From 819fd31d34b3159e895f15bfad41bf483adca79e Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata" <edewata@redhat.com>
Date: Mon, 10 Feb 2014 13:46:10 -0500
Subject: Upgraded RESTEasy client library.

The Dogtag client library has been modified to use RESTEasy 3.0 client
library. A new upgrade script has been added to update existing servers.

The JAXB annotation in ResourceMessage has been modified to require
explicit property mapping.

Ticket #554
---
 .classpath                                         |  1 +
 base/common/src/CMakeLists.txt                     |  9 ++-
 .../com/netscape/certsrv/base/ResourceMessage.java |  3 +
 .../com/netscape/certsrv/client/PKIConnection.java | 76 +++++++++++++---------
 .../certsrv/client/PKIErrorInterceptor.java        | 62 ------------------
 base/java-tools/pki                                |  1 +
 .../cms/servlet/csadmin/ConfigurationUtils.java    | 25 +++----
 .../netscape/cms/servlet/csadmin/GetCookie.java    | 23 ++++++-
 .../cms/servlet/csadmin/SystemConfigService.java   | 19 +++++-
 base/server/etc/default.cfg                        |  1 +
 .../deployment/scriptlets/instance_layout.py       |  4 ++
 base/server/scripts/operations                     |  2 +
 base/server/share/conf/pki.policy                  |  4 ++
 base/server/upgrade/10.1.99/03-AddedRESTEasyClient | 76 ++++++++++++++++++++++
 scripts/compose_pki_test_package                   |  1 +
 tests/dogtag/dev_java_tests/run_junit_tests.sh     |  1 +
 16 files changed, 201 insertions(+), 107 deletions(-)
 delete mode 100644 base/common/src/com/netscape/certsrv/client/PKIErrorInterceptor.java
 create mode 100755 base/server/upgrade/10.1.99/03-AddedRESTEasyClient

diff --git a/.classpath b/.classpath
index 1e8307912..bc0c70f6b 100644
--- a/.classpath
+++ b/.classpath
@@ -48,6 +48,7 @@
 	<classpathentry kind="lib" path="/usr/share/java/httpcomponents/httpclient.jar"/>
 	<classpathentry kind="lib" path="/usr/share/java/httpcomponents/httpcore.jar"/>
 	<classpathentry kind="lib" path="/usr/share/java/resteasy/jaxrs-api.jar"/>
+	<classpathentry kind="lib" path="/usr/share/java/resteasy/resteasy-client.jar"/>
 	<classpathentry kind="lib" path="/usr/share/java/resteasy/resteasy-jaxb-provider.jar"/>
 	<classpathentry kind="lib" path="/usr/share/java/resteasy/resteasy-jaxrs.jar"/>
 	<classpathentry kind="lib" path="/usr/share/java/resteasy/resteasy-jackson-provider.jar"/>
diff --git a/base/common/src/CMakeLists.txt b/base/common/src/CMakeLists.txt
index e4f999921..f48ef8786 100644
--- a/base/common/src/CMakeLists.txt
+++ b/base/common/src/CMakeLists.txt
@@ -104,6 +104,13 @@ find_file(RESTEASY_ATOM_PROVIDER_JAR
         ${RESTEASY_LIB}
 )
 
