summaryrefslogtreecommitdiffstats
path: root/base/deploy
diff options
context:
space:
mode:
Diffstat (limited to 'base/deploy')
-rw-r--r--base/deploy/CMakeLists.txt16
-rw-r--r--base/deploy/config/pkideployment.cfg5
-rw-r--r--base/deploy/config/pkislots.cfg3
-rw-r--r--base/deploy/scripts/operations1155
-rwxr-xr-xbase/deploy/scripts/pkidaemon74
-rwxr-xr-xbase/deploy/src/pkidestroy22
-rwxr-xr-xbase/deploy/src/pkispawn22
-rw-r--r--base/deploy/src/scriptlets/configuration.py19
-rw-r--r--base/deploy/src/scriptlets/finalization.py10
-rw-r--r--base/deploy/src/scriptlets/infrastructure_layout.py6
-rw-r--r--base/deploy/src/scriptlets/instance_layout.py12
-rw-r--r--base/deploy/src/scriptlets/pkiconfig.py12
-rw-r--r--base/deploy/src/scriptlets/pkiparser.py236
-rw-r--r--base/deploy/src/scriptlets/slot_substitution.py20
14 files changed, 1491 insertions, 121 deletions
diff --git a/base/deploy/CMakeLists.txt b/base/deploy/CMakeLists.txt
index 44705818c..c7c4bd19b 100644
--- a/base/deploy/CMakeLists.txt
+++ b/base/deploy/CMakeLists.txt
@@ -23,6 +23,7 @@ set(APACHE_SUBSYSTEMS
install(
FILES
+ scripts/pkidaemon
src/pkispawn
src/pkidestroy
DESTINATION
@@ -35,6 +36,17 @@ install(
install(
FILES
+ scripts/operations
+ DESTINATION
+ ${DATA_INSTALL_DIR}/scripts/
+ PERMISSIONS
+ OWNER_EXECUTE OWNER_WRITE OWNER_READ
+ GROUP_EXECUTE GROUP_READ
+ WORLD_EXECUTE WORLD_READ
+)
+
+install(
+ FILES
config/pkideployment.cfg
config/pkislots.cfg
DESTINATION
@@ -97,8 +109,8 @@ install(
)
# install empty directories
-#install(CODE "file(MAKE_DIRECTORY \$ENV{DESTDIR}${VAR_INSTALL_DIR}/lock/pki)")
-#install(CODE "file(MAKE_DIRECTORY \$ENV{DESTDIR}${VAR_INSTALL_DIR}/run/pki)")
+install(CODE "file(MAKE_DIRECTORY \$ENV{DESTDIR}${VAR_INSTALL_DIR}/lock/pki)")
+install(CODE "file(MAKE_DIRECTORY \$ENV{DESTDIR}${VAR_INSTALL_DIR}/run/pki)")
# install subsystem directories for pkispawn and pkidestroy
foreach(PKI_SUBSYSTEM ${PKI_SUBSYSTEMS})
diff --git a/base/deploy/config/pkideployment.cfg b/base/deploy/config/pkideployment.cfg
index c9c356043..dd688ed09 100644
--- a/base/deploy/config/pkideployment.cfg
+++ b/base/deploy/config/pkideployment.cfg
@@ -15,23 +15,20 @@ pki_ajp_port=8009
pki_proxy_http_port=80
pki_proxy_https_port=443
pki_security_manager=true
+pki_tomcat_server_port=8005
[CA]
pki_subsystem=CA
pki_war_name=ca.war
-pki_tomcat_server_port=9701
[KRA]
pki_subsystem=KRA
pki_war_name=kra.war
-pki_tomcat_server_port=10701
[OCSP]
pki_subsystem=OCSP
pki_war_name=ocsp.war
-pki_tomcat_server_port=11701
[RA]
pki_subsystem=RA
[TKS]
pki_subsystem=TKS
pki_war_name=tks.war
-pki_tomcat_server_port=13701
[TPS]
pki_subsystem=TPS
diff --git a/base/deploy/config/pkislots.cfg b/base/deploy/config/pkislots.cfg
index b04b8efa0..b6c40ebe3 100644
--- a/base/deploy/config/pkislots.cfg
+++ b/base/deploy/config/pkislots.cfg
@@ -15,6 +15,7 @@ PKI_INSTANCE_INITSCRIPT_SLOT=[PKI_INSTANCE_INITSCRIPT]
PKI_LOCKDIR_SLOT=[PKI_LOCKDIR]
PKI_PIDDIR_SLOT=[PKI_PIDDIR]
PKI_REGISTRY_FILE_SLOT=[PKI_REGISTRY_FILE]
+PKI_WEB_SERVER_TYPE_SLOT=[PKI_WEB_SERVER_TYPE]
PORT_SLOT=[PORT]
PROCESS_ID_SLOT=[PROCESS_ID]
REQUIRE_CFG_PL_SLOT=[REQUIRE_CFG_PL]
@@ -48,7 +49,6 @@ PKI_EE_SECURE_CLIENT_AUTH_PORT_UI_SLOT=[PKI_EE_SECURE_CLIENT_AUTH_PORT_UI]
PKI_EE_SECURE_PORT_SLOT=[PKI_EE_SECURE_PORT]
PKI_EE_SECURE_PORT_CONNECTOR_NAME_SLOT=[PKI_EE_SECURE_PORT_CONNECTOR_NAME]
PKI_EE_SECURE_PORT_SERVER_COMMENT_SLOT=[PKI_EE_SECURE_PORT_SERVER_COMMENT]
-PKI_FLAVOR_SLOT=[PKI_FLAVOR]
PKI_GROUP_SLOT=[PKI_GROUP]
PKI_INSTANCE_ID_SLOT=[PKI_INSTANCE_ID]
PKI_INSTANCE_INITSCRIPT_SLOT=[PKI_INSTANCE_INITSCRIPT]
@@ -76,6 +76,7 @@ PKI_UNSECURE_PORT_SLOT=[PKI_UNSECURE_PORT]
PKI_UNSECURE_PORT_CONNECTOR_NAME_SLOT=[PKI_UNSECURE_PORT_CONNECTOR_NAME]
PKI_UNSECURE_PORT_SERVER_COMMENT_SLOT=[PKI_UNSECURE_PORT_SERVER_COMMENT]
PKI_USER_SLOT=[PKI_USER]
+PKI_WEB_SERVER_TYPE_SLOT=[PKI_WEB_SERVER_TYPE]
PKI_WEBAPPS_NAME_SLOT=[PKI_WEBAPPS_NAME]
TOMCAT_CFG_SLOT=[TOMCAT_CFG]
TOMCAT_INSTANCE_COMMON_LIB_SLOT=[TOMCAT_INSTANCE_COMMON_LIB]
diff --git a/base/deploy/scripts/operations b/base/deploy/scripts/operations
new file mode 100644
index 000000000..ea7527f31
--- /dev/null
+++ b/base/deploy/scripts/operations
@@ -0,0 +1,1155 @@
+#!/bin/bash -X
+
+# From "http://fedoraproject.org/wiki/FCNewInit/Initscripts":
+#
+# Status Exit Codes
+#
+# 0 program is running or service is OK
+# 1 program is dead and /var/run pid file exists
+# 2 program is dead and /var/lock lock file exists
+# 3 program is not running
+# 4 program or service status is unknown
+# 5-99 reserved for future LSB use
+# 100-149 reserved for distribution use
+# 150-199 reserved for application use
+# 200-254 reserved
+#
+# Non-Status Exit Codes
+#
+# 0 action was successful
+# 1 generic or unspecified error (current practice)
+# 2 invalid or excess argument(s)
+# 3 unimplemented feature (for example, "reload")
+# 4 user had insufficient privilege
+# 5 program is not installed
+# 6 program is not configured
+# 7 program is not running
+# 8-99 reserved for future LSB use
+# 100-149 reserved for distribution use
+# 150-199 reserved for application use
+# 200-254 reserved
+#
+
+# PKI subsystem-level directory and file values for locks
+lockfile="/var/lock/subsys/${SERVICE_NAME}"
+
+default_error=0
+
+case $command in
+ start|stop|restart|condrestart|force-restart|try-restart)
+ # 1 generic or unspecified error (current practice)
+ default_error=1
+ ;;
+ reload)
+ default_error=3
+ ;;
+ status)
+ # 4 program or service status is unknown
+ default_error=4
+ ;;
+ *)
+ # 2 invalid argument(s)
+ default_error=2
+ ;;
+esac
+
+# Enable nullglob, if set then shell pattern globs which do not match any
+# file returns the empty string rather than the unmodified glob pattern.
+shopt -s nullglob
+
+OS=`uname -s`
+ARCHITECTURE=`uname -i`
+
+# Check to insure that this script's original invocation directory
+# has not been deleted!
+CWD=`/bin/pwd > /dev/null 2>&1`
+if [ $? -ne 0 ] ; then
+ echo "Cannot invoke '$PROG_NAME' from non-existent directory!"
+ exit ${default_error}
+fi
+
+# Check to insure that this script's associated PKI
+# subsystem currently resides on this system.
+PKI_CA_PATH="/usr/share/pki/ca"
+PKI_KRA_PATH="/usr/share/pki/kra"
+PKI_OCSP_PATH="/usr/share/pki/ocsp"
+PKI_RA_PATH="/usr/share/pki/ra"
+PKI_TKS_PATH="/usr/share/pki/tks"
+PKI_TPS_PATH="/usr/share/pki/tps"
+if [ '${PKI_TYPE}' == "apache" ] ; then
+ if [ ! -d ${PKI_RA_PATH} ] &&
+ [ ! -d ${PKI_TPS_PATH} ] ; then
+ echo "This machine is missing all PKI '${PKI_TYPE}' subsystems!"
+ if [ "${command}" != "status" ]; then
+ # 5 program is not installed
+ exit 5
+ else
+ exit ${default_error}
+ fi
+ fi
+elif [ '${PKI_TYPE}' == "tomcat" ] ; then
+ if [ ! -d ${PKI_CA_PATH} ] &&
+ [ ! -d ${PKI_KRA_PATH} ] &&
+ [ ! -d ${PKI_OCSP_PATH} ] &&
+ [ ! -d ${PKI_TKS_PATH} ] ; then
+ echo "This machine is missing all PKI '${PKI_TYPE}' subsystems!"
+ if [ "${command}" != "status" ]; then
+ # 5 program is not installed
+ exit 5
+ else
+ exit ${default_error}
+ fi
+ fi
+fi
+
+# This script must be run as root!
+RV=0
+if [ `id -u` -ne 0 ] ; then
+ echo "Must be 'root' to execute '$PROG_NAME'!"
