summaryrefslogtreecommitdiffstats
path: root/base
diff options
context:
space:
mode:
Diffstat (limited to 'base')
-rw-r--r--base/ca/shared/conf/CS.cfg.in145
-rw-r--r--base/ca/shared/webapps/ca/WEB-INF/web.xml139
-rw-r--r--base/common/shared/conf/catalina.properties4
-rw-r--r--base/common/shared/conf/log4j.properties27
-rw-r--r--base/common/shared/conf/server.xml95
-rw-r--r--base/common/shared/conf/serverCertNick.conf6
-rw-r--r--base/common/shared/conf/tomcat.conf7
-rw-r--r--base/common/shared/conf/web.xml4283
-rw-r--r--base/common/src/CMakeLists.txt11
-rw-r--r--base/common/src/com/netscape/cms/servlet/csadmin/CertUtil.java4
-rw-r--r--base/common/src/com/netscape/cmscore/realm/PKIJNDIRealm.java21
-rw-r--r--base/deploy/config/pkideployment.cfg201
-rw-r--r--base/deploy/config/pkislots.cfg2
-rwxr-xr-xbase/deploy/scripts/pkidaemon2
-rwxr-xr-xbase/deploy/src/pkidestroy34
-rwxr-xr-xbase/deploy/src/pkispawn34
-rw-r--r--base/deploy/src/scriptlets/configuration.jy116
-rw-r--r--base/deploy/src/scriptlets/configuration.py69
-rw-r--r--base/deploy/src/scriptlets/finalization.py16
-rw-r--r--base/deploy/src/scriptlets/initialization.py7
-rw-r--r--base/deploy/src/scriptlets/instance_layout.py119
-rw-r--r--base/deploy/src/scriptlets/pkiconfig.py58
-rw-r--r--base/deploy/src/scriptlets/pkihelper.py382
-rw-r--r--base/deploy/src/scriptlets/pkijython.py429
-rw-r--r--base/deploy/src/scriptlets/pkimessages.py65
-rw-r--r--base/deploy/src/scriptlets/pkiparser.py1251
-rw-r--r--base/deploy/src/scriptlets/security_databases.py33
-rw-r--r--base/deploy/src/scriptlets/slot_substitution.py26
-rw-r--r--base/deploy/src/scriptlets/subsystem_layout.py68
-rw-r--r--base/deploy/src/scriptlets/war_explosion.py32
-rw-r--r--base/kra/shared/conf/CS.cfg.in15
-rw-r--r--base/kra/shared/webapps/kra/WEB-INF/web.xml101
-rw-r--r--base/ocsp/shared/conf/CS.cfg.in15
-rw-r--r--base/ocsp/shared/webapps/ocsp/WEB-INF/web.xml101
-rwxr-xr-xbase/setup/pkicreate2
-rw-r--r--base/tks/shared/conf/CS.cfg.in15
-rw-r--r--base/tks/shared/webapps/tks/WEB-INF/web.xml100
37 files changed, 7353 insertions, 682 deletions
diff --git a/base/ca/shared/conf/CS.cfg.in b/base/ca/shared/conf/CS.cfg.in
index 78c28435a..ca90d52d5 100644
--- a/base/ca/shared/conf/CS.cfg.in
+++ b/base/ca/shared/conf/CS.cfg.in
@@ -38,6 +38,7 @@ securitydomain.flushinterval=86400000
securitydomain.source=ldap
securitydomain.checkinterval=300000
instanceRoot=[PKI_INSTANCE_PATH]
+configurationRoot=/[PKI_SUBSYSTEM_DIR]conf/
machineName=[PKI_MACHINE_NAME]
instanceId=[PKI_INSTANCE_ID]
pidDir=[PKI_PIDDIR]
@@ -180,7 +181,7 @@ auths.instance.AgentCertAuth.pluginName=AgentCertAuth
auths.instance.raCertAuth.agentGroup=Registration Manager Agents
auths.instance.raCertAuth.pluginName=AgentCertAuth
auths.instance.flatFileAuth.pluginName=FlatFileAuth
-auths.instance.flatFileAuth.fileName=[PKI_INSTANCE_PATH]/conf/flatfile.txt
+auths.instance.flatFileAuth.fileName=[PKI_INSTANCE_PATH]/conf/[PKI_SUBSYSTEM_DIR]flatfile.txt
auths.instance.SSLclientCertAuth.pluginName=SSLclientCertAuth
auths.revocationChecking.bufferSize=50
auths.revocationChecking.ca=ca
@@ -643,15 +644,15 @@ ca.crl.MasterCRL.extension.IssuingDistributionPoint.pointName=
ca.crl.MasterCRL.extension.IssuingDistributionPoint.pointType=
ca.crl.MasterCRL.extension.IssuingDistributionPoint.type=CRLExtension
ca.notification.certIssued.emailSubject=Your Certificate Request
-ca.notification.certIssued.emailTemplate=[PKI_INSTANCE_PATH]/emails/certIssued_CA.html
+ca.notification.certIssued.emailTemplate=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_DIR]emails/certIssued_CA.html
ca.notification.certIssued.enabled=false
ca.notification.certIssued.senderEmail=
ca.notification.certRevoked.emailSubject=Your Certificate Revoked
-ca.notification.certRevoked.emailTemplate=[PKI_INSTANCE_PATH]/emails/certRevoked_CA.html
+ca.notification.certRevoked.emailTemplate=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_DIR]emails/certRevoked_CA.html
ca.notification.certRevoked.enabled=false
ca.notification.certRevoked.senderEmail=
ca.notification.requestInQ.emailSubject=Certificate Request in Queue
-ca.notification.requestInQ.emailTemplate=[PKI_INSTANCE_PATH]/emails/reqInQueue_CA.html
+ca.notification.requestInQ.emailTemplate=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_DIR]emails/reqInQueue_CA.html
ca.notification.requestInQ.enabled=false
ca.notification.requestInQ.recipientEmail=
ca.notification.requestInQ.senderEmail=
@@ -793,7 +794,7 @@ dbs.ldap=internaldb
dbs.newSchemaEntryAdded=true
debug.append=true
debug.enabled=true
-debug.filename=[PKI_INSTANCE_PATH]/logs/debug
+debug.filename=[PKI_INSTANCE_PATH]/logs/[PKI_SUBSYSTEM_DIR]debug
debug.hashkeytypes=
debug.level=0
debug.showcaller=false
@@ -815,8 +816,8 @@ internaldb.ldapconn.host=
internaldb.ldapconn.port=
internaldb.ldapconn.secureConn=false
preop.internaldb.schema.ldif=/usr/share/pki/ca/conf/schema.ldif
-preop.internaldb.ldif=/usr/share/pki/ca/conf/database.ldif
-preop.internaldb.data_ldif=/usr/share/pki/ca/conf/db.ldif,/usr/share/pki/ca/conf/acl.ldif
+preop.internaldb.ldif=/usr/share/pki/[PKI_SUBSYSTEM_DIR]conf/database.ldif
+preop.internaldb.data_ldif=/usr/share/pki/[PKI_SUBSYSTEM_DIR]conf/db.ldif,/usr/share/pki/ca/conf/acl.ldif
preop.internaldb.index_ldif=
preop.internaldb.manager_ldif=/usr/share/pki/ca/conf/manager.ldif
preop.internaldb.post_ldif=/usr/share/pki/ca/conf/index.ldif,/usr/share/pki/ca/conf/vlv.ldif,/usr/share/pki/ca/conf/vlvtasks.ldif
@@ -833,25 +834,25 @@ jobsScheduler.impl.RequestInQueueJob.class=com.netscape.cms.jobs.RequestInQueueJ
jobsScheduler.impl.UnpublishExpiredJob.class=com.netscape.cms.jobs.UnpublishExpiredJob
jobsScheduler.job.certRenewalNotifier.cron=0 3 * * 1-5
jobsScheduler.job.certRenewalNotifier.emailSubject=Certificate Renewal Notification
-jobsScheduler.job.certRenewalNotifier.emailTemplate=[PKI_INSTANCE_PATH]/emails/rnJob1.txt
+jobsScheduler.job.certRenewalNotifier.emailTemplate=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_DIR]emails/rnJob1.txt
jobsScheduler.job.certRenewalNotifier.enabled=false
jobsScheduler.job.certRenewalNotifier.notifyEndOffset=30
jobsScheduler.job.certRenewalNotifier.notifyTriggerOffset=30
jobsScheduler.job.certRenewalNotifier.pluginName=RenewalNotificationJob
jobsScheduler.job.certRenewalNotifier.senderEmail=
jobsScheduler.job.certRenewalNotifier.summary.emailSubject=Certificate Renewal Notification Summary
-jobsScheduler.job.certRenewalNotifier.summary.emailTemplate=[PKI_INSTANCE_PATH]/emails/rnJob1Summary.txt
+jobsScheduler.job.certRenewalNotifier.summary.emailTemplate=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_DIR]emails/rnJob1Summary.txt
jobsScheduler.job.certRenewalNotifier.summary.enabled=true
-jobsScheduler.job.certRenewalNotifier.summary.itemTemplate=[PKI_INSTANCE_PATH]/emails/rnJob1Item.txt
+jobsScheduler.job.certRenewalNotifier.summary.itemTemplate=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_DIR]emails/rnJob1Item.txt
jobsScheduler.job.certRenewalNotifier.summary.recipientEmail=
jobsScheduler.job.certRenewalNotifier.summary.senderEmail=
jobsScheduler.job.publishCerts.cron=0 0 * * 2
jobsScheduler.job.publishCerts.enabled=false
jobsScheduler.job.publishCerts.pluginName=PublishCertsJob
jobsScheduler.job.publishCerts.summary.emailSubject=Certs Publishing Summary
-jobsScheduler.job.publishCerts.summary.emailTemplate=[PKI_INSTANCE_PATH]/emails/publishCerts.html
+jobsScheduler.job.publishCerts.summary.emailTemplate=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_DIR]emails/publishCerts.html
jobsScheduler.job.publishCerts.summary.enabled=true
-jobsScheduler.job.publishCerts.summary.itemTemplate=[PKI_INSTANCE_PATH]/emails/publishCertsItem.html
+jobsScheduler.job.publishCerts.summary.itemTemplate=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_DIR]emails/publishCertsItem.html
jobsScheduler.job.publishCerts.summary.recipientEmail=
jobsScheduler.job.publishCerts.summary.senderEmail=
jobsScheduler.job.requestInQueueNotifier.cron=0 0 * * 0
@@ -859,7 +860,7 @@ jobsScheduler.job.requestInQueueNotifier.enabled=false
jobsScheduler.job.requestInQueueNotifier.pluginName=RequestInQueueJob
jobsScheduler.job.requestInQueueNotifier.subsystemId=ca
jobsScheduler.job.requestInQueueNotifier.summary.emailSubject=Requests in Queue Summary Report
-jobsScheduler.job.requestInQueueNotifier.summary.emailTemplate=[PKI_INSTANCE_PATH]/emails/riq1Summary.html
+jobsScheduler.job.requestInQueueNotifier.summary.emailTemplate=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_DIR]emails/riq1Summary.html
jobsScheduler.job.requestInQueueNotifier.summary.enabled=true
jobsScheduler.job.requestInQueueNotifier.summary.recipientEmail=
jobsScheduler.job.requestInQueueNotifier.summary.senderEmail=
@@ -867,9 +868,9 @@ jobsScheduler.job.unpublishExpiredCerts.cron=0 0 * * 6
jobsScheduler.job.unpublishExpiredCerts.enabled=false
jobsScheduler.job.unpublishExpiredCerts.pluginName=UnpublishExpiredJob
jobsScheduler.job.unpublishExpiredCerts.summary.emailSubject=Expired Certs Unpublished Summary
-jobsScheduler.job.unpublishExpiredCerts.summary.emailTemplate=[PKI_INSTANCE_PATH]/emails/euJob1.html
+jobsScheduler.job.unpublishExpiredCerts.summary.emailTemplate=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_DIR]emails/euJob1.html
jobsScheduler.job.unpublishExpiredCerts.summary.enabled=true
-jobsScheduler.job.unpublishExpiredCerts.summary.itemTemplate=[PKI_INSTANCE_PATH]/emails/euJob1Item.html
+jobsScheduler.job.unpublishExpiredCerts.summary.itemTemplate=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_DIR]emails/euJob1Item.html
jobsScheduler.job.unpublishExpiredCerts.summary.recipientEmail=
jobsScheduler.job.unpublishExpiredCerts.summary.senderEmail=
jss._000=##
@@ -897,7 +898,7 @@ log.instance.SignedAudit.bufferSize=512
log.instance.SignedAudit.enable=true
log.instance.SignedAudit.events=AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,PRIVATE_KEY_ARCHIVE_REQUEST,PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,KEY_RECOVERY_REQUEST,KEY_RECOVERY_REQUEST_ASYNC,KEY_RECOVERY_AGENT_LOGIN,KEY_RECOVERY_REQUEST_PROCESSED,KEY_RECOVERY_REQUEST_PROCESSED_ASYNC,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ_SUCCESS,AUTHZ_FAIL,INTER_BOUNDARY,AUTH_FAIL,AUTH_SUCCESS,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_ADD_CA_REQUEST,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST,OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS,OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,SECURITY_DOMAIN_UPDATE,CONFIG_SERIAL_NUMBER
log.instance.SignedAudit.expirationTime=0
-log.instance.SignedAudit.fileName=[PKI_INSTANCE_PATH]/logs/signedAudit/ca_audit
+log.instance.SignedAudit.fileName=[PKI_INSTANCE_PATH]/logs/[PKI_SUBSYSTEM_DIR]signedAudit/ca_audit
log.instance.SignedAudit.flushInterval=5
log.instance.SignedAudit.level=1
log.instance.SignedAudit.logSigning=false
@@ -913,7 +914,7 @@ log.instance.System._002=##
log.instance.System.bufferSize=512
log.instance.System.enable=true
log.instance.System.expirationTime=0
-log.instance.System.fileName=[PKI_INSTANCE_PATH]/logs/system
+log.instance.System.fileName=[PKI_INSTANCE_PATH]/logs/[PKI_SUBSYSTEM_DIR]system
log.instance.System.flushInterval=5
log.instance.System.level=3
log.instance.System.maxFileSize=2000
@@ -926,15 +927,15 @@ log.instance.Transactions._002=##
log.instance.Transactions.bufferSize=512
log.instance.Transactions.enable=true
log.instance.Transactions.expirationTime=0
-log.instance.Transactions.fileName=[PKI_INSTANCE_PATH]/logs/transactions
+log.instance.Transactions.fileName=[PKI_INSTANCE_PATH]/logs/[PKI_SUBSYSTEM_DIR]transactions
log.instance.Transactions.flushInterval=5
log.instance.Transactions.level=1
log.instance.Transactions.maxFileSize=2000
log.instance.Transactions.pluginName=file
log.instance.Transactions.rolloverInterval=2592000
log.instance.Transactions.type=transaction
-logAudit.fileName=[PKI_INSTANCE_PATH]/logs/access
-logError.fileName=[PKI_INSTANCE_PATH]/logs/error
+logAudit.fileName=[PKI_INSTANCE_PATH]/logs/[PKI_SUBSYSTEM_DIR]access
+logError.fileName=[PKI_INSTANCE_PATH]/logs/[PKI_SUBSYSTEM_DIR]error
oidmap.auth_info_access.class=netscape.security.extensions.AuthInfoAccessExtension
oidmap.auth_info_access.oid=1.3.6.1.5.5.7.1.1
oidmap.challenge_password.class=com.netscape.cms.servlet.cert.scep.ChallengePassword
@@ -956,106 +957,106 @@ oidmap.subject_info_access.oid=1.3.6.1.5.5.7.1.11
os.userid=nobody
profile.list=caUserCert,caECUserCert,caUserSMIMEcapCert,caDualCert,caECDualCert,caSignedLogCert,caTPSCert,caRARouterCert,caRouterCert,caServerCert,caOtherCert,caCACert,caInstallCACert,caRACert,caOCSPCert,caTransportCert,caDirUserCert,caAgentServerCert,caAgentFileSigning,caCMCUserCert,caFullCMCUserCert,caSimpleCMCUserCert,caTokenDeviceKeyEnrollment,caTokenUserEncryptionKeyEnrollment,caTokenUserSigningKeyEnrollment,caTempTokenDeviceKeyEnrollment,caTempTokenUserEncryptionKeyEnrollment,caTempTokenUserSigningKeyEnrollment,caAdminCert,caInternalAuthServerCert,caInternalAuthTransportCert,caInternalAuthDRMstorageCert,caInternalAuthSubsystemCert,caInternalAuthOCSPCert,caInternalAuthAuditSigningCert,DomainController,caDualRAuserCert,caRAagentCert,caRAserverCert,caUUIDdeviceCert,caSSLClientSelfRenewal,caDirUserRenewal,caManualRenewal,caTokenMSLoginEnrollment,caTokenUserSigningKeyRenewal,caTokenUserEncryptionKeyRenewal,caJarSigningCert,caIPAserviceCert,caEncUserCert,caEncECUserCert
profile.caUUIDdeviceCert.class_id=caEnrollImpl
-profile.caUUIDdeviceCert.config=[PKI_INSTANCE_PATH]/profiles/ca/caUUIDdeviceCert.cfg
+profile.caUUIDdeviceCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_DIR]profiles/ca/caUUIDdeviceCert.cfg
profile.caManualRenewal.class_id=caEnrollImpl
-profile.caManualRenewal.config=[PKI_INSTANCE_PATH]/profiles/ca/caManualRenewal.cfg
+profile.caManualRenewal.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_DIR]profiles/ca/caManualRenewal.cfg
profile.caDirUserRenewal.class_id=caEnrollImpl
-profile.caDirUserRenewal.config=[PKI_INSTANCE_PATH]/profiles/ca/caDirUserRenewal.cfg
+profile.caDirUserRenewal.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_DIR]profiles/ca/caDirUserRenewal.cfg
profile.caSSLClientSelfRenewal.class_id=caEnrollImpl
-profile.caSSLClientSelfRenewal.config=[PKI_INSTANCE_PATH]/profiles/ca/caSSLClientSelfRenewal.cfg
+profile.caSSLClientSelfRenewal.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_DIR]profiles/ca/caSSLClientSelfRenewal.cfg
profile.DomainController.class_id=caEnrollImpl
-profile.DomainController.config=[PKI_INSTANCE_PATH]/profiles/ca/DomainController.cfg
+profile.DomainController.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_DIR]profiles/ca/DomainController.cfg
profile.caAgentFileSigning.class_id=caEnrollImpl
-profile.caAgentFileSigning.config=[PKI_INSTANCE_PATH]/profiles/ca/caAgentFileSigning.cfg
+profile.caAgentFileSigning.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_DIR]profiles/ca/caAgentFileSigning.cfg
profile.caAgentServerCert.class_id=caEnrollImpl
-profile.caAgentServerCert.config=[PKI_INSTANCE_PATH]/profiles/ca/caAgentServerCert.cfg
+profile.caAgentServerCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_DIR]profiles/ca/caAgentServerCert.cfg
profile.caRAserverCert.class_id=caEnrollImpl
-profile.caRAserverCert.config=[PKI_INSTANCE_PATH]/profiles/ca/caRAserverCert.cfg
+profile.caRAserverCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_DIR]profiles/ca/caRAserverCert.cfg
profile.caCACert.class_id=caEnrollImpl
-profile.caCACert.config=[PKI_INSTANCE_PATH]/profiles/ca/caCACert.cfg
+profile.caCACert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_DIR]profiles/ca/caCACert.cfg
profile.caInstallCACert.class_id=caEnrollImpl
-profile.caInstallCACert.config=[PKI_INSTANCE_PATH]/profiles/ca/caInstallCACert.cfg
+profile.caInstallCACert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_DIR]profiles/ca/caInstallCACert.cfg
profile.caCMCUserCert.class_id=caEnrollImpl
-profile.caCMCUserCert.config=[PKI_INSTANCE_PATH]/profiles/ca/caCMCUserCert.cfg
+profile.caCMCUserCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_DIR]profiles/ca/caCMCUserCert.cfg
profile.caDirUserCert.class_id=caEnrollImpl
-profile.caDirUserCert.config=[PKI_INSTANCE_PATH]/profiles/ca/caDirUserCert.cfg
+profile.caDirUserCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_DIR]profiles/ca/caDirUserCert.cfg
profile.caDualCert.class_id=caEnrollImpl
-profile.caDualCert.config=[PKI_INSTANCE_PATH]/profiles/ca/caDualCert.cfg
+profile.caDualCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_DIR]profiles/ca/caDualCert.cfg
profile.caECDualCert.class_id=caEnrollImpl
-profile.caECDualCert.config=[PKI_INSTANCE_PATH]/profiles/ca/caECDualCert.cfg
+profile.caECDualCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_DIR]profiles/ca/caECDualCert.cfg
profile.caDualRAuserCert.class_id=caEnrollImpl
-profile.caDualRAuserCert.config=[PKI_INSTANCE_PATH]/profiles/ca/caDualRAuserCert.cfg
+profile.caDualRAuserCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_DIR]profiles/ca/caDualRAuserCert.cfg
profile.caRAagentCert.class_id=caEnrollImpl
-profile.caRAagentCert.config=[PKI_INSTANCE_PATH]/profiles/ca/caRAagentCert.cfg
+profile.caRAagentCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_DIR]profiles/ca/caRAagentCert.cfg
profile.caFullCMCUserCert.class_id=caEnrollImpl
-profile.caFullCMCUserCert.config=[PKI_INSTANCE_PATH]/profiles/ca/caFullCMCUserCert.cfg
+profile.caFullCMCUserCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_DIR]profiles/ca/caFullCMCUserCert.cfg
profile.caInternalAuthOCSPCert.class_id=caEnrollImpl
-profile.caInternalAuthOCSPCert.config=[PKI_INSTANCE_PATH]/profiles/ca/caInternalAuthOCSPCert.cfg
+profile.caInternalAuthOCSPCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_DIR]profiles/ca/caInternalAuthOCSPCert.cfg
profile.caInternalAuthAuditSigningCert.class_id=caEnrollImpl
-profile.caInternalAuthAuditSigningCert.config=[PKI_INSTANCE_PATH]/profiles/ca/caInternalAuthAuditSigningCert.cfg
+profile.caInternalAuthAuditSigningCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_DIR]profiles/ca/caInternalAuthAuditSigningCert.cfg
profile.caInternalAuthServerCert.class_id=caEnrollImpl
-profile.caInternalAuthServerCert.config=[PKI_INSTANCE_PATH]/profiles/ca/caInternalAuthServerCert.cfg
+profile.caInternalAuthServerCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_DIR]profiles/ca/caInternalAuthServerCert.cfg
profile.caInternalAuthSubsystemCert.class_id=caEnrollImpl
-profile.caInternalAuthSubsystemCert.config=[PKI_INSTANCE_PATH]/profiles/ca/caInternalAuthSubsystemCert.cfg
+profile.caInternalAuthSubsystemCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_DIR]profiles/ca/caInternalAuthSubsystemCert.cfg
profile.caInternalAuthDRMstorageCert.class_id=caEnrollImpl
-profile.caInternalAuthDRMstorageCert.config=[PKI_INSTANCE_PATH]/profiles/ca/caInternalAuthDRMstorageCert.cfg
+profile.caInternalAuthDRMstorageCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_DIR]profiles/ca/caInternalAuthDRMstorageCert.cfg
profile.caInternalAuthTransportCert.class_id=caEnrollImpl
-profile.caInternalAuthTransportCert.config=[PKI_INSTANCE_PATH]/profiles/ca/caInternalAuthTransportCert.cfg
+profile.caInternalAuthTransportCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_DIR]profiles/ca/caInternalAuthTransportCert.cfg
profile.caOCSPCert.class_id=caEnrollImpl
-profile.caOCSPCert.config=[PKI_INSTANCE_PATH]/profiles/ca/caOCSPCert.cfg
+profile.caOCSPCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_DIR]profiles/ca/caOCSPCert.cfg
profile.caOtherCert.class_id=caEnrollImpl
-profile.caOtherCert.config=[PKI_INSTANCE_PATH]/profiles/ca/caOtherCert.cfg
+profile.caOtherCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_DIR]profiles/ca/caOtherCert.cfg
profile.caRACert.class_id=caEnrollImpl
-profile.caRACert.config=[PKI_INSTANCE_PATH]/profiles/ca/caRACert.cfg
+profile.caRACert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_DIR]profiles/ca/caRACert.cfg
profile.caRARouterCert.class_id=caEnrollImpl
-profile.caRARouterCert.config=[PKI_INSTANCE_PATH]/profiles/ca/caRARouterCert.cfg
+profile.caRARouterCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_DIR]profiles/ca/caRARouterCert.cfg
profile.caRouterCert.class_id=caEnrollImpl
-profile.caRouterCert.config=[PKI_INSTANCE_PATH]/profiles/ca/caRouterCert.cfg
+profile.caRouterCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_DIR]profiles/ca/caRouterCert.cfg
profile.caServerCert.class_id=caEnrollImpl
-profile.caServerCert.config=[PKI_INSTANCE_PATH]/profiles/ca/caServerCert.cfg
+profile.caServerCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_DIR]profiles/ca/caServerCert.cfg
profile.caSignedLogCert.class_id=caEnrollImpl
-profile.caSignedLogCert.config=[PKI_INSTANCE_PATH]/profiles/ca/caSignedLogCert.cfg
+profile.caSignedLogCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_DIR]profiles/ca/caSignedLogCert.cfg
profile.caSimpleCMCUserCert.class_id=caEnrollImpl
-profile.caSimpleCMCUserCert.config=[PKI_INSTANCE_PATH]/profiles/ca/caSimpleCMCUserCert.cfg
+profile.caSimpleCMCUserCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_DIR]profiles/ca/caSimpleCMCUserCert.cfg
profile.caTPSCert.class_id=caEnrollImpl
-profile.caTPSCert.config=[PKI_INSTANCE_PATH]/profiles/ca/caTPSCert.cfg
+profile.caTPSCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_DIR]profiles/ca/caTPSCert.cfg
profile.caAdminCert.class_id=caEnrollImpl
-profile.caAdminCert.config=[PKI_INSTANCE_PATH]/profiles/ca/caAdminCert.cfg
+profile.caAdminCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_DIR]profiles/ca/caAdminCert.cfg
profile.caTempTokenDeviceKeyEnrollment.class_id=caUserCertEnrollImpl
-profile.caTempTokenDeviceKeyEnrollment.config=[PKI_INSTANCE_PATH]/profiles/ca/caTempTokenDeviceKeyEnrollment.cfg
+profile.caTempTokenDeviceKeyEnrollment.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_DIR]profiles/ca/caTempTokenDeviceKeyEnrollment.cfg
profile.caTempTokenUserEncryptionKeyEnrollment.class_id=caUserCertEnrollImpl
-profile.caTempTokenUserEncryptionKeyEnrollment.config=[PKI_INSTANCE_PATH]/profiles/ca/caTempTokenUserEncryptionKeyEnrollment.cfg
+profile.caTempTokenUserEncryptionKeyEnrollment.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_DIR]profiles/ca/caTempTokenUserEncryptionKeyEnrollment.cfg
profile.caTokenUserEncryptionKeyRenewal.class_id=caUserCertEnrollImpl
-profile.caTokenUserEncryptionKeyRenewal.config=[PKI_INSTANCE_PATH]/profiles/ca/caTokenUserEncryptionKeyRenewal.cfg
+profile.caTokenUserEncryptionKeyRenewal.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_DIR]profiles/ca/caTokenUserEncryptionKeyRenewal.cfg
profile.caTempTokenUserSigningKeyEnrollment.class_id=caUserCertEnrollImpl
-profile.caTempTokenUserSigningKeyEnrollment.config=[PKI_INSTANCE_PATH]/profiles/ca/caTempTokenUserSigningKeyEnrollment.cfg
+profile.caTempTokenUserSigningKeyEnrollment.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_DIR]profiles/ca/caTempTokenUserSigningKeyEnrollment.cfg
profile.caTokenUserSigningKeyRenewal.class_id=caUserCertEnrollImpl
-profile.caTokenUserSigningKeyRenewal.config=[PKI_INSTANCE_PATH]/profiles/ca/caTokenUserSigningKeyRenewal.cfg
+profile.caTokenUserSigningKeyRenewal.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_DIR]profiles/ca/caTokenUserSigningKeyRenewal.cfg
profile.caTokenDeviceKeyEnrollment.class_id=caUserCertEnrollImpl
-profile.caTokenDeviceKeyEnrollment.config=[PKI_INSTANCE_PATH]/profiles/ca/caTokenDeviceKeyEnrollment.cfg
+profile.caTokenDeviceKeyEnrollment.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_DIR]profiles/ca/caTokenDeviceKeyEnrollment.cfg
profile.caTokenUserEncryptionKeyEnrollment.class_id=caUserCertEnrollImpl
-profile.caTokenUserEncryptionKeyEnrollment.config=[PKI_INSTANCE_PATH]/profiles/ca/caTokenUserEncryptionKeyEnrollment.cfg
+profile.caTokenUserEncryptionKeyEnrollment.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_DIR]profiles/ca/caTokenUserEncryptionKeyEnrollment.cfg
profile.caTokenUserSigningKeyEnrollment.class_id=caUserCertEnrollImpl
-profile.caTokenUserSigningKeyEnrollment.config=[PKI_INSTANCE_PATH]/profiles/ca/caTokenUserSigningKeyEnrollment.cfg
+profile.caTokenUserSigningKeyEnrollment.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_DIR]profiles/ca/caTokenUserSigningKeyEnrollment.cfg
profile.caTokenMSLoginEnrollment.class_id=caUserCertEnrollImpl
-profile.caTokenMSLoginEnrollment.config=[PKI_INSTANCE_PATH]/profiles/ca/caTokenMSLoginEnrollment.cfg
+profile.caTokenMSLoginEnrollment.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_DIR]profiles/ca/caTokenMSLoginEnrollment.cfg
profile.caTransportCert.class_id=caEnrollImpl
-profile.caTransportCert.config=[PKI_INSTANCE_PATH]/profiles/ca/caTransportCert.cfg
+profile.caTransportCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_DIR]profiles/ca/caTransportCert.cfg
profile.caUserCert.class_id=caEnrollImpl
-profile.caUserCert.config=[PKI_INSTANCE_PATH]/profiles/ca/caUserCert.cfg
+profile.caUserCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_DIR]profiles/ca/caUserCert.cfg
profile.caECUserCert.class_id=caEnrollImpl
-profile.caECUserCert.config=[PKI_INSTANCE_PATH]/profiles/ca/caECUserCert.cfg
+profile.caECUserCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_DIR]profiles/ca/caECUserCert.cfg
profile.caUserSMIMEcapCert.class_id=caEnrollImpl
-profile.caUserSMIMEcapCert.config=[PKI_INSTANCE_PATH]/profiles/ca/caUserSMIMEcapCert.cfg
+profile.caUserSMIMEcapCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_DIR]profiles/ca/caUserSMIMEcapCert.cfg
profile.caJarSigningCert.class_id=caEnrollImpl
-profile.caJarSigningCert.config=[PKI_INSTANCE_PATH]/profiles/ca/caJarSigningCert.cfg
+profile.caJarSigningCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_DIR]profiles/ca/caJarSigningCert.cfg
profile.caIPAserviceCert.class_id=caEnrollImpl
-profile.caIPAserviceCert.config=[PKI_INSTANCE_PATH]/profiles/ca/caIPAserviceCert.cfg
+profile.caIPAserviceCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_DIR]profiles/ca/caIPAserviceCert.cfg
profile.caEncUserCert.class_id=caEnrollImpl
-profile.caEncUserCert.config=[PKI_INSTANCE_PATH]/profiles/ca/caEncUserCert.cfg
+profile.caEncUserCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_DIR]profiles/ca/caEncUserCert.cfg
profile.caEncECUserCert.class_id=caEnrollImpl
-profile.caEncECUserCert.config=[PKI_INSTANCE_PATH]/profiles/ca/caEncECUserCert.cfg
-registry.file=[PKI_INSTANCE_PATH]/conf/registry.cfg
+profile.caEncECUserCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_DIR]profiles/ca/caEncECUserCert.cfg
+registry.file=[PKI_INSTANCE_PATH]/conf/[PKI_SUBSYSTEM_DIR]registry.cfg
processor.caProfileProcess.getClientCert=true
processor.caProfileProcess.authzMgr=BasicAclAuthz
processor.caProfileProcess.authorityId=ca
@@ -1096,7 +1097,7 @@ selftests.container.logger.bufferSize=512
selftests.container.logger.class=com.netscape.cms.logging.RollingLogFile
selftests.container.logger.enable=true
selftests.container.logger.expirationTime=0
-selftests.container.logger.fileName=[PKI_INSTANCE_PATH]/logs/selftests.log
+selftests.container.logger.fileName=[PKI_INSTANCE_PATH]/logs/[PKI_SUBSYSTEM_DIR]selftests.log
selftests.container.logger.flushInterval=5
selftests.container.logger.level=1
selftests.container.logger.maxFileSize=2000
diff --git a/base/ca/shared/webapps/ca/WEB-INF/web.xml b/base/ca/shared/webapps/ca/WEB-INF/web.xml
index 692cb4898..8471d6cd4 100644
--- a/base/ca/shared/webapps/ca/WEB-INF/web.xml
+++ b/base/ca/shared/webapps/ca/WEB-INF/web.xml
@@ -3,90 +3,6 @@
PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN" "file:///usr/share/pki/setup/web-app_2_3.dtd">
<web-app>
- <filter>
- <filter-name>AgentRequestFilter</filter-name>
- <filter-class>com.netscape.cms.servlet.filter.AgentRequestFilter</filter-class>
- <init-param>
- <param-name>https_port</param-name>
- <param-value>[PKI_AGENT_SECURE_PORT]</param-value>
- </init-param>
-[PKI_OPEN_ENABLE_PROXY_COMMENT]
- <init-param>
- <param-name>proxy_port</param-name>
- <param-value>[PKI_PROXY_SECURE_PORT]</param-value>
- </init-param>
-[PKI_CLOSE_ENABLE_PROXY_COMMENT]
- <init-param>
- <param-name>active</param-name>
- <param-value>true</param-value>
- </init-param>
- </filter>
-
- <filter>
- <filter-name>AdminRequestFilter</filter-name>
- <filter-class>com.netscape.cms.servlet.filter.AdminRequestFilter</filter-class>
- <init-param>
- <param-name>https_port</param-name>
- <param-value>[PKI_ADMIN_SECURE_PORT]</param-value>
- </init-param>
-[PKI_OPEN_ENABLE_PROXY_COMMENT]
- <init-param>
- <param-name>proxy_port</param-name>
- <param-value>[PKI_PROXY_SECURE_PORT]</param-value>
- </init-param>
-[PKI_CLOSE_ENABLE_PROXY_COMMENT]
- <init-param>
- <param-name>active</param-name>
- <param-value>true</param-value>
- </init-param>
- </filter>
-
- <filter>
- <filter-name>EERequestFilter</filter-name>
- <filter-class>com.netscape.cms.servlet.filter.EERequestFilter</filter-class>
- <init-param>
- <param-name>http_port</param-name>
- <param-value>[PKI_UNSECURE_PORT]</param-value>
- </init-param>
- <init-param>
- <param-name>https_port</param-name>
- <param-value>[PKI_EE_SECURE_PORT]</param-value>
- </init-param>
-[PKI_OPEN_ENABLE_PROXY_COMMENT]
- <init-param>
- <param-name>proxy_port</param-name>
- <param-value>[PKI_PROXY_SECURE_PORT]</param-value>
- </init-param>
- <init-param>
- <param-name>proxy_http_port</param-name>
- <param-value>[PKI_PROXY_UNSECURE_PORT]</param-value>
- </init-param>
-[PKI_CLOSE_ENABLE_PROXY_COMMENT]
- <init-param>
- <param-name>active</param-name>
- <param-value>true</param-value>
- </init-param>
- </filter>
-
- <filter>
- <filter-name>EEClientAuthRequestFilter</filter-name>
- <filter-class>com.netscape.cms.servlet.filter.EEClientAuthRequestFilter</filter-class>
- <init-param>
- <param-name>https_port</param-name>
- <param-value>[PKI_EE_SECURE_CLIENT_AUTH_PORT]</param-value>
- </init-param>
-[PKI_OPEN_ENABLE_PROXY_COMMENT]
- <init-param>
- <param-name>proxy_port</param-name>
- <param-value>[PKI_PROXY_SECURE_PORT]</param-value>
- </init-param>
-[PKI_CLOSE_ENABLE_PROXY_COMMENT]
- <init-param>
- <param-name>active</param-name>
- <param-value>true</param-value>
- </init-param>
- </filter>
-
<servlet>
<servlet-name>csadmin-wizard</servlet-name>
<servlet-class>com.netscape.cms.servlet.wizard.WizardServlet</servlet-class>
@@ -415,7 +331,7 @@
<init-param><param-name> AuthzMgr </param-name>
<param-value> BasicAclAuthz </param-value> </init-param>
<init-param><param-name> cfgPath </param-name>
- <param-value> [PKI_INSTANCE_PATH]/conf/CS.cfg </param-value> </init-param>
+ <param-value> [PKI_INSTANCE_PATH]/conf/[PKI_SUBSYSTEM_DIR]CS.cfg </param-value> </init-param>
<init-param><param-name> ID </param-name>
<param-value> castart </param-value> </init-param>
<load-on-startup> 1 </load-on-startup>
@@ -1900,10 +1816,9 @@
<param-value> /agent/ca/doRevoke </param-value> </init-param>
</servlet>
- <context-param>
- <param-name>resteasy.scan</param-name>
- <param-value>true</param-value>
- </context-param>
+ <listener>
+ <listener-class> org.jboss.resteasy.plugins.server.servlet.ResteasyBootstrap </listener-class>
+ </listener>
<context-param>
<param-name>resteasy.servlet.mapping.prefix</param-name>
@@ -1920,50 +1835,12 @@
<servlet>
<servlet-name>Resteasy</servlet-name>
<servlet-class>org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher</servlet-class>
+ <init-param>
+ <param-name>javax.ws.rs.Application</param-name>
+ <param-value>com.netscape.ca.CertificateAuthorityApplication</param-value>
+ </init-param>
</servlet>
-[PKI_OPEN_SEPARATE_PORTS_WEB_COMMENT]
- <filter-mapping>
- <filter-name> AgentRequestFilter </filter-name>
- <url-pattern> /agent/* </url-pattern>
- <url-pattern> /ca/getCertFromRequest </url-pattern>
- <url-pattern> /ca/getBySerial </url-pattern>
- <url-pattern> /ca/connector </url-pattern>
- <url-pattern> /ca/displayCertFromRequest </url-pattern>
- <url-pattern> /doRevoke </url-pattern>
- </filter-mapping>
-
- <filter-mapping>
- <filter-name> AdminRequestFilter </filter-name>
- <url-pattern> /admin/* </url-pattern>
- <url-pattern> /auths </url-pattern>
- <url-pattern> /acl </url-pattern>
- <url-pattern> /server </url-pattern>
- <url-pattern> /caadmin </url-pattern>
- <url-pattern> /caprofile </url-pattern>
- <url-pattern> /jobsScheduler </url-pattern>
- <url-pattern> /capublisher </url-pattern>
- <url-pattern> /log </url-pattern>
- <url-pattern> /ug </url-pattern>
- </filter-mapping>
-
- <filter-mapping>
- <filter-name> EEClientAuthRequestFilter </filter-name>
- <url-pattern> /eeca/* </url-pattern>
- </filter-mapping>
-
- <filter-mapping>
- <filter-name> EERequestFilter </filter-name>
- <url-pattern> /ee/* </url-pattern>
- <url-pattern> /renewal </url-pattern>
- <url-pattern> /certbasedenrollment </url-pattern>
- <url-pattern> /ocsp </url-pattern>
- <url-pattern> /enrollment </url-pattern>
- <url-pattern> /profileSubmit </url-pattern>
- <url-pattern> /cgi-bin/pkiclient.exe </url-pattern>
- </filter-mapping>
-[PKI_CLOSE_SEPARATE_PORTS_WEB_COMMENT]
-
<servlet-mapping>
<servlet-name>Resteasy</servlet-name>
<url-pattern>/pki/*</url-pattern>
diff --git a/base/common/shared/conf/catalina.properties b/base/common/shared/conf/catalina.properties
index 003089a43..c44758699 100644
--- a/base/common/shared/conf/catalina.properties
+++ b/base/common/shared/conf/catalina.properties
@@ -51,6 +51,10 @@ package.definition=sun.,java.,org.apache.catalina.,org.apache.coyote.,org.apache
# repositories
# "foo/bar.jar": Add bar.jar as a class repository
common.loader=${catalina.base}/lib,${catalina.base}/lib/*.jar,${catalina.home}/lib,${catalina.home}/lib/*.jar,[TOMCAT_INSTANCE_COMMON_LIB]
+#,[PKI_INSTANCE_PATH]/webapps/ca/WEB-INF/lib/pki-ca.jar
+#,[PKI_INSTANCE_PATH]/webapps/kra/WEB-INF/lib/pki-kra.jar
+#,[PKI_INSTANCE_PATH]/webapps/ocsp/WEB-INF/lib/pki-ocsp.jar
+#,[PKI_INSTANCE_PATH]/webapps/tks/WEB-INF/lib/pki-tks.jar
#
# List of comma-separated paths defining the contents of the "server"
diff --git a/base/common/shared/conf/log4j.properties b/base/common/shared/conf/log4j.properties
index 5861ec750..dd4bd9318 100644
--- a/base/common/shared/conf/log4j.properties
+++ b/base/common/shared/conf/log4j.properties
@@ -4,14 +4,27 @@
# Modifications: configuration parameters
# --- END COPYRIGHT BLOCK ---
-log4j.rootLogger=debug, R
-log4j.appender.R=org.apache.log4j.RollingFileAppender
-log4j.appender.R.File=${catalina.home}/logs/tomcat.log
-log4j.appender.R.MaxFileSize=10MB
-log4j.appender.R.MaxBackupIndex=10
-log4j.appender.R.layout=org.apache.log4j.PatternLayout
-log4j.appender.R.layout.ConversionPattern=%p %t %c - %m%n
+log4j.rootLogger=debug, R
+log4j.appender.R=org.apache.log4j.RollingFileAppender
+log4j.appender.R.File=${catalina.base}/logs/catalina.out
+log4j.appender.R.MaxFileSize=10MB
+log4j.appender.R.MaxBackupIndex=10
+log4j.appender.R.layout=org.apache.log4j.PatternLayout
+log4j.appender.R.layout.ConversionPattern=%p %t %c - %m%n
log4j.logger.org.apache.catalina=DEBUG, R
log4j.logger.org.apache.catalina.core.ContainerBase.[Catalina].[localhost]=DEBUG, R
log4j.logger.org.apache.catalina.core=DEBUG, R
log4j.logger.org.apache.catalina.session=DEBUG, R
+
+#resteasy
+log4j.appender.stdout=org.apache.log4j.ConsoleAppender
+log4j.appender.stdout.Target=System.out
+log4j.appender.stdout.layout=org.apache.log4j.PatternLayout
+log4j.appender.stdout.layout.ConversionPattern=%d{ABSOLUTE} %5p (%c:%L) - %m%n
+log4j.rootLogger=warn, stdout
+log4j.rootCategory=debug, stdout
+log4j.category.org.jboss.resteasy.core=debug
+log4j.category.org.jboss.resteasy.plugins.providers=debug
+log4j.category.org.jboss.resteasy.specimpl=debug
+log4j.category.org.jboss.resteasy.plugins.server=debug
+log4j.logger.org.jboss.resteasy.mock=debug
diff --git a/base/common/shared/conf/server.xml b/base/common/shared/conf/server.xml
index d5788552c..46ee15b0b 100644
--- a/base/common/shared/conf/server.xml
+++ b/base/common/shared/conf/server.xml
@@ -68,7 +68,10 @@ Tomcat Port = [TOMCAT_SERVER_PORT] (for shutdown)
<Server port="[TOMCAT_SERVER_PORT]" shutdown="SHUTDOWN">
<!--APR library loader. Documentation at /docs/apr.html -->
- <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />
+ <!-- The following Listener class has been commented out because this -->
+ <!-- implementation depends upon the 'tomcatjss' JSSE module, 'JSS', -->
+ <!-- and 'NSS' rather than the 'tomcat-native' module! -->
+ <!-- Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" -->
<!--Initialize Jasper prior to webapps are loaded. Documentation at /docs/jasper-howto.html -->
<Listener className="org.apache.catalina.core.JasperListener" />
<!-- JMX Support for the Tomcat server. Documentation at /docs/non-existent.html -->
@@ -116,7 +119,7 @@ Tomcat Port = [TOMCAT_SERVER_PORT] (for shutdown)
[PKI_UNSECURE_PORT_SERVER_COMMENT]
<Connector name="[PKI_UNSECURE_PORT_CONNECTOR_NAME]" port="[PKI_UNSECURE_PORT]" protocol="HTTP/1.1" redirectPort="8443"
maxHttpHeaderSize="8192"
- acceptCount="100" maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
+ acceptCount="100" maxThreads="150" minSpareThreads="25"
enableLookups="false" connectionTimeout="20000" disableUploadTimeout="true"
/>
@@ -124,9 +127,31 @@ Tomcat Port = [TOMCAT_SERVER_PORT] (for shutdown)
[PKI_SECURE_PORT_SERVER_COMMENT]
<!-- DO NOT REMOVE - Begin define PKI secure port
1
+ NOTE: The following 'keys' (and their assigned values) are exclusive to
+ the 'tomcatjss' JSSE module:
+
+ 'enableOCSP'
+ 'ocspResponderURL'
+ 'ocspResponderCertNickname'
+ 'ocspCacheSize'
+ 'ocspMinCacheEntryDuration'
+ 'ocspMaxCacheEntryDuration'
+ 'ocspTimeout'
+ 'strictCiphers'
+ 'clientauth' (ALL lowercase)
+ 'sslOptions'
+ 'ssl2Ciphers'
+ 'ssl3Ciphers'
+ 'tlsCiphers'
+ 'serverCertNickFile'
+ 'passwordFile'
+ 'passwordClass'
+ 'certdbDir'
+
+ and are referenced via the value of the 'sslImplementationName' key.
