diff options
Diffstat (limited to 'base/kra/shared/conf/server.xml')
-rw-r--r-- | base/kra/shared/conf/server.xml | 265 |
1 files changed, 0 insertions, 265 deletions
diff --git a/base/kra/shared/conf/server.xml b/base/kra/shared/conf/server.xml deleted file mode 100644 index 007524982..000000000 --- a/base/kra/shared/conf/server.xml +++ /dev/null @@ -1,265 +0,0 @@ -<?xml version='1.0' encoding='utf-8'?> -<!-- BEGIN COPYRIGHT BLOCK - Copyright (C) 2006-2010 Red Hat, Inc. - All rights reserved. - Modifications: configuration parameters - END COPYRIGHT BLOCK --> -<!-- - Licensed to the Apache Software Foundation (ASF) under one or more - contributor license agreements. See the NOTICE file distributed with - this work for additional information regarding copyright ownership. - The ASF licenses this file to You under the Apache License, Version 2.0 - (the "License"); you may not use this file except in compliance with - the License. You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - - Unless required by applicable law or agreed to in writing, software - distributed under the License is distributed on an "AS IS" BASIS, - WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - See the License for the specific language governing permissions and - limitations under the License. ---> -<!-- Note: A "Server" is not itself a "Container", so you may not - define subcomponents such as "Valves" at this level. - Documentation at /docs/config/server.html - --> - -<!-- DO NOT REMOVE - Begin PKI Status Definitions --> -<!-- -Unsecure URL = http://[PKI_HOSTNAME]:[PKI_UNSECURE_PORT]/[PKI_SUBSYSTEM_TYPE]/ee/[PKI_SUBSYSTEM_TYPE] -Secure Agent URL = https://[PKI_HOSTNAME]:[PKI_AGENT_SECURE_PORT]/[PKI_SUBSYSTEM_TYPE]/agent/[PKI_SUBSYSTEM_TYPE] -Secure EE URL = https://[PKI_HOSTNAME]:[PKI_EE_SECURE_PORT]/[PKI_SUBSYSTEM_TYPE]/ee/[PKI_SUBSYSTEM_TYPE] -Secure Admin URL = https://[PKI_HOSTNAME]:[PKI_ADMIN_SECURE_PORT]/[PKI_SUBSYSTEM_TYPE]/services -PKI Console Command = pkiconsole https://[PKI_HOSTNAME]:[PKI_ADMIN_SECURE_PORT]/[PKI_SUBSYSTEM_TYPE] -Tomcat Port = [TOMCAT_SERVER_PORT] (for shutdown) ---> -<!-- DO NOT REMOVE - End PKI Status Definitions --> - -<Server port="[TOMCAT_SERVER_PORT]" shutdown="SHUTDOWN"> - - <!--APR library loader. Documentation at /docs/apr.html --> - <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" /> - <!--Initialize Jasper prior to webapps are loaded. Documentation at /docs/jasper-howto.html --> - <Listener className="org.apache.catalina.core.JasperListener" /> - <!-- JMX Support for the Tomcat server. Documentation at /docs/non-existent.html --> - <Listener className="org.apache.catalina.mbeans.ServerLifecycleListener" /> - <Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener" /> - - <!-- Global JNDI resources - Documentation at /docs/jndi-resources-howto.html - --> - <GlobalNamingResources> - <!-- Editable user database that can also be used by - UserDatabaseRealm to authenticate users - --> - <Resource name="UserDatabase" auth="Container" - type="org.apache.catalina.UserDatabase" - description="User database that can be updated and saved" - factory="org.apache.catalina.users.MemoryUserDatabaseFactory" - pathname="conf/tomcat-users.xml" /> - </GlobalNamingResources> - - <!-- A "Service" is a collection of one or more "Connectors" that share - a single "Container" Note: A "Service" is not itself a "Container", - so you may not define subcomponents such as "Valves" at this level. - Documentation at /docs/config/service.html - --> - <Service name="Catalina"> - - <!--The connectors can use a shared executor, you can define one or more named thread pools--> - <!-- - <Executor name="tomcatThreadPool" namePrefix="catalina-exec-" - maxThreads="150" minSpareThreads="4"/> - --> - - - <!