diff options
Diffstat (limited to 'pki/base/kra/shared/conf')
35 files changed, 4432 insertions, 0 deletions
diff --git a/pki/base/kra/shared/conf/CS.cfg b/pki/base/kra/shared/conf/CS.cfg new file mode 100644 index 000000000..7bd887274 --- /dev/null +++ b/pki/base/kra/shared/conf/CS.cfg @@ -0,0 +1,286 @@ +installDate=[INSTALL_TIME] +preop.wizard.name=DRM Setup Wizard +preop.product.name=CS +preop.product.version= +preop.system.name=DRM +preop.system.fullname=Data Recovery Manager +cs.state=0 +cs.type=KRA +admin.interface.uri=kra/admin/console/config/wizard +agent.interface.uri=kra/agent/kra +authType=pwd +preop.securitydomain.url=https://[PKI_MACHINE_NAME]:9443 +instanceRoot=[PKI_INSTANCE_PATH] +machineName=[PKI_MACHINE_NAME] +instanceId=[PKI_INSTANCE_ID] +service.securePort=[PKI_SECURE_PORT] +preop.admin.name=Data Recovery Manager Administrator +preop.admin.group=Data Recovery Manager Agents +preop.admincert.profile=caAdminCert +preop.pin=[PKI_RANDOM_NUMBER] +preop.cert.list=transport,storage,sslserver,subsystem +preop.cert.transport.enable=true +preop.cert.storage.enable=true +preop.cert.sslserver.enable=true +preop.cert.subsystem.enable=true +preop.cert.storage.defaultSigningAlgorithm=SHA1withRSA +preop.cert.storage.dn=CN=DRM Storage Certificate +preop.cert.storage.keysize.custom_size=2048 +preop.cert.storage.keysize.size=2048 +preop.cert.storage.nickname=storageCert cert-[PKI_INSTANCE_ID] +preop.cert.storage.profile=caInternalAuthDRMstorageCert +preop.cert.storage.subsystem=kra +preop.cert.storage.type=remote +preop.cert.storage.userfriendlyname=Storage Certificate +preop.cert.storage.cncomponent.override=true +preop.cert.transport.defaultSigningAlgorithm=SHA1withRSA +preop.cert.transport.dn=CN=DRM Transport Certificate +preop.cert.transport.keysize.custom_size=2048 +preop.cert.transport.keysize.size=2048 +preop.cert.transport.nickname=transportCert cert-[PKI_INSTANCE_ID] +preop.cert.transport.profile=caInternalAuthTransportCert +preop.cert.transport.subsystem=kra +preop.cert.transport.type=remote +preop.cert.transport.userfriendlyname=Transport Certificate +preop.cert.transport.cncomponent.override=true +preop.cert.sslserver.defaultSigningAlgorithm=SHA1withRSA +preop.cert.sslserver.dn=CN=[PKI_MACHINE_NAME] +preop.cert.sslserver.keysize.custom_size=2048 +preop.cert.sslserver.keysize.size=2048 +preop.cert.sslserver.nickname=Server-Cert cert-[PKI_INSTANCE_ID] +preop.cert.sslserver.profile=caInternalAuthServerCert +preop.cert.sslserver.subsystem=kra +preop.cert.sslserver.type=remote +preop.cert.sslserver.userfriendlyname=SSL Server Certificate +preop.cert.sslserver.cncomponent.override=false +preop.cert.subsystem.defaultSigningAlgorithm=SHA1withRSA +preop.cert.subsystem.dn=CN=DRM Subsystem Certificate +preop.cert.subsystem.keysize.custom_size=2048 +preop.cert.subsystem.keysize.size=2048 +preop.cert.subsystem.nickname=subsystemCert cert-[PKI_INSTANCE_ID] +preop.cert.subsystem.profile=caInternalAuthSubsystemCert +preop.cert.subsystem.subsystem=kra +preop.cert.subsystem.type=remote +preop.cert.subsystem.userfriendlyname=Subsystem Certificate +preop.cert.subsystem.cncomponent.override=true +preop.hierarchy.profile=caCert.profile +preop.configModules.module0.userFriendlyName=NSS Internal PKCS #11 Module +preop.configModules.module0.commonName=NSS Internal PKCS #11 Module +preop.configModules.module0.imagePath=../img/clearpixel.gif +preop.configModules.module1.userFriendlyName=nCipher's nFast Token Hardware Module +preop.configModules.module1.commonName=nfast +preop.configModules.module1.imagePath=../img/clearpixel.gif +preop.configModules.module2.userFriendlyName=SafeNet's LunaSA Token Hardware Module +preop.configModules.module2.commonName=lunasa +preop.configModules.module2.imagePath=../img/clearpixel.gif +preop.configModules.count=3 +preop.module.token=Internal Key Storage Token +passwordFile=[PKI_INSTANCE_PATH]/conf/password.conf +passwordClass=com.netscape.cmsutil.password.PlainPasswordFile +multiroles=true +CrossCertPair._000=## +CrossCertPair._001=## CrossCertPair Import +CrossCertPair._002=## +CrossCertPair.ldap=internaldb +accessEvaluator.impl.group.class=com.netscape.cms.evaluators.GroupAccessEvaluator +accessEvaluator.impl.ipaddress.class=com.netscape.cms.evaluators.IPAddressAccessEvaluator +accessEvaluator.impl.user.class=com.netscape.cms.evaluators.UserAccessEvaluator +auths._000=## +auths._001=## new authentication +auths._002=## +auths.impl._000=## +auths.impl._001=## authentication manager implementations +auths.impl._002=## +auths.impl.AgentCertAuth.class=com.netscape.cms.authentication.AgentCertAuthentication +auths.impl.CMCAuth.class=com.netscape.cms.authentication.CMCAuth +auths.impl.NISAuth.class=com.netscape.cms.authentication.NISAuth +auths.impl.PortalEnroll.class=com.netscape.cms.authentication.PortalEnroll +auths.impl.TokenAuth.class=com.netscape.cms.authentication.TokenAuthentication +auths.impl.UdnPwdDirAuth.class=com.netscape.cms.authentication.UdnPwdDirAuthentication +auths.impl.UidPwdDirAuth.class=com.netscape.cms.authentication.UidPwdDirAuthentication +auths.impl.UidPwdPinDirAuth.class=com.netscape.cms.authentication.UidPwdPinDirAuthentication +auths.instance.AgentCertAuth.agentGroup=Certificate Manager Agents +auths.instance.AgentCertAuth.pluginName=AgentCertAuth +auths.instance.TokenAuth.pluginName=TokenAuth +auths.revocationChecking.bufferSize=50 +auths.revocationChecking.enabled=false +auths.revocationChecking.kra=kra +authz._000=## +authz._001=## new authorizatioin +authz._002=## +authz.evaluateOrder=deny,allow +authz.sourceType=ldap +authz.impl._000=## +authz.impl._001=## authorization manager implementations +authz.impl._002=## +authz.impl.BasicAclAuthz.class=com.netscape.cms.authorization.BasicAclAuthz +authz.impl.DirAclAuthz.class=com.netscape.cms.authorization.DirAclAuthz +authz.instance.BasicAclAuthz.pluginName=BasicAclAuthz +authz.instance.DirAclAuthz.ldap=internaldb +authz.instance.DirAclAuthz.pluginName=DirAclAuthz +authz.instance.DirAclAuthz.ldap._000=## +authz.instance.DirAclAuthz.ldap._001=## Internal Database +authz.instance.DirAclAuthz.ldap._002=## +cmc.cert.confirmRequired=false +cmc.lraPopWitness.verify.allow=true +cmc.revokeCert.verify=true +cmc.revokeCert.sharedSecret.class=com.netscape.cms.authentication.SharedSecret +cmc.sharedSecret.class=com.netscape.cms.authentication.SharedSecret +cms.version= +dbs.beginRequestNumber=1 +dbs.endRequestNumber=10000000 +dbs.requestNumber.increment=10000000 +dbs.beginSerialNumber=1 +dbs.endSerialNumber=10000000 +dbs.serialNumber.increment=10000000 +dbs.ldap=internaldb +dbs.newSchemaEntryAdded=true +debug.append=true +debug.enabled=true +debug.filename=[PKI_INSTANCE_PATH]/logs/debug +debug.hashkeytypes= +debug.level=0 +debug.showcaller=false +internaldb._000=## +internaldb._001=## Internal Database +internaldb._002=## +internaldb.maxConns=15 +internaldb.minConns=3 +internaldb.ldapauth.authtype=BasicAuth +internaldb.ldapauth.bindDN=cn=Directory Manager +internaldb.ldapauth.bindPWPrompt=Internal LDAP Database +internaldb.ldapauth.clientCertNickname= +internaldb.ldapconn.host= +internaldb.ldapconn.port= +internaldb.ldapconn.secureConn=false +preop.internaldb.ldif=/usr/share/[PKI_FLAVOR]/kra/conf/schema.ldif,/usr/share/[PKI_FLAVOR]/kra/conf/database.ldif +preop.internaldb.data_ldif=/usr/share/[PKI_FLAVOR]/kra/conf/db.ldif,/usr/share/[PKI_FLAVOR]/kra/conf/acl.ldif +preop.internaldb.index_ldif= +preop.internaldb.post_ldif=/usr/share/[PKI_FLAVOR]/kra/conf/index.ldif,/usr/share/[PKI_FLAVOR]/kra/conf/vlv.ldif,/usr/share/[PKI_FLAVOR]/kra/conf/vlvtasks.ldif +preop.internaldb.wait_dn=cn=index1160527115, cn=index, cn=tasks, cn=config +internaldb.multipleSuffix.enable=false +jobsScheduler._000=## +jobsScheduler._001=## jobScheduler +jobsScheduler._002=## +jobsScheduler.enabled=false +jobsScheduler.interval=1 +jss._000=## +jss._001=## JSS +jss._002=## +jss.configDir=[PKI_INSTANCE_PATH]/alias/ +jss.enable=true +jss.secmodName=secmod.db +jss.ocspcheck.enable=false +jss.ssl.cipherfortezza=true +jss.ssl.cipherpref= +jss.ssl.cipherversion=cipherdomestic +kra.keySplitting=false +kra.noOfRequiredRecoveryAgents=1 +kra.recoveryAgentGroup=Data Recovery Manager Agents +kra.reqdbInc=20 +kra.entropy.bitsperkeypair=0 +kra.entropy.blockwarnms=0 +kra.storageUnit.nickName=storageCert cert-[PKI_INSTANCE_ID] +kra.transportUnit.nickName=transportCert cert-[PKI_INSTANCE_ID] +log._000=## +log._001=## Logging +log._002=## +log.impl.file.class=com.netscape.cms.logging.RollingLogFile +log.instance.SignedAudit._000=## +log.instance.SignedAudit._001=## Signed Audit Logging +log.instance.SignedAudit._002=## +log.instance.SignedAudit.bufferSize=512 +log.instance.SignedAudit.enable=true +log.instance.SignedAudit.events=AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,LOG_EXPIRATION_CHANGE,PRIVATE_KEY_ARCHIVE,PRIVATE_KEY_ARCHIVE_PROCESSED,KEY_RECOVERY_REQUEST,KEY_RECOVERY_AGENT_LOGIN,KEY_RECOVERY_PROCESSED,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ_SUCCESS,AUTHZ_FAIL,INTER_BOUNDARY,AUTH_FAIL,AUTH_SUCCESS,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,SERVER_SIDE_KEYGEN_PROCESSED,SERVER_SIDE_KEYGEN_REQUEST +log.instance.SignedAudit.expirationTime=0 +log.instance.SignedAudit.fileName=[PKI_INSTANCE_PATH]/logs/signedAudit/kra_cert-kra_audit +log.instance.SignedAudit.flushInterval=5 +log.instance.SignedAudit.level=1 +log.instance.SignedAudit.logSigning=false +log.instance.SignedAudit.maxFileSize=2000 +log.instance.SignedAudit.pluginName=file +log.instance.SignedAudit.rolloverInterval=2592000 +log.instance.SignedAudit.signedAudit:_000=## +log.instance.SignedAudit.signedAudit:_001=## Fill in the nickname of a trusted signing certificate to allow KRA audit logs to be signed +log.instance.SignedAudit.signedAudit:_002=## +log.instance.SignedAudit.signedAuditCertNickname= +log.instance.SignedAudit.type=signedAudit +log.instance.System._000=## +log.instance.System._001=## System Logging +log.instance.System._002=## +log.instance.System.bufferSize=512 +log.instance.System.enable=true +log.instance.System.expirationTime=0 +log.instance.System.fileName=[PKI_INSTANCE_PATH]/logs/system +log.instance.System.flushInterval=5 +log.instance.System.level=3 +log.instance.System.maxFileSize=2000 +log.instance.System.pluginName=file +log.instance.System.rolloverInterval=2592000 +log.instance.System.type=system +log.instance.Transactions._000=## +log.instance.Transactions._001=## Transaction Logging +log.instance.Transactions._002=## +log.instance.Transactions.bufferSize=512 +log.instance.Transactions.enable=true +log.instance.Transactions.expirationTime=0 +log.instance.Transactions.fileName=[PKI_INSTANCE_PATH]/logs/transactions +log.instance.Transactions.flushInterval=5 +log.instance.Transactions.level=1 +log.instance.Transactions.maxFileSize=2000 +log.instance.Transactions.pluginName=file +log.instance.Transactions.rolloverInterval=2592000 +log.instance.Transactions.type=transaction +logAudit.fileName=[PKI_INSTANCE_PATH]/logs/access +logError.fileName=[PKI_INSTANCE_PATH]/logs/error +oidmap.auth_info_access.class=netscape.security.extensions.AuthInfoAccessExtension +oidmap.auth_info_access.oid=1.3.6.1.5.5.7.1.1 +oidmap.challenge_password.class=com.netscape.cms.servlet.cert.scep.ChallengePassword +oidmap.challenge_password.oid=1.2.840.113549.1.9.7 +oidmap.extended_key_usage.class=netscape.security.extensions.ExtendedKeyUsageExtension +oidmap.extended_key_usage.oid=2.5.29.37 +oidmap.extensions_requested_pkcs9.class=com.netscape.cms.servlet.cert.scep.ExtensionsRequested +oidmap.extensions_requested_pkcs9.oid=1.2.840.113549.1.9.14 +oidmap.extensions_requested_vsgn.class=com.netscape.cms.servlet.cert.scep.ExtensionsRequested +oidmap.extensions_requested_vsgn.oid=2.16.840.1.113733.1.9.8 +oidmap.netscape_comment.class=netscape.security.x509.NSCCommentExtension +oidmap.netscape_comment.oid=2.16.840.1.113730.1.13 +oidmap.ocsp_no_check.class=netscape.security.extensions.OCSPNoCheckExtension +oidmap.ocsp_no_check.oid=1.3.6.1.5.5.7.48.1.5 +oidmap.pse.class=netscape.security.extensions.PresenceServerExtension +oidmap.pse.oid=2.16.840.1.113730.1.18 +oidmap.subject_info_access.class=netscape.security.extensions.SubjectInfoAccessExtension +oidmap.subject_info_access.oid=1.3.6.1.5.5.7.1.11 +os.serverName=cert-[PKI_INSTANCE_ID] +os.userid=nobody +registry.file=[PKI_INSTANCE_PATH]/conf/registry.cfg +selftests._000=## +selftests._001=## Self Tests +selftests._002=## +selftests.container.instance.KRAPresence=com.netscape.cms.selftests.kra.KRAPresence +selftests.container.logger.bufferSize=512 +selftests.container.logger.class=com.netscape.cms.logging.RollingLogFile +selftests.container.logger.enable=true +selftests.container.logger.expirationTime=0 +selftests.container.logger.fileName=[PKI_INSTANCE_PATH]/logs/selftests.log +selftests.container.logger.flushInterval=5 +selftests.container.logger.level=1 +selftests.container.logger.maxFileSize=2000 +selftests.container.logger.register=false +selftests.container.logger.rolloverInterval=2592000 +selftests.container.logger.type=transaction +selftests.container.order.onDemand=KRAPresence:critical +selftests.container.order.startup= +selftests.plugin.KRAPresence.SubId=kra +smtp.host=localhost +smtp.port=25 +subsystem.0.class=com.netscape.kra.KeyRecoveryAuthority +subsystem.0.id=kra +subsystem.1.class=com.netscape.cmscore.selftests.SelfTestSubsystem +subsystem.1.id=selftests +subsystem.2.class=com.netscape.cmscore.util.StatsSubsystem +subsystem.2.id=stats +usrgrp._000=## +usrgrp._001=## User/Group +usrgrp._002=## +usrgrp.ldap=internaldb diff --git a/pki/base/kra/shared/conf/acl.ldif b/pki/base/kra/shared/conf/acl.ldif new file mode 100644 index 000000000..c7ddd909f --- /dev/null +++ b/pki/base/kra/shared/conf/acl.ldif @@ -0,0 +1,32 @@ +dn: cn=aclResources,{rootSuffix} +objectClass: top +objectClass: CertACLS +cn: aclResources +resourceACLS: certServer.usrgrp.administration:read,modify:allow (read) group="Administrators" || group="Auditors" || group="Certificate Manager Agents" || group="Registration Manager Agents" || group="Data Recovery Manager Agents" || group="Online Certificate Status Manager Agents";allow (modify) group="Administrators":Administrators, auditors, and agents are allowed to read user and group configuration but only administrators are allowed to modify +resourceACLS: certServer.general.configuration:read,modify:allow (read) group="Administrators" || group="Auditors" || group="Certificate Manager Agents" || group="Registration Manager Agents" || group="Data Recovery Manager Agents" || group="Online Certificate Status Manager Agents";allow (modify) group="Administrators":Administrators, auditors, and agents are allowed to read CMS general configuration but only administrators are allowed to modify +resourceACLS: certServer.acl.configuration:read,modify:allow (read) group="Administrators" || group="Certificate Manager Agents" || group="Registration Manager Agents" || group="Data Recovery Manager Agents" || group="Online Certificate Status Manager Agents" || group="Auditors";allow (modify) group="Administrators":Administrators, agents and auditors are allowed to read ACL configuration but only administrators allowed to modify +resourceACLS: certServer.log.configuration:read,modify:allow (read) group="Administrators" || group="Auditors" || group="Certificate Manager Agents" || group="Registration Manager Agents" || group="Data Recovery Manager Agents" || group="Online Certificate Status Manager Agents";allow (modify) group="Administrators":Administrators, Agents, and auditors are allowed to read the log configuration but only administrators are allowed to modify +resourceACLS: certServer.log.configuration.fileName:read,modify:allow (read) group="Administrators" || group="Auditors" || group="Certificate Manager Agents" || group="Registration Manager Agents" || group="Data Recovery Manager Agents" || group="Online Certificate Status Manager Agents";deny (modify) user=anybody:Nobody is allowed to modify a fileName parameter +resourceACLS: certServer.log.configuration.signedAudit.expirationTime:read,modify:allow (read) group="Administrators" || group="Auditors" || group="Certificate Manager Agents" || group="Registration Manager Agents" || group="Data Recovery Manager Agents" || group="Online Certificate Status Manager Agents";deny (modify) user=anybody:Nobody is allowed to modify an expirationTime parameter +resourceACLS: certServer.log.content.signedAudit:read:deny (read) group="Administrators" || group="Certificate Manager Agents" || group="Registration Manager Agents" || group="Data Recovery Manager Agents" || group="Online Certificate Status Manager Agents":Only auditor is allowed to read the signed audit log +resourceACLS: certServer.log.content:read:allow (read) group="Administrators" || group="Certificate Manager Agents" || group="Registration Manager Agents" || group="Data Recovery Manager Agents" || group="Online Certificate Status Manager Agents" || group="Auditors":Administrators, auditors, and agents are allowed to read the log content +resourceACLS: certServer.auth.configuration:read,modify:allow (read) group="Administrators" || group="Certificate Manager Agents" || group="Registration Manager Agents" || group="Data Recovery Manager Agents" || group="Online Certificate Status Manager Agents" || group="Auditors";allow (modify) group="Administrators":Administrators, agents, and auditors are allowed to read authentication configuration but only administrators allowed to modify +resourceACLS: certServer.registry.configuration:read,modify:allow (read) group="Administrators" || group="Certificate Manager Agents" || group="Registration Manager Agents" || group="Data Recovery Manager Agents" || group="Online Certificate Status Manager Agents" || group="Auditors";allow (modify) group="Administrators":this acl is shared by all admin servlets +resourceACLS: certServer.job.configuration:read,modify:allow (read) group="Administrators" || group="Certificate Manager Agents" || group="Registration Manager Agents" || group="Data Recovery Manager Agents" || group="Online Certificate Status Manager Agents" || group="Auditors";allow (modify) group="Administrators":Administrators, agents, and auditors are allowed to read job configuration but only administrators allowed to modify +resourceACLS: certServer.kra.configuration:read,modify:allow (read) group="Administrators" || group="Auditors" || group="Certificate Manager Agents" || group="Registration Manager Agents" || group="Data Recovery Manager Agents" || group="Online Certificate Status Manager Agents";allow (modify) group="Administrators":Administrators, auditors, and agents are allowed to read DRM configuration but only administrators allowed to modify +resourceACLS: certServer.kra.key:read,recover,download:allow (read,recover,download) group="Data Recovery Manager Agents":Only data recovery manager agents retrieve key information +resourceACLS: certServer.kra.request:read:allow (read) group="Data Recovery Manager Agents":Data Recovery Manager Agents may read request +resourceACLS: certServer.kra.keys:list:allow (list) group="Data Recovery Manager Agents":Only data recovery manager agents list keys +resourceACLS: certServer.kra.requests:list:allow (list) group="Data Recovery Manager Agents":Only data recovery manager agents list key archival requests +resourceACLS: certServer.admin.certificate:import:allow (import) user="anybody":Any user may import a certificate +resourceACLS: certServer.admin.request.enrollment:submit,read,execute:allow (submit) user="anybody";allow (read,execute) group="Certificate Manager Agents":Anybody may submit an enrollment request, Certificate Manager Agents may read or execute request +resourceACLS: certServer.kra.connector:submit:allow (submit) group="Trusted Managers":Only Trusted Managers submit requests +resourceACLS: certServer.kra.systemstatus:read:allow (read) group="Data Recovery Manager Agents":Data Recovery Manager agents may view statistics +resourceACLS: certServer.kra.certificate.transport:read:allow (read) user="anybody":Anybody is allowed to read transport certificate +resourceACLS: certServer.kra.request.status:read:allow (read) group="Data Recovery Manager Agents":Only data recovery manager agents retrieve the remote key recovery approval status +resourceACLS: certServer.kra.group:read,modify:allow (modify,read) group="Administrators":Only administrators are allowed to read and modify groups +resourceACLS: certServer.kra.GenerateKeyPair:submit,read:allow (read,submit) group="Data Recovery Manager Agents":Only Data Recovery Manager Agents are allowed to submit requests +resourceACLS: certServer.kra.TokenKeyRecovery:submit,read:allow (read,submit) group="Data Recovery Manager Agents":Only Data Recovery Manager Agents are allowed to submit requests +resourceACLS: certServer.kra.registerUser:read,modify:allow (modify,read) group="Enterprise CA Administrators" || group="Enterprise KRA Administrators" || group="Enterprise OCSP Administrators" || group="Enterprise TKS Administrators" || group="Enterprise TPS Administrators":Only Enterprise Administrators are allowed to register a new agent +resourceACLS: certServer.kra.getTransportCert:read,modify:allow (modify,read) group="Enterprise CA Administrators" || group="Enterprise KRA Administrators" || group="Enterprise OCSP Administrators" || group="Enterprise TKS Administrators" || group="Enterprise TPS Administrators":Only Enterprise Administrators are allowed to retrieve the transport cert +resourceACLS: certServer.clone.configuration:read,modify:allow (modify,read) group="Enterprise CA Administrators" || group="Enterprise KRA Administrators" || group="Enterprise