NOTE: The OCSP settings take effect globally, so it should only be set once.
- In setup where SSL clientAuth="true", OCSP can be turned on by
+ In setup where SSL clientauth="true", OCSP can be turned on by
setting enableOCSP to true like the following:
enableOCSP="true"
along with changes to related settings, especially:
@@ -150,9 +175,9 @@ Tomcat Port = [TOMCAT_SERVER_PORT] (for shutdown)
-->
<Connector name="[PKI_SECURE_PORT_CONNECTOR_NAME]" port="[PKI_SECURE_PORT]" protocol="HTTP/1.1" SSLEnabled="true" sslProtocol="SSL" scheme="https" secure="true"
maxHttpHeaderSize="8192"
- acceptCount="100" maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
+ acceptCount="100" maxThreads="150" minSpareThreads="25"
enableLookups="false" disableUploadTimeout="true"
- SSLImplementation="org.apache.tomcat.util.net.jss.JSSImplementation"
+ sslImplementationName="org.apache.tomcat.util.net.jss.JSSImplementation"
enableOCSP="false"
ocspResponderURL="http://[PKI_MACHINE_NAME]:9080/ca/ocsp"
ocspResponderCertNickname="ocspSigningCert cert-pki-ca"
@@ -162,6 +187,7 @@ Tomcat Port = [TOMCAT_SERVER_PORT] (for shutdown)
ocspTimeout="10"
strictCiphers="false"
clientAuth="[PKI_AGENT_CLIENTAUTH]"
+ clientauth="[PKI_AGENT_CLIENTAUTH]"
sslOptions="[TOMCAT_SSL_OPTIONS]"
ssl2Ciphers="[TOMCAT_SSL2_CIPHERS]"
ssl3Ciphers="[TOMCAT_SSL3_CIPHERS]"
@@ -173,23 +199,6 @@ Tomcat Port = [TOMCAT_SERVER_PORT] (for shutdown)
/>
<!-- DO NOT REMOVE - End define PKI secure port -->
- <!-- A "Connector" using the shared thread pool-->
- <!--
- <Connector executor="tomcatThreadPool"
- port="8080" protocol="HTTP/1.1"
- connectionTimeout="20000"
- redirectPort="8443" />
- -->
- <!-- Define a SSL HTTP/1.1 Connector on port 8443
- This connector uses the JSSE configuration, when using APR, the
- connector should be using the OpenSSL style configuration
- described in the APR documentation -->
- <!--
- <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
- maxThreads="150" scheme="https" secure="true"
- clientAuth="false" sslProtocol="TLS" />
- -->
-
<!-- Define an AJP 1.3 Connector on port [PKI_AJP_PORT] -->
[PKI_OPEN_AJP_PORT_COMMENT]
<Connector port="[PKI_AJP_PORT]" protocol="AJP/1.3" redirectPort="[PKI_AJP_REDIRECT_PORT]" />
@@ -281,10 +290,45 @@ Tomcat Port = [TOMCAT_SERVER_PORT] (for shutdown)
<!-- Define the default virtual host
Note: XML Schema validation will not work with Xerces 2.2.
-->
- <Host name="localhost" appBase="webapps"
+ <Host name="localhost"
+ appBase="[PKI_INSTANCE_PATH]/webapps"
unpackWARs="true" autoDeploy="false"
xmlValidation="false" xmlNamespaceAware="false">
+ <!--
+ <Context path="/ca"
+ docBase="ca"
+ allowLinking="true">
+ <Loader className="org.apache.catalina.loader.VirtualWebappLoader"
+ virtualClasspath="[PKI_INSTANCE_PATH]/ca/webapps/ca/WEB-INF/classes;[PKI_INSTANCE_PATH]/ca/webapps/ca/WEB-INF/lib" />" />
+ <JarScanner scanAllDirectories="true" />
+ </Context>
+
+ <Context path="/kra"
+ docBase="kra"
+ allowLinking="true">
+ <Loader className="org.apache.catalina.loader.VirtualWebappLoader"
+ virtualClasspath="[PKI_INSTANCE_PATH]/kra/webapps/kra/WEB-INF/classes;[PKI_INSTANCE_PATH]/kra/webapps/kra/WEB-INF/lib" />
+ <JarScanner scanAllDirectories="true" />
+ </Context>
+
+ <Context path="/ocsp"
+ docBase="ocsp"
+ allowLinking="true">
+ <Loader className="org.apache.catalina.loader.VirtualWebappLoader"
+ virtualClasspath="[PKI_INSTANCE_PATH]/ocsp/webapps/ocsp/WEB-INF/classes;[PKI_INSTANCE_PATH]/ocsp/webapps/ocsp/WEB-INF/lib" />
+ <JarScanner scanAllDirectories="true" />
+ </Context>
+
+ <Context path="/tks"
+ docBase="tks"
+ allowLinking="true">
+ <Loader className="org.apache.catalina.loader.VirtualWebappLoader"
+ virtualClasspath="[PKI_INSTANCE_PATH]/tks/webapps/tks/WEB-INF/classes;[PKI_INSTANCE_PATH]/tks/webapps/tks/WEB-INF/lib" />
+ <JarScanner scanAllDirectories="true" />
+ </Context>
+ -->
+
<!-- SingleSignOn valve, share authentication between web applications
Documentation at: /docs/config/valve.html -->
<!--
@@ -294,8 +338,9 @@ Tomcat Port = [TOMCAT_SERVER_PORT] (for shutdown)
<!-- Access log processes all example.
Documentation at: /docs/config/valve.html -->
<!--
- <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
- prefix="localhost_access_log." suffix=".txt" pattern="common" resolveHosts="false"/>
+ <Valve className="org.apache.catalina.valves.AccessLogValve"
+ directory="logs" prefix="localhost_access_log." suffix=".txt"
+ pattern="common" resolveHosts="false"/>
-->
</Host>
diff --git a/base/common/shared/conf/serverCertNick.conf b/base/common/shared/conf/serverCertNick.conf
new file mode 100644
index 000000000..25bafd622
--- /dev/null
+++ b/base/common/shared/conf/serverCertNick.conf
@@ -0,0 +1,6 @@
+# --- BEGIN COPYRIGHT BLOCK ---
+# Copyright (C) 2012 Red Hat, Inc.
+# All rights reserved.
+# --- END COPYRIGHT BLOCK ---
+#
+Server-Cert cert-[PKI_INSTANCE_ID]
diff --git a/base/common/shared/conf/tomcat.conf b/base/common/shared/conf/tomcat.conf
index aa7fefd19..9c1a81bb7 100644
--- a/base/common/shared/conf/tomcat.conf
+++ b/base/common/shared/conf/tomcat.conf
@@ -21,7 +21,7 @@
CATALINA_BASE="[PKI_INSTANCE_PATH]"
#CATALINA_HOME="/usr/share/tomcat"
#JASPER_HOME="/usr/share/tomcat"
-#CATALINA_TMPDIR="/var/cache/tomcat/temp"
+CATALINA_TMPDIR=[PKI_TMPDIR]
# You can pass some parameters to java here if you wish to
#JAVA_OPTS="-Xminf0.1 -Xmaxf0.3"
@@ -29,6 +29,9 @@ CATALINA_BASE="[PKI_INSTANCE_PATH]"
# Use JAVA_OPTS to set java.library.path for libtcnative.so
#JAVA_OPTS="-Djava.library.path=/usr/lib"
+# Enable the following JAVA_OPTS to run a java debugger (e. g. - 'eclipse')
+#JAVA_OPTS="-Xdebug -Xrunjdwp:transport=dt_socket,address=8000,server=y,suspend=n -Djava.awt.headless=true -Xmx128M"
+
# What user should run tomcat
TOMCAT_USER="[PKI_USER]"
@@ -36,7 +39,7 @@ TOMCAT_USER="[PKI_USER]"
#LANG="en_US"
# Run tomcat under the Java Security Manager
-SECURITY_MANAGER="[PKI_SECURITY_MANAGER]"
+#SECURITY_MANAGER="[PKI_SECURITY_MANAGER]"
# Time to wait in seconds, before killing process
#SHUTDOWN_WAIT="30"
diff --git a/base/common/shared/conf/web.xml b/base/common/shared/conf/web.xml
new file mode 100644
index 000000000..cc8383cbf
--- /dev/null
+++ b/base/common/shared/conf/web.xml
@@ -0,0 +1,4283 @@
+<?xml version="1.0" encoding="ISO-8859-1"?>
+<!--
+ Licensed to the Apache Software Foundation (ASF) under one or more
+ contributor license agreements. See the NOTICE file distributed with
+ this work for additional information regarding copyright ownership.
+ The ASF licenses this file to You under the Apache License, Version 2.0
+ (the "License"); you may not use this file except in compliance with
+ the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+-->
+<web-app xmlns="http://java.sun.com/xml/ns/javaee"
+ xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+ xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
+ http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
+ version="3.0">
+
+ <!-- ======================== Introduction ============================== -->
+ <!-- This document defines default values for *all* web applications -->
+ <!-- loaded into this instance of Tomcat. As each application is -->
+ <!-- deployed, this file is processed, followed by the -->
+ <!-- "/WEB-INF/web.xml" deployment descriptor from your own -->
+ <!-- applications. -->
+ <!-- -->
+ <!-- WARNING: Do not configure application-specific resources here! -->
+ <!-- They should go in the "/WEB-INF/web.xml" file in your application. -->
+
+
+ <!-- ================== Built In Servlet Definitions ==================== -->
+
+
+ <!-- The default servlet for all web applications, that serves static -->
+ <!-- resources. It processes all requests that are not mapped to other -->
+ <!-- servlets with servlet mappings (defined either here or in your own -->
+ <!-- web.xml file). This servlet supports the following initialization -->
+ <!-- parameters (default values are in square brackets): -->
+ <!-- -->
+ <!-- debug Debugging detail level for messages logged -->
+ <!-- by this servlet. [0] -->
+ <!-- -->
+ <!-- fileEncoding Encoding to be used to read static resources -->
+ <!-- [platform default] -->
+ <!-- -->
+ <!-- input Input buffer size (in bytes) when reading -->
+ <!-- resources to be served. [2048] -->
+ <!-- -->
+ <!-- listings Should directory listings be produced if there -->
+ <!-- is no welcome file in this directory? [false] -->
+ <!-- WARNING: Listings for directories with many -->
+ <!-- entries can be slow and may consume -->
+ <!-- significant proportions of server resources. -->
+ <!-- -->
+ <!-- output Output buffer size (in bytes) when writing -->
+ <!-- resources to be served. [2048] -->
+ <!-- -->
+ <!-- readonly Is this context "read only", so HTTP -->
+ <!-- commands like PUT and DELETE are -->
+ <!-- rejected? [true] -->
+ <!-- -->
+ <!-- readmeFile File to display together with the directory -->
+ <!-- contents. [null] -->
+ <!-- -->
+ <!-- sendfileSize If the connector used supports sendfile, this -->
+ <!-- represents the minimal file size in KB for -->
+ <!-- which sendfile will be used. Use a negative -->
+ <!-- value to always disable sendfile. [48] -->
+ <!-- -->
+ <!-- useAcceptRanges Should the Accept-Ranges header be included -->
+ <!-- in responses where appropriate? [true] -->
+ <!-- -->
+ <!-- For directory listing customization. Checks localXsltFile, then -->
+ <!-- globalXsltFile, then defaults to original behavior. -->
+ <!-- -->
+ <!-- localXsltFile Make directory listings an XML doc and -->
+ <!-- pass the result to this style sheet residing -->
+ <!-- in that directory. This overrides -->
+ <!-- contextXsltFile and globalXsltFile[null] -->
+ <!-- -->
+ <!-- contextXsltFile Make directory listings an XML doc and -->
+ <!-- pass the result to this style sheet which is -->
+ <!-- relative to the context root. This overrides -->
+ <!-- globalXsltFile[null] -->
+ <!-- -->
+ <!-- globalXsltFile Site wide configuration version of -->
+ <!-- localXsltFile This argument is expected -->
+ <!-- to be a physical file. [null] -->
+ <!-- -->
+ <!-- -->
+
+ <servlet>
+ <servlet-name>default</servlet-name>
+ <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
+ <init-param>
+ <param-name>debug</param-name>
+ <param-value>0</param-value>
+ </init-param>
+ <init-param>
+ <param-name>listings</param-name>
+ <param-value>false</param-value>
+ </init-param>
+ <load-on-startup>1</load-on-startup>
+ </servlet>
+
+
+ <!-- The JSP page compiler and execution servlet, which is the mechanism -->
+ <!-- used by Tomcat to support JSP pages. Traditionally, this servlet -->
+ <!-- is mapped to the URL pattern "*.jsp". This servlet supports the -->
+ <!-- following initialization parameters (default values are in square -->
+ <!-- brackets): -->
+ <!-- -->
+ <!-- checkInterval If development is false and checkInterval is -->
+ <!-- greater than zero, background compilations are -->
+ <!-- enabled. checkInterval is the time in seconds -->
+ <!-- between checks to see if a JSP page (and its -->
+ <!-- dependent files) needs to be recompiled. [0] -->
+ <!-- -->
+ <!-- classdebuginfo Should the class file be compiled with -->
+ <!-- debugging information? [true] -->
+ <!-- -->
+ <!-- classpath What class path should I use while compiling -->
+ <!-- generated servlets? [Created dynamically -->
+ <!-- based on the current web application] -->
+ <!-- -->
+ <!-- compiler Which compiler Ant should use to compile JSP -->
+ <!-- pages. See the jasper documentation for more -->
+ <!-- information. -->
+ <!-- -->
+ <!-- compilerSourceVM Compiler source VM. [1.6] -->
+ <!-- -->
+ <!-- compilerTargetVM Compiler target VM. [1.6] -->
+ <!-- -->
+ <!-- development Is Jasper used in development mode? If true, -->
+ <!-- the frequency at which JSPs are checked for -->
+ <!-- modification may be specified via the -->
+ <!-- modificationTestInterval parameter. [true] -->
+ <!-- -->
+ <!-- displaySourceFragment -->
+ <!-- Should a source fragment be included in -->
+ <!-- exception messages? [true] -->
+ <!-- -->
+ <!-- dumpSmap Should the SMAP info for JSR45 debugging be -->
+ <!-- dumped to a file? [false] -->
+ <!-- False if suppressSmap is true -->
+ <!-- -->
+ <!-- enablePooling Determines whether tag handler pooling is -->
+ <!-- enabled. This is a compilation option. It will -->
+ <!-- not alter the behaviour of JSPs that have -->
+ <!-- already been compiled. [true] -->
+ <!-- -->
+ <!-- engineOptionsClass Allows specifying the Options class used to -->
+ <!-- configure Jasper. If not present, the default -->
+ <!-- EmbeddedServletOptions will be used. -->
+ <!-- -->
+ <!-- errorOnUseBeanInvalidClassAttribute -->
+ <!-- Should Jasper issue an error when the value of -->
+ <!-- the class attribute in an useBean action is -->
+ <!-- not a valid bean class? [true] -->
+ <!-- -->
+ <!-- fork Tell Ant to fork compiles of JSP pages so that -->
+ <!-- a separate JVM is used for JSP page compiles -->
+ <!-- from the one Tomcat is running in. [true] -->
+ <!-- -->
+ <!-- genStringAsCharArray -->
+ <!-- Should text strings be generated as char -->
+ <!-- arrays, to improve performance in some cases? -->
+ <!-- [false] -->
+ <!-- -->
+ <!-- ieClassId The class-id value to be sent to Internet -->
+ <!-- Explorer when using <jsp:plugin> tags. -->
+ <!-- [clsid:8AD9C840-044E-11D1-B3E9-00805F499D93] -->
+ <!-- -->
+ <!-- javaEncoding Java file encoding to use for generating java -->
+ <!-- source files. [UTF8] -->
+ <!-- -->
+ <!-- keepgenerated Should we keep the generated Java source code -->
+ <!-- for each page instead of deleting it? [true] -->
+ <!-- -->
+ <!-- mappedfile Should we generate static content with one -->
+ <!-- print statement per input line, to ease -->
+ <!-- debugging? [true] -->
+ <!-- -->
+ <!-- maxLoadedJsps The maximum number of JSPs that will be loaded -->
+ <!-- for a web application. If more than this -->
+ <!-- number of JSPs are loaded, the least recently -->
+ <!-- used JSPs will be unloaded so that the number -->
+ <!-- of JSPs loaded at any one time does not exceed -->
+ <!-- this limit. A value of zero or less indicates -->
+ <!-- no limit. [-1] -->
+ <!-- -->
+ <!-- jspIdleTimeout The amount of time in seconds a JSP can be -->
+ <!-- idle before it is unloaded. A value of zero -->
+ <!-- or less indicates never unload. [-1] -->
+ <!-- -->
+ <!-- modificationTestInterval -->
+ <!-- Causes a JSP (and its dependent files) to not -->
+ <!-- be checked for modification during the -->
+ <!-- specified time interval (in seconds) from the -->
+ <!-- last time the JSP was checked for -->
+ <!-- modification. A value of 0 will cause the JSP -->
+ <!-- to be checked on every access. -->
+ <!-- Used in development mode only. [4] -->
+ <!-- -->
+ <!-- recompileOnFail If a JSP compilation fails should the -->
+ <!-- modificationTestInterval be ignored and the -->
+ <!-- next access trigger a re-compilation attempt? -->
+ <!-- Used in development mode only and is disabled -->
+ <!-- by default as compilation may be expensive and -->
+ <!-- could lead to excessive resource usage. -->
+ <!-- [false] -->
+ <!-- -->
+ <!-- scratchdir What scratch directory should we use when -->
+ <!-- compiling JSP pages? [default work directory -->
+ <!-- for the current web application] -->
+ <!-- -->
+ <!-- suppressSmap Should the generation of SMAP info for JSR45 -->
+ <!-- debugging be suppressed? [false] -->
+ <!-- -->
+ <!-- trimSpaces Should white spaces in template text between -->
+ <!-- actions or directives be trimmed? [false] -->
+ <!-- -->
+ <!-- xpoweredBy Determines whether X-Powered-By response -->
+ <!-- header is added by generated servlet. [false] -->
+
+ <servlet>
+ <servlet-name>jsp</servlet-name>
+ <servlet-class>org.apache.jasper.servlet.JspServlet</servlet-class>
+ <init-param>
+ <param-name>fork</param-name>
+ <param-value>false</param-value>
+ </init-param>
+ <init-param>
+ <param-name>xpoweredBy</param-name>
+ <param-value>false</param-value>
+ </init-param>
+ <load-on-startup>3</load-on-startup>
+ </servlet>
+
+
+ <!-- NOTE: An SSI Filter is also available as an alternative SSI -->
+ <!-- implementation. Use either the Servlet or the Filter but NOT both. -->
+ <!-- -->
+ <!-- Server Side Includes processing servlet, which processes SSI -->
+ <!-- directives in HTML pages consistent with similar support in web -->
+ <!-- servers like Apache. Traditionally, this servlet is mapped to the -->
+ <!-- URL pattern "*.shtml". This servlet supports the following -->
+ <!-- initialization parameters (default values are in square brackets): -->
+ <!-- -->
+ <!-- buffered Should output from this servlet be buffered? -->
+ <!-- (0=false, 1=true) [0] -->
+ <!-- -->
+ <!-- debug Debugging detail level for messages logged -->
+ <!-- by this servlet. [0] -->
+ <!-- -->
+ <!-- expires The number of seconds before a page with SSI -->
+ <!-- directives will expire. [No default] -->
+ <!-- -->
+ <!-- isVirtualWebappRelative -->
+ <!-- Should "virtual" paths be interpreted as -->
+ <!-- relative to the context root, instead of -->
+ <!-- the server root? (0=false, 1=true) [0] -->
+ <!-- -->
+ <!-- inputEncoding The encoding to assume for SSI resources if -->
+ <!-- one is not available from the resource. -->
+ <!-- [Platform default] -->
+ <!-- -->
+ <!-- outputEncoding The encoding to use for the page that results -->
+ <!-- from the SSI processing. [UTF-8] -->
+ <!-- -->
+ <!-- allowExec Is use of the exec command enabled? [false] -->
+
+<!--
+ <servlet>
+ <servlet-name>ssi</servlet-name>
+ <servlet-class>
+ org.apache.catalina.ssi.SSIServlet
+ </servlet-class>
+ <init-param>
+ <param-name>buffered</param-name>
+ <param-value>1</param-value>
+ </init-param>
+ <init-param>
+ <param-name>debug</param-name>
+ <param-value>0</param-value>
+ </init-param>
+ <init-param>
+ <param-name>expires</param-name>
+ <param-value>666</param-value>
+ </init-param>
+ <init-param>
+ <param-name>isVirtualWebappRelative</param-name>
+ <param-value>0</param-value>
+ </init-param>
+ <load-on-startup>4</load-on-startup>
+ </servlet>
+-->
+
+
+ <!-- Common Gateway Includes (CGI) processing servlet, which supports -->
+ <!-- execution of external applications that conform to the CGI spec -->
+ <!-- requirements. Typically, this servlet is mapped to the URL pattern -->
+ <!-- "/cgi-bin/*", which means that any CGI applications that are -->
+ <!-- executed must be present within the web application. This servlet -->
+ <!-- supports the following initialization parameters (default values -->
+ <!-- are in square brackets): -->
+ <!-- -->
+ <!-- cgiPathPrefix The CGI search path will start at -->
+ <!-- webAppRootDir + File.separator + this prefix. -->
+ <!-- [WEB-INF/cgi] -->
+ <!-- -->
+ <!-- debug Debugging detail level for messages logged -->
+ <!-- by this servlet. [0] -->
+ <!-- -->
+ <!-- executable Name of the executable used to run the -->
+ <!-- script. [perl] -->
+ <!-- -->
+ <!-- parameterEncoding Name of parameter encoding to be used with -->
+ <!-- CGI servlet. -->
+ <!-- [System.getProperty("file.encoding","UTF-8")] -->
+ <!-- -->
+ <!-- passShellEnvironment Should the shell environment variables (if -->
+ <!-- any) be passed to the CGI script? [false] -->
+ <!-- -->
+ <!-- stderrTimeout The time (in milliseconds) to wait for the -->
+ <!-- reading of stderr to complete before -->
+ <!-- terminating the CGI process. [2000] -->
+
+<!--
+ <servlet>
+ <servlet-name>cgi</servlet-name>
+ <servlet-class>org.apache.catalina.servlets.CGIServlet</servlet-class>
+ <init-param>
+ <param-name>debug</param-name>
+ <param-value>0</param-value>
+ </init-param>
+ <init-param>
+ <param-name>cgiPathPrefix</param-name>
+ <param-value>WEB-INF/cgi</param-value>
+ </init-param>
+ <load-on-startup>5</load-on-startup>
+ </servlet>
+-->
+
+
+ <!-- ================ Built In Servlet Mappings ========================= -->
+
+
+ <!-- The servlet mappings for the built in servlets defined above. Note -->
+ <!-- that, by default, the CGI and SSI servlets are *not* mapped. You -->
+ <!-- must uncomment these mappings (or add them to your application's own -->
+ <!-- web.xml deployment descriptor) to enable these services -->
+
+ <!-- The mapping for the default servlet -->
+ <servlet-mapping>
+ <servlet-name>default</servlet-name>
+ <url-pattern>/</url-pattern>
+ </servlet-mapping>
+
+ <!-- The mappings for the JSP servlet -->
+ <servlet-mapping>
+ <servlet-name>jsp</servlet-name>
+ <url-pattern>*.jsp</url-pattern>
+ <url-pattern>*.jspx</url-pattern>
+ </servlet-mapping>
+
+ <!-- The mapping for the SSI servlet -->
+<!--
+ <servlet-mapping>
+ <servlet-name>ssi</servlet-name>
+ <url-pattern>*.shtml</url-pattern>
+ </servlet-mapping>
+-->
+
+ <!-- The mapping for the CGI Gateway servlet -->
+
+<!--
+ <servlet-mapping>
+ <servlet-name>cgi</servlet-name>
+ <url-pattern>/cgi-bin/*</url-pattern>
+ </servlet-mapping>
+-->
+
+
+ <!-- ================== Built In Filter Definitions ===================== -->
+
+ <!-- A filter that sets character encoding that is used to decode -->
+ <!-- parameters in a POST request -->
+<!--
+ <filter>
+ <filter-name>setCharacterEncodingFilter</filter-name>
+ <filter-class>org.apache.catalina.filters.SetCharacterEncodingFilter</filter-class>
+ <init-param>
+ <param-name>encoding</param-name>
+ <param-value>UTF-8</param-value>
+ </init-param>
+ <async-supported>true</async-supported>
+ </filter>
+-->
+
+ <!-- A filter that triggers request parameters parsing and rejects the -->
+ <!-- request if some parameters were skipped because of parsing errors or -->
+ <!-- request size limitations. -->
+<!--
+ <filter>
+ <filter-name>failedRequestFilter</filter-name>
+ <filter-class>
+ org.apache.catalina.filters.FailedRequestFilter
+ </filter-class>
+ <async-supported>true</async-supported>
+ </filter>
+-->
+
+
+ <!-- NOTE: An SSI Servlet is also available as an alternative SSI -->
+ <!-- implementation. Use either the Servlet or the Filter but NOT both. -->
+ <!-- -->
+ <!-- Server Side Includes processing filter, which processes SSI -->
+ <!-- directives in HTML pages consistent with similar support in web -->
+ <!-- servers like Apache. Traditionally, this filter is mapped to the -->
+ <!-- URL pattern "*.shtml", though it can be mapped to "*" as it will -->
+ <!-- selectively enable/disable SSI processing based on mime types. For -->
+ <!-- this to work you will need to uncomment the .shtml mime type -->
+ <!-- definition towards the bottom of this file. -->
+ <!-- The contentType init param allows you to apply SSI processing to JSP -->
+ <!-- pages, javascript, or any other content you wish. This filter -->
+ <!-- supports the following initialization parameters (default values are -->
+ <!-- in square brackets): -->
+ <!-- -->
+ <!-- contentType A regex pattern that must be matched before -->
+ <!-- SSI processing is applied. -->
+ <!-- [text/x-server-parsed-html(;.*)?] -->
+ <!-- -->
+ <!-- debug Debugging detail level for messages logged -->
+ <!-- by this servlet. [0] -->
+ <!-- -->
+ <!-- expires The number of seconds before a page with SSI -->
+ <!-- directives will expire. [No default] -->
+ <!-- -->
+ <!-- isVirtualWebappRelative -->
+ <!-- Should "virtual" paths be interpreted as -->
+ <!-- relative to the context root, instead of -->
+ <!-- the server root? (0=false, 1=true) [0] -->
+ <!-- -->
+ <!-- allowExec Is use of the exec command enabled? [false] -->
+
+<!--
+ <filter>
+ <filter-name>ssi</filter-name>
+ <filter-class>
+ org.apache.catalina.ssi.SSIFilter
+ </filter-class>
+ <init-param>
+ <param-name>contentType</param-name>
+ <param-value>text/x-server-parsed-html(;.*)?</param-value>
+ </init-param>
+ <init-param>
+ <param-name>debug</param-name>
+ <param-value>0</param-value>
+ </init-param>
+ <init-param>
+ <param-name>expires</param-name>
+ <param-value>666</param-value>
+ </init-param>
+ <init-param>
+ <param-name>isVirtualWebappRelative</param-name>
+ <param-value>0</param-value>
+ </init-param>
+ </filter>
+-->
+
+
+ <!-- ==================== Built In Filter Mappings ====================== -->
+
+ <!-- The mapping for the Set Character Encoding Filter -->
+<!--
+ <filter-mapping>
+ <filter-name>setCharacterEncodingFilter</filter-name>
+ <url-pattern>/*</url-pattern>
+ </filter-mapping>
+-->
+
+ <!-- The mapping for the Failed Request Filter -->
+<!--
+ <filter-mapping>
+ <filter-name>failedRequestFilter</filter-name>
+ <url-pattern>/*</url-pattern>
+ </filter-mapping>
+-->
+
+ <!-- The mapping for the SSI Filter -->
+<!--
+ <filter-mapping>
+ <filter-name>ssi</filter-name>
+ <url-pattern>*.shtml</url-pattern>
+ </filter-mapping>
+-->
+
+
+ <!-- ==================== Default Session Configuration ================= -->
+ <!-- You can set the default session timeout (in minutes) for all newly -->
+ <!-- created sessions by modifying the value below. -->
+
+ <session-config>
+ <session-timeout>30</session-timeout>
+ </session-config>
+
+
+ <!-- ===================== Default MIME Type Mappings =================== -->
+ <!-- When serving static resources, Tomcat will automatically generate -->
+ <!-- a "Content-Type" header based on the resource's filename extension, -->
+ <!-- based on these mappings. Additional mappings can be added here (to -->
+ <!-- apply to all web applications), or in your own application's web.xml -->
+ <!-- deployment descriptor. -->
+
+ <mime-mapping>
+ <extension>123</extension>
+ <mime-type>application/vnd.lotus-1-2-3</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>3dml</extension>
+ <mime-type>text/vnd.in3d.3dml</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>3g2</extension>
+ <mime-type>video/3gpp2</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>3gp</extension>
+ <mime-type>video/3gpp</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>7z</extension>
+ <mime-type>application/x-7z-compressed</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>aab</extension>
+ <mime-type>application/x-authorware-bin</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>aac</extension>
+ <mime-type>audio/x-aac</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>aam</extension>
+ <mime-type>application/x-authorware-map</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>aas</extension>
+ <mime-type>application/x-authorware-seg</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>abs</extension>
+ <mime-type>audio/x-mpeg</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>abw</extension>
+ <mime-type>application/x-abiword</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>ac</extension>
+ <mime-type>application/pkix-attr-cert</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>acc</extension>
+ <mime-type>application/vnd.americandynamics.acc</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>ace</extension>
+ <mime-type>application/x-ace-compressed</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>acu</extension>
+ <mime-type>application/vnd.acucobol</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>acutc</extension>
+ <mime-type>application/vnd.acucorp</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>adp</extension>
+ <mime-type>audio/adpcm</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>aep</extension>
+ <mime-type>application/vnd.audiograph</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>afm</extension>
+ <mime-type>application/x-font-type1</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>afp</extension>
+ <mime-type>application/vnd.ibm.modcap</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>ahead</extension>
+ <mime-type>application/vnd.ahead.space</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>ai</extension>
+ <mime-type>application/postscript</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>aif</extension>
+ <mime-type>audio/x-aiff</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>aifc</extension>
+ <mime-type>audio/x-aiff</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>aiff</extension>
+ <mime-type>audio/x-aiff</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>aim</extension>
+ <mime-type>application/x-aim</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>air</extension>
+ <mime-type>application/vnd.adobe.air-application-installer-package+zip</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>ait</extension>
+ <mime-type>application/vnd.dvb.ait</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>ami</extension>
+ <mime-type>application/vnd.amiga.ami</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>anx</extension>
+ <mime-type>application/annodex</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>apk</extension>
+ <mime-type>application/vnd.android.package-archive</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>application</extension>
+ <mime-type>application/x-ms-application</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>apr</extension>
+ <mime-type>application/vnd.lotus-approach</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>art</extension>
+ <mime-type>image/x-jg</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>asc</extension>
+ <mime-type>application/pgp-signature</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>asf</extension>
+ <mime-type>video/x-ms-asf</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>asm</extension>
+ <mime-type>text/x-asm</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>aso</extension>
+ <mime-type>application/vnd.accpac.simply.aso</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>asx</extension>
+ <mime-type>video/x-ms-asf</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>atc</extension>
+ <mime-type>application/vnd.acucorp</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>atom</extension>
+ <mime-type>application/atom+xml</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>atomcat</extension>
+ <mime-type>application/atomcat+xml</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>atomsvc</extension>
+ <mime-type>application/atomsvc+xml</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>atx</extension>
+ <mime-type>application/vnd.antix.game-component</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>au</extension>
+ <mime-type>audio/basic</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>avi</extension>
+ <mime-type>video/x-msvideo</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>avx</extension>
+ <mime-type>video/x-rad-screenplay</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>aw</extension>
+ <mime-type>application/applixware</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>axa</extension>
+ <mime-type>audio/annodex</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>axv</extension>
+ <mime-type>video/annodex</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>azf</extension>
+ <mime-type>application/vnd.airzip.filesecure.azf</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>azs</extension>
+ <mime-type>application/vnd.airzip.filesecure.azs</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>azw</extension>
+ <mime-type>application/vnd.amazon.ebook</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>bat</extension>
+ <mime-type>application/x-msdownload</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>bcpio</extension>
+ <mime-type>application/x-bcpio</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>bdf</extension>
+ <mime-type>application/x-font-bdf</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>bdm</extension>
+ <mime-type>application/vnd.syncml.dm+wbxml</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>bed</extension>
+ <mime-type>application/vnd.realvnc.bed</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>bh2</extension>
+ <mime-type>application/vnd.fujitsu.oasysprs</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>bin</extension>
+ <mime-type>application/octet-stream</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>bmi</extension>
+ <mime-type>application/vnd.bmi</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>bmp</extension>
+ <mime-type>image/bmp</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>body</extension>
+ <mime-type>text/html</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>book</extension>
+ <mime-type>application/vnd.framemaker</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>box</extension>
+ <mime-type>application/vnd.previewsystems.box</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>boz</extension>
+ <mime-type>application/x-bzip2</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>bpk</extension>
+ <mime-type>application/octet-stream</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>btif</extension>
+ <mime-type>image/prs.btif</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>bz</extension>
+ <mime-type>application/x-bzip</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>bz2</extension>
+ <mime-type>application/x-bzip2</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>c</extension>
+ <mime-type>text/x-c</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>c11amc</extension>
+ <mime-type>application/vnd.cluetrust.cartomobile-config</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>c11amz</extension>
+ <mime-type>application/vnd.cluetrust.cartomobile-config-pkg</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>c4d</extension>
+ <mime-type>application/vnd.clonk.c4group</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>c4f</extension>
+ <mime-type>application/vnd.clonk.c4group</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>c4g</extension>
+ <mime-type>application/vnd.clonk.c4group</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>c4p</extension>
+ <mime-type>application/vnd.clonk.c4group</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>c4u</extension>
+ <mime-type>application/vnd.clonk.c4group</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>cab</extension>
+ <mime-type>application/vnd.ms-cab-compressed</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>cap</extension>
+ <mime-type>application/vnd.tcpdump.pcap</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>car</extension>
+ <mime-type>application/vnd.curl.car</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>cat</extension>
+ <mime-type>application/vnd.ms-pki.seccat</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>cc</extension>
+ <mime-type>text/x-c</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>cct</extension>
+ <mime-type>application/x-director</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>ccxml</extension>
+ <mime-type>application/ccxml+xml</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>cdbcmsg</extension>
+ <mime-type>application/vnd.contact.cmsg</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>cdf</extension>
+ <mime-type>application/x-cdf</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>cdkey</extension>
+ <mime-type>application/vnd.mediastation.cdkey</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>cdmia</extension>
+ <mime-type>application/cdmi-capability</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>cdmic</extension>
+ <mime-type>application/cdmi-container</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>cdmid</extension>
+ <mime-type>application/cdmi-domain</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>cdmio</extension>
+ <mime-type>application/cdmi-object</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>cdmiq</extension>
+ <mime-type>application/cdmi-queue</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>cdx</extension>
+ <mime-type>chemical/x-cdx</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>cdxml</extension>
+ <mime-type>application/vnd.chemdraw+xml</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>cdy</extension>
+ <mime-type>application/vnd.cinderella</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>cer</extension>
+ <mime-type>application/pkix-cert</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>cgm</extension>
+ <mime-type>image/cgm</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>chat</extension>
+ <mime-type>application/x-chat</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>chm</extension>
+ <mime-type>application/vnd.ms-htmlhelp</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>chrt</extension>
+ <mime-type>application/vnd.kde.kchart</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>cif</extension>
+ <mime-type>chemical/x-cif</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>cii</extension>
+ <mime-type>application/vnd.anser-web-certificate-issue-initiation</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>cil</extension>
+ <mime-type>application/vnd.ms-artgalry</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>cla</extension>
+ <mime-type>application/vnd.claymore</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>class</extension>
+ <mime-type>application/java</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>clkk</extension>
+ <mime-type>application/vnd.crick.clicker.keyboard</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>clkp</extension>
+ <mime-type>application/vnd.crick.clicker.palette</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>clkt</extension>
+ <mime-type>application/vnd.crick.clicker.template</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>clkw</extension>
+ <mime-type>application/vnd.crick.clicker.wordbank</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>clkx</extension>
+ <mime-type>application/vnd.crick.clicker</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>clp</extension>
+ <mime-type>application/x-msclip</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>cmc</extension>
+ <mime-type>application/vnd.cosmocaller</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>cmdf</extension>
+ <mime-type>chemical/x-cmdf</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>cml</extension>
+ <mime-type>chemical/x-cml</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>cmp</extension>
+ <mime-type>application/vnd.yellowriver-custom-menu</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>cmx</extension>
+ <mime-type>image/x-cmx</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>cod</extension>
+ <mime-type>application/vnd.rim.cod</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>com</extension>
+ <mime-type>application/x-msdownload</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>conf</extension>
+ <mime-type>text/plain</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>cpio</extension>
+ <mime-type>application/x-cpio</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>cpp</extension>
+ <mime-type>text/x-c</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>cpt</extension>
+ <mime-type>application/mac-compactpro</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>crd</extension>
+ <mime-type>application/x-mscardfile</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>crl</extension>
+ <mime-type>application/pkix-crl</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>crt</extension>
+ <mime-type>application/x-x509-ca-cert</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>cryptonote</extension>
+ <mime-type>application/vnd.rig.cryptonote</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>csh</extension>
+ <mime-type>application/x-csh</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>csml</extension>
+ <mime-type>chemical/x-csml</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>csp</extension>
+ <mime-type>application/vnd.commonspace</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>css</extension>
+ <mime-type>text/css</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>cst</extension>
+ <mime-type>application/x-director</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>csv</extension>
+ <mime-type>text/csv</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>cu</extension>
+ <mime-type>application/cu-seeme</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>curl</extension>
+ <mime-type>text/vnd.curl</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>cww</extension>
+ <mime-type>application/prs.cww</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>cxt</extension>
+ <mime-type>application/x-director</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>cxx</extension>
+ <mime-type>text/x-c</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>dae</extension>
+ <mime-type>model/vnd.collada+xml</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>daf</extension>
+ <mime-type>application/vnd.mobius.daf</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>dataless</extension>
+ <mime-type>application/vnd.fdsn.seed</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>davmount</extension>
+ <mime-type>application/davmount+xml</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>dcr</extension>
+ <mime-type>application/x-director</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>dcurl</extension>
+ <mime-type>text/vnd.curl.dcurl</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>dd2</extension>
+ <mime-type>application/vnd.oma.dd2+xml</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>ddd</extension>
+ <mime-type>application/vnd.fujixerox.ddd</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>deb</extension>
+ <mime-type>application/x-debian-package</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>def</extension>
+ <mime-type>text/plain</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>deploy</extension>
+ <mime-type>application/octet-stream</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>der</extension>
+ <mime-type>application/x-x509-ca-cert</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>dfac</extension>
+ <mime-type>application/vnd.dreamfactory</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>dib</extension>
+ <mime-type>image/bmp</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>dic</extension>
+ <mime-type>text/x-c</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>dir</extension>
+ <mime-type>application/x-director</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>dis</extension>
+ <mime-type>application/vnd.mobius.dis</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>dist</extension>
+ <mime-type>application/octet-stream</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>distz</extension>
+ <mime-type>application/octet-stream</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>djv</extension>
+ <mime-type>image/vnd.djvu</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>djvu</extension>
+ <mime-type>image/vnd.djvu</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>dll</extension>
+ <mime-type>application/x-msdownload</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>dmg</extension>
+ <mime-type>application/octet-stream</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>dmp</extension>
+ <mime-type>application/vnd.tcpdump.pcap</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>dms</extension>
+ <mime-type>application/octet-stream</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>dna</extension>
+ <mime-type>application/vnd.dna</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>doc</extension>
+ <mime-type>application/msword</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>docm</extension>
+ <mime-type>application/vnd.ms-word.document.macroenabled.12</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>docx</extension>
+ <mime-type>application/vnd.openxmlformats-officedocument.wordprocessingml.document</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>dot</extension>
+ <mime-type>application/msword</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>dotm</extension>
+ <mime-type>application/vnd.ms-word.template.macroenabled.12</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>dotx</extension>
+ <mime-type>application/vnd.openxmlformats-officedocument.wordprocessingml.template</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>dp</extension>
+ <mime-type>application/vnd.osgi.dp</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>dpg</extension>
+ <mime-type>application/vnd.dpgraph</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>dra</extension>
+ <mime-type>audio/vnd.dra</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>dsc</extension>
+ <mime-type>text/prs.lines.tag</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>dssc</extension>
+ <mime-type>application/dssc+der</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>dtb</extension>
+ <mime-type>application/x-dtbook+xml</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>dtd</extension>
+ <mime-type>application/xml-dtd</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>dts</extension>
+ <mime-type>audio/vnd.dts</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>dtshd</extension>
+ <mime-type>audio/vnd.dts.hd</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>dump</extension>
+ <mime-type>application/octet-stream</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>dv</extension>
+ <mime-type>video/x-dv</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>dvb</extension>
+ <mime-type>video/vnd.dvb.file</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>dvi</extension>
+ <mime-type>application/x-dvi</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>dwf</extension>
+ <mime-type>model/vnd.dwf</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>dwg</extension>
+ <mime-type>image/vnd.dwg</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>dxf</extension>
+ <mime-type>image/vnd.dxf</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>dxp</extension>
+ <mime-type>application/vnd.spotfire.dxp</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>dxr</extension>
+ <mime-type>application/x-director</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>ecelp4800</extension>
+ <mime-type>audio/vnd.nuera.ecelp4800</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>ecelp7470</extension>
+ <mime-type>audio/vnd.nuera.ecelp7470</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>ecelp9600</extension>
+ <mime-type>audio/vnd.nuera.ecelp9600</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>ecma</extension>
+ <mime-type>application/ecmascript</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>edm</extension>
+ <mime-type>application/vnd.novadigm.edm</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>edx</extension>
+ <mime-type>application/vnd.novadigm.edx</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>efif</extension>
+ <mime-type>application/vnd.picsel</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>ei6</extension>
+ <mime-type>application/vnd.pg.osasli</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>elc</extension>
+ <mime-type>application/octet-stream</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>eml</extension>
+ <mime-type>message/rfc822</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>emma</extension>
+ <mime-type>application/emma+xml</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>eol</extension>
+ <mime-type>audio/vnd.digital-winds</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>eot</extension>
+ <mime-type>application/vnd.ms-fontobject</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>eps</extension>
+ <mime-type>application/postscript</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>epub</extension>
+ <mime-type>application/epub+zip</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>es3</extension>
+ <mime-type>application/vnd.eszigno3+xml</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>esf</extension>
+ <mime-type>application/vnd.epson.esf</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>et3</extension>
+ <mime-type>application/vnd.eszigno3+xml</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>etx</extension>
+ <mime-type>text/x-setext</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>exe</extension>
+ <mime-type>application/octet-stream</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>exi</extension>
+ <mime-type>application/exi</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>ext</extension>
+ <mime-type>application/vnd.novadigm.ext</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>ez</extension>
+ <mime-type>application/andrew-inset</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>ez2</extension>
+ <mime-type>application/vnd.ezpix-album</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>ez3</extension>
+ <mime-type>application/vnd.ezpix-package</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>f</extension>
+ <mime-type>text/x-fortran</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>f4v</extension>
+ <mime-type>video/x-f4v</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>f77</extension>
+ <mime-type>text/x-fortran</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>f90</extension>
+ <mime-type>text/x-fortran</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>fbs</extension>
+ <mime-type>image/vnd.fastbidsheet</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>fcs</extension>
+ <mime-type>application/vnd.isac.fcs</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>fdf</extension>
+ <mime-type>application/vnd.fdf</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>fe_launch</extension>
+ <mime-type>application/vnd.denovo.fcselayout-link</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>fg5</extension>
+ <mime-type>application/vnd.fujitsu.oasysgp</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>fgd</extension>
+ <mime-type>application/x-director</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>fh</extension>
+ <mime-type>image/x-freehand</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>fh4</extension>
+ <mime-type>image/x-freehand</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>fh5</extension>
+ <mime-type>image/x-freehand</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>fh7</extension>
+ <mime-type>image/x-freehand</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>fhc</extension>
+ <mime-type>image/x-freehand</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>fig</extension>
+ <mime-type>application/x-xfig</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>flac</extension>
+ <mime-type>audio/flac</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>fli</extension>
+ <mime-type>video/x-fli</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>flo</extension>
+ <mime-type>application/vnd.micrografx.flo</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>flv</extension>
+ <mime-type>video/x-flv</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>flw</extension>
+ <mime-type>application/vnd.kde.kivio</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>flx</extension>
+ <mime-type>text/vnd.fmi.flexstor</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>fly</extension>
+ <mime-type>text/vnd.fly</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>fm</extension>
+ <mime-type>application/vnd.framemaker</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>fnc</extension>
+ <mime-type>application/vnd.frogans.fnc</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>for</extension>
+ <mime-type>text/x-fortran</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>fpx</extension>
+ <mime-type>image/vnd.fpx</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>frame</extension>
+ <mime-type>application/vnd.framemaker</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>fsc</extension>
+ <mime-type>application/vnd.fsc.weblaunch</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>fst</extension>
+ <mime-type>image/vnd.fst</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>ftc</extension>
+ <mime-type>application/vnd.fluxtime.clip</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>fti</extension>
+ <mime-type>application/vnd.anser-web-funds-transfer-initiation</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>fvt</extension>
+ <mime-type>video/vnd.fvt</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>fxp</extension>
+ <mime-type>application/vnd.adobe.fxp</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>fxpl</extension>
+ <mime-type>application/vnd.adobe.fxp</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>fzs</extension>
+ <mime-type>application/vnd.fuzzysheet</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>g2w</extension>
+ <mime-type>application/vnd.geoplan</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>g3</extension>
+ <mime-type>image/g3fax</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>g3w</extension>
+ <mime-type>application/vnd.geospace</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>gac</extension>
+ <mime-type>application/vnd.groove-account</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>gbr</extension>
+ <mime-type>application/rpki-ghostbusters</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>gdl</extension>
+ <mime-type>model/vnd.gdl</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>geo</extension>
+ <mime-type>application/vnd.dynageo</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>gex</extension>
+ <mime-type>application/vnd.geometry-explorer</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>ggb</extension>
+ <mime-type>application/vnd.geogebra.file</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>ggt</extension>
+ <mime-type>application/vnd.geogebra.tool</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>ghf</extension>
+ <mime-type>application/vnd.groove-help</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>gif</extension>
+ <mime-type>image/gif</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>gim</extension>
+ <mime-type>application/vnd.groove-identity-message</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>gmx</extension>
+ <mime-type>application/vnd.gmx</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>gnumeric</extension>
+ <mime-type>application/x-gnumeric</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>gph</extension>
+ <mime-type>application/vnd.flographit</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>gqf</extension>
+ <mime-type>application/vnd.grafeq</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>gqs</extension>
+ <mime-type>application/vnd.grafeq</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>gram</extension>
+ <mime-type>application/srgs</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>gre</extension>
+ <mime-type>application/vnd.geometry-explorer</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>grv</extension>
+ <mime-type>application/vnd.groove-injector</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>grxml</extension>
+ <mime-type>application/srgs+xml</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>gsf</extension>
+ <mime-type>application/x-font-ghostscript</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>gtar</extension>
+ <mime-type>application/x-gtar</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>gtm</extension>
+ <mime-type>application/vnd.groove-tool-message</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>gtw</extension>
+ <mime-type>model/vnd.gtw</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>gv</extension>
+ <mime-type>text/vnd.graphviz</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>gxt</extension>
+ <mime-type>application/vnd.geonext</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>gz</extension>
+ <mime-type>application/x-gzip</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>h</extension>
+ <mime-type>text/x-c</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>h261</extension>
+ <mime-type>video/h261</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>h263</extension>
+ <mime-type>video/h263</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>h264</extension>
+ <mime-type>video/h264</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>hal</extension>
+ <mime-type>application/vnd.hal+xml</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>hbci</extension>
+ <mime-type>application/vnd.hbci</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>hdf</extension>
+ <mime-type>application/x-hdf</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>hh</extension>
+ <mime-type>text/x-c</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>hlp</extension>
+ <mime-type>application/winhlp</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>hpgl</extension>
+ <mime-type>application/vnd.hp-hpgl</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>hpid</extension>
+ <mime-type>application/vnd.hp-hpid</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>hps</extension>
+ <mime-type>application/vnd.hp-hps</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>hqx</extension>
+ <mime-type>application/mac-binhex40</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>htc</extension>
+ <mime-type>text/x-component</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>htke</extension>
+ <mime-type>application/vnd.kenameaapp</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>htm</extension>
+ <mime-type>text/html</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>html</extension>
+ <mime-type>text/html</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>hvd</extension>
+ <mime-type>application/vnd.yamaha.hv-dic</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>hvp</extension>
+ <mime-type>application/vnd.yamaha.hv-voice</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>hvs</extension>
