Diffstat (limited to 'pki/base/setup/pkicreate')
-rwxr-xr-x | pki/base/setup/pkicreate | 2939 |
1 files changed, 2939 insertions, 0 deletions
diff --git a/pki/base/setup/pkicreate b/pki/base/setup/pkicreate
new file mode 100755
index 000000000..87439e3c1
--- /dev/null
+++ b/pki/base/setup/pkicreate
@@ -0,0 +1,2939 @@
+#!/usr/bin/perl
+#
+# --- BEGIN COPYRIGHT BLOCK ---
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; version 2 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License along
+# with this program; if not, write to the Free Software Foundation, Inc.,
+# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# Copyright (C) 2007 Red Hat, Inc.
+# All rights reserved.
+# --- END COPYRIGHT BLOCK ---
+#
+
+##############################################################
+# This script is used to create a new instance of a
+# subsystem within a PKI installation.
+#
+# Sample Invocation (for CA):
+#
+# ./pkicreate
+# -pki_instance_root=/var/lib
+# -pki_instance_name=pki-ca1
+# -subsystem_type=ca
+# -secure_port=9543
+# -unsecure_port=9180
+# -tomcat_server_port=1801
+# -user=pkiuser
+# -group=pkiuser
+# -redirect conf=/export/pki/pki-ca1/conf
+# -redirect logs=/export/pki/pki-ca1/logs
+# -verbose
+#
+##############################################################
+
+
+##############################################################
+# Perl Version
+##############################################################
+
+my $MINIMUM_PERL_VERSION = "5.006001";
+
+my $perl_version_error_message = "ERROR: Using Perl version $] ...\n"
+ . " Must use Perl version "
+ . "$MINIMUM_PERL_VERSION or later to "
+ . 
"run this script!\n";
+
+die "$perl_version_error_message" if $] < $MINIMUM_PERL_VERSION;
+
+
+##############################################################
+# Execution Check
+##############################################################
+
+# Disallow 'others' the ability to 'write' to new files
+umask 00002;
+
+# Check to insure that this script's original
+# invocation directory has not been deleted!
+my $cwd = `/bin/pwd`;
+chomp $cwd;
+if( "$cwd" eq "" ) {
+ print( STDERR "Cannot invoke '$0' from non-existent directory!\n" );
+ print( STDOUT "\n" );
+ exit 255;
+}
+
+
+##############################################################
+# Environment Variables
+##############################################################
+
+# option to not run this script.
+if( defined( $ENV{ 'DONT_RUN_PKICREATE' } ) ) {
+ if( $ENV{ 'DONT_RUN_PKICREATE' } == 1 ) {
+ print( STDERR "Env. variable DONT_RUN_PKICREATE is set. Exiting.\n" );
+ print( STDOUT "\n" );
+ exit 0;
+ }
+}
+
+# additional option to not run this script on Solaris
+# (unfortunately, pkgadd doesn't process all environment variables)
+if( $^O eq "solaris" ) {
+ if( -f "/tmp/DONT_RUN_PKICREATE" ) {
+ print( STDERR "File DONT_RUN_PKICREATE exists. 
Exiting.\n" );
+ print( STDOUT "\n" );
+ exit 0;
+ }
+}
+
+# untaint called subroutines
+if( ( $^O ne 'Windows_NT' ) && ( $^O ne 'MSWin32' ) ) {
+ $> = $<; # set effective user ID to real UID
+ $) = $(; # set effective group ID to real GID
+ $ENV{ 'PATH' } = '/bin:/usr/bin';
+ $ENV{ 'ENV' } = '' if $ENV{ 'ENV' } ne '';
+}
+
+
+##############################################################
+# Command-Line Variables
+##############################################################
+
+my $ARGS = ( $#ARGV + 1 );
+
+
+##############################################################
+# Shared Common Perl Data and Subroutines
+##############################################################
+
+# Compute "flavor" of Operating System
+my $pki_flavor = "";
+if( $^O eq "linux" ) {
+ $pki_flavor = `pkiflavor`;
+} elsif( $^O eq "solaris" ) {
+ $pki_flavor = `pkiflavor`;
+} else {
+ print( STDERR
+ "ERROR: Unsupported platform '$^O'!\n" );
+ print( STDOUT "\n" );
+ exit 255;
+}
+
+$pki_flavor =~ s/\s+$//g;
+
+# Establish path to scripts
+my $pki_subsystem_common_area = "/usr/share/$pki_flavor";
+my $common_path = "/usr/share/pki/scripts";
+
+if( ! -d "$common_path" ) {
+ print( STDERR
+ "ERROR: The path '$common_path' does not exist!\n"
+ . " Unable to load shared Common Perl Data "
+ . "and Subroutines!\n" );
+ print( STDOUT "\n" );
+ exit 255;
+}
+
+if( ! -e "$common_path/pkicommon" ) {
+ print( STDERR
+ "ERROR: The file '$common_path/pkicommon' does not exist!\n"
+ . " Unable to load shared Common Perl Data "
+ . "and Subroutines!\n" );
+ print( STDOUT "\n" );
+ exit 255;
+}
+
+eval( "use lib '" . $common_path . 
"'" );
+require( 'pkicommon' );
+
+# make -w happy by suppressing warnings of Global variables used only once
+my $suppress = "";
+$suppress = $hostname;
+$suppress = $obj_ext;
+$suppress = $tmp_dir;
+$suppress = $default_security_libraries;
+$suppress = $default_system_libraries;
+$suppress = $lib_prefix;
+$suppress = $default_system_user_binaries;
+
+
+##############################################################
+# Local Constants
+##############################################################
+
+# Script used to complete setting up the PKI framework
+my $pkicomplete = "$pki_subsystem_common_area/scripts/pkicomplete";
+
+# Links created via initial "tomcat" installation that MUST be removed!!!
+my $jdbc_stdext_link = "/var/lib/tomcat5/common/lib/\[jdbc-stdext\].jar";
+my $jndi_link = "/var/lib/tomcat5/common/lib/\[jndi\].jar";
+my $jaas_link = "/var/lib/tomcat5/server/lib/\[jaas\].jar";
+
+# Subsystem names
+my $CA = "ca";
+my $OCSP = "ocsp";
+my $KRA = "kra";
+my $TKS = "tks";
+my $RA = "ra";
+my $TPS = "tps";
+
+# Base subsystem directory names
+my $acl_base_subsystem_dir = "acl"; # CA, KRA, OCSP, TKS
+my $alias_base_subsystem_dir = "alias"; # CA, KRA, OCSP, TKS, RA, TPS
+my $applets_base_subsystem_dir = "applets"; # TPS
+my $cgibin_base_subsystem_dir = "cgi-bin"; # TPS (Apache)
+my $conf_base_subsystem_dir = "conf"; # CA, KRA, OCSP, TKS, RA, TPS
+my $docroot_base_subsystem_dir = "docroot"; # RA, TPS (Apache)
+my $emails_base_subsystem_dir = "emails"; # CA
+my $etc_base_subsystem_dir = "etc"; # CA, KRA, OCSP, TKS, RA, TPS
+my $lib_base_subsystem_dir = "lib"; # RA, TPS
+my $logs_base_subsystem_dir = "logs"; # CA, KRA, OCSP, TKS, RA, TPS
+my $profiles_base_subsystem_dir = "profiles"; # CA, KRA, OCSP, TKS
+my $samples_base_subsystem_dir = "samples"; # TPS
+my $scripts_base_subsystem_dir = "scripts"; # RA, TPS
+my $shared_base_subsystem_dir = "shared"; # CA, KRA, OCSP, TKS (Tomcat)
+my $temp_base_subsystem_dir = "temp"; # CA, KRA, OCSP, TKS (Tomcat)
+my 
$webapps_base_subsystem_dir = "webapps"; # CA, KRA, OCSP, TKS +my $work_base_subsystem_dir = "work"; # CA, KRA, OCSP, TKS (Tomcat) + +# Base instance directory names +my $acl_base_instance_dir = "acl"; # CA, KRA, OCSP, TKS +my $alias_base_instance_dir = "alias"; # CA, KRA, OCSP, TKS, RA, TPS +my $bin_base_instance_dir = "bin"; # TPS +my $cgibin_base_instance_dir = "cgi-bin"; # TPS (Apache) +my $conf_base_instance_dir = "conf"; # CA, KRA, OCSP, TKS, RA, TPS +my $docroot_base_instance_dir = "docroot"; # RA, TPS (Apache) +my $emails_base_instance_dir = "emails"; # CA +my $lib_base_instance_dir = "lib"; # RA, TPS +my $logs_base_instance_dir = "logs"; # CA, KRA, OCSP, TKS, RA, TPS +my $profiles_base_instance_dir = "profiles"; # CA, KRA, OCSP, TKS +my $scripts_base_instance_dir = "scripts"; # RA, TPS +my $shared_base_instance_dir = "shared"; # CA, KRA, OCSP, TKS (Tomcat) +my $temp_base_instance_dir = "temp"; # CA, KRA, OCSP, TKS (Tomcat) +my $webapps_base_instance_dir = "webapps"; # CA, KRA, OCSP, TKS +my $work_base_instance_dir = "work"; # CA, KRA, OCSP, TKS (Tomcat) + +# Base instance symbolic link names +my $common_base_instance_symlink = "common"; # CA, KRA, OCSP, TKS +my $conf_base_instance_symlink = "conf"; # CA, KRA, OCSP, TKS, RA, TPS +my $logs_base_instance_symlink = "logs"; # CA, KRA, OCSP, TKS, RA, TPS +my $run_base_instance_symlink = "run"; # RA, TPS + +# Base names +my $cgi_home_base_name = "home/index.cgi"; # TPS +my $cgi_demo_base_name = "demo/index.cgi"; # TPS +my $cgi_so_base_name = "so/index.cgi"; # TPS +my $cgi_sow_base_name = "sow/index.cgi"; # TPS +my $addAgents_ldif_base_name = "addAgents.ldif"; # TPS +my $addIndexes_ldif_base_name = "addIndexes.ldif"; # TPS +my $addTokens_ldif_base_name = "addTokens.ldif"; # TPS +my $addVLVIndexes_ldif_base_name = "addVLVIndexes.ldif"; # TPS +my $apachectl_base_name = "apachectl"; # TPS +my $nss_pcache_base_name = "nss_pcache"; # RA, TPS +my $catalina_sh_base_name = "dtomcat5"; # CA, KRA, OCSP, TKS +my 
$certsrv_jar_base_name = "certsrv.jar"; # CA, KRA, OCSP, TKS +my $nsutil_jar_base_name = "nsutil.jar"; # CA, KRA, OCSP, TKS +my $cmsutil_jar_base_name = "cmsutil.jar"; # CA, KRA, OCSP, TKS +my $cms_jar_base_name = "cms.jar"; # CA, KRA, OCSP, TKS +my $cmsbundle_jar_base_name = "cmsbundle.jar"; # CA, KRA, OCSP, TKS +my $cmscore_jar_base_name = "cmscore.jar"; # CA, KRA, OCSP, TKS +my $conf_base_name = "conf"; # CA, KRA, OCSP, TKS, + # RA, TPS +my $httpd_base_name = "httpd"; # CA, KRA, OCSP, TKS, + # RA, TPS +my $httpd_conf_base_name = "httpd.conf"; # RA, TPS +my $index_html_base_name = "index.html"; # CA, KRA, OCSP, TKS +my $logs_base_name = "logs"; # CA, KRA, OCSP, TKS, + # RA, TPS +my $magic_base_name = "magic"; # RA, TPS +my $mime_types_base_name = "mime.types"; # RA, TPS +my $noise_base_name = "noise"; # CA, KRA, OCSP, TKS, + # RA, TPS +my $nss_conf_base_name = "nss.conf"; # RA, TPS +my $perl_conf_base_name = "perl.conf"; # RA, TPS +my $osutil_jar_base_name = "osutil.jar"; # CA, KRA, OCSP, TKS +my $password_conf_base_name = "password.conf"; # CA, KRA, OCSP, TKS, + # RA, TPS +my $pfile_base_name = "pfile"; # CA, KRA, OCSP, TKS, + # RA, TPS +my $pki_cfg_base_name = "CS.cfg"; # CA, KRA, OCSP, TKS, + # RA, TPS +my $schemaMods_ldif_base_name = "schemaMods.ldif"; # RA, TPS +my $server_xml_base_name = "server.xml"; # CA, KRA, OCSP, TKS +my $servercertnick_conf_base_name = "serverCertNick.conf"; # CA, KRA, OCSP, TKS +my $tomcat5_conf_base_name = "tomcat5.conf"; # CA, KRA, OCSP, TKS +my $velocity_prop_base_name = "velocity.properties"; # CA, KRA, OCSP, TKS +my $web_xml_base_name = "web.xml"; # CA, KRA, OCSP, TKS + +# Subdirectory names +my $initd_base_subsystem_dir = "init.d"; # CA, KRA, OCSP, TKS, RA, TPS +my $perl_base_instance_symlink = "perl"; # RA, TPS +my $perl_base_subsystem_dir = "perl"; # RA, TPS +my $webapps_root_base_instance_dir = "ROOT"; # CA, KRA, OCSP, TKS +my $webapps_root_base_subsystem_dir = "ROOT"; # CA, KRA, OCSP, TKS +my $webinf_base_instance_dir = 