OCSP Administrators" || group="Enterprise TKS Administrators":Only Enterprise Administrators are allowed to clone the configuration. diff --git a/pki/base/kra/shared/conf/catalina.policy b/pki/base/kra/shared/conf/catalina.policy new file mode 100644 index 000000000..3447825b0 --- /dev/null +++ b/pki/base/kra/shared/conf/catalina.policy @@ -0,0 +1,172 @@ +// ============================================================================ +// catalina.corepolicy - Security Policy Permissions for Tomcat 5 +// +// This file contains a default set of security policies to be enforced (by the +// JVM) when Catalina is executed with the "-security" option. In addition +// to the permissions granted here, the following additional permissions are +// granted to the codebase specific to each web application: +// +// * Read access to the document root directory +// +// $Id: catalina.policy,v 1.13 2005/03/03 23:41:14 remm Exp $ +// ============================================================================ + + +// ========== SYSTEM CODE PERMISSIONS ========================================= + + +// These permissions apply to javac +grant codeBase "file:${java.home}/lib/-" { + permission java.security.AllPermission; +}; + +// These permissions apply to all shared system extensions +grant codeBase "file:${java.home}/jre/lib/ext/-" { + permission java.security.AllPermission; +}; + +// These permissions apply to javac when ${java.home] points at $JAVA_HOME/jre +grant codeBase "file:${java.home}/../lib/-" { + permission java.security.AllPermission; +}; + +// These permissions apply to all shared system extensions when +// ${java.home} points at $JAVA_HOME/jre +grant codeBase "file:${java.home}/lib/ext/-" { + permission java.security.AllPermission; +}; + + +// ========== CATALINA CODE PERMISSIONS ======================================= + + +// These permissions apply to the launcher code +grant codeBase "file:${catalina.home}/bin/commons-launcher.jar" { + permission java.security.AllPermission; +}; + +// These permissions apply to the daemon code +grant codeBase "file:${catalina.home}/bin/commons-daemon.jar" { + permission java.security.AllPermission; +}; + +// These permissions apply to the commons-logging API +grant codeBase "file:${catalina.home}/bin/commons-logging-api.jar" { + permission java.security.AllPermission; +}; + +// These permissions apply to the server startup code +grant codeBase "file:${catalina.home}/bin/bootstrap.jar" { + permission java.security.AllPermission; +}; + +// These permissions apply to the JMX server +grant codeBase "file:${catalina.home}/bin/jmx.jar" { + permission java.security.AllPermission; +}; + +// These permissions apply to JULI +grant codeBase "file:${catalina.home}/bin/tomcat-juli.jar" { + permission java.security.AllPermission; +}; + +// These permissions apply to the servlet API classes +// and those that are shared across all class loaders +// located in the "common" directory +grant codeBase "file:${catalina.home}/common/-" { + permission java.security.AllPermission; +}; + +// These permissions apply to the container's core code, plus any additional +// libraries installed in the "server" directory +grant codeBase "file:${catalina.home}/server/-" { + permission java.security.AllPermission; +}; + +// The permissions granted to the balancer WEB-INF/classes directory +grant codeBase "file:${catalina.home}/webapps/balancer/WEB-INF/classes/-" { + permission java.lang.RuntimePermission "accessClassInPackage.org.apache.tomcat.util.digester"; + permission java.lang.RuntimePermission "accessClassInPackage.org.apache.tomcat.util.digester.*"; +}; +// ========== WEB APPLICATION PERMISSIONS ===================================== + + +// These permissions are granted by default to all web applications +// In addition, a web application will be given a read FilePermission +// and JndiPermission for all files and directories in its document root. +grant { + // Required for JNDI lookup of named JDBC DataSource's and + // javamail named MimePart DataSource used to send mail + permission java.util.PropertyPermission "java.home", "read"; + permission java.util.PropertyPermission "java.naming.*", "read"; + permission java.util.PropertyPermission "javax.sql.*", "read"; + + // OS Specific properties to allow read access + permission java.util.PropertyPermission "os.name", "read"; + permission java.util.PropertyPermission "os.version", "read"; + permission java.util.PropertyPermission "os.arch", "read"; + permission java.util.PropertyPermission "file.separator", "read"; + permission java.util.PropertyPermission "path.separator", "read"; + permission java.util.PropertyPermission "line.separator", "read"; + + // JVM properties to allow read access + permission java.util.PropertyPermission "java.version", "read"; + permission java.util.PropertyPermission "java.vendor", "read"; + permission java.util.PropertyPermission "java.vendor.url", "read"; + permission java.util.PropertyPermission "java.class.version", "read"; + permission java.util.PropertyPermission "java.specification.version", "read"; + permission java.util.PropertyPermission "java.specification.vendor", "read"; + permission java.util.PropertyPermission "java.specification.name", "read"; + + permission java.util.PropertyPermission "java.vm.specification.version", "read"; + permission java.util.PropertyPermission "java.vm.specification.vendor", "read"; + permission java.util.PropertyPermission "java.vm.specification.name", "read"; + permission java.util.PropertyPermission "java.vm.version", "read"; + permission java.util.PropertyPermission "java.vm.vendor", "read"; + permission java.util.PropertyPermission "java.vm.name", "read"; + + // Required for OpenJMX + permission java.lang.RuntimePermission "getAttribute"; + + // Allow read of JAXP compliant XML parser debug + permission java.util.PropertyPermission "jaxp.debug", "read"; + + // Precompiled JSPs need access to this package. + permission java.lang.RuntimePermission "accessClassInPackage.org.apache.jasper.runtime"; + permission java.lang.RuntimePermission "accessClassInPackage.org.apache.jasper.runtime.*"; + +}; + + +// You can assign additional permissions to particular web applications by +// adding additional "grant" entries here, based on the code base for that +// application, /WEB-INF/classes/, or /WEB-INF/lib/ jar files. +// +// Different permissions can be granted to JSP pages, classes loaded from +// the /WEB-INF/classes/ directory, all jar files in the /WEB-INF/lib/ +// directory, or even to individual jar files in the /WEB-INF/lib/ directory. +// +// For instance, assume that the standard "examples" application +// included a JDBC driver that needed to establish a network connection to the +// corresponding database and used the scrape taglib to get the weather from +// the NOAA web server. You might create a "grant" entries like this: +// +// The permissions granted to the context root directory apply to JSP pages. +// grant codeBase "file:${catalina.home}/webapps/examples/-" { +// permission java.net.SocketPermission "dbhost.mycompany.com:5432", "connect"; +// permission java.net.SocketPermission "*.noaa.gov:80", "connect"; +// }; +// +// The permissions granted to the context WEB-INF/classes directory +// grant codeBase "file:${catalina.home}/webapps/examples/WEB-INF/classes/-" { +// }; +// +// The permission granted to your JDBC driver +// grant codeBase "jar:file:${catalina.home}/webapps/examples/WEB-INF/lib/driver.jar!/-" { +// permission java.net.SocketPermission "dbhost.mycompany.com:5432", "connect"; +// }; +// The permission granted to the scrape taglib +// grant codeBase "jar:file:${catalina.home}/webapps/examples/WEB-INF/lib/scrape.jar!/-" { +// permission java.net.SocketPermission "*.noaa.gov:80", "connect"; +// }; + diff --git a/pki/base/kra/shared/conf/catalina.properties b/pki/base/kra/shared/conf/catalina.properties new file mode 100644 index 000000000..86334d29f --- /dev/null +++ b/pki/base/kra/shared/conf/catalina.properties @@ -0,0 +1,64 @@ +# +# List of comma-separated packages that start with or equal this string +# will cause a security exception to be thrown when +# passed to checkPackageAccess unless the +# corresponding RuntimePermission ("accessClassInPackage."+package) has +# been granted. +package.access=sun.,org.apache.catalina.,org.apache.coyote.,org.apache.tomcat.,org.apache.jasper.,sun.beans. +# +# List of comma-separated packages that start with or equal this string +# will cause a security exception to be thrown when +# passed to checkPackageDefinition unless the +# corresponding RuntimePermission ("defineClassInPackage."+package) has +# been granted. +# +# by default, no packages are restricted for definition, and none of +# the class loaders supplied with the JDK call checkPackageDefinition. +# +package.definition=sun.,java.,org.apache.catalina.,org.apache.coyote.,org.apache.tomcat.,org.apache.jasper. + +# +# +# List of comma-separated paths defining the contents of the "common" +# classloader. Prefixes should be used to define what is the repository type. +# Path may be relative to the CATALINA_HOME or CATALINA_BASE path or absolute. +# If left as blank,the JVM system loader will be used as Catalina's "common" +# loader. +# Examples: +# "foo": Add this folder as a class repository +# "foo/*.jar": Add all the JARs of the specified folder as class +# repositories +# "foo/bar.jar": Add bar.jar as a class repository +common.loader=${catalina.home}/common/classes,${catalina.home}/common/i18n/*.jar,${catalina.home}/common/endorsed/*.jar,${catalina.home}/common/lib/*.jar + +# +# List of comma-separated paths defining the contents of the "server" +# classloader. Prefixes should be used to define what is the repository type. +# Path may be relative to the CATALINA_HOME or CATALINA_BASE path or absolute. +# If left as blank, the "common" loader will be used as Catalina's "server" +# loader. +# Examples: +# "foo": Add this folder as a class repository +# "foo/*.jar": Add all the JARs of the specified folder as class +# repositories +# "foo/bar.jar": Add bar.jar as a class repository +server.loader=${catalina.home}/server/classes,${catalina.home}/server/lib/*.jar + +# +# List of comma-separated paths defining the contents of the "shared" +# classloader. Prefixes should be used to define what is the repository type. +# Path may be relative to the CATALINA_BASE path or absolute. If left as blank, +# the "common" loader will be used as Catalina's "shared" loader. +# Examples: +# "foo": Add this folder as a class repository +# "foo/*.jar": Add all the JARs of the specified folder as class +# repositories +# "foo/bar.jar": Add bar.jar as a class repository +shared.loader=${catalina.base}/shared/classes,${catalina.base}/shared/lib/*.jar + +# +# String cache configuration. +tomcat.util.buf.StringCache.byte.enabled=true +#tomcat.util.buf.StringCache.char.enabled=true +#tomcat.util.buf.StringCache.trainThreshold=500000 +#tomcat.util.buf.StringCache.cacheSize=5000 diff --git a/pki/base/kra/shared/conf/context.xml b/pki/base/kra/shared/conf/context.xml new file mode 100644 index 000000000..4998ad27d --- /dev/null +++ b/pki/base/kra/shared/conf/context.xml @@ -0,0 +1,12 @@ +<!-- The contents of this file will be loaded for each web application --> +<Context crossContext="true"> + + <!-- Default set of monitored resources --> + <WatchedResource>WEB-INF/web.xml</WatchedResource> + + <!-- Uncomment this to disable session persistence across Tomcat restarts --> + <!-- + <Manager pathname="" /> + --> + +</Context> diff --git a/pki/base/kra/shared/conf/database.ldif b/pki/base/kra/shared/conf/database.ldif new file mode 100644 index 000000000..99cdf6b79 --- /dev/null +++ b/pki/base/kra/shared/conf/database.ldif @@ -0,0 +1,4 @@ +dn: cn=config +changetype: modify +replace: nsslapd-maxbersize +nsslapd-maxbersize: 52428800 diff --git a/pki/base/kra/shared/conf/db.ldif b/pki/base/kra/shared/conf/db.ldif new file mode 100644 index 000000000..813fc90d1 --- /dev/null +++ b/pki/base/kra/shared/conf/db.ldif @@ -0,0 +1,79 @@ +dn: ou=people,{rootSuffix} +objectClass: top +objectClass: organizationalUnit +ou: people +aci: (targetattr!="userPassword")(version 3.0; acl "Enable anonymous access"; allow (read, search, compare)userdn="ldap:///anyone";) + +dn: ou=groups,{rootSuffix} +objectClass: top +objectClass: organizationalUnit +ou: groups + +dn: cn=Data Recovery Manager Agents,ou=groups,{rootSuffix} +objectClass: top +objectClass: groupOfUniqueNames +cn: Data Recovery Manager Agents +description: Agents for Data Recovery Manager + +dn: cn=Subsystem Group, ou=groups, {rootSuffix} +objectClass: top +objectClass: groupOfUniqueNames +cn: Subsystem Group +description: Subsystem Group + +dn: cn=Trusted Managers,ou=groups,{rootSuffix} +objectClass: top +objectClass: groupOfUniqueNames +cn: Trusted Managers +description: Managers trusted by this PKI instance + +dn: cn=Administrators,ou=groups,{rootSuffix} +objectClass: top +objectClass: groupOfUniqueNames +cn: Administrators +description: People who manage the Fedora Certificate System + +dn: cn=Auditors,ou=groups,{rootSuffix} +objectClass: top +objectClass: groupOfUniqueNames +cn: Auditors +description: People who can read the signed audits + +dn: cn=ClonedSubsystems,ou=groups,{rootSuffix} +objectClass: top +objectClass: groupOfUniqueNames +cn: ClonedSubsystems +description: People who can clone the master subsystem + +dn: ou=requests,{rootSuffix} +objectClass: top +objectClass: organizationalUnit +ou: requests + +dn: cn=crossCerts,{rootSuffix} +cn: crossCerts +sn: crossCerts +objectClass: top +objectClass: person +objectClass: certificationAuthority +cACertificate;binary: +authorityRevocationList;binary: +certificateRevocationList;binary: +crossCertificatePair;binary: + +dn: ou=kra, {rootSuffix} +objectclass: top +objectclass: organizationalUnit +ou: kra + +dn: ou=keyRepository, ou=kra, {rootSuffix} +objectclass: top +objectclass: repository +ou: keyRepository +serialno: 010 + +dn: ou=kra, ou=requests, {rootSuffix} +objectclass: top +objectclass: repository +ou: kra +serialno: 010 diff --git a/pki/base/kra/shared/conf/dtomcat5 b/pki/base/kra/shared/conf/dtomcat5 new file mode 100755 index 000000000..ba9a5dca8 --- /dev/null +++ b/pki/base/kra/shared/conf/dtomcat5 @@ -0,0 +1,448 @@ +#!/bin/bash +# +# --- BEGIN COPYRIGHT BLOCK --- +# Copyright (C) 2006 Red Hat, Inc. +# All rights reserved. +# --- END COPYRIGHT BLOCK --- +# +# ----------------------------------------------------------------------------- +# Start/Stop Script for the CATALINA Server +# +# Environment Variable Prequisites +# +# CATALINA_HOME May point at your Catalina "build" directory. +# +# CATALINA_BASE (Optional) Base directory for resolving dynamic portions +# of a Catalina installation. If not present, resolves to +# the same directory that CATALINA_HOME points to. +# +# CATALINA_OPTS (Optional) Java runtime options used when the "start", +# "stop", or "run" command is executed. +# +# CATALINA_TMPDIR (Optional) Directory path location of temporary directory +# the JVM should use (java.io.tmpdir). Defaults to +# $CATALINA_BASE/temp. +# +# JAVA_HOME Must point at your Java Development Kit installation. +# Required to run the with the "debug" or "javac" argument. +# +# JRE_HOME Must point at your Java Development Kit installation. +# Defaults to JAVA_HOME if empty. +# +# JAVA_OPTS (Optional) Java runtime options used when the "start", +# "stop", or "run" command is executed. +# +# JPDA_TRANSPORT (Optional) JPDA transport used when the "jpda start" +# command is executed. The default is "dt_socket". +# +# JPDA_ADDRESS (Optional) Java runtime options used when the "jpda start" +# command is executed. The default is 8000. +# +# JSSE_HOME (Optional) May point at your Java Secure Sockets Extension +# (JSSE) installation, whose JAR files will be added to the +# system class path used to start Tomcat. +# +# CATALINA_PID (Optional) Path of the file which should contains the pid +# of catalina startup java process, when start (fork) is used +# +# $Id: catalina.sh,v 1.19 2005/03/03 15:13:39 remm Exp $ +# ----------------------------------------------------------------------------- + +# Disallow 'others' the ability to 'write' to new files +umask 00002 + +# Check to insure that this script's original invocation directory +# has not been deleted! +CWD=`/bin/pwd > /dev/null 2>&1` +if [ $? -ne 0 ] ; then + echo "Cannot invoke '$0' from non-existent directory!" + exit 255 +fi + +# Check to insure that at least one PKI subsystem +# currently resides on this system. +if [ ! -x /usr/bin/pkiarch ] || + [ ! -x /usr/bin/pkiflavor ] || + [ ! -x /usr/bin/pkiname ]; then + echo "This machine is missing all PKI subsystems!" + exit 255 +fi + +# Check to insure that this script's associated PKI +# subsystem currently resides on this system. +PKI_SUBSYSTEM_TYPE=[PKI_SUBSYSTEM_TYPE] +if [ ! -d /usr/share/`pkiflavor`/${PKI_SUBSYSTEM_TYPE} ] ; then + echo "This machine is missing the '${PKI_SUBSYSTEM_TYPE}' subsystem!" + exit 255 +fi + +# OS specific support. $var _must_ be set to either true or false. +OS=`pkiname` +cygwin=false +os400=false +case "${OS}" in +CYGWIN*) cygwin=true;; +OS400*) os400=true;; +esac + +TOMCAT_CFG=[PKI_INSTANCE_PATH]/conf/tomcat5.conf +JAVADIR="/usr/share/java" + +# resolve links - $0 may be a softlink +PRG="$0" + +while [ -h "$PRG" ]; do + ls=`ls -ld "$PRG"` + link=`expr "$ls" : '.*-> \(.*\)$'` + if expr "$link" : '.*/.*' > /dev/null; then + PRG="$link" + else + PRG=`dirname "$PRG"`/"$link" + fi +done + +# Get standard environment variables +PRGDIR=`dirname "$PRG"` + +# Only set CATALINA_HOME if not already set +[ -z "$CATALINA_HOME" ] && CATALINA_HOME=`cd "$PRGDIR/.." ; pwd` + +if [ -r "$CATALINA_HOME"/bin/setenv.sh ]; then + . "$CATALINA_HOME"/bin/setenv.sh +fi + +# For Cygwin, ensure paths are in UNIX format before anything is touched +if $cygwin; then + [ -n "$JAVA_HOME" ] && JAVA_HOME=`cygpath --unix "$JAVA_HOME"` + [ -n "$JRE_HOME" ] && JRE_HOME=`cygpath --unix "$JRE_HOME"` + [ -n "$CATALINA_HOME" ] && CATALINA_HOME=`cygpath --unix "$CATALINA_HOME"` + [ -n "$CATALINA_BASE" ] && CATALINA_BASE=`cygpath --unix "$CATALINA_BASE"` + [ -n "$CLASSPATH" ] && CLASSPATH=`cygpath --path --unix "$CLASSPATH"` + [ -n "$JSSE_HOME" ] && JSSE_HOME=`cygpath --absolute --unix "$JSSE_HOME"` +fi + +# For OS400 +if $os400; then + # Set job priority to standard for interactive (interactive - 6) by using + # the interactive priority - 6, the helper threads that respond to requests + # will be running at the same priority as interactive jobs. + COMMAND='chgjob job('$JOBNAME') runpty(6)' + system $COMMAND + + # Enable multi threading + export QIBM_MULTI_THREADED=Y +fi + +[ -r "$TOMCAT_CFG" ] && . "${TOMCAT_CFG}" + +### Set up defaults if they were omitted in TOMCAT_CFG +### JVM lookup +if [ -z "$JAVA_HOME" ]; then + # Search for java in PATH + JAVA=`which java` + if [ -z "$JAVA" ] ; then + JAVA_BINDIR=`dirname ${JAVA}` + JAVA_HOME="${JAVA_BINDIR}/.." + fi + # Default clean JAVA_HOME + [ -z "$JAVA_HOME" -a -d "/usr/lib/java" ] && JAVA_HOME="/usr/lib/java" + # Default IBM JAVA_HOME + [ -z "$JAVA_HOME" -a -d "/opt/IBMJava2-13" ] && \ + JAVA_HOME="/opt/IBMJava2-13" + [ -z "$JAVA_HOME" -a -d "/opt/IBMJava2-131" ] && \ + JAVA_HOME="/opt/IBMJava2-131" + [ -z "$JAVA_HOME" -a -d "/opt/IBMJava2-14" ] && \ + JAVA_HOME="/opt/IBMJava2-14" + [ -z "$JAVA_HOME" -a -d "/opt/IBMJava2-141" ] && \ + JAVA_HOME="/opt/IBMJava2-141" + # Another solution + [ -z "$JAVA_HOME" -a -d "/usr/java/jdk" ] && \ + JAVA_HOME="/usr/java/jdk" + # madeinlinux JAVA_HOME + [ -z "$JAVA_HOME" -a -d "/usr/local/jdk1.2.2" ] && \ + JAVA_HOME="/usr/local/jdk1.2.2" + # Kondara JAVA_HOME + [ -z "$JAVA_HOME" -a -d "/usr/lib/java/jdk1.2.2" ] && \ + JAVA_HOME="/usr/lib/java/jdk1.2.2" + # Other commonly found JAVA_HOMEs + [ -z "$JAVA_HOME" -a -d "/usr/jdk1.2" ] && JAVA_HOME="/usr/jdk1.2" + # Default Caldera JAVA_HOME + [ -z "$JAVA_HOME" -a -d "/opt/java-1.3" ] && \ + JAVA_HOME="/opt/java-1.3" + # Add other locations here + if [ -z "$JAVA_HOME" ]; then + echo "No JAVA_HOME specified in ${TOMCAT_CFG} and no java found" + exit 1 + else + echo "Found JAVA_HOME: ${JAVA_HOME}" + echo "Please complete your ${TOMCAT_CFG} so we won't have to look for it next time" + fi +fi + +# Set juli LogManager if it is present +if [ -r "$CATALINA_HOME"/bin/tomcat-juli.jar ]; then + JAVA_OPTS="$JAVA_OPTS "-Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager +fi + +# Set standard commands for invoking Java. +_RUNJAVA="$JAVA_HOME"/bin/java +_RUNJAVAC="$JAVA_HOME"/bin/javac +_RUNJDB="$JAVA_HOME"/bin/jdb + +# Set standard CLASSPATH +# (always inherit any preset values from the PKI start script) +if [ ${OS} = "Linux" ] ; then + # Checking for IcedTea JVM + ICEDTEA_JVM="`java -version 2>&1 | tail -1 | awk '{print $1};'`" + if [ "${ICEDTEA_JVM}" = "IcedTea" ]; then + # using OpenJDK + CLASSPATH="$CLASSPATH":"$JAVA_HOME"/lib/rt.jar + + # add required classes to the CLASSPATH for OpenJDK + CLASSPATH="$CLASSPATH":"$JAVADIR"/commons-collections.jar + else + # NOT using OpenJDK + CLASSPATH="$CLASSPATH":"$JAVA_HOME"/lib/tools.jar + fi +elif [ ${OS} = "SunOS" ] ; then + CLASSPATH="$CLASSPATH":"$JAVA_HOME"/lib/rt.jar +fi + +# Add on extra jar files to CLASSPATH +if [ -n "$JSSE_HOME" ]; then + CLASSPATH="$CLASSPATH":"$JSSE_HOME"/lib/jcert.jar:"$JSSE_HOME"/lib/jnet.jar:"$JSSE_HOME"/lib/jsse.jar +fi + +# JPackage JSSE location check +if [ -r "$JAVADIR/jsse/jcert.jar" ]; then + CLASSPATH="$CLASSPATH":"$JAVADIR"/jsse/jcert.jar:"$JAVADIR"/jsse/jnet.jar:"$JAVADIR"/jsse/jsse.jar +fi + +if [ ${OS} = "Linux" ] ; then + CLASSPATH="$CLASSPATH":"$CATALINA_HOME"/bin/bootstrap.jar:"$CATALINA_HOME"/bin/commons-logging-api.jar:`/usr/bin/build-classpath mx4j/mx4j-impl`:`/usr/bin/build-classpath mx4j/mx4j-jmx` +elif [ ${OS} = "SunOS" ] ; then + # The following definitions are provided for Solaris + # platforms since they are unable to execute the + # "/usr/bin/build-classpath" and + # "/usr/share/java-utils/java-functions" files . . . + + CLASSPATH="$CLASSPATH":"$CATALINA_HOME"/bin/bootstrap.jar + CLASSPATH="$CLASSPATH":"$CATALINA_HOME"/bin/commons-logging-api.jar + CLASSPATH="$CLASSPATH":/usr/share/java/mx4j/mx4j-impl.jar + CLASSPATH="$CLASSPATH":/usr/share/java/mx4j/mx4j-jmx.jar + CLASSPATH="$CLASSPATH":/usr/share/java/`pkiflavor`/base.jar + CLASSPATH="$CLASSPATH":/usr/share/java/`pkiflavor`/certsrv.jar + CLASSPATH="$CLASSPATH":/usr/share/java/`pkiflavor`/cms.jar + CLASSPATH="$CLASSPATH":/usr/share/java/`pkiflavor`/cms72.jar + CLASSPATH="$CLASSPATH":/usr/share/java/`pkiflavor`/cms72_en.jar + CLASSPATH="$CLASSPATH":/usr/share/java/`pkiflavor`/cmsbundle.jar + CLASSPATH="$CLASSPATH":/usr/share/java/`pkiflavor`/cmscore.jar + CLASSPATH="$CLASSPATH":/usr/share/java/`pkiflavor`/cmsutil.jar + CLASSPATH="$CLASSPATH":/usr/share/java/`pkiflavor`/cstools.jar + CLASSPATH="$CLASSPATH":/usr/share/java/`pkiflavor`/mcc70.jar + CLASSPATH="$CLASSPATH":/usr/share/java/`pkiflavor`/mcc70_en.jar + CLASSPATH="$CLASSPATH":/usr/share/java/`pkiflavor`/nmclf70.jar + CLASSPATH="$CLASSPATH":/usr/share/java/`pkiflavor`/nmclf70_en.jar + CLASSPATH="$CLASSPATH":/usr/share/java/`pkiflavor`/nsutil.jar + + if [ -d /usr/share/java/`pkiflavor`/ca ]; then + CLASSPATH="$CLASSPATH":/usr/share/java/`pkiflavor`/ca/ca.jar + fi + if [ -d /usr/share/java/`pkiflavor`/kra ]; then + CLASSPATH="$CLASSPATH":/usr/share/java/`pkiflavor`/kra/kra.jar + fi + if [ -d /usr/share/java/`pkiflavor`/ocsp ]; then + CLASSPATH="$CLASSPATH":/usr/share/java/`pkiflavor`/ocsp/ocsp.jar + fi + if [ -d /usr/share/java/`pkiflavor`/tks ]; then + CLASSPATH="$CLASSPATH":/usr/share/java/`pkiflavor`/tks/tks.jar + fi +fi + +if [ -z "$CATALINA_BASE" ] ; then + CATALINA_BASE="$CATALINA_HOME" +fi + +if [ -z "$CATALINA_TMPDIR" ] ; then + # Define the java.io.tmpdir to use for Catalina + CATALINA_TMPDIR="$CATALINA_BASE"/temp +fi + +if [ -z "$CATALINA_PID" ] ; then + export CATALINA_PID=/var/run/tomcat5.pid +fi + +# For Cygwin, switch paths to Windows format before running java +if $cygwin; then + JAVA_HOME=`cygpath --absolute --windows "$JAVA_HOME"` + JRE_HOME=`cygpath --absolute --windows "$JRE_HOME"` + CATALINA_HOME=`cygpath --absolute --windows "$CATALINA_HOME"` + CATALINA_BASE=`cygpath --absolute --windows "$CATALINA_BASE"` + CATALINA_TMPDIR=`cygpath --absolute --windows "$CATALINA_TMPDIR"` + CLASSPATH=`cygpath --path --windows "$CLASSPATH"` + [ -n "$JSSE_HOME" ] && JSSE_HOME=`cygpath --absolute --windows "$JSSE_HOME"` + JAVA_ENDORSED_DIRS=`cygpath --path --windows "$JAVA_ENDORSED_DIRS"` +fi + +# ----- Execute The Requested Command ----------------------------------------- +echo "Using CATALINA_PID $CATALINA_PID" +echo "Using CATALINA_BASE: $CATALINA_BASE" +echo "Using CATALINA_HOME: $CATALINA_HOME" +echo "Using CATALINA_TMPDIR: $CATALINA_TMPDIR" +if [ "$1" = "debug" -o "$1" = "javac" ] ; then + echo "Using JAVA_HOME: $JAVA_HOME" +else + echo "Using JRE_HOME: $JRE_HOME" +fi + +if [ "$1" = "jpda" ] ; then + if [ -z "$JPDA_TRANSPORT" ]; then + JPDA_TRANSPORT="dt_socket" + fi + if [ -z "$JPDA_ADDRESS" ]; then + JPDA_ADDRESS="8000" + fi + if [ -z "$JPDA_OPTS" ]; then + JPDA_OPTS="-Xdebug -Xrunjdwp:transport=$JPDA_TRANSPORT,address=$JPDA_ADDRESS,server=y,suspend=n" + fi + CATALINA_OPTS="$CATALINA_OPTS $JPDA_OPTS" + shift +fi + +if [ "$1" = "debug" ] ; then + if $os400; then + echo "Debug command not available on OS400" + exit 1 + else + shift + if [ "$1" = "-security" ] ; then + echo "Using Security Manager" + shift + exec "$_RUNJDB" $JAVA_OPTS $CATALINA_OPTS \ + -Djava.endorsed.dirs="$JAVA_ENDORSED_DIRS" -classpath "$CLASSPATH" \ + -sourcepath "$CATALINA_HOME"/../../jakarta-tomcat-catalina/catalina/src/share \ + -Djava.security.manager \ + -Djava.security.policy=="$CATALINA_BASE"/conf/catalina.policy \ + -Dcatalina.base="$CATALINA_BASE" \ + -Dcatalina.home="$CATALINA_HOME" \ + -Djava.io.tmpdir="$CATALINA_TMPDIR" \ + org.apache.catalina.startup.Bootstrap "$@" start + else + exec "$_RUNJDB" $JAVA_OPTS $CATALINA_OPTS \ + -Djava.endorsed.dirs="$JAVA_ENDORSED_DIRS" -classpath "$CLASSPATH" \ + -sourcepath "$CATALINA_HOME"/../../jakarta-tomcat-catalina/catalina/src/share \ + -Dcatalina.base="$CATALINA_BASE" \ + -Dcatalina.home="$CATALINA_HOME" \ + -Djava.io.tmpdir="$CATALINA_TMPDIR" \ + org.apache.catalina.startup.Bootstrap "$@" start + fi + fi + +elif [ "$1" = "run" ]; then + + shift + if [ "$1" = "-security" ] ; then + echo "Using Security Manager" + shift + exec "$_RUNJAVA" $JAVA_OPTS $CATALINA_OPTS \ + -Djava.endorsed.dirs="$JAVA_ENDORSED_DIRS" -classpath "$CLASSPATH" \ + -Djava.security.manager \ + -Djava.security.policy=="$CATALINA_BASE"/conf/catalina.policy \ + -Dcatalina.base="$CATALINA_BASE" \ + -Dcatalina.home="$CATALINA_HOME" \ + -Djava.io.tmpdir="$CATALINA_TMPDIR" \ + org.apache.catalina.startup.Bootstrap "$@" start + else + exec "$_RUNJAVA" $JAVA_OPTS $CATALINA_OPTS \ + -Djava.endorsed.dirs="$JAVA_ENDORSED_DIRS" -classpath "$CLASSPATH" \ + -Dcatalina.base="$CATALINA_BASE" \ + -Dcatalina.home="$CATALINA_HOME" \ + -Djava.io.tmpdir="$CATALINA_TMPDIR" \ + org.apache.catalina.startup.Bootstrap "$@" start + fi + +elif [ "$1" = "start" ] ; then + + shift + touch "$CATALINA_BASE"/logs/catalina.out + if [ "$1" = "-security" ] ; then + echo "Using Security Manager" + shift + "$_RUNJAVA" $JAVA_OPTS $CATALINA_OPTS \ + -Djava.endorsed.dirs="$JAVA_ENDORSED_DIRS" -classpath "$CLASSPATH" \ + -Djava.security.manager \ + -Djava.security.policy=="$CATALINA_BASE"/conf/catalina.policy \ + -Dcatalina.base="$CATALINA_BASE" \ + -Dcatalina.home="$CATALINA_HOME" \ + -Djava.io.tmpdir="$CATALINA_TMPDIR" \ + org.apache.catalina.startup.Bootstrap "$@" start \ + >> "$CATALINA_BASE"/logs/catalina.out 2>&1 & + + if [ ! -z "$CATALINA_PID" ]; then + echo $! > $CATALINA_PID + fi + else + "$_RUNJAVA" $JAVA_OPTS $CATALINA_OPTS \ + -Djava.endorsed.dirs="$JAVA_ENDORSED_DIRS" -classpath "$CLASSPATH" \ + -Dcatalina.base="$CATALINA_BASE" \ + -Dcatalina.home="$CATALINA_HOME" \ + -Djava.io.tmpdir="$CATALINA_TMPDIR" \ + org.apache.catalina.startup.Bootstrap "$@" start \ + >> "$CATALINA_BASE"/logs/catalina.out 2>&1 & + + if [ ! -z "$CATALINA_PID" ]; then + echo $! > $CATALINA_PID + fi + fi + +elif [ "$1" = "stop" ] ; then + + shift + FORCE=0 + if [ "$1" = "-force" ]; then + shift + FORCE=1 + fi + + "$_RUNJAVA" $JAVA_OPTS $CATALINA_OPTS \ + -Djava.endorsed.dirs="$JAVA_ENDORSED_DIRS" -classpath "$CLASSPATH" \ + -Dcatalina.base="$CATALINA_BASE" \ + -Dcatalina.home="$CATALINA_HOME" \ + -Djava.io.tmpdir="$CATALINA_TMPDIR" \ + org.apache.catalina.startup.Bootstrap "$@" stop + + if [ $FORCE -eq 1 ]; then + if [ ! -z "$CATALINA_PID" ]; then + echo "Killing: `cat $CATALINA_PID`" + kill -9 `cat $CATALINA_PID` + fi + fi + +elif [ "$1" = "version" ] ; then + + "$_RUNJAVA" \ + -classpath "$CATALINA_HOME/server/lib/catalina.jar" \ + org.apache.catalina.util.ServerInfo + +else + + echo "Usage: dtomcat5 ( commands ... )" + echo "commands:" + if $os400; then + echo " debug Start Catalina in a debugger (not available on OS400)" + echo " debug -security Debug Catalina with a security manager (not available on OS400)" + else + echo " debug Start Catalina in a debugger" + echo " debug -security Debug Catalina with a security manager" + fi + echo " jpda start Start Catalina under JPDA debugger" + echo " run Start Catalina in the current window" + echo " run -security Start in the current window with security manager" + echo " start Start Catalina in a separate window" + echo " start -security Start in a separate window with security manager" + echo " stop Stop Catalina" + echo " stop -force Stop Catalina (followed by kill -KILL)" + echo " version What version of tomcat are you running?" + exit 1 + +fi diff --git a/pki/base/kra/shared/conf/index.ldif b/pki/base/kra/shared/conf/index.ldif new file mode 100644 index 000000000..c1eecc19d --- /dev/null +++ b/pki/base/kra/shared/conf/index.ldif @@ -0,0 +1,177 @@ +dn: cn=revokedby,cn=index,cn={database},cn=ldbm database, cn=plugins, cn=config +objectClass: top +objectClass: nsIndex +nsIndexType: eq +nsSystemIndex: false +cn: revokedby + +dn: cn=issuedby,cn=index,cn={database},cn=ldbm database, cn=plugins, cn=config +objectClass: top +objectClass: nsIndex +nsIndexType: eq +nsSystemIndex: false +cn: issuedby + +dn: cn=publicKeyData,cn=index,cn={database},cn=ldbm database, cn=plugins, cn=config +objectClass: top +objectClass: nsIndex +nsIndexType: eq +nsSystemIndex: false +cn: publicKeyData + +dn: cn=description,cn=index,cn={database},cn=ldbm database, cn=plugins, cn=config +objectClass: top +objectClass: nsIndex +nsIndexType: eq +nsIndexType: pres +nsSystemIndex: false +cn: description + +dn: cn=serialno,cn=index,cn={database},cn=ldbm database, cn=plugins, cn=config +objectClass: top +objectClass: nsIndex +nsIndexType: eq +nsIndexType: pres +nsSystemIndex: false +cn: serialno + +dn: cn=metaInfo,cn=index,cn={database},cn=ldbm database, cn=plugins, cn=config +objectClass: top +objectClass: nsIndex +nsIndexType: eq +nsIndexType: pres +nsSystemIndex: false +cn: metaInfo + +dn: cn=certstatus,cn=index,cn={database},cn=ldbm database, cn=plugins, cn=config +objectClass: top +objectClass: nsIndex +nsIndexType: eq +nsIndexType: pres +nsSystemIndex: false +cn: certstatus + +dn: cn=requestid,cn=index,cn={database},cn=ldbm database, cn=plugins, cn=config +objectClass: top +objectClass: nsIndex +nsIndexType: eq +nsIndexType: pres +nsSystemIndex: false +cn: requestid + +dn: cn=requesttype,cn=index,cn={database},cn=ldbm database, cn=plugins, cn=config +objectClass: top +objectClass: nsIndex +nsIndexType: eq +nsIndexType: pres +nsSystemIndex: false +cn: requesttype + +dn: cn=requeststate,cn=index,cn={database},cn=ldbm database, cn=plugins, cn=config +objectClass: top +objectClass: nsIndex +nsIndexType: eq +nsIndexType: pres +nsSystemIndex: false +cn: requeststate + +dn: cn=requestowner,cn=index,cn={database},cn=ldbm database, cn=plugins, cn=config +objectClass: top +objectClass: nsIndex +nsIndexType: eq +nsIndexType: pres +nsSystemIndex: false +cn: requestowner + +dn: cn=notbefore,cn=index,cn={database},cn=ldbm database, cn=plugins, cn=config +objectClass: top +objectClass: nsIndex +nsIndexType: eq +nsIndexType: pres +nsSystemIndex: false +cn: notbefore + +dn: cn=notafter,cn=index,cn={database},cn=ldbm database, cn=plugins, cn=config +objectClass: top +objectClass: nsIndex +nsIndexType: eq +nsIndexType: pres +nsSystemIndex: false +cn: notafter + +dn: cn=duration,cn=index,cn={database},cn=ldbm database, cn=plugins, cn=config +objectClass: top +objectClass: nsIndex +nsIndexType: eq +nsIndexType: pres +nsSystemIndex: false +cn: duration + +dn: cn=dateOfCreate,cn=index,cn={database},cn=ldbm database, cn=plugins, cn=config +objectClass: top +objectClass: nsIndex +nsIndexType: eq +nsIndexType: pres +nsSystemIndex: false +cn: dateOfCreate + +dn: cn=revokedOn,cn=index,cn={database},cn=ldbm database, cn=plugins, cn=config +objectClass: top +objectClass: nsIndex +nsIndexType: eq +nsIndexType: pres +nsSystemIndex: false +cn: revokedOn + +dn: cn=archivedBy,cn=index,cn={database},cn=ldbm database, cn=plugins, cn=config +objectClass: top +objectClass: nsIndex +nsIndexType: eq +nsIndexType: pres +nsSystemIndex: false +cn: archivedBy + +dn: cn=ownername,cn=index,cn={database},cn=ldbm database, cn=plugins, cn=config +objectClass: top +objectClass: nsIndex +nsIndexType: eq +nsIndexType: pres +nsIndexType: sub +nsSystemIndex: false +cn: ownername + +dn: cn=subjectname,cn=index,cn={database},cn=ldbm database, cn=plugins, cn=config +objectClass: top +objectClass: nsIndex +nsIndexType: eq +nsIndexType: pres +nsIndexType: sub +nsSystemIndex: false +cn: subjectname + +dn: cn=requestsourceid,cn=index,cn={database},cn=ldbm database, cn=plugins, cn=config +objectClass: top +objectClass: nsIndex +nsIndexType: eq +nsIndexType: pres +nsIndexType: sub +nsSystemIndex: false +cn: requestsourceid + +dn: cn=revInfo,cn=index,cn={database},cn=ldbm database, cn=plugins, cn=config +objectClass: top +objectClass: nsIndex +nsIndexType: eq +nsIndexType: pres +nsIndexType: sub +nsSystemIndex: false +cn: revInfo + +dn: cn=extension,cn=index,cn={database},cn=ldbm database, cn=plugins, cn=config +objectClass: top +objectClass: nsIndex +nsIndexType: eq +nsIndexType: pres +nsIndexType: sub +nsSystemIndex: false +cn: extension diff --git a/pki/base/kra/shared/conf/jk2.manifest b/pki/base/kra/shared/conf/jk2.manifest new file mode 100644 index 000000000..986d7b874 --- /dev/null +++ b/pki/base/kra/shared/conf/jk2.manifest @@ -0,0 +1,2 @@ +Main-Class: org.apache.jk.apr.TomcatStarter +Class-Path: ../lib/tomcat.jar log4j.jar log4j-core.jar ../lib/common/log4j.jar ../lib/common/log4j-core.jar ../lib/common/classes ../lib/common/commons-logging.jar bootstrap.jar ../server/lib/commons-logging.jar ../server/lib/jmx.jar jmx.jar commons-logging-api.jar diff --git a/pki/base/kra/shared/conf/jk2.properties b/pki/base/kra/shared/conf/jk2.properties new file mode 100644 index 000000000..093bae802 --- /dev/null +++ b/pki/base/kra/shared/conf/jk2.properties @@ -0,0 +1,26 @@ +## THIS FILE MAY BE OVERRIDEN AT RUNTIME. MAKE SURE TOMCAT IS STOPED +## WHEN YOU EDIT THE FILE. + +## COMMENTS WILL BE _LOST_ + +## DOCUMENTATION OF THE FORMAT IN JkMain javadoc. + +# Set the desired handler list +# handler.list=apr,request,channelJni +# +# Override the default port for the socketChannel +# channelSocket.port=8019 +# Default: +# channelUnix.file=${jkHome}/work/jk2.socket +# Just to check if the the config is working +# shm.file=${jkHome}/work/jk2.shm + +# In order to enable jni use any channelJni directive +# channelJni.disabled = 0 +# And one of the following directives: + +# apr.jniModeSo=/opt/apache2/modules/mod_jk2.so + +# If set to inprocess the mod_jk2 will Register natives itself +# This will enable the starting of the Tomcat from mod_jk2 +# apr.jniModeSo=inprocess diff --git a/pki/base/kra/shared/conf/jkconf.ant.xml b/pki/base/kra/shared/conf/jkconf.ant.xml new file mode 100644 index 000000000..245cf98e2 --- /dev/null +++ b/pki/base/kra/shared/conf/jkconf.ant.xml @@ -0,0 +1,51 @@ +<project name="jkconf" default="main" basedir="."> + + <target name="init-3x" if="33.detect"> + <taskdef name="jkconf" + classname="org.apache.jk.config.WebXml2Jk" > + <classpath> + <!-- 3.3 support --> + <pathelement location="/ws/jtc/jk/build/classes" /> + <pathelement location="${tomcat.home}/lib/container/tomcat-jk2.jar" /> + <pathelement location="${tomcat.home}/lib/container/crimson.jar"/> + <pathelement location="${tomcat.home}/lib/common/commons-logging.jar"/> + </classpath> + </taskdef> + </target> + + <target name="init-4x" if="4x.detect" > + <path id="main.classpath"> + <!-- 3.3 support --> + <fileset dir="${tomcat.home}/lib" includes="*.jar" /> + <fileset dir="${tomcat.home}/server/lib" includes="*.jar" /> + <fileset dir="${tomcat.home}/common/lib" includes="*.jar" /> + </path> + + <taskdef name="jkconf" classpathref="main.classpath" + classname="org.apache.jk.config.WebXml2Jk" /> + </target> + + <target name="detect" > + <property file="build.properties"/> + <property file="${user.home}/build.properties"/> + <property file="${user.home}/.build.properties"/> + + <!-- default locations, overrident by properties. + This file must be installed in conf/ --> + <property name="tomcat.home" location=".." /> + + <available property="33.detect" file="${tomcat.home}/lib/container" /> + <available property="4x.detect" file="${tomcat.home}/server/lib" /> + </target> + + <target name="init" depends="detect,init-3x,init-4x" /> + + <!-- ==================== Detection and reports ==================== --> + + + <target name="main" depends="init"> + <jkconf docBase="${tomcat.home}/webapps/examples" + context="/examples" /> + </target> + +</project> diff --git a/pki/base/kra/shared/conf/jkconfig.manifest b/pki/base/kra/shared/conf/jkconfig.manifest new file mode 100644 index 000000000..3ba1f2e3e --- /dev/null +++ b/pki/base/kra/shared/conf/jkconfig.manifest @@ -0,0 +1,2 @@ +Main-Class: org.apache.jk.config.WebXml2Jk +Class-Path: tomcat-jk2.jar commons-logging.jar crimson.jar xercesImpl.jar xmlApis.jar tomcat-util.jar log4j.jar log4j-core.jar diff --git a/pki/base/kra/shared/conf/registry.cfg b/pki/base/kra/shared/conf/registry.cfg new file mode 100644 index 000000000..e69de29bb --- /dev/null +++ b/pki/base/kra/shared/conf/registry.cfg diff --git a/pki/base/kra/shared/conf/schema.ldif b/pki/base/kra/shared/conf/schema.ldif new file mode 100644 index 000000000..4431a2730 --- /dev/null +++ b/pki/base/kra/shared/conf/schema.ldif @@ -0,0 +1,394 @@ +dn: cn=schema +changetype: modify +add: attributeTypes +attributeTypes: ( usertype-oid NAME 'usertype' DESC 'Distinguish whether the user is administrator, agent or subsystem.' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' ) + +dn: cn=schema +changetype: modify +add: attributeTypes +attributeTypes: ( userstate-oid NAME 'userstate' DESC 'Distinguish whether the user is administrator, agent or subsystem.' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' ) + +dn: cn=schema +changetype: modify +add: objectClasses +objectClasses: ( cmsuser-oid NAME 'cmsuser' DESC 'CMS User' SUP top STRUCTURAL MUST usertype MAY userstate X-ORIGIN 'user defined' ) + +dn: cn=schema +changetype: modify +add: attributeTypes +attributeTypes: ( archivedBy-oid NAME 'archivedBy' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' ) + +dn: cn=schema +changetype: modify +add: attributeTypes +attributeTypes: ( adminMessages-oid NAME 'adminMessages' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' ) + +dn: cn=schema +changetype: modify +add: attributeTypes +attributeTypes: ( algorithm-oid NAME 'algorithm' DESC 'CMS defined attribute'SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' ) + +dn: cn=schema +changetype: modify +add: attributeTypes +attributeTypes: ( algorithmId-oid NAME 'algorithmId' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' ) + +dn: cn=schema +changetype: modify +add: attributeTypes +attributeTypes: ( signingAlgorithmId-oid NAME 'signingAlgorithmId' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' ) + +dn: cn=schema +changetype: modify +add: attributeTypes +attributeTypes: ( autoRenew-oid NAME 'autoRenew' DESC 'CMS defined attribute'SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' ) + +dn: cn=schema +changetype: modify +add: attributeTypes +attributeTypes: ( certStatus-oid NAME 'certStatus' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' ) + +dn: cn=schema +changetype: modify +add: attributeTypes +attributeTypes: ( crlName-oid NAME 'crlName' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' ) + +dn: cn=schema +changetype: modify +add: attributeTypes +attributeTypes: ( crlSize-oid NAME 'crlSize' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' ) + +dn: cn=schema +changetype: modify +add: attributeTypes +attributeTypes: ( deltaSize-oid NAME 'deltaSize' DESC 'CMS defined attribute'SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' ) + +dn: cn=schema +changetype: modify +add: attributeTypes +attributeTypes: ( crlNumber-oid NAME 'crlNumber' DESC 'CMS defined attribute'SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' ) + +dn: cn=schema +changetype: modify +add: attributeTypes +attributeTypes: ( deltaNumber-oid NAME 'deltaNumber' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' ) + +dn: cn=schema +changetype: modify +add: attributeTypes +attributeTypes: ( firstUnsaved-oid NAME 'firstUnsaved' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' ) + +dn: cn=schema +changetype: modify +add: attributeTypes +attributeTypes: ( crlCache-oid NAME 'crlCache' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.5 X-ORIGIN 'user defined' ) + +dn: cn=schema +changetype: modify +add: attributeTypes +attributeTypes: ( revokedCerts-oid NAME 'revokedCerts' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.5 X-ORIGIN 'user defined' ) + +dn: cn=schema +changetype: modify +add: attributeTypes +attributeTypes: ( unrevokedCerts-oid NAME 'unrevokedCerts' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.5 X-ORIGIN 'user defined' ) + +dn: cn=schema +changetype: modify +add: attributeTypes +attributeTypes: ( expiredCerts-oid NAME 'expiredCerts' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.5 X-ORIGIN 'user defined' ) + +dn: cn=schema +changetype: modify +add: attributeTypes +attributeTypes: ( deltaCRL-oid NAME 'deltaCRL' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.5 X-ORIGIN 'user defined' ) + +dn: cn=schema +changetype: modify +add: attributeTypes +attributeTypes: ( crlExtensions-oid NAME 'crlExtensions' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.5 X-ORIGIN 'user defined' ) + +dn: cn=schema +changetype: modify +add: attributeTypes +attributeTypes: ( dateOfArchival-oid NAME 'dateOfArchival' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' ) + +dn: cn=schema +changetype: modify +add: attributeTypes +attributeTypes: ( dateOfRecovery-oid NAME 'dateOfRecovery' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' ) + +dn: cn=schema +changetype: modify +add: attributeTypes +attributeTypes: ( dateOfRevocation-oid NAME 'dateOfRevocation' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' ) + +dn: cn=schema +changetype: modify +add: attributeTypes +attributeTypes: ( dateOfCreate-oid NAME 'dateOfCreate' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' ) + +dn: