Diffstat (limited to 'base/server/scripts/operations')
-rw-r--r-- | base/server/scripts/operations | 1703 |
1 files changed, 1703 insertions, 0 deletions
diff --git a/base/server/scripts/operations b/base/server/scripts/operations
new file mode 100644
index 000000000..50dd4e4fd
--- /dev/null
+++ b/base/server/scripts/operations
@@ -0,0 +1,1703 @@ +#!/bin/bash -X + +# From "http://fedoraproject.org/wiki/FCNewInit/Initscripts": +# +# Status Exit Codes +# +# 0 program is running or service is OK +# 1 program is dead and /var/run pid file exists +# 2 program is dead and /var/lock lock file exists +# 3 program is not running +# 4 program or service status is unknown +# 5-99 reserved for future LSB use +# 100-149 reserved for distribution use +# 150-199 reserved for application use +# 200-254 reserved +# +# Non-Status Exit Codes +# +# 0 action was successful +# 1 generic or unspecified error (current practice) +# 2 invalid or excess argument(s) +# 3 unimplemented feature (for example, "reload") +# 4 user had insufficient privilege +# 5 program is not installed +# 6 program is not configured +# 7 program is not running +# 8-99 reserved for future LSB use +# 100-149 reserved for distribution use +# 150-199 reserved for application use +# 200-254 reserved +# + +if [ -f /etc/pki/pki.conf ] ; then + . /etc/pki/pki.conf +fi + +# PKI subsystem-level directory and file values for locks +lockfile="/var/lock/subsys/${SERVICE_NAME}" + +default_error=0 + +case $command in + start|stop|restart|condrestart|force-restart|try-restart) + # 1 generic or unspecified error (current practice) + default_error=1 + ;; + reload) + default_error=3 + ;; + status) + # 4 program or service status is unknown + default_error=4 + ;; + *) + # 2 invalid argument(s) + default_error=2 + ;; +esac + +# Enable nullglob, if set then shell pattern globs which do not match any +# file returns the empty string rather than the unmodified glob pattern. +shopt -s nullglob + +OS=`uname -s` +ARCHITECTURE=`uname -i` + +# Check to insure that this script's original invocation directory +# has not been deleted! +CWD=`/bin/pwd > /dev/null 2>&1` +if [ $? -ne 0 ] ; then + echo "Cannot invoke '$PROG_NAME' from non-existent directory!" 
+ exit ${default_error} +fi + +# Check to insure that this script's associated PKI +# subsystem currently resides on this system. +PKI_CA_PATH="/usr/share/pki/ca" +PKI_KRA_PATH="/usr/share/pki/kra" +PKI_OCSP_PATH="/usr/share/pki/ocsp" +PKI_RA_PATH="/usr/share/pki/ra" +PKI_TKS_PATH="/usr/share/pki/tks" +PKI_TPS_PATH="/usr/share/pki/tps" +if [ '${PKI_TYPE}' == "apache" ] ; then + if [ ! -d ${PKI_RA_PATH} ] && + [ ! -d ${PKI_TPS_PATH} ] ; then + echo "This machine is missing all PKI '${PKI_TYPE}' subsystems!" + if [ "${command}" != "status" ]; then + # 5 program is not installed + exit 5 + else + exit ${default_error} + fi + fi +elif [ '${PKI_TYPE}' == "tomcat" ] ; then + if [ ! -d ${PKI_CA_PATH} ] && + [ ! -d ${PKI_KRA_PATH} ] && + [ ! -d ${PKI_OCSP_PATH} ] && + [ ! -d ${PKI_TKS_PATH} ] ; then + echo "This machine is missing all PKI '${PKI_TYPE}' subsystems!" + if [ "${command}" != "status" ]; then + # 5 program is not installed + exit 5 + else + exit ${default_error} + fi + fi +fi + +# This script must be run as root! +RV=0 +if [ `id -u` -ne 0 ] ; then + echo "Must be 'root' to execute '$PROG_NAME'!" 
+ if [ "${command}" != "status" ]; then + # 4 user had insufficient privilege + exit 4 + else + # 4 program or service status is unknown + exit 4 + fi +fi + +PKI_INSTANCE_TYPES="apache tomcat" +PKI_REGISTRY_ENTRIES="" +PKI_SUBSYSTEMS="" +TOTAL_PKI_REGISTRY_ENTRIES=0 +TOTAL_UNCONFIGURED_PKI_ENTRIES=0 + +# Gather ALL registered instances of this PKI web server type +for INSTANCE in ${PKI_REGISTRY}/*; do + if [ -d "$INSTANCE" ] ; then + for REGISTRY in ${INSTANCE}/*; do + if [ -f "$REGISTRY" ] ; then + PKI_REGISTRY_ENTRIES="${PKI_REGISTRY_ENTRIES} $REGISTRY" + TOTAL_PKI_REGISTRY_ENTRIES=`expr ${TOTAL_PKI_REGISTRY_ENTRIES} + 1` + fi + done + fi +done + +# Execute the specified registered instance of this PKI web server type +if [ -n "${pki_instance_id}" ]; then + for INSTANCE in ${PKI_REGISTRY_ENTRIES}; do + if [ "`basename ${INSTANCE}`" == "${pki_instance_id}" ]; then + PKI_REGISTRY_ENTRIES="${INSTANCE}" + TOTAL_PKI_REGISTRY_ENTRIES=1 + break + fi + done +fi + +usage() +{ + echo -n "Usage: ${SERVICE_PROG} ${SERVICE_NAME}" + echo -n "{start" + echo -n "|stop" + echo -n "|restart" + echo -n "|condrestart" + echo -n "|force-restart" + echo -n "|try-restart" + echo -n "|reload" + echo -n "|status} " + echo -n "[instance-name]" + echo + echo +} + +usage_systemd() +{ + echo -n "Usage: /usr/bin/pkidaemon " + echo -n "{start" + echo -n "|stop" + echo -n "|restart" + echo -n "|condrestart" + echo -n "|force-restart" + echo -n "|try-restart" + echo -n "|reload" + echo -n "|status} " + echo -n "instance-type " + echo -n "[instance-name]" + echo + echo +} + +list_systemd_instance_types() +{ + echo + for PKI_INSTANCE_TYPE in $PKI_INSTANCE_TYPES; do + echo " $PKI_INSTANCE_TYPE" + done + echo +} + +list_instances() +{ + echo + for PKI_REGISTRY_ENTRY in $PKI_REGISTRY_ENTRIES; do + instance_name=`basename $PKI_REGISTRY_ENTRY` + echo " $instance_name" + done + echo +} + +list_systemd_instances() +{ + echo + for INSTANCE in /etc/sysconfig/pki/apache/*; do + if [ -d "${INSTANCE}" ] ; 
then + instance_name=`basename ${INSTANCE}` + echo " $instance_name" + fi + done + for INSTANCE in /etc/sysconfig/pki/tomcat/*; do + if [ -d "${INSTANCE}" ] ; then + instance_name=`basename ${INSTANCE}` + echo " $instance_name" + fi + done + echo +} + +get_subsystems() +{ + # Re-initialize PKI_SUBSYSTEMS for each instance + PKI_SUBSYSTEMS="" + case ${PKI_WEB_SERVER_TYPE} in + tomcat) + for SUBSYSTEM in ca kra ocsp tks; do + if [ -d ${PKI_INSTANCE_PATH}/conf/${SUBSYSTEM} ]; then + if [ '${PKI_SUBSYSTEMS}' == "" ] ; then + PKI_SUBSYSTEMS="${SUBSYSTEM}" + else + PKI_SUBSYSTEMS="${PKI_SUBSYSTEMS} ${SUBSYSTEM}" + fi + fi + done + ;; + apache) + for SUBSYSTEM in ra tps; do + if [ -d ${PKI_INSTANCE_PATH}/conf/${SUBSYSTEM} ]; then + if [ '${PKI_SUBSYSTEMS}' == "" ] ; then + PKI_SUBSYSTEMS="${SUBSYSTEM}" + else + PKI_SUBSYSTEMS="${PKI_SUBSYSTEMS} ${SUBSYSTEM}" + fi + fi + done + ;; + *) + echo "Unknown web server type ($PKI_WEB_SERVER_TYPE)" + exit ${default_error} + ;; + esac +} + +# Check arguments +if [ $SYSTEMD ]; then + if [ $# -lt 2 ] ; then + # [insufficient arguments] + echo "$PROG_NAME: Insufficient arguments!" + echo + usage_systemd + echo "where valid instance types include:" + list_systemd_instance_types + echo "and where valid instance names include:" + list_systemd_instances + exit 3 + elif [ ${default_error} -eq 2 ] ; then + # 2 invalid argument + echo "$PROG_NAME: Invalid arguments!" + echo + usage_systemd + echo "where valid instance types include:" + list_systemd_instance_types + echo "and where valid instance names include:" + list_systemd_instances + exit 2 + elif [ $# -gt 3 ] ; then + echo "$PROG_NAME: Excess arguments!" 