"WEB-INF"; # CA, KRA, OCSP, TKS + +# Defaults +my $default_apache_pids_path = "/var/run"; +my $default_java_path = "/usr/share/java"; +my $default_dir_permissions = 00770; +my $default_exe_permissions = 00770; +my $default_file_permissions = 00660; +my $default_security_token = "internal"; +my $default_start_stop_scripts = "/etc/init.d"; +my $default_tomcat_common_path = "/var/lib/tomcat5/common"; + +# Default PKI user and group to give to PKI installed files +my $pki_user = "pkiuser"; +my $pki_group = "pkiuser"; + +# PKI creation constants +my $db_password_low = 100000000000; +my $db_password_high = 999999999999; + +# Template slot constants (RA, TPS) +my $GROUPID = "GROUPID"; +my $HTTPD_CONF = "HTTPD_CONF"; +my $INSTANCE_ID = "INSTANCE_ID"; +my $LIB_PREFIX = "LIB_PREFIX"; +my $NSS_CONF = "NSS_CONF"; +my $OBJ_EXT = "OBJ_EXT"; +my $PORT = "PORT"; +my $PROCESS_ID = "PROCESS_ID"; +my $SECURE_PORT = "SECURE_PORT"; +my $SECURITY_LIBRARIES = "SECURITY_LIBRARIES"; +my $SERVER_NAME = "SERVER_NAME"; +my $SERVER_ROOT = "SERVER_ROOT"; +my $SUBSYSTEM_TYPE = "SUBSYSTEM_TYPE"; +my $SYSTEM_LIBRARIES = "SYSTEM_LIBRARIES"; +my $SYSTEM_USER_LIBRARIES = "SYSTEM_USER_LIBRARIES"; +my $TMP_DIR = "TMP_DIR"; +my $TPS_DIR = "TPS_DIR"; +my $USERID = "USERID"; +my $FORTITUDE_APACHE = "FORTITUDE_APACHE"; +my $FORTITUDE_DIR = "FORTITUDE_DIR"; +my $FORTITUDE_MODULE = "FORTITUDE_MODULE"; +my $FORTITUDE_LIB_DIR = "FORTITUDE_LIB_DIR"; +my $FORTITUDE_AUTH_MODULES = "FORTITUDE_AUTH_MODULES"; +my $FORTITUDE_NSS_MODULES = "FORTITUDE_NSS_MODULES"; + +# Template slot constants (CA, KRA, OCSP, TKS) +my $INSTALL_TIME = "INSTALL_TIME"; +my $PKI_CERT_DB_PASSWORD_SLOT = "PKI_CERT_DB_PASSWORD"; +my $PKI_CFG_PATH_NAME_SLOT = "PKI_CFG_PATH_NAME"; +my $PKI_GROUP_SLOT = "PKI_GROUP"; +my $PKI_INSTANCE_ID_SLOT = "PKI_INSTANCE_ID"; +my $PKI_INSTANCE_PATH_SLOT = "PKI_INSTANCE_PATH"; +my $PKI_INSTANCE_ROOT_SLOT = "PKI_INSTANCE_ROOT"; +my $PKI_MACHINE_NAME_SLOT = "PKI_MACHINE_NAME"; +my $PKI_RANDOM_NUMBER_SLOT = 
"PKI_RANDOM_NUMBER"; +my $PKI_SECURE_PORT_SLOT = "PKI_SECURE_PORT"; +my $PKI_SERVER_XML_CONF = "PKI_SERVER_XML_CONF"; +my $PKI_SUBSYSTEM_TYPE_SLOT = "PKI_SUBSYSTEM_TYPE"; +my $PKI_UNSECURE_PORT_SLOT = "PKI_UNSECURE_PORT"; +my $PKI_USER_SLOT = "PKI_USER"; +my $TOMCAT_SERVER_PORT_SLOT = "TOMCAT_SERVER_PORT"; +my $PKI_FLAVOR_SLOT = "PKI_FLAVOR"; + +# PKI removal constants +my $saved_cleanup_file_name = ".cleanup.dat"; +my $saved_file_marker = "[files]"; +my $saved_directory_marker = "[directories]"; + + +############################################################## +# Local Data Structures +############################################################## + +# Useful pki references +@installed_files = (); +@installed_stray_directories = (); + +%redirects = (); + + +############################################################## +# Local Variables +############################################################## + +# Command-line variables (mandatory) +my $pki_instance_root = ""; +my $pki_instance_name = ""; +my $subsystem_type = ""; +my $secure_port = -1; +my $unsecure_port = -1; +my $tomcat_server_port = -1; + +# Command-line variables (optional) +my $username = ""; +my $groupname = ""; +my $redirected_conf_path = ""; +my $redirected_logs_path = ""; + +# Base subsystem directory paths +my $pki_subsystem_path = ""; # CA, KRA, OCSP, TKS, RA, TPS +my $acl_subsystem_path = ""; # CA, KRA, OCSP, TKS +my $alias_subsystem_path = ""; # CA, KRA, OCSP, TKS, RA, TPS +my $applets_subsystem_path = ""; # TPS +my $bin_subsystem_path = ""; # TPS +my $cgibin_subsystem_path = ""; # TPS (Apache) +my $conf_subsystem_path = ""; # CA, KRA, OCSP, TKS, RA, TPS +my $docroot_subsystem_path = ""; # RA, TPS (Apache) +my $emails_subsystem_path = ""; # CA +my $etc_subsystem_path = ""; # CA, KRA, OCSP, TKS, RA, TPS +my $lib_subsystem_path = ""; # RA, TPS +my $logs_subsystem_path = ""; # CA, KRA, OCSP, TKS, RA, TPS +my $profiles_subsystem_path = ""; # CA, KRA, OCSP, TKS +my $samples_subsystem_path = ""; 
# TPS +my $scripts_subsystem_path = ""; # RA, TPS +my $shared_subsystem_path = ""; # CA, KRA, OCSP, TKS (Tomcat) +my $temp_subsystem_path = ""; # CA, KRA, OCSP, TKS (Tomcat) +my $webapps_subsystem_path = ""; # CA, KRA, OCSP, TKS +my $common_ui_subsystem_path = ""; # CA, KRA, OCSP, TKS, RA, TPS +my $ui_subsystem_path = ""; # CA, KRA, OCSP, TKS, RA, TPS +my $work_subsystem_path = ""; # CA, KRA, OCSP, TKS (Tomcat) + +# Base instance directory paths +my $pki_instance_path = ""; # CA, KRA, OCSP, TKS, RA, TPS +my $acl_instance_path = ""; # CA, KRA, OCSP, TKS +my $alias_instance_path = ""; # CA, KRA, OCSP, TKS, RA, TPS +my $bin_instance_path = ""; # TPS +my $cgibin_instance_path = ""; # TPS (Apache) +my $conf_instance_path = ""; # CA, KRA, OCSP, TKS, RA, TPS +my $docroot_instance_path = ""; # RA, TPS (Apache) +my $emails_instance_path = ""; # CA +my $lib_instance_path = ""; # RA, TPS +my $logs_instance_path = ""; # CA, KRA, OCSP, TKS, RA, TPS +my $profiles_instance_path = ""; # CA, KRA, OCSP, TKS +my $scripts_instance_path = ""; # CA, KRA, OCSP, TKS, RA, TPS +my $shared_instance_path = ""; # CA, KRA, OCSP, TKS (Tomcat) +my $temp_instance_path = ""; # CA, KRA, OCSP, TKS (Tomcat) +my $webapps_instance_path = ""; # CA, KRA, OCSP, TKS +my $webapps_subsystem_instance_path = ""; # CA, KRA, OCSP, TKS +my $work_instance_path = ""; # CA, KRA, OCSP, TKS (Tomcat) + +# Base instance symbolic link paths +my $common_instance_symlink_path = ""; # CA, KRA, OCSP, TKS +my $conf_instance_symlink_path = ""; # CA, KRA, OCSP, TKS, RA, TPS +my $logs_instance_symlink_path = ""; # CA, KRA, OCSP, TKS, RA, TPS +my $run_instance_symlink_path = ""; # RA, TPS + +# Subdirectory paths +my $cgi_home_instance_file_path = ""; # TPS +my $cgi_home_subsystem_file_path = ""; # TPS +my $cgi_demo_instance_file_path = ""; # TPS +my $cgi_demo_subsystem_file_path = ""; # TPS +my $cgi_so_instance_file_path = ""; # TPS +my $cgi_so_subsystem_file_path = ""; # TPS +my $cgi_sow_instance_file_path = ""; # TPS +my 
$cgi_sow_subsystem_file_path = ""; # TPS +my $addAgents_ldif_instance_file_path = ""; # TPS +my $addAgents_ldif_subsystem_file_path = ""; # TPS +my $addIndexes_ldif_instance_file_path = ""; # TPS +my $addIndexes_ldif_subsystem_file_path = ""; # TPS +my $addTokens_ldif_instance_file_path = ""; # TPS +my $addTokens_ldif_subsystem_file_path = ""; # TPS +my $addVLVIndexes_ldif_instance_file_path = ""; # TPS +my $addVLVIndexes_ldif_subsystem_file_path = ""; # TPS +my $apachectl_instance_file_path = ""; # TPS +my $apachectl_subsystem_file_path = ""; # TPS +my $catalina_sh_instance_file_path = ""; # CA, KRA, OCSP, TKS +my $catalina_sh_subsystem_file_path = ""; # CA, KRA, OCSP, TKS +my $certsrv_jar_file_path = ""; # CA, KRA, OCSP, TKS +my $certsrv_jar_symlink_path = ""; # CA, KRA, OCSP, TKS +my $cms_jar_file_path = ""; # CA, KRA, OCSP, TKS +my $cms_jar_symlink_path = ""; # CA, KRA, OCSP, TKS +my $nsutil_jar_file_path = ""; # CA, KRA, OCSP, TKS +my $nsutil_jar_symlink_path = ""; # CA, KRA, OCSP, TKS +my $cmsutil_jar_file_path = ""; # CA, KRA, OCSP, TKS +my $cmsutil_jar_symlink_path = ""; # CA, KRA, OCSP, TKS +my $cmsbundle_jar_file_path = ""; # CA, KRA, OCSP, TKS +my $cmsbundle_jar_symlink = ""; # CA, KRA, OCSP, TKS +my $cmscore_jar_file_path = ""; # CA, KRA, OCSP, TKS +my $cmscore_jar_symlink_path = ""; # CA, KRA, OCSP, TKS +my $httpd_conf_instance_file_path = ""; # RA, TPS +my $httpd_conf_subsystem_file_path = ""; # RA, TPS +my $index_html_instance_file_path = ""; # CA, KRA, OCSP, TKS +my $index_html_subsystem_file_path = ""; # CA, KRA, OCSP, TKS +my $java_pki_flavor_jar_path = ""; # CA, KRA, OCSP, TKS +my $java_pki_flavor_subsystem_jar_path = ""; # CA, KRA, OCSP, TKS +my $magic_instance_file_path = ""; # RA, TPS +my $magic_subsystem_file_path = ""; # RA, TPS +my $mime_types_instance_file_path = ""; # RA, TPS +my $mime_types_subsystem_file_path = ""; # RA, TPS +my $noise_instance_file_path = ""; # CA, KRA, OCSP, TKS, + # RA, TPS +my $nss_conf_instance_file_path = ""; # 
RA, TPS +my $nss_conf_subsystem_file_path = ""; # RA, TPS +my $perl_conf_instance_file_path = ""; # RA, TPS +my $perl_conf_subsystem_file_path = ""; # RA, TPS +my $osutil_jar_file_path = ""; # CA, KRA, OCSP, TKS +my $osutil_jar_symlink_path = ""; # CA, KRA, OCSP, TKS +my $password_conf_instance_file_path = ""; # CA, KRA, OCSP, TKS, + # RA, TPS +my $perl_instance_symlink_path = ""; # RA, TPS +my $perl_subsystem_path = ""; # RA, TPS +my $pfile_instance_file_path = ""; # CA, KRA, OCSP, TKS, + # RA, TPS +my $pki_cfg_instance_file_path = ""; # CA, KRA, OCSP, TKS, + # RA, TPS +my $pki_cfg_subsystem_file_path = ""; # CA, KRA, OCSP, TKS, + # RA, TPS +my $pki_start_stop_script_instance_file_path = ""; # CA, KRA, OCSP, TKS, + # RA, TPS +my $pki_start_stop_script_subsystem_file_path = ""; # CA, KRA, OCSP, TKS, + # RA, TPS +my $pki_start_stop_script_symlink_path = ""; # CA, KRA, OCSP, TKS, + # RA, TPS +my $schemaMods_ldif_instance_file_path = ""; # RA, TPS +my $schemaMods_ldif_subsystem_file_path = ""; # RA, TPS +my $server_xml_instance_file_path = ""; # CA, KRA, OCSP, TKS +my $server_xml_subsystem_file_path = ""; # CA, KRA, OCSP, TKS +my $servercertnick_conf_instance_file_path = ""; # CA, KRA, OCSP, TKS +my $servercertnick_conf_subsystem_file_path = ""; # CA, KRA, OCSP, TKS +my $subsystem_jar_file_path = ""; # CA, KRA, OCSP, TKS +my $subsystem_jar_symlink_path = ""; # CA, KRA, OCSP, TKS +my $tomcat5_conf_subsystem_file_path = ""; # CA, KRA, OCSP, TKS +my $tomcat5_conf_instance_file_path = ""; # CA, KRA, OCSP, TKS +my $velocity_prop_instance_file_path = ""; # CA, KRA, OCSP, TKS +my $velocity_prop_subsystem_file_path = ""; # CA, KRA, OCSP, TKS +my $web_xml_instance_file_path = ""; # CA, KRA, OCSP, TKS +my $web_xml_subsystem_file_path = ""; # CA, KRA, OCSP, TKS +my $webapps_root_instance_path = ""; # CA, KRA, OCSP, TKS +my $webapps_root_subsystem_path = ""; # CA, KRA, OCSP, TKS +my $webapps_subsystem_instance_path = ""; # CA, KRA, OCSP, TKS +my $webinf_instance_path = ""; # CA, 