+ if [ "${command}" != "status" ]; then
+ # 4 user had insufficient privilege
+ exit 4
+ else
+ # 4 program or service status is unknown
+ exit 4
+ fi
+fi
+
+PKI_REGISTRY_ENTRIES=""
+TOTAL_PKI_REGISTRY_ENTRIES=0
+TOTAL_UNCONFIGURED_PKI_ENTRIES=0
+
+# Gather ALL registered instances of this PKI web server type
+for INSTANCE in ${PKI_REGISTRY}/*; do
+ if [ -d "$INSTANCE" ] ; then
+ for REGISTRY in ${INSTANCE}/*; do
+ if [ -f "$REGISTRY" ] ; then
+ PKI_REGISTRY_ENTRIES="${PKI_REGISTRY_ENTRIES} $REGISTRY"
+ TOTAL_PKI_REGISTRY_ENTRIES=`expr ${TOTAL_PKI_REGISTRY_ENTRIES} + 1`
+ fi
+ done
+ fi
+done
+
+# Execute the specified registered instance of this PKI web server type
+if [ -n "${pki_instance_id}" ]; then
+ for INSTANCE in ${PKI_REGISTRY_ENTRIES}; do
+ if [ "${PKI_REGISTRY}/${pki_instance_id}" = "$INSTANCE" ]; then
+ PKI_REGISTRY_ENTRIES="${PKI_REGISTRY}/${pki_instance_id}"
+ TOTAL_PKI_REGISTRY_ENTRIES=1
+ break
+ fi
+ done
+fi
+
+usage()
+{
+ echo -n "Usage: ${SERVICE_PROG} ${SERVICE_NAME}"
+ echo -n "{start"
+ echo -n "|stop"
+ echo -n "|restart"
+ echo -n "|condrestart"
+ echo -n "|force-restart"
+ echo -n "|try-restart"
+ echo -n "|reload"
+ echo -n "|status} "
+ echo -n "[instance-name]"
+ echo
+ echo
+}
+
+usage_systemd()
+{
+ echo -n "Usage: /usr/bin/pkidaemon "
+ echo -n "{start"
+ echo -n "|stop"
+ echo -n "|restart"
+ echo -n "|condrestart"
+ echo -n "|force-restart"
+ echo -n "|try-restart"
+ echo -n "|reload"
+ echo -n "|status} "
+ echo -n "subsystem-type "
+ echo -n "[instance-name]"
+ echo
+ echo
+}
+
+
+list_instances()
+{
+ echo
+ for PKI_REGISTRY_ENTRY in $PKI_REGISTRY_ENTRIES; do
+ instance_name=`basename $PKI_REGISTRY_ENTRY`
+ echo " $instance_name"
+ done
+ echo
+}
+
+# Check arguments
+if [ $SYSTEMD ]; then
+ if [ $# -lt 2 ] ; then
+ # [insufficient arguments]
+ echo "$PROG_NAME: Insufficient arguments!"
+ echo
+ usage_systemd
+ echo "where valid instance names include:"
+ list_instances
+ exit 3
+ elif [ ${default_error} -eq 2 ] ; then
+ # 2 invalid argument
+ echo "$PROG_NAME: Invalid arguments!"
+ echo
+ usage_systemd
+ echo "where valid instance names include:"
+ list_instances
+ exit 2
+ elif [ $# -gt 3 ] ; then
+ echo "$PROG_NAME: Excess arguments!"
+ echo
+ usage_systemd
+ echo "where valid instance names include:"
+ list_instances
+ if [ "${command}" != "status" ]; then
+ # 2 excess arguments
+ exit 2
+ else
+ # 4 program or service status is unknown
+ exit 4
+ fi
+ fi
+else
+ if [ $# -lt 1 ] ; then
+ # 3 unimplemented feature (for example, "reload")
+ # [insufficient arguments]
+ echo "$PROG_NAME: Insufficient arguments!"
+ echo
+ usage
+ echo "where valid instance names include:"
+ list_instances
+ exit 3
+ elif [ ${default_error} -eq 2 ] ; then
+ # 2 invalid argument
+ echo "$PROG_NAME: Invalid arguments!"
+ echo
+ usage
+ echo "where valid instance names include:"
+ list_instances
+ exit 2
+ elif [ $# -gt 2 ] ; then
+ echo "$PROG_NAME: Excess arguments!"
+ echo
+ usage
+ echo "where valid instance names include:"
+ list_instances
+ if [ "${command}" != "status" ]; then
+ # 2 excess arguments
+ exit 2
+ else
+ # 4 program or service status is unknown
+ exit 4
+ fi
+ fi
+fi
+
+# If an "instance" was supplied, check that it is a "valid" instance
+if [ -n "${pki_instance_id}" ]; then
+ valid=0
+ for PKI_REGISTRY_ENTRY in $PKI_REGISTRY_ENTRIES; do
+ instance_name=`basename $PKI_REGISTRY_ENTRY`
+ if [ "${pki_instance_id}" == "${instance_name}" ]; then
+ valid=1
+ break
+ fi
+ done
+ if [ $valid -eq 0 ]; then
+ echo -n "${pki_instance_id} is an invalid '${PKI_TYPE}' instance"
+ if [ ! $SYSTEMD ]; then
+ echo_failure
+ fi
+ echo
+
+ if [ "${command}" != "status" ]; then
+ # 5 program is not installed
+ exit 5
+ else
+ # 4 program or service status is unknown
+ exit 4
+ fi
+ fi
+fi
+
+check_pki_configuration_status()
+{
+ rv=0
+
+ case ${PKI_WEB_SERVER_TYPE} in
+ tomcat)
+ for SUBSYSTEM in ca kra ocsp tks; do
+ if [ -d ${PKI_INSTANCE_PATH}/conf/${SUBSYSTEM} ]; then
+ rv=`grep -c ^preop ${PKI_INSTANCE_PATH}/conf/${SUBSYSTEM}/CS.cfg`
+ rv=`expr ${rv} + 0`
+ fi
+ done
+ ;;
+ apache)
+ # TBD
+ ;;
+ *)
+ echo "Unknown web server type ($PKI_WEB_SERVER_TYPE)"
+ exit ${default_error}
+ ;;
+ esac
+
+ if [ $rv -ne 0 ] ; then
+ echo " '${PKI_INSTANCE_ID}' must still be CONFIGURED!"
+ echo " (see /var/log/${PKI_INSTANCE_ID}-install.log)"
+ if [ "${command}" != "status" ]; then
+ # 6 program is not configured
+ rv=6
+ else
+ # 4 program or service status is unknown
+ rv=4
+ fi
+ TOTAL_UNCONFIGURED_PKI_ENTRIES=`expr ${TOTAL_UNCONFIGURED_PKI_ENTRIES} + 1`
+ elif [ -f ${RESTART_SERVER} ] ; then
+ echo -n " Although '${PKI_INSTANCE_ID}' has been CONFIGURED, "
+ echo -n "it must still be RESTARTED!"
+ echo
+ if [ "${command}" != "status" ]; then
+ # 1 generic or unspecified error (current practice)
+ rv=1
+ else
+ # 4 program or service status is unknown
+ rv=4
+ fi
+ fi
+
+ return $rv
+}
+
+get_pki_status_definitions()
+{
+ case $PKI_WEB_SERVER_TYPE in
+ tomcat)
+ get_pki_status_definitions_tomcat
+ return $?
+ ;;
+ ra)
+ get_pki_status_definitions_ra
+ return $?
+ ;;
+ tps)
+ get_pki_status_definitions_tps
+ return $?
+ ;;
+ *)
+ echo "Unknown web server type ($PKI_WEB_SERVER_TYPE)"
+ exit ${default_error}
+ ;;
+ esac
+}
+
+get_pki_status_definitions_ra()
+{
+ # establish well-known strings
+ total_ports=0
+ UNSECURE_PORT=""
+ CLIENTAUTH_PORT=""
+ NON_CLIENTAUTH_PORT=""
+
+ # check to see that an instance-specific "httpd.conf" file exists
+ if [ ! -f ${PKI_HTTPD_CONF} ] ; then
+ echo "File '${PKI_HTTPD_CONF}' does not exist!"
+ exit ${default_error}
+ fi
+
+ # check to see that an instance-specific "nss.conf" file exists
+ if [ ! -f ${PKI_NSS_CONF} ] ; then
+ echo "File '${PKI_NSS_CONF}' does not exist!"
+ exit ${default_error}
+ fi
+
+ # Iterate over Listen statements
+ for port in `sed -n 's/^[ \t]*Listen[ \t][ \t]*\([^ \t][^ \t]*\)/\1/p' ${PKI_HTTPD_CONF}`; do
+ UNSECURE_PORT=$port
+ if [ $total_ports -eq 0 ]; then
+ echo " Unsecure Port = http://${PKI_SERVER_NAME}:${UNSECURE_PORT}"
+ else
+ echo "ERROR: extra Unsecure Port = http://${PKI_SERVER_NAME}:${UNSECURE_PORT}"
+ fi
+ total_ports=`expr ${total_ports} + 1`
+
+ done
+
+ # Iterate over Listen statements
+ for port in `sed -n 's/^[ \t]*Listen[ \t][ \t]*\([^ \t][^ \t]*\)/\1/p' ${PKI_NSS_CONF}`; do
+ UNSECURE_PORT=$port
+ if [ $total_ports -eq 1 ]; then
+ CLIENTAUTH_PORT=$port
+ echo " Secure Clientauth Port = https://${PKI_SERVER_NAME}:${CLIENTAUTH_PORT}"
+ fi
+ if [ $total_ports -eq 2 ]; then
+ NON_CLIENTAUTH_PORT=$port
+ echo " Secure Non-Clientauth Port = https://${PKI_SERVER_NAME}:${NON_CLIENTAUTH_PORT}"
+ fi
+ total_ports=`expr ${total_ports} + 1`
+
+ done
+
+ return 0;
+}
+
+get_pki_status_definitions_tps()
+{
+ # establish well-known strings
+ total_ports=0
+ UNSECURE_PORT=""
+ CLIENTAUTH_PORT=""
+ NON_CLIENTAUTH_PORT=""
+
+ # check to see that an instance-specific "httpd.conf" file exists
+ if [ ! -f ${PKI_HTTPD_CONF} ] ; then
+ echo "File '${PKI_HTTPD_CONF}' does not exist!"
+ exit ${default_error}
+ fi
+
+ # check to see that an instance-specific "nss.conf" file exists
+ if [ ! -f ${PKI_NSS_CONF} ] ; then
+ echo "File '${PKI_NSS_CONF}' does not exist!"
