Diffstat (limited to 'pki/base/ca')
117 files changed, 22017 insertions, 0 deletions
diff --git a/pki/base/ca/LICENSE b/pki/base/ca/LICENSE
new file mode 100644
index 000000000..e36f2269a
--- /dev/null
+++ b/pki/base/ca/LICENSE
@@ -0,0 +1,311 @@
+This Program is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published
+by the Free Software Foundation; version 2 of the License.
+
+This Program is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+for more details.
+
+You should have received a copy of the GNU General Public License
+along with this Program; if not, write to the Free Software
+Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA.
+
+In addition, as a special exception, Red Hat, Inc. gives You the additional
+right to link the code of this Program with code not covered under the GNU
+General Public License ("Non-GPL Code") and to distribute linked combinations
+including the two, subject to the limitations in this paragraph. Non-GPL
+Code permitted under this exception must only link to the code of this
+Program through those well defined interfaces identified in the file named
+EXCEPTION found in the source code files (the "Approved Interfaces").
+
+The files of Non-GPL Code may instantiate templates or use macros or inline
+functions from the Approved Interfaces without causing the resulting work to
+be covered by the GNU General Public License. Only Red Hat, Inc. may make
+changes or additions to the list of Approved Interfaces. You must obey the
+GNU General Public License in all respects for all of the Program code and
+other code used in conjunction with the Program except the Non-GPL Code
+covered by this exception. If you modify this file, you may extend this
+exception to your version of the file, but you are not obligated to do so.
+If you do not wish to provide this exception without modification, you must
+delete this exception statement from your version and license this file
+solely under the GPL without exception.
+
+ GNU GENERAL PUBLIC LICENSE
+ Version 2, June 1991
+
+ Copyright (C) 1989, 1991 Free Software Foundation, Inc.,
+ 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
+ Everyone is permitted to copy and distribute verbatim copies
+ of this license document, but changing it is not allowed.
+
+ Preamble
+
+ The licenses for most software are designed to take away your
+freedom to share and change it. By contrast, the GNU General Public
+License is intended to guarantee your freedom to share and change free
+software--to make sure the software is free for all its users. This
+General Public License applies to most of the Free Software
+Foundation's software and to any other program whose authors commit to
+using it. (Some other Free Software Foundation software is covered by
+the GNU Lesser General Public License instead.) You can apply it to
+your programs, too.
+
+ When we speak of free software, we are referring to freedom, not
+price. Our General Public Licenses are designed to make sure that you
+have the freedom to distribute copies of free software (and charge for
+this service if you wish), that you receive source code or can get it
+if you want it, that you can change the software or use pieces of it
+in new free programs; and that you know you can do these things.
+
+ To protect your rights, we need to make restrictions that forbid
+anyone to deny you these rights or to ask you to surrender the rights.
+These restrictions translate to certain responsibilities for you if you
+distribute copies of the software, or if you modify it.
+
+ For example, if you distribute copies of such a program, whether
+gratis or for a fee, you must give the recipients all the rights that
+you have. You must make sure that they, too, receive or can get the
+source code. And you must show them these terms so they know their
+rights.
+
+ We protect your rights with two steps: (1) copyright the software, and
+(2) offer you this license which gives you legal permission to copy,
+distribute and/or modify the software.
+
+ Also, for each author's protection and ours, we want to make certain
+that everyone understands that there is no warranty for this free
+software. If the software is modified by someone else and passed on, we
+want its recipients to know that what they have is not the original, so
+that any problems introduced by others will not reflect on the original
+authors' reputations.
+
+ Finally, any free program is threatened constantly by software
+patents. We wish to avoid the danger that redistributors of a free
+program will individually obtain patent licenses, in effect making the
+program proprietary. To prevent this, we have made it clear that any
+patent must be licensed for everyone's free use or not licensed at all.
+
+ The precise terms and conditions for copying, distribution and
+modification follow.
+
+ GNU GENERAL PUBLIC LICENSE
+ TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
+
+ 0. This License applies to any program or other work which contains
+a notice placed by the copyright holder saying it may be distributed
+under the terms of this General Public License. The "Program", below,
+refers to any such program or work, and a "work based on the Program"
+means either the Program or any derivative work under copyright law:
+that is to say, a work containing the Program or a portion of it,
+either verbatim or with modifications and/or translated into another
+language. (Hereinafter, translation is included without limitation in
+the term "modification".) Each licensee is addressed as "you".
+
+Activities other than copying, distribution and modification are not
+covered by this License; they are outside its scope. The act of
+running the Program is not restricted, and the output from the Program
+is covered only if its contents constitute a work based on the
+Program (independent of having been made by running the Program).
+Whether that is true depends on what the Program does.
+
+ 1. You may copy and distribute verbatim copies of the Program's
+source code as you receive it, in any medium, provided that you
+conspicuously and appropriately publish on each copy an appropriate
+copyright notice and disclaimer of warranty; keep intact all the
+notices that refer to this License and to the absence of any warranty;
+and give any other recipients of the Program a copy of this License
+along with the Program.
+
+You may charge a fee for the physical act of transferring a copy, and
+you may at your option offer warranty protection in exchange for a fee.
+
+ 2. You may modify your copy or copies of the Program or any portion
+of it, thus forming a work based on the Program, and copy and
+distribute such modifications or work under the terms of Section 1
+above, provided that you also meet all of these conditions:
+
+ a) You must cause the modified files to carry prominent notices
+ stating that you changed the files and the date of any change.
+
+ b) You must cause any work that you distribute or publish, that in
+ whole or in part contains or is derived from the Program or any
+ part thereof, to be licensed as a whole at no charge to all third
+ parties under the terms of this License.
+
+ c) If the modified program normally reads commands interactively
+ when run, you must cause it, when started running for such
+ interactive use in the most ordinary way, to print or display an
+ announcement including an appropriate copyright notice and a
+ notice that there is no warranty (or else, saying that you provide
+ a warranty) and that users may redistribute the program under
+ these conditions, and telling the user how to view a copy of this
+ License. (Exception: if the Program itself is interactive but
+ does not normally print such an announcement, your work based on
+ the Program is not required to print an announcement.)
+
+These requirements apply to the modified work as a whole. If
+identifiable sections of that work are not derived from the Program,
+and can be reasonably considered independent and separate works in
+themselves, then this License, and its terms, do not apply to those
+sections when you distribute them as separate works. But when you
+distribute the same sections as part of a whole which is a work based
+on the Program, the distribution of the whole must be on the terms of
+this License, whose permissions for other licensees extend to the
+entire whole, and thus to each and every part regardless of who wrote it.
+
+Thus, it is not the intent of this section to claim rights or contest
+your rights to work written entirely by you; rather, the intent is to
+exercise the right to control the distribution of derivative or
+collective works based on the Program.
+
+In addition, mere aggregation of another work not based on the Program
+with the Program (or with a work based on the Program) on a volume of
+a storage or distribution medium does not bring the other work under
+the scope of this License.
+
+ 3. You may copy and distribute the Program (or a work based on it,
+under Section 2) in object code or executable form under the terms of
+Sections 1 and 2 above provided that you also do one of the following:
+
+ a) Accompany it with the complete corresponding machine-readable
+ source code, which must be distributed under the terms of Sections
+ 1 and 2 above on a medium customarily used for software interchange; or,
+
+ b) Accompany it with a written offer, valid for at least three
+ years, to give any third party, for a charge no more than your
+ cost of physically performing source distribution, a complete
+ machine-readable copy of the corresponding source code, to be
+ distributed under the terms of Sections 1 and 2 above on a medium
+ customarily used for software interchange; or,
+
+ c) Accompany it with the information you received as to the offer
+ to distribute corresponding source code. (This alternative is
+ allowed only for noncommercial distribution and only if you
+ received the program in object code or executable form with such
+ an offer, in accord with Subsection b above.)
+
+The source code for a work means the preferred form of the work for
+making modifications to it. For an executable work, complete source
+code means all the source code for all modules it contains, plus any
+associated interface definition files, plus the scripts used to
+control compilation and installation of the executable. However, as a
+special exception, the source code distributed need not include
+anything that is normally distributed (in either source or binary
+form) with the major components (compiler, kernel, and so on) of the
+operating system on which the executable runs, unless that component
+itself accompanies the executable.
+
+If distribution of executable or object code is made by offering
+access to copy from a designated place, then offering equivalent
+access to copy the source code from the same place counts as
+distribution of the source code, even though third parties are not
+compelled to copy the source along with the object code.
+
+ 4. You may not copy, modify, sublicense, or distribute the Program
+except as expressly provided under this License. Any attempt
+otherwise to copy, modify, sublicense or distribute the Program is
+void, and will automatically terminate your rights under this License.
+However, parties who have received copies, or rights, from you under
+this License will not have their licenses terminated so long as such
+parties remain in full compliance.
+
+ 5. You are not required to accept this License, since you have not
+signed it. However, nothing else grants you permission to modify or
+distribute the Program or its derivative works. These actions are
+prohibited by law if you do not accept this License. Therefore, by
+modifying or distributing the Program (or any work based on the
+Program), you indicate your acceptance of this License to do so, and
+all its terms and conditions for copying, distributing or modifying
+the Program or works based on it.
+
+ 6. Each time you redistribute the Program (or any work based on the
+Program), the recipient automatically receives a license from the
+original licensor to copy, distribute or modify the Program subject to
+these terms and conditions. You may not impose any further
+restrictions on the recipients' exercise of the rights granted herein.
+You are not responsible for enforcing compliance by third parties to
+this License.
+
+ 7. If, as a consequence of a court judgment or allegation of patent
+infringement or for any other reason (not limited to patent issues),
+conditions are imposed on you (whether by court order, agreement or
+otherwise) that contradict the conditions of this License, they do not
+excuse you from the conditions of this License. If you cannot
+distribute so as to satisfy simultaneously your obligations under this
+License and any other pertinent obligations, then as a consequence you
+may not distribute the Program at all. For example, if a patent
+license would not permit royalty-free redistribution of the Program by
+all those who receive copies directly or indirectly through you, then
+the only way you could satisfy both it and this License would be to
+refrain entirely from distribution of the Program.
+
+If any portion of this section is held invalid or unenforceable under
+any particular circumstance, the balance of the section is intended to
+apply and the section as a whole is intended to apply in other
+circumstances.
+
+It is not the purpose of this section to induce you to infringe any
+patents or other property right claims or to contest validity of any
+such claims; this section has the sole purpose of protecting the
+integrity of the free software distribution system, which is
+implemented by public license practices. Many people have made
+generous contributions to the wide range of software distributed
+through that system in reliance on consistent application of that
+system; it is up to the author/donor to decide if he or she is willing
+to distribute software through any other system and a licensee cannot
+impose that choice.
+
+This section is intended to make thoroughly clear what is believed to
+be a consequence of the rest of this License.
+
+ 8. If the distribution and/or use of the Program is restricted in
+certain countries either by patents or by copyrighted interfaces, the
+original copyright holder who places the Program under this License
+may add an explicit geographical distribution limitation excluding
+those countries, so that distribution is permitted only in or among
+countries not thus excluded. In such case, this License incorporates
+the limitation as if written in the body of this License.
+
+ 9. The Free Software Foundation may publish revised and/or new versions
+of the General Public License from time to time. Such new versions will
+be similar in spirit to the present version, but may differ in detail to
+address new problems or concerns.
+
+Each version is given a distinguishing version number. If the Program
+specifies a version number of this License which applies to it and "any
+later version", you have the option of following the terms and conditions
+either of that version or of any later version published by the Free
+Software Foundation. If the Program does not specify a version number of
+this License, you may choose any version ever published by the Free Software
+Foundation.
+
+ 10. If you wish to incorporate parts of the Program into other free
+programs whose distribution conditions are different, write to the author
+to ask for permission. For software which is copyrighted by the Free
+Software Foundation, write to the Free Software Foundation; we sometimes
+make exceptions for this. Our decision will be guided by the two goals
+of preserving the free status of all derivatives of our free software and
+of promoting the sharing and reuse of software generally.
+
+ NO WARRANTY
+
+ 11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY
+FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN
+OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES
+PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED
+OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS
+TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE
+PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING,
+REPAIR OR CORRECTION.
+
+ 12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
+WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR
+REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES,
+INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING
+OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED
+TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY
+YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER
+PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE
+POSSIBILITY OF SUCH DAMAGES.
diff --git a/pki/base/ca/build.xml b/pki/base/ca/build.xml
new file mode 100644
index 000000000..c9e0daf7f
--- /dev/null
+++ b/pki/base/ca/build.xml
@@ -0,0 +1,343 @@
+<!-- ### BEGIN COPYRIGHT BLOCK ###
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; version 2 of the License.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License along
+ with this program; if not, write to the Free Software Foundation, Inc.,
+ 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+
+ Copyright (C) 2007 Red Hat, Inc.
+ All rights reserved.
+ ### END COPYRIGHT BLOCK ### -->
+<project name="ca" default="main" basedir=".">
+
+ <import file="config/product.xml"/>
+ <import file="config/product-ext.xml" optional="true"/>
+
+ <property name="jss.home" value="${jni-jar.home}${dirsec}"/>
+ <property name="jss.jar" value="${jss.home}/jss4.jar"/>
+ <property name="osutil.jar" value="${jni-jar.home}/osutil.jar"/>
+ <property name="symkey.jar" value="${jni-jar.home}/symkey.jar"/>
+ <property name="ldapjdk.jar" value="${jar.home}/ldapjdk.jar"/>
+ <property name="servlet.jar" value="${jar.home}/servlet.jar"/>
+ <property name="velocity.jar" value="${jar.home}/velocity.jar"/>
+ <property name="certsrv.jar" value="${pki-jar.home}/certsrv.jar"/>
+ <property name="cms.jar" value="${pki-jar.home}/cms.jar"/>
+ <property name="cmscore.jar" value="${pki-jar.home}/cmscore.jar"/>
+ <property name="cmsutil.jar" value="${pki-jar.home}/cmsutil.jar"/>
+ <property name="nsutil.jar" value="${pki-jar.home}/nsutil.jar"/>
+
+ <path id="classpath">
+ <pathelement location="${servlet.jar}"/>
+ <pathelement location="${jss.jar}"/>
+ <pathelement location="${ldapjdk.jar}"/>
+ <pathelement location="${nsutil.jar}"/>
+ <pathelement location="${cmsutil.jar}"/>
+ <pathelement location="${osutil.jar}"/>
+ <pathelement location="${symkey.jar}"/>
+ <pathelement location="${velocity.jar}"/>
+ <pathelement location="${cms.jar}"/>
+ <pathelement location="${certsrv.jar}"/>
+ <pathelement location="${cmscore.jar}"/>
+ </path>
+
+ <!-- Set up component-specific properties -->
+ <exec executable="perl"
+ failonerror="true"
+ outputproperty="config.desktop.version">
+ <arg value="-pi -e"/>
+ <arg value="s/Version=.*/Version=${version}/"/>
+ <arg value="setup/config.desktop"/>
+ </exec>
+
+
+ <target name="clean"
+ depends=""
+ description="--> remove component directories">
+ <echo message="${begin.clean.log.message}"/>
+ <delete dir="${dist.base}"/>
+ <delete dir="${build.dir}"/>
+ <echo message="${end.clean.log.message}"/>
+ </target>
+
+
+ <target name="download"
+ depends=""
+ description="--> download dependent components">
+ <echo message="${begin.download.log.message}"/>
+ <echo message="${empty.download.log.message}"/>
+ <echo message="${end.download.log.message}"/>
+ </target>
+
+
+ <target name="compile_java"
+ depends=""
+ description="--> compile java source code into classes">
+ <echo message="${begin.compile.java.log.message}"/>
+ <mkdir dir="${build.classes}"/>
+ <javac debug="on"
+ srcdir="${src.dir}/com/netscape/${product}"
+ destdir="${build.classes}">
+ <classpath refid="classpath"/>
+ </javac>
+ <echo message="${end.compile.java.log.message}"/>
+ </target>
+
+
+ <target name="build_jars"
+ depends="compile_java"
+ description="--> generate jar files">
+ <echo message="${begin.build.jars.log.message}"/>
+ <mkdir dir="${build.jars}"/>
+ <jar jarfile="${build.jars}/${product}.jar">
+ <fileset dir="${build.classes}">
+ <include name="com/netscape/${product}/**"/>
+ </fileset>
+ </jar>
+ <echo message="${end.build.jars.log.message}"/>
+ </target>
+
+
+ <target name="build_jni_headers"
+ depends="compile_java"
+ description="--> generate jni header files">
+ <echo message="${begin.build.jni.headers.log.message}"/>
+ <echo message="${empty.build.jni.headers.log.message}"/>
+ <echo message="${end.build.jni.headers.log.message}"/>
+ </target>
+
+
+ <target name="build"
+ depends="build_jars,build_jni_headers"
+ description="--> build classes, jars, and jni headers">
+ <echo message="${notify.build.log.message}"/>
+ </target>
+
+
+ <target name="compile_junit_tests"
+ depends="build"
+ description="--> compile junit test source code">
+ <echo message="${begin.compile.junit.tests.log.message}"/>
+ <echo message="${empty.compile.junit.tests.log.message}"/>
+ <echo message="${end.compile.junit.tests.log.message}"/>
+ </target>
+
+
+ <target name="run_junit_tests"
+ depends="compile_junit_tests"
+ description="--> execute junit tests">
+ <echo message="${begin.run.junit.tests.log.message}"/>
+ <echo message="${empty.run.junit.tests.log.message}"/>
+ <echo message="${end.run.junit.tests.log.message}"/>
+ </target>
+
+
+ <target name="verify"
+ depends="run_junit_tests"
+ description="--> build and execute junit tests">
+ <echo message="${notify.verify.log.message}"/>
+ </target>
+
+
+ <target name="clean_javadocs"
+ depends=""
+ description="--> remove javadocs directory">
+ <echo message="${begin.clean.javadocs.log.message}"/>
+ <echo message="${empty.clean.javadocs.log.message}"/>
+ <echo message="${end.clean.javadocs.log.message}"/>
+ </target>
+
+
+ <target name="compose_javadocs"
+ depends="build"
+ description="--> generate javadocs">
+ <echo message="${begin.compose.javadocs.log.message}"/>
+ <echo message="${empty.compose.javadocs.log.message}"/>
+ <echo message="${end.compose.javadocs.log.message}"/>
+ </target>
+
+
+ <target name="document"
+ depends="clean_javadocs,compose_javadocs"
+ description="--> remove old javadocs and compose new javadocs">
+ <echo message="${notify.document.log.message}"/>
+ </target>
+
+
+ <target name="distribute_binaries"
+ depends="document"
+ description="--> create the zip and gzipped tar binary distributions">
+ <echo message="${begin.distribute.binaries.log.message}"/>
+ <mkdir dir="${dist.base.binaries}"/>
+
+ <echo message="${begin.binary.wrappers.log.message}"/>
+ <echo message="${empty.binary.wrappers.log.message}"/>
+ <echo message="${end.binary.wrappers.log.message}"/>
+
+ <echo message="${begin.binary.zip.log.message}"/>
+ <zip destfile="${dist.base.binaries}/${dist.name}.zip">
+ <zipfileset dir="./build/jars"
+ filemode="755"
+ prefix="usr/share/java/${product.prefix}/${product}">
+ <include name="**"/>
+ </zipfileset>
+ <zipfileset dir="./setup"
+ filemode="755"
+ prefix="usr/share/${product.prefix}/${product}/setup">
+ <include name="**"/>
+ </zipfileset>
+ <zipfileset dir="./shared"
+ filemode="755"
+ prefix="usr/share/${product.prefix}/${product}">
+ <include name="**"/>
+ </zipfileset>
+ <zipfileset dir="."
+ filemode="755"
+ prefix="usr/share/doc/${dist.name}">
+ <include name="LICENSE"/>
+ </zipfileset>
+ </zip>
+ <echo message="${end.binary.zip.log.message}"/>
+
+ <echo message="${begin.binary.tar.log.message}"/>
+ <tar longfile="gnu"
+ destfile="${dist.base.binaries}/${dist.name}.tar">
+ <tarfileset dir="./build/jars"
+ mode="755"
+ prefix="${dist.name}/usr/share/java/${product.prefix}/${product}">
+ <include name="**"/>
+ </tarfileset>
+ <tarfileset dir="./setup"
+ mode="755"
+ prefix="${dist.name}/usr/share/${product.prefix}/${product}/setup">
+ <include name="**"/>
+ </tarfileset>
+ <tarfileset dir="./shared"
+ mode="755"
+ prefix="${dist.name}/usr/share/${product.prefix}/${product}">
+ <include name="**"/>
+ </tarfileset>
+ <tarfileset dir="."
+ mode="755"
+ prefix="${dist.name}/usr/share/doc/${dist.name}">
+ <include name="LICENSE"/>
+ </tarfileset>
+ </tar>
+ <echo message="${end.binary.tar.log.message}"/>
+
+ <echo message="${begin.binary.gtar.log.message}"/>
+ <gzip destfile="${dist.base.binaries}/${dist.name}.tar.gz"
+ src="${dist.base.binaries}/${dist.name}.tar"/>
+ <delete file="${dist.base.binaries}/${dist.name}.tar"/>
+ <delete dir="${dist.name}"/>
+ <checksum fileext=".md5">
+ <fileset dir="${dist.base.binaries}/">
+ <include name="**/*"/>
+ <exclude name="**/*.asc"/>
+ <exclude name="**/*.md5"/>
+ </fileset>
+ </checksum>
+ <checksum fileext=".sha1"
+ algorithm="SHA">
+ <fileset dir="${dist.base.binaries}/">
+ <include name="**/*"/>
+ <exclude name="**/*.asc"/>
+ <exclude name="**/*.md5"/>
+ </fileset>
+ </checksum>
+ <echo message="${end.binary.gtar.log.message}"/>
+
+ <echo message="${end.distribute.binaries.log.message}"/>
+ </target>
+
+
+ <target name="distribute_source"
+ depends=""
+ description="--> create the zip and gzipped tar source distributions">
+ <echo message="${begin.distribute.source.log.message}"/>
+ <mkdir dir="${dist.base.source}"/>
+
+ <echo message="${begin.source.zip.log.message}"/>
+ <zip destfile="${dist.base.source}/${src.dist.name}.zip">
+ <zipfileset dir="."
+ filemode="755"
+ prefix="${src.dist.name}">
+ <include name="${specfile}"/>
+ <include name="LICENSE"/>
+ <include name="build.xml"/>
+ <include name="config/product*.xml"/>
+ <include name="config/release*.xml"/>
+ <include name="release"/>
+ <include name="setup/**"/>
+ <include name="shared/**"/>
+ <include name="src/**"/>
+ </zipfileset>
+ </zip>
+ <echo message="${end.source.zip.log.message}"/>
+
+ <echo message="${begin.source.tar.log.message}"/>
+ <tar longfile="gnu"
+ destfile="${dist.base.source}/${src.dist.name}.tar">
+ <tarfileset dir="."
+ mode="755"
+ prefix="${src.dist.name}">
+ <include name="${specfile}"/>
+ <include name="LICENSE"/>
+ <include name="build.xml"/>
+ <include name="config/product*.xml"/>
+ <include name="config/release*.xml"/>
+ <include name="release"/>
+ <include name="setup/**"/>
+ <include name="shared/**"/>
+ <include name="src/**"/>
+ </tarfileset>
+ </tar>
+ <echo message="${end.source.tar.log.message}"/>
+
+ <echo message="${begin.source.gtar.log.message}"/>
+ <gzip destfile="${dist.base.source}/${src.dist.name}.tar.gz"
+ src="${dist.base.source}/${src.dist.name}.tar"/>
+ <delete file="${dist.base.source}/${src.dist.name}.tar"/>
+ <delete dir="${dist.name}"/>
+ <checksum fileext=".md5">
+ <fileset dir="${dist.base.source}/">
+ <include name="**/*"/>
+ <exclude name="**/*.asc"/>
+ <exclude name="**/*.md5"/>
+ </fileset>
+ </checksum>
+ <checksum fileext=".sha1"
+ algorithm="SHA">
+ <fileset dir="${dist.base.source}/">
+ <include name="**/*"/>
+ <exclude name="**/*.asc"/>
+ <exclude name="**/*.md5"/>
+ </fileset>
+ </checksum>
+ <echo message="${end.source.gtar.log.message}"/>
+
+ <echo message="${end.distribute.source.log.message}"/>
+ </target>
+
+
+ <target name="distribute"
+ depends="distribute_binaries,distribute_source"
+ description="--> create binary and source component distributions">
+ <echo message="${notify.distribute.log.message}"/>
+ </target>
+
+
+ <target name="main"
+ depends="clean,distribute"
+ description="--> clean, build, verify, document, distribute [default]">
+ <echo message="${notify.main.log.message}"/>
+ </target>
+
+</project>
+
diff --git a/pki/base/ca/config/product.xml b/pki/base/ca/config/product.xml
new file mode 100644
index 000000000..33caf48ed
--- /dev/null
+++ b/pki/base/ca/config/product.xml
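Review bot: The top-level `<exec executable="perl">` that rewrites `setup/config.desktop` in place sits outside any target, so it runs on every Ant invocation (including `clean`) and edits a tracked source file as a side effect of merely loading the build; `version` is not defined in build.xml itself, and if it is unset Ant passes the text unexpanded, leaving `Version=${version}` in the file. Guard it with `<fail unless="version" message="The 'version' property must be set"/>` and move the exec into a target that `build` depends on, so the edit only happens on a real build. Passing `-pi -e` as one `<arg>` also appears to rely on perl accepting a space-separated option cluster inside a single argument; `<arg value="-p"/>`, `<arg value="-i"/>`, `<arg value="-e"/>` is the unambiguous spelling. Separately, both distribute targets publish only MD5 and `algorithm="SHA"` (SHA-1) digests for the artifacts; a `<checksum fileext=".sha256" algorithm="SHA-256">` pass would give consumers a digest that is fit for integrity checking, and the md5 fileset should also exclude `**/*.sha1` (and any new `.sha256`) so a re-run does not digest the digest files.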
@@ -0,0 +1,305 @@
+<!-- ### BEGIN COPYRIGHT BLOCK ###
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; version 2 of the License.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License along
+ with this program; if not, write to the Free Software Foundation, Inc.,
+ 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+
+ Copyright (C) 2007 Red Hat, Inc.
+ All rights reserved.
+ ### END COPYRIGHT BLOCK ### -->
+<project name="product.xml" default="main" basedir=".">
+
+ <!-- Set up properties based upon the user's default Ant configuration -->
+ <property file=".ant.properties"/>
+ <property file="${user.home}/.ant.properties"/>
+ <property environment="env"/>
+
+
+ <!-- Check for required properties passed-in via the build scripts -->
+ <fail message="The '-Dspecfile=SPECFILE' property MUST always be specified!" 
+ unless="specfile"/>
+
+
+ <!-- Set up optional properties passed-in via the build scripts -->
+ <property name="basedir" value=""/>
+ <property name="dirsec" value=""/>
+ <property name="target" value=""/>
+
+
+ <!-- Set up properties obtained from the spec file -->
+ <exec executable="perl"
+ failonerror="true"
+ outputproperty="Name">
+ <arg value="-ne"/>
+ <arg value="print $1 if /%define base_product\s+(.*)/"/>
+ <arg value="${specfile}"/>
+ </exec>
+
+ <exec executable="perl"
+ failonerror="true"
+ outputproperty="spec.product.ui.prefix">
+ <arg value="-ne"/>
+ <arg value="print $1 if /%define base_ui_prefix\s+(\S+)/"/>
+ <arg value="${specfile}"/>
+ </exec>
+
+ <exec executable="perl"
+ failonerror="true"
+ outputproperty="product.prefix">
+ <arg value="-ne"/>
+ <arg value="print $1 if /%define base_prefix\s+(\S+)/"/>
+ <arg value="${specfile}"/>
+ </exec>
+
+ <exec executable="perl"
+ failonerror="true"
+ outputproperty="product">
+ <arg value="-ne"/>
+ <arg value="print $1 if /%define base_component\s+(\S+)/"/>
+ <arg value="${specfile}"/>
+ </exec>
+
+ <!-- if "spec.product.ui.prefix" is "" or "linux", -->
+ <!-- set "product.ui.prefix" to ""; otherwise -->
+ <!-- set "product.ui.prefix" to "spec.product.ui.prefix" -->
+ <condition property="product.ui.prefix"
+ value=""
+ else="${spec.product.ui.prefix}">
+ <or>
+ <equals arg1="${spec.product.ui.prefix}"
+ arg2=""/>
+ <equals arg1="${spec.product.ui.prefix}"
+ arg2="linux"/>
+ </or>
+ </condition>
+
+ <!-- "product.name" is of the form "x-y-z" -->
+ <condition property="product.name"
+ value="${product.ui.prefix}-${product.prefix}-${product}">
+ <not>
+ <equals arg1="${product.ui.prefix}"
+ arg2=""/>
+ </not>
+ </condition>
+
+ <!-- "product.name" is of the form "x-y" -->
+ <condition property="product.name"
+ value="${product.prefix}-${product}">
+ <and>
+ <equals arg1="${product.ui.prefix}"
+ arg2=""/>
+ <not>
+ <equals arg1="${product.prefix}"
+ arg2=""/>
+ </not>
+ </and>
+ </condition>
+
+ <!-- 
"product.name" is of the form "x" -->
+ <condition property="product.name"
+ value="${product}">
+ <and>
+ <equals arg1="${product.ui.prefix}"
+ arg2=""/>
+ <equals arg1="${product.prefix}"
+ arg2=""/>
+ </and>
+ </condition>
+
+ <exec executable="perl"
+ failonerror="true"
+ outputproperty="version">
+ <arg value="-ne"/>
+ <arg value="print $1 if /%define base_version\s+(\S+)/"/>
+ <arg value="${specfile}"/>
+ </exec>
+
+
+ <!-- Set up architecture-dependent properties -->
+ <exec executable="uname"
+ failonerror="true"
+ outputproperty="arch">
+ <arg line="-i"/>
+ </exec>
+
+ <!-- Set up architecture-independent properties -->
+ <property name="jar.home" value="/usr/share/java"/>
+ <property name="pki-jar.home" value="${jar.home}/${product.prefix}"/>
+ <property name="jni-jar.home" value="/usr/lib/java"/>
+
+ <!-- Set up properties that control various build options -->
+ <property name="debug" value="true"/>
+ <property name="chmod.fail" value="true"/>
+ <property name="chmod.maxparallel" value="250"/>
+ <property name="deprecation" value="false"/>
+ <property name="optimize" value="true"/>
+
+
+ <!-- Set up properties related to the source tree -->
+ <property name="docs.dir" value="docs"/>
+ <property name="lib.dir" value="lib"/>
+ <property name="src.dir" value="src"/>
+ <property name="test.dir" value="test"/>
+ <property name="etc.dir" value="${src.dir}/etc"/>
+ <property name="script.dir" value="${src.dir}/script"/>
+
+
+ <!-- Set up properties for the release area -->
+ <property name="release.root" value="."/>
+
+
+ <!-- Set up properties for the build area -->
+ <property name="build.dir" value="build"/>
+ <property name="bootstrap.dir" value="bootstrap"/>
+ <property name="build.jars" value="${build.dir}/jars"/>
+ <property name="build.classes" value="${build.dir}/classes"/>
+ <property name="build.lib" value="${build.dir}/lib"/>
+ <property name="build.javadocs" value="${build.dir}/javadocs"/>
+ <property name="build.tests" 
value="${build.dir}/testcases"/>
+ <property name="build.tests.javadocs" value="${build.dir}/javadocs.test/"/>
+ <property name="manifest.tmp" value="${build.dir}/optional.manifest"/>
+
+
+ <!-- Set up properties for the distribution area -->
+ <property name="dist.name" value="${product.name}-${version}"/>
+ <property name="dist.base" value="dist"/>
+ <property name="dist.base.source" value="${dist.base}/source"/>
+ <property name="dist.base.binaries" value="${dist.base}/binary"/>
+ <property name="dist.dir" value="dist"/>
+ <property name="dist.bin" value="${dist.dir}/bin"/>
+ <property name="dist.lib" value="${dist.dir}/lib"/>
+ <property name="dist.docs" value="${dist.dir}/docs"/>
+ <property name="dist.etc" value="${dist.dir}/etc"/>
+ <property name="src.dist.name" value="${product.name}-${version}"/>
+ <property name="src.dist.dir" value="dist-src"/>
+ <property name="src.dist.src" value="${src.dist.dir}/src"/>
+ <property name="src.dist.docs" value="${src.dist.dir}/docs"/>
+ <property name="src.dist.lib" value="${src.dist.dir}/lib"/>
+
+
+ <!-- Set up properties for log messages -->
+ <property name="begin.clean.log.message"
+ value="Removing '${product.name}' component directories ..."/>
+ <property name="empty.clean.log.message"
+ value="Nothing to do!"/>
+ <property name="end.clean.log.message"
+ value="Completed removing '${product.name}' component directories."/>
+ <property name="begin.download.log.message"
+ value="Downloading '${product.name}' dependent components ..."/>
+ <property name="empty.download.log.message"
+ value="Nothing to do!"/>
+ <property name="end.download.log.message"
+ value="Completed downloading '${product.name}' dependent components."/>
+ <property name="begin.compile.java.log.message"
+ value="Compiling '${product.name}' java code from '${src.dir}' into '${build.classes}' ..."/>
+ <property name="empty.compile.java.log.message"
+ value="Nothing to do!"/>
+ <property name="end.compile.java.log.message"
+ value="Completed 
compiling '${product.name}' java code from '${src.dir}' into '${build.classes}'."/>
+ <property name="begin.build.jars.log.message"
+ value="Generating '${product.name}' jar files ..."/>
+ <property name="empty.build.jars.log.message"
+ value="Nothing to do!"/>
+ <property name="end.build.jars.log.message"
+ value="Completed generating '${product.name}' jar files."/>
+ <property name="begin.build.jni.headers.log.message"
+ value="Generating '${product.name}' java header files ..."/>
+ <property name="empty.build.jni.headers.log.message"
+ value="Nothing to do!"/>
+ <property name="end.build.jni.headers.log.message"
+ value="Completed generating '${product.name}' java header files."/>
+ <property name="notify.build.log.message"
+ value="Built classes, jars, and jni headers for the '${product.name}' component."/>
+ <property name="begin.compile.junit.tests.log.message"
+ value="Compiling '${product.name}' junit tests from '${test.dir}' into '${build.tests}' ..."/>
+ <property name="empty.compile.junit.tests.log.message"
+ value="Nothing to do!"/>
+ <property name="end.compile.junit.tests.log.message"
+ value="Completed compiling '${product.name}' junit tests from '${test.dir}' into '${build.tests}'."/>
+ <property name="begin.run.junit.tests.log.message"
+ value="Executing '${product.name}' tests ..."/>
+ <property name="empty.run.junit.tests.log.message"
+ value="Nothing to do!"/>
+ <property name="end.run.junit.tests.log.message"
+ value="Completed executing '${product.name}' tests."/>
+ <property name="notify.verify.log.message"
+ value="Verified the '${product.name}' component."/>
+ <property name="begin.clean.javadocs.log.message"
+ value="Removing '${product.name}' javadocs directory ..."/>
+ <property name="empty.clean.javadocs.log.message"
+ value="Nothing to do!"/>
+ <property name="end.clean.javadocs.log.message"
+ value="Completed removing '${product.name}' javadocs directory."/>
+ <property name="begin.compose.javadocs.log.message"
+ value="Composing 
'${product.name}' javadocs ..."/>
+ <property name="empty.compose.javadocs.log.message"
+ value="Nothing to do!"/>
+ <property name="end.compose.javadocs.log.message"
+ value="Completed composing '${product.name}' javadocs."/>
+ <property name="notify.document.log.message"
+ value="Documented '${product.name}' javadocs."/>
+ <property name="begin.distribute.binaries.log.message"
+ value="Creating '${product.name}' binary distributions ..."/>
+ <property name="begin.binary.wrappers.log.message"
+ value=" Creating '${product.name}' binary wrappers ..."/>
+ <property name="empty.binary.wrappers.log.message"
+ value=" Nothing to do!"/>
+ <property name="end.binary.wrappers.log.message"
+ value=" Completed creating '${product.name}' binary wrappers."/>
+ <property name="begin.binary.zip.log.message"
+ value=" Creating '${product.name}' binary zip files ..."/>
+ <property name="empty.binary.zip.log.message"
+ value=" Nothing to do!"/>
+ <property name="end.binary.zip.log.message"
+ value=" Completed creating '${product.name}' binary zip files."/>
+ <property name="begin.binary.tar.log.message"
+ value=" Creating '${product.name}' binary tar files ..."/>
+ <property name="empty.binary.tar.log.message"
+ value=" Nothing to do!"/>
+ <property name="end.binary.tar.log.message"
+ value=" Completed creating '${product.name}' binary tar files."/>
+ <property name="begin.binary.gtar.log.message"
+ value=" Creating '${product.name}' binary gzip files ..."/>
+ <property name="empty.binary.gtar.log.message"
+ value=" Nothing to do!"/>
+ <property name="end.binary.gtar.log.message"
+ value=" Completed creating '${product.name}' binary gzip files."/>
+ <property name="end.distribute.binaries.log.message"
+ value="Completed creating '${product.name}' binary distributions."/>
+ <property name="begin.distribute.source.log.message"
+ value="Creating '${product.name}' source distributions ..."/>
+ <property name="begin.source.zip.log.message"
+ value=" Creating '${product.name}' source 
zip files ..."/>
+ <property name="empty.source.zip.log.message"
+ value=" Nothing to do!"/>
+ <property name="end.source.zip.log.message"
+ value=" Completed creating '${product.name}' source zip files."/>
+ <property name="begin.source.tar.log.message"
+ value=" Creating '${product.name}' source tar files ..."/>
+ <property name="empty.source.tar.log.message"
+ value=" Nothing to do!"/>
+ <property name="end.source.tar.log.message"
+ value=" Completed creating '${product.name}' source tar files."/>
+ <property name="begin.source.gtar.log.message"
+ value=" Creating '${product.name}' source gzip files ..."/>
+ <property name="empty.source.gtar.log.message"
+ value=" Nothing to do!"/>
+ <property name="end.source.gtar.log.message"
+ value=" Completed creating '${product.name}' source gzip files."/>
+ <property name="end.distribute.source.log.message"
+ value="Completed creating '${product.name}' source distributions."/>
+ <property name="notify.distribute.log.message"
+ value="Distributed '${product.name}' distribution packages."/>
+ <property name="notify.main.log.message"
+ value="Built, verified, documented, and distributed a fresh '${product.name}' component."/>
+
+</project>
+
diff --git a/pki/base/ca/config/release.xml b/pki/base/ca/config/release.xml
new file mode 100644
index 000000000..fc43aaeb7
--- /dev/null
+++ b/pki/base/ca/config/release.xml
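Review bot: The `perl -ne 'print $1 if …'` extractions of `Name`, `spec.product.ui.prefix`, `product.prefix`, `product` and `version` fail open: `failonerror="true"` only catches a perl crash, while a spec file missing one of the `%define` lines prints nothing, so the property becomes the empty string and `dist.name` quietly degrades to something like `-1.0` (and release.xml then points `rpmbuild -ta` at a tarball that does not exist). Guard at least the two values that name the archives, e.g. `<fail message="base_version not found in ${specfile}"><condition><equals arg1="${version}" arg2=""/></condition></fail>` and the same for `product`. `<property name="basedir" value=""/>` never takes effect because Ant properties are immutable and `basedir` is already set by the `<project>` element, so either drop it or rename it to the property the callers actually pass. The `base_product` pattern captures `(.*)` where the others use `(\S+)`, which will keep trailing whitespace or a CR in `Name`; use `(\S+)` there too unless the product name is meant to contain spaces.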
@@ -0,0 +1,86 @@
+<!-- ### BEGIN COPYRIGHT BLOCK ###
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; version 2 of the License.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License along
+ with this program; if not, write to the Free Software Foundation, Inc.,
+ 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+
+ Copyright (C) 2007 Red Hat, Inc.
+ All rights reserved.
+ ### END COPYRIGHT BLOCK ### -->
+<project name="release.xml" default="main" basedir="${basedir}">
+
+ <echo message="Importing shared properties ..."/>
+ <import file="product.xml"/>
+ <import file="product-ext.xml" optional="true"/>
+ <import file="release-ext.xml" optional="true"/>
+ <echo message="Completed importing shared properties."/>
+
+
+ <target name="local"
+ depends=""
+ description="--> Generate this target locally">
+ <echo message="Generating the '${product.name}' target locally ..."/>
+ <exec executable="ant" dir="${release.root}">
+ <arg value="-Dspecfile=${product.name}.spec"/>
+ <arg value="-Ddirsec=${dirsec}"/>
+ <arg value="${target}"/>
+ </exec>
+ <echo message="Completed generating the '${product.name}' target locally."/>
+ </target>
+
+
+ <target name="main"
+ depends=""
+ description="--> Generate component RPMS and SRPMS">
+ <echo message="Generating '${product.name}' RPMS and SRPMS ..."/>
+
+ <exec executable="pwd"
+ failonerror="true"
+ outputproperty="top.dir"/>
+ <echo message="Established the '${top.dir}' top-level directory."/>
+
+ <echo message="Creating the '${product.name}' source distribution ..."/>
+ <exec executable="ant"
+ dir="${release.root}">
+ <arg 
value="-Dspecfile=${product.name}.spec"/>
+ <arg value="-Ddirsec=${dirsec}"/>
+ <arg value="distribute_source"/>
+ </exec>
+ <echo message="Completed creating the '${product.name}' source distribution."/>
+
+ <echo message="Creating '${product.name}' RPM directories ..."/>
+ <mkdir dir="${release.root}/dist/rpmpkg"/>
+ <mkdir dir="${release.root}/dist/rpmpkg/SOURCES"/>
+ <mkdir dir="${release.root}/dist/rpmpkg/RPMS"/>
+ <mkdir dir="${release.root}/dist/rpmpkg/SRPMS"/>
+ <mkdir dir="${release.root}/dist/rpmpkg/SPECS"/>
+ <mkdir dir="${release.root}/dist/rpmpkg/BUILD"/>
+ <echo message="Completed creating '${product.name}' RPM directories."/>
+
+ <echo message="Building '${product.name}' RPMS and SRPMS ..."/>
+ <exec executable="rpmbuild"
+ dir="${release.root}">
+ <arg value="--define"/>
+ <arg value="_topdir ${top.dir}/${release.root}/dist/rpmpkg"/>
+ <arg value="-ta"/>
+ <arg value="${top.dir}/${release.root}/dist/source/${product.name}-${version}.tar.gz"/>
+ </exec>
+ <echo message="Completed building '${product.name}' RPMS and SRPMS."/>
+
+ <echo message="Removing various '${product.name}' RPM directories and files ..."/>
+ <delete dir="${release.root}/dist/rpmpkg/BUILD"/>
+ <echo message="Completed removing various '${product.name}' RPM directories and files."/>
+
+ <echo message="Completed generating '${product.name}' RPMS and SRPMS."/>
+ </target>
+
+</project>
+
diff --git a/pki/base/ca/setup/config.desktop b/pki/base/ca/setup/config.desktop
new file mode 100644
index 000000000..4c7a679aa
--- /dev/null
+++ b/pki/base/ca/setup/config.desktop
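Review bot: Neither the nested `ant … distribute_source` exec nor the `rpmbuild -ta` exec in the `main` target sets `failonerror="true"`, so a failed source tarball or a failed RPM build is swallowed, the target still echoes "Completed building … RPMS and SRPMS", and Ant exits 0 — a packaging job can produce nothing and report success. The `pwd` exec a few lines above does set it, which makes the omission look accidental. Add `failonerror="true"` to `<exec executable="ant" …>` and `<exec executable="rpmbuild" …>` here and to the `ant` exec in the `local` target. Since the BUILD directory is deleted unconditionally afterwards, a failed build also loses the evidence needed to diagnose it, so consider skipping that cleanup when rpmbuild fails.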
@@ -0,0 +1,31 @@
+# --- BEGIN COPYRIGHT BLOCK ---
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; version 2 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License along
+# with this program; if not, write to the Free Software Foundation, Inc.,
+# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# Copyright (C) 2007 Red Hat, Inc.
+# All rights reserved.
+# --- END COPYRIGHT BLOCK ---
+#
+[Desktop Entry]
+Version=1.0.0
+Encoding=UTF-8
+Name=Certificate Authority Configuration - [PKI_INSTANCE_ID]
+GenericName=Certificate Authority Configuration
+Comment=Configure Certificate Authority
+Exec=firefox https://[PKI_MACHINE_NAME]:[PKI_SECURE_PORT]/ca/admin/console/config/login?pin=[PKI_RANDOM_NUMBER]
+Icon=firefox.png
+Terminal=false
+Type=Application
+MimeType=text/html;text/xml;application/xhtml+xml;application/vnd.mozilla.xul+xml;text/mml;
+X-Desktop-File-Install-Version=0.9
+Categories=Application;CertServer;
diff --git a/pki/base/ca/setup/postinstall b/pki/base/ca/setup/postinstall
new file mode 100755
index 000000000..385a9accd
--- /dev/null
+++ b/pki/base/ca/setup/postinstall
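Review bot: The `Exec=` line bakes `[PKI_RANDOM_NUMBER]` — the same value CS.cfg stores as `preop.pin`, which under `authType=pwd` is the only credential gating the pre-operational configuration wizard — into a .desktop file and onto a `firefox` command line. Anyone who can read the file (desktop entries are usually installed world-readable, so verify how the installer writes this one) or list processes while the browser starts learns the pin, and the URL is also kept in browser history. Prefer launching `…/config/login` without the pin and letting the page prompt for it; failing that, the installer should write this file owner-readable only and delete it once `cs.state` leaves 0. At minimum add a comment above `Exec=`: `# NOTE: [PKI_RANDOM_NUMBER] is the one-time configuration pin (preop.pin); this file must not be world-readable and should be removed after configuration completes.`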
@@ -0,0 +1,66 @@
+#!/bin/bash
+#
+# --- BEGIN COPYRIGHT BLOCK ---
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; version 2 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License along
+# with this program; if not, write to the Free Software Foundation, Inc.,
+# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# Copyright (C) 2007 Red Hat, Inc.
+# All rights reserved.
+# --- END COPYRIGHT BLOCK ---
+#
+
+###############################################################################
+## (1) Check command line arguments to see how many were passed in. ##
+###############################################################################
+
+if [ $# -eq 4 ]
+then
+ PKI_PRODUCT_NAME=$1
+ PKI_SUBSYSTEM_NAME=$2
+ VERSION=$3
+ RELEASE=$4
+else
+ echo
+ echo "Usage: $0 PKI_product_name PKI_subsystem_name version release"
+ echo
+
+ exit 255
+fi
+
+
+###############################################################################
+## (2) Specify variables used by this script. ##
+###############################################################################
+
+PKI_INSTANCE_NAME="${PKI_PRODUCT_NAME}-${PKI_SUBSYSTEM_NAME}"
+SECURE_PORT=9443
+UNSECURE_PORT=9080
+TOMCAT_SERVER_PORT=1701
+
+
+###############################################################################
+## (3) Create the first instance of a Certificate Authority (CA). ##
+###############################################################################
+
+if [ ! 
-e "/var/lib/${PKI_INSTANCE_NAME}" ]
+then
+ /usr/bin/pkicreate -pki_instance_root=/var/lib -pki_instance_name=${PKI_INSTANCE_NAME} -subsystem_type=${PKI_SUBSYSTEM_NAME} -secure_port=${SECURE_PORT} -unsecure_port=${UNSECURE_PORT} -tomcat_server_port=${TOMCAT_SERVER_PORT} -redirect conf=/etc/${PKI_INSTANCE_NAME} -redirect logs=/var/log/${PKI_INSTANCE_NAME}
+fi
+
+
+###############################################################################
+## (4) Successfully exit from this postinstallation script. ##
+###############################################################################
+
+exit 0
+
diff --git a/pki/base/ca/shared/acl/cms.acl b/pki/base/ca/shared/acl/cms.acl
new file mode 100644
index 000000000..7ed6410fb
--- /dev/null
+++ b/pki/base/ca/shared/acl/cms.acl
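Review bot: The exit status of `/usr/bin/pkicreate` is discarded — the `if` body has no failure branch and the script ends with an unconditional `exit 0` — so a failed instance creation (bad port, missing tool, partial directory) still reports success to rpm and leaves the package installed without a working CA instance. Change the call to `/usr/bin/pkicreate … || { echo "pkicreate failed for ${PKI_INSTANCE_NAME}" >&2; exit 1; }`, and add an `else` that at least logs that `/var/lib/${PKI_INSTANCE_NAME}` already exists, since a half-created directory from an earlier failed run otherwise skips creation silently forever. `VERSION` and `RELEASE` are parsed but never used. The hard-coded `SECURE_PORT=9443` has to stay in step with `preop.securitydomain.url=https://[PKI_MACHINE_NAME]:9443` in CS.cfg; a comment pointing at that coupling would save the next person who changes one side.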
@@ -0,0 +1,45 @@
+resourceACLS
+certServer.usrgrp.administration:read,modify:allow (read) group="Administrators" || group="Auditors" || group="Certificate Manager Agents" || group="Registration Manager Agents" || group="Data Recovery Manager Agents" || group="Online Certificate Status Manager Agents";allow (modify) group="Administrators":Administrators, auditors, and agents are allowed to read user and group configuration but only administrators are allowed to modify
+certServer.general.configuration:read,modify:allow (read) group="Administrators" || group="Auditors" || group="Certificate Manager Agents" || group="Registration Manager Agents" || group="Data Recovery Manager Agents" || group="Online Certificate Status Manager Agents";allow (modify) group="Administrators":Administrators, auditors, and agents are allowed to read CMS general configuration but only administrators are allowed to modify
+certServer.policy.configuration:read,modify:allow (read) group="Administrators" || group="Certificate Manager Agents" || group="Registration Manager Agents" || group="Data Recovery Manager Agents" || group="Online Certificate Status Manager Agents" || group="Auditors";allow (modify) group="Administrators":Administrators, agents and auditors are allowed to read policy configuration but only administrators allowed to modify
+certServer.acl.configuration:read,modify:allow (read) group="Administrators" || group="Certificate Manager Agents" || group="Registration Manager Agents" || group="Data Recovery Manager Agents" || group="Online Certificate Status Manager Agents" || group="Auditors";allow (modify) group="Administrators":Administrators, agents and auditors are allowed to read ACL configuration but only administrators allowed to modify
+certServer.log.configuration:read,modify:allow (read) group="Administrators" || group="Auditors" || group="Certificate Manager Agents" || group="Registration Manager Agents" || group="Data Recovery Manager Agents" || group="Online 
Certificate Status Manager Agents";allow (modify) group="Administrators":Administrators, Agents, and auditors are allowed to read the log configuration but only administrators are allowed to modify
+certServer.log.configuration.fileName:read,modify:allow (read) group="Administrators" || group="Auditors" || group="Certificate Manager Agents" || group="Registration Manager Agents" || group="Data Recovery Manager Agents" || group="Online Certificate Status Manager Agents";deny (modify) user=anybody:Nobody is allowed to modify a fileName parameter
+certServer.log.configuration.signedAudit.expirationTime:read,modify:allow (read) group="Administrators" || group="Auditors" || group="Certificate Manager Agents" || group="Registration Manager Agents" || group="Data Recovery Manager Agents" || group="Online Certificate Status Manager Agents";deny (modify) user=anybody:Nobody is allowed to modify an expirationTime parameter.
+certServer.log.content.signedAudit:read:deny (read) group="Administrators" || group="Certificate Manager Agents" || group="Registration Manager Agents" || group="Data Recovery Manager Agents" || group="Online Certificate Status Manager Agents":Only auditor is allowed to read the signed audit log
+certServer.log.content:read:allow (read) group="Administrators" || group="Certificate Manager Agents" || group="Registration Manager Agents" || group="Data Recovery Manager Agents" || group="Online Certificate Status Manager Agents" || group="Auditors":Administrators, auditors, and agents are allowed to read the log content
+certServer.ca.configuration:read,modify:allow (read) group="Administrators" || group="Certificate Manager Agents" || group="Registration Manager Agents" || group="Data Recovery Manager Agents" || group="Online Certificate Status Manager Agents" || group="Auditors";allow (modify) group="Administrators":Administrators, auditors, and agents are allowed to read CA configuration but only administrators allowed to modify 
+certServer.auth.configuration:read,modify:allow (read) group="Administrators" || group="Certificate Manager Agents" || group="Registration Manager Agents" || group="Data Recovery Manager Agents" || group="Online Certificate Status Manager Agents" || group="Auditors";allow (modify) group="Administrators":Administrators, agents, and auditors are allowed to read authentication configuration but only administrators allowed to modify
+certServer.ocsp.configuration:read,modify:allow (read) group="Administrators" || group="Certificate Manager Agents" || group="Registration Manager Agents" || group="Data Recovery Manager Agents" || group="Online Certificate Status Manager Agents" || group="Auditors";allow (modify) group="Administrators":Administrators, Agents, and auditors are allowed to read ocsp configuration but only administrators allowed to modify
+certServer.registry.configuration:read,modify:allow (read) group="Administrators" || group="Certificate Manager Agents" || group="Registration Manager Agents" || group="Data Recovery Manager Agents" || group="Online Certificate Status Manager Agents" || group="Auditors";allow (modify) group="Administrators":this acl is shared by all admin servlets
+certServer.profile.configuration:read,modify:allow (read) group="Administrators" || group="Certificate Manager Agents" || group="Registration Manager Agents" || group="Data Recovery Manager Agents" || group="Online Certificate Status Manager Agents" || group="Auditors";allow (modify) group="Administrators":Administrators, agents, and auditors are allowed to read profile configuration but only administrators allowed to modify
+certServer.job.configuration:read,modify:allow (read) group="Administrators" || group="Certificate Manager Agents" || group="Registration Manager Agents" || group="Data Recovery Manager Agents" || group="Online Certificate Status Manager Agents" || group="Auditors";allow (modify) group="Administrators":Administrators, agents, and auditors are allowed to 
read job configuration but only administrators allowed to modify
+certServer.publisher.configuration:read,modify:allow (read) group="Administrators" || group="Auditors" || group="Certificate Manager Agents" || group="Registration Manager Agents" || group="Data Recovery Manager Agents" || group="Online Certificate Status Manager Agents";allow (modify) group="Administrators":Administrators, auditors, and agents are allowed to read publisher configuration but only administrators allowed to modify
+certServer.kra.configuration:read,modify:allow (read) group="Administrators" || group="Auditors" || group="Certificate Manager Agents" || group="Registration Manager Agents" || group="Data Recovery Manager Agents" || group="Online Certificate Status Manager Agents";allow (modify) group="Administrators":Administrators, auditors, and agents are allowed to read DRM configuration but only administrators allowed to modify
+certServer.ra.configuration:read,modify:allow (read) group="Administrators" || group="Auditors" || group="Certificate Manager Agents" || group="Registration Manager Agents" || group="Data Recovery Manager Agents" || group="Online Certificate Status Manager Agents";allow (modify) group="Administrators":Administrators, auditors, and agents are allowed to read RA configuration but only administrators allowed to modify
+certServer.ca.directory:update:allow (update) group="Certificate Manager Agents":Certificate Manager agents may update directory
+certServer.ca.certificate:import,unrevoke,revoke,read:allow (import,unrevoke,revoke,read) group="Certificate Manager Agents":Certificate Manager agents may import,unrevoke,revoke,read a certificate
+certServer.ca.certificates:revoke,list:allow (revoke,list) group="Certificate Manager Agents":Only certificate manager agents revoke, list certificates
+certServer.ca.requests:list:allow (list) group="Certificate Manager Agents":Only certificate manager agents list requests 
+certServer.ca.request.enrollment:submit,read,execute,assign,unassign:allow (submit) user="anybody";allow (read,execute,assign,unassign) group="Certificate Manager Agents":Anybody may submit an enrollment request, Certificate Manager Agents may read,execute,assign or unassign request
+certServer.ca.ocsp:read:allow (read) group="Certificate Manager Agents":Certificate Manager agents may read ocsp information
+certServer.ee.request.ocsp:submit:allow (submit) ipaddress=".*":Any clients can submit ocsp requests
+certServer.ca.crl:read,update:allow (read,update) group="Certificate Manager Agents":Certificate Manager agents may read or update crl
+certServer.ee.certificate:renew,revoke,read,import:allow (renew,revoke,read,import) user="anybody":Anybody may renew,import,revoke,read a certificate
+certServer.ee.certificates:revoke,list:allow (revoke,list) user="anybody":Anybody may revoke, list certificates
+certServer.ee.certchain:download,read:allow (download,read) user="anybody":Anybody may download a certificate chain
+certServer.ee.crl:read,add:allow (read,add) user="anybody":Anybody may add or retrieve CRL
+certServer.ee.request.enrollment:submit:allow (submit) user="anybody":Anybody may submit an enrollment request
+certServer.ee.requestStatus:read:allow (read) user="anybody":Anybody may read request status
+certServer.ee.request.revocation:submit:allow (submit) user="anybody":Anybody may submit a revocation request
+certServer.admin.certificate:import:allow (import) user="anybody":Any user may import a certificate
+certServer.admin.request.enrollment:submit,read,execute:allow (submit) user="anybody";allow (read,execute) group="Certificate Manager Agents":Anybody may submit an enrollment request, Certificate Manager Agents may read or execute request
+certServer.ca.request.profile:approve,read:allow (approve,read) group="Certificate Manager Agents":Certificate Manager agents may approve profile
+certServer.ca.profiles:list:allow (list) group="Certificate Manager 
Agents":Certificate Manager agents may list profiles
+certServer.ca.profile:read,approve:allow (read,approve) group="Certificate Manager Agents":Certificate Manager agents may read profile
+certServer.ee.profile:submit,read:allow (submit,read) user="anybody":Anybody may submit certificate profiles
+certServer.ee.profiles:list:allow (list) user="anybody":Anybody may list certificate profiles
+certServer.ca.connector:submit:allow (submit) group="Trusted Managers":Only Trusted Managers submit requests
+certServer.ca.clone:submit:allow (submit) group="Certificate Manager Agents":Certificate Manager Agents are allowed to submit request to the master CA
+certServer.ca.systemstatus:read:allow (read) group="Certificate Manager Agents":Certificate Manager agents may view statistics
+certServer.ca.group:read,modify:allow (modify,read) group="Administrators":Only administrators are allowed to read and modify users and groups
diff --git a/pki/base/ca/shared/conf/CS.cfg b/pki/base/ca/shared/conf/CS.cfg
new file mode 100644
index 000000000..a01071808
--- /dev/null
+++ b/pki/base/ca/shared/conf/CS.cfg
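Review bot: `certServer.log.content.signedAudit` is the only entry in this file written as a deny-list: it names the groups that may not read the signed audit log and never grants `read` to Auditors, even though its description says only auditors may read it. Whether an authenticated principal in an unlisted group (`Trusted Managers`, or any group an administrator creates later) is admitted or refused then hinges on the evaluator's default for "no allow matched", and every new group silently inherits audit-log access — the opposite of least privilege for the one log that is meant to be tamper-evident. Make the intent explicit with `certServer.log.content.signedAudit:read:allow (read) group="Auditors":Only auditor is allowed to read the signed audit log` (keep the deny clause ahead of it if the evaluator honours deny-before-allow). Separately, `certServer.ee.certificate` and `certServer.ee.certificates` grant `revoke` to `user="anybody"`; if the owner-of-certificate check lives in the EE servlet rather than in the ACL, that dependency belongs in the entry's description so the line is not copied into a subsystem that lacks it.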
@@ -0,0 +1,907 @@
+#
+#cs.state=0 (pre-operational)
+#cs.state=1 (running)
+#
+installDate=[INSTALL_TIME]
+preop.wizard.name=CA Setup Wizard
+preop.product.name=CS
+preop.product.version=
+preop.system.name=CA
+preop.system.fullname=Certificate Authority
+cs.state=0
+cs.type=CA
+authType=pwd
+admin.interface.uri=ca/admin/console/config/wizard
+ee.interface.uri=ca/ee/ca
+agent.interface.uri=ca/agent/ca
+preop.securitydomain.url=https://[PKI_MACHINE_NAME]:9443
+securitydomain.flushinterval=86400000
+instanceRoot=[PKI_INSTANCE_PATH]
+machineName=[PKI_MACHINE_NAME]
+instanceId=[PKI_INSTANCE_ID]
+service.securePort=[PKI_SECURE_PORT]
+preop.admin.name=Certificate System Administrator
+preop.admin.group=Certificate Manager Agents
+preop.admincert.profile=caAdminCert
+preop.pin=[PKI_RANDOM_NUMBER]
+preop.cert.list=signing,ocsp_signing,sslserver,subsystem
+preop.cert.signing.enable=true
+preop.cert.ocsp_signing.enable=true
+preop.cert.sslserver.enable=true
+preop.cert.subsystem.enable=true
+preop.cert.signing.defaultSigningAlgorithm=SHA1withRSA
+preop.cert.signing.dn=CN=Certificate Authority
+preop.cert.signing.cncomponent.override=true
+preop.cert.signing.keysize.size=2048
+preop.cert.signing.keysize.custom_size=2048
+preop.cert.signing.nickname=caSigningCert cert-[PKI_INSTANCE_ID]
+preop.cert.signing.profile=caCert.profile
+preop.cert.signing.subsystem=ca
+preop.cert.signing.type=selfsign
+preop.cert.signing.userfriendlyname=CA Signing Certificate
+preop.cert.ocsp_signing.defaultSigningAlgorithm=SHA1withRSA
+preop.cert.ocsp_signing.dn=CN=OCSP Signing Certificate
+preop.cert.ocsp_signing.keysize.custom_size=2048
+preop.cert.ocsp_signing.keysize.size=2048
+preop.cert.ocsp_signing.nickname=ocspSigningCert cert-[PKI_INSTANCE_ID]
+preop.cert.ocsp_signing.profile=caOCSPCert.profile
+preop.cert.ocsp_signing.subsystem=ca
+preop.cert.ocsp_signing.type=local
+preop.cert.ocsp_signing.userfriendlyname=OCSP Signing Certificate
+preop.cert.ocsp_signing.cncomponent.override=true
+preop.cert.sslserver.defaultSigningAlgorithm=SHA1withRSA
+preop.cert.sslserver.dn=CN=[PKI_MACHINE_NAME]
+preop.cert.sslserver.keysize.custom_size=2048
+preop.cert.sslserver.keysize.size=2048
+preop.cert.sslserver.nickname=Server-Cert cert-[PKI_INSTANCE_ID]
+preop.cert.sslserver.profile=serverCert.profile
+preop.cert.sslserver.subsystem=ca
+preop.cert.sslserver.type=local
+preop.cert.sslserver.userfriendlyname=SSL Server Certificate
+preop.cert.sslserver.cncomponent.override=false
+preop.cert.subsystem.defaultSigningAlgorithm=SHA1withRSA
+preop.cert.subsystem.dn=CN=CA Subsystem Certificate
+preop.cert.subsystem.keysize.custom_size=2048
+preop.cert.subsystem.keysize.size=2048
+preop.cert.subsystem.nickname=subsystemCert cert-[PKI_INSTANCE_ID]
+preop.cert.subsystem.profile=subsystemCert.profile
+preop.cert.subsystem.subsystem=ca
+preop.cert.subsystem.type=local
+preop.cert.subsystem.userfriendlyname=Subsystem Certificate
+preop.cert.subsystem.cncomponent.override=true
+preop.cert.admin.defaultSigningAlgorithm=SHA1withRSA
+preop.cert.admin.dn=uid=admin,cn=admin
+preop.cert.admin.keysize.custom_size=2048
+preop.cert.admin.keysize.size=2048
+preop.cert.admin.profile=adminCert.profile
+preop.hierarchy.profile=caCert.profile
+preop.configModules.module0.userFriendlyName=NSS Internal PKCS #11 Module
+preop.configModules.module0.commonName=NSS Internal PKCS #11 Module
+preop.configModules.module0.imagePath=../img/clearpixel.gif
+preop.configModules.module1.userFriendlyName=nCipher's nFast Token Hardware Module
+preop.configModules.module1.commonName=nfast
+preop.configModules.module1.imagePath=../img/clearpixel.gif
+preop.configModules.module2.userFriendlyName=SafeNet's LunaSA Token Hardware Module
+preop.configModules.module2.commonName=lunasa
+preop.configModules.module2.imagePath=../img/clearpixel.gif
+preop.configModules.count=3
+preop.module.token=Internal Key Storage Token
+preop.name.caDN=CN=Certificate Authority
+preop.name.sslDN=CN=[PKI_MACHINE_NAME]
+preop.name.ocspDN=CN=OCSP Signing Certificate
+preop.name.subsystemDN=CN=CA Subsystem Certificate
+preop.name.canickname=caSigningCert cert-[PKI_INSTANCE_ID]
+preop.name.ocspnickname=ocspSigningCert cert-[PKI_INSTANCE_ID]
+preop.name.subsystemnickname=subsystemCert cert-[PKI_INSTANCE_ID]
+preop.name.sslnickname=Server-Cert cert-[PKI_INSTANCE_ID]
+preop.subsystem.count=0
+subsystem.count=0
+passwordFile=[PKI_INSTANCE_PATH]/conf/password.conf
+passwordClass=com.netscape.cmsutil.password.PlainPasswordFile
+multiroles=true
+CrossCertPair._000=##
+CrossCertPair._001=## CrossCertPair Import
+CrossCertPair._002=##
+CrossCertPair.ldap=internaldb
+accessEvaluator.impl.group.class=com.netscape.cms.evaluators.GroupAccessEvaluator
+accessEvaluator.impl.ipaddress.class=com.netscape.cms.evaluators.IPAddressAccessEvaluator
+accessEvaluator.impl.user.class=com.netscape.cms.evaluators.UserAccessEvaluator
+auths._000=##
+auths._001=## new authentication
+auths._002=##
+auths.impl._000=##
+auths.impl._001=## authentication manager implementations
+auths.impl._002=##
+auths.impl.AgentCertAuth.class=com.netscape.cms.authentication.AgentCertAuthentication
+auths.impl.CMCAuth.class=com.netscape.cms.authentication.CMCAuth
+auths.impl.NISAuth.class=com.netscape.cms.authentication.NISAuth
+auths.impl.PortalEnroll.class=com.netscape.cms.authentication.PortalEnroll
+auths.impl.UdnPwdDirAuth.class=com.netscape.cms.authentication.UdnPwdDirAuthentication
+auths.impl.UidPwdDirAuth.class=com.netscape.cms.authentication.UidPwdDirAuthentication
+auths.impl.UidPwdPinDirAuth.class=com.netscape.cms.authentication.UidPwdPinDirAuthentication
+auths.impl.UidPwdGroupDirAuth.class=com.netscape.cms.authentication.UidPwdGroupDirAuthentication
+auths.impl.TokenAuth.class=com.netscape.cms.authentication.TokenAuthentication
+auths.impl.FlatFileAuth.class=com.netscape.cms.authentication.FlatFileAuth
+auths.instance.TokenAuth.pluginName=TokenAuth
+auths.instance.AgentCertAuth.agentGroup=Certificate Manager Agents
+auths.instance.AgentCertAuth.pluginName=AgentCertAuth
+auths.instance.raCertAuth.agentGroup=Registration Manager Agents
+auths.instance.raCertAuth.pluginName=AgentCertAuth
+auths.instance.flatFileAuth.pluginName=FlatFileAuth
+auths.instance.flatFileAuth.fileName=[PKI_INSTANCE_PATH]/conf/flatfile.txt
+auths.revocationChecking.bufferSize=50
+auths.revocationChecking.ca=ca
+auths.revocationChecking.enabled=true
+auths.revocationChecking.unknownStateInterval=0
+auths.revocationChecking.validityInterval=120
+authz._000=##
+authz._001=## new authorizatioin
+authz._002=##
+authz.evaluateOrder=deny,allow
+authz.sourceType=ldap
+authz.impl._000=##
+authz.impl._001=## authorization manager implementations
+authz.impl._002=##
+authz.impl.BasicAclAuthz.class=com.netscape.cms.authorization.BasicAclAuthz
+authz.impl.DirAclAuthz.class=com.netscape.cms.authorization.DirAclAuthz
+authz.instance.BasicAclAuthz.pluginName=BasicAclAuthz
+authz.instance.DirAclAuthz.ldap=internaldb
+authz.instance.DirAclAuthz.pluginName=DirAclAuthz
+authz.instance.DirAclAuthz.ldap._000=##
+authz.instance.DirAclAuthz.ldap._001=## Internal Database
+authz.instance.DirAclAuthz.ldap._002=##
+ca.ocsp=true
+ca.certdbInc=20
+ca.crldbInc=20
+ca.id=ca
+ca.local=true
+ca.ocspUseCache=false
+ca.reqdbInc=20
+ca.transitMaxRecords=1000000
+ca.transitRecordPageSize=200
+ca.Policy.order=KeyAlgRule, RSAKeyRule, DefaultValidityRule, RenewalConstraintsRule, DefaultRenewalValidityRule, RevocationConstraintsRule, NSCertTypeExt, CMCertKeyUsageExt, RMCertKeyUsageExt, ClientCertKeyUsageExt, ServerCertKeyUsageExt, ObjSignCertKeyUsageExt, CRLSignCertKeyUsageExt, SubjectKeyIdentifierExt, CertificatePoliciesExt, NSCCommentExt, OCSPNoCheckExt, OCSPSigningExt, CODESigningExt, GenericASN1Ext, CRLDistributionPointsExt, SubjectAltNameExt, SigningAlgRule, AuthorityKeyIdentifierExt, AuthInfoAccessExt, BasicConstraintsExt, UniqueSubjectNameConstraints, NameConstraintsExt, PolicyConstraintsExt, SubCANameConstraints, PolicyMappingsExt, IssuerRule
+ca.Policy.processor=classic
+ca.Policy.impl._000=##
+ca.Policy.impl._001=## Policy Implementations
+ca.Policy.impl._002=##
+ca.Policy.impl.AttributePresentConstraints.class=com.netscape.cms.policy.constraints.AttributePresentConstraints
+ca.Policy.impl.AuthInfoAccessExt.class=com.netscape.cms.policy.extensions.AuthInfoAccessExt
+ca.Policy.impl.AuthorityKeyIdentifierExt.class=com.netscape.cms.policy.extensions.AuthorityKeyIdentifierExt
+ca.Policy.impl.BasicConstraintsExt.class=com.netscape.cms.policy.extensions.BasicConstraintsExt
+ca.Policy.impl.CRLDistributionPointsExt.class=com.netscape.cms.policy.extensions.CRLDistributionPointsExt
+ca.Policy.impl.CertificatePoliciesExt.class=com.netscape.cms.policy.extensions.CertificatePoliciesExt
+ca.Policy.impl.CertificateRenewalWindowExt.class=com.netscape.cms.policy.extensions.CertificateRenewalWindowExt
+ca.Policy.impl.CertificateScopeOfUseExt.class=com.netscape.cms.policy.extensions.CertificateScopeOfUseExt
+ca.Policy.impl.DSAKeyConstraints.class=com.netscape.cms.policy.constraints.DSAKeyConstraints
+ca.Policy.impl.ExtendedKeyUsageExt.class=com.netscape.cms.policy.extensions.ExtendedKeyUsageExt
+ca.Policy.impl.GenericASN1Ext.class=com.netscape.cms.policy.extensions.GenericASN1Ext
+ca.Policy.impl.IssuerAltNameExt.class=com.netscape.cms.policy.extensions.IssuerAltNameExt
+ca.Policy.impl.IssuerConstraints.class=com.netscape.cms.policy.constraints.IssuerConstraints
+ca.Policy.impl.KeyAlgorithmConstraints.class=com.netscape.cms.policy.constraints.KeyAlgorithmConstraints
+ca.Policy.impl.KeyUsageExt.class=com.netscape.cms.policy.extensions.KeyUsageExt
+ca.Policy.impl.NSCCommentExt.class=com.netscape.cms.policy.extensions.NSCCommentExt
+ca.Policy.impl.NSCertTypeExt.class=com.netscape.cms.policy.extensions.NSCertTypeExt
+ca.Policy.impl.NameConstraintsExt.class=com.netscape.cms.policy.extensions.NameConstraintsExt
+ca.Policy.impl.OCSPNoCheckExt.class=com.netscape.cms.policy.extensions.OCSPNoCheckExt
+ca.Policy.impl.PolicyConstraintsExt.class=com.netscape.cms.policy.extensions.PolicyConstraintsExt
+ca.Policy.impl.PolicyMappingsExt.class=com.netscape.cms.policy.extensions.PolicyMappingsExt
+ca.Policy.impl.PrivateKeyUsagePeriodExt.class=com.netscape.cms.policy.extensions.PrivateKeyUsagePeriodExt
+ca.Policy.impl.RSAKeyConstraints.class=com.netscape.cms.policy.constraints.RSAKeyConstraints
+ca.Policy.impl.RemoveBasicConstraintsExt.class=com.netscape.cms.policy.extensions.RemoveBasicConstraintsExt
+ca.Policy.impl.RenewalConstraints.class=com.netscape.cms.policy.constraints.RenewalConstraints
+ca.Policy.impl.RenewalValidityConstraints.class=com.netscape.cms.policy.constraints.RenewalValidityConstraints
+ca.Policy.impl.RevocationConstraints.class=com.netscape.cms.policy.constraints.RevocationConstraints
+ca.Policy.impl.SigningAlgorithmConstraints.class=com.netscape.cms.policy.constraints.SigningAlgorithmConstraints
+ca.Policy.impl.SubCANameConstraints.class=com.netscape.cms.policy.constraints.SubCANameConstraints
+ca.Policy.impl.SubjectAltNameExt.class=com.netscape.cms.policy.extensions.SubjectAltNameExt
+ca.Policy.impl.SubjectDirectoryAttributesExt.class=com.netscape.cms.policy.extensions.SubjectDirectoryAttributesExt
+ca.Policy.impl.SubjectKeyIdentifierExt.class=com.netscape.cms.policy.extensions.SubjectKeyIdentifierExt
+ca.Policy.impl.UniqueSubjectNameConstraints.class=com.netscape.cms.policy.constraints.UniqueSubjectNameConstraints
+ca.Policy.impl.ValidityConstraints.class=com.netscape.cms.policy.constraints.ValidityConstraints
+ca.Policy.rule.AuthInfoAccessExt.ad0_location=http://[PKI_MACHINE_NAME]:8080/ocsp
+ca.Policy.rule.AuthInfoAccessExt.ad0_location_type=URL
+ca.Policy.rule.AuthInfoAccessExt.ad0_method=ocsp
+ca.Policy.rule.AuthInfoAccessExt.enable=false
+ca.Policy.rule.AuthInfoAccessExt.implName=AuthInfoAccessExt
+ca.Policy.rule.AuthInfoAccessExt.numADs=1
+ca.Policy.rule.AuthInfoAccessExt.predicate=HTTP_PARAMS.certType==client
+ca.Policy.rule.AuthorityKeyIdentifierExt.enable=true
+ca.Policy.rule.AuthorityKeyIdentifierExt.implName=AuthorityKeyIdentifierExt
+ca.Policy.rule.AuthorityKeyIdentifierExt.predicate=
+ca.Policy.rule.BasicConstraintsExt.critical=true
+ca.Policy.rule.BasicConstraintsExt.enable=true
+ca.Policy.rule.BasicConstraintsExt.implName=BasicConstraintsExt
+ca.Policy.rule.BasicConstraintsExt.maxPathLen=
+ca.Policy.rule.BasicConstraintsExt.predicate=HTTP_PARAMS.certType == ca
+ca.Policy.rule.BasicConstraintsExt.removeBasicExt=true
+ca.Policy.rule.CMCertKeyUsageExt.crlSign=true
+ca.Policy.rule.CMCertKeyUsageExt.dataEncipherment=false
+ca.Policy.rule.CMCertKeyUsageExt.decipherOnly=false
+ca.Policy.rule.CMCertKeyUsageExt.digitalSignature=true
+ca.Policy.rule.CMCertKeyUsageExt.enable=true
+ca.Policy.rule.CMCertKeyUsageExt.encipherOnly=false
+ca.Policy.rule.CMCertKeyUsageExt.implName=KeyUsageExt
+ca.Policy.rule.CMCertKeyUsageExt.keyAgreement=false
+ca.Policy.rule.CMCertKeyUsageExt.keyCertsign=true
+ca.Policy.rule.CMCertKeyUsageExt.keyEncipherment=false
+ca.Policy.rule.CMCertKeyUsageExt.nonRepudiation=true
+ca.Policy.rule.CMCertKeyUsageExt.predicate=HTTP_PARAMS.certType==ca
+ca.Policy.rule.CODESigningExt.critical=false
+ca.Policy.rule.CODESigningExt.enable=true
+ca.Policy.rule.CODESigningExt.id0=1.3.6.1.5.5.7.3.3
+ca.Policy.rule.CODESigningExt.implName=ExtendedKeyUsageExt
+ca.Policy.rule.CODESigningExt.predicate=HTTP_PARAMS.certType==codeSignClient
+ca.Policy.rule.CRLDistributionPointsExt.enable=false
+ca.Policy.rule.CRLDistributionPointsExt.implName=CRLDistributionPointsExt
+ca.Policy.rule.CRLDistributionPointsExt.issuerName0=
+ca.Policy.rule.CRLDistributionPointsExt.issuerName1=
+ca.Policy.rule.CRLDistributionPointsExt.issuerName2=
+ca.Policy.rule.CRLDistributionPointsExt.issuerType0=
+ca.Policy.rule.CRLDistributionPointsExt.issuerType1=
+ca.Policy.rule.CRLDistributionPointsExt.issuerType2=
+ca.Policy.rule.CRLDistributionPointsExt.numPoints=0
+ca.Policy.rule.CRLDistributionPointsExt.pointName0=
+ca.Policy.rule.CRLDistributionPointsExt.pointName1=
+ca.Policy.rule.CRLDistributionPointsExt.pointName2=
+ca.Policy.rule.CRLDistributionPointsExt.pointType0=
+ca.Policy.rule.CRLDistributionPointsExt.pointType1=
+ca.Policy.rule.CRLDistributionPointsExt.pointType2=
+ca.Policy.rule.CRLDistributionPointsExt.predicate=
+ca.Policy.rule.CRLDistributionPointsExt.reasons0=
+ca.Policy.rule.CRLDistributionPointsExt.reasons1=
+ca.Policy.rule.CRLDistributionPointsExt.reasons2=
+ca.Policy.rule.CRLSignCertKeyUsageExt.crlSign=true
+ca.Policy.rule.CRLSignCertKeyUsageExt.dataEncipherment=false
+ca.Policy.rule.CRLSignCertKeyUsageExt.decipherOnly=false
+ca.Policy.rule.CRLSignCertKeyUsageExt.digitalSignature=false
+ca.Policy.rule.CRLSignCertKeyUsageExt.enable=true
+ca.Policy.rule.CRLSignCertKeyUsageExt.encipherOnly=false
+ca.Policy.rule.CRLSignCertKeyUsageExt.implName=KeyUsageExt
+ca.Policy.rule.CRLSignCertKeyUsageExt.keyAgreement=false
+ca.Policy.rule.CRLSignCertKeyUsageExt.keyCertsign=false
+ca.Policy.rule.CRLSignCertKeyUsageExt.keyEncipherment=false
+ca.Policy.rule.CRLSignCertKeyUsageExt.nonRepudiation=false
+ca.Policy.rule.CRLSignCertKeyUsageExt.predicate=HTTP_PARAMS.certType==caCrlSigning
+ca.Policy.rule.CertificatePoliciesExt.critical=false
+ca.Policy.rule.CertificatePoliciesExt.enable=false
+ca.Policy.rule.CertificatePoliciesExt.implName=CertificatePoliciesExt
+ca.Policy.rule.CertificatePoliciesExt.numCertPolicies=1
+ca.Policy.rule.CertificatePoliciesExt.predicate=
+ca.Policy.rule.CertificatePoliciesExt.certPolicy0.cpsURI=
+ca.Policy.rule.CertificatePoliciesExt.certPolicy0.noticeRefNumbers=
+ca.Policy.rule.CertificatePoliciesExt.certPolicy0.noticeRefOrganization=
+ca.Policy.rule.CertificatePoliciesExt.certPolicy0.policyId=
+ca.Policy.rule.CertificatePoliciesExt.certPolicy0.userNoticeExplicitText=
+ca.Policy.rule.ClientCertKeyUsageExt.crlSign=false
+ca.Policy.rule.ClientCertKeyUsageExt.dataEncipherment=false
+ca.Policy.rule.ClientCertKeyUsageExt.decipherOnly=false
+ca.Policy.rule.ClientCertKeyUsageExt.digitalSignature=true
+ca.Policy.rule.ClientCertKeyUsageExt.enable=true
+ca.Policy.rule.ClientCertKeyUsageExt.encipherOnly=false
+ca.Policy.rule.ClientCertKeyUsageExt.implName=KeyUsageExt
+ca.Policy.rule.ClientCertKeyUsageExt.keyAgreement=false
+ca.Policy.rule.ClientCertKeyUsageExt.keyCertsign=false
+ca.Policy.rule.ClientCertKeyUsageExt.keyEncipherment=true
+ca.Policy.rule.ClientCertKeyUsageExt.nonRepudiation=true
+ca.Policy.rule.ClientCertKeyUsageExt.predicate=HTTP_PARAMS.certType==client
+ca.Policy.rule.DSAKeyRule.enable=true
+ca.Policy.rule.DSAKeyRule.implName=DSAKeyConstraints
+ca.Policy.rule.DSAKeyRule.maxSize=1024
+ca.Policy.rule.DSAKeyRule.minSize=512
+ca.Policy.rule.DSAKeyRule.predicate=
+ca.Policy.rule.DefaultRenewalValidityRule.enable=true
+ca.Policy.rule.DefaultRenewalValidityRule.implName=RenewalValidityConstraints
+ca.Policy.rule.DefaultRenewalValidityRule.maxValidity=365
+ca.Policy.rule.DefaultRenewalValidityRule.minValidity=30
+ca.Policy.rule.DefaultRenewalValidityRule.predicate=
+ca.Policy.rule.DefaultRenewalValidityRule.renewalInterval=15
+ca.Policy.rule.DefaultValidityRule.enable=true
+ca.Policy.rule.DefaultValidityRule.implName=ValidityConstraints
+ca.Policy.rule.DefaultValidityRule.maxValidity=365
+ca.Policy.rule.DefaultValidityRule.minValidity=1
+ca.Policy.rule.DefaultValidityRule.predicate=
+ca.Policy.rule.GenericASN1Ext.critical=false
+ca.Policy.rule.GenericASN1Ext.enable=false
+ca.Policy.rule.GenericASN1Ext.implName=GenericASN1Ext
+ca.Policy.rule.GenericASN1Ext.name=
+ca.Policy.rule.GenericASN1Ext.oid=
+ca.Policy.rule.GenericASN1Ext.pattern=
+ca.Policy.rule.GenericASN1Ext.predicate=
+ca.Policy.rule.GenericASN1Ext.attribute.0.source=
+ca.Policy.rule.GenericASN1Ext.attribute.0.type=
+ca.Policy.rule.GenericASN1Ext.attribute.0.value=
+ca.Policy.rule.GenericASN1Ext.attribute.1.source=
+ca.Policy.rule.GenericASN1Ext.attribute.1.type=
+ca.Policy.rule.GenericASN1Ext.attribute.1.value=
+ca.Policy.rule.GenericASN1Ext.attribute.2.source=
+ca.Policy.rule.GenericASN1Ext.attribute.2.type=
+ca.Policy.rule.GenericASN1Ext.attribute.2.value=
+ca.Policy.rule.GenericASN1Ext.attribute.3.source=
+ca.Policy.rule.GenericASN1Ext.attribute.3.type=
+ca.Policy.rule.GenericASN1Ext.attribute.3.value=
+ca.Policy.rule.GenericASN1Ext.attribute.4.source=
+ca.Policy.rule.GenericASN1Ext.attribute.4.type=
+ca.Policy.rule.GenericASN1Ext.attribute.4.value=
+ca.Policy.rule.GenericASN1Ext.attribute.5.source=
+ca.Policy.rule.GenericASN1Ext.attribute.5.type=
+ca.Policy.rule.GenericASN1Ext.attribute.5.value=
+ca.Policy.rule.GenericASN1Ext.attribute.6.source=
+ca.Policy.rule.GenericASN1Ext.attribute.6.type=
+ca.Policy.rule.GenericASN1Ext.attribute.6.value=
+ca.Policy.rule.GenericASN1Ext.attribute.7.source=
+ca.Policy.rule.GenericASN1Ext.attribute.7.type=
+ca.Policy.rule.GenericASN1Ext.attribute.7.value=
+ca.Policy.rule.GenericASN1Ext.attribute.8.source=
+ca.Policy.rule.GenericASN1Ext.attribute.8.type=
+ca.Policy.rule.GenericASN1Ext.attribute.8.value=
+ca.Policy.rule.GenericASN1Ext.attribute.9.source=
+ca.Policy.rule.GenericASN1Ext.attribute.9.type=
+ca.Policy.rule.GenericASN1Ext.attribute.9.value=
+ca.Policy.rule.IssuerRule.enable=false
+ca.Policy.rule.IssuerRule.implName=IssuerConstraints
+ca.Policy.rule.IssuerRule.issuerDN=
+ca.Policy.rule.IssuerRule.predicate=HTTP_PARAMS.certType==client AND certauthEnroll==on
+ca.Policy.rule.KeyAlgRule.algorithms=RSA,DSA
+ca.Policy.rule.KeyAlgRule.enable=true
+ca.Policy.rule.KeyAlgRule.implName=KeyAlgorithmConstraints
+ca.Policy.rule.KeyAlgRule.predicate=
+ca.Policy.rule.NSCCommentExt.commentFile=
+ca.Policy.rule.NSCCommentExt.enable=false
+ca.Policy.rule.NSCCommentExt.implName=NSCCommentExt
+ca.Policy.rule.NSCCommentExt.inputType=Text
+ca.Policy.rule.NSCCommentExt.predicate=
+ca.Policy.rule.NSCertTypeExt.enable=true
+ca.Policy.rule.NSCertTypeExt.implName=NSCertTypeExt
+ca.Policy.rule.NSCertTypeExt.predicate=HTTP_PARAMS.certType!=CEP-Request
+ca.Policy.rule.NameConstraintsExt.critical=true
+ca.Policy.rule.NameConstraintsExt.enable=false
+ca.Policy.rule.NameConstraintsExt.implName=NameConstraintsExt
+ca.Policy.rule.NameConstraintsExt.numExcludedSubtrees=3
+ca.Policy.rule.NameConstraintsExt.numPermittedSubtrees=3
+ca.Policy.rule.NameConstraintsExt.predicate=HTTP_PARAMS.certType == ca
+ca.Policy.rule.NameConstraintsExt.excludedSubtrees0.max=-1
+ca.Policy.rule.NameConstraintsExt.excludedSubtrees0.min=0
+ca.Policy.rule.NameConstraintsExt.excludedSubtrees0.base.generalNameChoice=
+ca.Policy.rule.NameConstraintsExt.excludedSubtrees0.base.generalNameValue=
+ca.Policy.rule.NameConstraintsExt.excludedSubtrees1.max=-1
+ca.Policy.rule.NameConstraintsExt.excludedSubtrees1.min=0
+ca.Policy.rule.NameConstraintsExt.excludedSubtrees1.base.generalNameChoice=
+ca.Policy.rule.NameConstraintsExt.excludedSubtrees1.base.generalNameValue=
+ca.Policy.rule.NameConstraintsExt.excludedSubtrees2.max=-1
+ca.Policy.rule.NameConstraintsExt.excludedSubtrees2.min=0
+ca.Policy.rule.NameConstraintsExt.excludedSubtrees2.base.generalNameChoice=
+ca.Policy.rule.NameConstraintsExt.excludedSubtrees2.base.generalNameValue=
+ca.Policy.rule.NameConstraintsExt.permittedSubtrees0.max=-1
+ca.Policy.rule.NameConstraintsExt.permittedSubtrees0.min=0
+ca.Policy.rule.NameConstraintsExt.permittedSubtrees0.base.generalNameChoice=
+ca.Policy.rule.NameConstraintsExt.permittedSubtrees0.base.generalNameValue=
+ca.Policy.rule.NameConstraintsExt.permittedSubtrees1.max=-1
+ca.Policy.rule.NameConstraintsExt.permittedSubtrees1.min=0
+ca.Policy.rule.NameConstraintsExt.permittedSubtrees1.base.generalNameChoice=
+ca.Policy.rule.NameConstraintsExt.permittedSubtrees1.base.generalNameValue=
+ca.Policy.rule.NameConstraintsExt.permittedSubtrees2.max=-1
+ca.Policy.rule.NameConstraintsExt.permittedSubtrees2.min=0
+ca.Policy.rule.NameConstraintsExt.permittedSubtrees2.base.generalNameChoice=
+ca.Policy.rule.NameConstraintsExt.permittedSubtrees2.base.generalNameValue=
+ca.Policy.rule.OCSPNoCheckExt.critical=false
+ca.Policy.rule.OCSPNoCheckExt.enable=true
+ca.Policy.rule.OCSPNoCheckExt.implName=OCSPNoCheckExt
+ca.Policy.rule.OCSPNoCheckExt.predicate=HTTP_PARAMS.certType==ocspResponder
+ca.Policy.rule.OCSPSigningExt.critical=false
+ca.Policy.rule.OCSPSigningExt.enable=true
+ca.Policy.rule.OCSPSigningExt.id0=1.3.6.1.5.5.7.3.9
+ca.Policy.rule.OCSPSigningExt.implName=ExtendedKeyUsageExt
+ca.Policy.rule.OCSPSigningExt.predicate=HTTP_PARAMS.certType==ocspResponder
+ca.Policy.rule.ObjSignCertKeyUsageExt.crlSign=false
+ca.Policy.rule.ObjSignCertKeyUsageExt.dataEncipherment=false
+ca.Policy.rule.ObjSignCertKeyUsageExt.decipherOnly=false
+ca.Policy.rule.ObjSignCertKeyUsageExt.digitalSignature=true
+ca.Policy.rule.ObjSignCertKeyUsageExt.enable=true
+ca.Policy.rule.ObjSignCertKeyUsageExt.encipherOnly=false
+ca.Policy.rule.ObjSignCertKeyUsageExt.implName=KeyUsageExt
+ca.Policy.rule.ObjSignCertKeyUsageExt.keyAgreement=false
+ca.Policy.rule.ObjSignCertKeyUsageExt.keyCertsign=true
+ca.Policy.rule.ObjSignCertKeyUsageExt.keyEncipherment=false
+ca.Policy.rule.ObjSignCertKeyUsageExt.nonRepudiation=false
+ca.Policy.rule.ObjSignCertKeyUsageExt.predicate=HTTP_PARAMS.certType==objSignClient
+ca.Policy.rule.PolicyConstraintsExt.critical=false
+ca.Policy.rule.PolicyConstraintsExt.enable=false
+ca.Policy.rule.PolicyConstraintsExt.implName=PolicyConstraintsExt
+ca.Policy.rule.PolicyConstraintsExt.inhibitPolicyMapping=0
+ca.Policy.rule.PolicyConstraintsExt.predicate=HTTP_PARAMS.certType==ca
+ca.Policy.rule.PolicyConstraintsExt.reqExplicitPolicy=0
+ca.Policy.rule.PolicyMappingsExt.critical=false
+ca.Policy.rule.PolicyMappingsExt.enable=false
+ca.Policy.rule.PolicyMappingsExt.implName=PolicyMappingsExt
+ca.Policy.rule.PolicyMappingsExt.numPolicyMappings=1
+ca.Policy.rule.PolicyMappingsExt.predicate=HTTP_PARAMS.certType==ca
+ca.Policy.rule.PolicyMappingsExt.policyMap0.issuerDomainPolicy=
+ca.Policy.rule.PolicyMappingsExt.policyMap0.subjectDomainPolicy=
+ca.Policy.rule.RMCertKeyUsageExt.crlSign=false
+ca.Policy.rule.RMCertKeyUsageExt.dataEncipherment=false
+ca.Policy.rule.RMCertKeyUsageExt.decipherOnly=false
+ca.Policy.rule.RMCertKeyUsageExt.digitalSignature=true
+ca.Policy.rule.RMCertKeyUsageExt.enable=true
+ca.Policy.rule.RMCertKeyUsageExt.encipherOnly=false
+ca.Policy.rule.RMCertKeyUsageExt.implName=KeyUsageExt
+ca.Policy.rule.RMCertKeyUsageExt.keyAgreement=false
+ca.Policy.rule.RMCertKeyUsageExt.keyCertsign=false
+ca.Policy.rule.RMCertKeyUsageExt.keyEncipherment=false
+ca.Policy.rule.RMCertKeyUsageExt.nonRepudiation=true
+ca.Policy.rule.RMCertKeyUsageExt.predicate=HTTP_PARAMS.certType==ra
+ca.Policy.rule.RSAKeyRule.enable=false
+ca.Policy.rule.RSAKeyRule.exponents=3,7,17,65537
+ca.Policy.rule.RSAKeyRule.implName=RSAKeyConstraints
+ca.Policy.rule.RSAKeyRule.maxSize=2048
+ca.Policy.rule.RSAKeyRule.minSize=512
+ca.Policy.rule.RSAKeyRule.predicate=
+ca.Policy.rule.RenewalConstraintsRule.enable=true
+ca.Policy.rule.RenewalConstraintsRule.implName=RenewalConstraints
+ca.Policy.rule.RenewalConstraintsRule.predicate=
+ca.Policy.rule.RevocationConstraintsRule.enable=true
+ca.Policy.rule.RevocationConstraintsRule.implName=RevocationConstraints
+ca.Policy.rule.RevocationConstraintsRule.predicate=
+ca.Policy.rule.ServerCertKeyUsageExt.crlSign=false
+ca.Policy.rule.ServerCertKeyUsageExt.dataEncipherment=true
+ca.Policy.rule.ServerCertKeyUsageExt.decipherOnly=false
+ca.Policy.rule.ServerCertKeyUsageExt.digitalSignature=true
+ca.Policy.rule.ServerCertKeyUsageExt.enable=true
+ca.Policy.rule.ServerCertKeyUsageExt.encipherOnly=false
+ca.Policy.rule.ServerCertKeyUsageExt.implName=KeyUsageExt
+ca.Policy.rule.ServerCertKeyUsageExt.keyAgreement=false
+ca.Policy.rule.ServerCertKeyUsageExt.keyCertsign=false
+ca.Policy.rule.ServerCertKeyUsageExt.keyEncipherment=true
+ca.Policy.rule.ServerCertKeyUsageExt.nonRepudiation=true
+ca.Policy.rule.ServerCertKeyUsageExt.predicate=HTTP_PARAMS.certType==server
+ca.Policy.rule.SigningAlgRule.algorithms=MD5withRSA,MD2withRSA,SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1withEC
+ca.Policy.rule.SigningAlgRule.enable=true
+ca.Policy.rule.SigningAlgRule.implName=SigningAlgorithmConstraints
+ca.Policy.rule.SigningAlgRule.predicate=
+ca.Policy.rule.SubCANameConstraints.enable=true
+ca.Policy.rule.SubCANameConstraints.implName=SubCANameConstraints
+ca.Policy.rule.SubCANameConstraints.predicate=HTTP_PARAMS.certType == ca
+ca.Policy.rule.SubjectAltNameExt.enable=true
+ca.Policy.rule.SubjectAltNameExt.implName=SubjectAltNameExt
+ca.Policy.rule.SubjectAltNameExt.numGeneralNames=3
+ca.Policy.rule.SubjectAltNameExt.predicate=HTTP_PARAMS.certType!=CEP-Request
+ca.Policy.rule.SubjectAltNameExt.generalName0.generalNameChoice=rfc822Name
+ca.Policy.rule.SubjectAltNameExt.generalName0.requestAttr=AUTH_TOKEN.mail
+ca.Policy.rule.SubjectAltNameExt.generalName1.generalNameChoice=rfc822Name
+ca.Policy.rule.SubjectAltNameExt.generalName1.requestAttr=AUTH_TOKEN.mailalternateaddress
+ca.Policy.rule.SubjectAltNameExt.generalName2.generalNameChoice=rfc822Name
+ca.Policy.rule.SubjectAltNameExt.generalName2.requestAttr=HTTP_PARAMS.csrRequestorEmail
+ca.Policy.rule.SubjectKeyIdentifierExt.enable=true
+ca.Policy.rule.SubjectKeyIdentifierExt.implName=SubjectKeyIdentifierExt
+ca.Policy.rule.SubjectKeyIdentifierExt.predicate=HTTP_PARAMS.certType==ca
+ca.Policy.rule.UniqueSubjectNameConstraints.enable=false
+ca.Policy.rule.UniqueSubjectNameConstraints.implName=UniqueSubjectNameConstraints
+ca.Policy.rule.UniqueSubjectNameConstraints.predicate=
+ca.crl._000=##
+ca.crl._001=## CA CRL
+ca.crl._002=##
+ca.crl.MasterCRL.allowExtensions=true
+ca.crl.MasterCRL.alwaysUpdate=false
+ca.crl.MasterCRL.autoUpdateInterval=240
+ca.crl.MasterCRL.caCertsOnly=false
+ca.crl.MasterCRL.cacheUpdateInterval=15
+ca.crl.MasterCRL.class=com.netscape.ca.CRLIssuingPoint
+ca.crl.MasterCRL.dailyUpdates=3:45
+ca.crl.MasterCRL.description=CA's complete Certificate Revocation List
+ca.crl.MasterCRL.enable=true
+ca.crl.MasterCRL.enableCRLCache=true
+ca.crl.MasterCRL.enableCRLUpdates=true
+ca.crl.MasterCRL.enableCacheRecovery=false
+ca.crl.MasterCRL.enableDailyUpdates=false
+ca.crl.MasterCRL.enableUpdateInterval=true
+ca.crl.MasterCRL.extendedNextUpdate=true
+ca.crl.MasterCRL.includeExpiredCerts=false
+ca.crl.MasterCRL.minUpdateInterval=0
+ca.crl.MasterCRL.nextUpdateGracePeriod=0
+ca.crl.MasterCRL.publishOnStart=false
+ca.crl.MasterCRL.signingAlgorithm=SHA1withRSA
+ca.crl.MasterCRL.updateSchema=1
+ca.crl.MasterCRL.extension.AuthorityKeyIdentifier.class=com.netscape.cms.crl.CMSAuthorityKeyIdentifierExtension
+ca.crl.MasterCRL.extension.AuthorityKeyIdentifier.critical=false
+ca.crl.MasterCRL.extension.AuthorityKeyIdentifier.enable=false
+ca.crl.MasterCRL.extension.AuthorityKeyIdentifier.type=CRLExtension
+ca.crl.MasterCRL.extension.CRLNumber.class=com.netscape.cms.crl.CMSCRLNumberExtension
+ca.crl.MasterCRL.extension.CRLNumber.critical=false
+ca.crl.MasterCRL.extension.CRLNumber.enable=true
+ca.crl.MasterCRL.extension.CRLNumber.type=CRLExtension
+ca.crl.MasterCRL.extension.CRLReason.class=com.netscape.cms.crl.CMSCRLReasonExtension
+ca.crl.MasterCRL.extension.CRLReason.critical=false
+ca.crl.MasterCRL.extension.CRLReason.enable=true
+ca.crl.MasterCRL.extension.CRLReason.type=CRLEntryExtension
+ca.crl.MasterCRL.extension.DeltaCRLIndicator.class=com.netscape.cms.crl.CMSDeltaCRLIndicatorExtension
+ca.crl.MasterCRL.extension.DeltaCRLIndicator.critical=true
+ca.crl.MasterCRL.extension.DeltaCRLIndicator.enable=false
+ca.crl.MasterCRL.extension.DeltaCRLIndicator.type=CRLExtension
+ca.crl.MasterCRL.extension.FreshestCRL.class=com.netscape.cms.crl.CMSFreshestCRLExtension
+ca.crl.MasterCRL.extension.FreshestCRL.critical=false
+ca.crl.MasterCRL.extension.FreshestCRL.enable=false
+ca.crl.MasterCRL.extension.FreshestCRL.numPoints=0
+ca.crl.MasterCRL.extension.FreshestCRL.pointName0=
+ca.crl.MasterCRL.extension.FreshestCRL.pointType0=
+ca.crl.MasterCRL.extension.FreshestCRL.type=CRLExtension
+ca.crl.MasterCRL.extension.HoldInstruction.class=com.netscape.cms.crl.CMSHoldInstructionExtension
+ca.crl.MasterCRL.extension.HoldInstruction.critical=false
+ca.crl.MasterCRL.extension.HoldInstruction.enable=false
+ca.crl.MasterCRL.extension.HoldInstruction.instruction=none
+ca.crl.MasterCRL.extension.HoldInstruction.type=CRLEntryExtension
+ca.crl.MasterCRL.extension.InvalidityDate.class=com.netscape.cms.crl.CMSInvalidityDateExtension
+ca.crl.MasterCRL.extension.InvalidityDate.critical=false
+ca.crl.MasterCRL.extension.InvalidityDate.enable=true
+ca.crl.MasterCRL.extension.InvalidityDate.type=CRLEntryExtension
+ca.crl.MasterCRL.extension.IssuerAlternativeName.class=com.netscape.cms.crl.CMSIssuerAlternativeNameExtension
+ca.crl.MasterCRL.extension.IssuerAlternativeName.critical=false
+ca.crl.MasterCRL.extension.IssuerAlternativeName.enable=false
+ca.crl.MasterCRL.extension.IssuerAlternativeName.name0=
+ca.crl.MasterCRL.extension.IssuerAlternativeName.nameType0=
+ca.crl.MasterCRL.extension.IssuerAlternativeName.numNames=0
+ca.crl.MasterCRL.extension.IssuerAlternativeName.type=CRLExtension
+ca.crl.MasterCRL.extension.IssuingDistributionPoint.class=com.netscape.cms.crl.CMSIssuingDistributionPointExtension
+ca.crl.MasterCRL.extension.IssuingDistributionPoint.critical=true
+ca.crl.MasterCRL.extension.IssuingDistributionPoint.enable=false
+ca.crl.MasterCRL.extension.IssuingDistributionPoint.indirectCRL=false
+ca.crl.MasterCRL.extension.IssuingDistributionPoint.onlyContainsCACerts=false
+ca.crl.MasterCRL.extension.IssuingDistributionPoint.onlyContainsUserCerts=false
+ca.crl.MasterCRL.extension.IssuingDistributionPoint.onlySomeReasons=
+ca.crl.MasterCRL.extension.IssuingDistributionPoint.pointName=
+ca.crl.MasterCRL.extension.IssuingDistributionPoint.pointType=
+ca.crl.MasterCRL.extension.IssuingDistributionPoint.type=CRLExtension
+ca.notification.certIssued.emailSubject=Your Certificate Request
+ca.notification.certIssued.emailTemplate=[PKI_INSTANCE_PATH]/emails/certIssued_CA.html
+ca.notification.certIssued.enabled=false
+ca.notification.certIssued.senderEmail=
+ca.notification.certRevoked.emailSubject=Your Certificate Revoked
+ca.notification.certRevoked.emailTemplate=[PKI_INSTANCE_PATH]/emails/certRevoked_CA.html
+ca.notification.certRevoked.enabled=false
+ca.notification.certRevoked.senderEmail=
+ca.notification.requestInQ.emailSubject=Certificate Request in Queue
+ca.notification.requestInQ.emailTemplate=[PKI_INSTANCE_PATH]/emails/reqInQueue_CA.html
+ca.notification.requestInQ.enabled=false
+ca.notification.requestInQ.recipientEmail=
+ca.notification.requestInQ.senderEmail=
+ca.ocsp_signing.cacertnickname=ocspSigningCert cert-[PKI_INSTANCE_ID]
+ca.ocsp_signing.defaultSigningAlgorithm=SHA1withRSA
+ca.ocsp_signing.tokenname=internal
+ca.publish.createOwnDNEntry=false
+ca.publish.mapper.impl.LdapCaSimpleMap.class=com.netscape.cms.publish.mappers.LdapCaSimpleMap
+ca.publish.mapper.impl.LdapDNCompsMap.class=com.netscape.cms.publish.mappers.LdapCertCompsMap
+ca.publish.mapper.impl.LdapDNExactMap.class=com.netscape.cms.publish.mappers.LdapCertExactMap
+ca.publish.mapper.impl.LdapEnhancedMap.class=com.netscape.cms.publish.mappers.LdapEnhancedMap
+ca.publish.mapper.impl.LdapSimpleMap.class=com.netscape.cms.publish.mappers.LdapSimpleMap
+ca.publish.mapper.impl.LdapSubjAttrMap.class=com.netscape.cms.publish.mappers.LdapCertSubjMap
+ca.publish.mapper.impl.NoMap.class=com.netscape.cms.publish.mappers.NoMap
+ca.publish.mapper.instance.LdapCaCertMap.createCAEntry=true
+ca.publish.mapper.instance.LdapCaCertMap.dnPattern=UID=$subj.cn,OU=people,O=$subj.o
+ca.publish.mapper.instance.LdapCaCertMap.pluginName=LdapCaSimpleMap
+ca.publish.mapper.instance.LdapCrlMap.createCAEntry=true
+ca.publish.mapper.instance.LdapCrlMap.dnPattern=UID=$subj.cn,OU=people,O=$subj.o
+ca.publish.mapper.instance.LdapCrlMap.pluginName=LdapCaSimpleMap
+ca.publish.mapper.instance.LdapUserCertMap.dnPattern=UID=$subj.UID,OU=people,O=$subj.o
+ca.publish.mapper.instance.LdapUserCertMap.pluginName=LdapSimpleMap
+ca.publish.mapper.instance.NoMap.pluginName=NoMap
+ca.publish.publisher.impl.FileBasedPublisher.class=com.netscape.cms.publish.publishers.FileBasedPublisher
+ca.publish.publisher.impl.LdapCaCertPublisher.class=com.netscape.cms.publish.publishers.LdapCaCertPublisher
+ca.publish.publisher.impl.LdapCertificatePairPublisher.class=com.netscape.cms.publish.publishers.LdapCertificatePairPublisher
+ca.publish.publisher.impl.LdapCrlPublisher.class=com.netscape.cms.publish.publishers.LdapCrlPublisher
+ca.publish.publisher.impl.LdapDeltaCrlPublisher.class=com.netscape.cms.publish.publishers.LdapCrlPublisher
+ca.publish.publisher.impl.LdapUserCertPublisher.class=com.netscape.cms.publish.publishers.LdapUserCertPublisher
+ca.publish.publisher.impl.OCSPPublisher.class=com.netscape.cms.publish.publishers.OCSPPublisher
+ca.publish.publisher.instance.LdapCaCertPublisher.caCertAttr=caCertificate;binary
+ca.publish.publisher.instance.LdapCaCertPublisher.caObjectClass=certificationAuthority
+ca.publish.publisher.instance.LdapCaCertPublisher.pluginName=LdapCaCertPublisher
+ca.publish.publisher.instance.LdapCrlPublisher.crlAttr=certificateRevocationList;binary
+ca.publish.publisher.instance.LdapCrlPublisher.pluginName=LdapCrlPublisher
+ca.publish.publisher.instance.LdapCrossCertPairPublisher.caObjectClass=certificationAuthority
+ca.publish.publisher.instance.LdapCrossCertPairPublisher.crossCertPairAttr=crossCertificatePair;binary
+ca.publish.publisher.instance.LdapCrossCertPairPublisher.pluginName=LdapCertificatePairPublisher
+ca.publish.publisher.instance.LdapDeltaCrlPublisher.crlAttr=deltaRevocationList;binary
+ca.publish.publisher.instance.LdapDeltaCrlPublisher.pluginName=LdapDeltaCrlPublisher
+ca.publish.publisher.instance.LdapUserCertPublisher.certAttr=userCertificate;binary
+ca.publish.publisher.instance.LdapUserCertPublisher.pluginName=LdapUserCertPublisher
+ca.publish.rule.impl.Rule.class=com.netscape.cmscore.ldap.LdapRule
+ca.publish.rule.instance.LdapCaCertRule.enable=true
+ca.publish.rule.instance.LdapCaCertRule.mapper=LdapCaCertMap
+ca.publish.rule.instance.LdapCaCertRule.pluginName=Rule
+ca.publish.rule.instance.LdapCaCertRule.predicate=
+ca.publish.rule.instance.LdapCaCertRule.publisher=LdapCaCertPublisher
+ca.publish.rule.instance.LdapCaCertRule.type=cacert
+ca.publish.rule.instance.LdapCrlRule.enable=true
+ca.publish.rule.instance.LdapCrlRule.mapper=LdapCrlMap
+ca.publish.rule.instance.LdapCrlRule.pluginName=Rule
+ca.publish.rule.instance.LdapCrlRule.predicate=
+ca.publish.rule.instance.LdapCrlRule.publisher=LdapCrlPublisher
+ca.publish.rule.instance.LdapCrlRule.type=crl
+ca.publish.rule.instance.LdapUserCertRule.enable=true
+ca.publish.rule.instance.LdapUserCertRule.mapper=LdapUserCertMap
+ca.publish.rule.instance.LdapUserCertRule.pluginName=Rule
+ca.publish.rule.instance.LdapUserCertRule.predicate=
+ca.publish.rule.instance.LdapUserCertRule.publisher=LdapUserCertPublisher
+ca.publish.rule.instance.LdapUserCertRule.type=certs
+ca.publish.rule.instance.LdapXCertRule.enable=true
+ca.publish.rule.instance.LdapXCertRule.mapper=LdapCaCertMap
+ca.publish.rule.instance.LdapXCertRule.pluginName=Rule
+ca.publish.rule.instance.LdapXCertRule.predicate=
+ca.publish.rule.instance.LdapXCertRule.publisher=LdapCrossCertPairPublisher
+ca.publish.rule.instance.LdapXCertRule.type=xcert
+cmc.cert.confirmRequired=false
+cmc.lraPopWitness.verify.allow=true
+cmc.revokeCert.verify=true
+cmc.revokeCert.sharedSecret.class=com.netscape.cms.authentication.SharedSecret
+cmc.sharedSecret.class=com.netscape.cms.authentication.SharedSecret
+cms.version=
+cmsgateway.enableAdminEnroll=false
+https.port=8443
+http.port=8080
+dbs.beginRequestNumber=1
+dbs.endRequestNumber=10000000
+dbs.requestNumber.increment=10000000
+dbs.beginSerialNumber=1
+dbs.endSerialNumber=10000000
+dbs.serialNumber.increment=10000000
+dbs.ldap=internaldb
+dbs.newSchemaEntryAdded=true
+debug.append=true
+debug.enabled=true
+debug.filename=[PKI_INSTANCE_PATH]/logs/debug
+debug.hashkeytypes=
+debug.level=0
+debug.showcaller=false
+internaldb._000=##
+internaldb._001=## Internal Database
+internaldb._002=##
+internaldb.basedn=
+internaldb.maxConns=15
+internaldb.minConns=3
+internaldb.ldapauth.authtype=BasicAuth
+internaldb.ldapauth.bindDN=cn=Directory Manager
+internaldb.ldapauth.bindPWPrompt=Internal LDAP Database
+internaldb.ldapauth.clientCertNickname=
+internaldb.ldapconn.host=
+internaldb.ldapconn.port=
+internaldb.ldapconn.secureConn=false
+preop.internaldb.ldif=/usr/share/[PKI_FLAVOR]/ca/conf/schema.ldif,/usr/share/[PKI_FLAVOR]/ca/conf/database.ldif
+preop.internaldb.data_ldif=/usr/share/[PKI_FLAVOR]/ca/conf/db.ldif,/usr/share/[PKI_FLAVOR]/ca/conf/acl.ldif
+preop.internaldb.index_ldif=
+preop.internaldb.post_ldif=/usr/share/[PKI_FLAVOR]/ca/conf/index.ldif,/usr/share/[PKI_FLAVOR]/ca/conf/vlv.ldif,/usr/share/[PKI_FLAVOR]/ca/conf/vlvtasks.ldif
+preop.internaldb.wait_dn=cn=index1160589780, cn=index, cn=tasks, cn=config
+internaldb.multipleSuffix.enable=false
+jobsScheduler._000=##
+jobsScheduler._001=## jobScheduler
+jobsScheduler._002=##
+jobsScheduler.enabled=false
+jobsScheduler.interval=1
+jobsScheduler.impl.PublishCertsJob.class=com.netscape.cms.jobs.PublishCertsJob
+jobsScheduler.impl.RenewalNotificationJob.class=com.netscape.cms.jobs.RenewalNotificationJob
+jobsScheduler.impl.RequestInQueueJob.class=com.netscape.cms.jobs.RequestInQueueJob
+jobsScheduler.impl.UnpublishExpiredJob.class=com.netscape.cms.jobs.UnpublishExpiredJob
+jobsScheduler.job.certRenewalNotifier.cron=0 3 * * 1-5
+jobsScheduler.job.certRenewalNotifier.emailSubject=Certificate Renewal Notification
+jobsScheduler.job.certRenewalNotifier.emailTemplate=[PKI_INSTANCE_PATH]/emails/rnJob1.txt
+jobsScheduler.job.certRenewalNotifier.enabled=false
+jobsScheduler.job.certRenewalNotifier.notifyEndOffset=30
+jobsScheduler.job.certRenewalNotifier.notifyTriggerOffset=30
+jobsScheduler.job.certRenewalNotifier.pluginName=RenewalNotificationJob
+jobsScheduler.job.certRenewalNotifier.senderEmail=
+jobsScheduler.job.certRenewalNotifier.summary.emailSubject=Certificate Renewal Notification Summary
+jobsScheduler.job.certRenewalNotifier.summary.emailTemplate=[PKI_INSTANCE_PATH]/emails/rnJob1Summary.txt
+jobsScheduler.job.certRenewalNotifier.summary.enabled=true
+jobsScheduler.job.certRenewalNotifier.summary.itemTemplate=[PKI_INSTANCE_PATH]/emails/rnJob1Item.txt
+jobsScheduler.job.certRenewalNotifier.summary.recipientEmail=
+jobsScheduler.job.certRenewalNotifier.summary.senderEmail=
+jobsScheduler.job.publishCerts.cron=0 0 * * 2
+jobsScheduler.job.publishCerts.enabled=false
+jobsScheduler.job.publishCerts.pluginName=PublishCertsJob
+jobsScheduler.job.publishCerts.summary.emailSubject=Certs Publishing Summary
+jobsScheduler.job.publishCerts.summary.emailTemplate=[PKI_INSTANCE_PATH]/emails/publishCerts.html
+jobsScheduler.job.publishCerts.summary.enabled=true
+jobsScheduler.job.publishCerts.summary.itemTemplate=[PKI_INSTANCE_PATH]/emails/publishCertsItem.html
+jobsScheduler.job.publishCerts.summary.recipientEmail=
+jobsScheduler.job.publishCerts.summary.senderEmail=
+jobsScheduler.job.requestInQueueNotifier.cron=0 0 * * 0
+jobsScheduler.job.requestInQueueNotifier.enabled=false
+jobsScheduler.job.requestInQueueNotifier.pluginName=RequestInQueueJob
+jobsScheduler.job.requestInQueueNotifier.subsystemId=ca
+jobsScheduler.job.requestInQueueNotifier.summary.emailSubject=Requests in Queue Summary Report
+jobsScheduler.job.requestInQueueNotifier.summary.emailTemplate=[PKI_INSTANCE_PATH]/emails/riq1Summary.html
+jobsScheduler.job.requestInQueueNotifier.summary.enabled=true
+jobsScheduler.job.requestInQueueNotifier.summary.recipientEmail=
+jobsScheduler.job.requestInQueueNotifier.summary.senderEmail=
+jobsScheduler.job.unpublishExpiredCerts.cron=0 0 * * 6
+jobsScheduler.job.unpublishExpiredCerts.enabled=false
+jobsScheduler.job.unpublishExpiredCerts.pluginName=UnpublishExpiredJob
+jobsScheduler.job.unpublishExpiredCerts.summary.emailSubject=Expired Certs Unpublished Summary
+jobsScheduler.job.unpublishExpiredCerts.summary.emailTemplate=[PKI_INSTANCE_PATH]/emails/euJob1.html
+jobsScheduler.job.unpublishExpiredCerts.summary.enabled=true
+jobsScheduler.job.unpublishExpiredCerts.summary.itemTemplate=[PKI_INSTANCE_PATH]/emails/euJob1Item.html
+jobsScheduler.job.unpublishExpiredCerts.summary.recipientEmail=
+jobsScheduler.job.unpublishExpiredCerts.summary.senderEmail=
+jss._000=##
+jss._001=## JSS
+jss._002=##
+jss.configDir=[PKI_INSTANCE_PATH]/alias/
+jss.enable=true
+jss.secmodName=secmod.db
+jss.ocspcheck.enable=false
+jss.ssl.cipherfortezza=true
+jss.ssl.cipherpref=
+jss.ssl.cipherversion=cipherdomestic
+log._000=##
+log._001=## Logging
+log._002=##
+log.impl.file.class=com.netscape.cms.logging.RollingLogFile
+log.instance.SignedAudit._000=##
+log.instance.SignedAudit._001=## Signed Audit Logging
+log.instance.SignedAudit._002=##
+log.instance.SignedAudit.bufferSize=512
+log.instance.SignedAudit.enable=true
+log.instance.SignedAudit.events=AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,LOG_EXPIRATION_CHANGE,PRIVATE_KEY_ARCHIVE,PRIVATE_KEY_ARCHIVE_PROCESSED,KEY_RECOVERY_REQUEST,KEY_RECOVERY_AGENT_LOGIN,KEY_RECOVERY_PROCESSED,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ_SUCCESS,AUTHZ_FAIL,INTER_BOUNDARY,AUTH_FAIL,AUTH_SUCCESS,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,SERVER_SIDE_KEYGEN_PROCESSED,SERVER_SIDE_KEYGEN_REQUEST
+log.instance.SignedAudit.expirationTime=0
+log.instance.SignedAudit.fileName=[PKI_INSTANCE_PATH]/logs/signedAudit/ca_audit
+log.instance.SignedAudit.flushInterval=5
+log.instance.SignedAudit.level=1
+log.instance.SignedAudit.logSigning=false
+log.instance.SignedAudit.maxFileSize=2000
+log.instance.SignedAudit.pluginName=file
+log.instance.SignedAudit.rolloverInterval=2592000
+log.instance.SignedAudit.signedAudit=_002=##
+log.instance.SignedAudit.signedAuditCertNickname=
+log.instance.SignedAudit.type=signedAudit
+log.instance.System._000=##
+log.instance.System._001=## System Logging
+log.instance.System._002=##
+log.instance.System.bufferSize=512
+log.instance.System.enable=true
+log.instance.System.expirationTime=0
+log.instance.System.fileName=[PKI_INSTANCE_PATH]/logs/system
+log.instance.System.flushInterval=5
+log.instance.System.level=3
+log.instance.System.maxFileSize=2000
+log.instance.System.pluginName=file
+log.instance.System.rolloverInterval=2592000
+log.instance.System.type=system
+log.instance.Transactions._000=##
+log.instance.Transactions._001=## Transaction Logging
+log.instance.Transactions._002=##
+log.instance.Transactions.bufferSize=512
+log.instance.Transactions.enable=true
+log.instance.Transactions.expirationTime=0
+log.instance.Transactions.fileName=[PKI_INSTANCE_PATH]/logs/transactions
+log.instance.Transactions.flushInterval=5
+log.instance.Transactions.level=1
+log.instance.Transactions.maxFileSize=2000
+log.instance.Transactions.pluginName=file
+log.instance.Transactions.rolloverInterval=2592000
+log.instance.Transactions.type=transaction
+logAudit.fileName=[PKI_INSTANCE_PATH]/logs/access
+logError.fileName=[PKI_INSTANCE_PATH]/logs/error
+oidmap.auth_info_access.class=netscape.security.extensions.AuthInfoAccessExtension
+oidmap.auth_info_access.oid=1.3.6.1.5.5.7.1.1
+oidmap.challenge_password.class=com.netscape.cms.servlet.cert.scep.ChallengePassword
+oidmap.challenge_password.oid=1.2.840.113549.1.9.7
+oidmap.extended_key_usage.class=netscape.security.extensions.ExtendedKeyUsageExtension
+oidmap.extended_key_usage.oid=2.5.29.37
+oidmap.extensions_requested_pkcs9.class=com.netscape.cms.servlet.cert.scep.ExtensionsRequested
+oidmap.extensions_requested_pkcs9.oid=1.2.840.113549.1.9.14
+oidmap.extensions_requested_vsgn.class=com.netscape.cms.servlet.cert.scep.ExtensionsRequested
+oidmap.extensions_requested_vsgn.oid=2.16.840.1.113733.1.9.8
+oidmap.netscape_comment.class=netscape.security.x509.NSCCommentExtension
+oidmap.netscape_comment.oid=2.16.840.1.113730.1.13
+oidmap.ocsp_no_check.class=netscape.security.extensions.OCSPNoCheckExtension
+oidmap.ocsp_no_check.oid=1.3.6.1.5.5.7.48.1.5
+oidmap.pse.class=netscape.security.extensions.PresenceServerExtension
+oidmap.pse.oid=2.16.840.1.113730.1.18
+oidmap.subject_info_access.class=netscape.security.extensions.SubjectInfoAccessExtension
+oidmap.subject_info_access.oid=1.3.6.1.5.5.7.1.11
+os.userid=nobody
+profile.list=caUserCert,caDualCert,caSignedLogCert,caTPSCert,caRARouterCert,caRouterCert,caServerCert,caOtherCert,caCACert,caInstallCACert,caRACert,caOCSPCert,caTransportCert,caDirUserCert,caAgentServerCert,caAgentFileSigning,caCMCUserCert,caFullCMCUserCert,caSimpleCMCUserCert,caTokenDeviceKeyEnrollment,caTokenUserEncryptionKeyEnrollment,caTokenUserSigningKeyEnrollment,caTempTokenDeviceKeyEnrollment,caTempTokenUserEncryptionKeyEnrollment,caTempTokenUserSigningKeyEnrollment,caAdminCert,caInternalAuthServerCert,caInternalAuthTransportCert,caInternalAuthDRMstorageCert,caInternalAuthSubsystemCert,caInternalAuthOCSPCert,DomainController,caDualRAuserCert,caRAagentCert,caRAserverCert
+profile.DomainController.class_id=caEnrollImpl
+profile.DomainController.config=[PKI_INSTANCE_PATH]/profiles/ca/DomainController.cfg
+profile.caAgentFileSigning.class_id=caEnrollImpl
+profile.caAgentFileSigning.config=[PKI_INSTANCE_PATH]/profiles/ca/caAgentFileSigning.cfg
+profile.caAgentServerCert.class_id=caEnrollImpl
+profile.caAgentServerCert.config=[PKI_INSTANCE_PATH]/profiles/ca/caAgentServerCert.cfg
+profile.caRAserverCert.class_id=caEnrollImpl
+profile.caRAserverCert.config=[PKI_INSTANCE_PATH]/profiles/ca/caRAserverCert.cfg
+profile.caCACert.class_id=caEnrollImpl
+profile.caCACert.config=[PKI_INSTANCE_PATH]/profiles/ca/caCACert.cfg
+profile.caInstallCACert.class_id=caEnrollImpl
+profile.caInstallCACert.config=[PKI_INSTANCE_PATH]/profiles/ca/caInstallCACert.cfg
+profile.caCMCUserCert.class_id=caEnrollImpl
+profile.caCMCUserCert.config=[PKI_INSTANCE_PATH]/profiles/ca/caCMCUserCert.cfg
+profile.caDirUserCert.class_id=caEnrollImpl
+profile.caDirUserCert.config=[PKI_INSTANCE_PATH]/profiles/ca/caDirUserCert.cfg
+profile.caDualCert.class_id=caEnrollImpl
+profile.caDualCert.config=[PKI_INSTANCE_PATH]/profiles/ca/caDualCert.cfg
+profile.caDualRAuserCert.class_id=caEnrollImpl
+profile.caDualRAuserCert.config=[PKI_INSTANCE_PATH]/profiles/ca/caDualRAuserCert.cfg
+profile.caRAagentCert.class_id=caEnrollImpl
+profile.caRAagentCert.config=[PKI_INSTANCE_PATH]/profiles/ca/caRAagentCert.cfg
+profile.caFullCMCUserCert.class_id=caEnrollImpl
+profile.caFullCMCUserCert.config=[PKI_INSTANCE_PATH]/profiles/ca/caFullCMCUserCert.cfg
+profile.caInternalAuthOCSPCert.class_id=caEnrollImpl
+profile.caInternalAuthOCSPCert.config=[PKI_INSTANCE_PATH]/profiles/ca/caInternalAuthOCSPCert.cfg
+profile.caInternalAuthServerCert.class_id=caEnrollImpl
+profile.caInternalAuthServerCert.config=[PKI_INSTANCE_PATH]/profiles/ca/caInternalAuthServerCert.cfg
+profile.caInternalAuthSubsystemCert.class_id=caEnrollImpl
+profile.caInternalAuthSubsystemCert.config=[PKI_INSTANCE_PATH]/profiles/ca/caInternalAuthSubsystemCert.cfg
+profile.caInternalAuthDRMstorageCert.class_id=caEnrollImpl
+profile.caInternalAuthDRMstorageCert.config=[PKI_INSTANCE_PATH]/profiles/ca/caInternalAuthDRMstorageCert.cfg
+profile.caInternalAuthTransportCert.class_id=caEnrollImpl
+profile.caInternalAuthTransportCert.config=[PKI_INSTANCE_PATH]/profiles/ca/caInternalAuthTransportCert.cfg
+profile.caOCSPCert.class_id=caEnrollImpl
+profile.caOCSPCert.config=[PKI_INSTANCE_PATH]/profiles/ca/caOCSPCert.cfg
+profile.caOtherCert.class_id=caEnrollImpl
+profile.caOtherCert.config=[PKI_INSTANCE_PATH]/profiles/ca/caOtherCert.cfg
+profile.caRACert.class_id=caEnrollImpl
+profile.caRACert.config=[PKI_INSTANCE_PATH]/profiles/ca/caRACert.cfg
+profile.caRARouterCert.class_id=caEnrollImpl
+profile.caRARouterCert.config=[PKI_INSTANCE_PATH]/profiles/ca/caRARouterCert.cfg
+profile.caRouterCert.class_id=caEnrollImpl
+profile.caRouterCert.config=[PKI_INSTANCE_PATH]/profiles/ca/caRouterCert.cfg
+profile.caServerCert.class_id=caEnrollImpl
+profile.caServerCert.config=[PKI_INSTANCE_PATH]/profiles/ca/caServerCert.cfg
+profile.caSignedLogCert.class_id=caEnrollImpl
+profile.caSignedLogCert.config=[PKI_INSTANCE_PATH]/profiles/ca/caSignedLogCert.cfg
+profile.caSimpleCMCUserCert.class_id=caEnrollImpl
+profile.caSimpleCMCUserCert.config=[PKI_INSTANCE_PATH]/profiles/ca/caSimpleCMCUserCert.cfg
+profile.caTPSCert.class_id=caEnrollImpl
+profile.caTPSCert.config=[PKI_INSTANCE_PATH]/profiles/ca/caTPSCert.cfg
+profile.caAdminCert.class_id=caEnrollImpl
+profile.caAdminCert.config=[PKI_INSTANCE_PATH]/profiles/ca/caAdminCert.cfg
+profile.caTempTokenDeviceKeyEnrollment.class_id=caUserCertEnrollImpl
+profile.caTempTokenDeviceKeyEnrollment.config=[PKI_INSTANCE_PATH]/profiles/ca/caTempTokenDeviceKeyEnrollment.cfg
+profile.caTempTokenUserEncryptionKeyEnrollment.class_id=caUserCertEnrollImpl
+profile.caTempTokenUserEncryptionKeyEnrollment.config=[PKI_INSTANCE_PATH]/profiles/ca/caTempTokenUserEncryptionKeyEnrollment.cfg
+profile.caTempTokenUserSigningKeyEnrollment.class_id=caUserCertEnrollImpl
+profile.caTempTokenUserSigningKeyEnrollment.config=[PKI_INSTANCE_PATH]/profiles/ca/caTempTokenUserSigningKeyEnrollment.cfg
+profile.caTokenDeviceKeyEnrollment.class_id=caUserCertEnrollImpl
+profile.caTokenDeviceKeyEnrollment.config=[PKI_INSTANCE_PATH]/profiles/ca/caTokenDeviceKeyEnrollment.cfg
+profile.caTokenUserEncryptionKeyEnrollment.class_id=caUserCertEnrollImpl
+profile.caTokenUserEncryptionKeyEnrollment.config=[PKI_INSTANCE_PATH]/profiles/ca/caTokenUserEncryptionKeyEnrollment.cfg
+profile.caTokenUserSigningKeyEnrollment.class_id=caUserCertEnrollImpl
+profile.caTokenUserSigningKeyEnrollment.config=[PKI_INSTANCE_PATH]/profiles/ca/caTokenUserSigningKeyEnrollment.cfg
+profile.caTransportCert.class_id=caEnrollImpl
+profile.caTransportCert.config=[PKI_INSTANCE_PATH]/profiles/ca/caTransportCert.cfg
+profile.caUserCert.class_id=caEnrollImpl
+profile.caUserCert.config=[PKI_INSTANCE_PATH]/profiles/ca/caUserCert.cfg
+registry.file=[PKI_INSTANCE_PATH]/conf/registry.cfg
+request.assignee.enable=true
+selftests._000=##
+selftests._001=## Self Tests
+selftests._002=##
+selftests.container.instance.CAPresence=com.netscape.cms.selftests.ca.CAPresence
+selftests.container.instance.CAValidity=com.netscape.cms.selftests.ca.CAValidity
+selftests.container.logger.bufferSize=512
+selftests.container.logger.class=com.netscape.cms.logging.RollingLogFile
+selftests.container.logger.enable=true
+selftests.container.logger.expirationTime=0
+selftests.container.logger.fileName=[PKI_INSTANCE_PATH]/logs/selftests.log
+selftests.container.logger.flushInterval=5
+selftests.container.logger.level=1
+selftests.container.logger.maxFileSize=2000
+selftests.container.logger.register=false
+selftests.container.logger.rolloverInterval=2592000
+selftests.container.logger.type=transaction
+selftests.container.order.onDemand=CAPresence:critical, CAValidity:critical
+selftests.container.order.startup=CAPresence:critical, CAValidity:critical
+selftests.plugin.CAPresence.CaSubId=ca
+selftests.plugin.CAValidity.CaSubId=ca
+smtp.host=localhost
+smtp.port=25
+subsystem.0.class=com.netscape.ca.CertificateAuthority
+subsystem.0.id=ca
+subsystem.1.class=com.netscape.cmscore.profile.ProfileSubsystem
+subsystem.1.id=profile
+subsystem.2.class=com.netscape.cmscore.selftests.SelfTestSubsystem
+subsystem.2.id=selftests
+subsystem.3.class=com.netscape.cmscore.cert.CrossCertPairSubsystem
+subsystem.3.id=CrossCertPair
+subsystem.4.class=com.netscape.cmscore.util.StatsSubsystem
+subsystem.4.id=stats
+usrgrp._000=##
+usrgrp._001=## User/Group
+usrgrp._002=##
+usrgrp.ldap=internaldb
diff --git a/pki/base/ca/shared/conf/acl.ldif b/pki/base/ca/shared/conf/acl.ldif
new file mode 100644
index 000000000..edacc0147
--- /dev/null
+++ b/pki/base/ca/shared/conf/acl.ldif
@@ -0,0 +1,53 @@
+dn: cn=aclResources,{rootSuffix}
+objectClass: top
+objectClass: CertACLS
+cn: aclResources
+resourceACLS: certServer.usrgrp.administration:read,modify:allow (read) group="Administrators" || group="Auditors" || group="Certificate Manager Agents" || group="Registration Manager Agents" || group="Data Recovery Manager Agents" || group="Online Certificate Status Manager Agents";allow (modify) group="Administrators":Administrators, auditors, and agents are allowed to read user and group configuration but only administrators are allowed to modify
+resourceACLS: certServer.general.configuration:read,modify:allow (read) group="Administrators" || group="Auditors" || group="Certificate Manager Agents" || group="Registration Manager Agents" || group="Data Recovery Manager Agents" || group="Online Certificate Status Manager Agents";allow (modify) group="Administrators":Administrators, auditors, and agents are allowed to read CMS general configuration but only administrators are allowed to modify
+resourceACLS: certServer.policy.configuration:read,modify:allow (read) group="Administrators" || group="Certificate Manager Agents" || group="Registration Manager Agents" || group="Data Recovery Manager Agents" || group="Online Certificate Status Manager Agents" || group="Auditors";allow (modify) group="Administrators":Administrators, agents and auditors are allowed to read policy configuration but only administrators allowed to modify
+resourceACLS: certServer.acl.configuration:read,modify:allow (read) group="Administrators" || group="Certificate Manager Agents" || group="Registration Manager Agents" || group="Data Recovery Manager Agents" || group="Online Certificate Status Manager Agents" || group="Auditors";allow (modify) group="Administrators":Administrators, agents and auditors are allowed to read ACL configuration but only administrators allowed to modify
+resourceACLS: certServer.log.configuration:read,modify:allow (read) group="Administrators" || group="Auditors" || group="Certificate Manager Agents" || group="Registration Manager Agents" || group="Data Recovery Manager Agents" || group="Online Certificate Status Manager Agents";allow (modify) group="Administrators":Administrators, Agents, and auditors are allowed to read the log configuration but only administrators are allowed to modify
+resourceACLS: certServer.securitydomain.domainxml:read,modify:allow (read) user="anybody";allow (modify) group="Subsystem Group":Anybody is allowed to read domain.xml but only Subsystem group is allowed to modify the domain.xml
+resourceACLS: certServer.log.configuration.fileName:read,modify:allow (read) group="Administrators" || group="Auditors" || group="Certificate Manager Agents" || group="Registration Manager Agents" || group="Data Recovery Manager Agents" || group="Online Certificate Status Manager Agents";deny (modify) user=anybody:Nobody is allowed to modify a fileName parameter
+resourceACLS: certServer.log.configuration.signedAudit.expirationTime:read,modify:allow (read) group="Administrators" || group="Auditors" || group="Certificate Manager Agents" || group="Registration Manager Agents" || group="Data Recovery Manager Agents" || group="Online Certificate Status Manager Agents";deny (modify) user=anybody:Nobody is allowed to modify an expirationTime parameter.
+resourceACLS: certServer.log.content.signedAudit:read:deny (read) group="Administrators" || group="Certificate Manager Agents" || group="Registration Manager Agents" || group="Data Recovery Manager Agents" || group="Online Certificate Status Manager Agents":Only auditor is allowed to read the signed audit log
+resourceACLS: certServer.log.content:read:allow (read) group="Administrators" || group="Certificate Manager Agents" || group="Registration Manager Agents" || group="Data Recovery Manager Agents" || group="Online Certificate Status Manager Agents" || group="Auditors":Administrators, auditors, and agents are allowed to read the log content
+resourceACLS: certServer.ca.configuration:read,modify:allow (read) group="Administrators" || group="Certificate Manager Agents" || group="Registration Manager Agents" || group="Data Recovery Manager Agents" || group="Online Certificate Status Manager Agents" || group="Auditors";allow (modify) group="Administrators":Administrators, auditors, and agents are allowed to read CA configuration but only administrators allowed to modify
+resourceACLS: certServer.auth.configuration:read,modify:allow (read) group="Administrators" || group="Certificate Manager Agents" || group="Registration Manager Agents" || group="Data Recovery Manager Agents" || group="Online Certificate Status Manager Agents" || group="Auditors";allow (modify) group="Administrators":Administrators, agents, and auditors are allowed to read authentication configuration but only administrators allowed to modify
+resourceACLS: certServer.ocsp.configuration:read,modify:allow (read) group="Administrators" || group="Certificate Manager Agents" || group="Registration Manager Agents" || group="Data Recovery Manager Agents" || group="Online Certificate Status Manager Agents" || group="Auditors";allow (modify) group="Administrators":Administrators, Agents, and auditors are allowed to read ocsp configuration but only administrators allowed to modify
+resourceACLS: certServer.registry.configuration:read,modify:allow (read) group="Administrators" || group="Certificate Manager Agents" || group="Registration Manager Agents" || group="Data Recovery Manager Agents" || group="Online Certificate Status Manager Agents" || group="Auditors";allow (modify) group="Administrators":this acl is shared by all admin servlets
+resourceACLS: certServer.profile.configuration:read,modify:allow (read) group="Administrators" || group="Certificate Manager Agents" || group="Registration Manager Agents" || group="Data Recovery Manager Agents" || group="Online Certificate Status Manager Agents" || group="Auditors";allow (modify) group="Administrators":Administrators, agents, and auditors are allowed to read profile configuration but only administrators allowed to modify
+resourceACLS: certServer.job.configuration:read,modify:allow (read) group="Administrators" || group="Certificate Manager Agents" || group="Registration Manager Agents" || group="Data Recovery Manager Agents" || group="Online Certificate Status Manager Agents" || group="Auditors";allow (modify) group="Administrators":Administrators, agents, and auditors are allowed to read job configuration but only administrators allowed to modify
+resourceACLS: certServer.publisher.configuration:read,modify:allow (read) group="Administrators" || group="Auditors" || group="Certificate Manager Agents" || group="Registration Manager Agents" || group="Data Recovery Manager Agents" || group="Online Certificate Status Manager Agents";allow (modify) group="Administrators":Administrators, auditors, and agents are allowed to read publisher configuration but only administrators allowed to modify
+resourceACLS: certServer.kra.configuration:read,modify:allow (read) group="Administrators" || group="Auditors" || group="Certificate Manager Agents" || group="Registration Manager Agents" || group="Data Recovery Manager Agents" || group="Online Certificate Status Manager Agents";allow (modify) group="Administrators":Administrators, auditors, and agents are allowed to read DRM configuration but only administrators allowed to modify
+resourceACLS: certServer.ra.configuration:read,modify:allow (read) group="Administrators" || group="Auditors" || group="Certificate Manager Agents" || group="Registration Manager Agents" || group="Data Recovery Manager Agents" || group="Online Certificate Status Manager Agents";allow (modify) group="Administrators":Administrators, auditors, and agents are allowed to read RA configuration but only administrators allowed to modify
+resourceACLS: certServer.ca.directory:update:allow (update) group="Certificate Manager Agents":Certificate Manager agents may update directory
+resourceACLS: certServer.ca.certificate:import,unrevoke,revoke,read:allow (import,unrevoke,revoke,read) group="Certificate Manager Agents":Certificate Manager agents may import,unrevoke,revoke,read a certificate
+resourceACLS: certServer.ca.certificates:revoke,list:allow (revoke,list) group="Certificate Manager Agents"|| group="Registration Manager Agents":Only certificate and registration manager agents revoke, list certificates
+resourceACLS: certServer.ca.requests:list:allow (list) group="Certificate Manager Agents"|| group="Registration Manager Agents":Only certificate and registration manager agents list requests
+resourceACLS: certServer.ca.request.enrollment:submit,read,execute,assign,unassign:allow (submit) user="anybody";allow (read,execute,assign,unassign) group="Certificate Manager Agents":Anybody may submit an enrollment request, Certificate Manager Agents may read,execute,assign or unassign request
+resourceACLS: certServer.ca.ocsp:read:allow (read) group="Certificate Manager Agents":Certificate Manager agents may read ocsp information
+resourceACLS: certServer.ee.request.ocsp:submit:allow (submit) ipaddress=".*":Any clients can submit ocsp requests
+resourceACLS: certServer.ca.crl:read,update:allow (read,update) group="Certificate Manager Agents":Certificate Manager agents may read or update crl
+resourceACLS: certServer.ee.certificate:renew,revoke,read,import:allow (renew,revoke,read,import) user="anybody":Anybody may renew,import,revoke,read a certificate
+resourceACLS: certServer.ee.certificates:revoke,list:allow (revoke,list) user="anybody":Anybody may revoke, list certificates
+resourceACLS: certServer.ee.certchain:download,read:allow (download,read) user="anybody":Anybody may download a certificate chain
+resourceACLS: certServer.ee.crl:read,add:allow (read,add) user="anybody":Anybody may add or retrieve CRL
+resourceACLS: certServer.ee.request.enrollment:submit:allow (submit) user="anybody":Anybody may submit an enrollment request
+resourceACLS: certServer.ee.requestStatus:read:allow (read) user="anybody":Anybody may read request status
+resourceACLS: certServer.ee.request.revocation:submit:allow (submit) user="anybody":Anybody may submit a revocation request
+resourceACLS: certServer.admin.certificate:import:allow (import) user="anybody":Any user may import a certificate
+resourceACLS: certServer.admin.request.enrollment:submit,read,execute:allow (submit) user="anybody";allow (read,execute) group="Certificate Manager Agents":Anybody may submit an enrollment request, Certificate Manager Agents may read or execute request
+resourceACLS: certServer.ca.request.profile:approve,read:allow (approve,read) group="Certificate Manager Agents":Certificate Manager agents may approve profile
+resourceACLS: certServer.ca.profiles:list:allow (list) group="Certificate Manager Agents":Certificate Manager agents may list profiles
+resourceACLS: certServer.ca.profile:read,approve:allow (read,approve) group="Certificate Manager Agents":Certificate Manager agents may read profile
+resourceACLS: certServer.ee.profile:submit,read:allow (submit,read) user="anybody":Anybody may submit certificate profiles
+resourceACLS: certServer.ee.profiles:list:allow (list) user="anybody":Anybody may list certificate profiles
+resourceACLS: certServer.ca.connector:submit:allow (submit) group="Trusted Managers":Only Trusted Managers submit requests
+resourceACLS: certServer.ca.clone:submit:allow (submit) group="Certificate Manager Agents":Certificate Manager Agents are allowed to submit request to the master CA
+resourceACLS: certServer.ca.systemstatus:read:allow (read) group="Certificate Manager Agents":Certificate Manager agents may view statistics
+resourceACLS: certServer.ca.group:read,modify:allow (modify,read) group="Administrators":Only administrators are allowed to read and modify users and groups
+resourceACLS: certServer.ca.connectorInfo:read,modify:allow (modify,read) group="Enterprise KRA Administrators":Only Enterprise Administrators are allowed to update the connector information
+resourceACLS: certServer.ca.registerUser:read,modify:allow (modify,read) group="Enterprise CA Administrators" || group="Enterprise KRA Administrators" || group="Enterprise RA Administrators" || group="Enterprise OCSP Administrators" || group="Enterprise TKS Administrators" || group="Enterprise TPS Administrators":Only Enterprise Administrators are allowed to register a new agent
+resourceACLS: certServer.clone.configuration:read,modify:allow (modify,read) group="Enterprise CA Administrators" || group="Enterprise KRA Administrators" || group="Enterprise RA Administrators" || group="Enterprise OCSP Administrators" || group="Enterprise TKS Administrators":Only Enterprise Administrators are allowed to clone the configuration.
+resourceACLS: certServer.admin.ocsp:read,modify:allow (modify,read) group="Enterprise OCSP Administrators":Only Enterprise Administrators are allowed to read or update the OCSP configuration.
diff --git a/pki/base/ca/shared/conf/adminCert.profile b/pki/base/ca/shared/conf/adminCert.profile
new file mode 100644
index 000000000..30e01e46b
--- /dev/null
+++ b/pki/base/ca/shared/conf/adminCert.profile
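Review bot: The `certServer.log.content.signedAudit` rule is written as a deny list — it denies Administrators and the four agent groups — while its own description says only auditors may read the signed audit log. Whether a principal in none of the listed groups (Auditors themselves, or any group added later) is admitted depends on how the evaluator treats a resource that has no allow entry, which this file does not show; stating the intent as an allow rule removes that dependency: `resourceACLS: certServer.log.content.signedAudit:read:allow (read) group="Auditors":Only auditor is allowed to read the signed audit log`. Separately, `certServer.ee.certificate` and `certServer.ee.certificates` grant revoke to user="anybody", so the only thing between an arbitrary client and revocation of someone else's certificate is whatever ownership check the EE servlet performs, which is not visible here; that reliance is worth recording in the rule's description so a later ACL edit does not assume the ACL alone is the control.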
@@ -0,0 +1,37 @@
+#
+# Server Certificate
+#
+id=adminCert.profile
+name=All Purpose admin server cert Profile
+description=This profile creates an administrator's certificate
+list=2,4,5,6,7
+2.default.class=com.netscape.cms.profile.def.ValidityDefault
+2.default.name=Validity Default
+2.default.params.range=720
+2.default.params.startTime=0
+4.default.class=com.netscape.cms.profile.def.AuthorityKeyIdentifierExtDefault
+4.default.name=Authority Key Identifier Default
+5.default.class=com.netscape.cms.profile.def.AuthInfoAccessExtDefault
+5.default.name=AIA Extension Default
+5.default.params.authInfoAccessADEnable_0=true
+5.default.params.authInfoAccessADLocationType_0=URIName
+5.default.params.authInfoAccessADLocation_0=
+5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1
+5.default.params.authInfoAccessCritical=false
+5.default.params.authInfoAccessNumADs=1
+6.default.class=com.netscape.cms.profile.def.KeyUsageExtDefault
+6.default.name=Key Usage Default
+6.default.params.keyUsageCritical=true
+6.default.params.keyUsageDigitalSignature=true
+6.default.params.keyUsageNonRepudiation=true
+6.default.params.keyUsageDataEncipherment=true
+6.default.params.keyUsageKeyEncipherment=true
+6.default.params.keyUsageKeyAgreement=false
+6.default.params.keyUsageKeyCertSign=false
+6.default.params.keyUsageCrlSign=false
+6.default.params.keyUsageEncipherOnly=false
+6.default.params.keyUsageDecipherOnly=false
+7.default.class=com.netscape.cms.profile.def.ExtendedKeyUsageExtDefault
+7.default.name=Extended Key Usage Extension Default
+7.default.params.exKeyUsageCritical=false
+7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4
diff --git a/pki/base/ca/shared/conf/caCert.profile b/pki/base/ca/shared/conf/caCert.profile
new file mode 100644
index 000000000..eb721d5e4
--- /dev/null
+++ b/pki/base/ca/shared/conf/caCert.profile
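Review bot: The header comment on the second line, `# Server Certificate`, describes the wrong artifact; the `name` and `description` lines say this profile issues an administrator's certificate, so it should read `# Administrator Certificate`. The AIA default is enabled with an empty OCSP location at `5.default.params.authInfoAccessADLocation_0=`, which presumably is filled in by the configuration step; if so, a comment naming that step next to the line would keep someone from deploying the profile with an empty accessLocation. The key usage also asserts dataEncipherment and keyEncipherment on a certificate whose EKUs are clientAuth and emailProtection; if the encipherment bits are there for S/MIME, a one-line comment saying so would make the intent clear.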
@@ -0,0 +1,42 @@
+#
+# CA Profile
+#
+id=caCert.profile
+name=All Purpose CA Profile
+description=This profile creates a CA certificate that is valid for all signing purposes.
+list=2,4,5,6,7,8
+2.default.class=com.netscape.cms.profile.def.ValidityDefault
+2.default.name=Validity Default
+2.default.params.range=720
+2.default.params.startTime=0
+4.default.class=com.netscape.cms.profile.def.AuthorityKeyIdentifierExtDefault
+4.default.name=Authority Key Identifier Default
+4.default.params.localKey=true
+5.default.class=com.netscape.cms.profile.def.BasicConstraintsExtDefault
+5.default.name=Basic Constraints Extension Default
+5.default.params.basicConstraintsCritical=true
+5.default.params.basicConstraintsIsCA=true
+5.default.params.basicConstraintsPathLen=-1
+6.default.class=com.netscape.cms.profile.def.KeyUsageExtDefault
+6.default.name=Key Usage Default
+6.default.params.keyUsageCritical=true
+6.default.params.keyUsageDigitalSignature=true
+6.default.params.keyUsageNonRepudiation=true
+6.default.params.keyUsageDataEncipherment=false
+6.default.params.keyUsageKeyEncipherment=false
+6.default.params.keyUsageKeyAgreement=false
+6.default.params.keyUsageKeyCertSign=true
+6.default.params.keyUsageCrlSign=true
+6.default.params.keyUsageEncipherOnly=false
+6.default.params.keyUsageDecipherOnly=false
+7.default.class=com.netscape.cms.profile.def.SubjectKeyIdentifierExtDefault
+7.default.name=Subject Key Identifier Extension Default
+7.default.params.critical=false
+8.default.class=com.netscape.cms.profile.def.AuthInfoAccessExtDefault
+8.default.name=AIA Extension Default
+8.default.params.authInfoAccessADEnable_0=true
+8.default.params.authInfoAccessADLocationType_0=URIName
+8.default.params.authInfoAccessADLocation_0=
+8.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1
+8.default.params.authInfoAccessCritical=false
+8.default.params.authInfoAccessNumADs=1
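Review bot: `5.default.params.basicConstraintsPathLen=-1` on a profile named "All Purpose CA" needs a comment stating what -1 means here; if it means no pathLenConstraint is encoded, the certificate this profile issues can sign an unbounded depth of subordinate CAs, which a default should not do silently. Suggest `# -1: no pathLenConstraint is encoded (unbounded subordinate CA depth) -- confirm intended`. The AIA default at `8.default.params.authInfoAccessADLocation_0=` is enabled with an empty OCSP URI, presumably populated during configuration; say so beside it. The 720-day validity in `2.default.params.range=720` is short for a CA signing certificate; if the installer overrides it, a comment should record that, otherwise it will surprise whoever deploys with the defaults.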
diff --git a/pki/base/ca/shared/conf/caOCSPCert.profile b/pki/base/ca/shared/conf/caOCSPCert.profile
new file mode 100644
index 000000000..72d95bec4
--- /dev/null
+++ b/pki/base/ca/shared/conf/caOCSPCert.profile
@@ -0,0 +1,40 @@
+#
+# OCSP CA Profile
+#
+id=caOCSPCert.profile
+name=All Purpose CA OCSP Profile
+description=This profile creates a CA OCSP certificate that is valid for all signing purposes.
+list=2,4,6,8,9
+2.default.class=com.netscape.cms.profile.def.ValidityDefault
+2.default.name=Validity Default
+2.default.params.range=720
+2.default.params.startTime=0
+4.default.class=com.netscape.cms.profile.def.AuthorityKeyIdentifierExtDefault
+4.default.name=Authority Key Identifier Default
+6.default.class=com.netscape.cms.profile.def.KeyUsageExtDefault
+6.default.name=Key Usage Default
+6.default.params.keyUsageCritical=true
+6.default.params.keyUsageDigitalSignature=true
+6.default.params.keyUsageNonRepudiation=true
+6.default.params.keyUsageDataEncipherment=false
+6.default.params.keyUsageKeyEncipherment=false
+6.default.params.keyUsageKeyAgreement=false
+6.default.params.keyUsageKeyCertSign=true
+6.default.params.keyUsageCrlSign=true
+6.default.params.keyUsageEncipherOnly=false
+6.default.params.keyUsageDecipherOnly=false
+7.default.class=com.netscape.cms.profile.def.SubjectKeyIdentifierExtDefault
+7.default.name=Subject Key Identifier Extension Default
+7.default.params.critical=false
+8.default.class=com.netscape.cms.profile.def.AuthInfoAccessExtDefault
+8.default.name=AIA Extension Default
+8.default.params.authInfoAccessADEnable_0=true
+8.default.params.authInfoAccessADLocationType_0=URIName
+8.default.params.authInfoAccessADLocation_0=
+8.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1
+8.default.params.authInfoAccessCritical=false
+8.default.params.authInfoAccessNumADs=1
+9.default.class=com.netscape.cms.profile.def.ExtendedKeyUsageExtDefault
+9.default.name=Extended Key Usage Extension Default
+9.default.params.exKeyUsageCritical=false
+9.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.9
diff --git a/pki/base/ca/shared/conf/catalina.policy b/pki/base/ca/shared/conf/catalina.policy
new file mode 100644
index 000000000..3447825b0
--- /dev/null
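Review bot: The key usage block of this OCSP signing profile asserts `6.default.params.keyUsageKeyCertSign=true` and `6.default.params.keyUsageCrlSign=true`, which look copied from caCert.profile: the certificate it issues carries the OCSPSigning EKU `1.3.6.1.5.5.7.3.9` at the end of the hunk and no BasicConstraints cA, so a responder key is being given certificate- and CRL-signing bits it does not need and should not be trusted with. Set `6.default.params.keyUsageKeyCertSign=false` and `6.default.params.keyUsageCrlSign=false`, and narrow the description from "valid for all signing purposes" to OCSP response signing. Separately, `list=2,4,6,8,9` omits entry 7, so the Subject Key Identifier default defined under `7.default.*` is never applied; either add 7 to the list or delete the dead entries so the file does not mislead.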
+++ b/pki/base/ca/shared/conf/catalina.policy 
@@ -0,0 +1,172 @@ +// ============================================================================ +// catalina.corepolicy - Security Policy Permissions for Tomcat 5 +// +// This file contains a default set of security policies to be enforced (by the +// JVM) when Catalina is executed with the "-security" option. In addition +// to the permissions granted here, the following additional permissions are +// granted to the codebase specific to each web application: +// +// * Read access to the document root directory +// +// $Id: catalina.policy,v 1.13 2005/03/03 23:41:14 remm Exp $ +// ============================================================================ + + +// ========== SYSTEM CODE PERMISSIONS ========================================= + + +// These permissions apply to javac +grant codeBase "file:${java.home}/lib/-" { + permission java.security.AllPermission; +}; + +// These permissions apply to all shared system extensions +grant codeBase "file:${java.home}/jre/lib/ext/-" { + permission java.security.AllPermission; +}; + +// These permissions apply to javac when ${java.home] points at $JAVA_HOME/jre +grant codeBase "file:${java.home}/../lib/-" { + permission java.security.AllPermission; +}; + +// These permissions apply to all shared system extensions when +// ${java.home} points at $JAVA_HOME/jre +grant codeBase "file:${java.home}/lib/ext/-" { + permission java.security.AllPermission; +}; + + +// ========== CATALINA CODE PERMISSIONS ======================================= + + +// These permissions apply to the launcher code +grant codeBase "file:${catalina.home}/bin/commons-launcher.jar" { + permission java.security.AllPermission; +}; + +// These permissions apply to the daemon code +grant codeBase "file:${catalina.home}/bin/commons-daemon.jar" { + permission java.security.AllPermission; +}; + +// These permissions apply to the commons-logging API +grant codeBase "file:${catalina.home}/bin/commons-logging-api.jar" { + permission 
java.security.AllPermission; +}; + +// These permissions apply to the server startup code +grant codeBase "file:${catalina.home}/bin/bootstrap.jar" { + permission java.security.AllPermission; +}; + +// These permissions apply to the JMX server +grant codeBase "file:${catalina.home}/bin/jmx.jar" { + permission java.security.AllPermission; +}; + +// These permissions apply to JULI +grant codeBase "file:${catalina.home}/bin/tomcat-juli.jar" { + permission java.security.AllPermission; +}; + +// These permissions apply to the servlet API classes +// and those that are shared across all class loaders +// located in the "common" directory +grant codeBase "file:${catalina.home}/common/-" { + permission java.security.AllPermission; +}; + +// These permissions apply to the container's core code, plus any additional +// libraries installed in the "server" directory +grant codeBase "file:${catalina.home}/server/-" { + permission java.security.AllPermission; +}; + +// The permissions granted to the balancer WEB-INF/classes directory +grant codeBase "file:${catalina.home}/webapps/balancer/WEB-INF/classes/-" { + permission java.lang.RuntimePermission "accessClassInPackage.org.apache.tomcat.util.digester"; + permission java.lang.RuntimePermission "accessClassInPackage.org.apache.tomcat.util.digester.*"; +}; +// ========== WEB APPLICATION PERMISSIONS ===================================== + + +// These permissions are granted by default to all web applications +// In addition, a web application will be given a read FilePermission +// and JndiPermission for all files and directories in its document root. 
+grant { + // Required for JNDI lookup of named JDBC DataSource's and + // javamail named MimePart DataSource used to send mail + permission java.util.PropertyPermission "java.home", "read"; + permission java.util.PropertyPermission "java.naming.*", "read"; + permission java.util.PropertyPermission "javax.sql.*", "read"; + + // OS Specific properties to allow read access + permission java.util.PropertyPermission "os.name", "read"; + permission java.util.PropertyPermission "os.version", "read"; + permission java.util.PropertyPermission "os.arch", "read"; + permission java.util.PropertyPermission "file.separator", "read"; + permission java.util.PropertyPermission "path.separator", "read"; + permission java.util.PropertyPermission "line.separator", "read"; + + // JVM properties to allow read access + permission java.util.PropertyPermission "java.version", "read"; + permission java.util.PropertyPermission "java.vendor", "read"; + permission java.util.PropertyPermission "java.vendor.url", "read"; + permission java.util.PropertyPermission "java.class.version", "read"; + permission java.util.PropertyPermission "java.specification.version", "read"; + permission java.util.PropertyPermission "java.specification.vendor", "read"; + permission java.util.PropertyPermission "java.specification.name", "read"; + + permission java.util.PropertyPermission "java.vm.specification.version", "read"; + permission java.util.PropertyPermission "java.vm.specification.vendor", "read"; + permission java.util.PropertyPermission "java.vm.specification.name", "read"; + permission java.util.PropertyPermission "java.vm.version", "read"; + permission java.util.PropertyPermission "java.vm.vendor", "read"; + permission java.util.PropertyPermission "java.vm.name", "read"; + + // Required for OpenJMX + permission java.lang.RuntimePermission "getAttribute"; + + // Allow read of JAXP compliant XML parser debug + permission java.util.PropertyPermission "jaxp.debug", "read"; + + // Precompiled JSPs need 
access to this package. + permission java.lang.RuntimePermission "accessClassInPackage.org.apache.jasper.runtime"; + permission java.lang.RuntimePermission "accessClassInPackage.org.apache.jasper.runtime.*"; + +}; + + +// You can assign additional permissions to particular web applications by +// adding additional "grant" entries here, based on the code base for that +// application, /WEB-INF/classes/, or /WEB-INF/lib/ jar files. +// +// Different permissions can be granted to JSP pages, classes loaded from +// the /WEB-INF/classes/ directory, all jar files in the /WEB-INF/lib/ +// directory, or even to individual jar files in the /WEB-INF/lib/ directory. +// +// For instance, assume that the standard "examples" application +// included a JDBC driver that needed to establish a network connection to the +// corresponding database and used the scrape taglib to get the weather from +// the NOAA web server. You might create a "grant" entries like this: +// +// The permissions granted to the context root directory apply to JSP pages. +// grant codeBase "file:${catalina.home}/webapps/examples/-" { +// permission java.net.SocketPermission "dbhost.mycompany.com:5432", "connect"; +// permission java.net.SocketPermission "*.noaa.gov:80", "connect"; +// }; +// +// The permissions granted to the context WEB-INF/classes directory +// grant codeBase "file:${catalina.home}/webapps/examples/WEB-INF/classes/-" { +// }; +// +// The permission granted to your JDBC driver +// grant codeBase "jar:file:${catalina.home}/webapps/examples/WEB-INF/lib/driver.jar!/-" { +// permission java.net.SocketPermission "dbhost.mycompany.com:5432", "connect"; +// }; +// The permission granted to the scrape taglib +// grant codeBase "jar:file:${catalina.home}/webapps/examples/WEB-INF/lib/scrape.jar!/-" { +// permission java.net.SocketPermission "*.noaa.gov:80", "connect"; +// }; + 
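Review bot: This policy contains no `grant codeBase` entry for the CA web application's own classes or jars, so under a security manager the CA servlets would be confined to the default web-application grants at the bottom of the hunk, which cover only property reads and a few RuntimePermissions and include no file or socket access; either this instance is never started with `-security` or the file is incomplete. A comment at the top saying which is the case would prevent a false sense of sandboxing, e.g. `// NOTE: no grant exists for the PKI webapp codebase; starting with -security requires adding one`. The `$Id: catalina.policy,v 1.13` header and the `webapps/balancer` grant are stock Tomcat 5 content with no meaning in a CA-specific copy and can be dropped. The `AllPermission` grants for `${catalina.home}/common/-` and `${catalina.home}/server/-` are the Tomcat defaults and are acceptable only while those directories hold nothing but trusted jars.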
diff --git a/pki/base/ca/shared/conf/catalina.properties b/pki/base/ca/shared/conf/catalina.properties
new file mode 100644
index 000000000..86334d29f
--- /dev/null
+++ b/pki/base/ca/shared/conf/catalina.properties
@@ -0,0 +1,64 @@ +# +# List of comma-separated packages that start with or equal this string +# will cause a security exception to be thrown when +# passed to checkPackageAccess unless the +# corresponding RuntimePermission ("accessClassInPackage."+package) has +# been granted. +package.access=sun.,org.apache.catalina.,org.apache.coyote.,org.apache.tomcat.,org.apache.jasper.,sun.beans. +# +# List of comma-separated packages that start with or equal this string +# will cause a security exception to be thrown when +# passed to checkPackageDefinition unless the +# corresponding RuntimePermission ("defineClassInPackage."+package) has +# been granted. +# +# by default, no packages are restricted for definition, and none of +# the class loaders supplied with the JDK call checkPackageDefinition. +# +package.definition=sun.,java.,org.apache.catalina.,org.apache.coyote.,org.apache.tomcat.,org.apache.jasper. + +# +# +# List of comma-separated paths defining the contents of the "common" +# classloader. Prefixes should be used to define what is the repository type. +# Path may be relative to the CATALINA_HOME or CATALINA_BASE path or absolute. +# If left as blank,the JVM system loader will be used as Catalina's "common" +# loader. +# Examples: +# "foo": Add this folder as a class repository +# "foo/*.jar": Add all the JARs of the specified folder as class +# repositories +# "foo/bar.jar": Add bar.jar as a class repository +common.loader=${catalina.home}/common/classes,${catalina.home}/common/i18n/*.jar,${catalina.home}/common/endorsed/*.jar,${catalina.home}/common/lib/*.jar + +# +# List of comma-separated paths defining the contents of the "server" +# classloader. Prefixes should be used to define what is the repository type. +# Path may be relative to the CATALINA_HOME or CATALINA_BASE path or absolute. +# If left as blank, the "common" loader will be used as Catalina's "server" +# loader. 
+# Examples:
+# "foo": Add this folder as a class repository
+# "foo/*.jar": Add all the JARs of the specified folder as class
+# repositories
+# "foo/bar.jar": Add bar.jar as a class repository
+server.loader=${catalina.home}/server/classes,${catalina.home}/server/lib/*.jar
+
+# List of comma-separated paths defining the contents of the "shared"
+# classloader. Prefixes should be used to define what is the repository type.
+# Path may be relative to the CATALINA_BASE path or absolute. If left as blank,
+# the "common" loader will be used as Catalina's "shared" loader.
+# Examples:
+# "foo": Add this folder as a class repository
+# "foo/*.jar": Add all the JARs of the specified folder as class
+# repositories
+# "foo/bar.jar": Add bar.jar as a class repository
+shared.loader=${catalina.base}/shared/classes,${catalina.base}/shared/lib/*.jar
+
+# String cache configuration.
+tomcat.util.buf.StringCache.byte.enabled=true
+#tomcat.util.buf.StringCache.char.enabled=true
+#tomcat.util.buf.StringCache.trainThreshold=500000
+#tomcat.util.buf.StringCache.cacheSize=5000
diff --git a/pki/base/ca/shared/conf/context.xml b/pki/base/ca/shared/conf/context.xml
new file mode 100644
index 000000000..4998ad27d
--- /dev/null
+++ b/pki/base/ca/shared/conf/context.xml
@@ -0,0 +1,12 @@
+<!-- The contents of this file will be loaded for each web application -->
+<Context crossContext="true">
+
+ <!-- Default set of monitored resources -->
+ <WatchedResource>WEB-INF/web.xml</WatchedResource>
+
+ <!-- Uncomment this to disable session persistence across Tomcat restarts -->
+ <!--
+ <Manager pathname="" />
+ -->
+
+</Context>
diff --git a/pki/base/ca/shared/conf/database.ldif b/pki/base/ca/shared/conf/database.ldif
new file mode 100644
index 000000000..99cdf6b79
--- /dev/null
+++ b/pki/base/ca/shared/conf/database.ldif
@@ -0,0 +1,4 @@
+dn: cn=config
+changetype: modify
+replace: nsslapd-maxbersize
+nsslapd-maxbersize: 52428800
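Review bot: `<Context crossContext="true">` is applied to every web application on this instance (the first comment says the file is loaded for each one), which lets any deployed webapp reach another's ServletContext through `ServletContext.getContext()` and read or set its attributes; for a CA that is a broad sharing surface, and nothing here says which webapp relies on it. If no servlet in this instance calls `getContext()`, change the line to `<Context crossContext="false">`; otherwise add a comment naming the consumer so the setting is not removed blindly later. Leaving `<Manager pathname="" />` commented out means sessions are persisted to disk across restarts by default; a comment on whether agent and admin sessions are meant to survive a restart would be useful.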
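Review bot: `nsslapd-maxbersize: 52428800` raises the largest LDAP request the directory will accept to 50 MiB for every client, with no comment recording why; combined with an anonymous-read ACI such as the one the sibling db.ldif in this commit installs, that size is a memory-exhaustion lever for unauthenticated clients that can reach the directory. Add the rationale next to it, e.g. `# 50 MiB: CRL and cross-certificate attributes must fit in a single LDAP operation`, so the value is not raised further without thought. I am inferring the exposure from the other hunk; if the directory listens only on the CA host the concern is smaller but the comment is still worth having.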
diff --git a/pki/base/ca/shared/conf/db.ldif b/pki/base/ca/shared/conf/db.ldif
new file mode 100644
index 000000000..72f5b8e17
--- /dev/null
+++ b/pki/base/ca/shared/conf/db.ldif
@@ -0,0 +1,134 @@
+dn: ou=people,{rootSuffix}
+objectClass: top
+objectClass: organizationalUnit
+ou: people
+aci: (targetattr!="userPassword")(version 3.0; acl "Enable anonymous access"; allow (read, search, compare)userdn="ldap:///anyone";)
+
+dn: ou=groups,{rootSuffix}
+objectClass: top
+objectClass: organizationalUnit
+ou: groups
+
+dn: cn=Certificate Manager Agents,ou=groups,{rootSuffix}
+objectClass: top
+objectClass: groupOfUniqueNames
+cn: Certificate Manager Agents
+description: Agents for Certificate Manager
+
+dn: cn=Registration Manager Agents,ou=groups,{rootSuffix}
+objectClass: top
+objectClass: groupOfUniqueNames
+cn: Registration Manager Agents
+description: Agents for Registration Manager
+
+dn: cn=Subsystem Group, ou=groups, {rootSuffix}
+objectClass: top
+objectClass: groupOfUniqueNames
+cn: Subsystem Group
+description: Subsystem Group
+
+dn: cn=Trusted Managers,ou=groups,{rootSuffix}
+objectClass: top
+objectClass: groupOfUniqueNames
+cn: Trusted Managers
+description: Managers trusted by this PKI instance
+
+dn: cn=Administrators,ou=groups,{rootSuffix}
+objectClass: top
+objectClass: groupOfUniqueNames
+cn: Administrators
+description: People who manage the Fedora Certificate System
+
+dn: cn=Auditors,ou=groups,{rootSuffix}
+objectClass: top
+objectClass: groupOfUniqueNames
+cn: Auditors
+description: People who can read the signed audits
+
+dn: cn=ClonedSubsystems,ou=groups,{rootSuffix}
+objectClass: top
+objectClass: groupOfUniqueNames
+cn: ClonedSubsystems
+description: People who can clone the master subsystem
+
+dn: cn=Security Domain Administrators,ou=groups,{rootSuffix}
+objectClass: top
+objectClass: groupOfUniqueNames
+cn: Security Domain Administrators
+description: People who are the Security Domain administrators
+
+dn: cn=Enterprise CA Administrators,ou=groups,{rootSuffix}
+objectClass: top
+objectClass: groupOfUniqueNames
+cn: Enterprise CA Administrators
+description: People who are the administrators for the security domain for 
CA
+
+dn: cn=Enterprise KRA Administrators,ou=groups,{rootSuffix}
+objectClass: top
+objectClass: groupOfUniqueNames
+cn: Enterprise KRA Administrators
+description: People who are the administrators for the security domain for KRA
+
+dn: cn=Enterprise OCSP Administrators,ou=groups,{rootSuffix}
+objectClass: top
+objectClass: groupOfUniqueNames
+cn: Enterprise OCSP Administrators
+description: People who are the administrators for the security domain for OCSP
+
+dn: cn=Enterprise TKS Administrators,ou=groups,{rootSuffix}
+objectClass: top
+objectClass: groupOfUniqueNames
+cn: Enterprise TKS Administrators
+description: People who are the administrators for the security domain for TKS
+
+dn: cn=Enterprise RA Administrators,ou=groups,{rootSuffix}
+objectClass: top
+objectClass: groupOfUniqueNames
+cn: Enterprise RA Administrators
+description: People who are the administrators for the security domain for RA
+
+dn: cn=Enterprise TPS Administrators,ou=groups,{rootSuffix}
+objectClass: top
+objectClass: groupOfUniqueNames
+cn: Enterprise TPS Administrators
+description: People who are the administrators for the security domain for TPS
+
+dn: ou=requests,{rootSuffix}
+objectClass: top
+objectClass: organizationalUnit
+ou: requests
+
+dn: cn=crossCerts,{rootSuffix}
+cn: crossCerts
+sn: crossCerts
+objectClass: top
+objectClass: person
+objectClass: certificationAuthority
+cACertificate;binary:
+authorityRevocationList;binary:
+certificateRevocationList;binary:
+crossCertificatePair;binary:
+
+dn: ou=ca,{rootSuffix}
+objectClass: top
+objectClass: organizationalUnit
+objectClass: pkiCA
+ou: ca
+
+dn: ou=certificateRepository,ou=ca,{rootSuffix}
+objectClass: top
+objectClass: repository
+ou: certificateRepository
+serialno: 011
+
+dn: ou=crlIssuingPoints,ou=ca,{rootSuffix}
+objectClass: top
+objectClass: repository
+ou: crlIssuingPoints
+serialno: 010
+
+dn: ou=ca, ou=requests,{rootSuffix}
+objectClass: top
+objectClass: repository
+ou: ca
+serialno: 010
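Review bot: The ACI on `ou=people` near the top of the hunk grants `read, search, compare` on every attribute except `userPassword` to `userdn="ldap:///anyone"`, so any unauthenticated client that can reach the directory can enumerate every CA agent and administrator entry and whatever is stored on it (certificates, descriptions); only the password hash is withheld. If anonymous access exists only to serve the CA's own authentication path, scope it to authenticated binds with `aci: (targetattr!="userPassword")(version 3.0; acl "Enable authenticated access"; allow (read, search, compare)userdn="ldap:///all";)` or, better, to the CA's service bind DN, and record the reason in a comment. The `cn=crossCerts` entry sets `cACertificate;binary:` and three sibling attributes with empty values, which a directory server may reject on import; confirm an empty placeholder is what the installer expects. The `cn=Administrators` description says "Fedora Certificate System" while the rest of the commit is branded Red Hat; minor, but worth aligning.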
diff --git a/pki/base/ca/shared/conf/dtomcat5 b/pki/base/ca/shared/conf/dtomcat5
new file mode 100755
index 000000000..ba9a5dca8
--- /dev/null
+++ b/pki/base/ca/shared/conf/dtomcat5
@@ -0,0 +1,448 @@ +#!/bin/bash +# +# --- BEGIN COPYRIGHT BLOCK --- +# Copyright (C) 2006 Red Hat, Inc. +# All rights reserved. +# --- END COPYRIGHT BLOCK --- +# +# ----------------------------------------------------------------------------- +# Start/Stop Script for the CATALINA Server +# +# Environment Variable Prequisites +# +# CATALINA_HOME May point at your Catalina "build" directory. +# +# CATALINA_BASE (Optional) Base directory for resolving dynamic portions +# of a Catalina installation. If not present, resolves to +# the same directory that CATALINA_HOME points to. +# +# CATALINA_OPTS (Optional) Java runtime options used when the "start", +# "stop", or "run" command is executed. +# +# CATALINA_TMPDIR (Optional) Directory path location of temporary directory +# the JVM should use (java.io.tmpdir). Defaults to +# $CATALINA_BASE/temp. +# +# JAVA_HOME Must point at your Java Development Kit installation. +# Required to run the with the "debug" or "javac" argument. +# +# JRE_HOME Must point at your Java Development Kit installation. +# Defaults to JAVA_HOME if empty. +# +# JAVA_OPTS (Optional) Java runtime options used when the "start", +# "stop", or "run" command is executed. +# +# JPDA_TRANSPORT (Optional) JPDA transport used when the "jpda start" +# command is executed. The default is "dt_socket". +# +# JPDA_ADDRESS (Optional) Java runtime options used when the "jpda start" +# command is executed. The default is 8000. +# +# JSSE_HOME (Optional) May point at your Java Secure Sockets Extension +# (JSSE) installation, whose JAR files will be added to the +# system class path used to start Tomcat. 
+# +# CATALINA_PID (Optional) Path of the file which should contains the pid +# of catalina startup java process, when start (fork) is used +# +# $Id: catalina.sh,v 1.19 2005/03/03 15:13:39 remm Exp $ +# ----------------------------------------------------------------------------- + +# Disallow 'others' the ability to 'write' to new files +umask 00002 + +# Check to insure that this script's original invocation directory +# has not been deleted! +CWD=`/bin/pwd > /dev/null 2>&1` +if [ $? -ne 0 ] ; then + echo "Cannot invoke '$0' from non-existent directory!" + exit 255 +fi + +# Check to insure that at least one PKI subsystem +# currently resides on this system. +if [ ! -x /usr/bin/pkiarch ] || + [ ! -x /usr/bin/pkiflavor ] || + [ ! -x /usr/bin/pkiname ]; then + echo "This machine is missing all PKI subsystems!" + exit 255 +fi + +# Check to insure that this script's associated PKI +# subsystem currently resides on this system. +PKI_SUBSYSTEM_TYPE=[PKI_SUBSYSTEM_TYPE] +if [ ! -d /usr/share/`pkiflavor`/${PKI_SUBSYSTEM_TYPE} ] ; then + echo "This machine is missing the '${PKI_SUBSYSTEM_TYPE}' subsystem!" + exit 255 +fi + +# OS specific support. $var _must_ be set to either true or false. +OS=`pkiname` +cygwin=false +os400=false +case "${OS}" in +CYGWIN*) cygwin=true;; +OS400*) os400=true;; +esac + +TOMCAT_CFG=[PKI_INSTANCE_PATH]/conf/tomcat5.conf +JAVADIR="/usr/share/java" + +# resolve links - $0 may be a softlink +PRG="$0" + +while [ -h "$PRG" ]; do + ls=`ls -ld "$PRG"` + link=`expr "$ls" : '.*-> \(.*\)$'` + if expr "$link" : '.*/.*' > /dev/null; then + PRG="$link" + else + PRG=`dirname "$PRG"`/"$link" + fi +done + +# Get standard environment variables +PRGDIR=`dirname "$PRG"` + +# Only set CATALINA_HOME if not already set +[ -z "$CATALINA_HOME" ] && CATALINA_HOME=`cd "$PRGDIR/.." ; pwd` + +if [ -r "$CATALINA_HOME"/bin/setenv.sh ]; then + . 
"$CATALINA_HOME"/bin/setenv.sh +fi + +# For Cygwin, ensure paths are in UNIX format before anything is touched +if $cygwin; then + [ -n "$JAVA_HOME" ] && JAVA_HOME=`cygpath --unix "$JAVA_HOME"` + [ -n "$JRE_HOME" ] && JRE_HOME=`cygpath --unix "$JRE_HOME"` + [ -n "$CATALINA_HOME" ] && CATALINA_HOME=`cygpath --unix "$CATALINA_HOME"` + [ -n "$CATALINA_BASE" ] && CATALINA_BASE=`cygpath --unix "$CATALINA_BASE"` + [ -n "$CLASSPATH" ] && CLASSPATH=`cygpath --path --unix "$CLASSPATH"` + [ -n "$JSSE_HOME" ] && JSSE_HOME=`cygpath --absolute --unix "$JSSE_HOME"` +fi + +# For OS400 +if $os400; then + # Set job priority to standard for interactive (interactive - 6) by using + # the interactive priority - 6, the helper threads that respond to requests + # will be running at the same priority as interactive jobs. + COMMAND='chgjob job('$JOBNAME') runpty(6)' + system $COMMAND + + # Enable multi threading + export QIBM_MULTI_THREADED=Y +fi + +[ -r "$TOMCAT_CFG" ] && . "${TOMCAT_CFG}" + +### Set up defaults if they were omitted in TOMCAT_CFG +### JVM lookup +if [ -z "$JAVA_HOME" ]; then + # Search for java in PATH + JAVA=`which java` + if [ -z "$JAVA" ] ; then + JAVA_BINDIR=`dirname ${JAVA}` + JAVA_HOME="${JAVA_BINDIR}/.." 
+ fi + # Default clean JAVA_HOME + [ -z "$JAVA_HOME" -a -d "/usr/lib/java" ] && JAVA_HOME="/usr/lib/java" + # Default IBM JAVA_HOME + [ -z "$JAVA_HOME" -a -d "/opt/IBMJava2-13" ] && \ + JAVA_HOME="/opt/IBMJava2-13" + [ -z "$JAVA_HOME" -a -d "/opt/IBMJava2-131" ] && \ + JAVA_HOME="/opt/IBMJava2-131" + [ -z "$JAVA_HOME" -a -d "/opt/IBMJava2-14" ] && \ + JAVA_HOME="/opt/IBMJava2-14" + [ -z "$JAVA_HOME" -a -d "/opt/IBMJava2-141" ] && \ + JAVA_HOME="/opt/IBMJava2-141" + # Another solution + [ -z "$JAVA_HOME" -a -d "/usr/java/jdk" ] && \ + JAVA_HOME="/usr/java/jdk" + # madeinlinux JAVA_HOME + [ -z "$JAVA_HOME" -a -d "/usr/local/jdk1.2.2" ] && \ + JAVA_HOME="/usr/local/jdk1.2.2" + # Kondara JAVA_HOME + [ -z "$JAVA_HOME" -a -d "/usr/lib/java/jdk1.2.2" ] && \ + JAVA_HOME="/usr/lib/java/jdk1.2.2" + # Other commonly found JAVA_HOMEs + [ -z "$JAVA_HOME" -a -d "/usr/jdk1.2" ] && JAVA_HOME="/usr/jdk1.2" + # Default Caldera JAVA_HOME + [ -z "$JAVA_HOME" -a -d "/opt/java-1.3" ] && \ + JAVA_HOME="/opt/java-1.3" + # Add other locations here + if [ -z "$JAVA_HOME" ]; then + echo "No JAVA_HOME specified in ${TOMCAT_CFG} and no java found" + exit 1 + else + echo "Found JAVA_HOME: ${JAVA_HOME}" + echo "Please complete your ${TOMCAT_CFG} so we won't have to look for it next time" + fi +fi + +# Set juli LogManager if it is present +if [ -r "$CATALINA_HOME"/bin/tomcat-juli.jar ]; then + JAVA_OPTS="$JAVA_OPTS "-Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager +fi + +# Set standard commands for invoking Java. 
+_RUNJAVA="$JAVA_HOME"/bin/java +_RUNJAVAC="$JAVA_HOME"/bin/javac +_RUNJDB="$JAVA_HOME"/bin/jdb + +# Set standard CLASSPATH +# (always inherit any preset values from the PKI start script) +if [ ${OS} = "Linux" ] ; then + # Checking for IcedTea JVM + ICEDTEA_JVM="`java -version 2>&1 | tail -1 | awk '{print $1};'`" + if [ "${ICEDTEA_JVM}" = "IcedTea" ]; then + # using OpenJDK + CLASSPATH="$CLASSPATH":"$JAVA_HOME"/lib/rt.jar + + # add required classes to the CLASSPATH for OpenJDK + CLASSPATH="$CLASSPATH":"$JAVADIR"/commons-collections.jar + else + # NOT using OpenJDK + CLASSPATH="$CLASSPATH":"$JAVA_HOME"/lib/tools.jar + fi +elif [ ${OS} = "SunOS" ] ; then + CLASSPATH="$CLASSPATH":"$JAVA_HOME"/lib/rt.jar +fi + +# Add on extra jar files to CLASSPATH +if [ -n "$JSSE_HOME" ]; then + CLASSPATH="$CLASSPATH":"$JSSE_HOME"/lib/jcert.jar:"$JSSE_HOME"/lib/jnet.jar:"$JSSE_HOME"/lib/jsse.jar +fi + +# JPackage JSSE location check +if [ -r "$JAVADIR/jsse/jcert.jar" ]; then + CLASSPATH="$CLASSPATH":"$JAVADIR"/jsse/jcert.jar:"$JAVADIR"/jsse/jnet.jar:"$JAVADIR"/jsse/jsse.jar +fi + +if [ ${OS} = "Linux" ] ; then + CLASSPATH="$CLASSPATH":"$CATALINA_HOME"/bin/bootstrap.jar:"$CATALINA_HOME"/bin/commons-logging-api.jar:`/usr/bin/build-classpath mx4j/mx4j-impl`:`/usr/bin/build-classpath mx4j/mx4j-jmx` +elif [ ${OS} = "SunOS" ] ; then + # The following definitions are provided for Solaris + # platforms since they are unable to execute the + # "/usr/bin/build-classpath" and + # "/usr/share/java-utils/java-functions" files . . . 
+ + CLASSPATH="$CLASSPATH":"$CATALINA_HOME"/bin/bootstrap.jar + CLASSPATH="$CLASSPATH":"$CATALINA_HOME"/bin/commons-logging-api.jar + CLASSPATH="$CLASSPATH":/usr/share/java/mx4j/mx4j-impl.jar + CLASSPATH="$CLASSPATH":/usr/share/java/mx4j/mx4j-jmx.jar + CLASSPATH="$CLASSPATH":/usr/share/java/`pkiflavor`/base.jar + CLASSPATH="$CLASSPATH":/usr/share/java/`pkiflavor`/certsrv.jar + CLASSPATH="$CLASSPATH":/usr/share/java/`pkiflavor`/cms.jar + CLASSPATH="$CLASSPATH":/usr/share/java/`pkiflavor`/cms72.jar + CLASSPATH="$CLASSPATH":/usr/share/java/`pkiflavor`/cms72_en.jar + CLASSPATH="$CLASSPATH":/usr/share/java/`pkiflavor`/cmsbundle.jar + CLASSPATH="$CLASSPATH":/usr/share/java/`pkiflavor`/cmscore.jar + CLASSPATH="$CLASSPATH":/usr/share/java/`pkiflavor`/cmsutil.jar + CLASSPATH="$CLASSPATH":/usr/share/java/`pkiflavor`/cstools.jar + CLASSPATH="$CLASSPATH":/usr/share/java/`pkiflavor`/mcc70.jar + CLASSPATH="$CLASSPATH":/usr/share/java/`pkiflavor`/mcc70_en.jar + CLASSPATH="$CLASSPATH":/usr/share/java/`pkiflavor`/nmclf70.jar + CLASSPATH="$CLASSPATH":/usr/share/java/`pkiflavor`/nmclf70_en.jar + CLASSPATH="$CLASSPATH":/usr/share/java/`pkiflavor`/nsutil.jar + + if [ -d /usr/share/java/`pkiflavor`/ca ]; then + CLASSPATH="$CLASSPATH":/usr/share/java/`pkiflavor`/ca/ca.jar + fi + if [ -d /usr/share/java/`pkiflavor`/kra ]; then + CLASSPATH="$CLASSPATH":/usr/share/java/`pkiflavor`/kra/kra.jar + fi + if [ -d /usr/share/java/`pkiflavor`/ocsp ]; then + CLASSPATH="$CLASSPATH":/usr/share/java/`pkiflavor`/ocsp/ocsp.jar + fi + if [ -d /usr/share/java/`pkiflavor`/tks ]; then + CLASSPATH="$CLASSPATH":/usr/share/java/`pkiflavor`/tks/tks.jar + fi +fi + +if [ -z "$CATALINA_BASE" ] ; then + CATALINA_BASE="$CATALINA_HOME" +fi + +if [ -z "$CATALINA_TMPDIR" ] ; then + # Define the java.io.tmpdir to use for Catalina + CATALINA_TMPDIR="$CATALINA_BASE"/temp +fi + +if [ -z "$CATALINA_PID" ] ; then + export CATALINA_PID=/var/run/tomcat5.pid +fi + +# For Cygwin, switch paths to Windows format before running java 
+if $cygwin; then + JAVA_HOME=`cygpath --absolute --windows "$JAVA_HOME"` + JRE_HOME=`cygpath --absolute --windows "$JRE_HOME"` + CATALINA_HOME=`cygpath --absolute --windows "$CATALINA_HOME"` + CATALINA_BASE=`cygpath --absolute --windows "$CATALINA_BASE"` + CATALINA_TMPDIR=`cygpath --absolute --windows "$CATALINA_TMPDIR"` + CLASSPATH=`cygpath --path --windows "$CLASSPATH"` + [ -n "$JSSE_HOME" ] && JSSE_HOME=`cygpath --absolute --windows "$JSSE_HOME"` + JAVA_ENDORSED_DIRS=`cygpath --path --windows "$JAVA_ENDORSED_DIRS"` +fi + +# ----- Execute The Requested Command ----------------------------------------- +echo "Using CATALINA_PID $CATALINA_PID" +echo "Using CATALINA_BASE: $CATALINA_BASE" +echo "Using CATALINA_HOME: $CATALINA_HOME" +echo "Using CATALINA_TMPDIR: $CATALINA_TMPDIR" +if [ "$1" = "debug" -o "$1" = "javac" ] ; then + echo "Using JAVA_HOME: $JAVA_HOME" +else + echo "Using JRE_HOME: $JRE_HOME" +fi + +if [ "$1" = "jpda" ] ; then + if [ -z "$JPDA_TRANSPORT" ]; then + JPDA_TRANSPORT="dt_socket" + fi + if [ -z "$JPDA_ADDRESS" ]; then + JPDA_ADDRESS="8000" + fi + if [ -z "$JPDA_OPTS" ]; then + JPDA_OPTS="-Xdebug -Xrunjdwp:transport=$JPDA_TRANSPORT,address=$JPDA_ADDRESS,server=y,suspend=n" + fi + CATALINA_OPTS="$CATALINA_OPTS $JPDA_OPTS" + shift +fi + +if [ "$1" = "debug" ] ; then + if $os400; then + echo "Debug command not available on OS400" + exit 1 + else + shift + if [ "$1" = "-security" ] ; then + echo "Using Security Manager" + shift + exec "$_RUNJDB" $JAVA_OPTS $CATALINA_OPTS \ + -Djava.endorsed.dirs="$JAVA_ENDORSED_DIRS" -classpath "$CLASSPATH" \ + -sourcepath "$CATALINA_HOME"/../../jakarta-tomcat-catalina/catalina/src/share \ + -Djava.security.manager \ + -Djava.security.policy=="$CATALINA_BASE"/conf/catalina.policy \ + -Dcatalina.base="$CATALINA_BASE" \ + -Dcatalina.home="$CATALINA_HOME" \ + -Djava.io.tmpdir="$CATALINA_TMPDIR" \ + org.apache.catalina.startup.Bootstrap "$@" start + else + exec "$_RUNJDB" $JAVA_OPTS $CATALINA_OPTS \ + 
-Djava.endorsed.dirs="$JAVA_ENDORSED_DIRS" -classpath "$CLASSPATH" \ + -sourcepath "$CATALINA_HOME"/../../jakarta-tomcat-catalina/catalina/src/share \ + -Dcatalina.base="$CATALINA_BASE" \ + -Dcatalina.home="$CATALINA_HOME" \ + -Djava.io.tmpdir="$CATALINA_TMPDIR" \ + org.apache.catalina.startup.Bootstrap "$@" start + fi + fi + +elif [ "$1" = "run" ]; then + + shift + if [ "$1" = "-security" ] ; then + echo "Using Security Manager" + shift + exec "$_RUNJAVA" $JAVA_OPTS $CATALINA_OPTS \ + -Djava.endorsed.dirs="$JAVA_ENDORSED_DIRS" -classpath "$CLASSPATH" \ + -Djava.security.manager \ + -Djava.security.policy=="$CATALINA_BASE"/conf/catalina.policy \ + -Dcatalina.base="$CATALINA_BASE" \ + -Dcatalina.home="$CATALINA_HOME" \ + -Djava.io.tmpdir="$CATALINA_TMPDIR" \ + org.apache.catalina.startup.Bootstrap "$@" start + else + exec "$_RUNJAVA" $JAVA_OPTS $CATALINA_OPTS \ + -Djava.endorsed.dirs="$JAVA_ENDORSED_DIRS" -classpath "$CLASSPATH" \ + -Dcatalina.base="$CATALINA_BASE" \ + -Dcatalina.home="$CATALINA_HOME" \ + -Djava.io.tmpdir="$CATALINA_TMPDIR" \ + org.apache.catalina.startup.Bootstrap "$@" start + fi + +elif [ "$1" = "start" ] ; then + + shift + touch "$CATALINA_BASE"/logs/catalina.out + if [ "$1" = "-security" ] ; then + echo "Using Security Manager" + shift + "$_RUNJAVA" $JAVA_OPTS $CATALINA_OPTS \ + -Djava.endorsed.dirs="$JAVA_ENDORSED_DIRS" -classpath "$CLASSPATH" \ + -Djava.security.manager \ + -Djava.security.policy=="$CATALINA_BASE"/conf/catalina.policy \ + -Dcatalina.base="$CATALINA_BASE" \ + -Dcatalina.home="$CATALINA_HOME" \ + -Djava.io.tmpdir="$CATALINA_TMPDIR" \ + org.apache.catalina.startup.Bootstrap "$@" start \ + >> "$CATALINA_BASE"/logs/catalina.out 2>&1 & + + if [ ! -z "$CATALINA_PID" ]; then + echo $! 
> $CATALINA_PID + fi + else + "$_RUNJAVA" $JAVA_OPTS $CATALINA_OPTS \ + -Djava.endorsed.dirs="$JAVA_ENDORSED_DIRS" -classpath "$CLASSPATH" \ + -Dcatalina.base="$CATALINA_BASE" \ + -Dcatalina.home="$CATALINA_HOME" \ + -Djava.io.tmpdir="$CATALINA_TMPDIR" \ + org.apache.catalina.startup.Bootstrap "$@" start \ + >> "$CATALINA_BASE"/logs/catalina.out 2>&1 & + + if [ ! -z "$CATALINA_PID" ]; then + echo $! > $CATALINA_PID + fi + fi + +elif [ "$1" = "stop" ] ; then + + shift + FORCE=0 + if [ "$1" = "-force" ]; then + shift + FORCE=1 + fi + + "$_RUNJAVA" $JAVA_OPTS $CATALINA_OPTS \ + -Djava.endorsed.dirs="$JAVA_ENDORSED_DIRS" -classpath "$CLASSPATH" \ + -Dcatalina.base="$CATALINA_BASE" \ + -Dcatalina.home="$CATALINA_HOME" \ + -Djava.io.tmpdir="$CATALINA_TMPDIR" \ + org.apache.catalina.startup.Bootstrap "$@" stop + + if [ $FORCE -eq 1 ]; then + if [ ! -z "$CATALINA_PID" ]; then + echo "Killing: `cat $CATALINA_PID`" + kill -9 `cat $CATALINA_PID` + fi + fi + +elif [ "$1" = "version" ] ; then + + "$_RUNJAVA" \ + -classpath "$CATALINA_HOME/server/lib/catalina.jar" \ + org.apache.catalina.util.ServerInfo + +else + + echo "Usage: dtomcat5 ( commands ... )" + echo "commands:" + if $os400; then + echo " debug Start Catalina in a debugger (not available on OS400)" + echo " debug -security Debug Catalina with a security manager (not available on OS400)" + else + echo " debug Start Catalina in a debugger" + echo " debug -security Debug Catalina with a security manager" + fi + echo " jpda start Start Catalina under JPDA debugger" + echo " run Start Catalina in the current window" + echo " run -security Start in the current window with security manager" + echo " start Start Catalina in a separate window" + echo " start -security Start in a separate window with security manager" + echo " stop Stop Catalina" + echo " stop -force Stop Catalina (followed by kill -KILL)" + echo " version What version of tomcat are you running?" + exit 1 + +fi 
diff --git a/pki/base/ca/shared/conf/flatfile.txt b/pki/base/ca/shared/conf/flatfile.txt
new file mode 100644
index 000000000..75defd1da
--- /dev/null
+++ b/pki/base/ca/shared/conf/flatfile.txt
@@ -0,0 +1,2 @@
+#UID:172.16.24.238
+#PWD:1212
diff --git a/pki/base/ca/shared/conf/index.ldif b/pki/base/ca/shared/conf/index.ldif
new file mode 100644
index 000000000..c1eecc19d
--- /dev/null
+++ b/pki/base/ca/shared/conf/index.ldif
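Review bot: The two sample entries `#UID:172.16.24.238` and `#PWD:1212` read like a real address and a short numeric password rather than obviously synthetic placeholders, and the file is added with mode 100644. Presumably this file is consumed by the flat-file authentication plugin and will hold credentials in clear text once the entries are uncommented, so I'd make the example unmistakably fake, e.g. `#UID:<client-uid-or-address>` and `#PWD:<client-password>`, and add a header comment stating that the file must be readable only by the CA service user. A one-line comment naming the expected `UID:`/`PWD:` line format would also help, since nothing in the file currently explains it.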
@@ -0,0 +1,177 @@ +dn: cn=revokedby,cn=index,cn={database},cn=ldbm database, cn=plugins, cn=config +objectClass: top +objectClass: nsIndex +nsIndexType: eq +nsSystemIndex: false +cn: revokedby + +dn: cn=issuedby,cn=index,cn={database},cn=ldbm database, cn=plugins, cn=config +objectClass: top +objectClass: nsIndex +nsIndexType: eq +nsSystemIndex: false +cn: issuedby + +dn: cn=publicKeyData,cn=index,cn={database},cn=ldbm database, cn=plugins, cn=config +objectClass: top +objectClass: nsIndex +nsIndexType: eq +nsSystemIndex: false +cn: publicKeyData + +dn: cn=description,cn=index,cn={database},cn=ldbm database, cn=plugins, cn=config +objectClass: top +objectClass: nsIndex +nsIndexType: eq +nsIndexType: pres +nsSystemIndex: false +cn: description + +dn: cn=serialno,cn=index,cn={database},cn=ldbm database, cn=plugins, cn=config +objectClass: top +objectClass: nsIndex +nsIndexType: eq +nsIndexType: pres +nsSystemIndex: false +cn: serialno + +dn: cn=metaInfo,cn=index,cn={database},cn=ldbm database, cn=plugins, cn=config +objectClass: top +objectClass: nsIndex +nsIndexType: eq +nsIndexType: pres +nsSystemIndex: false +cn: metaInfo + +dn: cn=certstatus,cn=index,cn={database},cn=ldbm database, cn=plugins, cn=config +objectClass: top +objectClass: nsIndex +nsIndexType: eq +nsIndexType: pres +nsSystemIndex: false +cn: certstatus + +dn: cn=requestid,cn=index,cn={database},cn=ldbm database, cn=plugins, cn=config +objectClass: top +objectClass: nsIndex +nsIndexType: eq +nsIndexType: pres +nsSystemIndex: false +cn: requestid + +dn: cn=requesttype,cn=index,cn={database},cn=ldbm database, cn=plugins, cn=config +objectClass: top +objectClass: nsIndex +nsIndexType: eq +nsIndexType: pres +nsSystemIndex: false +cn: requesttype + +dn: cn=requeststate,cn=index,cn={database},cn=ldbm database, cn=plugins, cn=config +objectClass: top +objectClass: nsIndex +nsIndexType: eq +nsIndexType: pres +nsSystemIndex: false +cn: requeststate + +dn: cn=requestowner,cn=index,cn={database},cn=ldbm 
database, cn=plugins, cn=config +objectClass: top +objectClass: nsIndex +nsIndexType: eq +nsIndexType: pres +nsSystemIndex: false +cn: requestowner + +dn: cn=notbefore,cn=index,cn={database},cn=ldbm database, cn=plugins, cn=config +objectClass: top +objectClass: nsIndex +nsIndexType: eq +nsIndexType: pres +nsSystemIndex: false +cn: notbefore + +dn: cn=notafter,cn=index,cn={database},cn=ldbm database, cn=plugins, cn=config +objectClass: top +objectClass: nsIndex +nsIndexType: eq +nsIndexType: pres +nsSystemIndex: false +cn: notafter + +dn: cn=duration,cn=index,cn={database},cn=ldbm database, cn=plugins, cn=config +objectClass: top +objectClass: nsIndex +nsIndexType: eq +nsIndexType: pres +nsSystemIndex: false +cn: duration + +dn: cn=dateOfCreate,cn=index,cn={database},cn=ldbm database, cn=plugins, cn=config +objectClass: top +objectClass: nsIndex +nsIndexType: eq +nsIndexType: pres +nsSystemIndex: false +cn: dateOfCreate + +dn: cn=revokedOn,cn=index,cn={database},cn=ldbm database, cn=plugins, cn=config +objectClass: top +objectClass: nsIndex +nsIndexType: eq +nsIndexType: pres +nsSystemIndex: false +cn: revokedOn + +dn: cn=archivedBy,cn=index,cn={database},cn=ldbm database, cn=plugins, cn=config +objectClass: top +objectClass: nsIndex +nsIndexType: eq +nsIndexType: pres +nsSystemIndex: false +cn: archivedBy + +dn: cn=ownername,cn=index,cn={database},cn=ldbm database, cn=plugins, cn=config +objectClass: top +objectClass: nsIndex +nsIndexType: eq +nsIndexType: pres +nsIndexType: sub +nsSystemIndex: false +cn: ownername + +dn: cn=subjectname,cn=index,cn={database},cn=ldbm database, cn=plugins, cn=config +objectClass: top +objectClass: nsIndex +nsIndexType: eq +nsIndexType: pres +nsIndexType: sub +nsSystemIndex: false +cn: subjectname + +dn: cn=requestsourceid,cn=index,cn={database},cn=ldbm database, cn=plugins, cn=config +objectClass: top +objectClass: nsIndex +nsIndexType: eq +nsIndexType: pres +nsIndexType: sub +nsSystemIndex: false +cn: requestsourceid + +dn: 
cn=revInfo,cn=index,cn={database},cn=ldbm database, cn=plugins, cn=config
+objectClass: top
+objectClass: nsIndex
+nsIndexType: eq
+nsIndexType: pres
+nsIndexType: sub
+nsSystemIndex: false
+cn: revInfo
+
+dn: cn=extension,cn=index,cn={database},cn=ldbm database, cn=plugins, cn=config
+objectClass: top
+objectClass: nsIndex
+nsIndexType: eq
+nsIndexType: pres
+nsIndexType: sub
+nsSystemIndex: false
+cn: extension
diff --git a/pki/base/ca/shared/conf/jk2.manifest b/pki/base/ca/shared/conf/jk2.manifest
new file mode 100644
index 000000000..986d7b874
--- /dev/null
+++ b/pki/base/ca/shared/conf/jk2.manifest
@@ -0,0 +1,2 @@
+Main-Class: org.apache.jk.apr.TomcatStarter
+Class-Path: ../lib/tomcat.jar log4j.jar log4j-core.jar ../lib/common/log4j.jar ../lib/common/log4j-core.jar ../lib/common/classes ../lib/common/commons-logging.jar bootstrap.jar ../server/lib/commons-logging.jar ../server/lib/jmx.jar jmx.jar commons-logging-api.jar
diff --git a/pki/base/ca/shared/conf/jk2.properties b/pki/base/ca/shared/conf/jk2.properties
new file mode 100644
index 000000000..093bae802
--- /dev/null
+++ b/pki/base/ca/shared/conf/jk2.properties
@@ -0,0 +1,26 @@
+## THIS FILE MAY BE OVERRIDEN AT RUNTIME. MAKE SURE TOMCAT IS STOPED
+## WHEN YOU EDIT THE FILE.
+
+## COMMENTS WILL BE _LOST_
+
+## DOCUMENTATION OF THE FORMAT IN JkMain javadoc.
+
+# Set the desired handler list
+# handler.list=apr,request,channelJni
+#
+# Override the default port for the socketChannel
+# channelSocket.port=8019
+# Default:
+# channelUnix.file=${jkHome}/work/jk2.socket
+# Just to check if the the config is working
+# shm.file=${jkHome}/work/jk2.shm
+
+# In order to enable jni use any channelJni directive
+# channelJni.disabled = 0
+# And one of the following directives:
+
+# apr.jniModeSo=/opt/apache2/modules/mod_jk2.so
+
+# If set to inprocess the mod_jk2 will Register natives itself
+# This will enable the starting of the Tomcat from mod_jk2
+# apr.jniModeSo=inprocess
diff --git a/pki/base/ca/shared/conf/jkconf.ant.xml b/pki/base/ca/shared/conf/jkconf.ant.xml
new file mode 100644
index 000000000..245cf98e2
--- /dev/null
+++ b/pki/base/ca/shared/conf/jkconf.ant.xml
@@ -0,0 +1,51 @@
+<project name="jkconf" default="main" basedir=".">
+
+ <target name="init-3x" if="33.detect">
+ <taskdef name="jkconf"
+ classname="org.apache.jk.config.WebXml2Jk" >
+ <classpath>
+ <!-- 3.3 support -->
+ <pathelement location="/ws/jtc/jk/build/classes" />
+ <pathelement location="${tomcat.home}/lib/container/tomcat-jk2.jar" />
+ <pathelement location="${tomcat.home}/lib/container/crimson.jar"/>
+ <pathelement location="${tomcat.home}/lib/common/commons-logging.jar"/>
+ </classpath>
+ </taskdef>
+ </target>
+
+ <target name="init-4x" if="4x.detect" >
+ <path id="main.classpath">
+ <!-- 3.3 support -->
+ <fileset dir="${tomcat.home}/lib" includes="*.jar" />
+ <fileset dir="${tomcat.home}/server/lib" includes="*.jar" />
+ <fileset dir="${tomcat.home}/common/lib" includes="*.jar" />
+ </path>
+
+ <taskdef name="jkconf" classpathref="main.classpath"
+ classname="org.apache.jk.config.WebXml2Jk" />
+ </target>
+
+ <target name="detect" >
+ <property file="build.properties"/>
+ <property file="${user.home}/build.properties"/>
+ <property file="${user.home}/.build.properties"/>
+
+ <!-- default locations, overrident by properties.
+ This file must be installed in conf/ -->
+ <property name="tomcat.home" location=".." />
+
+ <available property="33.detect" file="${tomcat.home}/lib/container" />
+ <available property="4x.detect" file="${tomcat.home}/server/lib" />
+ </target>
+
+ <target name="init" depends="detect,init-3x,init-4x" />
+
+ <!-- ==================== Detection and reports ==================== -->
+
+
+ <target name="main" depends="init">
+ <jkconf docBase="${tomcat.home}/webapps/examples"
+ context="/examples" />
+ </target>
+
+</project>
diff --git a/pki/base/ca/shared/conf/jkconfig.manifest b/pki/base/ca/shared/conf/jkconfig.manifest
new file mode 100644
index 000000000..3ba1f2e3e
--- /dev/null
+++ b/pki/base/ca/shared/conf/jkconfig.manifest
@@ -0,0 +1,2 @@
+Main-Class: org.apache.jk.config.WebXml2Jk
+Class-Path: tomcat-jk2.jar commons-logging.jar crimson.jar xercesImpl.jar xmlApis.jar tomcat-util.jar log4j.jar log4j-core.jar
diff --git a/pki/base/ca/shared/conf/registry.cfg b/pki/base/ca/shared/conf/registry.cfg
new file mode 100644
index 000000000..807ebdd4d
--- /dev/null
+++ b/pki/base/ca/shared/conf/registry.cfg
@@ -0,0 +1,217 @@ +types=profile,defaultPolicy,constraintPolicy,profileInput,profileOutput,profileUpdater +constraintPolicy.ids=noConstraintImpl,subjectNameConstraintImpl,uniqueSubjectNameConstraintImpl,validityConstraintImpl,keyUsageExtConstraintImpl,nsCertTypeExtConstraintImpl,extendedKeyUsageExtConstraintImpl,keyConstraintImpl,basicConstraintsExtConstraintImpl,extensionConstraintImpl,signingAlgConstraintImpl,uniqueKeyConstraintImpl +constraintPolicy.signingAlgConstraintImpl.class=com.netscape.cms.profile.constraint.SigningAlgConstraint +constraintPolicy.signingAlgConstraintImpl.desc=Signing Algorithm Constraint +constraintPolicy.signingAlgConstraintImpl.name=Signing Algorithm Constraint +constraintPolicy.extensionConstraintImpl.class=com.netscape.cms.profile.constraint.ExtensionConstraint +constraintPolicy.extensionConstraintImpl.desc=Extension Constraint +constraintPolicy.extensionConstraintImpl.name=Extension Constraint +constraintPolicy.basicConstraintsExtConstraintImpl.class=com.netscape.cms.profile.constraint.BasicConstraintsExtConstraint +constraintPolicy.basicConstraintsExtConstraintImpl.desc=Basic Constraints Extension Constraint +constraintPolicy.basicConstraintsExtConstraintImpl.name=Basic Constraints Extension Constraint +constraintPolicy.keyConstraintImpl.class=com.netscape.cms.profile.constraint.KeyConstraint +constraintPolicy.keyConstraintImpl.desc=Key Constraint +constraintPolicy.keyConstraintImpl.name=Key Constraint +constraintPolicy.extendedKeyUsageExtConstraintImpl.class=com.netscape.cms.profile.constraint.ExtendedKeyUsageExtConstraint +constraintPolicy.extendedKeyUsageExtConstraintImpl.desc=Extended Key Usage Extension Constraint +constraintPolicy.extendedKeyUsageExtConstraintImpl.name=Extended Key Usage Extension Constraint +constraintPolicy.keyUsageExtConstraintImpl.class=com.netscape.cms.profile.constraint.KeyUsageExtConstraint +constraintPolicy.keyUsageExtConstraintImpl.desc=Key Usage Extension Constraint 
+constraintPolicy.keyUsageExtConstraintImpl.name=Key Usage Extension Constraint +constraintPolicy.nsCertTypeExtConstraintImpl.class=com.netscape.cms.profile.constraint.NSCertTypeExtConstraint +constraintPolicy.nsCertTypeExtConstraintImpl.desc=Netscape Certificate Type Extension Constraint +constraintPolicy.nsCertTypeExtConstraintImpl.name=Netscape Certificate Type Extension Constraint +constraintPolicy.noConstraintImpl.class=com.netscape.cms.profile.constraint.NoConstraint +constraintPolicy.noConstraintImpl.desc=No Constraint +constraintPolicy.noConstraintImpl.name=No Constraint +constraintPolicy.subjectNameConstraintImpl.class=com.netscape.cms.profile.constraint.SubjectNameConstraint +constraintPolicy.subjectNameConstraintImpl.desc=Subject Name Constraint +constraintPolicy.subjectNameConstraintImpl.name=Subject Name Constraint +constraintPolicy.uniqueSubjectNameConstraintImpl.class=com.netscape.cms.profile.constraint.UniqueSubjectNameConstraint +constraintPolicy.uniqueSubjectNameConstraintImpl.desc=Unique Subject Name Constraint +constraintPolicy.uniqueSubjectNameConstraintImpl.name=Unique Subject Name Constraint +constraintPolicy.validityConstraintImpl.class=com.netscape.cms.profile.constraint.ValidityConstraint +constraintPolicy.validityConstraintImpl.desc=Validity Constraint +constraintPolicy.validityConstraintImpl.name=Validity Constraint +constraintPolicy.uniqueKeyConstraintImpl.class=com.netscape.cms.profile.constraint.UniqueKeyConstraint +constraintPolicy.uniqueKeyConstraintImpl.desc=Unique Public Key Constraint +constraintPolicy.uniqueKeyConstraintImpl.name=Unique Public Key Constraint 
+defaultPolicy.ids=noDefaultImpl,genericExtDefaultImpl,autoAssignDefaultImpl,subjectNameDefaultImpl,validityDefaultImpl,subjectKeyIdentifierExtDefaultImpl,authorityKeyIdentifierExtDefaultImpl,basicConstraintsExtDefaultImpl,keyUsageExtDefaultImpl,nsCertTypeExtDefaultImpl,extendedKeyUsageExtDefaultImpl,ocspNoCheckExtDefaultImpl,issuerAltNameExtDefaultImpl,subjectAltNameExtDefaultImpl,userSubjectNameDefaultImpl,signingAlgDefaultImpl,userKeyDefaultImpl,userValidityDefaultImpl,userExtensionDefaultImpl,userSigningAlgDefaultImpl,authTokenSubjectNameDefaultImpl,subjectInfoAccessExtDefaultImpl,authInfoAccessExtDefaultImpl,nscCommentExtDefaultImpl,freshestCRLExtDefaultImpl,crlDistributionPointsExtDefaultImpl,policyConstraintsExtDefaultImpl,policyMappingsExtDefaultImpl,nameConstraintsExtDefaultImpl,certificateVersionDefaultImpl,certificatePoliciesExtDefaultImpl,subjectDirAttributesExtDefaultImpl,privateKeyPeriodExtDefaultImpl,inhibitAnyPolicyExtDefaultImpl,imageDefaultImpl,nsTokenDeviceKeySubjectNameDefaultImpl,nsTokenUserKeySubjectNameDefaultImpl +defaultPolicy.autoAssignDefaultImpl.class=com.netscape.cms.profile.def.AutoAssignDefault +defaultPolicy.autoAssignDefaultImpl.desc=Auto Request Assignment Default +defaultPolicy.autoAssignDefaultImpl.name=Auto Request Assignment Default +defaultPolicy.genericExtDefaultImpl.class=com.netscape.cms.profile.def.GenericExtDefault +defaultPolicy.genericExtDefaultImpl.desc=Generic Extension +defaultPolicy.genericExtDefaultImpl.name=Generic Extension +defaultPolicy.imageDefaultImpl.class=com.netscape.cms.profile.def.ImageDefault +defaultPolicy.imageDefaultImpl.desc=Image Default +defaultPolicy.imageDefaultImpl.name=Image Default +defaultPolicy.privateKeyPeriodExtDefaultImpl.class=com.netscape.cms.profile.def.PrivateKeyUsagePeriodExtDefault +defaultPolicy.privateKeyPeriodExtDefaultImpl.desc=Private Key Period Ext Default +defaultPolicy.privateKeyPeriodExtDefaultImpl.name=Private Key Period Ext Default 
+defaultPolicy.authTokenSubjectNameDefaultImpl.class=com.netscape.cms.profile.def.AuthTokenSubjectNameDefault +defaultPolicy.authTokenSubjectNameDefaultImpl.desc=Token Supplied Subject Name Default +defaultPolicy.authTokenSubjectNameDefaultImpl.name=Token Supplied Subject Name Default +defaultPolicy.userSubjectNameDefaultImpl.class=com.netscape.cms.profile.def.UserSubjectNameDefault +defaultPolicy.userSubjectNameDefaultImpl.desc=User Supplied Subject Name Default +defaultPolicy.userSubjectNameDefaultImpl.name=User Supplied Subject Name Default +defaultPolicy.userKeyDefaultImpl.class=com.netscape.cms.profile.def.UserKeyDefault +defaultPolicy.userKeyDefaultImpl.desc=User Supplied Key Default +defaultPolicy.userKeyDefaultImpl.name=User Supplied Key Default +defaultPolicy.userValidityDefaultImpl.class=com.netscape.cms.profile.def.UserValidityDefault +defaultPolicy.userValidityDefaultImpl.desc=User Supplied Validity Default +defaultPolicy.userValidityDefaultImpl.name=User Supplied Validity Default +defaultPolicy.userExtensionDefaultImpl.class=com.netscape.cms.profile.def.UserExtensionDefault +defaultPolicy.userExtensionDefaultImpl.desc=User Supplied Extension Default +defaultPolicy.userExtensionDefaultImpl.name=User Supplied Extension Default +defaultPolicy.userSigningAlgDefaultImpl.class=com.netscape.cms.profile.def.UserSigningAlgDefault +defaultPolicy.userSigningAlgDefaultImpl.desc=User Supplied Signing Alg Default +defaultPolicy.userSigningAlgDefaultImpl.name=User Supplied Signing Alg Default +defaultPolicy.signingAlgDefaultImpl.class=com.netscape.cms.profile.def.SigningAlgDefault +defaultPolicy.signingAlgDefaultImpl.desc=Signing Algorithm Default +defaultPolicy.signingAlgDefaultImpl.name=Signing Algorithm Default +defaultPolicy.authorityKeyIdentifierExtDefaultImpl.class=com.netscape.cms.profile.def.AuthorityKeyIdentifierExtDefault +defaultPolicy.authorityKeyIdentifierExtDefaultImpl.desc=Authority Key Identifier Extension Default 
+defaultPolicy.authorityKeyIdentifierExtDefaultImpl.name=Authority Key Identifier Extension Default +defaultPolicy.basicConstraintsExtDefaultImpl.class=com.netscape.cms.profile.def.BasicConstraintsExtDefault +defaultPolicy.basicConstraintsExtDefaultImpl.desc=Basic Constraints Extension Default +defaultPolicy.basicConstraintsExtDefaultImpl.name=Basic Constraints Extension Default +defaultPolicy.extendedKeyUsageExtDefaultImpl.class=com.netscape.cms.profile.def.ExtendedKeyUsageExtDefault +defaultPolicy.extendedKeyUsageExtDefaultImpl.desc=Extended Key Usage Extension Default +defaultPolicy.extendedKeyUsageExtDefaultImpl.name=Extended Key Usage Extension Default +defaultPolicy.keyUsageExtDefaultImpl.class=com.netscape.cms.profile.def.KeyUsageExtDefault +defaultPolicy.keyUsageExtDefaultImpl.desc=Key Usage Extension Default +defaultPolicy.keyUsageExtDefaultImpl.name=Key Usage Extension Default +defaultPolicy.noDefaultImpl.class=com.netscape.cms.profile.def.NoDefault +defaultPolicy.noDefaultImpl.desc=No Default +defaultPolicy.noDefaultImpl.name=No Default +defaultPolicy.nsCertTypeExtDefaultImpl.desc=Netscape Certificate Type Extension Default +defaultPolicy.nsCertTypeExtDefaultImpl.name=Netscape Certificate Type Extension Default +defaultPolicy.nsCertTypeExtDefaultImpl.class=com.netscape.cms.profile.def.NSCertTypeExtDefault +defaultPolicy.nsTokenDeviceKeySubjectNameDefaultImpl.class=com.netscape.cms.profile.def.nsTokenDeviceKeySubjectNameDefault +defaultPolicy.nsTokenDeviceKeySubjectNameDefaultImpl.desc=nsTokenDeviceKeySubjectNameDefaultImpl +defaultPolicy.nsTokenDeviceKeySubjectNameDefaultImpl.name=nsTokenDeviceKeySubjectNameDefault +defaultPolicy.nsTokenUserKeySubjectNameDefaultImpl.class=com.netscape.cms.profile.def.nsTokenUserKeySubjectNameDefault +defaultPolicy.nsTokenUserKeySubjectNameDefaultImpl.desc=nsTokenUserKeySubjectNameDefaultImpl +defaultPolicy.nsTokenUserKeySubjectNameDefaultImpl.name=nsTokenUserKeySubjectNameDefault 
+defaultPolicy.ocspNoCheckExtDefaultImpl.class=com.netscape.cms.profile.def.OCSPNoCheckExtDefault +defaultPolicy.ocspNoCheckExtDefaultImpl.desc=OCSP No Check Extension Default +defaultPolicy.ocspNoCheckExtDefaultImpl.name=OCSP No Check Extension Default +defaultPolicy.issuerAltNameExtDefaultImpl.class=com.netscape.cms.profile.def.IssuerAltNameExtDefault +defaultPolicy.issuerAltNameExtDefaultImpl.desc=Issuer Alternative Name Extension Default +defaultPolicy.issuerAltNameExtDefaultImpl.name=Issuer Alternative Name Extension Default +defaultPolicy.subjectAltNameExtDefaultImpl.class=com.netscape.cms.profile.def.SubjectAltNameExtDefault +defaultPolicy.subjectAltNameExtDefaultImpl.desc=Subject Alternative Name Extension Default +defaultPolicy.subjectAltNameExtDefaultImpl.name=Subject Alternative Name Extension Default +defaultPolicy.subjectKeyIdentifierExtDefaultImpl.class=com.netscape.cms.profile.def.SubjectKeyIdentifierExtDefault +defaultPolicy.subjectKeyIdentifierExtDefaultImpl.desc=Subject Key Identifier Default +defaultPolicy.subjectKeyIdentifierExtDefaultImpl.name=Subject Key Identifier Default +defaultPolicy.subjectNameDefaultImpl.class=com.netscape.cms.profile.def.SubjectNameDefault +defaultPolicy.subjectNameDefaultImpl.desc=Subject Name Default +defaultPolicy.subjectNameDefaultImpl.name=Subject Name Default +defaultPolicy.validityDefaultImpl.class=com.netscape.cms.profile.def.ValidityDefault +defaultPolicy.validityDefaultImpl.desc=Validty Default +defaultPolicy.validityDefaultImpl.name=Validity Default +defaultPolicy.subjectInfoAccessExtDefaultImpl.class=com.netscape.cms.profile.def.SubjectInfoAccessExtDefault +defaultPolicy.subjectInfoAccessExtDefaultImpl.desc=Subject Info Access Extension Default +defaultPolicy.subjectInfoAccessExtDefaultImpl.name=Subject Info Access Extension Default +defaultPolicy.authInfoAccessExtDefaultImpl.class=com.netscape.cms.profile.def.AuthInfoAccessExtDefault +defaultPolicy.authInfoAccessExtDefaultImpl.desc=Authority Info Access 
Extension Default +defaultPolicy.authInfoAccessExtDefaultImpl.name=Authority Info Access Extension Default +defaultPolicy.nscCommentExtDefaultImpl.class=com.netscape.cms.profile.def.NSCCommentExtDefault +defaultPolicy.nscCommentExtDefaultImpl.desc=Netscape Comment Extension Default +defaultPolicy.nscCommentExtDefaultImpl.name=Netscape Comment Extension Default +defaultPolicy.freshestCRLExtDefaultImpl.class=com.netscape.cms.profile.def.FreshestCRLExtDefault +defaultPolicy.freshestCRLExtDefaultImpl.desc=Freshest CRL Extension Default +defaultPolicy.freshestCRLExtDefaultImpl.name=Freshest CRL Extension Default +defaultPolicy.crlDistributionPointsExtDefaultImpl.class=com.netscape.cms.profile.def.CRLDistributionPointsExtDefault +defaultPolicy.crlDistributionPointsExtDefaultImpl.desc=CRL Distribution Points Extension Default +defaultPolicy.crlDistributionPointsExtDefaultImpl.name=CRL Distribution Points Extension Default +defaultPolicy.policyConstraintsExtDefaultImpl.class=com.netscape.cms.profile.def.PolicyConstraintsExtDefault +defaultPolicy.policyConstraintsExtDefaultImpl.desc=Policy Constraints Extension Default +defaultPolicy.policyConstraintsExtDefaultImpl.name=Policy Constraints Extension Default +defaultPolicy.policyMappingsExtDefaultImpl.class=com.netscape.cms.profile.def.PolicyMappingsExtDefault +defaultPolicy.policyMappingsExtDefaultImpl.desc=Policy Mappings Extension Default +defaultPolicy.policyMappingsExtDefaultImpl.name=Policy Mappings Extension Default +defaultPolicy.nameConstraintsExtDefaultImpl.class=com.netscape.cms.profile.def.NameConstraintsExtDefault +defaultPolicy.nameConstraintsExtDefaultImpl.desc=Name Constraints Extension Default +defaultPolicy.nameConstraintsExtDefaultImpl.name=Name Constraints Extension Default +defaultPolicy.certificateVersionDefaultImpl.class=com.netscape.cms.profile.def.CertificateVersionDefault +defaultPolicy.certificateVersionDefaultImpl.desc=Certificate Version Default 
+defaultPolicy.certificateVersionDefaultImpl.name=Certificate Version Default +defaultPolicy.certificatePoliciesExtDefaultImpl.class=com.netscape.cms.profile.def.CertificatePoliciesExtDefault +defaultPolicy.certificatePoliciesExtDefaultImpl.desc=Certificate Policies Extension Default +defaultPolicy.certificatePoliciesExtDefaultImpl.name=Certificate Policies Extension Default +defaultPolicy.subjectDirAttributesExtDefaultImpl.class=com.netscape.cms.profile.def.SubjectDirAttributesExtDefault +defaultPolicy.subjectDirAttributesExtDefaultImpl.desc=Subject Directory Attributes Extension Default +defaultPolicy.subjectDirAttributesExtDefaultImpl.name=Subject Directory Attributes Extension Default +defaultPolicy.inhibitAnyPolicyExtDefaultImpl.class=com.netscape.cms.profile.def.InhibitAnyPolicyExtDefault +defaultPolicy.inhibitAnyPolicyExtDefaultImpl.desc=Inhibit Any-Policy Extension Default +defaultPolicy.inhibitAnyPolicyExtDefaultImpl.name=Inhibit Any-Policy Extension Default +profile.ids=caEnrollImpl,caCACertEnrollImpl,caServerCertEnrollImpl,caUserCertEnrollImpl +profile.caEnrollImpl.class=com.netscape.cms.profile.common.CAEnrollProfile +profile.caEnrollImpl.desc=Certificate Authority Generic Certificate Enrollment Profile +profile.caEnrollImpl.name=Generic Certificate Enrollment Profile +profile.caCACertEnrollImpl.class=com.netscape.cms.profile.common.CACertCAEnrollProfile +profile.caCACertEnrollImpl.desc=Certificate Authority CA Certificate Enrollment Profile +profile.caCACertEnrollImpl.name=CA Certificate Enrollment Profile +profile.caServerCertEnrollImpl.class=com.netscape.cms.profile.common.ServerCertCAEnrollProfile +profile.caServerCertEnrollImpl.desc=Certificate Authority Server Certificate Enrollment Profile +profile.caServerCertEnrollImpl.name=Server Certificate Enrollment Profile +profile.caUserCertEnrollImpl.class=com.netscape.cms.profile.common.UserCertCAEnrollProfile +profile.caUserCertEnrollImpl.desc=Certificate Authority User Certificate Enrollment Profile 
+profile.caUserCertEnrollImpl.name=User Certificate Enrollment Profile +profileInput.ids=cmcCertReqInputImpl,certReqInputImpl,keyGenInputImpl,dualKeyGenInputImpl,subjectNameInputImpl,submitterInfoInputImpl,genericInputImpl,fileSigningInputImpl,imageInputImpl,subjectDNInputImpl,nsNKeyCertReqInputImpl,nsHKeyCertReqInputImpl +profileInput.fileSigningInputImpl.class=com.netscape.cms.profile.input.FileSigningInput +profileInput.fileSigningInputImpl.desc=File Signing Input +profileInput.fileSigningInputImpl.name=File Signing Input +profileInput.imageInputImpl.class=com.netscape.cms.profile.input.ImageInput +profileInput.imageInputImpl.desc=Image Input +profileInput.imageInputImpl.name=Image Input +profileInput.genericInputImpl.class=com.netscape.cms.profile.input.GenericInput +profileInput.genericInputImpl.desc=Generic Input +profileInput.genericInputImpl.name=Generic Input +profileInput.submitterInfoInputImpl.class=com.netscape.cms.profile.input.SubmitterInfoInput +profileInput.submitterInfoInputImpl.desc=Submitter Information Input +profileInput.submitterInfoInputImpl.name=Submitter Information Input +profileInput.certReqInputImpl.class=com.netscape.cms.profile.input.CertReqInput +profileInput.certReqInputImpl.desc=Certificate Request Input +profileInput.certReqInputImpl.name=Certificate Request Input +profileInput.cmcCertReqInputImpl.class=com.netscape.cms.profile.input.CMCCertReqInput +profileInput.cmcCertReqInputImpl.desc=CMC Certificate Request Input +profileInput.cmcCertReqInputImpl.name=CMC Certificate Request Input +profileInput.dualKeyGenInputImpl.class=com.netscape.cms.profile.input.DualKeyGenInput +profileInput.dualKeyGenInputImpl.desc=Dual Key Generation Input +profileInput.dualKeyGenInputImpl.name=Dual Key Generation Input +profileInput.keyGenInputImpl.class=com.netscape.cms.profile.input.KeyGenInput +profileInput.keyGenInputImpl.desc=Key Generation Input +profileInput.keyGenInputImpl.name=Key Generation Input 
+profileInput.nsNKeyCertReqInputImpl.class=com.netscape.cms.profile.input.nsNKeyCertReqInput +profileInput.nsNKeyCertReqInputImpl.desc=nsNKeyCertReqInputImpl +profileInput.nsNKeyCertReqInputImpl.name=nsNKeyCertReqInputImpl +profileInput.nsHKeyCertReqInputImpl.class=com.netscape.cms.profile.input.nsHKeyCertReqInput +profileInput.nsHKeyCertReqInputImpl.desc=nsHKeyCertReqInputImpl +profileInput.nsHKeyCertReqInputImpl.name=nsHKeyCertReqInputImpl +profileInput.subjectDNInputImpl.class=com.netscape.cms.profile.input.SubjectDNInput +profileInput.subjectDNInputImpl.desc=Subject DN Input +profileInput.subjectDNInputImpl.name=Subject DN Input +profileInput.subjectNameInputImpl.class=com.netscape.cms.profile.input.SubjectNameInput +profileInput.subjectNameInputImpl.desc=Subject Name Input +profileInput.subjectNameInputImpl.name=Subject Name Input +profileOutput.ids=certOutputImpl,cmmfOutputImpl,pkcs7OutputImpl,nsNKeyOutputImpl +profileOutput.certOutputImpl.class=com.netscape.cms.profile.output.CertOutput +profileOutput.certOutputImpl.desc=Certificate Output +profileOutput.certOutputImpl.name=Certificate Output +profileOutput.cmmfOutputImpl.class=com.netscape.cms.profile.output.CMMFOutput +profileOutput.cmmfOutputImpl.desc=CMMF Response Output +profileOutput.cmmfOutputImpl.name=CMMF Response Output +profileOutput.nsNKeyOutputImpl.class=com.netscape.cms.profile.output.nsNKeyOutput +profileOutput.nsNKeyOutputImpl.desc=nsNKeyOutputImpl +profileOutput.nsNKeyOutputImpl.name=nsNKeyOutputImpl +profileOutput.pkcs7OutputImpl.class=com.netscape.cms.profile.output.PKCS7Output +profileOutput.pkcs7OutputImpl.desc=PKCS7 Output +profileOutput.pkcs7OutputImpl.name=PKCS7 Output +profileUpdater.ids=subsystemGroupUpdaterImpl +profileUpdater.subsystemGroupUpdaterImpl.class=com.netscape.cms.profile.updater.SubsystemGroupUpdater +profileUpdater.subsystemGroupUpdaterImpl.desc=Updater for Subsystem Group +profileUpdater.subsystemGroupUpdaterImpl.name=Updater for Subsystem Group 
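Review bot: `defaultPolicy.validityDefaultImpl.desc=Validty Default` has a typo, and the nsTokenDeviceKeySubjectNameDefaultImpl, nsTokenUserKeySubjectNameDefaultImpl, nsNKeyCertReqInputImpl, nsHKeyCertReqInputImpl and nsNKeyOutputImpl entries set `.desc` (and mostly `.name`) to the implementation id itself, unlike every other entry in the file, which gives a human-readable description; these strings are presumably what the profile UI shows, so I'd give them real ones, e.g. `defaultPolicy.nsTokenDeviceKeySubjectNameDefaultImpl.desc=Token Device Key Subject Name Default`. Separately, every `.class` value is a fully qualified class that is presumably instantiated by name when the registry is loaded, so this file decides which code runs inside the CA; a header comment such as `# Plugin registry: each .class entry is loaded by name at startup, so this file must stay writable only by the installer` would tell operators why its ownership and permissions matter. The lowercase class names `nsTokenDeviceKeySubjectNameDefault`, `nsTokenUserKeySubjectNameDefault`, `nsNKeyCertReqInput`, `nsHKeyCertReqInput` and `nsNKeyOutput` also break the UpperCamelCase convention followed by every other class in the file, though fixing that belongs to the Java sources rather than this file.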
diff --git a/pki/base/ca/shared/conf/schema.ldif b/pki/base/ca/shared/conf/schema.ldif
new file mode 100644
index 000000000..4431a2730
--- /dev/null
+++ b/pki/base/ca/shared/conf/schema.ldif
@@ -0,0 +1,394 @@
+dn: cn=schema
+changetype: modify
+add: attributeTypes
+attributeTypes: ( usertype-oid NAME 'usertype' DESC 'Distinguish whether the user is administrator, agent or subsystem.' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )
+
+dn: cn=schema
+changetype: modify
+add: attributeTypes
+attributeTypes: ( userstate-oid NAME 'userstate' DESC 'Distinguish whether the user is administrator, agent or subsystem.' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )
+
+dn: cn=schema
+changetype: modify
+add: objectClasses
+objectClasses: ( cmsuser-oid NAME 'cmsuser' DESC 'CMS User' SUP top STRUCTURAL MUST usertype MAY userstate X-ORIGIN 'user defined' )
+
+dn: cn=schema
+changetype: modify
+add: attributeTypes
+attributeTypes: ( archivedBy-oid NAME 'archivedBy' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )
+
+dn: cn=schema
+changetype: modify
+add: attributeTypes
+attributeTypes: ( adminMessages-oid NAME 'adminMessages' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )
+
+dn: cn=schema
+changetype: modify
+add: attributeTypes
+attributeTypes: ( algorithm-oid NAME 'algorithm' DESC 'CMS defined attribute'SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )
+
+dn: cn=schema
+changetype: modify
+add: attributeTypes
+attributeTypes: ( algorithmId-oid NAME 'algorithmId' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )
+
+dn: cn=schema
+changetype: modify
+add: attributeTypes
+attributeTypes: ( signingAlgorithmId-oid NAME 'signingAlgorithmId' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )
+
+dn: cn=schema
+changetype: modify
+add: attributeTypes
+attributeTypes: ( autoRenew-oid NAME 'autoRenew' DESC 'CMS defined attribute'SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )
+
+dn: cn=schema
+changetype: modify
+add: attributeTypes
+attributeTypes: ( certStatus-oid NAME 'certStatus' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )
+
+dn: cn=schema
+changetype: modify
+add: attributeTypes
+attributeTypes: ( crlName-oid NAME 'crlName' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )
+
+dn: cn=schema
+changetype: modify
+add: attributeTypes
+attributeTypes: ( crlSize-oid NAME 'crlSize' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )
+
+dn: cn=schema
+changetype: modify
+add: attributeTypes
+attributeTypes: ( deltaSize-oid NAME 'deltaSize' DESC 'CMS defined attribute'SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )
+
+dn: cn=schema
+changetype: modify
+add: attributeTypes
+attributeTypes: ( crlNumber-oid NAME 'crlNumber' DESC 'CMS defined attribute'SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )
+
+dn: cn=schema
+changetype: modify
+add: attributeTypes
+attributeTypes: ( deltaNumber-oid NAME 'deltaNumber' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )
+
+dn: cn=schema
+changetype: modify
+add: attributeTypes
+attributeTypes: ( firstUnsaved-oid NAME 'firstUnsaved' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )
+
+dn: cn=schema
+changetype: modify
+add: attributeTypes
+attributeTypes: ( crlCache-oid NAME 'crlCache' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.5 X-ORIGIN 'user defined' )
+
+dn: cn=schema
+changetype: modify
+add: attributeTypes
+attributeTypes: ( revokedCerts-oid NAME 'revokedCerts' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.5 X-ORIGIN 'user defined' )
+
+dn: cn=schema
+changetype: modify
+add: attributeTypes
+attributeTypes: ( unrevokedCerts-oid NAME 'unrevokedCerts' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.5 X-ORIGIN 'user defined' )
+
+dn: cn=schema
+changetype: modify
+add: attributeTypes
+attributeTypes: ( expiredCerts-oid NAME 'expiredCerts' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.5 X-ORIGIN 'user defined' )
+
+dn: cn=schema
+changetype: modify
+add: attributeTypes
+attributeTypes: ( deltaCRL-oid NAME 'deltaCRL' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.5 X-ORIGIN 'user defined' )
+
+dn: cn=schema
+changetype: modify
+add: attributeTypes
+attributeTypes: ( crlExtensions-oid NAME 'crlExtensions' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.5 X-ORIGIN 'user defined' )
+
+dn: cn=schema
+changetype: modify
+add: attributeTypes
+attributeTypes: ( dateOfArchival-oid NAME 'dateOfArchival' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )
+
+dn: cn=schema
+changetype: modify
+add: attributeTypes
+attributeTypes: ( dateOfRecovery-oid NAME 'dateOfRecovery' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )
+
+dn: cn=schema
+changetype: modify
+add: attributeTypes
+attributeTypes: ( dateOfRevocation-oid NAME 'dateOfRevocation' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )
+
+dn: cn=schema
+changetype: modify
+add: attributeTypes
+attributeTypes: ( dateOfCreate-oid NAME 'dateOfCreate' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )
+
+dn: cn=schema
+changetype: modify
+add: attributeTypes
+attributeTypes: ( dateOfModify-oid NAME 'dateOfModify' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )
+
+dn: cn=schema
+changetype: modify
+add: attributeTypes
+attributeTypes: ( duration-oid NAME 'duration' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )
+
+dn: cn=schema
+changetype: modify
+add: attributeTypes
+attributeTypes: ( extension-oid NAME 'extension' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )
+
+dn: cn=schema
+changetype: modify
+add: attributeTypes
+attributeTypes: ( issuedBy-oid NAME 'issuedBy' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )
+
+dn: cn=schema
+changetype: modify
+add: attributeTypes
+attributeTypes: ( issueInfo-oid NAME 'issueInfo' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.5 X-ORIGIN 'user defined' )
+
+dn: cn=schema
+changetype: modify
+add: attributeTypes
+attributeTypes: ( issuerName-oid NAME 'issuerName' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )
+
+dn: cn=schema
+changetype: modify
+add: attributeTypes
+attributeTypes: ( keySize-oid NAME 'keySize' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )
+
+dn: cn=schema
+changetype: modify
+add: attributeTypes
+attributeTypes: ( keyState-oid NAME 'keyState' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )
+
+dn: cn=schema
+changetype: modify
+add: attributeTypes
+attributeTypes: ( metaInfo-oid NAME 'metaInfo' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )
+
+dn: cn=schema
+changetype: modify
+add: attributeTypes
+attributeTypes: ( nextUpdate-oid NAME 'nextUpdate' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )
+
+dn: cn=schema
+changetype: modify
+add: attributeTypes
+attributeTypes: ( notAfter-oid NAME 'notAfter' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )
+
+dn: cn=schema
+changetype: modify
+add: attributeTypes
+attributeTypes: ( notBefore-oid NAME 'notBefore' DESC 'CMS defined attribute'SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )
+
+dn: cn=schema
+changetype: modify
+add: attributeTypes
+attributeTypes: ( ownerName-oid NAME 'ownerName' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )
+
+dn: cn=schema
+changetype: modify
+add: attributeTypes
+attributeTypes: ( password-oid NAME 'password' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )
+
+dn: cn=schema
+changetype: modify
+add: attributeTypes
+attributeTypes: ( p12Expiration-oid NAME 'p12Expiration' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )
+
+dn: cn=schema
+changetype: modify
+add: attributeTypes
+attributeTypes: ( proofOfArchival-oid NAME 'proofOfArchival' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.5 X-ORIGIN 'user defined' )
+
+dn: cn=schema
+changetype: modify
+add: attributeTypes
+attributeTypes: ( publicKeyData-oid NAME 'publicKeyData' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.5 X-ORIGIN 'user defined' )
+
+dn: cn=schema
+changetype: modify
+add: attributeTypes
+attributeTypes: ( publicKeyFormat-oid NAME 'publicKeyFormat' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )
+
+dn: cn=schema
+changetype: modify
+add: attributeTypes
+attributeTypes: ( privateKeyData-oid NAME 'privateKeyData' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.5 X-ORIGIN 'user defined' )
+
+dn: cn=schema
+changetype: modify
+add: attributeTypes
+attributeTypes: ( requestId-oid NAME 'requestId' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )
+
+dn: cn=schema
+changetype: modify
+add: attributeTypes
+attributeTypes: ( requestInfo-oid NAME 'requestInfo' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )
+
+dn: cn=schema
+changetype: modify
+add: attributeTypes
+attributeTypes: ( requestState-oid NAME 'requestState' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )
+
+dn: cn=schema
+changetype: modify
+add: attributeTypes
+attributeTypes: ( requestResult-oid NAME 'requestResult' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )
+
+dn: cn=schema
+changetype: modify
+add: attributeTypes
+attributeTypes: ( requestOwner-oid NAME 'requestOwner' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )
+
+dn: cn=schema
+changetype: modify
+add: attributeTypes
+attributeTypes: ( requestAgentGroup-oid NAME 'requestAgentGroup' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )
+
+dn: cn=schema
+changetype: modify
+add: attributeTypes
+attributeTypes: ( requestSourceId-oid NAME 'requestSourceId' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )
+
+dn: cn=schema
+changetype: modify
+add: attributeTypes
+attributeTypes: ( requestType-oid NAME 'requestType' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )
+
+dn: cn=schema
+changetype: modify
+add: attributeTypes
+attributeTypes: ( requestFlag-oid NAME 'requestFlag' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )
+
+dn: cn=schema
+changetype: modify
+add: attributeTypes
+attributeTypes: ( requestError-oid NAME 'requestError' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )
+
+dn: cn=schema
+changetype: modify
+add: attributeTypes
+attributeTypes: ( resourceACLS-oid NAME 'resourceACLS' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )
+
+dn: cn=schema
+changetype: modify
+add: attributeTypes
+attributeTypes: ( revInfo-oid NAME 'revInfo' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )
+
+dn: cn=schema
+changetype: modify
+add: attributeTypes
+attributeTypes: ( revokedBy-oid NAME 'revokedBy' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )
+
+dn: cn=schema
+changetype: modify
+add: attributeTypes
+attributeTypes: ( revokedOn-oid NAME 'revokedOn' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )
+
+dn: cn=schema
+changetype: modify
+add: attributeTypes
+attributeTypes: ( serialno-oid NAME 'serialno' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )
+
+dn: cn=schema
+changetype: modify
+add: attributeTypes
+attributeTypes: ( subjectName-oid NAME 'subjectName' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )
+
+dn: cn=schema
+changetype: modify
+add: attributeTypes
+attributeTypes: ( sessionContext-oid NAME 'sessionContext' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.5 X-ORIGIN 'user defined' )
+
+dn: cn=schema
+changetype: modify
+add: attributeTypes
+attributeTypes: ( thisUpdate-oid NAME 'thisUpdate' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )
+
+dn: cn=schema
+changetype: modify
+add: attributeTypes
+attributeTypes: ( transId-oid NAME 'transId' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )
+
+dn: cn=schema
+changetype: modify
+add: attributeTypes
+attributeTypes: ( transStatus-oid NAME 'transStatus' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )
+
+dn: cn=schema
+changetype: modify
+add: attributeTypes
+attributeTypes: ( transName-oid NAME 'transName' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )
+
+dn: cn=schema
+changetype: modify
+add: attributeTypes
+attributeTypes: ( transOps-oid NAME 'transOps' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )
+
+dn: cn=schema
+changetype: modify
+add: attributeTypes
+attributeTypes: ( userDN-oid NAME 'userDN' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )
+
+dn: cn=schema
+changetype: modify
+add: attributeTypes
+attributeTypes: ( userMessages-oid NAME 'userMessages' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )
+
+dn: cn=schema
+changetype: modify
+add: attributeTypes
+attributeTypes: ( version-oid NAME 'version' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )
+
+dn: cn=schema
+changetype: modify
+add: objectClasses
+objectClasses: ( CertACLS-oid NAME 'CertACLS' DESC 'CMS defined class' SUP top STRUCTURAL MUST cn MAY resourceACLS X-ORIGIN 'user defined' )
+
+dn: cn=schema
+changetype: modify
+add: objectClasses
+objectClasses: ( repository-oid NAME 'repository' DESC 'CMS defined class' SUP top STRUCTURAL MUST ou MAY ( serialno $ description ) X-ORIGIN 'user defined' )
+
+dn: cn=schema
+changetype: modify
+add: objectClasses
+objectClasses: ( request-oid NAME 'request' DESC 'CMS defined class' SUP top STRUCTURAL MUST cn MAY ( requestId $ dateOfCreate $ dateOfModify $ requestState $ requestResult $ requestOwner $ requestAgentGroup $ requestSourceId $ requestType $ requestFlag $ requestError $ userMessages $ adminMessages ) X-ORIGIN 'user defined' )
+
+dn: cn=schema
+changetype: modify
+add: objectClasses
+objectClasses: ( transaction-oid NAME 'transaction' DESC 'CMS defined class' SUP top STRUCTURAL MUST cn MAY ( transId $ description $ transName $ transStatus $ transOps ) X-ORIGIN 'user defined' )
+
+dn: cn=schema
+changetype: modify
+add: objectClasses
+objectClasses: ( pkiCA-oid NAME 'pkiCA' DESC 'CMS defined class' SUP top STRUCTURAL MUST ou MAY certificateRevocationList X-ORIGIN 'user defined' )
+
+dn: cn=schema
+changetype: modify
+add: objectClasses
+objectClasses: ( crlIssuingPointRecord-oid NAME 'crlIssuingPointRecord' DESC 'CMS defined class' SUP top STRUCTURAL MUST cn MAY ( dateOfCreate $ dateOfModify $ crlNumber $ crlSize $ thisUpdate $ nextUpdate $ deltaNumber $ deltaSize $ firstUnsaved $ certificateRevocationList $ deltaCRL $ crlCache $ revokedCerts $ unrevokedCerts $ expiredCerts $ cACertificate ) X-ORIGIN 'user defined' )
+
+dn: cn=schema
+changetype: modify
+add: objectClasses
+objectClasses: ( certificateRecord-oid NAME 'certificateRecord' DESC 'CMS defined class' SUP top STRUCTURAL MUST cn MAY ( serialno $ dateOfCreate $ dateOfModify $ certStatus $ autoRenew $ issueInfo $ metaInfo $ revInfo $ version $ duration $ notAfter $ notBefore $ algorithmId $ subject $ subjectName $ signingAlgorithmId $ userCertificate $ issuedBy $ revokedBy $ revokedOn $ extension $ publicKeyData $ issuerName ) X-ORIGIN 'user defined' )
+
+dn: cn=schema
+changetype: modify
+add: objectClasses
+objectClasses: ( userDetails-oid NAME 'userDetails' DESC 'CMS defined class' SUP top STRUCTURAL MUST userDN MAY ( dateOfCreate $ dateOfModify $ password $ p12Expiration ) X-ORIGIN 'user defined' )
+
+dn: cn=schema
+changetype: modify
+add: objectClasses
+objectClasses: ( keyRecord-oid NAME 'keyRecord' DESC 'CMS defined class' SUP top STRUCTURAL MUST cn MAY ( serialno $ dateOfCreate $ dateOfModify $ keyState $ privateKeyData $ ownerName $ keySize $ metaInfo $ dateOfArchival $ dateOfRecovery $ algorithm $ publicKeyFormat $ publicKeyData $ archivedBy ) X-ORIGIN 'user defined' )
diff --git a/pki/base/ca/shared/conf/server-minimal.xml b/pki/base/ca/shared/conf/server-minimal.xml
new file mode 100644
index 000000000..7b542b6cf
--- /dev/null
+++ b/pki/base/ca/shared/conf/server-minimal.xml
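Review bot: Five attributeTypes entries in this hunk are missing the space between the DESC string and the SYNTAX keyword — `algorithm`, `autoRenew`, `deltaSize`, `crlNumber` and `notBefore` read `DESC 'CMS defined attribute'SYNTAX 1.3.6...` — and a strict schema parser can reject or mis-tokenise them, so each should be `DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15`. The `userstate` definition also repeats the `usertype` description word for word ("Distinguish whether the user is administrator, agent or subsystem."), which misdescribes the attribute; a DESC along the lines of `'State of the CMS user entry'` would be accurate to its name. Separately, `password` is declared as a plain Directory String and listed under `userDetails`; whether the value stored there is hashed or encrypted is not visible in this file, so it would help to say so in the DESC and to confirm that the directory ACIs keep that attribute unreadable to ordinary binds.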
@@ -0,0 +1,25 @@
+<Server port="8005" shutdown="SHUTDOWN">
+
+ <GlobalNamingResources>
+ <!-- Used by Manager webapp -->
+ <Resource name="UserDatabase" auth="Container"
+ type="org.apache.catalina.UserDatabase"
+ description="User database that can be updated and saved"
+ factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
+ pathname="conf/tomcat-users.xml" />
+ </GlobalNamingResources>
+
+ <Service name="Catalina">
+ <Connector port="8080" />
+
+ <!-- This is here for compatibility only, not required -->
+ <Connector port="8009" protocol="AJP/1.3" />
+
+ <Engine name="Catalina" defaultHost="localhost">
+ <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
+ resourceName="UserDatabase" />
+ <Host name="localhost" appBase="webapps" />
+ </Engine>
+
+ </Service>
+</Server>
diff --git a/pki/base/ca/shared/conf/server.xml b/pki/base/ca/shared/conf/server.xml
new file mode 100644
index 000000000..801e64c19
--- /dev/null
+++ b/pki/base/ca/shared/conf/server.xml
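Review bot: The AJP connector `<Connector port="8009" protocol="AJP/1.3" />` is, by the file's own comment, "not required", yet it listens on every interface with no `address` restriction, which is unneeded exposure for a CA instance; either drop the element or pin it to loopback, `<Connector port="8009" protocol="AJP/1.3" address="127.0.0.1" />`. The `<Server port="8005" shutdown="SHUTDOWN">` line also keeps Tomcat's default shutdown command string, so anything that can reach that local port can stop the server; a per-instance value (or `port="-1"` to disable the listener, since the full server.xml in the same commit templates this port) would be the safer default. This minimal file also has no HTTPS connector at all, so it presumably exists only for testing and should say so in a comment.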
@@ -0,0 +1,395 @@
+<!-- Example Server Configuration File -->
+<!-- Note that component elements are nested corresponding to their
+ parent-child relationships with each other -->
+
+<!-- A "Server" is a singleton element that represents the entire JVM,
+ which may contain one or more "Service" instances. The Server
+ listens for a shutdown command on the indicated port.
+
+ Note: A "Server" is not itself a "Container", so you may not
+ define subcomponents such as "Valves" or "Loggers" at this level.
+ -->
+
+<Server port="[TOMCAT_SERVER_PORT]" shutdown="SHUTDOWN">
+
+ <!-- Comment these entries out to disable JMX MBeans support used for the
+ administration web application -->
+ <Listener className="org.apache.catalina.mbeans.ServerLifecycleListener" />
+ <Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener" />
+ <Listener className="org.apache.catalina.storeconfig.StoreConfigLifecycleListener"/>
+
+ <!-- Global JNDI resources -->
+ <GlobalNamingResources>
+
+ <!-- Test entry for demonstration purposes -->
+ <Environment name="simpleValue" type="java.lang.Integer" value="30"/>
+
+ <!-- Editable user database that can also be used by
+ UserDatabaseRealm to authenticate users -->
+ <Resource name="UserDatabase" auth="Container"
+ type="org.apache.catalina.UserDatabase"
+ description="User database that can be updated and saved"
+ factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
+ pathname="conf/tomcat-users.xml" />
+
+ </GlobalNamingResources>
+
+ <!-- A "Service" is a collection of one or more "Connectors" that share
+ a single "Container" (and therefore the web applications visible
+ within that Container). Normally, that Container is an "Engine",
+ but this is not required.
+
+ Note: A "Service" is not itself a "Container", so you may not
+ define subcomponents such as "Valves" or "Loggers" at this level.
+ -->
+
+ <!-- Define the Tomcat Stand-Alone Service -->
+ <Service name="Catalina">
+
+ <!-- A "Connector" represents an endpoint by which requests are received
+ and responses are returned. Each Connector passes requests on to the
+ associated "Container" (normally an Engine) for processing.
+
+ By default, a non-SSL HTTP/1.1 Connector is established on port 8080.
+ You can also enable an SSL HTTP/1.1 Connector on port 8443 by
+ following the instructions below and uncommenting the second Connector
+ entry. SSL support requires the following steps (see the SSL Config
+ HOWTO in the Tomcat 5 documentation bundle for more detailed
+ instructions):
+ * If your JDK version 1.3 or prior, download and install JSSE 1.0.2 or
+ later, and put the JAR files into "$JAVA_HOME/jre/lib/ext".
+ * Execute:
+ %JAVA_HOME%\bin\keytool -genkey -alias tomcat -keyalg RSA (Windows)
+ $JAVA_HOME/bin/keytool -genkey -alias tomcat -keyalg RSA (Unix)
+ with a password value of "changeit" for both the certificate and
+ the keystore itself.
+
+ By default, DNS lookups are enabled when a web application calls
+ request.getRemoteHost(). This can have an adverse impact on
+ performance, so you can disable it by setting the
+ "enableLookups" attribute to "false". When DNS lookups are disabled,
+ request.getRemoteHost() will return the String version of the
+ IP address of the remote client.
+ -->
+
+ <!-- Define a non-SSL HTTP/1.1 Connector on port 8080 -->
+
+
+
+
+ <Connector port="[PKI_UNSECURE_PORT]" maxHttpHeaderSize="8192"
+ maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
+ enableLookups="false" redirectPort="8443" acceptCount="100"
+ connectionTimeout="20000" disableUploadTimeout="true" />
+
+<!-- Define a SSL HTTP/1.1 Connector on port 8443 -->
+<!-- DO NOT REMOVE - Begin define PKI secure port -->
+<Connector port="[PKI_SECURE_PORT]" maxHttpHeaderSize="8192"
+ maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
+ enableLookups="false" disableUploadTimeout="true"
+ acceptCount="100" scheme="https" secure="true"
+ clientAuth="false" sslProtocol="SSL"
+ sslOptions="ssl2=true,ssl3=true,tls=true"
+ ssl2Ciphers="-SSL2_RC4_128_WITH_MD5,-SSL2_RC4_128_EXPORT40_WITH_MD5,-SSL2_RC2_128_CBC_WITH_MD5,-SSL2_RC2_128_CBC_EXPORT40_WITH_MD5,-SSL2_DES_64_CBC_WITH_MD5,-SSL2_DES_192_EDE3_CBC_WITH_MD5"
+ ssl3Ciphers="-SSL3_FORTEZZA_DMS_WITH_NULL_SHA,-SSL3_FORTEZZA_DMS_WITH_RC4_128_SHA,+SSL3_RSA_WITH_RC4_128_SHA,-SSL3_RSA_EXPORT_WITH_RC4_40_MD5,+SSL3_RSA_WITH_3DES_EDE_CBC_SHA,+SSL3_RSA_WITH_DES_CBC_SHA,-SSL3_RSA_EXPORT_WITH_RC2_CBC_40_MD5,-SSL3_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA,-SSL_RSA_FIPS_WITH_DES_CBC_SHA,+SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA,-SSL3_RSA_WITH_NULL_MD5,-TLS_RSA_EXPORT1024_WITH_RC4_56_SHA,+TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA"
+ tls3Ciphers="-SSL3_FORTEZZA_DMS_WITH_NULL_SHA,-SSL3_FORTEZZA_DMS_WITH_RC4_128_SHA,+SSL3_RSA_WITH_RC4_128_SHA,-SSL3_RSA_EXPORT_WITH_RC4_40_MD5,+SSL3_RSA_WITH_3DES_EDE_CBC_SHA,+SSL3_RSA_WITH_DES_CBC_SHA,-SSL3_RSA_EXPORT_WITH_RC2_CBC_40_MD5,-SSL3_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA,-SSL_RSA_FIPS_WITH_DES_CBC_SHA,+SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA,-SSL3_RSA_WITH_NULL_MD5,-TLS_RSA_EXPORT1024_WITH_RC4_56_SHA,+TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA"
+ SSLImplementation="org.apache.tomcat.util.net.jss.JSSImplementation"
+ serverCertNickFile="[PKI_INSTANCE_PATH]/conf/serverCertNick.conf"
+ passwordFile="[PKI_INSTANCE_PATH]/conf/password.conf"
+ passwordClass="org.apache.tomcat.util.net.jss.PlainPasswordFile"
+ certdbDir="[PKI_INSTANCE_PATH]/alias"/>
+<!-- DO NOT REMOVE - End define PKI secure port -->
+
+
+
+ <!-- Note : To disable connection timeouts, set connectionTimeout value
+ to 0 -->
+
+ <!-- Note : To use gzip compression you could set the following properties :
+
+ compression="on"
+ compressionMinSize="2048"
+ noCompressionUserAgents="gozilla, traviata"
+ compressableMimeType="text/html,text/xml"
+ -->
+
+
+ <!-- Define an AJP 1.3 Connector on port 8009 -->
+<!--
+ <Connector port="8009"
+ enableLookups="false" redirectPort="8443" protocol="AJP/1.3" />
+-->
+
+ <!-- Define a Proxied HTTP/1.1 Connector on port 8082 -->
+ <!-- See proxy documentation for more information about using this. -->
+ <!--
+ <Connector port="8082"
+ maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
+ enableLookups="false" acceptCount="100" connectionTimeout="20000"
+ proxyPort="80" disableUploadTimeout="true" />
+ -->
+
+ <!-- An Engine represents the entry point (within Catalina) that processes
+ every request. The Engine implementation for Tomcat stand alone
+ analyzes the HTTP headers included with the request, and passes them
+ on to the appropriate Host (virtual host). -->
+
+ <!-- You should set jvmRoute to support load-balancing via AJP ie :
+ <Engine name="Standalone" defaultHost="localhost" jvmRoute="jvm1">
+ -->
+
+ <!-- Define the top level container in our container hierarchy -->
+ <Engine name="Catalina" defaultHost="localhost">
+
+ <!-- The request dumper valve dumps useful debugging information about
+ the request headers and cookies that were received, and the response
+ headers and cookies that were sent, for all requests received by
+ this instance of Tomcat. If you care only about requests to a
+ particular virtual host, or a particular application, nest this
+ element inside the corresponding <Host> or <Context> entry instead.
+
+ For a similar mechanism that is portable to all Servlet 2.4
+ containers, check out the "RequestDumperFilter" Filter in the
+ example application (the source for this filter may be found in
+ "$CATALINA_HOME/webapps/examples/WEB-INF/classes/filters").
+
+ Request dumping is disabled by default. Uncomment the following
+ element to enable it. -->
+ <!--
+ <Valve className="org.apache.catalina.valves.RequestDumperValve"/>
+ -->
+
+ <!-- Because this Realm is here, an instance will be shared globally -->
+
+ <!-- This Realm uses the UserDatabase configured in the global JNDI
+ resources under the key "UserDatabase". Any edits
+ that are performed against this UserDatabase are immediately
+ available for use by the Realm. -->
+ <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
+ resourceName="UserDatabase"/>
+
+ <!-- Comment out the old realm but leave here for now in case we
+ need to go back quickly -->
+ <!--
+ <Realm className="org.apache.catalina.realm.MemoryRealm" />
+ -->
+
+ <!-- Replace the above Realm with one of the following to get a Realm
+ stored in a database and accessed via JDBC -->
+
+ <!--
+ <Realm className="org.apache.catalina.realm.JDBCRealm"
+ driverName="org.gjt.mm.mysql.Driver"
+ connectionURL="jdbc:mysql://localhost/authority"
+ connectionName="test" connectionPassword="test"
+ userTable="users" userNameCol="user_name" userCredCol="user_pass"
+ userRoleTable="user_roles" roleNameCol="role_name" />
+ -->
+
+ <!--
+ <Realm className="org.apache.catalina.realm.JDBCRealm"
+ driverName="oracle.jdbc.driver.OracleDriver"
+ connectionURL="jdbc:oracle:thin:@ntserver:1521:ORCL"
+ connectionName="scott" connectionPassword="tiger"
+ userTable="users" userNameCol="user_name" userCredCol="user_pass"
+ userRoleTable="user_roles" roleNameCol="role_name" />
+ -->
+
+ <!--
+ <Realm className="org.apache.catalina.realm.JDBCRealm"
+ driverName="sun.jdbc.odbc.JdbcOdbcDriver"
+ connectionURL="jdbc:odbc:CATALINA"
+ userTable="users" userNameCol="user_name" userCredCol="user_pass"
+ userRoleTable="user_roles" roleNameCol="role_name" />
+ -->
+
+ <!-- Define the default virtual host
+ Note: XML Schema validation will not work with Xerces 2.2.
+ -->
+ <Host name="localhost" appBase="webapps"
+ unpackWARs="true" autoDeploy="true"
+ xmlValidation="false" xmlNamespaceAware="false">
+
+ <!-- Defines a cluster for this node,
+ By defining this element, means that every manager will be changed.
+ So when running a cluster, only make sure that you have webapps in there
+ that need to be clustered and remove the other ones.
+ A cluster has the following parameters:
+
+ className = the fully qualified name of the cluster class
+
+ name = a descriptive name for your cluster, can be anything
+
+ mcastAddr = the multicast address, has to be the same for all the nodes
+
+ mcastPort = the multicast port, has to be the same for all the nodes
+
+ mcastBindAddr = bind the multicast socket to a specific address
+
+ mcastTTL = the multicast TTL if you want to limit your broadcast
+
+ mcastSoTimeout = the multicast readtimeout
+
+ mcastFrequency = the number of milliseconds in between sending a "I'm alive" heartbeat
+
+ mcastDropTime = the number a milliseconds before a node is considered "dead" if no heartbeat is received
+
+ tcpThreadCount = the number of threads to handle incoming replication requests, optimal would be the same amount of threads as nodes
+
+ tcpListenAddress = the listen address (bind address) for TCP cluster request on this host,
+ in case of multiple ethernet cards.
+ auto means that address becomes
+ InetAddress.getLocalHost().getHostAddress()
+
+ tcpListenPort = the tcp listen port
+
+ tcpSelectorTimeout = the timeout (ms) for the Selector.select() method in case the OS
+ has a wakup bug in java.nio. Set to 0 for no timeout
+
+ printToScreen = true means that managers will also print to std.out
+
+ expireSessionsOnShutdown = true means that
+
+ useDirtyFlag = true means that we only replicate a session after setAttribute,removeAttribute has been called.
+ false means to replicate the session after each request.
+ false means that replication would work for the following piece of code: (only for SimpleTcpReplicationManager)
+ <%
+ HashMap map = (HashMap)session.getAttribute("map");
+ map.put("key","value");
+ %>
+ replicationMode = can be either 'pooled', 'synchronous' or 'asynchronous'.
+ * Pooled means that the replication happens using several sockets in a synchronous way. Ie, the data gets replicated, then the request return. This is the same as the 'synchronous' setting except it uses a pool of sockets, hence it is multithreaded. This is the fastest and safest configuration. To use this, also increase the nr of tcp threads that you have dealing with replication.
+ * Synchronous means that the thread that executes the request, is also the
+ thread the replicates the data to the other nodes, and will not return until all
+ nodes have received the information.
+ * Asynchronous means that there is a specific 'sender' thread for each cluster node,
+ so the request thread will queue the replication request into a "smart" queue,
+ and then return to the client.
+ The "smart" queue is a queue where when a session is added to the queue, and the same session
+ already exists in the queue from a previous request, that session will be replaced
+ in the queue instead of replicating two requests. This almost never happens, unless there is a
+ large network delay.
+ -->
+ <!--
+ When configuring for clustering, you also add in a valve to catch all the requests
+ coming in, at the end of the request, the session may or may not be replicated.
+ A session is replicated if and only if all the conditions are met:
+ 1. useDirtyFlag is true or setAttribute or removeAttribute has been called AND
+ 2. a session exists (has been created)
+ 3. the request is not trapped by the "filter" attribute
+
+ The filter attribute is to filter out requests that could not modify the session,
+ hence we don't replicate the session after the end of this request.
+ The filter is negative, ie, anything you put in the filter, you mean to filter out,
+ ie, no replication will be done on requests that match one of the filters.
+ The filter attribute is delimited by ;, so you can't escape out ; even if you wanted to.
+
+ filter=".*\.gif;.*\.js;" means that we will not replicate the session after requests with the URI
+ ending with .gif and .js are intercepted.
+
+ The deployer element can be used to deploy apps cluster wide.
+ Currently the deployment only deploys/undeploys to working members in the cluster
+ so no WARs are copied upons startup of a broken node.
+ The deployer watches a directory (watchDir) for WAR files when watchEnabled="true"
+ When a new war file is added the war gets deployed to the local instance,
+ and then deployed to the other instances in the cluster.
+ When a war file is deleted from the watchDir the war is undeployed locally
+ and cluster wide
+ -->
+
+ <!--
+ <Cluster className="org.apache.catalina.cluster.tcp.SimpleTcpCluster"
+ managerClassName="org.apache.catalina.cluster.session.DeltaManager"
+ expireSessionsOnShutdown="false"
+ useDirtyFlag="true"
+ notifyListenersOnReplication="true">
+
+ <Membership
+ className="org.apache.catalina.cluster.mcast.McastService"
+ mcastAddr="228.0.0.4"
+ mcastPort="45564"
+ mcastFrequency="500"
+ mcastDropTime="3000"/>
+
+ <Receiver
+ className="org.apache.catalina.cluster.tcp.ReplicationListener"
+ tcpListenAddress="auto"
+ tcpListenPort="4001"
+ tcpSelectorTimeout="100"
+ tcpThreadCount="6"/>
+
+ <Sender
+ className="org.apache.catalina.cluster.tcp.ReplicationTransmitter"
+ replicationMode="pooled"
+ ackTimeout="15000"/>
+
+ <Valve className="org.apache.catalina.cluster.tcp.ReplicationValve"
+ filter=".*\.gif;.*\.js;.*\.jpg;.*\.png;.*\.htm;.*\.html;.*\.css;.*\.txt;"/>
+
+ <Deployer className="org.apache.catalina.cluster.deploy.FarmWarDeployer"
+ tempDir="/tmp/war-temp/"
+ deployDir="/tmp/war-deploy/"
+ watchDir="/tmp/war-listen/"
+ watchEnabled="false"/>
+ </Cluster>
+ -->
+
+
+
+ <!-- Normally, users must authenticate themselves to each web app
+ individually. Uncomment the following entry if you would like
+ a user to be authenticated the first time they encounter a
+ resource protected by a security constraint, and then have that
+ user identity maintained across *all* web applications contained
+ in this virtual host. -->
+ <!--
+ <Valve className="org.apache.catalina.authenticator.SingleSignOn" />
+ -->
+
+ <!-- Access log processes all requests for this virtual host. By
+ default, log files are created in the "logs" directory relative to
+ $CATALINA_HOME. If you wish, you can specify a different
+ directory with the "directory" attribute. Specify either a relative
+ (to $CATALINA_HOME) or absolute path to the desired directory.
+ -->
+ <Valve className="org.apache.catalina.valves.AccessLogValve"
+ directory="logs" prefix="localhost_access_log." suffix=".txt"
+ pattern="common" resolveHosts="false"/>
+
+ <!-- Access log processes all requests for this virtual host. By
+ default, log files are created in the "logs" directory relative to
+ $CATALINA_HOME. If you wish, you can specify a different
+ directory with the "directory" attribute. Specify either a relative
+ (to $CATALINA_HOME) or absolute path to the desired directory.
+ This access log implementation is optimized for maximum performance,
+ but is hardcoded to support only the "common" and "combined" patterns.
+ -->
+ <!--
+ <Valve className="org.apache.catalina.valves.FastCommonAccessLogValve"
+ directory="logs" prefix="localhost_access_log." suffix=".txt"
+ pattern="common" resolveHosts="false"/>
+ -->
+ <!-- Access log processes all requests for this virtual host. By
+ default, log files are created in the "logs" directory relative to
+ $CATALINA_HOME. If you wish, you can specify a different
+ directory with the "directory" attribute. Specify either a relative
+ (to $CATALINA_HOME) or absolute path to the desired directory.
+ This access log implementation is optimized for maximum performance,
+ but is hardcoded to support only the "common" and "combined" patterns.
+
+ This valve use NIO direct Byte Buffer to asynchornously store the
+ log.
+ -->
+ <!--
+ <Valve className="org.apache.catalina.valves.ByteBufferAccessLogValve"
+ directory="logs" prefix="localhost_access_log." suffix=".txt"
+ pattern="common" resolveHosts="false"/>
+ -->
+
+ </Host>
+
+ </Engine>
+
+ </Service>
+
+</Server>
diff --git a/pki/base/ca/shared/conf/server.xml.good b/pki/base/ca/shared/conf/server.xml.good
new file mode 100644
index 000000000..502c05d1d
--- /dev/null
+++ b/pki/base/ca/shared/conf/server.xml.good
@@ -0,0 +1,390 @@ +<!-- Example Server Configuration File --> +<!-- Note that component elements are nested corresponding to their + parent-child relationships with each other --> + +<!-- A "Server" is a singleton element that represents the entire JVM, + which may contain one or more "Service" instances. The Server + listens for a shutdown command on the indicated port. + + Note: A "Server" is not itself a "Container", so you may not + define subcomponents such as "Valves" or "Loggers" at this level. + --> + +<Server port="8005" shutdown="SHUTDOWN"> + + <!-- Comment these entries out to disable JMX MBeans support used for the + administration web application --> + <Listener className="org.apache.catalina.mbeans.ServerLifecycleListener" /> + <Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener" /> + <Listener className="org.apache.catalina.storeconfig.StoreConfigLifecycleListener"/> + + <!-- Global JNDI resources --> + <GlobalNamingResources> + + <!-- Test entry for demonstration purposes --> + <Environment name="simpleValue" type="java.lang.Integer" value="30"/> + + <!-- Editable user database that can also be used by + UserDatabaseRealm to authenticate users --> + <Resource name="UserDatabase" auth="Container" + type="org.apache.catalina.UserDatabase" + description="User database that can be updated and saved" + factory="org.apache.catalina.users.MemoryUserDatabaseFactory" + pathname="conf/tomcat-users.xml" /> + + </GlobalNamingResources> + + <!-- A "Service" is a collection of one or more "Connectors" that share + a single "Container" (and therefore the web applications visible + within that Container). Normally, that Container is an "Engine", + but this is not required. + + Note: A "Service" is not itself a "Container", so you may not + define subcomponents such as "Valves" or "Loggers" at this level. 
+ --> + + <!-- Define the Tomcat Stand-Alone Service --> + <Service name="Catalina"> + + <!-- A "Connector" represents an endpoint by which requests are received + and responses are returned. Each Connector passes requests on to the + associated "Container" (normally an Engine) for processing. + + By default, a non-SSL HTTP/1.1 Connector is established on port 8080. + You can also enable an SSL HTTP/1.1 Connector on port 8443 by + following the instructions below and uncommenting the second Connector + entry. SSL support requires the following steps (see the SSL Config + HOWTO in the Tomcat 5 documentation bundle for more detailed + instructions): + * If your JDK version 1.3 or prior, download and install JSSE 1.0.2 or + later, and put the JAR files into "$JAVA_HOME/jre/lib/ext". + * Execute: + %JAVA_HOME%\bin\keytool -genkey -alias tomcat -keyalg RSA (Windows) + $JAVA_HOME/bin/keytool -genkey -alias tomcat -keyalg RSA (Unix) + with a password value of "changeit" for both the certificate and + the keystore itself. + + By default, DNS lookups are enabled when a web application calls + request.getRemoteHost(). This can have an adverse impact on + performance, so you can disable it by setting the + "enableLookups" attribute to "false". When DNS lookups are disabled, + request.getRemoteHost() will return the String version of the + IP address of the remote client. 
+ --> + + <!-- Define a non-SSL HTTP/1.1 Connector on port 8080 --> + + + + + <Connector port="<PKI_UNSECURE_PORT>" maxHttpHeaderSize="8192" + maxThreads="150" minSpareThreads="25" maxSpareThreads="75" + enableLookups="false" redirectPort="8443" acceptCount="100" + connectionTimeout="20000" disableUploadTimeout="true" /> + +<!-- Define a SSL HTTP/1.1 Connector on port 8443 --> + +<!-- +<Connector port="<PKI_SECURE_PORT>" maxHttpHeaderSize="8192" + maxThreads="150" minSpareThreads="25" maxSpareThreads="75" + enableLookups="false" disableUploadTimeout="true" + acceptCount="100" scheme="https" secure="true" + clientAuth="false" sslProtocol="SSL" + SSLImplementation="org.apache.tomcat.util.net.jss.JSSImplementation" + serverCert="Server-Cert cert-<PKI_INSTANCE_ID>" + certdbDir="<PKI_INSTANCE_PATH>/alias" certdbPassword="<PKI_CERT_DB_PASSWORD>"/> +--> + + + + <!-- Note : To disable connection timeouts, set connectionTimeout value + to 0 --> + + <!-- Note : To use gzip compression you could set the following properties : + + compression="on" + compressionMinSize="2048" + noCompressionUserAgents="gozilla, traviata" + compressableMimeType="text/html,text/xml" + --> + + + <!-- Define an AJP 1.3 Connector on port 8009 --> + <Connector port="8009" + enableLookups="false" redirectPort="8443" protocol="AJP/1.3" /> + + <!-- Define a Proxied HTTP/1.1 Connector on port 8082 --> + <!-- See proxy documentation for more information about using this. --> + <!-- + <Connector port="8082" + maxThreads="150" minSpareThreads="25" maxSpareThreads="75" + enableLookups="false" acceptCount="100" connectionTimeout="20000" + proxyPort="80" disableUploadTimeout="true" /> + --> + + <!-- An Engine represents the entry point (within Catalina) that processes + every request. The Engine implementation for Tomcat stand alone + analyzes the HTTP headers included with the request, and passes them + on to the appropriate Host (virtual host). 
--> + + <!-- You should set jvmRoute to support load-balancing via AJP ie : + <Engine name="Standalone" defaultHost="localhost" jvmRoute="jvm1"> + --> + + <!-- Define the top level container in our container hierarchy --> + <Engine name="Catalina" defaultHost="localhost"> + + <!-- The request dumper valve dumps useful debugging information about + the request headers and cookies that were received, and the response + headers and cookies that were sent, for all requests received by + this instance of Tomcat. If you care only about requests to a + particular virtual host, or a particular application, nest this + element inside the corresponding <Host> or <Context> entry instead. + + For a similar mechanism that is portable to all Servlet 2.4 + containers, check out the "RequestDumperFilter" Filter in the + example application (the source for this filter may be found in + "$CATALINA_HOME/webapps/examples/WEB-INF/classes/filters"). + + Request dumping is disabled by default. Uncomment the following + element to enable it. --> + <!-- + <Valve className="org.apache.catalina.valves.RequestDumperValve"/> + --> + + <!-- Because this Realm is here, an instance will be shared globally --> + + <!-- This Realm uses the UserDatabase configured in the global JNDI + resources under the key "UserDatabase". Any edits + that are performed against this UserDatabase are immediately + available for use by the Realm. 
--> + <Realm className="org.apache.catalina.realm.UserDatabaseRealm" + resourceName="UserDatabase"/> + + <!-- Comment out the old realm but leave here for now in case we + need to go back quickly --> + <!-- + <Realm className="org.apache.catalina.realm.MemoryRealm" /> + --> + + <!-- Replace the above Realm with one of the following to get a Realm + stored in a database and accessed via JDBC --> + + <!-- + <Realm className="org.apache.catalina.realm.JDBCRealm" + driverName="org.gjt.mm.mysql.Driver" + connectionURL="jdbc:mysql://localhost/authority" + connectionName="test" connectionPassword="test" + userTable="users" userNameCol="user_name" userCredCol="user_pass" + userRoleTable="user_roles" roleNameCol="role_name" /> + --> + + <!-- + <Realm className="org.apache.catalina.realm.JDBCRealm" + driverName="oracle.jdbc.driver.OracleDriver" + connectionURL="jdbc:oracle:thin:@ntserver:1521:ORCL" + connectionName="scott" connectionPassword="tiger" + userTable="users" userNameCol="user_name" userCredCol="user_pass" + userRoleTable="user_roles" roleNameCol="role_name" /> + --> + + <!-- + <Realm className="org.apache.catalina.realm.JDBCRealm" + driverName="sun.jdbc.odbc.JdbcOdbcDriver" + connectionURL="jdbc:odbc:CATALINA" + userTable="users" userNameCol="user_name" userCredCol="user_pass" + userRoleTable="user_roles" roleNameCol="role_name" /> + --> + + <!-- Define the default virtual host + Note: XML Schema validation will not work with Xerces 2.2. + --> + <Host name="localhost" appBase="webapps" + unpackWARs="true" autoDeploy="true" + xmlValidation="false" xmlNamespaceAware="false"> + + <!-- Defines a cluster for this node, + By defining this element, means that every manager will be changed. + So when running a cluster, only make sure that you have webapps in there + that need to be clustered and remove the other ones. 
+ A cluster has the following parameters: + + className = the fully qualified name of the cluster class + + name = a descriptive name for your cluster, can be anything + + mcastAddr = the multicast address, has to be the same for all the nodes + + mcastPort = the multicast port, has to be the same for all the nodes + + mcastBindAddr = bind the multicast socket to a specific address + + mcastTTL = the multicast TTL if you want to limit your broadcast + + mcastSoTimeout = the multicast readtimeout + + mcastFrequency = the number of milliseconds in between sending a "I'm alive" heartbeat + + mcastDropTime = the number a milliseconds before a node is considered "dead" if no heartbeat is received + + tcpThreadCount = the number of threads to handle incoming replication requests, optimal would be the same amount of threads as nodes + + tcpListenAddress = the listen address (bind address) for TCP cluster request on this host, + in case of multiple ethernet cards. + auto means that address becomes + InetAddress.getLocalHost().getHostAddress() + + tcpListenPort = the tcp listen port + + tcpSelectorTimeout = the timeout (ms) for the Selector.select() method in case the OS + has a wakup bug in java.nio. Set to 0 for no timeout + + printToScreen = true means that managers will also print to std.out + + expireSessionsOnShutdown = true means that + + useDirtyFlag = true means that we only replicate a session after setAttribute,removeAttribute has been called. + false means to replicate the session after each request. + false means that replication would work for the following piece of code: (only for SimpleTcpReplicationManager) + <% + HashMap map = (HashMap)session.getAttribute("map"); + map.put("key","value"); + %> + replicationMode = can be either 'pooled', 'synchronous' or 'asynchronous'. + * Pooled means that the replication happens using several sockets in a synchronous way. Ie, the data gets replicated, then the request return. 
This is the same as the 'synchronous' setting except it uses a pool of sockets, hence it is multithreaded. This is the fastest and safest configuration. To use this, also increase the nr of tcp threads that you have dealing with replication. + * Synchronous means that the thread that executes the request, is also the + thread the replicates the data to the other nodes, and will not return until all + nodes have received the information. + * Asynchronous means that there is a specific 'sender' thread for each cluster node, + so the request thread will queue the replication request into a "smart" queue, + and then return to the client. + The "smart" queue is a queue where when a session is added to the queue, and the same session + already exists in the queue from a previous request, that session will be replaced + in the queue instead of replicating two requests. This almost never happens, unless there is a + large network delay. + --> + <!-- + When configuring for clustering, you also add in a valve to catch all the requests + coming in, at the end of the request, the session may or may not be replicated. + A session is replicated if and only if all the conditions are met: + 1. useDirtyFlag is true or setAttribute or removeAttribute has been called AND + 2. a session exists (has been created) + 3. the request is not trapped by the "filter" attribute + + The filter attribute is to filter out requests that could not modify the session, + hence we don't replicate the session after the end of this request. + The filter is negative, ie, anything you put in the filter, you mean to filter out, + ie, no replication will be done on requests that match one of the filters. + The filter attribute is delimited by ;, so you can't escape out ; even if you wanted to. + + filter=".*\.gif;.*\.js;" means that we will not replicate the session after requests with the URI + ending with .gif and .js are intercepted. + + The deployer element can be used to deploy apps cluster wide. 
+ Currently the deployment only deploys/undeploys to working members in the cluster + so no WARs are copied upons startup of a broken node. + The deployer watches a directory (watchDir) for WAR files when watchEnabled="true" + When a new war file is added the war gets deployed to the local instance, + and then deployed to the other instances in the cluster. + When a war file is deleted from the watchDir the war is undeployed locally + and cluster wide + --> + + <!-- + <Cluster className="org.apache.catalina.cluster.tcp.SimpleTcpCluster" + managerClassName="org.apache.catalina.cluster.session.DeltaManager" + expireSessionsOnShutdown="false" + useDirtyFlag="true" + notifyListenersOnReplication="true"> + + <Membership + className="org.apache.catalina.cluster.mcast.McastService" + mcastAddr="228.0.0.4" + mcastPort="45564" + mcastFrequency="500" + mcastDropTime="3000"/> + + <Receiver + className="org.apache.catalina.cluster.tcp.ReplicationListener" + tcpListenAddress="auto" + tcpListenPort="4001" + tcpSelectorTimeout="100" + tcpThreadCount="6"/> + + <Sender + className="org.apache.catalina.cluster.tcp.ReplicationTransmitter" + replicationMode="pooled" + ackTimeout="15000"/> + + <Valve className="org.apache.catalina.cluster.tcp.ReplicationValve" + filter=".*\.gif;.*\.js;.*\.jpg;.*\.png;.*\.htm;.*\.html;.*\.css;.*\.txt;"/> + + <Deployer className="org.apache.catalina.cluster.deploy.FarmWarDeployer" + tempDir="/tmp/war-temp/" + deployDir="/tmp/war-deploy/" + watchDir="/tmp/war-listen/" + watchEnabled="false"/> + </Cluster> + --> + + + + <!-- Normally, users must authenticate themselves to each web app + individually. Uncomment the following entry if you would like + a user to be authenticated the first time they encounter a + resource protected by a security constraint, and then have that + user identity maintained across *all* web applications contained + in this virtual host. 
--> + <!-- + <Valve className="org.apache.catalina.authenticator.SingleSignOn" /> + --> + + <!-- Access log processes all requests for this virtual host. By + default, log files are created in the "logs" directory relative to + $CATALINA_HOME. If you wish, you can specify a different + directory with the "directory" attribute. Specify either a relative + (to $CATALINA_HOME) or absolute path to the desired directory. + --> + <!-- + <Valve className="org.apache.catalina.valves.AccessLogValve" + directory="logs" prefix="localhost_access_log." suffix=".txt" + pattern="common" resolveHosts="false"/> + --> + + <!-- Access log processes all requests for this virtual host. By + default, log files are created in the "logs" directory relative to + $CATALINA_HOME. If you wish, you can specify a different + directory with the "directory" attribute. Specify either a relative + (to $CATALINA_HOME) or absolute path to the desired directory. + This access log implementation is optimized for maximum performance, + but is hardcoded to support only the "common" and "combined" patterns. + --> + <!-- + <Valve className="org.apache.catalina.valves.FastCommonAccessLogValve" + directory="logs" prefix="localhost_access_log." suffix=".txt" + pattern="common" resolveHosts="false"/> + --> + <!-- Access log processes all requests for this virtual host. By + default, log files are created in the "logs" directory relative to + $CATALINA_HOME. If you wish, you can specify a different + directory with the "directory" attribute. Specify either a relative + (to $CATALINA_HOME) or absolute path to the desired directory. + This access log implementation is optimized for maximum performance, + but is hardcoded to support only the "common" and "combined" patterns. + + This valve use NIO direct Byte Buffer to asynchornously store the + log. + --> + <!-- + <Valve className="org.apache.catalina.valves.ByteBufferAccessLogValve" + directory="logs" prefix="localhost_access_log." 
suffix=".txt" + pattern="common" resolveHosts="false"/> + --> + + </Host> + + </Engine> + + </Service> + +</Server> diff --git a/pki/base/ca/shared/conf/serverCert.profile b/pki/base/ca/shared/conf/serverCert.profile new file mode 100644 index 000000000..adf6ee4ad --- /dev/null +++ b/pki/base/ca/shared/conf/serverCert.profile 
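Review bot: The AJP/1.3 `<Connector port="8009" ...>` is left active with no `address` attribute, so it accepts connections on every interface although nothing in this file shows an AJP front end for the CA; bind it to loopback or remove it, e.g. `<Connector port="8009" address="127.0.0.1" enableLookups="false" redirectPort="8443" protocol="AJP/1.3" />`. `<Server port="8005" shutdown="SHUTDOWN">` keeps Tomcat's well-known default shutdown command, so any local process able to open that port can stop the CA; an install-time placeholder like the ones used for the connector ports would fit how the rest of the file is templated. As committed only the non-SSL connector on `<PKI_UNSECURE_PORT>` is uncommented, and the commented SSL connector carries the NSS database password inline as `certdbPassword="<PKI_CERT_DB_PASSWORD>"`, which means server.xml has to be protected like a password file once it is filled in. Unlike server.xml, this variant leaves every AccessLogValve commented out, so the CA host writes no per-request access log.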
@@ -0,0 +1,37 @@
+#
+# Server Certificate
+#
+id=serverCert.profile
+name=All Purpose SSL server cert Profile
+description=This profile creates an SSL server certificate that is valid for SSL servers
+list=2,4,5,6,7
+2.default.class=com.netscape.cms.profile.def.ValidityDefault
+2.default.name=Validity Default
+2.default.params.range=720
+2.default.params.startTime=0
+4.default.class=com.netscape.cms.profile.def.AuthorityKeyIdentifierExtDefault
+4.default.name=Authority Key Identifier Default
+5.default.class=com.netscape.cms.profile.def.AuthInfoAccessExtDefault
+5.default.name=AIA Extension Default
+5.default.params.authInfoAccessADEnable_0=true
+5.default.params.authInfoAccessADLocationType_0=URIName
+5.default.params.authInfoAccessADLocation_0=
+5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1
+5.default.params.authInfoAccessCritical=false
+5.default.params.authInfoAccessNumADs=1
+6.default.class=com.netscape.cms.profile.def.KeyUsageExtDefault
+6.default.name=Key Usage Default
+6.default.params.keyUsageCritical=true
+6.default.params.keyUsageDigitalSignature=true
+6.default.params.keyUsageNonRepudiation=true
+6.default.params.keyUsageDataEncipherment=true
+6.default.params.keyUsageKeyEncipherment=true
+6.default.params.keyUsageKeyAgreement=false
+6.default.params.keyUsageKeyCertSign=false
+6.default.params.keyUsageCrlSign=false
+6.default.params.keyUsageEncipherOnly=false
+6.default.params.keyUsageDecipherOnly=false
+7.default.class=com.netscape.cms.profile.def.ExtendedKeyUsageExtDefault
+7.default.name=Extended Key Usage Extension Default
+7.default.params.exKeyUsageCritical=false
+7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.1
diff --git a/pki/base/ca/shared/conf/serverCertNick.conf b/pki/base/ca/shared/conf/serverCertNick.conf
new file mode 100644
index 000000000..1b1f4fcad
--- /dev/null
+++ b/pki/base/ca/shared/conf/serverCertNick.conf
@@ -0,0 +1 @@
+Server-Cert cert-[PKI_INSTANCE_ID]
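Review bot: `5.default.params.authInfoAccessADLocation_0=` is empty while `authInfoAccessADEnable_0=true` and `authInfoAccessNumADs=1`, so the AIA extension is enabled with one OCSP access description whose URI has no value; either fill it at install time or set `5.default.params.authInfoAccessADEnable_0=false` until a responder location is known. The key-usage default also sets `keyUsageNonRepudiation=true` and `keyUsageDataEncipherment=true` on a certificate whose only EKU is serverAuth (1.3.6.1.5.5.7.3.1); a TLS server key needs digitalSignature and keyEncipherment, and the extra bits widen what the key may be used for, so consider `6.default.params.keyUsageNonRepudiation=false` and `6.default.params.keyUsageDataEncipherment=false`. A short comment above `list=2,4,5,6,7` naming which extension each numbered default produces would make the profile easier to audit. The same empty AIA location and the same key-usage bits are repeated in subsystemCert.profile further down in this diff.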
diff --git a/pki/base/ca/shared/conf/serverCertNick.conf.bak b/pki/base/ca/shared/conf/serverCertNick.conf.bak
new file mode 100644
index 000000000..0966dfa87
--- /dev/null
+++ b/pki/base/ca/shared/conf/serverCertNick.conf.bak
@@ -0,0 +1 @@
+Server-Cert cert-rhpki-ca
\ No newline at end of file
diff --git a/pki/base/ca/shared/conf/shm.manifest b/pki/base/ca/shared/conf/shm.manifest
new file mode 100644
index 000000000..0505c085b
--- /dev/null
+++ b/pki/base/ca/shared/conf/shm.manifest
@@ -0,0 +1,2 @@
+Main-Class: org.apache.jk.common.Shm
+Class-Path: tomcat-jk2.jar commons-logging.jar tomcat-util.jar log4j.jar log4j-core.jar
diff --git a/pki/base/ca/shared/conf/subsystemCert.profile b/pki/base/ca/shared/conf/subsystemCert.profile
new file mode 100644
index 000000000..5b1a502df
--- /dev/null
+++ b/pki/base/ca/shared/conf/subsystemCert.profile
@@ -0,0 +1,37 @@
+#
+# Server Certificate
+#
+id=serverCert.profile
+name=All Purpose SSL server cert Profile
+description=This profile creates an SSL server certificate that is valid for SSL servers
+list=2,4,5,6,7
+2.default.class=com.netscape.cms.profile.def.ValidityDefault
+2.default.name=Validity Default
+2.default.params.range=720
+2.default.params.startTime=0
+4.default.class=com.netscape.cms.profile.def.AuthorityKeyIdentifierExtDefault
+4.default.name=Authority Key Identifier Default
+5.default.class=com.netscape.cms.profile.def.AuthInfoAccessExtDefault
+5.default.name=AIA Extension Default
+5.default.params.authInfoAccessADEnable_0=true
+5.default.params.authInfoAccessADLocationType_0=URIName
+5.default.params.authInfoAccessADLocation_0=
+5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1
+5.default.params.authInfoAccessCritical=false
+5.default.params.authInfoAccessNumADs=1
+6.default.class=com.netscape.cms.profile.def.KeyUsageExtDefault
+6.default.name=Key Usage Default
+6.default.params.keyUsageCritical=true
+6.default.params.keyUsageDigitalSignature=true
+6.default.params.keyUsageNonRepudiation=true
+6.default.params.keyUsageDataEncipherment=true
+6.default.params.keyUsageKeyEncipherment=true
+6.default.params.keyUsageKeyAgreement=false
+6.default.params.keyUsageKeyCertSign=false
+6.default.params.keyUsageCrlSign=false
+6.default.params.keyUsageEncipherOnly=false
+6.default.params.keyUsageDecipherOnly=false
+7.default.class=com.netscape.cms.profile.def.ExtendedKeyUsageExtDefault
+7.default.name=Extended Key Usage Extension Default
+7.default.params.exKeyUsageCritical=false
+7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2
diff --git a/pki/base/ca/shared/conf/tomcat-jk2.manifest b/pki/base/ca/shared/conf/tomcat-jk2.manifest
new file mode 100644
index 000000000..acfef4a90
--- /dev/null
+++ b/pki/base/ca/shared/conf/tomcat-jk2.manifest
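Review bot: This file is a copy of serverCert.profile that still declares `id=serverCert.profile` and `name=All Purpose SSL server cert Profile`, so two profiles in the same conf directory share one id, and the header comment and `description=` both still describe a server certificate; give it its own identity, e.g. `id=subsystemCert.profile` with a name and description that say it issues subsystem certificates. The only functional difference is the added clientAuth EKU in `7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2`, which is what a subsystem certificate used for TLS client authentication needs, so that part reads correctly. A one-line comment above `list=2,4,5,6,7` saying why both serverAuth and clientAuth are required here would stop a later cleanup from "fixing" it back to the server profile's single OID.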
@@ -0,0 +1,7 @@
+Manifest-version: 1.0
+Extension-Name: org.apache.jk
+Specification-Vendor: Apache Software Foundation
+Specification-Version: 2.0
+Implementation-Vendor-Id: org.apache
+Implementation-Vendor: Apache Software Foundation
+Implementation-Version: 2.1
diff --git a/pki/base/ca/shared/conf/tomcat-users.xml b/pki/base/ca/shared/conf/tomcat-users.xml
new file mode 100644
index 000000000..920e68240
--- /dev/null
+++ b/pki/base/ca/shared/conf/tomcat-users.xml
@@ -0,0 +1,13 @@
+<?xml version='1.0' encoding='utf-8'?>
+<tomcat-users>
+ <role rolename="pkiuser"/>
+ <role rolename="tomcat"/>
+ <role rolename="role1"/>
+ <role rolename="manager"/>
+ <role rolename="admin"/>
+ <user username="pkiuser" password="pkiuser" roles="pkiuser"/>
+ <user username="tomcat" password="tomcat" roles="tomcat"/>
+ <user username="both" password="tomcat" roles="tomcat,role1"/>
+ <user username="role1" password="tomcat" roles="role1"/>
+ <user username="admin" password="netscape" roles="admin,manager"/>
+</tomcat-users>
diff --git a/pki/base/ca/shared/conf/tomcat5.conf b/pki/base/ca/shared/conf/tomcat5.conf
new file mode 100644
index 000000000..f82eafd8e
--- /dev/null
+++ b/pki/base/ca/shared/conf/tomcat5.conf
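Review bot: The user database ships with fixed clear-text credentials, including `<user username="admin" password="netscape" roles="admin,manager"/>` and `pkiuser`/`pkiuser`, and server.xml.good in this same diff wires `conf/tomcat-users.xml` into the global `UserDatabaseRealm`, so every CA instance starts with the same known logins for the admin and manager roles. Drop the sample accounts (tomcat, both, role1, admin) and the manager/admin roles unless the manager application is actually deployed, and have the remaining password generated at install time rather than committed. If an account must exist here, store a digest (the Realm's `digest` attribute) instead of the clear-text value, and add a comment naming which component authenticates against this realm, since nothing in the diff shows one.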
@@ -0,0 +1,73 @@
+# tomcat5 service configuration file
+
+# Check to insure that at least one PKI subsystem
+# currently resides on this system.
+if [ ! -x /usr/bin/pkiarch ] ||
+ [ ! -x /usr/bin/pkiflavor ] ||
+ [ ! -x /usr/bin/pkiname ]; then
+ echo "This machine is missing all PKI subsystems!"
+ exit 255
+fi
+
+# Check to insure that this configuration file's associated PKI
+# subsystem currently resides on this system.
+PKI_SUBSYSTEM_TYPE=[PKI_SUBSYSTEM_TYPE]
+if [ ! -d /usr/share/`pkiflavor`/${PKI_SUBSYSTEM_TYPE} ] ; then
+ echo "This machine is missing the '${PKI_SUBSYSTEM_TYPE}' subsystem!"
+ exit 255
+fi
+
+# you could also override JAVA_HOME here
+# Where your java installation lives
+JAVA_HOME="/usr/lib/jvm/jre"
+
+# You can pass some parameters to java
+# here if you wish to
+#JAVA_OPTS="-Xminf0.1 -Xmaxf0.3"
+
+# Where your tomcat installation lives
+# That change from previous RPM where TOMCAT_HOME
+# used to be /var/tomcat.
+# Now /var/tomcat will be the base for webapps only
+CATALINA_HOME="/usr/share/tomcat5"
+JASPER_HOME="/usr/share/tomcat5"
+CATALINA_TMPDIR="/usr/share/tomcat5/temp"
+JAVA_ENDORSED_DIRS="/usr/share/tomcat5/common/endorsed"
+
+# What user should run tomcat
+TOMCAT_USER="[PKI_USER]"
+TOMCAT_GROUP="[PKI_GROUP]"
+
+# You can change your tomcat locale here
+#LANG=en_US
+
+# Time to wait in seconds, while starting process
+STARTUP_WAIT=30
+
+# Time to wait in seconds, before killing process
+SHUTDOWN_WAIT=30
+
+
+# If you wish to further customize your tomcat environment,
+# put your own definitions here
+# (i.e. LD_LIBRARY_PATH for some jdbc drivers)
+# Just do not forget to export them :)
+
+PLATFORM=`pkiarch`
+
+if [ $PLATFORM = "i386" ]; then
+ # 32-bit Linux
+ LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/usr/lib/dirsec:/usr/lib
+elif [ $PLATFORM = "x86_64" ]; then
+ # 64-bit Linux
+ LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/usr/lib64/dirsec:/usr/lib64:/usr/lib
+elif [ $PLATFORM = "sparc" ]; then
+ # 32-bit Solaris
+ LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/usr/lib/dirsec:/usr/lib
+elif [ $PLATFORM = "sparcv9" ]; then
+ # 64-bit Solaris
+ JAVA_OPTS="-d64"
+ export JAVA_OPTS
+ LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/usr/lib/sparcv9/dirsec:/usr/lib/sparcv9:/usr/lib/dirsec:/usr/lib
+fi
+export LD_LIBRARY_PATH
diff --git a/pki/base/ca/shared/conf/uriworkermap.properties b/pki/base/ca/shared/conf/uriworkermap.properties
new file mode 100644
index 000000000..c65445b10
--- /dev/null
+++ b/pki/base/ca/shared/conf/uriworkermap.properties
@@ -0,0 +1,13 @@
+# uriworkermap.properties - IIS
+#
+# This file provides sample mappings for example ajp13w
+# worker defined in workermap.properties.minimal
+# The general sytax for this file is:
+# [URL]=[Worker name]
+
+/servlet-examples/*=ajp13w
+
+# Optionally filter out all .jpeg files inside that context
+# For no mapping the url has to start with exclamation (!)
+
+!/servlet-examples/*.jpeg=ajp13w
diff --git a/pki/base/ca/shared/conf/vlv.ldif b/pki/base/ca/shared/conf/vlv.ldif
new file mode 100644
index 000000000..a3b574608
--- /dev/null
+++ b/pki/base/ca/shared/conf/vlv.ldif
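Review bot: Each `LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/usr/lib/dirsec:...` assignment in the platform branches yields a leading `:` when the variable is unset, and an empty element in LD_LIBRARY_PATH makes the dynamic loader search the current working directory, so the JVM running the CA would load shared objects from whatever directory the service happened to be started in; prepend only when a value exists, e.g. `LD_LIBRARY_PATH="${LD_LIBRARY_PATH:+$LD_LIBRARY_PATH:}/usr/lib/dirsec:/usr/lib"` for the i386 branch and likewise for the other three. The tests `if [ $PLATFORM = "i386" ]` use an unquoted expansion, so an empty result from `pkiarch` becomes a `[` syntax error instead of a clean fall-through; write `"$PLATFORM"`, and quote the unquoted `pkiflavor` substitution in the `-d` test for the same reason. The sparcv9 branch assigns `JAVA_OPTS="-d64"` unconditionally, which would silently discard any value an administrator sets by uncommenting the `#JAVA_OPTS=` line above it.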
@@ -0,0 +1,544 @@ +dn: cn=allCerts-{instanceId}, cn={database}, cn=ldbm database, cn=plugins, cn=config +objectClass: top +objectClass: vlvSearch +cn: allCerts-{instanceId} +vlvBase: ou=certificateRepository,ou=ca,{rootSuffix} +vlvScope: 1 +vlvFilter: (certstatus=*) + +dn: cn=allExpiredCerts-{instanceId}, cn={database}, cn=ldbm database, cn=plugins, cn=config +objectClass: top +objectClass: vlvSearch +cn: allExpiredCerts-{instanceId} +vlvBase: ou=certificateRepository,ou=ca,{rootSuffix} +vlvScope: 1 +vlvFilter: (certstatus=EXPIRED) + +dn: cn=allInvalidCerts-{instanceId}, cn={database}, cn=ldbm database, cn=plugins, cn=config +objectClass: top +objectClass: vlvSearch +cn: allInvalidCerts-{instanceId} +vlvBase: ou=certificateRepository,ou=ca,{rootSuffix} +vlvScope: 1 +vlvFilter: (certstatus=INVALID) + +dn: cn=allInValidCertsNotBefore-{instanceId}, cn={database}, cn=ldbm database, cn=plugins, cn=config +objectClass: top +objectClass: vlvSearch +cn: allInValidCertsNotBefore-{instanceId} +vlvBase: ou=certificateRepository,ou=ca,{rootSuffix} +vlvScope: 1 +vlvFilter: (certstatus=INVALID) + +dn: cn=allNonRevokedCerts-{instanceId}, cn={database}, cn=ldbm database, cn=plugins, cn=config +objectClass: top +objectClass: vlvSearch +cn: allNonRevokedCerts-{instanceId} +vlvBase: ou=certificateRepository,ou=ca,{rootSuffix} +vlvScope: 1 +vlvFilter: (|(certstatus=VALID)(certstatus=INVALID)(certstatus=EXPIRED)) + +dn: cn=allRevokedCaCerts-{instanceId}, cn={database}, cn=ldbm database, cn=plugins, cn=config +objectClass: top +objectClass: vlvSearch +cn: allRevokedCaCerts-{instanceId} +vlvBase: ou=certificateRepository,ou=ca,{rootSuffix} +vlvScope: 1 +vlvFilter: (&(certStatus=REVOKED)(extension=2.5.29.19;*isCA=true*)) + +dn: cn=allRevokedCerts-{instanceId}, cn={database}, cn=ldbm database, cn=plugins, cn=config +objectClass: top +objectClass: vlvSearch +cn: allRevokedCerts-{instanceId} +vlvBase: ou=certificateRepository,ou=ca,{rootSuffix} +vlvScope: 1 +vlvFilter: (certstatus=REVOKED) + 
+dn: cn=allRevokedCertsNotAfter-{instanceId}, cn={database}, cn=ldbm database, cn=plugins, cn=config +objectClass: top +objectClass: vlvSearch +cn: allRevokedCertsNotAfter-{instanceId} +vlvBase: ou=certificateRepository,ou=ca,{rootSuffix} +vlvScope: 1 +vlvFilter: (certstatus=REVOKED) + +dn: cn=allRevokedExpiredCerts-{instanceId}, cn={database}, cn=ldbm database, cn=plugins, cn=config +objectClass: top +objectClass: vlvSearch +cn: allRevokedExpiredCerts-{instanceId} +vlvBase: ou=certificateRepository,ou=ca,{rootSuffix} +vlvScope: 1 +vlvFilter: (certstatus=REVOKED_EXPIRED) + +dn: cn=allRevokedOrRevokedExpiredCaCerts-{instanceId}, cn={database}, cn=ldbm database, cn=plugins, cn=config +objectClass: top +objectClass: vlvSearch +cn: allRevokedOrRevokedExpiredCaCerts-{instanceId} +vlvBase: ou=certificateRepository,ou=ca,{rootSuffix} +vlvScope: 1 +vlvFilter: (&(|(certStatus=REVOKED)(certStatus=REVOKED_EXPIRED))(extension=2.5.29.19;*isCA=true*)) + +dn: cn=allRevokedOrRevokedExpiredCerts-{instanceId}, cn={database}, cn=ldbm database, cn=plugins, cn=config +objectClass: top +objectClass: vlvSearch +cn: allRevokedOrRevokedExpiredCerts-{instanceId} +vlvBase: ou=certificateRepository,ou=ca,{rootSuffix} +vlvScope: 1 +vlvFilter: (|(certstatus=REVOKED)(certstatus=REVOKED_EXPIRED)) + +dn: cn=allValidCerts-{instanceId}, cn={database}, cn=ldbm database, cn=plugins, cn=config +objectClass: top +objectClass: vlvSearch +cn: allValidCerts-{instanceId} +vlvBase: ou=certificateRepository,ou=ca,{rootSuffix} +vlvScope: 1 +vlvFilter: (certstatus=VALID) + +dn: cn=allValidCertsNotAfter-{instanceId}, cn={database}, cn=ldbm database, cn=plugins, cn=config +objectClass: top +objectClass: vlvSearch +cn: allValidCertsNotAfter-{instanceId} +vlvBase: ou=certificateRepository,ou=ca,{rootSuffix} +vlvScope: 1 +vlvFilter: (certstatus=VALID) + +dn: cn=allValidOrRevokedCerts-{instanceId}, cn={database}, cn=ldbm database, cn=plugins, cn=config +objectClass: top +objectClass: vlvSearch +cn: 
allValidOrRevokedCerts-{instanceId} +vlvBase: ou=certificateRepository,ou=ca,{rootSuffix} +vlvScope: 1 +vlvFilter: (|(certstatus=VALID)(certstatus=REVOKED)) + +dn: cn=caAll-{instanceId}, cn={database}, cn=ldbm database, cn=plugins, cn=config +objectClass: top +objectClass: vlvSearch +cn: caAll-{instanceId} +vlvBase: ou=ca,ou=requests,{rootSuffix} +vlvScope: 1 +vlvFilter: (requeststate=*) + +dn: cn=caCanceled-{instanceId}, cn={database}, cn=ldbm database, cn=plugins, cn=config +objectClass: top +objectClass: vlvSearch +cn: caCanceled-{instanceId} +vlvBase: ou=ca,ou=requests,{rootSuffix} +vlvScope: 1 +vlvFilter: (requeststate=canceled) + +dn: cn=caCanceledEnrollment-{instanceId}, cn={database}, cn=ldbm database, cn=plugins, cn=config +objectClass: top +objectClass: vlvSearch +cn: caCanceledEnrollment-{instanceId} +vlvBase: ou=ca,ou=requests,{rootSuffix} +vlvScope: 1 +vlvFilter: (&(requeststate=canceled)(requesttype=enrollment)) + +dn: cn=caCanceledRenewal-{instanceId}, cn={database}, cn=ldbm database, cn=plugins, cn=config +objectClass: top +objectClass: vlvSearch +cn: caCanceledRenewal-{instanceId} +vlvBase: ou=ca,ou=requests,{rootSuffix} +vlvScope: 1 +vlvFilter: (&(requeststate=canceled)(requesttype=renewal)) + +dn: cn=caCanceledRevocation-{instanceId}, cn={database}, cn=ldbm database, cn=plugins, cn=config +objectClass: top +objectClass: vlvSearch +cn: caCanceledRevocation-{instanceId} +vlvBase: ou=ca,ou=requests,{rootSuffix} +vlvScope: 1 +vlvFilter: (&(requeststate=canceled)(requesttype=revocation)) + +dn: cn=caComplete-{instanceId}, cn={database}, cn=ldbm database, cn=plugins, cn=config +objectClass: top +objectClass: vlvSearch +cn: caComplete-{instanceId} +vlvBase: ou=ca,ou=requests,{rootSuffix} +vlvScope: 1 +vlvFilter: (requeststate=complete) + +dn: cn=caCompleteEnrollment-{instanceId}, cn={database}, cn=ldbm database, cn=plugins, cn=config +objectClass: top +objectClass: vlvSearch +cn: caCompleteEnrollment-{instanceId} +vlvBase: ou=ca,ou=requests,{rootSuffix} 
+vlvScope: 1 +vlvFilter: (&(requeststate=complete)(requesttype=enrollment)) + +dn: cn=caCompleteRenewal-{instanceId}, cn={database}, cn=ldbm database, cn=plugins, cn=config +objectClass: top +objectClass: vlvSearch +cn: caCompleteRenewal-{instanceId} +vlvBase: ou=ca,ou=requests,{rootSuffix} +vlvScope: 1 +vlvFilter: (&(requeststate=complete)(requesttype=renewal)) + +dn: cn=caCompleteRevocation-{instanceId}, cn={database}, cn=ldbm database, cn=plugins, cn=config +objectClass: top +objectClass: vlvSearch +cn: caCompleteRevocation-{instanceId} +vlvBase: ou=ca,ou=requests,{rootSuffix} +vlvScope: 1 +vlvFilter: (&(requeststate=complete)(requesttype=revocation)) + +dn: cn=caEnrollment-{instanceId}, cn={database}, cn=ldbm database, cn=plugins, cn=config +objectClass: top +objectClass: vlvSearch +cn: caEnrollment-{instanceId} +vlvBase: ou=ca,ou=requests,{rootSuffix} +vlvScope: 1 +vlvFilter: (requesttype=enrollment) + +dn: cn=caPending-{instanceId}, cn={database}, cn=ldbm database, cn=plugins, cn=config +objectClass: top +objectClass: vlvSearch +cn: caPending-{instanceId} +vlvBase: ou=ca,ou=requests,{rootSuffix} +vlvScope: 1 +vlvFilter: (requeststate=pending) + +dn: cn=caPendingEnrollment-{instanceId}, cn={database}, cn=ldbm database, cn=plugins, cn=config +objectClass: top +objectClass: vlvSearch +cn: caPendingEnrollment-{instanceId} +vlvBase: ou=ca,ou=requests,{rootSuffix} +vlvScope: 1 +vlvFilter: (&(requeststate=pending)(requesttype=enrollment)) + +dn: cn=caPendingRenewal-{instanceId}, cn={database}, cn=ldbm database, cn=plugins, cn=config +objectClass: top +objectClass: vlvSearch +cn: caPendingRenewal-{instanceId} +vlvBase: ou=ca,ou=requests,{rootSuffix} +vlvScope: 1 +vlvFilter: (&(requeststate=pending)(requesttype=renewal)) + +dn: cn=caPendingRevocation-{instanceId}, cn={database}, cn=ldbm database, cn=plugins, cn=config +objectClass: top +objectClass: vlvSearch +cn: caPendingRevocation-{instanceId} +vlvBase: ou=ca,ou=requests,{rootSuffix} +vlvScope: 1 +vlvFilter: 
(&(requeststate=pending)(requesttype=revocation)) + +dn: cn=caRejected-{instanceId}, cn={database}, cn=ldbm database, cn=plugins, cn=config +objectClass: top +objectClass: vlvSearch +cn: caRejected-{instanceId} +vlvBase: ou=ca,ou=requests,{rootSuffix} +vlvScope: 1 +vlvFilter: (requeststate=rejected) + +dn: cn=caRejectedEnrollment-{instanceId}, cn={database}, cn=ldbm database, cn=plugins, cn=config +objectClass: top +objectClass: vlvSearch +cn: caRejectedEnrollment-{instanceId} +vlvBase: ou=ca,ou=requests,{rootSuffix} +vlvScope: 1 +vlvFilter: (&(requeststate=rejected)(requesttype=enrollment)) + +dn: cn=caRejectedRenewal-{instanceId}, cn={database}, cn=ldbm database, cn=plugins, cn=config +objectClass: top +objectClass: vlvSearch +cn: caRejectedRenewal-{instanceId} +vlvBase: ou=ca,ou=requests,{rootSuffix} +vlvScope: 1 +vlvFilter: (&(requeststate=rejected)(requesttype=renewal)) + +dn: cn=caRejectedRevocation-{instanceId}, cn={database}, cn=ldbm database, cn=plugins, cn=config +objectClass: top +objectClass: vlvSearch +cn: caRejectedRevocation-{instanceId} +vlvBase: ou=ca,ou=requests,{rootSuffix} +vlvScope: 1 +vlvFilter: (&(requeststate=rejected)(requesttype=revocation)) + +dn: cn=caRenewal-{instanceId}, cn={database}, cn=ldbm database, cn=plugins, cn=config +objectClass: top +objectClass: vlvSearch +cn: caRenewal-{instanceId} +vlvBase: ou=ca,ou=requests,{rootSuffix} +vlvScope: 1 +vlvFilter: (requesttype=renewal) + +dn: cn=caRevocation-{instanceId}, cn={database}, cn=ldbm database, cn=plugins, cn=config +objectClass: top +objectClass: vlvSearch +cn: caRevocation-{instanceId} +vlvBase: ou=ca,ou=requests,{rootSuffix} +vlvScope: 1 +vlvFilter: (requesttype=revocation) + +dn: cn=allCerts-{instanceId}Index, cn=allCerts-{instanceId}, cn={database}, cn=ldbm database, cn=plugins, cn=config +objectClass: top +objectClass: vlvIndex +cn: allCerts-{instanceId}Index +vlvSort: serialno +vlvEnabled: 0 +vlvUses: 0 + +dn: cn=allExpiredCerts-{instanceId}Index, 
cn=allExpiredCerts-{instanceId}, cn={database}, cn=ldbm database, cn=plugins, cn=config +objectClass: top +objectClass: vlvIndex +cn: allExpiredCerts-{instanceId}Index +vlvSort: serialno +vlvEnabled: 0 +vlvUses: 0 + +dn: cn=allInvalidCerts-{instanceId}Index, cn=allInvalidCerts-{instanceId}, cn={database}, cn=ldbm database, cn=plugins, cn=config +objectClass: top +objectClass: vlvIndex +cn: allInvalidCerts-{instanceId}Index +vlvSort: serialno +vlvEnabled: 0 +vlvUses: 0 + +dn: cn=allInValidCertsNotBefore-{instanceId}Index, cn=allInValidCertsNotBefore-{instanceId}, cn={database}, cn=ldbm database, cn=plugins, cn=config +objectClass: top +objectClass: vlvIndex +cn: allInValidCertsNotBefore-{instanceId}Index +vlvSort: notBefore +vlvEnabled: 0 +vlvUses: 0 + +dn: cn=allNonRevokedCerts-{instanceId}Index, cn=allNonRevokedCerts-{instanceId}, cn={database}, cn=ldbm database, cn=plugins, cn=config +objectClass: top +objectClass: vlvIndex +cn: allNonRevokedCerts-{instanceId}Index +vlvSort: serialno +vlvEnabled: 0 +vlvUses: 0 + +dn: cn=allRevokedCaCerts-{instanceId}Index, cn=allRevokedCaCerts-{instanceId}, cn={database}, cn=ldb + m database, cn=plugins, cn=config +objectClass: top +objectClass: vlvIndex +cn: allRevokedCaCerts-{instanceId}Index +vlvSort: serialno +vlvEnabled: 0 +vlvUses: 0 + +dn: cn=allRevokedCerts-{instanceId}Index, cn=allRevokedCerts-{instanceId}, cn={database}, cn=ldbm database, cn=plugins, cn=config +objectClass: top +objectClass: vlvIndex +cn: allRevokedCerts-{instanceId}Index +vlvSort: serialno +vlvEnabled: 0 +vlvUses: 0 + +dn: cn=allRevokedCertsNotAfter-{instanceId}Index, cn=allRevokedCertsNotAfter-{instanceId}, cn={database}, cn=ldbm database, cn=plugins, cn=config +objectClass: top +objectClass: vlvIndex +cn: allRevokedCertsNotAfter-{instanceId}Index +vlvSort: notAfter +vlvEnabled: 0 +vlvUses: 0 + +dn: cn=allRevokedExpiredCerts-{instanceId}Index, cn=allRevokedExpiredCerts-{instanceId}, cn={database}, cn=ldbm database, cn=plugins, cn=config +objectClass: 
top +objectClass: vlvIndex +cn: allRevokedExpiredCerts-{instanceId}Index +vlvSort: serialno +vlvEnabled: 0 +vlvUses: 0 + +dn: cn=allRevokedOrRevokedExpiredCaCerts-{instanceId}Index, cn=allRevokedOrRevokedExpiredCaCerts-{instanceId}, cn={database}, cn=ldbm database, cn=plugins, cn=config +objectClass: top +objectClass: vlvIndex +cn: allRevokedOrRevokedExpiredCaCerts-{instanceId}Index +vlvSort: serialno +vlvEnabled: 0 +vlvUses: 0 + +dn: cn=allRevokedOrRevokedExpiredCerts-{instanceId}Index, cn=allRevokedOrRevokedExpiredCerts-{instanceId}, cn={database}, cn=ldbm database, cn=plugins, cn=config +objectClass: top +objectClass: vlvIndex +cn: allRevokedOrRevokedExpiredCerts-{instanceId}Index +vlvSort: serialno +vlvEnabled: 0 +vlvUses: 0 + +dn: cn=allValidCerts-{instanceId}Index, cn=allValidCerts-{instanceId}, cn={database}, cn=ldbm database, cn=plugins, cn=config +objectClass: top +objectClass: vlvIndex +cn: allValidCerts-{instanceId}Index +vlvSort: serialno +vlvEnabled: 0 +vlvUses: 0 + +dn: cn=allValidCertsNotAfter-{instanceId}Index, cn=allValidCertsNotAfter-{instanceId}, cn={database}, cn=ldbm database, cn=plugins, cn=config +objectClass: top +objectClass: vlvIndex +cn: allValidCertsNotAfter-{instanceId}Index +vlvSort: notAfter +vlvEnabled: 0 +vlvUses: 0 + +dn: cn=allValidOrRevokedCerts-{instanceId}Index, cn=allValidOrRevokedCerts-{instanceId}, cn={database}, cn=ldbm database, cn=plugins, cn=config +objectClass: top +objectClass: vlvIndex +cn: allValidOrRevokedCerts-{instanceId}Index +vlvSort: serialno +vlvEnabled: 0 +vlvUses: 0 + +dn: cn=caAll-{instanceId}Index, cn=caAll-{instanceId}, cn={database}, cn=ldbm database, cn=plugins, cn=config +objectClass: top +objectClass: vlvIndex +cn: caAll-{instanceId}Index +vlvSort: requestId +vlvEnabled: 0 +vlvUses: 0 + +dn: cn=caCanceled-{instanceId}Index, cn=caCanceled-{instanceId}, cn={database}, cn=ldbm database, cn=plugins, cn=config +objectClass: top +objectClass: vlvIndex +cn: caCanceled-{instanceId}Index +vlvSort: requestId 
+vlvEnabled: 0 +vlvUses: 0 + +dn: cn=caCanceledEnrollment-{instanceId}Index, cn=caCanceledEnrollment-{instanceId}, cn={database}, cn=ldbm database, cn=plugins, cn=config +objectClass: top +objectClass: vlvIndex +cn: caCanceledEnrollment-{instanceId}Index +vlvSort: requestId +vlvEnabled: 0 +vlvUses: 0 + +dn: cn=caCanceledRenewal-{instanceId}Index, cn=caCanceledRenewal-{instanceId}, cn={database}, cn=ldbm database, cn=plugins, cn=config +objectClass: top +objectClass: vlvIndex +cn: caCanceledRenewal-{instanceId}Index +vlvSort: requestId +vlvEnabled: 0 +vlvUses: 0 + +dn: cn=caCanceledRevocation-{instanceId}Index, cn=caCanceledRevocation-{instanceId}, cn={database}, cn=ldbm database, cn=plugins, cn=config +objectClass: top +objectClass: vlvIndex +cn: caCanceledRevocation-{instanceId}Index +vlvSort: requestId +vlvEnabled: 0 +vlvUses: 0 + +dn: cn=caComplete-{instanceId}Index, cn=caComplete-{instanceId}, cn={database}, cn=ldbm database, cn=plugins, cn=config +objectClass: top +objectClass: vlvIndex +cn: caComplete-{instanceId}Index +vlvSort: requestId +vlvEnabled: 0 +vlvUses: 0 + +dn: cn=caCompleteEnrollment-{instanceId}Index, cn=caCompleteEnrollment-{instanceId}, cn={database}, cn=ldbm database, cn=plugins, cn=config +objectClass: top +objectClass: vlvIndex +cn: caCompleteEnrollment-{instanceId}Index +vlvSort: requestId +vlvEnabled: 0 +vlvUses: 0 + +dn: cn=caCompleteRenewal-{instanceId}Index, cn=caCompleteRenewal-{instanceId}, cn={database}, cn=ldbm database, cn=plugins, cn=config +objectClass: top +objectClass: vlvIndex +cn: caCompleteRenewal-{instanceId}Index +vlvSort: requestId +vlvEnabled: 0 +vlvUses: 0 + +dn: cn=caCompleteRevocation-{instanceId}Index, cn=caCompleteRevocation-{instanceId}, cn={database}, cn=ldbm database, cn=plugins, cn=config +objectClass: top +objectClass: vlvIndex +cn: caCompleteRevocation-{instanceId}Index +vlvSort: requestId +vlvEnabled: 0 +vlvUses: 0 + +dn: cn=caEnrollment-{instanceId}Index, cn=caEnrollment-{instanceId}, cn={database}, cn=ldbm 
database, cn=plugins, cn=config +objectClass: top +objectClass: vlvIndex +cn: caEnrollment-{instanceId}Index +vlvSort: requestId +vlvEnabled: 0 +vlvUses: 0 + +dn: cn=caPending-{instanceId}Index, cn=caPending-{instanceId}, cn={database}, cn=ldbm database, cn=plugins, cn=config +objectClass: top +objectClass: vlvIndex +cn: caPending-{instanceId}Index +vlvSort: requestId +vlvEnabled: 0 +vlvUses: 0 + +dn: cn=caPendingEnrollment-{instanceId}Index, cn=caPendingEnrollment-{instanceId}, cn={database}, cn=ldbm database, cn=plugins, cn=config +objectClass: top +objectClass: vlvIndex +cn: caPendingEnrollment-{instanceId}Index +vlvSort: requestId +vlvEnabled: 0 +vlvUses: 0 + +dn: cn=caPendingRenewal-{instanceId}Index, cn=caPendingRenewal-{instanceId}, cn={database}, cn=ldbm database, cn=plugins, cn=config +objectClass: top +objectClass: vlvIndex +cn: caPendingRenewal-{instanceId}Index +vlvSort: requestId +vlvEnabled: 0 +vlvUses: 0 + +dn: cn=caPendingRevocation-{instanceId}Index, cn=caPendingRevocation-{instanceId}, cn={database}, cn=ldbm database, cn=plugins, cn=config +objectClass: top +objectClass: vlvIndex +cn: caPendingRevocation-{instanceId}Index +vlvSort: requestId +vlvEnabled: 0 +vlvUses: 0 + +dn: cn=caRejected-{instanceId}Index, cn=caRejected-{instanceId}, cn={database}, cn=ldbm database, cn=plugins, cn=config +objectClass: top +objectClass: vlvIndex +cn: caRejected-{instanceId}Index +vlvSort: requestId +vlvEnabled: 0 +vlvUses: 0 + +dn: cn=caRejectedEnrollment-{instanceId}Index, cn=caRejectedEnrollment-{instanceId}, cn={database}, cn=ldbm database, cn=plugins, cn=config +objectClass: top +objectClass: vlvIndex +cn: caRejectedEnrollment-{instanceId}Index +vlvSort: requestId +vlvEnabled: 0 +vlvUses: 0 + +dn: cn=caRejectedRenewal-{instanceId}Index, cn=caRejectedRenewal-{instanceId}, cn={database}, cn=ldbm database, cn=plugins, cn=config +objectClass: top +objectClass: vlvIndex +cn: caRejectedRenewal-{instanceId}Index +vlvSort: requestId +vlvEnabled: 0 +vlvUses: 0 + +dn: 
cn=caRejectedRevocation-{instanceId}Index, cn=caRejectedRevocation-{instanceId}, cn={database}, cn=ldbm database, cn=plugins, cn=config +objectClass: top +objectClass: vlvIndex +cn: caRejectedRevocation-{instanceId}Index +vlvSort: requestId +vlvEnabled: 0 +vlvUses: 0 + +dn: cn=caRenewal-{instanceId}Index, cn=caRenewal-{instanceId}, cn={database}, cn=ldbm database, cn=plugins, cn=config +objectClass: top +objectClass: vlvIndex +cn: caRenewal-{instanceId}Index +vlvSort: requestId +vlvEnabled: 0 +vlvUses: 0 + +dn: cn=caRevocation-{instanceId}Index, cn=caRevocation-{instanceId}, cn={database}, cn=ldbm database, cn=plugins, cn=config +objectClass: top +objectClass: vlvIndex +cn: caRevocation-{instanceId}Index +vlvSort: requestId +vlvEnabled: 0 +vlvUses: 0 diff --git a/pki/base/ca/shared/conf/vlvtasks.ldif b/pki/base/ca/shared/conf/vlvtasks.ldif new file mode 100644 index 000000000..2158fb12c --- /dev/null +++ b/pki/base/ca/shared/conf/vlvtasks.ldif 
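Review bot: The entry `cn=allInValidCertsNotBefore-{instanceId}` is spelled with a capital V while its sibling is `allInvalidCerts`, and both carry the identical filter `(certstatus=INVALID)`; since these cn values are referenced by name from the index task list (and presumably from code), renaming is not safe, so a leading LDIF comment, `# allInValidCertsNotBefore (sic): same filter as allInvalidCerts, sorted by notBefore`, would stop the next reader from "fixing" it. The `allRevokedCaCerts-{instanceId}Index` dn is the only one written as a folded LDIF line (`cn=ldb` followed by a continuation line ` m database`); that is valid, but it is inconsistent with every other entry and easy to break in an editor, so writing it on one line would be safer. Every vlvIndex entry is created with `vlvEnabled: 0` and `vlvUses: 0` with no explanation; a one-line comment saying these are initial values is worth adding.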
@@ -0,0 +1,40 @@
+dn: cn=index1160589769, cn=index, cn=tasks, cn=config
+objectclass: top
+objectclass: extensibleObject
+cn: index1160589769
+ttl: 1
+nsInstance: {database}
+nsIndexVLVAttribute: allCerts-{instanceId}Index
+nsIndexVLVAttribute: allExpiredCerts-{instanceId}Index
+nsIndexVLVAttribute: allInvalidCerts-{instanceId}Index
+nsIndexVLVAttribute: allInValidCertsNotBefore-{instanceId}Index
+nsIndexVLVAttribute: allNonRevokedCerts-{instanceId}Index
+nsIndexVLVAttribute: allRevokedCaCerts-{instanceId}Index
+nsIndexVLVAttribute: allRevokedCerts-{instanceId}Index
+nsIndexVLVAttribute: allRevokedCertsNotAfter-{instanceId}Index
+nsIndexVLVAttribute: allRevokedExpiredCerts-{instanceId}Index
+nsIndexVLVAttribute: allRevokedOrRevokedExpiredCaCerts-{instanceId}Index
+nsIndexVLVAttribute: allRevokedOrRevokedExpiredCerts-{instanceId}Index
+nsIndexVLVAttribute: allValidCerts-{instanceId}Index
+nsIndexVLVAttribute: allValidCertsNotAfter-{instanceId}Index
+nsIndexVLVAttribute: allValidOrRevokedCerts-{instanceId}Index
+nsIndexVLVAttribute: caAll-{instanceId}Index
+nsIndexVLVAttribute: caCanceled-{instanceId}Index
+nsIndexVLVAttribute: caCanceledEnrollment-{instanceId}Index
+nsIndexVLVAttribute: caCanceledRenewal-{instanceId}Index
+nsIndexVLVAttribute: caCanceledRevocation-{instanceId}Index
+nsIndexVLVAttribute: caComplete-{instanceId}Index
+nsIndexVLVAttribute: caCompleteEnrollment-{instanceId}Index
+nsIndexVLVAttribute: caCompleteRenewal-{instanceId}Index
+nsIndexVLVAttribute: caCompleteRevocation-{instanceId}Index
+nsIndexVLVAttribute: caEnrollment-{instanceId}Index
+nsIndexVLVAttribute: caPending-{instanceId}Index
+nsIndexVLVAttribute: caPendingEnrollment-{instanceId}Index
+nsIndexVLVAttribute: caPendingRenewal-{instanceId}Index
+nsIndexVLVAttribute: caPendingRevocation-{instanceId}Index
+nsIndexVLVAttribute: caRejected-{instanceId}Index
+nsIndexVLVAttribute: caRejectedEnrollment-{instanceId}Index
+nsIndexVLVAttribute: caRejectedRenewal-{instanceId}Index
+nsIndexVLVAttribute: caRejectedRevocation-{instanceId}Index
+nsIndexVLVAttribute: caRenewal-{instanceId}Index
+nsIndexVLVAttribute: caRevocation-{instanceId}Index
diff --git a/pki/base/ca/shared/conf/web.xml b/pki/base/ca/shared/conf/web.xml
new file mode 100644
index 000000000..6b14b3b3c
--- /dev/null
+++ b/pki/base/ca/shared/conf/web.xml
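Review bot: `cn: index1160589769` is an opaque, fixed task name with nothing saying where it comes from or that it must not collide with an existing entry under `cn=index, cn=tasks, cn=config` when the task is re-submitted; a leading comment such as `# VLV index task; fixed name, re-running requires the previous task entry to be gone` would make that explicit, and the `ttl: 1` line likewise deserves a comment on what it controls. The 34 `nsIndexVLVAttribute` values are coupled one-for-one to the vlvIndex cn values in vlv.ldif (including the oddly cased `allInValidCertsNotBefore`), so a comment `# one entry per vlvIndex cn in vlv.ldif; keep both files in sync` pointing at that dependency would help whoever adds the next index.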
@@ -0,0 +1,979 @@ +<?xml version="1.0" encoding="ISO-8859-1"?> +<web-app xmlns="http://java.sun.com/xml/ns/j2ee" + xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" + xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd" + version="2.4"> + + <!-- ======================== Introduction ============================== --> + <!-- This document defines default values for *all* web applications --> + <!-- loaded into this instance of Tomcat. As each application is --> + <!-- deployed, this file is processed, followed by the --> + <!-- "/WEB-INF/web.xml" deployment descriptor from your own --> + <!-- applications. --> + <!-- --> + <!-- WARNING: Do not configure application-specific resources here! --> + <!-- They should go in the "/WEB-INF/web.xml" file in your application. --> + + + <!-- ================== Built In Servlet Definitions ==================== --> + + + <!-- The default servlet for all web applications, that serves static --> + <!-- resources. It processes all requests that are not mapped to other --> + <!-- servlets with servlet mappings (defined either here or in your own --> + <!-- web.xml file. This servlet supports the following initialization --> + <!-- parameters (default values are in square brackets): --> + <!-- --> + <!-- debug Debugging detail level for messages logged --> + <!-- by this servlet. [0] --> + <!-- --> + <!-- fileEncoding Encoding to be used to read static resources --> + <!-- [platform default] --> + <!-- --> + <!-- input Input buffer size (in bytes) when reading --> + <!-- resources to be served. [2048] --> + <!-- --> + <!-- listings Should directory listings be produced if there --> + <!-- is no welcome file in this directory? [true] --> + <!-- --> + <!-- output Output buffer size (in bytes) when writing --> + <!-- resources to be served. [2048] --> + <!-- --> + <!-- readonly Is this context "read only", so HTTP --> + <!-- commands like PUT and DELETE are --> + <!-- rejected? 
[true] --> + <!-- --> + <!-- readmeFile File name to display with the directory --> + <!-- contents. [null] --> + <!-- --> + <!-- For directory listing customization. Checks localXsltFile, then --> + <!-- globalXsltFile, then defaults to original behavior. --> + <!-- --> + <!-- localXsltFile Make directory listings an XML doc and --> + <!-- pass the result to this style sheet residing --> + <!-- in that directory. This overrides --> + <!-- globalXsltFile[null] --> + <!-- --> + <!-- globalXsltFile Site wide configuration version of --> + <!-- localXsltFile This argument is expected --> + <!-- to be a physical file. [null] --> + <!-- --> + <!-- --> + + <servlet> + <servlet-name>default</servlet-name> + <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class> + <init-param> + <param-name>debug</param-name> + <param-value>0</param-value> + </init-param> + <init-param> + <param-name>listings</param-name> + <param-value>true</param-value> + </init-param> + <load-on-startup>1</load-on-startup> + </servlet> + + + <!-- The "invoker" servlet, which executes anonymous servlet classes --> + <!-- that have not been defined in a web.xml file. Traditionally, this --> + <!-- servlet is mapped to the URL pattern "/servlet/*", but you can map --> + <!-- it to other patterns as well. The extra path info portion of such a --> + <!-- request must be the fully qualified class name of a Java class that --> + <!-- implements Servlet (or extends HttpServlet), or the servlet name --> + <!-- of an existing servlet definition. This servlet supports the --> + <!-- following initialization parameters (default values are in square --> + <!-- brackets): --> + <!-- --> + <!-- debug Debugging detail level for messages logged --> + <!-- by this servlet. 
[0] --> + +<!-- + <servlet> + <servlet-name>invoker</servlet-name> + <servlet-class> + org.apache.catalina.servlets.InvokerServlet + </servlet-class> + <init-param> + <param-name>debug</param-name> + <param-value>0</param-value> + </init-param> + <load-on-startup>2</load-on-startup> + </servlet> +--> + + + <!-- The JSP page compiler and execution servlet, which is the mechanism --> + <!-- used by Tomcat to support JSP pages. Traditionally, this servlet --> + <!-- is mapped to the URL pattern "*.jsp". This servlet supports the --> + <!-- following initialization parameters (default values are in square --> + <!-- brackets): --> + <!-- --> + <!-- checkInterval If development is false and checkInterval is --> + <!-- greater than zero, background compilations are --> + <!-- enabled. checkInterval is the time in seconds --> + <!-- between checks to see if a JSP page needs to --> + <!-- be recompiled. [0] --> + <!-- --> + <!-- modificationTestInterval --> + <!-- Causes a JSP (and its dependent files) to not --> + <!-- be checked for modification during the --> + <!-- specified time interval (in seconds) from the --> + <!-- last time the JSP was checked for --> + <!-- modification. A value of 0 will cause the JSP --> + <!-- to be checked on every access. --> + <!-- Used in development mode only. [4] --> + <!-- --> + <!-- compiler Which compiler Ant should use to compile JSP --> + <!-- pages. See the Ant documentation for more --> + <!-- information. [javac] --> + <!-- --> + <!-- classdebuginfo Should the class file be compiled with --> + <!-- debugging information? [true] --> + <!-- --> + <!-- classpath What class path should I use while compiling --> + <!-- generated servlets? [Created dynamically --> + <!-- based on the current web application] --> + <!-- --> + <!-- development Is Jasper used in development mode? If true, --> + <!-- the frequency at which JSPs are checked for --> + <!-- modification may be specified via the --> + <!-- modificationTestInterval parameter. 
[true] --> + <!-- --> + <!-- enablePooling Determines whether tag handler pooling is --> + <!-- enabled [true] --> + <!-- --> + <!-- fork Tell Ant to fork compiles of JSP pages so that --> + <!-- a separate JVM is used for JSP page compiles --> + <!-- from the one Tomcat is running in. [true] --> + <!-- --> + <!-- ieClassId The class-id value to be sent to Internet --> + <!-- Explorer when using <jsp:plugin> tags. --> + <!-- [clsid:8AD9C840-044E-11D1-B3E9-00805F499D93] --> + <!-- --> + <!-- javaEncoding Java file encoding to use for generating java --> + <!-- source files. [UTF8] --> + <!-- --> + <!-- keepgenerated Should we keep the generated Java source code --> + <!-- for each page instead of deleting it? [true] --> + <!-- --> + <!-- mappedfile Should we generate static content with one --> + <!-- print statement per input line, to ease --> + <!-- debugging? [true] --> + <!-- --> + <!-- trimSpaces Should white spaces in template text between --> + <!-- actions or directives be trimmed? [false] --> + <!-- --> + <!-- suppressSmap Should the generation of SMAP info for JSR45 --> + <!-- debugging be suppressed? [false] --> + <!-- --> + <!-- dumpSmap Should the SMAP info for JSR45 debugging be --> + <!-- dumped to a file? [false] --> + <!-- False if suppressSmap is true --> + <!-- --> + <!-- genStrAsCharArray Should text strings be generated as char --> + <!-- arrays, to improve performance in some cases? --> + <!-- [false] --> + <!-- --> + <!-- errorOnUseBeanInvalidClassAttribute --> + <!-- Should Jasper issue an error when the value of --> + <!-- the class attribute in an useBean action is --> + <!-- not a valid bean class? [true] --> + <!-- --> + <!-- scratchdir What scratch directory should we use when --> + <!-- compiling JSP pages? 
[default work directory -->
+ <!-- for the current web application] -->
+ <!-- -->
+ <!-- xpoweredBy Determines whether X-Powered-By response -->
+ <!-- header is added by generated servlet [false] -->
+ <!-- -->
+ <!-- If you wish to use Jikes to compile JSP pages: -->
+ <!-- Please see the "Using Jikes" section of the Jasper-HowTo -->
+ <!-- page in the Tomcat documentation. -->
+
+ <servlet>
+ <servlet-name>jsp</servlet-name>
+ <servlet-class>org.apache.jasper.servlet.JspServlet</servlet-class>
+ <init-param>
+ <param-name>fork</param-name>
+ <param-value>false</param-value>
+ </init-param>
+ <init-param>
+ <param-name>xpoweredBy</param-name>
+ <param-value>false</param-value>
+ </init-param>
+ <load-on-startup>3</load-on-startup>
+ </servlet>
+
+
+ <!-- Server Side Includes processing servlet, which processes SSI -->
+ <!-- directives in HTML pages consistent with similar support in web -->
+ <!-- servers like Apache. Traditionally, this servlet is mapped to the -->
+ <!-- URL pattern "*.shtml". This servlet supports the following -->
+ <!-- initialization parameters (default values are in square brackets): -->
+ <!-- -->
+ <!-- buffered Should output from this servlet be buffered? -->
+ <!-- (0=false, 1=true) [0] -->
+ <!-- -->
+ <!-- debug Debugging detail level for messages logged -->
+ <!-- by this servlet. [0] -->
+ <!-- -->
+ <!-- expires The number of seconds before a page with SSI -->
+ <!-- directives will expire. [No default] -->
+ <!-- -->
+ <!-- isVirtualWebappRelative -->
+ <!-- Should "virtual" paths be interpreted as -->
+ <!-- relative to the context root, instead of -->
+ <!-- the server root? (0=false, 1=true) [0] -->
+ <!-- -->
+ <!-- -->
+ <!-- IMPORTANT: To use the SSI servlet, you also need to rename the -->
+ <!-- $CATALINA_HOME/server/lib/servlets-ssi.renametojar file -->
+ <!-- to $CATALINA_HOME/server/lib/servlets-ssi.jar -->
+
+<!--
+ <servlet>
+ <servlet-name>ssi</servlet-name>
+ <servlet-class>
+ org.apache.catalina.ssi.SSIServlet
+ </servlet-class>
+ <init-param>
+ <param-name>buffered</param-name>
+ <param-value>1</param-value>
+ </init-param>
+ <init-param>
+ <param-name>debug</param-name>
+ <param-value>0</param-value>
+ </init-param>
+ <init-param>
+ <param-name>expires</param-name>
+ <param-value>666</param-value>
+ </init-param>
+ <init-param>
+ <param-name>isVirtualWebappRelative</param-name>
+ <param-value>0</param-value>
+ </init-param>
+ <load-on-startup>4</load-on-startup>
+ </servlet>
+-->
+
+
+ <!-- Common Gateway Includes (CGI) processing servlet, which supports -->
+ <!-- execution of external applications that conform to the CGI spec -->
+ <!-- requirements. Typically, this servlet is mapped to the URL pattern -->
+ <!-- "/cgi-bin/*", which means that any CGI applications that are -->
+ <!-- executed must be present within the web application. This servlet -->
+ <!-- supports the following initialization parameters (default values -->
+ <!-- are in square brackets): -->
+ <!-- -->
+ <!-- cgiPathPrefix The CGI search path will start at -->
+ <!-- webAppRootDir + File.separator + this prefix. -->
+ <!-- [WEB-INF/cgi] -->
+ <!-- -->
+ <!-- debug Debugging detail level for messages logged -->
+ <!-- by this servlet. [0] -->
+ <!-- -->
+ <!-- executable Name of the exectuable used to run the -->
+ <!-- script. [perl] -->
+ <!-- -->
+ <!-- parameterEncoding Name of parameter encoding to be used with -->
+ <!-- CGI servlet. -->
+ <!-- [System.getProperty("file.encoding","UTF-8")] -->
+ <!-- -->
+ <!-- passShellEnvironment Should the shell environment variables (if -->
+ <!-- any) be passed to the CGI script? [false] -->
+ <!-- -->
+ <!-- IMPORTANT: To use the CGI servlet, you also need to rename the -->
+ <!-- $CATALINA_HOME/server/lib/servlets-cgi.renametojar file -->
+ <!-- to $CATALINA_HOME/server/lib/servlets-cgi.jar -->
+
+<!--
+ <servlet>
+ <servlet-name>cgi</servlet-name>
+ <servlet-class>org.apache.catalina.servlets.CGIServlet</servlet-class>
+ <init-param>
+ <param-name>debug</param-name>
+ <param-value>6</param-value>
+ </init-param>
+ <init-param>
+ <param-name>cgiPathPrefix</param-name>
+ <param-value>WEB-INF/cgi</param-value>
+ </init-param>
+ <load-on-startup>5</load-on-startup>
+ </servlet>
+-->
+
+
+ <!-- ================ Built In Servlet Mappings ========================= -->
+
+
+ <!-- The servlet mappings for the built in servlets defined above. Note -->
+ <!-- that, by default, the CGI and SSI servlets are *not* mapped. You -->
+ <!-- must uncomment these mappings (or add them to your application's own -->
+ <!-- web.xml deployment descriptor) to enable these services -->
+
+ <!-- The mapping for the default servlet -->
+ <servlet-mapping>
+ <servlet-name>default</servlet-name>
+ <url-pattern>/</url-pattern>
+ </servlet-mapping>
+
+ <!-- The mapping for the invoker servlet -->
+<!--
+ <servlet-mapping>
+ <servlet-name>invoker</servlet-name>
+ <url-pattern>/servlet/*</url-pattern>
+ </servlet-mapping>
+-->
+
+ <!-- The mapping for the JSP servlet -->
+ <servlet-mapping>
+ <servlet-name>jsp</servlet-name>
+ <url-pattern>*.jsp</url-pattern>
+ </servlet-mapping>
+
+ <servlet-mapping>
+ <servlet-name>jsp</servlet-name>
+ <url-pattern>*.jspx</url-pattern>
+ </servlet-mapping>
+
+ <!-- The mapping for the SSI servlet -->
+<!--
+ <servlet-mapping>
+ <servlet-name>ssi</servlet-name>
+ <url-pattern>*.shtml</url-pattern>
+ </servlet-mapping>
+-->
+
+ <!-- The mapping for the CGI Gateway servlet -->
+
+<!--
+ <servlet-mapping>
+ <servlet-name>cgi</servlet-name>
+ <url-pattern>/cgi-bin/*</url-pattern>
+ </servlet-mapping>
+-->
+
+
+ <!-- ==================== Default Session Configuration ================= -->
+ <!-- You can set the default session timeout (in minutes) for all newly -->
+ <!-- created sessions by modifying the value below. -->
+
+ <session-config>
+ <session-timeout>30</session-timeout>
+ </session-config>
+
+
+ <!-- ===================== Default MIME Type Mappings =================== -->
+ <!-- When serving static resources, Tomcat will automatically generate -->
+ <!-- a "Content-Type" header based on the resource's filename extension, -->
+ <!-- based on these mappings. Additional mappings can be added here (to -->
+ <!-- apply to all web applications), or in your own application's web.xml -->
+ <!-- deployment descriptor. -->
+
+ <mime-mapping>
+ <extension>abs</extension>
+ <mime-type>audio/x-mpeg</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>ai</extension>
+ <mime-type>application/postscript</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>aif</extension>
+ <mime-type>audio/x-aiff</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>aifc</extension>
+ <mime-type>audio/x-aiff</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>aiff</extension>
+ <mime-type>audio/x-aiff</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>aim</extension>
+ <mime-type>application/x-aim</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>art</extension>
+ <mime-type>image/x-jg</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>asf</extension>
+ <mime-type>video/x-ms-asf</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>asx</extension>
+ <mime-type>video/x-ms-asf</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>au</extension>
+ <mime-type>audio/basic</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>avi</extension>
+ <mime-type>video/x-msvideo</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>avx</extension>
+ <mime-type>video/x-rad-screenplay</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>bcpio</extension>
+ <mime-type>application/x-bcpio</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>bin</extension>
+ <mime-type>application/octet-stream</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>bmp</extension>
+ <mime-type>image/bmp</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>body</extension>
+ <mime-type>text/html</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>cdf</extension>
+ <mime-type>application/x-cdf</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>cer</extension>
+ <mime-type>application/x-x509-ca-cert</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>class</extension>
+ <mime-type>application/java</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>cpio</extension>
+ <mime-type>application/x-cpio</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>csh</extension>
+ <mime-type>application/x-csh</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>css</extension>
+ <mime-type>text/css</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>dib</extension>
+ <mime-type>image/bmp</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>doc</extension>
+ <mime-type>application/msword</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>dtd</extension>
+ <mime-type>application/xml-dtd</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>dv</extension>
+ <mime-type>video/x-dv</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>dvi</extension>
+ <mime-type>application/x-dvi</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>eps</extension>
+ <mime-type>application/postscript</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>etx</extension>
+ <mime-type>text/x-setext</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>exe</extension>
+ <mime-type>application/octet-stream</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>gif</extension>
+ <mime-type>image/gif</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>gtar</extension>
+ <mime-type>application/x-gtar</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>gz</extension>
+ <mime-type>application/x-gzip</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>hdf</extension>
+ <mime-type>application/x-hdf</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>hqx</extension>
+ <mime-type>application/mac-binhex40</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>htc</extension>
+ <mime-type>text/x-component</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>htm</extension>
+ <mime-type>text/html</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>html</extension>
+ <mime-type>text/html</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>hqx</extension>
+ <mime-type>application/mac-binhex40</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>ief</extension>
+ <mime-type>image/ief</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>jad</extension>
+ <mime-type>text/vnd.sun.j2me.app-descriptor</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>jar</extension>
+ <mime-type>application/java-archive</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>java</extension>
+ <mime-type>text/plain</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>jnlp</extension>
+ <mime-type>application/x-java-jnlp-file</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>jpe</extension>
+ <mime-type>image/jpeg</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>jpeg</extension>
+ <mime-type>image/jpeg</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>jpg</extension>
+ <mime-type>image/jpeg</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>js</extension>
+ <mime-type>text/javascript</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>jsf</extension>
+ <mime-type>text/plain</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>jspf</extension>
+ <mime-type>text/plain</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>kar</extension>
+ <mime-type>audio/x-midi</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>latex</extension>
+ <mime-type>application/x-latex</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>m3u</extension>
+ <mime-type>audio/x-mpegurl</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>mac</extension>
+ <mime-type>image/x-macpaint</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>man</extension>
+ <mime-type>application/x-troff-man</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>mathml</extension>
+ <mime-type>application/mathml+xml</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>me</extension>
+ <mime-type>application/x-troff-me</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>mid</extension>
+ <mime-type>audio/x-midi</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>midi</extension>
+ <mime-type>audio/x-midi</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>mif</extension>
+ <mime-type>application/x-mif</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>mov</extension>
+ <mime-type>video/quicktime</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>movie</extension>
+ <mime-type>video/x-sgi-movie</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>mp1</extension>
+ <mime-type>audio/x-mpeg</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>mp2</extension>
+ <mime-type>audio/x-mpeg</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>mp3</extension>
+ <mime-type>audio/x-mpeg</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>mpa</extension>
+ <mime-type>audio/x-mpeg</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>mpe</extension>
+ <mime-type>video/mpeg</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>mpeg</extension>
+ <mime-type>video/mpeg</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>mpega</extension>
+ <mime-type>audio/x-mpeg</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>mpg</extension>
+ <mime-type>video/mpeg</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>mpv2</extension>
+ <mime-type>video/mpeg2</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>ms</extension>
+ <mime-type>application/x-wais-source</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>nc</extension>
+ <mime-type>application/x-netcdf</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>oda</extension>
+ <mime-type>application/oda</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>ogg</extension>
+ <mime-type>application/ogg</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>pbm</extension>
+ <mime-type>image/x-portable-bitmap</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>pct</extension>
+ <mime-type>image/pict</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>pdf</extension>
+ <mime-type>application/pdf</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>pgm</extension>
+ <mime-type>image/x-portable-graymap</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>pic</extension>
+ <mime-type>image/pict</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>pict</extension>
+ <mime-type>image/pict</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>pls</extension>
+ <mime-type>audio/x-scpls</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>png</extension>
+ <mime-type>image/png</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>pnm</extension>
+ <mime-type>image/x-portable-anymap</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>pnt</extension>
+ <mime-type>image/x-macpaint</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>ppm</extension>
+ <mime-type>image/x-portable-pixmap</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>ppt</extension>
+ <mime-type>application/powerpoint</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>ps</extension>
+ <mime-type>application/postscript</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>psd</extension>
+ <mime-type>image/x-photoshop</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>qt</extension>
+ <mime-type>video/quicktime</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>qti</extension>
+ <mime-type>image/x-quicktime</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>qtif</extension>
+ <mime-type>image/x-quicktime</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>ras</extension>
+ <mime-type>image/x-cmu-raster</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>rdf</extension>
+ <mime-type>application/rdf+xml</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>rgb</extension>
+ <mime-type>image/x-rgb</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>rm</extension>
+ <mime-type>application/vnd.rn-realmedia</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>roff</extension>
+ <mime-type>application/x-troff</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>rtf</extension>
+ <mime-type>application/rtf</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>rtx</extension>
+ <mime-type>text/richtext</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>sh</extension>
+ <mime-type>application/x-sh</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>shar</extension>
+ <mime-type>application/x-shar</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>smf</extension>
+ <mime-type>audio/x-midi</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>sit</extension>
+ <mime-type>application/x-stuffit</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>snd</extension>
+ <mime-type>audio/basic</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>src</extension>
+ <mime-type>application/x-wais-source</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>sv4cpio</extension>
+ <mime-type>application/x-sv4cpio</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>sv4crc</extension>
+ <mime-type>application/x-sv4crc</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>svg</extension>
+ <mime-type>image/svg+xml</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>swf</extension>
+ <mime-type>application/x-shockwave-flash</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>t</extension>
+ <mime-type>application/x-troff</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>tar</extension>
+ <mime-type>application/x-tar</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>tcl</extension>
+ <mime-type>application/x-tcl</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>tex</extension>
+ <mime-type>application/x-tex</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>texi</extension>
+ <mime-type>application/x-texinfo</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>texinfo</extension>
+ <mime-type>application/x-texinfo</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>tif</extension>
+ <mime-type>image/tiff</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>tiff</extension>
+ <mime-type>image/tiff</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>tr</extension>
+ <mime-type>application/x-troff</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>tsv</extension>
+ <mime-type>text/tab-separated-values</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>txt</extension>
+ <mime-type>text/plain</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>ulw</extension>
+ <mime-type>audio/basic</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>ustar</extension>
+ <mime-type>application/x-ustar</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>vxml</extension>
+ <mime-type>application/voicexml+xml</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>xbm</extension>
+ <mime-type>image/x-xbitmap</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>xht</extension>
+ <mime-type>application/xhtml+xml</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>xhtml</extension>
+ <mime-type>application/xhtml+xml</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>xml</extension>
+ <mime-type>application/xml</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>xpm</extension>
+ <mime-type>image/x-xpixmap</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>xsl</extension>
+ <mime-type>application/xml</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>xslt</extension>
+ <mime-type>application/xslt+xml</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>xul</extension>
+ <mime-type>application/vnd.mozilla.xul+xml</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>xwd</extension>
+ <mime-type>image/x-xwindowdump</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>wav</extension>
+ <mime-type>audio/x-wav</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>svg</extension>
+ <mime-type>image/svg</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>svgz</extension>
+ <mime-type>image/svg</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>vsd</extension>
+ <mime-type>application/x-visio</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <!-- Wireless Bitmap -->
+ <extension>wbmp</extension>
+ <mime-type>image/vnd.wap.wbmp</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <!-- WML Source -->
+ <extension>wml</extension>
+ <mime-type>text/vnd.wap.wml</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <!-- Compiled WML -->
+ <extension>wmlc</extension>
+ <mime-type>application/vnd.wap.wmlc</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <!-- WML Script Source -->
+ <extension>wmls</extension>
+ <mime-type>text/vnd.wap.wmlscript</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <!-- Compiled WML Script -->
+ <extension>wmlscriptc</extension>
+ <mime-type>application/vnd.wap.wmlscriptc</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>wrl</extension>
+ <mime-type>x-world/x-vrml</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>Z</extension>
+ <mime-type>application/x-compress</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>z</extension>
+ <mime-type>application/x-compress</mime-type>
+ </mime-mapping>
+ <mime-mapping>
+ <extension>zip</extension>
+ <mime-type>application/zip</mime-type>
+ </mime-mapping>
+
+
+ <!-- ==================== Default Welcome File List ===================== -->
+ <!-- When a request URI refers to a directory, the default servlet looks -->
+ <!-- for a "welcome file" within that directory and, if present, -->
+ <!-- to the corresponding resource URI for display. If no welcome file -->
+ <!-- is present, the default servlet either serves a directory listing, -->
+ <!-- or returns a 404 status, depending on how it is configured. -->
+ <!-- -->
+ <!-- If you define welcome files in your own application's web.xml -->
+ <!-- deployment descriptor, that list *replaces* the list configured -->
+ <!-- here, so be sure that you include any of the default values that -->
+ <!-- you wish to include. -->
+
+ <welcome-file-list>
+ <welcome-file>index.html</welcome-file>
+ <welcome-file>index.htm</welcome-file>
+ <welcome-file>index.jsp</welcome-file>
+ </welcome-file-list>
+
+</web-app>
diff --git a/pki/base/ca/shared/conf/workers.properties b/pki/base/ca/shared/conf/workers.properties
new file mode 100644
index 000000000..50d88557f
--- /dev/null
+++ b/pki/base/ca/shared/conf/workers.properties
@@ -0,0 +1,206 @@
+# workers.properties -
+#
+# This file provides jk derived plugins with the needed information to
+# connect to the different tomcat workers. Note that the distributed
+# version of this file requires modification before it is usable by a
+# plugin.
+#
+# As a general note, the characters $( and ) are used internally to define
+# macros. Do not use them in your own configuration!!!
+#
+# Whenever you see a set of lines such as:
+# x=value
+# y=$(x)\something
+#
+# the final value for y will be value\something
+#
+# Normaly all you will need to do is un-comment and modify the first three
+# properties, i.e. workers.tomcat_home, workers.java_home and ps.
+# Most of the configuration is derived from these.
+#
+# When you are done updating workers.tomcat_home, workers.java_home and ps
+# you should have 3 workers configured:
+#
+# - An ajp12 worker that connects to localhost:8007
+# - An ajp13 worker that connects to localhost:8009
+# - A jni inprocess worker.
+# - A load balancer worker
+#
+# However by default the plugins will only use the ajp12 worker. To have
+# the plugins use other workers you should modify the worker.list property.
+#
+#
+
+# OPTIONS ( very important for jni mode )
+
+#
+# workers.tomcat_home should point to the location where you
+# installed tomcat. This is where you have your conf, webapps and lib
+# directories.
+#
+workers.tomcat_home=/var/tomcat3
+
+#
+# workers.java_home should point to your Java installation. Normally
+# you should have a bin and lib directories beneath it.
+#
+workers.java_home=/opt/IBMJava2-13
+
+#
+# You should configure your environment slash... ps=\ on NT and / on UNIX
+# and maybe something different elsewhere.
+#
+ps=/
+
+#
+#------ ADVANCED MODE ------------------------------------------------
+#---------------------------------------------------------------------
+#
+
+#
+#------ DEFAULT worket list ------------------------------------------
+#---------------------------------------------------------------------
+#
+#
+# The workers that your plugins should create and work with
+#
+# Add 'inprocess' if you want JNI connector
+worker.list=ajp12, ajp13
+# , inprocess
+
+
+#
+#------ DEFAULT ajp12 WORKER DEFINITION ------------------------------
+#---------------------------------------------------------------------
+#
+
+#
+# Defining a worker named ajp12 and of type ajp12
+# Note that the name and the type do not have to match.
+#
+worker.ajp12.port=8007
+worker.ajp12.host=localhost
+worker.ajp12.type=ajp12
+#
+# Specifies the load balance factor when used with
+# a load balancing worker.
+# Note:
+# ----> lbfactor must be > 0
+# ----> Low lbfactor means less work done by the worker.
+worker.ajp12.lbfactor=1
+
+#
+#------ DEFAULT ajp13 WORKER DEFINITION ------------------------------
+#---------------------------------------------------------------------
+#
+
+#
+# Defining a worker named ajp13 and of type ajp13
+# Note that the name and the type do not have to match.
+#
+worker.ajp13.port=8009
+worker.ajp13.host=localhost
+worker.ajp13.type=ajp13
+#
+# Specifies the load balance factor when used with
+# a load balancing worker.
+# Note:
+# ----> lbfactor must be > 0
+# ----> Low lbfactor means less work done by the worker.
+worker.ajp13.lbfactor=1
+
+#
+# Specify the size of the open connection cache.
+#worker.ajp13.cachesize
+
+#
+#------ DEFAULT LOAD BALANCER WORKER DEFINITION ----------------------
+#---------------------------------------------------------------------
+#
+
+#
+# The loadbalancer (type lb) workers perform wighted round-robin
+# load balancing with sticky sessions.
+# Note:
+# ----> If a worker dies, the load balancer will check its state
+# once in a while. Until then all work is redirected to peer
+# workers.
+worker.loadbalancer.type=lb
+worker.loadbalancer.balanced_workers=ajp12, ajp13
+
+
+#
+#------ DEFAULT JNI WORKER DEFINITION---------------------------------
+#---------------------------------------------------------------------
+#
+
+#
+# Defining a worker named inprocess and of type jni
+# Note that the name and the type do not have to match.
+#
+worker.inprocess.type=jni
+
+#
+#------ CLASSPATH DEFINITION -----------------------------------------
+#---------------------------------------------------------------------
+#
+
+#
+# Additional class path components.
+#
+worker.inprocess.class_path=$(workers.tomcat_home)$(ps)lib$(ps)tomcat.jar
+
+#
+# Setting the command line for tomcat.
+# Note: The cmd_line string may not contain spaces.
+#
+worker.inprocess.cmd_line=start
+
+# Not needed, but can be customized.
+#worker.inprocess.cmd_line=-config
+#worker.inprocess.cmd_line=$(workers.tomcat_home)$(ps)conf$(ps)server.xml
+#worker.inprocess.cmd_line=-home
+#worker.inprocess.cmd_line=$(workers.tomcat_home)
+
+#
+# The JVM that we are about to use
+#
+# This is for Java2
+#
+# Windows
+worker.inprocess.jvm_lib=$(workers.java_home)$(ps)jre$(ps)bin$(ps)classic$(ps)jvm.dll
+# IBM JDK1.3
+#worker.inprocess.jvm_lib=$(workers.java_home)$(ps)jre$(ps)bin$(ps)classic$(ps)libjvm.so
+# Unix - Sun VM or blackdown
+#worker.inprocess.jvm_lib=$(workers.java_home)$(ps)jre$(ps)lib$(ps)i386$(ps)classic$(ps)libjvm.so
+
+#
+# And this is for jdk1.1.X
+#
+#worker.inprocess.jvm_lib=$(workers.java_home)$(ps)bin$(ps)javai.dll
+
+
+#
+# Setting the place for the stdout and stderr of tomcat
+#
+worker.inprocess.stdout=$(workers.tomcat_home)$(ps)logs$(ps)inprocess.stdout
+worker.inprocess.stderr=$(workers.tomcat_home)$(ps)logs$(ps)inprocess.stderr
+
+#
+# Setting the tomcat.home Java property
+#
+#worker.inprocess.sysprops=tomcat.home=$(workers.tomcat_home)
+
+#
+# Java system properties
+#
+# worker.inprocess.sysprops=java.compiler=NONE
+# worker.inprocess.sysprops=myprop=mypropvalue
+
+#
+# Additional path components.
+#
+# worker.inprocess.ld_path=d:$(ps)SQLLIB$(ps)bin
+#
+
+
diff --git a/pki/base/ca/shared/conf/workers.properties.minimal b/pki/base/ca/shared/conf/workers.properties.minimal
new file mode 100644
index 000000000..e3b5942c2
--- /dev/null
+++ b/pki/base/ca/shared/conf/workers.properties.minimal
@@ -0,0 +1,17 @@
+# workers.properties.minimal -
+#
+# This file provides minimal jk configuration properties needed to
+# connect to Tomcat.
+#
+# The workers that jk should create and work with
+#
+worker.list=ajp13w
+
+
+#
+# Defining a worker named ajp13w and of type ajp13
+# Note that the name and the type do not have to match.
+#
+worker.ajp13w.type=ajp13
+worker.ajp13w.host=localhost
+worker.ajp13w.port=8009
diff --git a/pki/base/ca/shared/conf/workers2.properties b/pki/base/ca/shared/conf/workers2.properties
new file mode 100644
index 000000000..778118ff2
--- /dev/null
+++ b/pki/base/ca/shared/conf/workers2.properties
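Review bot: The inprocess (JNI) worker block is left fully configured with a Windows library path, `worker.inprocess.jvm_lib=$(workers.java_home)$(ps)jre$(ps)bin$(ps)classic$(ps)jvm.dll`, while the Unix alternatives are commented out, and the derived paths `workers.tomcat_home=/var/tomcat3` and `workers.java_home=/opt/IBMJava2-13` do not match anything else in this tree. None of this is reached as long as `worker.list=ajp12, ajp13` omits `inprocess`, so the effect today is only confusion for whoever next edits the file. I would either comment the `worker.inprocess.*` lines out as well or put a short header at the top stating that this is the stock mod_jk template and that only the ajp12/ajp13 workers are meant to be used with this CA instance, e.g. `# Stock mod_jk template; only the ajp12/ajp13 workers below are used by this instance, the jni/inprocess section is inert unless added to worker.list`.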
@@ -0,0 +1,132 @@
+[logger]
+level=DEBUG
+
+[config:]
+file=${serverRoot}/conf/workers2.properties
+debug=0
+debugEnv=0
+
+[uriMap:]
+info=Maps the requests. Options: debug
+debug=0
+
+# Alternate file logger
+#[logger.file:0]
+#level=DEBUG
+#file=${serverRoot}/logs/jk2.log
+
+[shm:]
+info=Scoreboard. Required for reconfiguration and status with multiprocess servers
+file=${serverRoot}/logs/jk2.shm
+size=1000000
+debug=0
+disabled=0
+
+[workerEnv:]
+info=Global server options
+timing=1
+debug=0
+# Default Native Logger (apache2 or win32 )
+# can be overriden to a file logger, useful
+# when tracing win32 related issues
+#logger=logger.file:0
+
+[lb:lb]
+info=Default load balancer.
+debug=0
+
+[lb:lb_1]
+info=A second load balancer.
+debug=0
+
+[channel.socket:localhost:8009]
+info=Ajp13 forwarding over socket
+debug=0
+tomcatId=localhost:8009
+
+[channel.socket:localhost:8019]
+info=A second tomcat instance.
+debug=0
+tomcatId=localhost:8019
+lb_factor=1
+#group=lb
+group:lb:lb
+#group=lb_1
+group:lb:lb_1
+disabled=0
+
+[channel.un:/opt/33/work/jk2.socket]
+info=A second channel connecting to localhost:8019 via unix socket
+tomcatId=localhost:8019
+lb_factor=1
+debug=0
+
+[channel.jni:jni]
+info=The jni channel, used if tomcat is started inprocess
+
+[status:]
+info=Status worker, displays runtime informations
+
+[vm:]
+info=Parameters used to load a JVM in the server process
+#JVM=C:\jdk\jre\bin\hotspot\jvm.dll
+classpath=${TOMCAT_HOME}/bin/tomcat-jni.jar
+classpath=${TOMCAT_HOME}/server/lib/commons-logging.jar
+OPT=-Dtomcat.home=${TOMCAT_HOME}
+OPT=-Dcatalina.home=${TOMCAT_HOME}
+OPT=-Xmx128M
+#OPT=-Djava.compiler=NONE
+disabled=1
+
+[worker.jni:onStartup]
+info=Command to be executed by the VM on startup. This one will start tomcat.
+class=org/apache/jk/apr/TomcatStarter
+ARG=start
+# For Tomcat 5 use the 'stard' for startup argument
+# ARG=stard
+disabled=1
+stdout=${serverRoot}/logs/stdout.log
+stderr=${serverRoot}/logs/stderr.log
+
+[worker.jni:onShutdown]
+info=Command to be executed by the VM on shutdown. This one will stop tomcat.
+class=org/apache/jk/apr/TomcatStarter
+ARG=stop
+disabled=1
+
+[uri:/jkstatus/*]
+info=Display status information and checks the config file for changes.
+group=status:
+
+[uri:127.0.0.1:8003]
+info=Example virtual host. Make sure myVirtualHost is in /etc/hosts to test it
+alias=myVirtualHost:8003
+
+[uri:127.0.0.1:8003/ex]
+info=Example webapp in the virtual host. It'll go to lb_1 ( i.e. localhost:8019 )
+context=/ex
+group=lb_1
+
+[uri:/examples]
+info=Example webapp in the default context.
+context=/examples
+debug=0
+
+[uri:/examples1/*]
+info=A second webapp, this time going to the second tomcat only.
+group=lb_1
+debug=0
+
+[uri:/examples/servlet/*]
+info=Prefix mapping
+
+[uri:/examples/*.jsp]
+info=Extension mapping
+
+[uri:/examples/*]
+info=Map the whole webapp
+
+[uri:/examples/servlet/HelloW]
+info=Example with debug enabled.
+debug=10
+
diff --git a/pki/base/ca/shared/conf/workers2.properties.minimal b/pki/base/ca/shared/conf/workers2.properties.minimal
new file mode 100644
index 000000000..41a0ba6c1
--- /dev/null
+++ b/pki/base/ca/shared/conf/workers2.properties.minimal
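Review bot: `[uri:/jkstatus/*]` maps the `status:` worker with no access restriction in this file, and its own `info` line says it "checks the config file for changes", so anyone who can reach the front-end web server gets connector runtime details and can trigger a reconfiguration pass. For a CA front end that URI should be dropped from the shipped config or gated at the httpd layer, and a comment next to it should say so, e.g. `# jkstatus exposes connector state and config reload; restrict to admin hosts at the web-server level before enabling`. `[logger] level=DEBUG` at the top is likewise a tracing setting rather than a production default, and the `[uri:127.0.0.1:8003]`, `/ex` and `/examples*` sections look like the stock JK2 sample rather than anything this CA deploys, so I would expect them removed or commented out; this is inferred from the `info` text, not from anything else visible in the diff.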
@@ -0,0 +1,55 @@
+#
+# This is the minimal JK2 connector configuration file.
+#
+
+[logger]
+info=Native logger
+level=ERROR
+
+[config:]
+file=${serverRoot}/conf/workers2.properties
+debug=0
+debugEnv=0
+
+[uriMap:]
+info=Maps the requests.
+debug=0
+
+[shm:]
+info=Scoreboard. Required for reconfiguration and status with multiprocess servers
+file=anonymous
+debug=0
+
+[workerEnv:]
+info=Global server options
+timing=0
+debug=0
+
+[lb:lb]
+info=Default load balancer.
+debug=0
+
+[channel.socket:localhost:8009]
+info=Ajp13 forwarding over socket
+debug=0
+tomcatId=localhost:8009
+
+[uri:/admin]
+info=Tomcat HTML based administration web application.
+debug=0
+
+[uri:/manager]
+info=A scriptable management web application for the Tomcat Web Server.
+debug=0
+
+[uri:/jsp-examples]
+info=JSP 2.0 Examples.
+debug=0
+
+[uri:/servlets-examples]
+info=Servlet 2.4 Examples.
+debug=0
+
+[uri:/*.jsp]
+info=JSP Extension mapping.
+debug=0
diff --git a/pki/base/ca/shared/emails/ExpiredUnpublishJob b/pki/base/ca/shared/emails/ExpiredUnpublishJob
new file mode 100644
index 000000000..902125ee6
--- /dev/null
+++ b/pki/base/ca/shared/emails/ExpiredUnpublishJob
@@ -0,0 +1,6 @@
+ExpiredUnpublishJob $InstanceID summary:
+$SummaryItemList
+Executed at: $ExecutionTime.
+$SummaryTotalSuccess succeeded
+$SummaryTotalFailure failed
+End of summary.
diff --git a/pki/base/ca/shared/emails/ExpiredUnpublishJobItem b/pki/base/ca/shared/emails/ExpiredUnpublishJobItem
new file mode 100644
index 000000000..cb60a2b7d
--- /dev/null
+++ b/pki/base/ca/shared/emails/ExpiredUnpublishJobItem
@@ -0,0 +1,2 @@
+$SubjectDN == status: $TOKEN_STATUS
+
diff --git a/pki/base/ca/shared/emails/certIssued_CA b/pki/base/ca/shared/emails/certIssued_CA
new file mode 100644
index 000000000..3539ceaf3
--- /dev/null
+++ b/pki/base/ca/shared/emails/certIssued_CA
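Review bot: The minimal JK2 config forwards `/admin` and `/manager` — Tomcat's administration and management web applications — plus `/jsp-examples` and `/servlets-examples` straight through the front-end web server, with nothing in this file limiting who can reach them. On a CA instance these contexts are either not deployed, in which case the mappings are dead, or deployed, in which case the management interface is reachable from wherever the front end is; either way the four `[uri:...]` sections should be removed from the shipped file, or each should carry a comment such as `# only forward if the context is actually deployed and protected by its own authentication`. This file is named `.minimal` but `[config:] file=${serverRoot}/conf/workers2.properties` points at the non-minimal name; that is fine if it is installed under that name, but a one-line header saying so would avoid the surprise.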
@@ -0,0 +1,12 @@
+Your certificate request has been processed successfully.
+SubjectDN= $SubjectDN
+IssuerDN= $IssuerDN
+notAfter= $NotAfter
+notBefore= $NotBefore
+Serial Number= 0x$HexSerialNumber
+
+To get your certificate, please follow this URL:
+https://$HttpHost:$HttpPort/displayBySerial?op=displayBySerial&serialNumber=$SerialNumber
+
+Please contact your admin if there is any problem.
+And, of course, this is just a \$SAMPLE\$ email notification form.
diff --git a/pki/base/ca/shared/emails/certIssued_CA.html b/pki/base/ca/shared/emails/certIssued_CA.html
new file mode 100644
index 000000000..36ed04376
--- /dev/null
+++ b/pki/base/ca/shared/emails/certIssued_CA.html
@@ -0,0 +1,17 @@
+<html>
+<body>
+<h2>An automatically generated notification from <i>$InstanceID</i></h2>
+Your certificate request has been processed successfully.
+<p>
+SubjectDN= <b>$SubjectDN</b><br>
+IssuerDN= <b>$IssuerDN</b><br>
+notAfter= <b>$NotAfter</b><br>
+notBefore= <b>$NotBefore</b><br>
+Serial Number= <b>0x$HexSerialNumber</b><p>
+<p>
+To get your certificate, please follow this
+<A HREF="https://$HttpHost:$HttpPort/displayBySerial?op=displayBySerial&serialNumber=$SerialNumber">URL</A>
+
+Please contact your admin if there is any problem.
+</body>
+</html>
diff --git a/pki/base/ca/shared/emails/certIssued_RA b/pki/base/ca/shared/emails/certIssued_RA
new file mode 100644
index 000000000..7bde6875b
--- /dev/null
+++ b/pki/base/ca/shared/emails/certIssued_RA
@@ -0,0 +1,12 @@
+Your certificate request has been processed successfully.
+SubjectDN= $SubjectDN
+IssuerDN= $IssuerDN
+notAfter= $NotAfter
+notBefore= $NotBefore
+Serial Number= 0x$HexSerialNumber
+
+To get your certificate, please follow this URL:
+https://$HttpHost:$HttpPort/displayCertFromRequest?requestId=$RequestId
+
+Please contact your admin if there is any problem.
+And, of course, this is just a \$SAMPLE\$ email notification form.
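Review bot: `$SubjectDN` in certIssued_CA.html is substituted straight into `<b>…</b>` with no HTML escaping, and the subject DN originates from the certificate request rather than from the CA, so unless the notification code escapes substituted values (not visible in this diff) a DN containing markup is rendered as HTML by the recipient's mail client. The same pattern appears in certIssued_RA.html, certRevoked_CA.html, certRevoked_RA.html, euJob1Item.html and publishCertsItem.html, and in reqInQueue_CA.html / reqInQueue_RA.html, where the request-supplied `$RequestorEmail` is additionally delivered to an agent mailbox. Either confirm and document that the substitution layer HTML-escapes every `$…` value, or put a comment such as `<!-- All substituted values must be HTML-escaped by the sender; DN and e-mail fields are user-supplied -->` at the top of each HTML template. Separately, the `&` inside the `HREF` query string should be written `&amp;` in an HTML attribute.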
diff --git a/pki/base/ca/shared/emails/certIssued_RA.html b/pki/base/ca/shared/emails/certIssued_RA.html
new file mode 100644
index 000000000..2d7d2e36e
--- /dev/null
+++ b/pki/base/ca/shared/emails/certIssued_RA.html
@@ -0,0 +1,17 @@
+<html>
+<body>
+<h2>An automatically generated notification from <i>$InstanceID</i></h2>
+Your certificate request has been processed successfully.
+<p>
+SubjectDN= <b>$SubjectDN</b><br>
+IssuerDN= <b>$IssuerDN</b><br>
+notAfter= <b>$NotAfter</b><br>
+notBefore= <b>$NotBefore</b><br>
+Serial Number= <b>0x$HexSerialNumber</b><p>
+<p>
+To get your certificate, please follow this
+<A HREF="https://$HttpHost:$HttpPort/displayCertFromRequest?requestId=$RequestId">URL</A>
+
+Please contact your admin if there is any problem.
+</body>
+</html>
diff --git a/pki/base/ca/shared/emails/certRequestRejected.html b/pki/base/ca/shared/emails/certRequestRejected.html
new file mode 100644
index 000000000..9cfa92d79
--- /dev/null
+++ b/pki/base/ca/shared/emails/certRequestRejected.html
@@ -0,0 +1,10 @@
+<html>
+<body>
+<h2>An automatically generated notification from <i>$InstanceID</i></h2>
+Your certificate request has been <b>rejected</b>.
+<p>
+Request ID = <b>$RequestId</b><br>
+<p>
+Please contact your admin for assistance.
+</body>
+</html>
diff --git a/pki/base/ca/shared/emails/certRevoked_CA b/pki/base/ca/shared/emails/certRevoked_CA
new file mode 100644
index 000000000..3539ceaf3
--- /dev/null
+++ b/pki/base/ca/shared/emails/certRevoked_CA
@@ -0,0 +1,12 @@
+Your certificate request has been processed successfully.
+SubjectDN= $SubjectDN
+IssuerDN= $IssuerDN
+notAfter= $NotAfter
+notBefore= $NotBefore
+Serial Number= 0x$HexSerialNumber
+
+To get your certificate, please follow this URL:
+https://$HttpHost:$HttpPort/displayBySerial?op=displayBySerial&serialNumber=$SerialNumber
+
+Please contact your admin if there is any problem.
+And, of course, this is just a \$SAMPLE\$ email notification form.
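Review bot: certRevoked_CA carries the text of the certificate-issued notification — it opens with `Your certificate request has been processed successfully.`, offers a `displayBySerial` link for fetching the certificate, and its blob id (`3539ceaf3`) is identical to certIssued_CA — so the subscriber of a revocation event would receive an issuance message. certRevoked_RA in the next file section has the same content and the same blob id. The plain-text templates should say what their HTML counterparts say, e.g. `Your certificate revocation request has been processed successfully.` followed by `RevocationDate= $RevocationDate` and the serial number, with the download URL removed.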
diff --git a/pki/base/ca/shared/emails/certRevoked_CA.html b/pki/base/ca/shared/emails/certRevoked_CA.html
new file mode 100644
index 000000000..025a0c94e
--- /dev/null
+++ b/pki/base/ca/shared/emails/certRevoked_CA.html
@@ -0,0 +1,13 @@
+<html>
+<body>
+<h2>An automatically generated notification from <i>$InstanceID</i></h2>
+Your certificate revocation request has been processed successfully.
+<p>
+SubjectDN= <b>$SubjectDN</b><br>
+IssuerDN= <b>$IssuerDN</b><br>
+RevocationDate= <b>$RevocationDate</b><br>
+Serial Number= <b>0x$HexSerialNumber</b><p>
+<p>
+Please contact your admin if there is any problem.
+</body>
+</html>
diff --git a/pki/base/ca/shared/emails/certRevoked_RA b/pki/base/ca/shared/emails/certRevoked_RA
new file mode 100644
index 000000000..3539ceaf3
--- /dev/null
+++ b/pki/base/ca/shared/emails/certRevoked_RA
@@ -0,0 +1,12 @@
+Your certificate request has been processed successfully.
+SubjectDN= $SubjectDN
+IssuerDN= $IssuerDN
+notAfter= $NotAfter
+notBefore= $NotBefore
+Serial Number= 0x$HexSerialNumber
+
+To get your certificate, please follow this URL:
+https://$HttpHost:$HttpPort/displayBySerial?op=displayBySerial&serialNumber=$SerialNumber
+
+Please contact your admin if there is any problem.
+And, of course, this is just a \$SAMPLE\$ email notification form.
diff --git a/pki/base/ca/shared/emails/certRevoked_RA.html b/pki/base/ca/shared/emails/certRevoked_RA.html
new file mode 100644
index 000000000..025a0c94e
--- /dev/null
+++ b/pki/base/ca/shared/emails/certRevoked_RA.html
@@ -0,0 +1,13 @@
+<html>
+<body>
+<h2>An automatically generated notification from <i>$InstanceID</i></h2>
+Your certificate revocation request has been processed successfully.
+<p>
+SubjectDN= <b>$SubjectDN</b><br>
+IssuerDN= <b>$IssuerDN</b><br>
+RevocationDate= <b>$RevocationDate</b><br>
+Serial Number= <b>0x$HexSerialNumber</b><p>
+<p>
+Please contact your admin if there is any problem.
+</body>
+</html>
diff --git a/pki/base/ca/shared/emails/euJob1.html b/pki/base/ca/shared/emails/euJob1.html
new file mode 100644
index 000000000..86bae4a52
--- /dev/null
+++ b/pki/base/ca/shared/emails/euJob1.html
@@ -0,0 +1,29 @@
+<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML//EN">
+<html>
+ <head>
+ <title>Summary for Unpublished Expired Certificates ($InstanceID)</title>
+ </head>
+
+ <body>
+ <h1>Summary for Unpublished Expired Certificates</h1>
+<TABLE BORDER COLS=4 widths="80%" >
+<TR>
+<TD><B>Serial Number</B></TD>
+
+<TD><B>Subject DN</B></TD>
+
+<TD><B>Issuer DN</B></TD>
+
+<TD><B>Expiration date/time</B></TD>
+
+<TD><B>Status</B></TD>
+</TR>
+$SummaryItemList
+</TABLE>
+Executed at: <b>$ExecutionTime</b><p>
+<b>$SummaryTotalSuccess</b> succeeded<p>
+<b>$SummaryTotalFailure</b> failed<p>
+End of summary.
+ <hr>
+ </body>
+</html>
diff --git a/pki/base/ca/shared/emails/euJob1Item.html b/pki/base/ca/shared/emails/euJob1Item.html
new file mode 100644
index 000000000..94732e4c3
--- /dev/null
+++ b/pki/base/ca/shared/emails/euJob1Item.html
@@ -0,0 +1,11 @@
+<TR>
+<TD><B>0x$HexSerialNumber</B></TD>
+
+<TD><B>$SubjectDN</B></TD>
+
+<TD><B>$IssuerDN</B></TD>
+
+<TD><B>$NotAfter</B></TD>
+
+<TD><B>$Status</B></TD>
+</TR>
diff --git a/pki/base/ca/shared/emails/publishCerts.html b/pki/base/ca/shared/emails/publishCerts.html
new file mode 100644
index 000000000..c53f01fb6
--- /dev/null
+++ b/pki/base/ca/shared/emails/publishCerts.html
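Review bot: The summary table in euJob1.html declares `COLS=4` while its header row and the euJob1Item.html row template both emit five cells (serial, subject, issuer, expiration, status); publishCerts.html in the next file section repeats the same mismatch with publishCertsItem.html. `COLS` and `widths` are not standard HTML table attributes in any case, so I would write the opening tag as `<TABLE BORDER WIDTH="80%">` and let the cell count define the columns. The header cells' `<TD><B>…</B></TD>` would also read more clearly as `<TH>…</TH>`.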
@@ -0,0 +1,29 @@
+<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML//EN">
+<html>
+ <head>
+ <title>Summary for Published Certificates ($InstanceID)</title>
+ </head>
+
+ <body>
+ <h1>Summary for Published Certificates</h1>
+<TABLE BORDER COLS=4 widths="80%" >
+<TR>
+<TD><B>Serial Number</B></TD>
+
+<TD><B>Subject DN</B></TD>
+
+<TD><B>Issuer DN</B></TD>
+
+<TD><B>Expiration date/time</B></TD>
+
+<TD><B>Status</B></TD>
+</TR>
+$SummaryItemList
+</TABLE>
+Executed at: <b>$ExecutionTime</b><p>
+<b>$SummaryTotalSuccess</b> succeeded<p>
+<b>$SummaryTotalFailure</b> failed<p>
+End of summary.
+ <hr>
+ </body>
+</html>
diff --git a/pki/base/ca/shared/emails/publishCertsItem.html b/pki/base/ca/shared/emails/publishCertsItem.html
new file mode 100644
index 000000000..94732e4c3
--- /dev/null
+++ b/pki/base/ca/shared/emails/publishCertsItem.html
@@ -0,0 +1,11 @@
+<TR>
+<TD><B>0x$HexSerialNumber</B></TD>
+
+<TD><B>$SubjectDN</B></TD>
+
+<TD><B>$IssuerDN</B></TD>
+
+<TD><B>$NotAfter</B></TD>
+
+<TD><B>$Status</B></TD>
+</TR>
diff --git a/pki/base/ca/shared/emails/reqInQueue_CA b/pki/base/ca/shared/emails/reqInQueue_CA
new file mode 100644
index 000000000..072d6f6a8
--- /dev/null
+++ b/pki/base/ca/shared/emails/reqInQueue_CA
@@ -0,0 +1,5 @@
+Request $RequestId is in queue.
+requestor email is $RequestorEmail.
+cert type is $CertType.
+request type is $RequestType.
+request process url: https://$HttpHost:$HttpPort/ca/processReq?seqNum=$RequestId
diff --git a/pki/base/ca/shared/emails/reqInQueue_CA.html b/pki/base/ca/shared/emails/reqInQueue_CA.html
new file mode 100644
index 000000000..e8791efb6
--- /dev/null
+++ b/pki/base/ca/shared/emails/reqInQueue_CA.html
@@ -0,0 +1,12 @@
+<html>
+<body>
+Request $RequestId is in queue.
+<p>
+requestor email is <b>$RequestorEmail</b>.<p>
+cert type is <b>$CertType</b>.<p>
+request type is <b>$RequestType</b>.<p>
+Click
+<a href="https://$HttpHost:$HttpPort/ca/processReq?seqNum=$RequestId">
+this URL</a> to process request
+</body>
+</html>
diff --git a/pki/base/ca/shared/emails/reqInQueue_RA b/pki/base/ca/shared/emails/reqInQueue_RA
new file mode 100644
index 000000000..41fa62b8a
--- /dev/null
+++ b/pki/base/ca/shared/emails/reqInQueue_RA
@@ -0,0 +1,5 @@
+Request $RequestId is in queue.
+requestor email is $RequestorEmail.
+cert type is $CertType.
+request type is $RequestType.
+request process url: https://$HttpHost:$HttpPort/ra/processReq?seqNum=$RequestId
diff --git a/pki/base/ca/shared/emails/reqInQueue_RA.html b/pki/base/ca/shared/emails/reqInQueue_RA.html
new file mode 100644
index 000000000..1b5bcfaf6
--- /dev/null
+++ b/pki/base/ca/shared/emails/reqInQueue_RA.html
@@ -0,0 +1,12 @@
+<html>
+<body>
+Request $RequestId is in queue.
+<p>
+requestor email is <b>$RequestorEmail</b>.<p>
+cert type is <b>$CertType</b>.<p>
+request type is <b>$RequestType</b>.<p>
+Click
+<a href="https://$HttpHost:$HttpPort/ra/processReq?seqNum=$RequestId">
+this URL</a> to process request
+</body>
+</html>
diff --git a/pki/base/ca/shared/emails/riq1Item.html b/pki/base/ca/shared/emails/riq1Item.html
new file mode 100644
index 000000000..0550ddeaf
--- /dev/null
+++ b/pki/base/ca/shared/emails/riq1Item.html
@@ -0,0 +1,5 @@
+<TR>
+<TD><B>$RequestorEmail</B></TD>
+<TD><B>$CertType</B></TD>
+<TD><B>$RequestType</B></TD>
+</TR>
diff --git a/pki/base/ca/shared/emails/riq1Summary.html b/pki/base/ca/shared/emails/riq1Summary.html
new file mode 100644
index 000000000..cf68bc7df
--- /dev/null
+++ b/pki/base/ca/shared/emails/riq1Summary.html
@@ -0,0 +1,12 @@
+<html>
+ <head>
+ <title>Request in Queue Summary Report from $InstanceID</title>
+ </head>
+
+ <body>
+ <h1>Request in Queue Summary Report from $InstanceID</h1>
+Executed at: <b>$ExecutionTime</b><p>
+Total number of requests in Queue: <b>$SummaryTotalNum</b><p>
+ <hr>
+ </body>
+</html>
diff --git a/pki/base/ca/shared/emails/rnJob1.txt b/pki/base/ca/shared/emails/rnJob1.txt
new file mode 100644
index 000000000..f07250814
--- /dev/null
+++ b/pki/base/ca/shared/emails/rnJob1.txt
@@ -0,0 +1,8 @@
+The following certificate is going to expire (or has expired) on
+ $NotAfter
+Serial number = 0x$HexSerialNumber
+SubjectDN = $SubjectDN
+You can renew this certificate by clicking the "Renewal" button
+at the following URL:
+
+https://$HttpHost:$HttpPort
diff --git a/pki/base/ca/shared/emails/rnJob1Item.txt b/pki/base/ca/shared/emails/rnJob1Item.txt
new file mode 100644
index 000000000..8080c0bde
--- /dev/null
+++ b/pki/base/ca/shared/emails/rnJob1Item.txt
@@ -0,0 +1,8 @@
+Serial number = 0x$HexSerialNumber
+SubjectDN = $SubjectDN
+Validity period = $NotBefore - $NotAfter
+Suggested Renewal http host name = $HttpHost
+Suggested Renewal http port number = $HttpPort
+Renewal notification status = $Status
+-------
+
diff --git a/pki/base/ca/shared/emails/rnJob1Summary.txt b/pki/base/ca/shared/emails/rnJob1Summary.txt
new file mode 100644
index 000000000..65bf98583
--- /dev/null
+++ b/pki/base/ca/shared/emails/rnJob1Summary.txt
@@ -0,0 +1,7 @@
+Automatically generated summary report from $InstanceID
+executed at $ExecutionTime
+========================================================
+
+$SummaryItemList
+$SummaryTotalSuccess succeeded
+$SummaryTotalFailure failed
diff --git a/pki/base/ca/shared/etc/init.d/httpd b/pki/base/ca/shared/etc/init.d/httpd
new file mode 100755
index 000000000..cf8d12d37
--- /dev/null
+++ b/pki/base/ca/shared/etc/init.d/httpd
@@ -0,0 +1,932 @@ +#!/bin/bash +# +# --- BEGIN COPYRIGHT BLOCK --- +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; version 2 of the License. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License along +# with this program; if not, write to the Free Software Foundation, Inc., +# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +# +# Copyright (C) 2007 Red Hat, Inc. +# All rights reserved. +# --- END COPYRIGHT BLOCK ### --- +# +# Startup script for Tomcat 5.0, the Apache Servlet Engine +# +# chkconfig: - 80 20 +# description: Tomcat 5.0 is the Apache Servlet Engine RI +# for Servlet 2.4/JSP 2.0 +# processname: tomcat +# pidfile: /var/run/tomcat5.pid +# config: /etc/tomcat5/tomcat5.conf +# +# Gomez Henri <hgomez@users.sourceforge.net> +# Keith Irwin <keith_irwin@non.hp.com> +# Nicolas Mailhot <nicolas.mailhot@one2team.com> +# +# version 1.02 - Removed initlog support +# version 1.03 - Removed config: +# version 1.04 - tomcat will start before httpd and stop after httpd +# version 1.05 - jdk hardcoded to link /usr/java/jdk and tomcat runs +# as "nobody" +# version 1.06 - split up into script and config file +# version 1.07 - Rework from Nicolas ideas +# version 1.08 - Fix work dir permission at start time, switch to use tomcat4 +# version 1.09 - Fix pidfile and config tags +# version 1.10 - Fallback to su direct use on systems without +# Redhat/Mandrake init.d functions +# version 1.11 - Fix webapps dir permissions +# version 1.12 - remove initial start/stop level for chkconfig (- 80 20) +# version 1.13 - remove chown of logs/work/temp/webapps dir, +# owned by tomcat4 at 
install time +# version 1.14 - correct the start/stop ugly hack by waiting +# all the threads stops +# version 1.15 - ensure we're looking for TOMCAT_USER running catalina +# version 1.16 - Add support for CATALINA_PID env var +# version 1.17 - Remove run files only tomcat started correctl +# in start area, check that tomcat is not allready running +# version 1.18 - Fix kill typo (thanks Kaj J. Niemi) +# version 1.19 - Add jar relinking +# version 1.20 - Check there is no stalling tomcat4.pid +# version 1.20tc5 - Changed all instances of tomcat4 to +# tomcat5 except TOMCAT_USER +# version 1.20tc5rh - Changed TOMCAT_USER from tomcat4 to tomcat +# + +# Disallow 'others' the ability to 'write' to new files +umask 00002 + +# Check to insure that this script's original invocation directory +# has not been deleted! +CWD=`/bin/pwd > /dev/null 2>&1` +if [ $? -ne 0 ] ; then + echo "Cannot invoke '$0' from non-existent directory!" + exit 255 +fi + +# Check to insure that at least one PKI subsystem +# currently resides on this system. +if [ ! -x /usr/bin/pkiarch ] || + [ ! -x /usr/bin/pkiflavor ] || + [ ! -x /usr/bin/pkiname ]; then + echo "This machine is missing all PKI subsystems!" + exit 255 +fi + +# Check to insure that this script's associated PKI +# subsystem currently resides on this system. +PKI_SUBSYSTEM_TYPE=[PKI_SUBSYSTEM_TYPE] +if [ ! -d /usr/share/`pkiflavor`/${PKI_SUBSYSTEM_TYPE} ] ; then + echo "This machine is missing the '${PKI_SUBSYSTEM_TYPE}' subsystem!" + exit 255 +fi + +# Obtain the operating system upon which this script is being executed +OS=`pkiname` + +# This script must be run as root! +RV=0 +if [ ${OS} = "Linux" ] ; then + if [ `id -u` -ne 0 ] ; then + echo "Must be 'root' to execute '$0'!" + exit 1 + fi +elif [ ${OS} = "SunOS" ] ; then + if [ `/usr/xpg4/bin/id -u` -ne 0 ] ; then + echo "Must be 'root' to execute '$0'!" + exit 1 + fi +else + echo "Unsupported OS '${OS}'!" + exit 1 +fi + +# Source function library. 
+if [ -x /etc/init.d/functions ]; then + . /etc/init.d/functions +else + # The checkpid() function is provided for platforms that do not + # contain the "/etc/init.d/functions" file (e. g. - Solaris) . . . + + # Check if $pid (could be plural) are running (keep count) + checkpid() + { + rv=0 + for i in $* ; do + ps -p $i > /dev/null 2>&1 ; + if [ $? -ne 0 ] ; then + rv=`expr $rv + 1` + else + rv=`expr $rv + 0` + fi + done + # echo "rv=$rv" + return $rv + } + + # Create the following directories on platforms + # where they do not exist (e. g. - Solaris) . . . + if [ ! -d /var/lock/subsys ] ; then + mkdir -p /var/lock/subsys + fi + + ####################################################################### + ## NOTE: The following code needs to eventually be moved into the ## + ## template used to create the "/etc/<instance>/tomcat5.conf" ## + ## file! ## + ####################################################################### + + if [ ${OS} = "SunOS" ] ; then + DEFAULT_SOLARIS_JAVA_HOME="/usr/jdk/instances/jdk1.5.0/jre" + DEFAULT_LINUX_JAVA_HOME="/usr/lib/jvm/jre" + DEFAULT_LINUX_JAVA_HOME_PATH=`dirname ${DEFAULT_LINUX_JAVA_HOME}` + + # ensure that the Sun JRE 1.5.0 exists at the default location + if [ -d ${DEFAULT_SOLARIS_JAVA_HOME} ] ; then + # create the directory in which the symlink resides (if necessary) + if [ ! -d ${DEFAULT_LINUX_JAVA_HOME_PATH} ] ; then + mkdir -p ${DEFAULT_LINUX_JAVA_HOME_PATH} + fi + # create the actual symlink (if necessary) + if [ ! -h ${DEFAULT_LINUX_JAVA_HOME} ] ; then + ln -s ${DEFAULT_SOLARIS_JAVA_HOME} ${DEFAULT_LINUX_JAVA_HOME} + fi + else + # for now, simply exit with an appropriate error message + echo -n "The Solaris 1.5.0 JRE must be installed " + echo -n "at \"${DEFAULT_SOLARIS_JAVA_HOME}\"!" + echo + echo + exit 255 + fi + fi +fi + +#Use CATALINA_BASE + +CATALINA_BASE=[PKI_INSTANCE_PATH] +export CATALINA_BASE + +# Get Tomcat config + +TOMCAT_CFG="[PKI_INSTANCE_PATH]/conf/tomcat5.conf" + +[ -r "$TOMCAT_CFG" ] && . 
"${TOMCAT_CFG}" + +# Path to the tomcat launch script (direct don't use wrapper) +TOMCAT_SCRIPT=/usr/bin/dtomcat5-[PKI_INSTANCE_ID] + +# Path to the script that will refresh jar symlinks on startup +if [ ${OS} = "Linux" ] ; then + TOMCAT_RELINK_SCRIPT="/usr/share/tomcat5/bin/relink" +fi + +# Tomcat name :) +TOMCAT_PROG=[PKI_INSTANCE_ID] + +# if TOMCAT_USER is not set, use tomcat5 like Apache HTTP server +if [ -z "$TOMCAT_USER" ]; then + TOMCAT_USER="[PKI_USER]" +fi + +# if TOMCAT_GROUP is not set, use tomcat5 like Apache HTTP server +if [ -z "$TOMCAT_GROUP" ]; then + TOMCAT_GROUP="[PKI_GROUP]" +fi + +# Since the daemon function will sandbox $tomcat +# no environment stuff should be defined here anymore. +# Please use the /etc/tomcat.conf file instead ; it will +# be read by the $tomcat script + +RETVAL=0 + +get_pki_secure_port() +{ + # establish well-known strings + begin_ssl_comment="<!-- DO NOT REMOVE - Begin define PKI secure port -->" + end_ssl_comment="<!-- DO NOT REMOVE - End define PKI secure port -->" + connector_statement="<Connector port=\"" + + # initialize looping variables + ssl_comment_found=0 + + # first check to see that an instance-specific "server.xml" file exists + if [ ! -f [PKI_SERVER_XML_CONF] ] ; then + echo "File '[PKI_SERVER_XML_CONF]' does not exist!" 
+ exit 255 + fi + + # read this instance-specific "server.xml" file line-by-line + # to obtain the current value of the PKI secure port + exec < [PKI_SERVER_XML_CONF] + while read line; do + # first look for the well-known end SSL comment + # (to turn off processing) + if [ "$line" == "$end_ssl_comment" ] ; then + ssl_comment_found=0 + fi + + # then look for the well-known begin SSL comment + # (to turn on processing) + if [ "$line" == "$begin_ssl_comment" ] ; then + ssl_comment_found=1 + fi + + # once the well-known begin SSL comment has been found, + # begin processing to obtain the numeric port information + if [ $ssl_comment_found -eq 1 ] ; then + # look for the next Connector statement + head=`echo $line | cut -b1-17` + if [ "$head" == "$connector_statement" ] ; then + # once the Connector statement has been found, + tail=`echo $line | cut -b18-` + # extract the numeric port information + port=`echo $tail | cut -d\" -f1` + PKI_SECURE_PORT=$port + return 0 + fi + fi + done + + return 255 +} + +# See how we were called. +start() +{ + echo -n "Starting $TOMCAT_PROG: " + + if [ -f /var/lock/subsys/[PKI_INSTANCE_ID] ] ; then + if [ -f /var/run/[PKI_INSTANCE_ID].pid ]; then + read kpid < /var/run/[PKI_INSTANCE_ID].pid + if checkpid $kpid 2>&1; then + echo + echo "process already running" + return -1 + else + echo + echo -n "lock file found but no process " + echo -n "running for pid $kpid, continuing" + echo + echo + fi + fi + fi + + CATALINA_PID=/var/run/[PKI_INSTANCE_ID].pid + export CATALINA_PID + touch $CATALINA_PID + chown $TOMCAT_USER:$TOMCAT_GROUP $CATALINA_PID + [ -x /sbin/restorecon ] && /sbin/restorecon $CATALINA_PID + + # Always initialize CLASSPATH to start looking + # in the local PKI classes directory . . . 
+ CLASSPATH=/usr/share/[PKI_FLAVOR]/classes + + if [ ${OS} = "Linux" ] ; then + $TOMCAT_RELINK_SCRIPT + elif [ ${OS} = "SunOS" ] ; then + # The following definitions are provided for Solaris + # platforms since they are unable to execute the + # "/usr/share/tomcat5/bin/relink", + # "/usr/bin/rebuild-jar-repository", and + # "/usr/share/java-utils/java-functions" files . . . + + ####################################### + ## /var/lib/tomcat5/common/lib: + ####################################### + + # Build the tomcat jar classpath . . . + CLASSPATH="$CLASSPATH":/usr/share/java/ant.jar + CLASSPATH="$CLASSPATH":/usr/share/java/commons-collections.jar + CLASSPATH="$CLASSPATH":/usr/share/java/commons-dbcp.jar + CLASSPATH="$CLASSPATH":/usr/share/java/commons-el.jar + CLASSPATH="$CLASSPATH":/usr/share/java/commons-logging-api.jar + CLASSPATH="$CLASSPATH":/usr/share/java/commons-pool.jar + CLASSPATH="$CLASSPATH":/usr/share/java/geronimo/spec-ejb-2.1.jar + CLASSPATH="$CLASSPATH":/usr/share/java/geronimo/spec-j2ee-1.4.jar + CLASSPATH="$CLASSPATH":/usr/share/java/geronimo/spec-j2ee-connector-1.5.jar + CLASSPATH="$CLASSPATH":/usr/share/java/geronimo/spec-j2ee-deployment-1.1.jar + CLASSPATH="$CLASSPATH":/usr/share/java/geronimo/spec-j2ee-jacc-1.0.jar + CLASSPATH="$CLASSPATH":/usr/share/java/geronimo/spec-j2ee-management-1.0.jar + CLASSPATH="$CLASSPATH":/usr/share/java/geronimo/spec-j2eeschema-1.0.jar + CLASSPATH="$CLASSPATH":/usr/share/java/geronimo/spec-jms-1.1.jar + CLASSPATH="$CLASSPATH":/usr/share/java/geronimo/spec-jsp-2.0.jar + CLASSPATH="$CLASSPATH":/usr/share/java/geronimo/spec-jta-1.0.1B.jar + CLASSPATH="$CLASSPATH":/usr/share/java/geronimo/spec-servlet-2.4.jar + CLASSPATH="$CLASSPATH":/usr/share/java/jaf.jar + CLASSPATH="$CLASSPATH":/usr/share/java/jakarta-commons-collections.jar + CLASSPATH="$CLASSPATH":/usr/share/java/jakarta-commons-modeler.jar + CLASSPATH="$CLASSPATH":/usr/share/java/jasper5-compiler.jar + CLASSPATH="$CLASSPATH":/usr/share/java/jasper5-runtime.jar + 
CLASSPATH="$CLASSPATH":/usr/share/java/javamail/imap.jar + CLASSPATH="$CLASSPATH":/usr/share/java/javamail/mailapi.jar + CLASSPATH="$CLASSPATH":/usr/share/java/javamail/nntp.jar + CLASSPATH="$CLASSPATH":/usr/share/java/javamail/pop3.jar + CLASSPATH="$CLASSPATH":/usr/share/java/javamail/providers.jar + CLASSPATH="$CLASSPATH":/usr/share/java/javamail/smtp.jar + + # BEGIN LINUX-SPECIFIC FILE + # CLASSPATH="$CLASSPATH":/usr/share/java/jdtCompilerAdapter.jar + # CLASSPATH="$CLASSPATH":/usr/share/java/jdtcore.jar + # CLASSPATH="$CLASSPATH":/usr/share/java/jsp.jar + # END LINUX-SPECIFIC FILE + + CLASSPATH="$CLASSPATH":/usr/share/java/mx4j/mx4j.jar + CLASSPATH="$CLASSPATH":/usr/share/java/mx4j/mx4j-impl.jar + CLASSPATH="$CLASSPATH":/usr/share/java/mx4j/mx4j-jmx.jar + CLASSPATH="$CLASSPATH":/usr/share/java/mx4j/mx4j-remote.jar + CLASSPATH="$CLASSPATH":/usr/share/java/mx4j/mx4j-rimpl.jar + CLASSPATH="$CLASSPATH":/usr/share/java/mx4j/mx4j-rjmx.jar + CLASSPATH="$CLASSPATH":/usr/share/java/mx4j/mx4j-tools.jar + + # BEGIN LINUX-SPECIFIC FILE + # CLASSPATH="$CLASSPATH":/usr/share/java/servlet.jar + # END LINUX-SPECIFIC FILE + + CLASSPATH="$CLASSPATH":/usr/share/java/avalon-logkit.jar + CLASSPATH="$CLASSPATH":/usr/share/java/cmsutil.jar + CLASSPATH="$CLASSPATH":/usr/share/java/commons-logging.jar + if [ `pkiarch` = "sparc" ] ; then + CLASSPATH="$CLASSPATH":/usr/lib/java/dirsec/jss4.jar + elif [ `pkiarch` = "sparcv9" ] ; then + CLASSPATH="$CLASSPATH":/usr/lib/`pkiarch`/java/dirsec/jss4.jar + fi + CLASSPATH="$CLASSPATH":/usr/share/java/ldapjdk.jar + CLASSPATH="$CLASSPATH":/var/lib/tomcat5/common/lib/naming-factory.jar + CLASSPATH="$CLASSPATH":/var/lib/tomcat5/common/lib/naming-resources.jar + CLASSPATH="$CLASSPATH":/usr/share/java/`pkiflavor`/nsutil.jar + if [ `pkiarch` = "sparc" ] ; then + CLASSPATH="$CLASSPATH":/usr/lib/java/osutil.jar + elif [ `pkiarch` = "sparcv9" ] ; then + CLASSPATH="$CLASSPATH":/usr/lib/`pkiarch`/java/osutil.jar + fi + 
CLASSPATH="$CLASSPATH":/usr/share/java/rhino.jar + CLASSPATH="$CLASSPATH":/usr/share/java/servletapi5.jar + if [ `pkiarch` = "sparc" ] ; then + CLASSPATH="$CLASSPATH":/usr/lib/java/symkey.jar + elif [ `pkiarch` = "sparcv9" ] ; then + CLASSPATH="$CLASSPATH":/usr/lib/`pkiarch`/java/symkey.jar + fi + CLASSPATH="$CLASSPATH":/usr/share/java/velocity.jar + CLASSPATH="$CLASSPATH":/usr/share/java/xalan-j2.jar + CLASSPATH="$CLASSPATH":/usr/share/java/xerces-j2.jar + + # Relink tomcat jar repositories . . . + cd /var/lib/tomcat5/common/lib + + if [ ! -e /var/lib/tomcat5/common/lib/\[ant\].jar ]; then + ln -s /usr/share/java/ant.jar [ant].jar + fi + if [ ! -e /var/lib/tomcat5/common/lib/\[commons\-collections\].jar ]; then + ln -s /usr/share/java/commons-collections.jar [commons-collections].jar + fi + if [ ! -e /var/lib/tomcat5/common/lib/\[commons\-dbcp\].jar ]; then + ln -s /usr/share/java/commons-dbcp.jar [commons-dbcp].jar + fi + if [ ! -e /var/lib/tomcat5/common/lib/\[commons\-el\].jar ]; then + ln -s /usr/share/java/commons-el.jar [commons-el].jar + fi + if [ ! -e /var/lib/tomcat5/common/lib/\[commons\-logging-api\].jar ]; then + ln -s /usr/share/java/commons-logging-api.jar [commons-logging-api].jar + fi + if [ ! -e /var/lib/tomcat5/common/lib/\[commons\-pool\].jar ]; then + ln -s /usr/share/java/commons-pool.jar [commons-pool].jar + fi + if [ ! -e /var/lib/tomcat5/common/lib/\[geronimo\]spec\-ejb\-2.1\-rc2.jar ]; then + ln -s /usr/share/java/geronimo/spec-ejb-2.1-rc2.jar [geronimo]spec-ejb-2.1-rc2.jar + fi + if [ ! -e /var/lib/tomcat5/common/lib/\[geronimo\]spec\-ejb\-2.1.jar ]; then + ln -s /usr/share/java/geronimo/spec-ejb-2.1.jar [geronimo]spec-ejb-2.1.jar + fi + if [ ! -e /var/lib/tomcat5/common/lib/\[geronimo\]spec\-j2ee\-1.4\-rc2.jar ]; then + ln -s /usr/share/java/geronimo/spec-j2ee-1.4-rc2.jar [geronimo]spec-j2ee-1.4-rc2.jar + fi + if [ ! 
-e /var/lib/tomcat5/common/lib/\[geronimo\]spec\-j2ee\-1.4.jar ]; then + ln -s /usr/share/java/geronimo/spec-j2ee-1.4.jar [geronimo]spec-j2ee-1.4.jar + fi + if [ ! -e /var/lib/tomcat5/common/lib/\[geronimo\]spec\-j2ee\-connector\-1.5\-rc2.jar ]; then + ln -s /usr/share/java/geronimo/spec-j2ee-connector-1.5-rc2.jar [geronimo]spec-j2ee-connector-1.5-rc2.jar + fi + if [ ! -e /var/lib/tomcat5/common/lib/\[geronimo\]spec\-j2ee\-connector\-1.5.jar ]; then + ln -s /usr/share/java/geronimo/spec-j2ee-connector-1.5.jar [geronimo]spec-j2ee-connector-1.5.jar + fi + if [ ! -e /var/lib/tomcat5/common/lib/\[geronimo\]spec\-j2ee\-deployment\-1.1\-rc2.jar ]; then + ln -s /usr/share/java/geronimo/spec-j2ee-deployment-1.1-rc2.jar [geronimo]spec-j2ee-deployment-1.1-rc2.jar + fi + if [ ! -e /var/lib/tomcat5/common/lib/\[geronimo\]spec\-j2ee\-deployment\-1.1.jar ]; then + ln -s /usr/share/java/geronimo/spec-j2ee-deployment-1.1.jar [geronimo]spec-j2ee-deployment-1.1.jar + fi + if [ ! -e /var/lib/tomcat5/common/lib/\[geronimo\]spec\-j2ee\-jacc\-1.0\-rc2.jar ]; then + ln -s /usr/share/java/geronimo/spec-j2ee-jacc-1.0-rc2.jar [geronimo]spec-j2ee-jacc-1.0-rc2.jar + fi + if [ ! -e /var/lib/tomcat5/common/lib/\[geronimo\]spec\-j2ee\-jacc\-1.0.jar ]; then + ln -s /usr/share/java/geronimo/spec-j2ee-jacc-1.0.jar [geronimo]spec-j2ee-jacc-1.0.jar + fi + if [ ! -e /var/lib/tomcat5/common/lib/\[geronimo\]spec\-j2ee\-management\-1.0\-rc2.jar ]; then + ln -s /usr/share/java/geronimo/spec-j2ee-management-1.0-rc2.jar [geronimo]spec-j2ee-management-1.0-rc2.jar + fi + if [ ! -e /var/lib/tomcat5/common/lib/\[geronimo\]spec\-j2ee\-management\-1.0.jar ]; then + ln -s /usr/share/java/geronimo/spec-j2ee-management-1.0.jar [geronimo]spec-j2ee-management-1.0.jar + fi + if [ ! -e /var/lib/tomcat5/common/lib/\[geronimo\]spec\-j2eeschema\-1.0\-M2.jar ]; then + ln -s /usr/share/java/geronimo/spec-j2eeschema-1.0-M2.jar [geronimo]spec-j2eeschema-1.0-M2.jar + fi + if [ ! 
-e /var/lib/tomcat5/common/lib/\[geronimo\]spec\-j2eeschema\-1.0.jar ]; then
+ ln -s /usr/share/java/geronimo/spec-j2eeschema-1.0.jar [geronimo]spec-j2eeschema-1.0.jar
+ fi
+ if [ ! -e /var/lib/tomcat5/common/lib/\[geronimo\]spec\-jms\-1.1\-rc2.jar ]; then
+ ln -s /usr/share/java/geronimo/spec-jms-1.1-rc2.jar [geronimo]spec-jms-1.1-rc2.jar
+ fi
+ if [ ! -e /var/lib/tomcat5/common/lib/\[geronimo\]spec\-jms\-1.1.jar ]; then
+ ln -s /usr/share/java/geronimo/spec-jms-1.1.jar [geronimo]spec-jms-1.1.jar
+ fi
+ if [ ! -e /var/lib/tomcat5/common/lib/\[geronimo\]spec\-jsp\-2.0\-rc2.jar ]; then
+ ln -s /usr/share/java/geronimo/spec-jsp-2.0-rc2.jar [geronimo]spec-jsp-2.0-rc2.jar
+ fi
+ if [ ! -e /var/lib/tomcat5/common/lib/\[geronimo\]spec\-jsp\-2.0.jar ]; then
+ ln -s /usr/share/java/geronimo/spec-jsp-2.0.jar [geronimo]spec-jsp-2.0.jar
+ fi
+ if [ ! -e /var/lib/tomcat5/common/lib/\[geronimo\]spec-jta-1.0.1B-rc2.jar ]; then
+ ln -s /usr/share/java/geronimo/spec-jta-1.0.1B-rc2.jar [geronimo]spec-jta-1.0.1B-rc2.jar
+ fi
+ if [ ! -e /var/lib/tomcat5/common/lib/\[geronimo\]spec\-jta\-1.0.1B.jar ]; then
+ ln -s /usr/share/java/geronimo/spec-jta-1.0.1B.jar [geronimo]spec-jta-1.0.1B.jar
+ fi
+ if [ ! -e /var/lib/tomcat5/common/lib/\[geronimo\]spec\-servlet\-2.4\-rc2.jar ]; then
+ ln -s /usr/share/java/geronimo/spec-servlet-2.4-rc2.jar [geronimo]spec-servlet-2.4-rc2.jar
+ fi
+ if [ ! -e /var/lib/tomcat5/common/lib/\[geronimo\]spec\-servlet\-2.4.jar ]; then
+ ln -s /usr/share/java/geronimo/spec-servlet-2.4.jar [geronimo]spec-servlet-2.4.jar
+ fi
+ if [ ! -e /var/lib/tomcat5/common/lib/\[jaf\].jar ]; then
+ ln -s /usr/share/java/jaf.jar [jaf].jar
+ fi
+
+ ### BEGIN SOLARIS-SPECIFIC LINKS
+ ### if [ ! -e /var/lib/tomcat5/common/lib/\[jakarta\-commons\-collections.jar\] ]; then
+ ### ln -s /usr/share/java/jakarta-commons-collections.jar [jakarta-commons-collections.jar]
+ ### fi
+ ### if [ !
-e /var/lib/tomcat5/common/lib/\[jakarta\-commons\-modeler.jar\] ]; then
+ ### ln -s /usr/share/java/jakarta-commons-modeler.jar [jakarta-commons-modeler.jar]
+ ### fi
+ ### END SOLARIS-SPECIFIC LINKS
+
+ ### if [ ! -e /var/lib/tomcat5/common/lib/\[jasper5\-compiler\].jar ]; then
+ ### ln -s /usr/share/java/jasper5-compiler.jar [jasper5-compiler].jar
+ ### fi
+ ### if [ ! -e /var/lib/tomcat5/common/lib/\[jasper5\-runtime\].jar ]; then
+ ### ln -s /usr/share/java/jasper5-runtime.jar [jasper5-runtime].jar
+ ### fi
+
+ if [ ! -e /var/lib/tomcat5/common/lib/\[javamail\]imap\-1.3.1.jar ]; then
+ ln -s /usr/share/java/javamail/imap-1.3.1.jar [javamail]imap-1.3.1.jar
+ fi
+ if [ ! -e /var/lib/tomcat5/common/lib/\[javamail\]imap.jar ]; then
+ ln -s /usr/share/java/javamail/imap.jar [javamail]imap.jar
+ fi
+ if [ ! -e /var/lib/tomcat5/common/lib/\[javamail\]mailapi\-1.3.1.jar ]; then
+ ln -s /usr/share/java/javamail/mailapi-1.3.1.jar [javamail]mailapi-1.3.1.jar
+ fi
+ if [ ! -e /var/lib/tomcat5/common/lib/\[javamail\]mailapi.jar ]; then
+ ln -s /usr/share/java/javamail/mailapi.jar [javamail]mailapi.jar
+ fi
+ if [ ! -e /var/lib/tomcat5/common/lib/\[javamail\]nntp\-1.3.1.jar ]; then
+ ln -s /usr/share/java/javamail/nntp-1.3.1.jar [javamail]nntp-1.3.1.jar
+ fi
+ if [ ! -e /var/lib/tomcat5/common/lib/\[javamail\]nntp.jar ]; then
+ ln -s /usr/share/java/javamail/nntp.jar [javamail]nntp.jar
+ fi
+ if [ ! -e /var/lib/tomcat5/common/lib/\[javamail\]pop3\-1.3.1.jar ]; then
+ ln -s /usr/share/java/javamail/pop3-1.3.1.jar [javamail]pop3-1.3.1.jar
+ fi
+ if [ ! -e /var/lib/tomcat5/common/lib/\[javamail\]pop3.jar ]; then
+ ln -s /usr/share/java/javamail/pop3.jar [javamail]pop3.jar
+ fi
+ if [ ! -e /var/lib/tomcat5/common/lib/\[javamail\]providers\-1.3.1.jar ]; then
+ ln -s /usr/share/java/javamail/providers-1.3.1.jar [javamail]providers-1.3.1.jar
+ fi
+ if [ !
-e /var/lib/tomcat5/common/lib/\[javamail\]providers.jar ]; then
+ ln -s /usr/share/java/javamail/providers.jar [javamail]providers.jar
+ fi
+ if [ ! -e /var/lib/tomcat5/common/lib/\[javamail\]smtp\-1.3.1.jar ]; then
+ ln -s /usr/share/java/javamail/smtp-1.3.1.jar [javamail]smtp-1.3.1.jar
+ fi
+ if [ ! -e /var/lib/tomcat5/common/lib/\[javamail\]smtp.jar ]; then
+ ln -s /usr/share/java/javamail/smtp.jar [javamail]smtp.jar
+ fi
+
+ ### BEGIN LINUX-SPECIFIC LINKS
+ ### if [ ! -e /var/lib/tomcat5/common/lib/\[jdtCompilerAdapter\].jar ]; then
+ ### ln -s /usr/share/java/jdtCompilerAdapter.jar [jdtCompilerAdapter].jar
+ ### fi
+ ### if [ ! -e /var/lib/tomcat5/common/lib/\[jdtcore\].jar ]; then
+ ### ln -s /usr/share/java/jdtcore.jar [jdtcore].jar
+ ### fi
+ ### if [ ! -e /var/lib/tomcat5/common/lib/\[jsp\].jar ]; then
+ ### ln -s /usr/share/java/jsp.jar [jsp].jar
+ ### fi
+ ### END LINUX-SPECIFIC LINKS
+
+ if [ ! -e /var/lib/tomcat5/common/lib/\[mx4j\]\[mx4j\].jar ]; then
+ ln -s /usr/share/java/mx4j/mx4j.jar [mx4j][mx4j].jar
+ fi
+
+ ### BEGIN LINUX-SPECIFIC LINKS
+ ### if [ ! -e /var/lib/tomcat5/common/lib/\[servlet\].jar ]; then
+ ### ln -s /usr/share/java/servlet.jar [servlet].jar
+ ### fi
+ ### END LINUX-SPECIFIC LINKS
+
+ ### BEGIN LINUX-SPECIFIC FILE BUT SOLARIS-SPECIFIC LINK
+ if [ ! -e /var/lib/tomcat5/common/lib/avalon\-logkit.jar ]; then
+ ln -s /usr/share/java/avalon-logkit.jar avalon-logkit.jar
+ fi
+ ### END LINUX-SPECIFIC FILE BUT SOLARIS-SPECIFIC LINK
+
+ ### if [ ! -e /var/lib/tomcat5/common/lib/cmsutil.jar ]; then
+ ### ln -s /usr/share/java/rphki/cmsutil.jar cmsutil.jar
+ ### fi
+
+ ### BEGIN LINUX-SPECIFIC FILE BUT SOLARIS-SPECIFIC LINK
+ if [ ! -e /var/lib/tomcat5/common/lib/commons\-logging.jar ]; then
+ ln -s /usr/share/java/commons-logging.jar commons-logging.jar
+ fi
+ ### END LINUX-SPECIFIC FILE BUT SOLARIS-SPECIFIC LINK
+
+ ### if [ !
-e /var/lib/tomcat5/common/lib/jss4.jar ]; then
+ ### if [ `pkiarch` = "sparc" ] ; then
+ ### ln -s /usr/lib/java/dirsec/jss4.jar jss4.jar
+ ### elif [ `pkiarch` = "sparcv9" ] ; then
+ ### ln -s /usr/lib/`pkiarch`/java/dirsec/jss4.jar jss4.jar
+ ### fi
+ ### fi
+ ### if [ ! -e /var/lib/tomcat5/common/lib/ldapjdk.jar ]; then
+ ### ln -s /usr/share/java/ldapjdk.jar ldapjdk.jar
+ ### fi
+
+ ### naming-factory.jar
+ ### naming-resources.jar
+
+ ### if [ ! -e /var/lib/tomcat5/common/lib/nsutil.jar ]; then
+ ### ln -s /usr/share/java/`pkiflavor`/nsutil.jar nsutil.jar
+ ### fi
+ ### if [ ! -e /var/lib/tomcat5/common/lib/osutil.jar ]; then
+ ### if [ `pkiarch` = "sparc" ] ; then
+ ### ln -s /usr/lib/java/osutil.jar osutil.jar
+ ### elif [ `pkiarch` = "sparcv9" ] ; then
+ ### ln -s /usr/lib/`pkiarch`/java/osutil.jar osutil.jar
+ ### fi
+ ### fi
+ ### if [ ! -e /var/lib/tomcat5/common/lib/rhino.jar ]; then
+ ### ln -s /usr/share/java/rhino.jar rhino.jar
+ ### fi
+
+ ### BEGIN SOLARIS-SPECIFIC LINKS
+ ### if [ ! -e /var/lib/tomcat5/common/lib/\[servletapi5.jar\] ]; then
+ ### ln -s /usr/share/java/servletapi5.jar [servletapi5.jar]
+ ### fi
+ ### END SOLARIS-SPECIFIC LINKS
+
+ ### if [ ! -e /var/lib/tomcat5/common/lib/symkey.jar ]; then
+ ### if [ `pkiarch` = "sparc" ] ; then
+ ### ln -s /usr/lib/java/symkey.jar symkey.jar
+ ### elif [ `pkiarch` = "sparcv9" ] ; then
+ ### ln -s /usr/lib/`pkiarch`/java/symkey.jar symkey.jar
+ ### fi
+ ### fi
+ ### if [ ! -e /var/lib/tomcat5/common/lib/velocity.jar ]; then
+ ### ln -s /usr/share/java/velocity.jar velocity.jar
+ ### fi
+ ### if [ ! -e /var/lib/tomcat5/common/lib/xalan\-j2.jar ]; then
+ ### ln -s /usr/share/java/xalan-j2.jar xalan-j2.jar
+ ### fi
+
+ if [ ! -e /var/lib/tomcat5/common/lib/xerces\-j2\-2.6.2.jar ]; then
+ ln -s /usr/share/java/xerces-j2-2.6.2.jar xerces-j2-2.6.2.jar
+ fi
+
+ ### if [ !
-e /var/lib/tomcat5/common/lib/xerces\-j2.jar ]; then
+ ### ln -s /usr/share/java/xerces-j2.jar xerces-j2.jar
+ ### fi
+
+
+ #######################################
+ ## /var/lib/tomcat5/common/endorsed:
+ #######################################
+
+ # Build the tomcat jar classpath . . .
+ CLASSPATH="$CLASSPATH":/usr/share/java/xml-commons-apis.jar
+
+ # BEGIN LINUX-SPECIFIC FILE
+ # CLASSPATH="$CLASSPATH":/usr/share/java/jaxp_parser_impl.jar
+ # END LINUX-SPECIFIC FILE
+
+
+ # Relink tomcat jar repositories . . .
+ cd /var/lib/tomcat5/common/endorsed
+
+ ### BEGIN LINUX-SPECIFIC LINKS
+ ### if [ ! -e /var/lib/tomcat5/common/endorsed/\[jaxp_parser_impl\].jar ]; then
+ ### ln -s /usr/share/java/jaxp_parser_impl.jar [jaxp_parser_impl].jar
+ ### fi
+ ### END LINUX-SPECIFIC LINKS
+
+ if [ ! -e /var/lib/tomcat5/common/endorsed/\[xml\-commons\-apis\].jar ]; then
+ ln -s /usr/share/java/xml-commons-apis.jar [xml-commons-apis].jar
+ fi
+
+
+ #######################################
+ ## /var/lib/tomcat5/server/lib:
+ #######################################
+
+ # Build the tomcat jar classpath . . .
+ CLASSPATH="$CLASSPATH":/usr/share/java/catalina-ant5.jar
+ CLASSPATH="$CLASSPATH":/usr/share/java/commons-beanutils.jar
+ CLASSPATH="$CLASSPATH":/usr/share/java/commons-digester.jar
+ CLASSPATH="$CLASSPATH":/usr/share/java/commons-el.jar
+ CLASSPATH="$CLASSPATH":/usr/share/java/commons-fileupload.jar
+ CLASSPATH="$CLASSPATH":/usr/share/java/commons-logging.jar
+ CLASSPATH="$CLASSPATH":/usr/share/java/commons-modeler.jar
+
+ # BEGIN LINUX-SPECIFIC FILE
+ # CLASSPATH="$CLASSPATH":/usr/share/java/jdtCompilerAdapter.jar
+ # CLASSPATH="$CLASSPATH":/usr/share/java/jdtcore.jar
+ # END LINUX-SPECIFIC FILE
+
+ CLASSPATH="$CLASSPATH":/usr/share/java/mx4j/mx4j.jar
+ CLASSPATH="$CLASSPATH":/usr/share/java/mx4j/mx4j-impl.jar
+ CLASSPATH="$CLASSPATH":/usr/share/java/mx4j/mx4j-jmx.jar
+ CLASSPATH="$CLASSPATH":/usr/share/java/mx4j/mx4j-remote.jar
+ CLASSPATH="$CLASSPATH":/usr/share/java/mx4j/mx4j-rimpl.jar
+ CLASSPATH="$CLASSPATH":/usr/share/java/mx4j/mx4j-rjmx.jar
+ CLASSPATH="$CLASSPATH":/usr/share/java/mx4j/mx4j-tools.jar
+ CLASSPATH="$CLASSPATH":/usr/share/java/regexp.jar
+ CLASSPATH="$CLASSPATH":/var/lib/tomcat5/server/lib/catalina-cluster.jar
+ CLASSPATH="$CLASSPATH":/var/lib/tomcat5/server/lib/catalina-optional.jar
+ CLASSPATH="$CLASSPATH":/var/lib/tomcat5/server/lib/catalina-storeconfig.jar
+ CLASSPATH="$CLASSPATH":/var/lib/tomcat5/server/lib/catalina.jar
+ if [ `pkiarch` = "sparc" ] ; then
+ CLASSPATH="$CLASSPATH":/usr/lib/java/dirsec/jss4.jar
+ elif [ `pkiarch` = "sparcv9" ] ; then
+ CLASSPATH="$CLASSPATH":/usr/lib/`pkiarch`/java/dirsec/jss4.jar
+ fi
+ CLASSPATH="$CLASSPATH":/var/lib/tomcat5/server/lib/servlets-cgi.renametojar
+ CLASSPATH="$CLASSPATH":/var/lib/tomcat5/server/lib/servlets-default.jar
+ CLASSPATH="$CLASSPATH":/var/lib/tomcat5/server/lib/servlets-invoker.jar
+ CLASSPATH="$CLASSPATH":/var/lib/tomcat5/server/lib/servlets-ssi.renametojar
+ CLASSPATH="$CLASSPATH":/var/lib/tomcat5/server/lib/servlets-webdav.jar
+
CLASSPATH="$CLASSPATH":/var/lib/tomcat5/server/lib/tomcat-ajp.jar
+ CLASSPATH="$CLASSPATH":/var/lib/tomcat5/server/lib/tomcat-coyote.jar
+ CLASSPATH="$CLASSPATH":/var/lib/tomcat5/server/lib/tomcat-http.jar
+ CLASSPATH="$CLASSPATH":/var/lib/tomcat5/server/lib/tomcat-util.jar
+ CLASSPATH="$CLASSPATH":/usr/share/java/tomcatjss.jar
+
+
+ # Relink tomcat jar repositories . . .
+ cd /var/lib/tomcat5/server/lib
+
+ if [ ! -e /var/lib/tomcat5/server/lib/\[catalina\-ant5\].jar ]; then
+ ln -s /usr/share/java/catalina-ant5.jar [catalina-ant5].jar
+ fi
+ if [ ! -e /var/lib/tomcat5/server/lib/\[commons\-beanutils\].jar ]; then
+ ln -s /usr/share/java/commons-beanutils.jar [commons-beanutils].jar
+ fi
+ if [ ! -e /var/lib/tomcat5/server/lib/\[commons\-digester\].jar ]; then
+ ln -s /usr/share/java/commons-digester.jar [commons-digester].jar
+ fi
+ if [ ! -e /var/lib/tomcat5/server/lib/\[commons\-el\].jar ]; then
+ ln -s /usr/share/java/commons-el.jar [commons-el].jar
+ fi
+ if [ ! -e /var/lib/tomcat5/server/lib/\[commons\-fileupload\].jar ]; then
+ ln -s /usr/share/java/commons-fileupload.jar [commons-fileupload].jar
+ fi
+ if [ ! -e /var/lib/tomcat5/server/lib/\[commons\-logging\].jar ]; then
+ ln -s /usr/share/java/commons-logging.jar [commons-logging].jar
+ fi
+ if [ ! -e /var/lib/tomcat5/server/lib/\[commons\-modeler\].jar ]; then
+ ln -s /usr/share/java/commons-modeler.jar [commons-modeler].jar
+ fi
+
+ ### BEGIN LINUX-SPECIFIC LINKS
+ ### if [ ! -e /var/lib/tomcat5/server/lib/\[jdtCompilerAdapter\].jar ]; then
+ ### ln -s /usr/share/java/jdtCompilerAdapter.jar [jdtCompilerAdapter].jar
+ ### fi
+ ### if [ ! -e /var/lib/tomcat5/server/lib/\[jdtcore\].jar ]; then
+ ### ln -s /usr/share/java/jdtcore.jar [jdtcore].jar
+ ### fi
+ ### END LINUX-SPECIFIC LINKS
+
+ if [ ! -e /var/lib/tomcat5/server/lib/\[mx4j\]\[mx4j\].jar ]; then
+ ln -s /usr/share/java/mx4j/mx4j.jar [mx4j][mx4j].jar
+ fi
+ if [ !
-e /var/lib/tomcat5/server/lib/\[regexp\].jar ]; then
+ ln -s /usr/share/java/regexp.jar [regexp].jar
+ fi
+
+ ### catalina-cluster.jar
+ ### catalina-optional.jar
+ ### catalina-storeconfig.jar
+ ### catalina.jar
+ ### if [ ! -e /var/lib/tomcat5/server/lib/jss4.jar ]; then
+ ### if [ `pkiarch` = "sparc" ] ; then
+ ### ln -s /usr/lib/java/dirsec/jss4.jar jss4.jar
+ ### elif [ `pkiarch` = "sparcv9" ] ; then
+ ### ln -s /usr/lib/`pkiarch`/java/dirsec/jss4.jar jss4.jar
+ ### fi
+ ### fi
+ ### servlets-cgi.renametojar
+ ### servlets-default.jar
+ ### servlets-invoker.jar
+ ### servlets-ssi.renametojar
+ ### servlets-webdav.jar
+ ### tomcat-ajp.jar
+ ### tomcat-coyote.jar
+ ### tomcat-http.jar
+ ### tomcat-util.jar
+ ### if [ ! -e /var/lib/tomcat5/server/lib/tomcatjss.jar ]; then
+ ### ln -s /usr/share/java/tomcatjss.jar tomcatjss.jar
+ ### fi
+
+
+ #######################################
+ ## /var/lib/tomcat5/shared/lib:
+ #######################################
+
+ # Build the tomcat jar classpath . . .
+
+ export CLASSPATH
+
+
+ # Relink tomcat jar repositories . . .
+ cd /var/lib/tomcat5/shared/lib
+ fi
+
+ # daemon --user $TOMCAT_USER $TOMCAT_SCRIPT start
+ if [ ${OS} = "SunOS" ] ; then
+ su $TOMCAT_USER -c "$TOMCAT_SCRIPT start" > /dev/null
+ else
+ su -s /bin/bash $TOMCAT_USER -c "$TOMCAT_SCRIPT start" > /dev/null
+ fi
+
+ RETVAL=$?
+ [ $RETVAL = 0 ] && touch /var/lock/subsys/[PKI_INSTANCE_ID]
+
+ if [ $RETVAL = 0 ] ; then
+ count=0;
+
+ let swait=$STARTUP_WAIT
+ while [ ! -s /var/run/[PKI_INSTANCE_ID].pid ] &&
+ [ $count -lt $swait ]
+ do
+ echo -n "."
+ sleep 1
+ let count=$count+1;
+ done
+
+ if [ -x /etc/init.d/functions ]; then
+ if [ "$CONSOLETYPE" = "serial" ]; then
+ echo -n " "
+ fi
+ echo_success > /etc/rhgb/temp/rhgb-console
+ cat /etc/rhgb/temp/rhgb-console
+ echo
+ else
+ echo " [ OK ]"
+ fi
+
+ get_pki_secure_port
+ if [ $?
-ne 0 ] ; then
+ PKI_SECURE_PORT="<Port Undefined>"
+ fi
+
+ echo
+ echo -n "PKI service(s) are available at "
+ echo -n "https://[PKI_MACHINE_NAME]:$PKI_SECURE_PORT"
+ echo
+ echo
+ else
+ if [ -x /etc/init.d/functions ]; then
+ if [ "$CONSOLETYPE" = "serial" ]; then
+ echo -n " "
+ fi
+ echo_failure > /etc/rhgb/temp/rhgb-console
+ cat /etc/rhgb/temp/rhgb-console
+ echo
+ else
+ echo " [ FAILED ]"
+ fi
+ fi
+
+ sleep 5
+ return $RETVAL
+}
+
+stop()
+{
+ echo -n "Stopping $TOMCAT_PROG: "
+
+ if [ -f /var/lock/subsys/[PKI_INSTANCE_ID] ] ; then
+ CATALINA_PID=/var/run/[PKI_INSTANCE_ID].pid
+ export CATALINA_PID
+
+ # daemon --user $TOMCAT_USER $TOMCAT_SCRIPT stop
+ if [ ${OS} = "SunOS" ] ; then
+ su $TOMCAT_USER -c "$TOMCAT_SCRIPT stop" > /dev/null
+ else
+ su -s /bin/bash $TOMCAT_USER -c "$TOMCAT_SCRIPT stop" > /dev/null
+ fi
+
+ RETVAL=$?
+
+ if [ $RETVAL = 0 ]; then
+ count=0;
+
+ if [ -f /var/run/[PKI_INSTANCE_ID].pid ]; then
+ read kpid < /var/run/[PKI_INSTANCE_ID].pid
+ let kwait=$SHUTDOWN_WAIT
+
+ until [ `ps -p $kpid | grep -c $kpid` = '0' ] ||
+ [ $count -gt $kwait ]
+ do
+ echo -n "."
+ sleep 1
+ let count=$count+1;
+ done
+
+ if [ $count -gt $kwait ]; then
+ kill -9 $kpid
+ fi
+ fi
+
+ rm -f /var/lock/subsys/[PKI_INSTANCE_ID]
+ rm -f /var/run/[PKI_INSTANCE_ID].pid
+
+ if [ -x /etc/init.d/functions ]; then
+ if [ "$CONSOLETYPE" = "serial" ]; then
+ echo -n " "
+ fi
+ echo_success > /etc/rhgb/temp/rhgb-console
+ cat /etc/rhgb/temp/rhgb-console
+ echo
+ else
+ echo " [ OK ]"
+ fi
+ else
+ if [ -x /etc/init.d/functions ]; then
+ if [ "$CONSOLETYPE" = "serial" ]; then
+ echo -n " "
+ fi
+ echo_failure > /etc/rhgb/temp/rhgb-console
+ cat /etc/rhgb/temp/rhgb-console
+ echo
+ else
+ echo " [ FAILED ]"
+ fi
+ fi
+ else
+ echo
+ echo "process already stopped"
+ fi
+}
+
+# See how we were called.
+case "$1" in
+ start)
+ start
+ ;;
+ stop)
+ stop
+ ;;
+ restart)
+ stop
+ sleep 2
+ start
+ ;;
+ condrestart)
+ if [ -f /var/run/[PKI_INSTANCE_ID].pid ] ; then
+ stop
+ sleep 2
+ start
+ else
+ echo -n "Unable to restart process since "
+ echo -n "'/var/run/[PKI_INSTANCE_ID].pid' does not exist!"
+ echo
+ fi
+ ;;
+ *)
+ echo "Usage: $TOMCAT_PROG {start|stop|restart|condrestart}"
+ exit 1
+esac
+
+exit $RETVAL
+
diff --git a/pki/base/ca/shared/profiles/ca/DomainController.cfg b/pki/base/ca/shared/profiles/ca/DomainController.cfg
new file mode 100644
index 000000000..3a7663046
--- /dev/null
+++ b/pki/base/ca/shared/profiles/ca/DomainController.cfg
@@ -0,0 +1,130 @@
+desc=This profile is for enrolling Domain Controller Certificate
+enable=true
+enableBy=admin
+name=Domain Controller
+visible=true
+auth.instance_id=AgentCertAuth
+input.list=i1,i2,i3
+input.i1.class_id=certReqInputImpl
+input.i2.class_id=submitterInfoInputImpl
+input.i3.class_id=genericInputImpl
+input.i3.params.gi_display_name0=ccm
+input.i3.params.gi_param_enable0=true
+input.i3.params.gi_param_name0=ccm
+input.i3.params.gi_display_name1=GUID
+input.i3.params.gi_param_enable1=true
+input.i3.params.gi_param_name1=GUID
+input.i3.params.gi_num=2
+output.list=o1,o2
+output.o1.class_id=certOutputImpl
+output.o2.class_id=pkcs7OutputImpl
+policyset.list=set1
+policyset.set1.list=p2,p4,p5,subj,p6,p8,p9,p12,eku,gen,crldp
+policyset.set1.subj.constraint.class_id=noConstraintImpl
+policyset.set1.subj.constraint.name=No Constraint
+policyset.set1.subj.default.class_id=nsTokenUserKeySubjectNameDefaultImpl
+policyset.set1.subj.default.name=nsTokenUserKeySubjectNameDefault
+#policyset.set1.p1.default.params.dnpattern=UID=$request.uid$, E=$request.mail$, O=Token Key User
+#policyset.set1.subj.default.params.dnpattern=CN=GEMSTAR,OU=Domain Controllers,DC=test,dc=local
+policyset.set1.subj.default.params.dnpattern=CN=$request.ccm$
+policyset.set1.subj.default.params.ldap.enable=false
+policyset.set1.subj.default.params.ldap.searchName=uid
+policyset.set1.subj.default.params.ldapStringAttributes=uid,mail
+policyset.set1.subj.default.params.ldap.basedn=
+policyset.set1.subj.default.params.ldap.maxConns=4
+policyset.set1.subj.default.params.ldap.minConns=1
+policyset.set1.subj.default.params.ldap.ldapconn.Version=2
+policyset.set1.subj.default.params.ldap.ldapconn.host=
+policyset.set1.subj.default.params.ldap.ldapconn.port=
+policyset.set1.subj.default.params.ldap.ldapconn.secureConn=false
+policyset.set1.p2.constraint.class_id=noConstraintImpl
+policyset.set1.p2.constraint.name=No Constraint
+policyset.set1.p2.default.class_id=validityDefaultImpl
+policyset.set1.p2.default.name=Validity Default
+policyset.set1.p2.default.params.range=1825
+policyset.set1.p2.default.params.startTime=0
+policyset.set1.p4.constraint.class_id=noConstraintImpl
+policyset.set1.p4.constraint.name=No Constraint
+policyset.set1.p4.default.class_id=signingAlgDefaultImpl
+policyset.set1.p4.default.name=Signing Algorithm Default
+policyset.set1.p4.default.params.signingAlg=-
+policyset.set1.p5.constraint.class_id=noConstraintImpl
+policyset.set1.p5.constraint.name=No Constraint
+policyset.set1.p5.default.class_id=keyUsageExtDefaultImpl
+policyset.set1.p5.default.name=Key Usage Extension Default
+policyset.set1.p5.default.params.keyUsageCritical=true
+policyset.set1.p5.default.params.keyUsageCrlSign=false
+policyset.set1.p5.default.params.keyUsageDataEncipherment=false
+policyset.set1.p5.default.params.keyUsageDecipherOnly=false
+policyset.set1.p5.default.params.keyUsageDigitalSignature=true
+policyset.set1.p5.default.params.keyUsageEncipherOnly=false
+policyset.set1.p5.default.params.keyUsageKeyAgreement=false
+policyset.set1.p5.default.params.keyUsageKeyCertSign=false
+policyset.set1.p5.default.params.keyUsageKeyEncipherment=true
+policyset.set1.p5.default.params.keyUsageNonRepudiation=false
+policyset.set1.p6.constraint.class_id=noConstraintImpl
+policyset.set1.p6.constraint.name=No Constraint
+policyset.set1.p6.default.class_id=subjectAltNameExtDefaultImpl
+policyset.set1.p6.default.name=Subject Alternative Name Extension Default
+policyset.set1.p6.default.params.subjAltExtGNEnable_0=true
+policyset.set1.p6.default.params.subjAltExtGNEnable_1=true
+policyset.set1.p6.default.params.subjAltExtPattern_0=$request.ccm$
+policyset.set1.p6.default.params.subjAltExtType_0=DNSName
+policyset.set1.p6.default.params.subjAltExtPattern_1=(Any)1.3.6.1.4.1.311.25.1,0410$request.GUID$
+policyset.set1.p6.default.params.subjAltExtType_1=OtherName
+policyset.set1.p6.default.params.subjAltNameExtCritical=false
+policyset.set1.p6.default.params.subjAltNameNumGNs=2
+policyset.set1.5.constraint.class_id=noConstraintImpl
+policyset.set1.5.constraint.name=No Constraint
+policyset.set1.5.default.class_id=authInfoAccessExtDefaultImpl
+policyset.set1.5.default.name=AIA Extension Default
+policyset.set1.5.default.params.authInfoAccessADEnable_0=true
+policyset.set1.5.default.params.authInfoAccessADLocationType_0=URIName
+policyset.set1.5.default.params.authInfoAccessADLocation_0=http://air.sfbay.redhat.com:9080/ca/ee/ca/getCRL?crlIssuingPoint=MasterCRL&op=getCRL&crlDisplayType=cachedCRL&submit=Submit
+policyset.set1.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.2
+policyset.set1.5.default.params.authInfoAccessCritical=false
+policyset.set1.5.default.params.authInfoAccessNumADs=1
+policyset.set1.eku.constraint.class_id=noConstraintImpl
+policyset.set1.eku.constraint.name=No Constraint
+policyset.set1.eku.default.class_id=extendedKeyUsageExtDefaultImpl
+policyset.set1.eku.default.name=Extended Key Usage Extension Default
+policyset.set1.eku.default.params.exKeyUsageCritical=false
+policyset.set1.eku.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2
+policyset.set1.p8.constraint.class_id=noConstraintImpl
+policyset.set1.p8.constraint.name=No Constraint
+policyset.set1.p8.default.class_id=subjectKeyIdentifierExtDefaultImpl
+policyset.set1.p8.default.name=Subject Key Identifier Default
+policyset.set1.p9.constraint.class_id=noConstraintImpl
+policyset.set1.p9.constraint.name=No Constraint
+policyset.set1.p9.default.class_id=authorityKeyIdentifierExtDefaultImpl
+policyset.set1.p9.default.name=Authority Key Identifier Extension Default
+policyset.set1.p12.constraint.class_id=basicConstraintsExtConstraintImpl
+policyset.set1.p12.constraint.name=Basic Constraints Extension Constraint
+policyset.set1.p12.constraint.params.basicConstraintsCritical=-
+policyset.set1.p12.constraint.params.basicConstraintsIsCA=-
+policyset.set1.p12.constraint.params.basicConstraintsMaxPathLen=-1
+policyset.set1.p12.constraint.params.basicConstraintsMinPathLen=-1
+policyset.set1.p12.default.class_id=basicConstraintsExtDefaultImpl
+policyset.set1.p12.default.name=Basic Constraints Extension Default
+policyset.set1.p12.default.params.basicConstraintsCritical=false
+policyset.set1.p12.default.params.basicConstraintsIsCA=false
+policyset.set1.p12.default.params.basicConstraintsPathLen=-1
+policyset.set1.crldp.constraint.class_id=noConstraintImpl
+policyset.set1.crldp.constraint.name=No Constraint
+policyset.set1.crldp.default.class_id=crlDistributionPointsExtDefaultImpl
+policyset.set1.crldp.default.name=crlDistributionPointsExtDefaultImpl
+policyset.set1.crldp.default.params.crlDistPointsCritical=false
+policyset.set1.crldp.default.params.crlDistPointsNum=1
+policyset.set1.crldp.default.params.crlDistPointsEnable_0=true
+policyset.set1.crldp.default.params.crlDistPointsIssuerName_0=
+policyset.set1.crldp.default.params.crlDistPointsIssuerType_0=
+policyset.set1.crldp.default.params.crlDistPointsPointName_0=http://air.sfbay.redhat.com:9080/ca/ee/ca/getCRL?crlIssuingPoint=MasterCRL&op=getCRL&crlDisplayType=cachedCRL&submit=Submit
+policyset.set1.crldp.default.params.crlDistPointsPointType_0=URIName
+policyset.set1.crldp.default.params.crlDistPointsReasons_0=
+policyset.set1.gen.constraint.class_id=noConstraintImpl
+policyset.set1.gen.constraint.name=No Constraint
+policyset.set1.gen.default.class_id=genericExtDefaultImpl
+policyset.set1.gen.default.name=Generic Extension
+#This is the Microsoft 'Certificate Template Name' Extensions. The Value is 'DomainController'
+policyset.set1.gen.default.params.genericExtOID=1.3.6.1.4.1.311.20.2
+policyset.set1.gen.default.params.genericExtData=1e200044006f006d00610069006e0043006f006e00740072006f006c006c00650072
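Review bot: The `policyset.set1.5.*` AIA entries in the middle of this hunk are never applied, because `5` is absent from `policyset.set1.list=p2,p4,p5,subj,p6,p8,p9,p12,eku,gen,crldp`, and as written they pair a getCRL URL with access method `1.3.6.1.5.5.7.48.2` (id-ad-caIssuers), so relying parties would be handed a CRL where they expect an issuer certificate if the block were ever enabled; either remove it or list it with a matching location and method. The same development host `http://air.sfbay.redhat.com:9080/...` is also hard-coded in `crlDistPointsPointName_0`, so every certificate issued from this shipped profile would carry a CRL pointer to a machine relying parties cannot reach; leave it empty, as the sibling profiles in this commit do for `authInfoAccessADLocation_0=`, or make it an installation-time substitution. Note too that the subject CN and both SAN entries are taken verbatim from the `ccm` and `GUID` request inputs under `noConstraintImpl`, so agent approval is the only check on which DNS name ends up in a certificate carrying the serverAuth/clientAuth EKUs; that expectation deserves a comment at the top of the profile, e.g. `# No constraint is enforced on CN/SAN; agent review is the sole control on the DNS name issued.`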
diff --git a/pki/base/ca/shared/profiles/ca/caAdminCert.cfg b/pki/base/ca/shared/profiles/ca/caAdminCert.cfg
new file mode 100644
index 000000000..db15fe83f
--- /dev/null
+++ b/pki/base/ca/shared/profiles/ca/caAdminCert.cfg
@@ -0,0 +1,88 @@
+desc=This certificate profile is for enrolling Security Domain administrator's certificates with LDAP authentication against the internal LDAP database.
+visible=false
+enable=true
+enableBy=admin
+auth.instance_id=TokenAuth
+authz.acl=group="Enterprise OCSP Administrators" || group="Enterprise RA Administrators" || group="Enterprise CA Administrators" || group="Enterprise KRA Administrators" || group="Enterprise TKS Administrators" || group="Enterprise TPS Administrators"
+name=Security Domain Administrator Certificate Enrollment
+input.list=i1,i2,i3
+input.i1.class_id=certReqInputImpl
+input.i2.class_id=submitterInfoInputImpl
+input.i3.class_id=subjectDNInputImpl
+output.list=o1
+output.o1.class_id=certOutputImpl
+policyset.list=adminCertSet
+policyset.adminCertSet.list=1,2,3,4,5,6,7,8
+policyset.adminCertSet.1.constraint.class_id=subjectNameConstraintImpl
+policyset.adminCertSet.1.constraint.name=Subject Name Constraint
+policyset.adminCertSet.1.constraint.params.pattern=.*
+policyset.adminCertSet.1.constraint.params.accept=true
+policyset.adminCertSet.1.default.class_id=userSubjectNameDefaultImpl
+policyset.adminCertSet.1.default.name=Subject Name Default
+policyset.adminCertSet.1.default.params.name=
+policyset.adminCertSet.2.constraint.class_id=validityConstraintImpl
+policyset.adminCertSet.2.constraint.name=Validity Constraint
+policyset.adminCertSet.2.constraint.params.range=365
+policyset.adminCertSet.2.constraint.params.notBeforeCheck=false
+policyset.adminCertSet.2.constraint.params.notAfterCheck=false
+policyset.adminCertSet.2.default.class_id=validityDefaultImpl
+policyset.adminCertSet.2.default.name=Validity Default
+policyset.adminCertSet.2.default.params.range=365
+policyset.adminCertSet.2.default.params.startTime=0
+policyset.adminCertSet.3.constraint.class_id=keyConstraintImpl
+policyset.adminCertSet.3.constraint.name=Key Constraint
+policyset.adminCertSet.3.constraint.params.keyType=-
+policyset.adminCertSet.3.constraint.params.keyMinLength=256
+policyset.adminCertSet.3.constraint.params.keyMaxLength=4096
+policyset.adminCertSet.3.default.class_id=userKeyDefaultImpl
+policyset.adminCertSet.3.default.name=Key Default
+policyset.adminCertSet.4.constraint.class_id=noConstraintImpl
+policyset.adminCertSet.4.constraint.name=No Constraint
+policyset.adminCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl
+policyset.adminCertSet.4.default.name=Authority Key Identifier Default
+policyset.adminCertSet.5.constraint.class_id=noConstraintImpl
+policyset.adminCertSet.5.constraint.name=No Constraint
+policyset.adminCertSet.5.default.class_id=authInfoAccessExtDefaultImpl
+policyset.adminCertSet.5.default.name=AIA Extension Default
+policyset.adminCertSet.5.default.params.authInfoAccessADEnable_0=true
+policyset.adminCertSet.5.default.params.authInfoAccessADLocationType_0=URIName
+policyset.adminCertSet.5.default.params.authInfoAccessADLocation_0=
+policyset.adminCertSet.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1
+policyset.adminCertSet.5.default.params.authInfoAccessCritical=false
+policyset.adminCertSet.5.default.params.authInfoAccessNumADs=1
+policyset.adminCertSet.6.constraint.class_id=keyUsageExtConstraintImpl
+policyset.adminCertSet.6.constraint.name=Key Usage Extension Constraint
+policyset.adminCertSet.6.constraint.params.keyUsageCritical=true
+policyset.adminCertSet.6.constraint.params.keyUsageDigitalSignature=true
+policyset.adminCertSet.6.constraint.params.keyUsageNonRepudiation=true
+policyset.adminCertSet.6.constraint.params.keyUsageDataEncipherment=true
+policyset.adminCertSet.6.constraint.params.keyUsageKeyEncipherment=true
+policyset.adminCertSet.6.constraint.params.keyUsageKeyAgreement=false
+policyset.adminCertSet.6.constraint.params.keyUsageKeyCertSign=false
+policyset.adminCertSet.6.constraint.params.keyUsageCrlSign=false
+policyset.adminCertSet.6.constraint.params.keyUsageEncipherOnly=false
+policyset.adminCertSet.6.constraint.params.keyUsageDecipherOnly=false
+policyset.adminCertSet.6.default.class_id=keyUsageExtDefaultImpl
+policyset.adminCertSet.6.default.name=Key Usage Default
+policyset.adminCertSet.6.default.params.keyUsageCritical=true
+policyset.adminCertSet.6.default.params.keyUsageDigitalSignature=true
+policyset.adminCertSet.6.default.params.keyUsageNonRepudiation=true
+policyset.adminCertSet.6.default.params.keyUsageDataEncipherment=true
+policyset.adminCertSet.6.default.params.keyUsageKeyEncipherment=true
+policyset.adminCertSet.6.default.params.keyUsageKeyAgreement=false
+policyset.adminCertSet.6.default.params.keyUsageKeyCertSign=false
+policyset.adminCertSet.6.default.params.keyUsageCrlSign=false
+policyset.adminCertSet.6.default.params.keyUsageEncipherOnly=false
+policyset.adminCertSet.6.default.params.keyUsageDecipherOnly=false
+policyset.adminCertSet.7.constraint.class_id=noConstraintImpl
+policyset.adminCertSet.7.constraint.name=No Constraint
+policyset.adminCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl
+policyset.adminCertSet.7.default.name=Extended Key Usage Extension Default
+policyset.adminCertSet.7.default.params.exKeyUsageCritical=false
+policyset.adminCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4
+policyset.adminCertSet.8.constraint.class_id=signingAlgConstraintImpl
+policyset.adminCertSet.8.constraint.name=No Constraint
+policyset.adminCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC
+policyset.adminCertSet.8.default.class_id=signingAlgDefaultImpl
+policyset.adminCertSet.8.default.name=Signing Alg
+policyset.adminCertSet.8.default.params.signingAlg=-
diff --git a/pki/base/ca/shared/profiles/ca/caAgentFileSigning.cfg b/pki/base/ca/shared/profiles/ca/caAgentFileSigning.cfg
new file mode 100644
index 000000000..192756222
--- /dev/null
+++ b/pki/base/ca/shared/profiles/ca/caAgentFileSigning.cfg
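Review bot: `signingAlgsAllowed` on the `adminCertSet.8` constraint at the end of this hunk admits `MD5withRSA` and `MD2withRSA`, both collision-broken digests, so a request can obtain a CA-signed Security Domain administrator certificate under a hash that relying parties should refuse; trim the list to `SHA256withRSA,SHA512withRSA` (plus the EC/DSA entries if they are actually needed) and treat `SHA1withRSA` as next to go, while keeping `signingAlg=-` so the CA default still applies. The `adminCertSet.3` key constraint also sets `keyMinLength=256` with `keyType=-`, which for RSA admits trivially factorable keys; 2048 is the sensible floor unless the constraint is applied per key type, which the hunk does not show. The identical algorithm list and key floor recur in caAgentFileSigning.cfg and caAgentServerCert.cfg in this commit.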
@@ -0,0 +1,87 @@
+desc=This certificate profile is for file signing with agent authentication.
+visible=true
+enable=true
+enableBy=admin
+auth.instance_id=AgentCertAuth
+name=Agent-Authenticated File Signing
+input.list=i1,i2,i3
+input.i1.class_id=keyGenInputImpl
+input.i2.class_id=fileSigningInputImpl
+input.i3.class_id=submitterInfoInputImpl
+output.list=o1
+output.o1.class_id=pkcs7OutputImpl
+policyset.list=serverCertSet
+policyset.serverCertSet.list=1,2,3,4,5,6,7,8
+policyset.serverCertSet.1.constraint.class_id=subjectNameConstraintImpl
+policyset.serverCertSet.1.constraint.name=Subject Name Constraint
+policyset.serverCertSet.1.constraint.params.pattern=CN=.*
+policyset.serverCertSet.1.constraint.params.accept=true
+policyset.serverCertSet.1.default.class_id=subjectNameDefaultImpl
+policyset.serverCertSet.1.default.name=Subject Name Default
+policyset.serverCertSet.1.default.params.name=CN=(Name)$request.requestor_name$(Text)$request.file_signing_text$(Size)$request.file_signing_size$(DigestType)$request.file_signing_digest_type$(Digest)$request.file_signing_digest$
+policyset.serverCertSet.2.constraint.class_id=validityConstraintImpl
+policyset.serverCertSet.2.constraint.name=Validity Constraint
+policyset.serverCertSet.2.constraint.params.range=365
+policyset.serverCertSet.2.constraint.params.notBeforeCheck=false
+policyset.serverCertSet.2.constraint.params.notAfterCheck=false
+policyset.serverCertSet.2.default.class_id=validityDefaultImpl
+policyset.serverCertSet.2.default.name=Validity Default
+policyset.serverCertSet.2.default.params.range=180
+policyset.serverCertSet.2.default.params.startTime=0
+policyset.serverCertSet.3.constraint.class_id=keyConstraintImpl
+policyset.serverCertSet.3.constraint.name=Key Constraint
+policyset.serverCertSet.3.constraint.params.keyType=-
+policyset.serverCertSet.3.constraint.params.keyMinLength=256
+policyset.serverCertSet.3.constraint.params.keyMaxLength=4096
+policyset.serverCertSet.3.default.class_id=userKeyDefaultImpl
+policyset.serverCertSet.3.default.name=Key Default
+policyset.serverCertSet.4.constraint.class_id=noConstraintImpl
+policyset.serverCertSet.4.constraint.name=No Constraint
+policyset.serverCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl
+policyset.serverCertSet.4.default.name=Authority Key Identifier Default
+policyset.serverCertSet.5.constraint.class_id=noConstraintImpl
+policyset.serverCertSet.5.constraint.name=No Constraint
+policyset.serverCertSet.5.default.class_id=authInfoAccessExtDefaultImpl
+policyset.serverCertSet.5.default.name=AIA Extension Default
+policyset.serverCertSet.5.default.params.authInfoAccessADEnable_0=true
+policyset.serverCertSet.5.default.params.authInfoAccessADLocationType_0=URIName
+policyset.serverCertSet.5.default.params.authInfoAccessADLocation_0=
+policyset.serverCertSet.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1
+policyset.serverCertSet.5.default.params.authInfoAccessCritical=false
+policyset.serverCertSet.5.default.params.authInfoAccessNumADs=1
+policyset.serverCertSet.6.constraint.class_id=keyUsageExtConstraintImpl
+policyset.serverCertSet.6.constraint.name=Key Usage Extension Constraint
+policyset.serverCertSet.6.constraint.params.keyUsageCritical=true
+policyset.serverCertSet.6.constraint.params.keyUsageDigitalSignature=true
+policyset.serverCertSet.6.constraint.params.keyUsageNonRepudiation=true
+policyset.serverCertSet.6.constraint.params.keyUsageDataEncipherment=true
+policyset.serverCertSet.6.constraint.params.keyUsageKeyEncipherment=true
+policyset.serverCertSet.6.constraint.params.keyUsageKeyAgreement=false
+policyset.serverCertSet.6.constraint.params.keyUsageKeyCertSign=false
+policyset.serverCertSet.6.constraint.params.keyUsageCrlSign=false
+policyset.serverCertSet.6.constraint.params.keyUsageEncipherOnly=false
+policyset.serverCertSet.6.constraint.params.keyUsageDecipherOnly=false
+policyset.serverCertSet.6.default.class_id=keyUsageExtDefaultImpl
+policyset.serverCertSet.6.default.name=Key Usage Default
+policyset.serverCertSet.6.default.params.keyUsageCritical=true
+policyset.serverCertSet.6.default.params.keyUsageDigitalSignature=true
+policyset.serverCertSet.6.default.params.keyUsageNonRepudiation=true
+policyset.serverCertSet.6.default.params.keyUsageDataEncipherment=true
+policyset.serverCertSet.6.default.params.keyUsageKeyEncipherment=true
+policyset.serverCertSet.6.default.params.keyUsageKeyAgreement=false
+policyset.serverCertSet.6.default.params.keyUsageKeyCertSign=false
+policyset.serverCertSet.6.default.params.keyUsageCrlSign=false
+policyset.serverCertSet.6.default.params.keyUsageEncipherOnly=false
+policyset.serverCertSet.6.default.params.keyUsageDecipherOnly=false
+policyset.serverCertSet.7.constraint.class_id=noConstraintImpl
+policyset.serverCertSet.7.constraint.name=No Constraint
+policyset.serverCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl
+policyset.serverCertSet.7.default.name=Extended Key Usage Extension Default
+policyset.serverCertSet.7.default.params.exKeyUsageCritical=false
+policyset.serverCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.1
+policyset.serverCertSet.8.constraint.class_id=signingAlgConstraintImpl
+policyset.serverCertSet.8.constraint.name=No Constraint
+policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC
+policyset.serverCertSet.8.default.class_id=signingAlgDefaultImpl
+policyset.serverCertSet.8.default.name=Signing Alg
+policyset.serverCertSet.8.default.params.signingAlg=-
diff --git a/pki/base/ca/shared/profiles/ca/caAgentServerCert.cfg b/pki/base/ca/shared/profiles/ca/caAgentServerCert.cfg
new file mode 100644
index 000000000..534becd63
--- /dev/null
+++ b/pki/base/ca/shared/profiles/ca/caAgentServerCert.cfg
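Review bot: The `serverCertSet.7` EKU near the end of this hunk is `1.3.6.1.5.5.7.3.1` (id-kp-serverAuth), so a certificate issued by a profile named "Agent-Authenticated File Signing" would be accepted as a TLS server certificate by any client that trusts this CA; a signing profile should carry a signing-purpose EKU such as `1.3.6.1.5.5.7.3.3` (id-kp-codeSigning) or `1.3.6.1.5.5.7.3.4` (id-kp-emailProtection) rather than serverAuth, and the policy set name `serverCertSet` copied from the server profile hides this. Relatedly, `serverCertSet.1.default.params.name` splices `$request.requestor_name$`, `$request.file_signing_text$` and the other request fields straight into the CN while the constraint pattern `CN=.*` accepts any result, so free-form request text reaches the subject unchecked; if that is intended, say so above the default, e.g. `# CN is assembled from unvalidated request fields; agent review is the only check on its content.`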
@@ -0,0 +1,86 @@
+desc=This certificate profile is for enrolling server certificates with agent authentication.
+visible=true
+enable=true
+enableBy=admin
+auth.instance_id=AgentCertAuth
+name=Agent-Authenticated Server Certificate Enrollment
+input.list=i1,i2
+input.i1.class_id=certReqInputImpl
+input.i2.class_id=submitterInfoInputImpl
+output.list=o1
+output.o1.class_id=certOutputImpl
+policyset.list=serverCertSet
+policyset.serverCertSet.list=1,2,3,4,5,6,7,8
+policyset.serverCertSet.1.constraint.class_id=subjectNameConstraintImpl
+policyset.serverCertSet.1.constraint.name=Subject Name Constraint
+policyset.serverCertSet.1.constraint.params.pattern=CN=.*
+policyset.serverCertSet.1.constraint.params.accept=true
+policyset.serverCertSet.1.default.class_id=userSubjectNameDefaultImpl
+policyset.serverCertSet.1.default.name=Subject Name Default
+policyset.serverCertSet.1.default.params.name=
+policyset.serverCertSet.2.constraint.class_id=validityConstraintImpl
+policyset.serverCertSet.2.constraint.name=Validity Constraint
+policyset.serverCertSet.2.constraint.params.range=365
+policyset.serverCertSet.2.constraint.params.notBeforeCheck=false
+policyset.serverCertSet.2.constraint.params.notAfterCheck=false
+policyset.serverCertSet.2.default.class_id=validityDefaultImpl
+policyset.serverCertSet.2.default.name=Validity Default
+policyset.serverCertSet.2.default.params.range=180
+policyset.serverCertSet.2.default.params.startTime=0
+policyset.serverCertSet.3.constraint.class_id=keyConstraintImpl
+policyset.serverCertSet.3.constraint.name=Key Constraint
+policyset.serverCertSet.3.constraint.params.keyType=-
+policyset.serverCertSet.3.constraint.params.keyMinLength=256
+policyset.serverCertSet.3.constraint.params.keyMaxLength=4096
+policyset.serverCertSet.3.default.class_id=userKeyDefaultImpl
+policyset.serverCertSet.3.default.name=Key Default
+policyset.serverCertSet.4.constraint.class_id=noConstraintImpl
+policyset.serverCertSet.4.constraint.name=No Constraint
+policyset.serverCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl
+policyset.serverCertSet.4.default.name=Authority Key Identifier Default
+policyset.serverCertSet.5.constraint.class_id=noConstraintImpl
+policyset.serverCertSet.5.constraint.name=No Constraint
+policyset.serverCertSet.5.default.class_id=authInfoAccessExtDefaultImpl
+policyset.serverCertSet.5.default.name=AIA Extension Default
+policyset.serverCertSet.5.default.params.authInfoAccessADEnable_0=true
+policyset.serverCertSet.5.default.params.authInfoAccessADLocationType_0=URIName
+policyset.serverCertSet.5.default.params.authInfoAccessADLocation_0=
+policyset.serverCertSet.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1
+policyset.serverCertSet.5.default.params.authInfoAccessCritical=false
+policyset.serverCertSet.5.default.params.authInfoAccessNumADs=1
+policyset.serverCertSet.6.constraint.class_id=keyUsageExtConstraintImpl
+policyset.serverCertSet.6.constraint.name=Key Usage Extension Constraint
+policyset.serverCertSet.6.constraint.params.keyUsageCritical=true
+policyset.serverCertSet.6.constraint.params.keyUsageDigitalSignature=true
+policyset.serverCertSet.6.constraint.params.keyUsageNonRepudiation=true
+policyset.serverCertSet.6.constraint.params.keyUsageDataEncipherment=true
+policyset.serverCertSet.6.constraint.params.keyUsageKeyEncipherment=true
+policyset.serverCertSet.6.constraint.params.keyUsageKeyAgreement=false
+policyset.serverCertSet.6.constraint.params.keyUsageKeyCertSign=false
+policyset.serverCertSet.6.constraint.params.keyUsageCrlSign=false
+policyset.serverCertSet.6.constraint.params.keyUsageEncipherOnly=false
+policyset.serverCertSet.6.constraint.params.keyUsageDecipherOnly=false
+policyset.serverCertSet.6.default.class_id=keyUsageExtDefaultImpl
+policyset.serverCertSet.6.default.name=Key Usage Default
+policyset.serverCertSet.6.default.params.keyUsageCritical=true
+policyset.serverCertSet.6.default.params.keyUsageDigitalSignature=true
+policyset.serverCertSet.6.default.params.keyUsageNonRepudiation=true
+policyset.serverCertSet.6.default.params.keyUsageDataEncipherment=true
+policyset.serverCertSet.6.default.params.keyUsageKeyEncipherment=true
+policyset.serverCertSet.6.default.params.keyUsageKeyAgreement=false
+policyset.serverCertSet.6.default.params.keyUsageKeyCertSign=false
+policyset.serverCertSet.6.default.params.keyUsageCrlSign=false
+policyset.serverCertSet.6.default.params.keyUsageEncipherOnly=false
+policyset.serverCertSet.6.default.params.keyUsageDecipherOnly=false
+policyset.serverCertSet.7.constraint.class_id=noConstraintImpl
+policyset.serverCertSet.7.constraint.name=No Constraint
+policyset.serverCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl
+policyset.serverCertSet.7.default.name=Extended Key Usage Extension Default
+policyset.serverCertSet.7.default.params.exKeyUsageCritical=false
+policyset.serverCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.1
+policyset.serverCertSet.8.constraint.class_id=signingAlgConstraintImpl
+policyset.serverCertSet.8.constraint.name=No Constraint
+policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC
+policyset.serverCertSet.8.default.class_id=signingAlgDefaultImpl
+policyset.serverCertSet.8.default.name=Signing Alg
+policyset.serverCertSet.8.default.params.signingAlg=-
diff --git a/pki/base/ca/shared/profiles/ca/caCACert.cfg b/pki/base/ca/shared/profiles/ca/caCACert.cfg
new file mode 100644
index 000000000..0af20356b
--- /dev/null
+++ b/pki/base/ca/shared/profiles/ca/caCACert.cfg
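Review bot: `policyset.serverCertSet.8.constraint.params.signingAlgsAllowed` still admits `MD5withRSA`, `MD2withRSA` and the SHA-1 variants, and constraint 3 with `keyType=-` and `keyMinLength=256` lets a requester enroll a server certificate on a key far too small to resist factoring. The same two lists are copied verbatim into caCACert.cfg, caCMCUserCert.cfg, caDirUserCert.cfg, caDualCert.cfg and caDualRAuserCert.cfg in this commit, so the change applies to all of them. Suggest `policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA256withRSA,SHA512withRSA` and `policyset.serverCertSet.3.constraint.params.keyMinLength=2048`; the 2048 floor assumes RSA, so with `keyType=-` an EC key would need its own lower bound and the constraint may have to be split per key type. Separately, `policyset.serverCertSet.8.constraint.name=No Constraint` mislabels a `signingAlgConstraintImpl` entry and should read something like `Signing Algorithm Constraint`.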
@@ -0,0 +1,96 @@
+desc=This certificate profile is for enrolling Certificate Authority certificates.
+visible=true
+enable=true
+enableBy=admin
+auth.class_id=
+name=Manual Certificate Manager Signing Certificate Enrollment
+input.list=i1,i2
+input.i1.class_id=certReqInputImpl
+input.i2.class_id=submitterInfoInputImpl
+output.list=o1
+output.o1.class_id=certOutputImpl
+policyset.list=caCertSet
+policyset.caCertSet.list=1,2,3,4,5,6,8,9,10
+policyset.caCertSet.1.constraint.class_id=subjectNameConstraintImpl
+policyset.caCertSet.1.constraint.name=Subject Name Constraint
+policyset.caCertSet.1.constraint.params.pattern=CN=.*
+policyset.caCertSet.1.constraint.params.accept=true
+policyset.caCertSet.1.default.class_id=userSubjectNameDefaultImpl
+policyset.caCertSet.1.default.name=Subject Name Default
+policyset.caCertSet.1.default.params.name=
+policyset.caCertSet.2.constraint.class_id=validityConstraintImpl
+policyset.caCertSet.2.constraint.name=Validity Constraint
+policyset.caCertSet.2.constraint.params.range=720
+policyset.caCertSet.2.constraint.params.notBeforeCheck=false
+policyset.caCertSet.2.constraint.params.notAfterCheck=false
+policyset.caCertSet.2.default.class_id=validityDefaultImpl
+policyset.caCertSet.2.default.name=Validity Default
+policyset.caCertSet.2.default.params.range=720
+policyset.caCertSet.2.default.params.startTime=0
+policyset.caCertSet.3.constraint.class_id=keyConstraintImpl
+policyset.caCertSet.3.constraint.name=Key Constraint
+policyset.caCertSet.3.constraint.params.keyType=-
+policyset.caCertSet.3.constraint.params.keyMinLength=256
+policyset.caCertSet.3.constraint.params.keyMaxLength=4096
+policyset.caCertSet.3.default.class_id=userKeyDefaultImpl
+policyset.caCertSet.3.default.name=Key Default
+policyset.caCertSet.4.constraint.class_id=noConstraintImpl
+policyset.caCertSet.4.constraint.name=No Constraint
+policyset.caCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl
+policyset.caCertSet.4.default.name=Authority Key Identifier Default
+policyset.caCertSet.5.constraint.class_id=basicConstraintsExtConstraintImpl
+policyset.caCertSet.5.constraint.name=Basic Constraint Extension Constraint
+policyset.caCertSet.5.constraint.params.basicConstraintsCritical=true
+policyset.caCertSet.5.constraint.params.basicConstraintsIsCA=true
+policyset.caCertSet.5.constraint.params.basicConstraintsMinPathLen=-1
+policyset.caCertSet.5.constraint.params.basicConstraintsMaxPathLen=-1
+policyset.caCertSet.5.default.class_id=basicConstraintsExtDefaultImpl
+policyset.caCertSet.5.default.name=Basic Constraints Extension Default
+policyset.caCertSet.5.default.params.basicConstraintsCritical=true
+policyset.caCertSet.5.default.params.basicConstraintsIsCA=true
+policyset.caCertSet.5.default.params.basicConstraintsPathLen=-1
+policyset.caCertSet.6.constraint.class_id=keyUsageExtConstraintImpl
+policyset.caCertSet.6.constraint.name=Key Usage Extension Constraint
+policyset.caCertSet.6.constraint.params.keyUsageCritical=true
+policyset.caCertSet.6.constraint.params.keyUsageDigitalSignature=true
+policyset.caCertSet.6.constraint.params.keyUsageNonRepudiation=true
+policyset.caCertSet.6.constraint.params.keyUsageDataEncipherment=false
+policyset.caCertSet.6.constraint.params.keyUsageKeyEncipherment=false
+policyset.caCertSet.6.constraint.params.keyUsageKeyAgreement=false
+policyset.caCertSet.6.constraint.params.keyUsageKeyCertSign=true
+policyset.caCertSet.6.constraint.params.keyUsageCrlSign=true
+policyset.caCertSet.6.constraint.params.keyUsageEncipherOnly=false
+policyset.caCertSet.6.constraint.params.keyUsageDecipherOnly=false
+policyset.caCertSet.6.default.class_id=keyUsageExtDefaultImpl
+policyset.caCertSet.6.default.name=Key Usage Default
+policyset.caCertSet.6.default.params.keyUsageCritical=true
+policyset.caCertSet.6.default.params.keyUsageDigitalSignature=true
+policyset.caCertSet.6.default.params.keyUsageNonRepudiation=true
+policyset.caCertSet.6.default.params.keyUsageDataEncipherment=false
+policyset.caCertSet.6.default.params.keyUsageKeyEncipherment=false
+policyset.caCertSet.6.default.params.keyUsageKeyAgreement=false
+policyset.caCertSet.6.default.params.keyUsageKeyCertSign=true
+policyset.caCertSet.6.default.params.keyUsageCrlSign=true
+policyset.caCertSet.6.default.params.keyUsageEncipherOnly=false
+policyset.caCertSet.6.default.params.keyUsageDecipherOnly=false
+policyset.caCertSet.8.constraint.class_id=noConstraintImpl
+policyset.caCertSet.8.constraint.name=No Constraint
+policyset.caCertSet.8.default.class_id=subjectKeyIdentifierExtDefaultImpl
+policyset.caCertSet.8.default.name=Subject Key Identifier Extension Default
+policyset.caCertSet.8.default.params.critical=false
+policyset.caCertSet.9.constraint.class_id=signingAlgConstraintImpl
+policyset.caCertSet.9.constraint.name=No Constraint
+policyset.caCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC
+policyset.caCertSet.9.default.class_id=signingAlgDefaultImpl
+policyset.caCertSet.9.default.name=Signing Alg
+policyset.caCertSet.9.default.params.signingAlg=-
+policyset.caCertSet.10.constraint.class_id=noConstraintImpl
+policyset.caCertSet.10.constraint.name=No Constraint
+policyset.caCertSet.10.default.class_id=authInfoAccessExtDefaultImpl
+policyset.caCertSet.10.default.name=AIA Extension Default
+policyset.caCertSet.10.default.params.authInfoAccessADEnable_0=true
+policyset.caCertSet.10.default.params.authInfoAccessADLocationType_0=URIName
+policyset.caCertSet.10.default.params.authInfoAccessADLocation_0=
+policyset.caCertSet.10.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1
+policyset.caCertSet.10.default.params.authInfoAccessCritical=false
+policyset.caCertSet.10.default.params.authInfoAccessNumADs=1
diff --git a/pki/base/ca/shared/profiles/ca/caCMCUserCert.cfg b/pki/base/ca/shared/profiles/ca/caCMCUserCert.cfg
new file mode 100644
index 000000000..8b6936e06
--- /dev/null
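Review bot: `policyset.caCertSet.5.constraint.params.basicConstraintsMaxPathLen=-1` together with `policyset.caCertSet.5.default.params.basicConstraintsPathLen=-1` leaves the issued CA certificate without a pathLenConstraint, so any subordinate enrolled through this profile can in turn issue further CAs without limit. If unlimited depth is intended for this profile, a line in `desc=` should say so; otherwise consider `policyset.caCertSet.5.default.params.basicConstraintsPathLen=0` with a matching `basicConstraintsMaxPathLen=0`. This profile also has `auth.class_id=` empty, so presumably agent approval is the only control on issuing a 720-day sub-CA certificate with `keyCertSign` and `crlSign`, which the description ought to state explicitly. `policyset.caCertSet.9.constraint.name=No Constraint` mislabels the signing-algorithm constraint here as well.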
+++ b/pki/base/ca/shared/profiles/ca/caCMCUserCert.cfg 
@@ -0,0 +1,86 @@
+desc=This certificate profile is for enrolling user certificates by using the CMC certificate request with CMC Signature authentication.
+visible=true
+enable=true
+enableBy=admin
+auth.instance_id=CMCAuth
+name=Signed CMC-Authenticated User Certificate Enrollment
+input.list=i1,i2
+input.i1.class_id=cmcCertReqInputImpl
+input.i2.class_id=submitterInfoInputImpl
+output.list=o1
+output.o1.class_id=certOutputImpl
+policyset.list=cmcUserCertSet
+policyset.cmcUserCertSet.list=1,2,3,4,5,6,7,8
+policyset.cmcUserCertSet.1.constraint.class_id=subjectNameConstraintImpl
+policyset.cmcUserCertSet.1.constraint.name=Subject Name Constraint
+policyset.cmcUserCertSet.1.constraint.params.pattern=.*
+policyset.cmcUserCertSet.1.constraint.params.accept=true
+policyset.cmcUserCertSet.1.default.class_id=userSubjectNameDefaultImpl
+policyset.cmcUserCertSet.1.default.name=Subject Name Default
+policyset.cmcUserCertSet.1.default.params.name=
+policyset.cmcUserCertSet.2.constraint.class_id=validityConstraintImpl
+policyset.cmcUserCertSet.2.constraint.name=Validity Constraint
+policyset.cmcUserCertSet.2.constraint.params.range=365
+policyset.cmcUserCertSet.2.constraint.params.notBeforeCheck=false
+policyset.cmcUserCertSet.2.constraint.params.notAfterCheck=false
+policyset.cmcUserCertSet.2.default.class_id=validityDefaultImpl
+policyset.cmcUserCertSet.2.default.name=Validity Default
+policyset.cmcUserCertSet.2.default.params.range=180
+policyset.cmcUserCertSet.2.default.params.startTime=0
+policyset.cmcUserCertSet.3.constraint.class_id=keyConstraintImpl
+policyset.cmcUserCertSet.3.constraint.name=Key Constraint
+policyset.cmcUserCertSet.3.constraint.params.keyType=-
+policyset.cmcUserCertSet.3.constraint.params.keyMinLength=256
+policyset.cmcUserCertSet.3.constraint.params.keyMaxLength=4096
+policyset.cmcUserCertSet.3.default.class_id=userKeyDefaultImpl
+policyset.cmcUserCertSet.3.default.name=Key Default
+policyset.cmcUserCertSet.4.constraint.class_id=noConstraintImpl
+policyset.cmcUserCertSet.4.constraint.name=No Constraint
+policyset.cmcUserCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl
+policyset.cmcUserCertSet.4.default.name=Authority Key Identifier Default
+policyset.cmcUserCertSet.5.constraint.class_id=noConstraintImpl
+policyset.cmcUserCertSet.5.constraint.name=No Constraint
+policyset.cmcUserCertSet.5.default.class_id=authInfoAccessExtDefaultImpl
+policyset.cmcUserCertSet.5.default.name=AIA Extension Default
+policyset.cmcUserCertSet.5.default.params.authInfoAccessADEnable_0=true
+policyset.cmcUserCertSet.5.default.params.authInfoAccessADLocationType_0=URIName
+policyset.cmcUserCertSet.5.default.params.authInfoAccessADLocation_0=
+policyset.cmcUserCertSet.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1
+policyset.cmcUserCertSet.5.default.params.authInfoAccessCritical=false
+policyset.cmcUserCertSet.5.default.params.authInfoAccessNumADs=1
+policyset.cmcUserCertSet.6.constraint.class_id=keyUsageExtConstraintImpl
+policyset.cmcUserCertSet.6.constraint.name=Key Usage Extension Constraint
+policyset.cmcUserCertSet.6.constraint.params.keyUsageCritical=true
+policyset.cmcUserCertSet.6.constraint.params.keyUsageDigitalSignature=true
+policyset.cmcUserCertSet.6.constraint.params.keyUsageNonRepudiation=true
+policyset.cmcUserCertSet.6.constraint.params.keyUsageDataEncipherment=false
+policyset.cmcUserCertSet.6.constraint.params.keyUsageKeyEncipherment=true
+policyset.cmcUserCertSet.6.constraint.params.keyUsageKeyAgreement=false
+policyset.cmcUserCertSet.6.constraint.params.keyUsageKeyCertSign=false
+policyset.cmcUserCertSet.6.constraint.params.keyUsageCrlSign=false
+policyset.cmcUserCertSet.6.constraint.params.keyUsageEncipherOnly=false
+policyset.cmcUserCertSet.6.constraint.params.keyUsageDecipherOnly=false
+policyset.cmcUserCertSet.6.default.class_id=keyUsageExtDefaultImpl
+policyset.cmcUserCertSet.6.default.name=Key Usage Default
+policyset.cmcUserCertSet.6.default.params.keyUsageCritical=true
+policyset.cmcUserCertSet.6.default.params.keyUsageDigitalSignature=true
+policyset.cmcUserCertSet.6.default.params.keyUsageNonRepudiation=true
+policyset.cmcUserCertSet.6.default.params.keyUsageDataEncipherment=false
+policyset.cmcUserCertSet.6.default.params.keyUsageKeyEncipherment=true
+policyset.cmcUserCertSet.6.default.params.keyUsageKeyAgreement=false
+policyset.cmcUserCertSet.6.default.params.keyUsageKeyCertSign=false
+policyset.cmcUserCertSet.6.default.params.keyUsageCrlSign=false
+policyset.cmcUserCertSet.6.default.params.keyUsageEncipherOnly=false
+policyset.cmcUserCertSet.6.default.params.keyUsageDecipherOnly=false
+policyset.cmcUserCertSet.7.constraint.class_id=noConstraintImpl
+policyset.cmcUserCertSet.7.constraint.name=No Constraint
+policyset.cmcUserCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl
+policyset.cmcUserCertSet.7.default.name=Extended Key Usage Extension Default
+policyset.cmcUserCertSet.7.default.params.exKeyUsageCritical=false
+policyset.cmcUserCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4
+policyset.cmcUserCertSet.8.constraint.class_id=signingAlgConstraintImpl
+policyset.cmcUserCertSet.8.constraint.name=No Constraint
+policyset.cmcUserCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC
+policyset.cmcUserCertSet.8.default.class_id=signingAlgDefaultImpl
+policyset.cmcUserCertSet.8.default.name=Signing Alg
+policyset.cmcUserCertSet.8.default.params.signingAlg=-
diff --git a/pki/base/ca/shared/profiles/ca/caDirUserCert.cfg b/pki/base/ca/shared/profiles/ca/caDirUserCert.cfg
new file mode 100644
index 000000000..3806d0b21
--- /dev/null
+++ b/pki/base/ca/shared/profiles/ca/caDirUserCert.cfg
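Review bot: `policyset.cmcUserCertSet.1.constraint.params.pattern=.*` with `accept=true` is no subject-name constraint at all, so whatever subject the signed CMC request carries is issued verbatim, whereas the other user profiles in this commit restrict to `UID=.*` or `.*UID=.*`. Unless CMC signature authentication (`auth.instance_id=CMCAuth`) is meant to vouch for arbitrary subject names, tighten it to `policyset.cmcUserCertSet.1.constraint.params.pattern=.*UID=.*`; if the wide-open pattern is deliberate, `desc=` should say that the CMC signer is trusted for the full subject.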
@@ -0,0 +1,94 @@
+desc=This certificate profile is for enrolling user certificates with directory-based authentication.
+visible=true
+enable=true
+enableBy=admin
+name=Directory-Authenticated User Dual-Use Certificate Enrollment
+auth.instance_id=UserDirEnrollment
+input.list=i1
+input.i1.class_id=keyGenInputImpl
+output.list=o1
+output.o1.class_id=certOutputImpl
+policyset.list=userCertSet
+policyset.userCertSet.list=1,2,3,4,5,6,7,8,9
+policyset.userCertSet.1.constraint.class_id=subjectNameConstraintImpl
+policyset.userCertSet.1.constraint.name=Subject Name Constraint
+policyset.userCertSet.1.constraint.params.pattern=UID=.*
+policyset.userCertSet.1.constraint.params.accept=true
+policyset.userCertSet.1.default.class_id=authTokenSubjectNameDefaultImpl
+policyset.userCertSet.1.default.name=Subject Name Default
+policyset.userCertSet.1.default.params.name=
+policyset.userCertSet.2.constraint.class_id=validityConstraintImpl
+policyset.userCertSet.2.constraint.name=Validity Constraint
+policyset.userCertSet.2.constraint.params.range=365
+policyset.userCertSet.2.constraint.params.notBeforeCheck=false
+policyset.userCertSet.2.constraint.params.notAfterCheck=false
+policyset.userCertSet.2.default.class_id=validityDefaultImpl
+policyset.userCertSet.2.default.name=Validity Default
+policyset.userCertSet.2.default.params.range=180
+policyset.userCertSet.2.default.params.startTime=0
+policyset.userCertSet.3.constraint.class_id=keyConstraintImpl
+policyset.userCertSet.3.constraint.name=Key Constraint
+policyset.userCertSet.3.constraint.params.keyType=-
+policyset.userCertSet.3.constraint.params.keyMinLength=256
+policyset.userCertSet.3.constraint.params.keyMaxLength=4096
+policyset.userCertSet.3.default.class_id=userKeyDefaultImpl
+policyset.userCertSet.3.default.name=Key Default
+policyset.userCertSet.4.constraint.class_id=noConstraintImpl
+policyset.userCertSet.4.constraint.name=No Constraint
+policyset.userCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl
+policyset.userCertSet.4.default.name=Authority Key Identifier Default
+policyset.userCertSet.5.constraint.class_id=noConstraintImpl
+policyset.userCertSet.5.constraint.name=No Constraint
+policyset.userCertSet.5.default.class_id=authInfoAccessExtDefaultImpl
+policyset.userCertSet.5.default.name=AIA Extension Default
+policyset.userCertSet.5.default.params.authInfoAccessADEnable_0=true
+policyset.userCertSet.5.default.params.authInfoAccessADLocationType_0=URIName
+policyset.userCertSet.5.default.params.authInfoAccessADLocation_0=
+policyset.userCertSet.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1
+policyset.userCertSet.5.default.params.authInfoAccessCritical=false
+policyset.userCertSet.5.default.params.authInfoAccessNumADs=1
+policyset.userCertSet.6.constraint.class_id=keyUsageExtConstraintImpl
+policyset.userCertSet.6.constraint.name=Key Usage Extension Constraint
+policyset.userCertSet.6.constraint.params.keyUsageCritical=true
+policyset.userCertSet.6.constraint.params.keyUsageDigitalSignature=true
+policyset.userCertSet.6.constraint.params.keyUsageNonRepudiation=true
+policyset.userCertSet.6.constraint.params.keyUsageDataEncipherment=false
+policyset.userCertSet.6.constraint.params.keyUsageKeyEncipherment=true
+policyset.userCertSet.6.constraint.params.keyUsageKeyAgreement=false
+policyset.userCertSet.6.constraint.params.keyUsageKeyCertSign=false
+policyset.userCertSet.6.constraint.params.keyUsageCrlSign=false
+policyset.userCertSet.6.constraint.params.keyUsageEncipherOnly=false
+policyset.userCertSet.6.constraint.params.keyUsageDecipherOnly=false
+policyset.userCertSet.6.default.class_id=keyUsageExtDefaultImpl
+policyset.userCertSet.6.default.name=Key Usage Default
+policyset.userCertSet.6.default.params.keyUsageCritical=true
+policyset.userCertSet.6.default.params.keyUsageDigitalSignature=true
+policyset.userCertSet.6.default.params.keyUsageNonRepudiation=true
+policyset.userCertSet.6.default.params.keyUsageDataEncipherment=false
+policyset.userCertSet.6.default.params.keyUsageKeyEncipherment=true
+policyset.userCertSet.6.default.params.keyUsageKeyAgreement=false
+policyset.userCertSet.6.default.params.keyUsageKeyCertSign=false
+policyset.userCertSet.6.default.params.keyUsageCrlSign=false
+policyset.userCertSet.6.default.params.keyUsageEncipherOnly=false
+policyset.userCertSet.6.default.params.keyUsageDecipherOnly=false
+policyset.userCertSet.7.constraint.class_id=noConstraintImpl
+policyset.userCertSet.7.constraint.name=No Constraint
+policyset.userCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl
+policyset.userCertSet.7.default.name=Extended Key Usage Extension Default
+policyset.userCertSet.7.default.params.exKeyUsageCritical=false
+policyset.userCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4
+policyset.userCertSet.8.constraint.class_id=noConstraintImpl
+policyset.userCertSet.8.constraint.name=No Constraint
+policyset.userCertSet.8.default.class_id=subjectAltNameExtDefaultImpl
+policyset.userCertSet.8.default.name=Subject Alt Name Constraint
+policyset.userCertSet.8.default.params.subjAltNameExtCritical=false
+policyset.userCertSet.8.default.params.subjAltExtType_0=RFC822Name
+policyset.userCertSet.8.default.params.subjAltExtPattern_0=$request.requestor_email$
+policyset.userCertSet.8.default.params.subjAltExtGNEnable_0=true
+policyset.userCertSet.8.default.params.subjAltNameNumGNs=1
+policyset.userCertSet.9.constraint.class_id=signingAlgConstraintImpl
+policyset.userCertSet.9.constraint.name=No Constraint
+policyset.userCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC
+policyset.userCertSet.9.default.class_id=signingAlgDefaultImpl
+policyset.userCertSet.9.default.name=Signing Alg
+policyset.userCertSet.9.default.params.signingAlg=-
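Review bot: the Subject Alt Name default `policyset.userCertSet.8.default.params.subjAltExtPattern_0=$request.requestor_email$` takes the rfc822Name from the request, while the subject itself is taken from the authenticated directory entry through `authTokenSubjectNameDefaultImpl`, and with `input.list=i1` being only `keyGenInputImpl` there is no submitter-info input that would set `requestor_email`. Depending on how that attribute is populated, the GN is therefore either empty or a requester-asserted address bound into a certificate whose subject was verified against the directory. If the directory auth token exposes the user's mail attribute, derive the SAN from it instead; otherwise drop `8` from `policyset.userCertSet.list` rather than emit an unverified name. Also `policyset.userCertSet.8.default.name=Subject Alt Name Constraint` labels a default as a constraint; `Subject Alt Name Default` matches the other entries.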
diff --git a/pki/base/ca/shared/profiles/ca/caDualCert.cfg b/pki/base/ca/shared/profiles/ca/caDualCert.cfg
new file mode 100644
index 000000000..bd99199fa
--- /dev/null
+++ b/pki/base/ca/shared/profiles/ca/caDualCert.cfg
@@ -0,0 +1,170 @@
+desc=This certificate profile is for enrolling dual user certificates. It works only with Netscape 7.0 or later.
+visible=true
+enable=true
+enableBy=admin
+name=Manual User Signing & Encryption Certificates Enrollment
+auth.class_id=
+input.list=i1,i2,i3
+input.i1.class_id=dualKeyGenInputImpl
+input.i2.class_id=subjectNameInputImpl
+input.i3.class_id=submitterInfoInputImpl
+output.list=o1
+output.o1.class_id=certOutputImpl
+policyset.list=encryptionCertSet,signingCertSet
+policyset.encryptionCertSet.list=1,2,3,4,5,6,7,8,9
+policyset.encryptionCertSet.1.constraint.class_id=subjectNameConstraintImpl
+policyset.encryptionCertSet.1.constraint.name=Subject Name Constraint
+policyset.encryptionCertSet.1.constraint.params.pattern=UID=.*
+policyset.encryptionCertSet.1.constraint.params.accept=true
+policyset.encryptionCertSet.1.default.class_id=userSubjectNameDefaultImpl
+policyset.encryptionCertSet.1.default.name=Subject Name Default
+policyset.encryptionCertSet.1.default.params.name=
+policyset.encryptionCertSet.2.constraint.class_id=validityConstraintImpl
+policyset.encryptionCertSet.2.constraint.name=Validity Constraint
+policyset.encryptionCertSet.2.constraint.params.range=365
+policyset.encryptionCertSet.2.constraint.params.notBeforeCheck=false
+policyset.encryptionCertSet.2.constraint.params.notAfterCheck=false
+policyset.encryptionCertSet.2.default.class_id=validityDefaultImpl
+policyset.encryptionCertSet.2.default.name=Validity Default
+policyset.encryptionCertSet.2.default.params.range=180
+policyset.encryptionCertSet.2.default.params.startTime=0
+policyset.encryptionCertSet.3.constraint.class_id=keyConstraintImpl
+policyset.encryptionCertSet.3.constraint.name=Key Constraint
+policyset.encryptionCertSet.3.constraint.params.keyType=-
+policyset.encryptionCertSet.3.constraint.params.keyMinLength=256
+policyset.encryptionCertSet.3.constraint.params.keyMaxLength=4096
+policyset.encryptionCertSet.3.default.class_id=userKeyDefaultImpl
+policyset.encryptionCertSet.3.default.name=Key Default
+policyset.encryptionCertSet.4.constraint.class_id=noConstraintImpl
+policyset.encryptionCertSet.4.constraint.name=No Constraint
+policyset.encryptionCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl
+policyset.encryptionCertSet.4.default.name=Authority Key Identifier Default
+policyset.encryptionCertSet.5.constraint.class_id=noConstraintImpl
+policyset.encryptionCertSet.5.constraint.name=No Constraint
+policyset.encryptionCertSet.5.default.class_id=authInfoAccessExtDefaultImpl
+policyset.encryptionCertSet.5.default.name=AIA Extension Default
+policyset.encryptionCertSet.5.default.params.authInfoAccessADEnable_0=true
+policyset.encryptionCertSet.5.default.params.authInfoAccessADLocationType_0=URIName
+policyset.encryptionCertSet.5.default.params.authInfoAccessADLocation_0=
+policyset.encryptionCertSet.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1
+policyset.encryptionCertSet.5.default.params.authInfoAccessCritical=false
+policyset.encryptionCertSet.5.default.params.authInfoAccessNumADs=1
+policyset.encryptionCertSet.6.constraint.class_id=keyUsageExtConstraintImpl
+policyset.encryptionCertSet.6.constraint.name=Key Usage Extension Constraint
+policyset.encryptionCertSet.6.constraint.params.keyUsageCritical=true
+policyset.encryptionCertSet.6.constraint.params.keyUsageDigitalSignature=false
+policyset.encryptionCertSet.6.constraint.params.keyUsageNonRepudiation=false
+policyset.encryptionCertSet.6.constraint.params.keyUsageDataEncipherment=false
+policyset.encryptionCertSet.6.constraint.params.keyUsageKeyEncipherment=true
+policyset.encryptionCertSet.6.constraint.params.keyUsageKeyAgreement=false
+policyset.encryptionCertSet.6.constraint.params.keyUsageKeyCertSign=false
+policyset.encryptionCertSet.6.constraint.params.keyUsageCrlSign=false
+policyset.encryptionCertSet.6.constraint.params.keyUsageEncipherOnly=false
+policyset.encryptionCertSet.6.constraint.params.keyUsageDecipherOnly=false
+policyset.encryptionCertSet.6.default.class_id=keyUsageExtDefaultImpl
+policyset.encryptionCertSet.6.default.name=Key Usage Default
+policyset.encryptionCertSet.6.default.params.keyUsageCritical=true
+policyset.encryptionCertSet.6.default.params.keyUsageDigitalSignature=false
+policyset.encryptionCertSet.6.default.params.keyUsageNonRepudiation=false
+policyset.encryptionCertSet.6.default.params.keyUsageDataEncipherment=false
+policyset.encryptionCertSet.6.default.params.keyUsageKeyEncipherment=true
+policyset.encryptionCertSet.6.default.params.keyUsageKeyAgreement=false
+policyset.encryptionCertSet.6.default.params.keyUsageKeyCertSign=false
+policyset.encryptionCertSet.6.default.params.keyUsageCrlSign=false
+policyset.encryptionCertSet.6.default.params.keyUsageEncipherOnly=false
+policyset.encryptionCertSet.6.default.params.keyUsageDecipherOnly=false
+policyset.encryptionCertSet.7.constraint.class_id=noConstraintImpl
+policyset.encryptionCertSet.7.constraint.name=No Constraint
+policyset.encryptionCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl
+policyset.encryptionCertSet.7.default.name=Extended Key Usage Extension Default
+policyset.encryptionCertSet.7.default.params.exKeyUsageCritical=false
+policyset.encryptionCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4
+policyset.encryptionCertSet.8.constraint.class_id=noConstraintImpl
+policyset.encryptionCertSet.8.constraint.name=No Constraint
+policyset.encryptionCertSet.8.default.class_id=subjectAltNameExtDefaultImpl
+policyset.encryptionCertSet.8.default.name=Subject Alt Name Constraint
+policyset.encryptionCertSet.8.default.params.subjAltNameExtCritical=false
+policyset.encryptionCertSet.8.default.params.subjAltExtType_0=RFC822Name
+policyset.encryptionCertSet.8.default.params.subjAltExtPattern_0=$request.requestor_email$
+policyset.encryptionCertSet.8.default.params.subjAltExtGNEnable_0=true
+policyset.encryptionCertSet.8.default.params.subjAltNameNumGNs=1
+policyset.encryptionCertSet.9.constraint.class_id=signingAlgConstraintImpl
+policyset.encryptionCertSet.9.constraint.name=No Constraint
+policyset.encryptionCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC
+policyset.encryptionCertSet.9.default.class_id=signingAlgDefaultImpl
+policyset.encryptionCertSet.9.default.name=Signing Alg
+policyset.encryptionCertSet.9.default.params.signingAlg=-
+policyset.signingCertSet.list=1,2,3,4,6,7,8,9
+policyset.signingCertSet.1.constraint.class_id=subjectNameConstraintImpl
+policyset.signingCertSet.1.constraint.name=Subject Name Constraint
+policyset.signingCertSet.1.constraint.params.pattern=UID=.*
+policyset.signingCertSet.1.constraint.params.accept=true
+policyset.signingCertSet.1.default.class_id=userSubjectNameDefaultImpl
+policyset.signingCertSet.1.default.name=Subject Name Default
+policyset.signingCertSet.1.default.params.name=
+policyset.signingCertSet.2.constraint.class_id=validityConstraintImpl
+policyset.signingCertSet.2.constraint.name=Validity Constraint
+policyset.signingCertSet.2.constraint.params.range=365
+policyset.signingCertSet.2.constraint.params.notBeforeCheck=false
+policyset.signingCertSet.2.constraint.params.notAfterCheck=false
+policyset.signingCertSet.2.default.class_id=validityDefaultImpl
+policyset.signingCertSet.2.default.name=Validity Default
+policyset.signingCertSet.2.default.params.range=180
+policyset.signingCertSet.2.default.params.startTime=60
+policyset.signingCertSet.3.constraint.class_id=keyConstraintImpl
+policyset.signingCertSet.3.constraint.name=Key Constraint
+policyset.signingCertSet.3.constraint.params.keyType=RSA
+policyset.signingCertSet.3.constraint.params.keyMinLength=512
+policyset.signingCertSet.3.constraint.params.keyMaxLength=4096
+policyset.signingCertSet.3.default.class_id=userKeyDefaultImpl
+policyset.signingCertSet.3.default.name=Key Default
+policyset.signingCertSet.4.constraint.class_id=noConstraintImpl
+policyset.signingCertSet.4.constraint.name=No Constraint
+policyset.signingCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl
+policyset.signingCertSet.4.default.name=Authority Key Identifier Default
+policyset.signingCertSet.6.constraint.class_id=keyUsageExtConstraintImpl
+policyset.signingCertSet.6.constraint.name=Key Usage Extension Constraint
+policyset.signingCertSet.6.constraint.params.keyUsageCritical=true
+policyset.signingCertSet.6.constraint.params.keyUsageDigitalSignature=true
+policyset.signingCertSet.6.constraint.params.keyUsageNonRepudiation=true
+policyset.signingCertSet.6.constraint.params.keyUsageDataEncipherment=false
+policyset.signingCertSet.6.constraint.params.keyUsageKeyEncipherment=false
+policyset.signingCertSet.6.constraint.params.keyUsageKeyAgreement=false
+policyset.signingCertSet.6.constraint.params.keyUsageKeyCertSign=false
+policyset.signingCertSet.6.constraint.params.keyUsageCrlSign=false
+policyset.signingCertSet.6.constraint.params.keyUsageEncipherOnly=false
+policyset.signingCertSet.6.constraint.params.keyUsageDecipherOnly=false
+policyset.signingCertSet.6.default.class_id=keyUsageExtDefaultImpl
+policyset.signingCertSet.6.default.name=Key Usage Default
+policyset.signingCertSet.6.default.params.keyUsageCritical=true
+policyset.signingCertSet.6.default.params.keyUsageDigitalSignature=true
+policyset.signingCertSet.6.default.params.keyUsageNonRepudiation=true
+policyset.signingCertSet.6.default.params.keyUsageDataEncipherment=false
+policyset.signingCertSet.6.default.params.keyUsageKeyEncipherment=false
+policyset.signingCertSet.6.default.params.keyUsageKeyAgreement=false
+policyset.signingCertSet.6.default.params.keyUsageKeyCertSign=false
+policyset.signingCertSet.6.default.params.keyUsageCrlSign=false
+policyset.signingCertSet.6.default.params.keyUsageEncipherOnly=false
+policyset.signingCertSet.6.default.params.keyUsageDecipherOnly=false
+policyset.signingCertSet.7.constraint.class_id=noConstraintImpl
+policyset.signingCertSet.7.constraint.name=No Constraint
+policyset.signingCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl
+policyset.signingCertSet.7.default.name=Extended Key Usage Extension Default
+policyset.signingCertSet.7.default.params.exKeyUsageCritical=false
+policyset.signingCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4
+policyset.signingCertSet.8.constraint.class_id=noConstraintImpl
+policyset.signingCertSet.8.constraint.name=No Constraint
+policyset.signingCertSet.8.default.class_id=subjectAltNameExtDefaultImpl
+policyset.signingCertSet.8.default.name=Subject Alt Name Constraint
+policyset.signingCertSet.8.default.params.subjAltNameExtCritical=false
+policyset.signingCertSet.8.default.params.subjAltExtType_0=RFC822Name
+policyset.signingCertSet.8.default.params.subjAltExtPattern_0=$request.requestor_email$
+policyset.signingCertSet.8.default.params.subjAltExtGNEnable_0=true
+policyset.signingCertSet.8.default.params.subjAltNameNumGNs=1
+policyset.signingCertSet.9.constraint.class_id=signingAlgConstraintImpl
+policyset.signingCertSet.9.constraint.name=No Constraint
+policyset.signingCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA
+policyset.signingCertSet.9.default.class_id=signingAlgDefaultImpl
+policyset.signingCertSet.9.default.name=Signing Alg
+policyset.signingCertSet.9.default.params.signingAlg=SHA1withRSA
+policyset.signingCertSet.9.default.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA
diff --git a/pki/base/ca/shared/profiles/ca/caDualRAuserCert.cfg b/pki/base/ca/shared/profiles/ca/caDualRAuserCert.cfg
new file mode 100644
index 000000000..0f6036cf2
--- /dev/null
+++ b/pki/base/ca/shared/profiles/ca/caDualRAuserCert.cfg
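Review bot: `policyset.signingCertSet.9.default.params.signingAlg=SHA1withRSA` pins the signing certificate to SHA-1 while `policyset.encryptionCertSet.9.default.params.signingAlg=-` in the same file defers to the CA's configured algorithm, and the trailing `policyset.signingCertSet.9.default.params.signingAlgsAllowed=...` line duplicates the constraint's parameter under the default, which no other profile in this commit does. `policyset.signingCertSet.list=1,2,3,4,6,7,8,9` also skips entry 5, so the signing certificate carries no AIA/OCSP pointer although the encryption certificate does, and `policyset.signingCertSet.2.default.params.startTime=60` differs from the encryption set's `0` with nothing explaining why. Suggest `policyset.signingCertSet.9.default.params.signingAlg=-`, dropping the duplicated signingAlgsAllowed default line, and either adding a `5` AIA policy to signingCertSet or stating in `desc=` why the signing certificate omits it.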
@@ -0,0 +1,95 @@
+desc=This certificate profile is for enrolling user certificates with RA agent authentication.
+visible=true
+enable=true
+enableBy=admin
+auth.instance_id=raCertAuth
+name=RA Agent-Authenticated User Certificate Enrollment
+input.list=i1,i2
+input.i1.class_id=certReqInputImpl
+input.i2.class_id=submitterInfoInputImpl
+output.list=o1
+output.o1.class_id=certOutputImpl
+policyset.list=userCertSet
+policyset.userCertSet.list=1,2,3,4,5,6,7,8,9
+policyset.userCertSet.1.constraint.class_id=subjectNameConstraintImpl
+policyset.userCertSet.1.constraint.name=Subject Name Constraint
+policyset.userCertSet.1.constraint.params.pattern=.*UID=.*
+policyset.userCertSet.1.constraint.params.accept=true
+policyset.userCertSet.1.default.class_id=userSubjectNameDefaultImpl
+policyset.userCertSet.1.default.name=Subject Name Default
+policyset.userCertSet.1.default.params.name=
+policyset.userCertSet.2.constraint.class_id=validityConstraintImpl
+policyset.userCertSet.2.constraint.name=Validity Constraint
+policyset.userCertSet.2.constraint.params.range=365
+policyset.userCertSet.2.constraint.params.notBeforeCheck=false
+policyset.userCertSet.2.constraint.params.notAfterCheck=false
+policyset.userCertSet.2.default.class_id=validityDefaultImpl
+policyset.userCertSet.2.default.name=Validity Default
+policyset.userCertSet.2.default.params.range=180
+policyset.userCertSet.2.default.params.startTime=0
+policyset.userCertSet.3.constraint.class_id=keyConstraintImpl
+policyset.userCertSet.3.constraint.name=Key Constraint
+policyset.userCertSet.3.constraint.params.keyType=-
+policyset.userCertSet.3.constraint.params.keyMinLength=256
+policyset.userCertSet.3.constraint.params.keyMaxLength=4096
+policyset.userCertSet.3.default.class_id=userKeyDefaultImpl
+policyset.userCertSet.3.default.name=Key Default
+policyset.userCertSet.4.constraint.class_id=noConstraintImpl
+policyset.userCertSet.4.constraint.name=No Constraint
+policyset.userCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl
+policyset.userCertSet.4.default.name=Authority Key Identifier Default
+policyset.userCertSet.5.constraint.class_id=noConstraintImpl
+policyset.userCertSet.5.constraint.name=No Constraint
+policyset.userCertSet.5.default.class_id=authInfoAccessExtDefaultImpl
+policyset.userCertSet.5.default.name=AIA Extension Default
+policyset.userCertSet.5.default.params.authInfoAccessADEnable_0=true
+policyset.userCertSet.5.default.params.authInfoAccessADLocationType_0=URIName
+policyset.userCertSet.5.default.params.authInfoAccessADLocation_0=
+policyset.userCertSet.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1
+policyset.userCertSet.5.default.params.authInfoAccessCritical=false
+policyset.userCertSet.5.default.params.authInfoAccessNumADs=1
+policyset.userCertSet.6.constraint.class_id=keyUsageExtConstraintImpl
+policyset.userCertSet.6.constraint.name=Key Usage Extension Constraint
+policyset.userCertSet.6.constraint.params.keyUsageCritical=true
+policyset.userCertSet.6.constraint.params.keyUsageDigitalSignature=true
+policyset.userCertSet.6.constraint.params.keyUsageNonRepudiation=true
+policyset.userCertSet.6.constraint.params.keyUsageDataEncipherment=false
+policyset.userCertSet.6.constraint.params.keyUsageKeyEncipherment=true
+policyset.userCertSet.6.constraint.params.keyUsageKeyAgreement=false
+policyset.userCertSet.6.constraint.params.keyUsageKeyCertSign=false
+policyset.userCertSet.6.constraint.params.keyUsageCrlSign=false
+policyset.userCertSet.6.constraint.params.keyUsageEncipherOnly=false
+policyset.userCertSet.6.constraint.params.keyUsageDecipherOnly=false
+policyset.userCertSet.6.default.class_id=keyUsageExtDefaultImpl
+policyset.userCertSet.6.default.name=Key Usage Default
+policyset.userCertSet.6.default.params.keyUsageCritical=true
+policyset.userCertSet.6.default.params.keyUsageDigitalSignature=true
+policyset.userCertSet.6.default.params.keyUsageNonRepudiation=true
+policyset.userCertSet.6.default.params.keyUsageDataEncipherment=false
+policyset.userCertSet.6.default.params.keyUsageKeyEncipherment=true
+policyset.userCertSet.6.default.params.keyUsageKeyAgreement=false
+policyset.userCertSet.6.default.params.keyUsageKeyCertSign=false
+policyset.userCertSet.6.default.params.keyUsageCrlSign=false
+policyset.userCertSet.6.default.params.keyUsageEncipherOnly=false
+policyset.userCertSet.6.default.params.keyUsageDecipherOnly=false
+policyset.userCertSet.7.constraint.class_id=noConstraintImpl
+policyset.userCertSet.7.constraint.name=No Constraint
+policyset.userCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl
+policyset.userCertSet.7.default.name=Extended Key Usage Extension Default
+policyset.userCertSet.7.default.params.exKeyUsageCritical=false
+policyset.userCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4
+policyset.userCertSet.8.constraint.class_id=noConstraintImpl
+policyset.userCertSet.8.constraint.name=No Constraint
+policyset.userCertSet.8.default.class_id=subjectAltNameExtDefaultImpl
+policyset.userCertSet.8.default.name=Subject Alt Name Constraint
+policyset.userCertSet.8.default.params.subjAltNameExtCritical=false
+policyset.userCertSet.8.default.params.subjAltExtType_0=RFC822Name
+policyset.userCertSet.8.default.params.subjAltExtPattern_0=$request.requestor_email$
+policyset.userCertSet.8.default.params.subjAltExtGNEnable_0=true
+policyset.userCertSet.8.default.params.subjAltNameNumGNs=1
+policyset.userCertSet.9.constraint.class_id=signingAlgConstraintImpl
+policyset.userCertSet.9.constraint.name=No Constraint
+policyset.userCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withEC
+policyset.userCertSet.9.default.class_id=signingAlgDefaultImpl
+policyset.userCertSet.9.default.name=Signing Alg
+policyset.userCertSet.9.default.params.signingAlg=-
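Review bot: `policyset.userCertSet.9.constraint.params.signingAlgsAllowed` still admits `MD5withRSA` and `MD2withRSA`, and `policyset.userCertSet.3.constraint.params.keyMinLength=256` with `keyType=-` sets a key-size floor far below what RSA needs, so the profile rejects neither collision-prone signature algorithms nor very small keys. Dropping the MD* entries, e.g. `policyset.userCertSet.9.constraint.params.signingAlgsAllowed=SHA256withRSA,SHA512withRSA,SHA1withRSA,SHA1withEC`, and raising the floor (`policyset.userCertSet.3.constraint.params.keyMinLength=2048` if the check applies to RSA sizes only; otherwise gate it per `keyType`) closes both. The same `signingAlgsAllowed` lists and `keyMinLength=256` appear in caFullCMCUserCert.cfg, caInstallCACert.cfg, caInternalAuthDRMstorageCert.cfg, caInternalAuthOCSPCert.cfg, caInternalAuthServerCert.cfg and caInternalAuthSubsystemCert.cfg, and in each the label `constraint.name=No Constraint` misdescribes a `signingAlgConstraintImpl` that does constrain. Separately, set 8 copies `$request.requestor_email$` into the SAN rfc822Name under `noConstraintImpl`, so the address that ends up in a certificate carrying the emailProtection EKU is whatever the submitter typed; that is acceptable only if the RA agent approval behind `auth.instance_id=raCertAuth` is understood to vouch for it, which a line in `desc` should say.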
diff --git a/pki/base/ca/shared/profiles/ca/caFullCMCUserCert.cfg b/pki/base/ca/shared/profiles/ca/caFullCMCUserCert.cfg
new file mode 100644
index 000000000..11a5475ec
--- /dev/null
+++ b/pki/base/ca/shared/profiles/ca/caFullCMCUserCert.cfg
@@ -0,0 +1,86 @@
+desc=This certificate profile is for enrolling user certificates by using the CMC certificate request with CMC Signature authentication.
+enable=true
+enableBy=admin
+name=Signed CMC-Authenticated User Certificate Enrollment
+visible=false
+auth.instance_id=CMCAuth
+input.list=i1,i2
+input.i1.class_id=cmcCertReqInputImpl
+input.i2.class_id=submitterInfoInputImpl
+output.list=o1
+output.o1.class_id=certOutputImpl
+policyset.list=cmcUserCertSet
+policyset.cmcUserCertSet.list=1,2,3,4,5,6,7,8
+policyset.cmcUserCertSet.1.constraint.class_id=subjectNameConstraintImpl
+policyset.cmcUserCertSet.1.constraint.name=Subject Name Constraint
+policyset.cmcUserCertSet.1.constraint.params.accept=true
+policyset.cmcUserCertSet.1.constraint.params.pattern=.*
+policyset.cmcUserCertSet.1.default.class_id=userSubjectNameDefaultImpl
+policyset.cmcUserCertSet.1.default.name=Subject Name Default
+policyset.cmcUserCertSet.1.default.params.name=
+policyset.cmcUserCertSet.2.constraint.class_id=validityConstraintImpl
+policyset.cmcUserCertSet.2.constraint.name=Validity Constraint
+policyset.cmcUserCertSet.2.constraint.params.notAfterCheck=false
+policyset.cmcUserCertSet.2.constraint.params.notBeforeCheck=false
+policyset.cmcUserCertSet.2.constraint.params.range=365
+policyset.cmcUserCertSet.2.default.class_id=validityDefaultImpl
+policyset.cmcUserCertSet.2.default.name=Validity Default
+policyset.cmcUserCertSet.2.default.params.range=180
+policyset.cmcUserCertSet.2.default.params.startTime=0
+policyset.cmcUserCertSet.3.constraint.class_id=keyConstraintImpl
+policyset.cmcUserCertSet.3.constraint.name=Key Constraint
+policyset.cmcUserCertSet.3.constraint.params.keyMaxLength=4096
+policyset.cmcUserCertSet.3.constraint.params.keyMinLength=256
+policyset.cmcUserCertSet.3.constraint.params.keyType=-
+policyset.cmcUserCertSet.3.default.class_id=userKeyDefaultImpl
+policyset.cmcUserCertSet.3.default.name=Key Default
+policyset.cmcUserCertSet.4.constraint.class_id=noConstraintImpl
+policyset.cmcUserCertSet.4.constraint.name=No Constraint
+policyset.cmcUserCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl
+policyset.cmcUserCertSet.4.default.name=Authority Key Identifier Default
+policyset.cmcUserCertSet.5.constraint.class_id=noConstraintImpl
+policyset.cmcUserCertSet.5.constraint.name=No Constraint
+policyset.cmcUserCertSet.5.default.class_id=authInfoAccessExtDefaultImpl
+policyset.cmcUserCertSet.5.default.name=AIA Extension Default
+policyset.cmcUserCertSet.5.default.params.authInfoAccessADEnable_0=true
+policyset.cmcUserCertSet.5.default.params.authInfoAccessADLocationType_0=URIName
+policyset.cmcUserCertSet.5.default.params.authInfoAccessADLocation_0=
+policyset.cmcUserCertSet.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1
+policyset.cmcUserCertSet.5.default.params.authInfoAccessCritical=false
+policyset.cmcUserCertSet.5.default.params.authInfoAccessNumADs=1
+policyset.cmcUserCertSet.6.constraint.class_id=keyUsageExtConstraintImpl
+policyset.cmcUserCertSet.6.constraint.name=Key Usage Extension Constraint
+policyset.cmcUserCertSet.6.constraint.params.keyUsageCritical=true
+policyset.cmcUserCertSet.6.constraint.params.keyUsageCrlSign=false
+policyset.cmcUserCertSet.6.constraint.params.keyUsageDataEncipherment=false
+policyset.cmcUserCertSet.6.constraint.params.keyUsageDecipherOnly=false
+policyset.cmcUserCertSet.6.constraint.params.keyUsageDigitalSignature=true
+policyset.cmcUserCertSet.6.constraint.params.keyUsageEncipherOnly=false
+policyset.cmcUserCertSet.6.constraint.params.keyUsageKeyAgreement=false
+policyset.cmcUserCertSet.6.constraint.params.keyUsageKeyCertSign=false
+policyset.cmcUserCertSet.6.constraint.params.keyUsageKeyEncipherment=true
+policyset.cmcUserCertSet.6.constraint.params.keyUsageNonRepudiation=true
+policyset.cmcUserCertSet.6.default.class_id=keyUsageExtDefaultImpl
+policyset.cmcUserCertSet.6.default.name=Key Usage Default
+policyset.cmcUserCertSet.6.default.params.keyUsageCritical=true
+policyset.cmcUserCertSet.6.default.params.keyUsageCrlSign=false
+policyset.cmcUserCertSet.6.default.params.keyUsageDataEncipherment=false
+policyset.cmcUserCertSet.6.default.params.keyUsageDecipherOnly=false
+policyset.cmcUserCertSet.6.default.params.keyUsageDigitalSignature=true
+policyset.cmcUserCertSet.6.default.params.keyUsageEncipherOnly=false
+policyset.cmcUserCertSet.6.default.params.keyUsageKeyAgreement=false
+policyset.cmcUserCertSet.6.default.params.keyUsageKeyCertSign=false
+policyset.cmcUserCertSet.6.default.params.keyUsageKeyEncipherment=true
+policyset.cmcUserCertSet.6.default.params.keyUsageNonRepudiation=true
+policyset.cmcUserCertSet.7.constraint.class_id=noConstraintImpl
+policyset.cmcUserCertSet.7.constraint.name=No Constraint
+policyset.cmcUserCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl
+policyset.cmcUserCertSet.7.default.name=Extended Key Usage Extension Default
+policyset.cmcUserCertSet.7.default.params.exKeyUsageCritical=false
+policyset.cmcUserCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4
+policyset.cmcUserCertSet.8.constraint.class_id=signingAlgConstraintImpl
+policyset.cmcUserCertSet.8.constraint.name=No Constraint
+policyset.cmcUserCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC
+policyset.cmcUserCertSet.8.default.class_id=signingAlgDefaultImpl
+policyset.cmcUserCertSet.8.default.name=Signing Alg
+policyset.cmcUserCertSet.8.default.params.signingAlg=-
diff --git a/pki/base/ca/shared/profiles/ca/caInstallCACert.cfg b/pki/base/ca/shared/profiles/ca/caInstallCACert.cfg
new file mode 100644
index 000000000..2f01ee306
--- /dev/null
+++ b/pki/base/ca/shared/profiles/ca/caInstallCACert.cfg
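Review bot: `policyset.cmcUserCertSet.1.constraint.params.pattern=.*` with `accept=true` accepts any subject DN, so nothing in the profile ties the issued subject to the identity that `auth.instance_id=CMCAuth` verified; unless CMCAuth itself binds the requested subject to the CMC signer (not visible here), a validly signed request can name anyone, whereas the sibling caDualRAuserCert.cfg at least requires `.*UID=.*`. Narrowing it, e.g. `policyset.cmcUserCertSet.1.constraint.params.pattern=.*UID=.*`, or stating in `desc` that agent review is the intended gate, would make the trust boundary explicit. `visible=false` together with `enable=true` also leaves the profile live but hidden from the enrollment listing, which is worth a word in `desc` so it is not mistaken for disabled.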
@@ -0,0 +1,97 @@
+desc=This certificate profile is for enrolling Security Domain Certificate Authority certificates.
+visible=true
+enable=true
+enableBy=admin
+auth.instance_id=TokenAuth
+authz.acl=group="Enterprise OCSP Administrators" || group="Enterprise CA Administrators" || group="Enterprise KRA Administrators" || group="Enterprise TKS Administrators" || group="Enterprise TPS Administrators"
+name=Manual Security Domain Certificate Authority Signing Certificate Enrollment
+input.list=i1,i2
+input.i1.class_id=certReqInputImpl
+input.i2.class_id=submitterInfoInputImpl
+output.list=o1
+output.o1.class_id=certOutputImpl
+policyset.list=caCertSet
+policyset.caCertSet.list=1,2,3,4,5,6,8,9,10
+policyset.caCertSet.1.constraint.class_id=subjectNameConstraintImpl
+policyset.caCertSet.1.constraint.name=Subject Name Constraint
+policyset.caCertSet.1.constraint.params.pattern=CN=.*
+policyset.caCertSet.1.constraint.params.accept=true
+policyset.caCertSet.1.default.class_id=userSubjectNameDefaultImpl
+policyset.caCertSet.1.default.name=Subject Name Default
+policyset.caCertSet.1.default.params.name=
+policyset.caCertSet.2.constraint.class_id=validityConstraintImpl
+policyset.caCertSet.2.constraint.name=Validity Constraint
+policyset.caCertSet.2.constraint.params.range=720
+policyset.caCertSet.2.constraint.params.notBeforeCheck=false
+policyset.caCertSet.2.constraint.params.notAfterCheck=false
+policyset.caCertSet.2.default.class_id=validityDefaultImpl
+policyset.caCertSet.2.default.name=Validity Default
+policyset.caCertSet.2.default.params.range=720
+policyset.caCertSet.2.default.params.startTime=0
+policyset.caCertSet.3.constraint.class_id=keyConstraintImpl
+policyset.caCertSet.3.constraint.name=Key Constraint
+policyset.caCertSet.3.constraint.params.keyType=-
+policyset.caCertSet.3.constraint.params.keyMinLength=256
+policyset.caCertSet.3.constraint.params.keyMaxLength=4096
+policyset.caCertSet.3.default.class_id=userKeyDefaultImpl
+policyset.caCertSet.3.default.name=Key Default
+policyset.caCertSet.4.constraint.class_id=noConstraintImpl
+policyset.caCertSet.4.constraint.name=No Constraint
+policyset.caCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl
+policyset.caCertSet.4.default.name=Authority Key Identifier Default
+policyset.caCertSet.5.constraint.class_id=basicConstraintsExtConstraintImpl
+policyset.caCertSet.5.constraint.name=Basic Constraint Extension Constraint
+policyset.caCertSet.5.constraint.params.basicConstraintsCritical=true
+policyset.caCertSet.5.constraint.params.basicConstraintsIsCA=true
+policyset.caCertSet.5.constraint.params.basicConstraintsMinPathLen=-1
+policyset.caCertSet.5.constraint.params.basicConstraintsMaxPathLen=-1
+policyset.caCertSet.5.default.class_id=basicConstraintsExtDefaultImpl
+policyset.caCertSet.5.default.name=Basic Constraints Extension Default
+policyset.caCertSet.5.default.params.basicConstraintsCritical=true
+policyset.caCertSet.5.default.params.basicConstraintsIsCA=true
+policyset.caCertSet.5.default.params.basicConstraintsPathLen=-1
+policyset.caCertSet.6.constraint.class_id=keyUsageExtConstraintImpl
+policyset.caCertSet.6.constraint.name=Key Usage Extension Constraint
+policyset.caCertSet.6.constraint.params.keyUsageCritical=true
+policyset.caCertSet.6.constraint.params.keyUsageDigitalSignature=true
+policyset.caCertSet.6.constraint.params.keyUsageNonRepudiation=true
+policyset.caCertSet.6.constraint.params.keyUsageDataEncipherment=false
+policyset.caCertSet.6.constraint.params.keyUsageKeyEncipherment=false
+policyset.caCertSet.6.constraint.params.keyUsageKeyAgreement=false
+policyset.caCertSet.6.constraint.params.keyUsageKeyCertSign=true
+policyset.caCertSet.6.constraint.params.keyUsageCrlSign=true
+policyset.caCertSet.6.constraint.params.keyUsageEncipherOnly=false
+policyset.caCertSet.6.constraint.params.keyUsageDecipherOnly=false
+policyset.caCertSet.6.default.class_id=keyUsageExtDefaultImpl
+policyset.caCertSet.6.default.name=Key Usage Default
+policyset.caCertSet.6.default.params.keyUsageCritical=true
+policyset.caCertSet.6.default.params.keyUsageDigitalSignature=true
+policyset.caCertSet.6.default.params.keyUsageNonRepudiation=true
+policyset.caCertSet.6.default.params.keyUsageDataEncipherment=false
+policyset.caCertSet.6.default.params.keyUsageKeyEncipherment=false
+policyset.caCertSet.6.default.params.keyUsageKeyAgreement=false
+policyset.caCertSet.6.default.params.keyUsageKeyCertSign=true
+policyset.caCertSet.6.default.params.keyUsageCrlSign=true
+policyset.caCertSet.6.default.params.keyUsageEncipherOnly=false
+policyset.caCertSet.6.default.params.keyUsageDecipherOnly=false
+policyset.caCertSet.8.constraint.class_id=noConstraintImpl
+policyset.caCertSet.8.constraint.name=No Constraint
+policyset.caCertSet.8.default.class_id=subjectKeyIdentifierExtDefaultImpl
+policyset.caCertSet.8.default.name=Subject Key Identifier Extension Default
+policyset.caCertSet.8.default.params.critical=false
+policyset.caCertSet.9.constraint.class_id=signingAlgConstraintImpl
+policyset.caCertSet.9.constraint.name=No Constraint
+policyset.caCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC
+policyset.caCertSet.9.default.class_id=signingAlgDefaultImpl
+policyset.caCertSet.9.default.name=Signing Alg
+policyset.caCertSet.9.default.params.signingAlg=-
+policyset.caCertSet.10.constraint.class_id=noConstraintImpl
+policyset.caCertSet.10.constraint.name=No Constraint
+policyset.caCertSet.10.default.class_id=authInfoAccessExtDefaultImpl
+policyset.caCertSet.10.default.name=AIA Extension Default
+policyset.caCertSet.10.default.params.authInfoAccessADEnable_0=true
+policyset.caCertSet.10.default.params.authInfoAccessADLocationType_0=URIName
+policyset.caCertSet.10.default.params.authInfoAccessADLocation_0=
+policyset.caCertSet.10.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1
+policyset.caCertSet.10.default.params.authInfoAccessCritical=false
+policyset.caCertSet.10.default.params.authInfoAccessNumADs=1
diff --git a/pki/base/ca/shared/profiles/ca/caInternalAuthDRMstorageCert.cfg b/pki/base/ca/shared/profiles/ca/caInternalAuthDRMstorageCert.cfg
new file mode 100644
index 000000000..5702c7662
--- /dev/null
+++ b/pki/base/ca/shared/profiles/ca/caInternalAuthDRMstorageCert.cfg
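Review bot: `authz.acl` lets Enterprise OCSP, KRA, TKS and TPS administrators enroll through a profile that issues certificates with `keyUsageKeyCertSign=true`, `keyUsageCrlSign=true` and `basicConstraintsIsCA=true`, which is wider than a CA-signing-certificate profile needs; unless those roles are expected to install subordinate CAs, `authz.acl=group="Enterprise CA Administrators"` is the least-privilege default. The list also omits "Enterprise RA Administrators", which every sibling profile in this commit includes, so a comment stating whether that is deliberate would stop someone "fixing" it. Set 5 issues with `basicConstraintsPathLen=-1` and accepts `basicConstraintsMaxPathLen=-1`, which appears to mean no pathLenConstraint at all, so a CA issued here can itself issue unbounded further CAs; if security-domain CAs are meant to be leaf issuers, `policyset.caCertSet.5.default.params.basicConstraintsPathLen=0` with a matching `policyset.caCertSet.5.constraint.params.basicConstraintsMaxPathLen=0` is the tighter setting.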
@@ -0,0 +1,72 @@
+desc=This certificate profile is for enrolling Security Domain DRM storage certificates
+visible=true
+enable=true
+enableBy=admin
+auth.instance_id=TokenAuth
+authz.acl=group="Enterprise OCSP Administrators" || group="Enterprise RA Administrators" || group="Enterprise CA Administrators" || group="Enterprise KRA Administrators" || group="Enterprise TKS Administrators" || group="Enterprise TPS Administrators"
+name=Security Domain DRM storage Certificate Enrollment
+input.list=i1,i2
+input.i1.class_id=certReqInputImpl
+input.i2.class_id=submitterInfoInputImpl
+output.list=o1
+output.o1.class_id=certOutputImpl
+policyset.list=ocspCertSet
+policyset.ocspCertSet.list=1,2,3,4,5,6,8,9
+policyset.ocspCertSet.1.constraint.class_id=subjectNameConstraintImpl
+policyset.ocspCertSet.1.constraint.name=Subject Name Constraint
+policyset.ocspCertSet.1.constraint.params.pattern=CN=.*
+policyset.ocspCertSet.1.constraint.params.accept=true
+policyset.ocspCertSet.1.default.class_id=userSubjectNameDefaultImpl
+policyset.ocspCertSet.1.default.name=Subject Name Default
+policyset.ocspCertSet.1.default.params.name=
+policyset.ocspCertSet.2.constraint.class_id=validityConstraintImpl
+policyset.ocspCertSet.2.constraint.name=Validity Constraint
+policyset.ocspCertSet.2.constraint.params.range=720
+policyset.ocspCertSet.2.constraint.params.notBeforeCheck=false
+policyset.ocspCertSet.2.constraint.params.notAfterCheck=false
+policyset.ocspCertSet.2.default.class_id=validityDefaultImpl
+policyset.ocspCertSet.2.default.name=Validity Default
+policyset.ocspCertSet.2.default.params.range=720
+policyset.ocspCertSet.2.default.params.startTime=0
+policyset.ocspCertSet.3.constraint.class_id=keyConstraintImpl
+policyset.ocspCertSet.3.constraint.name=Key Constraint
+policyset.ocspCertSet.3.constraint.params.keyType=-
+policyset.ocspCertSet.3.constraint.params.keyMinLength=256
+policyset.ocspCertSet.3.constraint.params.keyMaxLength=4096
+policyset.ocspCertSet.3.default.class_id=userKeyDefaultImpl
+policyset.ocspCertSet.3.default.name=Key Default
+policyset.ocspCertSet.4.constraint.class_id=noConstraintImpl
+policyset.ocspCertSet.4.constraint.name=No Constraint
+policyset.ocspCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl
+policyset.ocspCertSet.4.default.name=Authority Key Identifier Default
+policyset.ocspCertSet.5.constraint.class_id=noConstraintImpl
+policyset.ocspCertSet.5.constraint.name=No Constraint
+policyset.ocspCertSet.5.default.class_id=authInfoAccessExtDefaultImpl
+policyset.ocspCertSet.5.default.name=AIA Extension Default
+policyset.ocspCertSet.5.default.params.authInfoAccessADEnable_0=true
+policyset.ocspCertSet.5.default.params.authInfoAccessADLocationType_0=URIName
+policyset.ocspCertSet.5.default.params.authInfoAccessADLocation_0=
+policyset.ocspCertSet.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1
+policyset.ocspCertSet.5.default.params.authInfoAccessCritical=false
+policyset.ocspCertSet.5.default.params.authInfoAccessNumADs=1
+policyset.ocspCertSet.6.constraint.class_id=extendedKeyUsageExtConstraintImpl
+policyset.ocspCertSet.6.constraint.name=Extended Key Usage Extension
+policyset.ocspCertSet.6.constraint.params.exKeyUsageCritical=false
+policyset.ocspCertSet.6.constraint.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.9
+policyset.ocspCertSet.6.default.class_id=extendedKeyUsageExtDefaultImpl
+policyset.ocspCertSet.6.default.name=Extended Key Usage Default
+policyset.ocspCertSet.6.default.params.exKeyUsageCritical=false
+policyset.ocspCertSet.6.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.9
+policyset.ocspCertSet.8.constraint.class_id=extensionConstraintImpl
+policyset.ocspCertSet.8.constraint.name=No Constraint
+policyset.ocspCertSet.8.constraint.params.extCritical=false
+policyset.ocspCertSet.8.constraint.params.extOID=1.3.6.1.5.5.7.48.1.5
+policyset.ocspCertSet.8.default.class_id=ocspNoCheckExtDefaultImpl
+policyset.ocspCertSet.8.default.name=OCSP No Check Extension
+policyset.ocspCertSet.8.default.params.ocspNoCheckCritical=false
+policyset.ocspCertSet.9.constraint.class_id=signingAlgConstraintImpl
+policyset.ocspCertSet.9.constraint.name=No Constraint
+policyset.ocspCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC
+policyset.ocspCertSet.9.default.class_id=signingAlgDefaultImpl
+policyset.ocspCertSet.9.default.name=Signing Alg
+policyset.ocspCertSet.9.default.params.signingAlg=-
diff --git a/pki/base/ca/shared/profiles/ca/caInternalAuthOCSPCert.cfg b/pki/base/ca/shared/profiles/ca/caInternalAuthOCSPCert.cfg
new file mode 100644
index 000000000..453d31e06
--- /dev/null
+++ b/pki/base/ca/shared/profiles/ca/caInternalAuthOCSPCert.cfg
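Review bot: This DRM storage profile issues certificates carrying `exKeyUsageOIDs=1.3.6.1.5.5.7.3.9` (OCSP signing) and the id-pkix-ocsp-nocheck extension (set 8, `extOID=1.3.6.1.5.5.7.48.1.5`), with no Key Usage extension at all; it is byte-for-byte the OCSP manager profile apart from `desc` and `name`, down to the policy set still being called `ocspCertSet`. A KRA storage certificate is a key-wrapping certificate, so with this profile every storage certificate is also a delegated OCSP responder certificate for this CA, and relying parties honoring no-check will not revocation-check it. Replace set 6 with a key-usage constraint/default carrying the encipherment bits (mirroring caInternalAuthServerCert.cfg set 6), drop set 8 from the list, and confirm the exact flags against whatever storage profile the KRA actually consumes; renaming the set is cosmetic and can follow later.
```properties
policyset.ocspCertSet.list=1,2,3,4,5,6,9
# … unchanged: sets 1-5 …
policyset.ocspCertSet.6.constraint.class_id=keyUsageExtConstraintImpl
policyset.ocspCertSet.6.constraint.name=Key Usage Extension Constraint
policyset.ocspCertSet.6.constraint.params.keyUsageCritical=true
policyset.ocspCertSet.6.constraint.params.keyUsageDigitalSignature=true
policyset.ocspCertSet.6.constraint.params.keyUsageNonRepudiation=true
policyset.ocspCertSet.6.constraint.params.keyUsageDataEncipherment=true
policyset.ocspCertSet.6.constraint.params.keyUsageKeyEncipherment=true
policyset.ocspCertSet.6.constraint.params.keyUsageKeyAgreement=false
policyset.ocspCertSet.6.constraint.params.keyUsageKeyCertSign=false
policyset.ocspCertSet.6.constraint.params.keyUsageCrlSign=false
policyset.ocspCertSet.6.constraint.params.keyUsageEncipherOnly=false
policyset.ocspCertSet.6.constraint.params.keyUsageDecipherOnly=false
policyset.ocspCertSet.6.default.class_id=keyUsageExtDefaultImpl
policyset.ocspCertSet.6.default.name=Key Usage Default
policyset.ocspCertSet.6.default.params.keyUsageCritical=true
policyset.ocspCertSet.6.default.params.keyUsageDigitalSignature=true
policyset.ocspCertSet.6.default.params.keyUsageNonRepudiation=true
policyset.ocspCertSet.6.default.params.keyUsageDataEncipherment=true
policyset.ocspCertSet.6.default.params.keyUsageKeyEncipherment=true
policyset.ocspCertSet.6.default.params.keyUsageKeyAgreement=false
policyset.ocspCertSet.6.default.params.keyUsageKeyCertSign=false
policyset.ocspCertSet.6.default.params.keyUsageCrlSign=false
policyset.ocspCertSet.6.default.params.keyUsageEncipherOnly=false
policyset.ocspCertSet.6.default.params.keyUsageDecipherOnly=false
# … unchanged: set 9 (signing algorithm) …
```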
@@ -0,0 +1,72 @@
+desc=This certificate profile is for enrolling Security Domain OCSP Manager certificates.
+visible=true
+enable=true
+enableBy=admin
+auth.instance_id=TokenAuth
+authz.acl=group="Enterprise OCSP Administrators" || group="Enterprise RA Administrators" || group="Enterprise CA Administrators" || group="Enterprise KRA Administrators" || group="Enterprise TKS Administrators" || group="Enterprise TPS Administrators"
+name=Security Domain OCSP Manager Signing Certificate Enrollment
+input.list=i1,i2
+input.i1.class_id=certReqInputImpl
+input.i2.class_id=submitterInfoInputImpl
+output.list=o1
+output.o1.class_id=certOutputImpl
+policyset.list=ocspCertSet
+policyset.ocspCertSet.list=1,2,3,4,5,6,8,9
+policyset.ocspCertSet.1.constraint.class_id=subjectNameConstraintImpl
+policyset.ocspCertSet.1.constraint.name=Subject Name Constraint
+policyset.ocspCertSet.1.constraint.params.pattern=CN=.*
+policyset.ocspCertSet.1.constraint.params.accept=true
+policyset.ocspCertSet.1.default.class_id=userSubjectNameDefaultImpl
+policyset.ocspCertSet.1.default.name=Subject Name Default
+policyset.ocspCertSet.1.default.params.name=
+policyset.ocspCertSet.2.constraint.class_id=validityConstraintImpl
+policyset.ocspCertSet.2.constraint.name=Validity Constraint
+policyset.ocspCertSet.2.constraint.params.range=720
+policyset.ocspCertSet.2.constraint.params.notBeforeCheck=false
+policyset.ocspCertSet.2.constraint.params.notAfterCheck=false
+policyset.ocspCertSet.2.default.class_id=validityDefaultImpl
+policyset.ocspCertSet.2.default.name=Validity Default
+policyset.ocspCertSet.2.default.params.range=720
+policyset.ocspCertSet.2.default.params.startTime=0
+policyset.ocspCertSet.3.constraint.class_id=keyConstraintImpl
+policyset.ocspCertSet.3.constraint.name=Key Constraint
+policyset.ocspCertSet.3.constraint.params.keyType=-
+policyset.ocspCertSet.3.constraint.params.keyMinLength=256
+policyset.ocspCertSet.3.constraint.params.keyMaxLength=4096
+policyset.ocspCertSet.3.default.class_id=userKeyDefaultImpl
+policyset.ocspCertSet.3.default.name=Key Default
+policyset.ocspCertSet.4.constraint.class_id=noConstraintImpl
+policyset.ocspCertSet.4.constraint.name=No Constraint
+policyset.ocspCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl
+policyset.ocspCertSet.4.default.name=Authority Key Identifier Default
+policyset.ocspCertSet.5.constraint.class_id=noConstraintImpl
+policyset.ocspCertSet.5.constraint.name=No Constraint
+policyset.ocspCertSet.5.default.class_id=authInfoAccessExtDefaultImpl
+policyset.ocspCertSet.5.default.name=AIA Extension Default
+policyset.ocspCertSet.5.default.params.authInfoAccessADEnable_0=true
+policyset.ocspCertSet.5.default.params.authInfoAccessADLocationType_0=URIName
+policyset.ocspCertSet.5.default.params.authInfoAccessADLocation_0=
+policyset.ocspCertSet.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1
+policyset.ocspCertSet.5.default.params.authInfoAccessCritical=false
+policyset.ocspCertSet.5.default.params.authInfoAccessNumADs=1
+policyset.ocspCertSet.6.constraint.class_id=extendedKeyUsageExtConstraintImpl
+policyset.ocspCertSet.6.constraint.name=Extended Key Usage Extension
+policyset.ocspCertSet.6.constraint.params.exKeyUsageCritical=false
+policyset.ocspCertSet.6.constraint.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.9
+policyset.ocspCertSet.6.default.class_id=extendedKeyUsageExtDefaultImpl
+policyset.ocspCertSet.6.default.name=Extended Key Usage Default
+policyset.ocspCertSet.6.default.params.exKeyUsageCritical=false
+policyset.ocspCertSet.6.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.9
+policyset.ocspCertSet.8.constraint.class_id=extensionConstraintImpl
+policyset.ocspCertSet.8.constraint.name=No Constraint
+policyset.ocspCertSet.8.constraint.params.extCritical=false
+policyset.ocspCertSet.8.constraint.params.extOID=1.3.6.1.5.5.7.48.1.5
+policyset.ocspCertSet.8.default.class_id=ocspNoCheckExtDefaultImpl
+policyset.ocspCertSet.8.default.name=OCSP No Check Extension
+policyset.ocspCertSet.8.default.params.ocspNoCheckCritical=false
+policyset.ocspCertSet.9.constraint.class_id=signingAlgConstraintImpl
+policyset.ocspCertSet.9.constraint.name=No Constraint
+policyset.ocspCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC
+policyset.ocspCertSet.9.default.class_id=signingAlgDefaultImpl
+policyset.ocspCertSet.9.default.name=Signing Alg
+policyset.ocspCertSet.9.default.params.signingAlg=-
diff --git a/pki/base/ca/shared/profiles/ca/caInternalAuthServerCert.cfg b/pki/base/ca/shared/profiles/ca/caInternalAuthServerCert.cfg
new file mode 100644
index 000000000..85aff8b4f
--- /dev/null
+++ b/pki/base/ca/shared/profiles/ca/caInternalAuthServerCert.cfg
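Review bot: Set 8 stamps id-pkix-ocsp-nocheck onto a responder certificate that `policyset.ocspCertSet.2.default.params.range=720` keeps valid for two years, and relying parties honoring no-check will not revocation-check it for that whole period, so a compromised responder key cannot be cut off short of re-keying the CA or waiting for expiry; RFC 2560/6960 section 4.2.2.2.1 spells out exactly this trade-off and points at a short validity with frequent renewal, so a much smaller `range` here (or dropping set 8) is the safer configuration. The profile also emits no Key Usage extension, while an OCSP responder certificate is expected to carry digitalSignature and some verifiers reject a signer without it; a `keyUsageExtDefaultImpl` set limited to `keyUsageDigitalSignature=true` with the other bits false belongs in the list. Minor: set 8's `constraint.name=No Constraint` mislabels an `extensionConstraintImpl` that does check the OID.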
@@ -0,0 +1,87 @@
+desc=This certificate profile is for enrolling Security Domain server certificates.
+visible=true
+enable=true
+enableBy=admin
+auth.instance_id=TokenAuth
+authz.acl=group="Enterprise OCSP Administrators" || group="Enterprise RA Administrators" || group="Enterprise CA Administrators" || group="Enterprise KRA Administrators" || group="Enterprise TKS Administrators" || group="Enterprise TPS Administrators"
+name=Security Domain Server Certificate Enrollment
+input.list=i1,i2
+input.i1.class_id=certReqInputImpl
+input.i2.class_id=submitterInfoInputImpl
+output.list=o1
+output.o1.class_id=certOutputImpl
+policyset.list=serverCertSet
+policyset.serverCertSet.list=1,2,3,4,5,6,7,8
+policyset.serverCertSet.1.constraint.class_id=subjectNameConstraintImpl
+policyset.serverCertSet.1.constraint.name=Subject Name Constraint
+policyset.serverCertSet.1.constraint.params.pattern=CN=.*
+policyset.serverCertSet.1.constraint.params.accept=true
+policyset.serverCertSet.1.default.class_id=userSubjectNameDefaultImpl
+policyset.serverCertSet.1.default.name=Subject Name Default
+policyset.serverCertSet.1.default.params.name=
+policyset.serverCertSet.2.constraint.class_id=validityConstraintImpl
+policyset.serverCertSet.2.constraint.name=Validity Constraint
+policyset.serverCertSet.2.constraint.params.range=720
+policyset.serverCertSet.2.constraint.params.notBeforeCheck=false
+policyset.serverCertSet.2.constraint.params.notAfterCheck=false
+policyset.serverCertSet.2.default.class_id=validityDefaultImpl
+policyset.serverCertSet.2.default.name=Validity Default
+policyset.serverCertSet.2.default.params.range=720
+policyset.serverCertSet.2.default.params.startTime=0
+policyset.serverCertSet.3.constraint.class_id=keyConstraintImpl
+policyset.serverCertSet.3.constraint.name=Key Constraint
+policyset.serverCertSet.3.constraint.params.keyType=-
+policyset.serverCertSet.3.constraint.params.keyMinLength=256
+policyset.serverCertSet.3.constraint.params.keyMaxLength=4096
+policyset.serverCertSet.3.default.class_id=userKeyDefaultImpl
+policyset.serverCertSet.3.default.name=Key Default
+policyset.serverCertSet.4.constraint.class_id=noConstraintImpl
+policyset.serverCertSet.4.constraint.name=No Constraint
+policyset.serverCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl
+policyset.serverCertSet.4.default.name=Authority Key Identifier Default
+policyset.serverCertSet.5.constraint.class_id=noConstraintImpl
+policyset.serverCertSet.5.constraint.name=No Constraint
+policyset.serverCertSet.5.default.class_id=authInfoAccessExtDefaultImpl
+policyset.serverCertSet.5.default.name=AIA Extension Default
+policyset.serverCertSet.5.default.params.authInfoAccessADEnable_0=true
+policyset.serverCertSet.5.default.params.authInfoAccessADLocationType_0=URIName
+policyset.serverCertSet.5.default.params.authInfoAccessADLocation_0=
+policyset.serverCertSet.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1
+policyset.serverCertSet.5.default.params.authInfoAccessCritical=false
+policyset.serverCertSet.5.default.params.authInfoAccessNumADs=1
+policyset.serverCertSet.6.constraint.class_id=keyUsageExtConstraintImpl
+policyset.serverCertSet.6.constraint.name=Key Usage Extension Constraint
+policyset.serverCertSet.6.constraint.params.keyUsageCritical=true
+policyset.serverCertSet.6.constraint.params.keyUsageDigitalSignature=true
+policyset.serverCertSet.6.constraint.params.keyUsageNonRepudiation=true
+policyset.serverCertSet.6.constraint.params.keyUsageDataEncipherment=true
+policyset.serverCertSet.6.constraint.params.keyUsageKeyEncipherment=true
+policyset.serverCertSet.6.constraint.params.keyUsageKeyAgreement=false
+policyset.serverCertSet.6.constraint.params.keyUsageKeyCertSign=false
+policyset.serverCertSet.6.constraint.params.keyUsageCrlSign=false
+policyset.serverCertSet.6.constraint.params.keyUsageEncipherOnly=false
+policyset.serverCertSet.6.constraint.params.keyUsageDecipherOnly=false
+policyset.serverCertSet.6.default.class_id=keyUsageExtDefaultImpl
+policyset.serverCertSet.6.default.name=Key Usage Default
+policyset.serverCertSet.6.default.params.keyUsageCritical=true
+policyset.serverCertSet.6.default.params.keyUsageDigitalSignature=true
+policyset.serverCertSet.6.default.params.keyUsageNonRepudiation=true
+policyset.serverCertSet.6.default.params.keyUsageDataEncipherment=true
+policyset.serverCertSet.6.default.params.keyUsageKeyEncipherment=true
+policyset.serverCertSet.6.default.params.keyUsageKeyAgreement=false
+policyset.serverCertSet.6.default.params.keyUsageKeyCertSign=false
+policyset.serverCertSet.6.default.params.keyUsageCrlSign=false
+policyset.serverCertSet.6.default.params.keyUsageEncipherOnly=false
+policyset.serverCertSet.6.default.params.keyUsageDecipherOnly=false
+policyset.serverCertSet.7.constraint.class_id=noConstraintImpl
+policyset.serverCertSet.7.constraint.name=No Constraint
+policyset.serverCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl
+policyset.serverCertSet.7.default.name=Extended Key Usage Extension Default
+policyset.serverCertSet.7.default.params.exKeyUsageCritical=false
+policyset.serverCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4
+policyset.serverCertSet.8.constraint.class_id=signingAlgConstraintImpl
+policyset.serverCertSet.8.constraint.name=No Constraint
+policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC
+policyset.serverCertSet.8.default.class_id=signingAlgDefaultImpl
+policyset.serverCertSet.8.default.name=Signing Alg
+policyset.serverCertSet.8.default.params.signingAlg=-
diff --git a/pki/base/ca/shared/profiles/ca/caInternalAuthSubsystemCert.cfg b/pki/base/ca/shared/profiles/ca/caInternalAuthSubsystemCert.cfg
new file mode 100644
index 000000000..95534a15a
--- /dev/null
+++ b/pki/base/ca/shared/profiles/ca/caInternalAuthSubsystemCert.cfg
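Review bot: `policyset.serverCertSet.7.default.params.exKeyUsageOIDs` gives a Security Domain server certificate `1.3.6.1.5.5.7.3.4` (emailProtection) next to serverAuth and clientAuth, which a TLS endpoint never needs; trimming it to `policyset.serverCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2` keeps the certificate from doubling as an S/MIME certificate. The profile also has no Subject Alternative Name default, so the host name lives only in the `CN=.*` subject; TLS clients match dNSName SANs and CN-only matching has been deprecated since RFC 2818/6125, so a `subjectAltNameExtDefaultImpl` set with one dNSName entry is worth adding (the user-cert profiles in this commit show the parameter layout). `keyUsageNonRepudiation=true` on a server certificate is unusual as well, though harmless.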
@@ -0,0 +1,89 @@
+desc=This certificate profile is for enrolling Security Domain subsystem certificates.
+visible=true
+enable=true
+enableBy=admin
+auth.instance_id=TokenAuth
+authz.acl=group="Enterprise OCSP Administrators" || group="Enterprise RA Administrators" || group="Enterprise CA Administrators" || group="Enterprise KRA Administrators" || group="Enterprise TKS Administrators" || group="Enterprise TPS Administrators"
+name=Security Domain Subsysem Certificate Enrollment
+input.list=i1,i2
+input.i1.class_id=certReqInputImpl
+input.i2.class_id=submitterInfoInputImpl
+output.list=o1
+output.o1.class_id=certOutputImpl
+updater.list=u1
+updater.u1.class_id=subsystemGroupUpdaterImpl
+policyset.list=serverCertSet
+policyset.serverCertSet.list=1,2,3,4,5,6,7,8
+policyset.serverCertSet.1.constraint.class_id=subjectNameConstraintImpl
+policyset.serverCertSet.1.constraint.name=Subject Name Constraint
+policyset.serverCertSet.1.constraint.params.pattern=CN=.*
+policyset.serverCertSet.1.constraint.params.accept=true
+policyset.serverCertSet.1.default.class_id=userSubjectNameDefaultImpl
+policyset.serverCertSet.1.default.name=Subject Name Default
+policyset.serverCertSet.1.default.params.name=
+policyset.serverCertSet.2.constraint.class_id=validityConstraintImpl
+policyset.serverCertSet.2.constraint.name=Validity Constraint
+policyset.serverCertSet.2.constraint.params.range=720
+policyset.serverCertSet.2.constraint.params.notBeforeCheck=false
+policyset.serverCertSet.2.constraint.params.notAfterCheck=false
+policyset.serverCertSet.2.default.class_id=validityDefaultImpl
+policyset.serverCertSet.2.default.name=Validity Default
+policyset.serverCertSet.2.default.params.range=720
+policyset.serverCertSet.2.default.params.startTime=0
+policyset.serverCertSet.3.constraint.class_id=keyConstraintImpl
+policyset.serverCertSet.3.constraint.name=Key Constraint
+policyset.serverCertSet.3.constraint.params.keyType=-
+policyset.serverCertSet.3.constraint.params.keyMinLength=256
+policyset.serverCertSet.3.constraint.params.keyMaxLength=4096
+policyset.serverCertSet.3.default.class_id=userKeyDefaultImpl
+policyset.serverCertSet.3.default.name=Key Default
+policyset.serverCertSet.4.constraint.class_id=noConstraintImpl
+policyset.serverCertSet.4.constraint.name=No Constraint
+policyset.serverCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl
+policyset.serverCertSet.4.default.name=Authority Key Identifier Default
+policyset.serverCertSet.5.constraint.class_id=noConstraintImpl
+policyset.serverCertSet.5.constraint.name=No Constraint
+policyset.serverCertSet.5.default.class_id=authInfoAccessExtDefaultImpl
+policyset.serverCertSet.5.default.name=AIA Extension Default
+policyset.serverCertSet.5.default.params.authInfoAccessADEnable_0=true
+policyset.serverCertSet.5.default.params.authInfoAccessADLocationType_0=URIName
+policyset.serverCertSet.5.default.params.authInfoAccessADLocation_0=
+policyset.serverCertSet.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1
+policyset.serverCertSet.5.default.params.authInfoAccessCritical=false
+policyset.serverCertSet.5.default.params.authInfoAccessNumADs=1
+policyset.serverCertSet.6.constraint.class_id=keyUsageExtConstraintImpl
+policyset.serverCertSet.6.constraint.name=Key Usage Extension Constraint
+policyset.serverCertSet.6.constraint.params.keyUsageCritical=true
+policyset.serverCertSet.6.constraint.params.keyUsageDigitalSignature=true
+policyset.serverCertSet.6.constraint.params.keyUsageNonRepudiation=true
+policyset.serverCertSet.6.constraint.params.keyUsageDataEncipherment=true
+policyset.serverCertSet.6.constraint.params.keyUsageKeyEncipherment=true
+policyset.serverCertSet.6.constraint.params.keyUsageKeyAgreement=false
+policyset.serverCertSet.6.constraint.params.keyUsageKeyCertSign=false
+policyset.serverCertSet.6.constraint.params.keyUsageCrlSign=false
+policyset.serverCertSet.6.constraint.params.keyUsageEncipherOnly=false
+policyset.serverCertSet.6.constraint.params.keyUsageDecipherOnly=false
+policyset.serverCertSet.6.default.class_id=keyUsageExtDefaultImpl
+policyset.serverCertSet.6.default.name=Key Usage Default
+policyset.serverCertSet.6.default.params.keyUsageCritical=true
+policyset.serverCertSet.6.default.params.keyUsageDigitalSignature=true
+policyset.serverCertSet.6.default.params.keyUsageNonRepudiation=true
+policyset.serverCertSet.6.default.params.keyUsageDataEncipherment=true
+policyset.serverCertSet.6.default.params.keyUsageKeyEncipherment=true
+policyset.serverCertSet.6.default.params.keyUsageKeyAgreement=false
+policyset.serverCertSet.6.default.params.keyUsageKeyCertSign=false
+policyset.serverCertSet.6.default.params.keyUsageCrlSign=false
+policyset.serverCertSet.6.default.params.keyUsageEncipherOnly=false
+policyset.serverCertSet.6.default.params.keyUsageDecipherOnly=false
+policyset.serverCertSet.7.constraint.class_id=noConstraintImpl
+policyset.serverCertSet.7.constraint.name=No Constraint
+policyset.serverCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl
+policyset.serverCertSet.7.default.name=Extended Key Usage Extension Default
+policyset.serverCertSet.7.default.params.exKeyUsageCritical=false
+policyset.serverCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2
+policyset.serverCertSet.8.constraint.class_id=signingAlgConstraintImpl
+policyset.serverCertSet.8.constraint.name=No Constraint
+policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC
+policyset.serverCertSet.8.default.class_id=signingAlgDefaultImpl
+policyset.serverCertSet.8.default.name=Signing Alg
+policyset.serverCertSet.8.default.params.signingAlg=-
diff --git a/pki/base/ca/shared/profiles/ca/caInternalAuthTransportCert.cfg b/pki/base/ca/shared/profiles/ca/caInternalAuthTransportCert.cfg
new file mode 100644
index 000000000..55896adb6
--- /dev/null
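Review bot: Policy 8's `signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC` still admits MD2, MD5 and SHA-1 signatures on a Security Domain subsystem certificate, so a request that names one of those digests passes the constraint unchanged; trimming it to `signingAlgsAllowed=SHA256withRSA,SHA512withRSA` (plus whatever EC/DSA variants the deployment actually needs) would make the profile enforce a modern floor. The identical list is added in caInternalAuthTransportCert.cfg, caOCSPCert.cfg, caOtherCert.cfg, caRACert.cfg and caRARouterCert.cfg in this commit. The label `policyset.serverCertSet.8.constraint.name=No Constraint` is also misleading for a `signingAlgConstraintImpl` entry; `Signing Algorithm Constraint` would describe what it does. Separately, `name=Security Domain Subsysem Certificate Enrollment` misspells "Subsystem" in the administrator-facing profile name.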
+++ b/pki/base/ca/shared/profiles/ca/caInternalAuthTransportCert.cfg 
@@ -0,0 +1,81 @@
+desc=This certificate profile is for enrolling Security Domain Data Recovery Manager transport certificates.
+visible=true
+enable=true
+enableBy=admin
+auth.instance_id=TokenAuth
+authz.acl=group="Enterprise OCSP Administrators" || group="Enterprise RA Administrators" || group="Enterprise CA Administrators" || group="Enterprise KRA Administrators" || group="Enterprise TKS Administrators" || group="Enterprise TPS Administrators"
+name=Security Domain Data Recovery Manager Transport Certificate Enrollment
+input.list=i1,i2
+input.i1.class_id=certReqInputImpl
+input.i2.class_id=submitterInfoInputImpl
+output.list=o1
+output.o1.class_id=certOutputImpl
+policyset.list=transportCertSet
+policyset.transportCertSet.list=1,2,3,4,5,6,8
+policyset.transportCertSet.1.constraint.class_id=subjectNameConstraintImpl
+policyset.transportCertSet.1.constraint.name=Subject Name Constraint
+policyset.transportCertSet.1.constraint.params.pattern=CN=.*
+policyset.transportCertSet.1.constraint.params.accept=true
+policyset.transportCertSet.1.default.class_id=userSubjectNameDefaultImpl
+policyset.transportCertSet.1.default.name=Subject Name Default
+policyset.transportCertSet.1.default.params.name=
+policyset.transportCertSet.2.constraint.class_id=validityConstraintImpl
+policyset.transportCertSet.2.constraint.name=Validity Constraint
+policyset.transportCertSet.2.constraint.params.range=720
+policyset.transportCertSet.2.constraint.params.notBeforeCheck=false
+policyset.transportCertSet.2.constraint.params.notAfterCheck=false
+policyset.transportCertSet.2.default.class_id=validityDefaultImpl
+policyset.transportCertSet.2.default.name=Validity Default
+policyset.transportCertSet.2.default.params.range=720
+policyset.transportCertSet.2.default.params.startTime=0
+policyset.transportCertSet.3.constraint.class_id=keyConstraintImpl
+policyset.transportCertSet.3.constraint.name=Key Constraint
+policyset.transportCertSet.3.constraint.params.keyType=-
+policyset.transportCertSet.3.constraint.params.keyMinLength=256
+policyset.transportCertSet.3.constraint.params.keyMaxLength=4096
+policyset.transportCertSet.3.default.class_id=userKeyDefaultImpl
+policyset.transportCertSet.3.default.name=Key Default
+policyset.transportCertSet.4.constraint.class_id=noConstraintImpl
+policyset.transportCertSet.4.constraint.name=No Constraint
+policyset.transportCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl
+policyset.transportCertSet.4.default.name=Authority Key Identifier Default
+policyset.transportCertSet.5.constraint.class_id=noConstraintImpl
+policyset.transportCertSet.5.constraint.name=No Constraint
+policyset.transportCertSet.5.default.class_id=authInfoAccessExtDefaultImpl
+policyset.transportCertSet.5.default.name=AIA Extension Default
+policyset.transportCertSet.5.default.params.authInfoAccessADEnable_0=true
+policyset.transportCertSet.5.default.params.authInfoAccessADLocationType_0=URIName
+policyset.transportCertSet.5.default.params.authInfoAccessADLocation_0=
+policyset.transportCertSet.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1
+policyset.transportCertSet.5.default.params.authInfoAccessCritical=false
+policyset.transportCertSet.5.default.params.authInfoAccessNumADs=1
+policyset.transportCertSet.6.constraint.class_id=keyUsageExtConstraintImpl
+policyset.transportCertSet.6.constraint.name=Key Usage Extension Constraint
+policyset.transportCertSet.6.constraint.params.keyUsageCritical=true
+policyset.transportCertSet.6.constraint.params.keyUsageDigitalSignature=true
+policyset.transportCertSet.6.constraint.params.keyUsageNonRepudiation=true
+policyset.transportCertSet.6.constraint.params.keyUsageDataEncipherment=true
+policyset.transportCertSet.6.constraint.params.keyUsageKeyEncipherment=true
+policyset.transportCertSet.6.constraint.params.keyUsageKeyAgreement=false
+policyset.transportCertSet.6.constraint.params.keyUsageKeyCertSign=false
+policyset.transportCertSet.6.constraint.params.keyUsageCrlSign=false
+policyset.transportCertSet.6.constraint.params.keyUsageEncipherOnly=false
+policyset.transportCertSet.6.constraint.params.keyUsageDecipherOnly=false
+policyset.transportCertSet.6.default.class_id=keyUsageExtDefaultImpl
+policyset.transportCertSet.6.default.name=Key Usage Default
+policyset.transportCertSet.6.default.params.keyUsageCritical=true
+policyset.transportCertSet.6.default.params.keyUsageDigitalSignature=true
+policyset.transportCertSet.6.default.params.keyUsageNonRepudiation=true
+policyset.transportCertSet.6.default.params.keyUsageDataEncipherment=true
+policyset.transportCertSet.6.default.params.keyUsageKeyEncipherment=true
+policyset.transportCertSet.6.default.params.keyUsageKeyAgreement=false
+policyset.transportCertSet.6.default.params.keyUsageKeyCertSign=false
+policyset.transportCertSet.6.default.params.keyUsageCrlSign=false
+policyset.transportCertSet.6.default.params.keyUsageEncipherOnly=false
+policyset.transportCertSet.6.default.params.keyUsageDecipherOnly=false
+policyset.transportCertSet.8.constraint.class_id=signingAlgConstraintImpl
+policyset.transportCertSet.8.constraint.name=No Constraint
+policyset.transportCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC
+policyset.transportCertSet.8.default.class_id=signingAlgDefaultImpl
+policyset.transportCertSet.8.default.name=Signing Alg
+policyset.transportCertSet.8.default.params.signingAlg=-
diff --git a/pki/base/ca/shared/profiles/ca/caOCSPCert.cfg b/pki/base/ca/shared/profiles/ca/caOCSPCert.cfg
new file mode 100644
index 000000000..4f5204f1e
--- /dev/null
+++ b/pki/base/ca/shared/profiles/ca/caOCSPCert.cfg
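Review bot: Policy 3 combines `keyType=-` with `keyMinLength=256`, so as written the constraint would presumably accept an RSA transport key as small as 256 bits — far below any usable RSA size — while 256 bits is only a sensible floor for EC keys; the exact handling of `keyType=-` in keyConstraintImpl is not visible here, so confirm against the implementation. If the KRA transport key is expected to be RSA, `policyset.transportCertSet.3.constraint.params.keyMinLength=2048` would make the constraint meaningful, or the check could be split by key type so each algorithm gets its own minimum. The same `keyType=-`/`keyMinLength=256` pair is repeated in caInternalAuthSubsystemCert.cfg, caOCSPCert.cfg, caOtherCert.cfg, caRACert.cfg and caRARouterCert.cfg in this commit. A one-line comment above policy 3 stating which key types the 256-bit minimum is intended for would also help whoever tunes these profiles later.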
@@ -0,0 +1,71 @@
+desc=This certificate profile is for enrolling OCSP Manager certificates.
+visible=true
+enable=true
+enableBy=admin
+auth.class_id=
+name=Manual OCSP Manager Signing Certificate Enrollment
+input.list=i1,i2
+input.i1.class_id=certReqInputImpl
+input.i2.class_id=submitterInfoInputImpl
+output.list=o1
+output.o1.class_id=certOutputImpl
+policyset.list=ocspCertSet
+policyset.ocspCertSet.list=1,2,3,4,5,6,8,9
+policyset.ocspCertSet.1.constraint.class_id=subjectNameConstraintImpl
+policyset.ocspCertSet.1.constraint.name=Subject Name Constraint
+policyset.ocspCertSet.1.constraint.params.pattern=CN=.*
+policyset.ocspCertSet.1.constraint.params.accept=true
+policyset.ocspCertSet.1.default.class_id=userSubjectNameDefaultImpl
+policyset.ocspCertSet.1.default.name=Subject Name Default
+policyset.ocspCertSet.1.default.params.name=
+policyset.ocspCertSet.2.constraint.class_id=validityConstraintImpl
+policyset.ocspCertSet.2.constraint.name=Validity Constraint
+policyset.ocspCertSet.2.constraint.params.range=720
+policyset.ocspCertSet.2.constraint.params.notBeforeCheck=false
+policyset.ocspCertSet.2.constraint.params.notAfterCheck=false
+policyset.ocspCertSet.2.default.class_id=validityDefaultImpl
+policyset.ocspCertSet.2.default.name=Validity Default
+policyset.ocspCertSet.2.default.params.range=720
+policyset.ocspCertSet.2.default.params.startTime=0
+policyset.ocspCertSet.3.constraint.class_id=keyConstraintImpl
+policyset.ocspCertSet.3.constraint.name=Key Constraint
+policyset.ocspCertSet.3.constraint.params.keyType=-
+policyset.ocspCertSet.3.constraint.params.keyMinLength=256
+policyset.ocspCertSet.3.constraint.params.keyMaxLength=4096
+policyset.ocspCertSet.3.default.class_id=userKeyDefaultImpl
+policyset.ocspCertSet.3.default.name=Key Default
+policyset.ocspCertSet.4.constraint.class_id=noConstraintImpl
+policyset.ocspCertSet.4.constraint.name=No Constraint
+policyset.ocspCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl
+policyset.ocspCertSet.4.default.name=Authority Key Identifier Default
+policyset.ocspCertSet.5.constraint.class_id=noConstraintImpl
+policyset.ocspCertSet.5.constraint.name=No Constraint
+policyset.ocspCertSet.5.default.class_id=authInfoAccessExtDefaultImpl
+policyset.ocspCertSet.5.default.name=AIA Extension Default
+policyset.ocspCertSet.5.default.params.authInfoAccessADEnable_0=true
+policyset.ocspCertSet.5.default.params.authInfoAccessADLocationType_0=URIName
+policyset.ocspCertSet.5.default.params.authInfoAccessADLocation_0=
+policyset.ocspCertSet.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1
+policyset.ocspCertSet.5.default.params.authInfoAccessCritical=false
+policyset.ocspCertSet.5.default.params.authInfoAccessNumADs=1
+policyset.ocspCertSet.6.constraint.class_id=extendedKeyUsageExtConstraintImpl
+policyset.ocspCertSet.6.constraint.name=Extended Key Usage Extension
+policyset.ocspCertSet.6.constraint.params.exKeyUsageCritical=false
+policyset.ocspCertSet.6.constraint.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.9
+policyset.ocspCertSet.6.default.class_id=extendedKeyUsageExtDefaultImpl
+policyset.ocspCertSet.6.default.name=Extended Key Usage Default
+policyset.ocspCertSet.6.default.params.exKeyUsageCritical=false
+policyset.ocspCertSet.6.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.9
+policyset.ocspCertSet.8.constraint.class_id=extensionConstraintImpl
+policyset.ocspCertSet.8.constraint.name=No Constraint
+policyset.ocspCertSet.8.constraint.params.extCritical=false
+policyset.ocspCertSet.8.constraint.params.extOID=1.3.6.1.5.5.7.48.1.5
+policyset.ocspCertSet.8.default.class_id=ocspNoCheckExtDefaultImpl
+policyset.ocspCertSet.8.default.name=OCSP No Check Extension
+policyset.ocspCertSet.8.default.params.ocspNoCheckCritical=false
+policyset.ocspCertSet.9.constraint.class_id=signingAlgConstraintImpl
+policyset.ocspCertSet.9.constraint.name=No Constraint
+policyset.ocspCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC
+policyset.ocspCertSet.9.default.class_id=signingAlgDefaultImpl
+policyset.ocspCertSet.9.default.name=Signing Alg
+policyset.ocspCertSet.9.default.params.signingAlg=-
diff --git a/pki/base/ca/shared/profiles/ca/caOtherCert.cfg b/pki/base/ca/shared/profiles/ca/caOtherCert.cfg
new file mode 100644
index 000000000..2abdc36f8
--- /dev/null
+++ b/pki/base/ca/shared/profiles/ca/caOtherCert.cfg
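Review bot: Policy 8 stamps the responder certificate with id-pkix-ocsp-nocheck (`ocspNoCheckExtDefaultImpl`, OID `1.3.6.1.5.5.7.48.1.5`) while policy 2 gives it a `range=720` validity, so relying parties will not honour a revocation of the OCSP signing certificate for roughly two years; that is a long window to accept on the key that vouches for every other certificate's status. A shorter `policyset.ocspCertSet.2.default.params.range` (with the constraint range lowered to match) for this profile in particular, or omitting ocspNoCheck so the responder certificate is revocable like any other, would bound that exposure. The set list `1,2,3,4,5,6,8,9` also leaves this profile without a Key Usage extension, so the issued certificate carries no digitalSignature assertion alongside its OCSP-signing EKU, unlike the keyUsage default/constraint pair every other profile in this commit adds. Finally, `policyset.ocspCertSet.8.constraint.name=No Constraint` mislabels an `extensionConstraintImpl` entry; `OCSP No Check Extension Constraint` would match what it checks.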
@@ -0,0 +1,86 @@
+desc=This certificate profile is for enrolling other certificates.
+visible=true
+enable=true
+enableBy=admin
+auth.class_id=
+name=Other Certificate Enrollment
+input.list=i1,i2
+input.i1.class_id=certReqInputImpl
+input.i2.class_id=submitterInfoInputImpl
+output.list=o1
+output.o1.class_id=certOutputImpl
+policyset.list=otherCertSet
+policyset.otherCertSet.list=1,2,3,4,5,6,7,8
+policyset.otherCertSet.1.constraint.class_id=subjectNameConstraintImpl
+policyset.otherCertSet.1.constraint.name=Subject Name Constraint
+policyset.otherCertSet.1.constraint.params.pattern=CN=.*
+policyset.otherCertSet.1.constraint.params.accept=true
+policyset.otherCertSet.1.default.class_id=userSubjectNameDefaultImpl
+policyset.otherCertSet.1.default.name=Subject Name Default
+policyset.otherCertSet.1.default.params.name=
+policyset.otherCertSet.2.constraint.class_id=validityConstraintImpl
+policyset.otherCertSet.2.constraint.name=Validity Constraint
+policyset.otherCertSet.2.constraint.params.range=720
+policyset.otherCertSet.2.constraint.params.notBeforeCheck=false
+policyset.otherCertSet.2.constraint.params.notAfterCheck=false
+policyset.otherCertSet.2.default.class_id=validityDefaultImpl
+policyset.otherCertSet.2.default.name=Validity Default
+policyset.otherCertSet.2.default.params.range=720
+policyset.otherCertSet.2.default.params.startTime=0
+policyset.otherCertSet.3.constraint.class_id=keyConstraintImpl
+policyset.otherCertSet.3.constraint.name=Key Constraint
+policyset.otherCertSet.3.constraint.params.keyType=-
+policyset.otherCertSet.3.constraint.params.keyMinLength=256
+policyset.otherCertSet.3.constraint.params.keyMaxLength=4096
+policyset.otherCertSet.3.default.class_id=userKeyDefaultImpl
+policyset.otherCertSet.3.default.name=Key Default
+policyset.otherCertSet.4.constraint.class_id=noConstraintImpl
+policyset.otherCertSet.4.constraint.name=No Constraint
+policyset.otherCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl
+policyset.otherCertSet.4.default.name=Authority Key Identifier Default
+policyset.otherCertSet.5.constraint.class_id=noConstraintImpl
+policyset.otherCertSet.5.constraint.name=No Constraint
+policyset.otherCertSet.5.default.class_id=authInfoAccessExtDefaultImpl
+policyset.otherCertSet.5.default.name=AIA Extension Default
+policyset.otherCertSet.5.default.params.authInfoAccessADEnable_0=true
+policyset.otherCertSet.5.default.params.authInfoAccessADLocationType_0=URIName
+policyset.otherCertSet.5.default.params.authInfoAccessADLocation_0=
+policyset.otherCertSet.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1
+policyset.otherCertSet.5.default.params.authInfoAccessCritical=false
+policyset.otherCertSet.5.default.params.authInfoAccessNumADs=1
+policyset.otherCertSet.6.constraint.class_id=keyUsageExtConstraintImpl
+policyset.otherCertSet.6.constraint.name=Key Usage Extension Constraint
+policyset.otherCertSet.6.constraint.params.keyUsageCritical=true
+policyset.otherCertSet.6.constraint.params.keyUsageDigitalSignature=true
+policyset.otherCertSet.6.constraint.params.keyUsageNonRepudiation=true
+policyset.otherCertSet.6.constraint.params.keyUsageDataEncipherment=true
+policyset.otherCertSet.6.constraint.params.keyUsageKeyEncipherment=true
+policyset.otherCertSet.6.constraint.params.keyUsageKeyAgreement=false
+policyset.otherCertSet.6.constraint.params.keyUsageKeyCertSign=false
+policyset.otherCertSet.6.constraint.params.keyUsageCrlSign=false
+policyset.otherCertSet.6.constraint.params.keyUsageEncipherOnly=false
+policyset.otherCertSet.6.constraint.params.keyUsageDecipherOnly=false
+policyset.otherCertSet.6.default.class_id=keyUsageExtDefaultImpl
+policyset.otherCertSet.6.default.name=Key Usage Default
+policyset.otherCertSet.6.default.params.keyUsageCritical=true
+policyset.otherCertSet.6.default.params.keyUsageDigitalSignature=true
+policyset.otherCertSet.6.default.params.keyUsageNonRepudiation=true
+policyset.otherCertSet.6.default.params.keyUsageDataEncipherment=true
+policyset.otherCertSet.6.default.params.keyUsageKeyEncipherment=true
+policyset.otherCertSet.6.default.params.keyUsageKeyAgreement=false
+policyset.otherCertSet.6.default.params.keyUsageKeyCertSign=false
+policyset.otherCertSet.6.default.params.keyUsageCrlSign=false
+policyset.otherCertSet.6.default.params.keyUsageEncipherOnly=false
+policyset.otherCertSet.6.default.params.keyUsageDecipherOnly=false
+policyset.otherCertSet.7.constraint.class_id=noConstraintImpl
+policyset.otherCertSet.7.constraint.name=No Constraint
+policyset.otherCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl
+policyset.otherCertSet.7.default.name=Extended Key Usage Extension Default
+policyset.otherCertSet.7.default.params.exKeyUsageCritical=false
+policyset.otherCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.1
+policyset.otherCertSet.8.constraint.class_id=signingAlgConstraintImpl
+policyset.otherCertSet.8.constraint.name=No Constraint
+policyset.otherCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC
+policyset.otherCertSet.8.default.class_id=signingAlgDefaultImpl
+policyset.otherCertSet.8.default.name=Signing Alg
+policyset.otherCertSet.8.default.params.signingAlg=-
diff --git a/pki/base/ca/shared/profiles/ca/caRACert.cfg b/pki/base/ca/shared/profiles/ca/caRACert.cfg
new file mode 100644
index 000000000..4910bd4b7
--- /dev/null
+++ b/pki/base/ca/shared/profiles/ca/caRACert.cfg
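Review bot: `desc=This certificate profile is for enrolling other certificates.` does not tell an administrator what this profile actually issues: policy 7 fixes the EKU to serverAuth (`exKeyUsageOIDs=1.3.6.1.5.5.7.3.1`) under a `noConstraintImpl`, policy 6 asserts keyEncipherment and dataEncipherment, and policy 1 accepts any subject matching `CN=.*`, so the result is in effect a general-purpose TLS server certificate rather than an "other" certificate. A description along the lines of `desc=This certificate profile is for enrolling server (serverAuth) certificates not covered by a more specific profile.` would make that visible in the profile listing. If the intent really is a generic catch-all, the serverAuth OID should not be hard-coded in the default; an explicit EKU constraint naming the permitted OIDs would be the safer shape, since a catch-all that silently yields serverAuth certificates is easy to misuse.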
@@ -0,0 +1,86 @@
+desc=This certificate profile is for enrolling Registration Manager certificates.
+visible=true
+enable=true
+enableBy=admin
+auth.class_id=
+name=Manual Registration Manager Signing Certificate Enrollment
+input.list=i1,i2
+input.i1.class_id=certReqInputImpl
+input.i2.class_id=submitterInfoInputImpl
+output.list=o1
+output.o1.class_id=certOutputImpl
+policyset.list=raCertSet
+policyset.raCertSet.list=1,2,3,4,5,6,7,8
+policyset.raCertSet.1.constraint.class_id=subjectNameConstraintImpl
+policyset.raCertSet.1.constraint.name=Subject Name Constraint
+policyset.raCertSet.1.constraint.params.pattern=CN=.*
+policyset.raCertSet.1.constraint.params.accept=true
+policyset.raCertSet.1.default.class_id=userSubjectNameDefaultImpl
+policyset.raCertSet.1.default.name=Subject Name Default
+policyset.raCertSet.1.default.params.name=
+policyset.raCertSet.2.constraint.class_id=validityConstraintImpl
+policyset.raCertSet.2.constraint.name=Validity Constraint
+policyset.raCertSet.2.constraint.params.range=720
+policyset.raCertSet.2.constraint.params.notBeforeCheck=false
+policyset.raCertSet.2.constraint.params.notAfterCheck=false
+policyset.raCertSet.2.default.class_id=validityDefaultImpl
+policyset.raCertSet.2.default.name=Validity Default
+policyset.raCertSet.2.default.params.range=720
+policyset.raCertSet.2.default.params.startTime=0
+policyset.raCertSet.3.constraint.class_id=keyConstraintImpl
+policyset.raCertSet.3.constraint.name=Key Constraint
+policyset.raCertSet.3.constraint.params.keyType=-
+policyset.raCertSet.3.constraint.params.keyMinLength=256
+policyset.raCertSet.3.constraint.params.keyMaxLength=4096
+policyset.raCertSet.3.default.class_id=userKeyDefaultImpl
+policyset.raCertSet.3.default.name=Key Default
+policyset.raCertSet.4.constraint.class_id=noConstraintImpl
+policyset.raCertSet.4.constraint.name=No Constraint
+policyset.raCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl
+policyset.raCertSet.4.default.name=Authority Key Identifier Default
+policyset.raCertSet.5.constraint.class_id=noConstraintImpl
+policyset.raCertSet.5.constraint.name=No Constraint
+policyset.raCertSet.5.default.class_id=authInfoAccessExtDefaultImpl
+policyset.raCertSet.5.default.name=AIA Extension Default
+policyset.raCertSet.5.default.params.authInfoAccessADEnable_0=true
+policyset.raCertSet.5.default.params.authInfoAccessADLocationType_0=URIName
+policyset.raCertSet.5.default.params.authInfoAccessADLocation_0=
+policyset.raCertSet.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1
+policyset.raCertSet.5.default.params.authInfoAccessCritical=false
+policyset.raCertSet.5.default.params.authInfoAccessNumADs=1
+policyset.raCertSet.6.constraint.class_id=keyUsageExtConstraintImpl
+policyset.raCertSet.6.constraint.name=Key Usage Extension Constraint
+policyset.raCertSet.6.constraint.params.keyUsageCritical=true
+policyset.raCertSet.6.constraint.params.keyUsageDigitalSignature=true
+policyset.raCertSet.6.constraint.params.keyUsageNonRepudiation=true
+policyset.raCertSet.6.constraint.params.keyUsageDataEncipherment=false
+policyset.raCertSet.6.constraint.params.keyUsageKeyEncipherment=false
+policyset.raCertSet.6.constraint.params.keyUsageKeyAgreement=false
+policyset.raCertSet.6.constraint.params.keyUsageKeyCertSign=false
+policyset.raCertSet.6.constraint.params.keyUsageCrlSign=false
+policyset.raCertSet.6.constraint.params.keyUsageEncipherOnly=false
+policyset.raCertSet.6.constraint.params.keyUsageDecipherOnly=false
+policyset.raCertSet.6.default.class_id=keyUsageExtDefaultImpl
+policyset.raCertSet.6.default.name=Key Usage Default
+policyset.raCertSet.6.default.params.keyUsageCritical=true
+policyset.raCertSet.6.default.params.keyUsageDigitalSignature=true
+policyset.raCertSet.6.default.params.keyUsageNonRepudiation=true
+policyset.raCertSet.6.default.params.keyUsageDataEncipherment=false
+policyset.raCertSet.6.default.params.keyUsageKeyEncipherment=false
+policyset.raCertSet.6.default.params.keyUsageKeyAgreement=false
+policyset.raCertSet.6.default.params.keyUsageKeyCertSign=false
+policyset.raCertSet.6.default.params.keyUsageCrlSign=false
+policyset.raCertSet.6.default.params.keyUsageEncipherOnly=false
+policyset.raCertSet.6.default.params.keyUsageDecipherOnly=false
+policyset.raCertSet.7.constraint.class_id=noConstraintImpl
+policyset.raCertSet.7.constraint.name=No Constraint
+policyset.raCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl
+policyset.raCertSet.7.default.name=Extended Key Usage Extension Default
+policyset.raCertSet.7.default.params.exKeyUsageCritical=false
+policyset.raCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2
+policyset.raCertSet.8.constraint.class_id=signingAlgConstraintImpl
+policyset.raCertSet.8.constraint.name=No Constraint
+policyset.raCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC
+policyset.raCertSet.8.default.class_id=signingAlgDefaultImpl
+policyset.raCertSet.8.default.name=Signing Alg
+policyset.raCertSet.8.default.params.signingAlg=-
diff --git a/pki/base/ca/shared/profiles/ca/caRARouterCert.cfg b/pki/base/ca/shared/profiles/ca/caRARouterCert.cfg
new file mode 100644
index 000000000..a6df27a6e
--- /dev/null
+++ b/pki/base/ca/shared/profiles/ca/caRARouterCert.cfg
@@ -0,0 +1,86 @@
+desc=This certificate profile is for enrolling router certificates.
+visible=true
+enable=true
+enableBy=admin
+auth.instance_id=raCertAuth
+name=RA Agent-Authenticated Router Certificate Enrollment
+input.list=i1,i2
+input.i1.class_id=certReqInputImpl
+input.i2.class_id=submitterInfoInputImpl
+output.list=o1
+output.o1.class_id=certOutputImpl
+policyset.list=serverCertSet
+policyset.serverCertSet.list=1,2,3,4,5,6,7,8
+policyset.serverCertSet.1.constraint.class_id=subjectNameConstraintImpl
+policyset.serverCertSet.1.constraint.name=Subject Name Constraint
+policyset.serverCertSet.1.constraint.params.pattern=.*
+policyset.serverCertSet.1.constraint.params.accept=true
+policyset.serverCertSet.1.default.class_id=userSubjectNameDefaultImpl
+policyset.serverCertSet.1.default.name=Subject Name Default
+policyset.serverCertSet.1.default.params.name=
+policyset.serverCertSet.2.constraint.class_id=validityConstraintImpl
+policyset.serverCertSet.2.constraint.name=Validity Constraint
+policyset.serverCertSet.2.constraint.params.range=720
+policyset.serverCertSet.2.constraint.params.notBeforeCheck=false
+policyset.serverCertSet.2.constraint.params.notAfterCheck=false
+policyset.serverCertSet.2.default.class_id=validityDefaultImpl
+policyset.serverCertSet.2.default.name=Validity Default
+policyset.serverCertSet.2.default.params.range=720
+policyset.serverCertSet.2.default.params.startTime=0
+policyset.serverCertSet.3.constraint.class_id=keyConstraintImpl
+policyset.serverCertSet.3.constraint.name=Key Constraint
+policyset.serverCertSet.3.constraint.params.keyType=-
+policyset.serverCertSet.3.constraint.params.keyMinLength=256
+policyset.serverCertSet.3.constraint.params.keyMaxLength=4096
+policyset.serverCertSet.3.default.class_id=userKeyDefaultImpl
+policyset.serverCertSet.3.default.name=Key Default
+policyset.serverCertSet.4.constraint.class_id=noConstraintImpl
+policyset.serverCertSet.4.constraint.name=No Constraint
+policyset.serverCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl
+policyset.serverCertSet.4.default.name=Authority Key Identifier Default
+policyset.serverCertSet.5.constraint.class_id=noConstraintImpl
+policyset.serverCertSet.5.constraint.name=No Constraint
+policyset.serverCertSet.5.default.class_id=authInfoAccessExtDefaultImpl
+policyset.serverCertSet.5.default.name=AIA Extension Default
+policyset.serverCertSet.5.default.params.authInfoAccessADEnable_0=true
+policyset.serverCertSet.5.default.params.authInfoAccessADLocationType_0=URIName
+policyset.serverCertSet.5.default.params.authInfoAccessADLocation_0=
+policyset.serverCertSet.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1
+policyset.serverCertSet.5.default.params.authInfoAccessCritical=false
+policyset.serverCertSet.5.default.params.authInfoAccessNumADs=1
+policyset.serverCertSet.6.constraint.class_id=keyUsageExtConstraintImpl
+policyset.serverCertSet.6.constraint.name=Key Usage Extension Constraint
+policyset.serverCertSet.6.constraint.params.keyUsageCritical=true
+policyset.serverCertSet.6.constraint.params.keyUsageDigitalSignature=true
+policyset.serverCertSet.6.constraint.params.keyUsageNonRepudiation=true
+policyset.serverCertSet.6.constraint.params.keyUsageDataEncipherment=false
+policyset.serverCertSet.6.constraint.params.keyUsageKeyEncipherment=true
+policyset.serverCertSet.6.constraint.params.keyUsageKeyAgreement=false
+policyset.serverCertSet.6.constraint.params.keyUsageKeyCertSign=false
+policyset.serverCertSet.6.constraint.params.keyUsageCrlSign=false
+policyset.serverCertSet.6.constraint.params.keyUsageEncipherOnly=false
+policyset.serverCertSet.6.constraint.params.keyUsageDecipherOnly=false
+policyset.serverCertSet.6.default.class_id=keyUsageExtDefaultImpl
+policyset.serverCertSet.6.default.name=Key Usage Default
+policyset.serverCertSet.6.default.params.keyUsageCritical=true
+policyset.serverCertSet.6.default.params.keyUsageDigitalSignature=true
+policyset.serverCertSet.6.default.params.keyUsageNonRepudiation=true
+policyset.serverCertSet.6.default.params.keyUsageDataEncipherment=false
+policyset.serverCertSet.6.default.params.keyUsageKeyEncipherment=true
+policyset.serverCertSet.6.default.params.keyUsageKeyAgreement=false
+policyset.serverCertSet.6.default.params.keyUsageKeyCertSign=false
+policyset.serverCertSet.6.default.params.keyUsageCrlSign=false
+policyset.serverCertSet.6.default.params.keyUsageEncipherOnly=false
+policyset.serverCertSet.6.default.params.keyUsageDecipherOnly=false
+policyset.serverCertSet.7.constraint.class_id=noConstraintImpl
+policyset.serverCertSet.7.constraint.name=No Constraint
+policyset.serverCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl
+policyset.serverCertSet.7.default.name=Extended Key Usage Extension Default
+policyset.serverCertSet.7.default.params.exKeyUsageCritical=false
+policyset.serverCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4
+policyset.serverCertSet.8.constraint.class_id=signingAlgConstraintImpl
+policyset.serverCertSet.8.constraint.name=No Constraint
+policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC
+policyset.serverCertSet.8.default.class_id=signingAlgDefaultImpl
+policyset.serverCertSet.8.default.name=Signing Alg
+policyset.serverCertSet.8.default.params.signingAlg=-
diff --git a/pki/base/ca/shared/profiles/ca/caRAagentCert.cfg b/pki/base/ca/shared/profiles/ca/caRAagentCert.cfg
new file mode 100644
index 000000000..97d4c9821
--- /dev/null
+++ b/pki/base/ca/shared/profiles/ca/caRAagentCert.cfg
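Review bot: Policy 1 uses `pattern=.*` with `accept=true`, unlike the `CN=.*` pattern every other profile in this commit uses, so this RA-agent-authenticated profile places no requirement on the subject name at all — an empty or arbitrary DN would pass, subject to how `subjectNameConstraintImpl` treats an unanchored match, which is not visible here. Changing it to `policyset.serverCertSet.1.constraint.params.pattern=CN=.*` keeps router certificates on the same footing as the other server-style profiles. Policy 7's EKU list (`exKeyUsageOIDs=1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4`, clientAuth and emailProtection) also omits serverAuth (1.3.6.1.5.5.7.3.1) even though the policy set is named `serverCertSet`; if router certificates are presented by a TLS server this is presumably a gap, and if not, the `desc` should say what a router certificate is actually used for so the EKU choice is understandable.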
@@ -0,0 +1,96 @@
+desc=This certificate profile is for enrolling RA agent user certificates with RA agent authentication.
+visible=true
+enable=true
+enableBy=admin
+auth.instance_id=raCertAuth
+name=RA Agent-Authenticated Agent User Certificate Enrollment
+input.list=i1,i2,i3
+input.i1.class_id=certReqInputImpl
+input.i2.class_id=submitterInfoInputImpl
+input.i3.class_id=subjectDNInputImpl
+output.list=o1
+output.o1.class_id=certOutputImpl
+policyset.list=userCertSet
+policyset.userCertSet.list=1,2,3,4,5,6,7,8,9
+policyset.userCertSet.1.constraint.class_id=subjectNameConstraintImpl
+policyset.userCertSet.1.constraint.name=Subject Name Constraint
+policyset.userCertSet.1.constraint.params.pattern=UID=.*
+policyset.userCertSet.1.constraint.params.accept=true
+policyset.userCertSet.1.default.class_id=userSubjectNameDefaultImpl
+policyset.userCertSet.1.default.name=Subject Name Default
+policyset.userCertSet.1.default.params.name=
+policyset.userCertSet.2.constraint.class_id=validityConstraintImpl
+policyset.userCertSet.2.constraint.name=Validity Constraint
+policyset.userCertSet.2.constraint.params.range=365
+policyset.userCertSet.2.constraint.params.notBeforeCheck=false
+policyset.userCertSet.2.constraint.params.notAfterCheck=false
+policyset.userCertSet.2.default.class_id=validityDefaultImpl
+policyset.userCertSet.2.default.name=Validity Default
+policyset.userCertSet.2.default.params.range=180
+policyset.userCertSet.2.default.params.startTime=0
+policyset.userCertSet.3.constraint.class_id=keyConstraintImpl
+policyset.userCertSet.3.constraint.name=Key Constraint
+policyset.userCertSet.3.constraint.params.keyType=-
+policyset.userCertSet.3.constraint.params.keyMinLength=256
+policyset.userCertSet.3.constraint.params.keyMaxLength=4096
+policyset.userCertSet.3.default.class_id=userKeyDefaultImpl
+policyset.userCertSet.3.default.name=Key Default
+policyset.userCertSet.4.constraint.class_id=noConstraintImpl
+policyset.userCertSet.4.constraint.name=No Constraint
+policyset.userCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl
+policyset.userCertSet.4.default.name=Authority Key Identifier Default
+policyset.userCertSet.5.constraint.class_id=noConstraintImpl
+policyset.userCertSet.5.constraint.name=No Constraint
+policyset.userCertSet.5.default.class_id=authInfoAccessExtDefaultImpl
+policyset.userCertSet.5.default.name=AIA Extension Default
+policyset.userCertSet.5.default.params.authInfoAccessADEnable_0=true
+policyset.userCertSet.5.default.params.authInfoAccessADLocationType_0=URIName
+policyset.userCertSet.5.default.params.authInfoAccessADLocation_0=
+policyset.userCertSet.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1
+policyset.userCertSet.5.default.params.authInfoAccessCritical=false
+policyset.userCertSet.5.default.params.authInfoAccessNumADs=1
+policyset.userCertSet.6.constraint.class_id=keyUsageExtConstraintImpl
+policyset.userCertSet.6.constraint.name=Key Usage Extension Constraint
+policyset.userCertSet.6.constraint.params.keyUsageCritical=true
+policyset.userCertSet.6.constraint.params.keyUsageDigitalSignature=true
+policyset.userCertSet.6.constraint.params.keyUsageNonRepudiation=true
+policyset.userCertSet.6.constraint.params.keyUsageDataEncipherment=false
+policyset.userCertSet.6.constraint.params.keyUsageKeyEncipherment=true
+policyset.userCertSet.6.constraint.params.keyUsageKeyAgreement=false
+policyset.userCertSet.6.constraint.params.keyUsageKeyCertSign=false
+policyset.userCertSet.6.constraint.params.keyUsageCrlSign=false
+policyset.userCertSet.6.constraint.params.keyUsageEncipherOnly=false
+policyset.userCertSet.6.constraint.params.keyUsageDecipherOnly=false
+policyset.userCertSet.6.default.class_id=keyUsageExtDefaultImpl
+policyset.userCertSet.6.default.name=Key Usage Default
+policyset.userCertSet.6.default.params.keyUsageCritical=true
+policyset.userCertSet.6.default.params.keyUsageDigitalSignature=true
+policyset.userCertSet.6.default.params.keyUsageNonRepudiation=true
+policyset.userCertSet.6.default.params.keyUsageDataEncipherment=false
+policyset.userCertSet.6.default.params.keyUsageKeyEncipherment=true
+policyset.userCertSet.6.default.params.keyUsageKeyAgreement=false
+policyset.userCertSet.6.default.params.keyUsageKeyCertSign=false
+policyset.userCertSet.6.default.params.keyUsageCrlSign=false
+policyset.userCertSet.6.default.params.keyUsageEncipherOnly=false
+policyset.userCertSet.6.default.params.keyUsageDecipherOnly=false
+policyset.userCertSet.7.constraint.class_id=noConstraintImpl
+policyset.userCertSet.7.constraint.name=No Constraint
+policyset.userCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl
+policyset.userCertSet.7.default.name=Extended Key Usage Extension Default
+policyset.userCertSet.7.default.params.exKeyUsageCritical=false
+policyset.userCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4
+policyset.userCertSet.8.constraint.class_id=noConstraintImpl
+policyset.userCertSet.8.constraint.name=No Constraint
+policyset.userCertSet.8.default.class_id=subjectAltNameExtDefaultImpl
+policyset.userCertSet.8.default.name=Subject Alt Name Constraint
+policyset.userCertSet.8.default.params.subjAltNameExtCritical=false
+policyset.userCertSet.8.default.params.subjAltExtType_0=RFC822Name
+policyset.userCertSet.8.default.params.subjAltExtPattern_0=$request.requestor_email$
+policyset.userCertSet.8.default.params.subjAltExtGNEnable_0=true
+policyset.userCertSet.8.default.params.subjAltNameNumGNs=1
+policyset.userCertSet.9.constraint.class_id=signingAlgConstraintImpl
+policyset.userCertSet.9.constraint.name=No Constraint
+policyset.userCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withEC
+policyset.userCertSet.9.default.class_id=signingAlgDefaultImpl
+policyset.userCertSet.9.default.name=Signing Alg
+policyset.userCertSet.9.default.params.signingAlg=-
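Review bot: `policyset.userCertSet.9.constraint.params.signingAlgsAllowed` still admits MD5withRSA and MD2withRSA, hashes for which chosen-prefix collisions are practical, and with the default `signingAlg=-` (which appears to fix no algorithm) this constraint is the only bound on what the CA will sign with; the same list is repeated in caRAserverCert.cfg, caRouterCert.cfg, caServerCert.cfg, caSignedLogCert.cfg, caSimpleCMCUserCert.cfg and caTPSCert.cfg. I would drop the MD entries, `policyset.userCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1withEC`, and apply the same trim to the other profiles. Separately, policy 8 copies `$request.requestor_email$` into an RFC822Name SAN, and no constraint in this profile validates that value, so the approving agent is the only check on the e-mail the certificate asserts; a one-line note in `desc` saying so would help operators.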
diff --git a/pki/base/ca/shared/profiles/ca/caRAserverCert.cfg b/pki/base/ca/shared/profiles/ca/caRAserverCert.cfg
new file mode 100644
index 000000000..e139a193f
--- /dev/null
+++ b/pki/base/ca/shared/profiles/ca/caRAserverCert.cfg
@@ -0,0 +1,86 @@
+desc=This certificate profile is for enrolling server certificates with RA agent authentication.
+visible=true
+enable=true
+enableBy=admin
+auth.instance_id=raCertAuth
+name=RA Agent-Authenticated Server Certificate Enrollment
+input.list=i1,i2
+input.i1.class_id=certReqInputImpl
+input.i2.class_id=submitterInfoInputImpl
+output.list=o1
+output.o1.class_id=certOutputImpl
+policyset.list=serverCertSet
+policyset.serverCertSet.list=1,2,3,4,5,6,7,8
+policyset.serverCertSet.1.constraint.class_id=subjectNameConstraintImpl
+policyset.serverCertSet.1.constraint.name=Subject Name Constraint
+policyset.serverCertSet.1.constraint.params.pattern=CN=.*
+policyset.serverCertSet.1.constraint.params.accept=true
+policyset.serverCertSet.1.default.class_id=userSubjectNameDefaultImpl
+policyset.serverCertSet.1.default.name=Subject Name Default
+policyset.serverCertSet.1.default.params.name=
+policyset.serverCertSet.2.constraint.class_id=validityConstraintImpl
+policyset.serverCertSet.2.constraint.name=Validity Constraint
+policyset.serverCertSet.2.constraint.params.range=365
+policyset.serverCertSet.2.constraint.params.notBeforeCheck=false
+policyset.serverCertSet.2.constraint.params.notAfterCheck=false
+policyset.serverCertSet.2.default.class_id=validityDefaultImpl
+policyset.serverCertSet.2.default.name=Validity Default
+policyset.serverCertSet.2.default.params.range=180
+policyset.serverCertSet.2.default.params.startTime=0
+policyset.serverCertSet.3.constraint.class_id=keyConstraintImpl
+policyset.serverCertSet.3.constraint.name=Key Constraint
+policyset.serverCertSet.3.constraint.params.keyType=-
+policyset.serverCertSet.3.constraint.params.keyMinLength=256
+policyset.serverCertSet.3.constraint.params.keyMaxLength=4096
+policyset.serverCertSet.3.default.class_id=userKeyDefaultImpl
+policyset.serverCertSet.3.default.name=Key Default
+policyset.serverCertSet.4.constraint.class_id=noConstraintImpl
+policyset.serverCertSet.4.constraint.name=No Constraint
+policyset.serverCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl
+policyset.serverCertSet.4.default.name=Authority Key Identifier Default
+policyset.serverCertSet.5.constraint.class_id=noConstraintImpl
+policyset.serverCertSet.5.constraint.name=No Constraint
+policyset.serverCertSet.5.default.class_id=authInfoAccessExtDefaultImpl
+policyset.serverCertSet.5.default.name=AIA Extension Default
+policyset.serverCertSet.5.default.params.authInfoAccessADEnable_0=true
+policyset.serverCertSet.5.default.params.authInfoAccessADLocationType_0=URIName
+policyset.serverCertSet.5.default.params.authInfoAccessADLocation_0=
+policyset.serverCertSet.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1
+policyset.serverCertSet.5.default.params.authInfoAccessCritical=false
+policyset.serverCertSet.5.default.params.authInfoAccessNumADs=1
+policyset.serverCertSet.6.constraint.class_id=keyUsageExtConstraintImpl
+policyset.serverCertSet.6.constraint.name=Key Usage Extension Constraint
+policyset.serverCertSet.6.constraint.params.keyUsageCritical=true
+policyset.serverCertSet.6.constraint.params.keyUsageDigitalSignature=true
+policyset.serverCertSet.6.constraint.params.keyUsageNonRepudiation=true
+policyset.serverCertSet.6.constraint.params.keyUsageDataEncipherment=true
+policyset.serverCertSet.6.constraint.params.keyUsageKeyEncipherment=true
+policyset.serverCertSet.6.constraint.params.keyUsageKeyAgreement=false
+policyset.serverCertSet.6.constraint.params.keyUsageKeyCertSign=false
+policyset.serverCertSet.6.constraint.params.keyUsageCrlSign=false
+policyset.serverCertSet.6.constraint.params.keyUsageEncipherOnly=false
+policyset.serverCertSet.6.constraint.params.keyUsageDecipherOnly=false
+policyset.serverCertSet.6.default.class_id=keyUsageExtDefaultImpl
+policyset.serverCertSet.6.default.name=Key Usage Default
+policyset.serverCertSet.6.default.params.keyUsageCritical=true
+policyset.serverCertSet.6.default.params.keyUsageDigitalSignature=true
+policyset.serverCertSet.6.default.params.keyUsageNonRepudiation=true
+policyset.serverCertSet.6.default.params.keyUsageDataEncipherment=true
+policyset.serverCertSet.6.default.params.keyUsageKeyEncipherment=true
+policyset.serverCertSet.6.default.params.keyUsageKeyAgreement=false
+policyset.serverCertSet.6.default.params.keyUsageKeyCertSign=false
+policyset.serverCertSet.6.default.params.keyUsageCrlSign=false
+policyset.serverCertSet.6.default.params.keyUsageEncipherOnly=false
+policyset.serverCertSet.6.default.params.keyUsageDecipherOnly=false
+policyset.serverCertSet.7.constraint.class_id=noConstraintImpl
+policyset.serverCertSet.7.constraint.name=No Constraint
+policyset.serverCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl
+policyset.serverCertSet.7.default.name=Extended Key Usage Extension Default
+policyset.serverCertSet.7.default.params.exKeyUsageCritical=false
+policyset.serverCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.1
+policyset.serverCertSet.8.constraint.class_id=signingAlgConstraintImpl
+policyset.serverCertSet.8.constraint.name=No Constraint
+policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC
+policyset.serverCertSet.8.default.class_id=signingAlgDefaultImpl
+policyset.serverCertSet.8.default.name=Signing Alg
+policyset.serverCertSet.8.default.params.signingAlg=-
diff --git a/pki/base/ca/shared/profiles/ca/caRouterCert.cfg b/pki/base/ca/shared/profiles/ca/caRouterCert.cfg
new file mode 100644
index 000000000..d4f22ac16
--- /dev/null
+++ b/pki/base/ca/shared/profiles/ca/caRouterCert.cfg
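Review bot: `policyset.serverCertSet.3.constraint.params.keyMinLength=256` accepts RSA moduli that are trivially factorable, and because `keyType=-` the same bound seems to apply to every key algorithm; every other profile in this diff carries the same 256. 256 bits is a reasonable floor only for EC keys, so either the key constraint should be split per algorithm or the floor raised to `policyset.serverCertSet.3.constraint.params.keyMinLength=2048` for the RSA-oriented profiles. Also worth a second look: this server profile sets `keyUsageDataEncipherment=true` in both constraint and default, while caRAagentCert.cfg and caRouterCert.cfg set it false; if it is intentional, `desc` should say why a TLS server key needs dataEncipherment.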
@@ -0,0 +1,86 @@
+desc=This certificate profile is for enrolling router certificates.
+visible=true
+enable=true
+enableBy=admin
+auth.instance_id=flatFileAuth
+name=One Time Pin Router Certificate Enrollment
+input.list=i1,i2
+input.i1.class_id=certReqInputImpl
+input.i2.class_id=submitterInfoInputImpl
+output.list=o1
+output.o1.class_id=certOutputImpl
+policyset.list=serverCertSet
+policyset.serverCertSet.list=1,2,3,4,5,6,7,8
+policyset.serverCertSet.1.constraint.class_id=subjectNameConstraintImpl
+policyset.serverCertSet.1.constraint.name=Subject Name Constraint
+policyset.serverCertSet.1.constraint.params.pattern=.*
+policyset.serverCertSet.1.constraint.params.accept=true
+policyset.serverCertSet.1.default.class_id=userSubjectNameDefaultImpl
+policyset.serverCertSet.1.default.name=Subject Name Default
+policyset.serverCertSet.1.default.params.name=
+policyset.serverCertSet.2.constraint.class_id=validityConstraintImpl
+policyset.serverCertSet.2.constraint.name=Validity Constraint
+policyset.serverCertSet.2.constraint.params.range=720
+policyset.serverCertSet.2.constraint.params.notBeforeCheck=false
+policyset.serverCertSet.2.constraint.params.notAfterCheck=false
+policyset.serverCertSet.2.default.class_id=validityDefaultImpl
+policyset.serverCertSet.2.default.name=Validity Default
+policyset.serverCertSet.2.default.params.range=720
+policyset.serverCertSet.2.default.params.startTime=0
+policyset.serverCertSet.3.constraint.class_id=keyConstraintImpl
+policyset.serverCertSet.3.constraint.name=Key Constraint
+policyset.serverCertSet.3.constraint.params.keyType=-
+policyset.serverCertSet.3.constraint.params.keyMinLength=256
+policyset.serverCertSet.3.constraint.params.keyMaxLength=4096
+policyset.serverCertSet.3.default.class_id=userKeyDefaultImpl
+policyset.serverCertSet.3.default.name=Key Default
+policyset.serverCertSet.4.constraint.class_id=noConstraintImpl
+policyset.serverCertSet.4.constraint.name=No Constraint
+policyset.serverCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl
+policyset.serverCertSet.4.default.name=Authority Key Identifier Default
+policyset.serverCertSet.5.constraint.class_id=noConstraintImpl
+policyset.serverCertSet.5.constraint.name=No Constraint
+policyset.serverCertSet.5.default.class_id=authInfoAccessExtDefaultImpl
+policyset.serverCertSet.5.default.name=AIA Extension Default
+policyset.serverCertSet.5.default.params.authInfoAccessADEnable_0=true
+policyset.serverCertSet.5.default.params.authInfoAccessADLocationType_0=URIName
+policyset.serverCertSet.5.default.params.authInfoAccessADLocation_0=
+policyset.serverCertSet.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1
+policyset.serverCertSet.5.default.params.authInfoAccessCritical=false
+policyset.serverCertSet.5.default.params.authInfoAccessNumADs=1
+policyset.serverCertSet.6.constraint.class_id=keyUsageExtConstraintImpl
+policyset.serverCertSet.6.constraint.name=Key Usage Extension Constraint
+policyset.serverCertSet.6.constraint.params.keyUsageCritical=true
+policyset.serverCertSet.6.constraint.params.keyUsageDigitalSignature=true
+policyset.serverCertSet.6.constraint.params.keyUsageNonRepudiation=true
+policyset.serverCertSet.6.constraint.params.keyUsageDataEncipherment=false
+policyset.serverCertSet.6.constraint.params.keyUsageKeyEncipherment=true
+policyset.serverCertSet.6.constraint.params.keyUsageKeyAgreement=false
+policyset.serverCertSet.6.constraint.params.keyUsageKeyCertSign=false
+policyset.serverCertSet.6.constraint.params.keyUsageCrlSign=false
+policyset.serverCertSet.6.constraint.params.keyUsageEncipherOnly=false
+policyset.serverCertSet.6.constraint.params.keyUsageDecipherOnly=false
+policyset.serverCertSet.6.default.class_id=keyUsageExtDefaultImpl
+policyset.serverCertSet.6.default.name=Key Usage Default
+policyset.serverCertSet.6.default.params.keyUsageCritical=true
+policyset.serverCertSet.6.default.params.keyUsageDigitalSignature=true
+policyset.serverCertSet.6.default.params.keyUsageNonRepudiation=true
+policyset.serverCertSet.6.default.params.keyUsageDataEncipherment=false
+policyset.serverCertSet.6.default.params.keyUsageKeyEncipherment=true
+policyset.serverCertSet.6.default.params.keyUsageKeyAgreement=false
+policyset.serverCertSet.6.default.params.keyUsageKeyCertSign=false
+policyset.serverCertSet.6.default.params.keyUsageCrlSign=false
+policyset.serverCertSet.6.default.params.keyUsageEncipherOnly=false
+policyset.serverCertSet.6.default.params.keyUsageDecipherOnly=false
+policyset.serverCertSet.7.constraint.class_id=noConstraintImpl
+policyset.serverCertSet.7.constraint.name=No Constraint
+policyset.serverCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl
+policyset.serverCertSet.7.default.name=Extended Key Usage Extension Default
+policyset.serverCertSet.7.default.params.exKeyUsageCritical=false
+policyset.serverCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4
+policyset.serverCertSet.8.constraint.class_id=signingAlgConstraintImpl
+policyset.serverCertSet.8.constraint.name=No Constraint
+policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC
+policyset.serverCertSet.8.default.class_id=signingAlgDefaultImpl
+policyset.serverCertSet.8.default.name=Signing Alg
+policyset.serverCertSet.8.default.params.signingAlg=-
diff --git a/pki/base/ca/shared/profiles/ca/caServerCert.cfg b/pki/base/ca/shared/profiles/ca/caServerCert.cfg
new file mode 100644
index 000000000..7f971429b
--- /dev/null
+++ b/pki/base/ca/shared/profiles/ca/caServerCert.cfg
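Review bot: `policyset.serverCertSet.1.constraint.params.pattern=.*` with `accept=true` places no restriction at all on the subject DN for a profile whose only gate is a flat-file one-time PIN, so whoever holds a PIN chooses the entire issued name, empty DN included; the other server-style profiles in this diff require at least `CN=.*`. I would tighten it to `policyset.serverCertSet.1.constraint.params.pattern=CN=.*` unless the router enrollment client genuinely sends CN-less subjects, in which case `desc` should say so. The EKU list `1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4` (clientAuth, emailProtection) also differs from caRAserverCert.cfg's serverAuth-only list, which is surprising for a profile that reuses the `serverCertSet` name; worth confirming that is intended rather than copied from the user-cert profile.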
@@ -0,0 +1,86 @@
+desc=This certificate profile is for enrolling server certificates.
+visible=true
+enable=true
+enableBy=admin
+auth.class_id=
+name=Manual Server Certificate Enrollment
+input.list=i1,i2
+input.i1.class_id=certReqInputImpl
+input.i2.class_id=submitterInfoInputImpl
+output.list=o1
+output.o1.class_id=certOutputImpl
+policyset.list=serverCertSet
+policyset.serverCertSet.list=1,2,3,4,5,6,7,8
+policyset.serverCertSet.1.constraint.class_id=subjectNameConstraintImpl
+policyset.serverCertSet.1.constraint.name=Subject Name Constraint
+policyset.serverCertSet.1.constraint.params.pattern=.*CN=.*
+policyset.serverCertSet.1.constraint.params.accept=true
+policyset.serverCertSet.1.default.class_id=userSubjectNameDefaultImpl
+policyset.serverCertSet.1.default.name=Subject Name Default
+policyset.serverCertSet.1.default.params.name=
+policyset.serverCertSet.2.constraint.class_id=validityConstraintImpl
+policyset.serverCertSet.2.constraint.name=Validity Constraint
+policyset.serverCertSet.2.constraint.params.range=720
+policyset.serverCertSet.2.constraint.params.notBeforeCheck=false
+policyset.serverCertSet.2.constraint.params.notAfterCheck=false
+policyset.serverCertSet.2.default.class_id=validityDefaultImpl
+policyset.serverCertSet.2.default.name=Validity Default
+policyset.serverCertSet.2.default.params.range=720
+policyset.serverCertSet.2.default.params.startTime=0
+policyset.serverCertSet.3.constraint.class_id=keyConstraintImpl
+policyset.serverCertSet.3.constraint.name=Key Constraint
+policyset.serverCertSet.3.constraint.params.keyType=-
+policyset.serverCertSet.3.constraint.params.keyMinLength=256
+policyset.serverCertSet.3.constraint.params.keyMaxLength=4096
+policyset.serverCertSet.3.default.class_id=userKeyDefaultImpl
+policyset.serverCertSet.3.default.name=Key Default
+policyset.serverCertSet.4.constraint.class_id=noConstraintImpl
+policyset.serverCertSet.4.constraint.name=No Constraint
+policyset.serverCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl
+policyset.serverCertSet.4.default.name=Authority Key Identifier Default
+policyset.serverCertSet.5.constraint.class_id=noConstraintImpl
+policyset.serverCertSet.5.constraint.name=No Constraint
+policyset.serverCertSet.5.default.class_id=authInfoAccessExtDefaultImpl
+policyset.serverCertSet.5.default.name=AIA Extension Default
+policyset.serverCertSet.5.default.params.authInfoAccessADEnable_0=true
+policyset.serverCertSet.5.default.params.authInfoAccessADLocationType_0=URIName
+policyset.serverCertSet.5.default.params.authInfoAccessADLocation_0=
+policyset.serverCertSet.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1
+policyset.serverCertSet.5.default.params.authInfoAccessCritical=false
+policyset.serverCertSet.5.default.params.authInfoAccessNumADs=1
+policyset.serverCertSet.6.constraint.class_id=keyUsageExtConstraintImpl
+policyset.serverCertSet.6.constraint.name=Key Usage Extension Constraint
+policyset.serverCertSet.6.constraint.params.keyUsageCritical=true
+policyset.serverCertSet.6.constraint.params.keyUsageDigitalSignature=true
+policyset.serverCertSet.6.constraint.params.keyUsageNonRepudiation=true
+policyset.serverCertSet.6.constraint.params.keyUsageDataEncipherment=true
+policyset.serverCertSet.6.constraint.params.keyUsageKeyEncipherment=true
+policyset.serverCertSet.6.constraint.params.keyUsageKeyAgreement=false
+policyset.serverCertSet.6.constraint.params.keyUsageKeyCertSign=false
+policyset.serverCertSet.6.constraint.params.keyUsageCrlSign=false
+policyset.serverCertSet.6.constraint.params.keyUsageEncipherOnly=false
+policyset.serverCertSet.6.constraint.params.keyUsageDecipherOnly=false
+policyset.serverCertSet.6.default.class_id=keyUsageExtDefaultImpl
+policyset.serverCertSet.6.default.name=Key Usage Default
+policyset.serverCertSet.6.default.params.keyUsageCritical=true
+policyset.serverCertSet.6.default.params.keyUsageDigitalSignature=true
+policyset.serverCertSet.6.default.params.keyUsageNonRepudiation=true
+policyset.serverCertSet.6.default.params.keyUsageDataEncipherment=true
+policyset.serverCertSet.6.default.params.keyUsageKeyEncipherment=true
+policyset.serverCertSet.6.default.params.keyUsageKeyAgreement=false
+policyset.serverCertSet.6.default.params.keyUsageKeyCertSign=false
+policyset.serverCertSet.6.default.params.keyUsageCrlSign=false
+policyset.serverCertSet.6.default.params.keyUsageEncipherOnly=false
+policyset.serverCertSet.6.default.params.keyUsageDecipherOnly=false
+policyset.serverCertSet.7.constraint.class_id=noConstraintImpl
+policyset.serverCertSet.7.constraint.name=No Constraint
+policyset.serverCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl
+policyset.serverCertSet.7.default.name=Extended Key Usage Extension Default
+policyset.serverCertSet.7.default.params.exKeyUsageCritical=false
+policyset.serverCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2
+policyset.serverCertSet.8.constraint.class_id=signingAlgConstraintImpl
+policyset.serverCertSet.8.constraint.name=No Constraint
+policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC
+policyset.serverCertSet.8.default.class_id=signingAlgDefaultImpl
+policyset.serverCertSet.8.default.name=Signing Alg
+policyset.serverCertSet.8.default.params.signingAlg=-
diff --git a/pki/base/ca/shared/profiles/ca/caSignedLogCert.cfg b/pki/base/ca/shared/profiles/ca/caSignedLogCert.cfg
new file mode 100644
index 000000000..00a35d386
--- /dev/null
+++ b/pki/base/ca/shared/profiles/ca/caSignedLogCert.cfg
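Review bot: `policyset.serverCertSet.1.constraint.params.pattern=.*CN=.*` is looser than the `CN=.*` used by caRAserverCert.cfg and caTPSCert.cfg: if the constraint performs a full match, the leading `.*` lets `CN=` appear anywhere in the DN string, including inside the value of a preceding attribute, rather than requiring a leading CN; if it performs a search match, the leading `.*` is redundant. Either way `policyset.serverCertSet.1.constraint.params.pattern=CN=.*` would be consistent with the sibling profiles and no weaker. A style point on the header: this profile spells the empty authenticator as `auth.class_id=` while the authenticated profiles use `auth.instance_id=`; I can't tell from the diff which key the profile loader reads for the unauthenticated case, so it is worth confirming the empty key is the one that is honoured.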
@@ -0,0 +1,75 @@
+desc=This profile is for enrolling audit log signing certificates
+visible=true
+enable=true
+enableBy=admin
+auth.class_id=
+name=Manual Log Signing Certificate Enrollment
+input.list=i1,i2
+input.i1.class_id=certReqInputImpl
+input.i2.class_id=submitterInfoInputImpl
+output.list=o1
+output.o1.class_id=certOutputImpl
+policyset.list=caLogSigningSet
+policyset.caLogSigningSet.list=1,2,3,4,6,8,9
+policyset.caLogSigningSet.1.constraint.class_id=subjectNameConstraintImpl
+policyset.caLogSigningSet.1.constraint.name=Subject Name Constraint
+policyset.caLogSigningSet.1.constraint.params.pattern=CN=.*
+policyset.caLogSigningSet.1.constraint.params.accept=true
+policyset.caLogSigningSet.1.default.class_id=userSubjectNameDefaultImpl
+policyset.caLogSigningSet.1.default.name=Subject Name Default
+policyset.caLogSigningSet.1.default.params.name=
+policyset.caLogSigningSet.2.constraint.class_id=validityConstraintImpl
+policyset.caLogSigningSet.2.constraint.name=Validity Constraint
+policyset.caLogSigningSet.2.constraint.params.range=365
+policyset.caLogSigningSet.2.constraint.params.notBeforeCheck=false
+policyset.caLogSigningSet.2.constraint.params.notAfterCheck=false
+policyset.caLogSigningSet.2.default.class_id=validityDefaultImpl
+policyset.caLogSigningSet.2.default.name=Validity Default
+policyset.caLogSigningSet.2.default.params.range=180
+policyset.caLogSigningSet.2.default.params.startTime=60
+policyset.caLogSigningSet.3.constraint.class_id=keyConstraintImpl
+policyset.caLogSigningSet.3.constraint.name=Key Constraint
+policyset.caLogSigningSet.3.constraint.params.keyType=-
+policyset.caLogSigningSet.3.constraint.params.keyMinLength=256
+policyset.caLogSigningSet.3.constraint.params.keyMaxLength=4096
+policyset.caLogSigningSet.3.default.class_id=userKeyDefaultImpl
+policyset.caLogSigningSet.3.default.name=Key Default
+policyset.caLogSigningSet.4.constraint.class_id=noConstraintImpl
+policyset.caLogSigningSet.4.constraint.name=No Constraint
+policyset.caLogSigningSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl
+policyset.caLogSigningSet.4.default.name=Authority Key Identifier Default
+policyset.caLogSigningSet.6.constraint.class_id=keyUsageExtConstraintImpl
+policyset.caLogSigningSet.6.constraint.name=Key Usage Extension Constraint
+policyset.caLogSigningSet.6.constraint.params.keyUsageCritical=true
+policyset.caLogSigningSet.6.constraint.params.keyUsageDigitalSignature=true
+policyset.caLogSigningSet.6.constraint.params.keyUsageNonRepudiation=true
+policyset.caLogSigningSet.6.constraint.params.keyUsageDataEncipherment=false
+policyset.caLogSigningSet.6.constraint.params.keyUsageKeyEncipherment=false
+policyset.caLogSigningSet.6.constraint.params.keyUsageKeyAgreement=false
+policyset.caLogSigningSet.6.constraint.params.keyUsageKeyCertSign=false
+policyset.caLogSigningSet.6.constraint.params.keyUsageCrlSign=false
+policyset.caLogSigningSet.6.constraint.params.keyUsageEncipherOnly=false
+policyset.caLogSigningSet.6.constraint.params.keyUsageDecipherOnly=false
+policyset.caLogSigningSet.6.default.class_id=keyUsageExtDefaultImpl
+policyset.caLogSigningSet.6.default.name=Key Usage Default
+policyset.caLogSigningSet.6.default.params.keyUsageCritical=true
+policyset.caLogSigningSet.6.default.params.keyUsageDigitalSignature=true
+policyset.caLogSigningSet.6.default.params.keyUsageNonRepudiation=true
+policyset.caLogSigningSet.6.default.params.keyUsageDataEncipherment=false
+policyset.caLogSigningSet.6.default.params.keyUsageKeyEncipherment=false
+policyset.caLogSigningSet.6.default.params.keyUsageKeyAgreement=false
+policyset.caLogSigningSet.6.default.params.keyUsageKeyCertSign=false
+policyset.caLogSigningSet.6.default.params.keyUsageCrlSign=false
+policyset.caLogSigningSet.6.default.params.keyUsageEncipherOnly=false
+policyset.caLogSigningSet.6.default.params.keyUsageDecipherOnly=false
+policyset.caLogSigningSet.8.constraint.class_id=noConstraintImpl
+policyset.caLogSigningSet.8.constraint.name=No Constraint
+policyset.caLogSigningSet.8.default.class_id=subjectKeyIdentifierExtDefaultImpl
+policyset.caLogSigningSet.8.default.name=Subject Key Identifier Extension Default
+policyset.caLogSigningSet.8.default.params.critical=false
+policyset.caLogSigningSet.9.constraint.class_id=signingAlgConstraintImpl
+policyset.caLogSigningSet.9.constraint.name=No Constraint
+policyset.caLogSigningSet.9.constraint.params.signingAlgsAllowed=MD5withRSA,MD2withRSA,SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1withDSA,SHA1withEC
+policyset.caLogSigningSet.9.default.class_id=signingAlgDefaultImpl
+policyset.caLogSigningSet.9.default.name=Signing Alg
+policyset.caLogSigningSet.9.default.params.signingAlg=-
diff --git a/pki/base/ca/shared/profiles/ca/caSimpleCMCUserCert.cfg b/pki/base/ca/shared/profiles/ca/caSimpleCMCUserCert.cfg
new file mode 100644
index 000000000..91e34b8ab
--- /dev/null
+++ b/pki/base/ca/shared/profiles/ca/caSimpleCMCUserCert.cfg
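Review bot: `policyset.caLogSigningSet.2.default.params.startTime=60` is the only non-zero validity start in this diff (every other profile uses `startTime=0`), and neither the unit nor the reason is visible here; if the offset is deliberate for log-signing certificates, a sentence in `desc` explaining it would stop the next reader from "fixing" it back to 0. On the signing-algorithm constraint, this profile lists `MD5withRSA,MD2withRSA` first; since the integrity of the audit trail rests on the certificate this profile issues, the MD entries matter more here than in the profiles covered by the note on caRAagentCert.cfg and should be removed first. Minor: `desc` lacks the trailing period the sibling profiles use.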
@@ -0,0 +1,85 @@
+desc=This certificate profile is for enrolling user certificates by using the CMC certificate request with CMC Signature authentication.
+enable=true
+enableBy=admin
+name=Simple CMC Enrollment Request for User Certificate
+visible=false
+auth.instance_id=
+input.list=i1
+input.i1.class_id=certReqInputImpl
+output.list=o1
+output.o1.class_id=certOutputImpl
+policyset.list=cmcUserCertSet
+policyset.cmcUserCertSet.list=1,2,3,4,5,6,7,8
+policyset.cmcUserCertSet.1.constraint.class_id=subjectNameConstraintImpl
+policyset.cmcUserCertSet.1.constraint.name=Subject Name Constraint
+policyset.cmcUserCertSet.1.constraint.params.accept=true
+policyset.cmcUserCertSet.1.constraint.params.pattern=.*
+policyset.cmcUserCertSet.1.default.class_id=userSubjectNameDefaultImpl
+policyset.cmcUserCertSet.1.default.name=Subject Name Default
+policyset.cmcUserCertSet.1.default.params.name=
+policyset.cmcUserCertSet.2.constraint.class_id=validityConstraintImpl
+policyset.cmcUserCertSet.2.constraint.name=Validity Constraint
+policyset.cmcUserCertSet.2.constraint.params.notAfterCheck=false
+policyset.cmcUserCertSet.2.constraint.params.notBeforeCheck=false
+policyset.cmcUserCertSet.2.constraint.params.range=365
+policyset.cmcUserCertSet.2.default.class_id=validityDefaultImpl
+policyset.cmcUserCertSet.2.default.name=Validity Default
+policyset.cmcUserCertSet.2.default.params.range=180
+policyset.cmcUserCertSet.2.default.params.startTime=0
+policyset.cmcUserCertSet.3.constraint.class_id=keyConstraintImpl
+policyset.cmcUserCertSet.3.constraint.name=Key Constraint
+policyset.cmcUserCertSet.3.constraint.params.keyMaxLength=4096
+policyset.cmcUserCertSet.3.constraint.params.keyMinLength=256
+policyset.cmcUserCertSet.3.constraint.params.keyType=-
+policyset.cmcUserCertSet.3.default.class_id=userKeyDefaultImpl
+policyset.cmcUserCertSet.3.default.name=Key Default
+policyset.cmcUserCertSet.4.constraint.class_id=noConstraintImpl
+policyset.cmcUserCertSet.4.constraint.name=No Constraint
+policyset.cmcUserCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl
+policyset.cmcUserCertSet.4.default.name=Authority Key Identifier Default
+policyset.cmcUserCertSet.5.constraint.class_id=noConstraintImpl
+policyset.cmcUserCertSet.5.constraint.name=No Constraint
+policyset.cmcUserCertSet.5.default.class_id=authInfoAccessExtDefaultImpl
+policyset.cmcUserCertSet.5.default.name=AIA Extension Default
+policyset.cmcUserCertSet.5.default.params.authInfoAccessADEnable_0=true
+policyset.cmcUserCertSet.5.default.params.authInfoAccessADLocationType_0=URIName
+policyset.cmcUserCertSet.5.default.params.authInfoAccessADLocation_0=
+policyset.cmcUserCertSet.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1
+policyset.cmcUserCertSet.5.default.params.authInfoAccessCritical=false
+policyset.cmcUserCertSet.5.default.params.authInfoAccessNumADs=1
+policyset.cmcUserCertSet.6.constraint.class_id=keyUsageExtConstraintImpl
+policyset.cmcUserCertSet.6.constraint.name=Key Usage Extension Constraint
+policyset.cmcUserCertSet.6.constraint.params.keyUsageCritical=true
+policyset.cmcUserCertSet.6.constraint.params.keyUsageCrlSign=false
+policyset.cmcUserCertSet.6.constraint.params.keyUsageDataEncipherment=false
+policyset.cmcUserCertSet.6.constraint.params.keyUsageDecipherOnly=false
+policyset.cmcUserCertSet.6.constraint.params.keyUsageDigitalSignature=true
+policyset.cmcUserCertSet.6.constraint.params.keyUsageEncipherOnly=false
+policyset.cmcUserCertSet.6.constraint.params.keyUsageKeyAgreement=false
+policyset.cmcUserCertSet.6.constraint.params.keyUsageKeyCertSign=false
+policyset.cmcUserCertSet.6.constraint.params.keyUsageKeyEncipherment=true
+policyset.cmcUserCertSet.6.constraint.params.keyUsageNonRepudiation=true
+policyset.cmcUserCertSet.6.default.class_id=keyUsageExtDefaultImpl
+policyset.cmcUserCertSet.6.default.name=Key Usage Default
+policyset.cmcUserCertSet.6.default.params.keyUsageCritical=true
+policyset.cmcUserCertSet.6.default.params.keyUsageCrlSign=false
+policyset.cmcUserCertSet.6.default.params.keyUsageDataEncipherment=false
+policyset.cmcUserCertSet.6.default.params.keyUsageDecipherOnly=false
+policyset.cmcUserCertSet.6.default.params.keyUsageDigitalSignature=true
+policyset.cmcUserCertSet.6.default.params.keyUsageEncipherOnly=false
+policyset.cmcUserCertSet.6.default.params.keyUsageKeyAgreement=false
+policyset.cmcUserCertSet.6.default.params.keyUsageKeyCertSign=false
+policyset.cmcUserCertSet.6.default.params.keyUsageKeyEncipherment=true
+policyset.cmcUserCertSet.6.default.params.keyUsageNonRepudiation=true
+policyset.cmcUserCertSet.7.constraint.class_id=noConstraintImpl
+policyset.cmcUserCertSet.7.constraint.name=No Constraint
+policyset.cmcUserCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl
+policyset.cmcUserCertSet.7.default.name=Extended Key Usage Extension Default
+policyset.cmcUserCertSet.7.default.params.exKeyUsageCritical=false
+policyset.cmcUserCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4
+policyset.cmcUserCertSet.8.constraint.class_id=signingAlgConstraintImpl
+policyset.cmcUserCertSet.8.constraint.name=No Constraint
+policyset.cmcUserCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC
+policyset.cmcUserCertSet.8.default.class_id=signingAlgDefaultImpl
+policyset.cmcUserCertSet.8.default.name=Signing Alg
+policyset.cmcUserCertSet.8.default.params.signingAlg=-
diff --git a/pki/base/ca/shared/profiles/ca/caTPSCert.cfg b/pki/base/ca/shared/profiles/ca/caTPSCert.cfg
new file mode 100644
index 000000000..b2233a4e7
--- /dev/null
+++ b/pki/base/ca/shared/profiles/ca/caTPSCert.cfg
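Review bot: `desc` says this profile enrolls "with CMC Signature authentication", but `auth.instance_id=` is empty and the subject constraint is `pattern=.*` with `accept=true`, so as committed no authenticator is bound and any subject DN is accepted; `visible=false` only hides the profile from the listing while `enable=true` presumably leaves it reachable by name. If a CMC authenticator instance exists it should be referenced here, `auth.instance_id=<CMC_AUTH_INSTANCE_ID>` (placeholder, the real instance id is not in this diff), and the subject pattern tightened to match the identity the authenticator asserts; otherwise the description should be corrected so operators do not enable an unauthenticated profile believing it is signature-gated.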
@@ -0,0 +1,86 @@
+desc=This certificate profile is for enrolling TPS server certificates.
+visible=true
+enable=true
+enableBy=admin
+auth.class_id=
+name=Manual TPS Server Certificate Enrollment
+input.list=i1,i2
+input.i1.class_id=certReqInputImpl
+input.i2.class_id=submitterInfoInputImpl
+output.list=o1
+output.o1.class_id=certOutputImpl
+policyset.list=serverCertSet
+policyset.serverCertSet.list=1,2,3,4,5,6,7,8
+policyset.serverCertSet.1.constraint.class_id=subjectNameConstraintImpl
+policyset.serverCertSet.1.constraint.name=Subject Name Constraint
+policyset.serverCertSet.1.constraint.params.pattern=CN=.*
+policyset.serverCertSet.1.constraint.params.accept=true
+policyset.serverCertSet.1.default.class_id=userSubjectNameDefaultImpl
+policyset.serverCertSet.1.default.name=Subject Name Default
+policyset.serverCertSet.1.default.params.name=
+policyset.serverCertSet.2.constraint.class_id=validityConstraintImpl
+policyset.serverCertSet.2.constraint.name=Validity Constraint
+policyset.serverCertSet.2.constraint.params.range=720
+policyset.serverCertSet.2.constraint.params.notBeforeCheck=false
+policyset.serverCertSet.2.constraint.params.notAfterCheck=false
+policyset.serverCertSet.2.default.class_id=validityDefaultImpl
+policyset.serverCertSet.2.default.name=Validity Default
+policyset.serverCertSet.2.default.params.range=720
+policyset.serverCertSet.2.default.params.startTime=0
+policyset.serverCertSet.3.constraint.class_id=keyConstraintImpl
+policyset.serverCertSet.3.constraint.name=Key Constraint
+policyset.serverCertSet.3.constraint.params.keyType=-
+policyset.serverCertSet.3.constraint.params.keyMinLength=256
+policyset.serverCertSet.3.constraint.params.keyMaxLength=4096
+policyset.serverCertSet.3.default.class_id=userKeyDefaultImpl
+policyset.serverCertSet.3.default.name=Key Default
+policyset.serverCertSet.4.constraint.class_id=noConstraintImpl
+policyset.serverCertSet.4.constraint.name=No Constraint
+policyset.serverCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl
+policyset.serverCertSet.4.default.name=Authority Key Identifier Default
+policyset.serverCertSet.5.constraint.class_id=noConstraintImpl
+policyset.serverCertSet.5.constraint.name=No Constraint
+policyset.serverCertSet.5.default.class_id=authInfoAccessExtDefaultImpl
+policyset.serverCertSet.5.default.name=AIA Extension Default
+policyset.serverCertSet.5.default.params.authInfoAccessADEnable_0=true
+policyset.serverCertSet.5.default.params.authInfoAccessADLocationType_0=URIName
+policyset.serverCertSet.5.default.params.authInfoAccessADLocation_0=
+policyset.serverCertSet.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1
+policyset.serverCertSet.5.default.params.authInfoAccessCritical=false
+policyset.serverCertSet.5.default.params.authInfoAccessNumADs=1
+policyset.serverCertSet.6.constraint.class_id=keyUsageExtConstraintImpl
+policyset.serverCertSet.6.constraint.name=Key Usage Extension Constraint
+policyset.serverCertSet.6.constraint.params.keyUsageCritical=true
+policyset.serverCertSet.6.constraint.params.keyUsageDigitalSignature=true
+policyset.serverCertSet.6.constraint.params.keyUsageNonRepudiation=true
+policyset.serverCertSet.6.constraint.params.keyUsageDataEncipherment=true
+policyset.serverCertSet.6.constraint.params.keyUsageKeyEncipherment=true
+policyset.serverCertSet.6.constraint.params.keyUsageKeyAgreement=false
+policyset.serverCertSet.6.constraint.params.keyUsageKeyCertSign=false
+policyset.serverCertSet.6.constraint.params.keyUsageCrlSign=false
+policyset.serverCertSet.6.constraint.params.keyUsageEncipherOnly=false
+policyset.serverCertSet.6.constraint.params.keyUsageDecipherOnly=false
+policyset.serverCertSet.6.default.class_id=keyUsageExtDefaultImpl
+policyset.serverCertSet.6.default.name=Key Usage Default
+policyset.serverCertSet.6.default.params.keyUsageCritical=true
+policyset.serverCertSet.6.default.params.keyUsageDigitalSignature=true
+policyset.serverCertSet.6.default.params.keyUsageNonRepudiation=true
+policyset.serverCertSet.6.default.params.keyUsageDataEncipherment=true
+policyset.serverCertSet.6.default.params.keyUsageKeyEncipherment=true
+policyset.serverCertSet.6.default.params.keyUsageKeyAgreement=false
+policyset.serverCertSet.6.default.params.keyUsageKeyCertSign=false
+policyset.serverCertSet.6.default.params.keyUsageCrlSign=false
+policyset.serverCertSet.6.default.params.keyUsageEncipherOnly=false
+policyset.serverCertSet.6.default.params.keyUsageDecipherOnly=false
+policyset.serverCertSet.7.constraint.class_id=noConstraintImpl
+policyset.serverCertSet.7.constraint.name=No Constraint
+policyset.serverCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl
+policyset.serverCertSet.7.default.name=Extended Key Usage Extension Default
+policyset.serverCertSet.7.default.params.exKeyUsageCritical=false
+policyset.serverCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4
+policyset.serverCertSet.8.constraint.class_id=signingAlgConstraintImpl
+policyset.serverCertSet.8.constraint.name=No Constraint
+policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC
+policyset.serverCertSet.8.default.class_id=signingAlgDefaultImpl
+policyset.serverCertSet.8.default.name=Signing Alg
+policyset.serverCertSet.8.default.params.signingAlg=-
diff --git a/pki/base/ca/shared/profiles/ca/caTempTokenDeviceKeyEnrollment.cfg b/pki/base/ca/shared/profiles/ca/caTempTokenDeviceKeyEnrollment.cfg
new file mode 100644
index 000000000..5d0c569fe
--- /dev/null
+++ b/pki/base/ca/shared/profiles/ca/caTempTokenDeviceKeyEnrollment.cfg
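Review bot: The signing-algorithm constraint near the end of this hunk, `policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=...`, still accepts `MD5withRSA` and `MD2withRSA`, so a TPS server certificate can be issued under a digest with known collision weaknesses; the default `signingAlg=-` presumably defers to the CA's configured algorithm, which makes this constraint the only guard, and trimming it to `policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA256withRSA,SHA512withRSA,SHA1withRSA,SHA1withDSA,SHA1withEC` leaves the rest of the profile untouched. The same list appears in the cmcUserCertSet hunk above this one. `keyMinLength=256` together with `keyType=-` means the key constraint, as far as this profile shows, admits a 256-bit RSA key, far below any sensible floor for a server key; a higher minimum, or separate per-key-type profiles, would be safer. Entry 8's constraint is also labelled `No Constraint` while its class is `signingAlgConstraintImpl`, which misleads whoever reads the profile in the agent interface; `policyset.serverCertSet.8.constraint.name=Signing Algorithm Constraint` matches the class.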
@@ -0,0 +1,144 @@
+desc=This profile is for enrolling token device keys
+enable=true
+enableBy=admin
+lastModified=1068835451090
+name=Temporary Device Certificate Enrollment
+visible=true
+auth.instance_id=AgentCertAuth
+input.list=i1
+input.i1.class_id=nsHKeyCertReqInputImpl
+input.i1.name=nsHKeyCertReqInputImpl
+output.list=o1
+output.o1.class_id=nsNKeyOutputImpl
+output.o2.name=nsNKeyOutputImpl
+policyset.list=set1
+#policyset.set1.list=p2,p3,p4,p5,p1,p7,p8,p9,p12,p6
+policyset.set1.list=p2,p4,p5,p1,p8,p9,p12
+policyset.set1.p1.constraint.class_id=noConstraintImpl
+policyset.set1.p1.constraint.name=No Constraint
+policyset.set1.p1.default.class_id=nsTokenDeviceKeySubjectNameDefaultImpl
+policyset.set1.p1.default.name=nsTokenDeviceKeySubjectNameDefault
+policyset.set1.p1.default.params.dnpattern=UID=Token Key Device - $request.tokencuid$
+policyset.set1.p12.constraint.class_id=basicConstraintsExtConstraintImpl
+policyset.set1.p12.constraint.name=Basic Constraints Extension Constraint
+policyset.set1.p12.constraint.params.basicConstraintsCritical=-
+policyset.set1.p12.constraint.params.basicConstraintsIsCA=-
+policyset.set1.p12.constraint.params.basicConstraintsMaxPathLen=-1
+policyset.set1.p12.constraint.params.basicConstraintsMinPathLen=-1
+policyset.set1.p12.default.class_id=basicConstraintsExtDefaultImpl
+policyset.set1.p12.default.name=Basic Constraints Extension Default
+policyset.set1.p12.default.params.basicConstraintsCritical=false
+policyset.set1.p12.default.params.basicConstraintsIsCA=false
+policyset.set1.p12.default.params.basicConstraintsPathLen=-1
+policyset.set1.p2.constraint.class_id=noConstraintImpl
+policyset.set1.p2.constraint.name=No Constraint
+policyset.set1.p2.default.class_id=validityDefaultImpl
+policyset.set1.p2.default.name=Validity Default
+policyset.set1.p2.default.params.range=7
+policyset.set1.p2.default.params.startTime=0
+policyset.set1.p3.constraint.class_id=noConstraintImpl
+policyset.set1.p3.constraint.name=No Constraint
+policyset.set1.p3.default.class_id=crlDistributionPointsExtDefaultImpl
+policyset.set1.p3.default.name=crlDistributionPointsExtDefaultImpl
+policyset.set1.p3.default.params.crlDistPointsCritical=false
+policyset.set1.p3.default.params.crlDistPointsNum=0
+policyset.set1.p3.default.params.crlDistPointsEnable_0=false
+policyset.set1.p3.default.params.crlDistPointsIssuerName_0=
+policyset.set1.p3.default.params.crlDistPointsIssuerType_0=
+policyset.set1.p3.default.params.crlDistPointsPointName_0=
+policyset.set1.p3.default.params.crlDistPointsPointType_0=URIName
+policyset.set1.p3.default.params.crlDistPointsReasons_0=
+policyset.set1.p4.constraint.class_id=noConstraintImpl
+policyset.set1.p4.constraint.name=No Constraint
+policyset.set1.p4.default.class_id=signingAlgDefaultImpl
+policyset.set1.p4.default.name=Signing Algorithm Default
+policyset.set1.p4.default.params.signingAlg=-
+policyset.set1.p5.constraint.class_id=noConstraintImpl
+policyset.set1.p5.constraint.name=No Constraint
+policyset.set1.p5.default.class_id=keyUsageExtDefaultImpl
+policyset.set1.p5.default.name=Key Usage Extension Default
+policyset.set1.p5.default.params.keyUsageCritical=true
+policyset.set1.p5.default.params.keyUsageCrlSign=false
+policyset.set1.p5.default.params.keyUsageDataEncipherment=false
+policyset.set1.p5.default.params.keyUsageDecipherOnly=false
+policyset.set1.p5.default.params.keyUsageDigitalSignature=true
+policyset.set1.p5.default.params.keyUsageEncipherOnly=false
+policyset.set1.p5.default.params.keyUsageKeyAgreement=false
+policyset.set1.p5.default.params.keyUsageKeyCertSign=false
+policyset.set1.p5.default.params.keyUsageKeyEncipherment=false
+policyset.set1.p5.default.params.keyUsageNonRepudiation=false
+policyset.set1.p7.constraint.class_id=noConstraintImpl
+policyset.set1.p7.constraint.name=No Constraint
+policyset.set1.p7.default.class_id=certificatePoliciesExtDefaultImpl
+policyset.set1.p7.default.name=Certificate Policies Extension Default
+policyset.set1.p7.default.params.Critical=false
+policyset.set1.p7.default.params.PoliciesExt.num=5
+policyset.set1.p7.default.params.PoliciesExt.certPolicy0.enable=false
+policyset.set1.p7.default.params.PoliciesExt.certPolicy0.policyId=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.CPSURI.enable=false
+policyset.set1.p7.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.CPSURI.value=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.usernotice.enable=false
+policyset.set1.p7.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.usernotice.explicitText.value=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.usernotice.noticeReference.noticeNumbers=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.usernotice.noticeReference.organization=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy1.enable=false
+policyset.set1.p7.default.params.PoliciesExt.certPolicy1.policyId=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy1.PolicyQualifiers0.CPSURI.enable=false
+policyset.set1.p7.default.params.PoliciesExt.certPolicy1.PolicyQualifiers0.CPSURI.value=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy1.PolicyQualifiers0.usernotice.enable=false
+policyset.set1.p7.default.params.PoliciesExt.certPolicy1.PolicyQualifiers0.usernotice.explicitText.value=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy1.PolicyQualifiers0.usernotice.noticeReference.noticeNumbers=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy1.PolicyQualifiers0.usernotice.noticeReference.organization=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy2.enable=false
+policyset.set1.p7.default.params.PoliciesExt.certPolicy2.policyId=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy2.PolicyQualifiers0.CPSURI.enable=false
+policyset.set1.p7.default.params.PoliciesExt.certPolicy2.PolicyQualifiers0.CPSURI.value=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy2.PolicyQualifiers0.usernotice.enable=false
+policyset.set1.p7.default.params.PoliciesExt.certPolicy2.PolicyQualifiers0.usernotice.explicitText.value=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy2.PolicyQualifiers0.usernotice.noticeReference.noticeNumbers=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy2.PolicyQualifiers0.usernotice.noticeReference.organization=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy3.enable=false
+policyset.set1.p7.default.params.PoliciesExt.certPolicy3.policyId=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy3.PolicyQualifiers0.CPSURI.enable=false
+policyset.set1.p7.default.params.PoliciesExt.certPolicy3.PolicyQualifiers0.CPSURI.value=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy3.PolicyQualifiers0.usernotice.enable=false
+policyset.set1.p7.default.params.PoliciesExt.certPolicy3.PolicyQualifiers0.usernotice.explicitText.value=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy3.PolicyQualifiers0.usernotice.noticeReference.noticeNumbers=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy3.PolicyQualifiers0.usernotice.noticeReference.organization=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy4.enable=false
+policyset.set1.p7.default.params.PoliciesExt.certPolicy4.policyId=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy4.PolicyQualifiers0.CPSURI.enable=false
+policyset.set1.p7.default.params.PoliciesExt.certPolicy4.PolicyQualifiers0.CPSURI.value=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy4.PolicyQualifiers0.usernotice.enable=false
+policyset.set1.p7.default.params.PoliciesExt.certPolicy4.PolicyQualifiers0.usernotice.explicitText.value=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy4.PolicyQualifiers0.usernotice.noticeReference.noticeNumbers=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy4.PolicyQualifiers0.usernotice.noticeReference.organization=
+policyset.set1.p8.constraint.class_id=noConstraintImpl
+policyset.set1.p8.constraint.name=No Constraint
+policyset.set1.p8.default.class_id=subjectKeyIdentifierExtDefaultImpl
+policyset.set1.p8.default.name=Subject Key Identifier Default
+policyset.set1.p9.constraint.class_id=noConstraintImpl
+policyset.set1.p9.constraint.name=No Constraint
+policyset.set1.p9.default.class_id=authorityKeyIdentifierExtDefaultImpl
+policyset.set1.p9.default.name=Authority Key Identifier Extension Default
+policyset.set1.p6.constraint.class_id=noConstraintImpl
+policyset.set1.p6.constraint.name=No Constraint
+policyset.set1.p6.default.class_id=subjectAltNameExtDefaultImpl
+policyset.set1.p6.default.name=Subject Alternative Name Extension Default
+policyset.set1.p6.default.params.subjAltExtGNEnable_0=false
+policyset.set1.p6.default.params.subjAltExtGNEnable_1=false
+policyset.set1.p6.default.params.subjAltExtGNEnable_2=false
+policyset.set1.p6.default.params.subjAltExtGNEnable_3=false
+policyset.set1.p6.default.params.subjAltExtGNEnable_4=false
+policyset.set1.p6.default.params.subjAltExtPattern_0=
+policyset.set1.p6.default.params.subjAltExtPattern_1=
+policyset.set1.p6.default.params.subjAltExtPattern_2=
+policyset.set1.p6.default.params.subjAltExtPattern_3=
+policyset.set1.p6.default.params.subjAltExtPattern_4=
+policyset.set1.p6.default.params.subjAltExtType_0=OtherName
+policyset.set1.p6.default.params.subjAltExtType_1=RFC822Name
+policyset.set1.p6.default.params.subjAltExtType_2=RFC822Name
+policyset.set1.p6.default.params.subjAltExtType_3=RFC822Name
+policyset.set1.p6.default.params.subjAltExtType_4=RFC822Name
+policyset.set1.p6.default.params.subjAltNameExtCritical=false
+policyset.set1.p6.default.params.subjAltNameNumGNs=0
diff --git a/pki/base/ca/shared/profiles/ca/caTempTokenUserEncryptionKeyEnrollment.cfg b/pki/base/ca/shared/profiles/ca/caTempTokenUserEncryptionKeyEnrollment.cfg
new file mode 100644
index 000000000..3d35c984a
--- /dev/null
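Review bot: `output.o2.name=nsNKeyOutputImpl` names an output `o2` that `output.list=o1` never references, while `o1` gets a `class_id` but no name; this reads as a typo for `output.o1.name=nsNKeyOutputImpl`. The same mismatch recurs in the caTempTokenUserEncryptionKeyEnrollment.cfg and caTempTokenUserSigningKeyEnrollment.cfg hunks below. Entries `p3`, `p6` and `p7` are configured in full but omitted from `policyset.set1.list`, so they are dead configuration explained only by the commented-out list line; a comment such as `# p3 (CRL DP), p6 (SAN) and p7 (certificate policies) are defined but deliberately left out of policyset.set1.list` would mark that as intended rather than accidental. The validity entry `p2` pairs `validityDefaultImpl` with `noConstraintImpl`, so nothing in the profile pins the 7-day range if the default value is changed at approval time; if the temporary nature of these certificates matters, a `validityConstraintImpl` with `range=7` would enforce it.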
+++ b/pki/base/ca/shared/profiles/ca/caTempTokenUserEncryptionKeyEnrollment.cfg 
@@ -0,0 +1,166 @@
+desc=This profile is for enrolling Token Encryption key
+enable=true
+enableBy=admin
+name=Temporary Token User Encryption Certificate Enrollment
+visible=true
+auth.instance_id=AgentCertAuth
+input.list=i1
+input.i1.class_id=nsNKeyCertReqInputImpl
+input.i1.name=nsNKeyCertReqInputImpl
+output.list=o1
+output.o1.class_id=nsNKeyOutputImpl
+output.o2.name=nsNKeyOutputImpl
+policyset.list=set1
+#policyset.set1.list=p2,p4,p5,p1,p6,p7,p8,p9,p12,p13,p14
+policyset.set1.list=p2,p4,p5,p1,p6,p8,p9,p12
+policyset.set1.p1.constraint.class_id=noConstraintImpl
+policyset.set1.p1.constraint.name=No Constraint
+policyset.set1.p1.default.class_id=nsTokenUserKeySubjectNameDefaultImpl
+policyset.set1.p1.default.name=nsTokenUserKeySubjectNameDefault
+#uncomment below to support SMIME
+#policyset.set1.p1.default.params.dnpattern=UID=$request.uid$, E=$request.mail$, O=Token Key User
+policyset.set1.p1.default.params.dnpattern=UID=$request.uid$, O=Token Key User
+#changed ldap.enable to true to support SMIME
+policyset.set1.p1.default.params.ldap.enable=false
+policyset.set1.p1.default.params.ldap.searchName=uid
+policyset.set1.p1.default.params.ldapStringAttributes=uid,mail
+policyset.set1.p1.default.params.ldap.basedn=
+policyset.set1.p1.default.params.ldap.maxConns=4
+policyset.set1.p1.default.params.ldap.minConns=1
+policyset.set1.p1.default.params.ldap.ldapconn.Version=2
+policyset.set1.p1.default.params.ldap.ldapconn.host=
+policyset.set1.p1.default.params.ldap.ldapconn.port=
+policyset.set1.p1.default.params.ldap.ldapconn.secureConn=false
+policyset.set1.p2.constraint.class_id=noConstraintImpl
+policyset.set1.p2.constraint.name=No Constraint
+policyset.set1.p2.default.class_id=validityDefaultImpl
+policyset.set1.p2.default.name=Validity Default
+policyset.set1.p2.default.params.range=7
+policyset.set1.p2.default.params.startTime=0
+policyset.set1.p4.constraint.class_id=noConstraintImpl
+policyset.set1.p4.constraint.name=No Constraint
+policyset.set1.p4.default.class_id=signingAlgDefaultImpl
+policyset.set1.p4.default.name=Signing Algorithm Default
+policyset.set1.p4.default.params.signingAlg=-
+policyset.set1.p5.constraint.class_id=noConstraintImpl
+policyset.set1.p5.constraint.name=No Constraint
+policyset.set1.p5.default.class_id=keyUsageExtDefaultImpl
+policyset.set1.p5.default.name=Key Usage Extension Default
+policyset.set1.p5.default.params.keyUsageCritical=true
+policyset.set1.p5.default.params.keyUsageCrlSign=false
+policyset.set1.p5.default.params.keyUsageDataEncipherment=false
+policyset.set1.p5.default.params.keyUsageDecipherOnly=false
+policyset.set1.p5.default.params.keyUsageDigitalSignature=false
+policyset.set1.p5.default.params.keyUsageEncipherOnly=false
+policyset.set1.p5.default.params.keyUsageKeyAgreement=false
+policyset.set1.p5.default.params.keyUsageKeyCertSign=false
+policyset.set1.p5.default.params.keyUsageKeyEncipherment=true
+policyset.set1.p5.default.params.keyUsageNonRepudiation=false
+policyset.set1.p6.constraint.class_id=noConstraintImpl
+policyset.set1.p6.constraint.name=No Constraint
+policyset.set1.p6.default.class_id=subjectAltNameExtDefaultImpl
+policyset.set1.p6.default.name=Subject Alternative Name Extension Default
+policyset.set1.p6.default.params.subjAltExtGNEnable_0=true
+policyset.set1.p6.default.params.subjAltExtGNEnable_1=false
+policyset.set1.p6.default.params.subjAltExtGNEnable_2=false
+policyset.set1.p6.default.params.subjAltExtGNEnable_3=false
+policyset.set1.p6.default.params.subjAltExtGNEnable_4=false
+policyset.set1.p6.default.params.subjAltExtPattern_0=$request.mail$
+policyset.set1.p6.default.params.subjAltExtPattern_1=
+policyset.set1.p6.default.params.subjAltExtPattern_2=
+policyset.set1.p6.default.params.subjAltExtPattern_3=
+policyset.set1.p6.default.params.subjAltExtPattern_4=
+policyset.set1.p6.default.params.subjAltExtType_0=RFC822Name
+policyset.set1.p6.default.params.subjAltExtType_1=OtherName
+policyset.set1.p6.default.params.subjAltExtType_2=RFC822Name
+policyset.set1.p6.default.params.subjAltExtType_3=RFC822Name
+policyset.set1.p6.default.params.subjAltExtType_4=RFC822Name
+policyset.set1.p6.default.params.subjAltNameExtCritical=false
+policyset.set1.p6.default.params.subjAltNameNumGNs=1
+policyset.set1.p7.constraint.class_id=noConstraintImpl
+policyset.set1.p7.constraint.name=No Constraint
+policyset.set1.p7.default.class_id=certificatePoliciesExtDefaultImpl
+policyset.set1.p7.default.name=Certificate Policies Extension Default
+policyset.set1.p7.default.params.Critical=false
+policyset.set1.p7.default.params.PoliciesExt.num=5
+policyset.set1.p7.default.params.PoliciesExt.certPolicy0.enable=false
+policyset.set1.p7.default.params.PoliciesExt.certPolicy0.policyId=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.CPSURI.enable=true
+policyset.set1.p7.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.CPSURI.value=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.usernotice.enable=false
+policyset.set1.p7.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.usernotice.explicitText.value=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.usernotice.noticeReference.noticeNumbers=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.usernotice.noticeReference.organization=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy1.enable=false
+policyset.set1.p7.default.params.PoliciesExt.certPolicy1.policyId=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy1.PolicyQualifiers0.CPSURI.enable=false
+policyset.set1.p7.default.params.PoliciesExt.certPolicy1.PolicyQualifiers0.CPSURI.value=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy1.PolicyQualifiers0.usernotice.enable=false
+policyset.set1.p7.default.params.PoliciesExt.certPolicy1.PolicyQualifiers0.usernotice.explicitText.value=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy1.PolicyQualifiers0.usernotice.noticeReference.noticeNumbers=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy1.PolicyQualifiers0.usernotice.noticeReference.organization=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy2.enable=false
+policyset.set1.p7.default.params.PoliciesExt.certPolicy2.policyId=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy2.PolicyQualifiers0.CPSURI.enable=false
+policyset.set1.p7.default.params.PoliciesExt.certPolicy2.PolicyQualifiers0.CPSURI.value=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy2.PolicyQualifiers0.usernotice.enable=false
+policyset.set1.p7.default.params.PoliciesExt.certPolicy2.PolicyQualifiers0.usernotice.explicitText.value=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy2.PolicyQualifiers0.usernotice.noticeReference.noticeNumbers=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy2.PolicyQualifiers0.usernotice.noticeReference.organization=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy3.enable=false
+policyset.set1.p7.default.params.PoliciesExt.certPolicy3.policyId=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy3.PolicyQualifiers0.CPSURI.enable=false
+policyset.set1.p7.default.params.PoliciesExt.certPolicy3.PolicyQualifiers0.CPSURI.value=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy3.PolicyQualifiers0.usernotice.enable=false
+policyset.set1.p7.default.params.PoliciesExt.certPolicy3.PolicyQualifiers0.usernotice.explicitText.value=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy3.PolicyQualifiers0.usernotice.noticeReference.noticeNumbers=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy3.PolicyQualifiers0.usernotice.noticeReference.organization=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy4.enable=false
+policyset.set1.p7.default.params.PoliciesExt.certPolicy4.policyId=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy4.PolicyQualifiers0.CPSURI.enable=false
+policyset.set1.p7.default.params.PoliciesExt.certPolicy4.PolicyQualifiers0.CPSURI.value=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy4.PolicyQualifiers0.usernotice.enable=false
+policyset.set1.p7.default.params.PoliciesExt.certPolicy4.PolicyQualifiers0.usernotice.explicitText.value=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy4.PolicyQualifiers0.usernotice.noticeReference.noticeNumbers=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy4.PolicyQualifiers0.usernotice.noticeReference.organization=
+policyset.set1.p8.constraint.class_id=noConstraintImpl
+policyset.set1.p8.constraint.name=No Constraint
+policyset.set1.p8.default.class_id=subjectKeyIdentifierExtDefaultImpl
+policyset.set1.p8.default.name=Subject Key Identifier Default
+policyset.set1.p9.constraint.class_id=noConstraintImpl
+policyset.set1.p9.constraint.name=No Constraint
+policyset.set1.p9.default.class_id=authorityKeyIdentifierExtDefaultImpl
+policyset.set1.p9.default.name=Authority Key Identifier Extension Default
+policyset.set1.p12.constraint.class_id=basicConstraintsExtConstraintImpl
+policyset.set1.p12.constraint.name=Basic Constraints Extension Constraint
+policyset.set1.p12.constraint.params.basicConstraintsCritical=-
+policyset.set1.p12.constraint.params.basicConstraintsIsCA=-
+policyset.set1.p12.constraint.params.basicConstraintsMaxPathLen=-1
+policyset.set1.p12.constraint.params.basicConstraintsMinPathLen=-1
+policyset.set1.p12.default.class_id=basicConstraintsExtDefaultImpl
+policyset.set1.p12.default.name=Basic Constraints Extension Default
+policyset.set1.p12.default.params.basicConstraintsCritical=false
+policyset.set1.p12.default.params.basicConstraintsIsCA=false
+policyset.set1.p12.default.params.basicConstraintsPathLen=-1
+policyset.set1.p13.constraint.class_id=noConstraintImpl
+policyset.set1.p13.constraint.name=No Constraint
+policyset.set1.p13.default.class_id=crlDistributionPointsExtDefaultImpl
+policyset.set1.p13.default.name=crlDistributionPointsExtDefaultImpl
+policyset.set1.p13.default.params.crlDistPointsCritical=false
+policyset.set1.p13.default.params.crlDistPointsNum=0
+policyset.set1.p13.default.params.crlDistPointsEnable_0=false
+policyset.set1.p13.default.params.crlDistPointsIssuerName_0=
+policyset.set1.p13.default.params.crlDistPointsIssuerType_0=
+policyset.set1.p13.default.params.crlDistPointsPointName_0=
+policyset.set1.p13.default.params.crlDistPointsPointType_0=URIName
+policyset.set1.p13.default.params.crlDistPointsReasons_0=
+policyset.set1.p14.constraint.class_id=noConstraintImpl
+policyset.set1.p14.constraint.name=No Constraint
+policyset.set1.p14.default.class_id=authInfoAccessExtDefaultImpl
+policyset.set1.p14.default.name=AIA Extension Default
+policyset.set1.p14.default.params.authInfoAccessADEnable_0=false
+policyset.set1.p14.default.params.authInfoAccessADLocationType_0=URIName
+policyset.set1.p14.default.params.authInfoAccessADLocation_0=
+policyset.set1.p14.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1
+policyset.set1.p14.default.params.authInfoAccessCritical=false
+policyset.set1.p14.default.params.authInfoAccessNumADs=0
diff --git a/pki/base/ca/shared/profiles/ca/caTempTokenUserSigningKeyEnrollment.cfg b/pki/base/ca/shared/profiles/ca/caTempTokenUserSigningKeyEnrollment.cfg
new file mode 100644
index 000000000..538a17db3
--- /dev/null
+++ b/pki/base/ca/shared/profiles/ca/caTempTokenUserSigningKeyEnrollment.cfg
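Review bot: The LDAP block under `policyset.set1.p1.default.params.ldap.*` ships with `ldapconn.Version=2` and `ldapconn.secureConn=false`, and the comment just above it invites operators to turn `ldap.enable` on for S/MIME; anyone who does so sends the `uid`/`mail` lookup that feeds the subject DN and the RFC822 SAN to the directory in the clear over LDAPv2. Shipping `policyset.set1.p1.default.params.ldap.ldapconn.secureConn=true` by default, or at least a comment `# if ldap.enable is turned on, also set ldapconn.secureConn=true and review ldapconn.Version`, would avoid that. The comment `#changed ldap.enable to true to support SMIME` reads as past tense while the value is `false`; `#set ldap.enable to true to support SMIME` says what is meant. `p6` emits `$request.mail$` as an RFC822Name with `subjAltNameNumGNs=1`, so with LDAP disabled the SAN depends entirely on the request supplying `mail`, and whether an empty substitution is dropped or encoded as an empty name is not visible here and worth confirming. The same LDAP block and comment appear in the caTempTokenUserSigningKeyEnrollment.cfg hunk below.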
@@ -0,0 +1,166 @@
+desc=This profile is for enrolling Token Signing key
+enable=true
+enableBy=admin
+name=Temporary Token User Signing Certificate Enrollment
+visible=true
+auth.instance_id=AgentCertAuth
+input.list=i1
+input.i1.class_id=nsNKeyCertReqInputImpl
+input.i1.name=nsNKeyCertReqInputImpl
+output.list=o1
+output.o1.class_id=nsNKeyOutputImpl
+output.o2.name=nsNKeyOutputImpl
+policyset.list=set1
+#policyset.set1.list=p2,p4,p5,p1,p6,p7,p8,p9,p12,p13,p14
+policyset.set1.list=p2,p4,p5,p1,p6,p8,p9,p12
+policyset.set1.p1.constraint.class_id=noConstraintImpl
+policyset.set1.p1.constraint.name=No Constraint
+policyset.set1.p1.default.class_id=nsTokenUserKeySubjectNameDefaultImpl
+policyset.set1.p1.default.name=nsTokenUserKeySubjectNameDefault
+#uncomment below to support SMIME
+#policyset.set1.p1.default.params.dnpattern=UID=$request.uid$, E=$request.mail$, O=Token Key User
+policyset.set1.p1.default.params.dnpattern=UID=$request.uid$, O=Token Key User
+#changed ldap.enable to true to support SMIME
+policyset.set1.p1.default.params.ldap.enable=false
+policyset.set1.p1.default.params.ldap.searchName=uid
+policyset.set1.p1.default.params.ldapStringAttributes=uid,mail
+policyset.set1.p1.default.params.ldap.basedn=
+policyset.set1.p1.default.params.ldap.maxConns=4
+policyset.set1.p1.default.params.ldap.minConns=1
+policyset.set1.p1.default.params.ldap.ldapconn.Version=2
+policyset.set1.p1.default.params.ldap.ldapconn.host=
+policyset.set1.p1.default.params.ldap.ldapconn.port=
+policyset.set1.p1.default.params.ldap.ldapconn.secureConn=false
+policyset.set1.p2.constraint.class_id=noConstraintImpl
+policyset.set1.p2.constraint.name=No Constraint
+policyset.set1.p2.default.class_id=validityDefaultImpl
+policyset.set1.p2.default.name=Validity Default
+policyset.set1.p2.default.params.range=7
+policyset.set1.p2.default.params.startTime=0
+policyset.set1.p4.constraint.class_id=noConstraintImpl
+policyset.set1.p4.constraint.name=No Constraint
+policyset.set1.p4.default.class_id=signingAlgDefaultImpl
+policyset.set1.p4.default.name=Signing Algorithm Default
+policyset.set1.p4.default.params.signingAlg=-
+policyset.set1.p5.constraint.class_id=noConstraintImpl
+policyset.set1.p5.constraint.name=No Constraint
+policyset.set1.p5.default.class_id=keyUsageExtDefaultImpl
+policyset.set1.p5.default.name=Key Usage Extension Default
+policyset.set1.p5.default.params.keyUsageCritical=true
+policyset.set1.p5.default.params.keyUsageCrlSign=false
+policyset.set1.p5.default.params.keyUsageDataEncipherment=false
+policyset.set1.p5.default.params.keyUsageDecipherOnly=false
+policyset.set1.p5.default.params.keyUsageDigitalSignature=true
+policyset.set1.p5.default.params.keyUsageEncipherOnly=false
+policyset.set1.p5.default.params.keyUsageKeyAgreement=false
+policyset.set1.p5.default.params.keyUsageKeyCertSign=false
+policyset.set1.p5.default.params.keyUsageKeyEncipherment=false
+policyset.set1.p5.default.params.keyUsageNonRepudiation=true
+policyset.set1.p6.constraint.class_id=noConstraintImpl
+policyset.set1.p6.constraint.name=No Constraint
+policyset.set1.p6.default.class_id=subjectAltNameExtDefaultImpl
+policyset.set1.p6.default.name=Subject Alternative Name Extension Default
+policyset.set1.p6.default.params.subjAltExtGNEnable_0=true
+policyset.set1.p6.default.params.subjAltExtGNEnable_1=false
+policyset.set1.p6.default.params.subjAltExtGNEnable_2=false
+policyset.set1.p6.default.params.subjAltExtGNEnable_3=false
+policyset.set1.p6.default.params.subjAltExtGNEnable_4=false
+policyset.set1.p6.default.params.subjAltExtPattern_0=$request.mail$
+policyset.set1.p6.default.params.subjAltExtPattern_1=
+policyset.set1.p6.default.params.subjAltExtPattern_2=
+policyset.set1.p6.default.params.subjAltExtPattern_3=
+policyset.set1.p6.default.params.subjAltExtPattern_4=
+policyset.set1.p6.default.params.subjAltExtType_0=RFC822Name
+policyset.set1.p6.default.params.subjAltExtType_1=OtherName
+policyset.set1.p6.default.params.subjAltExtType_2=RFC822Name
+policyset.set1.p6.default.params.subjAltExtType_3=RFC822Name
+policyset.set1.p6.default.params.subjAltExtType_4=RFC822Name
+policyset.set1.p6.default.params.subjAltNameExtCritical=false
+policyset.set1.p6.default.params.subjAltNameNumGNs=1
+policyset.set1.p7.constraint.class_id=noConstraintImpl
+policyset.set1.p7.constraint.name=No Constraint
+policyset.set1.p7.default.class_id=certificatePoliciesExtDefaultImpl
+policyset.set1.p7.default.name=Certificate Policies Extension Default
+policyset.set1.p7.default.params.Critical=false
+policyset.set1.p7.default.params.PoliciesExt.num=5
+policyset.set1.p7.default.params.PoliciesExt.certPolicy0.enable=false
+policyset.set1.p7.default.params.PoliciesExt.certPolicy0.policyId=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.CPSURI.enable=true
+policyset.set1.p7.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.CPSURI.value=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.usernotice.enable=false
+policyset.set1.p7.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.usernotice.explicitText.value=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.usernotice.noticeReference.noticeNumbers=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.usernotice.noticeReference.organization=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy1.enable=false
+policyset.set1.p7.default.params.PoliciesExt.certPolicy1.policyId=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy1.PolicyQualifiers0.CPSURI.enable=false
+policyset.set1.p7.default.params.PoliciesExt.certPolicy1.PolicyQualifiers0.CPSURI.value=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy1.PolicyQualifiers0.usernotice.enable=false
+policyset.set1.p7.default.params.PoliciesExt.certPolicy1.PolicyQualifiers0.usernotice.explicitText.value=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy1.PolicyQualifiers0.usernotice.noticeReference.noticeNumbers=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy1.PolicyQualifiers0.usernotice.noticeReference.organization=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy2.enable=false
+policyset.set1.p7.default.params.PoliciesExt.certPolicy2.policyId=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy2.PolicyQualifiers0.CPSURI.enable=false
+policyset.set1.p7.default.params.PoliciesExt.certPolicy2.PolicyQualifiers0.CPSURI.value=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy2.PolicyQualifiers0.usernotice.enable=false
+policyset.set1.p7.default.params.PoliciesExt.certPolicy2.PolicyQualifiers0.usernotice.explicitText.value=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy2.PolicyQualifiers0.usernotice.noticeReference.noticeNumbers=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy2.PolicyQualifiers0.usernotice.noticeReference.organization=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy3.enable=false
+policyset.set1.p7.default.params.PoliciesExt.certPolicy3.policyId=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy3.PolicyQualifiers0.CPSURI.enable=false
+policyset.set1.p7.default.params.PoliciesExt.certPolicy3.PolicyQualifiers0.CPSURI.value=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy3.PolicyQualifiers0.usernotice.enable=false
+policyset.set1.p7.default.params.PoliciesExt.certPolicy3.PolicyQualifiers0.usernotice.explicitText.value=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy3.PolicyQualifiers0.usernotice.noticeReference.noticeNumbers=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy3.PolicyQualifiers0.usernotice.noticeReference.organization=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy4.enable=false
+policyset.set1.p7.default.params.PoliciesExt.certPolicy4.policyId=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy4.PolicyQualifiers0.CPSURI.enable=false
+policyset.set1.p7.default.params.PoliciesExt.certPolicy4.PolicyQualifiers0.CPSURI.value=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy4.PolicyQualifiers0.usernotice.enable=false
+policyset.set1.p7.default.params.PoliciesExt.certPolicy4.PolicyQualifiers0.usernotice.explicitText.value=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy4.PolicyQualifiers0.usernotice.noticeReference.noticeNumbers=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy4.PolicyQualifiers0.usernotice.noticeReference.organization=
+policyset.set1.p8.constraint.class_id=noConstraintImpl
+policyset.set1.p8.constraint.name=No Constraint
+policyset.set1.p8.default.class_id=subjectKeyIdentifierExtDefaultImpl
+policyset.set1.p8.default.name=Subject Key Identifier Default
+policyset.set1.p9.constraint.class_id=noConstraintImpl
+policyset.set1.p9.constraint.name=No Constraint
+policyset.set1.p9.default.class_id=authorityKeyIdentifierExtDefaultImpl
+policyset.set1.p9.default.name=Authority Key Identifier Extension Default
+policyset.set1.p12.constraint.class_id=basicConstraintsExtConstraintImpl
+policyset.set1.p12.constraint.name=Basic Constraints Extension Constraint
+policyset.set1.p12.constraint.params.basicConstraintsCritical=-
+policyset.set1.p12.constraint.params.basicConstraintsIsCA=-
+policyset.set1.p12.constraint.params.basicConstraintsMaxPathLen=-1
+policyset.set1.p12.constraint.params.basicConstraintsMinPathLen=-1
+policyset.set1.p12.default.class_id=basicConstraintsExtDefaultImpl
+policyset.set1.p12.default.name=Basic Constraints Extension Default
+policyset.set1.p12.default.params.basicConstraintsCritical=false
+policyset.set1.p12.default.params.basicConstraintsIsCA=false
+policyset.set1.p12.default.params.basicConstraintsPathLen=-1
+policyset.set1.p13.constraint.class_id=noConstraintImpl
+policyset.set1.p13.constraint.name=No Constraint
+policyset.set1.p13.default.class_id=crlDistributionPointsExtDefaultImpl
+policyset.set1.p13.default.name=crlDistributionPointsExtDefaultImpl
+policyset.set1.p13.default.params.crlDistPointsCritical=false
+policyset.set1.p13.default.params.crlDistPointsNum=0
+policyset.set1.p13.default.params.crlDistPointsEnable_0=false
+policyset.set1.p13.default.params.crlDistPointsIssuerName_0=
+policyset.set1.p13.default.params.crlDistPointsIssuerType_0=
+policyset.set1.p13.default.params.crlDistPointsPointName_0=
+policyset.set1.p13.default.params.crlDistPointsPointType_0=URIName
+policyset.set1.p13.default.params.crlDistPointsReasons_0=
+policyset.set1.p14.constraint.class_id=noConstraintImpl
+policyset.set1.p14.constraint.name=No Constraint
+policyset.set1.p14.default.class_id=authInfoAccessExtDefaultImpl
+policyset.set1.p14.default.name=AIA Extension Default
+policyset.set1.p14.default.params.authInfoAccessADEnable_0=false
+policyset.set1.p14.default.params.authInfoAccessADLocationType_0=URIName
+policyset.set1.p14.default.params.authInfoAccessADLocation_0=
+policyset.set1.p14.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1
+policyset.set1.p14.default.params.authInfoAccessCritical=false
+policyset.set1.p14.default.params.authInfoAccessNumADs=0
diff --git a/pki/base/ca/shared/profiles/ca/caTokenDeviceKeyEnrollment.cfg b/pki/base/ca/shared/profiles/ca/caTokenDeviceKeyEnrollment.cfg
new file mode 100644
index 000000000..7eaf6f96f
--- /dev/null
+++ b/pki/base/ca/shared/profiles/ca/caTokenDeviceKeyEnrollment.cfg
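Review bot: `output.list=o1` and `output.o1.class_id=nsNKeyOutputImpl` are followed by `output.o2.name=nsNKeyOutputImpl`, so the listed output o1 has no name while the named o2 is never listed; this reads as a typo for `output.o1.name=nsNKeyOutputImpl`, and the same mismatch is in caTokenDeviceKeyEnrollment.cfg, caTokenUserEncryptionKeyEnrollment.cfg and caTokenUserSigningKeyEnrollment.cfg below. The comment `#changed ldap.enable to true to support SMIME` sits directly above `policyset.set1.p1.default.params.ldap.enable=false` and contradicts it, so a reader cannot tell whether the flag or the comment is stale; reword it as `# set ldap.enable=true to support SMIME` (the same comment/value pair is in the two caTokenUser*KeyEnrollment.cfg profiles). With directory lookup off, the RFC822Name SAN in p6 is filled from `$request.mail$` exactly as supplied in the request and p6 uses noConstraintImpl, so agent review under `auth.instance_id=AgentCertAuth` appears to be the only check on that value; if that is the intent, a one-line comment on the p6 pattern saying so would help. Finally, `certPolicy0.PolicyQualifiers0.CPSURI.enable=true` with an empty `CPSURI.value` (also in caTokenUserEncryptionKeyEnrollment.cfg) is inert while `certPolicy0.enable=false` and p7 is left out of `policyset.set1.list`, but would emit an empty CPS URI if that policy were switched on.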
@@ -0,0 +1,143 @@
+desc=This profile is for enrolling token device keys
+enable=true
+enableBy=admin
+lastModified=1068835451090
+name=Token Device Key Enrollment
+visible=true
+auth.instance_id=AgentCertAuth
+input.list=i1
+input.i1.class_id=nsHKeyCertReqInputImpl
+input.i1.name=nsHKeyCertReqInputImpl
+output.list=o1
+output.o1.class_id=nsNKeyOutputImpl
+output.o2.name=nsNKeyOutputImpl
+policyset.list=set1
+#policyset.set1.list=p2,p3,p4,p5,p1,p7,p8,p9,p12,p6
+policyset.set1.list=p2,p4,p5,p1,p8,p9,p12
+policyset.set1.p1.constraint.class_id=noConstraintImpl
+policyset.set1.p1.constraint.name=No Constraint
+policyset.set1.p1.default.class_id=nsTokenDeviceKeySubjectNameDefaultImpl
+policyset.set1.p1.default.name=nsTokenDeviceKeySubjectNameDefault
+policyset.set1.p1.default.params.dnpattern=UID=Token Key Device - $request.tokencuid$
+policyset.set1.p12.constraint.class_id=basicConstraintsExtConstraintImpl
+policyset.set1.p12.constraint.name=Basic Constraints Extension Constraint
+policyset.set1.p12.constraint.params.basicConstraintsCritical=-
+policyset.set1.p12.constraint.params.basicConstraintsIsCA=-
+policyset.set1.p12.constraint.params.basicConstraintsMaxPathLen=-1
+policyset.set1.p12.constraint.params.basicConstraintsMinPathLen=-1
+policyset.set1.p12.default.class_id=basicConstraintsExtDefaultImpl
+policyset.set1.p12.default.name=Basic Constraints Extension Default
+policyset.set1.p12.default.params.basicConstraintsCritical=false
+policyset.set1.p12.default.params.basicConstraintsIsCA=false
+policyset.set1.p12.default.params.basicConstraintsPathLen=-1
+policyset.set1.p2.constraint.class_id=noConstraintImpl
+policyset.set1.p2.constraint.name=No Constraint
+policyset.set1.p2.default.class_id=validityDefaultImpl
+policyset.set1.p2.default.name=Validity Default
+policyset.set1.p2.default.params.range=1825
+policyset.set1.p2.default.params.startTime=0
+policyset.set1.p3.constraint.class_id=noConstraintImpl
+policyset.set1.p3.constraint.name=No Constraint
+policyset.set1.p3.default.class_id=crlDistributionPointsExtDefaultImpl
+policyset.set1.p3.default.name=crlDistributionPointsExtDefaultImpl
+policyset.set1.p3.default.params.crlDistPointsCritical=false
+policyset.set1.p3.default.params.crlDistPointsNum=0
+policyset.set1.p3.default.params.crlDistPointsEnable_0=false
+policyset.set1.p3.default.params.crlDistPointsIssuerName_0=
+policyset.set1.p3.default.params.crlDistPointsIssuerType_0=
+policyset.set1.p3.default.params.crlDistPointsPointName_0=
+policyset.set1.p3.default.params.crlDistPointsPointType_0=URIName
+policyset.set1.p3.default.params.crlDistPointsReasons_0=
+policyset.set1.p4.constraint.class_id=noConstraintImpl
+policyset.set1.p4.constraint.name=No Constraint
+policyset.set1.p4.default.class_id=signingAlgDefaultImpl
+policyset.set1.p4.default.name=Signing Algorithm Default
+policyset.set1.p4.default.params.signingAlg=-
+policyset.set1.p5.constraint.class_id=noConstraintImpl
+policyset.set1.p5.constraint.name=No Constraint
+policyset.set1.p5.default.class_id=keyUsageExtDefaultImpl
+policyset.set1.p5.default.name=Key Usage Extension Default
+policyset.set1.p5.default.params.keyUsageCritical=true
+policyset.set1.p5.default.params.keyUsageCrlSign=false
+policyset.set1.p5.default.params.keyUsageDataEncipherment=false
+policyset.set1.p5.default.params.keyUsageDecipherOnly=false
+policyset.set1.p5.default.params.keyUsageDigitalSignature=true
+policyset.set1.p5.default.params.keyUsageEncipherOnly=false
+policyset.set1.p5.default.params.keyUsageKeyAgreement=false
+policyset.set1.p5.default.params.keyUsageKeyCertSign=false
+policyset.set1.p5.default.params.keyUsageKeyEncipherment=false
+policyset.set1.p5.default.params.keyUsageNonRepudiation=false
+policyset.set1.p7.constraint.class_id=noConstraintImpl
+policyset.set1.p7.constraint.name=No Constraint
+policyset.set1.p7.default.class_id=certificatePoliciesExtDefaultImpl
+policyset.set1.p7.default.name=Certificate Policies Extension Default
+policyset.set1.p7.default.params.Critical=false
+policyset.set1.p7.default.params.PoliciesExt.certPolicy0.enable=false
+policyset.set1.p7.default.params.PoliciesExt.certPolicy0.policyId=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.CPSURI.enable=false
+policyset.set1.p7.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.CPSURI.value=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.usernotice.enable=false
+policyset.set1.p7.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.usernotice.explicitText.value=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.usernotice.noticeReference.noticeNumbers=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.usernotice.noticeReference.organization=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy1.enable=false
+policyset.set1.p7.default.params.PoliciesExt.certPolicy1.policyId=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy1.PolicyQualifiers0.CPSURI.enable=false
+policyset.set1.p7.default.params.PoliciesExt.certPolicy1.PolicyQualifiers0.CPSURI.value=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy1.PolicyQualifiers0.usernotice.enable=false
+policyset.set1.p7.default.params.PoliciesExt.certPolicy1.PolicyQualifiers0.usernotice.explicitText.value=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy1.PolicyQualifiers0.usernotice.noticeReference.noticeNumbers=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy1.PolicyQualifiers0.usernotice.noticeReference.organization=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy2.enable=false
+policyset.set1.p7.default.params.PoliciesExt.certPolicy2.policyId=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy2.PolicyQualifiers0.CPSURI.enable=false
+policyset.set1.p7.default.params.PoliciesExt.certPolicy2.PolicyQualifiers0.CPSURI.value=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy2.PolicyQualifiers0.usernotice.enable=false
+policyset.set1.p7.default.params.PoliciesExt.certPolicy2.PolicyQualifiers0.usernotice.explicitText.value=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy2.PolicyQualifiers0.usernotice.noticeReference.noticeNumbers=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy2.PolicyQualifiers0.usernotice.noticeReference.organization=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy3.enable=false
+policyset.set1.p7.default.params.PoliciesExt.certPolicy3.policyId=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy3.PolicyQualifiers0.CPSURI.enable=false
+policyset.set1.p7.default.params.PoliciesExt.certPolicy3.PolicyQualifiers0.CPSURI.value=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy3.PolicyQualifiers0.usernotice.enable=false
+policyset.set1.p7.default.params.PoliciesExt.certPolicy3.PolicyQualifiers0.usernotice.explicitText.value=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy3.PolicyQualifiers0.usernotice.noticeReference.noticeNumbers=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy3.PolicyQualifiers0.usernotice.noticeReference.organization=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy4.enable=false
+policyset.set1.p7.default.params.PoliciesExt.certPolicy4.policyId=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy4.PolicyQualifiers0.CPSURI.enable=false
+policyset.set1.p7.default.params.PoliciesExt.certPolicy4.PolicyQualifiers0.CPSURI.value=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy4.PolicyQualifiers0.usernotice.enable=false
+policyset.set1.p7.default.params.PoliciesExt.certPolicy4.PolicyQualifiers0.usernotice.explicitText.value=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy4.PolicyQualifiers0.usernotice.noticeReference.noticeNumbers=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy4.PolicyQualifiers0.usernotice.noticeReference.organization=
+policyset.set1.p8.constraint.class_id=noConstraintImpl
+policyset.set1.p8.constraint.name=No Constraint
+policyset.set1.p8.default.class_id=subjectKeyIdentifierExtDefaultImpl
+policyset.set1.p8.default.name=Subject Key Identifier Default
+policyset.set1.p9.constraint.class_id=noConstraintImpl
+policyset.set1.p9.constraint.name=No Constraint
+policyset.set1.p9.default.class_id=authorityKeyIdentifierExtDefaultImpl
+policyset.set1.p9.default.name=Authority Key Identifier Extension Default
+policyset.set1.p6.constraint.class_id=noConstraintImpl
+policyset.set1.p6.constraint.name=No Constraint
+policyset.set1.p6.default.class_id=subjectAltNameExtDefaultImpl
+policyset.set1.p6.default.name=Subject Alternative Name Extension Default
+policyset.set1.p6.default.params.subjAltExtGNEnable_0=false
+policyset.set1.p6.default.params.subjAltExtGNEnable_1=false
+policyset.set1.p6.default.params.subjAltExtGNEnable_2=false
+policyset.set1.p6.default.params.subjAltExtGNEnable_3=false
+policyset.set1.p6.default.params.subjAltExtGNEnable_4=false
+policyset.set1.p6.default.params.subjAltExtPattern_0=
+policyset.set1.p6.default.params.subjAltExtPattern_1=
+policyset.set1.p6.default.params.subjAltExtPattern_2=
+policyset.set1.p6.default.params.subjAltExtPattern_3=
+policyset.set1.p6.default.params.subjAltExtPattern_4=
+policyset.set1.p6.default.params.subjAltExtType_0=OtherName
+policyset.set1.p6.default.params.subjAltExtType_1=RFC822Name
+policyset.set1.p6.default.params.subjAltExtType_2=RFC822Name
+policyset.set1.p6.default.params.subjAltExtType_3=RFC822Name
+policyset.set1.p6.default.params.subjAltExtType_4=RFC822Name
+policyset.set1.p6.default.params.subjAltNameExtCritical=false
+policyset.set1.p6.default.params.subjAltNameNumGNs=0
diff --git a/pki/base/ca/shared/profiles/ca/caTokenUserEncryptionKeyEnrollment.cfg b/pki/base/ca/shared/profiles/ca/caTokenUserEncryptionKeyEnrollment.cfg
new file mode 100644
index 000000000..724f3dc18
--- /dev/null
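Review bot: The p7 certificate-policies block in this profile has no `policyset.set1.p7.default.params.PoliciesExt.num=5` line, which the sibling caTempTokenUserSigningKeyEnrollment.cfg and caTokenUserEncryptionKeyEnrollment.cfg carry right after `PoliciesExt.Critical`; p7 only appears in the commented-out `policyset.set1.list`, so nothing breaks today, but re-enabling it would leave the policy count unspecified. Either add the line for consistency with the sibling profiles or drop the unused p7 block. `lastModified=1068835451090` is a hard-coded timestamp in a shipped template that none of the neighbouring profiles carry; presumably the server rewrites it on save, but confirm it is meant to be committed. The p3 CRL-DP block, the p7 block and the p6 SAN block with `subjAltNameNumGNs=0` and every `subjAltExtGNEnable_*=false` are all defined but not listed, which is fine as placeholders but deserves a comment next to the active list such as `# p3, p6 and p7 are defined below but not enabled; add them to policyset.set1.list to activate`.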
+++ b/pki/base/ca/shared/profiles/ca/caTokenUserEncryptionKeyEnrollment.cfg 
@@ -0,0 +1,164 @@
+desc=This profile is for enrolling Token Encryption key
+enable=true
+enableBy=admin
+name=Token User Encryption Certificate Enrollment
+visible=true
+auth.instance_id=AgentCertAuth
+input.list=i1
+input.i1.class_id=nsNKeyCertReqInputImpl
+input.i1.name=nsNKeyCertReqInputImpl
+output.list=o1
+output.o1.class_id=nsNKeyOutputImpl
+output.o2.name=nsNKeyOutputImpl
+policyset.list=set1
+#policyset.set1.list=p2,p4,p5,p1,p6,p7,p8,p9,p12,p13,p14
+policyset.set1.list=p2,p4,p5,p1,p6,p8,p9,p12
+policyset.set1.p1.constraint.class_id=noConstraintImpl
+policyset.set1.p1.constraint.name=No Constraint
+policyset.set1.p1.default.class_id=nsTokenUserKeySubjectNameDefaultImpl
+policyset.set1.p1.default.name=nsTokenUserKeySubjectNameDefault
+policyset.set1.p1.default.params.dnpattern=UID=$request.uid$, O=Token Key User
+#changed ldap.enable to true to support SMIME
+policyset.set1.p1.default.params.ldap.enable=false
+policyset.set1.p1.default.params.ldap.searchName=uid
+policyset.set1.p1.default.params.ldapStringAttributes=uid,mail
+policyset.set1.p1.default.params.ldap.basedn=
+policyset.set1.p1.default.params.ldap.maxConns=4
+policyset.set1.p1.default.params.ldap.minConns=1
+policyset.set1.p1.default.params.ldap.ldapconn.Version=2
+policyset.set1.p1.default.params.ldap.ldapconn.host=
+policyset.set1.p1.default.params.ldap.ldapconn.port=
+policyset.set1.p1.default.params.ldap.ldapconn.secureConn=false
+policyset.set1.p2.constraint.class_id=noConstraintImpl
+policyset.set1.p2.constraint.name=No Constraint
+policyset.set1.p2.default.class_id=validityDefaultImpl
+policyset.set1.p2.default.name=Validity Default
+policyset.set1.p2.default.params.range=1825
+policyset.set1.p2.default.params.startTime=0
+policyset.set1.p4.constraint.class_id=noConstraintImpl
+policyset.set1.p4.constraint.name=No Constraint
+policyset.set1.p4.default.class_id=signingAlgDefaultImpl
+policyset.set1.p4.default.name=Signing Algorithm Default
+policyset.set1.p4.default.params.signingAlg=-
+policyset.set1.p5.constraint.class_id=noConstraintImpl
+policyset.set1.p5.constraint.name=No Constraint
+policyset.set1.p5.default.class_id=keyUsageExtDefaultImpl
+policyset.set1.p5.default.name=Key Usage Extension Default
+policyset.set1.p5.default.params.keyUsageCritical=true
+policyset.set1.p5.default.params.keyUsageCrlSign=false
+policyset.set1.p5.default.params.keyUsageDataEncipherment=false
+policyset.set1.p5.default.params.keyUsageDecipherOnly=false
+policyset.set1.p5.default.params.keyUsageDigitalSignature=false
+policyset.set1.p5.default.params.keyUsageEncipherOnly=false
+policyset.set1.p5.default.params.keyUsageKeyAgreement=false
+policyset.set1.p5.default.params.keyUsageKeyCertSign=false
+policyset.set1.p5.default.params.keyUsageKeyEncipherment=true
+policyset.set1.p5.default.params.keyUsageNonRepudiation=false
+policyset.set1.p6.constraint.class_id=noConstraintImpl
+policyset.set1.p6.constraint.name=No Constraint
+policyset.set1.p6.default.class_id=subjectAltNameExtDefaultImpl
+policyset.set1.p6.default.name=Subject Alternative Name Extension Default
+policyset.set1.p6.default.params.subjAltExtGNEnable_0=true
+policyset.set1.p6.default.params.subjAltExtGNEnable_1=false
+policyset.set1.p6.default.params.subjAltExtGNEnable_2=false
+policyset.set1.p6.default.params.subjAltExtGNEnable_3=false
+policyset.set1.p6.default.params.subjAltExtGNEnable_4=false
+policyset.set1.p6.default.params.subjAltExtPattern_0=$request.mail$
+policyset.set1.p6.default.params.subjAltExtPattern_1=
+policyset.set1.p6.default.params.subjAltExtPattern_2=
+policyset.set1.p6.default.params.subjAltExtPattern_3=
+policyset.set1.p6.default.params.subjAltExtPattern_4=
+policyset.set1.p6.default.params.subjAltExtType_0=RFC822Name
+policyset.set1.p6.default.params.subjAltExtType_1=OtherName
+policyset.set1.p6.default.params.subjAltExtType_2=RFC822Name
+policyset.set1.p6.default.params.subjAltExtType_3=RFC822Name
+policyset.set1.p6.default.params.subjAltExtType_4=RFC822Name
+policyset.set1.p6.default.params.subjAltNameExtCritical=false
+policyset.set1.p6.default.params.subjAltNameNumGNs=1
+policyset.set1.p7.constraint.class_id=noConstraintImpl
+policyset.set1.p7.constraint.name=No Constraint
+policyset.set1.p7.default.class_id=certificatePoliciesExtDefaultImpl
+policyset.set1.p7.default.name=Certificate Policies Extension Default
+policyset.set1.p7.default.params.Critical=false
+policyset.set1.p7.default.params.PoliciesExt.num=5
+policyset.set1.p7.default.params.PoliciesExt.certPolicy0.enable=false
+policyset.set1.p7.default.params.PoliciesExt.certPolicy0.policyId=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.CPSURI.enable=true
+policyset.set1.p7.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.CPSURI.value=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.usernotice.enable=false
+policyset.set1.p7.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.usernotice.explicitText.value=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.usernotice.noticeReference.noticeNumbers=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.usernotice.noticeReference.organization=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy1.enable=false
+policyset.set1.p7.default.params.PoliciesExt.certPolicy1.policyId=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy1.PolicyQualifiers0.CPSURI.enable=false
+policyset.set1.p7.default.params.PoliciesExt.certPolicy1.PolicyQualifiers0.CPSURI.value=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy1.PolicyQualifiers0.usernotice.enable=false
+policyset.set1.p7.default.params.PoliciesExt.certPolicy1.PolicyQualifiers0.usernotice.explicitText.value=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy1.PolicyQualifiers0.usernotice.noticeReference.noticeNumbers=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy1.PolicyQualifiers0.usernotice.noticeReference.organization=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy2.enable=false
+policyset.set1.p7.default.params.PoliciesExt.certPolicy2.policyId=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy2.PolicyQualifiers0.CPSURI.enable=false
+policyset.set1.p7.default.params.PoliciesExt.certPolicy2.PolicyQualifiers0.CPSURI.value=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy2.PolicyQualifiers0.usernotice.enable=false
+policyset.set1.p7.default.params.PoliciesExt.certPolicy2.PolicyQualifiers0.usernotice.explicitText.value=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy2.PolicyQualifiers0.usernotice.noticeReference.noticeNumbers=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy2.PolicyQualifiers0.usernotice.noticeReference.organization=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy3.enable=false
+policyset.set1.p7.default.params.PoliciesExt.certPolicy3.policyId=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy3.PolicyQualifiers0.CPSURI.enable=false
+policyset.set1.p7.default.params.PoliciesExt.certPolicy3.PolicyQualifiers0.CPSURI.value=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy3.PolicyQualifiers0.usernotice.enable=false
+policyset.set1.p7.default.params.PoliciesExt.certPolicy3.PolicyQualifiers0.usernotice.explicitText.value=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy3.PolicyQualifiers0.usernotice.noticeReference.noticeNumbers=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy3.PolicyQualifiers0.usernotice.noticeReference.organization=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy4.enable=false
+policyset.set1.p7.default.params.PoliciesExt.certPolicy4.policyId=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy4.PolicyQualifiers0.CPSURI.enable=false
+policyset.set1.p7.default.params.PoliciesExt.certPolicy4.PolicyQualifiers0.CPSURI.value=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy4.PolicyQualifiers0.usernotice.enable=false
+policyset.set1.p7.default.params.PoliciesExt.certPolicy4.PolicyQualifiers0.usernotice.explicitText.value=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy4.PolicyQualifiers0.usernotice.noticeReference.noticeNumbers=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy4.PolicyQualifiers0.usernotice.noticeReference.organization=
+policyset.set1.p8.constraint.class_id=noConstraintImpl
+policyset.set1.p8.constraint.name=No Constraint
+policyset.set1.p8.default.class_id=subjectKeyIdentifierExtDefaultImpl
+policyset.set1.p8.default.name=Subject Key Identifier Default
+policyset.set1.p9.constraint.class_id=noConstraintImpl
+policyset.set1.p9.constraint.name=No Constraint
+policyset.set1.p9.default.class_id=authorityKeyIdentifierExtDefaultImpl
+policyset.set1.p9.default.name=Authority Key Identifier Extension Default
+policyset.set1.p12.constraint.class_id=basicConstraintsExtConstraintImpl
+policyset.set1.p12.constraint.name=Basic Constraints Extension Constraint
+policyset.set1.p12.constraint.params.basicConstraintsCritical=-
+policyset.set1.p12.constraint.params.basicConstraintsIsCA=-
+policyset.set1.p12.constraint.params.basicConstraintsMaxPathLen=-1
+policyset.set1.p12.constraint.params.basicConstraintsMinPathLen=-1
+policyset.set1.p12.default.class_id=basicConstraintsExtDefaultImpl
+policyset.set1.p12.default.name=Basic Constraints Extension Default
+policyset.set1.p12.default.params.basicConstraintsCritical=false
+policyset.set1.p12.default.params.basicConstraintsIsCA=false
+policyset.set1.p12.default.params.basicConstraintsPathLen=-1
+policyset.set1.p13.constraint.class_id=noConstraintImpl
+policyset.set1.p13.constraint.name=No Constraint
+policyset.set1.p13.default.class_id=crlDistributionPointsExtDefaultImpl
+policyset.set1.p13.default.name=crlDistributionPointsExtDefaultImpl
+policyset.set1.p13.default.params.crlDistPointsCritical=false
+policyset.set1.p13.default.params.crlDistPointsNum=0
+policyset.set1.p13.default.params.crlDistPointsEnable_0=false
+policyset.set1.p13.default.params.crlDistPointsIssuerName_0=
+policyset.set1.p13.default.params.crlDistPointsIssuerType_0=
+policyset.set1.p13.default.params.crlDistPointsPointName_0=
+policyset.set1.p13.default.params.crlDistPointsPointType_0=URIName
+policyset.set1.p13.default.params.crlDistPointsReasons_0=
+policyset.set1.p14.constraint.class_id=noConstraintImpl
+policyset.set1.p14.constraint.name=No Constraint
+policyset.set1.p14.default.class_id=authInfoAccessExtDefaultImpl
+policyset.set1.p14.default.name=AIA Extension Default
+policyset.set1.p14.default.params.authInfoAccessADEnable_0=false
+policyset.set1.p14.default.params.authInfoAccessADLocationType_0=URIName
+policyset.set1.p14.default.params.authInfoAccessADLocation_0=
+policyset.set1.p14.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1
+policyset.set1.p14.default.params.authInfoAccessCritical=false
+policyset.set1.p14.default.params.authInfoAccessNumADs=0
diff --git a/pki/base/ca/shared/profiles/ca/caTokenUserSigningKeyEnrollment.cfg b/pki/base/ca/shared/profiles/ca/caTokenUserSigningKeyEnrollment.cfg
new file mode 100644
index 000000000..9f9bf20c3
--- /dev/null
+++ b/pki/base/ca/shared/profiles/ca/caTokenUserSigningKeyEnrollment.cfg
@@ -0,0 +1,164 @@
+desc=This profile is for enrolling Token Signing key
+enable=true
+enableBy=admin
+name=Token User Signing Certificate Enrollment
+visible=true
+auth.instance_id=AgentCertAuth
+input.list=i1
+input.i1.class_id=nsNKeyCertReqInputImpl
+input.i1.name=nsNKeyCertReqInputImpl
+output.list=o1
+output.o1.class_id=nsNKeyOutputImpl
+output.o2.name=nsNKeyOutputImpl
+policyset.list=set1
+#policyset.set1.list=p2,p4,p5,p1,p6,p7,p8,p9,p12,p13,p14
+policyset.set1.list=p2,p4,p5,p1,p6,p8,p9,p12
+policyset.set1.p1.constraint.class_id=noConstraintImpl
+policyset.set1.p1.constraint.name=No Constraint
+policyset.set1.p1.default.class_id=nsTokenUserKeySubjectNameDefaultImpl
+policyset.set1.p1.default.name=nsTokenUserKeySubjectNameDefault
+policyset.set1.p1.default.params.dnpattern=UID=$request.uid$, O=Token Key User
+#changed ldap.enable to true to support SMIME
+policyset.set1.p1.default.params.ldap.enable=false
+policyset.set1.p1.default.params.ldap.searchName=uid
+policyset.set1.p1.default.params.ldapStringAttributes=uid,mail
+policyset.set1.p1.default.params.ldap.basedn=
+policyset.set1.p1.default.params.ldap.maxConns=4
+policyset.set1.p1.default.params.ldap.minConns=1
+policyset.set1.p1.default.params.ldap.ldapconn.Version=2
+policyset.set1.p1.default.params.ldap.ldapconn.host=
+policyset.set1.p1.default.params.ldap.ldapconn.port=
+policyset.set1.p1.default.params.ldap.ldapconn.secureConn=false
+policyset.set1.p2.constraint.class_id=noConstraintImpl
+policyset.set1.p2.constraint.name=No Constraint
+policyset.set1.p2.default.class_id=validityDefaultImpl
+policyset.set1.p2.default.name=Validity Default
+policyset.set1.p2.default.params.range=1825
+policyset.set1.p2.default.params.startTime=0
+policyset.set1.p4.constraint.class_id=noConstraintImpl
+policyset.set1.p4.constraint.name=No Constraint
+policyset.set1.p4.default.class_id=signingAlgDefaultImpl
+policyset.set1.p4.default.name=Signing Algorithm Default
+policyset.set1.p4.default.params.signingAlg=-
+policyset.set1.p5.constraint.class_id=noConstraintImpl
+policyset.set1.p5.constraint.name=No Constraint
+policyset.set1.p5.default.class_id=keyUsageExtDefaultImpl
+policyset.set1.p5.default.name=Key Usage Extension Default
+policyset.set1.p5.default.params.keyUsageCritical=true
+policyset.set1.p5.default.params.keyUsageCrlSign=false
+policyset.set1.p5.default.params.keyUsageDataEncipherment=false
+policyset.set1.p5.default.params.keyUsageDecipherOnly=false
+policyset.set1.p5.default.params.keyUsageDigitalSignature=true
+policyset.set1.p5.default.params.keyUsageEncipherOnly=false
+policyset.set1.p5.default.params.keyUsageKeyAgreement=false
+policyset.set1.p5.default.params.keyUsageKeyCertSign=false
+policyset.set1.p5.default.params.keyUsageKeyEncipherment=false
+policyset.set1.p5.default.params.keyUsageNonRepudiation=true
+policyset.set1.p6.constraint.class_id=noConstraintImpl
+policyset.set1.p6.constraint.name=No Constraint
+policyset.set1.p6.default.class_id=subjectAltNameExtDefaultImpl
+policyset.set1.p6.default.name=Subject Alternative Name Extension Default
+policyset.set1.p6.default.params.subjAltExtGNEnable_0=true
+policyset.set1.p6.default.params.subjAltExtGNEnable_1=false
+policyset.set1.p6.default.params.subjAltExtGNEnable_2=false
+policyset.set1.p6.default.params.subjAltExtGNEnable_3=false
+policyset.set1.p6.default.params.subjAltExtGNEnable_4=false
+policyset.set1.p6.default.params.subjAltExtPattern_0=$request.mail$
+policyset.set1.p6.default.params.subjAltExtPattern_1=
+policyset.set1.p6.default.params.subjAltExtPattern_2=
+policyset.set1.p6.default.params.subjAltExtPattern_3=
+policyset.set1.p6.default.params.subjAltExtPattern_4=
+policyset.set1.p6.default.params.subjAltExtType_0=RFC822Name
+policyset.set1.p6.default.params.subjAltExtType_1=OtherName
+policyset.set1.p6.default.params.subjAltExtType_2=RFC822Name
+policyset.set1.p6.default.params.subjAltExtType_3=RFC822Name
+policyset.set1.p6.default.params.subjAltExtType_4=RFC822Name
+policyset.set1.p6.default.params.subjAltNameExtCritical=false
+policyset.set1.p6.default.params.subjAltNameNumGNs=1
+policyset.set1.p7.constraint.class_id=noConstraintImpl
+policyset.set1.p7.constraint.name=No Constraint
+policyset.set1.p7.default.class_id=certificatePoliciesExtDefaultImpl
+policyset.set1.p7.default.name=Certificate Policies Extension Default
+policyset.set1.p7.default.params.Critical=false
+policyset.set1.p7.default.params.PoliciesExt.num=5
+policyset.set1.p7.default.params.PoliciesExt.certPolicy0.enable=false
+policyset.set1.p7.default.params.PoliciesExt.certPolicy0.policyId=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.CPSURI.enable=true
+policyset.set1.p7.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.CPSURI.value=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.usernotice.enable=false
+policyset.set1.p7.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.usernotice.explicitText.value=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.usernotice.noticeReference.noticeNumbers=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.usernotice.noticeReference.organization=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy1.enable=false
+policyset.set1.p7.default.params.PoliciesExt.certPolicy1.policyId=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy1.PolicyQualifiers0.CPSURI.enable=false
+policyset.set1.p7.default.params.PoliciesExt.certPolicy1.PolicyQualifiers0.CPSURI.value=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy1.PolicyQualifiers0.usernotice.enable=false
+policyset.set1.p7.default.params.PoliciesExt.certPolicy1.PolicyQualifiers0.usernotice.explicitText.value=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy1.PolicyQualifiers0.usernotice.noticeReference.noticeNumbers=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy1.PolicyQualifiers0.usernotice.noticeReference.organization=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy2.enable=false
+policyset.set1.p7.default.params.PoliciesExt.certPolicy2.policyId=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy2.PolicyQualifiers0.CPSURI.enable=false
+policyset.set1.p7.default.params.PoliciesExt.certPolicy2.PolicyQualifiers0.CPSURI.value=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy2.PolicyQualifiers0.usernotice.enable=false
+policyset.set1.p7.default.params.PoliciesExt.certPolicy2.PolicyQualifiers0.usernotice.explicitText.value=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy2.PolicyQualifiers0.usernotice.noticeReference.noticeNumbers=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy2.PolicyQualifiers0.usernotice.noticeReference.organization=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy3.enable=false
+policyset.set1.p7.default.params.PoliciesExt.certPolicy3.policyId=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy3.PolicyQualifiers0.CPSURI.enable=false
+policyset.set1.p7.default.params.PoliciesExt.certPolicy3.PolicyQualifiers0.CPSURI.value=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy3.PolicyQualifiers0.usernotice.enable=false
+policyset.set1.p7.default.params.PoliciesExt.certPolicy3.PolicyQualifiers0.usernotice.explicitText.value=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy3.PolicyQualifiers0.usernotice.noticeReference.noticeNumbers=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy3.PolicyQualifiers0.usernotice.noticeReference.organization=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy4.enable=false
+policyset.set1.p7.default.params.PoliciesExt.certPolicy4.policyId=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy4.PolicyQualifiers0.CPSURI.enable=false
+policyset.set1.p7.default.params.PoliciesExt.certPolicy4.PolicyQualifiers0.CPSURI.value=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy4.PolicyQualifiers0.usernotice.enable=false
+policyset.set1.p7.default.params.PoliciesExt.certPolicy4.PolicyQualifiers0.usernotice.explicitText.value=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy4.PolicyQualifiers0.usernotice.noticeReference.noticeNumbers=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy4.PolicyQualifiers0.usernotice.noticeReference.organization=
+policyset.set1.p8.constraint.class_id=noConstraintImpl
+policyset.set1.p8.constraint.name=No Constraint
+policyset.set1.p8.default.class_id=subjectKeyIdentifierExtDefaultImpl
+policyset.set1.p8.default.name=Subject Key Identifier Default
+policyset.set1.p9.constraint.class_id=noConstraintImpl
+policyset.set1.p9.constraint.name=No Constraint
+policyset.set1.p9.default.class_id=authorityKeyIdentifierExtDefaultImpl
+policyset.set1.p9.default.name=Authority Key Identifier Extension Default
+policyset.set1.p12.constraint.class_id=basicConstraintsExtConstraintImpl
+policyset.set1.p12.constraint.name=Basic Constraints Extension Constraint
+policyset.set1.p12.constraint.params.basicConstraintsCritical=-
+policyset.set1.p12.constraint.params.basicConstraintsIsCA=-
+policyset.set1.p12.constraint.params.basicConstraintsMaxPathLen=-1
+policyset.set1.p12.constraint.params.basicConstraintsMinPathLen=-1
+policyset.set1.p12.default.class_id=basicConstraintsExtDefaultImpl
+policyset.set1.p12.default.name=Basic Constraints Extension Default
+policyset.set1.p12.default.params.basicConstraintsCritical=false
+policyset.set1.p12.default.params.basicConstraintsIsCA=false
+policyset.set1.p12.default.params.basicConstraintsPathLen=-1
+policyset.set1.p13.constraint.class_id=noConstraintImpl
+policyset.set1.p13.constraint.name=No Constraint
+policyset.set1.p13.default.class_id=crlDistributionPointsExtDefaultImpl
+policyset.set1.p13.default.name=crlDistributionPointsExtDefaultImpl
+policyset.set1.p13.default.params.crlDistPointsCritical=false
+policyset.set1.p13.default.params.crlDistPointsNum=0
+policyset.set1.p13.default.params.crlDistPointsEnable_0=false
+policyset.set1.p13.default.params.crlDistPointsIssuerName_0=
+policyset.set1.p13.default.params.crlDistPointsIssuerType_0=
+policyset.set1.p13.default.params.crlDistPointsPointName_0=
+policyset.set1.p13.default.params.crlDistPointsPointType_0=URIName
+policyset.set1.p13.default.params.crlDistPointsReasons_0=
+policyset.set1.p14.constraint.class_id=noConstraintImpl
+policyset.set1.p14.constraint.name=No Constraint
+policyset.set1.p14.default.class_id=authInfoAccessExtDefaultImpl
+policyset.set1.p14.default.name=AIA Extension Default
+policyset.set1.p14.default.params.authInfoAccessADEnable_0=false
+policyset.set1.p14.default.params.authInfoAccessADLocationType_0=URIName
+policyset.set1.p14.default.params.authInfoAccessADLocation_0=
+policyset.set1.p14.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1
+policyset.set1.p14.default.params.authInfoAccessCritical=false
+policyset.set1.p14.default.params.authInfoAccessNumADs=0
diff --git a/pki/base/ca/shared/profiles/ca/caTransportCert.cfg b/pki/base/ca/shared/profiles/ca/caTransportCert.cfg
new file mode 100644
index 000000000..a63e254c1
--- /dev/null
+++ b/pki/base/ca/shared/profiles/ca/caTransportCert.cfg
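Review bot: The output block lists `output.list=o1` and sets `output.o1.class_id=nsNKeyOutputImpl`, but the name entry is written under a different index, `output.o2.name=nsNKeyOutputImpl`, so o1 has no name and o2 is never listed; this reads as a typo for `output.o1.name=nsNKeyOutputImpl`. The comment `#changed ldap.enable to true to support SMIME` contradicts the line directly below it, `policyset.set1.p1.default.params.ldap.enable=false`, so one of the two is stale and should be corrected before someone trusts the comment. If LDAP lookup is ever switched on here, note that `ldap.ldapconn.secureConn=false` with an empty host/port would perform the uid/mail lookup over a cleartext connection, which is worth a comment stating that `secureConn` is expected to be set alongside `ldap.enable`.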
@@ -0,0 +1,80 @@
+desc=This certificate profile is for enrolling Data Recovery Manager transport certificates.
+visible=true
+enable=true
+enableBy=admin
+auth.class_id=
+name=Manual Data Recovery Manager Transport Certificate Enrollment
+input.list=i1,i2
+input.i1.class_id=certReqInputImpl
+input.i2.class_id=submitterInfoInputImpl
+output.list=o1
+output.o1.class_id=certOutputImpl
+policyset.list=transportCertSet
+policyset.transportCertSet.list=1,2,3,4,5,6,8
+policyset.transportCertSet.1.constraint.class_id=subjectNameConstraintImpl
+policyset.transportCertSet.1.constraint.name=Subject Name Constraint
+policyset.transportCertSet.1.constraint.params.pattern=CN=.*
+policyset.transportCertSet.1.constraint.params.accept=true
+policyset.transportCertSet.1.default.class_id=userSubjectNameDefaultImpl
+policyset.transportCertSet.1.default.name=Subject Name Default
+policyset.transportCertSet.1.default.params.name=
+policyset.transportCertSet.2.constraint.class_id=validityConstraintImpl
+policyset.transportCertSet.2.constraint.name=Validity Constraint
+policyset.transportCertSet.2.constraint.params.range=720
+policyset.transportCertSet.2.constraint.params.notBeforeCheck=false
+policyset.transportCertSet.2.constraint.params.notAfterCheck=false
+policyset.transportCertSet.2.default.class_id=validityDefaultImpl
+policyset.transportCertSet.2.default.name=Validity Default
+policyset.transportCertSet.2.default.params.range=720
+policyset.transportCertSet.2.default.params.startTime=0
+policyset.transportCertSet.3.constraint.class_id=keyConstraintImpl
+policyset.transportCertSet.3.constraint.name=Key Constraint
+policyset.transportCertSet.3.constraint.params.keyType=-
+policyset.transportCertSet.3.constraint.params.keyMinLength=256
+policyset.transportCertSet.3.constraint.params.keyMaxLength=4096
+policyset.transportCertSet.3.default.class_id=userKeyDefaultImpl
+policyset.transportCertSet.3.default.name=Key Default
+policyset.transportCertSet.4.constraint.class_id=noConstraintImpl
+policyset.transportCertSet.4.constraint.name=No Constraint
+policyset.transportCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl
+policyset.transportCertSet.4.default.name=Authority Key Identifier Default
+policyset.transportCertSet.5.constraint.class_id=noConstraintImpl
+policyset.transportCertSet.5.constraint.name=No Constraint
+policyset.transportCertSet.5.default.class_id=authInfoAccessExtDefaultImpl
+policyset.transportCertSet.5.default.name=AIA Extension Default
+policyset.transportCertSet.5.default.params.authInfoAccessADEnable_0=true
+policyset.transportCertSet.5.default.params.authInfoAccessADLocationType_0=URIName
+policyset.transportCertSet.5.default.params.authInfoAccessADLocation_0=
+policyset.transportCertSet.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1
+policyset.transportCertSet.5.default.params.authInfoAccessCritical=false
+policyset.transportCertSet.5.default.params.authInfoAccessNumADs=1
+policyset.transportCertSet.6.constraint.class_id=keyUsageExtConstraintImpl
+policyset.transportCertSet.6.constraint.name=Key Usage Extension Constraint
+policyset.transportCertSet.6.constraint.params.keyUsageCritical=true
+policyset.transportCertSet.6.constraint.params.keyUsageDigitalSignature=true
+policyset.transportCertSet.6.constraint.params.keyUsageNonRepudiation=true
+policyset.transportCertSet.6.constraint.params.keyUsageDataEncipherment=true
+policyset.transportCertSet.6.constraint.params.keyUsageKeyEncipherment=true
+policyset.transportCertSet.6.constraint.params.keyUsageKeyAgreement=false
+policyset.transportCertSet.6.constraint.params.keyUsageKeyCertSign=false
+policyset.transportCertSet.6.constraint.params.keyUsageCrlSign=false
+policyset.transportCertSet.6.constraint.params.keyUsageEncipherOnly=false
+policyset.transportCertSet.6.constraint.params.keyUsageDecipherOnly=false
+policyset.transportCertSet.6.default.class_id=keyUsageExtDefaultImpl
+policyset.transportCertSet.6.default.name=Key Usage Default
+policyset.transportCertSet.6.default.params.keyUsageCritical=true
+policyset.transportCertSet.6.default.params.keyUsageDigitalSignature=true
+policyset.transportCertSet.6.default.params.keyUsageNonRepudiation=true
+policyset.transportCertSet.6.default.params.keyUsageDataEncipherment=true
+policyset.transportCertSet.6.default.params.keyUsageKeyEncipherment=true
+policyset.transportCertSet.6.default.params.keyUsageKeyAgreement=false
+policyset.transportCertSet.6.default.params.keyUsageKeyCertSign=false
+policyset.transportCertSet.6.default.params.keyUsageCrlSign=false
+policyset.transportCertSet.6.default.params.keyUsageEncipherOnly=false
+policyset.transportCertSet.6.default.params.keyUsageDecipherOnly=false
+policyset.transportCertSet.8.constraint.class_id=signingAlgConstraintImpl
+policyset.transportCertSet.8.constraint.name=No Constraint
+policyset.transportCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC
+policyset.transportCertSet.8.default.class_id=signingAlgDefaultImpl
+policyset.transportCertSet.8.default.name=Signing Alg
+policyset.transportCertSet.8.default.params.signingAlg=-
diff --git a/pki/base/ca/shared/profiles/ca/caUserCert.cfg b/pki/base/ca/shared/profiles/ca/caUserCert.cfg
new file mode 100644
index 000000000..bd5932a76
--- /dev/null
+++ b/pki/base/ca/shared/profiles/ca/caUserCert.cfg
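Review bot: `policyset.transportCertSet.8.constraint.params.signingAlgsAllowed` admits `MD5withRSA` and `MD2withRSA`, both collision-broken digests, on a profile that issues the certificate the key-archival transport path depends on; the same allow-list appears in caUserCert.cfg (set 9) in the next hunk, so fix both together. Removing the two MD entries, e.g. `signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1withDSA,SHA1withEC`, makes the constraint enforce something rather than mirror every algorithm the CA can produce. The label `8.constraint.name=No Constraint` is also misleading for a `signingAlgConstraintImpl`; `Signing Algorithm Constraint` matches the naming used for the other constraints in this file. Separately, `3.constraint.params.keyMinLength=256` accepts keys far below any sensible floor for an RSA transport key (caUserCert.cfg set 3 has the same value); a comment explaining why the minimum is this low, or a higher value, would help whoever next audits these profiles.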
@@ -0,0 +1,96 @@
+desc=This certificate profile is for enrolling user certificates.
+visible=true
+enable=true
+enableBy=admin
+name=Manual User Dual-Use Certificate Enrollment
+auth.class_id=
+input.list=i1,i2,i3
+input.i1.class_id=keyGenInputImpl
+input.i2.class_id=subjectNameInputImpl
+input.i3.class_id=submitterInfoInputImpl
+output.list=o1
+output.o1.class_id=certOutputImpl
+policyset.list=userCertSet
+policyset.userCertSet.list=1,2,3,4,5,6,7,8,9
+policyset.userCertSet.1.constraint.class_id=subjectNameConstraintImpl
+policyset.userCertSet.1.constraint.name=Subject Name Constraint
+policyset.userCertSet.1.constraint.params.pattern=UID=.*
+policyset.userCertSet.1.constraint.params.accept=true
+policyset.userCertSet.1.default.class_id=userSubjectNameDefaultImpl
+policyset.userCertSet.1.default.name=Subject Name Default
+policyset.userCertSet.1.default.params.name=
+policyset.userCertSet.2.constraint.class_id=validityConstraintImpl
+policyset.userCertSet.2.constraint.name=Validity Constraint
+policyset.userCertSet.2.constraint.params.range=365
+policyset.userCertSet.2.constraint.params.notBeforeCheck=false
+policyset.userCertSet.2.constraint.params.notAfterCheck=false
+policyset.userCertSet.2.default.class_id=validityDefaultImpl
+policyset.userCertSet.2.default.name=Validity Default
+policyset.userCertSet.2.default.params.range=180
+policyset.userCertSet.2.default.params.startTime=0
+policyset.userCertSet.3.constraint.class_id=keyConstraintImpl
+policyset.userCertSet.3.constraint.name=Key Constraint
+policyset.userCertSet.3.constraint.params.keyType=-
+policyset.userCertSet.3.constraint.params.keyMinLength=256
+policyset.userCertSet.3.constraint.params.keyMaxLength=4096
+policyset.userCertSet.3.default.class_id=userKeyDefaultImpl
+policyset.userCertSet.3.default.name=Key Default
+policyset.userCertSet.4.constraint.class_id=noConstraintImpl
+policyset.userCertSet.4.constraint.name=No Constraint
+policyset.userCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl
+policyset.userCertSet.4.default.name=Authority Key Identifier Default
+policyset.userCertSet.5.constraint.class_id=noConstraintImpl
+policyset.userCertSet.5.constraint.name=No Constraint
+policyset.userCertSet.5.default.class_id=authInfoAccessExtDefaultImpl
+policyset.userCertSet.5.default.name=AIA Extension Default
+policyset.userCertSet.5.default.params.authInfoAccessADEnable_0=true
+policyset.userCertSet.5.default.params.authInfoAccessADLocationType_0=URIName
+policyset.userCertSet.5.default.params.authInfoAccessADLocation_0=
+policyset.userCertSet.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1
+policyset.userCertSet.5.default.params.authInfoAccessCritical=false
+policyset.userCertSet.5.default.params.authInfoAccessNumADs=1
+policyset.userCertSet.6.constraint.class_id=keyUsageExtConstraintImpl
+policyset.userCertSet.6.constraint.name=Key Usage Extension Constraint
+policyset.userCertSet.6.constraint.params.keyUsageCritical=true
+policyset.userCertSet.6.constraint.params.keyUsageDigitalSignature=true
+policyset.userCertSet.6.constraint.params.keyUsageNonRepudiation=true
+policyset.userCertSet.6.constraint.params.keyUsageDataEncipherment=false
+policyset.userCertSet.6.constraint.params.keyUsageKeyEncipherment=true
+policyset.userCertSet.6.constraint.params.keyUsageKeyAgreement=false
+policyset.userCertSet.6.constraint.params.keyUsageKeyCertSign=false
+policyset.userCertSet.6.constraint.params.keyUsageCrlSign=false
+policyset.userCertSet.6.constraint.params.keyUsageEncipherOnly=false
+policyset.userCertSet.6.constraint.params.keyUsageDecipherOnly=false
+policyset.userCertSet.6.default.class_id=keyUsageExtDefaultImpl
+policyset.userCertSet.6.default.name=Key Usage Default
+policyset.userCertSet.6.default.params.keyUsageCritical=true
+policyset.userCertSet.6.default.params.keyUsageDigitalSignature=true
+policyset.userCertSet.6.default.params.keyUsageNonRepudiation=true
+policyset.userCertSet.6.default.params.keyUsageDataEncipherment=false
+policyset.userCertSet.6.default.params.keyUsageKeyEncipherment=true
+policyset.userCertSet.6.default.params.keyUsageKeyAgreement=false
+policyset.userCertSet.6.default.params.keyUsageKeyCertSign=false
+policyset.userCertSet.6.default.params.keyUsageCrlSign=false
+policyset.userCertSet.6.default.params.keyUsageEncipherOnly=false
+policyset.userCertSet.6.default.params.keyUsageDecipherOnly=false
+policyset.userCertSet.7.constraint.class_id=noConstraintImpl
+policyset.userCertSet.7.constraint.name=No Constraint
+policyset.userCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl
+policyset.userCertSet.7.default.name=Extended Key Usage Extension Default
+policyset.userCertSet.7.default.params.exKeyUsageCritical=false
+policyset.userCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4
+policyset.userCertSet.8.constraint.class_id=noConstraintImpl
+policyset.userCertSet.8.constraint.name=No Constraint
+policyset.userCertSet.8.default.class_id=subjectAltNameExtDefaultImpl
+policyset.userCertSet.8.default.name=Subject Alt Name Constraint
+policyset.userCertSet.8.default.params.subjAltNameExtCritical=false
+policyset.userCertSet.8.default.params.subjAltExtType_0=RFC822Name
+policyset.userCertSet.8.default.params.subjAltExtPattern_0=$request.requestor_email$
+policyset.userCertSet.8.default.params.subjAltExtGNEnable_0=true
+policyset.userCertSet.8.default.params.subjAltNameNumGNs=1
+policyset.userCertSet.9.constraint.class_id=signingAlgConstraintImpl
+policyset.userCertSet.9.constraint.name=No Constraint
+policyset.userCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withEC
+policyset.userCertSet.9.default.class_id=signingAlgDefaultImpl
+policyset.userCertSet.9.default.name=Signing Alg
+policyset.userCertSet.9.default.params.signingAlg=-
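Review bot: `policyset.userCertSet.8.default.name=Subject Alt Name Constraint` labels a `subjectAltNameExtDefaultImpl` as a constraint, and `9.constraint.name=No Constraint` labels a `signingAlgConstraintImpl`; `Subject Alt Name Default` and `Signing Algorithm Constraint` would describe what each entry actually does. The SAN e-mail is taken from `$request.requestor_email$`, a value supplied by the submitter through `submitterInfoInputImpl`, and set 8 pairs it with `noConstraintImpl`, so nothing in this profile checks that the address belongs to the requester; with `auth.class_id=` empty that check rests entirely on the approving agent, which deserves a comment above set 8 such as `# SAN e-mail is self-asserted by the submitter; agent must verify before approval`. The MD2/MD5 entries in `signingAlgsAllowed` and `keyMinLength=256` are the same issue raised on the caTransportCert.cfg hunk.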
diff --git a/pki/base/ca/shared/webapps/ROOT/WEB-INF/web.xml b/pki/base/ca/shared/webapps/ROOT/WEB-INF/web.xml
new file mode 100644
index 000000000..59245836e
--- /dev/null
+++ b/pki/base/ca/shared/webapps/ROOT/WEB-INF/web.xml
@@ -0,0 +1,29 @@
+<?xml version="1.0" encoding="ISO-8859-1"?>
+<!--
+ Copyright 2004 The Apache Software Foundation
+
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+-->
+
+<web-app xmlns="http://java.sun.com/xml/ns/j2ee"
+ xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+ xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd"
+ version="2.4">
+
+ <display-name>Welcome to Tomcat</display-name>
+ <description>
+ Welcome to Tomcat
+ </description>
+
+</web-app>
+
diff --git a/pki/base/ca/shared/webapps/ROOT/index.html b/pki/base/ca/shared/webapps/ROOT/index.html
new file mode 100644
index 000000000..ecfd741c9
--- /dev/null
+++ b/pki/base/ca/shared/webapps/ROOT/index.html
@@ -0,0 +1,22 @@
+<!-- --- BEGIN COPYRIGHT BLOCK ---
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; version 2 of the License.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License along
+ with this program; if not, write to the Free Software Foundation, Inc.,
+ 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+
+ Copyright (C) 2007 Red Hat, Inc.
+ All rights reserved.
+ --- END COPYRIGHT BLOCK --- -->
+<html>
+<head>
+<meta http-equiv="refresh" content="0; URL=https://[PKI_MACHINE_NAME]:[PKI_SECURE_PORT]/ca/services">
+</head>
+</html>
diff --git a/pki/base/ca/shared/webapps/ROOT/index.jsp b/pki/base/ca/shared/webapps/ROOT/index.jsp
new file mode 100644
index 000000000..3e23e05b0
--- /dev/null
+++ b/pki/base/ca/shared/webapps/ROOT/index.jsp
@@ -0,0 +1,9 @@
+<%
+ String op = request.getParameter("op");
+ if (op == null || op.equals("")) {
+ String redirectURL = "/ca/ee/ca";
+ response.sendRedirect(redirectURL);
+ } else if (op.equals("enroll")) {
+ /* redirect to enrollment servlet */
+ }
+%>
diff --git a/pki/base/ca/shared/webapps/ca/WEB-INF/velocity.properties b/pki/base/ca/shared/webapps/ca/WEB-INF/velocity.properties
new file mode 100644
index 000000000..0f4b375f3
--- /dev/null
+++ b/pki/base/ca/shared/webapps/ca/WEB-INF/velocity.properties
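Review bot: The `else if (op.equals("enroll"))` branch in index.jsp is an empty placeholder, so a request carrying `op=enroll`, or any other non-empty `op`, renders a blank page instead of a redirect or an error. If the enrollment redirect is not ready, the simpler and safer shape is to drop the branch and redirect unconditionally, `response.sendRedirect("/ca/ee/ca");`; if the branch is kept, a comment such as `/* TODO: op=enroll not yet wired; currently yields an empty response */` stops the next reader from assuming it works. `op` is only compared, never written to the response, so the page as written does not reflect the parameter.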
@@ -0,0 +1,8 @@
+resource.loader = file
+file.resource.loader.class = org.apache.velocity.runtime.resource.loader.FileResourceLoader
+file.resource.loader.path = [PKI_INSTANCE_PATH]/webapps/[PKI_SUBSYSTEM_TYPE]
+file.resource.loader.cache = true
+file.resource.loader.modificationCheckInterval = 2
+input.encoding=UTF-8
+output.encoding=UTF-8
+runtime.log.logsystem.class=org.apache.velocity.runtime.log.NullLogSystem
diff --git a/pki/base/ca/shared/webapps/ca/WEB-INF/web.xml b/pki/base/ca/shared/webapps/ca/WEB-INF/web.xml
new file mode 100644
index 000000000..add8ff6c4
--- /dev/null
+++ b/pki/base/ca/shared/webapps/ca/WEB-INF/web.xml
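Review bot: `runtime.log.logsystem.class=org.apache.velocity.runtime.log.NullLogSystem` discards all Velocity logging, so template parse failures and resource-loading errors in the setup and admin pages will leave no trace in the instance logs; for operations and incident review that is a blind spot rather than noise reduction. A comment giving the reason, e.g. `# Velocity logging disabled: <reason>`, or routing the log to the servlet container instead, would make the choice deliberate. `file.resource.loader.path` is built from `[PKI_INSTANCE_PATH]` and `[PKI_SUBSYSTEM_TYPE]`, which presumably are substituted at install time; the file does not record what happens if those placeholders are left unreplaced, and a one-line comment naming the substitution step would help.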
@@ -0,0 +1,2557 @@ +<?xml version="1.0" encoding="ISO-8859-1"?> +<!DOCTYPE web-app + PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN" "file:///usr/share/rhpki/setup/web-app_2_3.dtd"> +<web-app> + + <servlet> + <servlet-name>csadmin-wizard</servlet-name> + <servlet-class>com.netscape.cms.servlet.wizard.WizardServlet</servlet-class> + <init-param> + <param-name>properties</param-name> + <param-value>/WEB-INF/velocity.properties</param-value> + </init-param> + <init-param> + <param-name>name</param-name> + <param-value>CA Setup Wizard</param-value> + </init-param> + <init-param> + <param-name>panels</param-name> + <param-value>welcome=com.netscape.cms.servlet.csadmin.WelcomePanel,securitydomain=com.netscape.cms.servlet.csadmin.SecurityDomainPanel,securitydomain=com.netscape.cms.servlet.csadmin.DisplayCertChainPanel,subsystem=com.netscape.cms.servlet.csadmin.CreateSubsystemPanel,clone=com.netscape.cms.servlet.csadmin.DisplayCertChainPanel,restorekeys=com.netscape.cms.servlet.csadmin.RestoreKeyCertPanel,cahierarchy=com.netscape.cms.servlet.csadmin.HierarchyPanel,database=com.netscape.cms.servlet.csadmin.DatabasePanel,module=com.netscape.cms.servlet.csadmin.ModulePanel,confighsmlogin=com.netscape.cms.servlet.csadmin.ConfigHSMLoginPanel,size=com.netscape.cms.servlet.csadmin.SizePanel,subjectname=com.netscape.cms.servlet.csadmin.NamePanel,certrequest=com.netscape.cms.servlet.csadmin.CertRequestPanel,backupkeys=com.netscape.cms.servlet.csadmin.BackupKeyCertPanel,savepk12=com.netscape.cms.servlet.csadmin.SavePKCS12Panel,admin=com.netscape.cms.servlet.csadmin.AdminPanel,importadmincert=com.netscape.cms.servlet.csadmin.ImportAdminCertPanel,done=com.netscape.cms.servlet.csadmin.DonePanel</param-value> + </init-param> + </servlet> + + <servlet> + <servlet-name>csadmin-base</servlet-name> + <servlet-class>com.netscape.cms.servlet.csadmin.BaseServlet</servlet-class> + <init-param> + <param-name>properties</param-name> + 
<param-value>/WEB-INF/velocity.properties</param-value> + </init-param> + </servlet> + + <servlet> + <servlet-name>csadmin-login</servlet-name> + <servlet-class>com.netscape.cms.servlet.csadmin.LoginServlet</servlet-class> + <init-param> + <param-name>properties</param-name> + <param-value>/WEB-INF/velocity.properties</param-value> + </init-param> + </servlet> + + <servlet> + <servlet-name>config-certreq</servlet-name> + <servlet-class>com.netscape.cms.servlet.csadmin.ConfigCertReqServlet</servlet-class> + <init-param> + <param-name>properties</param-name> + <param-value>/WEB-INF/velocity.properties</param-value> + </init-param> + </servlet> + + <servlet> + <servlet-name>config-importcert</servlet-name> + <servlet-class>com.netscape.cms.servlet.csadmin.ConfigImportCertServlet</servlet-class> + <init-param> + <param-name>properties</param-name> + <param-value>/WEB-INF/velocity.properties</param-value> + </init-param> + </servlet> + + <servlet> + <servlet-name>config-db</servlet-name> + <servlet-class>com.netscape.cms.servlet.csadmin.ConfigDatabaseServlet</servlet-class> + <init-param> + <param-name>properties</param-name> + <param-value>/WEB-INF/velocity.properties</param-value> + </init-param> + </servlet> + + <servlet> + <servlet-name>config-hsm</servlet-name> + <servlet-class>com.netscape.cms.servlet.csadmin.ConfigHSMServlet</servlet-class> + <init-param> + <param-name>properties</param-name> + <param-value>/WEB-INF/velocity.properties</param-value> + </init-param> + </servlet> + + <servlet> + <servlet-name>config-rootca</servlet-name> + <servlet-class>com.netscape.cms.servlet.csadmin.ConfigRootCAServlet</servlet-class> + <init-param> + <param-name>properties</param-name> + <param-value>/WEB-INF/velocity.properties</param-value> + </init-param> + </servlet> + + <servlet> + <servlet-name>config-join</servlet-name> + <servlet-class>com.netscape.cms.servlet.csadmin.ConfigJoinServlet</servlet-class> + <init-param> + <param-name>properties</param-name> + 
<param-value>/WEB-INF/velocity.properties</param-value> + </init-param> + </servlet> + + <servlet> + <servlet-name>config-clone</servlet-name> + <servlet-class>com.netscape.cms.servlet.csadmin.ConfigCloneServlet</servlet-class> + <init-param> + <param-name>properties</param-name> + <param-value>/WEB-INF/velocity.properties</param-value> + </init-param> + </servlet> + + <servlet> + <servlet-name>csadmin-welcome</servlet-name> + <servlet-class>com.netscape.cms.servlet.csadmin.WelcomeServlet</servlet-class> + <init-param> + <param-name>properties</param-name> + <param-value>/WEB-INF/velocity.properties</param-value> + </init-param> + </servlet> + + <servlet> + <servlet-name>csadmin-database</servlet-name> + <servlet-class>com.netscape.cms.servlet.csadmin.DatabaseServlet</servlet-class> + <init-param> + <param-name>properties</param-name> + <param-value>/WEB-INF/velocity.properties</param-value> + </init-param> + </servlet> + + <servlet> + <servlet-name>csadmin-admin</servlet-name> + <servlet-class>com.netscape.cms.servlet.csadmin.AdministratorServlet</servlet-class> + <init-param> + <param-name>properties</param-name> + <param-value>/WEB-INF/velocity.properties</param-value> + </init-param> + </servlet> + + <servlet> + <servlet-name>csadmin-module</servlet-name> + <servlet-class>com.netscape.cms.servlet.csadmin.ModuleServlet</servlet-class> + <init-param> + <param-name>properties</param-name> + <param-value>/WEB-INF/velocity.properties</param-value> + </init-param> + </servlet> + + <servlet> + <servlet-name>csadmin-size</servlet-name> + <servlet-class>com.netscape.cms.servlet.csadmin.KeySizeServlet</servlet-class> + <init-param> + <param-name>properties</param-name> + <param-value>/WEB-INF/velocity.properties</param-value> + </init-param> + </servlet> + + <servlet> + <servlet-name>csadmin-name</servlet-name> + <servlet-class>com.netscape.cms.servlet.csadmin.NameServlet</servlet-class> + <init-param> + <param-name>properties</param-name> + 
<param-value>/WEB-INF/velocity.properties</param-value> + </init-param> + </servlet> + + <servlet> + <servlet-name>csadmin-hierarchy</servlet-name> + <servlet-class>com.netscape.cms.servlet.csadmin.HierarchyServlet</servlet-class> + <init-param> + <param-name>properties</param-name> + <param-value>/WEB-INF/velocity.properties</param-value> + </init-param> + </servlet> + + <servlet> + <servlet-name>csadmin-done</servlet-name> + <servlet-class>com.netscape.cms.servlet.csadmin.DoneServlet</servlet-class> + <init-param> + <param-name>properties</param-name> + <param-value>/WEB-INF/velocity.properties</param-value> + </init-param> + </servlet> + + <servlet> + <servlet-name> services </servlet-name> + <servlet-class> com.netscape.cms.servlet.csadmin.MainPageServlet </servlet-class> + <init-param><param-name> GetClientCert </param-name> + <param-value> false </param-value> </init-param> + <init-param><param-name> authorityId </param-name> + <param-value> ca </param-value> </init-param> + <init-param><param-name> ID </param-name> + <param-value> services </param-value> </init-param> + <init-param><param-name> templatePath </param-name> + <param-value> /services.template </param-value> </init-param> + <init-param><param-name> interface </param-name> + <param-value> ee </param-value> </init-param> + </servlet> + + <servlet> + <servlet-name> caacl </servlet-name> + <servlet-class> com.netscape.cms.servlet.admin.ACLAdminServlet </servlet-class> + <init-param><param-name> ID </param-name> + <param-value> caacl </param-value> </init-param> + <init-param><param-name> AuthzMgr </param-name> + <param-value> BasicAclAuthz </param-value> </init-param> + </servlet> + + <servlet> + <servlet-name> caug </servlet-name> + <servlet-class> com.netscape.cms.servlet.admin.UsrGrpAdminServlet </servlet-class> + <init-param><param-name> ID </param-name> + <param-value> caug </param-value> </init-param> + <init-param><param-name> AuthzMgr </param-name> + <param-value> BasicAclAuthz </param-value> 
</init-param> + </servlet> + + <servlet> + <servlet-name> caserver </servlet-name> + <servlet-class> com.netscape.cms.servlet.admin.CMSAdminServlet </servlet-class> + <init-param><param-name> ID </param-name> + <param-value> caserver </param-value> </init-param> + <init-param><param-name> AuthzMgr </param-name> + <param-value> BasicAclAuthz </param-value> </init-param> + </servlet> + + <servlet> + <servlet-name> capolicy </servlet-name> + <servlet-class> com.netscape.cms.servlet.admin.PolicyAdminServlet </servlet-class> + <init-param><param-name> ID </param-name> + <param-value> capolicy </param-value> </init-param> + <init-param><param-name> AuthzMgr </param-name> + <param-value> BasicAclAuthz </param-value> </init-param> + <init-param><param-name> authority </param-name> + <param-value> ca </param-value> </init-param> + </servlet> + + <servlet> + <servlet-name> calog </servlet-name> + <servlet-class> com.netscape.cms.servlet.admin.LogAdminServlet </servlet-class> + <init-param><param-name> ID </param-name> + <param-value> calog </param-value> </init-param> + <init-param><param-name> AuthzMgr </param-name> + <param-value> BasicAclAuthz </param-value> </init-param> + </servlet> + + <servlet> + <servlet-name> caGetAdminCertBySerial </servlet-name> + <servlet-class> com.netscape.cms.servlet.cert.GetBySerial </servlet-class> + <init-param><param-name> GetClientCert </param-name> + <param-value> false </param-value> </init-param> + <init-param><param-name> AuthzMgr </param-name> + <param-value> BasicAclAuthz </param-value> </init-param> + <init-param><param-name> authority </param-name> + <param-value> ca </param-value> </init-param> + <init-param><param-name> ID </param-name> + <param-value> caGetAdminCertBySerial </param-value> </init-param> + <init-param><param-name> resourceID </param-name> + <param-value> certServer.admin.certificate </param-value> </init-param> + </servlet> + + <servlet> + <servlet-name> caUpdateConnector </servlet-name> + <servlet-class> 
com.netscape.cms.servlet.csadmin.UpdateConnector </servlet-class> + <init-param><param-name> GetClientCert </param-name> + <param-value> false </param-value> </init-param> + <init-param><param-name> authority </param-name> + <param-value> ca </param-value> </init-param> + <init-param><param-name> ID </param-name> + <param-value> caUpdateConnector </param-value> </init-param> + <init-param><param-name> AuthMgr </param-name> + <param-value> TokenAuth </param-value> </init-param> + <init-param><param-name> AuthzMgr </param-name> + <param-value> BasicAclAuthz </param-value> </init-param> + <init-param><param-name> resourceID </param-name> + <param-value> certServer.ca.connectorInfo </param-value> </init-param> + </servlet> + + <servlet> + <servlet-name> caRegisterUser </servlet-name> + <servlet-class> com.netscape.cms.servlet.csadmin.RegisterUser </servlet-class> + <init-param><param-name> GetClientCert </param-name> + <param-value> false </param-value> </init-param> + <init-param><param-name> authority </param-name> + <param-value> ca </param-value> </init-param> + <init-param><param-name> ID </param-name> + <param-value> caRegisterUser </param-value> </init-param> + <init-param><param-name> AuthMgr </param-name> + <param-value> TokenAuth </param-value> </init-param> + <init-param><param-name> GroupName </param-name> + <param-value> Certificate Manager Agents </param-value> </init-param> + <init-param><param-name> AuthzMgr </param-name> + <param-value> BasicAclAuthz </param-value> </init-param> + <init-param><param-name> resourceID </param-name> + <param-value> certServer.ca.registerUser </param-value> </init-param> + </servlet> + + <servlet> + <servlet-name> caRegisterRaUser </servlet-name> + <servlet-class> com.netscape.cms.servlet.csadmin.RegisterUser </servlet-class> + <init-param><param-name> GetClientCert </param-name> + <param-value> false </param-value> </init-param> + <init-param><param-name> authority </param-name> + <param-value> ca </param-value> 
</init-param> + <init-param><param-name> ID </param-name> + <param-value> caRegisterRaUser </param-value> </init-param> + <init-param><param-name> AuthMgr </param-name> + <param-value> TokenAuth </param-value> </init-param> + <init-param><param-name> GroupName </param-name> + <param-value> Registration Manager Agents </param-value> </init-param> + <init-param><param-name> AuthzMgr </param-name> + <param-value> BasicAclAuthz </param-value> </init-param> + <init-param><param-name> resourceID </param-name> + <param-value> certServer.ca.registerUser </param-value> </init-param> + </servlet> + + <servlet> + <servlet-name> caGetDomainXML </servlet-name> + <servlet-class> com.netscape.cms.servlet.csadmin.GetDomainXML </servlet-class> + <init-param><param-name> GetClientCert </param-name> + <param-value> false </param-value> </init-param> + <init-param><param-name> authority </param-name> + <param-value> ca </param-value> </init-param> + <init-param><param-name> ID </param-name> + <param-value> caGetDomainXML </param-value> </init-param> + </servlet> + + <servlet> + <servlet-name> caUpdateDomainXML </servlet-name> + <servlet-class> com.netscape.cms.servlet.csadmin.UpdateDomainXML </servlet-class> + <init-param><param-name> GetClientCert </param-name> + <param-value> true </param-value> </init-param> + <init-param><param-name> authority </param-name> + <param-value> ca </param-value> </init-param> + <init-param><param-name> ID </param-name> + <param-value> caUpdateDomainXML </param-value> </init-param> + <init-param><param-name> interface </param-name> + <param-value> agent </param-value> </init-param> + <init-param><param-name> AuthMgr </param-name> + <param-value> certUserDBAuthMgr </param-value> </init-param> + <init-param><param-name> AuthzMgr </param-name> + <param-value> BasicAclAuthz </param-value> </init-param> + <init-param><param-name> resourceID </param-name> + <param-value> certServer.securitydomain.domainxml </param-value> </init-param> + </servlet> + + 
<servlet> + <servlet-name> caUpdateNumberRange </servlet-name> + <servlet-class> com.netscape.cms.servlet.csadmin.UpdateNumberRange </servlet-class> + <init-param><param-name> GetClientCert </param-name> + <param-value> false </param-value> </init-param> + <init-param><param-name> authority </param-name> + <param-value> ca </param-value> </init-param> + <init-param><param-name> ID </param-name> + <param-value> caUpdateNumberRange </param-value> </init-param> + <init-param><param-name> interface </param-name> + <param-value> ee </param-value> </init-param> + <init-param><param-name> AuthMgr </param-name> + <param-value> TokenAuth </param-value> </init-param> + <init-param><param-name> AuthzMgr </param-name> + <param-value> BasicAclAuthz </param-value> </init-param> + <init-param><param-name> resourceID </param-name> + <param-value> certServer.clone.configuration </param-value> </init-param> + </servlet> + + <servlet> + <servlet-name> caUpdateOCSPConfig </servlet-name> + <servlet-class> com.netscape.cms.servlet.csadmin.UpdateOCSPConfig </servlet-class> + <init-param><param-name> GetClientCert </param-name> + <param-value> false </param-value> </init-param> + <init-param><param-name> authority </param-name> + <param-value> ca </param-value> </init-param> + <init-param><param-name> ID </param-name> + <param-value> caUpdateOCSPConfig </param-value> </init-param> + <init-param><param-name> interface </param-name> + <param-value> ee </param-value> </init-param> + <init-param><param-name> AuthMgr </param-name> + <param-value> TokenAuth </param-value> </init-param> + <init-param><param-name> AuthzMgr </param-name> + <param-value> BasicAclAuthz </param-value> </init-param> + <init-param><param-name> resourceID </param-name> + <param-value> certServer.admin.ocsp </param-value> </init-param> + </servlet> + + <servlet> + <servlet-name> caDownloadPKCS12 </servlet-name> + <servlet-class> com.netscape.cms.servlet.csadmin.DownloadPKCS12 </servlet-class> + <init-param><param-name> 
GetClientCert </param-name> + <param-value> false </param-value> </init-param> + <init-param><param-name> authority </param-name> + <param-value> ca </param-value> </init-param> + <init-param><param-name> ID </param-name> + <param-value> caDownloadPKCS12 </param-value> </init-param> + <init-param><param-name> interface </param-name> + <param-value> ee </param-value> </init-param> + <init-param><param-name> AuthMgr </param-name> + <param-value> TokenAuth </param-value> </init-param> + <init-param><param-name> AuthzMgr </param-name> + <param-value> BasicAclAuthz </param-value> </init-param> + <init-param><param-name> resourceID </param-name> + <param-value> certServer.clone.configuration </param-value> </init-param> + </servlet> + + <servlet> + <servlet-name> caGetCertChain </servlet-name> + <servlet-class> com.netscape.cms.servlet.csadmin.GetCertChain </servlet-class> + <init-param><param-name> GetClientCert </param-name> + <param-value> false </param-value> </init-param> + <init-param><param-name> authority </param-name> + <param-value> ca </param-value> </init-param> + <init-param><param-name> ID </param-name> + <param-value> caGetCertChain </param-value> </init-param> + </servlet> + + <servlet> + <servlet-name> caGetStatus </servlet-name> + <servlet-class> com.netscape.cms.servlet.csadmin.GetStatus </servlet-class> + <init-param><param-name> GetClientCert </param-name> + <param-value> false </param-value> </init-param> + <init-param><param-name> authority </param-name> + <param-value> ca </param-value> </init-param> + <init-param><param-name> ID </param-name> + <param-value> caGetStatus </param-value> </init-param> + </servlet> + + <servlet> + <servlet-name> caCheckIdentity </servlet-name> + <servlet-class> com.netscape.cms.servlet.csadmin.CheckIdentity </servlet-class> + <init-param><param-name> GetClientCert </param-name> + <param-value> false </param-value> </init-param> + <init-param><param-name> authority </param-name> + <param-value> ca </param-value> 
</init-param> + <init-param><param-name> ID </param-name> + <param-value> caCheckIdentity </param-value> </init-param> + <init-param><param-name> AuthMgr </param-name> + <param-value> passwdUserDBAuthMgr </param-value> </init-param> + </servlet> + + <servlet> + <servlet-name> caGetConfigEntries </servlet-name> + <servlet-class> com.netscape.cms.servlet.csadmin.GetConfigEntries </servlet-class> + <init-param><param-name> GetClientCert </param-name> + <param-value> false </param-value> </init-param> + <init-param><param-name> authority </param-name> + <param-value> ca </param-value> </init-param> + <init-param><param-name> ID </param-name> + <param-value> caGetConfigEntries </param-value> </init-param> + <init-param><param-name> AuthzMgr </param-name> + <param-value> BasicAclAuthz </param-value> </init-param> + <init-param><param-name> AuthMgr </param-name> + <param-value> TokenAuth </param-value> </init-param> + <init-param><param-name> resourceID </param-name> + <param-value> certServer.clone.configuration </param-value> </init-param> + </servlet> + + <servlet> + <servlet-name> caca </servlet-name> + <servlet-class> com.netscape.cms.servlet.admin.CAAdminServlet </servlet-class> + <init-param><param-name> ID </param-name> + <param-value> caca </param-value> </init-param> + <init-param><param-name> AuthzMgr </param-name> + <param-value> BasicAclAuthz </param-value> </init-param> + </servlet> + + <servlet> + <servlet-name> caregistry </servlet-name> + <servlet-class> com.netscape.cms.servlet.admin.RegistryAdminServlet </servlet-class> + <init-param><param-name> ID </param-name> + <param-value> caregistry </param-value> </init-param> + <init-param><param-name> AuthzMgr </param-name> + <param-value> BasicAclAuthz </param-value> </init-param> + <init-param><param-name> authority </param-name> + <param-value> ca </param-value> </init-param> + </servlet> + + <servlet> + <servlet-name> caauths </servlet-name> + <servlet-class> com.netscape.cms.servlet.admin.AuthAdminServlet 
</servlet-class> + <init-param><param-name> ID </param-name> + <param-value> caauths </param-value> </init-param> + <init-param><param-name> AuthzMgr </param-name> + <param-value> BasicAclAuthz </param-value> </init-param> + </servlet> + + <servlet> + <servlet-name> castart </servlet-name> + <servlet-class> com.netscape.cms.servlet.base.CMSStartServlet </servlet-class> + <init-param><param-name> AuthzMgr </param-name> + <param-value> BasicAclAuthz </param-value> </init-param> + <init-param><param-name> cfgPath </param-name> + <param-value> [PKI_INSTANCE_PATH]/conf/CS.cfg </param-value> </init-param> + <init-param><param-name> ID </param-name> + <param-value> castart </param-value> </init-param> + <load-on-startup> 1 </load-on-startup> + </servlet> + + <servlet> + <servlet-name> caocsp </servlet-name> + <servlet-class> com.netscape.cms.servlet.admin.OCSPAdminServlet </servlet-class> + <init-param><param-name> ID </param-name> + <param-value> caocsp </param-value> </init-param> + <init-param><param-name> AuthzMgr </param-name> + <param-value> BasicAclAuthz </param-value> </init-param> + </servlet> + + <servlet> + <servlet-name> caprofile </servlet-name> + <servlet-class> com.netscape.cms.servlet.admin.ProfileAdminServlet </servlet-class> + <init-param><param-name> ID </param-name> + <param-value> caprofile </param-value> </init-param> + <init-param><param-name> AuthzMgr </param-name> + <param-value> BasicAclAuthz </param-value> </init-param> + <init-param><param-name> authority </param-name> + <param-value> ca </param-value> </init-param> + </servlet> + + <servlet> + <servlet-name> cajobsScheduler </servlet-name> + <servlet-class> com.netscape.cms.servlet.admin.JobsAdminServlet </servlet-class> + <init-param><param-name> ID </param-name> + <param-value> cajobsScheduler </param-value> </init-param> + <init-param><param-name> AuthzMgr </param-name> + <param-value> BasicAclAuthz </param-value> </init-param> + </servlet> + + <servlet> + <servlet-name> caadminEnroll 
</servlet-name> + <servlet-class> com.netscape.cms.servlet.cert.EnrollServlet </servlet-class> + <init-param><param-name> GetClientCert </param-name> + <param-value> false </param-value> </init-param> + <init-param><param-name> successTemplate </param-name> + <param-value> /admin/ca/EnrollSuccess.template </param-value> </init-param> + <init-param><param-name> AuthzMgr </param-name> + <param-value> BasicAclAuthz </param-value> </init-param> + <init-param><param-name> authority </param-name> + <param-value> ca </param-value> </init-param> + <init-param><param-name> interface </param-name> + <param-value> admin </param-value> </init-param> + <init-param><param-name> ID </param-name> + <param-value> caadminEnroll </param-value> </init-param> + <init-param><param-name> resourceID </param-name> + <param-value> certServer.admin.request.enrollment </param-value> </init-param> + <init-param><param-name> AuthMgr </param-name> + <param-value> passwdUserDBAuthMgr </param-value> </init-param> + </servlet> + + <servlet> + <servlet-name> capublisher </servlet-name> + <servlet-class> com.netscape.cms.servlet.admin.PublisherAdminServlet </servlet-class> + <init-param><param-name> ID </param-name> + <param-value> capublisher </param-value> </init-param> + <init-param><param-name> AuthzMgr </param-name> + <param-value> BasicAclAuthz </param-value> </init-param> + <init-param><param-name> authority </param-name> + <param-value> ca </param-value> </init-param> + </servlet> + + <servlet> + <servlet-name> caGetOCSPInfo </servlet-name> + <servlet-class> com.netscape.cms.servlet.ocsp.GetOCSPInfo </servlet-class> + <init-param><param-name> GetClientCert </param-name> + <param-value> true </param-value> </init-param> + <init-param><param-name> AuthzMgr </param-name> + <param-value> BasicAclAuthz </param-value> </init-param> + <init-param><param-name> interface </param-name> + <param-value> agent </param-value> </init-param> + <init-param><param-name> authority </param-name> + <param-value> 
ca </param-value> </init-param> + <init-param><param-name> templatePath </param-name> + <param-value> /agent/ca/getOCSPInfo.template </param-value> </init-param> + <init-param><param-name> ID </param-name> + <param-value> caGetOCSPInfo </param-value> </init-param> + <init-param><param-name> resourceID </param-name> + <param-value> certServer.ca.ocsp </param-value> </init-param> + <init-param><param-name> AuthMgr </param-name> + <param-value> certUserDBAuthMgr </param-value> </init-param> + </servlet> + + <servlet> + <servlet-name> caUpdateDir </servlet-name> + <servlet-class> com.netscape.cms.servlet.cert.UpdateDir </servlet-class> + <init-param><param-name> GetClientCert </param-name> + <param-value> true </param-value> </init-param> + <init-param><param-name> AuthzMgr </param-name> + <param-value> BasicAclAuthz </param-value> </init-param> + <init-param><param-name> authority </param-name> + <param-value> ca </param-value> </init-param> + <init-param><param-name> templatePath </param-name> + <param-value> /agent/ca/updateDir.template </param-value> </init-param> + <init-param><param-name> interface </param-name> + <param-value> agent </param-value> </init-param> + <init-param><param-name> ID </param-name> + <param-value> caUpdateDir </param-value> </init-param> + <init-param><param-name> AuthMgr </param-name> + <param-value> certUserDBAuthMgr </param-value> </init-param> + <init-param><param-name> resourceID </param-name> + <param-value> certServer.ca.directory </param-value> </init-param> + </servlet> + + <servlet> + <servlet-name> caGetCertFromRequest-agent </servlet-name> + <servlet-class> com.netscape.cms.servlet.cert.GetCertFromRequest </servlet-class> + <init-param><param-name> GetClientCert </param-name> + <param-value> true </param-value> </init-param> + <init-param><param-name> AuthzMgr </param-name> + <param-value> BasicAclAuthz </param-value> </init-param> + <init-param><param-name> authority </param-name> + <param-value> ca </param-value> 
</init-param> + <init-param><param-name> interface </param-name> + <param-value> agent </param-value> </init-param> + <init-param><param-name> ID </param-name> + <param-value> caGetCertFromRequest </param-value> </init-param> + <init-param><param-name> resourceID </param-name> + <param-value> certServer.ca.certificate </param-value> </init-param> + <init-param><param-name> AuthMgr </param-name> + <param-value> certUserDBAuthMgr </param-value> </init-param> + <init-param><param-name> importCert </param-name> + <param-value> true </param-value> </init-param> + </servlet> + + <servlet> + <servlet-name> caGetBySerial-agent </servlet-name> + <servlet-class> com.netscape.cms.servlet.cert.GetBySerial </servlet-class> + <init-param><param-name> GetClientCert </param-name> + <param-value> true </param-value> </init-param> + <init-param><param-name> successTemplate </param-name> + <param-value> /ca/ImportCert.template </param-value> </init-param> + <init-param><param-name> AuthzMgr </param-name> + <param-value> BasicAclAuthz </param-value> </init-param> + <init-param><param-name> authority </param-name> + <param-value> ca </param-value> </init-param> + <init-param><param-name> interface </param-name> + <param-value> agent </param-value> </init-param> + <init-param><param-name> ID </param-name> + <param-value> caGetBySerial </param-value> </init-param> + <init-param><param-name> AuthMgr </param-name> + <param-value> certUserDBAuthMgr </param-value> </init-param> + <init-param><param-name> resourceID </param-name> + <param-value> certServer.ca.certificate </param-value> </init-param> + </servlet> + + <servlet> + <servlet-name> caProfileSelect-agent </servlet-name> + <servlet-class> com.netscape.cms.servlet.profile.ProfileSelectServlet </servlet-class> + <init-param><param-name> GetClientCert </param-name> + <param-value> true </param-value> </init-param> + <init-param><param-name> AuthzMgr </param-name> + <param-value> BasicAclAuthz </param-value> </init-param> + 
<init-param><param-name> authorityId </param-name> + <param-value> ca </param-value> </init-param> + <init-param><param-name> interface </param-name> + <param-value> agent </param-value> </init-param> + <init-param><param-name> ID </param-name> + <param-value> caProfileSelect </param-value> </init-param> + <init-param><param-name> unauthorizedTemplate </param-name> + <param-value> /GenUnauthorized.template </param-value> </init-param> + <init-param><param-name> templatePath </param-name> + <param-value> /agent/ca/ProfileSelect.template </param-value> </init-param> + <init-param><param-name> AuthMgr </param-name> + <param-value> certUserDBAuthMgr </param-value> </init-param> + <init-param><param-name> resourceID </param-name> + <param-value> certServer.ca.profile </param-value> </init-param> + </servlet> + + <servlet> + <servlet-name> caindex </servlet-name> + <servlet-class> com.netscape.cms.servlet.base.IndexServlet </servlet-class> + <init-param><param-name> ID </param-name> + <param-value> caindex </param-value> </init-param> + <init-param><param-name> template </param-name> + <param-value> index.template </param-value> </init-param> + <init-param><param-name> GetClientCert </param-name> + <param-value> true </param-value> </init-param> + <init-param><param-name> AuthMgr </param-name> + <param-value> certUserDBAuthMgr </param-value> </init-param> + <init-param><param-name> interface </param-name> + <param-value> agent </param-value> </init-param> + </servlet> + + <servlet> + <servlet-name> caStats </servlet-name> + <servlet-class> com.netscape.cms.servlet.base.GetStats </servlet-class> + <init-param><param-name> GetClientCert </param-name> + <param-value> true </param-value> </init-param> + <init-param><param-name> AuthzMgr </param-name> + <param-value> BasicAclAuthz </param-value> </init-param> + <init-param><param-name> authority </param-name> + <param-value> ca </param-value> </init-param> + <init-param><param-name> templatePath </param-name> + <param-value> 
/agent/ca/getStats.template </param-value> </init-param> + <init-param><param-name> ID </param-name> + <param-value> stats </param-value> </init-param> + <init-param><param-name> resourceID </param-name> + <param-value> certServer.ca.systemstatus </param-value> </init-param> + <init-param><param-name> AuthMgr </param-name> + <param-value> certUserDBAuthMgr </param-value> </init-param> + </servlet> + + <servlet> + <servlet-name> caMonitor </servlet-name> + <servlet-class> com.netscape.cms.servlet.cert.Monitor </servlet-class> + <init-param><param-name> GetClientCert </param-name> + <param-value> true </param-value> </init-param> + <init-param><param-name> AuthzMgr </param-name> + <param-value> BasicAclAuthz </param-value> </init-param> + <init-param><param-name> authority </param-name> + <param-value> ca </param-value> </init-param> + <init-param><param-name> interface </param-name> + <param-value> agent </param-value> </init-param> + <init-param><param-name> ID </param-name> + <param-value> caMonitor </param-value> </init-param> + <init-param><param-name> resourceID </param-name> + <param-value> certServer.ca.systemstatus </param-value> </init-param> + <init-param><param-name> AuthMgr </param-name> + <param-value> certUserDBAuthMgr </param-value> </init-param> + </servlet> + + <servlet> + <servlet-name> caReasonToRevoke </servlet-name> + <servlet-class> com.netscape.cms.servlet.cert.ReasonToRevoke </servlet-class> + <init-param><param-name> GetClientCert </param-name> + <param-value> true </param-value> </init-param> + <init-param><param-name> AuthzMgr </param-name> + <param-value> BasicAclAuthz </param-value> </init-param> + <init-param><param-name> authority </param-name> + <param-value> ca </param-value> </init-param> + <init-param><param-name> templatePath </param-name> + <param-value> /agent/ca/reasonToRevoke.template </param-value> </init-param> + <init-param><param-name> interface </param-name> + <param-value> agent </param-value> </init-param> + 
<init-param><param-name> ID </param-name> + <param-value> caReasonToRevoke </param-value> </init-param> + <init-param><param-name> AuthMgr </param-name> + <param-value> certUserDBAuthMgr </param-value> </init-param> + <init-param><param-name> resourceID </param-name> + <param-value> certServer.ca.certificates </param-value> </init-param> + </servlet> + + <servlet> + <servlet-name> caListRequests </servlet-name> + <servlet-class> com.netscape.cms.servlet.base.DisplayHtmlServlet </servlet-class> + <init-param><param-name> GetClientCert </param-name> + <param-value> true </param-value> </init-param> + <init-param><param-name> htmlPath </param-name> + <param-value> /agent/ca/ListRequests.html </param-value> </init-param> + <init-param><param-name> authority </param-name> + <param-value> ca </param-value> </init-param> + <init-param><param-name> interface </param-name> + <param-value> agent </param-value> </init-param> + <init-param><param-name> ID </param-name> + <param-value> caListRequests </param-value> </init-param> + <init-param><param-name> unauthorizedTemplate </param-name> + <param-value> /agent/ca/GenUnauthorized.template </param-value> </init-param> + <init-param><param-name> AuthMgr </param-name> + <param-value> certUserDBAuthMgr </param-value> </init-param> + </servlet> + + <servlet> + <servlet-name> casearchReqs </servlet-name> + <servlet-class> com.netscape.cms.servlet.request.SearchReqs </servlet-class> + <init-param><param-name> GetClientCert </param-name> + <param-value> true </param-value> </init-param> + <init-param><param-name> parser </param-name> + <param-value> CertReqParser.NODETAIL_PARSER </param-value> </init-param> + <init-param><param-name> AuthzMgr </param-name> + <param-value> BasicAclAuthz </param-value> </init-param> + <init-param><param-name> authority </param-name> + <param-value> ca </param-value> </init-param> + <init-param><param-name> templatePath </param-name> + <param-value> /agent/ca/queryReq.template </param-value> 
</init-param> + <init-param><param-name> interface </param-name> + <param-value> agent </param-value> </init-param> + <init-param><param-name> ID </param-name> + <param-value> casearchReqs </param-value> </init-param> + <init-param><param-name> resourceID </param-name> + <param-value> certServer.ca.requests </param-value> </init-param> + <init-param><param-name> AuthMgr </param-name> + <param-value> certUserDBAuthMgr </param-value> </init-param> + </servlet> + + <servlet> + <servlet-name> caProfileApprove </servlet-name> + <servlet-class> com.netscape.cms.servlet.profile.ProfileApproveServlet </servlet-class> + <init-param><param-name> GetClientCert </param-name> + <param-value> true </param-value> </init-param> + <init-param><param-name> AuthzMgr </param-name> + <param-value> BasicAclAuthz </param-value> </init-param> + <init-param><param-name> authorityId </param-name> + <param-value> ca </param-value> </init-param> + <init-param><param-name> interface </param-name> + <param-value> agent </param-value> </init-param> + <init-param><param-name> ID </param-name> + <param-value> caProfileApprove </param-value> </init-param> + <init-param><param-name> unauthorizedTemplate </param-name> + <param-value> /agent/GenUnauthorized.template </param-value> </init-param> + <init-param><param-name> templatePath </param-name> + <param-value> /agent/ca/ProfileApprove.template </param-value> </init-param> + <init-param><param-name> AuthMgr </param-name> + <param-value> certUserDBAuthMgr </param-value> </init-param> + <init-param><param-name> resourceID </param-name> + <param-value> certServer.ca.profile </param-value> </init-param> + </servlet> + + <servlet> + <servlet-name> caUpdateDirectory </servlet-name> + <servlet-class> com.netscape.cms.servlet.base.DisplayHtmlServlet </servlet-class> + <init-param><param-name> GetClientCert </param-name> + <param-value> true </param-value> </init-param> + <init-param><param-name> htmlPath </param-name> + <param-value> 
/agent/ca/UpdateDir.html </param-value> </init-param> + <init-param><param-name> authority </param-name> + <param-value> ca </param-value> </init-param> + <init-param><param-name> ID </param-name> + <param-value> caUpdateDirectory </param-value> </init-param> + <init-param><param-name> unauthorizedTemplate </param-name> + <param-value> /agent/GenUnauthorized.template </param-value> </init-param> + <init-param><param-name> interface </param-name> + <param-value> agent </param-value> </init-param> + <init-param><param-name> AuthMgr </param-name> + <param-value> certUserDBAuthMgr </param-value> </init-param> + </servlet> + + <servlet> + <servlet-name> caProfileReview </servlet-name> + <servlet-class> com.netscape.cms.servlet.profile.ProfileReviewServlet </servlet-class> + <init-param><param-name> GetClientCert </param-name> + <param-value> true </param-value> </init-param> + <init-param><param-name> AuthzMgr </param-name> + <param-value> BasicAclAuthz </param-value> </init-param> + <init-param><param-name> authorityId </param-name> + <param-value> ca </param-value> </init-param> + <init-param><param-name> interface </param-name> + <param-value> agent </param-value> </init-param> + <init-param><param-name> ID </param-name> + <param-value> caProfileReview </param-value> </init-param> + <init-param><param-name> unauthorizedTemplate </param-name> + <param-value> /agent/GenUnauthorized.template </param-value> </init-param> + <init-param><param-name> templatePath </param-name> + <param-value> /agent/ca/ProfileReview.template </param-value> </init-param> + <init-param><param-name> AuthMgr </param-name> + <param-value> certUserDBAuthMgr </param-value> </init-param> + <init-param><param-name> resourceID </param-name> + <param-value> certServer.ca.request.profile </param-value> </init-param> + </servlet> + + <servlet> + <servlet-name> caConnector </servlet-name> + <servlet-class> com.netscape.cms.servlet.connector.ConnectorServlet </servlet-class> + <init-param><param-name> 
GetClientCert </param-name> + <param-value> true </param-value> </init-param> + <init-param><param-name> AuthzMgr </param-name> + <param-value> BasicAclAuthz </param-value> </init-param> + <init-param><param-name> authority </param-name> + <param-value> ca </param-value> </init-param> + <init-param><param-name> ID </param-name> + <param-value> caConnector </param-value> </init-param> + <init-param><param-name> RequestEncoder </param-name> + <param-value> com.netscape.cmscore.connector.HttpRequestEncoder </param-value> </init-param> + <init-param><param-name> resourceID </param-name> + <param-value> certServer.ca.connector </param-value> </init-param> + <init-param><param-name> interface </param-name> + <param-value> agent </param-value> </init-param> + <init-param><param-name> AuthMgr </param-name> + <param-value> certUserDBAuthMgr </param-value> </init-param> + </servlet> + + <servlet> + <servlet-name> caSrchCerts-agent </servlet-name> + <servlet-class> com.netscape.cms.servlet.cert.SrchCerts </servlet-class> + <init-param><param-name> GetClientCert </param-name> + <param-value> true </param-value> </init-param> + <init-param><param-name> AuthzMgr </param-name> + <param-value> BasicAclAuthz </param-value> </init-param> + <init-param><param-name> authority </param-name> + <param-value> ca </param-value> </init-param> + <init-param><param-name> templatePath </param-name> + <param-value> /agent/ca/srchCert.template </param-value> </init-param> + <init-param><param-name> interface </param-name> + <param-value> agent </param-value> </init-param> + <init-param><param-name> ID </param-name> + <param-value> caSrchCerts </param-value> </init-param> + <init-param><param-name> AuthMgr </param-name> + <param-value> certUserDBAuthMgr </param-value> </init-param> + <init-param><param-name> resourceID </param-name> + <param-value> certServer.ca.certificates </param-value> </init-param> + </servlet> + + <servlet> + <servlet-name> caheader </servlet-name> + <servlet-class> 
com.netscape.cms.servlet.base.IndexServlet </servlet-class> + <init-param><param-name> ID </param-name> + <param-value> caheader </param-value> </init-param> + <init-param><param-name> GetClientCert </param-name> + <param-value> true </param-value> </init-param> + <init-param><param-name> AuthMgr </param-name> + <param-value> certUserDBAuthMgr </param-value> </init-param> + <init-param><param-name> template </param-name> + <param-value> /agent/header.template </param-value> </init-param> + <init-param><param-name> interface </param-name> + <param-value> agent </param-value> </init-param> + </servlet> + + + <servlet> + <servlet-name> caDisplayCertFromRequest-agent </servlet-name> + <servlet-class> com.netscape.cms.servlet.cert.GetCertFromRequest </servlet-class> + <init-param><param-name> GetClientCert </param-name> + <param-value> true </param-value> </init-param> + <init-param><param-name> AuthzMgr </param-name> + <param-value> BasicAclAuthz </param-value> </init-param> + <init-param><param-name> authority </param-name> + <param-value> ca </param-value> </init-param> + <init-param><param-name> interface </param-name> + <param-value> agent </param-value> </init-param> + <init-param><param-name> ID </param-name> + <param-value> caDisplayCertFromRequest </param-value> </init-param> + <init-param><param-name> resourceID </param-name> + <param-value> certServer.ca.certificate </param-value> </init-param> + <init-param><param-name> AuthMgr </param-name> + <param-value> certUserDBAuthMgr </param-value> </init-param> + <init-param><param-name> importCert </param-name> + <param-value> false </param-value> </init-param> + </servlet> + + <servlet> + <servlet-name> caListCerts-agent </servlet-name> + <servlet-class> com.netscape.cms.servlet.cert.ListCerts </servlet-class> + <init-param><param-name> GetClientCert </param-name> + <param-value> true </param-value> </init-param> + <init-param><param-name> AuthzMgr </param-name> + <param-value> BasicAclAuthz </param-value> 
</init-param> + <init-param><param-name> authority </param-name> + <param-value> ca </param-value> </init-param> + <init-param><param-name> templatePath </param-name> + <param-value> /agent/ca/queryCert.template </param-value> </init-param> + <init-param><param-name> interface </param-name> + <param-value> agent </param-value> </init-param> + <init-param><param-name> ID </param-name> + <param-value> caListCerts </param-value> </init-param> + <init-param><param-name> AuthMgr </param-name> + <param-value> certUserDBAuthMgr </param-value> </init-param> + <init-param><param-name> resourceID </param-name> + <param-value> certServer.ca.certificates </param-value> </init-param> + </servlet> + + <servlet> + <servlet-name> caqueryReq </servlet-name> + <servlet-class> com.netscape.cms.servlet.request.QueryReq </servlet-class> + <init-param><param-name> GetClientCert </param-name> + <param-value> true </param-value> </init-param> + <init-param><param-name> parser </param-name> + <param-value> CertReqParser.NODETAIL_PARSER </param-value> </init-param> + <init-param><param-name> AuthzMgr </param-name> + <param-value> BasicAclAuthz </param-value> </init-param> + <init-param><param-name> authority </param-name> + <param-value> ca </param-value> </init-param> + <init-param><param-name> templatePath </param-name> + <param-value> /agent/ca/queryReq.template </param-value> </init-param> + <init-param><param-name> interface </param-name> + <param-value> agent </param-value> </init-param> + <init-param><param-name> ID </param-name> + <param-value> caqueryReq </param-value> </init-param> + <init-param><param-name> resourceID </param-name> + <param-value> certServer.ca.requests </param-value> </init-param> + <init-param><param-name> AuthMgr </param-name> + <param-value> certUserDBAuthMgr </param-value> </init-param> + </servlet> + + <servlet> + <servlet-name> caProcessReq </servlet-name> + <servlet-class> com.netscape.cms.servlet.request.ProcessReq </servlet-class> + 
<init-param><param-name> GetClientCert </param-name> + <param-value> true </param-value> </init-param> + <init-param><param-name> parser </param-name> + <param-value> CertReqParser.DETAIL_PARSER </param-value> </init-param> + <init-param><param-name> AuthzMgr </param-name> + <param-value> BasicAclAuthz </param-value> </init-param> + <init-param><param-name> authority </param-name> + <param-value> ca </param-value> </init-param> + <init-param><param-name> interface </param-name> + <param-value> agent </param-value> </init-param> + <init-param><param-name> ID </param-name> + <param-value> caProcessReq </param-value> </init-param> + <init-param><param-name> templatePath </param-name> + <param-value> /agent/ca/processReq.template </param-value> </init-param> + <init-param><param-name> resourceID </param-name> + <param-value> certServer.ca.request.enrollment </param-value> </init-param> + <init-param><param-name> AuthMgr </param-name> + <param-value> certUserDBAuthMgr </param-value> </init-param> + </servlet> + + <servlet> + <servlet-name> caports </servlet-name> + <servlet-class> com.netscape.cms.servlet.base.PortsServlet </servlet-class> + <init-param><param-name> ID </param-name> + <param-value> caports </param-value> </init-param> + <init-param><param-name> GetClientCert </param-name> + <param-value> false </param-value> </init-param> + <init-param><param-name> interface </param-name> + <param-value> ee </param-value> </init-param> + </servlet> + + <servlet> + <servlet-name> caSrchCert </servlet-name> + <servlet-class> com.netscape.cms.servlet.base.DisplayHtmlServlet </servlet-class> + <init-param><param-name> GetClientCert </param-name> + <param-value> true </param-value> </init-param> + <init-param><param-name> htmlPath </param-name> + <param-value> /agent/ca/SrchCert.html </param-value> </init-param> + <init-param><param-name> authority </param-name> + <param-value> ca </param-value> </init-param> + <init-param><param-name> interface </param-name> + <param-value> 
agent </param-value> </init-param> + <init-param><param-name> ID </param-name> + <param-value> caSrchCert </param-value> </init-param> + <init-param><param-name> unauthorizedTemplate </param-name> + <param-value> /agent/GenUnauthorized.template </param-value> </init-param> + <init-param><param-name> AuthMgr </param-name> + <param-value> certUserDBAuthMgr </param-value> </init-param> + </servlet> + + <servlet> + <servlet-name> caProfileList-agent </servlet-name> + <servlet-class> com.netscape.cms.servlet.profile.ProfileListServlet </servlet-class> + <init-param><param-name> GetClientCert </param-name> + <param-value> true </param-value> </init-param> + <init-param><param-name> AuthzMgr </param-name> + <param-value> BasicAclAuthz </param-value> </init-param> + <init-param><param-name> authorityId </param-name> + <param-value> ca </param-value> </init-param> + <init-param><param-name> interface </param-name> + <param-value> agent </param-value> </init-param> + <init-param><param-name> ID </param-name> + <param-value> caProfileList </param-value> </init-param> + <init-param><param-name> unauthorizedTemplate </param-name> + <param-value> /agent/GenUnauthorized.template </param-value> </init-param> + <init-param><param-name> templatePath </param-name> + <param-value> /agent/ca/ProfileList.template </param-value> </init-param> + <init-param><param-name> AuthMgr </param-name> + <param-value> certUserDBAuthMgr </param-value> </init-param> + <init-param><param-name> resourceID </param-name> + <param-value> certServer.ca.profiles </param-value> </init-param> + </servlet> + + <servlet> + <servlet-name> caDisplayBySerial-agent </servlet-name> + <servlet-class> com.netscape.cms.servlet.cert.DisplayBySerial </servlet-class> + <init-param><param-name> GetClientCert </param-name> + <param-value> true </param-value> </init-param> + <init-param><param-name> AuthzMgr </param-name> + <param-value> BasicAclAuthz </param-value> </init-param> + <init-param><param-name> authority 
</param-name> + <param-value> ca </param-value> </init-param> + <init-param><param-name> templatePath </param-name> + <param-value> /agent/ca/displayBySerial.template </param-value> </init-param> + <init-param><param-name> interface </param-name> + <param-value> agent </param-value> </init-param> + <init-param><param-name> ID </param-name> + <param-value> caDisplayBySerial </param-value> </init-param> + <init-param><param-name> AuthMgr </param-name> + <param-value> certUserDBAuthMgr </param-value> </init-param> + <init-param><param-name> resourceID </param-name> + <param-value> certServer.ca.certificate </param-value> </init-param> + </servlet> + + <servlet> + <servlet-name> caSrchRevokeCert </servlet-name> + <servlet-class> com.netscape.cms.servlet.base.DisplayHtmlServlet </servlet-class> + <init-param><param-name> GetClientCert </param-name> + <param-value> true </param-value> </init-param> + <init-param><param-name> htmlPath </param-name> + <param-value> /agent/ca/SrchRevokeCert.html </param-value> </init-param> + <init-param><param-name> authority </param-name> + <param-value> ca </param-value> </init-param> + <init-param><param-name> interface </param-name> + <param-value> agent </param-value> </init-param> + <init-param><param-name> ID </param-name> + <param-value> caSrchRevokeCert </param-value> </init-param> + <init-param><param-name> unauthorizedTemplate </param-name> + <param-value> /agent/GenUnauthorized.template </param-value> </init-param> + <init-param><param-name> AuthMgr </param-name> + <param-value> certUserDBAuthMgr </param-value> </init-param> + </servlet> + + <servlet> + <servlet-name> caDoUnrevoke </servlet-name> + <servlet-class> com.netscape.cms.servlet.cert.DoUnrevoke </servlet-class> + <init-param><param-name> GetClientCert </param-name> + <param-value> true </param-value> </init-param> + <init-param><param-name> AuthzMgr </param-name> + <param-value> BasicAclAuthz </param-value> </init-param> + <init-param><param-name> authority 
</param-name> + <param-value> ca </param-value> </init-param> + <init-param><param-name> templatePath </param-name> + <param-value> /agent/ca/unrevocationResult.template </param-value> </init-param> + <init-param><param-name> interface </param-name> + <param-value> agent </param-value> </init-param> + <init-param><param-name> ID </param-name> + <param-value> caDoUnrevoke </param-value> </init-param> + <init-param><param-name> AuthMgr </param-name> + <param-value> certUserDBAuthMgr </param-value> </init-param> + <init-param><param-name> resourceID </param-name> + <param-value> certServer.ca.certificate </param-value> </init-param> + </servlet> + + <servlet> + <servlet-name> caDoRevoke-agent </servlet-name> + <servlet-class> com.netscape.cms.servlet.cert.DoRevoke </servlet-class> + <init-param><param-name> GetClientCert </param-name> + <param-value> true </param-value> </init-param> + <init-param><param-name> AuthzMgr </param-name> + <param-value> BasicAclAuthz </param-value> </init-param> + <init-param><param-name> authority </param-name> + <param-value> ca </param-value> </init-param> + <init-param><param-name> templatePath </param-name> + <param-value> /agent/ca/revocationResult.template </param-value> </init-param> + <init-param><param-name> interface </param-name> + <param-value> agent </param-value> </init-param> + <init-param><param-name> ID </param-name> + <param-value> caDoRevoke </param-value> </init-param> + <init-param><param-name> AuthMgr </param-name> + <param-value> certUserDBAuthMgr </param-value> </init-param> + <init-param><param-name> resourceID </param-name> + <param-value> certServer.ca.certificates </param-value> </init-param> + </servlet> + + <servlet> + <servlet-name> caProfileProcess </servlet-name> + <servlet-class> com.netscape.cms.servlet.profile.ProfileProcessServlet </servlet-class> + <init-param><param-name> GetClientCert </param-name> + <param-value> true </param-value> </init-param> + <init-param><param-name> AuthzMgr </param-name> + 
<param-value> BasicAclAuthz </param-value> </init-param> + <init-param><param-name> authorityId </param-name> + <param-value> ca </param-value> </init-param> + <init-param><param-name> interface </param-name> + <param-value> agent </param-value> </init-param> + <init-param><param-name> ID </param-name> + <param-value> caProfileProcess </param-value> </init-param> + <init-param><param-name> unauthorizedTemplate </param-name> + <param-value> /GenUnauthorized.template </param-value> </init-param> + <init-param><param-name> templatePath </param-name> + <param-value> /agent/ca/ProfileProcess.template </param-value> </init-param> + <init-param><param-name> AuthMgr </param-name> + <param-value> certUserDBAuthMgr </param-value> </init-param> + <init-param><param-name> resourceID </param-name> + <param-value> certServer.ca.request.profile </param-value> </init-param> + </servlet> + + <servlet> + <servlet-name> caProcessCertReq </servlet-name> + <servlet-class> com.netscape.cms.servlet.request.ProcessCertReq </servlet-class> + <init-param><param-name> GetClientCert </param-name> + <param-value> true </param-value> </init-param> + <init-param><param-name> AuthzMgr </param-name> + <param-value> BasicAclAuthz </param-value> </init-param> + <init-param><param-name> authority </param-name> + <param-value> ca </param-value> </init-param> + <init-param><param-name> interface </param-name> + <param-value> agent </param-value> </init-param> + <init-param><param-name> ID </param-name> + <param-value> caProcessCertReq </param-value> </init-param> + <init-param><param-name> resourceID </param-name> + <param-value> certServer.ca.request.enrollment </param-value> </init-param> + <init-param><param-name> AuthMgr </param-name> + <param-value> certUserDBAuthMgr </param-value> </init-param> + </servlet> + + <servlet> + <servlet-name> cabulkissuance </servlet-name> + <servlet-class> com.netscape.cms.servlet.cert.EnrollServlet </servlet-class> + <init-param><param-name> unauthorizedTemplate 
</param-name> + <param-value> /agent/ca/bulkissuance.template </param-value> </init-param> + <init-param><param-name> rejectedTemplate </param-name> + <param-value> /agent/ca/bulkissuance.template </param-value> </init-param> + <init-param><param-name> svcpendingTemplate </param-name> + <param-value> /agent/ca/bulkissuance.template </param-value> </init-param> + <init-param><param-name> resourceID </param-name> + <param-value> certServer.ca.request.enrollment </param-value> </init-param> + <init-param><param-name> GetClientCert </param-name> + <param-value> true </param-value> </init-param> + <init-param><param-name> authority </param-name> + <param-value> ca </param-value> </init-param> + <init-param><param-name> interface </param-name> + <param-value> agent </param-value> </init-param> + <init-param><param-name> ID </param-name> + <param-value> cabulkissuance </param-value> </init-param> + <init-param><param-name> errorTemplate </param-name> + <param-value> /agent/ca/bulkissuance.template </param-value> </init-param> + <init-param><param-name> unexpectedErrorTemplate </param-name> + <param-value> /agent/ca/bulkissuance.template </param-value> </init-param> + <init-param><param-name> pendingTemplate </param-name> + <param-value> /agent/ca/bulkissuance.template </param-value> </init-param> + <init-param><param-name> AuthzMgr </param-name> + <param-value> BasicAclAuthz </param-value> </init-param> + <init-param><param-name> successTemplate </param-name> + <param-value> /agent/ca/bulkissuance.template </param-value> </init-param> + <init-param><param-name> AuthMgr </param-name> + <param-value> certUserDBAuthMgr </param-value> </init-param> + </servlet> + + <servlet> + <servlet-name> caQueryBySerial </servlet-name> + <servlet-class> com.netscape.cms.servlet.base.DisplayHtmlServlet </servlet-class> + <init-param><param-name> GetClientCert </param-name> + <param-value> true </param-value> </init-param> + <init-param><param-name> htmlPath </param-name> + <param-value> 
/agent/ca/queryBySerial.html </param-value> </init-param> + <init-param><param-name> authority </param-name> + <param-value> ca </param-value> </init-param> + <init-param><param-name> interface </param-name> + <param-value> agent </param-value> </init-param> + <init-param><param-name> ID </param-name> + <param-value> caQueryBySerial </param-value> </init-param> + <init-param><param-name> unauthorizedTemplate </param-name> + <param-value> /agent/GenUnauthorized.template </param-value> </init-param> + <init-param><param-name> AuthMgr </param-name> + <param-value> certUserDBAuthMgr </param-value> </init-param> + </servlet> + + <servlet> + <servlet-name> camasterCAUpdateCRL </servlet-name> + <servlet-class> com.netscape.cms.servlet.cert.UpdateCRL </servlet-class> + <init-param><param-name> GetClientCert </param-name> + <param-value> true </param-value> </init-param> + <init-param><param-name> AuthzMgr </param-name> + <param-value> BasicAclAuthz </param-value> </init-param> + <init-param><param-name> authority </param-name> + <param-value> ca </param-value> </init-param> + <init-param><param-name> templatePath </param-name> + <param-value> /agent/ca/updateCRL.template </param-value> </init-param> + <init-param><param-name> interface </param-name> + <param-value> agent </param-value> </init-param> + <init-param><param-name> ID </param-name> + <param-value> camasterCAUpdateCRL </param-value> </init-param> + <init-param><param-name> resourceID </param-name> + <param-value> certServer.ca.crl </param-value> </init-param> + <init-param><param-name> AuthMgr </param-name> + <param-value> certUserDBAuthMgr </param-value> </init-param> + </servlet> + + <servlet> + <servlet-name> camasterCCA-CLAConnector </servlet-name> + <servlet-class> com.netscape.cms.servlet.connector.CloneServlet </servlet-class> + <init-param><param-name> GetClientCert </param-name> + <param-value> true </param-value> </init-param> + <init-param><param-name> AuthzMgr </param-name> + <param-value> 
BasicAclAuthz </param-value> </init-param> + <init-param><param-name> authority </param-name> + <param-value> ca </param-value> </init-param> + <init-param><param-name> interface </param-name> + <param-value> agent </param-value> </init-param> + <init-param><param-name> ID </param-name> + <param-value> camasterCCA-CLAConnector </param-value> </init-param> + <init-param><param-name> RequestEncoder </param-name> + <param-value> com.netscape.cmscore.connector.HttpRequestEncoder </param-value> </init-param> + <init-param><param-name> resourceID </param-name> + <param-value> certServer.ca.clone </param-value> </init-param> + <init-param><param-name> AuthMgr </param-name> + <param-value> certUserDBAuthMgr </param-value> </init-param> + </servlet> + + <servlet> + <servlet-name> camasterCADisplayCRL </servlet-name> + <servlet-class> com.netscape.cms.servlet.cert.DisplayCRL </servlet-class> + <init-param><param-name> GetClientCert </param-name> + <param-value> true </param-value> </init-param> + <init-param><param-name> AuthzMgr </param-name> + <param-value> BasicAclAuthz </param-value> </init-param> + <init-param><param-name> authority </param-name> + <param-value> ca </param-value> </init-param> + <init-param><param-name> templatePath </param-name> + <param-value> /agent/ca/displayCRL.template </param-value> </init-param> + <init-param><param-name> interface </param-name> + <param-value> agent </param-value> </init-param> + <init-param><param-name> ID </param-name> + <param-value> camasterCADisplayCRL </param-value> </init-param> + <init-param><param-name> resourceID </param-name> + <param-value> certServer.ca.crl </param-value> </init-param> + <init-param><param-name> AuthMgr </param-name> + <param-value> certUserDBAuthMgr </param-value> </init-param> + </servlet> + + <servlet> + <servlet-name> camasterCAGetInfo </servlet-name> + <servlet-class> com.netscape.cms.servlet.cert.GetInfo </servlet-class> + <init-param><param-name> GetClientCert </param-name> + <param-value> 
true </param-value> </init-param> + <init-param><param-name> AuthzMgr </param-name> + <param-value> BasicAclAuthz </param-value> </init-param> + <init-param><param-name> authority </param-name> + <param-value> ca </param-value> </init-param> + <init-param><param-name> interface </param-name> + <param-value> agent </param-value> </init-param> + <init-param><param-name> ID </param-name> + <param-value> camasterCAGetInfo </param-value> </init-param> + <init-param><param-name> resourceID </param-name> + <param-value> certServer.ca.crl </param-value> </init-param> + <init-param><param-name> AuthMgr </param-name> + <param-value> certUserDBAuthMgr </param-value> </init-param> + </servlet> + + <servlet> + <servlet-name> caProfileSubmit </servlet-name> + <servlet-class> com.netscape.cms.servlet.profile.ProfileSubmitServlet </servlet-class> + <init-param><param-name> GetClientCert </param-name> + <param-value> false </param-value> </init-param> + <init-param><param-name> AuthzMgr </param-name> + <param-value> BasicAclAuthz </param-value> </init-param> + <init-param><param-name> authorityId </param-name> + <param-value> ca </param-value> </init-param> + <init-param><param-name> interface </param-name> + <param-value> ee </param-value> </init-param> + <init-param><param-name> ID </param-name> + <param-value> caProfileSubmit </param-value> </init-param> + <init-param><param-name> templatePath </param-name> + <param-value> /ee/ca/ProfileSubmit.template </param-value> </init-param> + <init-param><param-name> resourceID </param-name> + <param-value> certServer.ee.profile </param-value> </init-param> + </servlet> + + <servlet> + <servlet-name> caRenewal </servlet-name> + <servlet-class> com.netscape.cms.servlet.cert.RenewalServlet </servlet-class> + <init-param><param-name> GetClientCert </param-name> + <param-value> true </param-value> </init-param> + <init-param><param-name> successTemplate </param-name> + <param-value> /ca/RenewalSuccess.template </param-value> </init-param> + 
<init-param><param-name> AuthzMgr </param-name> + <param-value> BasicAclAuthz </param-value> </init-param> + <init-param><param-name> authority </param-name> + <param-value> ca </param-value> </init-param> + <init-param><param-name> interface </param-name> + <param-value> ee </param-value> </init-param> + <init-param><param-name> ID </param-name> + <param-value> caRenewal </param-value> </init-param> + <init-param><param-name> resourceID </param-name> + <param-value> certServer.ee.certificate </param-value> </init-param> + <init-param><param-name> AuthMgr </param-name> + <param-value> sslClientCertAuthMgr </param-value> </init-param> + </servlet> + + <servlet> + <servlet-name> caGetCertFromRequest </servlet-name> + <servlet-class> com.netscape.cms.servlet.cert.GetCertFromRequest </servlet-class> + <init-param><param-name> GetClientCert </param-name> + <param-value> false </param-value> </init-param> + <init-param><param-name> successTemplate </param-name> + <param-value> /ee/ca/ImportCert.template </param-value> </init-param> + <init-param><param-name> AuthzMgr </param-name> + <param-value> BasicAclAuthz </param-value> </init-param> + <init-param><param-name> authority </param-name> + <param-value> ca </param-value> </init-param> + <init-param><param-name> interface </param-name> + <param-value> ee </param-value> </init-param> + <init-param><param-name> ID </param-name> + <param-value> caGetCertFromRequest </param-value> </init-param> + <init-param><param-name> resourceID </param-name> + <param-value> certServer.ee.certificate </param-value> </init-param> + <init-param><param-name> importCert </param-name> + <param-value> true </param-value> </init-param> + </servlet> + + <servlet> + <servlet-name> caGetCRL </servlet-name> + <servlet-class> com.netscape.cms.servlet.cert.GetCRL </servlet-class> + <init-param><param-name> GetClientCert </param-name> + <param-value> false </param-value> </init-param> + <init-param><param-name> AuthzMgr </param-name> + <param-value> 
BasicAclAuthz </param-value> </init-param> + <init-param><param-name> authority </param-name> + <param-value> ca </param-value> </init-param> + <init-param><param-name> interface </param-name> + <param-value> ee </param-value> </init-param> + <init-param><param-name> templatePath </param-name> + <param-value> /ee/ca/displayCRL.template </param-value> </init-param> + <init-param><param-name> ID </param-name> + <param-value> caGetCRL </param-value> </init-param> + <init-param><param-name> resourceID </param-name> + <param-value> certServer.ee.crl </param-value> </init-param> + </servlet> + + <servlet> + <servlet-name> caRemoteAuthConfig </servlet-name> + <servlet-class> com.netscape.cms.servlet.cert.RemoteAuthConfig </servlet-class> + <init-param><param-name> ID </param-name> + <param-value> caRemoteAuthConfig </param-value> </init-param> + <init-param><param-name> GetClientCert </param-name> + <param-value> false </param-value> </init-param> + <init-param><param-name> authority </param-name> + <param-value> ca </param-value> </init-param> + <init-param><param-name> interface </param-name> + <param-value> ee </param-value> </init-param> + </servlet> + + <servlet> + <servlet-name> caGetBySerial </servlet-name> + <servlet-class> com.netscape.cms.servlet.cert.GetBySerial </servlet-class> + <init-param><param-name> GetClientCert </param-name> + <param-value> false </param-value> </init-param> + <init-param><param-name> successTemplate </param-name> + <param-value> /ee/ca/ImportCert.template </param-value> </init-param> + <init-param><param-name> importCertTemplate </param-name> + <param-value> /ee/ca/ImportAdminCert.template </param-value> </init-param> + <init-param><param-name> AuthzMgr </param-name> + <param-value> BasicAclAuthz </param-value> </init-param> + <init-param><param-name> authority </param-name> + <param-value> ca </param-value> </init-param> + <init-param><param-name> interface </param-name> + <param-value> ee </param-value> </init-param> + 
<init-param><param-name> ID </param-name> + <param-value> caGetBySerial </param-value> </init-param> + <init-param><param-name> resourceID </param-name> + <param-value> certServer.ee.certificate </param-value> </init-param> + <init-param><param-name> interface </param-name> + <param-value> ee </param-value> </init-param> + </servlet> + + <servlet> + <servlet-name> cacertbasedenrollment </servlet-name> + <servlet-class> com.netscape.cms.servlet.cert.EnrollServlet </servlet-class> + <init-param><param-name> GetClientCert </param-name> + <param-value> true </param-value> </init-param> + <init-param><param-name> successTemplate </param-name> + <param-value> /ca/EnrollSuccess.template </param-value> </init-param> + <init-param><param-name> AuthzMgr </param-name> + <param-value> BasicAclAuthz </param-value> </init-param> + <init-param><param-name> authority </param-name> + <param-value> ca </param-value> </init-param> + <init-param><param-name> interface </param-name> + <param-value> ee </param-value> </init-param> + <init-param><param-name> ID </param-name> + <param-value> cacertbasedenrollment </param-value> </init-param> + <init-param><param-name> resourceID </param-name> + <param-value> certServer.ee.request.enrollment </param-value> </init-param> + </servlet> + + <servlet> + <servlet-name> caProfileSelect </servlet-name> + <servlet-class> com.netscape.cms.servlet.profile.ProfileSelectServlet </servlet-class> + <init-param><param-name> GetClientCert </param-name> + <param-value> false </param-value> </init-param> + <init-param><param-name> AuthzMgr </param-name> + <param-value> BasicAclAuthz </param-value> </init-param> + <init-param><param-name> authorityId </param-name> + <param-value> ca </param-value> </init-param> + <init-param><param-name> interface </param-name> + <param-value> ee </param-value> </init-param> + <init-param><param-name> ID </param-name> + <param-value> caProfileSelect </param-value> </init-param> + <init-param><param-name> templatePath 
</param-name>
+ <param-value> /ee/ca/ProfileSelect.template </param-value> </init-param>
+ <init-param><param-name> resourceID </param-name>
+ <param-value> certServer.ee.profile </param-value> </init-param>
+ </servlet>
+
+ <servlet>
+ <servlet-name> caenrollment </servlet-name>
+ <servlet-class> com.netscape.cms.servlet.cert.EnrollServlet </servlet-class>
+ <init-param><param-name> GetClientCert </param-name>
+ <param-value> false </param-value> </init-param>
+ <init-param><param-name> successTemplate </param-name>
+ <param-value> /ca/EnrollSuccess.template </param-value> </init-param>
+ <init-param><param-name> AuthzMgr </param-name>
+ <param-value> BasicAclAuthz </param-value> </init-param>
+ <init-param><param-name> authority </param-name>
+ <param-value> ca </param-value> </init-param>
+ <init-param><param-name> interface </param-name>
+ <param-value> ee </param-value> </init-param>
+ <init-param><param-name> ID </param-name>
+ <param-value> caenrollment </param-value> </init-param>
+ <init-param><param-name> resourceID </param-name>
+ <param-value> certServer.ee.request.enrollment </param-value> </init-param>
+ </servlet>
+
+ <servlet>
+ <servlet-name> caCheckRequest </servlet-name>
+ <servlet-class> com.netscape.cms.servlet.request.CheckRequest </servlet-class>
+ <init-param><param-name> GetClientCert </param-name>
+ <param-value> false </param-value> </init-param>
+ <init-param><param-name> AuthzMgr </param-name>
+ <param-value> BasicAclAuthz </param-value> </init-param>
+ <init-param><param-name> authority </param-name>
+ <param-value> ca </param-value> </init-param>
+ <init-param><param-name> interface </param-name>
+ <param-value> ee </param-value> </init-param>
+ <init-param><param-name> templatePath </param-name>
+ <param-value> /ee/ca/requestStatus.template </param-value> </init-param>
+ <init-param><param-name> ID </param-name>
+ <param-value> caCheckRequest </param-value> </init-param>
+ <init-param><param-name> resourceID </param-name>
+ 
<param-value> certServer.ee.requestStatus </param-value> </init-param>
+ </servlet>
+
+ <servlet>
+ <servlet-name> caOCSP </servlet-name>
+ <servlet-class> com.netscape.cms.servlet.ocsp.OCSPServlet </servlet-class>
+ <init-param><param-name> GetClientCert </param-name>
+ <param-value> false </param-value> </init-param>
+ <init-param><param-name> AuthzMgr </param-name>
+ <param-value> BasicAclAuthz </param-value> </init-param>
+ <init-param><param-name> authority </param-name>
+ <param-value> ca </param-value> </init-param>
+ <init-param><param-name> interface </param-name>
+ <param-value> ee </param-value> </init-param>
+ <init-param><param-name> ID </param-name>
+ <param-value> caOCSP </param-value> </init-param>
+ <init-param><param-name> resourceID </param-name>
+ <param-value> certServer.ee.request.ocsp </param-value> </init-param>
+ </servlet>
+
+ <servlet>
+ <servlet-name> caDoRevoke1 </servlet-name>
+ <servlet-class> com.netscape.cms.servlet.cert.DoRevokeTPS </servlet-class>
+ <init-param><param-name> GetClientCert </param-name>
+ <param-value> true </param-value> </init-param>
+ <init-param><param-name> AuthzMgr </param-name>
+ <param-value> BasicAclAuthz </param-value> </init-param>
+ <init-param><param-name> authority </param-name>
+ <param-value> ca </param-value> </init-param>
+ <init-param><param-name> interface </param-name>
+ <param-value> agent </param-value> </init-param>
+ <init-param><param-name> templatePath </param-name>
+ <param-value> /agent/ca/revocationResult.template</param-value> </init-param>
+ <init-param><param-name> ID </param-name>
+ <param-value> caDoRevoke1 </param-value> </init-param>
+ <init-param><param-name> AuthMgr </param-name>
+ <param-value> certUserDBAuthMgr </param-value> </init-param>
+ <init-param><param-name> resourceID </param-name>
+ <param-value> certServer.ca.certificates </param-value> </init-param>
+ </servlet>
+
+ <servlet>
+ <servlet-name> caSrchCerts </servlet-name>
+ <servlet-class> 
com.netscape.cms.servlet.cert.SrchCerts </servlet-class>
+ <init-param><param-name> GetClientCert </param-name>
+ <param-value> false </param-value> </init-param>
+ <init-param><param-name> AuthzMgr </param-name>
+ <param-value> BasicAclAuthz </param-value> </init-param>
+ <init-param><param-name> authority </param-name>
+ <param-value> ca </param-value> </init-param>
+ <init-param><param-name> interface </param-name>
+ <param-value> ee </param-value> </init-param>
+ <init-param><param-name> templatePath </param-name>
+ <param-value> /ee/ca/srchCert.template </param-value> </init-param>
+ <init-param><param-name> ID </param-name>
+ <param-value> caSrchCerts </param-value> </init-param>
+ <init-param><param-name> resourceID </param-name>
+ <param-value> certServer.ee.certificates </param-value> </init-param>
+ </servlet>
+
+ <servlet>
+ <servlet-name> caDynamicVariables </servlet-name>
+ <servlet-class> com.netscape.cms.servlet.base.DynamicVariablesServlet </servlet-class>
+ <init-param><param-name> ID </param-name>
+ <param-value> caDynamicVariables </param-value> </init-param>
+ <init-param><param-name> GetClientCert </param-name>
+ <param-value> false </param-value> </init-param>
+ <init-param><param-name> dynamicVariables </param-name>
+ <param-value> serverdate=serverdate(),subsystemname=subsystemname(),http=http(),authmgrs=authmgrs(),clacrlurl=clacrlurl() </param-value> </init-param>
+ <init-param><param-name> authority </param-name>
+ <param-value> ca </param-value> </init-param>
+ <init-param><param-name> interface </param-name>
+ <param-value> ee </param-value> </init-param>
+ </servlet>
+
+ <servlet>
+ <servlet-name> caDynamicVariables-admin </servlet-name>
+ <servlet-class> com.netscape.cms.servlet.base.DynamicVariablesServlet </servlet-class>
+ <init-param><param-name> ID </param-name>
+ <param-value> caDynamicVariables </param-value> </init-param>
+ <init-param><param-name> GetClientCert </param-name>
+ <param-value> false </param-value> </init-param>
+ 
<init-param><param-name> dynamicVariables </param-name>
+ <param-value> serverdate=serverdate(),subsystemname=subsystemname(),http=http(),authmgrs=authmgrs(),clacrlurl=clacrlurl() </param-value> </init-param>
+ <init-param><param-name> authority </param-name>
+ <param-value> ca </param-value> </init-param>
+ <init-param><param-name> interface </param-name>
+ <param-value> admin </param-value> </init-param>
+ </servlet>
+
+ <servlet>
+ <servlet-name> caProfileSubmitCMCSimple </servlet-name>
+ <servlet-class> com.netscape.cms.servlet.profile.ProfileSubmitCMCServlet </servlet-class>
+ <init-param><param-name> GetClientCert </param-name>
+ <param-value> false </param-value> </init-param>
+ <init-param><param-name> cert_request_type </param-name>
+ <param-value> pkcs10 </param-value> </init-param>
+ <init-param><param-name> profileId </param-name>
+ <param-value> caSimpleCMCUserCert </param-value> </init-param>
+ <init-param><param-name> AuthzMgr </param-name>
+ <param-value> BasicAclAuthz </param-value> </init-param>
+ <init-param><param-name> outputFormat </param-name>
+ <param-value> cmc </param-value> </init-param>
+ <init-param><param-name> authorityId </param-name>
+ <param-value> ca </param-value> </init-param>
+ <init-param><param-name> ID </param-name>
+ <param-value> caProfileSubmitCMCSimple </param-value> </init-param>
+ <init-param><param-name> templatePath </param-name>
+ <param-value> /ee/ca/ProfileSubmit.template </param-value> </init-param>
+ <init-param><param-name> resourceID </param-name>
+ <param-value> certServer.ee.profile </param-value> </init-param>
+ <init-param><param-name> interface </param-name>
+ <param-value> ee </param-value> </init-param>
+ </servlet>
+
+ <servlet>
+ <servlet-name> caDisplayCertFromRequest </servlet-name>
+ <servlet-class> com.netscape.cms.servlet.cert.GetCertFromRequest </servlet-class>
+ <init-param><param-name> GetClientCert </param-name>
+ <param-value> false </param-value> </init-param>
+ <init-param><param-name> 
successTemplate </param-name>
+ <param-value> /ee/ca/displayCertFromRequest.template </param-value> </init-param>
+ <init-param><param-name> AuthzMgr </param-name>
+ <param-value> BasicAclAuthz </param-value> </init-param>
+ <init-param><param-name> authority </param-name>
+ <param-value> ca </param-value> </init-param>
+ <init-param><param-name> ID </param-name>
+ <param-value> caDisplayCertFromRequest </param-value> </init-param>
+ <init-param><param-name> resourceID </param-name>
+ <param-value> certServer.ee.certificate </param-value> </init-param>
+ <init-param><param-name> importCert </param-name>
+ <param-value> false </param-value> </init-param>
+ <init-param><param-name> interface </param-name>
+ <param-value> ee </param-value> </init-param>
+ </servlet>
+
+ <servlet>
+ <servlet-name> caListCerts </servlet-name>
+ <servlet-class> com.netscape.cms.servlet.cert.ListCerts </servlet-class>
+ <init-param><param-name> GetClientCert </param-name>
+ <param-value> false </param-value> </init-param>
+ <init-param><param-name> AuthzMgr </param-name>
+ <param-value> BasicAclAuthz </param-value> </init-param>
+ <init-param><param-name> authority </param-name>
+ <param-value> ca </param-value> </init-param>
+ <init-param><param-name> templatePath </param-name>
+ <param-value> /ee/ca/queryCert.template </param-value> </init-param>
+ <init-param><param-name> ID </param-name>
+ <param-value> caListCerts </param-value> </init-param>
+ <init-param><param-name> resourceID </param-name>
+ <param-value> certServer.ee.certificates </param-value> </init-param>
+ <init-param><param-name> interface </param-name>
+ <param-value> ee </param-value> </init-param>
+ </servlet>
+
+ <servlet>
+ <servlet-name> caProfileSubmitSSLClient </servlet-name>
+ <servlet-class> com.netscape.cms.servlet.profile.ProfileSubmitServlet </servlet-class>
+ <init-param><param-name> GetClientCert </param-name>
+ <param-value> false </param-value> </init-param>
+ <init-param><param-name> AuthzMgr 
</param-name>
+ <param-value> BasicAclAuthz </param-value> </init-param>
+ <init-param><param-name> authorityId </param-name>
+ <param-value> ca </param-value> </init-param>
+ <init-param><param-name> ID </param-name>
+ <param-value> caProfileSubmitSSLClient </param-value> </init-param>
+ <init-param><param-name> templatePath </param-name>
+ <param-value> /ee/ca/ProfileSubmit.template </param-value> </init-param>
+ <init-param><param-name> resourceID </param-name>
+ <param-value> certServer.ee.profile </param-value> </init-param>
+ <init-param><param-name> interface </param-name>
+ <param-value> ee </param-value> </init-param>
+ </servlet>
+
+ <servlet>
+ <servlet-name> caGetCAChain </servlet-name>
+ <servlet-class> com.netscape.cms.servlet.cert.GetCAChain </servlet-class>
+ <init-param><param-name> GetClientCert </param-name>
+ <param-value> false </param-value> </init-param>
+ <init-param><param-name> AuthzMgr </param-name>
+ <param-value> BasicAclAuthz </param-value> </init-param>
+ <init-param><param-name> authority </param-name>
+ <param-value> ca </param-value> </init-param>
+ <init-param><param-name> templatePath </param-name>
+ <param-value> /ee/ca/displayCaCert.template </param-value> </init-param>
+ <init-param><param-name> ID </param-name>
+ <param-value> caGetCAChain </param-value> </init-param>
+ <init-param><param-name> resourceID </param-name>
+ <param-value> certServer.ee.certchain </param-value> </init-param>
+ <init-param><param-name> interface </param-name>
+ <param-value> ee </param-value> </init-param>
+ </servlet>
+
+ <servlet>
+ <servlet-name> caProfileSubmitCMCFull </servlet-name>
+ <servlet-class> com.netscape.cms.servlet.profile.ProfileSubmitCMCServlet </servlet-class>
+ <init-param><param-name> GetClientCert </param-name>
+ <param-value> false </param-value> </init-param>
+ <init-param><param-name> cert_request_type </param-name>
+ <param-value> cmc </param-value> </init-param>
+ <init-param><param-name> profileId </param-name>
+ 
<param-value> caFullCMCUserCert </param-value> </init-param>
+ <init-param><param-name> AuthzMgr </param-name>
+ <param-value> BasicAclAuthz </param-value> </init-param>
+ <init-param><param-name> authorityId </param-name>
+ <param-value> ca </param-value> </init-param>
+ <init-param><param-name> ID </param-name>
+ <param-value> caProfileSubmitCMCFull </param-value> </init-param>
+ <init-param><param-name> templatePath </param-name>
+ <param-value> /ee/ca/ProfileSubmit.template </param-value> </init-param>
+ <init-param><param-name> resourceID </param-name>
+ <param-value> certServer.ee.profile </param-value> </init-param>
+ <init-param><param-name> interface </param-name>
+ <param-value> ee </param-value> </init-param>
+ </servlet>
+
+ <servlet>
+ <servlet-name> caProfileList </servlet-name>
+ <servlet-class> com.netscape.cms.servlet.profile.ProfileListServlet </servlet-class>
+ <init-param><param-name> GetClientCert </param-name>
+ <param-value> false </param-value> </init-param>
+ <init-param><param-name> AuthzMgr </param-name>
+ <param-value> BasicAclAuthz </param-value> </init-param>
+ <init-param><param-name> authorityId </param-name>
+ <param-value> ca </param-value> </init-param>
+ <init-param><param-name> ID </param-name>
+ <param-value> caProfileList </param-value> </init-param>
+ <init-param><param-name> templatePath </param-name>
+ <param-value> /ee/ca/ProfileList.template </param-value> </init-param>
+ <init-param><param-name> resourceID </param-name>
+ <param-value> certServer.ee.profiles </param-value> </init-param>
+ <init-param><param-name> interface </param-name>
+ <param-value> ee </param-value> </init-param>
+ </servlet>
+
+ <servlet>
+ <servlet-name> caCMCRevReq </servlet-name>
+ <servlet-class> com.netscape.cms.servlet.cert.CMCRevReqServlet </servlet-class>
+ <init-param><param-name> GetClientCert </param-name>
+ <param-value> false </param-value> </init-param>
+ <init-param><param-name> AuthzMgr </param-name>
+ <param-value> BasicAclAuthz 
</param-value> </init-param>
+ <init-param><param-name> authority </param-name>
+ <param-value> ca </param-value> </init-param>
+ <init-param><param-name> templatePath </param-name>
+ <param-value> /ee/ca/revocationResult.template </param-value> </init-param>
+ <init-param><param-name> ID </param-name>
+ <param-value> caCMCRevReq </param-value> </init-param>
+ <init-param><param-name> AuthMgr </param-name>
+ <param-value> CMCAuth </param-value> </init-param>
+ <init-param><param-name> resourceID </param-name>
+ <param-value> certServer.ee.request.revocation </param-value> </init-param>
+ <init-param><param-name> interface </param-name>
+ <param-value> ee </param-value> </init-param>
+ </servlet>
+
+ <servlet>
+ <servlet-name> caDoUnrevoke1 </servlet-name>
+ <servlet-class> com.netscape.cms.servlet.cert.DoUnrevokeTPS </servlet-class>
+ <init-param><param-name> GetClientCert </param-name>
+ <param-value> true </param-value> </init-param>
+ <init-param><param-name> AuthzMgr </param-name>
+ <param-value> BasicAclAuthz </param-value> </init-param>
+ <init-param><param-name> authority </param-name>
+ <param-value> ca </param-value> </init-param>
+ <init-param><param-name> ID </param-name>
+ <param-value> caDoUnrevoke1 </param-value> </init-param>
+ <init-param><param-name> AuthMgr </param-name>
+ <param-value> certUserDBAuthMgr </param-value> </init-param>
+ <init-param><param-name> resourceID </param-name>
+ <param-value> certServer.ca.certificate </param-value> </init-param>
+ <init-param><param-name> interface </param-name>
+ <param-value> agent </param-value> </init-param>
+ </servlet>
+
+ <servlet>
+ <servlet-name> caDisplayBySerial </servlet-name>
+ <servlet-class> com.netscape.cms.servlet.cert.DisplayBySerial </servlet-class>
+ <init-param><param-name> GetClientCert </param-name>
+ <param-value> false </param-value> </init-param>
+ <init-param><param-name> AuthzMgr </param-name>
+ <param-value> BasicAclAuthz </param-value> </init-param>
+ <init-param><param-name> 
authority </param-name>
+ <param-value> ca </param-value> </init-param>
+ <init-param><param-name> templatePath </param-name>
+ <param-value> /ee/ca/displayBySerial.template </param-value> </init-param>
+ <init-param><param-name> ID </param-name>
+ <param-value> caDisplayBySerial </param-value> </init-param>
+ <init-param><param-name> resourceID </param-name>
+ <param-value> certServer.ee.certificate </param-value> </init-param>
+ <init-param><param-name> interface </param-name>
+ <param-value> ee </param-value> </init-param>
+ </servlet>
+
+ <servlet>
+ <servlet-name> caRevocation </servlet-name>
+ <servlet-class> com.netscape.cms.servlet.cert.RevocationServlet </servlet-class>
+ <init-param><param-name> GetClientCert </param-name>
+ <param-value> true </param-value> </init-param>
+ <init-param><param-name> successTemplate </param-name>
+ <param-value> /ee/ca/reasonToRevoke.template </param-value> </init-param>
+ <init-param><param-name> AuthzMgr </param-name>
+ <param-value> BasicAclAuthz </param-value> </init-param>
+ <init-param><param-name> authority </param-name>
+ <param-value> ca </param-value> </init-param>
+ <init-param><param-name> ID </param-name>
+ <param-value> caRevocation </param-value> </init-param>
+ <init-param><param-name> resourceID </param-name>
+ <param-value> certServer.ee.request.revocation </param-value> </init-param>
+ <init-param><param-name> AuthMgr </param-name>
+ <param-value> sslClientCertAuthMgr </param-value> </init-param>
+ <init-param><param-name> interface </param-name>
+ <param-value> ee </param-value> </init-param>
+ </servlet>
+
+ <servlet>
+ <servlet-name> caGetInfo </servlet-name>
+ <servlet-class> com.netscape.cms.servlet.cert.GetInfo </servlet-class>
+ <init-param><param-name> GetClientCert </param-name>
+ <param-value> false </param-value> </init-param>
+ <init-param><param-name> AuthzMgr </param-name>
+ <param-value> BasicAclAuthz </param-value> </init-param>
+ <init-param><param-name> authority </param-name>
+ 
<param-value> ca </param-value> </init-param>
+ <init-param><param-name> ID </param-name>
+ <param-value> caGetInfo </param-value> </init-param>
+ <init-param><param-name> resourceID </param-name>
+ <param-value> certServer.ee.crl </param-value> </init-param>
+ <init-param><param-name> interface </param-name>
+ <param-value> ee </param-value> </init-param>
+ </servlet>
+
+ <servlet>
+ <servlet-name> caGetSubsystemCert </servlet-name>
+ <servlet-class> com.netscape.cms.servlet.csadmin.GetSubsystemCert </servlet-class>
+ <init-param><param-name> GetClientCert </param-name>
+ <param-value> false </param-value> </init-param>
+ <init-param><param-name> AuthzMgr </param-name>
+ <param-value> BasicAclAuthz </param-value> </init-param>
+ <init-param><param-name> authority </param-name>
+ <param-value> ca </param-value> </init-param>
+ <init-param><param-name> ID </param-name>
+ <param-value> caGetSubsystemCert </param-value> </init-param>
+ <init-param><param-name> resourceID </param-name>
+ <param-value> certServer.ee.cert </param-value> </init-param>
+ <init-param><param-name> interface </param-name>
+ <param-value> ee </param-value> </init-param>
+ </servlet>
+
+ <servlet>
+ <servlet-name> caDoRevoke </servlet-name>
+ <servlet-class> com.netscape.cms.servlet.cert.DoRevoke </servlet-class>
+ <init-param><param-name> GetClientCert </param-name>
+ <param-value> false </param-value> </init-param>
+ <init-param><param-name> AuthzMgr </param-name>
+ <param-value> BasicAclAuthz </param-value> </init-param>
+ <init-param><param-name> authority </param-name>
+ <param-value> ca </param-value> </init-param>
+ <init-param><param-name> ID </param-name>
+ <param-value> caDoRevoke </param-value> </init-param>
+ <init-param><param-name> resourceID </param-name>
+ <param-value> certServer.ee.certificates </param-value> </init-param>
+ <init-param><param-name> interface </param-name>
+ <param-value> ee </param-value> </init-param>
+ </servlet>
+
+ <servlet>
+ <servlet-name> 
caSecurityDomainLogin </servlet-name>
+ <servlet-class> com.netscape.cms.servlet.csadmin.SecurityDomainLogin </servlet-class>
+ <init-param> <param-name>properties</param-name>
+ <param-value>/WEB-INF/velocity.properties</param-value> </init-param>
+ <init-param><param-name> GetClientCert </param-name>
+ <param-value> false </param-value> </init-param>
+ <init-param><param-name> AuthzMgr </param-name>
+ <param-value> BasicAclAuthz </param-value> </init-param>
+ <init-param><param-name> authority </param-name>
+ <param-value> ca </param-value> </init-param>
+ <init-param><param-name> ID </param-name>
+ <param-value> caSecurityDomainLogin </param-value> </init-param>
+ <init-param><param-name> resourceID </param-name>
+ <param-value> certServer.ee.certificates </param-value> </init-param>
+ <init-param><param-name> interface </param-name>
+ <param-value> ee </param-value> </init-param>
+ </servlet>
+
+ <servlet>
+ <servlet-name> caGetCookie </servlet-name>
+ <servlet-class> com.netscape.cms.servlet.csadmin.GetCookie </servlet-class>
+ <init-param> <param-name>properties</param-name>
+ <param-value>/WEB-INF/velocity.properties</param-value> </init-param>
+ <init-param><param-name> GetClientCert </param-name>
+ <param-value> false </param-value> </init-param>
+ <init-param><param-name> AuthzMgr </param-name>
+ <param-value> BasicAclAuthz </param-value> </init-param>
+ <init-param><param-name> authority </param-name>
+ <param-value> ca </param-value> </init-param>
+ <init-param><param-name> ID </param-name>
+ <param-value> caGetCookie </param-value> </init-param>
+ <init-param><param-name> interface </param-name>
+ <param-value> ee </param-value> </init-param>
+ <init-param><param-name> AuthMgr </param-name>
+ <param-value> passwdUserDBAuthMgr </param-value> </init-param>
+ <init-param><param-name> templatePath </param-name>
+ <param-value> /ee/ca/sendCookie.template </param-value> </init-param>
+ <init-param><param-name> errorTemplatePath </param-name>
+ <param-value> 
/ee/ca/securitydomainlogin.template </param-value> </init-param>
+ </servlet>
+
+ <servlet>
+ <servlet-name> caTokenAuthenticate </servlet-name>
+ <servlet-class> com.netscape.cms.servlet.csadmin.TokenAuthenticate </servlet-class>
+ <init-param><param-name> GetClientCert </param-name>
+ <param-value> false </param-value> </init-param>
+ <init-param><param-name> authority </param-name>
+ <param-value> ca </param-value> </init-param>
+ <init-param><param-name> ID </param-name>
+ <param-value> caTokenAuthenticate </param-value> </init-param>
+ <init-param><param-name> interface </param-name>
+ <param-value> ee </param-value> </init-param>
+ </servlet>
+
+ <servlet>
+ <servlet-name> caGetTokenInfo </servlet-name>
+ <servlet-class> com.netscape.cms.servlet.csadmin.GetTokenInfo </servlet-class>
+ <init-param><param-name> GetClientCert </param-name>
+ <param-value> false </param-value> </init-param>
+ <init-param><param-name> authority </param-name>
+ <param-value> ca </param-value> </init-param>
+ <init-param><param-name> ID </param-name>
+ <param-value> caGetTokenInfo </param-value> </init-param>
+ <init-param><param-name> interface </param-name>
+ <param-value> ee </param-value> </init-param>
+ </servlet>
+
+ <servlet>
+ <servlet-name> caProxyProfileSubmit </servlet-name>
+ <servlet-class> com.netscape.cms.servlet.base.ProxyServlet </servlet-class>
+ <init-param><param-name> destServlet </param-name>
+ <param-value> /ee/ca/profileSubmit </param-value> </init-param>
+ </servlet>
+
+ <servlet>
+ <servlet-name> caProxyBulkIssuance </servlet-name>
+ <servlet-class> com.netscape.cms.servlet.base.ProxyServlet </servlet-class>
+ <init-param><param-name> destServlet </param-name>
+ <param-value> /agent/ca/bulkissuance </param-value> </init-param>
+ </servlet>
+
+ <servlet>
+ <servlet-name> caSCEP </servlet-name>
+ <servlet-class> com.netscape.cms.servlet.cert.scep.CRSEnrollment </servlet-class>
+ <init-param><param-name> authority </param-name>
+ <param-value> ca 
</param-value> </init-param>
+ <init-param><param-name> profileId </param-name>
+ <param-value> caRouterCert </param-value> </init-param>
+ </servlet>
+
+ <servlet>
+ <servlet-name> caRASCEP </servlet-name>
+ <servlet-class> com.netscape.cms.servlet.cert.scep.CRSEnrollment </servlet-class>
+ <init-param><param-name> authority </param-name>
+ <param-value> ca </param-value> </init-param>
+ <init-param><param-name> profileId </param-name>
+ <param-value> caRARouterCert </param-value> </init-param>
+ </servlet>
+
+ <servlet>
+ <servlet-name> caProxyDoRevoke </servlet-name>
+ <servlet-class> com.netscape.cms.servlet.base.ProxyServlet </servlet-class>
+ <init-param><param-name> destServlet </param-name>
+ <param-value> /agent/ca/doRevoke </param-value> </init-param>
+ </servlet>
+
+ <servlet-mapping>
+ <servlet-name> caacl </servlet-name>
+ <url-pattern> /acl </url-pattern>
+ </servlet-mapping>
+
+ <servlet-mapping>
+ <servlet-name> caug </servlet-name>
+ <url-pattern> /ug </url-pattern>
+ </servlet-mapping>
+
+ <servlet-mapping>
+ <servlet-name> caserver </servlet-name>
+ <url-pattern> /server </url-pattern>
+ </servlet-mapping>
+
+ <servlet-mapping>
+ <servlet-name> capolicy </servlet-name>
+ <url-pattern> /capolicy </url-pattern>
+ </servlet-mapping>
+
+ <servlet-mapping>
+ <servlet-name> calog </servlet-name>
+ <url-pattern> /log </url-pattern>
+ </servlet-mapping>
+
+ <servlet-mapping>
+ <servlet-name> caGetAdminCertBySerial </servlet-name>
+ <url-pattern> /ca/getAdminCertBySerial </url-pattern>
+ </servlet-mapping>
+
+ <servlet-mapping>
+ <servlet-name> caCheckIdentity </servlet-name>
+ <url-pattern> /ee/ca/checkIdentity </url-pattern>
+ </servlet-mapping>
+
+ <servlet-mapping>
+ <servlet-name> caGetConfigEntries </servlet-name>
+ <url-pattern> /admin/ca/getConfigEntries </url-pattern>
+ </servlet-mapping>
+
+ <servlet-mapping>
+ <servlet-name> caGetDomainXML </servlet-name>
+ <url-pattern> /ee/ca/getDomainXML </url-pattern>
+ </servlet-mapping>
+
+ 
<servlet-mapping>
+ <servlet-name> caUpdateDomainXML </servlet-name>
+ <url-pattern> /agent/ca/updateDomainXML </url-pattern>
+ </servlet-mapping>
+
+ <servlet-mapping>
+ <servlet-name> caUpdateNumberRange </servlet-name>
+ <url-pattern> /ee/ca/updateNumberRange </url-pattern>
+ </servlet-mapping>
+
+ <servlet-mapping>
+ <servlet-name> caDownloadPKCS12 </servlet-name>
+ <url-pattern> /admin/console/config/savepkcs12 </url-pattern>
+ </servlet-mapping>
+
+ <servlet-mapping>
+ <servlet-name> caGetCertChain </servlet-name>
+ <url-pattern> /ee/ca/getCertChain </url-pattern>
+ </servlet-mapping>
+
+ <servlet-mapping>
+ <servlet-name> caGetStatus </servlet-name>
+ <url-pattern> /ee/ca/getStatus </url-pattern>
+ </servlet-mapping>
+
+ <servlet-mapping>
+ <servlet-name> caca </servlet-name>
+ <url-pattern> /caadmin </url-pattern>
+ </servlet-mapping>
+
+ <servlet-mapping>
+ <servlet-name> caregistry </servlet-name>
+ <url-pattern> /registry </url-pattern>
+ </servlet-mapping>
+
+ <servlet-mapping>
+ <servlet-name> caauths </servlet-name>
+ <url-pattern> /auths </url-pattern>
+ </servlet-mapping>
+
+ <servlet-mapping>
+ <servlet-name> castart </servlet-name>
+ <url-pattern> /start </url-pattern>
+ </servlet-mapping>
+
+ <servlet-mapping>
+ <servlet-name> caocsp </servlet-name>
+ <url-pattern> /ocsp </url-pattern>
+ </servlet-mapping>
+
+ <servlet-mapping>
+ <servlet-name> caprofile </servlet-name>
+ <url-pattern> /caprofile </url-pattern>
+ </servlet-mapping>
+
+ <servlet-mapping>
+ <servlet-name> caDynamicVariables </servlet-name>
+ <url-pattern> /ee/dynamicVars.js </url-pattern>
+ </servlet-mapping>
+
+ <servlet-mapping>
+ <servlet-name> caDynamicVariables-admin </servlet-name>
+ <url-pattern> /admin/dynamicVars.js </url-pattern>
+ </servlet-mapping>
+
+ <servlet-mapping>
+ <servlet-name> cajobsScheduler </servlet-name>
+ <url-pattern> /jobsScheduler </url-pattern>
+ </servlet-mapping>
+
+ <servlet-mapping>
+ <servlet-name> caadminEnroll </servlet-name>
+ <url-pattern> 
/admin/ca/adminEnroll </url-pattern>
+ </servlet-mapping>
+
+ <servlet-mapping>
+ <servlet-name> capublisher </servlet-name>
+ <url-pattern> /capublisher </url-pattern>
+ </servlet-mapping>
+
+ <servlet-mapping>
+ <servlet-name> caGetOCSPInfo </servlet-name>
+ <url-pattern> /agent/ca/getOCSPInfo </url-pattern>
+ </servlet-mapping>
+
+ <servlet-mapping>
+ <servlet-name> caUpdateDir </servlet-name>
+ <url-pattern> /agent/ca/updateDir </url-pattern>
+ </servlet-mapping>
+
+ <servlet-mapping>
+ <servlet-name> caGetCertFromRequest-agent </servlet-name>
+ <url-pattern> /ca/getCertFromRequest </url-pattern>
+ </servlet-mapping>
+
+ <servlet-mapping>
+ <servlet-name> caGetBySerial-agent </servlet-name>
+ <url-pattern> /ca/getBySerial </url-pattern>
+ </servlet-mapping>
+
+ <servlet-mapping>
+ <servlet-name> caProfileSelect-agent </servlet-name>
+ <url-pattern> /agent/ca/profileSelect </url-pattern>
+ </servlet-mapping>
+
+ <servlet-mapping>
+ <servlet-name> caindex </servlet-name>
+ <url-pattern> /index </url-pattern>
+ </servlet-mapping>
+
+ <servlet-mapping>
+ <servlet-name> caMonitor </servlet-name>
+ <url-pattern> /agent/ca/monitor </url-pattern>
+ </servlet-mapping>
+
+ <servlet-mapping>
+ <servlet-name> caReasonToRevoke </servlet-name>
+ <url-pattern> /agent/ca/reasonToRevoke </url-pattern>
+ </servlet-mapping>
+
+ <servlet-mapping>
+ <servlet-name> caListRequests </servlet-name>
+ <url-pattern> /agent/ca/listRequests.html </url-pattern>
+ </servlet-mapping>
+
+ <servlet-mapping>
+ <servlet-name> casearchReqs </servlet-name>
+ <url-pattern> /agent/ca/searchReqs </url-pattern>
+ </servlet-mapping>
+
+ <servlet-mapping>
+ <servlet-name> caProfileApprove </servlet-name>
+ <url-pattern> /agent/ca/profileApprove </url-pattern>
+ </servlet-mapping>
+
+ <servlet-mapping>
+ <servlet-name> caUpdateDirectory </servlet-name>
+ <url-pattern> /agent/ca/updateDir.html </url-pattern>
+ </servlet-mapping>
+
+ <servlet-mapping>
+ <servlet-name> caProfileReview </servlet-name>
+ 
<url-pattern> /agent/ca/profileReview </url-pattern>
+ </servlet-mapping>
+
+ <servlet-mapping>
+ <servlet-name> caConnector </servlet-name>
+ <url-pattern> /ca/connector </url-pattern>
+ </servlet-mapping>
+
+ <servlet-mapping>
+ <servlet-name> caSrchCerts-agent </servlet-name>
+ <url-pattern> /agent/ca/srchCerts </url-pattern>
+ </servlet-mapping>
+
+ <servlet-mapping>
+ <servlet-name> caheader </servlet-name>
+ <url-pattern> /agent/header </url-pattern>
+ </servlet-mapping>
+
+ <servlet-mapping>
+ <servlet-name> caDisplayCertFromRequest-agent </servlet-name>
+ <url-pattern> /ca/displayCertFromRequest </url-pattern>
+ </servlet-mapping>
+
+ <servlet-mapping>
+ <servlet-name> caListCerts-agent </servlet-name>
+ <url-pattern> /agent/ca/listCerts </url-pattern>
+ </servlet-mapping>
+
+ <servlet-mapping>
+ <servlet-name> caqueryReq </servlet-name>
+ <url-pattern> /agent/ca/queryReq </url-pattern>
+ </servlet-mapping>
+
+ <servlet-mapping>
+ <servlet-name> caProcessReq </servlet-name>
+ <url-pattern> /agent/ca/processReq </url-pattern>
+ </servlet-mapping>
+
+ <servlet-mapping>
+ <servlet-name> caports </servlet-name>
+ <url-pattern> /ee/ca/ports </url-pattern>
+ </servlet-mapping>
+
+ <servlet-mapping>
+ <servlet-name> caSrchCert </servlet-name>
+ <url-pattern> /agent/ca/srchCert.html </url-pattern>
+ </servlet-mapping>
+
+ <servlet-mapping>
+ <servlet-name> caProfileList-agent </servlet-name>
+ <url-pattern> /agent/ca/profileList </url-pattern>
+ </servlet-mapping>
+
+ <servlet-mapping>
+ <servlet-name> caDisplayBySerial-agent </servlet-name>
+ <url-pattern> /agent/ca/displayBySerial </url-pattern>
+ </servlet-mapping>
+
+ <servlet-mapping>
+ <servlet-name> caSrchRevokeCert </servlet-name>
+ <url-pattern> /agent/ca/srchRevokeCert.html </url-pattern>
+ </servlet-mapping>
+
+ <servlet-mapping>
+ <servlet-name> caDoUnrevoke </servlet-name>
+ <url-pattern> /agent/ca/doUnrevoke </url-pattern>
+ </servlet-mapping>
+
+ <servlet-mapping>
+ <servlet-name> caDoRevoke-agent 
</servlet-name>
+ <url-pattern> /agent/ca/doRevoke </url-pattern>
+ </servlet-mapping>
+
+ <servlet-mapping>
+ <servlet-name> caProfileProcess </servlet-name>
+ <url-pattern> /agent/ca/profileProcess </url-pattern>
+ </servlet-mapping>
+
+ <servlet-mapping>
+ <servlet-name> caProcessCertReq </servlet-name>
+ <url-pattern> /agent/ca/processCertReq </url-pattern>
+ </servlet-mapping>
+
+ <servlet-mapping>
+ <servlet-name> cabulkissuance </servlet-name>
+ <url-pattern> /agent/ca/bulkissuance </url-pattern>
+ </servlet-mapping>
+
+ <servlet-mapping>
+ <servlet-name> caQueryBySerial </servlet-name>
+ <url-pattern> /agent/ca/queryBySerial.html </url-pattern>
+ </servlet-mapping>
+
+ <servlet-mapping>
+ <servlet-name> camasterCAUpdateCRL </servlet-name>
+ <url-pattern> /agent/ca/updateCRL </url-pattern>
+ </servlet-mapping>
+
+ <servlet-mapping>
+ <servlet-name> camasterCCA-CLAConnector </servlet-name>
+ <url-pattern> /ca/cloneConnector </url-pattern>
+ </servlet-mapping>
+
+ <servlet-mapping>
+ <servlet-name> camasterCADisplayCRL </servlet-name>
+ <url-pattern> /agent/ca/displayCRL </url-pattern>
+ </servlet-mapping>
+
+ <servlet-mapping>
+ <servlet-name> camasterCAGetInfo </servlet-name>
+ <url-pattern> /agent/ca/getInfo </url-pattern>
+ </servlet-mapping>
+
+ <servlet-mapping>
+ <servlet-name> caProfileSubmit </servlet-name>
+ <url-pattern> /ee/ca/profileSubmit </url-pattern>
+ </servlet-mapping>
+
+ <servlet-mapping>
+ <servlet-name> caRenewal </servlet-name>
+ <url-pattern> /renewal </url-pattern>
+ </servlet-mapping>
+
+ <servlet-mapping>
+ <servlet-name> caGetCertFromRequest </servlet-name>
+ <url-pattern> /ee/ca/getCertFromRequest </url-pattern>
+ </servlet-mapping>
+
+ <servlet-mapping>
+ <servlet-name> caGetCRL </servlet-name>
+ <url-pattern> /ee/ca/getCRL </url-pattern>
+ </servlet-mapping>
+
+ <servlet-mapping>
+ <servlet-name> caRemoteAuthConfig </servlet-name>
+ <url-pattern> /remoteAuthConfig </url-pattern>
+ </servlet-mapping>
+
+ <servlet-mapping>
+ 
<servlet-name> caGetBySerial </servlet-name> + <url-pattern> /ee/ca/getBySerial </url-pattern> + </servlet-mapping> + + <servlet-mapping> + <servlet-name> cacertbasedenrollment </servlet-name> + <url-pattern> /certbasedenrollment </url-pattern> + </servlet-mapping> + + <servlet-mapping> + <servlet-name> caProfileSelect </servlet-name> + <url-pattern> /ee/ca/profileSelect </url-pattern> + </servlet-mapping> + + <servlet-mapping> + <servlet-name> caenrollment </servlet-name> + <url-pattern> /enrollment </url-pattern> + </servlet-mapping> + + <servlet-mapping> + <servlet-name> caCheckRequest </servlet-name> + <url-pattern> /ee/ca/checkRequest </url-pattern> + </servlet-mapping> + + <servlet-mapping> + <servlet-name> caOCSP </servlet-name> + <url-pattern> /ocsp </url-pattern> + </servlet-mapping> + + <servlet-mapping> + <servlet-name> caDoRevoke1 </servlet-name> + <url-pattern> /subsystem/ca/doRevoke </url-pattern> + </servlet-mapping> + + <servlet-mapping> + <servlet-name> caStats </servlet-name> + <url-pattern> /agent/ca/getStats </url-pattern> + </servlet-mapping> + + <servlet-mapping> + <servlet-name> caSrchCerts </servlet-name> + <url-pattern> /ee/ca/srchCerts </url-pattern> + </servlet-mapping> + + <servlet-mapping> + <servlet-name> caProfileSubmitCMCSimple </servlet-name> + <url-pattern> /ee/ca/profileSubmitCMCSimple </url-pattern> + </servlet-mapping> + + <servlet-mapping> + <servlet-name> caDisplayCertFromRequest </servlet-name> + <url-pattern> /ee/ca/displayCertFromRequest </url-pattern> + </servlet-mapping> + + <servlet-mapping> + <servlet-name> caListCerts </servlet-name> + <url-pattern> /ee/ca/listCerts </url-pattern> + </servlet-mapping> + + <servlet-mapping> + <servlet-name> caProfileSubmitSSLClient </servlet-name> + <url-pattern> /ee/ca/profileSubmitSSLClient </url-pattern> + </servlet-mapping> + + <servlet-mapping> + <servlet-name> caGetCAChain </servlet-name> + <url-pattern> /ee/ca/getCAChain </url-pattern> + </servlet-mapping> + + <servlet-mapping> + 
<servlet-name> caProfileSubmitCMCFull </servlet-name> + <url-pattern> /ee/ca/profileSubmitCMCFull </url-pattern> + </servlet-mapping> + + <servlet-mapping> + <servlet-name> caProfileList </servlet-name> + <url-pattern> /ee/ca/profileList </url-pattern> + </servlet-mapping> + + <servlet-mapping> + <servlet-name> caCMCRevReq </servlet-name> + <url-pattern> /ee/ca/CMCRevReq </url-pattern> + </servlet-mapping> + + <servlet-mapping> + <servlet-name> caDoUnrevoke1 </servlet-name> + <url-pattern> /subsystem/ca/doUnrevoke </url-pattern> + </servlet-mapping> + + <servlet-mapping> + <servlet-name> caDisplayBySerial </servlet-name> + <url-pattern> /ee/ca/displayBySerial </url-pattern> + </servlet-mapping> + + <servlet-mapping> + <servlet-name> caRevocation </servlet-name> + <url-pattern> /ee/ca/revocation </url-pattern> + </servlet-mapping> + + <servlet-mapping> + <servlet-name> caGetInfo </servlet-name> + <url-pattern> /ee/ca/getInfo </url-pattern> + </servlet-mapping> + + <servlet-mapping> + <servlet-name> caDoRevoke </servlet-name> + <url-pattern> /ee/ca/doRevoke </url-pattern> + </servlet-mapping> + + <servlet-mapping> + <servlet-name>csadmin-base</servlet-name> + <url-pattern>/admin/console/config/base</url-pattern> + </servlet-mapping> + + <servlet-mapping> + <servlet-name>csadmin-login</servlet-name> + <url-pattern>/admin/console/config/login</url-pattern> + </servlet-mapping> + + <servlet-mapping> + <servlet-name>csadmin-welcome</servlet-name> + <url-pattern>/admin/console/config/welcome</url-pattern> + </servlet-mapping> + + <servlet-mapping> + <servlet-name>csadmin-database</servlet-name> + <url-pattern>/admin/console/config/database</url-pattern> + </servlet-mapping> + + <servlet-mapping> + <servlet-name>csadmin-admin</servlet-name> + <url-pattern>/admin/console/config/admin</url-pattern> + </servlet-mapping> + + <servlet-mapping> + <servlet-name>csadmin-module</servlet-name> + <url-pattern>/admin/console/config/module</url-pattern> + </servlet-mapping> + + 
<servlet-mapping> + <servlet-name>csadmin-size</servlet-name> + <url-pattern>/admin/console/config/size</url-pattern> + </servlet-mapping> + + <servlet-mapping> + <servlet-name>csadmin-name</servlet-name> + <url-pattern>/admin/console/config/name</url-pattern> + </servlet-mapping> + + <servlet-mapping> + <servlet-name>csadmin-hierarchy</servlet-name> + <url-pattern>/admin/console/config/hierarchy</url-pattern> + </servlet-mapping> + + <servlet-mapping> + <servlet-name>csadmin-done</servlet-name> + <url-pattern>/admin/console/config/done</url-pattern> + </servlet-mapping> + + <servlet-mapping> + <servlet-name>config-db</servlet-name> + <url-pattern>/admin/console/config/config_db</url-pattern> + </servlet-mapping> + + <servlet-mapping> + <servlet-name>config-certreq</servlet-name> + <url-pattern>/admin/console/config/config_certreq</url-pattern> + </servlet-mapping> + + <servlet-mapping> + <servlet-name>config-importcert</servlet-name> + <url-pattern>/admin/console/config/config_importcert</url-pattern> + </servlet-mapping> + + <servlet-mapping> + <servlet-name>config-hsm</servlet-name> + <url-pattern>/admin/console/config/config_hsm</url-pattern> + </servlet-mapping> + + <servlet-mapping> + <servlet-name>config-rootca</servlet-name> + <url-pattern>/admin/console/config/config_rootca</url-pattern> + </servlet-mapping> + + <servlet-mapping> + <servlet-name>config-join</servlet-name> + <url-pattern>/admin/console/config/config_join</url-pattern> + </servlet-mapping> + + <servlet-mapping> + <servlet-name>config-clone</servlet-name> + <url-pattern>/admin/console/config/config_clone</url-pattern> + </servlet-mapping> + + <servlet-mapping> + <servlet-name>csadmin-wizard</servlet-name> + <url-pattern>/admin/console/config/wizard</url-pattern> + </servlet-mapping> + + <servlet-mapping> + <servlet-name> caUpdateConnector </servlet-name> + <url-pattern> /admin/ca/updateConnector </url-pattern> + </servlet-mapping> + + <servlet-mapping> + <servlet-name> caRegisterUser 
</servlet-name> + <url-pattern> /admin/ca/registerUser </url-pattern> + </servlet-mapping> + + <servlet-mapping> + <servlet-name> caRegisterRaUser </servlet-name> + <url-pattern> /admin/ca/registerRaUser </url-pattern> + </servlet-mapping> + + <servlet-mapping> + <servlet-name> services </servlet-name> + <url-pattern> /services </url-pattern> + </servlet-mapping> + + <servlet-mapping> + <servlet-name> caGetSubsystemCert </servlet-name> + <url-pattern> /admin/ca/getSubsystemCert </url-pattern> + </servlet-mapping> + + <servlet-mapping> + <servlet-name> caSecurityDomainLogin </servlet-name> + <url-pattern> /ee/ca/securityDomainLogin </url-pattern> + </servlet-mapping> + + <servlet-mapping> + <servlet-name> caGetCookie </servlet-name> + <url-pattern> /ee/ca/getCookie </url-pattern> + </servlet-mapping> + + <servlet-mapping> + <servlet-name> caTokenAuthenticate </servlet-name> + <url-pattern> /ee/ca/tokenAuthenticate </url-pattern> + </servlet-mapping> + + <servlet-mapping> + <servlet-name> caGetTokenInfo </servlet-name> + <url-pattern> /ee/ca/getTokenInfo </url-pattern> + </servlet-mapping> + + <servlet-mapping> + <servlet-name> caUpdateOCSPConfig </servlet-name> + <url-pattern> /ee/ca/updateOCSPConfig </url-pattern> + </servlet-mapping> + + <servlet-mapping> + <servlet-name> caProxyProfileSubmit </servlet-name> + <url-pattern> /profileSubmit </url-pattern> + </servlet-mapping> + + <servlet-mapping> + <servlet-name> caProxyBulkIssuance </servlet-name> + <url-pattern> /agent/bulkissuance </url-pattern> + </servlet-mapping> + + <servlet-mapping> + <servlet-name> caProxyDoRevoke </servlet-name> + <url-pattern> /doRevoke </url-pattern> + </servlet-mapping> + + <servlet-mapping> + <servlet-name> caSCEP </servlet-name> + <url-pattern> /cgi-bin/pkiclient.exe </url-pattern> + </servlet-mapping> + + <servlet-mapping> + <servlet-name> caRASCEP </servlet-name> + <url-pattern> /ee/ca/pkiclient </url-pattern> + </servlet-mapping> + +</web-app> + 
diff --git a/pki/base/ca/src/com/netscape/ca/CAPolicy.java b/pki/base/ca/src/com/netscape/ca/CAPolicy.java
new file mode 100644
index 000000000..9d5aed005
--- /dev/null
+++ b/pki/base/ca/src/com/netscape/ca/CAPolicy.java
@@ -0,0 +1,136 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2007 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.ca;
+
+
+import com.netscape.certsrv.policy.*;
+import com.netscape.certsrv.request.*;
+import com.netscape.certsrv.base.*;
+import com.netscape.certsrv.profile.*;
+import com.netscape.certsrv.apps.*;
+import com.netscape.certsrv.ca.*;
+
+import com.netscape.cmscore.policy.*;
+import com.netscape.cmscore.util.Debug;
+
+
+/**
+ * XXX Just inherit 'GenericPolicyProcessor' (from RA) for now.
+ * This really bad. need to make a special case just for connector.
+ * would like a much better way of doing this to handle both EE and
+ * connectors.
+ * XXX2 moved to just implement IPolicy since GenericPolicyProcessor is
+ * unuseable for CA.
+ *
+ * @version $Revision: 14646 $, $Date: 2007-05-04 14:17:27 -0700 (Fri, 04 May 2007) $
+ */
+public class CAPolicy implements IPolicy {
+ IConfigStore mConfig = null;
+ ICertificateAuthority mCA = null;
+
+ public static String PROP_PROCESSOR =
+ "processor";
+ // These are the different types of policy that are
+ // allowed for the "processor" property
+ public static String PR_TYPE_CLASSIC = "classic";
+
+ // XXX this way for now since generic just works for EE.
+ public GenericPolicyProcessor mPolicies = null; + + public CAPolicy() { + } + + public IPolicyProcessor getPolicyProcessor() { + return mPolicies; + } + + public void init(ISubsystem owner, IConfigStore config) + throws EBaseException { + mCA = (ICertificateAuthority) owner; + mConfig = config; + + String processorType = // XXX - need to upgrade 4.2 + config.getString(PROP_PROCESSOR, PR_TYPE_CLASSIC); + + Debug.trace("selected policy processor = " + processorType); + if (processorType.equals(PR_TYPE_CLASSIC)) { + mPolicies = new GenericPolicyProcessor(); + } else { + throw new EBaseException("Unknown policy processor type (" + + processorType + ")"); + } + + mPolicies.init(mCA, mConfig); + } + + public boolean isProfileRequest(IRequest request) { + String profileId = request.getExtDataInString("profileId"); + + if (profileId == null || profileId.equals("")) + return false; + else + return true; + } + + /** + */ + public PolicyResult apply(IRequest r) { + if (r == null) { + Debug.trace("in CAPolicy.apply(request=null)"); + return PolicyResult.REJECTED; + } + + Debug.trace("in CAPolicy.apply(requestType=" + + r.getRequestType() + ",requestId=" + + r.getRequestId().toString() + ",requestStatus=" + + r.getRequestStatus().toString() + ")"); + + if (isProfileRequest(r)) { + Debug.trace("CAPolicy: Profile-base Request " + + r.getRequestId().toString()); + + CMS.debug("CAPolicy: requestId=" + + r.getRequestId().toString()); + + String profileId = r.getExtDataInString("profileId"); + + if (profileId == null || profileId.equals("")) { + return PolicyResult.REJECTED; + } + + IProfileSubsystem ps = (IProfileSubsystem) + CMS.getSubsystem("profile"); + + try { + IProfile profile = ps.getProfile(profileId); + + r.setExtData("dbStatus", "NOT_UPDATED"); + profile.populate(r); + profile.validate(r); + return PolicyResult.ACCEPTED; + } catch (EBaseException e) { + CMS.debug("CAPolicy: " + e.toString()); + return PolicyResult.REJECTED; + } + } + Debug.trace("mPolicies = " + 
mPolicies.getClass());
+ return mPolicies.apply(r);
+ }
+
+}
+
diff --git a/pki/base/ca/src/com/netscape/ca/CAService.java b/pki/base/ca/src/com/netscape/ca/CAService.java
new file mode 100644
index 000000000..0361006a2
--- /dev/null
+++ b/pki/base/ca/src/com/netscape/ca/CAService.java
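Review bot: In `apply`, the result of `ps.getProfile(profileId)` is passed straight to `profile.populate(r)` with no null check, and `CMS.getSubsystem("profile")` is likewise assumed non-null; `serviceProfileRequest` in CAService (same commit) treats a null return from `getProfile` as "Profile not found", which suggests a request carrying an unknown `profileId` would escape this method as a NullPointerException rather than yield a REJECTED result. A policy hook should fail closed on an unknown profile, so add `if (profile == null) { CMS.debug("CAPolicy: profile not found " + profileId); return PolicyResult.REJECTED; }` directly after the lookup. The second `profileId == null || profileId.equals("")` test inside the `isProfileRequest(r)` branch repeats the guard that selected the branch and can be dropped. `PROP_PROCESSOR` and `PR_TYPE_CLASSIC` are public mutable statics used as configuration keys; declare them `public static final String`.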
@@ -0,0 +1,2038 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.ca; + + +import com.netscape.certsrv.request.*; +import com.netscape.certsrv.authority.*; +import com.netscape.certsrv.dbs.*; +import com.netscape.certsrv.dbs.certdb.*; +import com.netscape.certsrv.profile.*; +import com.netscape.certsrv.dbs.crldb.*; +import com.netscape.certsrv.base.*; +import com.netscape.cmscore.base.*; +import com.netscape.certsrv.ca.*; +import com.netscape.certsrv.logging.*; +import com.netscape.certsrv.apps.*; +import com.netscape.certsrv.connector.*; +import com.netscape.cmscore.connector.*; +import netscape.security.extensions.CertInfo; +import com.netscape.cmscore.dbs.*; +import com.netscape.cmscore.crmf.*; +import com.netscape.cmscore.util.Debug; + +import netscape.security.x509.*; +import netscape.security.util.BigInt; +import netscape.security.util.*; +import java.security.cert.*; +import java.security.NoSuchAlgorithmException; +import java.io.*; +import java.util.*; +import java.math.*; +import java.security.*; + + +/** + * Request Service for CertificateAuthority. 
+ */ +public class CAService implements ICAService, IService { + + public static final String CRMF_REQUEST = "CRMFRequest"; + public static final String CHALLENGE_PHRASE = "challengePhrase"; + public static final String SERIALNO_ARRAY = "serialNoArray"; + + // CCA->CLA connector + protected static IConnector mCLAConnector = null; + + private ICertificateAuthority mCA = null; + private Hashtable mServants = new Hashtable(); + private IConnector mKRAConnector = null; + private IConfigStore mConfig = null; + private boolean mArchivalRequired = true; + private Hashtable mCRLIssuingPoints = new Hashtable(); + + private ILogger mSignedAuditLogger = CMS.getSignedAuditLogger(); + private final static String + LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST = + "LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST_4"; + + public CAService(ICertificateAuthority ca) { + mCA = ca; + + // init services. + mServants.put( + IRequest.ENROLLMENT_REQUEST, + new serviceIssue(this)); + mServants.put( + IRequest.RENEWAL_REQUEST, + new serviceRenewal(this)); + mServants.put( + IRequest.REVOCATION_REQUEST, + new serviceRevoke(this)); + mServants.put( + IRequest.CMCREVOKE_REQUEST, + new serviceRevoke(this)); + mServants.put( + IRequest.REVOCATION_CHECK_CHALLENGE_REQUEST, + new serviceCheckChallenge(this)); + mServants.put( + IRequest.GETCERTS_FOR_CHALLENGE_REQUEST, + new getCertsForChallenge(this)); + mServants.put( + IRequest.UNREVOCATION_REQUEST, + new serviceUnrevoke(this)); + mServants.put( + IRequest.GETCACHAIN_REQUEST, + new serviceGetCAChain(this)); + mServants.put( + IRequest.GETCRL_REQUEST, + new serviceGetCRL(this)); + mServants.put( + IRequest.GETREVOCATIONINFO_REQUEST, + new serviceGetRevocationInfo(this)); + mServants.put( + IRequest.GETCERTS_REQUEST, + new serviceGetCertificates(this)); + mServants.put( + IRequest.CLA_CERT4CRL_REQUEST, + new serviceCert4Crl(this)); + mServants.put( + IRequest.CLA_UNCERT4CRL_REQUEST, + new serviceUnCert4Crl(this)); + mServants.put( + 
IRequest.GETCERT_STATUS_REQUEST, + new getCertStatus(this)); + } + + public void init(IConfigStore config) throws EBaseException { + mConfig = config; + + try { + // MOVED TO com.netscape.certsrv.apps.CMS + // java.security.Security.addProvider(new netscape.security.provider.CMS()); + // java.security.Provider pr = java.security.Security.getProvider("CMS"); + // if (pr != null) { + // ; + // } + // else + // Debug.trace("Something is wrong in CMS install !"); + java.security.cert.CertificateFactory cf = java.security.cert.CertificateFactory.getInstance("X.509"); + + Debug.trace("CertificateFactory Type : " + cf.getType()); + Debug.trace("CertificateFactory Provider : " + cf.getProvider().getInfo()); + } catch (java.security.cert.CertificateException e) { + Debug.trace("Something is happen in install CMS provider !" + e.toString()); + } + } + + public void startup() throws EBaseException { + IConfigStore kraConfig = mConfig.getSubStore("KRA"); + + if (kraConfig != null) { + mArchivalRequired = kraConfig.getBoolean( + "archivalRequired", true); + mKRAConnector = getConnector(kraConfig); + if (mKRAConnector != null) { + if (Debug.ON) { + Debug.trace("Started KRA Connector"); + } + mKRAConnector.start(); + } + } + + // clone ca to CLA (clone master) connector + IConfigStore claConfig = mConfig.getSubStore("CLA"); + + if (claConfig != null) { + mCLAConnector = getConnector(claConfig); + if (mCLAConnector != null) { + CMS.debug(CMS.getLogMessage("CMSCORE_CA_START_CONNECTOR")); + if (Debug.ON) { + Debug.trace("Started CLA Connector in CCA"); + } + mCLAConnector.start(); + } + } + } + + protected ICertificateAuthority getCA() { + return mCA; + } + + public IConnector getKRAConnector() { + return mKRAConnector; + } + + public void setKRAConnector(IConnector c) { + mKRAConnector = c; + } + + public IConnector getConnector(IConfigStore config) + throws EBaseException { + IConnector connector = null; + + if (config == null || config.size() <= 0) { + return null; + } + boolean 
enable = config.getBoolean("enable", true); + // provide a way to register a 3rd connector into RA + String extConnector = config.getString("class", null); + + if (extConnector != null) { + try { + connector = (IConnector) + Class.forName(extConnector).newInstance(); + // connector.start() will be called later on + return connector; + } catch (Exception e) { + // ignore external class if error + mCA.log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_LOAD_CONNECTOR", extConnector, e.toString())); + } + } + + if (!enable) + return null; + boolean local = config.getBoolean("local"); + IAuthority authority = null; + + if (local) { + String id = config.getString("id"); + + authority = (IAuthority) SubsystemRegistry.getInstance().get(id); + if (authority == null) { + String msg = "local authority " + id + " not found."; + + mCA.log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_AUTHORITY_NOT_FOUND", id)); + throw new EBaseException(msg); + } + connector = new LocalConnector((ICertAuthority) mCA, authority); + // log(ILogger.LL_INFO, "local Connector to "+id+" inited"); + } else { + String host = config.getString("host"); + int port = config.getInteger("port"); + String uri = config.getString("uri"); + String nickname = config.getString("nickName", null); + int resendInterval = config.getInteger("resendInterval", -1); + // Inserted by beomsuk + int timeout = config.getInteger("timeout", 0); + // Insert end + // Changed by beomsuk + //RemoteAuthority remauthority = + // new RemoteAuthority(host, port, uri); + RemoteAuthority remauthority = + new RemoteAuthority(host, port, uri, timeout); + + // Change end + if (nickname == null) + nickname = mCA.getNickname(); + // Changed by beomsuk + //connector = + // new HttpConnector(mCA, nickname, remauthority, resendInterval); + if (timeout == 0) + connector = new HttpConnector((IAuthority) mCA, nickname, remauthority, resendInterval, config); + else + connector = new HttpConnector((IAuthority) mCA, nickname, remauthority, 
resendInterval, config, timeout); + // Change end + + // log(ILogger.LL_INFO, "remote authority "+ + // host+":"+port+" "+uri+" inited"); + } + return connector; + } + + public boolean isProfileRequest(IRequest request) { + String profileId = request.getExtDataInString("profileId"); + + if (profileId == null || profileId.equals("")) + return false; + else + return true; + } + + /** + * After population of defaults, and constraint validation, + * the profile request is processed here. + */ + public void serviceProfileRequest(IRequest request) + throws EBaseException { + CMS.debug("CAService: serviceProfileRequest requestId=" + + request.getRequestId().toString()); + + String profileId = request.getExtDataInString("profileId"); + + if (profileId == null || profileId.equals("")) { + throw new EBaseException("profileId not found"); + } + + IProfileSubsystem ps = (IProfileSubsystem) + CMS.getSubsystem("profile"); + IProfile profile = null; + + try { + profile = ps.getProfile(profileId); + } catch (EProfileException e) { + } + if (profile == null) { + throw new EProfileException("Profile not found " + profileId); + } + + // assumed rejected + request.setExtData("dbStatus", "NOT_UPDATED"); + + // profile.populate(request); + profile.validate(request); + profile.execute(request); + + // This function is called only from ConnectorServlet + + // serialize to request queue + } + + /** + * method interface for IService + * <P> + * + * <ul> + * <li>signed.audit LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST used + * whenever a user private key archive request is made. This is an option + * in a cert enrollment request detected by an RA or a CA, so, if selected, + * it should be logged immediately following the certificate request. 
+ * </ul> + * @param request a certificate enrollment request from an RA or CA + * @return true or false + */ + public boolean serviceRequest(IRequest request) { + String auditMessage = null; + String auditSubjectID = auditSubjectID(); + String auditRequesterID = auditRequesterID(); + String auditArchiveID = ILogger.SIGNED_AUDIT_NON_APPLICABLE; + + boolean completed = false; + + // short cut profile-based request + if (isProfileRequest(request)) { + try { + CMS.debug("CAServic: x0 requestStatus=" + request.getRequestStatus().toString() + " instance=" + request); + serviceProfileRequest(request); + request.setExtData(IRequest.RESULT, IRequest.RES_SUCCESS); + CMS.debug("CAServic: x1 requestStatus=" + request.getRequestStatus().toString()); + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST, + auditSubjectID, + ILogger.SUCCESS, + auditRequesterID, + auditArchiveID); + + audit(auditMessage); + + return true; + } catch (EBaseException e) { + CMS.debug("CAServic: x2 requestStatus=" + request.getRequestStatus().toString()); + // need to put error into the request + CMS.debug("CAService: serviceRequest " + e.toString()); + request.setExtData(IRequest.RESULT, IRequest.RES_ERROR); + request.setExtData(IRequest.ERROR, e.toString()); + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST, + auditSubjectID, + ILogger.FAILURE, + auditRequesterID, + auditArchiveID); + + audit(auditMessage); + + return false; + } + } + + String type = request.getRequestType(); + IServant servant = (IServant) mServants.get(type); + + if (servant == null) { + mCA.log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_INVALID_REQUEST_TYPE", type)); + request.setExtData(IRequest.RESULT, IRequest.RES_ERROR); + request.setExtData(IRequest.ERROR, + new ECAException(CMS.getUserMessage("CMS_CA_UNRECOGNIZED_REQUEST_TYPE", type))); + // store 
a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST, + auditSubjectID, + ILogger.FAILURE, + auditRequesterID, + auditArchiveID); + + audit(auditMessage); + + return true; + } + + try { + // send request to KRA first + if (type.equals(IRequest.ENROLLMENT_REQUEST) && + isPKIArchiveOptionPresent(request) && mKRAConnector != null) { + if (Debug.ON) { + Debug.trace("*** Sending enrollment request to KRA"); + } + boolean sendStatus = mKRAConnector.send(request); + + if (mArchivalRequired == true) { + if (sendStatus == false) { + request.setExtData(IRequest.RESULT, + IRequest.RES_ERROR); + request.setExtData(IRequest.ERROR, + new ECAException(CMS.getUserMessage("CMS_CA_SEND_KRA_REQUEST"))); + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST, + auditSubjectID, + ILogger.FAILURE, + auditRequesterID, + auditArchiveID); + + audit(auditMessage); + + return true; + } else { + if (request.getExtDataInString(IRequest.ERROR) != null) { + request.setExtData(IRequest.RESULT, IRequest.RES_SUCCESS); + request.deleteExtData(IRequest.ERROR); + } + } + if (request.getExtDataInString(IRequest.ERROR) != null) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST, + auditSubjectID, + ILogger.FAILURE, + auditRequesterID, + auditArchiveID); + + audit(auditMessage); + + return true; + } + } + } else { + if (Debug.ON) { + Debug.trace("*** NOT Send to KRA type=" + type + " ENROLLMENT=" + IRequest.ENROLLMENT_REQUEST); + } + } + + completed = servant.service(request); + request.setExtData(IRequest.RESULT, IRequest.RES_SUCCESS); + } catch (EBaseException e) { + request.setExtData(IRequest.RESULT, IRequest.RES_ERROR); + request.setExtData(IRequest.ERROR, e); + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + 
LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST, + auditSubjectID, + ILogger.FAILURE, + auditRequesterID, + auditArchiveID); + + audit(auditMessage); + + return true; + } + + // XXX in case of key archival this may not always be the case. + if (Debug.ON) + Debug.trace("serviceRequest completed = " + completed); + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST, + auditSubjectID, + ILogger.SUCCESS, + auditRequesterID, + auditArchiveID); + + audit(auditMessage); + + return completed; + } + + /** + * register CRL Issuing Point + */ + public void addCRLIssuingPoint(String id, ICRLIssuingPoint crlIssuingPoint) { + mCRLIssuingPoints.put(id, crlIssuingPoint); + } + + /** + * get CRL Issuing Point + */ + public Hashtable getCRLIssuingPoints() { + return mCRLIssuingPoints; + } + + /** + * Checks if PKIArchiveOption present in the request. + */ + private boolean isPKIArchiveOptionPresent(IRequest request) { + String crmfBlob = request.getExtDataInString( + IRequest.HTTP_PARAMS, CRMF_REQUEST); + + if (crmfBlob == null) { + if (Debug.ON) { + Debug.trace("CRMF not found"); + } + } else { + try { + PKIArchiveOptionsContainer opts[] = CRMFParser.getPKIArchiveOptions(crmfBlob); + + if (opts != null) { + return true; + } + } catch (IOException e) { + } + return false; + } + return false; + } + + /// + /// CA related routines. + /// + + public X509CertImpl issueX509Cert(X509CertInfo certi) + throws EBaseException { + return issueX509Cert(certi, null, null); + } + + /** + * issue cert for enrollment. 
+ */ + public X509CertImpl issueX509Cert(X509CertInfo certi, String profileId, String rid) + throws EBaseException { + CMS.debug("issueX509Cert"); + X509CertImpl certImpl = issueX509Cert("", certi, false, null); + + CMS.debug("storeX509Cert " + certImpl.getSerialNumber()); + storeX509Cert(profileId, rid, certImpl); + CMS.debug("done storeX509Cert"); + return certImpl; + } + + X509CertImpl issueX509Cert(String rid, X509CertInfo certi) + throws EBaseException { + return issueX509Cert(rid, certi, false, null); + } + + /** + * issue cert for enrollment. + */ + void storeX509Cert(String profileId, String rid, X509CertImpl cert) + throws EBaseException { + storeX509Cert(rid, cert, false, null, null, null, profileId); + } + + /** + * issue cert for enrollment. + */ + void storeX509Cert(String rid, X509CertImpl cert, String crmfReqId) + throws EBaseException { + storeX509Cert(rid, cert, false, null, crmfReqId, null, null); + } + + void storeX509Cert(String rid, X509CertImpl cert, String crmfReqId, + String challengePassword) throws EBaseException { + storeX509Cert(rid, cert, false, null, crmfReqId, challengePassword, null); + } + + /** + * issue cert for enrollment and renewal. + * renewal is expected to have original cert serial no. in cert info + * field. + */ + X509CertImpl issueX509Cert(String rid, X509CertInfo certi, + boolean renewal, BigInteger oldSerialNo) + throws EBaseException { + String algname = null; + X509CertImpl cert = null; + + // NOTE: In this implementation, the "oldSerialNo" + // parameter is NOT used! + + boolean doUTF8 = mConfig.getBoolean("dnUTF8Encoding", false); + + CMS.debug("dnUTF8Encoding " + doUTF8); + + try { + // check required fields in certinfo. + if (certi.get(X509CertInfo.SUBJECT) == null || + certi.get(X509CertInfo.KEY) == null) { + + mCA.log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_MISSING_ATTR")); + // XXX how do you reject a request in the service object ? 
+ throw new ECAException( + CMS.getUserMessage("CMS_CA_MISSING_REQD_FIELDS_IN_CERTISSUE")); + } + + // set default cert version. If policies added a extensions + // the version would already be set to version 3. + if (certi.get(X509CertInfo.VERSION) == null) { + certi.set(X509CertInfo.VERSION, mCA.getDefaultCertVersion()); + } + + // set default validity if not set. + // validity would normally be set by policies or by + // agent or by authentication module. + CertificateValidity validity = (CertificateValidity) + certi.get(X509CertInfo.VALIDITY); + Date begin = null, end = null; + + if (validity != null) { + begin = (Date) + validity.get(CertificateValidity.NOT_BEFORE); + end = (Date) + validity.get(CertificateValidity.NOT_AFTER); + } + if (validity == null || + (begin.getTime() == 0 && end.getTime() == 0)) { + if (Debug.ON) { + Debug.trace("setting default validity"); + } + + // set to CA's not after if default validity + // exceeds ca's not after. + begin = CMS.getCurrentDate(); + end = new Date(begin.getTime() + mCA.getDefaultValidity()); + certi.set(CertificateValidity.NAME, + new CertificateValidity(begin, end)); + } + + // check if validity exceeds CA time. + Date caNotAfter = + mCA.getSigningUnit().getCertImpl().getNotAfter(); + + if (begin.after(caNotAfter)) { + mCA.log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_PAST_VALIDITY")); + throw new ECAException(CMS.getUserMessage("CMS_CA_CERT_BEGIN_AFTER_CA_VALIDITY")); + } + if (!mCA.isEnablePastCATime()) { + if (end.after(caNotAfter)) { + end = caNotAfter; + certi.set(CertificateValidity.NAME, + new CertificateValidity(begin, caNotAfter)); + mCA.log(ILogger.LL_INFO, CMS.getLogMessage("CMSCORE_CA_PAST_NOT_AFTER")); + } + } + + // check algorithm in certinfo. 
+ AlgorithmId algid = null; + CertificateAlgorithmId algor = (CertificateAlgorithmId) + certi.get(X509CertInfo.ALGORITHM_ID); + + if (algor == null || algor.toString().equals(CertInfo.SERIALIZE_ALGOR.toString())) { + algname = mCA.getSigningUnit().getDefaultAlgorithm(); + algid = AlgorithmId.get(algname); + certi.set(X509CertInfo.ALGORITHM_ID, + new CertificateAlgorithmId(algid)); + } else { + algid = (AlgorithmId) + algor.get(CertificateAlgorithmId.ALGORITHM); + algname = algid.getName(); + } + } catch (CertificateException e) { + mCA.log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_BAD_FIELD", e.toString())); + if (Debug.ON) { + e.printStackTrace(); + } + throw new ECAException( + CMS.getUserMessage("CMS_CA_ERROR_GETTING_FIELDS_IN_ISSUE")); + } catch (IOException e) { + mCA.log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_BAD_FIELD", e.toString())); + if (Debug.ON) { + e.printStackTrace(); + } + throw new ECAException( + CMS.getUserMessage("CMS_CA_ERROR_GETTING_FIELDS_IN_ISSUE")); + } catch (NoSuchAlgorithmException e) { + mCA.log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_SIGNING_ALG_NOT_SUPPORTED", algname)); + if (Debug.ON) { + e.printStackTrace(); + } + throw new ECAException( + CMS.getUserMessage("CMS_CA_SIGNING_ALGOR_NOT_SUPPORTED", algname)); + } + + // get old cert serial number if renewal + if (renewal) { + try { + CertificateSerialNumber serialno = (CertificateSerialNumber) + certi.get(X509CertInfo.SERIAL_NUMBER); + + if (serialno == null) { + mCA.log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_NULL_SERIAL_NUMBER")); + throw new ECAException( + CMS.getUserMessage("CMS_CA_MISSING_INFO_IN_RENEWREQ")); + } + SerialNumber serialnum = (SerialNumber) + serialno.get(CertificateSerialNumber.NUMBER); + + if (serialnum == null) { + mCA.log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_NULL_SERIAL_NUMBER")); + throw new ECAException( + CMS.getUserMessage("CMS_CA_MISSING_INFO_IN_RENEWREQ")); + } + } catch (CertificateException e) { + // 
not possible + mCA.log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_NO_ORG_SERIAL", e.getMessage())); + throw new ECAException( + CMS.getUserMessage("CMS_CA_MISSING_INFO_IN_RENEWREQ")); + } catch (IOException e) { + // not possible. + mCA.log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_NO_ORG_SERIAL", e.getMessage())); + throw new ECAException( + CMS.getUserMessage("CMS_CA_MISSING_INFO_IN_RENEWREQ")); + } + } + + // set issuer, serial number + try { + BigInteger serialNo = + mCA.getCertificateRepository().getNextSerialNumber(); + + certi.set(X509CertInfo.SERIAL_NUMBER, + new CertificateSerialNumber(serialNo)); + mCA.log(ILogger.LL_INFO, CMS.getLogMessage("CMSCORE_CA_SIGN_SERIAL", serialNo.toString(16))); + } catch (EBaseException e) { + mCA.log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_NO_NEXT_SERIAL", e.toString())); + throw new ECAException(CMS.getUserMessage("CMS_CA_NOSERIALNO", rid)); + } catch (CertificateException e) { + mCA.log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_SET_SERIAL", e.toString())); + throw new ECAException( + CMS.getUserMessage("CMS_CA_SET_SERIALNO_FAILED", rid)); + } catch (IOException e) { + mCA.log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_SET_SERIAL", e.toString())); + throw new ECAException( + CMS.getUserMessage("CMS_CA_SET_SERIALNO_FAILED", rid)); + } + + try { + certi.set(X509CertInfo.ISSUER, + new CertificateIssuerName(mCA.getX500Name())); + } catch (CertificateException e) { + mCA.log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_SET_ISSUER", e.toString())); + throw new ECAException(CMS.getUserMessage("CMS_CA_SET_ISSUER_FAILED", rid)); + } catch (IOException e) { + mCA.log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_SET_ISSUER", e.toString())); + throw new ECAException(CMS.getUserMessage("CMS_CA_SET_ISSUER_FAILED", rid)); + } + + byte[] utf8_encodingOrder = { DerValue.tag_UTF8String }; + + if (doUTF8 == true) { + try { + + CMS.debug("doUTF8 true, updating subject."); + 
CertificateSubjectName sName = (CertificateSubjectName) certi.get(X509CertInfo.SUBJECT); + + String subject = certi.get(X509CertInfo.SUBJECT).toString(); + + certi.set(X509CertInfo.SUBJECT, new CertificateSubjectName( + new X500Name(subject, + new LdapV3DNStrConverter(X500NameAttrMap.getDirDefault(), true), utf8_encodingOrder))); + + } catch (CertificateException e) { + mCA.log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_SET_SUBJECT", e.toString())); + throw new ECAException(CMS.getUserMessage("CMS_CA_SET_ISSUER_FAILED", rid)); + } catch (IOException e) { + mCA.log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_SET_SUBJECT", e.toString())); + throw new ECAException(CMS.getUserMessage("CMS_CA_SET_ISSUER_FAILED", rid)); + } + } + + CMS.debug("About to mCA.sign cert."); + cert = mCA.sign(certi, algname); + return cert; + } + + void storeX509Cert(String rid, X509CertImpl cert, + boolean renewal, BigInteger oldSerialNo) + throws EBaseException { + storeX509Cert(rid, cert, renewal, oldSerialNo, null, null, null); + } + + void storeX509Cert(String rid, X509CertImpl cert, + boolean renewal, BigInteger oldSerialNo, String crmfReqId, + String challengePassword, String profileId) throws EBaseException { + // now store in repository. + // if renewal, set the old serial number in the new cert, + // set the new serial number in the old cert. 
+ + CMS.debug("In storeX509Cert"); + try { + BigInteger newSerialNo = cert.getSerialNumber(); + MetaInfo metaInfo = new MetaInfo(); + + if (profileId != null) + metaInfo.set("profileId", profileId); + if (rid != null) + metaInfo.set(CertRecord.META_REQUEST_ID, rid); + if (challengePassword != null && !challengePassword.equals("")) + metaInfo.set("challengePhrase", challengePassword); + if (crmfReqId != null) { + //System.out.println("Adding crmf reqid "+crmfReqId); + metaInfo.set(CertRecord.META_CRMF_REQID, crmfReqId); + } + if (renewal) + metaInfo.set(CertRecord.META_OLD_CERT, oldSerialNo.toString()); + mCA.getCertificateRepository().addCertificateRecord( + new CertRecord(newSerialNo, cert, metaInfo)); + + mCA.log(ILogger.LL_INFO, CMS.getLogMessage("CMSCORE_CA_STORE_SERIAL", cert.getSerialNumber().toString(16))); + if (renewal) { + + /* + mCA.getCertificateRepository().markCertificateAsRenewed( + BigIntegerMapper.BigIntegerToDB(oldSerialNo)); + mCA.mCertRepot.markCertificateAsRenewed(oldSerialNo); + */ + MetaInfo oldMeta = null; + CertRecord oldCertRec = (CertRecord) + mCA.getCertificateRepository().readCertificateRecord(oldSerialNo); + + if (oldCertRec == null) { + Exception e = + new EBaseException(CMS.getUserMessage("CMS_BASE_INTERNAL_ERROR", + "Cannot read cert record for " + oldSerialNo)); + + e.printStackTrace(); + } + if (oldCertRec != null) + oldMeta = oldCertRec.getMetaInfo(); + if (oldMeta == null) { + if (Debug.ON) { + Debug.trace("No meta info! 
for " + oldSerialNo); + } + oldMeta = new MetaInfo(); + } else { + if (Debug.ON) { + System.out.println("Old meta info"); + Enumeration n = oldMeta.getElements(); + + while (n.hasMoreElements()) { + String name = (String) n.nextElement(); + + System.out.println("name " + name + " value " + + oldMeta.get(name)); + } + } + } + oldMeta.set(CertRecord.META_RENEWED_CERT, + newSerialNo.toString()); + ModificationSet modSet = new ModificationSet(); + + modSet.add(CertRecord.ATTR_AUTO_RENEW, + Modification.MOD_REPLACE, + CertRecord.AUTO_RENEWAL_DONE); + modSet.add(ICertRecord.ATTR_META_INFO, + Modification.MOD_REPLACE, oldMeta); + mCA.getCertificateRepository().modifyCertificateRecord(oldSerialNo, modSet); + mCA.log(ILogger.LL_INFO, CMS.getLogMessage("CMSCORE_CA_MARK_SERIAL", oldSerialNo.toString(16), newSerialNo.toString(16))); + if (Debug.ON) { + CertRecord check = (CertRecord) + mCA.getCertificateRepository().readCertificateRecord(oldSerialNo); + MetaInfo meta = check.getMetaInfo(); + + Enumeration n = oldMeta.getElements(); + + while (n.hasMoreElements()) { + String name = (String) n.nextElement(); + + } + } + } + } catch (EBaseException e) { + mCA.log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_NO_STORE_SERIAL", cert.getSerialNumber().toString(16))); + if (Debug.ON) + e.printStackTrace(); + throw e; + } + } + + /** + * revoke cert, check fields in crlentry, etc. 
+ */ + public void revokeCert(RevokedCertImpl crlentry) + throws EBaseException { + revokeCert(crlentry, null); + } + + public void revokeCert(RevokedCertImpl crlentry, String requestId) + throws EBaseException { + BigInteger serialno = crlentry.getSerialNumber(); + Date revdate = crlentry.getRevocationDate(); + CRLExtensions crlentryexts = crlentry.getExtensions(); + + CertRecord certRec = (CertRecord) mCA.getCertificateRepository().readCertificateRecord(serialno); + + if (certRec == null) { + mCA.log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_CERT_NOT_FOUND", serialno.toString(16))); + throw new ECAException( + CMS.getUserMessage("CMS_CA_CANT_FIND_CERT_SERIAL", + "0x" + serialno.toString(16))); + } + RevocationInfo revInfo = (RevocationInfo) certRec.getRevocationInfo(); + CRLExtensions exts = null; + CRLReasonExtension reasonext = null; + + if (revInfo != null) + exts = revInfo.getCRLEntryExtensions(); + if (exts != null) { + try { + reasonext = (CRLReasonExtension) + exts.get(CRLReasonExtension.NAME); + } catch (X509ExtensionException e) { + // this means no crl reason extension set. + } + } + // allow revoking certs that are on hold. 
+ String certStatus = certRec.getStatus(); + + if (certStatus.equals(ICertRecord.STATUS_REVOKED) || + certStatus.equals(ICertRecord.STATUS_REVOKED_EXPIRED)) { + throw new ECAException(CMS.getUserMessage("CMS_CA_CERT_ALREADY_REVOKED", + "0x" + Long.toHexString(serialno.longValue()))); + } + try { + mCA.getCertificateRepository().markAsRevoked(serialno, + new RevocationInfo(revdate, crlentryexts)); + mCA.log(ILogger.LL_INFO, CMS.getLogMessage("CMSCORE_CA_CERT_REVOKED", + serialno.toString(16))); + // inform all CRLIssuingPoints about revoked certificate + Enumeration eIPs = mCRLIssuingPoints.elements(); + + while (eIPs.hasMoreElements()) { + ICRLIssuingPoint ip = (ICRLIssuingPoint) eIPs.nextElement(); + + if (ip != null) { + boolean b = true; + + if (ip.isCACertsOnly()) { + X509CertImpl cert = certRec.getCertificate(); + + if (cert != null) b = cert.getBasicConstraintsIsCA(); + } + if (ip.isProfileCertsOnly()) { + MetaInfo metaInfo = certRec.getMetaInfo(); + if (metaInfo != null) { + String profileId = (String)metaInfo.get("profileId"); + if (profileId != null) { + b = ip.checkCurrentProfile(profileId); + } + } + } + if (b) ip.addRevokedCert(serialno, crlentry, requestId); + } + } + } catch (EBaseException e) { + mCA.log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_ERROR_REVOCATION", serialno.toString(), e.toString())); + //e.printStackTrace(); + throw e; + } + return; + } + + /** + * unrevoke cert, check serial number, etc. 
+ */ + void unrevokeCert(BigInteger serialNo) + throws EBaseException { + unrevokeCert(serialNo, null); + } + + void unrevokeCert(BigInteger serialNo, String requestId) + throws EBaseException { + CertRecord certRec = (CertRecord) mCA.getCertificateRepository().readCertificateRecord(serialNo); + + if (certRec == null) { + mCA.log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_CERT_NOT_FOUND", serialNo.toString(16))); + throw new ECAException( + CMS.getUserMessage("CMS_CA_CANT_FIND_CERT_SERIAL", + "0x" + serialNo.toString(16))); + } + RevocationInfo revInfo = (RevocationInfo) certRec.getRevocationInfo(); + CRLExtensions exts = null; + CRLReasonExtension reasonext = null; + + if (revInfo == null) { + mCA.log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_CERT_ON_HOLD", serialNo.toString())); + throw new ECAException(CMS.getUserMessage("CMS_CA_IS_NOT_ON_HOLD", + serialNo.toString())); + } + exts = revInfo.getCRLEntryExtensions(); + if (exts != null) { + try { + reasonext = (CRLReasonExtension) + exts.get(CRLReasonExtension.NAME); + } catch (X509ExtensionException e) { + mCA.log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_CERT_ON_HOLD", serialNo.toString())); + throw new ECAException(CMS.getUserMessage("CMS_CA_IS_NOT_ON_HOLD", + serialNo.toString())); + } + } else { + mCA.log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_CERT_ON_HOLD", serialNo.toString())); + throw new ECAException(CMS.getUserMessage("CMS_CA_IS_NOT_ON_HOLD", + serialNo.toString())); + } + // allow unrevoking certs that are on hold. 
+ if ((certRec.getStatus().equals(ICertRecord.STATUS_REVOKED) || + certRec.getStatus().equals(ICertRecord.STATUS_REVOKED_EXPIRED)) && + reasonext != null && + reasonext.getReason() == RevocationReason.CERTIFICATE_HOLD) { + try { + mCA.getCertificateRepository().unmarkRevoked(serialNo, revInfo, + certRec.getRevokedOn(), certRec.getRevokedBy()); + mCA.log(ILogger.LL_INFO, CMS.getLogMessage("CMSCORE_CA_CERT_UNREVOKED", serialNo.toString(16))); + // inform all CRLIssuingPoints about unrevoked certificate + Enumeration eIPs = mCRLIssuingPoints.elements(); + + while (eIPs.hasMoreElements()) { + ICRLIssuingPoint ip = (ICRLIssuingPoint) eIPs.nextElement(); + + if (ip != null) { + boolean b = true; + + if (ip.isCACertsOnly()) { + X509CertImpl cert = certRec.getCertificate(); + + if (cert != null) b = cert.getBasicConstraintsIsCA(); + } + if (ip.isProfileCertsOnly()) { + MetaInfo metaInfo = certRec.getMetaInfo(); + if (metaInfo != null) { + String profileId = (String)metaInfo.get("profileId"); + if (profileId != null) { + b = ip.checkCurrentProfile(profileId); + } + } + } + if (b) ip.addUnrevokedCert(serialNo, requestId); + } + } + } catch (EBaseException e) { + mCA.log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_CERT_ERROR_UNREVOKE", serialNo.toString(16))); + throw e; + } + } else { + mCA.log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_CERT_ON_HOLD", serialNo.toString())); + throw new ECAException(CMS.getUserMessage("CMS_CA_IS_NOT_ON_HOLD", + "0x" + serialNo.toString(16))); + } + + return; + } + + /** + * Signed Audit Log + * + * This method is called to store messages to the signed audit log. 
+ * <P> + * + * @param msg signed audit log message + */ + private void audit(String msg) { + // in this case, do NOT strip preceding/trailing whitespace + // from passed-in String parameters + + if (mSignedAuditLogger == null) { + return; + } + + mSignedAuditLogger.log(ILogger.EV_SIGNED_AUDIT, + null, + ILogger.S_SIGNED_AUDIT, + ILogger.LL_SECURITY, + msg); + } + + /** + * Signed Audit Log Subject ID + * + * This method is called to obtain the "SubjectID" for + * a signed audit log message. + * <P> + * + * @return id string containing the signed audit log message SubjectID + */ + private String auditSubjectID() { + // if no signed audit object exists, bail + if (mSignedAuditLogger == null) { + return null; + } + + String subjectID = null; + + // Initialize subjectID + SessionContext auditContext = SessionContext.getExistingContext(); + + if (auditContext != null) { + subjectID = (String) + auditContext.get(SessionContext.USER_ID); + + if (subjectID != null) { + subjectID = subjectID.trim(); + } else { + subjectID = ILogger.NONROLEUSER; + } + } else { + subjectID = ILogger.UNIDENTIFIED; + } + + return subjectID; + } + + /** + * Signed Audit Log Requester ID + * + * This method is called to obtain the "RequesterID" for + * a signed audit log message. 
+ * <P> + * + * @return id string containing the signed audit log message RequesterID + */ + private String auditRequesterID() { + // if no signed audit object exists, bail + if (mSignedAuditLogger == null) { + return null; + } + + String requesterID = null; + + // Initialize requesterID + SessionContext auditContext = SessionContext.getExistingContext(); + + if (auditContext != null) { + requesterID = (String) + auditContext.get(SessionContext.REQUESTER_ID); + + if (requesterID != null) { + requesterID = requesterID.trim(); + } else { + requesterID = ILogger.UNIDENTIFIED; + } + } else { + requesterID = ILogger.UNIDENTIFIED; + } + + return requesterID; + } +} + + +/// +/// servant classes +/// + +interface IServant { + public boolean service(IRequest request) throws EBaseException; +} + + +class serviceIssue implements IServant { + private ICertificateAuthority mCA; + private CAService mService; + + public serviceIssue(CAService service) { + mService = service; + mCA = mService.getCA(); + } + + public boolean service(IRequest request) + throws EBaseException { + // XXX This is ugly. should associate attributes with + // request types, not policy. + // XXX how do we know what to look for in request ? + + if (request.getExtDataInCertInfoArray(IRequest.CERT_INFO) != null) + return serviceX509(request); + else + return false; // Don't know what it is ????? + } + + public boolean serviceX509(IRequest request) + throws EBaseException { + // XXX This is ugly. should associate attributes with + // request types, not policy. + // XXX how do we know what to look for in request ? 
+ X509CertInfo certinfos[] = + request.getExtDataInCertInfoArray(IRequest.CERT_INFO); + + if (certinfos == null || certinfos[0] == null) { + mCA.log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_CERT_REQUEST_NOT_FOUND", request.getRequestId().toString())); + throw new ECAException(CMS.getUserMessage("CMS_CA_MISSING_INFO_IN_ISSUEREQ")); + } + String challengePassword = + request.getExtDataInString(CAService.CHALLENGE_PHRASE); + + X509CertImpl[] certs = new X509CertImpl[certinfos.length]; + String rid = request.getRequestId().toString(); + int i; + + for (i = 0; i < certinfos.length; i++) { + try { + certs[i] = mService.issueX509Cert(rid, certinfos[i]); + } catch (EBaseException e) { + mCA.log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_ISSUE_ERROR", Integer.toString(i), rid, e.toString())); + throw e; + } + } + String crmfReqId = request.getExtDataInString(IRequest.CRMF_REQID); + EBaseException ex = null; + + for (i = 0; i < certs.length; i++) { + try { + mService.storeX509Cert(rid, certs[i], crmfReqId, challengePassword); + } catch (EBaseException e) { + e.printStackTrace(); + mCA.log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_STORE_ERROR", Integer.toString(i), rid, e.toString())); + ex = e; // save to throw later. + break; + } + } + if (ex != null) { + for (int j = 0; j < i; j++) { + // delete the stored cert records from the database. + // we issue all or nothing. 
+ BigInteger serialNo = + ((X509Certificate) certs[i]).getSerialNumber(); + + try { + mCA.getCertificateRepository().deleteCertificateRecord(serialNo); + } catch (EBaseException e) { + mCA.log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_DELETE_CERT_ERROR", serialNo.toString(), e.toString())); + } + } + throw ex; + } + + request.setExtData(IRequest.ISSUED_CERTS, certs); + + return true; + } +} + + +class serviceRenewal implements IServant { + private ICertificateAuthority mCA; + private CAService mService; + + public serviceRenewal(CAService service) { + mService = service; + mCA = mService.getCA(); + } + + public boolean service(IRequest request) + throws EBaseException { + // XXX if one fails should all fail ? - can't backtrack. + X509CertInfo certinfos[] = + request.getExtDataInCertInfoArray(IRequest.CERT_INFO); + + if (certinfos == null || certinfos[0] == null) { + mCA.log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_CERT_REQUEST_NOT_FOUND", request.getRequestId().toString())); + throw new ECAException( + CMS.getUserMessage("CMS_CA_MISSING_INFO_IN_RENEWREQ")); + } + X509CertImpl issuedCerts[] = new X509CertImpl[certinfos.length]; + + for (int j = 0; j < issuedCerts.length; j++) + issuedCerts[j] = null; + String svcerrors[] = new String[certinfos.length]; + + for (int k = 0; k < svcerrors.length; k++) + svcerrors[k] = null; + String rid = request.getRequestId().toString(); + + for (int i = 0; i < certinfos.length; i++) { + try { + // get old serial number. 
+ SerialNumber serialnum = null; + + try { + CertificateSerialNumber serialno = (CertificateSerialNumber) + certinfos[i].get(X509CertInfo.SERIAL_NUMBER); + + if (serialno == null) { + mCA.log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_NULL_SERIAL_NUMBER")); + throw new ECAException( + CMS.getUserMessage("CMS_CA_MISSING_INFO_IN_RENEWREQ")); + } + serialnum = (SerialNumber) + serialno.get(CertificateSerialNumber.NUMBER); + } catch (IOException e) { + if (Debug.ON) + e.printStackTrace(); + mCA.log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_ERROR_GET_CERT", e.toString())); + throw new ECAException( + CMS.getUserMessage("CMS_CA_MISSING_INFO_IN_RENEWREQ")); + } catch (CertificateException e) { + if (Debug.ON) + e.printStackTrace(); + mCA.log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_ERROR_GET_CERT", e.toString())); + throw new ECAException( + CMS.getUserMessage("CMS_CA_MISSING_INFO_IN_RENEWREQ")); + } + if (serialnum == null) { + mCA.log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_ERROR_GET_CERT", "")); + throw new ECAException( + CMS.getUserMessage("CMS_CA_MISSING_INFO_IN_RENEWREQ")); + } + BigInt serialnumBigInt = serialnum.getNumber(); + BigInteger oldSerialNo = serialnumBigInt.toBigInteger(); + + // get cert record + CertRecord certRecord = (CertRecord) + mCA.getCertificateRepository().readCertificateRecord(oldSerialNo); + + if (certRecord == null) { + mCA.log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_NOT_FROM_CA", oldSerialNo.toString())); + svcerrors[i] = new ECAException( + CMS.getUserMessage("CMS_CA_CANT_FIND_CERT_SERIAL", + oldSerialNo.toString())).toString(); + continue; + } + + // check if cert has been revoked. 
+ String certStatus = certRecord.getStatus(); + + if (certStatus.equals(ICertRecord.STATUS_REVOKED) || + certStatus.equals(ICertRecord.STATUS_REVOKED_EXPIRED)) { + mCA.log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_RENEW_REVOKED", oldSerialNo.toString())); + svcerrors[i] = new ECAException( + CMS.getUserMessage("CMS_CA_CANNOT_RENEW_REVOKED_CERT", + "0x" + oldSerialNo.toString(16))).toString(); + continue; + } + + // check if cert has already been renewed. + MetaInfo metaInfo = certRecord.getMetaInfo(); + + if (metaInfo != null) { + String renewed = (String) + metaInfo.get(certRecord.META_RENEWED_CERT); + + if (renewed != null) { + BigInteger serial = new BigInteger(renewed); + X509CertImpl cert = (X509CertImpl) + mCA.getCertificateRepository().getX509Certificate(serial); + + if (cert == null) { + // something wrong + mCA.log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_MISSING_RENEWED", serial.toString())); + svcerrors[i] = new ECAException( + CMS.getUserMessage("CMS_CA_ERROR_GETTING_RENEWED_CERT", + oldSerialNo.toString(), serial.toString())).toString(); + continue; + } + // get cert record + CertRecord cRecord = (CertRecord) + mCA.getCertificateRepository().readCertificateRecord(serial); + + if (cRecord == null) { + mCA.log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_NOT_FROM_CA", serial.toString())); + svcerrors[i] = new ECAException( + CMS.getUserMessage("CMS_CA_CANT_FIND_CERT_SERIAL", + serial.toString())).toString(); + continue; + } + // Check renewed certificate already REVOKED or EXPIRED + String status = cRecord.getStatus(); + + if (status.equals(ICertRecord.STATUS_REVOKED) || + status.equals(ICertRecord.STATUS_REVOKED_EXPIRED)) { + Debug.trace("It is already revoked or Expired !!!"); + } // it is still new ... So just return this certificate to user + else { + Debug.trace("It is still new !!!"); + issuedCerts[i] = cert; + continue; + } + } + } + + // issue the cert. 
+ issuedCerts[i] = + mService.issueX509Cert(rid, certinfos[i], true, oldSerialNo); + mService.storeX509Cert(rid, issuedCerts[i], true, oldSerialNo); + } catch (ECAException e) { + svcerrors[i] = e.toString(); + mCA.log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_CANNOT_RENEW", Integer.toString(i), request.getRequestId().toString())); + } + } + + // always set issued certs regardless of error. + request.setExtData(IRequest.ISSUED_CERTS, issuedCerts); + + // set and throw error if any. + int l; + + for (l = svcerrors.length - 1; l >= 0 && svcerrors[l] == null; l--); + if (l >= 0) { + request.setExtData(IRequest.SVCERRORS, svcerrors); + mCA.log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_NO_RENEW", request.getRequestId().toString())); + throw new ECAException(CMS.getUserMessage("CMS_CA_RENEW_FAILED")); + } + return true; + } +} + + +class getCertsForChallenge implements IServant { + private ICertificateAuthority mCA; + private CAService mService; + + public getCertsForChallenge(CAService service) { + mService = service; + mCA = mService.getCA(); + } + + public boolean service(IRequest request) + throws EBaseException { + BigInteger[] serialNoArray = + request.getExtDataInBigIntegerArray(CAService.SERIALNO_ARRAY); + X509CertImpl[] certs = new X509CertImpl[serialNoArray.length]; + + for (int i = 0; i < serialNoArray.length; i++) { + certs[i] = mCA.getCertificateRepository().getX509Certificate(serialNoArray[i]); + } + request.setExtData(IRequest.OLD_CERTS, certs); + return true; + } +} + + +class getCertStatus implements IServant { + private ICertificateAuthority mCA; + private CAService mService; + + public getCertStatus(CAService service) { + mService = service; + mCA = mService.getCA(); + } + + public boolean service(IRequest request) throws EBaseException { + BigInteger serialno = request.getExtDataInBigInteger("serialNumber"); + String issuerDN = request.getExtDataInString("issuerDN"); + CertificateRepository certDB = (CertificateRepository) + 
mCA.getCertificateRepository(); + + String status = null; + + if (serialno != null) { + CertRecord record = null; + + try { + record = (CertRecord) certDB.readCertificateRecord(serialno); + } catch (EBaseException ee) { + Debug.trace(ee.toString()); + } + + if (record != null) { + status = record.getStatus(); + if (status.equals("VALID")) { + X509CertImpl cacert = mCA.getCACert(); + Principal p = cacert.getSubjectDN(); + + if (!p.toString().equals(issuerDN)) { + status = "INVALIDCERTROOT"; + } + } + } + } + + request.setExtData(IRequest.CERT_STATUS, status); + return true; + } +} + + +class serviceCheckChallenge implements IServant { + private ICertificateAuthority mCA; + private CAService mService; + private MessageDigest mSHADigest = null; + + public serviceCheckChallenge(CAService service) { + mService = service; + mCA = mService.getCA(); + try { + mSHADigest = MessageDigest.getInstance("SHA1"); + } catch (NoSuchAlgorithmException e) { + mCA.log(ILogger.LL_FAILURE, CMS.getLogMessage("OPERATION_ERROR", e.toString())); + } + } + + public boolean service(IRequest request) + throws EBaseException { + // note: some request attributes used below are set in + // authentication/ChallengePhraseAuthentication.java :( + BigInteger serialno = request.getExtDataInBigInteger("serialNumber"); + String pwd = request.getExtDataInString( + CAService.CHALLENGE_PHRASE); + CertificateRepository certDB = (CertificateRepository) mCA.getCertificateRepository(); + BigInteger[] bigIntArray = null; + + if (serialno != null) { + CertRecord record = null; + + try { + record = (CertRecord) certDB.readCertificateRecord(serialno); + } catch (EBaseException ee) { + Debug.trace(ee.toString()); + } + if (record != null) { + String status = record.getStatus(); + + if (status.equals("VALID")) { + boolean samepwd = compareChallengePassword(record, pwd); + + if (samepwd) { + bigIntArray = new BigInteger[1]; + bigIntArray[0] = record.getSerialNumber(); + } + } else { + bigIntArray = new BigInteger[0]; 
+ } + } else + bigIntArray = new BigInteger[0]; + } else { + String subjectName = request.getExtDataInString("subjectName"); + + if (subjectName != null) { + String filter = "(&(x509cert.subject=" + subjectName + ")(certStatus=VALID))"; + ICertRecordList list = certDB.findCertRecordsInList(filter, null, 10); + int size = list.getSize(); + Enumeration en = list.getCertRecords(0, size - 1); + + if (!en.hasMoreElements()) { + bigIntArray = new BigInteger[0]; + } else { + Vector idv = new Vector(); + + while (en.hasMoreElements()) { + CertRecord record = (CertRecord) en.nextElement(); + boolean samepwd = compareChallengePassword(record, pwd); + + if (samepwd) { + BigInteger id = record.getSerialNumber(); + + idv.addElement(id); + } + } + bigIntArray = new BigInteger[idv.size()]; + idv.copyInto(bigIntArray); + } + } + } + + if (bigIntArray == null) + bigIntArray = new BigInteger[0]; + + request.setExtData(CAService.SERIALNO_ARRAY, bigIntArray); + return true; + } + + private boolean compareChallengePassword(CertRecord record, String pwd) + throws EBaseException { + MetaInfo metaInfo = (MetaInfo) record.get(CertRecord.ATTR_META_INFO); + + if (metaInfo == null) { + throw new EBaseException(CMS.getUserMessage("CMS_BASE_INVALID_ATTRIBUTE", "metaInfo")); + } + + String hashpwd = hashPassword(pwd); + + // got metaInfo + String challengeString = + (String) metaInfo.get(CertRecord.META_CHALLENGE_PHRASE); + + if (!challengeString.equals(hashpwd)) { + return false; + } else + return true; + } + + private String hashPassword(String pwd) { + String salt = "lala123"; + byte[] pwdDigest = mSHADigest.digest((salt + pwd).getBytes()); + String b64E = com.netscape.osutil.OSUtil.BtoA(pwdDigest); + + return "{SHA}" + b64E; + } +} + + +class serviceRevoke implements IServant { + private ICertificateAuthority mCA; + private CAService mService; + + public serviceRevoke(CAService service) { + mService = service; + mCA = mService.getCA(); + } + + public boolean service(IRequest request) + 
throws EBaseException { + boolean sendStatus = true; + // XXX Need to think passing as array. + // XXX every implemented according to servlet. + RevokedCertImpl crlentries[] = + request.getExtDataInRevokedCertArray(IRequest.CERT_INFO); + + if (crlentries == null || + crlentries.length == 0 || + crlentries[0] == null) { + // XXX should this be an error ? + mCA.log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_CRL_NOT_FOUND", request.getRequestId().toString())); + throw new ECAException(CMS.getUserMessage("CMS_CA_MISSING_INFO_IN_REVREQ")); + } + + RevokedCertImpl revokedCerts[] = + new RevokedCertImpl[crlentries.length]; + String svcerrors[] = null; + + for (int i = 0; i < crlentries.length; i++) { + try { + mService.revokeCert(crlentries[i], request.getRequestId().toString()); + revokedCerts[i] = crlentries[i]; + } catch (ECAException e) { + mCA.log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_CANNOT_REVOKE", Integer.toString(i), request.getRequestId().toString(), e.toString())); + revokedCerts[i] = null; + if (svcerrors == null) { + svcerrors = new String[revokedCerts.length]; + } + svcerrors[i] = e.toString(); + } + } + + // #605941 - request.get(IRequest.CERT_INFO) store exact same thing + // request.set(IRequest.REVOKED_CERTS, revokedCerts); + + // if clone ca, send revoked cert records to CLA + if (CAService.mCLAConnector != null) { + CMS.debug(CMS.getLogMessage("CMSCORE_CA_CLONE_READ_REVOKED")); + BigInteger revokedCertIds[] = + new BigInteger[revokedCerts.length]; + + for (int i = 0; i < revokedCerts.length; i++) { + revokedCertIds[i] = revokedCerts[i].getSerialNumber(); + } + request.deleteExtData(IRequest.CERT_INFO); + request.deleteExtData(IRequest.OLD_CERTS); + request.setExtData(IRequest.REVOKED_CERT_RECORDS, revokedCertIds); + + CMS.debug(CMS.getLogMessage("CMSCORE_CA_CLONE_READ_REVOKED_CONNECTOR")); + + request.setRequestType(IRequest.CLA_CERT4CRL_REQUEST); + sendStatus = CAService.mCLAConnector.send(request); + if (sendStatus == false) { + 
request.setExtData(IRequest.RESULT, + IRequest.RES_ERROR); + request.setExtData(IRequest.ERROR, + new ECAException(CMS.getUserMessage("CMS_CA_SEND_CLA_REQUEST"))); + return sendStatus; + } else { + if (request.getExtDataInString(IRequest.ERROR) != null) { + request.setExtData(IRequest.RESULT, IRequest.RES_SUCCESS); + request.deleteExtData(IRequest.ERROR); + } + } + if (request.getExtDataInString(IRequest.ERROR) != null) { + return sendStatus; + } + } + + if (svcerrors != null) { + request.setExtData(IRequest.SVCERRORS, svcerrors); + throw new ECAException(CMS.getUserMessage("CMS_CA_REVOKE_FAILED")); + } + + if (Debug.ON) { + Debug.trace("serviceRevoke sendStatus=" + sendStatus); + } + + return sendStatus; + } +} + + +class serviceUnrevoke implements IServant { + private ICertificateAuthority mCA; + private CAService mService; + + public serviceUnrevoke(CAService service) { + mService = service; + mCA = mService.getCA(); + } + + public boolean service(IRequest request) + throws EBaseException { + boolean sendStatus = true; + BigInteger oldSerialNo[] = + request.getExtDataInBigIntegerArray(IRequest.OLD_SERIALS); + + if (oldSerialNo == null || oldSerialNo.length < 1) { + mCA.log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_UNREVOKE_MISSING_SERIAL")); + throw new ECAException( + CMS.getUserMessage("CMS_CA_MISSING_SERIAL_NUMBER")); + } + + String svcerrors[] = null; + boolean needOldCerts = false; + X509CertImpl oldCerts[] = request.getExtDataInCertArray(IRequest.OLD_CERTS); + + if (oldCerts == null || oldCerts.length < 1) { + needOldCerts = true; + oldCerts = new X509CertImpl[oldSerialNo.length]; + } + + for (int i = 0; i < oldSerialNo.length; i++) { + try { + if (oldSerialNo[i].compareTo(new BigInteger("0")) < 0) { + mCA.log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_UNREVOKE_MISSING_SERIAL")); + throw new ECAException( + CMS.getUserMessage("CMS_CA_MISSING_SERIAL_NUMBER")); + } + if (needOldCerts) { + CertRecord certRec = (CertRecord) + 
mCA.getCertificateRepository().readCertificateRecord(oldSerialNo[i]); + + oldCerts[i] = certRec.getCertificate(); + } + mService.unrevokeCert(oldSerialNo[i], request.getRequestId().toString()); + } catch (ECAException e) { + mCA.log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_UNREVOKE_FAILED", oldSerialNo[i].toString(), request.getRequestId().toString())); + if (svcerrors == null) { + svcerrors = new String[oldSerialNo.length]; + } + svcerrors[i] = e.toString(); + } + } + + // if clone ca, send unrevoked cert serials to CLA + if (CAService.mCLAConnector != null) { + request.setRequestType(IRequest.CLA_UNCERT4CRL_REQUEST); + sendStatus = CAService.mCLAConnector.send(request); + if (sendStatus == false) { + request.setExtData(IRequest.RESULT, + IRequest.RES_ERROR); + request.setExtData(IRequest.ERROR, + new ECAException(CMS.getUserMessage("CMS_CA_SEND_CLA_REQUEST"))); + return sendStatus; + } else { + if (request.getExtDataInString(IRequest.ERROR) != null) { + request.setExtData(IRequest.RESULT, IRequest.RES_SUCCESS); + request.deleteExtData(IRequest.ERROR); + } + } + + } + + if (needOldCerts) { + request.setExtData(IRequest.OLD_CERTS, oldCerts); + } + + if (svcerrors != null) { + request.setExtData(IRequest.SVCERRORS, svcerrors); + throw new ECAException(CMS.getUserMessage("CMS_CA_UNREVOKE_FAILED")); + } + + return sendStatus; + } +} + + +class serviceGetCAChain implements IServant { + private ICertificateAuthority mCA; + private CAService mService; + + public serviceGetCAChain(CAService service) { + mService = service; + mCA = mService.getCA(); + } + + public boolean service(IRequest request) throws EBaseException { + CertificateChain certChain = mCA.getCACertChain(); + ByteArrayOutputStream certChainOut = new ByteArrayOutputStream(); + try { + certChain.encode(certChainOut); + } catch (IOException e) { + mCA.log(ILogger.LL_FAILURE, e.toString()); + throw new EBaseException(e.toString()); + } + request.setExtData(IRequest.CACERTCHAIN, 
certChainOut.toByteArray()); + return true; + } +} + + +class serviceGetCRL implements IServant { + private ICertificateAuthority mCA; + private CAService mService; + + public serviceGetCRL(CAService service) { + mService = service; + mCA = mService.getCA(); + } + + public boolean service(IRequest request) + throws EBaseException { + try { + ICRLIssuingPointRecord crlRec = + (ICRLIssuingPointRecord) mCA.getCRLRepository().readCRLIssuingPointRecord(mCA.PROP_MASTER_CRL); + X509CRLImpl crl = new X509CRLImpl(crlRec.getCRL()); + + request.setExtData(IRequest.CRL, crl.getEncoded()); + } catch (EBaseException e) { + mCA.log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_GETCRL_FIND_CRL")); + throw new ECAException( + CMS.getUserMessage("CMS_CA_CRL_ISSUEPT_NOT_FOUND", e.toString())); + } catch (CRLException e) { + mCA.log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_GETCRL_INST_CRL", mCA.PROP_MASTER_CRL)); + throw new ECAException( + CMS.getUserMessage("CMS_CA_CRL_ISSUEPT_NOGOOD", mCA.PROP_MASTER_CRL)); + } catch (X509ExtensionException e) { + mCA.log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_GETCRL_NO_ISSUING_REC")); + throw new ECAException( + CMS.getUserMessage("CMS_CA_CRL_ISSUEPT_EXT_NOGOOD", + mCA.PROP_MASTER_CRL)); + } + return true; + } +} + + +class serviceGetRevocationInfo implements IServant { + private ICertificateAuthority mCA; + private CAService mService; + + public serviceGetRevocationInfo(CAService service) { + mService = service; + mCA = mService.getCA(); + } + + public boolean service(IRequest request) + throws EBaseException { + Enumeration enum1 = request.getExtDataKeys(); + + while (enum1.hasMoreElements()) { + String name = (String) enum1.nextElement(); + + if (name.equals(IRequest.ISSUED_CERTS)) { + X509CertImpl certsToCheck[] = + request.getExtDataInCertArray(IRequest.ISSUED_CERTS); + + CertificateRepository certDB = (CertificateRepository) mCA.getCertificateRepository(); + RevocationInfo info = + 
certDB.isCertificateRevoked(certsToCheck[0]); + + if (info != null) { + RevokedCertImpl revokedCerts[] = new RevokedCertImpl[1]; + RevokedCertImpl revokedCert = new RevokedCertImpl( + certsToCheck[0].getSerialNumber(), + info.getRevocationDate(), + info.getCRLEntryExtensions()); + + revokedCerts[0] = revokedCert; + request.setExtData(IRequest.REVOKED_CERTS, revokedCerts); + } + } + } + return true; + } +} + + +class serviceGetCertificates implements IServant { + private ICertificateAuthority mCA; + private CAService mService; + + public serviceGetCertificates(CAService service) { + mService = service; + mCA = mService.getCA(); + } + + public boolean service(IRequest request) + throws EBaseException { + Enumeration enum1 = request.getExtDataKeys(); + + while (enum1.hasMoreElements()) { + String name = (String) enum1.nextElement(); + + if (name.equals(IRequest.CERT_FILTER)) { + String filter = request.getExtDataInString(IRequest.CERT_FILTER); + + CertificateRepository certDB = (CertificateRepository) mCA.getCertificateRepository(); + X509CertImpl[] certs = certDB.getX509Certificates(filter); + + if (certs != null) { + request.setExtData(IRequest.OLD_CERTS, certs); + } + } + } + return true; + } +} + + +class serviceCert4Crl implements IServant { + private ICertificateAuthority mCA; + private CAService mService; + + public serviceCert4Crl(CAService service) { + mService = service; + mCA = mService.getCA(); + } + + public boolean service(IRequest request) + throws EBaseException { + // XXX Need to think passing as array. + // XXX every implemented according to servlet. 
+ BigInteger revokedCertIds[] = request.getExtDataInBigIntegerArray( + IRequest.REVOKED_CERT_RECORDS); + if (revokedCertIds == null || + revokedCertIds.length == 0) { + mCA.log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_CERT4CRL_NO_ENTRY", request.getRequestId().toString())); + throw new ECAException(CMS.getUserMessage("CMS_CA_MISSING_INFO_IN_CLAREQ")); + } + + CertRecord revokedCertRecs[] = new CertRecord[revokedCertIds.length]; + for (int i = 0; i < revokedCertIds.length; i++) { + revokedCertRecs[i] = (CertRecord) + mCA.getCertificateRepository().readCertificateRecord( + revokedCertIds[i]); + } + + if (revokedCertRecs == null || + revokedCertRecs.length == 0 || + revokedCertRecs[0] == null) { + // XXX should this be an error ? + mCA.log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_CERT4CRL_NO_ENTRY", request.getRequestId().toString())); + throw new ECAException(CMS.getUserMessage("CMS_CA_MISSING_INFO_IN_CLAREQ")); + } + + CertRecord recordedCerts[] = + new CertRecord[revokedCertRecs.length]; + String svcerrors[] = null; + + for (int i = 0; i < revokedCertRecs.length; i++) { + try { + // for CLA, record it into cert repost + ((CertificateRepository) mCA.getCertificateRepository()).addRevokedCertRecord(revokedCertRecs[i]); + // mService.revokeCert(crlentries[i]); + recordedCerts[i] = revokedCertRecs[i]; + // inform all CRLIssuingPoints about revoked certificate + Hashtable hips = mService.getCRLIssuingPoints(); + Enumeration eIPs = hips.elements(); + + while (eIPs.hasMoreElements()) { + ICRLIssuingPoint ip = (ICRLIssuingPoint) eIPs.nextElement(); + // form RevokedCertImpl + RevokedCertImpl rci = + new RevokedCertImpl(revokedCertRecs[i].getSerialNumber(), + revokedCertRecs[i].getRevokedOn()); + + if (ip != null) { + ip.addRevokedCert(revokedCertRecs[i].getSerialNumber(), rci); + } + } + + } catch (ECAException e) { + mCA.log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_CERT4CRL_NO_REC", Integer.toString(i), request.getRequestId().toString(), 
e.toString())); + recordedCerts[i] = null; + if (svcerrors == null) { + svcerrors = new String[recordedCerts.length]; + } + svcerrors[i] = e.toString(); + } + } + //need to record which gets recorded and which failed...cfu + // request.set(IRequest.REVOKED_CERTS, revokedCerts); + if (svcerrors != null) { + request.setExtData(IRequest.SVCERRORS, svcerrors); + throw new ECAException(CMS.getUserMessage("CMS_CA_CERT4CRL_FAILED")); + } + + return true; + } +} + + +class serviceUnCert4Crl implements IServant { + private ICertificateAuthority mCA; + private CAService mService; + + public serviceUnCert4Crl(CAService service) { + mService = service; + mCA = mService.getCA(); + } + + public boolean service(IRequest request) + throws EBaseException { + BigInteger oldSerialNo[] = + request.getExtDataInBigIntegerArray(IRequest.OLD_SERIALS); + + if (oldSerialNo == null || oldSerialNo.length < 1) { + mCA.log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_UNREVOKE_MISSING_SERIAL")); + throw new ECAException( + CMS.getUserMessage("CMS_CA_MISSING_SERIAL_NUMBER")); + } + + String svcerrors[] = null; + + for (int i = 0; i < oldSerialNo.length; i++) { + try { + mCA.getCertificateRepository().deleteCertificateRecord(oldSerialNo[i]); + // inform all CRLIssuingPoints about unrevoked certificate + Hashtable hips = mService.getCRLIssuingPoints(); + Enumeration eIPs = hips.elements(); + + while (eIPs.hasMoreElements()) { + ICRLIssuingPoint ip = (ICRLIssuingPoint) eIPs.nextElement(); + + if (ip != null) { + ip.addUnrevokedCert(oldSerialNo[i]); + } + } + } catch (EBaseException e) { + mCA.log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_DELETE_CERT_ERROR", oldSerialNo[i].toString(), e.toString())); + if (svcerrors == null) { + svcerrors = new String[oldSerialNo.length]; + } + svcerrors[i] = e.toString(); + } + + } + + if (svcerrors != null) { + request.setExtData(IRequest.SVCERRORS, svcerrors); + throw new ECAException(CMS.getUserMessage("CMS_CA_UNCERT4CRL_FAILED")); + } + + return 
true;
+ }
+}
+
diff --git a/pki/base/ca/src/com/netscape/ca/CMSCRLExtensions.java b/pki/base/ca/src/com/netscape/ca/CMSCRLExtensions.java
new file mode 100644
index 000000000..1aa121d85
--- /dev/null
+++ b/pki/base/ca/src/com/netscape/ca/CMSCRLExtensions.java
@@ -0,0 +1,606 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2007 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.ca;
+
+
+import java.io.IOException;
+import java.util.*;
+import netscape.security.x509.PKIXExtensions;
+import netscape.security.x509.Extension;
+import netscape.security.x509.CRLExtensions;
+import netscape.security.x509.AuthorityKeyIdentifierExtension;
+import netscape.security.x509.IssuerAlternativeNameExtension;
+import netscape.security.x509.CRLNumberExtension;
+import netscape.security.x509.DeltaCRLIndicatorExtension;
+import netscape.security.x509.IssuingDistributionPointExtension;
+import netscape.security.x509.CRLReasonExtension;
+import netscape.security.x509.HoldInstructionExtension;
+import netscape.security.x509.InvalidityDateExtension;
+import netscape.security.x509.CertificateIssuerExtension;
+import netscape.security.x509.FreshestCRLExtension;
+import netscape.security.x509.OIDMap;
+import com.netscape.certsrv.base.IConfigStore;
+import com.netscape.cmscore.base.SubsystemRegistry;
+import com.netscape.certsrv.base.EBaseException;
+import com.netscape.certsrv.base.EPropertyNotDefined;
+import com.netscape.certsrv.base.EPropertyNotFound;
+import com.netscape.certsrv.common.Constants;
+import 
com.netscape.certsrv.common.NameValuePair; +import com.netscape.certsrv.common.NameValuePairs; +import com.netscape.certsrv.logging.*; +import com.netscape.certsrv.apps.*; +import com.netscape.certsrv.ca.*; +import java.security.cert.CertificateException; + + +public class CMSCRLExtensions implements ICMSCRLExtensions { + public static final String PROP_ENABLE = "enable"; + public static final String PROP_EXTENSION = "extension"; + public static final String PROP_CLASS = "class"; + public static final String PROP_TYPE = "type"; + public static final String PROP_CRITICAL = "critical"; + public static final String PROP_CRL_EXT = "CRLExtension"; + public static final String PROP_CRL_ENTRY_EXT = "CRLEntryExtension"; + + private ICRLIssuingPoint mCRLIssuingPoint = null; + + private IConfigStore mConfig = null; + private IConfigStore mCRLExtConfig = null; + + private Vector mCRLExtensionNames = new Vector(); + private Vector mCRLEntryExtensionNames = new Vector(); + private Vector mEnabledCRLExtensions = new Vector(); + private Vector mCriticalCRLExtensions = new Vector(); + private Hashtable mCRLExtensionClassNames = new Hashtable(); + private Hashtable mCRLExtensionIDs = new Hashtable(); + + private static final Vector mDefaultCRLExtensionNames = new Vector(); + private static final Vector mDefaultCRLEntryExtensionNames = new Vector(); + private static final Vector mDefaultEnabledCRLExtensions = new Vector(); + private static final Vector mDefaultCriticalCRLExtensions = new Vector(); + private static final Hashtable mDefaultCRLExtensionClassNames = new Hashtable(); + private static final Hashtable mDefaultCRLExtensionIDs = new Hashtable(); + + private ILogger mLogger = CMS.getLogger(); + + static { + + /* Default CRL Extensions */ + mDefaultCRLExtensionNames.addElement(AuthorityKeyIdentifierExtension.NAME); + mDefaultCRLExtensionNames.addElement(IssuerAlternativeNameExtension.NAME); + mDefaultCRLExtensionNames.addElement(CRLNumberExtension.NAME); + 
mDefaultCRLExtensionNames.addElement(DeltaCRLIndicatorExtension.NAME); + mDefaultCRLExtensionNames.addElement(IssuingDistributionPointExtension.NAME); + mDefaultCRLExtensionNames.addElement(FreshestCRLExtension.NAME); + + /* Default CRL Entry Extensions */ + mDefaultCRLEntryExtensionNames.addElement(CRLReasonExtension.NAME); + mDefaultCRLEntryExtensionNames.addElement(HoldInstructionExtension.NAME); + mDefaultCRLEntryExtensionNames.addElement(InvalidityDateExtension.NAME); + //mDefaultCRLEntryExtensionNames.addElement(CertificateIssuerExtension.NAME); + + /* Default Enabled CRL Extensions */ + mDefaultEnabledCRLExtensions.addElement(CRLNumberExtension.NAME); + //mDefaultEnabledCRLExtensions.addElement(DeltaCRLIndicatorExtension.NAME); + mDefaultEnabledCRLExtensions.addElement(CRLReasonExtension.NAME); + mDefaultEnabledCRLExtensions.addElement(InvalidityDateExtension.NAME); + + /* Default Critical CRL Extensions */ + mDefaultCriticalCRLExtensions.addElement(DeltaCRLIndicatorExtension.NAME); + mDefaultCriticalCRLExtensions.addElement(IssuingDistributionPointExtension.NAME); + //mDefaultCriticalCRLExtensions.addElement(CertificateIssuerExtension.NAME); + + /* CRL extension IDs */ + mDefaultCRLExtensionIDs.put(PKIXExtensions.AuthorityKey_Id.toString(), + AuthorityKeyIdentifierExtension.NAME); + mDefaultCRLExtensionIDs.put(PKIXExtensions.IssuerAlternativeName_Id.toString(), + IssuerAlternativeNameExtension.NAME); + mDefaultCRLExtensionIDs.put(PKIXExtensions.CRLNumber_Id.toString(), + CRLNumberExtension.NAME); + mDefaultCRLExtensionIDs.put(PKIXExtensions.DeltaCRLIndicator_Id.toString(), + DeltaCRLIndicatorExtension.NAME); + mDefaultCRLExtensionIDs.put(PKIXExtensions.IssuingDistributionPoint_Id.toString(), + IssuingDistributionPointExtension.NAME); + mDefaultCRLExtensionIDs.put(PKIXExtensions.ReasonCode_Id.toString(), + CRLReasonExtension.NAME); + mDefaultCRLExtensionIDs.put(PKIXExtensions.HoldInstructionCode_Id.toString(), + HoldInstructionExtension.NAME); + 
mDefaultCRLExtensionIDs.put(PKIXExtensions.InvalidityDate_Id.toString(), + InvalidityDateExtension.NAME); + //mDefaultCRLExtensionIDs.put(PKIXExtensions.CertificateIssuer_Id.toString(), + // CertificateIssuerExtension.NAME); + mDefaultCRLExtensionIDs.put(PKIXExtensions.FreshestCRL_Id.toString(), + FreshestCRLExtension.NAME); + + /* Class names */ + mDefaultCRLExtensionClassNames.put(AuthorityKeyIdentifierExtension.NAME, + "com.netscape.cms.crl.CMSAuthorityKeyIdentifierExtension"); + mDefaultCRLExtensionClassNames.put(IssuerAlternativeNameExtension.NAME, + "com.netscape.cms.crl.CMSIssuerAlternativeNameExtension"); + mDefaultCRLExtensionClassNames.put(CRLNumberExtension.NAME, + "com.netscape.cms.crl.CMSCRLNumberExtension"); + mDefaultCRLExtensionClassNames.put(DeltaCRLIndicatorExtension.NAME, + "com.netscape.cms.crl.CMSDeltaCRLIndicatorExtension"); + mDefaultCRLExtensionClassNames.put(IssuingDistributionPointExtension.NAME, + "com.netscape.cms.crl.CMSIssuingDistributionPointExtension"); + mDefaultCRLExtensionClassNames.put(CRLReasonExtension.NAME, + "com.netscape.cms.crl.CMSCRLReasonExtension"); + mDefaultCRLExtensionClassNames.put(HoldInstructionExtension.NAME, + "com.netscape.cms.crl.CMSHoldInstructionExtension"); + mDefaultCRLExtensionClassNames.put(InvalidityDateExtension.NAME, + "com.netscape.cms.crl.CMSInvalidityDateExtension"); + //mDefaultCRLExtensionClassNames.put(CertificateIssuerExtension.NAME, + // "com.netscape.cms.crl.CMSCertificateIssuerExtension"); + mDefaultCRLExtensionClassNames.put(FreshestCRLExtension.NAME, + "com.netscape.cms.crl.CMSFreshestCRLExtension"); + + try { + OIDMap.addAttribute(DeltaCRLIndicatorExtension.class.getName(), + DeltaCRLIndicatorExtension.OID, + DeltaCRLIndicatorExtension.NAME); + } catch (CertificateException e) { + } + try { + OIDMap.addAttribute(HoldInstructionExtension.class.getName(), + HoldInstructionExtension.OID, + HoldInstructionExtension.NAME); + } catch (CertificateException e) { + } + try { + 
OIDMap.addAttribute(InvalidityDateExtension.class.getName(), + InvalidityDateExtension.OID, + InvalidityDateExtension.NAME); + } catch (CertificateException e) { + } + try { + OIDMap.addAttribute(FreshestCRLExtension.class.getName(), + FreshestCRLExtension.OID, + FreshestCRLExtension.NAME); + } catch (CertificateException e) { + } + } + + /** + * Constructs a CRL extensions for CRL issuing point. + */ + public CMSCRLExtensions(ICRLIssuingPoint crlIssuingPoint, IConfigStore config) { + boolean modifiedConfig = false; + + mConfig = config; + mCRLExtConfig = config.getSubStore(PROP_EXTENSION); + mCRLIssuingPoint = crlIssuingPoint; + + IConfigStore mFileConfig = + SubsystemRegistry.getInstance().get("MAIN").getConfigStore(); + + IConfigStore crlExtConfig = (IConfigStore) mFileConfig; + StringTokenizer st = new StringTokenizer(mCRLExtConfig.getName(), "."); + + while (st.hasMoreTokens()) { + String subStoreName = st.nextToken(); + IConfigStore newConfig = crlExtConfig.getSubStore(subStoreName); + + if (newConfig != null) { + crlExtConfig = newConfig; + } + } + + if (crlExtConfig != null) { + Enumeration enumExts = crlExtConfig.getSubStoreNames(); + + while (enumExts.hasMoreElements()) { + String extName = (String) enumExts.nextElement(); + IConfigStore extConfig = crlExtConfig.getSubStore(extName); + + if (extConfig != null) { + modifiedConfig |= getEnableProperty(extName, extConfig); + modifiedConfig |= getCriticalProperty(extName, extConfig); + modifiedConfig |= getTypeProperty(extName, extConfig); + modifiedConfig |= getClassProperty(extName, extConfig); + } + } + + if (modifiedConfig) { + try { + mFileConfig.commit(true); + } catch (EBaseException e) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_CRLEXTS_SAVE_CONF", e.toString())); + } + } + } + } + + private boolean getEnableProperty(String extName, IConfigStore extConfig) { + boolean modifiedConfig = false; + + try { + if (extConfig.getBoolean(PROP_ENABLE)) { + mEnabledCRLExtensions.addElement(extName); 
+ } + } catch (EPropertyNotFound e) { + extConfig.putBoolean(PROP_ENABLE, mDefaultEnabledCRLExtensions.contains(extName)); + modifiedConfig = true; + if (mDefaultEnabledCRLExtensions.contains(extName)) { + mEnabledCRLExtensions.addElement(extName); + } + log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_CRLEXTS_NO_ENABLE", extName, mDefaultEnabledCRLExtensions.contains(extName) ? "true" : "false")); + } catch (EPropertyNotDefined e) { + extConfig.putBoolean(PROP_ENABLE, mDefaultEnabledCRLExtensions.contains(extName)); + modifiedConfig = true; + if (mDefaultEnabledCRLExtensions.contains(extName)) { + mEnabledCRLExtensions.addElement(extName); + } + log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_CRLEXTS_UNDEFINE_ENABLE", extName, mDefaultEnabledCRLExtensions.contains(extName) ? "true" : "false")); + } catch (EBaseException e) { + extConfig.putBoolean(PROP_ENABLE, mDefaultEnabledCRLExtensions.contains(extName)); + modifiedConfig = true; + if (mDefaultEnabledCRLExtensions.contains(extName)) { + mEnabledCRLExtensions.addElement(extName); + } + log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_CRLEXTS_INVALID_ENABLE", extName, mDefaultEnabledCRLExtensions.contains(extName) ? "true" : "false")); + } + return modifiedConfig; + } + + private boolean getCriticalProperty(String extName, IConfigStore extConfig) { + boolean modifiedConfig = false; + + try { + if (extConfig.getBoolean(PROP_CRITICAL)) { + mCriticalCRLExtensions.addElement(extName); + } + } catch (EPropertyNotFound e) { + extConfig.putBoolean(PROP_CRITICAL, mDefaultCriticalCRLExtensions.contains(extName)); + modifiedConfig = true; + if (mDefaultCriticalCRLExtensions.contains(extName)) { + mCriticalCRLExtensions.addElement(extName); + } + log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_CRLEXTS_NO_CRITICAL", extName, mDefaultEnabledCRLExtensions.contains(extName) ? 
"true" : "false")); + } catch (EPropertyNotDefined e) { + extConfig.putBoolean(PROP_CRITICAL, mDefaultCriticalCRLExtensions.contains(extName)); + modifiedConfig = true; + if (mDefaultCriticalCRLExtensions.contains(extName)) { + mCriticalCRLExtensions.addElement(extName); + } + log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_CRLEXTS_UNDEFINE_CRITICAL", extName, mDefaultEnabledCRLExtensions.contains(extName) ? "true" : "false")); + } catch (EBaseException e) { + extConfig.putBoolean(PROP_CRITICAL, mDefaultCriticalCRLExtensions.contains(extName)); + modifiedConfig = true; + if (mDefaultCriticalCRLExtensions.contains(extName)) { + mCriticalCRLExtensions.addElement(extName); + } + log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_CRLEXTS_INVALID_CRITICAL", extName, mDefaultEnabledCRLExtensions.contains(extName) ? "true" : "false")); + } + return modifiedConfig; + } + + private boolean getTypeProperty(String extName, IConfigStore extConfig) { + boolean modifiedConfig = false; + String extType = null; + + try { + extType = extConfig.getString(PROP_TYPE); + if (extType.length() > 0) { + if (extType.equals(PROP_CRL_ENTRY_EXT)) { + mCRLEntryExtensionNames.addElement(extName); + } else if (extType.equals(PROP_CRL_EXT)) { + mCRLExtensionNames.addElement(extName); + } else { + if (mDefaultCRLEntryExtensionNames.contains(extName)) { + extConfig.putString(PROP_TYPE, PROP_CRL_ENTRY_EXT); + modifiedConfig = true; + mCRLEntryExtensionNames.addElement(extName); + log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_CRLEXTS_INVALID_EXT", extName, PROP_CRL_ENTRY_EXT)); + } else if (mDefaultCRLExtensionNames.contains(extName)) { + extConfig.putString(PROP_TYPE, PROP_CRL_EXT); + modifiedConfig = true; + mCRLExtensionNames.addElement(extName); + log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_CRLEXTS_INVALID_EXT", extName, PROP_CRL_EXT)); + } else { + log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_CRLEXTS_INVALID_EXT", extName, "")); + } + } + } else { + 
log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_CRLEXTS_UNDEFINE_EXT", extName)); + } + } catch (EPropertyNotFound e) { + if (mDefaultCRLEntryExtensionNames.contains(extName)) { + extConfig.putString(PROP_TYPE, PROP_CRL_ENTRY_EXT); + modifiedConfig = true; + } else if (mDefaultCRLExtensionNames.contains(extName)) { + extConfig.putString(PROP_TYPE, PROP_CRL_EXT); + modifiedConfig = true; + } + log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_CRLEXTS_MISSING_EXT", extName)); + } catch (EBaseException e) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_CRLEXTS_INVALID_EXT", extName, "")); + } + return modifiedConfig; + } + + private boolean getClassProperty(String extName, IConfigStore extConfig) { + boolean modifiedConfig = false; + String extClass = null; + + try { + extClass = extConfig.getString(PROP_CLASS); + if (extClass.length() > 0) { + mCRLExtensionClassNames.put(extName, extClass); + + try { + Class crlExtClass = Class.forName(extClass); + + if (crlExtClass != null) { + ICMSCRLExtension cmsCRLExt = (ICMSCRLExtension) crlExtClass.newInstance(); + + if (cmsCRLExt != null) { + String id = (String) cmsCRLExt.getCRLExtOID(); + + if (id != null) { + mCRLExtensionIDs.put(id, extName); + } + } + } + } catch (ClassNotFoundException e) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_CRLEXTS_CLASS_NOT_FOUND", extClass, e.toString())); + } catch (InstantiationException e) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_CRLEXTS_CLASS_NOT_INST", extClass, e.toString())); + } catch (IllegalAccessException e) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_CRLEXTS_CLASS_NOT_ACCESS", extClass, e.toString())); + } + + } else { + if (mDefaultCRLExtensionClassNames.containsKey(extName)) { + extClass = (String) mCRLExtensionClassNames.get(extName); + extConfig.putString(PROP_CLASS, extClass); + modifiedConfig = true; + } + log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_CRLEXTS_CLASS_NOT_DEFINED", extName)); + } + } catch 
(EPropertyNotFound e) { + if (mDefaultCRLExtensionClassNames.containsKey(extName)) { + extClass = (String) mDefaultCRLExtensionClassNames.get(extName); + extConfig.putString(PROP_CLASS, extClass); + modifiedConfig = true; + } + log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_CRLEXTS_CLASS_MISSING", extName)); + } catch (EBaseException e) { + if (mDefaultCRLExtensionClassNames.containsKey(extName)) { + extClass = (String) mDefaultCRLExtensionClassNames.get(extName); + extConfig.putString(PROP_CLASS, extClass); + modifiedConfig = true; + } + log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_CRLEXTS_CLASS_INVALID", extName)); + } + return modifiedConfig; + } + + public boolean isCRLExtension(String extName) { + return mCRLExtensionNames.contains(extName); + } + + public boolean isCRLEntryExtension(String extName) { + return mCRLEntryExtensionNames.contains(extName); + } + + public boolean isCRLExtensionEnabled(String extName) { + return ((mCRLExtensionNames.contains(extName) || + mCRLEntryExtensionNames.contains(extName)) && + mEnabledCRLExtensions.contains(extName)); + } + + public boolean isCRLExtensionCritical(String extName) { + return mCriticalCRLExtensions.contains(extName); + } + + public String getCRLExtensionName(String id) { + String name = null; + + if (mCRLExtensionIDs.containsKey(id)) { + name = (String) mCRLExtensionIDs.get(id); + } + return name; + } + + public Vector getCRLExtensionNames() { + return (Vector) mCRLExtensionNames.clone(); + } + + public Vector getCRLEntryExtensionNames() { + return (Vector) mCRLEntryExtensionNames.clone(); + } + + public void addToCRLExtensions(CRLExtensions crlExts, String extName, Extension ext) { + if (mCRLExtensionClassNames.containsKey(extName)) { + String name = (String) mCRLExtensionClassNames.get(extName); + + try { + Class extClass = Class.forName(name); + + if (extClass != null) { + ICMSCRLExtension cmsCRLExt = (ICMSCRLExtension) extClass.newInstance(); + + if (cmsCRLExt != null) { + if (ext != null) 
{ + if (isCRLExtensionCritical(extName) ^ ext.isCritical()) { + ext = (Extension) cmsCRLExt.setCRLExtensionCriticality( + ext, isCRLExtensionCritical(extName)); + } + } else { + ext = (Extension) cmsCRLExt.getCRLExtension(mCRLExtConfig.getSubStore(extName), + mCRLIssuingPoint, + isCRLExtensionCritical(extName)); + } + + if (crlExts != null && ext != null) { + crlExts.set(extName, ext); + } + } + } + } catch (ClassNotFoundException e) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_CRLEXTS_CLASS_NOT_FOUND", name, e.toString())); + } catch (InstantiationException e) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_CRLEXTS_CLASS_NOT_INST", name, e.toString())); + } catch (IllegalAccessException e) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_CRLEXTS_CLASS_NOT_ACCESS", name, e.toString())); + } catch (IOException e) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_CRLEXTS_CLASS_ADD", name, e.toString())); + } + } + } + + public NameValuePairs getConfigParams(String id) { + NameValuePairs nvp = null; + + if (mCRLEntryExtensionNames.contains(id) || + mCRLExtensionNames.contains(id)) { + nvp = new NameValuePairs(); + + /* + if (mCRLEntryExtensionNames.contains(id)) { + nvp.add(Constants.PR_CRLEXT_IMPL_NAME, "CRLEntryExtension"); + } else { + nvp.add(Constants.PR_CRLEXT_IMPL_NAME, "CRLExtension"); + } + + if (mCRLEntryExtensionNames.contains(id)) { + nvp.add(PROP_TYPE, "CRLEntryExtension"); + } else { + nvp.add(PROP_TYPE, "CRLExtension"); + } + */ + + if (mEnabledCRLExtensions.contains(id)) { + nvp.add(PROP_ENABLE, Constants.TRUE); + } else { + nvp.add(PROP_ENABLE, Constants.FALSE); + } + if (mCriticalCRLExtensions.contains(id)) { + nvp.add(PROP_CRITICAL, Constants.TRUE); + } else { + nvp.add(PROP_CRITICAL, Constants.FALSE); + } + + if (mCRLExtensionClassNames.containsKey(id)) { + String name = (String) mCRLExtensionClassNames.get(id); + + if (name != null) { + + try { + Class extClass = Class.forName(name); + + if (extClass != 
null) { + ICMSCRLExtension cmsCRLExt = (ICMSCRLExtension) extClass.newInstance(); + + if (cmsCRLExt != null) { + cmsCRLExt.getConfigParams(mCRLExtConfig.getSubStore(id), nvp); + } + } + } catch (ClassNotFoundException e) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_CRLEXTS_CLASS_NOT_FOUND", name, e.toString())); + } catch (InstantiationException e) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_CRLEXTS_CLASS_NOT_INST", name, e.toString())); + } catch (IllegalAccessException e) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_CRLEXTS_CLASS_NOT_ACCESS", name, e.toString())); + } + + int i = name.lastIndexOf('.'); + + if ((i > -1) && (i + 1 < name.length())) { + String idName = name.substring(i + 1); + + if (idName != null) { + nvp.add(Constants.PR_CRLEXT_IMPL_NAME, idName); + } + } + } + } + } + return nvp; + } + + public void setConfigParams(String id, NameValuePairs nvp, IConfigStore config) { + for (int i = 0; i < nvp.size(); i++) { + NameValuePair p = nvp.elementAt(i); + String name = p.getName(); + String value = p.getValue(); + + if (name.equals(PROP_ENABLE)) { + if (!(value.equals(Constants.TRUE) || + value.equals(Constants.FALSE))) { + continue; + } + if (value.equals(Constants.TRUE)) { + if (!(mEnabledCRLExtensions.contains(id))) { + mEnabledCRLExtensions.addElement(id); + } + } + if (value.equals(Constants.FALSE)) { + mEnabledCRLExtensions.remove(id); + } + } + + if (name.equals(PROP_CRITICAL)) { + if (!(value.equals(Constants.TRUE) || + value.equals(Constants.FALSE))) { + continue; + } + if (value.equals(Constants.TRUE)) { + if (!(mCriticalCRLExtensions.contains(id))) { + mCriticalCRLExtensions.addElement(id); + } + } + if (value.equals(Constants.FALSE)) { + mCriticalCRLExtensions.remove(id); + } + } + + config.putString(name, value); + } + } + + public String getClassPath(String name) { + Enumeration enum1 = mCRLExtensionClassNames.elements(); + + while (enum1.hasMoreElements()) { + String extClassName = (String) 
enum1.nextElement();
+
+ if (extClassName != null) {
+ int i = extClassName.lastIndexOf('.');
+
+ if ((i > -1) && (i + 1 < extClassName.length())) {
+ String idName = extClassName.substring(i + 1);
+
+ if (idName != null) {
+ if (name.equals(idName)) {
+ return extClassName;
+ }
+ }
+ }
+ }
+ }
+
+ return null;
+ }
+
+ private void log(int level, String msg) {
+ mLogger.log(ILogger.EV_SYSTEM, null, ILogger.S_CA, level,
+ "CMSCRLExtension - " + msg);
+ }
+}
+
diff --git a/pki/base/ca/src/com/netscape/ca/CRLIssuingPoint.java b/pki/base/ca/src/com/netscape/ca/CRLIssuingPoint.java
new file mode 100644
index 000000000..5d500d8d5
--- /dev/null
+++ b/pki/base/ca/src/com/netscape/ca/CRLIssuingPoint.java
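Review bot: In getClassProperty, the branch taken when the configured `class` value is an empty string checks `mDefaultCRLExtensionClassNames.containsKey(extName)` but then reads the replacement from the instance map, `extClass = (String) mCRLExtensionClassNames.get(extName);`, which at that point has no entry for extName (it is only populated in the non-empty branch), so `extConfig.putString(PROP_CLASS, extClass)` writes null into the saved config; the two catch branches below read from the default map, and this branch should match them: `extClass = (String) mDefaultCRLExtensionClassNames.get(extName);`. The same method and addToCRLExtensions instantiate a class named in the config store via `Class.forName(...).newInstance()` and cast the result to ICMSCRLExtension, but only ClassNotFoundException, InstantiationException and IllegalAccessException are caught, so a configured class that does not implement the interface escapes as an unchecked ClassCastException out of the constructor; catching it alongside the others and logging the offending class name would keep one bad `class` property from failing the whole issuing point. The four `catch (CertificateException e) { }` blocks in the static initializer are silent, so a failed OIDMap.addAttribute registration leaves those extensions unrecognised with nothing in the log; a log line naming the extension there would make the condition diagnosable. Separately, getCriticalProperty's three log messages report `mDefaultEnabledCRLExtensions.contains(extName)` while the value actually written is taken from `mDefaultCriticalCRLExtensions`, so the logged default can disagree with what was persisted.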
@@ -0,0 +1,2564 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.ca; + + +import java.util.*; +import java.math.*; +import java.io.*; +import java.security.cert.CRLException; +import java.security.NoSuchAlgorithmException; +import netscape.security.x509.*; +import netscape.security.util.*; +import netscape.security.pkcs.*; +import com.netscape.certsrv.base.*; +import com.netscape.certsrv.util.*; +import com.netscape.certsrv.request.*; +import com.netscape.certsrv.security.*; +import com.netscape.certsrv.common.*; +import com.netscape.certsrv.logging.*; +import com.netscape.certsrv.ca.*; +import com.netscape.certsrv.dbs.*; +import com.netscape.certsrv.dbs.crldb.*; +import com.netscape.cmscore.dbs.*; +import com.netscape.certsrv.dbs.crldb.ICRLRepository; +import com.netscape.certsrv.dbs.certdb.*; +import com.netscape.certsrv.ldap.*; +import com.netscape.certsrv.publish.*; +import com.netscape.certsrv.apps.*; +import com.netscape.certsrv.ca.ICMSCRLExtension; +import com.netscape.cmscore.request.CertRequestConstants; +import com.netscape.cmscore.ldap.*; +import com.netscape.cmscore.util.Debug; + + +/** + * This class encapsulates CRL issuing mechanism. 
CertificateAuthority + * contains a map of CRLIssuingPoint indexed by string ids. Each issuing + * point contains information about CRL issuing and publishing parameters + * as well as state information which includes last issued CRL, next CRL + * serial number, time of the next update etc. + * If autoUpdateInterval is set to non-zero value then worker thread + * is created that will perform CRL update at scheduled intervals. Update + * can also be triggered by invoking updateCRL method directly. Another + * parameter minUpdateInterval can be used to prevent CRL + * from being updated too often + * <P> + * + * @author awnuk + * @author lhsiao + * @author galperin + * @version $Revision: 14562 $, $Date: 2007-05-01 10:31:12 -0700 (Tue, 01 May 2007) $ + */ + +public class CRLIssuingPoint implements ICRLIssuingPoint, Runnable { + + public static final long SECOND = 1000L; + public static final long MINUTE = (SECOND * 60L); + + /* configuration file property names */ + + public IPublisherProcessor mPublisherProcessor = null; + + private ILogger mLogger = CMS.getLogger(); + + private IConfigStore mConfigStore; + + private ICRLPublisher mCRLPublisher = null; + private int mCountMod = 0; + private int mCount = 0; + + private CMSCRLExtensions mCMSCRLExtensions = null; + + /** + * Internal unique id of this CRL issuing point. + */ + protected String mId = null; + + /** + * Reference to the CertificateAuthority instance which owns this + * issuing point. + */ + protected ICertificateAuthority mCA = null; + + /** + * Reference to the CRL repository maintained in CA. + */ + protected ICRLRepository mCRLRepository = null; + + /** + * Reference to the cert repository maintained in CA. + */ + private ICertificateRepository mCertRepository = null; + + /** + * Enable CRL issuing point. 
+ */ + private boolean mEnable = true; + + /** + * Description of the issuing point + */ + private String mDescription = null; + + /** + * CRL cache + */ + private Hashtable mCRLCerts = new Hashtable(); + private Hashtable mRevokedCerts = new Hashtable(); + private Hashtable mUnrevokedCerts = new Hashtable(); + private Hashtable mExpiredCerts = new Hashtable(); + private boolean mIncludeExpiredCerts = false; + private boolean mCACertsOnly = false; + + private boolean mProfileCertsOnly = false; + private Vector mProfileList = null; + + /** + * Enable CRL cache. + */ + private boolean mEnableCRLCache = true; + private boolean mCRLCacheIsCleared = true; + private boolean mEnableCacheRecovery = false; + private String mFirstUnsaved = null; + + /** + * Last CRL cache update + */ + private long mLastCacheUpdate = 0; + + /** + * Time interval in milliseconds between consequential CRL cache + * updates performed automatically. + */ + private long mCacheUpdateInterval; + + /** + * Enable CRL updates. + */ + private boolean mEnableCRLUpdates = true; + + /** + * CRL update schema. + */ + private int mUpdateSchema = 1; + private int mSchemaCounter = 0; + + /** + * Enable CRL daily updates at listed times. + */ + private boolean mEnableDailyUpdates = false; + private Vector mDailyUpdates = null; + + /** + * Enable CRL auto update with interval + */ + private boolean mEnableUpdateFreq = false; + + /** + * Time interval in milliseconds between consequential CRL Enable CRL daily update at updates + * performed automatically. + */ + private long mAutoUpdateInterval; + + /** + * Minimum time interval in milliseconds between consequential + * CRL updates (manual or automatic). + */ + private long mMinUpdateInterval; + + /** + * Update CRL even if auto interval > 0 + */ + private boolean mAlwaysUpdate = false; + + /** + * next update grace period + */ + private long mNextUpdateGracePeriod; + + /** + * Boolean flag controlling whether CRLv2 extensions are to be + * used in CRL. 
+ */ + private boolean mAllowExtensions = false; + + /** + * DN of the directory entry where CRLs from this issuing point + * are published. + */ + private String mPublishDN = null; + + /** + * signing algorithm + */ + private String mSigningAlgorithm = null; + private String mLastSigningAlgorithm = null; + + /** + * Cached value of the CRL extensions to be placed in CRL + */ + //protected CRLExtensions mCrlExtensions; + + /** + * CRL number + */ + private BigInteger mCRLNumber; + private BigInteger mNextCRLNumber; + private BigInteger mLastCRLNumber; + + /** + * Delta CRL number + */ + private BigInteger mDeltaCRLNumber; + private BigInteger mNextDeltaCRLNumber; + + /** + * Last CRL update date + */ + private Date mLastUpdate; + + /** + * Next scheduled CRL update date + */ + private Date mNextUpdate; + private Date mNextDeltaUpdate; + private boolean mExtendedNextUpdate; + + /** + * Worker thread doing auto-update + */ + private Thread mUpdateThread = null; + + /** + * for going one more round when auto-interval is set to 0 (turned off) + */ + private boolean mDoLastAutoUpdate = false; + + /** + * whether issuing point has been initialized. + */ + private int mInitialized = CRL_IP_NOT_INITIALIZED; + + /** + * number of entries in the CRL + */ + private long mCRLSize = -1; + private long mDeltaCRLSize = -1; + + /** + * update status, publishing status Strings to store in requests to + * display result. + */ + private String mCrlUpdateStatus; + private String mCrlUpdateError; + private String mCrlPublishStatus; + private String mCrlPublishError; + + /** + * begin, end serial number range of revoked certs if any. 
+ */ + protected BigInteger mBeginSerial = null; + protected BigInteger mEndSerial = null; + + private int mUpdatingCRL = CRL_UPDATE_DONE; + + private boolean mDoManualUpdate = false; + private String mSignatureAlgorithmForManualUpdate = null; + + private boolean mPublishOnStart = false; + private long[] mSplits = new long[10]; + + /** + * Constructs a CRL issuing point from instantiating from class name. + * CRL Issuing point must be followed by method call init(CA, id, config); + */ + public CRLIssuingPoint() { + } + + public boolean isCRLIssuingPointEnabled() { + return mEnable; + } + + public void enableCRLIssuingPoint(boolean enable) { + if ((!enable) && (mEnable ^ enable)) { + clearCRLCache(); + updateCRLCacheRepository(); + } + mEnable = enable; + setAutoUpdates(); + } + + public boolean isCRLGenerationEnabled() { + return mEnableCRLUpdates; + } + + public String getCrlUpdateStatusStr() { + return mCrlUpdateStatus; + } + + public String getCrlUpdateErrorStr() { + return mCrlUpdateError; + } + + public String getCrlPublishStatusStr() { + return mCrlPublishStatus; + } + + public String getCrlPublishErrorStr() { + return mCrlPublishError; + } + + public ICMSCRLExtensions getCRLExtensions() { + return mCMSCRLExtensions; + } + + public int isCRLIssuingPointInitialized() { + return mInitialized; + } + + public boolean isManualUpdateSet() { + return mDoManualUpdate; + } + + public boolean areExpiredCertsIncluded() { + return mIncludeExpiredCerts; + } + + public boolean isCACertsOnly() { + return mCACertsOnly; + } + + public boolean isProfileCertsOnly() { + return (mProfileCertsOnly && mProfileList != null && mProfileList.size() > 0); + } + + public boolean checkCurrentProfile(String id) { + boolean b = false; + + if (mProfileCertsOnly && mProfileList != null && mProfileList.size() > 0) { + for (int k = 0; k < mProfileList.size(); k++) { + String profileId = (String) mProfileList.elementAt(k); + if (id != null && profileId != null && profileId.equalsIgnoreCase(id)) 
{ + b = true; + break; + } + } + } + + return b; + } + + + /** + * Initializes a CRL issuing point config. + * <P> + * + * @param ca reference to CertificateAuthority instance which + * owns this issuing point. + * @param id string id of this CRL issuing point. + * @param config configuration of this CRL issuing point. + * @exception EBaseException if initialization failed + * @exception IOException + */ + public void init(ISubsystem ca, String id, IConfigStore config) + throws EBaseException { + mCA = (ICertificateAuthority) ca; + mId = id; + + if (mId.equals(ICertificateAuthority.PROP_MASTER_CRL)) { + mCrlUpdateStatus = IRequest.CRL_UPDATE_STATUS; + mCrlUpdateError = IRequest.CRL_UPDATE_ERROR; + mCrlPublishStatus = IRequest.CRL_PUBLISH_STATUS; + mCrlPublishError = IRequest.CRL_PUBLISH_ERROR; + } else { + mCrlUpdateStatus = IRequest.CRL_UPDATE_STATUS + "_" + mId; + mCrlUpdateError = IRequest.CRL_UPDATE_ERROR + "_" + mId; + mCrlPublishStatus = IRequest.CRL_PUBLISH_STATUS + "_" + mId; + mCrlPublishError = IRequest.CRL_PUBLISH_ERROR + "_" + mId; + } + + mConfigStore = config; + mCountMod = config.getInteger("countMod",0); + mCRLRepository = mCA.getCRLRepository(); + mCertRepository = mCA.getCertificateRepository(); + ((CertificateRepository) mCertRepository).addCRLIssuingPoint(mId, this); + mPublisherProcessor = mCA.getPublisherProcessor(); + + //mCRLPublisher = mCA.getCRLPublisher(); + ((CAService) mCA.getCAService()).addCRLIssuingPoint(mId, this); + + // read in config parameters. + initConfig(config); + + // create request listener. + String lname = RevocationRequestListener.class.getName(); + String crlListName = lname + "_" + mId; + + if (mCA.getRequestListener(crlListName) == null) { + mCA.registerRequestListener( + crlListName, new RevocationRequestListener()); + } + + for (int i = 0; i < mSplits.length; i++) { + mSplits[i] = 0; + } + + // this will start a thread if necessary for automatic updates. 
+ setAutoUpdates(); + } + + + private int checkTime(String time) { + String digits = "0123456789"; + + int len = time.length(); + if (len < 3 || len > 5) return -1; + + int s = time.indexOf(':'); + if (s < 0 || s > 2 || (len - s) != 3) return -1; + + int h = 0; + for (int i = 0; i < s; i++) { + h *= 10; + int k = digits.indexOf(time.charAt(i)); + if (k < 0) return -1; + h += k; + } + if (h > 23) return -1; + + int m = 0; + for (int i = s+1; i < len; i++) { + m *= 10; + int k = digits.indexOf(time.charAt(i)); + if (k < 0) return -1; + m += k; + } + if (m > 59) return -1; + + return ((h * 60) + m); + } + + private Vector getTimeList(String list) { + if (list == null) return null; + if (list.length() > 0 && list.charAt(list.length()-1) == ',') return null; + + Vector listedTimes = new Vector(); + + StringTokenizer elements = new StringTokenizer(list, ",", true); + int t0 = -1; + int n = 0; + while (elements.hasMoreTokens()) { + String element = elements.nextToken().trim(); + if (element == null || element.length() == 0) return null; + if (element.equals(",") && n % 2 == 0) return null; + if (n % 2 == 0) { + int t = checkTime(element); + if (t < 0) { + return null; + } else { + if (t > t0) { + listedTimes.addElement(Integer.valueOf(t)); + t0 = t; + } else { + return null; + } + } + } + n++; + } + if (n % 2 == 0) return null; + + return listedTimes; + } + + private String checkProfile(String id, Enumeration e) { + if (e != null) { + while (e.hasMoreElements()) { + String profileId = (String) e.nextElement(); + if (profileId != null && profileId.equalsIgnoreCase(id)) + return id; + } + } + return null; + } + + private Vector getProfileList(String list) { + Enumeration e = null; + IConfigStore pc = CMS.getConfigStore().getSubStore("profile"); + if (pc != null) e = pc.getSubStoreNames(); + if (list == null) return null; + if (list.length() > 0 && list.charAt(list.length()-1) == ',') return null; + + Vector listedProfiles = new Vector(); + + StringTokenizer elements = new 
StringTokenizer(list, ",", true); + int t0 = -1; + int n = 0; + while (elements.hasMoreTokens()) { + String element = elements.nextToken().trim(); + if (element == null || element.length() == 0) return null; + if (element.equals(",") && n % 2 == 0) return null; + if (n % 2 == 0) { + String id = checkProfile(element, e); + if (id != null) { + listedProfiles.addElement(id); + } + } + n++; + } + if (n % 2 == 0) return null; + + return listedProfiles; + } + + + /** + * get CRL config store info + */ + protected void initConfig(IConfigStore config) + throws EBaseException { + + mEnable = config.getBoolean(Constants.PR_ENABLE, true); + mDescription = config.getString(Constants.PR_DESCRIPTION); + + // Get CRL cache config. + mEnableCRLCache = config.getBoolean(Constants.PR_ENABLE_CACHE, true); + mCacheUpdateInterval = MINUTE * config.getInteger(Constants.PR_CACHE_FREQ, 0); + mEnableCacheRecovery = config.getBoolean(Constants.PR_CACHE_RECOVERY, false); + + // check if CRL generation is enabled + mEnableCRLUpdates = config.getBoolean(Constants.PR_ENABLE_CRL, true); + + // get update schema + mUpdateSchema = config.getInteger(Constants.PR_UPDATE_SCHEMA, 1); + mSchemaCounter = 0; + + // Get always update even if updated perdically. + mAlwaysUpdate = config.getBoolean(Constants.PR_UPDATE_ALWAYS, false); + + // Get list of daily updates. + mEnableDailyUpdates = config.getBoolean(Constants.PR_ENABLE_DAILY, false); + String daily = config.getString(Constants.PR_DAILY_UPDATES, null); + mDailyUpdates = getTimeList(daily); + if (mDailyUpdates == null || mDailyUpdates.isEmpty()) { + mEnableDailyUpdates = false; + log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_INVALID_TIME_LIST")); + } + + // Get auto update interval in minutes. 
+ mEnableUpdateFreq = config.getBoolean(Constants.PR_ENABLE_FREQ, true); + mAutoUpdateInterval = MINUTE * config.getInteger(Constants.PR_UPDATE_FREQ, 0); + mMinUpdateInterval = MINUTE * config.getInteger(PROP_MIN_UPDATE_INTERVAL, 0); + if (mEnableUpdateFreq && mAutoUpdateInterval > 0 && + mAutoUpdateInterval < mMinUpdateInterval) + mAutoUpdateInterval = mMinUpdateInterval; + + // get next update grace period + mNextUpdateGracePeriod = MINUTE * config.getInteger(Constants.PR_GRACE_PERIOD, 0); + + // Get V2 or V1 CRL + mAllowExtensions = config.getBoolean(Constants.PR_EXTENSIONS, false); + + mIncludeExpiredCerts = config.getBoolean(Constants.PR_INCLUDE_EXPIREDCERTS, false); + mCACertsOnly = config.getBoolean(Constants.PR_CA_CERTS_ONLY, false); + mProfileCertsOnly = config.getBoolean(Constants.PR_PROFILE_CERTS_ONLY, false); + if (mProfileCertsOnly) { + String profiles = config.getString(Constants.PR_PROFILE_LIST, null); + mProfileList = getProfileList(profiles); + } + + // Get default signing algorithm. + // check if algorithm is supported. + mSigningAlgorithm = mCA.getCRLSigningUnit().getDefaultAlgorithm(); + String algorithm = config.getString(Constants.PR_SIGNING_ALGORITHM, null); + + if (algorithm != null) { + // make sure this algorithm is acceptable to CA. + mCA.getCRLSigningUnit().checkSigningAlgorithmFromName(algorithm); + mSigningAlgorithm = algorithm; + } + + mPublishOnStart = config.getBoolean(PROP_PUBLISH_ON_START, false); + // if publish dn is null then certificate will be published to + // CA's entry in the directory. + mPublishDN = config.getString(PROP_PUBLISH_DN, null); + + mCMSCRLExtensions = new CMSCRLExtensions(this, config); + + mExtendedNextUpdate = (mUpdateSchema > 1 && isDeltaCRLEnabled())? + config.getBoolean(Constants.PR_EXTENDED_NEXT_UPDATE, true): + false; + + // Get serial number ranges if any. 
+ mBeginSerial = config.getBigInteger(PROP_BEGIN_SERIAL, null); + if (mBeginSerial != null && mBeginSerial.compareTo(BigInteger.ZERO) < 0) { + throw new EBaseException( + CMS.getUserMessage("CMS_BASE_INVALID_PROPERTY_1", + PROP_BEGIN_SERIAL, "BigInteger", "positive number")); + } + mEndSerial = config.getBigInteger(PROP_END_SERIAL, null); + if (mEndSerial != null && mEndSerial.compareTo(BigInteger.ZERO) < 0) { + throw new EBaseException( + CMS.getUserMessage("CMS_BASE_INVALID_PROPERTY_1", + PROP_END_SERIAL, "BigInteger", "positive number")); + } + } + + /** + * Reads CRL issuing point, if missing, it creates one. + * Initializes CRL cache and republishes CRL if requested + * Called from auto update thread (run()). + * Do not call it from init(), because it will block CMS on start. + */ + private void initCRL() { + ICRLIssuingPointRecord crlRecord = null; + + mLastCacheUpdate = System.currentTimeMillis() + mCacheUpdateInterval; + + try { + crlRecord = mCRLRepository.readCRLIssuingPointRecord(mId); + } catch (EDBNotAvailException e) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_ISSUING_INST_CRL", e.toString())); + mInitialized = CRL_IP_INITIALIZATION_FAILED; + return; + } catch (EBaseException e) { + // CRL was never set. + // fall to the following.. 
+ } + + if (crlRecord != null) { + mCRLNumber = crlRecord.getCRLNumber(); + if (crlRecord.getCRLSize() != null) { + mCRLSize = crlRecord.getCRLSize().longValue(); + } + mNextCRLNumber = mCRLNumber.add(BigInteger.ONE); + + if (crlRecord.getDeltaCRLSize() != null) { + mDeltaCRLSize = crlRecord.getDeltaCRLSize().longValue(); + } + + mDeltaCRLNumber = crlRecord.getDeltaCRLNumber(); + if (mDeltaCRLNumber == null) { + mDeltaCRLNumber = mCRLNumber; // better recovery later + } else { + if (mDeltaCRLNumber.compareTo(mCRLNumber) < 0) { + mDeltaCRLNumber = mCRLNumber; + clearCRLCache(); + mDeltaCRLSize = -1L; + } + } + mNextDeltaCRLNumber = mDeltaCRLNumber.add(BigInteger.ONE); + + if (mNextDeltaCRLNumber.compareTo(mNextCRLNumber) > 0) { + mNextCRLNumber = mNextDeltaCRLNumber; + } + + mLastCRLNumber = BigInteger.ZERO; + + mLastUpdate = crlRecord.getThisUpdate(); + if (mLastUpdate == null) { + mLastUpdate = new Date(0L); + } + + mNextUpdate = crlRecord.getNextUpdate(); + if (isDeltaCRLEnabled()) { + mNextDeltaUpdate = (mNextUpdate != null)? 
new Date(mNextUpdate.getTime()): null; + } + + mFirstUnsaved = crlRecord.getFirstUnsaved(); + if (Debug.on()) { + Debug.trace("initCRL CRLNumber="+mCRLNumber.toString()+" CRLSize="+mCRLSize+ + " FirstUnsaved="+mFirstUnsaved); + } + if (mFirstUnsaved == null || + (mFirstUnsaved != null && mFirstUnsaved.equals(ICRLIssuingPointRecord.NEW_CACHE))) { + clearCRLCache(); + updateCRLCacheRepository(); + } else { + byte[] crl = crlRecord.getCRL(); + + if (crl != null) { + X509CRLImpl x509crl = null; + + if (mEnableCRLCache || mPublishOnStart) { + try { + x509crl = new X509CRLImpl(crl); + } catch (Exception e) { + clearCRLCache(); + log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_ISSUING_DECODE_CRL", e.toString())); + } catch (OutOfMemoryError e) { + clearCRLCache(); + log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_ISSUING_DECODE_CRL", e.toString())); + mInitialized = CRL_IP_INITIALIZATION_FAILED; + return; + } + } + if (x509crl != null) { + if (mEnableCRLCache) { + if (mCRLCacheIsCleared && mUpdatingCRL == CRL_UPDATE_DONE) { + mRevokedCerts = crlRecord.getRevokedCerts(); + if (mRevokedCerts == null) { + mRevokedCerts = new Hashtable(); + } + mUnrevokedCerts = crlRecord.getUnrevokedCerts(); + if (mUnrevokedCerts == null) { + mUnrevokedCerts = new Hashtable(); + } + mExpiredCerts = crlRecord.getExpiredCerts(); + if (mExpiredCerts == null) { + mExpiredCerts = new Hashtable(); + } + if (isDeltaCRLEnabled()) { + mNextUpdate = x509crl.getNextUpdate(); + } + mCRLCerts = x509crl.getListOfRevokedCertificates(); + } + if (mFirstUnsaved != null && !mFirstUnsaved.equals(ICRLIssuingPointRecord.CLEAN_CACHE)) { + recoverCRLCache(); + } else { + mCRLCacheIsCleared = false; + } + mInitialized = CRL_IP_INITIALIZED; + } + if (mPublishOnStart) { + try { + publishCRL(x509crl); + x509crl = null; + } catch (EBaseException e) { + x509crl = null; + log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_ISSUING_PUBLISH_CRL", mCRLNumber.toString(), e.toString())); + } catch 
(OutOfMemoryError e) { + x509crl = null; + log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_ISSUING_PUBLISH_CRL", mCRLNumber.toString(), e.toString())); + } + } + } + } + } + } + + if (crlRecord == null) { + // no crl was ever created, or crl in db is corrupted. + // create new one. + try { + crlRecord = new CRLIssuingPointRecord(mId, BigInteger.ZERO, Long.valueOf(-1), + null, null, BigInteger.ZERO, Long.valueOf(-1), + mRevokedCerts, mUnrevokedCerts, mExpiredCerts); + mCRLRepository.addCRLIssuingPointRecord(crlRecord); + mCRLNumber = BigInteger.ZERO; //BIG_ZERO; + mNextCRLNumber = BigInteger.ONE; //BIG_ONE; + mLastCRLNumber = mCRLNumber; + mDeltaCRLNumber = mCRLNumber; + mNextDeltaCRLNumber = mNextCRLNumber; + mLastUpdate = new Date(0L); + if (crlRecord != null) { + // This will trigger updateCRLNow, which will also publish CRL. + if ((mDoManualUpdate == false) && + (mEnableCRLCache || mAlwaysUpdate || + (mEnableUpdateFreq && mAutoUpdateInterval > 0))) { + mInitialized = CRL_IP_INITIALIZED; + setManualUpdate(null); + } + } + } catch (EBaseException ex) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_ISSUING_CREATE_CRL", ex.toString())); + mInitialized = CRL_IP_INITIALIZATION_FAILED; + return; + } + } + mInitialized = CRL_IP_INITIALIZED; + } + + private Object configMonitor = new Object(); + + public boolean updateConfig(NameValuePairs params) { + synchronized (configMonitor) { + boolean noRestart = true; + boolean modifiedSchedule = false; + + for (int i = 0; i < params.size(); i++) { + NameValuePair p = params.elementAt(i); + String name = p.getName(); + String value = p.getValue(); + + // -- Update Schema -- + if (name.equals(Constants.PR_ENABLE_CRL)) { + if (value.equals(Constants.FALSE) && mEnableCRLUpdates) { + mEnableCRLUpdates = false; + modifiedSchedule = true; + } else if (value.equals(Constants.TRUE) && (!mEnableCRLUpdates)) { + mEnableCRLUpdates = true; + modifiedSchedule = true; + } + } + + if (name.equals(Constants.PR_UPDATE_SCHEMA)) { + 
try { + if (value != null && value.length() > 0) { + int schema = Integer.parseInt(value.trim()); + if (mUpdateSchema != schema) { + mUpdateSchema = schema; + mSchemaCounter = 0; + modifiedSchedule = true; + } + } + } catch (NumberFormatException e) { + noRestart = false; + } + } + + if (name.equals(Constants.PR_EXTENDED_NEXT_UPDATE)) { + if (value.equals(Constants.FALSE) && mExtendedNextUpdate) { + mExtendedNextUpdate = false; + } else if (value.equals(Constants.TRUE) && (!mExtendedNextUpdate)) { + mExtendedNextUpdate = true; + } + } + + // -- Update Frequency -- + if (name.equals(Constants.PR_UPDATE_ALWAYS)) { + if (value.equals(Constants.FALSE) && mAlwaysUpdate) { + mAlwaysUpdate = false; + } else if (value.equals(Constants.TRUE) && (!mAlwaysUpdate)) { + mAlwaysUpdate = true; + } + } + + if (name.equals(Constants.PR_ENABLE_DAILY)) { + if (value.equals(Constants.FALSE) && mEnableDailyUpdates) { + mEnableDailyUpdates = false; + modifiedSchedule = true; + } else if (value.equals(Constants.TRUE) && (!mEnableDailyUpdates)) { + mEnableDailyUpdates = true; + modifiedSchedule = true; + } + } + + if (name.equals(Constants.PR_DAILY_UPDATES)) { + Vector dailyUpdates = getTimeList(value); + if (((dailyUpdates != null) ^ (mDailyUpdates != null)) || + (dailyUpdates != null && mDailyUpdates != null && + (!mDailyUpdates.equals(dailyUpdates)))) { + if (dailyUpdates != null) { + mDailyUpdates = (Vector) dailyUpdates.clone(); + } else { + mDailyUpdates = null; + } + modifiedSchedule = true; + } + if (mDailyUpdates == null || mDailyUpdates.isEmpty()) { + mEnableDailyUpdates = false; + log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_INVALID_TIME_LIST")); + } + } + + if (name.equals(Constants.PR_ENABLE_FREQ)) { + if (value.equals(Constants.FALSE) && mEnableUpdateFreq) { + mEnableUpdateFreq = false; + modifiedSchedule = true; + } else if (value.equals(Constants.TRUE) && (!mEnableUpdateFreq)) { + mEnableUpdateFreq = true; + modifiedSchedule = true; + } + } + + if 
(name.equals(Constants.PR_UPDATE_FREQ)) { + try { + if (value != null && value.length() > 0) { + long t = MINUTE * Long.parseLong(value.trim()); + if (mAutoUpdateInterval != t) { + mAutoUpdateInterval = t; + modifiedSchedule = true; + } + } else { + if (mAutoUpdateInterval != 0) { + mAutoUpdateInterval = 0; + modifiedSchedule = true; + } + } + } catch (NumberFormatException e) { + noRestart = false; + } + } + + if (name.equals(Constants.PR_GRACE_PERIOD)) { + try { + if (value != null && value.length() > 0) { + mNextUpdateGracePeriod = MINUTE * Long.parseLong(value.trim()); + } + } catch (NumberFormatException e) { + noRestart = false; + } + } + + // -- CRL Cache -- + if (name.equals(Constants.PR_ENABLE_CACHE)) { + if (value.equals(Constants.FALSE) && mEnableCRLCache) { + clearCRLCache(); + updateCRLCacheRepository(); + mEnableCRLCache = false; + modifiedSchedule = true; + } else if (value.equals(Constants.TRUE) && (!mEnableCRLCache)) { + clearCRLCache(); + updateCRLCacheRepository(); + mEnableCRLCache = true; + modifiedSchedule = true; + } + } + + if (name.equals(Constants.PR_CACHE_FREQ)) { + try { + if (value != null && value.length() > 0) { + long t = MINUTE * Long.parseLong(value.trim()); + if (mCacheUpdateInterval != t) { + mCacheUpdateInterval = t; + modifiedSchedule = true; + } + } + } catch (NumberFormatException e) { + noRestart = false; + } + } + + if (name.equals(Constants.PR_CACHE_RECOVERY)) { + if (value.equals(Constants.FALSE) && mEnableCacheRecovery) { + mEnableCacheRecovery = false; + } else if (value.equals(Constants.TRUE) && (!mEnableCacheRecovery)) { + mEnableCacheRecovery = true; + } + } + + // -- CRL Format -- + if (name.equals(Constants.PR_SIGNING_ALGORITHM)) { + if (value != null) value = value.trim(); + if (!mSigningAlgorithm.equals(value)) { + mSigningAlgorithm = value; + } + } + + if (name.equals(Constants.PR_EXTENSIONS)) { + if (value.equals(Constants.FALSE) && mAllowExtensions) { + clearCRLCache(); + updateCRLCacheRepository(); + 
mAllowExtensions = false; + } else if (value.equals(Constants.TRUE) && (!mAllowExtensions)) { + clearCRLCache(); + updateCRLCacheRepository(); + mAllowExtensions = true; + } + } + + if (name.equals(Constants.PR_INCLUDE_EXPIREDCERTS)) { + if (value.equals(Constants.FALSE) && mIncludeExpiredCerts) { + clearCRLCache(); + updateCRLCacheRepository(); + mIncludeExpiredCerts = false; + } else if (value.equals(Constants.TRUE) && (!mIncludeExpiredCerts)) { + clearCRLCache(); + updateCRLCacheRepository(); + mIncludeExpiredCerts = true; + } + } + + if (name.equals(Constants.PR_CA_CERTS_ONLY)) { + if (value.equals(Constants.FALSE) && mCACertsOnly) { + clearCRLCache(); + updateCRLCacheRepository(); + mCACertsOnly = false; + } else if (value.equals(Constants.TRUE) && (!mCACertsOnly)) { + clearCRLCache(); + updateCRLCacheRepository(); + mCACertsOnly = true; + } + } + + if (name.equals(Constants.PR_PROFILE_CERTS_ONLY)) { + if (value.equals(Constants.FALSE) && mProfileCertsOnly) { + clearCRLCache(); + updateCRLCacheRepository(); + mProfileCertsOnly = false; + } else if (value.equals(Constants.TRUE) && (!mProfileCertsOnly)) { + clearCRLCache(); + updateCRLCacheRepository(); + mProfileCertsOnly = true; + } + } + + if (name.equals(Constants.PR_PROFILE_LIST)) { + Vector profileList = getProfileList(value); + if (((profileList != null) ^ (mProfileList != null)) || + (profileList != null && mProfileList != null && + (!mProfileList.equals(profileList)))) { + if (profileList != null) { + mProfileList = (Vector) profileList.clone(); + } else { + mProfileList = null; + } + clearCRLCache(); + updateCRLCacheRepository(); + } + if (mProfileList == null || mProfileList.isEmpty()) { + mProfileCertsOnly = false; + log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_INVALID_PROFILE_LIST")); + } + } + } + + if (modifiedSchedule) setAutoUpdates(); + + return noRestart; + } + } + + /** + * This method is called during shutdown. 
+ * <P> + */ + public synchronized void shutdown() { + // this should stop a thread if necessary + if (mEnableCRLCache && mCacheUpdateInterval > 0) { + updateCRLCacheRepository(); + } + mEnable = false; + + setAutoUpdates(); + if (mUpdateThread != null) + mUpdateThread.destroy(); + } + + /** + * Returns internal id of this CRL issuing point. + * <P> + * + * @return internal id of this CRL issuing point + */ + public String getId() { + return mId; + } + + /** + * Returns internal description of this CRL issuing point. + * <P> + * + * @return internal description of this CRL issuing point + */ + public String getDescription() { + return mDescription; + } + + /** + * Sets internal description of this CRL issuing point. + * + * @param description description for this CRL issuing point. + */ + public void setDescription(String description) { + mDescription = description; + } + + /** + * Returns DN of the directory entry where CRLs.from this issuing point + * are published. + * <P> + * + * @return DN of the directory entry where CRLs are published. + */ + public String getPublishDN() { + return mPublishDN; + } + + /** + * Returns signing algorithm. + * <P> + * + * @return SigningAlgorithm. + */ + public String getSigningAlgorithm() { + return mSigningAlgorithm; + } + + public String getLastSigningAlgorithm() { + return mLastSigningAlgorithm; + } + + /** + * Returns current CRL generation schema for this CRL issuing point. + * <P> + * + * @return current CRL generation schema for this CRL issuing point + */ + public int getCRLSchema() { + return mUpdateSchema; + } + + /** + * Returns current CRL number of this CRL issuing point. + * <P> + * + * @return current CRL number of this CRL issuing point + */ + public BigInteger getCRLNumber() { + return mCRLNumber; + } + + /** + * Returns current delta CRL number of this CRL issuing point. 
+ * <P> + * + * @return current delta CRL number of this CRL issuing point + */ + public BigInteger getDeltaCRLNumber() { + return (isDeltaCRLEnabled() && mDeltaCRLSize > -1)? mDeltaCRLNumber: BigInteger.ZERO; + } + + /** + * Returns next CRL number of this CRL issuing point. + * <P> + * + * @return next CRL number of this CRL issuing point + */ + public BigInteger getNextCRLNumber() { + return mNextDeltaCRLNumber; + } + + /** + * Returns number of entries in the CRL + * <P> + * + * @return number of entries in the CRL + */ + public long getCRLSize() { + return (mCRLCerts.size() > 0 && mCRLSize == 0)? mCRLCerts.size(): mCRLSize; + } + + /** + * Returns number of entries in delta CRL + * <P> + * + * @return number of entries in delta CRL + */ + public long getDeltaCRLSize() { + return mDeltaCRLSize; + } + + /** + * Returns last update time + * <P> + * + * @return last CRL update time + */ + public Date getLastUpdate() { + return mLastUpdate; + } + + /** + * Returns next update time + * <P> + * + * @return next CRL update time + */ + public Date getNextUpdate() { + return mNextUpdate; + } + + /** + * Returns next update time + * <P> + * + * @return next CRL update time + */ + public Date getNextDeltaUpdate() { + return mNextDeltaUpdate; + } + + /** + * Returns all the revoked certificates from the CRL cache. + * <P> + * + * @return set of all the revoked certificates or null if there are none. + */ + public Set getRevokedCertificates(int start, int end) { + if (mCRLCacheIsCleared || mCRLCerts == null || mCRLCerts.isEmpty()) { + return null; + } else { + ArraySet certSet = new ArraySet(); + Collection badCerts = mCRLCerts.values(); + Object[] objs = badCerts.toArray(); + for (int i = start; i < end && i < objs.length; i++) + certSet.add(objs[i]); + return certSet; + } + } + + /** + * Returns certificate authority. 
+ * <P>
+ *
+ * @return certificate authority
+ */
+ public ISubsystem getCertificateAuthority() {
+ return mCA;
+ }
+
+ /**
+ * Sets CRL auto updates
+ */
+
+ private synchronized void setAutoUpdates() {
+ if ((mEnable && mUpdateThread == null) &&
+ ((mEnableCRLCache && mCacheUpdateInterval > 0) ||
+ (mEnableCRLUpdates &&
+ ((mEnableDailyUpdates && mDailyUpdates != null &&
+ mDailyUpdates.size() > 0) ||
+ (mEnableUpdateFreq && mAutoUpdateInterval > 0) ||
+ (mInitialized == CRL_IP_NOT_INITIALIZED) ||
+ mDoLastAutoUpdate || mDoManualUpdate)))) {
+ mUpdateThread = new Thread(this, "CRLIssuingPoint-" + mId);
+ log(ILogger.LL_INFO, CMS.getLogMessage("CMSCORE_CA_ISSUING_START_CRL", mId));
+ mUpdateThread.setDaemon(true);
+ mUpdateThread.start();
+ }
+
+ if ((mInitialized == CRL_IP_INITIALIZED) && (((mNextUpdate != null) ^
+ ((mEnableDailyUpdates && mDailyUpdates != null && mDailyUpdates.size() > 0) ||
+ (mEnableUpdateFreq && mAutoUpdateInterval > 0))) ||
+ (!mEnableCRLUpdates && mNextUpdate != null))) {
+ mDoLastAutoUpdate = true;
+ }
+
+ if (mEnableUpdateFreq && mAutoUpdateInterval > 0 &&
+ mAutoUpdateInterval < mMinUpdateInterval) {
+ mAutoUpdateInterval = mMinUpdateInterval;
+ }
+
+ notifyAll();
+ }
+
+ /**
+ * Sets CRL manual-update
+ * Starts or stops worker thread as necessary.
+ */
+ public synchronized void setManualUpdate(String signatureAlgorithm) {
+ if (!mDoManualUpdate) {
+ mDoManualUpdate = true;
+ mSignatureAlgorithmForManualUpdate = signatureAlgorithm;
+ if (mEnableUpdateFreq && mAutoUpdateInterval > 0 && mUpdateThread != null) {
+ notifyAll();
+ } else {
+ setAutoUpdates();
+ }
+ }
+ }
+
+ /**
+ * @return auto update interval in milliseconds.
+ */
+ public long getAutoUpdateInterval() {
+ return (mEnableUpdateFreq)? mAutoUpdateInterval: 0;
+ }
+
+ /**
+ * @return always update the CRL
+ */
+ public boolean getAlwaysUpdate() {
+ return mAlwaysUpdate;
+ }
+
+ /**
+ * @return next update grace period in minutes.
+ */
+
+ public long getNextUpdateGracePeriod() {
+ return mNextUpdateGracePeriod;
+ }
+
+
+ private long findNextUpdate(boolean fromLastUpdate, boolean delta) {
+ long now = System.currentTimeMillis();
+ TimeZone tz = TimeZone.getDefault();
+ int offset = tz.getOffset(now);
+ long oneDay = 1440L * MINUTE;
+ long nowToday = (now + (long)offset) % oneDay;
+ long startOfToday = now - nowToday;
+
+ long lastUpdate = (mLastUpdate != null && fromLastUpdate)? mLastUpdate.getTime(): now;
+ long last = (lastUpdate + (long)offset) % oneDay;
+ long lastDay = lastUpdate - last;
+
+ boolean isDeltaEnabled = isDeltaCRLEnabled();
+ long next = 0L;
+ long nextUpdate = 0L;
+
+ if ((delta || fromLastUpdate) && isDeltaEnabled &&
+ mUpdateSchema > 1 && mNextDeltaUpdate != null) {
+ nextUpdate = mNextDeltaUpdate.getTime();
+ } else if (mNextUpdate != null) {
+ nextUpdate = mNextUpdate.getTime();
+ }
+
+ if (mEnableDailyUpdates &&
+ mDailyUpdates != null && mDailyUpdates.size() > 0) {
+ long firstTime = MINUTE * ((Integer)mDailyUpdates.elementAt(0)).longValue();
+ int n = 0;
+ if (mDailyUpdates.size() == 1 &&
+ mEnableUpdateFreq && mAutoUpdateInterval > 0) {
+ long t = firstTime;
+ long interval = mAutoUpdateInterval;
+ if (mExtendedNextUpdate && (!fromLastUpdate) && (!delta) &&
+ isDeltaEnabled && mUpdateSchema > 1) {
+ interval *= mUpdateSchema;
+ }
+ while (t < oneDay) {
+ if (t - mMinUpdateInterval > last) break;
+ t += interval;
+ n++;
+ }
+ n = n % mUpdateSchema;
+
+ if (t <= oneDay) {
+ next = lastDay + t;
+ if (t == firstTime && fromLastUpdate) {
+ mSchemaCounter = 0;
+ } else if (n != mSchemaCounter && fromLastUpdate) {
+ if (mSchemaCounter != 0 && (mSchemaCounter < n || n == 0)) {
+ mSchemaCounter = n;
+ }
+ }
+ } else {
+ next = lastDay + oneDay + firstTime;
+ if (fromLastUpdate) {
+ mSchemaCounter = 0;
+ }
+ }
+ } else {
+ int k = 1;
+ if ((!fromLastUpdate) && (!delta) &&
+ isDeltaEnabled && mUpdateSchema > 1) {
+ k = mUpdateSchema;
+ }
+ int i;
+ for (i = 0; i < 
mDailyUpdates.size(); i += k) {
+ long t = MINUTE * ((Integer)mDailyUpdates.elementAt(i)).longValue();
+ if (t - mMinUpdateInterval > last) break;
+ n++;
+ }
+ n = n % mUpdateSchema;
+
+ if (i < mDailyUpdates.size()) {
+ next = lastDay + (MINUTE * ((Integer)mDailyUpdates.elementAt(i)).longValue());
+ if (i == 0 && fromLastUpdate) {
+ mSchemaCounter = 0;
+ } else if (n != mSchemaCounter && fromLastUpdate) {
+ if (mSchemaCounter != 0 && (mSchemaCounter < n || n == 0)) {
+ mSchemaCounter = n;
+ }
+ }
+ } else {
+ // done with today
+ next = lastDay + oneDay + firstTime;
+ if (fromLastUpdate) {
+ mSchemaCounter = 0;
+ }
+ }
+ }
+ } else if (mEnableUpdateFreq && mAutoUpdateInterval > 0) {
+ if (!delta && isDeltaEnabled && mUpdateSchema > 1) {
+ next = lastUpdate + (mUpdateSchema * mAutoUpdateInterval);
+ } else {
+ next = lastUpdate + mAutoUpdateInterval;
+ }
+ }
+
+ if (fromLastUpdate && nextUpdate > 0 && nextUpdate < next) {
+ next = nextUpdate;
+ }
+
+ return (fromLastUpdate)? next-now: next;
+ }
+
+
+ /**
+ * Implements Runnable interface. Defines auto-update
+ * logic used by worker thread.
+ * <P>
+ */
+ public void run() {
+ while (mEnable && ((mEnableCRLCache && mCacheUpdateInterval > 0) ||
+ (mInitialized == CRL_IP_NOT_INITIALIZED) ||
+ mDoLastAutoUpdate || (mEnableCRLUpdates &&
+ ((mEnableDailyUpdates && mDailyUpdates != null &&
+ mDailyUpdates.size() > 0) ||
+ (mEnableUpdateFreq && mAutoUpdateInterval > 0) ||
+ mDoManualUpdate)))) {
+
+ synchronized (this) {
+ long delay = 0;
+ long delay2 = 0;
+ boolean doCacheUpdate = false;
+ boolean scheduledUpdates = mEnableCRLUpdates &&
+ ((mEnableDailyUpdates && mDailyUpdates != null &&
+ mDailyUpdates.size() > 0) ||
+ (mEnableUpdateFreq && mAutoUpdateInterval > 0));
+
+ if (mInitialized == CRL_IP_NOT_INITIALIZED)
+ initCRL();
+ if (mInitialized == CRL_IP_INITIALIZED && (!mEnable)) break;
+
+ if ((mEnableCRLUpdates && mDoManualUpdate) || mDoLastAutoUpdate) {
+ delay = 0;
+ } else if (scheduledUpdates) {
+ delay = findNextUpdate(true, false);
+ }
+
+ if (mEnableCRLCache && mCacheUpdateInterval > 0) {
+ delay2 = mLastCacheUpdate + mCacheUpdateInterval -
+ System.currentTimeMillis();
+ if (delay2 < delay ||
+ (!(scheduledUpdates || mDoLastAutoUpdate ||
+ (mEnableCRLUpdates && mDoManualUpdate)))) {
+ delay = delay2;
+ if (delay <= 0) {
+ doCacheUpdate = true;
+ mLastCacheUpdate = System.currentTimeMillis();
+ }
+ }
+ }
+
+ if (delay > 0) {
+ try {
+ wait(delay);
+ } catch (InterruptedException e) {
+ }
+ } else {
+ try {
+ if (doCacheUpdate) {
+ updateCRLCacheRepository();
+ } else if (mAutoUpdateInterval > 0 || mDoLastAutoUpdate || mDoManualUpdate) {
+ updateCRL();
+ }
+ } catch (Exception e) {
+ log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_ISSUING_CRL",
+ (doCacheUpdate)?"update CRL cache":"update CRL", e.toString()));
+ if (Debug.on()) {
+ Debug.trace((doCacheUpdate)?"update CRL cache":"update CRL" + " error " + e);
+ Debug.printStackTrace(e);
+ }
+ }
+ // put this here to prevent continuous loop if internal
+ // db is down.
+ if (mDoLastAutoUpdate)
+ mDoLastAutoUpdate = false;
+ if (mDoManualUpdate) {
+ mDoManualUpdate = false;
+ mSignatureAlgorithmForManualUpdate = null;
+ }
+ }
+ }
+ }
+ mUpdateThread = null;
+ }
+
+
+ /**
+ * Updates CRL and publishes it.
+ * If time elapsed since last CRL update is less than
+ * minUpdateInterval silently returns.
+ * Otherwise determines nextUpdate by adding autoUpdateInterval or
+ * minUpdateInterval to the current time. If neither of the
+ * intervals are defined nextUpdate will be null.
+ * Then using specified configuration parameters it formulates new
+ * CRL, signs it, updates CRLIssuingPointRecord in the database
+ * and publishes CRL in the directory.
+ * <P>
+ */
+ private void updateCRL() throws EBaseException {
+ /*
+ if (mEnableUpdateFreq && mAutoUpdateInterval > 0 &&
+ (System.currentTimeMillis() - mLastUpdate.getTime() <
+ mMinUpdateInterval)) {
+ // log or alternatively throw an Exception
+ return;
+ }
+ */
+ if (mDoManualUpdate && mSignatureAlgorithmForManualUpdate != null) {
+ updateCRLNow(mSignatureAlgorithmForManualUpdate);
+ } else {
+ updateCRLNow();
+ }
+ }
+
+ /**
+ * This method may be overrided by CRLWithExpiredCerts.java
+ */
+ public String getFilter() {
+ // PLEASE DONT CHANGE THE FILTER. It is indexed.
+ // Changing it will degrade performance.
See
+ // also com.netscape.certsetup.LDAPUtil.java
+ String filter = "";
+
+ if (mIncludeExpiredCerts)
+ filter += "(|";
+ filter += "(" + CertRecord.ATTR_CERT_STATUS + "=" + CertRecord.STATUS_REVOKED + ")";
+ if (mIncludeExpiredCerts)
+ filter += "(" + CertRecord.ATTR_CERT_STATUS + "=" + CertRecord.STATUS_REVOKED_EXPIRED + "))";
+
+ if (mCACertsOnly) {
+ filter += "(x509cert.BasicConstraints.isCA=on)";
+ }
+
+ if (mProfileCertsOnly && mProfileList != null && mProfileList.size() > 0) {
+ if (mProfileList.size() > 1) {
+ filter += "(|";
+ }
+ for (int k = 0; k < mProfileList.size(); k++) {
+ String id = (String) mProfileList.elementAt(k);
+ filter += "(" + CertRecord.ATTR_META_INFO + "=profileId:" + id + ")";
+ }
+ if (mProfileList.size() > 1) {
+ filter += ")";
+ }
+ }
+
+ // check if any ranges specified.
+ if (mBeginSerial != null) {
+ filter += "(" + CertRecord.ATTR_ID + ">=" + mBeginSerial.toString() + ")";
+ }
+ if (mEndSerial != null) {
+ filter += "(" + CertRecord.ATTR_ID + "<=" + mEndSerial.toString() + ")";
+ }
+
+ // get all revoked non-expired certs.
+ if (mEndSerial != null || mBeginSerial != null || mCACertsOnly ||
+ (mProfileCertsOnly && mProfileList != null && mProfileList.size() > 0)) {
+ filter = "(&" + filter + ")";
+ }
+
+ return filter;
+ }
+
+ /**
+ * Gets a enumeration of revoked certs to put into CRL.
+ * This does not include expired certs.
+ * <i>Override this method to make a CRL other than the
+ * full/complete CRL.</i>
+ * @return Enumeration of CertRecords to put into CRL.
+ * @exception EBaseException if an error occured in the database.
+ */
+ public void processRevokedCerts(IElementProcessor p)
+ throws EBaseException {
+ CertRecProcessor cp = (CertRecProcessor) p;
+ String filter = getFilter();
+
+ // NOTE: dangerous cast.
+ // correct way would be to modify interface and add
+ // accessor but we don't want to touch the interface
+ CertificateRepository cr = (CertificateRepository)mCertRepository;
+
+ synchronized (cr.mCertStatusUpdateThread) {
+ ICertRecordList list = mCertRepository.findCertRecordsInList(filter,
+ new String[] {ICertRecord.ATTR_ID, ICertRecord.ATTR_REVO_INFO, "objectclass" },
+ "serialno",
+ 10000);
+
+ int totalSize = list.getSize();
+
+ list.processCertRecords(0, totalSize - 1, cp);
+ }
+ }
+
+ /**
+ * clears CRL cache
+ */
+ public void clearCRLCache() {
+ mCRLCacheIsCleared = true;
+ mCRLCerts.clear();
+ mRevokedCerts.clear();
+ mUnrevokedCerts.clear();
+ mExpiredCerts.clear();
+ mSchemaCounter = 0;
+ }
+
+ /**
+ * clears Delta-CRL cache
+ */
+ public void clearDeltaCRLCache() {
+ mRevokedCerts.clear();
+ mUnrevokedCerts.clear();
+ mExpiredCerts.clear();
+ mSchemaCounter = 0;
+ }
+
+ /**
+ * recovers CRL cache
+ */
+ private void recoverCRLCache() {
+ if (mEnableCacheRecovery) {
+ String filter = "(&(requeststate=complete)"+
+ "(|(requestType=" + IRequest.REVOCATION_REQUEST + ")"+
+ "(requestType=" + IRequest.UNREVOCATION_REQUEST + ")))";
+ if (Debug.on()) {
+ Debug.trace("recoverCRLCache mFirstUnsaved="+mFirstUnsaved+" filter="+filter);
+ }
+ IRequestQueue mQueue = mCA.getRequestQueue();
+
+ IRequestVirtualList list = mQueue.getPagedRequestsByFilter(
+ new RequestId(mFirstUnsaved), filter, 500, "requestId");
+ if (Debug.on()) {
+ Debug.trace("recoverCRLCache size="+list.getSize()+" index="+list.getCurrentIndex());
+ }
+
+ int s = list.getSize() - list.getCurrentIndex();
+ for (int i = 0; i < s; i++) {
+ IRequest request = null;
+ try {
+ request = list.getElementAt(i);
+ } catch (Exception e) {
+ // handled below
+ }
+ if (request == null) {
+ continue;
+ }
+ if (Debug.on()) {
+ Debug.trace("recoverCRLCache request="+request.getRequestId().toString()+
+ " type="+request.getRequestType());
+ }
+ if (IRequest.REVOCATION_REQUEST.equals(request.getRequestType())) 
{
+ RevokedCertImpl revokedCert[] =
+ request.getExtDataInRevokedCertArray(IRequest.CERT_INFO);
+ for (int j = 0; j < revokedCert.length; j++) {
+ if (Debug.on()) {
+ Debug.trace("recoverCRLCache R j="+j+" length="+revokedCert.length+
+ " SerialNumber=0x"+revokedCert[j].getSerialNumber().toString(16));
+ }
+ updateRevokedCert(REVOKED_CERT, revokedCert[j].getSerialNumber(), revokedCert[j]);
+ }
+ } else if (IRequest.UNREVOCATION_REQUEST.equals(request.getRequestType())) {
+ BigInteger serialNo[] = request.getExtDataInBigIntegerArray(IRequest.OLD_SERIALS);
+ for (int j = 0; j < serialNo.length; j++) {
+ if (Debug.on()) {
+ Debug.trace("recoverCRLCache U j="+j+" length="+serialNo.length+
+ " SerialNumber=0x"+serialNo[j].toString(16));
+ }
+ updateRevokedCert(UNREVOKED_CERT, serialNo[j], null);
+ }
+ }
+ }
+
+ try {
+ mCRLRepository.updateRevokedCerts(mId, mRevokedCerts, mUnrevokedCerts);
+ mFirstUnsaved = ICRLIssuingPointRecord.CLEAN_CACHE;
+ mCRLCacheIsCleared = false;
+ } catch (EBaseException e) {
+ log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_ISSUING_STORE_CRL_CACHE", e.toString()));
+ }
+ } else {
+ clearCRLCache();
+ updateCRLCacheRepository();
+ }
+ }
+
+ public int getNumberOfRecentlyRevokedCerts() {
+ return mRevokedCerts.size();
+ }
+
+ public int getNumberOfRecentlyUnrevokedCerts() {
+ return mUnrevokedCerts.size();
+ }
+
+ public int getNumberOfRecentlyExpiredCerts() {
+ return mExpiredCerts.size();
+ }
+
+ /**
+ * get required crl entry extensions
+ */
+ public CRLExtensions getRequiredEntryExtensions(CRLExtensions exts) {
+ CRLExtensions entryExt = null;
+
+ if (mAllowExtensions && exts != null && exts.size() > 0) {
+ entryExt = new CRLExtensions();
+ Vector extNames = mCMSCRLExtensions.getCRLEntryExtensionNames();
+
+ for (int i = 0; i < extNames.size(); i++) {
+ String extName = (String) extNames.elementAt(i);
+
+ if (mCMSCRLExtensions.isCRLExtensionEnabled(extName)) {
+ int k;
+
+ for (k = 0; k < exts.size(); k++) {
+ Extension ext = 
(Extension) exts.elementAt(k);
+ String name = mCMSCRLExtensions.getCRLExtensionName(
+ ext.getExtensionId().toString());
+
+ if (extName.equals(name)) {
+ if (!(ext instanceof CRLReasonExtension) ||
+ (((CRLReasonExtension) ext).getReason().toInt() >
+ RevocationReason.UNSPECIFIED.toInt())) {
+ mCMSCRLExtensions.addToCRLExtensions(entryExt, extName, ext);
+ }
+ break;
+ }
+ }
+ if (k == exts.size()) {
+ mCMSCRLExtensions.addToCRLExtensions(entryExt, extName, null);
+ }
+ }
+ }
+ }
+
+ return entryExt;
+ }
+
+ private static final int REVOKED_CERT = 1;
+ private static final int UNREVOKED_CERT = 2;
+ private Object cacheMonitor = new Object();
+
+ /**
+ * update CRL cache with new revoked-unrevoked certificate info
+ */
+ private void updateRevokedCert(int certType,
+ BigInteger serialNumber,
+ RevokedCertImpl revokedCert) {
+ updateRevokedCert(certType, serialNumber, revokedCert, null);
+ }
+
+ private void updateRevokedCert(int certType,
+ BigInteger serialNumber,
+ RevokedCertImpl revokedCert,
+ String requestId) {
+ synchronized (cacheMonitor) {
+ if (requestId != null && mFirstUnsaved != null &&
+ mFirstUnsaved.equals(ICRLIssuingPointRecord.CLEAN_CACHE)) {
+ mFirstUnsaved = requestId;
+ try {
+ mCRLRepository.updateFirstUnsaved(mId, mFirstUnsaved);
+ } catch (EBaseException e) {
+ log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_ISSUING_STORE_CRL_CACHE", e.toString()));
+ }
+ }
+ if (certType == REVOKED_CERT) {
+ if (mUnrevokedCerts.containsKey(serialNumber)) {
+ mUnrevokedCerts.remove(serialNumber);
+ if (mCRLCerts.containsKey(serialNumber)) {
+ Date revocationDate = revokedCert.getRevocationDate();
+ CRLExtensions entryExt = getRequiredEntryExtensions(revokedCert.getExtensions());
+ RevokedCertImpl newRevokedCert =
+ new RevokedCertImpl(serialNumber, revocationDate, entryExt);
+
+ mCRLCerts.put(serialNumber, (RevokedCertificate) newRevokedCert);
+ }
+ } else {
+ Date revocationDate = revokedCert.getRevocationDate();
+ CRLExtensions entryExt = 
getRequiredEntryExtensions(revokedCert.getExtensions());
+ RevokedCertImpl newRevokedCert =
+ new RevokedCertImpl(serialNumber, revocationDate, entryExt);
+
+ mRevokedCerts.put(serialNumber, (RevokedCertificate) newRevokedCert);
+ }
+ } else if (certType == UNREVOKED_CERT) {
+ if (mRevokedCerts.containsKey(serialNumber)) {
+ mRevokedCerts.remove(serialNumber);
+ } else {
+ CRLExtensions entryExt = new CRLExtensions();
+
+ try {
+ entryExt.set(CRLReasonExtension.REMOVE_FROM_CRL.getName(),
+ CRLReasonExtension.REMOVE_FROM_CRL);
+ } catch (IOException e) {
+ }
+ RevokedCertImpl newRevokedCert = new RevokedCertImpl(serialNumber,
+ CMS.getCurrentDate(), entryExt);
+
+ mUnrevokedCerts.put(serialNumber, (RevokedCertificate) newRevokedCert);
+ }
+ }
+ }
+ }
+
+ /**
+ * registers revoked certificates
+ */
+ public void addRevokedCert(BigInteger serialNumber, RevokedCertImpl revokedCert) {
+ addRevokedCert(serialNumber, revokedCert, null);
+ }
+
+ public void addRevokedCert(BigInteger serialNumber, RevokedCertImpl revokedCert,
+ String requestId) {
+ if (mEnable && mEnableCRLCache) {
+ updateRevokedCert(REVOKED_CERT, serialNumber, revokedCert, requestId);
+
+ if (mCacheUpdateInterval == 0) {
+ try {
+ mCRLRepository.updateRevokedCerts(mId, mRevokedCerts, mUnrevokedCerts);
+ mFirstUnsaved = ICRLIssuingPointRecord.CLEAN_CACHE;
+ } catch (EBaseException e) {
+ log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_ISSUING_STORE_REVOKED_CERT", mId, e.toString()));
+ }
+ }
+ }
+ }
+
+ /**
+ * registers unrevoked certificates
+ */
+ public void addUnrevokedCert(BigInteger serialNumber) {
+ addUnrevokedCert(serialNumber, null);
+ }
+
+ public void addUnrevokedCert(BigInteger serialNumber, String requestId) {
+ if (mEnable && mEnableCRLCache) {
+ updateRevokedCert(UNREVOKED_CERT, serialNumber, null, requestId);
+
+ if (mCacheUpdateInterval == 0) {
+ try {
+ mCRLRepository.updateRevokedCerts(mId, mRevokedCerts, mUnrevokedCerts);
+ mFirstUnsaved = ICRLIssuingPointRecord.CLEAN_CACHE;
+ 
} catch (EBaseException e) {
+ log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_ISSUING_STORE_UNREVOKED_CERT", mId, e.toString()));
+ }
+ }
+ }
+ }
+
+ /**
+ * registers expired certificates
+ */
+ public void addExpiredCert(BigInteger serialNumber) {
+ if (mEnable && mEnableCRLCache && (!mIncludeExpiredCerts)) {
+ if (!(mExpiredCerts.containsKey(serialNumber))) {
+ CRLExtensions entryExt = new CRLExtensions();
+
+ try {
+ entryExt.set(CRLReasonExtension.REMOVE_FROM_CRL.getName(),
+ CRLReasonExtension.REMOVE_FROM_CRL);
+ } catch (IOException e) {
+ }
+ RevokedCertImpl newRevokedCert = new RevokedCertImpl(serialNumber,
+ CMS.getCurrentDate(), entryExt);
+
+ mExpiredCerts.put(serialNumber, (RevokedCertificate) newRevokedCert);
+ }
+
+ if (mCacheUpdateInterval == 0) {
+ try {
+ mCRLRepository.updateExpiredCerts(mId, mExpiredCerts);
+ } catch (EBaseException e) {
+ log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_ISSUING_STORE_EXPIRED_CERT", mId, e.toString()));
+ }
+ }
+ }
+ }
+
+ private Object repositoryMonitor = new Object();
+
+ public void updateCRLCacheRepository() {
+ synchronized (repositoryMonitor) {
+ try {
+ mCRLRepository.updateCRLCache(mId, Long.valueOf(mCRLSize),
+ mRevokedCerts, mUnrevokedCerts, mExpiredCerts);
+ mFirstUnsaved = ICRLIssuingPointRecord.CLEAN_CACHE;
+ } catch (EBaseException e) {
+ log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_ISSUING_STORE_CRL_CACHE", e.toString()));
+ }
+ }
+ }
+
+ public boolean isDeltaCRLEnabled() {
+ return (mAllowExtensions && mEnableCRLCache &&
+ mCMSCRLExtensions.isCRLExtensionEnabled(DeltaCRLIndicatorExtension.NAME) &&
+ mCMSCRLExtensions.isCRLExtensionEnabled(CRLNumberExtension.NAME) &&
+ mCMSCRLExtensions.isCRLExtensionEnabled(CRLReasonExtension.NAME));
+ }
+
+ public boolean isThisCurrentDeltaCRL(X509CRLImpl deltaCRL) {
+ boolean result = false;
+
+ if (isDeltaCRLEnabled() && mDeltaCRLSize > -1) {
+ if (deltaCRL != null) {
+ CRLExtensions crlExtensions = deltaCRL.getExtensions();
+
+ if 
(crlExtensions != null) {
+ for (int k = 0; k < crlExtensions.size(); k++) {
+ Extension ext = (Extension) crlExtensions.elementAt(k);
+
+ if (DeltaCRLIndicatorExtension.OID.equals(ext.getExtensionId().toString())) {
+ DeltaCRLIndicatorExtension dExt = (DeltaCRLIndicatorExtension) ext;
+ BigInteger crlNumber = null;
+
+ try {
+ crlNumber = (BigInteger) dExt.get(DeltaCRLIndicatorExtension.NUMBER);
+ } catch (IOException e) {
+ }
+ if (crlNumber != null && (crlNumber.equals(mLastCRLNumber) ||
+ mLastCRLNumber.equals(BigInteger.ZERO))) {
+ result = true;
+ }
+ }
+ }
+ }
+ }
+ }
+ return (result);
+ }
+
+ public boolean isCRLCacheEnabled() {
+ return mEnableCRLCache;
+ }
+
+ public Date getRevocationDateFromCache(BigInteger serialNumber,
+ boolean checkDeltaCache,
+ boolean includeExpiredCerts) {
+ Date revocationDate = null;
+
+ if (mCRLCerts.containsKey(serialNumber)) {
+ revocationDate = ((RevokedCertificate) mCRLCerts.get(serialNumber)).getRevocationDate();
+ }
+
+ if (checkDeltaCache && isDeltaCRLEnabled()) {
+ if (mUnrevokedCerts.containsKey(serialNumber)) {
+ revocationDate = null;
+ }
+ if (mRevokedCerts.containsKey(serialNumber)) {
+ revocationDate = ((RevokedCertificate) mRevokedCerts.get(serialNumber)).getRevocationDate();
+ }
+ if (!includeExpiredCerts && mExpiredCerts.containsKey(serialNumber)) {
+ revocationDate = null;
+ }
+ }
+
+ return revocationDate;
+ }
+
+ public Vector getSplitTimes() {
+ Vector splits = new Vector();
+
+ for (int i = 0; i < mSplits.length; i++) {
+ splits.addElement(Long.valueOf(mSplits[i]));
+ }
+ return splits;
+ }
+
+ public int isCRLUpdateInProgress() {
+ return mUpdatingCRL;
+ }
+
+ /**
+ * updates CRL and publishes it now
+ */
+ public void updateCRLNow()
+ throws EBaseException {
+
+ updateCRLNow(null);
+ }
+
+ public synchronized void updateCRLNow(String signingAlgorithm)
+ throws EBaseException {
+
+ if ((!mEnable) || (!mEnableCRLUpdates && !mDoLastAutoUpdate)) return;
+ CMS.debug("Updating CRL");
+ mUpdatingCRL = 
CRL_UPDATE_STARTED;
+ if (signingAlgorithm == null || signingAlgorithm.length() == 0)
+ signingAlgorithm = mSigningAlgorithm;
+ mLastSigningAlgorithm = signingAlgorithm;
+ Date thisUpdate = CMS.getCurrentDate();
+ Date nextUpdate = null;
+ Date nextDeltaUpdate = null;
+
+ long startTime = CMS.getCurrentDate().getTime();
+
+ if (mEnableCRLUpdates && ((mEnableDailyUpdates &&
+ mDailyUpdates != null && mDailyUpdates.size() > 0) ||
+ (mEnableUpdateFreq && mAutoUpdateInterval > 0))) {
+
+ if ((!isDeltaCRLEnabled()) || mSchemaCounter == 0) {
+ nextUpdate = new Date(findNextUpdate(false, false));
+ mNextUpdate = new Date(nextUpdate.getTime());
+ }
+ if (isDeltaCRLEnabled()) {
+ if (mUpdateSchema > 1) {
+ nextDeltaUpdate = new Date(findNextUpdate(false, true));
+ if (mExtendedNextUpdate && mSchemaCounter > 0 &&
+ mNextUpdate != null && mNextUpdate.equals(nextDeltaUpdate)) {
+ mSchemaCounter = mUpdateSchema - 1;
+ }
+ } else {
+ nextDeltaUpdate = new Date(nextUpdate.getTime());
+ }
+ }
+ }
+
+ for (int i = 0; i < mSplits.length; i++) {
+ mSplits[i] = 0;
+ }
+
+ mLastUpdate = thisUpdate;
+ // mNextUpdate = nextUpdate;
+ mNextDeltaUpdate = (nextDeltaUpdate != null)? 
new Date(nextDeltaUpdate.getTime()): null;
+ if (nextUpdate != null) {
+ nextUpdate.setTime((nextUpdate.getTime())+mNextUpdateGracePeriod);
+ }
+ if (nextDeltaUpdate != null) {
+ nextDeltaUpdate.setTime((nextDeltaUpdate.getTime())+mNextUpdateGracePeriod);
+ }
+
+ mSplits[0] -= System.currentTimeMillis();
+ Hashtable clonedRevokedCerts = (Hashtable) mRevokedCerts.clone();
+ Hashtable clonedUnrevokedCerts = (Hashtable) mUnrevokedCerts.clone();
+ Hashtable clonedExpiredCerts = (Hashtable) mExpiredCerts.clone();
+
+ mSplits[0] += System.currentTimeMillis();
+
+ // starting from the beginning
+
+ if ((!mEnableCRLCache) ||
+ ((mCRLCacheIsCleared && mCRLCerts.isEmpty() && clonedRevokedCerts.isEmpty() &&
+ clonedUnrevokedCerts.isEmpty() && clonedExpiredCerts.isEmpty()) ||
+ (mCRLCerts.isEmpty() && (!clonedUnrevokedCerts.isEmpty())) ||
+ (mCRLCerts.size() < clonedUnrevokedCerts.size()) ||
+ (mCRLCerts.isEmpty() && (mCRLSize > 0)) ||
+ (mCRLCerts.size() > 0 && mCRLSize == 0))) {
+
+ mSplits[5] -= System.currentTimeMillis();
+ mDeltaCRLSize = -1;
+ clearCRLCache();
+ clonedRevokedCerts.clear();
+ clonedUnrevokedCerts.clear();
+ clonedExpiredCerts.clear();
+ mSchemaCounter = 0;
+
+ IStatsSubsystem statsSub = (IStatsSubsystem)CMS.getSubsystem("stats");
+ if (statsSub != null) {
+ statsSub.startTiming("generation");
+ }
+
+ CertRecProcessor cp = new CertRecProcessor(mCRLCerts, this, mLogger);
+ processRevokedCerts(cp);
+
+ if (statsSub != null) {
+ statsSub.endTiming("generation");
+ }
+
+ mCRLCacheIsCleared = false;
+ mSplits[5] += System.currentTimeMillis();
+ } else {
+ if (isDeltaCRLEnabled()) {
+ mSplits[1] -= System.currentTimeMillis();
+ Hashtable deltaCRLCerts = (Hashtable) clonedRevokedCerts.clone();
+
+ deltaCRLCerts.putAll(clonedUnrevokedCerts);
+ deltaCRLCerts.putAll(clonedExpiredCerts);
+
+ mLastCRLNumber = mCRLNumber;
+
+ CRLExtensions ext = new CRLExtensions();
+ Vector extNames = mCMSCRLExtensions.getCRLExtensionNames();
+
+ for (int i = 0; i < extNames.size(); 
i++) {
+ String extName = (String) extNames.elementAt(i);
+
+ if (mCMSCRLExtensions.isCRLExtensionEnabled(extName) &&
+ (!extName.equals(FreshestCRLExtension.NAME))) {
+ mCMSCRLExtensions.addToCRLExtensions(ext, extName, null);
+ }
+ }
+ mSplits[1] += System.currentTimeMillis();
+
+ X509CRLImpl newX509DeltaCRL = null;
+
+ try {
+ mSplits[2] -= System.currentTimeMillis();
+ byte[] newDeltaCRL;
+
+ // #56123 - dont generate CRL if no revoked certificates
+ if (mConfigStore.getBoolean("noCRLIfNoRevokedCert", false)) {
+ if (deltaCRLCerts.size() == 0) {
+ CMS.debug("CRLIssuingPoint: No Revoked Certificates Found And noCRLIfNoRevokedCert is set to true - No Delta CRL Generated");
+ throw new EBaseException(CMS.getUserMessage("CMS_BASE_INTERNAL_ERROR", "No Revoked Certificates"));
+ }
+ }
+ X509CRLImpl crl = new X509CRLImpl(mCA.getCRLX500Name(),
+ AlgorithmId.get(signingAlgorithm),
+ thisUpdate, nextDeltaUpdate, deltaCRLCerts, ext);
+
+ newX509DeltaCRL = mCA.sign(crl, signingAlgorithm);
+ newDeltaCRL = newX509DeltaCRL.getEncoded();
+ mSplits[2] += System.currentTimeMillis();
+
+ mSplits[3] -= System.currentTimeMillis();
+ mCRLRepository.updateDeltaCRL(mId, mNextDeltaCRLNumber,
+ Long.valueOf(deltaCRLCerts.size()), mNextDeltaUpdate, newDeltaCRL);
+ mSplits[3] += System.currentTimeMillis();
+
+ mDeltaCRLSize = deltaCRLCerts.size();
+
+ long endTime = CMS.getCurrentDate().getTime();
+
+
+ mLogger.log(ILogger.EV_AUDIT, ILogger.S_OTHER,
+ AuditFormat.LEVEL,
+ CMS.getLogMessage("CMSCORE_CA_CA_DELTA_CRL_UPDATED"),
+ new Object[] {
+ getId(),
+ getNextCRLNumber(),
+ getCRLNumber(),
+ getLastUpdate(),
+ getNextDeltaUpdate(),
+ Long.toString(mDeltaCRLSize),
+ Long.toString(endTime - startTime)}
+ );
+ } catch (EBaseException e) {
+ log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_ISSUING_SIGN_OR_STORE_DELTA", e.toString()));
+ mDeltaCRLSize = -1;
+ } catch (NoSuchAlgorithmException e) {
+ log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_ISSUING_SIGN_DELTA", 
e.toString()));
+ mDeltaCRLSize = -1;
+ } catch (CRLException e) {
+ log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_ISSUING_SIGN_DELTA", e.toString()));
+ mDeltaCRLSize = -1;
+ } catch (X509ExtensionException e) {
+ log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_ISSUING_SIGN_DELTA", e.toString()));
+ mDeltaCRLSize = -1;
+ } catch (OutOfMemoryError e) {
+ log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_ISSUING_SIGN_DELTA", e.toString()));
+ mDeltaCRLSize = -1;
+ }
+
+ try {
+ mSplits[4] -= System.currentTimeMillis();
+ publishCRL(newX509DeltaCRL, true);
+ mSplits[4] += System.currentTimeMillis();
+ } catch (EBaseException e) {
+ newX509DeltaCRL = null;
+ if (Debug.on())
+ Debug.printStackTrace(e);
+ log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_ISSUING_PUBLISH_DELTA", mCRLNumber.toString(), e.toString()));
+ } catch (OutOfMemoryError e) {
+ newX509DeltaCRL = null;
+ log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_ISSUING_PUBLISH_DELTA", mCRLNumber.toString(), e.toString()));
+ }
+ } else {
+ mDeltaCRLSize = -1;
+ }
+
+ mSplits[5] -= System.currentTimeMillis();
+
+ if (mSchemaCounter == 0) {
+ if (((!mCRLCerts.isEmpty()) && ((!clonedRevokedCerts.isEmpty()) ||
+ (!clonedUnrevokedCerts.isEmpty()) || (!clonedExpiredCerts.isEmpty()))) ||
+ (mCRLCerts.isEmpty() && (mCRLSize == 0) && (!clonedRevokedCerts.isEmpty()))) {
+
+ if (!clonedUnrevokedCerts.isEmpty()) {
+ for (Enumeration e = clonedUnrevokedCerts.keys(); e.hasMoreElements();) {
+ BigInteger serialNumber = (BigInteger) e.nextElement();
+
+ if (mCRLCerts.containsKey(serialNumber)) {
+ mCRLCerts.remove(serialNumber);
+ }
+ mUnrevokedCerts.remove(serialNumber);
+ }
+ }
+
+ if (!clonedRevokedCerts.isEmpty()) {
+ for (Enumeration e = clonedRevokedCerts.keys(); e.hasMoreElements();) {
+ BigInteger serialNumber = (BigInteger) e.nextElement();
+
+ mCRLCerts.put(serialNumber, mRevokedCerts.get(serialNumber));
+ mRevokedCerts.remove(serialNumber);
+ }
+ }
+
+ if 
(!clonedExpiredCerts.isEmpty()) {
+ for (Enumeration e = clonedExpiredCerts.keys(); e.hasMoreElements();) {
+ BigInteger serialNumber = (BigInteger) e.nextElement();
+
+ if (mCRLCerts.containsKey(serialNumber)) {
+ mCRLCerts.remove(serialNumber);
+ }
+ mExpiredCerts.remove(serialNumber);
+ }
+ }
+ }
+ }
+ mSplits[5] += System.currentTimeMillis();
+ }
+
+ clonedRevokedCerts.clear();
+ clonedUnrevokedCerts.clear();
+ clonedExpiredCerts.clear();
+ clonedRevokedCerts = null;
+ clonedUnrevokedCerts = null;
+ clonedExpiredCerts = null;
+
+ if ((!isDeltaCRLEnabled()) || mSchemaCounter == 0) {
+ mSplits[6] -= System.currentTimeMillis();
+ if (mNextDeltaCRLNumber.compareTo(mNextCRLNumber) > 0) {
+ mNextCRLNumber = mNextDeltaCRLNumber;
+ }
+
+ CRLExtensions ext = null;
+
+ if (mAllowExtensions) {
+ ext = new CRLExtensions();
+ Vector extNames = mCMSCRLExtensions.getCRLExtensionNames();
+
+ for (int i = 0; i < extNames.size(); i++) {
+ String extName = (String) extNames.elementAt(i);
+
+ if (mCMSCRLExtensions.isCRLExtensionEnabled(extName) &&
+ (!extName.equals(DeltaCRLIndicatorExtension.NAME))) {
+ mCMSCRLExtensions.addToCRLExtensions(ext, extName, null);
+ }
+ }
+ }
+ mSplits[6] += System.currentTimeMillis();
+ // for audit log
+
+ X509CRLImpl newX509CRL;
+
+ startTime = CMS.getCurrentDate().getTime();
+
+
+ try {
+ byte[] newCRL;
+
+ CMS.debug("Making CRL wth algorithm " +
+ signingAlgorithm + " " + AlgorithmId.get(signingAlgorithm));
+
+ mSplits[7] -= System.currentTimeMillis();
+
+ // #56123 - dont generate CRL if no revoked certificates
+ if (mConfigStore.getBoolean("noCRLIfNoRevokedCert", false)) {
+ if (mCRLCerts.size() == 0) {
+ CMS.debug("CRLIssuingPoint: No Revoked Certificates Found And noCRLIfNoRevokedCert is set to true - No CRL Generated");
+ throw new EBaseException(CMS.getUserMessage("CMS_BASE_INTERNAL_ERROR", "No Revoked Certificates"));
+ }
+ }
+ CMS.debug("before new X509CRLImpl");
+ X509CRLImpl crl = new X509CRLImpl(mCA.getCRLX500Name(),
+ 
AlgorithmId.get(signingAlgorithm),
+ thisUpdate, nextUpdate, mCRLCerts, ext);
+
+ CMS.debug("before sign");
+ newX509CRL = mCA.sign(crl, signingAlgorithm);
+
+ CMS.debug("before getEncoded()");
+ newCRL = newX509CRL.getEncoded();
+ CMS.debug("after getEncoded()");
+ mSplits[7] += System.currentTimeMillis();
+
+ mSplits[8] -= System.currentTimeMillis();
+
+ Date nextUpdateDate = mNextUpdate;
+ if (isDeltaCRLEnabled() && mUpdateSchema > 1 && mNextDeltaUpdate != null) {
+ nextUpdateDate = mNextDeltaUpdate;
+ }
+ mCRLRepository.updateCRLIssuingPointRecord(
+ mId, newCRL, thisUpdate, nextUpdateDate,
+ mNextCRLNumber, Long.valueOf(mCRLCerts.size()),
+ mRevokedCerts, mUnrevokedCerts, mExpiredCerts);
+ mFirstUnsaved = ICRLIssuingPointRecord.CLEAN_CACHE;
+ mSplits[8] += System.currentTimeMillis();
+
+ mCRLSize = mCRLCerts.size();
+ mCRLNumber = mNextCRLNumber;
+ mDeltaCRLNumber = mCRLNumber;
+ mNextCRLNumber = mCRLNumber.add(BigInteger.ONE);
+ mNextDeltaCRLNumber = mNextCRLNumber;
+
+
+ long endTime = CMS.getCurrentDate().getTime();
+
+ CMS.debug("Logging CRL Update to transaction log");
+ mLogger.log(ILogger.EV_AUDIT, ILogger.S_OTHER,
+ AuditFormat.LEVEL,
+ CMS.getLogMessage("CMSCORE_CA_CA_CRL_UPDATED"),
+ new Object[] {
+ getId(),
+ getCRLNumber(),
+ getLastUpdate(),
+ getNextUpdate(),
+ Long.toString(mCRLSize),
+ Long.toString(endTime - startTime)}
+ );
+ CMS.debug("Finished Logging CRL Update to transaction log");
+
+ } catch (EBaseException e) {
+ newX509CRL = null;
+ mUpdatingCRL = CRL_UPDATE_DONE;
+ if (Debug.on())
+ Debug.printStackTrace(e);
+ log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_ISSUING_SIGN_OR_STORE_CRL", e.toString()));
+ throw new ECAException(CMS.getUserMessage("CMS_CA_FAILED_CONSTRUCTING_CRL", e.toString()));
+ } catch (NoSuchAlgorithmException e) {
+ newX509CRL = null;
+ mUpdatingCRL = CRL_UPDATE_DONE;
+ log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_ISSUING_SIGN_CRL", e.toString()));
+ throw new 
ECAException(CMS.getUserMessage("CMS_CA_FAILED_CONSTRUCTING_CRL", e.toString())); + } catch (CRLException e) { + newX509CRL = null; + mUpdatingCRL = CRL_UPDATE_DONE; + log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_ISSUING_SIGN_CRL", e.toString())); + throw new ECAException(CMS.getUserMessage("CMS_CA_FAILED_CONSTRUCTING_CRL", e.toString())); + } catch (X509ExtensionException e) { + newX509CRL = null; + mUpdatingCRL = CRL_UPDATE_DONE; + log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_ISSUING_SIGN_CRL", e.toString())); + throw new ECAException(CMS.getUserMessage("CMS_CA_FAILED_CONSTRUCTING_CRL", e.toString())); + } catch (OutOfMemoryError e) { + newX509CRL = null; + mUpdatingCRL = CRL_UPDATE_DONE; + log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_ISSUING_SIGN_CRL", e.toString())); + throw new ECAException(CMS.getUserMessage("CMS_CA_FAILED_CONSTRUCTING_CRL", e.toString())); + } + + try { + mSplits[9] -= System.currentTimeMillis(); + mUpdatingCRL = CRL_PUBLISHING_STARTED; + publishCRL(newX509CRL); + newX509CRL = null; + mSplits[9] += System.currentTimeMillis(); + } catch (EBaseException e) { + newX509CRL = null; + mUpdatingCRL = CRL_UPDATE_DONE; + log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_ISSUING_PUBLISH_CRL", mCRLNumber.toString(), e.toString())); + } catch (OutOfMemoryError e) { + newX509CRL = null; + mUpdatingCRL = CRL_UPDATE_DONE; + log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_ISSUING_PUBLISH_CRL", mCRLNumber.toString(), e.toString())); + } + } + + if (isDeltaCRLEnabled() && mDeltaCRLSize > -1 && mSchemaCounter > 0) { + mDeltaCRLNumber = mNextDeltaCRLNumber; + mNextDeltaCRLNumber = mDeltaCRLNumber.add(BigInteger.ONE); + } + + mSchemaCounter++; + if (mSchemaCounter >= mUpdateSchema) mSchemaCounter = 0; + + mUpdatingCRL = CRL_UPDATE_DONE; + notifyAll(); + } + + /** + * publish CRL. called from updateCRLNow() and init(). 
+ */ + + public void publishCRL() + throws EBaseException { + publishCRL(null); + } + + protected void publishCRL(X509CRLImpl x509crl) + throws EBaseException { + publishCRL(x509crl, false); + } + + protected void publishCRL(X509CRLImpl x509crl, boolean isDeltaCRL) + throws EBaseException { + SessionContext sc = SessionContext.getContext(); + + IStatsSubsystem statsSub = (IStatsSubsystem)CMS.getSubsystem("stats"); + if (statsSub != null) { + statsSub.startTiming("crl_publishing"); + } + + if (mCountMod == 0) { + sc.put(SC_CRL_COUNT, Integer.toString(mCount)); + } else { + sc.put(SC_CRL_COUNT, Integer.toString(mCount%mCountMod)); + } + mCount++; + sc.put(SC_ISSUING_POINT_ID, mId); + if (isDeltaCRL) { + sc.put(SC_IS_DELTA_CRL, "true"); + } else { + sc.put(SC_IS_DELTA_CRL, "false"); + } + + ICRLIssuingPointRecord crlRecord = null; + + CMS.debug("Publish CRL"); + try { + if (x509crl == null) { + crlRecord = mCRLRepository.readCRLIssuingPointRecord(mId); + if (crlRecord != null) { + byte[] crl = (isDeltaCRL) ? crlRecord.getDeltaCRL() : crlRecord.getCRL(); + + if (crl != null) { + x509crl = new X509CRLImpl(crl); + } + } + } + if (x509crl != null && + mPublisherProcessor != null && mPublisherProcessor.enabled()) { + if (mPublishDN != null) { + mPublisherProcessor.publishCRL(mPublishDN, x509crl); + CMS.debug("CRL published to " + mPublishDN); + } else { + mPublisherProcessor.publishCRL(x509crl,getId()); + CMS.debug("CRL published."); + } + } + } catch (Exception e) { + CMS.debug("Could not publish CRL. Error " + e); + CMS.debug("Could not publish CRL. 
ID " + mId); + throw new EErrorPublishCRL( + CMS.getUserMessage("CMS_CA_ERROR_PUBLISH_CRL", mId, e.toString())); + } finally { + if (statsSub != null) { + statsSub.endTiming("crl_publishing"); + } + } + } + + protected void log(int level, String msg) { + mLogger.log(ILogger.EV_SYSTEM, null, ILogger.S_CA, level, + "CRLIssuingPoint " + mId + " - " + msg); + } + + void setConfigParam(String name, String value) { + mConfigStore.putString(name, value); + } + + class RevocationRequestListener implements IRequestListener { + + public void init(ISubsystem sys, IConfigStore config) + throws EBaseException { + } + + public void set(String name, String val) { + } + + public void accept(IRequest r) { + String requestType = r.getRequestType(); + + if (requestType.equals(IRequest.REVOCATION_REQUEST) || + requestType.equals(IRequest.UNREVOCATION_REQUEST) || + requestType.equals(IRequest.CLA_CERT4CRL_REQUEST) || + requestType.equals(IRequest.CLA_UNCERT4CRL_REQUEST)) { + CMS.debug("Revocation listener called."); + // check if serial number is in begin/end range if set. 
+ if (mBeginSerial != null || mEndSerial != null) { + CMS.debug( + "Checking if serial number is between " + + mBeginSerial + " and " + mEndSerial); + BigInteger[] serialNos = + r.getExtDataInBigIntegerArray(IRequest.OLD_SERIALS); + + if (serialNos == null || serialNos.length == 0) { + X509CertImpl oldCerts[] = + r.getExtDataInCertArray(IRequest.OLD_CERTS); + + if (oldCerts == null || oldCerts.length == 0) + return; + serialNos = new BigInteger[oldCerts.length]; + for (int i = 0; i < oldCerts.length; i++) { + serialNos[i] = oldCerts[i].getSerialNumber(); + } + } + + boolean inRange = false; + + for (int i = 0; i < serialNos.length; i++) { + if ((mBeginSerial == null || + serialNos[i].compareTo(mBeginSerial) >= 0) && + (mEndSerial == null || + serialNos[i].compareTo(mEndSerial) <= 0)) { + inRange = true; + } + } + if (!inRange) { + return; + } + } + + if (mAlwaysUpdate) { + try { + updateCRLNow(); + r.setExtData(mCrlUpdateStatus, IRequest.RES_SUCCESS); + if (mPublisherProcessor != null) { + r.setExtData(mCrlPublishStatus, IRequest.RES_SUCCESS); + } + } catch (EErrorPublishCRL e) { + // error already logged in updateCRLNow(); + r.setExtData(mCrlUpdateStatus, IRequest.RES_SUCCESS); + if (mPublisherProcessor != null) { + r.setExtData(mCrlPublishStatus, IRequest.RES_ERROR); + r.setExtData(mCrlPublishError, e); + } + } catch (EBaseException e) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_ISSUING_UPDATE_CRL", e.toString())); + r.setExtData(mCrlUpdateStatus, IRequest.RES_ERROR); + r.setExtData(mCrlUpdateError, e); + } catch (Exception e) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_ISSUING_UPDATE_CRL", e.toString())); + if (Debug.on()) + Debug.printStackTrace(e); + r.setExtData(mCrlUpdateStatus, IRequest.RES_ERROR); + r.setExtData(mCrlUpdateError, + new EBaseException( + CMS.getUserMessage("CMS_BASE_INTERNAL_ERROR", e.toString()))); + } + } + } + } + } +} + + +class CertRecProcessor implements IElementProcessor { + private Hashtable mCRLCerts = 
null; + private boolean mAllowExtensions; + private ILogger mLogger; + private CRLIssuingPoint mIP = null; + + public CertRecProcessor(Hashtable crlCerts, CRLIssuingPoint ip, ILogger logger) { + mCRLCerts = crlCerts; + mLogger = logger; + mIP = ip; + } + + public void process(Object o) throws EBaseException { + try { + CertRecord certRecord = (CertRecord) o; + + CRLExtensions entryExt = null; + BigInteger serialNumber = certRecord.getSerialNumber(); + Date revocationDate = certRecord.getRevocationDate(); + IRevocationInfo revInfo = certRecord.getRevocationInfo(); + + if (revInfo != null) { + entryExt = mIP.getRequiredEntryExtensions(revInfo.getCRLEntryExtensions()); + } + RevokedCertificate newRevokedCert = + new RevokedCertImpl(serialNumber, revocationDate, entryExt); + + mCRLCerts.put(serialNumber, (RevokedCertificate) newRevokedCert); + if (serialNumber != null) { + CMS.debug("Putting certificate serial: 0x"+serialNumber.toString(16)+" into CRL hashtable"); + } + } catch (EBaseException e) { + CMS.debug( + "CA failed constructing CRL entry: " + + (mCRLCerts.size() + 1) + " " + e); + throw new ECAException(CMS.getUserMessage("CMS_CA_FAILED_CONSTRUCTING_CRL", e.toString())); + } + } +} + diff --git a/pki/base/ca/src/com/netscape/ca/CRLWithExpiredCerts.java b/pki/base/ca/src/com/netscape/ca/CRLWithExpiredCerts.java new file mode 100644 index 000000000..94de0d90b --- /dev/null +++ b/pki/base/ca/src/com/netscape/ca/CRLWithExpiredCerts.java 
@@ -0,0 +1,74 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2007 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.ca;
+
+
+import java.util.Enumeration;
+import java.util.Date;
+import java.math.*;
+
+import com.netscape.certsrv.dbs.certdb.ICertificateRepository;
+import com.netscape.certsrv.base.EBaseException;
+import com.netscape.cmscore.util.Debug;
+import com.netscape.cmscore.dbs.*;
+
+
+/**
+ * A CRL Issuing point that contains revoked certs, include onces that
+ * have expired.
+ */
+public class CRLWithExpiredCerts extends CRLIssuingPoint {
+
+ /**
+ * overrides getRevokedCerts in CRLIssuingPoint to include
+ * all revoked certs, including once that have expired.
+ *
+ * @param thisUpdate parameter is ignored.
+ *
+ * @exception EBaseException if an exception occured getting revoked
+ * certificates from the database.
+ */
+ public String getFilter() {
+ // PLEASE DONT CHANGE THE FILTER. It is indexed.
+ // Changing it will degrade performance. See
+ // also com.netscape.certsetup.LDAPUtil.java
+ String filter =
+ "(|(" + CertRecord.ATTR_CERT_STATUS + "=" +
+ CertRecord.STATUS_REVOKED + ")" +
+ "(" + CertRecord.ATTR_CERT_STATUS + "=" +
+ CertRecord.STATUS_REVOKED_EXPIRED + "))";
+
+ // check if any ranges specified.
+ if (mBeginSerial != null)
+ filter += "(" + CertRecord.ATTR_ID + ">=" + mBeginSerial.toString() + ")";
+ if (mEndSerial != null)
+ filter += "(" + CertRecord.ATTR_ID + "<=" + mEndSerial.toString() + ")";
+ // get all revoked non-expired certs.
+ if (mEndSerial != null || mBeginSerial != null) {
+ filter = "(&" + filter + ")";
+ }
+ return filter;
+ }
+
+ /**
+ * registers expired certificates
+ */
+ public void addExpiredCert(BigInteger serialNumber) {
+ // don't do anything
+ }
+}
diff --git a/pki/base/ca/src/com/netscape/ca/CertificateAuthority.java b/pki/base/ca/src/com/netscape/ca/CertificateAuthority.java
new file mode 100644
index 000000000..c08deaa3c
--- /dev/null
+++ b/pki/base/ca/src/com/netscape/ca/CertificateAuthority.java
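Review bot: The Javadoc on `getFilter()` documents a different method: it says it overrides getRevokedCerts, lists a `@param thisUpdate` and an `@exception EBaseException`, yet `public String getFilter()` takes no arguments and declares no exception. Replace it with a one-sentence summary stating that the method widens the base issuing point's LDAP filter to match records whose status is either STATUS_REVOKED or STATUS_REVOKED_EXPIRED, narrowed to the `mBeginSerial`/`mEndSerial` range when one is set, and drop both tags. The `// get all revoked non-expired certs.` comment above the range wrap contradicts the class's stated purpose and should read `// AND the status clause with the serial-range clause(s) when a range is set.` The empty `addExpiredCert` override also needs a why-comment rather than "registers expired certificates"; presumably expired certificates are meant to stay on this CRL so there is nothing to track separately, but that should be confirmed against the base class, which is not in this hunk.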
@@ -0,0 +1,1882 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.ca; + + +import java.io.*; +import java.net.*; +import java.util.*; +import java.math.*; +import java.security.cert.CertificateException; +import java.security.cert.CertificateParsingException; +import java.security.cert.CRLException; +import java.security.cert.X509Certificate; +import java.security.MessageDigest; +import java.security.NoSuchAlgorithmException; +import java.security.PublicKey; +import netscape.security.x509.*; +import netscape.security.util.*; +import org.mozilla.jss.asn1.*; +import org.mozilla.jss.pkix.primitive.*; +import com.netscape.certsrv.base.*; +import com.netscape.certsrv.util.*; +import com.netscape.certsrv.listeners.*; +import com.netscape.cmscore.base.*; +import com.netscape.certsrv.authority.*; +import com.netscape.certsrv.ca.*; +import com.netscape.certsrv.logging.*; +import com.netscape.certsrv.dbs.*; +import com.netscape.certsrv.dbs.repository.*; +import com.netscape.cmscore.dbs.*; +import com.netscape.certsrv.dbs.certdb.*; +import com.netscape.certsrv.dbs.crldb.*; +import com.netscape.certsrv.dbs.crldb.ICRLRepository; +import com.netscape.certsrv.apps.*; + +import org.mozilla.jss.pkix.cert.Extension; 
+import org.mozilla.jss.*; +import org.mozilla.jss.crypto.*; +import com.netscape.certsrv.ldap.*; +import com.netscape.certsrv.publish.*; +import com.netscape.certsrv.request.*; +import com.netscape.certsrv.security.*; +import com.netscape.certsrv.policy.*; + +import com.netscape.certsrv.ocsp.*; +import com.netscape.cmscore.policy.*; +import com.netscape.cmscore.request.*; +import com.netscape.cmscore.dbs.*; +import com.netscape.cmscore.ldap.*; +import com.netscape.cmscore.util.*; +import com.netscape.cmscore.security.*; +import com.netscape.cmsutil.ocsp.*; + +import com.netscape.certsrv.listeners.*; +import com.netscape.cmscore.listeners.*; + + +/** + * A class represents a Certificate Authority that is + * responsible for certificate specific operations. + * <P> + * + * @author lhsiao + * @version $Revision: 14562 $, $Date: 2007-05-01 10:31:12 -0700 (Tue, 01 May 2007) $ + */ +public class CertificateAuthority implements ICertificateAuthority, ICertAuthority, IOCSPService { + public static final String OFFICIAL_NAME = "Certificate Manager"; + + public final static OBJECT_IDENTIFIER OCSP_NONCE = new OBJECT_IDENTIFIER("1.3.6.1.5.5.7.48.1.2"); + + protected ISubsystem mOwner = null; + protected IConfigStore mConfig = null; + protected ILogger mLogger = CMS.getLogger(); + protected Hashtable mCRLIssuePoints = new Hashtable(); + protected CRLIssuingPoint mMasterCRLIssuePoint = null; // the complete crl. + protected SigningUnit mSigningUnit; + protected SigningUnit mOCSPSigningUnit; + protected SigningUnit mCRLSigningUnit; + + protected X500Name mName = null; + protected X500Name mCRLName = null; + protected X500Name mOCSPName = null; + protected String mNickname = null; // nickname of CA signing cert. + protected String mOCSPNickname = null; // nickname of OCSP signing cert. 
+ protected long mCertSerialNumberCounter = System.currentTimeMillis(); + protected long mRequestID = System.currentTimeMillis(); + + protected String[] mAllowedSignAlgors = null; + + protected CertificateRepository mCertRepot = null; + protected CRLRepository mCRLRepot = null; + + protected CertificateChain mCACertChain = null; + protected CertificateChain mOCSPCertChain = null; + protected X509CertImpl mCRLCert = null; + protected org.mozilla.jss.crypto.X509Certificate mCRLX509Cert = null; + protected X509CertImpl mCaCert = null; + protected org.mozilla.jss.crypto.X509Certificate mCaX509Cert = null; + protected X509CertImpl mOCSPCert = null; + protected org.mozilla.jss.crypto.X509Certificate mOCSPX509Cert = null; + protected String[] mCASigningAlgorithms = null; + + protected PublisherProcessor mPublisherProcessor = null; + protected IRequestQueue mRequestQueue = null; + protected CAPolicy mPolicy = null; + protected CAService mService = null; + protected IRequestNotifier mNotify = null; + protected IRequestNotifier mPNotify = null; + protected long mNumOCSPRequest = 0; + protected long mTotalTime = 0; + protected long mTotalData = 0; + protected long mSignTime = 0; + protected long mLookupTime = 0; + + protected static final int FASTSIGNING_DISABLED = 0; + protected static final int FASTSIGNING_ENABLED = 1; + + protected CertificateVersion mDefaultCertVersion; + protected long mDefaultValidity; + protected boolean mEnablePastCATime; + protected boolean mEnableOCSP; + protected int mFastSigning = FASTSIGNING_DISABLED; + + protected static final long SECOND = 1000; // 1000 milliseconds + protected static final long MINUTE = 60 * SECOND; + protected static final long HOUR = 60 * MINUTE; + protected static final long DAY = 24 * HOUR; + protected static final long YEAR = DAY * 365; + + protected static final String PROP_CERT_REPOS_DN = "CertificateRepositoryDN"; + protected static final String PROP_REPOS_DN = "RepositoryDN"; + + // for the notification listeners + + 
/** + * Package constants + */ + + public IRequestListener mCertIssuedListener = null; + public IRequestListener mCertRevokedListener = null; + public IRequestListener mReqInQListener = null; + + /* cache responder ID for performance */ + private ResponderID mResponderIDByName = null; + private ResponderID mResponderIDByHash = null; + + protected Hashtable mListenerPlugins = null; + + /** + * Internal constants + */ + + protected ICRLPublisher mCRLPublisher = null; + private String mId = null; + + private boolean mByName = true; + + /** + * Constructs a CA subsystem. + */ + public CertificateAuthority() { + } + + /** + * Retrieves subsystem identifier. + */ + public String getId() { + return mId; + } + + public CertificateVersion getDefaultCertVersion() { + return mDefaultCertVersion; + } + + public boolean isEnablePastCATime() { + return mEnablePastCATime; + } + + /** + * Sets subsystem identifier. + */ + public void setId(String id) throws EBaseException { + mId = id; + } + + /** + * updates the Master CRL now + */ + public void updateCRLNow() throws EBaseException { + if (mMasterCRLIssuePoint != null) { + mMasterCRLIssuePoint.updateCRLNow(); + } + } + + + public void publishCRLNow() throws EBaseException { + if (mMasterCRLIssuePoint != null) { + mMasterCRLIssuePoint.publishCRL(); + } + } + public ICRLPublisher getCRLPublisher() { + return mCRLPublisher; + } + + public IPolicyProcessor getPolicyProcessor() { + return mPolicy.getPolicyProcessor(); + } + + /** + * Initializes this CA subsystem. + * <P> + * + * @param owner owner of this subsystem + * @param config configuration of this subsystem + * @exception EBaseException failed to initialize this CA + */ + public void init(ISubsystem owner, IConfigStore config) throws + EBaseException { + + try { + CMS.debug("CertificateAuthority init "); + mOwner = owner; + mConfig = config; + + // init cert & crl database. + initCaDatabases(); + + // init signing unit & CA cert. 
+ initSigUnit(); + + // init default CA attributes like cert version, validity. + initDefCaAttrs(); + + // set certificate status to 10 minutes + mCertRepot.setCertStatusUpdateInterval( + mConfig.getInteger("certStatusUpdateInterval", 10 * 60), + mConfig.getBoolean("listenToCloneModifications", false)); + mCertRepot.setConsistencyCheck( + mConfig.getBoolean("ConsistencyCheck", false)); + mCertRepot.setSkipIfInConsistent( + mConfig.getBoolean("SkipIfInConsistent", false)); + + // init web gateway. + initWebGateway(); + + // init request queue and related modules. + CMS.debug("CertificateAuthority init: initRequestQueue"); + initRequestQueue(); + mService.init(config.getSubStore("connector")); + + initMiscellaneousListeners(); + + // instantiate CRL publisher + IConfigStore cpStore = null; + + mByName = config.getBoolean("byName", true); + + cpStore = config.getSubStore("crlPublisher"); + if (cpStore != null && cpStore.size() > 0) { + String publisherClass = cpStore.getString("class"); + + if (publisherClass != null) { + try { + Class pc = Class.forName(publisherClass); + + mCRLPublisher = (ICRLPublisher) + pc.newInstance(); + mCRLPublisher.init(this, cpStore); + } catch (ClassNotFoundException ee) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_CA_NO_PUBLISHER", ee.toString())); + } catch (IllegalAccessException ee) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_CA_NO_PUBLISHER", ee.toString())); + } catch (InstantiationException ee) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_CA_NO_PUBLISHER", ee.toString())); + } + } + } + + // initialize publisher processor (publish remote admin + // rely on this subsystem, so it has to be initialized) + initPublish(); + + // Initialize CRL issuing points. + // note CRL framework depends on DBS, CRYPTO and PUBLISHING + // being functional. 
+ initCRL(); + } catch (EBaseException e) { + if (CMS.isPreOpMode()) + return; + else + throw e; + } + } + + /** + * return CA's request queue processor + */ + public IRequestQueue getRequestQueue() { + return mRequestQueue; + } + + /** + * registers listener + */ + public void registerRequestListener(IRequestListener listener) { + mNotify.registerListener(listener); + } + + /** + * registers listener with a name. + */ + public void registerRequestListener(String name, IRequestListener listener) { + mNotify.registerListener(name, listener); + } + + /** + * removes listener + */ + public void removeRequestListener(IRequestListener listener) { + mNotify.removeListener(listener); + } + + /** + * removes listener with a name. + */ + public void removeRequestListener(String name) { + mNotify.removeListener(name); + } + + /** + * register listener for pending requests + */ + public void registerPendingListener(IRequestListener listener) { + mPNotify.registerListener(listener); + } + + /** + * register listener for pending requests with a name. + */ + public void registerPendingListener(String name, IRequestListener listener) { + mPNotify.registerListener(name, listener); + } + + /** + * get listener from listener list + */ + public IRequestListener getRequestListener(String name) { + return mNotify.getListener(name); + } + + /** + * get listener from listener list + */ + public IRequestListener getPendingListener(String name) { + return mPNotify.getListener(name); + } + + public Enumeration getRequestListenerNames() { + return mNotify.getListenerNames(); + } + + public IRequestListener getRequestInQListener() { + return mReqInQListener; + } + + public IRequestListener getCertIssuedListener() { + return mCertIssuedListener; + } + + public IRequestListener getCertRevokedListener() { + return mCertRevokedListener; + } + + /** + * return CA's policy processor. + */ + public IPolicy getCAPolicy() { + return mPolicy; + } + + /** + * return CA's request queue service object. 
+ */ + public IService getCAService() { + return mService; + } + + /** + * check if the ca is a clone. + */ + public boolean isClone() { + if (mService.mCLAConnector != null) + return true; + else + return false; + } + + /** + * Starts up this subsystem. + */ + public void startup() throws EBaseException { + if (CMS.isPreOpMode()) { + return; + } + mService.startup(); + mRequestQueue.recover(); + + // Note that this could be null. + + // setup Admin operations + + initNotificationListeners(); + + startPublish(); + // startCRL(); + } + + /** + * Shutdowns this subsystem. + * <P> + */ + public void shutdown() { + Enumeration enums = mCRLIssuePoints.elements(); + while (enums.hasMoreElements()) { + CRLIssuingPoint point = (CRLIssuingPoint)enums.nextElement(); + point.shutdown(); + } + + if (mMasterCRLIssuePoint != null) { + mMasterCRLIssuePoint.shutdown(); + } + + mSigningUnit = null; + mOCSPSigningUnit = null; + mCRLSigningUnit = null; + if (mCertRepot != null) { + mCertRepot.shutdown(); + mCertRepot = null; + } + mCRLRepot = null; + mPublisherProcessor.shutdown(); + } + + /** + * Retrieves the configuration store of this subsystem. + * <P> + */ + public IConfigStore getConfigStore() { + return mConfig; + } + + /** + * Retrieves logger. + */ + public ILogger getLogger() { + return CMS.getLogger(); + } + + /** + * Retrieves database services. 
+ */ + public IDBSubsystem getDBSubsystem() { + return DBSubsystem.getInstance(); + } + + public void setValidity(String enableCAPast) throws EBaseException { + if (enableCAPast.equals("true")) + mEnablePastCATime = true; + else + mEnablePastCATime = false; + mConfig.putString(PROP_ENABLE_PAST_CATIME, enableCAPast); + } + + public long getDefaultValidity() { + return mDefaultValidity; + } + + public String getDefaultAlgorithm() { + return mSigningUnit.getDefaultAlgorithm(); + } + + public void setDefaultAlgorithm(String algorithm) throws EBaseException { + mSigningUnit.setDefaultAlgorithm(algorithm); + } + + public String getStartSerial() { + try { + BigInteger serial = + ((Repository) mCertRepot).getTheSerialNumber(); + + if (serial == null) + return ""; + else + return serial.toString(16); + } catch (EBaseException e) { + // shouldn't get here. + return ""; + } + } + + public void setStartSerial(String serial) throws EBaseException { + ((Repository) mCertRepot).setTheSerialNumber(new BigInteger(serial)); + } + + public String getMaxSerial() { + String serial = ((Repository) mCertRepot).getMaxSerial(); + + if (serial != null) + return serial; + else + return ""; + } + + public void setMaxSerial(String serial) throws EBaseException { + ((Repository) mCertRepot).setMaxSerial(serial); + } + + /** + * Retrieves certificate repository. + * <P> + * + * @return certificate repository + */ + public ICertificateRepository getCertificateRepository() { + return mCertRepot; + } + + /** + * Retrieves CRL repository. + */ + public ICRLRepository getCRLRepository() { + return mCRLRepot; + } + + public IPublisherProcessor getPublisherProcessor() { + return mPublisherProcessor; + } + + /** + * Retrieves the CRL issuing point by id. 
+ * <P> + * @param id string id of the CRL issuing point + * @return CRL issuing point + */ + public ICRLIssuingPoint getCRLIssuingPoint(String id) { + return (CRLIssuingPoint) mCRLIssuePoints.get(id); + } + + /** + * Enumerates CRL issuing points + * <P> + * @return security service + */ + public Enumeration getCRLIssuingPoints() { + return mCRLIssuePoints.elements(); + } + + public int getCRLIssuingPointsSize() { + return mCRLIssuePoints.size(); + } + + /** + * Adds CRL issuing point with the given identifier and description. + */ + public boolean addCRLIssuingPoint(IConfigStore crlSubStore, String id, + boolean enable, String description) { + crlSubStore.makeSubStore(id); + IConfigStore c = crlSubStore.getSubStore(id); + + if (c != null) { + c.putString("allowExtensions", "true"); + c.putString("alwaysUpdate", "false"); + c.putString("autoUpdateInterval", "240"); + c.putString("caCertsOnly", "false"); + c.putString("cacheUpdateInterval", "15"); + c.putString("class", "com.netscape.ca.CRLIssuingPoint"); + c.putString("dailyUpdates", "3:45"); + c.putString("description", description); + c.putBoolean("enable", enable); + c.putString("enableCRLCache", "true"); + c.putString("enableCRLUpdates", "true"); + c.putString("enableCacheRecovery", "false"); + c.putString("enableDailyUpdates", "false"); + c.putString("enableUpdateInterval", "true"); + c.putString("extendedNextUpdate", "true"); + c.putString("includeExpiredCerts", "false"); + c.putString("minUpdateInterval", "0"); + c.putString("nextUpdateGracePeriod", "0"); + c.putString("publishOnStart", "false"); + c.putString("signingAlgorithm", "SHA1withRSA"); + c.putString("updateSchema", "1"); + + // crl extensions + // AuthorityKeyIdentifier + c.putString("extension.AuthorityKeyIdentifier.enable", "false"); + c.putString("extension.AuthorityKeyIdentifier.critical", "false"); + c.putString("extension.AuthorityKeyIdentifier.type", "CRLExtension"); + c.putString("extension.AuthorityKeyIdentifier.class", + 
"com.netscape.cms.crl.CMSAuthorityKeyIdentifierExtension"); + // IssuerAlternativeName + c.putString("extension.IssuerAlternativeName.enable", "false"); + c.putString("extension.IssuerAlternativeName.critical", "false"); + c.putString("extension.IssuerAlternativeName.type", "CRLExtension"); + c.putString("extension.IssuerAlternativeName.class", + "com.netscape.cms.crl.CMSIssuerAlternativeNameExtension"); + c.putString("extension.IssuerAlternativeName.numNames", "0"); + c.putString("extension.IssuerAlternativeName.nameType0", ""); + c.putString("extension.IssuerAlternativeName.name0", ""); + // CRLNumber + c.putString("extension.CRLNumber.enable", "true"); + c.putString("extension.CRLNumber.critical", "false"); + c.putString("extension.CRLNumber.type", "CRLExtension"); + c.putString("extension.CRLNumber.class", + "com.netscape.cms.crl.CMSCRLNumberExtension"); + // DeltaCRLIndicator + c.putString("extension.DeltaCRLIndicator.enable", "false"); + c.putString("extension.DeltaCRLIndicator.critical", "true"); + c.putString("extension.DeltaCRLIndicator.type", "CRLExtension"); + c.putString("extension.DeltaCRLIndicator.class", + "com.netscape.cms.crl.CMSDeltaCRLIndicatorExtension"); + // IssuingDistributionPoint + c.putString("extension.IssuingDistributionPoint.enable", "false"); + c.putString("extension.IssuingDistributionPoint.critical", "true"); + c.putString("extension.IssuingDistributionPoint.type", "CRLExtension"); + c.putString("extension.IssuingDistributionPoint.class", + "com.netscape.cms.crl.CMSIssuingDistributionPointExtension"); + c.putString("extension.IssuingDistributionPoint.pointType", ""); + c.putString("extension.IssuingDistributionPoint.pointName", ""); + c.putString("extension.IssuingDistributionPoint.onlyContainsUserCerts", "false"); + c.putString("extension.IssuingDistributionPoint.onlyContainsCACerts", "false"); + c.putString("extension.IssuingDistributionPoint.onlySomeReasons", ""); + 
//"keyCompromise,cACompromise,affiliationChanged,superseded,cessationOfOperation,certificateHold");
+ c.putString("extension.IssuingDistributionPoint.indirectCRL", "false");
+ // CRLReason
+ c.putString("extension.CRLReason.enable", "true");
+ c.putString("extension.CRLReason.critical", "false");
+ c.putString("extension.CRLReason.type", "CRLEntryExtension");
+ c.putString("extension.CRLReason.class",
+ "com.netscape.cms.crl.CMSCRLReasonExtension");
+ // HoldInstruction
+ c.putString("extension.HoldInstruction.enable", "false");
+ c.putString("extension.HoldInstruction.critical", "false");
+ c.putString("extension.HoldInstruction.type", "CRLEntryExtension");
+ c.putString("extension.HoldInstruction.class",
+ "com.netscape.cms.crl.CMSHoldInstructionExtension");
+ c.putString("extension.HoldInstruction.instruction", "none");
+ // InvalidityDate
+ c.putString("extension.InvalidityDate.enable", "true");
+ c.putString("extension.InvalidityDate.critical", "false");
+ c.putString("extension.InvalidityDate.type", "CRLEntryExtension");
+ c.putString("extension.InvalidityDate.class",
+ "com.netscape.cms.crl.CMSInvalidityDateExtension");
+ // CertificateIssuer
+ /*
+ c.putString("extension.CertificateIssuer.enable", "false");
+ c.putString("extension.CertificateIssuer.critical", "true");
+ c.putString("extension.CertificateIssuer.type", "CRLEntryExtension");
+ c.putString("extension.CertificateIssuer.class",
+ "com.netscape.cms.crl.CMSCertificateIssuerExtension");
+ c.putString("extension.CertificateIssuer.numNames", "0");
+ c.putString("extension.CertificateIssuer.nameType0", "");
+ c.putString("extension.CertificateIssuer.name0", "");
+ */
+ // FreshestCRL
+ c.putString("extension.FreshestCRL.enable", "false");
+ c.putString("extension.FreshestCRL.critical", "false");
+ c.putString("extension.FreshestCRL.type", "CRLExtension");
+ c.putString("extension.FreshestCRL.class",
+ "com.netscape.cms.crl.CMSFreshestCRLExtension");
+ c.putString("extension.FreshestCRL.numPoints", 
"0");
+ c.putString("extension.FreshestCRL.pointType0", "");
+ c.putString("extension.FreshestCRL.pointName0", "");
+
+ String issuingPointClassName = null;
+ Class issuingPointClass = null;
+ CRLIssuingPoint issuingPoint = null;
+
+ try {
+ issuingPointClassName = c.getString(PROP_CLASS);
+ issuingPointClass = Class.forName(issuingPointClassName);
+ issuingPoint = (CRLIssuingPoint) issuingPointClass.newInstance();
+ issuingPoint.init(this, id, c);
+ mCRLIssuePoints.put(id, issuingPoint);
+ } catch (EPropertyNotFound e) {
+ crlSubStore.removeSubStore(id);
+ return false;
+ } catch (EBaseException e) {
+ crlSubStore.removeSubStore(id);
+ return false;
+ } catch (ClassNotFoundException e) {
+ crlSubStore.removeSubStore(id);
+ return false;
+ } catch (InstantiationException e) {
+ crlSubStore.removeSubStore(id);
+ return false;
+ } catch (IllegalAccessException e) {
+ crlSubStore.removeSubStore(id);
+ return false;
+ }
+ }
+ return true;
+ }
+
+ /**
+ * Deletes CRL issuing point with the given identifier.
+ */
+ public void deleteCRLIssuingPoint(IConfigStore crlSubStore, String id) {
+ CRLIssuingPoint ip = (CRLIssuingPoint) mCRLIssuePoints.get(id);
+
+ if (ip != null) {
+ ip.shutdown();
+ mCRLIssuePoints.remove(id);
+ ip = null;
+ crlSubStore.removeSubStore(id);
+ try {
+ mCRLRepot.deleteCRLIssuingPointRecord(id);
+ } catch (EBaseException e) {
+ log(ILogger.LL_FAILURE,
+ CMS.getLogMessage("FAILED_REMOVING_CRL_IP_2", id, e.toString()));
+ }
+ }
+ }
+
+ /**
+ * Returns X500 name of the Certificate Authority
+ * <P>
+ *
+ * @return CA name
+ */
+ public X500Name getX500Name() {
+ return mName;
+ }
+
+ public X500Name getCRLX500Name() {
+ return mCRLName;
+ }
+
+ public X500Name getOCSPX500Name() {
+ return mOCSPName;
+ }
+
+ /**
+ * Returns nickname of CA's signing cert.
+ * <p>
+ * @return CA signing cert nickname.
+ */
+ public String getNickname() {
+ return mNickname;
+ }
+
+ /**
+ * Returns nickname of OCSP's signing cert. 
+ * <p>
+ * @return OCSP signing cert nickname.
+ */
+ public String getOCSPNickname() {
+ return mOCSPNickname;
+ }
+
+ /**
+ * Returns default signing unit used by this CA
+ * <P>
+ *
+ * @return request identifier
+ */
+ public ISigningUnit getSigningUnit() {
+ return mSigningUnit;
+ }
+
+ public ISigningUnit getCRLSigningUnit() {
+ return mCRLSigningUnit;
+ }
+
+ public ISigningUnit getOCSPSigningUnit() {
+ return mOCSPSigningUnit;
+ }
+
+ public void setBasicConstraintMaxLen(int num) {
+ mConfig.putString("Policy.rule.BasicConstraintsExt.maxPathLen", "" + num);
+ }
+
+ /**
+ * Signs CRL using the specified signature algorithm.
+ * If no algorithm is specified the CA's default signing algorithm
+ * is used.
+ * <P>
+ * @param crl the CRL to be signed.
+ * @param algname the algorithm name to use. This is a JCA name such
+ * as MD5withRSA, etc. If set to null the default signing algorithm
+ * is used.
+ *
+ * @return the signed CRL
+ */
+ public X509CRLImpl sign(X509CRLImpl crl, String algname)
+ throws EBaseException {
+ X509CRLImpl signedcrl = null;
+
+ IStatsSubsystem statsSub = (IStatsSubsystem)CMS.getSubsystem("stats");
+ if (statsSub != null) {
+ statsSub.startTiming("signing");
+ }
+
+ long startTime = CMS.getCurrentDate().getTime();
+ try {
+ DerOutputStream out = new DerOutputStream();
+ DerOutputStream tmp = new DerOutputStream();
+
+ if (algname == null) {
+ algname = mSigningUnit.getDefaultAlgorithm();
+ }
+
+ crl.encodeInfo(tmp);
+ AlgorithmId.get(algname).encode(tmp);
+
+ byte[] tbsCertList = crl.getTBSCertList();
+
+ byte[] signature = mCRLSigningUnit.sign(tbsCertList, algname);
+
+ tmp.putBitString(signature);
+ out.write(DerValue.tag_Sequence, tmp);
+
+ signedcrl = new X509CRLImpl(out.toByteArray());
+ } catch (CRLException e) {
+ log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_CA_SIGN_CRL", e.toString(), e.getMessage()));
+ throw new ECAException(
+ CMS.getUserMessage("CMS_CA_SIGNING_CRL_FAILED", e.getMessage()));
+ } catch 
(X509ExtensionException e) {
+ log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_CA_SIGN_CRL", e.toString(), e.getMessage()));
+ throw new ECAException(
+ CMS.getUserMessage("CMS_CA_SIGNING_CRL_FAILED", e.getMessage()));
+ } catch (NoSuchAlgorithmException e) {
+ log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_CA_SIGN_CRL", e.toString(), e.getMessage()));
+ throw new ECAException(
+ CMS.getUserMessage("CMS_CA_SIGNING_CRL_FAILED", e.getMessage()));
+ } catch (IOException e) {
+ log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_CA_SIGN_CRL", e.toString(), e.getMessage()));
+ throw new ECAException(
+ CMS.getUserMessage("CMS_CA_SIGNING_CRL_FAILED", e.getMessage()));
+ } finally {
+ if (statsSub != null) {
+ statsSub.endTiming("signing");
+ }
+ }
+
+ return signedcrl;
+ }
+
+ /**
+ * Signs the given certificate info using specified signing algorithm
+ * If no algorithm is specified the CA's default algorithm is used.
+ * <P>
+ * @param certInfo the certificate info to be signed.
+ * @param algname the signing algorithm to use. These are names defined
+ * in JCA, such as MD5withRSA, etc. If null the CA's default
+ * signing algorithm will be used. 
+ * @return signed certificate
+ */
+ public X509CertImpl sign(X509CertInfo certInfo, String algname)
+ throws EBaseException {
+
+ X509CertImpl signedcert = null;
+
+ IStatsSubsystem statsSub = (IStatsSubsystem)CMS.getSubsystem("stats");
+ if (statsSub != null) {
+ statsSub.startTiming("signing");
+ }
+
+ long startTime = CMS.getCurrentDate().getTime();
+ try {
+ DerOutputStream out = new DerOutputStream();
+ DerOutputStream tmp = new DerOutputStream();
+
+ if (certInfo == null) {
+ log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_CA_NO_CERTINFO"));
+ return null;
+ }
+
+ if (algname == null) {
+ algname = mSigningUnit.getDefaultAlgorithm();
+ }
+
+ CMS.debug("sign cert get algorithm");
+ AlgorithmId alg = AlgorithmId.get(algname);
+
+ // encode certificate info
+ CMS.debug("sign cert encoding cert");
+ certInfo.encode(tmp);
+ byte[] rawCert = tmp.toByteArray();
+
+ // encode algorithm identifier
+ CMS.debug("sign cert encoding algorithm");
+ alg.encode(tmp);
+
+ CMS.debug("CA cert signing: signing cert");
+ byte[] signature = mSigningUnit.sign(rawCert, algname);
+
+ tmp.putBitString(signature);
+
+ // Wrap the signed data in a SEQUENCE { data, algorithm, sig }
+ out.write(DerValue.tag_Sequence, tmp);
+ //log(ILogger.LL_INFO, "CertificateAuthority: done signing");
+
+ switch (mFastSigning) {
+ case FASTSIGNING_DISABLED:
+ signedcert = new X509CertImpl(out.toByteArray());
+ break;
+
+ case FASTSIGNING_ENABLED:
+ signedcert = new X509CertImpl(out.toByteArray(), certInfo);
+ break;
+
+ default:
+ break;
+ }
+ }
+ catch (NoSuchAlgorithmException e) {
+ log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_CA_SIGN_CERT", e.toString(), e.getMessage()));
+ throw new ECAException(
+ CMS.getUserMessage("CMS_CA_SIGNING_CERT_FAILED", e.getMessage()));
+ } catch (IOException e) {
+ log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_CA_SIGN_CERT", e.toString(), e.getMessage()));
+ throw new ECAException(
+ CMS.getUserMessage("CMS_CA_SIGNING_CERT_FAILED", 
e.getMessage()));
+ } catch (CertificateException e) {
+ log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_CA_SIGN_CERT", e.toString(), e.getMessage()));
+ throw new ECAException(
+ CMS.getUserMessage("CMS_CA_SIGNING_CERT_FAILED", e.getMessage()));
+ } finally {
+ if (statsSub != null) {
+ statsSub.endTiming("signing");
+ }
+ }
+ return signedcert;
+ }
+
+ /**
+ * Sign a byte array using the specified algorithm.
+ * If algorithm is null the CA's default algorithm is used.
+ * <p>
+ * @param data the data to be signed in a byte array.
+ * @param algname the algorithm to use.
+ * @return the signature in a byte array.
+ */
+ public byte[] sign(byte[] data, String algname)
+ throws EBaseException {
+ return mSigningUnit.sign(data, algname);
+ }
+
+ /**
+ * logs a message in the CA area.
+ * @param level the debug level.
+ * @param msg the message to debug.
+ */
+ public void log(int level, String msg) {
+ mLogger.log(ILogger.EV_SYSTEM, ILogger.S_CA,
+ level, msg);
+ }
+
+ /**
+ * Retrieves certificate chains of this CA.
+ * @return this CA's cert chain.
+ */
+ public CertificateChain getCACertChain() {
+ return mCACertChain;
+ }
+
+ public X509CertImpl getCACert() {
+ if (mCaCert != null) {
+ return mCaCert;
+ }
+ // during configuration
+ try {
+ String cert = mConfig.getString("signing.cert", null);
+ if (cert != null) {
+ return new X509CertImpl(CMS.AtoB(cert));
+ }
+ } catch (EBaseException e) {
+ CMS.debug(e);
+ } catch (CertificateException e) {
+ CMS.debug(e);
+ }
+ return null;
+ }
+
+ public org.mozilla.jss.crypto.X509Certificate getCaX509Cert() {
+ return mCaX509Cert;
+ }
+
+ public String[] getCASigningAlgorithms() {
+ if (mCASigningAlgorithms != null)
+ return mCASigningAlgorithms;
+
+ if (mCaCert == null)
+ return null; // CA not inited yet. 
+ X509Key caPubKey = null;
+
+ try {
+ caPubKey = (X509Key) mCaCert.get(X509CertImpl.PUBLIC_KEY);
+ } catch (CertificateParsingException e) {
+ }
+ if (caPubKey == null)
+ return null; // something seriously wrong.
+ AlgorithmId alg = caPubKey.getAlgorithmId();
+
+ if (alg == null)
+ return null; // something seriously wrong.
+ mCASigningAlgorithms = AlgorithmId.getSigningAlgorithms(alg);
+ if (mCASigningAlgorithms == null) {
+ CMS.debug(
+ "CA - no signing algorithms for " + alg.getName());
+ } else {
+ CMS.debug(
+ "CA First signing algorithm is " + mCASigningAlgorithms[0]);
+ }
+
+ return mCASigningAlgorithms;
+ }
+
+ //////////
+ // Initialization routines.
+ //
+
+
+ /**
+ * init CA signing unit & cert chain.
+ */
+ private void initSigUnit()
+ throws EBaseException {
+ try {
+ // init signing unit
+ mSigningUnit = new SigningUnit();
+ IConfigStore caSigningCfg =
+ mConfig.getSubStore(PROP_SIGNING_SUBSTORE);
+
+ mSigningUnit.init(this, caSigningCfg);
+ CMS.debug("CA signing unit inited");
+
+ // for identrus
+ IConfigStore CrlStore = mConfig.getSubStore(PROP_CRL_SIGNING_SUBSTORE);
+
+ if (CrlStore != null && CrlStore.size() > 0) {
+ mCRLSigningUnit = new SigningUnit();
+ mCRLSigningUnit.init(this, mConfig.getSubStore(PROP_CRL_SIGNING_SUBSTORE));
+ } else {
+ mCRLSigningUnit = mSigningUnit;
+ }
+
+ // init cert chain
+ CryptoManager manager = CryptoManager.getInstance();
+
+ int caChainNum =
+ caSigningCfg.getInteger(PROP_CA_CHAIN_NUM, 0);
+
+ CMS.debug("cachainNum= " + caChainNum);
+ if (caChainNum > 0) {
+ // custom build chain (for cross cert chain)
+ // audit here ***
+ IConfigStore chainStore =
+ caSigningCfg.getSubStore(PROP_CA_CHAIN);
+
+ if (chainStore == null) {
+ log(ILogger.LL_FAILURE,
+ CMS.getLogMessage("CMSCORE_CA_CA_OCSP_CHAIN",
+ "ca cert chain config error"));
+ throw new ECAException(
+ CMS.getUserMessage("CMS_CA_BUILD_CA_CHAIN_FAILED",
+ "ca cert chain config error"));
+ }
+
+ java.security.cert.X509Certificate[] implchain =
+ new 
java.security.cert.X509Certificate[caChainNum];
+
+ for (int i = 0; i < caChainNum; i++) {
+ String subtreeName = PROP_CA_CERT + i;
+ // cert file name must be full path
+ String certFileName =
+ chainStore.getString(subtreeName, null);
+
+ if ((certFileName == null) || certFileName.equals("")) {
+ log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_CA_OCSP_CHAIN", "cert file config error"));
+ throw new ECAException(
+ CMS.getUserMessage("CMS_CA_BUILD_CA_CHAIN_FAILED",
+ "cert file config error"));
+ }
+ byte[] b64Bytes = getCertFromFile(certFileName);
+ String b64String = new String(b64Bytes);
+ byte[] certBytes = KeyCertUtil.convertB64EToByteArray(b64String);
+
+ implchain[i] = new X509CertImpl(certBytes);
+ } // for
+
+ mCACertChain = new CertificateChain(implchain);
+ CMS.debug("in init - custom built CA cert chain.");
+ } else {
+ // build ca chain the traditional way
+ org.mozilla.jss.crypto.X509Certificate[] chain =
+ manager.buildCertificateChain(mSigningUnit.getCert());
+ // do this in case other subsyss expect a X509CertImpl
+ java.security.cert.X509Certificate[] implchain =
+ new java.security.cert.X509Certificate[chain.length];
+
+ for (int i = 0; i < chain.length; i++) {
+ implchain[i] = new X509CertImpl(chain[i].getEncoded());
+ }
+ mCACertChain = new CertificateChain(implchain);
+ CMS.debug("in init - got CA chain from JSS.");
+ }
+
+ IConfigStore OCSPStore = mConfig.getSubStore(PROP_OCSP_SIGNING_SUBSTORE);
+
+ if (OCSPStore != null && OCSPStore.size() > 0) {
+ mOCSPSigningUnit = new SigningUnit();
+ mOCSPSigningUnit.init(this, mConfig.getSubStore(PROP_OCSP_SIGNING_SUBSTORE));
+ CMS.debug("Separate OCSP signing unit inited");
+ } else {
+ mOCSPSigningUnit = mSigningUnit;
+ CMS.debug("Shared OCSP signing unit inited");
+ }
+
+ org.mozilla.jss.crypto.X509Certificate[] ocspChain =
+ manager.buildCertificateChain(mOCSPSigningUnit.getCert());
+ // do this in case other subsyss expect a X509CertImpl
+ java.security.cert.X509Certificate[] ocspImplchain = 
+ new java.security.cert.X509Certificate[ocspChain.length];
+
+ for (int i = 0; i < ocspChain.length; i++) {
+ ocspImplchain[i] = new X509CertImpl(ocspChain[i].getEncoded());
+ }
+ mOCSPCertChain = new CertificateChain(ocspImplchain);
+ CMS.debug("in init - got OCSP chain from JSS.");
+ // init issuer name - take name from the cert.
+
+ mCaX509Cert = mSigningUnit.getCert();
+ mCaCert = new X509CertImpl(mCaX509Cert.getEncoded());
+ getCASigningAlgorithms();
+ mName = (X500Name) mCaCert.getSubjectDN();
+
+ mCRLX509Cert = mCRLSigningUnit.getCert();
+ mCRLCert = new X509CertImpl(mCRLX509Cert.getEncoded());
+ mCRLName = (X500Name) mCRLCert.getSubjectDN();
+
+ mOCSPX509Cert = mOCSPSigningUnit.getCert();
+ mOCSPNickname = mOCSPSigningUnit.getNickname();
+ mOCSPCert = new X509CertImpl(mOCSPX509Cert.getEncoded());
+ mOCSPName = (X500Name) mOCSPCert.getSubjectDN();
+ mNickname = mSigningUnit.getNickname();
+ CMS.debug("in init - got CA name " + mName);
+
+ } catch (CryptoManager.NotInitializedException e) {
+ log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_CA_OCSP_SIGNING", e.toString()));
+ throw new ECAException(CMS.getUserMessage("CMS_CA_CRYPTO_NOT_INITIALIZED"));
+ } catch (CertificateException e) {
+ if (Debug.ON)
+ e.printStackTrace();
+ log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_CA_OCSP_CHAIN", e.toString()));
+ throw new ECAException(
+ CMS.getUserMessage("CMS_CA_BUILD_CA_CHAIN_FAILED", e.toString()));
+ } catch (FileNotFoundException e) {
+ if (Debug.ON)
+ e.printStackTrace();
+ log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_CA_OCSP_CHAIN", e.toString()));
+ throw new ECAException(
+ CMS.getUserMessage("CMS_CA_BUILD_CA_CHAIN_FAILED", e.toString()));
+ } catch (IOException e) {
+ if (Debug.ON)
+ e.printStackTrace();
+ log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_CA_OCSP_CHAIN", e.toString()));
+ throw new ECAException(
+ CMS.getUserMessage("CMS_CA_BUILD_CA_CHAIN_FAILED", e.toString()));
+ } catch (TokenException e) {
+ if (Debug.ON)
+ 
e.printStackTrace();
+ log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_CA_OCSP_CHAIN", e.toString()));
+ throw new ECAException(
+ CMS.getUserMessage("CMS_CA_BUILD_CA_CHAIN_FAILED", e.toString()));
+ }
+ }
+
+ /**
+ * read ca cert from path, converts and bytes
+ */
+ byte[] getCertFromFile(String path)
+ throws FileNotFoundException, IOException {
+
+ File file = new File(path);
+ Long l = Long.valueOf(file.length());
+ byte[] b = new byte[l.intValue()];
+ FileInputStream in = new FileInputStream(path);
+ int num = in.read(b);
+ in.close();
+
+ return b;
+ }
+
+ /**
+ * init default cert attributes.
+ */
+ private void initDefCaAttrs()
+ throws EBaseException {
+ int version = mConfig.getInteger(PROP_X509CERT_VERSION,
+ CertificateVersion.V3);
+
+ if (version != CertificateVersion.V1 &&
+ version != CertificateVersion.V3) {
+ throw new ECAException(
+ CMS.getUserMessage("CMS_CA_X509CERT_VERSION_NOT_SUPPORTED"));
+ }
+ try {
+ mDefaultCertVersion = new CertificateVersion(version - 1);
+ } catch (IOException e) {
+ // should never occur.
+ }
+
+ int validity_in_days = mConfig.getInteger(PROP_DEF_VALIDITY, 2 * 365);
+
+ mDefaultValidity = validity_in_days * DAY; // days in config file. 
+
+ mEnablePastCATime =
+ mConfig.getBoolean(PROP_ENABLE_PAST_CATIME, false);
+ mEnableOCSP =
+ mConfig.getBoolean(PROP_ENABLE_OCSP, true);
+
+ String fs = mConfig.getString(PROP_FAST_SIGNING, "");
+
+ if (fs.equals("enabled") || fs.equals("enable")) {
+ mFastSigning = FASTSIGNING_ENABLED;
+ } else {
+ mFastSigning = FASTSIGNING_DISABLED;
+ }
+
+ }
+
+ /**
+ * init cert & crl database
+ */
+ private void initCaDatabases()
+ throws EBaseException {
+ int certdb_inc = mConfig.getInteger(PROP_CERTDB_INC, 5);
+
+ String certReposDN = mConfig.getString(PROP_CERT_REPOS_DN, null);
+
+ if (certReposDN == null) {
+ certReposDN = "ou=certificateRepository, ou=" + getId() +
+ ", " + getDBSubsystem().getBaseDN();
+ }
+ String reposDN = mConfig.getString(PROP_REPOS_DN, null);
+
+ if (reposDN == null) {
+ reposDN = "ou=certificateRepository, ou=" + getId() +
+ ", " + getDBSubsystem().getBaseDN();
+ }
+
+ int transitMaxRecords = mConfig.getInteger(PROP_CERTDB_TRANS_MAXRECORDS, 1000000);
+ int transitRecordPageSize = mConfig.getInteger(PROP_CERTDB_TRANS_PAGESIZE, 200);
+
+ mCertRepot = new CertificateRepository(
+ DBSubsystem.getInstance(),
+ certReposDN, certdb_inc, reposDN);
+
+ mCertRepot.setTransitMaxRecords(transitMaxRecords);
+ mCertRepot.setTransitRecordPageSize(transitRecordPageSize);
+
+ CMS.debug("Cert Repot inited");
+
+ // init crl repot.
+
+ int crldb_inc = mConfig.getInteger(PROP_CRLDB_INC, 5);
+
+ mCRLRepot = new CRLRepository(
+ DBSubsystem.getInstance(),
+ crldb_inc,
+ "ou=crlIssuingPoints, ou=" + getId() + ", " +
+ getDBSubsystem().getBaseDN());
+ CMS.debug("CRL Repot inited");
+ }
+
+ /**
+ * init web gateway - just gets the ee gateway for this CA.
+ */
+ private void initWebGateway()
+ throws EBaseException {
+ }
+
+ private void startPublish()
+ throws EBaseException {
+ //xxx Note that CMS411 only support ca cert publishing to ldap
+ // if ldap publishing is not enabled while publishing isenabled
+ // there will be a lot of problem. 
+ try {
+ if (mPublisherProcessor.enabled()) {
+ mPublisherProcessor.publishCACert(mCaCert);
+ CMS.debug("published ca cert");
+ }
+ } catch (ELdapException e) {
+ // exception not thrown - not seen as a fatal error.
+ log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_CA_PUBLISH", e.toString()));
+ }
+ }
+
+ /**
+ * init publishing
+ */
+ private void initPublish()
+ throws EBaseException {
+ IConfigStore c = null;
+
+ try {
+ c = mConfig.getSubStore(PROP_PUBLISH_SUBSTORE);
+ if (c != null && c.size() > 0) {
+ mPublisherProcessor = new PublisherProcessor(
+ getId() + "pp");
+ mPublisherProcessor.init(this, c);
+ CMS.debug("Publishing inited");
+ } else {
+ log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_CA_NO_PUBLISH"));
+ throw new ECAException(
+ CMS.getUserMessage("CMS_CA_INIT_PUBLISH_MODULE_FAILED"));
+ }
+
+ } catch (ELdapException e) {
+ log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_CA_ERROR_PUBLISH_MODULE", e.toString()));
+ //throw new ECAException(
+ // CAResources.INIT_PUBLISH_MODULE_FAILED, e);
+ }
+ }
+
+ private void initMiscellaneousListeners() {
+ IConfigStore lc = null;
+ IConfigStore implc = null;
+ IConfigStore instc = null;
+
+ mListenerPlugins = new Hashtable();
+ try {
+ // Get list of listener implementations
+ lc = mConfig.getSubStore(PROP_LISTENER_SUBSTORE);
+ if (lc != null) {
+
+ implc = lc.getSubStore(PROP_IMPL);
+ Enumeration names = implc.getSubStoreNames();
+
+ while (names.hasMoreElements()) {
+ String id = (String) names.nextElement();
+
+ if (Debug.ON)
+ Debug.trace("registering listener impl: " + id);
+ String cl = implc.getString(id + "." 
+ PROP_CLASS);
+
+ ListenerPlugin plugin = new ListenerPlugin(id, cl);
+
+ mListenerPlugins.put(id, plugin);
+ }
+
+ instc = lc.getSubStore(PROP_INSTANCE);
+ Enumeration instances = instc.getSubStoreNames();
+
+ while (instances.hasMoreElements()) {
+ String id = (String) instances.nextElement();
+
+ if (Debug.ON)
+ Debug.trace("registering listener instance: " + id);
+ IConfigStore iConfig = instc.getSubStore(id);
+ String implName = instc.getString(id + "." + PROP_PLUGIN);
+ ListenerPlugin plugin = (ListenerPlugin) mListenerPlugins.get(implName);
+
+ if (plugin == null) {
+ log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_CA_ERROR_LISTENER", implName));
+ throw new Exception("Cannot initialize");
+ }
+ String className = plugin.getClassPath();
+
+ try {
+ IRequestListener listener = null;
+
+ listener = (IRequestListener)
+ Class.forName(className).newInstance();
+
+ //listener.init(id, implName, iConfig);
+ listener.init(this, iConfig);
+ // registerRequestListener(id, (IRequestListener) listener);
+ //log(ILogger.LL_INFO,
+ // "Listener instance " + id + " added");
+
+ } catch (Exception e) {
+ if (Debug.ON) {
+ e.printStackTrace();
+ }
+ Debug.trace("failed to add listener instance");
+ log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_CA_INIT_LISTENER", id, e.toString()));
+ throw e;
+ }
+ }
+
+ }
+
+ } catch (Exception e) {
+ log(ILogger.LL_INFO, CMS.getLogMessage("CMSCORE_CA_CA_FAILED_LISTENER", e.toString()));
+ }
+
+ }
+
+ /**
+ * init notification related listeners
+ */
+ private void initNotificationListeners() {
+ IConfigStore nc = null;
+
+ try {
+ nc = mConfig.getSubStore(PROP_NOTIFY_SUBSTORE);
+ if (nc != null && nc.size() > 0) {
+ // Initialize Certificate Issued notification listener
+
+ String certificateIssuedListenerClassName = nc.getString("certificateIssuedListenerClassName", "com.netscape.cms.listeners.CertificateIssuedListener");
+
+ try {
+ mCertIssuedListener = (IRequestListener) 
Class.forName(certificateIssuedListenerClassName).newInstance();
+ mCertIssuedListener.init(this, nc);
+ } catch (Exception e1) {
+ log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_CA_REGISTER_LISTENER", certificateIssuedListenerClassName));
+ }
+
+ // Initialize Revoke Request notification listener
+
+ String certificateRevokedListenerClassName = nc.getString("certificateIssuedListenerClassName", "com.netscape.cms.listeners.CertificateRevokedListener");
+
+ try {
+ mCertRevokedListener = (IRequestListener) Class.forName(certificateRevokedListenerClassName).newInstance();
+ mCertRevokedListener.init(this, nc);
+ } catch (Exception e1) {
+ log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_CA_REGISTER_LISTENER", certificateRevokedListenerClassName));
+ }
+
+ // Initialize Request In Queue notification listener
+ IConfigStore rq = nc.getSubStore(PROP_REQ_IN_Q_SUBSTORE);
+
+ String requestInQListenerClassName = nc.getString("certificateIssuedListenerClassName", "com.netscape.cms.listeners.RequestInQListener");
+
+ try {
+ mReqInQListener = (IRequestListener) Class.forName(requestInQListenerClassName).newInstance();
+ mReqInQListener.init(this, nc);
+ } catch (Exception e1) {
+ log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_CA_REGISTER_REQ_LISTENER", requestInQListenerClassName));
+ }
+
+ // Initialize extra listeners
+ IConfigStore mListenerConfig = null;
+
+ } else {
+ log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_CA_NOTIFY_NONE"));
+ }
+ } catch (Exception e) {
+ e.printStackTrace();
+ log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_CA_NOTIFY_FAILED"));
+ // throw e;
+ }
+ }
+
+ /**
+ * initialize request queue components
+ */
+ private void initRequestQueue()
+ throws EBaseException {
+ mPolicy = new CAPolicy();
+ ((CAPolicy) mPolicy).init(this, mConfig.getSubStore(PROP_POLICY));
+ CMS.debug("CA policy inited");
+ mService = new CAService(this);
+ CMS.debug("CA service inited");
+ mNotify = new ARequestNotifier();
+ CMS.debug("CA 
notifier inited");
+ mPNotify = new ARequestNotifier();
+ CMS.debug("CA pending notifier inited");
+
+ // instantiate CA request queue.
+ try {
+ int reqdb_inc = mConfig.getInteger("reqdbInc", 5);
+
+ mRequestQueue =
+ RequestSubsystem.getInstance().getRequestQueue(
+ getId(), reqdb_inc, mPolicy, mService, mNotify, mPNotify);
+ } catch (EBaseException e) {
+ log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_CA_QUEUE_FAILED", e.toString()));
+ throw e;
+ }
+
+ // init request scheduler if configured
+ String schedulerClass =
+ mConfig.getString("requestSchedulerClass", null);
+
+ if (schedulerClass != null) {
+ try {
+ IRequestScheduler scheduler = (IRequestScheduler)
+ Class.forName(schedulerClass).newInstance();
+
+ mRequestQueue.setRequestScheduler(scheduler);
+ } catch (Exception e) {
+ // do nothing here
+ }
+ }
+ }
+
+ /*
+ private void startCRL()
+ throws EBaseException
+ {
+ Enumeration e = mCRLIssuePoints.keys();
+ while (e.hasMoreElements()) {
+ CRLIssuingPoint cp = (CRLIssuingPoint)
+ mCRLIssuePoints.get(e.nextElement());
+ cp.startup();
+ }
+ }
+ */
+
+ /**
+ * initialize CRL
+ */
+ private void initCRL()
+ throws EBaseException {
+ IConfigStore crlConfig = mConfig.getSubStore(PROP_CRL_SUBSTORE);
+
+ if ((crlConfig == null) || (crlConfig.size() <= 0)) {
+ log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_CA_NO_MASTER_CRL"));
+ //throw new ECAException(CAResources.NO_CONFIG_FOR_MASTER_CRL);
+ return;
+ }
+ Enumeration issuePointIdEnum = crlConfig.getSubStoreNames();
+
+ if (issuePointIdEnum == null || !issuePointIdEnum.hasMoreElements()) {
+ log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_CA_NO_MASTER_CRL_SUBSTORE"));
+ //throw new ECAException(CAResources.NO_CONFIG_FOR_MASTER_CRL);
+ return;
+ }
+
+ // a Master/full crl must exist. 
+
+ while (issuePointIdEnum.hasMoreElements()) {
+ String issuePointId = (String) issuePointIdEnum.nextElement();
+
+ CMS.debug(
+ "initializing crl issue point " + issuePointId);
+ IConfigStore issuePointConfig = null;
+ String issuePointClassName = null;
+ Class issuePointClass = null;
+ CRLIssuingPoint issuePoint = null;
+
+ try {
+ issuePointConfig = crlConfig.getSubStore(issuePointId);
+ issuePointClassName = issuePointConfig.getString(PROP_CLASS);
+ issuePointClass = Class.forName(issuePointClassName);
+ issuePoint = (CRLIssuingPoint) issuePointClass.newInstance();
+ issuePoint.init(this, issuePointId, issuePointConfig);
+ mCRLIssuePoints.put(issuePointId, issuePoint);
+ if (mMasterCRLIssuePoint == null &&
+ issuePointId.equals(PROP_MASTER_CRL))
+ mMasterCRLIssuePoint = issuePoint;
+ } catch (ClassNotFoundException e) {
+ throw new ECAException(
+ CMS.getUserMessage("CMS_CA_CRL_ISSUING_POINT_INIT_FAILED",
+ issuePointId, e.toString()));
+ } catch (InstantiationException e) {
+ throw new ECAException(
+ CMS.getUserMessage("CMS_CA_CRL_ISSUING_POINT_INIT_FAILED",
+ issuePointId, e.toString()));
+ } catch (IllegalAccessException e) {
+ throw new ECAException(
+ CMS.getUserMessage("CMS_CA_CRL_ISSUING_POINT_INIT_FAILED",
+ issuePointId, e.toString()));
+ }
+ }
+
+ /*
+ if (mMasterCRLIssuePoint == null) {
+ log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_CA_NO_FULL_CRL", PROP_MASTER_CRL));
+ throw new ECAException(CAResources.NO_CONFIG_FOR_MASTER_CRL);
+ }
+ */
+ log(ILogger.LL_INFO, "CRL Issuing Points inited");
+ }
+
+ public String getOfficialName() {
+ return OFFICIAL_NAME;
+ }
+
+ public long getNumOCSPRequest() {
+ return mNumOCSPRequest;
+ }
+
+ public long getOCSPRequestTotalTime() {
+ return mTotalTime;
+ }
+
+ public long getOCSPTotalData() {
+ return mTotalData;
+ }
+
+ public long getOCSPTotalSignTime() {
+ return mSignTime;
+ }
+
+ public long getOCSPTotalLookupTime()
+ {
+ return mLookupTime;
+ }
+
+ public ResponderID getResponderIDByName() {
+ 
try {
+ X500Name name = getOCSPX500Name();
+ Name.Template nameTemplate = new Name.Template();
+
+ return new NameID((Name) nameTemplate.decode(
+ new ByteArrayInputStream(name.getEncoded())));
+ } catch (IOException e) {
+ return null;
+ } catch (InvalidBERException e) {
+ return null;
+ }
+ }
+
+ public ResponderID getResponderIDByHash() {
+
+ /*
+ KeyHash ::= OCTET STRING --SHA-1 hash of responder's public key
+ --(excluding the tag and length fields)
+ */
+ PublicKey publicKey = getOCSPSigningUnit().getPublicKey();
+ MessageDigest md = null;
+
+ try {
+ md = MessageDigest.getInstance("SHA1");
+ } catch (NoSuchAlgorithmException e) {
+ return null;
+ }
+ md.update(publicKey.getEncoded());
+ byte digested[] = md.digest();
+
+ return new KeyHashID(new OCTET_STRING(digested));
+ }
+
+ /**
+ * Process OCSPRequest.
+ */
+ public OCSPResponse validate(OCSPRequest request)
+ throws EBaseException {
+
+ if (!mEnableOCSP) {
+ CMS.debug("Local ocsp service is disable.");
+ return null;
+ }
+
+ mNumOCSPRequest++;
+ IStatsSubsystem statsSub = (IStatsSubsystem)CMS.getSubsystem("stats");
+ long startTime = CMS.getCurrentDate().getTime();
+ try {
+ //log(ILogger.LL_INFO, "start OCSP request");
+ TBSRequest tbsReq = request.getTBSRequest();
+
+ // (3) look into database to check the
+ // certificate's status
+ Vector singleResponses = new Vector();
+ if (statsSub != null) {
+ statsSub.startTiming("lookup");
+ }
+
+ long lookupStartTime = CMS.getCurrentDate().getTime();
+ for (int i = 0; i < tbsReq.getRequestCount(); i++) {
+ com.netscape.cmsutil.ocsp.Request req =
+ tbsReq.getRequestAt(i);
+ CertID cid = req.getCertID();
+ SingleResponse sr = processRequest(cid);
+
+ singleResponses.addElement(sr);
+ }
+ long lookupEndTime = CMS.getCurrentDate().getTime();
+ if (statsSub != null) {
+ statsSub.endTiming("lookup");
+ }
+ mLookupTime += lookupEndTime - lookupStartTime;
+
+ if (statsSub != null) {
+ statsSub.startTiming("build_response");
+ }
+ SingleResponse res[] = new 
SingleResponse[singleResponses.size()];
+
+ singleResponses.copyInto(res);
+
+ ResponderID rid = null;
+ if (mByName) {
+ if (mResponderIDByName == null) {
+ mResponderIDByName = getResponderIDByName();
+ }
+ rid = mResponderIDByName;
+ } else {
+ if (mResponderIDByHash == null) {
+ mResponderIDByHash = getResponderIDByHash();
+ }
+ rid = mResponderIDByHash;
+ }
+
+ Extension nonce[] = null;
+
+ for (int j = 0; j < tbsReq.getExtensionsCount(); j++) {
+ Extension thisExt = tbsReq.getRequestExtensionAt(j);
+
+ if (thisExt.getExtnId().equals(OCSP_NONCE)) {
+ nonce = new Extension[1];
+ nonce[0] = thisExt;
+ }
+ }
+ ResponseData rd = new ResponseData(rid,
+ new GeneralizedTime(CMS.getCurrentDate()), res, nonce);
+ if (statsSub != null) {
+ statsSub.endTiming("build_response");
+ }
+
+ if (statsSub != null) {
+ statsSub.startTiming("signing");
+ }
+ long signStartTime = CMS.getCurrentDate().getTime();
+ BasicOCSPResponse basicRes = sign(rd);
+ long signEndTime = CMS.getCurrentDate().getTime();
+ mSignTime += signEndTime - signStartTime;
+ if (statsSub != null) {
+ statsSub.endTiming("signing");
+ }
+
+ OCSPResponse response = new OCSPResponse(
+ OCSPResponseStatus.SUCCESSFUL,
+ new ResponseBytes(ResponseBytes.OCSP_BASIC,
+ new OCTET_STRING(ASN1Util.encode(basicRes))));
+
+ //log(ILogger.LL_INFO, "done OCSP request");
+ long endTime = CMS.getCurrentDate().getTime();
+ mTotalTime += endTime - startTime;
+ return response;
+ } catch (Exception e) {
+ log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_CA_OCSP_REQUEST", e.toString()));
+ return null;
+ }
+ }
+
+ private BasicOCSPResponse sign(ResponseData rd) throws EBaseException {
+ try {
+ DerOutputStream out = new DerOutputStream();
+ DerOutputStream tmp = new DerOutputStream();
+
+ String algname = mOCSPSigningUnit.getDefaultAlgorithm();
+
+ byte rd_data[] = ASN1Util.encode(rd);
+ if (rd_data != null) {
+ mTotalData += rd_data.length;
+ }
+ rd.encode(tmp);
+ AlgorithmId.get(algname).encode(tmp);
+ CMS.debug("adding 
signature"); + byte[] signature = mOCSPSigningUnit.sign(rd_data, algname); + + tmp.putBitString(signature); + // optional, put the certificate chains in also + + DerOutputStream tmpChain = new DerOutputStream(); + DerOutputStream tmp1 = new DerOutputStream(); + DerOutputStream outChain = new DerOutputStream(); + java.security.cert.X509Certificate chains[] = + mOCSPCertChain.getChain(); + + for (int i = 0; i < chains.length; i++) { + tmpChain.putDerValue(new DerValue(chains[i].getEncoded())); + } + tmp1.write(DerValue.tag_Sequence, tmpChain); + tmp.write(DerValue.createTag(DerValue.TAG_CONTEXT, true, (byte) 0), + tmp1); + + out.write(DerValue.tag_Sequence, tmp); + + BasicOCSPResponse response = new BasicOCSPResponse(out.toByteArray()); + + return response; + } catch (Exception e) { + e.printStackTrace(); + // error e + log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_CA_OCSP_SIGN", e.toString())); + return null; + } + } + + private SingleResponse processRequest(CertID cid) { + INTEGER serialNo = cid.getSerialNumber(); + + CMS.debug("process request " + serialNo); + CertStatus certStatus = null; + GeneralizedTime thisUpdate = new GeneralizedTime(CMS.getCurrentDate()); + GeneralizedTime nextUpdate = null; + + boolean ocspUseCache = true; + + try { + /* enable OCSP cache by default */ + ocspUseCache = mConfig.getBoolean("ocspUseCache", false); + } catch (EBaseException e) { + } + + if (ocspUseCache) { + String issuingPointId = PROP_MASTER_CRL; + + try { + issuingPointId = mConfig.getString( + "ocspUseCacheIssuingPointId", PROP_MASTER_CRL); + + } catch (EBaseException e) { + } + CRLIssuingPoint point = (CRLIssuingPoint) + getCRLIssuingPoint(issuingPointId); + + if (point.isCRLCacheEnabled()) { + // only do this if cache is enabled + BigInteger sno = new BigInteger(serialNo.toString()); + boolean checkDeltaCache = false; + boolean includeExpiredCerts = false; + + try { + checkDeltaCache = mConfig.getBoolean("ocspUseCacheCheckDeltaCache", false); + } catch 
(EBaseException e) { + } + try { + includeExpiredCerts = mConfig.getBoolean("ocspUseCacheIncludeExpiredCerts", false); + } catch (EBaseException e) { + } + Date revokedOn = point.getRevocationDateFromCache( + sno, checkDeltaCache, includeExpiredCerts); + + if (revokedOn == null) { + certStatus = new GoodInfo(); + } else { + certStatus = new RevokedInfo(new GeneralizedTime(revokedOn)); + } + return new SingleResponse(cid, certStatus, thisUpdate, nextUpdate); + } + } + + try { + ICertRecord rec = mCertRepot.readCertificateRecord(serialNo); + String status = rec.getStatus(); + + if (status == null) { + certStatus = new UnknownInfo(); + } else if (status.equals(CertRecord.STATUS_VALID)) { + certStatus = new GoodInfo(); + } else if (status.equals(CertRecord.STATUS_INVALID)) { + // not yet valid + certStatus = new UnknownInfo(); + } else if (status.equals(CertRecord.STATUS_REVOKED)) { + certStatus = new RevokedInfo(new GeneralizedTime(rec.getRevokedOn())); + } else if (status.equals(CertRecord.STATUS_EXPIRED)) { + certStatus = new UnknownInfo(); + } else if (status.equals(CertRecord.STATUS_REVOKED_EXPIRED)) { + certStatus = new RevokedInfo(new GeneralizedTime(rec.getRevokedOn())); + } else { + certStatus = new UnknownInfo(); + } + } catch (Exception e) { + // not found + certStatus = new UnknownInfo(); // not issued not all + } + + return new SingleResponse(cid, certStatus, thisUpdate, nextUpdate); + } +} + diff --git a/pki/base/ca/src/com/netscape/ca/SigningUnit.java b/pki/base/ca/src/com/netscape/ca/SigningUnit.java new file mode 100644 index 000000000..d6ff93389 --- /dev/null +++ b/pki/base/ca/src/com/netscape/ca/SigningUnit.java 
@@ -0,0 +1,374 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.ca; + + +import java.io.*; +import java.security.SignatureException; +import java.security.NoSuchAlgorithmException; +import java.security.PublicKey; +import java.security.InvalidKeyException; +import netscape.security.x509.*; +import netscape.security.util.*; +import org.mozilla.jss.*; +import org.mozilla.jss.crypto.*; +import org.mozilla.jss.util.*; +import org.mozilla.jss.crypto.Signature; +import com.netscape.certsrv.apps.*; +import com.netscape.certsrv.common.*; +import com.netscape.certsrv.logging.*; +import com.netscape.certsrv.base.*; +import com.netscape.certsrv.security.*; +import com.netscape.certsrv.ca.*; +import com.netscape.cmsutil.util.*; + +import com.netscape.cmscore.security.JssSubsystem; + + +/** + * CA signing unit based on JSS. + * + * $Revision: 14562 $ $Date: 2007-05-01 10:31:12 -0700 (Tue, 01 May 2007) $ + */ + +public final class SigningUnit implements ISigningUnit { + public static final String PROP_DEFAULT_SIGNALG = "defaultSigningAlgorithm"; + public static final String PROP_CERT_NICKNAME = "cacertnickname"; + // This signing unit is being used in OCSP and CRL also. 
So + // it is better to have a more generic name + public static final String PROP_RENAMED_CERT_NICKNAME = "certnickname"; + public static final String PROP_TOKEN_NAME = "tokenname"; + public static final String PROP_NEW_NICKNAME = "newNickname"; + + private CryptoManager mManager = null; + private CryptoToken mToken = null; + private PublicKey mPubk = null; + private PrivateKey mPrivk = null; + + protected X509Certificate mCert = null; + protected X509CertImpl mCertImpl = null; + protected String mNickname = null; + + private boolean mInited = false; + private ILogger mLogger = CMS.getLogger(); + private IConfigStore mConfig; + + private ISubsystem mOwner = null; + + private String mDefSigningAlgname = null; + private SignatureAlgorithm mDefSigningAlgorithm = null; + + public SigningUnit() { + } + + public X509Certificate getCert() { + return mCert; + } + + public X509CertImpl getCertImpl() { + return mCertImpl; + } + + public String getNickname() { + return mNickname; + } + + public String getNewNickName() throws EBaseException { + return mConfig.getString(PROP_NEW_NICKNAME, ""); + } + + public void setNewNickName(String name) { + mConfig.putString(PROP_NEW_NICKNAME, name); + } + + public PublicKey getPublicKey() { + return mPubk; + } + + public PrivateKey getPrivateKey() { + return mPrivk; + } + + public void updateConfig(String nickname, String tokenname) { + mConfig.putString(PROP_CERT_NICKNAME, nickname); + mConfig.putString(PROP_TOKEN_NAME, tokenname); + } + + public String getTokenName() throws EBaseException { + return mConfig.getString(PROP_TOKEN_NAME); + } + + public String getNickName() throws EBaseException { + try { + return mConfig.getString(PROP_RENAMED_CERT_NICKNAME); + } catch (EBaseException e) { + return mConfig.getString(PROP_CERT_NICKNAME); + } + } + + public void init(ISubsystem owner, IConfigStore config) + throws EBaseException { + mOwner = owner; + mConfig = config; + + String tokenname = null; + try { + mManager = 
CryptoManager.getInstance(); + + mNickname = getNickName(); + + tokenname = config.getString(PROP_TOKEN_NAME); + if (tokenname.equalsIgnoreCase(Constants.PR_INTERNAL_TOKEN) || + tokenname.equalsIgnoreCase("Internal Key Storage Token")) { + mToken = mManager.getInternalKeyStorageToken(); + setNewNickName(mNickname); + } else { + mToken = mManager.getTokenByName(tokenname); + mNickname = tokenname + ":" + mNickname; + setNewNickName(mNickname); + } + CMS.debug(config.getName() + " Signing Unit nickname " + mNickname); + CMS.debug("Got token " + tokenname + " by name"); + + PasswordCallback cb = JssSubsystem.getInstance().getPWCB(); + + mToken.login(cb); // ONE_TIME by default. + + mCert = mManager.findCertByNickname(mNickname); + CMS.debug("Found cert by nickname"); + + mCertImpl = new X509CertImpl(mCert.getEncoded()); + CMS.debug("converted to x509CertImpl"); + + mPrivk = mManager.findPrivKeyByCert(mCert); + CMS.debug("Got private key from cert"); + + mPubk = mCert.getPublicKey(); + CMS.debug("Got public key from cert"); + + // get def alg and check if def sign alg is valid for token. 
+ mDefSigningAlgname = config.getString(PROP_DEFAULT_SIGNALG); + mDefSigningAlgorithm = + checkSigningAlgorithmFromName(mDefSigningAlgname); + CMS.debug( + "got signing algorithm " + mDefSigningAlgorithm); + mInited = true; + } catch (java.security.cert.CertificateException e) { + CMS.debug("SigningUnit init: debug "+ e.toString()); + log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_SIGNING_CA_CERT", e.getMessage())); + throw new ECAException(CMS.getUserMessage("CMS_BASE_INTERNAL_ERROR", e.toString())); + } catch (CryptoManager.NotInitializedException e) { + CMS.debug("SigningUnit init: debug "+ e.toString()); + log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_SIGNING_TOKEN_INIT", e.toString())); + throw new ECAException(CMS.getUserMessage("CMS_CA_CRYPTO_NOT_INITIALIZED")); + } catch (IncorrectPasswordException e) { + CMS.debug("SigningUnit init: debug "+ e.toString()); + log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_SIGNING_WRONG_PWD", e.toString())); + throw new ECAException(CMS.getUserMessage("CMS_CA_INVALID_PASSWORD")); + } catch (NoSuchTokenException e) { + CMS.debug("SigningUnit init: debug "+ e.toString()); + log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_SIGNING_TOKEN_NOT_FOUND", tokenname, e.toString())); + throw new ECAException(CMS.getUserMessage("CMS_CA_TOKEN_NOT_FOUND", tokenname)); + } catch (ObjectNotFoundException e) { + CMS.debug("SigningUnit init: debug "+ e.toString()); + log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_SIGNING_CERT_NOT_FOUND", e.toString())); + throw new ECAException(CMS.getUserMessage("CMS_CA_CERT_OBJECT_NOT_FOUND")); + } catch (TokenException e) { + CMS.debug("SigningUnit init: debug "+ e.toString()); + log(ILogger.LL_FAILURE, CMS.getLogMessage("OPERATION_ERROR", e.toString())); + throw new ECAException(CMS.getUserMessage("CMS_CA_TOKEN_ERROR")); + } catch (Exception e){ + CMS.debug("SigningUnit init: debug "+ e.toString()); + } + } + + /** + * Check if the signing algorithm name is supported and 
valid for this + * signing unit's token and key. + * + * @param algname a signing algorithm name from JCA. + * @return the mapped JSS signature algorithm object. + * + * @exception EBaseException if signing algorithm is not supported. + */ + public SignatureAlgorithm checkSigningAlgorithmFromName(String algname) + throws EBaseException { + try { + SignatureAlgorithm sigalg = null; + + sigalg = mapAlgorithmToJss(algname); + if (sigalg == null) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_SIGNING_ALG_NOT_SUPPORTED", algname, "")); + throw new ECAException( + CMS.getUserMessage("CMS_CA_SIGNING_ALGOR_NOT_SUPPORTED", algname)); + } + Signature signer = mToken.getSignatureContext(sigalg); + + signer.initSign(mPrivk); + return sigalg; + } catch (NoSuchAlgorithmException e) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_SIGNING_ALG_NOT_SUPPORTED", algname, e.toString())); + throw new ECAException( + CMS.getUserMessage("CMS_CA_SIGNING_ALGOR_NOT_SUPPORTED", algname)); + } catch (TokenException e) { + // from get signature context or from initSign + log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_SIGNING_ALG_NOT_SUPPORTED", algname, e.toString())); + throw new ECAException( + CMS.getUserMessage("CMS_CA_SIGNING_ALGOR_NOT_SUPPORTED", algname)); + } catch (InvalidKeyException e) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_SIGNING_ALG_NOT_SUPPORTED", algname, e.toString())); + throw new ECAException( + CMS.getUserMessage("CMS_CA_SIGNING_ALGOR_NOT_SUPPORTED_FOR_KEY", algname)); + } + } + + /** + * @param algname is expected to be one of JCA's algorithm names. + */ + public byte[] sign(byte[] data, String algname) + throws EBaseException { + if (!mInited) { + throw new EBaseException("CASigningUnit not initialized!"); + } + try { + // XXX for now do this mapping until James changes the names + // to match JCA names and provide a getAlgorithm method. 
+ SignatureAlgorithm signAlg = mDefSigningAlgorithm; + + if (algname != null) { + signAlg = checkSigningAlgorithmFromName(algname); + } + + // XXX use a pool of signers based on alg ? + // XXX Map algor. name to id. hack: use hardcoded define for now. + CMS.debug( + "Getting algorithm context for " + algname + " " + signAlg); + Signature signer = mToken.getSignatureContext(signAlg); + + signer.initSign(mPrivk); + signer.update(data); + // XXX add something more descriptive. + CMS.debug("Signing Certificate"); + return signer.sign(); + } catch (NoSuchAlgorithmException e) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("OPERATION_ERROR", e.toString())); + throw new ECAException( + CMS.getUserMessage("CMS_CA_SIGNING_ALGOR_NOT_SUPPORTED", algname)); + } catch (TokenException e) { + // from get signature context or from initSign + log(ILogger.LL_FAILURE, CMS.getLogMessage("OPERATION_ERROR", e.toString())); + // XXX fix this exception later. + throw new EBaseException(e.toString()); + } catch (InvalidKeyException e) { + // XXX fix this exception later. + throw new EBaseException(e.toString()); + } catch (SignatureException e) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("OPERATION_ERROR", e.toString())); + // XXX fix this exception later. + throw new EBaseException(e.toString()); + } + } + + public boolean verify(byte[] data, byte[] signature, String algname) + throws EBaseException { + if (!mInited) { + throw new EBaseException("CASigningUnit not initialized!"); + } + try { + SignatureAlgorithm signAlg = mapAlgorithmToJss(algname); + + if (signAlg == null) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_SIGNING_ALG_NOT_SUPPORTED", algname, "")); + throw new ECAException( + CMS.getUserMessage("CMS_CA_SIGNING_ALGOR_NOT_SUPPORTED", algname)); + } + // XXX make this configurable. hack: use hardcoded for now. 
+ Signature signer = mToken.getSignatureContext(signAlg); + + signer.initVerify(mPubk); + signer.update(data); + return signer.verify(signature); + } catch (NoSuchAlgorithmException e) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("OPERATION_ERROR", e.toString())); + // XXX fix this exception later. + throw new EBaseException(e.toString()); + } catch (TokenException e) { + // from get signature context or from initSign + log(ILogger.LL_FAILURE, CMS.getLogMessage("OPERATION_ERROR", e.toString())); + // XXX fix this exception later. + throw new EBaseException(e.toString()); + } catch (InvalidKeyException e) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("OPERATION_ERROR", e.toString())); + // XXX fix this exception later. + throw new EBaseException(e.toString()); + } catch (SignatureException e) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("OPERATION_ERROR", e.toString())); + // XXX fix this exception later. + throw new EBaseException(e.toString()); + } + } + + private void log(int level, String msg) { + if (mLogger == null) + return; + mLogger.log(ILogger.EV_SYSTEM, null, ILogger.S_CA, + level, "CASigningUnit: " + msg); + } + + /** + * returns default signing algorithm name. + */ + public String getDefaultAlgorithm() { + return mDefSigningAlgname; + } + + public void setDefaultAlgorithm(String algorithm) throws EBaseException { + mConfig.putString(PROP_DEFAULT_SIGNALG, algorithm); + mDefSigningAlgname = algorithm; + log(ILogger.LL_INFO, + "Default signing algorithm is set to " + algorithm); + } + + /** + * get all possible algorithms for the CA signing key type. 
+ */ + public String[] getAllAlgorithms() throws EBaseException { + byte[] keybytes = mPubk.getEncoded(); + X509Key key = new X509Key(); + + try { + key.decode(keybytes); + } catch (java.security.InvalidKeyException e) { + String msg = "Invalid encoding in CA signing key."; + + log(ILogger.LL_FAILURE, CMS.getLogMessage("OPERATION_ERROR", msg)); + throw new EBaseException(CMS.getUserMessage("CMS_BASE_INTERNAL_ERROR", msg)); + } + + if (key.getAlgorithmId().getOID().equals(AlgorithmId.DSA_oid)) { + return new String[] { "SHA1withDSA" }; + } else { + return new String[] { "MD5withRSA", "MD2withRSA", "SHA1withRSA", "SHA256withRSA", "SHA512withRSA","SHA1withEC" }; + } + } + + public static SignatureAlgorithm mapAlgorithmToJss(String algname) { + return Cert.mapAlgorithmToJss(algname); + } +} + |
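Review bot: The trailing `catch (Exception e)` in `init` only emits a debug line, so any `EBaseException` raised inside the try body — `config.getString(PROP_DEFAULT_SIGNALG)` on a missing key, or `checkSigningAlgorithmFromName` rejecting the configured default algorithm — is swallowed and `init` returns normally with `mInited` still false; the misconfiguration then surfaces only later as "CASigningUnit not initialized!" from `sign`, far from its cause. I would let configuration errors propagate and wrap anything else in the same style as the preceding handlers: `} catch (EBaseException e) { throw e; } catch (Exception e) { CMS.debug("SigningUnit init: debug " + e.toString()); throw new ECAException(CMS.getUserMessage("CMS_BASE_INTERNAL_ERROR", e.toString())); }`. Since `init` declares only `throws EBaseException` yet throws `ECAException` unwrapped, `ECAException` must be a subtype of it, so the `EBaseException` clause has to precede the generic one. Separately, `getAllAlgorithms` advertises `MD2withRSA` and `MD5withRSA` for every non-DSA key and also lists `SHA1withEC` in that same RSA branch; a CA signing unit should not offer collision-prone digests as selectable signing algorithms, and the EC entry belongs in a key-type branch of its own.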