+ echo + usage_systemd + echo "where valid instance types include:" + list_systemd_instance_types + echo "and where valid instance names include:" + list_systemd_instances + if [ "${command}" != "status" ]; then + # 2 excess arguments + exit 2 + else + # 4 program or service status is unknown + exit 4 + fi + fi +else + if [ $# -lt 1 ] ; then + # 3 unimplemented feature (for example, "reload") + # [insufficient arguments] + echo "$PROG_NAME: Insufficient arguments!" + echo + usage + echo "where valid instance names include:" + list_instances + exit 3 + elif [ ${default_error} -eq 2 ] ; then + # 2 invalid argument + echo "$PROG_NAME: Invalid arguments!" + echo + usage + echo "where valid instance names include:" + list_instances + exit 2 + elif [ $# -gt 2 ] ; then + echo "$PROG_NAME: Excess arguments!" + echo + usage + echo "where valid instance names include:" + list_instances + if [ "${command}" != "status" ]; then + # 2 excess arguments + exit 2 + else + # 4 program or service status is unknown + exit 4 + fi + fi +fi + +# If an "instance" was supplied, check that it is a "valid" instance +if [ -n "${pki_instance_id}" ]; then + valid=0 + for PKI_REGISTRY_ENTRY in $PKI_REGISTRY_ENTRIES; do + instance_name=`basename $PKI_REGISTRY_ENTRY` + if [ "${pki_instance_id}" == "${instance_name}" ]; then + valid=1 + break + fi + done + if [ $valid -eq 0 ]; then + if [ "${pki_instance_type}" != "apache" ] && + [ "${pki_instance_type}" != "tomcat" ]; then + echo -n "unknown instance type (${pki_instance_type})" + else + echo -n "${pki_instance_id} is an invalid '${PKI_TYPE}' instance" + fi + if [ ! 
$SYSTEMD ]; then + echo_failure + fi + echo + + if [ "${command}" != "status" ]; then + # 5 program is not installed + exit 5 + else + # 4 program or service status is unknown + exit 4 + fi + fi +fi + +check_pki_configuration_status() +{ + rv=0 + + case ${PKI_WEB_SERVER_TYPE} in + tomcat) + for SUBSYSTEM in ca kra ocsp tks; do + if [ -d ${PKI_INSTANCE_PATH}/conf/${SUBSYSTEM} ]; then + rv=`grep -c ^preop ${PKI_INSTANCE_PATH}/conf/${SUBSYSTEM}/CS.cfg` + rv=`expr ${rv} + 0` + fi + done + ;; + apache) + # TBD + ;; + *) + echo "Unknown web server type ($PKI_WEB_SERVER_TYPE)" + exit ${default_error} + ;; + esac + + if [ $rv -ne 0 ] ; then + echo " '${PKI_INSTANCE_ID}' must still be CONFIGURED!" + echo " (see /var/log/${PKI_INSTANCE_ID}-install.log)" + if [ "${command}" != "status" ]; then + # 6 program is not configured + rv=6 + else + # 4 program or service status is unknown + rv=4 + fi + TOTAL_UNCONFIGURED_PKI_ENTRIES=`expr ${TOTAL_UNCONFIGURED_PKI_ENTRIES} + 1` + elif [ -f ${RESTART_SERVER} ] ; then + echo -n " Although '${PKI_INSTANCE_ID}' has been CONFIGURED, " + echo -n "it must still be RESTARTED!" + echo + if [ "${command}" != "status" ]; then + # 1 generic or unspecified error (current practice) + rv=1 + else + # 4 program or service status is unknown + rv=4 + fi + fi + + return $rv +} + +get_pki_status_definitions() +{ + case $PKI_WEB_SERVER_TYPE in + tomcat) + PKI_SERVER_XML_CONF=${PKI_INSTANCE_PATH}/conf/server.xml + get_pki_status_definitions_tomcat + return $? + ;; + ra) + get_pki_status_definitions_ra + return $? + ;; + tps) + get_pki_status_definitions_tps + return $? + ;; + *) + echo "Unknown web server type ($PKI_WEB_SERVER_TYPE)" + exit ${default_error} + ;; + esac +} + +get_pki_status_definitions_ra() +{ + # establish well-known strings + total_ports=0 + UNSECURE_PORT="" + CLIENTAUTH_PORT="" + NON_CLIENTAUTH_PORT="" + + # check to see that an instance-specific "httpd.conf" file exists + if [ ! 
-f ${PKI_HTTPD_CONF} ] ; then + echo "File '${PKI_HTTPD_CONF}' does not exist!" + exit ${default_error} + fi + + # check to see that an instance-specific "nss.conf" file exists + if [ ! -f ${PKI_NSS_CONF} ] ; then + echo "File '${PKI_NSS_CONF}' does not exist!" + exit ${default_error} + fi + + # Iterate over Listen statements + for port in `sed -n 's/^[ \t]*Listen[ \t][ \t]*\([^ \t][^ \t]*\)/\1/p' ${PKI_HTTPD_CONF}`; do + UNSECURE_PORT=$port + if [ $total_ports -eq 0 ]; then + echo " Unsecure Port = http://${PKI_SERVER_NAME}:${UNSECURE_PORT}" + else + echo "ERROR: extra Unsecure Port = http://${PKI_SERVER_NAME}:${UNSECURE_PORT}" + fi + total_ports=`expr ${total_ports} + 1` + + done + + # Iterate over Listen statements + for port in `sed -n 's/^[ \t]*Listen[ \t][ \t]*\([^ \t][^ \t]*\)/\1/p' ${PKI_NSS_CONF}`; do + UNSECURE_PORT=$port + if [ $total_ports -eq 1 ]; then + CLIENTAUTH_PORT=$port + echo " Secure Clientauth Port = https://${PKI_SERVER_NAME}:${CLIENTAUTH_PORT}" + fi + if [ $total_ports -eq 2 ]; then + NON_CLIENTAUTH_PORT=$port + echo " Secure Non-Clientauth Port = https://${PKI_SERVER_NAME}:${NON_CLIENTAUTH_PORT}" + fi + total_ports=`expr ${total_ports} + 1` + + done + + return 0; +} + +get_pki_status_definitions_tps() +{ + # establish well-known strings + total_ports=0 + UNSECURE_PORT="" + CLIENTAUTH_PORT="" + NON_CLIENTAUTH_PORT="" + + # check to see that an instance-specific "httpd.conf" file exists + if [ ! -f ${PKI_HTTPD_CONF} ] ; then + echo "File '${PKI_HTTPD_CONF}' does not exist!" + exit ${default_error} + fi + + # check to see that an instance-specific "nss.conf" file exists + if [ ! -f ${PKI_NSS_CONF} ] ; then + echo "File '${PKI_NSS_CONF}' does not exist!" 