+ exit ${default_error}
+ fi
+
+ # Iterate over Listen statements
+ for port in `sed -n 's/^[ \t]*Listen[ \t][ \t]*\([^ \t][^ \t]*\)/\1/p' ${PKI_HTTPD_CONF}`; do
+ UNSECURE_PORT=$port
+ if [ $total_ports -eq 0 ]; then
+ echo " Unsecure Port = http://${PKI_SERVER_NAME}:${UNSECURE_PORT}/cgi-bin/so/enroll.cgi"
+ echo " (ESC Security Officer Enrollment)"
+ echo " Unsecure Port = http://${PKI_SERVER_NAME}:${UNSECURE_PORT}/cgi-bin/home/index.cgi"
+ echo " (ESC Phone Home)"
+ else
+ echo "ERROR: extra Unsecure Port = http://${PKI_SERVER_NAME}:${UNSECURE_PORT}"
+ fi
+ total_ports=`expr ${total_ports} + 1`
+
+ done
+
+ # Iterate over Listen statements
+ for port in `sed -n 's/^[ \t]*Listen[ \t][ \t]*\([^ \t][^ \t]*\)/\1/p' ${PKI_NSS_CONF}`; do
+ UNSECURE_PORT=$port
+ if [ $total_ports -eq 1 ]; then
+ CLIENTAUTH_PORT=$port
+ echo " Secure Clientauth Port = https://${PKI_SERVER_NAME}:${CLIENTAUTH_PORT}/cgi-bin/sow/welcome.cgi"
+ echo " (ESC Security Officer Workstation)"
+ echo " Secure Clientauth Port = https://${PKI_SERVER_NAME}:${CLIENTAUTH_PORT}/tus"
+ echo " (TPS Roles - Operator/Administrator/Agent)"
+ fi
+ if [ $total_ports -eq 2 ]; then
+ NON_CLIENTAUTH_PORT=$port
+ echo " Secure Non-Clientauth Port = https://${PKI_SERVER_NAME}:${NON_CLIENTAUTH_PORT}/cgi-bin/so/enroll.cgi"
+ echo " (ESC Security Officer Enrollment)"
+ echo " Secure Non-Clientauth Port = https://${PKI_SERVER_NAME}:${NON_CLIENTAUTH_PORT}/cgi-bin/home/index.cgi"
+ echo " (ESC Phone Home)"
+ fi
+ total_ports=`expr ${total_ports} + 1`
+
+ done
+
+ return 0;
+}
+
+get_pki_status_definitions_tomcat()
+{
+ # establish well-known strings
+ begin_pki_status_comment="<!-- DO NOT REMOVE - Begin PKI Status Definitions -->"
+ end_pki_status_comment="<!-- DO NOT REMOVE - End PKI Status Definitions -->"
+ total_ports=0
+ unsecure_port_statement="Unsecure Port"
+ secure_agent_port_statement="Secure Agent Port"
+ secure_ee_port_statement="Secure EE Port"
+ secure_ee_client_auth_port_statement="EE Client Auth Port"
+ secure_admin_port_statement="Secure Admin Port"
+ pki_console_port_statement="PKI Console Port"
+ tomcat_port_statement="Tomcat Port"
+
+ # initialize looping variables
+ pki_status_comment_found=0
+
+ # first check to see that an instance-specific "server.xml" file exists
+ if [ ! -f ${PKI_SERVER_XML_CONF} ] ; then
+ echo "File '${PKI_SERVER_XML_CONF}' does not exist!"
+ exit ${default_error}
+ fi
+
+ # read this instance-specific "server.xml" file line-by-line
+ # to obtain the current PKI Status Definitions
+ exec < ${PKI_SERVER_XML_CONF}
+ while read line; do
+ # first look for the well-known end PKI Status comment
+ # (to turn off processing)
+ if [ "$line" == "$end_pki_status_comment" ] ; then
+ pki_status_comment_found=0
+ break;
+ fi
+
+ # then look for the well-known begin PKI Status comment
+ # (to turn on processing)
+ if [ "$line" == "$begin_pki_status_comment" ] ; then
+ pki_status_comment_found=1
+ fi
+
+ # once the well-known begin PKI Status comment has been found,
+ # begin processing to obtain all of the PKI Status Definitions
+ if [ $pki_status_comment_found -eq 1 ] ; then
+ # look for a PKI Status Definition and print it
+ head=`echo "$line" | sed -e 's/^\([^=]*\)[ \t]*= .*$/\1/' -e 's/[ \t]*$//'`
+ if [ "$head" == "$unsecure_port_statement" ] ||
+ [ "$head" == "$secure_agent_port_statement" ] ||
+ [ "$head" == "$secure_ee_port_statement" ] ||
+ [ "$head" == "$secure_ee_client_auth_port_statement" ] ||
+ [ "$head" == "$secure_admin_port_statement" ] ||
+ [ "$head" == "$pki_console_port_statement" ] ||
+ [ "$head" == "$tomcat_port_statement" ] ; then
+ echo " $line"
+ total_ports=`expr ${total_ports} + 1`
+ fi
+ fi
+ done
+
+ return 0;
+}
+
+get_pki_configuration_definitions()
+{
+ # Obtain the PKI Subsystem Type
+ line=`grep -e '^[ \t]*cs.type[ \t]*=' ${PKI_SUBSYSTEM_CONFIGURATION_FILE}`
+ pki_subsystem=`echo "${line}" | sed -e 's/^[^=]*=[ \t]*\(.*\)/\1/' -e 's/[ \t]*$//'`
+ if [ "${line}" != "" ] ; then
+ if [ "${pki_subsystem}" != "CA" ] &&
+ [ "${pki_subsystem}" != "KRA" ] &&
+ [ "${pki_subsystem}" != "OCSP" ] &&
+ [ "${pki_subsystem}" != "TKS" ] &&
+ [ "${pki_subsystem}" != "RA" ] &&
+ [ "${pki_subsystem}" != "TPS" ]
+ then
+ return ${default_error}
+ fi
+ if [ "${pki_subsystem}" == "KRA" ] ; then
+ # Rename "KRA" to "DRM"
+ pki_subsystem="DRM"
+ fi
+ else
+ return ${default_error}
+ fi
+
+ # If "${pki_subsystem}" is a CA, DRM, OCSP, or TKS,
+ # check to see if "${pki_subsystem}" is a "Clone"
+ pki_clone=""
+ if [ "${pki_subsystem}" == "CA" ] ||
+ [ "${pki_subsystem}" == "DRM" ] ||
+ [ "${pki_subsystem}" == "OCSP" ] ||
+ [ "${pki_subsystem}" == "TKS" ]
+ then
+ line=`grep -e '^[ \t]*subsystem.select[ \t]*=' ${PKI_SUBSYSTEM_CONFIGURATION_FILE}`
+ if [ "${line}" != "" ] ; then
+ pki_clone=`echo "${line}" | sed -e 's/^[^=]*[ \t]*=[ \t]*\(.*\)/\1/' -e 's/[ \t]*$//'`
+ if [ "${pki_clone}" != "Clone" ] ; then
+ # Reset "${pki_clone}" to be empty
+ pki_clone=""
+ fi
+ else
+ return ${default_error}
+ fi
+ fi
+
+ # If "${pki_subsystem}" is a CA, and is NOT a "Clone", check to
+ # see "${pki_subsystem}" is a "Root" or a "Subordinate" CA
+ pki_hierarchy=""
+ if [ "${pki_subsystem}" == "CA" ] &&
+ [ "${pki_clone}" != "Clone" ]
+ then
+ line=`grep -e '^[ \t]*hierarchy.select[ \t]*=' ${PKI_SUBSYSTEM_CONFIGURATION_FILE}`
+ if [ "${line}" != "" ] ; then
+ pki_hierarchy=`echo "${line}" | sed -e 's/^[^=]*[ \t]*=[ \t]*\(.*\)/\1/' -e 's/[ \t]*$//'`
+ else
+ return ${default_error}
+ fi
+ fi
+
+ # If ${pki_subsystem} is a CA, check to
+ # see if it is also a Security Domain
+ pki_security_domain=""
+ if [ "${pki_subsystem}" == "CA" ] ; then
+ line=`grep -e '^[ \t]*securitydomain.select[ \t]*=' ${PKI_SUBSYSTEM_CONFIGURATION_FILE}`
+ if [ "${line}" != "" ] ; then
+ pki_security_domain=`echo "${line}" | sed -e 's/^[^=]*[ \t]*=[ \t]*\(.*\)/\1/' -e 's/[ \t]*$//'`
+ if [ "${pki_security_domain}" == "new" ] ; then
+ # Set a fixed value for "${pki_security_domain}"
+ pki_security_domain="(Security Domain)"
+ else
+ # Reset "${pki_security_domain}" to be empty
+ pki_security_domain=""
+ fi
+ else
+ return ${default_error}
+ fi
+ fi
+
+ # Always obtain this PKI instance's "registered"
+ # security domain information
+ pki_security_domain_name=""
+ pki_security_domain_hostname=""
+ pki_security_domain_https_admin_port=""
+
+ line=`grep -e '^[ \t]*securitydomain.name[ \t]*=' ${PKI_SUBSYSTEM_CONFIGURATION_FILE}`
+ if [ "${line}" != "" ] ; then
+ pki_security_domain_name=`echo "${line}" | sed -e 's/^[^=]*[ \t]*=[ \t]*\(.*\)/\1/' -e 's/[ \t]*$//'`
+ else
+ return ${default_error}
+ fi
+
+ line=`grep -e '^[ \t]*securitydomain.host[ \t]*=' ${PKI_SUBSYSTEM_CONFIGURATION_FILE}`
+ if [ "${line}" != "" ] ; then
+ pki_security_domain_hostname=`echo "${line}" | sed -e 's/^[^=]*[ \t]*=[ \t]*\(.*\)/\1/' -e 's/[ \t]*$//'`
+ else
+ return ${default_error}
+ fi
+
+ line=`grep -e '^[ \t]*securitydomain.httpsadminport[ \t]*=' ${PKI_SUBSYSTEM_CONFIGURATION_FILE}`
+ if [ "${line}" != "" ] ; then
+ pki_security_domain_https_admin_port=`echo "${line}" | sed -e 's/^[^=]*[ \t]*=[ \t]*\(.*\)/\1/' -e 's/[ \t]*$//'`
+ else
+ return ${default_error}
+ fi
+
+ # Compose the "PKI Instance Name" Status Line
+ pki_instance_name="PKI Instance Name: ${PKI_INSTANCE_ID}"
+
+ # Compose the "PKI Subsystem Type" Status Line
+ header="PKI Subsystem Type: "
+ if [ "${pki_clone}" != "" ] ; then
+ if [ "${pki_security_domain}" != "" ]; then
+ # Possible Values:
+ #
+ # "CA Clone (Security Domain)"
+ #
+ data="${pki_subsystem} ${pki_clone} ${pki_security_domain}"
+ else
+ # Possible Values:
+ #
+ # "CA Clone"
+ # "DRM Clone"
+ # "OCSP Clone"
+ # "TKS Clone"
+ #
+ data="${pki_subsystem} ${pki_clone}"
+ fi
+ elif [ "${pki_hierarchy}" != "" ] ; then
+ if [ "${pki_security_domain}" != "" ]; then
+ # Possible Values:
+ #
+ # "Root CA (Security Domain)"
+ # "Subordinate CA (Security Domain)"
+ #
+ data="${pki_hierarchy} ${pki_subsystem} ${pki_security_domain}"
+ else
+ # Possible Values:
+ #
+ # "Root CA"
+ # "Subordinate CA"
+ #
+ data="${pki_hierarchy} ${pki_subsystem}"
+ fi
+ else
+ # Possible Values:
+ #
+ # "DRM"
+ # "OCSP"
+ # "RA"
+ # "TKS"
+ # "TPS"
+ #
+ data="${pki_subsystem}"
+ fi
+ pki_subsystem_type="${header} ${data}"
+
+ # Compose the "Registered PKI Security Domain Information" Status Line
+ header="Name: "
+ registered_pki_security_domain_name="${header} ${pki_security_domain_name}"
+
+ header="URL: "
+ if [ "${pki_security_domain_hostname}" != "" ] &&
+ [ "${pki_security_domain_https_admin_port}" != "" ]
+ then
+ data="https://${pki_security_domain_hostname}:${pki_security_domain_https_admin_port}"
+ else
+ return ${default_error}
+ fi
+ registered_pki_security_domain_url="${header} ${data}"
+
+ # Print the "PKI Subsystem Type" Status Line
+ echo
+ echo " ${pki_instance_name}"
+
+ # Print the "PKI Subsystem Type" Status Line
+ echo
+ echo " ${pki_subsystem_type}"
+
+ # Print the "Registered PKI Security Domain Information" Status Line
+ echo
+ echo " Registered PKI Security Domain Information:"
+ echo " =========================================================================="
+ echo " ${registered_pki_security_domain_name}"
+ echo " ${registered_pki_security_domain_url}"
+ echo " =========================================================================="
+
+ return 0
+}
+
+display_configuration_information()
+{
+ result=0
+ check_pki_configuration_status
+ rv=$?