+find_file(RESTEASY_CLIENT_JAR
+    NAMES
+        resteasy-client.jar
+    PATHS
+        ${RESTEASY_LIB}
+)
+
 find_file(HTTPCLIENT_JAR
     NAMES
         httpclient.jar
@@ -128,7 +135,7 @@ javac(pki-certsrv-classes
         ${JSS_JAR} ${COMMONS_CODEC_JAR} ${COMMONS_HTTPCLIENT_JAR}
         ${APACHE_COMMONS_LANG_JAR}
         ${TOMCAT_CATALINA_JAR} ${TOMCAT_UTIL_JAR} ${SYMKEY_JAR}
-        ${JAXRS_API_JAR} ${RESTEASY_JAXRS_JAR} ${RESTEASY_ATOM_PROVIDER_JAR}
+        ${JAXRS_API_JAR} ${RESTEASY_JAXRS_JAR} ${RESTEASY_ATOM_PROVIDER_JAR} ${RESTEASY_CLIENT_JAR}
         ${HTTPCLIENT_JAR} ${HTTPCORE_JAR}
     OUTPUT_DIR
         ${CMAKE_BINARY_DIR}/classes
diff --git a/base/common/src/com/netscape/certsrv/base/ResourceMessage.java b/base/common/src/com/netscape/certsrv/base/ResourceMessage.java
index 57b5539b8..e7ef44f4b 100644
--- a/base/common/src/com/netscape/certsrv/base/ResourceMessage.java
+++ b/base/common/src/com/netscape/certsrv/base/ResourceMessage.java
@@ -13,6 +13,8 @@ import javax.xml.bind.JAXBContext;
 import javax.xml.bind.JAXBException;
 import javax.xml.bind.Marshaller;
 import javax.xml.bind.Unmarshaller;
+import javax.xml.bind.annotation.XmlAccessType;
+import javax.xml.bind.annotation.XmlAccessorType;
 import javax.xml.bind.annotation.XmlAttribute;
 import javax.xml.bind.annotation.XmlElement;
 import javax.xml.bind.annotation.XmlRootElement;
@@ -24,6 +26,7 @@ import javax.xml.bind.annotation.adapters.XmlJavaTypeAdapter;
  * @author Ade Lee
  */
 @XmlRootElement(name="ResourceMessage")
+@XmlAccessorType(XmlAccessType.NONE)
 public class ResourceMessage {
 
     protected Map<String, String> attributes = new LinkedHashMap<String, String>();
diff --git a/base/common/src/com/netscape/certsrv/client/PKIConnection.java b/base/common/src/com/netscape/certsrv/client/PKIConnection.java
index 6e281dd5a..1c3e58a1b 100644
--- a/base/common/src/com/netscape/certsrv/client/PKIConnection.java
+++ b/base/common/src/com/netscape/certsrv/client/PKIConnection.java
@@ -8,6 +8,7 @@ import java.io.InputStreamReader;
 import java.io.OutputStream;
 import java.io.PrintStream;
 import java.lang.reflect.Field;
+import java.lang.reflect.InvocationTargetException;
 import java.lang.reflect.Modifier;
 import java.net.InetAddress;
 import java.net.InetSocketAddress;
@@ -21,7 +22,8 @@ import java.util.Enumeration;
 import java.util.HashSet;
 import java.util.List;
 
-import javax.ws.rs.core.MediaType;
+import javax.ws.rs.client.Entity;
+import javax.ws.rs.core.MultivaluedMap;
 import javax.ws.rs.core.Response;
 
 import org.apache.commons.httpclient.ConnectTimeoutException;
@@ -53,14 +55,11 @@ import org.apache.http.impl.client.RequestWrapper;
 import org.apache.http.message.BasicHttpResponse;
 import org.apache.http.params.HttpParams;
 import org.apache.http.protocol.HttpContext;
-import org.jboss.resteasy.client.ClientExecutor;
-import org.jboss.resteasy.client.ClientRequest;
-import org.jboss.resteasy.client.ClientResponse;
-import org.jboss.resteasy.client.ClientResponseFailure;
-import org.jboss.resteasy.client.ProxyFactory;
-import org.jboss.resteasy.client.core.BaseClientResponse;
-import org.jboss.resteasy.client.core.executors.ApacheHttpClient4Executor;
-import org.jboss.resteasy.client.core.extractors.ClientErrorHandler;
+import org.jboss.resteasy.client.jaxrs.ProxyBuilder;
+import org.jboss.resteasy.client.jaxrs.ResteasyClient;
+import org.jboss.resteasy.client.jaxrs.ResteasyClientBuilder;
+import org.jboss.resteasy.client.jaxrs.ResteasyWebTarget;
+import org.jboss.resteasy.client.jaxrs.engines.ApacheHttpClient4Engine;
 import org.jboss.resteasy.spi.ResteasyProviderFactory;
 import org.mozilla.jss.CryptoManager;
 import org.mozilla.jss.CryptoManager.NotInitializedException;
@@ -68,6 +67,8 @@ import org.mozilla.jss.crypto.X509Certificate;
 import org.mozilla.jss.ssl.SSLCertificateApprovalCallback;
 import org.mozilla.jss.ssl.SSLSocket;
 