+ <mime-type>application/vnd.yamaha.hv-script</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>i2g</extension>
+ <mime-type>application/vnd.intergeo</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>icc</extension>
+ <mime-type>application/vnd.iccprofile</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>ice</extension>
+ <mime-type>x-conference/x-cooltalk</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>icm</extension>
+ <mime-type>application/vnd.iccprofile</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>ico</extension>
+ <mime-type>image/x-icon</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>ics</extension>
+ <mime-type>text/calendar</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>ief</extension>
+ <mime-type>image/ief</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>ifb</extension>
+ <mime-type>text/calendar</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>ifm</extension>
+ <mime-type>application/vnd.shana.informed.formdata</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>iges</extension>
+ <mime-type>model/iges</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>igl</extension>
+ <mime-type>application/vnd.igloader</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>igm</extension>
+ <mime-type>application/vnd.insors.igm</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>igs</extension>
+ <mime-type>model/iges</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>igx</extension>
+ <mime-type>application/vnd.micrografx.igx</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>iif</extension>
+ <mime-type>application/vnd.shana.informed.interchange</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>imp</extension>
+ <mime-type>application/vnd.accpac.simply.imp</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>ims</extension>
+ <mime-type>application/vnd.ms-ims</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>in</extension>
+ <mime-type>text/plain</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>ink</extension>
+ <mime-type>application/inkml+xml</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>inkml</extension>
+ <mime-type>application/inkml+xml</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>iota</extension>
+ <mime-type>application/vnd.astraea-software.iota</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>ipfix</extension>
+ <mime-type>application/ipfix</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>ipk</extension>
+ <mime-type>application/vnd.shana.informed.package</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>irm</extension>
+ <mime-type>application/vnd.ibm.rights-management</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>irp</extension>
+ <mime-type>application/vnd.irepository.package+xml</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>iso</extension>
+ <mime-type>application/octet-stream</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>itp</extension>
+ <mime-type>application/vnd.shana.informed.formtemplate</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>ivp</extension>
+ <mime-type>application/vnd.immervision-ivp</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>ivu</extension>
+ <mime-type>application/vnd.immervision-ivu</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>jad</extension>
+ <mime-type>text/vnd.sun.j2me.app-descriptor</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>jam</extension>
+ <mime-type>application/vnd.jam</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>jar</extension>
+ <mime-type>application/java-archive</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>java</extension>
+ <mime-type>text/x-java-source</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>jisp</extension>
+ <mime-type>application/vnd.jisp</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>jlt</extension>
+ <mime-type>application/vnd.hp-jlyt</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>jnlp</extension>
+ <mime-type>application/x-java-jnlp-file</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>joda</extension>
+ <mime-type>application/vnd.joost.joda-archive</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>jpe</extension>
+ <mime-type>image/jpeg</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>jpeg</extension>
+ <mime-type>image/jpeg</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>jpg</extension>
+ <mime-type>image/jpeg</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>jpgm</extension>
+ <mime-type>video/jpm</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>jpgv</extension>
+ <mime-type>video/jpeg</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>jpm</extension>
+ <mime-type>video/jpm</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>js</extension>
+ <mime-type>application/javascript</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>jsf</extension>
+ <mime-type>text/plain</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>json</extension>
+ <mime-type>application/json</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>jspf</extension>
+ <mime-type>text/plain</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>kar</extension>
+ <mime-type>audio/midi</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>karbon</extension>
+ <mime-type>application/vnd.kde.karbon</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>kfo</extension>
+ <mime-type>application/vnd.kde.kformula</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>kia</extension>
+ <mime-type>application/vnd.kidspiration</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>kml</extension>
+ <mime-type>application/vnd.google-earth.kml+xml</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>kmz</extension>
+ <mime-type>application/vnd.google-earth.kmz</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>kne</extension>
+ <mime-type>application/vnd.kinar</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>knp</extension>
+ <mime-type>application/vnd.kinar</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>kon</extension>
+ <mime-type>application/vnd.kde.kontour</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>kpr</extension>
+ <mime-type>application/vnd.kde.kpresenter</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>kpt</extension>
+ <mime-type>application/vnd.kde.kpresenter</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>ksp</extension>
+ <mime-type>application/vnd.kde.kspread</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>ktr</extension>
+ <mime-type>application/vnd.kahootz</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>ktx</extension>
+ <mime-type>image/ktx</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>ktz</extension>
+ <mime-type>application/vnd.kahootz</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>kwd</extension>
+ <mime-type>application/vnd.kde.kword</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>kwt</extension>
+ <mime-type>application/vnd.kde.kword</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>lasxml</extension>
+ <mime-type>application/vnd.las.las+xml</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>latex</extension>
+ <mime-type>application/x-latex</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>lbd</extension>
+ <mime-type>application/vnd.llamagraphics.life-balance.desktop</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>lbe</extension>
+ <mime-type>application/vnd.llamagraphics.life-balance.exchange+xml</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>les</extension>
+ <mime-type>application/vnd.hhe.lesson-player</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>lha</extension>
+ <mime-type>application/octet-stream</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>link66</extension>
+ <mime-type>application/vnd.route66.link66+xml</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>list</extension>
+ <mime-type>text/plain</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>list3820</extension>
+ <mime-type>application/vnd.ibm.modcap</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>listafp</extension>
+ <mime-type>application/vnd.ibm.modcap</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>log</extension>
+ <mime-type>text/plain</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>lostxml</extension>
+ <mime-type>application/lost+xml</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>lrf</extension>
+ <mime-type>application/octet-stream</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>lrm</extension>
+ <mime-type>application/vnd.ms-lrm</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>ltf</extension>
+ <mime-type>application/vnd.frogans.ltf</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>lvp</extension>
+ <mime-type>audio/vnd.lucent.voice</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>lwp</extension>
+ <mime-type>application/vnd.lotus-wordpro</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>lzh</extension>
+ <mime-type>application/octet-stream</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>m13</extension>
+ <mime-type>application/x-msmediaview</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>m14</extension>
+ <mime-type>application/x-msmediaview</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>m1v</extension>
+ <mime-type>video/mpeg</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>m21</extension>
+ <mime-type>application/mp21</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>m2a</extension>
+ <mime-type>audio/mpeg</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>m2v</extension>
+ <mime-type>video/mpeg</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>m3a</extension>
+ <mime-type>audio/mpeg</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>m3u</extension>
+ <mime-type>audio/x-mpegurl</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>m3u8</extension>
+ <mime-type>application/vnd.apple.mpegurl</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>m4a</extension>
+ <mime-type>audio/mp4</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>m4b</extension>
+ <mime-type>audio/mp4</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>m4r</extension>
+ <mime-type>audio/mp4</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>m4u</extension>
+ <mime-type>video/vnd.mpegurl</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>m4v</extension>
+ <mime-type>video/mp4</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>ma</extension>
+ <mime-type>application/mathematica</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>mac</extension>
+ <mime-type>image/x-macpaint</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>mads</extension>
+ <mime-type>application/mads+xml</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>mag</extension>
+ <mime-type>application/vnd.ecowin.chart</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>maker</extension>
+ <mime-type>application/vnd.framemaker</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>man</extension>
+ <mime-type>text/troff</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>mathml</extension>
+ <mime-type>application/mathml+xml</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>mb</extension>
+ <mime-type>application/mathematica</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>mbk</extension>
+ <mime-type>application/vnd.mobius.mbk</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>mbox</extension>
+ <mime-type>application/mbox</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>mc1</extension>
+ <mime-type>application/vnd.medcalcdata</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>mcd</extension>
+ <mime-type>application/vnd.mcd</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>mcurl</extension>
+ <mime-type>text/vnd.curl.mcurl</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>mdb</extension>
+ <mime-type>application/x-msaccess</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>mdi</extension>
+ <mime-type>image/vnd.ms-modi</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>me</extension>
+ <mime-type>text/troff</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>mesh</extension>
+ <mime-type>model/mesh</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>meta4</extension>
+ <mime-type>application/metalink4+xml</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>mets</extension>
+ <mime-type>application/mets+xml</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>mfm</extension>
+ <mime-type>application/vnd.mfmp</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>mft</extension>
+ <mime-type>application/rpki-manifest</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>mgp</extension>
+ <mime-type>application/vnd.osgeo.mapguide.package</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>mgz</extension>
+ <mime-type>application/vnd.proteus.magazine</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>mid</extension>
+ <mime-type>audio/midi</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>midi</extension>
+ <mime-type>audio/midi</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>mif</extension>
+ <mime-type>application/x-mif</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>mime</extension>
+ <mime-type>message/rfc822</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>mj2</extension>
+ <mime-type>video/mj2</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>mjp2</extension>
+ <mime-type>video/mj2</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>mlp</extension>
+ <mime-type>application/vnd.dolby.mlp</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>mmd</extension>
+ <mime-type>application/vnd.chipnuts.karaoke-mmd</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>mmf</extension>
+ <mime-type>application/vnd.smaf</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>mmr</extension>
+ <mime-type>image/vnd.fujixerox.edmics-mmr</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>mny</extension>
+ <mime-type>application/x-msmoney</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>mobi</extension>
+ <mime-type>application/x-mobipocket-ebook</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>mods</extension>
+ <mime-type>application/mods+xml</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>mov</extension>
+ <mime-type>video/quicktime</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>movie</extension>
+ <mime-type>video/x-sgi-movie</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>mp1</extension>
+ <mime-type>audio/mpeg</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>mp2</extension>
+ <mime-type>audio/mpeg</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>mp21</extension>
+ <mime-type>application/mp21</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>mp2a</extension>
+ <mime-type>audio/mpeg</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>mp3</extension>
+ <mime-type>audio/mpeg</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>mp4</extension>
+ <mime-type>video/mp4</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>mp4a</extension>
+ <mime-type>audio/mp4</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>mp4s</extension>
+ <mime-type>application/mp4</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>mp4v</extension>
+ <mime-type>video/mp4</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>mpa</extension>
+ <mime-type>audio/mpeg</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>mpc</extension>
+ <mime-type>application/vnd.mophun.certificate</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>mpe</extension>
+ <mime-type>video/mpeg</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>mpeg</extension>
+ <mime-type>video/mpeg</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>mpega</extension>
+ <mime-type>audio/x-mpeg</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>mpg</extension>
+ <mime-type>video/mpeg</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>mpg4</extension>
+ <mime-type>video/mp4</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>mpga</extension>
+ <mime-type>audio/mpeg</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>mpkg</extension>
+ <mime-type>application/vnd.apple.installer+xml</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>mpm</extension>
+ <mime-type>application/vnd.blueice.multipass</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>mpn</extension>
+ <mime-type>application/vnd.mophun.application</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>mpp</extension>
+ <mime-type>application/vnd.ms-project</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>mpt</extension>
+ <mime-type>application/vnd.ms-project</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>mpv2</extension>
+ <mime-type>video/mpeg2</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>mpy</extension>
+ <mime-type>application/vnd.ibm.minipay</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>mqy</extension>
+ <mime-type>application/vnd.mobius.mqy</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>mrc</extension>
+ <mime-type>application/marc</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>mrcx</extension>
+ <mime-type>application/marcxml+xml</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>ms</extension>
+ <mime-type>text/troff</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>mscml</extension>
+ <mime-type>application/mediaservercontrol+xml</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>mseed</extension>
+ <mime-type>application/vnd.fdsn.mseed</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>mseq</extension>
+ <mime-type>application/vnd.mseq</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>msf</extension>
+ <mime-type>application/vnd.epson.msf</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>msh</extension>
+ <mime-type>model/mesh</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>msi</extension>
+ <mime-type>application/x-msdownload</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>msl</extension>
+ <mime-type>application/vnd.mobius.msl</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>msty</extension>
+ <mime-type>application/vnd.muvee.style</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>mts</extension>
+ <mime-type>model/vnd.mts</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>mus</extension>
+ <mime-type>application/vnd.musician</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>musicxml</extension>
+ <mime-type>application/vnd.recordare.musicxml+xml</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>mvb</extension>
+ <mime-type>application/x-msmediaview</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>mwf</extension>
+ <mime-type>application/vnd.mfer</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>mxf</extension>
+ <mime-type>application/mxf</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>mxl</extension>
+ <mime-type>application/vnd.recordare.musicxml</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>mxml</extension>
+ <mime-type>application/xv+xml</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>mxs</extension>
+ <mime-type>application/vnd.triscape.mxs</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>mxu</extension>
+ <mime-type>video/vnd.mpegurl</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>n-gage</extension>
+ <mime-type>application/vnd.nokia.n-gage.symbian.install</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>n3</extension>
+ <mime-type>text/n3</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>nb</extension>
+ <mime-type>application/mathematica</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>nbp</extension>
+ <mime-type>application/vnd.wolfram.player</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>nc</extension>
+ <mime-type>application/x-netcdf</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>ncx</extension>
+ <mime-type>application/x-dtbncx+xml</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>ngdat</extension>
+ <mime-type>application/vnd.nokia.n-gage.data</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>nlu</extension>
+ <mime-type>application/vnd.neurolanguage.nlu</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>nml</extension>
+ <mime-type>application/vnd.enliven</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>nnd</extension>
+ <mime-type>application/vnd.noblenet-directory</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>nns</extension>
+ <mime-type>application/vnd.noblenet-sealer</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>nnw</extension>
+ <mime-type>application/vnd.noblenet-web</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>npx</extension>
+ <mime-type>image/vnd.net-fpx</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>nsf</extension>
+ <mime-type>application/vnd.lotus-notes</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>oa2</extension>
+ <mime-type>application/vnd.fujitsu.oasys2</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>oa3</extension>
+ <mime-type>application/vnd.fujitsu.oasys3</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>oas</extension>
+ <mime-type>application/vnd.fujitsu.oasys</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>obd</extension>
+ <mime-type>application/x-msbinder</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>oda</extension>
+ <mime-type>application/oda</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <!-- OpenDocument Database -->
+ <extension>odb</extension>
+ <mime-type>application/vnd.oasis.opendocument.database</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <!-- OpenDocument Chart -->
+ <extension>odc</extension>
+ <mime-type>application/vnd.oasis.opendocument.chart</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <!-- OpenDocument Formula -->
+ <extension>odf</extension>
+ <mime-type>application/vnd.oasis.opendocument.formula</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>odft</extension>
+ <mime-type>application/vnd.oasis.opendocument.formula-template</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <!-- OpenDocument Drawing -->
+ <extension>odg</extension>
+ <mime-type>application/vnd.oasis.opendocument.graphics</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <!-- OpenDocument Image -->
+ <extension>odi</extension>
+ <mime-type>application/vnd.oasis.opendocument.image</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <!-- OpenDocument Master Document -->
+ <extension>odm</extension>
+ <mime-type>application/vnd.oasis.opendocument.text-master</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <!-- OpenDocument Presentation -->
+ <extension>odp</extension>
+ <mime-type>application/vnd.oasis.opendocument.presentation</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <!-- OpenDocument Spreadsheet -->
+ <extension>ods</extension>
+ <mime-type>application/vnd.oasis.opendocument.spreadsheet</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <!-- OpenDocument Text -->
+ <extension>odt</extension>
+ <mime-type>application/vnd.oasis.opendocument.text</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>oga</extension>
+ <mime-type>audio/ogg</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>ogg</extension>
+ <mime-type>audio/ogg</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>ogv</extension>
+ <mime-type>video/ogg</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <!-- xiph mime types -->
+ <extension>ogx</extension>
+ <mime-type>application/ogg</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>onepkg</extension>
+ <mime-type>application/onenote</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>onetmp</extension>
+ <mime-type>application/onenote</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>onetoc</extension>
+ <mime-type>application/onenote</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>onetoc2</extension>
+ <mime-type>application/onenote</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>opf</extension>
+ <mime-type>application/oebps-package+xml</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>oprc</extension>
+ <mime-type>application/vnd.palm</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>org</extension>
+ <mime-type>application/vnd.lotus-organizer</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>osf</extension>
+ <mime-type>application/vnd.yamaha.openscoreformat</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>osfpvg</extension>
+ <mime-type>application/vnd.yamaha.openscoreformat.osfpvg+xml</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>otc</extension>
+ <mime-type>application/vnd.oasis.opendocument.chart-template</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>otf</extension>
+ <mime-type>application/x-font-otf</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <!-- OpenDocument Drawing Template -->
+ <extension>otg</extension>
+ <mime-type>application/vnd.oasis.opendocument.graphics-template</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <!-- HTML Document Template -->
+ <extension>oth</extension>
+ <mime-type>application/vnd.oasis.opendocument.text-web</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>oti</extension>
+ <mime-type>application/vnd.oasis.opendocument.image-template</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <!-- OpenDocument Presentation Template -->
+ <extension>otp</extension>
+ <mime-type>application/vnd.oasis.opendocument.presentation-template</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <!-- OpenDocument Spreadsheet Template -->
+ <extension>ots</extension>
+ <mime-type>application/vnd.oasis.opendocument.spreadsheet-template</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <!-- OpenDocument Text Template -->
+ <extension>ott</extension>
+ <mime-type>application/vnd.oasis.opendocument.text-template</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>oxps</extension>
+ <mime-type>application/oxps</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>oxt</extension>
+ <mime-type>application/vnd.openofficeorg.extension</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>p</extension>
+ <mime-type>text/x-pascal</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>p10</extension>
+ <mime-type>application/pkcs10</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>p12</extension>
+ <mime-type>application/x-pkcs12</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>p7b</extension>
+ <mime-type>application/x-pkcs7-certificates</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>p7c</extension>
+ <mime-type>application/pkcs7-mime</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>p7m</extension>
+ <mime-type>application/pkcs7-mime</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>p7r</extension>
+ <mime-type>application/x-pkcs7-certreqresp</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>p7s</extension>
+ <mime-type>application/pkcs7-signature</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>p8</extension>
+ <mime-type>application/pkcs8</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>pas</extension>
+ <mime-type>text/x-pascal</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>paw</extension>
+ <mime-type>application/vnd.pawaafile</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>pbd</extension>
+ <mime-type>application/vnd.powerbuilder6</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>pbm</extension>
+ <mime-type>image/x-portable-bitmap</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>pcap</extension>
+ <mime-type>application/vnd.tcpdump.pcap</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>pcf</extension>
+ <mime-type>application/x-font-pcf</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>pcl</extension>
+ <mime-type>application/vnd.hp-pcl</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>pclxl</extension>
+ <mime-type>application/vnd.hp-pclxl</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>pct</extension>
+ <mime-type>image/pict</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>pcurl</extension>
+ <mime-type>application/vnd.curl.pcurl</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>pcx</extension>
+ <mime-type>image/x-pcx</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>pdb</extension>
+ <mime-type>application/vnd.palm</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>pdf</extension>
+ <mime-type>application/pdf</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>pfa</extension>
+ <mime-type>application/x-font-type1</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>pfb</extension>
+ <mime-type>application/x-font-type1</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>pfm</extension>
+ <mime-type>application/x-font-type1</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>pfr</extension>
+ <mime-type>application/font-tdpfr</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>pfx</extension>
+ <mime-type>application/x-pkcs12</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>pgm</extension>
+ <mime-type>image/x-portable-graymap</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>pgn</extension>
+ <mime-type>application/x-chess-pgn</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>pgp</extension>
+ <mime-type>application/pgp-encrypted</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>pic</extension>
+ <mime-type>image/pict</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>pict</extension>
+ <mime-type>image/pict</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>pkg</extension>
+ <mime-type>application/octet-stream</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>pki</extension>
+ <mime-type>application/pkixcmp</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>pkipath</extension>
+ <mime-type>application/pkix-pkipath</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>plb</extension>
+ <mime-type>application/vnd.3gpp.pic-bw-large</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>plc</extension>
+ <mime-type>application/vnd.mobius.plc</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>plf</extension>
+ <mime-type>application/vnd.pocketlearn</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>pls</extension>
+ <mime-type>audio/x-scpls</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>pml</extension>
+ <mime-type>application/vnd.ctc-posml</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>png</extension>
+ <mime-type>image/png</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>pnm</extension>
+ <mime-type>image/x-portable-anymap</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>pnt</extension>
+ <mime-type>image/x-macpaint</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>portpkg</extension>
+ <mime-type>application/vnd.macports.portpkg</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>pot</extension>
+ <mime-type>application/vnd.ms-powerpoint</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>potm</extension>
+ <mime-type>application/vnd.ms-powerpoint.template.macroenabled.12</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>potx</extension>
+ <mime-type>application/vnd.openxmlformats-officedocument.presentationml.template</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>ppam</extension>
+ <mime-type>application/vnd.ms-powerpoint.addin.macroenabled.12</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>ppd</extension>
+ <mime-type>application/vnd.cups-ppd</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>ppm</extension>
+ <mime-type>image/x-portable-pixmap</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>pps</extension>
+ <mime-type>application/vnd.ms-powerpoint</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>ppsm</extension>
+ <mime-type>application/vnd.ms-powerpoint.slideshow.macroenabled.12</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>ppsx</extension>
+ <mime-type>application/vnd.openxmlformats-officedocument.presentationml.slideshow</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>ppt</extension>
+ <mime-type>application/vnd.ms-powerpoint</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>pptm</extension>
+ <mime-type>application/vnd.ms-powerpoint.presentation.macroenabled.12</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>pptx</extension>
+ <mime-type>application/vnd.openxmlformats-officedocument.presentationml.presentation</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>pqa</extension>
+ <mime-type>application/vnd.palm</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>prc</extension>
+ <mime-type>application/x-mobipocket-ebook</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>pre</extension>
+ <mime-type>application/vnd.lotus-freelance</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>prf</extension>
+ <mime-type>application/pics-rules</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>ps</extension>
+ <mime-type>application/postscript</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>psb</extension>
+ <mime-type>application/vnd.3gpp.pic-bw-small</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>psd</extension>
+ <mime-type>image/vnd.adobe.photoshop</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>psf</extension>
+ <mime-type>application/x-font-linux-psf</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>pskcxml</extension>
+ <mime-type>application/pskc+xml</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>ptid</extension>
+ <mime-type>application/vnd.pvi.ptid1</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>pub</extension>
+ <mime-type>application/x-mspublisher</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>pvb</extension>
+ <mime-type>application/vnd.3gpp.pic-bw-var</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>pwn</extension>
+ <mime-type>application/vnd.3m.post-it-notes</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>pya</extension>
+ <mime-type>audio/vnd.ms-playready.media.pya</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>pyv</extension>
+ <mime-type>video/vnd.ms-playready.media.pyv</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>qam</extension>
+ <mime-type>application/vnd.epson.quickanime</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>qbo</extension>
+ <mime-type>application/vnd.intu.qbo</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>qfx</extension>
+ <mime-type>application/vnd.intu.qfx</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>qps</extension>
+ <mime-type>application/vnd.publishare-delta-tree</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>qt</extension>
+ <mime-type>video/quicktime</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>qti</extension>
+ <mime-type>image/x-quicktime</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>qtif</extension>
+ <mime-type>image/x-quicktime</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>qwd</extension>
+ <mime-type>application/vnd.quark.quarkxpress</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>qwt</extension>
+ <mime-type>application/vnd.quark.quarkxpress</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>qxb</extension>
+ <mime-type>application/vnd.quark.quarkxpress</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>qxd</extension>
+ <mime-type>application/vnd.quark.quarkxpress</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>qxl</extension>
+ <mime-type>application/vnd.quark.quarkxpress</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>qxt</extension>
+ <mime-type>application/vnd.quark.quarkxpress</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>ra</extension>
+ <mime-type>audio/x-pn-realaudio</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>ram</extension>
+ <mime-type>audio/x-pn-realaudio</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>rar</extension>
+ <mime-type>application/x-rar-compressed</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>ras</extension>
+ <mime-type>image/x-cmu-raster</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>rcprofile</extension>
+ <mime-type>application/vnd.ipunplugged.rcprofile</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>rdf</extension>
+ <mime-type>application/rdf+xml</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>rdz</extension>
+ <mime-type>application/vnd.data-vision.rdz</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>rep</extension>
+ <mime-type>application/vnd.businessobjects</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>res</extension>
+ <mime-type>application/x-dtbresource+xml</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>rgb</extension>
+ <mime-type>image/x-rgb</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>rif</extension>
+ <mime-type>application/reginfo+xml</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>rip</extension>
+ <mime-type>audio/vnd.rip</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>rl</extension>
+ <mime-type>application/resource-lists+xml</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>rlc</extension>
+ <mime-type>image/vnd.fujixerox.edmics-rlc</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>rld</extension>
+ <mime-type>application/resource-lists-diff+xml</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>rm</extension>
+ <mime-type>application/vnd.rn-realmedia</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>rmi</extension>
+ <mime-type>audio/midi</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>rmp</extension>
+ <mime-type>audio/x-pn-realaudio-plugin</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>rms</extension>
+ <mime-type>application/vnd.jcp.javame.midlet-rms</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>rnc</extension>
+ <mime-type>application/relax-ng-compact-syntax</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>roa</extension>
+ <mime-type>application/rpki-roa</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>roff</extension>
+ <mime-type>text/troff</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>rp9</extension>
+ <mime-type>application/vnd.cloanto.rp9</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>rpss</extension>
+ <mime-type>application/vnd.nokia.radio-presets</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>rpst</extension>
+ <mime-type>application/vnd.nokia.radio-preset</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>rq</extension>
+ <mime-type>application/sparql-query</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>rs</extension>
+ <mime-type>application/rls-services+xml</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>rsd</extension>
+ <mime-type>application/rsd+xml</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>rss</extension>
+ <mime-type>application/rss+xml</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>rtf</extension>
+ <mime-type>application/rtf</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>rtx</extension>
+ <mime-type>text/richtext</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>s</extension>
+ <mime-type>text/x-asm</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>saf</extension>
+ <mime-type>application/vnd.yamaha.smaf-audio</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>sbml</extension>
+ <mime-type>application/sbml+xml</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>sc</extension>
+ <mime-type>application/vnd.ibm.secure-container</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>scd</extension>
+ <mime-type>application/x-msschedule</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>scm</extension>
+ <mime-type>application/vnd.lotus-screencam</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>scq</extension>
+ <mime-type>application/scvp-cv-request</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>scs</extension>
+ <mime-type>application/scvp-cv-response</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>scurl</extension>
+ <mime-type>text/vnd.curl.scurl</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>sda</extension>
+ <mime-type>application/vnd.stardivision.draw</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>sdc</extension>
+ <mime-type>application/vnd.stardivision.calc</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>sdd</extension>
+ <mime-type>application/vnd.stardivision.impress</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>sdkd</extension>
+ <mime-type>application/vnd.solent.sdkm+xml</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>sdkm</extension>
+ <mime-type>application/vnd.solent.sdkm+xml</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>sdp</extension>
+ <mime-type>application/sdp</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>sdw</extension>
+ <mime-type>application/vnd.stardivision.writer</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>see</extension>
+ <mime-type>application/vnd.seemail</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>seed</extension>
+ <mime-type>application/vnd.fdsn.seed</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>sema</extension>
+ <mime-type>application/vnd.sema</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>semd</extension>
+ <mime-type>application/vnd.semd</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>semf</extension>
+ <mime-type>application/vnd.semf</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>ser</extension>
+ <mime-type>application/java-serialized-object</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>setpay</extension>
+ <mime-type>application/set-payment-initiation</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>setreg</extension>
+ <mime-type>application/set-registration-initiation</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>sfd-hdstx</extension>
+ <mime-type>application/vnd.hydrostatix.sof-data</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>sfs</extension>
+ <mime-type>application/vnd.spotfire.sfs</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>sgl</extension>
+ <mime-type>application/vnd.stardivision.writer-global</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>sgm</extension>
+ <mime-type>text/sgml</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>sgml</extension>
+ <mime-type>text/sgml</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>sh</extension>
+ <mime-type>application/x-sh</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>shar</extension>
+ <mime-type>application/x-shar</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>shf</extension>
+ <mime-type>application/shf+xml</mime-type>
+ </mime-mapping>
+ <!--
+ <mime-mapping>
+ <extension>shtml</extension>
+ <mime-type>text/x-server-parsed-html</mime-type>
+ </mime-mapping>
+ -->
+ <mime-mapping>
+ <extension>sig</extension>
+ <mime-type>application/pgp-signature</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>silo</extension>
+ <mime-type>model/mesh</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>sis</extension>
+ <mime-type>application/vnd.symbian.install</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>sisx</extension>
+ <mime-type>application/vnd.symbian.install</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>sit</extension>
+ <mime-type>application/x-stuffit</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>sitx</extension>
+ <mime-type>application/x-stuffitx</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>skd</extension>
+ <mime-type>application/vnd.koan</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>skm</extension>
+ <mime-type>application/vnd.koan</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>skp</extension>
+ <mime-type>application/vnd.koan</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>skt</extension>
+ <mime-type>application/vnd.koan</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>sldm</extension>
+ <mime-type>application/vnd.ms-powerpoint.slide.macroenabled.12</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>sldx</extension>
+ <mime-type>application/vnd.openxmlformats-officedocument.presentationml.slide</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>slt</extension>
+ <mime-type>application/vnd.epson.salt</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>sm</extension>
+ <mime-type>application/vnd.stepmania.stepchart</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>smf</extension>
+ <mime-type>application/vnd.stardivision.math</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>smi</extension>
+ <mime-type>application/smil+xml</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>smil</extension>
+ <mime-type>application/smil+xml</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>smzip</extension>
+ <mime-type>application/vnd.stepmania.package</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>snd</extension>
+ <mime-type>audio/basic</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>snf</extension>
+ <mime-type>application/x-font-snf</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>so</extension>
+ <mime-type>application/octet-stream</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>spc</extension>
+ <mime-type>application/x-pkcs7-certificates</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>spf</extension>
+ <mime-type>application/vnd.yamaha.smaf-phrase</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>spl</extension>
+ <mime-type>application/x-futuresplash</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>spot</extension>
+ <mime-type>text/vnd.in3d.spot</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>spp</extension>
+ <mime-type>application/scvp-vp-response</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>spq</extension>
+ <mime-type>application/scvp-vp-request</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>spx</extension>
+ <mime-type>audio/ogg</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>src</extension>
+ <mime-type>application/x-wais-source</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>sru</extension>
+ <mime-type>application/sru+xml</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>srx</extension>
+ <mime-type>application/sparql-results+xml</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>sse</extension>
+ <mime-type>application/vnd.kodak-descriptor</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>ssf</extension>
+ <mime-type>application/vnd.epson.ssf</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>ssml</extension>
+ <mime-type>application/ssml+xml</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>st</extension>
+ <mime-type>application/vnd.sailingtracker.track</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>stc</extension>
+ <mime-type>application/vnd.sun.xml.calc.template</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>std</extension>
+ <mime-type>application/vnd.sun.xml.draw.template</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>stf</extension>
+ <mime-type>application/vnd.wt.stf</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>sti</extension>
+ <mime-type>application/vnd.sun.xml.impress.template</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>stk</extension>
+ <mime-type>application/hyperstudio</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>stl</extension>
+ <mime-type>application/vnd.ms-pki.stl</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>str</extension>
+ <mime-type>application/vnd.pg.format</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>stw</extension>
+ <mime-type>application/vnd.sun.xml.writer.template</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>sub</extension>
+ <mime-type>text/vnd.dvb.subtitle</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>sus</extension>
+ <mime-type>application/vnd.sus-calendar</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>susp</extension>
+ <mime-type>application/vnd.sus-calendar</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>sv4cpio</extension>
+ <mime-type>application/x-sv4cpio</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>sv4crc</extension>
+ <mime-type>application/x-sv4crc</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>svc</extension>
+ <mime-type>application/vnd.dvb.service</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>svd</extension>
+ <mime-type>application/vnd.svd</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>svg</extension>
+ <mime-type>image/svg+xml</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>svgz</extension>
+ <mime-type>image/svg+xml</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>swa</extension>
+ <mime-type>application/x-director</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>swf</extension>
+ <mime-type>application/x-shockwave-flash</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>swi</extension>
+ <mime-type>application/vnd.aristanetworks.swi</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>sxc</extension>
+ <mime-type>application/vnd.sun.xml.calc</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>sxd</extension>
+ <mime-type>application/vnd.sun.xml.draw</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>sxg</extension>
+ <mime-type>application/vnd.sun.xml.writer.global</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>sxi</extension>
+ <mime-type>application/vnd.sun.xml.impress</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>sxm</extension>
+ <mime-type>application/vnd.sun.xml.math</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>sxw</extension>
+ <mime-type>application/vnd.sun.xml.writer</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>t</extension>
+ <mime-type>text/troff</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>taglet</extension>
+ <mime-type>application/vnd.mynfc</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>tao</extension>
+ <mime-type>application/vnd.tao.intent-module-archive</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>tar</extension>
+ <mime-type>application/x-tar</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>tcap</extension>
+ <mime-type>application/vnd.3gpp2.tcap</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>tcl</extension>
+ <mime-type>application/x-tcl</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>teacher</extension>
+ <mime-type>application/vnd.smart.teacher</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>tei</extension>
+ <mime-type>application/tei+xml</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>teicorpus</extension>
+ <mime-type>application/tei+xml</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>tex</extension>
+ <mime-type>application/x-tex</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>texi</extension>
+ <mime-type>application/x-texinfo</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>texinfo</extension>
+ <mime-type>application/x-texinfo</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>text</extension>
+ <mime-type>text/plain</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>tfi</extension>
+ <mime-type>application/thraud+xml</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>tfm</extension>
+ <mime-type>application/x-tex-tfm</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>thmx</extension>
+ <mime-type>application/vnd.ms-officetheme</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>tif</extension>
+ <mime-type>image/tiff</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>tiff</extension>
+ <mime-type>image/tiff</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>tmo</extension>
+ <mime-type>application/vnd.tmobile-livetv</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>torrent</extension>
+ <mime-type>application/x-bittorrent</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>tpl</extension>
+ <mime-type>application/vnd.groove-tool-template</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>tpt</extension>
+ <mime-type>application/vnd.trid.tpt</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>tr</extension>
+ <mime-type>text/troff</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>tra</extension>
+ <mime-type>application/vnd.trueapp</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>trm</extension>
+ <mime-type>application/x-msterminal</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>tsd</extension>
+ <mime-type>application/timestamped-data</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>tsv</extension>
+ <mime-type>text/tab-separated-values</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>ttc</extension>
+ <mime-type>application/x-font-ttf</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>ttf</extension>
+ <mime-type>application/x-font-ttf</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>ttl</extension>
+ <mime-type>text/turtle</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>twd</extension>
+ <mime-type>application/vnd.simtech-mindmapper</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>twds</extension>
+ <mime-type>application/vnd.simtech-mindmapper</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>txd</extension>
+ <mime-type>application/vnd.genomatix.tuxedo</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>txf</extension>
+ <mime-type>application/vnd.mobius.txf</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>txt</extension>
+ <mime-type>text/plain</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>u32</extension>
+ <mime-type>application/x-authorware-bin</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>udeb</extension>
+ <mime-type>application/x-debian-package</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>ufd</extension>
+ <mime-type>application/vnd.ufdl</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>ufdl</extension>
+ <mime-type>application/vnd.ufdl</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>ulw</extension>
+ <mime-type>audio/basic</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>umj</extension>
+ <mime-type>application/vnd.umajin</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>unityweb</extension>
+ <mime-type>application/vnd.unity</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>uoml</extension>
+ <mime-type>application/vnd.uoml+xml</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>uri</extension>
+ <mime-type>text/uri-list</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>uris</extension>
+ <mime-type>text/uri-list</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>urls</extension>
+ <mime-type>text/uri-list</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>ustar</extension>
+ <mime-type>application/x-ustar</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>utz</extension>
+ <mime-type>application/vnd.uiq.theme</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>uu</extension>
+ <mime-type>text/x-uuencode</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>uva</extension>
+ <mime-type>audio/vnd.dece.audio</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>uvd</extension>
+ <mime-type>application/vnd.dece.data</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>uvf</extension>
+ <mime-type>application/vnd.dece.data</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>uvg</extension>
+ <mime-type>image/vnd.dece.graphic</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>uvh</extension>
+ <mime-type>video/vnd.dece.hd</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>uvi</extension>
+ <mime-type>image/vnd.dece.graphic</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>uvm</extension>
+ <mime-type>video/vnd.dece.mobile</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>uvp</extension>
+ <mime-type>video/vnd.dece.pd</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>uvs</extension>
+ <mime-type>video/vnd.dece.sd</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>uvt</extension>
+ <mime-type>application/vnd.dece.ttml+xml</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>uvu</extension>
+ <mime-type>video/vnd.uvvu.mp4</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>uvv</extension>
+ <mime-type>video/vnd.dece.video</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>uvva</extension>
+ <mime-type>audio/vnd.dece.audio</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>uvvd</extension>
+ <mime-type>application/vnd.dece.data</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>uvvf</extension>
+ <mime-type>application/vnd.dece.data</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>uvvg</extension>
+ <mime-type>image/vnd.dece.graphic</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>uvvh</extension>
+ <mime-type>video/vnd.dece.hd</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>uvvi</extension>
+ <mime-type>image/vnd.dece.graphic</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>uvvm</extension>
+ <mime-type>video/vnd.dece.mobile</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>uvvp</extension>
+ <mime-type>video/vnd.dece.pd</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>uvvs</extension>
+ <mime-type>video/vnd.dece.sd</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>uvvt</extension>
+ <mime-type>application/vnd.dece.ttml+xml</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>uvvu</extension>
+ <mime-type>video/vnd.uvvu.mp4</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>uvvv</extension>
+ <mime-type>video/vnd.dece.video</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>uvvx</extension>
+ <mime-type>application/vnd.dece.unspecified</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>uvvz</extension>
+ <mime-type>application/vnd.dece.zip</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>uvx</extension>