+ exit ${default_error} + fi + + # Iterate over Listen statements + for port in `sed -n 's/^[ \t]*Listen[ \t][ \t]*\([^ \t][^ \t]*\)/\1/p' ${PKI_HTTPD_CONF}`; do + UNSECURE_PORT=$port + if [ $total_ports -eq 0 ]; then + echo " Unsecure Port = http://${PKI_SERVER_NAME}:${UNSECURE_PORT}/cgi-bin/so/enroll.cgi" + echo " (ESC Security Officer Enrollment)" + echo " Unsecure Port = http://${PKI_SERVER_NAME}:${UNSECURE_PORT}/cgi-bin/home/index.cgi" + echo " (ESC Phone Home)" + else + echo "ERROR: extra Unsecure Port = http://${PKI_SERVER_NAME}:${UNSECURE_PORT}" + fi + total_ports=`expr ${total_ports} + 1` + + done + + # Iterate over Listen statements + for port in `sed -n 's/^[ \t]*Listen[ \t][ \t]*\([^ \t][^ \t]*\)/\1/p' ${PKI_NSS_CONF}`; do + UNSECURE_PORT=$port + if [ $total_ports -eq 1 ]; then + CLIENTAUTH_PORT=$port + echo " Secure Clientauth Port = https://${PKI_SERVER_NAME}:${CLIENTAUTH_PORT}/cgi-bin/sow/welcome.cgi" + echo " (ESC Security Officer Workstation)" + echo " Secure Clientauth Port = https://${PKI_SERVER_NAME}:${CLIENTAUTH_PORT}/tus" + echo " (TPS Roles - Operator/Administrator/Agent)" + fi + if [ $total_ports -eq 2 ]; then + NON_CLIENTAUTH_PORT=$port + echo " Secure Non-Clientauth Port = https://${PKI_SERVER_NAME}:${NON_CLIENTAUTH_PORT}/cgi-bin/so/enroll.cgi" + echo " (ESC Security Officer Enrollment)" + echo " Secure Non-Clientauth Port = https://${PKI_SERVER_NAME}:${NON_CLIENTAUTH_PORT}/cgi-bin/home/index.cgi" + echo " (ESC Phone Home)" + fi + total_ports=`expr ${total_ports} + 1` + + done + + return 0; +} + +get_pki_status_definitions_tomcat() +{ + # establish well-known strings + begin_pki_status_comment="<!-- DO NOT REMOVE - Begin PKI Status Definitions -->" + begin_ca_status_comment="<!-- CA Status Definitions -->" + begin_kra_status_comment="<!-- KRA Status Definitions -->" + begin_ocsp_status_comment="<!-- OCSP Status Definitions -->" + begin_tks_status_comment="<!-- TKS Status Definitions -->" + end_pki_status_comment="<!-- Begin DO NOT REMOVE - 
End PKI Status Definitions -->" + total_ports=0 + unsecure_port_statement="Unsecure Port" + secure_agent_port_statement="Secure Agent Port" + secure_ee_port_statement="Secure EE Port" + secure_ee_client_auth_port_statement="EE Client Auth Port" + secure_admin_port_statement="Secure Admin Port" + pki_console_port_statement="PKI Console Port" + tomcat_port_statement="Tomcat Port" + + # initialize looping variables + pki_status_comment_found=0 + display_pki_ca_status_banner=0 + display_pki_kra_status_banner=0 + display_pki_ocsp_status_banner=0 + display_pki_tks_status_banner=0 + process_pki_ca_status=0 + process_pki_kra_status=0 + process_pki_ocsp_status=0 + process_pki_tks_status=0 + + # first check to see that an instance-specific "server.xml" file exists + if [ ! -f ${PKI_SERVER_XML_CONF} ] ; then + echo "File '${PKI_SERVER_XML_CONF}' does not exist!" + exit ${default_error} + fi + + # identify all PKI subsystems present within this PKI instance + if [ -e ${PKI_INSTANCE_PATH}/ca ]; then + display_pki_ca_status_banner=1 + fi + if [ -e ${PKI_INSTANCE_PATH}/kra ]; then + display_pki_kra_status_banner=1 + fi + if [ -e ${PKI_INSTANCE_PATH}/ocsp ]; then + display_pki_ocsp_status_banner=1 + fi + if [ -e ${PKI_INSTANCE_PATH}/tks ]; then + display_pki_tks_status_banner=1 + fi + + # read this instance-specific "server.xml" file line-by-line + # to obtain the current PKI Status Definitions + exec < ${PKI_SERVER_XML_CONF} + while read line; do + # first look for the well-known end PKI Status comment + # (to turn off processing) + if [ "$line" == "$end_pki_status_comment" ] ; then + # always turn off processing TKS status at this point + process_pki_tks_status=0 + pki_status_comment_found=0 + break; + fi + + # then look for the well-known begin PKI Status comment + # (to turn on processing) + if [ "$line" == "$begin_pki_status_comment" ] ; then + pki_status_comment_found=1 + fi + + # once the well-known begin PKI Status comment has been found, + # begin processing to obtain all 
of the PKI Status Definitions + if [ $pki_status_comment_found -eq 1 ] ; then + head=`echo "$line" | sed -e 's/^\([^=]*\)[ \t]*= .*$/\1/' -e 's/[ \t]*$//'` + if [ "$line" == "$begin_ca_status_comment" ] ; then + if [ $display_pki_ca_status_banner -eq 1 ] ; then + # print CA Status Definition banner + echo + echo " [CA Status Definitions]" + # turn on processing CA status at this point + process_pki_ca_status=1 + fi + elif [ "$line" == "$begin_kra_status_comment" ] ; then + # always turn off processing CA status at this point + process_pki_ca_status=0 + if [ $display_pki_kra_status_banner -eq 1 ] ; then + # print DRM Status Definition banner + echo + echo " [DRM Status Definitions]" + # turn on processing DRM status at this point + process_pki_kra_status=1 + fi + elif [ "$line" == "$begin_ocsp_status_comment" ] ; then + # always turn off processing DRM status at this point + process_pki_kra_status=0 + if [ $display_pki_ocsp_status_banner -eq 1 ] ; then + # print OCSP Status Definition banner + echo + echo " [OCSP Status Definitions]" + # turn on processing OCSP status at this point + process_pki_ocsp_status=1 + fi + elif [ "$line" == "$begin_tks_status_comment" ] ; then + # always turn off processing OCSP status at this point + process_pki_ocsp_status=0 + if [ $display_pki_tks_status_banner -eq 1 ] ; then + # print TKS Status Definition banner + echo + echo " [TKS Status Definitions]" + # turn on processing TKS status at this point + process_pki_tks_status=1 + fi + elif [ $process_pki_ca_status -eq 1 ] || + [ $process_pki_kra_status -eq 1 ] || + [ $process_pki_ocsp_status -eq 1 ] || + [ $process_pki_tks_status -eq 1 ] ; then + # look for a PKI Status Definition and print it + if [ "$head" == "$unsecure_port_statement" ] || + [ "$head" == "$secure_agent_port_statement" ] || + [ "$head" == "$secure_ee_port_statement" ] || + [ "$head" == "$secure_admin_port_statement" ] || + [ "$head" == "$secure_ee_client_auth_port_statement" ] || + [ "$head" == 
