From 0ce6c97e4fe0e36786b78c273833b8f1dfbc12b4 Mon Sep 17 00:00:00 2001
From: Matthew Harmsen
Date: Tue, 3 Jul 2012 17:52:33 -0700
Subject: PKI Deployment Scriptlets

* Integration of Tomcat 7
* Introduction of dependency upon tomcatjss 7.0
* Removal of http filtering configuration mechanisms
* Introduction of additional slot substitution to support revised filesystem layout
* Addition of 'pkiuser' uid:gid creation methods
* Inclusion of per instance '*.profile' files
* Introduction of configurable 'configurationRoot' parameter
* Introduction of default configuration of 'log4j' mechanism (alee)
* Modify web.xml to use new Application classes to bootstrap servers (alee)
* Introduction of "Wrapper" logic to support Tomcat 6 --> Tomcat 7 API change (jmagne)
* Added jython helper function to allow attaching a remote java debugger (e. g. - eclipse)
---
 base/deploy/config/pkideployment.cfg | 201 +++++++++++++++++++++++++++++++++--
 base/deploy/config/pkislots.cfg | 2 +
 2 files changed, 195 insertions(+), 8 deletions(-)
(limited to 'base/deploy/config')

diff --git a/base/deploy/config/pkideployment.cfg b/base/deploy/config/pkideployment.cfg
index dd688ed09..542fc5bef 100644
--- a/base/deploy/config/pkideployment.cfg
+++ b/base/deploy/config/pkideployment.cfg
@@ -1,34 +1,219 @@
-[Common]
+###############################################################################
+## 'Sensitive' Data: ##
+## ##
+## Values in this section pertain to various PKI subsystems, and contain ##
+## required 'sensitive' information which MUST ALWAYS be provided by users. ##
+## ##
+## IMPORTANT: Sensitive data values must NEVER be displayed to the ##
+## console NOR stored in log files!!! ##
+###############################################################################
+[Sensitive]
+pki_admin_password=
+pki_backup_password=
+pki_ds_password=
+pki_pkcs12_password=
+pki_security_domain_password=
+###############################################################################
+## 'Mandatory' Data: ##
+## ##
+## Values in this section pertain to various PKI subsystems, and contain ##
+## required information which MUST ALWAYS be provided by users. ##
+###############################################################################
+[Mandatory]
+###############################################################################
+## 'Optional' Data: ##
+## ##
+## Values in this section pertain to various PKI subsystems, and contain ##
+## required information which MAY OPTIONALLY be provided by users. ##
+## ##
+## NOTE: Default values will be generated for any and all required ##
+## 'optional' data values which are left undefined. ##
+###############################################################################
+[Optional]
 pki_admin_domain_name=
-pki_user=pkiuser
-pki_group=pkiuser
+pki_admin_email=
+pki_admin_subject_dn=
+pki_audit_signing_nickname=
+pki_audit_signing_subject_dn=
+pki_audit_signing_token=
+pki_backup_file=
+pki_ca_signing_nickname=
+pki_ca_signing_subject_dn=
+pki_ca_signing_token=
+pki_ds_base_dn=
+pki_ds_database=
+pki_ds_hostname=
+pki_ocsp_signing_nickname=
+pki_ocsp_signing_subject_dn=
+pki_ocsp_signing_token=
+pki_security_domain_hostname=
+pki_security_domain_name=
+pki_ssl_server_nickname=
+pki_ssl_server_subject_dn=
+pki_ssl_server_token=
+pki_storage_nickname=
+pki_storage_subject_dn=
+pki_storage_token=
+pki_subsystem_nickname=
+pki_subsystem_subject_dn=
+pki_subsystem_token=
+pki_transport_nickname=
+pki_transport_subject_dn=
+pki_transport_token=
+###############################################################################
+## 'Common' Data: ##
+## ##
+## Values in this section are common to ALL PKI subsystems, and contain ##
+## required information which MAY be overridden by users as necessary. ##
+###############################################################################
+[Common]
+pki_admin_cert_request_type=crmf
+pki_admin_dualkey=False
+pki_admin_keysize=2048
+pki_admin_name=admin
+pki_admin_uid=admin
 pki_audit_group=pkiaudit
+pki_audit_signing_key_algorithm=SHA256withRSA
+pki_audit_signing_key_size=2048
+pki_audit_signing_key_type=rsa
+pki_audit_signing_signing_algorithm=SHA256withRSA
+pki_backup_keys=False
+pki_ds_bind_dn=cn=Directory Manager
+pki_ds_http_port=389
+pki_ds_https_port=636
+pki_ds_remove_data=True
+pki_ds_secure_connection=False
+pki_group=pkiuser
+pki_security_domain_https_port=8443
+pki_security_domain_user=admin
+pki_ssl_server_key_algorithm=SHA256withRSA
+pki_ssl_server_key_size=2048
+pki_ssl_server_key_type=rsa
+pki_subsystem_key_algorithm=SHA256withRSA
+pki_subsystem_key_size=2048
+pki_subsystem_key_type=rsa
+pki_user=pkiuser
+###############################################################################
+## 'Apache' Data: ##
+## ##
+## Values in this section are common to PKI subsystems that run ##
+## as an instance of 'Apache' (RA and TPS subsystems), and contain ##
+## required information which MAY be overridden by users as necessary. ##
+###############################################################################
 [Apache]
 pki_instance_name=apache
 pki_http_port=80
 pki_https_port=443
+###############################################################################
+## 'Tomcat' Data: ##
+## ##
+## Values in this section are common to PKI subsystems that run ##
+## as an instance of 'Tomcat' (CA, KRA, OCSP, and TKS subsystems ##
+## including 'Clones', 'Subordinate CAs', and 'External CAs'), and contain ##
+## required information which MAY be overridden by users as necessary. ##
+## ##
+## PKI CLONES: To specify a 'CA Clone', a 'KRA Clone', an 'OCSP Clone', ##
+## or a 'TKS Clone', change the value of 'pki_clone' ##
+## from 'False' to 'True'. ##
+## ##
+## REMINDER: PKI CA Clones, Subordinate CAs, and External CAs ##
+## are MUTUALLY EXCLUSIVE entities!!! ##
+###############################################################################
 [Tomcat]
-pki_instance_name=tomcat
+pki_ajp_port=8009
+pki_clone=False
+pki_enable_java_debugger=False
 pki_http_port=8080
 pki_https_port=8443
-pki_ajp_port=8009
-pki_proxy_http_port=80
-pki_proxy_https_port=443
-pki_security_manager=true
+pki_instance_name=tomcat
+pki_proxy_http_port=
+pki_proxy_https_port=
+pki_security_manager=false
 pki_tomcat_server_port=8005
+###############################################################################
+## 'CA' Data: ##
+## ##
+## Values in this section are common to CA subsystems including 'PKI CAs', ##
+## 'Cloned CAs', 'Subordinate CAs', and 'External CAs', and contain ##
+## required information which MAY be overridden by users as necessary. ##
+## ##
+## EXTERNAL CAs: To specify an 'External CA', change the value ##
+## of 'pki_external' from 'False' to 'True'. ##
+## ##
+## SUBORDINATE CAs: To specify a 'Subordinate CA', change the value ##
+## of 'pki_subordinate' from 'False' to 'True'. ##
+## ##
+## REMINDER: PKI CA Clones, Subordinate CAs, and External CAs ##
+## are MUTUALLY EXCLUSIVE entities!!! ##
+###############################################################################
 [CA]
+pki_ca_signing_key_algorithm=SHA256withRSA
+pki_ca_signing_key_size=2048
+pki_ca_signing_key_type=rsa
+pki_ca_signing_signing_algorithm=SHA256withRSA
+pki_external=False
+pki_ocsp_signing_key_algorithm=SHA256withRSA
+pki_ocsp_signing_key_size=2048
+pki_ocsp_signing_key_type=rsa
+pki_ocsp_signing_signing_algorithm=SHA256withRSA
+pki_subordinate=False
 pki_subsystem=CA
 pki_war_name=ca.war
+###############################################################################
+## 'KRA' Data: ##
+## ##
+## Values in this section are common to KRA subsystems ##
+## including 'PKI KRAs' and 'Cloned KRAs', and contain ##
+## required information which MAY be overridden by users as necessary. ##
+###############################################################################
 [KRA]
+pki_storage_key_algorithm=SHA256withRSA
+pki_storage_key_size=2048
+pki_storage_key_type=rsa
+pki_storage_signing_algorithm=SHA256withRSA
 pki_subsystem=KRA
+pki_transport_key_algorithm=SHA256withRSA
+pki_transport_key_size=2048
+pki_transport_key_type=rsa
+pki_transport_signing_algorithm=SHA256withRSA
 pki_war_name=kra.war
+###############################################################################
+## 'OCSP' Data: ##
+## ##
+## Values in this section are common to OCSP subsystems ##
+## including 'PKI OCSPs' and 'Cloned OCSPs', and contain ##
+## required information which MAY be overridden by users as necessary. ##
+###############################################################################
 [OCSP]
+pki_ocsp_signing_key_algorithm=SHA256withRSA
+pki_ocsp_signing_key_size=2048
+pki_ocsp_signing_key_type=rsa
+pki_ocsp_signing_signing_algorithm=SHA256withRSA
 pki_subsystem=OCSP
 pki_war_name=ocsp.war
+###############################################################################
+## 'RA' Data: ##
+## ##
+## Values in this section are common to PKI RA subsystems, and contain ##
+## required information which MAY be overridden by users as necessary. ##
+###############################################################################
 [RA]
 pki_subsystem=RA
+###############################################################################
+## 'TKS' Data: ##
+## ##
+## Values in this section are common to TKS subsystems ##
+## including 'PKI TKSs' and 'Cloned TKSs', and contain ##
+## required information which MAY be overridden by users as necessary. ##
+###############################################################################
 [TKS]
 pki_subsystem=TKS
 pki_war_name=tks.war
+###############################################################################
+## 'TPS' Data: ##
+## ##
+## Values in this section are common to PKI TPS subsystems, and contain ##
+## required information which MAY be overridden by users as necessary. ##
+###############################################################################
 [TPS]
 pki_subsystem=TPS
diff --git a/base/deploy/config/pkislots.cfg b/base/deploy/config/pkislots.cfg
index b6c40ebe3..ee75154ce 100644
--- a/base/deploy/config/pkislots.cfg
+++ b/base/deploy/config/pkislots.cfg
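Review bot: `pki_security_manager=false` in the `[Tomcat]` section reverses the previous default of `true`, so every newly deployed CA/KRA/OCSP/TKS instance now runs without the Java SecurityManager, and neither the file nor the commit message says why. If this is a stop-gap for the Tomcat 7 migration, record it above the key, e.g. `## NOTE: Java SecurityManager is disabled by default pending a revised Tomcat 7 policy; set to 'true' once the policy is updated.`, so the weaker default does not quietly become permanent. Likewise `pki_ds_secure_connection=False` alongside `pki_ds_http_port=389` in `[Common]` presumably sends the `pki_ds_password` bind over plain LDAP by default; a comment steering remote-directory deployments to `True` and `pki_ds_https_port=636` would help. The `[Sensitive]` banner forbids echoing or logging those values but says nothing about the file that holds them in clear text; add `## The deployment file containing these values MUST be readable only by root (mode 0600) and should be deleted once deployment completes.`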
@@ -70,8 +70,10 @@ PKI_SECURE_PORT_CONNECTOR_NAME_SLOT=[PKI_SECURE_PORT_CONNECTOR_NAME]
 PKI_SECURE_PORT_SERVER_COMMENT_SLOT=[PKI_SECURE_PORT_SERVER_COMMENT]
 PKI_SECURITY_MANAGER_SLOT=[PKI_SECURITY_MANAGER]
 PKI_SERVER_XML_CONF_SLOT=[PKI_SERVER_XML_CONF]
+PKI_SUBSYSTEM_DIR_SLOT=[PKI_SUBSYSTEM_DIR]
 PKI_SUBSYSTEM_TYPE_SLOT=[PKI_SUBSYSTEM_TYPE]
 PKI_SYSTEMD_SERVICENAME_SLOT=[PKI_SYSTEMD_SERVICENAME]
+PKI_TMPDIR_SLOT=[PKI_TMPDIR]
 PKI_UNSECURE_PORT_SLOT=[PKI_UNSECURE_PORT]
 PKI_UNSECURE_PORT_CONNECTOR_NAME_SLOT=[PKI_UNSECURE_PORT_CONNECTOR_NAME]
 PKI_UNSECURE_PORT_SERVER_COMMENT_SLOT=[PKI_UNSECURE_PORT_SERVER_COMMENT]
-- cgit