From 0ce6c97e4fe0e36786b78c273833b8f1dfbc12b4 Mon Sep 17 00:00:00 2001
From: Matthew Harmsen <mharmsen@redhat.com>
Date: Tue, 3 Jul 2012 17:52:33 -0700
Subject: PKI Deployment Scriptlets

* Integration of Tomcat 7
* Introduction of dependency upon tomcatjss 7.0
* Removal of http filtering configuration mechanisms
* Introduction of additional slot substitution to
  support revised filesystem layout
* Addition of 'pkiuser' uid:gid creation methods
* Inclusion of per instance '*.profile' files
* Introduction of configurable 'configurationRoot'
  parameter
* Introduction of default configuration of 'log4j'
  mechanism (alee)
* Modify web.xml to use new Application classes to
  bootstrap servers (alee)
* Introduction of "Wrapper" logic to support
  Tomcat 6 --> Tomcat 7 API change (jmagne)
* Added jython helper function to allow attaching
  a remote java debugger (e. g. - eclipse)
---
 .classpath                                         |    3 +-
 base/ca/shared/conf/CS.cfg.in                      |  145 +-
 base/ca/shared/webapps/ca/WEB-INF/web.xml          |  139 +-
 base/common/shared/conf/catalina.properties        |    4 +
 base/common/shared/conf/log4j.properties           |   27 +-
 base/common/shared/conf/server.xml                 |   95 +-
 base/common/shared/conf/serverCertNick.conf        |    6 +
 base/common/shared/conf/tomcat.conf                |    7 +-
 base/common/shared/conf/web.xml                    | 4283 ++++++++++++++++++++
 base/common/src/CMakeLists.txt                     |   11 +-
 .../com/netscape/cms/servlet/csadmin/CertUtil.java |    4 +-
 .../com/netscape/cmscore/realm/PKIJNDIRealm.java   |   21 +-
 base/deploy/config/pkideployment.cfg               |  201 +-
 base/deploy/config/pkislots.cfg                    |    2 +
 base/deploy/scripts/pkidaemon                      |    2 +
 base/deploy/src/pkidestroy                         |   34 +-
 base/deploy/src/pkispawn                           |   34 +-
 base/deploy/src/scriptlets/configuration.jy        |  116 +-
 base/deploy/src/scriptlets/configuration.py        |   69 +-
 base/deploy/src/scriptlets/finalization.py         |   16 +
 base/deploy/src/scriptlets/initialization.py       |    7 +
 base/deploy/src/scriptlets/instance_layout.py      |  119 +-
 base/deploy/src/scriptlets/pkiconfig.py            |   58 +
 base/deploy/src/scriptlets/pkihelper.py            |  382 +-
 base/deploy/src/scriptlets/pkijython.py            |  429 +-
 base/deploy/src/scriptlets/pkimessages.py          |   65 +
 base/deploy/src/scriptlets/pkiparser.py            | 1251 +++++-
 base/deploy/src/scriptlets/security_databases.py   |   33 +-
 base/deploy/src/scriptlets/slot_substitution.py    |   26 +-
 base/deploy/src/scriptlets/subsystem_layout.py     |   68 +
 base/deploy/src/scriptlets/war_explosion.py        |   32 +-
 base/kra/shared/conf/CS.cfg.in                     |   15 +-
 base/kra/shared/webapps/kra/WEB-INF/web.xml        |  101 +-
 base/ocsp/shared/conf/CS.cfg.in                    |   15 +-
 base/ocsp/shared/webapps/ocsp/WEB-INF/web.xml      |  101 +-
 base/setup/pkicreate                               |    2 +
 base/tks/shared/conf/CS.cfg.in                     |   15 +-
 base/tks/shared/webapps/tks/WEB-INF/web.xml        |  100 +-
 specs/dogtag-pki.spec                              |   19 +-
 specs/pki-core.spec                                |   32 +-
 40 files changed, 7401 insertions(+), 688 deletions(-)
 create mode 100644 base/common/shared/conf/serverCertNick.conf
 create mode 100644 base/common/shared/conf/web.xml

diff --git a/.classpath b/.classpath
index f58839361..28dddffc2 100644
--- a/.classpath
+++ b/.classpath
@@ -39,10 +39,11 @@
 	<classpathentry kind="lib" path="/usr/share/java/velocity.jar"/>
 	<classpathentry kind="lib" path="/usr/share/java/xerces-j2.jar"/>
 	<classpathentry kind="lib" path="/usr/share/java/xml-commons-apis.jar"/>
-	<classpathentry kind="lib" path="/usr/share/tomcat6/lib/catalina.jar"/>
 	<classpathentry kind="lib" path="/usr/share/java/istack-commons-runtime.jar"/>
 	<classpathentry kind="lib" path="/usr/share/java/jss/jss4.jar"/>
 	<classpathentry kind="lib" path="/usr/share/java/apache-commons-lang.jar"/>
 	<classpathentry kind="lib" path="/usr/share/java/resteasy/resteasy-atom-provider.jar"/>
+	<classpathentry kind="lib" path="/usr/share/java/tomcat/catalina.jar"/>
+	<classpathentry kind="lib" path="/usr/share/java/tomcat/tomcat-util.jar"/>
 	<classpathentry kind="output" path="build/classes"/>
 </classpath>
diff --git a/base/ca/shared/conf/CS.cfg.in b/base/ca/shared/conf/CS.cfg.in
index 78c28435a..ca90d52d5 100644
--- a/base/ca/shared/conf/CS.cfg.in
+++ b/base/ca/shared/conf/CS.cfg.in
@@ -38,6 +38,7 @@ securitydomain.flushinterval=86400000
 securitydomain.source=ldap
 securitydomain.checkinterval=300000
 instanceRoot=[PKI_INSTANCE_PATH]
+configurationRoot=/[PKI_SUBSYSTEM_DIR]conf/
 machineName=[PKI_MACHINE_NAME]
 instanceId=[PKI_INSTANCE_ID]
 pidDir=[PKI_PIDDIR]
@@ -180,7 +181,7 @@ auths.instance.AgentCertAuth.pluginName=AgentCertAuth
 auths.instance.raCertAuth.agentGroup=Registration Manager Agents
 auths.instance.raCertAuth.pluginName=AgentCertAuth
 auths.instance.flatFileAuth.pluginName=FlatFileAuth
-auths.instance.flatFileAuth.fileName=[PKI_INSTANCE_PATH]/conf/flatfile.txt
+auths.instance.flatFileAuth.fileName=[PKI_INSTANCE_PATH]/conf/[PKI_SUBSYSTEM_DIR]flatfile.txt
 auths.instance.SSLclientCertAuth.pluginName=SSLclientCertAuth
 auths.revocationChecking.bufferSize=50
 auths.revocationChecking.ca=ca
@@ -643,15 +644,15 @@ ca.crl.MasterCRL.extension.IssuingDistributionPoint.pointName=
 ca.crl.MasterCRL.extension.IssuingDistributionPoint.pointType=
 ca.crl.MasterCRL.extension.IssuingDistributionPoint.type=CRLExtension
 ca.notification.certIssued.emailSubject=Your Certificate Request
-ca.notification.certIssued.emailTemplate=[PKI_INSTANCE_PATH]/emails/certIssued_CA.html
+ca.notification.certIssued.emailTemplate=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_DIR]emails/certIssued_CA.html
 ca.notification.certIssued.enabled=false
 ca.notification.certIssued.senderEmail=
 ca.notification.certRevoked.emailSubject=Your Certificate Revoked
-ca.notification.certRevoked.emailTemplate=[PKI_INSTANCE_PATH]/emails/certRevoked_CA.html
+ca.notification.certRevoked.emailTemplate=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_DIR]emails/certRevoked_CA.html
 ca.notification.certRevoked.enabled=false
 ca.notification.certRevoked.senderEmail=
 ca.notification.requestInQ.emailSubject=Certificate Request in Queue
-ca.notification.requestInQ.emailTemplate=[PKI_INSTANCE_PATH]/emails/reqInQueue_CA.html
+ca.notification.requestInQ.emailTemplate=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_DIR]emails/reqInQueue_CA.html
 ca.notification.requestInQ.enabled=false
 ca.notification.requestInQ.recipientEmail=
 ca.notification.requestInQ.senderEmail=
@@ -793,7 +794,7 @@ dbs.ldap=internaldb
 dbs.newSchemaEntryAdded=true
 debug.append=true
 debug.enabled=true
-debug.filename=[PKI_INSTANCE_PATH]/logs/debug
+debug.filename=[PKI_INSTANCE_PATH]/logs/[PKI_SUBSYSTEM_DIR]debug
 debug.hashkeytypes=
 debug.level=0
 debug.showcaller=false
@@ -815,8 +816,8 @@ internaldb.ldapconn.host=
 internaldb.ldapconn.port=
 internaldb.ldapconn.secureConn=false
 preop.internaldb.schema.ldif=/usr/share/pki/ca/conf/schema.ldif
-preop.internaldb.ldif=/usr/share/pki/ca/conf/database.ldif
-preop.internaldb.data_ldif=/usr/share/pki/ca/conf/db.ldif,/usr/share/pki/ca/conf/acl.ldif
+preop.internaldb.ldif=/usr/share/pki/[PKI_SUBSYSTEM_DIR]conf/database.ldif
+preop.internaldb.data_ldif=/usr/share/pki/[PKI_SUBSYSTEM_DIR]conf/db.ldif,/usr/share/pki/ca/conf/acl.ldif
 preop.internaldb.index_ldif=
 preop.internaldb.manager_ldif=/usr/share/pki/ca/conf/manager.ldif
 preop.internaldb.post_ldif=/usr/share/pki/ca/conf/index.ldif,/usr/share/pki/ca/conf/vlv.ldif,/usr/share/pki/ca/conf/vlvtasks.ldif
@@ -833,25 +834,25 @@ jobsScheduler.impl.RequestInQueueJob.class=com.netscape.cms.jobs.RequestInQueueJ
 jobsScheduler.impl.UnpublishExpiredJob.class=com.netscape.cms.jobs.UnpublishExpiredJob
 jobsScheduler.job.certRenewalNotifier.cron=0 3 * * 1-5
 jobsScheduler.job.certRenewalNotifier.emailSubject=Certificate Renewal Notification
-jobsScheduler.job.certRenewalNotifier.emailTemplate=[PKI_INSTANCE_PATH]/emails/rnJob1.txt
+jobsScheduler.job.certRenewalNotifier.emailTemplate=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_DIR]emails/rnJob1.txt
 jobsScheduler.job.certRenewalNotifier.enabled=false
 jobsScheduler.job.certRenewalNotifier.notifyEndOffset=30
 jobsScheduler.job.certRenewalNotifier.notifyTriggerOffset=30
 jobsScheduler.job.certRenewalNotifier.pluginName=RenewalNotificationJob
 jobsScheduler.job.certRenewalNotifier.senderEmail=
 jobsScheduler.job.certRenewalNotifier.summary.emailSubject=Certificate Renewal Notification Summary
-jobsScheduler.job.certRenewalNotifier.summary.emailTemplate=[PKI_INSTANCE_PATH]/emails/rnJob1Summary.txt
+jobsScheduler.job.certRenewalNotifier.summary.emailTemplate=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_DIR]emails/rnJob1Summary.txt
 jobsScheduler.job.certRenewalNotifier.summary.enabled=true
-jobsScheduler.job.certRenewalNotifier.summary.itemTemplate=[PKI_INSTANCE_PATH]/emails/rnJob1Item.txt
+jobsScheduler.job.certRenewalNotifier.summary.itemTemplate=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_DIR]emails/rnJob1Item.txt
 jobsScheduler.job.certRenewalNotifier.summary.recipientEmail=
 jobsScheduler.job.certRenewalNotifier.summary.senderEmail=
 jobsScheduler.job.publishCerts.cron=0 0 * * 2 
 jobsScheduler.job.publishCerts.enabled=false
 jobsScheduler.job.publishCerts.pluginName=PublishCertsJob
 jobsScheduler.job.publishCerts.summary.emailSubject=Certs Publishing Summary
-jobsScheduler.job.publishCerts.summary.emailTemplate=[PKI_INSTANCE_PATH]/emails/publishCerts.html
+jobsScheduler.job.publishCerts.summary.emailTemplate=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_DIR]emails/publishCerts.html
 jobsScheduler.job.publishCerts.summary.enabled=true
-jobsScheduler.job.publishCerts.summary.itemTemplate=[PKI_INSTANCE_PATH]/emails/publishCertsItem.html
+jobsScheduler.job.publishCerts.summary.itemTemplate=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_DIR]emails/publishCertsItem.html
 jobsScheduler.job.publishCerts.summary.recipientEmail=
 jobsScheduler.job.publishCerts.summary.senderEmail=
 jobsScheduler.job.requestInQueueNotifier.cron=0 0 * * 0
@@ -859,7 +860,7 @@ jobsScheduler.job.requestInQueueNotifier.enabled=false
 jobsScheduler.job.requestInQueueNotifier.pluginName=RequestInQueueJob
 jobsScheduler.job.requestInQueueNotifier.subsystemId=ca
 jobsScheduler.job.requestInQueueNotifier.summary.emailSubject=Requests in Queue Summary Report
-jobsScheduler.job.requestInQueueNotifier.summary.emailTemplate=[PKI_INSTANCE_PATH]/emails/riq1Summary.html
+jobsScheduler.job.requestInQueueNotifier.summary.emailTemplate=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_DIR]emails/riq1Summary.html
 jobsScheduler.job.requestInQueueNotifier.summary.enabled=true
 jobsScheduler.job.requestInQueueNotifier.summary.recipientEmail=
 jobsScheduler.job.requestInQueueNotifier.summary.senderEmail=
@@ -867,9 +868,9 @@ jobsScheduler.job.unpublishExpiredCerts.cron=0 0 * * 6
 jobsScheduler.job.unpublishExpiredCerts.enabled=false
 jobsScheduler.job.unpublishExpiredCerts.pluginName=UnpublishExpiredJob
 jobsScheduler.job.unpublishExpiredCerts.summary.emailSubject=Expired Certs Unpublished Summary
-jobsScheduler.job.unpublishExpiredCerts.summary.emailTemplate=[PKI_INSTANCE_PATH]/emails/euJob1.html
+jobsScheduler.job.unpublishExpiredCerts.summary.emailTemplate=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_DIR]emails/euJob1.html
 jobsScheduler.job.unpublishExpiredCerts.summary.enabled=true
-jobsScheduler.job.unpublishExpiredCerts.summary.itemTemplate=[PKI_INSTANCE_PATH]/emails/euJob1Item.html
+jobsScheduler.job.unpublishExpiredCerts.summary.itemTemplate=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_DIR]emails/euJob1Item.html
 jobsScheduler.job.unpublishExpiredCerts.summary.recipientEmail=
 jobsScheduler.job.unpublishExpiredCerts.summary.senderEmail=
 jss._000=##
@@ -897,7 +898,7 @@ log.instance.SignedAudit.bufferSize=512
 log.instance.SignedAudit.enable=true
 log.instance.SignedAudit.events=AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,PRIVATE_KEY_ARCHIVE_REQUEST,PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,KEY_RECOVERY_REQUEST,KEY_RECOVERY_REQUEST_ASYNC,KEY_RECOVERY_AGENT_LOGIN,KEY_RECOVERY_REQUEST_PROCESSED,KEY_RECOVERY_REQUEST_PROCESSED_ASYNC,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ_SUCCESS,AUTHZ_FAIL,INTER_BOUNDARY,AUTH_FAIL,AUTH_SUCCESS,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_ADD_CA_REQUEST,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST,OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS,OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,SECURITY_DOMAIN_UPDATE,CONFIG_SERIAL_NUMBER
 log.instance.SignedAudit.expirationTime=0
-log.instance.SignedAudit.fileName=[PKI_INSTANCE_PATH]/logs/signedAudit/ca_audit
+log.instance.SignedAudit.fileName=[PKI_INSTANCE_PATH]/logs/[PKI_SUBSYSTEM_DIR]signedAudit/ca_audit
 log.instance.SignedAudit.flushInterval=5
 log.instance.SignedAudit.level=1
 log.instance.SignedAudit.logSigning=false
@@ -913,7 +914,7 @@ log.instance.System._002=##
 log.instance.System.bufferSize=512
 log.instance.System.enable=true
 log.instance.System.expirationTime=0
-log.instance.System.fileName=[PKI_INSTANCE_PATH]/logs/system
+log.instance.System.fileName=[PKI_INSTANCE_PATH]/logs/[PKI_SUBSYSTEM_DIR]system
 log.instance.System.flushInterval=5
 log.instance.System.level=3
 log.instance.System.maxFileSize=2000
@@ -926,15 +927,15 @@ log.instance.Transactions._002=##
 log.instance.Transactions.bufferSize=512
 log.instance.Transactions.enable=true
 log.instance.Transactions.expirationTime=0
-log.instance.Transactions.fileName=[PKI_INSTANCE_PATH]/logs/transactions
+log.instance.Transactions.fileName=[PKI_INSTANCE_PATH]/logs/[PKI_SUBSYSTEM_DIR]transactions
 log.instance.Transactions.flushInterval=5
 log.instance.Transactions.level=1
 log.instance.Transactions.maxFileSize=2000
 log.instance.Transactions.pluginName=file
 log.instance.Transactions.rolloverInterval=2592000
 log.instance.Transactions.type=transaction
-logAudit.fileName=[PKI_INSTANCE_PATH]/logs/access
-logError.fileName=[PKI_INSTANCE_PATH]/logs/error
+logAudit.fileName=[PKI_INSTANCE_PATH]/logs/[PKI_SUBSYSTEM_DIR]access
+logError.fileName=[PKI_INSTANCE_PATH]/logs/[PKI_SUBSYSTEM_DIR]error
 oidmap.auth_info_access.class=netscape.security.extensions.AuthInfoAccessExtension
 oidmap.auth_info_access.oid=1.3.6.1.5.5.7.1.1
 oidmap.challenge_password.class=com.netscape.cms.servlet.cert.scep.ChallengePassword
@@ -956,106 +957,106 @@ oidmap.subject_info_access.oid=1.3.6.1.5.5.7.1.11
 os.userid=nobody
 profile.list=caUserCert,caECUserCert,caUserSMIMEcapCert,caDualCert,caECDualCert,caSignedLogCert,caTPSCert,caRARouterCert,caRouterCert,caServerCert,caOtherCert,caCACert,caInstallCACert,caRACert,caOCSPCert,caTransportCert,caDirUserCert,caAgentServerCert,caAgentFileSigning,caCMCUserCert,caFullCMCUserCert,caSimpleCMCUserCert,caTokenDeviceKeyEnrollment,caTokenUserEncryptionKeyEnrollment,caTokenUserSigningKeyEnrollment,caTempTokenDeviceKeyEnrollment,caTempTokenUserEncryptionKeyEnrollment,caTempTokenUserSigningKeyEnrollment,caAdminCert,caInternalAuthServerCert,caInternalAuthTransportCert,caInternalAuthDRMstorageCert,caInternalAuthSubsystemCert,caInternalAuthOCSPCert,caInternalAuthAuditSigningCert,DomainController,caDualRAuserCert,caRAagentCert,caRAserverCert,caUUIDdeviceCert,caSSLClientSelfRenewal,caDirUserRenewal,caManualRenewal,caTokenMSLoginEnrollment,caTokenUserSigningKeyRenewal,caTokenUserEncryptionKeyRenewal,caJarSigningCert,caIPAserviceCert,caEncUserCert,caEncECUserCert
 profile.caUUIDdeviceCert.class_id=caEnrollImpl
-profile.caUUIDdeviceCert.config=[PKI_INSTANCE_PATH]/profiles/ca/caUUIDdeviceCert.cfg
+profile.caUUIDdeviceCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_DIR]profiles/ca/caUUIDdeviceCert.cfg
 profile.caManualRenewal.class_id=caEnrollImpl
-profile.caManualRenewal.config=[PKI_INSTANCE_PATH]/profiles/ca/caManualRenewal.cfg
+profile.caManualRenewal.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_DIR]profiles/ca/caManualRenewal.cfg
 profile.caDirUserRenewal.class_id=caEnrollImpl
-profile.caDirUserRenewal.config=[PKI_INSTANCE_PATH]/profiles/ca/caDirUserRenewal.cfg
+profile.caDirUserRenewal.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_DIR]profiles/ca/caDirUserRenewal.cfg
 profile.caSSLClientSelfRenewal.class_id=caEnrollImpl
-profile.caSSLClientSelfRenewal.config=[PKI_INSTANCE_PATH]/profiles/ca/caSSLClientSelfRenewal.cfg
+profile.caSSLClientSelfRenewal.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_DIR]profiles/ca/caSSLClientSelfRenewal.cfg
 profile.DomainController.class_id=caEnrollImpl
-profile.DomainController.config=[PKI_INSTANCE_PATH]/profiles/ca/DomainController.cfg
+profile.DomainController.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_DIR]profiles/ca/DomainController.cfg
 profile.caAgentFileSigning.class_id=caEnrollImpl
-profile.caAgentFileSigning.config=[PKI_INSTANCE_PATH]/profiles/ca/caAgentFileSigning.cfg
+profile.caAgentFileSigning.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_DIR]profiles/ca/caAgentFileSigning.cfg
 profile.caAgentServerCert.class_id=caEnrollImpl
-profile.caAgentServerCert.config=[PKI_INSTANCE_PATH]/profiles/ca/caAgentServerCert.cfg
+profile.caAgentServerCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_DIR]profiles/ca/caAgentServerCert.cfg
 profile.caRAserverCert.class_id=caEnrollImpl
-profile.caRAserverCert.config=[PKI_INSTANCE_PATH]/profiles/ca/caRAserverCert.cfg
+profile.caRAserverCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_DIR]profiles/ca/caRAserverCert.cfg
 profile.caCACert.class_id=caEnrollImpl
-profile.caCACert.config=[PKI_INSTANCE_PATH]/profiles/ca/caCACert.cfg
+profile.caCACert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_DIR]profiles/ca/caCACert.cfg
 profile.caInstallCACert.class_id=caEnrollImpl
-profile.caInstallCACert.config=[PKI_INSTANCE_PATH]/profiles/ca/caInstallCACert.cfg
+profile.caInstallCACert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_DIR]profiles/ca/caInstallCACert.cfg
 profile.caCMCUserCert.class_id=caEnrollImpl
-profile.caCMCUserCert.config=[PKI_INSTANCE_PATH]/profiles/ca/caCMCUserCert.cfg
+profile.caCMCUserCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_DIR]profiles/ca/caCMCUserCert.cfg
 profile.caDirUserCert.class_id=caEnrollImpl
-profile.caDirUserCert.config=[PKI_INSTANCE_PATH]/profiles/ca/caDirUserCert.cfg
+profile.caDirUserCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_DIR]profiles/ca/caDirUserCert.cfg
 profile.caDualCert.class_id=caEnrollImpl
-profile.caDualCert.config=[PKI_INSTANCE_PATH]/profiles/ca/caDualCert.cfg
+profile.caDualCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_DIR]profiles/ca/caDualCert.cfg
 profile.caECDualCert.class_id=caEnrollImpl
-profile.caECDualCert.config=[PKI_INSTANCE_PATH]/profiles/ca/caECDualCert.cfg
+profile.caECDualCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_DIR]profiles/ca/caECDualCert.cfg
 profile.caDualRAuserCert.class_id=caEnrollImpl
-profile.caDualRAuserCert.config=[PKI_INSTANCE_PATH]/profiles/ca/caDualRAuserCert.cfg
+profile.caDualRAuserCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_DIR]profiles/ca/caDualRAuserCert.cfg
 profile.caRAagentCert.class_id=caEnrollImpl
-profile.caRAagentCert.config=[PKI_INSTANCE_PATH]/profiles/ca/caRAagentCert.cfg
+profile.caRAagentCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_DIR]profiles/ca/caRAagentCert.cfg
 profile.caFullCMCUserCert.class_id=caEnrollImpl
-profile.caFullCMCUserCert.config=[PKI_INSTANCE_PATH]/profiles/ca/caFullCMCUserCert.cfg
+profile.caFullCMCUserCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_DIR]profiles/ca/caFullCMCUserCert.cfg
 profile.caInternalAuthOCSPCert.class_id=caEnrollImpl
-profile.caInternalAuthOCSPCert.config=[PKI_INSTANCE_PATH]/profiles/ca/caInternalAuthOCSPCert.cfg
+profile.caInternalAuthOCSPCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_DIR]profiles/ca/caInternalAuthOCSPCert.cfg
 profile.caInternalAuthAuditSigningCert.class_id=caEnrollImpl
-profile.caInternalAuthAuditSigningCert.config=[PKI_INSTANCE_PATH]/profiles/ca/caInternalAuthAuditSigningCert.cfg
+profile.caInternalAuthAuditSigningCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_DIR]profiles/ca/caInternalAuthAuditSigningCert.cfg
 profile.caInternalAuthServerCert.class_id=caEnrollImpl
-profile.caInternalAuthServerCert.config=[PKI_INSTANCE_PATH]/profiles/ca/caInternalAuthServerCert.cfg
+profile.caInternalAuthServerCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_DIR]profiles/ca/caInternalAuthServerCert.cfg
 profile.caInternalAuthSubsystemCert.class_id=caEnrollImpl
-profile.caInternalAuthSubsystemCert.config=[PKI_INSTANCE_PATH]/profiles/ca/caInternalAuthSubsystemCert.cfg
+profile.caInternalAuthSubsystemCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_DIR]profiles/ca/caInternalAuthSubsystemCert.cfg
 profile.caInternalAuthDRMstorageCert.class_id=caEnrollImpl
-profile.caInternalAuthDRMstorageCert.config=[PKI_INSTANCE_PATH]/profiles/ca/caInternalAuthDRMstorageCert.cfg
+profile.caInternalAuthDRMstorageCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_DIR]profiles/ca/caInternalAuthDRMstorageCert.cfg
 profile.caInternalAuthTransportCert.class_id=caEnrollImpl
-profile.caInternalAuthTransportCert.config=[PKI_INSTANCE_PATH]/profiles/ca/caInternalAuthTransportCert.cfg 
+profile.caInternalAuthTransportCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_DIR]profiles/ca/caInternalAuthTransportCert.cfg
 profile.caOCSPCert.class_id=caEnrollImpl
-profile.caOCSPCert.config=[PKI_INSTANCE_PATH]/profiles/ca/caOCSPCert.cfg
+profile.caOCSPCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_DIR]profiles/ca/caOCSPCert.cfg
 profile.caOtherCert.class_id=caEnrollImpl
-profile.caOtherCert.config=[PKI_INSTANCE_PATH]/profiles/ca/caOtherCert.cfg
+profile.caOtherCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_DIR]profiles/ca/caOtherCert.cfg
 profile.caRACert.class_id=caEnrollImpl
-profile.caRACert.config=[PKI_INSTANCE_PATH]/profiles/ca/caRACert.cfg
+profile.caRACert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_DIR]profiles/ca/caRACert.cfg
 profile.caRARouterCert.class_id=caEnrollImpl
-profile.caRARouterCert.config=[PKI_INSTANCE_PATH]/profiles/ca/caRARouterCert.cfg
+profile.caRARouterCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_DIR]profiles/ca/caRARouterCert.cfg
 profile.caRouterCert.class_id=caEnrollImpl
-profile.caRouterCert.config=[PKI_INSTANCE_PATH]/profiles/ca/caRouterCert.cfg
+profile.caRouterCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_DIR]profiles/ca/caRouterCert.cfg
 profile.caServerCert.class_id=caEnrollImpl
-profile.caServerCert.config=[PKI_INSTANCE_PATH]/profiles/ca/caServerCert.cfg
+profile.caServerCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_DIR]profiles/ca/caServerCert.cfg
 profile.caSignedLogCert.class_id=caEnrollImpl
-profile.caSignedLogCert.config=[PKI_INSTANCE_PATH]/profiles/ca/caSignedLogCert.cfg
+profile.caSignedLogCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_DIR]profiles/ca/caSignedLogCert.cfg
 profile.caSimpleCMCUserCert.class_id=caEnrollImpl
-profile.caSimpleCMCUserCert.config=[PKI_INSTANCE_PATH]/profiles/ca/caSimpleCMCUserCert.cfg
+profile.caSimpleCMCUserCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_DIR]profiles/ca/caSimpleCMCUserCert.cfg
 profile.caTPSCert.class_id=caEnrollImpl
-profile.caTPSCert.config=[PKI_INSTANCE_PATH]/profiles/ca/caTPSCert.cfg
+profile.caTPSCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_DIR]profiles/ca/caTPSCert.cfg
 profile.caAdminCert.class_id=caEnrollImpl
-profile.caAdminCert.config=[PKI_INSTANCE_PATH]/profiles/ca/caAdminCert.cfg
+profile.caAdminCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_DIR]profiles/ca/caAdminCert.cfg
 profile.caTempTokenDeviceKeyEnrollment.class_id=caUserCertEnrollImpl
-profile.caTempTokenDeviceKeyEnrollment.config=[PKI_INSTANCE_PATH]/profiles/ca/caTempTokenDeviceKeyEnrollment.cfg
+profile.caTempTokenDeviceKeyEnrollment.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_DIR]profiles/ca/caTempTokenDeviceKeyEnrollment.cfg
 profile.caTempTokenUserEncryptionKeyEnrollment.class_id=caUserCertEnrollImpl
-profile.caTempTokenUserEncryptionKeyEnrollment.config=[PKI_INSTANCE_PATH]/profiles/ca/caTempTokenUserEncryptionKeyEnrollment.cfg
+profile.caTempTokenUserEncryptionKeyEnrollment.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_DIR]profiles/ca/caTempTokenUserEncryptionKeyEnrollment.cfg
 profile.caTokenUserEncryptionKeyRenewal.class_id=caUserCertEnrollImpl
-profile.caTokenUserEncryptionKeyRenewal.config=[PKI_INSTANCE_PATH]/profiles/ca/caTokenUserEncryptionKeyRenewal.cfg
+profile.caTokenUserEncryptionKeyRenewal.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_DIR]profiles/ca/caTokenUserEncryptionKeyRenewal.cfg
 profile.caTempTokenUserSigningKeyEnrollment.class_id=caUserCertEnrollImpl
-profile.caTempTokenUserSigningKeyEnrollment.config=[PKI_INSTANCE_PATH]/profiles/ca/caTempTokenUserSigningKeyEnrollment.cfg
+profile.caTempTokenUserSigningKeyEnrollment.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_DIR]profiles/ca/caTempTokenUserSigningKeyEnrollment.cfg
 profile.caTokenUserSigningKeyRenewal.class_id=caUserCertEnrollImpl
-profile.caTokenUserSigningKeyRenewal.config=[PKI_INSTANCE_PATH]/profiles/ca/caTokenUserSigningKeyRenewal.cfg
+profile.caTokenUserSigningKeyRenewal.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_DIR]profiles/ca/caTokenUserSigningKeyRenewal.cfg
 profile.caTokenDeviceKeyEnrollment.class_id=caUserCertEnrollImpl
-profile.caTokenDeviceKeyEnrollment.config=[PKI_INSTANCE_PATH]/profiles/ca/caTokenDeviceKeyEnrollment.cfg
+profile.caTokenDeviceKeyEnrollment.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_DIR]profiles/ca/caTokenDeviceKeyEnrollment.cfg
 profile.caTokenUserEncryptionKeyEnrollment.class_id=caUserCertEnrollImpl
-profile.caTokenUserEncryptionKeyEnrollment.config=[PKI_INSTANCE_PATH]/profiles/ca/caTokenUserEncryptionKeyEnrollment.cfg
+profile.caTokenUserEncryptionKeyEnrollment.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_DIR]profiles/ca/caTokenUserEncryptionKeyEnrollment.cfg
 profile.caTokenUserSigningKeyEnrollment.class_id=caUserCertEnrollImpl
-profile.caTokenUserSigningKeyEnrollment.config=[PKI_INSTANCE_PATH]/profiles/ca/caTokenUserSigningKeyEnrollment.cfg
+profile.caTokenUserSigningKeyEnrollment.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_DIR]profiles/ca/caTokenUserSigningKeyEnrollment.cfg
 profile.caTokenMSLoginEnrollment.class_id=caUserCertEnrollImpl
-profile.caTokenMSLoginEnrollment.config=[PKI_INSTANCE_PATH]/profiles/ca/caTokenMSLoginEnrollment.cfg
+profile.caTokenMSLoginEnrollment.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_DIR]profiles/ca/caTokenMSLoginEnrollment.cfg
 profile.caTransportCert.class_id=caEnrollImpl
-profile.caTransportCert.config=[PKI_INSTANCE_PATH]/profiles/ca/caTransportCert.cfg
+profile.caTransportCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_DIR]profiles/ca/caTransportCert.cfg
 profile.caUserCert.class_id=caEnrollImpl
-profile.caUserCert.config=[PKI_INSTANCE_PATH]/profiles/ca/caUserCert.cfg
+profile.caUserCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_DIR]profiles/ca/caUserCert.cfg
 profile.caECUserCert.class_id=caEnrollImpl
-profile.caECUserCert.config=[PKI_INSTANCE_PATH]/profiles/ca/caECUserCert.cfg
+profile.caECUserCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_DIR]profiles/ca/caECUserCert.cfg
 profile.caUserSMIMEcapCert.class_id=caEnrollImpl
-profile.caUserSMIMEcapCert.config=[PKI_INSTANCE_PATH]/profiles/ca/caUserSMIMEcapCert.cfg
+profile.caUserSMIMEcapCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_DIR]profiles/ca/caUserSMIMEcapCert.cfg
 profile.caJarSigningCert.class_id=caEnrollImpl
-profile.caJarSigningCert.config=[PKI_INSTANCE_PATH]/profiles/ca/caJarSigningCert.cfg
+profile.caJarSigningCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_DIR]profiles/ca/caJarSigningCert.cfg
 profile.caIPAserviceCert.class_id=caEnrollImpl
-profile.caIPAserviceCert.config=[PKI_INSTANCE_PATH]/profiles/ca/caIPAserviceCert.cfg
+profile.caIPAserviceCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_DIR]profiles/ca/caIPAserviceCert.cfg
 profile.caEncUserCert.class_id=caEnrollImpl
-profile.caEncUserCert.config=[PKI_INSTANCE_PATH]/profiles/ca/caEncUserCert.cfg
+profile.caEncUserCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_DIR]profiles/ca/caEncUserCert.cfg
 profile.caEncECUserCert.class_id=caEnrollImpl
-profile.caEncECUserCert.config=[PKI_INSTANCE_PATH]/profiles/ca/caEncECUserCert.cfg
-registry.file=[PKI_INSTANCE_PATH]/conf/registry.cfg
+profile.caEncECUserCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_DIR]profiles/ca/caEncECUserCert.cfg
+registry.file=[PKI_INSTANCE_PATH]/conf/[PKI_SUBSYSTEM_DIR]registry.cfg
 processor.caProfileProcess.getClientCert=true
 processor.caProfileProcess.authzMgr=BasicAclAuthz
 processor.caProfileProcess.authorityId=ca
@@ -1096,7 +1097,7 @@ selftests.container.logger.bufferSize=512
 selftests.container.logger.class=com.netscape.cms.logging.RollingLogFile
 selftests.container.logger.enable=true
 selftests.container.logger.expirationTime=0
-selftests.container.logger.fileName=[PKI_INSTANCE_PATH]/logs/selftests.log
+selftests.container.logger.fileName=[PKI_INSTANCE_PATH]/logs/[PKI_SUBSYSTEM_DIR]selftests.log
 selftests.container.logger.flushInterval=5
 selftests.container.logger.level=1
 selftests.container.logger.maxFileSize=2000
diff --git a/base/ca/shared/webapps/ca/WEB-INF/web.xml b/base/ca/shared/webapps/ca/WEB-INF/web.xml
index 692cb4898..8471d6cd4 100644
--- a/base/ca/shared/webapps/ca/WEB-INF/web.xml
+++ b/base/ca/shared/webapps/ca/WEB-INF/web.xml
@@ -3,90 +3,6 @@
    PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN" "file:///usr/share/pki/setup/web-app_2_3.dtd">
 <web-app>
 
-    <filter>
-        <filter-name>AgentRequestFilter</filter-name>
-        <filter-class>com.netscape.cms.servlet.filter.AgentRequestFilter</filter-class>
-        <init-param>
-            <param-name>https_port</param-name>
-            <param-value>[PKI_AGENT_SECURE_PORT]</param-value>
-        </init-param>
-[PKI_OPEN_ENABLE_PROXY_COMMENT]
-        <init-param>
-            <param-name>proxy_port</param-name>
-            <param-value>[PKI_PROXY_SECURE_PORT]</param-value>
-        </init-param>
-[PKI_CLOSE_ENABLE_PROXY_COMMENT]
-        <init-param>
-            <param-name>active</param-name>
-            <param-value>true</param-value>
-        </init-param>
-    </filter>
-
-    <filter>
-        <filter-name>AdminRequestFilter</filter-name>
-        <filter-class>com.netscape.cms.servlet.filter.AdminRequestFilter</filter-class>
-        <init-param>
-            <param-name>https_port</param-name>
-            <param-value>[PKI_ADMIN_SECURE_PORT]</param-value>
-        </init-param>
-[PKI_OPEN_ENABLE_PROXY_COMMENT]
-        <init-param>
-            <param-name>proxy_port</param-name>
-            <param-value>[PKI_PROXY_SECURE_PORT]</param-value>
-        </init-param>
-[PKI_CLOSE_ENABLE_PROXY_COMMENT]
-        <init-param>
-            <param-name>active</param-name>
-            <param-value>true</param-value>
-        </init-param>
-    </filter>
-
-    <filter>
-        <filter-name>EERequestFilter</filter-name>
-        <filter-class>com.netscape.cms.servlet.filter.EERequestFilter</filter-class>
-        <init-param>
-            <param-name>http_port</param-name>
-            <param-value>[PKI_UNSECURE_PORT]</param-value>
-        </init-param>
-        <init-param>
-            <param-name>https_port</param-name>
-            <param-value>[PKI_EE_SECURE_PORT]</param-value>
-        </init-param>
-[PKI_OPEN_ENABLE_PROXY_COMMENT]
-        <init-param>
-            <param-name>proxy_port</param-name>
-            <param-value>[PKI_PROXY_SECURE_PORT]</param-value>
-        </init-param>
-        <init-param>
-            <param-name>proxy_http_port</param-name>
-            <param-value>[PKI_PROXY_UNSECURE_PORT]</param-value>
-        </init-param>
-[PKI_CLOSE_ENABLE_PROXY_COMMENT]
-        <init-param>
-            <param-name>active</param-name>
-            <param-value>true</param-value>
-        </init-param>
-    </filter>
-
-    <filter>
-        <filter-name>EEClientAuthRequestFilter</filter-name>
-        <filter-class>com.netscape.cms.servlet.filter.EEClientAuthRequestFilter</filter-class>
-        <init-param>
-            <param-name>https_port</param-name>
-            <param-value>[PKI_EE_SECURE_CLIENT_AUTH_PORT]</param-value>
-        </init-param>
-[PKI_OPEN_ENABLE_PROXY_COMMENT]
-        <init-param>
-            <param-name>proxy_port</param-name>
-            <param-value>[PKI_PROXY_SECURE_PORT]</param-value>
-        </init-param>
-[PKI_CLOSE_ENABLE_PROXY_COMMENT]
-        <init-param>
-            <param-name>active</param-name>
-            <param-value>true</param-value>
-        </init-param>
-    </filter>
-
     <servlet>
         <servlet-name>csadmin-wizard</servlet-name>
         <servlet-class>com.netscape.cms.servlet.wizard.WizardServlet</servlet-class>
@@ -415,7 +331,7 @@
              <init-param><param-name>  AuthzMgr    </param-name>
                          <param-value> BasicAclAuthz </param-value> </init-param>
              <init-param><param-name>  cfgPath     </param-name>
-                         <param-value> [PKI_INSTANCE_PATH]/conf/CS.cfg </param-value> </init-param>
+                         <param-value> [PKI_INSTANCE_PATH]/conf/[PKI_SUBSYSTEM_DIR]CS.cfg </param-value> </init-param>
              <init-param><param-name>  ID          </param-name>
                          <param-value> castart     </param-value> </init-param>
       <load-on-startup>  1  </load-on-startup>
@@ -1900,10 +1816,9 @@
                          <param-value> /agent/ca/doRevoke       </param-value> </init-param>
    </servlet>
 
-   <context-param>
-      <param-name>resteasy.scan</param-name>
-      <param-value>true</param-value>
-   </context-param>
+   <listener>
+      <listener-class> org.jboss.resteasy.plugins.server.servlet.ResteasyBootstrap </listener-class>
+   </listener>
 
    <context-param>
       <param-name>resteasy.servlet.mapping.prefix</param-name>
@@ -1920,50 +1835,12 @@
    <servlet>
       <servlet-name>Resteasy</servlet-name>
       <servlet-class>org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher</servlet-class>
+      <init-param>
+         <param-name>javax.ws.rs.Application</param-name>
+         <param-value>com.netscape.ca.CertificateAuthorityApplication</param-value>
+      </init-param>
    </servlet>
    
-[PKI_OPEN_SEPARATE_PORTS_WEB_COMMENT]
-   <filter-mapping>
-      <filter-name>   AgentRequestFilter          </filter-name>
-      <url-pattern>   /agent/*                    </url-pattern>
-      <url-pattern>   /ca/getCertFromRequest      </url-pattern>
-      <url-pattern>   /ca/getBySerial             </url-pattern>
-      <url-pattern>   /ca/connector               </url-pattern>
-      <url-pattern>   /ca/displayCertFromRequest  </url-pattern>
-      <url-pattern>   /doRevoke                   </url-pattern>
-   </filter-mapping>
-
-   <filter-mapping>
-      <filter-name>   AdminRequestFilter          </filter-name>
-      <url-pattern>   /admin/*                    </url-pattern>
-      <url-pattern>   /auths                      </url-pattern>
-      <url-pattern>   /acl                        </url-pattern>
-      <url-pattern>   /server                     </url-pattern>
-      <url-pattern>   /caadmin                    </url-pattern>
-      <url-pattern>   /caprofile                  </url-pattern>
-      <url-pattern>   /jobsScheduler              </url-pattern>
-      <url-pattern>   /capublisher                </url-pattern>
-      <url-pattern>   /log                        </url-pattern>
-      <url-pattern>   /ug                         </url-pattern>
-   </filter-mapping>
-
-   <filter-mapping> 
-      <filter-name>  EEClientAuthRequestFilter    </filter-name>
-      <url-pattern>  /eeca/*                        </url-pattern>
-   </filter-mapping>
-
-   <filter-mapping>
-      <filter-name>  EERequestFilter              </filter-name>
-      <url-pattern>  /ee/*                        </url-pattern>
-      <url-pattern>  /renewal                     </url-pattern>
-      <url-pattern>  /certbasedenrollment         </url-pattern>
-      <url-pattern>  /ocsp                        </url-pattern>
-      <url-pattern>  /enrollment                  </url-pattern>
-      <url-pattern>  /profileSubmit               </url-pattern>
-      <url-pattern>  /cgi-bin/pkiclient.exe       </url-pattern>
-   </filter-mapping>
-[PKI_CLOSE_SEPARATE_PORTS_WEB_COMMENT]
-
    <servlet-mapping>
       <servlet-name>Resteasy</servlet-name>
       <url-pattern>/pki/*</url-pattern>
diff --git a/base/common/shared/conf/catalina.properties b/base/common/shared/conf/catalina.properties
index 003089a43..c44758699 100644
--- a/base/common/shared/conf/catalina.properties
+++ b/base/common/shared/conf/catalina.properties
@@ -51,6 +51,10 @@ package.definition=sun.,java.,org.apache.catalina.,org.apache.coyote.,org.apache
 #                  repositories
 #     "foo/bar.jar": Add bar.jar as a class repository
 common.loader=${catalina.base}/lib,${catalina.base}/lib/*.jar,${catalina.home}/lib,${catalina.home}/lib/*.jar,[TOMCAT_INSTANCE_COMMON_LIB]
+#,[PKI_INSTANCE_PATH]/webapps/ca/WEB-INF/lib/pki-ca.jar
+#,[PKI_INSTANCE_PATH]/webapps/kra/WEB-INF/lib/pki-kra.jar
+#,[PKI_INSTANCE_PATH]/webapps/ocsp/WEB-INF/lib/pki-ocsp.jar
+#,[PKI_INSTANCE_PATH]/webapps/tks/WEB-INF/lib/pki-tks.jar
 
 #
 # List of comma-separated paths defining the contents of the "server"
diff --git a/base/common/shared/conf/log4j.properties b/base/common/shared/conf/log4j.properties
index 5861ec750..dd4bd9318 100644
--- a/base/common/shared/conf/log4j.properties
+++ b/base/common/shared/conf/log4j.properties
@@ -4,14 +4,27 @@
 # Modifications: configuration parameters
 # --- END COPYRIGHT BLOCK ---
 
-log4j.rootLogger=debug, R 
-log4j.appender.R=org.apache.log4j.RollingFileAppender 
-log4j.appender.R.File=${catalina.home}/logs/tomcat.log 
-log4j.appender.R.MaxFileSize=10MB 
-log4j.appender.R.MaxBackupIndex=10 
-log4j.appender.R.layout=org.apache.log4j.PatternLayout 
-log4j.appender.R.layout.ConversionPattern=%p %t %c - %m%n 
+log4j.rootLogger=debug, R
+log4j.appender.R=org.apache.log4j.RollingFileAppender
+log4j.appender.R.File=${catalina.base}/logs/catalina.out
+log4j.appender.R.MaxFileSize=10MB
+log4j.appender.R.MaxBackupIndex=10
+log4j.appender.R.layout=org.apache.log4j.PatternLayout
+log4j.appender.R.layout.ConversionPattern=%p %t %c - %m%n
 log4j.logger.org.apache.catalina=DEBUG, R
 log4j.logger.org.apache.catalina.core.ContainerBase.[Catalina].[localhost]=DEBUG, R
 log4j.logger.org.apache.catalina.core=DEBUG, R
 log4j.logger.org.apache.catalina.session=DEBUG, R
+
+#resteasy
+log4j.appender.stdout=org.apache.log4j.ConsoleAppender
+log4j.appender.stdout.Target=System.out
+log4j.appender.stdout.layout=org.apache.log4j.PatternLayout
+log4j.appender.stdout.layout.ConversionPattern=%d{ABSOLUTE} %5p (%c:%L) - %m%n
+log4j.rootLogger=warn, stdout
+log4j.rootCategory=debug, stdout
+log4j.category.org.jboss.resteasy.core=debug
+log4j.category.org.jboss.resteasy.plugins.providers=debug
+log4j.category.org.jboss.resteasy.specimpl=debug
+log4j.category.org.jboss.resteasy.plugins.server=debug
+log4j.logger.org.jboss.resteasy.mock=debug
diff --git a/base/common/shared/conf/server.xml b/base/common/shared/conf/server.xml
index d5788552c..46ee15b0b 100644
--- a/base/common/shared/conf/server.xml
+++ b/base/common/shared/conf/server.xml
@@ -68,7 +68,10 @@ Tomcat Port         = [TOMCAT_SERVER_PORT] (for shutdown)
 <Server port="[TOMCAT_SERVER_PORT]" shutdown="SHUTDOWN">
 
   <!--APR library loader. Documentation at /docs/apr.html -->
-  <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />
+  <!-- The following Listener class has been commented out because this -->
+  <!-- implementation depends upon the 'tomcatjss' JSSE module, 'JSS',  -->
+  <!-- and 'NSS' rather than the 'tomcat-native' module! -->
+  <!-- Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" -->
   <!--Initialize Jasper prior to webapps are loaded. Documentation at /docs/jasper-howto.html -->
   <Listener className="org.apache.catalina.core.JasperListener" />
   <!-- JMX Support for the Tomcat server. Documentation at /docs/non-existent.html -->
@@ -116,7 +119,7 @@ Tomcat Port         = [TOMCAT_SERVER_PORT] (for shutdown)
     [PKI_UNSECURE_PORT_SERVER_COMMENT]
     <Connector name="[PKI_UNSECURE_PORT_CONNECTOR_NAME]" port="[PKI_UNSECURE_PORT]" protocol="HTTP/1.1" redirectPort="8443"
            maxHttpHeaderSize="8192"
-           acceptCount="100" maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
+           acceptCount="100" maxThreads="150" minSpareThreads="25"
            enableLookups="false" connectionTimeout="20000" disableUploadTimeout="true"
            />
 
@@ -124,9 +127,31 @@ Tomcat Port         = [TOMCAT_SERVER_PORT] (for shutdown)
     [PKI_SECURE_PORT_SERVER_COMMENT]
     <!-- DO NOT REMOVE - Begin define PKI secure port
     1
+    NOTE: The following 'keys' (and their assigned values) are exclusive to
+          the 'tomcatjss' JSSE module:
+
+              'enableOCSP'
+              'ocspResponderURL'
+              'ocspResponderCertNickname'
+              'ocspCacheSize'
+              'ocspMinCacheEntryDuration'
+              'ocspMaxCacheEntryDuration'
+              'ocspTimeout'
+              'strictCiphers'
+              'clientauth' (ALL lowercase)
+              'sslOptions'
+              'ssl2Ciphers'
+              'ssl3Ciphers'
+              'tlsCiphers'
+              'serverCertNickFile'
+              'passwordFile'
+              'passwordClass'
+              'certdbDir'
+
+          and are referenced via the value of the 'sslImplementationName' key.
     NOTE: The OCSP settings take effect globally, so it should only be set once.
 