"$pki_console_port_statement" ] || + [ "$head" == "$tomcat_port_statement" ] ; then + echo " $line" + total_ports=`expr ${total_ports} + 1` + fi + fi + fi + done + + return 0; +} + +get_pki_configuration_definitions() +{ + # Obtain the PKI Subsystem Type + line=`grep -e '^[ \t]*cs.type[ \t]*=' ${PKI_SUBSYSTEM_CONFIGURATION_FILE}` + pki_subsystem=`echo "${line}" | sed -e 's/^[^=]*=[ \t]*\(.*\)/\1/' -e 's/[ \t]*$//'` + if [ "${line}" != "" ] ; then + if [ "${pki_subsystem}" != "CA" ] && + [ "${pki_subsystem}" != "KRA" ] && + [ "${pki_subsystem}" != "OCSP" ] && + [ "${pki_subsystem}" != "TKS" ] && + [ "${pki_subsystem}" != "RA" ] && + [ "${pki_subsystem}" != "TPS" ] + then + return ${default_error} + fi + if [ "${pki_subsystem}" == "KRA" ] ; then + # Rename "KRA" to "DRM" + pki_subsystem="DRM" + fi + else + return ${default_error} + fi + + # If "${pki_subsystem}" is a CA, DRM, OCSP, or TKS, + # check to see if "${pki_subsystem}" is a "Clone" + pki_clone="" + if [ "${pki_subsystem}" == "CA" ] || + [ "${pki_subsystem}" == "DRM" ] || + [ "${pki_subsystem}" == "OCSP" ] || + [ "${pki_subsystem}" == "TKS" ] + then + line=`grep -e '^[ \t]*subsystem.select[ \t]*=' ${PKI_SUBSYSTEM_CONFIGURATION_FILE}` + if [ "${line}" != "" ] ; then + pki_clone=`echo "${line}" | sed -e 's/^[^=]*[ \t]*=[ \t]*\(.*\)/\1/' -e 's/[ \t]*$//'` + if [ "${pki_clone}" != "Clone" ] ; then + # Reset "${pki_clone}" to be empty + pki_clone="" + fi + else + return ${default_error} + fi + fi + + # If "${pki_subsystem}" is a CA, and is NOT a "Clone", check to + # see "${pki_subsystem}" is a "Root" or a "Subordinate" CA + pki_hierarchy="" + if [ "${pki_subsystem}" == "CA" ] && + [ "${pki_clone}" != "Clone" ] + then + line=`grep -e '^[ \t]*hierarchy.select[ \t]*=' ${PKI_SUBSYSTEM_CONFIGURATION_FILE}` + if [ "${line}" != "" ] ; then + pki_hierarchy=`echo "${line}" | sed -e 's/^[^=]*[ \t]*=[ \t]*\(.*\)/\1/' -e 's/[ \t]*$//'` + else + return ${default_error} + fi + fi + + # If ${pki_subsystem} is a CA, check to + # 
see if it is also a Security Domain + pki_security_domain="" + if [ "${pki_subsystem}" == "CA" ] ; then + line=`grep -e '^[ \t]*securitydomain.select[ \t]*=' ${PKI_SUBSYSTEM_CONFIGURATION_FILE}` + if [ "${line}" != "" ] ; then + pki_security_domain=`echo "${line}" | sed -e 's/^[^=]*[ \t]*=[ \t]*\(.*\)/\1/' -e 's/[ \t]*$//'` + if [ "${pki_security_domain}" == "new" ] ; then + # Set a fixed value for "${pki_security_domain}" + pki_security_domain="(Security Domain)" + else + # Reset "${pki_security_domain}" to be empty + pki_security_domain="" + fi + else + return ${default_error} + fi + fi + + # Always obtain this PKI instance's "registered" + # security domain information + pki_security_domain_name="" + pki_security_domain_hostname="" + pki_security_domain_https_admin_port="" + + line=`grep -e '^[ \t]*securitydomain.name[ \t]*=' ${PKI_SUBSYSTEM_CONFIGURATION_FILE}` + if [ "${line}" != "" ] ; then + pki_security_domain_name=`echo "${line}" | sed -e 's/^[^=]*[ \t]*=[ \t]*\(.*\)/\1/' -e 's/[ \t]*$//'` + else + return ${default_error} + fi + + line=`grep -e '^[ \t]*securitydomain.host[ \t]*=' ${PKI_SUBSYSTEM_CONFIGURATION_FILE}` + if [ "${line}" != "" ] ; then + pki_security_domain_hostname=`echo "${line}" | sed -e 's/^[^=]*[ \t]*=[ \t]*\(.*\)/\1/' -e 's/[ \t]*$//'` + else + return ${default_error} + fi + + line=`grep -e '^[ \t]*securitydomain.httpsadminport[ \t]*=' ${PKI_SUBSYSTEM_CONFIGURATION_FILE}` + if [ "${line}" != "" ] ; then + pki_security_domain_https_admin_port=`echo "${line}" | sed -e 's/^[^=]*[ \t]*=[ \t]*\(.*\)/\1/' -e 's/[ \t]*$//'` + else + return ${default_error} + fi + + # Compose the "PKI Instance Name" Status Line + pki_instance_name="PKI Instance Name: ${PKI_INSTANCE_ID}" + + # Compose the "PKI Subsystem Type" Status Line + header="PKI Subsystem Type: " + if [ "${pki_clone}" != "" ] ; then + if [ "${pki_security_domain}" != "" ]; then + # Possible Values: + # + # "CA Clone (Security Domain)" + # + data="${pki_subsystem} ${pki_clone} 
${pki_security_domain}" + else + # Possible Values: + # + # "CA Clone" + # "DRM Clone" + # "OCSP Clone" + # "TKS Clone" + # + data="${pki_subsystem} ${pki_clone}" + fi + elif [ "${pki_hierarchy}" != "" ] ; then + if [ "${pki_security_domain}" != "" ]; then + # Possible Values: + # + # "Root CA (Security Domain)" + # "Subordinate CA (Security Domain)" + # + data="${pki_hierarchy} ${pki_subsystem} ${pki_security_domain}" + else + # Possible Values: + # + # "Root CA" + # "Subordinate CA" + # + data="${pki_hierarchy} ${pki_subsystem}" + fi + else + # Possible Values: + # + # "DRM" + # "OCSP" + # "RA" + # "TKS" + # "TPS" + # + data="${pki_subsystem}" + fi + pki_subsystem_type="${header} ${data}" + + # Compose the "Registered PKI Security Domain Information" Status Line + header="Name: " + registered_pki_security_domain_name="${header} ${pki_security_domain_name}" + + header="URL: " + if [ "${pki_security_domain_hostname}" != "" ] && + [ "${pki_security_domain_https_admin_port}" != "" ] + then + data="https://${pki_security_domain_hostname}:${pki_security_domain_https_admin_port}" + else + return ${default_error} + fi + registered_pki_security_domain_url="${header} ${data}" + + # Print the "PKI Subsystem Type" Status Line + echo + echo " [${pki_subsystem} Configuration Definitions]" + echo " ${pki_instance_name}" + + # Print the "PKI Subsystem Type" Status Line + echo + echo " ${pki_subsystem_type}" + + # Print the "Registered PKI Security Domain Information" Status Line + echo + echo " Registered PKI Security Domain Information:" + echo " ==========================================================================" + echo " ${registered_pki_security_domain_name}" + echo " ${registered_pki_security_domain_url}" + echo " ==========================================================================" + + return 0 +} + +display_configuration_information() +{ + result=0 + check_pki_configuration_status + rv=$? + if [ $rv -eq 0 ] ; then + get_pki_status_definitions + rv=$? 
+ if [ $rv -ne 0 ] ; then + result=$rv + echo + echo "${PKI_INSTANCE_ID} Status Definitions not found" + else + get_subsystems + for SUBSYSTEM in ${PKI_SUBSYSTEMS}; do + PKI_SUBSYSTEM_CONFIGURATION_FILE="${PKI_INSTANCE_PATH}/conf/${SUBSYSTEM}/CS.cfg" + get_pki_configuration_definitions + rv=$? + if [ $rv -ne 0 ] ; then + result=$rv + echo + echo "${PKI_INSTANCE_ID} Configuration Definitions not found for ${SUBSYSTEM}" + fi + done + fi + fi + return $result +} + +display_instance_status_systemd() +{ + echo -n "Status for ${PKI_INSTANCE_ID}: " + systemctl status "$PKI_SYSTEMD_TARGET@$PKI_INSTANCE_ID.service" > /dev/null 2>&1 + rv=$? + + if [ $rv -eq 0 ] ; then + echo "$PKI_INSTANCE_ID is running .." + display_configuration_information + else + echo "$PKI_INSTANCE_ID is stopped" + fi + + return $rv +} + +display_instance_status() +{ + # Verify there is an initscript for this instance + if [ ! -f $PKI_INSTANCE_INITSCRIPT ]; then + # 4 program or service status is unknown + return 4 + fi + + # Invoke the initscript for this instance + $PKI_INSTANCE_INITSCRIPT status + rv=$? + + if [ $rv -eq 0 ] ; then + display_configuration_information + fi + + return $rv +} + +make_symlink() +{ + symlink="${1}" + target="${2}" + user="${3}" + group="${4}" + + rv=0 + + echo "INFO: Attempting to create '${symlink}' -> '${target}' . . ." + # Check to make certain that the expected target exists. + # + # NOTE: The symbolic link does NOT exist at this point. + # + if [ -e ${target} ]; then + # Check that the expected target is fully resolvable! + if [ ! `readlink -qe ${target}` ]; then + # Issue an ERROR that the target to which the + # symbolic link is expected to point is NOT fully resolvable! + echo "ERROR: Failed making '${symlink}' -> '${target}'"\ + "since target '${target}' is NOT fully resolvable!" + rv=1 + else + # Attempt to create a symbolic link and 'chown' it. + ln -s ${target} ${symlink} + rv=$? + if [ $rv -eq 0 ]; then + # NOTE: Ignore 'chown' errors. 