cn=schema +changetype: modify +add: attributeTypes +attributeTypes: ( dateOfModify-oid NAME 'dateOfModify' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' ) + +dn: cn=schema +changetype: modify +add: attributeTypes +attributeTypes: ( duration-oid NAME 'duration' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' ) + +dn: cn=schema +changetype: modify +add: attributeTypes +attributeTypes: ( extension-oid NAME 'extension' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' ) + +dn: cn=schema +changetype: modify +add: attributeTypes +attributeTypes: ( issuedBy-oid NAME 'issuedBy' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' ) + +dn: cn=schema +changetype: modify +add: attributeTypes +attributeTypes: ( issueInfo-oid NAME 'issueInfo' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.5 X-ORIGIN 'user defined' ) + +dn: cn=schema +changetype: modify +add: attributeTypes +attributeTypes: ( issuerName-oid NAME 'issuerName' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' ) + +dn: cn=schema +changetype: modify +add: attributeTypes +attributeTypes: ( keySize-oid NAME 'keySize' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' ) + +dn: cn=schema +changetype: modify +add: attributeTypes +attributeTypes: ( keyState-oid NAME 'keyState' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' ) + +dn: cn=schema +changetype: modify +add: attributeTypes +attributeTypes: ( metaInfo-oid NAME 'metaInfo' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' ) + +dn: cn=schema +changetype: modify +add: attributeTypes +attributeTypes: ( nextUpdate-oid NAME 'nextUpdate' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' ) + +dn: cn=schema +changetype: modify +add: attributeTypes +attributeTypes: ( notAfter-oid NAME 'notAfter' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' ) + +dn: cn=schema +changetype: modify +add: attributeTypes +attributeTypes: ( notBefore-oid NAME 'notBefore' DESC 'CMS defined attribute'SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' ) + +dn: cn=schema +changetype: modify +add: attributeTypes +attributeTypes: ( ownerName-oid NAME 'ownerName' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' ) + +dn: cn=schema +changetype: modify +add: attributeTypes +attributeTypes: ( password-oid NAME 'password' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' ) + +dn: cn=schema +changetype: modify +add: attributeTypes +attributeTypes: ( p12Expiration-oid NAME 'p12Expiration' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' ) + +dn: cn=schema +changetype: modify +add: attributeTypes +attributeTypes: ( proofOfArchival-oid NAME 'proofOfArchival' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.5 X-ORIGIN 'user defined' ) + +dn: cn=schema +changetype: modify +add: attributeTypes +attributeTypes: ( publicKeyData-oid NAME 'publicKeyData' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.5 X-ORIGIN 'user defined' ) + +dn: cn=schema +changetype: modify +add: attributeTypes +attributeTypes: ( publicKeyFormat-oid NAME 'publicKeyFormat' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' ) + +dn: cn=schema +changetype: modify +add: attributeTypes +attributeTypes: ( privateKeyData-oid NAME 'privateKeyData' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.5 X-ORIGIN 'user defined' ) + +dn: cn=schema +changetype: modify +add: attributeTypes +attributeTypes: ( requestId-oid NAME 'requestId' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' ) + +dn: cn=schema +changetype: modify +add: attributeTypes +attributeTypes: ( requestInfo-oid NAME 'requestInfo' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' ) + +dn: cn=schema +changetype: modify +add: attributeTypes +attributeTypes: ( requestState-oid NAME 'requestState' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' ) + +dn: cn=schema +changetype: modify +add: attributeTypes +attributeTypes: ( requestResult-oid NAME 'requestResult' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' ) + +dn: cn=schema +changetype: modify +add: attributeTypes +attributeTypes: ( requestOwner-oid NAME 'requestOwner' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' ) + +dn: cn=schema +changetype: modify +add: attributeTypes +attributeTypes: ( requestAgentGroup-oid NAME 'requestAgentGroup' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' ) + +dn: cn=schema +changetype: modify +add: attributeTypes +attributeTypes: ( requestSourceId-oid NAME 'requestSourceId' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' ) + +dn: cn=schema +changetype: modify +add: attributeTypes +attributeTypes: ( requestType-oid NAME 'requestType' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' ) + +dn: cn=schema +changetype: modify +add: attributeTypes +attributeTypes: ( requestFlag-oid NAME 'requestFlag' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' ) + +dn: cn=schema +changetype: modify +add: attributeTypes +attributeTypes: ( requestError-oid NAME 'requestError' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' ) + +dn: cn=schema +changetype: modify +add: attributeTypes +attributeTypes: ( resourceACLS-oid NAME 'resourceACLS' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' ) + +dn: cn=schema +changetype: modify +add: attributeTypes +attributeTypes: ( revInfo-oid NAME 'revInfo' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' ) + +dn: cn=schema +changetype: modify +add: attributeTypes +attributeTypes: ( revokedBy-oid NAME 'revokedBy' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' ) + +dn: cn=schema +changetype: modify +add: attributeTypes +attributeTypes: ( revokedOn-oid NAME 'revokedOn' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' ) + +dn: cn=schema +changetype: modify +add: attributeTypes +attributeTypes: ( serialno-oid NAME 'serialno' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' ) + +dn: cn=schema +changetype: modify +add: attributeTypes +attributeTypes: ( subjectName-oid NAME 'subjectName' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' ) + +dn: cn=schema +changetype: modify +add: attributeTypes +attributeTypes: ( sessionContext-oid NAME 'sessionContext' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.5 X-ORIGIN 'user defined' ) + +dn: cn=schema +changetype: modify +add: attributeTypes +attributeTypes: ( thisUpdate-oid NAME 'thisUpdate' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' ) + +dn: cn=schema +changetype: modify +add: attributeTypes +attributeTypes: ( transId-oid NAME 'transId' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' ) + +dn: cn=schema +changetype: modify +add: attributeTypes +attributeTypes: ( transStatus-oid NAME 'transStatus' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' ) + +dn: cn=schema +changetype: modify +add: attributeTypes +attributeTypes: ( transName-oid NAME 'transName' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' ) + +dn: cn=schema +changetype: modify +add: attributeTypes +attributeTypes: ( transOps-oid NAME 'transOps' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' ) + +dn: cn=schema +changetype: modify +add: attributeTypes +attributeTypes: ( userDN-oid NAME 'userDN' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' ) + +dn: cn=schema +changetype: modify +add: attributeTypes +attributeTypes: ( userMessages-oid NAME 'userMessages' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' ) + +dn: cn=schema +changetype: modify +add: attributeTypes +attributeTypes: ( version-oid NAME 'version' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' ) + +dn: cn=schema +changetype: modify +add: objectClasses +objectClasses: ( CertACLS-oid NAME 'CertACLS' DESC 'CMS defined class' SUP top STRUCTURAL MUST cn MAY resourceACLS X-ORIGIN 'user defined' ) + +dn: cn=schema +changetype: modify +add: objectClasses +objectClasses: ( repository-oid NAME 'repository' DESC 'CMS defined class' SUP top STRUCTURAL MUST ou MAY ( serialno $ description ) X-ORIGIN 'user defined' ) + +dn: cn=schema +changetype: modify +add: objectClasses +objectClasses: ( request-oid NAME 'request' DESC 'CMS defined class' SUP top STRUCTURAL MUST cn MAY ( requestId $ dateOfCreate $ dateOfModify $ requestState $ requestResult $ requestOwner $ requestAgentGroup $ requestSourceId $ requestType $ requestFlag $ requestError $ userMessages $ adminMessages ) X-ORIGIN 'user defined' ) + +dn: cn=schema +changetype: modify +add: objectClasses +objectClasses: ( transaction-oid NAME 'transaction' DESC 'CMS defined class' SUP top STRUCTURAL MUST cn MAY ( transId $ description $ transName $ transStatus $ transOps ) X-ORIGIN 'user defined' ) + +dn: cn=schema +changetype: modify +add: objectClasses +objectClasses: ( pkiCA-oid NAME 'pkiCA' DESC 'CMS defined class' SUP top STRUCTURAL MUST ou MAY certificateRevocationList X-ORIGIN 'user defined' ) + +dn: cn=schema +changetype: modify +add: objectClasses +objectClasses: ( crlIssuingPointRecord-oid NAME 'crlIssuingPointRecord' DESC 'CMS defined class' SUP top STRUCTURAL MUST cn MAY ( dateOfCreate $ dateOfModify $ crlNumber $ crlSize $ thisUpdate $ nextUpdate $ deltaNumber $ deltaSize $ firstUnsaved $ certificateRevocationList $ deltaCRL $ crlCache $ revokedCerts $ unrevokedCerts $ expiredCerts $ cACertificate ) X-ORIGIN 'user defined' ) + +dn: cn=schema +changetype: modify +add: objectClasses +objectClasses: ( certificateRecord-oid NAME 'certificateRecord' DESC 'CMS defined class' SUP top STRUCTURAL MUST cn MAY ( serialno $ dateOfCreate $ dateOfModify $ certStatus $ autoRenew $ issueInfo $ metaInfo $ revInfo $ version $ duration $ notAfter $ notBefore $ algorithmId $ subject $ subjectName $ signingAlgorithmId $ userCertificate $ issuedBy $ revokedBy $ revokedOn $ extension $ publicKeyData $ issuerName ) X-ORIGIN 'user defined' ) + +dn: cn=schema +changetype: modify +add: objectClasses +objectClasses: ( userDetails-oid NAME 'userDetails' DESC 'CMS defined class' SUP top STRUCTURAL MUST userDN MAY ( dateOfCreate $ dateOfModify $ password $ p12Expiration ) X-ORIGIN 'user defined' ) + +dn: cn=schema +changetype: modify +add: objectClasses +objectClasses: ( keyRecord-oid NAME 'keyRecord' DESC 'CMS defined class' SUP top STRUCTURAL MUST cn MAY ( serialno $ dateOfCreate $ dateOfModify $ keyState $ privateKeyData $ ownerName $ keySize $ metaInfo $ dateOfArchival $ dateOfRecovery $ algorithm $ publicKeyFormat $ publicKeyData $ archivedBy ) X-ORIGIN 'user defined' ) diff --git a/pki/base/kra/shared/conf/server-minimal.xml b/pki/base/kra/shared/conf/server-minimal.xml new file mode 100644 index 000000000..7b542b6cf --- /dev/null +++ b/pki/base/kra/shared/conf/server-minimal.xml @@ -0,0 +1,25 @@ +<Server port="8005" shutdown="SHUTDOWN"> + + <GlobalNamingResources> + <!-- Used by Manager webapp --> + <Resource name="UserDatabase" auth="Container" + type="org.apache.catalina.UserDatabase" + description="User database that can be updated and saved" + factory="org.apache.catalina.users.MemoryUserDatabaseFactory" + pathname="conf/tomcat-users.xml" /> + </GlobalNamingResources> + + <Service name="Catalina"> + <Connector port="8080" /> + + <!-- This is here for compatibility only, not required --> + <Connector port="8009" protocol="AJP/1.3" /> + + <Engine name="Catalina" defaultHost="localhost"> + <Realm className="org.apache.catalina.realm.UserDatabaseRealm" + resourceName="UserDatabase" /> + <Host name="localhost" appBase="webapps" /> + </Engine> + + </Service> +</Server> diff --git a/pki/base/kra/shared/conf/server.xml b/pki/base/kra/shared/conf/server.xml new file mode 100644 index 000000000..68730db04 --- /dev/null +++ b/pki/base/kra/shared/conf/server.xml @@ -0,0 +1,396 @@ +<!-- Example Server Configuration File --> +<!-- Note that component elements are nested corresponding to their + parent-child relationships with each other --> + +<!-- A "Server" is a singleton element that represents the entire JVM, + which may contain one or more "Service" instances. The Server + listens for a shutdown command on the indicated port. + + Note: A "Server" is not itself a "Container", so you may not + define subcomponents such as "Valves" or "Loggers" at this level. + --> + +<Server port="[TOMCAT_SERVER_PORT]" shutdown="SHUTDOWN"> + + <!-- Comment these entries out to disable JMX MBeans support used for the + administration web application --> + <Listener className="org.apache.catalina.mbeans.ServerLifecycleListener" /> + <Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener" /> + <Listener className="org.apache.catalina.storeconfig.StoreConfigLifecycleListener"/> + + <!-- Global JNDI resources --> + <GlobalNamingResources> + + <!-- Test entry for demonstration purposes --> + <Environment name="simpleValue" type="java.lang.Integer" value="30"/> + + <!-- Editable user database that can also be used by + UserDatabaseRealm to authenticate users --> + <Resource name="UserDatabase" auth="Container" + type="org.apache.catalina.UserDatabase" + description="User database that can be updated and saved" + factory="org.apache.catalina.users.MemoryUserDatabaseFactory" + pathname="conf/tomcat-users.xml" /> + + </GlobalNamingResources> + + <!-- A "Service" is a collection of one or more "Connectors" that share + a single "Container" (and therefore the web applications visible + within that Container). Normally, that Container is an "Engine", + but this is not required. + + Note: A "Service" is not itself a "Container", so you may not + define subcomponents such as "Valves" or "Loggers" at this level. + --> + + <!-- Define the Tomcat Stand-Alone Service --> + <Service name="Catalina"> + + <!-- A "Connector" represents an endpoint by which requests are received + and responses are returned. Each Connector passes requests on to the + associated "Container" (normally an Engine) for processing. + + By default, a non-SSL HTTP/1.1 Connector is established on port 8080. + You can also enable an SSL HTTP/1.1 Connector on port 8443 by + following the instructions below and uncommenting the second Connector + entry. SSL support requires the following steps (see the SSL Config + HOWTO in the Tomcat 5 documentation bundle for more detailed + instructions): + * If your JDK version 1.3 or prior, download and install JSSE 1.0.2 or + later, and put the JAR files into "$JAVA_HOME/jre/lib/ext". + * Execute: + %JAVA_HOME%\bin\keytool -genkey -alias tomcat -keyalg RSA (Windows) + $JAVA_HOME/bin/keytool -genkey -alias tomcat -keyalg RSA (Unix) + with a password value of "changeit" for both the certificate and + the keystore itself. + + By default, DNS lookups are enabled when a web application calls + request.getRemoteHost(). This can have an adverse impact on + performance, so you can disable it by setting the + "enableLookups" attribute to "false". When DNS lookups are disabled, + request.getRemoteHost() will return the String version of the + IP address of the remote client. + --> + + <!-- Define a non-SSL HTTP/1.1 Connector on port 8080 --> + + + + + <Connector port="[PKI_UNSECURE_PORT]" maxHttpHeaderSize="8192" + maxThreads="150" minSpareThreads="25" maxSpareThreads="75" + enableLookups="false" redirectPort="8443" acceptCount="100" + connectionTimeout="20000" disableUploadTimeout="true" /> + +<!-- Define a SSL HTTP/1.1 Connector on port 8443 --> + +<!-- DO NOT REMOVE - Begin define PKI secure port --> +<Connector port="[PKI_SECURE_PORT]" maxHttpHeaderSize="8192" + maxThreads="150" minSpareThreads="25" maxSpareThreads="75" + enableLookups="false" disableUploadTimeout="true" + acceptCount="100" scheme="https" secure="true" + clientAuth="false" sslProtocol="SSL" + sslOptions="ssl2=true,ssl3=true,tls=true" + ssl2Ciphers="-SSL2_RC4_128_WITH_MD5,-SSL2_RC4_128_EXPORT40_WITH_MD5,-SSL2_RC2_128_CBC_WITH_MD5,-SSL2_RC2_128_CBC_EXPORT40_WITH_MD5,-SSL2_DES_64_CBC_WITH_MD5,-SSL2_DES_192_EDE3_CBC_WITH_MD5" + ssl3Ciphers="-SSL3_FORTEZZA_DMS_WITH_NULL_SHA,-SSL3_FORTEZZA_DMS_WITH_RC4_128_SHA,+SSL3_RSA_WITH_RC4_128_SHA,-SSL3_RSA_EXPORT_WITH_RC4_40_MD5,+SSL3_RSA_WITH_3DES_EDE_CBC_SHA,+SSL3_RSA_WITH_DES_CBC_SHA,-SSL3_RSA_EXPORT_WITH_RC2_CBC_40_MD5,-SSL3_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA,-SSL_RSA_FIPS_WITH_DES_CBC_SHA,+SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA,-SSL3_RSA_WITH_NULL_MD5,-TLS_RSA_EXPORT1024_WITH_RC4_56_SHA,+TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA" + tls3Ciphers="-SSL3_FORTEZZA_DMS_WITH_NULL_SHA,-SSL3_FORTEZZA_DMS_WITH_RC4_128_SHA,+SSL3_RSA_WITH_RC4_128_SHA,-SSL3_RSA_EXPORT_WITH_RC4_40_MD5,+SSL3_RSA_WITH_3DES_EDE_CBC_SHA,+SSL3_RSA_WITH_DES_CBC_SHA,-SSL3_RSA_EXPORT_WITH_RC2_CBC_40_MD5,-SSL3_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA,-SSL_RSA_FIPS_WITH_DES_CBC_SHA,+SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA,-SSL3_RSA_WITH_NULL_MD5,-TLS_RSA_EXPORT1024_WITH_RC4_56_SHA,+TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA" + SSLImplementation="org.apache.tomcat.util.net.jss.JSSImplementation" + serverCertNickFile="[PKI_INSTANCE_PATH]/conf/serverCertNick.conf" + passwordFile="[PKI_INSTANCE_PATH]/conf/password.conf" + passwordClass="org.apache.tomcat.util.net.jss.PlainPasswordFile" + certdbDir="[PKI_INSTANCE_PATH]/alias"/> +<!-- DO NOT REMOVE - End define PKI secure port --> + + + + <!-- Note : To disable connection timeouts, set connectionTimeout value + to 0 --> + + <!-- Note : To use gzip compression you could set the following properties : + + compression="on" + compressionMinSize="2048" + noCompressionUserAgents="gozilla, traviata" + compressableMimeType="text/html,text/xml" + --> + + + <!-- Define an AJP 1.3 Connector on port 8009 --> +<!-- + <Connector port="8009" + enableLookups="false" redirectPort="8443" protocol="AJP/1.3" /> +--> + + <!-- Define a Proxied HTTP/1.1 Connector on port 8082 --> + <!-- See proxy documentation for more information about using this. --> + <!-- + <Connector port="8082" + maxThreads="150" minSpareThreads="25" maxSpareThreads="75" + enableLookups="false" acceptCount="100" connectionTimeout="20000" + proxyPort="80" disableUploadTimeout="true" /> + --> + + <!-- An Engine represents the entry point (within Catalina) that processes + every request. The Engine implementation for Tomcat stand alone + analyzes the HTTP headers included with the request, and passes them + on to the appropriate Host (virtual host). --> + + <!-- You should set jvmRoute to support load-balancing via AJP ie : + <Engine name="Standalone" defaultHost="localhost" jvmRoute="jvm1"> + --> + + <!-- Define the top level container in our container hierarchy --> + <Engine name="Catalina" defaultHost="localhost"> + + <!-- The request dumper valve dumps useful debugging information about + the request headers and cookies that were received, and the response + headers and cookies that were sent, for all requests received by + this instance of Tomcat. If you care only about requests to a + particular virtual host, or a particular application, nest this + element inside the corresponding <Host> or <Context> entry instead. + + For a similar mechanism that is portable to all Servlet 2.4 + containers, check out the "RequestDumperFilter" Filter in the + example application (the source for this filter may be found in + "$CATALINA_HOME/webapps/examples/WEB-INF/classes/filters"). + + Request dumping is disabled by default. Uncomment the following + element to enable it. --> + <!-- + <Valve className="org.apache.catalina.valves.RequestDumperValve"/> + --> + + <!-- Because this Realm is here, an instance will be shared globally --> + + <!-- This Realm uses the UserDatabase configured in the global JNDI + resources under the key "UserDatabase". Any edits + that are performed against this UserDatabase are immediately + available for use by the Realm. --> + <Realm className="org.apache.catalina.realm.UserDatabaseRealm" + resourceName="UserDatabase"/> + + <!-- Comment out the old realm but leave here for now in case we + need to go back quickly --> + <!-- + <Realm className="org.apache.catalina.realm.MemoryRealm" /> + --> + + <!-- Replace the above Realm with one of the following to get a Realm + stored in a database and accessed via JDBC --> + + <!-- + <Realm className="org.apache.catalina.realm.JDBCRealm" + driverName="org.gjt.mm.mysql.Driver" + connectionURL="jdbc:mysql://localhost/authority" + connectionName="test" connectionPassword="test" + userTable="users" userNameCol="user_name" userCredCol="user_pass" + userRoleTable="user_roles" roleNameCol="role_name" /> + --> + + <!-- + <Realm className="org.apache.catalina.realm.JDBCRealm" + driverName="oracle.jdbc.driver.OracleDriver" + connectionURL="jdbc:oracle:thin:@ntserver:1521:ORCL" + connectionName="scott" connectionPassword="tiger" + userTable="users" userNameCol="user_name" userCredCol="user_pass" + userRoleTable="user_roles" roleNameCol="role_name" /> + --> + + <!-- + <Realm className="org.apache.catalina.realm.JDBCRealm" + driverName="sun.jdbc.odbc.JdbcOdbcDriver" + connectionURL="jdbc:odbc:CATALINA" + userTable="users" userNameCol="user_name" userCredCol="user_pass" + userRoleTable="user_roles" roleNameCol="role_name" /> + --> + + <!-- Define the default virtual host + Note: XML Schema validation will not work with Xerces 2.2. + --> + <Host name="localhost" appBase="webapps" + unpackWARs="true" autoDeploy="true" + xmlValidation="false" xmlNamespaceAware="false"> + + <!