-      In setup where SSL clientAuth="true", OCSP can be turned on by
+      In setup where SSL clientauth="true", OCSP can be turned on by
       setting enableOCSP to true like the following:
         enableOCSP="true"
       along with changes to related settings, especially:
@@ -150,9 +175,9 @@ Tomcat Port         = [TOMCAT_SERVER_PORT] (for shutdown)
     -->
     <Connector name="[PKI_SECURE_PORT_CONNECTOR_NAME]" port="[PKI_SECURE_PORT]" protocol="HTTP/1.1" SSLEnabled="true" sslProtocol="SSL" scheme="https" secure="true"
            maxHttpHeaderSize="8192"
-           acceptCount="100" maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
+           acceptCount="100" maxThreads="150" minSpareThreads="25"
            enableLookups="false" disableUploadTimeout="true"
-           SSLImplementation="org.apache.tomcat.util.net.jss.JSSImplementation"
+           sslImplementationName="org.apache.tomcat.util.net.jss.JSSImplementation"
            enableOCSP="false"
            ocspResponderURL="http://[PKI_MACHINE_NAME]:9080/ca/ocsp"
            ocspResponderCertNickname="ocspSigningCert cert-pki-ca"
@@ -162,6 +187,7 @@ Tomcat Port         = [TOMCAT_SERVER_PORT] (for shutdown)
            ocspTimeout="10"
            strictCiphers="false"
            clientAuth="[PKI_AGENT_CLIENTAUTH]"
+           clientauth="[PKI_AGENT_CLIENTAUTH]"
            sslOptions="[TOMCAT_SSL_OPTIONS]"
            ssl2Ciphers="[TOMCAT_SSL2_CIPHERS]"
            ssl3Ciphers="[TOMCAT_SSL3_CIPHERS]"
@@ -173,23 +199,6 @@ Tomcat Port         = [TOMCAT_SERVER_PORT] (for shutdown)
            />
     <!-- DO NOT REMOVE - End define PKI secure port -->
 
-    <!-- A "Connector" using the shared thread pool-->
-    <!--
-    <Connector executor="tomcatThreadPool"
-               port="8080" protocol="HTTP/1.1"
-               connectionTimeout="20000"
-               redirectPort="8443" />
-    -->
-    <!-- Define a SSL HTTP/1.1 Connector on port 8443
-         This connector uses the JSSE configuration, when using APR, the
-         connector should be using the OpenSSL style configuration
-         described in the APR documentation -->
-    <!--
-    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
-               maxThreads="150" scheme="https" secure="true"
-               clientAuth="false" sslProtocol="TLS" />
-    -->
-
     <!-- Define an AJP 1.3 Connector on port [PKI_AJP_PORT] -->
 [PKI_OPEN_AJP_PORT_COMMENT]
     <Connector port="[PKI_AJP_PORT]" protocol="AJP/1.3" redirectPort="[PKI_AJP_REDIRECT_PORT]" />
@@ -281,10 +290,45 @@ Tomcat Port         = [TOMCAT_SERVER_PORT] (for shutdown)
       <!-- Define the default virtual host
            Note: XML Schema validation will not work with Xerces 2.2.
       -->
-      <Host name="localhost"  appBase="webapps"
+      <Host name="localhost"
+            appBase="[PKI_INSTANCE_PATH]/webapps"
             unpackWARs="true" autoDeploy="false"
             xmlValidation="false" xmlNamespaceAware="false">
 
+        <!--
+        <Context path="/ca"
+                 docBase="ca"
+                 allowLinking="true">
+          <Loader className="org.apache.catalina.loader.VirtualWebappLoader"
+                  virtualClasspath="[PKI_INSTANCE_PATH]/ca/webapps/ca/WEB-INF/classes;[PKI_INSTANCE_PATH]/ca/webapps/ca/WEB-INF/lib" />" />
+          <JarScanner scanAllDirectories="true" />
+        </Context>
+
+        <Context path="/kra"
+                 docBase="kra"
+                 allowLinking="true">
+          <Loader className="org.apache.catalina.loader.VirtualWebappLoader"
+                  virtualClasspath="[PKI_INSTANCE_PATH]/kra/webapps/kra/WEB-INF/classes;[PKI_INSTANCE_PATH]/kra/webapps/kra/WEB-INF/lib" />
+          <JarScanner scanAllDirectories="true" />
+        </Context>
+
+        <Context path="/ocsp"
+                 docBase="ocsp"
+                 allowLinking="true">
+          <Loader className="org.apache.catalina.loader.VirtualWebappLoader"
+                  virtualClasspath="[PKI_INSTANCE_PATH]/ocsp/webapps/ocsp/WEB-INF/classes;[PKI_INSTANCE_PATH]/ocsp/webapps/ocsp/WEB-INF/lib" />
+          <JarScanner scanAllDirectories="true" />
+        </Context>
+
+        <Context path="/tks"
+                 docBase="tks"
+                 allowLinking="true">
+          <Loader className="org.apache.catalina.loader.VirtualWebappLoader"
+                  virtualClasspath="[PKI_INSTANCE_PATH]/tks/webapps/tks/WEB-INF/classes;[PKI_INSTANCE_PATH]/tks/webapps/tks/WEB-INF/lib" />
+          <JarScanner scanAllDirectories="true" />
+        </Context>
+        -->
+
         <!-- SingleSignOn valve, share authentication between web applications
              Documentation at: /docs/config/valve.html -->
         <!--
@@ -294,8 +338,9 @@ Tomcat Port         = [TOMCAT_SERVER_PORT] (for shutdown)
         <!-- Access log processes all example.
              Documentation at: /docs/config/valve.html -->
         <!--
-        <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
-               prefix="localhost_access_log." suffix=".txt" pattern="common" resolveHosts="false"/>
+        <Valve className="org.apache.catalina.valves.AccessLogValve"
+               directory="logs" prefix="localhost_access_log." suffix=".txt"
+               pattern="common" resolveHosts="false"/>
         -->
 
       </Host>
diff --git a/base/common/shared/conf/serverCertNick.conf b/base/common/shared/conf/serverCertNick.conf
new file mode 100644
index 000000000..25bafd622
--- /dev/null
+++ b/base/common/shared/conf/serverCertNick.conf
@@ -0,0 +1,6 @@
+# --- BEGIN COPYRIGHT BLOCK ---
+# Copyright (C) 2012 Red Hat, Inc.
+# All rights reserved.
+# --- END COPYRIGHT BLOCK ---
+#
+Server-Cert cert-[PKI_INSTANCE_ID]
diff --git a/base/common/shared/conf/tomcat.conf b/base/common/shared/conf/tomcat.conf
index aa7fefd19..9c1a81bb7 100644
--- a/base/common/shared/conf/tomcat.conf
+++ b/base/common/shared/conf/tomcat.conf
@@ -21,7 +21,7 @@
 CATALINA_BASE="[PKI_INSTANCE_PATH]"
 #CATALINA_HOME="/usr/share/tomcat"
 #JASPER_HOME="/usr/share/tomcat"
-#CATALINA_TMPDIR="/var/cache/tomcat/temp"
+CATALINA_TMPDIR=[PKI_TMPDIR]
 
 # You can pass some parameters to java here if you wish to
 #JAVA_OPTS="-Xminf0.1 -Xmaxf0.3"
@@ -29,6 +29,9 @@ CATALINA_BASE="[PKI_INSTANCE_PATH]"
 # Use JAVA_OPTS to set java.library.path for libtcnative.so
 #JAVA_OPTS="-Djava.library.path=/usr/lib"
 
+# Enable the following JAVA_OPTS to run a java debugger (e. g. - 'eclipse')
+#JAVA_OPTS="-Xdebug -Xrunjdwp:transport=dt_socket,address=8000,server=y,suspend=n -Djava.awt.headless=true -Xmx128M"
+
 # What user should run tomcat
 TOMCAT_USER="[PKI_USER]"
 
@@ -36,7 +39,7 @@ TOMCAT_USER="[PKI_USER]"
 #LANG="en_US"
 
 # Run tomcat under the Java Security Manager
-SECURITY_MANAGER="[PKI_SECURITY_MANAGER]"
+#SECURITY_MANAGER="[PKI_SECURITY_MANAGER]"
 
