Diffstat (limited to 'base/server/etc')
-rw-r--r-- | base/server/etc/default.cfg | 531 | ||||
-rw-r--r-- | base/server/etc/pki.conf | 4 |
2 files changed, 535 insertions, 0 deletions
diff --git a/base/server/etc/default.cfg b/base/server/etc/default.cfg
new file mode 100644
index 000000000..e848363ab
--- /dev/null
+++ b/base/server/etc/default.cfg
@@ -0,0 +1,531 @@
+###############################################################################
+## Default Configuration: ##
+## ##
+## Values in this section are common to more than one PKI subsystem, and ##
+## contain required information which MAY be overridden by users as ##
+## necessary. ##
+## ##
+## There are also some meta-parameters that determine how the PKI ##
+## configuratiion should work. ##
+## ##
+###############################################################################
+[DEFAULT]
+
+# The sensitive_parameters contains a list of parameters which may contain
+# sensitive information which must not be displayed to the console nor stored
+# in log files for security reasons.
+sensitive_parameters=
+ pki_admin_password
+ pki_backup_password
+ pki_client_database_password
+ pki_client_pin
+ pki_client_pkcs12_password
+ pki_clone_pkcs12_password
+ pki_ds_password
+ pki_one_time_pin
+ pki_pin
+ pki_security_domain_password
+ pki_token_password
+
+# The spawn_scriplets contains a list of scriplets to be executed by pkispawn.
+spawn_scriplets=
+ initialization
+ infrastructure_layout
+ instance_layout
+ subsystem_layout
+ selinux_setup
+ webapp_deployment
+ slot_substitution
+ security_databases
+ configuration
+ finalization
+
+# The destroy_scriplets contains a list of scriplets to be executed by pkidestroy.
+destroy_scriplets=
+ initialization
+ configuration
+ webapp_deployment
+ subsystem_layout
+ security_databases
+ instance_layout
+ selinux_setup
+ infrastructure_layout
+ finalization
+
+# By default, the following parameters will be set for Tomcat and Apache instances.
+# There is no reason to uncomment these. They are provided for reference in
+# case someone wants to override them in their config file.
+#
+# Tomcat instances:
+# pki_instance_name=pki-tomcat
+# pki_https_port=8443
+# pki_http_port=8080
+#
+# Apache instances:
+# pki_instance_name=pki-apache
+# pki_https_port=443
+# pki_http_port=80
+
+pki_admin_cert_file=%(pki_client_dir)s/ca_admin.cert
+pki_admin_cert_request_type=pkcs10
+pki_admin_dualkey=False
+pki_admin_keysize=2048
+pki_admin_password=
+pki_audit_group=pkiaudit
+pki_audit_signing_key_algorithm=SHA256withRSA
+pki_audit_signing_key_size=2048
+pki_audit_signing_key_type=rsa
+pki_audit_signing_signing_algorithm=SHA256withRSA
+pki_audit_signing_token=Internal Key Storage Token
+pki_backup_keys=False
+pki_backup_password=
+pki_client_admin_cert_p12=%(pki_client_dir)s/%(pki_subsystem_type)s_admin_cert.p12
+pki_client_database_password=
+pki_client_database_purge=True
+pki_client_dir=%(home_dir)s/.pki/%(pki_instance_name)s
+pki_client_pkcs12_password=
+pki_ds_bind_dn=cn=Directory Manager
+pki_ds_ldap_port=389
+pki_ds_ldaps_port=636
+pki_ds_password=
+pki_ds_remove_data=True
+pki_ds_secure_connection=False
+pki_group=pkiuser
+pki_issuing_ca_hostname=%(pki_security_domain_hostname)s
+pki_issuing_ca_https_port=%(pki_security_domain_https_port)s
+pki_issuing_ca_uri=https://%(pki_issuing_ca_hostname)s:%(pki_issuing_ca_https_port)s
+pki_issuing_ca=%(pki_issuing_ca_uri)s
+pki_restart_configured_instance=True
+pki_security_domain_hostname=%(pki_hostname)s
+pki_security_domain_https_port=8443
+pki_security_domain_name=%(pki_dns_domainname)s Security Domain
+pki_security_domain_password=
+pki_security_domain_user=caadmin
+pki_skip_configuration=False
+pki_skip_installation=False
+pki_ssl_server_key_algorithm=SHA256withRSA
+pki_ssl_server_key_size=2048
+pki_ssl_server_key_type=rsa
+pki_ssl_server_nickname=Server-Cert cert-%(pki_instance_name)s
+pki_ssl_server_subject_dn=cn=%(pki_hostname)s,o=%(pki_security_domain_name)s
+pki_ssl_server_token=Internal Key Storage Token
+pki_subsystem_key_algorithm=SHA256withRSA
+pki_subsystem_key_size=2048
+pki_subsystem_key_type=rsa
+pki_subsystem_token=Internal Key Storage Token
+pki_theme_enable=True
+pki_theme_server_dir=/usr/share/pki/common-ui
+pki_token_name=internal
+pki_token_password=
+pki_user=pkiuser
+
+# Paths:
+# These are used in the processing of pkispawn and are not supposed
+# to be overwritten by user configuration files.
+#
+pki_client_database_dir=%(pki_client_subsystem_dir)s/alias
+pki_client_subsystem_dir=%(pki_client_dir)s/%(pki_subsystem_type)s
+pki_client_password_conf=%(pki_client_subsystem_dir)s/password.conf
+pki_client_pkcs12_password_conf=%(pki_client_subsystem_dir)s/pkcs12_password.conf
+pki_client_cert_database=%(pki_client_database_dir)s/cert8.db
+pki_client_key_database=%(pki_client_database_dir)s/key3.db
+pki_client_secmod_database=%(pki_client_database_dir)s/secmod.db
+pki_client_admin_cert=%(pki_client_dir)s/%(pki_subsystem_type)s_admin.cert
+pki_source_conf_path=/usr/share/pki/%(pki_subsystem_type)s/conf
+pki_source_setup_path=/usr/share/pki/setup
+pki_source_server_path=/usr/share/pki/server/conf
+pki_source_cs_cfg=/usr/share/pki/%(pki_subsystem_type)s/conf/CS.cfg
+pki_source_registry=/usr/share/pki/setup/pkidaemon_registry
+pki_path=%(pki_root_prefix)s/var/lib/pki
+pki_log_path=%(pki_root_prefix)s/var/log/pki
+pki_configuration_path=%(pki_root_prefix)s/etc/pki
+pki_registry_path=%(pki_root_prefix)s/etc/sysconfig/pki
+pki_instance_path=%(pki_path)s/%(pki_instance_name)s
+pki_instance_log_path=%(pki_log_path)s/%(pki_instance_name)s
+pki_instance_configuration_path=%(pki_configuration_path)s/%(pki_instance_name)s
+pki_database_path=%(pki_instance_configuration_path)s/alias
+pki_instance_database_link=%(pki_instance_path)s/alias
+pki_instance_conf_link=%(pki_instance_path)s/conf
+pki_instance_logs_link=%(pki_instance_path)s/logs
+pki_subsystem_path=%(pki_instance_path)s/%(pki_subsystem_type)s
+pki_subsystem_log_path=%(pki_instance_log_path)s/%(pki_subsystem_type)s
+pki_subsystem_archive_log_path=%(pki_subsystem_log_path)s/archive
+pki_subsystem_configuration_path=%(pki_instance_configuration_path)s/%(pki_subsystem_type)s
+pki_subsystem_database_link=%(pki_subsystem_path)s/alias
+pki_subsystem_conf_link=%(pki_subsystem_path)s/conf
+pki_subsystem_logs_link=%(pki_subsystem_path)s/logs
+pki_subsystem_registry_link=%(pki_subsystem_path)s/registry
+
+
+###############################################################################
+## Apache Configuration: ##
+## ##
+## Values in this section are common to PKI subsystems that run ##
+## as an instance of 'Apache' (RA and TPS subsystems), and contain ##
+## required information which MAY be overridden by users as necessary. ##
+###############################################################################
+[Apache]
+
+# Paths
+# These are used in the processing of pkispawn and are not supposed
+# to be overwritten by user configuration files.
+#
+pki_systemd_service=/lib/systemd/system/pki-apached@.service
+pki_systemd_target=/lib/systemd/system/pki-apached.target
+pki_systemd_target_wants=/etc/systemd/system/pki-apached.target.wants
+pki_systemd_service_link=%(pki_systemd_target_wants)s/pki-apached@%(pki_instance_name)s.service
+pki_cgroup_systemd_service_path=/sys/fs/cgroup/systemd/system/%(pki_systemd_service)s
+pki_cgroup_systemd_service=%(pki_cgroup_systemd_service_path)s/%(pki_instance_name)s
+pki_cgroup_cpu_systemd_service_path=/sys/fs/cgroup/cpu\,cpuacct/system/%(pki_systemd_service)s
+pki_cgroup_cpu_systemd_service=%(pki_cgroup_cpu_systemd_service_path)s/%(pki_systemd_service)s
+pki_instance_type=Apache
+pki_instance_type_registry_path =%(pki_registry_path)s/apache
+pki_instance_registry_path=%(pki_instance_type_registry_path)s/%(pki_instance_name)s
+pki_subsystem_registry_path=%(pki_instance_registry_path)s/%(pki_subsystem_type)s
+
+###############################################################################
+## Tomcat Configuration: ##
+## ##
+## Values in this section are common to PKI subsystems that run ##
+## as an instance of 'Tomcat' (CA, KRA, OCSP, and TKS subsystems ##
+## including 'Clones', 'Subordinate CAs', and 'External CAs'), and contain ##
+## required information which MAY be overridden by users as necessary. ##
+## ##
+## PKI CLONES: To specify a 'CA Clone', a 'KRA Clone', an 'OCSP Clone', ##
+## or a 'TKS Clone', change the value of 'pki_clone' ##
+## from 'False' to 'True'. ##
+## ##
+## REMINDER: PKI CA Clones, Subordinate CAs, and External CAs ##
+## are MUTUALLY EXCLUSIVE entities!!! ##
+###############################################################################
+[Tomcat]
+pki_ajp_port=8009
+pki_clone=False
+pki_clone_pkcs12_password=
+pki_clone_pkcs12_path=
+pki_clone_replicate_schema=True
+pki_clone_replication_master_port=
+pki_clone_replication_clone_port=
+pki_clone_replication_security=None
+pki_clone_uri=
+pki_enable_java_debugger=False
+pki_enable_proxy=False
+pki_proxy_http_port=80
+pki_proxy_https_port=443
+pki_security_manager=true
+pki_tomcat_server_port=8005
+
+# Paths
+# These are used in the processing of pkispawn and are not supposed
+# to be overwritten by user configuration files.
+#
+pki_systemd_service=/lib/systemd/system/pki-tomcatd@.service
+pki_systemd_target=/lib/systemd/system/pki-tomcatd.target
+pki_systemd_target_wants=/etc/systemd/system/pki-tomcatd.target.wants
+pki_systemd_service_link=%(pki_systemd_target_wants)s/pki-tomcatd@%(pki_instance_name)s.service
+pki_cgroup_systemd_service_path=/sys/fs/cgroup/systemd/system/%(pki_systemd_service)s
+pki_cgroup_systemd_service=%(pki_cgroup_systemd_service_path)s/%(pki_instance_name)s
+pki_cgroup_cpu_systemd_service_path=/sys/fs/cgroup/cpu\,cpuacct/system/%(pki_systemd_service)s
+pki_cgroup_cpu_systemd_service=%(pki_cgroup_cpu_systemd_service_path)s/%(pki_systemd_service)s
+pki_tomcat_bin_path=/usr/share/tomcat/bin
+pki_tomcat_lib_path=/usr/share/tomcat/lib
+pki_tomcat_systemd=/usr/sbin/tomcat-sysd
+pki_source_catalina_properties=%(pki_source_server_path)s/catalina.properties
+pki_source_servercertnick_conf=%(pki_source_server_path)s/serverCertNick.conf
+pki_source_server_xml=%(pki_source_server_path)s/server.xml
+pki_source_context_xml=%(pki_source_server_path)s/context.xml
+pki_source_tomcat_conf=%(pki_source_server_path)s/tomcat.conf
+pki_instance_type=Tomcat
+pki_tomcat_common_path=%(pki_instance_path)s/common
+pki_tomcat_common_lib_path=%(pki_tomcat_common_path)s/lib
+pki_tomcat_tmpdir_path=%(pki_instance_path)s/temp
+pki_tomcat_webapps_path=%(pki_instance_path)s/webapps
+pki_tomcat_webapps_root_path=%(pki_tomcat_webapps_path)s/ROOT
+pki_tomcat_webapps_common_path=%(pki_tomcat_webapps_path)s/pki
+pki_tomcat_webapps_root_webinf_path=%(pki_tomcat_webapps_root_path)s/WEB-INF
+pki_tomcat_work_path=%(pki_instance_path)s/work
+pki_tomcat_work_catalina_path=%(pki_tomcat_work_path)s/Catalina
+pki_tomcat_work_catalina_host_path=%(pki_tomcat_work_catalina_path)s/localhost
+pki_tomcat_work_catalina_host_run_path=%(pki_tomcat_work_catalina_host_path)s/_
+pki_tomcat_work_catalina_host_subsystem_path=%(pki_tomcat_work_catalina_host_path)s/%(pki_subsystem_type)s
+pki_instance_conf_log4j_properties=%(pki_instance_configuration_path)s/log4j.properties
+pki_instance_type_registry_path=%(pki_registry_path)s/tomcat
+pki_instance_registry_path=%(pki_instance_type_registry_path)s/%(pki_instance_name)s
+pki_subsystem_registry_path=%(pki_instance_registry_path)s/%(pki_subsystem_type)s
+pki_tomcat_bin_link=%(pki_instance_path)s/bin
+pki_instance_lib=%(pki_instance_path)s/lib
+pki_instance_lib_log4j_properties=%(pki_instance_lib)s/log4j.properties
+pki_instance_systemd_link=%(pki_instance_path)s/%(pki_instance_name)s
+pki_subsystem_signed_audit_log_path=%(pki_subsystem_log_path)s/signedAudit
+pki_subsystem_tomcat_webapps_link=%(pki_subsystem_path)s/webapps
+pki_tomcat_webapps_subsystem_path=%(pki_tomcat_webapps_path)s/%(pki_subsystem_type)s
+pki_tomcat_webapps_subsystem_webinf_classes_path=%(pki_tomcat_webapps_subsystem_path)s/WEB-INF/classes
+pki_tomcat_webapps_subsystem_webinf_lib_path=%(pki_tomcat_webapps_subsystem_path)s/WEB-INF/lib
+pki_certsrv_jar_link=%(pki_tomcat_webapps_subsystem_webinf_lib_path)s/pki-certsrv.jar
+pki_cmsbundle_jar_link=%(pki_tomcat_webapps_subsystem_webinf_lib_path)s/pki-cmsbundle.jar
+pki_cmscore_jar_link=%(pki_tomcat_webapps_subsystem_webinf_lib_path)s/pki-cmscore.jar
+pki_cms_jar_link=%(pki_tomcat_webapps_subsystem_webinf_lib_path)s/pki-cms.jar
+pki_cmsutil_jar_link=%(pki_tomcat_webapps_subsystem_webinf_lib_path)s/pki-cmsutil.jar
+pki_nsutil_jar_link=%(pki_tomcat_webapps_subsystem_webinf_lib_path)s/pki-nsutil.jar
+
+
+# JAR paths
+# These are used in the processing of pkispawn and are not supposed
+# to be overwritten by user configuration files
+pki_jss_jar=%(jni_jar_dir)s/jss4.jar
+pki_symkey_jar=%(jni_jar_dir)s/symkey.jar
+pki_apache_commons_collections_jar=/usr/share/java/apache-commons-collections.jar
+pki_apache_commons_lang_jar=/usr/share/java/apache-commons-lang.jar
+pki_apache_commons_logging_jar=/usr/share/java/apache-commons-logging.jar
+pki_commons_codec_jar=/usr/share/java/commons-codec.jar
+pki_httpclient_jar=/usr/share/java/httpcomponents/httpclient.jar
+pki_httpcore_jar=/usr/share/java/httpcomponents/httpcore.jar
+pki_javassist_jar=/usr/share/java/javassist.jar
+pki_jettison_jar=/usr/share/java/jettison.jar
+pki_ldapjdk_jar=/usr/share/java/ldapjdk.jar
+pki_certsrv_jar=/usr/share/java/pki/pki-certsrv.jar
+pki_cmsbundle=/usr/share/java/pki/pki-cmsbundle.jar
+pki_cmscore=/usr/share/java/pki/pki-cmscore.jar
+pki_cms=/usr/share/java/pki/pki-cms.jar
+pki_cmsutil=/usr/share/java/pki/pki-cmsutil.jar
+pki_resteasy_jaxrs_api_jar=%(resteasy_lib)s/jaxrs-api.jar
+pki_nsutil=/usr/share/java/pki/pki-nsutil.jar
+pki_tomcat_jar=/usr/share/java/pki/pki-tomcat.jar
+pki_resteasy_atom_provider_jar=%(resteasy_lib)s/resteasy-atom-provider.jar
+pki_resteasy_jaxb_provider_jar=%(resteasy_lib)s/resteasy-jaxb-provider.jar
+pki_resteasy_jaxrs_jar=%(resteasy_lib)s/resteasy-jaxrs.jar
+pki_resteasy_jettison_provider_jar=%(resteasy_lib)s/resteasy-jettison-provider.jar
+pki_scannotation_jar=/usr/share/java/scannotation.jar
+pki_tomcatjss_jar=/usr/share/java/tomcatjss.jar
+pki_velocity_jar=/usr/share/java/velocity.jar
+pki_xerces_j2_jar=/usr/share/java/xerces-j2.jar
+pki_xml_commons_apis_jar=/usr/share/java/xml-commons-apis.jar
+pki_xml_commons_resolver_jar=/usr/share/java/xml-commons-resolver.jar
+pki_jss_jar_link=%(pki_tomcat_common_lib_path)s/jss4.jar
+pki_symkey_jar_link=%(pki_tomcat_common_lib_path)s/symkey.jar
+pki_apache_commons_collections_jar_link=%(pki_tomcat_common_lib_path)s/apache-commons-collections.jar
+pki_apache_commons_lang_jar_link=%(pki_tomcat_common_lib_path)s/apache-commons-lang.jar
+pki_apache_commons_logging_jar_link=%(pki_tomcat_common_lib_path)s/apache-commons-logging.jar
+pki_commons_codec_jar_link=%(pki_tomcat_common_lib_path)s/apache-commons-codec.jar
+pki_httpclient_jar_link=%(pki_tomcat_common_lib_path)s/httpclient.jar
+pki_httpcore_jar_link=%(pki_tomcat_common_lib_path)s/httpcore.jar
+pki_javassist_jar_link=%(pki_tomcat_common_lib_path)s/javassist.jar
+pki_resteasy_jaxrs_api_jar_link=%(pki_tomcat_common_lib_path)s/jaxrs-api.jar
+pki_jettison_jar_link=%(pki_tomcat_common_lib_path)s/jettison.jar
+pki_ldapjdk_jar_link=%(pki_tomcat_common_lib_path)s/ldapjdk.jar
+pki_tomcat_jar_link=%(pki_tomcat_common_lib_path)s/pki-tomcat.jar
+pki_resteasy_atom_provider_jar_link=%(pki_tomcat_common_lib_path)s/resteasy-atom-provider.jar
+pki_resteasy_jaxb_provider_jar_link=%(pki_tomcat_common_lib_path)s/resteasy-jaxb-provider.jar
+pki_resteasy_jaxrs_jar_link=%(pki_tomcat_common_lib_path)s/resteasy-jaxrs.jar
+pki_resteasy_jettison_provider_jar_link=%(pki_tomcat_common_lib_path)s/resteasy-jettison-provider.jar
+pki_scannotation_jar_link=%(pki_tomcat_common_lib_path)s/scannotation.jar
+pki_tomcatjss_jar_link=%(pki_tomcat_common_lib_path)s/tomcatjss.jar
+pki_velocity_jar_link=%(pki_tomcat_common_lib_path)s/velocity.jar
+pki_xerces_j2_jar_link=%(pki_tomcat_common_lib_path)s/xerces-j2.jar
+pki_xml_commons_apis_jar_link=%(pki_tomcat_common_lib_path)s/xml-commons-apis.jar
+pki_xml_commons_resolver_jar_link=%(pki_tomcat_common_lib_path)s/xml-commons-resolver.jar
+pki_ca_jar=/usr/share/java/pki/pki-ca.jar
+pki_ca_jar_link=%(pki_tomcat_webapps_subsystem_webinf_lib_path)s/pki-ca.jar
+pki_kra_jar=/usr/share/java/pki/pki-kra.jar
+pki_kra_jar_link=%(pki_tomcat_webapps_subsystem_webinf_lib_path)s/pki-kra.jar
+pki_ocsp_jar=/usr/share/java/pki/pki-ocsp.jar
+pki_ocsp_jar_link=%(pki_tomcat_webapps_subsystem_webinf_lib_path)s/pki-ocsp.jar
+pki_tks_jar=/usr/share/java/pki/pki-tks.jar
+pki_tks_jar_link=%(pki_tomcat_webapps_subsystem_webinf_lib_path)s/pki-tks.jar
+
+
+
+###############################################################################
+## CA Configuration: ##
+## ##
+## Values in this section are common to CA subsystems including 'PKI CAs', ##
+## 'Cloned CAs', 'Subordinate CAs', and 'External CAs', and contain ##
+## required information which MAY be overridden by users as necessary. ##
+## ##
+## EXTERNAL CAs: To specify an 'External CA', change the value ##
+## of 'pki_external' from 'False' to 'True'. ##
+## ##
+## SUBORDINATE CAs: To specify a 'Subordinate CA', change the value ##
+## of 'pki_subordinate' from 'False' to 'True'. ##
+## ##
+## REMINDER: PKI CA Clones, Subordinate CAs, and External CAs ##
+## are MUTUALLY EXCLUSIVE entities!!! ##
+###############################################################################
+[CA]
+pki_ca_signing_key_algorithm=SHA256withRSA
+pki_ca_signing_key_size=2048
+pki_ca_signing_key_type=rsa
+pki_ca_signing_nickname=caSigningCert cert-%(pki_instance_name)s CA
+pki_ca_signing_signing_algorithm=SHA256withRSA
+pki_ca_signing_subject_dn=cn=CA Signing Certificate,o=%(pki_security_domain_name)s
+pki_ca_signing_token=Internal Key Storage Token
+pki_external=False
+pki_external_ca_cert_chain_path=
+pki_external_ca_cert_path=
+pki_external_csr_path=
+pki_external_step_two=False
+pki_import_admin_cert=False
+pki_ocsp_signing_key_algorithm=SHA256withRSA
+pki_ocsp_signing_key_size=2048
+pki_ocsp_signing_key_type=rsa
+pki_ocsp_signing_nickname=ocspSigningCert cert-%(pki_instance_name)s CA
+pki_ocsp_signing_signing_algorithm=SHA256withRSA
+pki_ocsp_signing_subject_dn=cn=CA OCSP Signing Certificate,o=%(pki_security_domain_name)s
+pki_ocsp_signing_token=Internal Key Storage Token
+pki_subordinate=False
+pki_admin_email=%(pki_admin_name)s@%(pki_dns_domainname)s
+pki_admin_name=%(pki_admin_uid)s
+pki_admin_nickname=PKI Administrator for %(pki_dns_domainname)s
+pki_admin_subject_dn=cn=PKI Administrator,e=%(pki_admin_email)s,o=%(pki_security_domain_name)s
+pki_admin_uid=caadmin
+pki_audit_signing_nickname=auditSigningCert cert-%(pki_instance_name)s CA
+pki_audit_signing_subject_dn=cn=CA Audit Signing Certificate,o=%(pki_security_domain_name)s
+pki_ds_base_dn=o=%(pki_instance_name)s-CA
+pki_ds_database=%(pki_instance_name)s-CA
+pki_ds_hostname=%(pki_hostname)s
+pki_subsystem_name=CA %(pki_hostname)s %(pki_https_port)s
+pki_subsystem_nickname=subsystemCert cert-%(pki_instance_name)s CA
+pki_subsystem_subject_dn=cn=CA Subsystem Certificate,o=%(pki_security_domain_name)s
+
+# Paths
+# These are used in the processing of pkispawn and are not supposed
+# to be overwritten by user configuration files.
+#
+pki_source_emails=/usr/share/pki/ca/emails
+pki_source_flatfile_txt=%(pki_source_conf_path)s/flatfile.txt
+pki_source_profiles=/usr/share/pki/ca/profiles
+pki_source_proxy_conf=%(pki_source_conf_path)s/proxy.conf
+pki_source_registry_cfg=%(pki_source_conf_path)s/registry.cfg
+pki_source_admincert_profile=%(pki_source_conf_path)s/adminCert.profile
+pki_source_caauditsigningcert_profile=%(pki_source_conf_path)s/caAuditSigningCert.profile
+pki_source_cacert_profile=%(pki_source_conf_path)s/caCert.profile
+pki_source_caocspcert_profile=%(pki_source_conf_path)s/caOCSPCert.profile
+pki_source_servercert_profile=%(pki_source_conf_path)s/serverCert.profile
+pki_source_subsystemcert_profile=%(pki_source_conf_path)s/subsystemCert.profile
+pki_subsystem_emails_path=%(pki_subsystem_path)s/emails
+pki_subsystem_profiles_path=%(pki_subsystem_path)s/profiles
+
+
+
+
+###############################################################################
+## KRA Configuration: ##
+## ##
+## Values in this section are common to KRA subsystems ##
+## including 'PKI KRAs' and 'Cloned KRAs', and contain ##
+## required information which MAY be overridden by users as necessary. ##
+###############################################################################
+[KRA]
+pki_import_admin_cert=True
+pki_storage_key_algorithm=SHA256withRSA
+pki_storage_key_size=2048
+pki_storage_key_type=rsa
+pki_storage_nickname=storageCert cert-%(pki_instance_name)s KRA
+pki_storage_signing_algorithm=SHA256withRSA
+pki_storage_subject_dn=cn=DRM Storage Certificate,o=%(pki_security_domain_name)s
+pki_storage_token=Internal Key Storage Token
+pki_transport_key_algorithm=SHA256withRSA
+pki_transport_key_size=2048
+pki_transport_key_type=rsa
+pki_transport_nickname=transportCert cert-%(pki_instance_name)s KRA
+pki_transport_signing_algorithm=SHA256withRSA
+pki_transport_subject_dn=cn=DRM Transport Certificate,o=%(pki_security_domain_name)s
+pki_transport_token=Internal Key Storage Token
+pki_admin_email=%(pki_admin_name)s@%(pki_dns_domainname)s
+pki_admin_name=%(pki_admin_uid)s
+pki_admin_nickname=PKI Administrator for %(pki_dns_domainname)s
+pki_admin_subject_dn=cn=PKI Administrator,e=%(pki_admin_email)s,o=%(pki_security_domain_name)s
+pki_admin_uid=kraadmin
+pki_audit_signing_nickname=auditSigningCert cert-%(pki_instance_name)s KRA
+pki_audit_signing_subject_dn=cn=KRA Audit Signing Certificate,o=%(pki_security_domain_name)s
+pki_ds_base_dn=o=%(pki_instance_name)s-KRA
+pki_ds_database=%(pki_instance_name)s-KRA
+pki_ds_hostname=%(pki_hostname)s
+pki_subsystem_name=KRA %(pki_hostname)s %(pki_https_port)s
+pki_subsystem_nickname=subsystemCert cert-%(pki_instance_name)s KRA
+pki_subsystem_subject_dn=cn=KRA Subsystem Certificate,o=%(pki_security_domain_name)s
+
+# Paths
+# These are used in the processing of pkispawn and are not supposed
+# to be overwritten by user configuration files.
+#
+pki_source_servercert_profile=%(pki_source_conf_path)s/serverCert.profile
+pki_source_storagecert_profile=%(pki_source_conf_path)s/storageCert.profile
+pki_source_subsystemcert_profile=%(pki_source_conf_path)s/subsystemCert.profile
+pki_source_transportcert_profile=%(pki_source_conf_path)s/transportCert.profile
+
+###############################################################################
+## OCSP Configuration: ##
+## ##
+## Values in this section are common to OCSP subsystems ##
+## including 'PKI OCSPs' and 'Cloned OCSPs', and contain ##
+## required information which MAY be overridden by users as necessary. ##
+###############################################################################
+[OCSP]
+pki_import_admin_cert=True
+pki_ocsp_signing_key_algorithm=SHA256withRSA
+pki_ocsp_signing_key_size=2048
+pki_ocsp_signing_key_type=rsa
+pki_ocsp_signing_nickname=ocspSigningCert cert-%(pki_instance_name)s OCSP
+pki_ocsp_signing_signing_algorithm=SHA256withRSA
+pki_ocsp_signing_subject_dn=cn=OCSP Signing Certificate,o=%(pki_security_domain_name)s
+pki_ocsp_signing_token=Internal Key Storage Token
+pki_admin_email=%(pki_admin_name)s@%(pki_dns_domainname)s
+pki_admin_name=%(pki_admin_uid)s
+pki_admin_nickname=PKI Administrator for %(pki_dns_domainname)s
+pki_admin_subject_dn=cn=PKI Administrator,e=%(pki_admin_email)s,o=%(pki_security_domain_name)s
+pki_admin_uid=ocspadmin
+pki_audit_signing_nickname=auditSigningCert cert-%(pki_instance_name)s OCSP
+pki_audit_signing_subject_dn=cn=OCSP Audit Signing Certificate,o=%(pki_security_domain_name)s
+pki_ds_base_dn=o=%(pki_instance_name)s-OCSP
+pki_ds_database=%(pki_instance_name)s-OCSP
+pki_ds_hostname=%(pki_hostname)s
+pki_subsystem_name=OCSP %(pki_hostname)s %(pki_https_port)s
+pki_subsystem_nickname=subsystemCert cert-%(pki_instance_name)s OCSP
+pki_subsystem_subject_dn=cn=OCSP Subsystem Certificate,o=%(pki_security_domain_name)s
+
+###############################################################################
+## RA Configuration: ##
+## ##
+## Values in this section are common to PKI RA subsystems, and contain ##
+## required information which MAY be overridden by users as necessary. ##
+###############################################################################
+[RA]
+
+###############################################################################
+## TKS Configuration: ##
+## ##
+## Values in this section are common to TKS subsystems ##
+## including 'PKI TKSs' and 'Cloned TKSs', and contain ##
+## required information which MAY be overridden by users as necessary. ##
+###############################################################################
+[TKS]
+pki_import_admin_cert=True
+pki_admin_email=%(pki_admin_name)s@%(pki_dns_domainname)s
+pki_admin_name=%(pki_admin_uid)s
+pki_admin_nickname=PKI Administrator for %(pki_dns_domainname)s
+pki_admin_subject_dn=cn=PKI Administrator,e=%(pki_admin_email)s,o=%(pki_security_domain_name)s
+pki_admin_uid=tksadmin
+pki_audit_signing_nickname=auditSigningCert cert-%(pki_instance_name)s TKS
+pki_audit_signing_subject_dn=cn=TKS Audit Signing Certificate,o=%(pki_security_domain_name)s
+pki_ds_base_dn=o=%(pki_instance_name)s-TKS
+pki_ds_database=%(pki_instance_name)s-TKS
+pki_ds_hostname=%(pki_hostname)s
+pki_subsystem_name=TKS %(pki_hostname)s %(pki_https_port)s
+pki_subsystem_nickname=subsystemCert cert-%(pki_instance_name)s TKS
+pki_subsystem_subject_dn=cn=TKS Subsystem Certificate,o=%(pki_security_domain_name)s
+
+###############################################################################
+## TPS Configuration: ##
+## ##
+## Values in this section are common to PKI TPS subsystems, and contain ##
+## required information which MAY be overridden by users as necessary. ##
+###############################################################################
+[TPS]
+
+# Paths
+# These are used in the processing of pkispawn and are not supposed
+# to be overwritten by user configuration files.
+#
+pki_subsystem_signed_audit_log_path=%(pki_subsystem_log_path)s/signedAudit
+
diff --git a/base/server/etc/pki.conf b/base/server/etc/pki.conf
new file mode 100644
index 000000000..24decec52
--- /dev/null
+++ b/base/server/etc/pki.conf
@@ -0,0 +1,4 @@
+# RESTEasy library
+RESTEASY_LIB=${RESTEASY_LIB}
+# JNI jar file location
+JNI_JAR_DIR=${JNI_JAR_DIR} |
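Review bot: `pki_ds_secure_connection=False` in [DEFAULT], next to `pki_ds_ldap_port=389` and `pki_ds_bind_dn=cn=Directory Manager`, makes the unencrypted directory connection the shipped default, so the bind with `pki_ds_password` would presumably cross the network in clear text whenever the directory server is on another host (how pkispawn consumes the flag is not visible in this hunk). The password is listed in `sensitive_parameters` to keep it off the console and out of logs, but nothing tells the user the transport is unprotected; I would add a comment above the key such as `# False: the directory bind is not encrypted; set to True when the directory server is remote` or reconsider the default. Separately, in both [Apache] and [Tomcat], `pki_cgroup_systemd_service_path` and `pki_cgroup_cpu_systemd_service_path` interpolate `%(pki_systemd_service)s`, which is itself an absolute path, so they expand to `/sys/fs/cgroup/systemd/system//lib/systemd/system/...`. In the same two sections `pki_cgroup_cpu_systemd_service` ends in `%(pki_systemd_service)s` where its sibling `pki_cgroup_systemd_service` ends in `%(pki_instance_name)s`, which looks like a copy slip.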
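Review bot: Both assignments, `RESTEASY_LIB=${RESTEASY_LIB}` and `JNI_JAR_DIR=${JNI_JAR_DIR}`, assign a variable to itself as written, so the file is only meaningful if something replaces the `${...}` tokens before it is installed; that is presumably a build-time substitution, but nothing in the file says so. If it is ever read unprocessed, both values stay empty or inherit whatever the calling environment holds, and default.cfg in this same commit builds jar paths from `%(jni_jar_dir)s` and `%(resteasy_lib)s`, which may be fed from here. I would add a header comment such as `# Template: ${RESTEASY_LIB} and ${JNI_JAR_DIR} are replaced at build time; do not install unprocessed.`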