KRA, OCSP, TKS +my $webinf_lib_instance_path = ""; # CA, KRA, OCSP, TKS +my $webinf_subsystem_path = ""; # CA, KRA, OCSP, TKS + +# PKI creation variables +my $host = ""; +my $db_password = 0; +my $random = 0; + + +############################################################## +# Platform-Dependent Data Initialization +############################################################## + +if( $^O eq "linux" ) { + $setup_base_subsystem_dir = "setup"; # CA, KRA, OCSP, TKS, RA, TPS + $setup_subsystem_path = ""; # CA, KRA, OCSP, TKS, RA, TPS + $setup_config_instance_file_path = ""; # CA, KRA, OCSP, TKS, RA, TPS + $setup_config_subsystem_file_path = ""; # CA, KRA, OCSP, TKS, RA, TPS + + # Linux required desktop files + $setup_config_area = "/usr/share/applications"; + $setup_config_name = "config.desktop"; + + # Platform-specific directories + @pki_static_directories = ( "temp", + "shared", + "shared/lib", + "shared/common", + "shared/lib", + "work", + "setup" ); + + # Superuser and group to give to PKI installed files + $root_user = "root"; + $root_group = "root"; +} elsif( $^O eq "solaris" ) { + # Platform-specific directories + @pki_static_directories = ( "temp", + "shared", + "shared/lib", + "shared/common", + "shared/lib", + "work" ); + + # Superuser and group to give to PKI installed files + $root_user = "root"; + $root_group = "other"; +} else { + print( STDERR + "ERROR: Unsupported platform '$^O'!\n" ); + print( STDOUT "\n" ); + exit 255; +} + + +############################################################## +# Local Data Initialization +############################################################## + +# Initialize Java-specific variables +if( $^O eq "linux" ) { + if( $default_hardware_platform eq "i386" ) { + # 32-bit Linux + + # Supported hardware token PKCS #11 modules + %supported_sec_modules_hash = ( "lunasa", + "/usr/lunasa/lib/libCryptoki2.so", + "nfast", + "/opt/nfast/toolkits/pkcs11/libcknfast.so" + ); + } elsif( $default_hardware_platform eq "x86_64" ) { + # 
64-bit Linux + + # Supported hardware token PKCS #11 modules + %supported_sec_modules_hash = ( "lunasa", + "/usr/lunasa/lib/libCryptoki2.so", + "nfast", + "/opt/nfast/toolkits/pkcs11/libcknfast.so" + ); + } else { + print( STDERR + "ERROR: Unsupported '$^O' hardware platform " + . "'$default_hardware_platform'!\n" ); + print( "\n" ); + exit 255; + } +} elsif( $^O eq "solaris" ) { + if( $default_hardware_platform eq "sparc" ) { + # 32-bit Solaris + + # Supported hardware token PKCS #11 modules + %supported_sec_modules_hash = ( "lunasa", + "/usr/lunasa/lib/libCryptoki2.so", + "nfast", + "/opt/nfast/toolkits/pkcs11/libcknfast-32.so" + ); + } elsif( $default_hardware_platform eq "sparcv9" ) { + # 64-bit Solaris + + # Supported hardware token PKCS #11 modules + %supported_sec_modules_hash = ( "lunasa", + "/usr/lunasa/lib/libCryptoki2.so", + "nfast", + "/opt/nfast/toolkits/pkcs11/libcknfast-64.so" + ); + } else { + print( STDERR + "ERROR: Unsupported '$^O' hardware platform " + . "'$default_hardware_platform'!\n" ); + print( "\n" ); + exit 255; + } +} else { + print( STDERR + "ERROR: Unsupported platform '$^O'!\n" ); + print( "\n" ); + exit 255; +} + +# Links created via initial "tomcat" installation that MUST be removed!!! +if( -l $jdbc_stdext_link ) { + my $rv = `rm -f $jdbc_stdext_link`; + if( $rv ) { + print( STDERR + "ERROR: Unable to remove symbolic link called " + . "$jdbc_stdext_link!\n" ); + print( "\n" ); + exit 255; + } +} + +if( -l $jndi_link ) { + my $rv = `rm -f $jndi_link`; + if( $rv ) { + print( STDERR + "ERROR: Unable to remove symbolic link called " + . "$jndi_link!\n" ); + print( "\n" ); + exit 255; + } +} + +if( -l $jaas_link ) { + my $rv = `rm -f $jaas_link`; + if( $rv ) { + print( STDERR + "ERROR: Unable to remove symbolic link called " + . 
"$jaas_link!\n" ); + print( "\n" ); + exit 255; + } +} + + +############################################################## +# PKI Instance Creation Subroutines +############################################################## + +# no args +# no return value +sub usage() +{ + print( STDOUT + "Usage: pkicreate -pki_instance_root=<pki_instance_root> " + . "# Instance root\n" + . " " + . "# directory\n" + . " " + . "# destination\n\n" + . " -pki_instance_name=<pki_instance_id> " + . "# Unique PKI\n" + . " " + . "# subsystem\n" + . " " + . "# instance name\n\n" + . " -subsystem_type=<subsystem_type> " + . "# Subsystem type\n" + . " " + . "# [ca | kra | ocsp |\n" + . " " + . "# tks | ra | tps]\n\n" + . " -secure_port=<secure_port> " + . "# Secure port\n\n" + . " -unsecure_port=<unsecure_port> " + . "# Unsecure port\n\n" + . " -tomcat_server_port=<tomcat_server_port> " + . "# Unique port\n" + . " " + . "# for each\n" + . " " + . "# tomcat instance\n" + . " " + . "# [ca | kra | ocsp |\n" + . " " + . "# tks] ONLY\n\n" + . " [-user=<username>] " + . "# user ownership\n" + . " " + . "# [must ALSO specify\n" + . " " + . "# group ownership]\n" + . " " + . "#\n" + . " " + . "# (Default=pkiuser)\n\n" + . " [-group=<groupname>] " + . "# group ownership\n" + . " " + . "# [must ALSO specify\n" + . " " + . "# user ownership]\n" + . " " + . "#\n" + . " " + . "# (Default=pkiuser)\n\n" + . " [-redirect conf=<real conf dir path>] " + . "# redirection of\n" + . " " + . "# conf directory\n\n" + . " [-redirect logs=<real logs dir path>] " + . "# redirection of\n" + . " " + . "# logs directory\n\n" + . " [-verbose] " + . "# Print out\n" + . " " + . "# liberal info\n" + . " " + . "# during pkicreate\n\n" + . " [-help] " + . "# Print out\n" + . " " + . "# this screen\n\n" ); + + print( STDOUT + "Example: pkicreate -pki_instance_root=/var/lib\n" + . " -pki_instance_name=$pki_flavor-ca1\n" + . " -subsystem_type=ca\n" + . " -secure_port=9543\n" + . " -unsecure_port=9180\n" + . 
" -tomcat_server_port=1801\n" + . " -user=pkiuser\n" + . " -group=pkiuser\n" + . " -redirect conf=/export/pki/$pki_flavor-ca1/" + . "conf\n" + . " -redirect logs=/export/pki/$pki_flavor-ca1/" + . "logs\n" + . " -verbose\n\n" ); + + print( STDOUT + "IMPORTANT: Must be run as root!\n\n" ); + + return; +} + + +# arg0 instance name +# return 1 - exists, or +# return 0 - DOES NOT exist +sub pki_instance_already_exists +{ + my $name = $_[0]; + my $result = 0; + + my $instance = $default_start_stop_scripts . "/" . $name; + + if( -e $instance ) { + $result = 1; + } + + return $result; +} + + +# no args +# return 1 - success, or +# return 0 - failure +sub parse_arguments() +{ + my $l_secure_port = -1; + my $l_unsecure_port = -1; + my $l_tomcat_server_port = -1; + my $show_help = 0; + + $result = GetOptions( "help" => \$show_help, + "pki_instance_root=s" => \$pki_instance_root, + "pki_instance_name=s" => \$pki_instance_name, + "subsystem_type=s" => \$subsystem_type, + "secure_port:i" => \$l_secure_port, + "unsecure_port:i" => \$l_unsecure_port, + "tomcat_server_port:i" => \$l_tomcat_server_port, + "user=s" => \$username, + "group=s" => \$groupname, + "verbose" => \$verbose, + "redirect=s" => \%redirects ); + + + ## Optional "-help" option - no "mandatory" options are required + if( $show_help ) { + usage(); + return 0; + } + + + ## Mandatory "-pki_instance_root=s" option + if( $pki_instance_root eq "" ) { + emit( "Must have value for -pki_instance_root!\n", "error" ); + usage(); + return 0; + } + + if( $pki_instance_root eq "/" ) { + emit( "Don't even think about making root the pki_instance_root! " + . "Try again.\n", "error" ); + usage(); + return 0; + } + + # Remove all trailing directory separators ('/') + $pki_instance_root =~ s/\/+$//; + + if( !is_path_valid( $pki_instance_root ) ) { + emit( "Target directory $pki_instance_root is not a " + . 
"legal directory try again.\n", + "error" ); + usage(); + return 0; + } + + + ## Mandatory "-pki_instance_name=s" option + if( $pki_instance_name eq "" ) { + emit( "Must have value for -pki_instance_name!\n", "error" ); + usage(); + return 0; + } + + if( !is_name_valid( $pki_instance_name ) ) { + emit( "Illegal Value => $pki_instance_name for -pki_instance_name!\n", + "error" ); + usage(); + return 0; + } + + if( pki_instance_already_exists( $pki_instance_name ) ) { + emit( "An instance named $pki_instance_name " + . "already exists; please try again.\n", "error" ); + usage(); + return 0; + } + + $pki_instance_path = $pki_instance_root + . "/" . $pki_instance_name; + + if( directory_exists( $pki_instance_path ) ) { + emit( "Target directory $pki_instance_path " + . "already exists; clean up and " + . "try again.\n", "error" ); + usage(); + return 0; + } + + + # capture installation information in a log file + # (always overwrite this file) + $logfile = "/var/log/$pki_instance_name-install.log"; + open_logfile( $logfile ); + push( @installed_files, $logfile ); + + emit( "Capturing installation information in $logfile.\n" ); + + emit( "Parsing PKI creation arguments ...\n" ); + + if( $verbose ) { + emit( " verbose mode is ENABLED\n" ); + } + + emit( " pki_instance_root $pki_instance_root\n" ); + emit( " pki_instance_name $pki_instance_name\n" ); + + + ## Mandatory "-subsystem_type=s" option + if( $subsystem_type ne $CA && + $subsystem_type ne $KRA && + $subsystem_type ne $OCSP && + $subsystem_type ne $TKS && + $subsystem_type ne $RA && + $subsystem_type ne $TPS ) { + emit( "Illegal value => $subsystem_type : for -subsystem_type!\n", + "error" ); + usage(); + return 0; + } + + $pki_subsystem_path = $pki_subsystem_common_area + . "/" . $subsystem_type; + + if( !( -d "$pki_subsystem_path" ) ) { + emit( "$pki_subsystem_path not present. " + . 