 # Time to wait in seconds, before killing process
 #SHUTDOWN_WAIT="30"
diff --git a/base/common/shared/conf/web.xml b/base/common/shared/conf/web.xml
new file mode 100644
index 000000000..cc8383cbf
--- /dev/null
+++ b/base/common/shared/conf/web.xml
@@ -0,0 +1,4283 @@
+<?xml version="1.0" encoding="ISO-8859-1"?>
+<!--
+  Licensed to the Apache Software Foundation (ASF) under one or more
+  contributor license agreements.  See the NOTICE file distributed with
+  this work for additional information regarding copyright ownership.
+  The ASF licenses this file to You under the Apache License, Version 2.0
+  (the "License"); you may not use this file except in compliance with
+  the License.  You may obtain a copy of the License at
+
+      http://www.apache.org/licenses/LICENSE-2.0
+
+  Unless required by applicable law or agreed to in writing, software
+  distributed under the License is distributed on an "AS IS" BASIS,
+  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  See the License for the specific language governing permissions and
+  limitations under the License.
+-->
+<web-app xmlns="http://java.sun.com/xml/ns/javaee"
+  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+  xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
+                      http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
+  version="3.0">
+
+  <!-- ======================== Introduction ============================== -->
+  <!-- This document defines default values for *all* web applications      -->
+  <!-- loaded into this instance of Tomcat.  As each application is         -->
+  <!-- deployed, this file is processed, followed by the                    -->
+  <!-- "/WEB-INF/web.xml" deployment descriptor from your own               -->
+  <!-- applications.                                                        -->
+  <!--                                                                      -->
+  <!-- WARNING:  Do not configure application-specific resources here!      -->
+  <!-- They should go in the "/WEB-INF/web.xml" file in your application.   -->
+
+
+  <!-- ================== Built In Servlet Definitions ==================== -->
+
+
+  <!-- The default servlet for all web applications, that serves static     -->
+  <!-- resources.  It processes all requests that are not mapped to other   -->
+  <!-- servlets with servlet mappings (defined either here or in your own   -->
+  <!-- web.xml file).  This servlet supports the following initialization   -->
+  <!-- parameters (default values are in square brackets):                  -->
+  <!--                                                                      -->
+  <!--   debug               Debugging detail level for messages logged     -->
+  <!--                       by this servlet.  [0]                          -->
+  <!--                                                                      -->
+  <!--   fileEncoding        Encoding to be used to read static resources   -->
+  <!--                       [platform default]                             -->
+  <!--                                                                      -->
+  <!--   input               Input buffer size (in bytes) when reading      -->
+  <!--                       resources to be served.  [2048]                -->
+  <!--                                                                      -->
+  <!--   listings            Should directory listings be produced if there -->
+  <!--                       is no welcome file in this directory?  [false] -->
+  <!--                       WARNING: Listings for directories with many    -->
+  <!--                       entries can be slow and may consume            -->
+  <!--                       significant proportions of server resources.   -->
+  <!--                                                                      -->
+  <!--   output              Output buffer size (in bytes) when writing     -->
+  <!--                       resources to be served.  [2048]                -->
+  <!--                                                                      -->
+  <!--   readonly            Is this context "read only", so HTTP           -->
+  <!--                       commands like PUT and DELETE are               -->
+  <!--                       rejected?  [true]                              -->
+  <!--                                                                      -->
+  <!--   readmeFile          File to display together with the directory    -->
+  <!--                       contents. [null]                               -->
+  <!--                                                                      -->
+  <!--   sendfileSize        If the connector used supports sendfile, this  -->
+  <!--                       represents the minimal file size in KB for     -->
+  <!--                       which sendfile will be used. Use a negative    -->
+  <!--                       value to always disable sendfile.  [48]        -->
+  <!--                                                                      -->
+  <!--   useAcceptRanges     Should the Accept-Ranges header be included    -->
+  <!--                       in responses where appropriate? [true]         -->
+  <!--                                                                      -->
+  <!--  For directory listing customization. Checks localXsltFile, then     -->
+  <!--  globalXsltFile, then defaults to original behavior.                 -->
+  <!--                                                                      -->
+  <!--   localXsltFile       Make directory listings an XML doc and         -->
+  <!--                       pass the result to this style sheet residing   -->
+  <!--                       in that directory. This overrides              -->
+  <!--                       contextXsltFile and globalXsltFile[null]       -->
+  <!--                                                                      -->
+  <!--   contextXsltFile     Make directory listings an XML doc and         -->
+  <!--                       pass the result to this style sheet which is   -->
+  <!--                       relative to the context root. This overrides   -->
+  <!--                       globalXsltFile[null]                           -->
+  <!--                                                                      -->
+  <!--   globalXsltFile      Site wide configuration version of             -->
+  <!--                       localXsltFile This argument is expected        -->
+  <!--                       to be a physical file. [null]                  -->
+  <!--                                                                      -->
+  <!--                                                                      -->
+
+    <servlet>
+        <servlet-name>default</servlet-name>
+        <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
+        <init-param>
+            <param-name>debug</param-name>
+            <param-value>0</param-value>
+        </init-param>
+        <init-param>
+            <param-name>listings</param-name>
+            <param-value>false</param-value>
+        </init-param>
+        <load-on-startup>1</load-on-startup>
+    </servlet>
+
+
+  <!-- The JSP page compiler and execution servlet, which is the mechanism  -->
+  <!-- used by Tomcat to support JSP pages.  Traditionally, this servlet    -->
+  <!-- is mapped to the URL pattern "*.jsp".  This servlet supports the     -->
+  <!-- following initialization parameters (default values are in square    -->
+  <!-- brackets):                                                           -->
+  <!--                                                                      -->
+  <!--   checkInterval       If development is false and checkInterval is   -->
+  <!--                       greater than zero, background compilations are -->
+  <!--                       enabled. checkInterval is the time in seconds  -->
+  <!--                       between checks to see if a JSP page (and its   -->
+  <!--                       dependent files) needs to  be recompiled. [0]  -->
+  <!--                                                                      -->
+  <!--   classdebuginfo      Should the class file be compiled with         -->
+  <!--                       debugging information?  [true]                 -->
+  <!--                                                                      -->
+  <!--   classpath           What class path should I use while compiling   -->
+  <!--                       generated servlets?  [Created dynamically      -->
+  <!--                       based on the current web application]          -->
+  <!--                                                                      -->
+  <!--   compiler            Which compiler Ant should use to compile JSP   -->
+  <!--                       pages.  See the jasper documentation for more  -->
+  <!--                       information.                                   -->
+  <!--                                                                      -->
+  <!--   compilerSourceVM    Compiler source VM. [1.6]                      -->
+  <!--                                                                      -->
+  <!--   compilerTargetVM    Compiler target VM. [1.6]                      -->
+  <!--                                                                      -->
+  <!--   development         Is Jasper used in development mode? If true,   -->
+  <!--                       the frequency at which JSPs are checked for    -->
+  <!--                       modification may be specified via the          -->
+  <!--                       modificationTestInterval parameter. [true]     -->
+  <!--                                                                      -->
+  <!--   displaySourceFragment                                              -->
+  <!--                       Should a source fragment be included in        -->
+  <!--                       exception messages? [true]                     -->
+  <!--                                                                      -->
+  <!--   dumpSmap            Should the SMAP info for JSR45 debugging be    -->
+  <!--                       dumped to a file? [false]                      -->
+  <!--                       False if suppressSmap is true                  -->
+  <!--                                                                      -->
+  <!--   enablePooling       Determines whether tag handler pooling is      -->
+  <!--                       enabled. This is a compilation option. It will -->
+  <!--                       not alter the behaviour of JSPs that have      -->
+  <!--                       already been compiled. [true]                  -->
+  <!--                                                                      -->
+  <!--   engineOptionsClass  Allows specifying the Options class used to    -->
+  <!--                       configure Jasper. If not present, the default  -->
+  <!--                       EmbeddedServletOptions will be used.           -->
+  <!--                                                                      -->
+  <!--   errorOnUseBeanInvalidClassAttribute                                -->
+  <!--                       Should Jasper issue an error when the value of -->
+  <!--                       the class attribute in an useBean action is    -->
+  <!--                       not a valid bean class?  [true]                -->
+  <!--                                                                      -->
+  <!--   fork                Tell Ant to fork compiles of JSP pages so that -->
+  <!--                       a separate JVM is used for JSP page compiles   -->
+  <!--                       from the one Tomcat is running in. [true]      -->
+  <!--                                                                      -->
+  <!--   genStringAsCharArray                                               -->
+  <!--                       Should text strings be generated as char       -->
+  <!--                       arrays, to improve performance in some cases?  -->
+  <!--                       [false]                                        -->
+  <!--                                                                      -->
+  <!--   ieClassId           The class-id value to be sent to Internet      -->
+  <!--                       Explorer when using <jsp:plugin> tags.         -->
+  <!--                       [clsid:8AD9C840-044E-11D1-B3E9-00805F499D93]   -->
+  <!--                                                                      -->
+  <!--   javaEncoding        Java file encoding to use for generating java  -->
+  <!--                       source files. [UTF8]                           -->
+  <!--                                                                      -->
+  <!--   keepgenerated       Should we keep the generated Java source code  -->
+  <!--                       for each page instead of deleting it? [true]   -->
+  <!--                                                                      -->
+  <!--   mappedfile          Should we generate static content with one     -->
+  <!--                       print statement per input line, to ease        -->
+  <!--                       debugging?  [true]                             -->
+  <!--                                                                      -->
+  <!--   maxLoadedJsps       The maximum number of JSPs that will be loaded -->
+  <!--                       for a web application. If more than this       -->
+  <!--                       number of JSPs are loaded, the least recently  -->
+  <!--                       used JSPs will be unloaded so that the number  -->
+  <!--                       of JSPs loaded at any one time does not exceed -->
+  <!--                       this limit. A value of zero or less indicates  -->
+  <!--                       no limit. [-1]                                 -->
+  <!--                                                                      -->
+  <!--   jspIdleTimeout      The amount of time in seconds a JSP can be     -->
+  <!--                       idle before it is unloaded. A value of zero    -->
+  <!--                       or less indicates never unload. [-1]           -->
+  <!--                                                                      -->
+  <!--   modificationTestInterval                                           -->
+  <!--                       Causes a JSP (and its dependent files) to not  -->
+  <!--                       be checked for modification during the         -->
+  <!--                       specified time interval (in seconds) from the  -->
+  <!--                       last time the JSP was checked for              -->
+  <!--                       modification. A value of 0 will cause the JSP  -->
+  <!--                       to be checked on every access.                 -->
+  <!--                       Used in development mode only. [4]             -->
+  <!--                                                                      -->
+  <!--   recompileOnFail     If a JSP compilation fails should the          -->
+  <!--                       modificationTestInterval be ignored and the    -->
+  <!--                       next access trigger a re-compilation attempt?  -->
+  <!--                       Used in development mode only and is disabled  -->
+  <!--                       by default as compilation may be expensive and -->
+  <!--                       could lead to excessive resource usage.        -->
+  <!--                       [false]                                        -->
+  <!--                                                                      -->
+  <!--   scratchdir          What scratch directory should we use when      -->
+  <!--                       compiling JSP pages?  [default work directory  -->
+  <!--                       for the current web application]               -->
+  <!--                                                                      -->
+  <!--   suppressSmap        Should the generation of SMAP info for JSR45   -->
+  <!--                       debugging be suppressed?  [false]              -->
+  <!--                                                                      -->
+  <!--   trimSpaces          Should white spaces in template text between   -->
+  <!--                       actions or directives be trimmed?  [false]     -->
+  <!--                                                                      -->
+  <!--   xpoweredBy          Determines whether X-Powered-By response       -->
+  <!--                       header is added by generated servlet.  [false] -->
+
+    <servlet>
+        <servlet-name>jsp</servlet-name>
+        <servlet-class>org.apache.jasper.servlet.JspServlet</servlet-class>
+        <init-param>
+            <param-name>fork</param-name>
+            <param-value>false</param-value>
+        </init-param>
+        <init-param>
+            <param-name>xpoweredBy</param-name>
+            <param-value>false</param-value>
+        </init-param>
+        <load-on-startup>3</load-on-startup>
+    </servlet>
+
+
+  <!-- NOTE: An SSI Filter is also available as an alternative SSI          -->
+  <!-- implementation. Use either the Servlet or the Filter but NOT both.   -->
+  <!--                                                                      -->
+  <!-- Server Side Includes processing servlet, which processes SSI         -->
+  <!-- directives in HTML pages consistent with similar support in web      -->
+  <!-- servers like Apache.  Traditionally, this servlet is mapped to the   -->
+  <!-- URL pattern "*.shtml".  This servlet supports the following          -->
+  <!-- initialization parameters (default values are in square brackets):   -->
+  <!--                                                                      -->
+  <!--   buffered            Should output from this servlet be buffered?   -->
+  <!--                       (0=false, 1=true)  [0]                         -->
+  <!--                                                                      -->
+  <!--   debug               Debugging detail level for messages logged     -->
+  <!--                       by this servlet.  [0]                          -->
+  <!--                                                                      -->
+  <!--   expires             The number of seconds before a page with SSI   -->
+  <!--                       directives will expire.  [No default]          -->
+  <!--                                                                      -->
+  <!--   isVirtualWebappRelative                                            -->
+  <!--                       Should "virtual" paths be interpreted as       -->
+  <!--                       relative to the context root, instead of       -->
+  <!--                       the server root?  (0=false, 1=true) [0]        -->
+  <!--                                                                      -->
+  <!--   inputEncoding       The encoding to assume for SSI resources if    -->
+  <!--                       one is not available from the resource.        -->
+  <!--                       [Platform default]                             -->
+  <!--                                                                      -->
+  <!--   outputEncoding      The encoding to use for the page that results  -->
+  <!--                       from the SSI processing. [UTF-8]               -->
+  <!--                                                                      -->
+  <!--   allowExec           Is use of the exec command enabled? [false]    -->
+
+<!--
+    <servlet>
+        <servlet-name>ssi</servlet-name>
+        <servlet-class>
+          org.apache.catalina.ssi.SSIServlet
+        </servlet-class>
+        <init-param>
+          <param-name>buffered</param-name>
+          <param-value>1</param-value>
+        </init-param>
+        <init-param>
+          <param-name>debug</param-name>
+          <param-value>0</param-value>
+        </init-param>
+        <init-param>
+          <param-name>expires</param-name>
+          <param-value>666</param-value>
+        </init-param>
+        <init-param>
+          <param-name>isVirtualWebappRelative</param-name>
+          <param-value>0</param-value>
+        </init-param>
+        <load-on-startup>4</load-on-startup>
+    </servlet>
+-->
+
+
+  <!-- Common Gateway Includes (CGI) processing servlet, which supports     -->
+  <!-- execution of external applications that conform to the CGI spec      -->
+  <!-- requirements.  Typically, this servlet is mapped to the URL pattern  -->
+  <!-- "/cgi-bin/*", which means that any CGI applications that are         -->
+  <!-- executed must be present within the web application.  This servlet   -->
+  <!-- supports the following initialization parameters (default values     -->
+  <!-- are in square brackets):                                             -->
+  <!--                                                                      -->
+  <!--   cgiPathPrefix        The CGI search path will start at             -->
+  <!--                        webAppRootDir + File.separator + this prefix. -->
+  <!--                        [WEB-INF/cgi]                                 -->
+  <!--                                                                      -->
+  <!--   debug                Debugging detail level for messages logged    -->
+  <!--                        by this servlet.  [0]                         -->
+  <!--                                                                      -->
+  <!--   executable           Name of the executable used to run the        -->
+  <!--                        script. [perl]                                -->
+  <!--                                                                      -->
+  <!--   parameterEncoding    Name of parameter encoding to be used with    -->
+  <!--                        CGI servlet.                                  -->
+  <!--                        [System.getProperty("file.encoding","UTF-8")] -->
+  <!--                                                                      -->
+  <!--   passShellEnvironment Should the shell environment variables (if    -->
+  <!--                        any) be passed to the CGI script? [false]     -->
+  <!--                                                                      -->
+  <!--   stderrTimeout        The time (in milliseconds) to wait for the    -->
+  <!--                        reading of stderr to complete before          -->
+  <!--                        terminating the CGI process. [2000]           -->
+
+<!--
+    <servlet>
+        <servlet-name>cgi</servlet-name>
+        <servlet-class>org.apache.catalina.servlets.CGIServlet</servlet-class>
+        <init-param>
+          <param-name>debug</param-name>
+          <param-value>0</param-value>
+        </init-param>
+        <init-param>
+          <param-name>cgiPathPrefix</param-name>
+          <param-value>WEB-INF/cgi</param-value>
+        </init-param>
+         <load-on-startup>5</load-on-startup>
+    </servlet>
+-->
+
+
+  <!-- ================ Built In Servlet Mappings ========================= -->
+
+
+  <!-- The servlet mappings for the built in servlets defined above.  Note  -->
+  <!-- that, by default, the CGI and SSI servlets are *not* mapped.  You    -->
+  <!-- must uncomment these mappings (or add them to your application's own -->
+  <!-- web.xml deployment descriptor) to enable these services              -->
+
+    <!-- The mapping for the default servlet -->
+    <servlet-mapping>
+        <servlet-name>default</servlet-name>
+        <url-pattern>/</url-pattern>
+    </servlet-mapping>
+
+    <!-- The mappings for the JSP servlet -->
+    <servlet-mapping>
+        <servlet-name>jsp</servlet-name>
+        <url-pattern>*.jsp</url-pattern>
+        <url-pattern>*.jspx</url-pattern>
+    </servlet-mapping>
+
+    <!-- The mapping for the SSI servlet -->
+<!--
+    <servlet-mapping>
+        <servlet-name>ssi</servlet-name>
+        <url-pattern>*.shtml</url-pattern>
+    </servlet-mapping>
+-->
+
+    <!-- The mapping for the CGI Gateway servlet -->
+
+<!--
+    <servlet-mapping>
+        <servlet-name>cgi</servlet-name>
+        <url-pattern>/cgi-bin/*</url-pattern>
+    </servlet-mapping>
+-->
+
+
+  <!-- ================== Built In Filter Definitions ===================== -->
+
+  <!-- A filter that sets character encoding that is used to decode -->
+  <!-- parameters in a POST request -->
+<!--
+    <filter>
+        <filter-name>setCharacterEncodingFilter</filter-name>
+        <filter-class>org.apache.catalina.filters.SetCharacterEncodingFilter</filter-class>
+        <init-param>
+            <param-name>encoding</param-name>
+            <param-value>UTF-8</param-value>
+        </init-param>
+        <async-supported>true</async-supported>
+    </filter>
+-->
+
+  <!-- A filter that triggers request parameters parsing and rejects the    -->
+  <!-- request if some parameters were skipped because of parsing errors or -->
+  <!-- request size limitations.                                            -->
+<!--
+    <filter>
+        <filter-name>failedRequestFilter</filter-name>
+        <filter-class>
+          org.apache.catalina.filters.FailedRequestFilter
+        </filter-class>
+        <async-supported>true</async-supported>
+    </filter>
+-->
+
+
+  <!-- NOTE: An SSI Servlet is also available as an alternative SSI         -->
+  <!-- implementation. Use either the Servlet or the Filter but NOT both.   -->
+  <!--                                                                      -->
+  <!-- Server Side Includes processing filter, which processes SSI          -->
+  <!-- directives in HTML pages consistent with similar support in web      -->
+  <!-- servers like Apache.  Traditionally, this filter is mapped to the    -->
+  <!-- URL pattern "*.shtml", though it can be mapped to "*" as it will     -->
+  <!-- selectively enable/disable SSI processing based on mime types. For   -->
+  <!-- this to work you will need to uncomment the .shtml mime type         -->
+  <!-- definition towards the bottom of this file.                          -->
+  <!-- The contentType init param allows you to apply SSI processing to JSP -->
+  <!-- pages, javascript, or any other content you wish.  This filter       -->
+  <!-- supports the following initialization parameters (default values are -->
+  <!-- in square brackets):                                                 -->
+  <!--                                                                      -->
+  <!--   contentType         A regex pattern that must be matched before    -->
+  <!--                       SSI processing is applied.                     -->
+  <!--                       [text/x-server-parsed-html(;.*)?]              -->
+  <!--                                                                      -->
+  <!--   debug               Debugging detail level for messages logged     -->
+  <!--                       by this servlet.  [0]                          -->
+  <!--                                                                      -->
+  <!--   expires             The number of seconds before a page with SSI   -->
+  <!--                       directives will expire.  [No default]          -->
+  <!--                                                                      -->
+  <!--   isVirtualWebappRelative                                            -->
+  <!--                       Should "virtual" paths be interpreted as       -->
+  <!--                       relative to the context root, instead of       -->
+  <!--                       the server root?  (0=false, 1=true) [0]        -->
+  <!--                                                                      -->
+  <!--   allowExec           Is use of the exec command enabled? [false]    -->
+
+<!--
+    <filter>
+        <filter-name>ssi</filter-name>
+        <filter-class>
+          org.apache.catalina.ssi.SSIFilter
+        </filter-class>
+        <init-param>
+          <param-name>contentType</param-name>
+          <param-value>text/x-server-parsed-html(;.*)?</param-value>
+        </init-param>
+        <init-param>
+          <param-name>debug</param-name>
+          <param-value>0</param-value>
+        </init-param>
+        <init-param>
+          <param-name>expires</param-name>
+          <param-value>666</param-value>
+        </init-param>
+        <init-param>
+          <param-name>isVirtualWebappRelative</param-name>
+          <param-value>0</param-value>
+        </init-param>
+    </filter>
+-->
+
+
+  <!-- ==================== Built In Filter Mappings ====================== -->
+
+  <!-- The mapping for the Set Character Encoding Filter -->
+<!--
+    <filter-mapping>
+        <filter-name>setCharacterEncodingFilter</filter-name>
+        <url-pattern>/*</url-pattern>
+    </filter-mapping>
+-->
+
+  <!-- The mapping for the Failed Request Filter -->
+<!--
+    <filter-mapping>
+        <filter-name>failedRequestFilter</filter-name>
+        <url-pattern>/*</url-pattern>
+    </filter-mapping>
+-->
+
+  <!-- The mapping for the SSI Filter -->
+<!--
+    <filter-mapping>
+        <filter-name>ssi</filter-name>
+        <url-pattern>*.shtml</url-pattern>
+    </filter-mapping>
+-->
+
+
+  <!-- ==================== Default Session Configuration ================= -->
+  <!-- You can set the default session timeout (in minutes) for all newly   -->
+  <!-- created sessions by modifying the value below.                       -->
+
+    <session-config>
+        <session-timeout>30</session-timeout>
+    </session-config>
+
+
+  <!-- ===================== Default MIME Type Mappings =================== -->
+  <!-- When serving static resources, Tomcat will automatically generate    -->
+  <!-- a "Content-Type" header based on the resource's filename extension,  -->
+  <!-- based on these mappings.  Additional mappings can be added here (to  -->
+  <!-- apply to all web applications), or in your own application's web.xml -->
+  <!-- deployment descriptor.                                               -->
+
+    <mime-mapping>
+        <extension>123</extension>
+        <mime-type>application/vnd.lotus-1-2-3</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>3dml</extension>
+        <mime-type>text/vnd.in3d.3dml</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>3g2</extension>
+        <mime-type>video/3gpp2</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>3gp</extension>
+        <mime-type>video/3gpp</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>7z</extension>
+        <mime-type>application/x-7z-compressed</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>aab</extension>
+        <mime-type>application/x-authorware-bin</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>aac</extension>
+        <mime-type>audio/x-aac</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>aam</extension>
+        <mime-type>application/x-authorware-map</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>aas</extension>
+        <mime-type>application/x-authorware-seg</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>abs</extension>
+        <mime-type>audio/x-mpeg</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>abw</extension>
+        <mime-type>application/x-abiword</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>ac</extension>
+        <mime-type>application/pkix-attr-cert</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>acc</extension>
+        <mime-type>application/vnd.americandynamics.acc</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>ace</extension>
+        <mime-type>application/x-ace-compressed</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>acu</extension>
+        <mime-type>application/vnd.acucobol</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>acutc</extension>
+        <mime-type>application/vnd.acucorp</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>adp</extension>
+        <mime-type>audio/adpcm</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>aep</extension>
+        <mime-type>application/vnd.audiograph</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>afm</extension>
+        <mime-type>application/x-font-type1</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>afp</extension>
+        <mime-type>application/vnd.ibm.modcap</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>ahead</extension>
+        <mime-type>application/vnd.ahead.space</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>ai</extension>
+        <mime-type>application/postscript</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>aif</extension>
+        <mime-type>audio/x-aiff</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>aifc</extension>
+        <mime-type>audio/x-aiff</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>aiff</extension>
+        <mime-type>audio/x-aiff</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>aim</extension>
+        <mime-type>application/x-aim</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>air</extension>
+        <mime-type>application/vnd.adobe.air-application-installer-package+zip</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>ait</extension>
+        <mime-type>application/vnd.dvb.ait</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>ami</extension>
+        <mime-type>application/vnd.amiga.ami</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>anx</extension>
+        <mime-type>application/annodex</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>apk</extension>
+        <mime-type>application/vnd.android.package-archive</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>application</extension>
+        <mime-type>application/x-ms-application</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>apr</extension>
+        <mime-type>application/vnd.lotus-approach</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>art</extension>
+        <mime-type>image/x-jg</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>asc</extension>
+        <mime-type>application/pgp-signature</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>asf</extension>
+        <mime-type>video/x-ms-asf</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>asm</extension>
+        <mime-type>text/x-asm</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>aso</extension>
+        <mime-type>application/vnd.accpac.simply.aso</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>asx</extension>
+        <mime-type>video/x-ms-asf</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>atc</extension>
+        <mime-type>application/vnd.acucorp</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>atom</extension>
+        <mime-type>application/atom+xml</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>atomcat</extension>
+        <mime-type>application/atomcat+xml</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>atomsvc</extension>
+        <mime-type>application/atomsvc+xml</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>atx</extension>
+        <mime-type>application/vnd.antix.game-component</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>au</extension>
+        <mime-type>audio/basic</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>avi</extension>
+        <mime-type>video/x-msvideo</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>avx</extension>
+        <mime-type>video/x-rad-screenplay</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>aw</extension>
+        <mime-type>application/applixware</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>axa</extension>
+        <mime-type>audio/annodex</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>axv</extension>
+        <mime-type>video/annodex</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>azf</extension>
+        <mime-type>application/vnd.airzip.filesecure.azf</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>azs</extension>
+        <mime-type>application/vnd.airzip.filesecure.azs</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>azw</extension>
+        <mime-type>application/vnd.amazon.ebook</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>bat</extension>
+        <mime-type>application/x-msdownload</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>bcpio</extension>
+        <mime-type>application/x-bcpio</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>bdf</extension>
+        <mime-type>application/x-font-bdf</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>bdm</extension>
+        <mime-type>application/vnd.syncml.dm+wbxml</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>bed</extension>
+        <mime-type>application/vnd.realvnc.bed</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>bh2</extension>
+        <mime-type>application/vnd.fujitsu.oasysprs</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>bin</extension>
+        <mime-type>application/octet-stream</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>bmi</extension>
+        <mime-type>application/vnd.bmi</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>bmp</extension>
+        <mime-type>image/bmp</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>body</extension>
+        <mime-type>text/html</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>book</extension>
+        <mime-type>application/vnd.framemaker</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>box</extension>
+        <mime-type>application/vnd.previewsystems.box</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>boz</extension>
+        <mime-type>application/x-bzip2</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>bpk</extension>
+        <mime-type>application/octet-stream</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>btif</extension>
+        <mime-type>image/prs.btif</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>bz</extension>
+        <mime-type>application/x-bzip</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>bz2</extension>
+        <mime-type>application/x-bzip2</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>c</extension>
+        <mime-type>text/x-c</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>c11amc</extension>
+        <mime-type>application/vnd.cluetrust.cartomobile-config</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>c11amz</extension>
+        <mime-type>application/vnd.cluetrust.cartomobile-config-pkg</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>c4d</extension>
+        <mime-type>application/vnd.clonk.c4group</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>c4f</extension>
+        <mime-type>application/vnd.clonk.c4group</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>c4g</extension>
+        <mime-type>application/vnd.clonk.c4group</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>c4p</extension>
+        <mime-type>application/vnd.clonk.c4group</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>c4u</extension>
+        <mime-type>application/vnd.clonk.c4group</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>cab</extension>
+        <mime-type>application/vnd.ms-cab-compressed</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>cap</extension>
+        <mime-type>application/vnd.tcpdump.pcap</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>car</extension>
+        <mime-type>application/vnd.curl.car</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>cat</extension>
+        <mime-type>application/vnd.ms-pki.seccat</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>cc</extension>
+        <mime-type>text/x-c</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>cct</extension>
+        <mime-type>application/x-director</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>ccxml</extension>
+        <mime-type>application/ccxml+xml</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>cdbcmsg</extension>
+        <mime-type>application/vnd.contact.cmsg</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>cdf</extension>
+        <mime-type>application/x-cdf</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>cdkey</extension>
+        <mime-type>application/vnd.mediastation.cdkey</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>cdmia</extension>
+        <mime-type>application/cdmi-capability</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>cdmic</extension>
+        <mime-type>application/cdmi-container</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>cdmid</extension>
+        <mime-type>application/cdmi-domain</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>cdmio</extension>
+        <mime-type>application/cdmi-object</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>cdmiq</extension>
+        <mime-type>application/cdmi-queue</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>cdx</extension>
+        <mime-type>chemical/x-cdx</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>cdxml</extension>
+        <mime-type>application/vnd.chemdraw+xml</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>cdy</extension>
+        <mime-type>application/vnd.cinderella</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>cer</extension>
+        <mime-type>application/pkix-cert</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>cgm</extension>
+        <mime-type>image/cgm</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>chat</extension>
+        <mime-type>application/x-chat</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>chm</extension>
+        <mime-type>application/vnd.ms-htmlhelp</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>chrt</extension>
+        <mime-type>application/vnd.kde.kchart</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>cif</extension>
+        <mime-type>chemical/x-cif</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>cii</extension>
+        <mime-type>application/vnd.anser-web-certificate-issue-initiation</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>cil</extension>
+        <mime-type>application/vnd.ms-artgalry</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>cla</extension>
+        <mime-type>application/vnd.claymore</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>class</extension>
+        <mime-type>application/java</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>clkk</extension>
+        <mime-type>application/vnd.crick.clicker.keyboard</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>clkp</extension>
+        <mime-type>application/vnd.crick.clicker.palette</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>clkt</extension>
+        <mime-type>application/vnd.crick.clicker.template</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>clkw</extension>
+        <mime-type>application/vnd.crick.clicker.wordbank</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>clkx</extension>
+        <mime-type>application/vnd.crick.clicker</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>clp</extension>
+        <mime-type>application/x-msclip</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>cmc</extension>
+        <mime-type>application/vnd.cosmocaller</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>cmdf</extension>
+        <mime-type>chemical/x-cmdf</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>cml</extension>
+        <mime-type>chemical/x-cml</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>cmp</extension>
+        <mime-type>application/vnd.yellowriver-custom-menu</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>cmx</extension>
+        <mime-type>image/x-cmx</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>cod</extension>
+        <mime-type>application/vnd.rim.cod</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>com</extension>
+        <mime-type>application/x-msdownload</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>conf</extension>
+        <mime-type>text/plain</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>cpio</extension>
+        <mime-type>application/x-cpio</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>cpp</extension>
+        <mime-type>text/x-c</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>cpt</extension>
+        <mime-type>application/mac-compactpro</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>crd</extension>
+        <mime-type>application/x-mscardfile</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>crl</extension>
+        <mime-type>application/pkix-crl</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>crt</extension>
+        <mime-type>application/x-x509-ca-cert</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>cryptonote</extension>
+        <mime-type>application/vnd.rig.cryptonote</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>csh</extension>
+        <mime-type>application/x-csh</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>csml</extension>
+        <mime-type>chemical/x-csml</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>csp</extension>
+        <mime-type>application/vnd.commonspace</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>css</extension>
+        <mime-type>text/css</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>cst</extension>
+        <mime-type>application/x-director</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>csv</extension>
+        <mime-type>text/csv</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>cu</extension>
+        <mime-type>application/cu-seeme</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>curl</extension>
+        <mime-type>text/vnd.curl</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>cww</extension>
+        <mime-type>application/prs.cww</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>cxt</extension>
+        <mime-type>application/x-director</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>cxx</extension>
+        <mime-type>text/x-c</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>dae</extension>
+        <mime-type>model/vnd.collada+xml</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>daf</extension>
+        <mime-type>application/vnd.mobius.daf</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>dataless</extension>
+        <mime-type>application/vnd.fdsn.seed</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>davmount</extension>
+        <mime-type>application/davmount+xml</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>dcr</extension>
+        <mime-type>application/x-director</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>dcurl</extension>
+        <mime-type>text/vnd.curl.dcurl</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>dd2</extension>
+        <mime-type>application/vnd.oma.dd2+xml</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>ddd</extension>
+        <mime-type>application/vnd.fujixerox.ddd</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>deb</extension>
+        <mime-type>application/x-debian-package</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>def</extension>
+        <mime-type>text/plain</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>deploy</extension>
+        <mime-type>application/octet-stream</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>der</extension>
+        <mime-type>application/x-x509-ca-cert</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>dfac</extension>
+        <mime-type>application/vnd.dreamfactory</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>dib</extension>
+        <mime-type>image/bmp</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>dic</extension>
+        <mime-type>text/x-c</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>dir</extension>
+        <mime-type>application/x-director</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>dis</extension>
+        <mime-type>application/vnd.mobius.dis</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>dist</extension>
+        <mime-type>application/octet-stream</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>distz</extension>
+        <mime-type>application/octet-stream</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>djv</extension>
+        <mime-type>image/vnd.djvu</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>djvu</extension>
+        <mime-type>image/vnd.djvu</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>dll</extension>
+        <mime-type>application/x-msdownload</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>dmg</extension>
+        <mime-type>application/octet-stream</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>dmp</extension>
+        <mime-type>application/vnd.tcpdump.pcap</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>dms</extension>
+        <mime-type>application/octet-stream</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>dna</extension>
+        <mime-type>application/vnd.dna</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>doc</extension>
+        <mime-type>application/msword</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>docm</extension>
+        <mime-type>application/vnd.ms-word.document.macroenabled.12</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>docx</extension>
+        <mime-type>application/vnd.openxmlformats-officedocument.wordprocessingml.document</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>dot</extension>
+        <mime-type>application/msword</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>dotm</extension>
+        <mime-type>application/vnd.ms-word.template.macroenabled.12</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>dotx</extension>
+        <mime-type>application/vnd.openxmlformats-officedocument.wordprocessingml.template</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>dp</extension>
+        <mime-type>application/vnd.osgi.dp</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>dpg</extension>
+        <mime-type>application/vnd.dpgraph</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>dra</extension>
+        <mime-type>audio/vnd.dra</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>dsc</extension>
+        <mime-type>text/prs.lines.tag</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>dssc</extension>
+        <mime-type>application/dssc+der</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>dtb</extension>
+        <mime-type>application/x-dtbook+xml</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>dtd</extension>
+        <mime-type>application/xml-dtd</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>dts</extension>
+        <mime-type>audio/vnd.dts</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>dtshd</extension>
+        <mime-type>audio/vnd.dts.hd</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>dump</extension>
+        <mime-type>application/octet-stream</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>dv</extension>
+        <mime-type>video/x-dv</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>dvb</extension>
+        <mime-type>video/vnd.dvb.file</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>dvi</extension>
+        <mime-type>application/x-dvi</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>dwf</extension>
+        <mime-type>model/vnd.dwf</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>dwg</extension>
+        <mime-type>image/vnd.dwg</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>dxf</extension>
+        <mime-type>image/vnd.dxf</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>dxp</extension>
+        <mime-type>application/vnd.spotfire.dxp</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>dxr</extension>
+        <mime-type>application/x-director</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>ecelp4800</extension>
+        <mime-type>audio/vnd.nuera.ecelp4800</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>ecelp7470</extension>
+        <mime-type>audio/vnd.nuera.ecelp7470</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>ecelp9600</extension>
+        <mime-type>audio/vnd.nuera.ecelp9600</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>ecma</extension>
+        <mime-type>application/ecmascript</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>edm</extension>
+        <mime-type>application/vnd.novadigm.edm</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>edx</extension>
+        <mime-type>application/vnd.novadigm.edx</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>efif</extension>
+        <mime-type>application/vnd.picsel</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>ei6</extension>
+        <mime-type>application/vnd.pg.osasli</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>elc</extension>
+        <mime-type>application/octet-stream</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>eml</extension>
+        <mime-type>message/rfc822</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>emma</extension>
+        <mime-type>application/emma+xml</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>eol</extension>
+        <mime-type>audio/vnd.digital-winds</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>eot</extension>
+        <mime-type>application/vnd.ms-fontobject</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>eps</extension>
+        <mime-type>application/postscript</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>epub</extension>
+        <mime-type>application/epub+zip</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>es3</extension>
+        <mime-type>application/vnd.eszigno3+xml</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>esf</extension>
+        <mime-type>application/vnd.epson.esf</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>et3</extension>
+        <mime-type>application/vnd.eszigno3+xml</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>etx</extension>
+        <mime-type>text/x-setext</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>exe</extension>
+        <mime-type>application/octet-stream</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>exi</extension>
+        <mime-type>application/exi</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>ext</extension>
+        <mime-type>application/vnd.novadigm.ext</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>ez</extension>
+        <mime-type>application/andrew-inset</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>ez2</extension>
+        <mime-type>application/vnd.ezpix-album</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>ez3</extension>
+        <mime-type>application/vnd.ezpix-package</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>f</extension>
+        <mime-type>text/x-fortran</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>f4v</extension>
+        <mime-type>video/x-f4v</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>f77</extension>
+        <mime-type>text/x-fortran</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>f90</extension>
+        <mime-type>text/x-fortran</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>fbs</extension>
+        <mime-type>image/vnd.fastbidsheet</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>fcs</extension>
+        <mime-type>application/vnd.isac.fcs</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>fdf</extension>
+        <mime-type>application/vnd.fdf</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>fe_launch</extension>
+        <mime-type>application/vnd.denovo.fcselayout-link</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>fg5</extension>
+        <mime-type>application/vnd.fujitsu.oasysgp</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>fgd</extension>
+        <mime-type>application/x-director</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>fh</extension>
+        <mime-type>image/x-freehand</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>fh4</extension>
+        <mime-type>image/x-freehand</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>fh5</extension>
+        <mime-type>image/x-freehand</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>fh7</extension>
+        <mime-type>image/x-freehand</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>fhc</extension>
+        <mime-type>image/x-freehand</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>fig</extension>
+        <mime-type>application/x-xfig</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>flac</extension>
+        <mime-type>audio/flac</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>fli</extension>
+        <mime-type>video/x-fli</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>flo</extension>
+        <mime-type>application/vnd.micrografx.flo</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>flv</extension>
+        <mime-type>video/x-flv</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>flw</extension>
+        <mime-type>application/vnd.kde.kivio</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>flx</extension>
+        <mime-type>text/vnd.fmi.flexstor</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>fly</extension>
+        <mime-type>text/vnd.fly</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>fm</extension>
+        <mime-type>application/vnd.framemaker</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>fnc</extension>
+        <mime-type>application/vnd.frogans.fnc</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>for</extension>
+        <mime-type>text/x-fortran</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>fpx</extension>
+        <mime-type>image/vnd.fpx</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>frame</extension>
+        <mime-type>application/vnd.framemaker</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>fsc</extension>
+        <mime-type>application/vnd.fsc.weblaunch</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>fst</extension>
+        <mime-type>image/vnd.fst</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>ftc</extension>
+        <mime-type>application/vnd.fluxtime.clip</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>fti</extension>
+        <mime-type>application/vnd.anser-web-funds-transfer-initiation</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>fvt</extension>
+        <mime-type>video/vnd.fvt</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>fxp</extension>
+        <mime-type>application/vnd.adobe.fxp</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>fxpl</extension>
+        <mime-type>application/vnd.adobe.fxp</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>fzs</extension>
+        <mime-type>application/vnd.fuzzysheet</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>g2w</extension>
+        <mime-type>application/vnd.geoplan</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>g3</extension>
+        <mime-type>image/g3fax</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>g3w</extension>
+        <mime-type>application/vnd.geospace</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>gac</extension>
+        <mime-type>application/vnd.groove-account</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>gbr</extension>
+        <mime-type>application/rpki-ghostbusters</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>gdl</extension>
+        <mime-type>model/vnd.gdl</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>geo</extension>
+        <mime-type>application/vnd.dynageo</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>gex</extension>
+        <mime-type>application/vnd.geometry-explorer</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>ggb</extension>
+        <mime-type>application/vnd.geogebra.file</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>ggt</extension>
+        <mime-type>application/vnd.geogebra.tool</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>ghf</extension>
+        <mime-type>application/vnd.groove-help</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>gif</extension>
+        <mime-type>image/gif</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>gim</extension>
+        <mime-type>application/vnd.groove-identity-message</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>gmx</extension>
+        <mime-type>application/vnd.gmx</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>gnumeric</extension>
+        <mime-type>application/x-gnumeric</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>gph</extension>
+        <mime-type>application/vnd.flographit</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>gqf</extension>
+        <mime-type>application/vnd.grafeq</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>gqs</extension>
+        <mime-type>application/vnd.grafeq</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>gram</extension>
+        <mime-type>application/srgs</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>gre</extension>
+        <mime-type>application/vnd.geometry-explorer</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>grv</extension>
+        <mime-type>application/vnd.groove-injector</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>grxml</extension>
+        <mime-type>application/srgs+xml</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>gsf</extension>
+        <mime-type>application/x-font-ghostscript</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>gtar</extension>
+        <mime-type>application/x-gtar</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>gtm</extension>
+        <mime-type>application/vnd.groove-tool-message</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>gtw</extension>
+        <mime-type>model/vnd.gtw</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>gv</extension>
+        <mime-type>text/vnd.graphviz</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>gxt</extension>
+        <mime-type>application/vnd.geonext</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>gz</extension>
+        <mime-type>application/x-gzip</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>h</extension>
+        <mime-type>text/x-c</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>h261</extension>
+        <mime-type>video/h261</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>h263</extension>
+        <mime-type>video/h263</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>h264</extension>
+        <mime-type>video/h264</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>hal</extension>
+        <mime-type>application/vnd.hal+xml</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>hbci</extension>
+        <mime-type>application/vnd.hbci</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>hdf</extension>
+        <mime-type>application/x-hdf</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>hh</extension>
+        <mime-type>text/x-c</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>hlp</extension>
+        <mime-type>application/winhlp</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>hpgl</extension>
+        <mime-type>application/vnd.hp-hpgl</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>hpid</extension>
+        <mime-type>application/vnd.hp-hpid</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>hps</extension>
+        <mime-type>application/vnd.hp-hps</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>hqx</extension>
+        <mime-type>application/mac-binhex40</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>htc</extension>
+        <mime-type>text/x-component</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>htke</extension>
+        <mime-type>application/vnd.kenameaapp</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>htm</extension>
+        <mime-type>text/html</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>html</extension>
+        <mime-type>text/html</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>hvd</extension>
+        <mime-type>application/vnd.yamaha.hv-dic</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>hvp</extension>
+        <mime-type>application/vnd.yamaha.hv-voice</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>hvs</extension>
+        <mime-type>application/vnd.yamaha.hv-script</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>i2g</extension>
+        <mime-type>application/vnd.intergeo</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>icc</extension>
+        <mime-type>application/vnd.iccprofile</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>ice</extension>
+        <mime-type>x-conference/x-cooltalk</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>icm</extension>
+        <mime-type>application/vnd.iccprofile</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>ico</extension>
+        <mime-type>image/x-icon</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>ics</extension>
+        <mime-type>text/calendar</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>ief</extension>
+        <mime-type>image/ief</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>ifb</extension>
+        <mime-type>text/calendar</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>ifm</extension>
+        <mime-type>application/vnd.shana.informed.formdata</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>iges</extension>
+        <mime-type>model/iges</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>igl</extension>
+        <mime-type>application/vnd.igloader</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>igm</extension>
+        <mime-type>application/vnd.insors.igm</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>igs</extension>
+        <mime-type>model/iges</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>igx</extension>
+        <mime-type>application/vnd.micrografx.igx</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>iif</extension>
+        <mime-type>application/vnd.shana.informed.interchange</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>imp</extension>
+        <mime-type>application/vnd.accpac.simply.imp</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>ims</extension>
+        <mime-type>application/vnd.ms-ims</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>in</extension>
+        <mime-type>text/plain</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>ink</extension>
+        <mime-type>application/inkml+xml</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>inkml</extension>
+        <mime-type>application/inkml+xml</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>iota</extension>
+        <mime-type>application/vnd.astraea-software.iota</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>ipfix</extension>
+        <mime-type>application/ipfix</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>ipk</extension>
+        <mime-type>application/vnd.shana.informed.package</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>irm</extension>
+        <mime-type>application/vnd.ibm.rights-management</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>irp</extension>
+        <mime-type>application/vnd.irepository.package+xml</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>iso</extension>
+        <mime-type>application/octet-stream</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>itp</extension>
+        <mime-type>application/vnd.shana.informed.formtemplate</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>ivp</extension>
+        <mime-type>application/vnd.immervision-ivp</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>ivu</extension>
+        <mime-type>application/vnd.immervision-ivu</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>jad</extension>
+        <mime-type>text/vnd.sun.j2me.app-descriptor</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>jam</extension>
+        <mime-type>application/vnd.jam</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>jar</extension>
+        <mime-type>application/java-archive</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>java</extension>
+        <mime-type>text/x-java-source</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>jisp</extension>
+        <mime-type>application/vnd.jisp</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>jlt</extension>
+        <mime-type>application/vnd.hp-jlyt</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>jnlp</extension>
+        <mime-type>application/x-java-jnlp-file</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>joda</extension>
+        <mime-type>application/vnd.joost.joda-archive</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>jpe</extension>
+        <mime-type>image/jpeg</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>jpeg</extension>
+        <mime-type>image/jpeg</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>jpg</extension>
+        <mime-type>image/jpeg</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>jpgm</extension>
+        <mime-type>video/jpm</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>jpgv</extension>
+        <mime-type>video/jpeg</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>jpm</extension>
+        <mime-type>video/jpm</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>js</extension>
+        <mime-type>application/javascript</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>jsf</extension>
+        <mime-type>text/plain</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>json</extension>
+        <mime-type>application/json</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>jspf</extension>
+        <mime-type>text/plain</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>kar</extension>
+        <mime-type>audio/midi</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>karbon</extension>
+        <mime-type>application/vnd.kde.karbon</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>kfo</extension>
+        <mime-type>application/vnd.kde.kformula</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>kia</extension>
+        <mime-type>application/vnd.kidspiration</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>kml</extension>
+        <mime-type>application/vnd.google-earth.kml+xml</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>kmz</extension>
+        <mime-type>application/vnd.google-earth.kmz</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>kne</extension>
+        <mime-type>application/vnd.kinar</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>knp</extension>
+        <mime-type>application/vnd.kinar</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>kon</extension>
+        <mime-type>application/vnd.kde.kontour</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>kpr</extension>
+        <mime-type>application/vnd.kde.kpresenter</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>kpt</extension>
+        <mime-type>application/vnd.kde.kpresenter</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>ksp</extension>
+        <mime-type>application/vnd.kde.kspread</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>ktr</extension>
+        <mime-type>application/vnd.kahootz</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>ktx</extension>
+        <mime-type>image/ktx</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>ktz</extension>
+        <mime-type>application/vnd.kahootz</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>kwd</extension>
+        <mime-type>application/vnd.kde.kword</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>kwt</extension>
+        <mime-type>application/vnd.kde.kword</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>lasxml</extension>
+        <mime-type>application/vnd.las.las+xml</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>latex</extension>
+        <mime-type>application/x-latex</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>lbd</extension>
+        <mime-type>application/vnd.llamagraphics.life-balance.desktop</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>lbe</extension>
+        <mime-type>application/vnd.llamagraphics.life-balance.exchange+xml</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>les</extension>
+        <mime-type>application/vnd.hhe.lesson-player</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>lha</extension>
+        <mime-type>application/octet-stream</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>link66</extension>
+        <mime-type>application/vnd.route66.link66+xml</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>list</extension>
+        <mime-type>text/plain</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>list3820</extension>
+        <mime-type>application/vnd.ibm.modcap</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>listafp</extension>
+        <mime-type>application/vnd.ibm.modcap</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>log</extension>
+        <mime-type>text/plain</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>lostxml</extension>
+        <mime-type>application/lost+xml</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>lrf</extension>
+        <mime-type>application/octet-stream</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>lrm</extension>
+        <mime-type>application/vnd.ms-lrm</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>ltf</extension>
+        <mime-type>application/vnd.frogans.ltf</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>lvp</extension>
+        <mime-type>audio/vnd.lucent.voice</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>lwp</extension>
+        <mime-type>application/vnd.lotus-wordpro</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>lzh</extension>
+        <mime-type>application/octet-stream</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>m13</extension>
+        <mime-type>application/x-msmediaview</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>m14</extension>
+        <mime-type>application/x-msmediaview</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>m1v</extension>
+        <mime-type>video/mpeg</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>m21</extension>
+        <mime-type>application/mp21</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>m2a</extension>
+        <mime-type>audio/mpeg</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>m2v</extension>
+        <mime-type>video/mpeg</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>m3a</extension>
+        <mime-type>audio/mpeg</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>m3u</extension>
+        <mime-type>audio/x-mpegurl</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>m3u8</extension>
+        <mime-type>application/vnd.apple.mpegurl</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>m4a</extension>
+        <mime-type>audio/mp4</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>m4b</extension>
+        <mime-type>audio/mp4</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>m4r</extension>
+        <mime-type>audio/mp4</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>m4u</extension>
+        <mime-type>video/vnd.mpegurl</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>m4v</extension>
+        <mime-type>video/mp4</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>ma</extension>
+        <mime-type>application/mathematica</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>mac</extension>
+        <mime-type>image/x-macpaint</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>mads</extension>
+        <mime-type>application/mads+xml</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>mag</extension>
+        <mime-type>application/vnd.ecowin.chart</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>maker</extension>
+        <mime-type>application/vnd.framemaker</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>man</extension>
+        <mime-type>text/troff</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>mathml</extension>
+        <mime-type>application/mathml+xml</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>mb</extension>
+        <mime-type>application/mathematica</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>mbk</extension>
+        <mime-type>application/vnd.mobius.mbk</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>mbox</extension>
+        <mime-type>application/mbox</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>mc1</extension>
+        <mime-type>application/vnd.medcalcdata</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>mcd</extension>
+        <mime-type>application/vnd.mcd</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>mcurl</extension>
+        <mime-type>text/vnd.curl.mcurl</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>mdb</extension>
+        <mime-type>application/x-msaccess</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>mdi</extension>
+        <mime-type>image/vnd.ms-modi</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>me</extension>
+        <mime-type>text/troff</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>mesh</extension>
+        <mime-type>model/mesh</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>meta4</extension>
+        <mime-type>application/metalink4+xml</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>mets</extension>
+        <mime-type>application/mets+xml</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>mfm</extension>
+        <mime-type>application/vnd.mfmp</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>mft</extension>
+        <mime-type>application/rpki-manifest</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>mgp</extension>
+        <mime-type>application/vnd.osgeo.mapguide.package</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>mgz</extension>
+        <mime-type>application/vnd.proteus.magazine</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>mid</extension>
+        <mime-type>audio/midi</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>midi</extension>
+        <mime-type>audio/midi</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>mif</extension>
+        <mime-type>application/x-mif</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>mime</extension>
+        <mime-type>message/rfc822</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>mj2</extension>
+        <mime-type>video/mj2</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>mjp2</extension>
+        <mime-type>video/mj2</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>mlp</extension>
+        <mime-type>application/vnd.dolby.mlp</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>mmd</extension>
+        <mime-type>application/vnd.chipnuts.karaoke-mmd</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>mmf</extension>
+        <mime-type>application/vnd.smaf</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>mmr</extension>
+        <mime-type>image/vnd.fujixerox.edmics-mmr</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>mny</extension>
+        <mime-type>application/x-msmoney</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>mobi</extension>
+        <mime-type>application/x-mobipocket-ebook</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>mods</extension>
+        <mime-type>application/mods+xml</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>mov</extension>
+        <mime-type>video/quicktime</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>movie</extension>
+        <mime-type>video/x-sgi-movie</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>mp1</extension>
+        <mime-type>audio/mpeg</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>mp2</extension>
+        <mime-type>audio/mpeg</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>mp21</extension>
+        <mime-type>application/mp21</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>mp2a</extension>
+        <mime-type>audio/mpeg</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>mp3</extension>
+        <mime-type>audio/mpeg</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>mp4</extension>
+        <mime-type>video/mp4</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>mp4a</extension>
+        <mime-type>audio/mp4</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>mp4s</extension>
+        <mime-type>application/mp4</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>mp4v</extension>
+        <mime-type>video/mp4</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>mpa</extension>
+        <mime-type>audio/mpeg</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>mpc</extension>
+        <mime-type>application/vnd.mophun.certificate</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>mpe</extension>
+        <mime-type>video/mpeg</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>mpeg</extension>
+        <mime-type>video/mpeg</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>mpega</extension>
+        <mime-type>audio/x-mpeg</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>mpg</extension>
+        <mime-type>video/mpeg</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>mpg4</extension>
+        <mime-type>video/mp4</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>mpga</extension>
+        <mime-type>audio/mpeg</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>mpkg</extension>
+        <mime-type>application/vnd.apple.installer+xml</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>mpm</extension>
+        <mime-type>application/vnd.blueice.multipass</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>mpn</extension>
+        <mime-type>application/vnd.mophun.application</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>mpp</extension>
+        <mime-type>application/vnd.ms-project</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>mpt</extension>
+        <mime-type>application/vnd.ms-project</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>mpv2</extension>
+        <mime-type>video/mpeg2</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>mpy</extension>
+        <mime-type>application/vnd.ibm.minipay</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>mqy</extension>
+        <mime-type>application/vnd.mobius.mqy</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>mrc</extension>
+        <mime-type>application/marc</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>mrcx</extension>
+        <mime-type>application/marcxml+xml</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>ms</extension>
+        <mime-type>text/troff</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>mscml</extension>
+        <mime-type>application/mediaservercontrol+xml</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>mseed</extension>
+        <mime-type>application/vnd.fdsn.mseed</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>mseq</extension>
+        <mime-type>application/vnd.mseq</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>msf</extension>
+        <mime-type>application/vnd.epson.msf</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>msh</extension>
+        <mime-type>model/mesh</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>msi</extension>
+        <mime-type>application/x-msdownload</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>msl</extension>
+        <mime-type>application/vnd.mobius.msl</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>msty</extension>
+        <mime-type>application/vnd.muvee.style</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>mts</extension>
+        <mime-type>model/vnd.mts</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>mus</extension>
+        <mime-type>application/vnd.musician</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>musicxml</extension>
+        <mime-type>application/vnd.recordare.musicxml+xml</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>mvb</extension>
+        <mime-type>application/x-msmediaview</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>mwf</extension>
+        <mime-type>application/vnd.mfer</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>mxf</extension>
+        <mime-type>application/mxf</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>mxl</extension>
+        <mime-type>application/vnd.recordare.musicxml</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>mxml</extension>
+        <mime-type>application/xv+xml</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>mxs</extension>
+        <mime-type>application/vnd.triscape.mxs</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>mxu</extension>
+        <mime-type>video/vnd.mpegurl</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>n-gage</extension>
+        <mime-type>application/vnd.nokia.n-gage.symbian.install</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>n3</extension>
+        <mime-type>text/n3</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>nb</extension>
+        <mime-type>application/mathematica</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>nbp</extension>
+        <mime-type>application/vnd.wolfram.player</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>nc</extension>
+        <mime-type>application/x-netcdf</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>ncx</extension>
+        <mime-type>application/x-dtbncx+xml</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>ngdat</extension>
+        <mime-type>application/vnd.nokia.n-gage.data</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>nlu</extension>
+        <mime-type>application/vnd.neurolanguage.nlu</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>nml</extension>
+        <mime-type>application/vnd.enliven</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>nnd</extension>
+        <mime-type>application/vnd.noblenet-directory</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>nns</extension>
+        <mime-type>application/vnd.noblenet-sealer</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>nnw</extension>
+        <mime-type>application/vnd.noblenet-web</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>npx</extension>
+        <mime-type>image/vnd.net-fpx</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>nsf</extension>
+        <mime-type>application/vnd.lotus-notes</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>oa2</extension>
+        <mime-type>application/vnd.fujitsu.oasys2</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>oa3</extension>
+        <mime-type>application/vnd.fujitsu.oasys3</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>oas</extension>
+        <mime-type>application/vnd.fujitsu.oasys</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>obd</extension>
+        <mime-type>application/x-msbinder</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>oda</extension>
+        <mime-type>application/oda</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <!-- OpenDocument Database -->
+        <extension>odb</extension>
+        <mime-type>application/vnd.oasis.opendocument.database</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <!-- OpenDocument Chart -->
+        <extension>odc</extension>
+        <mime-type>application/vnd.oasis.opendocument.chart</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <!-- OpenDocument Formula -->
+        <extension>odf</extension>
+        <mime-type>application/vnd.oasis.opendocument.formula</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>odft</extension>
+        <mime-type>application/vnd.oasis.opendocument.formula-template</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <!-- OpenDocument Drawing -->
+        <extension>odg</extension>
+        <mime-type>application/vnd.oasis.opendocument.graphics</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <!-- OpenDocument Image -->
+        <extension>odi</extension>
+        <mime-type>application/vnd.oasis.opendocument.image</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <!-- OpenDocument Master Document -->
+        <extension>odm</extension>
+        <mime-type>application/vnd.oasis.opendocument.text-master</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <!-- OpenDocument Presentation -->
+        <extension>odp</extension>
+        <mime-type>application/vnd.oasis.opendocument.presentation</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <!-- OpenDocument Spreadsheet -->
+        <extension>ods</extension>
+        <mime-type>application/vnd.oasis.opendocument.spreadsheet</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <!-- OpenDocument Text -->
+        <extension>odt</extension>
+        <mime-type>application/vnd.oasis.opendocument.text</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>oga</extension>
+        <mime-type>audio/ogg</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>ogg</extension>
+        <mime-type>audio/ogg</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>ogv</extension>
+        <mime-type>video/ogg</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <!-- xiph mime types -->
+        <extension>ogx</extension>
+        <mime-type>application/ogg</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>onepkg</extension>
+        <mime-type>application/onenote</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>onetmp</extension>
+        <mime-type>application/onenote</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>onetoc</extension>
+        <mime-type>application/onenote</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>onetoc2</extension>
+        <mime-type>application/onenote</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>opf</extension>
+        <mime-type>application/oebps-package+xml</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>oprc</extension>
+        <mime-type>application/vnd.palm</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>org</extension>
+        <mime-type>application/vnd.lotus-organizer</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>osf</extension>
+        <mime-type>application/vnd.yamaha.openscoreformat</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>osfpvg</extension>
+        <mime-type>application/vnd.yamaha.openscoreformat.osfpvg+xml</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>otc</extension>
+        <mime-type>application/vnd.oasis.opendocument.chart-template</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>otf</extension>
+        <mime-type>application/x-font-otf</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <!-- OpenDocument Drawing Template -->
+        <extension>otg</extension>
+        <mime-type>application/vnd.oasis.opendocument.graphics-template</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <!-- HTML Document Template -->
+        <extension>oth</extension>
+        <mime-type>application/vnd.oasis.opendocument.text-web</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>oti</extension>
+        <mime-type>application/vnd.oasis.opendocument.image-template</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <!-- OpenDocument Presentation Template -->
+        <extension>otp</extension>
+        <mime-type>application/vnd.oasis.opendocument.presentation-template</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <!-- OpenDocument Spreadsheet Template -->
+        <extension>ots</extension>
+        <mime-type>application/vnd.oasis.opendocument.spreadsheet-template</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <!-- OpenDocument Text Template -->
+        <extension>ott</extension>
+        <mime-type>application/vnd.oasis.opendocument.text-template</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>oxps</extension>
+        <mime-type>application/oxps</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>oxt</extension>
+        <mime-type>application/vnd.openofficeorg.extension</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>p</extension>
+        <mime-type>text/x-pascal</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>p10</extension>
+        <mime-type>application/pkcs10</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>p12</extension>
+        <mime-type>application/x-pkcs12</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>p7b</extension>
+        <mime-type>application/x-pkcs7-certificates</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>p7c</extension>
+        <mime-type>application/pkcs7-mime</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>p7m</extension>
+        <mime-type>application/pkcs7-mime</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>p7r</extension>
+        <mime-type>application/x-pkcs7-certreqresp</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>p7s</extension>
+        <mime-type>application/pkcs7-signature</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>p8</extension>
+        <mime-type>application/pkcs8</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>pas</extension>
+        <mime-type>text/x-pascal</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>paw</extension>
+        <mime-type>application/vnd.pawaafile</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>pbd</extension>
+        <mime-type>application/vnd.powerbuilder6</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>pbm</extension>
+        <mime-type>image/x-portable-bitmap</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>pcap</extension>
+        <mime-type>application/vnd.tcpdump.pcap</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>pcf</extension>
+        <mime-type>application/x-font-pcf</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>pcl</extension>
+        <mime-type>application/vnd.hp-pcl</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>pclxl</extension>
+        <mime-type>application/vnd.hp-pclxl</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>pct</extension>
+        <mime-type>image/pict</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>pcurl</extension>
+        <mime-type>application/vnd.curl.pcurl</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>pcx</extension>
+        <mime-type>image/x-pcx</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>pdb</extension>
+        <mime-type>application/vnd.palm</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>pdf</extension>
+        <mime-type>application/pdf</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>pfa</extension>
+        <mime-type>application/x-font-type1</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>pfb</extension>
+        <mime-type>application/x-font-type1</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>pfm</extension>
+        <mime-type>application/x-font-type1</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>pfr</extension>
+        <mime-type>application/font-tdpfr</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>pfx</extension>
+        <mime-type>application/x-pkcs12</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>pgm</extension>
+        <mime-type>image/x-portable-graymap</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>pgn</extension>
+        <mime-type>application/x-chess-pgn</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>pgp</extension>
+        <mime-type>application/pgp-encrypted</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>pic</extension>
+        <mime-type>image/pict</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>pict</extension>
+        <mime-type>image/pict</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>pkg</extension>
+        <mime-type>application/octet-stream</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>pki</extension>
+        <mime-type>application/pkixcmp</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>pkipath</extension>
+        <mime-type>application/pkix-pkipath</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>plb</extension>
+        <mime-type>application/vnd.3gpp.pic-bw-large</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>plc</extension>
+        <mime-type>application/vnd.mobius.plc</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>plf</extension>
+        <mime-type>application/vnd.pocketlearn</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>pls</extension>
+        <mime-type>audio/x-scpls</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>pml</extension>
+        <mime-type>application/vnd.ctc-posml</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>png</extension>
+        <mime-type>image/png</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>pnm</extension>
+        <mime-type>image/x-portable-anymap</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>pnt</extension>
+        <mime-type>image/x-macpaint</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>portpkg</extension>
+        <mime-type>application/vnd.macports.portpkg</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>pot</extension>
+        <mime-type>application/vnd.ms-powerpoint</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>potm</extension>
+        <mime-type>application/vnd.ms-powerpoint.template.macroenabled.12</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>potx</extension>
+        <mime-type>application/vnd.openxmlformats-officedocument.presentationml.template</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>ppam</extension>
+        <mime-type>application/vnd.ms-powerpoint.addin.macroenabled.12</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>ppd</extension>
+        <mime-type>application/vnd.cups-ppd</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>ppm</extension>
+        <mime-type>image/x-portable-pixmap</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>pps</extension>
+        <mime-type>application/vnd.ms-powerpoint</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>ppsm</extension>
+        <mime-type>application/vnd.ms-powerpoint.slideshow.macroenabled.12</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>ppsx</extension>
+        <mime-type>application/vnd.openxmlformats-officedocument.presentationml.slideshow</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>ppt</extension>
+        <mime-type>application/vnd.ms-powerpoint</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>pptm</extension>
+        <mime-type>application/vnd.ms-powerpoint.presentation.macroenabled.12</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>pptx</extension>
+        <mime-type>application/vnd.openxmlformats-officedocument.presentationml.presentation</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>pqa</extension>
+        <mime-type>application/vnd.palm</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>prc</extension>
+        <mime-type>application/x-mobipocket-ebook</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>pre</extension>
+        <mime-type>application/vnd.lotus-freelance</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>prf</extension>
+        <mime-type>application/pics-rules</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>ps</extension>
+        <mime-type>application/postscript</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>psb</extension>
+        <mime-type>application/vnd.3gpp.pic-bw-small</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>psd</extension>
+        <mime-type>image/vnd.adobe.photoshop</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>psf</extension>
+        <mime-type>application/x-font-linux-psf</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>pskcxml</extension>
+        <mime-type>application/pskc+xml</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>ptid</extension>
+        <mime-type>application/vnd.pvi.ptid1</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>pub</extension>
+        <mime-type>application/x-mspublisher</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>pvb</extension>
+        <mime-type>application/vnd.3gpp.pic-bw-var</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>pwn</extension>
+        <mime-type>application/vnd.3m.post-it-notes</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>pya</extension>
+        <mime-type>audio/vnd.ms-playready.media.pya</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>pyv</extension>
+        <mime-type>video/vnd.ms-playready.media.pyv</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>qam</extension>
+        <mime-type>application/vnd.epson.quickanime</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>qbo</extension>
+        <mime-type>application/vnd.intu.qbo</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>qfx</extension>
+        <mime-type>application/vnd.intu.qfx</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>qps</extension>
+        <mime-type>application/vnd.publishare-delta-tree</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>qt</extension>
+        <mime-type>video/quicktime</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>qti</extension>
+        <mime-type>image/x-quicktime</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>qtif</extension>
+        <mime-type>image/x-quicktime</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>qwd</extension>
+        <mime-type>application/vnd.quark.quarkxpress</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>qwt</extension>
+        <mime-type>application/vnd.quark.quarkxpress</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>qxb</extension>
+        <mime-type>application/vnd.quark.quarkxpress</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>qxd</extension>
+        <mime-type>application/vnd.quark.quarkxpress</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>qxl</extension>
+        <mime-type>application/vnd.quark.quarkxpress</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>qxt</extension>
+        <mime-type>application/vnd.quark.quarkxpress</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>ra</extension>
+        <mime-type>audio/x-pn-realaudio</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>ram</extension>
+        <mime-type>audio/x-pn-realaudio</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>rar</extension>
+        <mime-type>application/x-rar-compressed</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>ras</extension>
+        <mime-type>image/x-cmu-raster</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>rcprofile</extension>
+        <mime-type>application/vnd.ipunplugged.rcprofile</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>rdf</extension>
+        <mime-type>application/rdf+xml</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>rdz</extension>
+        <mime-type>application/vnd.data-vision.rdz</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>rep</extension>
+        <mime-type>application/vnd.businessobjects</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>res</extension>
+        <mime-type>application/x-dtbresource+xml</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>rgb</extension>
+        <mime-type>image/x-rgb</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>rif</extension>
+        <mime-type>application/reginfo+xml</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>rip</extension>
+        <mime-type>audio/vnd.rip</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>rl</extension>
+        <mime-type>application/resource-lists+xml</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>rlc</extension>
+        <mime-type>image/vnd.fujixerox.edmics-rlc</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>rld</extension>
+        <mime-type>application/resource-lists-diff+xml</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>rm</extension>
+        <mime-type>application/vnd.rn-realmedia</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>rmi</extension>
+        <mime-type>audio/midi</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>rmp</extension>
+        <mime-type>audio/x-pn-realaudio-plugin</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>rms</extension>
+        <mime-type>application/vnd.jcp.javame.midlet-rms</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>rnc</extension>
+        <mime-type>application/relax-ng-compact-syntax</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>roa</extension>
+        <mime-type>application/rpki-roa</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>roff</extension>
+        <mime-type>text/troff</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>rp9</extension>
+        <mime-type>application/vnd.cloanto.rp9</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>rpss</extension>
+        <mime-type>application/vnd.nokia.radio-presets</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>rpst</extension>
+        <mime-type>application/vnd.nokia.radio-preset</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>rq</extension>
+        <mime-type>application/sparql-query</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>rs</extension>
+        <mime-type>application/rls-services+xml</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>rsd</extension>
+        <mime-type>application/rsd+xml</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>rss</extension>
+        <mime-type>application/rss+xml</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>rtf</extension>
+        <mime-type>application/rtf</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>rtx</extension>
+        <mime-type>text/richtext</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>s</extension>
+        <mime-type>text/x-asm</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>saf</extension>
+        <mime-type>application/vnd.yamaha.smaf-audio</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>sbml</extension>
+        <mime-type>application/sbml+xml</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>sc</extension>
+        <mime-type>application/vnd.ibm.secure-container</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>scd</extension>
+        <mime-type>application/x-msschedule</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>scm</extension>
+        <mime-type>application/vnd.lotus-screencam</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>scq</extension>
+        <mime-type>application/scvp-cv-request</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>scs</extension>
+        <mime-type>application/scvp-cv-response</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>scurl</extension>
+        <mime-type>text/vnd.curl.scurl</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>sda</extension>
+        <mime-type>application/vnd.stardivision.draw</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>sdc</extension>
+        <mime-type>application/vnd.stardivision.calc</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>sdd</extension>
+        <mime-type>application/vnd.stardivision.impress</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>sdkd</extension>
+        <mime-type>application/vnd.solent.sdkm+xml</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>sdkm</extension>
+        <mime-type>application/vnd.solent.sdkm+xml</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>sdp</extension>
+        <mime-type>application/sdp</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>sdw</extension>
+        <mime-type>application/vnd.stardivision.writer</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>see</extension>
+        <mime-type>application/vnd.seemail</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>seed</extension>
+        <mime-type>application/vnd.fdsn.seed</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>sema</extension>
+        <mime-type>application/vnd.sema</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>semd</extension>
+        <mime-type>application/vnd.semd</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>semf</extension>
+        <mime-type>application/vnd.semf</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>ser</extension>
+        <mime-type>application/java-serialized-object</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>setpay</extension>
+        <mime-type>application/set-payment-initiation</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>setreg</extension>
+        <mime-type>application/set-registration-initiation</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>sfd-hdstx</extension>
+        <mime-type>application/vnd.hydrostatix.sof-data</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>sfs</extension>
+        <mime-type>application/vnd.spotfire.sfs</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>sgl</extension>
+        <mime-type>application/vnd.stardivision.writer-global</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>sgm</extension>
+        <mime-type>text/sgml</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>sgml</extension>
+        <mime-type>text/sgml</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>sh</extension>
+        <mime-type>application/x-sh</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>shar</extension>
+        <mime-type>application/x-shar</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>shf</extension>
+        <mime-type>application/shf+xml</mime-type>
+    </mime-mapping>
+    <!--
+    <mime-mapping>
+        <extension>shtml</extension>
+        <mime-type>text/x-server-parsed-html</mime-type>
+    </mime-mapping>
+    -->
+    <mime-mapping>
+        <extension>sig</extension>
+        <mime-type>application/pgp-signature</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>silo</extension>
+        <mime-type>model/mesh</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>sis</extension>
+        <mime-type>application/vnd.symbian.install</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>sisx</extension>
+        <mime-type>application/vnd.symbian.install</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>sit</extension>
+        <mime-type>application/x-stuffit</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>sitx</extension>
+        <mime-type>application/x-stuffitx</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>skd</extension>
+        <mime-type>application/vnd.koan</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>skm</extension>
+        <mime-type>application/vnd.koan</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>skp</extension>
+        <mime-type>application/vnd.koan</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>skt</extension>
+        <mime-type>application/vnd.koan</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>sldm</extension>
+        <mime-type>application/vnd.ms-powerpoint.slide.macroenabled.12</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>sldx</extension>
+        <mime-type>application/vnd.openxmlformats-officedocument.presentationml.slide</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>slt</extension>
+        <mime-type>application/vnd.epson.salt</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>sm</extension>
+        <mime-type>application/vnd.stepmania.stepchart</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>smf</extension>
+        <mime-type>application/vnd.stardivision.math</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>smi</extension>
+        <mime-type>application/smil+xml</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>smil</extension>
+        <mime-type>application/smil+xml</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>smzip</extension>
+        <mime-type>application/vnd.stepmania.package</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>snd</extension>
+        <mime-type>audio/basic</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>snf</extension>
+        <mime-type>application/x-font-snf</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>so</extension>
+        <mime-type>application/octet-stream</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>spc</extension>
+        <mime-type>application/x-pkcs7-certificates</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>spf</extension>
+        <mime-type>application/vnd.yamaha.smaf-phrase</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>spl</extension>
+        <mime-type>application/x-futuresplash</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>spot</extension>
+        <mime-type>text/vnd.in3d.spot</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>spp</extension>
+        <mime-type>application/scvp-vp-response</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>spq</extension>
+        <mime-type>application/scvp-vp-request</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>spx</extension>
+        <mime-type>audio/ogg</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>src</extension>
+        <mime-type>application/x-wais-source</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>sru</extension>
+        <mime-type>application/sru+xml</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>srx</extension>
+        <mime-type>application/sparql-results+xml</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>sse</extension>
+        <mime-type>application/vnd.kodak-descriptor</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>ssf</extension>
+        <mime-type>application/vnd.epson.ssf</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>ssml</extension>
+        <mime-type>application/ssml+xml</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>st</extension>
+        <mime-type>application/vnd.sailingtracker.track</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>stc</extension>
+        <mime-type>application/vnd.sun.xml.calc.template</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>std</extension>
+        <mime-type>application/vnd.sun.xml.draw.template</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>stf</extension>
+        <mime-type>application/vnd.wt.stf</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>sti</extension>
+        <mime-type>application/vnd.sun.xml.impress.template</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>stk</extension>
+        <mime-type>application/hyperstudio</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>stl</extension>
+        <mime-type>application/vnd.ms-pki.stl</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>str</extension>
+        <mime-type>application/vnd.pg.format</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>stw</extension>
+        <mime-type>application/vnd.sun.xml.writer.template</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>sub</extension>
+        <mime-type>text/vnd.dvb.subtitle</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>sus</extension>
+        <mime-type>application/vnd.sus-calendar</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>susp</extension>
+        <mime-type>application/vnd.sus-calendar</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>sv4cpio</extension>
+        <mime-type>application/x-sv4cpio</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>sv4crc</extension>
+        <mime-type>application/x-sv4crc</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>svc</extension>
+        <mime-type>application/vnd.dvb.service</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>svd</extension>
+        <mime-type>application/vnd.svd</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>svg</extension>
+        <mime-type>image/svg+xml</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>svgz</extension>
+        <mime-type>image/svg+xml</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>swa</extension>
+        <mime-type>application/x-director</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>swf</extension>
+        <mime-type>application/x-shockwave-flash</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>swi</extension>
+        <mime-type>application/vnd.aristanetworks.swi</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>sxc</extension>
+        <mime-type>application/vnd.sun.xml.calc</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>sxd</extension>
+        <mime-type>application/vnd.sun.xml.draw</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>sxg</extension>
+        <mime-type>application/vnd.sun.xml.writer.global</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>sxi</extension>
+        <mime-type>application/vnd.sun.xml.impress</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>sxm</extension>
+        <mime-type>application/vnd.sun.xml.math</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>sxw</extension>
+        <mime-type>application/vnd.sun.xml.writer</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>t</extension>
+        <mime-type>text/troff</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>taglet</extension>
+        <mime-type>application/vnd.mynfc</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>tao</extension>
+        <mime-type>application/vnd.tao.intent-module-archive</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>tar</extension>
+        <mime-type>application/x-tar</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>tcap</extension>
+        <mime-type>application/vnd.3gpp2.tcap</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>tcl</extension>
+        <mime-type>application/x-tcl</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>teacher</extension>
+        <mime-type>application/vnd.smart.teacher</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>tei</extension>
+        <mime-type>application/tei+xml</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>teicorpus</extension>
+        <mime-type>application/tei+xml</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>tex</extension>
+        <mime-type>application/x-tex</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>texi</extension>
+        <mime-type>application/x-texinfo</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>texinfo</extension>
+        <mime-type>application/x-texinfo</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>text</extension>
+        <mime-type>text/plain</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>tfi</extension>
+        <mime-type>application/thraud+xml</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>tfm</extension>
+        <mime-type>application/x-tex-tfm</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>thmx</extension>
+        <mime-type>application/vnd.ms-officetheme</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>tif</extension>
+        <mime-type>image/tiff</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>tiff</extension>
+        <mime-type>image/tiff</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>tmo</extension>
+        <mime-type>application/vnd.tmobile-livetv</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>torrent</extension>
+        <mime-type>application/x-bittorrent</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>tpl</extension>
+        <mime-type>application/vnd.groove-tool-template</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>tpt</extension>
+        <mime-type>application/vnd.trid.tpt</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>tr</extension>
+        <mime-type>text/troff</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>tra</extension>
+        <mime-type>application/vnd.trueapp</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>trm</extension>
+        <mime-type>application/x-msterminal</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>tsd</extension>
+        <mime-type>application/timestamped-data</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>tsv</extension>
+        <mime-type>text/tab-separated-values</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>ttc</extension>
+        <mime-type>application/x-font-ttf</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>ttf</extension>
+        <mime-type>application/x-font-ttf</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>ttl</extension>
+        <mime-type>text/turtle</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>twd</extension>
+        <mime-type>application/vnd.simtech-mindmapper</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>twds</extension>
+        <mime-type>application/vnd.simtech-mindmapper</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>txd</extension>
+        <mime-type>application/vnd.genomatix.tuxedo</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>txf</extension>
+        <mime-type>application/vnd.mobius.txf</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>txt</extension>
+        <mime-type>text/plain</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>u32</extension>
+        <mime-type>application/x-authorware-bin</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>udeb</extension>
+        <mime-type>application/x-debian-package</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>ufd</extension>
+        <mime-type>application/vnd.ufdl</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>ufdl</extension>
+        <mime-type>application/vnd.ufdl</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>ulw</extension>
+        <mime-type>audio/basic</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>umj</extension>
+        <mime-type>application/vnd.umajin</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>unityweb</extension>
+        <mime-type>application/vnd.unity</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>uoml</extension>
+        <mime-type>application/vnd.uoml+xml</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>uri</extension>
+        <mime-type>text/uri-list</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>uris</extension>
+        <mime-type>text/uri-list</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>urls</extension>
+        <mime-type>text/uri-list</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>ustar</extension>
+        <mime-type>application/x-ustar</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>utz</extension>
+        <mime-type>application/vnd.uiq.theme</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>uu</extension>
+        <mime-type>text/x-uuencode</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>uva</extension>
+        <mime-type>audio/vnd.dece.audio</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>uvd</extension>
+        <mime-type>application/vnd.dece.data</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>uvf</extension>
+        <mime-type>application/vnd.dece.data</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>uvg</extension>
+        <mime-type>image/vnd.dece.graphic</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>uvh</extension>
+        <mime-type>video/vnd.dece.hd</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>uvi</extension>
+        <mime-type>image/vnd.dece.graphic</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>uvm</extension>
+        <mime-type>video/vnd.dece.mobile</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>uvp</extension>
+        <mime-type>video/vnd.dece.pd</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>uvs</extension>
+        <mime-type>video/vnd.dece.sd</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>uvt</extension>
+        <mime-type>application/vnd.dece.ttml+xml</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>uvu</extension>
+        <mime-type>video/vnd.uvvu.mp4</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>uvv</extension>
+        <mime-type>video/vnd.dece.video</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>uvva</extension>
+        <mime-type>audio/vnd.dece.audio</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>uvvd</extension>
+        <mime-type>application/vnd.dece.data</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>uvvf</extension>
+        <mime-type>application/vnd.dece.data</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>uvvg</extension>
+        <mime-type>image/vnd.dece.graphic</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>uvvh</extension>
+        <mime-type>video/vnd.dece.hd</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>uvvi</extension>
+        <mime-type>image/vnd.dece.graphic</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>uvvm</extension>
+        <mime-type>video/vnd.dece.mobile</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>uvvp</extension>
+        <mime-type>video/vnd.dece.pd</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>uvvs</extension>
+        <mime-type>video/vnd.dece.sd</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>uvvt</extension>
+        <mime-type>application/vnd.dece.ttml+xml</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>uvvu</extension>
+        <mime-type>video/vnd.uvvu.mp4</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>uvvv</extension>
+        <mime-type>video/vnd.dece.video</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>uvvx</extension>
+        <mime-type>application/vnd.dece.unspecified</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>uvvz</extension>
+        <mime-type>application/vnd.dece.zip</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>uvx</extension>
+        <mime-type>application/vnd.dece.unspecified</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>uvz</extension>
+        <mime-type>application/vnd.dece.zip</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>vcard</extension>
+        <mime-type>text/vcard</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>vcd</extension>
+        <mime-type>application/x-cdlink</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>vcf</extension>
+        <mime-type>text/x-vcard</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>vcg</extension>
+        <mime-type>application/vnd.groove-vcard</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>vcs</extension>
+        <mime-type>text/x-vcalendar</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>vcx</extension>
+        <mime-type>application/vnd.vcx</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>vis</extension>
+        <mime-type>application/vnd.visionary</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>viv</extension>
+        <mime-type>video/vnd.vivo</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>vor</extension>
+        <mime-type>application/vnd.stardivision.writer</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>vox</extension>
+        <mime-type>application/x-authorware-bin</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>vrml</extension>
+        <mime-type>model/vrml</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>vsd</extension>
+        <mime-type>application/vnd.visio</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>vsf</extension>
+        <mime-type>application/vnd.vsf</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>vss</extension>
+        <mime-type>application/vnd.visio</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>vst</extension>
+        <mime-type>application/vnd.visio</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>vsw</extension>
+        <mime-type>application/vnd.visio</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>vtu</extension>
+        <mime-type>model/vnd.vtu</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>vxml</extension>
+        <mime-type>application/voicexml+xml</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>w3d</extension>
+        <mime-type>application/x-director</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>wad</extension>
+        <mime-type>application/x-doom</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>wav</extension>
+        <mime-type>audio/x-wav</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>wax</extension>
+        <mime-type>audio/x-ms-wax</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <!-- Wireless Bitmap -->
+        <extension>wbmp</extension>
+        <mime-type>image/vnd.wap.wbmp</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>wbs</extension>
+        <mime-type>application/vnd.criticaltools.wbs+xml</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>wbxml</extension>
+        <mime-type>application/vnd.wap.wbxml</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>wcm</extension>
+        <mime-type>application/vnd.ms-works</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>wdb</extension>
+        <mime-type>application/vnd.ms-works</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>weba</extension>
+        <mime-type>audio/webm</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>webm</extension>
+        <mime-type>video/webm</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>webp</extension>
+        <mime-type>image/webp</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>wg</extension>
+        <mime-type>application/vnd.pmi.widget</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>wgt</extension>
+        <mime-type>application/widget</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>wks</extension>
+        <mime-type>application/vnd.ms-works</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>wm</extension>
+        <mime-type>video/x-ms-wm</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>wma</extension>
+        <mime-type>audio/x-ms-wma</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>wmd</extension>
+        <mime-type>application/x-ms-wmd</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>wmf</extension>
+        <mime-type>application/x-msmetafile</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <!-- WML Source -->
+        <extension>wml</extension>
+        <mime-type>text/vnd.wap.wml</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <!-- Compiled WML -->
+        <extension>wmlc</extension>
+        <mime-type>application/vnd.wap.wmlc</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <!-- WML Script Source -->
+        <extension>wmls</extension>
+        <mime-type>text/vnd.wap.wmlscript</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <!-- Compiled WML Script -->
+        <extension>wmlsc</extension>
+        <mime-type>application/vnd.wap.wmlscriptc</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>wmv</extension>
+        <mime-type>video/x-ms-wmv</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>wmx</extension>
+        <mime-type>video/x-ms-wmx</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>wmz</extension>
+        <mime-type>application/x-ms-wmz</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>woff</extension>
+        <mime-type>application/x-font-woff</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>wpd</extension>
+        <mime-type>application/vnd.wordperfect</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>wpl</extension>
+        <mime-type>application/vnd.ms-wpl</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>wps</extension>
+        <mime-type>application/vnd.ms-works</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>wqd</extension>
+        <mime-type>application/vnd.wqd</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>wri</extension>
+        <mime-type>application/x-mswrite</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>wrl</extension>
+        <mime-type>model/vrml</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>wsdl</extension>
+        <mime-type>application/wsdl+xml</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>wspolicy</extension>
+        <mime-type>application/wspolicy+xml</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>wtb</extension>
+        <mime-type>application/vnd.webturbo</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>wvx</extension>
+        <mime-type>video/x-ms-wvx</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>x32</extension>
+        <mime-type>application/x-authorware-bin</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>x3d</extension>
+        <mime-type>application/vnd.hzn-3d-crossword</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>xap</extension>
+        <mime-type>application/x-silverlight-app</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>xar</extension>
+        <mime-type>application/vnd.xara</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>xbap</extension>
+        <mime-type>application/x-ms-xbap</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>xbd</extension>
+        <mime-type>application/vnd.fujixerox.docuworks.binder</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>xbm</extension>
+        <mime-type>image/x-xbitmap</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>xdf</extension>
+        <mime-type>application/xcap-diff+xml</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>xdm</extension>
+        <mime-type>application/vnd.syncml.dm+xml</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>xdp</extension>
+        <mime-type>application/vnd.adobe.xdp+xml</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>xdssc</extension>
+        <mime-type>application/dssc+xml</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>xdw</extension>
+        <mime-type>application/vnd.fujixerox.docuworks</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>xenc</extension>
+        <mime-type>application/xenc+xml</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>xer</extension>
+        <mime-type>application/patch-ops-error+xml</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>xfdf</extension>
+        <mime-type>application/vnd.adobe.xfdf</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>xfdl</extension>
+        <mime-type>application/vnd.xfdl</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>xht</extension>
+        <mime-type>application/xhtml+xml</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>xhtml</extension>
+        <mime-type>application/xhtml+xml</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>xhvml</extension>
+        <mime-type>application/xv+xml</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>xif</extension>
+        <mime-type>image/vnd.xiff</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>xla</extension>
+        <mime-type>application/vnd.ms-excel</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>xlam</extension>
+        <mime-type>application/vnd.ms-excel.addin.macroenabled.12</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>xlc</extension>
+        <mime-type>application/vnd.ms-excel</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>xlm</extension>
+        <mime-type>application/vnd.ms-excel</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>xls</extension>
+        <mime-type>application/vnd.ms-excel</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>xlsb</extension>
+        <mime-type>application/vnd.ms-excel.sheet.binary.macroenabled.12</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>xlsm</extension>
+        <mime-type>application/vnd.ms-excel.sheet.macroenabled.12</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>xlsx</extension>
+        <mime-type>application/vnd.openxmlformats-officedocument.spreadsheetml.sheet</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>xlt</extension>
+        <mime-type>application/vnd.ms-excel</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>xltm</extension>
+        <mime-type>application/vnd.ms-excel.template.macroenabled.12</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>xltx</extension>
+        <mime-type>application/vnd.openxmlformats-officedocument.spreadsheetml.template</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>xlw</extension>
+        <mime-type>application/vnd.ms-excel</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>xml</extension>
+        <mime-type>application/xml</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>xo</extension>
+        <mime-type>application/vnd.olpc-sugar</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>xop</extension>
+        <mime-type>application/xop+xml</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>xpi</extension>
+        <mime-type>application/x-xpinstall</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>xpm</extension>
+        <mime-type>image/x-xpixmap</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>xpr</extension>
+        <mime-type>application/vnd.is-xpr</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>xps</extension>
+        <mime-type>application/vnd.ms-xpsdocument</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>xpw</extension>
+        <mime-type>application/vnd.intercon.formnet</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>xpx</extension>
+        <mime-type>application/vnd.intercon.formnet</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>xsl</extension>
+        <mime-type>application/xml</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>xslt</extension>
+        <mime-type>application/xslt+xml</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>xsm</extension>
+        <mime-type>application/vnd.syncml+xml</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>xspf</extension>
+        <mime-type>application/xspf+xml</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>xul</extension>
+        <mime-type>application/vnd.mozilla.xul+xml</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>xvm</extension>
+        <mime-type>application/xv+xml</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>xvml</extension>
+        <mime-type>application/xv+xml</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>xwd</extension>
+        <mime-type>image/x-xwindowdump</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>xyz</extension>
+        <mime-type>chemical/x-xyz</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>yang</extension>
+        <mime-type>application/yang</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>yin</extension>
+        <mime-type>application/yin+xml</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>z</extension>
+        <mime-type>application/x-compress</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>Z</extension>
+        <mime-type>application/x-compress</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>zaz</extension>
+        <mime-type>application/vnd.zzazz.deck+xml</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>zip</extension>
+        <mime-type>application/zip</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>zir</extension>
+        <mime-type>application/vnd.zul</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>zirz</extension>
+        <mime-type>application/vnd.zul</mime-type>
+    </mime-mapping>
+    <mime-mapping>
+        <extension>zmm</extension>
+        <mime-type>application/vnd.handheld-entertainment+xml</mime-type>
+    </mime-mapping>
+
+  <!-- ==================== Default Welcome File List ===================== -->
+  <!-- When a request URI refers to a directory, the default servlet looks  -->
+  <!-- for a "welcome file" within that directory and, if present, to the   -->
+  <!-- corresponding resource URI for display.                              -->
+  <!-- If no welcome files are present, the default servlet either serves a -->
+  <!-- directory listing (see default servlet configuration on how to       -->
+  <!-- customize) or returns a 404 status, depending on the value of the    -->
+  <!-- listings setting.                                                    -->
+  <!--                                                                      -->
+  <!-- If you define welcome files in your own application's web.xml        -->
+  <!-- deployment descriptor, that list *replaces* the list configured      -->
+  <!-- here, so be sure to include any of the default values that you wish  -->
+  <!-- to use within your application.                                       -->
+
+    <welcome-file-list>
+        <welcome-file>index.html</welcome-file>
+        <welcome-file>index.htm</welcome-file>
+        <welcome-file>index.jsp</welcome-file>
+    </welcome-file-list>
+
+</web-app>
diff --git a/base/common/src/CMakeLists.txt b/base/common/src/CMakeLists.txt
index eab5db24c..0505c7e74 100644
--- a/base/common/src/CMakeLists.txt
+++ b/base/common/src/CMakeLists.txt
@@ -48,7 +48,14 @@ find_file(TOMCAT_CATALINA_JAR
     NAMES
         catalina.jar
     PATHS
-        /usr/share/java/tomcat6
+        /usr/share/java/tomcat
+)
+
+find_file(TOMCAT_UTIL_JAR
+    NAMES
+        tomcat-util.jar
+    PATHS
+        /usr/share/java/tomcat
 )
 
 find_file(SERVLET_JAR
@@ -1193,7 +1200,7 @@ set(CMAKE_JAVA_INCLUDE_PATH
     ${LDAPJDK_JAR} ${SERVLET_JAR} ${VELOCITY_JAR} ${XALAN_JAR} ${XERCES_JAR}
     ${JSS_JAR} ${COMMONS_CODEC_JAR} ${COMMONS_HTTPCLIENT_JAR}
     ${APACHE_COMMONS_CLI_JAR} ${APACHE_COMMONS_LANG_JAR}
-    ${TOMCAT_CATALINA_JAR} ${SYMKEY_JAR}
+    ${TOMCAT_CATALINA_JAR} ${TOMCAT_UTIL_JAR} ${SYMKEY_JAR}
     ${JAXRS_API_JAR} ${RESTEASY_JAXRS_JAR} ${RESTEASY_ATOM_PROVIDER_JAR}
     ${HTTPCLIENT_JAR} ${HTTPCORE_JAR})
 
diff --git a/base/common/src/com/netscape/cms/servlet/csadmin/CertUtil.java b/base/common/src/com/netscape/cms/servlet/csadmin/CertUtil.java
index 35ec7c515..6ad9e7680 100644
--- a/base/common/src/com/netscape/cms/servlet/csadmin/CertUtil.java
+++ b/base/common/src/com/netscape/cms/servlet/csadmin/CertUtil.java
@@ -371,8 +371,10 @@ public class CertUtil {
 