+import com.netscape.certsrv.base.PKIException;
+
 
 public class PKIConnection {
 
@@ -82,9 +83,9 @@ public class PKIConnection {
 
     DefaultHttpClient httpClient = new DefaultHttpClient();
 
+    ApacheHttpClient4Engine engine;
+    ResteasyClient resteasyClient;
     ResteasyProviderFactory providerFactory;
-    ClientErrorHandler errorHandler;
-    ClientExecutor executor;
 
     int requestCounter;
     int responseCounter;
@@ -194,10 +195,8 @@ public class PKIConnection {
             }
         });
 
-        executor = new ApacheHttpClient4Executor(httpClient);
-        providerFactory = ResteasyProviderFactory.getInstance();
-        providerFactory.addClientErrorInterceptor(new PKIErrorInterceptor());
-        errorHandler = new ClientErrorHandler(providerFactory.getClientErrorInterceptors());
+        engine = new ApacheHttpClient4Engine(httpClient);
+        resteasyClient = new ResteasyClientBuilder().httpEngine(engine).build();
     }
 
     public void storeRequest(File file, HttpRequest request) throws IOException {
@@ -511,29 +510,48 @@ public class PKIConnection {
     }
 
     public <T> T createProxy(URI uri, Class<T> clazz) throws URISyntaxException {
-        return ProxyFactory.create(clazz, uri, executor, providerFactory);
+        ResteasyWebTarget target = resteasyClient.target(uri);
+        return ProxyBuilder.builder(clazz, target).build();
     }
 
-    @SuppressWarnings("unchecked")
     public <T> T getEntity(Response response, Class<T> clazz) {
-        BaseClientResponse<T> clientResponse = (BaseClientResponse<T>)response;
-        try {
-            clientResponse.checkFailureStatus();
 
-        } catch (ClientResponseFailure e) {
-            errorHandler.clientErrorHandling((BaseClientResponse<T>) e.getResponse(), e);
+        // handle HTTP status code 4xx and 5xx only
+        int code = response.getStatus();
+        if (code < 400) {
+            if (!response.hasEntity()) return null;
+            return response.readEntity(clazz);
+        }
+
+        String contentType = response.getHeaderString("Content-Type");
+
+        if (contentType == null)
+            throw new PKIException("HTTP Error " + code);
 
-        } catch (RuntimeException e) {
-            errorHandler.clientErrorHandling(clientResponse, e);
+        PKIException.Data data = response.readEntity(PKIException.Data.class);
+
+        Class<?> exceptionClass;
+        try {
+            exceptionClass = Class.forName(data.getClassName());
+        } catch (ClassNotFoundException e) {
+            throw new PKIException(e.getMessage(), e);
         }
 
-        return clientResponse.getEntity();
+        try {
+            throw (PKIException) exceptionClass.getConstructor(PKIException.Data.class).newInstance(data);
+        } catch (InstantiationException
+                | IllegalAccessException
+                | IllegalArgumentException
+                | InvocationTargetException
+                | NoSuchMethodException
+                | SecurityException e) {
+            throw new PKIException(e.getMessage(), e);
+        }
     }
 
-    public ClientResponse<String> post(String content) throws Exception {
-        ClientRequest request = executor.createRequest(config.getServerURI().toString());
-        request.body(MediaType.APPLICATION_FORM_URLENCODED, content);
-        return request.post(String.class);
+    public String post(MultivaluedMap<String, String> form) throws Exception {
+        ResteasyWebTarget target = resteasyClient.target(config.getServerURI());
+        return target.request().post(Entity.form(form), String.class);
     }
 