+ chown -h ${user}:${group} ${symlink} + echo "SUCCESS: Created '${symlink}' -> '${target}'" + else + echo "ERROR: Failed to create '${symlink}' -> '${target}'!" + rv=1 + fi + fi + else + # Issue an ERROR that the target to which the + # symbolic link is expected to point does NOT exist. + echo "ERROR: Failed making '${symlink}' -> '${target}'"\ + "since target '${target}' does NOT exist!" + rv=1 + fi + + return $rv +} + +check_symlinks() +{ + # declare -p symlinks + path="${1}" + user="${2}" + group="${3}" + + rv=0 + + # process key/value pairs (symlink/target) in the associative array + for key in "${!symlinks[@]}" + do + symlink="${path}/${key}" + target=${symlinks[${key}]} + if [ -e ${symlink} ]; then + if [ -h ${symlink} ]; then + current_target=`readlink ${symlink}` + # Verify that the current target to which the + # symlink points is the expected target + if [ ${current_target} == ${target} ]; then + # Check to make certain that the expected target exists. + if [ -e ${target} ]; then + # Check that the expected target is fully resolvable! + if [ ! `readlink -qe ${target}` ]; then + # Issue an ERROR that the target to which the + # symbolic link is expected to point is NOT + # fully resolvable! + echo "WARNING: Symbolic link '${symlink}'"\ + "exists, but is a dangling symlink!"\ + echo "ERROR: Unable to create"\ + "'${symlink}' -> '${target}'"\ + "since target '${target}' is NOT fully"\ + "resolvable!" + rv=1 + else + # ALWAYS run 'chown' on an existing '${symlink}' + # that points to a fully resolvable '${target}' + # + # NOTE: Ignore 'chown' errors. + # + chown -h ${user}:${group} ${symlink} + # echo "SUCCESS: '${symlink}' -> '${target}'" + fi + else + # Issue an ERROR that the target to which the + # symbolic link is expected to point does NOT exist. + echo "WARNING: Symbolic link '${symlink}'"\ + "exists, but is a dangling symlink!"\ + echo "ERROR: Unable to create"\ + "'${symlink}' -> '${target}'"\ + "since target '${target}' does NOT exist!" 
+ rv=1 + fi + else + # Attempt to remove this symbolic link and + # issue a WARNING that a new symbolic link is + # being created to point to the expected target + # rather than the current target to which it + # points. + echo "WARNING: Attempting to change symbolic link"\ + "'${symlink}' to point to target '${target}'"\ + "INSTEAD of current target '${current_target}'!" + rm ${symlink} + rv=$? + if [ $rv -ne 0 ]; then + echo "ERROR: Failed to remove"\ + "'${symlink}' -> '${current_target}'!" + rv=1 + else + echo "INFO: Removed"\ + "'${symlink}' -> '${current_target}'!" + # Attempt to create the symbolic link and chown it. + make_symlink ${symlink} ${target} ${user} ${group} + rv=$? + fi + fi + elif [ -f ${symlink} ]; then + # Issue a WARNING that the administrator may have replaced + # the symbolic link with a file for debugging purposes. + echo "WARNING: '${symlink}' exists but is NOT a symbolic link!" + else + # Issue an ERROR that the symbolic link has been replaced + # by something unusable (such as a directory). + echo "ERROR: '${symlink}' exists but is NOT a symbolic link!" + rv=1 + fi + else + # Issue a WARNING that this symbolic link does not exist. + echo "WARNING: Symbolic link '${symlink}' does NOT exist!" + # Attempt to create the symbolic link and chown it. + make_symlink ${symlink} ${target} ${user} ${group} + rv=$? + fi + done + + return $rv +} + +# Detect and correct any missing or incorrect symlinks. 
+# +# Use the following command to locate PKI 'instance' symlinks: +# +# find ${PKI_INSTANCE_PATH} -type l | sort | xargs file +# +verify_symlinks() +{ + # declare associative arrays + declare -A base_symlinks + declare -A root_symlinks + declare -A ca_symlinks + declare -A kra_symlinks + declare -A ocsp_symlinks + declare -A tks_symlinks + declare -A common_jar_symlinks + declare -A ca_jar_symlinks + declare -A kra_jar_symlinks + declare -A ocsp_jar_symlinks + declare -A tks_jar_symlinks + declare -A systemd_symlinks + + # Dogtag 10 Conditional Variables + jni_dir=`source /etc/pki/pki.conf && echo $JNI_JAR_DIR` + + # Dogtag 10 Symbolic Link Target Variables + java_dir="/usr/share/java" + pki_systemd_service="pki-${PKI_WEB_SERVER_TYPE}d@.service" + systemd_dir="/lib/systemd/system" + + # Dogtag 10 Symbolic Link Variables + pki_common_jar_dir="${PKI_INSTANCE_PATH}/common/lib" + pki_registry_dir="/etc/sysconfig/pki/${PKI_WEB_SERVER_TYPE}/${PKI_INSTANCE_ID}" + pki_systemd_dir="/etc/systemd/system/pki-tomcatd.target.wants" + pki_systemd_link="pki-${PKI_WEB_SERVER_TYPE}d@${PKI_INSTANCE_ID}.service" + pki_ca_jar_dir="${PKI_INSTANCE_PATH}/webapps/ca/WEB-INF/lib" + pki_kra_jar_dir="${PKI_INSTANCE_PATH}/webapps/kra/WEB-INF/lib" + pki_ocsp_jar_dir="${PKI_INSTANCE_PATH}/webapps/ocsp/WEB-INF/lib" + pki_tks_jar_dir="${PKI_INSTANCE_PATH}/webapps/tks/WEB-INF/lib" + + # '${PKI_INSTANCE_PATH}' symlinks + base_symlinks=( + [alias]=/etc/pki/${PKI_INSTANCE_ID}/alias + [bin]=/usr/share/tomcat/bin + [conf]=/etc/pki/${PKI_INSTANCE_ID} + [logs]=/var/log/pki/${PKI_INSTANCE_ID}) + + # '${PKI_INSTANCE_PATH}' symlinks (root:root ownership) + root_symlinks[${PKI_INSTANCE_ID}]=/usr/sbin/tomcat-sysd + + # '${PKI_INSTANCE_PATH}/ca' symlinks + ca_symlinks=( + [alias]=${PKI_INSTANCE_PATH}/alias + [conf]=/etc/pki/${PKI_INSTANCE_ID}/ca + [logs]=/var/log/pki/${PKI_INSTANCE_ID}/ca + [registry]=${pki_registry_dir} + [webapps]=${PKI_INSTANCE_PATH}/webapps) + + # '${pki_ca_jar_dir}' symlinks + 