-- A "Connector" represents an endpoint by which requests are received - and responses are returned. Documentation at : - Java HTTP Connector: /docs/config/http.html (blocking & non-blocking) - Java AJP Connector: /docs/config/ajp.html - APR (HTTP/AJP) Connector: /docs/apr.html - Define a non-SSL HTTP/1.1 Connector on port 8080 - --> - - [PKI_UNSECURE_PORT_SERVER_COMMENT] - <Connector name="[PKI_UNSECURE_PORT_CONNECTOR_NAME]" port="[PKI_UNSECURE_PORT]" protocol="HTTP/1.1" redirectPort="8443" - maxHttpHeaderSize="8192" - acceptCount="100" maxThreads="150" minSpareThreads="25" maxSpareThreads="75" - enableLookups="false" connectionTimeout="20000" disableUploadTimeout="true" - /> - - <!-- Define a SSL HTTP/1.1 Connector on port 8443 --> - [PKI_SECURE_PORT_SERVER_COMMENT] - <!-- DO NOT REMOVE - Begin define PKI secure port - NOTE: The OCSP settings take effect globally, so it should only be set once. - - In setup where SSL clientAuth="true", OCSP can be turned on by - setting enableOCSP to true like the following: - enableOCSP="true" - along with changes to related settings, especially: - ocspResponderURL=<see example in connector definition below> - ocspResponderCertNickname=<see example in connector definition below> - Here are the definition to all the OCSP-related settings: - enableOCSP - turns on/off the ocsp check - ocspResponderURL - sets the url where the ocsp requests are sent - ocspResponderCertNickname - sets the nickname of the cert that is - either CA's signing certificate or the OCSP server's signing - certificate. - The CA's signing certificate should already be in the db, in - case of the same security domain. - In case of an ocsp signing certificate, one must import the cert - into the subsystem's nss db and set trust. e.g.: - certutil -d . -A -n "ocspSigningCert cert-pki-ca" -t "C,," -a -i ocspCert.b64 - ocspCacheSize - sets max cache entries - ocspMinCacheEntryDuration - sets minimum seconds to next fetch attempt - ocspMaxCacheEntryDuration - sets maximum seconds to next fetch attempt - ocspTimeout -sets OCSP timeout in seconds - --> - <Connector name="[PKI_SECURE_PORT_CONNECTOR_NAME]" port="[PKI_SECURE_PORT]" protocol="HTTP/1.1" SSLEnabled="true" sslProtocol="SSL" scheme="https" secure="true" - maxHttpHeaderSize="8192" - acceptCount="100" maxThreads="150" minSpareThreads="25" maxSpareThreads="75" - enableLookups="false" disableUploadTimeout="true" - SSLImplementation="org.apache.tomcat.util.net.jss.JSSImplementation" - enableOCSP="false" - ocspResponderURL="http://[PKI_HOSTNAME]:9080/ca/ocsp" - ocspResponderCertNickname="ocspSigningCert cert-pki-ca" - ocspCacheSize="1000" - ocspMinCacheEntryDuration="60" - ocspMaxCacheEntryDuration="120" - ocspTimeout="10" - strictCiphers="false" - clientAuth="[PKI_AGENT_CLIENTAUTH]" - sslOptions="[TOMCAT_SSL_OPTIONS]" - ssl2Ciphers="[TOMCAT_SSL2_CIPHERS]" - ssl3Ciphers="[TOMCAT_SSL3_CIPHERS]" - tlsCiphers="[TOMCAT_TLS_CIPHERS]" - serverCertNickFile="[PKI_INSTANCE_PATH]/conf/serverCertNick.conf" - passwordFile="[PKI_INSTANCE_PATH]/conf/password.conf" - passwordClass="org.apache.tomcat.util.net.jss.PlainPasswordFile" - certdbDir="[PKI_INSTANCE_PATH]/alias" - /> - <!-- DO NOT REMOVE - End define PKI secure port --> - - [PKI_OPEN_SEPARATE_PORTS_SERVER_COMMENT][PKI_ADMIN_SECURE_PORT_SERVER_COMMENT] - <Connector name="[PKI_ADMIN_SECURE_PORT_CONNECTOR_NAME]" port="[PKI_ADMIN_SECURE_PORT]" SSLEnabled="true" sslProtocol="SSL" scheme="https" secure="true" - maxHttpHeaderSize="8192" - acceptCount="100" maxThreads="150" minSpareThreads="25" maxSpareThreads="75" - enableLookups="false" disableUploadTimeout="true" - SSLImplementation="org.apache.tomcat.util.net.jss.JSSImplementation" - strictCiphers="false" - clientAuth="false" - sslOptions="[TOMCAT_SSL_OPTIONS]" - ssl2Ciphers="[TOMCAT_SSL2_CIPHERS]" - ssl3Ciphers="[TOMCAT_SSL3_CIPHERS]" - tlsCiphers="[TOMCAT_TLS_CIPHERS]" - serverCertNickFile="[PKI_INSTANCE_PATH]/conf/serverCertNick.conf" - passwordFile="[PKI_INSTANCE_PATH]/conf/password.conf" - passwordClass="org.apache.tomcat.util.net.jss.PlainPasswordFile" - certdbDir="[PKI_INSTANCE_PATH]/alias"/> - [PKI_CLOSE_SEPARATE_PORTS_SERVER_COMMENT] - - [PKI_OPEN_SEPARATE_PORTS_SERVER_COMMENT][PKI_EE_SECURE_PORT_SERVER_COMMENT] - <Connector