     public void addRejectedCertStatus(Integer rejectedCertStatus) {
diff --git a/base/common/src/com/netscape/certsrv/client/PKIErrorInterceptor.java b/base/common/src/com/netscape/certsrv/client/PKIErrorInterceptor.java
deleted file mode 100644
index abb892289..000000000
--- a/base/common/src/com/netscape/certsrv/client/PKIErrorInterceptor.java
+++ /dev/null
@@ -1,62 +0,0 @@
-// --- BEGIN COPYRIGHT BLOCK ---
-// This program is free software; you can redistribute it and/or modify
-// it under the terms of the GNU General Public License as published by
-// the Free Software Foundation; version 2 of the License.
-//
-// This program is distributed in the hope that it will be useful,
-// but WITHOUT ANY WARRANTY; without even the implied warranty of
-// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-// GNU General Public License for more details.
-//
-// You should have received a copy of the GNU General Public License along
-// with this program; if not, write to the Free Software Foundation, Inc.,
-// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-//
-// (C) 2007 Red Hat, Inc.
-// All rights reserved.
-// --- END COPYRIGHT BLOCK ---
-package com.netscape.certsrv.client;
-
-import javax.ws.rs.core.MediaType;
-import javax.ws.rs.core.MultivaluedMap;
-
-import org.jboss.resteasy.client.ClientResponse;
-import org.jboss.resteasy.client.core.ClientErrorInterceptor;
-
-import com.netscape.certsrv.base.PKIException;
-
-public class PKIErrorInterceptor implements ClientErrorInterceptor {
-
-    public void handle(ClientResponse<?> response) {
-
-        // handle HTTP code 4xx and 5xx
-        int code = response.getResponseStatus().getStatusCode();
-        if (code < 400)
-            return;
-
-        MultivaluedMap<String, String> headers = response.getResponseHeaders();
-        String contentType = headers.getFirst("Content-Type");
-
-        // handle XML content only
-        if (contentType == null || !contentType.startsWith(MediaType.APPLICATION_XML))
-            return;
-
-        PKIException exception;
-
-        try {
-            // Requires RESTEasy 2.3.2
-            // https://issues.jboss.org/browse/RESTEASY-652
-            PKIException.Data data = response.getEntity(PKIException.Data.class);
-
-            Class<?> clazz = Class.forName(data.getClassName());
-            exception = (PKIException) clazz.getConstructor(PKIException.Data.class).newInstance(data);
-
-        } catch (Exception e) {
-            e.printStackTrace();
-            return;
-        }
-
-        throw exception;
-    }
-
-}
diff --git a/base/java-tools/pki b/base/java-tools/pki
index 87a00d708..9dfd7ec6e 100755
--- a/base/java-tools/pki
+++ b/base/java-tools/pki
@@ -102,6 +102,7 @@ $ENV{CLASSPATH} = "/usr/share/java/${PRODUCT}/pki-certsrv.jar:"
                 . "/usr/share/java/jaxb-api.jar:"
                 . "${RESTEASY_LIB}/jaxrs-api.jar:"
                 . "${RESTEASY_LIB}/resteasy-atom-provider.jar:"
+                . "${RESTEASY_LIB}/resteasy-client.jar:"
                 . "${RESTEASY_LIB}/resteasy-jaxb-provider.jar:"
                 . "${RESTEASY_LIB}/resteasy-jaxrs.jar:"
                 . "${RESTEASY_LIB}/resteasy-jaxrs-jandex.jar:"
diff --git a/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java b/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java
index 30d908f2e..ded7c1eed 100644
--- a/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java
+++ b/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java
@@ -54,6 +54,8 @@ import java.util.Vector;
 
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
+import javax.ws.rs.core.MultivaluedHashMap;
+import javax.ws.rs.core.MultivaluedMap;
 import javax.ws.rs.core.Response;
 import javax.xml.parsers.ParserConfigurationException;
 
@@ -78,7 +80,6 @@ import netscape.security.x509.X509CertImpl;
 import netscape.security.x509.X509Key;
 
 import org.apache.velocity.context.Context;
-import org.jboss.resteasy.client.ClientResponse;
 import org.jboss.resteasy.client.ClientResponseFailure;
 import org.mozilla.jss.CryptoManager;
 import org.mozilla.jss.CryptoManager.NicknameConflictException;
@@ -213,8 +214,8 @@ public class ConfigurationUtils {
         return getHttpResponse(hostname, port, secure, uri, content, clientnickname, null);
     }
 
-    public static ClientResponse<String> getClientResponse(String hostname, int port, boolean secure,
-            String path, String content, String clientnickname,
+    public static String post(String hostname, int port, boolean secure,
+            String path, MultivaluedMap<String, String> map, String clientnickname,
             SSLCertificateApprovalCallback certApprovalCallback)
             throws Exception {
 
@@ -225,9 +226,7 @@ public class ConfigurationUtils {
 
         PKIClient client = new PKIClient(config);
         PKIConnection connection = client.getConnection();
-        ClientResponse<String> response = connection.post(content);
-
-        return response;
+        return connection.post(map);
     }
 