+ if [ $rv -eq 0 ] ; then
+ get_pki_status_definitions
+ rv=$?
+ if [ $rv -ne 0 ] ; then
+ result=$rv
+ echo
+ echo "${PKI_INSTANCE_ID} Status Definitions not found"
+ else
+ get_pki_configuration_definitions
+ rv=$?
+ if [ $rv -ne 0 ] ; then
+ result=$rv
+ echo
+ echo "${PKI_INSTANCE_ID} Configuration Definitions not found"
+ fi
+ fi
+ fi
+ return $result
+}
+
+display_instance_status_systemd()
+{
+ echo -n "Status for ${PKI_INSTANCE_ID}: "
+ systemctl status "$PKI_SYSTEMD_TARGET@$PKI_INSTANCE_ID.service" > /dev/null 2>&1
+ rv=$?
+
+ if [ $rv -eq 0 ] ; then
+ echo "$PKI_INSTANCE_ID is running .."
+ display_configuration_information
+ else
+ echo "$PKI_INSTANCE_ID is stopped"
+ fi
+
+ return $rv
+}
+
+display_instance_status()
+{
+ # Verify there is an initscript for this instance
+ if [ ! -f $PKI_INSTANCE_INITSCRIPT ]; then
+ # 4 program or service status is unknown
+ return 4
+ fi
+
+ # Invoke the initscript for this instance
+ $PKI_INSTANCE_INITSCRIPT status
+ rv=$?
+
+ if [ $rv -eq 0 ] ; then
+ display_configuration_information
+ fi
+
+ return $rv
+}
+
+start_instance()
+{
+ rv=0
+
+ if [ -f ${RESTART_SERVER} ] ; then
+ rm -f ${RESTART_SERVER}
+ fi
+
+ # Invoke the initscript for this instance
+ case $PKI_WEB_SERVER_TYPE in
+ tomcat)
+
+ # We must export the service name so that the systemd version
+ # of the tomcat init script knows which instance specific
+ # configuration file to source.
+ export SERVICE_NAME=$PKI_INSTANCE_ID
+
+ if [ -x /usr/sbin/selinuxenabled ] && /usr/sbin/selinuxenabled; then
+ # HACKS:
+ # (1) MUST eventually replace hard-coded 'pki_ca_script_t'
+ # with programmatic replacement of either
+ # 'pki_tomcat_script_t' or 'pki_apache_script_t', AND
+ # (2) MUST currently be run with SELinux in 'Permissive' mode!
+ /usr/bin/runcon -t pki_ca_script_t \
+ $PKI_INSTANCE_INITSCRIPT start
+ rv=$?
+ else
+ $PKI_INSTANCE_INITSCRIPT start
+ rv=$?
+ fi
+ ;;
+ apache)
+ $PKI_INSTANCE_INITSCRIPT start
+ rv=$?
+ ;;
+ esac
+
+ if [ $rv -ne 0 ] ; then
+ return $rv
+ fi
+
+ # On Tomcat subsystems, make certain that the service has started
+ case $PKI_WEB_SERVER_TYPE in
+ tomcat)
+ count=0
+ tries=30
+ port=${PKI_UNSECURE_PORT}
+ while [ $count -lt $tries ]
+ do
+ netstat -antl | grep ${port} > /dev/null
+ netrv=$?
+ if [ $netrv -eq 0 ] ; then
+ break;
+ fi
+ sleep 1
+ let count=$count+1;
+ done
+ if [ $netrv -ne 0 ] ; then
+ return 1
+ fi
+ ;;
+ esac
+
+ if [ $rv -eq 0 ] ; then
+ # From the PKI point of view a returned error code of 6 implies
+ # that the program is not "configured". An error code of 1 implies
+ # that the program was "configured" but must still be restarted.
+ #
+ # If the return code is 6 return this value unchanged to the
+ # calling routine so that the total number of configuration errors
+ # may be counted. Other return codes are ignored.
+ #
+ check_pki_configuration_status
+ rv=$?
+ if [ $rv -eq 6 ]; then
+ # 6 program is not configured
+ return 6
+ else
+ # 0 success
+
+ # Tomcat instances automatically place pid files under
+ # '/var/run' and lock files under '/var/lock/subsys'.
+ #
+ # However, since PKI subsystem instances can have any name,
+ # in order to identify the PKI subsystem type of a particular
+ # PKI instance, we create a separate "pki subsystem identity"
+ # symlink to the PKI instance pid file and place it under
+ # '/var/run/pki/<pki subsystem>', and a separate
+ # "pki subsystem identity" symlink to the PKI instance
+ # lock file and place it under '/var/lock/pki/<pki subsystem>'.
+ #
+ case $PKI_WEB_SERVER_TYPE in
+ tomcat)
+ if [ -h ${PKI_PIDFILE} ]; then
+ rm -f ${PKI_PIDFILE}
+ fi
+ if [ -f ${TOMCAT_PIDFILE} ]; then
+ ln -s ${TOMCAT_PIDFILE} ${PKI_PIDFILE}
+ chown -h ${TOMCAT_USER}:${TOMCAT_GROUP} ${PKI_PIDFILE}
+ fi
+ if [ -h ${PKI_LOCKFILE} ]; then
+ rm -f ${PKI_LOCKFILE}
+ fi
+ if [ -f ${TOMCAT_LOCKFILE} ]; then
+ ln -s ${TOMCAT_LOCKFILE} ${PKI_LOCKFILE}
+ fi
+ ;;
+ esac
+
+ return 0
+ fi
+ fi
+ return $rv
+}
+
+stop_instance()
+{
+ rv=0
+
+ export SERVICE_NAME=$PKI_INSTANCE_ID
+ # Invoke the initscript for this instance
+ $PKI_INSTANCE_INITSCRIPT stop
+ rv=$?
+
+ # On Tomcat subsystems, always remove the "pki subsystem identity" symlinks
+ # that were previously associated with the Tomcat 'pid' and 'lock' files.
+ case $PKI_WEB_SERVER_TYPE in
+ tomcat)
+ if [ -h ${PKI_PIDFILE} ]; then
+ rm -f ${PKI_PIDFILE}
+ fi
+ if [ -h ${PKI_LOCKFILE} ]; then
+ rm -f ${PKI_LOCKFILE}
+ fi
+ ;;
+ esac
+
+ return $rv
+}
+
+start()
+{
+ error_rv=0
+ rv=0
+ config_errors=0
+ errors=0
+
+ if [ ${TOTAL_PKI_REGISTRY_ENTRIES} -eq 0 ]; then
+ echo
+ echo "ERROR: No '${PKI_TYPE}' instances installed!"
+ # 5 program is not installed
+ return 5
+ fi
+
+ if [ ${TOTAL_PKI_REGISTRY_ENTRIES} -gt 1 ]; then
+ echo "BEGIN STARTING '${PKI_TYPE}' INSTANCES:"
+ fi
+
+ # Start every PKI instance of this type that isn't already running
+ for PKI_REGISTRY_ENTRY in ${PKI_REGISTRY_ENTRIES}; do
+ # Source values associated with this particular PKI instance
+ [ -f ${PKI_REGISTRY_ENTRY} ] &&
+ . ${PKI_REGISTRY_ENTRY}
+
+ [ ${TOTAL_PKI_REGISTRY_ENTRIES} -gt 1 ] && echo
+
+ start_instance
+ rv=$?
+ if [ $rv = 6 ] ; then
+ # Since at least ONE configuration error exists, then there
+ # is at least ONE unconfigured instance from the PKI point
+ # of view.
+ #
+ # However, it must still be considered that the
+ # instance is "running" from the point of view of other
+ # OS programs such as 'chkconfig'.
+ #
+ # Therefore, ignore non-zero return codes resulting
+ # from configuration errors.
+ #
+
+ config_errors=`expr $config_errors + 1`
+ rv=0
+ elif [ $rv != 0 ] ; then
+ errors=`expr $errors + 1`
+ error_rv=$rv
+ fi
+ done
+
+ if [ ${TOTAL_PKI_REGISTRY_ENTRIES} -gt ${errors} ] ; then
+ touch ${lockfile}
+ chmod 00600 ${lockfile}
+ fi
+
+ # ONLY print a "WARNING" message if multiple
+ # instances are being examined
+ if [ ${TOTAL_PKI_REGISTRY_ENTRIES} -gt 1 ] ; then
+ # NOTE: "bad" return code(s) OVERRIDE configuration errors!
+ if [ ${errors} -eq 1 ]; then
+ # Since only ONE error exists, return that "bad" error code.
+ rv=${error_rv}
+ elif [ ${errors} -gt 1 ]; then
+ # Since MORE than ONE error exists, return an OVERALL status
+ # of "1 generic or unspecified error (current practice)"
+ rv=1
+ fi
+
+ if [ ${errors} -ge 1 ]; then
+ echo
+ echo -n "WARNING: "
+ echo -n "${errors} of ${TOTAL_PKI_REGISTRY_ENTRIES} "
+ echo -n "'${PKI_TYPE}' instances failed to start!"
+ echo
+ fi
+
+ if [ ${TOTAL_UNCONFIGURED_PKI_ENTRIES} -ge 1 ]; then
+ echo
+ echo -n "WARNING: "
+ echo -n "${TOTAL_UNCONFIGURED_PKI_ENTRIES} "
+ echo -n "of ${TOTAL_PKI_REGISTRY_ENTRIES} "
+ echo -n "'${PKI_TYPE}' instances MUST be configured!"
+ echo
+ fi
+
+ echo
+ echo "FINISHED STARTING '${PKI_TYPE}' INSTANCE(S)."
+ fi
+
+ return $rv
+}
+
+stop()
+{
+ error_rv=0
+ rv=0
+ errors=0
+
+ if [ ${TOTAL_PKI_REGISTRY_ENTRIES} -eq 0 ]; then
+ echo
+ echo "ERROR: No '${PKI_TYPE}' instances installed!"
+ # 5 program is not installed
+ return 5
+ fi
+
+ if [ ${TOTAL_PKI_REGISTRY_ENTRIES} -gt 1 ] ; then
+ echo "BEGIN SHUTTING DOWN '${PKI_TYPE}' INSTANCE(S):"
+ fi
+
+ # Shutdown every PKI instance of this type that is running
+ for PKI_REGISTRY_ENTRY in ${PKI_REGISTRY_ENTRIES}; do
+ # Source values associated with this particular PKI instance
+ [ -f ${PKI_REGISTRY_ENTRY} ] &&
+ . ${PKI_REGISTRY_ENTRY}
+
+ [ ${TOTAL_PKI_REGISTRY_ENTRIES} -gt 1 ] && echo
+
+ stop_instance
+ rv=$?