"Please install the corresponding subsystem RPM first!\n", + "error" ); + usage(); + return 0; + } else { + emit( " subsystem_type $subsystem_type\n" ); + } + + ## Mandatory "-secure_port=<secure_port>" option + if( $l_secure_port >= 0 ) { + $secure_port = $l_secure_port; + + emit( " secure_port $secure_port\n" ); + } else { + emit( "Must include value for secure_port!\n", "error" ); + usage(); + return 0; + } + + + ## Mandatory "-unsecure_port=<unsecure_port>" option + if( $l_unsecure_port >= 0 ) { + $unsecure_port = $l_unsecure_port; + + emit( " unsecure_port $unsecure_port\n" ); + } else { + emit( "Must include value for unsecure_port!\n", "error" ); + usage(); + return 0; + } + + + ## Mandatory "-tomcat_server_port=<tomcat_server_port>" option/exclusion + if( !($subsystem_type eq $RA || $subsystem_type eq $TPS ) ) { + ## Mandatory OPTION for CA, KRA, OCSP, and TKS subsystems + if( $l_tomcat_server_port < 0 ) { + emit( "Must include value for tomcat_server_port!\n", "error" ); + usage(); + return 0; + } + + $tomcat_server_port = $l_tomcat_server_port; + + emit( " tomcat_server_port $tomcat_server_port\n" ); + } else { + ## Mandatory EXCLUSION for RA and TPS subsystems + if( $l_tomcat_server_port != -1 ) { + emit( "Must NOT include value for tomcat_server_port!\n", + "error" ); + usage(); + return 0; + } + } + + + ## Optional "-user=<username>" option + if( $username ne "" ) { + if( $groupname eq "" ) { + emit( "Must ALSO specify group ownership using -group!\n", + "error" ); + usage(); + return 0; + } + + if( !user_exists( $username ) ) { + emit( "The user '$username' is invalid on this machine!\n", + "error" ); + usage(); + return 0; + } + + # Overwrite default value of $pki_user with user-specified $username + $pki_user = $username; + } + + + ## Optional "-group=<groupname>" option + if( $groupname ne "" ) { + if( $username eq "" ) { + emit( "Must ALSO specify user ownership using -user!\n", + "error" ); + usage(); + return 0; + } + + if( !group_exists( 
$groupname ) ) { + emit( "The group '$groupname' is invalid on this machine!\n", + "error" ); + usage(); + return 0; + } + + # Overwrite default value of $pki_group with user-specified $groupname + $pki_group = $groupname; + } + + + # At this point in time, ALWAYS check that "$pki_user" + # is a valid member of "$pki_group" + # + # NOTE: Uncomment the following code to enforce a strict policy of + # requiring $pki_user to be a member of $pki_group . . . + # + # if( !user_is_a_member_of_group( $pki_user, $pki_group ) ) { + # emit( "The user '$pki_user' is NOT a member of group '$pki_group'!\n", + # "error" ); + # usage(); + # return 0; + # } + + + ## Optional "-redirect <dir_name>=<real dir path> ..." option + while( my ($key, $value) = each( %redirects ) ) { + if( !is_path_valid( $value ) ) { + emit( "Illegal redirect directory value: key=$key value=" + . "$value\n", "error" ); + usage(); + return 0; + } + + if( $key eq "conf" ) { + $redirected_conf_path = $value; + emit( "setting conf_path $redirected_conf_path\n" ); + } elsif( $key eq "logs" ) { + $redirected_logs_path = $value; + emit( "setting logs_path $redirected_logs_path\n" ); + } else { + emit( "Illegal redirect directory key: key=$key value=" + . "$value\n", "error" ); + usage(); + return 0; + } + + emit( "redirect $key => $value\n" ); + } + + return 1; +} + + +# no args +# no return value +sub initialize_subsystem_paths() +{ + ## Initialize subsystem directory paths (subsystem independent) + $alias_subsystem_path = $pki_subsystem_path + . "/" . $alias_base_subsystem_dir; + $conf_subsystem_path = $pki_subsystem_path + . "/" . $conf_base_subsystem_dir; + $etc_subsystem_path = $pki_subsystem_path + . "/" . $etc_base_subsystem_dir; + $logs_subsystem_path = $pki_subsystem_path + . "/" . $logs_base_subsystem_dir; + if( $^O eq "linux" ) { + $setup_subsystem_path = $pki_subsystem_path + . "/" . 
$setup_base_subsystem_dir; + } + + ## Initialize subsystem directory paths (CA subsystems) + if( $subsystem_type eq $CA ) { + $emails_subsystem_path = $pki_subsystem_path + . "/" . $emails_base_subsystem_dir; + } + + + $common_ui_subsystem_path = $pki_subsystem_common_area . "/" . + "common-ui"; + $ui_subsystem_path = $pki_subsystem_path . "-ui"; + + ## Initialize subsystem directory paths (RA, TPS subsystems) + if( $subsystem_type eq $RA || $subsystem_type eq $TPS ) { + if( $subsystem_type eq $TPS ) { + $applets_subsystem_path = $pki_subsystem_path + . "/" . $applets_base_subsystem_dir; + $bin_subsystem_path = $default_system_user_libraries + . "/" . $pki_flavor + . "/" . $subsystem_type; + $samples_subsystem_path = $pki_subsystem_path + . "/" . $samples_base_subsystem_dir; + } + + $lib_subsystem_path = $pki_subsystem_path + . "/" . $lib_base_subsystem_dir; + $scripts_subsystem_path = $pki_subsystem_path + . "/" . $scripts_base_subsystem_dir; + + # Apache Specific + if( $subsystem_type eq $TPS ) { + $cgibin_subsystem_path = $pki_subsystem_path + . "/" . $cgibin_base_subsystem_dir; + } + + # Apache Specific + $docroot_subsystem_path = $pki_subsystem_path + . "/" . $docroot_base_subsystem_dir; + } else { + + ## Initialize subsystem directory paths (CA, KRA, OCSP, TKS subsystems) + + $acl_subsystem_path = $pki_subsystem_path + . "/" . $acl_base_subsystem_dir; + $profiles_subsystem_path = $pki_subsystem_path + . "/" . $profiles_base_subsystem_dir; + $webapps_subsystem_path = $pki_subsystem_path + . "/" . $webapps_base_subsystem_dir; + + # Tomcat Specific + $shared_subsystem_path = $pki_subsystem_path + . "/" . $shared_base_subsystem_dir; + $temp_subsystem_path = $pki_subsystem_path + . "/" . $temp_base_subsystem_dir; + $work_subsystem_path = $pki_subsystem_path + . "/" . 
$work_base_subsystem_dir; + } + + return; +} + + +# no args +# no return value +sub initialize_instance_paths() +{ + ## Initialize instance directory paths (instance independent) + $alias_instance_path = $pki_instance_path + . "/" . $alias_base_instance_dir; + $conf_instance_path = $pki_instance_path + . "/" . $conf_base_instance_dir; + $logs_instance_path = $pki_instance_path + . "/" . $logs_base_instance_dir; + + + ## Initialize instance directory paths (CA instances) + if( $subsystem_type eq $CA ) { + $emails_instance_path = $pki_instance_path + . "/" . $emails_base_instance_dir; + } + + + ## Initialize instance directory paths (RA, TPS instances) + if( $subsystem_type eq $RA || $subsystem_type eq $TPS ) { + if( $subsystem_type eq $TPS ) { + $bin_instance_path = $pki_instance_path + . "/" . $bin_base_instance_dir; + } + + $lib_instance_path = $pki_instance_path + . "/" . $lib_base_instance_dir; + $scripts_instance_path = $pki_instance_path + . "/" . $scripts_base_instance_dir; + + # Apache Specific + if( $subsystem_type eq $TPS ) { + $cgibin_instance_path = $pki_instance_path + . "/" . $cgibin_base_instance_dir; + } + + # Apache Specific + $docroot_instance_path = $pki_instance_path + . "/" . $docroot_base_instance_dir; + } else { + ## Initialize instance directory paths (CA, KRA, OCSP, TKS instances) + $acl_instance_path = $pki_instance_path + . "/" . $acl_base_instance_dir; + $profiles_instance_path = $pki_instance_path + . "/" . $profiles_base_instance_dir; + $webapps_instance_path = $pki_instance_path + . "/" . $webapps_base_instance_dir; + $webapps_subsystem_instance_path = $webapps_instance_path . "/" + . $subsystem_type; + + # Tomcat Specific + $shared_instance_path = $pki_instance_path + . "/" . $shared_base_instance_dir; + $temp_instance_path = $pki_instance_path + . "/" . $temp_base_instance_dir; + $work_instance_path = $pki_instance_path + . "/" . 
$work_base_instance_dir; + } + + return; +} + + +# no args +# no return value +sub initialize_instance_symlink_paths() +{ + ## Initialize instance symlinks (instance independent) + $conf_instance_symlink_path = $pki_instance_path + . "/" . $conf_base_instance_symlink; + $logs_instance_symlink_path = $pki_instance_path + . "/" . $logs_base_instance_symlink; + + + ## Initialize instance symlinks (CA instances) + # if( $subsystem_type eq $CA ) { + # } + + + ## Initialize instance symlinks (RA, TPS instances) + if( $subsystem_type eq $RA || $subsystem_type eq $TPS ) { + # Apache Specific + $run_instance_symlink_path = $pki_instance_path + . "/" . $run_base_instance_symlink; + } else { + ## Initialize instance symlinks (CA, KRA, OCSP, TKS instances) + $common_instance_symlink_path = $pki_instance_path + . "/" . $common_base_instance_symlink; + } + + return; +} + + +# no args +# no return value +sub initialize_subdirectory_paths() +{ + ## Initialize subdirectory paths (subsystem independent) + $pki_cfg_subsystem_file_path = $conf_subsystem_path + . "/" . $pki_cfg_base_name; + $pki_start_stop_script_instance_file_path = $default_start_stop_scripts + . "/" . $pki_instance_name; + $pki_start_stop_script_subsystem_file_path = $pki_subsystem_path + . "/" . $etc_base_subsystem_dir + . "/" . $initd_base_subsystem_dir + . "/" . $httpd_base_name; + $pki_start_stop_script_symlink_path = $pki_instance_path + . "/" . $pki_instance_name; + if( $^O eq "linux" ) { + $setup_config_instance_file_path = $setup_config_area + . "/" . $pki_instance_name + . "-" . $setup_config_name; + $setup_config_subsystem_file_path = $setup_subsystem_path + . "/" . $setup_config_name; + } + + + ## Initialize subdirectory paths (CA subsystems) + # if( $subsystem_type eq $CA ) { + # } + + + ## Initialize subdirectory paths (RA, TPS subsystems) + if( $subsystem_type eq $RA || $subsystem_type eq $TPS ) { + + if( $subsystem_type eq $TPS ) { + + $apachectl_instance_file_path = $bin_instance_path + . "/" . 
$apachectl_base_name; + $apachectl_subsystem_file_path = $bin_subsystem_path + . "/" . $apachectl_base_name; + $cgi_home_instance_file_path = $cgibin_instance_path + . "/" + . $cgi_home_base_name; + $cgi_home_subsystem_file_path = $cgibin_subsystem_path + . "/" + . $cgi_home_base_name; + $cgi_demo_instance_file_path = $cgibin_instance_path + . "/" + . $cgi_demo_base_name; + $cgi_demo_subsystem_file_path = $cgibin_subsystem_path + . "/" + . $cgi_demo_base_name; + $cgi_so_instance_file_path = $cgibin_instance_path + . "/" + . $cgi_so_base_name; + $cgi_so_subsystem_file_path = $cgibin_subsystem_path + . "/" + . $cgi_so_base_name; + $cgi_sow_instance_file_path = $cgibin_instance_path + . "/" + . $cgi_sow_base_name; + $cgi_sow_subsystem_file_path = $cgibin_subsystem_path + . "/" + . $cgi_sow_base_name; + $addAgents_ldif_instance_file_path = $scripts_instance_path + . "/" + . $addAgents_ldif_base_name; + $addAgents_ldif_subsystem_file_path = $scripts_subsystem_path + . "/" + . $addAgents_ldif_base_name; + $addIndexes_ldif_instance_file_path = $scripts_instance_path + . "/" + . $addIndexes_ldif_base_name; + $addIndexes_ldif_subsystem_file_path = $scripts_subsystem_path + . "/" + . $addIndexes_ldif_base_name; + $addTokens_ldif_instance_file_path = $scripts_instance_path + . "/" + . $addTokens_ldif_base_name; + $addTokens_ldif_subsystem_file_path = $scripts_subsystem_path + . "/" + . $addTokens_ldif_base_name; + $addVLVIndexes_ldif_instance_file_path = $scripts_instance_path + . "/" + . $addVLVIndexes_ldif_base_name; + $addVLVIndexes_ldif_subsystem_file_path = $scripts_subsystem_path + . "/" + . $addVLVIndexes_ldif_base_name; + $schemaMods_ldif_instance_file_path = $scripts_instance_path + . "/" + . $schemaMods_ldif_base_name; + $schemaMods_ldif_subsystem_file_path = $scripts_subsystem_path + . "/" + . $schemaMods_ldif_base_name; + } + + $nss_pcache_instance_file_path = $scripts_instance_path + . "/" + . 