+ <mime-type>application/vnd.dece.unspecified</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>uvz</extension>
+ <mime-type>application/vnd.dece.zip</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>vcard</extension>
+ <mime-type>text/vcard</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>vcd</extension>
+ <mime-type>application/x-cdlink</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>vcf</extension>
+ <mime-type>text/x-vcard</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>vcg</extension>
+ <mime-type>application/vnd.groove-vcard</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>vcs</extension>
+ <mime-type>text/x-vcalendar</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>vcx</extension>
+ <mime-type>application/vnd.vcx</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>vis</extension>
+ <mime-type>application/vnd.visionary</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>viv</extension>
+ <mime-type>video/vnd.vivo</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>vor</extension>
+ <mime-type>application/vnd.stardivision.writer</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>vox</extension>
+ <mime-type>application/x-authorware-bin</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>vrml</extension>
+ <mime-type>model/vrml</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>vsd</extension>
+ <mime-type>application/vnd.visio</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>vsf</extension>
+ <mime-type>application/vnd.vsf</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>vss</extension>
+ <mime-type>application/vnd.visio</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>vst</extension>
+ <mime-type>application/vnd.visio</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>vsw</extension>
+ <mime-type>application/vnd.visio</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>vtu</extension>
+ <mime-type>model/vnd.vtu</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>vxml</extension>
+ <mime-type>application/voicexml+xml</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>w3d</extension>
+ <mime-type>application/x-director</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>wad</extension>
+ <mime-type>application/x-doom</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>wav</extension>
+ <mime-type>audio/x-wav</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>wax</extension>
+ <mime-type>audio/x-ms-wax</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <!-- Wireless Bitmap -->
+ <extension>wbmp</extension>
+ <mime-type>image/vnd.wap.wbmp</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>wbs</extension>
+ <mime-type>application/vnd.criticaltools.wbs+xml</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>wbxml</extension>
+ <mime-type>application/vnd.wap.wbxml</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>wcm</extension>
+ <mime-type>application/vnd.ms-works</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>wdb</extension>
+ <mime-type>application/vnd.ms-works</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>weba</extension>
+ <mime-type>audio/webm</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>webm</extension>
+ <mime-type>video/webm</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>webp</extension>
+ <mime-type>image/webp</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>wg</extension>
+ <mime-type>application/vnd.pmi.widget</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>wgt</extension>
+ <mime-type>application/widget</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>wks</extension>
+ <mime-type>application/vnd.ms-works</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>wm</extension>
+ <mime-type>video/x-ms-wm</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>wma</extension>
+ <mime-type>audio/x-ms-wma</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>wmd</extension>
+ <mime-type>application/x-ms-wmd</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>wmf</extension>
+ <mime-type>application/x-msmetafile</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <!-- WML Source -->
+ <extension>wml</extension>
+ <mime-type>text/vnd.wap.wml</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <!-- Compiled WML -->
+ <extension>wmlc</extension>
+ <mime-type>application/vnd.wap.wmlc</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <!-- WML Script Source -->
+ <extension>wmls</extension>
+ <mime-type>text/vnd.wap.wmlscript</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <!-- Compiled WML Script -->
+ <extension>wmlsc</extension>
+ <mime-type>application/vnd.wap.wmlscriptc</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>wmv</extension>
+ <mime-type>video/x-ms-wmv</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>wmx</extension>
+ <mime-type>video/x-ms-wmx</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>wmz</extension>
+ <mime-type>application/x-ms-wmz</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>woff</extension>
+ <mime-type>application/x-font-woff</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>wpd</extension>
+ <mime-type>application/vnd.wordperfect</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>wpl</extension>
+ <mime-type>application/vnd.ms-wpl</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>wps</extension>
+ <mime-type>application/vnd.ms-works</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>wqd</extension>
+ <mime-type>application/vnd.wqd</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>wri</extension>
+ <mime-type>application/x-mswrite</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>wrl</extension>
+ <mime-type>model/vrml</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>wsdl</extension>
+ <mime-type>application/wsdl+xml</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>wspolicy</extension>
+ <mime-type>application/wspolicy+xml</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>wtb</extension>
+ <mime-type>application/vnd.webturbo</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>wvx</extension>
+ <mime-type>video/x-ms-wvx</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>x32</extension>
+ <mime-type>application/x-authorware-bin</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>x3d</extension>
+ <mime-type>application/vnd.hzn-3d-crossword</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>xap</extension>
+ <mime-type>application/x-silverlight-app</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>xar</extension>
+ <mime-type>application/vnd.xara</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>xbap</extension>
+ <mime-type>application/x-ms-xbap</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>xbd</extension>
+ <mime-type>application/vnd.fujixerox.docuworks.binder</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>xbm</extension>
+ <mime-type>image/x-xbitmap</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>xdf</extension>
+ <mime-type>application/xcap-diff+xml</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>xdm</extension>
+ <mime-type>application/vnd.syncml.dm+xml</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>xdp</extension>
+ <mime-type>application/vnd.adobe.xdp+xml</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>xdssc</extension>
+ <mime-type>application/dssc+xml</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>xdw</extension>
+ <mime-type>application/vnd.fujixerox.docuworks</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>xenc</extension>
+ <mime-type>application/xenc+xml</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>xer</extension>
+ <mime-type>application/patch-ops-error+xml</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>xfdf</extension>
+ <mime-type>application/vnd.adobe.xfdf</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>xfdl</extension>
+ <mime-type>application/vnd.xfdl</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>xht</extension>
+ <mime-type>application/xhtml+xml</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>xhtml</extension>
+ <mime-type>application/xhtml+xml</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>xhvml</extension>
+ <mime-type>application/xv+xml</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>xif</extension>
+ <mime-type>image/vnd.xiff</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>xla</extension>
+ <mime-type>application/vnd.ms-excel</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>xlam</extension>
+ <mime-type>application/vnd.ms-excel.addin.macroenabled.12</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>xlc</extension>
+ <mime-type>application/vnd.ms-excel</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>xlm</extension>
+ <mime-type>application/vnd.ms-excel</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>xls</extension>
+ <mime-type>application/vnd.ms-excel</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>xlsb</extension>
+ <mime-type>application/vnd.ms-excel.sheet.binary.macroenabled.12</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>xlsm</extension>
+ <mime-type>application/vnd.ms-excel.sheet.macroenabled.12</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>xlsx</extension>
+ <mime-type>application/vnd.openxmlformats-officedocument.spreadsheetml.sheet</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>xlt</extension>
+ <mime-type>application/vnd.ms-excel</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>xltm</extension>
+ <mime-type>application/vnd.ms-excel.template.macroenabled.12</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>xltx</extension>
+ <mime-type>application/vnd.openxmlformats-officedocument.spreadsheetml.template</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>xlw</extension>
+ <mime-type>application/vnd.ms-excel</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>xml</extension>
+ <mime-type>application/xml</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>xo</extension>
+ <mime-type>application/vnd.olpc-sugar</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>xop</extension>
+ <mime-type>application/xop+xml</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>xpi</extension>
+ <mime-type>application/x-xpinstall</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>xpm</extension>
+ <mime-type>image/x-xpixmap</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>xpr</extension>
+ <mime-type>application/vnd.is-xpr</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>xps</extension>
+ <mime-type>application/vnd.ms-xpsdocument</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>xpw</extension>
+ <mime-type>application/vnd.intercon.formnet</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>xpx</extension>
+ <mime-type>application/vnd.intercon.formnet</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>xsl</extension>
+ <mime-type>application/xml</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>xslt</extension>
+ <mime-type>application/xslt+xml</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>xsm</extension>
+ <mime-type>application/vnd.syncml+xml</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>xspf</extension>
+ <mime-type>application/xspf+xml</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>xul</extension>
+ <mime-type>application/vnd.mozilla.xul+xml</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>xvm</extension>
+ <mime-type>application/xv+xml</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>xvml</extension>
+ <mime-type>application/xv+xml</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>xwd</extension>
+ <mime-type>image/x-xwindowdump</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>xyz</extension>
+ <mime-type>chemical/x-xyz</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>yang</extension>
+ <mime-type>application/yang</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>yin</extension>
+ <mime-type>application/yin+xml</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>z</extension>
+ <mime-type>application/x-compress</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>Z</extension>
+ <mime-type>application/x-compress</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>zaz</extension>
+ <mime-type>application/vnd.zzazz.deck+xml</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>zip</extension>
+ <mime-type>application/zip</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>zir</extension>
+ <mime-type>application/vnd.zul</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>zirz</extension>
+ <mime-type>application/vnd.zul</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>zmm</extension>
+ <mime-type>application/vnd.handheld-entertainment+xml</mime-type>
+ </mime-mapping>
+
+ <!-- ==================== Default Welcome File List ===================== -->
+ <!-- When a request URI refers to a directory, the default servlet looks -->
+ <!-- for a "welcome file" within that directory and, if present, to the -->
+ <!-- corresponding resource URI for display. -->
+ <!-- If no welcome files are present, the default servlet either serves a -->
+ <!-- directory listing (see default servlet configuration on how to -->
+ <!-- customize) or returns a 404 status, depending on the value of the -->
+ <!-- listings setting. -->
+ <!-- -->
+ <!-- If you define welcome files in your own application's web.xml -->
+ <!-- deployment descriptor, that list *replaces* the list configured -->
+ <!-- here, so be sure to include any of the default values that you wish -->
+ <!-- to use within your application. -->
+
+ <welcome-file-list>
+ <welcome-file>index.html</welcome-file>
+ <welcome-file>index.htm</welcome-file>
+ <welcome-file>index.jsp</welcome-file>
+ </welcome-file-list>
+
+</web-app>
diff --git a/base/common/src/CMakeLists.txt b/base/common/src/CMakeLists.txt
index eab5db24c..0505c7e74 100644
--- a/base/common/src/CMakeLists.txt
+++ b/base/common/src/CMakeLists.txt
@@ -48,7 +48,14 @@ find_file(TOMCAT_CATALINA_JAR
NAMES
catalina.jar
PATHS
- /usr/share/java/tomcat6
+ /usr/share/java/tomcat
+)
+
+find_file(TOMCAT_UTIL_JAR
+ NAMES
+ tomcat-util.jar
+ PATHS
+ /usr/share/java/tomcat
)
find_file(SERVLET_JAR
@@ -1193,7 +1200,7 @@ set(CMAKE_JAVA_INCLUDE_PATH
${LDAPJDK_JAR} ${SERVLET_JAR} ${VELOCITY_JAR} ${XALAN_JAR} ${XERCES_JAR}
${JSS_JAR} ${COMMONS_CODEC_JAR} ${COMMONS_HTTPCLIENT_JAR}
${APACHE_COMMONS_CLI_JAR} ${APACHE_COMMONS_LANG_JAR}
- ${TOMCAT_CATALINA_JAR} ${SYMKEY_JAR}
+ ${TOMCAT_CATALINA_JAR} ${TOMCAT_UTIL_JAR} ${SYMKEY_JAR}
${JAXRS_API_JAR} ${RESTEASY_JAXRS_JAR} ${RESTEASY_ATOM_PROVIDER_JAR}
${HTTPCLIENT_JAR} ${HTTPCORE_JAR})
diff --git a/base/common/src/com/netscape/cms/servlet/csadmin/CertUtil.java b/base/common/src/com/netscape/cms/servlet/csadmin/CertUtil.java
index 35ec7c515..6ad9e7680 100644
--- a/base/common/src/com/netscape/cms/servlet/csadmin/CertUtil.java
+++ b/base/common/src/com/netscape/cms/servlet/csadmin/CertUtil.java
@@ -371,8 +371,10 @@ public class CertUtil {
String instanceRoot = config.getString("instanceRoot");
+ String configurationRoot = config.getString("configurationRoot");
+
CertInfoProfile processor = new CertInfoProfile(
- instanceRoot + "/conf/" + profile);
+ instanceRoot + configurationRoot + profile);
// cfu - create request to enable renewal
try {
diff --git a/base/common/src/com/netscape/cmscore/realm/PKIJNDIRealm.java b/base/common/src/com/netscape/cmscore/realm/PKIJNDIRealm.java
index 86debf3da..bd551baf0 100644
--- a/base/common/src/com/netscape/cmscore/realm/PKIJNDIRealm.java
+++ b/base/common/src/com/netscape/cmscore/realm/PKIJNDIRealm.java
@@ -28,6 +28,7 @@ import org.apache.catalina.connector.Request;
import org.apache.catalina.connector.Response;
import org.apache.catalina.deploy.SecurityConstraint;
import org.apache.catalina.realm.JNDIRealm;
+import org.apache.catalina.Wrapper;
/*
* Self contained PKI JNDI Real that overrides the standard JNDI Realm
@@ -206,6 +207,8 @@ public class PKIJNDIRealm extends JNDIRealm {
boolean allowed = super.hasResourcePermission(request, response, constraints, context);
+ Wrapper wrapper = request.getWrapper();
+
if (allowed == true && hasResourceACLS()) {
loadAuthzProperties(context);
@@ -238,7 +241,7 @@ public class PKIJNDIRealm extends JNDIRealm {
}
}
- allowed = checkACLPermission(principal, resourceID, operation);
+ allowed = checkACLPermission(principal, resourceID, operation, wrapper);
logDebug("resourceID: " + resourceID + " operation: " + operation + " allowed: " + allowed);
}
}
@@ -351,7 +354,7 @@ public class PKIJNDIRealm extends JNDIRealm {
// Check a PKI ACL resourceID and operation for permissions
// If the check fails the user (principal) is not authorized to access the resource
- private boolean checkACLPermission(Principal principal, String resourceId, String operation) {
+ private boolean checkACLPermission(Principal principal, String resourceId, String operation, Wrapper wrapper) {
boolean allowed = true;
@@ -378,7 +381,7 @@ public class PKIJNDIRealm extends JNDIRealm {
String expressions = entry.getAttributeExpressions();
- allowed = evaluateExpressions(principal, expressions);
+ allowed = evaluateExpressions(principal, expressions, wrapper);
if (isEntryNegative) {
allowed = !allowed;
@@ -400,7 +403,7 @@ public class PKIJNDIRealm extends JNDIRealm {
// Evaluate an expression as part of a PKI ACL
// Ex: user=anybody , group=Data Recovery Manager Agents
- private boolean evaluateExpression(Principal principal, String expression) {
+ private boolean evaluateExpression(Principal principal, String expression, Wrapper wrapper) {
boolean allowed = true;
if (principal == null || expression == null) {
@@ -445,7 +448,7 @@ public class PKIJNDIRealm extends JNDIRealm {
allowed = false;
if (left.equals(PROP_GROUP)) {
// Check JNDI to see if the user has this role/group
- if (hasRole(principal, right)) {
+ if (hasRole(wrapper, principal, right)) {
allowed = true;
}
} else if (left.equals(PROP_USER)) {
@@ -482,7 +485,7 @@ public class PKIJNDIRealm extends JNDIRealm {
}
// Take a set of expressions in an ACL and evaluate it
- private boolean evaluateExpressions(Principal principal, String s) {
+ private boolean evaluateExpressions(Principal principal, String s, Wrapper wrapper) {
Vector<Object> v = new Vector<Object>();
@@ -492,7 +495,7 @@ public class PKIJNDIRealm extends JNDIRealm {
// this is the last expression
if (orIndex == -1 && andIndex == -1) {
- boolean passed = evaluateExpression(principal, s.trim());
+ boolean passed = evaluateExpression(principal, s.trim(), wrapper);
v.addElement(Boolean.valueOf(passed));
break;
@@ -500,7 +503,7 @@ public class PKIJNDIRealm extends JNDIRealm {
// || first
} else if (andIndex == -1 || (orIndex != -1 && orIndex < andIndex)) {
String s1 = s.substring(0, orIndex);
- boolean passed = evaluateExpression(principal, s1.trim());
+ boolean passed = evaluateExpression(principal, s1.trim(), wrapper);
v.addElement(Boolean.valueOf(passed));
v.addElement("||");
@@ -508,7 +511,7 @@ public class PKIJNDIRealm extends JNDIRealm {
// && first
} else {
String s1 = s.substring(0, andIndex);
- boolean passed = evaluateExpression(principal, s1.trim());
+ boolean passed = evaluateExpression(principal, s1.trim(), wrapper);
v.addElement(Boolean.valueOf(passed));
v.addElement("&&");
diff --git a/base/deploy/config/pkideployment.cfg b/base/deploy/config/pkideployment.cfg
index dd688ed09..542fc5bef 100644
--- a/base/deploy/config/pkideployment.cfg
+++ b/base/deploy/config/pkideployment.cfg
@@ -1,34 +1,219 @@
-[Common]
+###############################################################################
+## 'Sensitive' Data: ##
+## ##
+## Values in this section pertain to various PKI subsystems, and contain ##
+## required 'sensitive' information which MUST ALWAYS be provided by users. ##
+## ##
+## IMPORTANT: Sensitive data values must NEVER be displayed to the ##
+## console NOR stored in log files!!! ##
+###############################################################################
+[Sensitive]
+pki_admin_password=
+pki_backup_password=
+pki_ds_password=
+pki_pkcs12_password=
+pki_security_domain_password=
+###############################################################################
+## 'Mandatory' Data: ##
+## ##
+## Values in this section pertain to various PKI subsystems, and contain ##
+## required information which MUST ALWAYS be provided by users. ##
+###############################################################################
+[Mandatory]
+###############################################################################
+## 'Optional' Data: ##
+## ##
+## Values in this section pertain to various PKI subsystems, and contain ##
+## required information which MAY OPTIONALLY be provided by users. ##
+## ##
+## NOTE: Default values will be generated for any and all required ##
+## 'optional' data values which are left undefined. ##
+###############################################################################
+[Optional]
pki_admin_domain_name=
-pki_user=pkiuser
-pki_group=pkiuser
+pki_admin_email=
+pki_admin_subject_dn=
+pki_audit_signing_nickname=
+pki_audit_signing_subject_dn=
+pki_audit_signing_token=
+pki_backup_file=
+pki_ca_signing_nickname=
+pki_ca_signing_subject_dn=
+pki_ca_signing_token=
+pki_ds_base_dn=
+pki_ds_database=
+pki_ds_hostname=
+pki_ocsp_signing_nickname=
+pki_ocsp_signing_subject_dn=
+pki_ocsp_signing_token=
+pki_security_domain_hostname=
+pki_security_domain_name=
+pki_ssl_server_nickname=
+pki_ssl_server_subject_dn=
+pki_ssl_server_token=
+pki_storage_nickname=
+pki_storage_subject_dn=
+pki_storage_token=
+pki_subsystem_nickname=
+pki_subsystem_subject_dn=
+pki_subsystem_token=
+pki_transport_nickname=
+pki_transport_subject_dn=
+pki_transport_token=
+###############################################################################
+## 'Common' Data: ##
+## ##
+## Values in this section are common to ALL PKI subsystems, and contain ##
+## required information which MAY be overridden by users as necessary. ##
+###############################################################################
+[Common]
+pki_admin_cert_request_type=crmf
+pki_admin_dualkey=False
+pki_admin_keysize=2048
+pki_admin_name=admin
+pki_admin_uid=admin
pki_audit_group=pkiaudit
+pki_audit_signing_key_algorithm=SHA256withRSA
+pki_audit_signing_key_size=2048
+pki_audit_signing_key_type=rsa
+pki_audit_signing_signing_algorithm=SHA256withRSA
+pki_backup_keys=False
+pki_ds_bind_dn=cn=Directory Manager
+pki_ds_http_port=389
+pki_ds_https_port=636
+pki_ds_remove_data=True
+pki_ds_secure_connection=False
+pki_group=pkiuser
+pki_security_domain_https_port=8443
+pki_security_domain_user=admin
+pki_ssl_server_key_algorithm=SHA256withRSA
+pki_ssl_server_key_size=2048
+pki_ssl_server_key_type=rsa
+pki_subsystem_key_algorithm=SHA256withRSA
+pki_subsystem_key_size=2048
+pki_subsystem_key_type=rsa
+pki_user=pkiuser
+###############################################################################
+## 'Apache' Data: ##
+## ##
+## Values in this section are common to PKI subsystems that run ##
+## as an instance of 'Apache' (RA and TPS subsystems), and contain ##
+## required information which MAY be overridden by users as necessary. ##
+###############################################################################
[Apache]
pki_instance_name=apache
pki_http_port=80
pki_https_port=443
+###############################################################################
+## 'Tomcat' Data: ##
+## ##
+## Values in this section are common to PKI subsystems that run ##
+## as an instance of 'Tomcat' (CA, KRA, OCSP, and TKS subsystems ##
+## including 'Clones', 'Subordinate CAs', and 'External CAs'), and contain ##
+## required information which MAY be overridden by users as necessary. ##
+## ##
+## PKI CLONES: To specify a 'CA Clone', a 'KRA Clone', an 'OCSP Clone', ##
+## or a 'TKS Clone', change the value of 'pki_clone' ##
+## from 'False' to 'True'. ##
+## ##
+## REMINDER: PKI CA Clones, Subordinate CAs, and External CAs ##
+## are MUTUALLY EXCLUSIVE entities!!! ##
+###############################################################################
[Tomcat]
-pki_instance_name=tomcat
+pki_ajp_port=8009
+pki_clone=False
+pki_enable_java_debugger=False
pki_http_port=8080
pki_https_port=8443
-pki_ajp_port=8009
-pki_proxy_http_port=80
-pki_proxy_https_port=443
-pki_security_manager=true
+pki_instance_name=tomcat
+pki_proxy_http_port=
+pki_proxy_https_port=
+pki_security_manager=false
pki_tomcat_server_port=8005
+###############################################################################
+## 'CA' Data: ##
+## ##
+## Values in this section are common to CA subsystems including 'PKI CAs', ##
+## 'Cloned CAs', 'Subordinate CAs', and 'External CAs', and contain ##
+## required information which MAY be overridden by users as necessary. ##
+## ##
+## EXTERNAL CAs: To specify an 'External CA', change the value ##
+## of 'pki_external' from 'False' to 'True'. ##
+## ##
+## SUBORDINATE CAs: To specify a 'Subordinate CA', change the value ##
+## of 'pki_subordinate' from 'False' to 'True'. ##
+## ##
+## REMINDER: PKI CA Clones, Subordinate CAs, and External CAs ##
+## are MUTUALLY EXCLUSIVE entities!!! ##
+###############################################################################
[CA]
+pki_ca_signing_key_algorithm=SHA256withRSA
+pki_ca_signing_key_size=2048
+pki_ca_signing_key_type=rsa
+pki_ca_signing_signing_algorithm=SHA256withRSA
+pki_external=False
+pki_ocsp_signing_key_algorithm=SHA256withRSA
+pki_ocsp_signing_key_size=2048
+pki_ocsp_signing_key_type=rsa
+pki_ocsp_signing_signing_algorithm=SHA256withRSA
+pki_subordinate=False
pki_subsystem=CA
pki_war_name=ca.war
+###############################################################################
+## 'KRA' Data: ##
+## ##
+## Values in this section are common to KRA subsystems ##
+## including 'PKI KRAs' and 'Cloned KRAs', and contain ##
+## required information which MAY be overridden by users as necessary. ##
+###############################################################################
[KRA]
+pki_storage_key_algorithm=SHA256withRSA
+pki_storage_key_size=2048
+pki_storage_key_type=rsa
+pki_storage_signing_algorithm=SHA256withRSA
pki_subsystem=KRA
+pki_transport_key_algorithm=SHA256withRSA
+pki_transport_key_size=2048
+pki_transport_key_type=rsa
+pki_transport_signing_algorithm=SHA256withRSA
pki_war_name=kra.war
+###############################################################################
+## 'OCSP' Data: ##
+## ##
+## Values in this section are common to OCSP subsystems ##
+## including 'PKI OCSPs' and 'Cloned OCSPs', and contain ##
+## required information which MAY be overridden by users as necessary. ##
+###############################################################################
[OCSP]
+pki_ocsp_signing_key_algorithm=SHA256withRSA
+pki_ocsp_signing_key_size=2048
+pki_ocsp_signing_key_type=rsa
+pki_ocsp_signing_signing_algorithm=SHA256withRSA
pki_subsystem=OCSP
pki_war_name=ocsp.war
+###############################################################################
+## 'RA' Data: ##
+## ##
+## Values in this section are common to PKI RA subsystems, and contain ##
+## required information which MAY be overridden by users as necessary. ##
+###############################################################################
[RA]
pki_subsystem=RA
+###############################################################################
+## 'TKS' Data: ##
+## ##
+## Values in this section are common to TKS subsystems ##
+## including 'PKI TKSs' and 'Cloned TKSs', and contain ##
+## required information which MAY be overridden by users as necessary. ##
+###############################################################################
[TKS]
pki_subsystem=TKS
pki_war_name=tks.war
+###############################################################################
+## 'TPS' Data: ##
+## ##
+## Values in this section are common to PKI TPS subsystems, and contain ##
+## required information which MAY be overridden by users as necessary. ##
+###############################################################################
[TPS]
pki_subsystem=TPS
diff --git a/base/deploy/config/pkislots.cfg b/base/deploy/config/pkislots.cfg
index b6c40ebe3..ee75154ce 100644
--- a/base/deploy/config/pkislots.cfg
+++ b/base/deploy/config/pkislots.cfg
@@ -70,8 +70,10 @@ PKI_SECURE_PORT_CONNECTOR_NAME_SLOT=[PKI_SECURE_PORT_CONNECTOR_NAME]
PKI_SECURE_PORT_SERVER_COMMENT_SLOT=[PKI_SECURE_PORT_SERVER_COMMENT]
PKI_SECURITY_MANAGER_SLOT=[PKI_SECURITY_MANAGER]
PKI_SERVER_XML_CONF_SLOT=[PKI_SERVER_XML_CONF]
+PKI_SUBSYSTEM_DIR_SLOT=[PKI_SUBSYSTEM_DIR]
PKI_SUBSYSTEM_TYPE_SLOT=[PKI_SUBSYSTEM_TYPE]
PKI_SYSTEMD_SERVICENAME_SLOT=[PKI_SYSTEMD_SERVICENAME]
+PKI_TMPDIR_SLOT=[PKI_TMPDIR]
PKI_UNSECURE_PORT_SLOT=[PKI_UNSECURE_PORT]
PKI_UNSECURE_PORT_CONNECTOR_NAME_SLOT=[PKI_UNSECURE_PORT_CONNECTOR_NAME]
PKI_UNSECURE_PORT_SERVER_COMMENT_SLOT=[PKI_UNSECURE_PORT_SERVER_COMMENT]
diff --git a/base/deploy/scripts/pkidaemon b/base/deploy/scripts/pkidaemon
index 7be30c9d3..02b02370f 100755
--- a/base/deploy/scripts/pkidaemon
+++ b/base/deploy/scripts/pkidaemon
@@ -51,6 +51,8 @@ case $command in
exit $?
;;
stop)
+ echo "An exit status of '143' refers to the 'systemd' method of using"\
+ "'SIGTERM' to shutdown a Java process and can safely be ignored."
stop
exit $?
;;
diff --git a/base/deploy/src/pkidestroy b/base/deploy/src/pkidestroy
index 6a2db56b8..5faa97cee 100755
--- a/base/deploy/src/pkidestroy
+++ b/base/deploy/src/pkidestroy
@@ -34,6 +34,7 @@ try:
import socket
import string
import struct
+ import subprocess
import time
from time import strftime as date
from pki.deployment import pkiconfig as config
@@ -74,7 +75,18 @@ def main(argv):
config.pki_architecture = struct.calcsize("P") * 8
# Retrieve hostname
- config.pki_hostname = socket.gethostname()
+ config.pki_hostname = socket.getfqdn()
+
+ # Retrieve DNS domainname
+ config.pki_dns_domainname = None
+ try:
+ config.pki_dns_domainname = subprocess.check_output("domainname",
+ shell=True)
+ config.pki_dns_domainname = config.pki_dns_domainname.rstrip('\n')
+ except subprocess.CalledProcessError as exc:
+ config.pki_log.error(log.PKI_SUBPROCESS_ERROR_1, exc,
+ extra=config.PKI_INDENTATION_LEVEL_0)
+ sys.exit(1)
# Initialize 'pretty print' for objects
pp = pprint.PrettyPrinter(indent=4)
@@ -111,6 +123,15 @@ def main(argv):
extra=config.PKI_INDENTATION_LEVEL_0)
sys.exit(1)
else:
+ # NEVER print out 'sensitive' name/value pairs!!!
+ config.pki_log.debug(log.PKI_DICTIONARY_MANDATORY,
+ extra=config.PKI_INDENTATION_LEVEL_0)
+ config.pki_log.debug(pp.pformat(config.pki_mandatory_dict),
+ extra=config.PKI_INDENTATION_LEVEL_0)
+ config.pki_log.debug(log.PKI_DICTIONARY_OPTIONAL,
+ extra=config.PKI_INDENTATION_LEVEL_0)
+ config.pki_log.debug(pp.pformat(config.pki_optional_dict),
+ extra=config.PKI_INDENTATION_LEVEL_0)
config.pki_log.debug(log.PKI_DICTIONARY_COMMON,
extra=config.PKI_INDENTATION_LEVEL_0)
config.pki_log.debug(pp.pformat(config.pki_common_dict),
@@ -126,7 +147,7 @@ def main(argv):
# Override PKI configuration file values with 'custom' command-line values.
if not config.custom_pki_admin_domain_name is None:
- config.pki_common_dict['pki_admin_domain_name'] =\
+ config.pki_optional_dict['pki_admin_domain_name'] =\
config.custom_pki_admin_domain_name
if not config.custom_pki_instance_name is None:
config.pki_web_server_dict['pki_instance_name'] =\
@@ -140,6 +161,15 @@ def main(argv):
if not config.custom_pki_ajp_port is None:
config.pki_web_server_dict['pki_ajp_port'] =\
config.custom_pki_ajp_port
+ # NEVER print out 'sensitive' name/value pairs!!!
+ config.pki_log.debug(log.PKI_DICTIONARY_MANDATORY,
+ extra=config.PKI_INDENTATION_LEVEL_0)
+ config.pki_log.debug(pp.pformat(config.pki_mandatory_dict),
+ extra=config.PKI_INDENTATION_LEVEL_0)
+ config.pki_log.debug(log.PKI_DICTIONARY_OPTIONAL,
+ extra=config.PKI_INDENTATION_LEVEL_0)
+ config.pki_log.debug(pp.pformat(config.pki_optional_dict),
+ extra=config.PKI_INDENTATION_LEVEL_0)
config.pki_log.debug(log.PKI_DICTIONARY_COMMON,
extra=config.PKI_INDENTATION_LEVEL_0)
config.pki_log.debug(pp.pformat(config.pki_common_dict),
diff --git a/base/deploy/src/pkispawn b/base/deploy/src/pkispawn
index 66152a334..931b9baf0 100755
--- a/base/deploy/src/pkispawn
+++ b/base/deploy/src/pkispawn
@@ -34,6 +34,7 @@ try:
import socket
import string
import struct
+ import subprocess
import time
from time import strftime as date
from pki.deployment import pkiconfig as config
@@ -74,7 +75,18 @@ def main(argv):
config.pki_architecture = struct.calcsize("P") * 8
# Retrieve hostname
- config.pki_hostname = socket.gethostname()
+ config.pki_hostname = socket.getfqdn()
+
+ # Retrieve DNS domainname
+ config.pki_dns_domainname = None
+ try:
+ config.pki_dns_domainname = subprocess.check_output("domainname",
+ shell=True)
+ config.pki_dns_domainname = config.pki_dns_domainname.rstrip('\n')
+ except subprocess.CalledProcessError as exc:
+ config.pki_log.error(log.PKI_SUBPROCESS_ERROR_1, exc,
+ extra=config.PKI_INDENTATION_LEVEL_0)
+ sys.exit(1)
# Generate random 'pin's for use as security database passwords
pin_low = 100000000000
@@ -140,6 +152,15 @@ def main(argv):
extra=config.PKI_INDENTATION_LEVEL_0)
sys.exit(1)
else:
+ # NEVER print out 'sensitive' name/value pairs!!!
+ config.pki_log.debug(log.PKI_DICTIONARY_MANDATORY,
+ extra=config.PKI_INDENTATION_LEVEL_0)
+ config.pki_log.debug(pp.pformat(config.pki_mandatory_dict),
+ extra=config.PKI_INDENTATION_LEVEL_0)
+ config.pki_log.debug(log.PKI_DICTIONARY_OPTIONAL,
+ extra=config.PKI_INDENTATION_LEVEL_0)
+ config.pki_log.debug(pp.pformat(config.pki_optional_dict),
+ extra=config.PKI_INDENTATION_LEVEL_0)
config.pki_log.debug(log.PKI_DICTIONARY_COMMON,
extra=config.PKI_INDENTATION_LEVEL_0)
config.pki_log.debug(pp.pformat(config.pki_common_dict),
@@ -155,7 +176,7 @@ def main(argv):
# Override PKI configuration file values with 'custom' command-line values.
if not config.custom_pki_admin_domain_name is None:
- config.pki_common_dict['pki_admin_domain_name'] =\
+ config.pki_optional_dict['pki_admin_domain_name'] =\
config.custom_pki_admin_domain_name
if not config.custom_pki_instance_name is None:
config.pki_web_server_dict['pki_instance_name'] =\
@@ -169,6 +190,15 @@ def main(argv):
if not config.custom_pki_ajp_port is None:
config.pki_web_server_dict['pki_ajp_port'] =\
config.custom_pki_ajp_port
+ # NEVER print out 'sensitive' name/value pairs!!!
+ config.pki_log.debug(log.PKI_DICTIONARY_MANDATORY,
+ extra=config.PKI_INDENTATION_LEVEL_0)
+ config.pki_log.debug(pp.pformat(config.pki_mandatory_dict),
+ extra=config.PKI_INDENTATION_LEVEL_0)
+ config.pki_log.debug(log.PKI_DICTIONARY_OPTIONAL,
+ extra=config.PKI_INDENTATION_LEVEL_0)
+ config.pki_log.debug(pp.pformat(config.pki_optional_dict),
+ extra=config.PKI_INDENTATION_LEVEL_0)
config.pki_log.debug(log.PKI_DICTIONARY_COMMON,
extra=config.PKI_INDENTATION_LEVEL_0)
config.pki_log.debug(pp.pformat(config.pki_common_dict),
diff --git a/base/deploy/src/scriptlets/configuration.jy b/base/deploy/src/scriptlets/configuration.jy
index f7366c723..a40e7c645 100644
--- a/base/deploy/src/scriptlets/configuration.jy
+++ b/base/deploy/src/scriptlets/configuration.jy
@@ -9,7 +9,6 @@ import sys
# PKI Python Imports
import pkijython as jyutil
import pkiconfig as config
-from pkiconfig import pki_master_jython_dict as master
import pkimessages as log
@@ -18,12 +17,19 @@ from java.lang import System as javasystem
def main(argv):
+ rv = 0
+
# Establish 'master' as the PKI jython dictionary
master = dict()
- # import the master dictionary from 'pkispawn'
+ # Import the master dictionary from 'pkispawn'
master = pickle.loads(argv[1])
+ # Optionally enable a java debugger (e. g. - 'eclipse'):
+ if config.str2bool(master['pki_enable_java_debugger']):
+ config.wait_to_attach_an_external_java_debugger()
+
+
# IMPORTANT: Unfortunately, 'jython 2.2' does NOT support logging!
#
# Until, and unless, 'jython 2.5' or later is used,
@@ -59,11 +65,107 @@ def main(argv):
master['pki_jython_log_level'])
# Log into token
- jyutil.security_databases.log_into_token(
- master['pki_client_database_path'],
- master['pki_client_password_conf'],
- master['pki_dry_run_flag'],
- master['pki_jython_log_level'])
+ token = jyutil.security_databases.log_into_token(
+ master['pki_client_database_path'],
+ master['pki_client_password_conf'],
+ master['pki_dry_run_flag'],
+ master['pki_jython_log_level'])
+
+ # Establish REST Client
+ client = jyutil.rest_client.initialize(
+ master['pki_jython_base_uri'],
+ master['pki_dry_run_flag'],
+ master['pki_jython_log_level'])
+
+ # Construct PKI Subsystem Configuration Data
+ data = None
+ if master['pki_instance_type'] == "Apache":
+ if master['pki_subsystem'] == "RA":
+ print "%s '%s' %s" %\
+ (log.PKI_JYTHON_INDENTATION_2,
+ master['pki_subsystem'],
+ log.PKI_JYTHON_NOT_YET_IMPLEMENTED)
+ return self.rv
+ elif master['pki_subsystem'] == "TPS":
+ print "%s '%s' %s" %\
+ (log.PKI_JYTHON_INDENTATION_2,
+ master['pki_subsystem'],
+ log.PKI_JYTHON_NOT_YET_IMPLEMENTED)
+ return self.rv
+ elif master['pki_instance_type'] == "Tomcat":
+ if master['pki_subsystem'] == "CA":
+ if config.str2bool(master['pki_clone']):
+ print "%s '%s %s' %s" %\
+ (log.PKI_JYTHON_INDENTATION_2,
+ log.PKI_JYTHON_CLONED_PKI_SUBSYSTEM,
+ master['pki_subsystem'],
+ log.PKI_JYTHON_NOT_YET_IMPLEMENTED)
+ return self.rv
+ elif config.str2bool(master['pki_external']):
+ print "%s '%s %s' %s" %\
+ (log.PKI_JYTHON_INDENTATION_2,
+ log.PKI_JYTHON_EXTERNAL_CA,
+ master['pki_subsystem'],
+ log.PKI_JYTHON_NOT_YET_IMPLEMENTED)
+ return self.rv
+ elif config.str2bool(master['pki_subordinate']):
+ print "%s '%s %s' %s" %\
+ (log.PKI_JYTHON_INDENTATION_2,
+ log.PKI_JYTHON_SUBORDINATE_CA,
+ master['pki_subsystem'],
+ log.PKI_JYTHON_NOT_YET_IMPLEMENTED)
+ return self.rv
+ else:
+ data = jyutil.rest_client.construct_pki_configuration_data(
+ master, token)
+ elif master['pki_subsystem'] == "KRA":
+ if config.str2bool(master['pki_clone']):
+ print "%s '%s %s' %s" %\
+ (log.PKI_JYTHON_INDENTATION_2,
+ log.PKI_JYTHON_CLONED_PKI_SUBSYSTEM,
+ master['pki_subsystem'],
+ log.PKI_JYTHON_NOT_YET_IMPLEMENTED)
+ return self.rv
+ else:
+ print "%s '%s' %s" %\
+ (log.PKI_JYTHON_INDENTATION_2,
+ master['pki_subsystem'],
+ log.PKI_JYTHON_NOT_YET_IMPLEMENTED)
+ return self.rv
+ elif master['pki_subsystem'] == "OCSP":
+ if config.str2bool(master['pki_clone']):
+ print "%s '%s %s' %s" %\
+ (log.PKI_JYTHON_INDENTATION_2,
+ log.PKI_JYTHON_CLONED_PKI_SUBSYSTEM,
+ master['pki_subsystem'],
+ log.PKI_JYTHON_NOT_YET_IMPLEMENTED)
+ return self.rv
+ else:
+ print "%s '%s' %s" %\
+ (log.PKI_JYTHON_INDENTATION_2,
+ master['pki_subsystem'],
+ log.PKI_JYTHON_NOT_YET_IMPLEMENTED)
+ return self.rv
+ elif master['pki_subsystem'] == "TKS":
+ if config.str2bool(master['pki_clone']):
+ print "%s '%s %s' %s" %\
+ (log.PKI_JYTHON_INDENTATION_2,
+ log.PKI_JYTHON_CLONED_PKI_SUBSYSTEM,
+ master['pki_subsystem'],
+ log.PKI_JYTHON_NOT_YET_IMPLEMENTED)
+ return self.rv
+ else:
+ print "%s '%s' %s" %\
+ (log.PKI_JYTHON_INDENTATION_2,
+ master['pki_subsystem'],
+ log.PKI_JYTHON_NOT_YET_IMPLEMENTED)
+ return self.rv
+
+ # Formulate PKI Subsystem Configuration Data Response
+ jyutil.rest_client.configure_pki_data(data,
+ master['pki_subsystem'],
+ master['pki_dry_run_flag'],
+ master['pki_jython_log_level'])
if __name__ == "__main__":
diff --git a/base/deploy/src/scriptlets/configuration.py b/base/deploy/src/scriptlets/configuration.py
index f40573940..421e08dc0 100644
--- a/base/deploy/src/scriptlets/configuration.py
+++ b/base/deploy/src/scriptlets/configuration.py
@@ -36,9 +36,13 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
extra=config.PKI_INDENTATION_LEVEL_1)
if not config.pki_dry_run_flag:
util.directory.create(master['pki_client_path'], uid=0, gid=0)
+ # Since 'certutil' does NOT strip the 'token=' portion of
+ # the 'token=password' entries, create a client password file
+ # which ONLY contains the 'password' for the purposes of
+ # allowing 'certutil' to generate the security databases
util.password.create_password_conf(
master['pki_client_password_conf'],
- master['pki_client_pin'])
+ master['pki_client_pin'], pin_sans_token=True)
util.directory.create(master['pki_client_database_path'],
uid=0, gid=0)
util.certutil.create_security_databases(
@@ -47,19 +51,60 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
master['pki_client_key_database'],
master['pki_client_secmod_database'],
password_file=master['pki_client_password_conf'])
- util.symlink.create(
- config.pki_master_dict['pki_systemd_service'],
- config.pki_master_dict['pki_systemd_service_link'])
+ util.symlink.create(master['pki_systemd_service'],
+ master['pki_systemd_service_link'])
else:
+ # Since 'certutil' does NOT strip the 'token=' portion of
+ # the 'token=password' entries, create a client password file
+ # which ONLY contains the 'password' for the purposes of
+ # allowing 'certutil' to generate the security databases
util.password.create_password_conf(
master['pki_client_password_conf'],
- master['pki_client_pin'])
+ master['pki_client_pin'], pin_sans_token=True)
util.certutil.create_security_databases(
master['pki_client_database_path'],
master['pki_client_cert_database'],
master['pki_client_key_database'],
master['pki_client_secmod_database'],
password_file=master['pki_client_password_conf'])
+ # Start/Restart this Apache/Tomcat PKI Process
+ if not config.pki_dry_run_flag:
+ if master['pki_subsystem'] in config.PKI_APACHE_SUBSYSTEMS:
+ apache_instances = util.instance.apache_instances()
+ if apache_instances == 1:
+ util.systemd.start()
+ elif apache_instances > 1:
+ util.systemd.restart()
+ elif master['pki_subsystem'] in config.PKI_TOMCAT_SUBSYSTEMS:
+ # Optionally prepare to enable a java debugger
+ # (e. g. - 'eclipse'):
+ if config.str2bool(master['pki_enable_java_debugger']):
+ config.prepare_for_an_external_java_debugger(
+ master['pki_target_tomcat_conf_instance_id'])
+ tomcat_instances = util.instance.tomcat_instances()
+ if tomcat_instances == 1:
+ util.systemd.start()
+ elif tomcat_instances > 1:
+ util.systemd.restart()
+ else:
+ # ALWAYS display correct information (even during dry_run)
+ if master['pki_subsystem'] in config.PKI_APACHE_SUBSYSTEMS:
+ apache_instances = util.instance.apache_instances()
+ if apache_instances == 0:
+ util.systemd.start()
+ elif apache_instances > 0:
+ util.systemd.restart()
+ elif master['pki_subsystem'] in config.PKI_TOMCAT_SUBSYSTEMS:
+ # Optionally prepare to enable a java debugger
+ # (e. g. - 'eclipse'):
+ if config.str2bool(master['pki_enable_java_debugger']):
+ config.prepare_for_an_external_java_debugger(
+ master['pki_target_tomcat_conf_instance_id'])
+ tomcat_instances = util.instance.tomcat_instances()
+ if tomcat_instances == 0:
+ util.systemd.start()
+ elif tomcat_instances > 0:
+ util.systemd.restart()
# Pass control to the Java servlet via Jython 2.2 'configuration.jy'
util.jython.invoke(master['pki_jython_configuration_scriptlet'])
return self.rv
@@ -67,6 +112,8 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
def respawn(self):
config.pki_log.info(log.CONFIGURATION_RESPAWN_1, __name__,
extra=config.PKI_INDENTATION_LEVEL_1)
+ # ALWAYS Restart this Apache/Tomcat PKI Process
+ util.systemd.restart()
return self.rv
def destroy(self):
@@ -76,23 +123,19 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
if master['pki_subsystem'] in config.PKI_APACHE_SUBSYSTEMS and\
util.instance.apache_instances() == 1:
util.directory.delete(master['pki_client_path'])
- util.symlink.delete(
- config.pki_master_dict['pki_systemd_service_link'])
+ util.symlink.delete(master['pki_systemd_service_link'])
elif master['pki_subsystem'] in config.PKI_TOMCAT_SUBSYSTEMS and\
util.instance.tomcat_instances() == 1:
util.directory.delete(master['pki_client_path'])
- util.symlink.delete(
- config.pki_master_dict['pki_systemd_service_link'])
+ util.symlink.delete(master['pki_systemd_service_link'])
else:
# ALWAYS display correct information (even during dry_run)
if master['pki_subsystem'] in config.PKI_APACHE_SUBSYSTEMS and\
util.instance.apache_instances() == 0:
util.directory.delete(master['pki_client_path'])
- util.symlink.delete(
- config.pki_master_dict['pki_systemd_service_link'])
+ util.symlink.delete(master['pki_systemd_service_link'])
elif master['pki_subsystem'] in config.PKI_TOMCAT_SUBSYSTEMS and\
util.instance.tomcat_instances() == 0:
util.directory.delete(master['pki_client_path'])
- util.symlink.delete(
- config.pki_master_dict['pki_systemd_service_link'])
+ util.symlink.delete(master['pki_systemd_service_link'])
return self.rv
diff --git a/base/deploy/src/scriptlets/finalization.py b/base/deploy/src/scriptlets/finalization.py
index 02c5065cb..bceec67e0 100644
--- a/base/deploy/src/scriptlets/finalization.py
+++ b/base/deploy/src/scriptlets/finalization.py
@@ -100,4 +100,20 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
extra=config.PKI_INDENTATION_LEVEL_0)
if not config.pki_dry_run_flag:
util.file.modify(master['pki_destroy_log'], silent=True)
+ # Start this Apache/Tomcat PKI Process
+ if not config.pki_dry_run_flag:
+ if master['pki_subsystem'] in config.PKI_APACHE_SUBSYSTEMS and\
+ util.instance.apache_instances() >= 1:
+ util.systemd.start()
+ elif master['pki_subsystem'] in config.PKI_TOMCAT_SUBSYSTEMS and\
+ util.instance.tomcat_instances() >= 1:
+ util.systemd.start()
+ else:
+ # ALWAYS display correct information (even during dry_run)
+ if master['pki_subsystem'] in config.PKI_APACHE_SUBSYSTEMS and\
+ util.instance.apache_instances() >= 0:
+ util.systemd.start()
+ elif master['pki_subsystem'] in config.PKI_TOMCAT_SUBSYSTEMS and\
+ util.instance.tomcat_instances() >= 0:
+ util.systemd.start()
return self.rv
diff --git a/base/deploy/src/scriptlets/initialization.py b/base/deploy/src/scriptlets/initialization.py
index 3077737c8..1ff8522ed 100644
--- a/base/deploy/src/scriptlets/initialization.py
+++ b/base/deploy/src/scriptlets/initialization.py
@@ -41,9 +41,14 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
# verify that this type of "subsystem" does NOT yet
# exist for this "instance"
util.instance.verify_subsystem_does_not_exist()
+ # initialize 'uid' and 'gid'
+ util.identity.add_uid_and_gid(master['pki_user'], master['pki_group'])
# establish 'uid' and 'gid'
util.identity.set_uid(master['pki_user'])
util.identity.set_gid(master['pki_group'])
+ # verify existence of MANDATORY configuration file data
+ util.configuration_file.verify_sensitive_data()
+ util.configuration_file.verify_mutually_exclusive_data()
return self.rv
def respawn(self):
@@ -74,4 +79,6 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
# establish 'uid' and 'gid'
util.identity.set_uid(master['pki_user'])
util.identity.set_gid(master['pki_group'])
+ # ALWAYS Stop this Apache/Tomcat PKI Process
+ util.systemd.stop()
return self.rv
diff --git a/base/deploy/src/scriptlets/instance_layout.py b/base/deploy/src/scriptlets/instance_layout.py
index 8a645f029..2fd7165d1 100644
--- a/base/deploy/src/scriptlets/instance_layout.py
+++ b/base/deploy/src/scriptlets/instance_layout.py
@@ -48,30 +48,90 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
# establish Tomcat instance base
util.directory.create(master['pki_tomcat_common_path'])
util.directory.create(master['pki_tomcat_common_lib_path'])
+ util.directory.create(master['pki_tomcat_tmpdir_path'])
util.directory.create(master['pki_tomcat_webapps_path'])
util.directory.create(master['pki_tomcat_webapps_root_path'])
util.directory.create(master['pki_tomcat_webapps_root_webinf_path'])
util.file.copy(master['pki_source_webapps_root_web_xml'],
master['pki_tomcat_webapps_root_webinf_web_xml'],
overwrite_flag=True)
- util.directory.create(master['pki_tomcat_webapps_webinf_path'])
+ util.directory.create(master['pki_tomcat_work_path'])
+ util.directory.create(master['pki_tomcat_work_catalina_path'])
+ util.directory.create(master['pki_tomcat_work_catalina_host_path'])
util.directory.create(
- master['pki_tomcat_webapps_webinf_classes_path'])
- util.directory.create(master['pki_tomcat_webapps_webinf_lib_path'])
+ master['pki_tomcat_work_catalina_host_run_path'])
+ util.directory.create(
+ master['pki_tomcat_work_catalina_host_subsystem_path'])
# establish Tomcat instance logs
# establish Tomcat instance configuration
util.directory.copy(master['pki_source_shared_path'],
master['pki_instance_configuration_path'],
overwrite_flag=True)
# establish Tomcat instance registry
- # establish Tomcat instance convenience
- # symbolic links
+ # establish Tomcat instance convenience symbolic links
util.symlink.create(master['pki_tomcat_bin_path'],
master['pki_tomcat_bin_link'])
util.symlink.create(master['pki_tomcat_lib_path'],
master['pki_tomcat_lib_link'])
+ util.symlink.create(master['pki_instance_log4j_properties'],
+ master['pki_tomcat_lib_log4j_properties_link'],
+ uid=0, gid=0)
util.symlink.create(master['pki_tomcat_systemd'],
- master['pki_instance_systemd_link'])
+ master['pki_instance_systemd_link'],
+ uid=0, gid=0)
+ # establish Tomcat instance common lib jar symbolic links
+ util.symlink.create(master['pki_apache_commons_collections_jar'],
+ master['pki_apache_commons_collections_jar_link'])
+ util.symlink.create(master['pki_apache_commons_lang_jar'],
+ master['pki_apache_commons_lang_jar_link'])
+ util.symlink.create(master['pki_apache_commons_logging_jar'],
+ master['pki_apache_commons_logging_jar_link'])
+ util.symlink.create(master['pki_commons_codec_jar'],
+ master['pki_commons_codec_jar_link'])
+ util.symlink.create(master['pki_httpclient_jar'],
+ master['pki_httpclient_jar_link'])
+ util.symlink.create(master['pki_javassist_jar'],
+ master['pki_javassist_jar_link'])
+ util.symlink.create(master['pki_resteasy_jaxrs_api_jar'],
+ master['pki_resteasy_jaxrs_api_jar_link'])
+ util.symlink.create(master['pki_jettison_jar'],
+ master['pki_jettison_jar_link'])
+ util.symlink.create(master['pki_jss_jar'],
+ master['pki_jss_jar_link'])
+ util.symlink.create(master['pki_ldapjdk_jar'],
+ master['pki_ldapjdk_jar_link'])
+ util.symlink.create(master['pki_certsrv_jar'],
+ master['pki_certsrv_jar_link'])
+ util.symlink.create(master['pki_cmsbundle'],
+ master['pki_cmsbundle_jar_link'])
+ util.symlink.create(master['pki_cmscore'],
+ master['pki_cmscore_jar_link'])
+ util.symlink.create(master['pki_cms'],
+ master['pki_cms_jar_link'])
+ util.symlink.create(master['pki_cmsutil'],
+ master['pki_cmsutil_jar_link'])
+ util.symlink.create(master['pki_nsutil'],
+ master['pki_nsutil_jar_link'])
+ util.symlink.create(master['pki_resteasy_jaxb_provider_jar'],
+ master['pki_resteasy_jaxb_provider_jar_link'])
+ util.symlink.create(master['pki_resteasy_jaxrs_jar'],
+ master['pki_resteasy_jaxrs_jar_link'])
+ util.symlink.create(master['pki_resteasy_jettison_provider_jar'],
+ master['pki_resteasy_jettison_provider_jar_link'])
+ util.symlink.create(master['pki_scannotation_jar'],
+ master['pki_scannotation_jar_link'])
+ util.symlink.create(master['pki_symkey_jar'],
+ master['pki_symkey_jar_link'])
+ util.symlink.create(master['pki_tomcatjss_jar'],
+ master['pki_tomcatjss_jar_link'])
+ util.symlink.create(master['pki_velocity_jar'],
+ master['pki_velocity_jar_link'])
+ util.symlink.create(master['pki_xerces_j2_jar'],
+ master['pki_xerces_j2_jar_link'])
+ util.symlink.create(master['pki_xml_commons_apis_jar'],
+ master['pki_xml_commons_apis_jar_link'])
+ util.symlink.create(master['pki_xml_commons_resolver_jar'],
+ master['pki_xml_commons_resolver_jar_link'])
# establish shared NSS security databases for this instance
util.directory.create(master['pki_database_path'])
# establish instance convenience symbolic links
@@ -106,16 +166,53 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
util.file.copy(master['pki_source_webapps_root_web_xml'],
master['pki_tomcat_webapps_root_webinf_web_xml'],
overwrite_flag=True)
- util.directory.modify(master['pki_tomcat_webapps_webinf_path'])
+ util.directory.modify(master['pki_tomcat_work_path'])
+ util.directory.modify(master['pki_tomcat_work_catalina_path'])
+ util.directory.modify(master['pki_tomcat_work_catalina_host_path'])
+ util.directory.modify(
+ master['pki_tomcat_work_catalina_host_run_path'])
util.directory.modify(
- master['pki_tomcat_webapps_webinf_classes_path'])
- util.directory.modify(master['pki_tomcat_webapps_webinf_lib_path'])
+ master['pki_tomcat_work_catalina_host_subsystem_path'])
# update Tomcat instance logs
# update Tomcat instance configuration
# update Tomcat instance registry
# update Tomcat instance convenience symbolic links
util.symlink.modify(master['pki_tomcat_bin_link'])
util.symlink.modify(master['pki_tomcat_lib_link'])
+ util.symlink.modify(master['pki_tomcat_lib_log4j_properties_link'],
+ uid=0, gid=0)
+ util.symlink.modify(master['pki_instance_systemd_link'],
+ uid=0, gid=0)
+ # update Tomcat instance common lib jar symbolic links
+
+ util.symlink.modify(
+ master['pki_apache_commons_collections_jar_link'])
+ util.symlink.modify(master['pki_apache_commons_lang_jar_link'])
+ util.symlink.modify(master['pki_apache_commons_logging_jar_link'])
+ util.symlink.modify(master['pki_commons_codec_jar_link'])
+ util.symlink.modify(master['pki_httpclient_jar_link'])
+ util.symlink.modify(master['pki_javassist_jar_link'])
+ util.symlink.modify(master['pki_resteasy_jaxrs_api_jar_link'])
+ util.symlink.modify(master['pki_jettison_jar_link'])
+ util.symlink.modify(master['pki_jss_jar_link'])
+ util.symlink.modify(master['pki_ldapjdk_jar_link'])
+ util.symlink.modify(master['pki_certsrv_jar_link'])
+ util.symlink.modify(master['pki_cmsbundle_jar_link'])
+ util.symlink.modify(master['pki_cmscore_jar_link'])
+ util.symlink.modify(master['pki_cms_jar_link'])
+ util.symlink.modify(master['pki_cmsutil_jar_link'])
+ util.symlink.modify(master['pki_nsutil_jar_link'])
+ util.symlink.modify(master['pki_resteasy_jaxb_provider_jar_link'])
+ util.symlink.modify(master['pki_resteasy_jaxrs_jar_link'])
+ util.symlink.modify(
+ master['pki_resteasy_jettison_provider_jar_link'])
+ util.symlink.modify(master['pki_scannotation_jar_link'])
+ util.symlink.modify(master['pki_symkey_jar_link'])
+ util.symlink.modify(master['pki_tomcatjss_jar_link'])
+ util.symlink.modify(master['pki_velocity_jar_link'])
+ util.symlink.modify(master['pki_xerces_j2_jar_link'])
+ util.symlink.modify(master['pki_xml_commons_apis_jar_link'])
+ util.symlink.modify(master['pki_xml_commons_resolver_jar_link'])
# update shared NSS security databases for this instance
util.directory.modify(master['pki_database_path'])
# update instance convenience symbolic links
@@ -150,6 +247,8 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
# remove shared NSS security database path for this instance
util.directory.delete(master['pki_database_path'])
# remove Tomcat instance configuration
+ util.symlink.delete(
+ master['pki_tomcat_lib_log4j_properties_link'])
util.directory.delete(master['pki_instance_configuration_path'])
# remove Tomcat instance registry
util.directory.delete(master['pki_instance_type_registry_path'])
@@ -174,6 +273,8 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
# remove shared NSS security database path for this instance
util.directory.delete(master['pki_database_path'])
# remove Tomcat instance configuration
+ util.symlink.delete(
+ master['pki_tomcat_lib_log4j_properties_link'])
util.directory.delete(master['pki_instance_configuration_path'])
# remove Tomcat instance registry
util.directory.delete(master['pki_instance_type_registry_path'])
diff --git a/base/deploy/src/scriptlets/pkiconfig.py b/base/deploy/src/scriptlets/pkiconfig.py
index 2acd37d36..07537d7aa 100644
--- a/base/deploy/src/scriptlets/pkiconfig.py
+++ b/base/deploy/src/scriptlets/pkiconfig.py
@@ -28,6 +28,13 @@ PKI_DEPLOYMENT_DEFAULT_SGID_DIR_PERMISSIONS = 02770
PKI_DEPLOYMENT_DEFAULT_SYMLINK_PERMISSIONS = 00777
PKI_DEPLOYMENT_DEFAULT_UMASK = 00002
+PKI_DEPLOYMENT_DEFAULT_COMMENT = "'Certificate System'"
+PKI_DEPLOYMENT_DEFAULT_GID = 17
+PKI_DEPLOYMENT_DEFAULT_GROUP = "pkiuser"
+PKI_DEPLOYMENT_DEFAULT_SHELL = "/sbin/nologin"
+PKI_DEPLOYMENT_DEFAULT_UID = 17
+PKI_DEPLOYMENT_DEFAULT_USER = "pkiuser"
+
PKI_SUBSYSTEMS = ["CA","KRA","OCSP","RA","TKS","TPS"]
PKI_SIGNED_AUDIT_SUBSYSTEMS = ["CA","KRA","OCSP","TKS","TPS"]
PKI_APACHE_SUBSYSTEMS = ["RA","TPS"]
@@ -39,6 +46,12 @@ PKI_INDENTATION_LEVEL_2 = {'indent' : '....... '}
PKI_INDENTATION_LEVEL_3 = {'indent' : '........... '}
PKI_INDENTATION_LEVEL_4 = {'indent' : '............... '}
+PKI_DEPLOYMENT_INTERRUPT_BANNER = "-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+"\
+ "-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-"
+PKI_DEPLOYMENT_JAR_SOURCE_ROOT = "/usr/share/java"
+PKI_DEPLOYMENT_HTTPCOMPONENTS_JAR_SOURCE_ROOT = "/usr/share/java/httpcomponents"
+PKI_DEPLOYMENT_PKI_JAR_SOURCE_ROOT = "/usr/share/java/pki"
+PKI_DEPLOYMENT_RESTEASY_JAR_SOURCE_ROOT = "/usr/share/java/resteasy"
PKI_DEPLOYMENT_SOURCE_ROOT = "/usr/share/pki"
PKI_DEPLOYMENT_SYSTEMD_ROOT = "/lib/systemd/system"
PKI_DEPLOYMENT_SYSTEMD_CONFIGURATION_ROOT = "/etc/systemd/system"
@@ -101,6 +114,48 @@ custom_pki_https_port = None
custom_pki_ajp_port = None
+# PKI Deployment Helper Functions
+def str2bool(string):
+ return string.lower() in ("yes", "true", "t", "1")
+
+# NOTE: To utilize the 'preparations_for_an_external_java_debugger(master)'
+# and 'wait_to_attach_an_external_java_debugger(master)' functions,
+# change 'pki_enable_java_debugger=False' to
+# 'pki_enable_java_debugger=True' in the appropriate
+# 'pkideployment.cfg' configuration file.