+ if [ $rv != 0 ] ; then
+ errors=`expr $errors + 1`
+ error_rv=$rv
+ fi
+ done
+
+ if [ ${errors} -eq 0 ] ; then
+ rm -f ${lockfile}
+ fi
+
+ # ONLY print a "WARNING" message if multiple
+ # instances are being examined
+ if [ ${TOTAL_PKI_REGISTRY_ENTRIES} -gt 1 ] ; then
+ if [ ${errors} -eq 1 ]; then
+ # Since only ONE error exists, return that "bad" error code.
+ rv=${error_rv}
+ elif [ ${errors} -gt 1 ]; then
+ # Since MORE than ONE error exists, return an OVERALL status
+ # of "1 generic or unspecified error (current practice)"
+ rv=1
+ fi
+
+ if [ ${errors} -ge 1 ]; then
+ echo
+ echo -n "WARNING: "
+ echo -n "${errors} of ${TOTAL_PKI_REGISTRY_ENTRIES} "
+ echo -n "'${PKI_TYPE}' instances were "
+ echo -n "unsuccessfully stopped!"
+ echo
+ fi
+
+ echo
+ echo "FINISHED SHUTTING DOWN '${PKI_TYPE}' INSTANCE(S)."
+ fi
+
+ return $rv
+}
+
+restart()
+{
+ stop
+ sleep 2
+ start
+
+ return $?
+}
+
+registry_status()
+{
+ error_rv=0
+ rv=0
+ errors=0
+
+ if [ ${TOTAL_PKI_REGISTRY_ENTRIES} -eq 0 ]; then
+ echo
+ echo "ERROR: No '${PKI_TYPE}' instances installed!"
+ # 4 program or service status is unknown
+ return 4
+ fi
+
+ if [ ${TOTAL_PKI_REGISTRY_ENTRIES} -gt 1 ] ; then
+ echo "REPORT STATUS OF '${PKI_TYPE}' INSTANCE(S):"
+ fi
+
+ # Obtain status of every PKI instance of this type
+ for PKI_REGISTRY_ENTRY in ${PKI_REGISTRY_ENTRIES}; do
+ # Source values associated with this particular PKI instance
+ [ -f ${PKI_REGISTRY_ENTRY} ] &&
+ . ${PKI_REGISTRY_ENTRY}
+
+ [ ${TOTAL_PKI_REGISTRY_ENTRIES} -gt 1 ] && echo
+
+ case $PKI_WEB_SERVER_TYPE in
+ tomcat)
+ if [ $SYSTEMD ]; then
+ display_instance_status_systemd
+ else
+ display_instance_status
+ fi
+ rv=$?
+ ;;
+ apache)
+ display_instance_status
+ rv=$?
+ ;;
+ esac
+ if [ $rv -ne 0 ] ; then
+ errors=`expr $errors + 1`
+ error_rv=$rv
+ fi
+ done
+
+ # ONLY print a "WARNING" message if multiple
+ # instances are being examined
+ if [ ${TOTAL_PKI_REGISTRY_ENTRIES} -gt 1 ] ; then
+ if [ ${errors} -eq 1 ]; then
+ # Since only ONE error exists, return that "bad" error code.
+ rv=${error_rv}
+ elif [ ${errors} -gt 1 ]; then
+ # Since MORE than ONE error exists, return an OVERALL status
+ # of "4 - program or service status is unknown"
+ rv=4
+ fi
+
+ if [ ${errors} -ge 1 ]; then
+ echo
+ echo -n "WARNING: "
+ echo -n "${errors} of ${TOTAL_PKI_REGISTRY_ENTRIES} "
+ echo -n "'${PKI_TYPE}' instances reported status failures!"
+ echo
+ fi
+
+ if [ ${TOTAL_UNCONFIGURED_PKI_ENTRIES} -ge 1 ]; then
+ echo
+ echo -n "WARNING: "
+ echo -n "${TOTAL_UNCONFIGURED_PKI_ENTRIES} "
+ echo -n "of ${TOTAL_PKI_REGISTRY_ENTRIES} "
+ echo -n "'${PKI_TYPE}' instances MUST be configured!"
+ echo
+ fi
+
+ echo
+ echo "FINISHED REPORTING STATUS OF '${PKI_TYPE}' INSTANCE(S)."
+ fi
+
+ return $rv
+}
+
diff --git a/base/deploy/scripts/pkidaemon b/base/deploy/scripts/pkidaemon
new file mode 100755
index 000000000..7be30c9d3
--- /dev/null
+++ b/base/deploy/scripts/pkidaemon
@@ -0,0 +1,74 @@
+#!/bin/bash
+#
+# --- BEGIN COPYRIGHT BLOCK ---
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; version 2 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License along
+# with this program; if not, write to the Free Software Foundation, Inc.,
+# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# Copyright (C) 2012 Red Hat, Inc.
+# All rights reserved.
+# --- END COPYRIGHT BLOCK ---
+#
+
+PROG_NAME=`basename $0`
+SERVICE_NAME="pkidaemon"
+SERVICE_PROG="/bin/systemctl"
+
+command="$1"
+pki_instance_type="$2"
+pki_instance_id="$3"
+
+PKI_REGISTRY="/etc/sysconfig/pki/${pki_instance_type}"
+PKI_TYPE="${pki_instance_type}"
+PKI_SYSTEMD_TARGET="pki-${pki_instance_type}d"
+SYSTEMD=1
+
+# Source the PKI function library
+. /usr/share/pki/scripts/operations
+
+# See how we were called.
+case $command in
+ status)
+ # registry_status
+ echo "The 'status' action is TBD."
+ exit $?
+ ;;
+ start)
+ start
+ exit $?
+ ;;
+ restart)
+ restart
+ exit $?
+ ;;
+ stop)
+ stop
+ exit $?
+ ;;
+ condrestart|force-restart|try-restart)
+ [ ! -f ${lockfile} ] || restart
+ echo "The '${command}' action is TBD."
+ exit $?
+ ;;
+ reload)
+ echo "The 'reload' action is an unimplemented feature."
+ exit ${default_error}
+ ;;
+ *)
+ echo "unknown action ($command)"
+ usage
+ echo "where valid instance names include:"
+ list_instances
+ exit ${default_error}
+ ;;
+esac
+
diff --git a/base/deploy/src/pkidestroy b/base/deploy/src/pkidestroy
index 2d0b5d285..6a2db56b8 100755
--- a/base/deploy/src/pkidestroy
+++ b/base/deploy/src/pkidestroy
@@ -125,21 +125,21 @@ def main(argv):
extra=config.PKI_INDENTATION_LEVEL_0)
# Override PKI configuration file values with 'custom' command-line values.
- if not config.pki_admin_domain_name is None:
+ if not config.custom_pki_admin_domain_name is None:
config.pki_common_dict['pki_admin_domain_name'] =\
- config.pki_admin_domain_name
- if not config.pki_instance_name is None:
- config.pki_common_dict['pki_instance_name'] =\
- config.pki_instance_name
- if not config.pki_http_port is None:
+ config.custom_pki_admin_domain_name
+ if not config.custom_pki_instance_name is None:
+ config.pki_web_server_dict['pki_instance_name'] =\
+ config.custom_pki_instance_name
+ if not config.custom_pki_http_port is None:
config.pki_web_server_dict['pki_http_port'] =\
- config.pki_http_port
- if not config.pki_https_port is None:
+ config.custom_pki_http_port
+ if not config.custom_pki_https_port is None:
config.pki_web_server_dict['pki_https_port'] =\
- config.pki_https_port
- if not config.pki_ajp_port is None:
+ config.custom_pki_https_port
+ if not config.custom_pki_ajp_port is None:
config.pki_web_server_dict['pki_ajp_port'] =\
- config.pki_ajp_port
+ config.custom_pki_ajp_port
config.pki_log.debug(log.PKI_DICTIONARY_COMMON,
extra=config.PKI_INDENTATION_LEVEL_0)
config.pki_log.debug(pp.pformat(config.pki_common_dict),
diff --git a/base/deploy/src/pkispawn b/base/deploy/src/pkispawn
index d665f3c9f..66152a334 100755
--- a/base/deploy/src/pkispawn
+++ b/base/deploy/src/pkispawn
@@ -154,21 +154,21 @@ def main(argv):
extra=config.PKI_INDENTATION_LEVEL_0)