ca_jar_symlinks=( + [pki-certsrv.jar]=${java_dir}/pki/pki-certsrv.jar + [pki-cms.jar]=${java_dir}/pki/pki-cms.jar + [pki-cmsbundle.jar]=${java_dir}/pki/pki-cmsbundle.jar + [pki-cmscore.jar]=${java_dir}/pki/pki-cmscore.jar + [pki-cmsutil.jar]=${java_dir}/pki/pki-cmsutil.jar + [pki-nsutil.jar]=${java_dir}/pki/pki-nsutil.jar + [pki-ca.jar]=${java_dir}/pki/pki-ca.jar) + + # '${PKI_INSTANCE_PATH}/kra' symlinks + kra_symlinks=( + [alias]=${PKI_INSTANCE_PATH}/alias + [conf]=/etc/pki/${PKI_INSTANCE_ID}/kra + [logs]=/var/log/pki/${PKI_INSTANCE_ID}/kra + [registry]=${pki_registry_dir} + [webapps]=${PKI_INSTANCE_PATH}/webapps) + + # '${pki_kra_jar_dir}' symlinks + kra_jar_symlinks=( + [pki-certsrv.jar]=${java_dir}/pki/pki-certsrv.jar + [pki-cms.jar]=${java_dir}/pki/pki-cms.jar + [pki-cmsbundle.jar]=${java_dir}/pki/pki-cmsbundle.jar + [pki-cmscore.jar]=${java_dir}/pki/pki-cmscore.jar + [pki-cmsutil.jar]=${java_dir}/pki/pki-cmsutil.jar + [pki-nsutil.jar]=${java_dir}/pki/pki-nsutil.jar + [pki-kra.jar]=${java_dir}/pki/pki-kra.jar) + + # '${PKI_INSTANCE_PATH}/ocsp' symlinks + ocsp_symlinks=( + [alias]=${PKI_INSTANCE_PATH}/alias + [conf]=/etc/pki/${PKI_INSTANCE_ID}/ocsp + [logs]=/var/log/pki/${PKI_INSTANCE_ID}/ocsp + [registry]=${pki_registry_dir} + [webapps]=${PKI_INSTANCE_PATH}/webapps) + + # '${pki_ocsp_jar_dir}' symlinks + ocsp_jar_symlinks=( + [pki-certsrv.jar]=${java_dir}/pki/pki-certsrv.jar + [pki-cms.jar]=${java_dir}/pki/pki-cms.jar + [pki-cmsbundle.jar]=${java_dir}/pki/pki-cmsbundle.jar + [pki-cmscore.jar]=${java_dir}/pki/pki-cmscore.jar + [pki-cmsutil.jar]=${java_dir}/pki/pki-cmsutil.jar + [pki-nsutil.jar]=${java_dir}/pki/pki-nsutil.jar + [pki-ocsp.jar]=${java_dir}/pki/pki-ocsp.jar) + + # '${PKI_INSTANCE_PATH}/tks' symlinks + tks_symlinks=( + [alias]=${PKI_INSTANCE_PATH}/alias + [conf]=/etc/pki/${PKI_INSTANCE_ID}/tks + [logs]=/var/log/pki/${PKI_INSTANCE_ID}/tks + [registry]=${pki_registry_dir} + [webapps]=${PKI_INSTANCE_PATH}/webapps) + + # '${pki_tks_jar_dir}' symlinks + 
tks_jar_symlinks=(
+ [pki-certsrv.jar]=${java_dir}/pki/pki-certsrv.jar
+ [pki-cms.jar]=${java_dir}/pki/pki-cms.jar
+ [pki-cmsbundle.jar]=${java_dir}/pki/pki-cmsbundle.jar
+ [pki-cmscore.jar]=${java_dir}/pki/pki-cmscore.jar
+ [pki-cmsutil.jar]=${java_dir}/pki/pki-cmsutil.jar
+ [pki-nsutil.jar]=${java_dir}/pki/pki-nsutil.jar
+ [pki-tks.jar]=${java_dir}/pki/pki-tks.jar)
+
+ # '${pki_common_jar_dir}' symlinks
+ common_jar_symlinks=(
+ [apache-commons-codec.jar]=${java_dir}/commons-codec.jar
+ [apache-commons-collections.jar]=${java_dir}/apache-commons-collections.jar
+ [apache-commons-lang.jar]=${java_dir}/apache-commons-lang.jar
+ [apache-commons-logging.jar]=${java_dir}/apache-commons-logging.jar
+ [httpclient.jar]=${java_dir}/httpcomponents/httpclient.jar
+ [httpcore.jar]=${java_dir}/httpcomponents/httpcore.jar
+ [javassist.jar]=${java_dir}/javassist.jar
+ [jaxrs-api.jar]=${RESTEASY_LIB}/jaxrs-api.jar
+ [jettison.jar]=${java_dir}/jettison.jar
+ [jss4.jar]=${jni_dir}/jss4.jar
+ [ldapjdk.jar]=${java_dir}/ldapjdk.jar
+ [pki-tomcat.jar]=${java_dir}/pki/pki-tomcat.jar
+ [resteasy-atom-provider.jar]=${RESTEASY_LIB}/resteasy-atom-provider.jar
+ [resteasy-jaxb-provider.jar]=${RESTEASY_LIB}/resteasy-jaxb-provider.jar
+ [resteasy-jaxrs.jar]=${RESTEASY_LIB}/resteasy-jaxrs.jar
+ [resteasy-jettison-provider.jar]=${RESTEASY_LIB}/resteasy-jettison-provider.jar
+ [scannotation.jar]=${java_dir}/scannotation.jar
+ [tomcatjss.jar]=${java_dir}/tomcatjss.jar
+ [velocity.jar]=${java_dir}/velocity.jar
+ [xerces-j2.jar]=${java_dir}/xerces-j2.jar
+ [xml-commons-apis.jar]=${java_dir}/xml-commons-apis.jar
+ [xml-commons-resolver.jar]=${java_dir}/xml-commons-resolver.jar)
+
+ if [ -e ${PKI_INSTANCE_PATH}/tks ]; then
+ common_jar_symlinks[symkey.jar]=${jni_dir}/symkey.jar
+ fi
+
+ # '${pki_systemd_dir}' symlinks
+ systemd_symlinks[${pki_systemd_link}]=${systemd_dir}/${pki_systemd_service}
+
+ # Detect and correct 'Tomcat' symbolic links
+ #
+ # (1) convert the specified associative array into a
string
+ # (2) create a new global 'symlinks' associative array from this
+ # specified string which will be used by the "check_symlinks()"
+ # subroutine
+ # (3) call "check_symlinks()" with the appropriate arguments to
+ # detect and correct this specified associative array;
+ # "check_symlinks()" returns 0 on success and 1 on failure
+ #
+ if [ ${PKI_WEB_SERVER_TYPE} == 'tomcat' ]; then
+ # Detect and correct 'base_symlinks'
+ base_symlinks_string=$(declare -p base_symlinks)
+ eval "declare -A symlinks=${base_symlinks_string#*=}"
+ check_symlinks ${PKI_INSTANCE_PATH} ${PKI_USER} ${PKI_GROUP}
+ rv=$?
+ if [ $rv -ne 0 ]; then
+ return $rv
+ fi
+
+ # Detect and correct 'root_symlinks'
+ root_symlinks_string=$(declare -p root_symlinks)
+ eval "declare -A symlinks=${root_symlinks_string#*=}"
+ check_symlinks ${PKI_INSTANCE_PATH} "root" "root"
+ rv=$?
+ if [ $rv -ne 0 ]; then
+ return $rv
+ fi
+
+ if [ -e ${PKI_INSTANCE_PATH}/ca ]; then
+ # Detect and correct 'ca_symlinks'
+ ca_symlinks_string=$(declare -p ca_symlinks)
+ eval "declare -A symlinks=${ca_symlinks_string#*=}"
+ check_symlinks ${PKI_INSTANCE_PATH}/ca ${PKI_USER} ${PKI_GROUP}
+ rv=$?
+ if [ $rv -ne 0 ]; then
+ return $rv
+ fi
+ # Detect and correct 'ca_jar_symlinks'
+ ca_jar_symlinks_string=$(declare -p ca_jar_symlinks)
+ eval "declare -A symlinks=${ca_jar_symlinks_string#*=}"
+ check_symlinks ${pki_ca_jar_dir} ${PKI_USER} ${PKI_GROUP}
+ rv=$?