$nss_pcache_base_name; + $nss_pcache_subsystem_file_path = $scripts_subsystem_path + . "/" + . $nss_pcache_base_name; + $httpd_conf_subsystem_file_path = $conf_subsystem_path + . "/" . $httpd_conf_base_name; + $magic_subsystem_file_path = $conf_subsystem_path + . "/" . $magic_base_name; + $mime_types_subsystem_file_path = $conf_subsystem_path + . "/" . $mime_types_base_name; + $nss_conf_subsystem_file_path = $conf_subsystem_path + . "/" . $nss_conf_base_name; + $perl_conf_subsystem_file_path = $conf_subsystem_path + . "/" . $perl_conf_base_name; + $perl_instance_symlink_path = $lib_instance_path + . "/" + . $perl_base_instance_symlink; + $perl_subsystem_path = $lib_subsystem_path + . "/" + . $perl_base_subsystem_dir; + } else { + ## Initialize subdirectory paths (CA, KRA, OCSP, TKS subsystems) + $webapps_root_instance_path = $webapps_instance_path + . "/" + . $webapps_root_base_instance_dir; + $webapps_root_subsystem_path = $webapps_subsystem_path + . "/" + . $webapps_root_base_subsystem_dir; + $webapps_subsystem_instance_path = $webapps_instance_path + . "/" . $subsystem_type; + $webinf_instance_path = $webapps_instance_path + . "/" . $subsystem_type + . "/" . $webinf_base_instance_dir; + $webinf_subsystem_path = $webapps_subsystem_path + . "/" . $subsystem_type + . "/" . $webinf_base_instance_dir; + $webinf_lib_instance_path = $webinf_instance_path + . "/" . $lib_base_instance_dir; + + $java_pki_flavor_jar_path = $default_java_path + . "/" . $pki_flavor; + $java_pki_flavor_subsystem_jar_path = $java_pki_flavor_jar_path + . "/" . $subsystem_type; + + $catalina_sh_instance_file_path = $default_system_user_binaries + . "/" . $catalina_sh_base_name + . "-" . $pki_instance_name; + $catalina_sh_subsystem_file_path = $conf_subsystem_path + . "/" . $catalina_sh_base_name; + $certsrv_jar_file_path = $java_pki_flavor_jar_path + . "/" . $certsrv_jar_base_name; + $certsrv_jar_symlink_path = $webinf_lib_instance_path + . "/" . 
$certsrv_jar_base_name; + $nsutil_jar_file_path = $java_pki_flavor_jar_path + . "/" . $nsutil_jar_base_name; + $nsutil_jar_symlink_path = $webinf_lib_instance_path + . "/" . $nsutil_jar_base_name; + $cmsutil_jar_file_path = $java_pki_flavor_jar_path + . "/" . $cmsutil_jar_base_name; + $cmsutil_jar_symlink_path = $webinf_lib_instance_path + . "/" . $cmsutil_jar_base_name; + $cms_jar_file_path = $java_pki_flavor_jar_path + . "/" . $cms_jar_base_name; + $cms_jar_symlink_path = $webinf_lib_instance_path + . "/" . $cms_jar_base_name; + $cmsbundle_jar_file_path = $java_pki_flavor_jar_path + . "/" . $cmsbundle_jar_base_name; + $cmsbundle_jar_symlink_path = $webinf_lib_instance_path + . "/" . $cmsbundle_jar_base_name; + $cmscore_jar_file_path = $java_pki_flavor_jar_path + . "/" . $cmscore_jar_base_name; + $cmscore_jar_symlink_path = $webinf_lib_instance_path + . "/" . $cmscore_jar_base_name; + $index_html_instance_file_path = $webapps_root_instance_path + . "/" . $index_html_base_name; + $index_html_subsystem_file_path = $webapps_root_subsystem_path + . "/" . $index_html_base_name; + $osutil_jar_file_path = $default_system_jni_java_path + . "/" . $osutil_jar_base_name; + $osutil_jar_symlink_path = $webinf_lib_instance_path + . "/" . $osutil_jar_base_name; + $server_xml_subsystem_file_path = $conf_subsystem_path + . "/" . $server_xml_base_name; + $servercertnick_conf_subsystem_file_path = $conf_subsystem_path + . "/" . $servercertnick_conf_base_name; + $subsystem_jar_file_path = $java_pki_flavor_subsystem_jar_path + . "/" . $subsystem_type . ".jar"; + $subsystem_jar_symlink_path = $webinf_lib_instance_path + . "/" . $subsystem_type . ".jar"; + $tomcat5_conf_subsystem_file_path = $conf_subsystem_path + . "/" . $tomcat5_conf_base_name; + $velocity_prop_instance_file_path = $webinf_instance_path + . "/" . $velocity_prop_base_name; + $velocity_prop_subsystem_file_path = $webinf_subsystem_path + . "/" . 
$velocity_prop_base_name; + $web_xml_instance_file_path = $webinf_instance_path + . "/" . $web_xml_base_name; + $web_xml_subsystem_file_path = $webinf_subsystem_path + . "/" . $web_xml_base_name; + } +} + + +# no args +# no return value +sub initialize_paths() +{ + initialize_subsystem_paths(); + initialize_instance_paths(); + initialize_instance_symlink_paths(); + initialize_subdirectory_paths(); +} + + +# no args +# no return value +sub initialize_pki_creation_values() +{ + # obtain the fully-qualified domain name of this host + $host = get_FQDN( $hostname ); + + # we need the certdb password generated now ... + $db_password = generate_random( $db_password_low, $db_password_high ); + + # generate a random value for a pin ... + $random = generate_random_string( 20 ); +} + + +# no args +# return 1 - success, or +# return 0 - failure +sub process_pki_directories() +{ + my $result = 0; + + emit( "Processing PKI directories for '$pki_instance_path' ...\n" ); + + ## Populate instance directory paths (instance independent) + $result = copy_directory( $alias_subsystem_path, + $alias_instance_path ); + if( !$result ) { + emit( "Failed to copy directory $alias_subsystem_path to $alias_instance_path ...\n" ); + return 0; + } + + # Check for an optionally redirected "conf" directory path ... + if( $redirected_conf_path eq "" ) { + $noise_instance_file_path = $conf_instance_path + . "/" . $noise_base_name; + $password_conf_instance_file_path = $conf_instance_path + . "/" . $password_conf_base_name; + $pfile_instance_file_path = $conf_instance_path + . "/" . $pfile_base_name; + $pki_cfg_instance_file_path = $conf_instance_path + . "/" . $pki_cfg_base_name; + + if( $subsystem_type eq $RA || $subsystem_type eq $TPS ) { + $httpd_conf_instance_file_path = "$conf_instance_path" + . "/" . $httpd_conf_base_name; + $magic_instance_file_path = "$conf_instance_path" + . "/" . $magic_base_name; + $mime_types_instance_file_path = $conf_instance_path + . "/" . 
$mime_types_base_name; + $nss_conf_instance_file_path = "$conf_instance_path" + . "/" . $nss_conf_base_name; + $perl_conf_instance_file_path = "$conf_instance_path" + . "/" . $perl_conf_base_name; + + # create instance directory + $result = create_directory( $conf_instance_path ); + if( !$result ) { + emit( "Failed to create directory $conf_instance_path ...\n" ); + return 0; + } + + # only copy selected files + $result = copy_file( $magic_subsystem_file_path, + $magic_instance_file_path ); + if( !$result ) { + emit( "Failed to copy file $magic_subsystem_file_path to $magic_instance_file_path ...\n" ); + return 0; + } + + $result = copy_file( $mime_types_subsystem_file_path, + $mime_types_instance_file_path ); + if( !$result ) { + emit( "Failed to copy file $mime_types_subsystem_file_path to $mime_types_instance_file_path ...\n" ); + return 0; + } + + # fix permissions + if( !is_Windows() ) { + chmod( $default_file_permissions, + $magic_instance_file_path ); + chmod( $default_file_permissions, + $mime_types_instance_file_path ); + } + } else { + $server_xml_instance_file_path = $conf_instance_path + . "/" . $server_xml_base_name; + $servercertnick_conf_instance_file_path = $conf_instance_path + . "/" . $servercertnick_conf_base_name; + $tomcat5_conf_instance_file_path = $conf_instance_path + . "/" . $tomcat5_conf_base_name; + + $result = copy_directory( $conf_subsystem_path, + $conf_instance_path ); + if( !$result ) { + emit( "Failed to copy directory $conf_subsystem_path to $conf_instance_path ...\n" ); + return 0; + } + } + } else { + $noise_instance_file_path = $redirected_conf_path + . "/" . $noise_base_name; + $password_conf_instance_file_path = $redirected_conf_path + . "/" . $password_conf_base_name; + $pfile_instance_file_path = $redirected_conf_path + . "/" . $pfile_base_name; + $pki_cfg_instance_file_path = $redirected_conf_path + . "/" . 
$pki_cfg_base_name; + + # Populate optionally redirected instance directory path + # and setup a symlink in the standard area + if( $subsystem_type eq $RA || $subsystem_type eq $TPS ) { + $httpd_conf_instance_file_path = "$redirected_conf_path" + . "/" . $httpd_conf_base_name; + $magic_instance_file_path = "$redirected_conf_path" + . "/" . $magic_base_name; + $mime_types_instance_file_path = $redirected_conf_path + . "/" . $mime_types_base_name; + $nss_conf_instance_file_path = "$redirected_conf_path" + . "/" . $nss_conf_base_name; + $perl_conf_instance_file_path = "$redirected_conf_path" + . "/" . $perl_conf_base_name; + + # create redirected instance directory + $result = create_directory( $redirected_conf_path ); + if( !$result ) { + emit( "Failed to create directory $redirected_conf_path ...\n" ); + return 0; + } + + # only copy selected files + $result = copy_file( $magic_subsystem_file_path, + $magic_instance_file_path ); + if( !$result ) { + emit( "Failed to copy file $magic_subsystem_file_path to $magic_instance_file_path ...\n" ); + return 0; + } + + $result = copy_file( $mime_types_subsystem_file_path, + $mime_types_instance_file_path ); + if( !$result ) { + emit( "Failed to copy file $mime_types_subsystem_file_path to $mime_types_instance_file_path ...\n" ); + return 0; + } + + # fix permissions + if( !is_Windows() ) { + chmod( $default_file_permissions, + $magic_instance_file_path ); + chmod( $default_file_permissions, + $mime_types_instance_file_path ); + } + } else { + $server_xml_instance_file_path = $redirected_conf_path + . "/" . $server_xml_base_name; + $servercertnick_conf_instance_file_path = $redirected_conf_path + . "/" . $servercertnick_conf_base_name; + $tomcat5_conf_instance_file_path = $redirected_conf_path + . "/" . 
