Diffstat (limited to 'base')
37 files changed, 7353 insertions, 682 deletions
diff --git a/base/ca/shared/conf/CS.cfg.in b/base/ca/shared/conf/CS.cfg.in
index 78c28435a..ca90d52d5 100644
--- a/base/ca/shared/conf/CS.cfg.in
+++ b/base/ca/shared/conf/CS.cfg.in
@@ -38,6 +38,7 @@ securitydomain.flushinterval=86400000
 securitydomain.source=ldap
 securitydomain.checkinterval=300000
 instanceRoot=[PKI_INSTANCE_PATH]
+configurationRoot=/[PKI_SUBSYSTEM_DIR]conf/
 machineName=[PKI_MACHINE_NAME]
 instanceId=[PKI_INSTANCE_ID]
 pidDir=[PKI_PIDDIR]
@@ -180,7 +181,7 @@ auths.instance.AgentCertAuth.pluginName=AgentCertAuth
 auths.instance.raCertAuth.agentGroup=Registration Manager Agents
 auths.instance.raCertAuth.pluginName=AgentCertAuth
 auths.instance.flatFileAuth.pluginName=FlatFileAuth
-auths.instance.flatFileAuth.fileName=[PKI_INSTANCE_PATH]/conf/flatfile.txt
+auths.instance.flatFileAuth.fileName=[PKI_INSTANCE_PATH]/conf/[PKI_SUBSYSTEM_DIR]flatfile.txt
 auths.instance.SSLclientCertAuth.pluginName=SSLclientCertAuth
 auths.revocationChecking.bufferSize=50
 auths.revocationChecking.ca=ca
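Review bot: `configurationRoot=/[PKI_SUBSYSTEM_DIR]conf/` added in the first hunk starts with a literal `/`, so after substitution it resolves to an absolute path such as `/ca/conf/` instead of a directory under the instance, whereas every other new path in this file is rooted at `[PKI_INSTANCE_PATH]` (the flatfile.txt line in the second hunk uses `[PKI_INSTANCE_PATH]/conf/[PKI_SUBSYSTEM_DIR]`). Unless the consumer of this key deliberately prepends the instance path, which is not visible here, the line should read `configurationRoot=[PKI_INSTANCE_PATH]/conf/[PKI_SUBSYSTEM_DIR]`. Because this key locates the subsystem's configuration directory, a mis-rooted value would make the server look for or write configuration outside the instance tree, so a short comment on the line stating the expected expansion would also help the next reader.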
@@ -643,15 +644,15 @@ ca.crl.MasterCRL.extension.IssuingDistributionPoint.pointName=
 ca.crl.MasterCRL.extension.IssuingDistributionPoint.pointType=
 ca.crl.MasterCRL.extension.IssuingDistributionPoint.type=CRLExtension
 ca.notification.certIssued.emailSubject=Your Certificate Request
-ca.notification.certIssued.emailTemplate=[PKI_INSTANCE_PATH]/emails/certIssued_CA.html
+ca.notification.certIssued.emailTemplate=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_DIR]emails/certIssued_CA.html
 ca.notification.certIssued.enabled=false
 ca.notification.certIssued.senderEmail=
 ca.notification.certRevoked.emailSubject=Your Certificate Revoked
-ca.notification.certRevoked.emailTemplate=[PKI_INSTANCE_PATH]/emails/certRevoked_CA.html
+ca.notification.certRevoked.emailTemplate=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_DIR]emails/certRevoked_CA.html
 ca.notification.certRevoked.enabled=false
 ca.notification.certRevoked.senderEmail=
 ca.notification.requestInQ.emailSubject=Certificate Request in Queue
-ca.notification.requestInQ.emailTemplate=[PKI_INSTANCE_PATH]/emails/reqInQueue_CA.html
+ca.notification.requestInQ.emailTemplate=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_DIR]emails/reqInQueue_CA.html
 ca.notification.requestInQ.enabled=false
 ca.notification.requestInQ.recipientEmail=
 ca.notification.requestInQ.senderEmail=
@@ -793,7 +794,7 @@ dbs.ldap=internaldb
 dbs.newSchemaEntryAdded=true
 debug.append=true
 debug.enabled=true
-debug.filename=[PKI_INSTANCE_PATH]/logs/debug
+debug.filename=[PKI_INSTANCE_PATH]/logs/[PKI_SUBSYSTEM_DIR]debug
 debug.hashkeytypes=
 debug.level=0
 debug.showcaller=false
@@ -815,8 +816,8 @@ internaldb.ldapconn.host=
 internaldb.ldapconn.port=
 internaldb.ldapconn.secureConn=false
 preop.internaldb.schema.ldif=/usr/share/pki/ca/conf/schema.ldif
-preop.internaldb.ldif=/usr/share/pki/ca/conf/database.ldif
-preop.internaldb.data_ldif=/usr/share/pki/ca/conf/db.ldif,/usr/share/pki/ca/conf/acl.ldif
+preop.internaldb.ldif=/usr/share/pki/[PKI_SUBSYSTEM_DIR]conf/database.ldif
+preop.internaldb.data_ldif=/usr/share/pki/[PKI_SUBSYSTEM_DIR]conf/db.ldif,/usr/share/pki/ca/conf/acl.ldif
 preop.internaldb.index_ldif=
 preop.internaldb.manager_ldif=/usr/share/pki/ca/conf/manager.ldif
 preop.internaldb.post_ldif=/usr/share/pki/ca/conf/index.ldif,/usr/share/pki/ca/conf/vlv.ldif,/usr/share/pki/ca/conf/vlvtasks.ldif
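Review bot: `preop.internaldb.data_ldif` in this hunk mixes `/usr/share/pki/[PKI_SUBSYSTEM_DIR]conf/db.ldif` with the still hard-coded `/usr/share/pki/ca/conf/acl.ldif` on one line, and the surrounding `schema.ldif`, `manager_ldif` and `post_ldif` context lines keep `/usr/share/pki/ca/conf/` as well. If `[PKI_SUBSYSTEM_DIR]` ever expands to something other than `ca/`, the bootstrap LDIFs are loaded from two different trees, with the ACL entries coming from the tree that was not substituted. Either substitute the token in all of these paths or keep all of them literal, for example `+preop.internaldb.data_ldif=/usr/share/pki/[PKI_SUBSYSTEM_DIR]conf/db.ldif,/usr/share/pki/[PKI_SUBSYSTEM_DIR]conf/acl.ldif`.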
@@ -833,25 +834,25 @@ jobsScheduler.impl.RequestInQueueJob.class=com.netscape.cms.jobs.RequestInQueueJ
 jobsScheduler.impl.UnpublishExpiredJob.class=com.netscape.cms.jobs.UnpublishExpiredJob
 jobsScheduler.job.certRenewalNotifier.cron=0 3 * * 1-5
 jobsScheduler.job.certRenewalNotifier.emailSubject=Certificate Renewal Notification
-jobsScheduler.job.certRenewalNotifier.emailTemplate=[PKI_INSTANCE_PATH]/emails/rnJob1.txt
+jobsScheduler.job.certRenewalNotifier.emailTemplate=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_DIR]emails/rnJob1.txt
 jobsScheduler.job.certRenewalNotifier.enabled=false
 jobsScheduler.job.certRenewalNotifier.notifyEndOffset=30
 jobsScheduler.job.certRenewalNotifier.notifyTriggerOffset=30
 jobsScheduler.job.certRenewalNotifier.pluginName=RenewalNotificationJob
 jobsScheduler.job.certRenewalNotifier.senderEmail=
 jobsScheduler.job.certRenewalNotifier.summary.emailSubject=Certificate Renewal Notification Summary
-jobsScheduler.job.certRenewalNotifier.summary.emailTemplate=[PKI_INSTANCE_PATH]/emails/rnJob1Summary.txt
+jobsScheduler.job.certRenewalNotifier.summary.emailTemplate=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_DIR]emails/rnJob1Summary.txt
 jobsScheduler.job.certRenewalNotifier.summary.enabled=true
-jobsScheduler.job.certRenewalNotifier.summary.itemTemplate=[PKI_INSTANCE_PATH]/emails/rnJob1Item.txt
+jobsScheduler.job.certRenewalNotifier.summary.itemTemplate=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_DIR]emails/rnJob1Item.txt
 jobsScheduler.job.certRenewalNotifier.summary.recipientEmail=
 jobsScheduler.job.certRenewalNotifier.summary.senderEmail=
 jobsScheduler.job.publishCerts.cron=0 0 * * 2
 jobsScheduler.job.publishCerts.enabled=false
 jobsScheduler.job.publishCerts.pluginName=PublishCertsJob
 jobsScheduler.job.publishCerts.summary.emailSubject=Certs Publishing Summary
-jobsScheduler.job.publishCerts.summary.emailTemplate=[PKI_INSTANCE_PATH]/emails/publishCerts.html
+jobsScheduler.job.publishCerts.summary.emailTemplate=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_DIR]emails/publishCerts.html
 jobsScheduler.job.publishCerts.summary.enabled=true
-jobsScheduler.job.publishCerts.summary.itemTemplate=[PKI_INSTANCE_PATH]/emails/publishCertsItem.html
+jobsScheduler.job.publishCerts.summary.itemTemplate=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_DIR]emails/publishCertsItem.html
 jobsScheduler.job.publishCerts.summary.recipientEmail=
 jobsScheduler.job.publishCerts.summary.senderEmail=
 jobsScheduler.job.requestInQueueNotifier.cron=0 0 * * 0
@@ -859,7 +860,7 @@ jobsScheduler.job.requestInQueueNotifier.enabled=false
 jobsScheduler.job.requestInQueueNotifier.pluginName=RequestInQueueJob
 jobsScheduler.job.requestInQueueNotifier.subsystemId=ca
 jobsScheduler.job.requestInQueueNotifier.summary.emailSubject=Requests in Queue Summary Report
-jobsScheduler.job.requestInQueueNotifier.summary.emailTemplate=[PKI_INSTANCE_PATH]/emails/riq1Summary.html
+jobsScheduler.job.requestInQueueNotifier.summary.emailTemplate=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_DIR]emails/riq1Summary.html
 jobsScheduler.job.requestInQueueNotifier.summary.enabled=true
 jobsScheduler.job.requestInQueueNotifier.summary.recipientEmail=
 jobsScheduler.job.requestInQueueNotifier.summary.senderEmail=
@@ -867,9 +868,9 @@ jobsScheduler.job.unpublishExpiredCerts.cron=0 0 * * 6
 jobsScheduler.job.unpublishExpiredCerts.enabled=false
 jobsScheduler.job.unpublishExpiredCerts.pluginName=UnpublishExpiredJob
 jobsScheduler.job.unpublishExpiredCerts.summary.emailSubject=Expired Certs Unpublished Summary
-jobsScheduler.job.unpublishExpiredCerts.summary.emailTemplate=[PKI_INSTANCE_PATH]/emails/euJob1.html
+jobsScheduler.job.unpublishExpiredCerts.summary.emailTemplate=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_DIR]emails/euJob1.html
 jobsScheduler.job.unpublishExpiredCerts.summary.enabled=true
-jobsScheduler.job.unpublishExpiredCerts.summary.itemTemplate=[PKI_INSTANCE_PATH]/emails/euJob1Item.html
+jobsScheduler.job.unpublishExpiredCerts.summary.itemTemplate=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_DIR]emails/euJob1Item.html
 jobsScheduler.job.unpublishExpiredCerts.summary.recipientEmail=
 jobsScheduler.job.unpublishExpiredCerts.summary.senderEmail=
 jss._000=##
@@ -897,7 +898,7 @@ log.instance.SignedAudit.bufferSize=512
 log.instance.SignedAudit.enable=true
 log.instance.SignedAudit.events=AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,PRIVATE_KEY_ARCHIVE_REQUEST,PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,KEY_RECOVERY_REQUEST,KEY_RECOVERY_REQUEST_ASYNC,KEY_RECOVERY_AGENT_LOGIN,KEY_RECOVERY_REQUEST_PROCESSED,KEY_RECOVERY_REQUEST_PROCESSED_ASYNC,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ_SUCCESS,AUTHZ_FAIL,INTER_BOUNDARY,AUTH_FAIL,AUTH_SUCCESS,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_ADD_CA_REQUEST,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST,OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS,OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,SECURITY_DOMAIN_UPDATE,CONFIG_SERIAL_NUMBER
 log.instance.SignedAudit.expirationTime=0
-log.instance.SignedAudit.fileName=[PKI_INSTANCE_PATH]/logs/signedAudit/ca_audit
+log.instance.SignedAudit.fileName=[PKI_INSTANCE_PATH]/logs/[PKI_SUBSYSTEM_DIR]signedAudit/ca_audit
 log.instance.SignedAudit.flushInterval=5
 log.instance.SignedAudit.level=1
 log.instance.SignedAudit.logSigning=false
@@ -913,7 +914,7 @@ log.instance.System._002=##
 log.instance.System.bufferSize=512
 log.instance.System.enable=true
 log.instance.System.expirationTime=0
-log.instance.System.fileName=[PKI_INSTANCE_PATH]/logs/system
+log.instance.System.fileName=[PKI_INSTANCE_PATH]/logs/[PKI_SUBSYSTEM_DIR]system
 log.instance.System.flushInterval=5
 log.instance.System.level=3
 log.instance.System.maxFileSize=2000
@@ -926,15 +927,15 @@ log.instance.Transactions._002=##
 log.instance.Transactions.bufferSize=512
 log.instance.Transactions.enable=true
 log.instance.Transactions.expirationTime=0
-log.instance.Transactions.fileName=[PKI_INSTANCE_PATH]/logs/transactions
+log.instance.Transactions.fileName=[PKI_INSTANCE_PATH]/logs/[PKI_SUBSYSTEM_DIR]transactions
 log.instance.Transactions.flushInterval=5
 log.instance.Transactions.level=1
 log.instance.Transactions.maxFileSize=2000
 log.instance.Transactions.pluginName=file
 log.instance.Transactions.rolloverInterval=2592000
 log.instance.Transactions.type=transaction
-logAudit.fileName=[PKI_INSTANCE_PATH]/logs/access
-logError.fileName=[PKI_INSTANCE_PATH]/logs/error
+logAudit.fileName=[PKI_INSTANCE_PATH]/logs/[PKI_SUBSYSTEM_DIR]access
+logError.fileName=[PKI_INSTANCE_PATH]/logs/[PKI_SUBSYSTEM_DIR]error
 oidmap.auth_info_access.class=netscape.security.extensions.AuthInfoAccessExtension
 oidmap.auth_info_access.oid=1.3.6.1.5.5.7.1.1
 oidmap.challenge_password.class=com.netscape.cms.servlet.cert.scep.ChallengePassword
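Review bot: `log.instance.SignedAudit.fileName` in the first of these hunks relocates the signed audit trail to `[PKI_INSTANCE_PATH]/logs/[PKI_SUBSYSTEM_DIR]signedAudit/ca_audit`, but nothing in this diff creates that subdirectory or sets its ownership and mode; with `log.instance.SignedAudit.enable=true` in the context, a missing directory would fail at startup and a permissive one would weaken the protection of the audit log. The System, Transactions, `logAudit` and `logError` files in the following two hunks move into the same `logs/[PKI_SUBSYSTEM_DIR]` location. The installer code that lays out `logs/` is outside this diff, so please confirm it creates the new `signedAudit/` path with the same restrictive ownership as the old one before this lands, and note the dependency in the commit message.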
@@ -956,106 +957,106 @@ oidmap.subject_info_access.oid=1.3.6.1.5.5.7.1.11
 os.userid=nobody
 profile.list=caUserCert,caECUserCert,caUserSMIMEcapCert,caDualCert,caECDualCert,caSignedLogCert,caTPSCert,caRARouterCert,caRouterCert,caServerCert,caOtherCert,caCACert,caInstallCACert,caRACert,caOCSPCert,caTransportCert,caDirUserCert,caAgentServerCert,caAgentFileSigning,caCMCUserCert,caFullCMCUserCert,caSimpleCMCUserCert,caTokenDeviceKeyEnrollment,caTokenUserEncryptionKeyEnrollment,caTokenUserSigningKeyEnrollment,caTempTokenDeviceKeyEnrollment,caTempTokenUserEncryptionKeyEnrollment,caTempTokenUserSigningKeyEnrollment,caAdminCert,caInternalAuthServerCert,caInternalAuthTransportCert,caInternalAuthDRMstorageCert,caInternalAuthSubsystemCert,caInternalAuthOCSPCert,caInternalAuthAuditSigningCert,DomainController,caDualRAuserCert,caRAagentCert,caRAserverCert,caUUIDdeviceCert,caSSLClientSelfRenewal,caDirUserRenewal,caManualRenewal,caTokenMSLoginEnrollment,caTokenUserSigningKeyRenewal,caTokenUserEncryptionKeyRenewal,caJarSigningCert,caIPAserviceCert,caEncUserCert,caEncECUserCert
 profile.caUUIDdeviceCert.class_id=caEnrollImpl
-profile.caUUIDdeviceCert.config=[PKI_INSTANCE_PATH]/profiles/ca/caUUIDdeviceCert.cfg
+profile.caUUIDdeviceCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_DIR]profiles/ca/caUUIDdeviceCert.cfg
 profile.caManualRenewal.class_id=caEnrollImpl
-profile.caManualRenewal.config=[PKI_INSTANCE_PATH]/profiles/ca/caManualRenewal.cfg
+profile.caManualRenewal.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_DIR]profiles/ca/caManualRenewal.cfg
 profile.caDirUserRenewal.class_id=caEnrollImpl
-profile.caDirUserRenewal.config=[PKI_INSTANCE_PATH]/profiles/ca/caDirUserRenewal.cfg
+profile.caDirUserRenewal.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_DIR]profiles/ca/caDirUserRenewal.cfg
 profile.caSSLClientSelfRenewal.class_id=caEnrollImpl
-profile.caSSLClientSelfRenewal.config=[PKI_INSTANCE_PATH]/profiles/ca/caSSLClientSelfRenewal.cfg
+profile.caSSLClientSelfRenewal.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_DIR]profiles/ca/caSSLClientSelfRenewal.cfg
 profile.DomainController.class_id=caEnrollImpl
-profile.DomainController.config=[PKI_INSTANCE_PATH]/profiles/ca/DomainController.cfg
+profile.DomainController.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_DIR]profiles/ca/DomainController.cfg
 profile.caAgentFileSigning.class_id=caEnrollImpl
-profile.caAgentFileSigning.config=[PKI_INSTANCE_PATH]/profiles/ca/caAgentFileSigning.cfg
+profile.caAgentFileSigning.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_DIR]profiles/ca/caAgentFileSigning.cfg
 profile.caAgentServerCert.class_id=caEnrollImpl
-profile.caAgentServerCert.config=[PKI_INSTANCE_PATH]/profiles/ca/caAgentServerCert.cfg
+profile.caAgentServerCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_DIR]profiles/ca/caAgentServerCert.cfg
 profile.caRAserverCert.class_id=caEnrollImpl
-profile.caRAserverCert.config=[PKI_INSTANCE_PATH]/profiles/ca/caRAserverCert.cfg
+profile.caRAserverCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_DIR]profiles/ca/caRAserverCert.cfg
 profile.caCACert.class_id=caEnrollImpl
-profile.caCACert.config=[PKI_INSTANCE_PATH]/profiles/ca/caCACert.cfg
+profile.caCACert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_DIR]profiles/ca/caCACert.cfg
 profile.caInstallCACert.class_id=caEnrollImpl
-profile.caInstallCACert.config=[PKI_INSTANCE_PATH]/profiles/ca/caInstallCACert.cfg
+profile.caInstallCACert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_DIR]profiles/ca/caInstallCACert.cfg
 profile.caCMCUserCert.class_id=caEnrollImpl
-profile.caCMCUserCert.config=[PKI_INSTANCE_PATH]/profiles/ca/caCMCUserCert.cfg
+profile.caCMCUserCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_DIR]profiles/ca/caCMCUserCert.cfg
 profile.caDirUserCert.class_id=caEnrollImpl
-profile.caDirUserCert.config=[PKI_INSTANCE_PATH]/profiles/ca/caDirUserCert.cfg
+profile.caDirUserCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_DIR]profiles/ca/caDirUserCert.cfg
 profile.caDualCert.class_id=caEnrollImpl
-profile.caDualCert.config=[PKI_INSTANCE_PATH]/profiles/ca/caDualCert.cfg
+profile.caDualCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_DIR]profiles/ca/caDualCert.cfg
 profile.caECDualCert.class_id=caEnrollImpl
-profile.caECDualCert.config=[PKI_INSTANCE_PATH]/profiles/ca/caECDualCert.cfg
+profile.caECDualCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_DIR]profiles/ca/caECDualCert.cfg
 profile.caDualRAuserCert.class_id=caEnrollImpl
-profile.caDualRAuserCert.config=[PKI_INSTANCE_PATH]/profiles/ca/caDualRAuserCert.cfg
+profile.caDualRAuserCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_DIR]profiles/ca/caDualRAuserCert.cfg
 profile.caRAagentCert.class_id=caEnrollImpl
-profile.caRAagentCert.config=[PKI_INSTANCE_PATH]/profiles/ca/caRAagentCert.cfg
+profile.caRAagentCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_DIR]profiles/ca/caRAagentCert.cfg
 profile.caFullCMCUserCert.class_id=caEnrollImpl
-profile.caFullCMCUserCert.config=[PKI_INSTANCE_PATH]/profiles/ca/caFullCMCUserCert.cfg
+profile.caFullCMCUserCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_DIR]profiles/ca/caFullCMCUserCert.cfg
 profile.caInternalAuthOCSPCert.class_id=caEnrollImpl
-profile.caInternalAuthOCSPCert.config=[PKI_INSTANCE_PATH]/profiles/ca/caInternalAuthOCSPCert.cfg
+profile.caInternalAuthOCSPCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_DIR]profiles/ca/caInternalAuthOCSPCert.cfg
 profile.caInternalAuthAuditSigningCert.class_id=caEnrollImpl
-profile.caInternalAuthAuditSigningCert.config=[PKI_INSTANCE_PATH]/profiles/ca/caInternalAuthAuditSigningCert.cfg
+profile.caInternalAuthAuditSigningCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_DIR]profiles/ca/caInternalAuthAuditSigningCert.cfg
 profile.caInternalAuthServerCert.class_id=caEnrollImpl
-profile.caInternalAuthServerCert.config=[PKI_INSTANCE_PATH]/profiles/ca/caInternalAuthServerCert.cfg
+profile.caInternalAuthServerCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_DIR]profiles/ca/caInternalAuthServerCert.cfg
 profile.caInternalAuthSubsystemCert.class_id=caEnrollImpl
-profile.caInternalAuthSubsystemCert.config=[PKI_INSTANCE_PATH]/profiles/ca/caInternalAuthSubsystemCert.cfg
+profile.caInternalAuthSubsystemCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_DIR]profiles/ca/caInternalAuthSubsystemCert.cfg
 profile.caInternalAuthDRMstorageCert.class_id=caEnrollImpl
-profile.caInternalAuthDRMstorageCert.config=[PKI_INSTANCE_PATH]/profiles/ca/caInternalAuthDRMstorageCert.cfg
+profile.caInternalAuthDRMstorageCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_DIR]profiles/ca/caInternalAuthDRMstorageCert.cfg
 profile.caInternalAuthTransportCert.class_id=caEnrollImpl
-profile.caInternalAuthTransportCert.config=[PKI_INSTANCE_PATH]/profiles/ca/caInternalAuthTransportCert.cfg
+profile.caInternalAuthTransportCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_DIR]profiles/ca/caInternalAuthTransportCert.cfg
 profile.caOCSPCert.class_id=caEnrollImpl
-profile.caOCSPCert.config=[PKI_INSTANCE_PATH]/profiles/ca/caOCSPCert.cfg
+profile.caOCSPCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_DIR]profiles/ca/caOCSPCert.cfg
 profile.caOtherCert.class_id=caEnrollImpl
-profile.caOtherCert.config=[PKI_INSTANCE_PATH]/profiles/ca/caOtherCert.cfg
+profile.caOtherCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_DIR]profiles/ca/caOtherCert.cfg
 profile.caRACert.class_id=caEnrollImpl
-profile.caRACert.config=[PKI_INSTANCE_PATH]/profiles/ca/caRACert.cfg
+profile.caRACert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_DIR]profiles/ca/caRACert.cfg
 profile.caRARouterCert.class_id=caEnrollImpl
-profile.caRARouterCert.config=[PKI_INSTANCE_PATH]/profiles/ca/caRARouterCert.cfg
+profile.caRARouterCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_DIR]profiles/ca/caRARouterCert.cfg
 profile.caRouterCert.class_id=caEnrollImpl
-profile.caRouterCert.config=[PKI_INSTANCE_PATH]/profiles/ca/caRouterCert.cfg
+profile.caRouterCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_DIR]profiles/ca/caRouterCert.cfg
 profile.caServerCert.class_id=caEnrollImpl
-profile.caServerCert.config=[PKI_INSTANCE_PATH]/profiles/ca/caServerCert.cfg
+profile.caServerCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_DIR]profiles/ca/caServerCert.cfg
 profile.caSignedLogCert.class_id=caEnrollImpl
-profile.caSignedLogCert.config=[PKI_INSTANCE_PATH]/profiles/ca/caSignedLogCert.cfg
+profile.caSignedLogCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_DIR]profiles/ca/caSignedLogCert.cfg
 profile.caSimpleCMCUserCert.class_id=caEnrollImpl
-profile.caSimpleCMCUserCert.config=[PKI_INSTANCE_PATH]/profiles/ca/caSimpleCMCUserCert.cfg
+profile.caSimpleCMCUserCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_DIR]profiles/ca/caSimpleCMCUserCert.cfg
 profile.caTPSCert.class_id=caEnrollImpl
-profile.caTPSCert.config=[PKI_INSTANCE_PATH]/profiles/ca/caTPSCert.cfg
+profile.caTPSCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_DIR]profiles/ca/caTPSCert.cfg
 profile.caAdminCert.class_id=caEnrollImpl
-profile.caAdminCert.config=[PKI_INSTANCE_PATH]/profiles/ca/caAdminCert.cfg
+profile.caAdminCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_DIR]profiles/ca/caAdminCert.cfg
 profile.caTempTokenDeviceKeyEnrollment.class_id=caUserCertEnrollImpl
-profile.caTempTokenDeviceKeyEnrollment.config=[PKI_INSTANCE_PATH]/profiles/ca/caTempTokenDeviceKeyEnrollment.cfg
+profile.caTempTokenDeviceKeyEnrollment.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_DIR]profiles/ca/caTempTokenDeviceKeyEnrollment.cfg
 profile.caTempTokenUserEncryptionKeyEnrollment.class_id=caUserCertEnrollImpl
-profile.caTempTokenUserEncryptionKeyEnrollment.config=[PKI_INSTANCE_PATH]/profiles/ca/caTempTokenUserEncryptionKeyEnrollment.cfg
+profile.caTempTokenUserEncryptionKeyEnrollment.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_DIR]profiles/ca/caTempTokenUserEncryptionKeyEnrollment.cfg
 profile.caTokenUserEncryptionKeyRenewal.class_id=caUserCertEnrollImpl
-profile.caTokenUserEncryptionKeyRenewal.config=[PKI_INSTANCE_PATH]/profiles/ca/caTokenUserEncryptionKeyRenewal.cfg
+profile.caTokenUserEncryptionKeyRenewal.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_DIR]profiles/ca/caTokenUserEncryptionKeyRenewal.cfg
 profile.caTempTokenUserSigningKeyEnrollment.class_id=caUserCertEnrollImpl
-profile.caTempTokenUserSigningKeyEnrollment.config=[PKI_INSTANCE_PATH]/profiles/ca/caTempTokenUserSigningKeyEnrollment.cfg
+profile.caTempTokenUserSigningKeyEnrollment.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_DIR]profiles/ca/caTempTokenUserSigningKeyEnrollment.cfg
 profile.caTokenUserSigningKeyRenewal.class_id=caUserCertEnrollImpl
-profile.caTokenUserSigningKeyRenewal.config=[PKI_INSTANCE_PATH]/profiles/ca/caTokenUserSigningKeyRenewal.cfg
+profile.caTokenUserSigningKeyRenewal.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_DIR]profiles/ca/caTokenUserSigningKeyRenewal.cfg
 profile.caTokenDeviceKeyEnrollment.class_id=caUserCertEnrollImpl
-profile.caTokenDeviceKeyEnrollment.config=[PKI_INSTANCE_PATH]/profiles/ca/caTokenDeviceKeyEnrollment.cfg
+profile.caTokenDeviceKeyEnrollment.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_DIR]profiles/ca/caTokenDeviceKeyEnrollment.cfg
 profile.caTokenUserEncryptionKeyEnrollment.class_id=caUserCertEnrollImpl
-profile.caTokenUserEncryptionKeyEnrollment.config=[PKI_INSTANCE_PATH]/profiles/ca/caTokenUserEncryptionKeyEnrollment.cfg
+profile.caTokenUserEncryptionKeyEnrollment.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_DIR]profiles/ca/caTokenUserEncryptionKeyEnrollment.cfg
 profile.caTokenUserSigningKeyEnrollment.class_id=caUserCertEnrollImpl
-profile.caTokenUserSigningKeyEnrollment.config=[PKI_INSTANCE_PATH]/profiles/ca/caTokenUserSigningKeyEnrollment.cfg
+profile.caTokenUserSigningKeyEnrollment.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_DIR]profiles/ca/caTokenUserSigningKeyEnrollment.cfg
 profile.caTokenMSLoginEnrollment.class_id=caUserCertEnrollImpl
-profile.caTokenMSLoginEnrollment.config=[PKI_INSTANCE_PATH]/profiles/ca/caTokenMSLoginEnrollment.cfg
+profile.caTokenMSLoginEnrollment.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_DIR]profiles/ca/caTokenMSLoginEnrollment.cfg
 profile.caTransportCert.class_id=caEnrollImpl
-profile.caTransportCert.config=[PKI_INSTANCE_PATH]/profiles/ca/caTransportCert.cfg
+profile.caTransportCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_DIR]profiles/ca/caTransportCert.cfg
 profile.caUserCert.class_id=caEnrollImpl
-profile.caUserCert.config=[PKI_INSTANCE_PATH]/profiles/ca/caUserCert.cfg
+profile.caUserCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_DIR]profiles/ca/caUserCert.cfg
 profile.caECUserCert.class_id=caEnrollImpl
-profile.caECUserCert.config=[PKI_INSTANCE_PATH]/profiles/ca/caECUserCert.cfg
+profile.caECUserCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_DIR]profiles/ca/caECUserCert.cfg
 profile.caUserSMIMEcapCert.class_id=caEnrollImpl
-profile.caUserSMIMEcapCert.config=[PKI_INSTANCE_PATH]/profiles/ca/caUserSMIMEcapCert.cfg
+profile.caUserSMIMEcapCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_DIR]profiles/ca/caUserSMIMEcapCert.cfg
 profile.caJarSigningCert.class_id=caEnrollImpl
-profile.caJarSigningCert.config=[PKI_INSTANCE_PATH]/profiles/ca/caJarSigningCert.cfg
+profile.caJarSigningCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_DIR]profiles/ca/caJarSigningCert.cfg
 profile.caIPAserviceCert.class_id=caEnrollImpl
-profile.caIPAserviceCert.config=[PKI_INSTANCE_PATH]/profiles/ca/caIPAserviceCert.cfg
+profile.caIPAserviceCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_DIR]profiles/ca/caIPAserviceCert.cfg
 profile.caEncUserCert.class_id=caEnrollImpl
-profile.caEncUserCert.config=[PKI_INSTANCE_PATH]/profiles/ca/caEncUserCert.cfg
+profile.caEncUserCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_DIR]profiles/ca/caEncUserCert.cfg
 profile.caEncECUserCert.class_id=caEnrollImpl
-profile.caEncECUserCert.config=[PKI_INSTANCE_PATH]/profiles/ca/caEncECUserCert.cfg
-registry.file=[PKI_INSTANCE_PATH]/conf/registry.cfg
+profile.caEncECUserCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_DIR]profiles/ca/caEncECUserCert.cfg
+registry.file=[PKI_INSTANCE_PATH]/conf/[PKI_SUBSYSTEM_DIR]registry.cfg
 processor.caProfileProcess.getClientCert=true
 processor.caProfileProcess.authzMgr=BasicAclAuthz
 processor.caProfileProcess.authorityId=ca
@@ -1096,7 +1097,7 @@ selftests.container.logger.bufferSize=512
 selftests.container.logger.class=com.netscape.cms.logging.RollingLogFile
 selftests.container.logger.enable=true
 selftests.container.logger.expirationTime=0
-selftests.container.logger.fileName=[PKI_INSTANCE_PATH]/logs/selftests.log
+selftests.container.logger.fileName=[PKI_INSTANCE_PATH]/logs/[PKI_SUBSYSTEM_DIR]selftests.log
 selftests.container.logger.flushInterval=5
 selftests.container.logger.level=1
 selftests.container.logger.maxFileSize=2000
diff --git a/base/ca/shared/webapps/ca/WEB-INF/web.xml b/base/ca/shared/webapps/ca/WEB-INF/web.xml
index 692cb4898..8471d6cd4 100644
--- a/base/ca/shared/webapps/ca/WEB-INF/web.xml
+++ b/base/ca/shared/webapps/ca/WEB-INF/web.xml
@@ -3,90 +3,6 @@ PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN" "file:///usr/share/pki/setup/web-app_2_3.dtd"> <web-app> - <filter> - <filter-name>AgentRequestFilter</filter-name> - <filter-class>com.netscape.cms.servlet.filter.AgentRequestFilter</filter-class> - <init-param> - <param-name>https_port</param-name> - <param-value>[PKI_AGENT_SECURE_PORT]</param-value> - </init-param> -[PKI_OPEN_ENABLE_PROXY_COMMENT] - <init-param> - <param-name>proxy_port</param-name> - <param-value>[PKI_PROXY_SECURE_PORT]</param-value> - </init-param> -[PKI_CLOSE_ENABLE_PROXY_COMMENT] - <init-param> - <param-name>active</param-name> - <param-value>true</param-value> - </init-param> - </filter> - - <filter> - <filter-name>AdminRequestFilter</filter-name> - <filter-class>com.netscape.cms.servlet.filter.AdminRequestFilter</filter-class> - <init-param> - <param-name>https_port</param-name> - <param-value>[PKI_ADMIN_SECURE_PORT]</param-value> - </init-param> -[PKI_OPEN_ENABLE_PROXY_COMMENT] - <init-param> - <param-name>proxy_port</param-name> - <param-value>[PKI_PROXY_SECURE_PORT]</param-value> - </init-param> -[PKI_CLOSE_ENABLE_PROXY_COMMENT] - <init-param> - <param-name>active</param-name> - <param-value>true</param-value> - </init-param> - </filter> - - <filter> - <filter-name>EERequestFilter</filter-name> - <filter-class>com.netscape.cms.servlet.filter.EERequestFilter</filter-class> - <init-param> - <param-name>http_port</param-name> - <param-value>[PKI_UNSECURE_PORT]</param-value> - </init-param> - <init-param> - <param-name>https_port</param-name> - <param-value>[PKI_EE_SECURE_PORT]</param-value> - </init-param> -[PKI_OPEN_ENABLE_PROXY_COMMENT] - <init-param> - <param-name>proxy_port</param-name> - <param-value>[PKI_PROXY_SECURE_PORT]</param-value> - </init-param> - <init-param> - <param-name>proxy_http_port</param-name> - <param-value>[PKI_PROXY_UNSECURE_PORT]</param-value> - </init-param> -[PKI_CLOSE_ENABLE_PROXY_COMMENT] - <init-param> - 
<param-name>active</param-name> - <param-value>true</param-value> - </init-param> - </filter> - - <filter> - <filter-name>EEClientAuthRequestFilter</filter-name> - <filter-class>com.netscape.cms.servlet.filter.EEClientAuthRequestFilter</filter-class> - <init-param> - <param-name>https_port</param-name> - <param-value>[PKI_EE_SECURE_CLIENT_AUTH_PORT]</param-value> - </init-param> -[PKI_OPEN_ENABLE_PROXY_COMMENT] - <init-param> - <param-name>proxy_port</param-name> - <param-value>[PKI_PROXY_SECURE_PORT]</param-value> - </init-param> -[PKI_CLOSE_ENABLE_PROXY_COMMENT] - <init-param> - <param-name>active</param-name> - <param-value>true</param-value> - </init-param> - </filter> - <servlet> <servlet-name>csadmin-wizard</servlet-name> <servlet-class>com.netscape.cms.servlet.wizard.WizardServlet</servlet-class> @@ -415,7 +331,7 @@ <init-param><param-name> AuthzMgr </param-name> <param-value> BasicAclAuthz </param-value> </init-param> <init-param><param-name> cfgPath </param-name> - <param-value> [PKI_INSTANCE_PATH]/conf/CS.cfg </param-value> </init-param> + <param-value> [PKI_INSTANCE_PATH]/conf/[PKI_SUBSYSTEM_DIR]CS.cfg </param-value> </init-param> <init-param><param-name> ID </param-name> <param-value> castart </param-value> </init-param> <load-on-startup> 1 </load-on-startup> @@ -1900,10 +1816,9 @@ <param-value> /agent/ca/doRevoke </param-value> </init-param> </servlet> - <context-param> - <param-name>resteasy.scan</param-name> - <param-value>true</param-value> - </context-param> + <listener> + <listener-class> org.jboss.resteasy.plugins.server.servlet.ResteasyBootstrap </listener-class> + </listener> <context-param> <param-name>resteasy.servlet.mapping.prefix</param-name> 
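Review bot: The first hunk removes the AgentRequestFilter, AdminRequestFilter, EERequestFilter and EEClientAuthRequestFilter definitions, and the last hunk of this file removes their filter-mappings (the block wrapped in `[PKI_OPEN_SEPARATE_PORTS_WEB_COMMENT]`); those filters were the only element in this descriptor tying `/agent/*`, `/admin/*`, `/eeca/*` and `/ee/*` to their respective `https_port`/`proxy_port` values. If separate-port deployments are still supported, nothing visible here now rejects an agent or admin URL reached over the EE or unsecured connector, so that enforcement must exist elsewhere (for example in connector or servlet configuration outside this diff) or the port separation is lost. The commit message should state where that check now lives, or the filter definitions and mappings should stay in place behind the same template comment markers. Replacing `resteasy.scan=true` with an explicit `javax.ws.rs.Application` in the last hunk is an improvement, since only the classes the application lists are registered rather than everything found on the classpath.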
@@ -1920,50 +1835,12 @@ <servlet> <servlet-name>Resteasy</servlet-name> <servlet-class>org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher</servlet-class> + <init-param> + <param-name>javax.ws.rs.Application</param-name> + <param-value>com.netscape.ca.CertificateAuthorityApplication</param-value> + </init-param> </servlet> -[PKI_OPEN_SEPARATE_PORTS_WEB_COMMENT] - <filter-mapping> - <filter-name> AgentRequestFilter </filter-name> - <url-pattern> /agent/* </url-pattern> - <url-pattern> /ca/getCertFromRequest </url-pattern> - <url-pattern> /ca/getBySerial </url-pattern> - <url-pattern> /ca/connector </url-pattern> - <url-pattern> /ca/displayCertFromRequest </url-pattern> - <url-pattern> /doRevoke </url-pattern> - </filter-mapping> - - <filter-mapping> - <filter-name> AdminRequestFilter </filter-name> - <url-pattern> /admin/* </url-pattern> - <url-pattern> /auths </url-pattern> - <url-pattern> /acl </url-pattern> - <url-pattern> /server </url-pattern> - <url-pattern> /caadmin </url-pattern> - <url-pattern> /caprofile </url-pattern> - <url-pattern> /jobsScheduler </url-pattern> - <url-pattern> /capublisher </url-pattern> - <url-pattern> /log </url-pattern> - <url-pattern> /ug </url-pattern> - </filter-mapping> - - <filter-mapping> - <filter-name> EEClientAuthRequestFilter </filter-name> - <url-pattern> /eeca/* </url-pattern> - </filter-mapping> - - <filter-mapping> - <filter-name> EERequestFilter </filter-name> - <url-pattern> /ee/* </url-pattern> - <url-pattern> /renewal </url-pattern> - <url-pattern> /certbasedenrollment </url-pattern> - <url-pattern> /ocsp </url-pattern> - <url-pattern> /enrollment </url-pattern> - <url-pattern> /profileSubmit </url-pattern> - <url-pattern> /cgi-bin/pkiclient.exe </url-pattern> - </filter-mapping> -[PKI_CLOSE_SEPARATE_PORTS_WEB_COMMENT] - <servlet-mapping> <servlet-name>Resteasy</servlet-name> <url-pattern>/pki/*</url-pattern> 
diff --git a/base/common/shared/conf/catalina.properties b/base/common/shared/conf/catalina.properties index 003089a43..c44758699 100644 --- a/base/common/shared/conf/catalina.properties +++ b/base/common/shared/conf/catalina.properties @@ -51,6 +51,10 @@ package.definition=sun.,java.,org.apache.catalina.,org.apache.coyote.,org.apache # repositories # "foo/bar.jar": Add bar.jar as a class repository common.loader=${catalina.base}/lib,${catalina.base}/lib/*.jar,${catalina.home}/lib,${catalina.home}/lib/*.jar,[TOMCAT_INSTANCE_COMMON_LIB] +#,[PKI_INSTANCE_PATH]/webapps/ca/WEB-INF/lib/pki-ca.jar +#,[PKI_INSTANCE_PATH]/webapps/kra/WEB-INF/lib/pki-kra.jar +#,[PKI_INSTANCE_PATH]/webapps/ocsp/WEB-INF/lib/pki-ocsp.jar +#,[PKI_INSTANCE_PATH]/webapps/tks/WEB-INF/lib/pki-tks.jar # # List of comma-separated paths defining the contents of the "server" diff --git a/base/common/shared/conf/log4j.properties b/base/common/shared/conf/log4j.properties index 5861ec750..dd4bd9318 100644 --- a/base/common/shared/conf/log4j.properties +++ b/base/common/shared/conf/log4j.properties 
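Review bot: The four `#,[PKI_INSTANCE_PATH]/webapps/.../WEB-INF/lib/pki-*.jar` lines appended after `common.loader` are commented out, so they change nothing but leave a ready-made template for putting each subsystem's jar on Tomcat's common class loader, which every webapp in the instance shares. If they are meant as documentation, replace them with a comment that says so, e.g. `# Subsystem jars stay in each webapp's WEB-INF/lib; do not add them to common.loader`; if they are scaffolding for a later change, drop them from this commit.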
@@ -4,14 +4,27 @@ # Modifications: configuration parameters # --- END COPYRIGHT BLOCK --- -log4j.rootLogger=debug, R -log4j.appender.R=org.apache.log4j.RollingFileAppender -log4j.appender.R.File=${catalina.home}/logs/tomcat.log -log4j.appender.R.MaxFileSize=10MB -log4j.appender.R.MaxBackupIndex=10 -log4j.appender.R.layout=org.apache.log4j.PatternLayout -log4j.appender.R.layout.ConversionPattern=%p %t %c - %m%n +log4j.rootLogger=debug, R +log4j.appender.R=org.apache.log4j.RollingFileAppender +log4j.appender.R.File=${catalina.base}/logs/catalina.out +log4j.appender.R.MaxFileSize=10MB +log4j.appender.R.MaxBackupIndex=10 +log4j.appender.R.layout=org.apache.log4j.PatternLayout +log4j.appender.R.layout.ConversionPattern=%p %t %c - %m%n log4j.logger.org.apache.catalina=DEBUG, R log4j.logger.org.apache.catalina.core.ContainerBase.[Catalina].[localhost]=DEBUG, R log4j.logger.org.apache.catalina.core=DEBUG, R log4j.logger.org.apache.catalina.session=DEBUG, R + +#resteasy +log4j.appender.stdout=org.apache.log4j.ConsoleAppender +log4j.appender.stdout.Target=System.out +log4j.appender.stdout.layout=org.apache.log4j.PatternLayout +log4j.appender.stdout.layout.ConversionPattern=%d{ABSOLUTE} %5p (%c:%L) - %m%n +log4j.rootLogger=warn, stdout +log4j.rootCategory=debug, stdout +log4j.category.org.jboss.resteasy.core=debug +log4j.category.org.jboss.resteasy.plugins.providers=debug +log4j.category.org.jboss.resteasy.specimpl=debug +log4j.category.org.jboss.resteasy.plugins.server=debug +log4j.logger.org.jboss.resteasy.mock=debug diff --git a/base/common/shared/conf/server.xml b/base/common/shared/conf/server.xml index d5788552c..46ee15b0b 100644 --- a/base/common/shared/conf/server.xml +++ b/base/common/shared/conf/server.xml 
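Review bot: `log4j.rootLogger` is now defined twice in this file: `log4j.rootLogger=debug, R` near the top and `log4j.rootLogger=warn, stdout` in the new `#resteasy` block, and because the file is loaded as java.util.Properties the later key silently wins, so the root logger ends up on the console appender at `warn` and the rolling file appender R is only reached through the explicit `log4j.logger.org.apache.catalina*` entries. The `log4j.rootCategory=debug, stdout` line is a legacy alias of the same key and adds a third conflicting value. Pick one root definition and delete the others. Also, `log4j.appender.R.File=${catalina.base}/logs/catalina.out` makes a RollingFileAppender roll the same file that the service wrapper presumably redirects the JVM's stdout into; if that is the case, two writers on one file will interleave or truncate each other's output, and a distinct file name for R is safer.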
@@ -68,7 +68,10 @@ Tomcat Port = [TOMCAT_SERVER_PORT] (for shutdown) <Server port="[TOMCAT_SERVER_PORT]" shutdown="SHUTDOWN"> <!--APR library loader. Documentation at /docs/apr.html --> - <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" /> + <!-- The following Listener class has been commented out because this --> + <!-- implementation depends upon the 'tomcatjss' JSSE module, 'JSS', --> + <!-- and 'NSS' rather than the 'tomcat-native' module! --> + <!-- Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" --> <!--Initialize Jasper prior to webapps are loaded. Documentation at /docs/jasper-howto.html --> <Listener className="org.apache.catalina.core.JasperListener" /> <!-- JMX Support for the Tomcat server. Documentation at /docs/non-existent.html --> @@ -116,7 +119,7 @@ Tomcat Port = [TOMCAT_SERVER_PORT] (for shutdown) [PKI_UNSECURE_PORT_SERVER_COMMENT] <Connector name="[PKI_UNSECURE_PORT_CONNECTOR_NAME]" port="[PKI_UNSECURE_PORT]" protocol="HTTP/1.1" redirectPort="8443" maxHttpHeaderSize="8192" - acceptCount="100" maxThreads="150" minSpareThreads="25" maxSpareThreads="75" + acceptCount="100" maxThreads="150" minSpareThreads="25" enableLookups="false" connectionTimeout="20000" disableUploadTimeout="true" /> 
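Review bot: The unsecure `<Connector>` rewritten in the second hunk keeps `redirectPort="8443"` as a literal while the secure connector's port is the `[PKI_SECURE_PORT]` template; a request that hits a confidential transport-guarantee on the HTTP connector is therefore redirected to 8443 rather than to this instance's actual secure port unless the instance happens to use 8443. Suggest `redirectPort="[PKI_SECURE_PORT]"`. The `<Service>` and `<Server>` elements enclosing these connectors are outside the hunk.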
@@ -124,9 +127,31 @@ Tomcat Port = [TOMCAT_SERVER_PORT] (for shutdown) [PKI_SECURE_PORT_SERVER_COMMENT] <!-- DO NOT REMOVE - Begin define PKI secure port 1 + NOTE: The following 'keys' (and their assigned values) are exclusive to + the 'tomcatjss' JSSE module: + + 'enableOCSP' + 'ocspResponderURL' + 'ocspResponderCertNickname' + 'ocspCacheSize' + 'ocspMinCacheEntryDuration' + 'ocspMaxCacheEntryDuration' + 'ocspTimeout' + 'strictCiphers' + 'clientauth' (ALL lowercase) + 'sslOptions' + 'ssl2Ciphers' + 'ssl3Ciphers' + 'tlsCiphers' + 'serverCertNickFile' + 'passwordFile' + 'passwordClass' + 'certdbDir' + + and are referenced via the value of the 'sslImplementationName' key. NOTE: The OCSP settings take effect globally, so it should only be set once. - In setup where SSL clientAuth="true", OCSP can be turned on by + In setup where SSL clientauth="true", OCSP can be turned on by setting enableOCSP to true like the following: enableOCSP="true" along with changes to related settings, especially: @@ -150,9 +175,9 @@ Tomcat Port = [TOMCAT_SERVER_PORT] (for shutdown) --> <Connector name="[PKI_SECURE_PORT_CONNECTOR_NAME]" port="[PKI_SECURE_PORT]" protocol="HTTP/1.1" SSLEnabled="true" sslProtocol="SSL" scheme="https" secure="true" maxHttpHeaderSize="8192" - acceptCount="100" maxThreads="150" minSpareThreads="25" maxSpareThreads="75" + acceptCount="100" maxThreads="150" minSpareThreads="25" enableLookups="false" disableUploadTimeout="true" - SSLImplementation="org.apache.tomcat.util.net.jss.JSSImplementation" + sslImplementationName="org.apache.tomcat.util.net.jss.JSSImplementation" enableOCSP="false" ocspResponderURL="http://[PKI_MACHINE_NAME]:9080/ca/ocsp" ocspResponderCertNickname="ocspSigningCert cert-pki-ca" 
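Review bot: The second hunk renames `SSLImplementation` to `sslImplementationName`, and the new NOTE block in the first hunk lists the tomcatjss-specific keys but says nothing about which tomcatjss release understands the new attribute name. If an older tomcatjss that still reads `SSLImplementation` is installed, the connector would presumably fall back to the default JSSE implementation with none of the JSS/NSS settings applied, which is hard to diagnose from this file alone. Add one line to the NOTE, e.g. `'sslImplementationName' replaces the older 'SSLImplementation' key and requires tomcatjss [MIN_VERSION - placeholder] or later`. The `<Connector>` element continues past the end of the hunk.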
@@ -162,6 +187,7 @@ Tomcat Port = [TOMCAT_SERVER_PORT] (for shutdown) ocspTimeout="10" strictCiphers="false" clientAuth="[PKI_AGENT_CLIENTAUTH]" + clientauth="[PKI_AGENT_CLIENTAUTH]" sslOptions="[TOMCAT_SSL_OPTIONS]" ssl2Ciphers="[TOMCAT_SSL2_CIPHERS]" ssl3Ciphers="[TOMCAT_SSL3_CIPHERS]" @@ -173,23 +199,6 @@ Tomcat Port = [TOMCAT_SERVER_PORT] (for shutdown) /> <!-- DO NOT REMOVE - End define PKI secure port --> - <!-- A "Connector" using the shared thread pool--> - <!-- - <Connector executor="tomcatThreadPool" - port="8080" protocol="HTTP/1.1" - connectionTimeout="20000" - redirectPort="8443" /> - --> - <!-- Define a SSL HTTP/1.1 Connector on port 8443 - This connector uses the JSSE configuration, when using APR, the - connector should be using the OpenSSL style configuration - described in the APR documentation --> - <!-- - <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" - maxThreads="150" scheme="https" secure="true" - clientAuth="false" sslProtocol="TLS" /> - --> - <!-- Define an AJP 1.3 Connector on port [PKI_AJP_PORT] --> [PKI_OPEN_AJP_PORT_COMMENT] <Connector port="[PKI_AJP_PORT]" protocol="AJP/1.3" redirectPort="[PKI_AJP_REDIRECT_PORT]" /> 
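Review bot: The added `clientauth="[PKI_AGENT_CLIENTAUTH]"` sits directly under the existing `clientAuth="[PKI_AGENT_CLIENTAUTH]"`, leaving two attributes that both claim to decide whether client certificates are required on the agent port; the NOTE earlier in the file says the all-lowercase key is the one tomcatjss reads, so anyone who later edits only the camel-case one will believe they changed the setting while the JSS connector keeps the old value. Add a comment between the two lines, e.g. `<!-- keep 'clientAuth' and 'clientauth' identical: tomcatjss reads the lowercase key (see NOTE above) -->`, or drop whichever one the installed implementation ignores. The enclosing `<Connector>` element starts and ends outside this hunk; the second hunk is a pure deletion of commented examples and needs nothing.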
@@ -281,10 +290,45 @@ Tomcat Port = [TOMCAT_SERVER_PORT] (for shutdown) <!-- Define the default virtual host Note: XML Schema validation will not work with Xerces 2.2. --> - <Host name="localhost" appBase="webapps" + <Host name="localhost" + appBase="[PKI_INSTANCE_PATH]/webapps" unpackWARs="true" autoDeploy="false" xmlValidation="false" xmlNamespaceAware="false"> + <!-- + <Context path="/ca" + docBase="ca" + allowLinking="true"> + <Loader className="org.apache.catalina.loader.VirtualWebappLoader" + virtualClasspath="[PKI_INSTANCE_PATH]/ca/webapps/ca/WEB-INF/classes;[PKI_INSTANCE_PATH]/ca/webapps/ca/WEB-INF/lib" />" /> + <JarScanner scanAllDirectories="true" /> + </Context> + + <Context path="/kra" + docBase="kra" + allowLinking="true"> + <Loader className="org.apache.catalina.loader.VirtualWebappLoader" + virtualClasspath="[PKI_INSTANCE_PATH]/kra/webapps/kra/WEB-INF/classes;[PKI_INSTANCE_PATH]/kra/webapps/kra/WEB-INF/lib" /> + <JarScanner scanAllDirectories="true" /> + </Context> + + <Context path="/ocsp" + docBase="ocsp" + allowLinking="true"> + <Loader className="org.apache.catalina.loader.VirtualWebappLoader" + virtualClasspath="[PKI_INSTANCE_PATH]/ocsp/webapps/ocsp/WEB-INF/classes;[PKI_INSTANCE_PATH]/ocsp/webapps/ocsp/WEB-INF/lib" /> + <JarScanner scanAllDirectories="true" /> + </Context> + + <Context path="/tks" + docBase="tks" + allowLinking="true"> + <Loader className="org.apache.catalina.loader.VirtualWebappLoader" + virtualClasspath="[PKI_INSTANCE_PATH]/tks/webapps/tks/WEB-INF/classes;[PKI_INSTANCE_PATH]/tks/webapps/tks/WEB-INF/lib" /> + <JarScanner scanAllDirectories="true" /> + </Context> + --> + <!-- SingleSignOn valve, share authentication between web applications Documentation at: /docs/config/valve.html --> <!-- 
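Review bot: The commented `/ca` `<Context>` block has a stray `" />` on its Loader line — `virtualClasspath="[PKI_INSTANCE_PATH]/ca/webapps/ca/WEB-INF/classes;[PKI_INSTANCE_PATH]/ca/webapps/ca/WEB-INF/lib" />" />` — which the `/kra`, `/ocsp` and `/tks` blocks do not have, so the block is malformed XML the moment someone uncomments it; it should end `WEB-INF/lib" />`. All four blocks also set `allowLinking="true"`, which makes Tomcat serve the targets of symbolic links under the docBase, so a stray link in a webapp directory can expose files outside it; if these blocks are meant to be enabled later, a comment noting that caveat next to `allowLinking` would help. The `<Host>` element ends outside the hunk.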
@@ -294,8 +338,9 @@ Tomcat Port = [TOMCAT_SERVER_PORT] (for shutdown) <!-- Access log processes all example. Documentation at: /docs/config/valve.html --> <!-- - <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs" - prefix="localhost_access_log." suffix=".txt" pattern="common" resolveHosts="false"/> + <Valve className="org.apache.catalina.valves.AccessLogValve" + directory="logs" prefix="localhost_access_log." suffix=".txt" + pattern="common" resolveHosts="false"/> --> </Host> diff --git a/base/common/shared/conf/serverCertNick.conf b/base/common/shared/conf/serverCertNick.conf new file mode 100644 index 000000000..25bafd622 --- /dev/null +++ b/base/common/shared/conf/serverCertNick.conf @@ -0,0 +1,6 @@ +# --- BEGIN COPYRIGHT BLOCK --- +# Copyright (C) 2012 Red Hat, Inc. +# All rights reserved. +# --- END COPYRIGHT BLOCK --- +# +Server-Cert cert-[PKI_INSTANCE_ID] diff --git a/base/common/shared/conf/tomcat.conf b/base/common/shared/conf/tomcat.conf index aa7fefd19..9c1a81bb7 100644 --- a/base/common/shared/conf/tomcat.conf +++ b/base/common/shared/conf/tomcat.conf @@ -21,7 +21,7 @@ CATALINA_BASE="[PKI_INSTANCE_PATH]" #CATALINA_HOME="/usr/share/tomcat" #JASPER_HOME="/usr/share/tomcat" -#CATALINA_TMPDIR="/var/cache/tomcat/temp" +CATALINA_TMPDIR=[PKI_TMPDIR] # You can pass some parameters to java here if you wish to #JAVA_OPTS="-Xminf0.1 -Xmaxf0.3" @@ -29,6 +29,9 @@ CATALINA_BASE="[PKI_INSTANCE_PATH]" # Use JAVA_OPTS to set java.library.path for libtcnative.so #JAVA_OPTS="-Djava.library.path=/usr/lib" +# Enable the following JAVA_OPTS to run a java debugger (e. g. - 'eclipse') +#JAVA_OPTS="-Xdebug -Xrunjdwp:transport=dt_socket,address=8000,server=y,suspend=n -Djava.awt.headless=true -Xmx128M" + # What user should run tomcat TOMCAT_USER="[PKI_USER]" 
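Review bot: The new serverCertNick.conf contains only the copyright block and the bare line `Server-Cert cert-[PKI_INSTANCE_ID]`, with nothing saying what that line is or who reads it. Given that server.xml's NOTE lists `serverCertNickFile` among the tomcatjss keys, this looks like the nickname file that key points at; add a comment above the value, e.g. `# NSS nickname of the server certificate presented by the secure connector (referenced by 'serverCertNickFile' in server.xml)`, so the file is self-describing.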
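Review bot: In tomcat.conf the new `CATALINA_TMPDIR=[PKI_TMPDIR]` is unquoted while every neighbouring assignment (`CATALINA_BASE="[PKI_INSTANCE_PATH]"`, `TOMCAT_USER="[PKI_USER]"`) is quoted; a substituted path containing a space or shell metacharacter would break when the file is sourced, so write `CATALINA_TMPDIR="[PKI_TMPDIR]"`. The debugger example added in the second hunk, `-Xrunjdwp:transport=dt_socket,address=8000,server=y,suspend=n`, binds the JDWP listener on all interfaces on the JDKs of this era, so copying it into a running instance exposes an unauthenticated debugger; `address=localhost:8000` in the example is the safer template.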
@@ -36,7 +39,7 @@ TOMCAT_USER="[PKI_USER]" #LANG="en_US" # Run tomcat under the Java Security Manager -SECURITY_MANAGER="[PKI_SECURITY_MANAGER]" +#SECURITY_MANAGER="[PKI_SECURITY_MANAGER]" # Time to wait in seconds, before killing process #SHUTDOWN_WAIT="30" diff --git a/base/common/shared/conf/web.xml b/base/common/shared/conf/web.xml new file mode 100644 index 000000000..cc8383cbf --- /dev/null +++ b/base/common/shared/conf/web.xml 
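Review bot: Commenting out `SECURITY_MANAGER="[PKI_SECURITY_MANAGER]"` turns off the Java Security Manager for the instance without recording why, and with the manager off the permissions in catalina.policy no longer confine the deployed webapps. Please note the reason inline, e.g. `# Security Manager disabled: [REASON - placeholder]; catalina.policy is not enforced while this is commented out`, so the next person does not assume it was dropped by accident.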
@@ -0,0 +1,4283 @@ +<?xml version="1.0" encoding="ISO-8859-1"?> +<!-- + Licensed to the Apache Software Foundation (ASF) under one or more + contributor license agreements. See the NOTICE file distributed with + this work for additional information regarding copyright ownership. + The ASF licenses this file to You under the Apache License, Version 2.0 + (the "License"); you may not use this file except in compliance with + the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. +--> +<web-app xmlns="http://java.sun.com/xml/ns/javaee" + xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" + xsi:schemaLocation="http://java.sun.com/xml/ns/javaee + http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd" + version="3.0"> + + <!-- ======================== Introduction ============================== --> + <!-- This document defines default values for *all* web applications --> + <!-- loaded into this instance of Tomcat. As each application is --> + <!-- deployed, this file is processed, followed by the --> + <!-- "/WEB-INF/web.xml" deployment descriptor from your own --> + <!-- applications. --> + <!-- --> + <!-- WARNING: Do not configure application-specific resources here! --> + <!-- They should go in the "/WEB-INF/web.xml" file in your application. --> + + + <!-- ================== Built In Servlet Definitions ==================== --> + + + <!-- The default servlet for all web applications, that serves static --> + <!-- resources. It processes all requests that are not mapped to other --> + <!-- servlets with servlet mappings (defined either here or in your own --> + <!-- web.xml file). 
This servlet supports the following initialization --> + <!-- parameters (default values are in square brackets): --> + <!-- --> + <!-- debug Debugging detail level for messages logged --> + <!-- by this servlet. [0] --> + <!-- --> + <!-- fileEncoding Encoding to be used to read static resources --> + <!-- [platform default] --> + <!-- --> + <!-- input Input buffer size (in bytes) when reading --> + <!-- resources to be served. [2048] --> + <!-- --> + <!-- listings Should directory listings be produced if there --> + <!-- is no welcome file in this directory? [false] --> + <!-- WARNING: Listings for directories with many --> + <!-- entries can be slow and may consume --> + <!-- significant proportions of server resources. --> + <!-- --> + <!-- output Output buffer size (in bytes) when writing --> + <!-- resources to be served. [2048] --> + <!-- --> + <!-- readonly Is this context "read only", so HTTP --> + <!-- commands like PUT and DELETE are --> + <!-- rejected? [true] --> + <!-- --> + <!-- readmeFile File to display together with the directory --> + <!-- contents. [null] --> + <!-- --> + <!-- sendfileSize If the connector used supports sendfile, this --> + <!-- represents the minimal file size in KB for --> + <!-- which sendfile will be used. Use a negative --> + <!-- value to always disable sendfile. [48] --> + <!-- --> + <!-- useAcceptRanges Should the Accept-Ranges header be included --> + <!-- in responses where appropriate? [true] --> + <!-- --> + <!-- For directory listing customization. Checks localXsltFile, then --> + <!-- globalXsltFile, then defaults to original behavior. --> + <!-- --> + <!-- localXsltFile Make directory listings an XML doc and --> + <!-- pass the result to this style sheet residing --> + <!-- in that directory. 
This overrides --> + <!-- contextXsltFile and globalXsltFile[null] --> + <!-- --> + <!-- contextXsltFile Make directory listings an XML doc and --> + <!-- pass the result to this style sheet which is --> + <!-- relative to the context root. This overrides --> + <!-- globalXsltFile[null] --> + <!-- --> + <!-- globalXsltFile Site wide configuration version of --> + <!-- localXsltFile This argument is expected --> + <!-- to be a physical file. [null] --> + <!-- --> + <!-- --> + + <servlet> + <servlet-name>default</servlet-name> + <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class> + <init-param> + <param-name>debug</param-name> + <param-value>0</param-value> + </init-param> + <init-param> + <param-name>listings</param-name> + <param-value>false</param-value> + </init-param> + <load-on-startup>1</load-on-startup> + </servlet> + + + <!-- The JSP page compiler and execution servlet, which is the mechanism --> + <!-- used by Tomcat to support JSP pages. Traditionally, this servlet --> + <!-- is mapped to the URL pattern "*.jsp". This servlet supports the --> + <!-- following initialization parameters (default values are in square --> + <!-- brackets): --> + <!-- --> + <!-- checkInterval If development is false and checkInterval is --> + <!-- greater than zero, background compilations are --> + <!-- enabled. checkInterval is the time in seconds --> + <!-- between checks to see if a JSP page (and its --> + <!-- dependent files) needs to be recompiled. [0] --> + <!-- --> + <!-- classdebuginfo Should the class file be compiled with --> + <!-- debugging information? [true] --> + <!-- --> + <!-- classpath What class path should I use while compiling --> + <!-- generated servlets? [Created dynamically --> + <!-- based on the current web application] --> + <!-- --> + <!-- compiler Which compiler Ant should use to compile JSP --> + <!-- pages. See the jasper documentation for more --> + <!-- information. 
--> + <!-- --> + <!-- compilerSourceVM Compiler source VM. [1.6] --> + <!-- --> + <!-- compilerTargetVM Compiler target VM. [1.6] --> + <!-- --> + <!-- development Is Jasper used in development mode? If true, --> + <!-- the frequency at which JSPs are checked for --> + <!-- modification may be specified via the --> + <!-- modificationTestInterval parameter. [true] --> + <!-- --> + <!-- displaySourceFragment --> + <!-- Should a source fragment be included in --> + <!-- exception messages? [true] --> + <!-- --> + <!-- dumpSmap Should the SMAP info for JSR45 debugging be --> + <!-- dumped to a file? [false] --> + <!-- False if suppressSmap is true --> + <!-- --> + <!-- enablePooling Determines whether tag handler pooling is --> + <!-- enabled. This is a compilation option. It will --> + <!-- not alter the behaviour of JSPs that have --> + <!-- already been compiled. [true] --> + <!-- --> + <!-- engineOptionsClass Allows specifying the Options class used to --> + <!-- configure Jasper. If not present, the default --> + <!-- EmbeddedServletOptions will be used. --> + <!-- --> + <!-- errorOnUseBeanInvalidClassAttribute --> + <!-- Should Jasper issue an error when the value of --> + <!-- the class attribute in an useBean action is --> + <!-- not a valid bean class? [true] --> + <!-- --> + <!-- fork Tell Ant to fork compiles of JSP pages so that --> + <!-- a separate JVM is used for JSP page compiles --> + <!-- from the one Tomcat is running in. [true] --> + <!-- --> + <!-- genStringAsCharArray --> + <!-- Should text strings be generated as char --> + <!-- arrays, to improve performance in some cases? --> + <!-- [false] --> + <!-- --> + <!-- ieClassId The class-id value to be sent to Internet --> + <!-- Explorer when using <jsp:plugin> tags. --> + <!-- [clsid:8AD9C840-044E-11D1-B3E9-00805F499D93] --> + <!-- --> + <!-- javaEncoding Java file encoding to use for generating java --> + <!-- source files. 
[UTF8] --> + <!-- --> + <!-- keepgenerated Should we keep the generated Java source code --> + <!-- for each page instead of deleting it? [true] --> + <!-- --> + <!-- mappedfile Should we generate static content with one --> + <!-- print statement per input line, to ease --> + <!-- debugging? [true] --> + <!-- --> + <!-- maxLoadedJsps The maximum number of JSPs that will be loaded --> + <!-- for a web application. If more than this --> + <!-- number of JSPs are loaded, the least recently --> + <!-- used JSPs will be unloaded so that the number --> + <!-- of JSPs loaded at any one time does not exceed --> + <!-- this limit. A value of zero or less indicates --> + <!-- no limit. [-1] --> + <!-- --> + <!-- jspIdleTimeout The amount of time in seconds a JSP can be --> + <!-- idle before it is unloaded. A value of zero --> + <!-- or less indicates never unload. [-1] --> + <!-- --> + <!-- modificationTestInterval --> + <!-- Causes a JSP (and its dependent files) to not --> + <!-- be checked for modification during the --> + <!-- specified time interval (in seconds) from the --> + <!-- last time the JSP was checked for --> + <!-- modification. A value of 0 will cause the JSP --> + <!-- to be checked on every access. --> + <!-- Used in development mode only. [4] --> + <!-- --> + <!-- recompileOnFail If a JSP compilation fails should the --> + <!-- modificationTestInterval be ignored and the --> + <!-- next access trigger a re-compilation attempt? --> + <!-- Used in development mode only and is disabled --> + <!-- by default as compilation may be expensive and --> + <!-- could lead to excessive resource usage. --> + <!-- [false] --> + <!-- --> + <!-- scratchdir What scratch directory should we use when --> + <!-- compiling JSP pages? [default work directory --> + <!-- for the current web application] --> + <!-- --> + <!-- suppressSmap Should the generation of SMAP info for JSR45 --> + <!-- debugging be suppressed? 
[false] --> + <!-- --> + <!-- trimSpaces Should white spaces in template text between --> + <!-- actions or directives be trimmed? [false] --> + <!-- --> + <!-- xpoweredBy Determines whether X-Powered-By response --> + <!-- header is added by generated servlet. [false] --> + + <servlet> + <servlet-name>jsp</servlet-name> + <servlet-class>org.apache.jasper.servlet.JspServlet</servlet-class> + <init-param> + <param-name>fork</param-name> + <param-value>false</param-value> + </init-param> + <init-param> + <param-name>xpoweredBy</param-name> + <param-value>false</param-value> + </init-param> + <load-on-startup>3</load-on-startup> + </servlet> + + + <!-- NOTE: An SSI Filter is also available as an alternative SSI --> + <!-- implementation. Use either the Servlet or the Filter but NOT both. --> + <!-- --> + <!-- Server Side Includes processing servlet, which processes SSI --> + <!-- directives in HTML pages consistent with similar support in web --> + <!-- servers like Apache. Traditionally, this servlet is mapped to the --> + <!-- URL pattern "*.shtml". This servlet supports the following --> + <!-- initialization parameters (default values are in square brackets): --> + <!-- --> + <!-- buffered Should output from this servlet be buffered? --> + <!-- (0=false, 1=true) [0] --> + <!-- --> + <!-- debug Debugging detail level for messages logged --> + <!-- by this servlet. [0] --> + <!-- --> + <!-- expires The number of seconds before a page with SSI --> + <!-- directives will expire. [No default] --> + <!-- --> + <!-- isVirtualWebappRelative --> + <!-- Should "virtual" paths be interpreted as --> + <!-- relative to the context root, instead of --> + <!-- the server root? (0=false, 1=true) [0] --> + <!-- --> + <!-- inputEncoding The encoding to assume for SSI resources if --> + <!-- one is not available from the resource. --> + <!-- [Platform default] --> + <!-- --> + <!-- outputEncoding The encoding to use for the page that results --> + <!-- from the SSI processing. 
[UTF-8] --> + <!-- --> + <!-- allowExec Is use of the exec command enabled? [false] --> + +<!-- + <servlet> + <servlet-name>ssi</servlet-name> + <servlet-class> + org.apache.catalina.ssi.SSIServlet + </servlet-class> + <init-param> + <param-name>buffered</param-name> + <param-value>1</param-value> + </init-param> + <init-param> + <param-name>debug</param-name> + <param-value>0</param-value> + </init-param> + <init-param> + <param-name>expires</param-name> + <param-value>666</param-value> + </init-param> + <init-param> + <param-name>isVirtualWebappRelative</param-name> + <param-value>0</param-value> + </init-param> + <load-on-startup>4</load-on-startup> + </servlet> +--> + + + <!-- Common Gateway Includes (CGI) processing servlet, which supports --> + <!-- execution of external applications that conform to the CGI spec --> + <!-- requirements. Typically, this servlet is mapped to the URL pattern --> + <!-- "/cgi-bin/*", which means that any CGI applications that are --> + <!-- executed must be present within the web application. This servlet --> + <!-- supports the following initialization parameters (default values --> + <!-- are in square brackets): --> + <!-- --> + <!-- cgiPathPrefix The CGI search path will start at --> + <!-- webAppRootDir + File.separator + this prefix. --> + <!-- [WEB-INF/cgi] --> + <!-- --> + <!-- debug Debugging detail level for messages logged --> + <!-- by this servlet. [0] --> + <!-- --> + <!-- executable Name of the executable used to run the --> + <!-- script. [perl] --> + <!-- --> + <!-- parameterEncoding Name of parameter encoding to be used with --> + <!-- CGI servlet. --> + <!-- [System.getProperty("file.encoding","UTF-8")] --> + <!-- --> + <!-- passShellEnvironment Should the shell environment variables (if --> + <!-- any) be passed to the CGI script? [false] --> + <!-- --> + <!-- stderrTimeout The time (in milliseconds) to wait for the --> + <!-- reading of stderr to complete before --> + <!-- terminating the CGI process. 
[2000] --> + +<!-- + <servlet> + <servlet-name>cgi</servlet-name> + <servlet-class>org.apache.catalina.servlets.CGIServlet</servlet-class> + <init-param> + <param-name>debug</param-name> + <param-value>0</param-value> + </init-param> + <init-param> + <param-name>cgiPathPrefix</param-name> + <param-value>WEB-INF/cgi</param-value> + </init-param> + <load-on-startup>5</load-on-startup> + </servlet> +--> + + + <!-- ================ Built In Servlet Mappings ========================= --> + + + <!-- The servlet mappings for the built in servlets defined above. Note --> + <!-- that, by default, the CGI and SSI servlets are *not* mapped. You --> + <!-- must uncomment these mappings (or add them to your application's own --> + <!-- web.xml deployment descriptor) to enable these services --> + + <!-- The mapping for the default servlet --> + <servlet-mapping> + <servlet-name>default</servlet-name> + <url-pattern>/</url-pattern> + </servlet-mapping> + + <!-- The mappings for the JSP servlet --> + <servlet-mapping> + <servlet-name>jsp</servlet-name> + <url-pattern>*.jsp</url-pattern> + <url-pattern>*.jspx</url-pattern> + </servlet-mapping> + + <!-- The mapping for the SSI servlet --> +<!-- + <servlet-mapping> + <servlet-name>ssi</servlet-name> + <url-pattern>*.shtml</url-pattern> + </servlet-mapping> +--> + + <!-- The mapping for the CGI Gateway servlet --> + +<!-- + <servlet-mapping> + <servlet-name>cgi</servlet-name> + <url-pattern>/cgi-bin/*</url-pattern> + </servlet-mapping> +--> + + + <!-- ================== Built In Filter Definitions ===================== --> + + <!-- A filter that sets character encoding that is used to decode --> + <!-- parameters in a POST request --> +<!-- + <filter> + <filter-name>setCharacterEncodingFilter</filter-name> + <filter-class>org.apache.catalina.filters.SetCharacterEncodingFilter</filter-class> + <init-param> + <param-name>encoding</param-name> + <param-value>UTF-8</param-value> + </init-param> + <async-supported>true</async-supported> + 
</filter> +--> + + <!-- A filter that triggers request parameters parsing and rejects the --> + <!-- request if some parameters were skipped because of parsing errors or --> + <!-- request size limitations. --> +<!-- + <filter> + <filter-name>failedRequestFilter</filter-name> + <filter-class> + org.apache.catalina.filters.FailedRequestFilter + </filter-class> + <async-supported>true</async-supported> + </filter> +--> + + + <!-- NOTE: An SSI Servlet is also available as an alternative SSI --> + <!-- implementation. Use either the Servlet or the Filter but NOT both. --> + <!-- --> + <!-- Server Side Includes processing filter, which processes SSI --> + <!-- directives in HTML pages consistent with similar support in web --> + <!-- servers like Apache. Traditionally, this filter is mapped to the --> + <!-- URL pattern "*.shtml", though it can be mapped to "*" as it will --> + <!-- selectively enable/disable SSI processing based on mime types. For --> + <!-- this to work you will need to uncomment the .shtml mime type --> + <!-- definition towards the bottom of this file. --> + <!-- The contentType init param allows you to apply SSI processing to JSP --> + <!-- pages, javascript, or any other content you wish. This filter --> + <!-- supports the following initialization parameters (default values are --> + <!-- in square brackets): --> + <!-- --> + <!-- contentType A regex pattern that must be matched before --> + <!-- SSI processing is applied. --> + <!-- [text/x-server-parsed-html(;.*)?] --> + <!-- --> + <!-- debug Debugging detail level for messages logged --> + <!-- by this servlet. [0] --> + <!-- --> + <!-- expires The number of seconds before a page with SSI --> + <!-- directives will expire. [No default] --> + <!-- --> + <!-- isVirtualWebappRelative --> + <!-- Should "virtual" paths be interpreted as --> + <!-- relative to the context root, instead of --> + <!-- the server root? 
(0=false, 1=true) [0] --> + <!-- --> + <!-- allowExec Is use of the exec command enabled? [false] --> + +<!-- + <filter> + <filter-name>ssi</filter-name> + <filter-class> + org.apache.catalina.ssi.SSIFilter + </filter-class> + <init-param> + <param-name>contentType</param-name> + <param-value>text/x-server-parsed-html(;.*)?</param-value> + </init-param> + <init-param> + <param-name>debug</param-name> + <param-value>0</param-value> + </init-param> + <init-param> + <param-name>expires</param-name> + <param-value>666</param-value> + </init-param> + <init-param> + <param-name>isVirtualWebappRelative</param-name> + <param-value>0</param-value> + </init-param> + </filter> +--> + + + <!-- ==================== Built In Filter Mappings ====================== --> + + <!-- The mapping for the Set Character Encoding Filter --> +<!-- + <filter-mapping> + <filter-name>setCharacterEncodingFilter</filter-name> + <url-pattern>/*</url-pattern> + </filter-mapping> +--> + + <!-- The mapping for the Failed Request Filter --> +<!-- + <filter-mapping> + <filter-name>failedRequestFilter</filter-name> + <url-pattern>/*</url-pattern> + </filter-mapping> +--> + + <!-- The mapping for the SSI Filter --> +<!-- + <filter-mapping> + <filter-name>ssi</filter-name> + <url-pattern>*.shtml</url-pattern> + </filter-mapping> +--> + + + <!-- ==================== Default Session Configuration ================= --> + <!-- You can set the default session timeout (in minutes) for all newly --> + <!-- created sessions by modifying the value below. --> + + <session-config> + <session-timeout>30</session-timeout> + </session-config> + + + <!-- ===================== Default MIME Type Mappings =================== --> + <!-- When serving static resources, Tomcat will automatically generate --> + <!-- a "Content-Type" header based on the resource's filename extension, --> + <!-- based on these mappings. 
Additional mappings can be added here (to --> + <!-- apply to all web applications), or in your own application's web.xml --> + <!-- deployment descriptor. --> + + <mime-mapping> + <extension>123</extension> + <mime-type>application/vnd.lotus-1-2-3</mime-type> + </mime-mapping> + <mime-mapping> + <extension>3dml</extension> + <mime-type>text/vnd.in3d.3dml</mime-type> + </mime-mapping> + <mime-mapping> + <extension>3g2</extension> + <mime-type>video/3gpp2</mime-type> + </mime-mapping> + <mime-mapping> + <extension>3gp</extension> + <mime-type>video/3gpp</mime-type> + </mime-mapping> + <mime-mapping> + <extension>7z</extension> + <mime-type>application/x-7z-compressed</mime-type> + </mime-mapping> + <mime-mapping> + <extension>aab</extension> + <mime-type>application/x-authorware-bin</mime-type> + </mime-mapping> + <mime-mapping> + <extension>aac</extension> + <mime-type>audio/x-aac</mime-type> + </mime-mapping> + <mime-mapping> + <extension>aam</extension> + <mime-type>application/x-authorware-map</mime-type> + </mime-mapping> + <mime-mapping> + <extension>aas</extension> + <mime-type>application/x-authorware-seg</mime-type> + </mime-mapping> + <mime-mapping> + <extension>abs</extension> + <mime-type>audio/x-mpeg</mime-type> + </mime-mapping> + <mime-mapping> + <extension>abw</extension> + <mime-type>application/x-abiword</mime-type> + </mime-mapping> + <mime-mapping> + <extension>ac</extension> + <mime-type>application/pkix-attr-cert</mime-type> + </mime-mapping> + <mime-mapping> + <extension>acc</extension> + <mime-type>application/vnd.americandynamics.acc</mime-type> + </mime-mapping> + <mime-mapping> + <extension>ace</extension> + <mime-type>application/x-ace-compressed</mime-type> + </mime-mapping> + <mime-mapping> + <extension>acu</extension> + <mime-type>application/vnd.acucobol</mime-type> + </mime-mapping> + <mime-mapping> + <extension>acutc</extension> + <mime-type>application/vnd.acucorp</mime-type> + </mime-mapping> + <mime-mapping> + 
<extension>adp</extension> + <mime-type>audio/adpcm</mime-type> + </mime-mapping> + <mime-mapping> + <extension>aep</extension> + <mime-type>application/vnd.audiograph</mime-type> + </mime-mapping> + <mime-mapping> + <extension>afm</extension> + <mime-type>application/x-font-type1</mime-type> + </mime-mapping> + <mime-mapping> + <extension>afp</extension> + <mime-type>application/vnd.ibm.modcap</mime-type> + </mime-mapping> + <mime-mapping> + <extension>ahead</extension> + <mime-type>application/vnd.ahead.space</mime-type> + </mime-mapping> + <mime-mapping> + <extension>ai</extension> + <mime-type>application/postscript</mime-type> + </mime-mapping> + <mime-mapping> + <extension>aif</extension> + <mime-type>audio/x-aiff</mime-type> + </mime-mapping> + <mime-mapping> + <extension>aifc</extension> + <mime-type>audio/x-aiff</mime-type> + </mime-mapping> + <mime-mapping> + <extension>aiff</extension> + <mime-type>audio/x-aiff</mime-type> + </mime-mapping> + <mime-mapping> + <extension>aim</extension> + <mime-type>application/x-aim</mime-type> + </mime-mapping> + <mime-mapping> + <extension>air</extension> + <mime-type>application/vnd.adobe.air-application-installer-package+zip</mime-type> + </mime-mapping> + <mime-mapping> + <extension>ait</extension> + <mime-type>application/vnd.dvb.ait</mime-type> + </mime-mapping> + <mime-mapping> + <extension>ami</extension> + <mime-type>application/vnd.amiga.ami</mime-type> + </mime-mapping> + <mime-mapping> + <extension>anx</extension> + <mime-type>application/annodex</mime-type> + </mime-mapping> + <mime-mapping> + <extension>apk</extension> + <mime-type>application/vnd.android.package-archive</mime-type> + </mime-mapping> + <mime-mapping> + <extension>application</extension> + <mime-type>application/x-ms-application</mime-type> + </mime-mapping> + <mime-mapping> + <extension>apr</extension> + <mime-type>application/vnd.lotus-approach</mime-type> + </mime-mapping> + <mime-mapping> + <extension>art</extension> + 
<mime-type>image/x-jg</mime-type> + </mime-mapping> + <mime-mapping> + <extension>asc</extension> + <mime-type>application/pgp-signature</mime-type> + </mime-mapping> + <mime-mapping> + <extension>asf</extension> + <mime-type>video/x-ms-asf</mime-type> + </mime-mapping> + <mime-mapping> + <extension>asm</extension> + <mime-type>text/x-asm</mime-type> + </mime-mapping> + <mime-mapping> + <extension>aso</extension> + <mime-type>application/vnd.accpac.simply.aso</mime-type> + </mime-mapping> + <mime-mapping> + <extension>asx</extension> + <mime-type>video/x-ms-asf</mime-type> + </mime-mapping> + <mime-mapping> + <extension>atc</extension> + <mime-type>application/vnd.acucorp</mime-type> + </mime-mapping> + <mime-mapping> + <extension>atom</extension> + <mime-type>application/atom+xml</mime-type> + </mime-mapping> + <mime-mapping> + <extension>atomcat</extension> + <mime-type>application/atomcat+xml</mime-type> + </mime-mapping> + <mime-mapping> + <extension>atomsvc</extension> + <mime-type>application/atomsvc+xml</mime-type> + </mime-mapping> + <mime-mapping> + <extension>atx</extension> + <mime-type>application/vnd.antix.game-component</mime-type> + </mime-mapping> + <mime-mapping> + <extension>au</extension> + <mime-type>audio/basic</mime-type> + </mime-mapping> + <mime-mapping> + <extension>avi</extension> + <mime-type>video/x-msvideo</mime-type> + </mime-mapping> + <mime-mapping> + <extension>avx</extension> + <mime-type>video/x-rad-screenplay</mime-type> + </mime-mapping> + <mime-mapping> + <extension>aw</extension> + <mime-type>application/applixware</mime-type> + </mime-mapping> + <mime-mapping> + <extension>axa</extension> + <mime-type>audio/annodex</mime-type> + </mime-mapping> + <mime-mapping> + <extension>axv</extension> + <mime-type>video/annodex</mime-type> + </mime-mapping> + <mime-mapping> + <extension>azf</extension> + <mime-type>application/vnd.airzip.filesecure.azf</mime-type> + </mime-mapping> + <mime-mapping> + <extension>azs</extension> + 
<mime-type>application/vnd.airzip.filesecure.azs</mime-type> + </mime-mapping> + <mime-mapping> + <extension>azw</extension> + <mime-type>application/vnd.amazon.ebook</mime-type> + </mime-mapping> + <mime-mapping> + <extension>bat</extension> + <mime-type>application/x-msdownload</mime-type> + </mime-mapping> + <mime-mapping> + <extension>bcpio</extension> + <mime-type>application/x-bcpio</mime-type> + </mime-mapping> + <mime-mapping> + <extension>bdf</extension> + <mime-type>application/x-font-bdf</mime-type> + </mime-mapping> + <mime-mapping> + <extension>bdm</extension> + <mime-type>application/vnd.syncml.dm+wbxml</mime-type> + </mime-mapping> + <mime-mapping> + <extension>bed</extension> + <mime-type>application/vnd.realvnc.bed</mime-type> + </mime-mapping> + <mime-mapping> + <extension>bh2</extension> + <mime-type>application/vnd.fujitsu.oasysprs</mime-type> + </mime-mapping> + <mime-mapping> + <extension>bin</extension> + <mime-type>application/octet-stream</mime-type> + </mime-mapping> + <mime-mapping> + <extension>bmi</extension> + <mime-type>application/vnd.bmi</mime-type> + </mime-mapping> + <mime-mapping> + <extension>bmp</extension> + <mime-type>image/bmp</mime-type> + </mime-mapping> + <mime-mapping> + <extension>body</extension> + <mime-type>text/html</mime-type> + </mime-mapping> + <mime-mapping> + <extension>book</extension> + <mime-type>application/vnd.framemaker</mime-type> + </mime-mapping> + <mime-mapping> + <extension>box</extension> + <mime-type>application/vnd.previewsystems.box</mime-type> + </mime-mapping> + <mime-mapping> + <extension>boz</extension> + <mime-type>application/x-bzip2</mime-type> + </mime-mapping> + <mime-mapping> + <extension>bpk</extension> + <mime-type>application/octet-stream</mime-type> + </mime-mapping> + <mime-mapping> + <extension>btif</extension> + <mime-type>image/prs.btif</mime-type> + </mime-mapping> + <mime-mapping> + <extension>bz</extension> + <mime-type>application/x-bzip</mime-type> + </mime-mapping> + 
<mime-mapping> + <extension>bz2</extension> + <mime-type>application/x-bzip2</mime-type> + </mime-mapping> + <mime-mapping> + <extension>c</extension> + <mime-type>text/x-c</mime-type> + </mime-mapping> + <mime-mapping> + <extension>c11amc</extension> + <mime-type>application/vnd.cluetrust.cartomobile-config</mime-type> + </mime-mapping> + <mime-mapping> + <extension>c11amz</extension> + <mime-type>application/vnd.cluetrust.cartomobile-config-pkg</mime-type> + </mime-mapping> + <mime-mapping> + <extension>c4d</extension> + <mime-type>application/vnd.clonk.c4group</mime-type> + </mime-mapping> + <mime-mapping> + <extension>c4f</extension> + <mime-type>application/vnd.clonk.c4group</mime-type> + </mime-mapping> + <mime-mapping> + <extension>c4g</extension> + <mime-type>application/vnd.clonk.c4group</mime-type> + </mime-mapping> + <mime-mapping> + <extension>c4p</extension> + <mime-type>application/vnd.clonk.c4group</mime-type> + </mime-mapping> + <mime-mapping> + <extension>c4u</extension> + <mime-type>application/vnd.clonk.c4group</mime-type> + </mime-mapping> + <mime-mapping> + <extension>cab</extension> + <mime-type>application/vnd.ms-cab-compressed</mime-type> + </mime-mapping> + <mime-mapping> + <extension>cap</extension> + <mime-type>application/vnd.tcpdump.pcap</mime-type> + </mime-mapping> + <mime-mapping> + <extension>car</extension> + <mime-type>application/vnd.curl.car</mime-type> + </mime-mapping> + <mime-mapping> + <extension>cat</extension> + <mime-type>application/vnd.ms-pki.seccat</mime-type> + </mime-mapping> + <mime-mapping> + <extension>cc</extension> + <mime-type>text/x-c</mime-type> + </mime-mapping> + <mime-mapping> + <extension>cct</extension> + <mime-type>application/x-director</mime-type> + </mime-mapping> + <mime-mapping> + <extension>ccxml</extension> + <mime-type>application/ccxml+xml</mime-type> + </mime-mapping> + <mime-mapping> + <extension>cdbcmsg</extension> + <mime-type>application/vnd.contact.cmsg</mime-type> + </mime-mapping> + 
<mime-mapping> + <extension>cdf</extension> + <mime-type>application/x-cdf</mime-type> + </mime-mapping> + <mime-mapping> + <extension>cdkey</extension> + <mime-type>application/vnd.mediastation.cdkey</mime-type> + </mime-mapping> + <mime-mapping> + <extension>cdmia</extension> + <mime-type>application/cdmi-capability</mime-type> + </mime-mapping> + <mime-mapping> + <extension>cdmic</extension> + <mime-type>application/cdmi-container</mime-type> + </mime-mapping> + <mime-mapping> + <extension>cdmid</extension> + <mime-type>application/cdmi-domain</mime-type> + </mime-mapping> + <mime-mapping> + <extension>cdmio</extension> + <mime-type>application/cdmi-object</mime-type> + </mime-mapping> + <mime-mapping> + <extension>cdmiq</extension> + <mime-type>application/cdmi-queue</mime-type> + </mime-mapping> + <mime-mapping> + <extension>cdx</extension> + <mime-type>chemical/x-cdx</mime-type> + </mime-mapping> + <mime-mapping> + <extension>cdxml</extension> + <mime-type>application/vnd.chemdraw+xml</mime-type> + </mime-mapping> + <mime-mapping> + <extension>cdy</extension> + <mime-type>application/vnd.cinderella</mime-type> + </mime-mapping> + <mime-mapping> + <extension>cer</extension> + <mime-type>application/pkix-cert</mime-type> + </mime-mapping> + <mime-mapping> + <extension>cgm</extension> + <mime-type>image/cgm</mime-type> + </mime-mapping> + <mime-mapping> + <extension>chat</extension> + <mime-type>application/x-chat</mime-type> + </mime-mapping> + <mime-mapping> + <extension>chm</extension> + <mime-type>application/vnd.ms-htmlhelp</mime-type> + </mime-mapping> + <mime-mapping> + <extension>chrt</extension> + <mime-type>application/vnd.kde.kchart</mime-type> + </mime-mapping> + <mime-mapping> + <extension>cif</extension> + <mime-type>chemical/x-cif</mime-type> + </mime-mapping> + <mime-mapping> + <extension>cii</extension> + <mime-type>application/vnd.anser-web-certificate-issue-initiation</mime-type> + </mime-mapping> + <mime-mapping> + <extension>cil</extension> 
+ <mime-type>application/vnd.ms-artgalry</mime-type> + </mime-mapping> + <mime-mapping> + <extension>cla</extension> + <mime-type>application/vnd.claymore</mime-type> + </mime-mapping> + <mime-mapping> + <extension>class</extension> + <mime-type>application/java</mime-type> + </mime-mapping> + <mime-mapping> + <extension>clkk</extension> + <mime-type>application/vnd.crick.clicker.keyboard</mime-type> + </mime-mapping> + <mime-mapping> + <extension>clkp</extension> + <mime-type>application/vnd.crick.clicker.palette</mime-type> + </mime-mapping> + <mime-mapping> + <extension>clkt</extension> + <mime-type>application/vnd.crick.clicker.template</mime-type> + </mime-mapping> + <mime-mapping> + <extension>clkw</extension> + <mime-type>application/vnd.crick.clicker.wordbank</mime-type> + </mime-mapping> + <mime-mapping> + <extension>clkx</extension> + <mime-type>application/vnd.crick.clicker</mime-type> + </mime-mapping> + <mime-mapping> + <extension>clp</extension> + <mime-type>application/x-msclip</mime-type> + </mime-mapping> + <mime-mapping> + <extension>cmc</extension> + <mime-type>application/vnd.cosmocaller</mime-type> + </mime-mapping> + <mime-mapping> + <extension>cmdf</extension> + <mime-type>chemical/x-cmdf</mime-type> + </mime-mapping> + <mime-mapping> + <extension>cml</extension> + <mime-type>chemical/x-cml</mime-type> + </mime-mapping> + <mime-mapping> + <extension>cmp</extension> + <mime-type>application/vnd.yellowriver-custom-menu</mime-type> + </mime-mapping> + <mime-mapping> + <extension>cmx</extension> + <mime-type>image/x-cmx</mime-type> + </mime-mapping> + <mime-mapping> + <extension>cod</extension> + <mime-type>application/vnd.rim.cod</mime-type> + </mime-mapping> + <mime-mapping> + <extension>com</extension> + <mime-type>application/x-msdownload</mime-type> + </mime-mapping> + <mime-mapping> + <extension>conf</extension> + <mime-type>text/plain</mime-type> + </mime-mapping> + <mime-mapping> + <extension>cpio</extension> + 
<mime-type>application/x-cpio</mime-type> + </mime-mapping> + <mime-mapping> + <extension>cpp</extension> + <mime-type>text/x-c</mime-type> + </mime-mapping> + <mime-mapping> + <extension>cpt</extension> + <mime-type>application/mac-compactpro</mime-type> + </mime-mapping> + <mime-mapping> + <extension>crd</extension> + <mime-type>application/x-mscardfile</mime-type> + </mime-mapping> + <mime-mapping> + <extension>crl</extension> + <mime-type>application/pkix-crl</mime-type> + </mime-mapping> + <mime-mapping> + <extension>crt</extension> + <mime-type>application/x-x509-ca-cert</mime-type> + </mime-mapping> + <mime-mapping> + <extension>cryptonote</extension> + <mime-type>application/vnd.rig.cryptonote</mime-type> + </mime-mapping> + <mime-mapping> + <extension>csh</extension> + <mime-type>application/x-csh</mime-type> + </mime-mapping> + <mime-mapping> + <extension>csml</extension> + <mime-type>chemical/x-csml</mime-type> + </mime-mapping> + <mime-mapping> + <extension>csp</extension> + <mime-type>application/vnd.commonspace</mime-type> + </mime-mapping> + <mime-mapping> + <extension>css</extension> + <mime-type>text/css</mime-type> + </mime-mapping> + <mime-mapping> + <extension>cst</extension> + <mime-type>application/x-director</mime-type> + </mime-mapping> + <mime-mapping> + <extension>csv</extension> + <mime-type>text/csv</mime-type> + </mime-mapping> + <mime-mapping> + <extension>cu</extension> + <mime-type>application/cu-seeme</mime-type> + </mime-mapping> + <mime-mapping> + <extension>curl</extension> + <mime-type>text/vnd.curl</mime-type> + </mime-mapping> + <mime-mapping> + <extension>cww</extension> + <mime-type>application/prs.cww</mime-type> + </mime-mapping> + <mime-mapping> + <extension>cxt</extension> + <mime-type>application/x-director</mime-type> + </mime-mapping> + <mime-mapping> + <extension>cxx</extension> + <mime-type>text/x-c</mime-type> + </mime-mapping> + <mime-mapping> + <extension>dae</extension> + 
<mime-type>model/vnd.collada+xml</mime-type> + </mime-mapping> + <mime-mapping> + <extension>daf</extension> + <mime-type>application/vnd.mobius.daf</mime-type> + </mime-mapping> + <mime-mapping> + <extension>dataless</extension> + <mime-type>application/vnd.fdsn.seed</mime-type> + </mime-mapping> + <mime-mapping> + <extension>davmount</extension> + <mime-type>application/davmount+xml</mime-type> + </mime-mapping> + <mime-mapping> + <extension>dcr</extension> + <mime-type>application/x-director</mime-type> + </mime-mapping> + <mime-mapping> + <extension>dcurl</extension> + <mime-type>text/vnd.curl.dcurl</mime-type> + </mime-mapping> + <mime-mapping> + <extension>dd2</extension> + <mime-type>application/vnd.oma.dd2+xml</mime-type> + </mime-mapping> + <mime-mapping> + <extension>ddd</extension> + <mime-type>application/vnd.fujixerox.ddd</mime-type> + </mime-mapping> + <mime-mapping> + <extension>deb</extension> + <mime-type>application/x-debian-package</mime-type> + </mime-mapping> + <mime-mapping> + <extension>def</extension> + <mime-type>text/plain</mime-type> + </mime-mapping> + <mime-mapping> + <extension>deploy</extension> + <mime-type>application/octet-stream</mime-type> + </mime-mapping> + <mime-mapping> + <extension>der</extension> + <mime-type>application/x-x509-ca-cert</mime-type> + </mime-mapping> + <mime-mapping> + <extension>dfac</extension> + <mime-type>application/vnd.dreamfactory</mime-type> + </mime-mapping> + <mime-mapping> + <extension>dib</extension> + <mime-type>image/bmp</mime-type> + </mime-mapping> + <mime-mapping> + <extension>dic</extension> + <mime-type>text/x-c</mime-type> + </mime-mapping> + <mime-mapping> + <extension>dir</extension> + <mime-type>application/x-director</mime-type> + </mime-mapping> + <mime-mapping> + <extension>dis</extension> + <mime-type>application/vnd.mobius.dis</mime-type> + </mime-mapping> + <mime-mapping> + <extension>dist</extension> + <mime-type>application/octet-stream</mime-type> + </mime-mapping> + 
<mime-mapping> + <extension>distz</extension> + <mime-type>application/octet-stream</mime-type> + </mime-mapping> + <mime-mapping> + <extension>djv</extension> + <mime-type>image/vnd.djvu</mime-type> + </mime-mapping> + <mime-mapping> + <extension>djvu</extension> + <mime-type>image/vnd.djvu</mime-type> + </mime-mapping> + <mime-mapping> + <extension>dll</extension> + <mime-type>application/x-msdownload</mime-type> + </mime-mapping> + <mime-mapping> + <extension>dmg</extension> + <mime-type>application/octet-stream</mime-type> + </mime-mapping> + <mime-mapping> + <extension>dmp</extension> + <mime-type>application/vnd.tcpdump.pcap</mime-type> + </mime-mapping> + <mime-mapping> + <extension>dms</extension> + <mime-type>application/octet-stream</mime-type> + </mime-mapping> + <mime-mapping> + <extension>dna</extension> + <mime-type>application/vnd.dna</mime-type> + </mime-mapping> + <mime-mapping> + <extension>doc</extension> + <mime-type>application/msword</mime-type> + </mime-mapping> + <mime-mapping> + <extension>docm</extension> + <mime-type>application/vnd.ms-word.document.macroenabled.12</mime-type> + </mime-mapping> + <mime-mapping> + <extension>docx</extension> + <mime-type>application/vnd.openxmlformats-officedocument.wordprocessingml.document</mime-type> + </mime-mapping> + <mime-mapping> + <extension>dot</extension> + <mime-type>application/msword</mime-type> + </mime-mapping> + <mime-mapping> + <extension>dotm</extension> + <mime-type>application/vnd.ms-word.template.macroenabled.12</mime-type> + </mime-mapping> + <mime-mapping> + <extension>dotx</extension> + <mime-type>application/vnd.openxmlformats-officedocument.wordprocessingml.template</mime-type> + </mime-mapping> + <mime-mapping> + <extension>dp</extension> + <mime-type>application/vnd.osgi.dp</mime-type> + </mime-mapping> + <mime-mapping> + <extension>dpg</extension> + <mime-type>application/vnd.dpgraph</mime-type> + </mime-mapping> + <mime-mapping> + <extension>dra</extension> + 
<mime-type>audio/vnd.dra</mime-type> + </mime-mapping> + <mime-mapping> + <extension>dsc</extension> + <mime-type>text/prs.lines.tag</mime-type> + </mime-mapping> + <mime-mapping> + <extension>dssc</extension> + <mime-type>application/dssc+der</mime-type> + </mime-mapping> + <mime-mapping> + <extension>dtb</extension> + <mime-type>application/x-dtbook+xml</mime-type> + </mime-mapping> + <mime-mapping> + <extension>dtd</extension> + <mime-type>application/xml-dtd</mime-type> + </mime-mapping> + <mime-mapping> + <extension>dts</extension> + <mime-type>audio/vnd.dts</mime-type> + </mime-mapping> + <mime-mapping> + <extension>dtshd</extension> + <mime-type>audio/vnd.dts.hd</mime-type> + </mime-mapping> + <mime-mapping> + <extension>dump</extension> + <mime-type>application/octet-stream</mime-type> + </mime-mapping> + <mime-mapping> + <extension>dv</extension> + <mime-type>video/x-dv</mime-type> + </mime-mapping> + <mime-mapping> + <extension>dvb</extension> + <mime-type>video/vnd.dvb.file</mime-type> + </mime-mapping> + <mime-mapping> + <extension>dvi</extension> + <mime-type>application/x-dvi</mime-type> + </mime-mapping> + <mime-mapping> + <extension>dwf</extension> + <mime-type>model/vnd.dwf</mime-type> + </mime-mapping> + <mime-mapping> + <extension>dwg</extension> + <mime-type>image/vnd.dwg</mime-type> + </mime-mapping> + <mime-mapping> + <extension>dxf</extension> + <mime-type>image/vnd.dxf</mime-type> + </mime-mapping> + <mime-mapping> + <extension>dxp</extension> + <mime-type>application/vnd.spotfire.dxp</mime-type> + </mime-mapping> + <mime-mapping> + <extension>dxr</extension> + <mime-type>application/x-director</mime-type> + </mime-mapping> + <mime-mapping> + <extension>ecelp4800</extension> + <mime-type>audio/vnd.nuera.ecelp4800</mime-type> + </mime-mapping> + <mime-mapping> + <extension>ecelp7470</extension> + <mime-type>audio/vnd.nuera.ecelp7470</mime-type> + </mime-mapping> + <mime-mapping> + <extension>ecelp9600</extension> + 
<mime-type>audio/vnd.nuera.ecelp9600</mime-type> + </mime-mapping> + <mime-mapping> + <extension>ecma</extension> + <mime-type>application/ecmascript</mime-type> + </mime-mapping> + <mime-mapping> + <extension>edm</extension> + <mime-type>application/vnd.novadigm.edm</mime-type> + </mime-mapping> + <mime-mapping> + <extension>edx</extension> + <mime-type>application/vnd.novadigm.edx</mime-type> + </mime-mapping> + <mime-mapping> + <extension>efif</extension> + <mime-type>application/vnd.picsel</mime-type> + </mime-mapping> + <mime-mapping> + <extension>ei6</extension> + <mime-type>application/vnd.pg.osasli</mime-type> + </mime-mapping> + <mime-mapping> + <extension>elc</extension> + <mime-type>application/octet-stream</mime-type> + </mime-mapping> + <mime-mapping> + <extension>eml</extension> + <mime-type>message/rfc822</mime-type> + </mime-mapping> + <mime-mapping> + <extension>emma</extension> + <mime-type>application/emma+xml</mime-type> + </mime-mapping> + <mime-mapping> + <extension>eol</extension> + <mime-type>audio/vnd.digital-winds</mime-type> + </mime-mapping> + <mime-mapping> + <extension>eot</extension> + <mime-type>application/vnd.ms-fontobject</mime-type> + </mime-mapping> + <mime-mapping> + <extension>eps</extension> + <mime-type>application/postscript</mime-type> + </mime-mapping> + <mime-mapping> + <extension>epub</extension> + <mime-type>application/epub+zip</mime-type> + </mime-mapping> + <mime-mapping> + <extension>es3</extension> + <mime-type>application/vnd.eszigno3+xml</mime-type> + </mime-mapping> + <mime-mapping> + <extension>esf</extension> + <mime-type>application/vnd.epson.esf</mime-type> + </mime-mapping> + <mime-mapping> + <extension>et3</extension> + <mime-type>application/vnd.eszigno3+xml</mime-type> + </mime-mapping> + <mime-mapping> + <extension>etx</extension> + <mime-type>text/x-setext</mime-type> + </mime-mapping> + <mime-mapping> + <extension>exe</extension> + <mime-type>application/octet-stream</mime-type> + </mime-mapping> + 
<mime-mapping> + <extension>exi</extension> + <mime-type>application/exi</mime-type> + </mime-mapping> + <mime-mapping> + <extension>ext</extension> + <mime-type>application/vnd.novadigm.ext</mime-type> + </mime-mapping> + <mime-mapping> + <extension>ez</extension> + <mime-type>application/andrew-inset</mime-type> + </mime-mapping> + <mime-mapping> + <extension>ez2</extension> + <mime-type>application/vnd.ezpix-album</mime-type> + </mime-mapping> + <mime-mapping> + <extension>ez3</extension> + <mime-type>application/vnd.ezpix-package</mime-type> + </mime-mapping> + <mime-mapping> + <extension>f</extension> + <mime-type>text/x-fortran</mime-type> + </mime-mapping> + <mime-mapping> + <extension>f4v</extension> + <mime-type>video/x-f4v</mime-type> + </mime-mapping> + <mime-mapping> + <extension>f77</extension> + <mime-type>text/x-fortran</mime-type> + </mime-mapping> + <mime-mapping> + <extension>f90</extension> + <mime-type>text/x-fortran</mime-type> + </mime-mapping> + <mime-mapping> + <extension>fbs</extension> + <mime-type>image/vnd.fastbidsheet</mime-type> + </mime-mapping> + <mime-mapping> + <extension>fcs</extension> + <mime-type>application/vnd.isac.fcs</mime-type> + </mime-mapping> + <mime-mapping> + <extension>fdf</extension> + <mime-type>application/vnd.fdf</mime-type> + </mime-mapping> + <mime-mapping> + <extension>fe_launch</extension> + <mime-type>application/vnd.denovo.fcselayout-link</mime-type> + </mime-mapping> + <mime-mapping> + <extension>fg5</extension> + <mime-type>application/vnd.fujitsu.oasysgp</mime-type> + </mime-mapping> + <mime-mapping> + <extension>fgd</extension> + <mime-type>application/x-director</mime-type> + </mime-mapping> + <mime-mapping> + <extension>fh</extension> + <mime-type>image/x-freehand</mime-type> + </mime-mapping> + <mime-mapping> + <extension>fh4</extension> + <mime-type>image/x-freehand</mime-type> + </mime-mapping> + <mime-mapping> + <extension>fh5</extension> + <mime-type>image/x-freehand</mime-type> + </mime-mapping> 
+ <mime-mapping> + <extension>fh7</extension> + <mime-type>image/x-freehand</mime-type> + </mime-mapping> + <mime-mapping> + <extension>fhc</extension> + <mime-type>image/x-freehand</mime-type> + </mime-mapping> + <mime-mapping> + <extension>fig</extension> + <mime-type>application/x-xfig</mime-type> + </mime-mapping> + <mime-mapping> + <extension>flac</extension> + <mime-type>audio/flac</mime-type> + </mime-mapping> + <mime-mapping> + <extension>fli</extension> + <mime-type>video/x-fli</mime-type> + </mime-mapping> + <mime-mapping> + <extension>flo</extension> + <mime-type>application/vnd.micrografx.flo</mime-type> + </mime-mapping> + <mime-mapping> + <extension>flv</extension> + <mime-type>video/x-flv</mime-type> + </mime-mapping> + <mime-mapping> + <extension>flw</extension> + <mime-type>application/vnd.kde.kivio</mime-type> + </mime-mapping> + <mime-mapping> + <extension>flx</extension> + <mime-type>text/vnd.fmi.flexstor</mime-type> + </mime-mapping> + <mime-mapping> + <extension>fly</extension> + <mime-type>text/vnd.fly</mime-type> + </mime-mapping> + <mime-mapping> + <extension>fm</extension> + <mime-type>application/vnd.framemaker</mime-type> + </mime-mapping> + <mime-mapping> + <extension>fnc</extension> + <mime-type>application/vnd.frogans.fnc</mime-type> + </mime-mapping> + <mime-mapping> + <extension>for</extension> + <mime-type>text/x-fortran</mime-type> + </mime-mapping> + <mime-mapping> + <extension>fpx</extension> + <mime-type>image/vnd.fpx</mime-type> + </mime-mapping> + <mime-mapping> + <extension>frame</extension> + <mime-type>application/vnd.framemaker</mime-type> + </mime-mapping> + <mime-mapping> + <extension>fsc</extension> + <mime-type>application/vnd.fsc.weblaunch</mime-type> + </mime-mapping> + <mime-mapping> + <extension>fst</extension> + <mime-type>image/vnd.fst</mime-type> + </mime-mapping> + <mime-mapping> + <extension>ftc</extension> + <mime-type>application/vnd.fluxtime.clip</mime-type> + </mime-mapping> + <mime-mapping> + 
<extension>fti</extension> + <mime-type>application/vnd.anser-web-funds-transfer-initiation</mime-type> + </mime-mapping> + <mime-mapping> + <extension>fvt</extension> + <mime-type>video/vnd.fvt</mime-type> + </mime-mapping> + <mime-mapping> + <extension>fxp</extension> + <mime-type>application/vnd.adobe.fxp</mime-type> + </mime-mapping> + <mime-mapping> + <extension>fxpl</extension> + <mime-type>application/vnd.adobe.fxp</mime-type> + </mime-mapping> + <mime-mapping> + <extension>fzs</extension> + <mime-type>application/vnd.fuzzysheet</mime-type> + </mime-mapping> + <mime-mapping> + <extension>g2w</extension> + <mime-type>application/vnd.geoplan</mime-type> + </mime-mapping> + <mime-mapping> + <extension>g3</extension> + <mime-type>image/g3fax</mime-type> + </mime-mapping> + <mime-mapping> + <extension>g3w</extension> + <mime-type>application/vnd.geospace</mime-type> + </mime-mapping> + <mime-mapping> + <extension>gac</extension> + <mime-type>application/vnd.groove-account</mime-type> + </mime-mapping> + <mime-mapping> + <extension>gbr</extension> + <mime-type>application/rpki-ghostbusters</mime-type> + </mime-mapping> + <mime-mapping> + <extension>gdl</extension> + <mime-type>model/vnd.gdl</mime-type> + </mime-mapping> + <mime-mapping> + <extension>geo</extension> + <mime-type>application/vnd.dynageo</mime-type> + </mime-mapping> + <mime-mapping> + <extension>gex</extension> + <mime-type>application/vnd.geometry-explorer</mime-type> + </mime-mapping> + <mime-mapping> + <extension>ggb</extension> + <mime-type>application/vnd.geogebra.file</mime-type> + </mime-mapping> + <mime-mapping> + <extension>ggt</extension> + <mime-type>application/vnd.geogebra.tool</mime-type> + </mime-mapping> + <mime-mapping> + <extension>ghf</extension> + <mime-type>application/vnd.groove-help</mime-type> + </mime-mapping> + <mime-mapping> + <extension>gif</extension> + <mime-type>image/gif</mime-type> + </mime-mapping> + <mime-mapping> + <extension>gim</extension> + 
<mime-type>application/vnd.groove-identity-message</mime-type> + </mime-mapping> + <mime-mapping> + <extension>gmx</extension> + <mime-type>application/vnd.gmx</mime-type> + </mime-mapping> + <mime-mapping> + <extension>gnumeric</extension> + <mime-type>application/x-gnumeric</mime-type> + </mime-mapping> + <mime-mapping> + <extension>gph</extension> + <mime-type>application/vnd.flographit</mime-type> + </mime-mapping> + <mime-mapping> + <extension>gqf</extension> + <mime-type>application/vnd.grafeq</mime-type> + </mime-mapping> + <mime-mapping> + <extension>gqs</extension> + <mime-type>application/vnd.grafeq</mime-type> + </mime-mapping> + <mime-mapping> + <extension>gram</extension> + <mime-type>application/srgs</mime-type> + </mime-mapping> + <mime-mapping> + <extension>gre</extension> + <mime-type>application/vnd.geometry-explorer</mime-type> + </mime-mapping> + <mime-mapping> + <extension>grv</extension> + <mime-type>application/vnd.groove-injector</mime-type> + </mime-mapping> + <mime-mapping> + <extension>grxml</extension> + <mime-type>application/srgs+xml</mime-type> + </mime-mapping> + <mime-mapping> + <extension>gsf</extension> + <mime-type>application/x-font-ghostscript</mime-type> + </mime-mapping> + <mime-mapping> + <extension>gtar</extension> + <mime-type>application/x-gtar</mime-type> + </mime-mapping> + <mime-mapping> + <extension>gtm</extension> + <mime-type>application/vnd.groove-tool-message</mime-type> + </mime-mapping> + <mime-mapping> + <extension>gtw</extension> + <mime-type>model/vnd.gtw</mime-type> + </mime-mapping> + <mime-mapping> + <extension>gv</extension> + <mime-type>text/vnd.graphviz</mime-type> + </mime-mapping> + <mime-mapping> + <extension>gxt</extension> + <mime-type>application/vnd.geonext</mime-type> + </mime-mapping> + <mime-mapping> + <extension>gz</extension> + <mime-type>application/x-gzip</mime-type> + </mime-mapping> + <mime-mapping> + <extension>h</extension> + <mime-type>text/x-c</mime-type> + </mime-mapping> + 
<mime-mapping> + <extension>h261</extension> + <mime-type>video/h261</mime-type> + </mime-mapping> + <mime-mapping> + <extension>h263</extension> + <mime-type>video/h263</mime-type> + </mime-mapping> + <mime-mapping> + <extension>h264</extension> + <mime-type>video/h264</mime-type> + </mime-mapping> + <mime-mapping> + <extension>hal</extension> + <mime-type>application/vnd.hal+xml</mime-type> + </mime-mapping> + <mime-mapping> + <extension>hbci</extension> + <mime-type>application/vnd.hbci</mime-type> + </mime-mapping> + <mime-mapping> + <extension>hdf</extension> + <mime-type>application/x-hdf</mime-type> + </mime-mapping> + <mime-mapping> + <extension>hh</extension> + <mime-type>text/x-c</mime-type> + </mime-mapping> + <mime-mapping> + <extension>hlp</extension> + <mime-type>application/winhlp</mime-type> + </mime-mapping> + <mime-mapping> + <extension>hpgl</extension> + <mime-type>application/vnd.hp-hpgl</mime-type> + </mime-mapping> + <mime-mapping> + <extension>hpid</extension> + <mime-type>application/vnd.hp-hpid</mime-type> + </mime-mapping> + <mime-mapping> + <extension>hps</extension> + <mime-type>application/vnd.hp-hps</mime-type> + </mime-mapping> + <mime-mapping> + <extension>hqx</extension> + <mime-type>application/mac-binhex40</mime-type> + </mime-mapping> + <mime-mapping> + <extension>htc</extension> + <mime-type>text/x-component</mime-type> + </mime-mapping> + <mime-mapping> + <extension>htke</extension> + <mime-type>application/vnd.kenameaapp</mime-type> + </mime-mapping> + <mime-mapping> + <extension>htm</extension> + <mime-type>text/html</mime-type> + </mime-mapping> + <mime-mapping> + <extension>html</extension> + <mime-type>text/html</mime-type> + </mime-mapping> + <mime-mapping> + <extension>hvd</extension> + <mime-type>application/vnd.yamaha.hv-dic</mime-type> + </mime-mapping> + <mime-mapping> + <extension>hvp</extension> + <mime-type>application/vnd.yamaha.hv-voice</mime-type> + </mime-mapping> + <mime-mapping> + <extension>hvs</extension> 
+ <mime-type>application/vnd.yamaha.hv-script</mime-type> + </mime-mapping> + <mime-mapping> + <extension>i2g</extension> + <mime-type>application/vnd.intergeo</mime-type> + </mime-mapping> + <mime-mapping> + <extension>icc</extension> + <mime-type>application/vnd.iccprofile</mime-type> + </mime-mapping> + <mime-mapping> + <extension>ice</extension> + <mime-type>x-conference/x-cooltalk</mime-type> + </mime-mapping> + <mime-mapping> + <extension>icm</extension> + <mime-type>application/vnd.iccprofile</mime-type> + </mime-mapping> + <mime-mapping> + <extension>ico</extension> + <mime-type>image/x-icon</mime-type> + </mime-mapping> + <mime-mapping> + <extension>ics</extension> + <mime-type>text/calendar</mime-type> + </mime-mapping> + <mime-mapping> + <extension>ief</extension> + <mime-type>image/ief</mime-type> + </mime-mapping> + <mime-mapping> + <extension>ifb</extension> + <mime-type>text/calendar</mime-type> + </mime-mapping> + <mime-mapping> + <extension>ifm</extension> + <mime-type>application/vnd.shana.informed.formdata</mime-type> + </mime-mapping> + <mime-mapping> + <extension>iges</extension> + <mime-type>model/iges</mime-type> + </mime-mapping> + <mime-mapping> + <extension>igl</extension> + <mime-type>application/vnd.igloader</mime-type> + </mime-mapping> + <mime-mapping> + <extension>igm</extension> + <mime-type>application/vnd.insors.igm</mime-type> + </mime-mapping> + <mime-mapping> + <extension>igs</extension> + <mime-type>model/iges</mime-type> + </mime-mapping> + <mime-mapping> + <extension>igx</extension> + <mime-type>application/vnd.micrografx.igx</mime-type> + </mime-mapping> + <mime-mapping> + <extension>iif</extension> + <mime-type>application/vnd.shana.informed.interchange</mime-type> + </mime-mapping> + <mime-mapping> + <extension>imp</extension> + <mime-type>application/vnd.accpac.simply.imp</mime-type> + </mime-mapping> + <mime-mapping> + <extension>ims</extension> + <mime-type>application/vnd.ms-ims</mime-type> + </mime-mapping> + 
<mime-mapping> + <extension>in</extension> + <mime-type>text/plain</mime-type> + </mime-mapping> + <mime-mapping> + <extension>ink</extension> + <mime-type>application/inkml+xml</mime-type> + </mime-mapping> + <mime-mapping> + <extension>inkml</extension> + <mime-type>application/inkml+xml</mime-type> + </mime-mapping> + <mime-mapping> + <extension>iota</extension> + <mime-type>application/vnd.astraea-software.iota</mime-type> + </mime-mapping> + <mime-mapping> + <extension>ipfix</extension> + <mime-type>application/ipfix</mime-type> + </mime-mapping> + <mime-mapping> + <extension>ipk</extension> + <mime-type>application/vnd.shana.informed.package</mime-type> + </mime-mapping> + <mime-mapping> + <extension>irm</extension> + <mime-type>application/vnd.ibm.rights-management</mime-type> + </mime-mapping> + <mime-mapping> + <extension>irp</extension> + <mime-type>application/vnd.irepository.package+xml</mime-type> + </mime-mapping> + <mime-mapping> + <extension>iso</extension> + <mime-type>application/octet-stream</mime-type> + </mime-mapping> + <mime-mapping> + <extension>itp</extension> + <mime-type>application/vnd.shana.informed.formtemplate</mime-type> + </mime-mapping> + <mime-mapping> + <extension>ivp</extension> + <mime-type>application/vnd.immervision-ivp</mime-type> + </mime-mapping> + <mime-mapping> + <extension>ivu</extension> + <mime-type>application/vnd.immervision-ivu</mime-type> + </mime-mapping> + <mime-mapping> + <extension>jad</extension> + <mime-type>text/vnd.sun.j2me.app-descriptor</mime-type> + </mime-mapping> + <mime-mapping> + <extension>jam</extension> + <mime-type>application/vnd.jam</mime-type> + </mime-mapping> + <mime-mapping> + <extension>jar</extension> + <mime-type>application/java-archive</mime-type> + </mime-mapping> + <mime-mapping> + <extension>java</extension> + <mime-type>text/x-java-source</mime-type> + </mime-mapping> + <mime-mapping> + <extension>jisp</extension> + <mime-type>application/vnd.jisp</mime-type> + </mime-mapping> + 
<mime-mapping> + <extension>jlt</extension> + <mime-type>application/vnd.hp-jlyt</mime-type> + </mime-mapping> + <mime-mapping> + <extension>jnlp</extension> + <mime-type>application/x-java-jnlp-file</mime-type> + </mime-mapping> + <mime-mapping> + <extension>joda</extension> + <mime-type>application/vnd.joost.joda-archive</mime-type> + </mime-mapping> + <mime-mapping> + <extension>jpe</extension> + <mime-type>image/jpeg</mime-type> + </mime-mapping> + <mime-mapping> + <extension>jpeg</extension> + <mime-type>image/jpeg</mime-type> + </mime-mapping> + <mime-mapping> + <extension>jpg</extension> + <mime-type>image/jpeg</mime-type> + </mime-mapping> + <mime-mapping> + <extension>jpgm</extension> + <mime-type>video/jpm</mime-type> + </mime-mapping> + <mime-mapping> + <extension>jpgv</extension> + <mime-type>video/jpeg</mime-type> + </mime-mapping> + <mime-mapping> + <extension>jpm</extension> + <mime-type>video/jpm</mime-type> + </mime-mapping> + <mime-mapping> + <extension>js</extension> + <mime-type>application/javascript</mime-type> + </mime-mapping> + <mime-mapping> + <extension>jsf</extension> + <mime-type>text/plain</mime-type> + </mime-mapping> + <mime-mapping> + <extension>json</extension> + <mime-type>application/json</mime-type> + </mime-mapping> + <mime-mapping> + <extension>jspf</extension> + <mime-type>text/plain</mime-type> + </mime-mapping> + <mime-mapping> + <extension>kar</extension> + <mime-type>audio/midi</mime-type> + </mime-mapping> + <mime-mapping> + <extension>karbon</extension> + <mime-type>application/vnd.kde.karbon</mime-type> + </mime-mapping> + <mime-mapping> + <extension>kfo</extension> + <mime-type>application/vnd.kde.kformula</mime-type> + </mime-mapping> + <mime-mapping> + <extension>kia</extension> + <mime-type>application/vnd.kidspiration</mime-type> + </mime-mapping> + <mime-mapping> + <extension>kml</extension> + <mime-type>application/vnd.google-earth.kml+xml</mime-type> + </mime-mapping> + <mime-mapping> + 
<extension>kmz</extension> + <mime-type>application/vnd.google-earth.kmz</mime-type> + </mime-mapping> + <mime-mapping> + <extension>kne</extension> + <mime-type>application/vnd.kinar</mime-type> + </mime-mapping> + <mime-mapping> + <extension>knp</extension> + <mime-type>application/vnd.kinar</mime-type> + </mime-mapping> + <mime-mapping> + <extension>kon</extension> + <mime-type>application/vnd.kde.kontour</mime-type> + </mime-mapping> + <mime-mapping> + <extension>kpr</extension> + <mime-type>application/vnd.kde.kpresenter</mime-type> + </mime-mapping> + <mime-mapping> + <extension>kpt</extension> + <mime-type>application/vnd.kde.kpresenter</mime-type> + </mime-mapping> + <mime-mapping> + <extension>ksp</extension> + <mime-type>application/vnd.kde.kspread</mime-type> + </mime-mapping> + <mime-mapping> + <extension>ktr</extension> + <mime-type>application/vnd.kahootz</mime-type> + </mime-mapping> + <mime-mapping> + <extension>ktx</extension> + <mime-type>image/ktx</mime-type> + </mime-mapping> + <mime-mapping> + <extension>ktz</extension> + <mime-type>application/vnd.kahootz</mime-type> + </mime-mapping> + <mime-mapping> + <extension>kwd</extension> + <mime-type>application/vnd.kde.kword</mime-type> + </mime-mapping> + <mime-mapping> + <extension>kwt</extension> + <mime-type>application/vnd.kde.kword</mime-type> + </mime-mapping> + <mime-mapping> + <extension>lasxml</extension> + <mime-type>application/vnd.las.las+xml</mime-type> + </mime-mapping> + <mime-mapping> + <extension>latex</extension> + <mime-type>application/x-latex</mime-type> + </mime-mapping> + <mime-mapping> + <extension>lbd</extension> + <mime-type>application/vnd.llamagraphics.life-balance.desktop</mime-type> + </mime-mapping> + <mime-mapping> + <extension>lbe</extension> + <mime-type>application/vnd.llamagraphics.life-balance.exchange+xml</mime-type> + </mime-mapping> + <mime-mapping> + <extension>les</extension> + <mime-type>application/vnd.hhe.lesson-player</mime-type> + </mime-mapping> + 
<mime-mapping> + <extension>lha</extension> + <mime-type>application/octet-stream</mime-type> + </mime-mapping> + <mime-mapping> + <extension>link66</extension> + <mime-type>application/vnd.route66.link66+xml</mime-type> + </mime-mapping> + <mime-mapping> + <extension>list</extension> + <mime-type>text/plain</mime-type> + </mime-mapping> + <mime-mapping> + <extension>list3820</extension> + <mime-type>application/vnd.ibm.modcap</mime-type> + </mime-mapping> + <mime-mapping> + <extension>listafp</extension> + <mime-type>application/vnd.ibm.modcap</mime-type> + </mime-mapping> + <mime-mapping> + <extension>log</extension> + <mime-type>text/plain</mime-type> + </mime-mapping> + <mime-mapping> + <extension>lostxml</extension> + <mime-type>application/lost+xml</mime-type> + </mime-mapping> + <mime-mapping> + <extension>lrf</extension> + <mime-type>application/octet-stream</mime-type> + </mime-mapping> + <mime-mapping> + <extension>lrm</extension> + <mime-type>application/vnd.ms-lrm</mime-type> + </mime-mapping> + <mime-mapping> + <extension>ltf</extension> + <mime-type>application/vnd.frogans.ltf</mime-type> + </mime-mapping> + <mime-mapping> + <extension>lvp</extension> + <mime-type>audio/vnd.lucent.voice</mime-type> + </mime-mapping> + <mime-mapping> + <extension>lwp</extension> + <mime-type>application/vnd.lotus-wordpro</mime-type> + </mime-mapping> + <mime-mapping> + <extension>lzh</extension> + <mime-type>application/octet-stream</mime-type> + </mime-mapping> + <mime-mapping> + <extension>m13</extension> + <mime-type>application/x-msmediaview</mime-type> + </mime-mapping> + <mime-mapping> + <extension>m14</extension> + <mime-type>application/x-msmediaview</mime-type> + </mime-mapping> + <mime-mapping> + <extension>m1v</extension> + <mime-type>video/mpeg</mime-type> + </mime-mapping> + <mime-mapping> + <extension>m21</extension> + <mime-type>application/mp21</mime-type> + </mime-mapping> + <mime-mapping> + <extension>m2a</extension> + 
<mime-type>audio/mpeg</mime-type> + </mime-mapping> + <mime-mapping> + <extension>m2v</extension> + <mime-type>video/mpeg</mime-type> + </mime-mapping> + <mime-mapping> + <extension>m3a</extension> + <mime-type>audio/mpeg</mime-type> + </mime-mapping> + <mime-mapping> + <extension>m3u</extension> + <mime-type>audio/x-mpegurl</mime-type> + </mime-mapping> + <mime-mapping> + <extension>m3u8</extension> + <mime-type>application/vnd.apple.mpegurl</mime-type> + </mime-mapping> + <mime-mapping> + <extension>m4a</extension> + <mime-type>audio/mp4</mime-type> + </mime-mapping> + <mime-mapping> + <extension>m4b</extension> + <mime-type>audio/mp4</mime-type> + </mime-mapping> + <mime-mapping> + <extension>m4r</extension> + <mime-type>audio/mp4</mime-type> + </mime-mapping> + <mime-mapping> + <extension>m4u</extension> + <mime-type>video/vnd.mpegurl</mime-type> + </mime-mapping> + <mime-mapping> + <extension>m4v</extension> + <mime-type>video/mp4</mime-type> + </mime-mapping> + <mime-mapping> + <extension>ma</extension> + <mime-type>application/mathematica</mime-type> + </mime-mapping> + <mime-mapping> + <extension>mac</extension> + <mime-type>image/x-macpaint</mime-type> + </mime-mapping> + <mime-mapping> + <extension>mads</extension> + <mime-type>application/mads+xml</mime-type> + </mime-mapping> + <mime-mapping> + <extension>mag</extension> + <mime-type>application/vnd.ecowin.chart</mime-type> + </mime-mapping> + <mime-mapping> + <extension>maker</extension> + <mime-type>application/vnd.framemaker</mime-type> + </mime-mapping> + <mime-mapping> + <extension>man</extension> + <mime-type>text/troff</mime-type> + </mime-mapping> + <mime-mapping> + <extension>mathml</extension> + <mime-type>application/mathml+xml</mime-type> + </mime-mapping> + <mime-mapping> + <extension>mb</extension> + <mime-type>application/mathematica</mime-type> + </mime-mapping> + <mime-mapping> + <extension>mbk</extension> + <mime-type>application/vnd.mobius.mbk</mime-type> + </mime-mapping> + 
<mime-mapping> + <extension>mbox</extension> + <mime-type>application/mbox</mime-type> + </mime-mapping> + <mime-mapping> + <extension>mc1</extension> + <mime-type>application/vnd.medcalcdata</mime-type> + </mime-mapping> + <mime-mapping> + <extension>mcd</extension> + <mime-type>application/vnd.mcd</mime-type> + </mime-mapping> + <mime-mapping> + <extension>mcurl</extension> + <mime-type>text/vnd.curl.mcurl</mime-type> + </mime-mapping> + <mime-mapping> + <extension>mdb</extension> + <mime-type>application/x-msaccess</mime-type> + </mime-mapping> + <mime-mapping> + <extension>mdi</extension> + <mime-type>image/vnd.ms-modi</mime-type> + </mime-mapping> + <mime-mapping> + <extension>me</extension> + <mime-type>text/troff</mime-type> + </mime-mapping> + <mime-mapping> + <extension>mesh</extension> + <mime-type>model/mesh</mime-type> + </mime-mapping> + <mime-mapping> + <extension>meta4</extension> + <mime-type>application/metalink4+xml</mime-type> + </mime-mapping> + <mime-mapping> + <extension>mets</extension> + <mime-type>application/mets+xml</mime-type> + </mime-mapping> + <mime-mapping> + <extension>mfm</extension> + <mime-type>application/vnd.mfmp</mime-type> + </mime-mapping> + <mime-mapping> + <extension>mft</extension> + <mime-type>application/rpki-manifest</mime-type> + </mime-mapping> + <mime-mapping> + <extension>mgp</extension> + <mime-type>application/vnd.osgeo.mapguide.package</mime-type> + </mime-mapping> + <mime-mapping> + <extension>mgz</extension> + <mime-type>application/vnd.proteus.magazine</mime-type> + </mime-mapping> + <mime-mapping> + <extension>mid</extension> + <mime-type>audio/midi</mime-type> + </mime-mapping> + <mime-mapping> + <extension>midi</extension> + <mime-type>audio/midi</mime-type> + </mime-mapping> + <mime-mapping> + <extension>mif</extension> + <mime-type>application/x-mif</mime-type> + </mime-mapping> + <mime-mapping> + <extension>mime</extension> + <mime-type>message/rfc822</mime-type> + </mime-mapping> + <mime-mapping> + 
<extension>mj2</extension> + <mime-type>video/mj2</mime-type> + </mime-mapping> + <mime-mapping> + <extension>mjp2</extension> + <mime-type>video/mj2</mime-type> + </mime-mapping> + <mime-mapping> + <extension>mlp</extension> + <mime-type>application/vnd.dolby.mlp</mime-type> + </mime-mapping> + <mime-mapping> + <extension>mmd</extension> + <mime-type>application/vnd.chipnuts.karaoke-mmd</mime-type> + </mime-mapping> + <mime-mapping> + <extension>mmf</extension> + <mime-type>application/vnd.smaf</mime-type> + </mime-mapping> + <mime-mapping> + <extension>mmr</extension> + <mime-type>image/vnd.fujixerox.edmics-mmr</mime-type> + </mime-mapping> + <mime-mapping> + <extension>mny</extension> + <mime-type>application/x-msmoney</mime-type> + </mime-mapping> + <mime-mapping> + <extension>mobi</extension> + <mime-type>application/x-mobipocket-ebook</mime-type> + </mime-mapping> + <mime-mapping> + <extension>mods</extension> + <mime-type>application/mods+xml</mime-type> + </mime-mapping> + <mime-mapping> + <extension>mov</extension> + <mime-type>video/quicktime</mime-type> + </mime-mapping> + <mime-mapping> + <extension>movie</extension> + <mime-type>video/x-sgi-movie</mime-type> + </mime-mapping> + <mime-mapping> + <extension>mp1</extension> + <mime-type>audio/mpeg</mime-type> + </mime-mapping> + <mime-mapping> + <extension>mp2</extension> + <mime-type>audio/mpeg</mime-type> + </mime-mapping> + <mime-mapping> + <extension>mp21</extension> + <mime-type>application/mp21</mime-type> + </mime-mapping> + <mime-mapping> + <extension>mp2a</extension> + <mime-type>audio/mpeg</mime-type> + </mime-mapping> + <mime-mapping> + <extension>mp3</extension> + <mime-type>audio/mpeg</mime-type> + </mime-mapping> + <mime-mapping> + <extension>mp4</extension> + <mime-type>video/mp4</mime-type> + </mime-mapping> + <mime-mapping> + <extension>mp4a</extension> + <mime-type>audio/mp4</mime-type> + </mime-mapping> + <mime-mapping> + <extension>mp4s</extension> + 
<mime-type>application/mp4</mime-type> + </mime-mapping> + <mime-mapping> + <extension>mp4v</extension> + <mime-type>video/mp4</mime-type> + </mime-mapping> + <mime-mapping> + <extension>mpa</extension> + <mime-type>audio/mpeg</mime-type> + </mime-mapping> + <mime-mapping> + <extension>mpc</extension> + <mime-type>application/vnd.mophun.certificate</mime-type> + </mime-mapping> + <mime-mapping> + <extension>mpe</extension> + <mime-type>video/mpeg</mime-type> + </mime-mapping> + <mime-mapping> + <extension>mpeg</extension> + <mime-type>video/mpeg</mime-type> + </mime-mapping> + <mime-mapping> + <extension>mpega</extension> + <mime-type>audio/x-mpeg</mime-type> + </mime-mapping> + <mime-mapping> + <extension>mpg</extension> + <mime-type>video/mpeg</mime-type> + </mime-mapping> + <mime-mapping> + <extension>mpg4</extension> + <mime-type>video/mp4</mime-type> + </mime-mapping> + <mime-mapping> + <extension>mpga</extension> + <mime-type>audio/mpeg</mime-type> + </mime-mapping> + <mime-mapping> + <extension>mpkg</extension> + <mime-type>application/vnd.apple.installer+xml</mime-type> + </mime-mapping> + <mime-mapping> + <extension>mpm</extension> + <mime-type>application/vnd.blueice.multipass</mime-type> + </mime-mapping> + <mime-mapping> + <extension>mpn</extension> + <mime-type>application/vnd.mophun.application</mime-type> + </mime-mapping> + <mime-mapping> + <extension>mpp</extension> + <mime-type>application/vnd.ms-project</mime-type> + </mime-mapping> + <mime-mapping> + <extension>mpt</extension> + <mime-type>application/vnd.ms-project</mime-type> + </mime-mapping> + <mime-mapping> + <extension>mpv2</extension> + <mime-type>video/mpeg2</mime-type> + </mime-mapping> + <mime-mapping> + <extension>mpy</extension> + <mime-type>application/vnd.ibm.minipay</mime-type> + </mime-mapping> + <mime-mapping> + <extension>mqy</extension> + <mime-type>application/vnd.mobius.mqy</mime-type> + </mime-mapping> + <mime-mapping> + <extension>mrc</extension> + 
<mime-type>application/marc</mime-type> + </mime-mapping> + <mime-mapping> + <extension>mrcx</extension> + <mime-type>application/marcxml+xml</mime-type> + </mime-mapping> + <mime-mapping> + <extension>ms</extension> + <mime-type>text/troff</mime-type> + </mime-mapping> + <mime-mapping> + <extension>mscml</extension> + <mime-type>application/mediaservercontrol+xml</mime-type> + </mime-mapping> + <mime-mapping> + <extension>mseed</extension> + <mime-type>application/vnd.fdsn.mseed</mime-type> + </mime-mapping> + <mime-mapping> + <extension>mseq</extension> + <mime-type>application/vnd.mseq</mime-type> + </mime-mapping> + <mime-mapping> + <extension>msf</extension> + <mime-type>application/vnd.epson.msf</mime-type> + </mime-mapping> + <mime-mapping> + <extension>msh</extension> + <mime-type>model/mesh</mime-type> + </mime-mapping> + <mime-mapping> + <extension>msi</extension> + <mime-type>application/x-msdownload</mime-type> + </mime-mapping> + <mime-mapping> + <extension>msl</extension> + <mime-type>application/vnd.mobius.msl</mime-type> + </mime-mapping> + <mime-mapping> + <extension>msty</extension> + <mime-type>application/vnd.muvee.style</mime-type> + </mime-mapping> + <mime-mapping> + <extension>mts</extension> + <mime-type>model/vnd.mts</mime-type> + </mime-mapping> + <mime-mapping> + <extension>mus</extension> + <mime-type>application/vnd.musician</mime-type> + </mime-mapping> + <mime-mapping> + <extension>musicxml</extension> + <mime-type>application/vnd.recordare.musicxml+xml</mime-type> + </mime-mapping> + <mime-mapping> + <extension>mvb</extension> + <mime-type>application/x-msmediaview</mime-type> + </mime-mapping> + <mime-mapping> + <extension>mwf</extension> + <mime-type>application/vnd.mfer</mime-type> + </mime-mapping> + <mime-mapping> + <extension>mxf</extension> + <mime-type>application/mxf</mime-type> + </mime-mapping> + <mime-mapping> + <extension>mxl</extension> + <mime-type>application/vnd.recordare.musicxml</mime-type> + </mime-mapping> + 
<mime-mapping> + <extension>mxml</extension> + <mime-type>application/xv+xml</mime-type> + </mime-mapping> + <mime-mapping> + <extension>mxs</extension> + <mime-type>application/vnd.triscape.mxs</mime-type> + </mime-mapping> + <mime-mapping> + <extension>mxu</extension> + <mime-type>video/vnd.mpegurl</mime-type> + </mime-mapping> + <mime-mapping> + <extension>n-gage</extension> + <mime-type>application/vnd.nokia.n-gage.symbian.install</mime-type> + </mime-mapping> + <mime-mapping> + <extension>n3</extension> + <mime-type>text/n3</mime-type> + </mime-mapping> + <mime-mapping> + <extension>nb</extension> + <mime-type>application/mathematica</mime-type> + </mime-mapping> + <mime-mapping> + <extension>nbp</extension> + <mime-type>application/vnd.wolfram.player</mime-type> + </mime-mapping> + <mime-mapping> + <extension>nc</extension> + <mime-type>application/x-netcdf</mime-type> + </mime-mapping> + <mime-mapping> + <extension>ncx</extension> + <mime-type>application/x-dtbncx+xml</mime-type> + </mime-mapping> + <mime-mapping> + <extension>ngdat</extension> + <mime-type>application/vnd.nokia.n-gage.data</mime-type> + </mime-mapping> + <mime-mapping> + <extension>nlu</extension> + <mime-type>application/vnd.neurolanguage.nlu</mime-type> + </mime-mapping> + <mime-mapping> + <extension>nml</extension> + <mime-type>application/vnd.enliven</mime-type> + </mime-mapping> + <mime-mapping> + <extension>nnd</extension> + <mime-type>application/vnd.noblenet-directory</mime-type> + </mime-mapping> + <mime-mapping> + <extension>nns</extension> + <mime-type>application/vnd.noblenet-sealer</mime-type> + </mime-mapping> + <mime-mapping> + <extension>nnw</extension> + <mime-type>application/vnd.noblenet-web</mime-type> + </mime-mapping> + <mime-mapping> + <extension>npx</extension> + <mime-type>image/vnd.net-fpx</mime-type> + </mime-mapping> + <mime-mapping> + <extension>nsf</extension> + <mime-type>application/vnd.lotus-notes</mime-type> + </mime-mapping> + <mime-mapping> + 
<extension>oa2</extension> + <mime-type>application/vnd.fujitsu.oasys2</mime-type> + </mime-mapping> + <mime-mapping> + <extension>oa3</extension> + <mime-type>application/vnd.fujitsu.oasys3</mime-type> + </mime-mapping> + <mime-mapping> + <extension>oas</extension> + <mime-type>application/vnd.fujitsu.oasys</mime-type> + </mime-mapping> + <mime-mapping> + <extension>obd</extension> + <mime-type>application/x-msbinder</mime-type> + </mime-mapping> + <mime-mapping> + <extension>oda</extension> + <mime-type>application/oda</mime-type> + </mime-mapping> + <mime-mapping> + <!-- OpenDocument Database --> + <extension>odb</extension> + <mime-type>application/vnd.oasis.opendocument.database</mime-type> + </mime-mapping> + <mime-mapping> + <!-- OpenDocument Chart --> + <extension>odc</extension> + <mime-type>application/vnd.oasis.opendocument.chart</mime-type> + </mime-mapping> + <mime-mapping> + <!-- OpenDocument Formula --> + <extension>odf</extension> + <mime-type>application/vnd.oasis.opendocument.formula</mime-type> + </mime-mapping> + <mime-mapping> + <extension>odft</extension> + <mime-type>application/vnd.oasis.opendocument.formula-template</mime-type> + </mime-mapping> + <mime-mapping> + <!-- OpenDocument Drawing --> + <extension>odg</extension> + <mime-type>application/vnd.oasis.opendocument.graphics</mime-type> + </mime-mapping> + <mime-mapping> + <!-- OpenDocument Image --> + <extension>odi</extension> + <mime-type>application/vnd.oasis.opendocument.image</mime-type> + </mime-mapping> + <mime-mapping> + <!-- OpenDocument Master Document --> + <extension>odm</extension> + <mime-type>application/vnd.oasis.opendocument.text-master</mime-type> + </mime-mapping> + <mime-mapping> + <!-- OpenDocument Presentation --> + <extension>odp</extension> + <mime-type>application/vnd.oasis.opendocument.presentation</mime-type> + </mime-mapping> + <mime-mapping> + <!-- OpenDocument Spreadsheet --> + <extension>ods</extension> + 
<mime-type>application/vnd.oasis.opendocument.spreadsheet</mime-type> + </mime-mapping> + <mime-mapping> + <!-- OpenDocument Text --> + <extension>odt</extension> + <mime-type>application/vnd.oasis.opendocument.text</mime-type> + </mime-mapping> + <mime-mapping> + <extension>oga</extension> + <mime-type>audio/ogg</mime-type> + </mime-mapping> + <mime-mapping> + <extension>ogg</extension> + <mime-type>audio/ogg</mime-type> + </mime-mapping> + <mime-mapping> + <extension>ogv</extension> + <mime-type>video/ogg</mime-type> + </mime-mapping> + <mime-mapping> + <!-- xiph mime types --> + <extension>ogx</extension> + <mime-type>application/ogg</mime-type> + </mime-mapping> + <mime-mapping> + <extension>onepkg</extension> + <mime-type>application/onenote</mime-type> + </mime-mapping> + <mime-mapping> + <extension>onetmp</extension> + <mime-type>application/onenote</mime-type> + </mime-mapping> + <mime-mapping> + <extension>onetoc</extension> + <mime-type>application/onenote</mime-type> + </mime-mapping> + <mime-mapping> + <extension>onetoc2</extension> + <mime-type>application/onenote</mime-type> + </mime-mapping> + <mime-mapping> + <extension>opf</extension> + <mime-type>application/oebps-package+xml</mime-type> + </mime-mapping> + <mime-mapping> + <extension>oprc</extension> + <mime-type>application/vnd.palm</mime-type> + </mime-mapping> + <mime-mapping> + <extension>org</extension> + <mime-type>application/vnd.lotus-organizer</mime-type> + </mime-mapping> + <mime-mapping> + <extension>osf</extension> + <mime-type>application/vnd.yamaha.openscoreformat</mime-type> + </mime-mapping> + <mime-mapping> + <extension>osfpvg</extension> + <mime-type>application/vnd.yamaha.openscoreformat.osfpvg+xml</mime-type> + </mime-mapping> + <mime-mapping> + <extension>otc</extension> + <mime-type>application/vnd.oasis.opendocument.chart-template</mime-type> + </mime-mapping> + <mime-mapping> + <extension>otf</extension> + <mime-type>application/x-font-otf</mime-type> + </mime-mapping> + 
<mime-mapping> + <!-- OpenDocument Drawing Template --> + <extension>otg</extension> + <mime-type>application/vnd.oasis.opendocument.graphics-template</mime-type> + </mime-mapping> + <mime-mapping> + <!-- HTML Document Template --> + <extension>oth</extension> + <mime-type>application/vnd.oasis.opendocument.text-web</mime-type> + </mime-mapping> + <mime-mapping> + <extension>oti</extension> + <mime-type>application/vnd.oasis.opendocument.image-template</mime-type> + </mime-mapping> + <mime-mapping> + <!-- OpenDocument Presentation Template --> + <extension>otp</extension> + <mime-type>application/vnd.oasis.opendocument.presentation-template</mime-type> + </mime-mapping> + <mime-mapping> + <!-- OpenDocument Spreadsheet Template --> + <extension>ots</extension> + <mime-type>application/vnd.oasis.opendocument.spreadsheet-template</mime-type> + </mime-mapping> + <mime-mapping> + <!-- OpenDocument Text Template --> + <extension>ott</extension> + <mime-type>application/vnd.oasis.opendocument.text-template</mime-type> + </mime-mapping> + <mime-mapping> + <extension>oxps</extension> + <mime-type>application/oxps</mime-type> + </mime-mapping> + <mime-mapping> + <extension>oxt</extension> + <mime-type>application/vnd.openofficeorg.extension</mime-type> + </mime-mapping> + <mime-mapping> + <extension>p</extension> + <mime-type>text/x-pascal</mime-type> + </mime-mapping> + <mime-mapping> + <extension>p10</extension> + <mime-type>application/pkcs10</mime-type> + </mime-mapping> + <mime-mapping> + <extension>p12</extension> + <mime-type>application/x-pkcs12</mime-type> + </mime-mapping> + <mime-mapping> + <extension>p7b</extension> + <mime-type>application/x-pkcs7-certificates</mime-type> + </mime-mapping> + <mime-mapping> + <extension>p7c</extension> + <mime-type>application/pkcs7-mime</mime-type> + </mime-mapping> + <mime-mapping> + <extension>p7m</extension> + <mime-type>application/pkcs7-mime</mime-type> + </mime-mapping> + <mime-mapping> + <extension>p7r</extension> + 
<mime-type>application/x-pkcs7-certreqresp</mime-type> + </mime-mapping> + <mime-mapping> + <extension>p7s</extension> + <mime-type>application/pkcs7-signature</mime-type> + </mime-mapping> + <mime-mapping> + <extension>p8</extension> + <mime-type>application/pkcs8</mime-type> + </mime-mapping> + <mime-mapping> + <extension>pas</extension> + <mime-type>text/x-pascal</mime-type> + </mime-mapping> + <mime-mapping> + <extension>paw</extension> + <mime-type>application/vnd.pawaafile</mime-type> + </mime-mapping> + <mime-mapping> + <extension>pbd</extension> + <mime-type>application/vnd.powerbuilder6</mime-type> + </mime-mapping> + <mime-mapping> + <extension>pbm</extension> + <mime-type>image/x-portable-bitmap</mime-type> + </mime-mapping> + <mime-mapping> + <extension>pcap</extension> + <mime-type>application/vnd.tcpdump.pcap</mime-type> + </mime-mapping> + <mime-mapping> + <extension>pcf</extension> + <mime-type>application/x-font-pcf</mime-type> + </mime-mapping> + <mime-mapping> + <extension>pcl</extension> + <mime-type>application/vnd.hp-pcl</mime-type> + </mime-mapping> + <mime-mapping> + <extension>pclxl</extension> + <mime-type>application/vnd.hp-pclxl</mime-type> + </mime-mapping> + <mime-mapping> + <extension>pct</extension> + <mime-type>image/pict</mime-type> + </mime-mapping> + <mime-mapping> + <extension>pcurl</extension> + <mime-type>application/vnd.curl.pcurl</mime-type> + </mime-mapping> + <mime-mapping> + <extension>pcx</extension> + <mime-type>image/x-pcx</mime-type> + </mime-mapping> + <mime-mapping> + <extension>pdb</extension> + <mime-type>application/vnd.palm</mime-type> + </mime-mapping> + <mime-mapping> + <extension>pdf</extension> + <mime-type>application/pdf</mime-type> + </mime-mapping> + <mime-mapping> + <extension>pfa</extension> + <mime-type>application/x-font-type1</mime-type> + </mime-mapping> + <mime-mapping> + <extension>pfb</extension> + <mime-type>application/x-font-type1</mime-type> + </mime-mapping> + <mime-mapping> + 
<extension>pfm</extension> + <mime-type>application/x-font-type1</mime-type> + </mime-mapping> + <mime-mapping> + <extension>pfr</extension> + <mime-type>application/font-tdpfr</mime-type> + </mime-mapping> + <mime-mapping> + <extension>pfx</extension> + <mime-type>application/x-pkcs12</mime-type> + </mime-mapping> + <mime-mapping> + <extension>pgm</extension> + <mime-type>image/x-portable-graymap</mime-type> + </mime-mapping> + <mime-mapping> + <extension>pgn</extension> + <mime-type>application/x-chess-pgn</mime-type> + </mime-mapping> + <mime-mapping> + <extension>pgp</extension> + <mime-type>application/pgp-encrypted</mime-type> + </mime-mapping> + <mime-mapping> + <extension>pic</extension> + <mime-type>image/pict</mime-type> + </mime-mapping> + <mime-mapping> + <extension>pict</extension> + <mime-type>image/pict</mime-type> + </mime-mapping> + <mime-mapping> + <extension>pkg</extension> + <mime-type>application/octet-stream</mime-type> + </mime-mapping> + <mime-mapping> + <extension>pki</extension> + <mime-type>application/pkixcmp</mime-type> + </mime-mapping> + <mime-mapping> + <extension>pkipath</extension> + <mime-type>application/pkix-pkipath</mime-type> + </mime-mapping> + <mime-mapping> + <extension>plb</extension> + <mime-type>application/vnd.3gpp.pic-bw-large</mime-type> + </mime-mapping> + <mime-mapping> + <extension>plc</extension> + <mime-type>application/vnd.mobius.plc</mime-type> + </mime-mapping> + <mime-mapping> + <extension>plf</extension> + <mime-type>application/vnd.pocketlearn</mime-type> + </mime-mapping> + <mime-mapping> + <extension>pls</extension> + <mime-type>audio/x-scpls</mime-type> + </mime-mapping> + <mime-mapping> + <extension>pml</extension> + <mime-type>application/vnd.ctc-posml</mime-type> + </mime-mapping> + <mime-mapping> + <extension>png</extension> + <mime-type>image/png</mime-type> + </mime-mapping> + <mime-mapping> + <extension>pnm</extension> + <mime-type>image/x-portable-anymap</mime-type> + </mime-mapping> + 
<mime-mapping> + <extension>pnt</extension> + <mime-type>image/x-macpaint</mime-type> + </mime-mapping> + <mime-mapping> + <extension>portpkg</extension> + <mime-type>application/vnd.macports.portpkg</mime-type> + </mime-mapping> + <mime-mapping> + <extension>pot</extension> + <mime-type>application/vnd.ms-powerpoint</mime-type> + </mime-mapping> + <mime-mapping> + <extension>potm</extension> + <mime-type>application/vnd.ms-powerpoint.template.macroenabled.12</mime-type> + </mime-mapping> + <mime-mapping> + <extension>potx</extension> + <mime-type>application/vnd.openxmlformats-officedocument.presentationml.template</mime-type> + </mime-mapping> + <mime-mapping> + <extension>ppam</extension> + <mime-type>application/vnd.ms-powerpoint.addin.macroenabled.12</mime-type> + </mime-mapping> + <mime-mapping> + <extension>ppd</extension> + <mime-type>application/vnd.cups-ppd</mime-type> + </mime-mapping> + <mime-mapping> + <extension>ppm</extension> + <mime-type>image/x-portable-pixmap</mime-type> + </mime-mapping> + <mime-mapping> + <extension>pps</extension> + <mime-type>application/vnd.ms-powerpoint</mime-type> + </mime-mapping> + <mime-mapping> + <extension>ppsm</extension> + <mime-type>application/vnd.ms-powerpoint.slideshow.macroenabled.12</mime-type> + </mime-mapping> + <mime-mapping> + <extension>ppsx</extension> + <mime-type>application/vnd.openxmlformats-officedocument.presentationml.slideshow</mime-type> + </mime-mapping> + <mime-mapping> + <extension>ppt</extension> + <mime-type>application/vnd.ms-powerpoint</mime-type> + </mime-mapping> + <mime-mapping> + <extension>pptm</extension> + <mime-type>application/vnd.ms-powerpoint.presentation.macroenabled.12</mime-type> + </mime-mapping> + <mime-mapping> + <extension>pptx</extension> + <mime-type>application/vnd.openxmlformats-officedocument.presentationml.presentation</mime-type> + </mime-mapping> + <mime-mapping> + <extension>pqa</extension> + <mime-type>application/vnd.palm</mime-type> + </mime-mapping> + 
<mime-mapping> + <extension>prc</extension> + <mime-type>application/x-mobipocket-ebook</mime-type> + </mime-mapping> + <mime-mapping> + <extension>pre</extension> + <mime-type>application/vnd.lotus-freelance</mime-type> + </mime-mapping> + <mime-mapping> + <extension>prf</extension> + <mime-type>application/pics-rules</mime-type> + </mime-mapping> + <mime-mapping> + <extension>ps</extension> + <mime-type>application/postscript</mime-type> + </mime-mapping> + <mime-mapping> + <extension>psb</extension> + <mime-type>application/vnd.3gpp.pic-bw-small</mime-type> + </mime-mapping> + <mime-mapping> + <extension>psd</extension> + <mime-type>image/vnd.adobe.photoshop</mime-type> + </mime-mapping> + <mime-mapping> + <extension>psf</extension> + <mime-type>application/x-font-linux-psf</mime-type> + </mime-mapping> + <mime-mapping> + <extension>pskcxml</extension> + <mime-type>application/pskc+xml</mime-type> + </mime-mapping> + <mime-mapping> + <extension>ptid</extension> + <mime-type>application/vnd.pvi.ptid1</mime-type> + </mime-mapping> + <mime-mapping> + <extension>pub</extension> + <mime-type>application/x-mspublisher</mime-type> + </mime-mapping> + <mime-mapping> + <extension>pvb</extension> + <mime-type>application/vnd.3gpp.pic-bw-var</mime-type> + </mime-mapping> + <mime-mapping> + <extension>pwn</extension> + <mime-type>application/vnd.3m.post-it-notes</mime-type> + </mime-mapping> + <mime-mapping> + <extension>pya</extension> + <mime-type>audio/vnd.ms-playready.media.pya</mime-type> + </mime-mapping> + <mime-mapping> + <extension>pyv</extension> + <mime-type>video/vnd.ms-playready.media.pyv</mime-type> + </mime-mapping> + <mime-mapping> + <extension>qam</extension> + <mime-type>application/vnd.epson.quickanime</mime-type> + </mime-mapping> + <mime-mapping> + <extension>qbo</extension> + <mime-type>application/vnd.intu.qbo</mime-type> + </mime-mapping> + <mime-mapping> + <extension>qfx</extension> + <mime-type>application/vnd.intu.qfx</mime-type> + </mime-mapping> 
+ <mime-mapping> + <extension>qps</extension> + <mime-type>application/vnd.publishare-delta-tree</mime-type> + </mime-mapping> + <mime-mapping> + <extension>qt</extension> + <mime-type>video/quicktime</mime-type> + </mime-mapping> + <mime-mapping> + <extension>qti</extension> + <mime-type>image/x-quicktime</mime-type> + </mime-mapping> + <mime-mapping> + <extension>qtif</extension> + <mime-type>image/x-quicktime</mime-type> + </mime-mapping> + <mime-mapping> + <extension>qwd</extension> + <mime-type>application/vnd.quark.quarkxpress</mime-type> + </mime-mapping> + <mime-mapping> + <extension>qwt</extension> + <mime-type>application/vnd.quark.quarkxpress</mime-type> + </mime-mapping> + <mime-mapping> + <extension>qxb</extension> + <mime-type>application/vnd.quark.quarkxpress</mime-type> + </mime-mapping> + <mime-mapping> + <extension>qxd</extension> + <mime-type>application/vnd.quark.quarkxpress</mime-type> + </mime-mapping> + <mime-mapping> + <extension>qxl</extension> + <mime-type>application/vnd.quark.quarkxpress</mime-type> + </mime-mapping> + <mime-mapping> + <extension>qxt</extension> + <mime-type>application/vnd.quark.quarkxpress</mime-type> + </mime-mapping> + <mime-mapping> + <extension>ra</extension> + <mime-type>audio/x-pn-realaudio</mime-type> + </mime-mapping> + <mime-mapping> + <extension>ram</extension> + <mime-type>audio/x-pn-realaudio</mime-type> + </mime-mapping> + <mime-mapping> + <extension>rar</extension> + <mime-type>application/x-rar-compressed</mime-type> + </mime-mapping> + <mime-mapping> + <extension>ras</extension> + <mime-type>image/x-cmu-raster</mime-type> + </mime-mapping> + <mime-mapping> + <extension>rcprofile</extension> + <mime-type>application/vnd.ipunplugged.rcprofile</mime-type> + </mime-mapping> + <mime-mapping> + <extension>rdf</extension> + <mime-type>application/rdf+xml</mime-type> + </mime-mapping> + <mime-mapping> + <extension>rdz</extension> + <mime-type>application/vnd.data-vision.rdz</mime-type> + </mime-mapping> + 
<mime-mapping> + <extension>rep</extension> + <mime-type>application/vnd.businessobjects</mime-type> + </mime-mapping> + <mime-mapping> + <extension>res</extension> + <mime-type>application/x-dtbresource+xml</mime-type> + </mime-mapping> + <mime-mapping> + <extension>rgb</extension> + <mime-type>image/x-rgb</mime-type> + </mime-mapping> + <mime-mapping> + <extension>rif</extension> + <mime-type>application/reginfo+xml</mime-type> + </mime-mapping> + <mime-mapping> + <extension>rip</extension> + <mime-type>audio/vnd.rip</mime-type> + </mime-mapping> + <mime-mapping> + <extension>rl</extension> + <mime-type>application/resource-lists+xml</mime-type> + </mime-mapping> + <mime-mapping> + <extension>rlc</extension> + <mime-type>image/vnd.fujixerox.edmics-rlc</mime-type> + </mime-mapping> + <mime-mapping> + <extension>rld</extension> + <mime-type>application/resource-lists-diff+xml</mime-type> + </mime-mapping> + <mime-mapping> + <extension>rm</extension> + <mime-type>application/vnd.rn-realmedia</mime-type> + </mime-mapping> + <mime-mapping> + <extension>rmi</extension> + <mime-type>audio/midi</mime-type> + </mime-mapping> + <mime-mapping> + <extension>rmp</extension> + <mime-type>audio/x-pn-realaudio-plugin</mime-type> + </mime-mapping> + <mime-mapping> + <extension>rms</extension> + <mime-type>application/vnd.jcp.javame.midlet-rms</mime-type> + </mime-mapping> + <mime-mapping> + <extension>rnc</extension> + <mime-type>application/relax-ng-compact-syntax</mime-type> + </mime-mapping> + <mime-mapping> + <extension>roa</extension> + <mime-type>application/rpki-roa</mime-type> + </mime-mapping> + <mime-mapping> + <extension>roff</extension> + <mime-type>text/troff</mime-type> + </mime-mapping> + <mime-mapping> + <extension>rp9</extension> + <mime-type>application/vnd.cloanto.rp9</mime-type> + </mime-mapping> + <mime-mapping> + <extension>rpss</extension> + <mime-type>application/vnd.nokia.radio-presets</mime-type> + </mime-mapping> + <mime-mapping> + 
<extension>rpst</extension> + <mime-type>application/vnd.nokia.radio-preset</mime-type> + </mime-mapping> + <mime-mapping> + <extension>rq</extension> + <mime-type>application/sparql-query</mime-type> + </mime-mapping> + <mime-mapping> + <extension>rs</extension> + <mime-type>application/rls-services+xml</mime-type> + </mime-mapping> + <mime-mapping> + <extension>rsd</extension> + <mime-type>application/rsd+xml</mime-type> + </mime-mapping> + <mime-mapping> + <extension>rss</extension> + <mime-type>application/rss+xml</mime-type> + </mime-mapping> + <mime-mapping> + <extension>rtf</extension> + <mime-type>application/rtf</mime-type> + </mime-mapping> + <mime-mapping> + <extension>rtx</extension> + <mime-type>text/richtext</mime-type> + </mime-mapping> + <mime-mapping> + <extension>s</extension> + <mime-type>text/x-asm</mime-type> + </mime-mapping> + <mime-mapping> + <extension>saf</extension> + <mime-type>application/vnd.yamaha.smaf-audio</mime-type> + </mime-mapping> + <mime-mapping> + <extension>sbml</extension> + <mime-type>application/sbml+xml</mime-type> + </mime-mapping> + <mime-mapping> + <extension>sc</extension> + <mime-type>application/vnd.ibm.secure-container</mime-type> + </mime-mapping> + <mime-mapping> + <extension>scd</extension> + <mime-type>application/x-msschedule</mime-type> + </mime-mapping> + <mime-mapping> + <extension>scm</extension> + <mime-type>application/vnd.lotus-screencam</mime-type> + </mime-mapping> + <mime-mapping> + <extension>scq</extension> + <mime-type>application/scvp-cv-request</mime-type> + </mime-mapping> + <mime-mapping> + <extension>scs</extension> + <mime-type>application/scvp-cv-response</mime-type> + </mime-mapping> + <mime-mapping> + <extension>scurl</extension> + <mime-type>text/vnd.curl.scurl</mime-type> + </mime-mapping> + <mime-mapping> + <extension>sda</extension> + <mime-type>application/vnd.stardivision.draw</mime-type> + </mime-mapping> + <mime-mapping> + <extension>sdc</extension> + 
<mime-type>application/vnd.stardivision.calc</mime-type> + </mime-mapping> + <mime-mapping> + <extension>sdd</extension> + <mime-type>application/vnd.stardivision.impress</mime-type> + </mime-mapping> + <mime-mapping> + <extension>sdkd</extension> + <mime-type>application/vnd.solent.sdkm+xml</mime-type> + </mime-mapping> + <mime-mapping> + <extension>sdkm</extension> + <mime-type>application/vnd.solent.sdkm+xml</mime-type> + </mime-mapping> + <mime-mapping> + <extension>sdp</extension> + <mime-type>application/sdp</mime-type> + </mime-mapping> + <mime-mapping> + <extension>sdw</extension> + <mime-type>application/vnd.stardivision.writer</mime-type> + </mime-mapping> + <mime-mapping> + <extension>see</extension> + <mime-type>application/vnd.seemail</mime-type> + </mime-mapping> + <mime-mapping> + <extension>seed</extension> + <mime-type>application/vnd.fdsn.seed</mime-type> + </mime-mapping> + <mime-mapping> + <extension>sema</extension> + <mime-type>application/vnd.sema</mime-type> + </mime-mapping> + <mime-mapping> + <extension>semd</extension> + <mime-type>application/vnd.semd</mime-type> + </mime-mapping> + <mime-mapping> + <extension>semf</extension> + <mime-type>application/vnd.semf</mime-type> + </mime-mapping> + <mime-mapping> + <extension>ser</extension> + <mime-type>application/java-serialized-object</mime-type> + </mime-mapping> + <mime-mapping> + <extension>setpay</extension> + <mime-type>application/set-payment-initiation</mime-type> + </mime-mapping> + <mime-mapping> + <extension>setreg</extension> + <mime-type>application/set-registration-initiation</mime-type> + </mime-mapping> + <mime-mapping> + <extension>sfd-hdstx</extension> + <mime-type>application/vnd.hydrostatix.sof-data</mime-type> + </mime-mapping> + <mime-mapping> + <extension>sfs</extension> + <mime-type>application/vnd.spotfire.sfs</mime-type> + </mime-mapping> + <mime-mapping> + <extension>sgl</extension> + <mime-type>application/vnd.stardivision.writer-global</mime-type> + 
</mime-mapping> + <mime-mapping> + <extension>sgm</extension> + <mime-type>text/sgml</mime-type> + </mime-mapping> + <mime-mapping> + <extension>sgml</extension> + <mime-type>text/sgml</mime-type> + </mime-mapping> + <mime-mapping> + <extension>sh</extension> + <mime-type>application/x-sh</mime-type> + </mime-mapping> + <mime-mapping> + <extension>shar</extension> + <mime-type>application/x-shar</mime-type> + </mime-mapping> + <mime-mapping> + <extension>shf</extension> + <mime-type>application/shf+xml</mime-type> + </mime-mapping> + <!-- + <mime-mapping> + <extension>shtml</extension> + <mime-type>text/x-server-parsed-html</mime-type> + </mime-mapping> + --> + <mime-mapping> + <extension>sig</extension> + <mime-type>application/pgp-signature</mime-type> + </mime-mapping> + <mime-mapping> + <extension>silo</extension> + <mime-type>model/mesh</mime-type> + </mime-mapping> + <mime-mapping> + <extension>sis</extension> + <mime-type>application/vnd.symbian.install</mime-type> + </mime-mapping> + <mime-mapping> + <extension>sisx</extension> + <mime-type>application/vnd.symbian.install</mime-type> + </mime-mapping> + <mime-mapping> + <extension>sit</extension> + <mime-type>application/x-stuffit</mime-type> + </mime-mapping> + <mime-mapping> + <extension>sitx</extension> + <mime-type>application/x-stuffitx</mime-type> + </mime-mapping> + <mime-mapping> + <extension>skd</extension> + <mime-type>application/vnd.koan</mime-type> + </mime-mapping> + <mime-mapping> + <extension>skm</extension> + <mime-type>application/vnd.koan</mime-type> + </mime-mapping> + <mime-mapping> + <extension>skp</extension> + <mime-type>application/vnd.koan</mime-type> + </mime-mapping> + <mime-mapping> + <extension>skt</extension> + <mime-type>application/vnd.koan</mime-type> + </mime-mapping> + <mime-mapping> + <extension>sldm</extension> + <mime-type>application/vnd.ms-powerpoint.slide.macroenabled.12</mime-type> + </mime-mapping> + <mime-mapping> + <extension>sldx</extension> + 
<mime-type>application/vnd.openxmlformats-officedocument.presentationml.slide</mime-type> + </mime-mapping> + <mime-mapping> + <extension>slt</extension> + <mime-type>application/vnd.epson.salt</mime-type> + </mime-mapping> + <mime-mapping> + <extension>sm</extension> + <mime-type>application/vnd.stepmania.stepchart</mime-type> + </mime-mapping> + <mime-mapping> + <extension>smf</extension> + <mime-type>application/vnd.stardivision.math</mime-type> + </mime-mapping> + <mime-mapping> + <extension>smi</extension> + <mime-type>application/smil+xml</mime-type> + </mime-mapping> + <mime-mapping> + <extension>smil</extension> + <mime-type>application/smil+xml</mime-type> + </mime-mapping> + <mime-mapping> + <extension>smzip</extension> + <mime-type>application/vnd.stepmania.package</mime-type> + </mime-mapping> + <mime-mapping> + <extension>snd</extension> + <mime-type>audio/basic</mime-type> + </mime-mapping> + <mime-mapping> + <extension>snf</extension> + <mime-type>application/x-font-snf</mime-type> + </mime-mapping> + <mime-mapping> + <extension>so</extension> + <mime-type>application/octet-stream</mime-type> + </mime-mapping> + <mime-mapping> + <extension>spc</extension> + <mime-type>application/x-pkcs7-certificates</mime-type> + </mime-mapping> + <mime-mapping> + <extension>spf</extension> + <mime-type>application/vnd.yamaha.smaf-phrase</mime-type> + </mime-mapping> + <mime-mapping> + <extension>spl</extension> + <mime-type>application/x-futuresplash</mime-type> + </mime-mapping> + <mime-mapping> + <extension>spot</extension> + <mime-type>text/vnd.in3d.spot</mime-type> + </mime-mapping> + <mime-mapping> + <extension>spp</extension> + <mime-type>application/scvp-vp-response</mime-type> + </mime-mapping> + <mime-mapping> + <extension>spq</extension> + <mime-type>application/scvp-vp-request</mime-type> + </mime-mapping> + <mime-mapping> + <extension>spx</extension> + <mime-type>audio/ogg</mime-type> + </mime-mapping> + <mime-mapping> + <extension>src</extension> + 
<mime-type>application/x-wais-source</mime-type> + </mime-mapping> + <mime-mapping> + <extension>sru</extension> + <mime-type>application/sru+xml</mime-type> + </mime-mapping> + <mime-mapping> + <extension>srx</extension> + <mime-type>application/sparql-results+xml</mime-type> + </mime-mapping> + <mime-mapping> + <extension>sse</extension> + <mime-type>application/vnd.kodak-descriptor</mime-type> + </mime-mapping> + <mime-mapping> + <extension>ssf</extension> + <mime-type>application/vnd.epson.ssf</mime-type> + </mime-mapping> + <mime-mapping> + <extension>ssml</extension> + <mime-type>application/ssml+xml</mime-type> + </mime-mapping> + <mime-mapping> + <extension>st</extension> + <mime-type>application/vnd.sailingtracker.track</mime-type> + </mime-mapping> + <mime-mapping> + <extension>stc</extension> + <mime-type>application/vnd.sun.xml.calc.template</mime-type> + </mime-mapping> + <mime-mapping> + <extension>std</extension> + <mime-type>application/vnd.sun.xml.draw.template</mime-type> + </mime-mapping> + <mime-mapping> + <extension>stf</extension> + <mime-type>application/vnd.wt.stf</mime-type> + </mime-mapping> + <mime-mapping> + <extension>sti</extension> + <mime-type>application/vnd.sun.xml.impress.template</mime-type> + </mime-mapping> + <mime-mapping> + <extension>stk</extension> + <mime-type>application/hyperstudio</mime-type> + </mime-mapping> + <mime-mapping> + <extension>stl</extension> + <mime-type>application/vnd.ms-pki.stl</mime-type> + </mime-mapping> + <mime-mapping> + <extension>str</extension> + <mime-type>application/vnd.pg.format</mime-type> + </mime-mapping> + <mime-mapping> + <extension>stw</extension> + <mime-type>application/vnd.sun.xml.writer.template</mime-type> + </mime-mapping> + <mime-mapping> + <extension>sub</extension> + <mime-type>text/vnd.dvb.subtitle</mime-type> + </mime-mapping> + <mime-mapping> + <extension>sus</extension> + <mime-type>application/vnd.sus-calendar</mime-type> + </mime-mapping> + <mime-mapping> + 
<extension>susp</extension> + <mime-type>application/vnd.sus-calendar</mime-type> + </mime-mapping> + <mime-mapping> + <extension>sv4cpio</extension> + <mime-type>application/x-sv4cpio</mime-type> + </mime-mapping> + <mime-mapping> + <extension>sv4crc</extension> + <mime-type>application/x-sv4crc</mime-type> + </mime-mapping> + <mime-mapping> + <extension>svc</extension> + <mime-type>application/vnd.dvb.service</mime-type> + </mime-mapping> + <mime-mapping> + <extension>svd</extension> + <mime-type>application/vnd.svd</mime-type> + </mime-mapping> + <mime-mapping> + <extension>svg</extension> + <mime-type>image/svg+xml</mime-type> + </mime-mapping> + <mime-mapping> + <extension>svgz</extension> + <mime-type>image/svg+xml</mime-type> + </mime-mapping> + <mime-mapping> + <extension>swa</extension> + <mime-type>application/x-director</mime-type> + </mime-mapping> + <mime-mapping> + <extension>swf</extension> + <mime-type>application/x-shockwave-flash</mime-type> + </mime-mapping> + <mime-mapping> + <extension>swi</extension> + <mime-type>application/vnd.aristanetworks.swi</mime-type> + </mime-mapping> + <mime-mapping> + <extension>sxc</extension> + <mime-type>application/vnd.sun.xml.calc</mime-type> + </mime-mapping> + <mime-mapping> + <extension>sxd</extension> + <mime-type>application/vnd.sun.xml.draw</mime-type> + </mime-mapping> + <mime-mapping> + <extension>sxg</extension> + <mime-type>application/vnd.sun.xml.writer.global</mime-type> + </mime-mapping> + <mime-mapping> + <extension>sxi</extension> + <mime-type>application/vnd.sun.xml.impress</mime-type> + </mime-mapping> + <mime-mapping> + <extension>sxm</extension> + <mime-type>application/vnd.sun.xml.math</mime-type> + </mime-mapping> + <mime-mapping> + <extension>sxw</extension> + <mime-type>application/vnd.sun.xml.writer</mime-type> + </mime-mapping> + <mime-mapping> + <extension>t</extension> + <mime-type>text/troff</mime-type> + </mime-mapping> + <mime-mapping> + <extension>taglet</extension> + 
<mime-type>application/vnd.mynfc</mime-type> + </mime-mapping> + <mime-mapping> + <extension>tao</extension> + <mime-type>application/vnd.tao.intent-module-archive</mime-type> + </mime-mapping> + <mime-mapping> + <extension>tar</extension> + <mime-type>application/x-tar</mime-type> + </mime-mapping> + <mime-mapping> + <extension>tcap</extension> + <mime-type>application/vnd.3gpp2.tcap</mime-type> + </mime-mapping> + <mime-mapping> + <extension>tcl</extension> + <mime-type>application/x-tcl</mime-type> + </mime-mapping> + <mime-mapping> + <extension>teacher</extension> + <mime-type>application/vnd.smart.teacher</mime-type> + </mime-mapping> + <mime-mapping> + <extension>tei</extension> + <mime-type>application/tei+xml</mime-type> + </mime-mapping> + <mime-mapping> + <extension>teicorpus</extension> + <mime-type>application/tei+xml</mime-type> + </mime-mapping> + <mime-mapping> + <extension>tex</extension> + <mime-type>application/x-tex</mime-type> + </mime-mapping> + <mime-mapping> + <extension>texi</extension> + <mime-type>application/x-texinfo</mime-type> + </mime-mapping> + <mime-mapping> + <extension>texinfo</extension> + <mime-type>application/x-texinfo</mime-type> + </mime-mapping> + <mime-mapping> + <extension>text</extension> + <mime-type>text/plain</mime-type> + </mime-mapping> + <mime-mapping> + <extension>tfi</extension> + <mime-type>application/thraud+xml</mime-type> + </mime-mapping> + <mime-mapping> + <extension>tfm</extension> + <mime-type>application/x-tex-tfm</mime-type> + </mime-mapping> + <mime-mapping> + <extension>thmx</extension> + <mime-type>application/vnd.ms-officetheme</mime-type> + </mime-mapping> + <mime-mapping> + <extension>tif</extension> + <mime-type>image/tiff</mime-type> + </mime-mapping> + <mime-mapping> + <extension>tiff</extension> + <mime-type>image/tiff</mime-type> + </mime-mapping> + <mime-mapping> + <extension>tmo</extension> + <mime-type>application/vnd.tmobile-livetv</mime-type> + </mime-mapping> + <mime-mapping> + 
<extension>torrent</extension> + <mime-type>application/x-bittorrent</mime-type> + </mime-mapping> + <mime-mapping> + <extension>tpl</extension> + <mime-type>application/vnd.groove-tool-template</mime-type> + </mime-mapping> + <mime-mapping> + <extension>tpt</extension> + <mime-type>application/vnd.trid.tpt</mime-type> + </mime-mapping> + <mime-mapping> + <extension>tr</extension> + <mime-type>text/troff</mime-type> + </mime-mapping> + <mime-mapping> + <extension>tra</extension> + <mime-type>application/vnd.trueapp</mime-type> + </mime-mapping> + <mime-mapping> + <extension>trm</extension> + <mime-type>application/x-msterminal</mime-type> + </mime-mapping> + <mime-mapping> + <extension>tsd</extension> + <mime-type>application/timestamped-data</mime-type> + </mime-mapping> + <mime-mapping> + <extension>tsv</extension> + <mime-type>text/tab-separated-values</mime-type> + </mime-mapping> + <mime-mapping> + <extension>ttc</extension> + <mime-type>application/x-font-ttf</mime-type> + </mime-mapping> + <mime-mapping> + <extension>ttf</extension> + <mime-type>application/x-font-ttf</mime-type> + </mime-mapping> + <mime-mapping> + <extension>ttl</extension> + <mime-type>text/turtle</mime-type> + </mime-mapping> + <mime-mapping> + <extension>twd</extension> + <mime-type>application/vnd.simtech-mindmapper</mime-type> + </mime-mapping> + <mime-mapping> + <extension>twds</extension> + <mime-type>application/vnd.simtech-mindmapper</mime-type> + </mime-mapping> + <mime-mapping> + <extension>txd</extension> + <mime-type>application/vnd.genomatix.tuxedo</mime-type> + </mime-mapping> + <mime-mapping> + <extension>txf</extension> + <mime-type>application/vnd.mobius.txf</mime-type> + </mime-mapping> + <mime-mapping> + <extension>txt</extension> + <mime-type>text/plain</mime-type> + </mime-mapping> + <mime-mapping> + <extension>u32</extension> + <mime-type>application/x-authorware-bin</mime-type> + </mime-mapping> + <mime-mapping> + <extension>udeb</extension> + 
<mime-type>application/x-debian-package</mime-type> + </mime-mapping> + <mime-mapping> + <extension>ufd</extension> + <mime-type>application/vnd.ufdl</mime-type> + </mime-mapping> + <mime-mapping> + <extension>ufdl</extension> + <mime-type>application/vnd.ufdl</mime-type> + </mime-mapping> + <mime-mapping> + <extension>ulw</extension> + <mime-type>audio/basic</mime-type> + </mime-mapping> + <mime-mapping> + <extension>umj</extension> + <mime-type>application/vnd.umajin</mime-type> + </mime-mapping> + <mime-mapping> + <extension>unityweb</extension> + <mime-type>application/vnd.unity</mime-type> + </mime-mapping> + <mime-mapping> + <extension>uoml</extension> + <mime-type>application/vnd.uoml+xml</mime-type> + </mime-mapping> + <mime-mapping> + <extension>uri</extension> + <mime-type>text/uri-list</mime-type> + </mime-mapping> + <mime-mapping> + <extension>uris</extension> + <mime-type>text/uri-list</mime-type> + </mime-mapping> + <mime-mapping> + <extension>urls</extension> + <mime-type>text/uri-list</mime-type> + </mime-mapping> + <mime-mapping> + <extension>ustar</extension> + <mime-type>application/x-ustar</mime-type> + </mime-mapping> + <mime-mapping> + <extension>utz</extension> + <mime-type>application/vnd.uiq.theme</mime-type> + </mime-mapping> + <mime-mapping> + <extension>uu</extension> + <mime-type>text/x-uuencode</mime-type> + </mime-mapping> + <mime-mapping> + <extension>uva</extension> + <mime-type>audio/vnd.dece.audio</mime-type> + </mime-mapping> + <mime-mapping> + <extension>uvd</extension> + <mime-type>application/vnd.dece.data</mime-type> + </mime-mapping> + <mime-mapping> + <extension>uvf</extension> + <mime-type>application/vnd.dece.data</mime-type> + </mime-mapping> + <mime-mapping> + <extension>uvg</extension> + <mime-type>image/vnd.dece.graphic</mime-type> + </mime-mapping> + <mime-mapping> + <extension>uvh</extension> + <mime-type>video/vnd.dece.hd</mime-type> + </mime-mapping> + <mime-mapping> + <extension>uvi</extension> + 
<mime-type>image/vnd.dece.graphic</mime-type> + </mime-mapping> + <mime-mapping> + <extension>uvm</extension> + <mime-type>video/vnd.dece.mobile</mime-type> + </mime-mapping> + <mime-mapping> + <extension>uvp</extension> + <mime-type>video/vnd.dece.pd</mime-type> + </mime-mapping> + <mime-mapping> + <extension>uvs</extension> + <mime-type>video/vnd.dece.sd</mime-type> + </mime-mapping> + <mime-mapping> + <extension>uvt</extension> + <mime-type>application/vnd.dece.ttml+xml</mime-type> + </mime-mapping> + <mime-mapping> + <extension>uvu</extension> + <mime-type>video/vnd.uvvu.mp4</mime-type> + </mime-mapping> + <mime-mapping> + <extension>uvv</extension> + <mime-type>video/vnd.dece.video</mime-type> + </mime-mapping> + <mime-mapping> + <extension>uvva</extension> + <mime-type>audio/vnd.dece.audio</mime-type> + </mime-mapping> + <mime-mapping> + <extension>uvvd</extension> + <mime-type>application/vnd.dece.data</mime-type> + </mime-mapping> + <mime-mapping> + <extension>uvvf</extension> + <mime-type>application/vnd.dece.data</mime-type> + </mime-mapping> + <mime-mapping> + <extension>uvvg</extension> + <mime-type>image/vnd.dece.graphic</mime-type> + </mime-mapping> + <mime-mapping> + <extension>uvvh</extension> + <mime-type>video/vnd.dece.hd</mime-type> + </mime-mapping> + <mime-mapping> + <extension>uvvi</extension> + <mime-type>image/vnd.dece.graphic</mime-type> + </mime-mapping> + <mime-mapping> + <extension>uvvm</extension> + <mime-type>video/vnd.dece.mobile</mime-type> + </mime-mapping> + <mime-mapping> + <extension>uvvp</extension> + <mime-type>video/vnd.dece.pd</mime-type> + </mime-mapping> + <mime-mapping> + <extension>uvvs</extension> + <mime-type>video/vnd.dece.sd</mime-type> + </mime-mapping> + <mime-mapping> + <extension>uvvt</extension> + <mime-type>application/vnd.dece.ttml+xml</mime-type> + </mime-mapping> + <mime-mapping> + <extension>uvvu</extension> + <mime-type>video/vnd.uvvu.mp4</mime-type> + </mime-mapping> + <mime-mapping> + 
<extension>uvvv</extension> + <mime-type>video/vnd.dece.video</mime-type> + </mime-mapping> + <mime-mapping> + <extension>uvvx</extension> + <mime-type>application/vnd.dece.unspecified</mime-type> + </mime-mapping> + <mime-mapping> + <extension>uvvz</extension> + <mime-type>application/vnd.dece.zip</mime-type> + </mime-mapping> + <mime-mapping> + <extension>uvx</extension> + <mime-type>application/vnd.dece.unspecified</mime-type> + </mime-mapping> + <mime-mapping> + <extension>uvz</extension> + <mime-type>application/vnd.dece.zip</mime-type> + </mime-mapping> + <mime-mapping> + <extension>vcard</extension> + <mime-type>text/vcard</mime-type> + </mime-mapping> + <mime-mapping> + <extension>vcd</extension> + <mime-type>application/x-cdlink</mime-type> + </mime-mapping> + <mime-mapping> + <extension>vcf</extension> + <mime-type>text/x-vcard</mime-type> + </mime-mapping> + <mime-mapping> + <extension>vcg</extension> + <mime-type>application/vnd.groove-vcard</mime-type> + </mime-mapping> + <mime-mapping> + <extension>vcs</extension> + <mime-type>text/x-vcalendar</mime-type> + </mime-mapping> + <mime-mapping> + <extension>vcx</extension> + <mime-type>application/vnd.vcx</mime-type> + </mime-mapping> + <mime-mapping> + <extension>vis</extension> + <mime-type>application/vnd.visionary</mime-type> + </mime-mapping> + <mime-mapping> + <extension>viv</extension> + <mime-type>video/vnd.vivo</mime-type> + </mime-mapping> + <mime-mapping> + <extension>vor</extension> + <mime-type>application/vnd.stardivision.writer</mime-type> + </mime-mapping> + <mime-mapping> + <extension>vox</extension> + <mime-type>application/x-authorware-bin</mime-type> + </mime-mapping> + <mime-mapping> + <extension>vrml</extension> + <mime-type>model/vrml</mime-type> + </mime-mapping> + <mime-mapping> + <extension>vsd</extension> + <mime-type>application/vnd.visio</mime-type> + </mime-mapping> + <mime-mapping> + <extension>vsf</extension> + <mime-type>application/vnd.vsf</mime-type> + </mime-mapping> + 
<mime-mapping> + <extension>vss</extension> + <mime-type>application/vnd.visio</mime-type> + </mime-mapping> + <mime-mapping> + <extension>vst</extension> + <mime-type>application/vnd.visio</mime-type> + </mime-mapping> + <mime-mapping> + <extension>vsw</extension> + <mime-type>application/vnd.visio</mime-type> + </mime-mapping> + <mime-mapping> + <extension>vtu</extension> + <mime-type>model/vnd.vtu</mime-type> + </mime-mapping> + <mime-mapping> + <extension>vxml</extension> + <mime-type>application/voicexml+xml</mime-type> + </mime-mapping> + <mime-mapping> + <extension>w3d</extension> + <mime-type>application/x-director</mime-type> + </mime-mapping> + <mime-mapping> + <extension>wad</extension> + <mime-type>application/x-doom</mime-type> + </mime-mapping> + <mime-mapping> + <extension>wav</extension> + <mime-type>audio/x-wav</mime-type> + </mime-mapping> + <mime-mapping> + <extension>wax</extension> + <mime-type>audio/x-ms-wax</mime-type> + </mime-mapping> + <mime-mapping> + <!-- Wireless Bitmap --> + <extension>wbmp</extension> + <mime-type>image/vnd.wap.wbmp</mime-type> + </mime-mapping> + <mime-mapping> + <extension>wbs</extension> + <mime-type>application/vnd.criticaltools.wbs+xml</mime-type> + </mime-mapping> + <mime-mapping> + <extension>wbxml</extension> + <mime-type>application/vnd.wap.wbxml</mime-type> + </mime-mapping> + <mime-mapping> + <extension>wcm</extension> + <mime-type>application/vnd.ms-works</mime-type> + </mime-mapping> + <mime-mapping> + <extension>wdb</extension> + <mime-type>application/vnd.ms-works</mime-type> + </mime-mapping> + <mime-mapping> + <extension>weba</extension> + <mime-type>audio/webm</mime-type> + </mime-mapping> + <mime-mapping> + <extension>webm</extension> + <mime-type>video/webm</mime-type> + </mime-mapping> + <mime-mapping> + <extension>webp</extension> + <mime-type>image/webp</mime-type> + </mime-mapping> + <mime-mapping> + <extension>wg</extension> + <mime-type>application/vnd.pmi.widget</mime-type> + </mime-mapping> 
+ <mime-mapping> + <extension>wgt</extension> + <mime-type>application/widget</mime-type> + </mime-mapping> + <mime-mapping> + <extension>wks</extension> + <mime-type>application/vnd.ms-works</mime-type> + </mime-mapping> + <mime-mapping> + <extension>wm</extension> + <mime-type>video/x-ms-wm</mime-type> + </mime-mapping> + <mime-mapping> + <extension>wma</extension> + <mime-type>audio/x-ms-wma</mime-type> + </mime-mapping> + <mime-mapping> + <extension>wmd</extension> + <mime-type>application/x-ms-wmd</mime-type> + </mime-mapping> + <mime-mapping> + <extension>wmf</extension> + <mime-type>application/x-msmetafile</mime-type> + </mime-mapping> + <mime-mapping> + <!-- WML Source --> + <extension>wml</extension> + <mime-type>text/vnd.wap.wml</mime-type> + </mime-mapping> + <mime-mapping> + <!-- Compiled WML --> + <extension>wmlc</extension> + <mime-type>application/vnd.wap.wmlc</mime-type> + </mime-mapping> + <mime-mapping> + <!-- WML Script Source --> + <extension>wmls</extension> + <mime-type>text/vnd.wap.wmlscript</mime-type> + </mime-mapping> + <mime-mapping> + <!-- Compiled WML Script --> + <extension>wmlsc</extension> + <mime-type>application/vnd.wap.wmlscriptc</mime-type> + </mime-mapping> + <mime-mapping> + <extension>wmv</extension> + <mime-type>video/x-ms-wmv</mime-type> + </mime-mapping> + <mime-mapping> + <extension>wmx</extension> + <mime-type>video/x-ms-wmx</mime-type> + </mime-mapping> + <mime-mapping> + <extension>wmz</extension> + <mime-type>application/x-ms-wmz</mime-type> + </mime-mapping> + <mime-mapping> + <extension>woff</extension> + <mime-type>application/x-font-woff</mime-type> + </mime-mapping> + <mime-mapping> + <extension>wpd</extension> + <mime-type>application/vnd.wordperfect</mime-type> + </mime-mapping> + <mime-mapping> + <extension>wpl</extension> + <mime-type>application/vnd.ms-wpl</mime-type> + </mime-mapping> + <mime-mapping> + <extension>wps</extension> + <mime-type>application/vnd.ms-works</mime-type> + </mime-mapping> + 
<mime-mapping> + <extension>wqd</extension> + <mime-type>application/vnd.wqd</mime-type> + </mime-mapping> + <mime-mapping> + <extension>wri</extension> + <mime-type>application/x-mswrite</mime-type> + </mime-mapping> + <mime-mapping> + <extension>wrl</extension> + <mime-type>model/vrml</mime-type> + </mime-mapping> + <mime-mapping> + <extension>wsdl</extension> + <mime-type>application/wsdl+xml</mime-type> + </mime-mapping> + <mime-mapping> + <extension>wspolicy</extension> + <mime-type>application/wspolicy+xml</mime-type> + </mime-mapping> + <mime-mapping> + <extension>wtb</extension> + <mime-type>application/vnd.webturbo</mime-type> + </mime-mapping> + <mime-mapping> + <extension>wvx</extension> + <mime-type>video/x-ms-wvx</mime-type> + </mime-mapping> + <mime-mapping> + <extension>x32</extension> + <mime-type>application/x-authorware-bin</mime-type> + </mime-mapping> + <mime-mapping> + <extension>x3d</extension> + <mime-type>application/vnd.hzn-3d-crossword</mime-type> + </mime-mapping> + <mime-mapping> + <extension>xap</extension> + <mime-type>application/x-silverlight-app</mime-type> + </mime-mapping> + <mime-mapping> + <extension>xar</extension> + <mime-type>application/vnd.xara</mime-type> + </mime-mapping> + <mime-mapping> + <extension>xbap</extension> + <mime-type>application/x-ms-xbap</mime-type> + </mime-mapping> + <mime-mapping> + <extension>xbd</extension> + <mime-type>application/vnd.fujixerox.docuworks.binder</mime-type> + </mime-mapping> + <mime-mapping> + <extension>xbm</extension> + <mime-type>image/x-xbitmap</mime-type> + </mime-mapping> + <mime-mapping> + <extension>xdf</extension> + <mime-type>application/xcap-diff+xml</mime-type> + </mime-mapping> + <mime-mapping> + <extension>xdm</extension> + <mime-type>application/vnd.syncml.dm+xml</mime-type> + </mime-mapping> + <mime-mapping> + <extension>xdp</extension> + <mime-type>application/vnd.adobe.xdp+xml</mime-type> + </mime-mapping> + <mime-mapping> + <extension>xdssc</extension> + 
<mime-type>application/dssc+xml</mime-type> + </mime-mapping> + <mime-mapping> + <extension>xdw</extension> + <mime-type>application/vnd.fujixerox.docuworks</mime-type> + </mime-mapping> + <mime-mapping> + <extension>xenc</extension> + <mime-type>application/xenc+xml</mime-type> + </mime-mapping> + <mime-mapping> + <extension>xer</extension> + <mime-type>application/patch-ops-error+xml</mime-type> + </mime-mapping> + <mime-mapping> + <extension>xfdf</extension> + <mime-type>application/vnd.adobe.xfdf</mime-type> + </mime-mapping> + <mime-mapping> + <extension>xfdl</extension> + <mime-type>application/vnd.xfdl</mime-type> + </mime-mapping> + <mime-mapping> + <extension>xht</extension> + <mime-type>application/xhtml+xml</mime-type> + </mime-mapping> + <mime-mapping> + <extension>xhtml</extension> + <mime-type>application/xhtml+xml</mime-type> + </mime-mapping> + <mime-mapping> + <extension>xhvml</extension> + <mime-type>application/xv+xml</mime-type> + </mime-mapping> + <mime-mapping> + <extension>xif</extension> + <mime-type>image/vnd.xiff</mime-type> + </mime-mapping> + <mime-mapping> + <extension>xla</extension> + <mime-type>application/vnd.ms-excel</mime-type> + </mime-mapping> + <mime-mapping> + <extension>xlam</extension> + <mime-type>application/vnd.ms-excel.addin.macroenabled.12</mime-type> + </mime-mapping> + <mime-mapping> + <extension>xlc</extension> + <mime-type>application/vnd.ms-excel</mime-type> + </mime-mapping> + <mime-mapping> + <extension>xlm</extension> + <mime-type>application/vnd.ms-excel</mime-type> + </mime-mapping> + <mime-mapping> + <extension>xls</extension> + <mime-type>application/vnd.ms-excel</mime-type> + </mime-mapping> + <mime-mapping> + <extension>xlsb</extension> + <mime-type>application/vnd.ms-excel.sheet.binary.macroenabled.12</mime-type> + </mime-mapping> + <mime-mapping> + <extension>xlsm</extension> + <mime-type>application/vnd.ms-excel.sheet.macroenabled.12</mime-type> + </mime-mapping> + <mime-mapping> + 
<extension>xlsx</extension> + <mime-type>application/vnd.openxmlformats-officedocument.spreadsheetml.sheet</mime-type> + </mime-mapping> + <mime-mapping> + <extension>xlt</extension> + <mime-type>application/vnd.ms-excel</mime-type> + </mime-mapping> + <mime-mapping> + <extension>xltm</extension> + <mime-type>application/vnd.ms-excel.template.macroenabled.12</mime-type> + </mime-mapping> + <mime-mapping> + <extension>xltx</extension> + <mime-type>application/vnd.openxmlformats-officedocument.spreadsheetml.template</mime-type> + </mime-mapping> + <mime-mapping> + <extension>xlw</extension> + <mime-type>application/vnd.ms-excel</mime-type> + </mime-mapping> + <mime-mapping> + <extension>xml</extension> + <mime-type>application/xml</mime-type> + </mime-mapping> + <mime-mapping> + <extension>xo</extension> + <mime-type>application/vnd.olpc-sugar</mime-type> + </mime-mapping> + <mime-mapping> + <extension>xop</extension> + <mime-type>application/xop+xml</mime-type> + </mime-mapping> + <mime-mapping> + <extension>xpi</extension> + <mime-type>application/x-xpinstall</mime-type> + </mime-mapping> + <mime-mapping> + <extension>xpm</extension> + <mime-type>image/x-xpixmap</mime-type> + </mime-mapping> + <mime-mapping> + <extension>xpr</extension> + <mime-type>application/vnd.is-xpr</mime-type> + </mime-mapping> + <mime-mapping> + <extension>xps</extension> + <mime-type>application/vnd.ms-xpsdocument</mime-type> + </mime-mapping> + <mime-mapping> + <extension>xpw</extension> + <mime-type>application/vnd.intercon.formnet</mime-type> + </mime-mapping> + <mime-mapping> + <extension>xpx</extension> + <mime-type>application/vnd.intercon.formnet</mime-type> + </mime-mapping> + <mime-mapping> + <extension>xsl</extension> + <mime-type>application/xml</mime-type> + </mime-mapping> + <mime-mapping> + <extension>xslt</extension> + <mime-type>application/xslt+xml</mime-type> + </mime-mapping> + <mime-mapping> + <extension>xsm</extension> + 
<mime-type>application/vnd.syncml+xml</mime-type> + </mime-mapping> + <mime-mapping> + <extension>xspf</extension> + <mime-type>application/xspf+xml</mime-type> + </mime-mapping> + <mime-mapping> + <extension>xul</extension> + <mime-type>application/vnd.mozilla.xul+xml</mime-type> + </mime-mapping> + <mime-mapping> + <extension>xvm</extension> + <mime-type>application/xv+xml</mime-type> + </mime-mapping> + <mime-mapping> + <extension>xvml</extension> + <mime-type>application/xv+xml</mime-type> + </mime-mapping> + <mime-mapping> + <extension>xwd</extension> + <mime-type>image/x-xwindowdump</mime-type> + </mime-mapping> + <mime-mapping> + <extension>xyz</extension> + <mime-type>chemical/x-xyz</mime-type> + </mime-mapping> + <mime-mapping> + <extension>yang</extension> + <mime-type>application/yang</mime-type> + </mime-mapping> + <mime-mapping> + <extension>yin</extension> + <mime-type>application/yin+xml</mime-type> + </mime-mapping> + <mime-mapping> + <extension>z</extension> + <mime-type>application/x-compress</mime-type> + </mime-mapping> + <mime-mapping> + <extension>Z</extension> + <mime-type>application/x-compress</mime-type> + </mime-mapping> + <mime-mapping> + <extension>zaz</extension> + <mime-type>application/vnd.zzazz.deck+xml</mime-type> + </mime-mapping> + <mime-mapping> + <extension>zip</extension> + <mime-type>application/zip</mime-type> + </mime-mapping> + <mime-mapping> + <extension>zir</extension> + <mime-type>application/vnd.zul</mime-type> + </mime-mapping> + <mime-mapping> + <extension>zirz</extension> + <mime-type>application/vnd.zul</mime-type> + </mime-mapping> + <mime-mapping> + <extension>zmm</extension> + <mime-type>application/vnd.handheld-entertainment+xml</mime-type> + </mime-mapping> + + <!-- ==================== Default Welcome File List ===================== --> + <!-- When a request URI refers to a directory, the default servlet looks --> + <!-- for a "welcome file" within that directory and, if present, to the --> + <!-- 
corresponding resource URI for display. --> + <!-- If no welcome files are present, the default servlet either serves a --> + <!-- directory listing (see default servlet configuration on how to --> + <!-- customize) or returns a 404 status, depending on the value of the --> + <!-- listings setting. --> + <!-- --> + <!-- If you define welcome files in your own application's web.xml --> + <!-- deployment descriptor, that list *replaces* the list configured --> + <!-- here, so be sure to include any of the default values that you wish --> + <!-- to use within your application. --> + + <welcome-file-list> + <welcome-file>index.html</welcome-file> + <welcome-file>index.htm</welcome-file> + <welcome-file>index.jsp</welcome-file> + </welcome-file-list> + +</web-app> diff --git a/base/common/src/CMakeLists.txt b/base/common/src/CMakeLists.txt index eab5db24c..0505c7e74 100644 --- a/base/common/src/CMakeLists.txt +++ b/base/common/src/CMakeLists.txt @@ -48,7 +48,14 @@ find_file(TOMCAT_CATALINA_JAR NAMES catalina.jar PATHS - /usr/share/java/tomcat6 + /usr/share/java/tomcat +) + +find_file(TOMCAT_UTIL_JAR + NAMES + tomcat-util.jar + PATHS + /usr/share/java/tomcat ) find_file(SERVLET_JAR @@ -1193,7 +1200,7 @@ set(CMAKE_JAVA_INCLUDE_PATH ${LDAPJDK_JAR} ${SERVLET_JAR} ${VELOCITY_JAR} ${XALAN_JAR} ${XERCES_JAR} ${JSS_JAR} ${COMMONS_CODEC_JAR} ${COMMONS_HTTPCLIENT_JAR} ${APACHE_COMMONS_CLI_JAR} ${APACHE_COMMONS_LANG_JAR} - ${TOMCAT_CATALINA_JAR} ${SYMKEY_JAR} + ${TOMCAT_CATALINA_JAR} ${TOMCAT_UTIL_JAR} ${SYMKEY_JAR} ${JAXRS_API_JAR} ${RESTEASY_JAXRS_JAR} ${RESTEASY_ATOM_PROVIDER_JAR} ${HTTPCLIENT_JAR} ${HTTPCORE_JAR}) diff --git a/base/common/src/com/netscape/cms/servlet/csadmin/CertUtil.java b/base/common/src/com/netscape/cms/servlet/csadmin/CertUtil.java index 35ec7c515..6ad9e7680 100644 --- a/base/common/src/com/netscape/cms/servlet/csadmin/CertUtil.java +++ b/base/common/src/com/netscape/cms/servlet/csadmin/CertUtil.java 
@@ -371,8 +371,10 @@ public class CertUtil { String instanceRoot = config.getString("instanceRoot"); + String configurationRoot = config.getString("configurationRoot"); + CertInfoProfile processor = new CertInfoProfile( - instanceRoot + "/conf/" + profile); + instanceRoot + configurationRoot + profile); // cfu - create request to enable renewal try { diff --git a/base/common/src/com/netscape/cmscore/realm/PKIJNDIRealm.java b/base/common/src/com/netscape/cmscore/realm/PKIJNDIRealm.java index 86debf3da..bd551baf0 100644 --- a/base/common/src/com/netscape/cmscore/realm/PKIJNDIRealm.java +++ b/base/common/src/com/netscape/cmscore/realm/PKIJNDIRealm.java @@ -28,6 +28,7 @@ import org.apache.catalina.connector.Request; import org.apache.catalina.connector.Response; import org.apache.catalina.deploy.SecurityConstraint; import org.apache.catalina.realm.JNDIRealm; +import org.apache.catalina.Wrapper; /* * Self contained PKI JNDI Real that overrides the standard JNDI Realm @@ -206,6 +207,8 @@ public class PKIJNDIRealm extends JNDIRealm { boolean allowed = super.hasResourcePermission(request, response, constraints, context); + Wrapper wrapper = request.getWrapper(); + if (allowed == true && hasResourceACLS()) { loadAuthzProperties(context); @@ -238,7 +241,7 @@ public class PKIJNDIRealm extends JNDIRealm { } } - allowed = checkACLPermission(principal, resourceID, operation); + allowed = checkACLPermission(principal, resourceID, operation, wrapper); logDebug("resourceID: " + resourceID + " operation: " + operation + " allowed: " + allowed); } } 
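Review bot: The new path `instanceRoot + configurationRoot + profile` supplies no separators of its own, so it is only correct when the `configurationRoot` value carries both a leading and a trailing slash; the removed line hard-coded `/conf/` and could never yield `<root>conf<profile>`. A one-line comment at the new `getString` call stating that contract, e.g. `// configurationRoot must be a '/'-delimited fragment such as '/<subsystem>/conf/'`, or building the path with `new File(new File(instanceRoot, configurationRoot), profile).getPath()`, would make the dependency explicit. Instances whose CS.cfg predates the `configurationRoot` key will presumably fail at `getString` rather than fall back to the old location, which is worth confirming against the config store's missing-key behaviour. The enclosing method starts and ends outside the hunk.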
@@ -351,7 +354,7 @@ public class PKIJNDIRealm extends JNDIRealm { // Check a PKI ACL resourceID and operation for permissions // If the check fails the user (principal) is not authorized to access the resource - private boolean checkACLPermission(Principal principal, String resourceId, String operation) { + private boolean checkACLPermission(Principal principal, String resourceId, String operation, Wrapper wrapper) { boolean allowed = true; @@ -378,7 +381,7 @@ public class PKIJNDIRealm extends JNDIRealm { String expressions = entry.getAttributeExpressions(); - allowed = evaluateExpressions(principal, expressions); + allowed = evaluateExpressions(principal, expressions, wrapper); if (isEntryNegative) { allowed = !allowed; @@ -400,7 +403,7 @@ public class PKIJNDIRealm extends JNDIRealm { // Evaluate an expression as part of a PKI ACL // Ex: user=anybody , group=Data Recovery Manager Agents - private boolean evaluateExpression(Principal principal, String expression) { + private boolean evaluateExpression(Principal principal, String expression, Wrapper wrapper) { boolean allowed = true; if (principal == null || expression == null) { @@ -445,7 +448,7 @@ public class PKIJNDIRealm extends JNDIRealm { allowed = false; if (left.equals(PROP_GROUP)) { // Check JNDI to see if the user has this role/group - if (hasRole(principal, right)) { + if (hasRole(wrapper, principal, right)) { allowed = true; } } else if (left.equals(PROP_USER)) { @@ -482,7 +485,7 @@ public class PKIJNDIRealm extends JNDIRealm { } // Take a set of expressions in an ACL and evaluate it - private boolean evaluateExpressions(Principal principal, String s) { + private boolean evaluateExpressions(Principal principal, String s, Wrapper wrapper) { Vector<Object> v = new Vector<Object>(); 
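Review bot: `hasRole(wrapper, principal, right)` changes what an ACL `group=` expression matches and nothing in the class says so: Tomcat's `RealmBase.hasRole(Wrapper, Principal, String)` first consults the servlet's `<security-role-ref>` links, so a web.xml role-name link can redirect a PKI group name to a different realm role before the JNDI lookup, whereas the removed two-argument call matched the name verbatim. If that indirection is intended, a comment where the wrapper is captured in hasResourcePermission, `// Wrapper lets Tomcat apply the servlet's <security-role-ref> links before the JNDI role lookup`, would document it; if it is not, passing `null` as the wrapper keeps the old matching. `request.getWrapper()` can be null for a request that was not mapped to a servlet; as far as I recall RealmBase tolerates that, but it deserves an explicit note rather than silent reliance. Minor: the added `import org.apache.catalina.Wrapper;` sits after `org.apache.catalina.realm.JNDIRealm` and breaks the group's alphabetical order.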
@@ -492,7 +495,7 @@ public class PKIJNDIRealm extends JNDIRealm { // this is the last expression if (orIndex == -1 && andIndex == -1) { - boolean passed = evaluateExpression(principal, s.trim()); + boolean passed = evaluateExpression(principal, s.trim(), wrapper); v.addElement(Boolean.valueOf(passed)); break; @@ -500,7 +503,7 @@ public class PKIJNDIRealm extends JNDIRealm { // || first } else if (andIndex == -1 || (orIndex != -1 && orIndex < andIndex)) { String s1 = s.substring(0, orIndex); - boolean passed = evaluateExpression(principal, s1.trim()); + boolean passed = evaluateExpression(principal, s1.trim(), wrapper); v.addElement(Boolean.valueOf(passed)); v.addElement("||"); @@ -508,7 +511,7 @@ public class PKIJNDIRealm extends JNDIRealm { // && first } else { String s1 = s.substring(0, andIndex); - boolean passed = evaluateExpression(principal, s1.trim()); + boolean passed = evaluateExpression(principal, s1.trim(), wrapper); v.addElement(Boolean.valueOf(passed)); v.addElement("&&"); diff --git a/base/deploy/config/pkideployment.cfg b/base/deploy/config/pkideployment.cfg index dd688ed09..542fc5bef 100644 --- a/base/deploy/config/pkideployment.cfg +++ b/base/deploy/config/pkideployment.cfg 
@@ -1,34 +1,219 @@ -[Common] +############################################################################### +## 'Sensitive' Data: ## +## ## +## Values in this section pertain to various PKI subsystems, and contain ## +## required 'sensitive' information which MUST ALWAYS be provided by users. ## +## ## +## IMPORTANT: Sensitive data values must NEVER be displayed to the ## +## console NOR stored in log files!!! ## +############################################################################### +[Sensitive] +pki_admin_password= +pki_backup_password= +pki_ds_password= +pki_pkcs12_password= +pki_security_domain_password= +############################################################################### +## 'Mandatory' Data: ## +## ## +## Values in this section pertain to various PKI subsystems, and contain ## +## required information which MUST ALWAYS be provided by users. ## +############################################################################### +[Mandatory] +############################################################################### +## 'Optional' Data: ## +## ## +## Values in this section pertain to various PKI subsystems, and contain ## +## required information which MAY OPTIONALLY be provided by users. ## +## ## +## NOTE: Default values will be generated for any and all required ## +## 'optional' data values which are left undefined. 
## +############################################################################### +[Optional] pki_admin_domain_name= -pki_user=pkiuser -pki_group=pkiuser +pki_admin_email= +pki_admin_subject_dn= +pki_audit_signing_nickname= +pki_audit_signing_subject_dn= +pki_audit_signing_token= +pki_backup_file= +pki_ca_signing_nickname= +pki_ca_signing_subject_dn= +pki_ca_signing_token= +pki_ds_base_dn= +pki_ds_database= +pki_ds_hostname= +pki_ocsp_signing_nickname= +pki_ocsp_signing_subject_dn= +pki_ocsp_signing_token= +pki_security_domain_hostname= +pki_security_domain_name= +pki_ssl_server_nickname= +pki_ssl_server_subject_dn= +pki_ssl_server_token= +pki_storage_nickname= +pki_storage_subject_dn= +pki_storage_token= +pki_subsystem_nickname= +pki_subsystem_subject_dn= +pki_subsystem_token= +pki_transport_nickname= +pki_transport_subject_dn= +pki_transport_token= +############################################################################### +## 'Common' Data: ## +## ## +## Values in this section are common to ALL PKI subsystems, and contain ## +## required information which MAY be overridden by users as necessary. 
## +############################################################################### +[Common] +pki_admin_cert_request_type=crmf +pki_admin_dualkey=False +pki_admin_keysize=2048 +pki_admin_name=admin +pki_admin_uid=admin pki_audit_group=pkiaudit +pki_audit_signing_key_algorithm=SHA256withRSA +pki_audit_signing_key_size=2048 +pki_audit_signing_key_type=rsa +pki_audit_signing_signing_algorithm=SHA256withRSA +pki_backup_keys=False +pki_ds_bind_dn=cn=Directory Manager +pki_ds_http_port=389 +pki_ds_https_port=636 +pki_ds_remove_data=True +pki_ds_secure_connection=False +pki_group=pkiuser +pki_security_domain_https_port=8443 +pki_security_domain_user=admin +pki_ssl_server_key_algorithm=SHA256withRSA +pki_ssl_server_key_size=2048 +pki_ssl_server_key_type=rsa +pki_subsystem_key_algorithm=SHA256withRSA +pki_subsystem_key_size=2048 +pki_subsystem_key_type=rsa +pki_user=pkiuser +############################################################################### +## 'Apache' Data: ## +## ## +## Values in this section are common to PKI subsystems that run ## +## as an instance of 'Apache' (RA and TPS subsystems), and contain ## +## required information which MAY be overridden by users as necessary. ## +############################################################################### [Apache] pki_instance_name=apache pki_http_port=80 pki_https_port=443 +############################################################################### +## 'Tomcat' Data: ## +## ## +## Values in this section are common to PKI subsystems that run ## +## as an instance of 'Tomcat' (CA, KRA, OCSP, and TKS subsystems ## +## including 'Clones', 'Subordinate CAs', and 'External CAs'), and contain ## +## required information which MAY be overridden by users as necessary. ## +## ## +## PKI CLONES: To specify a 'CA Clone', a 'KRA Clone', an 'OCSP Clone', ## +## or a 'TKS Clone', change the value of 'pki_clone' ## +## from 'False' to 'True'. 
## +## ## +## REMINDER: PKI CA Clones, Subordinate CAs, and External CAs ## +## are MUTUALLY EXCLUSIVE entities!!! ## +############################################################################### [Tomcat] -pki_instance_name=tomcat +pki_ajp_port=8009 +pki_clone=False +pki_enable_java_debugger=False pki_http_port=8080 pki_https_port=8443 -pki_ajp_port=8009 -pki_proxy_http_port=80 -pki_proxy_https_port=443 -pki_security_manager=true +pki_instance_name=tomcat +pki_proxy_http_port= +pki_proxy_https_port= +pki_security_manager=false pki_tomcat_server_port=8005 +############################################################################### +## 'CA' Data: ## +## ## +## Values in this section are common to CA subsystems including 'PKI CAs', ## +## 'Cloned CAs', 'Subordinate CAs', and 'External CAs', and contain ## +## required information which MAY be overridden by users as necessary. ## +## ## +## EXTERNAL CAs: To specify an 'External CA', change the value ## +## of 'pki_external' from 'False' to 'True'. ## +## ## +## SUBORDINATE CAs: To specify a 'Subordinate CA', change the value ## +## of 'pki_subordinate' from 'False' to 'True'. ## +## ## +## REMINDER: PKI CA Clones, Subordinate CAs, and External CAs ## +## are MUTUALLY EXCLUSIVE entities!!! 
## +############################################################################### [CA] +pki_ca_signing_key_algorithm=SHA256withRSA +pki_ca_signing_key_size=2048 +pki_ca_signing_key_type=rsa +pki_ca_signing_signing_algorithm=SHA256withRSA +pki_external=False +pki_ocsp_signing_key_algorithm=SHA256withRSA +pki_ocsp_signing_key_size=2048 +pki_ocsp_signing_key_type=rsa +pki_ocsp_signing_signing_algorithm=SHA256withRSA +pki_subordinate=False pki_subsystem=CA pki_war_name=ca.war +############################################################################### +## 'KRA' Data: ## +## ## +## Values in this section are common to KRA subsystems ## +## including 'PKI KRAs' and 'Cloned KRAs', and contain ## +## required information which MAY be overridden by users as necessary. ## +############################################################################### [KRA] +pki_storage_key_algorithm=SHA256withRSA +pki_storage_key_size=2048 +pki_storage_key_type=rsa +pki_storage_signing_algorithm=SHA256withRSA pki_subsystem=KRA +pki_transport_key_algorithm=SHA256withRSA +pki_transport_key_size=2048 +pki_transport_key_type=rsa +pki_transport_signing_algorithm=SHA256withRSA pki_war_name=kra.war +############################################################################### +## 'OCSP' Data: ## +## ## +## Values in this section are common to OCSP subsystems ## +## including 'PKI OCSPs' and 'Cloned OCSPs', and contain ## +## required information which MAY be overridden by users as necessary. 
## +############################################################################### [OCSP] +pki_ocsp_signing_key_algorithm=SHA256withRSA +pki_ocsp_signing_key_size=2048 +pki_ocsp_signing_key_type=rsa +pki_ocsp_signing_signing_algorithm=SHA256withRSA pki_subsystem=OCSP pki_war_name=ocsp.war +############################################################################### +## 'RA' Data: ## +## ## +## Values in this section are common to PKI RA subsystems, and contain ## +## required information which MAY be overridden by users as necessary. ## +############################################################################### [RA] pki_subsystem=RA +############################################################################### +## 'TKS' Data: ## +## ## +## Values in this section are common to TKS subsystems ## +## including 'PKI TKSs' and 'Cloned TKSs', and contain ## +## required information which MAY be overridden by users as necessary. ## +############################################################################### [TKS] pki_subsystem=TKS pki_war_name=tks.war +############################################################################### +## 'TPS' Data: ## +## ## +## Values in this section are common to PKI TPS subsystems, and contain ## +## required information which MAY be overridden by users as necessary. ## +############################################################################### [TPS] pki_subsystem=TPS diff --git a/base/deploy/config/pkislots.cfg b/base/deploy/config/pkislots.cfg index b6c40ebe3..ee75154ce 100644 --- a/base/deploy/config/pkislots.cfg +++ b/base/deploy/config/pkislots.cfg 
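Review bot: `pki_security_manager` silently flips from `true` to `false` in the `[Tomcat]` section, which turns off the Java security manager for every CA, KRA, OCSP and TKS instance by default; a change that removes a sandbox should either be justified in a comment next to the key or kept at `true`. The new `[Sensitive]` header warns about console and log output but says nothing about the file itself, which now carries the admin, directory-server, PKCS#12 and security-domain passwords in clear text; adding `## This file MUST be readable only by its owner (e.g. mode 0600). ##` to that block would close the gap. The `[Common]` defaults pair `pki_ds_bind_dn=cn=Directory Manager` with `pki_ds_secure_connection=False`, so unless a user overrides it the directory-manager password from `pki_ds_password` is presumably sent over an unencrypted LDAP bind on port 389; the header's "MAY be overridden" wording undersells that.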
@@ -70,8 +70,10 @@ PKI_SECURE_PORT_CONNECTOR_NAME_SLOT=[PKI_SECURE_PORT_CONNECTOR_NAME]
 PKI_SECURE_PORT_SERVER_COMMENT_SLOT=[PKI_SECURE_PORT_SERVER_COMMENT]
 PKI_SECURITY_MANAGER_SLOT=[PKI_SECURITY_MANAGER]
 PKI_SERVER_XML_CONF_SLOT=[PKI_SERVER_XML_CONF]
+PKI_SUBSYSTEM_DIR_SLOT=[PKI_SUBSYSTEM_DIR]
 PKI_SUBSYSTEM_TYPE_SLOT=[PKI_SUBSYSTEM_TYPE]
 PKI_SYSTEMD_SERVICENAME_SLOT=[PKI_SYSTEMD_SERVICENAME]
+PKI_TMPDIR_SLOT=[PKI_TMPDIR]
 PKI_UNSECURE_PORT_SLOT=[PKI_UNSECURE_PORT]
 PKI_UNSECURE_PORT_CONNECTOR_NAME_SLOT=[PKI_UNSECURE_PORT_CONNECTOR_NAME]
 PKI_UNSECURE_PORT_SERVER_COMMENT_SLOT=[PKI_UNSECURE_PORT_SERVER_COMMENT]
diff --git a/base/deploy/scripts/pkidaemon b/base/deploy/scripts/pkidaemon
index 7be30c9d3..02b02370f 100755
--- a/base/deploy/scripts/pkidaemon
+++ b/base/deploy/scripts/pkidaemon
@@ -51,6 +51,8 @@ case $command in
 exit $?
 ;;
 stop)
+ echo "An exit status of '143' refers to the 'systemd' method of using"\
+ "'SIGTERM' to shutdown a Java process and can safely be ignored."
 stop
 exit $?
 ;;
diff --git a/base/deploy/src/pkidestroy b/base/deploy/src/pkidestroy
index 6a2db56b8..5faa97cee 100755
--- a/base/deploy/src/pkidestroy
+++ b/base/deploy/src/pkidestroy
@@ -34,6 +34,7 @@ try:
 import socket
 import string
 import struct
+ import subprocess
 import time
 from time import strftime as date
 from pki.deployment import pkiconfig as config
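Review bot: The added `echo` runs on every `stop`, before `stop` has even been invoked, so the reassurance about exit status 143 is printed whether or not that status occurs, and it goes to stdout where scripted callers may parse output. Capture the status and print only when it applies: `stop; rv=$?`, then `[ "$rv" -eq 143 ] && echo "An exit status of '143' ..." >&2`, then `exit $rv`. The surrounding `case` begins outside the hunk.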
@@ -74,7 +75,18 @@ def main(argv): config.pki_architecture = struct.calcsize("P") * 8 # Retrieve hostname - config.pki_hostname = socket.gethostname() + config.pki_hostname = socket.getfqdn() + + # Retrieve DNS domainname + config.pki_dns_domainname = None + try: + config.pki_dns_domainname = subprocess.check_output("domainname", + shell=True) + config.pki_dns_domainname = config.pki_dns_domainname.rstrip('\n') + except subprocess.CalledProcessError as exc: + config.pki_log.error(log.PKI_SUBPROCESS_ERROR_1, exc, + extra=config.PKI_INDENTATION_LEVEL_0) + sys.exit(1) # Initialize 'pretty print' for objects pp = pprint.PrettyPrinter(indent=4) @@ -111,6 +123,15 @@ def main(argv): extra=config.PKI_INDENTATION_LEVEL_0) sys.exit(1) else: + # NEVER print out 'sensitive' name/value pairs!!! + config.pki_log.debug(log.PKI_DICTIONARY_MANDATORY, + extra=config.PKI_INDENTATION_LEVEL_0) + config.pki_log.debug(pp.pformat(config.pki_mandatory_dict), + extra=config.PKI_INDENTATION_LEVEL_0) + config.pki_log.debug(log.PKI_DICTIONARY_OPTIONAL, + extra=config.PKI_INDENTATION_LEVEL_0) + config.pki_log.debug(pp.pformat(config.pki_optional_dict), + extra=config.PKI_INDENTATION_LEVEL_0) config.pki_log.debug(log.PKI_DICTIONARY_COMMON, extra=config.PKI_INDENTATION_LEVEL_0) config.pki_log.debug(pp.pformat(config.pki_common_dict), @@ -126,7 +147,7 @@ def main(argv): # Override PKI configuration file values with 'custom' command-line values. if not config.custom_pki_admin_domain_name is None: - config.pki_common_dict['pki_admin_domain_name'] =\ + config.pki_optional_dict['pki_admin_domain_name'] =\ config.custom_pki_admin_domain_name if not config.custom_pki_instance_name is None: config.pki_web_server_dict['pki_instance_name'] =\ 
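Review bot: The `domainname` command reports the NIS/YP domain name, not the DNS domain the comment promises; on a host without NIS it prints `(none)`, which would then be stored in `config.pki_dns_domainname`. `dnsdomainname` is the DNS variant, and since the line above already computes `socket.getfqdn()`, the domain can also be taken from that value without a subprocess. `shell=True` is unnecessary for a fixed command; `subprocess.check_output(["dnsdomainname"])` with `except (subprocess.CalledProcessError, OSError) as exc:` covers both a failing and a missing binary, which the shell form currently folds into exit status 127. The same block is added to pkispawn in the next file, so the fix applies there too.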
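Review bot: The eight-line dump of the mandatory and optional dictionaries is pasted twice in this file and twice in pkispawn (the hunks at new lines 123 and 161 here, 152 and 190 there), and the `# NEVER print out 'sensitive' name/value pairs!!!` rule is enforced only by which dictionaries each copy happens to name. A small helper such as `def log_dictionaries(pp)` that logs exactly the non-sensitive dictionaries would make the rule structural, so a future copy cannot accidentally add the sensitive dictionary. The enclosing `main(argv)` starts and ends outside the hunk.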
@@ -140,6 +161,15 @@ def main(argv): if not config.custom_pki_ajp_port is None: config.pki_web_server_dict['pki_ajp_port'] =\ config.custom_pki_ajp_port + # NEVER print out 'sensitive' name/value pairs!!! + config.pki_log.debug(log.PKI_DICTIONARY_MANDATORY, + extra=config.PKI_INDENTATION_LEVEL_0) + config.pki_log.debug(pp.pformat(config.pki_mandatory_dict), + extra=config.PKI_INDENTATION_LEVEL_0) + config.pki_log.debug(log.PKI_DICTIONARY_OPTIONAL, + extra=config.PKI_INDENTATION_LEVEL_0) + config.pki_log.debug(pp.pformat(config.pki_optional_dict), + extra=config.PKI_INDENTATION_LEVEL_0) config.pki_log.debug(log.PKI_DICTIONARY_COMMON, extra=config.PKI_INDENTATION_LEVEL_0) config.pki_log.debug(pp.pformat(config.pki_common_dict), diff --git a/base/deploy/src/pkispawn b/base/deploy/src/pkispawn index 66152a334..931b9baf0 100755 --- a/base/deploy/src/pkispawn +++ b/base/deploy/src/pkispawn @@ -34,6 +34,7 @@ try: import socket import string import struct + import subprocess import time from time import strftime as date from pki.deployment import pkiconfig as config @@ -74,7 +75,18 @@ def main(argv): config.pki_architecture = struct.calcsize("P") * 8 # Retrieve hostname - config.pki_hostname = socket.gethostname() + config.pki_hostname = socket.getfqdn() + + # Retrieve DNS domainname + config.pki_dns_domainname = None + try: + config.pki_dns_domainname = subprocess.check_output("domainname", + shell=True) + config.pki_dns_domainname = config.pki_dns_domainname.rstrip('\n') + except subprocess.CalledProcessError as exc: + config.pki_log.error(log.PKI_SUBPROCESS_ERROR_1, exc, + extra=config.PKI_INDENTATION_LEVEL_0) + sys.exit(1) # Generate random 'pin's for use as security database passwords pin_low = 100000000000 
@@ -140,6 +152,15 @@ def main(argv): extra=config.PKI_INDENTATION_LEVEL_0) sys.exit(1) else: + # NEVER print out 'sensitive' name/value pairs!!! + config.pki_log.debug(log.PKI_DICTIONARY_MANDATORY, + extra=config.PKI_INDENTATION_LEVEL_0) + config.pki_log.debug(pp.pformat(config.pki_mandatory_dict), + extra=config.PKI_INDENTATION_LEVEL_0) + config.pki_log.debug(log.PKI_DICTIONARY_OPTIONAL, + extra=config.PKI_INDENTATION_LEVEL_0) + config.pki_log.debug(pp.pformat(config.pki_optional_dict), + extra=config.PKI_INDENTATION_LEVEL_0) config.pki_log.debug(log.PKI_DICTIONARY_COMMON, extra=config.PKI_INDENTATION_LEVEL_0) config.pki_log.debug(pp.pformat(config.pki_common_dict), @@ -155,7 +176,7 @@ def main(argv): # Override PKI configuration file values with 'custom' command-line values. if not config.custom_pki_admin_domain_name is None: - config.pki_common_dict['pki_admin_domain_name'] =\ + config.pki_optional_dict['pki_admin_domain_name'] =\ config.custom_pki_admin_domain_name if not config.custom_pki_instance_name is None: config.pki_web_server_dict['pki_instance_name'] =\ @@ -169,6 +190,15 @@ def main(argv): if not config.custom_pki_ajp_port is None: config.pki_web_server_dict['pki_ajp_port'] =\ config.custom_pki_ajp_port + # NEVER print out 'sensitive' name/value pairs!!! + config.pki_log.debug(log.PKI_DICTIONARY_MANDATORY, + extra=config.PKI_INDENTATION_LEVEL_0) + config.pki_log.debug(pp.pformat(config.pki_mandatory_dict), + extra=config.PKI_INDENTATION_LEVEL_0) + config.pki_log.debug(log.PKI_DICTIONARY_OPTIONAL, + extra=config.PKI_INDENTATION_LEVEL_0) + config.pki_log.debug(pp.pformat(config.pki_optional_dict), + extra=config.PKI_INDENTATION_LEVEL_0) config.pki_log.debug(log.PKI_DICTIONARY_COMMON, extra=config.PKI_INDENTATION_LEVEL_0) config.pki_log.debug(pp.pformat(config.pki_common_dict), diff --git a/base/deploy/src/scriptlets/configuration.jy b/base/deploy/src/scriptlets/configuration.jy index f7366c723..a40e7c645 100644 
--- a/base/deploy/src/scriptlets/configuration.jy +++ b/base/deploy/src/scriptlets/configuration.jy @@ -9,7 +9,6 @@ import sys # PKI Python Imports import pkijython as jyutil import pkiconfig as config -from pkiconfig import pki_master_jython_dict as master import pkimessages as log @@ -18,12 +17,19 @@ from java.lang import System as javasystem def main(argv): + rv = 0 + # Establish 'master' as the PKI jython dictionary master = dict() - # import the master dictionary from 'pkispawn' + # Import the master dictionary from 'pkispawn' master = pickle.loads(argv[1]) + # Optionally enable a java debugger (e. g. - 'eclipse'): + if config.str2bool(master['pki_enable_java_debugger']): + config.wait_to_attach_an_external_java_debugger() + + # IMPORTANT: Unfortunately, 'jython 2.2' does NOT support logging! # # Until, and unless, 'jython 2.5' or later is used, 
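Review bot: `master['pki_enable_java_debugger']` is read unconditionally, but the new pkideployment.cfg defines that key only in the `[Tomcat]` section, so for an Apache-type instance (RA, TPS) the lookup presumably raises `KeyError` before the subsystem branches are reached; `config.str2bool(master.get('pki_enable_java_debugger', 'False'))` would match how configuration.py consults the key only inside its Tomcat branch. Separately, `pickle.loads(argv[1])` means the whole master dictionary travels on the command line, and if it includes the `[Sensitive]` values they are readable by any local user through the process table for the lifetime of the jython process; handing it over a pipe or temporary file with restricted mode would avoid that. Whether the sensitive values are merged into `master` is not visible in this diff, so this deserves confirmation.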
@@ -59,11 +65,107 @@ def main(argv): master['pki_jython_log_level']) # Log into token - jyutil.security_databases.log_into_token( - master['pki_client_database_path'], - master['pki_client_password_conf'], - master['pki_dry_run_flag'], - master['pki_jython_log_level']) + token = jyutil.security_databases.log_into_token( + master['pki_client_database_path'], + master['pki_client_password_conf'], + master['pki_dry_run_flag'], + master['pki_jython_log_level']) + + # Establish REST Client + client = jyutil.rest_client.initialize( + master['pki_jython_base_uri'], + master['pki_dry_run_flag'], + master['pki_jython_log_level']) + + # Construct PKI Subsystem Configuration Data + data = None + if master['pki_instance_type'] == "Apache": + if master['pki_subsystem'] == "RA": + print "%s '%s' %s" %\ + (log.PKI_JYTHON_INDENTATION_2, + master['pki_subsystem'], + log.PKI_JYTHON_NOT_YET_IMPLEMENTED) + return self.rv + elif master['pki_subsystem'] == "TPS": + print "%s '%s' %s" %\ + (log.PKI_JYTHON_INDENTATION_2, + master['pki_subsystem'], + log.PKI_JYTHON_NOT_YET_IMPLEMENTED) + return self.rv + elif master['pki_instance_type'] == "Tomcat": + if master['pki_subsystem'] == "CA": + if config.str2bool(master['pki_clone']): + print "%s '%s %s' %s" %\ + (log.PKI_JYTHON_INDENTATION_2, + log.PKI_JYTHON_CLONED_PKI_SUBSYSTEM, + master['pki_subsystem'], + log.PKI_JYTHON_NOT_YET_IMPLEMENTED) + return self.rv + elif config.str2bool(master['pki_external']): + print "%s '%s %s' %s" %\ + (log.PKI_JYTHON_INDENTATION_2, + log.PKI_JYTHON_EXTERNAL_CA, + master['pki_subsystem'], + log.PKI_JYTHON_NOT_YET_IMPLEMENTED) + return self.rv + elif config.str2bool(master['pki_subordinate']): + print "%s '%s %s' %s" %\ + (log.PKI_JYTHON_INDENTATION_2, + log.PKI_JYTHON_SUBORDINATE_CA, + master['pki_subsystem'], + log.PKI_JYTHON_NOT_YET_IMPLEMENTED) + return self.rv + else: + data = jyutil.rest_client.construct_pki_configuration_data( + master, token) + elif master['pki_subsystem'] == "KRA": + if 
config.str2bool(master['pki_clone']): + print "%s '%s %s' %s" %\ + (log.PKI_JYTHON_INDENTATION_2, + log.PKI_JYTHON_CLONED_PKI_SUBSYSTEM, + master['pki_subsystem'], + log.PKI_JYTHON_NOT_YET_IMPLEMENTED) + return self.rv + else: + print "%s '%s' %s" %\ + (log.PKI_JYTHON_INDENTATION_2, + master['pki_subsystem'], + log.PKI_JYTHON_NOT_YET_IMPLEMENTED) + return self.rv + elif master['pki_subsystem'] == "OCSP": + if config.str2bool(master['pki_clone']): + print "%s '%s %s' %s" %\ + (log.PKI_JYTHON_INDENTATION_2, + log.PKI_JYTHON_CLONED_PKI_SUBSYSTEM, + master['pki_subsystem'], + log.PKI_JYTHON_NOT_YET_IMPLEMENTED) + return self.rv + else: + print "%s '%s' %s" %\ + (log.PKI_JYTHON_INDENTATION_2, + master['pki_subsystem'], + log.PKI_JYTHON_NOT_YET_IMPLEMENTED) + return self.rv + elif master['pki_subsystem'] == "TKS": + if config.str2bool(master['pki_clone']): + print "%s '%s %s' %s" %\ + (log.PKI_JYTHON_INDENTATION_2, + log.PKI_JYTHON_CLONED_PKI_SUBSYSTEM, + master['pki_subsystem'], + log.PKI_JYTHON_NOT_YET_IMPLEMENTED) + return self.rv + else: + print "%s '%s' %s" %\ + (log.PKI_JYTHON_INDENTATION_2, + master['pki_subsystem'], + log.PKI_JYTHON_NOT_YET_IMPLEMENTED) + return self.rv + + # Formulate PKI Subsystem Configuration Data Response + jyutil.rest_client.configure_pki_data(data, + master['pki_subsystem'], + master['pki_dry_run_flag'], + master['pki_jython_log_level']) if __name__ == "__main__": diff --git a/base/deploy/src/scriptlets/configuration.py b/base/deploy/src/scriptlets/configuration.py index f40573940..421e08dc0 100644 --- a/base/deploy/src/scriptlets/configuration.py +++ b/base/deploy/src/scriptlets/configuration.py 
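Review bot: Every early return in the new subsystem dispatch is `return self.rv`, but `main(argv)` is a module-level function with no `self`, so each not-yet-implemented path raises `NameError` instead of returning; the earlier hunk introduces a local `rv = 0` for exactly this purpose, so all eleven sites should read `return rv`. When no branch returns and none sets `data` (for example an unrecognised `pki_instance_type`), execution falls through to `configure_pki_data(None, ...)`, which is presumably not intended; a final `else:` that prints the not-implemented message and returns would close that hole. The six identical "not yet implemented" print blocks would also collapse into one small helper taking the label.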
@@ -36,9 +36,13 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): extra=config.PKI_INDENTATION_LEVEL_1) if not config.pki_dry_run_flag: util.directory.create(master['pki_client_path'], uid=0, gid=0) + # Since 'certutil' does NOT strip the 'token=' portion of + # the 'token=password' entries, create a client password file + # which ONLY contains the 'password' for the purposes of + # allowing 'certutil' to generate the security databases util.password.create_password_conf( master['pki_client_password_conf'], - master['pki_client_pin']) + master['pki_client_pin'], pin_sans_token=True) util.directory.create(master['pki_client_database_path'], uid=0, gid=0) util.certutil.create_security_databases( 
@@ -47,19 +51,60 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): master['pki_client_key_database'], master['pki_client_secmod_database'], password_file=master['pki_client_password_conf']) - util.symlink.create( - config.pki_master_dict['pki_systemd_service'], - config.pki_master_dict['pki_systemd_service_link']) + util.symlink.create(master['pki_systemd_service'], + master['pki_systemd_service_link']) else: + # Since 'certutil' does NOT strip the 'token=' portion of + # the 'token=password' entries, create a client password file + # which ONLY contains the 'password' for the purposes of + # allowing 'certutil' to generate the security databases util.password.create_password_conf( master['pki_client_password_conf'], - master['pki_client_pin']) + master['pki_client_pin'], pin_sans_token=True) util.certutil.create_security_databases( master['pki_client_database_path'], master['pki_client_cert_database'], master['pki_client_key_database'], master['pki_client_secmod_database'], password_file=master['pki_client_password_conf']) + # Start/Restart this Apache/Tomcat PKI Process + if not config.pki_dry_run_flag: + if master['pki_subsystem'] in config.PKI_APACHE_SUBSYSTEMS: + apache_instances = util.instance.apache_instances() + if apache_instances == 1: + util.systemd.start() + elif apache_instances > 1: + util.systemd.restart() + elif master['pki_subsystem'] in config.PKI_TOMCAT_SUBSYSTEMS: + # Optionally prepare to enable a java debugger + # (e. g. 
- 'eclipse'): + if config.str2bool(master['pki_enable_java_debugger']): + config.prepare_for_an_external_java_debugger( + master['pki_target_tomcat_conf_instance_id']) + tomcat_instances = util.instance.tomcat_instances() + if tomcat_instances == 1: + util.systemd.start() + elif tomcat_instances > 1: + util.systemd.restart() + else: + # ALWAYS display correct information (even during dry_run) + if master['pki_subsystem'] in config.PKI_APACHE_SUBSYSTEMS: + apache_instances = util.instance.apache_instances() + if apache_instances == 0: + util.systemd.start() + elif apache_instances > 0: + util.systemd.restart() + elif master['pki_subsystem'] in config.PKI_TOMCAT_SUBSYSTEMS: + # Optionally prepare to enable a java debugger + # (e. g. - 'eclipse'): + if config.str2bool(master['pki_enable_java_debugger']): + config.prepare_for_an_external_java_debugger( + master['pki_target_tomcat_conf_instance_id']) + tomcat_instances = util.instance.tomcat_instances() + if tomcat_instances == 0: + util.systemd.start() + elif tomcat_instances > 0: + util.systemd.restart() # Pass control to the Java servlet via Jython 2.2 'configuration.jy' util.jython.invoke(master['pki_jython_configuration_scriptlet']) return self.rv @@ -67,6 +112,8 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): def respawn(self): config.pki_log.info(log.CONFIGURATION_RESPAWN_1, __name__, extra=config.PKI_INDENTATION_LEVEL_1) + # ALWAYS Restart this Apache/Tomcat PKI Process + util.systemd.restart() return self.rv def destroy(self): 
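Review bot: The start/restart logic in the new block is written out four times with the only difference being the count that means "first instance" (`== 1` outside dry run, `== 0` inside it), which makes the intent hard to verify and easy to drift; in the non-dry-run branch a count of 0 silently does nothing. A private helper taking the subsystem list and the expected minimum count, called once per branch, would keep the dry-run distinction visible in one place. Note also that `prepare_for_an_external_java_debugger` runs before the count check, so it is invoked even when neither start nor restart happens, which may or may not be intended. The enclosing method starts outside the hunk.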
@@ -76,23 +123,19 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): if master['pki_subsystem'] in config.PKI_APACHE_SUBSYSTEMS and\ util.instance.apache_instances() == 1: util.directory.delete(master['pki_client_path']) - util.symlink.delete( - config.pki_master_dict['pki_systemd_service_link']) + util.symlink.delete(master['pki_systemd_service_link']) elif master['pki_subsystem'] in config.PKI_TOMCAT_SUBSYSTEMS and\ util.instance.tomcat_instances() == 1: util.directory.delete(master['pki_client_path']) - util.symlink.delete( - config.pki_master_dict['pki_systemd_service_link']) + util.symlink.delete(master['pki_systemd_service_link']) else: # ALWAYS display correct information (even during dry_run) if master['pki_subsystem'] in config.PKI_APACHE_SUBSYSTEMS and\ util.instance.apache_instances() == 0: util.directory.delete(master['pki_client_path']) - util.symlink.delete( - config.pki_master_dict['pki_systemd_service_link']) + util.symlink.delete(master['pki_systemd_service_link']) elif master['pki_subsystem'] in config.PKI_TOMCAT_SUBSYSTEMS and\ util.instance.tomcat_instances() == 0: util.directory.delete(master['pki_client_path']) - util.symlink.delete( - config.pki_master_dict['pki_systemd_service_link']) + util.symlink.delete(master['pki_systemd_service_link']) return self.rv diff --git a/base/deploy/src/scriptlets/finalization.py b/base/deploy/src/scriptlets/finalization.py index 02c5065cb..bceec67e0 100644 --- a/base/deploy/src/scriptlets/finalization.py +++ b/base/deploy/src/scriptlets/finalization.py 
@@ -100,4 +100,20 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
                                 extra=config.PKI_INDENTATION_LEVEL_0)
             if not config.pki_dry_run_flag:
                 util.file.modify(master['pki_destroy_log'], silent=True)
+            # Start this Apache/Tomcat PKI Process
+            if not config.pki_dry_run_flag:
+                if master['pki_subsystem'] in config.PKI_APACHE_SUBSYSTEMS and\
+                   util.instance.apache_instances() >= 1:
+                    util.systemd.start()
+                elif master['pki_subsystem'] in config.PKI_TOMCAT_SUBSYSTEMS and\
+                     util.instance.tomcat_instances() >= 1:
+                    util.systemd.start()
+            else:
+                # ALWAYS display correct information (even during dry_run)
+                if master['pki_subsystem'] in config.PKI_APACHE_SUBSYSTEMS and\
+                   util.instance.apache_instances() >= 0:
+                    util.systemd.start()
+                elif master['pki_subsystem'] in config.PKI_TOMCAT_SUBSYSTEMS and\
+                     util.instance.tomcat_instances() >= 0:
+                    util.systemd.start()
         return self.rv
diff --git a/base/deploy/src/scriptlets/initialization.py b/base/deploy/src/scriptlets/initialization.py
index 3077737c8..1ff8522ed 100644
--- a/base/deploy/src/scriptlets/initialization.py
+++ b/base/deploy/src/scriptlets/initialization.py
@@ -41,9 +41,14 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
             # verify that this type of "subsystem" does NOT yet
             # exist for this "instance"
             util.instance.verify_subsystem_does_not_exist()
+            # initialize 'uid' and 'gid'
+            util.identity.add_uid_and_gid(master['pki_user'], master['pki_group'])
             # establish 'uid' and 'gid'
             util.identity.set_uid(master['pki_user'])
             util.identity.set_gid(master['pki_group'])
+            # verify existence of MANDATORY configuration file data
+            util.configuration_file.verify_sensitive_data()
+            util.configuration_file.verify_mutually_exclusive_data()
         return self.rv
 
     def respawn(self):
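Review bot: `util.instance.apache_instances() >= 0` and `util.instance.tomcat_instances() >= 0` in the dry-run `else:` branch are always true for a count, so those conditions reduce to the subsystem-type test while reading as if they checked something. Either drop the count comparison there or, since `util.systemd.start()` already skips execution under `config.pki_dry_run_flag`, collapse both branches into a single `if master['pki_subsystem'] in config.PKI_APACHE_SUBSYSTEMS or master['pki_subsystem'] in config.PKI_TOMCAT_SUBSYSTEMS: util.systemd.start()`. The configuration scriptlet's hunk in this same commit already starts or restarts the service, so this second start presumably exists for the destroy-then-respawn path; a one-line comment saying so would spare the next reader the same question. The enclosing method begins before this hunk.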
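Review bot: The new `util.configuration_file.verify_sensitive_data()` / `verify_mutually_exclusive_data()` calls in initialization.py run after `util.identity.add_uid_and_gid()` has already created system accounts, so a deployment that aborts on a missing password leaves a freshly created user and group behind. Moving the two verification calls ahead of `add_uid_and_gid` (directly after `verify_subsystem_does_not_exist()`) makes the configuration check side-effect free and fails fastest. The spawn method starts before this hunk.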
@@ -74,4 +79,6 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
             # establish 'uid' and 'gid'
             util.identity.set_uid(master['pki_user'])
             util.identity.set_gid(master['pki_group'])
+            # ALWAYS Stop this Apache/Tomcat PKI Process
+            util.systemd.stop()
         return self.rv
diff --git a/base/deploy/src/scriptlets/instance_layout.py b/base/deploy/src/scriptlets/instance_layout.py
index 8a645f029..2fd7165d1 100644
--- a/base/deploy/src/scriptlets/instance_layout.py
+++ b/base/deploy/src/scriptlets/instance_layout.py
@@ -48,30 +48,90 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): # establish Tomcat instance base util.directory.create(master['pki_tomcat_common_path']) util.directory.create(master['pki_tomcat_common_lib_path']) + util.directory.create(master['pki_tomcat_tmpdir_path']) util.directory.create(master['pki_tomcat_webapps_path']) util.directory.create(master['pki_tomcat_webapps_root_path']) util.directory.create(master['pki_tomcat_webapps_root_webinf_path']) util.file.copy(master['pki_source_webapps_root_web_xml'], master['pki_tomcat_webapps_root_webinf_web_xml'], overwrite_flag=True) - util.directory.create(master['pki_tomcat_webapps_webinf_path']) + util.directory.create(master['pki_tomcat_work_path']) + util.directory.create(master['pki_tomcat_work_catalina_path']) + util.directory.create(master['pki_tomcat_work_catalina_host_path']) util.directory.create( - master['pki_tomcat_webapps_webinf_classes_path']) - util.directory.create(master['pki_tomcat_webapps_webinf_lib_path']) + master['pki_tomcat_work_catalina_host_run_path']) + util.directory.create( + master['pki_tomcat_work_catalina_host_subsystem_path']) # establish Tomcat instance logs # establish Tomcat instance configuration util.directory.copy(master['pki_source_shared_path'], master['pki_instance_configuration_path'], overwrite_flag=True) # establish Tomcat instance registry - # establish Tomcat instance convenience - # symbolic links + # establish Tomcat instance convenience symbolic links util.symlink.create(master['pki_tomcat_bin_path'], master['pki_tomcat_bin_link']) util.symlink.create(master['pki_tomcat_lib_path'], master['pki_tomcat_lib_link']) + util.symlink.create(master['pki_instance_log4j_properties'], + master['pki_tomcat_lib_log4j_properties_link'], + uid=0, gid=0) util.symlink.create(master['pki_tomcat_systemd'], - master['pki_instance_systemd_link']) + master['pki_instance_systemd_link'], + uid=0, gid=0) + # establish Tomcat instance common lib jar symbolic links + 
util.symlink.create(master['pki_apache_commons_collections_jar'], + master['pki_apache_commons_collections_jar_link']) + util.symlink.create(master['pki_apache_commons_lang_jar'], + master['pki_apache_commons_lang_jar_link']) + util.symlink.create(master['pki_apache_commons_logging_jar'], + master['pki_apache_commons_logging_jar_link']) + util.symlink.create(master['pki_commons_codec_jar'], + master['pki_commons_codec_jar_link']) + util.symlink.create(master['pki_httpclient_jar'], + master['pki_httpclient_jar_link']) + util.symlink.create(master['pki_javassist_jar'], + master['pki_javassist_jar_link']) + util.symlink.create(master['pki_resteasy_jaxrs_api_jar'], + master['pki_resteasy_jaxrs_api_jar_link']) + util.symlink.create(master['pki_jettison_jar'], + master['pki_jettison_jar_link']) + util.symlink.create(master['pki_jss_jar'], + master['pki_jss_jar_link']) + util.symlink.create(master['pki_ldapjdk_jar'], + master['pki_ldapjdk_jar_link']) + util.symlink.create(master['pki_certsrv_jar'], + master['pki_certsrv_jar_link']) + util.symlink.create(master['pki_cmsbundle'], + master['pki_cmsbundle_jar_link']) + util.symlink.create(master['pki_cmscore'], + master['pki_cmscore_jar_link']) + util.symlink.create(master['pki_cms'], + master['pki_cms_jar_link']) + util.symlink.create(master['pki_cmsutil'], + master['pki_cmsutil_jar_link']) + util.symlink.create(master['pki_nsutil'], + master['pki_nsutil_jar_link']) + util.symlink.create(master['pki_resteasy_jaxb_provider_jar'], + master['pki_resteasy_jaxb_provider_jar_link']) + util.symlink.create(master['pki_resteasy_jaxrs_jar'], + master['pki_resteasy_jaxrs_jar_link']) + util.symlink.create(master['pki_resteasy_jettison_provider_jar'], + master['pki_resteasy_jettison_provider_jar_link']) + util.symlink.create(master['pki_scannotation_jar'], + master['pki_scannotation_jar_link']) + util.symlink.create(master['pki_symkey_jar'], + master['pki_symkey_jar_link']) + util.symlink.create(master['pki_tomcatjss_jar'], + 
master['pki_tomcatjss_jar_link']) + util.symlink.create(master['pki_velocity_jar'], + master['pki_velocity_jar_link']) + util.symlink.create(master['pki_xerces_j2_jar'], + master['pki_xerces_j2_jar_link']) + util.symlink.create(master['pki_xml_commons_apis_jar'], + master['pki_xml_commons_apis_jar_link']) + util.symlink.create(master['pki_xml_commons_resolver_jar'], + master['pki_xml_commons_resolver_jar_link']) # establish shared NSS security databases for this instance util.directory.create(master['pki_database_path']) # establish instance convenience symbolic links 
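Review bot: The 26 consecutive `util.symlink.create(master['pki_*_jar'], master['pki_*_jar_link'])` calls under "establish Tomcat instance common lib jar symbolic links" are repeated as 26 `util.symlink.modify` calls in the `@@ -106,16 +166,53 @@` hunk, so every new jar has to be added in two places and the lists will drift. Because the key names are not uniform (`pki_cmsbundle` pairs with `pki_cmsbundle_jar_link`, `pki_resteasy_jaxrs_api_jar` with `pki_resteasy_jaxrs_api_jar_link`), a suffix rule will not do; a list of (source key, link key) pairs in pkiconfig - call it something like `PKI_TOMCAT_COMMON_LIB_JARS` (name constructed here) - reduces both sites to `for source, link in config.PKI_TOMCAT_COMMON_LIB_JARS: util.symlink.create(master[source], master[link])` and the `modify` equivalent. The log4j and systemd links are created with `uid=0, gid=0` while the jar links take the default ownership; a short comment on why root must own those two would help the next reader. The enclosing spawn method starts before this hunk.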
@@ -106,16 +166,53 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): util.file.copy(master['pki_source_webapps_root_web_xml'], master['pki_tomcat_webapps_root_webinf_web_xml'], overwrite_flag=True) - util.directory.modify(master['pki_tomcat_webapps_webinf_path']) + util.directory.modify(master['pki_tomcat_work_path']) + util.directory.modify(master['pki_tomcat_work_catalina_path']) + util.directory.modify(master['pki_tomcat_work_catalina_host_path']) + util.directory.modify( + master['pki_tomcat_work_catalina_host_run_path']) util.directory.modify( - master['pki_tomcat_webapps_webinf_classes_path']) - util.directory.modify(master['pki_tomcat_webapps_webinf_lib_path']) + master['pki_tomcat_work_catalina_host_subsystem_path']) # update Tomcat instance logs # update Tomcat instance configuration # update Tomcat instance registry # update Tomcat instance convenience symbolic links util.symlink.modify(master['pki_tomcat_bin_link']) util.symlink.modify(master['pki_tomcat_lib_link']) + util.symlink.modify(master['pki_tomcat_lib_log4j_properties_link'], + uid=0, gid=0) + util.symlink.modify(master['pki_instance_systemd_link'], + uid=0, gid=0) + # update Tomcat instance common lib jar symbolic links + + util.symlink.modify( + master['pki_apache_commons_collections_jar_link']) + util.symlink.modify(master['pki_apache_commons_lang_jar_link']) + util.symlink.modify(master['pki_apache_commons_logging_jar_link']) + util.symlink.modify(master['pki_commons_codec_jar_link']) + util.symlink.modify(master['pki_httpclient_jar_link']) + util.symlink.modify(master['pki_javassist_jar_link']) + util.symlink.modify(master['pki_resteasy_jaxrs_api_jar_link']) + util.symlink.modify(master['pki_jettison_jar_link']) + util.symlink.modify(master['pki_jss_jar_link']) + util.symlink.modify(master['pki_ldapjdk_jar_link']) + util.symlink.modify(master['pki_certsrv_jar_link']) + util.symlink.modify(master['pki_cmsbundle_jar_link']) + util.symlink.modify(master['pki_cmscore_jar_link']) + 
util.symlink.modify(master['pki_cms_jar_link']) + util.symlink.modify(master['pki_cmsutil_jar_link']) + util.symlink.modify(master['pki_nsutil_jar_link']) + util.symlink.modify(master['pki_resteasy_jaxb_provider_jar_link']) + util.symlink.modify(master['pki_resteasy_jaxrs_jar_link']) + util.symlink.modify( + master['pki_resteasy_jettison_provider_jar_link']) + util.symlink.modify(master['pki_scannotation_jar_link']) + util.symlink.modify(master['pki_symkey_jar_link']) + util.symlink.modify(master['pki_tomcatjss_jar_link']) + util.symlink.modify(master['pki_velocity_jar_link']) + util.symlink.modify(master['pki_xerces_j2_jar_link']) + util.symlink.modify(master['pki_xml_commons_apis_jar_link']) + util.symlink.modify(master['pki_xml_commons_resolver_jar_link']) # update shared NSS security databases for this instance util.directory.modify(master['pki_database_path']) # update instance convenience symbolic links @@ -150,6 +247,8 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): # remove shared NSS security database path for this instance util.directory.delete(master['pki_database_path']) # remove Tomcat instance configuration + util.symlink.delete( + master['pki_tomcat_lib_log4j_properties_link']) util.directory.delete(master['pki_instance_configuration_path']) # remove Tomcat instance registry util.directory.delete(master['pki_instance_type_registry_path']) @@ -174,6 +273,8 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): # remove shared NSS security database path for this instance util.directory.delete(master['pki_database_path']) # remove Tomcat instance configuration + util.symlink.delete( + master['pki_tomcat_lib_log4j_properties_link']) util.directory.delete(master['pki_instance_configuration_path']) # remove Tomcat instance registry util.directory.delete(master['pki_instance_type_registry_path']) diff --git a/base/deploy/src/scriptlets/pkiconfig.py b/base/deploy/src/scriptlets/pkiconfig.py index 2acd37d36..07537d7aa 100644 
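Review bot: The two destroy hunks (`@@ -150,6 +247,8 @@` and `@@ -174,6 +273,8 @@`) remove `pki_tomcat_lib_log4j_properties_link` before deleting the configuration directory, but none of the jar symlinks the create hunk adds under the Tomcat common lib has a matching `util.symlink.delete` in this diff. If `pki_tomcat_common_lib_path` is not removed as a whole elsewhere in destroy (not visible here), those links survive the subsystem's removal, which is presumably unintended; worth confirming, and a comment at the log4j delete stating which links the directory removal is expected to cover. The two hunks are identical copies (live and dry-run branches, judging by the pattern in configuration.py), so the same note applies to both. The enclosing destroy method starts before these hunks.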
--- a/base/deploy/src/scriptlets/pkiconfig.py
+++ b/base/deploy/src/scriptlets/pkiconfig.py
@@ -28,6 +28,13 @@ PKI_DEPLOYMENT_DEFAULT_SGID_DIR_PERMISSIONS = 02770
 PKI_DEPLOYMENT_DEFAULT_SYMLINK_PERMISSIONS = 00777
 PKI_DEPLOYMENT_DEFAULT_UMASK = 00002
 
+PKI_DEPLOYMENT_DEFAULT_COMMENT = "'Certificate System'"
+PKI_DEPLOYMENT_DEFAULT_GID = 17
+PKI_DEPLOYMENT_DEFAULT_GROUP = "pkiuser"
+PKI_DEPLOYMENT_DEFAULT_SHELL = "/sbin/nologin"
+PKI_DEPLOYMENT_DEFAULT_UID = 17
+PKI_DEPLOYMENT_DEFAULT_USER = "pkiuser"
+
 PKI_SUBSYSTEMS = ["CA","KRA","OCSP","RA","TKS","TPS"]
 PKI_SIGNED_AUDIT_SUBSYSTEMS = ["CA","KRA","OCSP","TKS","TPS"]
 PKI_APACHE_SUBSYSTEMS = ["RA","TPS"]
@@ -39,6 +46,12 @@ PKI_INDENTATION_LEVEL_2 = {'indent' : '....... '}
 PKI_INDENTATION_LEVEL_3 = {'indent' : '........... '}
 PKI_INDENTATION_LEVEL_4 = {'indent' : '............... '}
 
+PKI_DEPLOYMENT_INTERRUPT_BANNER = "-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+"\
+                                  "-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-"
+PKI_DEPLOYMENT_JAR_SOURCE_ROOT = "/usr/share/java"
+PKI_DEPLOYMENT_HTTPCOMPONENTS_JAR_SOURCE_ROOT = "/usr/share/java/httpcomponents"
+PKI_DEPLOYMENT_PKI_JAR_SOURCE_ROOT = "/usr/share/java/pki"
+PKI_DEPLOYMENT_RESTEASY_JAR_SOURCE_ROOT = "/usr/share/java/resteasy"
 PKI_DEPLOYMENT_SOURCE_ROOT = "/usr/share/pki"
 PKI_DEPLOYMENT_SYSTEMD_ROOT = "/lib/systemd/system"
 PKI_DEPLOYMENT_SYSTEMD_CONFIGURATION_ROOT = "/etc/systemd/system"
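Review bot: `PKI_DEPLOYMENT_DEFAULT_COMMENT = "'Certificate System'"` carries shell quoting inside the Python value because the pkihelper hunk splices it into a `shell=True` command line; a constant that is only correct in that one context is fragile. Storing the bare `"Certificate System"` and letting the caller pass it as a single argv element (`["/usr/sbin/useradd", ..., "-c", config.PKI_DEPLOYMENT_DEFAULT_COMMENT, ...]`) removes the coupling; failing that, annotate it: `# quoted for use inside a shell=True command line (see pkihelper.identity)`. The hard-coded `PKI_DEPLOYMENT_DEFAULT_UID`/`_GID` of 17 also deserves a one-line comment on where that well-known id is registered, since `identity.__add_uid`/`__add_gid` deliberately fall back to a random id when it is taken.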
@@ -101,6 +114,48 @@ custom_pki_https_port = None custom_pki_ajp_port = None +# PKI Deployment Helper Functions +def str2bool(string): + return string.lower() in ("yes", "true", "t", "1") + +# NOTE: To utilize the 'preparations_for_an_external_java_debugger(master)' +# and 'wait_to_attach_an_external_java_debugger(master)' functions, +# change 'pki_enable_java_debugger=False' to +# 'pki_enable_java_debugger=True' in the appropriate +# 'pkideployment.cfg' configuration file. +def prepare_for_an_external_java_debugger(instance): + print + print PKI_DEPLOYMENT_INTERRUPT_BANNER + print + print "The following 'JAVA_OPTS' MUST be enabled (uncommented) in" + print "'%s':" % instance + print + print " JAVA_OPTS=\"-Xdebug -Xrunjdwp:transport=dt_socket,\"" + print " \"address=8000,server=y,suspend\"" + print + raw_input("Enable external java debugger 'JAVA_OPTS' "\ + "and press return to continue . . . ") + print + print PKI_DEPLOYMENT_INTERRUPT_BANNER + print + return + +def wait_to_attach_an_external_java_debugger(): + print + print PKI_DEPLOYMENT_INTERRUPT_BANNER + print + print "Attach the java debugger to this process on the port specified by" + print "the 'address' selected by 'JAVA_OPTS' (e. g. - port 8000) and" + print "set any desired breakpoints" + print + raw_input("Please attach an external java debugger "\ + "and press return to continue . . . ") + print + print PKI_DEPLOYMENT_INTERRUPT_BANNER + print + return + + # PKI Deployment Logger Variables pki_jython_log_level = None pki_log = None @@ -111,6 +166,9 @@ pki_console_log_level = None # PKI Deployment Global Dictionaries +pki_sensitive_dict = None +pki_mandatory_dict = None +pki_optional_dict = None pki_common_dict = None pki_web_server_dict = None pki_subsystem_dict = None diff --git a/base/deploy/src/scriptlets/pkihelper.py b/base/deploy/src/scriptlets/pkihelper.py index b88eafe72..7b77bcee5 100644 --- a/base/deploy/src/scriptlets/pkihelper.py +++ b/base/deploy/src/scriptlets/pkihelper.py 
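Review bot: The JAVA_OPTS line that the new `prepare_for_an_external_java_debugger` prints ends in `suspend` with no value; JDWP expects `suspend=y` (hold the JVM until a debugger attaches, which is what `wait_to_attach_an_external_java_debugger` assumes) or `suspend=n`, so the instruction cannot be pasted as shown. While fixing that, print `address=localhost:8000` rather than a bare port: a JDWP listener bound to all interfaces lets anyone who can reach it execute code inside the PKI JVM, and nothing in the printed text warns the operator. The NOTE comment refers to `preparations_for_an_external_java_debugger(master)` and `wait_to_attach_an_external_java_debugger(master)`, but the functions are actually `prepare_for_an_external_java_debugger(instance)` and `wait_to_attach_an_external_java_debugger()`. `str2bool` raises `AttributeError` if it is handed `None` for a missing key; an explicit `if string is None: return False` (or whichever default the callers expect) gives a clearer failure than a traceback inside `.lower()`.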
@@ -30,14 +30,17 @@ import random import shutil import string import subprocess +from grp import getgrgid from grp import getgrnam from pwd import getpwnam +from pwd import getpwuid import zipfile # PKI Deployment Imports import pkiconfig as config from pkiconfig import pki_master_dict as master +from pkiconfig import pki_sensitive_dict as sensitive from pkiconfig import pki_slots_dict as slots import pkimanifest as manifest import pkimessages as log 
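Review bot: `from pkiconfig import pki_sensitive_dict as sensitive` binds `sensitive` to whatever the module attribute holds at import time, which the pkiconfig hunk sets to `None`; the later `sensitive.has_key(...)` calls in `configuration_file` only work if the dictionary is populated in place rather than reassigned in pkiconfig. The existing `pki_master_dict as master` import presumably relies on the same convention, so this is likely fine, but the code that fills `pki_sensitive_dict` is outside this diff and worth checking. A comment on the import, `# populated in place by the deployment driver; never rebound`, would record the assumption.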
@@ -117,6 +120,136 @@ def pki_copytree(src, dst, symlinks=False, ignore=None): # PKI Deployment Identity Class class identity: + def __add_gid(self, pki_group): + pki_gid = None + try: + # Does the specified 'pki_group' exist? + pki_gid = getgrnam(pki_group)[2] + # Yes, group 'pki_group' exists! + config.pki_log.info(log.PKIHELPER_GROUP_ADD_2, pki_group, pki_gid, + extra=config.PKI_INDENTATION_LEVEL_2) + except KeyError as exc: + # No, group 'pki_group' does not exist! + config.pki_log.debug(log.PKIHELPER_GROUP_ADD_KEYERROR_1, exc, + extra=config.PKI_INDENTATION_LEVEL_2) + try: + # Is the default well-known GID already defined? + group = getgrgid(config.PKI_DEPLOYMENT_DEFAULT_GID)[0] + # Yes, the default well-known GID exists! + config.pki_log.info(log.PKIHELPER_GROUP_ADD_DEFAULT_2, + group, config.PKI_DEPLOYMENT_DEFAULT_GID, + extra=config.PKI_INDENTATION_LEVEL_2) + # Attempt to create 'pki_group' using a random GID. + command = "/usr/sbin/groupadd" + " " +\ + pki_group + " " +\ + "> /dev/null 2>&1" + except KeyError as exc: + # No, the default well-known GID does not exist! + config.pki_log.debug(log.PKIHELPER_GROUP_ADD_GID_KEYERROR_1, + exc, extra=config.PKI_INDENTATION_LEVEL_2) + # Is the specified 'pki_group' the default well-known group? + if pki_group == config.PKI_DEPLOYMENT_DEFAULT_GROUP: + # Yes, attempt to create the default well-known group + # using the default well-known GID. + command = "/usr/sbin/groupadd" + " " +\ + "-g" + " " +\ + str(config.PKI_DEPLOYMENT_DEFAULT_GID) + " " +\ + "-r" + " " +\ + pki_group + " " +\ + "> /dev/null 2>&1" + else: + # No, attempt to create 'pki_group' using a random GID. + command = "/usr/sbin/groupadd" + " " +\ + pki_group + " " +\ + "> /dev/null 2>&1" + # Execute this "groupadd" command. 
+ subprocess.call(command, shell=True) + except subprocess.CalledProcessError as exc: + config.pki_log.error(log.PKI_SUBPROCESS_ERROR_1, exc, + extra=config.PKI_INDENTATION_LEVEL_2) + sys.exit(1) + return + + def __add_uid(self, pki_user, pki_group): + pki_uid = None + try: + # Does the specified 'pki_user' exist? + pki_uid = getpwnam(pki_user)[2] + # Yes, user 'pki_user' exists! + config.pki_log.info(log.PKIHELPER_USER_ADD_2, pki_user, pki_uid, + extra=config.PKI_INDENTATION_LEVEL_2) + # NOTE: For now, never check validity of specified 'pki_group'! + except KeyError as exc: + # No, user 'pki_user' does not exist! + config.pki_log.debug(log.PKIHELPER_USER_ADD_KEYERROR_1, exc, + extra=config.PKI_INDENTATION_LEVEL_2) + try: + # Is the default well-known UID already defined? + user = getpwuid(config.PKI_DEPLOYMENT_DEFAULT_UID)[0] + # Yes, the default well-known UID exists! + config.pki_log.info(log.PKIHELPER_USER_ADD_DEFAULT_2, + user, config.PKI_DEPLOYMENT_DEFAULT_UID, + extra=config.PKI_INDENTATION_LEVEL_2) + # Attempt to create 'pki_user' using a random UID. + command = "/usr/sbin/useradd" + " " +\ + "-g" + " " +\ + pki_group + " " +\ + "-d" + " " +\ + config.PKI_DEPLOYMENT_SOURCE_ROOT + " " +\ + "-s" + " " +\ + config.PKI_DEPLOYMENT_DEFAULT_SHELL + " " +\ + "-c" + " " +\ + config.PKI_DEPLOYMENT_DEFAULT_COMMENT + " " +\ + pki_user + " " +\ + "> /dev/null 2>&1" + except KeyError as exc: + # No, the default well-known UID does not exist! + config.pki_log.debug(log.PKIHELPER_USER_ADD_UID_KEYERROR_1, + exc, extra=config.PKI_INDENTATION_LEVEL_2) + # Is the specified 'pki_user' the default well-known user? + if pki_user == config.PKI_DEPLOYMENT_DEFAULT_USER: + # Yes, attempt to create the default well-known user + # using the default well-known UID. 
+ command = "/usr/sbin/useradd" + " " +\ + "-g" + " " +\ + pki_group + " " +\ + "-d" + " " +\ + config.PKI_DEPLOYMENT_SOURCE_ROOT + " " +\ + "-s" + " " +\ + config.PKI_DEPLOYMENT_DEFAULT_SHELL + " " +\ + "-c" + " " +\ + config.PKI_DEPLOYMENT_DEFAULT_COMMENT + " " +\ + "-u" + " " +\ + str(config.PKI_DEPLOYMENT_DEFAULT_UID) + " " +\ + "-r" + " " +\ + pki_user + " " +\ + "> /dev/null 2>&1" + else: + # No, attempt to create 'pki_user' using a random UID. + command = "/usr/sbin/useradd" + " " +\ + "-g" + " " +\ + pki_group + " " +\ + "-d" + " " +\ + config.PKI_DEPLOYMENT_SOURCE_ROOT + " " +\ + "-s" + " " +\ + config.PKI_DEPLOYMENT_DEFAULT_SHELL + " " +\ + "-c" + " " +\ + config.PKI_DEPLOYMENT_DEFAULT_COMMENT + " " +\ + pki_user + " " +\ + "> /dev/null 2>&1" + # Execute this "useradd" command. + subprocess.call(command, shell=True) + except subprocess.CalledProcessError as exc: + config.pki_log.error(log.PKI_SUBPROCESS_ERROR_1, exc, + extra=config.PKI_INDENTATION_LEVEL_2) + sys.exit(1) + return + + def add_uid_and_gid(self, pki_user, pki_group): + self.__add_gid(pki_group) + self.__add_uid(pki_user, pki_group) + return + def get_uid(self, critical_failure=True): try: pki_uid = master['pki_uid'] 
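Review bot: `subprocess.call` in `__add_gid` and `__add_uid` never raises `CalledProcessError` (only `check_call` does) and its return code is discarded, so a failing `groupadd`/`useradd` - whose diagnostics are sent to `/dev/null` - goes unnoticed and deployment continues until `set_uid`/`set_gid` trips on the missing account. Building the command by string concatenation and running it with `shell=True` also means `pki_user` and `pki_group` from the deployment file are shell-interpreted, which is why `PKI_DEPLOYMENT_DEFAULT_COMMENT` has to carry its own quotes; an argv list with `check_call` removes both problems. The sketch below shows the group case, keeping the existing lookups and log messages; `__add_uid` follows the same shape with `-g`, `-d`, `-s`, `-c` (and `-u`, `-r`) as separate list elements. The two methods share the same exists / default-id-taken / create structure and could become one helper parameterised by lookup function and command, but that is optional.
```python
    def __add_gid(self, pki_group):
        # … unchanged: getgrnam / getgrgid lookups and PKIHELPER_GROUP_ADD_* logging …
                if pki_group == config.PKI_DEPLOYMENT_DEFAULT_GROUP:
                    command = ["/usr/sbin/groupadd",
                               "-g", str(config.PKI_DEPLOYMENT_DEFAULT_GID),
                               "-r", pki_group]
                else:
                    command = ["/usr/sbin/groupadd", pki_group]
            # Execute this "groupadd" command; check_call raises on a non-zero exit,
            # OSError if the binary is missing - both are fatal for deployment.
            with open(os.devnull, "w") as devnull:
                subprocess.check_call(command, stdout=devnull, stderr=devnull)
        except (subprocess.CalledProcessError, OSError) as exc:
            config.pki_log.error(log.PKI_SUBPROCESS_ERROR_1, exc,
                                 extra=config.PKI_INDENTATION_LEVEL_2)
            sys.exit(1)
```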
@@ -170,18 +303,140 @@ class identity: return pki_gid +# PKI Deployment Configuration File Class +class configuration_file: + def verify_sensitive_data(self): + # Silently verify the existence of 'sensitive' data + if master['pki_subsystem'] in config.PKI_TOMCAT_SUBSYSTEMS: + # Verify existence of Directory Server Password (ALWAYS) + if not sensitive.has_key('pki_ds_password') or\ + not len(sensitive['pki_ds_password']): + config.pki_log.error( + log.PKIHELPER_UNDEFINED_DS_PASSWORD_1, + config.pkideployment_cfg, + extra=config.PKI_INDENTATION_LEVEL_2) + sys.exit(1) + # Verify existence of Admin Password (except for Clones) + if not config.str2bool(master['pki_clone']): + if not sensitive.has_key('pki_admin_password') or\ + not len(sensitive['pki_admin_password']): + config.pki_log.error( + log.PKIHELPER_UNDEFINED_ADMIN_PASSWORD_1, + config.pkideployment_cfg, + extra=config.PKI_INDENTATION_LEVEL_2) + sys.exit(1) + # If required, verify existence of Backup Password + # (except for Clones) + if config.str2bool(master['pki_backup_keys']): + if not config.str2bool(master['pki_clone']): + if not sensitive.has_key('pki_backup_password') or\ + not len(sensitive['pki_backup_password']): + config.pki_log.error( + log.PKIHELPER_UNDEFINED_BACKUP_PASSWORD_1, + config.pkideployment_cfg, + extra=config.PKI_INDENTATION_LEVEL_2) + sys.exit(1) + # Verify existence of PKCS #12 Password (ONLY for Clones) + if config.str2bool(master['pki_clone']): + if not sensitive.has_key('pki_pkcs12_password') or\ + not len(sensitive['pki_pkcs12_password']): + config.pki_log.error( + log.PKIHELPER_UNDEFINED_PKCS12_PASSWORD_1, + config.pkideployment_cfg, + extra=config.PKI_INDENTATION_LEVEL_2) + sys.exit(1) + # Verify existence of Security Domain Password File + # (ONLY for Clones, Subordinate CA, KRA, OCSP, RA, TKS, or TPS) + if config.str2bool(master['pki_clone']) or\ + config.str2bool(master['pki_subordinate']) or\ + master['pki_subsystem'] == "KRA" or\ + master['pki_subsystem'] == "OCSP" or\ + 
master['pki_subsystem'] == "RA" or\ + master['pki_subsystem'] == "TKS" or\ + master['pki_subsystem'] == "TPS": + if not sensitive.has_key('pki_security_domain_password') or\ + not len(sensitive['pki_security_domain_password']): + config.pki_log.error( + log.PKIHELPER_UNDEFINED_SECURITY_DOMAIN_PASSWORD_1, + config.pkideployment_cfg, + extra=config.PKI_INDENTATION_LEVEL_2) + sys.exit(1) + return + + def verify_mutually_exclusive_data(self): + # Silently verify the existence of 'mutually exclusive' data + if master['pki_subsystem'] in config.PKI_TOMCAT_SUBSYSTEMS: + if master['pki_subsystem'] == "CA": + if config.str2bool(master['pki_clone']) and\ + config.str2bool(master['pki_external']) and\ + config.str2bool(master['pki_subordinate']): + config.pki_log.error( + log.PKIHELPER_MUTUALLY_EXCLUSIVE_CLONE_EXTERNAL_SUB_CA, + config.pkideployment_cfg, + extra=config.PKI_INDENTATION_LEVEL_2) + sys.exit(1) + elif config.str2bool(master['pki_clone']) and\ + config.str2bool(master['pki_external']): + config.pki_log.error( + log.PKIHELPER_MUTUALLY_EXCLUSIVE_CLONE_EXTERNAL_CA, + config.pkideployment_cfg, + extra=config.PKI_INDENTATION_LEVEL_2) + sys.exit(1) + elif config.str2bool(master['pki_clone']) and\ + config.str2bool(master['pki_subordinate']): + config.pki_log.error( + log.PKIHELPER_MUTUALLY_EXCLUSIVE_CLONE_SUB_CA, + config.pkideployment_cfg, + extra=config.PKI_INDENTATION_LEVEL_2) + sys.exit(1) + elif config.str2bool(master['pki_external']) and\ + config.str2bool(master['pki_subordinate']): + config.pki_log.error( + log.PKIHELPER_MUTUALLY_EXCLUSIVE_EXTERNAL_SUB_CA, + config.pkideployment_cfg, + extra=config.PKI_INDENTATION_LEVEL_2) + sys.exit(1) + + +# PKI Deployment XML File Class +#class xml_file: +# def remove_filter_section_from_web_xml(self, +# web_xml_source, +# web_xml_target): +# config.pki_log.info(log.PKIHELPER_REMOVE_FILTER_SECTION_1, +# master['pki_target_subsystem_web_xml'], +# extra=config.PKI_INDENTATION_LEVEL_2) +# if not config.pki_dry_run_flag: +# 
begin_filters_section = False +# begin_servlet_section = False +# FILE = open(web_xml_target, "w") +# for line in fileinput.FileInput(web_xml_source): +# if not begin_filters_section: +# # Read and write lines until first "<filter>" tag +# if line.count("<filter>") >= 1: +# # Mark filters section +# begin_filters_section = True +# else: +# FILE.write(line) +# elif not begin_servlet_section: +# # Skip lines until first "<servlet>" tag +# if line.count("<servlet>") >= 1: +# # Mark servlets section and write out the opening tag +# begin_servlet_section = True +# FILE.write(line) +# else: +# continue +# else: +# # Read and write lines all lines after "<servlet>" tag +# FILE.write(line) +# FILE.close() + + # PKI Deployment Instance Class class instance: def apache_instances(self): rv = 0 try: - if not os.path.exists(master['pki_instance_path']) or\ - not os.path.isdir(master['pki_instance_path']): - config.pki_log.error( - log.PKI_DIRECTORY_MISSING_OR_NOT_A_DIRECTORY_1, - master['pki_instance_path'], - extra=config.PKI_INDENTATION_LEVEL_2) - sys.exit(1) # count number of PKI subsystems present # within the specified Apache instance for subsystem in config.PKI_APACHE_SUBSYSTEMS: @@ -206,13 +461,6 @@ class instance: def pki_subsystem_instances(self): rv = 0 try: - if not os.path.exists(master['pki_path']) or\ - not os.path.isdir(master['pki_path']): - config.pki_log.error( - log.PKI_DIRECTORY_MISSING_OR_NOT_A_DIRECTORY_1, - master['pki_path'], - extra=config.PKI_INDENTATION_LEVEL_2) - sys.exit(1) # Since ALL directories within the top-level PKI infrastructure # SHOULD represent PKI instances, look for all possible # PKI instances within the top-level PKI infrastructure 
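Review bot: In `verify_sensitive_data` the security-domain check tests `master['pki_subsystem'] == "RA"` and `== "TPS"`, but the whole method body sits under `if master['pki_subsystem'] in config.PKI_TOMCAT_SUBSYSTEMS`, and RA/TPS are the members of `PKI_APACHE_SUBSYSTEMS` in the pkiconfig hunk, so those two arms are unreachable and the Apache subsystems get no password validation at all; either lift the checks that apply to every subsystem out of the outer guard or drop the dead conditions. The seven repetitions of `not sensitive.has_key(KEY) or not len(sensitive[KEY])` followed by the same four-line error-and-exit would read better as one private helper, sketched below. The roughly 30-line commented-out `xml_file` class should be left out of the commit rather than checked in as dead code. Removing the `pki_instance_path` / `pki_path` existence checks from `apache_instances`, `tomcat_instances` and `pki_subsystem_instances` lets the counters run against a missing directory; whether the loop bodies outside these hunks tolerate that (or now raise `OSError`) is worth confirming.
```python
    def __require(self, key, message):
        # Abort unless 'key' is present and non-empty in the 'sensitive' dictionary
        if not sensitive.get(key):
            config.pki_log.error(message, config.pkideployment_cfg,
                                 extra=config.PKI_INDENTATION_LEVEL_2)
            sys.exit(1)

    def verify_sensitive_data(self):
        # Silently verify the existence of 'sensitive' data
        if master['pki_subsystem'] in config.PKI_TOMCAT_SUBSYSTEMS:
            # Verify existence of Directory Server Password (ALWAYS)
            self.__require('pki_ds_password',
                           log.PKIHELPER_UNDEFINED_DS_PASSWORD_1)
            # … unchanged: remaining checks, each reduced to one __require call …
```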
@@ -247,13 +495,6 @@ class instance: def tomcat_instances(self): rv = 0 try: - if not os.path.exists(master['pki_instance_path']) or\ - not os.path.isdir(master['pki_instance_path']): - config.pki_log.error( - log.PKI_DIRECTORY_MISSING_OR_NOT_A_DIRECTORY_1, - master['pki_instance_path'], - extra=config.PKI_INDENTATION_LEVEL_2) - sys.exit(1) # count number of PKI subsystems present # within the specified Tomcat instance for subsystem in config.PKI_TOMCAT_SUBSYSTEMS: @@ -1295,8 +1536,8 @@ class war: # PKI Deployment Password Class class password: - def create_password_conf(self, path, pin, overwrite_flag=False, - critical_failure=True): + def create_password_conf(self, path, pin, pin_sans_token=False, + overwrite_flag=False, critical_failure=True): try: if not config.pki_dry_run_flag: if os.path.exists(path): @@ -1306,7 +1547,9 @@ class password: extra=config.PKI_INDENTATION_LEVEL_2) # overwrite the existing 'password.conf' file with open(path, "wt") as fd: - if master['pki_subsystem'] in\ + if pin_sans_token == True: + fd.write(str(pin)) + elif master['pki_subsystem'] in\ config.PKI_APACHE_SUBSYSTEMS: fd.write(master['pki_self_signed_token'] +\ ":" + str(pin)) @@ -1319,7 +1562,9 @@ class password: extra=config.PKI_INDENTATION_LEVEL_2) # create a new 'password.conf' file with open(path, "wt") as fd: - if master['pki_subsystem'] in\ + if pin_sans_token == True: + fd.write(str(pin)) + elif master['pki_subsystem'] in\ config.PKI_APACHE_SUBSYSTEMS: fd.write(master['pki_self_signed_token'] +\ ":" + str(pin)) 
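Review bot: `pin_sans_token` is inserted before `overwrite_flag` in `create_password_conf`'s signature, so any existing caller that passes `overwrite_flag` or `critical_failure` positionally (`create_password_conf(path, pin, True)`) now silently gets `pin_sans_token=True` and writes a token-less file instead of overwriting; appending the new parameter after `critical_failure`, or converting callers to keywords, keeps old calls working. `if pin_sans_token == True:` should be `if pin_sans_token:`, and the same three-way write (`pin` alone / Apache `token:pin` / the Tomcat form) now appears in both the overwrite and the create branch - a small `__password_line(pin, pin_sans_token)` helper would keep the two copies from drifting. The `tomcat_instances` removal hunk at the top of this line mirrors the `apache_instances` one and shares the concern raised there. The enclosing method continues outside these hunks.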
@@ -1642,6 +1887,90 @@ class certutil: return +# PKI Deployment 'systemd' Execution Management Class +class systemd: + def start(self, critical_failure=True): + try: + # Compose this "systemd" execution management command + if master['pki_subsystem'] in config.PKI_APACHE_SUBSYSTEMS: + command = "systemctl" + " " +\ + "start" + " " +\ + "pki-apached" + "@" +\ + master['pki_instance_id'] + "." + "service" + elif master['pki_subsystem'] in config.PKI_TOMCAT_SUBSYSTEMS: + command = "systemctl" + " " +\ + "start" + " " +\ + "pki-tomcatd" + "@" +\ + master['pki_instance_id'] + "." + "service" + # Display this "systemd" execution managment command + config.pki_log.info( + log.PKIHELPER_SYSTEMD_COMMAND_1, command, + extra=config.PKI_INDENTATION_LEVEL_2) + if not config.pki_dry_run_flag: + # Execute this "systemd" execution management command + subprocess.call(command, shell=True) + except subprocess.CalledProcessError as exc: + config.pki_log.error(log.PKI_SUBPROCESS_ERROR_1, exc, + extra=config.PKI_INDENTATION_LEVEL_2) + if critical_failure == True: + sys.exit(1) + return + + def stop(self, critical_failure=True): + try: + # Compose this "systemd" execution management command + if master['pki_subsystem'] in config.PKI_APACHE_SUBSYSTEMS: + command = "systemctl" + " " +\ + "stop" + " " +\ + "pki-apached" + "@" +\ + master['pki_instance_id'] + "." + "service" + elif master['pki_subsystem'] in config.PKI_TOMCAT_SUBSYSTEMS: + command = "systemctl" + " " +\ + "stop" + " " +\ + "pki-tomcatd" + "@" +\ + master['pki_instance_id'] + "." 
+ "service" + # Display this "systemd" execution managment command + config.pki_log.info( + log.PKIHELPER_SYSTEMD_COMMAND_1, command, + extra=config.PKI_INDENTATION_LEVEL_2) + if not config.pki_dry_run_flag: + # Execute this "systemd" execution management command + subprocess.call(command, shell=True) + except subprocess.CalledProcessError as exc: + config.pki_log.error(log.PKI_SUBPROCESS_ERROR_1, exc, + extra=config.PKI_INDENTATION_LEVEL_2) + if critical_failure == True: + sys.exit(1) + return + + def restart(self, critical_failure=True): + try: + # Compose this "systemd" execution management command + if master['pki_subsystem'] in config.PKI_APACHE_SUBSYSTEMS: + command = "systemctl" + " " +\ + "restart" + " " +\ + "pki-apached" + "@" +\ + master['pki_instance_id'] + "." + "service" + elif master['pki_subsystem'] in config.PKI_TOMCAT_SUBSYSTEMS: + command = "systemctl" + " " +\ + "restart" + " " +\ + "pki-tomcatd" + "@" +\ + master['pki_instance_id'] + "." + "service" + # Display this "systemd" execution managment command + config.pki_log.info( + log.PKIHELPER_SYSTEMD_COMMAND_1, command, + extra=config.PKI_INDENTATION_LEVEL_2) + if not config.pki_dry_run_flag: + # Execute this "systemd" execution management command + subprocess.call(command, shell=True) + except subprocess.CalledProcessError as exc: + config.pki_log.error(log.PKI_SUBPROCESS_ERROR_1, exc, + extra=config.PKI_INDENTATION_LEVEL_2) + if critical_failure == True: + sys.exit(1) + return + + # PKI Deployment 'jython' Class class jython: def invoke(self, scriptlet, critical_failure=True): @@ -1681,6 +2010,8 @@ class jython: # PKI Deployment Helper Class Instances identity = identity() +configuration_file = configuration_file() +#xml_file = xml_file() instance = instance() directory = directory() file = file() @@ -1688,4 +2019,5 @@ symlink = symlink() war = war() password = password() certutil = certutil() +systemd = systemd() jython = jython() 
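Review bot: In `systemd.start`/`stop`/`restart`, `subprocess.call(command, shell=True)` never raises `CalledProcessError`, so the `except` arm and the `critical_failure` parameter are dead code: a `systemctl` that exits non-zero is logged nowhere and the scriptlet reports success. The three methods are identical apart from the verb, and when `pki_subsystem` is in neither list `command` is never assigned, so the `config.pki_log.info(...)` line raises `UnboundLocalError` inside the `try`, which that `except` does not catch. One private helper that builds an argv list (no `shell=True`, so `pki_instance_id` is never shell-interpreted) and checks the exit status fixes all three; sketch below, with the public methods reduced to one-line wrappers.
```python
class systemd:
    def __execute(self, action, critical_failure=True):
        # Compose this "systemd" execution management command as an argv list
        if master['pki_subsystem'] in config.PKI_APACHE_SUBSYSTEMS:
            unit = "pki-apached@" + master['pki_instance_id'] + ".service"
        elif master['pki_subsystem'] in config.PKI_TOMCAT_SUBSYSTEMS:
            unit = "pki-tomcatd@" + master['pki_instance_id'] + ".service"
        else:
            # TODO(review): decide whether an unknown subsystem type is an error here
            return
        command = ["systemctl", action, unit]
        # Display this "systemd" execution management command
        config.pki_log.info(log.PKIHELPER_SYSTEMD_COMMAND_1, " ".join(command),
                            extra=config.PKI_INDENTATION_LEVEL_2)
        if not config.pki_dry_run_flag:
            try:
                # check_call raises on a non-zero exit; OSError if systemctl is absent
                subprocess.check_call(command)
            except (subprocess.CalledProcessError, OSError) as exc:
                config.pki_log.error(log.PKI_SUBPROCESS_ERROR_1, exc,
                                     extra=config.PKI_INDENTATION_LEVEL_2)
                if critical_failure:
                    sys.exit(1)

    def start(self, critical_failure=True):
        self.__execute("start", critical_failure)

    def stop(self, critical_failure=True):
        self.__execute("stop", critical_failure)

    def restart(self, critical_failure=True):
        self.__execute("restart", critical_failure)
```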
diff --git a/base/deploy/src/scriptlets/pkijython.py b/base/deploy/src/scriptlets/pkijython.py index 9c8765a80..800826635 100644 --- a/base/deploy/src/scriptlets/pkijython.py +++ b/base/deploy/src/scriptlets/pkijython.py @@ -5,6 +5,7 @@ from java.io import BufferedReader from java.io import ByteArrayInputStream from java.io import FileReader from java.io import IOException +from java.lang import Integer from java.lang import String as javastring from java.lang import System as javasystem from java.net import URISyntaxException @@ -18,6 +19,7 @@ import jarray # System Python Imports +import ConfigParser import os import sys pki_python_module_path = os.path.join(sys.prefix, @@ -79,10 +81,15 @@ class classPathHacker: jarLoad = classPathHacker() # Webserver Jars jarLoad.addFile("/usr/share/java/httpcomponents/httpclient.jar") +jarLoad.addFile("/usr/share/java/httpcomponents/httpcore.jar") jarLoad.addFile("/usr/share/java/apache-commons-cli.jar") +jarLoad.addFile("/usr/share/java/apache-commons-codec.jar") +jarLoad.addFile("/usr/share/java/apache-commons-logging.jar") +jarLoad.addFile("/usr/share/java/istack-commons-runtime.jar") # Resteasy Jars jarLoad.addFile("/usr/share/java/glassfish-jaxb/jaxb-impl.jar") jarLoad.addFile("/usr/share/java/resteasy/jaxrs-api.jar") +jarLoad.addFile("/usr/share/java/resteasy/resteasy-atom-provider.jar") jarLoad.addFile("/usr/share/java/resteasy/resteasy-jaxb-provider.jar") jarLoad.addFile("/usr/share/java/resteasy/resteasy-jaxrs.jar") jarLoad.addFile("/usr/share/java/resteasy/resteasy-jettison-provider.jar") 
@@ -145,6 +152,63 @@ import pkiconfig as config import pkimessages as log +# PKI Deployment Jython Helper Functions +def extract_sensitive_data(configuration_file): + "Read 'sensitive' configuration file section into a dictionary" + try: + parser = ConfigParser.ConfigParser() + # Make keys case-sensitive! + parser.optionxform = str + parser.read(configuration_file) + # return dict(parser._sections['Sensitive']) + dictionary = {} + for option in parser.options('Sensitive'): + dictionary[option] = parser.get('Sensitive', option) + return dictionary + except ConfigParser.ParsingError, err: + javasystem.out.println(log.PKI_JYTHON_EXCEPTION_PARSER + " '" +\ + configuration_file + "': " + str(err)) + javasystem.exit(1) + +def generateCRMFRequest(token, keysize, subjectdn, dualkey): + kg = token.getKeyPairGenerator(KeyPairAlgorithm.RSA) + x = Integer(keysize) + key_len = x.intValue() + kg.initialize(key_len) + # 1st key pair + pair = kg.genKeyPair() + # create CRMF + certTemplate = CertTemplate() + certTemplate.setVersion(INTEGER(2)) + if not subjectdn is None: + name = X500Name(subjectdn) + cs = ByteArrayInputStream(name.getEncoded()) + n = Name.getTemplate().decode(cs) + certTemplate.setSubject(n) + certTemplate.setPublicKey(SubjectPublicKeyInfo(pair.getPublic())) + seq = SEQUENCE() + certReq = CertRequest(INTEGER(1), certTemplate, seq) + popdata = jarray.array([0x0,0x3,0x0], 'b') + pop = ProofOfPossession.createKeyEncipherment( + POPOPrivKey.createThisMessage(BIT_STRING(popdata, 3))) + crmfMsg = CertReqMsg(certReq, pop, None) + s1 = SEQUENCE() + # 1st : Encryption key + s1.addElement(crmfMsg) + # 2nd : Signing Key + if dualkey: + javasystem.out.println(log.PKI_JYTHON_IS_DUALKEY) + seq1 = SEQUENCE() + certReqSigning = CertRequest(INTEGER(1), certTemplate, seq1) + signingMsg = CertReqMsg(certReqSigning, pop, None) + s1.addElement(signingMsg) + encoded = jarray.array(ASN1Util.encode(s1), 'b') + # encoder = BASE64Encoder() + # Req1 = encoder.encodeBuffer(encoded) + Req1 = 
Utils.base64encode(encoded) + return Req1 + + # PKI Deployment 'security databases' Class class security_databases: def initialize_token(self, pki_database_path, pki_dry_run_flag, log_level): @@ -160,11 +224,13 @@ class security_databases: # it is ok if it is already initialized pass except Exception, e: - javasystem.out.println("INITIALIZATION ERROR: " + str(e)) + javasystem.out.println(log.PKI_JYTHON_INITIALIZATION_ERROR +\ + " " + str(e)) javasystem.exit(1) def log_into_token(self, pki_database_path, password_conf, pki_dry_run_flag, log_level): + token = None try: if log_level >= config.PKI_JYTHON_INFO_LOG_LEVEL: print "%s %s '%s'" %\ @@ -174,10 +240,10 @@ class security_databases: if not pki_dry_run_flag: manager = CryptoManager.getInstance() token = manager.getInternalKeyStorageToken() - # Retrieve 'token_pwd' from 'password_conf' + # Retrieve 'password' from client-side 'password_conf' # # NOTE: For now, ONLY read the first line - # (which contains the password) + # (which contains "password") # fd = open(password_conf, "r") token_pwd = fd.readline() 
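Review bot: The dual-key branch of generateCRMFRequest never creates a second key pair: `certReqSigning = CertRequest(INTEGER(1), certTemplate, seq1)` reuses the same certTemplate (and so the single public key from the one `kg.genKeyPair()` call) and the same request id, so the "signing" request is a duplicate of the "encryption" request, which the `# 1st key pair` comment suggests was not the intent — a second `genKeyPair()` and a second CertTemplate belong in that branch. The proof of possession is a constant placeholder (`popdata = jarray.array([0x0,0x3,0x0], 'b')`) rather than a signature by the generated private key, so the issuing side must be known to accept it; a comment such as `# NOTE: placeholder POP, not a real proof of possession -- the server must not rely on it` would save the next reader that investigation. `if dualkey:` is a truthiness test, and the callers added later in this diff pass the strings "true"/"false", so "false" also selects the dual-key path; compare a real boolean instead (`config.str2bool(dualkey)` is already the convention in this file). Separately, extract_sensitive_data catches only ParsingError, so a deployment file without a `[Sensitive]` section dies with a raw NoSectionError traceback instead of the PKI_JYTHON_EXCEPTION_PARSER message.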
@@ -188,13 +254,364 @@ class security_databases: try: token.login(password) except Exception, e: - javasystem.out.println("login Exception: " + str(e)) + javasystem.out.println(log.PKI_JYTHON_LOGIN_EXCEPTION +\ + " " + str(e)) if not token.isLoggedIn(): token.initPassword(password, password) + javasystem.exit(1) except Exception, e: - javasystem.out.println("Exception in logging into token: " +\ - str(e)) + javasystem.out.println(log.PKI_JYTHON_TOKEN_LOGIN_EXCEPTION +\ + " " + str(e)) javasystem.exit(1) + return token + + +# PKI Deployment 'REST Client' Class +class rest_client: + client = None + + def initialize(self, base_uri, pki_dry_run_flag, log_level): + try: + if log_level >= config.PKI_JYTHON_INFO_LOG_LEVEL: + print "%s %s '%s'" %\ + (log.PKI_JYTHON_INDENTATION_2, + log.PKI_JYTHON_INITIALIZING_REST_CLIENT, + base_uri) + if not pki_dry_run_flag: + self.client = ConfigurationRESTClient(base_uri, None) + return self.client + except URISyntaxException, e: + e.printStackTrace() + javasystem.exit(1) + + def construct_pki_configuration_data(self, master, token): + data = None + if master['pki_jython_log_level'] >= config.PKI_JYTHON_INFO_LOG_LEVEL: + print "%s %s '%s'" %\ + (log.PKI_JYTHON_INDENTATION_2, + log.PKI_JYTHON_CONSTRUCTING_PKI_DATA, + master['pki_subsystem']) + if not master['pki_dry_run_flag']: + sensitive = extract_sensitive_data(master['pki_deployment_cfg']) + data = ConfigurationData() + # Miscellaneous Configuration Information + data.setPin(master['pki_one_time_pin']) + data.setToken(ConfigurationData.TOKEN_DEFAULT) + if master['pki_instance_type'] == "Tomcat": + if master['pki_subsystem'] == "CA": + if config.str2bool(master['pki_clone']): + # Cloned CA + data.setHierarchy("root") + data.setIsClone("true") + data.setSubsystemName("Cloned CA Subsystem") + elif config.str2bool(master['pki_external']): + # External CA + data.setHierarchy("join") + data.setIsClone("false") + data.setSubsystemName("External CA Subsystem") + elif 
config.str2bool(master['pki_subordinate']): + # Subordinate CA + data.setHierarchy("join") + data.setIsClone("false") + data.setSubsystemName("Subordinate CA Subsystem") + else: + # PKI CA + data.setHierarchy("root") + data.setIsClone("false") + data.setSubsystemName("PKI CA Subsystem") + elif master['pki_subsystem'] == "KRA": + if config.str2bool(master['pki_clone']): + # Cloned KRA + data.setIsClone("true") + data.setSubsystemName("Cloned KRA Subsystem") + else: + # PKI KRA + data.setIsClone("false") + data.setSubsystemName("PKI KRA Subsystem") + elif master['pki_subsystem'] == "OCSP": + if config.str2bool(master['pki_clone']): + # Cloned OCSP + data.setIsClone("true") + data.setSubsystemName("Cloned OCSP Subsystem") + else: + # PKI OCSP + data.setIsClone("false") + data.setSubsystemName("PKI OCSP Subsystem") + elif master['pki_subsystem'] == "TKS": + if config.str2bool(master['pki_clone']): + # Cloned TKS + data.setIsClone("true") + data.setSubsystemName("Cloned TKS Subsystem") + else: + # PKI TKS + data.setIsClone("false") + data.setSubsystemName("PKI TKS Subsystem") + # Security Domain Information + if master['pki_instance_type'] == "Tomcat": + if master['pki_subsystem'] == "CA": + if config.str2bool(master['pki_external']): + # External CA + data.setSecurityDomainType( + ConfigurationData.NEW_DOMAIN) + data.setSecurityDomainName( + master['pki_security_domain_name']) + elif not config.str2bool(master['pki_clone']) and\ + not config.str2bool(master['pki_subordinate']): + # PKI CA + data.setSecurityDomainType( + ConfigurationData.NEW_DOMAIN) + data.setSecurityDomainName( + master['pki_security_domain_name']) + else: + # PKI Cloned or Subordinate CA + data.setSecurityDomainType( + ConfigurationData.EXISTING_DOMAIN) + data.setSecurityDomainUri( + master['pki_security_domain_uri']) + data.setSecurityDomainUser( + master['pki_security_domain_user']) + data.setSecurityDomainPassword( + sensitive['pki_security_domain_password']) + else: + # PKI KRA, OCSP, or TKS + 
data.setSecurityDomainType( + ConfigurationData.EXISTING_DOMAIN) + data.setSecurityDomainUri( + master['pki_security_domain_uri']) + data.setSecurityDomainUser( + master['pki_security_domain_user']) + data.setSecurityDomainPassword( + sensitive['pki_security_domain_password']) + # Directory Server Information + if master['pki_subsystem'] != "RA": + data.setDsHost(master['pki_ds_hostname']) + data.setDsPort(master['pki_ds_http_port']) + data.setBaseDN(master['pki_ds_base_dn']) + data.setBindDN(master['pki_ds_bind_dn']) + data.setDatabase(master['pki_ds_database']) + data.setBindpwd(sensitive['pki_ds_password']) + if config.str2bool(master['pki_ds_remove_data']): + data.setRemoveData("true") + else: + data.setRemoveData("false") + if config.str2bool(master['pki_ds_secure_connection']): + data.setSecureConn("true") + else: + data.setSecureConn("false") + # Backup Information + if master['pki_instance_type'] == "Tomcat": + if config.str2bool(master['pki_backup_keys']): + data.setBackupKeys("true") + data.setBackupFile(master['pki_backup_file']) + data.setBackupPassword( + sensitive['pki_backup_password']) + else: + data.setBackupKeys("false") + # Admin Information + if master['pki_instance_type'] == "Tomcat": + if not config.str2bool(master['pki_clone']): + data.setAdminEmail(master['pki_admin_email']) + data.setAdminName(master['pki_admin_name']) + data.setAdminPassword(sensitive['pki_admin_password']) + data.setAdminProfileID(master['pki_admin_profile_id']) + data.setAdminUID(master['pki_admin_uid']) + data.setAdminSubjectDN(master['pki_admin_subject_dn']) + if master['pki_admin_cert_request_type'] == "crmf": + data.setAdminCertRequestType("crmf") + if config.str2bool(master['pki_admin_dualkey']): + crmf_request = generateCRMFRequest( + token, + master['pki_admin_keysize'], + master['pki_admin_subject_dn'], + "true") + else: + crmf_request = generateCRMFRequest( + token, + master['pki_admin_keysize'], + master['pki_admin_subject_dn'], + "false") + 
data.setAdminCertRequest(crmf_request) + else: + javasystem.out.println(log.PKI_JYTHON_CRMF_SUPPORT_ONLY) + javasystem.exit(1) + # Create system certs + systemCerts = ArrayList() + # Create 'CA Signing Certificate' + if master['pki_instance_type'] == "Tomcat": + if not config.str2bool(master['pki_clone']): + if master['pki_subsystem'] == "CA": + # External CA, Subordinate CA, or PKI CA + cert1 = CertData() + cert1.setTag(master['pki_ca_signing_tag']) + cert1.setKeyAlgorithm( + master['pki_ca_signing_key_algorithm']) + cert1.setKeySize(master['pki_ca_signing_key_size']) + cert1.setKeyType(master['pki_ca_signing_key_type']) + cert1.setNickname(master['pki_ca_signing_nickname']) + cert1.setSigningAlgorithm( + master['pki_ca_signing_signing_algorithm']) + cert1.setSubjectDN(master['pki_ca_signing_subject_dn']) + cert1.setToken(master['pki_ca_signing_token']) + systemCerts.add(cert1) + # Create 'OCSP Signing Certificate' + if master['pki_instance_type'] == "Tomcat": + if not config.str2bool(master['pki_clone']): + if master['pki_subsystem'] == "CA" or\ + master['pki_subsystem'] == "OCSP": + # External CA, Subordinate CA, PKI CA, or PKI OCSP + cert2 = CertData() + cert2.setTag(master['pki_ocsp_signing_tag']) + cert2.setKeyAlgorithm( + master['pki_ocsp_signing_key_algorithm']) + cert2.setKeySize(master['pki_ocsp_signing_key_size']) + cert2.setKeyType(master['pki_ocsp_signing_key_type']) + cert2.setNickname(master['pki_ocsp_signing_nickname']) + cert2.setSigningAlgorithm( + master['pki_ocsp_signing_signing_algorithm']) + cert2.setSubjectDN( + master['pki_ocsp_signing_subject_dn']) + cert2.setToken(master['pki_ocsp_signing_token']) + systemCerts.add(cert2) + # Create 'SSL Server Certificate' + # PKI RA, PKI TPS, + # PKI CA, PKI KRA, PKI OCSP, PKI TKS, + # PKI CA CLONE, PKI KRA CLONE, PKI OCSP CLONE, PKI TKS CLONE, + # External CA, or Subordinate CA + cert3 = CertData() + cert3.setTag(master['pki_ssl_server_tag']) + 
cert3.setKeyAlgorithm(master['pki_ssl_server_key_algorithm']) + cert3.setKeySize(master['pki_ssl_server_key_size']) + cert3.setKeyType(master['pki_ssl_server_key_type']) + cert3.setNickname(master['pki_ssl_server_nickname']) + cert3.setSubjectDN(master['pki_ssl_server_subject_dn']) + cert3.setToken(master['pki_ssl_server_token']) + systemCerts.add(cert3) + # Create 'Subsystem Certificate' + if master['pki_instance_type'] == "Apache": + # PKI RA or PKI TPS + cert4 = CertData() + cert4.setTag(master['pki_subsystem_tag']) + cert4.setKeyAlgorithm(master['pki_subsystem_key_algorithm']) + cert4.setKeySize(master['pki_subsystem_key_size']) + cert4.setKeyType(master['pki_subsystem_key_type']) + cert4.setNickname(master['pki_subsystem_nickname']) + cert4.setSubjectDN(master['pki_subsystem_subject_dn']) + cert4.setToken(master['pki_subsystem_token']) + systemCerts.add(cert4) + elif master['pki_instance_type'] == "Tomcat": + if not config.str2bool(master['pki_clone']): + # PKI CA, PKI KRA, PKI OCSP, PKI TKS, + # External CA, or Subordinate CA + cert4 = CertData() + cert4.setTag(master['pki_subsystem_tag']) + cert4.setKeyAlgorithm(master['pki_subsystem_key_algorithm']) + cert4.setKeySize(master['pki_subsystem_key_size']) + cert4.setKeyType(master['pki_subsystem_key_type']) + cert4.setNickname(master['pki_subsystem_nickname']) + cert4.setSubjectDN(master['pki_subsystem_subject_dn']) + cert4.setToken(master['pki_subsystem_token']) + systemCerts.add(cert4) + # Create 'Audit Signing Certificate' + if master['pki_instance_type'] == "Apache": + if master['pki_subsystem'] != "RA": + # PKI TPS + cert5 = CertData() + cert5.setTag(master['pki_audit_signing_tag']) + cert5.setKeyAlgorithm( + master['pki_audit_signing_key_algorithm']) + cert5.setKeySize(master['pki_audit_signing_key_size']) + cert5.setKeyType(master['pki_audit_signing_key_type']) + cert5.setNickname(master['pki_audit_signing_nickname']) + cert5.setKeyAlgorithm( + master['pki_audit_signing_signing_algorithm']) + 
cert5.setSubjectDN(master['pki_audit_signing_subject_dn']) + cert5.setToken(master['pki_audit_signing_token']) + systemCerts.add(cert5) + elif master['pki_instance_type'] == "Tomcat": + if not config.str2bool(master['pki_clone']): + # PKI CA, PKI KRA, PKI OCSP, PKI TKS, + # External CA, or Subordinate CA + cert5 = CertData() + cert5.setTag(master['pki_audit_signing_tag']) + cert5.setKeyAlgorithm( + master['pki_audit_signing_key_algorithm']) + cert5.setKeySize(master['pki_audit_signing_key_size']) + cert5.setKeyType(master['pki_audit_signing_key_type']) + cert5.setNickname(master['pki_audit_signing_nickname']) + cert5.setKeyAlgorithm( + master['pki_audit_signing_signing_algorithm']) + cert5.setSubjectDN(master['pki_audit_signing_subject_dn']) + cert5.setToken(master['pki_audit_signing_token']) + systemCerts.add(cert5) + # Create 'DRM Transport Certificate' + if master['pki_instance_type'] == "Tomcat": + if not config.str2bool(master['pki_clone']): + if master['pki_subsystem'] == "KRA": + # PKI KRA + cert6 = CertData() + cert6.setTag(master['pki_transport_tag']) + cert6.setKeyAlgorithm( + master['pki_transport_key_algorithm']) + cert6.setKeySize(master['pki_transport_key_size']) + cert6.setKeyType(master['pki_transport_key_type']) + cert6.setNickname(master['pki_transport_nickname']) + cert6.setKeyAlgorithm( + master['pki_transport_signing_algorithm']) + cert6.setSubjectDN(master['pki_transport_subject_dn']) + cert6.setToken(master['pki_transport_token']) + systemCerts.add(cert6) + # Create 'DRM Storage Certificate' + if master['pki_instance_type'] == "Tomcat": + if not config.str2bool(master['pki_clone']): + if master['pki_subsystem'] == "KRA": + # PKI KRA + cert7 = CertData() + cert7.setTag(master['pki_storage_tag']) + cert7.setKeyAlgorithm( + master['pki_storage_key_algorithm']) + cert7.setKeySize(master['pki_storage_key_size']) + cert7.setKeyType(master['pki_storage_key_type']) + cert7.setNickname(master['pki_storage_nickname']) + cert7.setKeyAlgorithm( + 
master['pki_storage_signing_algorithm']) + cert7.setSubjectDN(master['pki_storage_subject_dn']) + cert7.setToken(master['pki_storage_token']) + systemCerts.add(cert7) + # Create system certs + data.setSystemCerts(systemCerts) + return data + + def configure_pki_data(self, data, pki_subsystem, pki_dry_run_flag, + log_level): + if log_level >= config.PKI_JYTHON_INFO_LOG_LEVEL: + print "%s %s '%s'" %\ + (log.PKI_JYTHON_INDENTATION_2, + log.PKI_JYTHON_CONFIGURING_PKI_DATA, + pki_subsystem) + if not pki_dry_run_flag: + try: + response = self.client.configure(data) + javasystem.out.println(log.PKI_JYTHON_RESPONSE_STATUS +\ + " " + response.getStatus()) + javasystem.out.println(log.PKI_JYTHON_RESPONSE_ADMIN_CERT +\ + " " + response.getAdminCert().getCert()) + certs = response.getSystemCerts() + iterator = certs.iterator() + while iterator.hasNext(): + cdata = iterator.next() + javasystem.out.println(log.PKI_JYTHON_CDATA_TAG + " " +\ + cdata.getTag()) + javasystem.out.println(log.PKI_JYTHON_CDATA_CERT + " " +\ + cdata.getCert()) + javasystem.out.println(log.PKI_JYTHON_CDATA_REQUEST + " " +\ + cdata.getRequest()) + except Exception, e: + javasystem.out.println( + log.PKI_JYTHON_JAVA_CONFIGURATION_EXCEPTION + " " + str(e)) + javasystem.exit(1) + return + # PKI Deployment Jython Class Instances security_databases = security_databases() +rest_client = rest_client() diff --git a/base/deploy/src/scriptlets/pkimessages.py b/base/deploy/src/scriptlets/pkimessages.py index 806a64e4d..d7d50a63e 100644 --- a/base/deploy/src/scriptlets/pkimessages.py +++ b/base/deploy/src/scriptlets/pkimessages.py 
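Review bot: In construct_pki_configuration_data the audit-signing, transport and storage certificates (cert5, cert6, cert7) call `setKeyAlgorithm` twice, the second time with the `*_signing_algorithm` value, so the key algorithm is silently overwritten and `setSigningAlgorithm` is never called for those three certs, whereas cert1/cert2 correctly use `cert1.setSigningAlgorithm(master['pki_ca_signing_signing_algorithm'])`; each second call should read `cert5.setSigningAlgorithm(master['pki_audit_signing_signing_algorithm'])` (and likewise for cert6 and cert7). The generateCRMFRequest calls pass the strings "true"/"false" as dualkey while the function tests `if dualkey:`, so the single-key case still takes the dual-key path; pass the boolean from `config.str2bool(master['pki_admin_dualkey'])` instead of a string. `data.setDsPort(master['pki_ds_http_port'])` is sent even when `pki_ds_secure_connection` is true; if the server derives the LDAPS port itself that deserves a comment, otherwise a separate port key is needed — it cannot be confirmed from this hunk. Since this object carries the DS bind, admin, backup and security-domain passwords to the servlet, a comment on `ConfigurationRESTClient(base_uri, None)` stating how that channel is authenticated (the second argument is opaque here) would be welcome.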
@@ -20,6 +20,14 @@ # # PKI Deployment Engine Messages +PKI_DICTIONARY_MANDATORY ="\n"\ +"=====================================================\n"\ +" DISPLAY CONTENTS OF PKI MANDATORY DICTIONARY\n"\ +"=====================================================" +PKI_DICTIONARY_OPTIONAL ="\n"\ +"=====================================================\n"\ +" DISPLAY CONTENTS OF PKI OPTIONAL DICTIONARY\n"\ +"=====================================================" PKI_DICTIONARY_COMMON ="\n"\ "=====================================================\n"\ " DISPLAY CONTENTS OF PKI COMMON DICTIONARY\n"\ @@ -40,6 +48,7 @@ PKI_DICTIONARY_WEB_SERVER="\n"\ "=====================================================\n"\ " DISPLAY CONTENTS OF PKI WEB SERVER DICTIONARY\n"\ "=====================================================" +# NEVER print out 'sensitive' data dictionary!!! # PKI Deployment Log Messages @@ -150,10 +159,16 @@ PKIHELPER_CP_P_2 = "cp -p %s %s" PKIHELPER_CP_RP_2 = "cp -rp %s %s" PKIHELPER_CREATE_SECURITY_DATABASES_1 = "executing '%s'" PKIHELPER_DANGLING_SYMLINK_2 = "Dangling symlink '%s'-->'%s'" +PKIHELPER_DICTIONARY_MASTER_MISSING_KEY_1 = "KeyError: Master dictionary "\ + "is missing the key called '%s'!" PKIHELPER_DIRECTORY_IS_EMPTY_1 = "directory '%s' is empty" PKIHELPER_DIRECTORY_IS_NOT_EMPTY_1 = "directory '%s' is NOT empty" PKIHELPER_GID_2 = "GID of '%s' is %s" PKIHELPER_GROUP_1 = "retrieving GID for '%s' . . ." +PKIHELPER_GROUP_ADD_2 = "adding GID '%s' for group '%s' . . ." +PKIHELPER_GROUP_ADD_DEFAULT_2 = "adding default GID '%s' for group '%s' . . ." +PKIHELPER_GROUP_ADD_GID_KEYERROR_1 = "KeyError: pki_gid %s" +PKIHELPER_GROUP_ADD_KEYERROR_1 = "KeyError: pki_group %s" PKIHELPER_INVOKE_JYTHON_3 = "executing 'export %s;"\ "jython %s %s <master_dictionary>'" PKIHELPER_IS_A_DIRECTORY_1 = "'%s' is a directory" 
@@ -165,32 +180,82 @@ PKIHELPER_MKDIR_1 = "mkdir -p %s" PKIHELPER_MODIFY_DIR_1 = "modifying '%s'" PKIHELPER_MODIFY_FILE_1 = "modifying '%s'" PKIHELPER_MODIFY_SYMLINK_1 = "modifying '%s'" +PKIHELPER_MUTUALLY_EXCLUSIVE_CLONE_EXTERNAL_CA = "cloned CAs and external "\ + "CAs MUST be MUTUALLY "\ + "EXCLUSIVE in '%s'" +PKIHELPER_MUTUALLY_EXCLUSIVE_CLONE_EXTERNAL_SUB_CA = "cloned CAs, external "\ + "CAs, and subordinate CAs"\ + "MUST ALL be MUTUALLY "\ + "EXCLUSIVE in '%s'" +PKIHELPER_MUTUALLY_EXCLUSIVE_CLONE_SUB_CA = "cloned CAs and subordinate "\ + "CAs MUST be MUTUALLY "\ + "EXCLUSIVE in '%s'" +PKIHELPER_MUTUALLY_EXCLUSIVE_EXTERNAL_SUB_CA = "external CAs and subordinate "\ + "CAs MUST be MUTUALLY "\ + "EXCLUSIVE in '%s'" PKIHELPER_NOISE_FILE_2 = "generating noise file called '%s' and "\ "filling it with '%d' random bytes" PKIHELPER_PASSWORD_CONF_1 = "generating '%s'" PKIHELPER_PKI_SUBSYSTEM_INSTANCES_2 = "instance '%s' contains '%d' "\ "PKI subsystems" +PKIHELPER_REMOVE_FILTER_SECTION_1 = "removing filter section from '%s'" PKIHELPER_RM_F_1 = "rm -f %s" PKIHELPER_RM_RF_1 = "rm -rf %s" PKIHELPER_RMDIR_1 = "rmdir %s" PKIHELPER_SET_MODE_1 = "setting ownerships, permissions, and acls on '%s'" PKIHELPER_SLOT_SUBSTITUTION_2 = "slot substitution: '%s' ==> '%s'" +PKIHELPER_SYSTEMD_COMMAND_1 = "executing '%s'" PKIHELPER_TOMCAT_INSTANCES_2 = "instance '%s' contains '%d' "\ "Tomcat PKI subsystems" PKIHELPER_TOUCH_1 = "touch %s" PKIHELPER_UID_2 = "UID of '%s' is %s" +PKIHELPER_UNDEFINED_ADMIN_PASSWORD_1 =\ + "A value for 'pki_admin_password' MUST be defined in '%s'" +PKIHELPER_UNDEFINED_BACKUP_PASSWORD_1 =\ + "A value for 'pki_backup_password' MUST be defined in '%s'" +PKIHELPER_UNDEFINED_DS_PASSWORD_1 =\ + "A value for 'pki_ds_password' MUST be defined in '%s'" +PKIHELPER_UNDEFINED_PKCS12_PASSWORD_1 =\ + "A value for 'pki_pkcs12_password' MUST be defined in '%s'" +PKIHELPER_UNDEFINED_SECURITY_DOMAIN_PASSWORD_1 =\ + "A value for 'pki_security_domain_password' MUST be defined in 
'%s'" PKIHELPER_USER_1 = "retrieving UID for '%s' . . ." +PKIHELPER_USER_ADD_2 = "adding UID '%s' for user '%s' . . ." +PKIHELPER_USER_ADD_DEFAULT_2 = "adding default UID '%s' for user '%s' . . ." +PKIHELPER_USER_ADD_KEYERROR_1 = "KeyError: pki_user %s" +PKIHELPER_USER_ADD_UID_KEYERROR_1 = "KeyError: pki_uid %s" # PKI Deployment Jython "Scriptlet" Messages # (MUST contain NO embedded formats since Jython 2.2 does not support logging!) +PKI_JYTHON_CDATA_TAG = "tag:" +PKI_JYTHON_CDATA_CERT = "cert:" +PKI_JYTHON_CDATA_REQUEST = "request:" +PKI_JYTHON_CLONED_PKI_SUBSYSTEM = "Cloned" +PKI_JYTHON_CONFIGURING_PKI_DATA = "configuring PKI configuration data for" +PKI_JYTHON_CONSTRUCTING_PKI_DATA = "constructing PKI configuration data for" +PKI_JYTHON_CRMF_SUPPORT_ONLY = "only the 'crmf' certificate request type "\ + "is currently supported" +PKI_JYTHON_IS_DUALKEY = "dualkey = true" +PKI_JYTHON_EXCEPTION_PARSER = "Problem parsing" +PKI_JYTHON_EXTERNAL_CA = "External" PKI_JYTHON_INDENTATION_0 = "pkispawn : JYTHON " PKI_JYTHON_INDENTATION_1 = "pkispawn : JYTHON ..." PKI_JYTHON_INDENTATION_2 = "pkispawn : JYTHON ......." PKI_JYTHON_INDENTATION_3 = "pkispawn : JYTHON ..........." PKI_JYTHON_INDENTATION_4 = "pkispawn : JYTHON ..............." +PKI_JYTHON_INITIALIZATION_ERROR = "INITIALIZATION ERROR:" +PKI_JYTHON_INITIALIZING_REST_CLIENT = "initializing REST client via" PKI_JYTHON_INITIALIZING_TOKEN = "initializing token located in" +PKI_JYTHON_JAVA_CONFIGURATION_EXCEPTION =\ + "Exception from Java Configuration Servlet:" PKI_JYTHON_LOG_INTO_TOKEN = "logging into token located in" +PKI_JYTHON_LOGIN_EXCEPTION = "login Exception:" +PKI_JYTHON_RESPONSE_ADMIN_CERT = "adminCert:" +PKI_JYTHON_RESPONSE_STATUS = "status:" +PKI_JYTHON_TOKEN_LOGIN_EXCEPTION = "Exception in logging into token:" +PKI_JYTHON_NOT_YET_IMPLEMENTED = "NOT YET IMPLEMENTED" +PKI_JYTHON_SUBORDINATE_CA = "Subordinate" # PKI Deployment "Scriptlet" Messages 
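Review bot: PKIHELPER_MUTUALLY_EXCLUSIVE_CLONE_EXTERNAL_SUB_CA is missing a separator between its second and third fragments: `"CAs, and subordinate CAs"\` followed by `"MUST ALL be MUTUALLY "` renders as "subordinate CAsMUST ALL be"; the second fragment should read `"CAs, and subordinate CAs "\`. The other three MUTUALLY_EXCLUSIVE messages in the same hunk carry the trailing space correctly, which is how the slip shows.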
diff --git a/base/deploy/src/scriptlets/pkiparser.py b/base/deploy/src/scriptlets/pkiparser.py
index 0add192f7..5abfdc064 100644
--- a/base/deploy/src/scriptlets/pkiparser.py
+++ b/base/deploy/src/scriptlets/pkiparser.py
@@ -53,22 +53,18 @@ def process_command_line_arguments(argv):
 required=True, metavar='<subsystem>', help='where <subsystem> is ' 'CA, KRA, OCSP, RA, TKS, or TPS') 
+ if os.path.basename(argv[0]) == 'pkispawn': 
+ mandatory.add_argument('-f', 
+ dest='pkideployment_cfg', action='store', 
+ nargs=1, required=True, metavar='<file>', 
+ help='specifies configuration filename')
 optional = parser.add_argument_group('optional arguments')
 optional.add_argument('--dry_run', dest='pki_dry_run_flag', action='store_true', help='do not actually perform any actions') 
- optional.add_argument('-f', 
- dest='pkideployment_cfg', action='store', 
- nargs=1, metavar='<file>', 
- help='overrides default configuration filename')
 optional.add_argument('-h', '--help', dest='help', action='help', help='show this help message and exit') 
- optional.add_argument('-p', 
- dest='pki_root_prefix', action='store', 
- nargs=1, metavar='<prefix>', 
- help='directory prefix to specify local directory ' 
- '[TEST ONLY]')
 if os.path.basename(argv[0]) == 'pkispawn':
 optional.add_argument('-u', dest='pki_update_flag', action='store_true', 
@@ -98,6 +94,12 @@ def process_command_line_arguments(argv):
 dest='custom_pki_ajp_port', action='store', nargs=1, metavar='<port>', help='AJP port (CA, KRA, OCSP, TKS)') 
+ test = parser.add_argument_group('test arguments') 
+ test.add_argument('-p', 
+ dest='pki_root_prefix', action='store', 
+ nargs=1, metavar='<prefix>', 
+ help='directory prefix to specify local directory ' 
+ '[TEST ONLY]')
 args = parser.parse_args()
 config.pki_subsystem = str(args.pki_subsystem).strip('[\']') 
@@ -187,7 +189,7 @@ def process_command_line_arguments(argv): print parser.print_help() parser.exit(-1); - if not args.pkideployment_cfg is None: + if os.path.basename(argv[0]) == 'pkispawn': config.pkideployment_cfg = str(args.pkideployment_cfg).strip('[\']') elif os.path.basename(argv[0]) == 'pkidestroy': # NOTE: When performing 'pkidestroy', a configuration file must be @@ -258,6 +260,9 @@ def read_pki_configuration_file(): # Make keys case-sensitive! parser.optionxform = str parser.read(config.pkideployment_cfg) + config.pki_sensitive_dict = dict(parser._sections['Sensitive']) + config.pki_mandatory_dict = dict(parser._sections['Mandatory']) + config.pki_optional_dict = dict(parser._sections['Optional']) config.pki_common_dict = dict(parser._sections['Common']) if config.pki_subsystem == "CA": config.pki_web_server_dict = dict(parser._sections['Tomcat']) @@ -278,6 +283,9 @@ def read_pki_configuration_file(): config.pki_web_server_dict = dict(parser._sections['Apache']) config.pki_subsystem_dict = dict(parser._sections['TPS']) # Insert empty record into dictionaries for "pretty print" statements + # NEVER print "sensitive" key value pairs!!! + config.pki_mandatory_dict[0] = None + config.pki_optional_dict[0] = None config.pki_common_dict[0] = None config.pki_web_server_dict[0] = None config.pki_subsystem_dict[0] = None 
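Review bot: The three new lines `config.pki_sensitive_dict = dict(parser._sections['Sensitive'])` (and Mandatory/Optional) index ConfigParser's private `_sections` directly, so a deployment file lacking any of the newly required sections fails with a bare KeyError instead of a message naming the section and file, which sits oddly next to the descriptive PKIHELPER_UNDEFINED_*_PASSWORD_1 messages added elsewhere in this commit; a `parser.has_section('Sensitive')` guard in front of each lookup (or `dict(parser.items(...))`) gives a checkable failure. Since `[Sensitive]` now holds the DS bind, admin, backup and security-domain passwords, this is also the place to refuse, or at least warn about, a group- or world-readable file, e.g. `if os.stat(config.pkideployment_cfg).st_mode & 077:` before `parser.read(...)` — otherwise the passwords are only as protected as whatever mode the operator happened to give the file. read_pki_configuration_file starts outside the hunk.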
@@ -297,13 +305,19 @@ def compose_pki_master_dictionary(): config.pki_certificate_timestamp config.pki_master_dict['pki_architecture'] = config.pki_architecture config.pki_master_dict['pki_hostname'] = config.pki_hostname + config.pki_master_dict['pki_dns_domainname'] =\ + config.pki_dns_domainname config.pki_master_dict['pki_pin'] = config.pki_pin config.pki_master_dict['pki_client_pin'] = config.pki_client_pin config.pki_master_dict['pki_one_time_pin'] = config.pki_one_time_pin config.pki_master_dict['pki_dry_run_flag'] = config.pki_dry_run_flag config.pki_master_dict['pki_jython_log_level'] =\ config.pki_jython_log_level + config.pki_master_dict['pki_deployment_cfg'] = config.pkideployment_cfg # Configuration file name/value pairs + # NEVER add "sensitive" key value pairs to the master dictionary!!! + config.pki_master_dict.update(config.pki_mandatory_dict) + config.pki_master_dict.update(config.pki_optional_dict) config.pki_master_dict.update(config.pki_common_dict) config.pki_master_dict.update(config.pki_web_server_dict) config.pki_master_dict.update(config.pki_subsystem_dict) @@ -357,8 +371,7 @@ def compose_pki_master_dictionary(): # (e. g. Tomcat: "tomcat", "example.com-tomcat") # (e. g. Apache: "apache", "example.com-apache") # - if not config.pki_master_dict['pki_admin_domain_name'] is None and\ - not config.pki_master_dict['pki_admin_domain_name'] is '': + if len(config.pki_master_dict['pki_admin_domain_name']): config.pki_master_dict['pki_instance_id'] =\ config.pki_master_dict['pki_admin_domain_name'] +\ "-" + config.pki_master_dict['pki_instance_name'] @@ -458,6 +471,9 @@ def compose_pki_master_dictionary(): os.path.join(config.PKI_DEPLOYMENT_SOURCE_ROOT, "ca", "emails") + config.pki_master_dict['pki_source_flatfile_txt'] =\ + os.path.join(config.pki_master_dict['pki_source_conf_path'], + "flatfile.txt") config.pki_master_dict['pki_source_profiles'] =\ os.path.join(config.PKI_DEPLOYMENT_SOURCE_ROOT, "ca", 
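Review bot: The new `if len(config.pki_master_dict['pki_admin_domain_name']):` raises TypeError when the value is None, a case the replaced two-line condition handled explicitly; the idiomatic `if config.pki_master_dict['pki_admin_domain_name']:` covers both None and the empty string (and drops the old `is ''` identity comparison, which was itself unreliable). In the -297 hunk the deployment file's path is added to the master dictionary as `pki_deployment_cfg` so that the Jython side can re-read `[Sensitive]` from disk via extract_sensitive_data; a one-line comment there, `# path only -- the sensitive section is re-read by pkijython, never copied into this dictionary`, would make the NEVER-add-sensitive rule just below it easier to keep as the dictionary grows. compose_pki_master_dictionary starts and ends outside these hunks.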
@@ -465,6 +481,43 @@ def compose_pki_master_dictionary(): config.pki_master_dict['pki_source_proxy_conf'] =\ os.path.join(config.pki_master_dict['pki_source_conf_path'], "proxy.conf") + config.pki_master_dict['pki_source_registry_cfg'] =\ + os.path.join(config.pki_master_dict['pki_source_conf_path'], + "registry.cfg") + # '*.profile' + config.pki_master_dict['pki_source_admincert_profile'] =\ + os.path.join(config.pki_master_dict['pki_source_conf_path'], + "adminCert.profile") + config.pki_master_dict['pki_source_caauditsigningcert_profile']\ + = os.path.join( + config.pki_master_dict['pki_source_conf_path'], + "caAuditSigningCert.profile") + config.pki_master_dict['pki_source_cacert_profile'] =\ + os.path.join(config.pki_master_dict['pki_source_conf_path'], + "caCert.profile") + config.pki_master_dict['pki_source_caocspcert_profile'] =\ + os.path.join(config.pki_master_dict['pki_source_conf_path'], + "caOCSPCert.profile") + config.pki_master_dict['pki_source_servercert_profile'] =\ + os.path.join(config.pki_master_dict['pki_source_conf_path'], + "serverCert.profile") + config.pki_master_dict['pki_source_subsystemcert_profile'] =\ + os.path.join(config.pki_master_dict['pki_source_conf_path'], + "subsystemCert.profile") + elif config.pki_master_dict['pki_subsystem'] == "KRA": + # '*.profile' + config.pki_master_dict['pki_source_servercert_profile'] =\ + os.path.join(config.pki_master_dict['pki_source_conf_path'], + "serverCert.profile") + config.pki_master_dict['pki_source_storagecert_profile'] =\ + os.path.join(config.pki_master_dict['pki_source_conf_path'], + "storageCert.profile") + config.pki_master_dict['pki_source_subsystemcert_profile'] =\ + os.path.join(config.pki_master_dict['pki_source_conf_path'], + "subsystemCert.profile") + config.pki_master_dict['pki_source_transportcert_profile'] =\ + os.path.join(config.pki_master_dict['pki_source_conf_path'], + "transportCert.profile") # PKI top-level file system layout name/value pairs # NOTE: Never use 
'os.path.join()' whenever 'pki_root_prefix' # is being prepended!!! @@ -498,12 +551,14 @@ def compose_pki_master_dictionary(): if config.pki_master_dict['pki_subsystem'] in\ config.PKI_APACHE_SUBSYSTEMS: # Apache instance base name/value pairs + config.pki_master_dict['pki_instance_type'] = "Apache" # Apache instance log name/value pairs # Apache instance configuration name/value pairs # Apache instance registry name/value pairs config.pki_master_dict['pki_instance_type_registry_path'] =\ - os.path.join(config.pki_master_dict['pki_registry_path'], - "apache") + os.path.join( + config.pki_master_dict['pki_registry_path'], + config.pki_master_dict['pki_instance_type'].lower()) config.pki_master_dict['pki_instance_registry_path'] =\ os.path.join( config.pki_master_dict['pki_instance_type_registry_path'], @@ -513,12 +568,16 @@ def compose_pki_master_dictionary(): elif config.pki_master_dict['pki_subsystem'] in\ config.PKI_TOMCAT_SUBSYSTEMS: # Tomcat instance base name/value pairs + config.pki_master_dict['pki_instance_type'] = "Tomcat" config.pki_master_dict['pki_tomcat_common_path'] =\ os.path.join(config.pki_master_dict['pki_instance_path'], "common") config.pki_master_dict['pki_tomcat_common_lib_path'] =\ os.path.join(config.pki_master_dict['pki_tomcat_common_path'], "lib") + config.pki_master_dict['pki_tomcat_tmpdir_path'] =\ + os.path.join(config.pki_master_dict['pki_instance_path'], + "temp") config.pki_master_dict['pki_tomcat_webapps_path'] =\ os.path.join(config.pki_master_dict['pki_instance_path'], "webapps") 
@@ -529,28 +588,43 @@ def compose_pki_master_dictionary(): os.path.join( config.pki_master_dict['pki_tomcat_webapps_root_path'], "WEB-INF") - config.pki_master_dict['pki_tomcat_webapps_webinf_path'] =\ - os.path.join(config.pki_master_dict['pki_tomcat_webapps_path'], - "WEB-INF") - config.pki_master_dict['pki_tomcat_webapps_webinf_classes_path'] =\ - os.path.join( - config.pki_master_dict['pki_tomcat_webapps_webinf_path'], - "classes") - config.pki_master_dict['pki_tomcat_webapps_webinf_lib_path'] =\ - os.path.join( - config.pki_master_dict['pki_tomcat_webapps_webinf_path'], - "lib") config.pki_master_dict['pki_tomcat_webapps_root_webinf_web_xml'] =\ os.path.join( config.pki_master_dict\ ['pki_tomcat_webapps_root_webinf_path'], "web.xml") + config.pki_master_dict['pki_tomcat_work_path'] =\ + os.path.join(config.pki_master_dict['pki_instance_path'], + "work") + config.pki_master_dict['pki_tomcat_work_catalina_path'] =\ + os.path.join(config.pki_master_dict['pki_tomcat_work_path'], + "Catalina") + config.pki_master_dict['pki_tomcat_work_catalina_host_path'] =\ + os.path.join( + config.pki_master_dict['pki_tomcat_work_catalina_path'], + "localhost") + config.pki_master_dict['pki_tomcat_work_catalina_host_run_path'] =\ + os.path.join( + config.pki_master_dict\ + ['pki_tomcat_work_catalina_host_path'], + "_") + config.pki_master_dict\ + ['pki_tomcat_work_catalina_host_subsystem_path'] =\ + os.path.join( + config.pki_master_dict\ + ['pki_tomcat_work_catalina_host_path'], + config.pki_master_dict['pki_subsystem'].lower()) # Tomcat instance log name/value pairs # Tomcat instance configuration name/value pairs + config.pki_master_dict['pki_instance_log4j_properties'] =\ + os.path.join( + config.pki_master_dict['pki_instance_configuration_path'], + "log4j.properties") # Tomcat instance registry name/value pairs config.pki_master_dict['pki_instance_type_registry_path'] =\ - os.path.join(config.pki_master_dict['pki_registry_path'], - "tomcat") + os.path.join( + 
config.pki_master_dict['pki_registry_path'], + config.pki_master_dict['pki_instance_type'].lower()) config.pki_master_dict['pki_instance_registry_path'] =\ os.path.join( config.pki_master_dict['pki_instance_type_registry_path'], 
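Review bot: `pki_tomcat_work_catalina_host_path` hard-codes `"localhost"` as the Catalina Host name and `pki_tomcat_work_catalina_host_run_path` hard-codes `"_"`; neither choice is explained, and both silently point at the wrong directory if the generated server.xml ever declares its `<Host>` under another name. A comment such as `# Tomcat keys work/ by Engine/Host; "localhost" must match the Host in our server.xml, and "_" is presumably the work directory Tomcat uses for the ROOT context` would record the coupling. The new `pki_instance_log4j_properties` lives under the instance configuration path while the subsystem-scoped WEB-INF paths removed here reappear later in the commit; a one-line comment on why log4j.properties is instance- rather than subsystem-scoped would help the next reader. The enclosing function continues outside the hunk.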
@@ -562,9 +636,205 @@ def compose_pki_master_dictionary(): config.pki_master_dict['pki_tomcat_lib_link'] =\ os.path.join(config.pki_master_dict['pki_instance_path'], "lib") + config.pki_master_dict['pki_tomcat_lib_log4j_properties_link'] =\ + os.path.join(config.pki_master_dict['pki_tomcat_lib_path'], + "log4j.properties") config.pki_master_dict['pki_instance_systemd_link'] =\ os.path.join(config.pki_master_dict['pki_instance_path'], config.pki_master_dict['pki_instance_id']) + # Tomcat instance common lib jars + if config.pki_master_dict['pki_architecture'] == 64: + config.pki_master_dict['pki_jss_jar'] =\ + os.path.join("/usr/lib64/java", + "jss4.jar") + config.pki_master_dict['pki_symkey_jar'] =\ + os.path.join("/usr/lib64/java", + "symkey.jar") + else: + config.pki_master_dict['pki_jss_jar'] =\ + os.path.join("/usr/lib/java", + "jss4.jar") + config.pki_master_dict['pki_symkey_jar'] =\ + os.path.join("/usr/lib/java", + "symkey.jar") + config.pki_master_dict['pki_apache_commons_collections_jar'] =\ + os.path.join(config.PKI_DEPLOYMENT_JAR_SOURCE_ROOT, + "apache-commons-collections.jar") + config.pki_master_dict['pki_apache_commons_lang_jar'] =\ + os.path.join(config.PKI_DEPLOYMENT_JAR_SOURCE_ROOT, + "apache-commons-lang.jar") + config.pki_master_dict['pki_apache_commons_logging_jar'] =\ + os.path.join(config.PKI_DEPLOYMENT_JAR_SOURCE_ROOT, + "apache-commons-logging.jar") + config.pki_master_dict['pki_commons_codec_jar'] =\ + os.path.join(config.PKI_DEPLOYMENT_JAR_SOURCE_ROOT, + "commons-codec.jar") + config.pki_master_dict['pki_httpclient_jar'] =\ + os.path.join( + config.PKI_DEPLOYMENT_HTTPCOMPONENTS_JAR_SOURCE_ROOT, + "httpclient.jar") + config.pki_master_dict['pki_javassist_jar'] =\ + os.path.join(config.PKI_DEPLOYMENT_JAR_SOURCE_ROOT, + "javassist.jar") + config.pki_master_dict['pki_resteasy_jaxrs_api_jar'] =\ + os.path.join(config.PKI_DEPLOYMENT_RESTEASY_JAR_SOURCE_ROOT, + "jaxrs-api.jar") + config.pki_master_dict['pki_jettison_jar'] =\ + 
os.path.join(config.PKI_DEPLOYMENT_JAR_SOURCE_ROOT, + "jettison.jar") + config.pki_master_dict['pki_ldapjdk_jar'] =\ + os.path.join(config.PKI_DEPLOYMENT_JAR_SOURCE_ROOT, + "ldapjdk.jar") + config.pki_master_dict['pki_certsrv_jar'] =\ + os.path.join(config.PKI_DEPLOYMENT_PKI_JAR_SOURCE_ROOT, + "pki-certsrv.jar") + config.pki_master_dict['pki_cmsbundle'] =\ + os.path.join(config.PKI_DEPLOYMENT_PKI_JAR_SOURCE_ROOT, + "pki-cmsbundle.jar") + config.pki_master_dict['pki_cmscore'] =\ + os.path.join(config.PKI_DEPLOYMENT_PKI_JAR_SOURCE_ROOT, + "pki-cmscore.jar") + config.pki_master_dict['pki_cms'] =\ + os.path.join(config.PKI_DEPLOYMENT_PKI_JAR_SOURCE_ROOT, + "pki-cms.jar") + config.pki_master_dict['pki_cmsutil'] =\ + os.path.join(config.PKI_DEPLOYMENT_PKI_JAR_SOURCE_ROOT, + "pki-cmsutil.jar") + config.pki_master_dict['pki_nsutil'] =\ + os.path.join(config.PKI_DEPLOYMENT_PKI_JAR_SOURCE_ROOT, + "pki-nsutil.jar") + config.pki_master_dict['pki_resteasy_jaxb_provider_jar'] =\ + os.path.join(config.PKI_DEPLOYMENT_RESTEASY_JAR_SOURCE_ROOT, + "resteasy-jaxb-provider.jar") + config.pki_master_dict['pki_resteasy_jaxrs_jar'] =\ + os.path.join(config.PKI_DEPLOYMENT_RESTEASY_JAR_SOURCE_ROOT, + "resteasy-jaxrs.jar") + config.pki_master_dict['pki_resteasy_jettison_provider_jar'] =\ + os.path.join(config.PKI_DEPLOYMENT_RESTEASY_JAR_SOURCE_ROOT, + "resteasy-jettison-provider.jar") + config.pki_master_dict['pki_scannotation_jar'] =\ + os.path.join(config.PKI_DEPLOYMENT_JAR_SOURCE_ROOT, + "scannotation.jar") + config.pki_master_dict['pki_tomcatjss_jar'] =\ + os.path.join(config.PKI_DEPLOYMENT_JAR_SOURCE_ROOT, + "tomcatjss.jar") + config.pki_master_dict['pki_velocity_jar'] =\ + os.path.join(config.PKI_DEPLOYMENT_JAR_SOURCE_ROOT, + "velocity.jar") + config.pki_master_dict['pki_xerces_j2_jar'] =\ + os.path.join(config.PKI_DEPLOYMENT_JAR_SOURCE_ROOT, + "xerces-j2.jar") + config.pki_master_dict['pki_xml_commons_apis_jar'] =\ + os.path.join(config.PKI_DEPLOYMENT_JAR_SOURCE_ROOT, + 
"xml-commons-apis.jar") + config.pki_master_dict['pki_xml_commons_resolver_jar'] =\ + os.path.join(config.PKI_DEPLOYMENT_JAR_SOURCE_ROOT, + "xml-commons-resolver.jar") + # Tomcat instance common lib jar symbolic links + config.pki_master_dict['pki_jss_jar_link'] =\ + os.path.join( + config.pki_master_dict['pki_tomcat_common_lib_path'], + "jss4.jar") + config.pki_master_dict['pki_symkey_jar_link'] =\ + os.path.join( + config.pki_master_dict['pki_tomcat_common_lib_path'], + "symkey.jar") + config.pki_master_dict['pki_apache_commons_collections_jar_link'] =\ + os.path.join( + config.pki_master_dict['pki_tomcat_common_lib_path'], + "apache-commons-collections.jar") + config.pki_master_dict['pki_apache_commons_lang_jar_link'] =\ + os.path.join( + config.pki_master_dict['pki_tomcat_common_lib_path'], + "apache-commons-lang.jar") + config.pki_master_dict['pki_apache_commons_logging_jar_link'] =\ + os.path.join( + config.pki_master_dict['pki_tomcat_common_lib_path'], + "apache-commons-logging.jar") + config.pki_master_dict['pki_commons_codec_jar_link'] =\ + os.path.join( + config.pki_master_dict['pki_tomcat_common_lib_path'], + "apache-commons-codec.jar") + config.pki_master_dict['pki_httpclient_jar_link'] =\ + os.path.join( + config.pki_master_dict['pki_tomcat_common_lib_path'], + "httpclient.jar") + config.pki_master_dict['pki_javassist_jar_link'] =\ + os.path.join( + config.pki_master_dict['pki_tomcat_common_lib_path'], + "javassist.jar") + config.pki_master_dict['pki_resteasy_jaxrs_api_jar_link'] =\ + os.path.join( + config.pki_master_dict['pki_tomcat_common_lib_path'], + "jaxrs-api.jar") + config.pki_master_dict['pki_jettison_jar_link'] =\ + os.path.join( + config.pki_master_dict['pki_tomcat_common_lib_path'], + "jettison.jar") + config.pki_master_dict['pki_ldapjdk_jar_link'] =\ + os.path.join( + config.pki_master_dict['pki_tomcat_common_lib_path'], + "ldapjdk.jar") + config.pki_master_dict['pki_certsrv_jar_link'] =\ + os.path.join( + 
config.pki_master_dict['pki_tomcat_common_lib_path'], + "pki-certsrv.jar") + config.pki_master_dict['pki_cmsbundle_jar_link'] =\ + os.path.join( + config.pki_master_dict['pki_tomcat_common_lib_path'], + "pki-cmsbundle.jar") + config.pki_master_dict['pki_cmscore_jar_link'] =\ + os.path.join( + config.pki_master_dict['pki_tomcat_common_lib_path'], + "pki-cmscore.jar") + config.pki_master_dict['pki_cms_jar_link'] =\ + os.path.join( + config.pki_master_dict['pki_tomcat_common_lib_path'], + "pki-cms.jar") + config.pki_master_dict['pki_cmsutil_jar_link'] =\ + os.path.join( + config.pki_master_dict['pki_tomcat_common_lib_path'], + "pki-cmsutil.jar") + config.pki_master_dict['pki_nsutil_jar_link'] =\ + os.path.join( + config.pki_master_dict['pki_tomcat_common_lib_path'], + "pki-nsutil.jar") + config.pki_master_dict['pki_resteasy_jaxb_provider_jar_link'] =\ + os.path.join( + config.pki_master_dict['pki_tomcat_common_lib_path'], + "resteasy-jaxb-provider.jar") + config.pki_master_dict['pki_resteasy_jaxrs_jar_link'] =\ + os.path.join( + config.pki_master_dict['pki_tomcat_common_lib_path'], + "resteasy-jaxrs.jar") + config.pki_master_dict['pki_resteasy_jettison_provider_jar_link'] =\ + os.path.join( + config.pki_master_dict['pki_tomcat_common_lib_path'], + "resteasy-jettison-provider.jar") + config.pki_master_dict['pki_scannotation_jar_link'] =\ + os.path.join( + config.pki_master_dict['pki_tomcat_common_lib_path'], + "scannotation.jar") + config.pki_master_dict['pki_tomcatjss_jar_link'] =\ + os.path.join( + config.pki_master_dict['pki_tomcat_common_lib_path'], + "tomcatjss.jar") + config.pki_master_dict['pki_velocity_jar_link'] =\ + os.path.join( + config.pki_master_dict['pki_tomcat_common_lib_path'], + "velocity.jar") + config.pki_master_dict['pki_xerces_j2_jar_link'] =\ + os.path.join( + config.pki_master_dict['pki_tomcat_common_lib_path'], + "xerces-j2.jar") + config.pki_master_dict['pki_xml_commons_apis_jar_link'] =\ + os.path.join( + 
config.pki_master_dict['pki_tomcat_common_lib_path'], + "xml-commons-apis.jar") + config.pki_master_dict['pki_xml_commons_resolver_jar_link'] =\ + os.path.join( + config.pki_master_dict['pki_tomcat_common_lib_path'], + "xml-commons-resolver.jar") # Instance layout NSS security database name/value pairs config.pki_master_dict['pki_database_path'] =\ os.path.join( @@ -612,9 +882,6 @@ def compose_pki_master_dictionary(): elif config.pki_master_dict['pki_subsystem'] in\ config.PKI_TOMCAT_SUBSYSTEMS: # Instance-based Tomcat PKI subsystem base name/value pairs - config.pki_master_dict['pki_tomcat_webapps_subsystem_path'] =\ - os.path.join(config.pki_master_dict['pki_tomcat_webapps_path'], - config.pki_master_dict['pki_subsystem'].lower()) if config.pki_master_dict['pki_subsystem'] == "CA": config.pki_master_dict['pki_subsystem_emails_path'] =\ os.path.join(config.pki_master_dict['pki_subsystem_path'], @@ -632,18 +899,6 @@ def compose_pki_master_dictionary(): config.pki_master_dict['pki_subsystem_tomcat_webapps_link'] =\ os.path.join(config.pki_master_dict['pki_subsystem_path'], "webapps") - config.pki_master_dict\ - ['pki_tomcat_webapps_subsystem_webinf_classes_link'] =\ - os.path.join( - config.pki_master_dict['pki_tomcat_webapps_subsystem_path'], - "WEB-INF", - "classes") - config.pki_master_dict\ - ['pki_tomcat_webapps_subsystem_webinf_lib_link'] =\ - os.path.join( - config.pki_master_dict['pki_tomcat_webapps_subsystem_path'], - "WEB-INF", - "lib") # Instance-based Apache/Tomcat PKI subsystem convenience symbolic links config.pki_master_dict['pki_subsystem_database_link'] =\ os.path.join(config.pki_master_dict['pki_subsystem_path'], 
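Review bot: `pki_commons_codec_jar_link` is named `"apache-commons-codec.jar"` while its source `pki_commons_codec_jar` is `"commons-codec.jar"`; every other source/link pair in this hunk shares its basename, so this looks like a typo that would produce a link whose name does not match the jar it resolves to — `"commons-codec.jar")` on the link line restores the pattern. The architecture test `config.pki_master_dict['pki_architecture'] == 64` compares against an int; if the value arrives from the deployment configuration as the string `"64"`, the test is silently false and the 32-bit `/usr/lib/java` jars are used, so the int contract should be stated (or enforced) where `pki_architecture` is set. The two branches differ only in the base directory, so computing one `java_lib_dir` first and joining `jss4.jar`/`symkey.jar` once would halve that block. The enclosing function continues outside the hunk.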
@@ -654,6 +909,78 @@ def compose_pki_master_dictionary(): config.pki_master_dict['pki_subsystem_logs_link'] =\ os.path.join(config.pki_master_dict['pki_subsystem_path'], "logs") + # PKI Target (war file) name/value pairs + if config.pki_master_dict['pki_subsystem'] in\ + config.PKI_TOMCAT_SUBSYSTEMS: + # Tomcat PKI subsystem war file base name/value pairs + config.pki_master_dict['pki_tomcat_webapps_subsystem_path'] =\ + os.path.join(config.pki_master_dict['pki_tomcat_webapps_path'], + config.pki_master_dict['pki_subsystem'].lower()) + config.pki_master_dict\ + ['pki_tomcat_webapps_subsystem_webinf_classes_path'] =\ + os.path.join( + config.pki_master_dict['pki_tomcat_webapps_subsystem_path'], + "WEB-INF", + "classes") + config.pki_master_dict\ + ['pki_tomcat_webapps_subsystem_webinf_lib_path'] =\ + os.path.join( + config.pki_master_dict['pki_tomcat_webapps_subsystem_path'], + "WEB-INF", + "lib") + # Tomcat PKI subsystem war file convenience symbolic links + if config.pki_master_dict['pki_subsystem'] == "CA": + config.pki_master_dict['pki_ca_jar'] =\ + os.path.join(config.PKI_DEPLOYMENT_PKI_JAR_SOURCE_ROOT, + "pki-ca.jar") + # config.pki_master_dict['pki_ca_jar_link'] =\ + # os.path.join( + # config.pki_master_dict\ + # ['pki_tomcat_webapps_subsystem_webinf_lib_path'], + # "pki-ca.jar") + config.pki_master_dict['pki_ca_jar_link'] =\ + os.path.join( + config.pki_master_dict['pki_tomcat_common_lib_path'], + "pki-ca.jar") + elif config.pki_master_dict['pki_subsystem'] == "KRA": + config.pki_master_dict['pki_kra_jar'] =\ + os.path.join(config.PKI_DEPLOYMENT_PKI_JAR_SOURCE_ROOT, + "pki-kra.jar") + # config.pki_master_dict['pki_kra_jar_link'] =\ + # os.path.join( + # config.pki_master_dict\ + # ['pki_tomcat_webapps_subsystem_webinf_lib_path'], + # "pki-kra.jar") + config.pki_master_dict['pki_kra_jar_link'] =\ + os.path.join( + config.pki_master_dict['pki_tomcat_common_lib_path'], + "pki-kra.jar") + elif config.pki_master_dict['pki_subsystem'] == "OCSP": + 
config.pki_master_dict['pki_ocsp_jar'] =\ + os.path.join(config.PKI_DEPLOYMENT_PKI_JAR_SOURCE_ROOT, + "pki-ocsp.jar") + # config.pki_master_dict['pki_ocsp_jar_link'] =\ + # os.path.join( + # config.pki_master_dict\ + # ['pki_tomcat_webapps_subsystem_webinf_lib_path'], + # "pki-ocsp.jar") + config.pki_master_dict['pki_ocsp_jar_link'] =\ + os.path.join( + config.pki_master_dict['pki_tomcat_common_lib_path'], + "pki-ocsp.jar") + elif config.pki_master_dict['pki_subsystem'] == "TKS": + config.pki_master_dict['pki_tks_jar'] =\ + os.path.join(config.PKI_DEPLOYMENT_PKI_JAR_SOURCE_ROOT, + "pki-tks.jar") + # config.pki_master_dict['pki_tks_jar_link'] =\ + # os.path.join( + # config.pki_master_dict\ + # ['pki_tomcat_webapps_subsystem_webinf_lib_path'], + # "pki-tks.jar") + config.pki_master_dict['pki_tks_jar_link'] =\ + os.path.join( + config.pki_master_dict['pki_tomcat_common_lib_path'], + "pki-tks.jar") # PKI Target (slot substitution) name/value pairs config.pki_master_dict['pki_target_cs_cfg'] =\ os.path.join( 
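Review bot: the four subsystem branches build `pki_<subsystem>_jar` and `pki_<subsystem>_jar_link` with bodies that differ only in the lower-cased subsystem name, and each carries the same commented-out alternative that would have linked the jar into `pki_tomcat_webapps_subsystem_webinf_lib_path`. Either delete the dead blocks or replace all four with a single comment stating the decision, e.g. `# subsystem jars are linked into the shared common/lib rather than the webapp's WEB-INF/lib because <reason>`. Linking every subsystem's jar into the shared common/lib also means each webapp in the instance can load the other subsystems' classes; if that is intended it deserves to be said here, since the WEB-INF/lib variant the author left commented out would have kept them per-webapp. The enclosing function continues outside the hunk.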
@@ -699,12 +1026,50 @@ def compose_pki_master_dictionary(): config.pki_master_dict['pki_tomcat_webapps_subsystem_path'], "WEB-INF", "web.xml") + config.pki_master_dict['pki_target_subsystem_web_xml_orig'] =\ + os.path.join( + config.pki_master_dict['pki_tomcat_webapps_subsystem_path'], + "WEB-INF", + "web.xml.orig") # subystem-specific slot substitution name/value pairs if config.pki_master_dict['pki_subsystem'] == "CA": + config.pki_master_dict['pki_target_flatfile_txt'] =\ + os.path.join(config.pki_master_dict\ + ['pki_subsystem_configuration_path'], + "flatfile.txt") config.pki_master_dict['pki_target_proxy_conf'] =\ os.path.join(config.pki_master_dict\ ['pki_subsystem_configuration_path'], "proxy.conf") + config.pki_master_dict['pki_target_registry_cfg'] =\ + os.path.join(config.pki_master_dict\ + ['pki_subsystem_configuration_path'], + "registry.cfg") + # '*.profile' + config.pki_master_dict['pki_target_admincert_profile'] =\ + os.path.join(config.pki_master_dict\ + ['pki_subsystem_configuration_path'], + "adminCert.profile") + config.pki_master_dict['pki_target_caauditsigningcert_profile']\ + = os.path.join(config.pki_master_dict\ + ['pki_subsystem_configuration_path'], + "caAuditSigningCert.profile") + config.pki_master_dict['pki_target_cacert_profile'] =\ + os.path.join(config.pki_master_dict\ + ['pki_subsystem_configuration_path'], + "caCert.profile") + config.pki_master_dict['pki_target_caocspcert_profile'] =\ + os.path.join(config.pki_master_dict\ + ['pki_subsystem_configuration_path'], + "caOCSPCert.profile") + config.pki_master_dict['pki_target_servercert_profile'] =\ + os.path.join(config.pki_master_dict\ + ['pki_subsystem_configuration_path'], + "serverCert.profile") + config.pki_master_dict['pki_target_subsystemcert_profile'] =\ + os.path.join(config.pki_master_dict\ + ['pki_subsystem_configuration_path'], + "subsystemCert.profile") # in-place slot substitution name/value pairs config.pki_master_dict['pki_target_profileselect_template'] =\ 
os.path.join(
@@ -713,6 +1078,24 @@ def compose_pki_master_dictionary():
 "ee",
 config.pki_master_dict['pki_subsystem'].lower(),
 "ProfileSelect.template")
+ elif config.pki_master_dict['pki_subsystem'] == "KRA":
+ # '*.profile'
+ config.pki_master_dict['pki_target_servercert_profile'] =\
+ os.path.join(config.pki_master_dict\
+ ['pki_subsystem_configuration_path'],
+ "serverCert.profile")
+ config.pki_master_dict['pki_target_storagecert_profile'] =\
+ os.path.join(config.pki_master_dict\
+ ['pki_subsystem_configuration_path'],
+ "storageCert.profile")
+ config.pki_master_dict['pki_target_subsystemcert_profile'] =\
+ os.path.join(config.pki_master_dict\
+ ['pki_subsystem_configuration_path'],
+ "subsystemCert.profile")
+ config.pki_master_dict['pki_target_transportcert_profile'] =\
+ os.path.join(config.pki_master_dict\
+ ['pki_subsystem_configuration_path'],
+ "transportCert.profile")
 # Slot assignment name/value pairs
 # NOTE: Master key == Slots key; Master value ==> Slots value
 config.pki_master_dict['PKI_INSTANCE_ID_SLOT'] =\
@@ -830,6 +1213,8 @@ def compose_pki_master_dictionary():
 "tomcat")
 config.pki_master_dict['PKI_PROXY_SECURE_PORT_SLOT'] =\
 config.pki_master_dict['pki_proxy_https_port']
+ config.pki_master_dict['PKI_TMPDIR_SLOT'] =\
+ config.pki_master_dict['pki_tomcat_tmpdir_path']
 config.pki_master_dict['PKI_PROXY_UNSECURE_PORT_SLOT'] =\
 config.pki_master_dict['pki_proxy_http_port']
 config.pki_master_dict['PKI_RANDOM_NUMBER_SLOT'] =\
@@ -846,6 +1231,8 @@ def compose_pki_master_dictionary():
 config.pki_master_dict['pki_security_manager']
 config.pki_master_dict['PKI_SERVER_XML_CONF_SLOT'] =\
 config.pki_master_dict['pki_target_server_xml']
+ config.pki_master_dict['PKI_SUBSYSTEM_DIR_SLOT'] =\
+ config.pki_master_dict['pki_subsystem'].lower() + "/"
 config.pki_master_dict['PKI_SUBSYSTEM_TYPE_SLOT'] =\
 config.pki_master_dict['pki_subsystem'].lower()
 config.pki_master_dict['PKI_SYSTEMD_SERVICENAME_SLOT'] =\
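Review bot: `pki_target_flatfile_txt` names the file that the CA's flatFileAuth plugin reads from the subsystem configuration directory, which presumably holds plaintext UID/password pairs; whatever later copies or slot-substitutes this target should leave it owner-readable only, and that expectation belongs next to the key, e.g. `# flatfile.txt holds FlatFileAuth credentials; the copy step must keep it owner-readable only`. The six `'*.profile'` targets plus `registry.cfg` and `proxy.conf` all repeat the same four-line `os.path.join(config.pki_master_dict['pki_subsystem_configuration_path'], "<name>")`, and the KRA branch at -713 repeats it four more times; a per-subsystem list of basenames looped into `pki_target_<basename.lower()>_*` keys would halve both hunks. The enclosing function continues outside the hunk.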
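Review bot: `PKI_TMPDIR_SLOT` reads `pki_tomcat_tmpdir_path`, which the Tomcat branch at -513 defines but the Apache branch does not; unless this slot block is itself inside a Tomcat-only conditional (the collapsed hunk does not show its nesting), composing the dictionary for an Apache subsystem raises KeyError here. Guarding it, `if 'pki_tomcat_tmpdir_path' in config.pki_master_dict:`, or defining the key for both instance types would keep the two layouts symmetric. The enclosing function continues outside the hunk.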
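Review bot: `PKI_SUBSYSTEM_DIR_SLOT` bakes a trailing `"/"` into the value, presumably because the templates splice it directly ahead of a filename, but nothing here says so and the neighbouring `PKI_SUBSYSTEM_TYPE_SLOT` is the same string without it. A comment such as `# trailing "/" is intentional: templates write "<dir>/[PKI_SUBSYSTEM_DIR]<file>"` would stop the next editor from "fixing" it. The enclosing function continues outside the hunk.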
@@ -924,6 +1311,10 @@ def compose_pki_master_dictionary():
 "+TLS_DHE_RSA_WITH_AES_128_CBC_SHA," +\
 "+TLS_DHE_RSA_WITH_AES_256_CBC_SHA"
 # Shared Apache/Tomcat NSS security database name/value pairs
+ config.pki_master_dict['pki_shared_pfile'] =\
+ os.path.join(
+ config.pki_master_dict['pki_instance_configuration_path'],
+ "pfile")
 config.pki_master_dict['pki_shared_password_conf'] =\
 os.path.join(
 config.pki_master_dict['pki_instance_configuration_path'],
@@ -941,13 +1332,13 @@ def compose_pki_master_dictionary():
 config.pki_master_dict['pki_self_signed_nickname'] =\
 "Server-Cert cert-" + config.pki_master_dict['pki_instance_id']
 config.pki_master_dict['pki_self_signed_subject'] =\
- "CN=" + config.pki_master_dict['pki_hostname'] + "," +\
- "O=" + config.pki_master_dict['pki_certificate_timestamp']
+ "cn=" + config.pki_master_dict['pki_hostname'] + "," +\
+ "o=" + config.pki_master_dict['pki_certificate_timestamp']
 config.pki_master_dict['pki_self_signed_serial_number'] = 0
 config.pki_master_dict['pki_self_signed_validity_period'] = 12
 config.pki_master_dict['pki_self_signed_issuer_name'] =\
- "CN=" + config.pki_master_dict['pki_hostname'] + "," +\
- "O=" + config.pki_master_dict['pki_certificate_timestamp']
+ "cn=" + config.pki_master_dict['pki_hostname'] + "," +\
+ "o=" + config.pki_master_dict['pki_certificate_timestamp']
 config.pki_master_dict['pki_self_signed_trustargs'] = "CTu,CTu,CTu"
 config.pki_master_dict['pki_self_signed_noise_file'] =\
 os.path.join(
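Review bot: `pki_shared_pfile` is added next to `pki_shared_password_conf` under the NSS security database heading, and the name suggests a second file carrying a token password; if so, the key should say what writes it, what reads it, whether it is removed after use, and that it must be created owner-readable only, e.g. `# pfile: presumably the NSS token password file; created/consumed by <step>, keep owner-readable only` with the step filled in. Without that, a reader cannot tell how it differs from password.conf or which of the two is authoritative. The enclosing function continues outside the hunk.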
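Review bot: `pki_self_signed_subject` and `pki_self_signed_issuer_name` are built from the same two-line expression, and this hunk had to apply the `CN=`→`cn=`, `O=`→`o=` change in both places; computing the DN once and assigning it to both keys (`dn = "cn=" + ... ; subject = issuer = dn`) would make the self-signed invariant explicit and prevent the two from drifting. RFC 4514 attribute types are case-insensitive, but if any consumer compares these DNs as plain strings against a stored value, the case change is observable and deserves a note in the commit description. The enclosing function continues outside the hunk.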
@@ -992,10 +1383,778 @@ def compose_pki_master_dictionary(): "pki", "deployment", "configuration.jy") + config.pki_master_dict['pki_jython_base_uri'] =\ + "https" + "://" + config.pki_master_dict['pki_hostname'] + ":" +\ + config.pki_master_dict['pki_https_port'] + "/" +\ + config.pki_master_dict['pki_subsystem'].lower() + "/" + "pki" + # Jython scriptlet + # 'Security Domain' Configuration name/value pairs + # + # Apache - [RA], [TPS] + # Tomcat - [CA], [KRA], [OCSP], [TKS] + # - [CA Clone], [KRA Clone], [OCSP Clone], [TKS Clone] + # - [External CA] + # - [Subordinate CA] + # + # The following variables are defined below: + # + # config.pki_master_dict['pki_security_domain_type'] + # config.pki_master_dict['pki_security_domain_uri'] + # + # The following variables are established via the specified PKI + # deployment configuration file and are NOT redefined below: + # + # config.pki_master_dict['pki_security_domain_https_port'] + # config.pki_master_dict['pki_security_domain_password'] + # config.pki_master_dict['pki_security_domain_user'] + # + # The following variables are established via the specified PKI + # deployment configuration file and potentially overridden below: + # + # config.pki_master_dict['pki_security_domain_hostname'] + # config.pki_master_dict['pki_security_domain_name'] + # + if config.pki_subsystem in config.PKI_TOMCAT_SUBSYSTEMS: + if config.pki_subsystem == "CA": + if config.str2bool(config.pki_master_dict['pki_external']): + # External CA + config.pki_master_dict['pki_security_domain_type'] = "new" + if not len(config.pki_master_dict\ + ['pki_security_domain_name']): + config.pki_master_dict['pki_security_domain_name'] =\ + "External CA Security Domain" + elif not config.str2bool(config.pki_master_dict['pki_clone'])\ + and not\ + config.str2bool(config.pki_master_dict['pki_subordinate']): + # PKI CA + config.pki_master_dict['pki_security_domain_type'] = "new" + if not len(config.pki_master_dict\ + ['pki_security_domain_name']): + 
config.pki_master_dict['pki_security_domain_name'] =\ + config.pki_master_dict['pki_dns_domainname'] +\ + " " + "Security Domain" + else: + # PKI Cloned or Subordinate CA + config.pki_master_dict['pki_security_domain_type'] =\ + "existing" + if not len(config.pki_master_dict\ + ['pki_security_domain_hostname']): + # Guess that it is the local host + config.pki_master_dict['pki_security_domain_hostname']\ + = config.pki_master_dict['pki_hostname'] + config.pki_master_dict['pki_security_domain_uri'] =\ + "https" + "://" +\ + config.pki_master_dict['pki_security_domain_hostname']\ + + ":" + config.pki_security_domain_https_port + else: + # PKI KRA, OCSP, or TKS + config.pki_master_dict['pki_security_domain_type'] = "existing" + if not len(config.pki_master_dict\ + ['pki_security_domain_hostname']): + # Guess that it is the local host + config.pki_master_dict['pki_security_domain_hostname'] =\ + config.pki_master_dict['pki_hostname'] + config.pki_master_dict['pki_security_domain_uri'] =\ + "https" + "://" +\ + config.pki_master_dict['pki_security_domain_hostname'] +\ + ":" +\ + config.pki_master_dict['pki_security_domain_https_port'] + # Jython scriptlet + # 'Directory Server' Configuration name/value pairs + # + # Apache - [TPS] + # Tomcat - [CA], [KRA], [OCSP], [TKS] + # - [CA Clone], [KRA Clone], [OCSP Clone], [TKS Clone] + # - [External CA] + # - [Subordinate CA] + # + # The following variables are established via the specified PKI + # deployment configuration file and are NOT redefined below: + # + # config.pki_master_dict['pki_ds_bind_dn'] + # config.pki_master_dict['pki_ds_http_port'] + # config.pki_master_dict['pki_ds_https_port'] + # config.pki_master_dict['pki_ds_password'] + # config.pki_master_dict['pki_ds_remove_data'] + # config.pki_master_dict['pki_ds_secure_connection'] + # + # The following variables are established via the specified PKI + # deployment configuration file and potentially overridden below: + # + # config.pki_master_dict['pki_ds_base_dn'] 
+ # config.pki_master_dict['pki_ds_database'] + # config.pki_master_dict['pki_ds_hostname'] + # + if not len(config.pki_master_dict['pki_ds_base_dn']): + config.pki_master_dict['pki_ds_base_dn'] =\ + "o=" + config.pki_master_dict['pki_instance_id'] + if not len(config.pki_master_dict['pki_ds_database']): + config.pki_master_dict['pki_ds_database'] =\ + "o=" + config.pki_master_dict['pki_instance_id'] + if not len(config.pki_master_dict['pki_ds_hostname']): + # Guess that the Directory Server resides on the local host + config.pki_master_dict['pki_ds_hostname'] =\ + config.pki_master_dict['pki_hostname'] + # Jython scriptlet + # 'Backup' Configuration name/value pairs + # + # Apache - [RA], [TPS] + # Tomcat - [CA], [KRA], [OCSP], [TKS] + # - [External CA] + # - [Subordinate CA] + # + # The following variables are established via the specified PKI + # deployment configuration file and are NOT redefined below: + # + # config.pki_master_dict['pki_backup_keys'] + # config.pki_master_dict['pki_backup_password'] + # + # The following variables are established via the specified PKI + # deployment configuration file and potentially overridden below: + # + # config.pki_master_dict['pki_backup_file'] + # + if config.str2bool(config.pki_master_dict['pki_backup_keys']): + if not len(config.pki_master_dict['pki_backup_file']): + if config.pki_subsystem in config.PKI_TOMCAT_SUBSYSTEMS: + if not config.str2bool(config.pki_master_dict['pki_clone']): + if config.pki_master_dict['pki_subsystem'] == "CA": + if config.str2bool( + config.pki_master_dict['pki_external']): + # External CA + config.pki_master_dict['pki_backup_file'] =\ + "/tmp" + "/" + "externalca.p12" + "." +\ + config.pki_master_dict['pki_timestamp'] + elif config.str2bool( + config.pki_master_dict['pki_subordinate']): + # Subordinate CA + config.pki_master_dict['pki_backup_file'] =\ + "/tmp" + "/" + "subca.p12" + "." 
+\ + config.pki_master_dict['pki_timestamp'] + else: + # PKI CA + config.pki_master_dict['pki_backup_file'] =\ + "/tmp" + "/" + "ca.p12" + "." +\ + config.pki_master_dict['pki_timestamp'] + elif config.pki_master_dict['pki_subsystem'] == "KRA": + # PKI KRA + config.pki_master_dict['pki_backup_file'] =\ + "/tmp" + "/" + "kra.p12" + "." +\ + config.pki_master_dict['pki_timestamp'] + elif config.pki_master_dict['pki_subsystem'] == "OCSP": + # PKI OCSP + config.pki_master_dict['pki_backup_file'] =\ + "/tmp" + "/" + "ocsp.p12" + "." +\ + config.pki_master_dict['pki_timestamp'] + elif config.pki_master_dict['pki_subsystem'] == "TKS": + # PKI TKS + config.pki_master_dict['pki_backup_file'] =\ + "/tmp" + "/" + "tks.p12" + "." +\ + config.pki_master_dict['pki_timestamp'] + # Jython scriptlet + # 'Admin Certificate' Configuration name/value pairs + # + # Apache - [RA], [TPS] + # Tomcat - [CA], [KRA], [OCSP], [TKS] + # - [External CA] + # - [Subordinate CA] + # + # The following variables are established via the specified PKI + # deployment configuration file and are NOT redefined below: + # + # config.pki_master_dict['pki_admin_cert_request_type'] + # config.pki_master_dict['pki_admin_dualkey'] + # config.pki_master_dict['pki_admin_keysize'] + # config.pki_master_dict['pki_admin_name'] + # config.pki_master_dict['pki_admin_password'] + # config.pki_master_dict['pki_admin_uid'] + # + # The following variables are established via the specified PKI + # deployment configuration file and potentially overridden below: + # + # config.pki_master_dict['pki_admin_email'] + # config.pki_master_dict['pki_admin_subject_dn'] + # + config.pki_master_dict['pki_admin_profile_id'] = "caAdminCert" + if not len(config.pki_master_dict['pki_admin_email']): + config.pki_master_dict['pki_admin_email'] =\ + config.pki_master_dict['pki_admin_name'] + "@" +\ + config.pki_master_dict['pki_dns_domainname'] + if not len(config.pki_master_dict['pki_admin_subject_dn']): + if config.pki_subsystem in 
config.PKI_APACHE_SUBSYSTEMS: + if config.pki_master_dict['pki_subsystem'] == "RA": + # PKI RA + config.pki_master_dict['pki_admin_subject_dn'] =\ + "cn=" + "RA Administrator" + "," +\ + "uid=" + config.pki_master_dict['pki_admin_uid'] +\ + "," + "e=" +\ + config.pki_master_dict['pki_admin_email'] +\ + "," + "o=" +\ + config.pki_master_dict['pki_security_domain_name'] + elif config.pki_master_dict['pki_subsystem'] == "TPS": + # PKI TPS + config.pki_master_dict['pki_admin_subject_dn'] =\ + "cn=" + "TPS Administrator" + "," +\ + "uid=" + config.pki_master_dict['pki_admin_uid'] +\ + "," + "e=" +\ + config.pki_master_dict['pki_admin_email'] +\ + "," + "o=" +\ + config.pki_master_dict['pki_security_domain_name'] + elif config.pki_subsystem in config.PKI_TOMCAT_SUBSYSTEMS: + if not config.str2bool(config.pki_master_dict['pki_clone']): + if config.pki_master_dict['pki_subsystem'] == "CA": + # PKI CA, Subordinate CA, or External CA + config.pki_master_dict['pki_admin_subject_dn'] =\ + "cn=" + "CA Administrator of Instance" + " " +\ + config.pki_master_dict['pki_instance_id'] + "," +\ + "uid=" + config.pki_master_dict['pki_admin_uid'] +\ + "," + "e=" +\ + config.pki_master_dict['pki_admin_email'] +\ + "," + "o=" +\ + config.pki_master_dict['pki_security_domain_name'] + elif config.pki_master_dict['pki_subsystem'] == "KRA": + # PKI KRA + config.pki_master_dict['pki_admin_subject_dn'] =\ + "cn=" + "KRA Administrator of Instance" + " " +\ + config.pki_master_dict['pki_instance_id'] + "," +\ + "uid=" + config.pki_master_dict['pki_admin_uid'] +\ + "," + "e=" +\ + config.pki_master_dict['pki_admin_email'] +\ + "," + "o=" +\ + config.pki_master_dict['pki_security_domain_name'] + elif config.pki_master_dict['pki_subsystem'] == "OCSP": + # PKI OCSP + config.pki_master_dict['pki_admin_subject_dn'] =\ + "cn=" + "OCSP Administrator of Instance" + " " +\ + config.pki_master_dict['pki_instance_id'] + "," +\ + "uid=" + config.pki_master_dict['pki_admin_uid'] +\ + "," + "e=" +\ + 
config.pki_master_dict['pki_admin_email'] +\ + "," + "o=" +\ + config.pki_master_dict['pki_security_domain_name'] + elif config.pki_master_dict['pki_subsystem'] == "TKS": + # PKI TKS + config.pki_master_dict['pki_admin_subject_dn'] =\ + "cn=" + "TKS Administrator of Instance" + " " +\ + config.pki_master_dict['pki_instance_id'] + "," +\ + "uid=" + config.pki_master_dict['pki_admin_uid'] +\ + "," + "e=" +\ + config.pki_master_dict['pki_admin_email'] +\ + "," + "o=" +\ + config.pki_master_dict['pki_security_domain_name'] + # Jython scriptlet + # 'CA Signing Certificate' Configuration name/value pairs + # + # Tomcat - [CA] + # - [External CA] + # - [Subordinate CA] + # + # The following variables are defined below: + # + # config.pki_master_dict['pki_ca_signing_tag'] + # + # The following variables are established via the specified PKI + # deployment configuration file and are NOT redefined below: + # + # config.pki_master_dict['pki_ca_signing_key_algorithm'] + # config.pki_master_dict['pki_ca_signing_key_size'] + # config.pki_master_dict['pki_ca_signing_key_type'] + # config.pki_master_dict['pki_ca_signing_signing_algorithm'] + # + # The following variables are established via the specified PKI + # deployment configuration file and potentially overridden below: + # + # config.pki_master_dict['pki_ca_signing_nickname'] + # config.pki_master_dict['pki_ca_signing_subject_dn'] + # config.pki_master_dict['pki_ca_signing_token'] + # + if config.pki_subsystem in config.PKI_TOMCAT_SUBSYSTEMS: + if not config.str2bool(config.pki_master_dict['pki_clone']): + if config.pki_master_dict['pki_subsystem'] == "CA": + # config.pki_master_dict['pki_ca_signing_nickname'] + if not len(config.pki_master_dict\ + ['pki_ca_signing_nickname']): + config.pki_master_dict['pki_ca_signing_nickname'] =\ + "caSigningCert" + " " + "cert-" +\ + config.pki_master_dict['pki_instance_id'] + # config.pki_master_dict['pki_ca_signing_subject_dn'] + if 
config.str2bool(config.pki_master_dict['pki_external']): + # External CA + if not len(config.pki_master_dict\ + ['pki_ca_signing_subject_dn']): + config.pki_master_dict['pki_ca_signing_subject_dn']\ + = "cn=" + "External CA Signing Certificate" +\ + "," + "o=" +\ + config.pki_master_dict\ + ['pki_security_domain_name'] + elif config.str2bool( + config.pki_master_dict['pki_subordinate']): + # Subordinate CA + if not len(config.pki_master_dict\ + ['pki_ca_signing_subject_dn']): + config.pki_master_dict['pki_ca_signing_subject_dn']\ + = "cn=" + "SubCA Signing Certificate" +\ + "," + "o=" +\ + config.pki_master_dict\ + ['pki_security_domain_name'] + else: + # PKI CA + if not len(config.pki_master_dict\ + ['pki_ca_signing_subject_dn']): + config.pki_master_dict['pki_ca_signing_subject_dn']\ + = "cn=" + "CA Signing Certificate" +\ + "," + "o=" +\ + config.pki_master_dict\ + ['pki_security_domain_name'] + # config.pki_master_dict['pki_ca_signing_tag'] + config.pki_master_dict['pki_ca_signing_tag'] =\ + "signing" + # config.pki_master_dict['pki_ca_signing_token'] + if not len(config.pki_master_dict['pki_ca_signing_token']): + config.pki_master_dict['pki_ca_signing_token'] =\ + "Internal Key Storage Token" + # Jython scriptlet + # 'OCSP Signing Certificate' Configuration name/value pairs + # + # Tomcat - [CA], [OCSP] + # - [External CA] + # - [Subordinate CA] + # + # The following variables are defined below: + # + # config.pki_master_dict['pki_ocsp_signing_tag'] + # + # The following variables are established via the specified PKI + # deployment configuration file and are NOT redefined below: + # + # config.pki_master_dict['pki_ocsp_signing_key_algorithm'] + # config.pki_master_dict['pki_ocsp_signing_key_size'] + # config.pki_master_dict['pki_ocsp_signing_key_type'] + # config.pki_master_dict['pki_ocsp_signing_signing_algorithm'] + # + # The following variables are established via the specified PKI + # deployment configuration file and potentially overridden below: + # + # 
config.pki_master_dict['pki_ocsp_signing_nickname'] + # config.pki_master_dict['pki_ocsp_signing_subject_dn'] + # config.pki_master_dict['pki_ocsp_signing_token'] + # + if config.pki_subsystem in config.PKI_TOMCAT_SUBSYSTEMS: + if not config.str2bool(config.pki_master_dict['pki_clone']): + if config.pki_master_dict['pki_subsystem'] == "CA": + if not len(config.pki_master_dict\ + ['pki_ocsp_signing_nickname']): + config.pki_master_dict['pki_ocsp_signing_nickname'] =\ + "ocspSigningCert" + " " + "cert-" +\ + config.pki_master_dict['pki_instance_id'] + if config.str2bool(config.pki_master_dict['pki_external']): + # External CA + if not len(config.pki_master_dict\ + ['pki_ocsp_signing_subject_dn']): + config.pki_master_dict\ + ['pki_ocsp_signing_subject_dn'] =\ + "cn=" + "External CA OCSP Signing Certificate"\ + + "," + "o=" +\ + config.pki_master_dict\ + ['pki_security_domain_name'] + elif config.str2bool( + config.pki_master_dict['pki_subordinate']): + # Subordinate CA + if not len(config.pki_master_dict\ + ['pki_ocsp_signing_subject_dn']): + config.pki_master_dict\ + ['pki_ocsp_signing_subject_dn'] =\ + "cn=" + "SubCA OCSP Signing Certificate"\ + + "," + "o=" +\ + config.pki_master_dict\ + ['pki_security_domain_name'] + else: + # PKI CA + if not len(config.pki_master_dict\ + ['pki_ocsp_signing_subject_dn']): + config.pki_master_dict\ + ['pki_ocsp_signing_subject_dn'] =\ + "cn=" + "CA OCSP Signing Certificate"\ + + "," + "o=" +\ + config.pki_master_dict\ + ['pki_security_domain_name'] + config.pki_master_dict['pki_ocsp_signing_tag'] =\ + "ocsp_signing" + if not len(config.pki_master_dict\ + ['pki_ocsp_signing_token']): + config.pki_master_dict['pki_ocsp_signing_token'] =\ + "Internal Key Storage Token" + elif config.pki_master_dict['pki_subsystem'] == "OCSP": + # PKI OCSP + if not len(config.pki_master_dict\ + ['pki_ocsp_signing_nickname']): + config.pki_master_dict['pki_ocsp_signing_nickname'] =\ + "ocspSigningCert" + " " + "cert-" +\ + 
config.pki_master_dict['pki_instance_id'] + if not len(config.pki_master_dict\ + ['pki_ocsp_signing_subject_dn']): + config.pki_master_dict['pki_ocsp_signing_subject_dn'] =\ + "cn=" + "OCSP Signing Certificate" + "," + "o=" +\ + config.pki_master_dict['pki_security_domain_name'] + config.pki_master_dict['pki_ocsp_signing_tag'] =\ + "signing" + if not len(config.pki_master_dict\ + ['pki_ocsp_signing_token']): + config.pki_master_dict['pki_ocsp_signing_token'] =\ + "Internal Key Storage Token" + # Jython scriptlet + # 'SSL Server Certificate' Configuration name/value pairs + # + # Apache - [RA], [TPS] + # Tomcat - [CA], [KRA], [OCSP], [TKS] + # - [CA Clone], [KRA Clone], [OCSP Clone], [TKS Clone] + # - [External CA] + # - [Subordinate CA] + # + # The following variables are defined below: + # + # config.pki_master_dict['pki_ssl_server_tag'] + # + # The following variables are established via the specified PKI + # deployment configuration file and are NOT redefined below: + # + # config.pki_master_dict['pki_ssl_server_key_algorithm'] + # config.pki_master_dict['pki_ssl_server_key_size'] + # config.pki_master_dict['pki_ssl_server_key_type'] + # + # The following variables are established via the specified PKI + # deployment configuration file and potentially overridden below: + # + # config.pki_master_dict['pki_ssl_server_nickname'] + # config.pki_master_dict['pki_ssl_server_subject_dn'] + # config.pki_master_dict['pki_ssl_server_token'] + # + if not len(config.pki_master_dict['pki_ssl_server_nickname']): + config.pki_master_dict['pki_ssl_server_nickname'] =\ + "Server-Cert" + " " + "cert-" +\ + config.pki_master_dict['pki_instance_id'] + if not len(config.pki_master_dict['pki_ssl_server_subject_dn']): + if config.pki_subsystem in config.PKI_APACHE_SUBSYSTEMS: + config.pki_master_dict['pki_ssl_server_subject_dn'] =\ + "cn=" + config.pki_master_dict['pki_hostname'] +\ + "," + "ou=" + config.pki_master_dict['pki_instance_id'] +\ + "," + "o=" +\ + 
config.pki_master_dict['pki_security_domain_name'] + elif config.pki_subsystem in config.PKI_TOMCAT_SUBSYSTEMS: + config.pki_master_dict['pki_ssl_server_subject_dn'] =\ + "cn=" + config.pki_master_dict['pki_hostname'] +\ + "," + "o=" +\ + config.pki_master_dict['pki_security_domain_name'] + config.pki_master_dict['pki_ssl_server_tag'] = "sslserver" + if not len(config.pki_master_dict['pki_ssl_server_token']): + config.pki_master_dict['pki_ssl_server_token'] =\ + "Internal Key Storage Token" + # Jython scriptlet + # 'Subsystem Certificate' Configuration name/value pairs + # + # Apache - [RA], [TPS] + # Tomcat - [CA], [KRA], [OCSP], [TKS] + # - [External CA] + # - [Subordinate CA] + # + # The following variables are defined below: + # + # config.pki_master_dict['pki_subsystem_tag'] + # + # The following variables are established via the specified PKI + # deployment configuration file and are NOT redefined below: + # + # config.pki_master_dict['pki_subsystem_key_algorithm'] + # config.pki_master_dict['pki_subsystem_key_size'] + # config.pki_master_dict['pki_subsystem_key_type'] + # + # The following variables are established via the specified PKI + # deployment configuration file and potentially overridden below: + # + # config.pki_master_dict['pki_subsystem_nickname'] + # config.pki_master_dict['pki_subsystem_subject_dn'] + # config.pki_master_dict['pki_subsystem_token'] + # + if config.pki_subsystem in config.PKI_APACHE_SUBSYSTEMS: + if not len(config.pki_master_dict['pki_subsystem_nickname']): + config.pki_master_dict['pki_subsystem_nickname'] =\ + "subsystemCert" + " " + "cert-" +\ + config.pki_master_dict['pki_instance_id'] + if not len(config.pki_master_dict['pki_subsystem_subject_dn']): + if config.pki_master_dict['pki_subsystem'] == "RA": + # PKI RA + config.pki_master_dict['pki_subsystem_subject_dn'] =\ + "cn=" + "RA Subsystem Certificate" +\ + "," + "ou=" + config.pki_master_dict['pki_instance_id']\ + + "," + "o=" +\ + 
config.pki_master_dict['pki_security_domain_name'] + elif config.pki_master_dict['pki_subsystem'] == "TPS": + # PKI TPS + config.pki_master_dict['pki_subsystem_subject_dn'] =\ + "cn=" + "TPS Subsystem Certificate" +\ + "," + "ou=" + config.pki_master_dict['pki_instance_id']\ + + "," + "o=" +\ + config.pki_master_dict['pki_security_domain_name'] + config.pki_master_dict['pki_subsystem_tag'] = "subsystem" + if not len(config.pki_master_dict['pki_subsystem_token']): + config.pki_master_dict['pki_subsystem_token'] =\ + "Internal Key Storage Token" + elif config.pki_subsystem in config.PKI_TOMCAT_SUBSYSTEMS: + if not config.str2bool(config.pki_master_dict['pki_clone']): + if not len(config.pki_master_dict['pki_subsystem_nickname']): + config.pki_master_dict['pki_subsystem_nickname'] =\ + "subsystemCert" + " " + "cert-" +\ + config.pki_master_dict['pki_instance_id'] + if not len(config.pki_master_dict['pki_subsystem_subject_dn']): + if config.pki_master_dict['pki_subsystem'] == "CA": + if config.str2bool( + config.pki_master_dict['pki_external']): + # External CA + config.pki_master_dict['pki_subsystem_subject_dn']\ + = "cn=" + "External CA Subsystem Certificate" +\ + "," + "o=" +\ + config.pki_master_dict\ + ['pki_security_domain_name'] + elif config.str2bool( + config.pki_master_dict['pki_subordinate']): + # Subordinate CA + config.pki_master_dict['pki_subsystem_subject_dn']\ + = "cn=" + "SubCA Subsystem Certificate" +\ + "," + "o=" +\ + config.pki_master_dict\ + ['pki_security_domain_name'] + else: + # PKI CA + config.pki_master_dict['pki_subsystem_subject_dn']\ + = "cn=" + "CA Subsystem Certificate" +\ + "," + "o=" +\ + config.pki_master_dict\ + ['pki_security_domain_name'] + elif config.pki_master_dict['pki_subsystem'] == "KRA": + # PKI KRA + config.pki_master_dict['pki_subsystem_subject_dn'] =\ + "cn=" + "DRM Subsystem Certificate" +\ + "," + "o=" +\ + config.pki_master_dict\ + ['pki_security_domain_name'] + elif config.pki_master_dict['pki_subsystem'] == "OCSP": + 
# PKI OCSP + config.pki_master_dict['pki_subsystem_subject_dn'] =\ + "cn=" + "OCSP Subsystem Certificate" +\ + "," + "o=" +\ + config.pki_master_dict\ + ['pki_security_domain_name'] + elif config.pki_master_dict['pki_subsystem'] == "TKS": + # PKI TKS + config.pki_master_dict['pki_subsystem_subject_dn'] =\ + "cn=" + "TKS Subsystem Certificate" +\ + "," + "o=" +\ + config.pki_master_dict\ + ['pki_security_domain_name'] + config.pki_master_dict['pki_subsystem_tag'] = "subsystem" + if not len(config.pki_master_dict['pki_subsystem_token']): + config.pki_master_dict['pki_subsystem_token'] =\ + "Internal Key Storage Token" + # Jython scriptlet + # 'Audit Signing Certificate' Configuration name/value pairs + # + # Apache - [TPS] + # Tomcat - [CA], [KRA], [OCSP], [TKS] + # - [External CA] + # - [Subordinate CA] + # + # The following variables are defined below: + # + # config.pki_master_dict['pki_audit_signing_tag'] + # + # The following variables are established via the specified PKI + # deployment configuration file and are NOT redefined below: + # + # config.pki_master_dict['pki_audit_signing_key_algorithm'] + # config.pki_master_dict['pki_audit_signing_key_size'] + # config.pki_master_dict['pki_audit_signing_key_type'] + # config.pki_master_dict['pki_audit_signing_signing_algorithm'] + # + # The following variables are established via the specified PKI + # deployment configuration file and potentially overridden below: + # + # config.pki_master_dict['pki_audit_signing_nickname'] + # config.pki_master_dict['pki_audit_signing_subject_dn'] + # config.pki_master_dict['pki_audit_signing_token'] + # + if config.pki_subsystem in config.PKI_APACHE_SUBSYSTEMS: + if config.pki_master_dict['pki_subsystem'] != "RA": + if not len(config.pki_master_dict\ + ['pki_audit_signing_nickname']): + config.pki_master_dict['pki_audit_signing_nickname'] =\ + "auditSigningCert" + " " + "cert-" +\ + config.pki_master_dict['pki_instance_id'] + if not len(config.pki_master_dict\ + 
['pki_audit_signing_subject_dn']): + config.pki_master_dict['pki_audit_signing_subject_dn'] =\ + "cn=" + "TPS Audit Signing Certificate" +\ + "," + "ou=" + config.pki_master_dict['pki_instance_id']\ + + "," + "o=" +\ + config.pki_master_dict['pki_security_domain_name'] + config.pki_master_dict['pki_audit_signing_tag'] =\ + "audit_signing" + if not len(config.pki_master_dict['pki_audit_signing_token']): + config.pki_master_dict['pki_audit_signing_token'] =\ + "Internal Key Storage Token" + elif config.pki_subsystem in config.PKI_TOMCAT_SUBSYSTEMS: + if not config.str2bool(config.pki_master_dict['pki_clone']): + if not len(config.pki_master_dict\ + ['pki_audit_signing_nickname']): + config.pki_master_dict['pki_audit_signing_nickname'] =\ + "auditSigningCert" + " " + "cert-" +\ + config.pki_master_dict['pki_instance_id'] + if not len(config.pki_master_dict\ + ['pki_audit_signing_subject_dn']): + if config.pki_master_dict['pki_subsystem'] == "CA": + if config.str2bool( + config.pki_master_dict['pki_external']): + # External CA + config.pki_master_dict\ + ['pki_audit_signing_subject_dn'] =\ + "cn=" + "External CA Audit Signing Certificate"\ + + "," + "o=" +\ + config.pki_master_dict\ + ['pki_security_domain_name'] + elif config.str2bool( + config.pki_master_dict['pki_subordinate']): + # Subordinate CA + config.pki_master_dict\ + ['pki_audit_signing_subject_dn'] =\ + "cn=" + "SubCA Audit Signing Certificate" +\ + "," + "o=" +\ + config.pki_master_dict\ + ['pki_security_domain_name'] + else: + # PKI CA + config.pki_master_dict\ + ['pki_audit_signing_subject_dn'] =\ + "cn=" + "CA Audit Signing Certificate" +\ + "," + "o=" +\ + config.pki_master_dict\ + ['pki_security_domain_name'] + elif config.pki_master_dict['pki_subsystem'] == "KRA": + # PKI KRA + config.pki_master_dict['pki_audit_signing_subject_dn']\ + = "cn=" + "DRM Audit Signing Certificate" +\ + "," + "o=" +\ + config.pki_master_dict['pki_security_domain_name'] + elif config.pki_master_dict['pki_subsystem'] == 
"OCSP": + # PKI OCSP + config.pki_master_dict['pki_audit_signing_subject_dn']\ + = "cn=" + "OCSP Audit Signing Certificate" +\ + "," + "o=" +\ + config.pki_master_dict['pki_security_domain_name'] + elif config.pki_master_dict['pki_subsystem'] == "TKS": + # PKI TKS + config.pki_master_dict['pki_audit_signing_subject_dn']\ + = "cn=" + "TKS Audit Signing Certificate" +\ + "," + "o=" +\ + config.pki_master_dict['pki_security_domain_name'] + config.pki_master_dict['pki_audit_signing_tag'] =\ + "audit_signing" + if not len(config.pki_master_dict['pki_audit_signing_token']): + config.pki_master_dict['pki_audit_signing_token'] =\ + "Internal Key Storage Token" + # Jython scriptlet + # 'DRM Transport Certificate' Configuration name/value pairs + # + # Tomcat - [KRA] + # + # The following variables are defined below: + # + # config.pki_master_dict['pki_transport_tag'] + # + # The following variables are established via the specified PKI + # deployment configuration file and are NOT redefined below: + # + # config.pki_master_dict['pki_transport_key_algorithm'] + # config.pki_master_dict['pki_transport_key_size'] + # config.pki_master_dict['pki_transport_key_type'] + # config.pki_master_dict['pki_transport_signing_algorithm'] + # + # The following variables are established via the specified PKI + # deployment configuration file and potentially overridden below: + # + # config.pki_master_dict['pki_transport_nickname'] + # config.pki_master_dict['pki_transport_subject_dn'] + # config.pki_master_dict['pki_transport_token'] + # + if config.pki_subsystem in config.PKI_TOMCAT_SUBSYSTEMS: + if not config.str2bool(config.pki_master_dict['pki_clone']): + if config.pki_master_dict['pki_subsystem'] == "KRA": + # PKI KRA + if not len(config.pki_master_dict\ + ['pki_transport_nickname']): + config.pki_master_dict['pki_transport_nickname'] =\ + "transportCert" + " " + "cert-" +\ + config.pki_master_dict['pki_instance_id'] + if not len(config.pki_master_dict\ + ['pki_transport_subject_dn']): 
+ config.pki_master_dict['pki_transport_subject_dn']\ + = "cn=" + "DRM Transport Certificate" +\ + "," + "o=" +\ + config.pki_master_dict['pki_security_domain_name'] + config.pki_master_dict['pki_transport_tag'] =\ + "transport" + if not len(config.pki_master_dict['pki_transport_token']): + config.pki_master_dict['pki_transport_token'] =\ + "Internal Key Storage Token" + # Jython scriptlet + # 'DRM Storage Certificate' Configuration name/value pairs + # + # Tomcat - [KRA] + # + # The following variables are defined below: + # + # config.pki_master_dict['pki_storage_tag'] + # + # The following variables are established via the specified PKI + # deployment configuration file and are NOT redefined below: + # + # config.pki_master_dict['pki_storage_key_algorithm'] + # config.pki_master_dict['pki_storage_key_size'] + # config.pki_master_dict['pki_storage_key_type'] + # config.pki_master_dict['pki_storage_signing_algorithm'] + # + # The following variables are established via the specified PKI + # deployment configuration file and potentially overridden below: + # + # config.pki_master_dict['pki_storage_nickname'] + # config.pki_master_dict['pki_storage_subject_dn'] + # config.pki_master_dict['pki_storage_token'] + # + if config.pki_subsystem in config.PKI_TOMCAT_SUBSYSTEMS: + if not config.str2bool(config.pki_master_dict['pki_clone']): + if config.pki_master_dict['pki_subsystem'] == "KRA": + # PKI KRA + if not len(config.pki_master_dict['pki_storage_nickname']): + config.pki_master_dict['pki_storage_nickname'] =\ + "storageCert" + " " + "cert-" +\ + config.pki_master_dict['pki_instance_id'] + if not len(config.pki_master_dict\ + ['pki_storage_subject_dn']): + config.pki_master_dict['pki_storage_subject_dn']\ + = "cn=" + "DRM Storage Certificate" +\ + "," + "o=" +\ + config.pki_master_dict['pki_security_domain_name'] + config.pki_master_dict['pki_storage_tag'] =\ + "storage" + if not len(config.pki_master_dict['pki_storage_token']): + 
config.pki_master_dict['pki_storage_token'] =\ + "Internal Key Storage Token" except OSError as exc: config.pki_log.error(log.PKI_OSERROR_1, exc, extra=config.PKI_INDENTATION_LEVEL_2) sys.exit(1) + except KeyError as err: + config.pki_log.error(log.PKIHELPER_DICTIONARY_MASTER_MISSING_KEY_1, + err, extra=config.PKI_INDENTATION_LEVEL_2) + sys.exit(1) return diff --git a/base/deploy/src/scriptlets/security_databases.py b/base/deploy/src/scriptlets/security_databases.py index 1a08fdccb..8364d9519 100644 --- a/base/deploy/src/scriptlets/security_databases.py +++ b/base/deploy/src/scriptlets/security_databases.py @@ -38,13 +38,20 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): util.password.create_password_conf( master['pki_shared_password_conf'], master['pki_pin']) + # Since 'certutil' does NOT strip the 'token=' portion of + # the 'token=password' entries, create a temporary server 'pfile' + # which ONLY contains the 'password' for the purposes of + # allowing 'certutil' to generate the security databases + util.password.create_password_conf( + master['pki_shared_pfile'], + master['pki_pin'], pin_sans_token=True) util.file.modify(master['pki_shared_password_conf']) util.certutil.create_security_databases( master['pki_database_path'], master['pki_cert_database'], master['pki_key_database'], master['pki_secmod_database'], - password_file=master['pki_shared_password_conf']) + password_file=master['pki_shared_pfile']) util.file.modify(master['pki_cert_database'], perms=\ config.PKI_DEPLOYMENT_DEFAULT_SECURITY_DATABASE_PERMISSIONS) util.file.modify(master['pki_key_database'], perms=\ @@ -58,7 +65,7 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): master['pki_secmod_database'], master['pki_self_signed_token'], master['pki_self_signed_nickname'], - password_file=master['pki_shared_password_conf']) + password_file=master['pki_shared_pfile']) if not rv: util.file.generate_noise_file( master['pki_self_signed_noise_file'], 
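Review bot: The temporary pfile written by `util.password.create_password_conf(master['pki_shared_pfile'], master['pki_pin'], pin_sans_token=True)` holds the bare PIN, yet unlike password.conf on the very next line it never gets a `util.file.modify(...)` pass before certutil reads it, so its mode rests on whatever create_password_conf applies by default. Add `util.file.modify(master['pki_shared_pfile'])` directly after creating it, here and at the second creation site in the @@ -76 hunk's else branch. Its deletion lives several calls later in a different hunk, so any certutil failure in between leaves the cleartext file on disk; a try/finally around the create-to-delete span would close that window. The enclosing method begins before this hunk.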
@@ -76,18 +83,28 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): master['pki_self_signed_issuer_name'], master['pki_self_signed_trustargs'], master['pki_self_signed_noise_file'], - password_file=master['pki_shared_password_conf']) + password_file=master['pki_shared_pfile']) + # Delete the temporary 'noise' file util.file.delete(master['pki_self_signed_noise_file']) + # Delete the temporary 'pfile' + util.file.delete(master['pki_shared_pfile']) else: util.password.create_password_conf( master['pki_shared_password_conf'], master['pki_pin']) + # Since 'certutil' does NOT strip the 'token=' portion of + # the 'token=password' entries, create a temporary server 'pfile' + # which ONLY contains the 'password' for the purposes of + # allowing 'certutil' to generate the security databases + util.password.create_password_conf( + master['pki_shared_pfile'], + master['pki_pin'], pin_sans_token=True) util.certutil.create_security_databases( master['pki_database_path'], master['pki_cert_database'], master['pki_key_database'], master['pki_secmod_database'], - password_file=master['pki_shared_password_conf']) + password_file=master['pki_shared_pfile']) rv = util.certutil.verify_certificate_exists( master['pki_database_path'], master['pki_cert_database'], @@ -95,7 +112,7 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): master['pki_secmod_database'], master['pki_self_signed_token'], master['pki_self_signed_nickname'], - password_file=master['pki_shared_password_conf']) + password_file=master['pki_shared_pfile']) if not rv: util.file.generate_noise_file( master['pki_self_signed_noise_file'], 
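Review bot: `util.file.delete(master['pki_shared_pfile'])` is placed alongside the noise-file deletion, which the collapsed layout suggests sits inside the `if not rv:` branch; if so, when `verify_certificate_exists` returns true the pfile is never removed and the PIN stays readable on disk after deployment. Moving the delete out of the conditional (or into a finally clause covering the whole certutil sequence) makes cleanup unconditional. The @@ -113 hunk below has the same shape on the other branch.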
@@ -113,7 +130,11 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): master['pki_self_signed_issuer_name'], master['pki_self_signed_trustargs'], master['pki_self_signed_noise_file'], - password_file=master['pki_shared_password_conf']) + password_file=master['pki_shared_pfile']) + # Delete the temporary 'noise' file + util.file.delete(master['pki_self_signed_noise_file']) + # Delete the temporary 'pfile' + util.file.delete(master['pki_shared_pfile']) return self.rv def respawn(self): diff --git a/base/deploy/src/scriptlets/slot_substitution.py b/base/deploy/src/scriptlets/slot_substitution.py index 93b0ae750..3467596e8 100644 --- a/base/deploy/src/scriptlets/slot_substitution.py +++ b/base/deploy/src/scriptlets/slot_substitution.py @@ -39,7 +39,7 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): master['pki_target_cs_cfg']) util.file.copy_with_slot_substitution(master['pki_source_registry'], master['pki_target_registry'], - overwrite_flag=True) + uid=0, gid=0, overwrite_flag=True) if master['pki_subsystem'] in config.PKI_TOMCAT_SUBSYSTEMS: util.file.copy_with_slot_substitution( master['pki_source_catalina_properties'], @@ -56,7 +56,7 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): util.file.copy_with_slot_substitution( master['pki_source_tomcat_conf'], master['pki_target_tomcat_conf_instance_id'], - overwrite_flag=True) + uid=0, gid=0, overwrite_flag=True) util.file.copy_with_slot_substitution( master['pki_source_tomcat_conf'], master['pki_target_tomcat_conf'], 
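Review bot: `uid=0, gid=0, overwrite_flag=True` hard-codes root ownership for the registry and tomcat conf copies while every other file in this scriptlet takes its ownership from the deployment defaults, and nothing says why these two differ. A named constant in the config module (name to be chosen) or a one-line comment such as `# registry and tomcat conf are read by the init script and must stay root-owned` (reason to be confirmed) would make the intent reviewable. The same literal appears in the @@ -56 hunk here and in the @@ -85 and @@ -102 hunks below.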
@@ -69,6 +69,15 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): master['pki_target_velocity_properties']) util.file.apply_slot_substitution( master['pki_target_subsystem_web_xml']) + # Strip "<filter>" section from subsystem "web.xml" + # This is ONLY necessary because XML comments cannot be "nested"! + #util.file.copy(master['pki_target_subsystem_web_xml'], + # master['pki_target_subsystem_web_xml_orig']) + #util.file.delete(master['pki_target_subsystem_web_xml']) + #util.xml_file.remove_filter_section_from_web_xml( + # master['pki_target_subsystem_web_xml_orig'], + # master['pki_target_subsystem_web_xml']) + #util.file.delete(master['pki_target_subsystem_web_xml_orig']) if master['pki_subsystem'] == "CA": util.file.copy_with_slot_substitution( master['pki_source_proxy_conf'], @@ -85,7 +94,7 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): overwrite_flag=True) util.file.copy_with_slot_substitution(master['pki_source_registry'], master['pki_target_registry'], - overwrite_flag=True) + uid=0, gid=0, overwrite_flag=True) if master['pki_subsystem'] in config.PKI_TOMCAT_SUBSYSTEMS: util.file.copy_with_slot_substitution( master['pki_source_catalina_properties'], @@ -102,7 +111,7 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): util.file.copy_with_slot_substitution( master['pki_source_tomcat_conf'], master['pki_target_tomcat_conf_instance_id'], - overwrite_flag=True) + uid=0, gid=0, overwrite_flag=True) util.file.copy_with_slot_substitution( master['pki_source_tomcat_conf'], master['pki_target_tomcat_conf'], 
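Review bot: The heading `# Strip "<filter>" section from subsystem "web.xml"` announces an action, but all nine lines that would perform it are commented out, so the new code does nothing while reading as though the filter section is removed. Either drop the block or reword the heading as a TODO that states the stripping is deliberately disabled and what would re-enable it, e.g. `# TODO: <filter> stripping disabled (nested XML comments are not possible); see remove_filter_section_from_web_xml`. The @@ -115 hunk below carries a verbatim copy of the same block.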
@@ -115,6 +124,15 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): master['pki_target_velocity_properties']) util.file.apply_slot_substitution( master['pki_target_subsystem_web_xml']) + # Strip "<filter>" section from subsystem "web.xml" + # This is ONLY necessary because XML comments cannot be "nested"! + #util.file.copy(master['pki_target_subsystem_web_xml'], + # master['pki_target_subsystem_web_xml_orig']) + #util.file.delete(master['pki_target_subsystem_web_xml']) + #util.xml_file.remove_filter_section_from_web_xml( + # master['pki_target_subsystem_web_xml_orig'], + # master['pki_target_subsystem_web_xml']) + #util.file.delete(master['pki_target_subsystem_web_xml_orig']) if master['pki_subsystem'] == "CA": util.file.copy_with_slot_substitution( master['pki_source_proxy_conf'], diff --git a/base/deploy/src/scriptlets/subsystem_layout.py b/base/deploy/src/scriptlets/subsystem_layout.py index 4ea5e6f84..d9c597d60 100644 --- a/base/deploy/src/scriptlets/subsystem_layout.py +++ b/base/deploy/src/scriptlets/subsystem_layout.py 
@@ -56,6 +56,34 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): master['pki_subsystem_profiles_path']) # establish instance-based Tomcat PKI subsystem logs # establish instance-based Tomcat PKI subsystem configuration + if master['pki_subsystem'] == "CA": + util.file.copy(master['pki_source_flatfile_txt'], + master['pki_target_flatfile_txt']) + util.file.copy(master['pki_source_registry_cfg'], + master['pki_target_registry_cfg']) + # '*.profile' + util.file.copy(master['pki_source_admincert_profile'], + master['pki_target_admincert_profile']) + util.file.copy(master['pki_source_caauditsigningcert_profile'], + master['pki_target_caauditsigningcert_profile']) + util.file.copy(master['pki_source_cacert_profile'], + master['pki_target_cacert_profile']) + util.file.copy(master['pki_source_caocspcert_profile'], + master['pki_target_caocspcert_profile']) + util.file.copy(master['pki_source_servercert_profile'], + master['pki_target_servercert_profile']) + util.file.copy(master['pki_source_subsystemcert_profile'], + master['pki_target_subsystemcert_profile']) + elif master['pki_subsystem'] == "KRA": + # '*.profile' + util.file.copy(master['pki_source_servercert_profile'], + master['pki_target_servercert_profile']) + util.file.copy(master['pki_source_storagecert_profile'], + master['pki_target_storagecert_profile']) + util.file.copy(master['pki_source_subsystemcert_profile'], + master['pki_target_subsystemcert_profile']) + util.file.copy(master['pki_source_transportcert_profile'], + master['pki_target_transportcert_profile']) # establish instance-based Tomcat PKI subsystem registry # establish instance-based Tomcat PKI subsystem convenience # symbolic links 
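Review bot: `util.file.copy(master['pki_source_flatfile_txt'], master['pki_target_flatfile_txt'])` installs the file that the CA template's `auths.instance.flatFileAuth.fileName` points at, which presumably holds enrollment credentials, using only util.file.copy's default mode; the profile and registry copies next to it are fine with defaults, but this one deserves the explicit tightening password.conf receives in the security_databases scriptlet. A follow-up `util.file.modify(master['pki_target_flatfile_txt'], perms=<restrictive perms constant>)` would close that gap (the exact constant is not visible here). The enclosing method continues outside the hunk.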
@@ -98,6 +126,46 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): overwrite_flag=True) # update instance-based Tomcat PKI subsystem logs # update instance-based Tomcat PKI subsystem configuration + if master['pki_subsystem'] == "CA": + # util.file.copy(master['pki_source_flatfile_txt'], + # master['pki_target_flatfile_txt'], + # overwrite_flag=True) + util.file.copy(master['pki_source_registry_cfg'], + master['pki_target_registry_cfg'], + overwrite_flag=True) + # '*.profile' + util.file.copy(master['pki_source_admincert_profile'], + master['pki_target_admincert_profile'], + overwrite_flag=True) + util.file.copy(master['pki_source_caauditsigningcert_profile'], + master['pki_target_caauditsigningcert_profile'], + overwrite_flag=True) + util.file.copy(master['pki_source_cacert_profile'], + master['pki_target_cacert_profile'], + overwrite_flag=True) + util.file.copy(master['pki_source_caocspcert_profile'], + master['pki_target_caocspcert_profile'], + overwrite_flag=True) + util.file.copy(master['pki_source_servercert_profile'], + master['pki_target_servercert_profile'], + overwrite_flag=True) + util.file.copy(master['pki_source_subsystemcert_profile'], + master['pki_target_subsystemcert_profile'], + overwrite_flag=True) + elif master['pki_subsystem'] == "KRA": + # '*.profile' + util.file.copy(master['pki_source_servercert_profile'], + master['pki_target_servercert_profile'], + overwrite_flag=True) + util.file.copy(master['pki_source_storagecert_profile'], + master['pki_target_storagecert_profile'], + overwrite_flag=True) + util.file.copy(master['pki_source_subsystemcert_profile'], + master['pki_target_subsystemcert_profile'], + overwrite_flag=True) + util.file.copy(master['pki_source_transportcert_profile'], + master['pki_target_transportcert_profile'], + overwrite_flag=True) # update instance-based Tomcat PKI subsystem registry # update instance-based Tomcat PKI subsystem convenience # symbolic links 
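Review bot: The commented-out flatfile copy is the one place where the update path diverges from the create path in the @@ -56 hunk, and nothing records why. A one-line comment such as `# flatfile.txt is never overwritten on update: it may hold site-populated credentials` (rationale to be confirmed) would keep the next maintainer from "restoring" the copy and clobbering a live credential file. The commented-out lines themselves can then go.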
diff --git a/base/deploy/src/scriptlets/war_explosion.py b/base/deploy/src/scriptlets/war_explosion.py index ca2ea601b..16113ba7d 100644 --- a/base/deploy/src/scriptlets/war_explosion.py +++ b/base/deploy/src/scriptlets/war_explosion.py @@ -39,11 +39,23 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): util.directory.create(master['pki_tomcat_webapps_subsystem_path']) util.war.explode(master['pki_war'], master['pki_tomcat_webapps_subsystem_path']) - # establish convenience symbolic links - util.symlink.create(master['pki_tomcat_webapps_webinf_classes_path'], - master['pki_tomcat_webapps_subsystem_webinf_classes_link']) - util.symlink.create(master['pki_tomcat_webapps_webinf_lib_path'], - master['pki_tomcat_webapps_subsystem_webinf_lib_link']) + util.directory.create( + master['pki_tomcat_webapps_subsystem_webinf_classes_path']) + util.directory.create( + master['pki_tomcat_webapps_subsystem_webinf_lib_path']) + # establish Tomcat webapps subsystem WEB-INF lib symbolic links + if master['pki_subsystem'] == "CA": + util.symlink.create(master['pki_ca_jar'], + master['pki_ca_jar_link']) + elif master['pki_subsystem'] == "KRA": + util.symlink.create(master['pki_kra_jar'], + master['pki_kra_jar_link']) + elif master['pki_subsystem'] == "OCSP": + util.symlink.create(master['pki_ocsp_jar'], + master['pki_ocsp_jar_link']) + elif master['pki_subsystem'] == "TKS": + util.symlink.create(master['pki_tks_jar'], + master['pki_tks_jar_link']) # set ownerships, permissions, and acls util.directory.set_mode(master['pki_tomcat_webapps_subsystem_path']) return self.rv 
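Review bot: The four-way `if/elif` on `master['pki_subsystem']` silently creates no jar link for any other subsystem value, and the same chain is repeated with `util.symlink.modify` in the @@ -56 hunk below, so a new subsystem must be added in two places. A small lookup keyed by subsystem name, as sketched below, makes the create and update paths share one table and lets the unmatched case log or raise instead of passing quietly. The enclosing method starts before this hunk.
```python
        # … unchanged: war explosion and WEB-INF directory creation …
        # establish Tomcat webapps subsystem WEB-INF lib symbolic links
        jar_keys = {"CA": 'pki_ca_jar', "KRA": 'pki_kra_jar',
                    "OCSP": 'pki_ocsp_jar', "TKS": 'pki_tks_jar'}
        jar = jar_keys.get(master['pki_subsystem'])
        if jar is not None:
            util.symlink.create(master[jar], master[jar + '_link'])
        # … unchanged: set_mode and return …
```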
@@ -56,8 +68,16 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): util.directory.modify(master['pki_tomcat_webapps_subsystem_path']) util.war.explode(master['pki_war'], master['pki_tomcat_webapps_subsystem_path']) + # update Tomcat webapps subsystem WEB-INF lib symbolic links + if master['pki_subsystem'] == "CA": + util.symlink.modify(master['pki_ca_jar_link']) + elif master['pki_subsystem'] == "KRA": + util.symlink.modify(master['pki_kra_jar_link']) + elif master['pki_subsystem'] == "OCSP": + util.symlink.modify(master['pki_ocsp_jar_link']) + elif master['pki_subsystem'] == "TKS": + util.symlink.modify(master['pki_tks_jar_link']) # update ownerships, permissions, and acls - # NOTE: This includes existing convenience symbolic links util.directory.set_mode(master['pki_tomcat_webapps_subsystem_path']) return self.rv diff --git a/base/kra/shared/conf/CS.cfg.in b/base/kra/shared/conf/CS.cfg.in index 5135e1311..c2655fc75 100644 --- a/base/kra/shared/conf/CS.cfg.in +++ b/base/kra/shared/conf/CS.cfg.in @@ -29,6 +29,7 @@ agent.interface.uri=kra/agent/kra authType=pwd preop.securitydomain.admin_url=https://[PKI_MACHINE_NAME]:9445 instanceRoot=[PKI_INSTANCE_PATH] +configurationRoot=/[PKI_SUBSYSTEM_DIR]conf/ machineName=[PKI_MACHINE_NAME] instanceId=[PKI_INSTANCE_ID] pidDir=[PKI_PIDDIR] @@ -201,7 +202,7 @@ dbs.ldap=internaldb dbs.newSchemaEntryAdded=true debug.append=true debug.enabled=true -debug.filename=[PKI_INSTANCE_PATH]/logs/debug +debug.filename=[PKI_INSTANCE_PATH]/logs/[PKI_SUBSYSTEM_DIR]debug debug.hashkeytypes= debug.level=0 debug.showcaller=false 
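Review bot: `configurationRoot=/[PKI_SUBSYSTEM_DIR]conf/` is the only new path in this series not anchored at `[PKI_INSTANCE_PATH]`; with the leading `/` it expands to an absolute `/<subsystem dir>/conf/` unless the code reading it resolves it against `instanceRoot`, which the diff does not show. The CA template in this series carries the identical line, so if the relative form is intentional the deploy code that consumes configurationRoot should say so, and if not the line should read `configurationRoot=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_DIR]conf/` to match `debug.filename` two hunks down.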
@@ -277,7 +278,7 @@ log.instance.SignedAudit.bufferSize=512
 log.instance.SignedAudit.enable=true
 log.instance.SignedAudit.events=AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,PRIVATE_KEY_ARCHIVE_REQUEST,PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,KEY_RECOVERY_REQUEST,KEY_RECOVERY_REQUEST_ASYNC,KEY_RECOVERY_AGENT_LOGIN,KEY_RECOVERY_REQUEST_PROCESSED,KEY_RECOVERY_REQUEST_PROCESSED_ASYNC,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ_SUCCESS,AUTHZ_FAIL,INTER_BOUNDARY,AUTH_FAIL,AUTH_SUCCESS,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_ADD_CA_REQUEST,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST,OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS,OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,CONFIG_SERIAL_NUMBER
 log.instance.SignedAudit.expirationTime=0
-log.instance.SignedAudit.fileName=[PKI_INSTANCE_PATH]/logs/signedAudit/kra_cert-kra_audit
+log.instance.SignedAudit.fileName=[PKI_INSTANCE_PATH]/logs/[PKI_SUBSYSTEM_DIR]signedAudit/kra_cert-kra_audit
 log.instance.SignedAudit.flushInterval=5
 log.instance.SignedAudit.level=1
 log.instance.SignedAudit.logSigning=false
@@ -295,7 +296,7 @@ log.instance.System._002=##
 log.instance.System.bufferSize=512
 log.instance.System.enable=true
 log.instance.System.expirationTime=0
-log.instance.System.fileName=[PKI_INSTANCE_PATH]/logs/system
+log.instance.System.fileName=[PKI_INSTANCE_PATH]/logs/[PKI_SUBSYSTEM_DIR]system
 log.instance.System.flushInterval=5
 log.instance.System.level=3
 log.instance.System.maxFileSize=2000
@@ -308,15 +309,15 @@ log.instance.Transactions._002=##
 log.instance.Transactions.bufferSize=512
 log.instance.Transactions.enable=true
 log.instance.Transactions.expirationTime=0
-log.instance.Transactions.fileName=[PKI_INSTANCE_PATH]/logs/transactions
+log.instance.Transactions.fileName=[PKI_INSTANCE_PATH]/logs/[PKI_SUBSYSTEM_DIR]transactions
 log.instance.Transactions.flushInterval=5
 log.instance.Transactions.level=1
 log.instance.Transactions.maxFileSize=2000
 log.instance.Transactions.pluginName=file
 log.instance.Transactions.rolloverInterval=2592000
 log.instance.Transactions.type=transaction
-logAudit.fileName=[PKI_INSTANCE_PATH]/logs/access
-logError.fileName=[PKI_INSTANCE_PATH]/logs/error
+logAudit.fileName=[PKI_INSTANCE_PATH]/logs/[PKI_SUBSYSTEM_DIR]access
+logError.fileName=[PKI_INSTANCE_PATH]/logs/[PKI_SUBSYSTEM_DIR]error
 oidmap.auth_info_access.class=netscape.security.extensions.AuthInfoAccessExtension
 oidmap.auth_info_access.oid=1.3.6.1.5.5.7.1.1
 oidmap.challenge_password.class=com.netscape.cms.servlet.cert.scep.ChallengePassword
@@ -353,7 +354,7 @@ selftests.container.logger.bufferSize=512
 selftests.container.logger.class=com.netscape.cms.logging.RollingLogFile
 selftests.container.logger.enable=true
 selftests.container.logger.expirationTime=0
-selftests.container.logger.fileName=[PKI_INSTANCE_PATH]/logs/selftests.log
+selftests.container.logger.fileName=[PKI_INSTANCE_PATH]/logs/[PKI_SUBSYSTEM_DIR]selftests.log
 selftests.container.logger.flushInterval=5
 selftests.container.logger.level=1
 selftests.container.logger.maxFileSize=2000
diff --git a/base/kra/shared/webapps/kra/WEB-INF/web.xml b/base/kra/shared/webapps/kra/WEB-INF/web.xml
index c6e9934eb..273ca1fa4 100644
--- a/base/kra/shared/webapps/kra/WEB-INF/web.xml
+++ b/base/kra/shared/webapps/kra/WEB-INF/web.xml
@@ -3,71 +3,6 @@
 PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
 "file:///usr/share/pki/setup/web-app_2_3.dtd">
 <web-app>
- <filter>
- <filter-name>AgentRequestFilter</filter-name>
- <filter-class>com.netscape.cms.servlet.filter.AgentRequestFilter</filter-class>
- <init-param>
- <param-name>https_port</param-name>
- <param-value>[PKI_AGENT_SECURE_PORT]</param-value>
- </init-param>
-[PKI_OPEN_ENABLE_PROXY_COMMENT]
- <init-param>
- <param-name>proxy_port</param-name>
- <param-value>[PKI_PROXY_SECURE_PORT]</param-value>
- </init-param>
-[PKI_CLOSE_ENABLE_PROXY_COMMENT]
- <init-param>
- <param-name>active</param-name>
- <param-value>true</param-value>
- </init-param>
- </filter>
-
- <filter>
- <filter-name>AdminRequestFilter</filter-name>
- <filter-class>com.netscape.cms.servlet.filter.AdminRequestFilter</filter-class>
- <init-param>
- <param-name>https_port</param-name>
- <param-value>[PKI_ADMIN_SECURE_PORT]</param-value>
- </init-param>
-[PKI_OPEN_ENABLE_PROXY_COMMENT]
- <init-param>
- <param-name>proxy_port</param-name>
- <param-value>[PKI_PROXY_SECURE_PORT]</param-value>
- </init-param>
-[PKI_CLOSE_ENABLE_PROXY_COMMENT]
- <init-param>
- <param-name>active</param-name>
- <param-value>true</param-value>
- </init-param>
- </filter>
-
- <filter>
- <filter-name>EERequestFilter</filter-name>
- <filter-class>com.netscape.cms.servlet.filter.EERequestFilter</filter-class>
- <init-param>
- <param-name>http_port</param-name>
- <param-value>[PKI_UNSECURE_PORT]</param-value>
- </init-param>
- <init-param>
- <param-name>https_port</param-name>
- <param-value>[PKI_EE_SECURE_PORT]</param-value>
- </init-param>
-[PKI_OPEN_ENABLE_PROXY_COMMENT]
- <init-param>
- <param-name>proxy_port</param-name>
- <param-value>[PKI_PROXY_SECURE_PORT]</param-value>
- </init-param>
- <init-param>
- <param-name>proxy_http_port</param-name>
- <param-value>[PKI_PROXY_UNSECURE_PORT]</param-value>
- </init-param>
-[PKI_CLOSE_ENABLE_PROXY_COMMENT]
- <init-param>
- <param-name>active</param-name>
- <param-value>true</param-value>
- </init-param>
- </filter>
-
 <servlet>
 <servlet-name>csadmin-wizard</servlet-name>
 <servlet-class>com.netscape.cms.servlet.wizard.WizardServlet</servlet-class>
@@ -640,7 +575,7 @@
 <init-param><param-name> AuthzMgr </param-name>
 <param-value> BasicAclAuthz </param-value> </init-param>
 <init-param><param-name> cfgPath </param-name>
- <param-value> [PKI_INSTANCE_PATH]/conf/CS.cfg </param-value> </init-param>
+ <param-value> [PKI_INSTANCE_PATH]/conf/[PKI_SUBSYSTEM_DIR]CS.cfg </param-value> </init-param>
 <init-param><param-name> ID </param-name>
 <param-value> krastart </param-value> </init-param>
 <load-on-startup> 1 </load-on-startup>
@@ -756,10 +691,9 @@
 <param-value> ee </param-value> </init-param>
 </servlet>
- <context-param>
- <param-name>resteasy.scan</param-name>
- <param-value>true</param-value>
- </context-param>
+ <listener>
+ <listener-class> org.jboss.resteasy.plugins.server.servlet.ResteasyBootstrap </listener-class>
+ </listener>
 <context-param>
 <param-name>resteasy.servlet.mapping.prefix</param-name>
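Review bot: Removing the AgentRequestFilter, AdminRequestFilter and EERequestFilter definitions here, together with their `[PKI_OPEN_SEPARATE_PORTS_WEB_COMMENT]`-guarded mappings in the @@ -776 hunk, takes away the only place in this descriptor that tied `/agent/*`, `/admin/*` and `/ee/*` to their dedicated ports; the ocsp and tks web.xml hunks make the same removal. Nothing in the diff shows a replacement, so either separate-ports deployments are no longer supported (then the `PKI_*_SEPARATE_PORTS_WEB_COMMENT` and `PKI_*_ENABLE_PROXY_COMMENT` slots and the `PKI_AGENT_SECURE_PORT`/`PKI_ADMIN_SECURE_PORT`/`PKI_EE_SECURE_PORT` values should be retired or documented as unused), or the port-to-interface enforcement moved elsewhere and the commit message should say where. A one-line comment directly under `<web-app>` such as `<!-- interface/port separation is no longer enforced by servlet filters; see [PLACEHOLDER: component that enforces it, or "unsupported"] -->` would keep the next reader from re-adding the filters or assuming the separation still holds.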
@@ -776,31 +710,12 @@
 <servlet>
 <servlet-name>Resteasy</servlet-name>
 <servlet-class>org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher</servlet-class>
+ <init-param>
+ <param-name>javax.ws.rs.Application</param-name>
+ <param-value>com.netscape.kra.KeyRecoveryAuthorityApplication</param-value>
+ </init-param>
 </servlet>
-[PKI_OPEN_SEPARATE_PORTS_WEB_COMMENT]
- <filter-mapping>
- <filter-name> AgentRequestFilter </filter-name>
- <url-pattern> /agent/* </url-pattern>
- </filter-mapping>
-
- <filter-mapping>
- <filter-name> AdminRequestFilter </filter-name>
- <url-pattern> /admin/* </url-pattern>
- <url-pattern> /auths </url-pattern>
- <url-pattern> /server </url-pattern>
- <url-pattern> /log </url-pattern>
- <url-pattern> /ug </url-pattern>
- <url-pattern> /acl </url-pattern>
- <url-pattern> /kra </url-pattern>
- </filter-mapping>
-
- <filter-mapping>
- <filter-name> EERequestFilter </filter-name>
- <url-pattern> /ee/* </url-pattern>
- </filter-mapping>
-[PKI_CLOSE_SEPARATE_PORTS_WEB_COMMENT]
-
 <servlet-mapping>
 <servlet-name>Resteasy</servlet-name>
 <url-pattern>/pki/*</url-pattern>
diff --git a/base/ocsp/shared/conf/CS.cfg.in b/base/ocsp/shared/conf/CS.cfg.in
index 658a1b6d3..0910d6672 100644
--- a/base/ocsp/shared/conf/CS.cfg.in
+++ b/base/ocsp/shared/conf/CS.cfg.in
@@ -99,6 +99,7 @@ preop.cert.subsystem.cncomponent.override=true
 cs.state=0
 authType=pwd
 instanceRoot=[PKI_INSTANCE_PATH]
+configurationRoot=/[PKI_SUBSYSTEM_DIR]conf/
 machineName=[PKI_MACHINE_NAME]
 instanceId=[PKI_INSTANCE_ID]
 service.machineName=[PKI_MACHINE_NAME]
@@ -163,7 +164,7 @@ dbs.ldap=internaldb
 dbs.newSchemaEntryAdded=true
 debug.append=true
 debug.enabled=true
-debug.filename=[PKI_INSTANCE_PATH]/logs/debug
+debug.filename=[PKI_INSTANCE_PATH]/logs/[PKI_SUBSYSTEM_DIR]debug
 debug.hashkeytypes=
 debug.level=0
 debug.showcaller=false
@@ -216,7 +217,7 @@ log.instance.SignedAudit.bufferSize=512
 log.instance.SignedAudit.enable=true
 log.instance.SignedAudit.events=AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,PRIVATE_KEY_ARCHIVE_REQUEST,PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,KEY_RECOVERY_REQUEST,KEY_RECOVERY_REQUEST_ASYNC,KEY_RECOVERY_AGENT_LOGIN,KEY_RECOVERY_REQUEST_PROCESSED,KEY_RECOVERY_REQUEST_PROCESSED_ASYNC,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ_SUCCESS,AUTHZ_FAIL,INTER_BOUNDARY,AUTH_FAIL,AUTH_SUCCESS,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_ADD_CA_REQUEST,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST,OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS,OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION
 log.instance.SignedAudit.expirationTime=0
-log.instance.SignedAudit.fileName=[PKI_INSTANCE_PATH]/logs/signedAudit/ocsp_cert-ocsp_audit
+log.instance.SignedAudit.fileName=[PKI_INSTANCE_PATH]/logs/[PKI_SUBSYSTEM_DIR]signedAudit/ocsp_cert-ocsp_audit
 log.instance.SignedAudit.flushInterval=5
 log.instance.SignedAudit.level=1
 log.instance.SignedAudit.logSigning=false
@@ -234,7 +235,7 @@ log.instance.System._002=##
 log.instance.System.bufferSize=512
 log.instance.System.enable=true
 log.instance.System.expirationTime=0
-log.instance.System.fileName=[PKI_INSTANCE_PATH]/logs/system
+log.instance.System.fileName=[PKI_INSTANCE_PATH]/logs/[PKI_SUBSYSTEM_DIR]system
 log.instance.System.flushInterval=5
 log.instance.System.level=3
 log.instance.System.maxFileSize=2000
@@ -247,15 +248,15 @@ log.instance.Transactions._002=##
 log.instance.Transactions.bufferSize=512
 log.instance.Transactions.enable=true
 log.instance.Transactions.expirationTime=0
-log.instance.Transactions.fileName=[PKI_INSTANCE_PATH]/logs/transactions
+log.instance.Transactions.fileName=[PKI_INSTANCE_PATH]/logs/[PKI_SUBSYSTEM_DIR]transactions
 log.instance.Transactions.flushInterval=5
 log.instance.Transactions.level=1
 log.instance.Transactions.maxFileSize=2000
 log.instance.Transactions.pluginName=file
 log.instance.Transactions.rolloverInterval=2592000
 log.instance.Transactions.type=transaction
-logAudit.fileName=[PKI_INSTANCE_PATH]/logs/access
-logError.fileName=[PKI_INSTANCE_PATH]/logs/error
+logAudit.fileName=[PKI_INSTANCE_PATH]/logs/[PKI_SUBSYSTEM_DIR]access
+logError.fileName=[PKI_INSTANCE_PATH]/logs/[PKI_SUBSYSTEM_DIR]error
 ocsp.certNickname=
 ocsp.storeId=defStore
 ocsp.signing.certnickname=
@@ -302,7 +303,7 @@ selftests.container.logger.bufferSize=512
 selftests.container.logger.class=com.netscape.cms.logging.RollingLogFile
 selftests.container.logger.enable=true
 selftests.container.logger.expirationTime=0
-selftests.container.logger.fileName=[PKI_INSTANCE_PATH]/logs/selftests.log
+selftests.container.logger.fileName=[PKI_INSTANCE_PATH]/logs/[PKI_SUBSYSTEM_DIR]selftests.log
 selftests.container.logger.flushInterval=5
 selftests.container.logger.level=1
 selftests.container.logger.maxFileSize=2000
diff --git a/base/ocsp/shared/webapps/ocsp/WEB-INF/web.xml b/base/ocsp/shared/webapps/ocsp/WEB-INF/web.xml
index e4ea799eb..cb18574b3 100644
--- a/base/ocsp/shared/webapps/ocsp/WEB-INF/web.xml
+++ b/base/ocsp/shared/webapps/ocsp/WEB-INF/web.xml
@@ -7,71 +7,6 @@
 PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
 "file:///usr/share/pki/setup/web-app_2_3.dtd">
 <web-app>
- <filter>
- <filter-name>AgentRequestFilter</filter-name>
- <filter-class>com.netscape.cms.servlet.filter.AgentRequestFilter</filter-class>
- <init-param>
- <param-name>https_port</param-name>
- <param-value>[PKI_AGENT_SECURE_PORT]</param-value>
- </init-param>
-[PKI_OPEN_ENABLE_PROXY_COMMENT]
- <init-param>
- <param-name>proxy_port</param-name>
- <param-value>[PKI_PROXY_SECURE_PORT]</param-value>
- </init-param>
-[PKI_CLOSE_ENABLE_PROXY_COMMENT]
- <init-param>
- <param-name>active</param-name>
- <param-value>true</param-value>
- </init-param>
- </filter>
-
- <filter>
- <filter-name>AdminRequestFilter</filter-name>
- <filter-class>com.netscape.cms.servlet.filter.AdminRequestFilter</filter-class>
- <init-param>
- <param-name>https_port</param-name>
- <param-value>[PKI_ADMIN_SECURE_PORT]</param-value>
- </init-param>
-[PKI_OPEN_ENABLE_PROXY_COMMENT]
- <init-param>
- <param-name>proxy_port</param-name>
- <param-value>[PKI_PROXY_SECURE_PORT]</param-value>
- </init-param>
-[PKI_CLOSE_ENABLE_PROXY_COMMENT]
- <init-param>
- <param-name>active</param-name>
- <param-value>true</param-value>
- </init-param>
- </filter>
-
- <filter>
- <filter-name>EERequestFilter</filter-name>
- <filter-class>com.netscape.cms.servlet.filter.EERequestFilter</filter-class>
- <init-param>
- <param-name>http_port</param-name>
- <param-value>[PKI_UNSECURE_PORT]</param-value>
- </init-param>
- <init-param>
- <param-name>https_port</param-name>
- <param-value>[PKI_EE_SECURE_PORT]</param-value>
- </init-param>
-[PKI_OPEN_ENABLE_PROXY_COMMENT]
- <init-param>
- <param-name>proxy_port</param-name>
- <param-value>[PKI_PROXY_SECURE_PORT]</param-value>
- </init-param>
- <init-param>
- <param-name>proxy_http_port</param-name>
- <param-value>[PKI_PROXY_UNSECURE_PORT]</param-value>
- </init-param>
-[PKI_CLOSE_ENABLE_PROXY_COMMENT]
- <init-param>
- <param-name>active</param-name>
- <param-value>true</param-value>
- </init-param>
- </filter>
-
 <servlet>
 <servlet-name>csadmin-wizard</servlet-name>
 <servlet-class>com.netscape.cms.servlet.wizard.WizardServlet</servlet-class>
@@ -160,7 +95,7 @@
 <init-param><param-name> AuthzMgr </param-name>
 <param-value> BasicAclAuthz </param-value> </init-param>
 <init-param><param-name> cfgPath </param-name>
- <param-value> [PKI_INSTANCE_PATH]/conf/CS.cfg </param-value> </init-param>
+ <param-value> [PKI_INSTANCE_PATH]/conf/[PKI_SUBSYSTEM_DIR]CS.cfg </param-value> </init-param>
 <init-param><param-name> ID </param-name>
 <param-value> ocspstart </param-value> </init-param>
 <load-on-startup> 1 </load-on-startup>
@@ -469,10 +404,9 @@
 <param-value> ee </param-value> </init-param>
 </servlet>
- <context-param>
- <param-name>resteasy.scan</param-name>
- <param-value>true</param-value>
- </context-param>
+ <listener>
+ <listener-class> org.jboss.resteasy.plugins.server.servlet.ResteasyBootstrap </listener-class>
+ </listener>
 <context-param>
 <param-name>resteasy.servlet.mapping.prefix</param-name>
@@ -489,31 +423,12 @@
 <servlet>
 <servlet-name>Resteasy</servlet-name>
 <servlet-class>org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher</servlet-class>
+ <init-param>
+ <param-name>javax.ws.rs.Application</param-name>
+ <param-value>com.netscape.ocsp.OCSPApplication</param-value>
+ </init-param>
 </servlet>
-[PKI_OPEN_SEPARATE_PORTS_WEB_COMMENT]
- <filter-mapping>
- <filter-name> AgentRequestFilter </filter-name>
- <url-pattern> /agent/* </url-pattern>
- </filter-mapping>
-
- <filter-mapping>
- <filter-name> AdminRequestFilter </filter-name>
- <url-pattern> /admin/* </url-pattern>
- <url-pattern> /auths </url-pattern>
- <url-pattern> /ug </url-pattern>
- <url-pattern> /log </url-pattern>
- <url-pattern> /acl </url-pattern>
- <url-pattern> /server </url-pattern>
- <url-pattern> /ocsp </url-pattern>
- </filter-mapping>
-
- <filter-mapping>
- <filter-name> EERequestFilter </filter-name>
- <url-pattern> /ee/* </url-pattern>
- </filter-mapping>
-[PKI_CLOSE_SEPARATE_PORTS_WEB_COMMENT]
-
 <servlet-mapping>
 <servlet-name>Resteasy</servlet-name>
 <url-pattern>/pki/*</url-pattern>
diff --git a/base/setup/pkicreate b/base/setup/pkicreate
index bd07eb0b0..6abb73755 100755
--- a/base/setup/pkicreate
+++ b/base/setup/pkicreate
@@ -307,6 +307,7 @@ my $PKI_EE_SECURE_CLIENT_AUTH_PORT_UI_SLOT = "PKI_EE_SECURE_CLIENT_AUTH_PORT_UI"
 my $PKI_AGENT_SECURE_PORT_SLOT = "PKI_AGENT_SECURE_PORT";
 my $PKI_ADMIN_SECURE_PORT_SLOT = "PKI_ADMIN_SECURE_PORT";
 my $PKI_SERVER_XML_CONF = "PKI_SERVER_XML_CONF";
+my $PKI_SUBSYSTEM_DIR_SLOT = "PKI_SUBSYSTEM_DIR";
 my $PKI_SUBSYSTEM_TYPE_SLOT = "PKI_SUBSYSTEM_TYPE";
 my $PKI_UNSECURE_PORT_SLOT = "PKI_UNSECURE_PORT";
 my $PKI_USER_SLOT = "PKI_USER";
@@ -2417,6 +2418,7 @@ sub process_pki_templates
 emit("Processing PKI templates for '$pki_instance_path' ...\n");
+ $slot_hash{$PKI_SUBSYSTEM_DIR_SLOT} = "";
 $slot_hash{$PKI_SUBSYSTEM_TYPE_SLOT} = $subsystem_type;
 $slot_hash{$PKI_INSTANCE_ID_SLOT} = $pki_instance_name;
 $slot_hash{$PKI_INSTANCE_ROOT_SLOT} = $pki_instance_root;
diff --git a/base/tks/shared/conf/CS.cfg.in b/base/tks/shared/conf/CS.cfg.in
index 740baf61e..f641e026f 100644
--- a/base/tks/shared/conf/CS.cfg.in
+++ b/base/tks/shared/conf/CS.cfg.in
@@ -91,6 +91,7 @@ preop.module.token=Internal Key Storage Token
 cs.state=0
 authType=pwd
 instanceRoot=[PKI_INSTANCE_PATH]
+configurationRoot=/[PKI_SUBSYSTEM_DIR]conf/
 machineName=[PKI_MACHINE_NAME]
 instanceId=[PKI_INSTANCE_ID]
 preop.pin=[PKI_RANDOM_NUMBER]
@@ -156,7 +157,7 @@ dbs.ldap=internaldb
 dbs.newSchemaEntryAdded=true
 debug.append=true
 debug.enabled=true
-debug.filename=[PKI_INSTANCE_PATH]/logs/debug
+debug.filename=[PKI_INSTANCE_PATH]/logs/[PKI_SUBSYSTEM_DIR]debug
 debug.hashkeytypes=
 debug.level=0
 debug.showcaller=false
@@ -209,7 +210,7 @@ log.instance.SignedAudit.bufferSize=512
 log.instance.SignedAudit.enable=true
 log.instance.SignedAudit.events=AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,PRIVATE_KEY_ARCHIVE_REQUEST,PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,KEY_RECOVERY_REQUEST,KEY_RECOVERY_REQUEST_ASYNC,KEY_RECOVERY_AGENT_LOGIN,KEY_RECOVERY_REQUEST_PROCESSED,KEY_RECOVERY_REQUEST_PROCESSED_ASYNC,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ_SUCCESS,AUTHZ_FAIL,INTER_BOUNDARY,AUTH_FAIL,AUTH_SUCCESS,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_ADD_CA_REQUEST,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST,OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS,OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION
 log.instance.SignedAudit.expirationTime=0
-log.instance.SignedAudit.fileName=[PKI_INSTANCE_PATH]/logs/signedAudit/tks_cert-tks_audit
+log.instance.SignedAudit.fileName=[PKI_INSTANCE_PATH]/logs/[PKI_SUBSYSTEM_DIR]signedAudit/tks_cert-tks_audit
 log.instance.SignedAudit.flushInterval=5
 log.instance.SignedAudit.level=1
 log.instance.SignedAudit.logSigning=false
@@ -227,7 +228,7 @@ log.instance.System._002=##
 log.instance.System.bufferSize=512
 log.instance.System.enable=true
 log.instance.System.expirationTime=0
-log.instance.System.fileName=[PKI_INSTANCE_PATH]/logs/system
+log.instance.System.fileName=[PKI_INSTANCE_PATH]/logs/[PKI_SUBSYSTEM_DIR]system
 log.instance.System.flushInterval=5
 log.instance.System.level=3
 log.instance.System.maxFileSize=2000
@@ -240,15 +241,15 @@ log.instance.Transactions._002=##
 log.instance.Transactions.bufferSize=512
 log.instance.Transactions.enable=true
 log.instance.Transactions.expirationTime=0
-log.instance.Transactions.fileName=[PKI_INSTANCE_PATH]/logs/transactions
+log.instance.Transactions.fileName=[PKI_INSTANCE_PATH]/logs/[PKI_SUBSYSTEM_DIR]transactions
 log.instance.Transactions.flushInterval=5
 log.instance.Transactions.level=1
 log.instance.Transactions.maxFileSize=2000
 log.instance.Transactions.pluginName=file
 log.instance.Transactions.rolloverInterval=2592000
 log.instance.Transactions.type=transaction
-logAudit.fileName=[PKI_INSTANCE_PATH]/logs/access
-logError.fileName=[PKI_INSTANCE_PATH]/logs/error
+logAudit.fileName=[PKI_INSTANCE_PATH]/logs/[PKI_SUBSYSTEM_DIR]access
+logError.fileName=[PKI_INSTANCE_PATH]/logs/[PKI_SUBSYSTEM_DIR]error
 oidmap.auth_info_access.class=netscape.security.extensions.AuthInfoAccessExtension
 oidmap.auth_info_access.oid=1.3.6.1.5.5.7.1.1
 oidmap.challenge_password.class=com.netscape.cms.servlet.cert.scep.ChallengePassword
@@ -285,7 +286,7 @@ selftests.container.logger.bufferSize=512
 selftests.container.logger.class=com.netscape.cms.logging.RollingLogFile
 selftests.container.logger.enable=true
 selftests.container.logger.expirationTime=0
-selftests.container.logger.fileName=[PKI_INSTANCE_PATH]/logs/selftests.log
+selftests.container.logger.fileName=[PKI_INSTANCE_PATH]/logs/[PKI_SUBSYSTEM_DIR]selftests.log
 selftests.container.logger.flushInterval=5
 selftests.container.logger.level=1
 selftests.container.logger.maxFileSize=2000
diff --git a/base/tks/shared/webapps/tks/WEB-INF/web.xml b/base/tks/shared/webapps/tks/WEB-INF/web.xml
index c3f7593c2..20874de45 100644
--- a/base/tks/shared/webapps/tks/WEB-INF/web.xml
+++ b/base/tks/shared/webapps/tks/WEB-INF/web.xml
@@ -7,71 +7,6 @@
 PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
 "file:///usr/share/pki/setup/web-app_2_3.dtd">
 <web-app>
- <filter>
- <filter-name>AgentRequestFilter</filter-name>
- <filter-class>com.netscape.cms.servlet.filter.AgentRequestFilter</filter-class>
- <init-param>
- <param-name>https_port</param-name>
- <param-value>[PKI_AGENT_SECURE_PORT]</param-value>
- </init-param>
-[PKI_OPEN_ENABLE_PROXY_COMMENT]
- <init-param>
- <param-name>proxy_port</param-name>
- <param-value>[PKI_PROXY_SECURE_PORT]</param-value>
- </init-param>
-[PKI_CLOSE_ENABLE_PROXY_COMMENT]
- <init-param>
- <param-name>active</param-name>
- <param-value>true</param-value>
- </init-param>
- </filter>
-
- <filter>
- <filter-name>AdminRequestFilter</filter-name>
- <filter-class>com.netscape.cms.servlet.filter.AdminRequestFilter</filter-class>
- <init-param>
- <param-name>https_port</param-name>
- <param-value>[PKI_ADMIN_SECURE_PORT]</param-value>
- </init-param>
-[PKI_OPEN_ENABLE_PROXY_COMMENT]
- <init-param>
- <param-name>proxy_port</param-name>
- <param-value>[PKI_PROXY_SECURE_PORT]</param-value>
- </init-param>
-[PKI_CLOSE_ENABLE_PROXY_COMMENT]
- <init-param>
- <param-name>active</param-name>
- <param-value>true</param-value>
- </init-param>
- </filter>
-
- <filter>
- <filter-name>EERequestFilter</filter-name>
- <filter-class>com.netscape.cms.servlet.filter.EERequestFilter</filter-class>
- <init-param>
- <param-name>http_port</param-name>
- <param-value>[PKI_UNSECURE_PORT]</param-value>
- </init-param>
- <init-param>
- <param-name>https_port</param-name>
- <param-value>[PKI_EE_SECURE_PORT]</param-value>
- </init-param>
-[PKI_OPEN_ENABLE_PROXY_COMMENT]
- <init-param>
- <param-name>proxy_port</param-name>
- <param-value>[PKI_PROXY_SECURE_PORT]</param-value>
- </init-param>
- <init-param>
- <param-name>proxy_http_port</param-name>
- <param-value>[PKI_PROXY_UNSECURE_PORT]</param-value>
- </init-param>
-[PKI_CLOSE_ENABLE_PROXY_COMMENT]
- <init-param>
- <param-name>active</param-name>
- <param-value>true</param-value>
- </init-param>
- </filter>
-
 <servlet>
 <servlet-name>csadmin-wizard</servlet-name>
 <servlet-class>com.netscape.cms.servlet.wizard.WizardServlet</servlet-class>
@@ -104,7 +39,7 @@
 <init-param><param-name> AuthzMgr </param-name>
 <param-value> BasicAclAuthz </param-value> </init-param>
 <init-param><param-name> cfgPath </param-name>
- <param-value> [PKI_INSTANCE_PATH]/conf/CS.cfg </param-value> </init-param>
+ <param-value> [PKI_INSTANCE_PATH]/conf/[PKI_SUBSYSTEM_DIR]CS.cfg </param-value> </init-param>
 <init-param><param-name> ID </param-name>
 <param-value> tksstart </param-value> </init-param>
 <load-on-startup> 1 </load-on-startup>
@@ -338,10 +273,9 @@
 <param-value> ee </param-value> </init-param>
 </servlet>
- <context-param>
- <param-name>resteasy.scan</param-name>
- <param-value>true</param-value>
- </context-param>
+ <listener>
+ <listener-class> org.jboss.resteasy.plugins.server.servlet.ResteasyBootstrap </listener-class>
+ </listener>
 <context-param>
 <param-name>resteasy.servlet.mapping.prefix</param-name>
@@ -358,30 +292,12 @@
 <servlet>
 <servlet-name>Resteasy</servlet-name>
 <servlet-class>org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher</servlet-class>
+ <init-param>
+ <param-name>javax.ws.rs.Application</param-name>
+ <param-value>com.netscape.tks.TKSApplication</param-value>
+ </init-param>
 </servlet>
-[PKI_OPEN_SEPARATE_PORTS_WEB_COMMENT]
- <filter-mapping>
- <filter-name> AgentRequestFilter </filter-name>
- <url-pattern> /agent/* </url-pattern>
- </filter-mapping>
-
- <filter-mapping>
- <filter-name> AdminRequestFilter </filter-name>
- <url-pattern> /admin/* </url-pattern>
- <url-pattern> /auths </url-pattern>
- <url-pattern> /ug </url-pattern>
- <url-pattern> /log </url-pattern>
- <url-pattern> /acl </url-pattern>
- <url-pattern> /server </url-pattern>
- </filter-mapping>
-
- <filter-mapping>
- <filter-name> EERequestFilter </filter-name>
- <url-pattern> /ee/* </url-pattern>
- </filter-mapping>
-[PKI_CLOSE_SEPARATE_PORTS_WEB_COMMENT]
-
 <servlet-mapping>
 <servlet-name>Resteasy</servlet-name>
 <url-pattern>/pki/*</url-pattern> |