             String instanceRoot = config.getString("instanceRoot");
 
+            String configurationRoot = config.getString("configurationRoot");
+
             CertInfoProfile processor = new CertInfoProfile(
-                    instanceRoot + "/conf/" + profile);
+                    instanceRoot + configurationRoot + profile);
 
             // cfu - create request to enable renewal
             try {
diff --git a/base/common/src/com/netscape/cmscore/realm/PKIJNDIRealm.java b/base/common/src/com/netscape/cmscore/realm/PKIJNDIRealm.java
index 86debf3da..bd551baf0 100644
--- a/base/common/src/com/netscape/cmscore/realm/PKIJNDIRealm.java
+++ b/base/common/src/com/netscape/cmscore/realm/PKIJNDIRealm.java
@@ -28,6 +28,7 @@ import org.apache.catalina.connector.Request;
 import org.apache.catalina.connector.Response;
 import org.apache.catalina.deploy.SecurityConstraint;
 import org.apache.catalina.realm.JNDIRealm;
+import org.apache.catalina.Wrapper;
 
 /*
  *  Self contained PKI JNDI Real that overrides the standard JNDI Realm
@@ -206,6 +207,8 @@ public class PKIJNDIRealm extends JNDIRealm {
 
         boolean allowed = super.hasResourcePermission(request, response, constraints, context);
 
+        Wrapper wrapper = request.getWrapper();
+
         if (allowed == true && hasResourceACLS()) {
 
             loadAuthzProperties(context);
@@ -238,7 +241,7 @@ public class PKIJNDIRealm extends JNDIRealm {
                         }
                     }
 
-                    allowed = checkACLPermission(principal, resourceID, operation);
+                    allowed = checkACLPermission(principal, resourceID, operation, wrapper);
                     logDebug("resourceID: " + resourceID + " operation: " + operation + " allowed: " + allowed);
                 }
             }
@@ -351,7 +354,7 @@ public class PKIJNDIRealm extends JNDIRealm {
 
     // Check a PKI  ACL resourceID and operation for permissions
     // If the check fails the user (principal) is not authorized to access the resource
-    private boolean checkACLPermission(Principal principal, String resourceId, String operation) {
+    private boolean checkACLPermission(Principal principal, String resourceId, String operation, Wrapper wrapper) {
 
         boolean allowed = true;
 
@@ -378,7 +381,7 @@ public class PKIJNDIRealm extends JNDIRealm {
 
             String expressions = entry.getAttributeExpressions();
 
-            allowed = evaluateExpressions(principal, expressions);
+            allowed = evaluateExpressions(principal, expressions, wrapper);
 
             if (isEntryNegative) {
                 allowed = !allowed;
@@ -400,7 +403,7 @@ public class PKIJNDIRealm extends JNDIRealm {
 
     // Evaluate an expression as part of a PKI ACL
     // Ex: user=anybody , group=Data Recovery Manager Agents
-    private boolean evaluateExpression(Principal principal, String expression) {
+    private boolean evaluateExpression(Principal principal, String expression, Wrapper wrapper) {
 
         boolean allowed = true;
         if (principal == null || expression == null) {
@@ -445,7 +448,7 @@ public class PKIJNDIRealm extends JNDIRealm {
         allowed = false;
         if (left.equals(PROP_GROUP)) {
             // Check JNDI to see if the user has this role/group
-            if (hasRole(principal, right)) {
+            if (hasRole(wrapper, principal, right)) {
                 allowed = true;
             }
         } else if (left.equals(PROP_USER)) {
@@ -482,7 +485,7 @@ public class PKIJNDIRealm extends JNDIRealm {
     }
 
     // Take a set of expressions in an ACL and evaluate it
-    private boolean evaluateExpressions(Principal principal, String s) {
+    private boolean evaluateExpressions(Principal principal, String s, Wrapper wrapper) {
 
         Vector<Object> v = new Vector<Object>();
 
@@ -492,7 +495,7 @@ public class PKIJNDIRealm extends JNDIRealm {
 
             // this is the last expression
             if (orIndex == -1 && andIndex == -1) {
-                boolean passed = evaluateExpression(principal, s.trim());
+                boolean passed = evaluateExpression(principal, s.trim(), wrapper);
 
                 v.addElement(Boolean.valueOf(passed));
                 break;
@@ -500,7 +503,7 @@ public class PKIJNDIRealm extends JNDIRealm {
                 // || first
             } else if (andIndex == -1 || (orIndex != -1 && orIndex < andIndex)) {
                 String s1 = s.substring(0, orIndex);
-                boolean passed = evaluateExpression(principal, s1.trim());
+                boolean passed = evaluateExpression(principal, s1.trim(), wrapper);
 
                 v.addElement(Boolean.valueOf(passed));
                 v.addElement("||");
@@ -508,7 +511,7 @@ public class PKIJNDIRealm extends JNDIRealm {
                 // && first
             } else {
                 String s1 = s.substring(0, andIndex);
-                boolean passed = evaluateExpression(principal, s1.trim());
+                boolean passed = evaluateExpression(principal, s1.trim(), wrapper);
 
                 v.addElement(Boolean.valueOf(passed));
                 v.addElement("&&");
diff --git a/base/deploy/config/pkideployment.cfg b/base/deploy/config/pkideployment.cfg
index dd688ed09..542fc5bef 100644
--- a/base/deploy/config/pkideployment.cfg
+++ b/base/deploy/config/pkideployment.cfg
@@ -1,34 +1,219 @@
-[Common]
+###############################################################################
+##  'Sensitive' Data:                                                        ##
+##                                                                           ##
+##  Values in this section pertain to various PKI subsystems, and contain    ##
+##  required 'sensitive' information which MUST ALWAYS be provided by users. ##
+##                                                                           ##
+##  IMPORTANT:  Sensitive data values must NEVER be displayed to the         ##
+##              console NOR stored in log files!!!                           ##
+###############################################################################
+[Sensitive]
+pki_admin_password=
+pki_backup_password=
+pki_ds_password=
+pki_pkcs12_password=
+pki_security_domain_password=
+###############################################################################
+##  'Mandatory' Data:                                                        ##
+##                                                                           ##
+##  Values in this section pertain to various PKI subsystems, and contain    ##
+##  required information which MUST ALWAYS be provided by users.             ##
+###############################################################################
+[Mandatory]
+###############################################################################
+##  'Optional' Data:                                                         ##
+##                                                                           ##
+##  Values in this section pertain to various PKI subsystems, and contain    ##
+##  required information which MAY OPTIONALLY be provided by users.          ##
+##                                                                           ##
+##  NOTE:  Default values will be generated for any and all required         ##
+##         'optional' data values which are left undefined.                  ##
+###############################################################################
+[Optional]
 pki_admin_domain_name=
-pki_user=pkiuser
-pki_group=pkiuser
+pki_admin_email=
+pki_admin_subject_dn=
+pki_audit_signing_nickname=
+pki_audit_signing_subject_dn=
+pki_audit_signing_token=
+pki_backup_file=
+pki_ca_signing_nickname=
+pki_ca_signing_subject_dn=
+pki_ca_signing_token=
+pki_ds_base_dn=
+pki_ds_database=
+pki_ds_hostname=
+pki_ocsp_signing_nickname=
+pki_ocsp_signing_subject_dn=
+pki_ocsp_signing_token=
+pki_security_domain_hostname=
+pki_security_domain_name=
+pki_ssl_server_nickname=
+pki_ssl_server_subject_dn=
+pki_ssl_server_token=
+pki_storage_nickname=
+pki_storage_subject_dn=
+pki_storage_token=
+pki_subsystem_nickname=
+pki_subsystem_subject_dn=
+pki_subsystem_token=
+pki_transport_nickname=
+pki_transport_subject_dn=
+pki_transport_token=
+###############################################################################
+##  'Common' Data:                                                           ##
+##                                                                           ##
+##  Values in this section are common to ALL PKI subsystems, and contain     ##
+##  required information which MAY be overridden by users as necessary.      ##
+###############################################################################
+[Common]
+pki_admin_cert_request_type=crmf
+pki_admin_dualkey=False
+pki_admin_keysize=2048
+pki_admin_name=admin
+pki_admin_uid=admin
 pki_audit_group=pkiaudit
+pki_audit_signing_key_algorithm=SHA256withRSA
+pki_audit_signing_key_size=2048
+pki_audit_signing_key_type=rsa
+pki_audit_signing_signing_algorithm=SHA256withRSA
+pki_backup_keys=False
+pki_ds_bind_dn=cn=Directory Manager
+pki_ds_http_port=389
+pki_ds_https_port=636
+pki_ds_remove_data=True
+pki_ds_secure_connection=False
+pki_group=pkiuser
+pki_security_domain_https_port=8443
+pki_security_domain_user=admin
+pki_ssl_server_key_algorithm=SHA256withRSA
+pki_ssl_server_key_size=2048
+pki_ssl_server_key_type=rsa
+pki_subsystem_key_algorithm=SHA256withRSA
+pki_subsystem_key_size=2048
+pki_subsystem_key_type=rsa
+pki_user=pkiuser
+###############################################################################
+##  'Apache' Data:                                                           ##
+##                                                                           ##
+##  Values in this section are common to PKI subsystems that run             ##
+##  as an instance of 'Apache' (RA and TPS subsystems), and contain          ##
+##  required information which MAY be overridden by users as necessary.      ##
+###############################################################################
 [Apache]
 pki_instance_name=apache
 pki_http_port=80
 pki_https_port=443
+###############################################################################
+##  'Tomcat' Data:                                                           ##
+##                                                                           ##
+##  Values in this section are common to PKI subsystems that run             ##
+##  as an instance of 'Tomcat' (CA, KRA, OCSP, and TKS subsystems            ##
+##  including 'Clones', 'Subordinate CAs', and 'External CAs'), and contain  ##
+##  required information which MAY be overridden by users as necessary.      ##
+##                                                                           ##
+##  PKI CLONES:  To specify a 'CA Clone', a 'KRA Clone', an 'OCSP Clone',    ##
+##               or a 'TKS Clone', change the value of 'pki_clone'           ##
+##               from 'False' to 'True'.                                     ##
+##                                                                           ##
+##    REMINDER:  PKI CA Clones, Subordinate CAs, and External CAs            ##
+##               are MUTUALLY EXCLUSIVE entities!!!                          ##
+###############################################################################
 [Tomcat]
-pki_instance_name=tomcat
+pki_ajp_port=8009
+pki_clone=False
+pki_enable_java_debugger=False
 pki_http_port=8080
 pki_https_port=8443
-pki_ajp_port=8009
-pki_proxy_http_port=80
-pki_proxy_https_port=443
-pki_security_manager=true
+pki_instance_name=tomcat
+pki_proxy_http_port=
+pki_proxy_https_port=
+pki_security_manager=false
 pki_tomcat_server_port=8005
+###############################################################################
+##  'CA' Data:                                                               ##
+##                                                                           ##
+##  Values in this section are common to CA subsystems including 'PKI CAs',  ##
+##  'Cloned CAs', 'Subordinate CAs', and 'External CAs', and contain         ##
+##  required information which MAY be overridden by users as necessary.      ##
+##                                                                           ##
+##     EXTERNAL CAs:  To specify an 'External CA', change the value          ##
+##                    of 'pki_external' from 'False' to 'True'.              ##
+##                                                                           ##
+##  SUBORDINATE CAs:  To specify a 'Subordinate CA', change the value        ##
+##                    of 'pki_subordinate' from 'False' to 'True'.           ##
+##                                                                           ##
+##         REMINDER:  PKI CA Clones, Subordinate CAs, and External CAs       ##
+##                    are MUTUALLY EXCLUSIVE entities!!!                     ##
+###############################################################################
 [CA]
+pki_ca_signing_key_algorithm=SHA256withRSA
+pki_ca_signing_key_size=2048
+pki_ca_signing_key_type=rsa
+pki_ca_signing_signing_algorithm=SHA256withRSA
+pki_external=False
+pki_ocsp_signing_key_algorithm=SHA256withRSA
+pki_ocsp_signing_key_size=2048
+pki_ocsp_signing_key_type=rsa
+pki_ocsp_signing_signing_algorithm=SHA256withRSA
+pki_subordinate=False
 pki_subsystem=CA
 pki_war_name=ca.war
+###############################################################################
+##  'KRA' Data:                                                              ##
+##                                                                           ##
+##  Values in this section are common to KRA subsystems                      ##
+##  including 'PKI KRAs' and 'Cloned KRAs', and contain                      ##
+##  required information which MAY be overridden by users as necessary.      ##
+###############################################################################
 [KRA]
+pki_storage_key_algorithm=SHA256withRSA
+pki_storage_key_size=2048
+pki_storage_key_type=rsa
+pki_storage_signing_algorithm=SHA256withRSA
 pki_subsystem=KRA
+pki_transport_key_algorithm=SHA256withRSA
+pki_transport_key_size=2048
+pki_transport_key_type=rsa
+pki_transport_signing_algorithm=SHA256withRSA
 pki_war_name=kra.war
+###############################################################################
+##  'OCSP' Data:                                                             ##
+##                                                                           ##
+##  Values in this section are common to OCSP subsystems                     ##
+##  including 'PKI OCSPs' and 'Cloned OCSPs', and contain                    ##
+##  required information which MAY be overridden by users as necessary.      ##
+###############################################################################
 [OCSP]
+pki_ocsp_signing_key_algorithm=SHA256withRSA
+pki_ocsp_signing_key_size=2048
+pki_ocsp_signing_key_type=rsa
+pki_ocsp_signing_signing_algorithm=SHA256withRSA
 pki_subsystem=OCSP
 pki_war_name=ocsp.war
+###############################################################################
+##  'RA' Data:                                                               ##
+##                                                                           ##
+##  Values in this section are common to PKI RA subsystems, and contain      ##
+##  required information which MAY be overridden by users as necessary.      ##
+###############################################################################
 [RA]
 pki_subsystem=RA
+###############################################################################
+##  'TKS' Data:                                                              ##
+##                                                                           ##
+##  Values in this section are common to TKS subsystems                      ##
+##  including 'PKI TKSs' and 'Cloned TKSs', and contain                      ##
+##  required information which MAY be overridden by users as necessary.      ##
+###############################################################################
 [TKS]
 pki_subsystem=TKS
 pki_war_name=tks.war
+###############################################################################
+##  'TPS' Data:                                                              ##
+##                                                                           ##
+##  Values in this section are common to PKI TPS subsystems, and contain     ##
+##  required information which MAY be overridden by users as necessary.      ##
+###############################################################################
 [TPS]
 pki_subsystem=TPS
diff --git a/base/deploy/config/pkislots.cfg b/base/deploy/config/pkislots.cfg
index b6c40ebe3..ee75154ce 100644
--- a/base/deploy/config/pkislots.cfg
+++ b/base/deploy/config/pkislots.cfg
@@ -70,8 +70,10 @@ PKI_SECURE_PORT_CONNECTOR_NAME_SLOT=[PKI_SECURE_PORT_CONNECTOR_NAME]
 PKI_SECURE_PORT_SERVER_COMMENT_SLOT=[PKI_SECURE_PORT_SERVER_COMMENT]
 PKI_SECURITY_MANAGER_SLOT=[PKI_SECURITY_MANAGER]
 PKI_SERVER_XML_CONF_SLOT=[PKI_SERVER_XML_CONF]
+PKI_SUBSYSTEM_DIR_SLOT=[PKI_SUBSYSTEM_DIR]
 PKI_SUBSYSTEM_TYPE_SLOT=[PKI_SUBSYSTEM_TYPE]
 PKI_SYSTEMD_SERVICENAME_SLOT=[PKI_SYSTEMD_SERVICENAME]
+PKI_TMPDIR_SLOT=[PKI_TMPDIR]
 PKI_UNSECURE_PORT_SLOT=[PKI_UNSECURE_PORT]
 PKI_UNSECURE_PORT_CONNECTOR_NAME_SLOT=[PKI_UNSECURE_PORT_CONNECTOR_NAME]
 PKI_UNSECURE_PORT_SERVER_COMMENT_SLOT=[PKI_UNSECURE_PORT_SERVER_COMMENT]
diff --git a/base/deploy/scripts/pkidaemon b/base/deploy/scripts/pkidaemon
index 7be30c9d3..02b02370f 100755
--- a/base/deploy/scripts/pkidaemon
+++ b/base/deploy/scripts/pkidaemon
@@ -51,6 +51,8 @@ case $command in
         exit $?
         ;;
     stop)
+        echo "An exit status of '143' refers to the 'systemd' method of using"\
+             "'SIGTERM' to shutdown a Java process and can safely be ignored."
         stop
         exit $?
         ;;
diff --git a/base/deploy/src/pkidestroy b/base/deploy/src/pkidestroy
index 6a2db56b8..5faa97cee 100755
--- a/base/deploy/src/pkidestroy
+++ b/base/deploy/src/pkidestroy
@@ -34,6 +34,7 @@ try:
     import socket
     import string
     import struct
+    import subprocess
     import time
     from time import strftime as date
     from pki.deployment import pkiconfig as config
@@ -74,7 +75,18 @@ def main(argv):
     config.pki_architecture = struct.calcsize("P") * 8
 
     # Retrieve hostname
-    config.pki_hostname = socket.gethostname()
+    config.pki_hostname = socket.getfqdn()
+
+    # Retrieve DNS domainname
+    config.pki_dns_domainname = None
+    try:
+        config.pki_dns_domainname = subprocess.check_output("domainname",
+                                                            shell=True)
+        config.pki_dns_domainname = config.pki_dns_domainname.rstrip('\n')
+    except subprocess.CalledProcessError as exc:
+        config.pki_log.error(log.PKI_SUBPROCESS_ERROR_1, exc,
+                             extra=config.PKI_INDENTATION_LEVEL_0)
+        sys.exit(1)
 
     # Initialize 'pretty print' for objects
     pp = pprint.PrettyPrinter(indent=4)
@@ -111,6 +123,15 @@ def main(argv):
                              extra=config.PKI_INDENTATION_LEVEL_0)
         sys.exit(1)
     else:
+        # NEVER print out 'sensitive' name/value pairs!!!
+        config.pki_log.debug(log.PKI_DICTIONARY_MANDATORY,
+                             extra=config.PKI_INDENTATION_LEVEL_0)
+        config.pki_log.debug(pp.pformat(config.pki_mandatory_dict),
+                             extra=config.PKI_INDENTATION_LEVEL_0)
+        config.pki_log.debug(log.PKI_DICTIONARY_OPTIONAL,
+                             extra=config.PKI_INDENTATION_LEVEL_0)
+        config.pki_log.debug(pp.pformat(config.pki_optional_dict),
+                             extra=config.PKI_INDENTATION_LEVEL_0)
         config.pki_log.debug(log.PKI_DICTIONARY_COMMON,
                              extra=config.PKI_INDENTATION_LEVEL_0)
         config.pki_log.debug(pp.pformat(config.pki_common_dict),
@@ -126,7 +147,7 @@ def main(argv):
 
     # Override PKI configuration file values with 'custom' command-line values.
     if not config.custom_pki_admin_domain_name is None:
-        config.pki_common_dict['pki_admin_domain_name'] =\
+        config.pki_optional_dict['pki_admin_domain_name'] =\
             config.custom_pki_admin_domain_name
     if not config.custom_pki_instance_name is None:
         config.pki_web_server_dict['pki_instance_name'] =\
@@ -140,6 +161,15 @@ def main(argv):
     if not config.custom_pki_ajp_port is None:
         config.pki_web_server_dict['pki_ajp_port'] =\
             config.custom_pki_ajp_port
+    # NEVER print out 'sensitive' name/value pairs!!!
+    config.pki_log.debug(log.PKI_DICTIONARY_MANDATORY,
+                         extra=config.PKI_INDENTATION_LEVEL_0)
+    config.pki_log.debug(pp.pformat(config.pki_mandatory_dict),
+                         extra=config.PKI_INDENTATION_LEVEL_0)
+    config.pki_log.debug(log.PKI_DICTIONARY_OPTIONAL,
+                         extra=config.PKI_INDENTATION_LEVEL_0)
+    config.pki_log.debug(pp.pformat(config.pki_optional_dict),
+                         extra=config.PKI_INDENTATION_LEVEL_0)
     config.pki_log.debug(log.PKI_DICTIONARY_COMMON,
                          extra=config.PKI_INDENTATION_LEVEL_0)
     config.pki_log.debug(pp.pformat(config.pki_common_dict),
diff --git a/base/deploy/src/pkispawn b/base/deploy/src/pkispawn
index 66152a334..931b9baf0 100755
--- a/base/deploy/src/pkispawn
+++ b/base/deploy/src/pkispawn
@@ -34,6 +34,7 @@ try:
     import socket
     import string
     import struct
+    import subprocess
     import time
     from time import strftime as date
     from pki.deployment import pkiconfig as config
@@ -74,7 +75,18 @@ def main(argv):
     config.pki_architecture = struct.calcsize("P") * 8
 
     # Retrieve hostname
-    config.pki_hostname = socket.gethostname()
+    config.pki_hostname = socket.getfqdn()
+
+    # Retrieve DNS domainname
+    config.pki_dns_domainname = None
+    try:
+        config.pki_dns_domainname = subprocess.check_output("domainname",
+                                                            shell=True)
+        config.pki_dns_domainname = config.pki_dns_domainname.rstrip('\n')
+    except subprocess.CalledProcessError as exc:
+        config.pki_log.error(log.PKI_SUBPROCESS_ERROR_1, exc,
+                             extra=config.PKI_INDENTATION_LEVEL_0)
+        sys.exit(1)
 
     # Generate random 'pin's for use as security database passwords
     pin_low  = 100000000000
@@ -140,6 +152,15 @@ def main(argv):
                              extra=config.PKI_INDENTATION_LEVEL_0)
         sys.exit(1)
     else:
+        # NEVER print out 'sensitive' name/value pairs!!!
+        config.pki_log.debug(log.PKI_DICTIONARY_MANDATORY,
+                             extra=config.PKI_INDENTATION_LEVEL_0)
+        config.pki_log.debug(pp.pformat(config.pki_mandatory_dict),
+                             extra=config.PKI_INDENTATION_LEVEL_0)
+        config.pki_log.debug(log.PKI_DICTIONARY_OPTIONAL,
+                             extra=config.PKI_INDENTATION_LEVEL_0)
+        config.pki_log.debug(pp.pformat(config.pki_optional_dict),
+                             extra=config.PKI_INDENTATION_LEVEL_0)
         config.pki_log.debug(log.PKI_DICTIONARY_COMMON,
                              extra=config.PKI_INDENTATION_LEVEL_0)
         config.pki_log.debug(pp.pformat(config.pki_common_dict),
@@ -155,7 +176,7 @@ def main(argv):
 
     # Override PKI configuration file values with 'custom' command-line values.
     if not config.custom_pki_admin_domain_name is None:
-        config.pki_common_dict['pki_admin_domain_name'] =\
+        config.pki_optional_dict['pki_admin_domain_name'] =\
             config.custom_pki_admin_domain_name
     if not config.custom_pki_instance_name is None:
         config.pki_web_server_dict['pki_instance_name'] =\
@@ -169,6 +190,15 @@ def main(argv):
     if not config.custom_pki_ajp_port is None:
         config.pki_web_server_dict['pki_ajp_port'] =\
             config.custom_pki_ajp_port
+    # NEVER print out 'sensitive' name/value pairs!!!
+    config.pki_log.debug(log.PKI_DICTIONARY_MANDATORY,
+                         extra=config.PKI_INDENTATION_LEVEL_0)
+    config.pki_log.debug(pp.pformat(config.pki_mandatory_dict),
+                         extra=config.PKI_INDENTATION_LEVEL_0)
+    config.pki_log.debug(log.PKI_DICTIONARY_OPTIONAL,
+                         extra=config.PKI_INDENTATION_LEVEL_0)
+    config.pki_log.debug(pp.pformat(config.pki_optional_dict),
+                         extra=config.PKI_INDENTATION_LEVEL_0)
     config.pki_log.debug(log.PKI_DICTIONARY_COMMON,
                          extra=config.PKI_INDENTATION_LEVEL_0)
     config.pki_log.debug(pp.pformat(config.pki_common_dict),
diff --git a/base/deploy/src/scriptlets/configuration.jy b/base/deploy/src/scriptlets/configuration.jy
index f7366c723..a40e7c645 100644
--- a/base/deploy/src/scriptlets/configuration.jy
+++ b/base/deploy/src/scriptlets/configuration.jy
@@ -9,7 +9,6 @@ import sys
 # PKI Python Imports
 import pkijython as jyutil
 import pkiconfig as config
-from pkiconfig import pki_master_jython_dict as master
 import pkimessages as log
 
 
@@ -18,12 +17,19 @@ from java.lang import System as javasystem
 
 
 def main(argv):
+    rv = 0
+
     # Establish 'master' as the PKI jython dictionary
     master = dict()
 
-    # import the master dictionary from 'pkispawn'
+    # Import the master dictionary from 'pkispawn'
     master = pickle.loads(argv[1])
 
+    # Optionally enable a java debugger (e. g. - 'eclipse'):
+    if config.str2bool(master['pki_enable_java_debugger']):
+        config.wait_to_attach_an_external_java_debugger()
+
+
     # IMPORTANT:  Unfortunately, 'jython 2.2' does NOT support logging!
     #
     #             Until, and unless, 'jython 2.5' or later is used,
@@ -59,11 +65,107 @@ def main(argv):
         master['pki_jython_log_level'])
 
     # Log into token
-    jyutil.security_databases.log_into_token(
-        master['pki_client_database_path'],
-        master['pki_client_password_conf'],
-        master['pki_dry_run_flag'],
-        master['pki_jython_log_level'])
+    token = jyutil.security_databases.log_into_token(
+                master['pki_client_database_path'],
+                master['pki_client_password_conf'],
+                master['pki_dry_run_flag'],
+                master['pki_jython_log_level'])
+
+    # Establish REST Client
+    client = jyutil.rest_client.initialize(
+                 master['pki_jython_base_uri'],
+                 master['pki_dry_run_flag'],
+                 master['pki_jython_log_level'])
+
+    # Construct PKI Subsystem Configuration Data
+    data = None
+    if master['pki_instance_type'] == "Apache":
+        if master['pki_subsystem'] == "RA":
+            print "%s '%s' %s" %\
+                  (log.PKI_JYTHON_INDENTATION_2,
+                   master['pki_subsystem'],
+                   log.PKI_JYTHON_NOT_YET_IMPLEMENTED)
+            return self.rv
+        elif master['pki_subsystem'] == "TPS":
+            print "%s '%s' %s" %\
+                  (log.PKI_JYTHON_INDENTATION_2,
+                   master['pki_subsystem'],
+                   log.PKI_JYTHON_NOT_YET_IMPLEMENTED)
+            return self.rv
+    elif master['pki_instance_type'] == "Tomcat":
+        if master['pki_subsystem'] == "CA":
+            if config.str2bool(master['pki_clone']):
+                print "%s '%s %s' %s" %\
+                      (log.PKI_JYTHON_INDENTATION_2,
+                       log.PKI_JYTHON_CLONED_PKI_SUBSYSTEM,
+                       master['pki_subsystem'],
+                       log.PKI_JYTHON_NOT_YET_IMPLEMENTED)
+                return self.rv
+            elif config.str2bool(master['pki_external']):
+                print "%s '%s %s' %s" %\
+                      (log.PKI_JYTHON_INDENTATION_2,
+                       log.PKI_JYTHON_EXTERNAL_CA,
+                       master['pki_subsystem'],
+                       log.PKI_JYTHON_NOT_YET_IMPLEMENTED)
+                return self.rv
+            elif config.str2bool(master['pki_subordinate']):
+                print "%s '%s %s' %s" %\
+                      (log.PKI_JYTHON_INDENTATION_2,
+                       log.PKI_JYTHON_SUBORDINATE_CA,
+                       master['pki_subsystem'],
+                       log.PKI_JYTHON_NOT_YET_IMPLEMENTED)
+                return self.rv
+            else:
+                data = jyutil.rest_client.construct_pki_configuration_data(
+                           master, token)
+        elif master['pki_subsystem'] == "KRA":
+            if config.str2bool(master['pki_clone']):
+                print "%s '%s %s' %s" %\
+                      (log.PKI_JYTHON_INDENTATION_2,
+                       log.PKI_JYTHON_CLONED_PKI_SUBSYSTEM,
+                       master['pki_subsystem'],
+                       log.PKI_JYTHON_NOT_YET_IMPLEMENTED)
+                return self.rv
+            else:
+                print "%s '%s' %s" %\
+                      (log.PKI_JYTHON_INDENTATION_2,
+                       master['pki_subsystem'],
+                       log.PKI_JYTHON_NOT_YET_IMPLEMENTED)
+                return self.rv
+        elif master['pki_subsystem'] == "OCSP":
+            if config.str2bool(master['pki_clone']):
+                print "%s '%s %s' %s" %\
+                      (log.PKI_JYTHON_INDENTATION_2,
+                       log.PKI_JYTHON_CLONED_PKI_SUBSYSTEM,
+                       master['pki_subsystem'],
+                       log.PKI_JYTHON_NOT_YET_IMPLEMENTED)
+                return self.rv
+            else:
+                print "%s '%s' %s" %\
+                      (log.PKI_JYTHON_INDENTATION_2,
+                       master['pki_subsystem'],
+                       log.PKI_JYTHON_NOT_YET_IMPLEMENTED)
+                return self.rv
+        elif master['pki_subsystem'] == "TKS":
+            if config.str2bool(master['pki_clone']):
+                print "%s '%s %s' %s" %\
+                      (log.PKI_JYTHON_INDENTATION_2,
+                       log.PKI_JYTHON_CLONED_PKI_SUBSYSTEM,
+                       master['pki_subsystem'],
+                       log.PKI_JYTHON_NOT_YET_IMPLEMENTED)
+                return self.rv
+            else:
+                print "%s '%s' %s" %\
+                      (log.PKI_JYTHON_INDENTATION_2,
+                       master['pki_subsystem'],
+                       log.PKI_JYTHON_NOT_YET_IMPLEMENTED)
+                return self.rv
+
+    # Formulate PKI Subsystem Configuration Data Response
+    jyutil.rest_client.configure_pki_data(data,
+                                          master['pki_subsystem'],
+                                          master['pki_dry_run_flag'],
+                                          master['pki_jython_log_level'])
 
 
 if __name__ == "__main__":
diff --git a/base/deploy/src/scriptlets/configuration.py b/base/deploy/src/scriptlets/configuration.py
index f40573940..421e08dc0 100644
--- a/base/deploy/src/scriptlets/configuration.py
+++ b/base/deploy/src/scriptlets/configuration.py
@@ -36,9 +36,13 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
                             extra=config.PKI_INDENTATION_LEVEL_1)
         if not config.pki_dry_run_flag:
             util.directory.create(master['pki_client_path'], uid=0, gid=0)
+            # Since 'certutil' does NOT strip the 'token=' portion of
+            # the 'token=password' entries, create a client password file
+            # which ONLY contains the 'password' for the purposes of
+            # allowing 'certutil' to generate the security databases
             util.password.create_password_conf(
                 master['pki_client_password_conf'],
-                master['pki_client_pin'])
+                master['pki_client_pin'], pin_sans_token=True)
             util.directory.create(master['pki_client_database_path'],
                                   uid=0, gid=0)
             util.certutil.create_security_databases(
@@ -47,19 +51,60 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
                 master['pki_client_key_database'],
                 master['pki_client_secmod_database'],
                 password_file=master['pki_client_password_conf'])
-            util.symlink.create(
-                config.pki_master_dict['pki_systemd_service'],
-                config.pki_master_dict['pki_systemd_service_link'])
+            util.symlink.create(master['pki_systemd_service'],
+                                master['pki_systemd_service_link'])
         else:
+            # Since 'certutil' does NOT strip the 'token=' portion of
+            # the 'token=password' entries, create a client password file
+            # which ONLY contains the 'password' for the purposes of
+            # allowing 'certutil' to generate the security databases
             util.password.create_password_conf(
                 master['pki_client_password_conf'],
-                master['pki_client_pin'])
+                master['pki_client_pin'], pin_sans_token=True)
             util.certutil.create_security_databases(
                 master['pki_client_database_path'],
                 master['pki_client_cert_database'],
                 master['pki_client_key_database'],
                 master['pki_client_secmod_database'],
                 password_file=master['pki_client_password_conf'])
+        # Start/Restart this Apache/Tomcat PKI Process
+        if not config.pki_dry_run_flag:
+            if master['pki_subsystem'] in config.PKI_APACHE_SUBSYSTEMS:
+                apache_instances = util.instance.apache_instances()
+                if apache_instances == 1:
+                    util.systemd.start()
+                elif apache_instances > 1:
+                    util.systemd.restart()
+            elif master['pki_subsystem'] in config.PKI_TOMCAT_SUBSYSTEMS:
+                # Optionally prepare to enable a java debugger
+                # (e. g. - 'eclipse'):
+                if config.str2bool(master['pki_enable_java_debugger']):
+                    config.prepare_for_an_external_java_debugger(
+                        master['pki_target_tomcat_conf_instance_id'])
+                tomcat_instances = util.instance.tomcat_instances()
+                if tomcat_instances == 1:
+                    util.systemd.start()
+                elif tomcat_instances > 1:
+                    util.systemd.restart()
+        else:
+            # ALWAYS display correct information (even during dry_run)
+            if master['pki_subsystem'] in config.PKI_APACHE_SUBSYSTEMS:
+                apache_instances = util.instance.apache_instances()
+                if apache_instances == 0:
+                    util.systemd.start()
+                elif apache_instances > 0:
+                    util.systemd.restart()
+            elif master['pki_subsystem'] in config.PKI_TOMCAT_SUBSYSTEMS:
+                # Optionally prepare to enable a java debugger
+                # (e. g. - 'eclipse'):
+                if config.str2bool(master['pki_enable_java_debugger']):
+                    config.prepare_for_an_external_java_debugger(
+                        master['pki_target_tomcat_conf_instance_id'])
+                tomcat_instances = util.instance.tomcat_instances()
+                if tomcat_instances == 0:
+                    util.systemd.start()
+                elif tomcat_instances > 0:
+                    util.systemd.restart()
         # Pass control to the Java servlet via Jython 2.2 'configuration.jy'
         util.jython.invoke(master['pki_jython_configuration_scriptlet'])
         return self.rv
@@ -67,6 +112,8 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
     def respawn(self):
         config.pki_log.info(log.CONFIGURATION_RESPAWN_1, __name__,
                             extra=config.PKI_INDENTATION_LEVEL_1)
+        # ALWAYS Restart this Apache/Tomcat PKI Process
+        util.systemd.restart()
         return self.rv
 
     def destroy(self):
@@ -76,23 +123,19 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
             if master['pki_subsystem'] in config.PKI_APACHE_SUBSYSTEMS and\
                util.instance.apache_instances() == 1:
                 util.directory.delete(master['pki_client_path'])
-                util.symlink.delete(
-                    config.pki_master_dict['pki_systemd_service_link'])
+                util.symlink.delete(master['pki_systemd_service_link'])
             elif master['pki_subsystem'] in config.PKI_TOMCAT_SUBSYSTEMS and\
                  util.instance.tomcat_instances() == 1:
                 util.directory.delete(master['pki_client_path'])
-                util.symlink.delete(
-                    config.pki_master_dict['pki_systemd_service_link'])
+                util.symlink.delete(master['pki_systemd_service_link'])
         else:
             # ALWAYS display correct information (even during dry_run)
             if master['pki_subsystem'] in config.PKI_APACHE_SUBSYSTEMS and\
                util.instance.apache_instances() == 0:
                 util.directory.delete(master['pki_client_path'])
-                util.symlink.delete(
-                    config.pki_master_dict['pki_systemd_service_link'])
+                util.symlink.delete(master['pki_systemd_service_link'])
             elif master['pki_subsystem'] in config.PKI_TOMCAT_SUBSYSTEMS and\
                  util.instance.tomcat_instances() == 0:
                 util.directory.delete(master['pki_client_path'])
-                util.symlink.delete(
-                    config.pki_master_dict['pki_systemd_service_link'])
+                util.symlink.delete(master['pki_systemd_service_link'])
         return self.rv
diff --git a/base/deploy/src/scriptlets/finalization.py b/base/deploy/src/scriptlets/finalization.py
index 02c5065cb..bceec67e0 100644
--- a/base/deploy/src/scriptlets/finalization.py
+++ b/base/deploy/src/scriptlets/finalization.py
@@ -100,4 +100,20 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
                             extra=config.PKI_INDENTATION_LEVEL_0)
         if not config.pki_dry_run_flag:
             util.file.modify(master['pki_destroy_log'], silent=True)
+        # Start this Apache/Tomcat PKI Process
+        if not config.pki_dry_run_flag:
+            if master['pki_subsystem'] in config.PKI_APACHE_SUBSYSTEMS and\
+               util.instance.apache_instances() >= 1:
+                util.systemd.start()
+            elif master['pki_subsystem'] in config.PKI_TOMCAT_SUBSYSTEMS and\
+                 util.instance.tomcat_instances() >= 1:
+                util.systemd.start()
+        else:
+            # ALWAYS display correct information (even during dry_run)
+            if master['pki_subsystem'] in config.PKI_APACHE_SUBSYSTEMS and\
+               util.instance.apache_instances() >= 0:
+                util.systemd.start()
+            elif master['pki_subsystem'] in config.PKI_TOMCAT_SUBSYSTEMS and\
+                 util.instance.tomcat_instances() >= 0:
+                util.systemd.start()
         return self.rv
diff --git a/base/deploy/src/scriptlets/initialization.py b/base/deploy/src/scriptlets/initialization.py
index 3077737c8..1ff8522ed 100644
--- a/base/deploy/src/scriptlets/initialization.py
+++ b/base/deploy/src/scriptlets/initialization.py
@@ -41,9 +41,14 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
         # verify that this type of "subsystem" does NOT yet
         # exist for this "instance"
         util.instance.verify_subsystem_does_not_exist()
+        # initialize 'uid' and 'gid'
+        util.identity.add_uid_and_gid(master['pki_user'], master['pki_group'])
         # establish 'uid' and 'gid'
         util.identity.set_uid(master['pki_user'])
         util.identity.set_gid(master['pki_group'])
+        # verify existence of MANDATORY configuration file data
+        util.configuration_file.verify_sensitive_data()
+        util.configuration_file.verify_mutually_exclusive_data()
         return self.rv
 
     def respawn(self):
@@ -74,4 +79,6 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
         # establish 'uid' and 'gid'
         util.identity.set_uid(master['pki_user'])
         util.identity.set_gid(master['pki_group'])
+        # ALWAYS Stop this Apache/Tomcat PKI Process
+        util.systemd.stop()
         return self.rv
diff --git a/base/deploy/src/scriptlets/instance_layout.py b/base/deploy/src/scriptlets/instance_layout.py
index 8a645f029..2fd7165d1 100644
--- a/base/deploy/src/scriptlets/instance_layout.py
+++ b/base/deploy/src/scriptlets/instance_layout.py
@@ -48,30 +48,90 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
             # establish Tomcat instance base
             util.directory.create(master['pki_tomcat_common_path'])
             util.directory.create(master['pki_tomcat_common_lib_path'])
+            util.directory.create(master['pki_tomcat_tmpdir_path'])
             util.directory.create(master['pki_tomcat_webapps_path'])
             util.directory.create(master['pki_tomcat_webapps_root_path'])
             util.directory.create(master['pki_tomcat_webapps_root_webinf_path'])
             util.file.copy(master['pki_source_webapps_root_web_xml'],
                            master['pki_tomcat_webapps_root_webinf_web_xml'],
                            overwrite_flag=True)
-            util.directory.create(master['pki_tomcat_webapps_webinf_path'])
+            util.directory.create(master['pki_tomcat_work_path'])
+            util.directory.create(master['pki_tomcat_work_catalina_path'])
+            util.directory.create(master['pki_tomcat_work_catalina_host_path'])
             util.directory.create(
-                master['pki_tomcat_webapps_webinf_classes_path'])
-            util.directory.create(master['pki_tomcat_webapps_webinf_lib_path'])
+                master['pki_tomcat_work_catalina_host_run_path'])
+            util.directory.create(
+                master['pki_tomcat_work_catalina_host_subsystem_path'])
             # establish Tomcat instance logs
             # establish Tomcat instance configuration
             util.directory.copy(master['pki_source_shared_path'],
                                 master['pki_instance_configuration_path'],
                                 overwrite_flag=True)
             # establish Tomcat instance registry
-            # establish Tomcat instance convenience
-            # symbolic links
+            # establish Tomcat instance convenience symbolic links
             util.symlink.create(master['pki_tomcat_bin_path'],
                                 master['pki_tomcat_bin_link'])
             util.symlink.create(master['pki_tomcat_lib_path'],
                                 master['pki_tomcat_lib_link'])
+            util.symlink.create(master['pki_instance_log4j_properties'],
+                                master['pki_tomcat_lib_log4j_properties_link'],
+                                uid=0, gid=0)
             util.symlink.create(master['pki_tomcat_systemd'],
-                                master['pki_instance_systemd_link'])
+                                master['pki_instance_systemd_link'],
+                                uid=0, gid=0)
+            # establish Tomcat instance common lib jar symbolic links
+            util.symlink.create(master['pki_apache_commons_collections_jar'],
+                master['pki_apache_commons_collections_jar_link'])
+            util.symlink.create(master['pki_apache_commons_lang_jar'],
+                master['pki_apache_commons_lang_jar_link'])
+            util.symlink.create(master['pki_apache_commons_logging_jar'],
+                master['pki_apache_commons_logging_jar_link'])
+            util.symlink.create(master['pki_commons_codec_jar'],
+                master['pki_commons_codec_jar_link'])
+            util.symlink.create(master['pki_httpclient_jar'],
+                master['pki_httpclient_jar_link'])
+            util.symlink.create(master['pki_javassist_jar'],
+                master['pki_javassist_jar_link'])
+            util.symlink.create(master['pki_resteasy_jaxrs_api_jar'],
+                master['pki_resteasy_jaxrs_api_jar_link'])
+            util.symlink.create(master['pki_jettison_jar'],
+                master['pki_jettison_jar_link'])
+            util.symlink.create(master['pki_jss_jar'],
+                master['pki_jss_jar_link'])
+            util.symlink.create(master['pki_ldapjdk_jar'],
+                master['pki_ldapjdk_jar_link'])
+            util.symlink.create(master['pki_certsrv_jar'],
+                master['pki_certsrv_jar_link'])
+            util.symlink.create(master['pki_cmsbundle'],
+                master['pki_cmsbundle_jar_link'])
+            util.symlink.create(master['pki_cmscore'],
+                master['pki_cmscore_jar_link'])
+            util.symlink.create(master['pki_cms'],
+                master['pki_cms_jar_link'])
+            util.symlink.create(master['pki_cmsutil'],
+                master['pki_cmsutil_jar_link'])
+            util.symlink.create(master['pki_nsutil'],
+                master['pki_nsutil_jar_link'])
+            util.symlink.create(master['pki_resteasy_jaxb_provider_jar'],
+                master['pki_resteasy_jaxb_provider_jar_link'])
+            util.symlink.create(master['pki_resteasy_jaxrs_jar'],
+                master['pki_resteasy_jaxrs_jar_link'])
+            util.symlink.create(master['pki_resteasy_jettison_provider_jar'],
+                master['pki_resteasy_jettison_provider_jar_link'])
+            util.symlink.create(master['pki_scannotation_jar'],
+                master['pki_scannotation_jar_link'])
+            util.symlink.create(master['pki_symkey_jar'],
+                master['pki_symkey_jar_link'])
+            util.symlink.create(master['pki_tomcatjss_jar'],
+                master['pki_tomcatjss_jar_link'])
+            util.symlink.create(master['pki_velocity_jar'],
+                master['pki_velocity_jar_link'])
+            util.symlink.create(master['pki_xerces_j2_jar'],
+                master['pki_xerces_j2_jar_link'])
+            util.symlink.create(master['pki_xml_commons_apis_jar'],
+                master['pki_xml_commons_apis_jar_link'])
+            util.symlink.create(master['pki_xml_commons_resolver_jar'],
+                master['pki_xml_commons_resolver_jar_link'])
         # establish shared NSS security databases for this instance
         util.directory.create(master['pki_database_path'])
         # establish instance convenience symbolic links
@@ -106,16 +166,53 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
             util.file.copy(master['pki_source_webapps_root_web_xml'],
                            master['pki_tomcat_webapps_root_webinf_web_xml'],
                            overwrite_flag=True)
-            util.directory.modify(master['pki_tomcat_webapps_webinf_path'])
+            util.directory.modify(master['pki_tomcat_work_path'])
+            util.directory.modify(master['pki_tomcat_work_catalina_path'])
+            util.directory.modify(master['pki_tomcat_work_catalina_host_path'])
+            util.directory.modify(
+                master['pki_tomcat_work_catalina_host_run_path'])
             util.directory.modify(
-                master['pki_tomcat_webapps_webinf_classes_path'])
-            util.directory.modify(master['pki_tomcat_webapps_webinf_lib_path'])
+                master['pki_tomcat_work_catalina_host_subsystem_path'])
             # update Tomcat instance logs
             # update Tomcat instance configuration
             # update Tomcat instance registry
             # update Tomcat instance convenience symbolic links
             util.symlink.modify(master['pki_tomcat_bin_link'])
             util.symlink.modify(master['pki_tomcat_lib_link'])
+            util.symlink.modify(master['pki_tomcat_lib_log4j_properties_link'],
+                                uid=0, gid=0)
+            util.symlink.modify(master['pki_instance_systemd_link'],
+                                uid=0, gid=0)
+            # update Tomcat instance common lib jar symbolic links
+
+            util.symlink.modify(
+                master['pki_apache_commons_collections_jar_link'])
+            util.symlink.modify(master['pki_apache_commons_lang_jar_link'])
+            util.symlink.modify(master['pki_apache_commons_logging_jar_link'])
+            util.symlink.modify(master['pki_commons_codec_jar_link'])
+            util.symlink.modify(master['pki_httpclient_jar_link'])
+            util.symlink.modify(master['pki_javassist_jar_link'])
+            util.symlink.modify(master['pki_resteasy_jaxrs_api_jar_link'])
+            util.symlink.modify(master['pki_jettison_jar_link'])
+            util.symlink.modify(master['pki_jss_jar_link'])
+            util.symlink.modify(master['pki_ldapjdk_jar_link'])
+            util.symlink.modify(master['pki_certsrv_jar_link'])
+            util.symlink.modify(master['pki_cmsbundle_jar_link'])
+            util.symlink.modify(master['pki_cmscore_jar_link'])
+            util.symlink.modify(master['pki_cms_jar_link'])
+            util.symlink.modify(master['pki_cmsutil_jar_link'])
+            util.symlink.modify(master['pki_nsutil_jar_link'])
+            util.symlink.modify(master['pki_resteasy_jaxb_provider_jar_link'])
+            util.symlink.modify(master['pki_resteasy_jaxrs_jar_link'])
+            util.symlink.modify(
+                master['pki_resteasy_jettison_provider_jar_link'])
+            util.symlink.modify(master['pki_scannotation_jar_link'])
+            util.symlink.modify(master['pki_symkey_jar_link'])
+            util.symlink.modify(master['pki_tomcatjss_jar_link'])
+            util.symlink.modify(master['pki_velocity_jar_link'])
+            util.symlink.modify(master['pki_xerces_j2_jar_link'])
+            util.symlink.modify(master['pki_xml_commons_apis_jar_link'])
+            util.symlink.modify(master['pki_xml_commons_resolver_jar_link'])
         # update shared NSS security databases for this instance
         util.directory.modify(master['pki_database_path'])
         # update instance convenience symbolic links
@@ -150,6 +247,8 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
                 # remove shared NSS security database path for this instance
                 util.directory.delete(master['pki_database_path'])
                 # remove Tomcat instance configuration
+                util.symlink.delete(
+                    master['pki_tomcat_lib_log4j_properties_link'])
                 util.directory.delete(master['pki_instance_configuration_path'])
                 # remove Tomcat instance registry
                 util.directory.delete(master['pki_instance_type_registry_path'])
@@ -174,6 +273,8 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
                 # remove shared NSS security database path for this instance
                 util.directory.delete(master['pki_database_path'])
                 # remove Tomcat instance configuration
+                util.symlink.delete(
+                    master['pki_tomcat_lib_log4j_properties_link'])
                 util.directory.delete(master['pki_instance_configuration_path'])
                 # remove Tomcat instance registry
                 util.directory.delete(master['pki_instance_type_registry_path'])
diff --git a/base/deploy/src/scriptlets/pkiconfig.py b/base/deploy/src/scriptlets/pkiconfig.py
index 2acd37d36..07537d7aa 100644
--- a/base/deploy/src/scriptlets/pkiconfig.py
+++ b/base/deploy/src/scriptlets/pkiconfig.py
@@ -28,6 +28,13 @@ PKI_DEPLOYMENT_DEFAULT_SGID_DIR_PERMISSIONS = 02770
 PKI_DEPLOYMENT_DEFAULT_SYMLINK_PERMISSIONS = 00777
 PKI_DEPLOYMENT_DEFAULT_UMASK = 00002
 