+def prepare_for_an_external_java_debugger(instance):
+ print
+ print PKI_DEPLOYMENT_INTERRUPT_BANNER
+ print
+ print "The following 'JAVA_OPTS' MUST be enabled (uncommented) in"
+ print "'%s':" % instance
+ print
+ print " JAVA_OPTS=\"-Xdebug -Xrunjdwp:transport=dt_socket,\""
+ print " \"address=8000,server=y,suspend\""
+ print
+ raw_input("Enable external java debugger 'JAVA_OPTS' "\
+ "and press return to continue . . . ")
+ print
+ print PKI_DEPLOYMENT_INTERRUPT_BANNER
+ print
+ return
+
+def wait_to_attach_an_external_java_debugger():
+ print
+ print PKI_DEPLOYMENT_INTERRUPT_BANNER
+ print
+ print "Attach the java debugger to this process on the port specified by"
+ print "the 'address' selected by 'JAVA_OPTS' (e. g. - port 8000) and"
+ print "set any desired breakpoints"
+ print
+ raw_input("Please attach an external java debugger "\
+ "and press return to continue . . . ")
+ print
+ print PKI_DEPLOYMENT_INTERRUPT_BANNER
+ print
+ return
+
+
# PKI Deployment Logger Variables
pki_jython_log_level = None
pki_log = None
@@ -111,6 +166,9 @@ pki_console_log_level = None
# PKI Deployment Global Dictionaries
+pki_sensitive_dict = None
+pki_mandatory_dict = None
+pki_optional_dict = None
pki_common_dict = None
pki_web_server_dict = None
pki_subsystem_dict = None
diff --git a/base/deploy/src/scriptlets/pkihelper.py b/base/deploy/src/scriptlets/pkihelper.py
index b88eafe72..7b77bcee5 100644
--- a/base/deploy/src/scriptlets/pkihelper.py
+++ b/base/deploy/src/scriptlets/pkihelper.py
@@ -30,14 +30,17 @@ import random
import shutil
import string
import subprocess
+from grp import getgrgid
from grp import getgrnam
from pwd import getpwnam
+from pwd import getpwuid
import zipfile
# PKI Deployment Imports
import pkiconfig as config
from pkiconfig import pki_master_dict as master
+from pkiconfig import pki_sensitive_dict as sensitive
from pkiconfig import pki_slots_dict as slots
import pkimanifest as manifest
import pkimessages as log
@@ -117,6 +120,136 @@ def pki_copytree(src, dst, symlinks=False, ignore=None):
# PKI Deployment Identity Class
class identity:
+ def __add_gid(self, pki_group):
+ pki_gid = None
+ try:
+ # Does the specified 'pki_group' exist?
+ pki_gid = getgrnam(pki_group)[2]
+ # Yes, group 'pki_group' exists!
+ config.pki_log.info(log.PKIHELPER_GROUP_ADD_2, pki_group, pki_gid,
+ extra=config.PKI_INDENTATION_LEVEL_2)
+ except KeyError as exc:
+ # No, group 'pki_group' does not exist!
+ config.pki_log.debug(log.PKIHELPER_GROUP_ADD_KEYERROR_1, exc,
+ extra=config.PKI_INDENTATION_LEVEL_2)
+ try:
+ # Is the default well-known GID already defined?
+ group = getgrgid(config.PKI_DEPLOYMENT_DEFAULT_GID)[0]
+ # Yes, the default well-known GID exists!
+ config.pki_log.info(log.PKIHELPER_GROUP_ADD_DEFAULT_2,
+ group, config.PKI_DEPLOYMENT_DEFAULT_GID,
+ extra=config.PKI_INDENTATION_LEVEL_2)
+ # Attempt to create 'pki_group' using a random GID.
+ command = "/usr/sbin/groupadd" + " " +\
+ pki_group + " " +\
+ "> /dev/null 2>&1"
+ except KeyError as exc:
+ # No, the default well-known GID does not exist!
+ config.pki_log.debug(log.PKIHELPER_GROUP_ADD_GID_KEYERROR_1,
+ exc, extra=config.PKI_INDENTATION_LEVEL_2)
+ # Is the specified 'pki_group' the default well-known group?
+ if pki_group == config.PKI_DEPLOYMENT_DEFAULT_GROUP:
+ # Yes, attempt to create the default well-known group
+ # using the default well-known GID.
+ command = "/usr/sbin/groupadd" + " " +\
+ "-g" + " " +\
+ str(config.PKI_DEPLOYMENT_DEFAULT_GID) + " " +\
+ "-r" + " " +\
+ pki_group + " " +\
+ "> /dev/null 2>&1"
+ else:
+ # No, attempt to create 'pki_group' using a random GID.
+ command = "/usr/sbin/groupadd" + " " +\
+ pki_group + " " +\
+ "> /dev/null 2>&1"
+ # Execute this "groupadd" command.
+ subprocess.call(command, shell=True)
+ except subprocess.CalledProcessError as exc:
+ config.pki_log.error(log.PKI_SUBPROCESS_ERROR_1, exc,
+ extra=config.PKI_INDENTATION_LEVEL_2)
+ sys.exit(1)
+ return
+
+ def __add_uid(self, pki_user, pki_group):
+ pki_uid = None
+ try:
+ # Does the specified 'pki_user' exist?
+ pki_uid = getpwnam(pki_user)[2]
+ # Yes, user 'pki_user' exists!
+ config.pki_log.info(log.PKIHELPER_USER_ADD_2, pki_user, pki_uid,
+ extra=config.PKI_INDENTATION_LEVEL_2)
+ # NOTE: For now, never check validity of specified 'pki_group'!
+ except KeyError as exc:
+ # No, user 'pki_user' does not exist!
+ config.pki_log.debug(log.PKIHELPER_USER_ADD_KEYERROR_1, exc,
+ extra=config.PKI_INDENTATION_LEVEL_2)
+ try:
+ # Is the default well-known UID already defined?
+ user = getpwuid(config.PKI_DEPLOYMENT_DEFAULT_UID)[0]
+ # Yes, the default well-known UID exists!
+ config.pki_log.info(log.PKIHELPER_USER_ADD_DEFAULT_2,
+ user, config.PKI_DEPLOYMENT_DEFAULT_UID,
+ extra=config.PKI_INDENTATION_LEVEL_2)
+ # Attempt to create 'pki_user' using a random UID.
+ command = "/usr/sbin/useradd" + " " +\
+ "-g" + " " +\
+ pki_group + " " +\
+ "-d" + " " +\
+ config.PKI_DEPLOYMENT_SOURCE_ROOT + " " +\
+ "-s" + " " +\
+ config.PKI_DEPLOYMENT_DEFAULT_SHELL + " " +\
+ "-c" + " " +\
+ config.PKI_DEPLOYMENT_DEFAULT_COMMENT + " " +\
+ pki_user + " " +\
+ "> /dev/null 2>&1"
+ except KeyError as exc:
+ # No, the default well-known UID does not exist!
+ config.pki_log.debug(log.PKIHELPER_USER_ADD_UID_KEYERROR_1,
+ exc, extra=config.PKI_INDENTATION_LEVEL_2)
+ # Is the specified 'pki_user' the default well-known user?
+ if pki_user == config.PKI_DEPLOYMENT_DEFAULT_USER:
+ # Yes, attempt to create the default well-known user
+ # using the default well-known UID.
+ command = "/usr/sbin/useradd" + " " +\
+ "-g" + " " +\
+ pki_group + " " +\
+ "-d" + " " +\
+ config.PKI_DEPLOYMENT_SOURCE_ROOT + " " +\
+ "-s" + " " +\
+ config.PKI_DEPLOYMENT_DEFAULT_SHELL + " " +\
+ "-c" + " " +\
+ config.PKI_DEPLOYMENT_DEFAULT_COMMENT + " " +\
+ "-u" + " " +\
+ str(config.PKI_DEPLOYMENT_DEFAULT_UID) + " " +\
+ "-r" + " " +\
+ pki_user + " " +\
+ "> /dev/null 2>&1"
+ else:
+ # No, attempt to create 'pki_user' using a random UID.
+ command = "/usr/sbin/useradd" + " " +\
+ "-g" + " " +\
+ pki_group + " " +\
+ "-d" + " " +\
+ config.PKI_DEPLOYMENT_SOURCE_ROOT + " " +\
+ "-s" + " " +\
+ config.PKI_DEPLOYMENT_DEFAULT_SHELL + " " +\
+ "-c" + " " +\
+ config.PKI_DEPLOYMENT_DEFAULT_COMMENT + " " +\
+ pki_user + " " +\
+ "> /dev/null 2>&1"
+ # Execute this "useradd" command.
+ subprocess.call(command, shell=True)
+ except subprocess.CalledProcessError as exc:
+ config.pki_log.error(log.PKI_SUBPROCESS_ERROR_1, exc,
+ extra=config.PKI_INDENTATION_LEVEL_2)
+ sys.exit(1)
+ return
+
+ def add_uid_and_gid(self, pki_user, pki_group):
+ self.__add_gid(pki_group)
+ self.__add_uid(pki_user, pki_group)
+ return
+
def get_uid(self, critical_failure=True):
try:
pki_uid = master['pki_uid']
@@ -170,18 +303,140 @@ class identity:
return pki_gid
+# PKI Deployment Configuration File Class
+class configuration_file:
+ def verify_sensitive_data(self):
+ # Silently verify the existence of 'sensitive' data
+ if master['pki_subsystem'] in config.PKI_TOMCAT_SUBSYSTEMS:
+ # Verify existence of Directory Server Password (ALWAYS)
+ if not sensitive.has_key('pki_ds_password') or\
+ not len(sensitive['pki_ds_password']):
+ config.pki_log.error(
+ log.PKIHELPER_UNDEFINED_DS_PASSWORD_1,
+ config.pkideployment_cfg,
+ extra=config.PKI_INDENTATION_LEVEL_2)
+ sys.exit(1)
+ # Verify existence of Admin Password (except for Clones)
+ if not config.str2bool(master['pki_clone']):
+ if not sensitive.has_key('pki_admin_password') or\
+ not len(sensitive['pki_admin_password']):
+ config.pki_log.error(
+ log.PKIHELPER_UNDEFINED_ADMIN_PASSWORD_1,
+ config.pkideployment_cfg,
+ extra=config.PKI_INDENTATION_LEVEL_2)
+ sys.exit(1)
+ # If required, verify existence of Backup Password
+ # (except for Clones)
+ if config.str2bool(master['pki_backup_keys']):
+ if not config.str2bool(master['pki_clone']):
+ if not sensitive.has_key('pki_backup_password') or\
+ not len(sensitive['pki_backup_password']):
+ config.pki_log.error(
+ log.PKIHELPER_UNDEFINED_BACKUP_PASSWORD_1,
+ config.pkideployment_cfg,
+ extra=config.PKI_INDENTATION_LEVEL_2)
+ sys.exit(1)
+ # Verify existence of PKCS #12 Password (ONLY for Clones)
+ if config.str2bool(master['pki_clone']):
+ if not sensitive.has_key('pki_pkcs12_password') or\
+ not len(sensitive['pki_pkcs12_password']):
+ config.pki_log.error(
+ log.PKIHELPER_UNDEFINED_PKCS12_PASSWORD_1,
+ config.pkideployment_cfg,
+ extra=config.PKI_INDENTATION_LEVEL_2)
+ sys.exit(1)
+ # Verify existence of Security Domain Password File
+ # (ONLY for Clones, Subordinate CA, KRA, OCSP, RA, TKS, or TPS)
+ if config.str2bool(master['pki_clone']) or\
+ config.str2bool(master['pki_subordinate']) or\
+ master['pki_subsystem'] == "KRA" or\
+ master['pki_subsystem'] == "OCSP" or\
+ master['pki_subsystem'] == "RA" or\
+ master['pki_subsystem'] == "TKS" or\
+ master['pki_subsystem'] == "TPS":
+ if not sensitive.has_key('pki_security_domain_password') or\
+ not len(sensitive['pki_security_domain_password']):
+ config.pki_log.error(
+ log.PKIHELPER_UNDEFINED_SECURITY_DOMAIN_PASSWORD_1,
+ config.pkideployment_cfg,
+ extra=config.PKI_INDENTATION_LEVEL_2)
+ sys.exit(1)
+ return
+
+ def verify_mutually_exclusive_data(self):
+ # Silently verify the existence of 'mutually exclusive' data
+ if master['pki_subsystem'] in config.PKI_TOMCAT_SUBSYSTEMS:
+ if master['pki_subsystem'] == "CA":
+ if config.str2bool(master['pki_clone']) and\
+ config.str2bool(master['pki_external']) and\
+ config.str2bool(master['pki_subordinate']):
+ config.pki_log.error(
+ log.PKIHELPER_MUTUALLY_EXCLUSIVE_CLONE_EXTERNAL_SUB_CA,
+ config.pkideployment_cfg,
+ extra=config.PKI_INDENTATION_LEVEL_2)
+ sys.exit(1)
+ elif config.str2bool(master['pki_clone']) and\
+ config.str2bool(master['pki_external']):
+ config.pki_log.error(
+ log.PKIHELPER_MUTUALLY_EXCLUSIVE_CLONE_EXTERNAL_CA,
+ config.pkideployment_cfg,
+ extra=config.PKI_INDENTATION_LEVEL_2)
+ sys.exit(1)
+ elif config.str2bool(master['pki_clone']) and\
+ config.str2bool(master['pki_subordinate']):
+ config.pki_log.error(
+ log.PKIHELPER_MUTUALLY_EXCLUSIVE_CLONE_SUB_CA,
+ config.pkideployment_cfg,
+ extra=config.PKI_INDENTATION_LEVEL_2)
+ sys.exit(1)
+ elif config.str2bool(master['pki_external']) and\
+ config.str2bool(master['pki_subordinate']):
+ config.pki_log.error(
+ log.PKIHELPER_MUTUALLY_EXCLUSIVE_EXTERNAL_SUB_CA,
+ config.pkideployment_cfg,
+ extra=config.PKI_INDENTATION_LEVEL_2)
+ sys.exit(1)
+
+
+# PKI Deployment XML File Class
+#class xml_file:
+# def remove_filter_section_from_web_xml(self,
+# web_xml_source,
+# web_xml_target):
+# config.pki_log.info(log.PKIHELPER_REMOVE_FILTER_SECTION_1,
+# master['pki_target_subsystem_web_xml'],
+# extra=config.PKI_INDENTATION_LEVEL_2)
+# if not config.pki_dry_run_flag:
+# begin_filters_section = False
+# begin_servlet_section = False
+# FILE = open(web_xml_target, "w")
+# for line in fileinput.FileInput(web_xml_source):
+# if not begin_filters_section:
+# # Read and write lines until first "<filter>" tag
+# if line.count("<filter>") >= 1:
+# # Mark filters section
+# begin_filters_section = True
+# else:
+# FILE.write(line)
+# elif not begin_servlet_section:
+# # Skip lines until first "<servlet>" tag
+# if line.count("<servlet>") >= 1:
+# # Mark servlets section and write out the opening tag
+# begin_servlet_section = True
+# FILE.write(line)
+# else:
+# continue
+# else:
+# # Read and write lines all lines after "<servlet>" tag
+# FILE.write(line)
+# FILE.close()
+
+
# PKI Deployment Instance Class
class instance:
def apache_instances(self):
rv = 0
try:
- if not os.path.exists(master['pki_instance_path']) or\
- not os.path.isdir(master['pki_instance_path']):
- config.pki_log.error(
- log.PKI_DIRECTORY_MISSING_OR_NOT_A_DIRECTORY_1,
- master['pki_instance_path'],
- extra=config.PKI_INDENTATION_LEVEL_2)
- sys.exit(1)
# count number of PKI subsystems present
# within the specified Apache instance
for subsystem in config.PKI_APACHE_SUBSYSTEMS:
@@ -206,13 +461,6 @@ class instance:
def pki_subsystem_instances(self):
rv = 0
try:
- if not os.path.exists(master['pki_path']) or\
- not os.path.isdir(master['pki_path']):
- config.pki_log.error(
- log.PKI_DIRECTORY_MISSING_OR_NOT_A_DIRECTORY_1,
- master['pki_path'],
- extra=config.PKI_INDENTATION_LEVEL_2)
- sys.exit(1)
# Since ALL directories within the top-level PKI infrastructure
# SHOULD represent PKI instances, look for all possible
# PKI instances within the top-level PKI infrastructure
@@ -247,13 +495,6 @@ class instance:
def tomcat_instances(self):
rv = 0
try:
- if not os.path.exists(master['pki_instance_path']) or\
- not os.path.isdir(master['pki_instance_path']):
- config.pki_log.error(
- log.PKI_DIRECTORY_MISSING_OR_NOT_A_DIRECTORY_1,
- master['pki_instance_path'],
- extra=config.PKI_INDENTATION_LEVEL_2)
- sys.exit(1)
# count number of PKI subsystems present
# within the specified Tomcat instance
for subsystem in config.PKI_TOMCAT_SUBSYSTEMS:
@@ -1295,8 +1536,8 @@ class war:
# PKI Deployment Password Class
class password:
- def create_password_conf(self, path, pin, overwrite_flag=False,
- critical_failure=True):
+ def create_password_conf(self, path, pin, pin_sans_token=False,
+ overwrite_flag=False, critical_failure=True):
try:
if not config.pki_dry_run_flag:
if os.path.exists(path):
@@ -1306,7 +1547,9 @@ class password:
extra=config.PKI_INDENTATION_LEVEL_2)
# overwrite the existing 'password.conf' file
with open(path, "wt") as fd:
- if master['pki_subsystem'] in\
+ if pin_sans_token == True:
+ fd.write(str(pin))
+ elif master['pki_subsystem'] in\
config.PKI_APACHE_SUBSYSTEMS:
fd.write(master['pki_self_signed_token'] +\
":" + str(pin))
@@ -1319,7 +1562,9 @@ class password:
extra=config.PKI_INDENTATION_LEVEL_2)
# create a new 'password.conf' file
with open(path, "wt") as fd:
- if master['pki_subsystem'] in\
+ if pin_sans_token == True:
+ fd.write(str(pin))
+ elif master['pki_subsystem'] in\
config.PKI_APACHE_SUBSYSTEMS:
fd.write(master['pki_self_signed_token'] +\
":" + str(pin))
@@ -1642,6 +1887,90 @@ class certutil:
return
+# PKI Deployment 'systemd' Execution Management Class
+class systemd:
+ def start(self, critical_failure=True):
+ try:
+ # Compose this "systemd" execution management command
+ if master['pki_subsystem'] in config.PKI_APACHE_SUBSYSTEMS:
+ command = "systemctl" + " " +\
+ "start" + " " +\
+ "pki-apached" + "@" +\
+ master['pki_instance_id'] + "." + "service"
+ elif master['pki_subsystem'] in config.PKI_TOMCAT_SUBSYSTEMS:
+ command = "systemctl" + " " +\
+ "start" + " " +\
+ "pki-tomcatd" + "@" +\
+ master['pki_instance_id'] + "." + "service"
+ # Display this "systemd" execution managment command
+ config.pki_log.info(
+ log.PKIHELPER_SYSTEMD_COMMAND_1, command,
+ extra=config.PKI_INDENTATION_LEVEL_2)
+ if not config.pki_dry_run_flag:
+ # Execute this "systemd" execution management command
+ subprocess.call(command, shell=True)
+ except subprocess.CalledProcessError as exc:
+ config.pki_log.error(log.PKI_SUBPROCESS_ERROR_1, exc,
+ extra=config.PKI_INDENTATION_LEVEL_2)
+ if critical_failure == True:
+ sys.exit(1)
+ return
+
+ def stop(self, critical_failure=True):
+ try:
+ # Compose this "systemd" execution management command
+ if master['pki_subsystem'] in config.PKI_APACHE_SUBSYSTEMS:
+ command = "systemctl" + " " +\
+ "stop" + " " +\
+ "pki-apached" + "@" +\
+ master['pki_instance_id'] + "." + "service"
+ elif master['pki_subsystem'] in config.PKI_TOMCAT_SUBSYSTEMS:
+ command = "systemctl" + " " +\
+ "stop" + " " +\
+ "pki-tomcatd" + "@" +\
+ master['pki_instance_id'] + "." + "service"
+ # Display this "systemd" execution managment command
+ config.pki_log.info(
+ log.PKIHELPER_SYSTEMD_COMMAND_1, command,
+ extra=config.PKI_INDENTATION_LEVEL_2)
+ if not config.pki_dry_run_flag:
+ # Execute this "systemd" execution management command
+ subprocess.call(command, shell=True)
+ except subprocess.CalledProcessError as exc:
+ config.pki_log.error(log.PKI_SUBPROCESS_ERROR_1, exc,
+ extra=config.PKI_INDENTATION_LEVEL_2)
+ if critical_failure == True:
+ sys.exit(1)
+ return
+
+ def restart(self, critical_failure=True):
+ try:
+ # Compose this "systemd" execution management command
+ if master['pki_subsystem'] in config.PKI_APACHE_SUBSYSTEMS:
+ command = "systemctl" + " " +\
+ "restart" + " " +\
+ "pki-apached" + "@" +\
+ master['pki_instance_id'] + "." + "service"
+ elif master['pki_subsystem'] in config.PKI_TOMCAT_SUBSYSTEMS:
+ command = "systemctl" + " " +\
+ "restart" + " " +\
+ "pki-tomcatd" + "@" +\
+ master['pki_instance_id'] + "." + "service"
+ # Display this "systemd" execution managment command
+ config.pki_log.info(
+ log.PKIHELPER_SYSTEMD_COMMAND_1, command,
+ extra=config.PKI_INDENTATION_LEVEL_2)
+ if not config.pki_dry_run_flag:
+ # Execute this "systemd" execution management command
+ subprocess.call(command, shell=True)
+ except subprocess.CalledProcessError as exc:
+ config.pki_log.error(log.PKI_SUBPROCESS_ERROR_1, exc,
+ extra=config.PKI_INDENTATION_LEVEL_2)
+ if critical_failure == True:
+ sys.exit(1)
+ return
+
+
# PKI Deployment 'jython' Class
class jython:
def invoke(self, scriptlet, critical_failure=True):
@@ -1681,6 +2010,8 @@ class jython:
# PKI Deployment Helper Class Instances
identity = identity()
+configuration_file = configuration_file()
+#xml_file = xml_file()
instance = instance()
directory = directory()
file = file()
@@ -1688,4 +2019,5 @@ symlink = symlink()
war = war()
password = password()
certutil = certutil()
+systemd = systemd()
jython = jython()
diff --git a/base/deploy/src/scriptlets/pkijython.py b/base/deploy/src/scriptlets/pkijython.py
index 9c8765a80..800826635 100644
--- a/base/deploy/src/scriptlets/pkijython.py
+++ b/base/deploy/src/scriptlets/pkijython.py
@@ -5,6 +5,7 @@ from java.io import BufferedReader
from java.io import ByteArrayInputStream
from java.io import FileReader
from java.io import IOException
+from java.lang import Integer
from java.lang import String as javastring
from java.lang import System as javasystem
from java.net import URISyntaxException
@@ -18,6 +19,7 @@ import jarray
# System Python Imports
+import ConfigParser
import os
import sys
pki_python_module_path = os.path.join(sys.prefix,
@@ -79,10 +81,15 @@ class classPathHacker:
jarLoad = classPathHacker()
# Webserver Jars
jarLoad.addFile("/usr/share/java/httpcomponents/httpclient.jar")
+jarLoad.addFile("/usr/share/java/httpcomponents/httpcore.jar")
jarLoad.addFile("/usr/share/java/apache-commons-cli.jar")
+jarLoad.addFile("/usr/share/java/apache-commons-codec.jar")
+jarLoad.addFile("/usr/share/java/apache-commons-logging.jar")
+jarLoad.addFile("/usr/share/java/istack-commons-runtime.jar")
# Resteasy Jars
jarLoad.addFile("/usr/share/java/glassfish-jaxb/jaxb-impl.jar")
jarLoad.addFile("/usr/share/java/resteasy/jaxrs-api.jar")
+jarLoad.addFile("/usr/share/java/resteasy/resteasy-atom-provider.jar")
jarLoad.addFile("/usr/share/java/resteasy/resteasy-jaxb-provider.jar")
jarLoad.addFile("/usr/share/java/resteasy/resteasy-jaxrs.jar")
jarLoad.addFile("/usr/share/java/resteasy/resteasy-jettison-provider.jar")
@@ -145,6 +152,63 @@ import pkiconfig as config
import pkimessages as log
+# PKI Deployment Jython Helper Functions
+def extract_sensitive_data(configuration_file):
+ "Read 'sensitive' configuration file section into a dictionary"
+ try:
+ parser = ConfigParser.ConfigParser()
+ # Make keys case-sensitive!
+ parser.optionxform = str
+ parser.read(configuration_file)
+ # return dict(parser._sections['Sensitive'])
+ dictionary = {}
+ for option in parser.options('Sensitive'):
+ dictionary[option] = parser.get('Sensitive', option)
+ return dictionary
+ except ConfigParser.ParsingError, err:
+ javasystem.out.println(log.PKI_JYTHON_EXCEPTION_PARSER + " '" +\
+ configuration_file + "': " + str(err))
+ javasystem.exit(1)
+
+def generateCRMFRequest(token, keysize, subjectdn, dualkey):
+ kg = token.getKeyPairGenerator(KeyPairAlgorithm.RSA)
+ x = Integer(keysize)
+ key_len = x.intValue()
+ kg.initialize(key_len)
+ # 1st key pair
+ pair = kg.genKeyPair()
+ # create CRMF
+ certTemplate = CertTemplate()
+ certTemplate.setVersion(INTEGER(2))
+ if not subjectdn is None:
+ name = X500Name(subjectdn)
+ cs = ByteArrayInputStream(name.getEncoded())
+ n = Name.getTemplate().decode(cs)
+ certTemplate.setSubject(n)
+ certTemplate.setPublicKey(SubjectPublicKeyInfo(pair.getPublic()))
+ seq = SEQUENCE()
+ certReq = CertRequest(INTEGER(1), certTemplate, seq)
+ popdata = jarray.array([0x0,0x3,0x0], 'b')
+ pop = ProofOfPossession.createKeyEncipherment(
+ POPOPrivKey.createThisMessage(BIT_STRING(popdata, 3)))
+ crmfMsg = CertReqMsg(certReq, pop, None)
+ s1 = SEQUENCE()
+ # 1st : Encryption key
+ s1.addElement(crmfMsg)
+ # 2nd : Signing Key
+ if dualkey:
+ javasystem.out.println(log.PKI_JYTHON_IS_DUALKEY)
+ seq1 = SEQUENCE()
+ certReqSigning = CertRequest(INTEGER(1), certTemplate, seq1)
+ signingMsg = CertReqMsg(certReqSigning, pop, None)
+ s1.addElement(signingMsg)
+ encoded = jarray.array(ASN1Util.encode(s1), 'b')
+ # encoder = BASE64Encoder()
+ # Req1 = encoder.encodeBuffer(encoded)
+ Req1 = Utils.base64encode(encoded)
+ return Req1
+
+
# PKI Deployment 'security databases' Class
class security_databases:
def initialize_token(self, pki_database_path, pki_dry_run_flag, log_level):
@@ -160,11 +224,13 @@ class security_databases:
# it is ok if it is already initialized
pass
except Exception, e:
- javasystem.out.println("INITIALIZATION ERROR: " + str(e))
+ javasystem.out.println(log.PKI_JYTHON_INITIALIZATION_ERROR +\
+ " " + str(e))
javasystem.exit(1)
def log_into_token(self, pki_database_path, password_conf,
pki_dry_run_flag, log_level):
+ token = None
try:
if log_level >= config.PKI_JYTHON_INFO_LOG_LEVEL:
print "%s %s '%s'" %\
@@ -174,10 +240,10 @@ class security_databases:
if not pki_dry_run_flag:
manager = CryptoManager.getInstance()
token = manager.getInternalKeyStorageToken()
- # Retrieve 'token_pwd' from 'password_conf'
+ # Retrieve 'password' from client-side 'password_conf'
#
# NOTE: For now, ONLY read the first line
- # (which contains the password)
+ # (which contains "password")
#
fd = open(password_conf, "r")
token_pwd = fd.readline()
@@ -188,13 +254,364 @@ class security_databases:
try:
token.login(password)
except Exception, e:
- javasystem.out.println("login Exception: " + str(e))
+ javasystem.out.println(log.PKI_JYTHON_LOGIN_EXCEPTION +\
+ " " + str(e))
if not token.isLoggedIn():
token.initPassword(password, password)
+ javasystem.exit(1)
except Exception, e:
- javasystem.out.println("Exception in logging into token: " +\
- str(e))
+ javasystem.out.println(log.PKI_JYTHON_TOKEN_LOGIN_EXCEPTION +\
+ " " + str(e))
javasystem.exit(1)
+ return token
+
+
+# PKI Deployment 'REST Client' Class
+class rest_client:
+ client = None
+
+ def initialize(self, base_uri, pki_dry_run_flag, log_level):
+ try:
+ if log_level >= config.PKI_JYTHON_INFO_LOG_LEVEL:
+ print "%s %s '%s'" %\
+ (log.PKI_JYTHON_INDENTATION_2,
+ log.PKI_JYTHON_INITIALIZING_REST_CLIENT,
+ base_uri)
+ if not pki_dry_run_flag:
+ self.client = ConfigurationRESTClient(base_uri, None)
+ return self.client
+ except URISyntaxException, e:
+ e.printStackTrace()
+ javasystem.exit(1)
+
+ def construct_pki_configuration_data(self, master, token):
+ data = None
+ if master['pki_jython_log_level'] >= config.PKI_JYTHON_INFO_LOG_LEVEL:
+ print "%s %s '%s'" %\
+ (log.PKI_JYTHON_INDENTATION_2,
+ log.PKI_JYTHON_CONSTRUCTING_PKI_DATA,
+ master['pki_subsystem'])
+ if not master['pki_dry_run_flag']:
+ sensitive = extract_sensitive_data(master['pki_deployment_cfg'])
+ data = ConfigurationData()
+ # Miscellaneous Configuration Information
+ data.setPin(master['pki_one_time_pin'])
+ data.setToken(ConfigurationData.TOKEN_DEFAULT)
+ if master['pki_instance_type'] == "Tomcat":
+ if master['pki_subsystem'] == "CA":
+ if config.str2bool(master['pki_clone']):
+ # Cloned CA
+ data.setHierarchy("root")
+ data.setIsClone("true")
+ data.setSubsystemName("Cloned CA Subsystem")
+ elif config.str2bool(master['pki_external']):
+ # External CA
+ data.setHierarchy("join")
+ data.setIsClone("false")
+ data.setSubsystemName("External CA Subsystem")
+ elif config.str2bool(master['pki_subordinate']):
+ # Subordinate CA
+ data.setHierarchy("join")
+ data.setIsClone("false")
+ data.setSubsystemName("Subordinate CA Subsystem")
+ else:
+ # PKI CA
+ data.setHierarchy("root")
+ data.setIsClone("false")
+ data.setSubsystemName("PKI CA Subsystem")
+ elif master['pki_subsystem'] == "KRA":
+ if config.str2bool(master['pki_clone']):
+ # Cloned KRA
+ data.setIsClone("true")
+ data.setSubsystemName("Cloned KRA Subsystem")
+ else:
+ # PKI KRA
+ data.setIsClone("false")
+ data.setSubsystemName("PKI KRA Subsystem")
+ elif master['pki_subsystem'] == "OCSP":
+ if config.str2bool(master['pki_clone']):
+ # Cloned OCSP
+ data.setIsClone("true")
+ data.setSubsystemName("Cloned OCSP Subsystem")
+ else:
+ # PKI OCSP
+ data.setIsClone("false")
+ data.setSubsystemName("PKI OCSP Subsystem")
+ elif master['pki_subsystem'] == "TKS":
+ if config.str2bool(master['pki_clone']):
+ # Cloned TKS
+ data.setIsClone("true")
+ data.setSubsystemName("Cloned TKS Subsystem")
+ else:
+ # PKI TKS
+ data.setIsClone("false")
+ data.setSubsystemName("PKI TKS Subsystem")
+ # Security Domain Information
+ if master['pki_instance_type'] == "Tomcat":
+ if master['pki_subsystem'] == "CA":
+ if config.str2bool(master['pki_external']):
+ # External CA
+ data.setSecurityDomainType(
+ ConfigurationData.NEW_DOMAIN)
+ data.setSecurityDomainName(
+ master['pki_security_domain_name'])
+ elif not config.str2bool(master['pki_clone']) and\
+ not config.str2bool(master['pki_subordinate']):
+ # PKI CA
+ data.setSecurityDomainType(
+ ConfigurationData.NEW_DOMAIN)
+ data.setSecurityDomainName(
+ master['pki_security_domain_name'])
+ else:
+ # PKI Cloned or Subordinate CA
+ data.setSecurityDomainType(
+ ConfigurationData.EXISTING_DOMAIN)
+ data.setSecurityDomainUri(
+ master['pki_security_domain_uri'])
+ data.setSecurityDomainUser(
+ master['pki_security_domain_user'])
+ data.setSecurityDomainPassword(
+ sensitive['pki_security_domain_password'])
+ else:
+ # PKI KRA, OCSP, or TKS
+ data.setSecurityDomainType(
+ ConfigurationData.EXISTING_DOMAIN)
+ data.setSecurityDomainUri(
+ master['pki_security_domain_uri'])
+ data.setSecurityDomainUser(
+ master['pki_security_domain_user'])
+ data.setSecurityDomainPassword(
+ sensitive['pki_security_domain_password'])
+ # Directory Server Information
+ if master['pki_subsystem'] != "RA":
+ data.setDsHost(master['pki_ds_hostname'])
+ data.setDsPort(master['pki_ds_http_port'])
+ data.setBaseDN(master['pki_ds_base_dn'])
+ data.setBindDN(master['pki_ds_bind_dn'])
+ data.setDatabase(master['pki_ds_database'])
+ data.setBindpwd(sensitive['pki_ds_password'])
+ if config.str2bool(master['pki_ds_remove_data']):
+ data.setRemoveData("true")
+ else:
+ data.setRemoveData("false")
+ if config.str2bool(master['pki_ds_secure_connection']):
+ data.setSecureConn("true")
+ else:
+ data.setSecureConn("false")
+ # Backup Information
+ if master['pki_instance_type'] == "Tomcat":
+ if config.str2bool(master['pki_backup_keys']):
+ data.setBackupKeys("true")
+ data.setBackupFile(master['pki_backup_file'])
+ data.setBackupPassword(
+ sensitive['pki_backup_password'])
+ else:
+ data.setBackupKeys("false")
+ # Admin Information
+ if master['pki_instance_type'] == "Tomcat":
+ if not config.str2bool(master['pki_clone']):
+ data.setAdminEmail(master['pki_admin_email'])
+ data.setAdminName(master['pki_admin_name'])
+ data.setAdminPassword(sensitive['pki_admin_password'])
+ data.setAdminProfileID(master['pki_admin_profile_id'])
+ data.setAdminUID(master['pki_admin_uid'])
+ data.setAdminSubjectDN(master['pki_admin_subject_dn'])
+ if master['pki_admin_cert_request_type'] == "crmf":
+ data.setAdminCertRequestType("crmf")
+ if config.str2bool(master['pki_admin_dualkey']):
+ crmf_request = generateCRMFRequest(
+ token,
+ master['pki_admin_keysize'],
+ master['pki_admin_subject_dn'],
+ "true")
+ else:
+ crmf_request = generateCRMFRequest(
+ token,
+ master['pki_admin_keysize'],
+ master['pki_admin_subject_dn'],
+ "false")
+ data.setAdminCertRequest(crmf_request)
+ else:
+ javasystem.out.println(log.PKI_JYTHON_CRMF_SUPPORT_ONLY)
+ javasystem.exit(1)
+ # Create system certs
+ systemCerts = ArrayList()
+ # Create 'CA Signing Certificate'
+ if master['pki_instance_type'] == "Tomcat":
+ if not config.str2bool(master['pki_clone']):
+ if master['pki_subsystem'] == "CA":
+ # External CA, Subordinate CA, or PKI CA
+ cert1 = CertData()
+ cert1.setTag(master['pki_ca_signing_tag'])
+ cert1.setKeyAlgorithm(
+ master['pki_ca_signing_key_algorithm'])
+ cert1.setKeySize(master['pki_ca_signing_key_size'])
+ cert1.setKeyType(master['pki_ca_signing_key_type'])
+ cert1.setNickname(master['pki_ca_signing_nickname'])
+ cert1.setSigningAlgorithm(
+ master['pki_ca_signing_signing_algorithm'])
+ cert1.setSubjectDN(master['pki_ca_signing_subject_dn'])
+ cert1.setToken(master['pki_ca_signing_token'])
+ systemCerts.add(cert1)
+ # Create 'OCSP Signing Certificate'
+ if master['pki_instance_type'] == "Tomcat":
+ if not config.str2bool(master['pki_clone']):
+ if master['pki_subsystem'] == "CA" or\
+ master['pki_subsystem'] == "OCSP":
+ # External CA, Subordinate CA, PKI CA, or PKI OCSP
+ cert2 = CertData()
+ cert2.setTag(master['pki_ocsp_signing_tag'])
+ cert2.setKeyAlgorithm(
+ master['pki_ocsp_signing_key_algorithm'])
+ cert2.setKeySize(master['pki_ocsp_signing_key_size'])
+ cert2.setKeyType(master['pki_ocsp_signing_key_type'])
+ cert2.setNickname(master['pki_ocsp_signing_nickname'])
+ cert2.setSigningAlgorithm(
+ master['pki_ocsp_signing_signing_algorithm'])
+ cert2.setSubjectDN(
+ master['pki_ocsp_signing_subject_dn'])
+ cert2.setToken(master['pki_ocsp_signing_token'])
+ systemCerts.add(cert2)
+ # Create 'SSL Server Certificate'
+ # PKI RA, PKI TPS,
+ # PKI CA, PKI KRA, PKI OCSP, PKI TKS,
+ # PKI CA CLONE, PKI KRA CLONE, PKI OCSP CLONE, PKI TKS CLONE,
+ # External CA, or Subordinate CA
+ cert3 = CertData()
+ cert3.setTag(master['pki_ssl_server_tag'])
+ cert3.setKeyAlgorithm(master['pki_ssl_server_key_algorithm'])
+ cert3.setKeySize(master['pki_ssl_server_key_size'])
+ cert3.setKeyType(master['pki_ssl_server_key_type'])
+ cert3.setNickname(master['pki_ssl_server_nickname'])
+ cert3.setSubjectDN(master['pki_ssl_server_subject_dn'])
+ cert3.setToken(master['pki_ssl_server_token'])
+ systemCerts.add(cert3)
+ # Create 'Subsystem Certificate'
+ if master['pki_instance_type'] == "Apache":
+ # PKI RA or PKI TPS
+ cert4 = CertData()
+ cert4.setTag(master['pki_subsystem_tag'])
+ cert4.setKeyAlgorithm(master['pki_subsystem_key_algorithm'])
+ cert4.setKeySize(master['pki_subsystem_key_size'])
+ cert4.setKeyType(master['pki_subsystem_key_type'])
+ cert4.setNickname(master['pki_subsystem_nickname'])
+ cert4.setSubjectDN(master['pki_subsystem_subject_dn'])
+ cert4.setToken(master['pki_subsystem_token'])
+ systemCerts.add(cert4)
+ elif master['pki_instance_type'] == "Tomcat":
+ if not config.str2bool(master['pki_clone']):
+ # PKI CA, PKI KRA, PKI OCSP, PKI TKS,
+ # External CA, or Subordinate CA
+ cert4 = CertData()
+ cert4.setTag(master['pki_subsystem_tag'])
+ cert4.setKeyAlgorithm(master['pki_subsystem_key_algorithm'])
+ cert4.setKeySize(master['pki_subsystem_key_size'])
+ cert4.setKeyType(master['pki_subsystem_key_type'])
+ cert4.setNickname(master['pki_subsystem_nickname'])
+ cert4.setSubjectDN(master['pki_subsystem_subject_dn'])
+ cert4.setToken(master['pki_subsystem_token'])
+ systemCerts.add(cert4)
+ # Create 'Audit Signing Certificate'
+ if master['pki_instance_type'] == "Apache":
+ if master['pki_subsystem'] != "RA":
+ # PKI TPS
+ cert5 = CertData()
+ cert5.setTag(master['pki_audit_signing_tag'])
+ cert5.setKeyAlgorithm(
+ master['pki_audit_signing_key_algorithm'])
+ cert5.setKeySize(master['pki_audit_signing_key_size'])
+ cert5.setKeyType(master['pki_audit_signing_key_type'])
+ cert5.setNickname(master['pki_audit_signing_nickname'])
+ cert5.setKeyAlgorithm(
+ master['pki_audit_signing_signing_algorithm'])
+ cert5.setSubjectDN(master['pki_audit_signing_subject_dn'])
+ cert5.setToken(master['pki_audit_signing_token'])
+ systemCerts.add(cert5)
+ elif master['pki_instance_type'] == "Tomcat":
+ if not config.str2bool(master['pki_clone']):
+ # PKI CA, PKI KRA, PKI OCSP, PKI TKS,
+ # External CA, or Subordinate CA
+ cert5 = CertData()
+ cert5.setTag(master['pki_audit_signing_tag'])
+ cert5.setKeyAlgorithm(
+ master['pki_audit_signing_key_algorithm'])
+ cert5.setKeySize(master['pki_audit_signing_key_size'])
+ cert5.setKeyType(master['pki_audit_signing_key_type'])
+ cert5.setNickname(master['pki_audit_signing_nickname'])
+ cert5.setKeyAlgorithm(
+ master['pki_audit_signing_signing_algorithm'])
+ cert5.setSubjectDN(master['pki_audit_signing_subject_dn'])
+ cert5.setToken(master['pki_audit_signing_token'])
+ systemCerts.add(cert5)
+ # Create 'DRM Transport Certificate'
+ if master['pki_instance_type'] == "Tomcat":
+ if not config.str2bool(master['pki_clone']):
+ if master['pki_subsystem'] == "KRA":
+ # PKI KRA
+ cert6 = CertData()
+ cert6.setTag(master['pki_transport_tag'])
+ cert6.setKeyAlgorithm(
+ master['pki_transport_key_algorithm'])
+ cert6.setKeySize(master['pki_transport_key_size'])
+ cert6.setKeyType(master['pki_transport_key_type'])
+ cert6.setNickname(master['pki_transport_nickname'])
+ cert6.setKeyAlgorithm(
+ master['pki_transport_signing_algorithm'])
+ cert6.setSubjectDN(master['pki_transport_subject_dn'])
+ cert6.setToken(master['pki_transport_token'])
+ systemCerts.add(cert6)
+ # Create 'DRM Storage Certificate'
+ if master['pki_instance_type'] == "Tomcat":
+ if not config.str2bool(master['pki_clone']):
+ if master['pki_subsystem'] == "KRA":
+ # PKI KRA
+ cert7 = CertData()
+ cert7.setTag(master['pki_storage_tag'])
+ cert7.setKeyAlgorithm(
+ master['pki_storage_key_algorithm'])
+ cert7.setKeySize(master['pki_storage_key_size'])
+ cert7.setKeyType(master['pki_storage_key_type'])
+ cert7.setNickname(master['pki_storage_nickname'])
+ cert7.setKeyAlgorithm(
+ master['pki_storage_signing_algorithm'])
+ cert7.setSubjectDN(master['pki_storage_subject_dn'])
+ cert7.setToken(master['pki_storage_token'])
+ systemCerts.add(cert7)
+ # Create system certs
+ data.setSystemCerts(systemCerts)
+ return data
+
+ def configure_pki_data(self, data, pki_subsystem, pki_dry_run_flag,
+ log_level):
+ if log_level >= config.PKI_JYTHON_INFO_LOG_LEVEL:
+ print "%s %s '%s'" %\
+ (log.PKI_JYTHON_INDENTATION_2,
+ log.PKI_JYTHON_CONFIGURING_PKI_DATA,
+ pki_subsystem)
+ if not pki_dry_run_flag:
+ try:
+ response = self.client.configure(data)
+ javasystem.out.println(log.PKI_JYTHON_RESPONSE_STATUS +\
+ " " + response.getStatus())
+ javasystem.out.println(log.PKI_JYTHON_RESPONSE_ADMIN_CERT +\
+ " " + response.getAdminCert().getCert())
+ certs = response.getSystemCerts()
+ iterator = certs.iterator()
+ while iterator.hasNext():
+ cdata = iterator.next()
+ javasystem.out.println(log.PKI_JYTHON_CDATA_TAG + " " +\
+ cdata.getTag())
+ javasystem.out.println(log.PKI_JYTHON_CDATA_CERT + " " +\
+ cdata.getCert())
+ javasystem.out.println(log.PKI_JYTHON_CDATA_REQUEST + " " +\
+ cdata.getRequest())
+ except Exception, e:
+ javasystem.out.println(
+ log.PKI_JYTHON_JAVA_CONFIGURATION_EXCEPTION + " " + str(e))
+ javasystem.exit(1)
+ return
+
# PKI Deployment Jython Class Instances
security_databases = security_databases()
+rest_client = rest_client()
diff --git a/base/deploy/src/scriptlets/pkimessages.py b/base/deploy/src/scriptlets/pkimessages.py
index 806a64e4d..d7d50a63e 100644
--- a/base/deploy/src/scriptlets/pkimessages.py
+++ b/base/deploy/src/scriptlets/pkimessages.py
@@ -20,6 +20,14 @@
#
# PKI Deployment Engine Messages
+PKI_DICTIONARY_MANDATORY ="\n"\
+"=====================================================\n"\
+" DISPLAY CONTENTS OF PKI MANDATORY DICTIONARY\n"\
+"====================================================="
+PKI_DICTIONARY_OPTIONAL ="\n"\
+"=====================================================\n"\
+" DISPLAY CONTENTS OF PKI OPTIONAL DICTIONARY\n"\
+"====================================================="
PKI_DICTIONARY_COMMON ="\n"\
"=====================================================\n"\
" DISPLAY CONTENTS OF PKI COMMON DICTIONARY\n"\
@@ -40,6 +48,7 @@ PKI_DICTIONARY_WEB_SERVER="\n"\
"=====================================================\n"\
" DISPLAY CONTENTS OF PKI WEB SERVER DICTIONARY\n"\
"====================================================="
+# NEVER print out 'sensitive' data dictionary!!!