+ if [ $rv -ne 0 ]; then
+ return $rv
+ fi
+ fi
+
+ if [ -e ${PKI_INSTANCE_PATH}/kra ]; then
+ # Detect and correct 'kra_symlinks'
+ kra_symlinks_string=$(declare -p kra_symlinks)
+ eval "declare -A symlinks=${kra_symlinks_string#*=}"
+ check_symlinks ${PKI_INSTANCE_PATH}/kra ${PKI_USER} ${PKI_GROUP}
+ rv=$?
+ if [ $rv -ne 0 ]; then
+ return $rv
+ fi
+ # Detect and correct 'kra_jar_symlinks'
+ kra_jar_symlinks_string=$(declare -p kra_jar_symlinks)
+ eval "declare -A symlinks=${kra_jar_symlinks_string#*=}"
+ check_symlinks ${pki_kra_jar_dir} ${PKI_USER} ${PKI_GROUP}
+ rv=$?
+ if [ $rv -ne 0 ]; then
+ return $rv
+ fi
+ fi
+
+ if [ -e ${PKI_INSTANCE_PATH}/ocsp ]; then
+ # Detect and correct 'ocsp_symlinks'
+ ocsp_symlinks_string=$(declare -p ocsp_symlinks)
+ eval "declare -A symlinks=${ocsp_symlinks_string#*=}"
+ check_symlinks ${PKI_INSTANCE_PATH}/ocsp ${PKI_USER} ${PKI_GROUP}
+ rv=$?
+ if [ $rv -ne 0 ]; then
+ return $rv
+ fi
+ # Detect and correct 'ocsp_jar_symlinks'
+ ocsp_jar_symlinks_string=$(declare -p ocsp_jar_symlinks)
+ eval "declare -A symlinks=${ocsp_jar_symlinks_string#*=}"
+ check_symlinks ${pki_ocsp_jar_dir} ${PKI_USER} ${PKI_GROUP}
+ rv=$?
+ if [ $rv -ne 0 ]; then
+ return $rv
+ fi
+ fi
+
+ if [ -e ${PKI_INSTANCE_PATH}/tks ]; then
+ # Detect and correct 'tks_symlinks'
+ tks_symlinks_string=$(declare -p tks_symlinks)
+ eval "declare -A symlinks=${tks_symlinks_string#*=}"
+ check_symlinks ${PKI_INSTANCE_PATH}/tks ${PKI_USER} ${PKI_GROUP}
+ rv=$?
+ if [ $rv -ne 0 ]; then
+ return $rv
+ fi
+ # Detect and correct 'tks_jar_symlinks'
+ tks_jar_symlinks_string=$(declare -p tks_jar_symlinks)
+ eval "declare -A symlinks=${tks_jar_symlinks_string#*=}"
+ check_symlinks ${pki_tks_jar_dir} ${PKI_USER} ${PKI_GROUP}
+ rv=$?
+ if [ $rv -ne 0 ]; then
+ return $rv
+ fi
+ fi
+
+ # Detect and correct 'common_jar_symlinks'
+ common_jar_symlinks_string=$(declare -p common_jar_symlinks)
+ eval "declare -A symlinks=${common_jar_symlinks_string#*=}"
+ check_symlinks ${pki_common_jar_dir} ${PKI_USER} ${PKI_GROUP}
+ rv=$?
+ if [ $rv -ne 0 ]; then
+ return $rv
+ fi
+
+ # Detect and correct 'systemd_symlinks'
+ systemd_symlinks_string=$(declare -p systemd_symlinks)
+ eval "declare -A symlinks=${systemd_symlinks_string#*=}"
+ check_symlinks ${pki_systemd_dir} ${PKI_USER} ${PKI_GROUP}
+ rv=$?
+ if [ $rv -ne 0 ]; then
+ return $rv
+ fi
+ fi
+
+ return 0
+}
+
+start_instance()
+{
+ rv=0
+
+ if [ -f ${RESTART_SERVER} ] ; then
+ rm -f ${RESTART_SERVER}
+ fi
+
+ # Verify symbolic links (detecting and correcting them if possible)
+ verify_symlinks
+ rv=$?
+ if [ $rv -ne 0 ] ; then
+ return $rv
+ fi
+
+ # Invoke the initscript for this instance
+ case $PKI_WEB_SERVER_TYPE in
+ tomcat)
+
+ # Generate catalina.policy dynamically.
+ cat /usr/share/pki/server/conf/catalina.policy \
+ /usr/share/tomcat/conf/catalina.policy \
+ /usr/share/pki/server/conf/pki.policy \
+ /var/lib/pki/$PKI_INSTANCE_ID/conf/custom.policy > \
+ /var/lib/pki/$PKI_INSTANCE_ID/conf/catalina.policy
+
+ # We must export the service name so that the systemd version
+ # of the tomcat init script knows which instance specific
+ # configuration file to source.
+ export SERVICE_NAME=$PKI_INSTANCE_ID
+ $PKI_INSTANCE_INITSCRIPT start
+ rv=$?
+ ;;
+ apache)
+ $PKI_INSTANCE_INITSCRIPT start
+ rv=$?
+ ;;
+ esac
+
+ if [ $rv -ne 0 ] ; then
+ return $rv
+ fi
+
+ # On Tomcat subsystems, make certain that the service has started
+ case $PKI_WEB_SERVER_TYPE in
+ tomcat)
+ count=0
+ tries=30
+ port=${PKI_UNSECURE_PORT}
+ while [ $count -lt $tries ]
+ do
+ netstat -antl | grep ${port} > /dev/null
+ netrv=$?
+ if [ $netrv -eq 0 ] ; then
+ break;
+ fi
+ sleep 1
+ let count=$count+1;
+ done
+ if [ $netrv -ne 0 ] ; then
+ return 1
+ fi
+ ;;
+ esac
+
+ if [ $rv -eq 0 ] ; then
+ # From the PKI point of view a returned error code of 6 implies
+ # that the program is not "configured". An error code of 1 implies
+ # that the program was "configured" but must still be restarted.
+ #
+ # If the return code is 6 return this value unchanged to the
+ # calling routine so that the total number of configuration errors
+ # may be counted. Other return codes are ignored.
+ #
+ check_pki_configuration_status
+ rv=$?
+ if [ $rv -eq 6 ]; then
+ # 6 program is not configured
+ return 6
+ else
+ # 0 success
+ return 0
+ fi
+ fi
+ return $rv
+}
+
+stop_instance()
+{
+ rv=0
+
+ export SERVICE_NAME=$PKI_INSTANCE_ID
+ # Invoke the initscript for this instance
+ $PKI_INSTANCE_INITSCRIPT stop
+ rv=$?
+
+ # On Tomcat subsystems, always remove the "pki subsystem identity" symlinks
+ # that were previously associated with the Tomcat 'pid' and 'lock' files.
+ case $PKI_WEB_SERVER_TYPE in
+ tomcat)
+ if [ -f ${PKI_PIDFILE} ]; then
+ rm -f ${PKI_PIDFILE}
+ fi
+ ;;
+ esac
+
+ return $rv
+}
+
+start()
+{
+ error_rv=0
+ rv=0
+ config_errors=0
+ errors=0
+
+ if [ ${TOTAL_PKI_REGISTRY_ENTRIES} -eq 0 ]; then
+ echo
+ echo "ERROR: No '${PKI_TYPE}' instances installed!"
+ # 5 program is not installed
+ return 5
+ fi
+
+ if [ ${TOTAL_PKI_REGISTRY_ENTRIES} -gt 1 ]; then
+ echo "BEGIN STARTING '${PKI_TYPE}' INSTANCES:"
+ fi
+
+ # Start every PKI instance of this type that isn't already running
+ for PKI_REGISTRY_ENTRY in ${PKI_REGISTRY_ENTRIES}; do
+ # Source values associated with this particular PKI instance
+ [ -f ${PKI_REGISTRY_ENTRY} ] &&
+ . ${PKI_REGISTRY_ENTRY}
+
+ [ ${TOTAL_PKI_REGISTRY_ENTRIES} -gt 1 ] && echo
+
+ start_instance
+ rv=$?
