabilities.encrypt=false
+op.enroll.soKey.keyGen.signing.public.keyCapabilities.private=false
+op.enroll.soKey.keyGen.signing.public.keyCapabilities.sensitive=false
+op.enroll.soKey.keyGen.signing.public.keyCapabilities.sign=false
+op.enroll.soKey.keyGen.signing.public.keyCapabilities.signRecover=false
+op.enroll.soKey.keyGen.signing.public.keyCapabilities.token=true
+op.enroll.soKey.keyGen.signing.public.keyCapabilities.unwrap=false
+op.enroll.soKey.keyGen.signing.public.keyCapabilities.verifyRecover=true
+op.enroll.soKey.keyGen.signing.public.keyCapabilities.verify=true
+op.enroll.soKey.keyGen.signing.public.keyCapabilities.wrap=false
+op.enroll.soKey.keyGen.signing.publicKeyNumber=3
+op.enroll.soKey.keyGen.signing.recovery.destroyed.revokeCert.reason=0
+op.enroll.soKey.keyGen.signing.recovery.destroyed.revokeCert=true
+op.enroll.soKey.keyGen.signing.recovery.destroyed.scheme=GenerateNewKey
+op.enroll.soKey.keyGen.signing.recovery.keyCompromise.revokeCert.reason=1
+op.enroll.soKey.keyGen.signing.recovery.keyCompromise.revokeCert=true
+op.enroll.soKey.keyGen.signing.recovery.keyCompromise.scheme=GenerateNewKey
+op.enroll.soKey.keyGen.signing.recovery.onHold.revokeCert.reason=6
+op.enroll.soKey.keyGen.signing.recovery.onHold.revokeCert=true
+op.enroll.soKey.keyGen.signing.recovery.onHold.scheme=GenerateNewKey
+op.enroll.soKey.keyGen.tokenName=$auth.cn$
+op.enroll.soKey.loginRequest.enable=true
+op.enroll.soKey.pinReset.enable=true
+op.enroll.soKey.pinReset.pin.maxLen=10
+op.enroll.soKey.pinReset.pin.maxRetries=127
+op.enroll.soKey.pinReset.pin.minLen=4
+op.enroll.soKey.pkcs11obj.compress.enable=true
+op.enroll.soKey.pkcs11obj.enable=true
+op.enroll.soKeyTemporary.auth.enable=true
+op.enroll.soKeyTemporary.auth.id=ldap2
+op.enroll.soKeyTemporary.cardmgr_instance=A0000000030000
+op.enroll.soKeyTemporary.keyGen.auth.ca.conn=ca1
+op.enroll.soKeyTemporary.keyGen.auth.ca.profileId=caTempTokenDeviceKeyEnrollment
+op.enroll.soKeyTemporary.keyGen.auth.certAttrId=c0
+op.enroll.soKeyTemporary.keyGen.auth.certId=C0
+op.enroll.soKeyTemporary.keyGen.auth.cuid_label=$cuid$
+op.enroll.soKeyTemporary.keyGen.auth.keySize=1024
+op.enroll.soKeyTemporary.keyGen.auth.keyUsage=0
+op.enroll.soKeyTemporary.keyGen.auth.keyUser=15
+op.enroll.soKeyTemporary.keyGen.auth.label=Temporary Key for $userid$
+op.enroll.soKeyTemporary.keyGen.auth.overwrite=false
+op.enroll.soKeyTemporary.keyGen.auth.privateKeyAttrId=k0
+op.enroll.soKeyTemporary.keyGen.auth.private.keyCapabilities.decrypt=false
+op.enroll.soKeyTemporary.keyGen.auth.private.keyCapabilities.derive=false
+op.enroll.soKeyTemporary.keyGen.auth.private.keyCapabilities.encrypt=false
+op.enroll.soKeyTemporary.keyGen.auth.private.keyCapabilities.private=false
+op.enroll.soKeyTemporary.keyGen.auth.private.keyCapabilities.sensitive=true
+op.enroll.soKeyTemporary.keyGen.auth.private.keyCapabilities.signRecover=true
+op.enroll.soKeyTemporary.keyGen.auth.private.keyCapabilities.sign=true
+op.enroll.soKeyTemporary.keyGen.auth.private.keyCapabilities.token=true
+op.enroll.soKeyTemporary.keyGen.auth.private.keyCapabilities.unwrap=false
+op.enroll.soKeyTemporary.keyGen.auth.private.keyCapabilities.verifyRecover=true
+op.enroll.soKeyTemporary.keyGen.auth.private.keyCapabilities.verify=true
+op.enroll.soKeyTemporary.keyGen.auth.private.keyCapabilities.wrap=false
+op.enroll.soKeyTemporary.keyGen.auth.privateKeyNumber=0
+op.enroll.soKeyTemporary.keyGen.auth.publicKeyAttrId=k1
+op.enroll.soKeyTemporary.keyGen.auth.public.keyCapabilities.decrypt=false
+op.enroll.soKeyTemporary.keyGen.auth.public.keyCapabilities.derive=false
+op.enroll.soKeyTemporary.keyGen.auth.public.keyCapabilities.encrypt=false
+op.enroll.soKeyTemporary.keyGen.auth.public.keyCapabilities.private=false
+op.enroll.soKeyTemporary.keyGen.auth.public.keyCapabilities.sensitive=true
+op.enroll.soKeyTemporary.keyGen.auth.public.keyCapabilities.signRecover=true
+op.enroll.soKeyTemporary.keyGen.auth.public.keyCapabilities.sign=true
+op.enroll.soKeyTemporary.keyGen.auth.public.keyCapabilities.token=true
+op.enroll.soKeyTemporary.keyGen.auth.public.keyCapabilities.unwrap=false
+op.enroll.soKeyTemporary.keyGen.auth.public.keyCapabilities.verifyRecover=true
+op.enroll.soKeyTemporary.keyGen.auth.public.keyCapabilities.verify=true
+op.enroll.soKeyTemporary.keyGen.auth.public.keyCapabilities.wrap=false
+op.enroll.soKeyTemporary.keyGen.auth.publicKeyNumber=1
+op.enroll.soKeyTemporary.keyGen.encryption.ca.conn=ca1
+op.enroll.soKeyTemporary.keyGen.encryption.ca.profileId=caTempTokenUserEncryptionKeyEnrollment
+op.enroll.soKeyTemporary.keyGen.encryption.certAttrId=c2
+op.enroll.soKeyTemporary.keyGen.encryption.certId=C2
+op.enroll.soKeyTemporary.keyGen.encryption.cuid_label=$cuid$
+op.enroll.soKeyTemporary.keyGen.encryption.keySize=1024
+op.enroll.soKeyTemporary.keyGen.encryption.keyUsage=0
+op.enroll.soKeyTemporary.keyGen.encryption.keyUser=0
+op.enroll.soKeyTemporary.keyGen.encryption.label=encryption key for $userid$
+op.enroll.soKeyTemporary.keyGen.encryption.overwrite=true
+op.enroll.soKeyTemporary.keyGen.encryption.privateKeyAttrId=k4
+op.enroll.soKeyTemporary.keyGen.encryption.private.keyCapabilities.decrypt=true
+op.enroll.soKeyTemporary.keyGen.encryption.private.keyCapabilities.derive=false
+op.enroll.soKeyTemporary.keyGen.encryption.private.keyCapabilities.encrypt=false
+op.enroll.soKeyTemporary.keyGen.encryption.private.keyCapabilities.private=true
+op.enroll.soKeyTemporary.keyGen.encryption.private.keyCapabilities.sensitive=true
+op.enroll.soKeyTemporary.keyGen.encryption.private.keyCapabilities.sign=false
+op.enroll.soKeyTemporary.keyGen.encryption.private.keyCapabilities.signRecover=false
+op.enroll.soKeyTemporary.keyGen.encryption.private.keyCapabilities.token=true
+op.enroll.soKeyTemporary.keyGen.encryption.private.keyCapabilities.unwrap=true
+op.enroll.soKeyTemporary.keyGen.encryption.private.keyCapabilities.verify=false
+op.enroll.soKeyTemporary.keyGen.encryption.private.keyCapabilities.verifyRecover=false
+op.enroll.soKeyTemporary.keyGen.encryption.private.keyCapabilities.wrap=false
+op.enroll.soKeyTemporary.keyGen.encryption.privateKeyNumber=4
+op.enroll.soKeyTemporary.keyGen.encryption.publicKeyAttrId=k5
+op.enroll.soKeyTemporary.keyGen.encryption.public.keyCapabilities.decrypt=false
+op.enroll.soKeyTemporary.keyGen.encryption.public.keyCapabilities.derive=false
+op.enroll.soKeyTemporary.keyGen.encryption.public.keyCapabilities.encrypt=true
+op.enroll.soKeyTemporary.keyGen.encryption.public.keyCapabilities.private=false
+op.enroll.soKeyTemporary.keyGen.encryption.public.keyCapabilities.sensitive=false
+op.enroll.soKeyTemporary.keyGen.encryption.public.keyCapabilities.sign=false
+op.enroll.soKeyTemporary.keyGen.encryption.public.keyCapabilities.signRecover=false
+op.enroll.soKeyTemporary.keyGen.encryption.public.keyCapabilities.token=true
+op.enroll.soKeyTemporary.keyGen.encryption.public.keyCapabilities.unwrap=false
+op.enroll.soKeyTemporary.keyGen.encryption.public.keyCapabilities.verify=false
+op.enroll.soKeyTemporary.keyGen.encryption.public.keyCapabilities.verifyRecover=false
+op.enroll.soKeyTemporary.keyGen.encryption.public.keyCapabilities.wrap=true
+op.enroll.soKeyTemporary.keyGen.encryption.publicKeyNumber=5
+op.enroll.soKeyTemporary.keyGen.encryption.recovery.onHold.revokeCert.reason=0
+op.enroll.soKeyTemporary.keyGen.encryption.recovery.onHold.revokeCert=true
+op.enroll.soKeyTemporary.keyGen.encryption.recovery.onHold.scheme=RecoverLast
+op.enroll.soKeyTemporary.keyGen.encryption.serverKeygen.archive=true
+op.enroll.soKeyTemporary.keyGen.encryption.serverKeygen.drm.conn=drm1
+op.enroll.soKeyTemporary.keyGen.encryption.serverKeygen.enable=true
+op.enroll.soKeyTemporary.keyGen.keyType.num=3
+op.enroll.soKeyTemporary.keyGen.keyType.value.0=auth
+op.enroll.soKeyTemporary.keyGen.keyType.value.1=signing
+op.enroll.soKeyTemporary.keyGen.keyType.value.2=encryption
+op.enroll.soKeyTemporary.keyGen.recovery.onHold.keyType.num=2
+op.enroll.soKeyTemporary.keyGen.recovery.onHold.keyType.value.0=signing
+op.enroll.soKeyTemporary.keyGen.recovery.onHold.keyType.value.1=encryption
+op.enroll.soKeyTemporary.keyGen.signing.ca.conn=ca1
+op.enroll.soKeyTemporary.keyGen.signing.ca.profileId=caTempTokenUserSigningKeyEnrollment
+op.enroll.soKeyTemporary.keyGen.signing.certAttrId=c1
+op.enroll.soKeyTemporary.keyGen.signing.certId=C1
+op.enroll.soKeyTemporary.keyGen.signing.cuid_label=$cuid$
+op.enroll.soKeyTemporary.keyGen.signing.keySize=1024
+op.enroll.soKeyTemporary.keyGen.signing.keyUsage=0
+op.enroll.soKeyTemporary.keyGen.signing.keyUser=0
+op.enroll.soKeyTemporary.keyGen.signing.label=signing key for $userid$
+op.enroll.soKeyTemporary.keyGen.signing.overwrite=true
+op.enroll.soKeyTemporary.keyGen.signing.privateKeyAttrId=k2
+op.enroll.soKeyTemporary.keyGen.signing.private.keyCapabilities.decrypt=false
+op.enroll.soKeyTemporary.keyGen.signing.private.keyCapabilities.derive=false
+op.enroll.soKeyTemporary.keyGen.signing.private.keyCapabilities.encrypt=false
+op.enroll.soKeyTemporary.keyGen.signing.private.keyCapabilities.private=true
+op.enroll.soKeyTemporary.keyGen.signing.private.keyCapabilities.sensitive=true
+op.enroll.soKeyTemporary.keyGen.signing.private.keyCapabilities.signRecover=true
+op.enroll.soKeyTemporary.keyGen.signing.private.keyCapabilities.sign=true
+op.enroll.soKeyTemporary.keyGen.signing.private.keyCapabilities.token=true
+op.enroll.soKeyTemporary.keyGen.signing.private.keyCapabilities.unwrap=false
+op.enroll.soKeyTemporary.keyGen.signing.private.keyCapabilities.verify=false
+op.enroll.soKeyTemporary.keyGen.signing.private.keyCapabilities.verifyRecover=false
+op.enroll.soKeyTemporary.keyGen.signing.private.keyCapabilities.wrap=false
+op.enroll.soKeyTemporary.keyGen.signing.privateKeyNumber=2
+op.enroll.soKeyTemporary.keyGen.signing.publicKeyAttrId=k3
+op.enroll.soKeyTemporary.keyGen.signing.public.keyCapabilities.decrypt=false
+op.enroll.soKeyTemporary.keyGen.signing.public.keyCapabilities.derive=false
+op.enroll.soKeyTemporary.keyGen.signing.public.keyCapabilities.encrypt=false
+op.enroll.soKeyTemporary.keyGen.signing.public.keyCapabilities.private=false
+op.enroll.soKeyTemporary.keyGen.signing.public.keyCapabilities.sensitive=false
+op.enroll.soKeyTemporary.keyGen.signing.public.keyCapabilities.sign=false
+op.enroll.soKeyTemporary.keyGen.signing.public.keyCapabilities.signRecover=false
+op.enroll.soKeyTemporary.keyGen.signing.public.keyCapabilities.token=true
+op.enroll.soKeyTemporary.keyGen.signing.public.keyCapabilities.unwrap=false
+op.enroll.soKeyTemporary.keyGen.signing.public.keyCapabilities.verifyRecover=true
+op.enroll.soKeyTemporary.keyGen.signing.public.keyCapabilities.verify=true
+op.enroll.soKeyTemporary.keyGen.signing.public.keyCapabilities.wrap=false
+op.enroll.soKeyTemporary.keyGen.signing.publicKeyNumber=3
+op.enroll.soKeyTemporary.keyGen.signing.recovery.onHold.revokeCert.reason=0
+op.enroll.soKeyTemporary.keyGen.signing.recovery.onHold.revokeCert=true
+op.enroll.soKeyTemporary.keyGen.signing.recovery.onHold.scheme=GenerateNewKey
+op.enroll.soKeyTemporary.keyGen.tokenName=$auth.cn$ (Temporary)
+op.enroll.soKeyTemporary.loginRequest.enable=true
+op.enroll.soKeyTemporary.pinReset.enable=true
+op.enroll.soKeyTemporary.pinReset.pin.maxLen=10
+op.enroll.soKeyTemporary.pinReset.pin.maxRetries=127
+op.enroll.soKeyTemporary.pinReset.pin.minLen=4
+op.enroll.soKeyTemporary.pkcs11obj.compress.enable=true
+op.enroll.soKeyTemporary.pkcs11obj.enable=true
+op.enroll.soKeyTemporary.tks.conn=tks1
+op.enroll.soKeyTemporary.tks.keySet=defKeyset
+op.enroll.soKey.temporaryToken.tokenType=soKeyTemporary
+op.enroll.soKeyTemporary.update.applet.directory=[TPS_DIR]/applets
+op.enroll.soKeyTemporary.update.applet.emptyToken.enable=true
+op.enroll.soKeyTemporary.update.applet.enable=true
+op.enroll.soKeyTemporary.update.applet.encryption=true
+op.enroll.soKeyTemporary.update.applet.requiredVersion=1.4.4d40a449
+op.enroll.soKeyTemporary.update.symmetricKeys.enable=false
+op.enroll.soKeyTemporary.update.symmetricKeys.requiredVersion=1
+op.enroll.soKey.tks.conn=tks1
+op.enroll.soKey.update.applet.directory=[TPS_DIR]/applets
+op.enroll.soKey.update.applet.emptyToken.enable=true
+op.enroll.soKey.update.applet.enable=true
+op.enroll.soKey.update.applet.encryption=true
+op.enroll.soKey.update.applet.requiredVersion=1.4.4d40a449
+op.enroll.soKey.update.symmetricKeys.enable=false
+op.enroll.soKey.update.symmetricKeys.requiredVersion=1
op.enroll.userKey._000=#########################################
op.enroll.userKey._001=# Enrollment Operation For CoolKey
op.enroll.userKey._002=#
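Review bot: The two service-officer profiles disagree on server-side key generation: `op.enroll.soKey.keyGen.encryption.serverKeygen.enable=[SERVER_KEYGEN]` is driven by the deployment slot, while `op.enroll.soKeyTemporary.keyGen.encryption.serverKeygen.enable=true` is hard-coded, so a deployment that disables server keygen (and hence DRM archival) still gets it for temporary tokens; the temporary line should also read `=[SERVER_KEYGEN]`. The line `op.enroll.soKey._079=#op.enroll.userKey.keyGen.signing.publisherId=fileBasedPublisher` is an orphaned comment entry: it refers to the userKey profile, and soKey has no `_000`–`_078` comment block for it to belong to, so it should be dropped or moved under the userKey comments with an unused index. Every `keySize=1024` in this hunk keeps a 1024-bit RSA default for the token signing and encryption keys, which appears to be carried over from the old layout rather than newly chosen; it is worth confirming the applets in use accept 2048 before changing it. The removed `op.pinReset.mapping.*` and `op.format.mapping.*` entries are presumably re-added in the alphabetically sorted position later in the file, but that part of the diff is outside this hunk and should be checked.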
@@ -743,8 +742,10 @@ op.enroll.userKey._075=# There is a special case of tokenType userKeyTemporary.
op.enroll.userKey._076=# Make sure the profile specified by the profileId to have
op.enroll.userKey._077=# short validity period (eg, 7 days) for the certificate.
op.enroll.userKey._078=#
+op.enroll.userKey._079=#op.enroll.userKey.keyGen.signing.publisherId=fileBasedPublisher
op.enroll.userKey._079=# The three recovery schemes supported are:
op.enroll.userKey._080=#
+op.enroll.userKey._080=#op.enroll.userKeyTemporary.keyGen.signing.publisherId=fileBasedPublisher
op.enroll.userKey._081=# * GenerateNewKey - Generate a new
op.enroll.userKey._082=# cert for the
op.enroll.userKey._083=# encryption cert.
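Review bot: The added lines reuse indices that already exist in this comment block, producing duplicate keys `op.enroll.userKey._079` and `op.enroll.userKey._080`; in a properties-style file the later definition wins, so either the "three recovery schemes" text or the commented-out publisherId examples will be silently lost when the file is loaded. Give the new entries indices the block does not use, e.g. `op.enroll.userKey._091=#op.enroll.userKey.keyGen.signing.publisherId=fileBasedPublisher` and `op.enroll.userKey._092=#op.enroll.userKeyTemporary.keyGen.signing.publisherId=fileBasedPublisher`, placed after the closing `_090` marker; confirm `_091`/`_092` are free, since only part of the block is visible here. The same duplicate-key pattern appears earlier in this file around `multiroles.false.groupEnforceList`, which is defined twice with differing values (one with a typo "Adminstrators"), and deserves the same fix.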
@@ -755,289 +756,128 @@ op.enroll.userKey._087=# * GenerateNewKeyandRecoverLast - Generate new cert AND
op.enroll.userKey._088=# recover last for
op.enroll.userKey._089=# encryption cert.
op.enroll.userKey._090=#########################################
-op.enroll.allowUnknownToken=true
-op.enroll.userKey.temporaryToken.tokenType=userKeyTemporary
+op.enroll.userKey.auth.enable=true
+op.enroll.userKey.auth.id=ldap1
+op.enroll.userKey.cardmgr_instance=A0000000030000
+op.enroll.userKey.issuerinfo.enable=true
+op.enroll.userKey.issuerinfo.value=http://[PKI_HOSTNAME]:[PKI_UNSECURE_PORT]/cgi-bin/home/index.cgi
+op.enroll.userKey.keyGen.encryption.ca.conn=ca1
+op.enroll.userKey.keyGen.encryption.ca.profileId=caTokenUserEncryptionKeyEnrollment
+op.enroll.userKey.keyGen.encryption.certAttrId=c2
+op.enroll.userKey.keyGen.encryption.certId=C2
+op.enroll.userKey.keyGen.encryption.cuid_label=$cuid$
+op.enroll.userKey.keyGen.encryption.keySize=1024
+op.enroll.userKey.keyGen.encryption.keyUsage=0
+op.enroll.userKey.keyGen.encryption.keyUser=0
+op.enroll.userKey.keyGen.encryption.label=encryption key for $userid$
+op.enroll.userKey.keyGen.encryption.overwrite=true
+op.enroll.userKey.keyGen.encryption.privateKeyAttrId=k4
+op.enroll.userKey.keyGen.encryption.private.keyCapabilities.decrypt=true
+op.enroll.userKey.keyGen.encryption.private.keyCapabilities.derive=false
+op.enroll.userKey.keyGen.encryption.private.keyCapabilities.encrypt=false
+op.enroll.userKey.keyGen.encryption.private.keyCapabilities.private=true
+op.enroll.userKey.keyGen.encryption.private.keyCapabilities.sensitive=true
+op.enroll.userKey.keyGen.encryption.private.keyCapabilities.sign=false
+op.enroll.userKey.keyGen.encryption.private.keyCapabilities.signRecover=false
+op.enroll.userKey.keyGen.encryption.private.keyCapabilities.token=true
+op.enroll.userKey.keyGen.encryption.private.keyCapabilities.unwrap=true
+op.enroll.userKey.keyGen.encryption.private.keyCapabilities.verify=false
+op.enroll.userKey.keyGen.encryption.private.keyCapabilities.verifyRecover=false
+op.enroll.userKey.keyGen.encryption.private.keyCapabilities.wrap=false
+op.enroll.userKey.keyGen.encryption.privateKeyNumber=4
+op.enroll.userKey.keyGen.encryption.publicKeyAttrId=k5
+op.enroll.userKey.keyGen.encryption.public.keyCapabilities.decrypt=false
+op.enroll.userKey.keyGen.encryption.public.keyCapabilities.derive=false
+op.enroll.userKey.keyGen.encryption.public.keyCapabilities.encrypt=true
+op.enroll.userKey.keyGen.encryption.public.keyCapabilities.private=false
+op.enroll.userKey.keyGen.encryption.public.keyCapabilities.sensitive=false
+op.enroll.userKey.keyGen.encryption.public.keyCapabilities.sign=false
+op.enroll.userKey.keyGen.encryption.public.keyCapabilities.signRecover=false
+op.enroll.userKey.keyGen.encryption.public.keyCapabilities.token=true
+op.enroll.userKey.keyGen.encryption.public.keyCapabilities.unwrap=false
+op.enroll.userKey.keyGen.encryption.public.keyCapabilities.verify=false
+op.enroll.userKey.keyGen.encryption.public.keyCapabilities.verifyRecover=false
+op.enroll.userKey.keyGen.encryption.public.keyCapabilities.wrap=true
+op.enroll.userKey.keyGen.encryption.publicKeyNumber=5
+op.enroll.userKey.keyGen.encryption.recovery.destroyed.revokeCert=false
+op.enroll.userKey.keyGen.encryption.recovery.destroyed.revokeCert.reason=0
+op.enroll.userKey.keyGen.encryption.recovery.destroyed.scheme=RecoverLast
+op.enroll.userKey.keyGen.encryption.recovery.keyCompromise.revokeCert.reason=1
+op.enroll.userKey.keyGen.encryption.recovery.keyCompromise.revokeCert=true
+op.enroll.userKey.keyGen.encryption.recovery.keyCompromise.scheme=GenerateNewKey
+op.enroll.userKey.keyGen.encryption.recovery.onHold.revokeCert.reason=6
+op.enroll.userKey.keyGen.encryption.recovery.onHold.revokeCert=true
+op.enroll.userKey.keyGen.encryption.recovery.onHold.scheme=GenerateNewKey
+op.enroll.userKey.keyGen.encryption.serverKeygen.archive=true
+op.enroll.userKey.keyGen.encryption.serverKeygen.drm.conn=drm1
+op.enroll.userKey.keyGen.encryption.serverKeygen.enable=[SERVER_KEYGEN]
+op.enroll.userKey.keyGen.keyType.num=2
+op.enroll.userKey.keyGen.keyType.value.0=signing
+op.enroll.userKey.keyGen.keyType.value.1=encryption
op.enroll.userKey.keyGen.recovery.destroyed.keyType.num=2
op.enroll.userKey.keyGen.recovery.destroyed.keyType.value.0=signing
op.enroll.userKey.keyGen.recovery.destroyed.keyType.value.1=encryption
-op.enroll.userKey.keyGen.signing.recovery.destroyed.scheme=GenerateNewKey
-op.enroll.userKey.keyGen.signing.recovery.destroyed.revokeCert=true
-op.enroll.userKey.keyGen.signing.recovery.destroyed.revokeCert.reason=0
-op.enroll.userKey.keyGen.encryption.recovery.destroyed.scheme=RecoverLast
-op.enroll.userKey.keyGen.encryption.recovery.destroyed.revokeCert=false
-op.enroll.userKey.keyGen.encryption.recovery.destroyed.revokeCert.reason=0
op.enroll.userKey.keyGen.recovery.keyCompromise.keyType.num=2
op.enroll.userKey.keyGen.recovery.keyCompromise.keyType.value.0=signing
op.enroll.userKey.keyGen.recovery.keyCompromise.keyType.value.1=encryption
-op.enroll.userKey.keyGen.signing.recovery.keyCompromise.scheme=GenerateNewKey
-op.enroll.userKey.keyGen.signing.recovery.keyCompromise.revokeCert=true
-op.enroll.userKey.keyGen.signing.recovery.keyCompromise.revokeCert.reason=1
-op.enroll.userKey.keyGen.encryption.recovery.keyCompromise.scheme=GenerateNewKey
-op.enroll.userKey.keyGen.encryption.recovery.keyCompromise.revokeCert=true
-op.enroll.userKey.keyGen.encryption.recovery.keyCompromise.revokeCert.reason=1
op.enroll.userKey.keyGen.recovery.onHold.keyType.num=2
op.enroll.userKey.keyGen.recovery.onHold.keyType.value.0=signing
op.enroll.userKey.keyGen.recovery.onHold.keyType.value.1=encryption
-op.enroll.userKey.keyGen.signing.recovery.onHold.scheme=GenerateNewKey
-op.enroll.userKey.keyGen.signing.recovery.onHold.revokeCert=true
-op.enroll.userKey.keyGen.signing.recovery.onHold.revokeCert.reason=6
-op.enroll.userKey.keyGen.encryption.recovery.onHold.scheme=GenerateNewKey
-op.enroll.userKey.keyGen.encryption.recovery.onHold.revokeCert=true
-op.enroll.userKey.keyGen.encryption.recovery.onHold.revokeCert.reason=6
-op.enroll.userKey.keyGen.tokenName=$auth.cn$
-op.enroll.userKey.keyGen.keyType.num=2
-op.enroll.userKey.keyGen.keyType.value.0=signing
-op.enroll.userKey.keyGen.keyType.value.1=encryption
+op.enroll.userKey.keyGen.signing.ca.conn=ca1
+op.enroll.userKey.keyGen.signing.ca.profileId=caTokenUserSigningKeyEnrollment
+op.enroll.userKey.keyGen.signing.certAttrId=c1
+op.enroll.userKey.keyGen.signing.certId=C1
+op.enroll.userKey.keyGen.signing.cuid_label=$cuid$
op.enroll.userKey.keyGen.signing.keySize=1024
+op.enroll.userKey.keyGen.signing.keyUsage=0
+op.enroll.userKey.keyGen.signing.keyUser=0
+op.enroll.userKey.keyGen.signing.label=signing key for $userid$
+op.enroll.userKey.keyGen.signing.overwrite=true
+op.enroll.userKey.keyGen.signing.privateKeyAttrId=k2
+op.enroll.userKey.keyGen.signing.private.keyCapabilities.decrypt=false
+op.enroll.userKey.keyGen.signing.private.keyCapabilities.derive=false
+op.enroll.userKey.keyGen.signing.private.keyCapabilities.encrypt=false
+op.enroll.userKey.keyGen.signing.private.keyCapabilities.private=true
+op.enroll.userKey.keyGen.signing.private.keyCapabilities.sensitive=true
+op.enroll.userKey.keyGen.signing.private.keyCapabilities.signRecover=true
+op.enroll.userKey.keyGen.signing.private.keyCapabilities.sign=true
+op.enroll.userKey.keyGen.signing.private.keyCapabilities.token=true
+op.enroll.userKey.keyGen.signing.private.keyCapabilities.unwrap=false
+op.enroll.userKey.keyGen.signing.private.keyCapabilities.verify=false
+op.enroll.userKey.keyGen.signing.private.keyCapabilities.verifyRecover=false
+op.enroll.userKey.keyGen.signing.private.keyCapabilities.wrap=false
+op.enroll.userKey.keyGen.signing.privateKeyNumber=2
+op.enroll.userKey.keyGen.signing.publicKeyAttrId=k3
+op.enroll.userKey.keyGen.signing.public.keyCapabilities.decrypt=false
+op.enroll.userKey.keyGen.signing.public.keyCapabilities.derive=false
op.enroll.userKey.keyGen.signing.public.keyCapabilities.encrypt=false
+op.enroll.userKey.keyGen.signing.public.keyCapabilities.private=false
+op.enroll.userKey.keyGen.signing.public.keyCapabilities.sensitive=false
op.enroll.userKey.keyGen.signing.public.keyCapabilities.sign=false
op.enroll.userKey.keyGen.signing.public.keyCapabilities.signRecover=false
-op.enroll.userKey.keyGen.signing.public.keyCapabilities.decrypt=false
-op.enroll.userKey.keyGen.signing.public.keyCapabilities.derive=false
+op.enroll.userKey.keyGen.signing.public.keyCapabilities.token=true
op.enroll.userKey.keyGen.signing.public.keyCapabilities.unwrap=false
-op.enroll.userKey.keyGen.signing.public.keyCapabilities.wrap=false
op.enroll.userKey.keyGen.signing.public.keyCapabilities.verifyRecover=true
op.enroll.userKey.keyGen.signing.public.keyCapabilities.verify=true
-op.enroll.userKey.keyGen.signing.public.keyCapabilities.sensitive=false
-op.enroll.userKey.keyGen.signing.public.keyCapabilities.private=false
-op.enroll.userKey.keyGen.signing.public.keyCapabilities.token=true
-op.enroll.userKey.keyGen.signing.private.keyCapabilities.encrypt=false
-op.enroll.userKey.keyGen.signing.private.keyCapabilities.sign=true
-op.enroll.userKey.keyGen.signing.private.keyCapabilities.signRecover=true
-op.enroll.userKey.keyGen.signing.private.keyCapabilities.decrypt=false
-op.enroll.userKey.keyGen.signing.private.keyCapabilities.derive=false
-op.enroll.userKey.keyGen.signing.private.keyCapabilities.unwrap=false
-op.enroll.userKey.keyGen.signing.private.keyCapabilities.wrap=false
-op.enroll.userKey.keyGen.signing.private.keyCapabilities.verifyRecover=false
-op.enroll.userKey.keyGen.signing.private.keyCapabilities.verify=false
-op.enroll.userKey.keyGen.signing.private.keyCapabilities.sensitive=true
-op.enroll.userKey.keyGen.signing.private.keyCapabilities.private=true
-op.enroll.userKey.keyGen.signing.private.keyCapabilities.token=true
-op.enroll.userKey.keyGen.signing.label=signing key for $userid$
-op.enroll.userKey.keyGen.signing.cuid_label=$cuid$
-op.enroll.userKey.keyGen.signing.overwrite=true
-op.enroll.userKey.keyGen.signing.certId=C1
-op.enroll.userKey.keyGen.signing.certAttrId=c1
-op.enroll.userKey.keyGen.signing.privateKeyAttrId=k2
-op.enroll.userKey.keyGen.signing.publicKeyAttrId=k3
-op.enroll.userKey.keyGen.signing.keyUsage=0
-op.enroll.userKey.keyGen.signing.keyUser=0
-op.enroll.userKey.keyGen.signing.privateKeyNumber=2
+op.enroll.userKey.keyGen.signing.public.keyCapabilities.wrap=false
op.enroll.userKey.keyGen.signing.publicKeyNumber=3
-op.enroll.userKey.keyGen.signing.ca.profileId=caTokenUserSigningKeyEnrollment
-op.enroll.userKey.keyGen.signing.ca.conn=ca1
-op.enroll.userKey._079=#op.enroll.userKey.keyGen.signing.publisherId=fileBasedPublisher
-op.enroll.userKey.keyGen.encryption.keySize=1024
-op.enroll.userKey.keyGen.encryption.public.keyCapabilities.encrypt=true
-op.enroll.userKey.keyGen.encryption.public.keyCapabilities.sign=false
-op.enroll.userKey.keyGen.encryption.public.keyCapabilities.signRecover=false
-op.enroll.userKey.keyGen.encryption.public.keyCapabilities.decrypt=false
-op.enroll.userKey.keyGen.encryption.public.keyCapabilities.derive=false
-op.enroll.userKey.keyGen.encryption.public.keyCapabilities.unwrap=false
-op.enroll.userKey.keyGen.encryption.public.keyCapabilities.wrap=true
-op.enroll.userKey.keyGen.encryption.public.keyCapabilities.verifyRecover=false
-op.enroll.userKey.keyGen.encryption.public.keyCapabilities.verify=false
-op.enroll.userKey.keyGen.encryption.public.keyCapabilities.sensitive=false
-op.enroll.userKey.keyGen.encryption.public.keyCapabilities.private=false
-op.enroll.userKey.keyGen.encryption.public.keyCapabilities.token=true
-op.enroll.userKey.keyGen.encryption.private.keyCapabilities.encrypt=false
-op.enroll.userKey.keyGen.encryption.private.keyCapabilities.sign=false
-op.enroll.userKey.keyGen.encryption.private.keyCapabilities.signRecover=false
-op.enroll.userKey.keyGen.encryption.private.keyCapabilities.decrypt=true
-op.enroll.userKey.keyGen.encryption.private.keyCapabilities.derive=false
-op.enroll.userKey.keyGen.encryption.private.keyCapabilities.unwrap=true
-op.enroll.userKey.keyGen.encryption.private.keyCapabilities.wrap=false
-op.enroll.userKey.keyGen.encryption.private.keyCapabilities.verifyRecover=false
-op.enroll.userKey.keyGen.encryption.private.keyCapabilities.verify=false
-op.enroll.userKey.keyGen.encryption.private.keyCapabilities.sensitive=true
-op.enroll.userKey.keyGen.encryption.private.keyCapabilities.private=true
-op.enroll.userKey.keyGen.encryption.private.keyCapabilities.token=true
-op.enroll.userKey.keyGen.encryption.label=encryption key for $userid$
-op.enroll.userKey.keyGen.encryption.cuid_label=$cuid$
-op.enroll.userKey.keyGen.encryption.overwrite=true
-op.enroll.userKey.keyGen.encryption.certId=C2
-op.enroll.userKey.keyGen.encryption.certAttrId=c2
-op.enroll.userKey.keyGen.encryption.privateKeyAttrId=k4
-op.enroll.userKey.keyGen.encryption.publicKeyAttrId=k5
-op.enroll.userKey.keyGen.encryption.keyUsage=0
-op.enroll.userKey.keyGen.encryption.keyUser=0
-op.enroll.userKey.keyGen.encryption.privateKeyNumber=4
-op.enroll.userKey.keyGen.encryption.publicKeyNumber=5
-op.enroll.userKey.keyGen.encryption.ca.profileId=caTokenUserEncryptionKeyEnrollment
-op.enroll.userKey.keyGen.encryption.ca.conn=ca1
-op.enroll.userKey.pkcs11obj.enable=true
-op.enroll.userKey.pkcs11obj.compress.enable=true
-op.enroll.userKey.update.applet.emptyToken.enable=true
-op.enroll.userKey.update.applet.enable=true
-op.enroll.userKey.update.applet.requiredVersion=1.4.4d40a449
-op.enroll.userKey.update.applet.directory=[TPS_DIR]/applets
-op.enroll.userKey.update.applet.encryption=true
-op.enroll.userKey.update.symmetricKeys.enable=false
-op.enroll.userKey.update.symmetricKeys.requiredVersion=1
+op.enroll.userKey.keyGen.signing.recovery.destroyed.revokeCert.reason=0
+op.enroll.userKey.keyGen.signing.recovery.destroyed.revokeCert=true
+op.enroll.userKey.keyGen.signing.recovery.destroyed.scheme=GenerateNewKey
+op.enroll.userKey.keyGen.signing.recovery.keyCompromise.revokeCert.reason=1
+op.enroll.userKey.keyGen.signing.recovery.keyCompromise.revokeCert=true
+op.enroll.userKey.keyGen.signing.recovery.keyCompromise.scheme=GenerateNewKey
+op.enroll.userKey.keyGen.signing.recovery.onHold.revokeCert.reason=6
+op.enroll.userKey.keyGen.signing.recovery.onHold.revokeCert=true
+op.enroll.userKey.keyGen.signing.recovery.onHold.scheme=GenerateNewKey
+op.enroll.userKey.keyGen.tokenName=$auth.cn$
op.enroll.userKey.loginRequest.enable=true
op.enroll.userKey.pinReset.enable=true
+op.enroll.userKey.pinReset.pin.maxLen=10
op.enroll.userKey.pinReset.pin.maxRetries=127
op.enroll.userKey.pinReset.pin.minLen=4
-op.enroll.userKey.pinReset.pin.maxLen=10
-op.enroll.userKey.cardmgr_instance=A0000000030000
-op.enroll.userKey.tks.conn=tks1
-op.enroll.userKey.auth.id=ldap1
-op.enroll.userKey.auth.enable=true
-op.enroll.userKey.issuerinfo.enable=true
-op.enroll.userKey.issuerinfo.value=http://[PKI_HOSTNAME]:[PKI_UNSECURE_PORT]/cgi-bin/home/index.cgi
-op.enroll.userKeyTemporary.keyGen.recovery.onHold.keyType.num=2
-op.enroll.userKeyTemporary.keyGen.recovery.onHold.keyType.value.0=signing
-op.enroll.userKeyTemporary.keyGen.recovery.onHold.keyType.value.1=encryption
-op.enroll.userKeyTemporary.keyGen.signing.recovery.onHold.scheme=GenerateNewKey
-op.enroll.userKeyTemporary.keyGen.signing.recovery.onHold.revokeCert=true
-op.enroll.userKeyTemporary.keyGen.signing.recovery.onHold.revokeCert.reason=0
-op.enroll.userKeyTemporary.keyGen.encryption.recovery.onHold.scheme=RecoverLast
-op.enroll.userKeyTemporary.keyGen.encryption.recovery.onHold.revokeCert=true
-op.enroll.userKeyTemporary.keyGen.encryption.recovery.onHold.revokeCert.reason=0
-op.enroll.userKey.keyGen.encryption.serverKeygen.enable=[SERVER_KEYGEN]
-op.enroll.userKey.keyGen.encryption.serverKeygen.drm.conn=drm1
-op.enroll.userKey.keyGen.encryption.serverKeygen.archive=true
-op.enroll.userKeyTemporary.keyGen.encryption.serverKeygen.enable=true
-op.enroll.userKeyTemporary.keyGen.encryption.serverKeygen.drm.conn=drm1
-op.enroll.userKeyTemporary.keyGen.encryption.serverKeygen.archive=true
-op.enroll.userKeyTemporary.keyGen.tokenName=$auth.cn$ (Temporary)
-op.enroll.userKeyTemporary.keyGen.keyType.num=3
-op.enroll.userKeyTemporary.keyGen.keyType.value.0=auth
-op.enroll.userKeyTemporary.keyGen.keyType.value.1=signing
-op.enroll.userKeyTemporary.keyGen.keyType.value.2=encryption
-op.enroll.userKeyTemporary.keyGen.auth.keySize=1024
-op.enroll.userKeyTemporary.keyGen.auth.public.keyCapabilities.encrypt=false
-op.enroll.userKeyTemporary.keyGen.auth.public.keyCapabilities.sign=true
-op.enroll.userKeyTemporary.keyGen.auth.public.keyCapabilities.signRecover=true
-op.enroll.userKeyTemporary.keyGen.auth.public.keyCapabilities.decrypt=false
-op.enroll.userKeyTemporary.keyGen.auth.public.keyCapabilities.derive=false
-op.enroll.userKeyTemporary.keyGen.auth.public.keyCapabilities.unwrap=false
-op.enroll.userKeyTemporary.keyGen.auth.public.keyCapabilities.wrap=false
-op.enroll.userKeyTemporary.keyGen.auth.public.keyCapabilities.verifyRecover=true
-op.enroll.userKeyTemporary.keyGen.auth.public.keyCapabilities.verify=true
-op.enroll.userKeyTemporary.keyGen.auth.public.keyCapabilities.sensitive=true
-op.enroll.userKeyTemporary.keyGen.auth.public.keyCapabilities.private=false
-op.enroll.userKeyTemporary.keyGen.auth.public.keyCapabilities.token=true
-op.enroll.userKeyTemporary.keyGen.auth.private.keyCapabilities.encrypt=false
-op.enroll.userKeyTemporary.keyGen.auth.private.keyCapabilities.sign=true
-op.enroll.userKeyTemporary.keyGen.auth.private.keyCapabilities.signRecover=true
-op.enroll.userKeyTemporary.keyGen.auth.private.keyCapabilities.decrypt=false
-op.enroll.userKeyTemporary.keyGen.auth.private.keyCapabilities.derive=false
-op.enroll.userKeyTemporary.keyGen.auth.private.keyCapabilities.unwrap=false
-op.enroll.userKeyTemporary.keyGen.auth.private.keyCapabilities.wrap=false
-op.enroll.userKeyTemporary.keyGen.auth.private.keyCapabilities.verifyRecover=true
-op.enroll.userKeyTemporary.keyGen.auth.private.keyCapabilities.verify=true
-op.enroll.userKeyTemporary.keyGen.auth.private.keyCapabilities.sensitive=true
-op.enroll.userKeyTemporary.keyGen.auth.private.keyCapabilities.private=false
-op.enroll.userKeyTemporary.keyGen.auth.private.keyCapabilities.token=true
-op.enroll.userKeyTemporary.keyGen.auth.label=Temporary Key for $userid$
-op.enroll.userKeyTemporary.keyGen.auth.cuid_label=$cuid$
-op.enroll.userKeyTemporary.keyGen.auth.overwrite=false
-op.enroll.userKeyTemporary.keyGen.auth.certId=C0
-op.enroll.userKeyTemporary.keyGen.auth.certAttrId=c0
-op.enroll.userKeyTemporary.keyGen.auth.privateKeyAttrId=k0
-op.enroll.userKeyTemporary.keyGen.auth.publicKeyAttrId=k1
-op.enroll.userKeyTemporary.keyGen.auth.keyUsage=0
-op.enroll.userKeyTemporary.keyGen.auth.keyUser=15
-op.enroll.userKeyTemporary.keyGen.auth.privateKeyNumber=0
-op.enroll.userKeyTemporary.keyGen.auth.publicKeyNumber=1
-op.enroll.userKeyTemporary.keyGen.auth.ca.profileId=caTempTokenDeviceKeyEnrollment
-op.enroll.userKeyTemporary.keyGen.auth.ca.conn=ca1
-op.enroll.userKeyTemporary.keyGen.signing.keySize=1024
-op.enroll.userKeyTemporary.keyGen.signing.public.keyCapabilities.encrypt=false
-op.enroll.userKeyTemporary.keyGen.signing.public.keyCapabilities.sign=false
-op.enroll.userKeyTemporary.keyGen.signing.public.keyCapabilities.signRecover=false
-op.enroll.userKeyTemporary.keyGen.signing.public.keyCapabilities.decrypt=false
-op.enroll.userKeyTemporary.keyGen.signing.public.keyCapabilities.derive=false
-op.enroll.userKeyTemporary.keyGen.signing.public.keyCapabilities.unwrap=false
-op.enroll.userKeyTemporary.keyGen.signing.public.keyCapabilities.wrap=false
-op.enroll.userKeyTemporary.keyGen.signing.public.keyCapabilities.verifyRecover=true
-op.enroll.userKeyTemporary.keyGen.signing.public.keyCapabilities.verify=true
-op.enroll.userKeyTemporary.keyGen.signing.public.keyCapabilities.sensitive=false
-op.enroll.userKeyTemporary.keyGen.signing.public.keyCapabilities.private=false
-op.enroll.userKeyTemporary.keyGen.signing.public.keyCapabilities.token=true
-op.enroll.userKeyTemporary.keyGen.signing.private.keyCapabilities.encrypt=false
-op.enroll.userKeyTemporary.keyGen.signing.private.keyCapabilities.sign=true
-op.enroll.userKeyTemporary.keyGen.signing.private.keyCapabilities.signRecover=true
-op.enroll.userKeyTemporary.keyGen.signing.private.keyCapabilities.decrypt=false
-op.enroll.userKeyTemporary.keyGen.signing.private.keyCapabilities.derive=false
-op.enroll.userKeyTemporary.keyGen.signing.private.keyCapabilities.unwrap=false
-op.enroll.userKeyTemporary.keyGen.signing.private.keyCapabilities.wrap=false
-op.enroll.userKeyTemporary.keyGen.signing.private.keyCapabilities.verifyRecover=false
-op.enroll.userKeyTemporary.keyGen.signing.private.keyCapabilities.verify=false
-op.enroll.userKeyTemporary.keyGen.signing.private.keyCapabilities.sensitive=true
-op.enroll.userKeyTemporary.keyGen.signing.private.keyCapabilities.private=true
-op.enroll.userKeyTemporary.keyGen.signing.private.keyCapabilities.token=true
-op.enroll.userKeyTemporary.keyGen.signing.label=signing key for $userid$
-op.enroll.userKeyTemporary.keyGen.signing.cuid_label=$cuid$
-op.enroll.userKeyTemporary.keyGen.signing.overwrite=true
-op.enroll.userKeyTemporary.keyGen.signing.certId=C1
-op.enroll.userKeyTemporary.keyGen.signing.certAttrId=c1
-op.enroll.userKeyTemporary.keyGen.signing.privateKeyAttrId=k2
-op.enroll.userKeyTemporary.keyGen.signing.publicKeyAttrId=k3
-op.enroll.userKeyTemporary.keyGen.signing.keyUsage=0
-op.enroll.userKeyTemporary.keyGen.signing.keyUser=0
-op.enroll.userKeyTemporary.keyGen.signing.privateKeyNumber=2
-op.enroll.userKeyTemporary.keyGen.signing.publicKeyNumber=3
-op.enroll.userKeyTemporary.keyGen.signing.ca.profileId=caTempTokenUserSigningKeyEnrollment
-op.enroll.userKeyTemporary.keyGen.signing.ca.conn=ca1
-op.enroll.userKey._080=#op.enroll.userKeyTemporary.keyGen.signing.publisherId=fileBasedPublisher
-op.enroll.userKeyTemporary.keyGen.encryption.keySize=1024
-op.enroll.userKeyTemporary.keyGen.encryption.public.keyCapabilities.encrypt=true
-op.enroll.userKeyTemporary.keyGen.encryption.public.keyCapabilities.sign=false
-op.enroll.userKeyTemporary.keyGen.encryption.public.keyCapabilities.signRecover=false
-op.enroll.userKeyTemporary.keyGen.encryption.public.keyCapabilities.decrypt=false
-op.enroll.userKeyTemporary.keyGen.encryption.public.keyCapabilities.derive=false
-op.enroll.userKeyTemporary.keyGen.encryption.public.keyCapabilities.unwrap=false
-op.enroll.userKeyTemporary.keyGen.encryption.public.keyCapabilities.wrap=true
-op.enroll.userKeyTemporary.keyGen.encryption.public.keyCapabilities.verifyRecover=false
-op.enroll.userKeyTemporary.keyGen.encryption.public.keyCapabilities.verify=false
-op.enroll.userKeyTemporary.keyGen.encryption.public.keyCapabilities.sensitive=false
-op.enroll.userKeyTemporary.keyGen.encryption.public.keyCapabilities.private=false
-op.enroll.userKeyTemporary.keyGen.encryption.public.keyCapabilities.token=true
-op.enroll.userKeyTemporary.keyGen.encryption.private.keyCapabilities.encrypt=false
-op.enroll.userKeyTemporary.keyGen.encryption.private.keyCapabilities.sign=false
-op.enroll.userKeyTemporary.keyGen.encryption.private.keyCapabilities.signRecover=false
-op.enroll.userKeyTemporary.keyGen.encryption.private.keyCapabilities.decrypt=true
-op.enroll.userKeyTemporary.keyGen.encryption.private.keyCapabilities.derive=false
-op.enroll.userKeyTemporary.keyGen.encryption.private.keyCapabilities.unwrap=true
-op.enroll.userKeyTemporary.keyGen.encryption.private.keyCapabilities.wrap=false
-op.enroll.userKeyTemporary.keyGen.encryption.private.keyCapabilities.verifyRecover=false
-op.enroll.userKeyTemporary.keyGen.encryption.private.keyCapabilities.verify=false
-op.enroll.userKeyTemporary.keyGen.encryption.private.keyCapabilities.sensitive=true
-op.enroll.userKeyTemporary.keyGen.encryption.private.keyCapabilities.private=true
-op.enroll.userKeyTemporary.keyGen.encryption.private.keyCapabilities.token=true
-op.enroll.userKeyTemporary.keyGen.encryption.label=encryption key for $userid$
-op.enroll.userKeyTemporary.keyGen.encryption.cuid_label=$cuid$
-op.enroll.userKeyTemporary.keyGen.encryption.overwrite=true
-op.enroll.userKeyTemporary.keyGen.encryption.certId=C2
-op.enroll.userKeyTemporary.keyGen.encryption.certAttrId=c2
-op.enroll.userKeyTemporary.keyGen.encryption.privateKeyAttrId=k4
-op.enroll.userKeyTemporary.keyGen.encryption.publicKeyAttrId=k5
-op.enroll.userKeyTemporary.keyGen.encryption.keyUsage=0
-op.enroll.userKeyTemporary.keyGen.encryption.keyUser=0
-op.enroll.userKeyTemporary.keyGen.encryption.privateKeyNumber=4
-op.enroll.userKeyTemporary.keyGen.encryption.publicKeyNumber=5
-op.enroll.userKeyTemporary.keyGen.encryption.ca.profileId=caTempTokenUserEncryptionKeyEnrollment
-op.enroll.userKeyTemporary.keyGen.encryption.ca.conn=ca1
-op.enroll.userKeyTemporary.pkcs11obj.enable=true
-op.enroll.userKeyTemporary.pkcs11obj.compress.enable=true
-op.enroll.userKeyTemporary.update.applet.emptyToken.enable=true
-op.enroll.userKeyTemporary.update.applet.enable=true
-op.enroll.userKeyTemporary.update.applet.requiredVersion=1.4.4d40a449
-op.enroll.userKeyTemporary.update.applet.directory=[TPS_DIR]/applets
-op.enroll.userKeyTemporary.update.applet.encryption=true
-op.enroll.userKeyTemporary.update.symmetricKeys.enable=false
-op.enroll.userKeyTemporary.update.symmetricKeys.requiredVersion=1
-op.enroll.userKeyTemporary.loginRequest.enable=true
-op.enroll.userKeyTemporary.pinReset.enable=true
-op.enroll.userKeyTemporary.pinReset.pin.maxRetries=127
-op.enroll.userKeyTemporary.pinReset.pin.minLen=4
-op.enroll.userKeyTemporary.pinReset.pin.maxLen=10
-op.enroll.userKeyTemporary.tks.conn=tks1
-op.enroll.userKeyTemporary.cardmgr_instance=A0000000030000
-op.enroll.userKeyTemporary.auth.id=ldap1
-op.enroll.userKeyTemporary.auth.enable=true
+op.enroll.userKey.pkcs11obj.compress.enable=true
+op.enroll.userKey.pkcs11obj.enable=true
op.enroll.userKey.renewal._000=#########################################
op.enroll.userKey.renewal._001=# Token Renewal.
op.enroll.userKey.renewal._002=#
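Review bot: `op.enroll.allowUnknownToken=true` is removed at the top of this hunk and no replacement appears on the new side anywhere in view; this setting controls whether a token not already registered in the TPS database may enroll, so if the re-sort moved it to a hunk outside this excerpt that is fine, but if it was dropped the server's built-in default for an absent key decides enrollment policy and should be confirmed. The same applies to `op.enroll.userKey.temporaryToken.tokenType=userKeyTemporary` and the entire `op.enroll.userKeyTemporary.*` profile removed here: sorted order would place those keys after the `userKey.renewal` block, presumably in the following hunk, but if they are not re-added, the retained banner text at `_075`–`_078` ("special case of tokenType userKeyTemporary") and the `_080` publisherId example become stale and should be removed with them. Separately, the re-added `op.enroll.userKey.keyGen.signing.keySize=1024` and `op.enroll.userKey.keyGen.encryption.keySize=1024` carry forward 1024-bit RSA as the shipped default for user signing and encryption keys; the commit does not change these values, but a reviewer would want a follow-up to raise the default to `2048` where the target applet supports it.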
@@ -1056,307 +896,348 @@ op.enroll.userKey.renewal._014=# values are for completeness only, server
op.enroll.userKey.renewal._015=# code calculates actual values used.
op.enroll.userKey.renewal._016=#
op.enroll.userKey.renewal._017=#########################################
-op.enroll.userKey.renewal.keyType.num=2
-op.enroll.userKey.renewal.keyType.value.0=signing
-op.enroll.userKey.renewal.keyType.value.1=encryption
-op.enroll.userKey.renewal.signing.enable=true
-op.enroll.userKey.renewal.signing.gracePeriod.enable=false
-op.enroll.userKey.renewal.signing.gracePeriod.before=30
-op.enroll.userKey.renewal.signing.gracePeriod.after=30
-op.enroll.userKey.renewal.signing.certId=C1
-op.enroll.userKey.renewal.encryption.certId=C2
-op.enroll.userKey.renewal.signing.certAttrId=c1
+op.enroll.userKey.renewal.encryption.ca.conn=ca1
+op.enroll.userKey.renewal.encryption.ca.profileId=caTokenUserEncryptionKeyRenewal
op.enroll.userKey.renewal.encryption.certAttrId=c2
+op.enroll.userKey.renewal.encryption.certId=C2
op.enroll.userKey.renewal.encryption.enable=true
-op.enroll.userKey.renewal.encryption.gracePeriod.enable=false
-op.enroll.userKey.renewal.encryption.gracePeriod.before=30
op.enroll.userKey.renewal.encryption.gracePeriod.after=30
+op.enroll.userKey.renewal.encryption.gracePeriod.before=30
+op.enroll.userKey.renewal.encryption.gracePeriod.enable=false
+op.enroll.userKey.renewal.keyType.num=2
+op.enroll.userKey.renewal.keyType.value.0=signing
+op.enroll.userKey.renewal.keyType.value.1=encryption
op.enroll.userKey.renewal.signing.ca.conn=ca1
-op.enroll.userKey.renewal.encryption.ca.conn=ca1
op.enroll.userKey.renewal.signing.ca.profileId=caTokenUserSigningKeyRenewal
-op.enroll.userKey.renewal.encryption.ca.profileId=caTokenUserEncryptionKeyRenewal
-op.enroll.soKey.temporaryToken.tokenType=soKeyTemporary
-op.enroll.soKey.keyGen.recovery.destroyed.keyType.num=2
-op.enroll.soKey.keyGen.recovery.destroyed.keyType.value.0=signing
-op.enroll.soKey.keyGen.recovery.destroyed.keyType.value.1=encryption
-op.enroll.soKey.keyGen.signing.recovery.destroyed.scheme=GenerateNewKey
-op.enroll.soKey.keyGen.signing.recovery.destroyed.revokeCert=true
-op.enroll.soKey.keyGen.signing.recovery.destroyed.revokeCert.reason=0
-op.enroll.soKey.keyGen.encryption.recovery.destroyed.scheme=RecoverLast
-op.enroll.soKey.keyGen.encryption.recovery.destroyed.revokeCert=false
-op.enroll.soKey.keyGen.encryption.recovery.destroyed.revokeCert.reason=0
-op.enroll.soKey.keyGen.recovery.keyCompromise.keyType.num=2
-op.enroll.soKey.keyGen.recovery.keyCompromise.keyType.value.0=signing
-op.enroll.soKey.keyGen.recovery.keyCompromise.keyType.value.1=encryption
-op.enroll.soKey.keyGen.signing.recovery.keyCompromise.scheme=GenerateNewKey
-op.enroll.soKey.keyGen.signing.recovery.keyCompromise.revokeCert=true
-op.enroll.soKey.keyGen.signing.recovery.keyCompromise.revokeCert.reason=1
-op.enroll.soKey.keyGen.encryption.recovery.keyCompromise.scheme=GenerateNewKey
-op.enroll.soKey.keyGen.encryption.recovery.keyCompromise.revokeCert=true
-op.enroll.soKey.keyGen.encryption.recovery.keyCompromise.revokeCert.reason=1
-op.enroll.soKey.keyGen.recovery.onHold.keyType.num=2
-op.enroll.soKey.keyGen.recovery.onHold.keyType.value.0=signing
-op.enroll.soKey.keyGen.recovery.onHold.keyType.value.1=encryption
-op.enroll.soKey.keyGen.signing.recovery.onHold.scheme=GenerateNewKey
-op.enroll.soKey.keyGen.signing.recovery.onHold.revokeCert=true
-op.enroll.soKey.keyGen.signing.recovery.onHold.revokeCert.reason=6
-op.enroll.soKey.keyGen.encryption.recovery.onHold.scheme=GenerateNewKey
-op.enroll.soKey.keyGen.encryption.recovery.onHold.revokeCert=true
-op.enroll.soKey.keyGen.encryption.recovery.onHold.revokeCert.reason=6
-op.enroll.soKey.keyGen.tokenName=$auth.cn$
-op.enroll.soKey.keyGen.keyType.num=2
-op.enroll.soKey.keyGen.keyType.value.0=signing
-op.enroll.soKey.keyGen.keyType.value.1=encryption
-op.enroll.soKey.keyGen.signing.keySize=1024
-op.enroll.soKey.keyGen.signing.public.keyCapabilities.encrypt=false
-op.enroll.soKey.keyGen.signing.public.keyCapabilities.sign=false
-op.enroll.soKey.keyGen.signing.public.keyCapabilities.signRecover=false
-op.enroll.soKey.keyGen.signing.public.keyCapabilities.decrypt=false
-op.enroll.soKey.keyGen.signing.public.keyCapabilities.derive=false
-op.enroll.soKey.keyGen.signing.public.keyCapabilities.unwrap=false
-op.enroll.soKey.keyGen.signing.public.keyCapabilities.wrap=false
-op.enroll.soKey.keyGen.signing.public.keyCapabilities.verifyRecover=true
-op.enroll.soKey.keyGen.signing.public.keyCapabilities.verify=true
-op.enroll.soKey.keyGen.signing.public.keyCapabilities.sensitive=false
-op.enroll.soKey.keyGen.signing.public.keyCapabilities.private=false
-op.enroll.soKey.keyGen.signing.public.keyCapabilities.token=true
-op.enroll.soKey.keyGen.signing.private.keyCapabilities.encrypt=false
-op.enroll.soKey.keyGen.signing.private.keyCapabilities.sign=true
-op.enroll.soKey.keyGen.signing.private.keyCapabilities.signRecover=true
-op.enroll.soKey.keyGen.signing.private.keyCapabilities.decrypt=false
-op.enroll.soKey.keyGen.signing.private.keyCapabilities.derive=false
-op.enroll.soKey.keyGen.signing.private.keyCapabilities.unwrap=false
-op.enroll.soKey.keyGen.signing.private.keyCapabilities.wrap=false
-op.enroll.soKey.keyGen.signing.private.keyCapabilities.verifyRecover=false
-op.enroll.soKey.keyGen.signing.private.keyCapabilities.verify=false
-op.enroll.soKey.keyGen.signing.private.keyCapabilities.sensitive=true
-op.enroll.soKey.keyGen.signing.private.keyCapabilities.private=true
-op.enroll.soKey.keyGen.signing.private.keyCapabilities.token=true
-op.enroll.soKey.keyGen.signing.label=signing key for $userid$
-op.enroll.soKey.keyGen.signing.cuid_label=$cuid$
-op.enroll.soKey.keyGen.signing.overwrite=true
-op.enroll.soKey.keyGen.signing.certId=C1
-op.enroll.soKey.keyGen.signing.certAttrId=c1
-op.enroll.soKey.keyGen.signing.privateKeyAttrId=k2
-op.enroll.soKey.keyGen.signing.publicKeyAttrId=k3
-op.enroll.soKey.keyGen.signing.keyUsage=0
-op.enroll.soKey.keyGen.signing.keyUser=0
-op.enroll.soKey.keyGen.signing.privateKeyNumber=2
-op.enroll.soKey.keyGen.signing.publicKeyNumber=3
-op.enroll.soKey.keyGen.signing.ca.profileId=caTokenUserSigningKeyEnrollment
-op.enroll.soKey.keyGen.signing.ca.conn=ca1
-op.enroll.soKey._079=#op.enroll.userKey.keyGen.signing.publisherId=fileBasedPublisher
-op.enroll.soKey.keyGen.encryption.keySize=1024
-op.enroll.soKey.keyGen.encryption.public.keyCapabilities.encrypt=true
-op.enroll.soKey.keyGen.encryption.public.keyCapabilities.sign=false
-op.enroll.soKey.keyGen.encryption.public.keyCapabilities.signRecover=false
-op.enroll.soKey.keyGen.encryption.public.keyCapabilities.decrypt=false
-op.enroll.soKey.keyGen.encryption.public.keyCapabilities.derive=false
-op.enroll.soKey.keyGen.encryption.public.keyCapabilities.unwrap=false
-op.enroll.soKey.keyGen.encryption.public.keyCapabilities.wrap=true
-op.enroll.soKey.keyGen.encryption.public.keyCapabilities.verifyRecover=false
-op.enroll.soKey.keyGen.encryption.public.keyCapabilities.verify=false
-op.enroll.soKey.keyGen.encryption.public.keyCapabilities.sensitive=false
-op.enroll.soKey.keyGen.encryption.public.keyCapabilities.private=false
-op.enroll.soKey.keyGen.encryption.public.keyCapabilities.token=true
-op.enroll.soKey.keyGen.encryption.private.keyCapabilities.encrypt=false
-op.enroll.soKey.keyGen.encryption.private.keyCapabilities.sign=false
-op.enroll.soKey.keyGen.encryption.private.keyCapabilities.signRecover=false
-op.enroll.soKey.keyGen.encryption.private.keyCapabilities.decrypt=true
-op.enroll.soKey.keyGen.encryption.private.keyCapabilities.derive=false
-op.enroll.soKey.keyGen.encryption.private.keyCapabilities.unwrap=true
-op.enroll.soKey.keyGen.encryption.private.keyCapabilities.wrap=false
-op.enroll.soKey.keyGen.encryption.private.keyCapabilities.verifyRecover=false
-op.enroll.soKey.keyGen.encryption.private.keyCapabilities.verify=false
-op.enroll.soKey.keyGen.encryption.private.keyCapabilities.sensitive=true
-op.enroll.soKey.keyGen.encryption.private.keyCapabilities.private=true
-op.enroll.soKey.keyGen.encryption.private.keyCapabilities.token=true
-op.enroll.soKey.keyGen.encryption.label=encryption key for $userid$
-op.enroll.soKey.keyGen.encryption.cuid_label=$cuid$
-op.enroll.soKey.keyGen.encryption.overwrite=true
-op.enroll.soKey.keyGen.encryption.certId=C2
-op.enroll.soKey.keyGen.encryption.certAttrId=c2
-op.enroll.soKey.keyGen.encryption.privateKeyAttrId=k4
-op.enroll.soKey.keyGen.encryption.publicKeyAttrId=k5
-op.enroll.soKey.keyGen.encryption.keyUsage=0
-op.enroll.soKey.keyGen.encryption.keyUser=0
-op.enroll.soKey.keyGen.encryption.privateKeyNumber=4
-op.enroll.soKey.keyGen.encryption.publicKeyNumber=5
-op.enroll.soKey.keyGen.encryption.ca.profileId=caTokenUserEncryptionKeyEnrollment
-op.enroll.soKey.keyGen.encryption.ca.conn=ca1
-op.enroll.soKey.pkcs11obj.enable=true
-op.enroll.soKey.pkcs11obj.compress.enable=true
-op.enroll.soKey.update.applet.emptyToken.enable=true
-op.enroll.soKey.update.applet.enable=true
-op.enroll.soKey.update.applet.requiredVersion=1.4.4d40a449
-op.enroll.soKey.update.applet.directory=[TPS_DIR]/applets
-op.enroll.soKey.update.applet.encryption=true
-op.enroll.soKey.update.symmetricKeys.enable=false
-op.enroll.soKey.update.symmetricKeys.requiredVersion=1
-op.enroll.soKey.loginRequest.enable=true
-op.enroll.soKey.pinReset.enable=true
-op.enroll.soKey.pinReset.pin.maxRetries=127
-op.enroll.soKey.pinReset.pin.minLen=4
-op.enroll.soKey.pinReset.pin.maxLen=10
-op.enroll.soKey.cardmgr_instance=A0000000030000
-op.enroll.soKey.tks.conn=tks1
-op.enroll.soKey.auth.id=ldap2
-op.enroll.soKey.auth.enable=true
-op.enroll.soKey.issuerinfo.enable=true
-op.enroll.soKey.issuerinfo.value=http://[PKI_HOSTNAME]:[PKI_UNSECURE_PORT]/cgi-bin/so/index.cgi
-op.enroll.soKeyTemporary.keyGen.recovery.onHold.keyType.num=2
-op.enroll.soKeyTemporary.keyGen.recovery.onHold.keyType.value.0=signing
-op.enroll.soKeyTemporary.keyGen.recovery.onHold.keyType.value.1=encryption
-op.enroll.soKeyTemporary.keyGen.signing.recovery.onHold.scheme=GenerateNewKey
-op.enroll.soKeyTemporary.keyGen.signing.recovery.onHold.revokeCert=true
-op.enroll.soKeyTemporary.keyGen.signing.recovery.onHold.revokeCert.reason=0
-op.enroll.soKeyTemporary.keyGen.encryption.recovery.onHold.scheme=RecoverLast
-op.enroll.soKeyTemporary.keyGen.encryption.recovery.onHold.revokeCert=true
-op.enroll.soKeyTemporary.keyGen.encryption.recovery.onHold.revokeCert.reason=0
-op.enroll.soKey.keyGen.encryption.serverKeygen.enable=[SERVER_KEYGEN]
-op.enroll.soKey.keyGen.encryption.serverKeygen.drm.conn=drm1
-op.enroll.soKey.keyGen.encryption.serverKeygen.archive=true
-op.enroll.soKeyTemporary.keyGen.encryption.serverKeygen.enable=true
-op.enroll.soKeyTemporary.keyGen.encryption.serverKeygen.drm.conn=drm1
-op.enroll.soKeyTemporary.keyGen.encryption.serverKeygen.archive=true
-op.enroll.soKeyTemporary.keyGen.tokenName=$auth.cn$ (Temporary)
-op.enroll.soKeyTemporary.keyGen.keyType.num=3
-op.enroll.soKeyTemporary.keyGen.keyType.value.0=auth
-op.enroll.soKeyTemporary.keyGen.keyType.value.1=signing
-op.enroll.soKeyTemporary.keyGen.keyType.value.2=encryption
-op.enroll.soKeyTemporary.keyGen.auth.keySize=1024
-op.enroll.soKeyTemporary.keyGen.auth.public.keyCapabilities.encrypt=false
-op.enroll.soKeyTemporary.keyGen.auth.public.keyCapabilities.sign=true
-op.enroll.soKeyTemporary.keyGen.auth.public.keyCapabilities.signRecover=true
-op.enroll.soKeyTemporary.keyGen.auth.public.keyCapabilities.decrypt=false
-op.enroll.soKeyTemporary.keyGen.auth.public.keyCapabilities.derive=false
-op.enroll.soKeyTemporary.keyGen.auth.public.keyCapabilities.unwrap=false
-op.enroll.soKeyTemporary.keyGen.auth.public.keyCapabilities.wrap=false
-op.enroll.soKeyTemporary.keyGen.auth.public.keyCapabilities.verifyRecover=true
-op.enroll.soKeyTemporary.keyGen.auth.public.keyCapabilities.verify=true
-op.enroll.soKeyTemporary.keyGen.auth.public.keyCapabilities.sensitive=true
-op.enroll.soKeyTemporary.keyGen.auth.public.keyCapabilities.private=false
-op.enroll.soKeyTemporary.keyGen.auth.public.keyCapabilities.token=true
-op.enroll.soKeyTemporary.keyGen.auth.private.keyCapabilities.encrypt=false
-op.enroll.soKeyTemporary.keyGen.auth.private.keyCapabilities.sign=true
-op.enroll.soKeyTemporary.keyGen.auth.private.keyCapabilities.signRecover=true
-op.enroll.soKeyTemporary.keyGen.auth.private.keyCapabilities.decrypt=false
-op.enroll.soKeyTemporary.keyGen.auth.private.keyCapabilities.derive=false
-op.enroll.soKeyTemporary.keyGen.auth.private.keyCapabilities.unwrap=false
-op.enroll.soKeyTemporary.keyGen.auth.private.keyCapabilities.wrap=false
-op.enroll.soKeyTemporary.keyGen.auth.private.keyCapabilities.verifyRecover=true
-op.enroll.soKeyTemporary.keyGen.auth.private.keyCapabilities.verify=true
-op.enroll.soKeyTemporary.keyGen.auth.private.keyCapabilities.sensitive=true
-op.enroll.soKeyTemporary.keyGen.auth.private.keyCapabilities.private=false
-op.enroll.soKeyTemporary.keyGen.auth.private.keyCapabilities.token=true
-op.enroll.soKeyTemporary.keyGen.auth.label=Temporary Key for $userid$
-op.enroll.soKeyTemporary.keyGen.auth.cuid_label=$cuid$
-op.enroll.soKeyTemporary.keyGen.auth.overwrite=false
-op.enroll.soKeyTemporary.keyGen.auth.certId=C0
-op.enroll.soKeyTemporary.keyGen.auth.certAttrId=c0
-op.enroll.soKeyTemporary.keyGen.auth.privateKeyAttrId=k0
-op.enroll.soKeyTemporary.keyGen.auth.publicKeyAttrId=k1
-op.enroll.soKeyTemporary.keyGen.auth.keyUsage=0
-op.enroll.soKeyTemporary.keyGen.auth.keyUser=15
-op.enroll.soKeyTemporary.keyGen.auth.privateKeyNumber=0
-op.enroll.soKeyTemporary.keyGen.auth.publicKeyNumber=1
-op.enroll.soKeyTemporary.keyGen.auth.ca.profileId=caTempTokenDeviceKeyEnrollment
-op.enroll.soKeyTemporary.keyGen.auth.ca.conn=ca1
-op.enroll.soKeyTemporary.keyGen.signing.keySize=1024
-op.enroll.soKeyTemporary.keyGen.signing.public.keyCapabilities.encrypt=false
-op.enroll.soKeyTemporary.keyGen.signing.public.keyCapabilities.sign=false
-op.enroll.soKeyTemporary.keyGen.signing.public.keyCapabilities.signRecover=false
-op.enroll.soKeyTemporary.keyGen.signing.public.keyCapabilities.decrypt=false
-op.enroll.soKeyTemporary.keyGen.signing.public.keyCapabilities.derive=false
-op.enroll.soKeyTemporary.keyGen.signing.public.keyCapabilities.unwrap=false
-op.enroll.soKeyTemporary.keyGen.signing.public.keyCapabilities.wrap=false
-op.enroll.soKeyTemporary.keyGen.signing.public.keyCapabilities.verifyRecover=true
-op.enroll.soKeyTemporary.keyGen.signing.public.keyCapabilities.verify=true
-op.enroll.soKeyTemporary.keyGen.signing.public.keyCapabilities.sensitive=false
-op.enroll.soKeyTemporary.keyGen.signing.public.keyCapabilities.private=false
-op.enroll.soKeyTemporary.keyGen.signing.public.keyCapabilities.token=true
-op.enroll.soKeyTemporary.keyGen.signing.private.keyCapabilities.encrypt=false
-op.enroll.soKeyTemporary.keyGen.signing.private.keyCapabilities.sign=true
-op.enroll.soKeyTemporary.keyGen.signing.private.keyCapabilities.signRecover=true
-op.enroll.soKeyTemporary.keyGen.signing.private.keyCapabilities.decrypt=false
-op.enroll.soKeyTemporary.keyGen.signing.private.keyCapabilities.derive=false
-op.enroll.soKeyTemporary.keyGen.signing.private.keyCapabilities.unwrap=false
-op.enroll.soKeyTemporary.keyGen.signing.private.keyCapabilities.wrap=false
-op.enroll.soKeyTemporary.keyGen.signing.private.keyCapabilities.verifyRecover=false
-op.enroll.soKeyTemporary.keyGen.signing.private.keyCapabilities.verify=false
-op.enroll.soKeyTemporary.keyGen.signing.private.keyCapabilities.sensitive=true
-op.enroll.soKeyTemporary.keyGen.signing.private.keyCapabilities.private=true
-op.enroll.soKeyTemporary.keyGen.signing.private.keyCapabilities.token=true
-op.enroll.soKeyTemporary.keyGen.signing.label=signing key for $userid$
-op.enroll.soKeyTemporary.keyGen.signing.cuid_label=$cuid$
-op.enroll.soKeyTemporary.keyGen.signing.overwrite=true
-op.enroll.soKeyTemporary.keyGen.signing.certId=C1
-op.enroll.soKeyTemporary.keyGen.signing.certAttrId=c1
-op.enroll.soKeyTemporary.keyGen.signing.privateKeyAttrId=k2
-op.enroll.soKeyTemporary.keyGen.signing.publicKeyAttrId=k3
-op.enroll.soKeyTemporary.keyGen.signing.keyUsage=0
-op.enroll.soKeyTemporary.keyGen.signing.keyUser=0
-op.enroll.soKeyTemporary.keyGen.signing.privateKeyNumber=2
-op.enroll.soKeyTemporary.keyGen.signing.publicKeyNumber=3
-op.enroll.soKeyTemporary.keyGen.signing.ca.profileId=caTempTokenUserSigningKeyEnrollment
-op.enroll.soKeyTemporary.keyGen.signing.ca.conn=ca1
-op.enroll.soKeyTemporary.keyGen.encryption.keySize=1024
-op.enroll.soKeyTemporary.keyGen.encryption.public.keyCapabilities.encrypt=true
-op.enroll.soKeyTemporary.keyGen.encryption.public.keyCapabilities.sign=false
-op.enroll.soKeyTemporary.keyGen.encryption.public.keyCapabilities.signRecover=false
-op.enroll.soKeyTemporary.keyGen.encryption.public.keyCapabilities.decrypt=false
-op.enroll.soKeyTemporary.keyGen.encryption.public.keyCapabilities.derive=false
-op.enroll.soKeyTemporary.keyGen.encryption.public.keyCapabilities.unwrap=false
-op.enroll.soKeyTemporary.keyGen.encryption.public.keyCapabilities.wrap=true
-op.enroll.soKeyTemporary.keyGen.encryption.public.keyCapabilities.verifyRecover=false
-op.enroll.soKeyTemporary.keyGen.encryption.public.keyCapabilities.verify=false
-op.enroll.soKeyTemporary.keyGen.encryption.public.keyCapabilities.sensitive=false
-op.enroll.soKeyTemporary.keyGen.encryption.public.keyCapabilities.private=false
-op.enroll.soKeyTemporary.keyGen.encryption.public.keyCapabilities.token=true
-op.enroll.soKeyTemporary.keyGen.encryption.private.keyCapabilities.encrypt=false
-op.enroll.soKeyTemporary.keyGen.encryption.private.keyCapabilities.sign=false
-op.enroll.soKeyTemporary.keyGen.encryption.private.keyCapabilities.signRecover=false
-op.enroll.soKeyTemporary.keyGen.encryption.private.keyCapabilities.decrypt=true
-op.enroll.soKeyTemporary.keyGen.encryption.private.keyCapabilities.derive=false
-op.enroll.soKeyTemporary.keyGen.encryption.private.keyCapabilities.unwrap=true
-op.enroll.soKeyTemporary.keyGen.encryption.private.keyCapabilities.wrap=false
-op.enroll.soKeyTemporary.keyGen.encryption.private.keyCapabilities.verifyRecover=false
-op.enroll.soKeyTemporary.keyGen.encryption.private.keyCapabilities.verify=false
-op.enroll.soKeyTemporary.keyGen.encryption.private.keyCapabilities.sensitive=true
-op.enroll.soKeyTemporary.keyGen.encryption.private.keyCapabilities.private=true
-op.enroll.soKeyTemporary.keyGen.encryption.private.keyCapabilities.token=true
-op.enroll.soKeyTemporary.keyGen.encryption.label=encryption key for $userid$
-op.enroll.soKeyTemporary.keyGen.encryption.cuid_label=$cuid$
-op.enroll.soKeyTemporary.keyGen.encryption.overwrite=true
-op.enroll.soKeyTemporary.keyGen.encryption.certId=C2
-op.enroll.soKeyTemporary.keyGen.encryption.certAttrId=c2
-op.enroll.soKeyTemporary.keyGen.encryption.privateKeyAttrId=k4
-op.enroll.soKeyTemporary.keyGen.encryption.publicKeyAttrId=k5
-op.enroll.soKeyTemporary.keyGen.encryption.keyUsage=0
-op.enroll.soKeyTemporary.keyGen.encryption.keyUser=0
-op.enroll.soKeyTemporary.keyGen.encryption.privateKeyNumber=4
-op.enroll.soKeyTemporary.keyGen.encryption.publicKeyNumber=5
-op.enroll.soKeyTemporary.keyGen.encryption.ca.profileId=caTempTokenUserEncryptionKeyEnrollment
-op.enroll.soKeyTemporary.keyGen.encryption.ca.conn=ca1
-op.enroll.soKeyTemporary.pkcs11obj.enable=true
-op.enroll.soKeyTemporary.pkcs11obj.compress.enable=true
-op.enroll.soKeyTemporary.update.applet.emptyToken.enable=true
-op.enroll.soKeyTemporary.update.applet.enable=true
-op.enroll.soKeyTemporary.update.applet.requiredVersion=1.4.4d40a449
-op.enroll.soKeyTemporary.update.applet.directory=[TPS_DIR]/applets
-op.enroll.soKeyTemporary.update.applet.encryption=true
-op.enroll.soKeyTemporary.update.symmetricKeys.enable=false
-op.enroll.soKeyTemporary.update.symmetricKeys.requiredVersion=1
-op.enroll.soKeyTemporary.loginRequest.enable=true
-op.enroll.soKeyTemporary.pinReset.enable=true
-op.enroll.soKeyTemporary.pinReset.pin.maxRetries=127
-op.enroll.soKeyTemporary.pinReset.pin.minLen=4
-op.enroll.soKeyTemporary.pinReset.pin.maxLen=10
-op.enroll.soKeyTemporary.cardmgr_instance=A0000000030000
-op.enroll.soKeyTemporary.tks.conn=tks1
-op.enroll.soKeyTemporary.tks.keySet=defKeyset
-op.enroll.soKeyTemporary.auth.id=ldap2
-op.enroll.soKeyTemporary.auth.enable=true
+op.enroll.userKey.renewal.signing.certAttrId=c1
+op.enroll.userKey.renewal.signing.certId=C1
+op.enroll.userKey.renewal.signing.enable=true
+op.enroll.userKey.renewal.signing.gracePeriod.after=30
+op.enroll.userKey.renewal.signing.gracePeriod.before=30
+op.enroll.userKey.renewal.signing.gracePeriod.enable=false
+op.enroll.userKeyTemporary.auth.enable=true
+op.enroll.userKeyTemporary.auth.id=ldap1
+op.enroll.userKeyTemporary.cardmgr_instance=A0000000030000
+op.enroll.userKeyTemporary.keyGen.auth.ca.conn=ca1
+op.enroll.userKeyTemporary.keyGen.auth.ca.profileId=caTempTokenDeviceKeyEnrollment
+op.enroll.userKeyTemporary.keyGen.auth.certAttrId=c0
+op.enroll.userKeyTemporary.keyGen.auth.certId=C0
+op.enroll.userKeyTemporary.keyGen.auth.cuid_label=$cuid$
+op.enroll.userKeyTemporary.keyGen.auth.keySize=1024
+op.enroll.userKeyTemporary.keyGen.auth.keyUsage=0
+op.enroll.userKeyTemporary.keyGen.auth.keyUser=15
+op.enroll.userKeyTemporary.keyGen.auth.label=Temporary Key for $userid$
+op.enroll.userKeyTemporary.keyGen.auth.overwrite=false
+op.enroll.userKeyTemporary.keyGen.auth.privateKeyAttrId=k0
+op.enroll.userKeyTemporary.keyGen.auth.private.keyCapabilities.decrypt=false
+op.enroll.userKeyTemporary.keyGen.auth.private.keyCapabilities.derive=false
+op.enroll.userKeyTemporary.keyGen.auth.private.keyCapabilities.encrypt=false
+op.enroll.userKeyTemporary.keyGen.auth.private.keyCapabilities.private=false
+op.enroll.userKeyTemporary.keyGen.auth.private.keyCapabilities.sensitive=true
+op.enroll.userKeyTemporary.keyGen.auth.private.keyCapabilities.signRecover=true
+op.enroll.userKeyTemporary.keyGen.auth.private.keyCapabilities.sign=true
+op.enroll.userKeyTemporary.keyGen.auth.private.keyCapabilities.token=true
+op.enroll.userKeyTemporary.keyGen.auth.private.keyCapabilities.unwrap=false
+op.enroll.userKeyTemporary.keyGen.auth.private.keyCapabilities.verifyRecover=true
+op.enroll.userKeyTemporary.keyGen.auth.private.keyCapabilities.verify=true
+op.enroll.userKeyTemporary.keyGen.auth.private.keyCapabilities.wrap=false
+op.enroll.userKeyTemporary.keyGen.auth.privateKeyNumber=0
+op.enroll.userKeyTemporary.keyGen.auth.publicKeyAttrId=k1
+op.enroll.userKeyTemporary.keyGen.auth.public.keyCapabilities.decrypt=false
+op.enroll.userKeyTemporary.keyGen.auth.public.keyCapabilities.derive=false
+op.enroll.userKeyTemporary.keyGen.auth.public.keyCapabilities.encrypt=false
+op.enroll.userKeyTemporary.keyGen.auth.public.keyCapabilities.private=false
+op.enroll.userKeyTemporary.keyGen.auth.public.keyCapabilities.sensitive=true
+op.enroll.userKeyTemporary.keyGen.auth.public.keyCapabilities.signRecover=true
+op.enroll.userKeyTemporary.keyGen.auth.public.keyCapabilities.sign=true
+op.enroll.userKeyTemporary.keyGen.auth.public.keyCapabilities.token=true
+op.enroll.userKeyTemporary.keyGen.auth.public.keyCapabilities.unwrap=false
+op.enroll.userKeyTemporary.keyGen.auth.public.keyCapabilities.verifyRecover=true
+op.enroll.userKeyTemporary.keyGen.auth.public.keyCapabilities.verify=true
+op.enroll.userKeyTemporary.keyGen.auth.public.keyCapabilities.wrap=false
+op.enroll.userKeyTemporary.keyGen.auth.publicKeyNumber=1
+op.enroll.userKeyTemporary.keyGen.encryption.ca.conn=ca1
+op.enroll.userKeyTemporary.keyGen.encryption.ca.profileId=caTempTokenUserEncryptionKeyEnrollment
+op.enroll.userKeyTemporary.keyGen.encryption.certAttrId=c2
+op.enroll.userKeyTemporary.keyGen.encryption.certId=C2
+op.enroll.userKeyTemporary.keyGen.encryption.cuid_label=$cuid$
+op.enroll.userKeyTemporary.keyGen.encryption.keySize=1024
+op.enroll.userKeyTemporary.keyGen.encryption.keyUsage=0
+op.enroll.userKeyTemporary.keyGen.encryption.keyUser=0
+op.enroll.userKeyTemporary.keyGen.encryption.label=encryption key for $userid$
+op.enroll.userKeyTemporary.keyGen.encryption.overwrite=true
+op.enroll.userKeyTemporary.keyGen.encryption.privateKeyAttrId=k4
+op.enroll.userKeyTemporary.keyGen.encryption.private.keyCapabilities.decrypt=true
+op.enroll.userKeyTemporary.keyGen.encryption.private.keyCapabilities.derive=false
+op.enroll.userKeyTemporary.keyGen.encryption.private.keyCapabilities.encrypt=false
+op.enroll.userKeyTemporary.keyGen.encryption.private.keyCapabilities.private=true
+op.enroll.userKeyTemporary.keyGen.encryption.private.keyCapabilities.sensitive=true
+op.enroll.userKeyTemporary.keyGen.encryption.private.keyCapabilities.sign=false
+op.enroll.userKeyTemporary.keyGen.encryption.private.keyCapabilities.signRecover=false
+op.enroll.userKeyTemporary.keyGen.encryption.private.keyCapabilities.token=true
+op.enroll.userKeyTemporary.keyGen.encryption.private.keyCapabilities.unwrap=true
+op.enroll.userKeyTemporary.keyGen.encryption.private.keyCapabilities.verify=false
+op.enroll.userKeyTemporary.keyGen.encryption.private.keyCapabilities.verifyRecover=false
+op.enroll.userKeyTemporary.keyGen.encryption.private.keyCapabilities.wrap=false
+op.enroll.userKeyTemporary.keyGen.encryption.privateKeyNumber=4
+op.enroll.userKeyTemporary.keyGen.encryption.publicKeyAttrId=k5
+op.enroll.userKeyTemporary.keyGen.encryption.public.keyCapabilities.decrypt=false
+op.enroll.userKeyTemporary.keyGen.encryption.public.keyCapabilities.derive=false
+op.enroll.userKeyTemporary.keyGen.encryption.public.keyCapabilities.encrypt=true
+op.enroll.userKeyTemporary.keyGen.encryption.public.keyCapabilities.private=false
+op.enroll.userKeyTemporary.keyGen.encryption.public.keyCapabilities.sensitive=false
+op.enroll.userKeyTemporary.keyGen.encryption.public.keyCapabilities.sign=false
+op.enroll.userKeyTemporary.keyGen.encryption.public.keyCapabilities.signRecover=false
+op.enroll.userKeyTemporary.keyGen.encryption.public.keyCapabilities.token=true
+op.enroll.userKeyTemporary.keyGen.encryption.public.keyCapabilities.unwrap=false
+op.enroll.userKeyTemporary.keyGen.encryption.public.keyCapabilities.verify=false
+op.enroll.userKeyTemporary.keyGen.encryption.public.keyCapabilities.verifyRecover=false
+op.enroll.userKeyTemporary.keyGen.encryption.public.keyCapabilities.wrap=true
+op.enroll.userKeyTemporary.keyGen.encryption.publicKeyNumber=5
+op.enroll.userKeyTemporary.keyGen.encryption.recovery.onHold.revokeCert.reason=0
+op.enroll.userKeyTemporary.keyGen.encryption.recovery.onHold.revokeCert=true
+op.enroll.userKeyTemporary.keyGen.encryption.recovery.onHold.scheme=RecoverLast
+op.enroll.userKeyTemporary.keyGen.encryption.serverKeygen.archive=true
+op.enroll.userKeyTemporary.keyGen.encryption.serverKeygen.drm.conn=drm1
+op.enroll.userKeyTemporary.keyGen.encryption.serverKeygen.enable=true
+op.enroll.userKeyTemporary.keyGen.keyType.num=3
+op.enroll.userKeyTemporary.keyGen.keyType.value.0=auth
+op.enroll.userKeyTemporary.keyGen.keyType.value.1=signing
+op.enroll.userKeyTemporary.keyGen.keyType.value.2=encryption
+op.enroll.userKeyTemporary.keyGen.recovery.onHold.keyType.num=2
+op.enroll.userKeyTemporary.keyGen.recovery.onHold.keyType.value.0=signing
+op.enroll.userKeyTemporary.keyGen.recovery.onHold.keyType.value.1=encryption
+op.enroll.userKeyTemporary.keyGen.signing.ca.conn=ca1
+op.enroll.userKeyTemporary.keyGen.signing.ca.profileId=caTempTokenUserSigningKeyEnrollment
+op.enroll.userKeyTemporary.keyGen.signing.certAttrId=c1
+op.enroll.userKeyTemporary.keyGen.signing.certId=C1
+op.enroll.userKeyTemporary.keyGen.signing.cuid_label=$cuid$
+op.enroll.userKeyTemporary.keyGen.signing.keySize=1024
+op.enroll.userKeyTemporary.keyGen.signing.keyUsage=0
+op.enroll.userKeyTemporary.keyGen.signing.keyUser=0
+op.enroll.userKeyTemporary.keyGen.signing.label=signing key for $userid$
+op.enroll.userKeyTemporary.keyGen.signing.overwrite=true
+op.enroll.userKeyTemporary.keyGen.signing.privateKeyAttrId=k2
+op.enroll.userKeyTemporary.keyGen.signing.private.keyCapabilities.decrypt=false
+op.enroll.userKeyTemporary.keyGen.signing.private.keyCapabilities.derive=false
+op.enroll.userKeyTemporary.keyGen.signing.private.keyCapabilities.encrypt=false
+op.enroll.userKeyTemporary.keyGen.signing.private.keyCapabilities.private=true
+op.enroll.userKeyTemporary.keyGen.signing.private.keyCapabilities.sensitive=true
+op.enroll.userKeyTemporary.keyGen.signing.private.keyCapabilities.signRecover=true
+op.enroll.userKeyTemporary.keyGen.signing.private.keyCapabilities.sign=true
+op.enroll.userKeyTemporary.keyGen.signing.private.keyCapabilities.token=true
+op.enroll.userKeyTemporary.keyGen.signing.private.keyCapabilities.unwrap=false
+op.enroll.userKeyTemporary.keyGen.signing.private.keyCapabilities.verify=false
+op.enroll.userKeyTemporary.keyGen.signing.private.keyCapabilities.verifyRecover=false
+op.enroll.userKeyTemporary.keyGen.signing.private.keyCapabilities.wrap=false
+op.enroll.userKeyTemporary.keyGen.signing.privateKeyNumber=2
+op.enroll.userKeyTemporary.keyGen.signing.publicKeyAttrId=k3
+op.enroll.userKeyTemporary.keyGen.signing.public.keyCapabilities.decrypt=false
+op.enroll.userKeyTemporary.keyGen.signing.public.keyCapabilities.derive=false
+op.enroll.userKeyTemporary.keyGen.signing.public.keyCapabilities.encrypt=false
+op.enroll.userKeyTemporary.keyGen.signing.public.keyCapabilities.private=false
+op.enroll.userKeyTemporary.keyGen.signing.public.keyCapabilities.sensitive=false
+op.enroll.userKeyTemporary.keyGen.signing.public.keyCapabilities.sign=false
+op.enroll.userKeyTemporary.keyGen.signing.public.keyCapabilities.signRecover=false
+op.enroll.userKeyTemporary.keyGen.signing.public.keyCapabilities.token=true
+op.enroll.userKeyTemporary.keyGen.signing.public.keyCapabilities.unwrap=false
+op.enroll.userKeyTemporary.keyGen.signing.public.keyCapabilities.verifyRecover=true
+op.enroll.userKeyTemporary.keyGen.signing.public.keyCapabilities.verify=true
+op.enroll.userKeyTemporary.keyGen.signing.public.keyCapabilities.wrap=false
+op.enroll.userKeyTemporary.keyGen.signing.publicKeyNumber=3
+op.enroll.userKeyTemporary.keyGen.signing.recovery.onHold.revokeCert.reason=0
+op.enroll.userKeyTemporary.keyGen.signing.recovery.onHold.revokeCert=true
+op.enroll.userKeyTemporary.keyGen.signing.recovery.onHold.scheme=GenerateNewKey
+op.enroll.userKeyTemporary.keyGen.tokenName=$auth.cn$ (Temporary)
+op.enroll.userKeyTemporary.loginRequest.enable=true
+op.enroll.userKeyTemporary.pinReset.enable=true
+op.enroll.userKeyTemporary.pinReset.pin.maxLen=10
+op.enroll.userKeyTemporary.pinReset.pin.maxRetries=127
+op.enroll.userKeyTemporary.pinReset.pin.minLen=4
+op.enroll.userKeyTemporary.pkcs11obj.compress.enable=true
+op.enroll.userKeyTemporary.pkcs11obj.enable=true
+op.enroll.userKeyTemporary.tks.conn=tks1
+op.enroll.userKey.temporaryToken.tokenType=userKeyTemporary
+op.enroll.userKeyTemporary.update.applet.directory=[TPS_DIR]/applets
+op.enroll.userKeyTemporary.update.applet.emptyToken.enable=true
+op.enroll.userKeyTemporary.update.applet.enable=true
+op.enroll.userKeyTemporary.update.applet.encryption=true
+op.enroll.userKeyTemporary.update.applet.requiredVersion=1.4.4d40a449
+op.enroll.userKeyTemporary.update.symmetricKeys.enable=false
+op.enroll.userKeyTemporary.update.symmetricKeys.requiredVersion=1
+op.enroll.userKey.tks.conn=tks1
+op.enroll.userKey.update.applet.directory=[TPS_DIR]/applets
+op.enroll.userKey.update.applet.emptyToken.enable=true
+op.enroll.userKey.update.applet.enable=true
+op.enroll.userKey.update.applet.encryption=true
+op.enroll.userKey.update.applet.requiredVersion=1.4.4d40a449
+op.enroll.userKey.update.symmetricKeys.enable=false
+op.enroll.userKey.update.symmetricKeys.requiredVersion=1
+op.format._000=#########################################
+op.format._001=# Format Operation For tokenKey
+op.format._002=#
+op.format._003=# op.format.tokenKey.update.applet.emptyToken.enable=false
+op.format._004=# - update applet or not if token is empty
+op.format._005=#
+op.format._006=# - applicable to CoolKey
+op.format._007=# - applicable to HouseKey
+op.format._008=# - applicable to HouseKey with Legacy Applet
+op.format._009=#########################################
+op.format.allowUnknownToken=true
+op.format.cleanToken.auth.enable=false
+op.format.cleanToken.auth.id=ldap1
+op.format.cleanToken.ca.conn=ca1
+op.format.cleanToken.cardmgr_instance=A0000000030000
+op.format.cleanToken.issuerinfo.enable=true
+op.format.cleanToken.issuerinfo.value=
+op.format.cleanToken.loginRequest.enable=true
+op.format.cleanToken.revokeCert=true
+op.format.cleanToken.tks.conn=tks1
+op.format.cleanToken.update.applet.directory=[TPS_DIR]/applets
+op.format.cleanToken.update.applet.emptyToken.enable=true
+op.format.cleanToken.update.applet.encryption=true
+op.format.cleanToken.update.applet.requiredVersion=1.4.4d40a449
+op.format.cleanToken.update.symmetricKeys.enable=false
+op.format.cleanToken.update.symmetricKeys.requiredVersion=1
+op.format.mapping.0.filter.appletMajorVersion=
+op.format.mapping.0.filter.appletMinorVersion=
+op.format.mapping.0.filter.tokenATR=
+op.format.mapping.0.filter.tokenCUID.end=
+op.format.mapping.0.filter.tokenCUID.start=
+op.format.mapping.0.filter.tokenType=soCleanUserToken
+op.format.mapping.0.target.tokenType=soCleanUserToken
+op.format.mapping.1.filter.appletMajorVersion=
+op.format.mapping.1.filter.appletMinorVersion=
+op.format.mapping.1.filter.tokenATR=
+op.format.mapping.1.filter.tokenCUID.end=
+op.format.mapping.1.filter.tokenCUID.start=
+op.format.mapping.1.filter.tokenType=soUserKey
+op.format.mapping.1.target.tokenType=soUserKey
+op.format.mapping.2.filter.appletMajorVersion=
+op.format.mapping.2.filter.appletMinorVersion=
+op.format.mapping.2.filter.tokenATR=
+op.format.mapping.2.filter.tokenCUID.end=
+op.format.mapping.2.filter.tokenCUID.start=
+op.format.mapping.2.filter.tokenType=soKey
+op.format.mapping.2.target.tokenType=soKey
+op.format.mapping.3.filter.appletMajorVersion=
+op.format.mapping.3.filter.appletMinorVersion=
+op.format.mapping.3.filter.tokenATR=
+op.format.mapping.3.filter.tokenCUID.end=
+op.format.mapping.3.filter.tokenCUID.start=
+op.format.mapping.3.filter.tokenType=userKey
+op.format.mapping.3.target.tokenType=userKey
+op.format.mapping.4.filter.appletMajorVersion=
+op.format.mapping.4.filter.appletMinorVersion=
+op.format.mapping.4.filter.tokenATR=
+op.format.mapping.4.filter.tokenCUID.end=
+op.format.mapping.4.filter.tokenCUID.start=
+op.format.mapping.4.filter.tokenType=soCleanSOToken
+op.format.mapping.4.target.tokenType=soCleanSOToken
+op.format.mapping.5.filter.appletMajorVersion=
+op.format.mapping.5.filter.appletMinorVersion=
+op.format.mapping.5.filter.tokenATR=
+op.format.mapping.5.filter.tokenCUID.end=
+op.format.mapping.5.filter.tokenCUID.start=
+op.format.mapping.5.filter.tokenType=cleanToken
+op.format.mapping.5.target.tokenType=cleanToken
+op.format.mapping.6.filter.appletMajorVersion=
+op.format.mapping.6.filter.appletMinorVersion=
+op.format.mapping.6.filter.tokenATR=
+op.format.mapping.6.filter.tokenCUID.end=
+op.format.mapping.6.filter.tokenCUID.start=
+op.format.mapping.6.target.tokenType=tokenKey
+op.format.mapping.order=0,1,2,3,4,5,6
+op.format.soCleanSOToken.auth.enable=false
+op.format.soCleanSOToken.auth.id=ldap1
+op.format.soCleanSOToken.ca.conn=ca1
+op.format.soCleanSOToken.cardmgr_instance=A0000000030000
+op.format.soCleanSOToken.issuerinfo.enable=true
+op.format.soCleanSOToken.issuerinfo.value=
+op.format.soCleanSOToken.loginRequest.enable=false
+op.format.soCleanSOToken.revokeCert=true
+op.format.soCleanSOToken.tks.conn=tks1
+op.format.soCleanSOToken.update.applet.directory=[TPS_DIR]/applets
+op.format.soCleanSOToken.update.applet.emptyToken.enable=true
+op.format.soCleanSOToken.update.applet.encryption=true
+op.format.soCleanSOToken.update.applet.requiredVersion=1.4.4d40a449
+op.format.soCleanSOToken.update.symmetricKeys.enable=false
+op.format.soCleanSOToken.update.symmetricKeys.requiredVersion=1
+op.format.soCleanUserToken.auth.enable=false
+op.format.soCleanUserToken.auth.id=ldap1
+op.format.soCleanUserToken.ca.conn=ca1
+op.format.soCleanUserToken.cardmgr_instance=A0000000030000
+op.format.soCleanUserToken.issuerinfo.enable=true
+op.format.soCleanUserToken.issuerinfo.value=
+op.format.soCleanUserToken.loginRequest.enable=false
+op.format.soCleanUserToken.revokeCert=true
+op.format.soCleanUserToken.tks.conn=tks1
+op.format.soCleanUserToken.update.applet.directory=[TPS_DIR]/applets
+op.format.soCleanUserToken.update.applet.emptyToken.enable=true
+op.format.soCleanUserToken.update.applet.encryption=true
+op.format.soCleanUserToken.update.applet.requiredVersion=1.4.4d40a449
+op.format.soCleanUserToken.update.symmetricKeys.enable=false
+op.format.soCleanUserToken.update.symmetricKeys.requiredVersion=1
+op.format.soKey.auth.enable=true
+op.format.soKey.auth.id=ldap2
+op.format.soKey.ca.conn=ca1
+op.format.soKey.cardmgr_instance=A0000000030000
+op.format.soKey.issuerinfo.enable=true
+op.format.soKey.issuerinfo.value=http://[PKI_HOSTNAME]:[PKI_UNSECURE_PORT]/cgi-bin/so/index.cgi
+op.format.soKey.loginRequest.enable=true
+op.format.soKey.revokeCert=true
+op.format.soKey.tks.conn=tks1
+op.format.soKey.update.applet.directory=[TPS_DIR]/applets
+op.format.soKey.update.applet.emptyToken.enable=true
+op.format.soKey.update.applet.encryption=true
+op.format.soKey.update.applet.requiredVersion=1.4.4d40a449
+op.format.soKey.update.symmetricKeys.enable=false
+op.format.soKey.update.symmetricKeys.requiredVersion=1
+op.format.soUserKey.auth.enable=false
+op.format.soUserKey.auth.id=ldap1
+op.format.soUserKey.ca.conn=ca1
+op.format.soUserKey.cardmgr_instance=A0000000030000
+op.format.soUserKey.issuerinfo.enable=true
+op.format.soUserKey.issuerinfo.value=http://[PKI_HOSTNAME]:[PKI_UNSECURE_PORT]/cgi-bin/home/index.cgi
+op.format.soUserKey.loginRequest.enable=false
+op.format.soUserKey.revokeCert=true
+op.format.soUserKey.tks.conn=tks1
+op.format.soUserKey.update.applet.directory=[TPS_DIR]/applets
+op.format.soUserKey.update.applet.emptyToken.enable=true
+op.format.soUserKey.update.applet.encryption=true
+op.format.soUserKey.update.applet.requiredVersion=1.4.4d40a449
+op.format.soUserKey.update.symmetricKeys.enable=false
+op.format.soUserKey.update.symmetricKeys.requiredVersion=1
+op.format.tokenKey.auth.enable=true
+op.format.tokenKey.auth.id=ldap1
+op.format.tokenKey.ca.conn=ca1
+op.format.tokenKey.cardmgr_instance=A0000000030000
+op.format.tokenKey.issuerinfo.enable=true
+op.format.tokenKey.issuerinfo.value=http://[PKI_HOSTNAME]:[PKI_UNSECURE_PORT]/cgi-bin/home/index.cgi
+op.format.tokenKey.loginRequest.enable=true
+op.format.tokenKey.revokeCert=true
+op.format.tokenKey.tks.conn=tks1
+op.format.tokenKey.update.applet.directory=[TPS_DIR]/applets
+op.format.tokenKey.update.applet.emptyToken.enable=true
+op.format.tokenKey.update.applet.encryption=true
+op.format.tokenKey.update.applet.requiredVersion=1.4.4d40a449
+op.format.tokenKey.update.symmetricKeys.enable=false
+op.format.tokenKey.update.symmetricKeys.requiredVersion=1
+op.format.userKey.auth.enable=true
+op.format.userKey.auth.id=ldap1
+op.format.userKey.ca.conn=ca1
+op.format.userKey.cardmgr_instance=A0000000030000
+op.format.userKey.issuerinfo.enable=true
+op.format.userKey.issuerinfo.value=http://[PKI_HOSTNAME]:[PKI_UNSECURE_PORT]/cgi-bin/home/index.cgi
+op.format.userKey.loginRequest.enable=true
+op.format.userKey.revokeCert=true
+op.format.userKey.tks.conn=tks1
+op.format.userKey.update.applet.directory=[TPS_DIR]/applets
+op.format.userKey.update.applet.emptyToken.enable=true
+op.format.userKey.update.applet.encryption=true
+op.format.userKey.update.applet.requiredVersion=1.4.4d40a449
+op.format.userKey.update.symmetricKeys.enable=false
+op.format.userKey.update.symmetricKeys.requiredVersion=1
op.pinReset._000=#########################################
op.pinReset._001=# Certificate Chain Imports
op.pinReset._002=#
@@ -1376,141 +1257,194 @@ op.pinReset._015=#
op.pinReset._016=# - N/A for HouseKey
op.pinReset._017=# - N/A for HouseKey with Legacy Applet
op.pinReset._018=#########################################
+op.pinReset.mapping.0.filter.appletMajorVersion=
+op.pinReset.mapping.0.filter.appletMinorVersion=
+op.pinReset.mapping.0.filter.tokenATR=
+op.pinReset.mapping.0.filter.tokenCUID.end=
+op.pinReset.mapping.0.filter.tokenCUID.start=
+op.pinReset.mapping.0.filter.tokenType=
+op.pinReset.mapping.0.target.tokenType=userKey
+op.pinReset.mapping.order=0
+op.pinReset.userKey.auth.enable=true
+op.pinReset.userKey.auth.id=ldap1
+op.pinReset.userKey.cardmgr_instance=A0000000030000
+op.pinReset.userKey.loginRequest.enable=true
+op.pinReset.userKey.pinReset.pin.maxLen=10
+op.pinReset.userKey.pinReset.pin.minLen=4
+op.pinReset.userKey.tks.conn=tks1
+op.pinReset.userKey.update.applet.directory=[TPS_DIR]/applets
op.pinReset.userKey.update.applet.emptyToken.enable=true
op.pinReset.userKey.update.applet.enable=false
-op.pinReset.userKey.update.applet.requiredVersion=1.4.4d40a449
-op.pinReset.userKey.update.applet.directory=[TPS_DIR]/applets
op.pinReset.userKey.update.applet.encryption=true
+op.pinReset.userKey.update.applet.requiredVersion=1.4.4d40a449
op.pinReset.userKey.update.symmetricKeys.enable=false
op.pinReset.userKey.update.symmetricKeys.requiredVersion=1
-op.pinReset.userKey.loginRequest.enable=true
-op.pinReset.userKey.pinReset.pin.minLen=4
-op.pinReset.userKey.pinReset.pin.maxLen=10
-op.pinReset.userKey.tks.conn=tks1
-op.pinReset.userKey.cardmgr_instance=A0000000030000
-op.pinReset.userKey.auth.id=ldap1
-op.pinReset.userKey.auth.enable=true
-op.format._000=#########################################
-op.format._001=# Format Operation For tokenKey
-op.format._002=#
-op.format._003=# op.format.tokenKey.update.applet.emptyToken.enable=false
-op.format._004=# - update applet or not if token is empty
-op.format._005=#
-op.format._006=# - applicable to CoolKey
-op.format._007=# - applicable to HouseKey
-op.format._008=# - applicable to HouseKey with Legacy Applet
-op.format._009=#########################################
-op.format.allowUnknownToken=true
-op.format.soCleanUserToken.update.applet.emptyToken.enable=true
-op.format.soCleanUserToken.update.applet.requiredVersion=1.4.4d40a449
-op.format.soCleanUserToken.update.applet.directory=[TPS_DIR]/applets
-op.format.soCleanUserToken.update.applet.encryption=true
-op.format.soCleanUserToken.update.symmetricKeys.enable=false
-op.format.soCleanUserToken.update.symmetricKeys.requiredVersion=1
-op.format.soCleanUserToken.revokeCert=true
-op.format.soCleanUserToken.ca.conn=ca1
-op.format.soCleanUserToken.loginRequest.enable=false
-op.format.soCleanUserToken.cardmgr_instance=A0000000030000
-op.format.soCleanUserToken.tks.conn=tks1
-op.format.soCleanUserToken.auth.id=ldap1
-op.format.soCleanUserToken.auth.enable=false
-op.format.soCleanUserToken.issuerinfo.enable=true
-op.format.soCleanUserToken.issuerinfo.value=
-op.format.soCleanSOToken.update.applet.emptyToken.enable=true
-op.format.soCleanSOToken.update.applet.requiredVersion=1.4.4d40a449
-op.format.soCleanSOToken.update.applet.directory=[TPS_DIR]/applets
-op.format.soCleanSOToken.update.applet.encryption=true
-op.format.soCleanSOToken.update.symmetricKeys.enable=false
-op.format.soCleanSOToken.update.symmetricKeys.requiredVersion=1
-op.format.soCleanSOToken.revokeCert=true
-op.format.soCleanSOToken.ca.conn=ca1
-op.format.soCleanSOToken.loginRequest.enable=false
-op.format.soCleanSOToken.cardmgr_instance=A0000000030000
-op.format.soCleanSOToken.tks.conn=tks1
-op.format.soCleanSOToken.auth.id=ldap1
-op.format.soCleanSOToken.auth.enable=false
-op.format.soCleanSOToken.issuerinfo.enable=true
-op.format.soCleanSOToken.issuerinfo.value=
-op.format.cleanToken.update.applet.emptyToken.enable=true
-op.format.cleanToken.update.applet.requiredVersion=1.4.4d40a449
-op.format.cleanToken.update.applet.directory=[TPS_DIR]/applets
-op.format.cleanToken.update.applet.encryption=true
-op.format.cleanToken.update.symmetricKeys.enable=false
-op.format.cleanToken.update.symmetricKeys.requiredVersion=1
-op.format.cleanToken.revokeCert=true
-op.format.cleanToken.ca.conn=ca1
-op.format.cleanToken.loginRequest.enable=true
-op.format.cleanToken.cardmgr_instance=A0000000030000
-op.format.cleanToken.tks.conn=tks1
-op.format.cleanToken.auth.id=ldap1
-op.format.cleanToken.auth.enable=false
-op.format.cleanToken.issuerinfo.enable=true
-op.format.cleanToken.issuerinfo.value=
-op.format.soUserKey.update.applet.emptyToken.enable=true
-op.format.soUserKey.update.applet.requiredVersion=1.4.4d40a449
-op.format.soUserKey.update.applet.directory=[TPS_DIR]/applets
-op.format.soUserKey.update.applet.encryption=true
-op.format.soUserKey.update.symmetricKeys.enable=false
-op.format.soUserKey.update.symmetricKeys.requiredVersion=1
-op.format.soUserKey.revokeCert=true
-op.format.soUserKey.ca.conn=ca1
-op.format.soUserKey.loginRequest.enable=false
-op.format.soUserKey.cardmgr_instance=A0000000030000
-op.format.soUserKey.tks.conn=tks1
-op.format.soUserKey.auth.id=ldap1
-op.format.soUserKey.auth.enable=false
-op.format.soUserKey.issuerinfo.enable=true
-op.format.soUserKey.issuerinfo.value=http://[PKI_HOSTNAME]:[PKI_UNSECURE_PORT]/cgi-bin/home/index.cgi
-op.format.soKey.update.applet.emptyToken.enable=true
-op.format.soKey.update.applet.requiredVersion=1.4.4d40a449
-op.format.soKey.update.applet.directory=[TPS_DIR]/applets
-op.format.soKey.update.applet.encryption=true
-op.format.soKey.update.symmetricKeys.enable=false
-op.format.soKey.update.symmetricKeys.requiredVersion=1
-op.format.soKey.revokeCert=true
-op.format.soKey.ca.conn=ca1
-op.format.soKey.loginRequest.enable=true
-op.format.soKey.cardmgr_instance=A0000000030000
-op.format.soKey.tks.conn=tks1
-op.format.soKey.auth.id=ldap2
-op.format.soKey.auth.enable=true
-op.format.soKey.issuerinfo.enable=true
-op.format.soKey.issuerinfo.value=http://[PKI_HOSTNAME]:[PKI_UNSECURE_PORT]/cgi-bin/so/index.cgi
-op.format.userKey.update.applet.emptyToken.enable=true
-op.format.userKey.update.applet.requiredVersion=1.4.4d40a449
-op.format.userKey.update.applet.directory=[TPS_DIR]/applets
-op.format.userKey.update.applet.encryption=true
-op.format.userKey.update.symmetricKeys.enable=false
-op.format.userKey.update.symmetricKeys.requiredVersion=1
-op.format.userKey.revokeCert=true
-op.format.userKey.ca.conn=ca1
-op.format.userKey.loginRequest.enable=true
-op.format.userKey.cardmgr_instance=A0000000030000
-op.format.userKey.tks.conn=tks1
-op.format.userKey.auth.id=ldap1
-op.format.userKey.auth.enable=true
-op.format.userKey.issuerinfo.enable=true
-op.format.userKey.issuerinfo.value=http://[PKI_HOSTNAME]:[PKI_UNSECURE_PORT]/cgi-bin/home/index.cgi
-op.format.tokenKey.update.applet.emptyToken.enable=true
-op.format.tokenKey.update.applet.requiredVersion=1.4.4d40a449
-op.format.tokenKey.update.applet.directory=[TPS_DIR]/applets
-op.format.tokenKey.update.applet.encryption=true
-op.format.tokenKey.update.symmetricKeys.enable=false
-op.format.tokenKey.update.symmetricKeys.requiredVersion=1
-op.format.tokenKey.revokeCert=true
-op.format.tokenKey.ca.conn=ca1
-op.format.tokenKey.loginRequest.enable=true
-op.format.tokenKey.cardmgr_instance=A0000000030000
-op.format.tokenKey.tks.conn=tks1
-op.format.tokenKey.auth.id=ldap1
-op.format.tokenKey.auth.enable=true
-op.format.tokenKey.issuerinfo.enable=true
-op.format.tokenKey.issuerinfo.value=http://[PKI_HOSTNAME]:[PKI_UNSECURE_PORT]/cgi-bin/home/index.cgi
-passwordFile=[PKI_INSTANCE_PATH]/conf/password.conf
+os.serverName=cert-[PKI_INSTANCE_NAME]
+os.userid=nobody
passwordClass=com.netscape.cmsutil.password.PlainPasswordFile
+passwordFile=[PKI_INSTANCE_PATH]/conf/password.conf
+pidDir=[PKI_PIDDIR]
+pkicreate.admin_secure_port=[PKI_ADMIN_SECURE_PORT]
+pkicreate.agent_secure_port=[PKI_AGENT_SECURE_PORT]
+pkicreate.ee_secure_port=[PKI_EE_SECURE_PORT]
+pkicreate.group=[PKI_GROUP]
+pkicreate.pki_instance_name=[PKI_INSTANCE_NAME]
+pkicreate.pki_instance_root=[PKI_INSTANCE_ROOT]
+pkicreate.secure_port=[PKI_SECURE_PORT]
+pkicreate.subsystem_type=[PKI_SUBSYSTEM_TYPE]
+pkicreate.systemd.servicename=[PKI_SYSTEMD_SERVICENAME]
+pkicreate.tomcat_server_port=[TOMCAT_SERVER_PORT]
+pkicreate.unsecure_port=[PKI_UNSECURE_PORT]
+pkicreate.user=[PKI_USER]
+pkiremove.cert.subsystem.nickname=subsystemCert cert-[PKI_INSTANCE_NAME]
+preop.admincert.profile=caAdminCert
+preop.admin.group=TUS Agents,TUS Operators,TUS Administrators,TUS Officers
+preop.admin.name=Token Processing Service Manager Administrator
+preop.cert.admin.defaultSigningAlgorithm=SHA256withRSA
+preop.cert.admin.dn=uid=admin,cn=admin
+preop.cert.admin.keysize.custom_size=2048
+preop.cert.admin.keysize.size=2048
+preop.cert.admin.profile=adminCert.profile
+preop.cert.audit_signing.cncomponent.override=true
+preop.cert.audit_signing.defaultSigningAlgorithm=SHA256withRSA
+preop.cert.audit_signing.dn=CN=TPS Audit Signing Certificate
+preop.cert.audit_signing.enable=true
+preop.cert.audit_signing.keysize.custom_size=2048
+preop.cert.audit_signing.keysize.size=2048
+preop.cert.audit_signing.nickname=auditSigningCert cert-[PKI_INSTANCE_NAME]
+preop.cert.audit_signing.profile=caInternalAuthAuditSigningCert
+preop.cert.audit_signing.signing.required=false
+preop.cert.audit_signing.subsystem=tps
+preop.cert.audit_signing.type=remote
+preop.cert.audit_signing.userfriendlyname=TPS Audit Signing Certificate
+preop.cert.list=sslserver,subsystem,audit_signing
+preop.cert.rsalist=audit_signing
+preop.cert.sslserver.cncomponent.override=false
+preop.cert.sslserver.defaultSigningAlgorithm=SHA256withRSA
+preop.cert.sslserver.dn=CN=[PKI_HOSTNAME]
+preop.cert.sslserver.enable=true
+preop.cert.sslserver.keysize.custom_size=2048
+preop.cert.sslserver.keysize.size=2048
+preop.cert.sslserver.nickname=[PKI_SSL_SERVER_NICKNAME]
+preop.cert.sslserver.profile=caInternalAuthServerCert
+preop.cert.sslserver.signing.required=false
+preop.cert.sslserver.subsystem=tps
+preop.cert.sslserver.type=remote
+preop.cert.sslserver.userfriendlyname=SSL Server Certificate
+preop.cert.subsystem.cncomponent.override=true
+preop.cert.subsystem.defaultSigningAlgorithm=SHA256withRSA
+preop.cert.subsystem.dn=CN=TPS Subsystem Certificate
+preop.cert.subsystem.enable=true
+preop.cert.subsystem.keysize.custom_size=2048
+preop.cert.subsystem.keysize.size=2048
+preop.cert.subsystem.nickname=subsystemCert cert-[PKI_INSTANCE_NAME]
+preop.cert.subsystem.profile=caInternalAuthSubsystemCert
+preop.cert.subsystem.signing.required=false
+preop.cert.subsystem.subsystem=tps
+preop.cert.subsystem.type=remote
+preop.cert.subsystem.userfriendlyname=Subsystem Certificate
+preop.configModules.count=3
+preop.configModules.module0.commonName=NSS Internal PKCS #11 Module
+preop.configModules.module0.imagePath=/pki/images/clearpixel.gif
+preop.configModules.module0.userFriendlyName=NSS Internal PKCS #11 Module
+preop.configModules.module1.commonName=nfast
+preop.configModules.module1.imagePath=/pki/images/clearpixel.gif
+preop.configModules.module1.userFriendlyName=nCipher's nFast Token Hardware Module
+preop.configModules.module2.commonName=lunasa
+preop.configModules.module2.imagePath=/pki/images/clearpixel.gif
+preop.configModules.module2.userFriendlyName=SafeNet's LunaSA Token Hardware Module
+preop.hierarchy.profile=caCert.profile
+preop.internaldb.data_ldif=/usr/share/pki/tps/conf/db.ldif
+preop.internaldb.index_ldif=/usr/share/pki/tps/conf/index.ldif
+preop.internaldb.ldif=/usr/share/pki/tps/conf/database.ldif
+preop.internaldb.manager_ldif=/usr/share/pki/ca/conf/manager.ldif
+preop.internaldb.post_ldif=
+preop.internaldb.schema.ldif=/usr/share/pki/tps/conf/schema.ldif
+preop.internaldb.wait_dn=
+preop.module.token=Internal Key Storage Token
+preop.pin=[PKI_RANDOM_NUMBER]
+preop.product.name=CS
+preop.securitydomain.admin_url=https://[PKI_HOSTNAME]:8443
+preop.system.fullname=Token Key Service
+preop.system.name=TPS
+preop.wizard.name=TPS Setup Wizard
+proxy.securePort=[PKI_PROXY_SECURE_PORT]
+proxy.unsecurePort=[PKI_PROXY_UNSECURE_PORT]
registry.file=[PKI_INSTANCE_PATH]/conf/registry.cfg
+selftests._000=##
+selftests._001=## Self Tests
+selftests._002=##
+selftests._003=## The Self-Test plugin TPSSystemCertsVerification uses the
+selftests._004=## following parameters (where certusage is optional):
+selftests._005=## tps.cert.list = <list of cert tag names deliminated by ",">
+selftests._006=## tps.cert.<cert tag name>.nickname
+selftests._007=## tps.cert.<cert tag name>.certusage
+selftests._008=##
+selftests.container.instance.SystemCertsVerification=com.netscape.cms.selftests.common.SystemCertsVerification
+selftests.container.logger.bufferSize=512
+selftests.container.logger.class=com.netscape.cms.logging.RollingLogFile
+selftests.container.logger.enable=true
+selftests.container.logger.expirationTime=0
+selftests.container.logger.fileName=[PKI_INSTANCE_PATH]/logs/[PKI_SUBSYSTEM_TYPE]/selftests.log
+selftests.container.logger.flushInterval=5
+selftests.container.logger.level=1
+selftests.container.logger.maxFileSize=2000
+selftests.container.logger.register=false
+selftests.container.logger.rolloverInterval=2592000
+selftests.container.logger.type=transaction
+selftests.container.order.onDemand=SystemCertsVerification:critical
+selftests.container.order.startup=SystemCertsVerification:critical
+selftests.plugin.SystemCertsVerification.SubId=tps
+service.instanceDir=[PKI_INSTANCE_ROOT]
+service.instanceID=[PKI_INSTANCE_NAME]
+service.machineName=[PKI_HOSTNAME]
+service.non_clientauth_securePort=[PKI_EE_SECURE_PORT]
+service.securePort=[PKI_AGENT_SECURE_PORT]
+service.unsecurePort=[PKI_UNSECURE_PORT]
+smtp.host=localhost
+smtp.port=25
subsystem.0.class=org.dogtagpki.tps.server.TPSSubsystem
subsystem.0.id=tps
+subsystem.1.class=com.netscape.cmscore.selftests.SelfTestSubsystem
+subsystem.1.id=selftests
+subsystem.2.class=com.netscape.cmscore.util.StatsSubsystem
+subsystem.2.id=stats
+target._000=#########################################
+target._001=# entries to enable configuration of parameter sets through the TPS UI agent and admin tabs
+target._002=#
+target._003=# target.configure.list = comma separated lists of all parameter sets that can be configured by the admin.
+target._004=# Each entry will show up (with underscore replaced by space) under Advanced Configuration on the admin tab.
+target._005=#
+target._006=# target.agent_approve.list = comma separated subset of above list. Parameter sets in this list
+target._007=# will show up in the agent tab (under advanced configuration) and will require agent involvement
+target._008=# (enable/ disable) to be edited.
+target._009=#
+target._010=# For the wording to display correctly, the values in the above list should be plurals.
+target._011=#
+target._012=# Each parameter set in the lists above requires three parameters:
+target._013=# target.<type name>.list : list of choices of this parameter set type (will display in the drop down box)
+target._014=# target.<type name>.pattern : the regular expression to select parameters in CS.cfg for this parameter set.
+target._015=# target.<type_name>.displayname: used in the UI display text. This should be the singular form of <type_name>.
+target._016=#
+target._017=# The exception is the parameter set Generals, which has only a pattern and displayname defined.
+target._018=#
+target._019=########################################
+target.agent_approve.list=Profiles
+target.Authentication_Sources.displayname=Authentication Source
+target.Authentication_Sources.list=0,1
+target.Authentication_Sources.pattern=auth\.instance\.$name\..*
+target.configure.list=Profiles,Subsystem_Connections,Profile_Mappings,Authentication_Sources
+target.Generals.displayname=General
+target.Generals.pattern=^applet\..*\|^general\..*\|^failover.pod.enable\|^channel\..*
+target.Profile_Mappings.displayname=Profile Mapping
+target.Profile_Mappings.list=enroll,format,pinReset
+target.Profile_Mappings.pattern=op\.$name\.mapping\..*
+target.Profiles.displayname=Profile
+target.Profiles.list=userKey,soKey,soCleanUserToken,soUserKey,cleanToken,soCleanSoToken,tokenKey
+target.Profiles.pattern=op\..*\.$name\..*
+target.Subsystem_Connections.displayname=Subsystem Connection
+target.Subsystem_Connections.list=ca1,drm1,tks1
+target.Subsystem_Connections.pattern=conn\.$name\..*
tokendb._000=#########################################
tokendb._001=# tokendb.auditLog:
tokendb._002=# - audit log path
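Review bot: `target.Profiles.list` in this hunk spells one profile `soCleanSoToken`, while every profile key in the new file and the format mapping spell it `soCleanSOToken` (e.g. `op.format.soCleanSOToken.auth.enable`, `op.format.mapping.4.target.tokenType=soCleanSOToken`); `target.Profiles.pattern` is documented in the same block as a regular expression and is presumably matched case-sensitively, so the admin UI entry for that profile would select no parameters. The value should read `target.Profiles.list=userKey,soKey,soCleanUserToken,soUserKey,cleanToken,soCleanSOToken,tokenKey`. Two smaller consistency points in the added `preop.` block: `preop.system.fullname=Token Key Service` is the TKS's name while the neighbouring keys say `TPS` / `Token Processing Service`, and `preop.securitydomain.admin_url=https://[PKI_HOSTNAME]:8443` hard-codes a port where every other port in the template goes through a `[PKI_*_PORT]` placeholder, so an instance on a non-default port would point at the wrong security-domain URL.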
@@ -1587,100 +1521,59 @@ tokendb._072=# TOKEN_FOUND =4,
tokendb._073=# TOKEN_TEMP_LOST_PERM_LOST =5,
tokendb._074=# TOKEN_TERMINATED = 6
tokendb._075=#########################################
+tokendb.activityBaseDN=ou=Activities,[TOKENDB_ROOT]
+tokendb.addConfigTemplate=addConfig.template
+tokendb.addResultTemplate=addResults.template
+tokendb.agentSelectConfigTemplate=agentSelectConfig.template
+tokendb.agentViewConfigTemplate=agentViewConfig.template
+tokendb.allowedTransitions=0:1,0:2,0:3,0:4,0:5,0:6,3:4,3:5,3:6,4:1,4:2,4:3,4:6
+tokendb.auditAdminTemplate=auditAdmin.template
tokendb.auditLog=[PKI_INSTANCE_PATH]/logs/tokendb-audit.log
-tokendb.hostport=[TOKENDB_HOST]:[TOKENDB_PORT]
-tokendb.ssl=false
+tokendb.baseDN=ou=Tokens,[TOKENDB_ROOT]
tokendb.bindDN=cn=Directory Manager
tokendb.bindPassPath=[PKI_INSTANCE_PATH]/conf/password.conf
-tokendb.templateDir=[PKI_INSTANCE_PATH]/docroot/tus
-tokendb.userBaseDN=[TOKENDB_ROOT]
-tokendb.baseDN=ou=Tokens,[TOKENDB_ROOT]
-tokendb.activityBaseDN=ou=Activities,[TOKENDB_ROOT]
tokendb.certBaseDN=ou=Certificates,[TOKENDB_ROOT]
-tokendb.indexTemplate=index.template
-tokendb.indexAdminTemplate=indexAdmin.template
-tokendb.newTemplate=new.template
-tokendb.showTemplate=show.template
-tokendb.showCertTemplate=showCert.template
-tokendb.errorTemplate=error.template
-tokendb.searchTemplate=search.template
-tokendb.searchResultTemplate=searchResults.template
-tokendb.searchCertificateResultTemplate=searchCertificateResults.template
-tokendb.editTemplate=edit.template
-tokendb.editResultTemplate=editResults.template
-tokendb.addResultTemplate=addResults.template
-tokendb.deleteTemplate=delete.template
+tokendb.confirmConfigChangesTemplate=confirmConfigChanges.template
+tokendb.confirmDeleteConfigTemplate=confirmDeleteConfig.template
+tokendb.defaultPolicy=RE_ENROLL=YES
tokendb.deleteResultTemplate=deleteResults.template
-tokendb.searchActivityTemplate=searchActivity.template
-tokendb.searchCertificateTemplate=searchCertificate.template
-tokendb.searchActivityResultTemplate=searchActivityResults.template
-tokendb.searchActivityAdminTemplate=searchActivityAdmin.template
-tokendb.searchActivityAdminResultTemplate=searchActivityAdminResults.template
-tokendb.showAdminTemplate=showAdmin.template
-tokendb.doTokenTemplate=doToken.template
+tokendb.deleteTemplate=delete.template
tokendb.doTokenConfirmTemplate=doTokenConfirm.template
+tokendb.doTokenTemplate=doToken.template
+tokendb.editConfigTemplate=editConfig.template
+tokendb.editResultTemplate=editResults.template
+tokendb.editTemplate=edit.template
+tokendb.editUserTemplate=editUser.template
+tokendb.errorTemplate=error.template
+tokendb.hostport=[TOKENDB_HOST]:[TOKENDB_PORT]
+tokendb.indexAdminTemplate=indexAdmin.template
+tokendb.indexOperatorTemplate=indexOperator.template
+tokendb.indexTemplate=index.template
+tokendb.newTemplate=new.template
+tokendb.newUserTemplate=newUser.template
tokendb.revokeTemplate=revoke.template
-tokendb.searchAdminTemplate=searchAdmin.template
+tokendb.searchActivityAdminResultTemplate=searchActivityAdminResults.template
+tokendb.searchActivityAdminTemplate=searchActivityAdmin.template
+tokendb.searchActivityResultTemplate=searchActivityResults.template
+tokendb.searchActivityTemplate=searchActivity.template
tokendb.searchAdminResultTemplate=searchAdminResults.template
-tokendb.defaultPolicy=RE_ENROLL=YES
-tokendb.newUserTemplate=newUser.template
-tokendb.userDeleteTemplate=userDelete.template
+tokendb.searchAdminTemplate=searchAdmin.template
+tokendb.searchCertificateResultTemplate=searchCertificateResults.template
+tokendb.searchCertificateTemplate=searchCertificate.template
+tokendb.searchResultTemplate=searchResults.template
+tokendb.searchTemplate=search.template
tokendb.searchUserResultTemplate=searchUserResults.template
tokendb.searchUserTemplate=searchUser.template
-tokendb.editUserTemplate=editUser.template
-tokendb.indexOperatorTemplate=indexOperator.template
-tokendb.selfTestTemplate=selfTest.template
-tokendb.selfTestResultsTemplate=selfTestResults.template
-tokendb.auditAdminTemplate=auditAdmin.template
tokendb.selectConfigTemplate=selectConfig.template
-tokendb.agentSelectConfigTemplate=agentSelectConfig.template
-tokendb.editConfigTemplate=editConfig.template
-tokendb.agentViewConfigTemplate=agentViewConfig.template
-tokendb.addConfigTemplate=addConfig.template
-tokendb.confirmConfigChangesTemplate=confirmConfigChanges.template
-tokendb.confirmDeleteConfigTemplate=confirmDeleteConfig.template
-log.instance.SignedAudit.selected.events=ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,LOG_EXPIRATION_CHANGE,CONFIG,CONFIG_ROLE,CONFIG_TOKEN,CONFIG_PROFILE,CONFIG_AUDIT,APPLET_UPGRADE,KEY_CHANGEOVER,RENEWAL
-log.instance.SignedAudit.selectable.events=ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,LOG_EXPIRATION_CHANGE,PRIVATE_KEY_ARCHIVE,PRIVATE_KEY_ARCHIVE_PROCESSED,KEY_RECOVERY_REQUEST,KEY_RECOVERY_AGENT_LOGIN,KEY_RECOVERY_PROCESSED,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,CONFIG,CONFIG_ROLE,CONFIG_TOKEN,CONFIG_PROFILE,CONFIG_AUDIT,APPLET_UPGRADE,KEY_CHANGEOVER,RENEWAL
-log.instance.SignedAudit.nonselectable.events=AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ_SUCCESS,AUTHZ_FAIL,INTER_BOUNDARY,AUTH_FAIL,AUTH_SUCCESS,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,SERVER_SIDE_KEYGEN_PROCESSED,SERVER_SIDE_KEYGEN_REQUEST
-tokendb.allowedTransitions=0:1,0:2,0:3,0:4,0:5,0:6,3:4,3:5,3:6,4:1,4:2,4:3,4:6
-target._000=#########################################
-target._001=# entries to enable configuration of parameter sets through the TPS UI agent and admin tabs
-target._002=#
-target._003=# target.configure.list = comma separated lists of all parameter sets that can be configured by the admin.
-target._004=# Each entry will show up (with underscore replaced by space) under Advanced Configuration on the admin tab.
-target._005=#
-target._006=# target.agent_approve.list = comma separated subset of above list. Parameter sets in this list
-target._007=# will show up in the agent tab (under advanced configuration) and will require agent involvement
-target._008=# (enable/ disable) to be edited.
-target._009=#
-target._010=# For the wording to display correctly, the values in the above list should be plurals.
-target._011=#
-target._012=# Each parameter set in the lists above requires three parameters:
-target._013=# target.<type name>.list : list of choices of this parameter set type (will display in the drop down box)
-target._014=# target.<type name>.pattern : the regular expression to select parameters in CS.cfg for this parameter set.
-target._015=# target.<type_name>.displayname: used in the UI display text. This should be the singular form of <type_name>.
-target._016=#
-target._017=# The exception is the parameter set Generals, which has only a pattern and displayname defined.
-target._018=#
-target._019=########################################
-target.configure.list=Profiles,Subsystem_Connections,Profile_Mappings,Authentication_Sources
-target.agent_approve.list=Profiles
-target.Profiles.list=userKey,soKey,soCleanUserToken,soUserKey,cleanToken,soCleanSoToken,tokenKey
-target.Profiles.pattern=op\..*\.$name\..*
-target.Profiles.displayname=Profile
-target.Subsystem_Connections.list=ca1,drm1,tks1
-target.Subsystem_Connections.pattern=conn\.$name\..*
-target.Subsystem_Connections.displayname=Subsystem Connection
-target.Profile_Mappings.list=enroll,format,pinReset
-target.Profile_Mappings.pattern=op\.$name\.mapping\..*
-target.Profile_Mappings.displayname=Profile Mapping
-target.Authentication_Sources.list=0,1
-target.Authentication_Sources.pattern=auth\.instance\.$name\..*
-target.Authentication_Sources.displayname=Authentication Source
-target.Generals.displayname=General
-target.Generals.pattern=^applet\..*\|^general\..*\|^failover.pod.enable\|^channel\..*
-config.Generals.General.state=Enabled
-config.Generals.General.timestamp=1280283607424406
+tokendb.selfTestResultsTemplate=selfTestResults.template
+tokendb.selfTestTemplate=selfTest.template
+tokendb.showAdminTemplate=showAdmin.template
+tokendb.showCertTemplate=showCert.template
+tokendb.showTemplate=show.template
+tokendb.ssl=false
+tokendb.templateDir=[PKI_INSTANCE_PATH]/docroot/tus
+tokendb.userBaseDN=[TOKENDB_ROOT]
+tokendb.userDeleteTemplate=userDelete.template
tps._000=########################################
tps._001=# For verifying system certificates
tps._002=# tps.cert.list=sslserver,subsystem,audit_signing
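Review bot: The three `log.instance.SignedAudit.selected.events`, `log.instance.SignedAudit.selectable.events` and `log.instance.SignedAudit.nonselectable.events` lines are deleted in this hunk and nothing in the hunk re-adds them; if the now-alphabetised file carries them in a `log.` section earlier in the file that is fine, but if not, the TPS signed-audit event selection has silently been dropped from the template and should be restored, since it decides which security events get logged at all. Separately, the carried-over defaults `tokendb.ssl=false` together with `tokendb.bindDN=cn=Directory Manager` and `tokendb.bindPassPath=[PKI_INSTANCE_PATH]/conf/password.conf` mean the token database is bound as the directory superuser over cleartext LDAP with a plaintext-file password; a template comment such as `# tokendb.ssl=false is only acceptable when [TOKENDB_HOST] is local; prefer a dedicated least-privileged bind DN` would stop deployers shipping that as-is.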
@@ -1698,11 +1591,12 @@ tps._015=# TOKEN_TEMP_LOST_PERM_LOST =5,
tps._016=# TOKEN_TERMINATED = 6
tps._017=# Sample: tps.operations.allowedTransitions=0:0,0:4,4:6,6:0
tps._018=########################################
-tps.operations.allowedTransitions=0:0,0:4,4:0
-tps.cert.list=sslserver,subsystem,audit_signing
-tps.cert.sslserver.nickname=[HSM_LABEL][NICKNAME]
-tps.cert.subsystem.nickname=[HSM_LABEL][NICKNAME]
+tps.cert.audit_signing.certusage=ObjectSigner
tps.cert.audit_signing.nickname=[HSM_LABEL][NICKNAME]
+tps.cert.list=sslserver,subsystem,audit_signing
+tps.cert.sslserver.certusage=SSLServer
+tps.cert.subsystem.certusage=SSLClient
+tps.operations.allowedTransitions=0:0,0:4,4:0
usrgrp._000=##
usrgrp._001=## User/Group
usrgrp._002=##
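Review bot: `tps.cert.sslserver.nickname` and `tps.cert.subsystem.nickname` are removed in this hunk while `tps.cert.list=sslserver,subsystem,audit_signing` is kept, so the system-certificate verification described by the `tps._001` comment would look up nickname keys that no longer exist for two of the three listed certificates, unless they are defined elsewhere in the file, which this hunk does not show. The new `certusage` keys are added for all three entries, which suggests the two nickname lines were lost during the re-sort rather than dropped on purpose. Suggest restoring `tps.cert.sslserver.nickname=[HSM_LABEL][NICKNAME]` and `tps.cert.subsystem.nickname=[HSM_LABEL][NICKNAME]` next to their `certusage` lines so startup cert checks and TLS client-auth configuration still resolve a nickname.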
diff --git a/base/tps/shared/conf/db.ldif b/base/tps/shared/conf/db.ldif
index 050118d1f..1dada984a 100644
--- a/base/tps/shared/conf/db.ldif
+++ b/base/tps/shared/conf/db.ldif
@@ -3,64 +3,52 @@
# All rights reserved.
# --- END COPYRIGHT BLOCK ---
#
-dn: ou=people,{rootSuffix}
-objectClass: top
-objectClass: organizationalUnit
-ou: people
+dn: ou=Tokens,{rootSuffix}
+objectclass: top
+objectclass: organizationalunit
+ou: Tokens
+
+dn: ou=Activities,{rootSuffix}
+objectclass: top
+objectclass: organizationalunit
+ou: Activities
+
+dn: ou=Certificates,{rootSuffix}
+objectclass: top
+objectclass: organizationalunit
+ou: Certificates
+
+dn: ou=People,{rootSuffix}
+objectclass: top
+objectclass: organizationalunit
+ou: People
aci: (targetattr!="userPassword")(version 3.0; acl "Enable anonymous access"; allow (read, search, compare)userdn="ldap:///anyone";)
-dn: ou=groups,{rootSuffix}
-objectClass: top
-objectClass: organizationalUnit
-ou: groups
-
-dn: cn=Token Processing Service Manager Agents,ou=groups,{rootSuffix}
-objectClass: top
-objectClass: groupOfUniqueNames
-cn: Token Processing Service Manager Agents
-description: Agents for Token Processing Service Manager
-
-dn: cn=Subsystem Group, ou=groups, {rootSuffix}
-objectClass: top
-objectClass: groupOfUniqueNames
-cn: Subsystem Group
-description: Subsystem Group
+dn: ou=Groups,{rootSuffix}
+objectclass: top
+objectclass: organizationalunit
+ou: Groups
-dn: cn=Trusted Managers,ou=groups,{rootSuffix}
+dn: cn=TUS Agents,ou=Groups,{rootSuffix}
objectClass: top
objectClass: groupOfUniqueNames
-cn: Trusted Managers
-description: Managers trusted by this PKI instance
+cn: TUS Agents
+description: Agents for TUS
-dn: cn=Administrators,ou=groups,{rootSuffix}
+dn: cn=TUS Officers,ou=Groups,{rootSuffix}
objectClass: top
objectClass: groupOfUniqueNames
-cn: Administrators
-description: People who manage the Certificate System
+cn: TUS Officers
+description: Security Officers for TUS
-dn: cn=Auditors,ou=groups,{rootSuffix}
+dn: cn=TUS Administrators,ou=Groups,{rootSuffix}
objectClass: top
objectClass: groupOfUniqueNames
-cn: Auditors
-description: People who can read the signed audits
+cn: TUS Administrators
+description: Administrators for TUS
-dn: cn=ClonedSubsystems,ou=groups,{rootSuffix}
+dn: cn=TUS Operators,ou=Groups,{rootSuffix}
objectClass: top
objectClass: groupOfUniqueNames
-cn: ClonedSubsystems
-description: People who can clone the master subsystem
-
-dn: ou=requests,{rootSuffix}
-objectClass: top
-objectClass: organizationalUnit
-ou: requests
-
-dn: cn=crossCerts,{rootSuffix}
-cn: crossCerts
-sn: crossCerts
-objectClass: top
-objectClass: person
-objectClass: pkiCA
-cACertificate;binary:
-authorityRevocationList;binary:
-certificateRevocationList;binary:
+cn: TUS Operators
+description: Operators for TUS
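Review bot: The new side no longer creates the `Administrators`, `Auditors`, `Subsystem Group`, `Trusted Managers` and `ClonedSubsystems` groups that the old file defined under `ou=groups`; only `TUS Agents`, `TUS Officers`, `TUS Administrators` and `TUS Operators` remain. If any ACL or authorization rule for this subsystem still names one of the removed groups, the guarded operations will be denied because the group is absent, so the group names should be checked against the subsystem's ACL configuration before this lands. Separately, `ou: Groups` is immediately followed by `dn: cn=TUS Agents,ou=Groups,{rootSuffix}` and each TUS group's `description:` line runs straight into the next `dn:`; LDIF requires a blank line between entries, so unless these are context blank lines lost in the diff view, the file will be rejected on import. The anonymous-read ACI on `ou=People` (`allow (read, search, compare) userdn="ldap:///anyone"` on everything except `userPassword`) is carried over unchanged, which keeps the People subtree, including certificate attributes, readable without a bind; that is worth a deliberate decision rather than inheritance from the old layout.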
diff --git a/base/tps/shared/conf/index.ldif b/base/tps/shared/conf/index.ldif
index fa4f2828c..d896de394 100644
--- a/base/tps/shared/conf/index.ldif
+++ b/base/tps/shared/conf/index.ldif
@@ -1,203 +1,76 @@
# --- BEGIN COPYRIGHT BLOCK ---
-# Copyright (C) 2006 Red Hat, Inc.
+# This library is free software; you can redistribute it and/or
+# modify it under the terms of the GNU Lesser General Public
+# License as published by the Free Software Foundation;
+# version 2.1 of the License.
+#
+# This library is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+# Lesser General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public
+# License along with this library; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor,
+# Boston, MA 02110-1301 USA
+#
+# Copyright (C) 2007 Red Hat, Inc.
# All rights reserved.
# --- END COPYRIGHT BLOCK ---
#
-dn: cn=revokedby,cn=index,cn={database},cn=ldbm database, cn=plugins, cn=config
-objectClass: top
-objectClass: nsIndex
-nsIndexType: eq
-nsSystemIndex: false
-cn: revokedby
-
-dn: cn=issuedby,cn=index,cn={database},cn=ldbm database, cn=plugins, cn=config
-objectClass: top
-objectClass: nsIndex
-nsIndexType: eq
-nsSystemIndex: false
-cn: issuedby
-
-dn: cn=publicKeyData,cn=index,cn={database},cn=ldbm database, cn=plugins, cn=config
-objectClass: top
-objectClass: nsIndex
-nsIndexType: eq
-nsSystemIndex: false
-cn: publicKeyData
-
-dn: cn=clientId,cn=index,cn={database},cn=ldbm database, cn=plugins, cn=config
-objectClass: top
-objectClass: nsIndex
-nsIndexType: eq
-nsSystemIndex: false
-cn: clientId
-
-dn: cn=dataType,cn=index,cn={database},cn=ldbm database, cn=plugins, cn=config
-objectClass: top
-objectClass: nsIndex
-nsIndexType: eq
-nsSystemIndex: false
-cn: dataType
-
-dn: cn=status,cn=index,cn={database},cn=ldbm database, cn=plugins, cn=config
-objectClass: top
-objectClass: nsIndex
-nsIndexType: eq
-nsSystemIndex: false
-cn: status
-
-dn: cn=description,cn=index,cn={database},cn=ldbm database, cn=plugins, cn=config
-objectClass: top
-objectClass: nsIndex
-nsIndexType: eq
-nsIndexType: pres
-nsSystemIndex: false
-cn: description
-
-dn: cn=serialno,cn=index,cn={database},cn=ldbm database, cn=plugins, cn=config
-objectClass: top
-objectClass: nsIndex
-nsIndexType: eq
-nsIndexType: pres
-nsSystemIndex: false
-cn: serialno
-
-dn: cn=metaInfo,cn=index,cn={database},cn=ldbm database, cn=plugins, cn=config
-objectClass: top
-objectClass: nsIndex
-nsIndexType: eq
-nsIndexType: pres
-nsSystemIndex: false
-cn: metaInfo
-
-dn: cn=certstatus,cn=index,cn={database},cn=ldbm database, cn=plugins, cn=config
-objectClass: top
-objectClass: nsIndex
-nsIndexType: eq
-nsIndexType: pres
-nsSystemIndex: false
-cn: certstatus
-
-dn: cn=requestid,cn=index,cn={database},cn=ldbm database, cn=plugins, cn=config
-objectClass: top
-objectClass: nsIndex
-nsIndexType: eq
-nsIndexType: pres
-nsSystemIndex: false
-cn: requestid
-
-dn: cn=requesttype,cn=index,cn={database},cn=ldbm database, cn=plugins, cn=config
-objectClass: top
-objectClass: nsIndex
-nsIndexType: eq
-nsIndexType: pres
-nsSystemIndex: false
-cn: requesttype
-
-dn: cn=requeststate,cn=index,cn={database},cn=ldbm database, cn=plugins, cn=config
-objectClass: top
-objectClass: nsIndex
-nsIndexType: eq
-nsIndexType: pres
-nsSystemIndex: false
-cn: requeststate
-
-dn: cn=requestowner,cn=index,cn={database},cn=ldbm database, cn=plugins, cn=config
-objectClass: top
-objectClass: nsIndex
-nsIndexType: eq
-nsIndexType: pres
-nsSystemIndex: false
-cn: requestowner
-
-dn: cn=notbefore,cn=index,cn={database},cn=ldbm database, cn=plugins, cn=config
-objectClass: top
-objectClass: nsIndex
-nsIndexType: eq
-nsIndexType: pres
-nsSystemIndex: false
-cn: notbefore
-
-dn: cn=notafter,cn=index,cn={database},cn=ldbm database, cn=plugins, cn=config
-objectClass: top
-objectClass: nsIndex
-nsIndexType: eq
-nsIndexType: pres
-nsSystemIndex: false
-cn: notafter
-
-dn: cn=duration,cn=index,cn={database},cn=ldbm database, cn=plugins, cn=config
-objectClass: top
-objectClass: nsIndex
-nsIndexType: eq
-nsIndexType: pres
-nsSystemIndex: false
-cn: duration
-
-dn: cn=dateOfCreate,cn=index,cn={database},cn=ldbm database, cn=plugins, cn=config
-objectClass: top
-objectClass: nsIndex
-nsIndexType: eq
-nsIndexType: pres
-nsSystemIndex: false
+dn: cn=tokenUserID,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
+objectclass: top
+objectclass: nsIndex
+cn: tokenUserID
+nsindextype: eq
+nsindextype: pres
+nsindextype: sub
+nssystemindex: false
+
+dn: cn=tokenID,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
+objectclass: top
+objectclass: nsIndex
+cn: tokenID
+nsindextype: eq
+nsindextype: pres
+nsindextype: sub
+nssystemindex: false
+
+dn: cn=dateOfCreate,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
+objectclass: top
+objectclass: nsIndex
cn: dateOfCreate
-
-dn: cn=revokedOn,cn=index,cn={database},cn=ldbm database, cn=plugins, cn=config
-objectClass: top
-objectClass: nsIndex
-nsIndexType: eq
-nsIndexType: pres
-nsSystemIndex: false
-cn: revokedOn
-
-dn: cn=archivedBy,cn=index,cn={database},cn=ldbm database, cn=plugins, cn=config
-objectClass: top
-objectClass: nsIndex
-nsIndexType: eq
-nsIndexType: pres
-nsSystemIndex: false
-cn: archivedBy
-
-dn: cn=ownername,cn=index,cn={database},cn=ldbm database, cn=plugins, cn=config
-objectClass: top
-objectClass: nsIndex
-nsIndexType: eq
-nsIndexType: pres
-nsIndexType: sub
-nsSystemIndex: false
-cn: ownername
-
-dn: cn=subjectname,cn=index,cn={database},cn=ldbm database, cn=plugins, cn=config
-objectClass: top
-objectClass: nsIndex
-nsIndexType: eq
-nsIndexType: pres
-nsIndexType: sub
-nsSystemIndex: false
-cn: subjectname
-
-dn: cn=requestsourceid,cn=index,cn={database},cn=ldbm database, cn=plugins, cn=config
-objectClass: top
-objectClass: nsIndex
-nsIndexType: eq
-nsIndexType: pres
-nsIndexType: sub
-nsSystemIndex: false
-cn: requestsourceid
-
-dn: cn=revInfo,cn=index,cn={database},cn=ldbm database, cn=plugins, cn=config
-objectClass: top
-objectClass: nsIndex
-nsIndexType: eq
-nsIndexType: pres
-nsIndexType: sub
-nsSystemIndex: false
-cn: revInfo
-
-dn: cn=extension,cn=index,cn={database},cn=ldbm database, cn=plugins, cn=config
-objectClass: top
-objectClass: nsIndex
-nsIndexType: eq
-nsIndexType: pres
-nsIndexType: sub
-nsSystemIndex: false
-cn: extension
+nsindextype: eq
+nsindextype: pres
+nsindextype: sub
+nssystemindex: false
+
+dn: cn=dateOfModify,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
+objectclass: top
+objectclass: nsIndex
+cn: dateOfModify
+nsindextype: eq
+nsindextype: pres
+nsindextype: sub
+nssystemindex: false
+
+dn: cn=userCertificate,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
+objectclass: top
+objectclass: nsIndex
+cn: userCertificate
+nsindextype: eq
+nssystemindex: false
+
+dn: cn=tokenSerial,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
+objectclass: top
+objectclass: nsIndex
+cn: tokenSerial
+nsindextype: eq
+nssystemindex: false
+
+dn: cn=tokenKeyType,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
+objectclass: top
+objectclass: nsIndex
+cn: tokenKeyType
+nsindextype: eq
+nssystemindex: false
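Review bot: The new index entries hardcode the backend name, e.g. `dn: cn=tokenUserID,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config`, whereas the removed entries used the `cn={database}` placeholder, which the `{rootSuffix}` token in db.ldif in this same change suggests is substituted at deployment time. If an instance's backend is not named userRoot, these seven indexes are created under a non-existent or unrelated backend and the token, activity and certificate searches run unindexed, which is both a performance problem and an easy way to exhaust the directory under load. Suggest keeping the placeholder, `dn: cn=tokenUserID,cn=index,cn={database},cn=ldbm database, cn=plugins, cn=config`, and applying the same to the other six entries.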
diff --git a/base/tps/shared/conf/schema.ldif b/base/tps/shared/conf/schema.ldif
index 777bbef12..bde045630 100644
--- a/base/tps/shared/conf/schema.ldif
+++ b/base/tps/shared/conf/schema.ldif
@@ -1,489 +1,58 @@
-dn: cn=schema
-changetype: modify
-add: attributeTypes
-attributeTypes: ( usertype-oid NAME 'usertype' DESC 'Distinguish whether the user is administrator, agent or subsystem.' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )
-
-dn: cn=schema
-changetype: modify
-add: attributeTypes
-attributeTypes: ( userstate-oid NAME 'userstate' DESC 'Distinguish whether the user is administrator, agent or subsystem.' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )
-
-dn: cn=schema
-changetype: modify
-add: objectClasses
-objectClasses: ( cmsuser-oid NAME 'cmsuser' DESC 'CMS User' SUP top STRUCTURAL MUST usertype MAY userstate X-ORIGIN 'user defined' )
-
-dn: cn=schema
-changetype: modify
-add: attributeTypes
-attributeTypes: ( archivedBy-oid NAME 'archivedBy' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )
-
-dn: cn=schema
-changetype: modify
-add: attributeTypes
-attributeTypes: ( adminMessages-oid NAME 'adminMessages' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )
-
-dn: cn=schema
-changetype: modify
-add: attributeTypes
-attributeTypes: ( algorithm-oid NAME 'algorithm' DESC 'CMS defined attribute'SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )
-
-dn: cn=schema
-changetype: modify
-add: attributeTypes
-attributeTypes: ( algorithmId-oid NAME 'algorithmId' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )
-
-dn: cn=schema
-changetype: modify
-add: attributeTypes
-attributeTypes: ( signingAlgorithmId-oid NAME 'signingAlgorithmId' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )
-
-dn: cn=schema
-changetype: modify
-add: attributeTypes
-attributeTypes: ( autoRenew-oid NAME 'autoRenew' DESC 'CMS defined attribute'SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )
-
-dn: cn=schema
-changetype: modify
-add: attributeTypes
-attributeTypes: ( certStatus-oid NAME 'certStatus' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )
-
-dn: cn=schema
-changetype: modify
-add: attributeTypes
-attributeTypes: ( crlName-oid NAME 'crlName' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )
-
-dn: cn=schema
-changetype: modify
-add: attributeTypes
-attributeTypes: ( crlSize-oid NAME 'crlSize' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )
-
-dn: cn=schema
-changetype: modify
-add: attributeTypes
-attributeTypes: ( deltaSize-oid NAME 'deltaSize' DESC 'CMS defined attribute'SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )
-
-dn: cn=schema
-changetype: modify
-add: attributeTypes
-attributeTypes: ( crlNumber-oid NAME 'crlNumber' DESC 'CMS defined attribute'SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )
-
-dn: cn=schema
-changetype: modify
-add: attributeTypes
-attributeTypes: ( deltaNumber-oid NAME 'deltaNumber' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )
-
-dn: cn=schema
-changetype: modify
-add: attributeTypes
-attributeTypes: ( firstUnsaved-oid NAME 'firstUnsaved' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )
-
-dn: cn=schema
-changetype: modify
-add: attributeTypes
-attributeTypes: ( crlCache-oid NAME 'crlCache' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.5 X-ORIGIN 'user defined' )
-
-dn: cn=schema
-changetype: modify
-add: attributeTypes
-attributeTypes: ( revokedCerts-oid NAME 'revokedCerts' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.5 X-ORIGIN 'user defined' )
-
-dn: cn=schema
-changetype: modify
-add: attributeTypes
-attributeTypes: ( unrevokedCerts-oid NAME 'unrevokedCerts' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.5 X-ORIGIN 'user defined' )
-
-dn: cn=schema
-changetype: modify
-add: attributeTypes
-attributeTypes: ( expiredCerts-oid NAME 'expiredCerts' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.5 X-ORIGIN 'user defined' )
-
-dn: cn=schema
-changetype: modify
-add: attributeTypes
-attributeTypes: ( crlExtensions-oid NAME 'crlExtensions' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.5 X-ORIGIN 'user defined' )
-
-dn: cn=schema
-changetype: modify
-add: attributeTypes
-attributeTypes: ( dateOfArchival-oid NAME 'dateOfArchival' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )
-
-dn: cn=schema
-changetype: modify
-add: attributeTypes
-attributeTypes: ( dateOfRecovery-oid NAME 'dateOfRecovery' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )
-
-dn: cn=schema
-changetype: modify
-add: attributeTypes
-attributeTypes: ( dateOfRevocation-oid NAME 'dateOfRevocation' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )
-
+# --- BEGIN COPYRIGHT BLOCK ---
+# This library is free software; you can redistribute it and/or
+# modify it under the terms of the GNU Lesser General Public
+# License as published by the Free Software Foundation;
+# version 2.1 of the License.
+#
+# This library is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+# Lesser General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public
+# License along with this library; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor,
+# Boston, MA 02110-1301 USA
+#
+# Copyright (C) 2007 Red Hat, Inc.
+# All rights reserved.
+# --- END COPYRIGHT BLOCK ---
+#
dn: cn=schema
changetype: modify
add: attributeTypes
attributeTypes: ( dateOfCreate-oid NAME 'dateOfCreate' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )
-
-dn: cn=schema
-changetype: modify
-add: attributeTypes
attributeTypes: ( dateOfModify-oid NAME 'dateOfModify' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )
-
-dn: cn=schema
-changetype: modify
-add: attributeTypes
-attributeTypes: ( duration-oid NAME 'duration' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )
-
-dn: cn=schema
-changetype: modify
-add: attributeTypes
-attributeTypes: ( extension-oid NAME 'extension' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )
-
-dn: cn=schema
-changetype: modify
-add: attributeTypes
-attributeTypes: ( issuedBy-oid NAME 'issuedBy' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )
-
-dn: cn=schema
-changetype: modify
-add: attributeTypes
-attributeTypes: ( issueInfo-oid NAME 'issueInfo' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.5 X-ORIGIN 'user defined' )
-
-dn: cn=schema
-changetype: modify
-add: attributeTypes
-attributeTypes: ( issuerName-oid NAME 'issuerName' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )
-
-dn: cn=schema
-changetype: modify
-add: attributeTypes
-attributeTypes: ( keySize-oid NAME 'keySize' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )
-
-dn: cn=schema
-changetype: modify
-add: attributeTypes
-attributeTypes: ( clientId-oid NAME 'clientId' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )
-
-dn: cn=schema
-changetype: modify
-add: attributeTypes
-attributeTypes: ( dataType-oid NAME 'dataType' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )
-
-dn: cn=schema
-changetype: modify
-add: attributeTypes
-attributeTypes: ( status-oid NAME 'status' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )
-
-dn: cn=schema
-changetype: modify
-add: attributeTypes
-attributeTypes: ( keyState-oid NAME 'keyState' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )
-
-dn: cn=schema
-changetype: modify
-add: attributeTypes
-attributeTypes: ( metaInfo-oid NAME 'metaInfo' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )
-
-dn: cn=schema
-changetype: modify
-add: attributeTypes
-attributeTypes: ( nextUpdate-oid NAME 'nextUpdate' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )
-
-dn: cn=schema
-changetype: modify
-add: attributeTypes
-attributeTypes: ( notAfter-oid NAME 'notAfter' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )
-
-dn: cn=schema
-changetype: modify
-add: attributeTypes
-attributeTypes: ( notBefore-oid NAME 'notBefore' DESC 'CMS defined attribute'SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )
-
-dn: cn=schema
-changetype: modify
-add: attributeTypes
-attributeTypes: ( ownerName-oid NAME 'ownerName' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )
-
-dn: cn=schema
-changetype: modify
-add: attributeTypes
-attributeTypes: ( password-oid NAME 'password' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )
-
-dn: cn=schema
-changetype: modify
-add: attributeTypes
-attributeTypes: ( p12Expiration-oid NAME 'p12Expiration' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )
-
-dn: cn=schema
-changetype: modify
-add: attributeTypes
-attributeTypes: ( proofOfArchival-oid NAME 'proofOfArchival' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.5 X-ORIGIN 'user defined' )
-
-dn: cn=schema
-changetype: modify
-add: attributeTypes
-attributeTypes: ( publicKeyData-oid NAME 'publicKeyData' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.5 X-ORIGIN 'user defined' )
-
-dn: cn=schema
-changetype: modify
-add: attributeTypes
-attributeTypes: ( publicKeyFormat-oid NAME 'publicKeyFormat' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )
-
-dn: cn=schema
-changetype: modify
-add: attributeTypes
-attributeTypes: ( privateKeyData-oid NAME 'privateKeyData' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.5 X-ORIGIN 'user defined' )
-
-dn: cn=schema
-changetype: modify
-add: attributeTypes
-attributeTypes: ( requestId-oid NAME 'requestId' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )
-
-dn: cn=schema
-changetype: modify
-add: attributeTypes
-attributeTypes: ( requestInfo-oid NAME 'requestInfo' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )
-
-dn: cn=schema
-changetype: modify
-add: attributeTypes
-attributeTypes: ( requestState-oid NAME 'requestState' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )
-
-dn: cn=schema
-changetype: modify
-add: attributeTypes
-attributeTypes: ( requestResult-oid NAME 'requestResult' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )
-
-dn: cn=schema
-changetype: modify
-add: attributeTypes
-attributeTypes: ( requestOwner-oid NAME 'requestOwner' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )
-
-dn: cn=schema
-changetype: modify
-add: attributeTypes
-attributeTypes: ( requestAgentGroup-oid NAME 'requestAgentGroup' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )
-
-dn: cn=schema
-changetype: modify
-add: attributeTypes
-attributeTypes: ( requestSourceId-oid NAME 'requestSourceId' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )
-
-dn: cn=schema
-changetype: modify
-add: attributeTypes
-attributeTypes: ( requestType-oid NAME 'requestType' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )
-
-dn: cn=schema
-changetype: modify
-add: attributeTypes
-attributeTypes: ( requestFlag-oid NAME 'requestFlag' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )
-
-dn: cn=schema
-changetype: modify
-add: attributeTypes
-attributeTypes: ( requestError-oid NAME 'requestError' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )
-
-dn: cn=schema
-changetype: modify
-add: attributeTypes
-attributeTypes: ( resourceACLS-oid NAME 'resourceACLS' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )
-
-dn: cn=schema
-changetype: modify
-add: attributeTypes
-attributeTypes: ( revInfo-oid NAME 'revInfo' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )
-
-dn: cn=schema
-changetype: modify
-add: attributeTypes
-attributeTypes: ( revokedBy-oid NAME 'revokedBy' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )
-
-dn: cn=schema
-changetype: modify
-add: attributeTypes
-attributeTypes: ( revokedOn-oid NAME 'revokedOn' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )
-
-dn: cn=schema
-changetype: modify
-add: attributeTypes
-attributeTypes: ( serialno-oid NAME 'serialno' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )
-
-dn: cn=schema
-changetype: modify
-add: attributeTypes
-attributeTypes: ( nextRange-oid NAME 'nextRange' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )
-
-dn: cn=schema
-changetype: modify
-add: attributeTypes
-attributeTypes: ( publishingStatus-oid NAME 'publishingStatus' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )
-
-dn: cn=schema
-changetype: modify
-add: attributeTypes
-attributeTypes: ( beginRange-oid NAME 'beginRange' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )
-
-dn: cn=schema
-changetype: modify
-add: attributeTypes
-attributeTypes: ( endRange-oid NAME 'endRange' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )
-
-dn: cn=schema
-changetype: modify
-add: attributeTypes
-attributeTypes: ( subjectName-oid NAME 'subjectName' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )
-
-dn: cn=schema
-changetype: modify
-add: attributeTypes
-attributeTypes: ( sessionContext-oid NAME 'sessionContext' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.5 X-ORIGIN 'user defined' )
-
-dn: cn=schema
-changetype: modify
-add: attributeTypes
-attributeTypes: ( thisUpdate-oid NAME 'thisUpdate' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )
-
-dn: cn=schema
-changetype: modify
-add: attributeTypes
-attributeTypes: ( transId-oid NAME 'transId' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )
-
-dn: cn=schema
-changetype: modify
-add: attributeTypes
-attributeTypes: ( transStatus-oid NAME 'transStatus' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )
-
-dn: cn=schema
-changetype: modify
-add: attributeTypes
-attributeTypes: ( transName-oid NAME 'transName' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )
-
-dn: cn=schema
-changetype: modify
-add: attributeTypes
-attributeTypes: ( transOps-oid NAME 'transOps' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )
-
-dn: cn=schema
-changetype: modify
-add: attributeTypes
-attributeTypes: ( userDN-oid NAME 'userDN' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )
-
-dn: cn=schema
-changetype: modify
-add: attributeTypes
-attributeTypes: ( userMessages-oid NAME 'userMessages' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )
-
-dn: cn=schema
-changetype: modify
-add: attributeTypes
-attributeTypes: ( version-oid NAME 'version' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )
-
-dn: cn=schema
-changetype: modify
-add: attributeTypes
-attributeTypes: ( Clone-oid NAME 'Clone' SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE X-ORIGIN 'user defined' )
-
-dn: cn=schema
-changetype: modify
-add: attributeTypes
-attributeTypes: ( DomainManager-oid NAME 'DomainManager' SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE X-ORIGIN 'user defined' )
-
-dn: cn=schema
-changetype: modify
-add: attributeTypes
-attributeTypes: ( SecurePort-oid NAME 'SecurePort' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'user defined' )
-
-dn: cn=schema
-changetype: modify
-add: attributeTypes
-attributeTypes: ( SecureAgentPort-oid NAME 'SecureAgentPort' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'user defined' )
-
-dn: cn=schema
-changetype: modify
-add: attributeTypes
-attributeTypes: ( SecureAdminPort-oid NAME 'SecureAdminPort' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'user defined' )
-
-dn: cn=schema
-changetype: modify
-add: attributeTypes
-attributeTypes: ( SecureEEClientAuthPort-oid NAME 'SecureEEClientAuthPort' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'user defined' )
-
-dn: cn=schema
-changetype: modify
-add: attributeTypes
-attributeTypes: ( UnSecurePort-oid NAME 'UnSecurePort' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'user defined' )
-
-dn: cn=schema
-changetype: modify
-add: attributeTypes
-attributeTypes: ( SubsystemName-oid NAME 'SubsystemName' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'user defined' )
-
-dn: cn=schema
-changetype: modify
-add: attributeTypes
-attributeTypes: ( cmsUserGroup-oid NAME 'cmsUserGroup' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )
-
-dn: cn=schema
-changetype: modify
-add: objectClasses
-objectClasses: ( CertACLS-oid NAME 'CertACLS' DESC 'CMS defined class' SUP top STRUCTURAL MUST cn MAY resourceACLS X-ORIGIN 'user defined' )
-
-dn: cn=schema
-changetype: modify
-add: objectClasses
-objectClasses: ( repository-oid NAME 'repository' DESC 'CMS defined class' SUP top STRUCTURAL MUST ou MAY ( serialno $ description $ nextRange $ publishingStatus ) X-ORIGIN 'user defined' )
-
-dn: cn=schema
-changetype: modify
-add: objectClasses
-objectClasses: ( request-oid NAME 'request' DESC 'CMS defined class' SUP top STRUCTURAL MUST cn MAY ( requestId $ dateOfCreate $ dateOfModify $ requestState $ requestResult $ requestOwner $ requestAgentGroup $ requestSourceId $ requestType $ requestFlag $ requestError $ userMessages $ adminMessages ) X-ORIGIN 'user defined' )
-
-dn: cn=schema
-changetype: modify
-add: objectClasses
-objectClasses: ( transaction-oid NAME 'transaction' DESC 'CMS defined class' SUP top STRUCTURAL MUST cn MAY ( transId $ description $ transName $ transStatus $ transOps ) X-ORIGIN 'user defined' )
-
-dn: cn=schema
-changetype: modify
-add: objectClasses
-objectClasses: ( crlIssuingPointRecord-oid NAME 'crlIssuingPointRecord' DESC 'CMS defined class' SUP top STRUCTURAL MUST cn MAY ( dateOfCreate $ dateOfModify $ crlNumber $ crlSize $ thisUpdate $ nextUpdate $ deltaNumber $ deltaSize $ firstUnsaved $ certificateRevocationList $ deltaRevocationList $ crlCache $ revokedCerts $ unrevokedCerts $ expiredCerts $ cACertificate ) X-ORIGIN 'user defined' )
-
-dn: cn=schema
-changetype: modify
-add: objectClasses
-objectClasses: ( certificateRecord-oid NAME 'certificateRecord' DESC 'CMS defined class' SUP top STRUCTURAL MUST cn MAY ( serialno $ dateOfCreate $ dateOfModify $ certStatus $ autoRenew $ issueInfo $ metaInfo $ revInfo $ version $ duration $ notAfter $ notBefore $ algorithmId $ subjectName $ signingAlgorithmId $ userCertificate $ issuedBy $ revokedBy $ revokedOn $ extension $ publicKeyData $ issuerName ) X-ORIGIN 'user defined' )
-
-dn: cn=schema
-changetype: modify
-add: objectClasses
-objectClasses: ( userDetails-oid NAME 'userDetails' DESC 'CMS defined class' SUP top STRUCTURAL MUST userDN MAY ( dateOfCreate $ dateOfModify $ password $ p12Expiration ) X-ORIGIN 'user defined' )
-
-dn: cn=schema
-changetype: modify
-add: objectClasses
-objectClasses: ( keyRecord-oid NAME 'keyRecord' DESC 'CMS defined class' SUP top STRUCTURAL MUST cn MAY ( serialno $ dateOfCreate $ dateOfModify $ keyState $ privateKeyData $ ownerName $ keySize $ metaInfo $ dateOfArchival $ dateOfRecovery $ algorithm $ publicKeyFormat $ publicKeyData $ archivedBy $ clientId $ dataType $ status ) X-ORIGIN 'user defined' )
-
-dn: cn=schema
-changetype: modify
-add: objectClasses
-objectClasses: ( pkiSecurityDomain-oid NAME 'pkiSecurityDomain' DESC 'CMS defined class' SUP top STRUCTURAL MUST ( ou $ name ) X-ORIGIN 'user defined' )
-
-dn: cn=schema
-changetype: modify
-add: objectClasses
-objectClasses: ( pkiSecurityGroup-oid NAME 'pkiSecurityGroup' DESC 'CMS defined class' SUP top STRUCTURAL MUST cn X-ORIGIN 'user defined' )
-
-dn: cn=schema
-changetype: modify
-add: objectClasses
-objectClasses: ( pkiSubsystem-oid NAME 'pkiSubsystem' DESC 'CMS defined class' SUP top STRUCTURAL MUST ( cn $ Host $ SecurePort $ SubsystemName $ Clone ) MAY ( DomainManager $ SecureAgentPort $ SecureAdminPort $SecureEEClientAuthPort $ UnSecurePort ) X-ORIGIN 'user defined' )
-
-dn: cn=schema
-changetype: modify
-add: objectClasses
-objectClasses: ( pkiRange-oid NAME 'pkiRange' DESC 'CMS defined class' SUP top STRUCTURAL MUST ( cn $ beginRange $ endRange $ Host $ SecurePort ) X-ORIGIN 'user defined' )
-
-dn: cn=schema
-changetype: modify
-add: objectClasses
-objectClasses: ( securityDomainSessionEntry-oid NAME 'securityDomainSessionEntry' DESC 'CMS defined class' SUP top STRUCTURAL MUST ( cn $ host $ uid $ cmsUserGroup $ dateOfCreate ) X-ORIGIN 'user defined' )
+attributeTypes: ( modified-oid NAME 'modified' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 X-ORIGIN 'user defined' )
+attributeTypes: ( tokenUserID-oid NAME 'tokenUserID' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )
+attributeTypes: ( tokenStatus-oid NAME 'tokenStatus' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )
+attributeTypes: ( tokenAppletID-oid NAME 'tokenAppletID' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )
+attributeTypes: ( keyInfo-oid NAME 'keyInfo' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )
+attributeTypes: ( numberOfResets-oid NAME 'numberOfResets' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 X-ORIGIN 'user defined' )
+attributeTypes: ( numberOfEnrollments-oid NAME 'numberOfEnrollments' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 X-ORIGIN 'user defined' )
+attributeTypes: ( numberOfRenewals-oid NAME 'numberOfRenewals' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 X-ORIGIN 'user defined' )
+attributeTypes: ( numberOfRecoveries-oid NAME 'numberOfRecoveries' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 X-ORIGIN 'user defined' )
+attributeTypes: ( allowPinReset-oid NAME 'allowPinReset' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )
+attributeTypes: ( extensions-oid NAME 'extensions' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )
+attributeTypes: ( tokenOp-oid NAME 'tokenOp' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )
+attributeTypes: ( tokenID-oid NAME 'tokenID' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )
+attributeTypes: ( tokenMsg-oid NAME 'tokenMsg' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )
+attributeTypes: ( tokenResult-oid NAME 'tokenResult' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )
+attributeTypes: ( tokenIP-oid NAME 'tokenIP' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )
+attributeTypes: ( tokenPolicy-oid NAME 'tokenPolicy' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )
+attributeTypes: ( tokenIssuer-oid NAME 'tokenIssuer' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )
+attributeTypes: ( tokenSubject-oid NAME 'tokenSubject' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )
+attributeTypes: ( tokenSerial-oid NAME 'tokenSerial' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )
+attributeTypes: ( tokenOrigin-oid NAME 'tokenOrigin' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )
+attributeTypes: ( tokenType-oid NAME 'tokenType' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )
+attributeTypes: ( tokenKeyType-oid NAME 'tokenKeyType' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )
+attributeTypes: ( tokenReason-oid NAME 'tokenReason' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )
+attributeTypes: ( tokenNotBefore-oid NAME 'tokenNotBefore' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )
+attributeTypes: ( tokenNotAfter-oid NAME 'tokenNotAfter' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )
+attributeTypes: ( profileID-oid NAME 'profileID' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )
+-
+add: objectClasses
+objectClasses: ( tokenRecord-oid NAME 'tokenRecord' DESC 'CMS defined class' SUP top STRUCTURAL MUST cn MAY ( dateOfCreate $ dateOfModify $ modified $ tokenReason $ tokenUserID $ tokenStatus $ tokenAppletID $ keyInfo $ tokenPolicy $ extensions $ numberOfResets $ numberOfEnrollments $ numberOfRenewals $ numberOfRecoveries $ userCertificate $ tokenType ) X-ORIGIN 'user defined' )
+objectClasses: ( tokenActivity-oid NAME 'tokenActivity' DESC 'CMS defined class' SUP top STRUCTURAL MUST cn MAY ( dateOfCreate $ dateOfModify $ tokenOp $ tokenIP $ tokenResult $ tokenID $ tokenUserID $ tokenMsg $ extensions $ tokenType ) X-ORIGIN 'user defined' )
+objectClasses: ( tokenCert-oid NAME 'tokenCert' DESC 'CMS defined class' SUP top STRUCTURAL MUST cn MAY ( dateOfCreate $ dateOfModify $ userCertificate $ tokenUserID $ tokenID $ tokenIssuer $ tokenOrigin $ tokenSubject $ tokenSerial $ tokenStatus $ tokenType $ tokenKeyType $ tokenNotBefore $ tokenNotAfter $ extensions ) X-ORIGIN 'user defined' )
+objectClasses: ( tpsProfileID-oid NAME 'tpsProfileID' DESC 'CMS defined class' SUP top AUXILIARY MAY ( profileID ) X-ORIGIN 'user-defined' )