From 81bb209d0a3227f544b7b8e4ec3fc0631c8f3c47 Mon Sep 17 00:00:00 2001 From: Endi Sukma Dewata Date: Tue, 4 Dec 2012 07:19:43 -0500 Subject: Archiving default deployment configuration. The default deployment configuration has been renamed and moved to /etc/pki/default.cfg to make it more accessible to users. The pkispawn has been modified to archive the default deployment configuration along with the user-provided configuration in the registry. The pkidestroy will now use both archived configuration files to ensure proper removal of the subsystem. Ticket #399
---
base/deploy/etc/default.cfg | 315 ++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 315 insertions(+) create mode 100644 base/deploy/etc/default.cfg (limited to 'base/deploy/etc/default.cfg')
diff --git a/base/deploy/etc/default.cfg b/base/deploy/etc/default.cfg
new file mode 100644
index 000000000..abd0fb441
--- /dev/null
+++ b/base/deploy/etc/default.cfg
@@ -0,0 +1,315 @@
+###############################################################################
+## Default Configuration: ##
+## ##
+## Values in this section are common to more than one PKI subsystem, and ##
+## contain required information which MAY be overridden by users as ##
+## necessary. ##
+## ##
+## There are also some meta-parameters that determine how the PKI ##
+## configuratiion should work. ##
+## ##
+###############################################################################
+[DEFAULT]
+
+# The sensitive_parameters contains a list of parameters which may contain
+# sensitive information which must not be displayed to the console nor stored
+# in log files for security reasons.
+sensitive_parameters=
+ pki_admin_password
+ pki_backup_password
+ pki_client_database_password
+ pki_client_pin
+ pki_client_pkcs12_password
+ pki_clone_pkcs12_password
+ pki_ds_password
+ pki_one_time_pin
+ pki_pin
+ pki_security_domain_password
+ pki_token_password
+
+# The spawn_scriplets contains a list of scriplets to be executed by pkispawn.
+spawn_scriplets=
+ initialization
+ infrastructure_layout
+ instance_layout
+ subsystem_layout
+ selinux_setup
+ webapp_deployment
+ slot_substitution
+ security_databases
+ configuration
+ finalization
+
+# The destroy_scriplets contains a list of scriplets to be executed by pkidestroy.
+destroy_scriplets=
+ initialization
+ configuration
+ webapp_deployment
+ subsystem_layout
+ security_databases
+ instance_layout
+ selinux_setup
+ infrastructure_layout
+ finalization
+
+# By default, the following parameters will be set for Tomcat and Apache instances.
+# There is no reason to uncomment these. They are provided for reference in
+# case someone wants to override them in their config file.
+#
+# Tomcat instances:
+# pki_subsystem_name=pki_tomcat
+# pki_https_port=8443
+# pki_http_port=8080
+#
+# Apache instances:
+# pki_subsystem_name=pki_tomcat
+# pki_https_port=443
+# pki_http_port=80
+
+pki_admin_cert_request_type=crmf
+pki_admin_dualkey=False
+pki_admin_keysize=2048
+pki_admin_password=
+pki_audit_group=pkiaudit
+pki_audit_signing_key_algorithm=SHA256withRSA
+pki_audit_signing_key_size=2048
+pki_audit_signing_key_type=rsa
+pki_audit_signing_signing_algorithm=SHA256withRSA
+pki_audit_signing_token=Internal Key Storage Token
+pki_backup_keys=False
+pki_backup_password=
+pki_client_database_dir=
+pki_client_database_password=
+pki_client_database_purge=True
+pki_client_dir=
+pki_client_pkcs12_password=
+pki_ds_bind_dn=cn=Directory Manager
+pki_ds_ldap_port=389
+pki_ds_ldaps_port=636
+pki_ds_password=
+pki_ds_remove_data=True
+pki_ds_secure_connection=False
+pki_group=pkiuser
+pki_instance_id=%(pki_instance_name)s
+pki_issuing_ca=
+pki_restart_configured_instance=True
+pki_security_domain_hostname=%(pki_hostname)s
+pki_security_domain_https_port=8443
+pki_security_domain_name=%(pki_dns_domainname)s Security Domain
+pki_security_domain_password=
+pki_security_domain_user=
+pki_skip_configuration=False
+pki_skip_installation=False
+pki_ssl_server_key_algorithm=SHA256withRSA
+pki_ssl_server_key_size=2048
+pki_ssl_server_key_type=rsa
+pki_ssl_server_nickname=Server-Cert cert-%(pki_instance_id)s
+pki_ssl_server_subject_dn=cn=%(pki_hostname)s,o=%(pki_security_domain_name)s
+pki_ssl_server_token=Internal Key Storage Token
+pki_subsystem_key_algorithm=SHA256withRSA
+pki_subsystem_key_size=2048
+pki_subsystem_key_type=rsa
+pki_subsystem_token=Internal Key Storage Token
+pki_token_name=internal
+pki_token_password=
+pki_user=pkiuser
+
+###############################################################################
+## Apache Configuration: ##
+## ##
+## Values in this section are common to PKI subsystems that run ##
+## as an instance of 'Apache' (RA and TPS subsystems), and contain ##
+## required information which MAY be overridden by users as necessary. ##
+###############################################################################
+[Apache]
+
+###############################################################################
+## Tomcat Configuration: ##
+## ##
+## Values in this section are common to PKI subsystems that run ##
+## as an instance of 'Tomcat' (CA, KRA, OCSP, and TKS subsystems ##
+## including 'Clones', 'Subordinate CAs', and 'External CAs'), and contain ##
+## required information which MAY be overridden by users as necessary. ##
+## ##
+## PKI CLONES: To specify a 'CA Clone', a 'KRA Clone', an 'OCSP Clone', ##
+## or a 'TKS Clone', change the value of 'pki_clone' ##
+## from 'False' to 'True'. ##
+## ##
+## REMINDER: PKI CA Clones, Subordinate CAs, and External CAs ##
+## are MUTUALLY EXCLUSIVE entities!!! ##
+###############################################################################
+[Tomcat]
+pki_ajp_port=8009
+pki_clone=False
+pki_clone_pkcs12_password=
+pki_clone_pkcs12_path=
+pki_clone_replicate_schema=True
+pki_clone_replication_master_port=
+pki_clone_replication_clone_port=
+pki_clone_replication_security=None
+pki_clone_uri=
+pki_enable_java_debugger=False
+pki_enable_proxy=False
+pki_proxy_http_port=80
+pki_proxy_https_port=443
+pki_security_manager=true
+pki_tomcat_server_port=8005
+
+###############################################################################
+## CA Configuration: ##
+## ##
+## Values in this section are common to CA subsystems including 'PKI CAs', ##
+## 'Cloned CAs', 'Subordinate CAs', and 'External CAs', and contain ##
+## required information which MAY be overridden by users as necessary. ##
+## ##
+## EXTERNAL CAs: To specify an 'External CA', change the value ##
+## of 'pki_external' from 'False' to 'True'. ##
+## ##
+## SUBORDINATE CAs: To specify a 'Subordinate CA', change the value ##
+## of 'pki_subordinate' from 'False' to 'True'. ##
+## ##
+## REMINDER: PKI CA Clones, Subordinate CAs, and External CAs ##
+## are MUTUALLY EXCLUSIVE entities!!! ##
+###############################################################################
+[CA]
+pki_ca_signing_key_algorithm=SHA256withRSA
+pki_ca_signing_key_size=2048
+pki_ca_signing_key_type=rsa
+pki_ca_signing_nickname=caSigningCert cert-%(pki_instance_id)s CA
+pki_ca_signing_signing_algorithm=SHA256withRSA
+pki_ca_signing_subject_dn=cn=CA Signing Certificate,o=%(pki_security_domain_name)s
+pki_ca_signing_token=Internal Key Storage Token
+pki_external=False
+pki_external_ca_cert_chain_path=
+pki_external_ca_cert_path=
+pki_external_csr_path=
+pki_external_step_two=False
+pki_import_admin_cert=False
+pki_ocsp_signing_key_algorithm=SHA256withRSA
+pki_ocsp_signing_key_size=2048
+pki_ocsp_signing_key_type=rsa
+pki_ocsp_signing_nickname=ocspSigningCert cert-%(pki_instance_id)s CA
+pki_ocsp_signing_signing_algorithm=SHA256withRSA
+pki_ocsp_signing_subject_dn=cn=CA OCSP Signing Certificate,o=%(pki_security_domain_name)s
+pki_ocsp_signing_token=Internal Key Storage Token
+pki_subordinate=False
+pki_admin_email=%(pki_admin_name)s@%(pki_dns_domainname)s
+pki_admin_name=%(pki_admin_uid)s
+pki_admin_nickname=PKI Administrator for %(pki_dns_domainname)s
+pki_admin_subject_dn=cn=PKI Administrator,e=%(pki_admin_email)s,o=%(pki_security_domain_name)s
+pki_admin_uid=caadmin
+pki_audit_signing_nickname=auditSigningCert cert-%(pki_instance_id)s CA
+pki_audit_signing_subject_dn=cn=CA Audit Signing Certificate,o=%(pki_security_domain_name)s
+pki_ds_base_dn=o=%(pki_instance_id)s-CA
+pki_ds_database=%(pki_instance_name)s-CA
+pki_ds_hostname=%(pki_hostname)s
+pki_subsystem_name=CA %(pki_hostname)s %(pki_https_port)s
+pki_subsystem_nickname=subsystemCert cert-%(pki_instance_id)s CA
+pki_subsystem_subject_dn=cn=CA Subsystem Certificate,o=%(pki_security_domain_name)s
+
+
+###############################################################################
+## KRA Configuration: ##
+## ##
+## Values in this section are common to KRA subsystems ##
+## including 'PKI KRAs' and 'Cloned KRAs', and contain ##
+## required information which MAY be overridden by users as necessary. ##
+###############################################################################
+[KRA]
+pki_import_admin_cert=True
+pki_storage_key_algorithm=SHA256withRSA
+pki_storage_key_size=2048
+pki_storage_key_type=rsa
+pki_storage_nickname=storageCert cert-%(pki_instance_id)s KRA
+pki_storage_signing_algorithm=SHA256withRSA
+pki_storage_subject_dn=cn=DRM Storage Certificate,o=%(pki_security_domain_name)s
+pki_storage_token=Internal Key Storage Token
+pki_transport_key_algorithm=SHA256withRSA
+pki_transport_key_size=2048
+pki_transport_key_type=rsa
+pki_transport_nickname=transportCert cert-%(pki_instance_id)s KRA
+pki_transport_signing_algorithm=SHA256withRSA
+pki_transport_subject_dn=cn=DRM Transport Certificate,o=%(pki_security_domain_name)s
+pki_transport_token=Internal Key Storage Token
+pki_admin_email=%(pki_admin_name)s@%(pki_dns_domainname)s
+pki_admin_name=%(pki_admin_uid)s
+pki_admin_nickname=PKI Administrator for %(pki_dns_domainname)s
+pki_admin_subject_dn=cn=PKI Administrator,e=%(pki_admin_email)s,o=%(pki_security_domain_name)s
+pki_admin_uid=kraadmin
+pki_audit_signing_nickname=auditSigningCert cert-%(pki_instance_id)s KRA
+pki_audit_signing_subject_dn=cn=KRA Audit Signing Certificate,o=%(pki_security_domain_name)s
+pki_ds_base_dn=o=%(pki_instance_id)s-KRA
+pki_ds_database=%(pki_instance_name)s-KRA
+pki_ds_hostname=%(pki_hostname)s
+pki_subsystem_name=KRA %(pki_hostname)s %(pki_https_port)s
+pki_subsystem_nickname=subsystemCert cert-%(pki_instance_id)s KRA
+pki_subsystem_subject_dn=cn=KRA Subsystem Certificate,o=%(pki_security_domain_name)s
+
+###############################################################################
+## OCSP Configuration: ##
+## ##
+## Values in this section are common to OCSP subsystems ##
+## including 'PKI OCSPs' and 'Cloned OCSPs', and contain ##
+## required information which MAY be overridden by users as necessary. ##
+###############################################################################
+[OCSP]
+pki_import_admin_cert=True
+pki_ocsp_signing_key_algorithm=SHA256withRSA
+pki_ocsp_signing_key_size=2048
+pki_ocsp_signing_key_type=rsa
+pki_ocsp_signing_nickname=ocspSigningCert cert-%(pki_instance_id)s OCSP
+pki_ocsp_signing_signing_algorithm=SHA256withRSA
+pki_ocsp_signing_subject_dn=cn=OCSP Signing Certificate,o=%(pki_security_domain_name)s
+pki_ocsp_signing_token=Internal Key Storage Token
+pki_admin_email=%(pki_admin_name)s@%(pki_dns_domainname)s
+pki_admin_name=%(pki_admin_uid)s
+pki_admin_nickname=PKI Administrator for %(pki_dns_domainname)s
+pki_admin_subject_dn=cn=PKI Administrator,e=%(pki_admin_email)s,o=%(pki_security_domain_name)s
+pki_admin_uid=ocspadmin
+pki_audit_signing_nickname=auditSigningCert cert-%(pki_instance_id)s OCSP
+pki_audit_signing_subject_dn=cn=OCSP Audit Signing Certificate,o=%(pki_security_domain_name)s
+pki_ds_base_dn=o=%(pki_instance_id)s-OCSP
+pki_ds_database=%(pki_instance_name)s-OCSP
+pki_ds_hostname=%(pki_hostname)s
+pki_subsystem_name=OCSP %(pki_hostname)s %(pki_https_port)s
+pki_subsystem_nickname=subsystemCert cert-%(pki_instance_id)s OCSP
+pki_subsystem_subject_dn=cn=OCSP Subsystem Certificate,o=%(pki_security_domain_name)s
+
+###############################################################################
+## RA Configuration: ##
+## ##
+## Values in this section are common to PKI RA subsystems, and contain ##
+## required information which MAY be overridden by users as necessary. ##
+###############################################################################
+[RA]
+
+###############################################################################
+## TKS Configuration: ##
+## ##
+## Values in this section are common to TKS subsystems ##
+## including 'PKI TKSs' and 'Cloned TKSs', and contain ##
+## required information which MAY be overridden by users as necessary. ##
+###############################################################################
+[TKS]
+pki_import_admin_cert=True
+pki_admin_email=%(pki_admin_name)s@%(pki_dns_domainname)s
+pki_admin_name=%(pki_admin_uid)s
+pki_admin_nickname=PKI Administrator for %(pki_dns_domainname)s
+pki_admin_subject_dn=cn=PKI Administrator,e=%(pki_admin_email)s,o=%(pki_security_domain_name)s
+pki_admin_uid=tksadmin
+pki_audit_signing_nickname=auditSigningCert cert-%(pki_instance_id)s TKS
+pki_audit_signing_subject_dn=cn=TKS Audit Signing Certificate,o=%(pki_security_domain_name)s
+pki_ds_base_dn=o=%(pki_instance_id)s-TKS
+pki_ds_database=%(pki_instance_name)s-TKS
+pki_ds_hostname=%(pki_hostname)s
+pki_subsystem_name=TKS %(pki_hostname)s %(pki_https_port)s
+pki_subsystem_nickname=subsystemCert cert-%(pki_instance_id)s TKS
+pki_subsystem_subject_dn=cn=TKS Subsystem Certificate,o=%(pki_security_domain_name)s
+
+###############################################################################
+## TPS Configuration: ##
+## ##
+## Values in this section are common to PKI TPS subsystems, and contain ##
+## required information which MAY be overridden by users as necessary. ##
+###############################################################################
+[TPS]
-- cgit
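Review bot: In `[DEFAULT]`, `pki_ds_secure_connection=False` together with `pki_ds_ldap_port=389` makes plain LDAP the default directory connection, so the bind as `cn=Directory Manager` with `pki_ds_password` would presumably travel unencrypted whenever `pki_ds_hostname` is overridden to a remote host (how pkispawn consumes these keys is not visible in this hunk). The file keeps that password out of the console and logs through `sensitive_parameters` but says nothing about transport. I would either default the key to `True` or add a comment above it such as `# False = plain LDAP on pki_ds_ldap_port; set to True to use LDAPS on pki_ds_ldaps_port when the directory server is not local`. Separately, the reference comment for Apache instances repeats `pki_subsystem_name=pki_tomcat` from the Tomcat block, which looks like a copy-paste slip and is worth correcting before users copy it into an override file.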