     //TODO - replace with Jack's connector code
@@ -328,6 +327,7 @@ public class ConfigurationUtils {
         boolean oldtoken = cs.getBoolean("cs.useOldTokenInterface", false);
 
         if (oldtoken) {
+            CMS.debug("Getting old token");
             return ConfigurationUtils.getOldToken(sdhost, sdport, user, passwd);
         }
 
@@ -361,9 +361,11 @@ public class ConfigurationUtils {
             return token.getToken();
 
         } catch (ClientResponseFailure e) {
+
             if (e.getResponse().getResponseStatus() == Response.Status.NOT_FOUND) {
                 // try the old servlet
                 String tokenString = getOldCookie(sdhost, sdport, user, passwd);
+                CMS.debug("Token: " + tokenString);
                 return tokenString;
             }
 
@@ -378,12 +380,13 @@ public class ConfigurationUtils {
                 + CMS.getAdminPort() + "/ca/admin/console/config/wizard" +
                 "?p=5&subsystem=" + cs.getString("cs.type");
 
-        String content = "uid=" + URLEncoder.encode(user, "UTF-8") + "&pwd=" + URLEncoder.encode(passwd, "UTF-8") +
-                "&url=" + URLEncoder.encode(subca_url, "UTF-8");
+        MultivaluedMap<String, String> map = new MultivaluedHashMap<String, String>();
+        map.putSingle("uid", user);
+        map.putSingle("pwd", passwd);
+        map.putSingle("url", subca_url);
 
-        ClientResponse<String> response = getClientResponse(sdhost, sdport, true, "/ca/admin/ca/getCookie",
-                content, null, null);
-        String body = response.getEntity();
+        String body = post(sdhost, sdport, true, "/ca/admin/ca/getCookie",
+                map, null, null);
         return getContentValue(body, "header.session_id");
     }
 
diff --git a/base/server/cms/src/com/netscape/cms/servlet/csadmin/GetCookie.java b/base/server/cms/src/com/netscape/cms/servlet/csadmin/GetCookie.java
index b8030f01a..f86f2498c 100644
--- a/base/server/cms/src/com/netscape/cms/servlet/csadmin/GetCookie.java
+++ b/base/server/cms/src/com/netscape/cms/servlet/csadmin/GetCookie.java
@@ -78,6 +78,15 @@ public class GetCookie extends CMSServlet {
      * @param cmsReq the object holding the request and response information
      */
     protected void process(CMSRequest cmsReq) throws EBaseException {
+        try {
+            processImpl(cmsReq);
+        } catch (Throwable t) {
+            CMS.debug(t);
+            throw t;
+        }
+    }
+
+    protected void processImpl(CMSRequest cmsReq) throws EBaseException {
         HttpServletRequest httpReq = cmsReq.getHttpReq();
         HttpServletResponse httpResp = cmsReq.getHttpResp();
 
@@ -93,7 +102,12 @@ public class GetCookie extends CMSServlet {
         Locale[] locale = new Locale[1];
 
         String url = httpReq.getParameter("url");
-        CMS.debug("GetCookie before auth, url =" + url);
+        CMS.debug("GetCookie before auth, url = " + url);
+        if (url == null) {
+            throw new ECMSGWException(
+                    "GetCookie missing parameter: url");
+        }
+
         String url_e = "";
         URL u = null;
         try {
@@ -101,7 +115,7 @@ public class GetCookie extends CMSServlet {
             u = new URL(url_e);
         } catch (Exception eee) {
             throw new ECMSGWException(
-                    "GetCookie missing parameter: url");
+                    "Unable to parse URL: " + url);
         }
 
         int index2 = url_e.indexOf("subsystem=");
@@ -165,11 +179,13 @@ public class GetCookie extends CMSServlet {
 
         if (authToken != null) {
             String uid = authToken.getInString("uid");
+            CMS.debug("UID: " + uid);
 
             String addr = "";
             try {
                 addr = u.getHost();
             } catch (Exception e) {
+                CMS.debug(e);
             }
 
             try {
@@ -177,6 +193,7 @@ public class GetCookie extends CMSServlet {
 
                 InstallToken installToken = processor.getInstallToken(uid, addr, subsystem);
                 String cookie = installToken.getToken();
+                CMS.debug("Cookie: " + cookie);
 
                 if (!url.startsWith("$")) {
                     try {
@@ -210,7 +227,7 @@ public class GetCookie extends CMSServlet {
                 }
 