-- Defines a cluster for this node, + By defining this element, means that every manager will be changed. + So when running a cluster, only make sure that you have webapps in there + that need to be clustered and remove the other ones. + A cluster has the following parameters: + + className = the fully qualified name of the cluster class + + name = a descriptive name for your cluster, can be anything + + mcastAddr = the multicast address, has to be the same for all the nodes + + mcastPort = the multicast port, has to be the same for all the nodes + + mcastBindAddr = bind the multicast socket to a specific address + + mcastTTL = the multicast TTL if you want to limit your broadcast + + mcastSoTimeout = the multicast readtimeout + + mcastFrequency = the number of milliseconds in between sending a "I'm alive" heartbeat + + mcastDropTime = the number a milliseconds before a node is considered "dead" if no heartbeat is received + + tcpThreadCount = the number of threads to handle incoming replication requests, optimal would be the same amount of threads as nodes + + tcpListenAddress = the listen address (bind address) for TCP cluster request on this host, + in case of multiple ethernet cards. + auto means that address becomes + InetAddress.getLocalHost().getHostAddress() + + tcpListenPort = the tcp listen port + + tcpSelectorTimeout = the timeout (ms) for the Selector.select() method in case the OS + has a wakup bug in java.nio. Set to 0 for no timeout + + printToScreen = true means that managers will also print to std.out + + expireSessionsOnShutdown = true means that + + useDirtyFlag = true means that we only replicate a session after setAttribute,removeAttribute has been called. + false means to replicate the session after each request. + false means that replication would work for the following piece of code: (only for SimpleTcpReplicationManager) + <% + HashMap map = (HashMap)session.getAttribute("map"); + map.put("key","value"); + %> + replicationMode = can be either 'pooled', 'synchronous' or 'asynchronous'. + * Pooled means that the replication happens using several sockets in a synchronous way. Ie, the data gets replicated, then the request return. This is the same as the 'synchronous' setting except it uses a pool of sockets, hence it is multithreaded. This is the fastest and safest configuration. To use this, also increase the nr of tcp threads that you have dealing with replication. + * Synchronous means that the thread that executes the request, is also the + thread the replicates the data to the other nodes, and will not return until all + nodes have received the information. + * Asynchronous means that there is a specific 'sender' thread for each cluster node, + so the request thread will queue the replication request into a "smart" queue, + and then return to the client. + The "smart" queue is a queue where when a session is added to the queue, and the same session + already exists in the queue from a previous request, that session will be replaced + in the queue instead of replicating two requests. This almost never happens, unless there is a + large network delay. + --> + <!-- + When configuring for clustering, you also add in a valve to catch all the requests + coming in, at the end of the request, the session may or may not be replicated. + A session is replicated if and only if all the conditions are met: + 1. useDirtyFlag is true or setAttribute or removeAttribute has been called AND + 2. a session exists (has been created) + 3. the request is not trapped by the "filter" attribute + + The filter attribute is to filter out requests that could not modify the session, + hence we don't replicate the session after the end of this request. + The filter is negative, ie, anything you put in the filter, you mean to filter out, + ie, no replication will be done on requests that match one of the filters. + The filter attribute is delimited by ;, so you can't escape out ; even if you wanted to. + + filter=".*\.gif;.*\.js;" means that we will not replicate the session after requests with the URI + ending with .gif and .js are intercepted. + + The deployer element can be used to deploy apps cluster wide. + Currently the deployment only deploys/undeploys to working members in the cluster + so no WARs are copied upons startup of a broken node. + The deployer watches a directory (watchDir) for WAR files when watchEnabled="true" + When a new war file is added the war gets deployed to the local instance, + and then deployed to the other instances in the cluster. + When a war file is deleted from the watchDir the war is undeployed locally + and cluster wide + --> + + <!-- + <Cluster className="org.apache.catalina.cluster.tcp.SimpleTcpCluster" + managerClassName="org.apache.catalina.cluster.session.DeltaManager" + expireSessionsOnShutdown="false" + useDirtyFlag="true" + notifyListenersOnReplication="true"> + + <Membership + className="org.apache.catalina.cluster.mcast.McastService" + mcastAddr="228.0.0.4" + mcastPort="45564" + mcastFrequency="500" + mcastDropTime="3000"/> + + <Receiver + className="org.apache.catalina.cluster.tcp.ReplicationListener" + tcpListenAddress="auto" + tcpListenPort="4001" + tcpSelectorTimeout="100" + tcpThreadCount="6"/> + + <Sender + className="org.apache.catalina.cluster.tcp.ReplicationTransmitter" + replicationMode="pooled" + ackTimeout="15000"/> + + <Valve className="org.apache.catalina.cluster.tcp.ReplicationValve" + filter=".*\.gif;.*\.js;.*\.jpg;.*\.png;.*\.htm;.*\.html;.*\.css;.*\.txt;"/> + + <Deployer className="org.apache.catalina.cluster.deploy.FarmWarDeployer" + tempDir="/tmp/war-temp/" + deployDir="/tmp/war-deploy/" + watchDir="/tmp/war-listen/" + watchEnabled="false"/> + </Cluster> + --> + + + + <!-- Normally, users must authenticate themselves to each web app + individually. Uncomment the following entry if you would like + a user to be authenticated the first time they encounter a + resource protected by a security constraint, and then have that + user identity maintained across *all* web applications contained + in this virtual host. --> + <!-- + <Valve className="org.apache.catalina.authenticator.SingleSignOn" /> + --> + + <!-- Access log processes all requests for this virtual host. By + default, log files are created in the "logs" directory relative to + $CATALINA_HOME. If you wish, you can specify a different + directory with the "directory" attribute. Specify either a relative + (to $CATALINA_HOME) or absolute path to the desired directory. + --> + <Valve className="org.apache.catalina.valves.AccessLogValve" + directory="logs" prefix="localhost_access_log." suffix=".txt" + pattern="common" resolveHosts="false"/> + + <!-- Access log processes all requests for this virtual host. By + default, log files are created in the "logs" directory relative to + $CATALINA_HOME. If you wish, you can specify a different + directory with the "directory" attribute. Specify either a relative + (to $CATALINA_HOME) or absolute path to the desired directory. + This access log implementation is optimized for maximum performance, + but is hardcoded to support only the "common" and "combined" patterns. + --> + <!-- + <Valve className="org.apache.catalina.valves.FastCommonAccessLogValve" + directory="logs" prefix="localhost_access_log." suffix=".txt" + pattern="common" resolveHosts="false"/> + --> + <!-- Access log processes all requests for this virtual host. By + default, log files are created in the "logs" directory relative to + $CATALINA_HOME. If you wish, you can specify a different + directory with the "directory" attribute. Specify either a relative + (to $CATALINA_HOME) or absolute path to the desired directory. + This access log implementation is optimized for maximum performance, + but is hardcoded to support only the "common" and "combined" patterns. + + This valve use NIO direct Byte Buffer to asynchornously store the + log. + --> + <!-- + <Valve className="org.apache.catalina.valves.ByteBufferAccessLogValve" + directory="logs" prefix="localhost_access_log." suffix=".txt" + pattern="common" resolveHosts="false"/> + --> + + </Host> + + </Engine> + + </Service> + +</Server> diff --git a/pki/base/kra/shared/conf/server.xml.good b/pki/base/kra/shared/conf/server.xml.good new file mode 100644 index 000000000..502c05d1d --- /dev/null +++ b/pki/base/kra/shared/conf/server.xml.good @@ -0,0 +1,390 @@ +<!-- Example Server Configuration File --> +<!-- Note that component elements are nested corresponding to their + parent-child relationships with each other --> + +<!-- A "Server" is a singleton element that represents the entire JVM, + which may contain one or more "Service" instances. The Server + listens for a shutdown command on the indicated port. + + Note: A "Server" is not itself a "Container", so you may not + define subcomponents such as "Valves" or "Loggers" at this level. + --> + +<Server port="8005" shutdown="SHUTDOWN"> + + <!-- Comment these entries out to disable JMX MBeans support used for the + administration web application --> + <Listener className="org.apache.catalina.mbeans.ServerLifecycleListener" /> + <Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener" /> + <Listener className="org.apache.catalina.storeconfig.StoreConfigLifecycleListener"/> + + <!-- Global JNDI resources --> + <GlobalNamingResources> + + <!-- Test entry for demonstration purposes --> + <Environment name="simpleValue" type="java.lang.Integer" value="30"/> + + <!-- Editable user database that can also be used by + UserDatabaseRealm to authenticate users --> + <Resource name="UserDatabase" auth="Container" + type="org.apache.catalina.UserDatabase" + description="User database that can be updated and saved" + factory="org.apache.catalina.users.MemoryUserDatabaseFactory" + pathname="conf/tomcat-users.xml" /> + + </GlobalNamingResources> + + <!-- A "Service" is a collection of one or more "Connectors" that share + a single "Container" (and therefore the web applications visible + within that Container). Normally, that Container is an "Engine", + but this is not required. + + Note: A "Service" is not itself a "Container", so you may not + define subcomponents such as "Valves" or "Loggers" at this level. + --> + + <!-- Define the Tomcat Stand-Alone Service --> + <Service name="Catalina"> + + <!-- A "Connector" represents an endpoint by which requests are received + and responses are returned. Each Connector passes requests on to the + associated "Container" (normally an Engine) for processing. + + By default, a non-SSL HTTP/1.1 Connector is established on port 8080. + You can also enable an SSL HTTP/1.1 Connector on port 8443 by + following the instructions below and uncommenting the second Connector + entry. SSL support requires the following steps (see the SSL Config + HOWTO in the Tomcat 5 documentation bundle for more detailed + instructions): + * If your JDK version 1.3 or prior, download and install JSSE 1.0.2 or + later, and put the JAR files into "$JAVA_HOME/jre/lib/ext". + * Execute: + %JAVA_HOME%\bin\keytool -genkey -alias tomcat -keyalg RSA (Windows) + $JAVA_HOME/bin/keytool -genkey -alias tomcat -keyalg RSA (Unix) + with a password value of "changeit" for both the certificate and + the keystore itself. + + By default, DNS lookups are enabled when a web application calls + request.getRemoteHost(). This can have an adverse impact on + performance, so you can disable it by setting the + "enableLookups" attribute to "false". When DNS lookups are disabled, + request.getRemoteHost() will return the String version of the + IP address of the remote client. + --> + + <!-- Define a non-SSL HTTP/1.1 Connector on port 8080 --> + + + + + <Connector port="<PKI_UNSECURE_PORT>" maxHttpHeaderSize="8192" + maxThreads="150" minSpareThreads="25" maxSpareThreads="75" + enableLookups="false" redirectPort="8443" acceptCount="100" + connectionTimeout="20000" disableUploadTimeout="true" /> + +<!-- Define a SSL HTTP/1.1 Connector on port 8443 --> + +<!-- +<Connector port="<PKI_SECURE_PORT>" maxHttpHeaderSize="8192" + maxThreads="150" minSpareThreads="25" maxSpareThreads="75" + enableLookups="false" disableUploadTimeout="true" + acceptCount="100" scheme="https" secure="true" + clientAuth="false" sslProtocol="SSL" + SSLImplementation="org.apache.tomcat.util.net.jss.JSSImplementation" + serverCert="Server-Cert cert-<PKI_INSTANCE_ID>" + certdbDir="<PKI_INSTANCE_PATH>/alias" certdbPassword="<PKI_CERT_DB_PASSWORD>"/> +--> + + + + <!-- Note : To disable connection timeouts, set connectionTimeout value + to 0 --> + + <!-- Note : To use gzip compression you could set the following properties : + + compression="on" + compressionMinSize="2048" + noCompressionUserAgents="gozilla, traviata" + compressableMimeType="text/html,text/xml" + --> + + + <!-- Define an AJP 1.3 Connector on port 8009 --> + <Connector port="8009" + enableLookups="false" redirectPort="8443" protocol="AJP/1.3" /> + + <!-- Define a Proxied HTTP/1.1 Connector on port 8082 --> + <!-- See proxy documentation for more information about using this. --> + <!-- + <Connector port="8082" + maxThreads="150" minSpareThreads="25" maxSpareThreads="75" + enableLookups="false" acceptCount="100" connectionTimeout="20000" + proxyPort="80" disableUploadTimeout="true" /> + --> + + <!-- An Engine represents the entry point (within Catalina) that processes + every request. The Engine implementation for Tomcat stand alone + analyzes the HTTP headers included with the request, and passes them + on to the appropriate Host (virtual host). --> + + <!-- You should set jvmRoute to support load-balancing via AJP ie : + <Engine name="Standalone" defaultHost="localhost" jvmRoute="jvm1"> + --> + + <!-- Define the top level container in our container hierarchy --> + <Engine name="Catalina" defaultHost="localhost"> + + <!-- The request dumper valve dumps useful debugging information about + the request headers and cookies that were received, and the response + headers and cookies that were sent, for all requests received by + this instance of Tomcat. If you care only about requests to a + particular virtual host, or a particular application, nest this + element inside the corresponding <Host> or <Context> entry instead. + + For a similar mechanism that is portable to all Servlet 2.4 + containers, check out the "RequestDumperFilter" Filter in the + example application (the source for this filter may be found in + "$CATALINA_HOME/webapps/examples/WEB-INF/classes/filters"). + + Request dumping is disabled by default. Uncomment the following + element to enable it. --> + <!-- + <Valve className="org.apache.catalina.valves.RequestDumperValve"/> + --> + + <!-- Because this Realm is here, an instance will be shared globally --> + + <!-- This Realm uses the UserDatabase configured in the global JNDI + resources under the key "UserDatabase". Any edits + that are performed against this UserDatabase are immediately + available for use by the Realm. --> + <Realm className="org.apache.catalina.realm.UserDatabaseRealm" + resourceName="UserDatabase"/> + + <!-- Comment out the old realm but leave here for now in case we + need to go back quickly --> + <!-- + <Realm className="org.apache.catalina.realm.MemoryRealm" /> + --> + + <!-- Replace the above Realm with one of the following to get a Realm + stored in a database and accessed via JDBC --> + + <!-- + <Realm className="org.apache.catalina.realm.JDBCRealm" + driverName="org.gjt.mm.mysql.Driver" + connectionURL="jdbc:mysql://localhost/authority" + connectionName="test" connectionPassword="test" + userTable="users" userNameCol="user_name" userCredCol="user_pass" + userRoleTable="user_roles" roleNameCol="role_name" /> + --> + + <!-- + <Realm className="org.apache.catalina.realm.JDBCRealm" + driverName="oracle.jdbc.driver.OracleDriver" + connectionURL="jdbc:oracle:thin:@ntserver:1521:ORCL" + connectionName="scott" connectionPassword="tiger" + userTable="users" userNameCol="user_name" userCredCol="user_pass" + userRoleTable="user_roles" roleNameCol="role_name" /> + --> + + <!-- + <Realm className="org.apache.catalina.realm.JDBCRealm" + driverName="sun.jdbc.odbc.JdbcOdbcDriver" + connectionURL="jdbc:odbc:CATALINA" + userTable="users" userNameCol="user_name" userCredCol="user_pass" + userRoleTable="user_roles" roleNameCol="role_name" /> + --> + + <!-- Define the default virtual host + Note: XML Schema validation will not work with Xerces 2.2. + --> + <Host name="localhost" appBase="webapps" + unpackWARs="true" autoDeploy="true" + xmlValidation="false" xmlNamespaceAware="false"> + + <!-- Defines a cluster for this node, + By defining this element, means that every manager will be changed. + So when running a cluster, only make sure that you have webapps in there + that need to be clustered and remove the other ones. + A cluster has the following parameters: + + className = the fully qualified name of the cluster class + + name = a descriptive name for your cluster, can be anything + + mcastAddr = the multicast address, has to be the same for all the nodes + + mcastPort = the multicast port, has to be the same for all the nodes + + mcastBindAddr = bind the multicast socket to a specific address + + mcastTTL = the multicast TTL if you want to limit your broadcast + + mcastSoTimeout = the multicast readtimeout + + mcastFrequency = the number of milliseconds in between sending a "I'm alive" heartbeat + + mcastDropTime = the number a milliseconds before a node is considered "dead" if no heartbeat is received + + tcpThreadCount = the number of threads to handle incoming replication requests, optimal would be the same amount of threads as nodes + + tcpListenAddress = the listen address (bind address) for TCP cluster request on this host, + in case of multiple ethernet cards. + auto means that address becomes + InetAddress.getLocalHost().getHostAddress() + + tcpListenPort = the tcp listen port + + tcpSelectorTimeout = the timeout (ms) for the Selector.select() method in case the OS + has a wakup bug in java.nio. Set to 0 for no timeout + + printToScreen = true means that managers will also print to std.out + + expireSessionsOnShutdown = true means that + + useDirtyFlag = true means that we only replicate a session after setAttribute,removeAttribute has been called. + false means to replicate the session after each request. + false means that replication would work for the following piece of code: (only for SimpleTcpReplicationManager) + <% + HashMap map = (HashMap)session.getAttribute("map"); + map.put("key","value"); + %> + replicationMode = can be either 'pooled', 'synchronous' or 'asynchronous'. + * Pooled means that the replication happens using several sockets in a synchronous way. Ie, the data gets replicated, then the request return. This is the same as the 'synchronous' setting except it uses a pool of sockets, hence it is multithreaded. This is the fastest and safest configuration. To use this, also increase the nr of tcp threads that you have dealing with replication. + * Synchronous means that the thread that executes the request, is also the + thread the replicates the data to the other nodes, and will not return until all + nodes have received the information. + * Asynchronous means that there is a specific 'sender' thread for each cluster node, + so the request thread will queue the replication request into a "smart" queue, + and then return to the client. + The "smart" queue is a queue where when a session is added to the queue, and the same session + already exists in the queue from a previous request, that session will be replaced + in the queue instead of replicating two requests. This almost never happens, unless there is a + large network delay. + --> + <!-- + When configuring for clustering, you also add in a valve to catch all the requests + coming in, at the end of the request, the session may or may not be replicated. + A session is replicated if and only if all the conditions are met: + 1. useDirtyFlag is true or setAttribute or removeAttribute has been called AND + 2. a session exists (has been created) + 3. the request is not trapped by the "filter" attribute + + The filter attribute is to filter out requests that could not modify the session, + hence we don't replicate the session after the end of this request. + The filter is negative, ie, anything you put in the filter, you mean to filter out, + ie, no replication will be done on requests that match one of the filters. + The filter attribute is delimited by ;, so you can't escape out ; even if you wanted to. + + filter=".*\.gif;.*\.js;" means that we will not replicate the session after requests with the URI + ending with .gif and .js are intercepted. + + The deployer element can be used to deploy apps cluster wide. + Currently the deployment only deploys/undeploys to working members in the cluster + so no WARs are copied upons startup of a broken node. + The deployer watches a directory (watchDir) for WAR files when watchEnabled="true" + When a new war file is added the war gets deployed to the local instance, + and then deployed to the other instances in the cluster. + When a war file is deleted from the watchDir the war is undeployed locally + and cluster wide + --> + + <!-- + <Cluster className="org.apache.catalina.cluster.tcp.SimpleTcpCluster" + managerClassName="org.apache.catalina.cluster.session.DeltaManager" + expireSessionsOnShutdown="false" + useDirtyFlag="true" + notifyListenersOnReplication="true"> + + <Membership + className="org.apache.catalina.cluster.mcast.McastService" + mcastAddr="228.0.0.4" + mcastPort="45564" + mcastFrequency="500" + mcastDropTime="3000"/> + + <Receiver + className="org.apache.catalina.cluster.tcp.ReplicationListener" + tcpListenAddress="auto" + tcpListenPort="4001" + tcpSelectorTimeout="100" + tcpThreadCount="6"/> + + <Sender + className="org.apache.catalina.cluster.tcp.ReplicationTransmitter" + replicationMode="pooled" + ackTimeout="15000"/> + + <Valve className="org.apache.catalina.cluster.tcp.ReplicationValve" + filter=".*\.gif;.*\.js;.*\.jpg;.*\.png;.*\.htm;.*\.html;.*\.css;.