# Override PKI configuration file values with 'custom' command-line values.
- if not config.pki_admin_domain_name is None:
+ if not config.custom_pki_admin_domain_name is None:
config.pki_common_dict['pki_admin_domain_name'] =\
- config.pki_admin_domain_name
- if not config.pki_instance_name is None:
- config.pki_common_dict['pki_instance_name'] =\
- config.pki_instance_name
- if not config.pki_http_port is None:
+ config.custom_pki_admin_domain_name
+ if not config.custom_pki_instance_name is None:
+ config.pki_web_server_dict['pki_instance_name'] =\
+ config.custom_pki_instance_name
+ if not config.custom_pki_http_port is None:
config.pki_web_server_dict['pki_http_port'] =\
- config.pki_http_port
- if not config.pki_https_port is None:
+ config.custom_pki_http_port
+ if not config.custom_pki_https_port is None:
config.pki_web_server_dict['pki_https_port'] =\
- config.pki_https_port
- if not config.pki_ajp_port is None:
+ config.custom_pki_https_port
+ if not config.custom_pki_ajp_port is None:
config.pki_web_server_dict['pki_ajp_port'] =\
- config.pki_ajp_port
+ config.custom_pki_ajp_port
config.pki_log.debug(log.PKI_DICTIONARY_COMMON,
extra=config.PKI_INDENTATION_LEVEL_0)
config.pki_log.debug(pp.pformat(config.pki_common_dict),
diff --git a/base/deploy/src/scriptlets/configuration.py b/base/deploy/src/scriptlets/configuration.py
index 1155e9002..f40573940 100644
--- a/base/deploy/src/scriptlets/configuration.py
+++ b/base/deploy/src/scriptlets/configuration.py
@@ -47,6 +47,9 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
master['pki_client_key_database'],
master['pki_client_secmod_database'],
password_file=master['pki_client_password_conf'])
+ util.symlink.create(
+ config.pki_master_dict['pki_systemd_service'],
+ config.pki_master_dict['pki_systemd_service_link'])
else:
util.password.create_password_conf(
master['pki_client_password_conf'],
@@ -71,17 +74,25 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
extra=config.PKI_INDENTATION_LEVEL_1)
if not config.pki_dry_run_flag:
if master['pki_subsystem'] in config.PKI_APACHE_SUBSYSTEMS and\
- util.instance.apache_instances() == 0:
+ util.instance.apache_instances() == 1:
util.directory.delete(master['pki_client_path'])
+ util.symlink.delete(
+ config.pki_master_dict['pki_systemd_service_link'])
elif master['pki_subsystem'] in config.PKI_TOMCAT_SUBSYSTEMS and\
- util.instance.tomcat_instances() == 0:
+ util.instance.tomcat_instances() == 1:
util.directory.delete(master['pki_client_path'])
+ util.symlink.delete(
+ config.pki_master_dict['pki_systemd_service_link'])
else:
# ALWAYS display correct information (even during dry_run)
if master['pki_subsystem'] in config.PKI_APACHE_SUBSYSTEMS and\
- util.instance.apache_instances() == 1:
+ util.instance.apache_instances() == 0:
util.directory.delete(master['pki_client_path'])
+ util.symlink.delete(
+ config.pki_master_dict['pki_systemd_service_link'])
elif master['pki_subsystem'] in config.PKI_TOMCAT_SUBSYSTEMS and\
- util.instance.tomcat_instances() == 1:
+ util.instance.tomcat_instances() == 0:
util.directory.delete(master['pki_client_path'])
+ util.symlink.delete(
+ config.pki_master_dict['pki_systemd_service_link'])
return self.rv
diff --git a/base/deploy/src/scriptlets/finalization.py b/base/deploy/src/scriptlets/finalization.py
index acf51391a..02c5065cb 100644
--- a/base/deploy/src/scriptlets/finalization.py
+++ b/base/deploy/src/scriptlets/finalization.py
@@ -41,10 +41,7 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
master['pki_subsystem_registry_path'] +\
"/" + config.PKI_DEPLOYMENT_DEFAULT_CONFIGURATION_FILE)
# Save a timestamped copy of the installation manifest file
- filename = master['pki_root_prefix'] +\
- config.PKI_DEPLOYMENT_REGISTRY_ROOT + "/" +\
- master['pki_instance_id'] + "/" +\
- master['pki_subsystem'].lower() +"/" +\
+ filename = master['pki_subsystem_registry_path'] + "/" +\
"spawn" + "_" + "manifest" + "." +\
master['pki_timestamp'] + "." + "csv"
config.pki_log.info(log.PKI_MANIFEST_MESSAGE_1, filename,
@@ -74,10 +71,7 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
"/" + config.PKI_DEPLOYMENT_DEFAULT_CONFIGURATION_FILE,
overwrite_flag=True)
# Save a timestamped copy of the updated manifest file
- filename = master['pki_root_prefix'] +\
- config.PKI_DEPLOYMENT_REGISTRY_ROOT + "/" +\
- master['pki_instance_id'] + "/" +\
- master['pki_subsystem'].lower() +"/" +\
+ filename = master['pki_subsystem_registry_path'] + "/" +\
"respawn" + "_" + "manifest" + "." +\
master['pki_timestamp'] + "." + "csv"
config.pki_log.info(log.PKI_MANIFEST_MESSAGE_1, filename,
diff --git a/base/deploy/src/scriptlets/infrastructure_layout.py b/base/deploy/src/scriptlets/infrastructure_layout.py
index fd94de512..471739700 100644
--- a/base/deploy/src/scriptlets/infrastructure_layout.py
+++ b/base/deploy/src/scriptlets/infrastructure_layout.py
@@ -80,7 +80,8 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
# remove top-level infrastructure registry
util.directory.delete(master['pki_registry_path'])
if master['pki_subsystem'] in config.PKI_TOMCAT_SUBSYSTEMS:
- util.file.delete(master['pki_target_tomcat_conf'])
+ util.file.delete(
+ master['pki_target_tomcat_conf_instance_id'])
else:
# ALWAYS display correct information (even during dry_run)
@@ -98,5 +99,6 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
# remove top-level infrastructure registry
util.directory.delete(master['pki_registry_path'])
if master['pki_subsystem'] in config.PKI_TOMCAT_SUBSYSTEMS:
- util.file.delete(master['pki_target_tomcat_conf'])
+ util.file.delete(
+ master['pki_target_tomcat_conf_instance_id'])
return self.rv
diff --git a/base/deploy/src/scriptlets/instance_layout.py b/base/deploy/src/scriptlets/instance_layout.py
index 60e94d1a1..8a645f029 100644
--- a/base/deploy/src/scriptlets/instance_layout.py
+++ b/base/deploy/src/scriptlets/instance_layout.py
@@ -41,6 +41,7 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
# establish instance configuration
util.directory.create(master['pki_instance_configuration_path'])
# establish instance registry
+ util.directory.create(master['pki_instance_type_registry_path'])
util.directory.create(master['pki_instance_registry_path'])
# establish Apache/Tomcat specific instance
if master['pki_subsystem'] in config.PKI_TOMCAT_SUBSYSTEMS:
@@ -59,6 +60,9 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
util.directory.create(master['pki_tomcat_webapps_webinf_lib_path'])
# establish Tomcat instance logs
# establish Tomcat instance configuration
+ util.directory.copy(master['pki_source_shared_path'],
+ master['pki_instance_configuration_path'],
+ overwrite_flag=True)
# establish Tomcat instance registry
# establish Tomcat instance convenience
# symbolic links
@@ -89,6 +93,7 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
# update instance configuration
util.directory.modify(master['pki_instance_configuration_path'])
# update instance registry
+ util.directory.modify(master['pki_instance_type_registry_path'])
util.directory.modify(master['pki_instance_registry_path'])
# update Apache/Tomcat specific instance
if master['pki_subsystem'] in config.PKI_TOMCAT_SUBSYSTEMS:
@@ -116,6 +121,9 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
# update instance convenience symbolic links
util.symlink.modify(master['pki_instance_database_link'])
util.symlink.modify(master['pki_instance_conf_link'])
+ util.directory.copy(master['pki_source_shared_path'],
+ master['pki_instance_configuration_path'],
+ overwrite_flag=True)
util.symlink.modify(master['pki_instance_logs_link'])
return self.rv
@@ -133,6 +141,7 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
# remove Apache instance configuration
util.directory.delete(master['pki_instance_configuration_path'])
# remove Apache instance registry
+ util.directory.delete(master['pki_instance_type_registry_path'])
elif master['pki_subsystem'] in config.PKI_TOMCAT_SUBSYSTEMS and\
util.instance.tomcat_instances() == 0:
# remove Tomcat instance base
@@ -143,6 +152,7 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
# remove Tomcat instance configuration
util.directory.delete(master['pki_instance_configuration_path'])
# remove Tomcat instance registry
+ util.directory.delete(master['pki_instance_type_registry_path'])
else:
# ALWAYS display correct information (even during dry_run)
if master['pki_subsystem'] in config.PKI_APACHE_SUBSYSTEMS and\
@@ -155,6 +165,7 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
# remove Apache instance configuration
util.directory.delete(master['pki_instance_configuration_path'])
# remove Apache instance registry
+ util.directory.delete(master['pki_instance_type_registry_path'])
elif master['pki_subsystem'] in config.PKI_TOMCAT_SUBSYSTEMS and\
util.instance.tomcat_instances() == 1:
# remove Tomcat instance base
@@ -165,4 +176,5 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
# remove Tomcat instance configuration
util.directory.delete(master['pki_instance_configuration_path'])
# remove Tomcat instance registry
+ util.directory.delete(master['pki_instance_type_registry_path'])
return self.rv
diff --git a/base/deploy/src/scriptlets/pkiconfig.py b/base/deploy/src/scriptlets/pkiconfig.py
index 76d54ad15..2acd37d36 100644
--- a/base/deploy/src/scriptlets/pkiconfig.py
+++ b/base/deploy/src/scriptlets/pkiconfig.py
@@ -40,6 +40,8 @@ PKI_INDENTATION_LEVEL_3 = {'indent' : '........... '}
PKI_INDENTATION_LEVEL_4 = {'indent' : '............... '}
PKI_DEPLOYMENT_SOURCE_ROOT = "/usr/share/pki"
+PKI_DEPLOYMENT_SYSTEMD_ROOT = "/lib/systemd/system"
+PKI_DEPLOYMENT_SYSTEMD_CONFIGURATION_ROOT = "/etc/systemd/system"
PKI_DEPLOYMENT_TOMCAT_ROOT = "/usr/share/tomcat"
PKI_DEPLOYMENT_TOMCAT_SYSTEMD = "/usr/sbin/tomcat-sysd"
PKI_DEPLOYMENT_BASE_ROOT = "/var/lib/pki"
@@ -92,11 +94,11 @@ pki_root_prefix = None
pki_update_flag = False
# PKI Deployment "Custom" Command-Line Variables
-pki_admin_domain_name = None
-pki_instance_name = None
-pki_http_port = None
-pki_https_port = None
-pki_ajp_port = None
+custom_pki_admin_domain_name = None
+custom_pki_instance_name = None
+custom_pki_http_port = None
+custom_pki_https_port = None
+custom_pki_ajp_port = None
# PKI Deployment Logger Variables
diff --git a/base/deploy/src/scriptlets/pkiparser.py b/base/deploy/src/scriptlets/pkiparser.py
index a9a53dd76..0add192f7 100644
--- a/base/deploy/src/scriptlets/pkiparser.py
+++ b/base/deploy/src/scriptlets/pkiparser.py
@@ -79,23 +79,23 @@ def process_command_line_arguments(argv):
custom = parser.add_argument_group('custom arguments '
'(OVERRIDES configuration file values)')
custom.add_argument('-d',
- dest='pki_admin_domain_name', action='store',
+ dest='custom_pki_admin_domain_name', action='store',
nargs=1, metavar='<admin_domain>',
help='PKI admin domain name (instance name prefix)')
custom.add_argument('-i',
- dest='pki_instance_name', action='store',
+ dest='custom_pki_instance_name', action='store',
nargs=1, metavar='<instance>',
help='PKI instance name (MUST specify REQUIRED ports)')
custom.add_argument('--http_port',
- dest='pki_http_port', action='store',
+ dest='custom_pki_http_port', action='store',
nargs=1, metavar='<port>',
help='HTTP port (CA, KRA, OCSP, RA, TKS, TPS)')
custom.add_argument('--https_port',
- dest='pki_https_port', action='store',
+ dest='custom_pki_https_port', action='store',
nargs=1, metavar='<port>',
help='HTTPS port (CA, KRA, OCSP, RA, TKS, TPS)')
custom.add_argument('--ajp_port',
- dest='pki_ajp_port', action='store',
+ dest='custom_pki_ajp_port', action='store',
nargs=1, metavar='<port>',
help='AJP port (CA, KRA, OCSP, TKS)')
args = parser.parse_args()
@@ -141,19 +141,22 @@ def process_command_line_arguments(argv):
config.pki_jython_log_level = config.PKI_JYTHON_WARNING_LOG_LEVEL
config.pki_console_log_level = logging.WARNING
config.pki_log_level = logging.INFO
- if not args.pki_admin_domain_name is None:
- config.pki_admin_domain_name =\
- str(args.pki_admin_domain_name).strip('[\']')
- if not args.pki_instance_name is None:
- config.pki_instance_name =\
- str(args.pki_instance_name).strip('[\']')
- if not args.pki_http_port is None:
- config.pki_http_port = str(args.pki_http_port).strip('[\']')
- if not args.pki_https_port is None:
- config.pki_https_port = str(args.pki_https_port).strip('[\']')
- if not args.pki_ajp_port is None:
+ if not args.custom_pki_admin_domain_name is None:
+ config.custom_pki_admin_domain_name =\
+ str(args.custom_pki_admin_domain_name).strip('[\']')
+ if not args.custom_pki_instance_name is None:
+ config.custom_pki_instance_name =\
+ str(args.custom_pki_instance_name).strip('[\']')
+ if not args.custom_pki_http_port is None:
+ config.custom_pki_http_port =\
+ str(args.custom_pki_http_port).strip('[\']')
+ if not args.custom_pki_https_port is None:
+ config.custom_pki_https_port =\
+ str(args.custom_pki_https_port).strip('[\']')
+ if not args.custom_pki_ajp_port is None:
if config.pki_subsystem in config.PKI_TOMCAT_SUBSYSTEMS:
- config.pki_ajp_port = str(args.pki_ajp_port).strip('[\']')
+ config.custom_pki_ajp_port =\
+ str(args.custom_pki_ajp_port).strip('[\']')
else:
print "ERROR: " +\
log.PKI_CUSTOM_TOMCAT_AJP_PORT_1 %\
@@ -161,24 +164,24 @@ def process_command_line_arguments(argv):
print
parser.print_help()
parser.exit(-1);
- if not args.pki_instance_name is None or\
- not args.pki_http_port is None or\
- not args.pki_https_port is None or\
- not args.pki_ajp_port is None:
+ if not args.custom_pki_instance_name is None or\
+ not args.custom_pki_http_port is None or\
+ not args.custom_pki_https_port is None or\
+ not args.custom_pki_ajp_port is None:
if config.pki_subsystem in config.PKI_APACHE_SUBSYSTEMS:
- if args.pki_instance_name is None or\
- args.pki_http_port is None or\
- args.pki_https_port is None:
+ if args.custom_pki_instance_name is None or\
+ args.custom_pki_http_port is None or\
+ args.custom_pki_https_port is None:
print "ERROR: " + log.PKI_CUSTOM_APACHE_INSTANCE_1 %\
config.pki_subsystem
print
parser.print_help()
parser.exit(-1);
elif config.pki_subsystem in config.PKI_TOMCAT_SUBSYSTEMS:
- if args.pki_instance_name is None or\
- args.pki_http_port is None or\
- args.pki_https_port is None or\
- args.pki_ajp_port is None:
+ if args.custom_pki_instance_name is None or\
+ args.custom_pki_http_port is None or\
+ args.custom_pki_https_port is None or\
+ args.custom_pki_ajp_port is None:
print "ERROR: " + log.PKI_CUSTOM_TOMCAT_INSTANCE_1 %\
config.pki_subsystem
print
@@ -191,16 +194,51 @@ def process_command_line_arguments(argv):