+PKI_DEPLOYMENT_DEFAULT_COMMENT = "'Certificate System'"
+PKI_DEPLOYMENT_DEFAULT_GID = 17
+PKI_DEPLOYMENT_DEFAULT_GROUP = "pkiuser"
+PKI_DEPLOYMENT_DEFAULT_SHELL = "/sbin/nologin"
+PKI_DEPLOYMENT_DEFAULT_UID = 17
+PKI_DEPLOYMENT_DEFAULT_USER = "pkiuser"
+
 PKI_SUBSYSTEMS = ["CA","KRA","OCSP","RA","TKS","TPS"]
 PKI_SIGNED_AUDIT_SUBSYSTEMS = ["CA","KRA","OCSP","TKS","TPS"]
 PKI_APACHE_SUBSYSTEMS = ["RA","TPS"]
@@ -39,6 +46,12 @@ PKI_INDENTATION_LEVEL_2 = {'indent' : '....... '}
 PKI_INDENTATION_LEVEL_3 = {'indent' : '........... '}
 PKI_INDENTATION_LEVEL_4 = {'indent' : '............... '}
 
+PKI_DEPLOYMENT_INTERRUPT_BANNER = "-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+"\
+                                  "-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-"
+PKI_DEPLOYMENT_JAR_SOURCE_ROOT = "/usr/share/java"
+PKI_DEPLOYMENT_HTTPCOMPONENTS_JAR_SOURCE_ROOT = "/usr/share/java/httpcomponents"
+PKI_DEPLOYMENT_PKI_JAR_SOURCE_ROOT = "/usr/share/java/pki"
+PKI_DEPLOYMENT_RESTEASY_JAR_SOURCE_ROOT = "/usr/share/java/resteasy"
 PKI_DEPLOYMENT_SOURCE_ROOT = "/usr/share/pki"
 PKI_DEPLOYMENT_SYSTEMD_ROOT = "/lib/systemd/system"
 PKI_DEPLOYMENT_SYSTEMD_CONFIGURATION_ROOT = "/etc/systemd/system"
@@ -101,6 +114,48 @@ custom_pki_https_port = None
 custom_pki_ajp_port = None
 
 
+# PKI Deployment Helper Functions
+def str2bool(string):
+    return string.lower() in ("yes", "true", "t", "1")
+
+# NOTE:  To utilize the 'preparations_for_an_external_java_debugger(master)'
+#        and 'wait_to_attach_an_external_java_debugger(master)' functions,
+#        change 'pki_enable_java_debugger=False' to
+#        'pki_enable_java_debugger=True' in the appropriate
+#        'pkideployment.cfg' configuration file.
+def prepare_for_an_external_java_debugger(instance):
+    print
+    print PKI_DEPLOYMENT_INTERRUPT_BANNER
+    print
+    print "The following 'JAVA_OPTS' MUST be enabled (uncommented) in"
+    print "'%s':" % instance
+    print
+    print "    JAVA_OPTS=\"-Xdebug -Xrunjdwp:transport=dt_socket,\""
+    print "              \"address=8000,server=y,suspend\""
+    print
+    raw_input("Enable external java debugger 'JAVA_OPTS' "\
+              "and press return to continue  . . . ")
+    print
+    print PKI_DEPLOYMENT_INTERRUPT_BANNER
+    print
+    return
+
+def wait_to_attach_an_external_java_debugger():
+    print
+    print PKI_DEPLOYMENT_INTERRUPT_BANNER
+    print
+    print "Attach the java debugger to this process on the port specified by"
+    print "the 'address' selected by 'JAVA_OPTS' (e. g. - port 8000) and"
+    print "set any desired breakpoints"
+    print
+    raw_input("Please attach an external java debugger "\
+              "and press return to continue  . . . ")
+    print
+    print PKI_DEPLOYMENT_INTERRUPT_BANNER
+    print
+    return
+
+
 # PKI Deployment Logger Variables
 pki_jython_log_level = None
 pki_log = None
@@ -111,6 +166,9 @@ pki_console_log_level = None
 
 
 # PKI Deployment Global Dictionaries
+pki_sensitive_dict = None
+pki_mandatory_dict = None
+pki_optional_dict = None
 pki_common_dict = None
 pki_web_server_dict = None
 pki_subsystem_dict = None
diff --git a/base/deploy/src/scriptlets/pkihelper.py b/base/deploy/src/scriptlets/pkihelper.py
index b88eafe72..7b77bcee5 100644
--- a/base/deploy/src/scriptlets/pkihelper.py
+++ b/base/deploy/src/scriptlets/pkihelper.py
@@ -30,14 +30,17 @@ import random
 import shutil
 import string
 import subprocess
+from grp import getgrgid
 from grp import getgrnam
 from pwd import getpwnam
+from pwd import getpwuid
 import zipfile
 
 
 # PKI Deployment Imports
 import pkiconfig as config
 from pkiconfig import pki_master_dict as master
+from pkiconfig import pki_sensitive_dict as sensitive
 from pkiconfig import pki_slots_dict as slots
 import pkimanifest as manifest
 import pkimessages as log
@@ -117,6 +120,136 @@ def pki_copytree(src, dst, symlinks=False, ignore=None):
 
 # PKI Deployment Identity Class
 class identity:
+    def __add_gid(self, pki_group):
+        pki_gid = None
+        try:
+            # Does the specified 'pki_group' exist?
+            pki_gid = getgrnam(pki_group)[2]
+            # Yes, group 'pki_group' exists!
+            config.pki_log.info(log.PKIHELPER_GROUP_ADD_2, pki_group, pki_gid,
+                                extra=config.PKI_INDENTATION_LEVEL_2)
+        except KeyError as exc:
+            # No, group 'pki_group' does not exist!
+            config.pki_log.debug(log.PKIHELPER_GROUP_ADD_KEYERROR_1, exc,
+                                 extra=config.PKI_INDENTATION_LEVEL_2)
+            try:
+                # Is the default well-known GID already defined?
+                group = getgrgid(config.PKI_DEPLOYMENT_DEFAULT_GID)[0]
+                # Yes, the default well-known GID exists!
+                config.pki_log.info(log.PKIHELPER_GROUP_ADD_DEFAULT_2,
+                                    group, config.PKI_DEPLOYMENT_DEFAULT_GID,
+                                    extra=config.PKI_INDENTATION_LEVEL_2)
+                # Attempt to create 'pki_group' using a random GID.
+                command = "/usr/sbin/groupadd" + " " +\
+                          pki_group + " " +\
+                          "> /dev/null 2>&1"
+            except KeyError as exc:
+                # No, the default well-known GID does not exist!
+                config.pki_log.debug(log.PKIHELPER_GROUP_ADD_GID_KEYERROR_1,
+                                     exc, extra=config.PKI_INDENTATION_LEVEL_2)
+                # Is the specified 'pki_group' the default well-known group?
+                if pki_group == config.PKI_DEPLOYMENT_DEFAULT_GROUP:
+                    # Yes, attempt to create the default well-known group
+                    # using the default well-known GID.
+                    command = "/usr/sbin/groupadd" + " " +\
+                              "-g" + " " +\
+                              str(config.PKI_DEPLOYMENT_DEFAULT_GID) + " " +\
+                              "-r" + " " +\
+                              pki_group + " " +\
+                              "> /dev/null 2>&1"
+                else:
+                    # No, attempt to create 'pki_group' using a random GID.
+                    command = "/usr/sbin/groupadd" + " " +\
+                              pki_group + " " +\
+                              "> /dev/null 2>&1"
+            # Execute this "groupadd" command.
+            subprocess.call(command, shell=True)
+        except subprocess.CalledProcessError as exc:
+            config.pki_log.error(log.PKI_SUBPROCESS_ERROR_1, exc,
+                                 extra=config.PKI_INDENTATION_LEVEL_2)
+            sys.exit(1)
+        return
+
+    def __add_uid(self, pki_user, pki_group):
+        pki_uid = None
+        try:
+            # Does the specified 'pki_user' exist?
+            pki_uid = getpwnam(pki_user)[2]
+            # Yes, user 'pki_user' exists!
+            config.pki_log.info(log.PKIHELPER_USER_ADD_2, pki_user, pki_uid,
+                                extra=config.PKI_INDENTATION_LEVEL_2)
+            # NOTE:  For now, never check validity of specified 'pki_group'!
+        except KeyError as exc:
+            # No, user 'pki_user' does not exist!
+            config.pki_log.debug(log.PKIHELPER_USER_ADD_KEYERROR_1, exc,
+                                 extra=config.PKI_INDENTATION_LEVEL_2)
+            try:
+                # Is the default well-known UID already defined?
+                user = getpwuid(config.PKI_DEPLOYMENT_DEFAULT_UID)[0]
+                # Yes, the default well-known UID exists!
+                config.pki_log.info(log.PKIHELPER_USER_ADD_DEFAULT_2,
+                                    user, config.PKI_DEPLOYMENT_DEFAULT_UID,
+                                    extra=config.PKI_INDENTATION_LEVEL_2)
+                # Attempt to create 'pki_user' using a random UID.
+                command = "/usr/sbin/useradd" + " " +\
+                          "-g" + " " +\
+                          pki_group + " " +\
+                          "-d" + " " +\
+                          config.PKI_DEPLOYMENT_SOURCE_ROOT + " " +\
+                          "-s" + " " +\
+                          config.PKI_DEPLOYMENT_DEFAULT_SHELL + " " +\
+                          "-c" + " " +\
+                          config.PKI_DEPLOYMENT_DEFAULT_COMMENT + " " +\
+                          pki_user + " " +\
+                          "> /dev/null 2>&1"
+            except KeyError as exc:
+                # No, the default well-known UID does not exist!
+                config.pki_log.debug(log.PKIHELPER_USER_ADD_UID_KEYERROR_1,
+                                     exc, extra=config.PKI_INDENTATION_LEVEL_2)
+                # Is the specified 'pki_user' the default well-known user?
+                if pki_user == config.PKI_DEPLOYMENT_DEFAULT_USER:
+                    # Yes, attempt to create the default well-known user
+                    # using the default well-known UID.
+                    command = "/usr/sbin/useradd" + " " +\
+                              "-g" + " " +\
+                              pki_group + " " +\
+                              "-d" + " " +\
+                              config.PKI_DEPLOYMENT_SOURCE_ROOT + " " +\
+                              "-s" + " " +\
+                              config.PKI_DEPLOYMENT_DEFAULT_SHELL + " " +\
+                              "-c" + " " +\
+                              config.PKI_DEPLOYMENT_DEFAULT_COMMENT + " " +\
+                              "-u" + " " +\
+                              str(config.PKI_DEPLOYMENT_DEFAULT_UID) + " " +\
+                              "-r" + " " +\
+                              pki_user + " " +\
+                              "> /dev/null 2>&1"
+                else:
+                    # No, attempt to create 'pki_user' using a random UID.
+                    command = "/usr/sbin/useradd" + " " +\
+                              "-g" + " " +\
+                              pki_group + " " +\
+                              "-d" + " " +\
+                              config.PKI_DEPLOYMENT_SOURCE_ROOT + " " +\
+                              "-s" + " " +\
+                              config.PKI_DEPLOYMENT_DEFAULT_SHELL + " " +\
+                              "-c" + " " +\
+                              config.PKI_DEPLOYMENT_DEFAULT_COMMENT + " " +\
+                              pki_user + " " +\
+                              "> /dev/null 2>&1"
+            # Execute this "useradd" command.
+            subprocess.call(command, shell=True)
+        except subprocess.CalledProcessError as exc:
+            config.pki_log.error(log.PKI_SUBPROCESS_ERROR_1, exc,
+                                 extra=config.PKI_INDENTATION_LEVEL_2)
+            sys.exit(1)
+        return
+
+    def add_uid_and_gid(self, pki_user, pki_group):
+        self.__add_gid(pki_group)
+        self.__add_uid(pki_user, pki_group)
+        return
+
     def get_uid(self, critical_failure=True):
         try:
             pki_uid = master['pki_uid']
@@ -170,18 +303,140 @@ class identity:
         return pki_gid
 
 
+# PKI Deployment Configuration File Class
+class configuration_file:
+    def verify_sensitive_data(self):
+        # Silently verify the existence of 'sensitive' data
+        if master['pki_subsystem'] in config.PKI_TOMCAT_SUBSYSTEMS:
+            # Verify existence of Directory Server Password (ALWAYS)
+            if not sensitive.has_key('pki_ds_password') or\
+               not len(sensitive['pki_ds_password']):
+                config.pki_log.error(
+                    log.PKIHELPER_UNDEFINED_DS_PASSWORD_1,
+                    config.pkideployment_cfg,
+                    extra=config.PKI_INDENTATION_LEVEL_2)
+                sys.exit(1)
+            # Verify existence of Admin Password (except for Clones)
+            if not config.str2bool(master['pki_clone']):
+                if not sensitive.has_key('pki_admin_password') or\
+                   not len(sensitive['pki_admin_password']):
+                    config.pki_log.error(
+                        log.PKIHELPER_UNDEFINED_ADMIN_PASSWORD_1,
+                        config.pkideployment_cfg,
+                        extra=config.PKI_INDENTATION_LEVEL_2)
+                    sys.exit(1)
+            # If required, verify existence of Backup Password
+            # (except for Clones)
+            if config.str2bool(master['pki_backup_keys']):
+                if not config.str2bool(master['pki_clone']):
+                    if not sensitive.has_key('pki_backup_password') or\
+                       not len(sensitive['pki_backup_password']):
+                        config.pki_log.error(
+                            log.PKIHELPER_UNDEFINED_BACKUP_PASSWORD_1,
+                            config.pkideployment_cfg,
+                            extra=config.PKI_INDENTATION_LEVEL_2)
+                        sys.exit(1)
+            # Verify existence of PKCS #12 Password (ONLY for Clones)
+            if config.str2bool(master['pki_clone']):
+                if not sensitive.has_key('pki_pkcs12_password') or\
+                   not len(sensitive['pki_pkcs12_password']):
+                    config.pki_log.error(
+                        log.PKIHELPER_UNDEFINED_PKCS12_PASSWORD_1,
+                        config.pkideployment_cfg,
+                        extra=config.PKI_INDENTATION_LEVEL_2)
+                    sys.exit(1)
+            # Verify existence of Security Domain Password File
+            # (ONLY for Clones, Subordinate CA, KRA, OCSP, RA, TKS, or TPS)
+            if config.str2bool(master['pki_clone']) or\
+               config.str2bool(master['pki_subordinate']) or\
+               master['pki_subsystem'] == "KRA" or\
+               master['pki_subsystem'] == "OCSP" or\
+               master['pki_subsystem'] == "RA" or\
+               master['pki_subsystem'] == "TKS" or\
+               master['pki_subsystem'] == "TPS":
+                if not sensitive.has_key('pki_security_domain_password') or\
+                   not len(sensitive['pki_security_domain_password']):
+                    config.pki_log.error(
+                        log.PKIHELPER_UNDEFINED_SECURITY_DOMAIN_PASSWORD_1,
+                        config.pkideployment_cfg,
+                        extra=config.PKI_INDENTATION_LEVEL_2)
+                    sys.exit(1)
+        return
+
+    def verify_mutually_exclusive_data(self):
+        # Silently verify the existence of 'mutually exclusive' data
+        if master['pki_subsystem'] in config.PKI_TOMCAT_SUBSYSTEMS:
+            if master['pki_subsystem'] == "CA":
+                if config.str2bool(master['pki_clone']) and\
+                   config.str2bool(master['pki_external']) and\
+                   config.str2bool(master['pki_subordinate']):
+                    config.pki_log.error(
+                        log.PKIHELPER_MUTUALLY_EXCLUSIVE_CLONE_EXTERNAL_SUB_CA,
+                        config.pkideployment_cfg,
+                        extra=config.PKI_INDENTATION_LEVEL_2)
+                    sys.exit(1)
+                elif config.str2bool(master['pki_clone']) and\
+                     config.str2bool(master['pki_external']):
+                    config.pki_log.error(
+                        log.PKIHELPER_MUTUALLY_EXCLUSIVE_CLONE_EXTERNAL_CA,
+                        config.pkideployment_cfg,
+                        extra=config.PKI_INDENTATION_LEVEL_2)
+                    sys.exit(1)
+                elif config.str2bool(master['pki_clone']) and\
+                     config.str2bool(master['pki_subordinate']):
+                    config.pki_log.error(
+                        log.PKIHELPER_MUTUALLY_EXCLUSIVE_CLONE_SUB_CA,
+                        config.pkideployment_cfg,
+                        extra=config.PKI_INDENTATION_LEVEL_2)
+                    sys.exit(1)
+                elif config.str2bool(master['pki_external']) and\
+                     config.str2bool(master['pki_subordinate']):
+                    config.pki_log.error(
+                        log.PKIHELPER_MUTUALLY_EXCLUSIVE_EXTERNAL_SUB_CA,
+                        config.pkideployment_cfg,
+                        extra=config.PKI_INDENTATION_LEVEL_2)
+                    sys.exit(1)
+
+
+# PKI Deployment XML File Class
+#class xml_file:
+#    def remove_filter_section_from_web_xml(self,
+#                                           web_xml_source,
+#                                           web_xml_target):
+#        config.pki_log.info(log.PKIHELPER_REMOVE_FILTER_SECTION_1,
+#            master['pki_target_subsystem_web_xml'],
+#            extra=config.PKI_INDENTATION_LEVEL_2)
+#        if not config.pki_dry_run_flag:
+#            begin_filters_section = False
+#            begin_servlet_section = False
+#            FILE = open(web_xml_target, "w")
+#            for line in fileinput.FileInput(web_xml_source):
+#                if not begin_filters_section:
+#                    # Read and write lines until first "<filter>" tag
+#                    if line.count("<filter>") >= 1:
+#                        # Mark filters section
+#                        begin_filters_section = True
+#                    else:
+#                        FILE.write(line)
+#                elif not begin_servlet_section:
+#                    # Skip lines until first "<servlet>" tag
+#                    if line.count("<servlet>") >= 1:
+#                        # Mark servlets section and write out the opening tag
+#                        begin_servlet_section = True
+#                        FILE.write(line)
+#                    else:
+#                        continue
+#                else:
+#                    # Read and write lines all lines after "<servlet>" tag
+#                    FILE.write(line)
+#            FILE.close()
+
+
 # PKI Deployment Instance Class
 class instance:
     def apache_instances(self):
         rv = 0
         try:
-            if not os.path.exists(master['pki_instance_path']) or\
-               not os.path.isdir(master['pki_instance_path']):
-                config.pki_log.error(
-                    log.PKI_DIRECTORY_MISSING_OR_NOT_A_DIRECTORY_1,
-                    master['pki_instance_path'],
-                    extra=config.PKI_INDENTATION_LEVEL_2)
-                sys.exit(1)
             # count number of PKI subsystems present
             # within the specified Apache instance
             for subsystem in config.PKI_APACHE_SUBSYSTEMS:
@@ -206,13 +461,6 @@ class instance:
     def pki_subsystem_instances(self):
         rv = 0
         try:
-            if not os.path.exists(master['pki_path']) or\
-               not os.path.isdir(master['pki_path']):
-                config.pki_log.error(
-                    log.PKI_DIRECTORY_MISSING_OR_NOT_A_DIRECTORY_1,
-                    master['pki_path'],
-                    extra=config.PKI_INDENTATION_LEVEL_2)
-                sys.exit(1)
             # Since ALL directories within the top-level PKI infrastructure
             # SHOULD represent PKI instances, look for all possible
             # PKI instances within the top-level PKI infrastructure
@@ -247,13 +495,6 @@ class instance:
     def tomcat_instances(self):
         rv = 0
         try:
-            if not os.path.exists(master['pki_instance_path']) or\
-               not os.path.isdir(master['pki_instance_path']):
-                config.pki_log.error(
-                    log.PKI_DIRECTORY_MISSING_OR_NOT_A_DIRECTORY_1,
-                    master['pki_instance_path'],
-                    extra=config.PKI_INDENTATION_LEVEL_2)
-                sys.exit(1)
             # count number of PKI subsystems present
             # within the specified Tomcat instance
             for subsystem in config.PKI_TOMCAT_SUBSYSTEMS:
@@ -1295,8 +1536,8 @@ class war:
 
 # PKI Deployment Password Class
 class password:
-    def create_password_conf(self, path, pin, overwrite_flag=False,
-                             critical_failure=True):
+    def create_password_conf(self, path, pin, pin_sans_token=False,
+                             overwrite_flag=False, critical_failure=True):
         try:
             if not config.pki_dry_run_flag:
                 if os.path.exists(path):
@@ -1306,7 +1547,9 @@ class password:
                             extra=config.PKI_INDENTATION_LEVEL_2)
                         # overwrite the existing 'password.conf' file
                         with open(path, "wt") as fd:
-                            if master['pki_subsystem'] in\
+                            if pin_sans_token == True:
+                                fd.write(str(pin))
+                            elif master['pki_subsystem'] in\
                                config.PKI_APACHE_SUBSYSTEMS:
                                 fd.write(master['pki_self_signed_token'] +\
                                          ":" + str(pin))
@@ -1319,7 +1562,9 @@ class password:
                                         extra=config.PKI_INDENTATION_LEVEL_2)
                     # create a new 'password.conf' file
                     with open(path, "wt") as fd:
-                        if master['pki_subsystem'] in\
+                        if pin_sans_token == True:
+                            fd.write(str(pin))
+                        elif master['pki_subsystem'] in\
                            config.PKI_APACHE_SUBSYSTEMS:
                             fd.write(master['pki_self_signed_token'] +\
                                      ":" + str(pin))
@@ -1642,6 +1887,90 @@ class certutil:
         return
 
 
+# PKI Deployment 'systemd' Execution Management Class
+class systemd:
+    def start(self, critical_failure=True):
+        try:
+            # Compose this "systemd" execution management command
+            if master['pki_subsystem'] in config.PKI_APACHE_SUBSYSTEMS:
+                command = "systemctl" + " " +\
+                          "start" + " " +\
+                          "pki-apached" + "@" +\
+                          master['pki_instance_id'] + "." + "service"
+            elif master['pki_subsystem'] in config.PKI_TOMCAT_SUBSYSTEMS:
+                command = "systemctl" + " " +\
+                          "start" + " " +\
+                          "pki-tomcatd" + "@" +\
+                          master['pki_instance_id'] + "." + "service"
+            # Display this "systemd" execution managment command
+            config.pki_log.info(
+                log.PKIHELPER_SYSTEMD_COMMAND_1, command,
+                extra=config.PKI_INDENTATION_LEVEL_2)
+            if not config.pki_dry_run_flag:
+                # Execute this "systemd" execution management command
+                subprocess.call(command, shell=True)
+        except subprocess.CalledProcessError as exc:
+            config.pki_log.error(log.PKI_SUBPROCESS_ERROR_1, exc,
+                                 extra=config.PKI_INDENTATION_LEVEL_2)
+            if critical_failure == True:
+                sys.exit(1)
+        return
+
+    def stop(self, critical_failure=True):
+        try:
+            # Compose this "systemd" execution management command
+            if master['pki_subsystem'] in config.PKI_APACHE_SUBSYSTEMS:
+                command = "systemctl" + " " +\
+                          "stop" + " " +\
+                          "pki-apached" + "@" +\
+                          master['pki_instance_id'] + "." + "service"
+            elif master['pki_subsystem'] in config.PKI_TOMCAT_SUBSYSTEMS:
+                command = "systemctl" + " " +\
+                          "stop" + " " +\
+                          "pki-tomcatd" + "@" +\
+                          master['pki_instance_id'] + "." + "service"
+            # Display this "systemd" execution managment command
+            config.pki_log.info(
+                log.PKIHELPER_SYSTEMD_COMMAND_1, command,
+                extra=config.PKI_INDENTATION_LEVEL_2)
+            if not config.pki_dry_run_flag:
+                # Execute this "systemd" execution management command
+                subprocess.call(command, shell=True)
+        except subprocess.CalledProcessError as exc:
+            config.pki_log.error(log.PKI_SUBPROCESS_ERROR_1, exc,
+                                 extra=config.PKI_INDENTATION_LEVEL_2)
+            if critical_failure == True:
+                sys.exit(1)
+        return
+
+    def restart(self, critical_failure=True):
+        try:
+            # Compose this "systemd" execution management command
+            if master['pki_subsystem'] in config.PKI_APACHE_SUBSYSTEMS:
+                command = "systemctl" + " " +\
+                          "restart" + " " +\
+                          "pki-apached" + "@" +\
+                          master['pki_instance_id'] + "." + "service"
+            elif master['pki_subsystem'] in config.PKI_TOMCAT_SUBSYSTEMS:
+                command = "systemctl" + " " +\
+                          "restart" + " " +\
+                          "pki-tomcatd" + "@" +\
+                          master['pki_instance_id'] + "." + "service"
+            # Display this "systemd" execution managment command
+            config.pki_log.info(
+                log.PKIHELPER_SYSTEMD_COMMAND_1, command,
+                extra=config.PKI_INDENTATION_LEVEL_2)
+            if not config.pki_dry_run_flag:
+                # Execute this "systemd" execution management command
+                subprocess.call(command, shell=True)
+        except subprocess.CalledProcessError as exc:
+            config.pki_log.error(log.PKI_SUBPROCESS_ERROR_1, exc,
+                                 extra=config.PKI_INDENTATION_LEVEL_2)
+            if critical_failure == True:
+                sys.exit(1)
+        return
+
+
 # PKI Deployment 'jython' Class
 class jython:
     def invoke(self, scriptlet, critical_failure=True):
@@ -1681,6 +2010,8 @@ class jython:
 
 # PKI Deployment Helper Class Instances
 identity = identity()
+configuration_file = configuration_file()
+#xml_file = xml_file()
 instance = instance()
 directory = directory()
 file = file()
@@ -1688,4 +2019,5 @@ symlink = symlink()
 war = war()
 password = password()
 certutil = certutil()
+systemd = systemd()
 jython = jython()
diff --git a/base/deploy/src/scriptlets/pkijython.py b/base/deploy/src/scriptlets/pkijython.py
index 9c8765a80..800826635 100644
--- a/base/deploy/src/scriptlets/pkijython.py
+++ b/base/deploy/src/scriptlets/pkijython.py
@@ -5,6 +5,7 @@ from java.io import BufferedReader
 from java.io import ByteArrayInputStream
 from java.io import FileReader
 from java.io import IOException
+from java.lang import Integer
 from java.lang import String as javastring
 from java.lang import System as javasystem
 from java.net import URISyntaxException
@@ -18,6 +19,7 @@ import jarray
 
 
 # System Python Imports
+import ConfigParser
 import os
 import sys
 pki_python_module_path = os.path.join(sys.prefix,
@@ -79,10 +81,15 @@ class classPathHacker:
 jarLoad = classPathHacker()
 #     Webserver Jars
 jarLoad.addFile("/usr/share/java/httpcomponents/httpclient.jar")
+jarLoad.addFile("/usr/share/java/httpcomponents/httpcore.jar")
 jarLoad.addFile("/usr/share/java/apache-commons-cli.jar")
+jarLoad.addFile("/usr/share/java/apache-commons-codec.jar")
+jarLoad.addFile("/usr/share/java/apache-commons-logging.jar")
+jarLoad.addFile("/usr/share/java/istack-commons-runtime.jar")
 #     Resteasy Jars
 jarLoad.addFile("/usr/share/java/glassfish-jaxb/jaxb-impl.jar")
 jarLoad.addFile("/usr/share/java/resteasy/jaxrs-api.jar")
+jarLoad.addFile("/usr/share/java/resteasy/resteasy-atom-provider.jar")
 jarLoad.addFile("/usr/share/java/resteasy/resteasy-jaxb-provider.jar")
 jarLoad.addFile("/usr/share/java/resteasy/resteasy-jaxrs.jar")
 jarLoad.addFile("/usr/share/java/resteasy/resteasy-jettison-provider.jar")
@@ -145,6 +152,63 @@ import pkiconfig as config
 import pkimessages as log
 
 
+# PKI Deployment Jython Helper Functions
+def extract_sensitive_data(configuration_file):
+    "Read 'sensitive' configuration file section into a dictionary"
+    try:
+        parser = ConfigParser.ConfigParser()
+        # Make keys case-sensitive!
+        parser.optionxform = str
+        parser.read(configuration_file)
+        # return dict(parser._sections['Sensitive'])
+        dictionary = {}
+        for option in parser.options('Sensitive'):
+            dictionary[option] = parser.get('Sensitive', option)
+        return dictionary
+    except ConfigParser.ParsingError, err:
+        javasystem.out.println(log.PKI_JYTHON_EXCEPTION_PARSER + " '" +\
+                               configuration_file + "':  " + str(err))
+        javasystem.exit(1)
+
+def generateCRMFRequest(token, keysize, subjectdn, dualkey):
+        kg = token.getKeyPairGenerator(KeyPairAlgorithm.RSA)
+        x = Integer(keysize)
+        key_len = x.intValue()
+        kg.initialize(key_len)
+        # 1st key pair
+        pair = kg.genKeyPair()
+        # create CRMF
+        certTemplate = CertTemplate()
+        certTemplate.setVersion(INTEGER(2))
+        if not subjectdn is None:
+            name = X500Name(subjectdn)
+            cs = ByteArrayInputStream(name.getEncoded())
+            n = Name.getTemplate().decode(cs)
+            certTemplate.setSubject(n)
+        certTemplate.setPublicKey(SubjectPublicKeyInfo(pair.getPublic()))
+        seq = SEQUENCE()
+        certReq = CertRequest(INTEGER(1), certTemplate, seq)
+        popdata = jarray.array([0x0,0x3,0x0], 'b')
+        pop = ProofOfPossession.createKeyEncipherment(
+                  POPOPrivKey.createThisMessage(BIT_STRING(popdata, 3)))
+        crmfMsg = CertReqMsg(certReq, pop, None)
+        s1 = SEQUENCE()
+        # 1st : Encryption key
+        s1.addElement(crmfMsg)
+        # 2nd : Signing Key
+        if dualkey:
+            javasystem.out.println(log.PKI_JYTHON_IS_DUALKEY)
+            seq1 = SEQUENCE()
+            certReqSigning = CertRequest(INTEGER(1), certTemplate, seq1)
+            signingMsg = CertReqMsg(certReqSigning, pop, None)
+            s1.addElement(signingMsg)
+        encoded = jarray.array(ASN1Util.encode(s1), 'b')
+        # encoder = BASE64Encoder()
+        # Req1 = encoder.encodeBuffer(encoded)
+        Req1 = Utils.base64encode(encoded)
+        return Req1
+
+
 # PKI Deployment 'security databases' Class
 class security_databases:
     def initialize_token(self, pki_database_path, pki_dry_run_flag, log_level):
@@ -160,11 +224,13 @@ class security_databases:
             # it is ok if it is already initialized
             pass
         except Exception, e:
-            javasystem.out.println("INITIALIZATION ERROR: " + str(e))
+            javasystem.out.println(log.PKI_JYTHON_INITIALIZATION_ERROR +\
+                                   " " + str(e))
             javasystem.exit(1)
 
     def log_into_token(self, pki_database_path, password_conf,
                        pki_dry_run_flag, log_level):
+        token = None
         try:
             if log_level >= config.PKI_JYTHON_INFO_LOG_LEVEL:
                 print "%s %s '%s'" %\
@@ -174,10 +240,10 @@ class security_databases:
             if not pki_dry_run_flag:
                 manager = CryptoManager.getInstance()
                 token = manager.getInternalKeyStorageToken()
-                # Retrieve 'token_pwd' from 'password_conf'
+                # Retrieve 'password' from client-side 'password_conf'
                 #
                 #     NOTE:  For now, ONLY read the first line
-                #            (which contains the password)
+                #            (which contains "password")
                 #
                 fd = open(password_conf, "r")
                 token_pwd = fd.readline()
@@ -188,13 +254,364 @@ class security_databases:
                 try:
                     token.login(password)
                 except Exception, e:
-                    javasystem.out.println("login Exception: " + str(e))
+                    javasystem.out.println(log.PKI_JYTHON_LOGIN_EXCEPTION +\
+                                           " " + str(e))
                     if not token.isLoggedIn():
                         token.initPassword(password, password)
+                    javasystem.exit(1)
         except Exception, e:
-            javasystem.out.println("Exception in logging into token: " +\
-                                   str(e))
+            javasystem.out.println(log.PKI_JYTHON_TOKEN_LOGIN_EXCEPTION +\
+                                   " " + str(e))
             javasystem.exit(1)
+        return token
+
+
+# PKI Deployment 'REST Client' Class
+class rest_client:
+    client = None
+
+    def initialize(self, base_uri, pki_dry_run_flag, log_level):
+        try:
+            if log_level >= config.PKI_JYTHON_INFO_LOG_LEVEL:
+                print "%s %s '%s'" %\
+                      (log.PKI_JYTHON_INDENTATION_2,
+                       log.PKI_JYTHON_INITIALIZING_REST_CLIENT,
+                       base_uri)
+            if not pki_dry_run_flag:
+                self.client = ConfigurationRESTClient(base_uri, None)
+            return self.client
+        except URISyntaxException, e:
+            e.printStackTrace()
+            javasystem.exit(1)
+
+    def construct_pki_configuration_data(self, master, token):
+        data = None
+        if master['pki_jython_log_level'] >= config.PKI_JYTHON_INFO_LOG_LEVEL:
+            print "%s %s '%s'" %\
+                  (log.PKI_JYTHON_INDENTATION_2,
+                   log.PKI_JYTHON_CONSTRUCTING_PKI_DATA,
+                   master['pki_subsystem'])
+        if not master['pki_dry_run_flag']:
+            sensitive = extract_sensitive_data(master['pki_deployment_cfg'])
+            data = ConfigurationData()
+            # Miscellaneous Configuration Information
+            data.setPin(master['pki_one_time_pin'])
+            data.setToken(ConfigurationData.TOKEN_DEFAULT)
+            if master['pki_instance_type'] == "Tomcat":
+                if master['pki_subsystem'] == "CA":
+                    if config.str2bool(master['pki_clone']):
+                        # Cloned CA
+                        data.setHierarchy("root")
+                        data.setIsClone("true")
+                        data.setSubsystemName("Cloned CA Subsystem")
+                    elif config.str2bool(master['pki_external']):
+                        # External CA
+                        data.setHierarchy("join")
+                        data.setIsClone("false")
+                        data.setSubsystemName("External CA Subsystem")
+                    elif config.str2bool(master['pki_subordinate']):
+                        # Subordinate CA
+                        data.setHierarchy("join")
+                        data.setIsClone("false")
+                        data.setSubsystemName("Subordinate CA Subsystem")
+                    else:
+                        # PKI CA
+                        data.setHierarchy("root")
+                        data.setIsClone("false")
+                        data.setSubsystemName("PKI CA Subsystem")
+                elif master['pki_subsystem'] == "KRA":
+                    if config.str2bool(master['pki_clone']):
+                        # Cloned KRA
+                        data.setIsClone("true")
+                        data.setSubsystemName("Cloned KRA Subsystem")
+                    else:
+                        # PKI KRA
+                        data.setIsClone("false")
+                        data.setSubsystemName("PKI KRA Subsystem")
+                elif master['pki_subsystem'] == "OCSP":
+                    if config.str2bool(master['pki_clone']):
+                        # Cloned OCSP
+                        data.setIsClone("true")
+                        data.setSubsystemName("Cloned OCSP Subsystem")
+                    else:
+                        # PKI OCSP
+                        data.setIsClone("false")
+                        data.setSubsystemName("PKI OCSP Subsystem")
+                elif master['pki_subsystem'] == "TKS":
+                    if config.str2bool(master['pki_clone']):
+                        # Cloned TKS
+                        data.setIsClone("true")
+                        data.setSubsystemName("Cloned TKS Subsystem")
+                    else:
+                        # PKI TKS
+                        data.setIsClone("false")
+                        data.setSubsystemName("PKI TKS Subsystem")
+            # Security Domain Information
+            if master['pki_instance_type'] == "Tomcat":
+                if master['pki_subsystem'] == "CA":
+                    if config.str2bool(master['pki_external']):
+                        # External CA
+                        data.setSecurityDomainType(
+                            ConfigurationData.NEW_DOMAIN)
+                        data.setSecurityDomainName(
+                            master['pki_security_domain_name'])
+                    elif not config.str2bool(master['pki_clone']) and\
+                         not config.str2bool(master['pki_subordinate']):
+                        # PKI CA
+                        data.setSecurityDomainType(
+                            ConfigurationData.NEW_DOMAIN)
+                        data.setSecurityDomainName(
+                            master['pki_security_domain_name'])
+                    else:
+                        # PKI Cloned or Subordinate CA
+                        data.setSecurityDomainType(
+                            ConfigurationData.EXISTING_DOMAIN)
+                        data.setSecurityDomainUri(
+                            master['pki_security_domain_uri'])
+                        data.setSecurityDomainUser(
+                            master['pki_security_domain_user'])
+                        data.setSecurityDomainPassword(
+                            sensitive['pki_security_domain_password'])
+                else:
+                    # PKI KRA, OCSP, or TKS
+                    data.setSecurityDomainType(
+                        ConfigurationData.EXISTING_DOMAIN)
+                    data.setSecurityDomainUri(
+                        master['pki_security_domain_uri'])
+                    data.setSecurityDomainUser(
+                        master['pki_security_domain_user'])
+                    data.setSecurityDomainPassword(
+                        sensitive['pki_security_domain_password'])
+            # Directory Server Information
+            if master['pki_subsystem'] != "RA":
+                data.setDsHost(master['pki_ds_hostname'])
+                data.setDsPort(master['pki_ds_http_port'])
+                data.setBaseDN(master['pki_ds_base_dn'])
+                data.setBindDN(master['pki_ds_bind_dn'])
+                data.setDatabase(master['pki_ds_database'])
+                data.setBindpwd(sensitive['pki_ds_password'])
+                if config.str2bool(master['pki_ds_remove_data']):
+                    data.setRemoveData("true")
+                else:
+                    data.setRemoveData("false")
+                if config.str2bool(master['pki_ds_secure_connection']):
+                    data.setSecureConn("true")
+                else:
+                    data.setSecureConn("false")
+            # Backup Information
+            if master['pki_instance_type'] == "Tomcat":
+                if config.str2bool(master['pki_backup_keys']):
+                    data.setBackupKeys("true")
+                    data.setBackupFile(master['pki_backup_file'])
+                    data.setBackupPassword(
+                        sensitive['pki_backup_password'])
+                else:
+                    data.setBackupKeys("false")
+            # Admin Information
+            if master['pki_instance_type'] == "Tomcat":
+                if not config.str2bool(master['pki_clone']):
+                    data.setAdminEmail(master['pki_admin_email'])
+                    data.setAdminName(master['pki_admin_name'])
+                    data.setAdminPassword(sensitive['pki_admin_password'])
+                    data.setAdminProfileID(master['pki_admin_profile_id'])
+                    data.setAdminUID(master['pki_admin_uid'])
+                    data.setAdminSubjectDN(master['pki_admin_subject_dn'])
+                    if master['pki_admin_cert_request_type'] == "crmf":
+                        data.setAdminCertRequestType("crmf")
+                        if config.str2bool(master['pki_admin_dualkey']):
+                            crmf_request = generateCRMFRequest(
+                                               token,
+                                               master['pki_admin_keysize'],
+                                               master['pki_admin_subject_dn'],
+                                               "true")
+                        else:
+                            crmf_request = generateCRMFRequest(
+                                               token,
+                                               master['pki_admin_keysize'],
+                                               master['pki_admin_subject_dn'],
+                                               "false")
+                        data.setAdminCertRequest(crmf_request)
+                    else:
+                        javasystem.out.println(log.PKI_JYTHON_CRMF_SUPPORT_ONLY)
+                        javasystem.exit(1)
+            # Create system certs
+            systemCerts = ArrayList()
+            # Create 'CA Signing Certificate'
+            if master['pki_instance_type'] == "Tomcat":
+                if not config.str2bool(master['pki_clone']):
+                    if master['pki_subsystem'] == "CA":
+                        # External CA, Subordinate CA, or PKI CA
+                        cert1 = CertData()
+                        cert1.setTag(master['pki_ca_signing_tag'])
+                        cert1.setKeyAlgorithm(
+                            master['pki_ca_signing_key_algorithm'])
+                        cert1.setKeySize(master['pki_ca_signing_key_size'])
+                        cert1.setKeyType(master['pki_ca_signing_key_type'])
+                        cert1.setNickname(master['pki_ca_signing_nickname'])
+                        cert1.setSigningAlgorithm(
+                            master['pki_ca_signing_signing_algorithm'])
+                        cert1.setSubjectDN(master['pki_ca_signing_subject_dn'])
+                        cert1.setToken(master['pki_ca_signing_token'])
+                        systemCerts.add(cert1)
+            # Create 'OCSP Signing Certificate'
+            if master['pki_instance_type'] == "Tomcat":
+                if not config.str2bool(master['pki_clone']):
+                    if master['pki_subsystem'] == "CA" or\
+                       master['pki_subsystem'] == "OCSP":
+                        # External CA, Subordinate CA, PKI CA, or PKI OCSP
+                        cert2 = CertData()
+                        cert2.setTag(master['pki_ocsp_signing_tag'])
+                        cert2.setKeyAlgorithm(
+                            master['pki_ocsp_signing_key_algorithm'])
+                        cert2.setKeySize(master['pki_ocsp_signing_key_size'])
+                        cert2.setKeyType(master['pki_ocsp_signing_key_type'])
+                        cert2.setNickname(master['pki_ocsp_signing_nickname'])
+                        cert2.setSigningAlgorithm(
+                            master['pki_ocsp_signing_signing_algorithm'])
+                        cert2.setSubjectDN(
+                            master['pki_ocsp_signing_subject_dn'])
+                        cert2.setToken(master['pki_ocsp_signing_token'])
+                        systemCerts.add(cert2)
+            # Create 'SSL Server Certificate'
+            #     PKI RA, PKI TPS,
+            #     PKI CA, PKI KRA, PKI OCSP, PKI TKS,
+            #     PKI CA CLONE, PKI KRA CLONE, PKI OCSP CLONE, PKI TKS CLONE,
+            #     External CA, or Subordinate CA
+            cert3 = CertData()
+            cert3.setTag(master['pki_ssl_server_tag'])
+            cert3.setKeyAlgorithm(master['pki_ssl_server_key_algorithm'])
+            cert3.setKeySize(master['pki_ssl_server_key_size'])
+            cert3.setKeyType(master['pki_ssl_server_key_type'])
+            cert3.setNickname(master['pki_ssl_server_nickname'])
+            cert3.setSubjectDN(master['pki_ssl_server_subject_dn'])
+            cert3.setToken(master['pki_ssl_server_token'])
+            systemCerts.add(cert3)
+            # Create 'Subsystem Certificate'
+            if master['pki_instance_type'] == "Apache":
+                # PKI RA or PKI TPS
+                cert4 = CertData()
+                cert4.setTag(master['pki_subsystem_tag'])
+                cert4.setKeyAlgorithm(master['pki_subsystem_key_algorithm'])
+                cert4.setKeySize(master['pki_subsystem_key_size'])
+                cert4.setKeyType(master['pki_subsystem_key_type'])
+                cert4.setNickname(master['pki_subsystem_nickname'])
+                cert4.setSubjectDN(master['pki_subsystem_subject_dn'])
+                cert4.setToken(master['pki_subsystem_token'])
+                systemCerts.add(cert4)
+            elif master['pki_instance_type'] == "Tomcat":
+                if not config.str2bool(master['pki_clone']):
+                    # PKI CA, PKI KRA, PKI OCSP, PKI TKS,
+                    # External CA, or Subordinate CA
+                    cert4 = CertData()
+                    cert4.setTag(master['pki_subsystem_tag'])
+                    cert4.setKeyAlgorithm(master['pki_subsystem_key_algorithm'])
+                    cert4.setKeySize(master['pki_subsystem_key_size'])
+                    cert4.setKeyType(master['pki_subsystem_key_type'])
+                    cert4.setNickname(master['pki_subsystem_nickname'])
+                    cert4.setSubjectDN(master['pki_subsystem_subject_dn'])
+                    cert4.setToken(master['pki_subsystem_token'])
+                    systemCerts.add(cert4)
+            # Create 'Audit Signing Certificate'
+            if master['pki_instance_type'] == "Apache":
+                if master['pki_subsystem'] != "RA":
+                    # PKI TPS
+                    cert5 = CertData()
+                    cert5.setTag(master['pki_audit_signing_tag'])
+                    cert5.setKeyAlgorithm(
+                        master['pki_audit_signing_key_algorithm'])
+                    cert5.setKeySize(master['pki_audit_signing_key_size'])
+                    cert5.setKeyType(master['pki_audit_signing_key_type'])
+                    cert5.setNickname(master['pki_audit_signing_nickname'])
+                    cert5.setKeyAlgorithm(
+                        master['pki_audit_signing_signing_algorithm'])
+                    cert5.setSubjectDN(master['pki_audit_signing_subject_dn'])
+                    cert5.setToken(master['pki_audit_signing_token'])
+                    systemCerts.add(cert5)
+            elif master['pki_instance_type'] == "Tomcat":
+                if not config.str2bool(master['pki_clone']):
+                    # PKI CA, PKI KRA, PKI OCSP, PKI TKS,
+                    # External CA, or Subordinate CA
+                    cert5 = CertData()
+                    cert5.setTag(master['pki_audit_signing_tag'])
+                    cert5.setKeyAlgorithm(
+                        master['pki_audit_signing_key_algorithm'])
+                    cert5.setKeySize(master['pki_audit_signing_key_size'])
+                    cert5.setKeyType(master['pki_audit_signing_key_type'])
+                    cert5.setNickname(master['pki_audit_signing_nickname'])
+                    cert5.setKeyAlgorithm(
+                        master['pki_audit_signing_signing_algorithm'])
+                    cert5.setSubjectDN(master['pki_audit_signing_subject_dn'])
+                    cert5.setToken(master['pki_audit_signing_token'])
+                    systemCerts.add(cert5)
+            # Create 'DRM Transport Certificate'
+            if master['pki_instance_type'] == "Tomcat":
+                if not config.str2bool(master['pki_clone']):
+                    if master['pki_subsystem'] == "KRA":
+                        # PKI KRA
+                        cert6 = CertData()
+                        cert6.setTag(master['pki_transport_tag'])
+                        cert6.setKeyAlgorithm(
+                            master['pki_transport_key_algorithm'])
+                        cert6.setKeySize(master['pki_transport_key_size'])
+                        cert6.setKeyType(master['pki_transport_key_type'])
+                        cert6.setNickname(master['pki_transport_nickname'])
+                        cert6.setKeyAlgorithm(
+                            master['pki_transport_signing_algorithm'])
+                        cert6.setSubjectDN(master['pki_transport_subject_dn'])
+                        cert6.setToken(master['pki_transport_token'])
+                        systemCerts.add(cert6)
+            # Create 'DRM Storage Certificate'
+            if master['pki_instance_type'] == "Tomcat":
+                if not config.str2bool(master['pki_clone']):
+                    if master['pki_subsystem'] == "KRA":
+                        # PKI KRA
+                        cert7 = CertData()
+                        cert7.setTag(master['pki_storage_tag'])
+                        cert7.setKeyAlgorithm(
+                            master['pki_storage_key_algorithm'])
+                        cert7.setKeySize(master['pki_storage_key_size'])
+                        cert7.setKeyType(master['pki_storage_key_type'])
+                        cert7.setNickname(master['pki_storage_nickname'])
+                        cert7.setKeyAlgorithm(
+                            master['pki_storage_signing_algorithm'])
+                        cert7.setSubjectDN(master['pki_storage_subject_dn'])
+                        cert7.setToken(master['pki_storage_token'])
+                        systemCerts.add(cert7)
+            # Create system certs
+            data.setSystemCerts(systemCerts)
+        return data
+
+    def configure_pki_data(self, data, pki_subsystem, pki_dry_run_flag,
+                           log_level):
+        if log_level >= config.PKI_JYTHON_INFO_LOG_LEVEL:
+            print "%s %s '%s'" %\
+                  (log.PKI_JYTHON_INDENTATION_2,
+                   log.PKI_JYTHON_CONFIGURING_PKI_DATA,
+                   pki_subsystem)
+        if not pki_dry_run_flag:
+            try:
+                response = self.client.configure(data)
+                javasystem.out.println(log.PKI_JYTHON_RESPONSE_STATUS +\
+                                       " " + response.getStatus())
+                javasystem.out.println(log.PKI_JYTHON_RESPONSE_ADMIN_CERT +\
+                                       " " + response.getAdminCert().getCert())
+                certs = response.getSystemCerts()
+                iterator = certs.iterator()
+                while iterator.hasNext():
+                    cdata = iterator.next()
+                    javasystem.out.println(log.PKI_JYTHON_CDATA_TAG + " " +\
+                                           cdata.getTag())
+                    javasystem.out.println(log.PKI_JYTHON_CDATA_CERT + " " +\
+                                           cdata.getCert())
+                    javasystem.out.println(log.PKI_JYTHON_CDATA_REQUEST + " " +\
+                                           cdata.getRequest())
+            except Exception, e:
+                javasystem.out.println(
+                    log.PKI_JYTHON_JAVA_CONFIGURATION_EXCEPTION + " " + str(e))
+                javasystem.exit(1)
+        return
+
 
 # PKI Deployment Jython Class Instances
 security_databases = security_databases()
+rest_client = rest_client()
diff --git a/base/deploy/src/scriptlets/pkimessages.py b/base/deploy/src/scriptlets/pkimessages.py
index 806a64e4d..d7d50a63e 100644
--- a/base/deploy/src/scriptlets/pkimessages.py
+++ b/base/deploy/src/scriptlets/pkimessages.py
@@ -20,6 +20,14 @@
 #
 
 # PKI Deployment Engine Messages
+PKI_DICTIONARY_MANDATORY ="\n"\
+"=====================================================\n"\
+"    DISPLAY CONTENTS OF PKI MANDATORY DICTIONARY\n"\
+"====================================================="
+PKI_DICTIONARY_OPTIONAL ="\n"\
+"=====================================================\n"\
+"    DISPLAY CONTENTS OF PKI OPTIONAL DICTIONARY\n"\
+"====================================================="
 PKI_DICTIONARY_COMMON ="\n"\
 "=====================================================\n"\
 "    DISPLAY CONTENTS OF PKI COMMON DICTIONARY\n"\
@@ -40,6 +48,7 @@ PKI_DICTIONARY_WEB_SERVER="\n"\
 "=====================================================\n"\
 "    DISPLAY CONTENTS OF PKI WEB SERVER DICTIONARY\n"\
 "====================================================="
+# NEVER print out 'sensitive' data dictionary!!!
 