*\.txt;"/> + + <Deployer className="org.apache.catalina.cluster.deploy.FarmWarDeployer" + tempDir="/tmp/war-temp/" + deployDir="/tmp/war-deploy/" + watchDir="/tmp/war-listen/" + watchEnabled="false"/> + </Cluster> + --> + + + + <!-- Normally, users must authenticate themselves to each web app + individually. Uncomment the following entry if you would like + a user to be authenticated the first time they encounter a + resource protected by a security constraint, and then have that + user identity maintained across *all* web applications contained + in this virtual host. --> + <!-- + <Valve className="org.apache.catalina.authenticator.SingleSignOn" /> + --> + + <!-- Access log processes all requests for this virtual host. By + default, log files are created in the "logs" directory relative to + $CATALINA_HOME. If you wish, you can specify a different + directory with the "directory" attribute. Specify either a relative + (to $CATALINA_HOME) or absolute path to the desired directory. + --> + <!-- + <Valve className="org.apache.catalina.valves.AccessLogValve" + directory="logs" prefix="localhost_access_log." suffix=".txt" + pattern="common" resolveHosts="false"/> + --> + + <!-- Access log processes all requests for this virtual host. By + default, log files are created in the "logs" directory relative to + $CATALINA_HOME. If you wish, you can specify a different + directory with the "directory" attribute. Specify either a relative + (to $CATALINA_HOME) or absolute path to the desired directory. + This access log implementation is optimized for maximum performance, + but is hardcoded to support only the "common" and "combined" patterns. + --> + <!-- + <Valve className="org.apache.catalina.valves.FastCommonAccessLogValve" + directory="logs" prefix="localhost_access_log." suffix=".txt" + pattern="common" resolveHosts="false"/> + --> + <!-- Access log processes all requests for this virtual host. By + default, log files are created in the "logs" directory relative to + $CATALINA_HOME. If you wish, you can specify a different + directory with the "directory" attribute. Specify either a relative + (to $CATALINA_HOME) or absolute path to the desired directory. + This access log implementation is optimized for maximum performance, + but is hardcoded to support only the "common" and "combined" patterns. + + This valve use NIO direct Byte Buffer to asynchornously store the + log. + --> + <!-- + <Valve className="org.apache.catalina.valves.ByteBufferAccessLogValve" + directory="logs" prefix="localhost_access_log." suffix=".txt" + pattern="common" resolveHosts="false"/> + --> + + </Host> + + </Engine> + + </Service> + +</Server> diff --git a/pki/base/kra/shared/conf/serverCert.profile b/pki/base/kra/shared/conf/serverCert.profile new file mode 100644 index 000000000..adf6ee4ad --- /dev/null +++ b/pki/base/kra/shared/conf/serverCert.profile @@ -0,0 +1,37 @@ +# +# Server Certificate +# +id=serverCert.profile +name=All Purpose SSL server cert Profile +description=This profile creates an SSL server certificate that is valid for SSL servers +list=2,4,5,6,7 +2.default.class=com.netscape.cms.profile.def.ValidityDefault +2.default.name=Validity Default +2.default.params.range=720 +2.default.params.startTime=0 +4.default.class=com.netscape.cms.profile.def.AuthorityKeyIdentifierExtDefault +4.default.name=Authority Key Identifier Default +5.default.class=com.netscape.cms.profile.def.AuthInfoAccessExtDefault +5.default.name=AIA Extension Default +5.default.params.authInfoAccessADEnable_0=true +5.default.params.authInfoAccessADLocationType_0=URIName +5.default.params.authInfoAccessADLocation_0= +5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1 +5.default.params.authInfoAccessCritical=false +5.default.params.authInfoAccessNumADs=1 +6.default.class=com.netscape.cms.profile.def.KeyUsageExtDefault +6.default.name=Key Usage Default +6.default.params.keyUsageCritical=true +6.default.params.keyUsageDigitalSignature=true +6.default.params.keyUsageNonRepudiation=true +6.default.params.keyUsageDataEncipherment=true +6.default.params.keyUsageKeyEncipherment=true +6.default.params.keyUsageKeyAgreement=false +6.default.params.keyUsageKeyCertSign=false +6.default.params.keyUsageCrlSign=false +6.default.params.keyUsageEncipherOnly=false +6.default.params.keyUsageDecipherOnly=false +7.default.class=com.netscape.cms.profile.def.ExtendedKeyUsageExtDefault +7.default.name=Extended Key Usage Extension Default +7.default.params.exKeyUsageCritical=false +7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.1 diff --git a/pki/base/kra/shared/conf/serverCertNick.conf b/pki/base/kra/shared/conf/serverCertNick.conf new file mode 100644 index 000000000..1b1f4fcad --- /dev/null +++ b/pki/base/kra/shared/conf/serverCertNick.conf @@ -0,0 +1 @@ +Server-Cert cert-[PKI_INSTANCE_ID] diff --git a/pki/base/kra/shared/conf/shm.manifest b/pki/base/kra/shared/conf/shm.manifest new file mode 100644 index 000000000..0505c085b --- /dev/null +++ b/pki/base/kra/shared/conf/shm.manifest @@ -0,0 +1,2 @@ +Main-Class: org.apache.jk.common.Shm +Class-Path: tomcat-jk2.jar commons-logging.jar tomcat-util.jar log4j.jar log4j-core.jar diff --git a/pki/base/kra/shared/conf/storageCert.profile b/pki/base/kra/shared/conf/storageCert.profile new file mode 100644 index 000000000..fe46c19c1 --- /dev/null +++ b/pki/base/kra/shared/conf/storageCert.profile @@ -0,0 +1,37 @@ +# +# DRM Storage Certificate +# +id=storageCert.profile +name=DRM Key Storage Cert profile +description=This profile creates a certificate that is good for DRM to encrypt private key materials in storage +list=2,4,5,6,7 +2.default.class=com.netscape.cms.profile.def.ValidityDefault +2.default.name=Validity Default +2.default.params.range=720 +2.default.params.startTime=0 +4.default.class=com.netscape.cms.profile.def.AuthorityKeyIdentifierExtDefault +4.default.name=Authority Key Identifier Default +5.default.class=com.netscape.cms.profile.def.AuthInfoAccessExtDefault +5.default.name=AIA Extension Default +5.default.params.authInfoAccessADEnable_0=true +5.default.params.authInfoAccessADLocationType_0=URIName +5.default.params.authInfoAccessADLocation_0= +5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1 +5.default.params.authInfoAccessCritical=false +5.default.params.authInfoAccessNumADs=1 +6.default.class=com.netscape.cms.profile.def.KeyUsageExtDefault +6.default.name=Key Usage Default +6.default.params.keyUsageCritical=true +6.default.params.keyUsageDigitalSignature=true +6.default.params.keyUsageNonRepudiation=true +6.default.params.keyUsageDataEncipherment=true +6.default.params.keyUsageKeyEncipherment=true +6.default.params.keyUsageKeyAgreement=false +6.default.params.keyUsageKeyCertSign=false +6.default.params.keyUsageCrlSign=false +6.default.params.keyUsageEncipherOnly=false +6.default.params.keyUsageDecipherOnly=false +7.default.class=com.netscape.cms.profile.def.ExtendedKeyUsageExtDefault +7.default.name=Extended Key Usage Extension Default +7.default.params.exKeyUsageCritical=false +7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2 diff --git a/pki/base/kra/shared/conf/subsystemCert.profile b/pki/base/kra/shared/conf/subsystemCert.profile new file mode 100644 index 000000000..1fc1a6f71 --- /dev/null +++ b/pki/base/kra/shared/conf/subsystemCert.profile @@ -0,0 +1,37 @@ +# +# Subsystem Certificate +# +id=subsystemCert.profile +name=subsystem cert Profile +description=This profile creates a subsystem certificate that is valid for a CS subsystem +list=2,4,5,6,7 +2.default.class=com.netscape.cms.profile.def.ValidityDefault +2.default.name=Validity Default +2.default.params.range=720 +2.default.params.startTime=0 +4.default.class=com.netscape.cms.profile.def.AuthorityKeyIdentifierExtDefault +4.default.name=Authority Key Identifier Default +5.default.class=com.netscape.cms.profile.def.AuthInfoAccessExtDefault +5.default.name=AIA Extension Default +5.default.params.authInfoAccessADEnable_0=true +5.default.params.authInfoAccessADLocationType_0=URIName +5.default.params.authInfoAccessADLocation_0= +5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1 +5.default.params.authInfoAccessCritical=false +5.default.params.authInfoAccessNumADs=1 +6.default.class=com.netscape.cms.profile.def.KeyUsageExtDefault +6.default.name=Key Usage Default +6.default.params.keyUsageCritical=true +6.default.params.keyUsageDigitalSignature=true +6.default.params.keyUsageNonRepudiation=true +6.default.params.keyUsageDataEncipherment=true +6.default.params.keyUsageKeyEncipherment=true +6.default.params.keyUsageKeyAgreement=false +6.default.params.keyUsageKeyCertSign=false +6.default.params.keyUsageCrlSign=false +6.default.params.keyUsageEncipherOnly=false +6.default.params.keyUsageDecipherOnly=false +7.default.class=com.netscape.cms.profile.def.ExtendedKeyUsageExtDefault +7.default.name=Extended Key Usage Extension Default +7.default.params.exKeyUsageCritical=false +7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2 diff --git a/pki/base/kra/shared/conf/tomcat-jk2.manifest b/pki/base/kra/shared/conf/tomcat-jk2.manifest new file mode 100644 index 000000000..acfef4a90 --- /dev/null +++ b/pki/base/kra/shared/conf/tomcat-jk2.manifest @@ -0,0 +1,7 @@ +Manifest-version: 1.0 +Extension-Name: org.apache.jk +Specification-Vendor: Apache Software Foundation +Specification-Version: 2.0 +Implementation-Vendor-Id: org.apache +Implementation-Vendor: Apache Software Foundation +Implementation-Version: 2.1 diff --git a/pki/base/kra/shared/conf/tomcat-users.xml b/pki/base/kra/shared/conf/tomcat-users.xml new file mode 100644 index 000000000..920e68240 --- /dev/null +++ b/pki/base/kra/shared/conf/tomcat-users.xml @@ -0,0 +1,13 @@ +<?xml version='1.0' encoding='utf-8'?> +<tomcat-users> + <role rolename="pkiuser"/> + <role rolename="tomcat"/> + <role rolename="role1"/> + <role rolename="manager"/> + <role rolename="admin"/> + <user username="pkiuser" password="pkiuser" roles="pkiuser"/> + <user username="tomcat" password="tomcat" roles="tomcat"/> + <user username="both" password="tomcat" roles="tomcat,role1"/> + <user username="role1" password="tomcat" roles="role1"/> + <user username="admin" password="netscape" roles="admin,manager"/> +</tomcat-users> diff --git a/pki/base/kra/shared/conf/tomcat5.conf b/pki/base/kra/shared/conf/tomcat5.conf new file mode 100644 index 000000000..f82eafd8e --- /dev/null +++ b/pki/base/kra/shared/conf/tomcat5.conf @@ -0,0 +1,73 @@ +# tomcat5 service configuration file + +# Check to insure that at least one PKI subsystem +# currently resides on this system. +if [ ! -x /usr/bin/pkiarch ] || + [ ! -x /usr/bin/pkiflavor ] || + [ ! -x /usr/bin/pkiname ]; then + echo "This machine is missing all PKI subsystems!" + exit 255 +fi + +# Check to insure that this configuration file's associated PKI +# subsystem currently resides on this system. +PKI_SUBSYSTEM_TYPE=[PKI_SUBSYSTEM_TYPE] +if [ ! -d /usr/share/`pkiflavor`/${PKI_SUBSYSTEM_TYPE} ] ; then + echo "This machine is missing the '${PKI_SUBSYSTEM_TYPE}' subsystem!" + exit 255 +fi + +# you could also override JAVA_HOME here +# Where your java installation lives +JAVA_HOME="/usr/lib/jvm/jre" + +# You can pass some parameters to java +# here if you wish to +#JAVA_OPTS="-Xminf0.1 -Xmaxf0.3" + +# Where your tomcat installation lives +# That change from previous RPM where TOMCAT_HOME +# used to be /var/tomcat. +# Now /var/tomcat will be the base for webapps only +CATALINA_HOME="/usr/share/tomcat5" +JASPER_HOME="/usr/share/tomcat5" +CATALINA_TMPDIR="/usr/share/tomcat5/temp" +JAVA_ENDORSED_DIRS="/usr/share/tomcat5/common/endorsed" + +# What user should run tomcat +TOMCAT_USER="[PKI_USER]" +TOMCAT_GROUP="[PKI_GROUP]" + +# You can change your tomcat locale here +#LANG=en_US + +# Time to wait in seconds, while starting process +STARTUP_WAIT=30 + +# Time to wait in seconds, before killing process +SHUTDOWN_WAIT=30 + + +# If you wish to further customize your tomcat environment, +# put your own definitions here +# (i.e. LD_LIBRARY_PATH for some jdbc drivers) +# Just do not forget to export them :) + +PLATFORM=`pkiarch` + +if [ $PLATFORM = "i386" ]; then + # 32-bit Linux + LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/usr/lib/dirsec:/usr/lib +elif [ $PLATFORM = "x86_64" ]; then + # 64-bit Linux + LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/usr/lib64/dirsec:/usr/lib64:/usr/lib +elif [ $PLATFORM = "sparc" ]; then + # 32-bit Solaris + LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/usr/lib/dirsec:/usr/lib +elif [ $PLATFORM = "sparcv9" ]; then + # 64-bit Solaris + JAVA_OPTS="-d64" + export JAVA_OPTS + LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/usr/lib/sparcv9/dirsec:/usr/lib/sparcv9:/usr/lib/dirsec:/usr/lib +fi +export LD_LIBRARY_PATH diff --git a/pki/base/kra/shared/conf/transportCert.profile b/pki/base/kra/shared/conf/transportCert.profile new file mode 100644 index 000000000..aba748bfe --- /dev/null +++ b/pki/base/kra/shared/conf/transportCert.profile @@ -0,0 +1,37 @@ +# +# DRM Transport Certificate +# +id=transportCert.profile +name=DRM Key Transport Cert profile +description=This profile creates a certificate that is good for transporting private key materials +list=2,4,5,6,7 +2.default.class=com.netscape.cms.profile.def.ValidityDefault +2.default.name=Validity Default +2.default.params.range=720 +2.default.params.startTime=0 +4.default.class=com.netscape.cms.profile.def.AuthorityKeyIdentifierExtDefault +4.default.name=Authority Key Identifier Default +5.default.class=com.netscape.cms.profile.def.AuthInfoAccessExtDefault +5.default.name=AIA Extension Default +5.default.params.authInfoAccessADEnable_0=true +5.default.params.authInfoAccessADLocationType_0=URIName +5.default.params.authInfoAccessADLocation_0= +5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1 +5.default.params.authInfoAccessCritical=false +5.default.params.authInfoAccessNumADs=1 +6.default.class=com.netscape.cms.profile.def.KeyUsageExtDefault +6.default.name=Key Usage Default +6.default.params.keyUsageCritical=true +6.default.params.keyUsageDigitalSignature=true +6.default.params.keyUsageNonRepudiation=true +6.default.params.keyUsageDataEncipherment=true +6.default.params.keyUsageKeyEncipherment=true +6.default.params.keyUsageKeyAgreement=false +6.default.params.keyUsageKeyCertSign=false +6.default.params.keyUsageCrlSign=false +6.default.params.keyUsageEncipherOnly=false +6.default.params.keyUsageDecipherOnly=false +7.default.class=com.netscape.cms.profile.def.ExtendedKeyUsageExtDefault +7.default.name=Extended Key Usage Extension Default +7.default.params.exKeyUsageCritical=false +7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2 diff --git a/pki/base/kra/shared/conf/uriworkermap.properties b/pki/base/kra/shared/conf/uriworkermap.properties new file mode 100644 index 000000000..c65445b10 --- /dev/null +++ b/pki/base/kra/shared/conf/uriworkermap.properties @@ -0,0 +1,13 @@ +# uriworkermap.properties - IIS +# +# This file provides sample mappings for example ajp13w +# worker defined in workermap.properties.minimal +# The general sytax for this file is: +# [URL]=[Worker name] + +/servlet-examples/*=ajp13w + +# Optionally filter out all .jpeg files inside that context +# For no mapping the url has to start with exclamation (!) + +!/servlet-examples/*.jpeg=ajp13w diff --git a/pki/base/kra/shared/conf/vlv.ldif b/pki/base/kra/shared/conf/vlv.ldif new file mode 100644 index 000000000..b619e8657 --- /dev/null +++ b/pki/base/kra/shared/conf/vlv.ldif @@ -0,0 +1,207 @@ +dn: cn=allKeys-{instanceId}, cn={database}, cn=ldbm database, cn=plugins, cn=config +objectClass: top +objectClass: vlvSearch +cn: allKeys-{instanceId} +vlvBase: ou=keyRepository,ou=kra,{rootSuffix} +vlvScope: 1 +vlvFilter: (&(&(objectClass=top)(objectClass=keyRecord))(serialno=*)) + +dn: cn=kraAll-{instanceId}, cn={database}, cn=ldbm database, cn=plugins, cn=config +objectClass: top +objectClass: vlvSearch +cn: kraAll-{instanceId} +vlvBase: ou=kra,ou=requests,{rootSuffix} +vlvScope: 1 +vlvFilter: (requeststate=*) + +dn: cn=kraArchival-{instanceId}, cn={database}, cn=ldbm database, cn=plugins, cn=config +objectClass: top +objectClass: vlvSearch +cn: kraArchival-{instanceId} +vlvBase: ou=kra,ou=requests,{rootSuffix} +vlvScope: 1 +vlvFilter: (requesttype=enrollment) + +dn: cn=kraRecovery-{instanceId}, cn={database}, cn=ldbm database, cn=plugins, cn=config +objectClass: top +objectClass: vlvSearch +cn: kraRecovery-{instanceId} +vlvBase: ou=kra,ou=requests,{rootSuffix} +vlvScope: 1 +vlvFilter: (requesttype=recovery) + +dn: cn=kraCanceled-{instanceId}, cn={database}, cn=ldbm database, cn=plugins, cn=config +objectClass: top +objectClass: vlvSearch +cn: kraCanceled-{instanceId} +vlvBase: ou=kra,ou=requests,{rootSuffix} +vlvScope: 1 +vlvFilter: (requeststate=canceled) + +dn: cn=kraCanceledEnrollment-{instanceId}, cn={database}, cn=ldbm database, cn=plugins, cn=config +objectClass: top +objectClass: vlvSearch +cn: kraCanceledEnrollment-{instanceId} +vlvBase: ou=kra,ou=requests,{rootSuffix} +vlvScope: 1 +vlvFilter: (&(requeststate=canceled)(requesttype=enrollment)) + +dn: cn=kraCanceledRecovery-{instanceId}, cn={database}, cn=ldbm database, cn=plugins, cn=config +objectClass: top +objectClass: vlvSearch +cn: kraCanceledRecovery-{instanceId} +vlvBase: ou=kra,ou=requests,{rootSuffix} +vlvScope: 1 +vlvFilter: (&(requeststate=canceled)(requesttype=recovery)) + +dn: cn=kraRejected-{instanceId}, cn={database}, cn=ldbm database, cn=plugins, cn=config +objectClass: top +objectClass: vlvSearch +cn: kraRejected-{instanceId} +vlvBase: ou=kra,ou=requests,{rootSuffix} +vlvScope: 1 +vlvFilter: (requeststate=rejected) + +dn: cn=kraRejectedEnrollment-{instanceId}, cn={database}, cn=ldbm database, cn=plugins, cn=config +objectClass: top +objectClass: vlvSearch +cn: kraRejectedEnrollment-{instanceId} +vlvBase: ou=kra,ou=requests,{rootSuffix} +vlvScope: 1 +vlvFilter: (&(requeststate=rejected)(requesttype=enrollment)) + +dn: cn=kraRejectedRecovery-{instanceId}, cn={database}, cn=ldbm database, cn=plugins, cn=config +objectClass: top +objectClass: vlvSearch +cn: kraRejectedRecovery-{instanceId} +vlvBase: ou=kra,ou=requests,{rootSuffix} +vlvScope: 1 +vlvFilter: (&(requeststate=rejected)(requesttype=recovery)) + +dn: cn=kraComplete-{instanceId}, cn={database}, cn=ldbm database, cn=plugins, cn=config +objectClass: top +objectClass: vlvSearch +cn: kraComplete-{instanceId} +vlvBase: ou=kra,ou=requests,{rootSuffix} +vlvScope: 1 +vlvFilter: (requeststate=complete) + +dn: cn=kraCompleteEnrollment-{instanceId}, cn={database}, cn=ldbm database, cn=plugins, cn=config +objectClass: top +objectClass: vlvSearch +cn: kraCompleteEnrollment-{instanceId} +vlvBase: ou=kra,ou=requests,{rootSuffix} +vlvScope: 1 +vlvFilter: (&(requeststate=complete)(requesttype=enrollment)) + +dn: cn=kraCompleteRecovery-{instanceId}, cn={database}, cn=ldbm database, cn=plugins, cn=config +objectClass: top +objectClass: vlvSearch +cn: kraCompleteRecovery-{instanceId} +vlvBase: ou=kra,ou=requests,{rootSuffix} +vlvScope: 1 +vlvFilter: (&(requeststate=complete)(requesttype=recovery)) + +dn: cn=allKeys-{instanceId}Index, cn=allKeys-{instanceId}, cn={database}, cn=ldbm database, cn=plugins, cn=config +objectClass: top +objectClass: vlvIndex +cn: allKeys-{instanceId}Index +vlvSort: serialno +vlvEnabled: 0 +vlvUses: 0 + +dn: cn=kraAll-{instanceId}Index, cn=kraAll-{instanceId}, cn={database}, cn=ldbm database, cn=plugins, cn=config +objectClass: top +objectClass: vlvIndex +cn: kraAll-{instanceId}Index +vlvSort: requestId +vlvEnabled: 0 +vlvUses: 0 + +dn: cn=kraArchival-{instanceId}Index, cn=kraArchival-{instanceId}, cn={database}, cn=ldbm database, cn=plugins, cn=config +objectClass: top +objectClass: vlvIndex +cn: kraArchival-{instanceId}Index +vlvSort: requestId +vlvEnabled: 0 +vlvUses: 0 + +dn: cn=kraRecovery-{instanceId}Index, cn=kraRecovery-{instanceId}, cn={database}, cn=ldbm database, cn=plugins, cn=config +objectClass: top +objectClass: vlvIndex +cn: kraRecovery-{instanceId}Index +vlvSort: requestId +vlvEnabled: 0 +vlvUses: 0 + +dn: cn=kraCanceled-{instanceId}Index, cn=kraCanceled-{instanceId}, cn={database}, cn=ldbm database, cn=plugins, cn=config +objectClass: top +objectClass: vlvIndex +cn: kraCanceled-{instanceId}Index +vlvSort: requestId +vlvEnabled: 0 +vlvUses: 0 + +dn: cn=kraCanceledEnrollment-{instanceId}Index, cn=kraCanceledEnrollment-{instanceId}, cn={database}, cn=ldbm database, cn=plugins, cn=config +objectClass: top +objectClass: vlvIndex +cn: kraCanceledEnrollment-{instanceId}Index +vlvSort: requestId +vlvEnabled: 0 +vlvUses: 0 + +dn: cn=kraCanceledRecovery-{instanceId}Index, cn=kraCanceledRecovery-{instanceId}, cn={database}, cn=ldbm database, cn=plugins, cn=config +objectClass: top +objectClass: vlvIndex +cn: kraCanceledRecovery-{instanceId}Index +vlvSort: requestId +vlvEnabled: 0 +vlvUses: 0 + +dn: cn=kraRejected-{instanceId}Index, cn=kraRejected-{instanceId}, cn={database}, cn=ldbm database, cn=plugins, cn=config +objectClass: top +objectClass: vlvIndex +cn: kraRejected-{instanceId}Index +vlvSort: requestId +vlvEnabled: 0 +vlvUses: 0 + +dn: cn=kraRejectedEnrollment-{instanceId}Index, cn=kraRejectedEnrollment-{instanceId}, cn={database}, cn=ldbm database, cn=plugins, cn=config +objectClass: top +objectClass: vlvIndex +cn: kraRejectedEnrollment-{instanceId}Index +vlvSort: requestId +vlvEnabled: 0 +vlvUses: 0 + +dn: cn=kraRejectedRecovery-{instanceId}Index, cn=kraRejectedRecovery-{instanceId}, cn={database}, cn=ldbm database, cn=plugins, cn=config +objectClass: top +objectClass: vlvIndex +cn: kraRejectedRecovery-{instanceId}Index +vlvSort: requestId +vlvEnabled: 0 +vlvUses: 0 + +dn: cn=kraComplete-{instanceId}Index, cn=kraComplete-{instanceId}, cn={database}, cn=ldbm database, cn=plugins, cn=config +objectClass: top +objectClass: vlvIndex +cn: kraComplete-{instanceId}Index +vlvSort: requestId +vlvEnabled: 0 +vlvUses: 0 + +dn: cn=kraCompleteEnrollment-{instanceId}Index, cn=kraCompleteEnrollment-{instanceId}, cn={database}, cn=ldbm database, cn=plugins, cn=config +objectClass: top +objectClass: vlvIndex +cn: kraCompleteEnrollment-{instanceId}Index +vlvSort: requestId +vlvEnabled: 0 +vlvUses: 0 + +dn: cn=kraCompleteRecovery-{instanceId}Index, cn=kraCompleteRecovery-{instanceId}, cn={database}, cn=ldbm database, cn=plugins, cn=config +objectClass: top +objectClass: vlvIndex +cn: kraCompleteRecovery-{instanceId}Index +vlvSort: requestId +vlvEnabled: 0 +vlvUses: 0 diff --git a/pki/base/kra/shared/conf/vlvtasks.ldif b/pki/base/kra/shared/conf/vlvtasks.ldif new file mode 100644 index 000000000..014483ac1 --- /dev/null +++ b/pki/base/kra/shared/conf/vlvtasks.ldif @@ -0,0 +1,19 @@ +dn: cn=index1160527115, cn=index, cn=tasks, cn=config +objectclass: top +objectclass: extensibleObject +cn: index1160527115 +ttl: 1 +nsInstance: {database} +nsIndexVLVAttribute: allKeys-{instanceId}Index +nsIndexVLVAttribute: kraAll-{instanceId}Index +nsIndexVLVAttribute: kraArchival-{instanceId}Index +nsIndexVLVAttribute: kraRecovery-{instanceId}Index +nsIndexVLVAttribute: kraCanceled-{instanceId}Index +nsIndexVLVAttribute: kraCanceledEnrollment-{instanceId}Index +nsIndexVLVAttribute: kraCanceledRecovery-{instanceId}Index +nsIndexVLVAttribute: kraRejected-{instanceId}Index +nsIndexVLVAttribute: kraRejectedEnrollment-{instanceId}Index +nsIndexVLVAttribute: kraRejectedRecovery-{instanceId}Index +nsIndexVLVAttribute: kraComplete-{instanceId}Index +nsIndexVLVAttribute: kraCompleteEnrollment-{instanceId}Index +nsIndexVLVAttribute: kraCompleteRecovery-{instanceId}Index diff --git a/pki/base/kra/shared/conf/web.xml b/pki/base/kra/shared/conf/web.xml new file mode 100644 index 000000000..6b14b3b3c --- /dev/null +++ b/pki/base/kra/shared/conf/web.xml @@ -0,0 +1,979 @@ +<?xml version="1.0" encoding="ISO-8859-1"?