             } catch (Exception e) {
-                e.printStackTrace();
+                CMS.debug(e);
             }
         }
     }
diff --git a/base/server/cms/src/com/netscape/cms/servlet/csadmin/SystemConfigService.java b/base/server/cms/src/com/netscape/cms/servlet/csadmin/SystemConfigService.java
index 252a58472..a2c7b525b 100644
--- a/base/server/cms/src/com/netscape/cms/servlet/csadmin/SystemConfigService.java
+++ b/base/server/cms/src/com/netscape/cms/servlet/csadmin/SystemConfigService.java
@@ -118,7 +118,17 @@ public class SystemConfigService extends PKIService implements SystemConfigResou
      * @see com.netscape.cms.servlet.csadmin.SystemConfigurationResource#configure(com.netscape.cms.servlet.csadmin.data.ConfigurationData)
      */
     @Override
-    public ConfigurationResponse configure(ConfigurationRequest data){
+    public ConfigurationResponse configure(ConfigurationRequest data) {
+        try {
+            return configureImpl(data);
+        } catch (Throwable t) {
+            CMS.debug(t);
+            throw t;
+        }
+    }
+
+    public ConfigurationResponse configureImpl(ConfigurationRequest data) {
+
         if (csState.equals("1")) {
             throw new BadRequestException("System is already configured");
         }
@@ -915,6 +925,7 @@ public class SystemConfigService extends PKIService implements SystemConfigResou
         String securityDomainURL = data.getSecurityDomainUri();
 
         if (securityDomainType.equals(ConfigurationRequest.NEW_DOMAIN)) {
+            CMS.debug("Creating new security domain");
             cs.putString("preop.securitydomain.select", "new");
             cs.putString("securitydomain.select", "new");
             cs.putString("preop.securitydomain.name", securityDomainName);
@@ -931,12 +942,15 @@ public class SystemConfigService extends PKIService implements SystemConfigResou
                 cs.putString("preop.cert.subsystem.type", "local");
             }
             cs.putString("preop.cert.subsystem.profile", "subsystemCert.profile");
+
         } else {
+            CMS.debug("Joining existing security domain");
             cs.putString("preop.securitydomain.select", "existing");
             cs.putString("securitydomain.select", "existing");
             cs.putString("preop.cert.subsystem.type", "remote");
             cs.putString("preop.cert.subsystem.profile", "caInternalAuthSubsystemCert");
 
+            CMS.debug("Getting certificate chain");
             // contact and log onto security domain
             URL secdomainURL;
             String host;
@@ -953,6 +967,7 @@ public class SystemConfigService extends PKIService implements SystemConfigResou
                 throw new PKIException("Failed to import certificate chain from security domain master: " + e);
             }
 
+            CMS.debug("Getting install token");
             // log onto security domain and get token
             String user = data.getSecurityDomainUser();
             String pass = data.getSecurityDomainPassword();
@@ -965,10 +980,12 @@ public class SystemConfigService extends PKIService implements SystemConfigResou
             }
 
             if (installToken == null) {
+                CMS.debug("Install token is null");
                 throw new PKIException("Failed to obtain installation token from security domain");
             }
             CMS.setConfigSDSessionId(installToken);
 
+            CMS.debug("Getting domain XML");
             try {
                 domainXML = ConfigurationUtils.getDomainXML(host, port, true);
                 ConfigurationUtils.getSecurityDomainPorts(domainXML, host, port);
diff --git a/base/server/etc/default.cfg b/base/server/etc/default.cfg
index e60cb3a14..ea9c54019 100644
--- a/base/server/etc/default.cfg
+++ b/base/server/etc/default.cfg
@@ -342,6 +342,7 @@ pki_jackson_xc_jar=/usr/share/java/jackson/jackson-xc.jar
 