 
 # PKI Deployment Log Messages
@@ -150,10 +159,16 @@ PKIHELPER_CP_P_2 = "cp -p %s %s"
 PKIHELPER_CP_RP_2 = "cp -rp %s %s"
 PKIHELPER_CREATE_SECURITY_DATABASES_1 = "executing '%s'"
 PKIHELPER_DANGLING_SYMLINK_2 = "Dangling symlink '%s'-->'%s'"
+PKIHELPER_DICTIONARY_MASTER_MISSING_KEY_1 = "KeyError:  Master dictionary "\
+                                            "is missing the key called '%s'!"
 PKIHELPER_DIRECTORY_IS_EMPTY_1 = "directory '%s' is empty"
 PKIHELPER_DIRECTORY_IS_NOT_EMPTY_1 = "directory '%s' is NOT empty"
 PKIHELPER_GID_2 = "GID of '%s' is %s"
 PKIHELPER_GROUP_1 = "retrieving GID for '%s' . . ."
+PKIHELPER_GROUP_ADD_2 = "adding GID '%s' for group '%s' . . ."
+PKIHELPER_GROUP_ADD_DEFAULT_2 = "adding default GID '%s' for group '%s' . . ."
+PKIHELPER_GROUP_ADD_GID_KEYERROR_1 = "KeyError:  pki_gid %s"
+PKIHELPER_GROUP_ADD_KEYERROR_1 = "KeyError:  pki_group %s"
 PKIHELPER_INVOKE_JYTHON_3 = "executing 'export %s;"\
                             "jython %s %s <master_dictionary>'"
 PKIHELPER_IS_A_DIRECTORY_1 = "'%s' is a directory"
@@ -165,32 +180,82 @@ PKIHELPER_MKDIR_1 = "mkdir -p %s"
 PKIHELPER_MODIFY_DIR_1 = "modifying '%s'"
 PKIHELPER_MODIFY_FILE_1 = "modifying '%s'"
 PKIHELPER_MODIFY_SYMLINK_1 = "modifying '%s'"
+PKIHELPER_MUTUALLY_EXCLUSIVE_CLONE_EXTERNAL_CA = "cloned CAs and external "\
+                                                 "CAs MUST be MUTUALLY "\
+                                                 "EXCLUSIVE in '%s'"
+PKIHELPER_MUTUALLY_EXCLUSIVE_CLONE_EXTERNAL_SUB_CA = "cloned CAs, external "\
+                                                     "CAs, and subordinate CAs"\
+                                                     "MUST ALL be MUTUALLY "\
+                                                     "EXCLUSIVE in '%s'"
+PKIHELPER_MUTUALLY_EXCLUSIVE_CLONE_SUB_CA = "cloned CAs and subordinate "\
+                                            "CAs MUST be MUTUALLY "\
+                                            "EXCLUSIVE in '%s'"
+PKIHELPER_MUTUALLY_EXCLUSIVE_EXTERNAL_SUB_CA = "external CAs and subordinate "\
+                                               "CAs MUST be MUTUALLY "\
+                                               "EXCLUSIVE in '%s'"
 PKIHELPER_NOISE_FILE_2 = "generating noise file called '%s' and "\
                          "filling it with '%d' random bytes"
 PKIHELPER_PASSWORD_CONF_1 = "generating '%s'"
 PKIHELPER_PKI_SUBSYSTEM_INSTANCES_2 = "instance '%s' contains '%d' "\
                                       "PKI subsystems"
+PKIHELPER_REMOVE_FILTER_SECTION_1 = "removing filter section from '%s'"
 PKIHELPER_RM_F_1 = "rm -f %s"
 PKIHELPER_RM_RF_1 = "rm -rf %s"
 PKIHELPER_RMDIR_1 = "rmdir %s"
 PKIHELPER_SET_MODE_1 = "setting ownerships, permissions, and acls on '%s'"
 PKIHELPER_SLOT_SUBSTITUTION_2 = "slot substitution: '%s' ==> '%s'"
+PKIHELPER_SYSTEMD_COMMAND_1 = "executing '%s'"
 PKIHELPER_TOMCAT_INSTANCES_2 = "instance '%s' contains '%d' "\
                                "Tomcat PKI subsystems"
 PKIHELPER_TOUCH_1 = "touch %s"
 PKIHELPER_UID_2 = "UID of '%s' is %s"
+PKIHELPER_UNDEFINED_ADMIN_PASSWORD_1 =\
+    "A value for 'pki_admin_password' MUST be defined in '%s'"
+PKIHELPER_UNDEFINED_BACKUP_PASSWORD_1 =\
+    "A value for 'pki_backup_password' MUST be defined in '%s'"
+PKIHELPER_UNDEFINED_DS_PASSWORD_1 =\
+    "A value for 'pki_ds_password' MUST be defined in '%s'"
+PKIHELPER_UNDEFINED_PKCS12_PASSWORD_1 =\
+    "A value for 'pki_pkcs12_password' MUST be defined in '%s'"
+PKIHELPER_UNDEFINED_SECURITY_DOMAIN_PASSWORD_1 =\
+    "A value for 'pki_security_domain_password' MUST be defined in '%s'"
 PKIHELPER_USER_1 = "retrieving UID for '%s' . . ."
+PKIHELPER_USER_ADD_2 = "adding UID '%s' for user '%s' . . ."
+PKIHELPER_USER_ADD_DEFAULT_2 = "adding default UID '%s' for user '%s' . . ."
+PKIHELPER_USER_ADD_KEYERROR_1 = "KeyError:  pki_user %s"
+PKIHELPER_USER_ADD_UID_KEYERROR_1 = "KeyError:  pki_uid %s"
 
 
 # PKI Deployment Jython "Scriptlet" Messages
 # (MUST contain NO embedded formats since Jython 2.2 does not support logging!)
+PKI_JYTHON_CDATA_TAG = "tag:"
+PKI_JYTHON_CDATA_CERT = "cert:"
+PKI_JYTHON_CDATA_REQUEST = "request:"
+PKI_JYTHON_CLONED_PKI_SUBSYSTEM = "Cloned"
+PKI_JYTHON_CONFIGURING_PKI_DATA = "configuring PKI configuration data for"
+PKI_JYTHON_CONSTRUCTING_PKI_DATA = "constructing PKI configuration data for"
+PKI_JYTHON_CRMF_SUPPORT_ONLY = "only the 'crmf' certificate request type "\
+                               "is currently supported"
+PKI_JYTHON_IS_DUALKEY = "dualkey = true"
+PKI_JYTHON_EXCEPTION_PARSER = "Problem parsing"
+PKI_JYTHON_EXTERNAL_CA = "External"
 PKI_JYTHON_INDENTATION_0 = "pkispawn    : JYTHON  "
 PKI_JYTHON_INDENTATION_1 = "pkispawn    : JYTHON   ..."
 PKI_JYTHON_INDENTATION_2 = "pkispawn    : JYTHON   ......."
 PKI_JYTHON_INDENTATION_3 = "pkispawn    : JYTHON   ..........."
 PKI_JYTHON_INDENTATION_4 = "pkispawn    : JYTHON   ..............."
+PKI_JYTHON_INITIALIZATION_ERROR = "INITIALIZATION ERROR:"
+PKI_JYTHON_INITIALIZING_REST_CLIENT = "initializing REST client via"
 PKI_JYTHON_INITIALIZING_TOKEN = "initializing token located in"
+PKI_JYTHON_JAVA_CONFIGURATION_EXCEPTION =\
+    "Exception from Java Configuration Servlet:"
 PKI_JYTHON_LOG_INTO_TOKEN = "logging into token located in"
+PKI_JYTHON_LOGIN_EXCEPTION = "login Exception:"
+PKI_JYTHON_RESPONSE_ADMIN_CERT = "adminCert:"
+PKI_JYTHON_RESPONSE_STATUS = "status:"
+PKI_JYTHON_TOKEN_LOGIN_EXCEPTION = "Exception in logging into token:"
+PKI_JYTHON_NOT_YET_IMPLEMENTED = "NOT YET IMPLEMENTED"
+PKI_JYTHON_SUBORDINATE_CA = "Subordinate"
 
 
 # PKI Deployment "Scriptlet" Messages
diff --git a/base/deploy/src/scriptlets/pkiparser.py b/base/deploy/src/scriptlets/pkiparser.py
index 0add192f7..5abfdc064 100644
--- a/base/deploy/src/scriptlets/pkiparser.py
+++ b/base/deploy/src/scriptlets/pkiparser.py
@@ -53,22 +53,18 @@ def process_command_line_arguments(argv):
                            required=True, metavar='<subsystem>',
                            help='where <subsystem> is '
                                 'CA, KRA, OCSP, RA, TKS, or TPS')
+    if os.path.basename(argv[0]) == 'pkispawn':
+        mandatory.add_argument('-f',
+                               dest='pkideployment_cfg', action='store',
+                               nargs=1, required=True, metavar='<file>',
+                               help='specifies configuration filename')
     optional = parser.add_argument_group('optional arguments')
     optional.add_argument('--dry_run',
                           dest='pki_dry_run_flag', action='store_true',
                           help='do not actually perform any actions')
-    optional.add_argument('-f',
-                          dest='pkideployment_cfg', action='store',
-                          nargs=1, metavar='<file>',
-                          help='overrides default configuration filename')
     optional.add_argument('-h', '--help',
                           dest='help', action='help',
                           help='show this help message and exit')
-    optional.add_argument('-p',
-                          dest='pki_root_prefix', action='store',
-                          nargs=1, metavar='<prefix>',
-                          help='directory prefix to specify local directory '
-                               '[TEST ONLY]')
     if os.path.basename(argv[0]) == 'pkispawn':
         optional.add_argument('-u',
                               dest='pki_update_flag', action='store_true',
@@ -98,6 +94,12 @@ def process_command_line_arguments(argv):
                         dest='custom_pki_ajp_port', action='store',
                         nargs=1, metavar='<port>',
                         help='AJP port (CA, KRA, OCSP, TKS)')
+    test = parser.add_argument_group('test arguments')
+    test.add_argument('-p',
+                      dest='pki_root_prefix', action='store',
+                      nargs=1, metavar='<prefix>',
+                      help='directory prefix to specify local directory '
+                           '[TEST ONLY]')
     args = parser.parse_args()
 