> +<web-app xmlns="http://java.sun.com/xml/ns/j2ee" + xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" + xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd" + version="2.4"> + + <!-- ======================== Introduction ============================== --> + <!-- This document defines default values for *all* web applications --> + <!-- loaded into this instance of Tomcat. As each application is --> + <!-- deployed, this file is processed, followed by the --> + <!-- "/WEB-INF/web.xml" deployment descriptor from your own --> + <!-- applications. --> + <!-- --> + <!-- WARNING: Do not configure application-specific resources here! --> + <!-- They should go in the "/WEB-INF/web.xml" file in your application. --> + + + <!-- ================== Built In Servlet Definitions ==================== --> + + + <!-- The default servlet for all web applications, that serves static --> + <!-- resources. It processes all requests that are not mapped to other --> + <!-- servlets with servlet mappings (defined either here or in your own --> + <!-- web.xml file. This servlet supports the following initialization --> + <!-- parameters (default values are in square brackets): --> + <!-- --> + <!-- debug Debugging detail level for messages logged --> + <!-- by this servlet. [0] --> + <!-- --> + <!-- fileEncoding Encoding to be used to read static resources --> + <!-- [platform default] --> + <!-- --> + <!-- input Input buffer size (in bytes) when reading --> + <!-- resources to be served. [2048] --> + <!-- --> + <!-- listings Should directory listings be produced if there --> + <!-- is no welcome file in this directory? [true] --> + <!-- --> + <!-- output Output buffer size (in bytes) when writing --> + <!-- resources to be served. [2048] --> + <!-- --> + <!-- readonly Is this context "read only", so HTTP --> + <!-- commands like PUT and DELETE are --> + <!-- rejected? [true] --> + <!-- --> + <!-- readmeFile File name to display with the directory --> + <!-- contents. [null] --> + <!-- --> + <!-- For directory listing customization. Checks localXsltFile, then --> + <!-- globalXsltFile, then defaults to original behavior. --> + <!-- --> + <!-- localXsltFile Make directory listings an XML doc and --> + <!-- pass the result to this style sheet residing --> + <!-- in that directory. This overrides --> + <!-- globalXsltFile[null] --> + <!-- --> + <!-- globalXsltFile Site wide configuration version of --> + <!-- localXsltFile This argument is expected --> + <!-- to be a physical file. [null] --> + <!-- --> + <!-- --> + + <servlet> + <servlet-name>default</servlet-name> + <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class> + <init-param> + <param-name>debug</param-name> + <param-value>0</param-value> + </init-param> + <init-param> + <param-name>listings</param-name> + <param-value>true</param-value> + </init-param> + <load-on-startup>1</load-on-startup> + </servlet> + + + <!-- The "invoker" servlet, which executes anonymous servlet classes --> + <!-- that have not been defined in a web.xml file. Traditionally, this --> + <!-- servlet is mapped to the URL pattern "/servlet/*", but you can map --> + <!-- it to other patterns as well. The extra path info portion of such a --> + <!-- request must be the fully qualified class name of a Java class that --> + <!-- implements Servlet (or extends HttpServlet), or the servlet name --> + <!-- of an existing servlet definition. This servlet supports the --> + <!-- following initialization parameters (default values are in square --> + <!-- brackets): --> + <!-- --> + <!-- debug Debugging detail level for messages logged --> + <!-- by this servlet. [0] --> + +<!-- + <servlet> + <servlet-name>invoker</servlet-name> + <servlet-class> + org.apache.catalina.servlets.InvokerServlet + </servlet-class> + <init-param> + <param-name>debug</param-name> + <param-value>0</param-value> + </init-param> + <load-on-startup>2</load-on-startup> + </servlet> +--> + + + <!-- The JSP page compiler and execution servlet, which is the mechanism --> + <!-- used by Tomcat to support JSP pages. Traditionally, this servlet --> + <!-- is mapped to the URL pattern "*.jsp". This servlet supports the --> + <!-- following initialization parameters (default values are in square --> + <!-- brackets): --> + <!-- --> + <!-- checkInterval If development is false and checkInterval is --> + <!-- greater than zero, background compilations are --> + <!-- enabled. checkInterval is the time in seconds --> + <!-- between checks to see if a JSP page needs to --> + <!-- be recompiled. [0] --> + <!-- --> + <!-- modificationTestInterval --> + <!-- Causes a JSP (and its dependent files) to not --> + <!-- be checked for modification during the --> + <!-- specified time interval (in seconds) from the --> + <!-- last time the JSP was checked for --> + <!-- modification. A value of 0 will cause the JSP --> + <!-- to be checked on every access. --> + <!-- Used in development mode only. [4] --> + <!-- --> + <!-- compiler Which compiler Ant should use to compile JSP --> + <!-- pages. See the Ant documentation for more --> + <!-- information. [javac] --> + <!-- --> + <!-- classdebuginfo Should the class file be compiled with --> + <!-- debugging information? [true] --> + <!-- --> + <!-- classpath What class path should I use while compiling --> + <!-- generated servlets? [Created dynamically --> + <!-- based on the current web application] --> + <!-- --> + <!-- development Is Jasper used in development mode? If true, --> + <!-- the frequency at which JSPs are checked for --> + <!-- modification may be specified via the --> + <!-- modificationTestInterval parameter. [true] --> + <!-- --> + <!-- enablePooling Determines whether tag handler pooling is --> + <!-- enabled [true] --> + <!-- --> + <!-- fork Tell Ant to fork compiles of JSP pages so that --> + <!-- a separate JVM is used for JSP page compiles --> + <!-- from the one Tomcat is running in. [true] --> + <!-- --> + <!-- ieClassId The class-id value to be sent to Internet --> + <!-- Explorer when using <jsp:plugin> tags. --> + <!-- [clsid:8AD9C840-044E-11D1-B3E9-00805F499D93] --> + <!-- --> + <!-- javaEncoding Java file encoding to use for generating java --> + <!-- source files. [UTF8] --> + <!-- --> + <!-- keepgenerated Should we keep the generated Java source code --> + <!-- for each page instead of deleting it? [true] --> + <!-- --> + <!-- mappedfile Should we generate static content with one --> + <!-- print statement per input line, to ease --> + <!-- debugging? [true] --> + <!-- --> + <!-- trimSpaces Should white spaces in template text between --> + <!-- actions or directives be trimmed? [false] --> + <!-- --> + <!-- suppressSmap Should the generation of SMAP info for JSR45 --> + <!-- debugging be suppressed? [false] --> + <!-- --> + <!-- dumpSmap Should the SMAP info for JSR45 debugging be --> + <!-- dumped to a file? [false] --> + <!-- False if suppressSmap is true --> + <!-- --> + <!-- genStrAsCharArray Should text strings be generated as char --> + <!-- arrays, to improve performance in some cases? --> + <!-- [false] --> + <!-- --> + <!-- errorOnUseBeanInvalidClassAttribute --> + <!-- Should Jasper issue an error when the value of --> + <!-- the class attribute in an useBean action is --> + <!-- not a valid bean class? [true] --> + <!-- --> + <!-- scratchdir What scratch directory should we use when --> + <!-- compiling JSP pages? [default work directory --> + <!-- for the current web application] --> + <!-- --> + <!-- xpoweredBy Determines whether X-Powered-By response --> + <!-- header is added by generated servlet [false] --> + <!-- --> + <!-- If you wish to use Jikes to compile JSP pages: --> + <!-- Please see the "Using Jikes" section of the Jasper-HowTo --> + <!-- page in the Tomcat documentation. --> + + <servlet> + <servlet-name>jsp</servlet-name> + <servlet-class>org.apache.jasper.servlet.JspServlet</servlet-class> + <init-param> + <param-name>fork</param-name> + <param-value>false</param-value> + </init-param> + <init-param> + <param-name>xpoweredBy</param-name> + <param-value>false</param-value> + </init-param> + <load-on-startup>3</load-on-startup> + </servlet> + + + <!-- Server Side Includes processing servlet, which processes SSI --> + <!-- directives in HTML pages consistent with similar support in web --> + <!-- servers like Apache. Traditionally, this servlet is mapped to the --> + <!-- URL pattern "*.shtml". This servlet supports the following --> + <!-- initialization parameters (default values are in square brackets): --> + <!-- --> + <!-- buffered Should output from this servlet be buffered? --> + <!-- (0=false, 1=true) [0] --> + <!-- --> + <!-- debug Debugging detail level for messages logged --> + <!-- by this servlet. [0] --> + <!-- --> + <!-- expires The number of seconds before a page with SSI --> + <!-- directives will expire. [No default] --> + <!-- --> + <!-- isVirtualWebappRelative --> + <!-- Should "virtual" paths be interpreted as --> + <!-- relative to the context root, instead of --> + <!-- the server root? (0=false, 1=true) [0] --> + <!-- --> + <!-- --> + <!-- IMPORTANT: To use the SSI servlet, you also need to rename the --> + <!-- $CATALINA_HOME/server/lib/servlets-ssi.renametojar file --> + <!-- to $CATALINA_HOME/server/lib/servlets-ssi.jar --> + +<!-- + <servlet> + <servlet-name>ssi</servlet-name> + <servlet-class> + org.apache.catalina.ssi.SSIServlet + </servlet-class> + <init-param> + <param-name>buffered</param-name> + <param-value>1</param-value> + </init-param> + <init-param> + <param-name>debug</param-name> + <param-value>0</param-value> + </init-param> + <init-param> + <param-name>expires</param-name> + <param-value>666</param-value> + </init-param> + <init-param> + <param-name>isVirtualWebappRelative</param-name> + <param-value>0</param-value> + </init-param> + <load-on-startup>4</load-on-startup> + </servlet> +--> + + + <!-- Common Gateway Includes (CGI) processing servlet, which supports --> + <!-- execution of external applications that conform to the CGI spec --> + <!-- requirements. Typically, this servlet is mapped to the URL pattern --> + <!-- "/cgi-bin/*", which means that any CGI applications that are --> + <!-- executed must be present within the web application. This servlet --> + <!-- supports the following initialization parameters (default values --> + <!-- are in square brackets): --> + <!-- --> + <!-- cgiPathPrefix The CGI search path will start at --> + <!-- webAppRootDir + File.separator + this prefix. --> + <!-- [WEB-INF/cgi] --> + <!-- --> + <!-- debug Debugging detail level for messages logged --> + <!-- by this servlet. [0] --> + <!-- --> + <!-- executable Name of the exectuable used to run the --> + <!-- script. [perl] --> + <!-- --> + <!-- parameterEncoding Name of parameter encoding to be used with --> + <!-- CGI servlet. --> + <!-- [System.getProperty("file.encoding","UTF-8")] --> + <!-- --> + <!-- passShellEnvironment Should the shell environment variables (if --> + <!-- any) be passed to the CGI script? [false] --> + <!-- --> + <!-- IMPORTANT: To use the CGI servlet, you also need to rename the --> + <!-- $CATALINA_HOME/server/lib/servlets-cgi.renametojar file --> + <!-- to $CATALINA_HOME/server/lib/servlets-cgi.jar --> + +<!-- + <servlet> + <servlet-name>cgi</servlet-name> + <servlet-class>org.apache.catalina.servlets.CGIServlet</servlet-class> + <init-param> + <param-name>debug</param-name> + <param-value>6</param-value> + </init-param> + <init-param> + <param-name>cgiPathPrefix</param-name> + <param-value>WEB-INF/cgi</param-value> + </init-param> + <load-on-startup>5</load-on-startup> + </servlet> +--> + + + <!-- ================ Built In Servlet Mappings ========================= --> + + + <!-- The servlet mappings for the built in servlets defined above. Note --> + <!-- that, by default, the CGI and SSI servlets are *not* mapped. You --> + <!-- must uncomment these mappings (or add them to your application's own --> + <!-- web.xml deployment descriptor) to enable these services --> + + <!-- The mapping for the default servlet --> + <servlet-mapping> + <servlet-name>default</servlet-name> + <url-pattern>/</url-pattern> + </servlet-mapping> + + <!-- The mapping for the invoker servlet --> +<!-- + <servlet-mapping> + <servlet-name>invoker</servlet-name> + <url-pattern>/servlet/*</url-pattern> + </servlet-mapping> +--> + + <!-- The mapping for the JSP servlet --> + <servlet-mapping> + <servlet-name>jsp</servlet-name> + <url-pattern>*.jsp</url-pattern> + </servlet-mapping> + + <servlet-mapping> + <servlet-name>jsp</servlet-name> + <url-pattern>*.jspx</url-pattern> + </servlet-mapping> + + <!-- The mapping for the SSI servlet --> +<!-- + <servlet-mapping> + <servlet-name>ssi</servlet-name> + <url-pattern>*.shtml</url-pattern> + </servlet-mapping> +--> + + <!-- The mapping for the CGI Gateway servlet --> + +<!-- + <servlet-mapping> + <servlet-name>cgi</servlet-name> + <url-pattern>/cgi-bin/*</url-pattern> + </servlet-mapping> +--> + + + <!-- ==================== Default Session Configuration ================= --> + <!-- You can set the default session timeout (in minutes) for all newly --> + <!-- created sessions by modifying the value below. --> + + <session-config> + <session-timeout>30</session-timeout> + </session-config> + + + <!-- ===================== Default MIME Type Mappings =================== --> + <!-- When serving static resources, Tomcat will automatically generate --> + <!-- a "Content-Type" header based on the resource's filename extension, --> + <!-- based on these mappings. Additional mappings can be added here (to --> + <!-- apply to all web applications), or in your own application's web.xml --> + <!-- deployment descriptor. --> + + <mime-mapping> + <extension>abs</extension> + <mime-type>audio/x-mpeg</mime-type> + </mime-mapping> + <mime-mapping> + <extension>ai</extension> + <mime-type>application/postscript</mime-type> + </mime-mapping> + <mime-mapping> + <extension>aif</extension> + <mime-type>audio/x-aiff</mime-type> + </mime-mapping> + <mime-mapping> + <extension>aifc</extension> + <mime-type>audio/x-aiff</mime-type> + </mime-mapping> + <mime-mapping> + <extension>aiff</extension> + <mime-type>audio/x-aiff</mime-type> + </mime-mapping> + <mime-mapping> + <extension>aim</extension> + <mime-type>application/x-aim</mime-type> + </mime-mapping> + <mime-mapping> + <extension>art</extension> + <mime-type>image/x-jg</mime-type> + </mime-mapping> + <mime-mapping> + <extension>asf</extension> + <mime-type>video/x-ms-asf</mime-type> + </mime-mapping> + <mime-mapping> + <extension>asx</extension> + <mime-type>video/x-ms-asf</mime-type> + </mime-mapping> + <mime-mapping> + <extension>au</extension> + <mime-type>audio/basic</mime-type> + </mime-mapping> + <mime-mapping> + <extension>avi</extension> + <mime-type>video/x-msvideo</mime-type> + </mime-mapping> + <mime-mapping> + <extension>avx</extension> + <mime-type>video/x-rad-screenplay</mime-type> + </mime-mapping> + <mime-mapping> + <extension>bcpio</extension> + <mime-type>application/x-bcpio</mime-type> + </mime-mapping> + <mime-mapping> + <extension>bin</extension> + <mime-type>application/octet-stream</mime-type> + </mime-mapping> + <mime-mapping> + <extension>bmp</extension> + <mime-type>image/bmp</mime-type> + </mime-mapping> + <mime-mapping> + <extension>body</extension> + <mime-type>text/html</mime-type> + </mime-mapping> + <mime-mapping> + <extension>cdf</extension> + <mime-type>application/x-cdf</mime-type> + </mime-mapping> + <mime-mapping> + <extension>cer</extension> + <mime-type>application/x-x509-ca-cert</mime-type> + </mime-mapping> + <mime-mapping> + <extension>class</extension> + <mime-type>application/java</mime-type> + </mime-mapping> + <mime-mapping> + <extension>cpio</extension> + <mime-type>application/x-cpio</mime-type> + </mime-mapping> + <mime-mapping> + <extension>csh</extension> + <mime-type>application/x-csh</mime-type> + </mime-mapping> + <mime-mapping> + <extension>css</extension> + <mime-type>text/css</mime-type> + </mime-mapping> + <mime-mapping> + <extension>dib</extension> + <mime-type>image/bmp</mime-type> + </mime-mapping> + <mime-mapping> + <extension>doc</extension> + <mime-type>application/msword</mime-type> + </mime-mapping> + <mime-mapping> + <extension>dtd</extension> + <mime-type>application/xml-dtd</mime-type> + </mime-mapping> + <mime-mapping> + <extension>dv</extension> + <mime-type>video/x-dv</mime-type> + </mime-mapping> + <mime-mapping> + <extension>dvi</extension> + <mime-type>application/x-dvi</mime-type> + </mime-mapping> + <mime-mapping> + <extension>eps</extension> + <mime-type>application/postscript</mime-type> + </mime-mapping> + <mime-mapping> + <extension>etx</extension> + <mime-type>text/x-setext</mime-type> + </mime-mapping> + <mime-mapping> + <extension>exe</extension> + <mime-type>application/octet-stream</mime-type> + </mime-mapping> + <mime-mapping> + <extension>gif</extension> + <mime-type>image/gif</mime-type> + </mime-mapping> + <mime-mapping> + <extension>gtar</extension> + <mime-type>application/x-gtar</mime-type> + </mime-mapping> + <mime-mapping> + <extension>gz</extension> + <mime-type>application/x-gzip</mime-type> + </mime-mapping> + <mime-mapping> + <extension>hdf</extension> + <mime-type>application/x-hdf</mime-type> + </mime-mapping> + <mime-mapping> + <extension>hqx</extension> + <mime-type>application/mac-binhex40</mime-type> + </mime-mapping> + <mime-mapping> + <extension>htc</extension> + <mime-type>text/x-component</mime-type> + </mime-mapping> + <mime-mapping> + <extension>htm</extension> + <mime-type>text/html</mime-type> + </mime-mapping> + <mime-mapping> + <extension>html</extension> + <mime-type>text/html</mime-type> + </mime-mapping> + <mime-mapping> + <extension>hqx</extension> + <mime-type>application/mac-binhex40</mime-type> + </mime-mapping> + <mime-mapping> + <extension>ief</extension> + <mime-type>image/ief</mime-type> + </mime-mapping> + <mime-mapping> + <extension>jad</extension> + <mime-type>text/vnd.sun.j2me.app-descriptor</mime-type> + </mime-mapping> + <mime-mapping> + <extension>jar</extension> + <mime-type>application/java-archive</mime-type> + </mime-mapping> + <mime-mapping> + <extension>java</extension> + <mime-type>text/plain</mime-type> + </mime-mapping> + <mime-mapping> + <extension>jnlp</extension> + <mime-type>application/x-java-jnlp-file</mime-type> + </mime-mapping> + <mime-mapping> + <extension>jpe</extension> + <mime-type>image/jpeg</mime-type> + </mime-mapping> + <mime-mapping> + <extension>jpeg</extension> + <mime-type>image/jpeg</mime-type> + </mime-mapping> + <mime-mapping> + <extension>jpg</extension> + <mime-type>image/jpeg</mime-type> + </mime-mapping> + <mime-mapping> + <extension>js</extension> + <mime-type>text/javascript</mime-type> + </mime-mapping> + <mime-mapping> + <extension>jsf</extension> + <mime-type>text/plain</mime-type> + </mime-mapping> + <mime-mapping> + <extension>jspf</extension> + <mime-type>text/plain</mime-type> + </mime-mapping> + <mime-mapping> + <extension>kar</extension> + <mime-type>audio/x-midi</mime-type> + </mime-mapping> + <mime-mapping> + <extension>latex</extension> + <mime-type>application/x-latex</mime-type> + </mime-mapping> + <mime-mapping> + <extension>m3u</extension> + <mime-type>audio/x-mpegurl</mime-type> + </mime-mapping> + <mime-mapping> + <extension>mac</extension> + <mime-type>image/x-macpaint</mime-type> + </mime-mapping> + <mime-mapping> + <extension>man</extension> + <mime-type>application/x-troff-man</mime-type> + </mime-mapping> + <mime-mapping> + <extension>mathml</extension> + <mime-type>application/mathml+xml</mime-type> + </mime-mapping> + <mime-mapping> + <extension>me</extension> + <mime-type>application/x-troff-me</mime-type> + </mime-mapping> + <mime-mapping> + <extension>mid</extension> + <mime-type>audio/x-midi</mime-type> + </mime-mapping> + <mime-mapping> + <extension>midi</extension> + <mime-type>audio/x-midi</mime-type> + </mime-mapping> + <mime-mapping> + <extension>mif</extension> + <mime-type>application/x-mif</mime-type> + </mime-mapping> + <mime-mapping> + <extension>mov</extension> + <mime-type>video/quicktime</mime-type> + </mime-mapping> + <mime-mapping> + <extension>movie</extension> + <mime-type>video/x-sgi-movie</mime-type> + </mime-mapping> + <mime-mapping> + <extension>mp1</extension> + <mime-type>audio/x-mpeg</mime-type> + </mime-mapping> + <mime-mapping> + <extension>mp2</extension> + <mime-type>audio/x-mpeg</mime-type> + </mime-mapping> + <mime-mapping> + <extension>mp3</extension> + <mime-type>audio/x-mpeg</mime-type> + </mime-mapping> + <mime-mapping> + <extension>mpa</extension> + <mime-type>audio/x-mpeg</mime-type> + </mime-mapping> + <mime-mapping> + <extension>mpe</extension> + <mime-type>video/mpeg</mime-type> + </mime-mapping> + <mime-mapping> + <extension>mpeg</extension> + <mime-type>video/mpeg</mime-type> + </mime-mapping> + <mime-mapping> + <extension>mpega</extension> + <mime-type>audio/x-mpeg</mime-type> + </mime-mapping> + <mime-mapping> + <extension>mpg</extension> + <mime-type>video/mpeg</mime-type> + </mime-mapping> + <mime-mapping> + <extension>mpv2</extension> + <mime-type>video/mpeg2</mime-type> + </mime-mapping> + <mime-mapping> + <extension>ms</extension> + <mime-type>application/x-wais-source</mime-type> + </mime-mapping> + <mime-mapping> + <extension>nc</extension> + <mime-type>application/x-netcdf</mime-type> + </mime-mapping> + <mime-mapping> + <extension>oda</extension> + <mime-type>application/oda</mime-type> + </mime-mapping> + <mime-mapping> + <extension>ogg</extension> + <mime-type>application/ogg</mime-type> + </mime-mapping> + <mime-mapping> + <extension>pbm</extension> + <mime-type>image/x-portable-bitmap</mime-type> + </mime-mapping> + <mime-mapping> + <extension>pct</extension> + <mime-type>image/pict</mime-type> + </mime-mapping> + <mime-mapping> + <extension>pdf</extension> + <mime-type>application/pdf</mime-type> + </mime-mapping> + <mime-mapping> + <extension>pgm</extension> + <mime-type>image/x-portable-graymap</mime-type> + </mime-mapping> + <mime-mapping> + <extension>pic</extension> + <mime-type>image/pict</mime-type> + </mime-mapping> + <mime-mapping> + <extension>pict</extension> + <mime-type>image/pict</mime-type> + </mime-mapping> + <mime-mapping> + <extension>pls</extension> + <mime-type>audio/x-scpls</mime-type> + </mime-mapping> + <mime-mapping> + <extension>png</extension> + <mime-type>image/png</mime-type> + </mime-mapping> + <mime-mapping> + <extension>pnm</extension> + <mime-type>image/x-portable-anymap</mime-type> + </mime-mapping> + <mime-mapping> + <extension>pnt</extension> + <mime-type>image/x-macpaint</mime-type> + </mime-mapping> + <mime-mapping> + <extension>ppm</extension> + <mime-type>image/x-portable-pixmap</mime-type> + </mime-mapping> + <mime-mapping> + <extension>ppt</extension> + <mime-type>application/powerpoint</mime-type> + </mime-mapping> + <mime-mapping> + <extension>ps</extension> + <mime-type>application/postscript</mime-type> + </mime-mapping> + <mime-mapping> + <extension>psd</extension> + <mime-type>image/x-photoshop</mime-type> + </mime-mapping> + <mime-mapping> + <extension>qt</extension> + <mime-type>video/quicktime</mime-type> + </mime-mapping> + <mime-mapping> + <extension>qti</extension> + <mime-type>image/x-quicktime</mime-type> + </mime-mapping> + <mime-mapping> + <extension>qtif</extension> + <mime-type>image/x-quicktime</mime-type> + </mime-mapping> + <mime-mapping> + <extension>ras</extension> + <mime-type>image/x-cmu-raster</mime-type> + </mime-mapping> + <mime-mapping> + <extension>rdf</extension> + <mime-type>application/rdf+xml</mime-type> + </mime-mapping> + <mime-mapping> + <extension>rgb</extension> + <mime-type>image/x-rgb</mime-type> + </mime-mapping> + <mime-mapping> + <extension>rm</extension> + <mime-type>application/vnd.rn-realmedia</mime-type> + </mime-mapping> + <mime-mapping> + <extension>roff</extension> + <mime-type>application/x-troff</mime-type> + </mime-mapping> + <mime-mapping> + <extension>rtf</extension> + <mime-type>application/rtf</mime-type> + </mime-mapping> + <mime-mapping> + <extension>rtx</extension> + <mime-type>text/richtext</mime-type> + </mime-mapping> + <mime-mapping> + <extension>sh</extension> + <mime-type>application/x-sh</mime-type> + </mime-mapping> + <mime-mapping> + <extension>shar</extension> + <mime-type>application/x-shar</mime-type> + </mime-mapping> + <mime-mapping> + <extension>smf</extension> + <mime-type>audio/x-midi</mime-type> + </mime-mapping> + <mime-mapping> + <extension>sit</extension> + <mime-type>application/x-stuffit</mime-type> + </mime-mapping> + <mime-mapping> + <extension>snd</extension> + <mime-type>audio/basic</mime-type> + </mime-mapping> + <mime-mapping> + <extension>src</extension> + <mime-type>application/x-wais-source</mime-type> + </mime-mapping> + <mime-mapping> + <extension>sv4cpio</extension> + <mime-type>application/x-sv4cpio</mime-type> + </mime-mapping> + <mime-mapping> + <extension>sv4crc</extension> + <mime-type>application/x-sv4crc</mime-type> + </mime-mapping> + <mime-mapping> + <extension>svg</extension> + <mime-type>image/svg+xml</mime-type> + </mime-mapping> + <mime-mapping> + <extension>swf</extension> + <mime-type>application/x-shockwave-flash</mime-type> + </mime-mapping> + <mime-mapping> + <extension>t</extension> + <mime-type>application/x-troff</mime-type> + </mime-mapping> + <mime-mapping> + <extension>tar</extension> + <mime-type>application/x-tar</mime-type> + </mime-mapping> + <mime-mapping> + <extension>tcl</extension> + <mime-type>application/x-tcl</mime-type> + </mime-mapping> + <mime-mapping> + <extension>tex</extension> + <mime-type>application/x-tex</mime-type> + </mime-mapping> + <mime-mapping> + <extension>texi</extension> + <mime-type>application/x-texinfo</mime-type> + </mime-mapping> + <mime-mapping> + <extension>texinfo</extension> + <mime-type>application/x-texinfo</mime-type> + </mime-mapping> + <mime-mapping> + <extension>tif</extension> + <mime-type>image/tiff</mime-type> + </mime-mapping> + <mime-mapping> + <extension>tiff</extension> + <mime-type>image/tiff</mime-type> + </mime-mapping> + <mime-mapping> + <extension>tr</extension> + <mime-type>application/x-troff</mime-type> + </mime-mapping> + <mime-mapping> + <extension>tsv</extension> + <mime-type>text/tab-separated-values</mime-type> + </mime-mapping> + <mime-mapping> + <extension>txt</extension> + <mime-type>text/plain</mime-type> + </mime-mapping> + <mime-mapping> + <extension>ulw</extension> + <mime-type>audio/basic</mime-type> + </mime-mapping> + <mime-mapping> + <extension>ustar</extension> + <mime-type>application/x-ustar</mime-type> + </mime-mapping> + <mime-mapping> + <extension>vxml</extension> + <mime-type>application/voicexml+xml</mime-type> + </mime-mapping> + <mime-mapping> + <extension>xbm</extension> + <mime-type>image/x-xbitmap</mime-type> + </mime-mapping> + <mime-mapping> + <extension>xht</extension> + <mime-type>application/xhtml+xml</mime-type> + </mime-mapping> + <mime-mapping> + <extension>xhtml</extension> + <mime-type>application/xhtml+xml</mime-type> + </mime-mapping> + <mime-mapping> + <extension>xml</extension> + <mime-type>application/xml</mime-type> + </mime-mapping> + <mime-mapping> + <extension>xpm</extension> + <mime-type>image/x-xpixmap</mime-type> + </mime-mapping> + <mime-mapping> + <extension>xsl</extension> + <mime-type>application/xml</mime-type> + </mime-mapping> + <mime-mapping> + <extension>xslt</extension> + <mime-type>application/xslt+xml</mime-type> + </mime-mapping> + <mime-mapping> + <extension>xul</extension> + <mime-type>application/vnd.mozilla.xul+xml</mime-type> + </mime-mapping> + <mime-mapping> + <extension>xwd</extension> + <mime-type>image/x-xwindowdump</mime-type> + </mime-mapping> + <mime-mapping> + <extension>wav</extension> + <mime-type>audio/x-wav</mime-type> + </mime-mapping> + <mime-mapping> + <extension>svg</extension> + <mime-type>image/svg</mime-type> + </mime-mapping> + <mime-mapping> + <extension>svgz</extension> + <mime-type>image/svg</mime-type> + </mime-mapping> + <mime-mapping> + <extension>vsd</extension> + <mime-type>application/x-visio</mime-type> + </mime-mapping> + <mime-mapping> + <!-- Wireless Bitmap --> + <extension>wbmp</extension> + <mime-type>image/vnd.wap.wbmp</mime-type> + </mime-mapping> + <mime-mapping> + <!-- WML Source --> + <extension>wml</extension> + <mime-type>text/vnd.wap.wml</mime-type> + </mime-mapping> + <mime-mapping> + <!-- Compiled WML --> + <extension>wmlc</extension> + <mime-type>application/vnd.wap.wmlc</mime-type> + </mime-mapping> + <mime-mapping> + <!-- WML Script Source --> + <extension>wmls</extension> + <mime-type>text/vnd.wap.wmlscript</mime-type> + </mime-mapping> + <mime-mapping> + <!-- Compiled WML Script --> + <extension>wmlscriptc</extension> + <mime-type>application/vnd.wap.wmlscriptc</mime-type> + </mime-mapping> + <mime-mapping> + <extension>wrl</extension> + <mime-type>x-world/x-vrml</mime-type> + </mime-mapping> + <mime-mapping> + <extension>Z</extension> + <mime-type>application/x-compress</mime-type> + </mime-mapping> + <mime-mapping> + <extension>z</extension> + <mime-type>application/x-compress</mime-type> + </mime-mapping> + <mime-mapping> + <extension>zip</extension> + <mime-type>application/zip</mime-type> + </mime-mapping> + + + <!-- ==================== Default Welcome File List ===================== --> + <!-- When a request URI refers to a directory, the default servlet looks --> + <!-- for a "welcome file" within that directory and, if present, --> + <!-- to the corresponding resource URI for display. If no welcome file --> + <!-- is present, the default servlet either serves a directory listing, --> + <!-- or returns a 404 status, depending on how it is configured. --> + <!-- --> + <!-- If you define welcome files in your own application's web.xml --> + <!-- deployment descriptor, that list *replaces* the list configured --> + <!-- here, so be sure that you include any of the default values that --> + <!-- you wish to include. --> + + <welcome-file-list> + <welcome-file>index.html</welcome-file> + <welcome-file>index.htm</welcome-file> + <welcome-file>index.jsp</welcome-file> + </welcome-file-list> + +</web-app> diff --git a/pki/base/kra/shared/conf/workers.properties b/pki/base/kra/shared/conf/workers.properties new file mode 100644 index 000000000..50d88557f --- /dev/null +++ b/pki/base/kra/shared/conf/workers.properties @@ -0,0 +1,206 @@ +# workers.properties - +# +# This file provides jk derived plugins with the needed information to +# connect to the different tomcat workers. Note that the distributed +# version of this file requires modification before it is usable by a +# plugin. +# +# As a general note, the characters $( and ) are used internally to define +# macros. Do not use them in your own configuration!!! +# +# Whenever you see a set of lines such as: +# x=value +# y=$(x)\something +# +# the final value for y will be value\something +# +# Normaly all you will need to do is un-comment and modify the first three +# properties, i.e. workers.tomcat_home, workers.java_home and ps. +# Most of the configuration is derived from these. +# +# When you are done updating workers.tomcat_home, workers.java_home and ps +# you should have 3 workers configured: +# +# - An ajp12 worker that connects to localhost:8007 +# - An ajp13 worker that connects to localhost:8009 +# - A jni inprocess worker. +# - A load balancer worker +# +# However by default the plugins will only use the ajp12 worker. To have +# the plugins use other workers you should modify the worker.list property. +# +# + +# OPTIONS ( very important for jni mode ) + +# +# workers.tomcat_home should point to the location where you +# installed tomcat. This is where you have your conf, webapps and lib +# directories. +# +workers.tomcat_home=/var/tomcat3 + +# +# workers.java_home should point to your Java installation. Normally +# you should have a bin and lib directories beneath it. +# +workers.java_home=/opt/IBMJava2-13 + +# +# You should configure your environment slash... ps=\ on NT and / on UNIX +# and maybe something different elsewhere. +# +ps=/ + +# +#------ ADVANCED MODE ------------------------------------------------ +#--------------------------------------------------------------------- +# + +# +#------ DEFAULT worket list ------------------------------------------ +#--------------------------------------------------------------------- +# +# +# The workers that your plugins should create and work with +# +# Add 'inprocess' if you want JNI connector +worker.list=ajp12, ajp13 +# , inprocess + + +# +#------ DEFAULT ajp12 WORKER DEFINITION ------------------------------ +#--------------------------------------------------------------------- +# + +# +# Defining a worker named ajp12 and of type ajp12 +# Note that the name and the type do not have to match. +# +worker.ajp12.port=8007 +worker.ajp12.host=localhost +worker.ajp12.type=ajp12 +# +# Specifies the load balance factor when used with +# a load balancing worker. +# Note: +# ----> lbfactor must be > 0 +# ----> Low lbfactor means less work done by the worker. +worker.ajp12.lbfactor=1 + +# +#------ DEFAULT ajp13 WORKER DEFINITION ------------------------------ +#--------------------------------------------------------------------- +# + +# +# Defining a worker named ajp13 and of type ajp13 +# Note that the name and the type do not have to match. +# +worker.ajp13.port=8009 +worker.ajp13.host=localhost +worker.ajp13.type=ajp13 +# +# Specifies the load balance factor when used with +# a load balancing worker. +# Note: +# ----> lbfactor must be > 0 +# ----> Low lbfactor means less work done by the worker. +worker.ajp13.lbfactor=1 + +# +# Specify the size of the open connection cache. +#worker.ajp13.cachesize + +# +#------ DEFAULT LOAD BALANCER WORKER DEFINITION ---------------------- +#--------------------------------------------------------------------- +# + +# +# The loadbalancer (type lb) workers perform wighted round-robin +# load balancing with sticky sessions. +# Note: +# ----> If a worker dies, the load balancer will check its state +# once in a while. Until then all work is redirected to peer +# workers. +worker.loadbalancer.type=lb +worker.loadbalancer.balanced_workers=ajp12, ajp13 + + +# +#------ DEFAULT JNI WORKER DEFINITION--------------------------------- +#--------------------------------------------------------------------- +# + +# +# Defining a worker named inprocess and of type jni +# Note that the name and the type do not have to match. +# +worker.inprocess.type=jni + +# +#------ CLASSPATH DEFINITION ----------------------------------------- +#--------------------------------------------------------------------- +# + +# +# Additional class path components. +# +worker.inprocess.class_path=$(workers.tomcat_home)$(ps)lib$(ps)tomcat.jar + +# +# Setting the command line for tomcat. +# Note: The cmd_line string may not contain spaces. +# +worker.inprocess.cmd_line=start + +# Not needed, but can be customized. +#worker.inprocess.cmd_line=-config +#worker.inprocess.cmd_line=$(workers.tomcat_home)$(ps)conf$(ps)server.xml +#worker.inprocess.cmd_line=-home +#worker.inprocess.cmd_line=$(workers.tomcat_home) + +# +# The JVM that we are about to use +# +# This is for Java2 +# +# Windows +worker.inprocess.jvm_lib=$(workers.java_home)$(ps)jre$(ps)bin$(ps)classic$(ps)jvm.dll +# IBM JDK1.3 +#worker.inprocess.jvm_lib=$(workers.java_home)$(ps)jre$(ps)bin$(ps)classic$(ps)libjvm.so +# Unix - Sun VM or blackdown +#worker.inprocess.jvm_lib=$(workers.java_home)$(ps)jre$(ps)lib$(ps)i386$(ps)classic$(ps)libjvm.so + +# +# And this is for jdk1.1.X +# +#worker.inprocess.jvm_lib=$(workers.java_home)$(ps)bin$(ps)javai.dll + + +# +# Setting the place for the stdout and stderr of tomcat +# +worker.inprocess.stdout=$(workers.tomcat_home)$(ps)logs$(ps)inprocess.stdout +worker.inprocess.stderr=$(workers.tomcat_home)$(ps)logs$(ps)inprocess.stderr + +# +# Setting the tomcat.home Java property +# +#worker.inprocess.sysprops=tomcat.home=$(workers.tomcat_home) + +# +# Java system properties +# +# worker.inprocess.sysprops=java.compiler=NONE +# worker.inprocess.sysprops=myprop=mypropvalue + +# +# Additional path components. +# +# worker.inprocess.ld_path=d:$(ps)SQLLIB$(ps)bin +# + + diff --git a/pki/base/kra/shared/conf/workers.properties.minimal b/pki/base/kra/shared/conf/workers.properties.minimal new file mode 100644 index 000000000..e3b5942c2 --- /dev/null +++ b/pki/base/kra/shared/conf/workers.properties.minimal @@ -0,0 +1,17 @@ +# workers.properties.minimal - +# +# This file provides minimal jk configuration properties needed to +# connect to Tomcat. +# +# The workers that jk should create and work with +# +worker.list=ajp13w + + +# +# Defining a worker named ajp13w and of type ajp13 +# Note that the name and the type do not have to match. +# +worker.ajp13w.type=ajp13 +worker.ajp13w.host=localhost +worker.ajp13w.port=8009 diff --git a/pki/base/kra/shared/conf/workers2.properties b/pki/base/kra/shared/conf/workers2.properties new file mode 100644 index 000000000..778118ff2 --- /dev/null +++ b/pki/base/kra/shared/conf/workers2.properties @@ -0,0 +1,132 @@ +[logger] +level=DEBUG + +[config:] +file=${serverRoot}/conf/workers2.properties +debug=0 +debugEnv=0 + +[uriMap:] +info=Maps the requests. Options: debug +debug=0 + +# Alternate file logger +#[logger.file:0] +#level=DEBUG +#file=${serverRoot}/logs/jk2.log + +[shm:] +info=Scoreboard. Required for reconfiguration and status with multiprocess servers +file=${serverRoot}/logs/jk2.shm +size=1000000 +debug=0 +disabled=0 + +[workerEnv:] +info=Global server options +timing=1 +debug=0 +# Default Native Logger (apache2 or win32 ) +# can be overriden to a file logger, useful +# when tracing win32 related issues +#logger=logger.file:0 + +[lb:lb] +info=Default load balancer. +debug=0 + +[lb:lb_1] +info=A second load balancer. +debug=0 + +[channel.socket:localhost:8009] +info=Ajp13 forwarding over socket +debug=0 +tomcatId=localhost:8009 + +[channel.socket:localhost:8019] +info=A second tomcat instance. +debug=0 +tomcatId=localhost:8019 +lb_factor=1 +#group=lb +group:lb:lb +#group=lb_1 +group:lb:lb_1 +disabled=0 + +[channel.un:/opt/33/work/jk2.socket] +info=A second channel connecting to localhost:8019 via unix socket +tomcatId=localhost:8019 +lb_factor=1 +debug=0 + +[channel.jni:jni] +info=The jni channel, used if tomcat is started inprocess + +[status:] +info=Status worker, displays runtime informations + +[vm:] +info=Parameters used to load a JVM in the server process +#JVM=C:\jdk\jre\bin\hotspot\jvm.dll +classpath=${TOMCAT_HOME}/bin/tomcat-jni.jar +classpath=${TOMCAT_HOME}/server/lib/commons-logging.jar +OPT=-Dtomcat.home=${TOMCAT_HOME} +OPT=-Dcatalina.home=${TOMCAT_HOME} +OPT=-Xmx128M +#OPT=-Djava.compiler=NONE +disabled=1 + +[worker.jni:onStartup] +info=Command to be executed by the VM on startup. This one will start tomcat. +class=org/apache/jk/apr/TomcatStarter +ARG=start +# For Tomcat 5 use the 'stard' for startup argument +# ARG=stard +disabled=1 +stdout=${serverRoot}/logs/stdout.log +stderr=${serverRoot}/logs/stderr.log + +[worker.jni:onShutdown] +info=Command to be executed by the VM on shutdown. This one will stop tomcat. +class=org/apache/jk/apr/TomcatStarter +ARG=stop +disabled=1 + +[uri:/jkstatus/*] +info=Display status information and checks the config file for changes. +group=status: + +[uri:127.0.0.1:8003] +info=Example virtual host. Make sure myVirtualHost is in /etc/hosts to test it +alias=myVirtualHost:8003 + +[uri:127.0.0.1:8003/ex] +info=Example webapp in the virtual host. It'll go to lb_1 ( i.e. localhost:8019 ) +context=/ex +group=lb_1 + +[uri:/examples] +info=Example webapp in the default context. +context=/examples +debug=0 + +[uri:/examples1/*] +info=A second webapp, this time going to the second tomcat only. +group=lb_1 +debug=0 + +[uri:/examples/servlet/*] +info=Prefix mapping + +[uri:/examples/*.jsp] +info=Extension mapping + +[uri:/examples/*] +info=Map the whole webapp + +[uri:/examples/servlet/HelloW] +info=Example with debug enabled. +debug=10 + diff --git a/pki/base/kra/shared/conf/workers2.properties.minimal b/pki/base/kra/shared/conf/workers2.properties.minimal new file mode 100644 index 000000000..41a0ba6c1 --- /dev/null +++ b/pki/base/kra/shared/conf/workers2.properties.minimal @@ -0,0 +1,55 @@ +# +# This is the minimal JK2 connector configuration file. +# + +[logger] +info=Native logger +level=ERROR + +[config:] +file=${serverRoot}/conf/workers2.properties +debug=0 +debugEnv=0 + +[uriMap:] +info=Maps the requests. +debug=0 + +[shm:] +info=Scoreboard. Required for reconfiguration and status with multiprocess servers +file=anonymous +debug=0 + +[workerEnv:] +info=Global server options +timing=0 +debug=0 + +[lb:lb] +info=Default load balancer. +debug=0 + +[channel.socket:localhost:8009] +info=Ajp13 forwarding over socket +debug=0 +tomcatId=localhost:8009 + +[uri:/admin] +info=Tomcat HTML based administration web application. +debug=0 + +[uri:/manager] +info=A scriptable management web application for the Tomcat Web Server. +debug=0 + +[uri:/jsp-examples] +info=JSP 2.0 Examples. +debug=0 + +[uri:/servlets-examples] +info=Servlet 2.4 Examples. +debug=0 + +[uri:/*.jsp] +info=JSP Extension mapping. +debug=0 |