+ if [ $rv = 6 ] ; then
+ # Since at least ONE configuration error exists, then there
+ # is at least ONE unconfigured instance from the PKI point
+ # of view.
+ #
+ # However, it must still be considered that the
+ # instance is "running" from the point of view of other
+ # OS programs such as 'chkconfig'.
+ #
+ # Therefore, ignore non-zero return codes resulting
+ # from configuration errors.
+ #
+
+ config_errors=`expr $config_errors + 1`
+ rv=0
+ elif [ $rv != 0 ] ; then
+ errors=`expr $errors + 1`
+ error_rv=$rv
+ fi
+ done
+
+ if [ ${TOTAL_PKI_REGISTRY_ENTRIES} -gt ${errors} ] ; then
+ touch ${lockfile}
+ chmod 00600 ${lockfile}
+ fi
+
+ # ONLY print a "WARNING" message if multiple
+ # instances are being examined
+ if [ ${TOTAL_PKI_REGISTRY_ENTRIES} -gt 1 ] ; then
+ # NOTE: "bad" return code(s) OVERRIDE configuration errors!
+ if [ ${errors} -eq 1 ]; then
+ # Since only ONE error exists, return that "bad" error code.
+ rv=${error_rv}
+ elif [ ${errors} -gt 1 ]; then
+ # Since MORE than ONE error exists, return an OVERALL status
+ # of "1 generic or unspecified error (current practice)"
+ rv=1
+ fi
+
+ if [ ${errors} -ge 1 ]; then
+ echo
+ echo -n "WARNING: "
+ echo -n "${errors} of ${TOTAL_PKI_REGISTRY_ENTRIES} "
+ echo -n "'${PKI_TYPE}' instances failed to start!"
+ echo
+ fi
+
+ if [ ${TOTAL_UNCONFIGURED_PKI_ENTRIES} -ge 1 ]; then
+ echo
+ echo -n "WARNING: "
+ echo -n "${TOTAL_UNCONFIGURED_PKI_ENTRIES} "
+ echo -n "of ${TOTAL_PKI_REGISTRY_ENTRIES} "
+ echo -n "'${PKI_TYPE}' instances MUST be configured!"
+ echo
+ fi
+
+ echo
+ echo "FINISHED STARTING '${PKI_TYPE}' INSTANCE(S)."
+ fi
+
+ return $rv
+}
+
+stop()
+{
+ error_rv=0
+ rv=0
+ errors=0
+
+ if [ ${TOTAL_PKI_REGISTRY_ENTRIES} -eq 0 ]; then
+ echo
+ echo "ERROR: No '${PKI_TYPE}' instances installed!"
+ # 5 program is not installed
+ return 5
+ fi
+
+ if [ ${TOTAL_PKI_REGISTRY_ENTRIES} -gt 1 ] ; then
+ echo "BEGIN SHUTTING DOWN '${PKI_TYPE}' INSTANCE(S):"
+ fi
+
+ # Shutdown every PKI instance of this type that is running
+ for PKI_REGISTRY_ENTRY in ${PKI_REGISTRY_ENTRIES}; do
+ # Source values associated with this particular PKI instance
+ [ -f ${PKI_REGISTRY_ENTRY} ] &&
+ . ${PKI_REGISTRY_ENTRY}
+
+ [ ${TOTAL_PKI_REGISTRY_ENTRIES} -gt 1 ] && echo
+
+ stop_instance
+ rv=$?
+ if [ $rv != 0 ] ; then
+ errors=`expr $errors + 1`
+ error_rv=$rv
+ fi
+ done
+
+ if [ ${errors} -eq 0 ] ; then
+ rm -f ${lockfile}
+ fi
+
+ # ONLY print a "WARNING" message if multiple
+ # instances are being examined
+ if [ ${TOTAL_PKI_REGISTRY_ENTRIES} -gt 1 ] ; then
+ if [ ${errors} -eq 1 ]; then
+ # Since only ONE error exists, return that "bad" error code.
+ rv=${error_rv}
+ elif [ ${errors} -gt 1 ]; then
+ # Since MORE than ONE error exists, return an OVERALL status
+ # of "1 generic or unspecified error (current practice)"
+ rv=1
+ fi
+
+ if [ ${errors} -ge 1 ]; then
+ echo
+ echo -n "WARNING: "
+ echo -n "${errors} of ${TOTAL_PKI_REGISTRY_ENTRIES} "
+ echo -n "'${PKI_TYPE}' instances were "
+ echo -n "unsuccessfully stopped!"
+ echo
+ fi
+
+ echo
+ echo "FINISHED SHUTTING DOWN '${PKI_TYPE}' INSTANCE(S)."
+ fi
+
+ return $rv
+}
+
+restart()
+{
+ stop
+ sleep 2
+ start
+
+ return $?
+}
+
+registry_status()
+{
+ error_rv=0
+ rv=0
+ errors=0
+
+ if [ ${TOTAL_PKI_REGISTRY_ENTRIES} -eq 0 ]; then
+ echo
+ echo "ERROR: No '${PKI_TYPE}' instances installed!"
+ # 4 program or service status is unknown
+ return 4
+ fi
+
+ if [ ${TOTAL_PKI_REGISTRY_ENTRIES} -gt 1 ] ; then
+ echo "REPORT STATUS OF '${PKI_TYPE}' INSTANCE(S):"
+ fi
+
+ # Obtain status of every PKI instance of this type
+ for PKI_REGISTRY_ENTRY in ${PKI_REGISTRY_ENTRIES}; do
+ # Source values associated with this particular PKI instance
+ [ -f ${PKI_REGISTRY_ENTRY} ] &&
+ . ${PKI_REGISTRY_ENTRY}
+
+ [ ${TOTAL_PKI_REGISTRY_ENTRIES} -gt 1 ] && echo
+
+ case $PKI_WEB_SERVER_TYPE in
+ tomcat)
+ if [ $SYSTEMD ]; then
+ display_instance_status_systemd
+ else
+ display_instance_status
+ fi
+ rv=$?
+ ;;
+ apache)
+ display_instance_status
+ rv=$?
+ ;;
+ esac
+ if [ $rv -ne 0 ] ; then
+ errors=`expr $errors + 1`
+ error_rv=$rv
+ fi
+ done
+
+ # ONLY print a "WARNING" message if multiple
+ # instances are being examined
+ if [ ${TOTAL_PKI_REGISTRY_ENTRIES} -gt 1 ] ; then
+ if [ ${errors} -eq 1 ]; then
+ # Since only ONE error exists, return that "bad" error code.
+ rv=${error_rv}
+ elif [ ${errors} -gt 1 ]; then
+ # Since MORE than ONE error exists, return an OVERALL status
+ # of "4 - program or service status is unknown"
+ rv=4
+ fi
+
+ if [ ${errors} -ge 1 ]; then
+ echo
+ echo -n "WARNING: "
+ echo -n "${errors} of ${TOTAL_PKI_REGISTRY_ENTRIES} "
+ echo -n "'${PKI_TYPE}' instances reported status failures!"
+ echo
+ fi
+
+ if [ ${TOTAL_UNCONFIGURED_PKI_ENTRIES} -ge 1 ]; then
+ echo
+ echo -n "WARNING: "
+ echo -n "${TOTAL_UNCONFIGURED_PKI_ENTRIES} "
+ echo -n "of ${TOTAL_PKI_REGISTRY_ENTRIES} "
+ echo -n "'${PKI_TYPE}' instances MUST be configured!"
+ echo
+ fi
+
+ echo
+ echo "FINISHED REPORTING STATUS OF '${PKI_TYPE}' INSTANCE(S)."
+ fi
+
+ return $rv
+}
+
|