From 0ce6c97e4fe0e36786b78c273833b8f1dfbc12b4 Mon Sep 17 00:00:00 2001 From: Matthew Harmsen Date: Tue, 3 Jul 2012 17:52:33 -0700 Subject: PKI Deployment Scriptlets * Integration of Tomcat 7 * Introduction of dependency upon tomcatjss 7.0 * Removal of http filtering configuration mechanisms * Introduction of additional slot substitution to support revised filesystem layout * Addition of 'pkiuser' uid:gid creation methods * Inclusion of per instance '*.profile' files * Introduction of configurable 'configurationRoot' parameter * Introduction of default configuration of 'log4j' mechanism (alee) * Modify web.xml to use new Application classes to bootstrap servers (alee) * Introduction of "Wrapper" logic to support Tomcat 6 --> Tomcat 7 API change (jmagne) * Added jython helper function to allow attaching a remote java debugger (e. g. - eclipse)
---
 base/ca/shared/conf/CS.cfg.in | 145 +++++++++++++++--------------- base/ca/shared/webapps/ca/WEB-INF/web.xml | 139 ++-------------------------- 2 files changed, 81 insertions(+), 203 deletions(-) (limited to 'base/ca')
diff --git a/base/ca/shared/conf/CS.cfg.in b/base/ca/shared/conf/CS.cfg.in
index 78c28435a..ca90d52d5 100644
--- a/base/ca/shared/conf/CS.cfg.in
+++ b/base/ca/shared/conf/CS.cfg.in
@@ -38,6 +38,7 @@ securitydomain.flushinterval=86400000
 securitydomain.source=ldap
 securitydomain.checkinterval=300000
 instanceRoot=[PKI_INSTANCE_PATH]
+configurationRoot=/[PKI_SUBSYSTEM_DIR]conf/
 machineName=[PKI_MACHINE_NAME]
 instanceId=[PKI_INSTANCE_ID]
 pidDir=[PKI_PIDDIR]
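Review bot: The added `configurationRoot=/[PKI_SUBSYSTEM_DIR]conf/` is the only path in this template that is not anchored on `[PKI_INSTANCE_PATH]`, and it has no separator after the slot. It therefore only yields a sane path if `[PKI_SUBSYSTEM_DIR]` expands to an empty string or to a value ending in `/`, and only if the consumer appends it to `instanceRoot`. Neither the substitution code nor the consumer is visible in this diff, so both assumptions need confirming. If the value is ever read as an absolute path it would point at a directory under the filesystem root, outside the instance tree and its ownership and permissions. Please document the slot contract (empty, or `name/` with trailing slash, no `..`) next to the code that fills it, or write the key as `configurationRoot=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_DIR]conf/` if an absolute path is what the reader expects.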
@@ -180,7 +181,7 @@ auths.instance.AgentCertAuth.pluginName=AgentCertAuth
 auths.instance.raCertAuth.agentGroup=Registration Manager Agents
 auths.instance.raCertAuth.pluginName=AgentCertAuth
 auths.instance.flatFileAuth.pluginName=FlatFileAuth
-auths.instance.flatFileAuth.fileName=[PKI_INSTANCE_PATH]/conf/flatfile.txt
+auths.instance.flatFileAuth.fileName=[PKI_INSTANCE_PATH]/conf/[PKI_SUBSYSTEM_DIR]flatfile.txt
 auths.instance.SSLclientCertAuth.pluginName=SSLclientCertAuth
 auths.revocationChecking.bufferSize=50
 auths.revocationChecking.ca=ca
@@ -643,15 +644,15 @@ ca.crl.MasterCRL.extension.IssuingDistributionPoint.pointName=
 ca.crl.MasterCRL.extension.IssuingDistributionPoint.pointType=
 ca.crl.MasterCRL.extension.IssuingDistributionPoint.type=CRLExtension
 ca.notification.certIssued.emailSubject=Your Certificate Request
-ca.notification.certIssued.emailTemplate=[PKI_INSTANCE_PATH]/emails/certIssued_CA.html
+ca.notification.certIssued.emailTemplate=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_DIR]emails/certIssued_CA.html
 ca.notification.certIssued.enabled=false
 ca.notification.certIssued.senderEmail=
 ca.notification.certRevoked.emailSubject=Your Certificate Revoked
-ca.notification.certRevoked.emailTemplate=[PKI_INSTANCE_PATH]/emails/certRevoked_CA.html
+ca.notification.certRevoked.emailTemplate=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_DIR]emails/certRevoked_CA.html
 ca.notification.certRevoked.enabled=false
 ca.notification.certRevoked.senderEmail=
 ca.notification.requestInQ.emailSubject=Certificate Request in Queue
-ca.notification.requestInQ.emailTemplate=[PKI_INSTANCE_PATH]/emails/reqInQueue_CA.html
+ca.notification.requestInQ.emailTemplate=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_DIR]emails/reqInQueue_CA.html
 ca.notification.requestInQ.enabled=false
 ca.notification.requestInQ.recipientEmail=
 ca.notification.requestInQ.senderEmail=
@@ -793,7 +794,7 @@ dbs.ldap=internaldb
 dbs.newSchemaEntryAdded=true
 debug.append=true
 debug.enabled=true
-debug.filename=[PKI_INSTANCE_PATH]/logs/debug
+debug.filename=[PKI_INSTANCE_PATH]/logs/[PKI_SUBSYSTEM_DIR]debug
 debug.hashkeytypes=
 debug.level=0
 debug.showcaller=false
@@ -815,8 +816,8 @@ internaldb.ldapconn.host=
 internaldb.ldapconn.port=
 internaldb.ldapconn.secureConn=false
 preop.internaldb.schema.ldif=/usr/share/pki/ca/conf/schema.ldif
-preop.internaldb.ldif=/usr/share/pki/ca/conf/database.ldif
-preop.internaldb.data_ldif=/usr/share/pki/ca/conf/db.ldif,/usr/share/pki/ca/conf/acl.ldif
+preop.internaldb.ldif=/usr/share/pki/[PKI_SUBSYSTEM_DIR]conf/database.ldif
+preop.internaldb.data_ldif=/usr/share/pki/[PKI_SUBSYSTEM_DIR]conf/db.ldif,/usr/share/pki/ca/conf/acl.ldif
 preop.internaldb.index_ldif=
 preop.internaldb.manager_ldif=/usr/share/pki/ca/conf/manager.ldif
 preop.internaldb.post_ldif=/usr/share/pki/ca/conf/index.ldif,/usr/share/pki/ca/conf/vlv.ldif,/usr/share/pki/ca/conf/vlvtasks.ldif
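Review bot: The `preop.internaldb.*` hunk (-815,8) is only half converted: `database.ldif` and `db.ldif` now use `/usr/share/pki/[PKI_SUBSYSTEM_DIR]conf/`, while `acl.ldif` in the same `data_ldif` value and the `schema.ldif`, `manager.ldif`, `index.ldif`, `vlv.ldif` and `vlvtasks.ldif` entries in the surrounding context stay hard-coded to `/usr/share/pki/ca/conf/`. If the slot ever expands to anything other than `ca/`, the database definition and the ACL and schema seed files (going by their names) would be loaded from two different trees. Either convert all of them, e.g. `preop.internaldb.data_ldif=/usr/share/pki/[PKI_SUBSYSTEM_DIR]conf/db.ldif,/usr/share/pki/[PKI_SUBSYSTEM_DIR]conf/acl.ldif`, or leave these read-only shared paths alone and state in the commit message why only two were changed.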
@@ -833,25 +834,25 @@ jobsScheduler.impl.RequestInQueueJob.class=com.netscape.cms.jobs.RequestInQueueJ
 jobsScheduler.impl.UnpublishExpiredJob.class=com.netscape.cms.jobs.UnpublishExpiredJob
 jobsScheduler.job.certRenewalNotifier.cron=0 3 * * 1-5
 jobsScheduler.job.certRenewalNotifier.emailSubject=Certificate Renewal Notification
-jobsScheduler.job.certRenewalNotifier.emailTemplate=[PKI_INSTANCE_PATH]/emails/rnJob1.txt
+jobsScheduler.job.certRenewalNotifier.emailTemplate=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_DIR]emails/rnJob1.txt
 jobsScheduler.job.certRenewalNotifier.enabled=false
 jobsScheduler.job.certRenewalNotifier.notifyEndOffset=30
 jobsScheduler.job.certRenewalNotifier.notifyTriggerOffset=30
 jobsScheduler.job.certRenewalNotifier.pluginName=RenewalNotificationJob
 jobsScheduler.job.certRenewalNotifier.senderEmail=
 jobsScheduler.job.certRenewalNotifier.summary.emailSubject=Certificate Renewal Notification Summary
-jobsScheduler.job.certRenewalNotifier.summary.emailTemplate=[PKI_INSTANCE_PATH]/emails/rnJob1Summary.txt
+jobsScheduler.job.certRenewalNotifier.summary.emailTemplate=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_DIR]emails/rnJob1Summary.txt
 jobsScheduler.job.certRenewalNotifier.summary.enabled=true
-jobsScheduler.job.certRenewalNotifier.summary.itemTemplate=[PKI_INSTANCE_PATH]/emails/rnJob1Item.txt
+jobsScheduler.job.certRenewalNotifier.summary.itemTemplate=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_DIR]emails/rnJob1Item.txt
 jobsScheduler.job.certRenewalNotifier.summary.recipientEmail=
 jobsScheduler.job.certRenewalNotifier.summary.senderEmail=
 jobsScheduler.job.publishCerts.cron=0 0 * * 2
 jobsScheduler.job.publishCerts.enabled=false
 jobsScheduler.job.publishCerts.pluginName=PublishCertsJob
 jobsScheduler.job.publishCerts.summary.emailSubject=Certs Publishing Summary
-jobsScheduler.job.publishCerts.summary.emailTemplate=[PKI_INSTANCE_PATH]/emails/publishCerts.html
+jobsScheduler.job.publishCerts.summary.emailTemplate=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_DIR]emails/publishCerts.html
 jobsScheduler.job.publishCerts.summary.enabled=true
-jobsScheduler.job.publishCerts.summary.itemTemplate=[PKI_INSTANCE_PATH]/emails/publishCertsItem.html
+jobsScheduler.job.publishCerts.summary.itemTemplate=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_DIR]emails/publishCertsItem.html
 jobsScheduler.job.publishCerts.summary.recipientEmail=
 jobsScheduler.job.publishCerts.summary.senderEmail=
 jobsScheduler.job.requestInQueueNotifier.cron=0 0 * * 0
@@ -859,7 +860,7 @@ jobsScheduler.job.requestInQueueNotifier.enabled=false
 jobsScheduler.job.requestInQueueNotifier.pluginName=RequestInQueueJob
 jobsScheduler.job.requestInQueueNotifier.subsystemId=ca
 jobsScheduler.job.requestInQueueNotifier.summary.emailSubject=Requests in Queue Summary Report
-jobsScheduler.job.requestInQueueNotifier.summary.emailTemplate=[PKI_INSTANCE_PATH]/emails/riq1Summary.html
+jobsScheduler.job.requestInQueueNotifier.summary.emailTemplate=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_DIR]emails/riq1Summary.html
 jobsScheduler.job.requestInQueueNotifier.summary.enabled=true
 jobsScheduler.job.requestInQueueNotifier.summary.recipientEmail=
 jobsScheduler.job.requestInQueueNotifier.summary.senderEmail=
@@ -867,9 +868,9 @@ jobsScheduler.job.unpublishExpiredCerts.cron=0 0 * * 6
 jobsScheduler.job.unpublishExpiredCerts.enabled=false
 jobsScheduler.job.unpublishExpiredCerts.pluginName=UnpublishExpiredJob
 jobsScheduler.job.unpublishExpiredCerts.summary.emailSubject=Expired Certs Unpublished Summary
-jobsScheduler.job.unpublishExpiredCerts.summary.emailTemplate=[PKI_INSTANCE_PATH]/emails/euJob1.html
+jobsScheduler.job.unpublishExpiredCerts.summary.emailTemplate=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_DIR]emails/euJob1.html
 jobsScheduler.job.unpublishExpiredCerts.summary.enabled=true
-jobsScheduler.job.unpublishExpiredCerts.summary.itemTemplate=[PKI_INSTANCE_PATH]/emails/euJob1Item.html
+jobsScheduler.job.unpublishExpiredCerts.summary.itemTemplate=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_DIR]emails/euJob1Item.html
 jobsScheduler.job.unpublishExpiredCerts.summary.recipientEmail=
 jobsScheduler.job.unpublishExpiredCerts.summary.senderEmail=
 jss._000=##
@@ -897,7 +898,7 @@ log.instance.SignedAudit.bufferSize=512
 log.instance.SignedAudit.enable=true
 log.instance.SignedAudit.events=AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,PRIVATE_KEY_ARCHIVE_REQUEST,PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,KEY_RECOVERY_REQUEST,KEY_RECOVERY_REQUEST_ASYNC,KEY_RECOVERY_AGENT_LOGIN,KEY_RECOVERY_REQUEST_PROCESSED,KEY_RECOVERY_REQUEST_PROCESSED_ASYNC,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ_SUCCESS,AUTHZ_FAIL,INTER_BOUNDARY,AUTH_FAIL,AUTH_SUCCESS,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_ADD_CA_REQUEST,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST,OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS,OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,SECURITY_DOMAIN_UPDATE,CONFIG_SERIAL_NUMBER
 log.instance.SignedAudit.expirationTime=0
-log.instance.SignedAudit.fileName=[PKI_INSTANCE_PATH]/logs/signedAudit/ca_audit
+log.instance.SignedAudit.fileName=[PKI_INSTANCE_PATH]/logs/[PKI_SUBSYSTEM_DIR]signedAudit/ca_audit
 log.instance.SignedAudit.flushInterval=5
 log.instance.SignedAudit.level=1
 log.instance.SignedAudit.logSigning=false
@@ -913,7 +914,7 @@ log.instance.System._002=##
 log.instance.System.bufferSize=512
 log.instance.System.enable=true
 log.instance.System.expirationTime=0
-log.instance.System.fileName=[PKI_INSTANCE_PATH]/logs/system
+log.instance.System.fileName=[PKI_INSTANCE_PATH]/logs/[PKI_SUBSYSTEM_DIR]system
 log.instance.System.flushInterval=5
 log.instance.System.level=3
 log.instance.System.maxFileSize=2000
@@ -926,15 +927,15 @@ log.instance.Transactions._002=##
 log.instance.Transactions.bufferSize=512
 log.instance.Transactions.enable=true
 log.instance.Transactions.expirationTime=0
-log.instance.Transactions.fileName=[PKI_INSTANCE_PATH]/logs/transactions
+log.instance.Transactions.fileName=[PKI_INSTANCE_PATH]/logs/[PKI_SUBSYSTEM_DIR]transactions
 log.instance.Transactions.flushInterval=5
 log.instance.Transactions.level=1
 log.instance.Transactions.maxFileSize=2000
 log.instance.Transactions.pluginName=file
 log.instance.Transactions.rolloverInterval=2592000
 log.instance.Transactions.type=transaction
-logAudit.fileName=[PKI_INSTANCE_PATH]/logs/access
-logError.fileName=[PKI_INSTANCE_PATH]/logs/error
+logAudit.fileName=[PKI_INSTANCE_PATH]/logs/[PKI_SUBSYSTEM_DIR]access
+logError.fileName=[PKI_INSTANCE_PATH]/logs/[PKI_SUBSYSTEM_DIR]error
 oidmap.auth_info_access.class=netscape.security.extensions.AuthInfoAccessExtension
 oidmap.auth_info_access.oid=1.3.6.1.5.5.7.1.1
 oidmap.challenge_password.class=com.netscape.cms.servlet.cert.scep.ChallengePassword
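Review bot: The signed-audit path in the -897,7 hunk moves to `logs/[PKI_SUBSYSTEM_DIR]signedAudit/ca_audit` while the context still ships `log.instance.SignedAudit.logSigning=false`, so the audit trail is protected by filesystem ownership and mode alone. The directory creation is not part of this diff (it is limited to `base/ca`). Please confirm that the deployment scriptlets create the new per-subsystem `signedAudit` directory owned by the service account with no access for other users before the server first starts. The same applies to the relocated `debug`, `system`, `transactions`, `access`, `error` and `selftests.log` files in the -793,7, -913,7, -926,15 and -1096,7 hunks. The commit message should also name the new locations, so that log forwarding, rotation and file-integrity rules that watch the old paths can be updated.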
@@ -956,106 +957,106 @@ oidmap.subject_info_access.oid=1.3.6.1.5.5.7.1.11
 os.userid=nobody
 profile.list=caUserCert,caECUserCert,caUserSMIMEcapCert,caDualCert,caECDualCert,caSignedLogCert,caTPSCert,caRARouterCert,caRouterCert,caServerCert,caOtherCert,caCACert,caInstallCACert,caRACert,caOCSPCert,caTransportCert,caDirUserCert,caAgentServerCert,caAgentFileSigning,caCMCUserCert,caFullCMCUserCert,caSimpleCMCUserCert,caTokenDeviceKeyEnrollment,caTokenUserEncryptionKeyEnrollment,caTokenUserSigningKeyEnrollment,caTempTokenDeviceKeyEnrollment,caTempTokenUserEncryptionKeyEnrollment,caTempTokenUserSigningKeyEnrollment,caAdminCert,caInternalAuthServerCert,caInternalAuthTransportCert,caInternalAuthDRMstorageCert,caInternalAuthSubsystemCert,caInternalAuthOCSPCert,caInternalAuthAuditSigningCert,DomainController,caDualRAuserCert,caRAagentCert,caRAserverCert,caUUIDdeviceCert,caSSLClientSelfRenewal,caDirUserRenewal,caManualRenewal,caTokenMSLoginEnrollment,caTokenUserSigningKeyRenewal,caTokenUserEncryptionKeyRenewal,caJarSigningCert,caIPAserviceCert,caEncUserCert,caEncECUserCert
 profile.caUUIDdeviceCert.class_id=caEnrollImpl
-profile.caUUIDdeviceCert.config=[PKI_INSTANCE_PATH]/profiles/ca/caUUIDdeviceCert.cfg
+profile.caUUIDdeviceCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_DIR]profiles/ca/caUUIDdeviceCert.cfg
 profile.caManualRenewal.class_id=caEnrollImpl
-profile.caManualRenewal.config=[PKI_INSTANCE_PATH]/profiles/ca/caManualRenewal.cfg
+profile.caManualRenewal.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_DIR]profiles/ca/caManualRenewal.cfg
 profile.caDirUserRenewal.class_id=caEnrollImpl
-profile.caDirUserRenewal.config=[PKI_INSTANCE_PATH]/profiles/ca/caDirUserRenewal.cfg
+profile.caDirUserRenewal.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_DIR]profiles/ca/caDirUserRenewal.cfg
 profile.caSSLClientSelfRenewal.class_id=caEnrollImpl
-profile.caSSLClientSelfRenewal.config=[PKI_INSTANCE_PATH]/profiles/ca/caSSLClientSelfRenewal.cfg
+profile.caSSLClientSelfRenewal.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_DIR]profiles/ca/caSSLClientSelfRenewal.cfg
 profile.DomainController.class_id=caEnrollImpl
-profile.DomainController.config=[PKI_INSTANCE_PATH]/profiles/ca/DomainController.cfg
+profile.DomainController.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_DIR]profiles/ca/DomainController.cfg
 profile.caAgentFileSigning.class_id=caEnrollImpl
-profile.caAgentFileSigning.config=[PKI_INSTANCE_PATH]/profiles/ca/caAgentFileSigning.cfg
+profile.caAgentFileSigning.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_DIR]profiles/ca/caAgentFileSigning.cfg
 profile.caAgentServerCert.class_id=caEnrollImpl
-profile.caAgentServerCert.config=[PKI_INSTANCE_PATH]/profiles/ca/caAgentServerCert.cfg
+profile.caAgentServerCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_DIR]profiles/ca/caAgentServerCert.cfg
 profile.caRAserverCert.class_id=caEnrollImpl
-profile.caRAserverCert.config=[PKI_INSTANCE_PATH]/profiles/ca/caRAserverCert.cfg
+profile.caRAserverCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_DIR]profiles/ca/caRAserverCert.cfg
 profile.caCACert.class_id=caEnrollImpl
-profile.caCACert.config=[PKI_INSTANCE_PATH]/profiles/ca/caCACert.cfg
+profile.caCACert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_DIR]profiles/ca/caCACert.cfg
 profile.caInstallCACert.class_id=caEnrollImpl
-profile.caInstallCACert.config=[PKI_INSTANCE_PATH]/profiles/ca/caInstallCACert.cfg
+profile.caInstallCACert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_DIR]profiles/ca/caInstallCACert.cfg
 profile.caCMCUserCert.class_id=caEnrollImpl
-profile.caCMCUserCert.config=[PKI_INSTANCE_PATH]/profiles/ca/caCMCUserCert.cfg
+profile.caCMCUserCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_DIR]profiles/ca/caCMCUserCert.cfg
 profile.caDirUserCert.class_id=caEnrollImpl
-profile.caDirUserCert.config=[PKI_INSTANCE_PATH]/profiles/ca/caDirUserCert.cfg
+profile.caDirUserCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_DIR]profiles/ca/caDirUserCert.cfg
 profile.caDualCert.class_id=caEnrollImpl
-profile.caDualCert.config=[PKI_INSTANCE_PATH]/profiles/ca/caDualCert.cfg
+profile.caDualCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_DIR]profiles/ca/caDualCert.cfg
 profile.caECDualCert.class_id=caEnrollImpl
-profile.caECDualCert.config=[PKI_INSTANCE_PATH]/profiles/ca/caECDualCert.cfg
+profile.caECDualCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_DIR]profiles/ca/caECDualCert.cfg
 profile.caDualRAuserCert.class_id=caEnrollImpl
-profile.caDualRAuserCert.config=[PKI_INSTANCE_PATH]/profiles/ca/caDualRAuserCert.cfg
+profile.caDualRAuserCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_DIR]profiles/ca/caDualRAuserCert.cfg
 profile.caRAagentCert.class_id=caEnrollImpl
-profile.caRAagentCert.config=[PKI_INSTANCE_PATH]/profiles/ca/caRAagentCert.cfg
+profile.caRAagentCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_DIR]profiles/ca/caRAagentCert.cfg
 profile.caFullCMCUserCert.class_id=caEnrollImpl
-profile.caFullCMCUserCert.config=[PKI_INSTANCE_PATH]/profiles/ca/caFullCMCUserCert.cfg
+profile.caFullCMCUserCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_DIR]profiles/ca/caFullCMCUserCert.cfg
 profile.caInternalAuthOCSPCert.class_id=caEnrollImpl
-profile.caInternalAuthOCSPCert.config=[PKI_INSTANCE_PATH]/profiles/ca/caInternalAuthOCSPCert.cfg
+profile.caInternalAuthOCSPCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_DIR]profiles/ca/caInternalAuthOCSPCert.cfg
 profile.caInternalAuthAuditSigningCert.class_id=caEnrollImpl
-profile.caInternalAuthAuditSigningCert.config=[PKI_INSTANCE_PATH]/profiles/ca/caInternalAuthAuditSigningCert.cfg
+profile.caInternalAuthAuditSigningCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_DIR]profiles/ca/caInternalAuthAuditSigningCert.cfg
 profile.caInternalAuthServerCert.class_id=caEnrollImpl
-profile.caInternalAuthServerCert.config=[PKI_INSTANCE_PATH]/profiles/ca/caInternalAuthServerCert.cfg
+profile.caInternalAuthServerCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_DIR]profiles/ca/caInternalAuthServerCert.cfg
 profile.caInternalAuthSubsystemCert.class_id=caEnrollImpl
-profile.caInternalAuthSubsystemCert.config=[PKI_INSTANCE_PATH]/profiles/ca/caInternalAuthSubsystemCert.cfg
+profile.caInternalAuthSubsystemCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_DIR]profiles/ca/caInternalAuthSubsystemCert.cfg
 profile.caInternalAuthDRMstorageCert.class_id=caEnrollImpl
-profile.caInternalAuthDRMstorageCert.config=[PKI_INSTANCE_PATH]/profiles/ca/caInternalAuthDRMstorageCert.cfg
+profile.caInternalAuthDRMstorageCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_DIR]profiles/ca/caInternalAuthDRMstorageCert.cfg
 profile.caInternalAuthTransportCert.class_id=caEnrollImpl
-profile.caInternalAuthTransportCert.config=[PKI_INSTANCE_PATH]/profiles/ca/caInternalAuthTransportCert.cfg
+profile.caInternalAuthTransportCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_DIR]profiles/ca/caInternalAuthTransportCert.cfg
 profile.caOCSPCert.class_id=caEnrollImpl
-profile.caOCSPCert.config=[PKI_INSTANCE_PATH]/profiles/ca/caOCSPCert.cfg
+profile.caOCSPCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_DIR]profiles/ca/caOCSPCert.cfg
 profile.caOtherCert.class_id=caEnrollImpl
-profile.caOtherCert.config=[PKI_INSTANCE_PATH]/profiles/ca/caOtherCert.cfg
+profile.caOtherCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_DIR]profiles/ca/caOtherCert.cfg
 profile.caRACert.class_id=caEnrollImpl
-profile.caRACert.config=[PKI_INSTANCE_PATH]/profiles/ca/caRACert.cfg
+profile.caRACert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_DIR]profiles/ca/caRACert.cfg
 profile.caRARouterCert.class_id=caEnrollImpl
-profile.caRARouterCert.config=[PKI_INSTANCE_PATH]/profiles/ca/caRARouterCert.cfg
+profile.caRARouterCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_DIR]profiles/ca/caRARouterCert.cfg
 profile.caRouterCert.class_id=caEnrollImpl
-profile.caRouterCert.config=[PKI_INSTANCE_PATH]/profiles/ca/caRouterCert.cfg
+profile.caRouterCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_DIR]profiles/ca/caRouterCert.cfg
 profile.caServerCert.class_id=caEnrollImpl
-profile.caServerCert.config=[PKI_INSTANCE_PATH]/profiles/ca/caServerCert.cfg
+profile.caServerCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_DIR]profiles/ca/caServerCert.cfg
 profile.caSignedLogCert.class_id=caEnrollImpl
-profile.caSignedLogCert.config=[PKI_INSTANCE_PATH]/profiles/ca/caSignedLogCert.cfg
+profile.caSignedLogCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_DIR]profiles/ca/caSignedLogCert.cfg
 profile.caSimpleCMCUserCert.class_id=caEnrollImpl
-profile.caSimpleCMCUserCert.config=[PKI_INSTANCE_PATH]/profiles/ca/caSimpleCMCUserCert.cfg
+profile.caSimpleCMCUserCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_DIR]profiles/ca/caSimpleCMCUserCert.cfg
 profile.caTPSCert.class_id=caEnrollImpl
-profile.caTPSCert.config=[PKI_INSTANCE_PATH]/profiles/ca/caTPSCert.cfg
+profile.caTPSCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_DIR]profiles/ca/caTPSCert.cfg
 profile.caAdminCert.class_id=caEnrollImpl
-profile.caAdminCert.config=[PKI_INSTANCE_PATH]/profiles/ca/caAdminCert.cfg
+profile.caAdminCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_DIR]profiles/ca/caAdminCert.cfg
 profile.caTempTokenDeviceKeyEnrollment.class_id=caUserCertEnrollImpl
-profile.caTempTokenDeviceKeyEnrollment.config=[PKI_INSTANCE_PATH]/profiles/ca/caTempTokenDeviceKeyEnrollment.cfg
+profile.caTempTokenDeviceKeyEnrollment.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_DIR]profiles/ca/caTempTokenDeviceKeyEnrollment.cfg
 profile.caTempTokenUserEncryptionKeyEnrollment.class_id=caUserCertEnrollImpl
-profile.caTempTokenUserEncryptionKeyEnrollment.config=[PKI_INSTANCE_PATH]/profiles/ca/caTempTokenUserEncryptionKeyEnrollment.cfg
+profile.caTempTokenUserEncryptionKeyEnrollment.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_DIR]profiles/ca/caTempTokenUserEncryptionKeyEnrollment.cfg
 profile.caTokenUserEncryptionKeyRenewal.class_id=caUserCertEnrollImpl
-profile.caTokenUserEncryptionKeyRenewal.config=[PKI_INSTANCE_PATH]/profiles/ca/caTokenUserEncryptionKeyRenewal.cfg
+profile.caTokenUserEncryptionKeyRenewal.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_DIR]profiles/ca/caTokenUserEncryptionKeyRenewal.cfg
 profile.caTempTokenUserSigningKeyEnrollment.class_id=caUserCertEnrollImpl
-profile.caTempTokenUserSigningKeyEnrollment.config=[PKI_INSTANCE_PATH]/profiles/ca/caTempTokenUserSigningKeyEnrollment.cfg
+profile.caTempTokenUserSigningKeyEnrollment.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_DIR]profiles/ca/caTempTokenUserSigningKeyEnrollment.cfg
 profile.caTokenUserSigningKeyRenewal.class_id=caUserCertEnrollImpl
-profile.caTokenUserSigningKeyRenewal.config=[PKI_INSTANCE_PATH]/profiles/ca/caTokenUserSigningKeyRenewal.cfg
+profile.caTokenUserSigningKeyRenewal.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_DIR]profiles/ca/caTokenUserSigningKeyRenewal.cfg
 profile.caTokenDeviceKeyEnrollment.class_id=caUserCertEnrollImpl
-profile.caTokenDeviceKeyEnrollment.config=[PKI_INSTANCE_PATH]/profiles/ca/caTokenDeviceKeyEnrollment.cfg
+profile.caTokenDeviceKeyEnrollment.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_DIR]profiles/ca/caTokenDeviceKeyEnrollment.cfg
 profile.caTokenUserEncryptionKeyEnrollment.class_id=caUserCertEnrollImpl
-profile.caTokenUserEncryptionKeyEnrollment.config=[PKI_INSTANCE_PATH]/profiles/ca/caTokenUserEncryptionKeyEnrollment.cfg
+profile.caTokenUserEncryptionKeyEnrollment.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_DIR]profiles/ca/caTokenUserEncryptionKeyEnrollment.cfg
 profile.caTokenUserSigningKeyEnrollment.class_id=caUserCertEnrollImpl
-profile.caTokenUserSigningKeyEnrollment.config=[PKI_INSTANCE_PATH]/profiles/ca/caTokenUserSigningKeyEnrollment.cfg
+profile.caTokenUserSigningKeyEnrollment.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_DIR]profiles/ca/caTokenUserSigningKeyEnrollment.cfg
 profile.caTokenMSLoginEnrollment.class_id=caUserCertEnrollImpl
-profile.caTokenMSLoginEnrollment.config=[PKI_INSTANCE_PATH]/profiles/ca/caTokenMSLoginEnrollment.cfg
+profile.caTokenMSLoginEnrollment.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_DIR]profiles/ca/caTokenMSLoginEnrollment.cfg
 profile.caTransportCert.class_id=caEnrollImpl
-profile.caTransportCert.config=[PKI_INSTANCE_PATH]/profiles/ca/caTransportCert.cfg
+profile.caTransportCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_DIR]profiles/ca/caTransportCert.cfg
 profile.caUserCert.class_id=caEnrollImpl
-profile.caUserCert.config=[PKI_INSTANCE_PATH]/profiles/ca/caUserCert.cfg
+profile.caUserCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_DIR]profiles/ca/caUserCert.cfg
 profile.caECUserCert.class_id=caEnrollImpl
-profile.caECUserCert.config=[PKI_INSTANCE_PATH]/profiles/ca/caECUserCert.cfg
+profile.caECUserCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_DIR]profiles/ca/caECUserCert.cfg
 profile.caUserSMIMEcapCert.class_id=caEnrollImpl
-profile.caUserSMIMEcapCert.config=[PKI_INSTANCE_PATH]/profiles/ca/caUserSMIMEcapCert.cfg
+profile.caUserSMIMEcapCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_DIR]profiles/ca/caUserSMIMEcapCert.cfg
 profile.caJarSigningCert.class_id=caEnrollImpl
-profile.caJarSigningCert.config=[PKI_INSTANCE_PATH]/profiles/ca/caJarSigningCert.cfg
+profile.caJarSigningCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_DIR]profiles/ca/caJarSigningCert.cfg
 profile.caIPAserviceCert.class_id=caEnrollImpl
-profile.caIPAserviceCert.config=[PKI_INSTANCE_PATH]/profiles/ca/caIPAserviceCert.cfg
+profile.caIPAserviceCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_DIR]profiles/ca/caIPAserviceCert.cfg
 profile.caEncUserCert.class_id=caEnrollImpl
-profile.caEncUserCert.config=[PKI_INSTANCE_PATH]/profiles/ca/caEncUserCert.cfg
+profile.caEncUserCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_DIR]profiles/ca/caEncUserCert.cfg
 profile.caEncECUserCert.class_id=caEnrollImpl
-profile.caEncECUserCert.config=[PKI_INSTANCE_PATH]/profiles/ca/caEncECUserCert.cfg
-registry.file=[PKI_INSTANCE_PATH]/conf/registry.cfg
+profile.caEncECUserCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_DIR]profiles/ca/caEncECUserCert.cfg
+registry.file=[PKI_INSTANCE_PATH]/conf/[PKI_SUBSYSTEM_DIR]registry.cfg
 processor.caProfileProcess.getClientCert=true
 processor.caProfileProcess.authzMgr=BasicAclAuthz
 processor.caProfileProcess.authorityId=ca
@@ -1096,7 +1097,7 @@ selftests.container.logger.bufferSize=512
 selftests.container.logger.class=com.netscape.cms.logging.RollingLogFile
 selftests.container.logger.enable=true
 selftests.container.logger.expirationTime=0
-selftests.container.logger.fileName=[PKI_INSTANCE_PATH]/logs/selftests.log
+selftests.container.logger.fileName=[PKI_INSTANCE_PATH]/logs/[PKI_SUBSYSTEM_DIR]selftests.log
 selftests.container.logger.flushInterval=5
 selftests.container.logger.level=1
 selftests.container.logger.maxFileSize=2000
diff --git a/base/ca/shared/webapps/ca/WEB-INF/web.xml b/base/ca/shared/webapps/ca/WEB-INF/web.xml
index 692cb4898..8471d6cd4 100644
--- a/base/ca/shared/webapps/ca/WEB-INF/web.xml
+++ b/base/ca/shared/webapps/ca/WEB-INF/web.xml
@@ -3,90 +3,6 @@ PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN" "file:///usr/share/pki/setup/web-app_2_3.dtd"> - - AgentRequestFilter - com.netscape.cms.servlet.filter.AgentRequestFilter - - https_port - [PKI_AGENT_SECURE_PORT] - -[PKI_OPEN_ENABLE_PROXY_COMMENT] - - proxy_port - [PKI_PROXY_SECURE_PORT] - -[PKI_CLOSE_ENABLE_PROXY_COMMENT] - - active - true - - - - - AdminRequestFilter - com.netscape.cms.servlet.filter.AdminRequestFilter - - https_port - [PKI_ADMIN_SECURE_PORT] - -[PKI_OPEN_ENABLE_PROXY_COMMENT] - - proxy_port - [PKI_PROXY_SECURE_PORT] - -[PKI_CLOSE_ENABLE_PROXY_COMMENT] - - active - true - - - - - EERequestFilter - com.netscape.cms.servlet.filter.EERequestFilter - - http_port - [PKI_UNSECURE_PORT] - - - https_port - [PKI_EE_SECURE_PORT] - -[PKI_OPEN_ENABLE_PROXY_COMMENT] - - proxy_port - [PKI_PROXY_SECURE_PORT] - - - proxy_http_port - [PKI_PROXY_UNSECURE_PORT] - -[PKI_CLOSE_ENABLE_PROXY_COMMENT] - - active - true - - - - - EEClientAuthRequestFilter - com.netscape.cms.servlet.filter.EEClientAuthRequestFilter - - https_port - [PKI_EE_SECURE_CLIENT_AUTH_PORT] - -[PKI_OPEN_ENABLE_PROXY_COMMENT] - - proxy_port - [PKI_PROXY_SECURE_PORT] - -[PKI_CLOSE_ENABLE_PROXY_COMMENT] - - active - true - - - csadmin-wizard com.netscape.cms.servlet.wizard.WizardServlet @@ -415,7 +331,7 @@ AuthzMgr BasicAclAuthz cfgPath - [PKI_INSTANCE_PATH]/conf/CS.cfg + [PKI_INSTANCE_PATH]/conf/[PKI_SUBSYSTEM_DIR]CS.cfg ID castart 1 @@ -1900,10 +1816,9 @@ /agent/ca/doRevoke - - resteasy.scan - true - + + org.jboss.resteasy.plugins.server.servlet.ResteasyBootstrap + resteasy.servlet.mapping.prefix 
@@ -1920,50 +1835,12 @@ Resteasy org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher + + javax.ws.rs.Application + com.netscape.ca.CertificateAuthorityApplication + -[PKI_OPEN_SEPARATE_PORTS_WEB_COMMENT] - - AgentRequestFilter - /agent/* - /ca/getCertFromRequest - /ca/getBySerial - /ca/connector - /ca/displayCertFromRequest - /doRevoke - - - - AdminRequestFilter - /admin/* - /auths - /acl - /server - /caadmin - /caprofile - /jobsScheduler - /capublisher - /log - /ug - - - - EEClientAuthRequestFilter - /eeca/* - - - - EERequestFilter - /ee/* - /renewal - /certbasedenrollment - /ocsp - /enrollment - /profileSubmit - /cgi-bin/pkiclient.exe - -[PKI_CLOSE_SEPARATE_PORTS_WEB_COMMENT] - Resteasy /pki/* -- cgit
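Review bot: After this hunk nothing in the visible web.xml ties `/agent/*`, `/admin/*`, `/eeca/*` and `/ee/*` to their dedicated ports any more. The mappings for `AgentRequestFilter`, `AdminRequestFilter`, `EEClientAuthRequestFilter` and `EERequestFilter` are removed here, their definitions are removed in the -3,90 hunk, and the only additions are the `javax.ws.rs.Application` parameter and the RESTEasy bootstrap listener. The XML markup on this page was lost in extraction, so element names are inferred from the surviving text. Please confirm that agent and admin URLs are still refused on the non-client-auth connector by another layer, such as the Tomcat 7 connector configuration, a container security constraint requiring client-certificate authentication, or the per-servlet `AuthzMgr`/`BasicAclAuthz` checks visible in the context. The file should also carry a short comment naming that mechanism so the port separation is not assumed to be in place. A deployment test that requests an `/agent/` URL over the end-entity port and expects a rejection would catch a regression.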