# explicitly specified if it does not use the default location
# and/or default configuration file name.
if config.pki_subsystem in config.PKI_APACHE_SUBSYSTEMS:
- default_pki_instance_name =\
- config.PKI_DEPLOYMENT_DEFAULT_APACHE_INSTANCE_NAME
+ if not config.custom_pki_instance_name is None:
+ default_pki_instance_name = config.custom_pki_instance_name
+ else:
+ default_pki_instance_name =\
+ config.PKI_DEPLOYMENT_DEFAULT_APACHE_INSTANCE_NAME
+ if not config.custom_pki_admin_domain_name is None:
+ config.pkideployment_cfg =\
+ config.pki_root_prefix +\
+ config.PKI_DEPLOYMENT_REGISTRY_ROOT + "/" +\
+ config.PKI_DEPLOYMENT_DEFAULT_APACHE_INSTANCE_NAME + "/" +\
+ config.custom_pki_admin_domain_name + "-" +\
+ default_pki_instance_name +"/" +\
+ config.pki_subsystem.lower() +"/" +\
+ config.PKI_DEPLOYMENT_DEFAULT_CONFIGURATION_FILE
+ else:
+ config.pkideployment_cfg =\
+ config.pki_root_prefix +\
+ config.PKI_DEPLOYMENT_REGISTRY_ROOT + "/" +\
+ config.PKI_DEPLOYMENT_DEFAULT_APACHE_INSTANCE_NAME + "/" +\
+ default_pki_instance_name +"/" +\
+ config.pki_subsystem.lower() +"/" +\
+ config.PKI_DEPLOYMENT_DEFAULT_CONFIGURATION_FILE
elif config.pki_subsystem in config.PKI_TOMCAT_SUBSYSTEMS:
- default_pki_instance_name =\
- config.PKI_DEPLOYMENT_DEFAULT_TOMCAT_INSTANCE_NAME
- config.pkideployment_cfg = config.pki_root_prefix +\
- config.PKI_DEPLOYMENT_REGISTRY_ROOT + "/" +\
- default_pki_instance_name +"/" +\
- config.pki_subsystem.lower() +"/" +\
- config.PKI_DEPLOYMENT_DEFAULT_CONFIGURATION_FILE
+ if not config.custom_pki_instance_name is None:
+ default_pki_instance_name = config.custom_pki_instance_name
+ else:
+ default_pki_instance_name =\
+ config.PKI_DEPLOYMENT_DEFAULT_TOMCAT_INSTANCE_NAME
+ if not config.custom_pki_admin_domain_name is None:
+ config.pkideployment_cfg =\
+ config.pki_root_prefix +\
+ config.PKI_DEPLOYMENT_REGISTRY_ROOT + "/" +\
+ config.PKI_DEPLOYMENT_DEFAULT_TOMCAT_INSTANCE_NAME + "/" +\
+ config.custom_pki_admin_domain_name + "-" +\
+ default_pki_instance_name +"/" +\
+ config.pki_subsystem.lower() +"/" +\
+ config.PKI_DEPLOYMENT_DEFAULT_CONFIGURATION_FILE
+ else:
+ config.pkideployment_cfg =\
+ config.pki_root_prefix +\
+ config.PKI_DEPLOYMENT_REGISTRY_ROOT + "/" +\
+ config.PKI_DEPLOYMENT_DEFAULT_TOMCAT_INSTANCE_NAME + "/" +\
+ default_pki_instance_name +"/" +\
+ config.pki_subsystem.lower() +"/" +\
+ config.PKI_DEPLOYMENT_DEFAULT_CONFIGURATION_FILE
if not os.path.exists(config.pkideployment_cfg) or\
not os.path.isfile(config.pkideployment_cfg):
print "ERROR: " +\
@@ -334,16 +372,47 @@ def compose_pki_master_dictionary():
"conf")
config.pki_master_dict['pki_source_setup_path'] =\
os.path.join(config.PKI_DEPLOYMENT_SOURCE_ROOT,
- config.pki_master_dict['pki_subsystem'].lower(),
"setup")
+ config.pki_master_dict['pki_source_shared_path'] =\
+ os.path.join(config.PKI_DEPLOYMENT_SOURCE_ROOT,
+ "shared",
+ "conf")
config.pki_master_dict['pki_source_cs_cfg'] =\
os.path.join(config.pki_master_dict['pki_source_conf_path'],
"CS.cfg")
config.pki_master_dict['pki_source_registry'] =\
os.path.join(config.pki_master_dict['pki_source_setup_path'],
- "registry_instance")
+ "pkidaemon_registry")
if config.pki_master_dict['pki_subsystem'] in\
- config.PKI_TOMCAT_SUBSYSTEMS:
+ config.PKI_APACHE_SUBSYSTEMS:
+ config.pki_master_dict['pki_systemd_service'] =\
+ config.PKI_DEPLOYMENT_SYSTEMD_ROOT + "/" +\
+ "pki-apached" + "@" + ".service"
+ config.pki_master_dict['pki_systemd_target'] =\
+ config.PKI_DEPLOYMENT_SYSTEMD_ROOT + "/" +\
+ "pki-apached.target"
+ config.pki_master_dict['pki_systemd_target_wants'] =\
+ config.PKI_DEPLOYMENT_SYSTEMD_CONFIGURATION_ROOT + "/" +\
+ "pki-apached.target.wants"
+ config.pki_master_dict['pki_systemd_service_link'] =\
+ config.pki_master_dict['pki_systemd_target_wants'] + "/" +\
+ "pki-apached" + "@" +\
+ config.pki_master_dict['pki_instance_id'] + ".service"
+ elif config.pki_master_dict['pki_subsystem'] in\
+ config.PKI_TOMCAT_SUBSYSTEMS:
+ config.pki_master_dict['pki_systemd_service'] =\
+ config.PKI_DEPLOYMENT_SYSTEMD_ROOT + "/" +\
+ "pki-tomcatd" + "@" + ".service"
+ config.pki_master_dict['pki_systemd_target'] =\
+ config.PKI_DEPLOYMENT_SYSTEMD_ROOT + "/" +\
+ "pki-tomcatd.target"
+ config.pki_master_dict['pki_systemd_target_wants'] =\
+ config.PKI_DEPLOYMENT_SYSTEMD_CONFIGURATION_ROOT + "/" +\
+ "pki-tomcatd.target.wants"
+ config.pki_master_dict['pki_systemd_service_link'] =\
+ config.pki_master_dict['pki_systemd_target_wants'] + "/" +\
+ "pki-tomcatd" + "@" +\
+ config.pki_master_dict['pki_instance_id'] + ".service"
config.pki_master_dict['pki_tomcat_bin_path'] =\
os.path.join(config.PKI_DEPLOYMENT_TOMCAT_ROOT,
"bin")
@@ -364,16 +433,16 @@ def compose_pki_master_dictionary():
os.path.join(config.pki_master_dict['pki_war_path'],
config.pki_master_dict['pki_war_name'])
config.pki_master_dict['pki_source_catalina_properties'] =\
- os.path.join(config.pki_master_dict['pki_source_conf_path'],
+ os.path.join(config.pki_master_dict['pki_source_shared_path'],
"catalina.properties")
config.pki_master_dict['pki_source_servercertnick_conf'] =\
- os.path.join(config.pki_master_dict['pki_source_conf_path'],
+ os.path.join(config.pki_master_dict['pki_source_shared_path'],
"serverCertNick.conf")
config.pki_master_dict['pki_source_server_xml'] =\
- os.path.join(config.pki_master_dict['pki_source_conf_path'],
+ os.path.join(config.pki_master_dict['pki_source_shared_path'],
"server.xml")
config.pki_master_dict['pki_source_tomcat_conf'] =\
- os.path.join(config.pki_master_dict['pki_source_conf_path'],
+ os.path.join(config.pki_master_dict['pki_source_shared_path'],
"tomcat.conf")
config.pki_master_dict['pki_source_index_jsp'] =\
os.path.join(config.pki_master_dict['pki_source_webapps_path'],
@@ -425,12 +494,24 @@ def compose_pki_master_dictionary():
os.path.join(config.pki_master_dict['pki_configuration_path'],
config.pki_master_dict['pki_instance_id'])
# Apache/Tomcat instance registry name/value pairs
- config.pki_master_dict['pki_instance_registry_path'] =\
- os.path.join(config.pki_master_dict['pki_registry_path'],
- config.pki_master_dict['pki_instance_id'])
- # Tomcat-specific instance name/value pairs
+ # Apache-specific instance name/value pairs
if config.pki_master_dict['pki_subsystem'] in\
- config.PKI_TOMCAT_SUBSYSTEMS:
+ config.PKI_APACHE_SUBSYSTEMS:
+ # Apache instance base name/value pairs
+ # Apache instance log name/value pairs
+ # Apache instance configuration name/value pairs
+ # Apache instance registry name/value pairs
+ config.pki_master_dict['pki_instance_type_registry_path'] =\
+ os.path.join(config.pki_master_dict['pki_registry_path'],
+ "apache")
+ config.pki_master_dict['pki_instance_registry_path'] =\
+ os.path.join(
+ config.pki_master_dict['pki_instance_type_registry_path'],
+ config.pki_master_dict['pki_instance_id'])
+ # Apache instance convenience symbolic links
+ # Tomcat-specific instance name/value pairs
+ elif config.pki_master_dict['pki_subsystem'] in\
+ config.PKI_TOMCAT_SUBSYSTEMS:
# Tomcat instance base name/value pairs
config.pki_master_dict['pki_tomcat_common_path'] =\
os.path.join(config.pki_master_dict['pki_instance_path'],
@@ -467,6 +548,13 @@ def compose_pki_master_dictionary():
# Tomcat instance log name/value pairs
# Tomcat instance configuration name/value pairs
# Tomcat instance registry name/value pairs
+ config.pki_master_dict['pki_instance_type_registry_path'] =\
+ os.path.join(config.pki_master_dict['pki_registry_path'],
+ "tomcat")
+ config.pki_master_dict['pki_instance_registry_path'] =\
+ os.path.join(
+ config.pki_master_dict['pki_instance_type_registry_path'],