 # RESTEasy
 pki_resteasy_atom_provider_jar=%(resteasy_lib)s/resteasy-atom-provider.jar
+pki_resteasy_client_jar=%(resteasy_lib)s/resteasy-client.jar
 pki_resteasy_jaxb_provider_jar=%(resteasy_lib)s/resteasy-jaxb-provider.jar
 pki_resteasy_jaxrs_api_jar=%(resteasy_lib)s/jaxrs-api.jar
 pki_resteasy_jaxrs_jar=%(resteasy_lib)s/resteasy-jaxrs.jar
diff --git a/base/server/python/pki/server/deployment/scriptlets/instance_layout.py b/base/server/python/pki/server/deployment/scriptlets/instance_layout.py
index 3dbf62363..83c101fa7 100644
--- a/base/server/python/pki/server/deployment/scriptlets/instance_layout.py
+++ b/base/server/python/pki/server/deployment/scriptlets/instance_layout.py
@@ -198,6 +198,10 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
                 os.path.join(
                     deployer.master_dict['pki_tomcat_common_lib_path'],
                     'resteasy-atom-provider.jar'))
+            deployer.symlink.create(deployer.master_dict['pki_resteasy_client_jar'],
+                os.path.join(
+                    deployer.master_dict['pki_tomcat_common_lib_path'],
+                    'resteasy-client.jar'))
             deployer.symlink.create(deployer.master_dict['pki_resteasy_jaxb_provider_jar'],
                 os.path.join(
                     deployer.master_dict['pki_tomcat_common_lib_path'],
diff --git a/base/server/scripts/operations b/base/server/scripts/operations
index 21b4748a0..bfd2de898 100644
--- a/base/server/scripts/operations
+++ b/base/server/scripts/operations
@@ -1239,6 +1239,7 @@ verify_symlinks()
             [ldapjdk.jar]=${java_dir}/ldapjdk.jar
             [pki-tomcat.jar]=${java_dir}/pki/pki-tomcat.jar
             [resteasy-atom-provider.jar]=${RESTEASY_LIB}/resteasy-atom-provider.jar
+            [resteasy-client.jar]=${RESTEASY_LIB}/resteasy-client.jar
             [resteasy-jaxb-provider.jar]=${RESTEASY_LIB}/resteasy-jaxb-provider.jar
             [resteasy-jaxrs.jar]=${RESTEASY_LIB}/resteasy-jaxrs.jar
             [resteasy-jackson-provider.jar]=${RESTEASY_LIB}/resteasy-jackson-provider.jar
@@ -1275,6 +1276,7 @@ verify_symlinks()
             [ldapjdk.jar]=${java_dir}/ldapjdk.jar
             [pki-tomcat.jar]=${java_dir}/pki/pki-tomcat.jar
             [resteasy-atom-provider.jar]=${RESTEASY_LIB}/resteasy-atom-provider.jar
+            [resteasy-client.jar]=${RESTEASY_LIB}/resteasy-client.jar
             [resteasy-jaxb-provider.jar]=${RESTEASY_LIB}/resteasy-jaxb-provider.jar
             [resteasy-jaxrs.jar]=${RESTEASY_LIB}/resteasy-jaxrs.jar
             [resteasy-jackson-provider.jar]=${RESTEASY_LIB}/resteasy-jackson-provider.jar
diff --git a/base/server/share/conf/pki.policy b/base/server/share/conf/pki.policy
index 5ce07b2cf..6a1018825 100644
--- a/base/server/share/conf/pki.policy
+++ b/base/server/share/conf/pki.policy
@@ -162,6 +162,10 @@ grant codeBase "file:${RESTEASY_LIB}/resteasy-atom-provider.jar" {
         permission java.security.AllPermission;
 };
 