$tomcat5_conf_base_name; + + $result = copy_directory( $conf_subsystem_path, + $redirected_conf_path ); + if( !$result ) { + emit( "Failed to copy directory $conf_subsystem_path to $redirected_conf_path ...\n" ); + return 0; + } + } + + push( @installed_stray_directories, + $redirected_conf_path ); + + $result = create_symbolic_link( $conf_instance_symlink_path, + $redirected_conf_path ); + if( !$result ) { + emit( "Failed to create symlink $conf_instance_symlink_path ...\n" ); + return 0; + } + + $result = give_symbolic_link_to( $conf_instance_symlink_path, + $pki_user, + $pki_group ); + if( !$result ) { + emit( "$conf_instance_symlink_path ownership problems!", + "error" ); + return 0; + } + + give_directory_to( $redirected_conf_path, + $pki_user, + $pki_group ); + } + + + # Check for an optionally redirected "logs" directory path ... + if( $redirected_logs_path eq "" ) { + $result = copy_directory( $logs_subsystem_path, + $logs_instance_path ); + if( !$result ) { + emit( "Failed to copy directory $logs_subsystem_path to $logs_instance_path ...\n" ); + return 0; + } + } else { + # Populate optionally redirected instance directory path + # and setup a symlink in the standard area + $result = copy_directory( $logs_subsystem_path, + $redirected_logs_path ); + if( !$result ) { + emit( "Failed to copy directory $logs_subsystem_path to $redirected_logs_path ...\n" ); + return 0; + } + + push( @installed_stray_directories, + $redirected_logs_path ); + + $result = create_symbolic_link( $logs_instance_symlink_path, + $redirected_logs_path ); + if( !$result ) { + emit( "Failed to create symlink $logs_instance_symlink_path ...\n" ); + return 0; + } + + $result = give_symbolic_link_to( $logs_instance_symlink_path, + $pki_user, + $pki_group ); + if( !$result ) { + emit( "$logs_instance_symlink_path ownership problems!", + "error" ); + return 0; + } + + give_directory_to( $redirected_logs_path, + $pki_user, + $pki_group ); + } + + + ## Populate instance directory paths (CA 
instances) + if( $subsystem_type eq $CA ) { + $result = copy_directory( $emails_subsystem_path, + $emails_instance_path ); + if( !$result ) { + emit( "Failed to copy directory $emails_subsystem_path to $emails_instance_path ...\n" ); + return 0; + } + } + + + ## Populate instance directory paths (RA, TPS instances) + if( $subsystem_type eq $RA || $subsystem_type eq $TPS ) { + + if( $subsystem_type eq $TPS ) { + $result = create_directory( $bin_instance_path ); + if( !$result ) { + emit( "Failed to create directory $bin_instance_path ...\n" ); + return 0; + } + } + + $result = create_directory( $lib_instance_path ); + if( !$result ) { + emit( "Failed to create directory $lib_instance_path ...\n" ); + return 0; + } + + $result = create_directory( $scripts_instance_path ); + if( !$result ) { + emit( "Failed to create directory $scripts_instance_path ...\n" ); + return 0; + } + + # Apache Specific + if( $subsystem_type eq $TPS ) { + $result = copy_directory( $cgibin_subsystem_path, + $cgibin_instance_path ); + if( !$result ) { + emit( "Failed to copy directory $cgibin_subsystem_path ...\n" ); + return 0; + } + } + + # Apache Specific + $result = copy_directory( $docroot_subsystem_path, + $docroot_instance_path ); + if( !$result ) { + emit( "Failed to copy directory $docroot_subsystem_path ...\n" ); + return 0; + } + + $result = copy_directory( $ui_subsystem_path, + $pki_instance_path ); + if( !$result ) { + emit( "Failed to copy directory $webapps_subsystem_path ...\n" ); + return 0; + } + + # fix permissions + if( !is_Windows() ) { + # Apache Specific + if( $subsystem_type eq $TPS ) { + chmod( $default_dir_permissions, + "$cgibin_instance_path/demo" ); + chmod( $default_exe_permissions, + "$cgibin_instance_path/demo/*.cgi" ); + chmod( $default_file_permissions, + "$cgibin_instance_path/demo/*.html" ); + chmod( $default_dir_permissions, + "$cgibin_instance_path/home" ); + chmod( $default_exe_permissions, + "$cgibin_instance_path/home/*.cgi" ); + chmod( 
$default_file_permissions, + "$cgibin_instance_path/home/*.html" ); + chmod( $default_dir_permissions, + "$cgibin_instance_path/so" ); + chmod( $default_exe_permissions, + "$cgibin_instance_path/so/*.cgi" ); + chmod( $default_file_permissions, + "$cgibin_instance_path/so/*.html" ); + chmod( $default_dir_permissions, + "$cgibin_instance_path/sow" ); + chmod( $default_exe_permissions, + "$cgibin_instance_path/sow/*.cgi" ); + chmod( $default_file_permissions, + "$cgibin_instance_path/sow/*.html" ); + chmod( $default_exe_permissions, + "$cgibin_instance_path/sow/*.pl" ); + } + + # Apache Specific + chmod( $default_file_permissions, + "$docroot_instance_path/GenericAuth.html" ); + chmod( $default_file_permissions, + "$docroot_instance_path/style.css" ); + } + } else { + ## Populate instance directory paths (CA, KRA, OCSP, TKS instances) + $result = copy_directory( $acl_subsystem_path, + $acl_instance_path ); + if( !$result ) { + emit( "Failed to copy directory $acl_subsystem_path ...\n" ); + return 0; + } + + $result = copy_directory( $profiles_subsystem_path, + $profiles_instance_path ); + if( !$result ) { + emit( "Failed to copy directory $profiles_subsystem_path ...\n" ); + return 0; + } + + $result = copy_directory( $webapps_subsystem_path, + $webapps_instance_path ); + if( !$result ) { + emit( "Failed to copy directory $webapps_subsystem_path ...\n" ); + return 0; + } + + $result = copy_directory( $common_ui_subsystem_path, + $webapps_subsystem_instance_path ); + if( !$result ) { + emit( "Failed to copy directory $webapps_subsystem_path ...\n" ); + return 0; + } + + $result = copy_directory( $ui_subsystem_path, + $pki_instance_path ); + if( !$result ) { + emit( "Failed to copy directory $webapps_subsystem_path ...\n" ); + return 0; + } + + # Tomcat Specific + $result = copy_directory( $shared_subsystem_path, + $shared_instance_path ); + if( !$result ) { + emit( "Failed to copy directory $shared_subsystem_path ...\n" ); + return 0; + } + + $result = 
create_directory( $temp_instance_path ); + if( !$result ) { + emit( "Failed to create directory $temp_instance_path ...\n" ); + return 0; + } + + $result = create_directory( $work_instance_path ); + if( !$result ) { + emit( "Failed to create directory $work_instance_path ...\n" ); + return 0; + } + } + + ## Set appropriate permissions + give_directory_to( $pki_instance_path, + $pki_user, + $pki_group ); + + return 1; +} + + +# arg0 source file path +# arg1 dest file path +# arg2 %slot_hash +# return 1 - success, or +# return 0 - failure +sub process_file_template +{ + my( $source_file_path ) = $_[0]; + my( $dest_file_path ) = $_[1]; + my( $l_slot_hash ) = $_[2]; + + my $result = 0; + my $inf = new FileHandle; + my $buff = ""; + my $ouf = new FileHandle; + + emit( " Converting '$source_file_path' ==> '$dest_file_path' ...\n" ); + + # check for a valid source file + if( !is_path_valid( $source_file_path ) ) { + emit( "process_file_template(): invalid source path " + . "$source_file_path!\n", + "error" ); + return $result; + } + + # check for a valid destination file + if( !is_path_valid( $dest_file_path ) ) { + emit( "process_file_template(): invalid destination path " + . "$dest_file_path!\n", + "error" ); + return $result; + } + + # read in contents of source file + $inf->open( "<$source_file_path" ) or + die "Could not open $source_file_path\n"; + while( <$inf> ) { + my $line = $_; + chomp( $line ); + $buff = $buff . 
"$line\n"; + } + $inf->close(); + + + # process each line substituting each [KEY] + # with its corresponding slot hash value + while( my( $key, $value ) = each( %$l_slot_hash ) ) { + emit( " replacing: $key with: $value\n" ); + $buff =~ s/\[$key\]/$value/g; + } + + + # write out these modified contents to the destination file + $ouf->open( ">$dest_file_path" ) or die "Could not open $dest_file_path\n"; + $ouf->print( $buff ); + $ouf->close(); + + $result = 1; + + return $result; +} + + +# no args +# return 1 - success, or +# return 0 - failure +sub process_pki_templates() +{ + my %slot_hash = (); + + emit( "Processing PKI templates for '$pki_instance_path' ...\n" ); + + if( $subsystem_type eq $RA || $subsystem_type eq $TPS ) { + # Setup templates (RA, TPS) + $slot_hash{$GROUPID} = $pki_group; + $slot_hash{$HTTPD_CONF} = $httpd_conf_instance_file_path; + $slot_hash{$INSTANCE_ID} = $pki_instance_name; + $slot_hash{$LIB_PREFIX} = $lib_prefix; + $slot_hash{$NSS_CONF} = $nss_conf_instance_file_path; + $slot_hash{$OBJ_EXT} = $obj_ext; + $slot_hash{$PORT} = $unsecure_port; + $slot_hash{$PROCESS_ID} = $$; + $slot_hash{$SECURE_PORT} = $secure_port; + $slot_hash{$SECURITY_LIBRARIES} = $default_security_libraries; + $slot_hash{$SERVER_NAME} = $host; + $slot_hash{$SERVER_ROOT} = $pki_instance_path; + $slot_hash{$SUBSYSTEM_TYPE} = $subsystem_type; + $slot_hash{$SYSTEM_LIBRARIES} = $default_system_libraries; + $slot_hash{$SYSTEM_USER_LIBRARIES} = $default_system_user_libraries; + $slot_hash{$TMP_DIR} = $tmp_dir; + $slot_hash{$TPS_DIR} = $pki_subsystem_path; + $slot_hash{$USERID} = $pki_user; + $slot_hash{$PKI_FLAVOR} = $pki_flavor; + $slot_hash{$PKI_RANDOM_NUMBER_SLOT} = $random; + if( is_Fedora() || (is_RHEL() && (! 
is_RHEL4())) ) { + $slot_hash{$FORTITUDE_APACHE} = "Apache2"; + $slot_hash{$FORTITUDE_DIR} = "/usr"; + $slot_hash{$FORTITUDE_LIB_DIR} = "/etc/httpd"; + $slot_hash{$FORTITUDE_MODULE} = "/etc/httpd/modules"; + $slot_hash{$FORTITUDE_AUTH_MODULES} = +" +LoadModule auth_basic_module /etc/httpd/modules/mod_auth_basic.so +LoadModule authn_file_module /etc/httpd/modules/mod_authn_file.so +LoadModule authz_user_module /etc/httpd/modules/mod_authz_user.so +LoadModule authz_groupfile_module /etc/httpd/modules/mod_authz_groupfile.so +LoadModule authz_host_module /etc/httpd/modules/mod_authz_host.so +"; + $slot_hash{$FORTITUDE_NSS_MODULES} = +" +LoadModule nss_module /etc/httpd/modules/libmodnss.so +"; + } + else { + $slot_hash{$FORTITUDE_APACHE} = "Apache"; + $slot_hash{$FORTITUDE_DIR} = "/opt/fortitude"; + $slot_hash{$FORTITUDE_LIB_DIR} = "/opt/fortitude"; + $slot_hash{$FORTITUDE_MODULE} = "/opt/fortitude/modules.local"; + $slot_hash{$FORTITUDE_AUTH_MODULES} = +" +LoadModule auth_module /opt/fortitude/modules/mod_auth.so +LoadModule access_module /opt/fortitude/modules/mod_access.so +"; + $slot_hash{$FORTITUDE_NSS_MODULES} = +" +LoadModule nss_module /opt/fortitude/modules.local/libmodnss.so +"; + } + } else { + # Setup templates (CA, KRA, OCSP, TKS) + $slot_hash{$INSTALL_TIME} = localtime; + $slot_hash{$PKI_CERT_DB_PASSWORD_SLOT} = $db_password; + $slot_hash{$PKI_CFG_PATH_NAME_SLOT} = $pki_cfg_instance_file_path; + $slot_hash{$PKI_GROUP_SLOT} = $pki_group; + $slot_hash{$PKI_INSTANCE_ID_SLOT} = $pki_instance_name; + $slot_hash{$PKI_INSTANCE_PATH_SLOT} = $pki_instance_path; + $slot_hash{$PKI_INSTANCE_ROOT_SLOT} = $pki_instance_root; + $slot_hash{$PKI_MACHINE_NAME_SLOT} = $host; + $slot_hash{$PKI_RANDOM_NUMBER_SLOT} = $random; + $slot_hash{$PKI_SECURE_PORT_SLOT} = $secure_port; + $slot_hash{$PKI_SERVER_XML_CONF} = $server_xml_instance_file_path; + $slot_hash{$PKI_SUBSYSTEM_TYPE_SLOT} = $subsystem_type; + $slot_hash{$PKI_UNSECURE_PORT_SLOT} = $unsecure_port; + 
$slot_hash{$PKI_USER_SLOT} = $pki_user; + $slot_hash{$TOMCAT_SERVER_PORT_SLOT} = $tomcat_server_port; + $slot_hash{$PKI_FLAVOR_SLOT} = $pki_flavor; + } + + + ## Process templates (instance independent) + # + # NOTE: The values substituted may differ across subsystems. + # + + # process "CS.cfg" template + $result = process_file_template( $pki_cfg_subsystem_file_path, + $pki_cfg_instance_file_path, + \%slot_hash ); + if( !$result ) { + return 0; + } + + + # process "httpd" template + # + # NOTE: CA, KRA, OCSP, TKS instances are dependent upon the location + # of the instance-specific "server.xml" file, while RA and TPS + # instances are dependent upon the instance-specific location + # of the "nss.conf" file. + # + $result = process_file_template( + $pki_start_stop_script_subsystem_file_path, + $pki_start_stop_script_instance_file_path, + \%slot_hash ); + if( !$result ) { + return 0; + } + + chmod( $default_exe_permissions, + $pki_start_stop_script_instance_file_path ); + + push( @installed_files, + $pki_start_stop_script_instance_file_path ); + + + if( $^O eq "linux" ) { + # process "config.desktop" template + $result = process_file_template( $setup_config_subsystem_file_path, + $setup_config_instance_file_path, + \%slot_hash ); + if( ! 