     config.pki_subsystem = str(args.pki_subsystem).strip('[\']')
@@ -187,7 +189,7 @@ def process_command_line_arguments(argv):
                 print
                 parser.print_help()
                 parser.exit(-1);
-    if not args.pkideployment_cfg is None:
+    if os.path.basename(argv[0]) == 'pkispawn':
         config.pkideployment_cfg = str(args.pkideployment_cfg).strip('[\']')
     elif os.path.basename(argv[0]) == 'pkidestroy':
         # NOTE:  When performing 'pkidestroy', a configuration file must be
@@ -258,6 +260,9 @@ def read_pki_configuration_file():
         # Make keys case-sensitive!
         parser.optionxform = str
         parser.read(config.pkideployment_cfg)
+        config.pki_sensitive_dict = dict(parser._sections['Sensitive'])
+        config.pki_mandatory_dict = dict(parser._sections['Mandatory'])
+        config.pki_optional_dict = dict(parser._sections['Optional'])
         config.pki_common_dict = dict(parser._sections['Common'])
         if config.pki_subsystem == "CA":
             config.pki_web_server_dict = dict(parser._sections['Tomcat'])
@@ -278,6 +283,9 @@ def read_pki_configuration_file():
             config.pki_web_server_dict = dict(parser._sections['Apache'])
             config.pki_subsystem_dict = dict(parser._sections['TPS'])
         # Insert empty record into dictionaries for "pretty print" statements
+        #     NEVER print "sensitive" key value pairs!!!
+        config.pki_mandatory_dict[0] = None
+        config.pki_optional_dict[0] = None
         config.pki_common_dict[0] = None
         config.pki_web_server_dict[0] = None
         config.pki_subsystem_dict[0] = None
@@ -297,13 +305,19 @@ def compose_pki_master_dictionary():
             config.pki_certificate_timestamp
         config.pki_master_dict['pki_architecture'] = config.pki_architecture
         config.pki_master_dict['pki_hostname'] = config.pki_hostname
+        config.pki_master_dict['pki_dns_domainname'] =\
+            config.pki_dns_domainname
         config.pki_master_dict['pki_pin'] = config.pki_pin
         config.pki_master_dict['pki_client_pin'] = config.pki_client_pin
         config.pki_master_dict['pki_one_time_pin'] = config.pki_one_time_pin
         config.pki_master_dict['pki_dry_run_flag'] = config.pki_dry_run_flag
         config.pki_master_dict['pki_jython_log_level'] =\
             config.pki_jython_log_level
+        config.pki_master_dict['pki_deployment_cfg'] = config.pkideployment_cfg
         # Configuration file name/value pairs
+        #     NEVER add "sensitive" key value pairs to the master dictionary!!!
+        config.pki_master_dict.update(config.pki_mandatory_dict)
+        config.pki_master_dict.update(config.pki_optional_dict)
         config.pki_master_dict.update(config.pki_common_dict)
         config.pki_master_dict.update(config.pki_web_server_dict)
         config.pki_master_dict.update(config.pki_subsystem_dict)
@@ -357,8 +371,7 @@ def compose_pki_master_dictionary():
         #           (e. g. Tomcat:  "tomcat", "example.com-tomcat")
         #           (e. g. Apache:  "apache", "example.com-apache")
         #
-        if not config.pki_master_dict['pki_admin_domain_name'] is None and\
-           not config.pki_master_dict['pki_admin_domain_name'] is '':
+        if len(config.pki_master_dict['pki_admin_domain_name']):
             config.pki_master_dict['pki_instance_id'] =\
                 config.pki_master_dict['pki_admin_domain_name'] +\
                 "-" + config.pki_master_dict['pki_instance_name']
@@ -458,6 +471,9 @@ def compose_pki_master_dictionary():
                     os.path.join(config.PKI_DEPLOYMENT_SOURCE_ROOT,
                                  "ca",
                                  "emails")
+                config.pki_master_dict['pki_source_flatfile_txt'] =\
+                    os.path.join(config.pki_master_dict['pki_source_conf_path'],
+                                 "flatfile.txt")
                 config.pki_master_dict['pki_source_profiles'] =\
                     os.path.join(config.PKI_DEPLOYMENT_SOURCE_ROOT,
                                  "ca",
@@ -465,6 +481,43 @@ def compose_pki_master_dictionary():
                 config.pki_master_dict['pki_source_proxy_conf'] =\
                     os.path.join(config.pki_master_dict['pki_source_conf_path'],
                                  "proxy.conf")
+                config.pki_master_dict['pki_source_registry_cfg'] =\
+                    os.path.join(config.pki_master_dict['pki_source_conf_path'],
+                                 "registry.cfg")
+                # '*.profile'
+                config.pki_master_dict['pki_source_admincert_profile'] =\
+                    os.path.join(config.pki_master_dict['pki_source_conf_path'],
+                                 "adminCert.profile")
+                config.pki_master_dict['pki_source_caauditsigningcert_profile']\
+                    = os.path.join(
+                          config.pki_master_dict['pki_source_conf_path'],
+                          "caAuditSigningCert.profile")
+                config.pki_master_dict['pki_source_cacert_profile'] =\
+                    os.path.join(config.pki_master_dict['pki_source_conf_path'],
+                                 "caCert.profile")
+                config.pki_master_dict['pki_source_caocspcert_profile'] =\
+                    os.path.join(config.pki_master_dict['pki_source_conf_path'],
+                                 "caOCSPCert.profile")
+                config.pki_master_dict['pki_source_servercert_profile'] =\
+                    os.path.join(config.pki_master_dict['pki_source_conf_path'],
+                                 "serverCert.profile")
+                config.pki_master_dict['pki_source_subsystemcert_profile'] =\
+                    os.path.join(config.pki_master_dict['pki_source_conf_path'],
+                                 "subsystemCert.profile")
+            elif config.pki_master_dict['pki_subsystem'] == "KRA":
+                # '*.profile'
+                config.pki_master_dict['pki_source_servercert_profile'] =\
+                    os.path.join(config.pki_master_dict['pki_source_conf_path'],
+                                 "serverCert.profile")
+                config.pki_master_dict['pki_source_storagecert_profile'] =\
+                    os.path.join(config.pki_master_dict['pki_source_conf_path'],
+                                 "storageCert.profile")
+                config.pki_master_dict['pki_source_subsystemcert_profile'] =\
+                    os.path.join(config.pki_master_dict['pki_source_conf_path'],
+                                 "subsystemCert.profile")
+                config.pki_master_dict['pki_source_transportcert_profile'] =\
+                    os.path.join(config.pki_master_dict['pki_source_conf_path'],
+                                 "transportCert.profile")
         # PKI top-level file system layout name/value pairs
         # NOTE:  Never use 'os.path.join()' whenever 'pki_root_prefix'
         #        is being prepended!!!
@@ -498,12 +551,14 @@ def compose_pki_master_dictionary():
         if config.pki_master_dict['pki_subsystem'] in\
            config.PKI_APACHE_SUBSYSTEMS:
             # Apache instance base name/value pairs
+            config.pki_master_dict['pki_instance_type'] = "Apache"
             # Apache instance log name/value pairs
             # Apache instance configuration name/value pairs
             # Apache instance registry name/value pairs
             config.pki_master_dict['pki_instance_type_registry_path'] =\
-                os.path.join(config.pki_master_dict['pki_registry_path'],
-                             "apache")
+                os.path.join(
+                    config.pki_master_dict['pki_registry_path'],
+                    config.pki_master_dict['pki_instance_type'].lower())
             config.pki_master_dict['pki_instance_registry_path'] =\
                 os.path.join(
                     config.pki_master_dict['pki_instance_type_registry_path'],
@@ -513,12 +568,16 @@ def compose_pki_master_dictionary():
         elif config.pki_master_dict['pki_subsystem'] in\
              config.PKI_TOMCAT_SUBSYSTEMS:
             # Tomcat instance base name/value pairs
+            config.pki_master_dict['pki_instance_type'] = "Tomcat"
             config.pki_master_dict['pki_tomcat_common_path'] =\
                 os.path.join(config.pki_master_dict['pki_instance_path'],
                              "common")
             config.pki_master_dict['pki_tomcat_common_lib_path'] =\
                 os.path.join(config.pki_master_dict['pki_tomcat_common_path'],
                              "lib")
+            config.pki_master_dict['pki_tomcat_tmpdir_path'] =\
+                os.path.join(config.pki_master_dict['pki_instance_path'],
+                             "temp")
             config.pki_master_dict['pki_tomcat_webapps_path'] =\
                 os.path.join(config.pki_master_dict['pki_instance_path'],
                              "webapps")
@@ -529,28 +588,43 @@ def compose_pki_master_dictionary():
                 os.path.join(
                     config.pki_master_dict['pki_tomcat_webapps_root_path'],
                     "WEB-INF")
-            config.pki_master_dict['pki_tomcat_webapps_webinf_path'] =\
-                os.path.join(config.pki_master_dict['pki_tomcat_webapps_path'],
-                             "WEB-INF")
-            config.pki_master_dict['pki_tomcat_webapps_webinf_classes_path'] =\
-                os.path.join(
-                    config.pki_master_dict['pki_tomcat_webapps_webinf_path'],
-                    "classes")
-            config.pki_master_dict['pki_tomcat_webapps_webinf_lib_path'] =\
-                os.path.join(
-                    config.pki_master_dict['pki_tomcat_webapps_webinf_path'],
-                    "lib")
             config.pki_master_dict['pki_tomcat_webapps_root_webinf_web_xml'] =\
                 os.path.join(
                     config.pki_master_dict\
                     ['pki_tomcat_webapps_root_webinf_path'],
                     "web.xml")
+            config.pki_master_dict['pki_tomcat_work_path'] =\
+                os.path.join(config.pki_master_dict['pki_instance_path'],
+                             "work")
+            config.pki_master_dict['pki_tomcat_work_catalina_path'] =\
+                os.path.join(config.pki_master_dict['pki_tomcat_work_path'],
+                             "Catalina")
+            config.pki_master_dict['pki_tomcat_work_catalina_host_path'] =\
+                os.path.join(
+                    config.pki_master_dict['pki_tomcat_work_catalina_path'],
+                    "localhost")
+            config.pki_master_dict['pki_tomcat_work_catalina_host_run_path'] =\
+                os.path.join(
+                    config.pki_master_dict\
+                    ['pki_tomcat_work_catalina_host_path'],
+                    "_")
+            config.pki_master_dict\
+            ['pki_tomcat_work_catalina_host_subsystem_path'] =\
+                os.path.join(
+                    config.pki_master_dict\
+                    ['pki_tomcat_work_catalina_host_path'],
+                    config.pki_master_dict['pki_subsystem'].lower())
             # Tomcat instance log name/value pairs
             # Tomcat instance configuration name/value pairs
+            config.pki_master_dict['pki_instance_log4j_properties'] =\
+                os.path.join(
+                    config.pki_master_dict['pki_instance_configuration_path'],
+                    "log4j.properties")
             # Tomcat instance registry name/value pairs
             config.pki_master_dict['pki_instance_type_registry_path'] =\
-                os.path.join(config.pki_master_dict['pki_registry_path'],
-                             "tomcat")
+                os.path.join(
+                    config.pki_master_dict['pki_registry_path'],
+                    config.pki_master_dict['pki_instance_type'].lower())
             config.pki_master_dict['pki_instance_registry_path'] =\
                 os.path.join(
                     config.pki_master_dict['pki_instance_type_registry_path'],
@@ -562,9 +636,205 @@ def compose_pki_master_dictionary():
             config.pki_master_dict['pki_tomcat_lib_link'] =\
                 os.path.join(config.pki_master_dict['pki_instance_path'],
                              "lib")
+            config.pki_master_dict['pki_tomcat_lib_log4j_properties_link'] =\
+                os.path.join(config.pki_master_dict['pki_tomcat_lib_path'],
+                             "log4j.properties")
             config.pki_master_dict['pki_instance_systemd_link'] =\
                 os.path.join(config.pki_master_dict['pki_instance_path'],
                              config.pki_master_dict['pki_instance_id'])
+            # Tomcat instance common lib jars
+            if config.pki_master_dict['pki_architecture'] == 64:
+                config.pki_master_dict['pki_jss_jar'] =\
+                    os.path.join("/usr/lib64/java",
+                                 "jss4.jar")
+                config.pki_master_dict['pki_symkey_jar'] =\
+                    os.path.join("/usr/lib64/java",
+                                 "symkey.jar")
+            else:
+                config.pki_master_dict['pki_jss_jar'] =\
+                    os.path.join("/usr/lib/java",
+                                 "jss4.jar")
+                config.pki_master_dict['pki_symkey_jar'] =\
+                    os.path.join("/usr/lib/java",
+                                 "symkey.jar")
+            config.pki_master_dict['pki_apache_commons_collections_jar'] =\
+                os.path.join(config.PKI_DEPLOYMENT_JAR_SOURCE_ROOT,
+                             "apache-commons-collections.jar")
+            config.pki_master_dict['pki_apache_commons_lang_jar'] =\
+                os.path.join(config.PKI_DEPLOYMENT_JAR_SOURCE_ROOT,
+                             "apache-commons-lang.jar")
+            config.pki_master_dict['pki_apache_commons_logging_jar'] =\
+                os.path.join(config.PKI_DEPLOYMENT_JAR_SOURCE_ROOT,
+                             "apache-commons-logging.jar")
+            config.pki_master_dict['pki_commons_codec_jar'] =\
+                os.path.join(config.PKI_DEPLOYMENT_JAR_SOURCE_ROOT,
+                             "commons-codec.jar")
+            config.pki_master_dict['pki_httpclient_jar'] =\
+                os.path.join(
+                    config.PKI_DEPLOYMENT_HTTPCOMPONENTS_JAR_SOURCE_ROOT,
+                    "httpclient.jar")
+            config.pki_master_dict['pki_javassist_jar'] =\
+                os.path.join(config.PKI_DEPLOYMENT_JAR_SOURCE_ROOT,
+                             "javassist.jar")
+            config.pki_master_dict['pki_resteasy_jaxrs_api_jar'] =\
+                os.path.join(config.PKI_DEPLOYMENT_RESTEASY_JAR_SOURCE_ROOT,
+                             "jaxrs-api.jar")
+            config.pki_master_dict['pki_jettison_jar'] =\
+                os.path.join(config.PKI_DEPLOYMENT_JAR_SOURCE_ROOT,
+                             "jettison.jar")
+            config.pki_master_dict['pki_ldapjdk_jar'] =\
+                os.path.join(config.PKI_DEPLOYMENT_JAR_SOURCE_ROOT,
+                             "ldapjdk.jar")
+            config.pki_master_dict['pki_certsrv_jar'] =\
+                os.path.join(config.PKI_DEPLOYMENT_PKI_JAR_SOURCE_ROOT,
+                             "pki-certsrv.jar")
+            config.pki_master_dict['pki_cmsbundle'] =\
+                os.path.join(config.PKI_DEPLOYMENT_PKI_JAR_SOURCE_ROOT,
+                             "pki-cmsbundle.jar")
+            config.pki_master_dict['pki_cmscore'] =\
+                os.path.join(config.PKI_DEPLOYMENT_PKI_JAR_SOURCE_ROOT,
+                             "pki-cmscore.jar")
+            config.pki_master_dict['pki_cms'] =\
+                os.path.join(config.PKI_DEPLOYMENT_PKI_JAR_SOURCE_ROOT,
+                             "pki-cms.jar")
+            config.pki_master_dict['pki_cmsutil'] =\
+                os.path.join(config.PKI_DEPLOYMENT_PKI_JAR_SOURCE_ROOT,
+                             "pki-cmsutil.jar")
+            config.pki_master_dict['pki_nsutil'] =\
+                os.path.join(config.PKI_DEPLOYMENT_PKI_JAR_SOURCE_ROOT,
+                             "pki-nsutil.jar")
+            config.pki_master_dict['pki_resteasy_jaxb_provider_jar'] =\
+                os.path.join(config.PKI_DEPLOYMENT_RESTEASY_JAR_SOURCE_ROOT,
+                             "resteasy-jaxb-provider.jar")
+            config.pki_master_dict['pki_resteasy_jaxrs_jar'] =\
+                os.path.join(config.PKI_DEPLOYMENT_RESTEASY_JAR_SOURCE_ROOT,
+                             "resteasy-jaxrs.jar")
+            config.pki_master_dict['pki_resteasy_jettison_provider_jar'] =\
+                os.path.join(config.PKI_DEPLOYMENT_RESTEASY_JAR_SOURCE_ROOT,
+                             "resteasy-jettison-provider.jar")
+            config.pki_master_dict['pki_scannotation_jar'] =\
+                os.path.join(config.PKI_DEPLOYMENT_JAR_SOURCE_ROOT,
+                             "scannotation.jar")
+            config.pki_master_dict['pki_tomcatjss_jar'] =\
+                os.path.join(config.PKI_DEPLOYMENT_JAR_SOURCE_ROOT,
+                             "tomcatjss.jar")
+            config.pki_master_dict['pki_velocity_jar'] =\
+                os.path.join(config.PKI_DEPLOYMENT_JAR_SOURCE_ROOT,
+                             "velocity.jar")
+            config.pki_master_dict['pki_xerces_j2_jar'] =\
+                os.path.join(config.PKI_DEPLOYMENT_JAR_SOURCE_ROOT,
+                             "xerces-j2.jar")
+            config.pki_master_dict['pki_xml_commons_apis_jar'] =\
+                os.path.join(config.PKI_DEPLOYMENT_JAR_SOURCE_ROOT,
+                             "xml-commons-apis.jar")
+            config.pki_master_dict['pki_xml_commons_resolver_jar'] =\
+                os.path.join(config.PKI_DEPLOYMENT_JAR_SOURCE_ROOT,
+                             "xml-commons-resolver.jar")
+            # Tomcat instance common lib jar symbolic links
+            config.pki_master_dict['pki_jss_jar_link'] =\
+                os.path.join(
+                    config.pki_master_dict['pki_tomcat_common_lib_path'],
+                    "jss4.jar")
+            config.pki_master_dict['pki_symkey_jar_link'] =\
+                os.path.join(
+                    config.pki_master_dict['pki_tomcat_common_lib_path'],
+                    "symkey.jar")
+            config.pki_master_dict['pki_apache_commons_collections_jar_link'] =\
+                os.path.join(
+                    config.pki_master_dict['pki_tomcat_common_lib_path'],
+                    "apache-commons-collections.jar")
+            config.pki_master_dict['pki_apache_commons_lang_jar_link'] =\
+                os.path.join(
+                    config.pki_master_dict['pki_tomcat_common_lib_path'],
+                    "apache-commons-lang.jar")
+            config.pki_master_dict['pki_apache_commons_logging_jar_link'] =\
+                os.path.join(
+                    config.pki_master_dict['pki_tomcat_common_lib_path'],
+                    "apache-commons-logging.jar")
+            config.pki_master_dict['pki_commons_codec_jar_link'] =\
+                os.path.join(
+                    config.pki_master_dict['pki_tomcat_common_lib_path'],
+                    "apache-commons-codec.jar")
+            config.pki_master_dict['pki_httpclient_jar_link'] =\
+                os.path.join(
+                    config.pki_master_dict['pki_tomcat_common_lib_path'],
+                    "httpclient.jar")
+            config.pki_master_dict['pki_javassist_jar_link'] =\
+                os.path.join(
+                    config.pki_master_dict['pki_tomcat_common_lib_path'],
+                    "javassist.jar")
+            config.pki_master_dict['pki_resteasy_jaxrs_api_jar_link'] =\
+                os.path.join(
+                    config.pki_master_dict['pki_tomcat_common_lib_path'],
+                    "jaxrs-api.jar")
+            config.pki_master_dict['pki_jettison_jar_link'] =\
+                os.path.join(
+                    config.pki_master_dict['pki_tomcat_common_lib_path'],
+                    "jettison.jar")
+            config.pki_master_dict['pki_ldapjdk_jar_link'] =\
+                os.path.join(
+                    config.pki_master_dict['pki_tomcat_common_lib_path'],
+                    "ldapjdk.jar")
+            config.pki_master_dict['pki_certsrv_jar_link'] =\
+                os.path.join(
+                    config.pki_master_dict['pki_tomcat_common_lib_path'],
+                    "pki-certsrv.jar")
+            config.pki_master_dict['pki_cmsbundle_jar_link'] =\
+                os.path.join(
+                    config.pki_master_dict['pki_tomcat_common_lib_path'],
+                    "pki-cmsbundle.jar")
+            config.pki_master_dict['pki_cmscore_jar_link'] =\
+                os.path.join(
+                    config.pki_master_dict['pki_tomcat_common_lib_path'],
+                    "pki-cmscore.jar")
+            config.pki_master_dict['pki_cms_jar_link'] =\
+                os.path.join(
+                    config.pki_master_dict['pki_tomcat_common_lib_path'],
+                    "pki-cms.jar")
+            config.pki_master_dict['pki_cmsutil_jar_link'] =\
+                os.path.join(
+                    config.pki_master_dict['pki_tomcat_common_lib_path'],
+                    "pki-cmsutil.jar")
+            config.pki_master_dict['pki_nsutil_jar_link'] =\
+                os.path.join(
+                    config.pki_master_dict['pki_tomcat_common_lib_path'],
+                    "pki-nsutil.jar")
+            config.pki_master_dict['pki_resteasy_jaxb_provider_jar_link'] =\
+                os.path.join(
+                    config.pki_master_dict['pki_tomcat_common_lib_path'],
+                    "resteasy-jaxb-provider.jar")
+            config.pki_master_dict['pki_resteasy_jaxrs_jar_link'] =\
+                os.path.join(
+                    config.pki_master_dict['pki_tomcat_common_lib_path'],
+                    "resteasy-jaxrs.jar")
+            config.pki_master_dict['pki_resteasy_jettison_provider_jar_link'] =\
+                os.path.join(
+                    config.pki_master_dict['pki_tomcat_common_lib_path'],
+                    "resteasy-jettison-provider.jar")
+            config.pki_master_dict['pki_scannotation_jar_link'] =\
+                os.path.join(
+                    config.pki_master_dict['pki_tomcat_common_lib_path'],
+                    "scannotation.jar")
+            config.pki_master_dict['pki_tomcatjss_jar_link'] =\
+                os.path.join(
+                    config.pki_master_dict['pki_tomcat_common_lib_path'],
+                    "tomcatjss.jar")
+            config.pki_master_dict['pki_velocity_jar_link'] =\
+                os.path.join(
+                    config.pki_master_dict['pki_tomcat_common_lib_path'],
+                    "velocity.jar")
+            config.pki_master_dict['pki_xerces_j2_jar_link'] =\
+                os.path.join(
+                    config.pki_master_dict['pki_tomcat_common_lib_path'],
+                    "xerces-j2.jar")
+            config.pki_master_dict['pki_xml_commons_apis_jar_link'] =\
+                os.path.join(
+                    config.pki_master_dict['pki_tomcat_common_lib_path'],
+                    "xml-commons-apis.jar")
+            config.pki_master_dict['pki_xml_commons_resolver_jar_link'] =\
+                os.path.join(
+                    config.pki_master_dict['pki_tomcat_common_lib_path'],
+                    "xml-commons-resolver.jar")
         # Instance layout NSS security database name/value pairs
         config.pki_master_dict['pki_database_path'] =\
             os.path.join(
@@ -612,9 +882,6 @@ def compose_pki_master_dictionary():
         elif config.pki_master_dict['pki_subsystem'] in\
              config.PKI_TOMCAT_SUBSYSTEMS:
             # Instance-based Tomcat PKI subsystem base name/value pairs
-            config.pki_master_dict['pki_tomcat_webapps_subsystem_path'] =\
-                os.path.join(config.pki_master_dict['pki_tomcat_webapps_path'],
-                             config.pki_master_dict['pki_subsystem'].lower())
             if config.pki_master_dict['pki_subsystem'] == "CA":
                 config.pki_master_dict['pki_subsystem_emails_path'] =\
                 os.path.join(config.pki_master_dict['pki_subsystem_path'],
@@ -632,18 +899,6 @@ def compose_pki_master_dictionary():
             config.pki_master_dict['pki_subsystem_tomcat_webapps_link'] =\
                 os.path.join(config.pki_master_dict['pki_subsystem_path'],
                              "webapps")
-            config.pki_master_dict\
-            ['pki_tomcat_webapps_subsystem_webinf_classes_link'] =\
-                os.path.join(
-                    config.pki_master_dict['pki_tomcat_webapps_subsystem_path'],
-                    "WEB-INF",
-                    "classes")
-            config.pki_master_dict\
-            ['pki_tomcat_webapps_subsystem_webinf_lib_link'] =\
-                os.path.join(
-                    config.pki_master_dict['pki_tomcat_webapps_subsystem_path'],
-                    "WEB-INF",
-                    "lib")
         # Instance-based Apache/Tomcat PKI subsystem convenience symbolic links
         config.pki_master_dict['pki_subsystem_database_link'] =\
             os.path.join(config.pki_master_dict['pki_subsystem_path'],
@@ -654,6 +909,78 @@ def compose_pki_master_dictionary():
         config.pki_master_dict['pki_subsystem_logs_link'] =\
             os.path.join(config.pki_master_dict['pki_subsystem_path'],
                          "logs")
+        # PKI Target (war file) name/value pairs
+        if config.pki_master_dict['pki_subsystem'] in\
+           config.PKI_TOMCAT_SUBSYSTEMS:
+            # Tomcat PKI subsystem war file base name/value pairs
+            config.pki_master_dict['pki_tomcat_webapps_subsystem_path'] =\
+                os.path.join(config.pki_master_dict['pki_tomcat_webapps_path'],
+                             config.pki_master_dict['pki_subsystem'].lower())
+            config.pki_master_dict\
+            ['pki_tomcat_webapps_subsystem_webinf_classes_path'] =\
+                os.path.join(
+                    config.pki_master_dict['pki_tomcat_webapps_subsystem_path'],
+                    "WEB-INF",
+                    "classes")
+            config.pki_master_dict\
+            ['pki_tomcat_webapps_subsystem_webinf_lib_path'] =\
+                os.path.join(
+                    config.pki_master_dict['pki_tomcat_webapps_subsystem_path'],
+                    "WEB-INF",
+                    "lib")
+            # Tomcat PKI subsystem war file convenience symbolic links
+            if config.pki_master_dict['pki_subsystem'] == "CA":
+                config.pki_master_dict['pki_ca_jar'] =\
+                    os.path.join(config.PKI_DEPLOYMENT_PKI_JAR_SOURCE_ROOT,
+                                 "pki-ca.jar")
+                # config.pki_master_dict['pki_ca_jar_link'] =\
+                #     os.path.join(
+                #         config.pki_master_dict\
+                #         ['pki_tomcat_webapps_subsystem_webinf_lib_path'],
+                #         "pki-ca.jar")
+                config.pki_master_dict['pki_ca_jar_link'] =\
+                    os.path.join(
+                        config.pki_master_dict['pki_tomcat_common_lib_path'],
+                        "pki-ca.jar")
+            elif config.pki_master_dict['pki_subsystem'] == "KRA":
+                config.pki_master_dict['pki_kra_jar'] =\
+                    os.path.join(config.PKI_DEPLOYMENT_PKI_JAR_SOURCE_ROOT,
+                                 "pki-kra.jar")
+                # config.pki_master_dict['pki_kra_jar_link'] =\
+                #     os.path.join(
+                #         config.pki_master_dict\
+                #         ['pki_tomcat_webapps_subsystem_webinf_lib_path'],
+                #         "pki-kra.jar")
+                config.pki_master_dict['pki_kra_jar_link'] =\
+                    os.path.join(
+                        config.pki_master_dict['pki_tomcat_common_lib_path'],
+                        "pki-kra.jar")
+            elif config.pki_master_dict['pki_subsystem'] == "OCSP":
+                config.pki_master_dict['pki_ocsp_jar'] =\
+                    os.path.join(config.PKI_DEPLOYMENT_PKI_JAR_SOURCE_ROOT,
+                                 "pki-ocsp.jar")
+                # config.pki_master_dict['pki_ocsp_jar_link'] =\
+                #     os.path.join(
+                #         config.pki_master_dict\
+                #         ['pki_tomcat_webapps_subsystem_webinf_lib_path'],
+                #         "pki-ocsp.jar")
+                config.pki_master_dict['pki_ocsp_jar_link'] =\
+                    os.path.join(
+                        config.pki_master_dict['pki_tomcat_common_lib_path'],
+                        "pki-ocsp.jar")
+            elif config.pki_master_dict['pki_subsystem'] == "TKS":
+                config.pki_master_dict['pki_tks_jar'] =\
+                    os.path.join(config.PKI_DEPLOYMENT_PKI_JAR_SOURCE_ROOT,
+                                 "pki-tks.jar")
+                # config.pki_master_dict['pki_tks_jar_link'] =\
+                #     os.path.join(
+                #         config.pki_master_dict\
+                #         ['pki_tomcat_webapps_subsystem_webinf_lib_path'],
+                #         "pki-tks.jar")
+                config.pki_master_dict['pki_tks_jar_link'] =\
+                    os.path.join(
+                        config.pki_master_dict['pki_tomcat_common_lib_path'],
+                        "pki-tks.jar")
         # PKI Target (slot substitution) name/value pairs
         config.pki_master_dict['pki_target_cs_cfg'] =\
             os.path.join(
@@ -699,12 +1026,50 @@ def compose_pki_master_dictionary():
                     config.pki_master_dict['pki_tomcat_webapps_subsystem_path'],
                     "WEB-INF",
                     "web.xml")
+            config.pki_master_dict['pki_target_subsystem_web_xml_orig'] =\
+                os.path.join(
+                    config.pki_master_dict['pki_tomcat_webapps_subsystem_path'],
+                    "WEB-INF",
+                    "web.xml.orig")
             # subystem-specific slot substitution name/value pairs
             if config.pki_master_dict['pki_subsystem'] == "CA":
+                config.pki_master_dict['pki_target_flatfile_txt'] =\
+                    os.path.join(config.pki_master_dict\
+                                 ['pki_subsystem_configuration_path'],
+                                 "flatfile.txt")
                 config.pki_master_dict['pki_target_proxy_conf'] =\
                     os.path.join(config.pki_master_dict\
                                  ['pki_subsystem_configuration_path'],
                                  "proxy.conf")
+                config.pki_master_dict['pki_target_registry_cfg'] =\
+                    os.path.join(config.pki_master_dict\
+                                 ['pki_subsystem_configuration_path'],
+                                 "registry.cfg")
+                # '*.profile'
+                config.pki_master_dict['pki_target_admincert_profile'] =\
+                    os.path.join(config.pki_master_dict\
+                                 ['pki_subsystem_configuration_path'],
+                                 "adminCert.profile")
+                config.pki_master_dict['pki_target_caauditsigningcert_profile']\
+                    = os.path.join(config.pki_master_dict\
+                                   ['pki_subsystem_configuration_path'],
+                                   "caAuditSigningCert.profile")
+                config.pki_master_dict['pki_target_cacert_profile'] =\
+                    os.path.join(config.pki_master_dict\
+                                 ['pki_subsystem_configuration_path'],
+                                 "caCert.profile")
+                config.pki_master_dict['pki_target_caocspcert_profile'] =\
+                    os.path.join(config.pki_master_dict\
+                                 ['pki_subsystem_configuration_path'],
+                                 "caOCSPCert.profile")
+                config.pki_master_dict['pki_target_servercert_profile'] =\
+                    os.path.join(config.pki_master_dict\
+                                 ['pki_subsystem_configuration_path'],
+                                 "serverCert.profile")
+                config.pki_master_dict['pki_target_subsystemcert_profile'] =\
+                    os.path.join(config.pki_master_dict\
+                                 ['pki_subsystem_configuration_path'],
+                                 "subsystemCert.profile")
                 # in-place slot substitution name/value pairs
                 config.pki_master_dict['pki_target_profileselect_template'] =\
                     os.path.join(
@@ -713,6 +1078,24 @@ def compose_pki_master_dictionary():
                         "ee",
                         config.pki_master_dict['pki_subsystem'].lower(),
                         "ProfileSelect.template")
+            elif config.pki_master_dict['pki_subsystem'] == "KRA":
+                # '*.profile'
+                config.pki_master_dict['pki_target_servercert_profile'] =\
+                    os.path.join(config.pki_master_dict\
+                                 ['pki_subsystem_configuration_path'],
+                                 "serverCert.profile")
+                config.pki_master_dict['pki_target_storagecert_profile'] =\
+                    os.path.join(config.pki_master_dict\
+                                 ['pki_subsystem_configuration_path'],
+                                 "storageCert.profile")
+                config.pki_master_dict['pki_target_subsystemcert_profile'] =\
+                    os.path.join(config.pki_master_dict\
+                                 ['pki_subsystem_configuration_path'],
+                                 "subsystemCert.profile")
+                config.pki_master_dict['pki_target_transportcert_profile'] =\
+                    os.path.join(config.pki_master_dict\
+                                 ['pki_subsystem_configuration_path'],
+                                 "transportCert.profile")
         # Slot assignment name/value pairs
         #     NOTE:  Master key == Slots key; Master value ==> Slots value
         config.pki_master_dict['PKI_INSTANCE_ID_SLOT'] =\
@@ -830,6 +1213,8 @@ def compose_pki_master_dictionary():
                              "tomcat")
             config.pki_master_dict['PKI_PROXY_SECURE_PORT_SLOT'] =\
                 config.pki_master_dict['pki_proxy_https_port']
+            config.pki_master_dict['PKI_TMPDIR_SLOT'] =\
+                config.pki_master_dict['pki_tomcat_tmpdir_path']
             config.pki_master_dict['PKI_PROXY_UNSECURE_PORT_SLOT'] =\
                 config.pki_master_dict['pki_proxy_http_port']
             config.pki_master_dict['PKI_RANDOM_NUMBER_SLOT'] =\
@@ -846,6 +1231,8 @@ def compose_pki_master_dictionary():
                 config.pki_master_dict['pki_security_manager']
             config.pki_master_dict['PKI_SERVER_XML_CONF_SLOT'] =\
                 config.pki_master_dict['pki_target_server_xml']
+            config.pki_master_dict['PKI_SUBSYSTEM_DIR_SLOT'] =\
+                config.pki_master_dict['pki_subsystem'].lower() + "/"
             config.pki_master_dict['PKI_SUBSYSTEM_TYPE_SLOT'] =\
                 config.pki_master_dict['pki_subsystem'].lower()
             config.pki_master_dict['PKI_SYSTEMD_SERVICENAME_SLOT'] =\
@@ -924,6 +1311,10 @@ def compose_pki_master_dictionary():
                 "+TLS_DHE_RSA_WITH_AES_128_CBC_SHA," +\
                 "+TLS_DHE_RSA_WITH_AES_256_CBC_SHA"
         # Shared Apache/Tomcat NSS security database name/value pairs
+        config.pki_master_dict['pki_shared_pfile'] =\
+            os.path.join(
+                config.pki_master_dict['pki_instance_configuration_path'],
+                "pfile")
         config.pki_master_dict['pki_shared_password_conf'] =\
             os.path.join(
                 config.pki_master_dict['pki_instance_configuration_path'],
@@ -941,13 +1332,13 @@ def compose_pki_master_dictionary():
         config.pki_master_dict['pki_self_signed_nickname'] =\
             "Server-Cert cert-" + config.pki_master_dict['pki_instance_id']
         config.pki_master_dict['pki_self_signed_subject'] =\
-            "CN=" + config.pki_master_dict['pki_hostname'] + "," +\
-            "O=" + config.pki_master_dict['pki_certificate_timestamp']
+            "cn=" + config.pki_master_dict['pki_hostname'] + "," +\
+            "o=" + config.pki_master_dict['pki_certificate_timestamp']
         config.pki_master_dict['pki_self_signed_serial_number'] = 0
         config.pki_master_dict['pki_self_signed_validity_period'] = 12
         config.pki_master_dict['pki_self_signed_issuer_name'] =\
-            "CN=" + config.pki_master_dict['pki_hostname'] + "," +\
-            "O=" + config.pki_master_dict['pki_certificate_timestamp']
+            "cn=" + config.pki_master_dict['pki_hostname'] + "," +\
+            "o=" + config.pki_master_dict['pki_certificate_timestamp']
         config.pki_master_dict['pki_self_signed_trustargs'] = "CTu,CTu,CTu"
         config.pki_master_dict['pki_self_signed_noise_file'] =\
             os.path.join(
@@ -992,10 +1383,778 @@ def compose_pki_master_dictionary():
                          "pki",
                          "deployment",
                          "configuration.jy")
+        config.pki_master_dict['pki_jython_base_uri'] =\
+            "https" + "://" + config.pki_master_dict['pki_hostname'] + ":" +\
+            config.pki_master_dict['pki_https_port'] + "/" +\
+            config.pki_master_dict['pki_subsystem'].lower() + "/" + "pki"
+        # Jython scriptlet
+        # 'Security Domain' Configuration name/value pairs
+        #
+        #     Apache - [RA], [TPS]
+        #     Tomcat - [CA], [KRA], [OCSP], [TKS]
+        #            - [CA Clone], [KRA Clone], [OCSP Clone], [TKS Clone]
+        #            - [External CA]
+        #            - [Subordinate CA]
+        #
+        #     The following variables are defined below:
+        #
+        #         config.pki_master_dict['pki_security_domain_type']
+        #         config.pki_master_dict['pki_security_domain_uri']
+        #
+        #     The following variables are established via the specified PKI
+        #     deployment configuration file and are NOT redefined below:
+        #
+        #         config.pki_master_dict['pki_security_domain_https_port']
+        #         config.pki_master_dict['pki_security_domain_password']
+        #         config.pki_master_dict['pki_security_domain_user']
+        #
+        #     The following variables are established via the specified PKI
+        #     deployment configuration file and potentially overridden below:
+        #
+        #         config.pki_master_dict['pki_security_domain_hostname']
+        #         config.pki_master_dict['pki_security_domain_name']
+        #
+        if config.pki_subsystem in config.PKI_TOMCAT_SUBSYSTEMS:
+            if config.pki_subsystem == "CA":
+                if config.str2bool(config.pki_master_dict['pki_external']):
+                    # External CA
+                    config.pki_master_dict['pki_security_domain_type'] = "new"
+                    if not len(config.pki_master_dict\
+                               ['pki_security_domain_name']):
+                        config.pki_master_dict['pki_security_domain_name'] =\
+                            "External CA Security Domain"
+                elif not config.str2bool(config.pki_master_dict['pki_clone'])\
+                     and not\
+                     config.str2bool(config.pki_master_dict['pki_subordinate']):
+                    # PKI CA
+                    config.pki_master_dict['pki_security_domain_type'] = "new"
+                    if not len(config.pki_master_dict\
+                               ['pki_security_domain_name']):
+                        config.pki_master_dict['pki_security_domain_name'] =\
+                            config.pki_master_dict['pki_dns_domainname'] +\
+                            " " + "Security Domain"
+                else:
+                    # PKI Cloned or Subordinate CA
+                    config.pki_master_dict['pki_security_domain_type'] =\
+                        "existing"
+                    if not len(config.pki_master_dict\
+                               ['pki_security_domain_hostname']):
+                        # Guess that it is the local host
+                        config.pki_master_dict['pki_security_domain_hostname']\
+                            = config.pki_master_dict['pki_hostname']
+                    config.pki_master_dict['pki_security_domain_uri'] =\
+                        "https" + "://" +\
+                        config.pki_master_dict['pki_security_domain_hostname']\
+                        + ":" + config.pki_security_domain_https_port
+            else:
+                # PKI KRA, OCSP, or TKS
+                config.pki_master_dict['pki_security_domain_type'] = "existing"
+                if not len(config.pki_master_dict\
+                           ['pki_security_domain_hostname']):
+                    # Guess that it is the local host
+                    config.pki_master_dict['pki_security_domain_hostname'] =\
+                        config.pki_master_dict['pki_hostname']
+                config.pki_master_dict['pki_security_domain_uri'] =\
+                    "https" + "://" +\
+                    config.pki_master_dict['pki_security_domain_hostname'] +\
+                    ":" +\
+                    config.pki_master_dict['pki_security_domain_https_port']
+        # Jython scriptlet
+        # 'Directory Server' Configuration name/value pairs
+        #
+        #     Apache - [TPS]
+        #     Tomcat - [CA], [KRA], [OCSP], [TKS]
+        #            - [CA Clone], [KRA Clone], [OCSP Clone], [TKS Clone]
+        #            - [External CA]
+        #            - [Subordinate CA]
+        #
+        #     The following variables are established via the specified PKI
+        #     deployment configuration file and are NOT redefined below:
+        #
+        #         config.pki_master_dict['pki_ds_bind_dn']
+        #         config.pki_master_dict['pki_ds_http_port']
+        #         config.pki_master_dict['pki_ds_https_port']
+        #         config.pki_master_dict['pki_ds_password']
+        #         config.pki_master_dict['pki_ds_remove_data']
+        #         config.pki_master_dict['pki_ds_secure_connection']
+        #
+        #     The following variables are established via the specified PKI
+        #     deployment configuration file and potentially overridden below:
+        #
+        #         config.pki_master_dict['pki_ds_base_dn']
+        #         config.pki_master_dict['pki_ds_database']
+        #         config.pki_master_dict['pki_ds_hostname']
+        #
+        if not len(config.pki_master_dict['pki_ds_base_dn']):
+            config.pki_master_dict['pki_ds_base_dn'] =\
+                "o=" + config.pki_master_dict['pki_instance_id']
+        if not len(config.pki_master_dict['pki_ds_database']):
+            config.pki_master_dict['pki_ds_database'] =\
+                "o=" + config.pki_master_dict['pki_instance_id']
+        if not len(config.pki_master_dict['pki_ds_hostname']):
+            # Guess that the Directory Server resides on the local host
+            config.pki_master_dict['pki_ds_hostname'] =\
+                config.pki_master_dict['pki_hostname']
+        # Jython scriptlet
+        # 'Backup' Configuration name/value pairs
+        #
+        #     Apache - [RA], [TPS]
+        #     Tomcat - [CA], [KRA], [OCSP], [TKS]
+        #            - [External CA]
+        #            - [Subordinate CA]
+        #
+        #     The following variables are established via the specified PKI
+        #     deployment configuration file and are NOT redefined below:
+        #
+        #        config.pki_master_dict['pki_backup_keys']
+        #        config.pki_master_dict['pki_backup_password']
+        #
+        #     The following variables are established via the specified PKI
+        #     deployment configuration file and potentially overridden below:
+        #
+        #        config.pki_master_dict['pki_backup_file']
+        #
+        if config.str2bool(config.pki_master_dict['pki_backup_keys']):
+            if not len(config.pki_master_dict['pki_backup_file']):
+                if config.pki_subsystem in config.PKI_TOMCAT_SUBSYSTEMS:
+                    if not config.str2bool(config.pki_master_dict['pki_clone']):
+                        if config.pki_master_dict['pki_subsystem'] == "CA":
+                            if config.str2bool(
+                                   config.pki_master_dict['pki_external']):
+                                # External CA
+                                config.pki_master_dict['pki_backup_file'] =\
+                                    "/tmp" + "/" + "externalca.p12" + "." +\
+                                    config.pki_master_dict['pki_timestamp']
+                            elif config.str2bool(
+                                     config.pki_master_dict['pki_subordinate']):
+                                # Subordinate CA
+                                config.pki_master_dict['pki_backup_file'] =\
+                                    "/tmp" + "/" + "subca.p12" + "." +\
+                                    config.pki_master_dict['pki_timestamp']
+                            else:
+                                # PKI CA
+                                config.pki_master_dict['pki_backup_file'] =\
+                                    "/tmp" + "/" + "ca.p12" + "." +\
+                                    config.pki_master_dict['pki_timestamp']
+                        elif config.pki_master_dict['pki_subsystem'] == "KRA":
+                            # PKI KRA
+                            config.pki_master_dict['pki_backup_file'] =\
+                                "/tmp" + "/" + "kra.p12" + "." +\
+                                config.pki_master_dict['pki_timestamp']
+                        elif config.pki_master_dict['pki_subsystem'] == "OCSP":
+                            # PKI OCSP
+                            config.pki_master_dict['pki_backup_file'] =\
+                                "/tmp" + "/" + "ocsp.p12" + "." +\
+                                config.pki_master_dict['pki_timestamp']
+                        elif config.pki_master_dict['pki_subsystem'] == "TKS":
+                            # PKI TKS
+                            config.pki_master_dict['pki_backup_file'] =\
+                                "/tmp" + "/" + "tks.p12" + "." +\
+                                config.pki_master_dict['pki_timestamp']
+        # Jython scriptlet
+        # 'Admin Certificate' Configuration name/value pairs
+        #
+        #     Apache - [RA], [TPS]
+        #     Tomcat - [CA], [KRA], [OCSP], [TKS]
+        #            - [External CA]
+        #            - [Subordinate CA]
+        #
+        #     The following variables are established via the specified PKI
+        #     deployment configuration file and are NOT redefined below:
+        #
+        #         config.pki_master_dict['pki_admin_cert_request_type']
+        #         config.pki_master_dict['pki_admin_dualkey']
+        #         config.pki_master_dict['pki_admin_keysize']
+        #         config.pki_master_dict['pki_admin_name']
+        #         config.pki_master_dict['pki_admin_password']
+        #         config.pki_master_dict['pki_admin_uid']
+        #
+        #     The following variables are established via the specified PKI
+        #     deployment configuration file and potentially overridden below:
+        #
+        #         config.pki_master_dict['pki_admin_email']
+        #         config.pki_master_dict['pki_admin_subject_dn']
+        #
+        config.pki_master_dict['pki_admin_profile_id'] = "caAdminCert"
+        if not len(config.pki_master_dict['pki_admin_email']):
+            config.pki_master_dict['pki_admin_email'] =\
+                config.pki_master_dict['pki_admin_name'] + "@" +\
+                config.pki_master_dict['pki_dns_domainname']
+        if not len(config.pki_master_dict['pki_admin_subject_dn']):
+            if config.pki_subsystem in config.PKI_APACHE_SUBSYSTEMS:
+                if config.pki_master_dict['pki_subsystem'] == "RA":
+                    # PKI RA
+                    config.pki_master_dict['pki_admin_subject_dn'] =\
+                        "cn=" + "RA Administrator" + "," +\
+                        "uid=" + config.pki_master_dict['pki_admin_uid'] +\
+                        "," + "e=" +\
+                        config.pki_master_dict['pki_admin_email'] +\
+                        "," + "o=" +\
+                        config.pki_master_dict['pki_security_domain_name']
+                elif config.pki_master_dict['pki_subsystem'] == "TPS":
+                    # PKI TPS
+                    config.pki_master_dict['pki_admin_subject_dn'] =\
+                        "cn=" + "TPS Administrator" + "," +\
+                        "uid=" + config.pki_master_dict['pki_admin_uid'] +\
+                        "," + "e=" +\
+                        config.pki_master_dict['pki_admin_email'] +\
+                        "," + "o=" +\
+                        config.pki_master_dict['pki_security_domain_name']
+            elif config.pki_subsystem in config.PKI_TOMCAT_SUBSYSTEMS:
+                if not config.str2bool(config.pki_master_dict['pki_clone']):
+                    if config.pki_master_dict['pki_subsystem'] == "CA":
+                        # PKI CA, Subordinate CA, or External CA
+                        config.pki_master_dict['pki_admin_subject_dn'] =\
+                            "cn=" + "CA Administrator of Instance" + " " +\
+                            config.pki_master_dict['pki_instance_id'] + "," +\
+                            "uid=" + config.pki_master_dict['pki_admin_uid'] +\
+                            "," + "e=" +\
+                            config.pki_master_dict['pki_admin_email'] +\
+                            "," + "o=" +\
+                            config.pki_master_dict['pki_security_domain_name']
+                    elif config.pki_master_dict['pki_subsystem'] == "KRA":
+                        # PKI KRA
+                        config.pki_master_dict['pki_admin_subject_dn'] =\
+                            "cn=" + "KRA Administrator of Instance" + " " +\
+                            config.pki_master_dict['pki_instance_id'] + "," +\
+                            "uid=" + config.pki_master_dict['pki_admin_uid'] +\
+                            "," + "e=" +\
+                            config.pki_master_dict['pki_admin_email'] +\
+                            "," + "o=" +\
+                            config.pki_master_dict['pki_security_domain_name']
+                    elif config.pki_master_dict['pki_subsystem'] == "OCSP":
+                        # PKI OCSP
+                        config.pki_master_dict['pki_admin_subject_dn'] =\
+                            "cn=" + "OCSP Administrator of Instance" + " " +\
+                            config.pki_master_dict['pki_instance_id'] + "," +\
+                            "uid=" + config.pki_master_dict['pki_admin_uid'] +\
+                            "," + "e=" +\
+                            config.pki_master_dict['pki_admin_email'] +\
+                            "," + "o=" +\
+                            config.pki_master_dict['pki_security_domain_name']
+                    elif config.pki_master_dict['pki_subsystem'] == "TKS":
+                        # PKI TKS
+                        config.pki_master_dict['pki_admin_subject_dn'] =\
+                            "cn=" + "TKS Administrator of Instance" + " " +\
+                            config.pki_master_dict['pki_instance_id'] + "," +\
+                            "uid=" + config.pki_master_dict['pki_admin_uid'] +\
+                            "," + "e=" +\
+                            config.pki_master_dict['pki_admin_email'] +\
+                            "," + "o=" +\
+                            config.pki_master_dict['pki_security_domain_name']
+        # Jython scriptlet
+        # 'CA Signing Certificate' Configuration name/value pairs
+        #
+        #     Tomcat - [CA]
+        #            - [External CA]
+        #            - [Subordinate CA]
+        #
+        #     The following variables are defined below:
+        #
+        #         config.pki_master_dict['pki_ca_signing_tag']
+        #
+        #     The following variables are established via the specified PKI
+        #     deployment configuration file and are NOT redefined below:
+        #
+        #         config.pki_master_dict['pki_ca_signing_key_algorithm']
+        #         config.pki_master_dict['pki_ca_signing_key_size']
+        #         config.pki_master_dict['pki_ca_signing_key_type']
+        #         config.pki_master_dict['pki_ca_signing_signing_algorithm']
+        #
+        #     The following variables are established via the specified PKI
+        #     deployment configuration file and potentially overridden below:
+        #
+        #         config.pki_master_dict['pki_ca_signing_nickname']
+        #         config.pki_master_dict['pki_ca_signing_subject_dn']
+        #         config.pki_master_dict['pki_ca_signing_token']
+        #
+        if config.pki_subsystem in config.PKI_TOMCAT_SUBSYSTEMS:
+            if not config.str2bool(config.pki_master_dict['pki_clone']):
+                if config.pki_master_dict['pki_subsystem'] == "CA":
+                    # config.pki_master_dict['pki_ca_signing_nickname']
+                    if not len(config.pki_master_dict\
+                               ['pki_ca_signing_nickname']):
+                        config.pki_master_dict['pki_ca_signing_nickname'] =\
+                            "caSigningCert" + " " + "cert-" +\
+                            config.pki_master_dict['pki_instance_id']
+                    # config.pki_master_dict['pki_ca_signing_subject_dn']
+                    if config.str2bool(config.pki_master_dict['pki_external']):
+                        # External CA
+                        if not len(config.pki_master_dict\
+                                   ['pki_ca_signing_subject_dn']):
+                            config.pki_master_dict['pki_ca_signing_subject_dn']\
+                                =  "cn=" + "External CA Signing Certificate" +\
+                                   "," + "o=" +\
+                                   config.pki_master_dict\
+                                   ['pki_security_domain_name']
+                    elif config.str2bool(
+                             config.pki_master_dict['pki_subordinate']):
+                        # Subordinate CA
+                        if not len(config.pki_master_dict\
+                                   ['pki_ca_signing_subject_dn']):
+                            config.pki_master_dict['pki_ca_signing_subject_dn']\
+                                =  "cn=" + "SubCA Signing Certificate" +\
+                                   "," + "o=" +\
+                                   config.pki_master_dict\
+                                   ['pki_security_domain_name']
+                    else:
+                        # PKI CA
+                        if not len(config.pki_master_dict\
+                                   ['pki_ca_signing_subject_dn']):
+                            config.pki_master_dict['pki_ca_signing_subject_dn']\
+                                =  "cn=" + "CA Signing Certificate" +\
+                                   "," + "o=" +\
+                                   config.pki_master_dict\
+                                   ['pki_security_domain_name']
+                    # config.pki_master_dict['pki_ca_signing_tag']
+                    config.pki_master_dict['pki_ca_signing_tag'] =\
+                        "signing"
+                    # config.pki_master_dict['pki_ca_signing_token']
+                    if not len(config.pki_master_dict['pki_ca_signing_token']):
+                        config.pki_master_dict['pki_ca_signing_token'] =\
+                            "Internal Key Storage Token"
+        # Jython scriptlet
+        # 'OCSP Signing Certificate' Configuration name/value pairs
+        #
+        #     Tomcat - [CA], [OCSP]
+        #            - [External CA]
+        #            - [Subordinate CA]
+        #
+        #     The following variables are defined below:
+        #
+        #         config.pki_master_dict['pki_ocsp_signing_tag']
+        #
+        #     The following variables are established via the specified PKI
+        #     deployment configuration file and are NOT redefined below:
+        #
+        #         config.pki_master_dict['pki_ocsp_signing_key_algorithm']
+        #         config.pki_master_dict['pki_ocsp_signing_key_size']
+        #         config.pki_master_dict['pki_ocsp_signing_key_type']
+        #         config.pki_master_dict['pki_ocsp_signing_signing_algorithm']
+        #
+        #     The following variables are established via the specified PKI
+        #     deployment configuration file and potentially overridden below:
+        #
+        #         config.pki_master_dict['pki_ocsp_signing_nickname']
+        #         config.pki_master_dict['pki_ocsp_signing_subject_dn']
+        #         config.pki_master_dict['pki_ocsp_signing_token']
+        #
+        if config.pki_subsystem in config.PKI_TOMCAT_SUBSYSTEMS:
+            if not config.str2bool(config.pki_master_dict['pki_clone']):
+                if config.pki_master_dict['pki_subsystem'] == "CA":
+                    if not len(config.pki_master_dict\
+                               ['pki_ocsp_signing_nickname']):
+                        config.pki_master_dict['pki_ocsp_signing_nickname'] =\
+                            "ocspSigningCert" + " " + "cert-" +\
+                            config.pki_master_dict['pki_instance_id']
+                    if config.str2bool(config.pki_master_dict['pki_external']):
+                        # External CA
+                        if not len(config.pki_master_dict\
+                                   ['pki_ocsp_signing_subject_dn']):
+                            config.pki_master_dict\
+                            ['pki_ocsp_signing_subject_dn'] =\
+                                "cn=" + "External CA OCSP Signing Certificate"\
+                                + "," + "o=" +\
+                                config.pki_master_dict\
+                                ['pki_security_domain_name']
+                    elif config.str2bool(
+                             config.pki_master_dict['pki_subordinate']):
+                        # Subordinate CA
+                        if not len(config.pki_master_dict\
+                                   ['pki_ocsp_signing_subject_dn']):
+                            config.pki_master_dict\
+                            ['pki_ocsp_signing_subject_dn'] =\
+                                "cn=" + "SubCA OCSP Signing Certificate"\
+                                + "," + "o=" +\
+                                config.pki_master_dict\
+                                ['pki_security_domain_name']
+                    else:
+                        # PKI CA
+                        if not len(config.pki_master_dict\
+                                   ['pki_ocsp_signing_subject_dn']):
+                            config.pki_master_dict\
+                            ['pki_ocsp_signing_subject_dn'] =\
+                                "cn=" + "CA OCSP Signing Certificate"\
+                                + "," + "o=" +\
+                                config.pki_master_dict\
+                                ['pki_security_domain_name']
+                    config.pki_master_dict['pki_ocsp_signing_tag'] =\
+                        "ocsp_signing"
+                    if not len(config.pki_master_dict\
+                               ['pki_ocsp_signing_token']):
+                        config.pki_master_dict['pki_ocsp_signing_token'] =\
+                            "Internal Key Storage Token"
+                elif config.pki_master_dict['pki_subsystem'] == "OCSP":
+                    # PKI OCSP
+                    if not len(config.pki_master_dict\
+                               ['pki_ocsp_signing_nickname']):
+                        config.pki_master_dict['pki_ocsp_signing_nickname'] =\
+                            "ocspSigningCert" + " " + "cert-" +\
+                            config.pki_master_dict['pki_instance_id']
+                    if not len(config.pki_master_dict\
+                               ['pki_ocsp_signing_subject_dn']):
+                        config.pki_master_dict['pki_ocsp_signing_subject_dn'] =\
+                            "cn=" + "OCSP Signing Certificate" + "," + "o=" +\
+                            config.pki_master_dict['pki_security_domain_name']
+                    config.pki_master_dict['pki_ocsp_signing_tag'] =\
+                        "signing"
+                    if not len(config.pki_master_dict\
+                               ['pki_ocsp_signing_token']):
+                        config.pki_master_dict['pki_ocsp_signing_token'] =\
+                            "Internal Key Storage Token"
+        # Jython scriptlet
+        # 'SSL Server Certificate' Configuration name/value pairs
+        #
+        #     Apache - [RA], [TPS]
+        #     Tomcat - [CA], [KRA], [OCSP], [TKS]
+        #            - [CA Clone], [KRA Clone], [OCSP Clone], [TKS Clone]
+        #            - [External CA]
+        #            - [Subordinate CA]
+        #
+        #     The following variables are defined below:
+        #
+        #         config.pki_master_dict['pki_ssl_server_tag']
+        #
+        #     The following variables are established via the specified PKI
+        #     deployment configuration file and are NOT redefined below:
+        #
+        #         config.pki_master_dict['pki_ssl_server_key_algorithm']
+        #         config.pki_master_dict['pki_ssl_server_key_size']
+        #         config.pki_master_dict['pki_ssl_server_key_type']
+        #
+        #     The following variables are established via the specified PKI
+        #     deployment configuration file and potentially overridden below:
+        #
+        #         config.pki_master_dict['pki_ssl_server_nickname']
+        #         config.pki_master_dict['pki_ssl_server_subject_dn']
+        #         config.pki_master_dict['pki_ssl_server_token']
+        #
+        if not len(config.pki_master_dict['pki_ssl_server_nickname']):
+            config.pki_master_dict['pki_ssl_server_nickname'] =\
+                "Server-Cert" + " " + "cert-" +\
+                config.pki_master_dict['pki_instance_id']
+        if not len(config.pki_master_dict['pki_ssl_server_subject_dn']):
+            if config.pki_subsystem in config.PKI_APACHE_SUBSYSTEMS:
+                config.pki_master_dict['pki_ssl_server_subject_dn'] =\
+                    "cn=" + config.pki_master_dict['pki_hostname'] +\
+                    "," + "ou=" + config.pki_master_dict['pki_instance_id'] +\
+                    "," + "o=" +\
+                    config.pki_master_dict['pki_security_domain_name']
+            elif config.pki_subsystem in config.PKI_TOMCAT_SUBSYSTEMS:
+                config.pki_master_dict['pki_ssl_server_subject_dn'] =\
+                    "cn=" + config.pki_master_dict['pki_hostname'] +\
+                    "," + "o=" +\
+                    config.pki_master_dict['pki_security_domain_name']
+        config.pki_master_dict['pki_ssl_server_tag'] = "sslserver"
+        if not len(config.pki_master_dict['pki_ssl_server_token']):
+            config.pki_master_dict['pki_ssl_server_token'] =\
+                "Internal Key Storage Token"
+        # Jython scriptlet
+        # 'Subsystem Certificate' Configuration name/value pairs
+        #
+        #     Apache - [RA], [TPS]
+        #     Tomcat - [CA], [KRA], [OCSP], [TKS]
+        #            - [External CA]
+        #            - [Subordinate CA]
+        #
+        #     The following variables are defined below:
+        #
+        #         config.pki_master_dict['pki_subsystem_tag']
+        #
+        #     The following variables are established via the specified PKI
+        #     deployment configuration file and are NOT redefined below:
+        #
+        #         config.pki_master_dict['pki_subsystem_key_algorithm']
+        #         config.pki_master_dict['pki_subsystem_key_size']
+        #         config.pki_master_dict['pki_subsystem_key_type']
+        #
+        #     The following variables are established via the specified PKI
+        #     deployment configuration file and potentially overridden below:
+        #
+        #         config.pki_master_dict['pki_subsystem_nickname']
+        #         config.pki_master_dict['pki_subsystem_subject_dn']
+        #         config.pki_master_dict['pki_subsystem_token']
+        #
+        if config.pki_subsystem in config.PKI_APACHE_SUBSYSTEMS:
+            if not len(config.pki_master_dict['pki_subsystem_nickname']):
+                config.pki_master_dict['pki_subsystem_nickname'] =\
+                    "subsystemCert" + " " + "cert-" +\
+                    config.pki_master_dict['pki_instance_id']
+            if not len(config.pki_master_dict['pki_subsystem_subject_dn']):
+                if config.pki_master_dict['pki_subsystem'] == "RA":
+                    # PKI RA
+                    config.pki_master_dict['pki_subsystem_subject_dn'] =\
+                        "cn=" + "RA Subsystem Certificate" +\
+                        "," + "ou=" + config.pki_master_dict['pki_instance_id']\
+                        + "," + "o=" +\
+                        config.pki_master_dict['pki_security_domain_name']
+                elif config.pki_master_dict['pki_subsystem'] == "TPS":
+                    # PKI TPS
+                    config.pki_master_dict['pki_subsystem_subject_dn'] =\
+                        "cn=" + "TPS Subsystem Certificate" +\
+                        "," + "ou=" + config.pki_master_dict['pki_instance_id']\
+                        + "," + "o=" +\
+                        config.pki_master_dict['pki_security_domain_name']
+            config.pki_master_dict['pki_subsystem_tag'] = "subsystem"
+            if not len(config.pki_master_dict['pki_subsystem_token']):
+                config.pki_master_dict['pki_subsystem_token'] =\
+                    "Internal Key Storage Token"
+        elif config.pki_subsystem in config.PKI_TOMCAT_SUBSYSTEMS:
+            if not config.str2bool(config.pki_master_dict['pki_clone']):
+                if not len(config.pki_master_dict['pki_subsystem_nickname']):
+                    config.pki_master_dict['pki_subsystem_nickname'] =\
+                        "subsystemCert" + " " + "cert-" +\
+                        config.pki_master_dict['pki_instance_id']
+                if not len(config.pki_master_dict['pki_subsystem_subject_dn']):
+                    if config.pki_master_dict['pki_subsystem'] == "CA":
+                        if config.str2bool(
+                               config.pki_master_dict['pki_external']):
+                            # External CA
+                            config.pki_master_dict['pki_subsystem_subject_dn']\
+                                = "cn=" + "External CA Subsystem Certificate" +\
+                                  "," + "o=" +\
+                                  config.pki_master_dict\
+                                  ['pki_security_domain_name']
+                        elif config.str2bool(
+                                 config.pki_master_dict['pki_subordinate']):
+                            # Subordinate CA
+                            config.pki_master_dict['pki_subsystem_subject_dn']\
+                                = "cn=" + "SubCA Subsystem Certificate" +\
+                                  "," + "o=" +\
+                                  config.pki_master_dict\
+                                  ['pki_security_domain_name']
+                        else:
+                            # PKI CA
+                            config.pki_master_dict['pki_subsystem_subject_dn']\
+                                = "cn=" + "CA Subsystem Certificate" +\
+                                  "," + "o=" +\
+                                  config.pki_master_dict\
+                                  ['pki_security_domain_name']
+                    elif config.pki_master_dict['pki_subsystem'] == "KRA":
+                        # PKI KRA
+                        config.pki_master_dict['pki_subsystem_subject_dn'] =\
+                            "cn=" + "DRM Subsystem Certificate" +\
+                            "," + "o=" +\
+                            config.pki_master_dict\
+                            ['pki_security_domain_name']
+                    elif config.pki_master_dict['pki_subsystem'] == "OCSP":
+                        # PKI OCSP
+                        config.pki_master_dict['pki_subsystem_subject_dn'] =\
+                            "cn=" + "OCSP Subsystem Certificate" +\
+                            "," + "o=" +\
+                            config.pki_master_dict\
+                            ['pki_security_domain_name']
+                    elif config.pki_master_dict['pki_subsystem'] == "TKS":
+                        # PKI TKS
+                        config.pki_master_dict['pki_subsystem_subject_dn'] =\
+                            "cn=" + "TKS Subsystem Certificate" +\
+                            "," + "o=" +\
+                            config.pki_master_dict\
+                            ['pki_security_domain_name']
+                config.pki_master_dict['pki_subsystem_tag'] = "subsystem"
+                if not len(config.pki_master_dict['pki_subsystem_token']):
+                    config.pki_master_dict['pki_subsystem_token'] =\
+                        "Internal Key Storage Token"
+        # Jython scriptlet
+        # 'Audit Signing Certificate' Configuration name/value pairs
+        #
+        #     Apache - [TPS]
+        #     Tomcat - [CA], [KRA], [OCSP], [TKS]
+        #            - [External CA]
+        #            - [Subordinate CA]
+        #
+        #     The following variables are defined below:
+        #
+        #         config.pki_master_dict['pki_audit_signing_tag']
+        #
+        #     The following variables are established via the specified PKI
+        #     deployment configuration file and are NOT redefined below:
+        #
+        #         config.pki_master_dict['pki_audit_signing_key_algorithm']
+        #         config.pki_master_dict['pki_audit_signing_key_size']
+        #         config.pki_master_dict['pki_audit_signing_key_type']
+        #         config.pki_master_dict['pki_audit_signing_signing_algorithm']
+        #
+        #     The following variables are established via the specified PKI
+        #     deployment configuration file and potentially overridden below:
+        #
+        #         config.pki_master_dict['pki_audit_signing_nickname']
+        #         config.pki_master_dict['pki_audit_signing_subject_dn']
+        #         config.pki_master_dict['pki_audit_signing_token']
+        #
+        if config.pki_subsystem in config.PKI_APACHE_SUBSYSTEMS:
+            if config.pki_master_dict['pki_subsystem'] != "RA":
+                if not len(config.pki_master_dict\
+                           ['pki_audit_signing_nickname']):
+                    config.pki_master_dict['pki_audit_signing_nickname'] =\
+                        "auditSigningCert" + " " + "cert-" +\
+                        config.pki_master_dict['pki_instance_id']
+                if not len(config.pki_master_dict\
+                           ['pki_audit_signing_subject_dn']):
+                    config.pki_master_dict['pki_audit_signing_subject_dn'] =\
+                        "cn=" + "TPS Audit Signing Certificate" +\
+                        "," + "ou=" + config.pki_master_dict['pki_instance_id']\
+                        + "," + "o=" +\
+                        config.pki_master_dict['pki_security_domain_name']
+                config.pki_master_dict['pki_audit_signing_tag'] =\
+                    "audit_signing"
+                if not len(config.pki_master_dict['pki_audit_signing_token']):
+                    config.pki_master_dict['pki_audit_signing_token'] =\
+                        "Internal Key Storage Token"
+        elif config.pki_subsystem in config.PKI_TOMCAT_SUBSYSTEMS:
+            if not config.str2bool(config.pki_master_dict['pki_clone']):
+                if not len(config.pki_master_dict\
+                           ['pki_audit_signing_nickname']):
+                    config.pki_master_dict['pki_audit_signing_nickname'] =\
+                        "auditSigningCert" + " " + "cert-" +\
+                        config.pki_master_dict['pki_instance_id']
+                if not len(config.pki_master_dict\
+                           ['pki_audit_signing_subject_dn']):
+                    if config.pki_master_dict['pki_subsystem'] == "CA":
+                        if config.str2bool(
+                               config.pki_master_dict['pki_external']):
+                            # External CA
+                            config.pki_master_dict\
+                            ['pki_audit_signing_subject_dn'] =\
+                                "cn=" + "External CA Audit Signing Certificate"\
+                                + "," + "o=" +\
+                                config.pki_master_dict\
+                                ['pki_security_domain_name']
+                        elif config.str2bool(
+                                 config.pki_master_dict['pki_subordinate']):
+                            # Subordinate CA
+                            config.pki_master_dict\
+                            ['pki_audit_signing_subject_dn'] =\
+                                "cn=" + "SubCA Audit Signing Certificate" +\
+                                "," + "o=" +\
+                                config.pki_master_dict\
+                                ['pki_security_domain_name']
+                        else:
+                            # PKI CA
+                            config.pki_master_dict\
+                            ['pki_audit_signing_subject_dn'] =\
+                                "cn=" + "CA Audit Signing Certificate" +\
+                                "," + "o=" +\
+                                config.pki_master_dict\
+                                ['pki_security_domain_name']
+                    elif config.pki_master_dict['pki_subsystem'] == "KRA":
+                        # PKI KRA
+                        config.pki_master_dict['pki_audit_signing_subject_dn']\
+                            = "cn=" + "DRM Audit Signing Certificate" +\
+                              "," + "o=" +\
+                              config.pki_master_dict['pki_security_domain_name']
+                    elif config.pki_master_dict['pki_subsystem'] == "OCSP":
+                        # PKI OCSP
+                        config.pki_master_dict['pki_audit_signing_subject_dn']\
+                            = "cn=" + "OCSP Audit Signing Certificate" +\
+                              "," + "o=" +\
+                              config.pki_master_dict['pki_security_domain_name']
+                    elif config.pki_master_dict['pki_subsystem'] == "TKS":
+                        # PKI TKS
+                        config.pki_master_dict['pki_audit_signing_subject_dn']\
+                            = "cn=" + "TKS Audit Signing Certificate" +\
+                              "," + "o=" +\
+                              config.pki_master_dict['pki_security_domain_name']
+                config.pki_master_dict['pki_audit_signing_tag'] =\
+                    "audit_signing"
+                if not len(config.pki_master_dict['pki_audit_signing_token']):
+                    config.pki_master_dict['pki_audit_signing_token'] =\
+                        "Internal Key Storage Token"
+        # Jython scriptlet
+        # 'DRM Transport Certificate' Configuration name/value pairs
+        #
+        #     Tomcat - [KRA]
+        #
+        #     The following variables are defined below:
+        #
+        #         config.pki_master_dict['pki_transport_tag']
+        #
+        #     The following variables are established via the specified PKI
+        #     deployment configuration file and are NOT redefined below:
+        #
+        #         config.pki_master_dict['pki_transport_key_algorithm']
+        #         config.pki_master_dict['pki_transport_key_size']
+        #         config.pki_master_dict['pki_transport_key_type']
+        #         config.pki_master_dict['pki_transport_signing_algorithm']
+        #
+        #     The following variables are established via the specified PKI
+        #     deployment configuration file and potentially overridden below:
+        #
+        #         config.pki_master_dict['pki_transport_nickname']
+        #         config.pki_master_dict['pki_transport_subject_dn']
+        #         config.pki_master_dict['pki_transport_token']
+        #
+        if config.pki_subsystem in config.PKI_TOMCAT_SUBSYSTEMS:
+            if not config.str2bool(config.pki_master_dict['pki_clone']):
+                if config.pki_master_dict['pki_subsystem'] == "KRA":
+                    # PKI KRA
+                    if not len(config.pki_master_dict\
+                               ['pki_transport_nickname']):
+                        config.pki_master_dict['pki_transport_nickname'] =\
+                            "transportCert" + " " + "cert-" +\
+                            config.pki_master_dict['pki_instance_id']
+                    if not len(config.pki_master_dict\
+                               ['pki_transport_subject_dn']):
+                        config.pki_master_dict['pki_transport_subject_dn']\
+                            = "cn=" + "DRM Transport Certificate" +\
+                              "," + "o=" +\
+                              config.pki_master_dict['pki_security_domain_name']
+                    config.pki_master_dict['pki_transport_tag'] =\
+                        "transport"
+                    if not len(config.pki_master_dict['pki_transport_token']):
+                        config.pki_master_dict['pki_transport_token'] =\
+                            "Internal Key Storage Token"
+        # Jython scriptlet
+        # 'DRM Storage Certificate' Configuration name/value pairs
+        #
+        #     Tomcat - [KRA]
+        #
+        #     The following variables are defined below:
+        #
+        #         config.pki_master_dict['pki_storage_tag']
+        #
+        #     The following variables are established via the specified PKI
+        #     deployment configuration file and are NOT redefined below:
+        #
+        #         config.pki_master_dict['pki_storage_key_algorithm']
+        #         config.pki_master_dict['pki_storage_key_size']
+        #         config.pki_master_dict['pki_storage_key_type']
+        #         config.pki_master_dict['pki_storage_signing_algorithm']
+        #
+        #     The following variables are established via the specified PKI
+        #     deployment configuration file and potentially overridden below:
+        #
+        #         config.pki_master_dict['pki_storage_nickname']
+        #         config.pki_master_dict['pki_storage_subject_dn']
+        #         config.pki_master_dict['pki_storage_token']
+        #
+        if config.pki_subsystem in config.PKI_TOMCAT_SUBSYSTEMS:
+            if not config.str2bool(config.pki_master_dict['pki_clone']):
+                if config.pki_master_dict['pki_subsystem'] == "KRA":
+                    # PKI KRA
+                    if not len(config.pki_master_dict['pki_storage_nickname']):
+                        config.pki_master_dict['pki_storage_nickname'] =\
+                            "storageCert" + " " + "cert-" +\
+                            config.pki_master_dict['pki_instance_id']
+                    if not len(config.pki_master_dict\
+                               ['pki_storage_subject_dn']):
+                        config.pki_master_dict['pki_storage_subject_dn']\
+                            = "cn=" + "DRM Storage Certificate" +\
+                              "," + "o=" +\
+                              config.pki_master_dict['pki_security_domain_name']
+                    config.pki_master_dict['pki_storage_tag'] =\
+                        "storage"
+                    if not len(config.pki_master_dict['pki_storage_token']):
+                        config.pki_master_dict['pki_storage_token'] =\
+                            "Internal Key Storage Token"
     except OSError as exc:
         config.pki_log.error(log.PKI_OSERROR_1, exc,
                              extra=config.PKI_INDENTATION_LEVEL_2)
         sys.exit(1)
+    except KeyError as err:
+        config.pki_log.error(log.PKIHELPER_DICTIONARY_MASTER_MISSING_KEY_1,
+                             err, extra=config.PKI_INDENTATION_LEVEL_2)
+        sys.exit(1)
     return
 
 
diff --git a/base/deploy/src/scriptlets/security_databases.py b/base/deploy/src/scriptlets/security_databases.py
index 1a08fdccb..8364d9519 100644
--- a/base/deploy/src/scriptlets/security_databases.py
+++ b/base/deploy/src/scriptlets/security_databases.py
@@ -38,13 +38,20 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
             util.password.create_password_conf(
                 master['pki_shared_password_conf'],
                 master['pki_pin'])
+            # Since 'certutil' does NOT strip the 'token=' portion of
+            # the 'token=password' entries, create a temporary server 'pfile'
+            # which ONLY contains the 'password' for the purposes of
+            # allowing 'certutil' to generate the security databases
+            util.password.create_password_conf(
+                master['pki_shared_pfile'],
+                master['pki_pin'], pin_sans_token=True)
             util.file.modify(master['pki_shared_password_conf'])
             util.certutil.create_security_databases(
                 master['pki_database_path'],
                 master['pki_cert_database'],
                 master['pki_key_database'],
                 master['pki_secmod_database'],
-                password_file=master['pki_shared_password_conf'])
+                password_file=master['pki_shared_pfile'])
             util.file.modify(master['pki_cert_database'], perms=\
                 config.PKI_DEPLOYMENT_DEFAULT_SECURITY_DATABASE_PERMISSIONS)
             util.file.modify(master['pki_key_database'], perms=\
@@ -58,7 +65,7 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
                      master['pki_secmod_database'],
                      master['pki_self_signed_token'],
                      master['pki_self_signed_nickname'],
-                     password_file=master['pki_shared_password_conf'])
+                     password_file=master['pki_shared_pfile'])
             if not rv:
                 util.file.generate_noise_file(
                     master['pki_self_signed_noise_file'],
@@ -76,18 +83,28 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
                     master['pki_self_signed_issuer_name'],
                     master['pki_self_signed_trustargs'],
                     master['pki_self_signed_noise_file'],
-                    password_file=master['pki_shared_password_conf'])
+                    password_file=master['pki_shared_pfile'])
+                # Delete the temporary 'noise' file
                 util.file.delete(master['pki_self_signed_noise_file'])
+            # Delete the temporary 'pfile'
+            util.file.delete(master['pki_shared_pfile'])
         else:
             util.password.create_password_conf(
                 master['pki_shared_password_conf'],
                 master['pki_pin'])
+            # Since 'certutil' does NOT strip the 'token=' portion of
+            # the 'token=password' entries, create a temporary server 'pfile'
+            # which ONLY contains the 'password' for the purposes of
+            # allowing 'certutil' to generate the security databases
+            util.password.create_password_conf(
+                master['pki_shared_pfile'],
+                master['pki_pin'], pin_sans_token=True)
             util.certutil.create_security_databases(
                 master['pki_database_path'],
                 master['pki_cert_database'],
                 master['pki_key_database'],
                 master['pki_secmod_database'],
-                password_file=master['pki_shared_password_conf'])
+                password_file=master['pki_shared_pfile'])
             rv = util.certutil.verify_certificate_exists(
                      master['pki_database_path'],
                      master['pki_cert_database'],
@@ -95,7 +112,7 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
                      master['pki_secmod_database'],
                      master['pki_self_signed_token'],
                      master['pki_self_signed_nickname'],
-                     password_file=master['pki_shared_password_conf'])
+                     password_file=master['pki_shared_pfile'])
             if not rv:
                 util.file.generate_noise_file(
                     master['pki_self_signed_noise_file'],
@@ -113,7 +130,11 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
                     master['pki_self_signed_issuer_name'],
                     master['pki_self_signed_trustargs'],
                     master['pki_self_signed_noise_file'],
-                    password_file=master['pki_shared_password_conf'])
+                    password_file=master['pki_shared_pfile'])
+                # Delete the temporary 'noise' file
+                util.file.delete(master['pki_self_signed_noise_file'])
+            # Delete the temporary 'pfile'
+            util.file.delete(master['pki_shared_pfile'])
         return self.rv
 