+grant codeBase "file:${RESTEASY_LIB}/resteasy-client.jar" {
+        permission java.security.AllPermission;
+};
+
 grant codeBase "file:${RESTEASY_LIB}/resteasy-jaxb-provider.jar" {
         permission java.security.AllPermission;
 };
diff --git a/base/server/upgrade/10.1.99/03-AddedRESTEasyClient b/base/server/upgrade/10.1.99/03-AddedRESTEasyClient
new file mode 100755
index 000000000..55bc8c367
--- /dev/null
+++ b/base/server/upgrade/10.1.99/03-AddedRESTEasyClient
@@ -0,0 +1,76 @@
+#!/usr/bin/python
+# Authors:
+#     Endi S. Dewata <edewata@redhat.com>
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; version 2 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License along
+# with this program; if not, write to the Free Software Foundation, Inc.,
+# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# Copyright (C) 2014 Red Hat, Inc.
+# All rights reserved.
+#
+
+import grp
+import os
+import pwd
+import re
+import subprocess
+
+import pki.server.upgrade
+
+
+class AddedRESTEasyClient(pki.server.upgrade.PKIServerUpgradeScriptlet):
+
+    def __init__(self):
+
+        self.message = 'Added RESTEasy client'
+
+    def upgrade_instance(self, instance):
+
+        # Tomcat common library
+        common_lib = os.path.join(instance.base_dir, 'common', 'lib')
+
+        # Tomcat user and group
+        registry_file = os.path.join(
+            pki.server.REGISTRY_DIR, 'tomcat', instance.name, instance.name)
+
+        with open(registry_file, "r") as registry:
+            lines = registry.readlines()
+
+        for line in lines:
+            m = re.search('^PKI_USER=(.*)$', line)
+            if m:
+                user = m.group(1)
+            m = re.search('^PKI_GROUP=(.*)$', line)
+            if m:
+                group = m.group(1)
+
+        uid = pwd.getpwnam(user).pw_uid
+        gid = grp.getgrnam(group).gr_gid
+
+        # RESTEasy library
+        resteasy_lib = subprocess.check_output(
+            '. /etc/pki/pki.conf && echo $RESTEASY_LIB',
+            shell=True)
+        # workaround for pylint error E1103
+        resteasy_lib = str(resteasy_lib).strip()
+
+        # create new links
+        source = os.path.join(resteasy_lib, 'resteasy-client.jar')
+        link = os.path.join(common_lib, 'resteasy-client.jar')
+        self.create_link(source, link, uid, gid)
+
+    def create_link(self, source, link, uid, gid):
+
+        self.backup(link)
+        os.symlink(source, link)
+        os.lchown(link, uid, gid)
diff --git a/scripts/compose_pki_test_package b/scripts/compose_pki_test_package
index fc534c8e7..5b26220a7 100755
--- a/scripts/compose_pki_test_package
+++ b/scripts/compose_pki_test_package
@@ -111,6 +111,7 @@ CLASSPATH=$CLASSPATH:/usr/share/java/jackson/jackson-smile.jar
 CLASSPATH=$CLASSPATH:/usr/share/java/jackson/jackson-xc.jar
 CLASSPATH=$CLASSPATH:/usr/share/java/resteasy/jaxrs-api.jar
 CLASSPATH=$CLASSPATH:/usr/share/java/resteasy/resteasy-atom-provider.jar
+CLASSPATH=$CLASSPATH:/usr/share/java/resteasy/resteasy-client.jar
 CLASSPATH=$CLASSPATH:/usr/share/java/resteasy/resteasy-jaxb-provider.jar
 CLASSPATH=$CLASSPATH:/usr/share/java/resteasy/resteasy-jaxrs.jar
 CLASSPATH=$CLASSPATH:/usr/share/java/resteasy/resteasy-jaxrs-jandex.jar
diff --git a/tests/dogtag/dev_java_tests/run_junit_tests.sh b/tests/dogtag/dev_java_tests/run_junit_tests.sh
index 31d647ca2..7b298a4b7 100644
--- a/tests/dogtag/dev_java_tests/run_junit_tests.sh
+++ b/tests/dogtag/dev_java_tests/run_junit_tests.sh
@@ -45,6 +45,7 @@ run_dev_junit_tests() {
     CLASSPATH=$CLASSPATH:/usr/share/java/jackson/jackson-xc.jar
     CLASSPATH=$CLASSPATH:/usr/share/java/resteasy/jaxrs-api.jar
     CLASSPATH=$CLASSPATH:/usr/share/java/resteasy/resteasy-atom-provider.jar
+    CLASSPATH=$CLASSPATH:/usr/share/java/resteasy/resteasy-client.jar
     CLASSPATH=$CLASSPATH:/usr/share/java/resteasy/resteasy-jaxb-provider.jar
     CLASSPATH=$CLASSPATH:/usr/share/java/resteasy/resteasy-jaxrs.jar
     CLASSPATH=$CLASSPATH:/usr/share/java/resteasy/resteasy-jaxrs-jandex.jar
-- 
cgit