$result ) { + return 0; + } + + push( @installed_files, + $setup_config_instance_file_path ); + } + + + ## Process templates (CA instances) + # if( $subsystem_type eq $CA ) { + # } + + + ## Process templates (RA, TPS instances) + if( $subsystem_type eq $RA || $subsystem_type eq $TPS ) { + + if( $subsystem_type eq $TPS ) { + + # process "apachectl" template + $result = process_file_template( $apachectl_subsystem_file_path, + $apachectl_instance_file_path, + \%slot_hash ); + if( !$result ) { + return 0; + } + + chmod( $default_exe_permissions, + $apachectl_instance_file_path ); + + + # process "cgi" template + $result = process_file_template( $cgi_home_subsystem_file_path, + $cgi_home_instance_file_path, + \%slot_hash ); + if( !$result ) { + return 0; + } + + $result = process_file_template( $cgi_demo_subsystem_file_path, + $cgi_demo_instance_file_path, + \%slot_hash ); + if( !$result ) { + return 0; + } + + $result = process_file_template( $cgi_so_subsystem_file_path, + $cgi_so_instance_file_path, + \%slot_hash ); + if( !$result ) { + return 0; + } + + $result = process_file_template( $cgi_sow_subsystem_file_path, + $cgi_sow_instance_file_path, + \%slot_hash ); + if( !$result ) { + return 0; + } + + # process "addAgents.ldif" template + $result = process_file_template( $addAgents_ldif_subsystem_file_path, + $addAgents_ldif_instance_file_path, + \%slot_hash ); + if( !$result ) { + return 0; + } + + + # process "addIndexes.ldif" template + $result = process_file_template( $addIndexes_ldif_subsystem_file_path, + $addIndexes_ldif_instance_file_path, + \%slot_hash ); + if( !$result ) { + return 0; + } + + + # process "addTokens.ldif" template + $result = process_file_template( $addTokens_ldif_subsystem_file_path, + $addTokens_ldif_instance_file_path, + \%slot_hash ); + if( !$result ) { + return 0; + } + + + # process "addVLVIndexes.ldif" template + $result = process_file_template( + $addVLVIndexes_ldif_subsystem_file_path, + $addVLVIndexes_ldif_instance_file_path, + 
\%slot_hash );
+ if( !$result ) {
+ return 0;
+ }
+
+ # process "schemaMods.ldif" template
+ $result = process_file_template( $schemaMods_ldif_subsystem_file_path,
+ $schemaMods_ldif_instance_file_path,
+ \%slot_hash );
+ if( !$result ) {
+ return 0;
+ }
+
+ }
+
+
+ # process "httpd.conf" template
+ $result = process_file_template( $httpd_conf_subsystem_file_path,
+ $httpd_conf_instance_file_path,
+ \%slot_hash );
+ if( !$result ) {
+ return 0;
+ }
+
+ chmod( $default_file_permissions,
+ $httpd_conf_instance_file_path );
+
+
+ # process "nss.conf" template
+ $result = process_file_template( $nss_conf_subsystem_file_path,
+ $nss_conf_instance_file_path,
+ \%slot_hash );
+ if( !$result ) {
+ return 0;
+ }
+
+ # fix ownership for nss.conf
+ $result = give_file_to( $nss_conf_instance_file_path,
+ $pki_user,
+ $pki_group );
+ if( !$result ) {
+ emit( "Can't change ownership of "
+ . "$nss_conf_instance_file_path.\n",
+ "error" );
+ return 0;
+ }
+
+ chmod( $default_file_permissions,
+ $nss_conf_instance_file_path );
+
+
+ # process "perl.conf" template
+ $result = process_file_template( $perl_conf_subsystem_file_path,
+ $perl_conf_instance_file_path,
+ \%slot_hash );
+ if( !$result ) {
+ return 0;
+ }
+
+ chmod( $default_file_permissions,
+ $perl_conf_instance_file_path );
+
+ # process "nss_pcache" template
+ $result = process_file_template( $nss_pcache_subsystem_file_path,
+ $nss_pcache_instance_file_path,
+ \%slot_hash );
+ if( !$result ) {
+ return 0;
+ }
+
+ chmod( $default_exe_permissions,
+ $nss_pcache_instance_file_path );
+
+
+ } else {
+ ## Process templates (CA, KRA, OCSP, TKS instances)
+ # process "catalina.sh" (aka dtomcat5) template
+ $result = process_file_template( $catalina_sh_subsystem_file_path,
+ $catalina_sh_instance_file_path,
+ \%slot_hash );
+ if( !$result ) {
+ return 0;
+ }
+
+ $result = give_file_to( $catalina_sh_instance_file_path,
+ $pki_user,
+ $pki_group );
+ if( !$result ) {
+ emit( "Can't change ownership of "
+ .
"$catalina_sh_instance_file_path.\n",
+ "error" );
+ return 0;
+ }
+
+ chmod( $default_exe_permissions,
+ $catalina_sh_instance_file_path );
+
+ push( @installed_files,
+ $catalina_sh_instance_file_path );
+
+
+ # process "index.html" template
+ $result = process_file_template( $index_html_subsystem_file_path,
+ $index_html_instance_file_path,
+ \%slot_hash );
+ if( !$result ) {
+ return 0;
+ }
+
+
+ # process "server.xml" template
+ $result = process_file_template( $server_xml_subsystem_file_path,
+ $server_xml_instance_file_path,
+ \%slot_hash );
+ if( !$result ) {
+ return 0;
+ }
+
+
+ # process "serverCertNick.conf" template
+ $result = process_file_template( $servercertnick_conf_subsystem_file_path,
+ $servercertnick_conf_instance_file_path,
+ \%slot_hash );
+ if( !$result ) {
+ return 0;
+ }
+
+ # process "tomcat5.conf" template
+ $result = process_file_template( $tomcat5_conf_subsystem_file_path,
+ $tomcat5_conf_instance_file_path,
+ \%slot_hash );
+ if( !$result ) {
+ return 0;
+ }
+
+
+ # process "velocity.properties" template
+ $result = process_file_template( $velocity_prop_subsystem_file_path,
+ $velocity_prop_instance_file_path,
+ \%slot_hash );
+ if( !$result ) {
+ return 0;
+ }
+
+
+ # process "web.xml" template
+ $result = process_file_template( $web_xml_subsystem_file_path,
+ $web_xml_instance_file_path,
+ \%slot_hash );
+ if( !$result ) {
+ return 0;
+ }
+ }
+
+ return 1;
+}
+
+
+# no args
+# return 1 - success, or
+# return 0 - failure
+sub process_pki_files_and_symlinks()
+{
+ my $result = 0;
+
+ emit( "Processing PKI files and symbolic links for "
+ .
"'$pki_instance_path' ...\n" );
+
+ ## Populate instances (instance independent)
+
+ # create a filled in temporary "noise"
+ # file for this instance
+ my $noise = generate_random_string( 1024 );
+
+ create_file( $noise_instance_file_path,
+ $noise );
+
+ $result = give_file_to( $noise_instance_file_path,
+ $pki_user,
+ $pki_group );
+ if( !$result ) {
+ emit( "Can't change ownership of $noise_base_name.\n",
+ "error" );
+ return 0;
+ }
+
+ chmod( $default_file_permissions,
+ $noise_instance_file_path );
+
+
+ # create a filled in empty "password.conf"
+ # password file for this instance
+ create_file( $password_conf_instance_file_path,
+ "$default_security_token:$db_password" );
+
+ $result = give_file_to( $password_conf_instance_file_path,
+ $pki_user,
+ $pki_group );
+ if( !$result ) {
+ emit( "Can't change ownership of $password_conf_base_name.\n",
+ "error" );
+ return 0;
+ }
+
+ chmod( $default_file_permissions,
+ $password_conf_instance_file_path );
+
+
+ # create a filled in empty temporary "pfile"
+ # password file for this instance
+ create_file( $pfile_instance_file_path,
+ $db_password );
+
+ $result = give_file_to( $pfile_instance_file_path,
+ $pki_user,
+ $pki_group );
+ if( !$result ) {
+ emit( "Can't change ownership of $pfile_base_name.\n",
+ "error" );
+ return 0;
+ }
+
+ chmod( $default_file_permissions,
+ $pfile_instance_file_path );
+
+
+ # create instance symlink to actual instance "start/stop" script
+ $result = create_symbolic_link( $pki_start_stop_script_symlink_path,
+ $pki_start_stop_script_instance_file_path );
+ if( !$result ) {
+ return 0;
+ }
+ #
+ # NOTE: This symlink requires "$root_user:$root_group" ownership
+ # since the destination that it refers to is owned by
+ # "$root_user:$root_group".