# PKI Deployment Log Messages
@@ -150,10 +159,16 @@ PKIHELPER_CP_P_2 = "cp -p %s %s"
PKIHELPER_CP_RP_2 = "cp -rp %s %s"
PKIHELPER_CREATE_SECURITY_DATABASES_1 = "executing '%s'"
PKIHELPER_DANGLING_SYMLINK_2 = "Dangling symlink '%s'-->'%s'"
+PKIHELPER_DICTIONARY_MASTER_MISSING_KEY_1 = "KeyError: Master dictionary "\
+ "is missing the key called '%s'!"
PKIHELPER_DIRECTORY_IS_EMPTY_1 = "directory '%s' is empty"
PKIHELPER_DIRECTORY_IS_NOT_EMPTY_1 = "directory '%s' is NOT empty"
PKIHELPER_GID_2 = "GID of '%s' is %s"
PKIHELPER_GROUP_1 = "retrieving GID for '%s' . . ."
+PKIHELPER_GROUP_ADD_2 = "adding GID '%s' for group '%s' . . ."
+PKIHELPER_GROUP_ADD_DEFAULT_2 = "adding default GID '%s' for group '%s' . . ."
+PKIHELPER_GROUP_ADD_GID_KEYERROR_1 = "KeyError: pki_gid %s"
+PKIHELPER_GROUP_ADD_KEYERROR_1 = "KeyError: pki_group %s"
PKIHELPER_INVOKE_JYTHON_3 = "executing 'export %s;"\
"jython %s %s <master_dictionary>'"
PKIHELPER_IS_A_DIRECTORY_1 = "'%s' is a directory"
@@ -165,32 +180,82 @@ PKIHELPER_MKDIR_1 = "mkdir -p %s"
PKIHELPER_MODIFY_DIR_1 = "modifying '%s'"
PKIHELPER_MODIFY_FILE_1 = "modifying '%s'"
PKIHELPER_MODIFY_SYMLINK_1 = "modifying '%s'"
+PKIHELPER_MUTUALLY_EXCLUSIVE_CLONE_EXTERNAL_CA = "cloned CAs and external "\
+ "CAs MUST be MUTUALLY "\
+ "EXCLUSIVE in '%s'"
+PKIHELPER_MUTUALLY_EXCLUSIVE_CLONE_EXTERNAL_SUB_CA = "cloned CAs, external "\
+ "CAs, and subordinate CAs"\
+ "MUST ALL be MUTUALLY "\
+ "EXCLUSIVE in '%s'"
+PKIHELPER_MUTUALLY_EXCLUSIVE_CLONE_SUB_CA = "cloned CAs and subordinate "\
+ "CAs MUST be MUTUALLY "\
+ "EXCLUSIVE in '%s'"
+PKIHELPER_MUTUALLY_EXCLUSIVE_EXTERNAL_SUB_CA = "external CAs and subordinate "\
+ "CAs MUST be MUTUALLY "\
+ "EXCLUSIVE in '%s'"
PKIHELPER_NOISE_FILE_2 = "generating noise file called '%s' and "\
"filling it with '%d' random bytes"
PKIHELPER_PASSWORD_CONF_1 = "generating '%s'"
PKIHELPER_PKI_SUBSYSTEM_INSTANCES_2 = "instance '%s' contains '%d' "\
"PKI subsystems"
+PKIHELPER_REMOVE_FILTER_SECTION_1 = "removing filter section from '%s'"
PKIHELPER_RM_F_1 = "rm -f %s"
PKIHELPER_RM_RF_1 = "rm -rf %s"
PKIHELPER_RMDIR_1 = "rmdir %s"
PKIHELPER_SET_MODE_1 = "setting ownerships, permissions, and acls on '%s'"
PKIHELPER_SLOT_SUBSTITUTION_2 = "slot substitution: '%s' ==> '%s'"
+PKIHELPER_SYSTEMD_COMMAND_1 = "executing '%s'"
PKIHELPER_TOMCAT_INSTANCES_2 = "instance '%s' contains '%d' "\
"Tomcat PKI subsystems"
PKIHELPER_TOUCH_1 = "touch %s"
PKIHELPER_UID_2 = "UID of '%s' is %s"
+PKIHELPER_UNDEFINED_ADMIN_PASSWORD_1 =\
+ "A value for 'pki_admin_password' MUST be defined in '%s'"
+PKIHELPER_UNDEFINED_BACKUP_PASSWORD_1 =\
+ "A value for 'pki_backup_password' MUST be defined in '%s'"
+PKIHELPER_UNDEFINED_DS_PASSWORD_1 =\
+ "A value for 'pki_ds_password' MUST be defined in '%s'"
+PKIHELPER_UNDEFINED_PKCS12_PASSWORD_1 =\
+ "A value for 'pki_pkcs12_password' MUST be defined in '%s'"
+PKIHELPER_UNDEFINED_SECURITY_DOMAIN_PASSWORD_1 =\
+ "A value for 'pki_security_domain_password' MUST be defined in '%s'"
PKIHELPER_USER_1 = "retrieving UID for '%s' . . ."
+PKIHELPER_USER_ADD_2 = "adding UID '%s' for user '%s' . . ."
+PKIHELPER_USER_ADD_DEFAULT_2 = "adding default UID '%s' for user '%s' . . ."
+PKIHELPER_USER_ADD_KEYERROR_1 = "KeyError: pki_user %s"
+PKIHELPER_USER_ADD_UID_KEYERROR_1 = "KeyError: pki_uid %s"
# PKI Deployment Jython "Scriptlet" Messages
# (MUST contain NO embedded formats since Jython 2.2 does not support logging!)
+PKI_JYTHON_CDATA_TAG = "tag:"
+PKI_JYTHON_CDATA_CERT = "cert:"
+PKI_JYTHON_CDATA_REQUEST = "request:"
+PKI_JYTHON_CLONED_PKI_SUBSYSTEM = "Cloned"
+PKI_JYTHON_CONFIGURING_PKI_DATA = "configuring PKI configuration data for"
+PKI_JYTHON_CONSTRUCTING_PKI_DATA = "constructing PKI configuration data for"
+PKI_JYTHON_CRMF_SUPPORT_ONLY = "only the 'crmf' certificate request type "\
+ "is currently supported"
+PKI_JYTHON_IS_DUALKEY = "dualkey = true"
+PKI_JYTHON_EXCEPTION_PARSER = "Problem parsing"
+PKI_JYTHON_EXTERNAL_CA = "External"
PKI_JYTHON_INDENTATION_0 = "pkispawn : JYTHON "
PKI_JYTHON_INDENTATION_1 = "pkispawn : JYTHON ..."
PKI_JYTHON_INDENTATION_2 = "pkispawn : JYTHON ......."
PKI_JYTHON_INDENTATION_3 = "pkispawn : JYTHON ..........."
PKI_JYTHON_INDENTATION_4 = "pkispawn : JYTHON ..............."
+PKI_JYTHON_INITIALIZATION_ERROR = "INITIALIZATION ERROR:"
+PKI_JYTHON_INITIALIZING_REST_CLIENT = "initializing REST client via"
PKI_JYTHON_INITIALIZING_TOKEN = "initializing token located in"
+PKI_JYTHON_JAVA_CONFIGURATION_EXCEPTION =\
+ "Exception from Java Configuration Servlet:"
PKI_JYTHON_LOG_INTO_TOKEN = "logging into token located in"
+PKI_JYTHON_LOGIN_EXCEPTION = "login Exception:"
+PKI_JYTHON_RESPONSE_ADMIN_CERT = "adminCert:"
+PKI_JYTHON_RESPONSE_STATUS = "status:"
+PKI_JYTHON_TOKEN_LOGIN_EXCEPTION = "Exception in logging into token:"
+PKI_JYTHON_NOT_YET_IMPLEMENTED = "NOT YET IMPLEMENTED"
+PKI_JYTHON_SUBORDINATE_CA = "Subordinate"
# PKI Deployment "Scriptlet" Messages
diff --git a/base/deploy/src/scriptlets/pkiparser.py b/base/deploy/src/scriptlets/pkiparser.py
index 0add192f7..5abfdc064 100644
--- a/base/deploy/src/scriptlets/pkiparser.py
+++ b/base/deploy/src/scriptlets/pkiparser.py
@@ -53,22 +53,18 @@ def process_command_line_arguments(argv):
required=True, metavar='<subsystem>',
help='where <subsystem> is '
'CA, KRA, OCSP, RA, TKS, or TPS')
+ if os.path.basename(argv[0]) == 'pkispawn':
+ mandatory.add_argument('-f',
+ dest='pkideployment_cfg', action='store',
+ nargs=1, required=True, metavar='<file>',
+ help='specifies configuration filename')
optional = parser.add_argument_group('optional arguments')
optional.add_argument('--dry_run',
dest='pki_dry_run_flag', action='store_true',
help='do not actually perform any actions')
- optional.add_argument('-f',
- dest='pkideployment_cfg', action='store',
- nargs=1, metavar='<file>',
- help='overrides default configuration filename')
optional.add_argument('-h', '--help',
dest='help', action='help',
help='show this help message and exit')
- optional.add_argument('-p',
- dest='pki_root_prefix', action='store',
- nargs=1, metavar='<prefix>',
- help='directory prefix to specify local directory '
- '[TEST ONLY]')
if os.path.basename(argv[0]) == 'pkispawn':
optional.add_argument('-u',
dest='pki_update_flag', action='store_true',
@@ -98,6 +94,12 @@ def process_command_line_arguments(argv):
dest='custom_pki_ajp_port', action='store',
nargs=1, metavar='<port>',
help='AJP port (CA, KRA, OCSP, TKS)')
+ test = parser.add_argument_group('test arguments')
+ test.add_argument('-p',
+ dest='pki_root_prefix', action='store',
+ nargs=1, metavar='<prefix>',
+ help='directory prefix to specify local directory '
+ '[TEST ONLY]')
args = parser.parse_args()
config.pki_subsystem = str(args.pki_subsystem).strip('[\']')
@@ -187,7 +189,7 @@ def process_command_line_arguments(argv):
print
parser.print_help()
parser.exit(-1);
- if not args.pkideployment_cfg is None:
+ if os.path.basename(argv[0]) == 'pkispawn':
config.pkideployment_cfg = str(args.pkideployment_cfg).strip('[\']')
elif os.path.basename(argv[0]) == 'pkidestroy':
# NOTE: When performing 'pkidestroy', a configuration file must be
@@ -258,6 +260,9 @@ def read_pki_configuration_file():
# Make keys case-sensitive!
parser.optionxform = str
parser.read(config.pkideployment_cfg)
+ config.pki_sensitive_dict = dict(parser._sections['Sensitive'])
+ config.pki_mandatory_dict = dict(parser._sections['Mandatory'])
+ config.pki_optional_dict = dict(parser._sections['Optional'])
config.pki_common_dict = dict(parser._sections['Common'])
if config.pki_subsystem == "CA":
config.pki_web_server_dict = dict(parser._sections['Tomcat'])
@@ -278,6 +283,9 @@ def read_pki_configuration_file():
config.pki_web_server_dict = dict(parser._sections['Apache'])
config.pki_subsystem_dict = dict(parser._sections['TPS'])
# Insert empty record into dictionaries for "pretty print" statements
+ # NEVER print "sensitive" key value pairs!!!
+ config.pki_mandatory_dict[0] = None
+ config.pki_optional_dict[0] = None
config.pki_common_dict[0] = None
config.pki_web_server_dict[0] = None
config.pki_subsystem_dict[0] = None
@@ -297,13 +305,19 @@ def compose_pki_master_dictionary():
config.pki_certificate_timestamp
config.pki_master_dict['pki_architecture'] = config.pki_architecture
config.pki_master_dict['pki_hostname'] = config.pki_hostname
+ config.pki_master_dict['pki_dns_domainname'] =\
+ config.pki_dns_domainname
config.pki_master_dict['pki_pin'] = config.pki_pin
config.pki_master_dict['pki_client_pin'] = config.pki_client_pin
config.pki_master_dict['pki_one_time_pin'] = config.pki_one_time_pin
config.pki_master_dict['pki_dry_run_flag'] = config.pki_dry_run_flag
config.pki_master_dict['pki_jython_log_level'] =\
config.pki_jython_log_level
+ config.pki_master_dict['pki_deployment_cfg'] = config.pkideployment_cfg
# Configuration file name/value pairs
+ # NEVER add "sensitive" key value pairs to the master dictionary!!!
+ config.pki_master_dict.update(config.pki_mandatory_dict)
+ config.pki_master_dict.update(config.pki_optional_dict)
config.pki_master_dict.update(config.pki_common_dict)
config.pki_master_dict.update(config.pki_web_server_dict)
config.pki_master_dict.update(config.pki_subsystem_dict)
@@ -357,8 +371,7 @@ def compose_pki_master_dictionary():
# (e. g. Tomcat: "tomcat", "example.com-tomcat")
# (e. g. Apache: "apache", "example.com-apache")
#
- if not config.pki_master_dict['pki_admin_domain_name'] is None and\
- not config.pki_master_dict['pki_admin_domain_name'] is '':
+ if len(config.pki_master_dict['pki_admin_domain_name']):
config.pki_master_dict['pki_instance_id'] =\
config.pki_master_dict['pki_admin_domain_name'] +\
"-" + config.pki_master_dict['pki_instance_name']
@@ -458,6 +471,9 @@ def compose_pki_master_dictionary():
os.path.join(config.PKI_DEPLOYMENT_SOURCE_ROOT,
"ca",
"emails")
+ config.pki_master_dict['pki_source_flatfile_txt'] =\
+ os.path.join(config.pki_master_dict['pki_source_conf_path'],
+ "flatfile.txt")
config.pki_master_dict['pki_source_profiles'] =\
os.path.join(config.PKI_DEPLOYMENT_SOURCE_ROOT,
"ca",
@@ -465,6 +481,43 @@ def compose_pki_master_dictionary():
config.pki_master_dict['pki_source_proxy_conf'] =\
os.path.join(config.pki_master_dict['pki_source_conf_path'],
"proxy.conf")
+ config.pki_master_dict['pki_source_registry_cfg'] =\
+ os.path.join(config.pki_master_dict['pki_source_conf_path'],
+ "registry.cfg")
+ # '*.profile'
+ config.pki_master_dict['pki_source_admincert_profile'] =\
+ os.path.join(config.pki_master_dict['pki_source_conf_path'],
+ "adminCert.profile")
+ config.pki_master_dict['pki_source_caauditsigningcert_profile']\
+ = os.path.join(
+ config.pki_master_dict['pki_source_conf_path'],
+ "caAuditSigningCert.profile")
+ config.pki_master_dict['pki_source_cacert_profile'] =\
+ os.path.join(config.pki_master_dict['pki_source_conf_path'],
+ "caCert.profile")
+ config.pki_master_dict['pki_source_caocspcert_profile'] =\
+ os.path.join(config.pki_master_dict['pki_source_conf_path'],
+ "caOCSPCert.profile")
+ config.pki_master_dict['pki_source_servercert_profile'] =\
+ os.path.join(config.pki_master_dict['pki_source_conf_path'],
+ "serverCert.profile")
+ config.pki_master_dict['pki_source_subsystemcert_profile'] =\
+ os.path.join(config.pki_master_dict['pki_source_conf_path'],
+ "subsystemCert.profile")
+ elif config.pki_master_dict['pki_subsystem'] == "KRA":
+ # '*.profile'
+ config.pki_master_dict['pki_source_servercert_profile'] =\
+ os.path.join(config.pki_master_dict['pki_source_conf_path'],
+ "serverCert.profile")
+ config.pki_master_dict['pki_source_storagecert_profile'] =\
+ os.path.join(config.pki_master_dict['pki_source_conf_path'],
+ "storageCert.profile")
+ config.pki_master_dict['pki_source_subsystemcert_profile'] =\
+ os.path.join(config.pki_master_dict['pki_source_conf_path'],
+ "subsystemCert.profile")
+ config.pki_master_dict['pki_source_transportcert_profile'] =\
+ os.path.join(config.pki_master_dict['pki_source_conf_path'],
+ "transportCert.profile")
# PKI top-level file system layout name/value pairs
# NOTE: Never use 'os.path.join()' whenever 'pki_root_prefix'
# is being prepended!!!
@@ -498,12 +551,14 @@ def compose_pki_master_dictionary():
if config.pki_master_dict['pki_subsystem'] in\
config.PKI_APACHE_SUBSYSTEMS:
# Apache instance base name/value pairs
+ config.pki_master_dict['pki_instance_type'] = "Apache"
# Apache instance log name/value pairs
# Apache instance configuration name/value pairs
# Apache instance registry name/value pairs
config.pki_master_dict['pki_instance_type_registry_path'] =\
- os.path.join(config.pki_master_dict['pki_registry_path'],
- "apache")
+ os.path.join(
+ config.pki_master_dict['pki_registry_path'],
+ config.pki_master_dict['pki_instance_type'].lower())
config.pki_master_dict['pki_instance_registry_path'] =\
os.path.join(
config.pki_master_dict['pki_instance_type_registry_path'],
@@ -513,12 +568,16 @@ def compose_pki_master_dictionary():
elif config.pki_master_dict['pki_subsystem'] in\
config.PKI_TOMCAT_SUBSYSTEMS:
# Tomcat instance base name/value pairs
+ config.pki_master_dict['pki_instance_type'] = "Tomcat"
config.pki_master_dict['pki_tomcat_common_path'] =\
os.path.join(config.pki_master_dict['pki_instance_path'],
"common")
config.pki_master_dict['pki_tomcat_common_lib_path'] =\
os.path.join(config.pki_master_dict['pki_tomcat_common_path'],
"lib")
+ config.pki_master_dict['pki_tomcat_tmpdir_path'] =\
+ os.path.join(config.pki_master_dict['pki_instance_path'],
+ "temp")
config.pki_master_dict['pki_tomcat_webapps_path'] =\
os.path.join(config.pki_master_dict['pki_instance_path'],
"webapps")
@@ -529,28 +588,43 @@ def compose_pki_master_dictionary():
os.path.join(
config.pki_master_dict['pki_tomcat_webapps_root_path'],
"WEB-INF")
- config.pki_master_dict['pki_tomcat_webapps_webinf_path'] =\
- os.path.join(config.pki_master_dict['pki_tomcat_webapps_path'],
- "WEB-INF")
- config.pki_master_dict['pki_tomcat_webapps_webinf_classes_path'] =\
- os.path.join(
- config.pki_master_dict['pki_tomcat_webapps_webinf_path'],
- "classes")
- config.pki_master_dict['pki_tomcat_webapps_webinf_lib_path'] =\
- os.path.join(
- config.pki_master_dict['pki_tomcat_webapps_webinf_path'],
- "lib")
config.pki_master_dict['pki_tomcat_webapps_root_webinf_web_xml'] =\
os.path.join(
config.pki_master_dict\
['pki_tomcat_webapps_root_webinf_path'],
"web.xml")
+ config.pki_master_dict['pki_tomcat_work_path'] =\
+ os.path.join(config.pki_master_dict['pki_instance_path'],
+ "work")
+ config.pki_master_dict['pki_tomcat_work_catalina_path'] =\
+ os.path.join(config.pki_master_dict['pki_tomcat_work_path'],
+ "Catalina")
+ config.pki_master_dict['pki_tomcat_work_catalina_host_path'] =\
+ os.path.join(
+ config.pki_master_dict['pki_tomcat_work_catalina_path'],
+ "localhost")
+ config.pki_master_dict['pki_tomcat_work_catalina_host_run_path'] =\
+ os.path.join(
+ config.pki_master_dict\
+ ['pki_tomcat_work_catalina_host_path'],
+ "_")
+ config.pki_master_dict\
+ ['pki_tomcat_work_catalina_host_subsystem_path'] =\
+ os.path.join(
+ config.pki_master_dict\
+ ['pki_tomcat_work_catalina_host_path'],
+ config.pki_master_dict['pki_subsystem'].lower())
# Tomcat instance log name/value pairs
# Tomcat instance configuration name/value pairs
+ config.pki_master_dict['pki_instance_log4j_properties'] =\
+ os.path.join(
+ config.pki_master_dict['pki_instance_configuration_path'],
+ "log4j.properties")
# Tomcat instance registry name/value pairs
config.pki_master_dict['pki_instance_type_registry_path'] =\
- os.path.join(config.pki_master_dict['pki_registry_path'],
- "tomcat")
+ os.path.join(
+ config.pki_master_dict['pki_registry_path'],
+ config.pki_master_dict['pki_instance_type'].lower())
config.pki_master_dict['pki_instance_registry_path'] =\
os.path.join(
config.pki_master_dict['pki_instance_type_registry_path'],
@@ -562,9 +636,205 @@ def compose_pki_master_dictionary():
config.pki_master_dict['pki_tomcat_lib_link'] =\
os.path.join(config.pki_master_dict['pki_instance_path'],
"lib")
+ config.pki_master_dict['pki_tomcat_lib_log4j_properties_link'] =\
+ os.path.join(config.pki_master_dict['pki_tomcat_lib_path'],
+ "log4j.properties")
config.pki_master_dict['pki_instance_systemd_link'] =\
os.path.join(config.pki_master_dict['pki_instance_path'],
config.pki_master_dict['pki_instance_id'])
+ # Tomcat instance common lib jars
+ if config.pki_master_dict['pki_architecture'] == 64:
+ config.pki_master_dict['pki_jss_jar'] =\
+ os.path.join("/usr/lib64/java",
+ "jss4.jar")
+ config.pki_master_dict['pki_symkey_jar'] =\
+ os.path.join("/usr/lib64/java",
+ "symkey.jar")
+ else:
+ config.pki_master_dict['pki_jss_jar'] =\
+ os.path.join("/usr/lib/java",
+ "jss4.jar")
+ config.pki_master_dict['pki_symkey_jar'] =\
+ os.path.join("/usr/lib/java",
+ "symkey.jar")
+ config.pki_master_dict['pki_apache_commons_collections_jar'] =\
+ os.path.join(config.PKI_DEPLOYMENT_JAR_SOURCE_ROOT,
+ "apache-commons-collections.jar")
+ config.pki_master_dict['pki_apache_commons_lang_jar'] =\
+ os.path.join(config.PKI_DEPLOYMENT_JAR_SOURCE_ROOT,
+ "apache-commons-lang.jar")
+ config.pki_master_dict['pki_apache_commons_logging_jar'] =\
+ os.path.join(config.PKI_DEPLOYMENT_JAR_SOURCE_ROOT,
+ "apache-commons-logging.jar")
+ config.pki_master_dict['pki_commons_codec_jar'] =\
+ os.path.join(config.PKI_DEPLOYMENT_JAR_SOURCE_ROOT,
+ "commons-codec.jar")
+ config.pki_master_dict['pki_httpclient_jar'] =\
+ os.path.join(
+ config.PKI_DEPLOYMENT_HTTPCOMPONENTS_JAR_SOURCE_ROOT,
+ "httpclient.jar")
+ config.pki_master_dict['pki_javassist_jar'] =\
+ os.path.join(config.PKI_DEPLOYMENT_JAR_SOURCE_ROOT,
+ "javassist.jar")
+ config.pki_master_dict['pki_resteasy_jaxrs_api_jar'] =\
+ os.path.join(config.PKI_DEPLOYMENT_RESTEASY_JAR_SOURCE_ROOT,
+ "jaxrs-api.jar")
+ config.pki_master_dict['pki_jettison_jar'] =\
+ os.path.join(config.PKI_DEPLOYMENT_JAR_SOURCE_ROOT,
+ "jettison.jar")
+ config.pki_master_dict['pki_ldapjdk_jar'] =\
+ os.path.join(config.PKI_DEPLOYMENT_JAR_SOURCE_ROOT,
+ "ldapjdk.jar")
+ config.pki_master_dict['pki_certsrv_jar'] =\
+ os.path.join(config.PKI_DEPLOYMENT_PKI_JAR_SOURCE_ROOT,
+ "pki-certsrv.jar")
+ config.pki_master_dict['pki_cmsbundle'] =\
+ os.path.join(config.PKI_DEPLOYMENT_PKI_JAR_SOURCE_ROOT,
+ "pki-cmsbundle.jar")
+ config.pki_master_dict['pki_cmscore'] =\
+ os.path.join(config.PKI_DEPLOYMENT_PKI_JAR_SOURCE_ROOT,
+ "pki-cmscore.jar")
+ config.pki_master_dict['pki_cms'] =\
+ os.path.join(config.PKI_DEPLOYMENT_PKI_JAR_SOURCE_ROOT,
+ "pki-cms.jar")
+ config.pki_master_dict['pki_cmsutil'] =\
+ os.path.join(config.PKI_DEPLOYMENT_PKI_JAR_SOURCE_ROOT,
+ "pki-cmsutil.jar")
+ config.pki_master_dict['pki_nsutil'] =\
+ os.path.join(config.PKI_DEPLOYMENT_PKI_JAR_SOURCE_ROOT,
+ "pki-nsutil.jar")
+ config.pki_master_dict['pki_resteasy_jaxb_provider_jar'] =\
+ os.path.join(config.PKI_DEPLOYMENT_RESTEASY_JAR_SOURCE_ROOT,
+ "resteasy-jaxb-provider.jar")
+ config.pki_master_dict['pki_resteasy_jaxrs_jar'] =\
+ os.path.join(config.PKI_DEPLOYMENT_RESTEASY_JAR_SOURCE_ROOT,
+ "resteasy-jaxrs.jar")
+ config.pki_master_dict['pki_resteasy_jettison_provider_jar'] =\
+ os.path.join(config.PKI_DEPLOYMENT_RESTEASY_JAR_SOURCE_ROOT,
+ "resteasy-jettison-provider.jar")
+ config.pki_master_dict['pki_scannotation_jar'] =\
+ os.path.join(config.PKI_DEPLOYMENT_JAR_SOURCE_ROOT,
+ "scannotation.jar")
+ config.pki_master_dict['pki_tomcatjss_jar'] =\
+ os.path.join(config.PKI_DEPLOYMENT_JAR_SOURCE_ROOT,
+ "tomcatjss.jar")
+ config.pki_master_dict['pki_velocity_jar'] =\
+ os.path.join(config.PKI_DEPLOYMENT_JAR_SOURCE_ROOT,
+ "velocity.jar")
+ config.pki_master_dict['pki_xerces_j2_jar'] =\
+ os.path.join(config.PKI_DEPLOYMENT_JAR_SOURCE_ROOT,
+ "xerces-j2.jar")
+ config.pki_master_dict['pki_xml_commons_apis_jar'] =\
+ os.path.join(config.PKI_DEPLOYMENT_JAR_SOURCE_ROOT,
+ "xml-commons-apis.jar")
+ config.pki_master_dict['pki_xml_commons_resolver_jar'] =\
+ os.path.join(config.PKI_DEPLOYMENT_JAR_SOURCE_ROOT,
+ "xml-commons-resolver.jar")
+ # Tomcat instance common lib jar symbolic links
+ config.pki_master_dict['pki_jss_jar_link'] =\
+ os.path.join(
+ config.pki_master_dict['pki_tomcat_common_lib_path'],
+ "jss4.jar")
+ config.pki_master_dict['pki_symkey_jar_link'] =\
+ os.path.join(
+ config.pki_master_dict['pki_tomcat_common_lib_path'],
+ "symkey.jar")
+ config.pki_master_dict['pki_apache_commons_collections_jar_link'] =\
+ os.path.join(
+ config.pki_master_dict['pki_tomcat_common_lib_path'],
+ "apache-commons-collections.jar")
+ config.pki_master_dict['pki_apache_commons_lang_jar_link'] =\
+ os.path.join(
+ config.pki_master_dict['pki_tomcat_common_lib_path'],
+ "apache-commons-lang.jar")
+ config.pki_master_dict['pki_apache_commons_logging_jar_link'] =\
+ os.path.join(
+ config.pki_master_dict['pki_tomcat_common_lib_path'],
+ "apache-commons-logging.jar")
+ config.pki_master_dict['pki_commons_codec_jar_link'] =\
+ os.path.join(
+ config.pki_master_dict['pki_tomcat_common_lib_path'],
+ "apache-commons-codec.jar")
+ config.pki_master_dict['pki_httpclient_jar_link'] =\
+ os.path.join(
+ config.pki_master_dict['pki_tomcat_common_lib_path'],
+ "httpclient.jar")
+ config.pki_master_dict['pki_javassist_jar_link'] =\
+ os.path.join(
+ config.pki_master_dict['pki_tomcat_common_lib_path'],
+ "javassist.jar")
+ config.pki_master_dict['pki_resteasy_jaxrs_api_jar_link'] =\
+ os.path.join(
+ config.pki_master_dict['pki_tomcat_common_lib_path'],
+ "jaxrs-api.jar")
+ config.pki_master_dict['pki_jettison_jar_link'] =\
+ os.path.join(
+ config.pki_master_dict['pki_tomcat_common_lib_path'],
+ "jettison.jar")
+ config.pki_master_dict['pki_ldapjdk_jar_link'] =\
+ os.path.join(
+ config.pki_master_dict['pki_tomcat_common_lib_path'],
+ "ldapjdk.jar")
+ config.pki_master_dict['pki_certsrv_jar_link'] =\
+ os.path.join(
+ config.pki_master_dict['pki_tomcat_common_lib_path'],
+ "pki-certsrv.jar")
+ config.pki_master_dict['pki_cmsbundle_jar_link'] =\
+ os.path.join(
+ config.pki_master_dict['pki_tomcat_common_lib_path'],
+ "pki-cmsbundle.jar")
+ config.pki_master_dict['pki_cmscore_jar_link'] =\
+ os.path.join(
+ config.pki_master_dict['pki_tomcat_common_lib_path'],
+ "pki-cmscore.jar")
+ config.pki_master_dict['pki_cms_jar_link'] =\
+ os.path.join(
+ config.pki_master_dict['pki_tomcat_common_lib_path'],
+ "pki-cms.jar")
+ config.pki_master_dict['pki_cmsutil_jar_link'] =\
+ os.path.join(
+ config.pki_master_dict['pki_tomcat_common_lib_path'],
+ "pki-cmsutil.jar")
+ config.pki_master_dict['pki_nsutil_jar_link'] =\
+ os.path.join(
+ config.pki_master_dict['pki_tomcat_common_lib_path'],
+ "pki-nsutil.jar")
+ config.pki_master_dict['pki_resteasy_jaxb_provider_jar_link'] =\
+ os.path.join(
+ config.pki_master_dict['pki_tomcat_common_lib_path'],
+ "resteasy-jaxb-provider.jar")
+ config.pki_master_dict['pki_resteasy_jaxrs_jar_link'] =\
+ os.path.join(
+ config.pki_master_dict['pki_tomcat_common_lib_path'],
+ "resteasy-jaxrs.jar")
+ config.pki_master_dict['pki_resteasy_jettison_provider_jar_link'] =\
+ os.path.join(
+ config.pki_master_dict['pki_tomcat_common_lib_path'],
+ "resteasy-jettison-provider.jar")
+ config.pki_master_dict['pki_scannotation_jar_link'] =\
+ os.path.join(
+ config.pki_master_dict['pki_tomcat_common_lib_path'],
+ "scannotation.jar")
+ config.pki_master_dict['pki_tomcatjss_jar_link'] =\
+ os.path.join(
+ config.pki_master_dict['pki_tomcat_common_lib_path'],
+ "tomcatjss.jar")
+ config.pki_master_dict['pki_velocity_jar_link'] =\
+ os.path.join(
+ config.pki_master_dict['pki_tomcat_common_lib_path'],
+ "velocity.jar")
+ config.pki_master_dict['pki_xerces_j2_jar_link'] =\
+ os.path.join(
+ config.pki_master_dict['pki_tomcat_common_lib_path'],
+ "xerces-j2.jar")
+ config.pki_master_dict['pki_xml_commons_apis_jar_link'] =\
+ os.path.join(
+ config.pki_master_dict['pki_tomcat_common_lib_path'],
+ "xml-commons-apis.jar")
+ config.pki_master_dict['pki_xml_commons_resolver_jar_link'] =\
+ os.path.join(
+ config.pki_master_dict['pki_tomcat_common_lib_path'],
+ "xml-commons-resolver.jar")
# Instance layout NSS security database name/value pairs
config.pki_master_dict['pki_database_path'] =\
os.path.join(
@@ -612,9 +882,6 @@ def compose_pki_master_dictionary():
elif config.pki_master_dict['pki_subsystem'] in\
config.PKI_TOMCAT_SUBSYSTEMS:
# Instance-based Tomcat PKI subsystem base name/value pairs
- config.pki_master_dict['pki_tomcat_webapps_subsystem_path'] =\
- os.path.join(config.pki_master_dict['pki_tomcat_webapps_path'],
- config.pki_master_dict['pki_subsystem'].lower())
if config.pki_master_dict['pki_subsystem'] == "CA":
config.pki_master_dict['pki_subsystem_emails_path'] =\
os.path.join(config.pki_master_dict['pki_subsystem_path'],
@@ -632,18 +899,6 @@ def compose_pki_master_dictionary():
config.pki_master_dict['pki_subsystem_tomcat_webapps_link'] =\
os.path.join(config.pki_master_dict['pki_subsystem_path'],
"webapps")
- config.pki_master_dict\
- ['pki_tomcat_webapps_subsystem_webinf_classes_link'] =\
- os.path.join(
- config.pki_master_dict['pki_tomcat_webapps_subsystem_path'],
- "WEB-INF",
- "classes")
- config.pki_master_dict\
- ['pki_tomcat_webapps_subsystem_webinf_lib_link'] =\
- os.path.join(
- config.pki_master_dict['pki_tomcat_webapps_subsystem_path'],
- "WEB-INF",
- "lib")
# Instance-based Apache/Tomcat PKI subsystem convenience symbolic links
config.pki_master_dict['pki_subsystem_database_link'] =\
os.path.join(config.pki_master_dict['pki_subsystem_path'],
@@ -654,6 +909,78 @@ def compose_pki_master_dictionary():
config.pki_master_dict['pki_subsystem_logs_link'] =\
os.path.join(config.pki_master_dict['pki_subsystem_path'],
"logs")
+ # PKI Target (war file) name/value pairs
+ if config.pki_master_dict['pki_subsystem'] in\
+ config.PKI_TOMCAT_SUBSYSTEMS:
+ # Tomcat PKI subsystem war file base name/value pairs
+ config.pki_master_dict['pki_tomcat_webapps_subsystem_path'] =\
+ os.path.join(config.pki_master_dict['pki_tomcat_webapps_path'],
+ config.pki_master_dict['pki_subsystem'].lower())
+ config.pki_master_dict\
+ ['pki_tomcat_webapps_subsystem_webinf_classes_path'] =\
+ os.path.join(
+ config.pki_master_dict['pki_tomcat_webapps_subsystem_path'],
+ "WEB-INF",
+ "classes")
+ config.pki_master_dict\
+ ['pki_tomcat_webapps_subsystem_webinf_lib_path'] =\
+ os.path.join(
+ config.pki_master_dict['pki_tomcat_webapps_subsystem_path'],
+ "WEB-INF",
+ "lib")
+ # Tomcat PKI subsystem war file convenience symbolic links
+ if config.pki_master_dict['pki_subsystem'] == "CA":
+ config.pki_master_dict['pki_ca_jar'] =\
+ os.path.join(config.PKI_DEPLOYMENT_PKI_JAR_SOURCE_ROOT,
+ "pki-ca.jar")
+ # config.pki_master_dict['pki_ca_jar_link'] =\
+ # os.path.join(
+ # config.pki_master_dict\
+ # ['pki_tomcat_webapps_subsystem_webinf_lib_path'],
+ # "pki-ca.jar")
+ config.pki_master_dict['pki_ca_jar_link'] =\
+ os.path.join(
+ config.pki_master_dict['pki_tomcat_common_lib_path'],
+ "pki-ca.jar")
+ elif config.pki_master_dict['pki_subsystem'] == "KRA":
+ config.pki_master_dict['pki_kra_jar'] =\
+ os.path.join(config.PKI_DEPLOYMENT_PKI_JAR_SOURCE_ROOT,
+ "pki-kra.jar")
+ # config.pki_master_dict['pki_kra_jar_link'] =\
+ # os.path.join(
+ # config.pki_master_dict\
+ # ['pki_tomcat_webapps_subsystem_webinf_lib_path'],
+ # "pki-kra.jar")
+ config.pki_master_dict['pki_kra_jar_link'] =\
+ os.path.join(
+ config.pki_master_dict['pki_tomcat_common_lib_path'],
+ "pki-kra.jar")
+ elif config.pki_master_dict['pki_subsystem'] == "OCSP":
+ config.pki_master_dict['pki_ocsp_jar'] =\
+ os.path.join(config.PKI_DEPLOYMENT_PKI_JAR_SOURCE_ROOT,
+ "pki-ocsp.jar")
+ # config.pki_master_dict['pki_ocsp_jar_link'] =\
+ # os.path.join(
+ # config.pki_master_dict\
+ # ['pki_tomcat_webapps_subsystem_webinf_lib_path'],
+ # "pki-ocsp.jar")
+ config.pki_master_dict['pki_ocsp_jar_link'] =\
+ os.path.join(
+ config.pki_master_dict['pki_tomcat_common_lib_path'],
+ "pki-ocsp.jar")
+ elif config.pki_master_dict['pki_subsystem'] == "TKS":
+ config.pki_master_dict['pki_tks_jar'] =\
+ os.path.join(config.PKI_DEPLOYMENT_PKI_JAR_SOURCE_ROOT,
+ "pki-tks.jar")
+ # config.pki_master_dict['pki_tks_jar_link'] =\
+ # os.path.join(
+ # config.pki_master_dict\
+ # ['pki_tomcat_webapps_subsystem_webinf_lib_path'],
+ # "pki-tks.jar")
+ config.pki_master_dict['pki_tks_jar_link'] =\
+ os.path.join(
+ config.pki_master_dict['pki_tomcat_common_lib_path'],
+ "pki-tks.jar")
# PKI Target (slot substitution) name/value pairs
config.pki_master_dict['pki_target_cs_cfg'] =\
os.path.join(
@@ -699,12 +1026,50 @@ def compose_pki_master_dictionary():
config.pki_master_dict['pki_tomcat_webapps_subsystem_path'],
"WEB-INF",
"web.xml")
+ config.pki_master_dict['pki_target_subsystem_web_xml_orig'] =\
+ os.path.join(
+ config.pki_master_dict['pki_tomcat_webapps_subsystem_path'],
+ "WEB-INF",
+ "web.xml.orig")
# subystem-specific slot substitution name/value pairs
if config.pki_master_dict['pki_subsystem'] == "CA":
+ config.pki_master_dict['pki_target_flatfile_txt'] =\
+ os.path.join(config.pki_master_dict\
+ ['pki_subsystem_configuration_path'],
+ "flatfile.txt")
config.pki_master_dict['pki_target_proxy_conf'] =\
os.path.join(config.pki_master_dict\
['pki_subsystem_configuration_path'],
"proxy.conf")
+ config.pki_master_dict['pki_target_registry_cfg'] =\
+ os.path.join(config.pki_master_dict\
+ ['pki_subsystem_configuration_path'],
+ "registry.cfg")
+ # '*.profile'
+ config.pki_master_dict['pki_target_admincert_profile'] =\
+ os.path.join(config.pki_master_dict\
+ ['pki_subsystem_configuration_path'],
+ "adminCert.profile")
+ config.pki_master_dict['pki_target_caauditsigningcert_profile']\
+ = os.path.join(config.pki_master_dict\
+ ['pki_subsystem_configuration_path'],
+ "caAuditSigningCert.profile")
+ config.pki_master_dict['pki_target_cacert_profile'] =\
+ os.path.join(config.pki_master_dict\
+ ['pki_subsystem_configuration_path'],
+ "caCert.profile")
+ config.pki_master_dict['pki_target_caocspcert_profile'] =\
+ os.path.join(config.pki_master_dict\
+ ['pki_subsystem_configuration_path'],
+ "caOCSPCert.profile")
+ config.pki_master_dict['pki_target_servercert_profile'] =\
+ os.path.join(config.pki_master_dict\
+ ['pki_subsystem_configuration_path'],
+ "serverCert.profile")
+ config.pki_master_dict['pki_target_subsystemcert_profile'] =\
+ os.path.join(config.pki_master_dict\
+ ['pki_subsystem_configuration_path'],
+ "subsystemCert.profile")
# in-place slot substitution name/value pairs
config.pki_master_dict['pki_target_profileselect_template'] =\
os.path.join(
@@ -713,6 +1078,24 @@ def compose_pki_master_dictionary():
"ee",
config.pki_master_dict['pki_subsystem'].lower(),
"ProfileSelect.template")
+ elif config.pki_master_dict['pki_subsystem'] == "KRA":
+ # '*.profile'
+ config.pki_master_dict['pki_target_servercert_profile'] =\
+ os.path.join(config.pki_master_dict\
+ ['pki_subsystem_configuration_path'],
+ "serverCert.profile")
+ config.pki_master_dict['pki_target_storagecert_profile'] =\
+ os.path.join(config.pki_master_dict\
+ ['pki_subsystem_configuration_path'],
+ "storageCert.profile")
+ config.pki_master_dict['pki_target_subsystemcert_profile'] =\
+ os.path.join(config.pki_master_dict\
+ ['pki_subsystem_configuration_path'],
+ "subsystemCert.profile")
+ config.pki_master_dict['pki_target_transportcert_profile'] =\
+ os.path.join(config.pki_master_dict\
+ ['pki_subsystem_configuration_path'],
+ "transportCert.profile")
# Slot assignment name/value pairs
# NOTE: Master key == Slots key; Master value ==> Slots value
config.pki_master_dict['PKI_INSTANCE_ID_SLOT'] =\
@@ -830,6 +1213,8 @@ def compose_pki_master_dictionary():
"tomcat")
config.pki_master_dict['PKI_PROXY_SECURE_PORT_SLOT'] =\
config.pki_master_dict['pki_proxy_https_port']
+ config.pki_master_dict['PKI_TMPDIR_SLOT'] =\
+ config.pki_master_dict['pki_tomcat_tmpdir_path']
config.pki_master_dict['PKI_PROXY_UNSECURE_PORT_SLOT'] =\
config.pki_master_dict['pki_proxy_http_port']
config.pki_master_dict['PKI_RANDOM_NUMBER_SLOT'] =\
@@ -846,6 +1231,8 @@ def compose_pki_master_dictionary():
config.pki_master_dict['pki_security_manager']
config.pki_master_dict['PKI_SERVER_XML_CONF_SLOT'] =\
config.pki_master_dict['pki_target_server_xml']
+ config.pki_master_dict['PKI_SUBSYSTEM_DIR_SLOT'] =\
+ config.pki_master_dict['pki_subsystem'].lower() + "/"
config.pki_master_dict['PKI_SUBSYSTEM_TYPE_SLOT'] =\
config.pki_master_dict['pki_subsystem'].lower()
config.pki_master_dict['PKI_SYSTEMD_SERVICENAME_SLOT'] =\
@@ -924,6 +1311,10 @@ def compose_pki_master_dictionary():
"+TLS_DHE_RSA_WITH_AES_128_CBC_SHA," +\
"+TLS_DHE_RSA_WITH_AES_256_CBC_SHA"
# Shared Apache/Tomcat NSS security database name/value pairs
+ config.pki_master_dict['pki_shared_pfile'] =\
+ os.path.join(
+ config.pki_master_dict['pki_instance_configuration_path'],
+ "pfile")
config.pki_master_dict['pki_shared_password_conf'] =\
os.path.join(
config.pki_master_dict['pki_instance_configuration_path'],
@@ -941,13 +1332,13 @@ def compose_pki_master_dictionary():
config.pki_master_dict['pki_self_signed_nickname'] =\
"Server-Cert cert-" + config.pki_master_dict['pki_instance_id']
config.pki_master_dict['pki_self_signed_subject'] =\
- "CN=" + config.pki_master_dict['pki_hostname'] + "," +\
- "O=" + config.pki_master_dict['pki_certificate_timestamp']
+ "cn=" + config.pki_master_dict['pki_hostname'] + "," +\
+ "o=" + config.pki_master_dict['pki_certificate_timestamp']
config.pki_master_dict['pki_self_signed_serial_number'] = 0
config.pki_master_dict['pki_self_signed_validity_period'] = 12
config.pki_master_dict['pki_self_signed_issuer_name'] =\
- "CN=" + config.pki_master_dict['pki_hostname'] + "," +\
- "O=" + config.pki_master_dict['pki_certificate_timestamp']
+ "cn=" + config.pki_master_dict['pki_hostname'] + "," +\
+ "o=" + config.pki_master_dict['pki_certificate_timestamp']
config.pki_master_dict['pki_self_signed_trustargs'] = "CTu,CTu,CTu"
config.pki_master_dict['pki_self_signed_noise_file'] =\
os.path.join(
@@ -992,10 +1383,778 @@ def compose_pki_master_dictionary():
"pki",
"deployment",
"configuration.jy")
+ config.pki_master_dict['pki_jython_base_uri'] =\
+ "https" + "://" + config.pki_master_dict['pki_hostname'] + ":" +\
+ config.pki_master_dict['pki_https_port'] + "/" +\
+ config.pki_master_dict['pki_subsystem'].lower() + "/" + "pki"
+ # Jython scriptlet
+ # 'Security Domain' Configuration name/value pairs
+ #
+ # Apache - [RA], [TPS]
+ # Tomcat - [CA], [KRA], [OCSP], [TKS]
+ # - [CA Clone], [KRA Clone], [OCSP Clone], [TKS Clone]
+ # - [External CA]
+ # - [Subordinate CA]
+ #
+ # The following variables are defined below:
+ #