name="[PKI_EE_SECURE_PORT_CONNECTOR_NAME]" port="[PKI_EE_SECURE_PORT]" SSLEnabled="true" sslProtocol="SSL" scheme="https" secure="true" - maxHttpHeaderSize="8192" - acceptCount="100" maxThreads="150" minSpareThreads="25" maxSpareThreads="75" - enableLookups="false" disableUploadTimeout="true" - SSLImplementation="org.apache.tomcat.util.net.jss.JSSImplementation" - strictCiphers="false" - clientAuth="false" - sslOptions="[TOMCAT_SSL_OPTIONS]" - ssl2Ciphers="[TOMCAT_SSL2_CIPHERS]" - ssl3Ciphers="[TOMCAT_SSL3_CIPHERS]" - tlsCiphers="[TOMCAT_TLS_CIPHERS]" - serverCertNickFile="[PKI_INSTANCE_PATH]/conf/serverCertNick.conf" - passwordFile="[PKI_INSTANCE_PATH]/conf/password.conf" - passwordClass="org.apache.tomcat.util.net.jss.PlainPasswordFile" - certdbDir="[PKI_INSTANCE_PATH]/alias"/> - [PKI_CLOSE_SEPARATE_PORTS_SERVER_COMMENT] - - <!-- A "Connector" using the shared thread pool--> - <!-- - <Connector executor="tomcatThreadPool" - port="8080" protocol="HTTP/1.1" - connectionTimeout="20000" - redirectPort="8443" /> - --> - <!-- Define a SSL HTTP/1.1 Connector on port 8443 - This connector uses the JSSE configuration, when using APR, the - connector should be using the OpenSSL style configuration - described in the APR documentation --> - <!-- - <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" - maxThreads="150" scheme="https" secure="true" - clientAuth="false" sslProtocol="TLS" /> - --> - - <!-- Define an AJP 1.3 Connector on port [PKI_AJP_PORT] --> -[PKI_OPEN_AJP_PORT_COMMENT] - <Connector port="[PKI_AJP_PORT]" protocol="AJP/1.3" redirectPort="[PKI_AJP_REDIRECT_PORT]" address="127.0.0.1" /> -[PKI_CLOSE_AJP_PORT_COMMENT] - - - <!-- An Engine represents the entry point (within Catalina) that processes - every request. The Engine implementation for Tomcat stand alone - analyzes the HTTP headers included with the request, and passes them - on to the appropriate Host (virtual host). - Documentation at /docs/config/engine.html --> - - <!-- You should set jvmRoute to support load-balancing via AJP ie : - <Engine name="Catalina" defaultHost="localhost" jvmRoute="jvm1"> - --> - <Engine name="Catalina" defaultHost="localhost"> - - <!--For clustering, please take a look at documentation at: - /docs/cluster-howto.html (simple how to) - /docs/config/cluster.html (reference documentation) --> - <!-- - <Cluster className="org.apache.catalina.ha.tcp.SimpleTcpCluster"/> - --> - - <!-- The request dumper valve dumps useful debugging information about - the request and response data received and sent by Tomcat. - Documentation at: /docs/config/valve.html --> - <!-- - <Valve className="org.apache.catalina.valves.RequestDumperValve"/> - --> - - <!-- This Realm uses the UserDatabase configured in the global JNDI - resources under the key "UserDatabase". Any edits - that are performed against this UserDatabase are immediately - available for use by the Realm. --> - - <!-- - <Realm className="org.apache.catalina.realm.UserDatabaseRealm" - resourceName="UserDatabase"/> - --> - - <!-- - <Realm className="com.netscape.cmscore.realm.PKIRealm" /> - --> - - <!-- Define the default virtual host - Note: XML Schema validation will not work with Xerces 2.2. - --> - <Host name="localhost" appBase="webapps" - unpackWARs="true" autoDeploy="false" - xmlValidation="false" xmlNamespaceAware="false"> - - <!-- SingleSignOn valve, share authentication between web applications - Documentation at: /docs/config/valve.html --> - <!-- - <Valve className="org.apache.catalina.authenticator.SingleSignOn" /> - --> - - <!-- Access log processes all example. - Documentation at: /docs/config/valve.html --> - [PKI_OPEN_TOMCAT_ACCESS_LOG_COMMENT] - <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs" - prefix="localhost_access_log." suffix=".txt" pattern="common" resolveHosts="false"/> - [PKI_CLOSE_TOMCAT_ACCESS_LOG_COMMENT] - - </Host> - </Engine> - </Service> -</Server> |