+ #
+ $result = give_symbolic_link_to( $pki_start_stop_script_symlink_path,
+ $root_user,
+ $root_group );
+ if( !$result ) {
+ emit( "$pki_start_stop_script_instance_file_path ownership problems!",
+ "error" );
+ return 0;
+ }
+
+
+ ## Populate instances (CA instances)
+ # if( $subsystem_type eq $CA ) {
+ # }
+
+
+ ## Populate instances (RA, TPS instances)
+ if( $subsystem_type eq $RA || $subsystem_type eq $TPS ) {
+ # Subdirectory Specific symbolic links
+
+ # create instance symlink to subsystem "perl" subdirectory
+ $result = create_symbolic_link( $perl_instance_symlink_path,
+ $perl_subsystem_path );
+ if( !$result ) {
+ return 0;
+ }
+
+ $result = give_symbolic_link_to( $perl_instance_symlink_path,
+ $pki_user,
+ $pki_group );
+ if( !$result ) {
+ emit( "$perl_instance_symlink_path ownership problems!",
+ "error" );
+ return 0;
+ }
+
+
+ # Apache Specific symbolic links
+
+ # create instance symlink to apache "run" subdirectory
+ $result = create_symbolic_link( $run_instance_symlink_path,
+ $default_apache_pids_path );
+ if( !$result ) {
+ return 0;
+ }
+
+ $result = give_symbolic_link_to( $run_instance_symlink_path,
+ $pki_user,
+ $pki_group );
+ if( !$result ) {
+ emit( "$run_base_instance_symlink ownership problems!",
+ "error" );
+ return 0;
+ }
+ } else {
+ ## Populate instances (CA, KRA, OCSP, TKS instances)
+ # create instance "webapps/$subsystem_type/WEB-INF/lib" subdirectory
+ $result = create_directory( $webinf_lib_instance_path );
+ if( !$result ) {
+ return 0;
+ }
+
+
+ # create instance symlink to "$subsystem_type.jar"
+ $result = create_symbolic_link( $subsystem_jar_symlink_path,
+ $subsystem_jar_file_path );
+ if( !$result ) {
+ return 0;
+ }
+
+ $result = give_symbolic_link_to( $subsystem_jar_symlink_path,
+ $pki_user,
+ $pki_group );
+ if( !$result ) {
+ emit( "$subsystem_jar_symlink_path ownership problems!",
+ "error" );
+ return 0;
+ }
+
+
+ # create instance symlink to "certsrv.jar"
+ $result = create_symbolic_link(
$certsrv_jar_symlink_path,
+ $certsrv_jar_file_path );
+ if( !$result ) {
+ return 0;
+ }
+
+ $result = give_symbolic_link_to( $certsrv_jar_symlink_path,
+ $pki_user,
+ $pki_group );
+ if( !$result ) {
+ emit( "$certsrv_jar_symlink_path ownership problems!",
+ "error" );
+ return 0;
+ }
+
+ # create instance symlink to "cmsutil.jar"
+ $result = create_symbolic_link( $cmsutil_jar_symlink_path,
+ $cmsutil_jar_file_path );
+ if( !$result ) {
+ return 0;
+ }
+
+ $result = give_symbolic_link_to( $cmsutil_jar_symlink_path,
+ $pki_user,
+ $pki_group );
+ if( !$result ) {
+ emit( "$cms_jar_symlink_path ownership problems!",
+ "error" );
+ return 0;
+ }
+
+ # create instance symlink to "nsutil.jar"
+ $result = create_symbolic_link( $nsutil_jar_symlink_path,
+ $nsutil_jar_file_path );
+ if( !$result ) {
+ return 0;
+ }
+
+ $result = give_symbolic_link_to( $nsutil_jar_symlink_path,
+ $pki_user,
+ $pki_group );
+ if( !$result ) {
+ emit( "$cms_jar_symlink_path ownership problems!",
+ "error" );
+ return 0;
+ }
+
+ # create instance symlink to "cms.jar"
+ $result = create_symbolic_link( $cms_jar_symlink_path,
+ $cms_jar_file_path );
+ if( !$result ) {
+ return 0;
+ }
+
+ $result = give_symbolic_link_to( $cms_jar_symlink_path,
+ $pki_user,
+ $pki_group );
+ if( !$result ) {
+ emit( "$cms_jar_symlink_path ownership problems!",
+ "error" );
+ return 0;
+ }
+
+
+ # create instance symlink to "cmsbundle.jar"
+ $result = create_symbolic_link( $cmsbundle_jar_symlink_path,
+ $cmsbundle_jar_file_path );
+ if( !$result ) {
+ return 0;
+ }
+
+ $result = give_symbolic_link_to( $cmsbundle_jar_symlink_path,
+ $pki_user,
+ $pki_group );
+ if( !$result ) {
+ emit( "$cmsbundle_jar_symlink_path ownership problems!",
+ "error" );
+ return 0;
+ }
+
+
+ # create instance symlink to "cmscore.jar"
+ $result = create_symbolic_link( $cmscore_jar_symlink_path,
+ $cmscore_jar_file_path );
+ if( !$result ) {
+ return 0;
+ }
+
+ $result = give_symbolic_link_to( $cmscore_jar_symlink_path,
+ $pki_user,
+
$pki_group );
+ if( !$result ) {
+ emit( "$cmscore_jar_symlink_path ownership problems!",
+ "error" );
+ return 0;
+ }
+
+
+ # create instance symlink to "osutil.jar"
+ $result = create_symbolic_link( $osutil_jar_symlink_path,
+ $osutil_jar_file_path );
+ if( !$result ) {
+ return 0;
+ }
+
+ $result = give_symbolic_link_to( $osutil_jar_symlink_path,
+ $pki_user,
+ $pki_group );
+ if( !$result ) {
+ emit( "$osutil_jar_symlink_path ownership problems!",
+ "error" );
+ return 0;
+ }
+
+
+ # Tomcat Specific
+
+ # create instance symlink to tomcat "common" directory
+ #
+ # NOTE: This symlink requires "$root_user:$root_group" ownership
+ # since the destination that it refers to is owned by
+ # "$root_user:$root_group".
+ #
+ $result = create_symbolic_link( $common_instance_symlink_path,
+ $default_tomcat_common_path );
+ if( !$result ) {
+ return 0;
+ }
+ $result = give_symbolic_link_to( $common_instance_symlink_path,
+ $root_user,
+ $root_group );
+ if( !$result ) {
+ emit( "$common_instance_symlink_path ownership problems!",
+ "error" );
+ return 0;
+ }
+ }
+
+ return 1;
+}
+
+
+# no args
+# return 1 - success, or
+# return 0 - failure
+sub process_pki_security_databases()
+{
+ my $result = 0;
+ my $serial_number = 0;
+ my $validity_period = 12;
+ my $time_stamp = get_time_stamp();
+ my $subject = "CN=$host,O=$time_stamp";
+ my $issuer_name = "CN=$host,O=$time_stamp";
+ my $nickname = "Server-Cert cert-$pki_instance_name";
+ my $trustargs = "CTu,CTu,CTu";
+
+ emit( "Processing PKI security databases for '$pki_instance_path' ...\n" );
+
+ # now create and configure pki security databases,
+ # cert3.db, key3.db, secmod.db ...
+ if( !file_exists( $default_certutil_command ) ) {
+ emit( "process_pki_security_databases(): $default_certutil_command "
+ . "does not exist!\n",
+ "error" );
+ return $result;
+
+ }
+
+ if( !file_exists( $noise_instance_file_path ) ) {
+ emit( "process_pki_security_databases(): Can't find "
+ .
"temp noise file!\n",
+ "error" );
+ return $result;
+ }
+
+ if( !file_exists( $pfile_instance_file_path ) ) {
+ emit( "process_pki_security_databases(): Can't find temp file "
+ . "with password!\n",
+ "error" );
+ return $result;
+ }
+
+ certutil_create_databases( $alias_instance_path,
+ $pfile_instance_file_path );
+
+ certutil_generate_self_signed_cert( $alias_instance_path,
+ $default_security_token,
+ $serial_number,
+ $validity_period,
+ $subject,
+ $issuer_name,
+ $nickname,
+ $trustargs,
+ $noise_instance_file_path,
+ $pfile_instance_file_path );
+
+ remove_file( $noise_instance_file_path );
+
+ remove_file( $pfile_instance_file_path );
+
+ give_directory_to( $alias_instance_path, $pki_user, $pki_group );
+
+ return 1;
+}
+
+
+# no args
+# return 1 - success, or
+# return 0 - failure
+sub process_pki_security_modules()
+{
+ my $result = 0;
+
+ emit( "Processing PKI security modules for '$pki_instance_path' ...\n" );
+
+ if( !file_exists( $default_modutil_command ) ) {
+ emit( "process_pki_security_modules(): $default_modutil_command "
+ . "must be installed on system!\n",
+ "error" );
+ return $result;
+ }
+
+ emit( " Attempting to add hardware security modules to system if "
+ .
"applicable ...\n" );
+
+ while( my( $key, $value ) = each( %supported_sec_modules_hash ) ) {
+ if( !file_exists( $value ) ) {
+ emit( " module name: $key lib: $value DOES NOT EXIST!\n" );
+ next;
+ } else {
+ modutil_add_token( $alias_instance_path, $key, $value );
+ emit( " Added module name: $key lib: $value\n" );
+ }
+ }
+
+ return 1;
+}
+
+
+# no args
+# return 1 - success, or
+# return 0 - failure
+sub install_pki_instance()
+{
+ my $result = 0;
+
+ emit( "Installing PKI instance ...\n" );
+
+ if( !directory_exists( "$pki_instance_path" ) ) {
+ $result = create_directory( "$pki_instance_path" );
+
+ push( @installed_stray_directories,
+ "$pki_instance_path" );
+ if( !$result ) {
+ return 0;
+ }
+ }
+
+ $result = process_pki_directories();
+ if( !$result ) {
+ return 0;
+ }
+
+ $result = process_pki_templates();
+ if( !$result ) {
+ return 0;
+ }
+
+ $result = process_pki_files_and_symlinks();
+ if( !$result ) {
+ return 0;
+ }
+
+ $result = process_pki_security_databases();
+ if( !$result ) {
+ return 0;
+ }
+
+ $result = process_pki_security_modules();
+ if( !$result ) {
+ return 0;
+ }
+
+ return 1;
+}
+
+
+##############################################################
+# PKI Instance Removal Subroutines
+##############################################################
+
+# no args
+# return 1 - success, or
+# return 0 - failure
+sub save_cleanup_file()
+{
+ my $result = 0;
+
+ my $cleanup = new FileHandle;
+
+ my $source_file_path = $pki_instance_path
+ . "/" .
$saved_cleanup_file_name;
+
+ my $files_size = @installed_files;
+ my $directories_size = @installed_stray_directories;
+
+ if( $files_size == 0 && $installed_stray_directories == 0 ) {
+ emit( "No files or directories created in save_cleanup_file!",
+ "error" );
+ return $result;
+ }
+
+ $cleanup->open( ">$source_file_path" ) or
+ die "Could not open $source_file_path\n";
+
+ my $buff = "";
+
+ $cleanup->print( "$saved_file_marker\n" );
+
+ if( $files_size ) {
+ my $i = 0;
+
+ for( $i = 0; $i < $files_size; $i++ ) {
+ $cleanup->print( "$installed_files[$i]\n" );
+ }
+ }
+
+ $cleanup->print( "$saved_directory_marker\n" );
+
+ if( $directories_size ) {
+ my $i = 0;
+
+ for( $i = 0; $i < $directories_size; $i++ ) {
+ $cleanup->print( "$installed_stray_directories[$i]\n" );
+ }
+ }
+
+ $cleanup->close();
+
+ return 1;
+}
+
+
+# no args
+# no return value
+sub cleanup()
+{
+ my $result = 0;
+
+ print( STDOUT
+ "\n\nPKI instance creation Cleanup Utility "
+ . "cleaning up on error ...\n\n" );
+
+ $result = remove_directory( "$pki_instance_path" );
+
+ my $size = @installed_files;
+
+ if( $size ) {
+ my $i = 0;
+
+ for( $i = 0; $i < $size; $i ++ ) {
+ remove_file( $installed_files[$i] );
+ }
+ }
+
+ $size = @installed_stray_directories;
+
+ if( $size ) {
+ my $i = 0;
+
+ for( $i = 0; $i < $size; $i++ ) {
+ remove_directory( $installed_stray_directories[$i] );
+ }
+ }
+
+ return;
+}
+
+
+##############################################################
+# Main Program
+##############################################################
+
+# no args
+# no return value
+sub main()
+{
+ my $result = 0;
+ my $parse_result = 0;
+ my $command = "";
+
+ chdir( "/tmp" );
+
+ print( STDOUT
+ "PKI instance creation Utility ...\n\n" );
+
+ # On Linux/UNIX, insure that this script is being run as "root".
+ $result = check_for_root_UID();
+ if( !$result ) {
+ usage();
+ exit 255;
+ }
+
+ # Setup platform-dependent parameters
+ setup_platform_dependent_parameters();
+
+ $parse_result = parse_arguments();
+ if( !$parse_result || $parse_result == -1 ) {
+ # If it exists, close the log file
+ close_logfile( $logfile );
+ exit 255;
+ }
+
+ initialize_paths();
+
+ initialize_pki_creation_values();
+
+ if( $subsystem_type eq $CA ||
+ $subsystem_type eq $KRA ||
+ $subsystem_type eq $OCSP ||
+ $subsystem_type eq $TKS ) {
+ if( -e $pkicomplete ) {
+ `$pkicomplete`;
+ }
+ }
+
+ $result = install_pki_instance();
+ if( !$result ) {
+ print( STDOUT "\n" );
+
+ASK_AGAIN:
+ my $confirm = prompt( "Error detected would you like to clean up "
+ . "$pki_instance_path (Y/N)? " );
+
+ if( $confirm eq "Y" || $confirm eq "y" ) {
+ cleanup();
+ } elsif( $confirm ne "N" && $confirm ne "n" ) {
+ goto ASK_AGAIN;
+ }
+
+ # If it exists, close the log file
+ close_logfile( $logfile );
+
+ exit 255;
+ }
+
+ print( STDOUT "\n" );
+ print( STDOUT
+ "PKI instance creation completed ...\n\n" );
+
+
+ $result = save_cleanup_file();
+ if( !$result ) {
+ emit( "Unable to create "
+ . $pki_instance_path
+ . "/" . $saved_cleanup_file_name
+ . "!\n",
+ "error" );
+
+ # If it exists, close the log file
+ close_logfile( $logfile );
+
+ exit 255;
+ }
+
+ $command = "$pki_start_stop_script_instance_file_path start";
+
+ system( "$command" );
+
+ print( STDOUT
+ "Server can be operated with "
+ . "$pki_start_stop_script_instance_file_path "
+ . "start | stop | restart\n\n" );
+ emit( "Server can be operated with "
+ . "$pki_start_stop_script_instance_file_path "
+ . "start | stop | restart\n",
+ "log" );
+
+ print( STDOUT
+ "Please start the configuration by accessing:\n"
+ . "http://$host:$unsecure_port/$subsystem_type/admin/"
+ . "console/config/login?pin=$random\n\n" );
+ emit( "Configuration Wizard listening on\n"
+ . "http://$host:$unsecure_port/$subsystem_type/admin/"
+ .
"console/config/login?pin=$random\n",
+ "log" );
+
+ # If it exists, close the log file
+ close_logfile( $logfile );
+
+ return;
+}
+
+
+##############################################################
+# PKI Instance Creation
+##############################################################
+
+main();
+
+exit 0;
+ |