     def respawn(self):
diff --git a/base/deploy/src/scriptlets/slot_substitution.py b/base/deploy/src/scriptlets/slot_substitution.py
index 93b0ae750..3467596e8 100644
--- a/base/deploy/src/scriptlets/slot_substitution.py
+++ b/base/deploy/src/scriptlets/slot_substitution.py
@@ -39,7 +39,7 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
                                               master['pki_target_cs_cfg'])
         util.file.copy_with_slot_substitution(master['pki_source_registry'],
                                               master['pki_target_registry'],
-                                              overwrite_flag=True)
+                                              uid=0, gid=0, overwrite_flag=True)
         if master['pki_subsystem'] in config.PKI_TOMCAT_SUBSYSTEMS:
             util.file.copy_with_slot_substitution(
                 master['pki_source_catalina_properties'],
@@ -56,7 +56,7 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
             util.file.copy_with_slot_substitution(
                 master['pki_source_tomcat_conf'],
                 master['pki_target_tomcat_conf_instance_id'],
-                overwrite_flag=True)
+                uid=0, gid=0, overwrite_flag=True)
             util.file.copy_with_slot_substitution(
                 master['pki_source_tomcat_conf'],
                 master['pki_target_tomcat_conf'],
@@ -69,6 +69,15 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
                 master['pki_target_velocity_properties'])
             util.file.apply_slot_substitution(
                 master['pki_target_subsystem_web_xml'])
+            # Strip "<filter>" section from subsystem "web.xml"
+            # This is ONLY necessary because XML comments cannot be "nested"!
+            #util.file.copy(master['pki_target_subsystem_web_xml'],
+            #               master['pki_target_subsystem_web_xml_orig'])
+            #util.file.delete(master['pki_target_subsystem_web_xml'])
+            #util.xml_file.remove_filter_section_from_web_xml(
+            #    master['pki_target_subsystem_web_xml_orig'],
+            #    master['pki_target_subsystem_web_xml'])
+            #util.file.delete(master['pki_target_subsystem_web_xml_orig'])
             if master['pki_subsystem'] == "CA":
                 util.file.copy_with_slot_substitution(
                     master['pki_source_proxy_conf'],
@@ -85,7 +94,7 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
                                               overwrite_flag=True)
         util.file.copy_with_slot_substitution(master['pki_source_registry'],
                                               master['pki_target_registry'],
-                                              overwrite_flag=True)
+                                              uid=0, gid=0, overwrite_flag=True)
         if master['pki_subsystem'] in config.PKI_TOMCAT_SUBSYSTEMS:
             util.file.copy_with_slot_substitution(
                 master['pki_source_catalina_properties'],
@@ -102,7 +111,7 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
             util.file.copy_with_slot_substitution(
                 master['pki_source_tomcat_conf'],
                 master['pki_target_tomcat_conf_instance_id'],
-                overwrite_flag=True)
+                uid=0, gid=0, overwrite_flag=True)
             util.file.copy_with_slot_substitution(
                 master['pki_source_tomcat_conf'],
                 master['pki_target_tomcat_conf'],
@@ -115,6 +124,15 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
                 master['pki_target_velocity_properties'])
             util.file.apply_slot_substitution(
                 master['pki_target_subsystem_web_xml'])
+            # Strip "<filter>" section from subsystem "web.xml"
+            # This is ONLY necessary because XML comments cannot be "nested"!
+            #util.file.copy(master['pki_target_subsystem_web_xml'],
+            #               master['pki_target_subsystem_web_xml_orig'])
+            #util.file.delete(master['pki_target_subsystem_web_xml'])
+            #util.xml_file.remove_filter_section_from_web_xml(
+            #    master['pki_target_subsystem_web_xml_orig'],
+            #    master['pki_target_subsystem_web_xml'])
+            #util.file.delete(master['pki_target_subsystem_web_xml_orig'])
             if master['pki_subsystem'] == "CA":
                 util.file.copy_with_slot_substitution(
                     master['pki_source_proxy_conf'],
diff --git a/base/deploy/src/scriptlets/subsystem_layout.py b/base/deploy/src/scriptlets/subsystem_layout.py
index 4ea5e6f84..d9c597d60 100644
--- a/base/deploy/src/scriptlets/subsystem_layout.py
+++ b/base/deploy/src/scriptlets/subsystem_layout.py
@@ -56,6 +56,34 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
                                     master['pki_subsystem_profiles_path'])
             # establish instance-based Tomcat PKI subsystem logs
             # establish instance-based Tomcat PKI subsystem configuration
+            if master['pki_subsystem'] == "CA":
+                util.file.copy(master['pki_source_flatfile_txt'],
+                               master['pki_target_flatfile_txt'])
+                util.file.copy(master['pki_source_registry_cfg'],
+                               master['pki_target_registry_cfg'])
+                # '*.profile'
+                util.file.copy(master['pki_source_admincert_profile'],
+                               master['pki_target_admincert_profile'])
+                util.file.copy(master['pki_source_caauditsigningcert_profile'],
+                               master['pki_target_caauditsigningcert_profile'])
+                util.file.copy(master['pki_source_cacert_profile'],
+                               master['pki_target_cacert_profile'])
+                util.file.copy(master['pki_source_caocspcert_profile'],
+                               master['pki_target_caocspcert_profile'])
+                util.file.copy(master['pki_source_servercert_profile'],
+                               master['pki_target_servercert_profile'])
+                util.file.copy(master['pki_source_subsystemcert_profile'],
+                               master['pki_target_subsystemcert_profile'])
+            elif master['pki_subsystem'] == "KRA":
+                # '*.profile'
+                util.file.copy(master['pki_source_servercert_profile'],
+                               master['pki_target_servercert_profile'])
+                util.file.copy(master['pki_source_storagecert_profile'],
+                               master['pki_target_storagecert_profile'])
+                util.file.copy(master['pki_source_subsystemcert_profile'],
+                               master['pki_target_subsystemcert_profile'])
+                util.file.copy(master['pki_source_transportcert_profile'],
+                               master['pki_target_transportcert_profile'])
             # establish instance-based Tomcat PKI subsystem registry
             # establish instance-based Tomcat PKI subsystem convenience
             # symbolic links
@@ -98,6 +126,46 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
                                     overwrite_flag=True)
             # update instance-based Tomcat PKI subsystem logs
             # update instance-based Tomcat PKI subsystem configuration
+            if master['pki_subsystem'] == "CA":
+                # util.file.copy(master['pki_source_flatfile_txt'],
+                #                master['pki_target_flatfile_txt'],
+                #                overwrite_flag=True)
+                util.file.copy(master['pki_source_registry_cfg'],
+                               master['pki_target_registry_cfg'],
+                               overwrite_flag=True)
+                # '*.profile'
+                util.file.copy(master['pki_source_admincert_profile'],
+                               master['pki_target_admincert_profile'],
+                               overwrite_flag=True)
+                util.file.copy(master['pki_source_caauditsigningcert_profile'],
+                               master['pki_target_caauditsigningcert_profile'],
+                               overwrite_flag=True)
+                util.file.copy(master['pki_source_cacert_profile'],
+                               master['pki_target_cacert_profile'],
+                               overwrite_flag=True)
+                util.file.copy(master['pki_source_caocspcert_profile'],
+                               master['pki_target_caocspcert_profile'],
+                               overwrite_flag=True)
+                util.file.copy(master['pki_source_servercert_profile'],
+                               master['pki_target_servercert_profile'],
+                               overwrite_flag=True)
+                util.file.copy(master['pki_source_subsystemcert_profile'],
+                               master['pki_target_subsystemcert_profile'],
+                               overwrite_flag=True)
+            elif master['pki_subsystem'] == "KRA":
+                # '*.profile'
+                util.file.copy(master['pki_source_servercert_profile'],
+                               master['pki_target_servercert_profile'],
+                               overwrite_flag=True)
+                util.file.copy(master['pki_source_storagecert_profile'],
+                               master['pki_target_storagecert_profile'],
+                               overwrite_flag=True)
+                util.file.copy(master['pki_source_subsystemcert_profile'],
+                               master['pki_target_subsystemcert_profile'],
+                               overwrite_flag=True)
+                util.file.copy(master['pki_source_transportcert_profile'],
+                               master['pki_target_transportcert_profile'],
+                               overwrite_flag=True)
             # update instance-based Tomcat PKI subsystem registry
             # update instance-based Tomcat PKI subsystem convenience
             # symbolic links
diff --git a/base/deploy/src/scriptlets/war_explosion.py b/base/deploy/src/scriptlets/war_explosion.py
index ca2ea601b..16113ba7d 100644
--- a/base/deploy/src/scriptlets/war_explosion.py
+++ b/base/deploy/src/scriptlets/war_explosion.py
@@ -39,11 +39,23 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
             util.directory.create(master['pki_tomcat_webapps_subsystem_path'])
             util.war.explode(master['pki_war'],
                              master['pki_tomcat_webapps_subsystem_path'])
-            # establish convenience symbolic links
-            util.symlink.create(master['pki_tomcat_webapps_webinf_classes_path'],
-                master['pki_tomcat_webapps_subsystem_webinf_classes_link'])
-            util.symlink.create(master['pki_tomcat_webapps_webinf_lib_path'],
-                master['pki_tomcat_webapps_subsystem_webinf_lib_link'])
+            util.directory.create(
+                master['pki_tomcat_webapps_subsystem_webinf_classes_path'])
+            util.directory.create(
+                master['pki_tomcat_webapps_subsystem_webinf_lib_path'])
+            # establish Tomcat webapps subsystem WEB-INF lib symbolic links
+            if master['pki_subsystem'] == "CA":
+                util.symlink.create(master['pki_ca_jar'],
+                                    master['pki_ca_jar_link'])
+            elif master['pki_subsystem'] == "KRA":
+                util.symlink.create(master['pki_kra_jar'],
+                                    master['pki_kra_jar_link'])
+            elif master['pki_subsystem'] == "OCSP":
+                util.symlink.create(master['pki_ocsp_jar'],
+                                    master['pki_ocsp_jar_link'])
+            elif master['pki_subsystem'] == "TKS":
+                util.symlink.create(master['pki_tks_jar'],
+                                    master['pki_tks_jar_link'])
             # set ownerships, permissions, and acls
             util.directory.set_mode(master['pki_tomcat_webapps_subsystem_path'])
         return self.rv
@@ -56,8 +68,16 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
             util.directory.modify(master['pki_tomcat_webapps_subsystem_path'])
             util.war.explode(master['pki_war'],
                              master['pki_tomcat_webapps_subsystem_path'])
+            # update Tomcat webapps subsystem WEB-INF lib symbolic links
+            if master['pki_subsystem'] == "CA":
+                util.symlink.modify(master['pki_ca_jar_link'])
+            elif master['pki_subsystem'] == "KRA":
+                util.symlink.modify(master['pki_kra_jar_link'])
+            elif master['pki_subsystem'] == "OCSP":
+                util.symlink.modify(master['pki_ocsp_jar_link'])
+            elif master['pki_subsystem'] == "TKS":
+                util.symlink.modify(master['pki_tks_jar_link'])
             # update ownerships, permissions, and acls
-            # NOTE:  This includes existing convenience symbolic links
             util.directory.set_mode(master['pki_tomcat_webapps_subsystem_path'])
         return self.rv
 
diff --git a/base/kra/shared/conf/CS.cfg.in b/base/kra/shared/conf/CS.cfg.in
index 5135e1311..c2655fc75 100644
--- a/base/kra/shared/conf/CS.cfg.in
+++ b/base/kra/shared/conf/CS.cfg.in
@@ -29,6 +29,7 @@ agent.interface.uri=kra/agent/kra
 authType=pwd
 preop.securitydomain.admin_url=https://[PKI_MACHINE_NAME]:9445
 instanceRoot=[PKI_INSTANCE_PATH]
+configurationRoot=/[PKI_SUBSYSTEM_DIR]conf/
 machineName=[PKI_MACHINE_NAME]
 instanceId=[PKI_INSTANCE_ID]
 pidDir=[PKI_PIDDIR]
@@ -201,7 +202,7 @@ dbs.ldap=internaldb
 dbs.newSchemaEntryAdded=true
 debug.append=true
 debug.enabled=true
-debug.filename=[PKI_INSTANCE_PATH]/logs/debug
+debug.filename=[PKI_INSTANCE_PATH]/logs/[PKI_SUBSYSTEM_DIR]debug
 debug.hashkeytypes=
 debug.level=0
 debug.showcaller=false
@@ -277,7 +278,7 @@ log.instance.SignedAudit.bufferSize=512
 log.instance.SignedAudit.enable=true
 log.instance.SignedAudit.events=AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,PRIVATE_KEY_ARCHIVE_REQUEST,PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,KEY_RECOVERY_REQUEST,KEY_RECOVERY_REQUEST_ASYNC,KEY_RECOVERY_AGENT_LOGIN,KEY_RECOVERY_REQUEST_PROCESSED,KEY_RECOVERY_REQUEST_PROCESSED_ASYNC,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ_SUCCESS,AUTHZ_FAIL,INTER_BOUNDARY,AUTH_FAIL,AUTH_SUCCESS,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_ADD_CA_REQUEST,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST,OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS,OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,CONFIG_SERIAL_NUMBER
 log.instance.SignedAudit.expirationTime=0
-log.instance.SignedAudit.fileName=[PKI_INSTANCE_PATH]/logs/signedAudit/kra_cert-kra_audit
+log.instance.SignedAudit.fileName=[PKI_INSTANCE_PATH]/logs/[PKI_SUBSYSTEM_DIR]signedAudit/kra_cert-kra_audit
 log.instance.SignedAudit.flushInterval=5
 log.instance.SignedAudit.level=1
 log.instance.SignedAudit.logSigning=false
@@ -295,7 +296,7 @@ log.instance.System._002=##
 log.instance.System.bufferSize=512
 log.instance.System.enable=true
 log.instance.System.expirationTime=0
-log.instance.System.fileName=[PKI_INSTANCE_PATH]/logs/system
+log.instance.System.fileName=[PKI_INSTANCE_PATH]/logs/[PKI_SUBSYSTEM_DIR]system
 log.instance.System.flushInterval=5
 log.instance.System.level=3
 log.instance.System.maxFileSize=2000
@@ -308,15 +309,15 @@ log.instance.Transactions._002=##
 log.instance.Transactions.bufferSize=512
 log.instance.Transactions.enable=true
 log.instance.Transactions.expirationTime=0
-log.instance.Transactions.fileName=[PKI_INSTANCE_PATH]/logs/transactions
+log.instance.Transactions.fileName=[PKI_INSTANCE_PATH]/logs/[PKI_SUBSYSTEM_DIR]transactions
 log.instance.Transactions.flushInterval=5
 log.instance.Transactions.level=1
 log.instance.Transactions.maxFileSize=2000
 log.instance.Transactions.pluginName=file
 log.instance.Transactions.rolloverInterval=2592000
 log.instance.Transactions.type=transaction
-logAudit.fileName=[PKI_INSTANCE_PATH]/logs/access
-logError.fileName=[PKI_INSTANCE_PATH]/logs/error
+logAudit.fileName=[PKI_INSTANCE_PATH]/logs/[PKI_SUBSYSTEM_DIR]access
+logError.fileName=[PKI_INSTANCE_PATH]/logs/[PKI_SUBSYSTEM_DIR]error
 oidmap.auth_info_access.class=netscape.security.extensions.AuthInfoAccessExtension
 oidmap.auth_info_access.oid=1.3.6.1.5.5.7.1.1
 oidmap.challenge_password.class=com.netscape.cms.servlet.cert.scep.ChallengePassword
@@ -353,7 +354,7 @@ selftests.container.logger.bufferSize=512
 selftests.container.logger.class=com.netscape.cms.logging.RollingLogFile
 selftests.container.logger.enable=true
 selftests.container.logger.expirationTime=0
-selftests.container.logger.fileName=[PKI_INSTANCE_PATH]/logs/selftests.log
+selftests.container.logger.fileName=[PKI_INSTANCE_PATH]/logs/[PKI_SUBSYSTEM_DIR]selftests.log
 selftests.container.logger.flushInterval=5
 selftests.container.logger.level=1
 selftests.container.logger.maxFileSize=2000
diff --git a/base/kra/shared/webapps/kra/WEB-INF/web.xml b/base/kra/shared/webapps/kra/WEB-INF/web.xml
index c6e9934eb..273ca1fa4 100644
--- a/base/kra/shared/webapps/kra/WEB-INF/web.xml
+++ b/base/kra/shared/webapps/kra/WEB-INF/web.xml
@@ -3,71 +3,6 @@
    PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN" "file:///usr/share/pki/setup/web-app_2_3.dtd">
 <web-app>
 
-    <filter>
-        <filter-name>AgentRequestFilter</filter-name>
-        <filter-class>com.netscape.cms.servlet.filter.AgentRequestFilter</filter-class>
-        <init-param>
-            <param-name>https_port</param-name>
-            <param-value>[PKI_AGENT_SECURE_PORT]</param-value>
-        </init-param>
-[PKI_OPEN_ENABLE_PROXY_COMMENT]
-        <init-param>
-            <param-name>proxy_port</param-name>
-            <param-value>[PKI_PROXY_SECURE_PORT]</param-value>
-         </init-param>
-[PKI_CLOSE_ENABLE_PROXY_COMMENT]
-        <init-param>
-            <param-name>active</param-name>
-            <param-value>true</param-value>
-        </init-param>
-    </filter>
-
-    <filter>
-        <filter-name>AdminRequestFilter</filter-name>
-        <filter-class>com.netscape.cms.servlet.filter.AdminRequestFilter</filter-class>
-        <init-param>
-            <param-name>https_port</param-name>
-            <param-value>[PKI_ADMIN_SECURE_PORT]</param-value>
-        </init-param>
-[PKI_OPEN_ENABLE_PROXY_COMMENT]
-        <init-param>
-            <param-name>proxy_port</param-name>
-            <param-value>[PKI_PROXY_SECURE_PORT]</param-value>
-         </init-param>
-[PKI_CLOSE_ENABLE_PROXY_COMMENT]
-        <init-param>
-            <param-name>active</param-name>
-            <param-value>true</param-value>
-        </init-param>
-    </filter>
-
-    <filter>
-        <filter-name>EERequestFilter</filter-name>
-        <filter-class>com.netscape.cms.servlet.filter.EERequestFilter</filter-class>
-        <init-param>
-            <param-name>http_port</param-name>
-            <param-value>[PKI_UNSECURE_PORT]</param-value>
-        </init-param>
-        <init-param>
-            <param-name>https_port</param-name>
-            <param-value>[PKI_EE_SECURE_PORT]</param-value>
-        </init-param>
-[PKI_OPEN_ENABLE_PROXY_COMMENT]
-        <init-param>
-            <param-name>proxy_port</param-name>
-            <param-value>[PKI_PROXY_SECURE_PORT]</param-value>
-         </init-param>
-        <init-param>
-            <param-name>proxy_http_port</param-name>
-            <param-value>[PKI_PROXY_UNSECURE_PORT]</param-value>
-         </init-param>
-[PKI_CLOSE_ENABLE_PROXY_COMMENT]
-        <init-param>
-            <param-name>active</param-name>
-            <param-value>true</param-value>
-        </init-param>
-    </filter>
-
     <servlet>
         <servlet-name>csadmin-wizard</servlet-name>
         <servlet-class>com.netscape.cms.servlet.wizard.WizardServlet</servlet-class>
@@ -640,7 +575,7 @@
              <init-param><param-name>  AuthzMgr    </param-name>
                          <param-value> BasicAclAuthz </param-value> </init-param>
              <init-param><param-name>  cfgPath     </param-name>
-                         <param-value> [PKI_INSTANCE_PATH]/conf/CS.cfg  </param-value> </init-param>
+                         <param-value> [PKI_INSTANCE_PATH]/conf/[PKI_SUBSYSTEM_DIR]CS.cfg  </param-value> </init-param>
              <init-param><param-name>  ID          </param-name>
                          <param-value> krastart    </param-value> </init-param>
       <load-on-startup>  1  </load-on-startup>
@@ -756,10 +691,9 @@
                          <param-value> ee          </param-value> </init-param>
    </servlet>
 
-   <context-param>
-      <param-name>resteasy.scan</param-name>
-      <param-value>true</param-value>
-   </context-param>
+   <listener>
+      <listener-class> org.jboss.resteasy.plugins.server.servlet.ResteasyBootstrap </listener-class>
+   </listener>
 
    <context-param>
       <param-name>resteasy.servlet.mapping.prefix</param-name>
@@ -776,31 +710,12 @@
    <servlet>
       <servlet-name>Resteasy</servlet-name>
       <servlet-class>org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher</servlet-class>
+      <init-param>
+         <param-name>javax.ws.rs.Application</param-name>
+         <param-value>com.netscape.kra.KeyRecoveryAuthorityApplication</param-value>
+      </init-param>
    </servlet>
 
-[PKI_OPEN_SEPARATE_PORTS_WEB_COMMENT]
-   <filter-mapping>
-      <filter-name>  AgentRequestFilter  </filter-name>
-      <url-pattern>  /agent/*            </url-pattern>
-   </filter-mapping>
-
-   <filter-mapping>
-      <filter-name>  AdminRequestFilter  </filter-name>
-      <url-pattern>  /admin/*            </url-pattern>
-      <url-pattern>  /auths              </url-pattern>
-      <url-pattern>  /server             </url-pattern>
-      <url-pattern>  /log                </url-pattern>
-      <url-pattern>  /ug                 </url-pattern>
-      <url-pattern>  /acl                </url-pattern>
-      <url-pattern>  /kra                </url-pattern>
-   </filter-mapping>
-
-   <filter-mapping>
-      <filter-name>  EERequestFilter  </filter-name>
-      <url-pattern>  /ee/*            </url-pattern>
-   </filter-mapping>
-[PKI_CLOSE_SEPARATE_PORTS_WEB_COMMENT]
-
    <servlet-mapping>
       <servlet-name>Resteasy</servlet-name>
       <url-pattern>/pki/*</url-pattern>
diff --git a/base/ocsp/shared/conf/CS.cfg.in b/base/ocsp/shared/conf/CS.cfg.in
index 658a1b6d3..0910d6672 100644
--- a/base/ocsp/shared/conf/CS.cfg.in
+++ b/base/ocsp/shared/conf/CS.cfg.in
@@ -99,6 +99,7 @@ preop.cert.subsystem.cncomponent.override=true
 cs.state=0
 authType=pwd
 instanceRoot=[PKI_INSTANCE_PATH]
+configurationRoot=/[PKI_SUBSYSTEM_DIR]conf/
 machineName=[PKI_MACHINE_NAME]
 instanceId=[PKI_INSTANCE_ID]
 service.machineName=[PKI_MACHINE_NAME]
@@ -163,7 +164,7 @@ dbs.ldap=internaldb
 dbs.newSchemaEntryAdded=true
 debug.append=true
 debug.enabled=true
-debug.filename=[PKI_INSTANCE_PATH]/logs/debug
+debug.filename=[PKI_INSTANCE_PATH]/logs/[PKI_SUBSYSTEM_DIR]debug
 debug.hashkeytypes=
 debug.level=0
 debug.showcaller=false
@@ -216,7 +217,7 @@ log.instance.SignedAudit.bufferSize=512
 log.instance.SignedAudit.enable=true
 log.instance.SignedAudit.events=AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,PRIVATE_KEY_ARCHIVE_REQUEST,PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,KEY_RECOVERY_REQUEST,KEY_RECOVERY_REQUEST_ASYNC,KEY_RECOVERY_AGENT_LOGIN,KEY_RECOVERY_REQUEST_PROCESSED,KEY_RECOVERY_REQUEST_PROCESSED_ASYNC,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ_SUCCESS,AUTHZ_FAIL,INTER_BOUNDARY,AUTH_FAIL,AUTH_SUCCESS,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_ADD_CA_REQUEST,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST,OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS,OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION
 log.instance.SignedAudit.expirationTime=0
-log.instance.SignedAudit.fileName=[PKI_INSTANCE_PATH]/logs/signedAudit/ocsp_cert-ocsp_audit
+log.instance.SignedAudit.fileName=[PKI_INSTANCE_PATH]/logs/[PKI_SUBSYSTEM_DIR]signedAudit/ocsp_cert-ocsp_audit
 log.instance.SignedAudit.flushInterval=5
 log.instance.SignedAudit.level=1
 log.instance.SignedAudit.logSigning=false
@@ -234,7 +235,7 @@ log.instance.System._002=##
 log.instance.System.bufferSize=512
 log.instance.System.enable=true
 log.instance.System.expirationTime=0
-log.instance.System.fileName=[PKI_INSTANCE_PATH]/logs/system
+log.instance.System.fileName=[PKI_INSTANCE_PATH]/logs/[PKI_SUBSYSTEM_DIR]system
 log.instance.System.flushInterval=5
 log.instance.System.level=3
 log.instance.System.maxFileSize=2000
@@ -247,15 +248,15 @@ log.instance.Transactions._002=##
 log.instance.Transactions.bufferSize=512
 log.instance.Transactions.enable=true
 log.instance.Transactions.expirationTime=0
-log.instance.Transactions.fileName=[PKI_INSTANCE_PATH]/logs/transactions
+log.instance.Transactions.fileName=[PKI_INSTANCE_PATH]/logs/[PKI_SUBSYSTEM_DIR]transactions
 log.instance.Transactions.flushInterval=5
 log.instance.Transactions.level=1
 log.instance.Transactions.maxFileSize=2000
 log.instance.Transactions.pluginName=file
 log.instance.Transactions.rolloverInterval=2592000
 log.instance.Transactions.type=transaction
-logAudit.fileName=[PKI_INSTANCE_PATH]/logs/access
-logError.fileName=[PKI_INSTANCE_PATH]/logs/error
+logAudit.fileName=[PKI_INSTANCE_PATH]/logs/[PKI_SUBSYSTEM_DIR]access
+logError.fileName=[PKI_INSTANCE_PATH]/logs/[PKI_SUBSYSTEM_DIR]error
 ocsp.certNickname=
 ocsp.storeId=defStore
 ocsp.signing.certnickname=
@@ -302,7 +303,7 @@ selftests.container.logger.bufferSize=512
 selftests.container.logger.class=com.netscape.cms.logging.RollingLogFile
 selftests.container.logger.enable=true
 selftests.container.logger.expirationTime=0
-selftests.container.logger.fileName=[PKI_INSTANCE_PATH]/logs/selftests.log
+selftests.container.logger.fileName=[PKI_INSTANCE_PATH]/logs/[PKI_SUBSYSTEM_DIR]selftests.log
 selftests.container.logger.flushInterval=5
 selftests.container.logger.level=1
 selftests.container.logger.maxFileSize=2000
diff --git a/base/ocsp/shared/webapps/ocsp/WEB-INF/web.xml b/base/ocsp/shared/webapps/ocsp/WEB-INF/web.xml
index e4ea799eb..cb18574b3 100644
--- a/base/ocsp/shared/webapps/ocsp/WEB-INF/web.xml
+++ b/base/ocsp/shared/webapps/ocsp/WEB-INF/web.xml
@@ -7,71 +7,6 @@
    PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN" "file:///usr/share/pki/setup/web-app_2_3.dtd">
 <web-app>
 
-    <filter>
-        <filter-name>AgentRequestFilter</filter-name>
-        <filter-class>com.netscape.cms.servlet.filter.AgentRequestFilter</filter-class>
-        <init-param>
-            <param-name>https_port</param-name>
-            <param-value>[PKI_AGENT_SECURE_PORT]</param-value>
-        </init-param>
-[PKI_OPEN_ENABLE_PROXY_COMMENT]
-        <init-param>
-            <param-name>proxy_port</param-name>
-            <param-value>[PKI_PROXY_SECURE_PORT]</param-value>
-        </init-param>
-[PKI_CLOSE_ENABLE_PROXY_COMMENT]
-        <init-param>
-            <param-name>active</param-name>
-            <param-value>true</param-value>
-        </init-param>
-    </filter>
-
-    <filter>
-        <filter-name>AdminRequestFilter</filter-name>
-        <filter-class>com.netscape.cms.servlet.filter.AdminRequestFilter</filter-class>
-        <init-param>
-            <param-name>https_port</param-name>
-            <param-value>[PKI_ADMIN_SECURE_PORT]</param-value>
-        </init-param>
-[PKI_OPEN_ENABLE_PROXY_COMMENT]
-        <init-param>
-            <param-name>proxy_port</param-name>
-            <param-value>[PKI_PROXY_SECURE_PORT]</param-value>
-        </init-param>
-[PKI_CLOSE_ENABLE_PROXY_COMMENT]
-        <init-param>
-            <param-name>active</param-name>
-            <param-value>true</param-value>
-        </init-param>
-    </filter>
-
-    <filter>
-        <filter-name>EERequestFilter</filter-name>
-        <filter-class>com.netscape.cms.servlet.filter.EERequestFilter</filter-class>
-        <init-param>
-            <param-name>http_port</param-name>
-            <param-value>[PKI_UNSECURE_PORT]</param-value>
-        </init-param>
-        <init-param>
-            <param-name>https_port</param-name>
-            <param-value>[PKI_EE_SECURE_PORT]</param-value>
-        </init-param>
-[PKI_OPEN_ENABLE_PROXY_COMMENT]
-        <init-param>
-            <param-name>proxy_port</param-name>
-            <param-value>[PKI_PROXY_SECURE_PORT]</param-value>
-        </init-param>
-        <init-param>
-            <param-name>proxy_http_port</param-name>
-            <param-value>[PKI_PROXY_UNSECURE_PORT]</param-value>
-        </init-param>
-[PKI_CLOSE_ENABLE_PROXY_COMMENT]
-        <init-param>
-            <param-name>active</param-name>
-            <param-value>true</param-value>
-        </init-param>
-    </filter>
-
     <servlet>
         <servlet-name>csadmin-wizard</servlet-name>
         <servlet-class>com.netscape.cms.servlet.wizard.WizardServlet</servlet-class>
@@ -160,7 +95,7 @@
              <init-param><param-name>  AuthzMgr    </param-name>
                          <param-value> BasicAclAuthz </param-value> </init-param>
              <init-param><param-name>  cfgPath     </param-name>
-                         <param-value> [PKI_INSTANCE_PATH]/conf/CS.cfg </param-value> </init-param>
+                         <param-value> [PKI_INSTANCE_PATH]/conf/[PKI_SUBSYSTEM_DIR]CS.cfg </param-value> </init-param>
              <init-param><param-name>  ID          </param-name>
                          <param-value> ocspstart   </param-value> </init-param>
       <load-on-startup>  1  </load-on-startup>
@@ -469,10 +404,9 @@
                          <param-value> ee          </param-value> </init-param>
    </servlet>
 
-   <context-param>
-      <param-name>resteasy.scan</param-name>
-      <param-value>true</param-value>
-   </context-param>
+   <listener>
+      <listener-class> org.jboss.resteasy.plugins.server.servlet.ResteasyBootstrap </listener-class>
+   </listener>
 
    <context-param>
       <param-name>resteasy.servlet.mapping.prefix</param-name>
@@ -489,31 +423,12 @@
    <servlet>
       <servlet-name>Resteasy</servlet-name>
       <servlet-class>org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher</servlet-class>
+      <init-param>
+         <param-name>javax.ws.rs.Application</param-name>
+         <param-value>com.netscape.ocsp.OCSPApplication</param-value>
+      </init-param>
    </servlet>
 
-[PKI_OPEN_SEPARATE_PORTS_WEB_COMMENT]
-   <filter-mapping>
-      <filter-name>  AgentRequestFilter  </filter-name>
-      <url-pattern>  /agent/*            </url-pattern>
-   </filter-mapping>
-
-   <filter-mapping>
-      <filter-name>  AdminRequestFilter  </filter-name>
-      <url-pattern>  /admin/*            </url-pattern>
-      <url-pattern>  /auths              </url-pattern>
-      <url-pattern>  /ug                 </url-pattern>
-      <url-pattern>  /log                </url-pattern>
-      <url-pattern>  /acl                </url-pattern>
-      <url-pattern>  /server             </url-pattern>
-      <url-pattern>  /ocsp               </url-pattern>
-   </filter-mapping>
-
-   <filter-mapping>
-      <filter-name>  EERequestFilter  </filter-name>
-      <url-pattern>  /ee/*            </url-pattern>
-   </filter-mapping>
-[PKI_CLOSE_SEPARATE_PORTS_WEB_COMMENT]
-
    <servlet-mapping>
       <servlet-name>Resteasy</servlet-name>
       <url-pattern>/pki/*</url-pattern>
diff --git a/base/setup/pkicreate b/base/setup/pkicreate
index bd07eb0b0..6abb73755 100755
--- a/base/setup/pkicreate
+++ b/base/setup/pkicreate
@@ -307,6 +307,7 @@ my $PKI_EE_SECURE_CLIENT_AUTH_PORT_UI_SLOT = "PKI_EE_SECURE_CLIENT_AUTH_PORT_UI"
 my $PKI_AGENT_SECURE_PORT_SLOT          = "PKI_AGENT_SECURE_PORT";
 my $PKI_ADMIN_SECURE_PORT_SLOT          = "PKI_ADMIN_SECURE_PORT";
 my $PKI_SERVER_XML_CONF                 = "PKI_SERVER_XML_CONF";
+my $PKI_SUBSYSTEM_DIR_SLOT              = "PKI_SUBSYSTEM_DIR";
 my $PKI_SUBSYSTEM_TYPE_SLOT             = "PKI_SUBSYSTEM_TYPE";
 my $PKI_UNSECURE_PORT_SLOT              = "PKI_UNSECURE_PORT";
 my $PKI_USER_SLOT                       = "PKI_USER";
@@ -2417,6 +2418,7 @@ sub process_pki_templates
 
     emit("Processing PKI templates for '$pki_instance_path' ...\n");
 
+    $slot_hash{$PKI_SUBSYSTEM_DIR_SLOT}    = "";
     $slot_hash{$PKI_SUBSYSTEM_TYPE_SLOT}   = $subsystem_type;
     $slot_hash{$PKI_INSTANCE_ID_SLOT}      = $pki_instance_name;
     $slot_hash{$PKI_INSTANCE_ROOT_SLOT}    = $pki_instance_root;
diff --git a/base/tks/shared/conf/CS.cfg.in b/base/tks/shared/conf/CS.cfg.in
index 740baf61e..f641e026f 100644
--- a/base/tks/shared/conf/CS.cfg.in
+++ b/base/tks/shared/conf/CS.cfg.in
@@ -91,6 +91,7 @@ preop.module.token=Internal Key Storage Token
 cs.state=0
 authType=pwd
 instanceRoot=[PKI_INSTANCE_PATH]
+configurationRoot=/[PKI_SUBSYSTEM_DIR]conf/
 machineName=[PKI_MACHINE_NAME]
 instanceId=[PKI_INSTANCE_ID]
 preop.pin=[PKI_RANDOM_NUMBER]
@@ -156,7 +157,7 @@ dbs.ldap=internaldb
 dbs.newSchemaEntryAdded=true
 debug.append=true
 debug.enabled=true
-debug.filename=[PKI_INSTANCE_PATH]/logs/debug
+debug.filename=[PKI_INSTANCE_PATH]/logs/[PKI_SUBSYSTEM_DIR]debug
 debug.hashkeytypes=
 debug.level=0
 debug.showcaller=false
@@ -209,7 +210,7 @@ log.instance.SignedAudit.bufferSize=512
 log.instance.SignedAudit.enable=true
 log.instance.SignedAudit.events=AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,PRIVATE_KEY_ARCHIVE_REQUEST,PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,KEY_RECOVERY_REQUEST,KEY_RECOVERY_REQUEST_ASYNC,KEY_RECOVERY_AGENT_LOGIN,KEY_RECOVERY_REQUEST_PROCESSED,KEY_RECOVERY_REQUEST_PROCESSED_ASYNC,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ_SUCCESS,AUTHZ_FAIL,INTER_BOUNDARY,AUTH_FAIL,AUTH_SUCCESS,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_ADD_CA_REQUEST,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST,OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS,OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION
 log.instance.SignedAudit.expirationTime=0
-log.instance.SignedAudit.fileName=[PKI_INSTANCE_PATH]/logs/signedAudit/tks_cert-tks_audit
+log.instance.SignedAudit.fileName=[PKI_INSTANCE_PATH]/logs/[PKI_SUBSYSTEM_DIR]signedAudit/tks_cert-tks_audit
 log.instance.SignedAudit.flushInterval=5
 log.instance.SignedAudit.level=1
 log.instance.SignedAudit.logSigning=false
@@ -227,7 +228,7 @@ log.instance.System._002=##
 log.instance.System.bufferSize=512
 log.instance.System.enable=true
 log.instance.System.expirationTime=0
-log.instance.System.fileName=[PKI_INSTANCE_PATH]/logs/system
+log.instance.System.fileName=[PKI_INSTANCE_PATH]/logs/[PKI_SUBSYSTEM_DIR]system
 log.instance.System.flushInterval=5
 log.instance.System.level=3
 log.instance.System.maxFileSize=2000
@@ -240,15 +241,15 @@ log.instance.Transactions._002=##
 log.instance.Transactions.bufferSize=512
 log.instance.Transactions.enable=true
 log.instance.Transactions.expirationTime=0
-log.instance.Transactions.fileName=[PKI_INSTANCE_PATH]/logs/transactions
+log.instance.Transactions.fileName=[PKI_INSTANCE_PATH]/logs/[PKI_SUBSYSTEM_DIR]transactions
 log.instance.Transactions.flushInterval=5
 log.instance.Transactions.level=1
 log.instance.Transactions.maxFileSize=2000
 log.instance.Transactions.pluginName=file
 log.instance.Transactions.rolloverInterval=2592000
 log.instance.Transactions.type=transaction
-logAudit.fileName=[PKI_INSTANCE_PATH]/logs/access
-logError.fileName=[PKI_INSTANCE_PATH]/logs/error
+logAudit.fileName=[PKI_INSTANCE_PATH]/logs/[PKI_SUBSYSTEM_DIR]access
+logError.fileName=[PKI_INSTANCE_PATH]/logs/[PKI_SUBSYSTEM_DIR]error
 oidmap.auth_info_access.class=netscape.security.extensions.AuthInfoAccessExtension
 oidmap.auth_info_access.oid=1.3.6.1.5.5.7.1.1
 oidmap.challenge_password.class=com.netscape.cms.servlet.cert.scep.ChallengePassword
@@ -285,7 +286,7 @@ selftests.container.logger.bufferSize=512
 selftests.container.logger.class=com.netscape.cms.logging.RollingLogFile
 selftests.container.logger.enable=true
 selftests.container.logger.expirationTime=0
-selftests.container.logger.fileName=[PKI_INSTANCE_PATH]/logs/selftests.log
+selftests.container.logger.fileName=[PKI_INSTANCE_PATH]/logs/[PKI_SUBSYSTEM_DIR]selftests.log
 selftests.container.logger.flushInterval=5
 selftests.container.logger.level=1
 selftests.container.logger.maxFileSize=2000
diff --git a/base/tks/shared/webapps/tks/WEB-INF/web.xml b/base/tks/shared/webapps/tks/WEB-INF/web.xml
index c3f7593c2..20874de45 100644
--- a/base/tks/shared/webapps/tks/WEB-INF/web.xml
+++ b/base/tks/shared/webapps/tks/WEB-INF/web.xml
@@ -7,71 +7,6 @@
    PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN" "file:///usr/share/pki/setup/web-app_2_3.dtd">
 <web-app>
 
-    <filter>
-        <filter-name>AgentRequestFilter</filter-name>
-        <filter-class>com.netscape.cms.servlet.filter.AgentRequestFilter</filter-class>
-        <init-param>
-            <param-name>https_port</param-name>
-            <param-value>[PKI_AGENT_SECURE_PORT]</param-value>
-        </init-param>
-[PKI_OPEN_ENABLE_PROXY_COMMENT]
-        <init-param>
-            <param-name>proxy_port</param-name>
-            <param-value>[PKI_PROXY_SECURE_PORT]</param-value>
-        </init-param>
-[PKI_CLOSE_ENABLE_PROXY_COMMENT]
-        <init-param>
-            <param-name>active</param-name>
-            <param-value>true</param-value>
-        </init-param>
-    </filter>
-
-    <filter>
-        <filter-name>AdminRequestFilter</filter-name>
-        <filter-class>com.netscape.cms.servlet.filter.AdminRequestFilter</filter-class>
-        <init-param>
-            <param-name>https_port</param-name>
-            <param-value>[PKI_ADMIN_SECURE_PORT]</param-value>
-        </init-param>
-[PKI_OPEN_ENABLE_PROXY_COMMENT]
-        <init-param>
-            <param-name>proxy_port</param-name>
-            <param-value>[PKI_PROXY_SECURE_PORT]</param-value>
-        </init-param>
-[PKI_CLOSE_ENABLE_PROXY_COMMENT]
-        <init-param>
-            <param-name>active</param-name>
-            <param-value>true</param-value>
-        </init-param>
-    </filter>
-
-    <filter>
-        <filter-name>EERequestFilter</filter-name>
-        <filter-class>com.netscape.cms.servlet.filter.EERequestFilter</filter-class>
-        <init-param>
-            <param-name>http_port</param-name>
-            <param-value>[PKI_UNSECURE_PORT]</param-value>
-        </init-param>
-        <init-param>
-            <param-name>https_port</param-name>
-            <param-value>[PKI_EE_SECURE_PORT]</param-value>
-        </init-param>
-[PKI_OPEN_ENABLE_PROXY_COMMENT]
-        <init-param>
-            <param-name>proxy_port</param-name>
-            <param-value>[PKI_PROXY_SECURE_PORT]</param-value>
-        </init-param>
-        <init-param>
-            <param-name>proxy_http_port</param-name>
-            <param-value>[PKI_PROXY_UNSECURE_PORT]</param-value>
-        </init-param>
-[PKI_CLOSE_ENABLE_PROXY_COMMENT]
-        <init-param>
-            <param-name>active</param-name>
-            <param-value>true</param-value>
-        </init-param>
-    </filter>
-
     <servlet>
         <servlet-name>csadmin-wizard</servlet-name>
         <servlet-class>com.netscape.cms.servlet.wizard.WizardServlet</servlet-class>
@@ -104,7 +39,7 @@
              <init-param><param-name>  AuthzMgr    </param-name>
                          <param-value> BasicAclAuthz </param-value> </init-param>
              <init-param><param-name>  cfgPath     </param-name>
-                         <param-value> [PKI_INSTANCE_PATH]/conf/CS.cfg </param-value> </init-param>
+                         <param-value> [PKI_INSTANCE_PATH]/conf/[PKI_SUBSYSTEM_DIR]CS.cfg </param-value> </init-param>
              <init-param><param-name>  ID          </param-name>
                          <param-value> tksstart    </param-value> </init-param>
       <load-on-startup>  1  </load-on-startup>
@@ -338,10 +273,9 @@
                          <param-value> ee          </param-value> </init-param>
    </servlet>
 
-   <context-param>
-      <param-name>resteasy.scan</param-name>
-      <param-value>true</param-value>
-   </context-param>
+   <listener>
+      <listener-class> org.jboss.resteasy.plugins.server.servlet.ResteasyBootstrap </listener-class>
+   </listener>
 
    <context-param>
       <param-name>resteasy.servlet.mapping.prefix</param-name>
@@ -358,30 +292,12 @@
    <servlet>
       <servlet-name>Resteasy</servlet-name>
       <servlet-class>org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher</servlet-class>
+      <init-param>
+         <param-name>javax.ws.rs.Application</param-name>
+         <param-value>com.netscape.tks.TKSApplication</param-value>
+      </init-param>
    </servlet>
 
-[PKI_OPEN_SEPARATE_PORTS_WEB_COMMENT]
-   <filter-mapping>
-      <filter-name>  AgentRequestFilter  </filter-name>
-      <url-pattern>  /agent/*            </url-pattern>
-   </filter-mapping>
-
-   <filter-mapping>
-      <filter-name>  AdminRequestFilter  </filter-name>
-      <url-pattern>  /admin/*            </url-pattern>
-      <url-pattern>  /auths              </url-pattern>
-      <url-pattern>  /ug                 </url-pattern>
-      <url-pattern>  /log                </url-pattern>
-      <url-pattern>  /acl                </url-pattern>
-      <url-pattern>  /server             </url-pattern>
-   </filter-mapping>
-
-   <filter-mapping>
-      <filter-name>  EERequestFilter  </filter-name>
-      <url-pattern>  /ee/*            </url-pattern>
-   </filter-mapping>
-[PKI_CLOSE_SEPARATE_PORTS_WEB_COMMENT]
-
    <servlet-mapping>
       <servlet-name>Resteasy</servlet-name>
       <url-pattern>/pki/*</url-pattern>
diff --git a/specs/dogtag-pki.spec b/specs/dogtag-pki.spec
index 20b0c7bc2..4b079751f 100644
--- a/specs/dogtag-pki.spec
+++ b/specs/dogtag-pki.spec
@@ -8,7 +8,7 @@
 Summary:          Dogtag Public Key Infrastructure (PKI) Suite
 Name:             dogtag-pki
 Version:          10.0.0
-Release:          %{?relprefix}4%{?prerel}%{?dist}
+Release:          %{?relprefix}5%{?prerel}%{?dist}
 # The entire source code is GPLv2 except for 'pki-tps' which is LGPLv2
 License:          GPLv2 and LGPLv2
 URL:              http://pki.fedoraproject.org/
@@ -17,6 +17,19 @@ BuildRoot:        %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 BuildArch:        noarch
 
 # Establish MINIMUM package versions based upon platform
+%if 0%{?fedora} >= 18
+%define dogtag_pki_theme_version   10.0.0
+%define esc_version                1.1.0
+%define jss_version                4.2.6-24
+%define pki_core_version           10.0.0
+%define pki_kra_version            10.0.0
+%define pki_ocsp_version           10.0.0
+%define pki_ra_version             10.0.0
+%define pki_tks_version            10.0.0
+%define pki_tps_version            10.0.0
+%define pki_console_version        10.0.0
+%define tomcatjss_version          7.0.0
+%else
 %if 0%{?fedora} >= 17
 %define dogtag_pki_theme_version   10.0.0
 %define esc_version                1.1.0
@@ -56,6 +69,7 @@ BuildArch:        noarch
 %define tomcatjss_version          2.0.0
 %endif
 %endif
+%endif
 
 Requires:         apache-commons-codec
 
@@ -184,6 +198,9 @@ rm -rf %{buildroot}
 %doc README
 
 %changelog
+* Thu Jun 14 2012 Matthew Harmsen <mharmsen@redhat.com> 10.0.0-0.5.a1
+- Updated release of 'tomcatjss' to rely on Tomcat 7 for Fedora 18
+
 * Thu Apr  5 2012 Christina Fu <cfu@redhat.com> 10.0.0-0.4.a1
 - Bug 745278 - [RFE] ECC encryption keys cannot be archived
 
diff --git a/specs/pki-core.spec b/specs/pki-core.spec
index b742e52cf..2af431121 100644
--- a/specs/pki-core.spec
+++ b/specs/pki-core.spec
@@ -14,7 +14,7 @@ distutils.sysconfig import get_python_lib; print(get_python_lib(1))")}
 
 Name:             pki-core
 Version:          10.0.0
-Release:          %{?relprefix}17%{?prerel}%{?dist}
+Release:          %{?relprefix}19%{?prerel}%{?dist}
 Summary:          Certificate System - PKI Core Components
 URL:              http://pki.fedoraproject.org/
 License:          GPLv2
@@ -47,6 +47,12 @@ BuildRequires:    junit
 %else
 BuildRequires:    junit4
 %endif
+%if 0%{?fedora} >= 18
+BuildRequires:    jpackage-utils >= 0:1.7.5-10
+BuildRequires:    jss >= 4.2.6-24
+BuildRequires:    systemd-units
+BuildRequires:    tomcatjss >= 7.0.0
+%else
 %if 0%{?fedora} >= 16
 BuildRequires:    jpackage-utils >= 0:1.7.5-10
 BuildRequires:    jss >= 4.2.6-24
@@ -63,6 +69,7 @@ BuildRequires:    jss >= 4.2.6-17
 BuildRequires:    tomcatjss >= 2.0.0
 %endif
 %endif
+%endif
 # Add the following build-time requirements to support the "pki-deploy" package
 BuildRequires:    pki-common-theme
 BuildRequires:    pki-ca-theme
@@ -345,6 +352,7 @@ BuildArch:        noarch
 Requires:         java >= 1:1.6.0
 Requires:         javassist
 Requires:         jettison
+Requires:         jython >= 2.2.1
 Requires:         pki-common-theme >= 9.0.0
 Requires:         pki-java-tools = %{version}-%{release}
 Requires:         pki-deploy = %{version}-%{release}
@@ -360,6 +368,15 @@ Requires:         velocity
 %if 0%{?fedora} >= 17
 Requires:         resteasy >= 2.3.2-1
 %endif
+%if 0%{?fedora} >= 18
+Requires:         apache-commons-lang
+Requires:         apache-commons-logging
+Requires:         jss >= 4.2.6-24
+Requires(post):   systemd-units
+Requires(preun):  systemd-units
+Requires(postun): systemd-units
+Requires:         tomcatjss >= 7.0.0
+%else
 %if 0%{?fedora} >= 16
 Requires:         apache-commons-lang
 Requires:         apache-commons-logging
@@ -398,6 +415,7 @@ Requires:         tomcatjss >= 2.0.0
 %endif
 %endif
 %endif
+%endif
 
 %description -n   pki-common
 The PKI Common Framework is required by the following four PKI subsystems:
@@ -785,8 +803,8 @@ echo "D /var/run/pki/tks 0755 root root -"  >> %{buildroot}%{_sysconfdir}/tmpfil
 %{__rm} %{buildroot}%{_initrddir}/pki-ocspd
 %{__rm} %{buildroot}%{_initrddir}/pki-tksd
 # Create symlink to the pki-jndi-realm jar
-%{__mkdir_p} %{buildroot}%{_javadir}/tomcat6
-%{__ln_s} -f %{_javadir}/pki/pki-jndi-realm.jar %{buildroot}%{_javadir}/tomcat6/pki-jndi-realm.jar
+%{__mkdir_p} %{buildroot}%{_javadir}/tomcat
+%{__ln_s} -f %{_javadir}/pki/pki-jndi-realm.jar %{buildroot}%{_javadir}/tomcat/pki-jndi-realm.jar
 %else
 %{__rm} %{buildroot}%{_bindir}/pkicontrol
 %{__rm} %{buildroot}%{_bindir}/pkidaemon
@@ -1253,7 +1271,7 @@ fi
 
 %if 0%{?fedora} >= 16
 # Create symlink to the pki-jndi-realm jar
-%{_javadir}/tomcat6/pki-jndi-realm.jar
+%{_javadir}/tomcat/pki-jndi-realm.jar
 %endif
 %if 0%{?fedora} >= 15
 # Details:
@@ -1413,6 +1431,12 @@ fi
 
 
 %changelog
+* Wed Jul 11 2012 Matthew Harmsen <mharmsen@redhat.com> 10.0.0-0.19.a1
+- Moved 'pki-jndi-real.jar' link from 'tomcat6' to 'tomcat' (Tomcat 7)
+
+* Thu Jun 14 2012 Matthew Harmsen <mharmsen@redhat.com> 10.0.0-0.18.a1
+- Updated release of 'tomcatjss' to rely on Tomcat 7 for Fedora 18
+
 * Mon May 29 2012 Endi S. Dewata <edewata@redhat.com> 10.0.0-0.17.a1
 - Added CLI for REST services
 
-- 
cgit