+ config.pki_master_dict['pki_instance_id'])
# Tomcat instance convenience symbolic links
config.pki_master_dict['pki_tomcat_bin_link'] =\
os.path.join(config.pki_master_dict['pki_instance_path'],
@@ -572,26 +660,30 @@ def compose_pki_master_dictionary():
config.pki_master_dict['pki_subsystem_configuration_path'],
"CS.cfg")
config.pki_master_dict['pki_target_registry'] =\
- os.path.join(config.pki_master_dict['pki_subsystem_registry_path'],
+ os.path.join(config.pki_master_dict['pki_instance_registry_path'],
config.pki_master_dict['pki_instance_id'])
if config.pki_master_dict['pki_subsystem'] in\
config.PKI_TOMCAT_SUBSYSTEMS:
config.pki_master_dict['pki_target_catalina_properties'] =\
os.path.join(
- config.pki_master_dict['pki_subsystem_configuration_path'],
+ config.pki_master_dict['pki_instance_configuration_path'],
"catalina.properties")
config.pki_master_dict['pki_target_servercertnick_conf'] =\
os.path.join(
- config.pki_master_dict['pki_subsystem_configuration_path'],
+ config.pki_master_dict['pki_instance_configuration_path'],
"serverCertNick.conf")
config.pki_master_dict['pki_target_server_xml'] =\
os.path.join(
- config.pki_master_dict['pki_subsystem_configuration_path'],
+ config.pki_master_dict['pki_instance_configuration_path'],
"server.xml")
- config.pki_master_dict['pki_target_tomcat_conf'] =\
+ config.pki_master_dict['pki_target_tomcat_conf_instance_id'] =\
config.pki_master_dict['pki_root_prefix'] +\
"/etc/sysconfig/" +\
config.pki_master_dict['pki_instance_id']
+ config.pki_master_dict['pki_target_tomcat_conf'] =\
+ os.path.join(
+ config.pki_master_dict['pki_instance_configuration_path'],
+ "tomcat.conf")
config.pki_master_dict['pki_target_index_jsp'] =\
os.path.join(
config.pki_master_dict['pki_tomcat_webapps_root_path'],
@@ -626,14 +718,8 @@ def compose_pki_master_dictionary():
config.pki_master_dict['PKI_INSTANCE_ID_SLOT'] =\
config.pki_master_dict['pki_instance_id']
config.pki_master_dict['PKI_INSTANCE_INITSCRIPT_SLOT'] =\
- os.path.join(config.pki_master_dict['pki_subsystem_path'],
+ os.path.join(config.pki_master_dict['pki_instance_path'],
config.pki_master_dict['pki_instance_id'])
- config.pki_master_dict['PKI_LOCKDIR_SLOT'] =\
- os.path.join("/var/lock/pki",
- config.pki_master_dict['pki_subsystem'].lower())
- config.pki_master_dict['PKI_PIDDIR_SLOT'] =\
- os.path.join("/var/run/pki",
- config.pki_master_dict['pki_subsystem'].lower())
config.pki_master_dict['PKI_REGISTRY_FILE_SLOT'] =\
os.path.join(config.pki_master_dict['pki_subsystem_registry_path'],
config.pki_master_dict['pki_instance_id'])
@@ -650,6 +736,13 @@ def compose_pki_master_dictionary():
config.pki_master_dict['NON_CLIENTAUTH_SECURE_PORT_SLOT'] = None
config.pki_master_dict['NSS_CONF_SLOT'] = None
config.pki_master_dict['OBJ_EXT_SLOT'] = None
+ config.pki_master_dict['PKI_LOCKDIR_SLOT'] =\
+ os.path.join("/var/lock/pki",
+ "apache")
+ config.pki_master_dict['PKI_PIDDIR_SLOT'] =\
+ os.path.join("/var/run/pki",
+ "apache")
+ config.pki_master_dict['PKI_WEB_SERVER_TYPE_SLOT'] = "apache"
config.pki_master_dict['PORT_SLOT'] = None
config.pki_master_dict['PROCESS_ID_SLOT'] = None
config.pki_master_dict['REQUIRE_CFG_PL_SLOT'] = None
@@ -711,14 +804,15 @@ def compose_pki_master_dictionary():
"Unused"
config.pki_master_dict['PKI_EE_SECURE_PORT_SERVER_COMMENT_SLOT'] =\
""
- config.pki_master_dict['PKI_FLAVOR_SLOT'] =\
- "pki"
config.pki_master_dict['PKI_GROUP_SLOT'] =\
config.pki_master_dict['pki_group']
config.pki_master_dict['PKI_INSTANCE_PATH_SLOT'] =\
- config.pki_master_dict['pki_subsystem_path']
- config.pki_master_dict['PKI_INSTANCE_ROOT_SLOT'] =\
config.pki_master_dict['pki_instance_path']
+ config.pki_master_dict['PKI_INSTANCE_ROOT_SLOT'] =\
+ config.pki_master_dict['pki_path']
+ config.pki_master_dict['PKI_LOCKDIR_SLOT'] =\
+ os.path.join("/var/lock/pki",
+ "tomcat")
config.pki_master_dict['PKI_MACHINE_NAME_SLOT'] =\
config.pki_master_dict['pki_hostname']
config.pki_master_dict['PKI_OPEN_AJP_PORT_COMMENT_SLOT'] =\
@@ -731,6 +825,9 @@ def compose_pki_master_dictionary():
config.pki_master_dict\
['PKI_OPEN_SEPARATE_PORTS_WEB_COMMENT_SLOT'] =\
"<!--"
+ config.pki_master_dict['PKI_PIDDIR_SLOT'] =\
+ os.path.join("/var/run/pki",
+ "tomcat")
config.pki_master_dict['PKI_PROXY_SECURE_PORT_SLOT'] =\
config.pki_master_dict['pki_proxy_https_port']
config.pki_master_dict['PKI_PROXY_UNSECURE_PORT_SLOT'] =\
@@ -752,9 +849,8 @@ def compose_pki_master_dictionary():
config.pki_master_dict['PKI_SUBSYSTEM_TYPE_SLOT'] =\
config.pki_master_dict['pki_subsystem'].lower()
config.pki_master_dict['PKI_SYSTEMD_SERVICENAME_SLOT'] =\
- "pki-" + config.pki_master_dict['pki_subsystem'].lower() +\
- "d" + "@" + "pki-" +\
- config.pki_master_dict['pki_subsystem'].lower() + ".service"
+ "pki-tomcatd" + "@" +\
+ config.pki_master_dict['pki_instance_id'] + ".service"
config.pki_master_dict['PKI_UNSECURE_PORT_SLOT'] =\
config.pki_master_dict['pki_http_port']
config.pki_master_dict['PKI_UNSECURE_PORT_CONNECTOR_NAME_SLOT'] =\
@@ -763,6 +859,8 @@ def compose_pki_master_dictionary():
"<!-- Shared Ports: Unsecure Port Connector -->"
config.pki_master_dict['PKI_USER_SLOT'] =\
config.pki_master_dict['pki_user']
+ config.pki_master_dict['PKI_WEB_SERVER_TYPE_SLOT'] =\
+ "tomcat"
config.pki_master_dict['PKI_WEBAPPS_NAME_SLOT'] =\
"webapps"
config.pki_master_dict['TOMCAT_CFG_SLOT'] =\
@@ -772,7 +870,7 @@ def compose_pki_master_dictionary():
config.pki_master_dict['pki_tomcat_common_lib_path'],
"*.jar")
config.pki_master_dict['TOMCAT_LOG_DIR_SLOT'] =\
- config.pki_master_dict['pki_subsystem_log_path']
+ config.pki_master_dict['pki_instance_log_path']
config.pki_master_dict['TOMCAT_PIDFILE_SLOT'] =\
"/var/run/" + config.pki_master_dict['pki_instance_id'] + ".pid"
config.pki_master_dict['TOMCAT_SERVER_PORT_SLOT'] =\
diff --git a/base/deploy/src/scriptlets/slot_substitution.py b/base/deploy/src/scriptlets/slot_substitution.py
index 2e2d94545..93b0ae750 100644
--- a/base/deploy/src/scriptlets/slot_substitution.py
+++ b/base/deploy/src/scriptlets/slot_substitution.py
@@ -38,17 +38,25 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
util.file.copy_with_slot_substitution(master['pki_source_cs_cfg'],
master['pki_target_cs_cfg'])
util.file.copy_with_slot_substitution(master['pki_source_registry'],
- master['pki_target_registry'])
+ master['pki_target_registry'],
+ overwrite_flag=True)
if master['pki_subsystem'] in config.PKI_TOMCAT_SUBSYSTEMS:
util.file.copy_with_slot_substitution(
master['pki_source_catalina_properties'],
- master['pki_target_catalina_properties'])
+ master['pki_target_catalina_properties'],
+ overwrite_flag=True)
util.file.copy_with_slot_substitution(
master['pki_source_servercertnick_conf'],
- master['pki_target_servercertnick_conf'])
+ master['pki_target_servercertnick_conf'],
+ overwrite_flag=True)
util.file.copy_with_slot_substitution(
master['pki_source_server_xml'],
- master['pki_target_server_xml'])
+ master['pki_target_server_xml'],
+ overwrite_flag=True)
+ util.file.copy_with_slot_substitution(
+ master['pki_source_tomcat_conf'],
+ master['pki_target_tomcat_conf_instance_id'],
+ overwrite_flag=True)
util.file.copy_with_slot_substitution(
master['pki_source_tomcat_conf'],
master['pki_target_tomcat_conf'],
@@ -93,6 +101,10 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
overwrite_flag=True)
util.file.copy_with_slot_substitution(
master['pki_source_tomcat_conf'],
+ master['pki_target_tomcat_conf_instance_id'],
+ overwrite_flag=True)
+ util.file.copy_with_slot_substitution(
+ master['pki_source_tomcat_conf'],
master['pki_target_tomcat_conf'],
overwrite_flag=True)
util.file.copy_with_slot_substitution(