+ # config.pki_master_dict['pki_security_domain_type']
+ # config.pki_master_dict['pki_security_domain_uri']
+ #
+ # The following variables are established via the specified PKI
+ # deployment configuration file and are NOT redefined below:
+ #
+ # config.pki_master_dict['pki_security_domain_https_port']
+ # config.pki_master_dict['pki_security_domain_password']
+ # config.pki_master_dict['pki_security_domain_user']
+ #
+ # The following variables are established via the specified PKI
+ # deployment configuration file and potentially overridden below:
+ #
+ # config.pki_master_dict['pki_security_domain_hostname']
+ # config.pki_master_dict['pki_security_domain_name']
+ #
+ if config.pki_subsystem in config.PKI_TOMCAT_SUBSYSTEMS:
+ if config.pki_subsystem == "CA":
+ if config.str2bool(config.pki_master_dict['pki_external']):
+ # External CA
+ config.pki_master_dict['pki_security_domain_type'] = "new"
+ if not len(config.pki_master_dict\
+ ['pki_security_domain_name']):
+ config.pki_master_dict['pki_security_domain_name'] =\
+ "External CA Security Domain"
+ elif not config.str2bool(config.pki_master_dict['pki_clone'])\
+ and not\
+ config.str2bool(config.pki_master_dict['pki_subordinate']):
+ # PKI CA
+ config.pki_master_dict['pki_security_domain_type'] = "new"
+ if not len(config.pki_master_dict\
+ ['pki_security_domain_name']):
+ config.pki_master_dict['pki_security_domain_name'] =\
+ config.pki_master_dict['pki_dns_domainname'] +\
+ " " + "Security Domain"
+ else:
+ # PKI Cloned or Subordinate CA
+ config.pki_master_dict['pki_security_domain_type'] =\
+ "existing"
+ if not len(config.pki_master_dict\
+ ['pki_security_domain_hostname']):
+ # Guess that it is the local host
+ config.pki_master_dict['pki_security_domain_hostname']\
+ = config.pki_master_dict['pki_hostname']
+ config.pki_master_dict['pki_security_domain_uri'] =\
+ "https" + "://" +\
+ config.pki_master_dict['pki_security_domain_hostname']\
+ + ":" + config.pki_security_domain_https_port
+ else:
+ # PKI KRA, OCSP, or TKS
+ config.pki_master_dict['pki_security_domain_type'] = "existing"
+ if not len(config.pki_master_dict\
+ ['pki_security_domain_hostname']):
+ # Guess that it is the local host
+ config.pki_master_dict['pki_security_domain_hostname'] =\
+ config.pki_master_dict['pki_hostname']
+ config.pki_master_dict['pki_security_domain_uri'] =\
+ "https" + "://" +\
+ config.pki_master_dict['pki_security_domain_hostname'] +\
+ ":" +\
+ config.pki_master_dict['pki_security_domain_https_port']
+ # Jython scriptlet
+ # 'Directory Server' Configuration name/value pairs
+ #
+ # Apache - [TPS]
+ # Tomcat - [CA], [KRA], [OCSP], [TKS]
+ # - [CA Clone], [KRA Clone], [OCSP Clone], [TKS Clone]
+ # - [External CA]
+ # - [Subordinate CA]
+ #
+ # The following variables are established via the specified PKI
+ # deployment configuration file and are NOT redefined below:
+ #
+ # config.pki_master_dict['pki_ds_bind_dn']
+ # config.pki_master_dict['pki_ds_http_port']
+ # config.pki_master_dict['pki_ds_https_port']
+ # config.pki_master_dict['pki_ds_password']
+ # config.pki_master_dict['pki_ds_remove_data']
+ # config.pki_master_dict['pki_ds_secure_connection']
+ #
+ # The following variables are established via the specified PKI
+ # deployment configuration file and potentially overridden below:
+ #
+ # config.pki_master_dict['pki_ds_base_dn']
+ # config.pki_master_dict['pki_ds_database']
+ # config.pki_master_dict['pki_ds_hostname']
+ #
+ if not len(config.pki_master_dict['pki_ds_base_dn']):
+ config.pki_master_dict['pki_ds_base_dn'] =\
+ "o=" + config.pki_master_dict['pki_instance_id']
+ if not len(config.pki_master_dict['pki_ds_database']):
+ config.pki_master_dict['pki_ds_database'] =\
+ "o=" + config.pki_master_dict['pki_instance_id']
+ if not len(config.pki_master_dict['pki_ds_hostname']):
+ # Guess that the Directory Server resides on the local host
+ config.pki_master_dict['pki_ds_hostname'] =\
+ config.pki_master_dict['pki_hostname']
+ # Jython scriptlet
+ # 'Backup' Configuration name/value pairs
+ #
+ # Apache - [RA], [TPS]
+ # Tomcat - [CA], [KRA], [OCSP], [TKS]
+ # - [External CA]
+ # - [Subordinate CA]
+ #
+ # The following variables are established via the specified PKI
+ # deployment configuration file and are NOT redefined below:
+ #
+ # config.pki_master_dict['pki_backup_keys']
+ # config.pki_master_dict['pki_backup_password']
+ #
+ # The following variables are established via the specified PKI
+ # deployment configuration file and potentially overridden below:
+ #
+ # config.pki_master_dict['pki_backup_file']
+ #
+ if config.str2bool(config.pki_master_dict['pki_backup_keys']):
+ if not len(config.pki_master_dict['pki_backup_file']):
+ if config.pki_subsystem in config.PKI_TOMCAT_SUBSYSTEMS:
+ if not config.str2bool(config.pki_master_dict['pki_clone']):
+ if config.pki_master_dict['pki_subsystem'] == "CA":
+ if config.str2bool(
+ config.pki_master_dict['pki_external']):
+ # External CA
+ config.pki_master_dict['pki_backup_file'] =\
+ "/tmp" + "/" + "externalca.p12" + "." +\
+ config.pki_master_dict['pki_timestamp']
+ elif config.str2bool(
+ config.pki_master_dict['pki_subordinate']):
+ # Subordinate CA
+ config.pki_master_dict['pki_backup_file'] =\
+ "/tmp" + "/" + "subca.p12" + "." +\
+ config.pki_master_dict['pki_timestamp']
+ else:
+ # PKI CA
+ config.pki_master_dict['pki_backup_file'] =\
+ "/tmp" + "/" + "ca.p12" + "." +\
+ config.pki_master_dict['pki_timestamp']
+ elif config.pki_master_dict['pki_subsystem'] == "KRA":
+ # PKI KRA
+ config.pki_master_dict['pki_backup_file'] =\
+ "/tmp" + "/" + "kra.p12" + "." +\
+ config.pki_master_dict['pki_timestamp']
+ elif config.pki_master_dict['pki_subsystem'] == "OCSP":
+ # PKI OCSP
+ config.pki_master_dict['pki_backup_file'] =\
+ "/tmp" + "/" + "ocsp.p12" + "." +\
+ config.pki_master_dict['pki_timestamp']
+ elif config.pki_master_dict['pki_subsystem'] == "TKS":
+ # PKI TKS
+ config.pki_master_dict['pki_backup_file'] =\
+ "/tmp" + "/" + "tks.p12" + "." +\
+ config.pki_master_dict['pki_timestamp']
+ # Jython scriptlet
+ # 'Admin Certificate' Configuration name/value pairs
+ #
+ # Apache - [RA], [TPS]
+ # Tomcat - [CA], [KRA], [OCSP], [TKS]
+ # - [External CA]
+ # - [Subordinate CA]
+ #
+ # The following variables are established via the specified PKI
+ # deployment configuration file and are NOT redefined below:
+ #
+ # config.pki_master_dict['pki_admin_cert_request_type']
+ # config.pki_master_dict['pki_admin_dualkey']
+ # config.pki_master_dict['pki_admin_keysize']
+ # config.pki_master_dict['pki_admin_name']
+ # config.pki_master_dict['pki_admin_password']
+ # config.pki_master_dict['pki_admin_uid']
+ #
+ # The following variables are established via the specified PKI
+ # deployment configuration file and potentially overridden below:
+ #
+ # config.pki_master_dict['pki_admin_email']
+ # config.pki_master_dict['pki_admin_subject_dn']
+ #
+ config.pki_master_dict['pki_admin_profile_id'] = "caAdminCert"
+ if not len(config.pki_master_dict['pki_admin_email']):
+ config.pki_master_dict['pki_admin_email'] =\
+ config.pki_master_dict['pki_admin_name'] + "@" +\
+ config.pki_master_dict['pki_dns_domainname']
+ if not len(config.pki_master_dict['pki_admin_subject_dn']):
+ if config.pki_subsystem in config.PKI_APACHE_SUBSYSTEMS:
+ if config.pki_master_dict['pki_subsystem'] == "RA":
+ # PKI RA
+ config.pki_master_dict['pki_admin_subject_dn'] =\
+ "cn=" + "RA Administrator" + "," +\
+ "uid=" + config.pki_master_dict['pki_admin_uid'] +\
+ "," + "e=" +\
+ config.pki_master_dict['pki_admin_email'] +\
+ "," + "o=" +\
+ config.pki_master_dict['pki_security_domain_name']
+ elif config.pki_master_dict['pki_subsystem'] == "TPS":
+ # PKI TPS
+ config.pki_master_dict['pki_admin_subject_dn'] =\
+ "cn=" + "TPS Administrator" + "," +\
+ "uid=" + config.pki_master_dict['pki_admin_uid'] +\
+ "," + "e=" +\
+ config.pki_master_dict['pki_admin_email'] +\
+ "," + "o=" +\
+ config.pki_master_dict['pki_security_domain_name']
+ elif config.pki_subsystem in config.PKI_TOMCAT_SUBSYSTEMS:
+ if not config.str2bool(config.pki_master_dict['pki_clone']):
+ if config.pki_master_dict['pki_subsystem'] == "CA":
+ # PKI CA, Subordinate CA, or External CA
+ config.pki_master_dict['pki_admin_subject_dn'] =\
+ "cn=" + "CA Administrator of Instance" + " " +\
+ config.pki_master_dict['pki_instance_id'] + "," +\
+ "uid=" + config.pki_master_dict['pki_admin_uid'] +\
+ "," + "e=" +\
+ config.pki_master_dict['pki_admin_email'] +\
+ "," + "o=" +\
+ config.pki_master_dict['pki_security_domain_name']
+ elif config.pki_master_dict['pki_subsystem'] == "KRA":
+ # PKI KRA
+ config.pki_master_dict['pki_admin_subject_dn'] =\
+ "cn=" + "KRA Administrator of Instance" + " " +\
+ config.pki_master_dict['pki_instance_id'] + "," +\
+ "uid=" + config.pki_master_dict['pki_admin_uid'] +\
+ "," + "e=" +\
+ config.pki_master_dict['pki_admin_email'] +\
+ "," + "o=" +\
+ config.pki_master_dict['pki_security_domain_name']
+ elif config.pki_master_dict['pki_subsystem'] == "OCSP":
+ # PKI OCSP
+ config.pki_master_dict['pki_admin_subject_dn'] =\
+ "cn=" + "OCSP Administrator of Instance" + " " +\
+ config.pki_master_dict['pki_instance_id'] + "," +\
+ "uid=" + config.pki_master_dict['pki_admin_uid'] +\
+ "," + "e=" +\
+ config.pki_master_dict['pki_admin_email'] +\
+ "," + "o=" +\
+ config.pki_master_dict['pki_security_domain_name']
+ elif config.pki_master_dict['pki_subsystem'] == "TKS":
+ # PKI TKS
+ config.pki_master_dict['pki_admin_subject_dn'] =\
+ "cn=" + "TKS Administrator of Instance" + " " +\
+ config.pki_master_dict['pki_instance_id'] + "," +\
+ "uid=" + config.pki_master_dict['pki_admin_uid'] +\
+ "," + "e=" +\
+ config.pki_master_dict['pki_admin_email'] +\
+ "," + "o=" +\
+ config.pki_master_dict['pki_security_domain_name']
+ # Jython scriptlet
+ # 'CA Signing Certificate' Configuration name/value pairs
+ #
+ # Tomcat - [CA]
+ # - [External CA]
+ # - [Subordinate CA]
+ #
+ # The following variables are defined below:
+ #
+ # config.pki_master_dict['pki_ca_signing_tag']
+ #
+ # The following variables are established via the specified PKI
+ # deployment configuration file and are NOT redefined below:
+ #
+ # config.pki_master_dict['pki_ca_signing_key_algorithm']
+ # config.pki_master_dict['pki_ca_signing_key_size']
+ # config.pki_master_dict['pki_ca_signing_key_type']
+ # config.pki_master_dict['pki_ca_signing_signing_algorithm']
+ #
+ # The following variables are established via the specified PKI
+ # deployment configuration file and potentially overridden below:
+ #
+ # config.pki_master_dict['pki_ca_signing_nickname']
+ # config.pki_master_dict['pki_ca_signing_subject_dn']
+ # config.pki_master_dict['pki_ca_signing_token']
+ #
+ if config.pki_subsystem in config.PKI_TOMCAT_SUBSYSTEMS:
+ if not config.str2bool(config.pki_master_dict['pki_clone']):
+ if config.pki_master_dict['pki_subsystem'] == "CA":
+ # config.pki_master_dict['pki_ca_signing_nickname']
+ if not len(config.pki_master_dict\
+ ['pki_ca_signing_nickname']):
+ config.pki_master_dict['pki_ca_signing_nickname'] =\
+ "caSigningCert" + " " + "cert-" +\
+ config.pki_master_dict['pki_instance_id']
+ # config.pki_master_dict['pki_ca_signing_subject_dn']
+ if config.str2bool(config.pki_master_dict['pki_external']):
+ # External CA
+ if not len(config.pki_master_dict\
+ ['pki_ca_signing_subject_dn']):
+ config.pki_master_dict['pki_ca_signing_subject_dn']\
+ = "cn=" + "External CA Signing Certificate" +\
+ "," + "o=" +\
+ config.pki_master_dict\
+ ['pki_security_domain_name']
+ elif config.str2bool(
+ config.pki_master_dict['pki_subordinate']):
+ # Subordinate CA
+ if not len(config.pki_master_dict\
+ ['pki_ca_signing_subject_dn']):
+ config.pki_master_dict['pki_ca_signing_subject_dn']\
+ = "cn=" + "SubCA Signing Certificate" +\
+ "," + "o=" +\
+ config.pki_master_dict\
+ ['pki_security_domain_name']
+ else:
+ # PKI CA
+ if not len(config.pki_master_dict\
+ ['pki_ca_signing_subject_dn']):
+ config.pki_master_dict['pki_ca_signing_subject_dn']\
+ = "cn=" + "CA Signing Certificate" +\
+ "," + "o=" +\
+ config.pki_master_dict\
+ ['pki_security_domain_name']
+ # config.pki_master_dict['pki_ca_signing_tag']
+ config.pki_master_dict['pki_ca_signing_tag'] =\
+ "signing"
+ # config.pki_master_dict['pki_ca_signing_token']
+ if not len(config.pki_master_dict['pki_ca_signing_token']):
+ config.pki_master_dict['pki_ca_signing_token'] =\
+ "Internal Key Storage Token"
+ # Jython scriptlet
+ # 'OCSP Signing Certificate' Configuration name/value pairs
+ #
+ # Tomcat - [CA], [OCSP]
+ # - [External CA]
+ # - [Subordinate CA]
+ #
+ # The following variables are defined below:
+ #
+ # config.pki_master_dict['pki_ocsp_signing_tag']
+ #
+ # The following variables are established via the specified PKI
+ # deployment configuration file and are NOT redefined below:
+ #
+ # config.pki_master_dict['pki_ocsp_signing_key_algorithm']
+ # config.pki_master_dict['pki_ocsp_signing_key_size']
+ # config.pki_master_dict['pki_ocsp_signing_key_type']
+ # config.pki_master_dict['pki_ocsp_signing_signing_algorithm']
+ #
+ # The following variables are established via the specified PKI
+ # deployment configuration file and potentially overridden below:
+ #
+ # config.pki_master_dict['pki_ocsp_signing_nickname']
+ # config.pki_master_dict['pki_ocsp_signing_subject_dn']
+ # config.pki_master_dict['pki_ocsp_signing_token']
+ #
+ if config.pki_subsystem in config.PKI_TOMCAT_SUBSYSTEMS:
+ if not config.str2bool(config.pki_master_dict['pki_clone']):
+ if config.pki_master_dict['pki_subsystem'] == "CA":
+ if not len(config.pki_master_dict\
+ ['pki_ocsp_signing_nickname']):
+ config.pki_master_dict['pki_ocsp_signing_nickname'] =\
+ "ocspSigningCert" + " " + "cert-" +\
+ config.pki_master_dict['pki_instance_id']
+ if config.str2bool(config.pki_master_dict['pki_external']):
+ # External CA
+ if not len(config.pki_master_dict\
+ ['pki_ocsp_signing_subject_dn']):
+ config.pki_master_dict\
+ ['pki_ocsp_signing_subject_dn'] =\
+ "cn=" + "External CA OCSP Signing Certificate"\
+ + "," + "o=" +\
+ config.pki_master_dict\
+ ['pki_security_domain_name']
+ elif config.str2bool(
+ config.pki_master_dict['pki_subordinate']):
+ # Subordinate CA
+ if not len(config.pki_master_dict\
+ ['pki_ocsp_signing_subject_dn']):
+ config.pki_master_dict\
+ ['pki_ocsp_signing_subject_dn'] =\
+ "cn=" + "SubCA OCSP Signing Certificate"\
+ + "," + "o=" +\
+ config.pki_master_dict\
+ ['pki_security_domain_name']
+ else:
+ # PKI CA
+ if not len(config.pki_master_dict\
+ ['pki_ocsp_signing_subject_dn']):
+ config.pki_master_dict\
+ ['pki_ocsp_signing_subject_dn'] =\
+ "cn=" + "CA OCSP Signing Certificate"\
+ + "," + "o=" +\
+ config.pki_master_dict\
+ ['pki_security_domain_name']
+ config.pki_master_dict['pki_ocsp_signing_tag'] =\
+ "ocsp_signing"
+ if not len(config.pki_master_dict\
+ ['pki_ocsp_signing_token']):
+ config.pki_master_dict['pki_ocsp_signing_token'] =\
+ "Internal Key Storage Token"
+ elif config.pki_master_dict['pki_subsystem'] == "OCSP":
+ # PKI OCSP
+ if not len(config.pki_master_dict\
+ ['pki_ocsp_signing_nickname']):
+ config.pki_master_dict['pki_ocsp_signing_nickname'] =\
+ "ocspSigningCert" + " " + "cert-" +\
+ config.pki_master_dict['pki_instance_id']
+ if not len(config.pki_master_dict\
+ ['pki_ocsp_signing_subject_dn']):
+ config.pki_master_dict['pki_ocsp_signing_subject_dn'] =\
+ "cn=" + "OCSP Signing Certificate" + "," + "o=" +\
+ config.pki_master_dict['pki_security_domain_name']
+ config.pki_master_dict['pki_ocsp_signing_tag'] =\
+ "signing"
+ if not len(config.pki_master_dict\
+ ['pki_ocsp_signing_token']):
+ config.pki_master_dict['pki_ocsp_signing_token'] =\
+ "Internal Key Storage Token"
+ # Jython scriptlet
+ # 'SSL Server Certificate' Configuration name/value pairs
+ #
+ # Apache - [RA], [TPS]
+ # Tomcat - [CA], [KRA], [OCSP], [TKS]
+ # - [CA Clone], [KRA Clone], [OCSP Clone], [TKS Clone]
+ # - [External CA]
+ # - [Subordinate CA]
+ #
+ # The following variables are defined below:
+ #
+ # config.pki_master_dict['pki_ssl_server_tag']
+ #
+ # The following variables are established via the specified PKI
+ # deployment configuration file and are NOT redefined below:
+ #
+ # config.pki_master_dict['pki_ssl_server_key_algorithm']
+ # config.pki_master_dict['pki_ssl_server_key_size']
+ # config.pki_master_dict['pki_ssl_server_key_type']
+ #
+ # The following variables are established via the specified PKI
+ # deployment configuration file and potentially overridden below:
+ #
+ # config.pki_master_dict['pki_ssl_server_nickname']
+ # config.pki_master_dict['pki_ssl_server_subject_dn']
+ # config.pki_master_dict['pki_ssl_server_token']
+ #
+ if not len(config.pki_master_dict['pki_ssl_server_nickname']):
+ config.pki_master_dict['pki_ssl_server_nickname'] =\
+ "Server-Cert" + " " + "cert-" +\
+ config.pki_master_dict['pki_instance_id']
+ if not len(config.pki_master_dict['pki_ssl_server_subject_dn']):
+ if config.pki_subsystem in config.PKI_APACHE_SUBSYSTEMS:
+ config.pki_master_dict['pki_ssl_server_subject_dn'] =\
+ "cn=" + config.pki_master_dict['pki_hostname'] +\
+ "," + "ou=" + config.pki_master_dict['pki_instance_id'] +\
+ "," + "o=" +\
+ config.pki_master_dict['pki_security_domain_name']
+ elif config.pki_subsystem in config.PKI_TOMCAT_SUBSYSTEMS:
+ config.pki_master_dict['pki_ssl_server_subject_dn'] =\
+ "cn=" + config.pki_master_dict['pki_hostname'] +\
+ "," + "o=" +\
+ config.pki_master_dict['pki_security_domain_name']
+ config.pki_master_dict['pki_ssl_server_tag'] = "sslserver"
+ if not len(config.pki_master_dict['pki_ssl_server_token']):
+ config.pki_master_dict['pki_ssl_server_token'] =\
+ "Internal Key Storage Token"
+ # Jython scriptlet
+ # 'Subsystem Certificate' Configuration name/value pairs
+ #
+ # Apache - [RA], [TPS]
+ # Tomcat - [CA], [KRA], [OCSP], [TKS]
+ # - [External CA]
+ # - [Subordinate CA]
+ #
+ # The following variables are defined below:
+ #
+ # config.pki_master_dict['pki_subsystem_tag']
+ #
+ # The following variables are established via the specified PKI
+ # deployment configuration file and are NOT redefined below:
+ #
+ # config.pki_master_dict['pki_subsystem_key_algorithm']
+ # config.pki_master_dict['pki_subsystem_key_size']
+ # config.pki_master_dict['pki_subsystem_key_type']
+ #
+ # The following variables are established via the specified PKI
+ # deployment configuration file and potentially overridden below:
+ #
+ # config.pki_master_dict['pki_subsystem_nickname']
+ # config.pki_master_dict['pki_subsystem_subject_dn']
+ # config.pki_master_dict['pki_subsystem_token']
+ #
+ if config.pki_subsystem in config.PKI_APACHE_SUBSYSTEMS:
+ if not len(config.pki_master_dict['pki_subsystem_nickname']):
+ config.pki_master_dict['pki_subsystem_nickname'] =\
+ "subsystemCert" + " " + "cert-" +\
+ config.pki_master_dict['pki_instance_id']
+ if not len(config.pki_master_dict['pki_subsystem_subject_dn']):
+ if config.pki_master_dict['pki_subsystem'] == "RA":
+ # PKI RA
+ config.pki_master_dict['pki_subsystem_subject_dn'] =\
+ "cn=" + "RA Subsystem Certificate" +\
+ "," + "ou=" + config.pki_master_dict['pki_instance_id']\
+ + "," + "o=" +\
+ config.pki_master_dict['pki_security_domain_name']
+ elif config.pki_master_dict['pki_subsystem'] == "TPS":
+ # PKI TPS
+ config.pki_master_dict['pki_subsystem_subject_dn'] =\
+ "cn=" + "TPS Subsystem Certificate" +\
+ "," + "ou=" + config.pki_master_dict['pki_instance_id']\
+ + "," + "o=" +\
+ config.pki_master_dict['pki_security_domain_name']
+ config.pki_master_dict['pki_subsystem_tag'] = "subsystem"
+ if not len(config.pki_master_dict['pki_subsystem_token']):
+ config.pki_master_dict['pki_subsystem_token'] =\
+ "Internal Key Storage Token"
+ elif config.pki_subsystem in config.PKI_TOMCAT_SUBSYSTEMS:
+ if not config.str2bool(config.pki_master_dict['pki_clone']):
+ if not len(config.pki_master_dict['pki_subsystem_nickname']):
+ config.pki_master_dict['pki_subsystem_nickname'] =\
+ "subsystemCert" + " " + "cert-" +\
+ config.pki_master_dict['pki_instance_id']
+ if not len(config.pki_master_dict['pki_subsystem_subject_dn']):
+ if config.pki_master_dict['pki_subsystem'] == "CA":
+ if config.str2bool(
+ config.pki_master_dict['pki_external']):
+ # External CA
+ config.pki_master_dict['pki_subsystem_subject_dn']\
+ = "cn=" + "External CA Subsystem Certificate" +\
+ "," + "o=" +\
+ config.pki_master_dict\
+ ['pki_security_domain_name']
+ elif config.str2bool(
+ config.pki_master_dict['pki_subordinate']):
+ # Subordinate CA
+ config.pki_master_dict['pki_subsystem_subject_dn']\
+ = "cn=" + "SubCA Subsystem Certificate" +\
+ "," + "o=" +\
+ config.pki_master_dict\
+ ['pki_security_domain_name']
+ else:
+ # PKI CA
+ config.pki_master_dict['pki_subsystem_subject_dn']\
+ = "cn=" + "CA Subsystem Certificate" +\
+ "," + "o=" +\
+ config.pki_master_dict\
+ ['pki_security_domain_name']
+ elif config.pki_master_dict['pki_subsystem'] == "KRA":
+ # PKI KRA
+ config.pki_master_dict['pki_subsystem_subject_dn'] =\
+ "cn=" + "DRM Subsystem Certificate" +\
+ "," + "o=" +\
+ config.pki_master_dict\
+ ['pki_security_domain_name']
+ elif config.pki_master_dict['pki_subsystem'] == "OCSP":
+ # PKI OCSP
+ config.pki_master_dict['pki_subsystem_subject_dn'] =\
+ "cn=" + "OCSP Subsystem Certificate" +\
+ "," + "o=" +\
+ config.pki_master_dict\
+ ['pki_security_domain_name']
+ elif config.pki_master_dict['pki_subsystem'] == "TKS":
+ # PKI TKS
+ config.pki_master_dict['pki_subsystem_subject_dn'] =\
+ "cn=" + "TKS Subsystem Certificate" +\
+ "," + "o=" +\
+ config.pki_master_dict\
+ ['pki_security_domain_name']
+ config.pki_master_dict['pki_subsystem_tag'] = "subsystem"
+ if not len(config.pki_master_dict['pki_subsystem_token']):
+ config.pki_master_dict['pki_subsystem_token'] =\
+ "Internal Key Storage Token"
+ # Jython scriptlet
+ # 'Audit Signing Certificate' Configuration name/value pairs
+ #
+ # Apache - [TPS]
+ # Tomcat - [CA], [KRA], [OCSP], [TKS]
+ # - [External CA]
+ # - [Subordinate CA]
+ #
+ # The following variables are defined below:
+ #
+ # config.pki_master_dict['pki_audit_signing_tag']
+ #
+ # The following variables are established via the specified PKI
+ # deployment configuration file and are NOT redefined below:
+ #
+ # config.pki_master_dict['pki_audit_signing_key_algorithm']
+ # config.pki_master_dict['pki_audit_signing_key_size']
+ # config.pki_master_dict['pki_audit_signing_key_type']
+ # config.pki_master_dict['pki_audit_signing_signing_algorithm']
+ #
+ # The following variables are established via the specified PKI
+ # deployment configuration file and potentially overridden below:
+ #
+ # config.pki_master_dict['pki_audit_signing_nickname']
+ # config.pki_master_dict['pki_audit_signing_subject_dn']
+ # config.pki_master_dict['pki_audit_signing_token']
+ #
+ if config.pki_subsystem in config.PKI_APACHE_SUBSYSTEMS:
+ if config.pki_master_dict['pki_subsystem'] != "RA":
+ if not len(config.pki_master_dict\
+ ['pki_audit_signing_nickname']):
+ config.pki_master_dict['pki_audit_signing_nickname'] =\
+ "auditSigningCert" + " " + "cert-" +\
+ config.pki_master_dict['pki_instance_id']
+ if not len(config.pki_master_dict\
+ ['pki_audit_signing_subject_dn']):
+ config.pki_master_dict['pki_audit_signing_subject_dn'] =\
+ "cn=" + "TPS Audit Signing Certificate" +\
+ "," + "ou=" + config.pki_master_dict['pki_instance_id']\
+ + "," + "o=" +\
+ config.pki_master_dict['pki_security_domain_name']
+ config.pki_master_dict['pki_audit_signing_tag'] =\
+ "audit_signing"
+ if not len(config.pki_master_dict['pki_audit_signing_token']):
+ config.pki_master_dict['pki_audit_signing_token'] =\
+ "Internal Key Storage Token"
+ elif config.pki_subsystem in config.PKI_TOMCAT_SUBSYSTEMS:
+ if not config.str2bool(config.pki_master_dict['pki_clone']):
+ if not len(config.pki_master_dict\
+ ['pki_audit_signing_nickname']):
+ config.pki_master_dict['pki_audit_signing_nickname'] =\
+ "auditSigningCert" + " " + "cert-" +\
+ config.pki_master_dict['pki_instance_id']
+ if not len(config.pki_master_dict\
+ ['pki_audit_signing_subject_dn']):
+ if config.pki_master_dict['pki_subsystem'] == "CA":
+ if config.str2bool(
+ config.pki_master_dict['pki_external']):
+ # External CA
+ config.pki_master_dict\
+ ['pki_audit_signing_subject_dn'] =\
+ "cn=" + "External CA Audit Signing Certificate"\
+ + "," + "o=" +\
+ config.pki_master_dict\
+ ['pki_security_domain_name']
+ elif config.str2bool(
+ config.pki_master_dict['pki_subordinate']):
+ # Subordinate CA
+ config.pki_master_dict\
+ ['pki_audit_signing_subject_dn'] =\
+ "cn=" + "SubCA Audit Signing Certificate" +\
+ "," + "o=" +\
+ config.pki_master_dict\
+ ['pki_security_domain_name']
+ else:
+ # PKI CA
+ config.pki_master_dict\
+ ['pki_audit_signing_subject_dn'] =\
+ "cn=" + "CA Audit Signing Certificate" +\
+ "," + "o=" +\
+ config.pki_master_dict\
+ ['pki_security_domain_name']
+ elif config.pki_master_dict['pki_subsystem'] == "KRA":
+ # PKI KRA
+ config.pki_master_dict['pki_audit_signing_subject_dn']\
+ = "cn=" + "DRM Audit Signing Certificate" +\
+ "," + "o=" +\
+ config.pki_master_dict['pki_security_domain_name']
+ elif config.pki_master_dict['pki_subsystem'] == "OCSP":
+ # PKI OCSP
+ config.pki_master_dict['pki_audit_signing_subject_dn']\
+ = "cn=" + "OCSP Audit Signing Certificate" +\
+ "," + "o=" +\
+ config.pki_master_dict['pki_security_domain_name']
+ elif config.pki_master_dict['pki_subsystem'] == "TKS":
+ # PKI TKS
+ config.pki_master_dict['pki_audit_signing_subject_dn']\
+ = "cn=" + "TKS Audit Signing Certificate" +\
+ "," + "o=" +\
+ config.pki_master_dict['pki_security_domain_name']
+ config.pki_master_dict['pki_audit_signing_tag'] =\
+ "audit_signing"
+ if not len(config.pki_master_dict['pki_audit_signing_token']):
+ config.pki_master_dict['pki_audit_signing_token'] =\
+ "Internal Key Storage Token"
+ # Jython scriptlet
+ # 'DRM Transport Certificate' Configuration name/value pairs
+ #
+ # Tomcat - [KRA]
+ #
+ # The following variables are defined below:
+ #
+ # config.pki_master_dict['pki_transport_tag']
+ #
+ # The following variables are established via the specified PKI
+ # deployment configuration file and are NOT redefined below:
+ #
+ # config.pki_master_dict['pki_transport_key_algorithm']
+ # config.pki_master_dict['pki_transport_key_size']
+ # config.pki_master_dict['pki_transport_key_type']
+ # config.pki_master_dict['pki_transport_signing_algorithm']
+ #
+ # The following variables are established via the specified PKI
+ # deployment configuration file and potentially overridden below:
+ #
+ # config.pki_master_dict['pki_transport_nickname']
+ # config.pki_master_dict['pki_transport_subject_dn']
+ # config.pki_master_dict['pki_transport_token']
+ #
+ if config.pki_subsystem in config.PKI_TOMCAT_SUBSYSTEMS:
+ if not config.str2bool(config.pki_master_dict['pki_clone']):
+ if config.pki_master_dict['pki_subsystem'] == "KRA":
+ # PKI KRA
+ if not len(config.pki_master_dict\
+ ['pki_transport_nickname']):
+ config.pki_master_dict['pki_transport_nickname'] =\
+ "transportCert" + " " + "cert-" +\
+ config.pki_master_dict['pki_instance_id']
+ if not len(config.pki_master_dict\
+ ['pki_transport_subject_dn']):
+ config.pki_master_dict['pki_transport_subject_dn']\
+ = "cn=" + "DRM Transport Certificate" +\
+ "," + "o=" +\
+ config.pki_master_dict['pki_security_domain_name']
+ config.pki_master_dict['pki_transport_tag'] =\
+ "transport"
+ if not len(config.pki_master_dict['pki_transport_token']):
+ config.pki_master_dict['pki_transport_token'] =\
+ "Internal Key Storage Token"
+ # Jython scriptlet
+ # 'DRM Storage Certificate' Configuration name/value pairs
+ #
+ # Tomcat - [KRA]
+ #
+ # The following variables are defined below:
+ #
+ # config.pki_master_dict['pki_storage_tag']
+ #
+ # The following variables are established via the specified PKI
+ # deployment configuration file and are NOT redefined below:
+ #
+ # config.pki_master_dict['pki_storage_key_algorithm']
+ # config.pki_master_dict['pki_storage_key_size']
+ # config.pki_master_dict['pki_storage_key_type']
+ # config.pki_master_dict['pki_storage_signing_algorithm']
+ #
+ # The following variables are established via the specified PKI
+ # deployment configuration file and potentially overridden below:
+ #
+ # config.pki_master_dict['pki_storage_nickname']
+ # config.pki_master_dict['pki_storage_subject_dn']
+ # config.pki_master_dict['pki_storage_token']
+ #
+ if config.pki_subsystem in config.PKI_TOMCAT_SUBSYSTEMS:
+ if not config.str2bool(config.pki_master_dict['pki_clone']):
+ if config.pki_master_dict['pki_subsystem'] == "KRA":
+ # PKI KRA
+ if not len(config.pki_master_dict['pki_storage_nickname']):
+ config.pki_master_dict['pki_storage_nickname'] =\
+ "storageCert" + " " + "cert-" +\
+ config.pki_master_dict['pki_instance_id']
+ if not len(config.pki_master_dict\
+ ['pki_storage_subject_dn']):
+ config.pki_master_dict['pki_storage_subject_dn']\
+ = "cn=" + "DRM Storage Certificate" +\
+ "," + "o=" +\
+ config.pki_master_dict['pki_security_domain_name']
+ config.pki_master_dict['pki_storage_tag'] =\
+ "storage"
+ if not len(config.pki_master_dict['pki_storage_token']):
+ config.pki_master_dict['pki_storage_token'] =\
+ "Internal Key Storage Token"
except OSError as exc:
config.pki_log.error(log.PKI_OSERROR_1, exc,
extra=config.PKI_INDENTATION_LEVEL_2)
sys.exit(1)
+ except KeyError as err:
+ config.pki_log.error(log.PKIHELPER_DICTIONARY_MASTER_MISSING_KEY_1,
+ err, extra=config.PKI_INDENTATION_LEVEL_2)
+ sys.exit(1)
return
diff --git a/base/deploy/src/scriptlets/security_databases.py b/base/deploy/src/scriptlets/security_databases.py
index 1a08fdccb..8364d9519 100644
--- a/base/deploy/src/scriptlets/security_databases.py
+++ b/base/deploy/src/scriptlets/security_databases.py
@@ -38,13 +38,20 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
util.password.create_password_conf(
master['pki_shared_password_conf'],
master['pki_pin'])
+ # Since 'certutil' does NOT strip the 'token=' portion of
+ # the 'token=password' entries, create a temporary server 'pfile'
+ # which ONLY contains the 'password' for the purposes of
+ # allowing 'certutil' to generate the security databases
+ util.password.create_password_conf(
+ master['pki_shared_pfile'],
+ master['pki_pin'], pin_sans_token=True)
util.file.modify(master['pki_shared_password_conf'])
util.certutil.create_security_databases(
master['pki_database_path'],
master['pki_cert_database'],
master['pki_key_database'],
master['pki_secmod_database'],
- password_file=master['pki_shared_password_conf'])
+ password_file=master['pki_shared_pfile'])
util.file.modify(master['pki_cert_database'], perms=\
config.PKI_DEPLOYMENT_DEFAULT_SECURITY_DATABASE_PERMISSIONS)
util.file.modify(master['pki_key_database'], perms=\
@@ -58,7 +65,7 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
master['pki_secmod_database'],
master['pki_self_signed_token'],
master['pki_self_signed_nickname'],
- password_file=master['pki_shared_password_conf'])
+ password_file=master['pki_shared_pfile'])
if not rv:
util.file.generate_noise_file(
master['pki_self_signed_noise_file'],
@@ -76,18 +83,28 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
master['pki_self_signed_issuer_name'],
master['pki_self_signed_trustargs'],
master['pki_self_signed_noise_file'],
- password_file=master['pki_shared_password_conf'])
+ password_file=master['pki_shared_pfile'])
+ # Delete the temporary 'noise' file
util.file.delete(master['pki_self_signed_noise_file'])
+ # Delete the temporary 'pfile'
+ util.file.delete(master['pki_shared_pfile'])
else:
util.password.create_password_conf(
master['pki_shared_password_conf'],
master['pki_pin'])
+ # Since 'certutil' does NOT strip the 'token=' portion of
+ # the 'token=password' entries, create a temporary server 'pfile'
+ # which ONLY contains the 'password' for the purposes of
+ # allowing 'certutil' to generate the security databases
+ util.password.create_password_conf(
+ master['pki_shared_pfile'],
+ master['pki_pin'], pin_sans_token=True)
util.certutil.create_security_databases(
master['pki_database_path'],
master['pki_cert_database'],
master['pki_key_database'],
master['pki_secmod_database'],
- password_file=master['pki_shared_password_conf'])
+ password_file=master['pki_shared_pfile'])
rv = util.certutil.verify_certificate_exists(
master['pki_database_path'],
master['pki_cert_database'],
@@ -95,7 +112,7 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
master['pki_secmod_database'],
master['pki_self_signed_token'],
master['pki_self_signed_nickname'],
- password_file=master['pki_shared_password_conf'])
+ password_file=master['pki_shared_pfile'])
if not rv:
util.file.generate_noise_file(
master['pki_self_signed_noise_file'],
@@ -113,7 +130,11 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
master['pki_self_signed_issuer_name'],
master['pki_self_signed_trustargs'],
master['pki_self_signed_noise_file'],
- password_file=master['pki_shared_password_conf'])
+ password_file=master['pki_shared_pfile'])
+ # Delete the temporary 'noise' file
+ util.file.delete(master['pki_self_signed_noise_file'])
+ # Delete the temporary 'pfile'
+ util.file.delete(master['pki_shared_pfile'])
return self.rv
def respawn(self):
diff --git a/base/deploy/src/scriptlets/slot_substitution.py b/base/deploy/src/scriptlets/slot_substitution.py
index 93b0ae750..3467596e8 100644
--- a/base/deploy/src/scriptlets/slot_substitution.py
+++ b/base/deploy/src/scriptlets/slot_substitution.py
@@ -39,7 +39,7 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
master['pki_target_cs_cfg'])
util.file.copy_with_slot_substitution(master['pki_source_registry'],
master['pki_target_registry'],
- overwrite_flag=True)
+ uid=0, gid=0, overwrite_flag=True)
if master['pki_subsystem'] in config.PKI_TOMCAT_SUBSYSTEMS:
util.file.copy_with_slot_substitution(
master['pki_source_catalina_properties'],
@@ -56,7 +56,7 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
util.file.copy_with_slot_substitution(
master['pki_source_tomcat_conf'],
master['pki_target_tomcat_conf_instance_id'],
- overwrite_flag=True)
+ uid=0, gid=0, overwrite_flag=True)
util.file.copy_with_slot_substitution(
master['pki_source_tomcat_conf'],
master['pki_target_tomcat_conf'],
@@ -69,6 +69,15 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
master['pki_target_velocity_properties'])
util.file.apply_slot_substitution(
master['pki_target_subsystem_web_xml'])
+ # Strip "<filter>" section from subsystem "web.xml"
+ # This is ONLY necessary because XML comments cannot be "nested"!
+ #util.file.copy(master['pki_target_subsystem_web_xml'],
+ # master['pki_target_subsystem_web_xml_orig'])
+ #util.file.delete(master['pki_target_subsystem_web_xml'])
+ #util.xml_file.remove_filter_section_from_web_xml(
+ # master['pki_target_subsystem_web_xml_orig'],
+ # master['pki_target_subsystem_web_xml'])
+ #util.file.delete(master['pki_target_subsystem_web_xml_orig'])
if master['pki_subsystem'] == "CA":
util.file.copy_with_slot_substitution(
master['pki_source_proxy_conf'],
@@ -85,7 +94,7 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
overwrite_flag=True)
util.file.copy_with_slot_substitution(master['pki_source_registry'],
master['pki_target_registry'],
- overwrite_flag=True)
+ uid=0, gid=0, overwrite_flag=True)
if master['pki_subsystem'] in config.PKI_TOMCAT_SUBSYSTEMS:
util.file.copy_with_slot_substitution(
master['pki_source_catalina_properties'],
@@ -102,7 +111,7 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
util.file.copy_with_slot_substitution(
master['pki_source_tomcat_conf'],
master['pki_target_tomcat_conf_instance_id'],
- overwrite_flag=True)
+ uid=0, gid=0, overwrite_flag=True)
util.file.copy_with_slot_substitution(
master['pki_source_tomcat_conf'],
master['pki_target_tomcat_conf'],
@@ -115,6 +124,15 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
master['pki_target_velocity_properties'])
util.file.apply_slot_substitution(
master['pki_target_subsystem_web_xml'])
+ # Strip "<filter>" section from subsystem "web.xml"
+ # This is ONLY necessary because XML comments cannot be "nested"!
+ #util.file.copy(master['pki_target_subsystem_web_xml'],
+ # master['pki_target_subsystem_web_xml_orig'])
+ #util.file.delete(master['pki_target_subsystem_web_xml'])
+ #util.xml_file.remove_filter_section_from_web_xml(
+ # master['pki_target_subsystem_web_xml_orig'],
+ # master['pki_target_subsystem_web_xml'])
+ #util.file.delete(master['pki_target_subsystem_web_xml_orig'])
if master['pki_subsystem'] == "CA":
util.file.copy_with_slot_substitution(
master['pki_source_proxy_conf'],
diff --git a/base/deploy/src/scriptlets/subsystem_layout.py b/base/deploy/src/scriptlets/subsystem_layout.py
index 4ea5e6f84..d9c597d60 100644
--- a/base/deploy/src/scriptlets/subsystem_layout.py
+++ b/base/deploy/src/scriptlets/subsystem_layout.py
@@ -56,6 +56,34 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
master['pki_subsystem_profiles_path'])
# establish instance-based Tomcat PKI subsystem logs
# establish instance-based Tomcat PKI subsystem configuration
+ if master['pki_subsystem'] == "CA":
+ util.file.copy(master['pki_source_flatfile_txt'],
+ master['pki_target_flatfile_txt'])
+ util.file.copy(master['pki_source_registry_cfg'],
+ master['pki_target_registry_cfg'])
+ # '*.profile'
+ util.file.copy(master['pki_source_admincert_profile'],
+ master['pki_target_admincert_profile'])
+ util.file.copy(master['pki_source_caauditsigningcert_profile'],
+ master['pki_target_caauditsigningcert_profile'])
+ util.file.copy(master['pki_source_cacert_profile'],
+ master['pki_target_cacert_profile'])
+ util.file.copy(master['pki_source_caocspcert_profile'],
+ master['pki_target_caocspcert_profile'])
+ util.file.copy(master['pki_source_servercert_profile'],
+ master['pki_target_servercert_profile'])
+ util.file.copy(master['pki_source_subsystemcert_profile'],
+ master['pki_target_subsystemcert_profile'])
+ elif master['pki_subsystem'] == "KRA":
+ # '*.profile'
+ util.file.copy(master['pki_source_servercert_profile'],
+ master['pki_target_servercert_profile'])
+ util.file.copy(master['pki_source_storagecert_profile'],
+ master['pki_target_storagecert_profile'])
+ util.file.copy(master['pki_source_subsystemcert_profile'],
+ master['pki_target_subsystemcert_profile'])
+ util.file.copy(master['pki_source_transportcert_profile'],
+ master['pki_target_transportcert_profile'])
# establish instance-based Tomcat PKI subsystem registry
# establish instance-based Tomcat PKI subsystem convenience
# symbolic links
@@ -98,6 +126,46 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
overwrite_flag=True)
# update instance-based Tomcat PKI subsystem logs
# update instance-based Tomcat PKI subsystem configuration
+ if master['pki_subsystem'] == "CA":
+ # util.file.copy(master['pki_source_flatfile_txt'],
+ # master['pki_target_flatfile_txt'],
+ # overwrite_flag=True)
+ util.file.copy(master['pki_source_registry_cfg'],
+ master['pki_target_registry_cfg'],
+ overwrite_flag=True)
+ # '*.profile'
+ util.file.copy(master['pki_source_admincert_profile'],
+ master['pki_target_admincert_profile'],
+ overwrite_flag=True)
+ util.file.copy(master['pki_source_caauditsigningcert_profile'],
+ master['pki_target_caauditsigningcert_profile'],
+ overwrite_flag=True)
+ util.file.copy(master['pki_source_cacert_profile'],
+ master['pki_target_cacert_profile'],
+ overwrite_flag=True)
+ util.file.copy(master['pki_source_caocspcert_profile'],
+ master['pki_target_caocspcert_profile'],
+ overwrite_flag=True)
+ util.file.copy(master['pki_source_servercert_profile'],
+ master['pki_target_servercert_profile'],
+ overwrite_flag=True)
+ util.file.copy(master['pki_source_subsystemcert_profile'],
+ master['pki_target_subsystemcert_profile'],
+ overwrite_flag=True)
+ elif master['pki_subsystem'] == "KRA":
+ # '*.profile'
+ util.file.copy(master['pki_source_servercert_profile'],
+ master['pki_target_servercert_profile'],
+ overwrite_flag=True)
+ util.file.copy(master['pki_source_storagecert_profile'],
+ master['pki_target_storagecert_profile'],
+ overwrite_flag=True)
+ util.file.copy(master['pki_source_subsystemcert_profile'],
+ master['pki_target_subsystemcert_profile'],
+ overwrite_flag=True)
+ util.file.copy(master['pki_source_transportcert_profile'],
+ master['pki_target_transportcert_profile'],
+ overwrite_flag=True)
# update instance-based Tomcat PKI subsystem registry
# update instance-based Tomcat PKI subsystem convenience
# symbolic links
diff --git a/base/deploy/src/scriptlets/war_explosion.py b/base/deploy/src/scriptlets/war_explosion.py
index ca2ea601b..16113ba7d 100644
--- a/base/deploy/src/scriptlets/war_explosion.py
+++ b/base/deploy/src/scriptlets/war_explosion.py
@@ -39,11 +39,23 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
util.directory.create(master['pki_tomcat_webapps_subsystem_path'])
util.war.explode(master['pki_war'],
master['pki_tomcat_webapps_subsystem_path'])
- # establish convenience symbolic links
- util.symlink.create(master['pki_tomcat_webapps_webinf_classes_path'],
- master['pki_tomcat_webapps_subsystem_webinf_classes_link'])
- util.symlink.create(master['pki_tomcat_webapps_webinf_lib_path'],
- master['pki_tomcat_webapps_subsystem_webinf_lib_link'])
+ util.directory.create(
+ master['pki_tomcat_webapps_subsystem_webinf_classes_path'])
+ util.directory.create(
+ master['pki_tomcat_webapps_subsystem_webinf_lib_path'])
+ # establish Tomcat webapps subsystem WEB-INF lib symbolic links
+ if master['pki_subsystem'] == "CA":
+ util.symlink.create(master['pki_ca_jar'],
+ master['pki_ca_jar_link'])
+ elif master['pki_subsystem'] == "KRA":
+ util.symlink.create(master['pki_kra_jar'],
+ master['pki_kra_jar_link'])
+ elif master['pki_subsystem'] == "OCSP":
+ util.symlink.create(master['pki_ocsp_jar'],
+ master['pki_ocsp_jar_link'])
+ elif master['pki_subsystem'] == "TKS":
+ util.symlink.create(master['pki_tks_jar'],
+ master['pki_tks_jar_link'])
# set ownerships, permissions, and acls
util.directory.set_mode(master['pki_tomcat_webapps_subsystem_path'])
return self.rv
@@ -56,8 +68,16 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
util.directory.modify(master['pki_tomcat_webapps_subsystem_path'])
util.war.explode(master['pki_war'],
master['pki_tomcat_webapps_subsystem_path'])
+ # update Tomcat webapps subsystem WEB-INF lib symbolic links
+ if master['pki_subsystem'] == "CA":
+ util.symlink.modify(master['pki_ca_jar_link'])
+ elif master['pki_subsystem'] == "KRA":
+ util.symlink.modify(master['pki_kra_jar_link'])
+ elif master['pki_subsystem'] == "OCSP":
+ util.symlink.modify(master['pki_ocsp_jar_link'])
+ elif master['pki_subsystem'] == "TKS":
+ util.symlink.modify(master['pki_tks_jar_link'])
# update ownerships, permissions, and acls
- # NOTE: This includes existing convenience symbolic links
util.directory.set_mode(master['pki_tomcat_webapps_subsystem_path'])
return self.rv
diff --git a/base/kra/shared/conf/CS.cfg.in b/base/kra/shared/conf/CS.cfg.in
index 5135e1311..c2655fc75 100644
--- a/base/kra/shared/conf/CS.cfg.in
+++ b/base/kra/shared/conf/CS.cfg.in
@@ -29,6 +29,7 @@ agent.interface.uri=kra/agent/kra
authType=pwd
preop.securitydomain.admin_url=https://[PKI_MACHINE_NAME]:9445
instanceRoot=[PKI_INSTANCE_PATH]
+configurationRoot=/[PKI_SUBSYSTEM_DIR]conf/
machineName=[PKI_MACHINE_NAME]
instanceId=[PKI_INSTANCE_ID]
pidDir=[PKI_PIDDIR]
@@ -201,7 +202,7 @@ dbs.ldap=internaldb
dbs.newSchemaEntryAdded=true
debug.append=true
debug.enabled=true
-debug.filename=[PKI_INSTANCE_PATH]/logs/debug
+debug.filename=[PKI_INSTANCE_PATH]/logs/[PKI_SUBSYSTEM_DIR]debug
debug.hashkeytypes=
debug.level=0
debug.showcaller=false
@@ -277,7 +278,7 @@ log.instance.SignedAudit.bufferSize=512
log.instance.SignedAudit.enable=true
log.instance.SignedAudit.events=AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,PRIVATE_KEY_ARCHIVE_REQUEST,PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,KEY_RECOVERY_REQUEST,KEY_RECOVERY_REQUEST_ASYNC,KEY_RECOVERY_AGENT_LOGIN,KEY_RECOVERY_REQUEST_PROCESSED,KEY_RECOVERY_REQUEST_PROCESSED_ASYNC,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ_SUCCESS,AUTHZ_FAIL,INTER_BOUNDARY,AUTH_FAIL,AUTH_SUCCESS,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_ADD_CA_REQUEST,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST,OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS,OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,CONFIG_SERIAL_NUMBER
log.instance.SignedAudit.expirationTime=0
-log.instance.SignedAudit.fileName=[PKI_INSTANCE_PATH]/logs/signedAudit/kra_cert-kra_audit
+log.instance.SignedAudit.fileName=[PKI_INSTANCE_PATH]/logs/[PKI_SUBSYSTEM_DIR]signedAudit/kra_cert-kra_audit
log.instance.SignedAudit.flushInterval=5
log.instance.SignedAudit.level=1
log.instance.SignedAudit.logSigning=false
@@ -295,7 +296,7 @@ log.instance.System._002=##
log.instance.System.bufferSize=512
log.instance.System.enable=true
log.instance.System.expirationTime=0
-log.instance.System.fileName=[PKI_INSTANCE_PATH]/logs/system
+log.instance.System.fileName=[PKI_INSTANCE_PATH]/logs/[PKI_SUBSYSTEM_DIR]system
log.instance.System.flushInterval=5
log.instance.System.level=3
log.instance.System.maxFileSize=2000
@@ -308,15 +309,15 @@ log.instance.Transactions._002=##
log.instance.Transactions.bufferSize=512
log.instance.Transactions.enable=true
log.instance.Transactions.expirationTime=0
-log.instance.Transactions.fileName=[PKI_INSTANCE_PATH]/logs/transactions
+log.instance.Transactions.fileName=[PKI_INSTANCE_PATH]/logs/[PKI_SUBSYSTEM_DIR]transactions
log.instance.Transactions.flushInterval=5
log.instance.Transactions.level=1
log.instance.Transactions.maxFileSize=2000
log.instance.Transactions.pluginName=file
log.instance.Transactions.rolloverInterval=2592000
log.instance.Transactions.type=transaction
-logAudit.fileName=[PKI_INSTANCE_PATH]/logs/access
-logError.fileName=[PKI_INSTANCE_PATH]/logs/error
+logAudit.fileName=[PKI_INSTANCE_PATH]/logs/[PKI_SUBSYSTEM_DIR]access
+logError.fileName=[PKI_INSTANCE_PATH]/logs/[PKI_SUBSYSTEM_DIR]error
oidmap.auth_info_access.class=netscape.security.extensions.AuthInfoAccessExtension
oidmap.auth_info_access.oid=1.3.6.1.5.5.7.1.1
oidmap.challenge_password.class=com.netscape.cms.servlet.cert.scep.ChallengePassword
@@ -353,7 +354,7 @@ selftests.container.logger.bufferSize=512
selftests.container.logger.class=com.netscape.cms.logging.RollingLogFile
selftests.container.logger.enable=true
selftests.container.logger.expirationTime=0
-selftests.container.logger.fileName=[PKI_INSTANCE_PATH]/logs/selftests.log
+selftests.container.logger.fileName=[PKI_INSTANCE_PATH]/logs/[PKI_SUBSYSTEM_DIR]selftests.log
selftests.container.logger.flushInterval=5
selftests.container.logger.level=1
selftests.container.logger.maxFileSize=2000
diff --git a/base/kra/shared/webapps/kra/WEB-INF/web.xml b/base/kra/shared/webapps/kra/WEB-INF/web.xml
index c6e9934eb..273ca1fa4 100644
--- a/base/kra/shared/webapps/kra/WEB-INF/web.xml
+++ b/base/kra/shared/webapps/kra/WEB-INF/web.xml
@@ -3,71 +3,6 @@
PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN" "file:///usr/share/pki/setup/web-app_2_3.dtd">
<web-app>
- <filter>
- <filter-name>AgentRequestFilter</filter-name>
- <filter-class>com.netscape.cms.servlet.filter.AgentRequestFilter</filter-class>
- <init-param>
- <param-name>https_port</param-name>
- <param-value>[PKI_AGENT_SECURE_PORT]</param-value>
- </init-param>
-[PKI_OPEN_ENABLE_PROXY_COMMENT]
- <init-param>
- <param-name>proxy_port</param-name>
- <param-value>[PKI_PROXY_SECURE_PORT]</param-value>
- </init-param>
-[PKI_CLOSE_ENABLE_PROXY_COMMENT]
- <init-param>
- <param-name>active</param-name>
- <param-value>true</param-value>
- </init-param>
- </filter>
-
- <filter>
- <filter-name>AdminRequestFilter</filter-name>
- <filter-class>com.netscape.cms.servlet.filter.AdminRequestFilter</filter-class>
- <init-param>
- <param-name>https_port</param-name>
- <param-value>[PKI_ADMIN_SECURE_PORT]</param-value>
- </init-param>
-[PKI_OPEN_ENABLE_PROXY_COMMENT]
- <init-param>
- <param-name>proxy_port</param-name>
- <param-value>[PKI_PROXY_SECURE_PORT]</param-value>
- </init-param>
-[PKI_CLOSE_ENABLE_PROXY_COMMENT]
- <init-param>
- <param-name>active</param-name>
- <param-value>true</param-value>
- </init-param>
- </filter>
-
- <filter>
- <filter-name>EERequestFilter</filter-name>
- <filter-class>com.netscape.cms.servlet.filter.EERequestFilter</filter-class>
- <init-param>
- <param-name>http_port</param-name>
- <param-value>[PKI_UNSECURE_PORT]</param-value>
- </init-param>
- <init-param>
- <param-name>https_port</param-name>
- <param-value>[PKI_EE_SECURE_PORT]</param-value>
- </init-param>
-[PKI_OPEN_ENABLE_PROXY_COMMENT]
- <init-param>
- <param-name>proxy_port</param-name>
- <param-value>[PKI_PROXY_SECURE_PORT]</param-value>
- </init-param>
- <init-param>
- <param-name>proxy_http_port</param-name>
- <param-value>[PKI_PROXY_UNSECURE_PORT]</param-value>
- </init-param>
-[PKI_CLOSE_ENABLE_PROXY_COMMENT]
- <init-param>
- <param-name>active</param-name>
- <param-value>true</param-value>
- </init-param>
- </filter>
-
<servlet>
<servlet-name>csadmin-wizard</servlet-name>
<servlet-class>com.netscape.cms.servlet.wizard.WizardServlet</servlet-class>
@@ -640,7 +575,7 @@
<init-param><param-name> AuthzMgr </param-name>
<param-value> BasicAclAuthz </param-value> </init-param>
<init-param><param-name> cfgPath </param-name>
- <param-value> [PKI_INSTANCE_PATH]/conf/CS.cfg </param-value> </init-param>
+ <param-value> [PKI_INSTANCE_PATH]/conf/[PKI_SUBSYSTEM_DIR]CS.cfg </param-value> </init-param>
<init-param><param-name> ID </param-name>
<param-value> krastart </param-value> </init-param>
<load-on-startup> 1 </load-on-startup>
@@ -756,10 +691,9 @@
<param-value> ee </param-value> </init-param>
</servlet>
- <context-param>
- <param-name>resteasy.scan</param-name>
- <param-value>true</param-value>
- </context-param>
+ <listener>
+ <listener-class> org.jboss.resteasy.plugins.server.servlet.ResteasyBootstrap </listener-class>
+ </listener>
<context-param>
<param-name>resteasy.servlet.mapping.prefix</param-name>
@@ -776,31 +710,12 @@
<servlet>
<servlet-name>Resteasy</servlet-name>
<servlet-class>org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher</servlet-class>
+ <init-param>
+ <param-name>javax.ws.rs.Application</param-name>
+ <param-value>com.netscape.kra.KeyRecoveryAuthorityApplication</param-value>
+ </init-param>
</servlet>
-[PKI_OPEN_SEPARATE_PORTS_WEB_COMMENT]
- <filter-mapping>
- <filter-name> AgentRequestFilter </filter-name>
- <url-pattern> /agent/* </url-pattern>
- </filter-mapping>
-
- <filter-mapping>
- <filter-name> AdminRequestFilter </filter-name>
- <url-pattern> /admin/* </url-pattern>
- <url-pattern> /auths </url-pattern>
- <url-pattern> /server </url-pattern>
- <url-pattern> /log </url-pattern>
- <url-pattern> /ug </url-pattern>
- <url-pattern> /acl </url-pattern>
- <url-pattern> /kra </url-pattern>
- </filter-mapping>
-
- <filter-mapping>
- <filter-name> EERequestFilter </filter-name>
- <url-pattern> /ee/* </url-pattern>
- </filter-mapping>
-[PKI_CLOSE_SEPARATE_PORTS_WEB_COMMENT]
-
<servlet-mapping>
<servlet-name>Resteasy</servlet-name>
<url-pattern>/pki/*</url-pattern>
diff --git a/base/ocsp/shared/conf/CS.cfg.in b/base/ocsp/shared/conf/CS.cfg.in
index 658a1b6d3..0910d6672 100644
--- a/base/ocsp/shared/conf/CS.cfg.in
+++ b/base/ocsp/shared/conf/CS.cfg.in
@@ -99,6 +99,7 @@ preop.cert.subsystem.cncomponent.override=true
cs.state=0
authType=pwd
instanceRoot=[PKI_INSTANCE_PATH]
+configurationRoot=/[PKI_SUBSYSTEM_DIR]conf/
machineName=[PKI_MACHINE_NAME]
instanceId=[PKI_INSTANCE_ID]
service.machineName=[PKI_MACHINE_NAME]
@@ -163,7 +164,7 @@ dbs.ldap=internaldb
dbs.newSchemaEntryAdded=true
debug.append=true
debug.enabled=true
-debug.filename=[PKI_INSTANCE_PATH]/logs/debug
+debug.filename=[PKI_INSTANCE_PATH]/logs/[PKI_SUBSYSTEM_DIR]debug
debug.hashkeytypes=
debug.level=0
debug.showcaller=false
@@ -216,7 +217,7 @@ log.instance.SignedAudit.bufferSize=512
log.instance.SignedAudit.enable=true
log.instance.SignedAudit.events=AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,PRIVATE_KEY_ARCHIVE_REQUEST,PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,KEY_RECOVERY_REQUEST,KEY_RECOVERY_REQUEST_ASYNC,KEY_RECOVERY_AGENT_LOGIN,KEY_RECOVERY_REQUEST_PROCESSED,KEY_RECOVERY_REQUEST_PROCESSED_ASYNC,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ_SUCCESS,AUTHZ_FAIL,INTER_BOUNDARY,AUTH_FAIL,AUTH_SUCCESS,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_ADD_CA_REQUEST,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST,OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS,OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION
log.instance.SignedAudit.expirationTime=0
-log.instance.SignedAudit.fileName=[PKI_INSTANCE_PATH]/logs/signedAudit/ocsp_cert-ocsp_audit
+log.instance.SignedAudit.fileName=[PKI_INSTANCE_PATH]/logs/[PKI_SUBSYSTEM_DIR]signedAudit/ocsp_cert-ocsp_audit
log.instance.SignedAudit.flushInterval=5
log.instance.SignedAudit.level=1
log.instance.SignedAudit.logSigning=false
@@ -234,7 +235,7 @@ log.instance.System._002=##
log.instance.System.bufferSize=512
log.instance.System.enable=true
log.instance.System.expirationTime=0
-log.instance.System.fileName=[PKI_INSTANCE_PATH]/logs/system
+log.instance.System.fileName=[PKI_INSTANCE_PATH]/logs/[PKI_SUBSYSTEM_DIR]system
log.instance.System.flushInterval=5
log.instance.System.level=3
log.instance.System.maxFileSize=2000
@@ -247,15 +248,15 @@ log.instance.Transactions._002=##
log.instance.Transactions.bufferSize=512
log.instance.Transactions.enable=true
log.instance.Transactions.expirationTime=0
-log.instance.Transactions.fileName=[PKI_INSTANCE_PATH]/logs/transactions
+log.instance.Transactions.fileName=[PKI_INSTANCE_PATH]/logs/[PKI_SUBSYSTEM_DIR]transactions
log.instance.Transactions.flushInterval=5
log.instance.Transactions.level=1
log.instance.Transactions.maxFileSize=2000
log.instance.Transactions.pluginName=file
log.instance.Transactions.rolloverInterval=2592000
log.instance.Transactions.type=transaction
-logAudit.fileName=[PKI_INSTANCE_PATH]/logs/access
-logError.fileName=[PKI_INSTANCE_PATH]/logs/error
+logAudit.fileName=[PKI_INSTANCE_PATH]/logs/[PKI_SUBSYSTEM_DIR]access
+logError.fileName=[PKI_INSTANCE_PATH]/logs/[PKI_SUBSYSTEM_DIR]error
ocsp.certNickname=
ocsp.storeId=defStore
ocsp.signing.certnickname=
@@ -302,7 +303,7 @@ selftests.container.logger.bufferSize=512
selftests.container.logger.class=com.netscape.cms.logging.RollingLogFile
selftests.container.logger.enable=true
selftests.container.logger.expirationTime=0
-selftests.container.logger.fileName=[PKI_INSTANCE_PATH]/logs/selftests.log
+selftests.container.logger.fileName=[PKI_INSTANCE_PATH]/logs/[PKI_SUBSYSTEM_DIR]selftests.log
selftests.container.logger.flushInterval=5
selftests.container.logger.level=1
selftests.container.logger.maxFileSize=2000
diff --git a/base/ocsp/shared/webapps/ocsp/WEB-INF/web.xml b/base/ocsp/shared/webapps/ocsp/WEB-INF/web.xml
index e4ea799eb..cb18574b3 100644
--- a/base/ocsp/shared/webapps/ocsp/WEB-INF/web.xml
+++ b/base/ocsp/shared/webapps/ocsp/WEB-INF/web.xml
@@ -7,71 +7,6 @@
PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN" "file:///usr/share/pki/setup/web-app_2_3.dtd">
<web-app>
- <filter>
- <filter-name>AgentRequestFilter</filter-name>
- <filter-class>com.netscape.cms.servlet.filter.AgentRequestFilter</filter-class>
- <init-param>
- <param-name>https_port</param-name>
- <param-value>[PKI_AGENT_SECURE_PORT]</param-value>
- </init-param>
-[PKI_OPEN_ENABLE_PROXY_COMMENT]
- <init-param>
- <param-name>proxy_port</param-name>
- <param-value>[PKI_PROXY_SECURE_PORT]</param-value>
- </init-param>
-[PKI_CLOSE_ENABLE_PROXY_COMMENT]
- <init-param>
- <param-name>active</param-name>
- <param-value>true</param-value>
- </init-param>
- </filter>
-
- <filter>
- <filter-name>AdminRequestFilter</filter-name>
- <filter-class>com.netscape.cms.servlet.filter.AdminRequestFilter</filter-class>
- <init-param>
- <param-name>https_port</param-name>
- <param-value>[PKI_ADMIN_SECURE_PORT]</param-value>
- </init-param>
-[PKI_OPEN_ENABLE_PROXY_COMMENT]
- <init-param>
- <param-name>proxy_port</param-name>
- <param-value>[PKI_PROXY_SECURE_PORT]</param-value>
- </init-param>
-[PKI_CLOSE_ENABLE_PROXY_COMMENT]
- <init-param>
- <param-name>active</param-name>
- <param-value>true</param-value>
- </init-param>
- </filter>
-
- <filter>
- <filter-name>EERequestFilter</filter-name>
- <filter-class>com.netscape.cms.servlet.filter.EERequestFilter</filter-class>
- <init-param>
- <param-name>http_port</param-name>
- <param-value>[PKI_UNSECURE_PORT]</param-value>
- </init-param>
- <init-param>
- <param-name>https_port</param-name>
- <param-value>[PKI_EE_SECURE_PORT]</param-value>
- </init-param>
-[PKI_OPEN_ENABLE_PROXY_COMMENT]
- <init-param>
- <param-name>proxy_port</param-name>
- <param-value>[PKI_PROXY_SECURE_PORT]</param-value>
- </init-param>
- <init-param>
- <param-name>proxy_http_port</param-name>
- <param-value>[PKI_PROXY_UNSECURE_PORT]</param-value>
- </init-param>
-[PKI_CLOSE_ENABLE_PROXY_COMMENT]
- <init-param>
- <param-name>active</param-name>
- <param-value>true</param-value>
- </init-param>
- </filter>
-
<servlet>
<servlet-name>csadmin-wizard</servlet-name>
<servlet-class>com.netscape.cms.servlet.wizard.WizardServlet</servlet-class>
@@ -160,7 +95,7 @@
<init-param><param-name> AuthzMgr </param-name>
<param-value> BasicAclAuthz </param-value> </init-param>
<init-param><param-name> cfgPath </param-name>
- <param-value> [PKI_INSTANCE_PATH]/conf/CS.cfg </param-value> </init-param>
+ <param-value> [PKI_INSTANCE_PATH]/conf/[PKI_SUBSYSTEM_DIR]CS.cfg </param-value> </init-param>
<init-param><param-name> ID </param-name>
<param-value> ocspstart </param-value> </init-param>
<load-on-startup> 1 </load-on-startup>
@@ -469,10 +404,9 @@
<param-value> ee </param-value> </init-param>
</servlet>
- <context-param>
- <param-name>resteasy.scan</param-name>
- <param-value>true</param-value>
- </context-param>
+ <listener>
+ <listener-class> org.jboss.resteasy.plugins.server.servlet.ResteasyBootstrap </listener-class>
+ </listener>
<context-param>
<param-name>resteasy.servlet.mapping.prefix</param-name>
@@ -489,31 +423,12 @@
<servlet>
<servlet-name>Resteasy</servlet-name>
<servlet-class>org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher</servlet-class>
+ <init-param>
+ <param-name>javax.ws.rs.Application</param-name>
+ <param-value>com.netscape.ocsp.OCSPApplication</param-value>
+ </init-param>
</servlet>
-[PKI_OPEN_SEPARATE_PORTS_WEB_COMMENT]
- <filter-mapping>
- <filter-name> AgentRequestFilter </filter-name>
- <url-pattern> /agent/* </url-pattern>
- </filter-mapping>
-
- <filter-mapping>
- <filter-name> AdminRequestFilter </filter-name>
- <url-pattern> /admin/* </url-pattern>
- <url-pattern> /auths </url-pattern>
- <url-pattern> /ug </url-pattern>
- <url-pattern> /log </url-pattern>
- <url-pattern> /acl </url-pattern>
- <url-pattern> /server </url-pattern>
- <url-pattern> /ocsp </url-pattern>
- </filter-mapping>
-
- <filter-mapping>
- <filter-name> EERequestFilter </filter-name>
- <url-pattern> /ee/* </url-pattern>
- </filter-mapping>
-[PKI_CLOSE_SEPARATE_PORTS_WEB_COMMENT]
-
<servlet-mapping>
<servlet-name>Resteasy</servlet-name>
<url-pattern>/pki/*</url-pattern>
diff --git a/base/setup/pkicreate b/base/setup/pkicreate
index bd07eb0b0..6abb73755 100755
--- a/base/setup/pkicreate
+++ b/base/setup/pkicreate
@@ -307,6 +307,7 @@ my $PKI_EE_SECURE_CLIENT_AUTH_PORT_UI_SLOT = "PKI_EE_SECURE_CLIENT_AUTH_PORT_UI"
my $PKI_AGENT_SECURE_PORT_SLOT = "PKI_AGENT_SECURE_PORT";
my $PKI_ADMIN_SECURE_PORT_SLOT = "PKI_ADMIN_SECURE_PORT";
my $PKI_SERVER_XML_CONF = "PKI_SERVER_XML_CONF";
+my $PKI_SUBSYSTEM_DIR_SLOT = "PKI_SUBSYSTEM_DIR";
my $PKI_SUBSYSTEM_TYPE_SLOT = "PKI_SUBSYSTEM_TYPE";
my $PKI_UNSECURE_PORT_SLOT = "PKI_UNSECURE_PORT";
my $PKI_USER_SLOT = "PKI_USER";
@@ -2417,6 +2418,7 @@ sub process_pki_templates
emit("Processing PKI templates for '$pki_instance_path' ...\n");
+ $slot_hash{$PKI_SUBSYSTEM_DIR_SLOT} = "";
$slot_hash{$PKI_SUBSYSTEM_TYPE_SLOT} = $subsystem_type;
$slot_hash{$PKI_INSTANCE_ID_SLOT} = $pki_instance_name;
$slot_hash{$PKI_INSTANCE_ROOT_SLOT} = $pki_instance_root;
diff --git a/base/tks/shared/conf/CS.cfg.in b/base/tks/shared/conf/CS.cfg.in
index 740baf61e..f641e026f 100644
--- a/base/tks/shared/conf/CS.cfg.in
+++ b/base/tks/shared/conf/CS.cfg.in
@@ -91,6 +91,7 @@ preop.module.token=Internal Key Storage Token
cs.state=0
authType=pwd
instanceRoot=[PKI_INSTANCE_PATH]
+configurationRoot=/[PKI_SUBSYSTEM_DIR]conf/
machineName=[PKI_MACHINE_NAME]
instanceId=[PKI_INSTANCE_ID]
preop.pin=[PKI_RANDOM_NUMBER]
@@ -156,7 +157,7 @@ dbs.ldap=internaldb
dbs.newSchemaEntryAdded=true
debug.append=true
debug.enabled=true
-debug.filename=[PKI_INSTANCE_PATH]/logs/debug
+debug.filename=[PKI_INSTANCE_PATH]/logs/[PKI_SUBSYSTEM_DIR]debug
debug.hashkeytypes=
debug.level=0
debug.showcaller=false
@@ -209,7 +210,7 @@ log.instance.SignedAudit.bufferSize=512
log.instance.SignedAudit.enable=true
log.instance.SignedAudit.events=AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,PRIVATE_KEY_ARCHIVE_REQUEST,PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,KEY_RECOVERY_REQUEST,KEY_RECOVERY_REQUEST_ASYNC,KEY_RECOVERY_AGENT_LOGIN,KEY_RECOVERY_REQUEST_PROCESSED,KEY_RECOVERY_REQUEST_PROCESSED_ASYNC,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ_SUCCESS,AUTHZ_FAIL,INTER_BOUNDARY,AUTH_FAIL,AUTH_SUCCESS,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_ADD_CA_REQUEST,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST,OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS,OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION
log.instance.SignedAudit.expirationTime=0
-log.instance.SignedAudit.fileName=[PKI_INSTANCE_PATH]/logs/signedAudit/tks_cert-tks_audit
+log.instance.SignedAudit.fileName=[PKI_INSTANCE_PATH]/logs/[PKI_SUBSYSTEM_DIR]signedAudit/tks_cert-tks_audit
log.instance.SignedAudit.flushInterval=5
log.instance.SignedAudit.level=1
log.instance.SignedAudit.logSigning=false
@@ -227,7 +228,7 @@ log.instance.System._002=##
log.instance.System.bufferSize=512
log.instance.System.enable=true
log.instance.System.expirationTime=0
-log.instance.System.fileName=[PKI_INSTANCE_PATH]/logs/system
+log.instance.System.fileName=[PKI_INSTANCE_PATH]/logs/[PKI_SUBSYSTEM_DIR]system
log.instance.System.flushInterval=5
log.instance.System.level=3
log.instance.System.maxFileSize=2000
@@ -240,15 +241,15 @@ log.instance.Transactions._002=##
log.instance.Transactions.bufferSize=512
log.instance.Transactions.enable=true
log.instance.Transactions.expirationTime=0
-log.instance.Transactions.fileName=[PKI_INSTANCE_PATH]/logs/transactions
+log.instance.Transactions.fileName=[PKI_INSTANCE_PATH]/logs/[PKI_SUBSYSTEM_DIR]transactions
log.instance.Transactions.flushInterval=5
log.instance.Transactions.level=1
log.instance.Transactions.maxFileSize=2000
log.instance.Transactions.pluginName=file
log.instance.Transactions.rolloverInterval=2592000
log.instance.Transactions.type=transaction
-logAudit.fileName=[PKI_INSTANCE_PATH]/logs/access
-logError.fileName=[PKI_INSTANCE_PATH]/logs/error
+logAudit.fileName=[PKI_INSTANCE_PATH]/logs/[PKI_SUBSYSTEM_DIR]access
+logError.fileName=[PKI_INSTANCE_PATH]/logs/[PKI_SUBSYSTEM_DIR]error
oidmap.auth_info_access.class=netscape.security.extensions.AuthInfoAccessExtension
oidmap.auth_info_access.oid=1.3.6.1.5.5.7.1.1
oidmap.challenge_password.class=com.netscape.cms.servlet.cert.scep.ChallengePassword
@@ -285,7 +286,7 @@ selftests.container.logger.bufferSize=512
selftests.container.logger.class=com.netscape.cms.logging.RollingLogFile
selftests.container.logger.enable=true
selftests.container.logger.expirationTime=0
-selftests.container.logger.fileName=[PKI_INSTANCE_PATH]/logs/selftests.log
+selftests.container.logger.fileName=[PKI_INSTANCE_PATH]/logs/[PKI_SUBSYSTEM_DIR]selftests.log
selftests.container.logger.flushInterval=5
selftests.container.logger.level=1
selftests.container.logger.maxFileSize=2000
diff --git a/base/tks/shared/webapps/tks/WEB-INF/web.xml b/base/tks/shared/webapps/tks/WEB-INF/web.xml
index c3f7593c2..20874de45 100644
--- a/base/tks/shared/webapps/tks/WEB-INF/web.xml
+++ b/base/tks/shared/webapps/tks/WEB-INF/web.xml
@@ -7,71 +7,6 @@
PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN" "file:///usr/share/pki/setup/web-app_2_3.dtd">
<web-app>
- <filter>
- <filter-name>AgentRequestFilter</filter-name>
- <filter-class>com.netscape.cms.servlet.filter.AgentRequestFilter</filter-class>
- <init-param>
- <param-name>https_port</param-name>
- <param-value>[PKI_AGENT_SECURE_PORT]</param-value>
- </init-param>
-[PKI_OPEN_ENABLE_PROXY_COMMENT]
- <init-param>
- <param-name>proxy_port</param-name>
- <param-value>[PKI_PROXY_SECURE_PORT]</param-value>
- </init-param>
-[PKI_CLOSE_ENABLE_PROXY_COMMENT]
- <init-param>
- <param-name>active</param-name>
- <param-value>true</param-value>
- </init-param>
- </filter>
-
- <filter>
- <filter-name>AdminRequestFilter</filter-name>
- <filter-class>com.netscape.cms.servlet.filter.AdminRequestFilter</filter-class>
- <init-param>
- <param-name>https_port</param-name>
- <param-value>[PKI_ADMIN_SECURE_PORT]</param-value>
- </init-param>
-[PKI_OPEN_ENABLE_PROXY_COMMENT]
- <init-param>
- <param-name>proxy_port</param-name>
- <param-value>[PKI_PROXY_SECURE_PORT]</param-value>
- </init-param>
-[PKI_CLOSE_ENABLE_PROXY_COMMENT]
- <init-param>
- <param-name>active</param-name>
- <param-value>true</param-value>
- </init-param>
- </filter>
-
- <filter>
- <filter-name>EERequestFilter</filter-name>
- <filter-class>com.netscape.cms.servlet.filter.EERequestFilter</filter-class>
- <init-param>
- <param-name>http_port</param-name>
- <param-value>[PKI_UNSECURE_PORT]</param-value>
- </init-param>
- <init-param>
- <param-name>https_port</param-name>
- <param-value>[PKI_EE_SECURE_PORT]</param-value>
- </init-param>
-[PKI_OPEN_ENABLE_PROXY_COMMENT]
- <init-param>
- <param-name>proxy_port</param-name>
- <param-value>[PKI_PROXY_SECURE_PORT]</param-value>
- </init-param>
- <init-param>
- <param-name>proxy_http_port</param-name>
- <param-value>[PKI_PROXY_UNSECURE_PORT]</param-value>
- </init-param>
-[PKI_CLOSE_ENABLE_PROXY_COMMENT]
- <init-param>
- <param-name>active</param-name>
- <param-value>true</param-value>
- </init-param>
- </filter>
-
<servlet>
<servlet-name>csadmin-wizard</servlet-name>
<servlet-class>com.netscape.cms.servlet.wizard.WizardServlet</servlet-class>
@@ -104,7 +39,7 @@
<init-param><param-name> AuthzMgr </param-name>
<param-value> BasicAclAuthz </param-value> </init-param>
<init-param><param-name> cfgPath </param-name>
- <param-value> [PKI_INSTANCE_PATH]/conf/CS.cfg </param-value> </init-param>
+ <param-value> [PKI_INSTANCE_PATH]/conf/[PKI_SUBSYSTEM_DIR]CS.cfg </param-value> </init-param>
<init-param><param-name> ID </param-name>
<param-value> tksstart </param-value> </init-param>
<load-on-startup> 1 </load-on-startup>
@@ -338,10 +273,9 @@
<param-value> ee </param-value> </init-param>
</servlet>
- <context-param>
- <param-name>resteasy.scan</param-name>
- <param-value>true</param-value>
- </context-param>
+ <listener>
+ <listener-class> org.jboss.resteasy.plugins.server.servlet.ResteasyBootstrap </listener-class>
+ </listener>
<context-param>
<param-name>resteasy.servlet.mapping.prefix</param-name>
@@ -358,30 +292,12 @@
<servlet>
<servlet-name>Resteasy</servlet-name>
<servlet-class>org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher</servlet-class>
+ <init-param>
+ <param-name>javax.ws.rs.Application</param-name>
+ <param-value>com.netscape.tks.TKSApplication</param-value>
+ </init-param>
</servlet>
-[PKI_OPEN_SEPARATE_PORTS_WEB_COMMENT]
- <filter-mapping>
- <filter-name> AgentRequestFilter </filter-name>
- <url-pattern> /agent/* </url-pattern>
- </filter-mapping>
-
- <filter-mapping>
- <filter-name> AdminRequestFilter </filter-name>
- <url-pattern> /admin/* </url-pattern>
- <url-pattern> /auths </url-pattern>
- <url-pattern> /ug </url-pattern>
- <url-pattern> /log </url-pattern>
- <url-pattern> /acl </url-pattern>
- <url-pattern> /server </url-pattern>
- </filter-mapping>
-
- <filter-mapping>
- <filter-name> EERequestFilter </filter-name>
- <url-pattern> /ee/* </url-pattern>
- </filter-mapping>
-[PKI_CLOSE_SEPARATE_PORTS_WEB_COMMENT]
-
<servlet-mapping>
<servlet-name>Resteasy</servlet-name>
<url-pattern>/pki/*</url-pattern>